sbin/setkey/setkey.8: cleanup groff mdoc warnings

PR: 293072
Sponsored by: NVidia networking
MFC after: 3 days

setkey(8): document -hwif extension

Sponsored by: NVidia networking

setkey(8): add -esn extension option to enable ESN

Sponsored by: NVIDIA networking

setkey(8): Grammar fix: a FQDN -> an FQDN

Event: Advanced UNIX Programming Course (Fall'23) at NTHU.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1024

setkey(8): make the policy specification more readable

by applying markup and highlighting the semantical blocks.

Sponsored by: NVidia networking
MFC after: 1 week

Remove $FreeBSD$: two-line nroff pattern

Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/

setkey(8): document NAT-T and NAT-T MTU extensions syntax

Reviewed by: ae
Discussed with: bz
Sponsored by: NVidia networking
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D403

setkey(8): document NAT-T and NAT-T MTU extensions syntax

Reviewed by: ae
Discussed with: bz
Sponsored by: NVidia networking
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D40300

show more ...

setkey(8): add -e option to take script from the command line

Reviewed by: ae
Sponsored by: Nvidia networking
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D39393

ipsec: add support for CHACHA20POLY1305

Based on a patch by ae@.

Reviewed by: gbe (man page), pauamma (man page)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https:/

ipsec: add support for CHACHA20POLY1305

Based on a patch by ae@.

Reviewed by: gbe (man page), pauamma (man page)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37180

show more ...

setkey.8: Improve direction descriptions

Be more precise in the definition of policy directions
and policy levels.

PR: 250177
Reported by: Bram Ton <bram at cbbg dot nl>
Reviewed by: gbe, ae
MFC a

setkey.8: Improve direction descriptions

Be more precise in the definition of policy directions
and policy levels.

PR: 250177
Reported by: Bram Ton <bram at cbbg dot nl>
Reviewed by: gbe, ae
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D26719

show more ...

Indicate that racoon.8 is in ports/security/ipsec-tools.

setkey(8): Clarify language around AEAD ciphers.

AEAD ciphers for IPsec combine both encryption and authentication. As
such, ESP configurations using an AEAD cipher should not use a
seperate authen

setkey(8): Clarify language around AEAD ciphers.

AEAD ciphers for IPsec combine both encryption and authentication. As
such, ESP configurations using an AEAD cipher should not use a
seperate authentication algorithm via -A. However, this was not
apparent from the setkey manpage and 12.x and earlier did not perform
sufficient argument validation permitting users to pair an explicit -A
such as SHA256-HMAC with AES-GCM. (The result was a non-standard
combination of AES-CTR with the specified MAC, but with the wrong
initial block counter (and thus different keystream) compared to using
AES-CTR as the cipher.)

Attempt to clarify this in the manpage by explicitly calling out AEAD
ciphers (currently only AES-GCM) and noting that AEAD ciphers should
not use -A.

While here, explicitly note which authentication algorithms can be
used with esp vs esp-old. Also add subsection headings for the
different algorithm lists and tidy some language.

I did not convert the tables to column lists (Bl -column) though that
would probably be more correct than using literal blocks (Bd
-literal).

PR: 263379
Reviewed by: Pau Amma <pauamma@gundo.com>, markj
Differential Revision: https://reviews.freebsd.org/D34947

show more ...

update external URL

Refer to AES-CBC as "aes-cbc" rather than "rijndael-cbc" for IPsec.

At this point, AES is the more common name for Rijndael128. setkey(8)
will still accept the old name, and old constants remain fo

Refer to AES-CBC as "aes-cbc" rather than "rijndael-cbc" for IPsec.

At this point, AES is the more common name for Rijndael128. setkey(8)
will still accept the old name, and old constants remain for
compatiblity.

Reviewed by: cem, bcr (manpages)
MFC after: 2 weeks
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D24964

show more ...

Add RFC reference for AES-CTR with IPsec.

MFC after: 1 week
Sponsored by: Chelsio Communications

Remove support for IPsec algorithms deprecated in r348205 and r360202.

Examples of depecrated algorithms in manual pages and sample configs
are updated where relevant. I removed the one example of

Remove support for IPsec algorithms deprecated in r348205 and r360202.

Examples of depecrated algorithms in manual pages and sample configs
are updated where relevant. I removed the one example of combining
ESP and AH (vs using a cipher and auth in ESP) as RFC 8221 says this
combination is NOT RECOMMENDED.

Specifically, this removes support for the following ciphers:
- des-cbc
- 3des-cbc
- blowfish-cbc
- cast128-cbc
- des-deriv
- des-32iv
- camellia-cbc

This also removes support for the following authentication algorithms:
- hmac-md5
- keyed-md5
- keyed-sha1
- hmac-ripemd160

Reviewed by: cem, gnn (older verisons)
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D24342

show more ...

setkey(8): document -hwif extension

Sponsored by: NVidia networking

setkey(8): add -esn extension option to enable ESN

Sponsored by: NVIDIA networking

setkey(8): Grammar fix: a FQDN -> an FQDN

Event: Advanced UNIX Programming Course (Fall'23) at NTHU.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1024

setkey(8): make the policy specification more readable

by applying markup and highlighting the semantical blocks.

Sponsored by: NVidia networking
MFC after: 1 week

Remove $FreeBSD$: two-line nroff pattern

Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/

setkey(8): document NAT-T and NAT-T MTU extensions syntax

Reviewed by: ae
Discussed with: bz
Sponsored by: NVidia networking
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D403

setkey(8): document NAT-T and NAT-T MTU extensions syntax

Reviewed by: ae
Discussed with: bz
Sponsored by: NVidia networking
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D40300

show more ...

setkey(8): add -e option to take script from the command line

Reviewed by: ae
Sponsored by: Nvidia networking
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D39393

ipsec: add support for CHACHA20POLY1305

Based on a patch by ae@.

Reviewed by: gbe (man page), pauamma (man page)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https:/

ipsec: add support for CHACHA20POLY1305

Based on a patch by ae@.

Reviewed by: gbe (man page), pauamma (man page)
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D37180

show more ...

setkey.8: Improve direction descriptions

Be more precise in the definition of policy directions
and policy levels.

PR: 250177
Reported by: Bram Ton <bram at cbbg dot nl>
Reviewed by: gbe, ae
MFC a

setkey.8: Improve direction descriptions

Be more precise in the definition of policy directions
and policy levels.

PR: 250177
Reported by: Bram Ton <bram at cbbg dot nl>
Reviewed by: gbe, ae
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D26719

show more ...