From owner-doc-jp@jp.freebsd.org  Sun Mar 12 11:42:14 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id LAA44968;
	Sun, 12 Mar 2000 11:42:14 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from sv01.geocities.co.jp (sv01.geocities.co.jp [210.153.89.155])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id LAA44963
	for <doc-jp@jp.freebsd.org>; Sun, 12 Mar 2000 11:42:13 +0900 (JST)
	(envelope-from hrs@geocities.co.jp)
Received: from mail.geocities.co.jp (mail.geocities.co.jp [210.153.89.137]) by sv01.geocities.co.jp (8.9.3+3.2W/3.7W) with ESMTP id LAA08881 for <doc-jp@jp.freebsd.org>; Sun, 12 Mar 2000 11:42:13 +0900 (JST)
Received: from mail.hrs.jp (sutkmax1-ppp46.ed.kagu.sut.ac.jp [133.31.177.48]) by mail.geocities.co.jp (1.3G-GeocitiesJ-3.3) with ESMTP id LAA27405 for <doc-jp@jp.freebsd.org>; Sun, 12 Mar 2000 11:42:11 +0900 (JST)
Message-Id: <200003120242.LAA27405@mail.geocities.co.jp>
Received: from localhost (alph.hrs.jp [192.168.0.10])
	by mail.hrs.jp (8.9.3/3.7W/DomainMaster) with ESMTP id LAA29063
	for <doc-jp@jp.freebsd.org>; Sun, 12 Mar 2000 11:41:25 +0900 (JST)
	(envelope-from hrs@hrs.jp)
To: doc-jp@jp.freebsd.org
X-Mailer: Mew version 1.94 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Sun, 12 Mar 2000 11:41:24 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
X-Dispatcher: imput version 990905(IM130)
Lines: 148
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: doc-jp 7160
Subject: [doc-jp 7160] handbook/security/chapter.sgml 1.25 -> 1.26 #2
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@geocities.co.jp

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

$B$U$?$D$a!#(B

(handbook/security/chapter.sgml 1.25 -> 1.26 #2)

    <sect2>
      <title>Transport mode example with IPv6</title>

      <para>Another example, this time using IPv6.</para>

      <para>ESP transport mode is to be used for TCP port 110 (POP3) between
      Host-A and Host-B.  The policy level below is <literal>use</literal>, so
      the kernel applies ESP when a matching SA exists and otherwise lets the
      traffic pass in the clear; use <literal>require</literal> instead if
      unprotected traffic must be refused.</para>

      <screen>

              ============ ESP ============
              |                           |
           Host-A                        Host-B
          fec0::10 -------------------- fec0::11

      </screen>

      <para>The encryption algorithm is blowfish-cbc with the key "kamekame", and
      the authentication algorithm is hmac-sha1 with the key "this is the test
      key".  A key given as a double-quoted string is taken as its raw ASCII
      bytes, so the hmac-sha1 key here is exactly the 160 bits that algorithm
      requires.  These literal keys are for illustration only; real SAs should
      use randomly generated keys, which setkey also accepts in 0x hexadecimal
      form.  Configuration at Host-A:</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
                esp/transport/fec0::10-fec0::11/use ;
        spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
                esp/transport/fec0::11-fec0::10/use ;
        add fec0::10 fec0::11 esp 0x10001
                -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        add fec0::11 fec0::10 esp 0x10002
                -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        EOF

      </screen>

      <para>and at Host-B:</para>

      <screen>
        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
                esp/transport/fec0::11-fec0::10/use ;
        spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
                esp/transport/fec0::10-fec0::11/use ;
        add fec0::10 fec0::11 esp 0x10001 -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        add fec0::11 fec0::10 esp 0x10002 -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        EOF

      </screen>

      <para>Note the direction of each SP: Host-A's <literal>out</literal>
      policy reappears on Host-B as the <literal>in</literal> policy with the
      same selectors, and vice versa, while the SA (<literal>add</literal>)
      entries are identical on both hosts.</para>
    </sect2>
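The two checks worth running before loading scripts like the ones above, as an added Python example that is not part of the handbook or of this message: it parses the spdadd/add forms used on this page, verifies that every key has a length setkey(8) accepts for its algorithm (the limits for blowfish-cbc, hmac-sha1 and keyed-md5 are the documented ones; other algorithms are not covered), and verifies that Host-B's policies mirror Host-A's with the direction swapped, as the note on SP direction above requires. The HOST_A and HOST_B strings are constructed copies of the Host-A and Host-B scripts above; random_key shows how to replace a test phrase such as "kamekame" with a properly generated key.

```python
"""Offline checks for a pair of setkey(8) scripts (added example, not handbook code)."""
import secrets
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key lengths in bits that setkey(8) accepts for the algorithms on this page, as (min, max).
KEY_LENGTH_BITS = {"blowfish-cbc": (40, 448), "hmac-sha1": (160, 160), "keyed-md5": (128, 128)}


@dataclass(frozen=True)
class Policy:                    # one spdadd statement
    src: str                     # address with optional [port], e.g. "fec0::10[any]"
    dst: str
    upper: str                   # upper-layer protocol: "tcp", "any", ...
    direction: str               # "in" or "out"
    requests: Tuple[str, ...]    # e.g. ("esp/transport/fec0::10-fec0::11/use",)


@dataclass(frozen=True)
class SA:                        # one add statement
    src: str
    dst: str
    proto: str                   # "esp", "ah", "ah-old", ...
    spi: int
    mode: str                    # "transport", "tunnel" or "any" (setkey's default)
    enc: Optional[Tuple[str, str]]    # (algorithm, key) given with -E
    auth: Optional[Tuple[str, str]]   # (algorithm, key) given with -A


def parse_setkey(script: str) -> Tuple[List[Policy], List[SA]]:
    """Parse the subset of setkey syntax used on this page: spdadd and add."""
    policies, sas = [], []
    for stmt in script.split(";"):          # every statement ends with ';'
        tok = shlex.split(stmt)             # handles the "quoted key" form
        if not tok:
            continue
        if tok[0] == "spdadd":              # spdadd src dst upper -P dir ipsec request...
            p = tok.index("-P")
            policies.append(Policy(tok[1], tok[2], tok[3], tok[p + 1], tuple(tok[p + 3:])))
        elif tok[0] == "add":               # add src dst proto spi [-m mode] [-E alg key] [-A alg key]
            mode, enc, auth, i = "any", None, None, 5
            while i < len(tok):
                if tok[i] == "-m":
                    mode, i = tok[i + 1], i + 2
                elif tok[i] == "-E":
                    enc, i = (tok[i + 1], tok[i + 2]), i + 3
                elif tok[i] == "-A":
                    auth, i = (tok[i + 1], tok[i + 2]), i + 3
                else:
                    raise ValueError(f"unsupported token {tok[i]!r}")
            sas.append(SA(tok[1], tok[2], tok[3], int(tok[4], 16), mode, enc, auth))
        else:
            raise ValueError(f"unsupported statement {tok[0]!r}")
    return policies, sas


def key_bits(key: str) -> int:
    """setkey takes a key either as "ASCII text" (raw bytes) or as 0x hexadecimal."""
    return (len(key) - 2) * 4 if key.startswith("0x") else len(key.encode("ascii")) * 8


def random_key(bits: int) -> str:
    """A fresh key of the given length in setkey's 0x form, from the OS CSPRNG."""
    return "0x" + secrets.token_hex(bits // 8)


def check_key_lengths(sas: List[SA]) -> List[str]:
    """Report every SA whose key the kernel would reject for its algorithm (KeyError if unknown)."""
    problems = []
    for sa in sas:
        for alg, key in filter(None, (sa.enc, sa.auth)):
            lo, hi = KEY_LENGTH_BITS[alg]
            if not lo <= key_bits(key) <= hi:
                problems.append(f"SPI {sa.spi:#x}: {alg} key is {key_bits(key)} bits, needs {lo}-{hi}")
    return problems


def mirror_problems(host_a: str, host_b: str) -> List[str]:
    """B's SPD must be A's with in/out swapped; the SAD must be identical on both."""
    pol_a, sa_a = parse_setkey(host_a)
    pol_b, sa_b = parse_setkey(host_b)
    flip = {"out": "in", "in": "out"}
    problems = []
    for p in pol_a:
        want = Policy(p.src, p.dst, p.upper, flip[p.direction], p.requests)
        if want not in pol_b:
            problems.append(f"B has no '{want.direction}' policy {p.src} -> {p.dst} mirroring A's '{p.direction}'")
    if set(sa_a) != set(sa_b):
        problems.append("SAD (add) entries differ between the two hosts")
    return problems


# Constructed input: the page's Host-A/Host-B scripts, each add statement on one line.
SAD = """
add fec0::10 fec0::11 esp 0x10001 -m transport -E blowfish-cbc "kamekame" -A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002 -m transport -E blowfish-cbc "kamekame" -A hmac-sha1 "this is the test key" ;
"""
HOST_A = """
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec esp/transport/fec0::10-fec0::11/use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec esp/transport/fec0::11-fec0::10/use ;
""" + SAD
HOST_B = """
spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec esp/transport/fec0::11-fec0::10/use ;
spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec esp/transport/fec0::10-fec0::11/use ;
""" + SAD
```

mirror_problems(HOST_A, HOST_B) returns an empty list for the scripts above, while mirror_problems(HOST_A, HOST_A), the result of copying Host-A's script to Host-B unchanged, reports both policies as unmirrored; check_key_lengths flags, for example, an hmac-sha1 key shorter than 20 bytes, which the kernel would refuse.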

    <sect2>
      <title>Tunnel mode example with IPv4</title>

      <para>Tunnel mode between two security gateways.</para>

      <para>The security protocol is old AH in tunnel mode, i.e. AH as
      specified by RFC 1826 (since superseded by RFC 2402), with keyed-md5 and
      the key "this is the test" as the authentication algorithm.  AH provides
      integrity and origin authentication only: the traffic between Network-A
      and Network-B is not encrypted.</para>

      <screen>

                             ======= AH =======
                             |                |
         Network-A       Gateway-A        Gateway-B        Network-B
        10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24

      </screen>

      <para>Configuration at Gateway-A:</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
                ah/tunnel/172.16.0.1-172.16.0.2/require ;
        spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
                ah/tunnel/172.16.0.2-172.16.0.1/require ;
        add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
                -A keyed-md5 "this is the test" ;
        add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
                -A keyed-md5 "this is the test" ;

        EOF

      </screen>

      <para>If the port number field is omitted, as above, "[any]" is assumed.
      `-m' specifies the mode of the SA.  "-m any" is a wild-card for the mode,
      so the SA can be used for both tunnel mode and transport mode.  As in
      the previous example, the SAs are the same on both gateways and only
      the direction of each SP (together with its source and destination) is
      swapped.</para>

      <para>and at Gateway-B:</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
                ah/tunnel/172.16.0.2-172.16.0.1/require ;
        spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
                ah/tunnel/172.16.0.1-172.16.0.2/require ;
        add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
                -A keyed-md5 "this is the test" ;
        add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
                -A keyed-md5 "this is the test" ;

        EOF

      </screen>

      <para>Making an SA bundle between two security gateways.</para>

      <para>AH transport mode and ESP tunnel mode are required between
      Gateway-A and Gateway-B.  In this case, ESP tunnel mode is applied first
      and AH transport mode next, so on the wire AH is the outermost IPsec
      header and covers the whole ESP-encapsulated packet.</para>

      <screen>

                            ========== AH =========
                            |  ======= ESP =====  |
                            |  |               |  |
       Network-A          Gateway-A        Gateway-B           Network-B
    fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64

      </screen>
    </sect2>
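To make the ordering concrete, here is an added Python model, not handbook code, of what each ipsec request in a policy does to a packet. It assumes the request syntax protocol/mode/src-dst/level used on this page and that requests are applied in the order written (first innermost, last outermost), as the paragraph above states; the inner host addresses fec0:0:0:1::10 and fec0:0:0:2::10 are constructed for the example. It also shows what the old AH tunnel example does not provide: none of that packet is encrypted.

```python
"""Header layout produced by a setkey policy's ipsec requests (added example, not
handbook code).  A request is "protocol/mode/src-dst/level"; requests are applied
in the order written, so the first ends up innermost and the last outermost."""
from typing import List, Tuple

LEVELS = ("default", "use", "require", "unique")   # setkey's policy levels


def parse_request(req: str) -> Tuple[str, str, str, str, str]:
    """Split e.g. "esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require" into
    (protocol, mode, src, dst, level).  Transport mode may leave the
    endpoints empty, as in "ah/transport//require"."""
    proto, mode, endpoints, level = req.split("/")
    if not level.startswith(LEVELS):
        raise ValueError(f"bad level {level!r} in {req!r}")
    if mode == "tunnel" and "-" not in endpoints:
        raise ValueError(f"tunnel mode needs gateway addresses: {req!r}")
    src, dst = endpoints.split("-") if endpoints else ("", "")
    return proto, mode, src, dst, level


def header_chain(inner_src: str, inner_dst: str, requests: List[str]) -> List[str]:
    """Return the on-the-wire header sequence after applying every request."""
    chain = [f"IP {inner_src}->{inner_dst}", "payload"]
    for req in requests:
        proto, mode, src, dst, _ = parse_request(req)
        if mode == "tunnel":
            # New outer IP header with the gateway addresses, then the IPsec
            # header, then the whole original packet as its payload.
            chain = [f"IP {src}->{dst}", proto.upper()] + chain
        elif mode == "transport":
            # The IPsec header is inserted behind the current outermost IP header.
            chain = chain[:1] + [proto.upper()] + chain[1:]
        else:
            raise ValueError(f"unknown mode {mode!r} in {req!r}")
    return chain


def encrypted_part(chain: List[str]) -> List[str]:
    """ESP encrypts everything after its header (up to its own trailer); AH encrypts nothing."""
    return chain[chain.index("ESP") + 1:] if "ESP" in chain else []


def authenticated_part(chain: List[str]) -> List[str]:
    """Coverage of the outermost integrity check.  AH authenticates the IP header
    it is attached to (mutable fields excepted) and everything behind it; ESP's
    ICV covers only the ESP header and what follows, never the IP header."""
    idx = {h: chain.index(h) for h in ("AH", "ESP") if h in chain}
    if not idx:
        return []
    outer = min(idx, key=idx.get)
    return chain[idx[outer] - 1:] if outer == "AH" else chain[idx[outer]:]


# Constructed hosts behind the gateways of the SA-bundle diagram above.
BUNDLE = header_chain("fec0:0:0:1::10", "fec0:0:0:2::10",
                      ["esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require",
                       "ah/transport//require"])
# BUNDLE == ['IP fec0:0:0:1::1->fec0:0:0:2::1', 'AH', 'ESP',
#            'IP fec0:0:0:1::10->fec0:0:0:2::10', 'payload']
```

Swapping the two requests puts AH inside the ESP tunnel (outer IP, ESP, inner IP, AH, payload), so the outer header would no longer be authenticated; for the old AH tunnel example, encrypted_part returns an empty list, which is the point made above about AH giving no confidentiality.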

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@geocities.co.jp>
|
|                                  j7397067@ed.noda.sut.ac.jp(univ)
|                        hrs@jp.FreeBSD.org(FreeBSD doc-jp Project)
