IP xfrm 命令说明1-sa

SA命令

       ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark MARK [ mask MASK ] ] [ reqid REQID ] [seq SEQ ] [ replay-window SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ] [ flag FLAG-LIST ] [ selSELECTOR ] [ LIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST]ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ] [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]ip xfrm state { deleteall | list } [ ID ] [ mode MODE ] [ reqid REQID ] [ flag FLAG-LIST ]ip xfrm state flush [ proto XFRM-PROTO ]ip xfrm state countID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]XFRM-PROTO := esp | ah | comp | route2 | haoALGO-LIST := [ ALGO-LIST ] ALGOALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |comp ALGO-NAMEMODE := transport | tunnel | beet | ro | in_triggerFLAG-LIST := [ FLAG-LIST ] FLAGFLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec | align4SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [ UPSPEC ]UPSPEC := proto { PROTO |{ tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |{ icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |gre [ key { DOTTED-QUAD | NUMBER } ] }LIMIT-LIST := [ LIMIT-LIST ] limit LIMITLIMIT-LISTsets limits in seconds, bytes, or numbers of packets.ENCAP  encapsulates  packets  with  protocol espinudp or espinudp-nonike, using source port SPORT, destinationport DPORT , and original address OADDR.

SA命令解析

       ip xfrm state { add | update } ID [ ALGO-LIST ] [ mode MODE ] [ mark MARK [ mask MASK ] ] [ reqid REQID ] [seq SEQ ] [ replay-window SIZE ] [ replay-seq SEQ ] [ replay-oseq SEQ ] [ flag FLAG-LIST ] [ selSELECTOR ] [ LIMIT-LIST ] [ encap ENCAP ] [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST]

ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM-PROTO ] [ spi SPI ]

ID 是键值，用来区分不同SA。
ID内容为：
原地址、目的地址、协议（IPsec封装协议）和spi共同决定一个sa。

XFRM-PROTO := esp | ah | comp | route2 | hao

协议内容：目前一般使用esp

   ALGO := { enc | auth } ALGO-NAME ALGO-KEYMAT |auth-trunc ALGO-NAME ALGO-KEYMAT ALGO-TRUNC-LEN |aead ALGO-NAME ALGO-KEYMAT ALGO-ICV-LEN |comp ALGO-NAME

ALGO-LIST：算法列表。对数据加密、认证的算法。 ipsec能使用的算法跟内核算法模块支持的算法不同，是其子集。不同版本的内核支持的算法列表页不同，详见附录1：内核支持的算法列表。

 MODE := transport | tunnel | beet | ro | in_trigger

封装模式，ESP封装协议支持隧道和传输模式，一般使用隧道模式（过NAT）

FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG := noecn | decap-dscp | nopmtudisc | wildrecv | icmp | af-unspec | align4

暂留，目前未使用到

SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [ UPSPEC ]

关联sp，选择进入隧道的数据流

   UPSPEC := proto { PROTO |{ tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |{ icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |gre [ key { DOTTED-QUAD | NUMBER } ] }

数据流的协议等特征。

   LIMIT-LIST := [ LIMIT-LIST ] limit LIMITLIMIT-LISTsets limits in seconds, bytes, or numbers of packets.

sa的限制，可以通过时间、数据包、数据量来更新sa

   ENCAP  encapsulates  packets  with  protocol espinudp or espinudp-nonike, using source port SPORT, destinationport DPORT , and original address OADDR.

带封装的ESP，比如espinudp 、espintcp。

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.mzph.cn/news/9970.shtml

如若内容造成侵权/违法违规/事实不符，请联系多彩编程网进行投诉反馈email:809451989@qq.com，一经查实，立即删除！