$Id: specification.ja.txt,v 1.27 2005/10/04 08:22:14 fukumoto Exp $

Racoon2 

+ 
+ ݥꥷǡ (spmd)
+ IKEv1/v2ǡ (iked)
+ KINKǡ (kinkd)
+ ե (racoon.conf)
+ ̥饤֥ (libracoon.a)


+ 

o racoon2
	racoon2ϡĤΥץåȥեʣθ򴹥ץȥƱ
	ư뤿ȤǤ롣
	racoon2ϡݥꥷǡȳƥץȥǡǹ졢
	˸ɬפʶ̥饤֥󶡤롣

	ݥꥷǡϵưեɤ߹ɬפʤ
	ե˽񤫤줿ե륿򥫡ͥ˥󥹥ȡ뤹롣
	Υե륿ϳƥץȥǡư뤿ˡͥ뤫
	׵ȯġ
	ޤץꥱ̾褷ɬפʤ̾ȥ쥯
	å򤷡ͥ˥ե륿򥤥󥹥ȡ뤹롣
	ͥȤΥ󥿡եȤPF_KEY version2[RFC2367]
	γĥȤPF_KEYοСPF_POLICYФˤ
	ܹԤ롣

	Initiatorγƥץȥǡϡͥ뤫SA׵ᥤ٥Ȥ
	Ƹ򴹤Ϥ롣
	ResponderϡInitiator¦θ׵ᥤ٥Ȥˤɬפʤ
	򴹤򳫻Ϥ롣
	򴹥ץȥȤưʲ IPv4ڤIPv6ǥݡȤ롣

		IKE version 1 [RFC2409, RFC2407, RFC2408]
		IKE version 2 [draft-ietf-ipsec-ikev2-17.txt]
		KINK [draft-ietf-kink-kink-06.txt]

	̥饤֥ϡͥ륤󥿡եե
	¾Υ桼ƥƥ󶡤Ƥ롣

o Ѹ
	ե륿
		ǤդΥѥåȤФ
		쥯ȥ롼ǹ롣
		ݥꥷƱ

	ݥꥷ
		ե륿Ʊ

	쥯
		ѥåȤФƥե륿ŬѤ뤿
			IPɥ쥹
			ץեĹ
			ץȥֹ
			ICMP
			ICMP
			ݡֹ
		ǹ롣

	롼
		ե륿˥ޥåѥåȤν򵭽Ҥ롣
		IPsecξ硢ʲΣ̤꤬롣
			ѥåȤ˴
			IPsecåХѥ
			IPsecå̤
		IPsecå̤硢ƥץȥ⡼ɤ
		Ƥ롣

	쥯ǥå
		쥯դ˼̤ʸ
		selector_indexեΤǰդǤ롣

o ưĶ
	ʲΥץåȥեǳȯ
		NetBSD 2.0
		Linux 2.6.0

	ʲΥץåȥեư뤳ȤɸȤ
		NetBSD 2.0
		FreeBSD 4.x
		Linux 2.6.0

	ɬפʥͥ륤󥿡եʲǤ
		Socket API
		Advanced API[]
		PF_KEY [RFC2367]
		PF_KEYĥޤϥե륿I/F

	- PF_KEY [RFC2367]
		ʤȤʲΥå򥵥ݡȤƤɬפ롣
		GETSPI
		UPDATE
		ADD
		DELETE
		EXPIRE
		ACQUIRE

	- PF_KEYĥޤϥե륿I/F
		ƥݥꥷǡ١(SPD)ޤ
		ƱΥե륿ǡ١I/FʤФʤʤ

	- 򴹤λư˴ؤ
		ͥ뤬ѥåȤȤ˥ե륿ɾ
		⤷IPsecʤб SA뤫
		ʤХե륿μ̻Ҥ桼֤Τ餻Ǥ롣
		racoon2Ǥϥե륿μ̻Ҥե륿IDȸƤ֡
		ޤե륿ɾϥ桼Ǥ롣

	- Kerberosؤ׵
		A쥳ɤФprincipal򣱤ʤФʤ

o 
	XXX SAȤδط

o ǤSAIPSEC⡼
	IKEv1/IKEv2
		ESP with transport mode
			IP|ESP|ULP
		AH with transport mode
			IP|AH|ULP
		IPCOMP with transport mode
			IP|IPCOMP|ULP
		AH+ESP with transport mode
			IP|AH|ESP|ULP
		AH+IPCOMP with transport mode
			IP|AH|IPCOMP|ULP
		ESP+IPCOMP with transport mode
			IP|ESP|IPCOMP|ULP
		AH+ESP+IPCOMP with transport mode
			IP|AH|ESP|IPCOMP|ULP
		ESP with tunnel mode
			IP2|ESP|IP1|ULP
		AH with tunnel mode
			IP2|AH|IP1|ULP
		IPCOMP with tunnel mode
			IP2|IPCOMP|IP1|ULP
		AH+ESP with tunnel mode
			IP2|AH|ESP|IP1|ULP
		AH+IPCOMP with tunnel mode
			IP2|AH|IPCOMP|IP1|ULP
		ESP+IPCOMP with tunnel mode
			IP2|ESP|IPCOMP|IP1|ULP
		AH+ESP+IPCOMP with tunnel mode
			IP2|AH|ESP|IPCOMP|IP1|ULP

	KINK
		ESP with transport mode
			IP|ESP|ULP

o ưȽλ
	Ϥ spmdư˥ץȥǡ(iked, kinkd)ư롣
	iked, kinkdϸ̤˵ư롣
	spmdλȳƥץȥǡϽλ롣


+ ݥꥷǡ (spmd)

o ݥꥷǡ
	ݥꥷǡϰʲΣĤνʬ롣
		ե륿򥫡ͥ˥󥹥ȡ뤹
		̾
		ɥ쥹հ
		쥯ǥåSPIDΥޥåԥ

	ưե˽񤫤줿ե륿򥫡ͥ˥󥹥ȡ뤹롣
	쥯FQDN񤫤Ƥ硢󥹥ȡ뤹ǤIPɥ쥹
	Ȥäƥ󥹥ȡ뤹롣θ塢ץꥱ̾褷ˡ
	λǤIPɥ쥹ǥͥΥե륿֤롣äƥ쥯
	FQDNȤˤϡץꥱΥ꥾Фݥꥷǡ
	֤ʤФʤʤ

	ͥ˥ե륿򥤥󥹥ȡ뤹ȡͥϳƤSPID
	֤Τǡȥ쥯ǥåб롣

	ץȥǡ󤫤Υɥ쥹հ׵ƥå夷Ƥ
	FQDN֤
	ץȥǡ󤫤ݥꥷ׵бե륿
	ͥ˥󥹥ȡ뤹롣ݥꥷ׵ϥ쥯ǥå
	ꤵΤǡб

o ưץ
	commandline-options.txt 

o spmd 󥿡ե
	localhostTCPݡֹ9555()Ȥ
	telnet(1)ǥǥХåǤ褦˼롣
	ǧڤ challenge and responseȤ
	ѥɤե˽񤤤Ƥ롣
	եΥѡߥåա
	IPɥ쥹äˤɬפϤʤ

o 
	եɤ߹
	
	ŵư
	󥰽
	ƥåȽ
	PF_KEY
	PF_POLICY
	FQDNå
	٥Ԥ

o ̾
	꥾Ф֤Τǥץꥱ󤫤̾̾׵
	ʤФʤʤ
	127.0.0.1::153֥ݡȤȤ
	ե׵ᤵ줿FQDNä硢ŸƤΥɥ쥹
	Фƥե륿򥫡ͥ˥󥹥ȡ뤷FQDNIPɥ쥹Υڥ
	å夹롣
	˥󥹥ȡ뤵Ƥե륿äϾ񤭤롣

	P.HOGE CNAME Z.HOGE 
	Q.HOGE CNAME Z.HOGE
	R.HOGE CNAME Z.HOGE

	P.HOGE A     Z.HOGE
	Q.HOGE A     Z.HOGE
	R.HOGE A     Z.HOGE

o å
	racoon.conf˽񤫤ƤFQDNƥåоݤȤ롣
	A쥳ɤŸå夹롣
	쥳ɤκϤʤ̾λ˥å򹹿롣
	SIGUSR2ƥåѡ롣

o ɥ쥹հ
	ץȥǡ󤫤Υɥ쥹հ׵бǤդ
	A쥳ɤ򣱤֤

o ݥꥷ׵
	ץȥǡ󤫤ݥꥷ׵б륻쥯
	ͥ˥󥹥ȡ뤹롣Responder¦ȤưƤ
	ǡ󤫤׵Ǥ롣

	쥯INDEX
	Υɥ쥹

o ߤν񤭽Ф
	桼Τơߤ SPDեؽ񤭽Ф

o λ٥
	桼齪λ٥Ȥｪλ롣
	λνϰʲ̤ꡣ
	- ׵˴
	- socketΥ
	- ͥꤷIPsecݥꥷޤϤտ魯SAɬפʤ
	  롣
	- PF_KEYPF_POLILCY socketΥ
	- եΥ
	- ŵưɻߤβ

o ۾ｪλ
	㤨С­Τ褦ʲǽʾ֤˴٤äˤϰ۾ｪλ롣
	ꥤ᡼Ǥƽλ롣

o rekey˴ؤ
	daemonrekeyinitiate뤳Ȥͤ뤬
	ѥåȤʤΤrekeyɬפϤʤȤ顢
	rekeyinitiatekernelǤ롣


+ IKEv1/v2ǡ (iked)

o IKEv1/v2ǡ
	IKE version1IKE version2򥵥ݡȤǡǤ롣
	IPv4ڤIPv6̿Ǥ롣
	򴹤˻Ȥݡֹ 500֤Ȥ뤬Ѥ롣
	draft-ietf-ipsec-ikev2-10.txt 4. conformance requirements줿
	ǽ򥵥ݡȤ롣
	ikedϡFQDNǵҤ줿⥵ݡȤ롣

o IKEv1˴ؤ
	Main⡼ɤAggressive⡼ɤ򥵥ݡȤ롣
	ǧˡ Pre-share Key RSA Signature in PKCS#1򥵥ݡȤ롣
	ID Main⡼ with Pre-share KeyξIPɥ쥹
	ʳȹ礻ǤIPɥ쥹FQDN,E-mailɥ쥹Ȥ롣
	Oakley group 1,2,5򥵥ݡȤ롣

o IKEv1 ڥɲ
	RFC2408ڥɤΤʲΥڥɤ򥵥ݡȤ롣
	ISAKMP Header
	Security Association Payload
	Proposal Payload
	Transform Payload
	Key Exchange Payload
	Identification Payload
	Certificate Payload
	Certificate Request Payload
	Hash Payload
	Signature Payload
	Nonce Payload
	Notification Payload
	    Notify Message Types
	Delete Payload
	Vendor ID Payload

o IKEv1  SA Lifetime˴ؤ
	IKE-SA Lifetime IPsec-SA LifetimeΩ롣

	IKE-SA initiatorΥץݡФresponder
	ʲΤ줫ư򤹤롣

	OBEY
		initiator󼨤¸֤˽

	STRICT
		initiator󼨤¸֤responderΤû
		initiator˽ʳϥå˴롣

	CLAIM
		initiator󼨤¸֤responderΤû
		initiator˽ʳRESPONDER-LIFETIME
		Notifyå֤responderΤȤ

	EXACT
		initiator󼨤¸֤responderΤʤ
		å˴롣

o IKEv1 Initiator
	ͥ뤫SA׵ᥤ٥Ȥȡ˴ޤޤƤ
	ե륿IDݥꥷؿϤݥꥷ롣
	򴹤ɬפʤХ쥯INDEX鸰򴹤
	򴹤Ϥ롣
	򴹽λ塢ͥSAꤷơͥ뤫
	SADB_EXPIREåԤ롣

o IKEv1 Responder
	Initiator¦θ׵åȡ
	main modeξ硢IPɥ쥹̿ؿϤ
	̿˴ؤ롣
	aggressive modeξ硢IDڥɤ˴ޤޤƤID
	̿ؿϤ̿ꤹ롣
	ȥͥ⡼ɤθ򴹤ξPhase2IDڥɤ˴ޤޤƤ
	SAΥ쥯򥻥쥯ؿϤ쥯ȥݥꥷ롣
	򴹽λ塢ͥSAꤷݥꥷǡ
	ݥꥷ׵ͥ뤫SADB_EXPIREåԤ롣

	ޤRoadworrorξ
	phase1ID  selector_info򸡺
	ʤ ID payloadȤäƸ롣
	ID selector_info򸡺ϡphase2ID payload
	å򤷤ʤ

o IKEv2˴ؤ
	ʲεǽϥݡȤʤ
		UDP-ESPȥͥˤNATۤ̿(nat-t)
		ȥͥ륨ɥݥȤΰŪIPɥ쥹μ(mode-cfg)
		쥬ǧ(xauth)
		1ʾΥɥ
		1ĤIKE_SAʣSAꤹ뵡ǽ
		SA bundleϤ˳ʤ

	ǡե˽Initiator¦ Responder¦
	ޤϤξư򤹤롣
	ưѤϺƵư롣

o IKEv2 å
	IKEv2ͤ줿 IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA,
	INFORMATIONALŬڤ˽ʤФʤʤ
	InformationalåФƶInformationalå
	֤Ȥ뤬ikedŬڤʥå֤ΤȤ롣

o IKEv2 ڥɲ
	ʲΥڥɤ򥵥ݡȤ롣
		The IKE Header
		Security Association Payload
		Key Exchange Payload
		Identification Payloads
		Certificate Payload
		Certificate Request Payload
		Authentication Payload
		Nonce Payload
		Notify Payload
		Delete Payload
		Vendor ID Payload
		Traffic Selector Payload
		Encrypted Payload

	ʳΥڥɤξ硢ƥӥåȤ̵ͭǽѤ롣
	ƥӥåȤåȤƤʤСѥåΤ˴롣
	ƥӥåȤåȤʤʤСΥڥɤ̵뤹롣
	ξ⡢˥פȥƥӥåȤ̵ͭϤ롣

o IKEv2 TS Payload
	Initiatorξ
		TSڥɤϡ쥯󤫤롣
		ikedͥ뤫SADB_ACQUIREåˤϡ
		쥯IDޤޤ졢ȵưɤ߹ե뤫
		ikedϥ쥯򻲾ȤǤ롣

	Responderξ
		TSڥɤϡ쥯󤫤ꤵ롣
		ikedϡIKE_AUTHå˴ޤޤIDiڥɤ˴Ť
		⡼Ⱦ򻲾Ȥ롣ˡTSڥɤ饻쥯򸡺
		쥯󤫤ϡݥꥷ𤷤ƥ⡼Ⱦ󤬻ȤǤ
		Τǡˤ⡼Ⱦå롣

		*쥯θ(ޥå)λϡ
		⤷TSڥɤ specific TSǻϤޤäƤơTS 
		ʬΥե졼Υ쥯ޤ뤫
		ޤTS ڥɤTSڥɤκǽ餬 specific 
		TSǤϤʤ
		Ʊˡ
		TSڥɤΤ줫TSʬΥե졼
		Υ쥯ޤ
		ΤȤޥåȤߤʤ
		׹ͻ

		쥹ݥ˥֤TSڥɤϤĤͤ
		ʬΥե졼Υ쥯롣
		ʤTSΤۤȤʬΥ쥯ض
		뤳Ȥˤʤ롣


o IKEv2 Initiator
	ͥ뤫SA׵ᥤ٥Ȥȡ˴ޤޤƤ
	selector indexݥꥷؿϤݥꥷ롣
	򴹤ɬפʤselector index鸰򴹤
	򴹤Ϥ롣

	򴹽λ塢ͥSAꤷơͥ뤫
	SADB_EXPIREåԤ롣
	XXX äȼǤä

	+ IKE_SA_INIT
	HDR, SAi1, KEi, Ni

	+ IKE_AUTH
	HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}

	+ CREATE_CHILD_SA
	HDR, SK {[N], SA, Ni, [KEi], [TSi, TSr]}

o IKEv2 Responder
	remote_infoθˡϡ
		IPɥ쥹ȳremote_infopeers_ipaddr
		IDremote_infopeers_id
		default
	νǺѤ롣
	Initiator¦θ׵å
	ȥͥ⡼ɤθ򴹤ξTSڥɤ˴ޤޤƤSAΥ쥯
	쥯ؿϤ쥯ȥݥꥷ롣
	򴹽λ塢ͥSAꤷݥꥷǡ
	ݥꥷ׵ͥ뤫SADB_EXPIREåԤ롣
	ޤRoadworrorξ

	+ IKE_SA_INIT
	HDR, SAr1, KEr, Nr, [CERTREQ]

	+ IKE_AUTH
	HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}

	+ CREATE_CHILD_SA
	HDR, SK {SA, Nr, [KEr], [TSi, TSr]}

o IKEv2 INFORMATIONAL
	HDR, SK {[N,] [D,] [CP,] ...} -->
	                             <-- HDR, SK {[N,] [D,] [CP], ...}

o IKEv2 CookieȤä
       Initiator                          Responder
       -----------                        -----------
       HDR(A,0), SAi1, KEi, Ni   -->

                                 <-- HDR(A,0), N(COOKIE)

       HDR(A,0), N(COOKIE), SAi1, KEi, Ni   -->

                                 <-- HDR(A,B), SAr1, KEr, Nr, [CERTREQ]

       HDR(A,B), SK {IDi, [CERT,] [CERTREQ,] [IDr,]
           AUTH, SAi2, TSi, TSr} -->

                                 <-- HDR(A,B), SK {IDr, [CERT,] AUTH,
                                                SAr2, TSi, TSr}

      Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)


o SA Lifetime
	IKEv2ͤˤIKE-SA,AH/ESP-SALifetimeΥͥϤʤ
	rekeyꤵ줿lifetimeIntiator,Responderȯ롣
	Ʊȯ뤳Ȥ򤱤뤿 jitterä롣
	jitterǽ
	ˤȯʤȤǽˤ롣

	- IKE-SAAH/ESP-SAexpire
	IKE-SARekeyChild-SAϿIKE-SA˰Ѥ롣

	- rekeyνλ
	lifetimesoft/hard expiration timeߤ롣
	hard expiration time ACQUIRE rekey롣
	kernelˤ soft/hardȤꤹ롣

	- rekeyˤkernel˴Ԥư
	SAɬפʤ hard expiration timeޤǤ ACQUIRE1ʾФ롣
	soft expiration timeޤǤ ACQUIREФʤȤ˾ޤ
	soft expiration time褿1ACQUIREФ롣
	ʹSAԤ٤ACQUIREФ롣
	1ð2İʾACQUIREФʤȤ˾ޤ

o DH key exchange
	- DH group줿ѥ᡼ȤDH key exchange˻Ȥͤ
	  롣
	- ˤϥ饤֥δؿȤۥåȤˤϴޤޤʤΤǡ
	  ѥޤϼ¹Ի˥󥯤ʤФʤʤ
	- ѤؿϸڥؿȶͭؿǤ롣
	- 饤֥ؿϤϡ Y = g^X mod p ˤ pgȤ롣
	   p, gIKEͤƤꡢpϽʬ礭ǿ
	  g 2Ǥ롣
	  饤֥ؿνϤϡY, XǤ롣
	- Ѥ DH group
		1,2 (ikev2-17.txt, Appendix B)
		5,14,15,16,17,18 (RFC3526)
		ʱ߷ϤϹθʤ
	- 饤֥ȤƤ OpenSSLȤ롣
	- ʳgroup줿ϡƥѥ뤹뤳Ȥ
	  Ѳǽˤ롣
	- DH KE payloadȤ롣


+ KINKǡ (kinkd)

o KINKǡ
	KINK(draft-ietf-kink-kink-05.txt)򥵥ݡȤǡǤ롣
	򴹤˻Ȥݡֹ <IANA consideration> Ǥ롣

o ưĶ
	ưĶϴŪracoon2˽ʲɲôĶɬפǤ롣

	- PF_KEYĥI/F
		PF_KEY󥿡ե
		SPIѹ뤳ȤʤIPsec SAѥ᡼񤭴뵡ǽ
		󶡤ʤФʤʤ
		3-way handshake Ԥʤ硢εǽɬפʤ

	- Kerberos V5饤֥
		ݡȤKerberos5饤֥ϰʲΤΤǤ롣
			Heimdal-0.6

		XXX
		͢е¤졢2003-10-24MITˤKerberos饤֥
		ꤹ뤳ȤǽˤʤäᡢŪˤ
			MIT krb5
		򥵥ݡȤǽ롣

	- Ź饤֥
		OpenSSL ???

o KINKå
	draft-ietf-kink-kink-05.txtåΤ
		CREATE
		DELETE
		REPLY
		GETTGT
		ACK
		STATUS
	򥵥ݡȤ롣

o KINKڥ
	ڥֹϸ <IANA consideration> Ǥ롣
	draft-ietf-kink-kink-05.txtڥɤ򤹤٤
	ݡȤ롣
		KINK_AP_REQ
		KINK_AP_REP
		KINK_KRB_ERROR
		KINK_TGT_REQ
		KINK_TGT_REP
		KINK_ISAKMP
		KINK_ENCRYPT
		KINK_ERROR

o ISAKMPڥ
	RFC2408ڥɤΤʲΥڥɤ򥵥ݡȤ롣
		Security Association Payload
		Proposal Payload
		Transform Payload
		Nonce Payload
		Delete Payload

	XXX
	key exchange
	identification
	notification

o 
	
	եɤ߹
	󥰽
	ֽ
	Kerberos TGTμ
	ŵưɻ߽
	signal
	KINK socket
	PF_KEY
	spmd³
	٥Ԥ

o Kerberos Ticketμ
	ư˺ǽTGT롣
	Service Ticketϸ׵᤬ȯǼ롣
	ޤTGTService TicketȤ˥å夹롣
	򴹤η̡Service Ticketͭ¤ڤƤϡ
	Service TicketκȯԤ롣
	Service TicketTGTͭ¤ڤƤϡ
	TGTκȯԤ롣

o λ٥Ƚ
	SIGTERMޤSIGINTˤäưʲｪλԤʤ
	- KINK socketΥ
	- PF_KEYPF_POLICY socketΥ
	- spmdؤQUITå
	- spmd socketΥ
	- եΥ
	- ŵưɻߤβ
	???- λ˼ʬꤷSAõ롣

o ۾ｪλ
	­֤ʤɤ̿Ūʾ֤˴٤äϡ
	ꥤ᡼Ϥƽλ롣???

o ¾Υ٥Ƚ
	SIGHUPˤäեκɤ߹ߤԤʤ
	ޤspmdؤ³ǤƤ硢³ߤ롣

o KINK Initiator
        ͥ뤫SADB_ACQUIREåȡ
	˴ޤޤƤ륻쥯IDݥꥷؿϤݥꥷ롣
        򴹤ɬפʤХ쥯INDEX鸰򴹤
        򴹤Ϥ롣
	̿principal name˴ޤޤFQDN뤿ᡢ
	spmdФƥɥ쥹հ׵(FQDN QUERYå)
	䤤碌Ԥʤ
	ͥinboundSAꤷ塢򴹤򳫻Ϥ
	򴹽λ塢outboundSAꤹ롣
	ͥ뤫SADB_EXPIREåȸιȤԤʤ

	XXX 3-way ε
	XXX user-to-user

o KINK Responder
	Initiatorθ׵åȡ
	IPɥ쥹KINK_AP_REQڥɤ˴ޤޤƤ
	principal nameKINK_ISAKMPڥɤ˴ޤޤƤѥ᡼
	ѤƸ򴹤򳫻Ϥ롣
	򴹻ˡͥSAꤷspmd˥ݥꥷ׵롣
	ResponderϸιԤʤʤΤǡSADB_EXPIREå̵뤹롣

	XXX 3-way ε


+ ե (racoon.conf)

	racoon2-config.txt򻲾


+ ̥饤֥ (libracoon.a)

	racoon2-lib.txt򻲾


+ 
	ưΥץǽϥեǤ롣Ƥʤ
	syslog()˽Ϥ롣
	remote줿θ򴹥ץȥ˽ϥե
	¾Υץ˴ؤ餺ΩƽϤ롣
	ưץɸϤˤΩƽФ롣
