From owner-freebsd-doc Thu Jul 12 8:10:25 2001 Delivered-To: freebsd-doc@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8391D37B40B for ; Thu, 12 Jul 2001 08:10:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f6CFA1S58415; Thu, 12 Jul 2001 08:10:01 -0700 (PDT) (envelope-from gnats) Received: from rbn-gw.bgtu.debryansk.ru (rbn-gw.bgtu.debryansk.ru [62.76.89.2]) by hub.freebsd.org (Postfix) with ESMTP id A846C37B401 for ; Thu, 12 Jul 2001 08:05:57 -0700 (PDT) (envelope-from alex@kapran.bitmcnit.bryansk.su) Received: from server.bitmcnit.bryansk.su (root@bitmcnit.bryansk.su [192.168.121.2]) by rbn-gw.bgtu.debryansk.ru (8.11.2/8.11.2) with ESMTP id f6CF1qD25457; Thu, 12 Jul 2001 19:01:52 +0400 Received: (from uucp@localhost) by server.bitmcnit.bryansk.su (8.9.3/8.9.3) with UUCP id SAA15873; Thu, 12 Jul 2001 18:58:30 +0400 Received: (from alex@localhost) by kapran.bitmcnit.bryansk.su (8.11.4/8.11.4) id f6CExeq01850; Thu, 12 Jul 2001 18:59:40 +0400 (MSD) (envelope-from alex) Message-Id: <200107121459.f6CExeq01850@kapran.bitmcnit.bryansk.su> Date: Thu, 12 Jul 2001 18:59:40 +0400 (MSD) From: Alex Kapranoff To: FreeBSD-gnats-submit@freebsd.org Cc: honig@sprynet.com X-Send-Pr-Version: 3.113 Subject: docs/28916: DocBook conversion of doc/articles/ipsec-must Sender: owner-freebsd-doc@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 28916 >Category: docs >Synopsis: DocBook conversion of doc/articles/ipsec-must >Confidential: no >Severity: non-critical >Priority: high >Responsible: freebsd-doc >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Thu Jul 12 08:10:01 PDT 2001 >Closed-Date: >Last-Modified: >Originator: Alex Kapranoff >Release: FreeBSD 5.0-CURRENT i386 >Organization: Inner Mongolia >Environment: System: FreeBSD kapran.bitmcnit.bryansk.su 5.0-CURRENT FreeBSD 5.0-CURRENT #5: Sun Jun 24 22:56:52 MSD 2001 root@kapran.bitmcnit.bryansk.su:/usr/src/sys/compile/KAPRAN i386 >Description: I added some content (mostly removing obsolete info and providing additional links) along with converting the text to DocBook. A review would be appreciated. >How-To-Repeat: >Fix: # This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. # # This archive contains: # # Makefile # article.sgml # echo x - Makefile sed 's/^X//' >Makefile << 'END-of-Makefile' X# $FreeBSD: doc/en_US.ISO8859-1/articles/ipsec-must/Makefile,v 1.1 2000/06/26 09:10:24 nik Exp $ X XDOC?= article X XFORMATS?= html X XINSTALL_COMPRESSED?=gz XINSTALL_ONLY_COMPRESSED?= X XSRCS= article.sgml X XDOC_PREFIX?= ${.CURDIR}/../../.. X X.include "${DOC_PREFIX}/share/mk/doc.project.mk" END-of-Makefile echo x - article.sgml sed 's/^X//' >article.sgml << 'END-of-article.sgml' X X%man; X]> X X X X
X X Independent Verification of IPSec Functionality in FreeBSD X X X David X Honig X X X
honig@sprynet.com
X X X X 3 May 1999 X X X You installed IPsec and it seems to be working. How do you X know? I describe a method for experimentally verifying that IPsec is X working. X X X X X The Problem X X First, let's assume you have X installed IPsec. How do you know X it's working? Sure, your X connection won't work if its misconfigured, and it will work X when you finally get it right. &man.netstat.1; will list it. X But can you independently confirm it? X X X X The Solution X X First, some crypto-relevant info theory: X X X X encrypted data is uniformly distributed, i.e., has maximal X entropy per symbol; X X X X raw, uncompressed data is typically redundant, i.e., has X sub-maximal entropy. X X X X Suppose you could measure the entropy of the data to- and X from- your network interface. Then you could see the difference X between unencrypted data and encrypted data. This would be true X even if some of the data in encrypted mode was X not encrypted---as the outermost IP header must be, if the X packet is to be routable. X X X MUST X X Ueli Maurer's Universal Statistical Test for Random X Bit Generators( X MUST) quickly measures the entropy X of a sample. It uses a compression-like algorithm. The code is given below for a variant X which measures successive (~quarter megabyte) chunks of a X file. X X X X Tcpdump X X We also need a way to capture the raw network data. A X program called &man.tcpdump.1; lets you do this, if you have X enabled the Berkeley Packet Filter X interface in your kernel's config X file. X X The command X X X tcpdump -c 4000 -s 10000 -w dumpfile.bin X X X will capture 4000 raw packets to X dumpfile.bin. Up to 10,000 bytes per X packet will be captured in this example. X X X X The Experiment X X Here's the experiment. X X X X Open a window to an IPsec host and another window to an X insecure host. X X X X Now start capturing X packets. X X X X In the secure window, run the UNIX X command &man.yes.1;, which will stream the y X character. After a while, stop this. Switch to the X insecure window, and repeat. After a while, stop. X X X X Now run MUST on the X captured packets. You should see something like the X following. The important thing to note is that the secure X connection has 93% (6.7) of the expected value (7.18), and X the normal connection has 29% (2.1) of the X expected value. X X X&prompt.user; tcpdump -c 4000 -s 10000 -w ipsecdemo.bin X&prompt.user; uliscan ipsecdemo.bin X XUliscan 21 Dec 98 XL=8 256 258560 XMeasuring file ipsecdemo.bin XInit done XExpected value for L=8 is 7.1836656 X6.9396 -------------------------------------------------------- X6.6177 ----------------------------------------------------- X6.4100 --------------------------------------------------- X2.1101 ----------------- X2.0838 ----------------- X2.0983 ----------------- X X X X X X X Caveat X X This experiment shows that IPsec does X seem to be distributing the payload data X uniformly, as encryption should. However, X the experiment described here can not X detect many possible flaws in a system (none of which do I have X any evidence for). These include poor key generation or X exchange, data or keys being visible to others, use of weak X algorithms, kernel subversion, etc. Study the source; know the X code. X X X X IPsec---Definition X X Internet Protocol security extensions to IPv4; required for X IPv6. A protocol for negotiating encryption and authentication X at the IP (host-to-host) level. SSL secures only one application X socket; SSH secures only a login; X PGP secures only a specified file or X message. IPsec encrypts everything between two hosts. X X X X Installing IPsec X X Most of the modern versions of FreeBSD have IPsec support X in their base source. So you'll probably will need to include X option in your kernel config and, after X kernel rebuild and reinstall, configure IPsec connections using X &man.setkey.8; command. X X A comprehensive guide on running IPsec on FreeBSD is X provided in FreeBSD X Handbook. X X X X usr/src/sys/i386/conf/KERNELNAME X X This needs to be present in the kernel config file in order X to be able to capture network data with &man.tcpdump.1;. Be sure X to run &man.config.8; after adding this, and rebuild and X reinstall. X X Xdevice bpf X X X X X Maurer's Universal Statistical Test (for block size=8 X bits) X X You can find the same code at X this link. X X X/* X ULISCAN.c ---blocksize of 8 X X 1 Oct 98 X 1 Dec 98 X 21 Dec 98 uliscan.c derived from ueli8.c X X This version has // comments removed for Sun cc X X This implements Ueli M Maurer's "Universal Statistical Test for Random X Bit Generators" using L=8 X X Accepts a filename on the command line; writes its results, with other X info, to stdout. X X Handles input file exhaustion gracefully. X X Ref: J. Cryptology v 5 no 2, 1992 pp 89-105 X also on the web somewhere, which is where I found it. X X -David Honig X honig@sprynet.com X X Usage: X ULISCAN filename X outputs to stdout X*/ X X#define L 8 X#define V (1<<L) X#define Q (10*V) X#define K (100 *Q) X#define MAXSAMP (Q + K) X X#include <stdio.h> X#include <math.h> X Xint main(argc, argv) Xint argc; Xchar **argv; X{ X FILE *fptr; X int i,j; X int b, c; X int table[V]; X double sum = 0.0; X int iproduct = 1; X int run; X X extern double log(/* double x */); X X printf("Uliscan 21 Dec 98 \nL=%d %d %d \n", L, V, MAXSAMP); X X if (argc < 2) { X printf("Usage: Uliscan filename\n"); X exit(-1); X } else { X printf("Measuring file %s\n", argv[1]); X } X X fptr = fopen(argv[1],"rb"); X X if (fptr == NULL) { X printf("Can't find %s\n", argv[1]); X exit(-1); X } X X for (i = 0; i < V; i++) { X table[i] = 0; X } X X for (i = 0; i < Q; i++) { X b = fgetc(fptr); X table[b] = i; X } X X printf("Init done\n"); X X printf("Expected value for L=8 is 7.1836656\n"); X X run = 1; X X while (run) { X sum = 0.0; X iproduct = 1; X X if (run) X for (i = Q; run && i < Q + K; i++) { X j = i; X b = fgetc(fptr); X X if (b < 0) X run = 0; X X if (run) { X if (table[b] > j) X j += K; X X sum += log((double)(j-table[b])); X X table[b] = i; X } X } X X if (!run) X printf("Premature end of file; read %d blocks.\n", i - Q); X X sum = (sum/((double)(i - Q))) / log(2.0); X printf("%4.4f ", sum); X X for (i = 0; i < (int)(sum*8.0 + 0.50); i++) X printf("-"); X X printf("\n"); X X /* refill initial table */ X if (0) { X for (i = 0; i < Q; i++) { X b = fgetc(fptr); X if (b < 0) { X run = 0; X } else { X table[b] = i; X } X } X } X } X} X X X
END-of-article.sgml exit >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message