diff --git a/en_US.ISO8859-1/articles/ipsec-must/Makefile b/en_US.ISO8859-1/articles/ipsec-must/Makefile new file mode 100644 index 0000000000..0647dfada3 --- /dev/null +++ b/en_US.ISO8859-1/articles/ipsec-must/Makefile @@ -0,0 +1,16 @@ +# $FreeBSD$ + +DOC?= article + +DOCFORMAT= html + +FORMATS?= html + +INSTALL_COMPRESSED?=gz +INSTALL_ONLY_COMPRESSED?= + +SRCS= article.sgml + +DOC_PREFIX?= ${.CURDIR}/../../.. + +.include "${DOC_PREFIX}/share/mk/doc.project.mk" diff --git a/en_US.ISO8859-1/articles/ipsec-must/article.sgml b/en_US.ISO8859-1/articles/ipsec-must/article.sgml new file mode 100644 index 0000000000..716ce5df5b --- /dev/null +++ b/en_US.ISO8859-1/articles/ipsec-must/article.sgml @@ -0,0 +1,297 @@ + + + +
+You installed IPsec and it seems to be working. + How do you know? I describe a method for experimentally verifying + that IPsec is working
+ +First, let's assume you have installed + IPsec. How do you know its working? + Sure, your connection won't work if its misconfigured, and it will work + when you finally get it right. Netstat will list it. But can you + independently confirm it?
+ +First, some crypto-relevent info theory:
+ +Encrypted data is uniformly distributed, ie, has maximal entropy + per symbol.
+Raw, uncompressed data is typically redundant, i.e., has + sub-maximal entropy.
+Suppose you could measure the entropy of the data to- and from- your + network interface. Then you could see the difference between unencrypted + data and encrypted data. This would be true even if some of the data + in "encrypted mode" was not encrypted ---as the outermost IP header must + be, if the packet is to be routable.
+ +Ueli Maurer's "Universal Statistical Test for Random Bit Generators" + ("MUST") quickly measures the entropy of a sample. It uses a + compression-like algorithm. The code is given below for a variant which measures successive + (~quarter megabyte) chunks of a file.
+ +We also need a way to capture the raw network data. A program called + "tcpdump" lets you do this, if you have enabled the Berkeley + Packet Filter interface in your kernel's config file.
+ +The command
+ +tcpdump -c 4000 -s 10000 -w + dumpfile.bin+ +
will capture 4000 raw packets to dumpfile.bin. Up to 10,000 + bytes per packet will be captured in this example.
+ +Here's the experiment. Open a window to an IPsec host and another + window to an insecure host.
+ +Now start capturing packets.
+ +In the "secure" window, run the unix command "yes", which will stream + the "y" character. After a while, stop this. Switch to the insecure + window, and repeat. After a while, stop.
+ +Now run MUST on the + captured packets. You should see something like the the following. + The important thing to note is that the secure connection has 93% (6.7) + of the expected value (7.18), and the "normal" connection has 29% (2.1) + of the expected value.
+ + +% tcpdump -c 4000 -s 10000 -w ipsecdemo.bin +% uliscan ipsecdemo.bin + +Uliscan 21 Dec 98 +L=8 256 258560 +Measuring file ipsecdemo.bin +Init done +Expected value for L=8 is 7.1836656 +6.9396 -------------------------------------------------------- +6.6177 ----------------------------------------------------- +6.4100 --------------------------------------------------- +2.1101 ----------------- +2.0838 ----------------- +2.0983 -----------------+ +
This experiment shows that IPsec does seem to be distributing the + payload data uniformly, as encryption should. However, the + experiment described here can not detect many possible flaws in a + system (none of which do I have any evidence for). These include poor + key generation or exchange, data or keys being visible to others, use of + weak algorithms, kernel subversion, etc. Study the source; know the + code.
+ +Internet Protocol security extensions to IP v 4; required for IP v6. A + protocol for negotiating encryption and authentication at the IP + (host-to-host) level. SSL secures only one application socket; SSH + secures only a login; PGP secures only a specified file or + message. IPsec encrypts everything between two hosts.
+ +Starting from the BSD 3.0 stable release,
+ +install IPsec v0.04, rebuild, reinstall
+run the administration tools (e.g, ipsecadm) and distribute + keys (or use Photuris for key exchange)
+set the routes (rt) up appropriately
+You may want to make an "ipsec_setup" script containing the + ipsecadm and rt commands which establish your IPsec + tunnel. You can run this script automatically at boottime from your + /etc/rc.local The ipsec_setup script will have to contain at + least two ipsecadm commands and one rt command to be + useful.
+ +This needs to be present in the kernel config file in order to run + IPsec. After adding it, run config, etc. and rebuild and + reinstall.
+ +# The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be +# aware of the legal and administrative consequences of enabling this +# option. Heh heh. The number of devices determines the maximum number of +# simultaneous BPF clients programs runnable. +pseudo-device bpfilter 2 #Berkeley packet filter + +# IPSEC +options IPSEC +options "MD5" +pseudo-device enc 1+ +
+#include+ + + + diff --git a/en_US.ISO_8859-1/articles/ipsec-must/Makefile b/en_US.ISO_8859-1/articles/ipsec-must/Makefile new file mode 100644 index 0000000000..0647dfada3 --- /dev/null +++ b/en_US.ISO_8859-1/articles/ipsec-must/Makefile @@ -0,0 +1,16 @@ +# $FreeBSD$ + +DOC?= article + +DOCFORMAT= html + +FORMATS?= html + +INSTALL_COMPRESSED?=gz +INSTALL_ONLY_COMPRESSED?= + +SRCS= article.sgml + +DOC_PREFIX?= ${.CURDIR}/../../.. + +.include "${DOC_PREFIX}/share/mk/doc.project.mk" diff --git a/en_US.ISO_8859-1/articles/ipsec-must/article.sgml b/en_US.ISO_8859-1/articles/ipsec-must/article.sgml new file mode 100644 index 0000000000..716ce5df5b --- /dev/null +++ b/en_US.ISO_8859-1/articles/ipsec-must/article.sgml @@ -0,0 +1,297 @@ + + + + ++ +int main(argc, argv) +int argc; +char **argv; +{ + FILE *fptr; + int i,j; + int b, c; + int table[V]; + double sum = 0.0; + int iproduct = 1; + int run; + + extern double log(/* double x */); + + printf("Uliscan 21 Dec 98 \nL=%d %d %d \n", L, V, MAXSAMP); + + if (argc < 2) { + printf("Usage: Uliscan filename\n"); + exit(-1); + } else { + printf("Measuring file %s\n", argv[1]); + } + + fptr = fopen(argv[1],"rb"); + + if (fptr == NULL) { + printf("Can't find %s\n", argv[1]); + exit(-1); + } + + for (i = 0; i < V; i++) { + table[i] = 0; + } + + for (i = 0; i < Q; i++) { + b = fgetc(fptr); + table[b] = i; + } + + printf("Init done\n"); + + printf("Expected value for L=8 is 7.1836656\n"); + + run = 1; + + while (run) { + sum = 0.0; + iproduct = 1; + + if (run) + for (i = Q; run && i < Q + K; i++) { + j = i; + b = fgetc(fptr); + + if (b < 0) + run = 0; + + if (run) { + if (table[b] > j) + j += K; + + sum += log((double)(j-table[b])); + + table[b] = i; + } + } + + if (!run) + printf("Premature end of file; read %d blocks.\n", i - Q); + + sum = (sum/((double)(i - Q))) / log(2.0); + printf("%4.4f ", sum); + + for (i = 0; i < (int)(sum*8.0 + 0.50); i++) + printf("-"); + + printf("\n"); + + /* refill initial table */ + if (0) { + for (i = 0; i < Q; i++) { + b = fgetc(fptr); + if (b < 0) { + run = 0; + } else { + table[b] = i; + } + } + } + } +}]]>
You installed IPsec and it seems to be working. + How do you know? I describe a method for experimentally verifying + that IPsec is working
+ +First, let's assume you have installed + IPsec. How do you know its working? + Sure, your connection won't work if its misconfigured, and it will work + when you finally get it right. Netstat will list it. But can you + independently confirm it?
+ +First, some crypto-relevent info theory:
+ +Encrypted data is uniformly distributed, ie, has maximal entropy + per symbol.
+Raw, uncompressed data is typically redundant, i.e., has + sub-maximal entropy.
+Suppose you could measure the entropy of the data to- and from- your + network interface. Then you could see the difference between unencrypted + data and encrypted data. This would be true even if some of the data + in "encrypted mode" was not encrypted ---as the outermost IP header must + be, if the packet is to be routable.
+ +Ueli Maurer's "Universal Statistical Test for Random Bit Generators" + ("MUST") quickly measures the entropy of a sample. It uses a + compression-like algorithm. The code is given below for a variant which measures successive + (~quarter megabyte) chunks of a file.
+ +We also need a way to capture the raw network data. A program called + "tcpdump" lets you do this, if you have enabled the Berkeley + Packet Filter interface in your kernel's config file.
+ +The command
+ +tcpdump -c 4000 -s 10000 -w + dumpfile.bin+ +
will capture 4000 raw packets to dumpfile.bin. Up to 10,000 + bytes per packet will be captured in this example.
+ +Here's the experiment. Open a window to an IPsec host and another + window to an insecure host.
+ +Now start capturing packets.
+ +In the "secure" window, run the unix command "yes", which will stream + the "y" character. After a while, stop this. Switch to the insecure + window, and repeat. After a while, stop.
+ +Now run MUST on the + captured packets. You should see something like the the following. + The important thing to note is that the secure connection has 93% (6.7) + of the expected value (7.18), and the "normal" connection has 29% (2.1) + of the expected value.
+ + +% tcpdump -c 4000 -s 10000 -w ipsecdemo.bin +% uliscan ipsecdemo.bin + +Uliscan 21 Dec 98 +L=8 256 258560 +Measuring file ipsecdemo.bin +Init done +Expected value for L=8 is 7.1836656 +6.9396 -------------------------------------------------------- +6.6177 ----------------------------------------------------- +6.4100 --------------------------------------------------- +2.1101 ----------------- +2.0838 ----------------- +2.0983 -----------------+ +
This experiment shows that IPsec does seem to be distributing the + payload data uniformly, as encryption should. However, the + experiment described here can not detect many possible flaws in a + system (none of which do I have any evidence for). These include poor + key generation or exchange, data or keys being visible to others, use of + weak algorithms, kernel subversion, etc. Study the source; know the + code.
+ +Internet Protocol security extensions to IP v 4; required for IP v6. A + protocol for negotiating encryption and authentication at the IP + (host-to-host) level. SSL secures only one application socket; SSH + secures only a login; PGP secures only a specified file or + message. IPsec encrypts everything between two hosts.
+ +Starting from the BSD 3.0 stable release,
+ +install IPsec v0.04, rebuild, reinstall
+run the administration tools (e.g, ipsecadm) and distribute + keys (or use Photuris for key exchange)
+set the routes (rt) up appropriately
+You may want to make an "ipsec_setup" script containing the + ipsecadm and rt commands which establish your IPsec + tunnel. You can run this script automatically at boottime from your + /etc/rc.local The ipsec_setup script will have to contain at + least two ipsecadm commands and one rt command to be + useful.
+ +This needs to be present in the kernel config file in order to run + IPsec. After adding it, run config, etc. and rebuild and + reinstall.
+ +# The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be +# aware of the legal and administrative consequences of enabling this +# option. Heh heh. The number of devices determines the maximum number of +# simultaneous BPF clients programs runnable. +pseudo-device bpfilter 2 #Berkeley packet filter + +# IPSEC +options IPSEC +options "MD5" +pseudo-device enc 1+ +
+#include+ + + ++ +int main(argc, argv) +int argc; +char **argv; +{ + FILE *fptr; + int i,j; + int b, c; + int table[V]; + double sum = 0.0; + int iproduct = 1; + int run; + + extern double log(/* double x */); + + printf("Uliscan 21 Dec 98 \nL=%d %d %d \n", L, V, MAXSAMP); + + if (argc < 2) { + printf("Usage: Uliscan filename\n"); + exit(-1); + } else { + printf("Measuring file %s\n", argv[1]); + } + + fptr = fopen(argv[1],"rb"); + + if (fptr == NULL) { + printf("Can't find %s\n", argv[1]); + exit(-1); + } + + for (i = 0; i < V; i++) { + table[i] = 0; + } + + for (i = 0; i < Q; i++) { + b = fgetc(fptr); + table[b] = i; + } + + printf("Init done\n"); + + printf("Expected value for L=8 is 7.1836656\n"); + + run = 1; + + while (run) { + sum = 0.0; + iproduct = 1; + + if (run) + for (i = Q; run && i < Q + K; i++) { + j = i; + b = fgetc(fptr); + + if (b < 0) + run = 0; + + if (run) { + if (table[b] > j) + j += K; + + sum += log((double)(j-table[b])); + + table[b] = i; + } + } + + if (!run) + printf("Premature end of file; read %d blocks.\n", i - Q); + + sum = (sum/((double)(i - Q))) / log(2.0); + printf("%4.4f ", sum); + + for (i = 0; i < (int)(sum*8.0 + 0.50); i++) + printf("-"); + + printf("\n"); + + /* refill initial table */ + if (0) { + for (i = 0; i < Q; i++) { + b = fgetc(fptr); + if (b < 0) { + run = 0; + } else { + table[b] = i; + } + } + } + } +}]]>