%!PS-Adobe-2.0 %%Creator: dvips(k) 5.86 Copyright 1999 Radical Eye Software %%Title: ikepaper.dvi %%Pages: 14 %%PageOrder: Ascend %%BoundingBox: 0 0 596 842 %%EndComments %DVIPSWebPage: (www.radicaleye.com) %DVIPSCommandLine: dvips -o ikepaper.ps ikepaper.dvi %DVIPSParameters: dpi=600, compressed %DVIPSSource: TeX output 2000.08.01:1530 %%BeginProcSet: texc.pro %! /TeXDict 300 dict def TeXDict begin/N{def}def/B{bind def}N/S{exch}N/X{S N}B/A{dup}B/TR{translate}N/isls false N/vsize 11 72 mul N/hsize 8.5 72 mul N/landplus90{false}def/@rigin{isls{[0 landplus90{1 -1}{-1 1}ifelse 0 0 0]concat}if 72 Resolution div 72 VResolution div neg scale isls{ landplus90{VResolution 72 div vsize mul 0 exch}{Resolution -72 div hsize mul 0}ifelse TR}if Resolution VResolution vsize -72 div 1 add mul TR[ matrix currentmatrix{A A round sub abs 0.00001 lt{round}if}forall round exch round exch]setmatrix}N/@landscape{/isls true N}B/@manualfeed{ statusdict/manualfeed true put}B/@copies{/#copies X}B/FMat[1 0 0 -1 0 0] N/FBB[0 0 0 0]N/nn 0 N/IEn 0 N/ctr 0 N/df-tail{/nn 8 dict N nn begin /FontType 3 N/FontMatrix fntrx N/FontBBox FBB N string/base X array /BitMaps X/BuildChar{CharBuilder}N/Encoding IEn N end A{/foo setfont}2 array copy cvx N load 0 nn put/ctr 0 N[}B/sf 0 N/df{/sf 1 N/fntrx FMat N df-tail}B/dfs{div/sf X/fntrx[sf 0 0 sf neg 0 0]N df-tail}B/E{pop nn A definefont setfont}B/Cw{Cd A length 5 sub get}B/Ch{Cd A length 4 sub get }B/Cx{128 Cd A length 3 sub get sub}B/Cy{Cd A length 2 sub get 127 sub} B/Cdx{Cd A length 1 sub get}B/Ci{Cd A type/stringtype ne{ctr get/ctr ctr 1 add N}if}B/id 0 N/rw 0 N/rc 0 N/gp 0 N/cp 0 N/G 0 N/CharBuilder{save 3 1 roll S A/base get 2 index get S/BitMaps get S get/Cd X pop/ctr 0 N Cdx 0 Cx Cy Ch sub Cx Cw add Cy setcachedevice Cw Ch true[1 0 0 -1 -.1 Cx sub Cy .1 sub]/id Ci N/rw Cw 7 add 8 idiv string N/rc 0 N/gp 0 N/cp 0 N{ rc 0 ne{rc 1 sub/rc X rw}{G}ifelse}imagemask restore}B/G{{id gp get/gp gp 1 add N A 18 mod S 18 idiv pl S get exec}loop}B/adv{cp add/cp X}B /chg{rw cp id gp 4 index getinterval putinterval A gp add/gp X adv}B/nd{ /cp 0 N rw exit}B/lsh{rw cp 2 copy get A 0 eq{pop 1}{A 255 eq{pop 254}{ A A add 255 and S 1 and or}ifelse}ifelse put 1 adv}B/rsh{rw cp 2 copy get A 0 eq{pop 128}{A 255 eq{pop 127}{A 2 idiv S 128 and or}ifelse} ifelse put 1 adv}B/clr{rw cp 2 index string putinterval adv}B/set{rw cp fillstr 0 4 index getinterval putinterval adv}B/fillstr 18 string 0 1 17 {2 copy 255 put pop}for N/pl[{adv 1 chg}{adv 1 chg nd}{1 add chg}{1 add chg nd}{adv lsh}{adv lsh nd}{adv rsh}{adv rsh nd}{1 add adv}{/rc X nd}{ 1 add set}{1 add clr}{adv 2 chg}{adv 2 chg nd}{pop nd}]A{bind pop} forall N/D{/cc X A type/stringtype ne{]}if nn/base get cc ctr put nn /BitMaps get S ctr S sf 1 ne{A A length 1 sub A 2 index S get sf div put }if put/ctr ctr 1 add N}B/I{cc 1 add D}B/bop{userdict/bop-hook known{ bop-hook}if/SI save N @rigin 0 0 moveto/V matrix currentmatrix A 1 get A mul exch 0 get A mul add .99 lt{/QV}{/RV}ifelse load def pop pop}N/eop{ SI restore userdict/eop-hook known{eop-hook}if showpage}N/@start{ userdict/start-hook known{start-hook}if pop/VResolution X/Resolution X 1000 div/DVImag X/IEn 256 array N 2 string 0 1 255{IEn S A 360 add 36 4 index cvrs cvn put}for pop 65781.76 div/vsize X 65781.76 div/hsize X}N /p{show}N/RMat[1 0 0 -1 0 0]N/BDot 260 string N/Rx 0 N/Ry 0 N/V{}B/RV/v{ /Ry X/Rx X V}B statusdict begin/product where{pop false[(Display)(NeXT) (LaserWriter 16/600)]{A length product length le{A length product exch 0 exch getinterval eq{pop true exit}if}{pop}ifelse}forall}{false}ifelse end{{gsave TR -.1 .1 TR 1 1 scale Rx Ry false RMat{BDot}imagemask grestore}}{{gsave TR -.1 .1 TR Rx Ry scale 1 1 false RMat{BDot} imagemask grestore}}ifelse B/QV{gsave newpath transform round exch round exch itransform moveto Rx 0 rlineto 0 Ry neg rlineto Rx neg 0 rlineto fill grestore}B/a{moveto}B/delta 0 N/tail{A/delta X 0 rmoveto}B/M{S p delta add tail}B/b{S p tail}B/c{-4 M}B/d{-3 M}B/e{-2 M}B/f{-1 M}B/g{0 M} B/h{1 M}B/i{2 M}B/j{3 M}B/k{4 M}B/w{0 rmoveto}B/l{p -4 w}B/m{p -3 w}B/n{ p -2 w}B/o{p -1 w}B/q{p 1 w}B/r{p 2 w}B/s{p 3 w}B/t{p 4 w}B/x{0 S rmoveto}B/y{3 2 roll p a}B/bos{/SS save N}B/eos{SS restore}B end %%EndProcSet TeXDict begin 39158280 55380996 1000 600 600 (ikepaper.dvi) @start %DVIPSBitmapFont: Fa cmti9 9 51 /Fa 51 122 df39 D<1560EC01E0EC03C0EC0700140E5C143C5C5C495A 495A13075C49C7FC5B131E5B137C137813F85B12015B12035B1207A25B120FA290C8FC5A A2121E123EA3123C127CA31278A212F8A35AAF12701278A21238A2123C121CA27EA27E6C 7E12011B4A75B71F>I<14301438A28080A2140F801580A2140315C0A4140115E0A81403 A415C0A31407A31580140FA315005CA3141E143EA2143C147CA25CA25C13015C13035C13 075C130F91C7FC131E133E133C5B5B485AA2485A485A48C8FC121E5A12705A5A1B4A7EB7 1F>I44 DI<121C127F12FFA412FE12 380808778718>I48 DI<010614C090380FC00F91B51280160015FC4913F015C0D91CFEC7FC91C8FC13 3C1338A313781370A313F0EBE0FE9038E3FF809038EF03C03901FC01E001F87FEBF00049 7F485A5BC8FCA41401A4003C130300FC5CA34A5A5A00E0495AA24A5A4AC7FC6C137E0070 5B387801F8383E07F0381FFFC06C90C8FCEA03F8223478B127>53 D55 D57 D<1370EA01FC1203A413F8EA00 E01300B0121C127F5AA45A12380E20779F18>I<130EEB3F80137FA41400131C90C7FCB0 EA0380EA0FC0487EA45B1207120012015BA2120390C7FC5A1206120E5A5A123012705A5A 112F7A9F18>I<161C163CA2167C16FCA21501821503A2ED077E150F150E151CA21538A2 157015F015E0EC01C0A2913803807F82EC0700A2140E141E141C5CA25CA25C49B6FCA25B 913880003F49C7EA1F80A2130E131E131C133C13385B13F05B12011203D80FF0EC3FC0D8 FFFE903807FFFEA32F367BB539>65 D 67 D<0107B612C04915F017FC903A003F8001FEEE007FEF1F8092C7EA0FC0EF07E05CEF 03F0147E170102FE15F8A25CA21301A25CA2130317035CA2130718F04A1407A2130F18E0 4A140F18C0011F151F18805CEF3F00133F177E91C85AA2494A5A4C5A017E4A5A4C5A01FE 4A5A047EC7FC49495A0001EC0FF8007FB612E0B7C8FC15F835337BB23A>I<0107B712F0 5B18E0903A003F80001F1707170392C7FC17015C18C0147EA214FEA24A130EA20101EC1E 03041C13804A91C7FC163C13035E9138F001F891B5FC5B5EECE0011500130F5E5C170701 1F01015BEEC00E0280141E92C7121C133F173C91C812381778495DA2017E14014C5A01FE 14074C5A49141F00014AB45A007FB7FCB8FC94C7FC34337CB234>I<0107B712E05B18C0 903A003F80003F170F170792C7FC17035C1880147EA214FEA25C161C0101EC3C07043813 004A91C7FCA20103147816704A13F0150349B5FCA25EECE003130F6F5A14C0A2011F1303 5E1480A2013F90C9FCA291CAFCA25BA2137EA213FEA25B1201387FFFFCB5FCA233337CB2 32>I<92391FE001809238FFF8030207EBFE07913A1FF01F0F0091393F80079F9139FE00 03DFD901F86DB4FCD907F05C49481300495A4948147E49C8127C137E13FE485A48481578 A2485AA248481570A2485A94C7FC123F5BA3127F90CBFCA400FE91383FFFFCA25F923800 3F8094C7FCA2007E5DA2167EA2007F15FE7E5E6C6C1301A26C6C495A6D13076C6CEB0F78 6C6C133E3A00FF01FC3090387FFFF0011F01C0C8FCD903FEC9FC313775B43B>I<010FB5 1280A216009038003FC05DA292C7FCA25CA2147EA214FEA25CA21301A25CA21303A25CA2 1307A25CA2130FA25CA2131FA25CA2133FA291C8FCA25BA2137EA213FEA25B1201B512F8 A25C21337BB21E>73 D<0107B512C05BA29026003FC0C7FC5DA292C8FCA25CA2147EA214 FEA25CA21301A25CA21303A25CA21307A25CA2130FA25C17E0011F140117C05C1603013F 1580160791C7FCEE0F005B5E017E143EA201FE5CED01FC4913030001EC1FF8007FB6FCB7 FC5E2B337CB230>76 D<902607FF8090383FFFC0496D5BA2D9001F913803F8004A6C6D5A 6060EC3BF0027B140360EC71F8A202F11407DAF0FC91C7FC14E0A20101017E5B170E14C0 810103151EEE801CEC801FA20107ECC03C030F1338140016E049010713781770010E14F0 1503011E15F0705A011C1301A2013C14FD03005B133816FF0178147F5F0170143FA213F0 70C8FC1201EA07F8267FFF807FB5140EA23A337BB239>78 D<0107B612C04915F883903A 003F8001FEEE003FEF1F8092C713C0170F5C18E0147EA214FEEF1FC05CA201011680173F 4A1500177E010315FE5F4AEB03F8EE07E00107EC3FC091B6C7FC16F802E0C9FC130FA25C A2131FA25CA2133FA291CAFCA25BA2137EA213FEA25B1201387FFFF0B5FCA233337CB234 >80 D<913901FC018091380FFF03023F13C791387E07EF903A01F801FF0049487E4A7F49 5A4948133E131F91C7FC5B013E143CA3137E1638A293C7FC137FA26D7E14E014FE90381F FFC06D13F86D7F01017F6D6C7E020F7F1400153F6F7E150FA4120EA2001E5D121CA2151F 003C92C7FCA2003E143E5D127E007F5C6D485A9038C007E039F3F80FC000F0B5C8FC38E0 3FFC38C00FF029377AB42B>83 D<0003B812C05A1880903AF800FC003F260FC001141F01 80150F01005B001EEE07001403121C003C4A5BA200380107140E127800705CA2020F141E 00F0161CC74990C7FCA2141FA25DA2143FA292C9FCA25CA2147EA214FEA25CA21301A25C A21303A25CA21307A25C497E001FB512F05AA2323374B237>I<3B3FFFF801FFFE485CA2 D801FEC7EA1FC049EC0F80170049140EA2161E120349141CA2163C1207491438A2167812 0F491470A216F0121F495CA21501123F90C75BA215035A007E5DA2150712FE4892C7FCA2 5D150E48141E151C153C153815786C5C5D007C1301007E495A003EEB0F806C011EC8FC38 0FC0FC6CB45A000113E06C6CC9FC2F3570B239>I87 D<902607FFFE90387FFFC0A39026001FF090380FF80003C014C0020F5D6F91C7FC020714 1E6F5B5F02035C6F485A02015C6F485A4CC8FC0200130EEDFE1EED7E3C5EED7FF06F5A5E 5E151F82A24B7E157F1577EDE7F0EC01C7EC038302077FEC0F01021E7F143CEC38004A7F 4A137E495A0103147F49487F49C77F131E49141F017C8113FC00074B7EB5D88003B57EA2 95C7FC3A337CB239>I97 D<137EEA0FFE121F5B1200A35BA21201A25BA21203 A25BA21207A2EBC3E0EBCFF8380FDC3EEBF81F497E01E01380EA1FC0138015C013005AA2 123EA2007E131F1580127CA2143F00FC14005AA2147EA25CA2387801F85C495A6C485A49 5A6C48C7FCEA0FFCEA03F01A3578B323>I<14FCEB07FF90381F078090383E03C0EBFC01 3801F8033803F0073807E00F13C0120F391F80070091C7FC48C8FCA35A127EA312FE5AA4 007C14C0EC01E0A2EC03C06CEB0F80EC1F006C137C380F81F03803FFC0C648C7FC1B2278 A023>II< EB03F8EB0FFEEB3E0F9038F807803801F003EA03E0EA07C0120FEA1F801407D83F001300 5C007E133EEB03F8387FFFE04848C7FC00FCC8FCA45AA4EC0180EC03C0A2007CEB0780EC 1F00003C133E6C13F8380F03E03807FF80D801FCC7FC1A2277A023>I<151FED7FC0EDF0 E0020113F0EC03E3A2EC07C316E0EDC1C091380FC0005DA4141F92C7FCA45C143E90381F FFFEA3D9007EC7FC147CA414FC5CA513015CA413035CA413075CA3130FA25CA3131F91C8 FCA35B133E1238EA7E3CA2EAFE7812FC485AEA78E0EA3FC0000FC9FC244582B418>I<14 3FECFF80903803E1E6903807C0FF90380F807FEB1F00133E017E133F49133EA24848137E A24848137CA215FC12074913F8A21401A2D80FC013F0A21403120715E01407140F141F39 03E03FC00001137FEBF0FF38007FCF90381F0F801300141FA21500A25C143E1238007E13 7E5C00FE5B48485A387803E0387C0F80D81FFFC7FCEA07F820317CA023>III107 D<133FEA07FF5A13FEEA007EA3137CA213FCA213F8A21201A213F0 A21203A213E0A21207A213C0A2120FA21380A2121FA21300A25AA2123EA2127EA2127C13 18EAFC1C133CEAF838A21378137012F013F0EAF8E01279EA3FC0EA0F00103579B314>I< 2703C003F8137F3C0FF00FFE01FFC03C1E783C1F07C1E03C1C7CF00F8F01F03B3C3DE007 9E0026383FC001FC7FD97F805B007001005B5E137ED8F0FC90380FC00100E05FD860F814 8012000001021F130360491400A200034A13076049013E130FF081800007027EEC83C005 1F138049017C1403A2000F02FC1407053E130049495CEF1E0E001F01015D183C010049EB 0FF0000E6D48EB03E03A227AA03F>I<3903C007F0390FF01FFC391E787C1E391C7CF01F 393C3DE00F26383FC01380EB7F8000781300EA707EA2D8F0FC131F00E01500EA60F81200 00015C153E5BA20003147E157C4913FCEDF8180007153C0201133801C013F0A2000F1578 EDE070018014F016E0001FECE1C015E390C7EAFF00000E143E26227AA02B>I<14FCEB07 FF90381F07C090383E03E09038FC01F0EA01F83903F000F8485A5B120F484813FCA248C7 FCA214014814F8127EA2140300FE14F05AA2EC07E0A2007CEB0FC01580141FEC3F006C13 7E5C381F01F0380F83E03803FF80D800FCC7FC1E2278A027>I<011E137C90387F81FF90 39F3C387C09039E3EF03E03901E1FE01D9C1FC13F0EBC3F8000313F0018314F814E0EA07 871307000313C01200010F130316F01480A2011F130716E01400A249EB0FC0A2013EEB1F 80A2017EEB3F00017F133E5D5D9038FF81F09038FDC3E09038F8FF80027EC7FC000190C8 FCA25BA21203A25BA21207A25BB5FCA325307FA027>I<3903C00FC0390FF03FF0391E78 F078391C7DE03C393C3FC0FC00381380EB7F00007814F8D8707E13701500EAF0FC12E0EA 60F812001201A25BA21203A25BA21207A25BA2120FA25BA2121FA290C8FC120E1E227AA0 20>114 DI<1303EB0F80A3 131FA21400A25BA2133EA2137EA2137C387FFFF8A2B5FC3800F800A21201A25BA21203A2 5BA21207A25BA2120FA25B1460001F13F014E01300130114C01303001E1380EB07005BEA 0F1EEA07F8EA01E015307AAE19>II<01F01338D803FC13FCEA0F 1E120E121C123C0038147CEA783E0070143CA2137ED8F07C1338EA60FCC65A1578000114 705BA215F0000314E05BA2EC01C0A2EBC003158014071500EBE00EA26C6C5A3800F878EB 7FE0EB1F801E227AA023>II<011F137C90387FC1FF3A01E1E787803A03C0F703C0903880FE0FEA07004813 FC000E1580001E9038F80700001C91C7FC1301003C5B1218120013035CA31307A25C1506 010F130F150E14800038141ED87C1F131C00FC143C1538013F5B39F07FC0E03970F3C3C0 393FE1FF80260F807EC7FC22227CA023>I<13F0D803FC1307D80F1E130F000E141F121C 123C0038143FD8783E133E1270A2017E137ED8F07C137CEA60FCC65A15FC000114F85BA2 1401000314F013E0A2140315E0EA07C0A20003130715C0EBE00F141F0001133F9038F07F 8038007FEFEB1F8FEB001F1500A25C003E133E007E137E147C5C007C5BEA7001495A3838 0780D83C1FC7FCEA0FFCEA07F020317AA025>I E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fb cmr9 9 70 /Fb 70 124 df14 D<14C01301EB0380EB0F00130E5B133C5B5BA2485A485AA212075B120F90C7FC5AA2121E 123EA3123C127CA55AB0127CA5123C123EA3121E121FA27E7F12077F1203A26C7E6C7EA2 13787F131C7F130FEB0380EB01C01300124A79B71E>40 D<12C07E1270123C121C7E120F 6C7E6C7EA26C7E6C7EA27F1378137C133C133EA2131E131FA37F1480A5EB07C0B0EB0F80 A514005BA3131E133EA2133C137C137813F85BA2485A485AA2485A48C7FC120E5A123C12 705A5A124A7CB71E>I<123C127EB4FCA21380A2127F123D1201A412031300A25A120612 0E120C121C5A5A126009177A8715>44 DI<123C127E12FFA412 7E123C08087A8715>I<1530157815F8A215F01401A215E01403A215C01407A21580140F A215005CA2143EA2143C147CA2147814F8A25C1301A25C1303A25C1307A2495AA291C7FC 5BA2131E133EA2133C137CA2137813F8A25B1201A25B1203A2485AA25B120FA290C8FC5A A2121E123EA2123C127CA2127812F8A25A12601D4B7CB726>II<13075B5B137FEA07FFB5FC13BFEAF83F1200B3B3 A2497E007FB51280A319327AB126>II II<000C14C0380FC00F90B512801500 5C5C14F014C0D80C18C7FC90C8FCA9EB0FC0EB7FF8EBF07C380FC03F9038001F80EC0FC0 120E000CEB07E0A2C713F01403A215F8A41218127E12FEA315F0140712F8006014E01270 EC0FC06C131F003C14806CEB7F00380F80FE3807FFF8000113E038003F801D347CB126> I<14FE903807FF80011F13E090383F00F0017C13703901F801F8EBF003EA03E01207EA0F C0EC01F04848C7FCA248C8FCA35A127EEB07F0EB1FFC38FE381F9038700F809038E007C0 39FFC003E0018013F0EC01F8130015FC1400A24814FEA5127EA4127F6C14FCA26C130101 8013F8000F14F0EBC0030007EB07E03903E00FC03901F81F806CB51200EB3FFCEB0FE01F 347DB126>I<1230123C003FB6FCA34814FEA215FC0070C7123800601430157015E04814 C01401EC0380C7EA07001406140E5C141814385CA25CA2495A1303A3495AA2130FA3131F 91C7FCA25BA55BA9131C20347CB126>III<123C127E12FFA4127E123C1200B0123C127E12 FFA4127E123C08207A9F15>I<15E0A34A7EA24A7EA34A7EA3EC0DFE140CA2EC187FA34A 6C7EA202707FEC601FA202E07FECC00FA2D901807F1507A249486C7EA301066D7EA2010E 80010FB5FCA249800118C77EA24981163FA2496E7EA3496E7EA20001821607487ED81FF0 4A7ED8FFFE49B512E0A333367DB53A>65 DIIIIIIII<017FB5FCA39038003FE0EC1FC0B3B1127EB4FCA4EC3F805A00601400 00705B6C13FE6C485A380F03F03803FFC0C690C7FC20357DB227>IIIIIII82 D<90381FE00390387FFC07 48B5FC3907F01FCF390F8003FF48C7FC003E80814880A200788000F880A46C80A27E92C7 FC127F13C0EA3FF013FF6C13F06C13FF6C14C06C14F0C680013F7F01037F9038003FFF14 0302001380157F153FED1FC0150F12C0A21507A37EA26CEC0F80A26C15006C5C6C143E6C 147E01C05B39F1FC03F800E0B512E0011F138026C003FEC7FC22377CB42B>I<007FB712 FEA390398007F001D87C00EC003E0078161E0070160EA20060160600E01607A3481603A6 C71500B3AB4A7E011FB512FCA330337DB237>IIII<267FFFFC90B512C0A3000101E090381FF80026007F80EB0FC0013F6E5A6E91C7FC6D 6C130E010F140C6E5B6D6C133801035C6E13606D6C13E06D6C485A5EDA7F83C8FCEC3FC7 15C6EC1FECEC0FFC5D14076E7EA26E7E815C6F7E9138063FC0140E4A6C7E9138180FF0EC 380702707F91386003FCECC0010101804A6C7E49C77E4981010E6E7E010C6E7E131C496E 7E01786E7E13FCD807FEEC1FFEB56C90B512F8A335337EB23A>II91 D93 D97 DII<153FEC0FFFA3EC007F81AEEB07F0EB3FFCEBFC0F3901F003BF39 07E001FF48487E48487F8148C7FCA25A127E12FEAA127E127FA27E6C6C5BA26C6C5B6C6C 4813803A03F007BFFC3900F81E3FEB3FFCD90FE0130026357DB32B>III<151F90391FC07F809039FFF8E3C03901F07FC73907E03F033A0FC01F8380 9039800F8000001F80EB00074880A66C5CEB800F000F5CEBC01F6C6C48C7FCEBF07C380E FFF8380C1FC0001CC9FCA3121EA2121F380FFFFEECFFC06C14F06C14FC4880381F000100 3EEB007F4880ED1F8048140FA56C141F007C15006C143E6C5C390FC001F83903F007E0C6 B51280D91FFCC7FC22337EA126>III107 DI<2703F01FE013FF00FF 90267FF80313C0903BF1E07C0F03E0903BF3803E1C01F02807F7003F387FD803FE147049 6D486C7EA2495CA2495CB3486C496C487EB53BC7FFFE3FFFF0A33C217EA041>I<3903F0 1FC000FFEB7FF09038F1E0FC9038F3807C3907F7007EEA03FE497FA25BA25BB3486CEB7F 80B538C7FFFCA326217EA02B>II<3903F03F8000FFEBFFE09038F3C0F89038F7007ED807FE7F6C48EB1F804914C049 130F16E0ED07F0A3ED03F8A9150716F0A216E0150F16C06D131F6DEB3F80160001FF13FC 9038F381F89038F1FFE0D9F07FC7FC91C8FCAA487EB512C0A325307EA02B>I<903807F0 0390383FFC07EBFC0F3901F8038F3807E001000F14DF48486CB4FC497F123F90C77E5AA2 5A5AA9127FA36C6C5B121F6D5B000F5B3907E003BF3903F0073F3800F81EEB3FF8EB0FE0 90C7FCAAED7F8091380FFFFCA326307DA029>I<3803E07C38FFE1FF9038E38F809038E7 1FC0EA07EEEA03ECA29038FC0F8049C7FCA35BB2487EB512E0A31A217FA01E>II<1330A51370A313F0A21201A2120312 07381FFFFEB5FCA23803F000AF1403A814073801F806A23800FC0EEB7E1CEB1FF8EB07E0 182F7FAD1E>IIIII<3A7FFF807FF8A33A07F8001FC00003EC0F8000 01EC070015066C6C5BA26D131C017E1318A26D5BA2EC8070011F1360ECC0E0010F5BA290 3807E180A214F3010390C7FC14FBEB01FEA26D5AA31478A21430A25CA214E05CA2495A12 78D8FC03C8FCA21306130EEA701CEA7838EA1FF0EA0FC025307F9F29>I<003FB512F0A2 EB000F003C14E00038EB1FC00030EB3F800070137F1500006013FE495A13035CC6485A49 5AA2495A495A49C7FC153013FE485A12035B48481370485A001F14604913E0485A387F00 0348130F90B5FCA21C207E9F22>II E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fc cmmi10 10 1 /Fc 1 23 df22 D E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fd cmtt10 10 72 /Fd 72 126 df<010F133C90381F807EA8013F13FE4A5AA4007FB612F0B712F8A4003F15 F03A007E01F800A5EBFE0301FC5BA6003FB612F0B712F8A46C15F03A01F807E000A30003 130F01F05BA86C486C5A25337DB22C>35 D<143814FC13011303EB07F8EB0FF0EB1FC0EB 3F80EB7F0013FE485A485A5B12075B120F5B485AA2123F90C7FCA25A127EA312FE5AAC7E 127EA3127F7EA27F121FA26C7E7F12077F12037F6C7E6C7E137FEB3F80EB1FC0EB0FF0EB 07F8EB03FC130113001438164272B92C>40 D<127012FC7E7E6C7E6C7EEA0FE06C7E6C7E 6C7E6C7E137F7F1480131F14C0130FEB07E0A214F01303A214F81301A314FC1300AC1301 14F8A3130314F0A2130714E0A2EB0FC0131F1480133F14005B13FE485A485A485A485AEA 3FC0485A48C7FC5A5A1270164279B92C>II44 D<007FB6FCB71280A46C150021067B9B2C>I<121FEA3F80EA7FC0EAFFE0A5EA7FC0EA3F 80EA1F000B0B708A2C>I<1507ED0F80151FA2153F16005D157E15FE5D14015D14035DA2 14075D140F5D141F5D143F92C7FC5C147E14FE5CA213015C13035C13075C130F5C131F5C A2133F91C8FC5B137E13FE5B12015B12035B12075BA2120F5B121F5B123F90C9FC5A127E 12FE5AA25A127821417BB92C>II<13 07497EA2131FA2133F137F13FF5A1207127FB5FC13DF139FEA7C1F1200B3AE007FB512E0 B612F0A36C14E01C3477B32C>IIII<000FB512FE4880A35D0180C8FCADEB83FE90389FFF8090B512E015F8819038FE03 FE9038F000FF01C07F49EB3F8090C7121F6C15C0C8120FA2ED07E0A4123C127EB4FC150F 16C0A248141F007EEC3F80007FEC7F006C6C5B6D485A391FF80FFC6CB55A6C5C000114C0 6C6C90C7FCEB0FF823347CB22C>II<1278B712C016E0A316C000FCC7EA3F80ED7F0015FE00785CC712014A5A4A5A5D14 0F5D4A5A143F92C7FC5C147E14FE5C13015CA2495AA213075CA3495AA4495AA5133F91C8 FCAA131E23357CB32C>III<121FEA3F80EA7FC0EAFFE0 A5EA7FC0EA3F80EA1F00C7FCAE121FEA3F80EA7FC0EAFFE0A5EA7FC0EA3F80EA1F000B24 70A32C>II<007FB612F0B712F8A4003F15F0CAFCA8003FB612F0B712F8A46C15 F025147DA22C>61 D<127012FC7E6C7E13E06C7EEA1FFC6C7E3803FF80C67FEB7FF0EB1F F8EB0FFEEB03FF6D13C06D6C7EEC3FF8EC0FFC6EB4FC0201138080A25C02071300EC0FFC EC3FF8EC7FE049485A4990C7FCEB0FFEEB1FF8EB7FF0EBFFC000035BD80FFEC8FC485AEA 7FF0485A138048C9FC5A1270212A7BAD2C>I<14FE497EA4497FA214EFA2130781A214C7 A2010F7FA314C390381F83F0A590383F01F8A490387E00FCA549137E90B512FEA34880A2 9038F8003FA34848EB1F80A4000715C049130FD87FFEEBFFFC6D5AB514FE6C15FC497E27 347EB32C>65 D<007FB512E015F8B612FE6C8016C03903F0003FED0FE0ED07F01503A2ED 01F8A6ED03F0A21507ED0FE0ED1FC0EDFF8090B612005D5D15FF16C09039F0001FE0ED07 F0ED03F81501ED00FCA216FE167EA616FE16FC1501ED03F8150FED3FF0007FB612E016C0 B712806CECFE0015F027337FB22C>I<02FF13700107EBE0F84913F9013F13FD4913FFEB FF813901FE007F4848131FD807F0130F1507485A491303485A150148C7FCA25A007EEC00 F01600A212FE5AAB7E127EA3007F15F06CEC01F8A26C7EA26C6C13036D14F06C6C130716 E0D803FC131F6C6CEB3FC03A00FF81FF806DB512006D5B010F5B6D13F00100138025357D B32C>I<007FB5FCB612C015F0816C803907E003FEEC00FFED7F80153FED1FC0ED0FE0A2 150716F0150316F81501A4ED00FCACED01F8A3150316F0A2150716E0150FED1FC0153FED 7F80EDFF00EC03FE007FB55AB65A5D15C06C91C7FC26337EB22C>I<007FB612F0B712F8 A37E3903F00001A7ED00F01600A4EC01E04A7EA490B5FCA5EBF003A46E5A91C8FCA5163C 167EA8007FB612FEB7FCA36C15FC27337EB22C>I<007FB612F8B712FCA37ED803F0C7FC A716781600A515F04A7EA490B5FCA5EBF001A46E5A92C7FCAD387FFFE0B5FC805C7E2633 7EB22C>I<903901FC038090390FFF87C04913EF017F13FF90B6FC4813073803FC01497E 4848137F4848133F49131F121F5B003F140F90C7FCA2127EED078092C7FCA212FE5AA891 3803FFF84A13FCA27E007E6D13F89138000FC0A36C141FA27F121F6D133F120F6D137F6C 7E6C6C13FF6D5A3801FF076C90B5FC6D13EF011F13CF6DEB0780D901FCC7FC26357DB32C >II<007FB512F8B612FCA36C14F83900 0FC000B3B3A5007FB512F8B612FCA36C14F81E3379B22C>I75 D<387FFFE0B57EA36C5BD803F0C8FCB3AE16F0ED01F8 A8007FB6FCB7FCA36C15F025337DB22C>IIII<007FB512C0B612F88115 FF6C15802603F00013C0153FED0FE0ED07F0A2150316F81501A6150316F01507A2ED0FE0 ED3FC015FF90B61280160015FC5D15C001F0C8FCB0387FFF80B57EA36C5B25337EB22C> I<387FFFFCB67E15E015F86C803907E007FE1401EC007F6F7E151FA26F7EA64B5AA2153F 4BC7FCEC01FE140790B55A5D15E081819038E007FCEC01FE1400157F81A8160FEE1F80A5 D87FFEEB1FBFB5ECFF00815E6C486D5AC8EA01F029347EB22C>82 D<90381FF80790B5EA0F804814CF000714FF5A381FF01F383FC003497E48C7FC007E147F 00FE143F5A151FA46CEC0F00007E91C7FC127F7FEA3FE0EA1FFCEBFFC06C13FC0003EBFF C06C14F06C6C7F01077F9038007FFEEC07FF02001380153FED1FC0A2ED0FE0A200781407 12FCA56CEC0FC0A26CEC1F806D133F01E0EB7F009038FE01FF90B55A5D00F914F0D8F83F 13C0D8700790C7FC23357CB32C>I<007FB612FCB712FEA43AFC007E007EA70078153CC7 1400B3AF90383FFFFCA2497F6D5BA227337EB22C>I<3B7FFF803FFFC0B56C4813E0A36C 496C13C03B03F00001F800B3AF6D130300015DA26D130700005D6D130F017F495A6D6C48 5AECE0FF6DB5C7FC6D5B010313F86D5B9038003F802B3480B22C>I87 D<3A3FFF03FFE0484913F014 8714076C6D13E03A01F800FE007F0000495A13FE017E5BEB7F03013F5B1487011F5B14CF 010F5B14FF6D5BA26D90C7FCA26D5AA26D5AA2497EA2497EA2497F81EB0FCF81EB1FC7EC 87F0EB3F83EC03F8EB7F01017E7FEBFE00497F0001147E49137F000380491480151FD87F FEEBFFFC6D5AB514FE6C15FC497E27337EB22C>II<387FFFFCB512FEA314FC00FCC7FCB3B3B3 B512FC14FEA36C13FC17416FB92C>91 D<387FFFFCB512FEA37EC7127EB3B3B3387FFFFE B5FCA36C13FC17417DB92C>93 D<007FB6FCB71280A46C150021067B7D2C>95 D<3801FFF0000713FE001F6D7E15E048809038C01FF81407EC01FC381F80000006C77EC8 127EA3ECFFFE131F90B5FC1203120F48EB807E383FF800EA7FC090C7FC12FE5AA47E007F 14FEEB8003383FE01F6CB612FC6C15FE6C14BF0001EBFE1F3A003FF007FC27247CA32C> 97 DI<903803FFE0011F13F8017F13FE48B5FC48804848C6FCEA0FF0485A49137E 4848131890C9FC5A127EA25AA8127EA2127F6C140F6DEB1F806C7E6D133F6C6CEB7F0039 07FE03FF6CB55A6C5C6C6C5B011F13E0010390C7FC21247AA32C>IIII II< 1307EB1FC0A2497EA36D5AA20107C7FC90C8FCA7387FFFC080B5FC7EA2EA0007B3A8007F B512FCB612FEA36C14FC1F3479B32C>I107 D<387FFFE0B57EA37EEA0003B3B3A5007F B61280B712C0A36C158022337BB22C>I<3A7F83F007E09039CFFC1FF83AFFDFFE3FFCD8 7FFF13FF91B57E3A07FE1FFC3E01FCEBF83F496C487E01F013E001E013C0A301C01380B3 3B7FFC3FF87FF0027F13FFD8FFFE6D13F8D87FFC4913F0023F137F2D2481A32C>I<397F F01FE039FFF87FFC9038F9FFFE01FB7F6CB6FC00019038F03F80ECC01F02807FEC000F5B 5BA25BB3267FFFE0B5FCB500F11480A36C01E0140029247FA32C>II<397FF01FE0 39FFF8FFF801FB13FE90B6FC6C158000019038F07FC09138801FE091380007F049EB03F8 5BED01FC491300A216FE167EA816FE6D14FCA2ED01F86D13036DEB07F0150F9138801FE0 9138E07FC091B51280160001FB5B01F813F8EC3FC091C8FCAD387FFFE0B57EA36C5B2736 7FA32C>I114 D<90387FF8700003B512F8120F5A5A387FC00F387E00034813015AA36CEB00F0007F1400 13F0383FFFC06C13FE6CEBFF80000314E0C66C13F8010113FCEB0007EC00FE0078147F00 FC143F151F7EA26C143F6D133E6D13FE9038F007FC90B5FC15F815E000F8148039701FFC 0020247AA32C>I<131E133FA9007FB6FCB71280A36C1500D8003FC8FCB1ED03C0ED07E0 A5EC800F011FEB1FC0ECE07F6DB51280160001035B6D13F89038003FE0232E7EAD2C>I< 3A7FF003FF80486C487FA3007F7F0001EB000FB3A3151FA2153F6D137F3900FE03FF90B7 FC6D15807F6D13CF902603FE07130029247FA32C>I<3A7FFF01FFFCB514FE148314016C 15FC3A03E0000F80A26D131F00011500A26D5B0000143EA26D137E017C137CA2017E13FC 013E5BA2EB3F01011F5BA21483010F5BA214C701075BA214EF01035BA214FF6D90C7FCA2 6D5A147C27247EA32C>II<3A3FFF03 FFF048018713F8A36C010313F03A00FC007E005D90387E01F8013F5BEB1F83EC87E09038 0FCFC0903807EF80EB03FF6D90C7FC5C6D5A147C14FE130180903803EF80903807CFC0EB 0FC7EC83E090381F01F0013F7FEB7E00017C137C49137E0001803A7FFF01FFFC1483B514 FE6C15FC140127247EA32C>I<3A7FFF01FFFCB5008113FE148314816C010113FC3A03E0 000F806C7E151F6D140012005D6D133E137C017E137E013E137CA2013F13FC6D5BA2EB0F 815DA2EB07C1ECC3E0A2EB03E3ECE7C0130114F75DEB00FFA292C7FC80A2143EA2147E14 7CA214FC5CA2EA0C01003F5BEA7F83EB87E0EA7E0F495A387FFF806C90C8FC6C5A6C5AEA 07E027367EA32C>I<15FF02071380141F147F91B512004913C04AC7FCEB03F85CB31307 EB1FE013FF007F5BB55A49C8FC6D7E6C7FC67F131FEB07F01303B380EB01FEECFFC06D13 FF6E1380141F14070200130021417BB92C>123 D125 D E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fe cmr8 8 40 /Fe 40 122 df<14FF010713E090381F80F090383E003849137C4913FC485A1203491378 153092C7FCA7157CB612FCA23803E000157CB3A5486C13FE3A7FFF0FFFE0A2232F7FAE27 >12 D<123C127EB4FCA21380A2127F123D1201A312031300A25A1206120E5A5A5A126009 157A8714>44 DI<123C127E12FFA4127E123C08087A8714>I48 D<000CEB0180380FC01F90B512005C5C14F014C0D80C7EC7FC 90C8FCA8EB1FC0EB7FF8380DE07C380F801F01001380000E130F000CEB07C0C713E0A214 0315F0A4127812FCA448EB07E012E0006014C00070130F6C14806CEB1F006C133E380780 F83801FFE038007F801C2D7DAB23>53 D57 D68 DI73 D78 DII82 D<90383F80303901FFF0703807C07C390F000EF0001E13074813 034813011400127000F01470A315307EA26C1400127E127FEA3FE013FE381FFFE06C13FC 6C13FF00011480D8003F13E013039038003FF0EC07F81401140015FC157C12C0153CA37E A215787E6C14706C14F06CEB01E039F78003C039E3F00F0038E07FFE38C00FF01E2F7CAD 27>I87 D<3B7FFFE003FFF8A2000390C713806C48EC7E00000015 7C017F14786D14706E5B6D6C5B6D6C485A15036D6C48C7FC903803F80601015BECFC1C6D 6C5AEC7F305DEC3FE06E5A140F816E7E81140DEC1DFCEC38FEEC307F14609138E03F8049 486C7EEC800FD903007F496D7E010E6D7E130C011C6D7E496D7E49147E167F01F0EC3F80 000316C0D80FF8EC7FE0D8FFFE0103B5FCA2302D7EAC35>I<13FF000713C0380F01F038 1C00F8003F137C80A2143F001E7FC7FCA4EB07FF137F3801FE1FEA07F0EA1FC0EA3F80EA 7F00127E00FE14065AA3143F7E007E137F007FEBEF8C391F83C7FC390FFF03F83901FC01 E01F207D9E23>97 DII<15F8141FA214011400ACEB0FE0EB7FF83801F81E3803E0073807C003380F8001EA 1F00481300123E127EA25AA9127C127EA2003E13017EEB8003000F13073903E00EFC3A01 F03CFFC038007FF090391FC0F800222F7EAD27>III<013F13F89038FFC3FE3903E1FF1E3807807C000F14 0C391F003E00A2003E7FA76C133EA26C6C5A00071378380FE1F0380CFFC0D81C3FC7FC90 C8FCA3121E121F380FFFF814FF6C14C04814F0391E0007F848130048147C12F848143CA4 6C147C007C14F86CEB01F06CEB03E03907E01F803901FFFE0038003FF01F2D7E9D23>I< EA07C012FFA2120F1207AC14FE9038C3FF809038C703E09038DE01F013F8496C7EA25BA2 5BB2486C487E3AFFFE1FFFC0A2222E7EAD27>II107 DI<2607C07FEB 07F03BFFC3FFC03FFC903AC783F0783F3C0FCE01F8E01F803B07DC00F9C00F01F8D9FF80 13C04990387F000749137EA249137CB2486C01FEEB0FE03CFFFE0FFFE0FFFEA2371E7E9D 3C>I<3807C0FE39FFC3FF809038C703E0390FDE01F0EA07F8496C7EA25BA25BB2486C48 7E3AFFFE1FFFC0A2221E7E9D27>II<3807C0FE39FF C7FF809038CF03E0390FDC01F03907F800FC49137E49133E49133FED1F80A3ED0FC0A815 1F1680A2ED3F00A26D137E6D137C5D9038FC01F09038CE07E09038C7FF80D9C1FCC7FC01 C0C8FCA9487EEAFFFEA2222B7E9D27>I<380781F838FF87FEEB8E3FEA0F9CEA07B813B0 EBF01EEBE000A45BB0487EB5FCA2181E7E9D1C>114 D<3801FE183807FFB8381E01F8EA 3C00481378481338A21418A27E7EB41300EA7FF06CB4FC6C13C06C13F0000113F838001F FC130138C0007E143EA26C131EA27EA26C133CA26C137838FF01F038E3FFC000C0130017 207E9E1C>I<1360A413E0A312011203A21207121FB512F0A23803E000AF1418A7143838 01F03014703800F860EB3FE0EB0F80152A7FA81B>II<3AFFFC01FFC0A23A0FE0007E000007147C15380003143015706C6C1360A26C6C 5BA390387C0180A26D48C7FCA2EB3F07EB1F06A2EB0F8CA214DCEB07D8A2EB03F0A36D5A A26D5A221E7F9C25>I<3BFFFC3FFE07FFA23B0FE003F001F801C09038E000F000070101 14E0812603E00314C0A2913807F8012701F006781380A29039F80E7C030000D90C3C1300 A290397C181E06A2151F6D486C5AA2168C90391F600798A216D890390FC003F0A36D486C 5AA36DC75A301E7F9C33>I<3AFFFC07FF80A23A0FF003FC000003EB01F0000114C06D48 5A000091C7FCEB7C06EB3E0E6D5A14B8EB0FB0EB07E013036D7E497E1307EB067C497EEB 1C1F01387FEB700F496C7E6E7ED803C07F00076D7E391FE003FC3AFFF007FFC0A2221D7F 9C25>I<3AFFFC01FFC0A23A0FE0007E000007147C1538000314306D137000011460A26C 6C5BA2EBFC01017C5BEB7E03013E90C7FCA2EB1F06A2148EEB0F8CA2EB07D8A2EB03F0A3 6D5AA26D5AA2495AA2130391C8FC1278EAFC06A25B131CEA7838EA7070EA3FE0EA0F8022 2B7F9C25>I E %EndDVIPSBitmapFont %DVIPSBitmapFont: Ff cmr6 6 3 /Ff 3 52 df<13E01201120712FF12F91201B3A7487EB512C0A212217AA01E>49 DI<13FF000313C0380F03E0381C00F014F800 3E13FC147CA2001E13FC120CC712F8A2EB01F0EB03E0EB0FC03801FF00A2380003E0EB00 F01478147C143E143F1230127812FCA2143E48137E0060137C003813F8381E03F0380FFF C00001130018227DA01E>I E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fg cmr7 7 3 /Fg 3 52 df<13381378EA01F8121F12FE12E01200B3AB487EB512F8A215267BA521>49 D<13FF000313E0380E03F0381800F848137C48137E00787F12FC6CEB1F80A4127CC7FC15 005C143E147E147C5C495A495A5C495A010EC7FC5B5B903870018013E0EA018039030003 0012065A001FB5FC5A485BB5FCA219267DA521>I<13FF000313E0380F01F8381C007C00 30137E003C133E007E133FA4123CC7123E147E147C5C495AEB07E03801FF8091C7FC3800 01E06D7E147C80143F801580A21238127C12FEA21500485B0078133E00705B6C5B381F01 F03807FFC0C690C7FC19277DA521>I E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fh cmsy10 10 1 /Fh 1 16 df15 D E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fi cmti10 10 37 /Fi 37 122 df<150C151C153815F0EC01E0EC03C0EC0780EC0F00141E5C147C5C5C495A 1303495A5C130F49C7FCA2133EA25BA25BA2485AA212035B12075BA2120F5BA2121FA290 C8FCA25AA2123EA2127EA2127CA412FC5AAD1278A57EA3121C121EA2120E7EA26C7E6C7E A212001E5274BD22>40 D<140C140E80EC0380A2EC01C015E0A2140015F0A21578A4157C 153CAB157CA715FCA215F8A21401A215F0A21403A215E0A21407A215C0140F1580A2141F 1500A2143EA25CA25CA2495AA2495A5C1307495A91C7FC5B133E133C5B5B485A12035B48 C8FC120E5A12785A12C01E527FBD22>I44 D<387FFFF8A2B5FCA214F0150579941E>I<120EEA3F80127F12FFA31300127E123C0909 778819>I<1703EF0780170FA2EF1F005F173E5FA25FA24C5A16035F4C5AA24C5AA24CC7 FCA2163E167E167C5EA24B5AA24B5A15075E4B5AA24BC8FCA2153E157E157C5DA24A5AA2 4A5A14075D4A5AA24AC9FCA2143EA25C14FC5C495AA2495AA2495A130F5C49CAFCA2133E A25B13FC5B485AA2485AA2485A120F5B48CBFCA2123EA25AA25AA2127031537FBD2A>I< EC03F8EC1FFEEC7C1F9138F80780D901E013C0903903C003E0EB0780010F1301D91F0013 F0A2133E137E017C130313FCA2485AA2000314075BA2120716E049130F120FA34848EB1F C0A44848EB3F80A448C7EA7F00A3157E007E14FEA25D00FE13015DA248495AA25D007C13 075D4A5AA24AC7FC6C133E5C6C5B380F83E03807FF80C648C8FC243A77B72A>I51 D<010314186E13F8903907F007F091B5 12E016C01600495B15F8010E13E0020CC7FC011EC8FC131CA3133C1338A313781370A214 7F9038F3FFC09038EF83E09038FC01F0496C7E485A497F49137CC8FC157EA315FEA41401 000C5C123F5A1403485C5A4A5A12F800E05C140F4A5A5D6C49C7FC0070137E00785B387C 01F8383E07F0381FFFC06C90C8FCEA01F8253A77B72A>53 D57 D<0103B512F8A390390007F8005DA2140FA25DA2141FA2 5DA2143FA25DA2147FA292C7FCA25CA25CA21301A25CA21303A25CA21307A25CA2130FA2 5CA2131FA25CA2133FA25CA2137FA291C8FC497EB6FCA25C25397CB820>73 D<0107B612F817FF1880903B000FF0003FE04BEB0FF0EF03F8141FEF01FC5DA2023F15FE A25DA2147FEF03FC92C7FCA24A15F817074A15F0EF0FE01301EF1FC04AEC3F80EFFE0001 034A5AEE0FF091B612C04CC7FCD907F8C9FCA25CA2130FA25CA2131FA25CA2133FA25CA2 137FA291CAFCA25BA25B1201B512FCA337397BB838>80 D<0103B612F017FEEFFF80903B 0007F8003FC04BEB0FF01707020FEC03F8EF01FC5DA2021F15FEA25DA2143FEF03FC5DA2 027FEC07F818F092C7120F18E04AEC1FC0EF3F004A14FEEE01F80101EC0FE091B6128004 FCC7FC9138FC003F0103EC0F80834A6D7E8301071403A25C83010F14075F5CA2011F140F A25CA2133F161F4AECE007A2017F160F180E91C7FC49020F131C007F01FE153CB5913807 F078040313F0CAEAFFE0EF3F80383B7CB83D>82 D<003FB539800FFFFEA326007F80C7EA 7F8091C8EA3F00173E49153CA2491538A20001167817705BA2000316F05F5BA200071501 5F5BA2000F15035F5BA2001F150794C7FC5BA2003F5D160E5BA2007F151E161C90C8FCA2 163C4815385A16781670A216F04B5A5E1503007E4A5A4BC8FC150E6C143E6C6C5B15F039 0FC003E03907F01FC00001B5C9FC38007FFCEB1FE0373B70B83E>85 D<49B5D8F007B5FCA3D9000790C713E0DA03FCEC7F00187C020115786F5C4D5A02005D6F 495A4DC7FC6F5BEE801E5F033F5BEEC0705F92381FC1C016E3EEE780DB0FEFC8FC16FE6F 5A5EA2150382A2150782150F151CED3CFF5D4B7EDA01E07FEDC03FDA03807FEC0700020E 131F021E805C4A130F0270805C49481307494880130749C71203011E81133E01FE81D807 FF1407B500E090387FFFFC93B5FC6040397CB83E>88 D<14F8EB07FE90381F871C90383E 03FE137CEBF801120148486C5A485A120FEBC001001F5CA2EA3F801403007F5C1300A214 07485C5AA2140F5D48ECC1C0A2141F15831680143F1587007C017F1300ECFF076C485B90 38038F8E391F0F079E3907FE03FC3901F000F0222677A42A>97 D<133FEA1FFFA3C67E13 7EA313FE5BA312015BA312035BA31207EBE0F8EBE7FE9038EF0F80390FFC07C013F89038 F003E013E0D81FC013F0A21380A2123F1300A214075A127EA2140F12FE4814E0A2141F15 C05AEC3F80A215005C147E5C387801F8007C5B383C03E0383E07C0381E1F80D80FFEC7FC EA01F01C3B77B926>I<147F903803FFC090380FC1E090381F0070017E13784913383901 F801F83803F003120713E0120FD81FC013F091C7FC485AA2127F90C8FCA35A5AA45AA315 3015381578007C14F0007EEB01E0003EEB03C0EC0F806CEB3E00380F81F83803FFE0C690 C7FC1D2677A426>II<147F903803FFC090380FC1E090383F00F0017E13785B485A 485A485A120F4913F8001F14F0383F8001EC07E0EC1F80397F81FF00EBFFF891C7FC90C8 FC5A5AA55AA21530007C14381578007E14F0003EEB01E0EC03C06CEB0F806CEB3E003807 81F83803FFE0C690C7FC1D2677A426>III II107 DIII<147F903803FFC09038 0FC1F090381F00F8017E137C5B4848137E4848133E0007143F5B120F485AA2485A157F12 7F90C7FCA215FF5A4814FEA2140115FC5AEC03F8A2EC07F015E0140F007C14C0007EEB1F 80003EEB3F00147E6C13F8380F83F03803FFC0C648C7FC202677A42A>I<9039078007C0 90391FE03FF090393CF0787C903938F8E03E9038787FC00170497EECFF00D9F0FE148013 E05CEA01E113C15CA2D80003143FA25CA20107147FA24A1400A2010F5C5E5C4B5A131F5E EC80035E013F495A6E485A5E6E48C7FC017F133EEC70FC90387E3FF0EC0F8001FEC9FCA2 5BA21201A25BA21203A25B1207B512C0A3293580A42A>I<3903C003F0390FF01FFC391E 783C0F381C7C703A3C3EE03F8038383FC0EB7F800078150000701300151CD8F07E90C7FC EAE0FE5BA2120012015BA312035BA312075BA3120F5BA3121F5BA3123F90C9FC120E2126 79A423>114 D<14FE903807FF8090380F83C090383E00E04913F00178137001F813F000 01130313F0A215E00003EB01C06DC7FC7FEBFFC06C13F814FE6C7F6D13807F010F13C013 00143F141F140F123E127E00FE1480A348EB1F0012E06C133E00705B6C5B381E03E06CB4 5AD801FEC7FC1C267AA422>II<13F8D803FEEB01C0D8078FEB03E0390E0F8007121E121C0038140F131F007815C0 1270013F131F00F0130000E015805BD8007E133FA201FE14005B5D120149137EA215FE12 0349EBFC0EA20201131E161C15F813E0163CD9F003133814070001ECF07091381EF8F03A 00F83C78E090393FF03FC090390FC00F00272679A42D>I<01F0130ED803FC133FD8071E EB7F80EA0E1F121C123C0038143F49131F0070140FA25BD8F07E140000E08013FEC6485B 150E12015B151E0003141C5BA2153C000714385B5DA35DA24A5A140300035C6D48C7FC00 01130E3800F83CEB7FF8EB0FC0212679A426>I<903907E007C090391FF81FF89039787C 383C9038F03E703A01E01EE0FE3803C01F018013C0D8070014FC481480000E1570023F13 00001E91C7FC121CA2C75AA2147EA214FEA25CA21301A24A1370A2010314F016E0001C5B 007E1401010714C000FEEC0380010F1307010EEB0F0039781CF81E9038387C3C393FF03F F03907C00FC027267CA427>120 D<13F0D803FCEB01C0D8071EEB03E0D80E1F1307121C 123C0038140F4914C01270A249131FD8F07E148012E013FEC648133F160012015B5D0003 147E5BA215FE00075C5BA214015DA314035D14070003130FEBF01F3901F87FE038007FF7 EB1FC7EB000F5DA2141F003F5C48133F92C7FC147E147C007E13FC387001F8EB03E06C48 5A383C1F80D80FFEC8FCEA03F0233679A428>I E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fj cmbx10 10 48 /Fj 48 124 df<913803FFC0027F13F00103B512FC010FEB00FED93FF8133FD97FE0EBFF 8049485A5A1480484A13C04A6C1380A36F1300167E93C7FCA592383FFFC0B8FCA4000390 C7FCB3ABB5D8FC3F13FFA4303A7EB935>12 D34 D46 D<141E143E14FE1307133FB5FCA313CFEA000FB3B3A6007FB61280A4213779 B630>49 DIII<001C15 C0D81F80130701F8137F90B61280A216005D5D15F05D15804AC7FC14F090C9FCA8EB07FE 90383FFFE090B512F89038FC07FC9038E003FFD98001138090C713C0120EC813E0157F16 F0A216F8A21206EA3F80EA7FE012FF7FA44914F0A26C4813FF90C713E0007C15C06C5B6C 491380D9C0071300390FF01FFE6CB512F8000114E06C6C1380D90FF8C7FC25387BB630> II<123C123EEA3FE090B71280A41700 485D5E5E5EA25E007CC7EA0FC000784A5A4BC7FC00F8147E48147C15FC4A5A4A5AC7485A 5D140F4A5A143F92C8FC5C147E14FE1301A2495AA31307A2130F5CA2131FA5133FA96D5A 6D5A6D5A293A7BB830>I63 D65 D67 DIII75 D77 D80 D82 DI<003F B91280A4D9F800EBF003D87FC09238007FC049161F007EC7150FA2007C1707A200781703 A400F818E0481701A4C892C7FCB3AE010FB7FCA43B387DB742>I89 D<0160130301E05B0003141F49131E48485B48C75A001E5CA248495A00385C0078130300 705CA300F013074891C7FCD8E7C0133ED8FFF0EBFF8001F814C0A201FC14E0A3007F7FA2 6C486C13C0A26C486C1380D807C0EB3E00231D75B932>92 D97 D<13FFB5FCA412077EAF4AB47E020F13F0023F13FC9138FE03FFDAF00013804AEB7FC002 80EB3FE091C713F0EE1FF8A217FC160FA217FEAA17FCA3EE1FF8A217F06E133F6EEB7FE0 6E14C0903AFDF001FF80903AF8FC07FE009039F03FFFF8D9E00F13E0D9C00390C7FC2F3A 7EB935>I<903801FFC0010F13FC017F13FFD9FF8013802603FE0013C048485AEA0FF812 1F13F0123F6E13804848EB7F00151C92C7FC12FFA9127FA27F123FED01E06C7E15036C6C EB07C06C6C14806C6C131FC69038C07E006DB45A010F13F00101138023257DA42A>II<903803FF8001 1F13F0017F13FC3901FF83FE3A03FE007F804848133F484814C0001FEC1FE05B003FEC0F F0A2485A16F8150712FFA290B6FCA301E0C8FCA4127FA36C7E1678121F6C6C14F86D14F0 00071403D801FFEB0FE06C9038C07FC06DB51200010F13FC010113E025257DA42C>II<161FD907FE EBFFC090387FFFE348B6EAEFE02607FE07138F260FF801131F48486C138F003F15CF4990 387FC7C0EEC000007F81A6003F5DA26D13FF001F5D6C6C4890C7FC3907FE07FE48B512F8 6D13E0261E07FEC8FC90CAFCA2123E123F7F6C7E90B512F8EDFF8016E06C15F86C816C81 5A001F81393FC0000F48C8138048157F5A163FA36C157F6C16006D5C6C6C495AD81FF0EB 07FCD807FEEB3FF00001B612C06C6C91C7FC010713F02B377DA530>I<13FFB5FCA41207 7EAFED7FC0913803FFF8020F13FE91381F03FFDA3C01138014784A7E4A14C05CA25CA291 C7FCB3A3B5D8FC3F13FFA4303A7DB935>II<13FFB5FCA412077EAF92 380FFFE0A4923803FC0016F0ED0FE0ED1F804BC7FC157E5DEC03F8EC07E04A5A141FEC7F E04A7E8181A2ECCFFEEC0FFF496C7F806E7F6E7F82157F6F7E6F7E82150F82B5D8F83F13 F8A42D3A7EB932>107 D<13FFB5FCA412077EB3B3ACB512FCA4163A7DB91B>I<01FED97F E0EB0FFC00FF902601FFFC90383FFF80020701FF90B512E0DA1F81903983F03FF0DA3C00 903887801F000749DACF007F00034914DE6D48D97FFC6D7E4A5CA24A5CA291C75BB3A3B5 D8FC1FB50083B512F0A44C257DA451>I<01FEEB7FC000FF903803FFF8020F13FE91381F 03FFDA3C011380000713780003497E6D4814C05CA25CA291C7FCB3A3B5D8FC3F13FFA430 257DA435>I<903801FFC0010F13F8017F13FFD9FF807F3A03FE003FE048486D7E48486D 7E48486D7EA2003F81491303007F81A300FF1680A9007F1600A3003F5D6D1307001F5DA2 6C6C495A6C6C495A6C6C495A6C6C6CB45A6C6CB5C7FC011F13FC010113C029257DA430> I<9039FF01FF80B5000F13F0023F13FC9138FE07FFDAF00113800007496C13C06C0180EB 7FE091C713F0EE3FF8A2EE1FFCA3EE0FFEAA17FC161FA217F8163F17F06E137F6E14E06E EBFFC0DAF00313809139FC07FE0091383FFFF8020F13E0020390C7FC91C9FCACB512FCA4 2F357EA435>I<9038FE03F000FFEB0FFEEC3FFF91387C7F809138F8FFC000075B6C6C5A 5CA29138807F80ED3F00150C92C7FC91C8FCB3A2B512FEA422257EA427>114 D<90383FF0383903FFFEF8000F13FF381FC00F383F0003007E1301007C130012FC15787E 7E6D130013FCEBFFE06C13FCECFF806C14C06C14F06C14F81203C614FC131F9038007FFE 140700F0130114007E157E7E157C6C14FC6C14F8EB80019038F007F090B512C000F81400 38E01FF81F257DA426>I<130FA55BA45BA25B5BA25A1207001FEBFFE0B6FCA3000390C7 FCB21578A815F86CEB80F014816CEBC3E090383FFFC06D1380903803FE001D357EB425> I<01FFEC3FC0B5EB3FFFA4000714016C80B3A35DA25DA26C5C6E4813E06CD9C03E13FF90 387FFFFC011F13F00103138030257DA435>II120 DI<003FB612C0A3D9F0031380EB800749481300003E5C00 3C495A007C133F5D0078495A14FF5D495B5BC6485B92C7FC495A131F5C495A017FEB03C0 EBFFF014E04813C05AEC80074813005A49EB0F80485A003F141F4848133F9038F001FFB7 FCA322257DA42A>II E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fk cmr10 10 81 /Fk 81 124 df11 DIII23 D<001C131C007F137F39FF80FF80A26D13C0A3007F137F 001C131C00001300A40001130101801380A20003130301001300485B00061306000E130E 485B485B485B006013601A197DB92A>34 D<030C1303031E497EA2033E130FA2033C91C7 FCA2037C5BA20378131EA303F8133EA24B133CA20201147CA24B1378A2020314F8A24B5B A302071301007FB91280BA12C0A26C1880C7271F0007C0C7FC021E5CA3023E130FA2023C 91C8FCA2027C5BA20278131EA302F8133E007FB91280BA12C0A26C1880280003E000F8C8 FC4A5BA301071301A202805BA2010F1303A202005BA2491307A2011E5CA3013E130FA201 3C91C9FCA2017C5BA20178131EA20130130C3A4A7BB945>I<121C127FEAFF80A213C0A3 127F121C1200A412011380A2120313005A1206120E5A5A5A12600A1979B917>39 D<146014E0EB01C0EB0380EB0700130E131E5B5BA25B485AA2485AA212075B120F90C7FC A25A121EA2123EA35AA65AB2127CA67EA3121EA2121F7EA27F12077F1203A26C7EA26C7E 1378A27F7F130E7FEB0380EB01C0EB00E01460135278BD20>I<12C07E12707E7E7E120F 6C7E6C7EA26C7E6C7EA21378A2137C133C133E131EA2131F7FA21480A3EB07C0A6EB03E0 B2EB07C0A6EB0F80A31400A25B131EA2133E133C137C1378A25BA2485A485AA2485A48C7 FC120E5A5A5A5A5A13527CBD20>I<15301578B3A6007FB812F8B912FCA26C17F8C80078 C8FCB3A6153036367BAF41>43 D<121C127FEAFF80A213C0A3127F121C1200A412011380 A2120313005A1206120E5A5A5A12600A19798817>II<121C127F EAFF80A5EA7F00121C0909798817>I<150C151E153EA2153C157CA2157815F8A215F014 01A215E01403A215C01407A21580140FA215005CA2141E143EA2143C147CA2147814F8A2 5C1301A25C1303A2495AA25C130FA291C7FC5BA2131E133EA2133C137CA2137813F8A25B 1201A25B1203A25B1207A25B120FA290C8FC5AA2121E123EA2123C127CA2127812F8A25A 12601F537BBD2A>IIIII<1538A2157815F8A2140114031407A2140F141F141B14331473146314C313011483EB 030313071306130C131C131813301370136013C01201EA038013005A120E120C5A123812 305A12E0B712F8A3C73803F800AB4A7E0103B512F8A325397EB82A>I<0006140CD80780 133C9038F003F890B5FC5D5D158092C7FC14FC38067FE090C9FCABEB07F8EB3FFE903878 0F803907E007E090388003F0496C7E12066E7EC87EA28181A21680A4123E127F487EA490 C71300485C12E000605C12700030495A00385C6C1303001E495A6C6C485A3907E03F8000 01B5C7FC38007FFCEB1FE0213A7CB72A>II56 DI<121C127FEAFF80A5EA7F00121CC7FC B2121C127FEAFF80A5EA7F00121C092479A317>I<121C127FEAFF80A5EA7F00121CC7FC B2121C127F5A1380A4127F121D1201A412031300A25A1206A2120E5A121812385A126009 3479A317>I<1538A3157CA315FEA34A7EA34A6C7EA202077FEC063FA2020E7FEC0C1FA2 021C7FEC180FA202387FEC3007A202707FEC6003A202C07F1501A2D901807F81A249C77F 167FA20106810107B6FCA24981010CC7121FA2496E7EA3496E7EA3496E7EA213E0707E12 01486C81D80FFC02071380B56C90B512FEA3373C7DBB3E>65 DI<91 3A01FF800180020FEBE003027F13F8903A01FF807E07903A03FC000F0FD90FF0EB039F49 48EB01DFD93F80EB00FF49C8127F01FE153F12014848151F4848150FA248481507A2485A 1703123F5B007F1601A35B00FF93C7FCAD127F6DED0180A3123F7F001F160318006C7E5F 6C7E17066C6C150E6C6C5D00001618017F15386D6C5CD91FE05C6D6CEB03C0D903FCEB0F 80902701FF803FC7FC9039007FFFFC020F13F002011380313D7BBA3C>IIIII II<013FB512E0A3903900 1FFC00EC07F8B3B3A3123FEA7F80EAFFC0A44A5A1380D87F005B0070131F6C5C6C495A6C 49C7FC380781FC3801FFF038007F80233B7DB82B>IIIIIIIIII<003FB812E0A3D9C003EB001F273E0001FE130348EE01F00078160000701770 A300601730A400E01738481718A4C71600B3B0913807FF80011FB612E0A335397DB83C> IIII<007FB590383FFFFCA3C601F801071380D97FE0D903FCC7FC013FEC01 F06D6C5C5F6D6C5C6D6C13034CC8FC6D6C1306160E6D6C5B6DEB8018163891387FC0306E 6C5A16E06E6C5A91380FF18015FB6EB4C9FC5D14036E7EA26E7F6F7EA24B7E15DF913801 9FF09138038FF8150F91380607FC91380E03FE140C4A6C7EEC38000230804A6D7E14E04A 6D7E49486D7E130391C76C7E01066E7E130E010C6E7E011C1401013C8101FE822607FF80 010713E0B500E0013FEBFF80A339397EB83E>II91 D<3901800180000313033907000700000E130E485B001813180038133800301330007013 7000601360A200E013E0485BA400CE13CE39FF80FF806D13C0A3007F137FA2393F803F80 390E000E001A1974B92A>II97 DIIII<147E903803FF8090380FC1E0EB1F8790383F0F F0137EA213FCA23901F803C091C7FCADB512FCA3D801F8C7FCB3AB487E387FFFF8A31C3B 7FBA19>IIIIIII<2703F00FF0EB1FE000FFD93FFCEB7FF8913AF03F01E07E903B F1C01F83803F3D0FF3800FC7001F802603F70013CE01FE14DC49D907F8EB0FC0A2495CA3 495CB3A3486C496CEB1FE0B500C1B50083B5FCA340257EA445>I<3903F00FF000FFEB3F FCECF03F9039F1C01F803A0FF3800FC03803F70013FE496D7EA25BA35BB3A3486C497EB5 00C1B51280A329257EA42E>II<3903F01FE000FFEB7FF89038F1E07E 9039F3801F803A0FF7000FC0D803FEEB07E049EB03F04914F849130116FC150016FEA316 7FAA16FEA3ED01FCA26DEB03F816F06D13076DEB0FE001F614C09039F7803F009038F1E0 7E9038F0FFF8EC1FC091C8FCAB487EB512C0A328357EA42E>II<3807E01F00FFEB7F C09038E1E3E09038E387F0380FE707EA03E613EE9038EC03E09038FC0080491300A45BB3 A2487EB512F0A31C257EA421>II<1318A51338A31378A313F8120112031207001FB5FCB6FCA2D801 F8C7FCB215C0A93800FC011580EB7C03017E13006D5AEB0FFEEB01F81A347FB220>IIIIII<003FB512FCA2EB8003D83E0013F8003CEB07F00038EB0FE012300070EB1FC0EC3F80 0060137F150014FE495AA2C6485A495AA2495A495A495AA290387F000613FEA2485A485A 0007140E5B4848130C4848131CA24848133C48C7127C48EB03FC90B5FCA21F247EA325> II E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fl cmbx10 10.95 37 /Fl 37 123 df46 D<140F143F5C495A130F48B5FCB6FCA313F7EAFE071200B3B3A8007FB612 F0A5243C78BB34>49 D<903803FF80013F13F890B512FE00036E7E4881260FF80F7F261F C0037F4848C67F486C6D7E6D6D7E487E6D6D7EA26F1380A46C5A6C5A6C5A0007C7FCC8FC 4B1300A25E153F5E4B5AA24B5A5E4A5B4A5B4A48C7FC5D4A5AEC1FE04A5A4A5A9139FF00 0F80EB01FC495A4948EB1F00495AEB1F8049C7FC017E5C5B48B7FC485D5A5A5A5A5AB7FC 5EA4293C7BBB34>I<903801FFE0010F13FE013F6D7E90B612E04801817F3A03FC007FF8 D807F06D7E82D80FFC131F6D80121F7FA56C5A5E6C48133FD801F05CC8FC4B5A5E4B5A4A 5B020F5B902607FFFEC7FC15F815FEEDFFC0D9000113F06E6C7E6F7E6F7E6F7E1780A26F 13C0A217E0EA0FC0487E487E487E487EA317C0A25D491580127F49491300D83FC0495A6C 6C495A3A0FFE01FFF86CB65A6C5DC61580013F49C7FC010313E02B3D7CBB34>II<00071538D80FE0EB01F801FE13 3F90B6FC5E5E5E5E93C7FC5D15F85D15C04AC8FC0180C9FCA9ECFFC0018713FC019F13FF 90B67E020113E09039F8007FF0496D7E01C06D7E5B6CC77FC8120F82A31780A21207EA1F C0487E487E12FF7FA21700A25B4B5A6C5A01805C6CC7123F6D495AD81FE0495A260FFC07 5B6CB65A6C92C7FCC614FC013F13F0010790C8FC293D7BBB34>II<16FCA24B7EA24B7EA34B7FA24B7FA34B7FA24B7FA3 4B7F157C03FC7FEDF87FA2020180EDF03F0203804B7E02078115C082020F814B7E021F81 1500824A81023E7F027E81027C7FA202FC814A147F49B77EA34982A2D907E0C7001F7F4A 80010F835C83011F8391C87E4983133E83017E83017C81B500FC91B612FCA5463F7CBE4F >65 D<922607FFC0130E92B500FC131E020702FF133E023FEDC07E91B7EAE1FE01039138 803FFB499039F80003FF4901C01300013F90C8127F4948151FD9FFF8150F48491507485B 4A1503481701485B18004890CAFC197E5A5B193E127FA349170012FFAC127F7F193EA212 3FA27F6C187E197C6C7F19FC6C6D16F86C6D150119F06C6D15036C6DED07E0D97FFEED0F C06D6CED3F80010F01C0ECFF006D01F8EB03FE6D9039FF801FFC010091B55A023F15E002 071580020002FCC7FC030713C03F407ABE4C>67 DI70 D73 D79 DI82 D<903A03FFC001C0011FEBF803017FEBFE0748B6128F4815DF48010013FFD80F F8130F48481303497F4848EB007F127F49143F161F12FF160FA27F1607A27F7F01FC91C7 FCEBFF806C13F8ECFFC06C14FCEDFF806C15E016F86C816C816C816C16806C6C15C07F01 0715E0EB007F020714F0EC003F1503030013F8167F163F127800F8151FA2160FA27EA217 F07E161F6C16E06D143F01E015C001F8EC7F8001FEEB01FF9026FFE00713004890B55A48 6C14F8D8F81F5CD8F00314C027E0003FFEC7FC2D407ABE3A>I87 D<903807FFC0013F13F848B6FC48812607FE037F260FF8007F6DEB3FF0486C806F7EA36F 7EA26C5A6C5AEA01E0C8FC153F91B5FC130F137F3901FFFE0F4813E0000F1380381FFE00 485A5B485A12FF5BA4151F7F007F143F6D90387BFF806C6C01FB13FE391FFF07F36CEBFF E100031480C6EC003FD91FF890C7FC2F2B7DA933>97 D<13FFB5FCA512077EAFEDFFE002 0713FC021FEBFF80027F80DAFF8113F09139FC003FF802F06D7E4A6D7E4A13074A807013 80A218C082A318E0AA18C0A25E1880A218005E6E5C6E495A6E495A02FCEB7FF0903AFCFF 01FFE0496CB55AD9F01F91C7FCD9E00713FCC7000113C033407DBE3A>IIII<903A03FF8007F0013F9038F83FF8499038FCFFFC48B712FE48018313F9 3A07FC007FC34848EB3FE1001FEDF1FC4990381FF0F81700003F81A7001F5DA26D133F00 0F5D6C6C495A3A03FF83FF8091B5C7FC4814FC01BF5BD80F03138090CAFCA2487EA27F13 F06CB6FC16F016FC6C15FF17806C16C06C16E01207001F16F0393FE000034848EB003F49 EC1FF800FF150F90C81207A56C6CEC0FF06D141F003F16E001F0147FD81FFC903801FFC0 2707FF800F13006C90B55AC615F8013F14E0010101FCC7FC2F3D7DA834>103 D<13FFB5FCA512077EAFED1FF8EDFFFE02036D7E4A80DA0FE07F91381F007F023C805C4A 6D7E5CA25CA35CB3A4B5D8FE0FB512E0A5333F7CBE3A>II<13FF B5FCA512077EB092380FFFFEA5DB01FEC7FC4B5AED07F0ED1FE04B5A4B5A4BC8FCEC03FC 4A5A4A5A141F4A7EECFFFCA2818102E77F02C37F148102007F826F7E6F7E151F6F7E826F 7F6F7F816F7FB5D8FC07EBFFC0A5323F7DBE37>107 D<13FFB5FCA512077EB3B3AFB512 FCA5163F7CBE1D>I<01FFD91FF8ECFFC0B590B5010713F80203DAC01F13FE4A6E487FDA 0FE09026F07F077F91261F003FEBF8010007013EDAF9F0806C0178ECFBC04A6DB4486C7F A24A92C7FC4A5CA34A5CB3A4B5D8FE07B5D8F03FEBFF80A551297CA858>I<01FFEB1FF8 B5EBFFFE02036D7E4A80DA0FE07F91381F007F0007013C806C5B4A6D7E5CA25CA35CB3A4 B5D8FE0FB512E0A533297CA83A>I I<01FFEBFFE0B5000713FC021FEBFF80027F80DAFF8113F09139FC007FF8000701F06D7E 6C496D7E4A130F4A6D7E1880A27013C0A38218E0AA4C13C0A318805E18005E6E5C6E495A 6E495A02FCEBFFF0DAFF035B92B55A029F91C7FC028713FC028113C00280C9FCACB512FE A5333B7DA83A>I<3901FE01FE00FF903807FF804A13E04A13F0EC3F1F91387C3FF80007 13F8000313F0EBFFE0A29138C01FF0ED0FE091388007C092C7FCA391C8FCB3A2B6FCA525 297DA82B>114 D<90383FFC1E48B512BE000714FE5A381FF00F383F800148C7FC007E14 7EA200FE143EA27E7F6D90C7FC13F8EBFFE06C13FF15C06C14F06C806C806C806C80C615 80131F1300020713C014000078147F00F8143F151F7EA27E16806C143F6D140001E013FF 9038F803FE90B55A15F0D8F87F13C026E00FFEC7FC222B7DA929>III121 D<003FB612F8A4D9F80113F001C014E0495A494813C04A1380007E15005C4A5A007C5C14 7F4A5A495B5DC65A495B495BA249EB007C495A5C137F494813FC484913F85C5A48EBC001 14804814034813004848130749131F007FECFFF0B7FCA426287DA72E>I E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fm cmtt12 12 15 /Fm 15 116 df<121FEA3F80EA7FC0EAFFE0A5EA7FC0EA3F80EA1F000B0B6C8A33>46 D64 D97 DI100 DI103 D<14E0EB03F8A2497EA36D5AA2EB00E091C8FCAA383FFFF8487FA47E EA0001B3AD007FB612C0B712E016F0A216E06C15C0243E78BD33>105 D107 D<383FFFFC487FB5FCA27E7EC7FCB3 B3AD003FB612F84815FCB712FEA26C15FC6C15F8273D7ABC33>I<4AB4FC263FFC0713C0 267FFE1F13F000FF017F7F91B5FC6CB67E6CEC07FEC6EBF801ECF0004A7F4A7F5CA291C7 FCA35BB3A43B3FFFF80FFFFC486D4813FEB56C4813FFA26C496C13FE6C496C13FC302C7F AB33>110 DII114 D<90381FFE0F90B5EA8F80000314FF120F5A5AEBF007387F800190C7FC00FE14 7F5A153FA37E007FEC1F0001C090C7FCEA3FF8EBFFC06C13FF6C14E0000314F8C680011F 13FF01001480020713C0EC007FED1FE0007C140F00FEEC07F01503A27EA27F15076D14E0 6D130F6DEB3FC09038FE01FF90B61280160000FD5C00FC14F8D8F83F13E0D8780790C7FC 242E79AC33>I E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fn cmr12 12 32 /Fn 32 122 df<121EEA7F8012FF13C0A213E0A3127FEA1E601200A413E013C0A3120113 80120313005A1206120E5A5A5A12600B1D78891B>44 D<121EEA7F80A2EAFFC0A4EA7F80 A2EA1E000A0A78891B>46 D<16C04B7EA34B7EA34B7EA34B7EA3ED19FEA3ED30FFA20370 7FED607FA203E07FEDC03FA2020180ED801FA2DA03007F160FA20206801607A24A6D7EA3 4A6D7EA34A6D7EA20270810260147FA202E08191B7FCA249820280C7121FA249C87F170F A20106821707A2496F7EA3496F7EA3496F7EA201788313F8486C83D80FFF03037FB500E0 027FEBFFC0A342477DC649>65 DI68 D72 D75 DI78 D80 D<49B41303010FEBE007013F13F89039FE00FE0FD801F8131FD8 07E0EB079F49EB03DF48486DB4FC48C8FC4881003E81127E82127C00FC81A282A37E82A2 7EA26C6C91C7FC7F7FEA3FF813FE381FFFE06C13FE6CEBFFE06C14FC6C14FF6C15C0013F 14F0010F80010180D9001F7F14019138001FFF03031380816F13C0167F163F161F17E000 C0150FA31607A37EA36C16C0160F7E17806C151F6C16006C5D6D147ED8FBC05CD8F9F049 5AD8F07C495A90393FC00FE0D8E00FB51280010149C7FC39C0003FF02B487BC536>83 D 85 D97 DI<167FED3FFF A315018182B3EC7F80903803FFF090380FC07C90383F000E017E1307496D5AD803F87F48 487F5B000F81485AA2485AA2127FA290C8FC5AAB7E7FA2123FA26C7EA2000F5D7F6C6C5B 00035C6C6C9038077F806C6C010E13C0013F011C13FE90380FC0F8903803FFE09026007F 0013002F467DC436>100 DIII105 D107 DII<3901FC01 FE00FF903807FFC091381E07F091383801F8000701707F0003EBE0002601FDC07F5C01FF 147F91C7FCA25BA35BB3A8486CECFF80B5D8F83F13FEA32F2C7DAB36>II<3901FC03FC00FF90380FFF8091383C07E091387001F83A 07FDE000FE00030180137FD801FFEC3F8091C7EA1FC04915E049140F17F0160717F81603 17FCA3EE01FEABEE03FCA3EE07F8A217F0160F6D15E0EE1FC06D143F17806EEB7E00D9FD C05B9039FCF003F891383C0FE091381FFF80DA03FCC7FC91C9FCAE487EB512F8A32F3F7D AB36>I<91387F8003903903FFE00790380FE07890393F801C0F90387E000E496D5AD803 F8EB039F0007EC01BF4914FF48487F121F5B003F81A2485AA348C8FCAB6C7EA3123F7F12 1F6D5C120F6D5B12076C6C5B6C6C497E6C6C130E013F131C90380FC0F8903803FFE09038 007F0091C7FCAEEEFF80033F13FEA32F3F7DAB33>I<3903F803F000FFEB1FFCEC3C3EEC 707F0007EBE0FF3803F9C000015B13FBEC007E153C01FF13005BA45BB3A748B4FCB512FE A3202C7DAB26>I<90383FE0183901FFFC383907E01F78390F0003F8001E130148130000 7C1478127800F81438A21518A27EA27E6C6C13006C7E13FC383FFFE06C13FC6C13FF6C14 C06C14E0C614F0011F13F81300EC0FFC140300C0EB01FE1400157E7E153EA27EA36C143C 6C147C15786C14F86CEB01F039F38003E039F1F00F8039E07FFE0038C00FF01F2E7DAC26 >I<1306A5130EA4131EA3133E137EA213FE12011207001FB512F0B6FCA2C648C7FCB3A4 150CAA017E131C017F1318A26D133890381F8030ECC070903807E0E0903801FFC0903800 7F001E3E7EBC26>III121 D E %EndDVIPSBitmapFont %DVIPSBitmapFont: Fo cmbx12 12 45 /Fo 45 122 df40 D<12F07E127E7E6C7E6C7E6C7E7F6C7E6C7E12007F137F80133F806D7EA26D7EA26D7EA2 801303A2801301A280A27F1580A4EC7FC0A615E0A2143FAE147FA215C0A6ECFF80A41500 5BA25CA213035CA213075CA2495AA2495AA2495A5C137F91C7FC13FE5B1201485A485A5B 485A485A48C8FC127E12F85A1B647ACA2C>I49 DII<163FA25E5E5D5DA25D5D5D5DA25D92B5FCEC01F7EC03E7140715C7EC0F 87EC1F07143E147E147C14F8EB01F0EB03E0130714C0EB0F80EB1F00133E5BA25B485A48 5A485A120F5B48C7FC123E5A12FCB91280A5C8000F90C7FCAC027FB61280A531417DC038 >I<0007150301E0143F01FFEB07FF91B6FC5E5E5E5E5E16804BC7FC5D15E092C8FC01C0 C9FCAAEC3FF001C1B5FC01C714C001DF14F09039FFE03FFC9138000FFE01FC6D7E01F06D 13804915C0497F6C4815E0C8FC6F13F0A317F8A4EA0F80EA3FE0487E12FF7FA317F05B5D 6C4815E05B007EC74813C0123E003F4A1380D81FC0491300D80FF0495AD807FEEBFFFC6C B612F0C65D013F1480010F01FCC7FC010113C02D427BC038>I<4AB47E021F13F0027F13 FC49B6FC01079038807F8090390FFC001FD93FF014C04948137F4948EBFFE048495A5A14 00485A120FA248486D13C0EE7F80EE1E00003F92C7FCA25B127FA2EC07FC91381FFF8000 FF017F13E091B512F89039F9F01FFC9039FBC007FE9039FF8003FF17804A6C13C05B6F13 E0A24915F0A317F85BA4127FA5123FA217F07F121FA2000F4A13E0A26C6C15C06D491380 6C018014006C6D485A6C9038E01FFC6DB55A011F5C010714C0010191C7FC9038003FF02D 427BC038>I<121E121F13FC90B712FEA45A17FC17F817F017E017C0A2481680007EC8EA 3F00007C157E5E00785D15014B5A00F84A5A484A5A5E151FC848C7FC157E5DA24A5A1403 5D14074A5AA2141F5D143FA2147F5D14FFA25BA35B92C8FCA35BA55BAA6D5A6D5A6D5A2F 447AC238>II65 DIIII73 D75 D<923807FFC092B512FE0207ECFFC0 021F15F091267FFE0013FC902601FFF0EB1FFF01070180010313C04990C76C7FD91FFC6E 6C7E49486F7E49486F7E01FF8348496F7E48496F1380A248496F13C0A24890C96C13E0A2 4819F04982003F19F8A3007F19FC49177FA400FF19FEAD007F19FC6D17FFA3003F19F8A2 6D5E6C19F0A26E5D6C19E0A26C6D4B13C06C19806E5D6C6D4B13006C6D4B5A6D6C4B5A6D 6C4B5A6D6C4A5B6D01C001075B6D01F0011F5B010101FE90B5C7FC6D90B65A023F15F802 0715C002004AC8FC030713C047467AC454>79 DI82 DI<003FBA12E0A59026FE000FEB 8003D87FE09338003FF049171F90C71607A2007E1803007C1801A300781800A400F819F8 481978A5C81700B3B3A20107B8FCA545437CC24E>I<903801FFE0011F13FE017F6D7E48 B612E03A03FE007FF84848EB1FFC6D6D7E486C6D7EA26F7FA36F7F6C5A6C5AEA00F090C7 FCA40203B5FC91B6FC1307013F13F19038FFFC01000313E0000F1380381FFE00485A5B12 7F5B12FF5BA35DA26D5B6C6C5B4B13F0D83FFE013EEBFFC03A1FFF80FC7F0007EBFFF86C ECE01FC66CEB8007D90FFCC9FC322F7DAD36>97 DIIIIIII<137C48B4FC4813804813C0A24813E0A56C13C0 A26C13806C1300EA007C90C7FCAAEB7FC0EA7FFFA512037EB3AFB6FCA518467CC520>I< EB7FC0B5FCA512037EB293387FFFE0A593380FE0004C5A4CC7FC167E5EED03F8ED07E04B 5A4B5A037FC8FC15FEECC1FCECC3FE14C7ECDFFF91B57E82A202F97F02E17F02C07FEC80 7F6F7E826F7E816F7F836F7F816F7F83707E163FB60003B512F8A535457DC43B>107 DI<90277F8007FEEC0FFCB590 263FFFC090387FFF8092B5D8F001B512E002816E4880913D87F01FFC0FE03FF8913D8FC0 0FFE1F801FFC0003D99F009026FF3E007F6C019E6D013C130F02BC5D02F86D496D7EA24A 5D4A5DA34A5DB3A7B60081B60003B512FEA5572D7CAC5E>I<90397F8007FEB590383FFF 8092B512E0028114F8913987F03FFC91388F801F000390399F000FFE6C139E14BC02F86D 7E5CA25CA35CB3A7B60083B512FEA5372D7CAC3E>II<90397FC00FF8B590B57E02C314E002CF14F89139DFC03FFC91 39FF001FFE000301FCEB07FF6C496D13804A15C04A6D13E05C7013F0A2EF7FF8A4EF3FFC ACEF7FF8A318F017FFA24C13E06E15C06E5B6E4913806E4913006E495A9139DFC07FFC02 CFB512F002C314C002C091C7FCED1FF092C9FCADB67EA536407DAC3E>I<90387F807FB5 3881FFE0028313F0028F13F8ED8FFC91389F1FFE000313BE6C13BC14F8A214F0ED0FFC91 38E007F8ED01E092C7FCA35CB3A5B612E0A5272D7DAC2E>114 D<90391FFC038090B512 87000314FF120F381FF003383FC00049133F48C7121F127E00FE140FA215077EA27F01E0 90C7FC13FE387FFFF014FF6C14C015F06C14FC6C800003806C15806C7E010F14C0EB003F 020313E0140000F0143FA26C141F150FA27EA26C15C06C141FA26DEB3F8001E0EB7F0090 38F803FE90B55A00FC5CD8F03F13E026E007FEC7FC232F7CAD2C>IIIIIII E %EndDVIPSBitmapFont end %%EndProlog %%BeginSetup %%Feature: *Resolution 600dpi TeXDict begin %%PaperSize: A4 %%EndSetup %%Page: 1 1 1 0 bop 846 282 a Fo(Implemen)m(ting)35 b(In)m(ternet)h(Key)i(Exc)m (hange)g(\(IKE\))1594 523 y Fn(Niklas)32 b(Hallqvist)1374 639 y(Applitron)f(Datasystem)h(AB)1474 756 y Fm(niklas@openbsd.org)1465 988 y Fn(Angelos)g(D.)g(Kerom)m(ytis)806 1104 y(Distributed)f(Systems)j (Lab,)e(Univ)m(ersit)m(y)i(of)e(P)m(ennsylv)-5 b(ania)1448 1220 y Fm(angelos@openbsd.org)0 1546 y Fl(Abstract)0 1829 y Fk(A)29 b(k)n(ey)e(comp)r(onen)n(t)h(of)h(the)f(IP)g(Securit)n (y)g(arc)n(hitecture)f(is)0 1928 y(the)21 b(In)n(ternet)g(Key)f(Exc)n (hange)f(proto)r(col.)33 b(IKE)20 b(is)h(in)n(v)n(ok)n(ed)0 2028 y(to)46 b(establish)f(session)g(k)n(eys)g(\(and)i(asso)r(ciated)d (crypto-)0 2128 y(graphic)25 b(and)g(net)n(w)n(orking)g (con\014guration\))f(b)r(et)n(w)n(een)i(t)n(w)n(o)0 2227 y(hosts)20 b(across)e(the)j(net)n(w)n(ork.)33 b(IKE)19 b(needs)h(to)g(authen)n(ticate)0 2327 y(and)32 b(authorize)f(the)h (parties)f(in)n(v)n(olv)n(ed)g(in)h(an)f(exc)n(hange,)0 2427 y(negotiate)h(parameters)g(to)h(b)r(e)g(used)g(for)g(the)h(comm)n (uni-)0 2526 y(cation,)25 b(and)g(in)n(teract)g(with)g(the)h(lo)r(cal)f (IPsec)f(stac)n(k.)35 b(The)0 2626 y(n)n(um)n(b)r(er)24 b(of)f(tasks,)h(along)f(with)h(the)g(\015exibilit)n(y)g(built)g(in)n (to)0 2725 y(the)i(proto)r(col,)f(as)g(w)n(ell)h(as)f(the)h(need)f(to)h (allo)n(w)f(future)h(ad-)0 2825 y(ditions)35 b(and)g(mo)r (di\014cations)g(to)g(the)h(proto)r(col,)g(need)f(to)0 2925 y(b)r(e)25 b(tak)n(en)g(in)n(to)f(consideration)g(when)h (designing)f(and)h(im-)0 3024 y(plemen)n(ting)j(IKE.)0 3224 y(Another)c(complicating)g(factor)g(is)g(the)h(need)g(for)f (securit)n(y)0 3323 y(p)r(olicy)c(managemen)n(t.)33 b(Although)20 b(IKE)f(can)h(establish)g(se-)0 3423 y(curit)n(y)k(asso)r(ciations)e (with)i(remote)g(hosts,)g(some)g(metho)r(d)0 3522 y(for)e(determining)h (what)f(kinds)h(of)f(tra\016c)h(can)f(and)g(should)0 3622 y(b)r(e)34 b(exc)n(hanged)e(with)i(a)f(remote)g(host)g(is)g (necessary)-7 b(.)53 b(As)0 3722 y(there)40 b(is)f(no)h(standard)e(sp)r (eci\014cation)i(y)n(et,)i(w)n(e)e(are)e(us-)0 3821 y(ing)c(a)g (trust-managemen)n(t)f(based)h(approac)n(h)f(using)h(the)0 3921 y(KeyNote)27 b(system)g(as)g(a)g(basis)g(for)g(sp)r(ecifying)h(p)r (olicy)-7 b(.)0 4120 y(This)36 b(pap)r(er)f(discusses)g(the)h(design,)i (arc)n(hitecture,)e(and)0 4220 y(implemen)n(tation)f(details)g(of)f (the)i(Op)r(enBSD)f(IKE)f(dae-)0 4319 y(mon,)i(with)f(separate)f(men)n (tion)g(of)h(the)g(securit)n(y)e(p)r(olicy)0 4419 y(mec)n(hanism.)0 4818 y Fo(1)112 b(In)m(tro)s(duction)0 5101 y Fk(The)26 b(IP)f(Securit)n(y)g(arc)n(hitecture)f([)p Fj(?)p Fk(],)i(as)f(sp)r (eci\014ed)h(b)n(y)f(the)0 5201 y(IETF)41 b(\(In)n(ternet)h (Engineering)e(T)-7 b(ask)41 b(F)-7 b(orce\),)44 b(is)e(com-)0 5300 y(prised)d(of)h(a)f(set)g(of)h(proto)r(cols)e(that)i(pro)n(vide)e (data)h(in-)0 5400 y(tegrit)n(y)-7 b(,)43 b(con\014den)n(tialit)n(y)-7 b(,)42 b(repla)n(y)d(protection,)k(and)d(au-)2010 1546 y(then)n(tication)29 b(at)g(the)h(net)n(w)n(ork)e(la)n(y)n(er.)40 b(This)30 b(p)r(ositioning)2010 1645 y(in)38 b(the)g(net)n(w)n(ork)f (stac)n(k)g(o\013ers)g(considerable)f(\015exibilit)n(y)2010 1745 y(in)f(transparen)n(tly)e(emplo)n(ying)g(IPsec)h(in)h(di\013eren)n (t)f(roles)2010 1845 y(\()p Fi(e.g.,)c Fk(in)f(building)f(Virtual)g (Priv)-5 b(ate)27 b(Net)n(w)n(orks,)g(end-to-)2010 1944 y(end)f(securit)n(y)-7 b(,)25 b(remote)g(access,)f Fi(etc.)p Fk(\).)37 b(Suc)n(h)26 b(\015exibilit)n(y)f(is)2010 2044 y(not)h(p)r(ossible)f(in)h(higher)f(or)g(lo)n(w)n(er)f(lev)n(els)h(of)g (abstraction.)2010 2243 y(The)e(o)n(v)n(erall)d(IPsec)i(arc)n (hitecture)f(is)i(v)n(ery)e(similar)h(to)h(pre-)2010 2343 y(vious)k(w)n(ork)f([)p Fj(?)p Fk(])i(and)f(is)h(comp)r(osed)f(of) g(three)h(mo)r(dules:)2093 2616 y Fh(\017)41 b Fk(The)36 b(data)g(encryption/authen)n(tication)f(proto)r(cols)2176 2716 y([)p Fj(?)p Fk(,)41 b Fj(?)p Fk(].)75 b(These)41 b(are)e(the)i(\\wire)e(proto)r(cols,")j(used)2176 2815 y(for)37 b(encapsulating)f(IP)h(pac)n(k)n(ets)f(to)i(b)r(e)f (protected.)2176 2915 y(Outgoing)19 b(pac)n(k)n(ets)f(are)h(authen)n (ticated,)i(encrypted,)2176 3014 y(and)53 b(encapsulated)g(just)h(b)r (efore)f(b)r(eing)g(sen)n(t)g(to)2176 3114 y(the)33 b(net)n(w)n(ork,)e (and)h(incoming)g(pac)n(k)n(ets)f(are)g(decap-)2176 3214 y(sulated,)49 b(v)n(eri\014ed,)g(and)c(decrypted)g(immediately)2176 3313 y(up)r(on)25 b(receipt.)35 b(These)25 b(proto)r(cols)e(are)g(t)n (ypically)h(im-)2176 3413 y(plemen)n(ted)42 b(inside)g(the)g(k)n (ernel,)i(for)d(p)r(erformance)2176 3513 y(and)35 b(securit)n(y)f (reasons.)57 b(A)35 b(brief)g(o)n(v)n(erview)e(of)i(the)2176 3612 y(Op)r(enBSD)29 b(k)n(ernel)f(IPsec)g(arc)n(hitecture)g(is)h(giv)n (en)f(in)2176 3712 y(Section)g(2.)2093 3874 y Fh(\017)41 b Fk(The)f(k)n(ey)f(exc)n(hange)f(proto)r(col)h(\(IKE\))g([)p Fj(?)q Fk(])g(is)h(used)2176 3974 y(to)23 b(dynamically)g(establish)g (and)g(main)n(tain)h(Securit)n(y)2176 4073 y(Asso)r(ciations)38 b(\(SAs\).)72 b(An)39 b(SA)h(is)e(the)i(set)f(of)g(pa-)2176 4173 y(rameters)26 b(necessary)f(for)i(one-w)n(a)n(y)e(secure)i(comm)n (u-)2176 4273 y(nication)21 b(b)r(et)n(w)n(een)h(t)n(w)n(o)f(hosts)g (\()p Fi(e.g.,)k Fk(cryptographic)2176 4372 y(k)n(eys,)k(algorithm)e(c) n(hoice,)i(ordering)e(of)i(transforms,)2176 4472 y Fi(etc.)p Fk(\).)38 b(Although)27 b(the)g(wire)g(proto)r(cols)f(can)h(b)r(e)g (used)2176 4572 y(on)38 b(their)h(o)n(wn)e(using)i(man)n(ual)e(k)n(ey)h (managemen)n(t,)2176 4671 y(wide)27 b(deplo)n(ymen)n(t)f(and)g(use)h (of)f(IPsec)g(in)h(the)g(In)n(ter-)2176 4771 y(net)32 b(requires)d(automated,)j(on-demand)e(SA)i(estab-)2176 4870 y(lishmen)n(t.)2176 5001 y(Due)c(to)f(the)h(large)e(n)n(um)n(b)r (er)i(and)f(v)-5 b(ariet)n(y)27 b(of)g(con\014g-)2176 5101 y(urations)38 b(and)i(options)e(an)h(IKE)g(implemen)n(tation)2176 5201 y(m)n(ust)34 b(supp)r(ort,)h(this)g(part)e(of)h(the)g(IPsec)f(arc) n(hitec-)2176 5300 y(ture)c(tends)h(to)f(dominate)g(the)h(other)e(t)n (w)n(o)h(in)g(terms)2176 5400 y(of)k(co)r(de)g(size)f(and)h(complexit)n (y)-7 b(.)52 b(The)33 b(\014rst)g(part)f(of)p eop %%Page: 2 2 2 1 bop 166 83 a Fk(this)36 b(pap)r(er)e(discusses)h(the)g(Op)r(enBSD)h (implemen-)166 183 y(tation)27 b(of)h(IKE.)83 366 y Fh(\017)41 b Fk(The)50 b(p)r(olicy)h(mo)r(dule)f(go)n(v)n(erns)e(the)j(handling)f (of)166 466 y(pac)n(k)n(ets)34 b(on)h(their)h(w)n(a)n(y)e(in)n(to)h(or) f(out)i(of)f(an)g(IPsec-)166 566 y(complian)n(t)28 b(host.)39 b(Ev)n(en)27 b(though)h(the)h(securit)n(y)e(pro-)166 665 y(to)r(cols)37 b(protect)f(the)i(data)f(from)g(tamp)r(ering,)i (they)166 765 y(do)g(not)g(address)f(the)i(issue)e(of)i(whic)n(h)f (host)g(is)g(al-)166 865 y(lo)n(w)n(ed)k(to)h(exc)n(hange)f(what)h (kind)h(of)f(tra\016c)g(with)166 964 y(what)33 b(other)g(host.)54 b(While)34 b(traditional)f(pac)n(k)n(et)f(\014l-)166 1064 y(tering)g(mec)n(hanisms,)h(suc)n(h)g(as)f(emplo)n(y)n(ed)f(in)i (mo)r(d-)166 1163 y(ern)21 b(\014rew)n(alls,)g(can)g(b)r(e)g(used)g (\(with)h(minor)f(mo)r(di\014ca-)166 1263 y(tions\))g(in)h(enforcing)e (tra\016c)h(p)r(olicies,)h(a)f(higher-lev)n(el)166 1363 y(mec)n(hanism)28 b(for)g(v)-5 b(alidating)28 b(and)g(con\014guring)f (suc)n(h)166 1462 y(\014lters)f(is)g(needed.)37 b(The)26 b(second)f(part)h(of)g(this)h(pap)r(er)166 1562 y(discusses)f(the)i (implemen)n(tation)f(of)g(a)f(securit)n(y)g(p)r(ol-)166 1662 y(icy)j(mec)n(hanism)f(based)g(on)h(trust)g(managemen)n(t)f([)p Fj(?)p Fk(])166 1761 y(in)g(the)g(Op)r(enBSD)g(IPsec.)0 2069 y Fl(1.1)105 b(P)m(ap)s(er)35 b(Organization)0 2377 y Fk(The)25 b(remainder)f(of)h(this)h(pap)r(er)e(is)h(organized)f(as)g (follo)n(ws.)0 2476 y(Section)g(2)g(outlines)g(the)h(Op)r(enBSD)g (IPsec)e(arc)n(hitecture.)0 2576 y(Section)g(3)f(giv)n(es)g(a)g(brief)h (o)n(v)n(erview)e(of)i(the)g(IKE)f(proto)r(col,)0 2676 y(while)28 b(Section)f(4)g(discusses)g(the)h(design)f(and)g(implemen-)0 2775 y(tation)37 b(of)f(the)i(Op)r(enBSD)f(IKE)f(implemen)n(tation,)j (and)0 2875 y(Section)e(5)g(presen)n(ts)g(the)h(securit)n(y)e(p)r (olicy)i(mec)n(hanism.)0 2975 y(Related)28 b(and)f(future)h(w)n(ork)e (is)i(presen)n(ted)f(in)g(Section)h(6.)0 3399 y Fo(2)112 b(Op)s(enBSD)38 b(IPsec)0 3706 y Fk(IPsec)43 b(in)h(the)g(Op)r(enBSD)h (k)n(ernel)e(is)g(implemen)n(ted)i(as)0 3806 y(just)24 b(another)f(pair)g(of)g(IP)g(transp)r(ort)g(proto)r(cols)f(\(AH)i(and)0 3906 y(ESP\).)f(Th)n(us,)h(incoming)f(IPsec)f(pac)n(k)n(ets)g(destined) i(to)f(the)0 4005 y(lo)r(cal)37 b(host)g(are)f(submitted)i(to)f(the)h (appropriate)d(IPsec)0 4105 y(proto)r(col)27 b(for)h(pro)r(cessing)f (based)h(on)g(the)h(proto)r(col)e(n)n(um-)0 4204 y(b)r(er)38 b(in)g(the)g(IP)g(header.)67 b(The)38 b(SA)g(needed)g(to)g(pro)r(cess)0 4304 y(the)27 b(pac)n(k)n(et)f(is)h(lo)r(cated)g(in)g(an)g(in-k)n (ernel)f(database)f(using)0 4404 y(information)33 b(retriev)n(ed)f (from)h(the)h(pac)n(k)n(et)e(itself.)55 b(Once)0 4503 y(the)25 b(pac)n(k)n(et)f(has)g(b)r(een)h(correctly)e(pro)r(cessed)h (\(decrypted,)0 4603 y(authen)n(ticit)n(y)36 b(v)n(eri\014ed,)i Fi(etc.)p Fk(\),)h(it)d(is)g(re-queued)g(for)f(fur-)0 4703 y(ther)30 b(pro)r(cessing)e(b)n(y)h(the)h(IP)f(mo)r(dule,)i (accompanied)d(b)n(y)0 4802 y(additional)e(information)h(\(suc)n(h)g (as)f(the)h(fact)g(that)h(it)f(w)n(as)0 4902 y(receiv)n(ed)35 b(securely\))h(for)g(use)g(b)n(y)g(higher)f(proto)r(cols)g(and)0 5001 y(the)28 b(so)r(c)n(k)n(et)f(la)n(y)n(er.)0 5201 y(Outgoing)38 b(pac)n(k)n(ets)g(require)h(somewhat)g(di\013eren)n(t)g (pro-)0 5300 y(cessing.)c(When)26 b(a)f(pac)n(k)n(et)f(is)h(handed)g (to)g(the)h(IP)f(mo)r(dule)0 5400 y(for)40 b(transmission,)i(a)e(lo)r (okup)g(is)g(made)g(in)h(a)f(mo)r(di\014ed)2010 83 y(v)n(ersion)30 b(of)i(the)g(routing)f(table)h(\(called)f(Securit)n(y)g(P)n(olicy)2010 183 y(Database,)24 b(or)e(SPD,)i(in)g(the)g(IPsec)e(standards\))h(to)h (deter-)2010 282 y(mine)k(whether)f(that)g(pac)n(k)n(et)f(needs)i(to)f (b)r(e)g(pro)r(cessed)f(b)n(y)2010 382 y(IPsec.)56 b(If)34 b(this)h(is)f(the)g(case,)h(the)g(result)f(of)g(the)h(lo)r(okup)2010 482 y(also)22 b(sp)r(eci\014es)g(what)h(SA\(s\))g(to)g(use)g(for)f (IPsec-pro)r(cessing)2010 581 y(the)32 b(pac)n(k)n(et.)49 b(Once)31 b(pro)r(cessed,)h(the)g(pac)n(k)n(et)f(is)h(then)g(re-)2010 681 y(queued)25 b(for)g(transmission)e(b)n(y)i(IP)-7 b(.)25 b(If)g(no)g(SA)g(is)g(curren)n(tly)2010 780 y(established)k (with)g(the)h(destination)f(host,)g(the)g(pac)n(k)n(et)f(is)2010 880 y(dropp)r(ed)j(and)f(a)h(message)e(is)i(sen)n(t)g(to)f(the)h(k)n (ey)g(manage-)2010 980 y(men)n(t)j(daemon)f(through)g(the)h Fj(PF)p 3141 980 29 4 v 34 w(KEY)g Fk(in)n(terface)f([)p Fj(?)p Fk(].)2010 1079 y(It)h(is)g(then)g(the)h(k)n(ey)e(managemen)n (t's)g(task)g(to)h(negotiate)2010 1179 y(the)28 b(necessary)e(SAs.)2010 1378 y(T)-7 b(o)44 b(manage)f(the)i(SA)g(and)f(SPD)g(tables,)49 b(w)n(e)44 b(use)g(the)2010 1478 y(PF)p 2126 1478 25 4 v 30 w(KEY)38 b(in)n(terface,)i(whic)n(h)f(is)f(similar)g(in)h (concept)f(to)2010 1577 y(the)29 b(routing)e(so)r(c)n(k)n(et)g(in)n (terface)g(a)n(v)-5 b(ailable)27 b(in)i(BSD.)f(Both)2010 1677 y(man)n(ual)36 b(k)n(eying)g(utilities)i(and)f(k)n(ey)f(managemen) n(t)g(dae-)2010 1777 y(mons)20 b(\(suc)n(h)h(as)f(IKE)f(or)h(Photuris)f ([)p Fj(?)q Fk(]\))i(use)f(this)h(in)n(terface)2010 1876 y(to)27 b(comm)n(unicate)h(with)g(the)g(k)n(ernel.)2010 2076 y(A)e(somewhat)f(dated)h(o)n(v)n(erview)e(of)i(the)g(Op)r(enBSD)g (IPsec)2010 2175 y(arc)n(hitecture)g(is)i(giv)n(en)f(in)h([)p Fj(?)p Fk(].)2010 2600 y Fo(3)112 b(The)38 b(IKE)e(Proto)s(col)2010 2909 y Fk(IPsec)d(pro)n(vides)g(a)h(solution)g(to)g(the)g(problem)g(of) g(secur-)2010 3009 y(ing)k(comm)n(unications.)70 b(Ho)n(w)n(ev)n(er,)39 b(for)f(large-scale)e(de-)2010 3109 y(plo)n(ymen)n(t)31 b(and)g(use,)h(an)e(automated)h(metho)r(d)h(for)f(man-)2010 3208 y(aging)41 b(SAs)h(and)g(k)n(ey)f(setup)h(is)g(required.)80 b(There)41 b(are)2010 3308 y(sev)n(eral)32 b(issues)g(in)i(this)f (problem)g(domain:)48 b(negotiation)2010 3407 y(of)e(SA)g(attributes,) 51 b(authen)n(tication,)f(secure)45 b(k)n(ey)g(dis-)2010 3507 y(tribution,)f(and)c(k)n(ey)g(aging)f(to)h(name)g(some.)75 b(Man)n(ual)2010 3607 y(managemen)n(t)41 b(is)i(complicated,)i (tedious,)h(error-prone,)2010 3706 y(and)h(do)r(es)g(not)g(scale.)95 b(Standardized)46 b(proto)r(cols)g(ad-)2010 3806 y(dressing)g(these)i (issues)e(are)h(needed;)57 b(IETF's)47 b(recom-)2010 3906 y(mended)37 b(proto)r(col)f(is)h(named)g(IKE,)f(the)i(In)n(ternet) f(Key)2010 4005 y(Exc)n(hange.)58 b(IKE)34 b(is)h(based)g(on)g(a)g (framew)n(ork)e(proto)r(col)2010 4105 y(called)22 b(ISAKMP)h(and)f (implemen)n(ts)h(seman)n(tics)f(from)h(the)2010 4204 y(Oakley)32 b(k)n(ey)g(exc)n(hange,)g(therefore)g(IKE)g(is)h(also)f (kno)n(wn)2010 4304 y(as)27 b(ISAKMP/Oakley)-7 b(.)2010 4503 y(The)23 b(IKE)e(proto)r(col)g(is)i(unfortunately)f(a)g(rather)g (complex)2010 4603 y(one,)35 b(with)f(man)n(y)g(mo)r(des)f(and)h (options.)55 b(F)-7 b(urthermore,)2010 4703 y(new)24 b(extensions)f(prop)r(osed)f(result)i(in)g(a)f(further)g(increase)2010 4802 y(in)35 b(complexit)n(y)-7 b(.)59 b(In)n(terop)r(eration)34 b(has)g(b)r(een)i(a)f(problem)2010 4902 y(b)r(ecause)g(of)g(this,)i (but)f(w)n(e)e(are)g(b)r(eginning)h(to)g(see)g(go)r(o)r(d)2010 5001 y(in)n(terop)r(erabilit)n(y)28 b(in)i(the)g(mandatory)e(parts)h (of)g(the)h(pro-)2010 5101 y(to)r(col.)2010 5300 y(The)35 b(IKE)f(proto)r(col)g(has)g(t)n(w)n(o)h(phases:)50 b(the)36 b(\014rst)f(phase)2010 5400 y(establishes)k(a)g(secure)g(c)n(hannel)g (b)r(et)n(w)n(een)h(the)g(t)n(w)n(o)f(k)n(ey)p eop %%Page: 3 3 3 2 bop 0 83 a Fk(managemen)n(t)39 b(daemons,)k(while)e(in)g(the)g (second)f(phase)0 183 y(IPsec)j(SAs)i(can)f(b)r(e)h(directly)f (negotiated.)86 b(The)44 b(\014rst)0 282 y(phase)23 b(negotiates)g(at)g (least)h(an)f(authen)n(tication)h(metho)r(d,)0 382 y(an)36 b(encryption)f(algorithm,)i(a)e(hash)h(algorithm,)h(and)e(a)0 482 y(Di\016e-Hellman)c([)p Fj(?)p Fk(])f(group.)44 b(This)30 b(set)g(of)h(parameters)d(is)0 581 y(called)i(a)f(\\Phase)f(1)i(SA.")g (Using)g(this)g(information,)g(the)0 681 y(p)r(eers)24 b(authen)n(ticate)g(eac)n(h)g(other)f(and)i(compute)f(k)n(ey)g(ma-)0 780 y(terial)30 b(to)g(use)g(for)g(protecting)g(Phase)f(2.)44 b(Dep)r(ending)31 b(on)0 880 y(the)24 b(protection)g(suite)g(sp)r (eci\014ed)g(during)f(Phase)g(1,)h(di\013er-)0 980 y(en)n(t)33 b(mo)r(des)g(can)f(b)r(e)i(used)e(to)h(establish)g(a)f(Phase)g(1)h(SA,) 0 1079 y(the)38 b(t)n(w)n(o)f(most)g(imp)r(ortan)n(t)g(ones)g(b)r(eing) h(\\main)e(mo)r(de")0 1179 y(and)31 b(\\aggressiv)n(e)c(mo)r(de.")45 b(Main)31 b(mo)r(de)g(pro)n(vides)e(iden-)0 1279 y(tit)n(y)24 b(protection,)h(b)n(y)f(transmitting)f(the)i(iden)n(tities)g(of)f(the)0 1378 y(p)r(eers)35 b(encrypted.)62 b(Aggressiv)n(e)34 b(mo)r(de)i(pro)n(vides)e(some-)0 1478 y(what)42 b(w)n(eak)n(er)f (guaran)n(tees,)j(but)f(requires)f(few)n(er)f(mes-)0 1577 y(sages)28 b(and)i(allo)n(ws)e(for)h(\\road)f(w)n(arrior")1323 1547 y Fg(1)1390 1577 y Fk(t)n(yp)r(es)h(of)h(con-)0 1677 y(\014guration)c(using)i(passphrase-based)c(authen)n(tication.)0 1876 y(The)g(second)f(phase)h(is)g(commonly)f(called)h(\\quic)n(k)e(mo) r(de")0 1976 y(and)30 b(results)g(in)h(a)f(IPsec)g(SA)h(tuple)g(\(one)f (incoming)g(and)0 2076 y(one)40 b(outgoing\).)74 b(As)40 b(quic)n(k)g(mo)r(de)g(is)h(protected)e(b)n(y)h(a)0 2175 y(Phase)f(1)g(SA,)h(it)g(do)r(es)f(not)h(need)g(to)f(pro)n(vide)g(its)h (o)n(wn)0 2275 y(authen)n(tication)29 b(protection,)h(allo)n(wing)f (for)g(a)g(fast)h(nego-)0 2374 y(tiation)f(\(hence)g(the)g(name\).)41 b(Optionally)-7 b(,)28 b(a)h(new)g(Di\016e-)0 2474 y(Hellman)e (computation)g(can)g(b)r(e)g(done,)g(pro)n(viding)f(\\P)n(er-)0 2574 y(fect)34 b(F)-7 b(orw)n(ard)33 b(Secrecy".)54 b(PFS)34 b(is)g(an)f(attribute)h(of)g(en-)0 2673 y(crypted)18 b(comm)n(unications)g(allo)n(wing)f(for)h(a)g(transien)n(t)g(ses-)0 2773 y(sion)32 b(k)n(ey)h(to)f(get)h(compromised)f(without)h (a\013ecting)g(the)0 2873 y(securit)n(y)i(of)i(future)g(k)n(eys)e (negotiated)h(under)g(the)h(same)0 2972 y(Phase)j(1)g(SA)i(\(in)f (other)g(w)n(ords,)i(all)d(session)g(k)n(eys)g(are)0 3072 y(cryptographically)25 b(indep)r(enden)n(t\).)0 3514 y Fo(4)112 b(Op)s(enBSD)38 b(IKE)0 3841 y Fk(During)k(spring)f (1998,)i(Ericsson)d(Radio)h(Systems)h(w)n(as)0 3940 y(lo)r(oking)23 b(for)h(tec)n(hnology)e(that)j(could)f(secure)f(general)g(IP-)0 4040 y(tra\016c)g(in)h(net)n(w)n(orks)e(of)i(tens,)g(ma)n(yb)r(e)f(h)n (undreds)h(of)f(thou-)0 4140 y(sands)29 b(of)g(participating)f(hosts.) 42 b(F)-7 b(airly)29 b(so)r(on)f(it)i(b)r(ecame)0 4239 y(eviden)n(t)37 b(that)g(IPsec)f(w)n(as)g(the)h(righ)n(t)g(approac)n (h,)g(but)h(it)0 4339 y(w)n(as)17 b(not)i(at)f(all)h(clear)e(what)i (IKE)e(implemen)n(tation)i(to)f(use.)0 4439 y(The)30 b(IKE)g(standard)f(w)n(as)g(still)i(ev)n(olving,)e(and)h(a)n(v)-5 b(ailable)0 4538 y(implemen)n(tations)18 b(w)n(ere)g(lac)n(king)f(in)i (either)f(functionalit)n(y)-7 b(,)0 4638 y(p)r(ortabilit)n(y)g(,)32 b(exp)r(ortabilit)n(y)-7 b(,)31 b(or)g(scalabilit)n(y)-7 b(.)46 b(After)32 b(ha)n(v-)0 4737 y(ing)f(b)r(een)g(presen)n(ted)g (with)g(the)h(state)f(of)g(the)g(IKE)f(mar-)0 4837 y(k)n(et,)e (Ericsson)f(agreed)g(to)h(fund)h(the)f(dev)n(elopmen)n(t)g(of)g(an)0 4937 y(IKE)23 b(implemen)n(tation)g(written)h(from)f(scratc)n(h,)g Fi(isakmp)l(d.)0 5036 y Fk(The)29 b(initial)g(authors)f(w)n(ere)h (Niklas)f(Hallqvist)h(and)g(Niels)0 5136 y(Pro)n(v)n(os,)c(b)r(oth)j (from)f(the)h(Op)r(enBSD)g(pro)5 b(ject.)p 0 5244 744 4 v 92 5298 a Ff(1)127 5321 y Fe(Remote)29 b(mobile)f(users)h(that)i (need)f(to)g(access)g(the)g(protected)0 5400 y(net)n(w)n(ork)25 b(b)r(ehind)f(a)g(\014rew)n(all,)e(using)i(IPsec.)2010 83 y Fl(4.1)105 b(Arc)m(hitecture)2010 419 y Fk(When)38 b(reading)e(the)h(drafts)g(\(later)g(RF)n(Cs\))g(on)g(IKE,)g(it)2010 518 y(b)r(ecame)28 b(clear)e(the)i(proto)r(col)f(w)n(as)f(complex,)i (with)g(man)n(y)2010 618 y(degrees)23 b(of)i(freedom.)35 b(It)25 b(w)n(as)f(also)g(kno)n(wn)g(that)g Fi(isakmp)l(d)2010 718 y Fk(w)n(ould)g(b)r(e)g(p)r(orted)g(to)g(sev)n(eral)e(platforms,)i (eac)n(h)f(with)i(dif-)2010 817 y(feren)n(t)41 b(APIs)g(to)g(the)g (IPsec)f(stac)n(k.)77 b(There)40 b(w)n(ere)g(also)2010 917 y(a)32 b(n)n(um)n(b)r(er)g(of)h(prop)r(osals)d(for)i(IKE)g (extensions)g(in)g(v)-5 b(ary-)2010 1016 y(ing)39 b(stages)g(of)g (completion.)73 b(All)40 b(these)f(facts)h(p)r(oin)n(ted)2010 1116 y(to)n(w)n(ards)34 b(a)h(v)n(ery)f(mo)r(dular)h(arc)n(hitecture)f (with)i(distinct)2010 1216 y(APIs)h(b)r(et)n(w)n(een)h(the)g (subsystems.)67 b(T)-7 b(o)37 b(a)n(v)n(oid)f(dev)n(elop-)2010 1315 y(men)n(t)d(complexit)n(y)-7 b(,)34 b(w)n(e)e(also)g(decided)g(to) h(map)g(the)g(con-)2010 1415 y(cepts)h(of)g(the)g(standards)f(fairly)h (directly)f(on)n(to)h(in)n(ternal)2010 1515 y(data)27 b(structures.)2010 1714 y(Giv)n(en)59 b(ho)n(w)f Fi(isakmp)l(d)i Fk(w)n(ould)e(w)n(ork)g(\(accepting)g(in-)2010 1813 y(b)r(ound)21 b(pac)n(k)n(ets,)g(doing)f(some)g(pro)r(cessing)f(in)i(the)g(pac)n(k)n (et-)2010 1913 y(prescrib)r(ed)29 b(con)n(text,)h(sending)f(a)g (reply\),)h(it)h(felt)f(natural)2010 2013 y(to)j(build)h(a)g (message-based)d(ev)n(en)n(t-driv)n(en)h(application.)2010 2112 y(Th)n(us)39 b Fi(isakmp)l(d)i Fk(lo)r(oks)e(lik)n(e)g(most)g (Unix)h(UDP)g(serv)n(ers,)2010 2212 y(with)27 b(a)g(main)f(lo)r(op)h (consisting)f(of)h(a)f(select)h(call)f(follo)n(w)n(ed)2010 2312 y(b)n(y)34 b(a)f(m)n(ultiplexor)g(calling)h(the)g(righ)n(t)f (handlers)g(for)h(the)2010 2411 y(o)r(ccurring)26 b(ev)n(en)n(ts.)2010 2610 y(The)k(most)h(common)f(ev)n(en)n(t)g(is)g(pac)n(k)n(et)f(arriv)-5 b(al,)30 b(handled)2010 2710 y(b)n(y)42 b(the)g(message)f(mo)r(dule)i (whic)n(h)f(is)g(also)f(resp)r(onsible)2010 2810 y(for)31 b(pac)n(k)n(et)f(v)-5 b(alidation)30 b(and)h(con)n(text)g(lo)r(okup.)47 b(Another)2010 2909 y(fairly)33 b(common)g(ev)n(en)n(t)g(is)g(the)h (timeout,)i(dealt)d(with)h(b)n(y)2010 3009 y(the)20 b(timer)f(mo)r (dule.)35 b(There)19 b(are)f(also)h(application)g(ev)n(en)n(ts,)2010 3109 y(whic)n(h)37 b(are)f(up)r(calls)g(from)h(the)g(con)n(trolled)f (application,)2010 3208 y(in)30 b(our)f(case)g(the)h(IPsec)f(stac)n(k.) 42 b(The)30 b(design)f(of)g Fi(isakmp)l(d)2010 3308 y Fk(allo)n(ws)34 b(for)h(other)g(suc)n(h)g(\\applications")e(in)j(the)g (future.)2010 3407 y(This)28 b(is)h(the)f(reason)f(wh)n(y)h(it)h(is)g (called)f Fi(isakmp)l(d,)i Fk(instead)2010 3507 y(of)25 b Fi(ike)l(d.)37 b Fk(IKE)24 b(is)g(just)h(one)g(p)r(ossible)f(instan)n (tiation)g(of)h(the)2010 3607 y(ISAKMP)39 b(framew)n(ork.)72 b(The)40 b(up)r(calls)g(are)f(dealt)h(with)2010 3706 y(b)n(y)29 b(the)g(application)f(mo)r(dule,)h(whic)n(h)g(to)g(a)f (great)g(exten)n(t)2010 3806 y(consists)f(of)h(system-dep)r(enden)n(t)g (co)r(de)f(dealing)g(with)i(the)2010 3906 y(IPsec)37 b(stac)n(k)g(at)h(hand.)69 b(Curren)n(tly)-7 b(,)39 b(there)f(exist)g (three)2010 4005 y(application)h(bac)n(k-ends,)i(PF)p 2988 4005 25 4 v 30 w(KEY,)e(PF)p 3375 4005 V 29 w(ENCAP)g(and)2010 4105 y(F)-7 b(reeS/W)e(AN's)27 b(NetLink)h(API.)2010 4304 y(F)-7 b(or)30 b(con)n(trolling)e Fi(isakmp)l(d)k Fk(there)f(are)e(a)h(couple)g(of)g(mo)r(d-)2010 4404 y(ules)36 b(w)n(orth)f(men)n(tioning.)62 b(The)36 b(\\user)f(in)n (terface")g(\()p Fi(UI)p Fk(\))2010 4503 y(mo)r(dule)26 b(listens)g(for)f(async)n(hronous)e(ev)n(en)n(ts)i(that)h(con)n(trol) 2010 4603 y(di\013eren)n(t)19 b(asp)r(ects)f(of)g Fi(isakmp)l(d,)k Fk(lik)n(e)d(debugging)e(lev)n(el,)j(ac-)2010 4703 y(tiv)n(e)j (connections)f Fi(etc.)36 b Fk(This)23 b(is)g(curren)n(tly)f(done)h (through)2010 4802 y(a)e(FIF)n(O,)h(but)g(the)g(design)f(allo)n(ws)f (use)i(of)g(so)r(c)n(k)n(ets)e(or)h(some)2010 4902 y(other)i(IPC)g(mec) n(hanism.)35 b(There)23 b(is)h(also)e(a)i(con\014guration)2010 5001 y(mo)r(dule)39 b(dealing)e(with)i(con\014guration)e(\014le)h (parsing,)i(as)2010 5101 y(w)n(ell)c(as)h(lo)r(okups)f(and)g(o)n(v)n (errides)e(\(via)j(UI\))g(of)g(con\014gu-)2010 5201 y(ration)30 b(en)n(tries.)44 b(Last)30 b(but)h(not)g(least,)g(there)f(is)g(a)g(p)r (olicy)2010 5300 y(mo)r(dule)c(con)n(trolling)f(what)h(kind)h(of)f(SAs) g(are)f(allo)n(w)n(ed)g(to)2010 5400 y(b)r(e)j(negotiated)f(and)g(b)n (y)h(whom)f(\(see)h(Section)f(5\).)p eop %%Page: 4 4 4 3 bop 0 83 a Fk(As)33 b(ISAKMP)g(is)g(a)g(transp)r(ort-neutral)e (proto)r(col,)i(there)0 183 y(is)44 b(also)e(a)h(transp)r(ort)g(mo)r (dule,)48 b(whic)n(h)c(is)f(actually)g(an)0 282 y(abstract)i(class)f (in)i(an)g(ob)5 b(ject-orien)n(ted)44 b(view.)91 b(Since)0 382 y(IKE)18 b(only)h(requires)f(UDP)i(as)f(the)g(transp)r(ort)g(mec)n (hanism,)0 482 y(there)h(is)g(just)h(one)f(deriv)n(ed)g(class,)h(the)g Fi(udp)g Fk(class.)33 b(Finally)-7 b(,)0 581 y(there)38 b(is)f(also)g(a)g(lo)n(w-lev)n(el)f(net)n(w)n(ork)h(in)n(terface)g(mo)r (dule)0 681 y(whic)n(h)28 b(pro)n(vides)e(in)n(terface-w)n(alking,)f Fi(etc.)0 880 y Fk(As)k(all)g(ISAKMP)f(pac)n(k)n(ets)g(b)r(elong)h(to)g (\\exc)n(hanges,")d(w)n(e)0 980 y(c)n(hose)j(to)i(create)e(an)i(exc)n (hange)e(abstraction)g(whic)n(h)h(w)n(as)0 1079 y(mainly)35 b(a)g(script)g(engine)g(and)g(a)g(data)g(structure)g(accu-)0 1179 y(m)n(ulating)28 b(con)n(text)h(state)f(to)h(later)f(b)r(e)h (carried)e(o)n(v)n(er)g(in)n(to)0 1279 y(SAs.)59 b(Therefore,)36 b(there)f(are)f(exc)n(hange)g(and)h(SA)g(mo)r(d-)0 1378 y(ules.)g(They)21 b(deal)g(with)g(creation,)h(lo)r(okup,)g(main)n (tenance,)0 1478 y(aging,)44 b(and)d(destruction)g(of)g(these)g (structures.)77 b(Eac)n(h)0 1577 y(exc)n(hange)31 b(has)g(a)h (\\script,")f(whic)n(h)h(is)g(w)n(alk)n(ed)f(for)g(ev)n(ery)0 1677 y(pac)n(k)n(et)e(receiv)n(ed)f(or)g(transmitted.)43 b(This)30 b(mak)n(es)e(it)i(easy)0 1777 y(to)37 b(create)g(a)g(source)f (\014le)h(p)r(er)h(exc)n(hange)e(t)n(yp)r(e,)k(making)0 1876 y(the)28 b(co)r(de)f(w)n(ell)h(mo)r(dularized.)0 2076 y(Indep)r(enden)n(t)33 b(of)f(what)g(exc)n(hange)e(is)i(used,)i (there)d(are)g(a)0 2175 y(lot)36 b(of)g(common)f(op)r(erations)g(that)h (need)g(to)g(b)r(e)g(carried)0 2275 y(out)31 b(during)g(a)f (negotiation.)47 b(F)-7 b(or)30 b(this)i(purp)r(ose)e(w)n(e)h(cre-)0 2374 y(ated)37 b(separate)f(mo)r(dules)h(for)g(authen)n(tication,)i (encryp-)0 2474 y(tion,)45 b(hash)d(computation,)j(and)d (Di\016e-Hellman)g(com-)0 2574 y(putation.)50 b(These)31 b(in)i(turn)f(need)g(more)f(basic)g(mo)r(dules,)0 2673 y(lik)n(e)d(random)f(n)n(um)n(b)r(er)i(generation,)e(long)g(in)n(teger) h(math,)0 2773 y(group)g(math)i(of)f(b)r(oth)h Fi(mo)l(dP)g Fk(and)g(elliptic)g(curv)n(e)e(kinds,)0 2873 y(and)f Fi(X.509)j Fk(certi\014cate)d(managemen)n(t)f([)p Fj(?)p Fk(].)0 3072 y(Lastly)-7 b(,)20 b(there)f(are)f(miscellaneous)f(mo)r (dules)i(dealing)g(with)0 3171 y(things)28 b(lik)n(e)f(dynamic)g (loading)g(of)g(co)r(de,)h(logging,)e Fi(etc.)0 3488 y Fl(4.2)105 b(Comp)s(onen)m(t)34 b(Description)83 3754 y Fh(\017)41 b Fk(The)28 b(message)e(mo)r(dule.)166 3904 y(This)47 b(mo)r(dule)g(pro)n(vides)e(an)i(abstract)f(data-t)n(yp)r(e) 166 4004 y(represen)n(ting)21 b(individual)i(ISAKMP)g(messages.)33 b(In-)166 4104 y(ternally)-7 b(,)39 b(the)e(messages)f(are)g(sub)r (divided)h(and)g(in-)166 4203 y(dexed)25 b(b)n(y)f(pa)n(yload)g(t)n(yp) r(e.)36 b(Exp)r(orted)24 b(functionalit)n(y)166 4303 y(consists)52 b(of)h(creation/destruction,)k(incremen)n(tal)166 4403 y(pa)n(yload)26 b(addition,)h(parsing,)f(v)-5 b(alidation,)27 b(and)g(con-)166 4502 y(text)37 b(lo)r(okup)e(of)h(incoming)g (messages,)h(registering)166 4602 y(of)i(p)r(ost-send)f(functions,)k (transp)r(ort-indep)r(enden)n(t)166 4701 y(send)c(logic,)h(and)e (message)f(debugging.)66 b(There)37 b(is)166 4801 y(also)29 b(generic)f(SA)i(negotiation)f(logic)f(whic)n(h)i(is)f(co)n(v-)166 4901 y(ered)j(in)g(the)h(implemen)n(tation)f(details)g(section)g(b)r (e-)166 5000 y(lo)n(w.)k(The)28 b(reason)e(for)h(this)g(logic)g(b)r (eing)h(here)f(is)g(b)r(e-)166 5100 y(cause)j(it)g(is)h(driv)n(en)e(b)n (y)h(the)h(ph)n(ysical)e(message)g(la)n(y-)166 5200 y(out.)83 5400 y Fh(\017)41 b Fk(The)28 b(timer)f(mo)r(dule.)2176 83 y(A)38 b(fairly)f(simple)h(mo)r(dule)g(accepting)f(registration)2176 183 y(of)h(functions)h(to)f(call)g(at)h(sp)r(eci\014c)f(times)h (together)2176 282 y(with)g(their)f(actual)f(parameter.)67 b(In)39 b(order)d(to)i(get)2176 382 y(the)d(functions)f(called,)i(the)e (time)h(mo)r(dule)g(exp)r(orts)2176 482 y(a)26 b(function)h(that)g (calculates)f(the)h(timeout)g(parame-)2176 581 y(ter)32 b(to)h(giv)n(e)f(the)h Fi(sele)l(ct)g Fk(call)f(of)g(the)i(main)e(lo)r (op,)i(as)2176 681 y(w)n(ell)26 b(as)f(the)i(actual)e(timer)h(run)g (function.)37 b(Remo)n(v)-5 b(al)2176 780 y(and)29 b(rep)r(orting)f (\(for)h(debugging\))f(of)h(timers)g(is)g(also)2176 880 y(supp)r(orted.)2093 1054 y Fh(\017)41 b Fk(The)82 b(application)g(mo)r (dules)g(\()p Fi(app,)94 b(pf)p 3614 1054 26 4 v 32 w(enc)l(ap,)2176 1154 y(pf)p 2248 1154 V 31 w(key,)31 b(etc.)p Fk(\))2176 1291 y(These)41 b(mo)r(dules)h(deal)f(with)h(the)g(comm)n(unication) 2176 1390 y(with)25 b(the)f(application)f(for)h(whic)n(h)g Fi(isakmp)l(d)h Fk(is)f(nego-)2176 1490 y(tiating)29 b(SAs.)41 b(Curren)n(tly)-7 b(,)29 b(only)f(one)h(application)f(is)2176 1590 y(supp)r(orted,)35 b(IPsec.)55 b(Comm)n(unication)33 b(with)h(it)h(o)r(c-)2176 1689 y(curs)i(through)f(v)-5 b(arious)36 b(system-dep)r(enden)n(t)h(APIs.)2176 1789 y(Op)r(erations)31 b(that)i(need)g(to)f(b)r(e)h(supp)r(orted)g(include) 2176 1889 y(getting)g(a)g(fresh)g(SPI,)g(creating)g(an)g(SA,)h(up)r (dating)2176 1988 y(a)39 b(\\larv)-5 b(al")37 b(SA,)i(grouping)f(SA)h (bundles,)j(and,)g(\014-)2176 2088 y(nally)-7 b(,)37 b(remo)n(ving)c(SAs.)59 b(Also)35 b(needed)g(is)g(a)g(means)2176 2187 y(for)d(telling)h(the)g(IPsec)e(stac)n(k)h(that)h(ISAKMP)f(traf-) 2176 2287 y(\014c)24 b(needs)h(to)f(b)r(e)h(unencrypted.)35 b(In)25 b(Op)r(enBSD,)g(this)2176 2387 y(is)31 b(ac)n(hiev)n(ed)e(b)n (y)i(setting)g(the)g(appropriate)e Fi(setso)l(ck-)2176 2486 y(opt\(3\))f Fk(options)g(in)f(the)h Fi(isakmp)l(d)i Fk(so)r(c)n(k)n(et.)2093 2661 y Fh(\017)41 b Fk(The)28 b(net)n(w)n(ork)e(mo)r(dules)i(\()p Fi(tr)l(ansp)l(ort,)i(udp)e Fk(and)f Fi(if)p Fk(\).)2176 2797 y(The)59 b(transp)r(ort)f(mo)r(dule)h (exp)r(orts)f(an)g(abstract)2176 2897 y(data-t)n(yp)r(e)31 b(represen)n(ting)f(a)i(sp)r(eci\014c)f(transp)r(ort.)49 b(It)2176 2997 y(has)36 b(an)h(asso)r(ciated)e(function)i(p)r(oin)n (ter)f(table,)j(just)2176 3096 y(lik)n(e)50 b(the)g(common)g Fi(vtables)h Fk(that)f(C++)f(compil-)2176 3196 y(ers)55 b(create)g(in)g(order)g(to)g(implemen)n(t)h(p)r(olymor-)2176 3296 y(phism.)97 b(Th)n(us)47 b(the)h(transp)r(ort)f(structure)g(is)g (re-)2176 3395 y(ally)31 b(a)f(base)g(class)g(for)h(the)g(real)f (transp)r(ort)g(classes.)2176 3495 y(There)41 b(is)h(just)g(one)f(suc)n (h)g(class)g(at)g(the)h(momen)n(t,)2176 3594 y(the)51 b Fi(udp)h Fk(class.)105 b(Exp)r(orted)50 b(functionalit)n(y)h(con-) 2176 3694 y(sists)43 b(of)f(creation/destruction)f(\(or)h(rather)g (refer-)2176 3794 y(ence/dereference)47 b(as)g(they)i(are)e(ref-coun)n (ted\))h(of)2176 3893 y(transp)r(orts,)k(getting)47 b(\014le)h (descriptors)f(ready)g(for)2176 3993 y(I/O)26 b(to)h(use)h(in)f(the)h (select)f(lo)r(op)f(of)i Fi(main\(\),)g Fk(as)e(w)n(ell)2176 4093 y(as)20 b(c)n(hec)n(king)f(them)i(for)f(I/O)g(p)r(ossibilit)n(y)g (afterw)n(ards.)2176 4192 y(Message)g(sending)i(and)f(reception)g (metho)r(ds)h(are)f(ex-)2176 4292 y(p)r(orted)i(as)g(w)n(ell,)h(along)e (with)i(endp)r(oin)n(t)g(address)e(de-)2176 4391 y(termination.)2093 4566 y Fh(\017)41 b Fk(The)28 b(UI)g(mo)r(dule.)2176 4703 y(This)61 b(mo)r(dule)g(is)f(really)g(just)h(a)g(simple)g(com-) 2176 4802 y(mand)32 b(line)g(in)n(terpreter.)49 b(It)32 b(con)n(v)n(enien)n(tly)f(accepts)2176 4902 y(commands)j(async)n (hronously)e(through)h(a)h(one-w)n(a)n(y)2176 5001 y(FIF)n(O)c(\(named) h(pip)r(e\).)47 b(The)30 b(commands)g(are)f(rudi-)2176 5101 y(men)n(tary)-7 b(,)60 b(one)54 b(letter)g(with)h(a)e(few)i (parameters)2176 5201 y(eac)n(h.)80 b(The)42 b(existing)g(con)n(trols)e (deal)i(with)h(issues)2176 5300 y(lik)n(e)29 b(debugging,)f(SA)i (managemen)n(t,)e(and)h(dynamic)2176 5400 y(c)n(hanges)d(to)i(the)g (con\014guration)e(database.)p eop %%Page: 5 5 5 4 bop 0 58 a Fd(int)42 b(\(*ike_main_mode_i)o(ni)o(tia)o(to)o(r[])o (\))37 b(\(struct)k(message)g(*\))h(=)i({)87 157 y(ike_phase_1_initi)o (at)o(or)o(_se)o(nd)o(_SA)o(,)87 257 y(ike_phase_1_initi)o(at)o(or)o (_re)o(cv)o(_SA)o(,)87 357 y(ike_phase_1_initi)o(at)o(or)o(_se)o(nd)o (_KE)o(_N)o(ONC)o(E,)87 456 y(ike_phase_1_initi)o(at)o(or)o(_re)o(cv)o (_KE)o(_N)o(ONC)o(E,)87 556 y(initiator_send_ID)o(_A)o(UT)o(H,)87 655 y(ike_phase_1_recv_)o(ID)o(_A)o(UTH)0 755 y(};)1179 1021 y Fk(Figure)27 b(1:)36 b(The)28 b(Initiator)f(Main)g(Mo)r(de)h (script)83 1286 y Fh(\017)41 b Fk(The)28 b(con\014guration)e(mo)r (dule.)166 1418 y Fi(isakmp)l(d)56 b Fk(main)n(tains)d(a)h (con\014guration)e(database)166 1518 y(consisting)32 b(of)g(section/tag/v)-5 b(alue)31 b(triplets,)j Fi(i.e.)54 b Fk(it)166 1617 y(maps)46 b(closely)g(to)g(a)g(w)n(ell)g(kno)n(wn)g (format)f(called)166 1717 y(\\.INI".)35 b(This)g(con\014guration)f (database)g(is)h(primed)166 1817 y(from)e(the)i(con\014guration)d (\014le)i(\(.INI-st)n(yle\))g(at)f(pro-)166 1916 y(gram)20 b(start,)j(and)e(ev)n(ery)f(time)i(a)g(HUP)f(signal)g(is)g(sen)n(t)166 2016 y(to)36 b(the)h Fi(isakmp)l(d)g Fk(pro)r(cess.)62 b(It)36 b(is)g(also)f(p)r(ossible)h(to)166 2116 y(dynamically)21 b(alter)g(the)h(database)f(via)g(the)h(UI)g(mo)r(d-)166 2215 y(ule.)37 b(There)25 b(is)h(functionalit)n(y)g(to)g(treat)g(the)g (v)-5 b(alue)26 b(of)166 2315 y(a)j(triplet)h(as)f(a)h(comma-separated) d(list,)j(and)g(easily)166 2414 y(\\w)n(alk")25 b(that)i(list.)37 b(Otherwise,)26 b(ordinary)f(database)166 2514 y(op)r(erations)20 b(lik)n(e)g(creation,)i(lo)r(okup,)g(and)e(remo)n(v)-5 b(al)20 b(of)166 2614 y(en)n(tries)27 b(are)g(exp)r(orted.)83 2779 y Fh(\017)41 b Fk(The)28 b(p)r(olicy)f(mo)r(dule.)166 2911 y(See)32 b(section)f(5)h(for)f(a)h(description)f(of)h(this)g(mo)r (dule.)166 3011 y(This)f(mo)r(dule)h(exp)r(orts)e(only)h(one)g (function,)i(whic)n(h)166 3110 y(is)g(called)f(to)h(v)-5 b(alidate)33 b(a)f(com)n(bination)g(of)h(SA)g(pro-)166 3210 y(p)r(osal,)38 b(remote)e(p)r(eer)g(iden)n(tit)n(y)-7 b(,)39 b(and)d(pac)n(k)n(et)g(selec-)166 3309 y(tors)27 b(\(Phase)g(2)g(IDs\).)83 3474 y Fh(\017)41 b Fk(The)28 b(exc)n(hange)e(mo)r(dule.)166 3607 y(A)32 b(k)n(ey)f(abstraction)g(in) h Fi(isakmp)l(d)h Fk(is)f(the)g(exc)n(hange.)166 3706 y(This)e(is)g(the)h(engine)e(that)i(driv)n(es)e(the)h(negotiations)166 3806 y(to)n(w)n(ards)19 b(SA)j(establishmen)n(t.)35 b(Exc)n(hanges)19 b(form)i(the)166 3906 y(con)n(text)29 b(of)h(all)f(negotiations,)g(and) g(closely)g(map)g(to)166 4005 y(the)k(exc)n(hange)d(concept)i(of)g(the) h(RF)n(Cs.)50 b(Ev)n(ery)31 b(ex-)166 4105 y(c)n(hange)f(is)h(a)g(w)n (ell-de\014ned,)h(\014xed-length)f(sequence)166 4204 y(of)h(messages)f(b)r(et)n(w)n(een)i(the)g(t)n(w)n(o)e(p)r(eers.)51 b(Ev)n(ery)31 b(in-)166 4304 y(dividual)36 b(message)e(also)h(has)h(a)f (w)n(ell-de\014ned)h(min-)166 4404 y(im)n(um)j(con)n(ten)n(t)e(of)h(pa) n(yloads.)67 b(This)38 b(structure)g(of)166 4503 y(exc)n(hanges)d (lends)i(itself)g(to)g(implemen)n(tation)f(as)g(a)166 4603 y(generic)24 b(\014nite)h(state)g(mac)n(hine)f(driv)n(en)g(b)n(y)h (\\scripts")166 4703 y(supplied)30 b(b)n(y)f(eac)n(h)f(exc)n(hange)g(t) n(yp)r(e.)42 b(These)29 b(scripts)166 4802 y(pro)n(vide)17 b(the)i(actions)f(to)h(execute)f(at)h(message)e(recep-)166 4902 y(tion)33 b(as)g(w)n(ell)g(as)g(b)r(efore/after)f(message)g (transmis-)166 5001 y(sion.)49 b(It)32 b(is)f(also)g(easy)g(to)g(ha)n (v)n(e)g(a)g(generic)f(\\syn)n(tax)166 5101 y(c)n(hec)n(k)n(er")23 b(insp)r(ecting)j(eac)n(h)f(message,)f(ensuring)h(the)166 5201 y(required)35 b(pa)n(yloads)e(are)i(presen)n(t.)60 b(This)36 b(mo)r(dule's)166 5300 y(exp)r(orted)j(API)g(consists)f(of)h (functions)g(for)g(estab-)166 5400 y(lishing)d(exc)n(hanges)f(when)h (acting)g(as)g(initiator,)i(as)2176 1286 y(w)n(ell)23 b(as)f(setting)h(up)g(exc)n(hanges)e(for)i(\\incoming")e(ne-)2176 1386 y(gotiations.)38 b(There)28 b(are)f(also)g(sev)n(eral)g(lo)r(okup) h(func-)2176 1485 y(tions,)c(\014nding)e(exc)n(hanges)f(using)h (di\013eren)n(t)h(criteria.)2093 1659 y Fh(\017)41 b Fk(The)28 b(SA)g(mo)r(dule.)2176 1796 y(Just)43 b(lik)n(e)g(the)g (IPsec)f(k)n(ernel,)47 b Fi(isakmp)l(d)d Fk(needs)f(to)2176 1896 y(main)n(tain)32 b(its)g(o)n(wn)f(SA)h(database.)48 b(This)32 b(database)2176 1995 y(actually)e(consists)f(of)h(b)r(oth)h (ISAKMP)f(SAs,)h(whic)n(h)2176 2095 y(are)43 b(the)i(results)e(of)h (Phase)f(1)h(negotiations,)j(and)2176 2195 y(application)34 b(SAs)h(from)f(Phase)f(2.)57 b(Ev)n(ery)33 b(SA)i(has)2176 2294 y(attac)n(hed)24 b(DOI-dep)r(enden)n(t)g(\(Domain)h(Of)f(In)n (terpre-)2176 2394 y(tation\))37 b(data,)i(should)e(w)n(e)g(ev)n(er)f (need)h(to)g(supp)r(ort)2176 2493 y(other)27 b(DOIs)f(than)i(IPsec.)35 b(The)28 b(SA)f(structure)g(con-)2176 2593 y(tains)21 b(b)r(oth)g(the)h(on-the-wire)d(represen)n(tation)h(of)h(the)2176 2693 y(SA,)35 b(as)g(w)n(ell)f(as)h(in)n(ternal)f(p)r(er-SA)h(data.)58 b(SAs)35 b(are)2176 2792 y(created)22 b(when)h(the)g(negotiation)f (starts,)h(but)g(are)f(in-)2176 2892 y(activ)n(e)30 b(un)n(til)g(an)h (exc)n(hange)d(\014nalization)i(routine)g(is)2176 2992 y(run.)46 b(The)30 b(SA)h(API)g(is)f(mostly)g(a)g(set)h(of)f(life)h (main-)2176 3091 y(tenance)36 b(functions,)k Fi(i.e.)65 b Fk(creation,)38 b(ref-coun)n(ting,)2176 3191 y(expiration)j(setup,)k (and)c(destruction)g(op)r(erations.)2176 3290 y(Similar)c(to)f(the)i (exc)n(hange)d(mo)r(dule,)40 b(a)c(fairly)g(v)n(er-)2176 3390 y(satile)27 b(set)h(of)f(lo)r(okup)h(functions)f(is)h(a)n(v)-5 b(ailable.)2093 3564 y Fh(\017)41 b Fk(The)28 b(authen)n(tication)f(mo) r(dule.)2176 3701 y(IKE)h(allo)n(ws)f(for)i(sev)n(eral)e(kinds)i(of)f (authen)n(tication.)2176 3801 y(An)19 b(authen)n(tication)f(metho)r(d)h (needs)f(to)g(pro)n(vide)f(just)2176 3900 y(three)35 b(functions:)51 b(generation)33 b(of)i(a)f(shared)g(secret)2176 4000 y(the)25 b(p)r(eers)f(deriv)n(e)f(k)n(eys)g(from,)i(enco)r(ding)f (of)g(a)g(k)n(ey)n(ed)2176 4099 y(hash)29 b(pro)n(ving)g(the)h(authen)n (ticit)n(y)g(of)g(the)g(p)r(eer,)g(and)2176 4199 y(deco)r(ding)k(of)f (suc)n(h)h(a)f(hash)h(thereb)n(y)f(v)n(erifying)g(the)2176 4299 y(other)41 b(p)r(eer's)g(authen)n(ticit)n(y)-7 b(.)78 b(Curren)n(tly)40 b Fi(isakmp)l(d)2176 4398 y Fk(supp)r(orts)18 b(the)h(mandatory)f(pre-shared)e(k)n(ey)i(authen-)2176 4498 y(tication)44 b(metho)r(d,)50 b(as)44 b(w)n(ell)g(as)g (certi\014cate)g(based)2176 4598 y(\(X.509\))50 b(RSA)g(signature)f (authen)n(tication.)105 b(W)-7 b(e)2176 4697 y(plan)45 b(to)f(supp)r(ort)h(public)g(k)n(ey)f(encryption-based)2176 4797 y(authen)n(tication)27 b(in)h(the)g(near)f(future.)2093 4971 y Fh(\017)41 b Fk(Cryptograph)n(y)25 b(and)j(math.)2176 5108 y Fi(Isakmp)l(d)h Fk(builds)f(up)r(on)f(some)g(basic)g (cryptographic)2176 5207 y(and)g(mathematic)h(comp)r(onen)n(ts.)2269 5400 y Fj({)42 b Fk(Ciphers.)p eop %%Page: 6 6 6 5 bop 349 83 a Fk(There)28 b(is)h(a)g(collection)g(of)g(ciphers)f (whic)n(h)h(can)349 183 y(b)r(e)49 b(used)h(in)n(terc)n(hangeably)d(to) i(protect)g(the)349 282 y(data)21 b(that)h(go)r(es)f(on)g(the)h(wire.) 35 b(It)22 b(is)f(natural)g(to)349 382 y(implemen)n(t)i(these)g (ciphers)g(as)f(sub)r(classes)g(to)g(a)349 482 y(\\crypto")i(base)h (class,)g(whic)n(h)h(pro)n(vides)e(ho)r(oks)349 581 y(for)g (initialization,)h(cloning,)g(and)f(up)r(dating)h(of)349 681 y(k)n(ey)37 b(state,)k(as)d(w)n(ell)g(as)f(encryption)h(and)g(de-) 349 780 y(cryption)e(of)h(data.)65 b(The)37 b(separation)f(of)h(k)n(ey) 349 880 y(state)i(managemen)n(t)f(from)h(the)g(actual)g(algo-)349 980 y(rithm)29 b(applications)g(is)g(imp)r(ortan)n(t)g(for)f(main-)349 1079 y(taining)d(cryptographic)e(sync)n(hronization)g(b)r(e-)349 1179 y(t)n(w)n(een)53 b(the)h(p)r(eers.)114 b Fi(isakmp)l(d)56 b Fk(implemen)n(ts)349 1279 y(the)48 b(follo)n(wing)e(algorithms:)75 b(DES,)48 b(3-DES,)349 1378 y(CAST,)28 b(and)f(Blo)n(w\014sh.)259 1517 y Fj({)42 b Fk(Hashes.)349 1636 y(As)32 b(w)n(as)f(the)h(case)g (with)g(ciphers,)h(it)g(is)e(also)g(a)349 1736 y(design)36 b(requiremen)n(t)g(that)i(hash)e(algorithms)349 1836 y(b)r(e)h(easy)f(to)h(alter.)64 b(Th)n(us,)39 b(hash)d(algorithms)349 1935 y(are)41 b(also)f(implemen)n(ted)j(as)e(sub)r(classes)g(of)g(a)349 2035 y(generic)21 b(hash)i(class,)g(pro)n(viding)e(a)h(simple)h(API)349 2135 y(for)29 b(incremen)n(tal)f(hash)h(computation)g(of)h(con-)349 2234 y(catenated)d(data.)259 2373 y Fj({)42 b Fk(Di\016e-Hellman.)349 2492 y(The)34 b(Di\016e-Hellman)h(algorithm)e(is)h(a)g(means)349 2592 y(of)18 b(establishing)g(a)g(shared)g(secret)f(b)r(et)n(w)n(een)i (t)n(w)n(o)349 2692 y(p)r(eers)28 b(without)i(exp)r(osing)f(su\016cien) n(t)g(data)g(for)349 2791 y(wire-tapp)r(ers)e(to)h(compute)g(that)g (secret.)38 b(The)349 2891 y(API)21 b(is)g(simple,)i(since)f(only)f(t)n (w)n(o)f(functions)i(are)349 2991 y(needed:)60 b(creation)38 b(of)h(a)g(lo)r(cal)f(random)h(big-)349 3090 y(in)n(teger,)24 b(and)h(computation)f(of)h(the)g(actual)g(se-)349 3190 y(cret)33 b(based)h(on)f(the)h(lo)r(cal)g(big-in)n(teger)e(and)h(a)349 3289 y(similar-t)n(yp)r(e)26 b(v)-5 b(alue)28 b(receiv)n(ed)e(from)i (the)g(p)r(eer.)259 3428 y Fj({)42 b Fk(Group)27 b(mathematics.)349 3548 y(The)19 b(mathematical)g(basis)f(for)h(Di\016e-Hellman)349 3647 y(is)45 b(called)f(group)g(math.)89 b(Groups)45 b(are)f(big-)349 3747 y(in)n(teger)27 b(arithmetic)h(systems)g(with)g (a)g(few)h(pa-)349 3847 y(rameters.)81 b(It)44 b(turns)e(out)h(that)h (groups)d(are)349 3946 y(also)c(suitable)g(to)h(implemen)n(t)h(in)f(an) g(ob)5 b(ject-)349 4046 y(orien)n(ted)51 b(fashion,)59 b(as)51 b(there)i(are)e(di\013eren)n(t)349 4145 y(algorithms)44 b(that)j(comply)e(with)i(the)f(group)349 4245 y(math)35 b(requiremen)n(ts.)58 b(In)35 b Fi(isakmp)l(d,)k Fk(there)c(is)349 4345 y(supp)r(ort)44 b(for)f(t)n(w)n(o)g(kind)i(of)f(groups,)j (elliptic)349 4444 y(curv)n(es)26 b(and)h Fi(mo)l(dP)i Fk(groups.)259 4583 y Fj({)42 b Fk(Big)27 b(in)n(teger)f(mathematics.) 349 4703 y(Both)38 b(group)f(mathematics)h(and)h(the)g(public)349 4802 y(k)n(ey)29 b(cryptograph)n(y)f(used)i(in)h(the)g(authen)n(tica-) 349 4902 y(tion)e(and)f(p)r(olicy)h(mo)r(dules,)h(need)f(big-in)n (teger)349 5001 y(math.)69 b(W)-7 b(e)39 b(curren)n(tly)e(use)h(Op)r (enSSL's)h(BN)349 5101 y(functions)33 b(as)f(w)n(ell)g(as)g(a)h(few)g (supplemen)n(tary)349 5201 y(routines)44 b(written)h(b)n(y)g(us.)90 b(W)-7 b(e)45 b(ha)n(v)n(e)f(ho)n(w-)349 5300 y(ev)n(er)i(made)h(the)h (underlying)f(math)g(library)349 5400 y(exc)n(hangeable)31 b(so)i(other)g(math)g(libraries)f(can)2359 83 y(b)r(e)49 b(used)g(if)h(needed.)102 b(W)-7 b(e)49 b(curren)n(tly)f(sup-)2359 183 y(p)r(ort)41 b(FSF's)g(GMP)g(but)h(w)n(e)f(also)f(in)n(tend)h(to) 2359 282 y(tak)n(e)h(adv)-5 b(an)n(tage)41 b(of)h(hardw)n(are)f(supp)r (ort)i(for)2359 382 y(big-in)n(teger)i(op)r(erations,)52 b(since)47 b(suc)n(h)g(pro)r(d-)2359 482 y(ucts)23 b(ha)n(v)n(e)f(b)r (egun)h(to)g(mak)n(e)f(their)h(app)r(earance)2359 581 y(in)28 b(the)g(mark)n(et.)2093 757 y Fh(\017)41 b Fk(The)28 b(dynamic)f(loader)f(mo)r(dule.)2176 887 y(P)n(erhaps)g(a)h(less)f(ob)n (vious)g(comp)r(onen)n(t)h(to)h(ha)n(v)n(e)e(in)h(a)2176 987 y(daemon)32 b(lik)n(e)h Fi(isakmp)l(d)h Fk(is)f(a)g(mo)r(dule)g (for)f(dynamic)2176 1086 y(loading)40 b(and)h(linking)g(of)f(co)r(de.) 77 b(The)41 b(reason)f(for)2176 1186 y(this)31 b(mo)r(dule)h(is)e (mainly)h(due)g(to)g(the)g(RSA)h(paten)n(t;)2176 1286 y(w)n(e)f(cannot)g(ship)g(RSA)h(co)r(de)f(in)g(Op)r(enBSD)h(as)f(the) 2176 1385 y(license-free)18 b(implemen)n(tation)g(cannot)g(b)r(e)h(imp) r(orted)2176 1485 y(to)39 b(the)h(United)g(States.)72 b(Therefore,)42 b(w)n(e)d(dynam-)2176 1584 y(ically)e(load)f(that)h (supp)r(ort)g(if)h(it)g(is)f(a)n(v)-5 b(ailable)35 b(\(the)2176 1684 y(supp)r(orting)d(libraries)e(can)i(b)r(e)g(fetc)n(hed)g (separately)-7 b(,)2176 1784 y(di\013eren)n(t)30 b(v)n(ersions)e(for)i (di\013eren)n(t)g(coun)n(tries\).)43 b(This)2176 1883 y(mo)r(dule)20 b(exp)r(orts)e(a)h(function)h(that)g(tak)n(es)e(a)h (dynamic)2176 1983 y(load)33 b(script,)i(written)f(in)f(a)h(v)n(ery)e (simple)i(language)2176 2083 y(w)n(e)21 b(designed,)h(that)f(describ)r (es)f(what)h(\014les)g(should)g(b)r(e)2176 2182 y(loaded)27 b(and)g(what)h(sym)n(b)r(ols)f(should)g(b)r(e)h(resolv)n(ed.)2093 2343 y Fh(\017)41 b Fk(The)28 b(log)e(mo)r(dule.)2176 2474 y(Logging)d(is)i(crucial)e(in)i(securit)n(y)f(applications.)35 b(It)25 b(is)2176 2574 y(also)f(imp)r(ortan)n(t)i(that)f(dev)n(elop)r (ers)f(of)i(securit)n(y)e(soft-)2176 2673 y(w)n(are)34 b(are)h(presen)n(ted)g(with)h(debugging)f(to)r(ols)g(that)2176 2773 y(help)21 b(them)g(\014nd)g(bugs)f(faster.)34 b(W)-7 b(e)21 b(consider)f(logging)2176 2872 y(to)f(b)r(e)g(suc)n(h)g(a)g(to)r (ol,)h(if)g(it)f(can)g(b)r(e)g(con)n(trolled)f(in)i(a)e(\014ne-)2176 2972 y(grained)25 b(w)n(a)n(y)-7 b(.)36 b(This)26 b(mo)r(dule)h(exp)r (orts)f(functions)h(to)2176 3072 y(c)n(hange)34 b(the)h(lev)n(els)f(p)r (er)h(logging)e(class,)j(to)e(con)n(trol)2176 3171 y(where)d(logging)f (information)h(go)r(es)g(and,)h(naturally)2176 3271 y(to)24 b(actually)f(log)g(b)r(oth)i(binary)e(and)h(textual)g(bu\013ers.)2093 3432 y Fh(\017)41 b Fk(The)28 b(system-dep)r(enden)n(t)f(mo)r(dule.) 2176 3563 y(In)43 b(order)e(to)h(main)n(tain)g(p)r(ortabilit)n(y)-7 b(,)46 b(ev)n(ery)41 b(func-)2176 3662 y(tion)c(that)g(ma)n(y)f(need)i (di\013ering)e(implemen)n(tations)2176 3762 y(dep)r(ending)28 b(on)g(the)g(platform,)g(needs)g(to)g(b)r(e)g(placed)2176 3862 y(in)40 b(a)g(cen)n(tral,)i(exc)n(hangeable,)f(system-dep)r(enden) n(t)2176 3961 y(mo)r(dule.)j(Most)29 b(often,)i(functions)f(placed)g (here)f(are)2176 4061 y(glue)e(or)g(pro)n(xies.)2010 4355 y Fl(4.3)105 b(Implemen)m(tation)33 b(Details)2010 4649 y Fj(4.3.1)94 b(The)32 b(Exc)m(hange)g(Script)h(Mac)m(hine)2010 4902 y Fk(An)26 b(IKE)f(exc)n(hange)f(normally)h(consists)g(of)g(a)g (\014xed)h(n)n(um-)2010 5001 y(b)r(er)g(of)g(w)n(ell-de\014ned)g (messages,)e(whic)n(h)i(eac)n(h)g(p)r(eer)f(sends)2010 5101 y(ev)n(ery)31 b(other)g(turn.)51 b(Recognizing)31 b(this)i(simple)f(fact,)h(w)n(e)2010 5201 y(c)n(hose)45 b(to)h(build)h(the)f(state)g(mac)n(hine)f(around)h(an)f(en-)2010 5300 y(gine)33 b(whic)n(h)h(ran)e(\\scripts")g(unique)i(for)f(eac)n(h)g (exc)n(hange)2010 5400 y(t)n(yp)r(e.)51 b(An)33 b(example)f(of)g(a)g (script)g(is)h(sho)n(wn)e(in)i(\014gure)e(1.)p eop %%Page: 7 7 7 6 bop 0 83 a Fk(This)39 b(is)g(the)h(script)f(an)g(initiator)g(runs)f (when)i(doing)e(a)0 183 y(\\main)28 b(mo)r(de".)41 b(The)29 b(elemen)n(ts)g(of)g(the)g(script)g(are)f(func-)0 282 y(tions,)c(alternately)e(constructing)g(a)g(message)g(to)h(b)r(e)g(sen) n(t,)0 382 y(or)34 b(dealing)g(with)h(a)f(message)g(that)h(has)f(b)r (een)h(receiv)n(ed.)0 482 y(Along)c(with)i(this)f(seman)n(tics)f (description)h(there)f(is)h(also)0 581 y(a)i(syn)n(tactic)g(\\script",) h(whic)n(h)g(ma)n(y)f(lo)r(ok)f(lik)n(e)i(\014gure)e(2.)0 681 y(This)22 b(syn)n(tax)f(description)g(describ)r(es)g(what)h(pa)n (yloads)e(are)0 780 y(mandatory)k(in)h(eac)n(h)f(message)g(of)h(the)g (exc)n(hange.)35 b(It)25 b(also)0 880 y(marks)h(when)i(the)g(exc)n (hange)e(ends.)0 1251 y Fj(4.3.2)94 b(Con\014guration)0 1515 y Fk(Con\014guring)24 b(IKE)h(is)g(an)g(in)n(v)n(olv)n(ed)f(pro)r (cess,)h(due)h(to)f(IKE)0 1614 y(b)r(eing)c(a)g(complex)g(proto)r(col.) 33 b(When)22 b(w)n(e)e(w)n(ere)h(faced)g(with)0 1714 y(the)26 b(problem)g(of)g(ho)n(w)f(to)h(design)f(the)h(con\014guration) f(lan-)0 1813 y(guage)20 b(w)n(e)h(tried)h(a)f(few)h(simplistic)g (approac)n(hes,)f(but)h(they)0 1913 y(so)r(on)33 b(turned)g(out)h(to)f (b)r(e)h(to)r(o)f(in\015exible.)55 b(Th)n(us)33 b(w)n(e)g(de-)0 2013 y(cided)j(to)g(use)f(a)g(rather)g(generic)g(con\014guration)f(syn) n(tax)0 2112 y(whic)n(h)i(w)n(e)g(could)f(\014t)i(in)f(ev)n(erything)f (w)n(e)h(w)n(an)n(ted.)61 b(The)0 2212 y(syn)n(tax)26 b(w)n(ould)g(also)f(allo)n(w)h(for)g(easy)f(dynamic)i(mo)r(di\014ca-)0 2312 y(tion)h(of)g(the)h(in)n(ternal)e(con\014guration)f(information)i (with-)0 2411 y(out)e(reloading)e(a)h(full)h(\014le.)37 b(The)25 b(ca)n(v)n(eat)f(is)i(that)g(our)f(con-)0 2511 y(\014guration)g(syn)n(tax)g(maps)g(m)n(uc)n(h)h(b)r(etter)g(to)g(the)h (mac)n(hine)0 2610 y(and)e(proto)r(cols)f(than)h(to)g(a)g(h)n(uman)g(b) r(eing)h(administering)0 2710 y Fi(isakmp)l(d)p Fk(.)42 b(Our)28 b(plan)h(w)n(as)f(to)g(get)h(someone)e(else)i(write)f(a)0 2810 y(\\real")23 b(con\014guration)g(\014le)i(format)g(that)g(could)g (b)r(e)g(trans-)0 2909 y(lated)20 b(in)n(to)f(our)g(st)n(yle.)33 b(So)20 b(far)f(no)g(one)g(has)g(tak)n(en)g(the)h(bait.)0 3009 y(Note)j(that)f(ideally)-7 b(,)24 b(v)n(ery)d(little)i (con\014guration)e(should)i(b)r(e)0 3109 y(needed)j(for)g Fi(isakmp)l(d)p Fk(;)i(most)e(of)g(the)h(information)e(should)0 3208 y(b)r(e)h(pro)n(vided)g(on-the-\015y)f(b)n(y)h(the)g(k)n(ernel)f (\(at)i(least)e(in)i(the)0 3308 y(end-to-end)37 b(case\),)j(or)d (through)g(some)g(securit)n(y)g(p)r(olicy)0 3407 y(disco)n(v)n(ery)25 b(mec)n(hanism.)0 3607 y(The)j(\014le)f(format)g(is)h(commonly)f(kno)n (wn)g(as)g(.INI-format,)0 3706 y(and)33 b(a)g(snipp)r(et)i(is)e(sho)n (wn)g(in)g(\014gure)g(3.)54 b(In)n(ternally)-7 b(,)35 b(ev-)0 3806 y(erything)c(is)h(treated)f(as)g(\(section,)i(tag,)f(v)-5 b(alue\))32 b(triplets,)0 3906 y(where)21 b(the)g(v)-5 b(alues)21 b(can)f(optionally)h(b)r(e)g(lists)g(of)g(scalar)f(v)-5 b(al-)0 4005 y(ues.)37 b(The)27 b(v)-5 b(alues)27 b(themselv)n(es)g (are)f(often)i(section)f(names)0 4105 y(thereb)n(y)k(giving)h(a)f(tree) h(\(or)f(rather)g(a)h(forest\))g(structure)0 4204 y(to)27 b(the)h(data.)0 4404 y(As)i(w)n(e)f(ha)n(v)n(e)f(already)g(men)n (tioned,)i(the)g(in)n(ternal)f(con\014g-)0 4503 y(uration)39 b(is)g(dynamically)g(alterable.)72 b(W)-7 b(e)40 b(sa)n(w)f(a)g(need)0 4603 y(for)f(sev)n(eral)f(\\users")f(altering)i(the)h(con\014guration)e (con-)0 4703 y(curren)n(tly)-7 b(,)29 b(so)f(w)n(e)h(made)f(the)i(API)f (transactional.)39 b(Eac)n(h)0 4802 y(transaction)23 b(can)h(con)n(tain)g(sev)n(eral)e(mo)r(di\014cations)i(to)h(the)0 4902 y(con\014guration,)h(and)h(they)h(are)f(atomically)f(in)n(tro)r (duced.)0 5101 y(In)n(ternally)21 b(there)g(is)h(also)f(an)g(API)g(to)h (get)g(the)g(actual)f(con-)0 5201 y(\014guration)33 b(v)-5 b(alues.)56 b(Because)33 b(of)h(this,)i(it)e(is)g(considered)0 5300 y(v)n(ery)f(easy)g(to)h(mo)n(v)n(e)f(the)i(con\014guration)d (database)h(in)n(to)0 5400 y(other)27 b(in)n(ternal)g(formats)g(or)f (ev)n(en)i(externalize)e(it.)2010 83 y Fj(4.3.3)94 b(P)m(ortabilit)m(y) 32 b(Considerations)2010 338 y Fk(F)-7 b(rom)20 b(its)h(conception,)h (there)f(w)n(as)f(a)g(p)r(ortabilit)n(y)g(require-)2010 437 y(men)n(t)41 b(in)f Fi(isakmp)l(d)p Fk(.)78 b(It)40 b(should)h(run)f(on)g(v)-5 b(arious)39 b(plat-)2010 537 y(forms,)33 b(and)g(with)g(di\013eren)n(t)g(IPsec)f(stac)n(ks.)50 b(Because)32 b(of)2010 637 y(this)d(demand,)g(the)g(\\sysdep")e(mo)r (dule)i(w)n(as)e(in)n(tro)r(duced.)2010 736 y(Eac)n(h)f(platform)i(w)n (e)f(supp)r(ort)g(needs)h(to)f(pro)n(vide)g(its)h(o)n(wn)2010 836 y(v)n(ersion)c(of)h(this)h(mo)r(dule.)36 b(In)26 b(principle,)g(all)f(of)g(the)h(IPsec)2010 935 y(API)32 b(could)g(b)r(e)h(dealt)f(with)h(here,)g(but)g(as)f(APIs)g(can)g(b)r(e) 2010 1035 y(shared)24 b(among)g(sev)n(eral)f(platforms)h(\(and)h(there) f(ev)n(en)h(ex-)2010 1135 y(ist)35 b(standards)e(no)n(w\),)i(most)g (often)f(the)h(sysdep)f(mo)r(dule)2010 1234 y(only)21 b(has)g(stub)h(co)r(de)f(to)g(call)g(the)h(righ)n(t)e(API)i(mo)r(dule,) g(lik)n(e)2010 1334 y(PF)p 2126 1334 25 4 v 30 w(KEY.)2010 1533 y(PF)p 2126 1533 V 30 w(KEY)27 b(ma)n(y)g(b)r(ecome)h(a)g (standard,)f(but)h(it)h(is)f(only)f(an)2010 1633 y(API)f(for)g(main)n (taining)g(SAs,)g(and)h(IPsec)e(also)g(needs)h(p)r(ol-)2010 1732 y(icy)k(main)n(tenance.)42 b(All)30 b(PF)p 2918 1732 V 30 w(KEY)f(systems)g(w)n(e)g(supp)r(ort)2010 1832 y(ha)n(v)n(e)36 b(c)n(hosen)h(to)h(add)f(p)r(olicy)h(extensions)f(to)g (PF)p 3662 1832 V 30 w(KEY)2010 1932 y(b)r(ecause)30 b(of)h(the)g(fact)f(that)h(the)g(API)g(is)f(\015exible)h(enough)2010 2031 y(to)d(pass)f(suc)n(h)h(data)f(as)h(w)n(ell,)g(and)g(it)g(is)g (easier)f(to)h(extend)2010 2131 y(something)43 b(w)n(orking)f(than)i (to)g(in)n(v)n(en)n(t)f(something)g(en-)2010 2231 y(tirely)22 b(new.)35 b(Ho)n(w)n(ev)n(er,)21 b(extensions)g(tend)h(to)g(b)r(e)g (platform)2010 2330 y(sp)r(eci\014c,)39 b(so)e(the)g(PF)p 2713 2330 V 30 w(KEY)f(supp)r(ort)h(co)r(de)f(in)h Fi(isakmp)l(d)2010 2430 y Fk(has)21 b(to)g(deal)h(with)g(sev)n(eral)e(di\013eren)n(t)h(v) -5 b(arian)n(ts)21 b(of)g(the)h(pro-)2010 2529 y(to)r(col.)49 b(This)32 b(problem)f(is)h(recognized,)f(and)h(there)g(actu-)2010 2629 y(ally)d(is)g(some)g(consensus)g(b)r(et)n(w)n(een)g(Op)r(enBSD,)h (KAME,)2010 2729 y(and)21 b(F)-7 b(reeS/W)e(AN)21 b(that)g(this)g (needs)g(to)g(c)n(hange,)g(and)g(that)2010 2828 y(the)i(extensions)e (need)i(to)f(con)n(v)n(erge,)f(if)i(not)f(ev)n(en)g(b)r(e)h(stan-)2010 2928 y(dardized.)2010 3127 y(With)44 b(resp)r(ect)f(to)g(di\013erences) f(in)i(the)f(build)h(en)n(viron-)2010 3227 y(men)n(t,)39 b(w)n(e)e(ha)n(v)n(e)f(seen)g(a)h(need)g(to)f(supp)r(ort)h(b)r(oth)g (main)2010 3326 y(\\mak)n(e")31 b(dialects,)j(BSD)g(and)f(GNU.)g(This)g (is)g(of)g(course)2010 3426 y(less)38 b(than)g(optimal,)j(but)d(giv)n (en)g(the)g(alternativ)n(es)f(it)h(is)2010 3526 y(curren)n(tly)28 b(our)g(b)r(est)i(option.)40 b(F)-7 b(urthermore,)29 b(ev)n(ery)e(sup-)2010 3625 y(p)r(orted)g(platform)f(has)h(to)f(pro)n (vide)g(a)h(mak)n(e\014le)f(fragmen)n(t)2010 3725 y(wherein)18 b(constrain)n(ts)f(on)h(what)h Fi(isakmp)l(d)h Fk(should)e(supp)r(ort) 2010 3825 y(on)h(that)i(particular)d(platform)h(can)h(b)r(e)g (expressed,)g(as)f(w)n(ell)2010 3924 y(as)36 b(instructions)g(on)g(ho)n (w)g(to)h(build)g(system-dep)r(enden)n(t)2010 4024 y(co)r(de.)2010 4348 y Fj(4.3.4)94 b(Debugging)30 b(Supp)s(ort)2010 4603 y Fk(Being)53 b(a)g(securit)n(y)g(critical)g(application,)59 b(it)54 b(is)f(vital)2010 4703 y Fi(isakmp)l(d)22 b Fk(b)r(e)f(as)f (bug-free)f(as)h(p)r(ossible.)34 b(All)21 b(soft)n(w)n(are)e(con-)2010 4802 y(tains)35 b(bugs,)h(and)e(all)h(dev)n(elopmen)n(t)f(creates)g (new)h(ones.)2010 4902 y(Recognizing)f(that,)j(w)n(e)d(ha)n(v)n(e)g(c)n (hosen)g(to)h(mak)n(e)f(debug-)2010 5001 y(ging)e(a)h(more)f(pleasan)n (t)g(task)g(than)h(it)h(usually)e(is.)53 b(Nor-)2010 5101 y(mally)28 b Fi(isakmp)l(d)j Fk(detac)n(hes)d(from)g(the)h(con)n (trolling)e(termi-)2010 5201 y(nal)g(and)g(logs)f(only)h(exceptional)g (conditions)f(to)h(the)h(sys-)2010 5300 y(log)39 b(facilit)n(y)-7 b(.)74 b(Ho)n(w)n(ev)n(er,)41 b(in)f(order)f(to)h(b)r(e)g(able)f(to)h (run)2010 5400 y(under)e(a)f(normal)g(debugger,)i(it)f(is)f(p)r (ossible)h(to)f(run)h(in)p eop %%Page: 8 8 8 7 bop 0 152 a Fd(int16_t)41 b(script_identity)o(_pr)o(ot)o(ect)o(io)o (n[])c(=)43 b({)87 252 y(ISAKMP_PAYLOAD_SA)o(,/)o(*)37 b(Initiator)j(->)j(responder.)83 b(*/)87 351 y(EXCHANGE_SCRIPT_S)o(WI)o (TC)o(H,)87 451 y(ISAKMP_PAYLOAD_SA)o(,/)o(*)37 b(Responder)j(->)j (initiator.)83 b(*/)87 551 y(EXCHANGE_SCRIPT_S)o(WI)o(TC)o(H,)87 650 y(ISAKMP_PAYLOAD_KE)o(Y_)o(EX)o(CH,)o(/*)37 b(Initiator)j(->)j (responder.)83 b(*/)87 750 y(ISAKMP_PAYLOAD_NO)o(NC)o(E,)87 849 y(EXCHANGE_SCRIPT_S)o(WI)o(TC)o(H,)87 949 y(ISAKMP_PAYLOAD_KE)o(Y_) o(EX)o(CH,)o(/*)37 b(Responder)j(->)j(initiator.)83 b(*/)87 1049 y(ISAKMP_PAYLOAD_NO)o(NC)o(E,)87 1148 y(EXCHANGE_SCRIPT_S)o(WI)o (TC)o(H,)87 1248 y(ISAKMP_PAYLOAD_ID)o(,/)o(*)37 b(Initiator)j(->)j (responder.)83 b(*/)87 1348 y(EXCHANGE_SCRIPT_A)o(UT)o(H,)87 1447 y(EXCHANGE_SCRIPT_S)o(WI)o(TC)o(H,)87 1547 y(ISAKMP_PAYLOAD_ID)o (,/)o(*)37 b(Responder)j(->)j(initiator.)83 b(*/)87 1646 y(EXCHANGE_SCRIPT_A)o(UT)o(H,)87 1746 y(EXCHANGE_SCRIPT_E)o(ND)0 1846 y(};)1071 2111 y Fk(Figure)27 b(2:)36 b(The)28 b(syn)n(tax)f(of)g (an)h(ID)p 2179 2111 25 4 v 30 w(PR)n(OT)e(exc)n(hange)0 2433 y Fd(#)43 b(Incoming)d(phase)i(1)h(negotiations)c(are)j (multiplexed)d(on)k(the)f(source)f(IP)i(address.)0 2633 y([Phase)e(1])0 2732 y(192.168.0.1=)e(ISAKMP-peer-nod)o(e-0)0 2932 y([ISAKMP-peer-nod)o(e-0)o(])0 3031 y(Phase=)i(1)0 3131 y(Transport=)e(udp)0 3231 y(Address=)h(192.168.0.1)0 3330 y(Configuration=)e(Default-main-mod)o(e)0 3430 y(Authentication=)f (yoursharedsecretw)o(ith)o(0)0 3629 y([Default-main-mo)o(de])0 3729 y(DOI=)42 b(IPSEC)0 3828 y(EXCHANGE_TYPE=)c(ID_PROT)0 3928 y(Transforms=)h(3DES-SHA,3DES-MD)o(5)0 4127 y([3DES-SHA])0 4227 y(ENCRYPTION_ALGOR)o(ITH)o(M=)e(3DES_CBC)0 4326 y(HASH_ALGORITHM=)g(SHA)0 4426 y(AUTHENTICATION_M)o(ETH)o(OD)o(=)g (PRE_SHARED)0 4526 y(GROUP_DESCRIPTIO)o(N=)g(MODP_1024)0 4625 y(Life=)42 b(LIFE_600_SECS)0 4825 y([LIFE_600_SECS])0 4924 y(LIFE_TYPE=)d(SECONDS)0 5024 y(LIFE_DURATION=)f(600,450:720)1241 5289 y Fk(Figure)27 b(3:)36 b(Con\014guration)26 b(en)n(try)h(samples)p eop %%Page: 9 9 9 8 bop 0 83 a Fk(the)32 b(foreground,)f(sending)g(logging)f(messages)f (to)j Fi(stderr)0 183 y Fk(instead.)k(As)25 b(w)n(e)g(ha)n(v)n(e)e (already)h(men)n(tioned,)h(the)h(logging)0 282 y(mo)r(dule)j(has)g(a)g (\014ne-grained)e(con)n(trol)h(mec)n(hanism)h(mak-)0 382 y(ing)f(it)h(easy)f(to)g(c)n(hose)f(detailed)i(information)f(on)g (certain)0 482 y(topics.)34 b(In)22 b(order)d(to)i(ease)g(problem)f (pinp)r(oin)n(ting,)j(almost)0 581 y(ev)n(ery)j(in)n(termediary)h (computation)g(can)g(b)r(e)h(logged.)0 780 y(The)22 b(build)h(en)n (vironmen)n(t)e(also)g(con)n(tains)g(instructions)g(on)0 880 y(ho)n(w)40 b(to)g(build)h Fi(isakmp)l(d)h Fk(with)g(t)n(w)n(o)d (di\013eren)n(t)i(memory)0 980 y(allo)r(cation)30 b(debugging)h(to)r (ols:)44 b(ElectricF)-7 b(ence,)31 b(for)g(\014nd-)0 1079 y(ing)d(bu\013er)h(o)n(v)n(er\015o)n(ws)d(and)i(use)g(after)h (deallo)r(cation,)e(and)0 1179 y(Bo)r(ehm's)42 b(garbage)f(collector)g (to)i(\014nd)g(memory)f(leaks.)0 1279 y(W)-7 b(e)24 b(p)r(erio)r (dically)e(run)i(with)f(these)h(to)r(ols)f(to)g(test)h(for)e(suc)n(h)0 1378 y(problems.)0 1696 y Fj(4.3.5)94 b(Addressing)31 b(Denial)g(of)h(Service)g(A)m(ttac)m(ks)0 1949 y Fk(IKE)j(is)h(sub)5 b(ject)35 b(to)h(DoS)g(\(Denial)g(of)g(Service\))f(attac)n(ks)0 2049 y(since)25 b(state)f(has)h(to)g(b)r(e)g(k)n(ept)g(in)g(the)g(resp) r(onder)f(after)h(the)0 2148 y(\014rst)j(message)e(has)h(b)r(een)i (receiv)n(ed.)36 b(If)29 b(a)e(malicious)g(p)r(eer)0 2248 y(starts)e(\015o)r(o)r(ding)h Fi(isakmp)l(d)i Fk(with)f(exc)n (hange)e(initiations,)h(a)0 2347 y(lot)d(of)h(state)f(will)g(accum)n (ulate)g(in)h(the)g(resp)r(onder.)34 b(W)-7 b(orse)0 2447 y(y)n(et,)30 b(in)h(aggressiv)n(e)26 b(mo)r(de,)31 b(the)g(resp)r(onder)d(will)i(ha)n(v)n(e)f(to)0 2547 y(do)f(exp)r(ensiv)n(e)g(computational)g(w)n(ork)1245 2517 y Fg(2)1311 2547 y Fk(b)r(efore)g(the)h(p)r(eer)0 2646 y(has)35 b(b)r(een)g(authen)n(ticated.)60 b(These)35 b(issues)g(are)f(actually)0 2746 y(proto)r(col)19 b(problems)g(and)h (could)f(ha)n(v)n(e)g(b)r(een)i(mo)r(ot,)g(if)f(only)0 2846 y(the)25 b(\\co)r(okie")f(mec)n(hanism)g(adopted)h(from)g(the)g (Photuris)0 2945 y(proto)r(col)39 b(had)h(b)r(een)h(understo)r(o)r(d)e (and)h(used)h(correctly)0 3045 y([)p Fj(?)p Fk(,)e Fj(?)p Fk(].)70 b(Since)39 b(the)g(proto)r(col)e(has)h(b)r(een)h (standardized,)0 3144 y(w)n(e)32 b(need)h(to)f(address)f(the)i(p)r (oten)n(tial)f(attac)n(ks.)50 b(Our)32 b(ap-)0 3244 y(proac)n(h)21 b(is)i(t)n(w)n(ofold:)34 b(\014rst)22 b(o\013,)i(w)n(e)e(alw)n(a)n(ys)f (c)n(hec)n(k)h(memory)0 3344 y(allo)r(cation)29 b(for)g(failure,)g(and) h(bac)n(k)e(out,)j(cleaning)d(up)i(all)0 3443 y(resources)i(tied)i(in)g (with)g(the)h(message)d(w)n(e)i(are)e(re)i(deal-)0 3543 y(ing)26 b(with.)36 b(Second,)26 b(w)n(e)g(use)f(a)h(maxim)n(um,)g (con\014gurable,)0 3643 y(exc)n(hange)38 b(lifetime.)75 b(If)40 b(the)h(exc)n(hange)d(times)i(out,)j(all)0 3742 y(resources)26 b(are)g(giv)n(en)h(bac)n(k)g(to)g(the)h(system.)0 3941 y(W)-7 b(e)42 b(ha)n(v)n(e)e(considered)g(additional)g(measures,)k (lik)n(e)c(ag-)0 4041 y(gressiv)n(e)25 b(random)h(tail)h(drop)g(of)g (exc)n(hanges)e(stuc)n(k)i(in)h(the)0 4141 y(state)g(after)g(the)g (\014rst)g(reply)-7 b(.)38 b(This)29 b(w)n(ould)e(b)r(e)i(somewhat)0 4240 y(analogous)41 b(to)j(the)f(normal)g(resp)r(onse)f(to)i(TCP)f (SYN-)0 4340 y(\015o)r(o)r(ds.)0 4658 y Fj(4.3.6)94 b(Solving)31 b(the)g(RSA)h(\\problem")0 4911 y Fk(A)n(t)h(the)f(time)h(w)n(e)f (started)g(implemen)n(ting)h Fi(isakmp)l(d,)j Fk(ex-)0 5010 y(p)r(orting)21 b(a)g(US)h(RSA)g(implemen)n(tation)f(in)h(source)e (form)h(to)0 5110 y(the)j(w)n(orld)f(at)g(large)g(w)n(as)f(illegal.)35 b(Another)24 b(problem)f(w)n(as)p 0 5165 744 4 v 92 5219 a Ff(2)127 5242 y Fe(Ev)n(en)g(hardw)n(are)g(accelerators)g(for)f(big)g (n)n(um)n(b)r(er)g(computation)0 5321 y(cannot)28 b(handle)f(the)g (high)g(v)n(olume)f(of)g(op)r(erations)h(that)h(w)n(ould)e(b)r(e)0 5400 y(in)n(v)n(olv)n(ed)e(in)g(suc)n(h)g(a)g(DOS)f(attac)n(k.)2010 83 y Fk(that)j(it)g(is)f(not)g(legal)g(to)g(use)g(the)h(RSA)g (algorithm)e(within)2010 183 y(the)33 b(US)g(unless)g(one)f(has)h(a)f (license)h(from)f(RSA)h(Inc.)53 b(or)2010 282 y(use)28 b(the)g(US-originated)f(non-commercial)g(RSAREF)h(li-)2010 382 y(brary)-7 b(.)42 b(Th)n(us,)30 b(there)g(w)n(as)e(no)i(w)n(a)n(y)e (to)i(mak)n(e)f(a)g(distribu-)2010 482 y(tion)23 b(that)h(w)n(ould)f(b) r(e)g(free)g(to)g(use)g(b)r(oth)h(in)f(the)h(US)g(and)f(in)2010 581 y(the)35 b(rest)e(of)i(the)f(w)n(orld,)h(b)r(ecause)f(the)h(only)f (implemen-)2010 681 y(tation)39 b(that)g(is)g(free)g(in)h(the)f(US)h(w) n(as)e(not)h(exp)r(ortable.)2010 780 y(Op)r(enBSD)23 b(has)f(solv)n(ed)g(this)g(problem)g(in)h(other)f(places)g(of)2010 880 y(the)f(source)e(tree)h(in)h(an)f(elegan)n(t)g(w)n(a)n(y:)32 b(w)n(e)20 b(c)n(hose)g(to)g(use)g(all)2010 980 y(RSA)32 b(functionalit)n(y)g(via)f(a)h(dynamically)e(link)n(ed)i(shared)2010 1079 y(library)-7 b(,)37 b Fi(lib)l(crypto,)k Fk(whic)n(h)36 b(is)g(part)g(of)g(Op)r(enSSL.)h(This)2010 1179 y(library)32 b(exists)h(in)h(three)f(v)-5 b(arian)n(ts:)48 b(one)33 b(RSA-crippled,)2010 1279 y(with)20 b(no)g(RSA)g(supp)r(ort)g(at)f (all,)j(one)d(with)h(in)n(ternationally)2010 1378 y(written)27 b(RSA)h(co)r(de)e(and)h(one)g(with)g(RSAREF.)h(W)-7 b(e)27 b(ship)2010 1478 y(the)g(RSA-crippled)f(v)n(ersion)f(as)g(that)i(one)e (has)h(no)g(paten)n(t)2010 1577 y(or)i(exp)r(ortabilit)n(y)h(issues)g (at)g(all.)42 b(Then)29 b(w)n(e)g(tell)h(in)n(terna-)2010 1677 y(tional)25 b(users)f(to)h(fetc)n(h)h(the)f(in)n(ternational)f (lib)r(crypto)h(v)n(er-)2010 1777 y(sion,)d(and)f(US)h(users)e(to)h (get)g(the)g(one)g(based)g(on)g(RSAREF)2010 1876 y(\(if)28 b(they)g(meet)g(criteria)f(to)g(legally)g(use)g(it\).)2010 2076 y(This)k(could)g(w)n(ork)f(for)g Fi(isakmp)l(d)j Fk(to)r(o,)f(if)g(it)f(w)n(ere)f(not)i(for)2010 2175 y(the)19 b(fact)g(that)g(w)n(e)f(w)n(an)n(t)g Fi(isakmp)l(d)j Fk(to)d(b)r(e)h(statically)f(link)n(ed,)2010 2275 y(so)41 b(w)n(e)g(can)g(get)h(IKE)f(negotiation)f(capabilities)h(really)2010 2374 y(early)26 b(in)i(the)g(b)r(o)r(ot)g(pro)r(cess.)2010 2574 y(The)41 b(solution)g(w)n(as)g(to)g(use)g(dynamic)h(linking)f(via) g(the)2010 2673 y Fi(d)t(lop)l(en)26 b Fk(API.)e(Ev)n(ery)e (RSA-related)i(sym)n(b)r(ol)g(of)g(lib)r(crypto)2010 2773 y(needs)35 b(to)h(b)r(e)f(accessed)f(indirectly)i(through)e(a)h(p) r(oin)n(ter.)2010 2873 y(This)j(p)r(oin)n(ter)f(is)g(initialized)h (with)g(the)g(address)e(of)i(the)2010 2972 y(statically)d(link)n(ed)g (RSA-crippled)g(stubs.)61 b(After)36 b(a)f(suc-)2010 3072 y(cessful)j(dynamic)g(link)g(the)h(p)r(oin)n(ters)e(get)h(reset)g (to)g(the)2010 3171 y(newly)23 b(loaded)f(lib)r(crypto)g(equiv)-5 b(alen)n(ts.)35 b(It)23 b(is)g(not)g(consid-)2010 3271 y(ered)31 b(a)h(fatal)f(error)f(if)i(the)h(dynamic)e(linking)h(fails.) 49 b(Not)2010 3371 y(all)22 b(op)r(erating)f(systems)g(allo)n(w)g (statically)g(link)n(ed)h(binaries)2010 3470 y(to)k(use)h Fi(d)t(lop)l(en)h Fk(though,)e(but)h(those)g(who)f(do)g(can)g(b)r (ene\014t)2010 3570 y(from)h(this.)2010 3941 y Fj(4.3.7)94 b(P)m(erformance)32 b(and)g(Co)s(de)f(Size)2010 4204 y Fk(The)38 b(SA)h(negotiation)e(is)h(v)n(ery)f(CPU-in)n(tensiv)n(e.)67 b(More)2010 4304 y(sp)r(eci\014cally)-7 b(,)41 b(in)d(main)g(and)h (aggressiv)n(e)c(mo)r(de)j(there)g(is)2010 4404 y(alw)n(a)n(ys)c(a)h (Di\016e-Hellman)h(exp)r(onen)n(tiation)f(and)h(some-)2010 4503 y(times,)k(dep)r(ending)e(on)g(authen)n(tication)f(metho)r(d,)j (RSA)2010 4603 y(or)32 b(DSS)h(signature)e(op)r(erations)h(that)h(are)e (fairly)h(exp)r(en-)2010 4703 y(siv)n(e)21 b(in)h(terms)f(of)h(CPU)f (pro)r(cessing.)34 b(In)22 b(quic)n(k)f(mo)r(de,)i(the)2010 4802 y(DH)41 b(exp)r(onen)n(tiation)e(is)h(optional)f(but)i (recommended.)2010 4902 y(That)27 b(exp)r(onen)n(tiation)f(is)h(what)f (pro)n(vides)g(\\P)n(erfect)f(F)-7 b(or-)2010 5001 y(w)n(ard)29 b(Secrecy)-7 b(.")44 b(Some)30 b(sample)g(timings)h(can)f(b)r(e)h (found)2010 5101 y(in)d(\014gure)f(4.)2010 5300 y(In)46 b(its)h(curren)n(t)e(state,)50 b Fi(isakmp)l(d)e Fk(consists)d(of)h (roughly)2010 5400 y(36,000)30 b(lines)h(of)h(co)r(de,)h(almost)e(all)h (of)g(it)g(in)g(C.)g(This)g(in-)p eop %%Page: 10 10 10 9 bop 468 3 2935 4 v 466 103 4 100 v 518 73 a Fk(Exc)n(hange)p 3015 103 V 2199 w(Seconds)p 3401 103 V 468 106 2935 4 v 466 206 4 100 v 518 176 a(Main)27 b(mo)r(de,)h(3DES,)f(SHA,)h(DH)h (group)d(2,)h(pre-shared)f(k)n(ey)p 3015 206 V 736 w(1.44)p 3401 206 V 466 306 V 518 276 a(Quic)n(k)g(mo)r(de,)i(3DES,)f(SHA,)i (PFS)e(\(DH)i(group)d(2\))p 3015 306 V 1042 w(1.40)p 3401 306 V 468 309 2935 4 v 466 408 4 100 v 518 379 a(Main)h(mo)r(de,)h (DES,)g(MD5,)f(DH)i(group)d(1,)h(pre-shared)f(k)n(ey)p 3015 408 V 767 w(0.95)p 3401 408 V 466 508 V 518 478 a(Quic)n(k)g(mo)r(de,)i(DES,)g(MD5,)g(PFS)f(\(DH)i(group)d(1\))p 3015 508 V 1073 w(0.60)p 3401 508 V 468 511 2935 4 v 466 611 4 100 v 518 581 a(Aggressiv)n(e)f(mo)r(de,)j(3DES,)f(SHA,)h(DH) h(group)d(2,)h(RSA)i(signature)d(\(X.509\))p 3015 611 V 238 w(1.50)p 3401 611 V 466 711 V 518 681 a(Quic)n(k)g(mo)r(de,)i (3DES,)f(SHA,)i(no)e(PFS)p 3015 711 V 1449 w(0.35)p 3401 711 V 468 714 2935 4 v 0 951 a(Figure)c(4:)35 b(A)24 b(P)n(en)n(tium)g(200MHz)f(running)g(t)n(w)n(o)h(instances)f(of)h (isakmp)r(d)g(negotiating)f(o)n(v)n(er)f(the)i(lo)r(opbac)n(k)f(in)n (terface)g(\(an)0 1050 y(exc)n(hange)f(b)r(et)n(w)n(een)i(t)n(w)n(o)f (distinct)i(mac)n(hines)e(ma)n(y)g(actually)g(\014nish)h(faster)f(as)h (some)f(computations)g(can)g(b)r(e)i(carried)d(out)0 1150 y(in)28 b(parallel\).)0 1420 y(cludes)g(commen)n(tary)-7 b(,)26 b(whic)n(h)h(w)n(e)h(ha)n(v)n(e)e(at)i(least)f(tried)g(to)0 1519 y(b)r(e)40 b(fairly)e(generous)g(with.)71 b(Securit)n(y)39 b(proto)r(col)f(imple-)0 1619 y(men)n(tations)28 b(need)g(to)g(b)r(e)h (auditable,)f(and)g(readabilit)n(y)f(is)0 1719 y(therefore)36 b(an)g(imp)r(ortan)n(t)g(asp)r(ect.)63 b(4,000)35 b(of)i(these)f(are)0 1818 y(the)25 b(platform-dep)r(enden)n(t)g(parts,)f(and)h(2,500)e(are)g (regres-)0 1918 y(sion)f(testing.)35 b(The)22 b(static)g(memory)f(fo)r (otprin)n(t)h(for)f(i386)g(is)0 2017 y(appro)n(ximately)32 b(950KB)g(for)i(a)f(full-blo)n(wn)h(v)n(ersion)e(and)0 2117 y(300KB)37 b(for)i(a)g(trimmed)g(do)n(wn)g(v)n(ersion)f(with)h (supp)r(ort)0 2217 y(only)25 b(for)g(mandatory)f(ciphers,)h(exc)n (hanges,)f(groups,)g(and)0 2316 y(authen)n(tication)44 b(metho)r(ds)g(\(no)h(debugging)e(or)g(re\014ned)0 2416 y(p)r(olicy)g(handling)f(is)g(included)i(in)f(the)g(trimmed-do)n(wn)0 2516 y(v)n(ersion\).)0 2920 y Fo(5)112 b(Securit)m(y)37 b(P)m(olicy)0 3208 y Fk(When)h(discussing)f(securit)n(y)f(p)r(olicy)-7 b(,)41 b(it)c(is)h(often)g(useful)0 3308 y(to)32 b(de\014ne)f(the)h (term)g(in)g(the)g(appropriate)e(con)n(text.)49 b(F)-7 b(or)0 3407 y(our)24 b(purp)r(oses,)g(securit)n(y)g(p)r(olicy)h(in)g (the)g(net)n(w)n(ork)e(la)n(y)n(er)g(is)0 3507 y(the)30 b(information)f(needed)h(to)f(decide)h(whether)g(a)f(pac)n(k)n(et)0 3607 y(should)f(b)r(e)h(accepted/forw)n(arded)e(or)g(dropp)r(ed.)40 b(F)-7 b(urther)0 3706 y(restricting)37 b(the)h(de\014nition)g(in)g (the)h(IPsec)e(con)n(text,)j(se-)0 3806 y(curit)n(y)h(p)r(olicy)g (dictates)g(what)g(classes)f(of)h(pac)n(k)n(ets)f(are)0 3906 y(acceptable)32 b(o)n(v)n(er)f(a)i(sp)r(eci\014c)g(SA.)g(This)g (is)g(all)g(the)g(more)0 4005 y(imp)r(ortan)n(t)23 b(for)f(IPsec,)h (since)g(the)g(encapsulation)f(mec)n(ha-)0 4105 y(nism)h(used)g (literally)g(allo)n(ws)e(establishmen)n(t)i(of)g(arbitrary)0 4204 y(virtual)k(top)r(ologies)f(o)n(v)n(er)g(the)i(net)n(w)n(ork)e (fabric.)0 4404 y(Since)f(there)f(exists)h(no)f(standard)g(mec)n (hanism)g(for)g(sp)r(eci-)0 4503 y(fying,)j(disseminating,)f(and)h(pro) r(cessing)e(securit)n(y)h(p)r(olicy)0 4603 y(for)33 b(IPsec,)i(w)n(e)f (ha)n(v)n(e)f(adopted)g(some)h(ongoing)e(researc)n(h)0 4703 y(w)n(ork)f(based)h(on)f(a)h(compliance-c)n(hec)n(king)e(arc)n (hitecture.)0 4802 y(The)d(concept)f(b)r(ehind)i(this)f(arc)n (hitecture)e(is)i(that,)g(at)g(SA)0 4902 y(establishmen)n(t)21 b(time,)j(w)n(e)d(utilize)h(some)f(mec)n(hanism)g(that)0 5001 y(v)-5 b(alidates)37 b(the)i(suitabilit)n(y)f(of)f(an)h(SA)g(for)g (a)f(particular)0 5101 y(class)31 b(of)g(pac)n(k)n(ets)f(and)i(a)f (remote)g(principal)g(at)g(IKE)g(ex-)0 5201 y(c)n(hange)24 b(time;)i(all)f(the)g(c)n(haracteristics)d(of)j(the)g(SA)h(\(cryp-)0 5300 y(tographic)e(algorithms,)g(k)n(ey)h(sizes,)g(transform)f (ordering,)0 5400 y Fi(etc.)p Fk(\),)f(along)c(with)i(the)g(pac)n(k)n (et)f(classes)f(\(in)i(e\013ect,)h(a)f(set)f(of)2010 1420 y(pac)n(k)n(et)27 b(\014lter)i(rules\))f(and)g(the)h(remote)f (principal's)g(iden-)2010 1519 y(tit)n(y)c(\(public)g(k)n(ey)-7 b(,)24 b(X.509)e(certi\014cates,)i(passphrase,)e Fi(etc.)p Fk(\))2010 1619 y(are)f(a)n(v)-5 b(ailable)21 b(at)h(that)h(stage.)34 b(It)23 b(is)f(imp)r(ortan)n(t)g(to)g(realize)2010 1719 y(that)36 b(this)g(op)r(eration)f(is)h(p)r(erformed)g(only)f(infrequen) n(tly)2010 1818 y(compared)21 b(to)h(the)h(n)n(um)n(b)r(er)f(of)g(pac)n (k)n(ets)f(that)h(will)h(use)f(the)2010 1918 y(established)f(SAs.)35 b(Th)n(us,)23 b(it)f(is)g(p)r(ossible)f(to)g(use)h(a)f(mec)n(ha-)2010 2017 y(nism)28 b(that)g(is)g(more)f(general,)f(p)r(o)n(w)n(erful,)h (and)h(extensible)2010 2117 y(than)38 b(a)g(simple)h(pac)n(k)n(et)e (\014lter)i(sp)r(eci\014cation)f(language.)2010 2217 y(W)-7 b(e)31 b(w)n(ould)g(also)f(lik)n(e)g(to)h(b)r(e)g(able)g(to)g (utilize)g(creden)n(tials)2010 2316 y(delegating)f(authorit)n(y)-7 b(,)31 b(as)f(w)n(e)h(ha)n(v)n(e)f(found)h(these)g(to)g(al-)2010 2416 y(lo)n(w)c(easier)f(and)i(more)e(scalable)h(administration.)2010 2615 y(The)61 b(higher-lev)n(el)e(mec)n(hanism)h(for)g(securit)n(y)g(p) r(olicy)2010 2715 y(compliance-c)n(hec)n(king)28 b(w)n(e)j(use)f(is)h (a)f(trust-managemen)n(t)2010 2814 y(system.)58 b(T)-7 b(rust-managemen)n(t)34 b(systems)g([)p Fj(?)p Fk(,)h Fj(?)p Fk(])g(pro)n(vide)2010 2914 y(a)40 b(uni\014ed)g(approac)n(h)f (to)h(sp)r(ecifying)g(securit)n(y)f(p)r(olicies,)2010 3014 y(creden)n(tials,)28 b(and)h(relationships)f(b)r(et)n(w)n(een)h (principals)g(in)2010 3113 y(the)21 b(system.)34 b(Unlik)n(e)20 b(traditional)g(certi\014cation)g(sc)n(hemes,)2010 3213 y(trust-managemen)n(t)28 b(creden)n(tials)g(bind)i(k)n(eys)e(directly)h (to)2010 3313 y(the)37 b(authorization)d(to)i(p)r(erform)g(some)g (task.)62 b(A)36 b(trust-)2010 3412 y(managemen)n(t)50 b(system)h(pro)n(vides)f(a)g(highly-adaptable)2010 3512 y(general-purp)r(ose)35 b(mec)n(hanism)i(for)g(sp)r(ecifying)h(securit) n(y)2010 3611 y(p)r(olicies)32 b(and)h(creden)n(tials.)51 b(A)33 b(principle)f(of)h(trust)g(man-)2010 3711 y(agemen)n(t)g(is)g (\\monotonicit)n(y)-7 b(.")54 b(This)33 b(means)g(that)h(p)r(oli-)2010 3811 y(cies)e(and)f(creden)n(tials)g(can)h(only)f(ha)n(v)n(e)g(a)g(p)r (ositiv)n(e)h(e\013ect)2010 3910 y(on)27 b(the)i(privileges)d(of)i(a)f (principal;)g(it)i(is)e(not)h(p)r(ossible)f(to)2010 4010 y(rev)n(ok)n(e)32 b(privilege)g(b)n(y)i(issuing)f(a)g(creden)n(tial.)54 b(This)34 b(ma)n(y)2010 4110 y(only)h(b)r(e)h(done)g(b)n(y)f(expiring)g (creden)n(tials,)i(or)e(b)n(y)g(mo)r(di-)2010 4209 y(fying)f(the)h (relev)-5 b(an)n(t)33 b(p)r(olicies)h(and)g(creden)n(tials.)55 b(F)-7 b(or)33 b(an)2010 4309 y(extensiv)n(e)27 b(o)n(v)n(erview)e(of)j (trust-managemen)n(t,)e(see)i([)p Fj(?)p Fk(].)2010 4508 y(KeyNote)f(is)h(an)g(instan)n(tiation)f(of)h(a)f(trust-managemen)n(t) 2010 4608 y(system,)35 b(designed)e(to)g(b)r(e)h(simple)f(y)n(et)g (\015exible.)54 b(It)34 b(pro-)2010 4707 y(vides)23 b(a)f(single)h (language)e(for)h(b)r(oth)h(p)r(olicies)g(and)g(creden-)2010 4807 y(tials,)30 b(based)f(on)g(predicates)g(that)h(describ)r(e)f(the)h (trusted)2010 4907 y(actions)d(p)r(ermitted)i(b)n(y)f(holders)f(of)h (sp)r(eci\014c)g(public)h(k)n(eys)2010 5006 y(\(or)35 b(other)h(cryptographic)e(iden)n(ti\014ers\).)62 b(F)-7 b(or)35 b(more)g(de-)2010 5106 y(tails)22 b(on)g(KeyNote)f(syn)n(tax)h (and)g(pro)r(cessing,)g(see)f([)p Fj(?)p Fk(].)36 b(F)-7 b(or)2010 5205 y(more)21 b(details)g(on)h(the)g(p)r(olicy)f(arc)n (hitecture)g(itself,)i(see)f([)p Fj(?)p Fk(].)2010 5305 y(The)28 b(follo)n(wing)f(subsection)h(discusses)f(some)h(implemen-)p eop %%Page: 11 11 11 10 bop 0 83 a Fk(tation)27 b(sp)r(eci\014cs.)0 397 y Fl(5.1)105 b(Implemen)m(tation)33 b(Details)0 710 y Fk(Mo)r(difying)d Fi(isakmp)l(d)i Fk(to)e(mak)n(e)g(use)g(of)g(the)h (compliance-)0 810 y(c)n(hec)n(king)40 b(arc)n(hitecture)g(for)h(p)r (olicy)g(resolution)g(pro)n(v)n(ed)0 910 y(straigh)n(tforw)n(ard.)31 b Fi(isakmp)l(d)20 b Fk(w)n(as)e(initially)h(designed)g(with)0 1009 y(a)29 b(rudimen)n(tary)e(mec)n(hanism)i(for)f(v)n(erifying)g (securit)n(y)g(as-)0 1109 y(so)r(ciations)f(prop)r(osed)h(b)n(y)g(the)g (remote)g(p)r(eer.)39 b(The)29 b(set)f(of)0 1208 y(acceptable)k (securit)n(y)h(asso)r(ciations)e(w)n(as)h(read)g(from)h(the)0 1308 y(con\014guration)22 b(\014le,)i(and)f(then)h(consulted)f(when)h (examin-)0 1408 y(ing)33 b(the)g(prop)r(osed)f(SA.)h(Ho)n(w)n(ev)n(er,) g(this)g(sc)n(heme)f(lac)n(k)n(ed)0 1507 y(\015exibilit)n(y)41 b(and)g(extensibilit)n(y)-7 b(.)78 b(In)42 b(particular,)h(it)f(w)n(as) 0 1607 y(not)f(p)r(ossible)g(to)g(delegate)g(authorit)n(y)-7 b(,)43 b(allo)n(w)e(for)f(v)n(ery)0 1707 y(\014ne-grained)34 b(SA)i(sp)r(eci\014cation)f(without)h(an)f(explosion)0 1806 y(in)24 b(the)f(size)h(of)f(the)h(con\014guration)e(\014le,)i(tak) n(e)f(in)n(to)g(consid-)0 1906 y(eration)28 b(information)h(not)g (directly)g(relev)-5 b(an)n(t)29 b(to)g(the)h(SA)0 2005 y(\(suc)n(h)h(as)f(time)h(of)g(da)n(y)-7 b(,)31 b(or)f(system)g (securit)n(y)g(lev)n(el\),)i(nor)0 2105 y(allo)n(w)i(for)g(\015exible)h (pac)n(k)n(et)f(selectors)f(\(an)i(exact)f(matc)n(h)0 2205 y(w)n(as)27 b(required\).)0 2404 y(Since)h(this)g(v)n (eri\014cation)f(mec)n(hanism)g(w)n(as)g(implemen)n(ted)0 2504 y(as)45 b(a)g(pro)r(cedure)g(call,)k(w)n(e)d(only)f(had)g(to)h(mo) r(dify)g(the)0 2603 y(in)n(v)n(oking)35 b(co)r(de)h(to)g(call)g (another)f(pro)r(cedure)g(that)i(ulti-)0 2703 y(mately)32 b(in)n(v)n(ok)n(ed)e(KeyNote.)48 b(This)32 b(c)n(hange)e(o)r(ccurred)h (in)0 2802 y(t)n(w)n(o)c(places:)60 3107 y(1.)41 b(When)19 b(the)g(Resp)r(onder)f(of)g(an)g(IKE)g(exc)n(hange)f(exam-)166 3206 y(ines)i(the)h(list)f(of)h(IPsec)e(\(Phase)g(2\))h(SAs)h(to)f (determine)166 3306 y(whic)n(h)28 b(one)f(is)g(acceptable.)60 3502 y(2.)41 b(When)e(the)f(Initiator)g(receiv)n(es)e(\(during)i(Phase) f(2\))166 3601 y(the)28 b(resp)r(onse)f(con)n(taining)f(the)i (acceptable)f(SA.)0 3906 y(When)k(in)n(v)n(ok)n(ed,)f(the)h(pro)r (cedure)f(con)n(v)n(erts)f(information)0 4005 y(tak)n(en)d(from)h(the)g Fi(exchange)g Fk(and)g Fi(sa)g Fk(structures)f(to)h(a)f(for-)0 4105 y(mat)h(suitable)f(for)g(use)g(b)n(y)g(KeyNote.)36 b(Suc)n(h)27 b(information)0 4204 y(con)n(tains)d(the)i(IPsec)e(proto)r (cols)g(to)h(b)r(e)h(used,)g(the)f(crypto-)0 4304 y(graphic)k (algorithms)f(to)i(b)r(e)h(used,)f(the)g(pac)n(k)n(et)f(selectors)0 4404 y(requested)43 b(\(Phase)g(2)g(User)g(IDs\),)48 b(the)c(cryptographic)0 4503 y(iden)n(ti\014er)27 b(used)h(in)g(Phase)e (1)i(b)n(y)f(the)h(remote)f(p)r(eer,)g Fi(etc.)0 4703 y Fk(This)g(cryptographic)e(iden)n(ti\014er)h(is)h(used)g(b)n(y)f(the)h (compli-)0 4802 y(ance)21 b(c)n(hec)n(k)n(er)f(to)i(determine)g(whic)n (h)g(part)f(of)h(the)g(securit)n(y)0 4902 y(p)r(olicy)j(is)h(relev)-5 b(an)n(t)25 b(to)g(a)g(sp)r(eci\014c)h(request.)36 b(If)26 b(public)g(k)n(ey)0 5001 y(authen)n(tication)39 b(w)n(as)f(used,)k (then)e(our)f(securit)n(y)f(p)r(olicy)0 5101 y(ma)n(y)28 b(directly)h(refer)f(to)h(said)g(public)g(k)n(ey)-7 b(,)29 b(and)g(the)h(same)0 5201 y(applies)37 b(for)g(passphrase)f(authen)n (tication.)66 b(F)-7 b(or)36 b(X.509-)0 5300 y(based)29 b(authen)n(tication,)g(w)n(e)g(ha)n(v)n(e)f(a)h(n)n(um)n(b)r(er)f(of)i (options)0 5400 y(as)d(to)g(who)h(p)r(olicy)f(ma)n(y)g(refer)g(to:)2093 83 y Fh(\017)41 b Fk(The)24 b(public)g(k)n(ey)e(of)i(the)g(remote)f (principal)g(as)g(it)h(ap-)2176 183 y(p)r(ears)32 b(in)h(the)g(Sub)5 b(ject)34 b(\014eld)f(of)g(the)g(X.509)f(certi\014-)2176 282 y(cate,)h(or)e(the)h(X.509)e(certi\014cate)i(itself.)50 b(This)31 b(form)2176 382 y(of)g(delegation)f(is)g(the)h(most)g(direct) g(and)f(limited)i(in)2176 482 y(scop)r(e.)2093 656 y Fh(\017)41 b Fk(The)46 b(public)g(k)n(ey)f(or)g(X.509)g(certi\014cate)g (of)h(some)2176 755 y(certi\014cation)54 b(authorit)n(y)f(\(CA\))i (that)g(ultimately)2176 855 y(\\sp)r(eaks)21 b(for")g(the)i(remote)f (principal.)35 b(This)22 b(ma)n(y)g(b)r(e)2176 955 y(the)34 b(CA)g(immediately)g(v)-5 b(alidating)33 b(said)g(principal,)2176 1054 y(or)h(some)f(other)h(CA)h(further)f(up)h(in)g(a)f(CA)h(hierar-) 2176 1154 y(c)n(h)n(y)-7 b(.)36 b(The)27 b(higher)g(up)g(the)h(CA)f(w)n (e)g(delegate)g(to,)g(the)2176 1254 y(broader)h(the)i(scop)r(e)g(of)g (the)g(delegation)f(\(and)h(th)n(us,)2176 1353 y(more)j(users)g(share)g (the)i(same)e(righ)n(ts\).)56 b(Note)34 b(that)2176 1453 y(it)26 b(is)g(p)r(ossible)f(to)h(delegate)f(a)h(set)f(of)h(righ)n(ts)f (to)h(some)2176 1552 y(CA)32 b(that)g(\\sp)r(eaks)e(for")g(some)h (user,)h(and)g(sim)n(ulta-)2176 1652 y(neously)h(giv)n(e)g(more)g(righ) n(ts)f(to)i(that)g(sp)r(eci\014c)g(user.)2176 1752 y(Reducing)d(a)g (user's)g(privileges)f(through)h(the)h(same)2176 1851 y(mec)n(hanism)21 b(is)h(not)f(feasible)g(under)h(KeyNote,)g(ho)n(w-) 2176 1951 y(ev)n(er)d(\(b)r(ecause)h(of)g(monotonicit)n(y)-7 b(,)20 b(as)g(previously)e(de-)2176 2051 y(scrib)r(ed\).)2093 2225 y Fh(\017)41 b Fk(Since)46 b(public)f(k)n(eys)g(and)g(X.509)f (certi\014cates)g(can)2176 2325 y(b)r(e)38 b(cum)n(b)r(ersome)f(to)g (manipulate)h(ev)n(en)f(in)h(a)f(text)2176 2424 y(form,)47 b(it)d(is)f(p)r(ossible)g(to)h(use)f(the)h(Distinguished)2176 2524 y(Name)19 b(as)f(it)i(app)r(ears)e(in)h(an)g(X.509)f (certi\014cate.)33 b(This)2176 2623 y(mak)n(es)18 b(p)r(olicies)i(m)n (uc)n(h)f(more)f(concise)h(and)g(readable.)2176 2723 y(An)29 b(added)f(b)r(ene\014t)h(is)f(that)h(certi\014cates)e(\(and)i (ev)n(en)2176 2823 y(k)n(eys\))i(ma)n(y)f(c)n(hange)g(without)i (a\013ecting)f(the)g(p)r(olicy)2176 2922 y(\(although)23 b(in)h(some)f(cases)g(this)h(ma)n(y)f(turn)h(in)n(to)f(a)g(li-)2176 3022 y(abilit)n(y\).)35 b(W)-7 b(e)21 b(can)g(use)g(the)h(DN)f(of)g (the)h(remote)e(prin-)2176 3122 y(cipal)26 b(directly)-7 b(,)26 b(or)e(that)i(of)g(some)f(CA)h(that)g(\\sp)r(eaks)2176 3221 y(for")h(the)h(principal.)2010 3510 y(The)20 b(assem)n(bled)e (information)h(is)g(passed)g(on)g(to)h(KeyNote,)2010 3609 y(and)33 b(the)h(resp)r(onse)e(indicates)h(whether)h(the)f(SA)h (should)2010 3709 y(b)r(e)d(accepted)g(or)e(dropp)r(ed.)47 b(In)31 b(e\013ect,)h(KeyNote)e(is)g(v)n(er-)2010 3809 y(ifying)36 b(that)h(the)g(com)n(bination)e(of)i(remote)f(p)r(eer,)i (IPsec)2010 3908 y(proto)r(cols)d(\(and)i(algorithms,)h(lifetimes,)h Fi(etc.)65 b Fk(used)36 b(b)n(y)2010 4008 y(those)k(proto)r(cols\),)h (and)f(pac)n(k)n(et)f(selectors)g(are)g(accept-)2010 4107 y(able)27 b(b)n(y)g(p)r(olicy)-7 b(.)37 b(This)28 b(p)r(olicy)f(ma)n(y)g(b)r(e)h(expressed)e(solely)2010 4207 y(in)h(terms)f(of)g(lo)r(cal)g(p)r(olicy)g(or)g(as)g(a)g(com)n (bination)f(of)i(lo)r(cal)2010 4307 y(p)r(olicy)37 b(and)f(\(signed\))h (creden)n(tials.)63 b(These)36 b(creden)n(tials)2010 4406 y(ma)n(y)24 b(b)r(e)i(acquired)e(during)h(the)g(Phase)f(1)h(exc)n (hange)f(\(pro-)2010 4506 y(vided)33 b(b)n(y)f(the)h(remote)f(p)r (eer\))h(or)f(at)h(an)n(y)f(p)r(oin)n(t)h(in)g(time)2010 4606 y(afterw)n(ards)f(\()p Fi(e.g.,)37 b Fk(fetc)n(hed)d(on-demand)f (through)g(some)2010 4705 y(out-of-band)39 b(proto)r(col)2771 4675 y Fg(3)2807 4705 y Fk(\).)75 b(As)40 b(so)r(on)g(as)f(an)h(SA)h (is)f(ac-)2010 4805 y(cepted,)28 b(the)g(searc)n(h)e(is)h(concluded.) 2010 5004 y(The)37 b(pro)r(cedure)f(is)g(called)h(once)f(for)g(eac)n(h) g(distinct)i(SA)2010 5104 y(prop)r(osal)c(receiv)n(ed)h(from)g(the)i(p) r(eer)e(\(since)h(there)g(is)f(no)p 2010 5165 744 4 v 2102 5219 a Ff(3)2137 5242 y Fe(W)-6 b(e)29 b(ha)n(v)n(e)g(exp)r (erimen)n(ted)g(with)f(fetc)n(hing)h(creden)n(tials)g(from)d(a)2010 5321 y(w)n(eb)c(serv)n(er,)f(using)g(a)g(primitiv)n(e)f(cgi-script)g (and)i(a)g(database)g(k)n(ey)n(ed)2010 5400 y(on)i(public)g(k)n(eys)g (and)g(X.509)g(Distinguished)g(Names.)p eop %%Page: 12 12 12 11 bop 0 83 a Fk(w)n(a)n(y)22 b(to)h(e\016cien)n(tly)g(enco)r(de)f (all)h(the)h(SA)f(prop)r(osals)e(in)i(one)0 183 y(action)31 b(attribute)i(set)f(and)f(ha)n(v)n(e)g(KeyNote)h(mak)n(e)f(a)g(de-)0 282 y(cision)25 b(on)g(whic)n(h)g(one)g(to)g(select)g({)g(this)g(is)g (a)g(dra)n(wbac)n(k)e(of)0 382 y(using)c(KeyNote)f(instead)h(of)g(a)f (more)g(complex)h(p)r(olicy)g(lan-)0 482 y(guage\).)46 b(Note)31 b(ho)n(w)n(ev)n(er)e(that)i(eac)n(h)f(suc)n(h)h(in)n(v)n(o)r (cation)e(is)0 581 y(v)n(ery)j(\\ligh)n(t)n(w)n(eigh)n(t")f(in)i(pro)r (cessing)f(terms:)48 b(con)n(v)n(erting)0 681 y(the)23 b(relev)-5 b(an)n(t)22 b(information)g(is)h(straigh)n(tforw)n(ard,)d (and)j(an)n(y)0 780 y(cryptographic)35 b(op)r(erations)h(are)g(only)h (p)r(erformed)g(once)0 880 y(and)h(their)g(results)g(cac)n(hed)f(for)g (future)i(use.)68 b(The)38 b(p)r(ol-)0 980 y(icy)29 b(assertions)e(are) h(loaded)g(once)g(at)h(startup)g(time)g(\(and)0 1079 y(reloaded)h(if)i Fi(isakmp)l(d)g Fk(is)f(ask)n(ed)f(to)h (re-initialize\).)47 b(Some)0 1179 y(simple)33 b(exp)r(erimen)n(ts)g (sho)n(w)f(that)h(the)h(cost)f(of)g(in)n(v)n(oking)0 1279 y(KeyNote)f(increases)g(linearly)g(with)i(the)f(n)n(um)n(b)r(er)g (of)g(as-)0 1378 y(sertions)k(in)i(use,)i(and)d(that)g(for)g(a)g (simple)g(setup)h(of)f(3-)0 1478 y(4)d(assertions/creden)n(tials)d(the) k(cost)e(is)i(in)f(the)h(order)e(of)0 1577 y(150)p Fc(\026)p Fk(sec.)0 1777 y(Here,)26 b(w)n(e)h(wish)f(to)g(mak)n(e)g(t)n(w)n(o)g (additional)g(observ)-5 b(ations:)83 2050 y Fh(\017)41 b Fk(KeyNote)22 b(is)g(in)n(v)n(ok)n(ed)f(during)h(Phase)f(2)h(only)-7 b(.)35 b(While)166 2149 y(it)f(is)f(trivial)g(to)g(allo)n(w)f(p)r (olicy)h(con)n(trol)f(o)n(v)n(er)g(estab-)166 2249 y(lishmen)n(t)i(of)g (Phase)f(1)g(SAs,)j(w)n(e)d(b)r(eliev)n(e)h(that)g(this)166 2349 y(is)h(b)r(oth)g(unnecessary)e(and)i(p)r(oten)n(tially)g (confusing)166 2448 y(to)e(users.)51 b(Since)33 b(Phase)f(1)g(SAs)h (are)f(used)h(only)f(b)n(y)166 2548 y Fi(isakmp)l(d)37 b Fk(and)e(ha)n(v)n(e)f(no)g(direct)h(e\013ect)h(on)f(the)g(sys-)166 2647 y(tem)g(or)f(on)h(net)n(w)n(ork)e(tra\016c,)j(this)f(approac)n(h)e (do)r(es)166 2747 y(not)28 b(compromise)e(safet)n(y)-7 b(.)83 2909 y Fh(\017)41 b Fk(Curren)n(tly)-7 b(,)41 b(compliance)e(c)n(hec)n(king)f(on)h(the)g(initia-)166 3009 y(tor)c(is)g(p)r(erformed)g(when)g(the)h(accepted)f(SA)h(is)f(re-) 166 3109 y(ceiv)n(ed)26 b(from)h(the)g(resp)r(onder)f(\(message)f(2)i (in)g(Quic)n(k)166 3208 y(Mo)r(de\).)49 b(Ideally)-7 b(,)33 b(this)f(c)n(hec)n(k)e(should)i(b)r(e)g(done)f(b)r(e-)166 3308 y(fore)e(transmission)f(of)h(the)g(\014rst)g(message)f(in)i(Quic)n (k)166 3407 y(Mo)r(de,)25 b(to)g(a)n(v)n(oid)e(transmitting)i(SA)g (prop)r(osals)e(that)166 3507 y(in)j(the)g(end)g(will)g(not)g(b)r(e)g (accepted)g(b)n(y)f(us.)36 b(Pro)r(cess-)166 3607 y(ing)i(after)g (receipt)g(of)g(message)f(2)g(should)h(b)r(e)h(lim-)166 3706 y(ited)24 b(to)f(v)n(erifying)f(that)i(the)f(returned)g(SA)h(is)f (among)166 3806 y(those)33 b(o\013ered)g(in)h(the)f(\014rst)g(message.) 53 b(W)-7 b(e)34 b(elected)166 3906 y(not)28 b(to)h(do)f(this)h(b)r (ecause)f(of)g(co)r(de)g(complexit)n(y:)38 b(b)r(e-)166 4005 y(cause)19 b(KeyNote)h(supp)r(ort)g(w)n(as)f(added)h(after)g(most) g(of)166 4105 y Fi(isakmp)l(d)32 b Fk(w)n(as)e(written,)i(the)f(co)r (de)g(that)g(constructs)166 4204 y(the)g(list)g(of)g(SAs)g(in)g (message)e(1)i(w)n(as)e(already)h(in)n(tri-)166 4304 y(cately)e(tied)i(to)e(message)g(construction,)g(con\014gura-)166 4404 y(tion)h(\014le)h(parsing,)f(and)g(attribute)g(syn)n(tax)g(v)n (eri\014ca-)166 4503 y(tion.)66 b(Rewriting)37 b(the)g(relev)-5 b(an)n(t)37 b(co)r(de)g(just)h(to)f(ac-)166 4603 y(commo)r(date)29 b(KeyNote)h(w)n(ould)f(in)n(v)n(olv)n(e)f(serious)h(re-)166 4703 y(structuring.)70 b(W)-7 b(e)39 b(in)n(tend)g(to)g(rewrite)f(that) h(piece)166 4802 y(of)h Fi(isakmp)l(d)i Fk(in)f(the)f(near)g(future)g (to)h(retriev)n(e)e(SA)166 4902 y(information)d(from)g(the)h(k)n(ernel) e(\(as)h(opp)r(osed)g(to)g(a)166 5001 y(con\014guration)d(\014le\).)58 b(A)n(t)34 b(that)h(time,)i(an)d(in)n(terface)166 5101 y(b)r(etter)22 b(suited)g(to)f(p)r(olicy)h(compliance)f(c)n(hec)n(king) f(will)166 5201 y(b)r(e)31 b(in)n(tro)r(duced.)47 b(W)-7 b(e)31 b(should)f(note)h(that)g(this)g(issue)166 5300 y(is)e(not)g(an)g(artifact)g(of)g(our)g(use)g(of)g(KeyNote;)g(using)166 5400 y(an)n(y)c(securit)n(y)g(p)r(olicy)h(system)f(on)h(the)g (initiator)f(side)2176 83 y(w)n(ould)i(require)g(the)h(same)f(co)r(de)g (restructuring.)2010 374 y(In)49 b(terms)f(of)h(co)r(de)f(size,)54 b(the)48 b(\\glue")g(co)r(de)g(b)r(et)n(w)n(een)2010 473 y Fi(isakmp)l(d)28 b Fk(and)e(KeyNote)g(w)n(as)g(ab)r(out)g(1200)f (lines,)i(almost)2010 573 y(exclusiv)n(ely)j(dealing)g(with)i(the)f (con)n(v)n(ersion)e(of)i(informa-)2010 673 y(tion)e(from)f Fi(isakmp)l(d)p Fk('s)i(in)n(ternal)e(structures)f(to)i(KeyNote)2010 772 y(action)41 b(attributes.)79 b(W)-7 b(e)42 b(also)f(had)g(to)h(add) f(ab)r(out)h(50)2010 872 y(lines)31 b(of)f(co)r(de)h(in)g(di\013eren)n (t)f(parts)g(of)h(KeyNote,)g(dealing)2010 972 y(with)41 b(initialization)g(and)f(record)f(k)n(eeping.)76 b(The)40 b(co)r(de)2010 1071 y(displaced)30 b(b)n(y)h(KeyNote)e(w)n(as)h(appro)n (ximately)f(500)g(lines)2010 1171 y(long.)35 b(The)26 b(KeyNote)e(library)g(itself)i(is)f(ab)r(out)h(5000)d(lines)2010 1270 y(\(not)38 b(including)h(the)f(cryptographic)e(functions,)42 b(where)2010 1370 y Fi(lib)l(crypto)29 b Fk(is)f(used\).)2010 1791 y Fo(6)112 b(Conclusion)2010 2095 y Fl(6.1)105 b(Curren)m(t)34 b(State)2010 2400 y Fk(W)-7 b(e)51 b(b)r(eliev)n(e)f(that)h Fi(isakmp)l(d)h Fk(curren)n(tly)e(addresses)e(all)2010 2500 y(mandatory)69 b(features)g(in)h(the)g(RF)n(Cs.)164 b(W)-7 b(e)70 b(also)2010 2599 y(implemen)n(t)77 b(most)f(optional)g (features.)182 b Fi(isakmp)l(d)2010 2699 y Fk(curren)n(tly)62 b(runs)g(on)h(Op)r(enBSD's)g(old)g(IPsec)f(stac)n(k)2010 2798 y(with)44 b(PF)p 2331 2798 25 4 v 29 w(ENCAP)-7 b(,)43 b(Op)r(enBSD's)h(curren)n(t)e(stac)n(k)h(with)2010 2898 y(PF)p 2126 2898 V 30 w(KEY,)19 b(F)-7 b(reeS/W)e(AN)21 b(with)f(Lin)n(ux)g(NetLink)h(API)f(and)2010 2998 y(F)-7 b(reeBSD/NetBSD)47 b(with)g(KAME's)f(IPsec)g(stac)n(k)g(via)2010 3097 y(PF)p 2126 3097 V 30 w(KEY.)35 b(W)-7 b(e)37 b(ha)n(v)n(e)e(also) g(made)i(it)f(p)r(ossible)g(to)h(sha)n(v)n(e)2010 3197 y(o\013)24 b(m)n(uc)n(h)g(of)g(the)h(extras)e(at)h(compile)g(time,)i (th)n(us)e(making)2010 3297 y Fi(isakmp)l(d)43 b Fk(a)d(candidate)h (for)g(b)r(eing)g(used)g(in)g(small)g(em-)2010 3396 y(b)r(edded)34 b(systems.)55 b Fi(isakmp)l(d)35 b Fk(is)e(in)h(pro)r(duction)f(used)h (in)2010 3496 y(n)n(umerous)27 b(sites.)2010 3800 y Fl(6.2)105 b(F)-9 b(uture)35 b(Directions)2010 4105 y Fk(There)20 b(seems)g(to)g(b)r(e)h(an)f(increasing)f(n)n(um)n(b)r(er)i(of)f(prop)r (osed)2010 4204 y(new)j(IKE)g(extensions)f(after)h(ev)n(ery)f(IETF.)h (W)-7 b(e)24 b(are,)f(ho)n(w-)2010 4304 y(ev)n(er,)g(reluctan)n(t)f(to) g(incorp)r(orate)f(them)i(all)f(as)g(co)r(de)h(bloat)2010 4404 y(is)f(a)g(problem)g(w)n(e)g(should)g(\014gh)n(t)g(to)g(main)n (tain)g(an)n(y)g(kind)g(of)2010 4503 y(securit)n(y)-7 b(.)34 b(Something)21 b(w)n(e)f(de\014nitely)i(are)e(going)g(to)g(add)h (is)2010 4603 y(IPv6)28 b(supp)r(ort,)i(as)f(w)n(e)g(recen)n(tly)g(ha)n (v)n(e)f(started)h(shipping)2010 4703 y(Op)r(enBSD)34 b(with)h(an)e(IPsec-a)n(w)n(are)e(IPv6)i(stac)n(k.)55 b(Other)2010 4802 y(lik)n(ely)29 b(enhancemen)n(ts)g(are)f(supp)r(ort)h (for)g(PK)n(CS#11)e(\(an)2010 4902 y(API)43 b(to)g(talk)g(to)g (cryptographic)f(tok)n(ens,)k(lik)n(e)d(smart-)2010 5001 y(cards,)48 b(for)c(authen)n(tication\),)49 b(c)n(hallenge-resp)r(onse) 43 b(au-)2010 5101 y(then)n(tication)27 b(for)f(Phase)f(1)h(exc)n (hanges)f(and)i(PKIX)f(com-)2010 5201 y(pliance.)46 b(A)31 b(ma)5 b(jor)30 b(short-term)f(pro)5 b(ject)30 b(is)h(supp)r(ort)g(for) 2010 5300 y(cryptographic)18 b(hardw)n(are)f(for)j(RSA)g(and)g (Di\016e-Hellman)2010 5400 y(computation,)50 b(since)45 b(Op)r(enBSD)h(has)g(b)r(egan)f(to)g(sup-)p eop %%Page: 13 13 13 12 bop 0 83 a Fk(p)r(ort)26 b(a)g(cryptographic)e(services)g(framew) n(ork)h(in)h(the)g(k)n(er-)0 183 y(nel.)50 b(Other)31 b(minor)h(pro)5 b(jects)31 b(in)n(v)n(olv)n(e)f(in)n(tegration)h(with)0 282 y(DNSSEC)g([)p Fj(?)p Fk(])f(infrastructure)g(once)f(w)n(e)h(see)g (further)g(de-)0 382 y(plo)n(ymen)n(t)45 b(and)g(use,)k(and)c(\\New)g (group)f(mo)r(de")g(sup-)0 482 y(p)r(ort)32 b(to)h(dynamically)f (negotiate)f(new)i(groups)e(to)i(com-)0 581 y(pute)42 b(DH)h(secrets)e(in.)80 b(There)41 b(are)g(plans)h(to)f(supp)r(ort)0 681 y(some)29 b(new)h(platforms,)g(for)g(example)f(F)-7 b(reeS/W)e(AN)30 b(o)n(v)n(er)0 780 y(PF)p 116 780 25 4 v 30 w(KEY)k(and)h(Solaris)f(8.)59 b(There)34 b(are)h(other)f (commer-)0 880 y(cial)39 b(Unices)g(with)h(IPsec)e(stac)n(ks)g(whic)n (h)h(w)n(e)g(ma)n(y)f(p)r(ort)0 980 y Fi(isakmp)l(d)32 b Fk(to.)44 b(Closer)29 b(in)n(tegration)g(with)h(the)h(k)n(ernel)e (and)0 1079 y(userland)23 b(applications)f(\(p)r(ossibly)i(through)e (the)i Fi(setso)l(ck-)0 1179 y(opt\(3\)/getso)l(ckopt\(3\))30 b Fk(API\),)e(and)g(v)-5 b(arious)26 b(pro)5 b(jects)27 b(in-)0 1279 y(v)n(olving)i(p)r(olicy)i(disco)n(v)n(ery/negotiation)26 b(\(in)31 b(particular,)0 1378 y(direct)i(exc)n(hanging)e(of)i(KeyNote) g(creden)n(tials\))f(and)h(au-)0 1478 y(tomatic)28 b(con\014guration)f (are)h(also)g(part)g(of)g(our)g(plans)h(for)0 1577 y(future)f(w)n(ork.) 0 1885 y Fl(6.3)105 b(In)m(terop)s(erabilit)m(y)0 2194 y Fk(W)-7 b(e)23 b(ha)n(v)n(e)f(attended)i(a)e(couple)h(of)g(in)n (terop)r(erabilit)n(y)f(w)n(ork-)0 2293 y(shops)k(as)h(w)n(ell)g(as)f (carried)g(out)h(our)g(o)n(wn)f(tests)h(and)g(ha)n(v)n(e)0 2393 y(succeeded)h(remark)-5 b(ably)26 b(w)n(ell,)i(giv)n(en)f(the)i (complexit)n(y)e(of)0 2492 y(the)42 b(IKE)e(sp)r(eci\014cations.)78 b(A)41 b(lot)g(ma)n(y)g(b)r(e)h(attributed)0 2592 y(to)23 b(our)g(\015exible)h(con\014guration)e(whic)n(h,)i(ho)n(w)n(ev)n(er,)f (cannot)0 2692 y(b)r(e)k(said)e(to)h(b)r(e)h(user-friendly)-7 b(.)35 b(W)-7 b(e)27 b(ha)n(v)n(e)e(b)r(een)i(kno)n(wn)e(to)0 2791 y(in)n(terop)r(erate)34 b(with)i(the)f(3com)f(P)n(ath)n(builder)g (500,)i(Ash-)0 2891 y(ley)c(Lauren)n(t)f(VPCom,)i(Axen)n(t)f(Raptor,)g (Cendio)g(F)-7 b(uego)0 2991 y(Firew)n(all,)34 b(Chec)n(kP)n(oin)n(t)e (FireW)-7 b(all-1,)34 b(Cisco)f(IOS,)h(Cisco)0 3090 y(PIX,)41 b(F-secure)g(VPN+,)k(F)-7 b(reeBSD/NetBSD)41 b(KAME,)0 3190 y(In)n(tel)29 b(LanRo)n(v)n(er,)e(Lin)n(ux)i(F)-7 b(reeS/W)e(AN,)29 b(Nortel)g(Con)n(tiv-)0 3289 y(it)n(y)-7 b(,)23 b(PGP)d(VPN,)h(Radguard)f(cIPro,)h(T)-7 b(eam)n(w)n(are)19 b(TWISS,)0 3389 y(Windo)n(ws)27 b(2K,)g(and)g(Timestep)h(P)n(ermit.)0 3588 y(Most)19 b(of)g(this)g(in)n(terop)r(eration)f(has)h(b)r(een)g (with)h(pre-shared)0 3688 y(k)n(eys.)33 b(Unfortunately)20 b(w)n(e)f(ha)n(v)n(e)g(not)g(y)n(et)h(had)f(a)g(c)n(hance)g(to)0 3788 y(do)33 b(extensiv)n(e)g(certi\014cate-based)g(in)n(terop)r (erabilit)n(y)f(test-)0 3887 y(ing.)0 4195 y Fl(6.4)105 b(Securit)m(y)36 b(Considerations)0 4503 y Fk(As)27 b(migh)n(t)g(ha)n (v)n(e)f(b)r(ecome)h(clear)f(b)n(y)h(no)n(w,)f(IKE)g(is)h(a)g(com-)0 4603 y(plex)k(proto)r(col,)f(p)r(erhaps)h(o)n(v)n(erly)e(so.)46 b(As)31 b(w)n(e)f(are)g(imple-)0 4703 y(men)n(ting)h(securit)n(y)-7 b(,)32 b(complexit)n(y)e(is)h(not)h(something)e(w)n(ell)0 4802 y(lo)r(ok)n(ed)k(up)r(on.)58 b(Complex)34 b(proto)r(cols)f(are)g (implemen)n(ted)0 4902 y(with)40 b(complex)e(programs)f(whic)n(h)i (tend)h(to)f(ha)n(v)n(e)f(more)0 5001 y(bugs,)26 b(and)h(some)e(bugs)h (migh)n(t)h(just)g(happ)r(en)g(to)f(b)r(e)h(secu-)0 5101 y(rit)n(y)19 b(breac)n(hes.)33 b(Mo)r(dular)19 b(design)h(with)g(clear) f(APIs)h(in)n(ter-)0 5201 y(nally)30 b(helps)g(reduce)g(complexit)n(y)f (and)h(allo)n(ws)f(for)g(easier)0 5300 y(auditing,)c(but)h(there)f(is)f (still)i(a)e(lot)h(more)f(risk)g(with)i(com-)0 5400 y(plex)39 b(programs)f(than)h(with)h(simple)g(ones.)72 b(There)39 b(are)2010 83 y(simpler)34 b(alternativ)n(es)f(to)i(IKE,)f(more)g (limited)h(in)g(func-)2010 183 y(tionalit)n(y)-7 b(,)27 b(but)h(lik)n(ely)g(more)e(secure)h([)p Fj(?)p Fk(].)2010 476 y Fl(6.5)105 b(Related)35 b(W)-9 b(ork)2010 769 y Fk(There)46 b(are)g(of)h(course)f(other)g(Op)r(en)h(Source)f(pro)5 b(jects)2010 869 y(that)38 b(implemen)n(t)g(IKE,)f(the)h(t)n(w)n(o)f (most)h(widely)g(kno)n(wn)2010 968 y(b)r(eing)h(the)g(Lin)n(ux)f(F)-7 b(reeS/W)e(AN)39 b(pro)5 b(ject's)37 b Fi(Pluto,)42 b Fk(and)2010 1068 y Fi(R)l(ac)l(o)l(on,)c Fk(of)d(the)g(KAME)g(pro)5 b(ject)35 b(whose)f(IPsec)g(stac)n(ks)2010 1167 y(exist)27 b(for)f(b)r(oth)h(NetBSD)h(and)e(F)-7 b(reeBSD.)27 b(Both)f(of)h(these) 2010 1267 y(are)21 b(only)h(mean)n(t)h(for)e(their)i(resp)r(ectiv)n(e)e (platforms,)i(unlik)n(e)2010 1367 y Fi(isakmp)l(d,)i Fk(whic)n(h)d(is)f(mean)n(t)h(to)f(b)r(e)h(a)g(p)r(ortable)f(implemen-) 2010 1466 y(tation.)38 b(As)29 b(a)e(matter)h(of)g(fact,)h Fi(isakmp)l(d)g Fk(runs)f(on)g(top)g(of)2010 1566 y(b)r(oth)35 b(the)g(F)-7 b(reeS/W)e(AN)34 b(and)g(KAME)g(stac)n(ks.)56 b(Raco)r(on)2010 1666 y(is,)49 b(to)44 b(our)g(kno)n(wledge,)j(the)e (only)f(IKE)f(implemen)n(ta-)2010 1765 y(tion)33 b(with)g(IPv6)e(supp)r (ort.)51 b(There)32 b(are)g(also)f(other)h(k)n(ey-)2010 1865 y(managemen)n(t)19 b(proto)r(col)g(implemen)n(tations)g(a)n(v)-5 b(ailable,)20 b(an)2010 1964 y(example)37 b(is)g Fi(photurisd,)k Fk(Op)r(enBSD's)c(Photuris)f(imple-)2010 2064 y(men)n(tation.)65 b(An)37 b(extensiv)n(e)f(o)n(v)n(erview)f(of)i(the)g(emplo)n(y-)2010 2164 y(men)n(t)f(of)g(cryptograph)n(y)e(in)i(Op)r(enBSD)g(ma)n(y)f(b)r (e)i(found)2010 2263 y(in)28 b([)p Fj(?)p Fk(].)2010 2673 y Fo(7)112 b(Ac)m(kno)m(wledgmen)m(ts)2010 2966 y Fk(W)-7 b(e)23 b(w)n(ould)f(lik)n(e)h(to)f(thank)h(Matt)g(Blaze,)g (Theo)g(de)f(Raadt,)2010 3066 y(Martin)29 b(F)-7 b(redriksson,)29 b(Markus)g(F)-7 b(riedl,)30 b(Hugh)g(Graham,)2010 3165 y(John)41 b(Ioannidis,)i(H)-10 b(\027)-52 b(ak)-5 b(an)41 b(Olsson,)i(Niels)f(Pro)n(v)n(os,)f(and)2010 3265 y(Jonathan)32 b(Smith)h(for)f(their)h(supp)r(ort,)g(commen)n(ts,)h(sug-)2010 3364 y(gestions,)24 b(and)g(w)n(ork)f(in)i(v)-5 b(arious)23 b(asp)r(ects)h(of)g(this)h(pro)5 b(ject)2010 3464 y(and)41 b(pap)r(er.)76 b(Most)41 b(of)g(the)g(dev)n(elopmen)n(t)g(of)f Fi(isakmp)l(d)2010 3564 y Fk(w)n(as)30 b(funded)j(b)n(y)e(Ericsson)f (Radio)h(Systems.)48 b(The)32 b(secu-)2010 3663 y(rit)n(y)h(p)r(olicy)g (w)n(ork)g(men)n(tioned)g(in)h(this)g(pap)r(er)f(w)n(as)f(sup-)2010 3763 y(p)r(orted)j(b)n(y)g(D)n(ARP)-7 b(A)35 b(under)g(gran)n(t)f (F39502-99-1-0512)o(-)2010 3863 y(MOD)28 b(P0001.)2010 4272 y Fo(8)112 b(Av)-6 b(ailabilit)m(y)2010 4565 y Fk(All)30 b(the)g(soft)n(w)n(are)f(describ)r(ed)g(in)h(the)g(pap)r(er)g(is)f(a)n (v)-5 b(ailable)2010 4665 y(through)27 b(the)h(Op)r(enBSD)g(w)n(eb)f (page)g(at:)2439 4933 y Fd(http://www.openb)o(sd)o(.o)o(rg/)2010 5201 y Fk(Op)r(enBSD)d(is)g(based)f(in)h(Calgary)-7 b(,)23 b(Canada.)35 b(All)24 b(individ-)2010 5300 y(uals)j(doing)f (cryptograph)n(y-related)e(w)n(ork)h(do)i(so)f(outside)2010 5400 y(coun)n(tries)h(that)g(ha)n(v)n(e)g(limiting)h(la)n(ws.)p eop %%Page: 14 14 14 13 bop 0 83 a Fo(References)38 293 y Fb([1])43 b(R.)19 b(A)n(tkinson.)j(IP)d(Authen)n(tication)g(Header.)k(RF)n(C)c(1826,)161 384 y(August)25 b(1995.)38 510 y([2])43 b(R.)32 b(A)n(tkinson.)53 b(IP)32 b(Encapsulating)h(Securit)n(y)e(P)n(a)n(yload.)161 601 y(RF)n(C)26 b(1827,)h(August)e(1995.)38 727 y([3])43 b(M.)64 b(Blaze,)75 b(J.)65 b(F)-6 b(eigen)n(baum,)72 b(J.)64 b(Ioannidis,)74 b(and)161 818 y(A.)20 b(Kerom)n(ytis.)k(The)c (role)h(of)f(trust)g(managemen)n(t)e(in)i(dis-)161 910 y(tributed)28 b(systems)g(securit)n(y)-6 b(.)42 b(In)28 b Fa(Se)l(cur)l(e)k(Internet)g(Pr)l(o-)161 1001 y(gr)l(amming)p Fb(,)f(v)n(olume)e(1603)i(of)f Fa(L)l(e)l(ctur)l(e)k(Notes)e(in)f(Com-) 161 1092 y(puter)26 b(Scienc)l(e)p Fb(,)e(pages)g(185{210.)h (Springer-V)-6 b(erlag)23 b(Inc.,)161 1184 y(New)j(Y)-6 b(ork,)25 b(NY,)g(USA,)g(1999.)38 1310 y([4])43 b(M.)32 b(Blaze,)i(J.)d(F)-6 b(eigen)n(baum,)32 b(J.)g(Ioannidis,)h(and)d(A.)h (D.)161 1401 y(Kerom)n(ytis.)f(The)24 b(k)n(eynote)f(trust)g(managemen) n(t)f(system)161 1492 y(v)n(ersion)k(2.)35 b(In)n(ternet)24 b(RF)n(C)i(2704,)h(Septem)n(b)r(er)d(1999.)38 1618 y([5])43 b(M.)29 b(Blaze,)i(J.)e(F)-6 b(eigen)n(baum,)29 b(and)f(J.)h(Lacy)-6 b(.)42 b(Decen)n(tral-)161 1710 y(ized)25 b(T)-6 b(rust)24 b(Managemen)n(t.)33 b(In)23 b Fa(Pr)l(o)l(c.)k(of)g(the)g(17th)g(Sym-) 161 1801 y(p)l(osium)40 b(on)h(Se)l(curity)g(and)g(Privacy)p Fb(,)j(pages)c(164{173.)161 1892 y(IEEE)21 b(Computer)e(So)r(ciet)n(y)i (Press,)h(Los)f(Alamitos,)h(1996.)38 2018 y([6])43 b(M.)34 b(Blaze,)k(J.)c(Ioannidis,)j(and)c(A.)h(Kerom)n(ytis.)57 b(T)-6 b(rust)161 2109 y(Managemen)n(t)38 b(and)f(Net)n(w)n(ork)g(La)n (y)n(er)h(Securit)n(y)e(Proto-)161 2201 y(cols.)26 b(In)19 b Fa(Pr)l(o)l(c)l(e)l(e)l(dings)24 b(of)e(the)h(1999)g(Cambridge)f(Se)l (curity)161 2292 y(Pr)l(oto)l(c)l(ols)29 b(International)g(Workshop)p Fb(.)e(Springer,)f(1999.)38 2418 y([7])43 b(Consultation)d(Committee.) 74 b Fa(X.509:)60 b(The)40 b(Dir)l(e)l(ctory)161 2509 y(A)n(uthentic)l(ation)55 b(F)-6 b(r)l(amework)p Fb(.)117 b(In)n(ternational)53 b(T)-6 b(ele-)161 2601 y(phone)29 b(and)g(T)-6 b(elegraph,)31 b(In)n(ternational)f(T)-6 b(elecomm)n(uni-)161 2692 y(cations)27 b(Union,)e(Genev)l(a,)h(1989.)38 2818 y([8])43 b(T.)37 b(de)g(Raadt,)i(N.)d(Hallqvist,)k(A.)d(Grab)r(o)n (wski,)k(A.)36 b(D.)161 2909 y(Kerom)n(ytis,)62 b(and)55 b(N.)g(Pro)n(v)n(os.)123 b(Cryptograph)n(y)55 b(in)161 3001 y(Op)r(enBSD:)42 b(An)g(Ov)n(erview.)84 b(In)42 b Fa(Pr)l(o)l(c.)i(of)e(the)i(1999)161 3092 y(USENIX)52 b(A)n(nnual)h(T)-6 b(e)l(chnic)l(al)53 b(Confer)l(enc)l(e,)60 b(F)-6 b(r)l(e)l(enix)161 3183 y(T)g(r)l(ack)p Fb(,)27 b(pages)g(93)f({)g(101,)h(June)f(1999.)38 3309 y([9])43 b(W.)36 b(Di\016e)g(and)f(M.E.)i(Hellman.)64 b(New)36 b(Directions)h(in)161 3401 y(Cryptograph)n(y)-6 b(.)35 b Fa(IEEE)28 b(T)-6 b(r)l(ansactions)30 b(on)e(Information)161 3492 y(The)l(ory)p Fb(,)f(IT{22\(6\):644{654,)k(No)n(v)25 b(1976.)0 3618 y([10])43 b(D.)24 b(Eastlak)n(e)i(and)e(C.)h(Kaufman.)32 b(Dynamic)23 b(Name)h(Ser-)161 3709 y(vice)40 b(and)g(Securit)n(y)-6 b(.)78 b(In)n(ternet)39 b(RF)n(C)h(2065,)46 b(Jan)n(uary)161 3800 y(1997.)0 3926 y([11])d(D.)36 b(Harkins)f(and)h(D.)g(Carrel.)66 b(The)36 b(in)n(ternet)g(k)n(ey)f(ex-)161 4018 y(c)n(hange)f(\(IKE\).) 58 b(Request)32 b(for)j(Commen)n(ts)d(\(Prop)r(osed)161 4109 y(Standard\))f(2409,)k(In)n(ternet)c(Engineering)h(T)-6 b(ask)32 b(F)-6 b(orce,)161 4200 y(No)n(v)n(em)n(b)r(er)24 b(1998.)0 4326 y([12])43 b(John)28 b(Ioannidis)h(and)f(Matt)h(Blaze.)44 b(The)29 b(Arc)n(hitecture)161 4418 y(and)18 b(Implemen)n(tation)e(of)j (Net)n(w)n(ork-La)n(y)n(er)f(Securit)n(y)f(Un-)161 4509 y(der)35 b(Unix.)64 b(In)35 b Fa(F)-6 b(ourth)38 b(Usenix)f(Se)l (curity)i(Symp)l(osium)161 4600 y(Pr)l(o)l(c)l(e)l(e)l(dings)p Fb(.)28 b(USENIX,)d(Octob)r(er)g(1993.)0 4726 y([13])43 b(P)-6 b(.)34 b(Karn)g(and)g(W.)g(Simpson.)59 b(Photuris:)52 b(Session-k)n(ey)161 4817 y(managemen)n(t)20 b(proto)r(col.)29 b(Request)20 b(for)j(Commen)n(ts)d(\(Ex-)161 4909 y(p)r(erimen)n(tal\)) h(2522,)j(In)n(ternet)d(Engineering)h(T)-6 b(ask)22 b(F)-6 b(orce,)161 5000 y(Marc)n(h)26 b(1999.)0 5126 y([14])43 b(S.)25 b(Ken)n(t)f(and)h(R.)f(A)n(tkinson.)33 b(Securit)n(y)24 b(arc)n(hitecture)h(for)161 5217 y(the)d(in)n(ternet)g(proto)r(col.)30 b(Request)22 b(for)h(Commen)n(ts)e(\(Pro-)161 5309 y(p)r(osed)34 b(Standard\))f(2401,)38 b(In)n(ternet)33 b(Engineering)i(T)-6 b(ask)161 5400 y(F)g(orce,)26 b(No)n(v)n(em)n(b)r(er)e(1998.)2010 83 y([15])43 b(A.)35 b(D.)g(Kerom)n(ytis,)j(J.)e(Ioannidis,)i(and)d(J.) h(M.)g(Smith.)2171 174 y(Implemen)n(ting)16 b(IPsec.)23 b(In)18 b Fa(Pr)l(o)l(c)l(e)l(e)l(dings)23 b(of)e(Glob)l(al)g(Inter-) 2171 266 y(net)28 b(\(Glob)l(eCom\))g('97)p Fb(,)e(pages)g(1948)g({)g (1952,)h(No)n(v)n(em)n(b)r(er)2171 357 y(1997.)2010 482 y([16])43 b(D.)18 b(McDonald,)j(C.)e(Metz,)i(and)d(B.)h(Phan.)k(PF)p 3525 482 24 4 v 28 w(KEY)18 b(Key)2171 573 y(Managemen)n(t)38 b(API,)f(V)-6 b(ersion)38 b(2.)70 b(Request)37 b(for)i(Com-)2171 664 y(men)n(ts)34 b(\(Informational\))h(2367,)k(In)n(ternet)34 b(Engineering)2171 756 y(T)-6 b(ask)26 b(F)-6 b(orce,)26 b(July)g(1998.)2010 880 y([17])43 b(W.)26 b(A.)h(Simpson.)35 b(IKE/ISAKMP)25 b(Considered)i(Harm-)2171 971 y(ful.)35 b Fa(USENIX)27 b(;lo)l(gin:)p Fb(,)e(Decem)n(b)r(er)f(1999.)p eop %%Trailer end userdict /end-hook known{end-hook}if %%EOF