From owner-doc-jp@jp.freebsd.org  Thu Mar 16 17:44:40 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id RAA46719;
	Thu, 16 Mar 2000 17:44:40 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from thumb.nail.or.jp (ppp147.dialup.st.keio.ac.jp [131.113.27.147])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id RAA46709
	for <doc-jp@jp.freebsd.org>; Thu, 16 Mar 2000 17:44:38 +0900 (JST)
	(envelope-from dui@360.cc)
Received: from localhost (localhost.nail.or.jp [127.0.0.1])
	by thumb.nail.or.jp (8.9.3/8.9.3) with ESMTP id RAA01004
	for <doc-jp@jp.freebsd.org>; Thu, 16 Mar 2000 17:44:20 +0900 (JST)
	(envelope-from dui@360.cc)
To: doc-jp@jp.freebsd.org
In-Reply-To: Your message of "Sun, 12 Mar 2000 11:41:24 +0900"
	<200003120242.LAA27405@mail.geocities.co.jp>
References: <200003120242.LAA27405@mail.geocities.co.jp>
X-Mailer: Mew version 1.93 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Message-Id: <20000316174420Z.dui@360.cc>
Date: Thu, 16 Mar 2000 17:44:20 +0900
From: Naoto Kaneko <dui@360.cc>
X-Dispatcher: imput version 980905(IM100)
Lines: 295
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7171
Subject: [doc-jp 7171] Re: handbook/security/chapter.sgml 1.25 -> 1.26 #2
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: dui@360.cc

Kaneko here. This is the continuation.

From: Hiroki Sato <hrs@geocities.co.jp>
Subject: [doc-jp 7160] handbook/security/chapter.sgml 1.25 -> 1.26 #2
Date: Sun, 12 Mar 2000 11:41:24 +0900
Message-ID: <200003120242.LAA27405@mail.geocities.co.jp>

> (handbook/security/chapter.sgml 1.25 -> 1.26 #2)
> 
>     <sect2>
>       <title>Transport mode example with IPv6</title>
> 
>       <para>Another example using IPv6.</para>
> 
>       <para>ESP transport mode is recommended for TCP port number 110 between
>       Host-A and Host-B.</para>
> 
>       <screen>
> 
>               ============ ESP ============
>               |                           |
>            Host-A                        Host-B
>           fec0::10 -------------------- fec0::11
> 
>       </screen>
> 
>       <para>The encryption algorithm is blowfish-cbc, whose key is "kamekame", and
>       the authentication algorithm is hmac-sha1, whose key is "this is the test
>       key".  Configuration at Host-A:</para>
> 
>       <screen>
> 
>         &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
>         spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
>                 esp/transport/fec0::10-fec0::11/use ;
>         spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
>                 esp/transport/fec0::11-fec0::10/use ;
>         add fec0::10 fec0::11 esp 0x10001
>                 -m transport
>                 -E blowfish-cbc "kamekame"
>                 -A hmac-sha1 "this is the test key" ;
>         add fec0::11 fec0::10 esp 0x10002
>                 -m transport
>                 -E blowfish-cbc "kamekame"
>                 -A hmac-sha1 "this is the test key" ;
>         EOF
> 
>       </screen>
> 
>       <para>and at Host-B:</para>
> 
>       <screen>
>         &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
>         spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
>                 esp/transport/fec0::11-fec0::10/use ;
>         spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
>                 esp/transport/fec0::10-fec0::11/use ;
>         add fec0::10 fec0::11 esp 0x10001 -m transport
>                 -E blowfish-cbc "kamekame"
>                 -A hmac-sha1 "this is the test key" ;
>         add fec0::11 fec0::10 esp 0x10002 -m transport
>                 -E blowfish-cbc "kamekame"
>                 -A hmac-sha1 "this is the test key" ;
>         EOF
> 
>       </screen>
> 
>       <para>Note the direction of SP.</para>
>     </sect2>
> 
>     <sect2>
>       <title>Tunnel mode example with IPv4</title>
> 
>       <para>Tunnel mode between two security gateways.</para>
> 
>       <para>Security protocol is old AH tunnel mode, i.e. specified by
>       RFC1826, with keyed-md5 whose key is "this is the test" as
>       authentication algorithm.</para>
> 
>       <screen>
> 
>                              ======= AH =======
>                              |                |
>          Network-A       Gateway-A        Gateway-B        Network-B
>         10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24
> 
>       </screen>
> 
>       <para>Configuration at Gateway-A:</para>
> 
>       <screen>
> 
>         &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
>         spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
>                 ah/tunnel/172.16.0.1-172.16.0.2/require ;
>         spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
>                 ah/tunnel/172.16.0.2-172.16.0.1/require ;
>         add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
>                 -A keyed-md5 "this is the test" ;
>         add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
>                 -A keyed-md5 "this is the test" ;
> 
>         EOF
> 
>       </screen>
> 
>       <para>If the port number field is omitted, as above, then "[any]" is
>       employed. `-m' specifies the mode of the SA to be used. "-m any" means
>       a wildcard for the mode of the security protocol. You can use this SA for
>       both tunnel and transport mode.</para>
> 
>       <para>and at Gateway-B:</para>
> 
>       <screen>
> 
>         &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
>         spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
>                 ah/tunnel/172.16.0.2-172.16.0.1/require ;
>         spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
>                 ah/tunnel/172.16.0.1-172.16.0.2/require ;
>         add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
>                 -A keyed-md5 "this is the test" ;
>         add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
>                 -A keyed-md5 "this is the test" ;
> 
>         EOF
> 
>       </screen>
> 
>       <para>Making an SA bundle between two security gateways.</para>
> 
>       <para>AH transport mode and ESP tunnel mode are required between
>       Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first,
>       and AH transport mode next.</para>
> 
>       <screen>
> 
>                             ========== AH =========
>                             |  ======= ESP =====  |
>                             |  |               |  |
>        Network-A          Gateway-A        Gateway-B           Network-B
>     fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64
> 
>       </screen>
>     </sect2>

(handbook/security/chapter.sgml 1.25 -> 1.26 #2)

    <sect2>
      <title>Transport mode example with IPv6</title>

      <para>Another example using IPv6.</para>

      <para>ESP transport mode is recommended for TCP port 110 between
      Host-A and Host-B.</para>

      <screen>

              ============ ESP ============
              |                           |
           Host-A                        Host-B
          fec0::10 -------------------- fec0::11

      </screen>

      <para>Configuration at Host-A. The encryption algorithm is blowfish-cbc
      with key "kamekame", and the authentication algorithm is hmac-sha1 with
      key "this is the test key".</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
                esp/transport/fec0::10-fec0::11/use ;
        spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
                esp/transport/fec0::11-fec0::10/use ;
        add fec0::10 fec0::11 esp 0x10001
                -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        add fec0::11 fec0::10 esp 0x10002
                -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        EOF

      </screen>

      <para>$B$=$7$F(B, Host-B$B$G$O(B:</para>

      <screen>
        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
                esp/transport/fec0::11-fec0::10/use ;
        spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
                esp/transport/fec0::10-fec0::11/use ;
        add fec0::10 fec0::11 esp 0x10001 -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        add fec0::11 fec0::10 esp 0x10002 -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        EOF

      </screen>

      <para>Note the direction of the SP.</para>
    </sect2>

    <sect2>
      <title>Tunnel mode example with IPv4</title>

      <para>$BFs$D$N%;%-%e%j%F%#!<%2!<%I%&%'%$4V$N%H%s%M%k%b!<%I$G$9(B. </para>

      <para>$B%;%-%e%j%F%#%W%m%H%3%k$O8E$$(BAH$B%H%s%M%k%b!<%I(B(RFC1826$B$GL@:Y(B
      $B$K@bL@$5$l$F$$$^$9(B)$B$G$9(B. $BG'>Z%"%k%4%j%:%`$H$7$F(Bkeyed-md5$B$r;H$$(B, 
      $B%-!<$O(B"this is the test"$B$G$9(B. </para>

      <screen>

                             ======= AH =======
                             |                |
         Network-A       Gateway-A        Gateway-B        Network-B
        10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24

      </screen>

      <para>Configuration at Gateway-A:</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
                ah/tunnel/172.16.0.1-172.16.0.2/require ;
        spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
                ah/tunnel/172.16.0.2-172.16.0.1/require ;
        add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
                -A keyed-md5 "this is the test" ;
        add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
                -A keyed-md5 "this is the test" ;

        EOF

      </screen>

      <para>$B>e$N$h$&$K%]!<%HHV9f$N%U%#!<%k%I$r;XDj$7$J$$$H(B"[any]"$B$,;H(B
      $B$o$l$^$9(B. `-m'$B$O;HMQ$9$k(BSA$B$N%b!<%I$r;XDj$7$^$9(B. "-m any"$B$O%;%-%e(B
      $B%j%F%#%W%m%H%3%k$N%b!<%I$N%o%$%k%I%+!<%I$r0UL#$7$^$9(B. $B%H%s%M%k%b!<(B
      $B%I$H%H%i%s%9%]!<%H%b!<%I$NN>J}$G$3$N(BSA$B$r;HMQ$G$-$^$9(B. </para>

      <para>$B$=$7$F(B, Gateway-B$B$G$O(B:</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
                ah/tunnel/172.16.0.2-172.16.0.1/require ;
        spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
                ah/tunnel/172.16.0.1-172.16.0.2/require ;
        add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
                -A keyed-md5 "this is the test" ;
        add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
                -A keyed-md5 "this is the test" ;

        EOF

      </screen>

      <para>$BFs$D$N%;%-%e%"%2!<%I%&%'%$$N4V$K(BSA$B%P%s%I%k$rD%$j$^$9(B</para>

      <para>AH transport mode and ESP tunnel mode are required between
      Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied
      first, and AH transport mode follows.</para>

      <screen>

                            ========== AH =========
                            |  ======= ESP =====  |
                            |  |               |  |
       Network-A          Gateway-A        Gateway-B           Network-B
    fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64

      </screen>
    </sect2>

	                             /* Naoto Kaneko
					Keio University, Faculty of Science and Technology,
					Department of Information and Computer Science, 3rd year
					dui@360.cc */
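An added example, written here and not part of this post, the handbook text or the KAME tools: a small Python checker for the point the text makes with "Note the direction of the SP". It parses the setkey scripts of two peers and verifies that every security policy on one host has its mirror image (same flow, opposite direction) on the other, that each policy names an SA that actually exists in that host's own SAD (honouring "-m any" and the ah-old/ah pairing described above), and that both SADs hold the same manually keyed entries. The sample scripts are the Host-A, Host-B and Gateway-A scripts from the text with the `setkey -c <<EOF` wrapper removed; the statement grammar handled is only the subset those scripts use, and `peer_script`, which derives the other end's script by flipping every SP direction, is my own helper.

```python
"""Consistency checker for the setkey(8) scripts of two IPsec peers.

Added example, not from the mailing-list post or the FreeBSD handbook.  Parses
`spdadd` and `add` statements and checks that every policy on one host is
mirrored on the other (same flow, opposite direction), that each policy names
an SA present in the local SAD, and that both SADs hold identical manually keyed
SAs.  Only the statement forms used in the handbook examples are handled."""
import re
import shlex
from collections import namedtuple

# spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/SASRC-SADST/LEVEL
Policy = namedtuple("Policy", "src dst upper direction proto mode sa_src sa_dst level")
# add SRC DST PROTO SPI [-m MODE] [-E ALG KEY] [-A ALG KEY]
SA = namedtuple("SA", "src dst proto spi mode enc auth")


def parse(script):
    """Return (policies, sas) from ';'-terminated setkey statements."""
    policies, sas = [], []
    for stmt in script.split(";"):
        toks = shlex.split(stmt)            # keeps a double-quoted key as one token
        if not toks:
            continue
        if toks[0] == "spdadd" and toks[4] == "-P" and toks[6] == "ipsec":
            proto, mode, ends, level = toks[7].split("/")
            sa_src, sa_dst = ends.split("-")
            policies.append(Policy(toks[1], toks[2], toks[3], toks[5],
                                   proto, mode, sa_src, sa_dst, level))
        elif toks[0] == "add":
            opts, i = {"-m": "any", "-E": (), "-A": ()}, 5   # setkey's default mode is "any"
            while i < len(toks):
                if toks[i] not in opts:
                    raise ValueError(f"unsupported option {toks[i]!r}: {stmt.strip()}")
                width = 1 if toks[i] == "-m" else 2          # -m MODE / -E ALG KEY / -A ALG KEY
                opts[toks[i]] = toks[i + 1] if width == 1 else tuple(toks[i + 1:i + 3])
                i += 1 + width
            sas.append(SA(toks[1], toks[2], toks[3], int(toks[4], 16),
                          opts["-m"], opts["-E"], opts["-A"]))
        else:
            raise ValueError(f"unsupported statement: {stmt.strip()}")
    return policies, sas


def peer_script(script):
    """Derive the peer's script from one end's: same SAs, every SP direction flipped."""
    return re.sub(r"-P (in|out)\b", lambda m: "-P out" if m.group(1) == "in" else "-P in", script)


def check_pair(script_a, script_b):
    """Return a list of problems; an empty list means the two scripts agree."""
    (pol_a, sa_a), (pol_b, sa_b) = parse(script_a), parse(script_b)
    problems = []
    for here, pols, peer_pols, local_sas in (("A", pol_a, set(pol_b), sa_a),
                                             ("B", pol_b, set(pol_a), sa_b)):
        for p in pols:
            # The peer must hold the same flow with the opposite direction.
            want = p._replace(direction="in" if p.direction == "out" else "out")
            if want not in peer_pols:
                problems.append(f"{here}: {p.direction} policy {p.src} -> {p.dst} has no "
                                f"matching {want.direction} policy on the peer")
            # "-m any" SAs serve either mode, and "ah-old" satisfies a policy asking for "ah".
            if not any(s.src == p.sa_src and s.dst == p.sa_dst
                       and s.proto.split("-")[0] == p.proto
                       and s.mode in ("any", p.mode) for s in local_sas):
                problems.append(f"{here}: policy {p.src} -> {p.dst} names SA "
                                f"{p.proto}/{p.mode}/{p.sa_src}-{p.sa_dst} missing from its SAD")
    if set(sa_a) != set(sa_b):
        problems.append("SAD differs: manually keyed peers must share SPIs, algorithms and keys")
    return problems


# Constructed input: the Host-A, Host-B and Gateway-A scripts from the text, minus the heredoc wrapper.
HOST_A = """
spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec esp/transport/fec0::10-fec0::11/use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec esp/transport/fec0::11-fec0::10/use ;
add fec0::10 fec0::11 esp 0x10001 -m transport -E blowfish-cbc "kamekame" -A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002 -m transport -E blowfish-cbc "kamekame" -A hmac-sha1 "this is the test key" ;
"""
HOST_B = """
spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec esp/transport/fec0::11-fec0::10/use ;
spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec esp/transport/fec0::10-fec0::11/use ;
add fec0::10 fec0::11 esp 0x10001 -m transport -E blowfish-cbc "kamekame" -A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002 -m transport -E blowfish-cbc "kamekame" -A hmac-sha1 "this is the test key" ;
"""
GATEWAY_A = """
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec ah/tunnel/172.16.0.1-172.16.0.2/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec ah/tunnel/172.16.0.2-172.16.0.1/require ;
add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any -A keyed-md5 "this is the test" ;
add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any -A keyed-md5 "this is the test" ;
"""

if __name__ == "__main__":
    # Third pair: Host-A's script pasted unchanged onto Host-B, so every SP points the wrong way.
    for a, b in ((HOST_A, HOST_B), (GATEWAY_A, peer_script(GATEWAY_A)), (HOST_A, HOST_A)):
        print(check_pair(a, b) or "consistent")
```

Run as a script it reports "consistent" for the two pairs taken from the text and four direction errors for the pasted pair, which is exactly the mistake the "Note the direction of the SP" remark warns about: the SAD is symmetric and can be copied verbatim, the SPD cannot.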
