Date:      Sun, 15 Jul 2001 23:00:07 -0700 (PDT)
From:      Alex Kapranoff <kapr@acm.org>
To:        freebsd-doc@freebsd.org
Subject:   Re: docs/28916: DocBook conversion of doc/articles/ipsec-must
Message-ID:  <200107160600.f6G607o19744@freefall.freebsd.org>

The following reply was made to PR docs/28916; it has been noted by GNATS.

From: Alex Kapranoff <kapr@acm.org>
To: Dima Dorfman <dima@unixfreak.org>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, honig@sprynet.com
Subject: Re: docs/28916: DocBook conversion of doc/articles/ipsec-must
Date: Mon, 16 Jul 2001 08:39:22 +0400

 * Dima Dorfman <dima@unixfreak.org> [July 13 2001, 18:51]:
 > Alex Kapranoff <kapr@acm.org> writes:
 > > >Description:
 > > 	I added some content (mostly removing obsolete info and
 > > 	providing additional links) along with converting the text to
 > > 	DocBook. A review would be appreciated.
 > 
 > Could you please
 > 
 > 	(1) separate the content changes from the DocBook conversion, and
 > 	(2) send this in the form of a diff against the old version.
 > 
 > (1) because content changes must be separate from markup changes (if
 > not for `cvs diff` convenience, for translators), and (2) because
 > sharballs for files already in the repository aren't very convenient
 > to work with.
 
   Yes, my fault. Thanks for the reminder. Below is the content diff for
 translators (there's a ja_JA.eucJP translation). And markup diff in
 this case is neither human-comprehensible nor space-saving. The main reason
 for me not to submit changes in the diff form was that it won't help
 anybody. You can easily generate it with `cvs diff', however, and see
 that 95% of lines are changed and therefore included in the diff (twice).
 
   And why do you say that sharballs are less convenient to work with?
 Seems that it's true only if the diff is readable.
 
 --- /usr/doc/en_US.ISO8859-1/articles/ipsec-must/article.sgml	Wed Jun 13 18:16:55 2001
 +++ article.html	Mon Jul 16 08:22:26 2001
 @@ -2,12 +2,12 @@
  
  <html>
    <head>
 -    <title>Independent Verification of IPSec Functionality in FreeBSD</title>
 +    <title>Independent Verification of IPsec Functionality in FreeBSD</title>
    </head>
    
    <body text="#000000" bgcolor="#FFFFFF">
      
 -    <h1>Independent Verification of IPsec Functionality Under FreeBSD 3.0</h1>
 +    <h1>Independent Verification of IPsec Functionality in FreeBSD</h1>
      
      <p align="center"><i>You installed IPsec and it seems to be working.&nbsp;
  	How do you know?  I describe a method for experimentally verifying
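Review bot: the file header pairs /usr/doc/en_US.ISO8859-1/articles/ipsec-must/article.sgml with a local article.html, so the `+++` side does not name the repository file and the patch will not apply cleanly to the tree with plain `patch`; regenerate it with `cvs diff -u` (or at least name both sides article.sgml) before it is committed. The IPSec to IPsec spelling fix in the `<title>` and the dropped "Under FreeBSD 3.0" in the `<h1>` are both fine, but they are different kinds of change (a spelling fix and a content change) sharing one hunk.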
 @@ -27,12 +27,12 @@
      
      <ol>
        <li>
 -	<p>Encrypted data is uniformly distributed, ie, has maximal entropy
 -	  per symbol.</p>
 +	<p>encrypted data is uniformly distributed, i.e., has maximal entropy
 +	  per symbol;</p>
        </li>
        
        <li>
 -	<p>Raw, uncompressed data is typically redundant, i.e., has
 +	<p>raw, uncompressed data is typically redundant, i.e., has
  	  sub-maximal entropy.</p>
        </li>
      </ol>
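Review bot: the only substantive fix in this hunk is "ie" to "i.e."; lowercasing "Encrypted" and "Raw" and ending the first item with a semicolon rewrites every line of both `<li>` items for purely cosmetic reasons, which is exactly the noise a content diff is meant to spare the translators. Either keep the original capitalisation and add just the period after "i.e", or label this as a style change and move it to the markup conversion patch.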
 @@ -40,16 +40,17 @@
      <p>Suppose you could measure the entropy of the data to- and from- your
        network interface. Then you could see the difference between unencrypted
        data and encrypted data. This would be true even if some of the data
 -      in "encrypted mode" was not encrypted ---as the outermost IP header must
 +      in "encrypted mode" was not encrypted---as the outermost IP header must
        be, if the packet is to be routable.</p>
      
      <h4><a name="MUST"></a>MUST</h4>
      
      <p>Ueli Maurer's "Universal Statistical Test for Random Bit Generators"
 -      ("MUST") quickly measures the entropy of a sample. It uses a
 -      compression-like algorithm. <a href="#Maurer's Universal Statistical
 -	Test">The code is given below for a variant which measures successive
 -	(~quarter megabyte) chunks of a file</a>.</p>
 +	(<a href="http://www.geocities.com/SiliconValley/Code/4704/universal.pdf">MUST</a>)
 +	quickly measures the entropy of a sample. It uses a
 +	compression-like algorithm. <a href="#Maurer's Universal Statistical
 +	Test">The code is given below</a> for a variant which measures successive
 +	(~quarter megabyte) chunks of a file.</p>
      
      <h4><a NAME="Tcpdump"></a>Tcpdump</h4>
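Review bot: the new geocities.com href for the MUST paper is a personal hosting page, not a stable reference; cite the paper itself (Ueli Maurer, "A Universal Statistical Test for Random Bit Generators", Journal of Cryptology 5(2), 1992) and treat the URL as a convenience link that may go away. Separately, the in-page link `<a href="#Maurer's Universal Statistical Test">` carries a fragment with spaces and an apostrophe, split across a line break inside the attribute; it is inherited from the old text, but since this hunk rewrites the surrounding lines anyway, rename the anchor (and the matching `<a name>` on the code section later in the article) to a single token such as `must-code`.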
      
 @@ -103,15 +104,15 @@
      
      <p>This experiment shows that IPsec <i>does</i> seem to be distributing the
        payload data <i>uniformly</i>, as encryption should. However, the
 -      experiment described here <i>can not </i>detect many possible flaws in a
 +      experiment described here <i>can not</i> detect many possible flaws in a
        system (none of which do I have any evidence for). These include poor
        key generation or exchange, data or keys being visible to others, use of
        weak algorithms, kernel subversion, etc. Study the source; know the
        code.</p>
        
 -    <h2><a NAME="IPsec"></a>IPsec -Definition</h2>
 +    <h2><a NAME="IPsec"></a>IPsec---Definition</h2>
  
 -    <p>Internet Protocol security extensions to IP v 4; required for IP v6.  A
 +    <p>Internet Protocol security extensions to IPv4; required for IPv6.  A
        protocol for negotiating encryption and authentication at the IP
        (host-to-host) level. SSL secures only one application socket; SSH
        secures only a login; PGP secures only a specified file or
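Review bot: since the line with `<i>can not </i>` is being touched anyway, the plain English form is the single word "cannot"; moving the space outside the `<i>` alone keeps the two-word spelling. The rest of the hunk (IPsec---Definition, IPv4/IPv6) is fine; the statement that IPsec is "required for IPv6" matches RFC 2401, which would be worth citing in the definition.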
 @@ -119,49 +120,34 @@
      
      <h2><a NAME="Installing IPsec"></a>Installing IPsec</h2>
  
 -    <p>Starting from the BSD 3.0 stable release,</p>
 +    <p>Most of the modern versions of FreeBSD have IPsec support
 +	in their base source.  So you'll probably will need to
 +	include <i>IPSEC</i> option in your kernel config
 +	and, after kernel rebuild and reinstall, configure IPsec
 +	connections using <i>setkey</i> command.</p>
      
 -    <ol>
 -      <li>
 -	<p>install IPsec v0.04, rebuild, reinstall</p>
 -      </li>
  
 -      <li>
 -	<p>run the administration tools (e.g, <i>ipsecadm</i>) and distribute
 -	  keys (or use <i>Photuris</i> for key exchange)</p>
 -      </li>
 -
 -      <li>
 -	<p>set the routes (<i>rt</i>) up appropriately</p>
 -      </li>
 -    </ol>
 -    
 -    <p>You may want to make an "ipsec_setup" script containing the
 -      <i>ipsecadm</i> and <i>rt</i> commands which establish your IPsec
 -      tunnel. You can run this script automatically at boottime from your
 -      <i>/etc/rc.local</i> The ipsec_setup script will have to contain at
 -      least two <i>ipsecadm</i> commands and one <i>rt</i> command to be
 -      useful.</p>
 +    <p>A comprehensive guide on running IPsec on FreeBSD is
 +      provided in <a
 +      href="http://www.freebsd.org/handbook/ipsec.html">FreeBSD
 +      Handbook</a>.
  
      <h2><a NAME="KERNELNAME"></a>usr/src/sys/i386/conf/KERNELNAME</h2>
      
 -    <p>This needs to be present in the kernel config file in order to run
 -      IPsec. After adding it, run <i>config</i>, etc. and rebuild and
 +    <p>This needs to be present in the kernel config file in order to be able
 +      to capture network data with <i>tcpdump</i>.
 +      Be sure to run <i>config</i> after adding this, and rebuild and
        reinstall.</p>
  
 -    <pre># The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be
 -# aware of the legal and administrative consequences of enabling this
 -# option. Heh heh. The number of devices determines the maximum number of
 -# simultaneous BPF clients programs runnable.
 -pseudo-device bpfilter 2 #Berkeley packet filter
 -
 -# IPSEC
 -options IPSEC
 -options "MD5"
 -pseudo-device enc 1</pre>
 +    <pre>device	bpf
 +</pre>
  
      <h2><a name="Maurer's Universal Statistical Test"></a>Maurer's Universal Statistical Test (for block
        size=8 bits)</h2>
 +
 +        <p>You can find the same code at <a
 +          href="http://www.geocities.com/SiliconValley/Code/4704/uliscanc.txt">;
 +          this link</a>.</p>
  
      <pre><![ CDATA [/*
    ULISCAN.c   ---blocksize of 8
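Review bot: the rewritten "Installing IPsec" paragraph names only the `IPSEC` kernel option, but the article's whole experiment is about seeing encrypted payloads, and on the KAME stack `options IPSEC` alone gives AH and key management; ESP needs `options IPSEC_ESP` as well. Since the `<pre>` block under KERNELNAME now shows only `device bpf`, add the two IPsec options there (or in a second `<pre>` in the Installing section) so a reader does not build a kernel that authenticates but never encrypts. Smaller points in the same hunk: "you'll probably will need to" should read "you will probably need to"; the added `<a href="...uliscanc.txt">;` has a stray `;` after the closing `>` that renders as a literal semicolon, and "this link" is poor link text (use the file name); the `<p>` opened for the Handbook link is never closed; and check that the branch the article targets accepts `device bpf`, since the 4.x GENERIC spells it `pseudo-device bpf`.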
 
 -- 
 Alex Kapranoff,                              Voice: +7(0832)791845
 We've lived 196 days in the brand new millennium...

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107160600.f6G607o19744>