English Spanish
Independent Verification of IPsec Functionality in FreeBSD Verificación independiente de la funcionalidad de IPsec en FreeBSD
Abstract Resumen
You installed IPsec and it seems to be working. How do you know? I describe a method for experimentally verifying that IPsec is working. Instaló IPsec y parece estar funcionando. ¿Cómo lo sabe? Describo un método para verificar de forma experimental que IPsec está funcionando.
''' '''
The Problem El problema
First, lets assume you have <<ipsec-install>>. How do you know it is <<caveat>>? Sure, your connection will not work if it is misconfigured, and it will work when you finally get it right. man:netstat[1] will list it. But can you independently confirm it?
The Solution La solución
First, some crypto-relevant info theory: Primero, alguna información teórica relevante sobre criptografía:
Encrypted data is uniformly distributed, i.e., has maximal entropy per symbol; Los datos cifrados se distribuyen uniformemente, es decir, tienen una entropía máxima por símbolo;
Raw, uncompressed data is typically redundant, i.e., has sub-maximal entropy. Los datos sin procesar y sin comprimir suelen ser redundantes, es decir, tienen una entropía submáxima.
Suppose you could measure the entropy of the data to- and from- your network interface. Then you could see the difference between unencrypted data and encrypted data. This would be true even if some of the data in "encrypted mode" was not encrypted---as the outermost IP header must be if the packet is to be routable. Suponga que usted pudiera medir la entropía de los datos que van hacia -y desde- su interfaz de red. Entonces podría ver la diferencia entre los datos no cifrados y los cifrados. Esto sería verdad incluso si algunos de los datos en <quote>modo cifrado</quote> no lo estuvieran---ya que el encabezado IP más externo debe estarlo para que el paquete sea enrutable.
Ueli Maurer's "Universal Statistical Test for Random Bit Generators"(https://web.archive.org/web/20011115002319/http://www.geocities.com/SiliconValley/Code/4704/universal.pdf[MUST]) quickly measures the entropy of a sample. It uses a compression-like algorithm. <<code>> for a variant which measures successive (~quarter megabyte) chunks of a file.
Tcpdump Tcpdump
We also need a way to capture the raw network data. A program called man:tcpdump[1] lets you do this, if you have enabled the _Berkeley Packet Filter_ interface in your <<kernel>>.
The command: El comando:
tcpdump -c 4000 -s 10000 -w dumpfile.bin
will capture 4000 raw packets to _dumpfile.bin_. Up to 10,000 bytes per packet will be captured in this example.
The Experiment El experimento
Here is the experiment: Aquí está el experimento: