1 '\" te
2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .TH IKEADM 1M "Jan 27, 2009"
7 .SH NAME
8 ikeadm \- manipulate Internet Key Exchange (IKE) parameters and state
9 .SH SYNOPSIS
10 .LP
11 .nf
12 \fBikeadm\fR [\fB-np\fR]
13 .fi
14
15 .LP
16 .nf
17 \fBikeadm\fR [\fB-np\fR] get [debug | priv | stats | defaults]
18 .fi
19
20 .LP
21 .nf
22 \fBikeadm\fR [\fB-np\fR] set [debug | priv] [level] [file]
23 .fi
24
25 .LP
26 .nf
27 \fBikeadm\fR [\fB-np\fR] [get | del] [p1 | rule | preshared] [id]
28 .fi
29
30 .LP
31 .nf
32 \fBikeadm\fR [\fB-np\fR] add [rule | preshared] { \fIdescription\fR }
33 .fi
34
35 .LP
36 .nf
37 ikeadm [\fB-np\fR] token [login | logout] \fIPKCS#11_Token_Object\fR
38 .fi
39
40 .LP
41 .nf
42 \fBikeadm\fR [\fB-np\fR] [read | write] [rule | preshared | certcache] \fIfile\fR
43 .fi
44
45 .LP
46 .nf
47 \fBikeadm\fR [\fB-np\fR] [dump | pls | rule | preshared]
48 .fi
49
50 .LP
51 .nf
52 \fBikeadm\fR [\fB-np\fR] flush [p1 | certcache]
53 .fi
54
55 .LP
56 .nf
57 \fBikeadm\fR help
58 [get | set | add | del | read | write | dump | flush | token]
59 .fi
60
61 .SH DESCRIPTION
62 .LP
63 The \fBikeadm\fR utility retrieves information from and manipulates the
64 configuration of the Internet Key Exchange (\fBIKE\fR) protocol daemon,
65 \fBin.iked\fR(1M).
66 .sp
67 .LP
68 \fBikeadm\fR supports a set of operations, which may be performed on one or
69 more of the supported object types. When invoked without arguments,
70 \fBikeadm\fR enters interactive mode which prints a prompt to the standard
71 output and accepts commands from the standard input until the end-of-file is
72 reached.
73 .sp
74 .LP
75 Because \fBikeadm\fR manipulates sensitive keying information, you must be
76 superuser to use this command. Additionally, some of the commands available
77 require that the daemon be running in a privileged mode, which is established
78 when the daemon is started.
79 .sp
80 .LP
81 For details on how to use this command securely see .
82 .SH OPTIONS
83 .LP
84 The following options are supported:
85 .sp
86 .ne 2
87 .na
88 \fB\fB-n\fR\fR
89 .ad
90 .sp .6
91 .RS 4n
92 Prevent attempts to print host and network names symbolically when reporting
93 actions. This is useful, for example, when all name servers are down or are
94 otherwise unreachable.
95 .RE
96
97 .sp
98 .ne 2
99 .na
100 \fB\fB-p\fR\fR
101 .ad
102 .sp .6
103 .RS 4n
104 Paranoid. Do not print any keying material, even if saving Security
105 Associations. Instead of an actual hexadecimal digit, print an \fBX\fR when
106 this flag is turned on.
107 .RE
108
109 .SH USAGE
110 .SS "Commands"
111 .LP
112 The following commands are supported:
113 .sp
114 .ne 2
115 .na
116 \fB\fBadd\fR\fR
117 .ad
118 .sp .6
119 .RS 4n
120 Add the specified object. This option can be used to add a new policy rule or a
121 new preshared key to the current (running) in.iked configuration. When adding a
122 new preshared key, the command cannot be invoked from the command line, as it
123 will contain keying material. The rule or key being added is specified using
124 appropriate id-value pairs as described in the \fBID FORMATS\fR section.
125 .RE
126
127 .sp
128 .ne 2
129 .na
130 \fB\fBdel\fR\fR
131 .ad
132 .sp .6
133 .RS 4n
134 Delete a specific object or objects from \fBin.iked\fR's current configuration.
135 This operation is available for \fBIKE\fR (Phase 1) \fBSA\fRs, policy rules,
136 and preshared keys. The object to be deleted is specified as described in the
137 \fBId Formats\fR.
138 .RE
139
140 .sp
141 .ne 2
142 .na
143 \fB\fBdump\fR\fR
144 .ad
145 .sp .6
146 .RS 4n
147 Display all objects of the specified type known to \fBin.iked\fR. This option
148 can be used to display all Phase 1 \fBSA\fRs, policy rules, preshared keys, or
149 the certificate cache. A large amount of output may be generated by this
150 command.
151 .RE
152
153 .sp
154 .ne 2
155 .na
156 \fB\fBflush\fR\fR
157 .ad
158 .sp .6
159 .RS 4n
160 Remove all \fBIKE\fR (Phase 1) \fBSA\fRs or cached certificates from
161 \fBin.iked\fR.
162 .sp
163 Note that flushing the \fBcertcache\fR will also (as a side-effect) update IKE
164 with any new certificates added or removed.
165 .RE
166
167 .sp
168 .ne 2
169 .na
170 \fB\fBget\fR\fR
171 .ad
172 .sp .6
173 .RS 4n
174 Lookup and display the specified object. May be used to view the current debug
175 or privilege level, global statistics and default values for the daemon, or a
176 specific \fBIKE\fR (Phase 1) \fBSA\fR, policy rule, or preshared key. The
177 latter three object types require that identifying information be passed in;
178 the appropriate specification for each object type is described below.
179 .RE
180
181 .sp
182 .ne 2
183 .na
184 \fB\fBhelp\fR\fR
185 .ad
186 .sp .6
187 .RS 4n
188 Print a brief summary of commands, or, when followed by a command, prints
189 information about that command.
190 .RE
191
192 .sp
193 .ne 2
194 .na
195 \fB\fBread\fR\fR
196 .ad
197 .sp .6
198 .RS 4n
199 Update the current \fBin.iked\fR configuration by reading the policy rules or
200 preshared keys from either the default location or from the file specified.
201 .RE
202
203 .sp
204 .ne 2
205 .na
206 \fB\fBset\fR\fR
207 .ad
208 .sp .6
209 .RS 4n
210 Adjust the current debug or privilege level. If the debug level is being
211 modified, an output file may optionally be specified; the output file
212 \fBmust\fR be specified if the daemon is running in the background and is not
213 currently printing to a file. When changing the privilege level, adjustments
214 may only be made to lower the access level; it cannot be increased using
215 ikeadm.
216 .RE
217
218 .sp
219 .ne 2
220 .na
221 \fB\fBwrite\fR\fR
222 .ad
223 .sp .6
224 .RS 4n
225 Write the current \fBin.iked\fR policy rule set or preshared key set to the
226 specified file. A destination file must be specified. This command should not
227 be used to overwrite the existing configuration files.
228 .RE
229
230 .sp
231 .ne 2
232 .na
233 \fB\fBtoken\fR\fR
234 .ad
235 .sp .6
236 .RS 4n
237 Log into a PKCS#11 token object and grant access to keying material or log out
238 and invalidate access to keying material.
239 .sp
240 \fBtoken\fR can be run as a normal user with the following authorizations:
241 .RS +4
242 .TP
243 .ie t \(bu
244 .el o
245 \fBtoken\fR login: \fBsolaris.network.ipsec.ike.token.login\fR
246 .RE
247 .RS +4
248 .TP
249 .ie t \(bu
250 .el o
251 \fBtoken\fR logout: \fBsolaris.network.ipsec.ike.token.logout\fR
252 .RE
253 .RE
254
255 .SS "Object Types"
256 .ne 2
257 .na
258 \fBdebug\fR
259 .ad
260 .sp .6
261 .RS 4n
262 Specifies the daemon's debug level. This determines the amount and type of
263 output provided by the daemon about its operations. The debug level is actually
264 a bitmask, with individual bits enabling different types of information.
265 .sp
266
267 .sp
268 .TS
269 c c c
270 l l l .
271 Description Flag Nickname
272 _
273 Certificate management 0x0001 cert
274 Key management 0x0002 key
275 Operational 0x0004 op
276 Phase 1 SA creation 0x0008 phase1
277 Phase 2 SA creation 0x0010 phase2
278 PF_KEY interface 0x0020 pfkey
279 Policy management 0x0040 policy
280 Proposal construction 0x0080 prop
281 Door interface 0x0100 door
282 Config file processing 0x0200 config
283 All debug flags 0x3ff all
284 .TE
285
286 When specifying the debug level, either a number (decimal or hexadecimal) or a
287 string of nicknames may be given. For example, \fB88\fR, \fB0x58\fR, and
288 \fBphase1\fR+\fBphase2\fR+\fBpolicy\fR are all equivalent, and will turn on
289 debug for \fBphase 1\fR \fBsa\fR creation, \fBphase 2 sa\fR creation, and
290 policy management. A string of nicknames may also be used to remove certain
291 types of information; \fBall-op\fR has the effect of turning on all debug
292 \fBexcept\fR for operational messages; it is equivalent to the numbers
293 \fB1019\fR or \fB0x3fb\fR.
294 .RE
295
296 .sp
297 .ne 2
298 .na
299 \fBpriv\fR
300 .ad
301 .sp .6
302 .RS 4n
303 Specifies the daemon's access privilege level. The possible values are:
304 .sp
305 .in +2
306 .nf
307 Description Level Nickname
308 Base level 0 base
309 Access to preshared key info 1 modkeys
310 Access to keying material 2 keymat
311 .fi
312 .in -2
313 .sp
314
315 By default, \fBin.iked\fR is started at the base level. A command-line option
316 can be used to start the daemon at a higher level. \fBikeadm\fR can be used to
317 lower the level, but it cannot be used to raise the level.
318 .sp
319 Either the numerical level or the nickname may be used to specify the target
320 privilege level.
321 .sp
322 In order to get, add, delete, dump, read, or write preshared keys, the
323 privilege level must at least give access to preshared key information.
324 However, when viewing preshared keys (either using the get or dump command),
325 the key itself will only be available if the privilege level gives access to
326 keying material. This is also the case when viewing Phase 1 \fBSA\fRs.
327 .RE
328
329 .sp
330 .ne 2
331 .na
332 \fBstats\fR
333 .ad
334 .sp .6
335 .RS 4n
336 Global statistics from the daemon, covering both successful and failed Phase 1
337 \fBSA\fR creation.
338 .sp
339 Reported statistics include:
340 .RS +4
341 .TP
342 .ie t \(bu
343 .el o
344 Count of current P1 \fBSA\fRs which the local entity initiated
345 .RE
346 .RS +4
347 .TP
348 .ie t \(bu
349 .el o
350 Count of current P1 \fBSA\fRs where the local entity was the responder
351 .RE
352 .RS +4
353 .TP
354 .ie t \(bu
355 .el o
356 Count of all P1 \fBSA\fRs which the local entity initiated since boot
357 .RE
358 .RS +4
359 .TP
360 .ie t \(bu
361 .el o
362 Count of all P1 \fBSA\fRs where the local entity was the responder since boot
363 .RE
364 .RS +4
365 .TP
366 .ie t \(bu
367 .el o
368 Count of all attempted \fBP1\fR \fBSA\fRs since boot, where the local entity
369 was the initiator; includes failed attempts
370 .RE
371 .RS +4
372 .TP
373 .ie t \(bu
374 .el o
375 Count of all attempted P1 \fBSA\fRs since boot, where the local entity was the
376 responder; includes failed attempts
377 .RE
378 .RS +4
379 .TP
380 .ie t \(bu
381 .el o
382 Count of all failed attempts to initiate a \fBP1\fR \fBSA\fR, where the failure
383 occurred because the peer did not respond
384 .RE
385 .RS +4
386 .TP
387 .ie t \(bu
388 .el o
389 Count of all failed attempts to initiate a P1 \fBSA\fR, where the peer
390 responded
391 .RE
392 .RS +4
393 .TP
394 .ie t \(bu
395 .el o
396 Count of all failed \fBP1\fR \fBSA\fRs where the peer was the initiator
397 .RE
398 .RS +4
399 .TP
400 .ie t \(bu
401 .el o
402 Whether a PKCS#11 library is in use, and if applicable, the PKCS#11 library
403 that is loaded. See .
404 .RE
405 .RE
406
407 .sp
408 .ne 2
409 .na
410 \fBdefaults\fR
411 .ad
412 .sp .6
413 .RS 4n
414 Display default values used by the \fBin.iked\fR daemon. Some values can be
415 overridden in the daemon configuration file (see \fBike.config\fR(4)); for these
416 values, the token name is displayed in the \fBget defaults\fR output. The
417 output will reflect where a configuration token has changed the default.
418 .sp
419 Default values might be ignored in the event a peer system makes a valid
420 alternative proposal or they can be overridden by per-rule values established in
421 \fBike.config\fR. In such instances, a \fBget defaults\fR command continues to
422 display the default values, not the values used to override the defaults.
423 .RE
424
425 .sp
426 .ne 2
427 .na
428 \fBp1\fR
429 .ad
430 .sp .6
431 .RS 4n
432 An \fBIKE\fR Phase 1 \fBSA\fR. A \fBp1\fR object is identified by an \fBIP\fR
433 address pair or a cookie pair; identification formats are described below.
434 .RE
435
436 .sp
437 .ne 2
438 .na
439 \fBrule\fR
440 .ad
441 .sp .6
442 .RS 4n
443 An \fBIKE\fR policy rule, defining the acceptable security characteristics for
444 Phase 1 \fBSA\fRs between specified local and remote identities. A rule is
445 identified by its label; identification formats are described below.
446 .RE
447
448 .sp
449 .ne 2
450 .na
451 \fBpreshared\fR
452 .ad
453 .sp .6
454 .RS 4n
455 A preshared key, including the local and remote identification and applicable
456 \fBIKE\fR mode. A preshared key is identified by an \fBIP\fR address pair or an
457 identity pair; identification formats are described below.
458 .RE
459
460 .SS "Id Formats"
461 .LP
462 Commands like \fBadd\fR, \fBdel\fR, and \fBget\fR require that additional
463 information be specified on the command line. In the case of the delete and get
464 commands, all that is required is to minimally identify a given object; for the
465 add command, the full object must be specified.
466 .sp
467 .LP
468 Minimal identification is accomplished in most cases by a pair of values. For
469 \fBIP\fR addresses, the local addr and then the remote addr are specified,
470 either in dot-notation for IPv4 addresses, colon-separated hexadecimal format
471 for IPv6 addresses, or a host name present in the host name database. If a host
472 name is given that expands to more than one address, the requested operation
473 will be performed multiple times, once for each possible combination of
474 addresses.
475 .sp
476 .LP
477 Identity pairs are made up of a local type-value pair, followed by the remote
478 type-value pair. Valid types are:
479 .sp
480 .ne 2
481 .na
482 \fBprefix\fR
483 .ad
484 .sp .6
485 .RS 4n
486 An address prefix.
487 .RE
488
489 .sp
490 .ne 2
491 .na
492 \fBfqdn\fR
493 .ad
494 .sp .6
495 .RS 4n
496 A fully-qualified domain name.
497 .RE
498
499 .sp
500 .ne 2
501 .na
502 \fBdomain\fR
503 .ad
504 .sp .6
505 .RS 4n
506 Domain name, synonym for fqdn.
507 .RE
508
509 .sp
510 .ne 2
511 .na
512 \fBuser_fqdn\fR
513 .ad
514 .sp .6
515 .RS 4n
516 User identity of the form \fIuser\fR@fqdn.
517 .RE
518
519 .sp
520 .ne 2
521 .na
522 \fBmailbox\fR
523 .ad
524 .sp .6
525 .RS 4n
526 Synonym for \fBuser_fqdn\fR.
527 .RE
528
529 .sp
530 .LP
531 A cookie pair is made up of the two cookies assigned to a Phase 1 Security
532 Association (\fBSA\fR) when it is created; first is the initiator's, followed
533 by the responder's. A cookie is a 64-bit number.
534 .sp
535 .LP
536 Finally, a label (which is used to identify a policy rule) is a character
537 string assigned to the rule when it is created.
538 .sp
539 .LP
540 Formatting a rule or preshared key for the add command follows the format rules
541 for the in.iked configuration files. Both are made up of a series of id-value
542 pairs, contained in curly braces (\fB{\fR and \fB}\fR). See \fBike.config\fR(4)
543 and \fBike.preshared\fR(4) for details on the formatting of rules and preshared
544 keys.
545 .SH SECURITY
546 .LP
547 The \fBikeadm\fR command allows a privileged user to enter cryptographic keying
548 information. If an adversary gains access to such information, the security of
549 IPsec traffic is compromised. The following issues should be taken into account
550 when using the \fBikeadm\fR command.
551 .RS +4
552 .TP
553 .ie t \(bu
554 .el o
555 Is the \fBTTY\fR going over a network (interactive mode)?
556 .sp
557 If it is, then the security of the keying material is the security of the
558 network path for this \fBTTY\fR's traffic. Using \fBikeadm\fR over a clear-text
559 telnet or rlogin session is risky. Even local windows may be vulnerable to
560 attacks where a concealed program that reads window events is present.
561 .RE
562 .RS +4
563 .TP
564 .ie t \(bu
565 .el o
566 Is the file accessed over the network or readable to the world (read/write
567 commands)?
568 .sp
569 A network-mounted file can be sniffed by an adversary as it is being read. A
570 world-readable file with keying material in it is also risky.
571 .RE
572 .sp
573 .LP
574 If your source address is a host that can be looked up over the network, and
575 your naming system itself is compromised, then any names used will no longer be
576 trustworthy.
577 .sp
578 .LP
579 Security weaknesses often lie in misapplication of tools, not the tools
580 themselves. It is recommended that administrators are cautious when using the
581 \fBikeadm\fR command. The safest mode of operation is probably on a console, or
582 other hard-connected \fBTTY\fR.
583 .sp
584 .LP
585 For additional information regarding this subject, see the afterward by Matt
586 Blaze in Bruce Schneier's \fIApplied Cryptography: Protocols, Algorithms, and
587 Source Code in C.\fR
588 .SH EXAMPLES
589 .LP
590 \fBExample 1 \fREmptying out all Phase 1 Security Associations
591 .sp
592 .LP
593 The following command empties out all Phase 1 Security Associations:
594
595 .sp
596 .in +2
597 .nf
598 example# \fBikeadm flush p1\fR
599 .fi
600 .in -2
601 .sp
602
603 .LP
604 \fBExample 2 \fRDisplaying all Phase 1 Security Associations
605 .sp
606 .LP
607 The following command displays all Phase 1 Security Associations:
608
609 .sp
610 .in +2
611 .nf
612 example# \fBikeadm dump p1\fR
613 .fi
614 .in -2
615 .sp
616
617 .LP
618 \fBExample 3 \fRDeleting a Specific Phase 1 Security Association
619 .sp
620 .LP
621 The following command deletes the specified Phase 1 Security Associations:
622
623 .sp
624 .in +2
625 .nf
626 example# \fBikeadm del p1 local_ip remote_ip\fR
627 .fi
628 .in -2
629 .sp
630
631 .LP
632 \fBExample 4 \fRAdding a Rule From a File
633 .sp
634 .LP
635 The following command adds a rule from a file:
636
637 .sp
638 .in +2
639 .nf
640 example# \fBikeadm add rule rule_file\fR
641 .fi
642 .in -2
643 .sp
644
645 .LP
646 \fBExample 5 \fRAdding a Preshared Key
647 .sp
648 .LP
649 The following command adds a preshared key:
650
651 .sp
652 .in +2
653 .nf
654 example# \fBikeadm\fR
655 ikeadm> \fBadd preshared { localidtype ip localid local_ip
656 remoteidtype ip remoteid remote_ip ike_mode main
657 key 1234567890abcdef1234567890abcdef }\fR
658 .fi
659 .in -2
660 .sp
661
662 .LP
663 \fBExample 6 \fRSaving All Preshared Keys to a File
664 .sp
665 .LP
666 The following command saves all preshared keys to a file:
667
668 .sp
669 .in +2
670 .nf
671 example# \fBikeadm write preshared target_file\fR
672 .fi
673 .in -2
674 .sp
675
676 .LP
677 \fBExample 7 \fRViewing a Particular Rule
678 .sp
679 .LP
680 The following command views a particular rule:
681
682 .sp
683 .in +2
684 .nf
685 example# \fBikeadm get rule rule_label\fR
686 .fi
687 .in -2
688 .sp
689
690 .LP
691 \fBExample 8 \fRReading in New Rules from \fBike.config\fR
692 .sp
693 .LP
694 The following command reads in new rules from the ike.config file:
695
696 .sp
697 .in +2
698 .nf
699 example# \fBikeadm read rules\fR
700 .fi
701 .in -2
702 .sp
703
704 .LP
705 \fBExample 9 \fRLowering the Privilege Level
706 .sp
707 .LP
708 The following command lowers the privilege level:
709
710 .sp
711 .in +2
712 .nf
713 example# \fBikeadm set priv base\fR
714 .fi
715 .in -2
716 .sp
717
718 .LP
719 \fBExample 10 \fRViewing the Debug Level
720 .sp
721 .LP
722 The following command shows the current debug level
723
724 .sp
725 .in +2
726 .nf
727 example# \fBikeadm get debug\fR
728 .fi
729 .in -2
730 .sp
731
732 .LP
733 \fBExample 11 \fRUsing stats to Verify Hardware Accelerator
734 .sp
735 .LP
736 The following example shows how stats may include an optional line at the end
737 to indicate if IKE is using a PKCS#11 library to accelerate public-key
738 operations, if applicable.
739
740 .sp
741 .in +2
742 .nf
743 example# \fBikeadm get stats\fR
744 Phase 1 SA counts:
745 Current: initiator: 0 responder: 0
746 Total: initiator: 21 responder: 27
747 Attempted:initiator: 21 responder: 27
748 Failed: initiator: 0 responder: 0
749 initiator fails include 0 time-out(s)
750 PKCS#11 library linked in from /opt/SUNWconn/lib/libpkcs11.so
751 example#
752 .fi
753 .in -2
754 .sp
755
756 .LP
757 \fBExample 12 \fRDisplaying the Certificate Cache
758 .sp
759 .LP
760 The following command shows the certificate cache and the status of associated
761 private keys, if applicable:
762
763 .sp
764 .in +2
765 .nf
766 example# \fBikeadm dump certcache\fR
767 .fi
768 .in -2
769 .sp
770
771 .LP
772 \fBExample 13 \fRLogging into a PKCS#11 Token
773 .sp
774 .LP
775 The following command shows logging into a PKCS#11 token object and unlocking
776 private keys:
777
778 .sp
779 .in +2
780 .nf
781 example# \fBikeadm token login "Sun Metaslot"\fR
782 Enter PIN for PKCS#11 token:
783 ikeadm: PKCS#11 operation successful
784 .fi
785 .in -2
786 .sp
787
788 .SH EXIT STATUS
789 .LP
790 The following exit values are returned:
791 .sp
792 .ne 2
793 .na
794 \fB\fB0\fR\fR
795 .ad
796 .RS 12n
797 Successful completion.
798 .RE
799
800 .sp
801 .ne 2
802 .na
803 \fB\fBnon-zero\fR\fR
804 .ad
805 .RS 12n
806 An error occurred. Writes an appropriate error message to standard error.
807 .RE
808
809 .SH ATTRIBUTES
810 .LP
811 See \fBattributes\fR(5) for descriptions of the following attributes:
812 .sp
813
814 .sp
815 .TS
816 box;
817 c | c
818 l | l .
819 ATTRIBUTE TYPE ATTRIBUTE VALUE
820 _
821 Interface Stability Not an Interface
822 .TE
823
824 .SH SEE ALSO
825 .LP
826 \fBin.iked\fR(1M), \fBike.config\fR(4), \fBike.preshared\fR(4),
827 \fBattributes\fR(5), \fBipsec\fR(7P)
828 .sp
829 .LP
830 Schneier, Bruce, \fIApplied Cryptography: Protocols, Algorithms, and Source
831 Code in C\fR, Second Edition, John Wiley & Sons, New York, NY, 1996.
832 .SH NOTES
833 .LP
834 As \fBin.iked\fR can run only in the global zone and exclusive-IP zones, this
835 command is not useful in shared-IP zones.