FreeBSD Mail Archives

Date:      Thu, 12 Jul 2001 18:59:40 +0400 (MSD)
From:      Alex Kapranoff <kapr@acm.org>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        honig@sprynet.com
Subject:   docs/28916: DocBook conversion of doc/articles/ipsec-must
Message-ID:  <200107121459.f6CExeq01850@kapran.bitmcnit.bryansk.su>

next in thread | raw e-mail | index | archive | help


>Number:         28916
>Category:       docs
>Synopsis:       DocBook conversion of doc/articles/ipsec-must
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 12 08:10:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Alex Kapranoff
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Inner Mongolia
>Environment:
System: FreeBSD kapran.bitmcnit.bryansk.su 5.0-CURRENT FreeBSD 5.0-CURRENT #5: Sun Jun 24 22:56:52 MSD 2001 root@kapran.bitmcnit.bryansk.su:/usr/src/sys/compile/KAPRAN i386


	
>Description:
	I added some content (mostly removing obsolete info and
	providing additional links) along with converting the text to
	DocBook. A review would be appreciated.
>How-To-Repeat:
	
>Fix:

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	Makefile
#	article.sgml
#
echo x - Makefile
sed 's/^X//' >Makefile << 'END-of-Makefile'
X# $FreeBSD: doc/en_US.ISO8859-1/articles/ipsec-must/Makefile,v 1.1 2000/06/26 09:10:24 nik Exp $
X
XDOC?= article
X
XFORMATS?= html
X
XINSTALL_COMPRESSED?=gz
XINSTALL_ONLY_COMPRESSED?=
X
XSRCS= article.sgml
X
XDOC_PREFIX?= ${.CURDIR}/../../..
X
X.include "${DOC_PREFIX}/share/mk/doc.project.mk"
END-of-Makefile
echo x - article.sgml
sed 's/^X//' >article.sgml << 'END-of-article.sgml'
X<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
X<!ENTITY % man PUBLIC "-//FreeBSD//ENTITIES DocBook Manual Page Entities//EN">
X%man;
X]>
X
X<!-- $FreeBSD$ -->
X
X<article>
X  <articleinfo>
X    <title>Independent Verification of IPSec Functionality in FreeBSD</title>
X
X    <author>
X      <firstname>David</firstname>
X      <surname>Honig</surname>
X
X      <affiliation>
X        <address><email>honig@sprynet.com</email></address>
X      </affiliation>
X    </author>
X
X    <pubdate>3 May 1999</pubdate>
X
X    <abstract>
X      <para>You installed IPsec and it seems to be working. How do you
X        know?  I describe a method for experimentally verifying that IPsec is
X        working.</para>
X    </abstract>
X  </articleinfo>
X
X  <sect1>
X    <title>The Problem</title>
X
X    <para>First, let's assume you have <link linkend="ipsec-install">
X      installed <emphasis>IPsec</emphasis></link>.  How do you know
X      it's <link linkend="caveat">working</link>?  Sure, your
X      connection won't work if its misconfigured, and it will work
X      when you finally get it right.  &man.netstat.1; will list it.
X      But can you independently confirm it?</para>
X  </sect1>
X
X  <sect1>
X    <title>The Solution</title>
X
X    <para>First, some crypto-relevant info theory:</para>
X
X    <orderedlist>
X      <listitem>
X	<para>encrypted data is uniformly distributed, i.e., has maximal
X	  entropy per symbol;</para>
X      </listitem>
X
X      <listitem>
X	<para>raw, uncompressed data is typically redundant, i.e., has
X	  sub-maximal entropy.</para>
X      </listitem>
X    </orderedlist>
X
X    <para>Suppose you could measure the entropy of the data to- and
X      from- your network interface.  Then you could see the difference
X      between unencrypted data and encrypted data.  This would be true
X      even if some of the data in <quote>encrypted mode</quote> was
X      not encrypted---as the outermost IP header must be, if the
X      packet is to be routable.</para>
X
X    <sect2 id="MUST">
X      <title>MUST</title>
X
X      <para>Ueli Maurer's <quote>Universal Statistical Test for Random
X	Bit Generators</quote>(<ulink
X	url="http://www.geocities.com/SiliconValley/Code/4704/universal.pdf">;
X	<acronym>MUST</acronym></ulink>) quickly measures the entropy
X	of a sample.  It uses a compression-like algorithm.  <link
X	linkend="code">The code is given below</link> for a variant
X	which measures successive (~quarter megabyte) chunks of a
X	file.</para>
X    </sect2>
X
X    <sect2 id="tcpdump">
X      <title>Tcpdump</title>
X
X      <para>We also need a way to capture the raw network data.  A
X	program called &man.tcpdump.1; lets you do this, if you have
X	enabled the <emphasis>Berkeley Packet Filter</emphasis>
X	interface in your <link linkend="kernel">kernel's config
X	file</link>.</para>
X
X      <para>The command
X
X      <screen>
X      <userinput><command>tcpdump</command> -c 4000 -s 10000 -w <replaceable>dumpfile.bin</replaceable></userinput>
X      </screen>
X
X      will capture 4000 raw packets to
X      <replaceable>dumpfile.bin</replaceable>.  Up to 10,000 bytes per
X      packet will be captured in this example.</para>
X    </sect2>
X
X  <sect1>
X    <title>The Experiment</title>
X
X    <para>Here's the experiment.</para>
X
X    <procedure>
X      <step>
X	<para>Open a window to an IPsec host and another window to an
X	  insecure host.</para>
X      </step>
X
X      <step>
X	<para>Now start <link linkend="tcpdump">capturing
X	  packets</link>.</para>
X      </step>
X
X      <step>
X	<para>In the <quote>secure</quote> window, run the UNIX
X	  command &man.yes.1;, which will stream the <quote>y</quote>
X	  character.  After a while, stop this.  Switch to the
X	  insecure window, and repeat.  After a while, stop.</para>
X      </step>
X
X      <step>
X	<para>Now run <link linkend="code">MUST</link> on the
X	  captured packets.  You should see something like the
X	  following.  The important thing to note is that the secure
X	  connection has 93% (6.7) of the expected value (7.18), and
X	  the <quote>normal</quote> connection has 29% (2.1) of the
X	  expected value.</para>
X
X    <screen>
X&prompt.user; <userinput>tcpdump -c 4000 -s 10000 -w <replaceable>ipsecdemo.bin</replaceable></userinput>
X&prompt.user; <userinput>uliscan <replaceable>ipsecdemo.bin</replaceable></userinput>
X
XUliscan 21 Dec 98
XL=8 256 258560
XMeasuring file ipsecdemo.bin
XInit done
XExpected value for L=8 is 7.1836656
X6.9396 --------------------------------------------------------
X6.6177 -----------------------------------------------------
X6.4100 ---------------------------------------------------
X2.1101 -----------------
X2.0838 -----------------
X2.0983 -----------------
X</screen>
X      </step>
X    </procedure>
X  </sect1>
X
X    <sect1 id="caveat">
X      <title>Caveat</title>
X
X    <para>This experiment shows that IPsec <emphasis>does</emphasis>
X      seem to be distributing the payload data
X      <emphasis>uniformly</emphasis>, as encryption should.  However,
X      the experiment described here <emphasis>can not</emphasis>
X      detect many possible flaws in a system (none of which do I have
X      any evidence for).  These include poor key generation or
X      exchange, data or keys being visible to others, use of weak
X      algorithms, kernel subversion, etc.  Study the source; know the
X      code.</para>
X  </sect1>
X
X  <sect1 id="IPsec">
X    <title>IPsec---Definition</title>
X
X    <para>Internet Protocol security extensions to IPv4; required for
X      IPv6.  A protocol for negotiating encryption and authentication
X      at the IP (host-to-host) level.  SSL secures only one application
X      socket; <application>SSH</application> secures only a login;
X      <application>PGP</application> secures only a specified file or
X      message.  IPsec encrypts everything between two hosts.</para>
X  </sect1>
X
X  <sect1 id="ipsec-install">
X    <title>Installing IPsec</title>
X
X    <para>Most of the modern versions of FreeBSD have IPsec support
X      in their base source.  So you'll probably will need to include
X      <option>IPSEC</option> option in your kernel config and, after
X      kernel rebuild and reinstall, configure IPsec connections using
X      &man.setkey.8; command.</para>
X
X    <para>A comprehensive guide on running IPsec on FreeBSD is
X      provided in <ulink
X      url="http://www.freebsd.org/handbook/ipsec.html">FreeBSD
X      Handbook</ulink>.</para>
X  </sect1>
X
X  <sect1 id="kernel">
X    <title>usr/src/sys/i386/conf/KERNELNAME</title>
X
X    <para>This needs to be present in the kernel config file in order
X      to be able to capture network data with &man.tcpdump.1;.  Be sure
X      to run &man.config.8; after adding this, and rebuild and
X      reinstall.</para>
X
X<programlisting>
Xdevice	bpf
X</programlisting>
X  </sect1>
X
X    <sect1 id="code">
X      <title>Maurer's Universal Statistical Test (for block size=8
X        bits)</title>
X
X        <para>You can find the same code at <ulink
X          url="http://www.geocities.com/SiliconValley/Code/4704/uliscanc.txt">;
X          this link</ulink>.</para>
X
X<programlisting>
X/*
X  ULISCAN.c   ---blocksize of 8
X
X  1 Oct 98
X  1 Dec 98
X  21 Dec 98       uliscan.c derived from ueli8.c
X
X  This version has // comments removed for Sun cc
X
X  This implements Ueli M Maurer's "Universal Statistical Test for Random
X  Bit Generators" using L=8
X
X  Accepts a filename on the command line; writes its results, with other
X  info, to stdout.
X
X  Handles input file exhaustion gracefully.
X
X  Ref: J. Cryptology v 5 no 2, 1992 pp 89-105
X  also on the web somewhere, which is where I found it.
X
X  -David Honig
X  honig@sprynet.com
X
X  Usage:
X  ULISCAN filename
X  outputs to stdout
X*/
X
X#define L 8
X#define V (1&lt;&lt;L)
X#define Q (10*V)
X#define K (100   *Q)
X#define MAXSAMP (Q + K)
X
X#include &lt;stdio.h&gt;
X#include &lt;math.h&gt;
X
Xint main(argc, argv)
Xint argc;
Xchar **argv;
X{
X  FILE *fptr;
X  int i,j;
X  int b, c;
X  int table[V];
X  double sum = 0.0;
X  int iproduct = 1;
X  int run;
X
X  extern double   log(/* double x */);
X
X  printf("Uliscan 21 Dec 98 \nL=%d %d %d \n", L, V, MAXSAMP);
X
X  if (argc &lt; 2) {
X    printf("Usage: Uliscan filename\n");
X    exit(-1);
X  } else {
X    printf("Measuring file %s\n", argv[1]);
X  }
X
X  fptr = fopen(argv[1],"rb");
X
X  if (fptr == NULL) {
X    printf("Can't find %s\n", argv[1]);
X    exit(-1);
X  }
X
X  for (i = 0; i &lt; V; i++) {
X    table[i] = 0;
X  }
X
X  for (i = 0; i &lt; Q; i++) {
X    b = fgetc(fptr);
X    table[b] = i;
X  }
X
X  printf("Init done\n");
X
X  printf("Expected value for L=8 is 7.1836656\n");
X
X  run = 1;
X
X  while (run) {
X    sum = 0.0;
X    iproduct = 1;
X
X    if (run)
X      for (i = Q; run && i &lt; Q + K; i++) {
X        j = i;
X        b = fgetc(fptr);
X
X        if (b &lt; 0)
X          run = 0;
X
X        if (run) {
X          if (table[b] &gt; j)
X            j += K;
X
X          sum += log((double)(j-table[b]));
X
X          table[b] = i;
X        }
X      }
X
X    if (!run)
X      printf("Premature end of file; read %d blocks.\n", i - Q);
X
X    sum = (sum/((double)(i - Q))) /  log(2.0);
X    printf("%4.4f ", sum);
X
X    for (i = 0; i &lt; (int)(sum*8.0 + 0.50); i++)
X      printf("-");
X
X    printf("\n");
X
X    /* refill initial table */
X    if (0) {
X      for (i = 0; i &lt; Q; i++) {
X        b = fgetc(fptr);
X        if (b &lt; 0) {
X          run = 0;
X        } else {
X          table[b] = i;
X        }
X      }
X    }
X  }
X}
X</programlisting>
X  </sect1>
X</article>
END-of-article.sgml
exit

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107121459.f6CExeq01850>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation