Why am I so passionate about IPsec? Isn't it probably the most complex protocol stack for protecting networks, and isn't complexity the main enemy of reliability and security? First, the more you learn about its protocols, especially IKEv2, the more you understand how many capabilities were put into it, and the more you are impressed by how well thought out it is, in contrast to the common developer approach of piling one crutch on top of another and solving serious problems only once they have struck. Second, the IPsec protocols are well designed cryptographically: even the old ESP/IKEv1 are the only mass-deployed industrial protocols that have had no serious vulnerabilities. SSL, from the same era (1995), only became properly thought out as of version 1.3. And many people dislike IPsec because of the enormous complexity of IKEv1, which v2 does not have.
Ideally, if operating system developers had not dragged their feet on implementing and rolling out IPsec and IPv6 (for host reachability, since there is no NAT), SSL/TLS should not have needed to appear at all. The world turned out not to be perfect, but IPsec (at least the SA/SP + ESP part of the stack) is present in at least several widespread operating systems (personally I know only of DragonFly BSD, which dropped IPsec for lack of developers to maintain it), and in some developed countries IPv6 is readily available to the majority of people.
IPsec is a stack of protocols, API calls and frameworks with which an application or administrator can state the security required for communication, which is then provided transparently at the network level (IP security). This can apply both to the IP packets of a single socket (a TCP connection, for example) and to traffic between entire networks.
Traffic security means ensuring data confidentiality, data authenticity/integrity, and protection against replay attacks. Like almost every protocol, IPsec has a transport part, which protects IP packets, and a handshake part, which deals with key negotiation, parameters, configuration and authentication of the parties.
TLS 1.3: provides only per-socket data protection for TCP connections. DTLS can protect datagrams (DTLS 1.3 is not yet a standard), but not every library supports it.
Transport protocols
The IPsec transport uses the following IP protocols:
- AH (Authentication Header). AH is not discussed further because it provides no data confidentiality. As far as I have heard, it was created only to somehow satisfy the laws some countries had in the 1990s restricting the use of encryption. Encryption is so lightweight compared with everything else that there is no point in sacrificing it. That said, almost everywhere ESP is mentioned, AH is implied as well.
- ESP (Encapsulating Security Payload). ESP has evolved slightly over time and the current version is ESPv3, which in most cases is backward compatible with earlier versions.
IP traffic is protected only by the transport part. Because this can mean millions of packets per second, ESP is de facto implemented at the operating system kernel level, or at least in its network stack, to avoid costly context switches between kernel and user space (which normally occur with TLS, SSH, OpenVPN and so on).
I stress that AH and ESP are IP-layer (network-layer) protocols, not transport-layer ones. Why not UDP? Its checksum would be redundant and waste CPU, since the cryptography guarantees integrity anyway. But if your NAT knows nothing about ESP (and it doesn't), none of this will work through it. Later the NAT-T (NAT Traversal) crutch was invented: IPsec traffic is wrapped in UDP packets on port 4500 so that it can pass through NAT. This is unnecessary overhead and requires changes to the in-kernel IPsec stack, which must recognise these special UDP packets and extract the ESP from them for normal processing.
SP, SA, SPI and first IPsec encryption
How does the kernel know what to do with an IP packet: encrypt it with a key, decrypt an incoming ESP packet, or pass the IP packet through untouched? For this the kernel has security policies (SP), which are firewall-like rules. In addition, the kernel holds security associations (SA): contexts for performing cryptographic operations (keys, counters, replay windows and so on). In general SPs are specific to IPsec, and so are SAs, although SAs can also be used for other tasks/protocols (OSPF, for example).
SPs/SAs can be configured manually through a special API (PF_KEYv2) or with a utility such as setkey. For example, to tell the kernel that all IP packets from fc00::123 to fc00::321 must be protected with ESP, it is enough to run this from the command line:
$ echo "spdadd fc00::123 fc00::321 any -P out ipsec esp/transport//require;" | setkey -c
Before this command, a ping looked like this:
IP6 fc00::123 > fc00::321: ICMP6, echo request, seq 0, length 16
IP6 fc00::321 > fc00::123: ICMP6, echo reply, seq 0, length 16
IP6 fc00::123 > fc00::321: ICMP6, echo request, seq 1, length 16
IP6 fc00::321 > fc00::123: ICMP6, echo reply, seq 1, length 16
After the command we no longer see it, because the kernel does not yet know what to encrypt with. An SA must be added. This can be done by hand; here we set AEAD encryption with the AES-GCM-16 algorithm and a random 160-bit key:
echo "add fc00::123 fc00::321 esp 0xdeadbabe -E aes-gcm-16 0x0c09d1d90f804b0b4cef80e255e29c0894db1928 ;" | setkey -c
After running the same commands on the remote host (not forgetting to specify -P in), we see:
IP6 fc00::123 > fc00::321: ESP(spi=0xdeadbabe,seq=0x1), length 52
IP6 fc00::321 > fc00::123: ICMP6, echo reply, seq 0, length 16
IP6 fc00::123 > fc00::321: ESP(spi=0xdeadbabe,seq=0x2), length 52
IP6 fc00::321 > fc00::123: ICMP6, echo reply, seq 1, length 16
The request is encrypted with ESP, but the reply is not. ESP is unidirectional by default, so for two-way communication another SP/SA must be added for the opposite direction. The 0xdeadbabe in this example is the Security Parameter Index (SPI): a unique identifier of the ESP "tunnel" between two IP addresses, by which the kernel can find the corresponding SA context and take the decryption key from it. esp/transport//require is a requirement to use ESP in transport mode (see below for details).
ESP internals
Schematically, an ESP packet is structured as follows:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---
|               Security Parameters Index (SPI)                 |  ^
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  | A
|                      Sequence Number                          |  | u
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  | t
~                        IV (variable)                          ~  | h
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  | e -----
|                    Payload Data (variable)                    |  | n  ^ E
~                                                               ~  | t  | n
|                                                               |  | i  | c
+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  | c  | r
|               |     TFC Padding * (optional, variable)        |  | a  | y
+-+-+-+-+-+-+-+-+         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  | t  | p
|                         |        Padding (0-255 bytes)        |  | e  | t
+-+-+-+-+-+-+-+-+-+-+-+-+-+     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  | d  | e
|                               |  Pad Length   | Next Header   |  v    v d
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---------
~              Integrity Check Value-ICV (variable)             ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- SPI - a 32-bit unique identifier of the ESP session/tunnel/connection between IP addresses. Normally the triple {SrcIP, DstIP, SPI} identifies the SA and its cryptographic context.
- SeqNum - 32- . . , replay attack.
- payload - ESP, .
- TFC padding - (Traffic Flow Confidentiality), , - , . TFC , , payload , . , payload IP , . TFC - , .
- Padding - ESP payload 32- , . , ( CBC) . . .
- Pad Length - 8- Padding .
- Next Header - 8- IP payload. «no next header», ESP- - , . TFC - .
- ICV - Integrity Check Value, (MAC).
Everything in the packet from the payload through Next Header is encrypted. Everything except the MAC is authenticated. The ICV length and the presence of an IV (initialisation vector) depend on the encryption and authentication modes/algorithms used.
TLS 1.3: optional padding of data to a given size appeared only in version 1.3. Otherwise encryption and authentication are quite similar. TLS 1.3 mandates AEAD algorithms only, which is right and good. ESP supports AEAD but also offers more archaic options. There are no fields like SPI or SeqNum, because TCP guarantees ordering and delivery. In addition, the initialisation vector is not actually transmitted explicitly, so TLS record-layer packets are slightly shorter. DTLS, by contrast, does carry a SeqNum and message fragmentation data.
A 32-bit packet number can in practice be too short: it is only a little over four billion IP packets, which at 10 Mpps and above fly by in minutes. What happens when the counter overflows? It resets to zero. But that means a replay attack becomes possible using ESP packets intercepted earlier, once the SPI + SeqNum values start repeating. ESN (Extended Sequence Number) was invented to solve this: a 64-bit counter of which only the low 32 bits are transmitted in the SeqNum field, while the high 32 bits are kept in memory. The full ESN value is authenticated, so the parties must agree in advance on the use of ESN.
ESP encryption
How exactly is an ESP packet encrypted/authenticated when, say, AES-GCM-16 is used? For ESP it uses a 64-bit initialisation vector placed at the start of the payload, plus a 32-bit salt that is part of the key material: in the setkey example we specified not a 128-bit key but a 128+32-bit one. It can happen that a key is reused and the IV is filled from a poor pseudo-random number generator (PRNG) whose values may repeat. The salt is designed to protect against this most dangerous case, which could lead to decryption of intercepted packets. The ESP encryption/authentication itself in AES-128-GCM-16-ESP mode is:
AES-GCM(
key = 128-bit key,
plaintext = 64-bit IV || payload || TFC || pad || padLen || NH,
nonce = 32-bit salt || IV,
associated-data = SPI || {ESN SeqNum},
) -> encrypted-payload || 128-bit ICV
ESP = SPI || SeqNum || IV || encrypted-payload || ICV
For the Russian GOST algorithms (the Magma or Grasshopper ciphers) the inputs are similar. Both ciphers are used in MGM mode (one could say an improved GCM), with ESPTREE key-material rotation based on HMAC-Stribog-256 applied as standard. This reduces the load on the key. In the IPsec context this is mainly not about extending the key's usage period but about reducing the attack surface via side channels. For example, thanks to key meshing (a similar technique of constant key rotation), the GOST 28147-89 block cipher with its 64-bit block size turned out not to be vulnerable to the SWEET32 attack.
From a security standpoint there are no complaints about ESP with AEAD algorithms. However, with AEAD algorithms the IV is just a 64-bit counter that wastes space in the packet by being passed explicitly with every packet. SeqNum is short and ESN is not transmitted in full, yet they would suit perfectly well as the IV. For non-AEAD algorithms an IV really is needed and may have to be an unpredictable value, certainly not a counter. This is legacy that eats precious space in the packet, though it does not affect security.
If the AEAD IV could be as large as 128 bits, it would be possible to use algorithms such as XSalsa20/XChaCha20 with a 192-bit nonce, of which 128 bits could be generated pseudo-randomly at startup and the remaining 64 bits used as a counter. This could be a lifesaver for systems that lose their counter state but keep using existing keys.
TLS 1.3: the nonce is the XOR of the message counter and an initialisation vector derived together with the key. Neither the counter nor the IV is transmitted explicitly, so TLS 1.3 is a little more compact. When ESP uses non-AEAD algorithms, unpredictable IVs may have to be generated, which can put a noticeable load on the CPU.
Tunnel mode and transport mode
What does the packet's payload contain? That depends on whether ESP is operating in transport mode or tunnel mode. Transport mode replaces the payload of the IP packet being sent with an ESP carrying that payload. That is, what was:
---------------------------------------
| orig IP hdr |[ext hdrs]| TCP | Data |
---------------------------------------
becomes:
---------------------------------------------------------
| orig |hop-by-hop,dest*,|   |dest|   |    | ESP   | ESP|
|IP hdr|routing,fragment.|ESP|opt*|TCP|Data|Trailer| ICV|
---------------------------------------------------------
                             |<--- encryption ---->|
                         |<---- authenticity ----->|
In tunnel mode the whole IP packet is wrapped in ESP and a new IP packet is formed, usually with new headers and SrcIP/DstIP addresses. This mode is used for tunnelling packets between networks.
----------------------------------------------------------
| new* |new ext|   | orig*|orig ext|   |    | ESP   | ESP|
|IP hdr| hdrs* |ESP|IP hdr| hdrs * |TCP|Data|Trailer| ICV|
----------------------------------------------------------
                   |<--------- encryption --------->|
               |<---------- authenticity ---------->|
For example, with setkey you can specify that all packets between the 2001:ac::/64 and 2001:dc::/64 networks must pass encrypted through a tunnel whose two endpoints have the addresses 2001::123 and 2001::321:
spdadd 2001:ac::/64 2001:dc::/64 any -P out ipsec esp/tunnel/2001::123-2001::321/require ;
spdadd 2001:dc::/64 2001:ac::/64 any -P in ipsec esp/tunnel/2001::321-2001::123/require ;
Transport mode is often called host-to-host mode. It is also used when tunnelling between two endpoints is already handled by GRE or IPv*-over-IPv* protocols, in which case there is no point in also using tunnel mode at the IPsec level. However, transport mode does not authenticate the IP header. As a rule this is neither critical nor important, but if you want to be sure that IPv6 extension headers or the packet's flow label have not been altered, you must use tunnel mode even between two hosts, at the cost of overhead.
ISAKMP
What happens if the computer reboots, the SAs with all their counter values vanish from memory, and the same SP/SA commands are loaded again by hand? First, packets with matching IVs can be decrypted, because this is the same as using a one-time pad twice. Second, because SPI/salt/ESN/SeqNum match, all previously intercepted packets will authenticate as valid, so they can be replayed. Reusing such setkey SAs is disastrous for security. Third, especially when ESN is not used (in FreeBSD, for example, it was not yet supported at the time of writing), with a long-lived SA you may not notice that the counter has been exhausted.
All this means that ESP keys must be changed regularly. The parties also need to negotiate the encryption algorithms, the use of ESN and TFC, transport/tunnel mode and the SPI values. De facto the ISAKMP protocol (Internet Security Association and Key Management Protocol) is used for this. But you could just as well chat over an IM with OTR/PGP/OMEMO authenticated encryption and send setkey commands in a shell script to the server, with keys generated by reading /dev/urandom; how the agreement is reached does not matter to the kernel. It is similar with OpenVPN, where X.509 certificate authentication and key negotiation are usually done over TLS, while the VPN transport protocol itself is its own.
ISAKMP is not used in its "pure" form, because it contains no cryptography. To authenticate the peers and generate key material, third-party protocols that encapsulate ISAKMP are used. The known ones:
- KINK - Kerberized Internet Negotiation of Keys. A trusted Kerberos KDC is used for authentication and negotiation. Beyond the description on Wikipedia I know nothing more about KINK and have never seen it live.
- IKE (v1) - Internet Key Exchange, created in 1998. Probably still the most popular protocol.
- IKEv2 - the second version of IKE, from 2005. It is discussed below.
The IKE protocols are highly extensible thanks to their many payload types. IKEv1 has a huge number of options to configure just to get a single tunnel working. A dozen or more RFCs that together describe ISAKMP and IKEv1 with their shared payloads, the frightening complexity, and the ease of ruining a configuration you are not absolutely sure about have produced the well-known and partly deserved myth that IKEv1 is guaranteed to work only if the configuration files are copied almost verbatim.
Fortunately, IKEv2 appeared: one convenient RFC (covering most functionality) and a greatly simplified protocol for negotiating parameters, and hence simpler configuration. As a rule it needs fewer round trips than IKEv1 for the whole handshake and key agreement. From here on only IKEv2 is considered, since IKEv1 no longer makes sense (although instances that are already deployed and working are hardly worth replacing). Unlike IKEv1, IKEv2 encrypts its own messages using algorithms and approaches entirely similar to those of ESP. It also introduced EAP authentication and the ability to authenticate each side by a different method (for example, the client with a PSK and the server with an X.509 certificate).
IKE daemons
+-------------+
| |
+-------------+
| |
| |
| | /userspace
=====[PF_KEY]====[PF_INET]====================
| |
+-----------+ +-------------+
| | |TCP/IP, |
| SA SP |---| IPsec|
+-----------+ +-------------+
|
+-----------+
| |
| |
+-----------+
This part of the IPsec stack normally runs in user space. First, these are not heavily loaded daemons: they may talk to each other as little as once a day, and the initial handshake takes a few round trips over UDP. Second, the amount of ISAKMP/IKE functionality results in hundreds of times more code than a full SA/SP/ESP implementation. There are many ISAKMP daemons: strongSwan (IKEv1/v2) (as well as Openswan and Libreswan), isakmpd (IKEv1), OpenIKED (IKEv2), racoon (IKEv1), racoon2 (IKEv1/v2, KINK), and others.
Note: it is correct to write and say "daemon", as I have seen in translations of fiction. But in the Russian-speaking technical community "demon" has already taken root.
TLS 1.3: generally the whole TLS stack is library functions working inside each individual application, with key material stored in the application's own memory. All cryptography involves switching to user space, which is significant overhead. However, at least FreeBSD and Linux already have kernel offload implementations of TLS in which, as with IPsec, the transport part is handled entirely in the kernel and the handshake is done in user space.
IKEv2 runs over UDP, on port 500 (the isakmp service) by default. The daemons create a secure channel, authenticate each other, negotiate/create/delete ESP SAs/SPs, update keys, run a heartbeat (Dead Peer Detection, DPD) and so on. All communication between daemons takes the form of request/response message pairs, and every request must be answered. Since this is UDP, what about lost packets? The daemon has to account for this in its state: retransmit a request after a timeout with no response, resend the response to a repeated request, and ignore repeated responses. Packets may arrive in arbitrary order and may disappear unexpectedly. The IKEv2 standard takes much of this into account and describes how to behave under various race conditions.
TLS 1.3: because TLS runs over TCP, message ordering and delivery are taken care of. However, TCP consumes considerable resources in the OS kernel, and (unlike UDP) a huge number of TCP sessions can become a problem. In DTLS all the same problems arise as in IKE, with the added headache of handling fragmented messages. With UDP, a change of an endpoint's IP address is not a problem. IKE connections are as a rule very long-lived (IKE state is small and kept only in the memory of the user-space daemon), so handshakes are needed less often, whereas in TLS one is needed after the TCP connection is lost (although there are ways to resume a session and speed this up, provided state has not been lost, for example when the program restarts). Because the IKE daemon is (as a rule) a system-wide daemon, if an application wants to communicate securely with someone with whom an IKE connection already exists, that connection is used immediately and the daemons create an additional ESP SA for the application in a single round trip.
IKE internals
The first exchange (request-response) between daemons is IKE_SA_INIT, which creates an IKE SA for further secure communication. Note that ESP SAs live in the kernel, while the IKE SA lives in the user-space daemon. Next comes the IKE_AUTH exchange, in which the parties are authenticated. In the same exchange a child SA is created, which is used for the ESP SA. In general these two exchanges are enough to authenticate the parties, negotiate ESP SA parameters with keys, and start sending encrypted ESP traffic between the hosts. A working IKE SA then remains between the daemons for a long time. Over it, at any time, a CREATE_CHILD_SA exchange can be made to create more child SAs, or an INFORMATIONAL exchange (for various purposes).
Every IKEv2 message has a header with the following structure:
                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       IKE SA Initiator's SPI                  |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       IKE SA Responder's SPI                  |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Next Payload |    Version    | Exchange Type |     Flags     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Message ID                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                            Length                             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- SPIi - 64-bit IKE SA Initiator's SPI: an identifier generated randomly by the initiator of the IKE session.
- SPIr - 64-bit IKE SA Responder's SPI: the same, but chosen by the responder. In the initiator's first message this field is filled with zero bytes.
- NP - 8-bit Next Payload: the identifier of the payload that follows the header.
- Version - 8-bit version of the IKE protocol.
- ExchType - 8-bit IKE exchange type: IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA or INFORMATIONAL.
- Flags - 8- . .
- MsgID - 32- . , , replay-. - request/response MsgID. , .
- Len - 32- ( + ).
SPIi + SPIr is 128 bits. Why so many when ESP has only 32? First, they are not agreed between the parties but generated pseudo-randomly, so 64 bits per side is enough to avoid collisions. Second, ESP is tied to IP addresses, whereas an IKE session usually is not: a party can easily change its IP address (mobile clients) and carry on communicating.
TLS 1.3: changing the IP address breaks the connection. Even when iPSK is used to save the cost of asymmetric cryptography, a new handshake is needed, which is 1.5 round trips plus the round trips for establishing the TCP connection. Creating a child ESP SA for a new IP address over an already established IKE connection (which is not bound to addresses) takes just one round trip (plus a round trip to delete the old one, but that happens in the background while the new ESP SA is already working).
The IKE header is followed by one or more payloads. Each payload has a header in a common format and content specific to its type. The content is aligned to 32 bits. The header common to all of them:
                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Payload  |C|  RESERVED   |         Payload Length        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Next Payload - 8- . payload- . payload. payload IKE . Encrypted Payload, payload- NP ( payload IKE ), payload- .
- C - «» payload. IKEv2 payload , IKE . payload . IKE vendor-specific , .
- Len - 16- payload ( + ).
An IKE message thus consists of the IKE header and payloads linked in a chain. A daemon can ignore unknown non-critical payloads. The content of a Nonce payload (after its header) is just a block of random data of variable size, but most payloads have a much more complex structure. The IKE standard uses short designations for payload types (for example N* for the nonce, where "*" is either "i" (initiator) or "r" (responder)).
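The header layouts and chain-walking rule above, as an added Python example that is not part of the original article: it parses the 28-octet IKE header, follows the Next Payload chain with bounds checks, skips unknown non-critical payloads and rejects unknown critical ones. The sample datagram, its payload bodies and the private payload type 200 are constructed for illustration; the numeric exchange and payload type codes are those assigned in RFC 7296.

```python
import struct

IKE_HDR = struct.Struct(">8s8sBBBBII")  # SPIi, SPIr, NP, Version, ExchType, Flags, MsgID, Len
PAYLOAD_HDR = struct.Struct(">BBH")     # Next Payload, C bit + RESERVED, Payload Length

EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOADS = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
            39: "AUTH", 40: "Nonce", 41: "N", 42: "D", 43: "V", 44: "TSi",
            45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
SK = 46  # Encrypted payload: always last; its Next Payload names the first inner payload


def parse_ike(datagram):
    """Parse the IKE header and walk the payload chain, rejecting bad lengths."""
    if len(datagram) < IKE_HDR.size:
        raise ValueError("datagram shorter than the 28-octet IKE header")
    (spi_i, spi_r, next_type, version,
     exch, flags, msg_id, length) = IKE_HDR.unpack_from(datagram)
    if version >> 4 != 2:
        raise ValueError("major version is not 2")
    if length != len(datagram):
        raise ValueError("Length field disagrees with datagram size")

    payloads, offset = [], IKE_HDR.size
    while next_type != 0:
        if offset + PAYLOAD_HDR.size > length:
            raise ValueError("payload header runs past end of message")
        following, c_byte, plen = PAYLOAD_HDR.unpack_from(datagram, offset)
        if plen < PAYLOAD_HDR.size or offset + plen > length:
            raise ValueError("payload length out of bounds")
        name = PAYLOADS.get(next_type)
        if name is None:
            if c_byte & 0x80:  # critical bit set on a payload we do not understand
                raise ValueError("unsupported critical payload type %d" % next_type)
            name = "unknown(%d)" % next_type  # non-critical: record and skip
        payloads.append((name, datagram[offset + PAYLOAD_HDR.size:offset + plen]))
        offset += plen
        if next_type == SK:
            break  # inner payloads are only reachable after decryption
        next_type = following
    if offset != length:
        raise ValueError("trailing octets after last payload")
    return {
        "spi_i": spi_i, "spi_r": spi_r,
        "exchange": EXCHANGES.get(exch, "unknown(%d)" % exch),
        "initiator": bool(flags & 0x08), "response": bool(flags & 0x20),
        "msg_id": msg_id, "payloads": payloads,
    }


# --- constructed sample input -------------------------------------------
SAMPLE_NONCE = bytes(range(32))


def build_payload(next_type, body, critical=False):
    """One generic payload: header naming the *following* payload, then body."""
    flags = 0x80 if critical else 0
    return PAYLOAD_HDR.pack(next_type, flags, PAYLOAD_HDR.size + len(body)) + body


def sample_ike_sa_init(critical_unknown=False):
    """Initiator's first message: SA, KE, Nonce, then a private-use payload."""
    chain = (build_payload(34, b"\x00" * 8)              # SA body (placeholder)
             + build_payload(40, b"\x00\x1f\x00\x00" + b"\xaa" * 32)  # KE body
             + build_payload(200, SAMPLE_NONCE)          # Nonce body
             + build_payload(0, b"vendor", critical_unknown))  # type 200, last
    header = IKE_HDR.pack(bytes.fromhex("0123456789abcdef"), bytes(8),
                          33, 0x20, 34, 0x08, 0, IKE_HDR.size + len(chain))
    return header + chain


if __name__ == "__main__":
    msg = parse_ike(sample_ike_sa_init())
    print(msg["exchange"], [name for name, _ in msg["payloads"]])
```
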
SIGMA
Cryptographically, IKEv1/IKEv2 belong to the STS, ISO/IEC IS 9798-3 and SIGMA (SIGn-and-MAc) classes of authenticated key exchange protocols. These are very well studied and mathematically verified (SIGMA) solutions. In my article "P2P F2F E2EE IM in one night" I already described the principle of operation and implementation of the SIGMA-I protocol; IKEv2 is entirely similar. What do we expect when discussing the security of a handshake protocol?
- confidentiality of transmitted messages;
- authenticity and integrity of transmitted messages: any modification must be detected;
- protection against replay attacks: the loss or replay of messages must be detected;
- ;
perfect forward secrecy (PFS) - PSK ( IKE ESP SA). ;
/ ( ) IKE . / ( ) ;
, , . .
After such an IKE_SA_INIT exchange the daemons know each other's addresses, the SPIi + SPIr values of the IKE session, the negotiated SA algorithms (for IKE these are the key agreement (DH), message encryption/authentication (ENCR) and key generation (PRF) algorithms), and the other side's public key (DH). This is enough to store the state in memory, perform the key agreement (Diffie-Hellman, GOST R 34.10 VKO, curve25519, etc.), and generate symmetric keys for encrypting the payloads of subsequent IKE messages.
TLS 1.3: the handshake message format is very different and carries a lot of legacy, but nothing stands out fundamentally. A random field is used instead of the nonce, numerous extensions instead of payloads, and more compact and simple ciphersuite identifiers instead of the complex SA proposal structures. In my opinion the flexibility of SA proposals is excessive, but in IKEv2 this is still not a problem, and values similar to ciphersuites end up written in configuration files. Only in TLS 1.3 did the DH exchange become mandatory.
IKE key material
After IKE_SA_INIT, SKEYSEED is generated:
SKEYSEED = PRF(Ni[:8] || Nr[:8], DH-KEY)
The PRF algorithm is the one negotiated in the IKE SA. For GOST IKEv2, for example, it is the HMAC-Stribog-512 function. The PRF key consists of 64-bit chunks of each nonce.
This looks frivolous, since the nonces are sent in the clear, meaning the key of this PRF is known to anyone who intercepts the traffic. But here the PRF is used only to produce a key from the result of the DH computation, which the attacker does not know. The result of the DH function can be a huge value with non-uniform entropy, or a point on an elliptic curve; none of that can be used directly as a short high-entropy symmetric key. So the entropy must be extracted from DH-KEY (this is SKEYSEED) and then expanded into the required number of keys:
PRF+(SKEYSEED, Ni || Nr || SPIi || SPIr) ->
SK_d || SK_ai || SK_ar || SK_ei || SK_er || SK_pi || SK_pr
PRF+(K,S) = T1 || T2 || T3 || T4 || ...
T1 = PRF(K, S || 0x01)
T2 = PRF(K, T1 || S || 0x02)
T3 = PRF(K, T2 || S || 0x03)
T4 = PRF(K, T3 || S || 0x04)
All this is a classic key derivation operation with extract/expand stages, similar to the HKDF function. But whereas HKDF assumes the use of hash functions, this PRF/PRF+ construction can just as easily be used with symmetric ciphers: in the common AES-GCM + AES-XCBC-PRF case no hash function is used anywhere. Using fewer primitives is always good.
The following keys are generated:
- SK_d - the key for deriving keys for child ESP SAs.
- SK_a[ir] - keys for authenticating IKE messages. Not generated/used when an AEAD algorithm (AES-GCM, Grasshopper/Magma-MGM, ChaCha20-Poly1305, etc.) has been negotiated.
- SK_e[ir] IKE .
- SK_p[ir] AUTH.
TLS 1.3: has a much more complex key schedule. Entropy is squeezed not out of individual fields but out of the entire handshake messages at once. The generated expanded sequence is not just cut into several keys (plus salts where needed); instead an HMAC transformation with a label is applied for each usage context of those keys or generated IVs. Using text labels/applications/contexts for every kind of derived value is good modern practice: it is always easier to do it than to wonder whether it is needed. "Hash in everything you come across, it won't get worse" is a very good habit. This does not mean, however, that IKEv2's security is worse, or that one can easily come up with even a remotely theoretical situation in which the lack of labels would play into an attacker's hands. IKEv2 takes a minimalist approach, while TLS 1.3 takes the "better safe than sorry" one (given the number of mistakes and problems in earlier versions of the protocol). IKEv2 still uses proven approaches and primitives, authenticates everything necessary, compresses/takes into account all transmitted entropy, and uses different keys for each side and task.
IKE_AUTH
Next the IKE_AUTH exchange is performed, in which both parties are authenticated and the ESP SA is negotiated:
SK{IDi, [CERT, ...], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr} -->
<-- SK{IDr, [CERT, ...], AUTH, SAr2, TSi, TSr}
- The IKE message contains an encrypted (SK) payload that holds everything else.
- The initiator provides its identity (IDi), an authenticator (AUTH), an SA offer for ESP (SAi2), and an initiator/responder pair of so-called traffic selectors (TS*). Optionally it can also send the responder identity it expects, which can be regarded as a kind of analogue of SNI from TLS.
- In response it receives the responder's identity, the negotiated ESP SA proposal, the confirmed traffic selectors and an authenticator.
- After that both parties consider each other authenticated, have agreed on the ESP SA and on the traffic that must go into this ESP, and can issue commands to the kernel to create the SA and possibly the SP (some daemons do not handle SPs at all).
These payloads in more detail:
- ID - party identifier. It contains the identification type and type-specific data. A party can be identified in various ways: by IPv4/IPv6 address, FQDN (fully qualified domain name, just a string; the most common method), RFC 822 e-mail address, ASN.1 DER Distinguished Name (the most common method when X.509 certificates are used) or General Name, as well as vendor-specific ones.
- AUTH - . PRF ( MAC-), (pre-shared key (PSK)), . (TBS*):
TBSi = Msg0 || Nr || PRF(SK_pi, IDi)
TBSr = Msg1 || Ni || PRF(SK_pr, IDr)
(Msg0), nonce (Nr), (IDi), «» . , SK_pi ( ). «».
/ . . ( Ni Nr), . , , .
, . ( ), . , - . round-trip-. SIGMA- , IKEv2, ESP SA, . , , . SIGMA MAC c ( SK_*). IKEv2 PRF, . , PRF(ID*) , brute-force ( ) .
PSK, :
AUTHi = PRF(PRF(PSK, "Key Pad for IKEv2"), TBSi)
AUTHr = PRF(PRF(PSK, "Key Pad for IKEv2"), TBSr)
PRF(PSK) PSK ? PSK PRF . PSK , /. PRF() «» . PRF(PSK) PSK PSK , ( Argon2, Balloon ).
- SA*2 - SA , ESP .
- TS* - . : IPv4/IPv6 , IP (), / (), / . :
TSi = ((proto=17, port=100, fc::123 - fc::123), (proto=17, port=200, fc::123 - fc::123))
TSr = ((proto=17, port=300, :: - ffff:..:ffff), (proto=17, port=400, :: - ffff:..:ffff))
, UDP ( = 17), 100- 200- fc::123 , UDP 300 400. , IP . , , IP , ( , ICMP ). , .
UDP . , , , 100 300-, ESP SA .
The responder sends back its confirmed selection of selectors, which may match the offer or be a narrower subset.
All these payloads are encrypted with the keys generated for the IKE SA after the first message exchange. Encryption is needed so that the identities of the parties, their certificates and other private information are not disclosed. An active attacker can, however, wedge into the initial IKE_SA_INIT exchange and see this information, though they will not be able to continue the session.
TLS 1.3:
- application ( ServerHello ||...|| Finished, , , ), (Client Finished). IKEv2 ESP SA round-trip-, TCP/SCTP handshake.
- , (IDr ), SNI, ClientHello . IKEv2 . ESNI, , DNS, DPI.
- IKEv2 , «»/«» ( ), PSK, , EAP. TLS 1.3 X.509 . TLS 1.3 X.509 . RFC TLS 1.3 «» . IKEv2 / .
- TLS 1.3 , , application ClientHello (EarlyData), application Client Finished . TLS 1.3 EarlyData .
- TLS (session resumption), iPSK , , . IKEv2 , RFC 5723 . IKE , , ( TCP/SCTP/whatever ) IP .
- TLS . IKEv2 IKE SA ESP SA . , () high-grade , . , , , . - ChaCha20-Poly1305, AES-256-GCM-16, -MGM . IKE SA ESP - NIST-.
Encryption of the SK payload with AEAD ciphers is nothing tricky and is entirely similar to ESP, for example for AES-GCM (as in AES-GCM-ESP, the salt is part of the key material):
AES-GCM(
key = SK_*e,
plaintext = 64-bit IV || payloads || pad || 8-bit padLen,
nonce = 32-bit salt || IV,
associated-data = IKEHdr || unencrypted payloads
) -> ciphertext
Authentication with digital signatures
What if we want to authenticate with signatures and X.509 certificates? For this, a CERTREQ payload can be sent as early as IKE_SA_INIT, asking the other side to supply its certificate in a CERT payload. CERT and CERTREQ contain a certificate format identifier and format-specific content. Typically a certificate can be presented either as ASN.1 DER or as a SHA1 hash of the certificate plus a URL to download it from. UDP packet size is limited by the MTU while certificates can be much larger, so the hash + URL option helps here (though it can be regarded as a crutch).
The IKEv2 RFC alone lists, in addition to DER-encoded X.509 certificates and SHA1 + URL, PKCS#7-wrapped X.509 certificates, PGP certificates, DNS signed keys, SPKI certificates, X.509 attribute certificates and raw public keys. If you want to use IPsec the way TLS is most commonly used, that is, with the server authenticated by an X.509 certificate and an anonymous client, IKEv2 has no way of leaving one of the parties unauthenticated. However, RFC 5386 describes a Better-Than-Nothing Security approach in which the client can use a "bare" public key and the server can treat it as anonymous.
In addition, EAP authentication is supported by the standard, which adds round trips to IKE_AUTH. EAP can not only decide whether a party is authenticated but also generate a key, which IKEv2 takes into account and uses. I will only show a diagram of how the exchange with EAP works:
SAi1, KEi, Ni -->
<-- SAr1, KEr, Nr
SK{IDi, [IDr], SAi2, TSi, TSr} -->
<-- SK{IDr, AUTH, EAP}
SK{EAP} -->
<-- SK{EAP(success)}
SK{AUTH} -->
<-- SK{AUTH, SAr2, TSi, TSr}
TLS 1.3: there the signature (or the MAC of the Finished message) is computed over a hash of all messages seen so far in the handshake. Also a simple, reliable and good approach. There is no variety of authentication methods, although strong Authenticated Password Key Agreement (PAKE) protocols, such as the Russian SESPAKE or OPAQUE, would be desirable.
ESP SA key material and its renewal
So, we have verified authentication, verified that the key agreement is correct, and negotiated the ESP SA and traffic selectors. It remains to generate the symmetric keys for ESP, after which the required SAs/SPs can be installed in the kernel:
PRF+(SK_d, Ni || Nr) -> KEYMAT0 || KEYMAT1
Two ESP SAs are needed for two-way communication, so IKEv2 generates two pieces of key material at once, which are passed directly to the kernel for the corresponding SAs. The length of the material depends on the ESP algorithm used (AES-GCM-ESP, for example, needs a 32-bit salt in addition to the key). The SPI values are the ones each party specified in its ESP SA proposal.
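The SKEYSEED / PRF+ derivation from the IKE key material section and the KEYMAT split described here, as an added example (not code from the article or from any IKE daemon). HMAC-SHA-256 stands in for the negotiated PRF, AES-128-GCM-16 is assumed for both IKE and ESP (16-octet key plus 4-octet salt, no SK_a keys), and the nonces, SPIs and DH secret are constructed sample values.

```python
import hashlib
import hmac

PRF_LEN = 32  # output and preferred key size of HMAC-SHA-256 (assumed PRF)


def prf(key, data):
    """The negotiated PRF; HMAC-SHA-256 is an assumption for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """PRF+(K, S) = T1 || T2 || ..., with Tn = PRF(K, Tn-1 || S || n)."""
    if length > 255 * PRF_LEN:
        raise ValueError("PRF+ counter is a single octet")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]


def ike_sa_keys(ni, nr, dh_key, spi_i, spi_r,
                encr_len=20, integ_len=0, nonce_octets=8):
    """Derive SK_d, SK_a[ir], SK_e[ir], SK_p[ir] for the IKE SA.

    nonce_octets=8 follows the page's formula (first 64 bits of each nonce
    as the PRF key); RFC 7296 uses the full nonces with HMAC-based PRFs,
    which is nonce_octets=None here.
    """
    skeyseed = prf(ni[:nonce_octets] + nr[:nonce_octets], dh_key)
    layout = [("SK_d", PRF_LEN), ("SK_ai", integ_len), ("SK_ar", integ_len),
              ("SK_ei", encr_len), ("SK_er", encr_len),
              ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r,
                      sum(size for _, size in layout))
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = stream[pos:pos + size]
        pos += size
    return keys


def child_sa_keymat(sk_d, ni, nr, per_sa_len=20, dh_key=b""):
    """KEYMAT0 || KEYMAT1 for the two ESP SAs; dh_key is the optional extra
    DH result from a CREATE_CHILD_SA exchange with KE payloads."""
    stream = prf_plus(sk_d, dh_key + ni + nr, 2 * per_sa_len)

    def split(material):  # AES-GCM-ESP: key first, last 4 octets are the salt
        return {"key": material[:-4], "salt": material[-4:]}

    return split(stream[:per_sa_len]), split(stream[per_sa_len:])


# --- constructed sample values -------------------------------------------
NI = bytes(range(32))
NR = bytes(range(32, 64))
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")
DH_KEY = hashlib.sha256(b"constructed DH shared secret").digest()

if __name__ == "__main__":
    sk = ike_sa_keys(NI, NR, DH_KEY, SPI_I, SPI_R)
    first, second = child_sa_keymat(sk["SK_d"], NI, NR)
    for name, value in sk.items():
        print(name, len(value), "octets")
    print("ESP key", first["key"].hex(), "salt", first["salt"].hex())
```

The 20 octets per ESP SA correspond to the 160-bit value passed to setkey with -E aes-gcm-16 earlier on the page.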
ããšãã°ããã¹ãŠã®åžæãåäžã®TSi / TSrãã¢ã§æå®ã§ããããã§ã¯ãªããããè€æ°ã®ESP SA / SPã«ã€ããŠåæããå¿ èŠãããå Žåã¯ã©ããªããŸããïŒãã®ããã«ãIKE_AUTHã®åŸãã€ã§ãçºçããCREATE_CHILD_SA亀æã䜿çšãããŸããåSAã®äœæã¯ã次ã®äº€æã§è¡ãããŸãã
SK {SAãNiã[KEi]ãTSiãTSr}-> <-SK {SAãNrã[KEr]ãTSiãTSr}
SAãªãã¡ãŒãè¡ããããã³ã¹ããã©ãã£ãã¯ã»ã¬ã¯ã¿ãŒãéä¿¡ãããŸãããã¹ãŠã以åãšåãã§ããããŒãããªã¢ã«ã¯ããããã®æ°ãããã³ã¹ã䜿çšããŠãã§ã«çæãããŠããŸãããªãã·ã§ã³ã§ãããŒäº€æãã€ããŒãã䜿çšã§ããŸããããã«ããããšã³ããããŒãè¿œå ãããåœäºè ã¯ããã«é察称ã®æå·åã䜿çšããããã«ãªããŸããPFSããããã£ãåžžã«ç£èŠããå¿ èŠãããå ŽåããããŸãïŒOTRãããã³ã«ã§ã¯ããšãã§ã¡ã©ã«DHããŒãåã¡ãã»ãŒãžãšãšãã«éä¿¡ãããŸãïŒããã®å Žåã®éèŠãªè³æã¯æ¬¡ã®ããã«ãªããŸãã
PRF +ïŒSK_dãDH-KEY || Ni || NrïŒ-> KEYMAT0 || KEYMAT1
æ¥ç¶ã®IKESAãæŽæ°ãããå Žåã¯ã©ããªããŸããïŒæ¬¡ã®CREATE_CHILD_SA亀æãè¡ããŸãã
SK {SAãNiãKEi}-> <-SK {SAãNrãKEr}
SAã«ã¯ãã§ã«IKESAã®ææ¡ãå«ãŸããŠãããæ°ããSKEYSEEDãéçºãããŸãã
PRFïŒSK_d_oldãDH-KEY || Ni || NrïŒ-> SKEYSEED
ESP SAããŒã¯ãæ°ããESP SAïŒå¥ã®SPIã䜿çšïŒãäœæããŠå€ããã®ãåé€ããããç¹å¥ãªéç¥ïŒä»¥äžã§ããã«ã€ããŠïŒãéä¿¡ããããšã«ãã£ãŠæŽæ°ãããŸããæ°ããESPSAã䜿çšããããã«ãã©ãã£ãã¯ãåãæ¿ãããšãééçã§æ倱ããªããªããŸããçæéãåœäºè ã¯2ã€ã®ã¢ã¯ãã£ããªESP SAãæã¡ãéä¿¡ãã£ãã«ã§ãŸã 転éäžã®ãã©ãã£ãã¯ãåŠçã§ããããã«ãªããŸãã
ESP SAã®åé€ã¯ãåé€ããSPIããªã¹ãããåŸç¶ã®INFORMATIONAL亀æã§DELETEãã€ããŒããéä¿¡ããããšã«ãã£ãŠè¡ãããŸãããã¹ãŠã®ESPSAã¯ãã¢ã§ååšããããïŒåæ¹åéä¿¡ã®å ŽåïŒãåãµã€ãã¯éä¿¡ãã©ãã£ãã¯ãæ åœããESPSAã«ã®ã¿SPIå€ãéä¿¡ããŸããããã«å¿ããŠãçä¿¡ãã©ãã£ãã¯ã®SPI ESPSAå€ãåä¿¡ããŸãã
SK {DïŒSPIiïŒ}-> <-SK {DïŒSPIrïŒ}
IKE SAã®åé€ãDELETEãä»ããŠè¡ãããŸãããIKE SPIã䜿çšãã空ã®èªèšŒæžã¿å¿çãåãå ¥ããŸãã
SK {D}-> <-SK {}
TLS 1.3ïŒKeyUpdateã¡ãã»ãŒãžãä»ããŠããŒãå転ãããã¡ã«ããºã ããããŸããããšã³ããããŒãè¿œå ããããDHãå®è¡ãããããå¯èœæ§ã¯ãããŸããã TLSã¯æããã«ãéåžžã«é·å¯¿åœã®æ¥ç¶çšã«èšèšãããŠããŸãããæè¯ã®å Žåãã»ãã·ã§ã³ãäžæããŠç¶è¡/ãã³ãã·ã§ã€ã¯ã䜿çšããŠiPSK-ECDHEã§æ°ããã»ãã·ã§ã³ãäœæããããšããã§ããŸããã
IKEv1ã«ã¯ãåå¥ã®IKEããŒæŽæ°æé ãšãåèªèšŒçšã®åå¥ã®æé ã®äž¡æ¹ããããŸãã IKEv2ã«ã¯åèªèšŒã¯ãããŸããããããè¡ãã«ã¯ãæ°ããIKE SAãæåããäœæããå€ããã®ãDELETEã§åé€ããŸãã
TLS 1.3ïŒãã³ãã·ã§ã€ã¯åŸã®ä»»æã®æç¹ã§ããã³ãã·ã§ã€ã¯åŸã®ã¯ã©ã€ã¢ã³ãèªèšŒæ©èœãåããŠããŸãïŒçµäºïŒäž¡åŽããã®ã¡ãã»ãŒãžïŒããµãŒããŒã¯X.509蚌ææžã䜿çšããŠã¯ã©ã€ã¢ã³ãèªèšŒã®èŠæ±ãéä¿¡ã§ããŸããããšãã°ããµã€ããããŸãã£ãŠããã¯ã©ã€ã¢ã³ãããèªåã®å人ã¢ã«ãŠã³ãã®ããŒãžã«ã¢ã¯ã»ã¹ããŸãããIKEv2ã§ã¯ãããã¯äžå¯èœã§ããèªèšŒã¯ããã³ãã·ã§ã€ã¯æã«ã®ã¿å®è¡ãããŸãã
éç¥
ã§ã¯ããã³ãã«/ãã©ã³ã¹ããŒãã¢ãŒãã¯ã©ã®ããã«ããŽã·ãšãŒããããŸãããTFCïŒãã®ããã«ããéç¥ãNOTIFYïŒNïŒã®ãã€ããŒããèŠæ±ã«è¿œå ãããŸãã IKEv2 RFCã ãã§ããæ°åçš®é¡ã®éç¥ããããŸããã¢ã©ãŒãã¯ããšã©ãŒããªãã¡ãŒã®SAããŽã·ãšãŒã·ã§ã³ã®åé¡ããã©ãã£ãã¯ã»ã¬ã¯ã¿ãŒãªã©
ãéç¥ããããã«äœ¿çšãããŸããããŽã·ãšãŒããããESP SAã§ãã©ã³ã¹ããŒãã¢ãŒãã䜿çšããåžæãéç¥ããããã«ãNïŒUSE_TRANSPORT_MODEïŒéç¥ãã€ãã·ãšãŒã¿ãŒãšã¬ã¹ãã³ããŒã®äž¡æ¹ã«ãã£ãŠè¿œå ãããã¢ãŒãããŽã·ãšãŒã·ã§ã³ã確èªããŸããNïŒESP_TFC_PADDING_NOT_SUPPORTEDïŒã¢ã©ãŒãã¯ãTFCããµããŒããããŠããªãããšã瀺ããŸãããŸããNïŒHTTP_CERT_LOOKUP_SUPPORTEDïŒã¯ãURLããã®èšŒææžã®ããŠã³ããŒãããµããŒããããŠããããšã瀺ããŸãã
æ°ããESPSAãäœæããã«ESPSAããŒãæŽæ°ããæ©èœã¯ãåESP SAãäœæããæé ãšäŒŒãŠããŸãããã€ãã·ãšãŒã¿ãŒã¯çŸåšã®ESP SAã®SPIãå«ãNïŒREKEY_SAïŒéç¥ãè¿œå ããŸãã
SK {NïŒREKEY_SAïŒãSAãNiã[KEi]ãTSiãTSr}-> <-SK {SAãNrã[KEr]ãTSiãTSr}
DPD
An INFORMATIONAL exchange with an empty SK is used as a heartbeat between the daemons, for Dead Peer Detection (DPD). If an IKE daemon has been unreachable for a long time, it has most likely lost its state, so the ESP SAs on the other side are unattended and no longer active. When the remote side is evidently unavailable, it therefore makes sense to delete all the ESP/IKE SAs related to it. An empty SK means that it contains no payloads but still covers authenticated data (at least the IKE header with its counter), so a packet like this that authenticates correctly is a reliable sign of life.
SK{} -->
<-- SK{}
But what if one side reboots quickly, loses its state, and starts establishing an IKE connection from scratch? The other side may never notice that its peer was unavailable, and will assume that the peer simply decided to authenticate again over another IKE connection and create new child SAs. Nothing catastrophic happens, but the old ESP SAs can stay alive for quite a while. The initiator MAY put an N(INITIAL_CONTACT) notification into the IKE_AUTH exchange to state that this is the only IKE connection to that side it knows of. On seeing such an authenticated notification, the other side can delete all the old IKE/ESP SAs with a clear conscience.
DoS and a bad KE
A KEi payload with an ephemeral DH public key is sent right at the start, in IKE_SA_INIT. But the initiator has not yet exchanged IKE SA proposals, so how can it know which algorithms the responder supports? It can only guess, or keep in long-term memory what was used earlier with that address. If the responder does not support the algorithm, it sends an N(INVALID_KE_PAYLOAD) notification that carries the identifier of its preferred DH algorithm. The initiator has to repeat the request, this time with a new KEi.
TLS 1.3: the client can send several ephemeral public keys at once, for different algorithms, at the cost of resources and traffic. It may also send no public key at all, and the server will answer with a HelloRetryRequest stating its preference. In that case no expensive asymmetric cryptography is used until the server's preferred algorithm is known, but an extra round trip is incurred. If the client initially offers a public key for an unsuitable algorithm, then, as in IKEv2, it receives a HelloRetryRequest naming the selected algorithm.
But what happens if an initiator keeps sending such initial packets? It can even generate a new SPIi each time. The responder will honestly perform at least the DH computation and reply so that IKE_AUTH can follow. DH is a very resource-intensive operation that consumes CPU and the entropy source, so this can bring the responder down.
IKEv2 (unlike IKEv1) has a defence against this: the responder answers with an N(COOKIE) notification containing a cookie string, and the initiator must then repeat its request with that N(COOKIE) payload added.
SAi1, KEi, Ni -->
<-- N(COOKIE)
SAi1, KEi, Ni, N(COOKIE) -->
<-- SAr1, KEr, Nr, [CERTREQ]
The repeated request must carry the same SPI/Ni as the first one; it is simply supplemented with the extra payload. The responder can keep state that links a request to the cookie it sent, and only once the two match, that is, once the initiator has done the work of adding the cookie to its request, does it continue towards the IKE_AUTH exchange in the usual way.
However, the state can also be stored directly inside the cookie, which makes it "self-authenticating": the cookie conveys the fact that the responder has seen a request from this initiator (it has "seen" at least Ni and SPIi):
Cookie = MAC(some-secret, Ni || SPIi || timestamp)
A would-be DoS attacker therefore has to keep state and handle the replies in order to resend its messages, which raises the cost of the attack considerably. It makes sense to enable cookie protection only when a DoS attack is suspected, so that not everyone is forced into an extra round trip.
TLS 1.3: there is a similar optional defence. The server MAY respond with a HelloRetryRequest carrying a Cookie extension, which the client must insert into its repeated ClientHello2.
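The self-authenticating IKEv2 cookie from the formula Cookie = MAC(some-secret, Ni || SPIi || timestamp), written out in Go as an added example (it is not code from gostipsec). HMAC-SHA256 as the MAC, the 10-second lifetime, the timestamp || MAC layout and all function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Assumed cookie lifetime in seconds; the article does not give one.
const maxAge = 10

// cookieMAC computes MAC(secret, Ni || SPIi || timestamp) with HMAC-SHA256.
func cookieMAC(secret, ni []byte, spii [8]byte, ts uint64) []byte {
	var tsBuf [8]byte
	binary.BigEndian.PutUint64(tsBuf[:], ts)
	h := hmac.New(sha256.New, secret)
	h.Write(ni) // variable length; SPIi and timestamp are fixed-size, so no ambiguity
	h.Write(spii[:])
	h.Write(tsBuf[:])
	return h.Sum(nil)
}

// NewCookie returns timestamp || MAC. The responder stores nothing per request.
func NewCookie(secret, ni []byte, spii [8]byte, now time.Time) []byte {
	ts := uint64(now.Unix())
	out := make([]byte, 8, 8+sha256.Size)
	binary.BigEndian.PutUint64(out, ts)
	return append(out, cookieMAC(secret, ni, spii, ts)...)
}

// CheckCookie recomputes the MAC from the Ni and SPIi of the repeated request.
func CheckCookie(secret, ni []byte, spii [8]byte, cookie []byte, now time.Time) bool {
	if len(cookie) != 8+sha256.Size {
		return false
	}
	ts, n := binary.BigEndian.Uint64(cookie), uint64(now.Unix())
	if ts > n || n-ts > maxAge {
		return false // timestamp from the future, or cookie expired
	}
	return hmac.Equal(cookie[8:], cookieMAC(secret, ni, spii, ts)) // constant-time
}

func main() {
	secret := []byte("constructed responder secret") // constructed sample values
	ni, spii := []byte("constructed nonce 0123456789abcd"), [8]byte{1, 2, 3, 4, 5, 6, 7, 8}
	t0 := time.Unix(1700000000, 0)
	c := NewCookie(secret, ni, spii, t0)
	fmt.Println(CheckCookie(secret, ni, spii, c, t0.Add(2*time.Second)))
	fmt.Println(CheckCookie(secret, ni, spii, c, t0.Add(time.Minute)))
}
```

Only a request that repeats the same Ni and SPIi within the lifetime passes, so the expensive DH step is spent only on initiators that can receive replies at the address they claim.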
CP
IKEv2 can also negotiate IP network and address configuration. With the Configuration Payload (CP) a peer can request configuration (the CFG_REQUEST / CFG_REPLY types) or set configuration on the other side (the CFG_SET / CFG_ACK types). A configuration request lists the attributes that the peer wants to learn or set. Attributes include "internal" addresses, DNS addresses, DHCP, known subnets, and other types described in the relevant RFCs. For example, in the IKE_AUTH exchange the initiator can ask to be issued an intranet address (it is connecting to a company network) and DNS servers.
SK{IDi, [IDr], AUTH, CP(CFG_REQUEST), SAi2, TSi, TSr} -->
<-- SK{IDr, AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
CP(CFG_REQUEST) =
  INTERNAL_IP6_ADDRESS()
  INTERNAL_IP6_DNS()
TSi = (proto=0, port=0-65535, :: - ffff:...:ffff)
TSr = (proto=0, port=0-65535, :: - ffff:...:ffff)
CP(CFG_REPLY) =
  INTERNAL_IP6_ADDRESS(2001:db8::5/64)
  INTERNAL_IP6_DNS(2001:db8::1)
  INTERNAL_IP6_SUBNET(2001:db8:abcd::/64)
TSi = (proto=0, port=0-65535, 2001:db8::5 - 2001:db8::5)
TSr = (proto=0, port=0-65535, 2001:db8::0 - 2001:db8::ffff:ffff:ffff:ffff)
- The address 2001:db8::5 is assigned to the initiator.
- ESP SA 2001:db8::/64 .
- 2001:db8::1 DNS .
- 2001:db8:abcd::/64 , , ESP SA, 2001:db8:: .
Go?
To test recent domestic implementations of the IPsec stack with GOST algorithms, it was decided to write a completely independent implementation (independent of Linux, FreeBSD, strongSwan and other stacks). It is written in Go, for the speed and ease of development and because the GoGOST library already implements the GOST algorithms. I had previously integrated GOST into the TLS 1.3 implementation of Go's crypto/tls and crypto/x509 libraries. The gostipsec project is free software consisting of two daemons: ESPER (ESPv3) and IKER (IKEv2).
remote             iker              esper              ipfw
  |                  |                  |                  |
  |  UDP             |                  |                  |
  |     IKEv2...     |                  |                  |
  | <--------------- |                  |                  |
  |     IKEv2...     |                  |                  |
  | ---------------> |                  |                  |
  |                  |                  |                  |
  |                  |  UNIX-SOCKET     |                  |
  |                  |  setkey-commands |                  |
  |                  | ---------------> |                  |
  |                  |                  |                  |
  |                  |                  |  DIVERT-SOCKET   |
  |                  |                  |  encrypted ESP   |
  |                  |                  | <--------------- |
  |                  |                  |  decrypted ESP   |
  |                  |                  | ---------------> |
  |                  |                  |  unencrypted IP  |
  |                  |                  | <--------------- |
  |                  |                  |  encrypted IP    |
  |                  |                  | ---------------> |
  |                  |                  |                  |
At present ESPER works only through DIVERT sockets (nothing as simple was found on Linux), so it is supported only on FreeBSD (possibly OpenBSD as well, this was not checked). As the interface between ESP and IKE, ESPER and IKER do not use PF_KEYv2, which would require C bindings, but the textual setkey-like interface already described at the beginning of the article. IKER can therefore also be used to negotiate keys for a kernel ESP implementation by invoking the real setkey command. For ESPER the commands look like this:
add fc00::ac fc00::dc esp 0x12345678 -u 123 -E aes-gcm-16 0xd3537e657fde5599a2804fbb52d1aaed94b65d3e ;
add fc00::dc fc00::ac esp 0x12345679 -u 234 -E aes-gcm-16 0x9a2dae68e475eacb39d41f23c3cbef890e9f6276 tfc:1320 ;
spdadd fc00::ac/128 fc00::dc/128 all -P in ipsec esp/transport//unique:123 ;
spdadd fc00::dc/128 fc00::ac/128 all -P out ipsec esp/transport//unique:234 ;
ESPER supports AES-128/256-GCM-16, Magma/Grasshopper-MGM, ESN, TFC, transport/tunnel mode over IPv6/IPv4 (support for the latter is much more complicated and not well tested, and who needs IPv4 in a new project anyway?), and protection against replay attacks. IKER can negotiate AES-128/256-GCM-16 + AES-XCBC + curve25519, Magma/Grasshopper-MGM + HMAC-Streebog-512 + GOST R 34.10-2012 VKO 256/512, and ESN/TFC/transport/tunnel mode, and it authenticates with a PSK or with X.509 digital signatures (ECDSA, GOST R 34.10-2012). Configuration is a single Hjson file:
{
  IKEAlgos: [
    gost128-vko512
    aes256gcm16-aesxcbc-curve25519
    aes128gcm16-aesxcbc-curve25519
  ]
  ESPAlgos: [
    gost128-esn
    gost64-esn
    aes256gcm16-esn
    aes256gcm16-noesn
    aes128gcm16-esn
    aes128gcm16-noesn
  ]
  SigHashes: [
    streebog512
    streebog256
    sha512
    sha256
  ]
  DPDTimeout: 300
  Peers: [
    {
      Autostart: true
      OurIP: fc00::dc
      TheirIP: fc00::ac
      OurId: our.company.net
      TheirId: CN=example.com
      OurTSS: [
        fc00::dc/128[tcp]
        fc00::dc/128[udp/53]
      ]
      TheirTSS: [
        fc00::ac/128
      ]
      Mode: transport
      # Won't be used, because of X.509 signature authentication
      PSK: DEADBABE
      TheirCertHash: a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
      OurCert: our.company.net.cer.pem
      OurPrvKey: our.company.net.key.pem
      TFC: 1200
    }
  ]
}
In this example a single known peer is configured:
- The daemon connects to it automatically.
- Dead Peer Detection is performed every 5 minutes.
- ESN, fallback- , TFC 1200 .
- TCP DNS fc00::dc fc00::ac .
- X.509 , CN=example.com subject- SHA256 SubjectPublicKeyInfo . OurId OurCert .
- OurCert/OurPrvKey , PSK FQDN OurId.
IKER does not yet support the full set of IKEv2 features (CREATE_CHILD_SA, rekeying), does not track packet loss, and does not care about the DON'T PANIC principle. It is therefore not yet considered a candidate for "production" use.
The gostipsec tarball already contains all dependencies, the compiled .info documentation and the targets for the redo build system, but the executables can also be built simply with an ordinary go build invocation.
Hjson?
The configuration file format is a holy-war topic:
- INI cannot express structures like these, and there is no standard for .ini files.
- capabilities database , termcap-like, BSD , (, , ), C. IKER .
- XML â .
- JSON â , Python Go . , . - !
- YAML â , , . , . , YAML , , , . . . - . YAML ( ) - ( StrictYAML ).
- TOML â : , , , . , :
[[foo.bar]]
baz = 123
[[foo.bar]]
abc = 123
:
{ "foo": { "bar": [ {"baz": 123 }, {"abc": 123 } ] } }
«» / , . , TOML, NNCP , . , , . - Hjson â JSON ( , ), Hjson. github.com/hjson/hjson-go Hjson JSON, . . , . , JSON Hjson.
Overall, if you implement a subset of functionality comparable to TLS 1.3 (authentication only by PSK and X.509 certificates, no serious rekeying), then IKEv2 plus ESPv3 over IPv6 (which is much simpler to work with!) is, from a programmer's point of view, only a little harder to implement. The RFC does not even require support for the CREATE_CHILD_SA exchange. Security is better, without the controversial and dangerous modes of operation of TLS 1.3. With the transport at kernel level and long-lived IKE sessions, the performance of an IPsec solution is generally higher.
It may look as if everything in IPsec is geared towards protecting huge volumes of traffic between whole networks. However, the IETF BTNS (Better-Than-Nothing Security) working group produced several RFCs showing that IPsec can be used without problems for per-socket connections, including when one of the parties (the client) is anonymous, which calls into question whether using TLS is justified at all. With connection latching, any network application could, through a simple setsockopt-like system call, state that it "needs ESP to the address with FQDN = bank.com", present itself with an X.509 certificate (or stay anonymous), and then work securely with that bank.com transparently and quickly, without crutches in the form of a per-application user-space transport library.
Sergey Matveev, cypherpunk, Python/Go/C developer, chief specialist at FGUP STC Atlas.