From owner-doc-jp@jp.freebsd.org  Sun Mar 12 11:41:08 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id LAA44841;
	Sun, 12 Mar 2000 11:41:08 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from sv01.geocities.co.jp (sv01.geocities.co.jp [210.153.89.155])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id LAA44836
	for <doc-jp@jp.freebsd.org>; Sun, 12 Mar 2000 11:41:07 +0900 (JST)
	(envelope-from hrs@geocities.co.jp)
Received: from mail.geocities.co.jp (mail.geocities.co.jp [210.153.89.137]) by sv01.geocities.co.jp (8.9.3+3.2W/3.7W) with ESMTP id LAA08684 for <doc-jp@jp.freebsd.org>; Sun, 12 Mar 2000 11:41:07 +0900 (JST)
Received: from mail.hrs.jp (sutkmax1-ppp46.ed.kagu.sut.ac.jp [133.31.177.48]) by mail.geocities.co.jp (1.3G-GeocitiesJ-3.3) with ESMTP id LAA26768 for <doc-jp@jp.freebsd.org>; Sun, 12 Mar 2000 11:41:02 +0900 (JST)
Message-Id: <200003120241.LAA26768@mail.geocities.co.jp>
Received: from localhost (alph.hrs.jp [192.168.0.10])
	by mail.hrs.jp (8.9.3/3.7W/DomainMaster) with ESMTP id LAA29058
	for <doc-jp@jp.freebsd.org>; Sun, 12 Mar 2000 11:40:46 +0900 (JST)
	(envelope-from hrs@hrs.jp)
To: doc-jp@jp.freebsd.org
X-Mailer: Mew version 1.94 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Sun, 12 Mar 2000 11:40:44 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
X-Dispatcher: imput version 990905(IM130)
Lines: 130
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: doc-jp 7159
Subject: [doc-jp 7159] handbook/security/chapter.sgml 1.25 -> 1.26 #1
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@geocities.co.jp

Sato at Tokyo University of Science here.

This is security/chapter.sgml 1.26, to which an explanation of IPsec was added.
Most of it is <screen>..</screen>, so the actual amount of text is
not as much as it looks.

You may ignore the tags and document structure, so
please translate only the English parts.

Part one.

(handbook/security/chapter.sgml 1.25 -> 1.26 #1)

    <para>The IPsec mechanism provides secure communication for both
    IP-layer and socket-layer communication.  This section explains
    how to use it.  For the IPsec implementation, please refer to
    <link linkend="ipsec-implementation">section 23.5.4</link>.</para>

    <para>The current IPsec implementation supports both transport mode
    and tunnel mode.  However, tunnel mode comes with some restrictions.
    <ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/
    </ulink> has more comprehensive examples.</para>

    <sect2>
      <title>Transport mode example with IPv4</title>

      <para>Let's set up security associations to deploy a secure channel
      between HOST A (10.2.3.4) and HOST B (10.6.7.8).  Here we show a slightly
      complicated example.  From HOST A to HOST B, only old AH is used.
      From HOST B to HOST A, new AH and new ESP are combined.</para>

      <para>Now we should choose the algorithm to be used for each of
      "AH"/"new AH"/"ESP"/"new ESP".  Please refer to the &man.setkey.8; man
      page for the algorithm names.  Our choice is MD5 for AH, new-HMAC-SHA1
      for new AH, and new-DES-expIV with an 8 byte IV for new ESP.</para>

      <para>The key length depends on the algorithm.  For example, the key
      length must be exactly 16 bytes for MD5, 20 for new-HMAC-SHA1,
      and 8 for new-DES-expIV.  Here we choose "MYSECRETMYSECRET",
      "KAMEKAMEKAMEKAMEKAME" and "PASSWORD", respectively.</para>

      <para>OK, let's assign an SPI (Security Parameter Index) to each protocol.
      Please note that we need 3 SPIs for this secure channel since three
      security headers are produced (one from HOST A to HOST B, two
      from HOST B to HOST A).  Please also note that an SPI MUST be greater
      than or equal to 256.  We choose 1000, 2000, and 3000, respectively.
      </para>

      <screen>

	         (1)
	HOST A ------> HOST B

	(1)PROTO=AH
		ALG=MD5(RFC1826)
		KEY=MYSECRETMYSECRET
		SPI=1000

	         (2.1)
	HOST A <------ HOST B
	       <------
	         (2.2)

	(2.1)
	PROTO=AH
		ALG=new-HMAC-SHA1(new AH)
		KEY=KAMEKAMEKAMEKAMEKAME
		SPI=2000

	(2.2)
	PROTO=ESP
		ALG=new-DES-expIV(new ESP)
			IV length = 8
		KEY=PASSWORD
		SPI=3000

      </screen>

      <para>Now, let's set up the security associations.  Execute &man.setkey.8;
      on both HOST A and HOST B:</para>

      <screen>

&prompt.root; <command>setkey -c</command>
add 10.2.3.4 10.6.7.8 ah-old  1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah  2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
^D

     </screen>

     <para>Actually, IPsec processing does not take place until security policy
     entries have been defined.  In this case, you must set up each host:</para>

     <screen>

At A:

&prompt.root; <command>setkey -c</command>
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
	ah/transport/10.2.3.4-10.6.7.8/require ;
^D

At B:

&prompt.root; <command>setkey -c</command>
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
	esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
	ah/transport/10.6.7.8-10.2.3.4/require ;
^D


   HOST A --------------------------------------> HOST B
  10.2.3.4                                       10.6.7.8
          |                                     |
          ========== old AH keyed-md5 ==========>

          <========= new AH hmac-sha1 ===========
          <========= new ESP des-cbc ============

     </screen>
    </sect2>
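As an added illustration of the constraints this section states (a fixed key length per algorithm, an SPI of at least 256, and one distinct SPI per security header), here is a small Python generator for the setkey(8) lines of the HOST A / HOST B channel above. It is not part of the Handbook text or of the KAME/FreeBSD code: the function names are mine, the keys are emitted in setkey's 0x hex form rather than as quoted strings, and HOST B's two outbound requirements are written as a single spdadd entry carrying both requests, the form setkey(8) uses to apply both protocols to the same traffic.

```python
# Added example, not from the Handbook text above or from KAME/FreeBSD:
# emit the setkey(8) lines for the HOST A / HOST B channel while enforcing
# the constraints the text states. Function names, the 0x hex key form and
# the combined spdadd for HOST B are choices made here.
import secrets

# Key length in bytes per setkey(8) algorithm name, as given in the text.
KEY_LEN = {
    "keyed-md5": 16,  # old AH (RFC 1826)
    "hmac-sha1": 20,  # new AH
    "des-cbc": 8,     # new ESP, 8-byte IV
}
AUTH_ALGS = {"keyed-md5", "hmac-sha1"}
ENC_ALGS = {"des-cbc"}
MIN_SPI = 256  # SPI values below 256 are reserved


def check_sa(proto, spi, alg, key):
    """Reject an SA whose protocol, SPI, algorithm or key length is wrong."""
    if proto not in ("ah-old", "ah", "esp"):
        raise ValueError(f"unknown protocol {proto!r}")
    if not MIN_SPI <= spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI {spi} must be in [{MIN_SPI}, 2^32-1]")
    if alg not in KEY_LEN:
        raise ValueError(f"unknown algorithm {alg!r}")
    if (proto == "esp") != (alg in ENC_ALGS):
        raise ValueError(f"{alg} cannot be used with {proto}")
    if len(key) != KEY_LEN[alg]:
        raise ValueError(f"{alg} needs a {KEY_LEN[alg]}-byte key, got {len(key)}")


def is_valid_sa(proto, spi, alg, key):
    """True when check_sa accepts the SA; convenient for testing inputs."""
    try:
        check_sa(proto, spi, alg, key)
    except ValueError:
        return False
    return True


def sa_line(src, dst, proto, spi, alg, key):
    """One transport-mode 'add' line; the key is given in setkey's 0x hex form."""
    check_sa(proto, spi, alg, key)
    flag = "-E" if proto == "esp" else "-A"
    return f"add {src} {dst} {proto} {spi} -m transport {flag} {alg} 0x{key.hex()} ;"


def spd_entry(src, dst, protos):
    """Outbound policy from src to dst requiring each listed protocol, as one entry."""
    reqs = "".join(f"\n\t{p}/transport/{src}-{dst}/require" for p in protos)
    return f"spdadd {src} {dst} any -P out ipsec{reqs} ;"


def build_channel(a, b, keys, spis=(1000, 2000, 3000)):
    """Return (sad_lines, spd_a, spd_b) for the A->B old-AH, B->A new-AH+ESP channel.

    keys maps algorithm name -> key bytes; spis gives one SPI per security
    header, which the text requires to be three distinct values."""
    if len(spis) != 3 or len(set(spis)) != 3:
        raise ValueError("three distinct SPIs are needed, one per security header")
    spi_ah_old, spi_ah, spi_esp = spis
    sad = [
        sa_line(a, b, "ah-old", spi_ah_old, "keyed-md5", keys["keyed-md5"]),
        sa_line(b, a, "ah", spi_ah, "hmac-sha1", keys["hmac-sha1"]),
        sa_line(b, a, "esp", spi_esp, "des-cbc", keys["des-cbc"]),
    ]
    spd_a = spd_entry(a, b, ["ah"])
    spd_b = spd_entry(b, a, ["esp", "ah"])  # ESP applied first, AH outside it
    return sad, spd_a, spd_b


if __name__ == "__main__":
    # Random keys of the required length instead of the text's sample strings.
    keys = {alg: secrets.token_bytes(n) for alg, n in KEY_LEN.items()}
    sad, spd_a, spd_b = build_channel("10.2.3.4", "10.6.7.8", keys)
    print("# on both hosts:\n" + "\n".join(sad))
    print("# on HOST A:\n" + spd_a)
    print("# on HOST B:\n" + spd_b)
```

The output can be fed to setkey -c on each host; the main point is that a key of the wrong length or an SPI below 256 is refused before anything reaches the kernel, and that fresh random keys replace the printable sample strings of the text.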


--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@geocities.co.jp>
|
|                                  j7397067@ed.noda.sut.ac.jp(univ)
|                        hrs@jp.FreeBSD.org(FreeBSD doc-jp Project)
