LinuxCommandLibrary

ip-token

Obtain or manage IP address tokens

SYNOPSIS

ip token { list | set | del } [ dev DEV ] [ token TOKEN ]

PARAMETERS

list
    List tokens for all devices or for the specified dev.

set
    Set token TOKEN on device DEV.

del
    Delete token TOKEN from device DEV.

dev DEV
    Network device name (required for set/del).

token TOKEN
    Arbitrary string token (required for set/del).

DESCRIPTION

The ip token command manages opaque string tokens attached to network interfaces via the Linux kernel's netlink API. These tokens are used by specific device drivers to authorize operations like virtual function (VF) configuration in SR-IOV environments or representor port identification in switchdev hardware offload modes.

Primarily utilized in virtualized and containerized setups with hardware accelerators (e.g., Mellanox ConnectX series via mlx5 driver or virtio-net), tokens enhance security by preventing unauthorized access to sensitive network hardware features. For instance, a hypervisor can set a token on a PF to allow only matching VMs to bind VFs.

The command supports listing all system tokens, setting a new token on a device, or deleting an existing one. Tokens are stored per-device and are driver-specific; unsupported drivers ignore them. This feature integrates with tools like libvirt or OpenStack for secure networking in clouds.

Usage requires root privileges and the iproute2 package. It's lightweight, with operations completing instantly unless kernel locks are contended.

CAVEATS

Tokens are supported only by drivers like mlx5 and virtio_net; other drivers ignore them. Requires root. Token length limits vary by driver (typically 32-256 bytes). The kernel does not validate token content.

EXAMPLES

ip token list # List all
ip token list dev enp1s0 # Device-specific
ip token set dev enp1s0 token secureVF123 # Set token
ip token del dev enp1s0 token secureVF123 # Delete

KERNEL SUPPORT

Check the driver via ethtool -i DEV (for drivers like mlx5_core). Tokens are visible indirectly in /sys/class/net/DEV/ifindex.

HISTORY

Added in Linux kernel 4.15 (commit 8f5c3e5) for VF authorization, iproute2 4.15.0. Evolved for switchdev in 4.18+; widely used in NFV/SDN since 5.x kernels.

SEE ALSO

ip-link(8), ip(8), rtnetlink(7)
