ip-xfrm
Manage IPsec (XFRM) policy and state
SYNOPSIS
ip xfrm OBJECT COMMAND
OBJECT := { state | policy | monitor }
PARAMETERS
state
Manage IPsec security associations (SAs).
policy
Manage IPsec security policies (SPs).
monitor
Monitor IPsec events.
OBJECT
The object to operate on: state, policy, or monitor.
COMMAND
The action to perform on the object (e.g., add, update, delete, list). Specific commands depend on the object.
state add
Add a new security association.
state update
Update an existing security association.
state delete
Delete a security association.
state list
List security associations. The listing includes each SA's key material, so treat its output as sensitive.
policy add
Add a new security policy.
policy update
Update an existing security policy.
policy delete
Delete a security policy.
policy list
List security policies.
DESCRIPTION
The ip-xfrm command is a part of the iproute2 suite of tools used for configuring and managing network interfaces, routing, and other network-related settings in Linux. Specifically, ip-xfrm focuses on configuring and managing IPsec (Internet Protocol Security) transforms. IPsec provides a framework for ensuring secure communication over IP networks by authenticating and encrypting network packets.
Transforms define the security algorithms and protocols used for IPsec. With ip-xfrm, you can add, modify, or delete transform configurations, which lets you tune the security parameters of your IPsec connections: the encryption algorithm (such as AES or 3DES, though 3DES is deprecated and should be avoided in new deployments), the authentication algorithm (such as HMAC-SHA1 or HMAC-SHA256), and the other parameters needed to establish a secure channel. Proper configuration is crucial for VPNs, secure tunnels, and any other scenario that requires secure data transmission over potentially untrusted networks. The command works with the kernel's XFRM (Transform Framework) subsystem, which performs the actual IPsec processing.
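As an added example (not part of this page or of iproute2 itself), the following POSIX shell script assembles the state and policy commands listed under PARAMETERS for one ESP tunnel in both directions, using the algorithm syntax described above. It assumes od and /dev/urandom are available for key generation; the gateway addresses, subnets, SPIs and reqids are constructed sample values, and the helper names (gen_keymat, sa_cmd, policy_cmd, run, setup_tunnel) are the example's own. Without XFRM_APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the ip-xfrm page: build the "ip xfrm state add"
# and "ip xfrm policy add" lines for one ESP tunnel between two gateways and
# apply them only when XFRM_APPLY=1 is set (applying needs CAP_NET_ADMIN).
# Addresses, subnets, SPIs and reqids are constructed sample values.

# Key material comes from the kernel CSPRNG; never reuse one key for both
# directions and never hand-type one. rfc4106(gcm(aes)) with AES-128 takes
# 16 key bytes + 4 salt bytes, i.e. 20 bytes of keymat, plus a 128-bit ICV.
gen_keymat() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# One unidirectional SA: $1 src, $2 dst, $3 SPI, $4 reqid, $5 keymat (hex, no 0x).
sa_cmd() {
    printf "ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode tunnel aead 'rfc4106(gcm(aes))' 0x%s 128\n" \
        "$1" "$2" "$3" "$4" "$5"
}

# One policy: $1 inner src, $2 inner dst, $3 direction (in|out|fwd),
# $4 outer src, $5 outer dst, $6 reqid. The reqid binds the policy's template
# to the matching SA; traffic that matches a policy with no usable SA is dropped.
policy_cmd() {
    printf 'ip xfrm policy add src %s dst %s dir %s tmpl src %s dst %s proto esp reqid %s mode tunnel\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Dry run by default: print the command. With XFRM_APPLY=1, execute it.
run() {
    if [ "${XFRM_APPLY:-0}" = 1 ]; then eval "$1"; else printf '%s\n' "$1"; fi
}

# Local gateway A (192.0.2.1, subnet 10.1.0.0/24) to gateway B (192.0.2.2,
# subnet 10.2.0.0/24). Two SAs (one per direction, distinct SPI and keymat)
# and three policies: out for locally originated traffic, in and fwd for
# traffic arriving from the peer that is delivered locally or forwarded.
# In dry-run mode the printed lines contain the keymat; treat them as secret.
setup_tunnel() {
    local_gw=192.0.2.1;  local_net=10.1.0.0/24
    remote_gw=192.0.2.2; remote_net=10.2.0.0/24
    run "$(sa_cmd "$local_gw" "$remote_gw" 0x00000100 1 "$(gen_keymat 20)")"
    run "$(sa_cmd "$remote_gw" "$local_gw" 0x00000200 2 "$(gen_keymat 20)")"
    run "$(policy_cmd "$local_net" "$remote_net" out "$local_gw" "$remote_gw" 1)"
    run "$(policy_cmd "$remote_net" "$local_net" in  "$remote_gw" "$local_gw" 2)"
    run "$(policy_cmd "$remote_net" "$local_net" fwd "$remote_gw" "$local_gw" 2)"
}

setup_tunnel
```

The peer must install the same two SAs (same SPIs and keymat) with the policy directions reversed, which is the exchange an IKE daemon normally performs instead of this kind of manual keying; manual keys also never rotate, so they are suitable for lab and debugging use rather than long-lived production tunnels.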
UNDERSTANDING SECURITY ASSOCIATIONS (SAs)
Security Associations (SAs) are fundamental to IPsec. They define the parameters for secure communication between two endpoints. Key attributes of an SA include: SPI (Security Parameters Index), destination IP address, security protocol (AH or ESP), encryption algorithm, and authentication algorithm. SAs are unidirectional, meaning that two SAs are typically needed for bidirectional communication.
UNDERSTANDING SECURITY POLICIES (SPs)
Security Policies (SPs) determine which traffic should be protected by IPsec. They specify criteria such as source and destination IP addresses, ports, and protocols. When traffic matches an SP, the kernel will apply the corresponding SA to secure the traffic. SPs are crucial for defining the scope of IPsec protection.
ESP VS AH
ESP (Encapsulating Security Payload) provides both encryption and authentication, while AH (Authentication Header) provides only authentication. ESP is commonly used to provide confidentiality of the data as well as source authentication and integrity protection. AH ensures the integrity of the entire IP packet, including the immutable fields of the IP header, and authenticates the source.
ESP is usually preferred: it offers confidentiality, and because AH's integrity check covers the IP header, AH does not survive NAT, whereas ESP (with UDP encapsulation where needed) does.
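Because an SA carries the attributes listed in the section above (SPI, addresses, protocol, algorithms), and because ESP is preferred over AH, an auditor can read those attributes back from ip xfrm state and flag the weak cases. The following is an added example, not from this page or from iproute2: a POSIX shell function that runs awk over constructed sample output in the layout ip xfrm state prints (the three SAs, their addresses and keys are made up). It flags AH-only SAs, deprecated ciphers and digests, encryption configured without integrity protection, and a disabled anti-replay window.

```shell
#!/bin/sh
# Added example, not part of the ip-xfrm page: audit "ip xfrm state" output.
# Real usage on a host:  ip xfrm state | audit_xfrm_state
# Note that ip xfrm state prints key material, so never paste its raw output
# into tickets or chat; only the findings below are safe to share.

# Constructed sample in the layout ip xfrm state uses (keys are dummy values).
sample_state_output() {
    cat <<'EOF'
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x00000100 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff01020304 128
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.0.2.1 dst 192.0.2.3
    proto esp spi 0x00000101 reqid 2 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(md5) 0x000102030405060708090a0b0c0d0e0f 96
    enc cbc(des3_ede) 0x000102030405060708090a0b0c0d0e0f1011121314151617
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.0.2.1 dst 192.0.2.4
    proto ah spi 0x00000102 reqid 3 mode transport
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x000102030405060708090a0b0c0d0e0f10111213 96
    sel src 0.0.0.0/0 dst 0.0.0.0/0
EOF
}

# Reads ip xfrm state output on stdin, prints one finding per line.
# A record starts at a "src A dst B" line; the attributes follow on indented
# lines, which awk splits on whitespace regardless of tabs or spaces.
audit_xfrm_state() {
    awk '
    function flush() {
        if (id == "") return
        if (proto == "ah") print "WARN " id ": AH only, no confidentiality"
        if (enc ~ /des3_ede|cbc\(des\)|blowfish|cast5|cipher_null|ecb\(/) print "WEAK " id ": enc " enc
        if (auth ~ /md5|digest_null/) print "WEAK " id ": auth " auth; else if (auth ~ /sha1/) print "LEGACY " id ": auth " auth
        if (enc != "" && auth == "") print "WARN " id ": encryption without integrity protection"
        if (replay == "0") print "WARN " id ": anti-replay window disabled"
        id = ""; proto = ""; enc = ""; auth = ""; replay = ""
    }
    $1 == "src" && $3 == "dst"          { flush(); id = "src " $2 " dst " $4 }
    $1 == "proto"                       { proto = $2; id = id " spi " $4 }
    $1 == "replay-window"               { replay = $2 }
    $1 == "enc"                         { enc = $2 }
    $1 == "auth" || $1 == "auth-trunc"  { auth = $2 }
    $1 == "aead"                        { enc = $2; auth = $2 }   # AEAD covers both
    END { flush() }
    '
}

# Stand-alone run over the sample: the first SA is clean, the second yields
# WEAK enc, WEAK auth and a replay warning, the third an AH warning and a
# LEGACY sha1 note (five findings in total).
sample_state_output | audit_xfrm_state
```

HMAC-SHA1 is reported as LEGACY rather than WEAK because the HMAC construction is not broken by SHA-1 collisions; it is flagged so that policy reviews can retire it deliberately. The cipher and digest lists are the example's own starting point and should be extended to whatever a site's crypto policy forbids.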
HISTORY
The ip-xfrm command was introduced as part of the iproute2 suite, which aimed to replace the older net-tools package (e.g., ifconfig, route) with a more modern and flexible approach to network configuration. The XFRM framework in the Linux kernel allowed for a more modular and extensible implementation of IPsec. ip-xfrm was designed to provide a user-friendly interface to this framework, allowing administrators to configure IPsec security associations and policies more easily. The command has evolved over time with improvements in the Linux kernel's IPsec stack and the addition of new security protocols and algorithms.