From owner-doc-jp@jp.freebsd.org  Tue Jul 18 12:07:11 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id MAA01696;
	Tue, 18 Jul 2000 12:07:11 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from tortoise.jp.freebsd.org (root@tortoise.jp.FreeBSD.ORG [210.157.158.41])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id MAA01690
	for <doc-jp@jp.freebsd.org>; Tue, 18 Jul 2000 12:07:10 +0900 (JST)
	(envelope-from kuriyama@FreeBSD.org)
Received: from waterblue.imgsrc.co.jp (waterblue.imgsrc.co.jp [2001:218:422:2:250:70ff:fe00:6c68])
	by tortoise.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP/IPv6 id MAA10993
	for <doc-jp@jp.freebsd.org>; Tue, 18 Jul 2000 12:07:08 +0900 (JST)
	(envelope-from kuriyama@FreeBSD.org)
Received: from waterblue.imgsrc.co.jp (localhost [127.0.0.1])
	by waterblue.imgsrc.co.jp (8.11.0.Beta3/8.11.0.Beta1) with ESMTP id e6I37BG18216
	for <doc-jp@jp.freebsd.org>; Tue, 18 Jul 2000 12:07:11 +0900 (JST)
Date: Tue, 18 Jul 2000 12:07:11 +0900
Message-ID: <7mbszwgmqo.wl@waterblue.imgsrc.co.jp>
From: Jun Kuriyama <kuriyama@FreeBSD.org>
To: Japanese Documentation Project <doc-jp@jp.freebsd.org>
User-Agent: Wanderlust/1.1.1 (Purple Rain) SEMI/1.13.7 (Awazu) FLIM/1.13.2 (Kasanui) MULE XEmacs/21.1 (patch 10) (Capitol Reef) (i386--freebsd)
MIME-Version: 1.0 (generated by SEMI 1.13.7 - "Awazu")
Content-Type: text/plain; charset=ISO-2022-JP
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7576
Subject: [doc-jp 7576] Translators wanted (security ipsec)
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: kuriyama@FreeBSD.org


$B!!(Bsecurity/chapter.sgml $B$N(B 1.25 -> 1.26 $B4V$N:9J,$O(B 1 $B%;%/%7%g%s$NDI2C$@(B
$B$1$J$N$G!":Y$+$$$3$H$r5$$K$;$:K]Lu$G$-$^$9$M!#(B
$B!!0J2<$KE:IU$7$^$9$N$G!"$d$C$F$_$h$&$H$$$&J}$O<j$r5s$2$F$_$F$/$@$5$$!#(B


-----
  <sect1 id="ipsec">
    <title>IPsec</title>
    <para><emphasis>Contributed by &a.shin;, 5 March
	2000.</emphasis></para>

    <para>IPsec provides secure communication for both IP layer and
    socket layer communication.  This section explains how to use it.
    For details of the IPsec implementation, please refer to
    <link linkend="ipsec-implementation">section 23.5.4</link>.</para>

    <para>The current IPsec implementation supports both transport mode
    and tunnel mode.  However, tunnel mode comes with some restrictions.
    <ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/
    </ulink> has more comprehensive examples.</para>

    <sect2>
      <title>Transport mode example with IPv4</title>

      <para>Let us set up security associations to deploy a secure channel
      between HOST A (10.2.3.4) and HOST B (10.6.7.8).  Here we show a
      slightly complicated example.  From HOST A to HOST B, only old AH is
      used.  From HOST B to HOST A, new AH and new ESP are combined.</para>

      <para>Now we must choose the algorithm to be used for each of
      "AH"/"new AH"/"ESP"/"new ESP".  Please refer to the &man.setkey.8; manual
      page for the algorithm names.  Our choice is MD5 for AH, new-HMAC-SHA1
      for new AH, and new-DES-expIV with an 8 byte IV for new ESP.</para>

      <para>The key length depends on the algorithm.  For example, the key
      length must be exactly 16 bytes for MD5, 20 bytes for new-HMAC-SHA1,
      and 8 bytes for new-DES-expIV; &man.setkey.8; rejects a key of the
      wrong length.  Here we choose "MYSECRETMYSECRET",
      "KAMEKAMEKAMEKAMEKAME" and "PASSWORD", respectively.  These are
      example keys only; real keys should be random.</para>

      <para>Next, let us assign an SPI (Security Parameter Index) to each
      security association.  Note that we need 3 SPIs for this secure
      channel, since three security headers are produced (one from HOST A
      to HOST B, two from HOST B to HOST A).  Note also that an SPI MUST be
      greater than or equal to 256, since the values below 256 are
      reserved.  We choose 1000, 2000 and 3000, respectively.
      </para>

      <screen>

	         (1)
	HOST A ------> HOST B

	(1)PROTO=AH
		ALG=MD5(RFC1826)
		KEY=MYSECRETMYSECRET
		SPI=1000

	         (2.1)
	HOST A <------ HOST B
	       <------
	         (2.2)

	(2.1)
	PROTO=AH
		ALG=new-HMAC-SHA1(new AH)
		KEY=KAMEKAMEKAMEKAMEKAME
		SPI=2000

	(2.2)
	PROTO=ESP
		ALG=new-DES-expIV(new ESP)
			IV length = 8
		KEY=PASSWORD
		SPI=3000

      </screen>

      <para>Now let us set up the security associations.  Execute
      &man.setkey.8; on both HOST A and HOST B; the same three SAs are
      added on both hosts:</para>

      <screen>

&prompt.root; <command>setkey -c</command>
add 10.2.3.4 10.6.7.8 ah-old  1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ;
add 10.6.7.8 10.2.3.4 ah  2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ;
add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
^D

     </screen>
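      <para>The following shell script is an added example; it is not part
      of the Handbook text above nor of the KAME tools.  It builds
      &man.setkey.8; add statements only after checking the fixed key
      lengths and the SPI rule described above, and it generates keys of the
      required length from /dev/urandom in the 0x hexadecimal form that
      &man.setkey.8; accepts in place of a double-quoted ASCII string.  The
      function names and the key length table are the example's own.</para>

```sh
#!/bin/sh
# Added example (not Handbook or KAME code): build setkey(8) "add" statements
# after checking the key length and SPI constraints from the section above.
# Keys are written in the 0x hexadecimal form that setkey(8) accepts as an
# alternative to a double-quoted ASCII string.

# Fixed key length in bytes per algorithm (from setkey(8)); prints nothing
# for algorithms whose key length is variable, in which case no check is made.
key_bytes_for() {
    case "$1" in
        keyed-md5|hmac-md5)   printf '%s\n' 16 ;;
        keyed-sha1|hmac-sha1) printf '%s\n' 20 ;;
        des-cbc)              printf '%s\n' 8 ;;
        3des-cbc)             printf '%s\n' 24 ;;
        *)                    printf '\n' ;;
    esac
}

# Length in bytes of a 0x-prefixed hex key; prints -1 if it is malformed.
hexkey_bytes() {
    hex=${1#0x}
    case "$hex" in
        ''|*[!0-9a-fA-F]*) printf '%s\n' -1; return ;;
    esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || { printf '%s\n' -1; return; }
    printf '%s\n' $(( ${#hex} / 2 ))
}

# Generate a random key of N bytes as 0x... (needs /dev/urandom and od(1)).
gen_hexkey() {
    printf '0x%s' "$(od -An -vtx1 -N"$1" /dev/urandom | tr -d ' \n')"
}

# Succeeds if the key fits the algorithm; variable-length algorithms pass.
check_key() {
    want=$(key_bytes_for "$1")
    have=$(hexkey_bytes "$2")
    [ "$have" -ge 0 ] || return 1
    [ -z "$want" ] || [ "$have" -eq "$want" ]
}

# SPI must be a decimal or 0x hex number of at least 256 (lower values are reserved).
check_spi() {
    case "$1" in
        0x*) case "${1#0x}" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
             spi_val=$(( $1 )) ;;
        ''|*[!0-9]*) return 1 ;;
        *)   spi_val=$1 ;;
    esac
    [ "$spi_val" -ge 256 ]
}

# sa_add SRC DST PROTO SPI MODE -E ALG KEY ... -A ALG KEY ...
# Prints one setkey(8) "add" statement, or prints a reason on stderr and
# fails.  setkey(8) requires -E (if present) before -A, so that order is
# enforced here as well.
sa_add() {
    src=$1; dst=$2; proto=$3; spi=$4; mode=$5; shift 5
    check_spi "$spi" || { printf 'sa_add: SPI %s must be >= 256\n' "$spi" >&2; return 1; }
    spec=""; seen_auth=0
    while [ $# -ge 3 ]; do
        case "$1" in
            -E) [ "$seen_auth" -eq 0 ] || { printf 'sa_add: -E must precede -A\n' >&2; return 1; } ;;
            -A) seen_auth=1 ;;
            *)  printf 'sa_add: expected -E or -A, got %s\n' "$1" >&2; return 1 ;;
        esac
        check_key "$2" "$3" || { printf 'sa_add: bad key length for %s\n' "$2" >&2; return 1; }
        spec="$spec $1 $2 $3"
        shift 3
    done
    if [ $# -ne 0 ] || [ -z "$spec" ]; then
        printf 'sa_add: algorithms must be given as -E/-A ALG KEY triples\n' >&2; return 1
    fi
    printf 'add %s %s %s %s -m %s%s ;\n' "$src" "$dst" "$proto" "$spi" "$mode" "$spec"
}

# The three SAs of the IPv4 transport example above, with fresh random keys
# of the required length.  Pipe the output into "setkey -c" on both hosts.
build_example_sas() {
    sa_add 10.2.3.4 10.6.7.8 ah-old 1000 transport -A keyed-md5 "$(gen_hexkey 16)" &&
    sa_add 10.6.7.8 10.2.3.4 ah     2000 transport -A hmac-sha1 "$(gen_hexkey 20)" &&
    sa_add 10.6.7.8 10.2.3.4 esp    3000 transport -E des-cbc   "$(gen_hexkey 8)"
}

build_example_sas
```

      <para>A key of the wrong length or an SPI below 256 is rejected before
      anything reaches the kernel, and the generated statements can be
      reviewed before they are fed to <command>setkey -c</command>.</para>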

     <para>IPsec processing does not actually take place until security policy
     entries are defined.  In this case, you must set up a policy on each
     host.  Where two security headers are applied to the same flow, as from
     HOST B to HOST A here, both requests are listed in one spdadd entry;
     a second spdadd for the same selector is rejected as a duplicate.</para>

     <screen>

At A:

&prompt.root; <command>setkey -c</command>
spdadd 10.2.3.4 10.6.7.8 any -P out ipsec
	ah/transport/10.2.3.4-10.6.7.8/require ;
^D

At B:

&prompt.root; <command>setkey -c</command>
spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
	esp/transport/10.6.7.8-10.2.3.4/require
	ah/transport/10.6.7.8-10.2.3.4/require ;
^D


   HOST A --------------------------------------> HOST B
  10.2.3.4                                       10.6.7.8
          |                                     |
          ========== old AH keyed-md5 ==========>

          <========= new AH hmac-sha1 ===========
          <========= new ESP des-cbc ============

     </screen>
    </sect2>

    <sect2>
      <title>Transport mode example with IPv6</title>

      <para>Here is another example, this time using IPv6.</para>

      <para>ESP transport mode is recommended (policy level use) for TCP
      port number 110 between Host-A and Host-B.</para>

      <screen>

              ============ ESP ============
              |                           |
           Host-A                        Host-B
          fec0::10 -------------------- fec0::11

      </screen>

      <para>The encryption algorithm is blowfish-cbc with the key "kamekame",
      and the authentication algorithm is hmac-sha1 with the key "this is the
      test key".  Configuration at Host-A:</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd fec0::10[any] fec0::11[110] tcp -P out ipsec
                esp/transport/fec0::10-fec0::11/use ;
        spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec
                esp/transport/fec0::11-fec0::10/use ;
        add fec0::10 fec0::11 esp 0x10001
                -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        add fec0::11 fec0::10 esp 0x10002
                -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        EOF

      </screen>

      <para>and at Host-B:</para>

      <screen>
        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd fec0::11[110] fec0::10[any] tcp -P out ipsec
                esp/transport/fec0::11-fec0::10/use ;
        spdadd fec0::10[any] fec0::11[110] tcp -P in ipsec
                esp/transport/fec0::10-fec0::11/use ;
        add fec0::10 fec0::11 esp 0x10001 -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        add fec0::11 fec0::10 esp 0x10002 -m transport
                -E blowfish-cbc "kamekame"
                -A hmac-sha1 "this is the test key" ;
        EOF

      </screen>

      <para>Note the direction of each SP.  -P out and -P in are relative to
      the host on which the policy is installed, while the selector addresses
      and the SA endpoints are always written in the order the packet carries
      them, so the out policy on Host-A and the in policy on Host-B describe
      the same flow with the same addresses.  The level use means that the
      kernel applies IPsec when a matching SA exists and otherwise sends or
      accepts the packet in the clear, which is why this example is only
      recommended; use require where cleartext must never pass.</para>
    </sect2>

    <sect2>
      <title>Tunnel mode example with IPv4</title>

      <para>Tunnel mode between two security gateways.</para>

      <para>The security protocol is old AH in tunnel mode, i.e. as specified
      by RFC1826, with keyed-md5 as the authentication algorithm and
      "this is the test" as its key.</para>

      <screen>

                             ======= AH =======
                             |                |
         Network-A       Gateway-A        Gateway-B        Network-B
        10.0.1.0/24 ---- 172.16.0.1 ----- 172.16.0.2 ---- 10.0.2.0/24

      </screen>

      <para>Configuration at Gateway-A:</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
                ah/tunnel/172.16.0.1-172.16.0.2/require ;
        spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
                ah/tunnel/172.16.0.2-172.16.0.1/require ;
        add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
                -A keyed-md5 "this is the test" ;
        add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
                -A keyed-md5 "this is the test" ;

        EOF

      </screen>

      <para>If the port number field is omitted, as above, "[any]" is
      assumed.  `-m' specifies the mode of the SA.  "-m any" is a wildcard
      for the mode of the security protocol, so this SA can be used for both
      tunnel and transport mode.</para>

      <para>and at Gateway-B:</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
                ah/tunnel/172.16.0.2-172.16.0.1/require ;
        spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
                ah/tunnel/172.16.0.1-172.16.0.2/require ;
        add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any
                -A keyed-md5 "this is the test" ;
        add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any
                -A keyed-md5 "this is the test" ;

        EOF

      </screen>

      <para>Making an SA bundle between two security gateways.</para>

      <para>AH transport mode and ESP tunnel mode are required between
      Gateway-A and Gateway-B.  In this case ESP tunnel mode is applied first
      and AH transport mode next, so AH authenticates the whole
      ESP-encapsulated packet; the ipsec_request entries of a policy are
      listed in the order in which they are applied.</para>

      <screen>

                            ========== AH =========
                            |  ======= ESP =====  |
                            |  |               |  |
       Network-A          Gateway-A        Gateway-B           Network-B
    fec0:0:0:1::/64 --- fec0:0:0:1::1 ---- fec0:0:0:2::1 --- fec0:0:0:2::/64

      </screen>
    </sect2>

    <sect2>
      <title>Tunnel mode example with IPv6</title>

      <para>The encryption algorithm is 3des-cbc, the authentication algorithm
      for ESP is hmac-sha1, and the authentication algorithm for AH is
      hmac-md5.  Configuration at Gateway-A:</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd fec0:0:0:1::/64 fec0:0:0:2::/64 any -P out ipsec
                esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require
                ah/transport/fec0:0:0:1::1-fec0:0:0:2::1/require ;
        spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec
                esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require
                ah/transport/fec0:0:0:2::1-fec0:0:0:1::1/require ;
        add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel
                -E 3des-cbc "kamekame12341234kame1234"
                -A hmac-sha1 "this is the test key" ;
        add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport
                -A hmac-md5 "this is the test" ;
        add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel
                -E 3des-cbc "kamekame12341234kame1234"
                -A hmac-sha1 "this is the test key" ;
        add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport
                -A hmac-md5 "this is the test" ;

        EOF

      </screen>
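      <para>The following shell function is an added example, not part of
      the Handbook text or of the KAME tools.  It reads a &man.setkey.8;
      script such as the gateway configurations above on standard input and
      reports every ipsec_request in an spdadd policy for which no add
      statement supplies an SA with the same protocol, endpoints and a
      compatible mode.  This is the check a practitioner wants before loading
      a bundle like the one above: a require request that has no SA cannot be
      applied, so the matching traffic is dropped.  It treats an SA added with
      -m any as matching both transport and tunnel requests, as described in
      the IPv4 tunnel example, and ah-old as the ah protocol.  The function
      name is the example's own.</para>

```sh
#!/bin/sh
# Added example (not Handbook or KAME code): read a setkey(8) script on
# stdin and print every spdadd ipsec_request that has no "add" SA with the
# same protocol, source, destination and a compatible mode.  An SA added with
# "-m any" satisfies both transport and tunnel requests; "ah-old"/"esp-old"
# count as ah/esp.  Exit status is 1 when something is missing, 0 otherwise.
check_sa_coverage() {
    awk '
    BEGIN { RS = ";" }                      # one setkey statement per record
    {
        n = split($0, f, /[ \t\n]+/)
        i = 1; while (i <= n && f[i] == "") i++   # skip leading whitespace field
        if (f[i] == "add") {
            src = f[i+1]; dst = f[i+2]; proto = f[i+3]; mode = "any"
            sub(/-old$/, "", proto)         # old AH/ESP still use the ah/esp header
            for (j = i + 4; j <= n; j++) if (f[j] == "-m") mode = f[j+1]
            sa[proto "|" src "|" dst "|" mode] = 1
        } else if (f[i] == "spdadd") {
            psrc = f[i+1]; pdst = f[i+2]
            sub(/\[.*\]/, "", psrc); sub(/\[.*\]/, "", pdst)   # drop [port]
            seen = 0
            for (j = i; j <= n; j++) {
                if (seen && f[j] ~ /^(esp|ah|ipcomp)\//) {
                    split(f[j], r, "/")     # proto / mode / src-dst / level
                    if (r[3] == "") { a = psrc; b = pdst } else { split(r[3], ep, "-"); a = ep[1]; b = ep[2] }
                    nreq++
                    req[nreq] = f[j]
                    want[nreq] = r[1] "|" a "|" b "|" r[2]
                    wild[nreq] = r[1] "|" a "|" b "|any"
                }
                if (f[j] == "ipsec") seen = 1
            }
        }
    }
    END {
        # SAs may appear after the policies that use them, so check at the end
        for (k = 1; k <= nreq; k++)
            if (!(want[k] in sa) && !(wild[k] in sa)) { print "no SA for " req[k]; missing++ }
        exit (missing > 0)
    }
    '
}

# Usage: check_sa_coverage < gateway-a.setkey && setkey -f gateway-a.setkey
```

      <para>Transport requests written without endpoints take the addresses
      from the policy selector, which is how the kernel resolves them for the
      packet; tunnel requests must name the gateway addresses explicitly.</para>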

      <para>Making SAs with different ends.</para>

      <para>ESP tunnel mode is required between Host-A and Gateway-A; its
      encryption algorithm is rc5-cbc and its authentication algorithm is
      hmac-md5.  ESP transport mode is recommended between Host-A and Host-B;
      its encryption algorithm is cast128-cbc and its authentication algorithm
      is hmac-sha1.  The transport mode SA is applied first and the tunnel
      mode SA encapsulates the result.  The tunnel SAs below are added without
      -m, so they default to -m any.</para>

      <screen>

              ================== ESP =================
              |  ======= ESP =======                 |
              |  |                 |                 |
             Host-A            Gateway-A           Host-B
          fec0:0:0:1::1 ---- fec0:0:0:2::1 ---- fec0:0:0:2::2

      </screen>

      <para>Configuration at Host-A:</para>

      <screen>

        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
        spdadd fec0:0:0:1::1[any] fec0:0:0:2::2[80] tcp -P out ipsec
                esp/transport/fec0:0:0:1::1-fec0:0:0:2::2/use
                esp/tunnel/fec0:0:0:1::1-fec0:0:0:2::1/require ;
        spdadd fec0:0:0:2::2[80] fec0:0:0:1::1[any] tcp -P in ipsec
                esp/transport/fec0:0:0:2::2-fec0:0:0:1::1/use
                esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ;
        add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001
                -m transport
                -E cast128-cbc "12341234"
                -A hmac-sha1 "this is the test key" ;
        add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002
                -E rc5-cbc "kamekame"
                -A hmac-md5 "this is the test" ;
        add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003
                -m transport
                -E cast128-cbc "12341234"
                -A hmac-sha1 "this is the test key" ;
        add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004
                -E rc5-cbc "kamekame"
                -A hmac-md5 "this is the test" ;

        EOF

      </screen>
    </sect2>
  </sect1>


-- 
Jun Kuriyama <kuriyama@FreeBSD.org> // FreeBSD Project
