Path: blob/main/documentation/content/en/articles/ipsec-must/_index.po
18096 views
# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR The FreeBSD Project # This file is distributed under the same license as the FreeBSD Documentation package. # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: FreeBSD Documentation VERSION\n" "POT-Creation-Date: 2026-02-22 15:58+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <[email protected]>\n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: Title = #: documentation/content/en/articles/ipsec-must/_index.adoc:1 #: documentation/content/en/articles/ipsec-must/_index.adoc:11 #, no-wrap msgid "Independent Verification of IPsec Functionality in FreeBSD" msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:44 msgid "Abstract" msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:47 msgid "" "You installed IPsec and it seems to be working. How do you know? I describe " "a method for experimentally verifying that IPsec is working." msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:49 msgid "'''" msgstr "" #. type: Title == #: documentation/content/en/articles/ipsec-must/_index.adoc:53 #, no-wrap msgid "The Problem" msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:58 msgid "" "First, lets assume you have crossref:ipsec-must[ipsec-install, Installing " "IPsec]. How do you know it is crossref:ipsec-must[caveat, Caveat]? Sure, " "your connection will not work if it is misconfigured, and it will work when " "you finally get it right. man:netstat[1] will list it. But can you " "independently confirm it?" msgstr "" #. type: Title == #: documentation/content/en/articles/ipsec-must/_index.adoc:60 #, no-wrap msgid "The Solution" msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:63 msgid "First, some crypto-relevant info theory:" msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:65 msgid "" "Encrypted data is uniformly distributed, i.e., has maximal entropy per " "symbol;" msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:66 msgid "" "Raw, uncompressed data is typically redundant, i.e., has sub-maximal entropy." msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:70 msgid "" "Suppose you could measure the entropy of the data to- and from- your network " "interface. Then you could see the difference between unencrypted data and " "encrypted data. This would be true even if some of the data in \"encrypted " "mode\" was not encrypted---as the outermost IP header must be if the packet " "is to be routable." msgstr "" #. type: Title === #: documentation/content/en/articles/ipsec-must/_index.adoc:72 #, no-wrap msgid "MUST" msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:77 msgid "" "Ueli Maurer's \"Universal Statistical Test for Random Bit " "Generators\"(https://web.archive.org/web/20011115002319/http://" "www.geocities.com/SiliconValley/Code/4704/universal.pdf[MUST]) quickly " "measures the entropy of a sample. It uses a compression-like algorithm. " "crossref:ipsec-must[code, Maurer's Universal Statistical Test (for block " "size8 bits)] for a variant which measures successive (~quarter megabyte) " "chunks of a file." msgstr "" #. type: Title === #: documentation/content/en/articles/ipsec-must/_index.adoc:79 #, no-wrap msgid "Tcpdump" msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:84 msgid "" "We also need a way to capture the raw network data. A program called " "man:tcpdump[1] lets you do this, if you have enabled the _Berkeley Packet " "Filter_ interface in your crossref:ipsec-must[kernel,src/sys/i386/conf/" "KERNELNAME]." msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:86 msgid "The command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:90 #, no-wrap msgid " tcpdump -c 4000 -s 10000 -w dumpfile.bin\n" msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:94 msgid "" "will capture 4000 raw packets to _dumpfile.bin_. Up to 10,000 bytes per " "packet will be captured in this example." msgstr "" #. type: Title == #: documentation/content/en/articles/ipsec-must/_index.adoc:96 #, no-wrap msgid "The Experiment" msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:99 msgid "Here is the experiment:" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:103 msgid "Open a window to an IPsec host and another window to an insecure host." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:104 msgid "Now start crossref:ipsec-must[tcpdump, Tcpdump]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:105 msgid "" "In the \"secure\" window, run the UNIX(R) command man:yes[1], which will " "stream the `y` character. After a while, stop this. Switch to the insecure " "window, and repeat. After a while, stop." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:106 msgid "" "Now run crossref:ipsec-must[code, Maurer's Universal Statistical Test (for " "block size8 bits)] on the captured packets. You should see something like " "the following. The important thing to note is that the secure connection has " "93% (6.7) of the expected value (7.18), and the \"normal\" connection has " "29% (2.1) of the expected value." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:122 #, no-wrap msgid "" "% tcpdump -c 4000 -s 10000 -w ipsecdemo.bin\n" "% uliscan ipsecdemo.bin\n" "Uliscan 21 Dec 98\n" "L=8 256 258560\n" "Measuring file ipsecdemo.bin\n" "Init done\n" "Expected value for L=8 is 7.1836656\n" "6.9396 --------------------------------------------------------\n" "6.6177 -----------------------------------------------------\n" "6.4100 ---------------------------------------------------\n" "2.1101 -----------------\n" "2.0838 -----------------\n" "2.0983 -----------------\n" msgstr "" #. type: Title == #: documentation/content/en/articles/ipsec-must/_index.adoc:126 #, no-wrap msgid "Caveat" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:132 msgid "" "This experiment shows that IPsec _does_ seem to be distributing the payload " "data __uniformly__, as encryption should. However, the experiment described " "here _cannot_ detect many possible flaws in a system (none of which do I " "have any evidence for). These include poor key generation or exchange, data " "or keys being visible to others, use of weak algorithms, kernel subversion, " "etc. Study the source; know the code." msgstr "" #. type: Title == #: documentation/content/en/articles/ipsec-must/_index.adoc:134 #, no-wrap msgid "IPsec---Definition" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:140 msgid "" "Internet Protocol security extensions to IPv4; required for IPv6. A " "protocol for negotiating encryption and authentication at the IP (host-to-" "host) level. SSL secures only one application socket; SSH secures only a " "login; PGP secures only a specified file or message. IPsec encrypts " "everything between two hosts." msgstr "" #. type: Title == #: documentation/content/en/articles/ipsec-must/_index.adoc:142 #, no-wrap msgid "Installing IPsec" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:146 msgid "" "Most of the modern versions of FreeBSD have IPsec support in their base " "source. So you will need to include the `IPSEC` option in your kernel " "config and, after kernel rebuild and reinstall, configure IPsec connections " "using man:setkey[8] command." msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:148 msgid "" "A comprehensive guide on running IPsec on FreeBSD is provided in extref:{vpn-" "ipsec}[VPN over IPsec]." msgstr "" #. type: Title == #: documentation/content/en/articles/ipsec-must/_index.adoc:150 #, no-wrap msgid "src/sys/i386/conf/KERNELNAME" msgstr "" #. type: delimited block = 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:154 msgid "" "This needs to be present in the kernel config file to capture network data " "with man:tcpdump[1]. Be sure to run man:config[8] after adding this, and " "rebuild and reinstall." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:158 #, no-wrap msgid "device\tbpf\n" msgstr "" #. type: Title == #: documentation/content/en/articles/ipsec-must/_index.adoc:161 #, no-wrap msgid "Maurer's Universal Statistical Test (for block size=8 bits)" msgstr "" #. type: Plain text #: documentation/content/en/articles/ipsec-must/_index.adoc:164 msgid "" "You can find the same code at https://web.archive.org/web/20031204230654/" "http://www.geocities.com:80/SiliconValley/Code/4704/uliscanc.txt[this link]." msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:169 #, no-wrap msgid "" "/*\n" " ULISCAN.c ---blocksize of 8\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:173 #, no-wrap msgid "" " 1 Oct 98\n" " 1 Dec 98\n" " 21 Dec 98 uliscan.c derived from ueli8.c\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:175 #, no-wrap msgid " This version has // comments removed for Sun cc\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:178 #, no-wrap msgid "" " This implements Ueli M Maurer's \"Universal Statistical Test for Random\n" " Bit Generators\" using L=8\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:181 #, no-wrap msgid "" " Accepts a filename on the command line; writes its results, with other\n" " info, to stdout.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:183 #, no-wrap msgid " Handles input file exhaustion gracefully.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:186 #, no-wrap msgid "" " Ref: J. Cryptology v 5 no 2, 1992 pp 89-105\n" " also on the web somewhere, which is where I found it.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:189 #, no-wrap msgid "" " -David Honig\n" " [email protected]\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:194 #, no-wrap msgid "" " Usage:\n" " ULISCAN filename\n" " outputs to stdout\n" "*/\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:200 #, no-wrap msgid "" "#define L 8\n" "#define V (1<<L)\n" "#define Q (10*V)\n" "#define K (100 *Q)\n" "#define MAXSAMP (Q + K)\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:203 #, no-wrap msgid "" "#include <stdio.h>\n" "#include <math.h>\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:215 #, no-wrap msgid "" "int main(argc, argv)\n" "int argc;\n" "char **argv;\n" "{\n" " FILE *fptr;\n" " int i,j;\n" " int b, c;\n" " int table[V];\n" " double sum = 0.0;\n" " int iproduct = 1;\n" " int run;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:217 #, no-wrap msgid " extern double log(/* double x */);\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:219 #, no-wrap msgid " printf(\"Uliscan 21 Dec 98 \\nL=%d %d %d \\n\", L, V, MAXSAMP);\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:226 #, no-wrap msgid "" " if (argc < 2) {\n" " printf(\"Usage: Uliscan filename\\n\");\n" " exit(-1);\n" " } else {\n" " printf(\"Measuring file %s\\n\", argv[1]);\n" " }\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:228 #, no-wrap msgid " fptr = fopen(argv[1],\"rb\");\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:233 #, no-wrap msgid "" " if (fptr == NULL) {\n" " printf(\"Can't find %s\\n\", argv[1]);\n" " exit(-1);\n" " }\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:237 #, no-wrap msgid "" " for (i = 0; i < V; i++) {\n" " table[i] = 0;\n" " }\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:242 #, no-wrap msgid "" " for (i = 0; i < Q; i++) {\n" " b = fgetc(fptr);\n" " table[b] = i;\n" " }\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:244 #, no-wrap msgid " printf(\"Init done\\n\");\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:246 #, no-wrap msgid " printf(\"Expected value for L=8 is 7.1836656\\n\");\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:248 #, no-wrap msgid " run = 1;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:252 #, no-wrap msgid "" " while (run) {\n" " sum = 0.0;\n" " iproduct = 1;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:257 #, no-wrap msgid "" " if (run)\n" " for (i = Q; run && i < Q + K; i++) {\n" " j = i;\n" " b = fgetc(fptr);\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:260 #, no-wrap msgid "" " if (b < 0)\n" " run = 0;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:264 #, no-wrap msgid "" " if (run) {\n" " if (table[b] > j)\n" " j += K;\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:266 #, no-wrap msgid " sum += log((double)(j-table[b]));\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:270 #, no-wrap msgid "" " table[b] = i;\n" " }\n" " }\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:273 #, no-wrap msgid "" " if (!run)\n" " printf(\"Premature end of file; read %d blocks.\\n\", i - Q);\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:276 #, no-wrap msgid "" " sum = (sum/((double)(i - Q))) / log(2.0);\n" " printf(\"%4.4f \", sum);\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:279 #, no-wrap msgid "" " for (i = 0; i < (int)(sum*8.0 + 0.50); i++)\n" " printf(\"-\");\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:281 #, no-wrap msgid " printf(\"\\n\");\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/articles/ipsec-must/_index.adoc:295 #, no-wrap msgid "" " /* refill initial table */\n" " if (0) {\n" " for (i = 0; i < Q; i++) {\n" " b = fgetc(fptr);\n" " if (b < 0) {\n" " run = 0;\n" " } else {\n" " table[b] = i;\n" " }\n" " }\n" " }\n" " }\n" "}\n" msgstr ""