IpSecManager
open class IpSecManager
kotlin.Any | |
↳ | android.net.IpSecManager |
This class contains methods for managing IPsec sessions. Once configured, the kernel will apply confidentiality (encryption) and integrity (authentication) to IP traffic.
Note that not all aspects of IPsec are permitted by this API. Applications may create transport mode security associations and apply them to individual sockets. Applications looking to create an IPsec VPN should use VpnManager
and Ikev2VpnProfile
.
Summary
Nested classes | |
---|---|
Thrown to indicate that an IPsec resource is unavailable. |
|
This class represents a reserved SPI. |
|
Thrown to indicate that a requested SPI is in use. |
|
This class provides access to a UDP encapsulation Socket. |
Constants | |
---|---|
static Int |
Used when applying a transform to direct traffic through an |
static Int |
Used when applying a transform to direct traffic through an |
Public methods | |
---|---|
open IpSecManager.SecurityParameterIndex |
allocateSecurityParameterIndex(destinationAddress: InetAddress) Reserve a random SPI for traffic bound to or from the specified destination address. |
open IpSecManager.SecurityParameterIndex |
allocateSecurityParameterIndex(destinationAddress: InetAddress, requestedSpi: Int) Reserve the requested SPI for traffic bound to or from the specified destination address. |
open Unit |
applyTransportModeTransform(socket: Socket, direction: Int, transform: IpSecTransform) Apply an IPsec transform to a stream socket. |
open Unit |
applyTransportModeTransform(socket: DatagramSocket, direction: Int, transform: IpSecTransform) Apply an IPsec transform to a datagram socket. |
open Unit |
applyTransportModeTransform(socket: FileDescriptor, direction: Int, transform: IpSecTransform) Apply an IPsec transform to a socket. |
open IpSecManager.UdpEncapsulationSocket |
openUdpEncapsulationSocket(port: Int) Open a socket for UDP encapsulation and bind to the given port. |
open IpSecManager.UdpEncapsulationSocket |
Open a socket for UDP encapsulation. |
open Unit |
removeTransportModeTransforms(socket: Socket) Remove an IPsec transform from a stream socket. |
open Unit |
Remove an IPsec transform from a datagram socket. |
open Unit |
Remove an IPsec transform from a socket. |
Constants
DIRECTION_IN
static val DIRECTION_IN: Int
Used when applying a transform to direct traffic through an IpSecTransform
towards the host.
See applyTransportModeTransform(java.net.Socket,int,android.net.IpSecTransform)
.
Value: 0
DIRECTION_OUT
static val DIRECTION_OUT: Int
Used when applying a transform to direct traffic through an IpSecTransform
away from the host.
See applyTransportModeTransform(java.net.Socket,int,android.net.IpSecTransform)
.
Value: 1
Public methods
allocateSecurityParameterIndex
open fun allocateSecurityParameterIndex(destinationAddress: InetAddress): IpSecManager.SecurityParameterIndex
Reserve a random SPI for traffic bound to or from the specified destination address.
If successful, this SPI is guaranteed available until released by a call to android.net.IpSecManager.SecurityParameterIndex#close()
.
Parameters | |
---|---|
destinationAddress |
InetAddress: the destination address for traffic bearing the requested SPI. For inbound traffic, the destination should be an address currently assigned on-device. This value cannot be null . |
Return | |
---|---|
IpSecManager.SecurityParameterIndex |
the reserved SecurityParameterIndex This value cannot be null . |
Exceptions | |
---|---|
android.net.IpSecManager.ResourceUnavailableException |
indicating that too many SPIs are currently allocated for this user |
allocateSecurityParameterIndex
open fun allocateSecurityParameterIndex(
destinationAddress: InetAddress,
requestedSpi: Int
): IpSecManager.SecurityParameterIndex
Reserve the requested SPI for traffic bound to or from the specified destination address.
If successful, this SPI is guaranteed available until released by a call to android.net.IpSecManager.SecurityParameterIndex#close()
.
Parameters | |
---|---|
destinationAddress |
InetAddress: the destination address for traffic bearing the requested SPI. For inbound traffic, the destination should be an address currently assigned on-device. This value cannot be null . |
requestedSpi |
Int: the requested SPI. The range 1-255 is reserved and may not be used. See RFC 4303 Section 2.1. |
Return | |
---|---|
IpSecManager.SecurityParameterIndex |
the reserved SecurityParameterIndex This value cannot be null . |
Exceptions | |
---|---|
android.net.IpSecManager.ResourceUnavailableException |
indicating that too many SPIs are currently allocated for this user |
android.net.IpSecManager.SpiUnavailableException |
indicating that the requested SPI could not be reserved |
applyTransportModeTransform
open fun applyTransportModeTransform(
socket: Socket,
direction: Int,
transform: IpSecTransform
): Unit
Apply an IPsec transform to a stream socket.
This applies transport mode encapsulation to the given socket. Once applied, I/O on the socket will be encapsulated according to the parameters of the IpSecTransform
. When the transform is removed from the socket by calling #removeTransportModeTransforms, unprotected traffic can resume on that socket.
For security reasons, the destination address of any traffic on the socket must match the remote InetAddress
of the IpSecTransform
. Attempts to send traffic to any other IP address will result in an IOException. In addition, reads and writes on the socket will throw IOException if the user deactivates the transform (by calling android.net.IpSecTransform#close()
) without calling #removeTransportModeTransforms.
Note that when applied to TCP sockets, calling IpSecTransform#close()
on an applied transform before completion of graceful shutdown may result in the shutdown sequence failing to complete. As such, applications requiring graceful shutdown MUST close the socket prior to deactivating the applied transform. Socket closure may be performed asynchronously (in batches), so the returning of a close function does not guarantee shutdown of a socket. Setting an SO_LINGER timeout results in socket closure being performed synchronously, and is sufficient to ensure shutdown. Specifically, if the transform is deactivated (by calling IpSecTransform#close()
), prior to the socket being closed, the standard [FIN - FIN/ACK - ACK], or the reset [RST] packets are dropped due to the lack of a valid Transform. Similarly, if a socket without the SO_LINGER option set is closed, the delayed/batched FIN packets may be dropped.
Rekey Procedure
When applying a new tranform to a socket in the outbound direction, the previous transform will be removed and the new transform will take effect immediately, sending all traffic on the new transform; however, when applying a transform in the inbound direction, traffic on the old transform will continue to be decrypted and delivered until that transform is deallocated by calling IpSecTransform#close()
. This overlap allows lossless rekey procedures where both transforms are valid until both endpoints are using the new transform and all in-flight packets have been received.
Parameters | |
---|---|
socket |
Socket: a stream socket This value cannot be null . |
direction |
Int: the direction in which the transform should be applied Value is android.net.IpSecManager#DIRECTION_IN , or android.net.IpSecManager#DIRECTION_OUT |
transform |
IpSecTransform: a transport mode IpSecTransform This value cannot be null . |
Exceptions | |
---|---|
java.io.IOException |
indicating that the transform could not be applied |
applyTransportModeTransform
open fun applyTransportModeTransform(
socket: DatagramSocket,
direction: Int,
transform: IpSecTransform
): Unit
Apply an IPsec transform to a datagram socket.
This applies transport mode encapsulation to the given socket. Once applied, I/O on the socket will be encapsulated according to the parameters of the IpSecTransform
. When the transform is removed from the socket by calling #removeTransportModeTransforms, unprotected traffic can resume on that socket.
For security reasons, the destination address of any traffic on the socket must match the remote InetAddress
of the IpSecTransform
. Attempts to send traffic to any other IP address will result in an IOException. In addition, reads and writes on the socket will throw IOException if the user deactivates the transform (by calling android.net.IpSecTransform#close()
) without calling #removeTransportModeTransforms.
Rekey Procedure
When applying a new tranform to a socket in the outbound direction, the previous transform will be removed and the new transform will take effect immediately, sending all traffic on the new transform; however, when applying a transform in the inbound direction, traffic on the old transform will continue to be decrypted and delivered until that transform is deallocated by calling IpSecTransform#close()
. This overlap allows lossless rekey procedures where both transforms are valid until both endpoints are using the new transform and all in-flight packets have been received.
Parameters | |
---|---|
socket |
DatagramSocket: a datagram socket This value cannot be null . |
direction |
Int: the direction in which the transform should be applied Value is android.net.IpSecManager#DIRECTION_IN , or android.net.IpSecManager#DIRECTION_OUT |
transform |
IpSecTransform: a transport mode IpSecTransform This value cannot be null . |
Exceptions | |
---|---|
java.io.IOException |
indicating that the transform could not be applied |
applyTransportModeTransform
open fun applyTransportModeTransform(
socket: FileDescriptor,
direction: Int,
transform: IpSecTransform
): Unit
Apply an IPsec transform to a socket.
This applies transport mode encapsulation to the given socket. Once applied, I/O on the socket will be encapsulated according to the parameters of the IpSecTransform
. When the transform is removed from the socket by calling #removeTransportModeTransforms, unprotected traffic can resume on that socket.
For security reasons, the destination address of any traffic on the socket must match the remote InetAddress
of the IpSecTransform
. Attempts to send traffic to any other IP address will result in an IOException. In addition, reads and writes on the socket will throw IOException if the user deactivates the transform (by calling android.net.IpSecTransform#close()
) without calling #removeTransportModeTransforms.
Note that when applied to TCP sockets, calling IpSecTransform#close()
on an applied transform before completion of graceful shutdown may result in the shutdown sequence failing to complete. As such, applications requiring graceful shutdown MUST close the socket prior to deactivating the applied transform. Socket closure may be performed asynchronously (in batches), so the returning of a close function does not guarantee shutdown of a socket. Setting an SO_LINGER timeout results in socket closure being performed synchronously, and is sufficient to ensure shutdown. Specifically, if the transform is deactivated (by calling IpSecTransform#close()
), prior to the socket being closed, the standard [FIN - FIN/ACK - ACK], or the reset [RST] packets are dropped due to the lack of a valid Transform. Similarly, if a socket without the SO_LINGER option set is closed, the delayed/batched FIN packets may be dropped.
Rekey Procedure
When applying a new tranform to a socket in the outbound direction, the previous transform will be removed and the new transform will take effect immediately, sending all traffic on the new transform; however, when applying a transform in the inbound direction, traffic on the old transform will continue to be decrypted and delivered until that transform is deallocated by calling IpSecTransform#close()
. This overlap allows lossless rekey procedures where both transforms are valid until both endpoints are using the new transform and all in-flight packets have been received.
Parameters | |
---|---|
socket |
FileDescriptor: a socket file descriptor This value cannot be null . |
direction |
Int: the direction in which the transform should be applied Value is android.net.IpSecManager#DIRECTION_IN , or android.net.IpSecManager#DIRECTION_OUT |
transform |
IpSecTransform: a transport mode IpSecTransform This value cannot be null . |
Exceptions | |
---|---|
java.io.IOException |
indicating that the transform could not be applied |
openUdpEncapsulationSocket
open fun openUdpEncapsulationSocket(port: Int): IpSecManager.UdpEncapsulationSocket
Open a socket for UDP encapsulation and bind to the given port.
See UdpEncapsulationSocket
for the proper way to close the returned socket.
Parameters | |
---|---|
port |
Int: a local UDP port |
Return | |
---|---|
IpSecManager.UdpEncapsulationSocket |
a socket that is bound to the given port This value cannot be null . |
Exceptions | |
---|---|
java.io.IOException |
indicating that the socket could not be opened or bound |
android.net.IpSecManager.ResourceUnavailableException |
indicating that too many encapsulation sockets are open |
openUdpEncapsulationSocket
open fun openUdpEncapsulationSocket(): IpSecManager.UdpEncapsulationSocket
Open a socket for UDP encapsulation.
See UdpEncapsulationSocket
for the proper way to close the returned socket.
The local port of the returned socket can be obtained by calling android.net.IpSecManager.UdpEncapsulationSocket#getPort()
.
Return | |
---|---|
IpSecManager.UdpEncapsulationSocket |
a socket that is bound to a local port This value cannot be null . |
Exceptions | |
---|---|
java.io.IOException |
indicating that the socket could not be opened or bound |
android.net.IpSecManager.ResourceUnavailableException |
indicating that too many encapsulation sockets are open |
removeTransportModeTransforms
open fun removeTransportModeTransforms(socket: Socket): Unit
Remove an IPsec transform from a stream socket.
Once removed, traffic on the socket will not be encrypted. Removing transforms from a socket allows the socket to be reused for communication in the clear.
If an IpSecTransform
object applied to this socket was deallocated by calling IpSecTransform#close()
, then communication on the socket will fail until this method is called.
Parameters | |
---|---|
socket |
Socket: a socket that previously had a transform applied to it This value cannot be null . |
Exceptions | |
---|---|
java.io.IOException |
indicating that the transform could not be removed from the socket |
removeTransportModeTransforms
open fun removeTransportModeTransforms(socket: DatagramSocket): Unit
Remove an IPsec transform from a datagram socket.
Once removed, traffic on the socket will not be encrypted. Removing transforms from a socket allows the socket to be reused for communication in the clear.
If an IpSecTransform
object applied to this socket was deallocated by calling IpSecTransform#close()
, then communication on the socket will fail until this method is called.
Parameters | |
---|---|
socket |
DatagramSocket: a socket that previously had a transform applied to it This value cannot be null . |
Exceptions | |
---|---|
java.io.IOException |
indicating that the transform could not be removed from the socket |
removeTransportModeTransforms
open fun removeTransportModeTransforms(socket: FileDescriptor): Unit
Remove an IPsec transform from a socket.
Once removed, traffic on the socket will not be encrypted. Removing transforms from a socket allows the socket to be reused for communication in the clear.
If an IpSecTransform
object applied to this socket was deallocated by calling IpSecTransform#close()
, then communication on the socket will fail until this method is called.
Parameters | |
---|---|
socket |
FileDescriptor: a socket that previously had a transform applied to it This value cannot be null . |
Exceptions | |
---|---|
java.io.IOException |
indicating that the transform could not be removed from the socket |