Independent Verification of IPsec Functionality in FreeBSD

David Honig

$FreeBSD: head/ja_JP.eucJP/articles/ipsec-must/article.xml 39632 2012-10-01 11:56:00Z gabor $

3 May 1999

FreeBSD is a registered trademark of The FreeBSD Foundation.

Motif, OSF/1, and UNIX are registered trademarks and IT DialTone and The Open Group are trademarks of The Open Group in the United States and other countries.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the “™” or the “®” symbol.

You installed IPsec and it seems to be working. But how do you know? This article describes a method for experimentally verifying that IPsec is actually encrypting your traffic.


1. The Problem

First, let us assume that IPsec is installed. How do you know it is working? Certainly, if it is misconfigured the connection will not work at all, and it is not wrong to conclude that a working connection means the configuration is right. netstat(1) will list the connection state. But can you independently confirm that the traffic is really being encrypted?


2. The Solution

First, some information theory relevant to cryptography:

  1. Encrypted data is uniformly distributed, i.e., it has maximal entropy per symbol.

  2. Raw, uncompressed data is typically redundant, i.e., it has sub-maximal entropy per symbol.

Suppose you could measure the entropy of the data going to and from your network interface. Then you should be able to see the difference between unencrypted data and encrypted data. This holds even if some of the data in "encrypted mode" is not encrypted, as the outermost IP header must remain in the clear for the packet to be routable.


2.1. MUST

Ueli Maurer's "Universal Statistical Test for Random Bit Generators" (MUST) quickly measures the entropy of a sample. It uses a compression-like algorithm: for each symbol it records how far back the same symbol last occurred, and the average of the base-2 logarithm of those distances approaches the entropy per symbol. The code given at the end of this article is a variant that measures successive chunks (roughly a quarter megabyte each) of a single file.


2.2. Tcpdump

We also need a way to capture the raw data on the network. A program called tcpdump(1) does this, provided the Berkeley Packet Filter interface has been enabled in your kernel configuration file.

The command:

tcpdump -c 4000 -s 10000 -w dumpfile.bin

captures 4000 raw packets and writes them to dumpfile.bin. The -s option sets the snapshot length, so up to 10,000 bytes of each packet are saved in this example rather than the much shorter default (68 bytes in the tcpdump of the time); the entropy test needs the full payload, not just the headers.


3. The Experiment

Here is the experiment:

  1. Open a network connection to an IPsec host and another connection to a host that does not use IPsec.

  2. Now start capturing packets.

  3. In the "IPsec" connection, run the UNIX® command yes(1), which streams the character y. After a while, stop it. Switch to the non-IPsec connection and run the same command; after a while, stop that too.

  4. Now run MUST on the captured packets. You should see output like the following. The important thing to note is that the IPsec connection reaches 93% (6.7) of the expected value (7.18), while the "normal" connection reaches only 29% (2.1).

    % tcpdump -c 4000 -s 10000 -w ipsecdemo.bin
    % uliscan ipsecdemo.bin
    
    Uliscan 21 Dec 98
    L=8 256 258560
    Measuring file ipsecdemo.bin
    Init done
    Expected value for L=8 is 7.1836656
    6.9396 --------------------------------------------------------
    6.6177 -----------------------------------------------------
    6.4100 ---------------------------------------------------
    2.1101 -----------------
    2.0838 -----------------
    2.0983 -----------------
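
The following is an added example, not code from the original article: it re-runs the experiment above offline. Instead of capturing real traffic with tcpdump(1), it constructs two captures, one standing in for the cleartext yes(1) stream and one for the same stream after ESP encryption, prefixes each packet with a hypothetical 20-byte header that stays in the clear (the routable outer IP header mentioned in section 2), and applies Maurer's test with L=8 and the same Q and K as uliscan.c. The "encrypted" payload is output of a seeded PRNG, which is only a stand-in for the statistical property of ciphertext, not an encryption of anything.

```python
"""
Offline re-run of the IPsec entropy experiment (added example, constructed data).
"""
import math
import random
from typing import Tuple

L = 8                    # block size in bits: one byte per symbol
V = 1 << L               # 256 possible symbols
Q = 10 * V               # 2560 initialisation symbols (as in uliscan.c)
K = 100 * Q              # 256000 test symbols per measurement (as in uliscan.c)
EXPECTED_L8 = 7.1836656  # Maurer's expected value of f_T(U) for L=8


def maurer_l8(data: bytes, q: int = Q, k: int = K) -> float:
    """Maurer's f_T(U) statistic over one chunk of up to q + k bytes.

    Mirrors uliscan.c: the first q bytes only prime the position table, then
    each of the next k bytes contributes log2 of the distance back to the
    previous occurrence of the same byte value.  A value never seen while
    priming keeps position 0, so its first occurrence counts as distance i.
    """
    if len(data) < q + 1:
        raise ValueError(f"need at least {q + 1} bytes, got {len(data)}")
    table = [0] * V
    for i in range(q):
        table[data[i]] = i
    total = 0.0
    n = 0
    for i in range(q, min(q + k, len(data))):
        b = data[i]
        total += math.log2(i - table[b])
        table[b] = i
        n += 1
    return total / n


def _header(seq: int) -> bytes:
    """Hypothetical 20-byte outer header that stays in clear in both captures."""
    return b"\x45\x00\x04\x00" + seq.to_bytes(2, "big") + b"\x00" * 14


def build_capture(encrypted: bool, packets: int = 300, payload_len: int = 1000,
                  seed: int = 1234) -> bytes:
    """Constructed capture: `packets` frames of header + payload.

    Cleartext payload is what yes(1) emits ("y\\n" repeated).  The 'encrypted'
    payload is uniform bytes from a seeded PRNG, a stand-in for ESP ciphertext.
    """
    rng = random.Random(seed)
    frames = []
    for seq in range(packets):
        if encrypted:
            payload = bytes(rng.getrandbits(8) for _ in range(payload_len))
        else:
            payload = (b"y\n" * (payload_len // 2 + 1))[:payload_len]
        frames.append(_header(seq) + payload)
    return b"".join(frames)


def measure(capture: bytes) -> Tuple[float, float]:
    """Return (statistic, fraction of the expected value), as reported in section 3."""
    f = maurer_l8(capture)
    return f, f / EXPECTED_L8


if __name__ == "__main__":
    for label, enc in (("IPsec (constructed)", True), ("cleartext (constructed)", False)):
        f, frac = measure(build_capture(enc))
        print(f"{label:24s} {f:.4f}  {frac:4.0%} of expected {EXPECTED_L8}")
```

To run it against a real dumpfile.bin, pass open("dumpfile.bin", "rb").read() to maurer_l8(); like the uliscan run above, that measures the pcap file and packet headers along with the payload, which is why even the IPsec capture lands below 7.18. The constructed cleartext stream scores near 1 bit per symbol because y and newline alternate, whereas the real capture in section 3 scored 2.1 because TCP/IP headers contribute more variety than the payload.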
    

4. Caveat

This experiment shows that, as the theory of encryption predicts, the symbols in the payload of IPsec traffic are indeed uniformly distributed. However, the experiment described here cannot detect flaws in the system (and I have no evidence that any exist). Such flaws include poor key generation or exchange, data or keys being visible to others, use of weak algorithms, or a subverted kernel. Nor can an entropy measurement distinguish encrypted data from merely compressed data, which also looks nearly uniform. To rule these out, study the source: know the code.


5. IPsec: Definition

Internet Protocol security extensions apply to IPv4 and IPv6, and support for them is mandatory in IPv6. The protocol provides encryption and authentication at the IP (host-to-host) level. By contrast, SSL secures only one application socket, SSH secures only a login, and PGP secures only a particular file or message; IPsec encrypts everything between two hosts.


6. Installing IPsec

Recent versions of FreeBSD include IPsec support in the base source code. So you will most likely need to add the IPSEC option to your kernel configuration file, rebuild and reinstall the kernel, and then configure IPsec connections with the setkey(8) command.

A comprehensive guide to running IPsec on FreeBSD is provided in the FreeBSD Handbook.


7. src/sys/i386/conf/KERNELNAME

The following line must be present in the kernel configuration file in order to capture network data with tcpdump(1). After adding it, run config(8), then rebuild and reinstall the kernel.

device	bpf


8. Maurer's Universal Statistical Test (block size = 8 bits)

The same code can also be downloaded from the link given in the original article.

/*
  ULISCAN.c   ---blocksize of 8

  1 Oct 98
  1 Dec 98
  21 Dec 98       uliscan.c derived from ueli8.c

  This version has // comments removed for Sun cc

  This implements Ueli M Maurer's "Universal Statistical Test for Random
  Bit Generators" using L=8

  Accepts a filename on the command line; writes its results, with other
  info, to stdout.

  Handles input file exhaustion gracefully.

  Ref: J. Cryptology v 5 no 2, 1992 pp 89-105
  also on the web somewhere, which is where I found it.

  -David Honig
  honig@sprynet.com

  Usage:
  ULISCAN filename
  outputs to stdout
*/

#define L 8                 /* block size in bits: one byte per symbol */
#define V (1<<L)            /* number of distinct symbols (256) */
#define Q (10*V)            /* initialisation blocks (2560) */
#define K (100   *Q)        /* test blocks per reported value (256000) */
#define MAXSAMP (Q + K)     /* bytes per measurement, about a quarter megabyte */

#include <stdio.h>
#include <stdlib.h>         /* exit() */
#include <math.h>           /* log() */

int main(int argc, char **argv)
{
  FILE *fptr;
  int i, j;
  int b;
  int table[V];             /* table[b]: position at which byte value b was last seen */
  double sum = 0.0;
  int run;

  printf("Uliscan 21 Dec 98 \nL=%d %d %d \n", L, V, MAXSAMP);

  if (argc < 2) {
    printf("Usage: Uliscan filename\n");
    exit(-1);
  } else {
    printf("Measuring file %s\n", argv[1]);
  }

  fptr = fopen(argv[1], "rb");

  if (fptr == NULL) {
    printf("Can't find %s\n", argv[1]);
    exit(-1);
  }

  /* A value never seen during initialisation keeps position 0, so its
     first occurrence in the test phase counts as distance i. */
  for (i = 0; i < V; i++) {
    table[i] = 0;
  }

  /* Initialisation phase: record the last position of each byte value.
     Stop cleanly on a short file instead of indexing table[EOF]. */
  for (i = 0; i < Q; i++) {
    b = fgetc(fptr);
    if (b < 0) {
      printf("File too short; need at least %d bytes.\n", Q + 1);
      fclose(fptr);
      exit(-1);
    }
    table[b] = i;
  }

  printf("Init done\n");

  printf("Expected value for L=8 is 7.1836656\n");

  run = 1;

  /* Test phase: one statistic per K-byte chunk until the file is exhausted. */
  while (run) {
    sum = 0.0;

    for (i = Q; i < Q + K; i++) {
      j = i;
      b = fgetc(fptr);

      if (b < 0) {                      /* end of file: finish this chunk */
        run = 0;
        break;
      }

      /* table still holds positions from the previous chunk, which are
         numbered Q..Q+K-1; shift j so the distance stays correct */
      if (table[b] > j)
        j += K;

      /* natural log of the distance back to the previous occurrence of b */
      sum += log((double)(j - table[b]));

      table[b] = i;
    }

    if (!run)
      printf("Premature end of file; read %d blocks.\n", i - Q);

    if (i - Q <= 0)                     /* nothing read this round: avoid 0/0 */
      break;

    /* mean log2 distance: Maurer's f_T(U) for this chunk */
    sum = (sum / ((double)(i - Q))) / log(2.0);
    printf("%4.4f ", sum);

    /* crude bar graph, 8 dashes per bit of entropy */
    for (i = 0; i < (int)(sum * 8.0 + 0.50); i++)
      printf("-");

    printf("\n");

    /* refill initial table (disabled in this version) */
    if (0) {
      for (i = 0; i < Q; i++) {
        b = fgetc(fptr);
        if (b < 0) {
          run = 0;
        } else {
          table[b] = i;
        }
      }
    }
  }

  fclose(fptr);
  return 0;
}

This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.

For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org> (in English).
For questions about this documentation, e-mail <doc@FreeBSD.org> (in English).