santabarbara-result.jp

Linux 2.6 内核上配置IPSec VPN 的工具

Mon May 24 1999 - Fri May 28 1999

vs SSH
	KAME -> SSH

	phase1 $B$GE($,%Q%1%C%H2r$1$J$$L5$/$F<:GT!#(B
	RC5, IDEA, CAST, blowfish $BA4LG!D$L$L$L(B
		racoon $B$N(B keylength $B4V0c$C$F$?!#(B
		phase 1 $B$,0l=V$G(B expire $B$7$F$?!#(B
		lifetime $BAw$C$F$3$J$$;~(B 0 $BF~$l$F$?!#(Bdefault $B$rF~$l$k!#(B
		isakmp-test.ssh.fi$B$G3NG'(B

	$B:FAw$r0l2s$K?tH/Aw$C$FMh$k!#(B
	racoon $B$O:FAw$J%Q%1%C%H$r0-$$%Q%1%C%H$H;W$C$F(B exchange $B$r=*$i$;$F$?!#(B
	$B0E9f2=$5$l$F$k%Q%1%C%H$r4|BT$7$F$k;~$bF1$8!#(B
	$B7k6I!"0-$$%Q%1%C%H$+:FAw$J%Q%1%C%H$+$NH=CG$,=PMh$J$$$N$GL5;k$9$k!#(B

	$BE($,CY$/$F!"$3$C$A$,@h$K:FAw$r$"$-$i$a$A$c$&!#(B

	$B$P$C$A$j(B
		phase 1: RC5
		phase 2: ESP 1DES+SHA1

vs Altiga
	Altiga -> KAME
	phase1: modp768,MD5,3DES
	phase2: ESP DES+MD5 tunnel mode

	SA $B$NJ}8~%A%'%C%/$K0z$C$+$+$C$F!"(Bphase 2 $B$N(B inbound SA $B$,FM$C9~$a$J$$!#(B
	$B$J$*$7$F(B phase 2 $B8r49$O(B OK

	$B8~$3$&$+$i$N(B ESP $B%Q%1%C%H$r$[$I$$$F!"8e$m$KEj$2$h$&$H$9$k$,(B
	$B$J$s$H(B inbound $B$N(B policy check $B$K$R$C$+$+$C$FE>Aw$G$-$J$$!D(B
		a --- A === B --- b

		a -> b  B	$B9T$-(B
		b -> a  A	$B5"$j(B A->a $B$KEj$2$k;~$K0z$C$+$+$k!#(B
		$B$H$j$"$($:(B b->a A $B$r>C$7$FD)@o!#(BOK

			PFKEYv2$B<BAu$9$k;~$K$J$*$9!#(B

	$BE($,(B netmask = 255.255.255.255 $B$G(B ID type = IPv4net $B$GAw$C$FMh$?!#(B
	$B$"$j!)(B -> $B$"$j!#(B

vs CheckPoint
	$B$U$i$l$?!#(B
	$B%F%9%HCf$@$C$?$_$?$$!#(B

vs HITACHI
	KAME -> HITACHI
	HITACHI -> KAME

	$B$D$J$.$C$Q$J$7$G?'!9!#(B
	$B>!<j$KMn$7$F>!<j$K$D$J$0!#(B
	racoon $BB&(B IV $B$N7W;;$K%_%9!#(BInformatinal message $B$N(B decode $B$K<:GT!#(B
	phase 1 $B$N(B rekeying $B$K<:GT$9$k$H(B pst $B$,;D$k;~$,$"$k!#(B
		phase 1 $B$,%(%i!<$K$J$C$?;~$N=hM}$,$$$^$$$A!#(B

	INVALID-COOKIE $B$O%m%0$7$FL5;k$9$k$Y$-!#?75,(BSA$B$rD%$m$&$H$7$F!"(B
	$B$$$s$A$-(BProposal $BEj$2$i$l$k$H=*$k!#(B
	$B0E9f2=$5$l$?(B Informatinal message $B$O?.MQ$9$k!#(B
	$B$=$l0J30$O%m%0$7$F<N$F$k$Y$-!#(B

vs freeSWAN
	freeSWAN -> KAME
		config file$BLdBj(B: phase 1$B$N(Btransport$B$N(Bdiffie-hellman$B$O(Bmust
			config file$B$K4V0c$$$,$"$C$?$i6+$V$Y$-!#(B
		lifetime attribute$B$N(Bparser$B4V0c$$(B
		lifetime attribute$B$N(Bparse$B$K<:GT$9$k$H!"(B0$B$r@_Dj$7$A$c$&(B
			default$B$KLa$9(B
	KAME -> freeSWAN
		$BD9$$(Bproposal$B$rEj$2$k$H(Bparse$B$7$F$/$l$J$$(B
		$B@hJ}$,(Bquick mode$B$N:G8e$G;`$L(B(SADB_UPDATE$BAjEv$N=hM}$G$X$/$k(B)

vs Netlock
	$B$"$C$A(Binitiator$B$G$d$C$F$_$k$,!"$3$C$AB&$N(Bphase 2 proposal parser$B$NLdBj(B
	(AND$B$,2r<a$G$-$J$$(B)$B$G$X$/$k!#(Bphase 1$B$O(Bok$B!#0J8e:FD)@o$;$:!#(B

vs VPNet
	VPN->KAME AH SHA1 

	phase1: modp768,MD5,3DES
	phase2: AH SHA1 tunnel mode
		AH checksum error
		MD5 $B;n$9M=Dj!#$J$s$+LdBj$,$"$C$F:#2s$O$*3+$-$i$7$$!#(B
		
	phase2: ESP DES+MD5 tunnel mode
		$BAPJ}8~(BOK

	CERT $B$N%G%b8+$;$F$b$i$&M=Dj(B
		$BAj<j$,$$$J$$$H%@%a$@$C$F!#(B
		CERT $B$OJL$K%;%-%e%"$K<hF@$7$J$/$F$bNI$$$i$7$$!#(B

vs ashley-laurent (vpcom.com)
	$B$I$C$A8~$-$b(Bok$B!#(B

	ashley -> KAME
		phase 1: 1DES+SHA1
		phase 2: ESP 1DES+SHA1
	KAME -> ashley
		phase 1: 3DES+MD5
		phase 2: ESP 1DES+SHA1

	ashley-laurent$B$,(Bresponder$B$N$H$-!"(Bproposal id #$B$r=q$-49$($F(B
	$BJV$7$F$$$k$N$G%W%m%H%3%kE*$K$O$$$1$J$$(B(racoon$B$OL[$C$F<u$1$F$7$^$&(B)$B!#(B
	lifetime$B$NCM$O=q$-JQ$o$C$FJV$C$FMh$k!#(B

$BJ,$+$C$?;v(B
	- $B:FAwAw$j$^$/$j%F%9%H$O$7$?J}$,NI$$!#(B
	- phase1, phase2 $B$N(B rekeying $B$O7c$7$/$d$k$Y$-!#(B
	- $B>!<j$KMn$7$F>!<j$K@\B3$9$k%F%9%H!#(B
	- proposal parser$B$,4E$$!#(Bproposal id #$B$,F1$8(B2$B$D0J>e$N%W%m%H%3%k(B
	  ($BNc(B: AH+ESP)$B$r@5$7$/=hM}$G$-$J$$!#(B
		$B$H$j$"$($:0BA4:v$O$$$l$?(B
			initiator$B$N$H$-$O(Bconfig file$B$K=q$$$F$"$C$F$b<N$F$k(B
			responder$B$N$H$-$OJVEz8uJd$+$i30$9(B
		cleanup$B$O$7$?$,$^$@IT40A4(B
		pfkey$B$H$H$b$KD>$9$Y$7(B

question
	- informational exchange
		- 1st exchange in phase 1 $B$NJV;v$O(B cookie $BKd$a$FJV$9$+!)(B
		- phase 1 $B$G0E9f$G$-$k$^$G$O!"Mh$?E[$=$N$^$^JV$;$PNI$$$N$G$O!)(B
		- phase 1 $B$H8@$($I$b(B msg-id $B$OF~$l$k!#(B
	- informatinal message
		$B0E9f2=$5$l$F$J$1$l$PL5;k$9$k$Y$-$@!#(B(DoS attack)
	- retransmmission
		$B8E$$%Q%1%C%H$H!"4|BT$7$J$$(B payload $B$NH=CG$,LLE]$J$N$G!"(B
		$B%Q%1%C%H$r%A%'%C%/$7$F!"4|BT$7$J$$(Bpayload$B$,F~$C$F$$$l$P(B
		$BHaLD$"$2$FL5;k!#0E9f2=$5$l$F$J$/$F$b%"%i!<%`$"$2$FL5;k!#(B
		mulformed packet $B$OA4ItL5;k$7$J$$$H(BDOS$B967b$KBP93=PMh$J$$!#(B
		1st exchange $B$r56B$$5$l$k$H!"$$$D$^$G$?$C$F$b@5$7$$Aj<j$H(B
		$BDL?.=PMh$J$$!#(B
	- HASH(3) $B$N(B 0 $B$O2?$G$"$s$N!)(B
		HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
	- broadcast$B$$$-(BIKE$B%Q%1%C%H(B
		$BL5;k$9$Y$-!#(B
		$B$5$i$K!"(BIKE$B$O(Bsrc$B$H(Bdst$B$rC1$K$R$C$/$j$+$($7$FEj$2$k$N$G!"(B
		src$B$,(Bbroadcast$B$N%Q%1%C%H$,860x$G(Bbroadcast storm$B$K$J$j$+$M$J$$!#(B
		-> $B$I$&$7$h$&(B?

racoon
	- zonbie-pst $B$7$J$j$*(B
		phase 2 $B40N;(B
		$BJRJ}(Breboot
		reboot $B$7$F$J$$J}$+$i(B phase 2 $B$K9T$/(B
		reboot $B$7$?$[$&$+$i(B invalid-cookie 
	- phase 2 $B$N(B id-type deirective $B$$$k!)(B
	- first contact $B=hM}$7$m$h$J!#(B-> $B$H$j$"$($:$7$J$/$FNI$$!#(B
	- phase 1 $B$N(B SA payload $B$N(BSPI $B$C$F!)(B
		option $B$K$7$?J}$,NI$$$+$b!#(B
		isakmp-test.ssh $B$O%*%W%7%g%s(B
	- SADB_DELETE $B$+$i(B delete payload $B=P$9$h$&$K$9$k!#(B
		$B$1$I(B DELETE 2$BH/<u$1$F(Bracoon$B;`$s$@!#(B
		$B:F8=$7$J$$!#(B
	- cool log
		racoon $B=*$i$;$J$$$H(Blog $B$_$l$J$$$N$O$$$d(B
		syslog $B2=!)(B
	- SPD $B4X78$N=hM}$O!)(B
		PFKEYv3$B$d$k$H$-9M$($k!#(B
	- racoon.conf base $B$N(B acceptable $B$+$N%A%'%C%/(B
	- cool SA parser
		error check
		acceptable check
		length check
	- sys/queue.h $B2=(B
		SLIST$B$O(BFreeBSD only$B$J$N$G6X;_!#(BLIST_hoge$B$K$7$F$M!#(B
	- $BAw$C$?(Bproposal$B$HJV$C$FMh$?(Bproposal$B$,$A$c$s$H9gCW$9$k$+%A%'%C%/(B
		$B$$$^$O(Binitiator$B$N$/$;$K<u?H!#(B

IPsec
	- sadb_expire $B$,JRJ}$7$+$"$,$C$F$3$J$$$>!)(B
	- $B8GM-%"%I%l%9$N(Bproxy $B%b!<%I$,(Bsetkey $B=PMh$J$$!#(B
	spdadd 209.154.67.34 10.64.91.10 any -P ipsec esp/require/209.154.64.91;
		PFKEYv2 $B$d$k$H$-$J$*$9!#(B