From owner-doc-jp@jp.freebsd.org  Fri Mar 17 09:40:00 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id JAA07162;
	Fri, 17 Mar 2000 09:40:00 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from ns4.sony.co.jp (ns4.Sony.CO.JP [202.238.80.4])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id JAA07154
	for <doc-jp@jp.freebsd.org>; Fri, 17 Mar 2000 09:39:59 +0900 (JST)
	(envelope-from masato.hori@jp.sony.com)
Received: from mail1.sony.co.jp (gatekeeper7.Sony.CO.JP [202.238.80.21])
	by ns4.sony.co.jp (02/04/00) with ESMTP id JAA13415
	for <doc-jp@jp.freebsd.org>; Fri, 17 Mar 2000 09:39:58 +0900 (JST)
Received: from sjp01002.meis.sony.co.jp (sjp01002.meis.sony.co.jp [43.15.126.31])
	by mail1.sony.co.jp (3.7W990708a) with ESMTP id JAA27939
	for <doc-jp@jp.freebsd.org>; Fri, 17 Mar 2000 09:39:58 +0900 (JST)
Received: from PCG-N505-SERIES.jp.sony.com (PCG-N505 [43.17.37.107]) by sjp01002.meis.sony.co.jp with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2651.97)
	id HCQM6N5R; Fri, 17 Mar 2000 09:39:58 +0900
Date: Fri, 17 Mar 2000 09:39:04 +0900
Message-ID: <wkaejyqvkn.wl@jp.sony.com>
From: Hori Masato <mho@cmpnetmail.com>
To: doc-jp@jp.freebsd.org
In-Reply-To: In your message of "Sun, 12 Mar 2000 11:40:44 +0900"
	<200003120241.LAA26768@mail.geocities.co.jp>
References: <200003120241.LAA26768@mail.geocities.co.jp>
User-Agent: Wanderlust/2.2.16 (No Son Of Mine) SEMI/1.13.7 (Awazu) FLIM/1.13.2 (Kasanui) Emacs/20.4 (i386-*-windows98.2222) MULE/4.1 (AOI) Meadow/1.10 (TSUYU)
MIME-Version: 1.0 (generated by SEMI 1.13.7 - "Awazu")
Content-Type: text/plain; charset=ISO-2022-JP
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7173
Subject: [doc-jp 7173] Re: handbook/security/chapter.sgml 1.25 -> 1.26 #1
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: mho@cmpnetmail.com


$BCY$/$J$j$^$7$?$,(BIPsec$B$NItJ,$G$9!#(B

secure$B$r!V%;%-%e%"!W$K$9$k$+$H$+MQ8l$rC1=c$K%+%?%+%J$KCV$-49$($k$+$J$I(B
$BLB$C$?$N$G$9$,(Bsecurity association$B$,8e$G(BSA$B$HN,$5$l$?$j$9$k$N$r8+$F$$$k(B
$B$H868l$NDV$j$,$J$$$H$o$+$j$K$/$/$J$j$H;W$$!"$=$N$^$^$K$7$^$7$?!#(B



(handbook/security/chapter.sgml 1.25 -> 1.26 #1)

    <para>IPsec$B$N%a%+%K%:%`$K$h$j(BIP$BAX$H%=%1%C%HAX$G$N(Bsecure$B$JDL?.$,2DG=$K(B
     $B$J$j$^$9(B. $B$3$N>O$G$O$=$N;H$$J}$r@bL@$7$^$9(B. IPsec$B$N<BAu$K$D$$$F$O(B
    <link linkend="ipsec-implementation">$B>O(B 23.5.4</link>$B$r;2>H$7(B
     $B$F$/$@$5$$(B.</para>

    <para>$B8=:_$N(B IPsec $B$O(B transport $B%b!<%I$H(B tunnel $B%b!<%I$NN>J}$r%5%]!<(B
    $B%H$7$F$$$^$9(B. $B$?$@$7(B, tunnel $B%b!<%I$K$O$$$/$D$+$N@)8B$,$"$j$^$9(B. $B$h(B
    $B$jA4HLE*$J@bL@$O(B
    <ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/</ulink>
    $B$r$4Mw$/$@$5$$(B.</para>

    <sect2>
      <title>IPv4$B$G$N(Btransport $B%b!<%I$NNc(B</title>

      <para>HOST A (10.2.3.4) $B$H(B HOST B (10.6.7.8)$B$N4V$K(Bsecure$B%A%c%M%k(B
      $B$rD%$k$?$a$N(Bsecurity association$B$r3NN)$7$^$9(B. $B$3$3$G@bL@$9$kNc$O(B
      $B>/$7J#;($G$9(B. HOST A$B$+$i(BHOST B$B$X$O8E$$(BAH$B$@$1$r;H$$$^$9(B. HOST B$B$+(B
      $B$i(BHOST A$B$X$O?7$7$$(BAH$B$H?7$7$$(BESP$B$rAH$_9g$o$;$F;HMQ$7$^$9(B.</para>

      <para>$B$3$3$G(B "AH"/"new AH"/"ESP"/"new ESP" $B$=$l$>$l$G;HMQ$9$k%"(B
      $B%k%4%j%:%`$rA*$P$J$1$l$P$J$j$^$;$s(B.$B%"%k%4%j%:%`L>$r@bL@$7$?(B
      &man.setkey.8$B$N(Bman page$B$r8+$F$/$@$5$$(B. $B8E$$(BAH$B$K$O(B
      MD5, $B?7$7$$(BAH$B$K$O(Bnew-HMAC-SHA1, $B?7$7$$(BESP$B$K$O(B 8 byte IV$B$r;H$C$?(B
      new-DES-expIV$B$rA*$S$^$7$?(B.</para>

      <para>$B80$ND9$5$O$=$l$>$l$N%"%k%4%j%:%`$K6/$/0MB8$7$^$9(B. $B$?$H$($P!"(B
      MD5$B$N80$O(B16$B%P%$%H$G$J$1$l$P$J$j$^$;$s(B. new-HMAC-SHA1$B$G$O(B20$B%P%$%H(B,
      new-DES-expIV$B$G$O(B8$B%P%$%H$K$J$j$^$9(B. $B$=$l$>$l(B "MYSECRETMYSECRET",
      "KAMEKAMEKAMEKAMEKAME", "PASSWORD" $B$rA*$S$^$9(B.</para>

      <para>$B$=$l$>$l$N%W%m%H%3%k$K(B SPI (Security Parameter Index) $B$r7h(B
      $B$a$^$9(B. $B$3$NNc$N(Bsecure$B$JDL?.O)$K$O(B3$B8D$N(BSPI$B$,I,MW$K$J$j$^$9(B. HOST
      A$B$+$i(BHOST B$B$K(B1$B8D!"(BHOST B$B$+$i(BHOST A$B$K(B2$B8D$N(Bsecurity $B%X%C%@$,@8@.$5(B
      $B$l$k$+$i$G$9(B. $B$^$?(BSPI$B$O(B256$B0J>e$G$J$1$l$P$J$j$^$;$s(B. $B$3$3$G$O3F!9(B
      $B$r(B1000, 2000, 3000$B$H$7$^$9(B.</para>

      <screen>

	         (1)
	HOST A ------> HOST B

	(1)PROTO=AH
		ALG=MD5(RFC1826)
		KEY=MYSECRETMYSECRET
		SPI=1000

	         (2.1)
	HOST A <------ HOST B
	       <------
	         (2.2)

	(2.1)
	PROTO=AH
		ALG=new-HMAC-SHA1(new AH)
		KEY=KAMEKAMEKAMEKAMEKAME
		SPI=2000

	(2.2)
	PROTO=ESP
		ALG=new-DES-expIV(new ESP)
			IV length = 8
		KEY=PASSWORD
		SPI=3000

      </screen>

      <para>security association$B$r3NN)$7$^$9(B. 
	HOST A$B$H(BHOST B$B>e$G(B &man.setkey.8; $B$r<B9T$7$^$9(B:</para>

      <screen>

&prompt.root; <command>setkey -c</command>
add 10.2.3.4 10.6.7.8 ah-old  1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah  2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
^D

     </screen>

     <para>$B<B:]$K$O(B IPsec$B$NDL?.$O(Bsecurity policy $B$N%(%s%H%j$,;XDj$5$l$k$^$G(B
      $B$O<B9T$5$l$^$;$s(B. $B$3$NNc$N>l9g$K$O3F%[%9%H$G$N@_Dj$r9T$&I,MW$,$"$j$^(B
      $B$9(B. </para>

     <screen>

At A:

&prompt.root; <command>setkey -c</command>
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
	ah/transport/10.2.3.4-10.6.7.8/require ;
^D

At B:

&prompt.root; <command>setkey -c</command>
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
	esp/transport/10.6.7.8-10.2.3.4/require ;
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
	ah/transport/10.6.7.8-10.2.3.4/require ;
^D


   HOST A --------------------------------------> HOST B
  10.2.3.4                                       10.6.7.8
          |                                     |
          ========== old AH keyed-md5 ==========>

          <========= new AH hmac-sha1 ===========
          <========= new ESP des-cbc ============

     </screen>
    </sect2>

