NetBSD/crypto/dist/kame/racoon/doc/SantaBarbara-result.jp

Mon May 24 1999 - Fri May 28 1999
 
vs SSH
KAME -> SSH
 
phase1: the peer could not decode our packets, so it failed.
RC5, IDEA, CAST, blowfish: all failed... argh.
racoon's keylength was wrong.
phase 1 was expiring instantly.
When the peer did not send a lifetime, we were setting 0. Now we set the default.
Confirmed with isakmp-test.ssh.fi.
 
They send several retransmissions in one burst.
racoon was treating a retransmitted packet as a bad packet and ending the exchange.
Same when an encrypted packet is expected.
In the end, we cannot tell whether a packet is bad or a retransmission, so we ignore it.
 
The peer is slow, and we give up retransmitting first.
 
Worked perfectly.
phase 1: RC5
phase 2: ESP 1DES+SHA1
 
vs Altiga
Altiga -> KAME
phase1: modp768,MD5,3DES
phase2: ESP DES+MD5 tunnel mode
 
Tripped on the SA direction check, so the phase 2 inbound SA could not be installed.
After fixing that, the phase 2 exchange is OK.
 
We decapsulate the ESP packet from the peer and try to forward it to the host behind us, but
it trips on the inbound policy check, of all things, and cannot be forwarded...
a --- A === B --- b
 
a -> b B  outbound
b -> a A  return; trips when forwarding A->a.
For now, deleted the "b -> a A" entry and retried. OK.
 
Will fix this when implementing PFKEYv2.
 
The peer sent ID type = IPv4net with netmask = 255.255.255.255.
Is that allowed? -> Yes, it is.
 
vs CheckPoint
Turned down.
They seemed to be in the middle of testing.
 
vs HITACHI
KAME -> HITACHI
HITACHI -> KAME
 
Stayed connected and tried various things.
Dropping the connection and reconnecting at will.
Mistake in the IV computation on the racoon side. Failed to decode Informational messages.
When phase 1 rekeying fails, the pst sometimes remains.
Handling of a phase 1 error is not good enough.
 
INVALID-COOKIE should be logged and ignored. When trying to set up a new SA,
it is all over if a bogus Proposal is thrown at us.
Encrypted Informational messages are trusted.
Anything else should be logged and discarded.
 
vs freeSWAN
freeSWAN -> KAME
config file problem: diffie-hellman in the phase 1 transport is a must
It should complain loudly when the config file contains a mistake.
lifetime attribute parser bug
When parsing the lifetime attribute fails, 0 gets set
Revert to the default
KAME -> freeSWAN
If we send a long proposal, the peer does not parse it
The peer dies at the end of quick mode (it fails in the processing equivalent to SADB_UPDATE)
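
The lifetime handling noted under SSH (peer sends no lifetime) and freeSWAN (lifetime attribute fails to parse), as an added example that is not racoon's code: an ISAKMP attribute walk that never returns 0. The name parse_lifetime and the 28800-second default are assumptions; the attribute numbers are those of RFC 2409 Appendix A.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ATTR_LIFE_TYPE     11      /* RFC 2409 Appendix A (phase 1) */
#define ATTR_LIFE_DURATION 12
#define LIFE_SECONDS       1
#define DEFAULT_LIFETIME   28800u  /* assumed local default, in seconds */

/* Walk an ISAKMP attribute list and return the lifetime in seconds.
 * Absent, zero, non-seconds or malformed lifetimes yield the default,
 * never 0, so the SA cannot expire the moment it is created. */
uint32_t parse_lifetime(const uint8_t *p, size_t len)
{
    size_t off = 0, i;
    unsigned life_type = 0;
    uint32_t secs = 0;

    while (off < len) {
        if (len - off < 4)
            return DEFAULT_LIFETIME;            /* truncated header */
        unsigned type = (unsigned)(p[off] << 8 | p[off + 1]);
        unsigned lv = (unsigned)(p[off + 2] << 8 | p[off + 3]);
        int basic = (type & 0x8000) != 0;       /* AF bit set: TV form */
        const uint8_t *val = p + off + (basic ? 2 : 4);
        size_t vlen = basic ? 2 : lv;
        off += 4;
        if (!basic && lv > len - off)
            return DEFAULT_LIFETIME;            /* length overruns buffer */
        if (!basic)
            off += lv;
        type &= 0x7fff;
        if (type == ATTR_LIFE_TYPE) {
            life_type = basic ? lv : 0;
        } else if (type == ATTR_LIFE_DURATION && life_type == LIFE_SECONDS) {
            if (vlen == 0 || vlen > 4)
                return DEFAULT_LIFETIME;        /* unusable width */
            for (secs = 0, i = 0; i < vlen; i++)
                secs = secs << 8 | val[i];
        }
    }
    return secs ? secs : DEFAULT_LIFETIME;
}
/* Constructed sample attribute lists (not captured traffic). */
static const uint8_t tv_3600[]   = {0x80,0x0b,0,1, 0x80,0x0c,0x0e,0x10};
static const uint8_t tlv_86400[] = {0x80,0x0b,0,1, 0,0x0c,0,4, 0,1,0x51,0x80};
static const uint8_t truncated[] = {0x80,0x0b,0,1, 0,0x0c,0,4, 0,1};
static const uint8_t no_life[]   = {0x80,0x01,0,5};

int main(void) { printf("%u\n", (unsigned)parse_lifetime(tlv_86400, sizeof tlv_86400)); return 0; }
```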
 
vs Netlock
Tried with them as initiator, but it failed because of a problem in our phase 2 proposal parser
(it cannot interpret AND). phase 1 was ok. Did not retry after that.
 
vs VPNet
VPN->KAME AH SHA1
 
phase1: modp768,MD5,3DES
phase2: AH SHA1 tunnel mode
AH checksum error
Plan to try MD5. There was some problem, and it seems we are done for this time.
 
phase2: ESP DES+MD5 tunnel mode
OK in both directions
 
Planned to be shown a CERT demo
They said it cannot be done without a peer.
Apparently a CERT does not particularly need to be obtained securely.
 
vs ashley-laurent (vpcom.com)
ok in both directions.
 
ashley -> KAME
phase 1: 1DES+SHA1
phase 2: ESP 1DES+SHA1
KAME -> ashley
phase 1: 3DES+MD5
phase 2: ESP 1DES+SHA1
 
When ashley-laurent is the responder, it rewrites the proposal id # in its
reply, which is not allowed by the protocol (racoon silently accepts it).
The lifetime value comes back rewritten.
 
Lessons learned
- We should run a test that floods retransmissions.
- phase1 and phase2 rekeying should be exercised aggressively.
- Test dropping the connection and reconnecting at will.
- The proposal parser is lax. It cannot correctly handle two or more protocols
  with the same proposal id # (e.g. AH+ESP).
    Added a safety measure for now:
        as initiator, discard it even if it is written in the config file
        as responder, exclude it from the reply candidates
    Cleaned up, but still incomplete
    Should be fixed together with pfkey
 
question
- informational exchange
    - Should the reply to the 1st exchange in phase 1 go back with the cookie filled in?
    - Until encryption is possible in phase 1, shouldn't we just return what arrived as it is?
    - Even in phase 1, the msg-id is included.
- informational message
    Should be ignored unless encrypted. (DoS attack)
- retransmission
    Telling an old packet from an unexpected payload is a hassle, so
    check the packet and, if it contains an unexpected payload,
    raise an alarm and ignore it. Even if it is not encrypted, raise an alarm and ignore it.
    Unless all malformed packets are ignored, DoS attacks cannot be withstood.
    If the 1st exchange is forged, we can never communicate with
    the legitimate peer.
- Why is there a 0 in HASH(3)?
    HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
- IKE packets sent to broadcast
    Should be ignored.
    Furthermore, IKE simply swaps src and dst when it replies, so
    a packet whose src is broadcast could cause a broadcast storm.
    -> What should we do?
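
The drop rules these notes arrive at (ignore broadcast IKE packets, ignore malformed packets, ignore unencrypted Informational messages), as an added example that is not racoon's code: a pre-parse triage on the fixed ISAKMP header from RFC 2408. The names ike_triage, verdict and subnet_bcast are assumptions, and checking for unexpected payloads is left out of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ISAKMP_HDR_LEN 28   /* cookies 8+8, np, ver, etype, flags, msgid 4, len 4 */
#define ETYPE_INFO     5    /* RFC 2408 Informational exchange */
#define FLAG_ENCRYPTED 0x01 /* E bit in the flags octet */
#define LIMITED_BCAST  0xffffffffu

enum verdict { PROCESS, LOG_AND_DROP };

/* Addresses are IPv4 in host byte order. subnet_bcast is the directed
 * broadcast address of the receiving interface (supplied by the caller). */
enum verdict ike_triage(const uint8_t *pkt, size_t len,
                        uint32_t src, uint32_t dst, uint32_t subnet_bcast)
{
    uint32_t mlen;

    /* A reply swaps src and dst, so a broadcast on either side is dropped. */
    if (src == LIMITED_BCAST || src == subnet_bcast ||
        dst == LIMITED_BCAST || dst == subnet_bcast)
        return LOG_AND_DROP;
    if (len < ISAKMP_HDR_LEN)
        return LOG_AND_DROP;                    /* no complete header */
    mlen = (uint32_t)pkt[24] << 24 | (uint32_t)pkt[25] << 16 |
           (uint32_t)pkt[26] << 8 | pkt[27];
    if (mlen < ISAKMP_HDR_LEN || mlen > len)
        return LOG_AND_DROP;                    /* length field is inconsistent */
    if (pkt[18] == ETYPE_INFO && !(pkt[19] & FLAG_ENCRYPTED))
        return LOG_AND_DROP;                    /* cleartext Informational */
    return PROCESS;
}

/* Constructed headers (zero cookies, not captured traffic). */
static const uint8_t info_clear[28] = { [18] = 5, [19] = 0, [27] = 28 };
static const uint8_t info_enc[32]   = { [18] = 5, [19] = 1, [27] = 32 };
static const uint8_t main_mode[28]  = { [18] = 2, [27] = 28 };
static const uint8_t bad_len[28]    = { [18] = 2, [27] = 64 };

int main(void)
{
    printf("%d %d\n",
           ike_triage(info_clear, sizeof info_clear, 0x0a000001, 0x0a000002, 0x0a0000ff),
           ike_triage(info_enc, sizeof info_enc, 0x0a000001, 0x0a000002, 0x0a0000ff));
    return 0;
}
```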
 
racoon
- zombie-pst scenario
    phase 2 completes
    one side reboots
    the side that did not reboot goes to phase 2
    the side that rebooted answers invalid-cookie
- Is an id-type directive for phase 2 needed?
- Handle first contact. -> Not needed for now.
- What about the SPI in the phase 1 SA payload?
    Might be better to make it an option.
    It is an option in isakmp-test.ssh
- Send a delete payload on SADB_DELETE.
    But racoon died after receiving two DELETEs.
    Not reproducible.
- cool log
    Not being able to read the log without stopping racoon is annoying
    Move to syslog?
- What about SPD-related processing?
    Will think about it when doing PFKEYv3.
- racoon.conf-based check for acceptability
- cool SA parser
    error check
    acceptable check
    length check
- Convert to sys/queue.h
    SLIST is FreeBSD only, so it is forbidden. Use LIST_hoge instead.
- Check that the proposal that comes back properly matches the proposal we sent
    Right now it is passive despite being the initiator.
 
IPsec
- sadb_expire is raised on only one side?
- Proxy mode with a specific address cannot be set with setkey.
    spdadd 209.154.67.34 10.64.91.10 any -P ipsec esp/require/209.154.64.91;
    Will fix this when doing PFKEYv2.