$Id: iked-memo.ja.txt,v 1.13 2007/05/16 08:26:24 fukumoto Exp $

racoon2 iked ˤĤ


IKEv2ڥåФ
CERT CERTREQ ڥɼ谷̤ʼ̵ޤϥ顼
   Implementations MUST be capable of being configured to send and
   accept up to four X.509 certificates in support of authentication,
   and also MUST be capable of being configured to send and accept the
   first two Hash and URL formats (with HTTP URLs).  Implementations
   SHOULD be capable of being configured to send and accept Raw RSA
   keys.  If multiple certificates are sent, the first certificate MUST
   contain the public key used to sign the AUTH payload. The other
   certificates may be sent in any order.
HTTP_CERT_LOOKUP_SUPPORTEDNON_FIRST_FRAGMENTS_ALSO б̵ʼ̵
RSASIGΥϥå SHA1
CREATE_CHILD_SAǡ DHͥ IKE SA Ȱۤʤ DHʤbug
ץʥʵǽǡikedǤϥݡȤʤ¥ݡȤΤ
	 EAP ̵Ʊ
	 window  minimum 1
꤬ NO_ADDITIONAL_SAS ֤Ƥν̵
ȥ󥹥եͥ ID=0б̵
      If the
      initiator wishes to make use of the transform optional to
      the responder, it includes a transform substructure with
      transform ID = 0 as one of the options.
IPCOMP_SUPPORTEDμ谷̵SADB_REGISTERͤ iked 鸫
  ˤ뤳Ȥɬס



racoon2ڥåФ
proposal_check ̤ʻˤ餺 obey
selector_check  IDȿǤʤTS exact Τߡʤϥڥåɤ
	racoon2-spec.txt Ǥϡ
			ikedϡTSexactly matchݡȤʤ
	racoon2-config.txtǤϡ
			selector_check (obey|exact) ;
			responder¦IDTSӽ롣
			³Τ˥ǥեȤ obey


padlen_random, max_padlen ưracoon1 ȤƤޤ
	max_padlen == 0, random_padlen == false:	ǾΥѥǥ
	max_padlen != 0, random_padlen == true:		0..max_padlenĹ
	max_padlen == 0, random_padlen == true:		max_padlen = 255, random_padlen=trueƱ
	max_padlen != 0, random_padlen == false:	max_padlenʲκѥǥ


TSڥɤΰ
  


ץʥʥڥɤξܺ

IKE_SA_INIT request
HDR, SAi1, KEi, Ni [N(NAT_DET_SRC), N(NAT_DET_DST)] 

     request send (initiator)
     [N(NAT_DETE_SRC), N(NAT_DET_DST)] nat_traversalonʤdefault

     request recv (responder)
     [N(NAT_DETE_SRC), N(NAT_DET_DST)] ɤ


IKE_SA_INIT response
HDR, SAr1, KEr, Nr, [N(NAT_DET_SRC), N(NAT_DET_DST),] [CERTREQ] 

     response send (responder)
     [N(NAT_DETE_SRC), N(NAT_DET_DST)] nat_traversalonʤdefault
     [CERTREQ]  ʤ
     N(COOKIE)  cookie_required Ǥ뤫half open sa ͤ¿Ȥ֤


     response recv (initiator)
     [CERTREQ]  ̵뤹
     N(COOKIE)  ɤ
     N(INVALID_KE_PAYLOAD)  ɤ


IKE_AUTH request
HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,], AUTH, SAi2, TSi, TSr}

     request send (initiator)
     [CERT]  ʤ
     [CERTREQ]  ʤ
     [IDr]  peer_id ꤵƤ
     [N(INITIAL_CONTACT)]  ƻȤremoteʤդ
     [N(IPCOMP_SUPPORTED)]  դʤ
     [N(SET_WINDOW_SIZE)]  դʤ
     [N(USE_TRANSPORT_MODE)]  ȥ󥹥ݡȥ⡼ɤʤդ
     [N(HTTP_CERT_LOOKUP_SUPPORTED)]  դʤ
     [N(ESP_TFC_PADDING_NOT_SUPPORTED)]  դʤ

     EAPѻΥåեޥåбʤ


     request recv (responder)
     [CERT]  ̵뤹
     [CERTREQ]  ̵뤹
     [IDr]  ͭʤ my_id Ȱפ뤫ǧ롣ʤ AUTHENTICATION_FAILED
     [N(INITIAL_CONTACT)]  ̵뤹
     [N(IPCOMP_SUPPORTED)]  ̵뤹
     [N(SET_WINDOW_SIZE)]  ̵뤹
     [N(USE_TRANSPORT_MODE)]  ͭSAȥ󥹥ݡȥ⡼ɤȤ롣աNotifyڥɤSPI̵뤹
     [N(HTTP_CERT_LOOKUP_SUPPORTED)]  ̵뤹
     [N(ESP_TFC_PADDING_NOT_SUPPORTED)]  ̵뤹

     EAPIRASΥåбʤ


IKE_AUTH response 
HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}

     response send (responder)
     [CERT]  ʤ
     [N(INITIAL_CONTACT)]  ƻȤremoteʤդ
     [N(IPCOMP_SUPPORTED)]  դʤ
     [N(SET_WINDOW_SIZE)]  դʤ
     [N(USE_TRANSPORT_MODE)]  ȥ󥹥ݡȥ⡼ɤʤդ
     [N(HTTP_CERT_LOOKUP_SUPPORTED)]  դʤ
     [N(ESP_TFC_PADDING_NOT_SUPPORTED)]  դʤ
     

     response recv (initiator)
     [CERT]  ̵뤹
     [N(SINGLE_PAIR_REQUIRED)]  ̵뤹
     [N(NO_PROPOSAL_CHOSEN)]  child sa ϥܡȤike sa Ωclarification draft)
     [N(INTERNAL_ADDRESS_FAILURE)]  child sa ϥܡȤike sa Ωclarification draft)
     [N(FAILED_CP_REQUIRED)]  child sa ϥܡȤike sa Ωclarification draft)
     [N(TS_UNACCEPTABLE)]  child sa ϥܡȤike sa Ωclarification draft)


CREATE_CHILD_SA request
HDR, SK {SA, Ni, [KEi], TSi, TSr}
or (rekey IKE_SA)
HDR, SK {SA(proposal proto=IKE), Ni, KEi}
or (rekey CHILD_SA)
HDR, SK {N(REKEY_SA), SA, Ni, [KEi]}

     request send (initiator)
     [N(REKEY)]  child sa rekey λդ
     [KEi]  child sa ϡneed_pfs ꤵ줿Ȥդ rekey ikesa λɬܤդ
     [N(USE_TRANSPORT_MODE)]  ȥ󥹥ݡȥ⡼ɤʤդ
     [N(ESP_TFC_PADDING_NOT_SUPPORTED)]  դ
     [N(IPCOMP_SUPPORTED)]  դʤ


     request recv (responder)
     [KEi]  
     [N(USE_TRANSPORT_MODE)]  ͭSAȥ󥹥ݡȥ⡼ɤȤ롣աNotifyڥɤSPI̵뤹
     [N(ESP_TFC_PADDING_NOT_SUPPORTED)]  ̵뤹
     [N(IPCOMP_SUPPORTED)]  ̵뤹


CREATE_CHILD_SA response
HDR, SK {SA, Nr, [KEr], TSi, TSr}
or (rekey IKE_SA)
HDR, SK {SA, Nr, KEr}

     response send (responder)
     [KEr]  need_pfsλդ롣 rekey ike_sa λɬܤդ롣
     [N(SINGLE_PAIR_REQUIRED),]  դʤ
     [N(ADDITIONAL_TS_POSSIBLE)]  դʤ
     [N(USE_TRANSPORT_MODE)]  ȥ󥹥ݡȥ⡼ɤʤդ
     [N(ESP_TFC_PADDING_NOT_SUPPORTED)]  դ
     [N(IPCOMP_SUPPORTED)]  դʤ


     response recv (initiator)
     [N(ADDITIONAL_TS_POSSIBLE)]  ̵뤹
     [N(SINGLE_PAIR_REQUIRED)]  child_sa 򥢥ܡȡŬڤ˽٤
     [N(NO_ADDITIONAL_SAS)]  child_sa 򥢥ܡȡŬڤ˽٤
     [N(INVALID_KE_PAYLOAD)]  need_pfs ʤл dh group  createchildƼ¹ԡǤʤХ顼Ȥ child_sa 򥢥ܡ
     [N(NO_PROPOSAL_CHOSEN)]  child_sa 򥢥ܡ
     [N(FAILED_CP_REQUIRED)]  child_sa 򥢥ܡ
     [N(TS_UNACCEPTABLE)]  child_sa 򥢥ܡ
