sandiego-result.jp

Linux 2.6 内核上配置IPSec VPN 的工具

Mon Jan 10 2000 - Fri Jan 14 2000

vs microsoft
    as responder
	phase 1$B$N:G8e$N%Q%1%C%H$r:FAw$7$F$/$k!#(Bkame$BB&$N(Bstate machine$B$N(B
	null pointer check$B$,B-$j$:Mn$A$?!#L@F|:FD)@o!#(B

	$B:FD)@o!"$&$^$/$$$C$?(B
		phase 1: pre-shared/3des/sha1/dh2
		phase 2: esp/sha/des/600sec/3kb

vs bluesteel
	$B$&$^$/$$$C$?$i$7$$!#(B

	$B$&$^$/$$$+$J$+$C$?!#(B
	initiator: $B80$G$-$?$1$I(B ping $B$7$F$b8~$3$&$,JV;v$;$:!#(B
		$B:F@oM=Dj(B
	transport $B$d$m$&$H$7$?$iE($,(B tunnel mode $B$r%M%4$C$F$?!#(B
	tunnel $B$N;~$OE($,FbB&$N%"%I%l%9$r4V0c$C$F$?!#(B
	$B$H8@$&J,$1$G(B OK.
	phase 1: pre-shared/md5/des/dh1/10min
	phase 2: esp/md5/des/10min

	$B$d$C$Q$j%M%4$C$?%]%j%7$rFM$C9~$`J}$,3Z$C$9!D(B

vs racoon
	rekey$BLdBj$r2r7h$7$?$"$H(B
	- phase 2$B$r(B5$BIC$K(B1$B2s(Brekey
	- phase 1$B$r(B8$BIC$K(B1$B2s(Brekey
	$B$J$I$N$$$8$a$r$7$F$$$k$,!"$*$*$`$M2wD4!#(B
	$B$?$^$K(Bphase 2$B$N<:GT$,$"$k(B(ping$B$7$F$k$H(B10$BIC$/$i$$7j$,$"$/(B)$B!#(B

	chargen$B$H$+$bJB9T$7$F;n$7$F$$$k$,LdBj$J$7!#(B

	kernel code$B$K(Bmemory leak$B$O$[$H$s$I$J$$LOMM!#(B
	racoon$BFb$K(Bmemory leak$B$,$"$kLOMM!#F0$+$7$F$k$HB@$k!#(B

	IPv6$B$b(BIPv4$BF1MM$A$c$s$HF0$$$F$^$9(B($B$?$@$7(Bglobal address)$B!#(B

	phase 1$B$,(Baggressive mode$B$N$H$-!"(Brekey$B$K<:GT$7$d$9$$!#(B
	(phase 1$B$rBT$C$F(Bphase 2$B$,:F3+$7$J$$(B)

	rekey$B$N$H$-$K$H$-$I$-(Bno spi$B1>!9$,=P$k!#(Bjenkins-ipsec-rekey$B$r(B
	$B$b$C$H4hD%$i$J$$$HBLL\$+(B?

vs ashley laurent
	phase 1 userfqdn support$B$$$l$F$h$s$H8@$o$l$?!#:#2s4V$K9g$&$N$+$J!#(B

	userfqdn $BF~$l$F:F@o$7$h$&$H$7$?$1$I!"E($,(B tunnel mode $B$N(B client $B$"$j(B
	$B$7$+%5%]!<%H$7$F$J$$$N$G!"L@F|:F@oM=Dj!#(B

	PC$BMQ0U$7$F:F@o!#(Bphase1 $B$O$"$C$5$j(Bok.
	phase2 $B$G(B pfs $B$r;H$&$HE($,%/%i%C%7%e$9$k!#(B
	$B<#$j$=$&$bL5$$$N$G%F%9%H$O$"$-$i$a!#(B

	phase1: psk/userfadn/md5/des/dh2

	pfs group $B$@$1;vA0$K(Bprotocol $B$N30$G%M%4$7$J$$$H%@%a$J$N$C$FJQ$+$b(B

vs ericsson
	initiator: $B4{CN$N(BDH group$B$K$D$$$F$O(BDH group type$B$r$D$1$F$O$$$1$J$$(B
	responder: blowfish$B!"$*$h$S(Bkey length$B$r$A$c$s$H%5%]!<%H$7$J$$$H$^$:$$(B

	$B=$@58e(Bok(size=2000$B$N(Bping$B$^$G(B)
		phase 1: pre-shared/des/md5/dh1/lifetime 1hour/lifebyte 1MB
		phase 2: esp/md5/blowfish 56bit/lifetime 1hour/lifebyte 1MB

	delete payload$B$r<u$1$F$b$3$C$A$O(Bphase 1$B$rJ];}$7$D$E$1$F$$$k$,!"(B
	$B$"$C$A$O(Bphase 1$B$b$-$l$?$H;W$C$F$k!#(B
	(jenkins-rekey$B$+$i$9$k$H(Bphase 1/2$B$OJ,N%$7$F4IM}$9$k$N$,@5$7$$$N$G!"(B
	$B$3$C$A$,@52r(B)

vs ibm
	$B@hJ}$G;n$7$?$H$3$m!"(Bagressive mode$B$K(Binterop issue$B$,$"$k$i$7$$!#(B
	($B$3$l$ODI$C$F(BBull$BB&$NLdBj$G$"$k$3$H$,3NG'$5$l$?(B)

	IPv4: main/aggressive$BN>J}(Bok
		phase 1 3des/md5/dh1/3600sec
		phase 2 esp/transport/des/sha1/dh2/1800sec

vs radguard
	gateway: $B$$$^$$$A!#860xITL@!#(B
		$B$3$C$A(Binitiate: policy$B$N$"$,$j$+$?$,$^$:$$(B/phase 1 2$B$H$b(B
			$B$$$^$$$A(B
		$B$3$C$A(Brespond: phase 1 2$B$H$b$$$^$$$A!#@hJ}(Bgateway$BN"$N(Bnode$B$+$i(B
			ping$B$,FO$+$J$$(B

		phase 1: pre-shared/des/md5/dh1
		phase 2: esp tun($BN"(B)/3des/sha1/dh2
	client: $B$P$C$A$j!"$?$@$7@hJ}$K(Bfragment$BLdBj$"$j(B(ping > 1500$BEz$($J$7(B)
		phase 1: pre-shared/3des/sha1/dh2
		phase 2: esp tun($B<+J,<+?H(B)/3des/sha1/dh2

	base mode $B$d$m$&$h$C$F8@$C$?$i;}$C$FMh$F$J$$$+$i!"(B
	$B$&$A$N%F%9%H%5%$%H(B www.ip-sec.com $B$G%F%9%H$7$F$_$F$C$F8@$o$l$k!#(B
	$B8+$?$1$I(B base mode $B$N$+$1$i$b$J$$$>!#(B

vs network associates
	base mode:
		initiator/responder: psk
		PSK $B$N(B HASH_R $B$N7W;;$O(B RFC2409 $B$@$h$HM!$5$l$k!D(B
		$B<#$7$F(B phase1 ok. 
		phase2 $B$G8~$3$&$K(B no proposal choosen. $B$H8@$o$l$k!#(B
		md5/sha1 x des/3des, esp, transport $B$N$O$:$J$s$@$1$I!D(B
		$B%A%'%C%/$7$F$b$i$C$F$k:GCf!#(B

	$B$U$D$&$N(B: $B$P$C$A$j!"(Brekey$BJ|Bj$b$P$C$A$j(B
		phase 1: pre-shared/sha1/3des/dh2/10min
		phase 2: esp/md5/cast128/dh2/5min
	$BL@F|(Bdh5$B$r$d$kM=Dj!#(B(1/12)
	dh5$B@.8y!#(B(1/13)
	agressive mode$B$b$d$C$?!#(B

	$B$3$C$A$,$o!"(Bbyte lifetime$B$KCn$"$j!#$D$M$K@_Dj$N(B1024$BG\$N(Bproposal$B$r(B
	$BEj$2$k!#(B
	$B$5$i$K(Blifetime$B$KCn!#(B

vs intel
	base mode: initiator/responder$B6&$KE($,(BHASH$B$N7W;;4V0c$C$F$$$k$i$7$$!#(B
		$B:F@oM=Dj!#(B

vs freeswan
	group 5: phase1 ok.
	phase2 $B$G(B PFS $B$7$F$k$N$K(B KE $B$,=P$J$$;~$,$"$k!#(B
	$BBgNL$K(Bracoon.conf$B=q$$$F5/F0$9$k$HMn$A$:$K%Q!<%9$K<:GT$9$k;~$,$"$k!#(B
	$B7k2L!"JQ$JCM$,F~$k;~$,$"$k!#(BKE$B$,=P$J$$$N$O$3$N$;$$!#(B

	racoon.conf $B$r>/$J$a$K$7$F:FD)@o!#(B
	$B:#EY$O(B KE $B=P$7$?$N$K<:GT!#(B
	freeswan $B$O(B informational exchange $B$7$J$$$N$G!"2?$,5/$-$?$+$o$+$i$J$$!#(B

	phase2 $B$N(Bproposal$B$r(B6$B8D=q$$$?$i(B SPI=0 $B$G=P$7$F$$$?!#(B
	$B$H$j$"$($:>/$J$a$K=q$$$F:FD)@o!#(B

	phase2 $B$G(BPFS$B$r;H$C$?;~$O(B SA $B$N(B group description $B$r(B
	$B=q$+$J$$$H%(%i!<$K$J$k!#(B

	$B<#$7$F(Bok. thanx hugh!
	phase1: psk/sha1/3des/dh5/10min
	phase2: esp/3des/md5/dh1/10min

vs ire
	ipcomp over ike$B$N%F%9%H(B
	spi$B$^$o$j$J$I$?$/$5$sD>$7$?!#(B2byte spi$B$,Mh$?$H$-$NBP=hEy!#(B
	$B8=>u$N(Bcode$B$O(Bwell-known cpi$B$r$D$C$3$^$l$k$H:$$k!#(B
	phase 1: 3des/sha1/dh1/600s
	phase 2: esp/transport/3des/sha1/300s, ipcomp/deflate/300s

	$B$H$j$"$($:(Bipcomp$B$O(Bok$B!#$d$C$F$_$?AH9g$;(B:
	ip esp ipcomp payload
	ip ah ipcomp payload
	ip esp ipcomp ip payload
	ip ah ipcomp ip payload

	- kame$BB&$N(Bwindow size$B$,$A$$$5$9$F?-D9$G$-$J$$!#(B
	  sys/netinet6/ipcomp_core.c 1.3 -> 1.4$B$,0-1F6A$7$F$$$k$N$GLa$9!#(B
	- ire$BB&$O(Btransport mode$B$N$H$-!"05=LA0%5%$%:(B > MTU$B$r2r<a$7$J$$!#(B
	  $B$N$G%F%9%H$G(Bping -s 2000$B$H$+$d$k$HJV$C$F$3$J$$!#$3$l:$$s$J$$$+(B?
	- ire$B$O!V(Bip esp ipcomp ip payload$B!W$N$H$-!"(BIKE$BE*$K(Besp ipcomp$B$H$b(B
	  tunnel$B$H(Bpropose$B$7$F$/$k!#(Bkame$BB&$O$=$&$G$O$J$$!#(B
	  kame$BB&$GL5M}LpM}$"$o$;$h$&$H$7$F(BIKE$BE*$K(Btunnel+tunnel$B!"(Bkernel$BE*$K(B
	  tunnel+transport$B$H$9$k$H!"L58B$K(Bacquire$B$,$"$,$k!#(B

vs fitel
	$B$"$C$5$j!#(Btunnel/transport ok.  rekey $B$K$A$g$C$HLdBj$"$j!#(B
	phase1: pks/userfqdn/md5/des/20s
	phase2: pfs1/md5/des/10s

	nonce $B$ND9$5(B 320 $BC!$-IU$1$?$i(B malformed payload $B$GJV$5$l$k!#(B
	encode $B$N(B padding $B$r(B 0-100$B$^$G(Brandom $B$K$7$F$bJ?5$!#(B
	padding $B$NCf?H$,(B 0 $B$@$C$?$N$G<#$9!#(B
	$B$?$^$K8~$3$&$+$i$N%Q%1%C%H$K(B1(s)$B0L$NCY1d$,$"$k!#(Brekey$B$H$O4X78$J$$$C$]$$(B

		A --- fitel === KAME --- B
	B $B$+$i(B A $B$X(B ping $B$7$F(B SA $B$r:n$k!#(B
	B $B$O(B ping $B$7B3$1$k!#(B
	A $B$+$i(B ping $B$9$k!#(B
	rekey $B$9$k$H(B A $B$+$i$N%Q%1%C%H$r(B fitel $B$,G1$l$J$/$J$k!#(B
	rekey $B$9$k$H(B fitel $B$O(B
		$B=P$7B&(B: $B8E$$(BSA$B$O$9$0>C$9(B
		$BF~$jB&(B: $B8E$$(BSA$B$O(Blifetime$B$^$G;D$9!#(B
	rekey $B$7$?8e$K;H$&(B SA $B$NLdBj$OL5$5$=$&!#860xITL@!#(B

vs cisco
	IKE$B$O$[$\LdBj$J$7!#(B
	phase 1: pre-shared/3des/sha1/dh2/180sec
	phase 2: esp transport/3des/sha1/dh2/120sec

	phase 1: pre-shared/3des/sha1/dh2/180sec
	phase 2: esp tunnel/3des/sha1/dh2/120sec

	ipsec SA$B$r%+!<%M%k$K$$$l$?8e!"(Bpacket$B=PNO;~$N(BSA$B8!:w$K(B
	$B<:GT$7$F$7$^$&>I>uB3H/!#(Bdelete payload$B$r$/$i$C$?$H$-$K>C$7$?(BSA$B$,(B
	dead$B$N$^$^;D$C$F$7$^$$!"8!:w$r$"$-$i$a$k!#$3$l$OFsEY$H>C$;$J$$(B?
	-> $BD>$7$?!#(Breference count$BLdBj!#(B

>206.175.160.20 206.175.161.114 
>	esp mode=tunnel spi=372644951(0x16361c57) reqid=0(0x00000000)
>	E: 3des-cbc  83dfc523 b3b66e28 06222ccf f33d1d4b c039aeef 07b0e7f0
>	A: hmac-sha1  e30c8e8a d3a8fa30 1985ed93 bdf1ad35 9cd46861
>	replay=4 flags=0x00000000 state=dead seq=1 pid=495
>	created: Jan 13 22:24:40 2000	current: Jan 13 22:39:54 2000
>	diff: 914(s)	hard: 120(s)	soft: 96(s)
>	last:                     	hard: 0(s)	soft: 0(s)
>	current: 0(bytes)	hard: 0(bytes)	soft: 515395584(bytes)
>	allocated: 0	hard: 0	soft: 0
>	refcnt=1
>206.175.160.20 206.175.161.114 
>	esp mode=tunnel spi=205659402(0x0c421d0a) reqid=0(0x00000000)
>	E: 3des-cbc  b2bec5f2 9a9d7d7c 92a5aea3 0ce5310c 7cedd2bb efdd62b2
>	A: hmac-sha1  8fff7c61 990fbb3e 6730e2ed c26c06cf 3c75a2c4
>	replay=4 flags=0x00000000 state=dead seq=0 pid=495
>	created: Jan 13 22:24:47 2000	current: Jan 13 22:39:54 2000
>	diff: 907(s)	hard: 120(s)	soft: 96(s)
>	last:                     	hard: 0(s)	soft: 0(s)
>	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
>	allocated: 0	hard: 0	soft: 0
>	refcnt=1

$B%F%9%H$9$k$K$O(B
	psk.txt$B$K%(%s%H%jDI2C!#(B
	samples/Makefile$B$KAj<j$N(Bentry$B$rDI2C!"@8@.!#(B
	$B@8@.$5$l$?(Bconfig file$B$rE,59$$$8$k!#(B

	tunnel mode$B$N>l9g$O$1$C$3$$$m$$$m$$$8$i$J$$$HBLL\$+$b!#(B

kame
	kernel$B$N(Bmbuf/key management memory$B$N(Bleak$B$O$[$H$s$I3'L5!#$$$/$i$G$b(B
	$BB3$1$i$l$^$9!#(Bracoon$B$OB@$C$?$j$U$s$E$1$?$j(B? $B$H$K$.$d$+!#(B

	bundle$B$K$D$$$F(B:
	- proposal$B$$$C$3$K$D$$$F(Btransform$B$$$C$3$K$J$k$h$&$J(Bconfig file$B$G$J$$$H(B
	  $BF0$+$J$$!#$D$^$j!"(B
		proposal { protocol ah; protocol esp; }
	  $B$O$$$$$,(B
		proposal { protocol esp; protocol esp; }
	  $B$d!"(Bstrength$B$N;HMQ$OIT2D!#(B

	$B$H$-$I$-(Bacquire$B$^$o$j$N(Btrouble$B$G(Brekey$B$7$J$/$J$k$3$H$,$"$k!#(B
	bundle$B;H$C$F$$$J$$$H$-$b;w$?>I>u$,=P$k$,!"(Bbundle$B$r;H$&$H$5$i$K(B
	$B5/$-$d$9$$5$$,$9$k!#(B
	(socket policy$B$K(Brequire$B$H=q$$$?>l9g$K!"(Bacquire$B$,>e$,$i$J$$$3$H$,B?$$(B)

	acquire$B$r(Buserland$BB&$G%U%#%k%?$9$k$H$3$m$G!"%U%#%k%?$7$9$.$K(B
	$B$J$k$3$H$,$"$k!#(B($B%M%4$k$Y$-$J$N$K%M%4$i$J$$(B)
	-> reference count$BLdBj$H$N$+$i$_$+(B?
	-> acquire$B$N%U%#%k%?%j%s%0$O$h$$$3$H$+$o$k$$$3$H$+(B?
	   kernel$BB&$O$^$"$$$$$H$7$F!"(Buserland$BB&$O(Bkernel$BB&>pJs$H(Buserland$BB&>pJs$N(B
	   $B$:$l$K$D$$$F$b$&$A$g$C$H4hD%$i$J$$$H$$$1$J$$$+$b$7$l$J$$!#(B
	   $BNc$($P!"(Bracoon$BF0$+$7$J$,$i(Bsetkey -F$B$7$?>l9g!"(B
	   $B8=>u(B: phase 2 handle$B$O;D$C$F$$$k$,80$O$J$$$N$G!"0lDj;~4V%U%#%k%?$9$k(B
	   $B<B$O(B: $B80$,$J$$$s$@$+$i%M%4$C$?J}$,$h$$!#(B
	   acquire$B$,>e$,$C$?$i$=$N(BSA$B$,$[$s$H$K%+!<%M%k$K$"$k$N$+8!>Z$9$k(B?
	   acquire$B$K!V(Bkernel$B$N$J$+$K$O(BSA$B$,$"$k(B/$B$J$$!W>pJs$N(Bextension$B$r$D$1$k(B?

	kernel$B$G(Bah use/esp use$B$H=q$$$F$"$k$N$K(Bracoon$BB&$G(Besp$B$7$+%M%4$7$J$+$C$?(B
	$B>l9g!"1J1s$K(Bah$B$N(Bacquire$B$,>e$,$jB3$1$k!#(B
	$B$G!"(Bah$B$N(Bacquire$B$,$"$,$C$?$K$b78$o$i$:!"(Bracoon$B$O(Besp$B$N%M%4$r$9$k$N$G(B
	$B1J5W$K%M%4$,B3$/!#(B
	- kernel policy$B$H(Bracoon policy$B$N@09g@-(B - racoon$B$,(Bkernel$B$K(B
	  $B%]%j%7$r$D$C$3$a$P$h$$(B
	- acquire$B$N:Y$+$$%A%'%C%/(B - ah$B$,MW5a$5$l$F$$$k$N$K(Besp$B$r%M%4$i$J$$$h$&$K(B
	$B$,I,MW!#(B

	byte lifetime$BLdBj!#(B
	- $BJRJ}8~$@$1$?$/$5$s(Btraffic$B$,$"$k$H!"JRJ}8~$@$1(Bexpire$B$9$k!#(B
	  $B$G!"%M%4$9$k$H5UB&$O$A$C$H$b(Bexpire$B$7$J$$$N$G80$,$?$/$5$sN/$C$F$$$/!#(B
	- $B%Q%1%C%H%m%9$,$"$k$H!"=P$7B&$O(Bexpire$B$9$k$N$K<u$1B&$O(Bexpire$B$7$J$$(B
	  $B>l9g$,$"$k!#(B($BLdBj$K$O$J$i$J$$$H;W$&$,(B)

	$B$I$C$A$N5sF0$,K>$^$7$$$N$+(B?
	racoon: lifetime$B!"$3$C$AB&$N(Bconfig file$B$K4X78$J$/%M%4$7$?7k2L$r(B
		kernel$B$K$$$l$k!#(B
	nai pgp client: lifetime$B$N%M%4$OIaDL$KDL$9$,!"(Bkernel$B$K$$$l$k$N$O(B
		min($B<+J,$N%]%j%7(B, $B%M%47k2L(B)

	initiate $B$9$k%Q%i%a!<%?$H(B acceptable check $B$K;H$&%Q%i%a!<%?$r(B
	$BJ,$1$?J}$,NI$$$+$b$7$l$J$$!#(B
	$B>/$J$/$H$b(B lifetime $B$d(B PFS group $B$K$OHO0O$,I,MW!#(B

	DOS$BBP:v(B
	- $BF1$8(B src $B$+$i!"(Bphase 1 $B$N0lH/L\$r(B
	  n$BIC4V$K(B m$BH/<u$1<h$C$?$i(BDOS$B$H;W$&$H$+!)(B
	- src $B$O56B$$G$-$k$+$i(B n$BIC4V$K(B m$BH/<u$1<h$C$?$i$G==J,$+$b!)(B
	  itojun$B$O$3$C$A$G$$$$$H;W$&!#$?$@$7(Bn$B$H(Bm$B$OD4@02DG=$K$7$F$*$-$?$$(B
	  (n = 1$B8GDj$G(Bm$B$@$12DJQ$G$b$$$$$1$I(B)

	INITIAL CONTACT $B$d$s$J$$$H!#(B

	phase 1 $B$N:G8e$K(B CONNECTED $B<u$1<h$C$?$i!"7k6I$I$&$9$k$N$,@5$7$$$N!)(B

	COMMIT BIT $B$NI,MW@-$,$h$/$o$+$i$s!#(B
		jenkins rekey $BFI$a$P$o$+$k$+$b!#(B

	IPcomp $B$H(B ESP $B$rJ;MQ$9$k;~$N(Blifetime$B$C$F!)(B
		bundle $B$J$i0l=o$K$9$k$O$:!#(B
		$BDL>o(B ESP $B$N(B lifetime $B$O(B 28800(s)
		$B$1$I!"(B ipcomp $B$N(B lifetime $B$C$F!g$G$bNI$$$/$i$$$J$N$K!#(B
		IPcomp $B$N%M%4$C$FI,MW$J$s$@$m$&$+!)(B (i.e.  $BAj<j$,(Bipcomp capable
		$B$+$o$+$l$P$h$$!#$=$l0J>e$N%M%4$NI,MW@-$O5?Ld(B)
	-> IPComp capable node$B$+$I$&$+$N>pJs$rC_$($k$K$O(BSA$B$r;H$&!#(B
	   SA$B$O%a%b%j$r?)$&!#%a%b%j$$$D$^$G$b?)$C$F$k$N$O7y!#(B
	   $B$h$C$F(Bipcomp lifetime$B$bI,MW!#(B