From owner-doc-jp@jp.freebsd.org  Thu Mar 16 17:44:36 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id RAA46654;
	Thu, 16 Mar 2000 17:44:36 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from thumb.nail.or.jp (ppp147.dialup.st.keio.ac.jp [131.113.27.147])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id RAA46647
	for <doc-jp@jp.freebsd.org>; Thu, 16 Mar 2000 17:44:33 +0900 (JST)
	(envelope-from dui@360.cc)
Received: from localhost (localhost.nail.or.jp [127.0.0.1])
	by thumb.nail.or.jp (8.9.3/8.9.3) with ESMTP id RAA00999
	for <doc-jp@jp.freebsd.org>; Thu, 16 Mar 2000 17:44:15 +0900 (JST)
	(envelope-from dui@360.cc)
To: doc-jp@jp.freebsd.org
In-Reply-To: Your message of "Sun, 12 Mar 2000 11:40:44 +0900"
	<200003120241.LAA26768@mail.geocities.co.jp>
References: <200003120241.LAA26768@mail.geocities.co.jp>
X-Mailer: Mew version 1.93 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Message-Id: <20000316174414I.dui@360.cc>
Date: Thu, 16 Mar 2000 17:44:14 +0900
From: Naoto Kaneko <dui@360.cc>
X-Dispatcher: imput version 980905(IM100)
Lines: 253
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7170
Subject: [doc-jp 7170] Re: handbook/security/chapter.sgml 1.25 -> 1.26 #1
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: dui@360.cc

$B6b;R$G$9!#(B

$B5;=Q$N$3$H$,NI$/$o$+$C$FK]Lu$7$F$$$k$o$1$G$O$J$$$N$G!"$*$+$7$JItJ,$,$"(B
$B$l$P$4;XE&$/$@$5$$!#$3$o$C$Q3X@8$,JY6/$N$D$b$j$G$d$C$F$^$9!#29$+$$L\$G(B
$B8+$F$d$C$F$/$@$5$$!#(B

From: Hiroki Sato <hrs@geocities.co.jp>
Subject: [doc-jp 7159] handbook/security/chapter.sgml 1.25 -> 1.26 #1
Date: Sun, 12 Mar 2000 11:40:44 +0900
Message-ID: <200003120241.LAA26768@mail.geocities.co.jp>

> (handbook/security/chapter.sgml 1.25 -> 1.26 #1)
> 
>     <para>IPsec mechanism provides secure communication either for IP
>     layer and socket layer communication.  This section should
>     explain how to use them.  About IPsec implementation, please
>     refer <link linkend="ipsec-implementation">section 23.5.4</link>.</para>
> 
>     <para>The current IPsec implementation supports both transport mode
>     and tunnel mode.  However, tunnel mode comes with some restrictions.
>     <ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/
>     </ulink> has more comprehensive examples.</para>
> 
>     <sect2>
>       <title>Transport mode example with IPv4</title>
> 
>       <para>Let's setup security association to deploy a secure channel
>       between HOST A (10.2.3.4) and HOST B (10.6.7.8).  Here we show a little
>       complicated example.  From HOST A to HOST B, only old AH is used.
>       From HOST B to HOST A, new AH and new ESP are combined.</para>
> 
>       <para>Now we should choose algorithm to be used corresponding to
>       "AH"/"new AH"/"ESP"/"new ESP".  Please refer to the &man.setkey.8; man
>       page to know algorithm names.  Our choice is MD5 for AH, new-HMAC-SHA1
>       for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para>
> 
>       <para>Key length highly depends on each algorithm.  For example, key
>       length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
>       and 8 for new-DES-expIV.  Now we choose "MYSECRETMYSECRET",
>       "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para>
> 
>       <para>OK, let's assign SPI (Security Parameter Index) for each protocol.
>       Please note that we need 3 SPIs for this secure channel since three
>       security headers are produced (one for from HOST A to HOST B, two for
>       from HOST B to HOST A).  Please also note that SPI MUST be greater
>       than or equal to 256.  We choose, 1000, 2000, and 3000, respectively.
>       </para>
> 
>       <screen>
> 
> 	         (1)
> 	HOST A ------> HOST B
> 
> 	(1)PROTO=AH
> 		ALG=MD5(RFC1826)
> 		KEY=MYSECRETMYSECRET
> 		SPI=1000
> 
> 	         (2.1)
> 	HOST A <------ HOST B
> 	       <------
> 	         (2.2)
> 
> 	(2.1)
> 	PROTO=AH
> 		ALG=new-HMAC-SHA1(new AH)
> 		KEY=KAMEKAMEKAMEKAMEKAME
> 		SPI=2000
> 
> 	(2.2)
> 	PROTO=ESP
> 		ALG=new-DES-expIV(new ESP)
> 			IV length = 8
> 		KEY=PASSWORD
> 		SPI=3000
> 
>       </screen>
> 
>       <para>Now, let's setup security association.  Execute &man.setkey.8;
>       on both HOST A and B:</para>
> 
>       <screen>
> 
> &prompt.root; <command>setkey -c</command>
> add 10.2.3.4 10.6.7.8 ah-old  1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
> add 10.6.7.8 10.2.3.4 ah  2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
> add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
> ^D
> 
>      </screen>
> 
>      <para>Actually, IPsec communication doesn't process until security policy
>      entries will be defined.  In this case, you must setup each host.</para>
> 
>      <screen>
> 
> At A:
> 
> &prompt.root; <command>setkey -c</command>
> spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
> 	ah/transport/10.2.3.4-10.6.7.8/require ;
> ^D
> 
> At B:
> 
> &prompt.root; <command>setkey -c</command>
> spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
> 	esp/transport/10.6.7.8-10.2.3.4/require ;
> spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
> 	ah/transport/10.6.7.8-10.2.3.4/require ;
> ^D
> 
> 
>    HOST A --------------------------------------> HOST E
>   10.2.3.4                                       10.6.7.8
>           |                                     |
>           ========== old AH keyed-md5 ==========>
> 
>           <========= new AH hmac-sha1 ===========
>           <========= new ESP des-cbc ============
> 
>      </screen>
>     </sect2>

(handbook/security/chapter.sgml 1.25 -> 1.26 #1)

    <para>IPsec$B5!9=$O(BIP$B%l%$%d(B, $B%=%1%C%H%l%$%dN>J}$G$N$JDL?.$rDs6!$7$^(B
    $B$9(B. $B$3$N%;%/%7%g%s$G$O$=$N;HMQK!$K$D$$$F@bL@$7$^$9(B. IPsec$B$K$D$$$F(B
    $B$O(B<link linkend="ipsec-implementation">$B%;%/%7%g%s(B23.5.4</link>$B$r;2(B
    $B>H$7$F$/$@$5$$(B. </para>

    <para>$B8=:_$N(BIPsec$B$N<BAu$O%H%i%s%9%]!<%H%b!<%I$H%H%s%M%k%b!<%I$r%5(B
    $B%]!<%H$7$^$9(B. $B$7$+$7(B, $B%H%s%M%k%b!<%I$G$O$$$/$i$+$N@)8B$,$D$$$F$-$^(B
    $B$9(B. $BJq3gE*$JNc$O(B<ulink url="http://www.kame.net/newsletter/">
    http://www.kame.net/newsletter/</ulink>$B$K$"$j$^$9(B. </para>

    <sect2>
      <title>IPv4$B$G$N%H%i%s%9%]!<%H%b!<%I$NNc(B</title>

      <para>HOST A (10.2.3.4)$B$H(BHOST B (10.6.7.8)$B$N4V$K%;%-%e%"%A%c%s%M(B
      $B%k$rG[Hw$9$k$?$a(B, $B%;%-%e%j%F%#4X78$N%;%C%H%"%C%W$r$7$^$9(B. $B$3$3$G(B
      $B$O(B, $B>/$7J#;($JNc$r>R2p$7$^$9(B. HOST A$B$+$i(BHOST B$B$X$O8E$$(BAH$B$N$_$,;H(B
      $BMQ$5$l$F$$$^$9(B. HOST B$B$+$i(BHOST A$B$X$O?7$7$$(BAH$B$H?7$7$$(BESP$B$NAH9g$;(B
      $B$G$9(B. </para>

      <para>"AH"/"$B?7$7$$(BAH"/"ESP"/"$B?7$7$$(BESP"$B$KBP1~$9$k%"%k%4%j%:%`$r(B
      $BA*Br$9$kI,MW$,$"$j$^$9(B. $B%"%k%4%j%:%`$NL>A0$K$D$$$F$O(B
      &man.setkey.8$B$N(Bman$B%Z!<%8$r;2>H$7$F$/$@$5$$(B. $B$3$3$G$O(B, AH$B$K$O(BMD5, 
      $B?7$7$$(BAH$B$K$O(Bnew-HMAC-SHA1, $B$=$7$F?7$7$$(BESP$B$K$O(B8$B%S%C%H(BIV$B$N(B
      new-DES-expIV$B$rA*$V$3$H$K$7$^$9(B. </para>

      <para>$B%-!<$ND9$5$O%"%k%4%j%:%`$KHs>o$K0MB8$7$^$9(B. $BNc$($P(B, MD5$B$G(B
      $B$O(B16$B%P%$%H(B, new-HMAC-SHA1$B$G$O(B20$B%P%$%H(B, new-DES-expIV$B$G$O(B8$B%P%$%H(B
      $B$G$J$1$l$P$J$j$^$;$s(B. $B$=$l$>$l(B, "MYSECRETMYSECRET", 
      "KAMEKAMEKAMEKAMEKAME", "PASSWORD"$B$H$9$k$3$H$K$7$^$9(B. </para>

      <para>$B$=$l$G$O(B, SPI(Security Parameter Index)$B$r3F!9$N%W%m%H%3%k(B
      $B$X3d$jEv$F$^$7$g$&(B. 3$B$D$N%;%-%e%j%F%#%X%C%@(B($B0l$D$O(BHOST A$B$+$i(BHOST
      B$B$X(B, $B$b$&Fs$D$O(BHOST B$B$+$i(BHOST A$B$X(B)$B$,@8@.$5$l$k$?$a(B, $B$3$N%;%-%e%"(B
      $B%A%c%s%M%k$K$O(B3$B$D$N(BSPI$B$,I,MW$G$"$k$3$H$KCm0U$7$F$/$@$5$$(B. SPI$B$O(B
      256$B0J>e$G$J$1$l$P$J$i$J$$$3$H$K$b5$$rIU$1$F$/$@$5$$(B. $B$=$l$>$l(B
      1000, 2000, 3000$B$rA*$V$3$H$K$7$^$9(B. </para>

      <screen>

	         (1)
	HOST A ------> HOST B

	(1)PROTO=AH
		ALG=MD5(RFC1826)
		KEY=MYSECRETMYSECRET
		SPI=1000

	         (2.1)
	HOST A <------ HOST B
	       <------
	         (2.2)

	(2.1)
	PROTO=AH
		ALG=new-HMAC-SHA1(new AH)
		KEY=KAMEKAMEKAMEKAMEKAME
		SPI=2000

	(2.2)
	PROTO=ESP
		ALG=new-DES-expIV(new ESP)
			IV length = 8
		KEY=PASSWORD
		SPI=3000

      </screen>

      <para>$B$=$l$G$O(B, $B%;%-%e%j%F%#4X78$r%;%C%H%"%C%W$7$^$7$g$&(B. HOST A
      $B$H(BHOST B$B$NN>J}$G(B&man.setkey.8;$B$r<B9T$7$F$/$@$5$$!#(B</para>

      <screen>

&prompt.root; <command>setkey -c</command>
add 10.2.3.4 10.6.7.8 ah-old  1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah  2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
^D

     </screen>

     <para>$B<B:]$K$O(B, IPsec$BDL?.$O%;%-%e%j%F%#%]%j%7!<$N%(%s%H%j$,Dj5A$5(B
     $B$l$k$^$G=hM}$r9T$J$$$^$;$s(B. $B$3$N>l9g$O(B, $B3F!9$N%[%9%H$r@_Dj$7$J$1(B
     $B$l$P$J$j$^$;$s(B. </para>

     <screen>

At A:

&prompt.root; <command>setkey -c</command>
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
	ah/transport/10.2.3.4-10.6.7.8/require ;
^D

At B:

&prompt.root; <command>setkey -c</command>
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
	esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
	ah/transport/10.6.7.8-10.2.3.4/require ;
^D


   HOST A --------------------------------------> HOST E
  10.2.3.4                                       10.6.7.8
          |                                     |
          ========== old AH keyed-md5 ==========>

          <========= new AH hmac-sha1 ===========
          <========= new ESP des-cbc ============

     </screen>
    </sect2>

	                             /* $B6b;R(B $BD>?M(B
					$B7D1~Bg3XM}9)3XIt>pJs9)3X2J(B3$BG/(B
					dui@360.cc */










