From owner-doc-jp@jp.freebsd.org  Fri Mar 17 09:40:00 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id JAA07166;
	Fri, 17 Mar 2000 09:40:00 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from ns4.sony.co.jp (ns4.Sony.CO.JP [202.238.80.4])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id JAA07156
	for <doc-jp@jp.freebsd.org>; Fri, 17 Mar 2000 09:40:00 +0900 (JST)
	(envelope-from masato.hori@jp.sony.com)
Received: from mail2.sony.co.jp (gatekeeper7.Sony.CO.JP [202.238.80.21])
	by ns4.sony.co.jp (02/04/00) with ESMTP id JAA13469
	for <doc-jp@jp.freebsd.org>; Fri, 17 Mar 2000 09:40:00 +0900 (JST)
Received: from sjp01002.meis.sony.co.jp (sjp01002.meis.sony.co.jp [43.15.126.31])
	by mail2.sony.co.jp (3.7W99040614b) with ESMTP id JAA05966
	for <doc-jp@jp.freebsd.org>; Fri, 17 Mar 2000 09:40:00 +0900 (JST)
Received: from PCG-N505-SERIES.jp.sony.com (PCG-N505 [43.17.37.107]) by sjp01002.meis.sony.co.jp with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2651.97)
	id HCQM6N5T; Fri, 17 Mar 2000 09:40:00 +0900
Date: Fri, 17 Mar 2000 09:39:17 +0900
Message-ID: <wk8zziqvka.wl@jp.sony.com>
From: Hori Masato <mho@cmpnetmail.com>
To: doc-jp@jp.freebsd.org
In-Reply-To: In your message of "Sun, 12 Mar 2000 11:41:24 +0900"
	<200003120242.LAA27405@mail.geocities.co.jp>
References: <200003120242.LAA27405@mail.geocities.co.jp>
User-Agent: Wanderlust/2.2.16 (No Son Of Mine) SEMI/1.13.7 (Awazu) FLIM/1.13.2 (Kasanui) Emacs/20.4 (i386-*-windows98.2222) MULE/4.1 (AOI) Meadow/1.10 (TSUYU)
MIME-Version: 1.0 (generated by SEMI 1.13.7 - "Awazu")
Content-Type: text/plain; charset=ISO-2022-JP
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7174
Subject: [doc-jp 7174] Re: handbook/security/chapter.sgml 1.25 -> 1.26 #2
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: mho@cmpnetmail.com

(handbook/security/chapter.sgml 1.25 -> 1.26 #2)

    <sect2>
      <title>Transport Mode Example with IPv6</title>

      <para>$BJL$NNc$G(BIPv6$B$r;H$$$^$9(B.</para>

      <para>Suppose ESP transport mode is recommended for TCP port 110
      between Host-A and Host-B.</para>

      <screen>

              ============ ESP ============
              |                           |
           Host-A                        Host-B
          fec0::10 -------------------- fec0::11

      </screen>

      <para>$B0E9f%"%k%4%j%:%`$O(B blowfish-cbc, $B80$O(B "kamekame", $BG'>Z%"%k(B
      $B%4%j%:%`$O(Bhmac-sha1, $B80$O(B "this is the test
      key" $B$G$9(B.  Host-A$B$G$N@_Dj$O0J2<$N$H$*$j$G$9(B.</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
                esp/transport/fec0::10-fec0::11/use ;
        spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
                esp/transport/fec0::11-fec0::10/use ;
        add fec0::10 fec0::11 esp 0x10001
                -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        add fec0::11 fec0::10 esp 0x10002
                -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        EOF

      </screen>

      <para>At Host-B it is as follows.</para>

      <screen>
        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
                esp/transport/fec0::11-fec0::10/use ;
        spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
                esp/transport/fec0::10-fec0::11/use ;
        add fec0::10 fec0::11 esp 0x10001 -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        add fec0::11 fec0::10 esp 0x10002 -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        EOF

      </screen>

      <para>Note the direction of each SP.</para>
    </sect2>

    <sect2>
      <title>Tunnel Mode Example with IPv4</title>

      <para>2$B$D$N(Bsecurity gateway$B4V$N(BTunnel $B%b!<%I(B</para>

      <para>The security protocol is the old AH tunnel mode, that is, the one
      specified in RFC1826.  The authentication algorithm is keyed-md5 with the
      key "this is the test".</para>

      <screen>

                             ======= AH =======
                             |                |
         Network-A       Gateway-A        Gateway-B        Network-B
        10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24

      </screen>

      <para>The configuration at Gateway-A is as follows.</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
                ah/tunnel/172.16.0.1-172.16.0.2/require ;
        spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
                ah/tunnel/172.16.0.2-172.16.0.1/require ;
        add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
                -A keyed-md5 "this is the test" ;
        add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
                -A keyed-md5 "this is the test" ;

        EOF

      </screen>

      <para>$B>e$NNc$N$h$&$K%]!<%HHV9f$,>JN,$5$l$?>l9g(B"[any]"$B$,;H$o$l$^(B
      $B$9(B. `-m' $B$O(BSA $B$N%b!<%I$r;XDj$7$^$9(B.  "-m any" $B$O(Bsecurity $B%W%m%H%3(B
      $B%k$N%b!<%I$,(Bwild-card$B$G$"$k$3$H$r0UL#$7$^$9(B. $B$3$N(BSA$B$O(B
      tunnel $B%b!<%I$H(Btransport $B%b!<%I$NN>J}$K;HMQ$G$-$^$9(B.</para>

      <para>At Gateway-B it looks like this.</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
                ah/tunnel/172.16.0.2-172.16.0.1/require ;
        spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
                ah/tunnel/172.16.0.1-172.16.0.2/require ;
        add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
                -A keyed-md5 "this is the test" ;
        add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
                -A keyed-md5 "this is the test" ;

        EOF

      </screen>

      <para>2$B$D$N(Bsecurity gateway$B4V$G(BSA bundle$B$r:n$j$^$9(B</para>

      <para>Gateway-A $B$H(B Gateway-B $B4V$G$O(BAH transport $B%b!<%I(B $B$H(B ESP
      tunnel $B%b!<%I$,I,MW$G$9(B. $B$3$NNc$G$O(B, ESP tunnel $B%b!<%I$r@h$K(B
      $B;HMQ$7(B, $B<!$K(B AH transport $B%b!<%I$r;H$$$^$9(B.</para>

      <screen>

                            ========== AH =========
                            |  ======= ESP =====  |
                            |  |               |  |
       Network-A          Gateway-A        Gateway-B           Network-B
    fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64

      </screen>
    </sect2>
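As an added check for two points in the text above (the "note the direction of each SP" remark in the IPv6 example, and the -m / key settings in the tunnel example), here is a small validator written for this review; it is not part of the handbook, of FreeBSD, or of setkey(8). It parses the spdadd/add lines of two hosts' setkey -c scripts, confirms that every SP on one host appears on the peer with the direction flipped and that the SAs match, and checks -E/-A key lengths against the sizes the algorithms accept. The KEY_BITS table is an assumption drawn from the algorithm definitions, and the parser covers only the syntax used on this page.

```python
import re
# Key sizes (bits) setkey(8) accepts for the algorithms used on this page
# (assumption: taken from the algorithm specs, not stated on the page itself).
KEY_BITS = {"blowfish-cbc": (40, 448), "hmac-sha1": (160, 160), "keyed-md5": (128, 128)}

SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+)\s*;")
SAD_RE = re.compile(r'\badd\s+(\S+)\s+(\S+)\s+(\S+)\s+(0x[0-9a-f]+)\s+-m\s+(\S+)'
                    r'((?:\s+-[EA]\s+\S+\s+"[^"]*")*)\s*;')
ALG_RE = re.compile(r'-([EA])\s+(\S+)\s+"([^"]*)"')

def parse(conf):
    """Split a setkey -c script into SP tuples and SA tuples."""
    text = " ".join(conf.split())    # fold the continuation lines
    policies = SPD_RE.findall(text)  # (src, dst, proto, direction, request)
    sas = [(src, dst, proto, spi, mode, tuple(ALG_RE.findall(algs)))
           for src, dst, proto, spi, mode, algs in SAD_RE.findall(text)]
    return policies, sas

def key_errors(conf):
    """Report -E/-A keys whose length the named algorithm will reject."""
    errs = []
    for _, _, _, spi, _, algs in parse(conf)[1]:
        for _, alg, key in algs:
            lo, hi = KEY_BITS.get(alg, (0, float("inf")))  # unknown algs are not checked
            bits = len(key.encode()) * 8
            if not lo <= bits <= hi:
                errs.append(f"SPI {spi} {alg}: {bits}-bit key, need {lo}-{hi}")
    return errs

def mirror_errors(local, peer):
    """Each SP on local must exist on peer with the direction flipped; SAs must match."""
    lp, ls = parse(local)
    pp, ps = parse(peer)
    errs = [f"peer has no mirror of {d} SP {s} -> {t} {r}"
            for s, t, p, d, r in lp
            if (s, t, p, "in" if d == "out" else "out", r) not in pp]
    errs += [f"SA {sa[3]} {sa[0]} -> {sa[1]} is not on both hosts"
             for sa in set(ls) ^ set(ps)]
    return errs

# Host-A and Host-B scripts from the IPv6 example above, folded onto one line each.
HOST_A = """spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec esp/transport/fec0::10-fec0::11/use ;
spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec esp/transport/fec0::11-fec0::10/use ;
add fec0::10 fec0::11 esp 0x10001 -m transport -E blowfish-cbc "kamekame" -A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002 -m transport -E blowfish-cbc "kamekame" -A hmac-sha1 "this is the test key" ;"""
HOST_B = """spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec esp/transport/fec0::11-fec0::10/use ;
spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec esp/transport/fec0::10-fec0::11/use ;
add fec0::10 fec0::11 esp 0x10001 -m transport -E blowfish-cbc "kamekame" -A hmac-sha1 "this is the test key" ;
add fec0::11 fec0::10 esp 0x10002 -m transport -E blowfish-cbc "kamekame" -A hmac-sha1 "this is the test key" ;"""

if __name__ == "__main__":
    print(key_errors(HOST_A) + mirror_errors(HOST_A, HOST_B) or "Host-A and Host-B agree")
```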
