Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 22 Apr 2014 19:43:19 +0000 (UTC)
From:      Dru Lavigne <dru@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r44630 - head/en_US.ISO8859-1/books/handbook/security
Message-ID:  <201404221943.s3MJhJqo099184@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: dru
Date: Tue Apr 22 19:43:18 2014
New Revision: 44630
URL: http://svnweb.freebsd.org/changeset/doc/44630

Log:
  Prep work for IPsec chapter.
  Add additional definitions to intro. Still need to define SA and SAD.
  Still need to setup test environment to verify tech setup.
  This section does not yet mention setkey.
  More commits to come.
  
  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Tue Apr 22 17:52:05 2014	(r44629)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Tue Apr 22 19:43:18 2014	(r44630)
@@ -61,7 +61,7 @@
       </listitem>
 
       <listitem>
-	<para>How to configure IPsec and create a
+	<para>How to configure <acronym>IPsec</acronym> and create a
 	  <acronym>VPN</acronym>.</para>
       </listitem>
 
@@ -1993,23 +1993,13 @@ Connection closed by foreign host.</scre
 
   <sect1 xml:id="ipsec">
     <info>
-      <title><acronym>VPN</acronym> over IPsec</title>
+      <title><acronym>VPN</acronym> over <acronym>IPsec</acronym></title>
 
       <authorgroup>
 	<author><personname><firstname>Nik</firstname><surname>Clayton</surname></personname><affiliation>
 	    <address><email>nik@FreeBSD.org</email></address>
 	  </affiliation><contrib>Written by </contrib></author>
       </authorgroup>
-    </info>
-
-    <indexterm>
-      <primary>IPsec</primary>
-    </indexterm>
-
-    <sect2>
-      <info>
-	<title>Understanding IPsec</title>
-
 	<authorgroup>
 	  <author><personname><firstname>Hiten
 	    M.</firstname><surname>Pandya</surname></personname><affiliation>
@@ -2018,57 +2008,66 @@ Connection closed by foreign host.</scre
 	</authorgroup>
       </info>
 
-      <para>This section demonstrates the process of setting up IPsec.
-	It assumes familiarity with the concepts of building a custom
-	kernel (see <xref linkend="kernelconfig"/>).</para>
+    <indexterm>
+      <primary><acronym>IPsec</acronym></primary>
+    </indexterm>
 
-      <para><emphasis>IPsec</emphasis> is a protocol which sits on
+    <para>Internet Protocol Security (<acronym>IPsec</acronym>) is a set of protocols which sit on
 	top of the Internet Protocol (<acronym>IP</acronym>) layer.
-	It allows two or more hosts to communicate in a secure manner.
-	The &os; IPsec <quote>network stack</quote> is based on the
-	<link xlink:href="http://www.kame.net/">KAME</link>;
-	implementation, which has support for both IPv4 and
-	IPv6.</para>
+	It allows two or more hosts to communicate in a secure manner
+	by authenticating and encrypting each <acronym>IP</acronym> packet of a communication session.
+	The &os; <acronym>IPsec</acronym> network stack is based on the
+	<link xlink:href="http://www.kame.net/">http://www.kame.net/</link>;
+	implementation and supports both <acronym>IPv4</acronym> and
+	<acronym>IPv6</acronym> sessions.</para>
 
       <indexterm>
-	<primary>IPsec</primary>
+	<primary><acronym>IPsec</acronym></primary>
 	<secondary>ESP</secondary>
       </indexterm>
 
       <indexterm>
-	<primary>IPsec</primary>
+	<primary><acronym>IPsec</acronym></primary>
 	<secondary>AH</secondary>
       </indexterm>
 
-      <para>IPsec consists of two sub-protocols:</para>
+      <para><acronym>IPsec</acronym> is comprised of the following sub-protocols:</para>
 
       <itemizedlist>
 	<listitem>
 	  <para><emphasis>Encapsulated Security Payload
-	      <acronym>ESP</acronym>)</emphasis>: this protocol
-	    protects the IP packet data from third party interference
+	      (<acronym>ESP</acronym>)</emphasis>: this protocol
+	    protects the <acronym>IP</acronym> packet data from third party interference
 	    by encrypting the contents using symmetric cryptography
-	    algorithms such as Blowfish and 3DES.</para>
+	    algorithms such as Blowfish and <acronym>3DES</acronym>.</para>
 	</listitem>
 
 	<listitem>
 	  <para><emphasis>Authentication Header
-	      (<acronym>AH</acronym>)</emphasis>: this protocol
-	    protects the IP packet header from third party
+	      (<acronym>AH</acronym>)</emphasis>): this protocol
+	    protects the <acronym>IP</acronym> packet header from third party
 	    interference and spoofing by computing a cryptographic
-	    checksum and hashing the IP packet header fields with a
+	    checksum and hashing the <acronym>IP </acronym> packet header fields with a
 	    secure hashing function.  This is then followed by an
 	    additional header that contains the hash, to allow the
 	    information in the packet to be authenticated.</para>
 	</listitem>
+
+	<listitem>
+	  <para><emphasis>IP Payload Compression Protocol
+	      (<acronym>IPComp</acronym></emphasis>): this protocol
+	    tries to increase communication performance	by compressing
+	    the <acronym>IP </acronym> payload in order ro reduce the
+	    amount of data sent.</para>
+	</listitem>
       </itemizedlist>
 
-      <para><acronym>ESP</acronym> and <acronym>AH</acronym> can
+      <para>These protocols can
 	either be used together or separately, depending on the
 	environment.</para>
 
       <indexterm>
-	<primary>VPN</primary>
+	<primary><acronym>VPN</acronym></primary>
       </indexterm>
 
       <indexterm>
@@ -2076,17 +2075,18 @@ Connection closed by foreign host.</scre
 	<see>VPN</see>
       </indexterm>
 
-      <para>IPsec can either be used to directly encrypt the traffic
-	between two hosts using <emphasis>Transport Mode</emphasis> or
-	to build <quote>virtual tunnels</quote> using
-	<emphasis>Tunnel Mode</emphasis>.  The latter mode is more
-	commonly known as a <emphasis>Virtual Private Network
-	(<acronym>VPN</acronym>)</emphasis>.  Consult &man.ipsec.4;
-	for detailed information on the IPsec subsystem in
+      <para><acronym>IPsec</acronym> supports two modes of operation.
+	The first mode, <firstterm>Transport Mode</firstterm>,
+	protects communications between two hosts.  The second mode,
+	<firstterm>Tunnel Mode</firstterm>, is used to build virtual tunnels,
+	commonly known as Virtual Private Networks
+	(<acronym>VPN</acronym>s).  Consult &man.ipsec.4;
+	for detailed information on the <acronym>IPsec</acronym> subsystem in
 	&os;.</para>
 
-      <para>To add IPsec support to the kernel, add the following
-	options to the custom kernel configuration file:</para>
+      <para>To add <acronym>IPsec</acronym> support to the kernel, add the following
+	options to the custom kernel configuration file and rebuild
+	the kernel using the instructions in <xref linkend="kernelconfig"/>:</para>
 
       <indexterm>
 	<primary>kernel options</primary>
@@ -2101,56 +2101,49 @@ device    crypto</screen>
 	<secondary>IPSEC_DEBUG</secondary>
       </indexterm>
 
-      <para>If IPsec debugging support is desired, the following
+      <para>If <acronym>IPsec</acronym> debugging support is desired, the following
 	kernel option should also be added:</para>
 
       <screen>options   IPSEC_DEBUG  #debug for IP security</screen>
-    </sect2>
-
-    <sect2>
-      <title><acronym>VPN</acronym> Between a Home and Corporate
-	Network</title>
-
-      <indexterm>
-	<primary>VPN</primary>
-	<secondary>creating</secondary>
-      </indexterm>
 
-      <para>There is no standard for what constitutes a
-	<acronym>VPN</acronym>.  <acronym>VPN</acronym>s can be
-	implemented using a number of different technologies, each
-	of which has their own strengths and weaknesses.  This
-	section presents the strategies used for implementing a
-	<acronym>VPN</acronym> for the following scenario:</para>
+      <para>This rest of this chapter demonstrates the process of
+	setting up an <acronym>IPsec</acronym> <acronym>VPN</acronym>
+	between a home network and a corporate
+	network.  In the example scenario:</para>
 
       <itemizedlist>
 	<listitem>
-	  <para>There are at least two sites where each site is using
-	    IP internally.</para>
-	</listitem>
-
-	<listitem>
 	  <para>Both sites are connected to the Internet through a
 	    gateway that is running &os;.</para>
 	</listitem>
 
 	<listitem>
-	  <para>The gateway on each network has at least one public
-	    IP address.</para>
+	  <para>The gateway on each network has at least one external
+	    <acronym>IP</acronym> address.  In this example, the corporate <acronym>LAN</acronym>'s
+	  external <acronym>IP</acronym> address is <systemitem
+	    class="ipaddress">172.16.5.4</systemitem> and the home
+	  <acronym>LAN</acronym>'s external <acronym>IP</acronym>
+	  address is <systemitem
+	    class="ipaddress">192.168.1.12</systemitem>.</para>
 	</listitem>
 
 	<listitem>
 	  <para>The internal addresses of the two networks can be
-	    either public or private IP addresses.  However, the
+	    either public or private <acronym>IP</acronym> addresses.  However, the
 	    address space must not collide.  For example, both
 	    networks cannot use <systemitem
-	      class="ipaddress">192.168.1.x</systemitem>.</para>
+	      class="ipaddress">192.168.1.x</systemitem>.  In this
+	    example, the corporate <acronym>LAN</acronym>'s
+	  internal <acronym>IP</acronym> address is <systemitem
+	    class="ipaddress">10.246.38.1</systemitem> and the home
+	  <acronym>LAN</acronym>'s internal <acronym>IP</acronym>
+	  address is <systemitem class="ipaddress">10.0.0.5</systemitem>.</para>
 	</listitem>
       </itemizedlist>
 
-      <sect3>
+      <sect2>
 	<info>
-	  <title>Configuring IPsec on &os;</title>
+	  <title>Configuring a <acronym>VPN</acronym> on &os;</title>
 
 	  <authorgroup>
 	    <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><affiliation>
@@ -2173,36 +2166,21 @@ device    crypto</screen>
 	  addresses of the internal and external interfaces of the two
 	  gateways:</para>
 
-	<screen>&prompt.root; <userinput>ifconfig gif0 create</userinput></screen>
-
-	<screen>&prompt.root; <userinput>ifconfig gif0 <replaceable>internal1 internal2</replaceable></userinput></screen>
+	<screen>&prompt.root; <userinput>ifconfig gif0 create</userinput>
+&prompt.root; <userinput>ifconfig gif0 <replaceable>internal1 internal2</replaceable></userinput>
+&prompt.root; <userinput>ifconfig gif0 tunnel <replaceable>external1 external2</replaceable></userinput></screen>
 
-	<screen>&prompt.root; <userinput>ifconfig gif0 tunnel <replaceable>external1 external2</replaceable></userinput></screen>
+	<para>Verify the setup on each gateway, using
+	  <command>ifconfig</command>.  Here is the output from Gateway 1:</para>
 
-	<para>In this example, the corporate <acronym>LAN</acronym>'s
-	  external <acronym>IP</acronym> address is <systemitem
-	    class="ipaddress">172.16.5.4</systemitem> and its internal
-	  <acronym>IP</acronym> address is <systemitem
-	    class="ipaddress">10.246.38.1</systemitem>.  The home
-	  <acronym>LAN</acronym>'s external <acronym>IP</acronym>
-	  address is <systemitem
-	    class="ipaddress">192.168.1.12</systemitem> and its
-	  internal private <acronym>IP</acronym> address is
-	  <systemitem class="ipaddress">10.0.0.5</systemitem>.</para>
-
-	<para>If this is confusing, review the following example
-	  output from &man.ifconfig.8;:</para>
-
-	<programlisting>Gateway 1:
-
-gif0: flags=8051 mtu 1280
+	<programlisting>gif0: flags=8051 mtu 1280
 tunnel inet 172.16.5.4 --&gt; 192.168.1.12
 inet6 fe80::2e0:81ff:fe02:5881%gif0 prefixlen 64 scopeid 0x6
-inet 10.246.38.1 --&gt; 10.0.0.5 netmask 0xffffff00
+inet 10.246.38.1 --&gt; 10.0.0.5 netmask 0xffffff00</programlisting>
 
-Gateway 2:
+	<para>Here is the output from Gateway 2:</para>
 
-gif0: flags=8051 mtu 1280
+	<programlisting>gif0: flags=8051 mtu 1280
 tunnel inet 192.168.1.12 --&gt; 172.16.5.4
 inet 10.0.0.5 --&gt; 10.246.38.1 netmask 0xffffff00
 inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4</programlisting>
@@ -2235,16 +2213,13 @@ round-trip min/avg/max/stddev = 28.106/9
 	  receive <acronym>ICMP</acronym> packets from the privately
 	  configured addresses.  Next, both gateways must be told how
 	  to route packets in order to correctly send traffic from
-	  either network.  The following command will achieve this
+	  either network.  The following commands will achieve this
 	  goal:</para>
 
-	<screen>&prompt.root; <userinput>corp-net# route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput></screen>
-
-	<screen>&prompt.root; <userinput>corp-net# route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput></screen>
-
-	<screen>&prompt.root; <userinput>priv-net# route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput></screen>
-
-	<screen>&prompt.root; <userinput>priv-net# route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen>
+	<screen>&prompt.root; <userinput>corp-net# route add <replaceable>10.0.0.0 10.0.0.5 255.255.255.0</replaceable></userinput>
+&prompt.root; <userinput>corp-net# route add net <replaceable>10.0.0.0: gateway 10.0.0.5</replaceable></userinput>
+&prompt.root; <userinput>priv-net# route add <replaceable>10.246.38.0 10.246.38.1 255.255.255.0</replaceable></userinput>
+&prompt.root; <userinput>priv-net# route add host <replaceable>10.246.38.0: gateway 10.246.38.1</replaceable></userinput></screen>
 
 	<para>At this point, internal machines should be reachable
 	  from each gateway as well as from machines behind the
@@ -2432,7 +2407,6 @@ pass out quick on gif0 from any to any</
 ipsec_program="/usr/local/sbin/setkey"
 ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
 racoon_enable="yes"</programlisting>
-      </sect3>
     </sect2>
   </sect1>
 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201404221943.s3MJhJqo099184>