setkey

NAME
     setkey — manually manipulate the IPsec SA/SP database

SYNOPSIS
     setkey [-v] -c
     setkey [-v] -f filename
     setkey [-aPlv] -D
     setkey [-Pv] -F
     setkey [-h] -x

DESCRIPTION
     The setkey utility adds, updates, dumps, or deletes Security Association
     Database (SAD) entries and Security Policy Database (SPD) entries in the
     kernel.

     The setkey utility takes a series of operations from the standard input
     (if invoked with -c) or from the file named filename (if invoked with
     -f filename).

     -D      Dump the SAD entries. With -P, dump the SPD entries.

     -F      Flush the SAD entries. With -P, flush the SPD entries.

     -a      Normally, setkey does not display dead SAD entries with -D. With
             -a, dead SAD entries are displayed as well. A dead SAD entry is
             one that has expired but remains in the system because it is
             still referenced by an SPD entry.

     -h      Add a hexadecimal dump in -x mode.

     -l      Loop forever with short output on -D.

     -v      Be verbose. The program dumps the messages exchanged on the
             PF_KEY socket, including messages sent from other processes to
             the kernel.

     -x      Loop forever and dump all the messages sent to the PF_KEY socket.
             -xx leaves each timestamp unformatted.

   Configuration syntax
     With -c or -f on the command line, setkey accepts the following
     configuration syntax. Lines starting with a hash mark ('#') are treated
     as comment lines.

     add [-46n] src dst protocol spi [extensions] algorithm ... ;
             Add a single SAD entry. add can fail for several reasons,
             including when the key length does not match the specified
             algorithm.

     get [-46n] src dst protocol spi ;
             Show a single SAD entry.

     delete [-46n] src dst protocol spi ;
             Delete a single SAD entry.

     deleteall [-46n] src dst protocol ;
             Delete all SAD entries that match the specification.

     flush [protocol] ;
             Clear all SAD entries matched by the options. -F on the command
             line has the same effect.

     dump [protocol] ;
             Dump all SAD entries matched by the options. -D on the command
             line has the same effect.

     spdadd [-46n] src_range dst_range upperspec policy ;
             Add a single SPD entry.

     spddelete [-46n] src_range dst_range upperspec -P direction ;
             Delete a single SPD entry.

     spdflush ;
             Clear all SPD entries. -FP on the command line has the same
             effect.

     spddump ;
             Dump all SPD entries. -DP on the command line has the same
             effect.

     Meta-arguments are as follows:

     src
     dst     The source/destination of the secure communication, specified as
             an IPv4/v6 address. The setkey utility can resolve an FQDN into
             numeric addresses. If the FQDN resolves into multiple addresses,
             setkey tries all combinations and installs multiple SAD/SPD
             entries into the kernel. -4, -6 and -n restrict FQDN resolution.
             -4 and -6 restrict the results to IPv4/v6 addresses only,
             respectively. -n prevents FQDN resolution and requires the
             addresses to be numeric addresses.

     protocol
             protocol is one of the following:
             esp         ESP based on rfc2406
             esp-old     ESP based on rfc1827
             ah          AH based on rfc2402
             ah-old      AH based on rfc1826
             ipcomp      IPComp
             tcp         TCP-MD5 based on rfc2385

     spi     Security Parameter Index (SPI) for the SAD and the SPD. spi must
             be a decimal number or a hexadecimal number with a '0x' prefix.
             SPI values in the range 0 to 255 are reserved by IANA for future
             use and cannot be used. TCP-MD5 associations must use 0x1000,
             and therefore only have per-host granularity at this time.

     extensions
             The following arguments are accepted:
             -m mode     Specify the security protocol mode to use. mode is
                         one of the following: transport, tunnel, any.
                         The default value is any.
             -r size     Specify the window size in bytes for replay
                         prevention. size must be a decimal number in a 32-bit
                         word. If size is zero or not specified, no replay
                         check is performed.
             -u id       Specify the identifier of the policy entry in the
                         SAD. See policy.
             -f pad_option
                         Specify the content of the ESP padding. pad_option is
                         one of the following:
                         zero-pad    All of the padding is zero.
                         random-pad  A series of random values is set.
                         seq-pad     A series of sequentially increasing
                                     numbers starting from 1 is set.
             -f nocyclic-seq
                         Do not allow cyclic sequence numbers.
             -lh time
             -ls time    Specify the hard/soft lifetime of the SA.

     algorithm
             -E ealgo key
                         Specify the encryption algorithm ealgo for ESP.
             -E ealgo key -A aalgo key
                         Specify the encryption algorithm ealgo and the
                         payload authentication algorithm aalgo for ESP.
             -A aalgo key
                         Specify the authentication algorithm for AH.
             -C calgo [-R]
                         Specify the compression algorithm for IPComp. If -R
                         is specified, the value in the spi field is used
                         as-is as the IPComp CPI (compression parameter index)
                         field on the wire. If -R is not specified, the kernel
                         uses well-known CPI values on the wire, and the spi
                         field is used only as an index for kernel-internal
                         use.

             key must be specified as a double-quoted character string or as
             a continuous series of hexadecimal digits preceded by '0x'.

             The possible values for ealgo, aalgo and calgo are specified in a
             separate section.

     src_range
     dst_range
             These select the secure communication and are specified as an
             IPv4/v6 address or an IPv4/v6 address range. A TCP/UDP port
             specification may be appended. The following forms are accepted:

             address
             address/prefixlen
             address[port]
             address/prefixlen[port]

             prefixlen and port must be decimal numbers. The square brackets
             around port are really necessary; they are not manual page
             metacharacters. For FQDN resolution, the rules that apply to src
             and dst apply here as well.

     upperspec
             The upper-layer protocol to use. One of the words in
             /etc/protocols can be used as upperspec. Alternatively, icmp6,
             ip4 or any can be specified. any means "any protocol". A
             protocol number can also be used. When the upper layer is
             ICMPv6, a type and code for ICMPv6 can be specified. The
             specification is placed after icmp6. The type is separated from
             the code by a single comma. The code must always be specified.
             When 0 is specified, the kernel treats it as a wildcard. Note
             that the kernel cannot distinguish a wildcard from ICMPv6 type 0.
             For example, the following means a policy that does not require
             IPsec for inbound Neighbor Solicitation.

                   spdadd ::/0 ::/0 icmp6 135,0 -P in none;

             Note: upperspec does not work against forwarding at this time,
             because it requires extra reassembly at the forwarding node (not
             implemented at this moment). Many protocols are registered in
             /etc/protocols, but protocols other than TCP, UDP and ICMP may
             not be suitable for use with IPSec. Use such protocols with
             care.

     policy  policy is one of the following three forms:

           -P direction discard
           -P direction none
           -P direction ipsec protocol/mode/src-dst/level [...]

             The direction of the policy must be specified as direction.
             Either out or in is used. discard means that packets matching
             the indexes are discarded. none means that no IPsec operation is
             performed on the packet. ipsec means that an IPsec operation is
             performed on the packet. The protocol/mode/src-dst/level part
             specifies the rule for how to process the packet. One of ah, esp
             or ipcomp is set as protocol. mode is either transport or
             tunnel. If mode is tunnel, the end-point addresses of the SA
             must be specified as src and dst with '-' between the two
             addresses; this is used to specify the SA to use. If mode is
             transport, both src and dst can be omitted. level is one of the
             following: default, use, require, unique. If the SA is not
             available at any level, the kernel sends an SA acquisition
             request to the key exchange daemon. default means that the
             kernel consults the system-wide default for the specified
             protocol when it processes the packet; this is, for example, the
             sysctl variable esp_trans_deflev. use means that the kernel uses
             an SA if one is available, and otherwise continues normal
             operation. require means that an SA is always required when the
             kernel sends a packet matching the policy. unique is the same as
             require; in addition, it allows the policy to be bound to a
             unique outbound SA. It is enough to specify unique as the policy
             level, and racoon(8) will configure the SA for the policy. If
             the SA for the policy is configured by manual keying, a policy
             identifier can be given as a decimal number after unique,
             separated by a colon ':', like this: unique:number. This binds
             the policy to the SA. number must be in the range 1 to 32767. It
             corresponds to extensions -u of manual SA configuration. To use
             an SA bundle, multiple rules can be defined. For example, if an
             IP header is followed by an AH header, an ESP header and an
             upper-layer protocol header, the rule is:
                   esp/transport//require ah/transport//require;
             The order of the rules is very important.

             Note that "discard" and "none" are not in the syntax described
             in ipsec_set_policy(3). There are slight differences between
             the two syntaxes. See ipsec_set_policy(3) for details.

ALGORITHMS
     The following lists show the supported algorithms. protocol and
     algorithm are almost orthogonal. The following is the list of
     authentication algorithms that can be used as aalgo in -A aalgo of the
     protocol parameter:

           algorithm       keylen (bits)   comment
           hmac-md5        128             ah: rfc2403
                           128             ah-old: rfc2085
           hmac-sha1       160             ah: rfc2404
                           160             ah-old: 128bit ICV (no document)
           keyed-md5       128             ah: 96bit ICV (no document)
                           128             ah-old: rfc1828
           keyed-sha1      160             ah: 96bit ICV (no document)
                           160             ah-old: 128bit ICV (no document)
           null            0 to 2048       for debugging
           hmac-sha2-256   256             ah: 96bit ICV
                                           (draft-ietf-ipsec-ciph-sha-256-00)
           hmac-sha2-384   384             ah: 96bit ICV (no document)
                           384             ah-old: 128bit ICV (no document)
           hmac-sha2-512   512             ah: 96bit ICV (no document)
                           512             ah-old: 128bit ICV (no document)
           hmac-ripemd160  160             ah: 96bit ICV (RFC2857)
                                           ah-old: 128bit ICV (no document)
           aes-xcbc-mac    128             ah: 96bit ICV (RFC3566)
                           128             ah-old: 128bit ICV (no document)
           tcp-md5         8 to 640        tcp: rfc2385

     The following is the list of encryption algorithms that can be used as
     ealgo in -E ealgo of the protocol parameter:

           algorithm       keylen (bits)   comment
           des-cbc         64              esp-old: rfc1829, esp: rfc2405
           3des-cbc        192             rfc2451
           null            0 to 2048       rfc2410
           blowfish-cbc    40 to 448       rfc2451
           cast128-cbc     40 to 128       rfc2451
           des-deriv       64              ipsec-ciph-des-derived-01
           3des-deriv      192             no document
           rijndael-cbc    128/192/256     rfc3602
           aes-ctr         160/224/288     draft-ietf-ipsec-ciph-aes-ctr-03

     Note that the first 128 bits of an aes-ctr key are used as the AES key
     and the remaining 32 bits are used as the nonce.

     The following is the list of compression algorithms that can be used as
     calgo in -C calgo of the protocol parameter:

           algorithm       comment
           deflate         rfc2394
DIAGNOSTICS
     The setkey utility exits 0 on success, and >0 if an error occurs.

EXAMPLES
     add 3ffe:501:4819::1 3ffe:501:481d::1 esp 123457
             -E des-cbc 0x3ffe05014819ffff ;

     add -6 myhost.example.com yourhost.example.com ah 123456
             -A hmac-sha1 "AH SA configuration!" ;

     add 10.0.11.41 10.0.11.33 esp 0x10001
             -E des-cbc 0x3ffe05014819ffff
             -A hmac-md5 "authentication!!" ;

     get 3ffe:501:4819::1 3ffe:501:481d::1 ah 123456 ;

     flush ;

     dump esp ;

     spdadd 10.0.11.41/32[21] 10.0.11.33/32[any] any
             -P out ipsec esp/tunnel/192.168.0.1-192.168.1.2/require ;

     add 10.1.10.34 10.1.10.36 tcp 0x1000 -A tcp-md5 "TCP-MD5 BGP secret" ;


SEE ALSO
     ipsec_set_policy(3), racoon(8), sysctl(8)

     Changed manual key configuration for IPsec, October 1999,
     http://www.kame.net/newsletter/19991007/.

HISTORY
     The setkey utility first appeared in the WIDE Hydrangea IPv6 protocol
     stack kit. The utility was completely redesigned in June 1998.

BUGS
     The setkey utility should report and handle syntax errors better.

     In an IPsec gateway configuration, src_range and dst_range with TCP/UDP
     port numbers do not work. This is because the gateway does not
     reassemble packets (it cannot inspect upper-layer headers).