os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Assorted spelling, punctuation, and markup fixes.

Browse source 
PR:		28916
Submitted by:	Alex Kapranoff <kapr@acm.org>
This commit is contained in:
Dima Dorfman 2001-07-19 11:55:05 +00:00
parent f312a3debb
commit 1011e0acaa
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=9965
1 changed files with 32 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

78
en_US.ISO8859-1/articles/ipsec-must/article.sgml
View file

@ -2,12 +2,12 @@
<html>
<head>
<title>Independent Verification of IPSec Functionality in FreeBSD</title>
<title>Independent Verification of IPsec Functionality in FreeBSD</title>
</head>
<body text="#000000" bgcolor="#FFFFFF">
<h1>Independent Verification of IPsec Functionality Under FreeBSD 3.0</h1>
<h1>Independent Verification of IPsec Functionality in FreeBSD</h1>
<p align="center"><i>You installed IPsec and it seems to be working.&nbsp;
How do you know? I describe a method for experimentally verifying
@ -27,12 +27,12 @@
<ol>
<li>
<p>Encrypted data is uniformly distributed, ie, has maximal entropy
per symbol.</p>
<p>encrypted data is uniformly distributed, i.e., has maximal entropy
per symbol;</p>
</li>
<li>
<p>Raw, uncompressed data is typically redundant, i.e., has
<p>raw, uncompressed data is typically redundant, i.e., has
sub-maximal entropy.</p>
</li>
</ol>
@ -40,16 +40,17 @@
<p>Suppose you could measure the entropy of the data to- and from- your
network interface. Then you could see the difference between unencrypted
data and encrypted data. This would be true even if some of the data
in "encrypted mode" was not encrypted ---as the outermost IP header must
in "encrypted mode" was not encrypted---as the outermost IP header must
be, if the packet is to be routable.</p>
<h4><a name="MUST"></a>MUST</h4>
<p>Ueli Maurer's "Universal Statistical Test for Random Bit Generators"
("MUST") quickly measures the entropy of a sample. It uses a
compression-like algorithm. <a href="#Maurer's Universal Statistical
Test">The code is given below for a variant which measures successive
(~quarter megabyte) chunks of a file</a>.</p>
(<a href="http://www.geocities.com/SiliconValley/Code/4704/universal.pdf">MUST</a>)
quickly measures the entropy of a sample. It uses a
compression-like algorithm. <a href="#Maurer's Universal Statistical
Test">The code is given below</a> for a variant which measures successive
(~quarter megabyte) chunks of a file.</p>
<h4><a NAME="Tcpdump"></a>Tcpdump</h4>
@ -103,15 +104,15 @@ Expected value for L=8 is 7.1836656
<p>This experiment shows that IPsec <i>does</i> seem to be distributing the
payload data <i>uniformly</i>, as encryption should. However, the
experiment described here <i>cannot </i>detect many possible flaws in a
experiment described here <i>cannot</i>detect many possible flaws in a
system (none of which do I have any evidence for). These include poor
key generation or exchange, data or keys being visible to others, use of
weak algorithms, kernel subversion, etc. Study the source; know the
code.</p>
<h2><a NAME="IPsec"></a>IPsec -Definition</h2>
<h2><a NAME="IPsec"></a>IPsec---Definition</h2>
<p>Internet Protocol security extensions to IP v 4; required for IP v6. A
<p>Internet Protocol security extensions to IPv4; required for IPv6. A
protocol for negotiating encryption and authentication at the IP
(host-to-host) level. SSL secures only one application socket; SSH
secures only a login; PGP secures only a specified file or
@ -119,50 +120,35 @@ Expected value for L=8 is 7.1836656
<h2><a NAME="Installing IPsec"></a>Installing IPsec</h2>
<p>Starting from the BSD 3.0 stable release,</p>
<p>Most of the modern versions of FreeBSD have IPsec support
in their base source. So you'll probably will need to
include <i>IPSEC</i> option in your kernel config
and, after kernel rebuild and reinstall, configure IPsec
connections using <i>setkey</i> command.</p>
<ol>
<li>
<p>install IPsec v0.04, rebuild, reinstall</p>
</li>
<li>
<p>run the administration tools (e.g, <i>ipsecadm</i>) and distribute
keys (or use <i>Photuris</i> for key exchange)</p>
</li>
<li>
<p>set the routes (<i>rt</i>) up appropriately</p>
</li>
</ol>
<p>You may want to make an "ipsec_setup" script containing the
<i>ipsecadm</i> and <i>rt</i> commands which establish your IPsec
tunnel. You can run this script automatically at boottime from your
<i>/etc/rc.local</i> The ipsec_setup script will have to contain at
least two <i>ipsecadm</i> commands and one <i>rt</i> command to be
useful.</p>
<p>A comprehensive guide on running IPsec on FreeBSD is
provided in <a
href="http://www.freebsd.org/handbook/ipsec.html">FreeBSD
Handbook</a>.
<h2><a NAME="KERNELNAME"></a>usr/src/sys/i386/conf/KERNELNAME</h2>
<p>This needs to be present in the kernel config file in order to run
IPsec. After adding it, run <i>config</i>, etc. and rebuild and
<p>This needs to be present in the kernel config file in order to be able
to capture network data with <i>tcpdump</i>.
Be sure to run <i>config</i> after adding this, and rebuild and
reinstall.</p>
<pre># The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be
# aware of the legal and administrative consequences of enabling this
# option. Heh heh. The number of devices determines the maximum number of
# simultaneous BPF clients programs runnable.
pseudo-device bpfilter 2 #Berkeley packet filter
# IPSEC
options IPSEC
options "MD5"
pseudo-device enc 1</pre>
<pre>device bpf
</pre>
<h2><a name="Maurer's Universal Statistical Test"></a>Maurer's Universal Statistical Test (for block
size=8 bits)</h2>
<p>You can find the same code at <a
href="http://www.geocities.com/SiliconValley/Code/4704/uliscanc.txt">
this link</a>.</p>
<pre><![ CDATA [/*
ULISCAN.c ---blocksize of 8