Linux Advanced Routing & Traffic Control HOWTO

Korean translation: 이재광 pulccot(at)unitel.co.kr, 너바나, scipione, softgear(at)dcn.ssu.ac.kr

Bert Hubert (Netherlabs BV) bert.hubert(at)netherlabs.nl
Gregory Maxwell greg(at)linuxpower.cx
Remco van Mook remco(at)virtu.nl
Martijn van Oosterhout kleptog(at)cupid.suninternet.com
Paul B Schroeder paulsch(at)us.ibm.com
Jasper Spaans jasper(at)spaans.ds9a.nl

Revision History Revision $Revision: 1.52 $ $Date: 2006/09/14 15:31:31 $ DocBook Edition



Contents

1. Dedication
2. Introduction
2.1. Disclaimer & License
2.2. Prior knowledge
2.3. What Linux can do for you
2.4. Housekeeping notes
2.5. Access, CVS & submitting updates
2.6. Mailing list
2.7. Layout of this document
3. Introduction to iproute2
3.1. Why iproute2?
3.2. iproute2 tour
3.3. Prerequisites
3.4. Exploring your current configuration
3.4.1. ip shows us our links
3.4.2. ip shows us our IP addresses
3.4.3. ip shows us our routes
3.5. ARP (Address Resolution Protocol)
4. Rules - routing policy database
4.1. Simple source policy routing
4.2. Routing for multiple uplinks/providers
4.2.1. Split access
4.2.2. Load balancing
5. GRE and other tunnels
5.1. A few general remarks about tunnels
5.2. IP in IP tunneling
5.3. GRE tunneling
5.3.1. GRE over IPv4 tunneling
5.3.2. GRE over IPv6 tunneling
5.4. Userland tunnels
6. IPv6 tunneling with Cisco and/or 6bone
6.1. IPv6 Tunneling
7. IPSEC: secure IP over the Internet
7.1. Intro with Manual Keying
7.2. Automatic keying
7.2.1. Theory
7.2.2. Example
7.2.2.1. Problems and known defects
7.2.3. Automatic keying using X.509 certificates
7.2.3.1. Building an X.509 certificate for your host
7.2.3.2. Setting up and launching
7.2.3.3. How to set up tunnels securely
7.3. IPSEC tunnels
7.4. Other IPSEC software
7.5. IPSEC interoperation with other systems
7.5.1. Windows
7.5.2. Check Point VPN-1 NG
8. Multicast routing
9. Queueing Disciplines for Bandwidth Management
9.1. Queues and Queueing Disciplines explained
9.2. Simple, classless Queueing Disciplines
9.2.1. pfifo_fast
9.2.1.1. Parameters & usage
9.2.2. Token Bucket Filter
9.2.2.1. Parameters & usage
9.2.2.2. Sample configuration
9.2.3. Stochastic Fairness Queueing
9.2.3.1. Parameters & usage
9.2.3.2. Sample configuration
9.3. Advice for when to use which queue
9.4. Terminology
9.5. Classful Queuing Disciplines
9.5.1. Flows within classful qdiscs & classes
9.5.2. The qdisc family: roots, handles, siblings and parents
9.5.3. The PRIO qdisc
9.5.4. The famous CBQ qdisc
9.5.5. Hierarchical Token Bucket
9.6. Classifying packets with filters
9.6.1. Some simple filtering examples
9.6.2. All the filtering commands you will normally need
9.7. The Intermediate Queuing Device (IMQ)
9.7.1. Simple configuration
10. Load sharing over multiple interfaces
10.1. Caveats
10.2. Other possibilities
11. Netfilter & iproute - marking packets
12. Advanced filters for (re-)classifying packets
12.1. The u32 classifier
12.1.1. U32 selector
12.1.2. General selectors
12.1.3. Specific selectors
12.2. The route classifier
12.3. Policing filters
12.3.1. Ways to police
12.3.2. Overlimit actions
12.3.3. Examples
12.4. Hashing filters for very fast massive filtering
12.5. Filtering IPv6 traffic
12.5.1. How come that IPv6 tc filters do not work?
12.5.2. Marking IPv6 packets using ip6tables
12.5.3. Using the u32 selector to match IPv6 packet
13. Kernel network parameters
13.1. Reverse Path Filtering
13.2. Obscure settings
13.2.1. Generic ipv4
13.2.2. Per device settings
13.2.3. Neighbor policy
13.2.4. Routing settings
14. Advanced & less common queueing disciplines
14.1. bfifo/pfifo
14.1.1. Parameters & usage
14.2. Clark-Shenker-Zhang algorithm (CSZ)
14.3. DSMARK
14.3.1. Introduction
14.3.2. What is DSMARK related to?
14.3.3. Differentiated Services guidelines
14.3.4. Working with DSMARK
14.3.5. How SCH_DSMARK works
14.3.6. TC_INDEX Filter
14.4. Ingress qdisc
14.4.1. Parameters & usage
14.5. Random Early Detection (RED)
14.6. Generic Random Early Detection
14.7. VC/ATM emulation
14.8. Weighted Round Robin (WRR)
15. Cookbook
15.1. Running multiple sites with different SLAs
15.2. Protecting your host from SYN floods
15.3. Rate limit ICMP to prevent dDoS
15.4. Prioritizing interactive traffic
15.5. Transparent web-caching using netfilter, iproute2, ipchains and squid
15.5.1. Traffic flow diagram after implementation
15.6. Circumventing Path MTU Discovery issues with per route MTU settings
15.6.1. Solution
15.7. Circumventing Path MTU Discovery issues with MSS Clamping (for ADSL, cable, PPPoE & PPtP users)
15.8. The Ultimate Traffic Conditioner: Low Latency, Fast Up & Downloads
15.8.1. Why it doesn't work well by default
15.8.2. The actual script (CBQ)
15.8.3. The actual script (HTB)
15.9. Rate limiting a single host or netmask
15.10. Example of a full nat solution with QoS
15.10.1. Let's begin optimizing that scarce bandwidth
15.10.2. Classifying packets
15.10.3. Improving our setup
15.10.4. Making all of the above start at boot
16. Building bridges, and pseudo-bridges with Proxy ARP
16.1. State of bridging and iptables
16.2. Bridging and shaping
16.3. Pseudo-bridges with Proxy-ARP
16.3.1. ARP & Proxy-ARP
16.3.2. Implementing it
17. Dynamic routing - OSPF and BGP
17.1. Setting up OSPF with Zebra
17.1.1. Prerequisites
17.1.2. Configuring Zebra
17.1.3. Running Zebra
17.2. Setting up BGP4 with Zebra
17.2.1. Network Map (Example)
17.2.2. Configuration (Example)
17.2.3. Checking Configuration
18. Other possibilities
19. Further reading
20. Acknowledgements

1. Dedication


This document is dedicated to lots of people, and is my attempt to do something back. To list a few:

  • Rusty Russell
  • Alexey N. Kuznetsov
  • The good folks from Google
  • The staff of Casema Internet

2. Introduction


Welcome, gentle reader.

This document hopes to enlighten you on how to do more with Linux 2.2/2.4 routing. Unbeknownst to most users, you already run tools which allow you to do spectacular things. Commands like route and ifconfig are actually very thin wrappers for the very powerful iproute2 infrastructure.

I hope that this HOWTO will become as readable as the ones by Rusty Russell of (amongst other things) netfilter fame.

You can always reach us by writing to the HOWTO team. However, please consider posting to the mailing list (see the relevant section) if you have questions which are not directly related to this HOWTO. We are no free helpdesk, but we often do answer questions asked on the list.

Before losing your way in this HOWTO: if all you want to do is simple traffic shaping, skip everything, head to the Other possibilities chapter and read about CBQ.init.

2.1. Disclaimer & License

This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

In short, if your STM-64 backbone breaks down and distributes pornography to your most esteemed customers, it's never our fault. Sorry.

Copyright (c) 2002 by bert hubert, Gregory Maxwell, Martijn van Oosterhout, Remco van Mook, Paul B. Schroeder and others. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).

Freely distribute and copy this document, in any form (sell it or give it away). Please forward corrections and comments to the document maintainer.

It is requested that if you publish this HOWTO in hardcopy, you send the authors some samples for "review purposes" :-)

The Korean translation is copyright 이재광 and each of the earlier translators, and may be redistributed under the terms of section 4 of the Open Publication License v1.0 or later (the latest version is available at http://www.opencontent.org/openpub/).

2.2. Prior knowledge

As the title implies, this is the "Advanced" HOWTO. While by no means rocket science, some prior knowledge is assumed.

Here are some other references which might help teach you more:

[http] Rusty Russell's networking-concepts-HOWTO
Very nice introduction, explaining what a network is, and how it is connected to other networks.

Linux Networking-HOWTO (previously the Net-3 HOWTO)
Great stuff, although very verbose. It teaches you a lot of things that are already configured if you are able to connect to the Internet. It should be located in /usr/doc/HOWTO/NET3-4-HOWTO.txt but can also be found [http]online.

2.3. What Linux can do for you

A small list of things that are possible:
  • Throttle bandwidth for certain computers
  • Throttle bandwidth TO certain computers
  • Help you to fairly share your bandwidth
  • Protect your network from Denial of Service (DoS) attacks
  • Protect the Internet from your customers
  • Multiplex several servers as one, for load balancing or enhanced availability
  • Restrict access to your computers
  • Limit access of your users to other hosts
  • Do routing based on user id (yes!), MAC address, source IP address, port, type of service, time of day or content
Currently, not many people are using these advanced features. This is for several reasons: the existing documentation is verbose but not very hands-on, and traffic control is almost undocumented.

2.4. Housekeeping notes

There are several things which should be noted about this document. While I wrote most of it, I really don't want it to stay that way. I am a strong believer in Open Source, so I encourage you to send feedback, updates, patches etcetera. Do not hesitate to inform me of typos or plain old errors. If my English sounds somewhat wooden, please realise that I'm not a native speaker. Feel free to send suggestions.

If you feel you are better qualified to maintain a section, or think that you can author and maintain new sections, you are welcome to do so. The SGML of this HOWTO is available via CVS; I very much envision more people working on it.

In aid of this, you will find lots of FIXME notices. Patches are always welcome! Wherever you find a FIXME, you should know that you are treading in unknown territory. This is not to say that there are no errors elsewhere, but be extra careful there. If you have validated something, please let us know so we can remove the FIXME notice.

About this HOWTO, I will take some liberties along the road. For example, I postulate a 10 Mbit Internet connection, while I know full well that those are not very common.

2.5. Access, CVS & submitting updates

The canonical location for the HOWTO is [http]here.

We now have anonymous CVS access available to the world at large. This is good in a number of ways: you can easily upgrade to newer versions of this HOWTO, and submitting patches is no work at all.

Furthermore, it allows the authors to work on the source independently, which is good too.
$ export CVSROOT=:pserver:anon@outpost.ds9a.nl:/var/cvsroot
$ cvs login
CVS password: [enter 'cvs' (without the quotes)]
$ cvs co 2.4routing
cvs server: Updating 2.4routing
U 2.4routing/2.4routing.sgml
If you find an error, or want to add something, just fix it locally, run cvs diff -u, and send the result to us.

A Makefile is supplied which should help you create postscript, dvi, pdf, html and plain text. You may need to install docbook, docbook-utils, ghostscript and tetex to get all formats.

2.6. Mailing list

The authors receive an increasing amount of mail about this HOWTO. Because of the clear interest of the community, it was decided to start a mailing list where people can talk to each other about Advanced Routing and Traffic Control. You can subscribe to the list [http]here.

It should be pointed out that the authors are very hesitant to answer questions not asked on the list. We would like the archive of the list to become some kind of knowledge base. If you have a question, please search the archive first, and then post to the mailing list.

2.7. Layout of this document

We will be doing interesting stuff almost immediately, which also means that there will initially be parts that are explained incompletely or are not perfect. Please gloss over these parts and assume that all will become clear.

Routing and filtering are two distinct things. Filtering is documented very well by Rusty's HOWTOs, available here:

We will be focusing mostly on what is possible by combining netfilter and iproute2.

3. Introduction to iproute2

3.1. Why iproute2?

Most Linux distributions, and most UNIX systems, currently use the venerable arp, ifconfig and route commands. While these tools work, they show some unexpected behaviour under Linux 2.2 and up. For example, GRE tunnels are an integral part of routing these days, but require completely different tools.

With iproute2, tunnels are an integral part of the tool set.

The 2.2 and above Linux kernels include a completely redesigned network subsystem. This new networking code brings Linux performance and a feature set with little competition in the general OS arena. In fact, the new routing, filtering and classifying code is more featureful than that provided by many dedicated routers, firewalls and traffic shaping products.

As new networking concepts have been invented, people have found ways to plaster them on top of the existing framework in existing OSes. This constant layering of cruft has led to networking code that is filled with strange behaviour, much like most human languages. In the past, Linux emulated SunOS's handling of many of these things, which was not ideal.

This new framework makes it possible to clearly express features previously beyond Linux's reach.

3.2. iproute2 tour

Linux has a sophisticated system for bandwidth provisioning called Traffic Control. This system supports various methods for classifying, prioritizing, sharing and limiting both inbound and outbound traffic.

We'll start off with a tiny tour of iproute2 possibilities.

3.3. Prerequisites

You should make sure that you have the userland tools installed. This package is called 'iproute' on both RedHat and Debian, and may otherwise be found at ftp://ftp.inr.ac.ru/ip-routing/iproute2-2.2.4-now-ss??????.tar.gz.

You can also try [ftp]here for the latest version.

Some parts of iproute require you to have certain kernel options enabled. It should also be noted that all releases of RedHat up to and including 6.2 come without most of the traffic control features in the default kernel.

RedHat 7.2 has everything in by default.

Also make sure that you have netlink support, should you choose to roll your own kernel. iproute2 needs it.

3.4. Exploring your current configuration

This may come as a surprise, but iproute2 is already configured! The current commands ifconfig and route are already using the advanced syscalls, but mostly with very default (i.e. boring) settings.

The ip tool is central, and we'll ask it to display our interfaces for us.

3.4.1. ip shows us our links

[ahu@home ahu]$ ip link list
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1400 qdisc pfifo_fast qlen 100
    link/ether 48:54:e8:2a:47:16 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:4c:39:24:78 brd ff:ff:ff:ff:ff:ff
3764: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 10
    link/ppp 
Your mileage may vary, but this is what it shows on my NAT router at home. I'll only explain part of the output as not everything is directly relevant.

We first see the loopback interface. While your computer may function somewhat without one, I'd advise against it. The MTU (Maximum Transfer Unit) is 3924 octets, and it is not supposed to queue, which makes sense because the loopback interface is a fantasy in your kernel's imagination.

I'll skip the dummy interface for now, and it may not be present on your computer. Then there are my two physical network interfaces, one at the side of my cable modem, the other serving my home ethernet segment. Furthermore, we see a ppp0 interface.

Note the absence of IP addresses. iproute disconnects the concept of 'links' and 'IP addresses'. With IP aliasing, the concept of 'the' IP address had become quite irrelevant anyhow.

It does show us the MAC addresses though, the hardware identifiers of our ethernet interfaces.

3.4.2. ip shows us our IP addresses

[ahu@home ahu]$ ip address show        
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop 
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1400 qdisc pfifo_fast qlen 100
    link/ether 48:54:e8:2a:47:16 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/8 brd 10.255.255.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:4c:39:24:78 brd ff:ff:ff:ff:ff:ff
3764: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 10
    link/ppp 
    inet 212.64.94.251 peer 212.64.94.1/32 scope global ppp0
This contains more information. It shows all our addresses, and to which cards they belong. 'inet' stands for Internet (IPv4). There are lots of other address families, but these don't concern us right now.

  • (Translator's note) For the address families, see the socket or route man pages; the definitive list is in the socket header file.

Let's examine eth0 somewhat closer. It says that it is related to the inet address '10.0.0.1/8'. What does this mean? The /8 is the number of bits in the network part of the address. Of the 32 bits, 8 are the network prefix and the remaining 24 identify hosts within our network. The first 8 bits of 10.0.0.1 give 10.0.0.0, our network address, and the corresponding netmask is 255.0.0.0.

The other bits are connected to this interface, so 10.250.3.13 is directly reachable on eth0, as is 10.0.0.1 for example.

With ppp0, the same concept applies, though the numbers are different. Its address is 212.64.94.251, without a subnet mask. This means that we have a point-to-point connection and that every address, with the exception of 212.64.94.251, is remote. There is more information, however. It tells us that on the other side of the link there is, yet again, only one address, 212.64.94.1. The /32 tells us that there are no 'network bits'.

It is absolutely vital that you grasp these concepts. Refer to the documentation mentioned at the beginning of this HOWTO if you have trouble.

You may also note 'qdisc', which stands for Queueing Discipline. This will become vital later on.

3.4.3. ip shows us our routes

Well, we now know how to find 10.x.y.z addresses, and we are able to reach 212.64.94.1. This is not enough however, so we need instructions on how to reach the world. The Internet is available via our PPP connection, and it appears that 212.64.94.1 is willing to spread our packets around the world, and deliver results to us.
[ahu@home ahu]$ ip route show
212.64.94.1 dev ppp0  proto kernel  scope link  src 212.64.94.251 
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.0.0.1 
127.0.0.0/8 dev lo  scope link 
default via 212.64.94.1 dev ppp0
This is pretty much self explanatory. The first three lines of output explicitly state what was already implied by ip address show. The last line tells us that the rest of the world can be found via 212.64.94.1, our default gateway. We can see that it is a gateway because of the word via, which tells us that we need to send packets to 212.64.94.1, and that it will take care of things.

For reference, this is what the old route utility shows us:
[ahu@home ahu]$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
212.64.94.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         212.64.94.1     0.0.0.0         UG    0      0        0 ppp0

3.5. ARP (Address Resolution Protocol)

ARP is the Address Resolution Protocol as described in [http]RFC 826. ARP is used by a networked machine to resolve the hardware location/address of another machine on the same local network. Machines on the Internet are generally known by names which resolve to IP addresses. This is how a machine on the foo.com network is able to communicate with another machine which is on the bar.net network. An IP address, though, cannot tell you the physical location of a machine. This is where ARP comes into the picture.

Let's take a very simple example. Suppose I have a network composed of several machines. Two of the machines which are currently on my network are foo with an IP address of 10.0.0.1 and bar with an IP address of 10.0.0.2. Now foo wants to ping bar to see that he is alive, but alas, foo has no idea where bar is. So when foo decides to ping bar he will need to send out an ARP request. This ARP request is akin to foo shouting out on the network "Bar (10.0.0.2)! Where are you?" As a result of this, every machine on the network will hear foo shouting, but only bar (10.0.0.2) will respond. Bar will then send an ARP reply directly back to foo, which is akin to bar saying, "Foo (10.0.0.1), I am here at 00:60:94:E9:08:12." After this simple transaction used to locate his friend on the network, foo is able to communicate with bar until he (his arp cache) forgets where bar is (typically after 15 minutes on Unix; on Linux the timers are the neighbour settings covered in section 13.2.3). Note that nothing in this exchange proves that the reply really came from bar: any host on the segment can answer, which is what ARP spoofing exploits.

Now let's see how this works. You can view your machine's current arp/neighbor cache/table like so:
[root@espa041 /home/src/iputils]# ip neigh show
9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable
9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud reachable
As you can see, my machine espa041 (9.3.76.41) knows where to find espa042 (9.3.76.42) and espagate (9.3.76.1). Now let's add another machine to the arp cache.
[root@espa041 /home/paulsch/.gnome-desktop]# ping -c 1 espa043
PING espa043.austin.ibm.com (9.3.76.43) from 9.3.76.41 : 56(84) bytes of data.
64 bytes from 9.3.76.43: icmp_seq=0 ttl=255 time=0.9 ms

--- espa043.austin.ibm.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.9/0.9/0.9 ms

[root@espa041 /home/src/iputils]# ip neigh show
9.3.76.43 dev eth0 lladdr 00:06:29:21:80:20 nud reachable
9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable
9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud reachable
As a result of espa041 trying to contact espa043, espa043's hardware address/location has now been added to the arp/neighbor cache. So until the entry for espa043 times out (as a result of no communication between the two), espa041 knows where to find espa043 and has no need to send an ARP request.

Now let's delete espa043 from the arp cache:
[root@espa041 /home/src/iputils]# ip neigh delete 9.3.76.43 dev eth0
[root@espa041 /home/src/iputils]# ip neigh show
9.3.76.43 dev eth0  nud failed
9.3.76.42 dev eth0 lladdr 00:60:08:3f:e9:f9 nud reachable
9.3.76.1 dev eth0 lladdr 00:06:29:21:73:c8 nud stale
Now espa041 has again forgotten where to find espa043 and will need to send another ARP request the next time it needs to communicate with espa043. You can also see from the above output that espagate (9.3.76.1) has been changed to the "stale" state. This means that the location shown is still valid, but it will have to be confirmed at the first transaction to that machine.
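The exchange described above, built and decoded as raw Ethernet/ARP frames, plus a small model of the neighbour cache that ip neigh prints. This is an added example, not code from the HOWTO: the frames are constructed in the script, foo's MAC address is not given in the text and is assumed here, and the NeighbourCache.learn() alert is the check a practitioner wants because nothing in ARP authenticates a reply.

```python
import struct
import ipaddress

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# The hosts of the HOWTO's example. bar's MAC is the one quoted in the text;
# foo's is not given there and is an assumption made for this example.
FOO_IP, FOO_MAC = "10.0.0.1", "00:60:94:e9:08:11"
BAR_IP, BAR_MAC = "10.0.0.2", "00:60:94:e9:08:12"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_ip, target_mac=None):
    """Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet).
    A request is broadcast with an all-zero target hardware address; a reply is
    unicast to the requester."""
    if op == ARP_REQUEST:
        eth_dst, tha = BROADCAST_MAC, ZERO_MAC
    else:
        eth_dst = tha = target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype, ptype, hlen, plen, oper
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(tha) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Decode one ARP-over-Ethernet frame; anything else raises ValueError."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("ethertype is not ARP")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    body = frame[22:42]
    return {"op": op,
            "sha": bytes_to_mac(body[0:6]), "spa": str(ipaddress.IPv4Address(body[6:10])),
            "tha": bytes_to_mac(body[10:16]), "tpa": str(ipaddress.IPv4Address(body[16:20]))}


class NeighbourCache:
    """Tiny model of the table `ip neigh show` prints: ip -> lladdr + NUD state."""

    def __init__(self):
        self.entries = {}

    def learn(self, frame):
        """Feed a captured frame. Replies populate the cache; a reply that changes the
        MAC of an address we already knew is returned as an alert string, since a
        forged reply (ARP spoofing) looks exactly like this on the wire."""
        pkt = parse_arp(frame)
        if pkt["op"] != ARP_REPLY:
            return None
        old = self.entries.get(pkt["spa"])
        self.entries[pkt["spa"]] = {"lladdr": pkt["sha"], "nud": "reachable"}
        if old and old["lladdr"] and old["lladdr"] != pkt["sha"]:
            return f"ALERT {pkt['spa']} moved from {old['lladdr']} to {pkt['sha']}"
        return None

    def delete(self, ip):
        # after `ip neigh delete` the HOWTO's listing shows the address as 'nud failed'
        self.entries[ip] = {"lladdr": None, "nud": "failed"}

    def show(self):
        return [f"{ip} lladdr {e['lladdr']} nud {e['nud']}" if e["lladdr"]
                else f"{ip} nud {e['nud']}" for ip, e in self.entries.items()]
```

A real monitor would read frames from a raw socket or pcap instead of building them; the point of the cache model is that a legitimate NIC replacement and a spoofed reply are indistinguishable at this layer, so the alert needs an out-of-band check (switch port, DHCP lease) before anyone acts on it.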

4. Rules - routing policy database

If you have a large router, you may well cater for the needs of different people, who should be served differently. The routing policy database allows you to do this by having multiple sets of routing tables.

If you want to use this feature, make sure that your kernel is compiled with the "IP: advanced router" and "IP: policy routing" features.

When the kernel needs to make a routing decision, it finds out which table needs to be consulted. By default, there are three tables. The old 'route' tool modifies the main and local tables, as does the ip tool (by default).

The default rules:
[ahu@home ahu]$ ip rule list
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default
This lists the priority of all rules. We see that all rules apply to all packets ('from all'). We've seen the 'main' table before, it's output by ip route ls, but the 'local' and 'default' tables are new.

If we want to do fancy things, we generate rules which point to different tables which allow us to override system wide routing rules.

For the exact semantics of what the kernel does when there are more matching rules, see Alexey's ip-cref documentation.

4.1. Simple source policy routing

Let's take a real example again: I have 2 (actually 3, about time I returned them) cable modems, connected to a Linux NAT ('masquerading') router. People living here pay me to use the Internet. Suppose one of my house mates only visits hotmail and wants to pay less. This is fine with me, but they'll end up using the low-end cable modem.

The 'fast' cable modem is known as 212.64.94.251 and is a PPP link to 212.64.94.1. The 'slow' cable modem is known by various IP addresses, 212.64.78.148 in this example, and is a link to 195.96.98.253.

The local table:
[ahu@home ahu]$ ip route list table local
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
local 10.0.0.1 dev eth0  proto kernel  scope host  src 10.0.0.1 
broadcast 10.0.0.0 dev eth0  proto kernel  scope link  src 10.0.0.1 
local 212.64.94.251 dev ppp0  proto kernel  scope host  src 212.64.94.251 
broadcast 10.255.255.255 dev eth0  proto kernel  scope link  src 10.0.0.1 
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
local 212.64.78.148 dev ppp2  proto kernel  scope host  src 212.64.78.148 
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 

Lots of obvious things, but things that need to be specified somewhere. Well, here they are. The default table is empty.

Let's view the 'main' table:
[ahu@home ahu]$ ip route list table main 
195.96.98.253 dev ppp2  proto kernel  scope link  src 212.64.78.148 
212.64.94.1 dev ppp0  proto kernel  scope link  src 212.64.94.251 
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.0.0.1 
127.0.0.0/8 dev lo  scope link 
default via 212.64.94.1 dev ppp0 
We generate a new rule which we call 'John', for our hypothetical house mate. Although we can work with pure numbers, it's far easier if we add our tables to /etc/iproute2/rt_tables.
# echo 200 John >> /etc/iproute2/rt_tables
# ip rule add from 10.0.0.10 table John
# ip rule ls
0:	from all lookup local 
32765:	from 10.0.0.10 lookup John
32766:	from all lookup main 
32767:	from all lookup default
Now all that is left is to generate John's table, and flush the route cache:
# ip route add default via 195.96.98.253 dev ppp2 table John
# ip route flush cache
And we are done. It is left as an exercise for the reader to implement this in ip-up.
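The lookup the kernel performs with the rules and tables above, as an added example that is not part of the HOWTO. It parses the ip rule list and ip route list table output printed in this section and in section 3.4.3 (transcribed into the script as constructed data), walks the rules in priority order and does a longest-prefix match in the table each rule names; the first table that yields a route wins. It therefore covers both the plain route lookup of section 3.4.3 and the John rule just added.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
ROUTE_TYPES = {"unicast", "local", "broadcast", "unreachable", "prohibit", "blackhole"}

# `ip route list table ...` and `ip rule list` output from the HOWTO, transcribed as data.
LOCAL_TABLE = """
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
local 10.0.0.1 dev eth0  proto kernel  scope host  src 10.0.0.1
broadcast 10.0.0.0 dev eth0  proto kernel  scope link  src 10.0.0.1
local 212.64.94.251 dev ppp0  proto kernel  scope host  src 212.64.94.251
broadcast 10.255.255.255 dev eth0  proto kernel  scope link  src 10.0.0.1
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 212.64.78.148 dev ppp2  proto kernel  scope host  src 212.64.78.148
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
"""
MAIN_TABLE = """
195.96.98.253 dev ppp2  proto kernel  scope link  src 212.64.78.148
212.64.94.1 dev ppp0  proto kernel  scope link  src 212.64.94.251
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.0.0.1
127.0.0.0/8 dev lo  scope link
default via 212.64.94.1 dev ppp0
"""
JOHN_TABLE = "default via 195.96.98.253 dev ppp2"
RULES = """
0:      from all lookup local
32765:  from 10.0.0.10 lookup John
32766:  from all lookup main
32767:  from all lookup default
"""


def parse_route(line):
    """One line of `ip route list`: optional route type, prefix, then key/value pairs."""
    toks = line.split()
    rtype = toks.pop(0) if toks[0] in ROUTE_TYPES else "unicast"
    prefix = toks.pop(0)
    route = {"type": rtype,
             "dst": ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix,
                                         strict=False)}
    route.update(zip(toks[0::2], toks[1::2]))      # via, dev, src, proto, scope, ...
    return route


def parse_rule(line):
    """One line of `ip rule list`: priority, selectors, and the table to look up."""
    toks = line.split()
    rule = {"prio": int(toks[0].rstrip(":")), "from": ANY, "to": ANY, "table": None}
    for key, val in zip(toks[1::2], toks[2::2]):
        if key in ("from", "to"):
            rule[key] = ANY if val == "all" else ipaddress.ip_network(val, strict=False)
        elif key == "lookup":
            rule["table"] = val
    return rule


def parse_table(text):
    return [parse_route(l) for l in text.strip().splitlines() if l.strip()]


TABLES = {"local": parse_table(LOCAL_TABLE), "main": parse_table(MAIN_TABLE),
          "John": parse_table(JOHN_TABLE), "default": []}
RULE_LIST = [parse_rule(l) for l in RULES.strip().splitlines()]


def lookup(src, dst, rules=RULE_LIST, tables=TABLES):
    """Return (table_name, route) the way the RPDB resolves a packet from src to dst:
    rules in ascending priority, first table holding a matching route wins, longest
    prefix within that table. (None, None) means 'network unreachable'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r["prio"]):
        if src not in rule["from"] or dst not in rule["to"]:
            continue
        hits = [r for r in tables.get(rule["table"], []) if dst in r["dst"]]
        if hits:
            return rule["table"], max(hits, key=lambda r: r["dst"].prefixlen)
    return None, None


def describe(src, dst):
    table, route = lookup(src, dst)
    if route is None:
        return f"{src} -> {dst}: unreachable"
    hop = f"via {route['via']} " if "via" in route else ""
    return f"{src} -> {dst}: table {table}, {route['type']} {hop}dev {route['dev']}"
```

Two things the run makes visible. The local table is consulted before John's rule, so traffic to the router's own addresses never goes to ppp2. And John's table holds only a default route, so a packet from 10.0.0.10 to any other 10/8 address that the router has to forward also leaves via ppp2, because the main table is never reached; copy the connected routes into the per-source table, or add a higher-priority rule such as to 10.0.0.0/8 lookup main, if that is not what you want. ip route flush cache matters on the 2.2/2.4 kernels this HOWTO targets; the IPv4 route cache was removed in Linux 3.6, where the command is accepted but does nothing.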

4.2. Routing for multiple uplinks/providers

A common configuration is the following, in which there are two providers that connect a local network (or even a single machine) to the big Internet.
                                                                 ________
                                          +------------+        /
                                          |            |       |
                            +-------------+ Provider 1 +-------
        __                  |             |            |     /
    ___/  \_         +------+-------+     +------------+    |
  _/        \__      |     if1      |                      /
 /             \     |              |                      |
|    Local      -----+ Linux router |                      |     Internet
 \_  network  __/    |              |                      |
   \__     __/       |     if2      |                      \
      \___/          +------+-------+     +------------+    |
                            |             |            |     \
                            +-------------+ Provider 2 +-------
                                          |            |       |
                                          +------------+        \________
There are usually two questions given this setup.

4.2.1. Split access

The first is how to route answers to packets coming in over a particular provider, say Provider 1, back out again over that same provider.

Let us first set some symbolic names. Let $IF1 be the name of the first interface (if1 in the picture above) and $IF2 the name of the second interface. Then let $IP1 be the IP address associated with $IF1 and $IP2 the IP address associated with $IF2. Next, let $P1 be the IP address of the gateway at Provider 1, and $P2 the IP address of the gateway at Provider 2. Finally, let $P1_NET be the IP network $P1 is in, and $P2_NET the IP network $P2 is in.

One creates two additional routing tables, say T1 and T2. These are added in /etc/iproute2/rt_tables. Then you set up routing in these tables as follows:

	  ip route add $P1_NET dev $IF1 src $IP1 table T1
	  ip route add default via $P1 table T1
	  ip route add $P2_NET dev $IF2 src $IP2 table T2
	  ip route add default via $P2 table T2

Nothing spectacular, just build a route to the gateway and build a default route via that gateway, as you would do in the case of a single upstream provider, but put the routes in a separate table per provider. Note that the network route suffices, as it tells you how to find any host in that network, which includes the gateway, as specified above.

Next you set up the main routing table. It is a good idea to route things to the direct neighbour through the interface connected to that neighbour. Note the `src' arguments, they make sure the right outgoing IP address is chosen.

	  ip route add $P1_NET dev $IF1 src $IP1
	  ip route add $P2_NET dev $IF2 src $IP2

Then, your preference for the default route:

	  ip route add default via $P1

Next, the routing rules. These actually choose what routing table to route with. You want to make sure that you route out a given interface if you already have the corresponding source address:

	  ip rule add from $IP1 table T1
	  ip rule add from $IP2 table T2

This set of commands makes sure all answers to traffic coming in on a particular interface get answered by that interface.

Now this is just the very basic setup. It will work for all processes running on the router itself, and for the local network if it is masqueraded. If it is not, then you either have IP space from both providers or you want to masquerade to one of the two providers. In both cases you will want to add rules selecting which provider to route out from, based on the IP address of the machine in the local network.

4.2.2. Load balancing

The second question is how to balance traffic going out over the two providers. This is actually not hard if you have already set up split access as above.

Instead of choosing one of the two providers as your default route, you now set up the default route to be a multipath route. In the default kernel this will balance routes over the two providers. You do it as follows (once more building on the example in the section on split access):

	  ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
	    nexthop via $P2 dev $IF2 weight 1

ÀÌ·¸°Ô ÇÏ¸é ¾çÂÊ ¼­ºñ½º Á¦°øÀÚ¸¦ ÅëÇØ ºÎÇÏ ºÐ»ê °æ·Î ¹èÁ¤À» ÇÕ´Ï´Ù. weight Àμö¸¦ »ç¿ëÇÏ¸é ¼±È£ÇÏ´Â ¼­ºñ½º Á¦°øÀÚ¸¦ Á¶À² ÇÒ ¼ö ÀÖ½À´Ï´Ù.

ºÎÇÏ ºÐ»êÀº °æ·Î¸¦ ±â¹ÝÀ¸·Î ÇÏ°íÀÖ°í, ÀÌ °æ·ÎµéÀº ij½ÃµÇ±â ¶§¹®¿¡ ºÎÇÏ ºÐ»êÀº ºÒ¿ÏÀü ÇÏ´Ù´Â °Í¿¡ ÁÖÀÇ ÇϽÿÀ. ÀÌ°ÍÀº ÀÚÁÖ ¹æ¹®ÇÏ´Â »çÀÌÆ®´Â Ç×»ó °°Àº ¼­ºñ½º Á¦°øÀÚ¸¦ ÅëÇؼ­¸¸ ¿¬°á µÉ ¼öµµ ÀÖ½À´Ï´Ù.

³ª¾Æ°¡ ÀÌ·± ¹®Á¦Á¡À» ÇØ°áÇÏ°í ½Í´Ù¸é Julian Anastasov ÀÇ ÆÐÄ¡¸¦ [http]http://www.linuxvirtualserver.org/~julian/#routes ¿¡¼­ ã¾Æº¸½Ã¿À. ÀÌ ÆÐÄ¡¸¦ Àû¿ëÇϸé Á» ´õ Àß ÀÛµ¿ÇÕ´Ï´Ù.
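The split-access and load-balancing steps above as one script. This is an added example, not part of the HOWTO: it takes the $IF/$IP/$P/$P_NET values as a list of uplinks (the addresses below are RFC 5737 documentation ranges standing in for real provider data), checks that each gateway and interface address lie inside the provider network before emitting anything, and emits the per-table routes in the order the kernel requires (the network route must exist in a table before a default route via that gateway can be added to it). Numeric table ids are used so that no rt_tables editing is needed; with balance=True it emits the weighted multipath default route instead of a single default.

```python
import ipaddress
import subprocess

RESERVED_TABLES = {0, 253, 254, 255}   # unspec, default, main, local

# Placeholder values for $IF1/$IP1/$P1/$P1_NET and $IF2/$IP2/$P2/$P2_NET.
# RFC 5737 documentation ranges; substitute your own provider data.
UPLINKS = [
    {"table": 1, "iface": "eth1", "ip": "198.51.100.10", "gw": "198.51.100.1",
     "net": "198.51.100.0/24", "weight": 1},
    {"table": 2, "iface": "eth2", "ip": "203.0.113.20", "gw": "203.0.113.1",
     "net": "203.0.113.0/24", "weight": 2},
]


def validate(uplink):
    """Catch the mistakes `ip` reports only cryptically (or not at all)."""
    net = ipaddress.ip_network(uplink["net"], strict=True)
    ip, gw = ipaddress.ip_address(uplink["ip"]), ipaddress.ip_address(uplink["gw"])
    if ip not in net or gw not in net:
        raise ValueError(f"{uplink['iface']}: {ip} and gateway {gw} must both lie in {net}")
    if uplink["table"] in RESERVED_TABLES or not 0 < uplink["table"] < 2 ** 32:
        raise ValueError(f"table {uplink['table']} is reserved or out of range")
    return net, ip, gw


def uplink_commands(uplinks, balance=False, prefer=0):
    """The split-access commands of section 4.2.1, one per-provider table each, followed
    by either a single preferred default route or the weighted multipath default of 4.2.2."""
    cmds = []
    for u in uplinks:
        net, ip, gw = validate(u)
        t = u["table"]
        cmds += [
            # the network route must be in the table before a default via that gateway
            f"ip route add {net} dev {u['iface']} src {ip} table {t}",
            f"ip route add default via {gw} table {t}",
            # main table: reach the directly connected provider network with the right source
            f"ip route add {net} dev {u['iface']} src {ip}",
            # answer on the interface whose address the packet carries
            f"ip rule add from {ip} table {t}",
        ]
    if balance:
        hops = " ".join(f"nexthop via {u['gw']} dev {u['iface']} weight {u.get('weight', 1)}"
                        for u in uplinks)
        cmds.append(f"ip route add default scope global {hops}")
    else:
        cmds.append(f"ip route add default via {uplinks[prefer]['gw']}")
    cmds.append("ip route flush cache")
    return cmds


def apply(cmds, dry_run=True):
    """Print the commands, and run them one by one unless dry_run (needs root)."""
    for cmd in cmds:
        print(cmd)
        if not dry_run:
            subprocess.run(cmd.split(), check=True)
    return cmds
```

Run with dry_run=True to review, then dry_run=False as root. Two checks before relying on it: the main-table network routes may already exist (the kernel adds them with proto kernel when the address was configured with a prefix length), in which case ip route add answers "File exists" and that line can be skipped; and with two uplinks look at net.ipv4.conf.*.rp_filter (section 13.1), since strict mode (1) discards packets whose source is not best reached through the interface they arrived on, while loose mode (2) only requires that the source be reachable at all.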

5. GRE and other tunnels

There are 3 kinds of tunnels in Linux: IP in IP tunneling, GRE tunneling, and tunnels that live outside the kernel (like, for example, PPTP).

5.1. A few general remarks about tunnels

Tunnels can be used to do some very unusual and very cool stuff. They can also make things go horribly wrong when you don't configure them right. Don't point your default route to a tunnel device unless you know EXACTLY what you are doing :-) Furthermore, tunneling increases overhead, because it needs an extra set of IP headers. Typically this is 20 bytes per packet, so if the normal packet size (MTU) on a network is 1500 bytes, a packet that is sent through a tunnel can only be 1480 bytes big. This is not necessarily a problem, but be sure to read up on IP packet fragmentation/reassembly when you plan to connect large networks with tunnels. Oh, and of course, the fastest way to dig a tunnel is to dig at both sides.

5.2. IP in IP tunneling

This kind of tunneling has been available in Linux for a long time. It requires two kernel modules, ipip.o and new_tunnel.o.

Let's say you have three networks: internal networks A and B, and an intermediate network C (or, let's say, the Internet). Network A is:
network 10.0.1.0
netmask 255.255.255.0
router  10.0.1.1
The router has address 172.16.17.18 on network C.

Network B is:
network 10.0.2.0
netmask 255.255.255.0
router  10.0.2.1
The router has address 172.19.20.21 on network C.

As far as network C is concerned, we assume that it will pass any packet sent from A to B and vice versa. You might even use the Internet for that.

Here's what you do:

First, make sure the modules are installed:
insmod ipip.o
insmod new_tunnel.o
³×Æ®¿÷ AÀÇ ¶ó¿ìÅÍ¿¡¼­ ¾Æ·¡ ó·³ÇÕ´Ï´Ù:
ifconfig tunl0 10.0.1.1 pointopoint 172.19.20.21
route add -net 10.0.2.0 netmask 255.255.255.0 dev tunl0
And on the router of network B:
ifconfig tunl0 10.0.2.1 pointopoint 172.16.17.18
route add -net 10.0.1.0 netmask 255.255.255.0 dev tunl0
When you are done with the tunnel:
ifconfig tunl0 down
Presto, you're done. You cannot send IPv6 or broadcast traffic through an IP-in-IP tunnel; you have connected two IPv4 networks that otherwise could not talk to each other, and that is all. As far as compatibility goes, these commands have been around for a long time, all the way back to the 1.3 kernels. As far as I know, Linux IP-in-IP tunnelling does not interoperate with other operating systems or routers. It is simple and it works; use it if you have to, otherwise use GRE.

5.3. GRE tunnelling

GRE is a tunnelling protocol originally developed by Cisco, and it can do a few things that IP-in-IP tunnelling cannot: for example, a GRE tunnel can carry multicast and IPv6 traffic.

In Linux you need the ip_gre.o module.

5.3.1. IPv4 tunnelling

Let's do IPv4 tunnelling first.

Again assume three networks: internal networks A and B, and network C (or the Internet) in between.

Network A is:
network 10.0.1.0
netmask 255.255.255.0
router  10.0.1.1
The router has address 172.16.17.18 on network C. Let's call this network neta (not very original, I know).

And network B is:
network 10.0.2.0
netmask 255.255.255.0
router  10.0.2.1
The router has address 172.19.20.21 on network C. Let's call this network netb (still not original).

As for network C, we assume it passes every packet between A and B; how and why it does so is none of our concern.

On the router of network A, do the following:
ip tunnel add netb mode gre remote 172.19.20.21 local 172.16.17.18 ttl 255
ip link set netb up
ip addr add 10.0.1.1 dev netb
ip route add 10.0.2.0/24 dev netb
Let's go through this. In the first line we add a tunnel device and call it netb (obvious enough, since that is where we want the packets to go). We also say that it uses the GRE protocol (mode gre), that the remote address is 172.19.20.21 (the router at the other end), that our tunnelled packets should originate from 172.16.17.18 (which lets a router that has several addresses on network C choose which one to use for tunnelling) and that the TTL of the packets should be 255 (ttl 255).

The second line activates the device.

In the third line we give the new netb device the address 10.0.1.1. That is fine for smaller networks, but once you start a mining expedition (lots of tunnels) you may want a separate IP range for your tunnel devices (in this example you could use 10.0.3.0).

In the fourth line we set the route to network B. Note the different notation for the netmask. If you are not familiar with it: write the netmask out in binary and count the ones. If you do not know how to do that, just remember that 255.0.0.0 is /8, 255.255.0.0 is /16 and 255.255.255.0 is /24. Oh, and 255.255.254.0 is /23, in case you were wondering.
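As an added example (not part of the HOWTO), here is the counting rule from the previous paragraph as Python: it converts a dotted netmask to a prefix length and back, and refuses masks whose ones are not contiguous, which is exactly the kind of typo a netmask such as 255.155.255.0 would be. The function names are this example's own.

```python
# Added example, not part of the HOWTO: the "write it in binary and count
# the ones" rule as code, plus the check that the ones are contiguous,
# which catches typos such as 255.155.255.0.

ALL_ONES = 0xFFFFFFFF

def netmask_to_prefix(mask):
    """Prefix length of a dotted-quad netmask, e.g. '255.255.254.0' -> 23.

    Raises ValueError for anything that is not four octets in 0..255 or whose
    bits are not a run of ones followed by a run of zeroes."""
    octets = mask.split(".")
    if len(octets) != 4:
        raise ValueError(f"{mask!r}: need four octets")
    value = 0
    for o in octets:
        if not o.isdigit() or int(o) > 255:
            raise ValueError(f"{mask!r}: octet {o!r} out of range")
        value = (value << 8) | int(o)
    ones = bin(value).count("1")
    # The only valid mask with that many ones is the one with them all on top.
    if value != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"{mask!r}: ones are not contiguous")
    return ones

def prefix_to_netmask(prefix):
    """Dotted-quad netmask for a prefix length, e.g. 24 -> '255.255.255.0'."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    value = (ALL_ONES << (32 - prefix)) & ALL_ONES
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def cidr(network, mask):
    """'10.0.2.0' + '255.255.255.0' -> '10.0.2.0/24', the form ip(8) wants."""
    return f"{network}/{netmask_to_prefix(mask)}"

if __name__ == "__main__":
    for m in ("255.0.0.0", "255.255.0.0", "255.255.255.0", "255.255.254.0"):
        print(f"{m:16} /{netmask_to_prefix(m)}")
    print(cidr("10.0.2.0", "255.255.255.0"))
```

Running it prints /8, /16, /24 and /23 for the four masks named in the text; feeding it 255.155.255.0 raises ValueError instead of silently producing /21.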

That's enough about this; on to the router of network B.
ip tunnel add neta mode gre remote 172.16.17.18 local 172.19.20.21 ttl 255
ip link set neta up
ip addr add 10.0.2.1 dev neta
ip route add 10.0.1.0/24 dev neta
And when you want to remove the tunnel on router A:
ip link set netb down
ip tunnel del netb
On router B, of course, replace netb with neta.

5.3.2. IPv6 tunnelling

See chapter 6 for a short introduction to IPv6 addresses.

On with the tunnels.

Assume you have the following IPv6 network and want to connect it to the 6bone, or to a friend:
Network 3ffe:406:5:1:5:a:2:1/96
Your IPv4 address is 172.16.17.18 and the 6bone router's IPv4 address is 172.22.23.24.
ip tunnel add sixbone mode sit remote 172.22.23.24 local 172.16.17.18 ttl 255
ip link set sixbone up
ip addr add 3ffe:406:5:1:5:a:2:1/96 dev sixbone
ip route add 3ffe::/15 dev sixbone
Let's go through this. In the first line we create a tunnel device called sixbone, give it mode sit (IPv6 in IPv4 tunnelling) and tell it where to come from (local) and where to go to (remote). The TTL is set to its maximum, 255. Next we activate the device (up). Then we add our own network address and set a route for 3ffe::/15 (currently all of the 6bone) through the tunnel.

GRE tunnels are currently the preferred kind of tunnel. GRE is a standard that is widely used outside the Linux world as well, which is a Good Thing.

5.4. Userland tunnels

There are literally dozens of tunnel implementations outside the kernel. The best known are PPP and PPTP, but there are many more (some proprietary, some secure, some that do not even use IP), and they are beyond the scope of this HOWTO.

6. IPv6 tunnelling with Cisco and/or the 6bone

Marco Davids <marco@sara.nl>

Note to the maintainer: as far as I am concerned, this IPv6-over-IPv4 tunnelling is not GRE tunnelling by definition. You could tunnel IPv6 over IPv4 with GRE tunnel devices (GRE can carry anything over IPv4), but the device used here ("sit") only carries IPv6 over IPv4, so it is something different.

6.1. IPv6 tunnelling

This is another application of the tunnelling capabilities of Linux. It is popular among IPv6 early adopters, or pioneers if you like. The hands-on example below is certainly not the only way to do IPv6 tunnelling, but it is the method often used between Linux and a Cisco IPv6-capable router, and experience tells us that is exactly what many people are after. Ten to one it applies to you too. ;-)

A short note on IPv6 addresses:

IPv6 addresses are really big compared to IPv4 addresses: 128 bits against 32. That gives us exactly what we need, many, many addresses: 340,282,366,920,938,463,463,374,607,431,768,211,456 of them (2^128) to be precise. Beyond that, IPv6 (or IPng, IP Next Generation) is expected to allow smaller routing tables in the Internet's backbone routers, simpler configuration of equipment, better security at the IP level and better support for quality of service.

An example: 2002:836b:9820:0000:0000:0000:836b:9886

Writing IPv6 addresses out in full is a burden, so there are a few rules to make life easier:

  • Leave out leading zeroes within a group, just as in IPv4.

  • Use colons to separate the address into groups of 16 bits (two bytes).

  • A long run of consecutive zero groups may be written as ::. This may be done only once in an address, and only for whole 16-bit groups.

So the address 2002:836b:9820:0000:0000:0000:836b:9886 can be written as 2002:836b:9820::836b:9886, which is somewhat friendlier.

Another example: the address 3ffe:0000:0000:0000:0000:0020:34A1:F32C can be written as 3ffe::20:34A1:F32C, which is a lot shorter.
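As an added example, not part of the original text, the following Python applies the three rules above to any full or partly shortened IPv6 address. Where the rules leave a choice it follows RFC 5952: compress the longest run of zero groups (the leftmost on a tie), never use :: for a single group, and print hex digits in lowercase, so the second example above comes out as 3ffe::20:34a1:f32c. The function names are this example's own.

```python
# Added example, not part of the HOWTO: expand an IPv6 address to its eight
# 16-bit groups and shorten it again by the rules in the text, resolving the
# open choices as RFC 5952 does.

def expand_ipv6(addr):
    """Return the eight groups of addr as zero-padded lowercase hex strings."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"{addr!r}: expected 8 groups, got {len(groups)}")
    out = []
    for g in groups:
        if not 1 <= len(g) <= 4:
            raise ValueError(f"{addr!r}: bad group {g!r}")
        out.append(f"{int(g, 16):04x}")      # int() rejects non-hex digits
    return out

def compress_ipv6(addr):
    """Return the canonical shortened form of addr."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr)]   # rule 1
    # Rule 3: find the longest run of zero groups; leftmost wins a tie.
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                  # RFC 5952: a single zero group stays "0"
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"

if __name__ == "__main__":
    for a in ("2002:836b:9820:0000:0000:0000:836b:9886",
              "3ffe:0000:0000:0000:0000:0020:34A1:F32C", "::1", "3ffe:604:6:8::"):
        print(f"{a:42} -> {compress_ipv6(a)}")
```

The expansion step also accepts already-shortened input, so compress_ipv6 doubles as a normaliser when you compare addresses from different sources (routing tables, logs, certificates) that may have shortened them differently.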

IPv6´Â IPv4ÀÇ ÈÄ°èÀÚ°¡ µÇ·Á°í ÇÕ´Ï´Ù. ¿Ö³ÄÇÏ¸é ºñ±³Àû ½Å±â¼úÀÌ°í ¾ÆÁ÷ ¼¼°èÀûÀ¸·Î º»·¡ÀÇ IPv6 ³×Æ®¿÷ÀÌ ¾ø±â¶§¹®ÀÔ´Ï´Ù. ÀüȯÀ» ºü¸£°Ô ÇÏ·Á°í 6boneÀÌ ¼Ò°³µÇ¾ú½À´Ï´Ù.

IPv6 ³×Æ®¿÷ÀÎ ÀÌ¹Ì ÀÖ´Â IPv4 ÀÎÇÁ¶ó¸¦ ÅëÇØ IPv6 ÇÁ·ÎÅäÄÝÀ» IPv4 ÆÐŶ¿¡ ½Î¼­ º¸³»´Â ½ÄÀ¸·Î ¿¬°áÇÕ´Ï´Ù.

±×°ÍÀÌ Á¤È®ÇÏ°Ô Åͳο¡ ¹ßÀ» µé¿© ³õ´Â °ÍÀÔ´Ï´Ù.

IPv6¸¦ »ç¿ëÇϱâ À§Çؼ± Ä¿³ÎÀÌ Áö¿øÇϵµ·Ï ÇØ¾ß ÇÕ´Ï´Ù. ±×°ÍÀ» ÇϱâÀ§ÇÑ ¸¸Àº ¹®¼­µéÀÌ ÀÖ½À´Ï´Ù. ±×·¯³ª ±×°ÍÀº ¸ðµÎ ¸î´Ü°è·Î ÁÙÀϼö ÀÖ½À´Ï´Ù:

  • Get a recent Linux distribution with a suitable glibc.

  • Get an up-to-date kernel source.

Once you have both, you can compile an IPv6-capable kernel:

  • Go to /usr/src/linux and type:

  • make menuconfig

  • Choose "Networking Options"

  • Select "The IPv6 protocol", "IPv6: enable EUI-64 token format" and "IPv6: disable provider based addresses"

Hint: don't choose the 'module' option; it often does not work well.

In other words, compile IPv6 into the kernel. Save the configuration as usual and build the kernel.

Hint: before you do, consider editing the Makefile: EXTRAVERSION = -x  -->  EXTRAVERSION = -x-IPv6

There is plenty of good documentation on compiling and installing kernels, and this document is about something else. If you run into trouble at this stage, look for documentation on compiling a Linux kernel to your own specifications.

/usr/src/linux/README is a good place to start. After all that, boot your brand-new kernel and run '/sbin/ifconfig -a'; you will notice a new 'sit0' device. SIT stands for Simple Internet Transition. You may give yourself a compliment: you are one major step closer to IP, the Next Generation. ;-)

Now the next step. You may want to connect your host, or even your whole LAN, to another IPv6-capable network. That might be the 6bone, which was set up for exactly this purpose.

Assume you have the IPv6 network 3ffe:604:6:8::/64 and want to connect to the 6bone, or to a friend. Note that the /64 prefix notation works just like it does for regular IP addresses.

Your IPv4 address is 145.100.24.181 and the 6bone router's IPv4 address is 145.100.1.5.

# ip tunnel add sixbone mode sit remote 145.100.1.5 [local 145.100.24.181 ttl 255]
# ip link set sixbone up
# ip addr add 3FFE:604:6:7::2/126 dev sixbone
# ip route add 3ffe::0/16 dev sixbone

Let's go through this. In the first line we create a tunnel device called sixbone, give it mode sit (IPv6 in IPv4 tunnelling) and tell it where to come from (local) and where to go to (remote). The bracketed local/ttl part is optional; set local explicitly if the host has more than one IPv4 address. The TTL is set to its maximum, 255.

Next we activate the device. Then we add our own address on the tunnel and route 3ffe::/16 (currently all of the 6bone) through it. If the machine you run this on is your IPv6 gateway, consider adding the following:

# echo 1 >/proc/sys/net/ipv6/conf/all/forwarding
# /usr/local/sbin/radvd

The latter, radvd, is a router advertisement daemon (like zebra) that supports IPv6 autoconfiguration. Search for it with your favourite search engine if you are interested. You can check the result like this:

# /sbin/ip -f inet6 addr

If radvd is running on your IPv6 gateway and you boot an IPv6-capable Linux machine on your LAN, you can enjoy IPv6 autoconfiguration:

# /sbin/ip -f inet6 addr
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    inet6 ::1/128 scope host

3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet6 3ffe:604:6:8:5054:4cff:fe01:e3d6/64 scope global dynamic
       valid_lft forever preferred_lft 604646sec
    inet6 fe80::5054:4cff:fe01:e3d6/10 scope link

You can configure bind for IPv6 addresses too. The IPv6 equivalent of the A record is AAAA, and the equivalent of in-addr.arpa was ip6.int (since replaced by ip6.arpa). There is a lot of information available on this topic.

A growing number of applications are IPv6-aware, among them secure shell, telnet, inetd, Mozilla, Apache and many others. But that is outside the scope of a routing document. ;-)

On the Cisco side the configuration looks like this:
!
interface Tunnel1
description IPv6 tunnel
no ip address
no ip directed-broadcast
ipv6 enable
ipv6 address 3FFE:604:6:7::1/126
tunnel source Serial0
tunnel destination 145.100.24.181
tunnel mode ipv6ip
!
ipv6 route 3FFE:604:6:8::/64 Tunnel1
If you do not have a Cisco at your disposal, try one of the many IPv6 tunnel brokers on the Internet. They will configure an extra tunnel for you on their Cisco, mostly through a friendly web interface. Search for "ipv6 tunnel broker" with your favourite search engine.

7. IPSEC: secure IP over the Internet

There are two kinds of IPSEC available for Linux these days. For 2.2 and 2.4 there is FreeS/WAN, which was the first serious implementation. It has an official site and an unofficial site that is actually maintained. FreeS/WAN has traditionally not been merged into the mainline kernel, for a number of reasons. The most often mentioned are 'political' problems with Americans working on crypto tainting its exportability. (Translator's note: US export regulations on cryptographic products restricted or prohibited the export of products containing cryptography above a certain strength.) Furthermore, it does not integrate very well with the Linux kernel, which makes it a poor candidate for an actual merge. (Translator's note: Openswan and strongSwan are the projects that continued from FreeS/WAN.)

In addition, many parties have voiced concern about the quality of the code. A lot of documentation exists for setting up FreeS/WAN. (Translator's note: the links referenced here were dead at the time of translation.)

As of Linux 2.5.47 there is a native IPSEC implementation in the kernel, written by Alexey Kuznetsov and Dave Miller and inspired by the work of the USAGI IPv6 group. With its merge, James Morris' CryptoAPI also became part of the kernel; it does the actual cryptography.

This HOWTO documents only the 2.5+ version of IPSEC. FreeS/WAN is still recommended for Linux 2.4 users for now, but be aware that its configuration differs from that of the native IPSEC. In related news, there are now patches that let the FreeS/WAN userspace code work with the native Linux IPSEC.

As of 2.5.49, IPSEC works without further patches.

Note: userspace tools appear to be available online. Several programs exist; the one referred to here is based on Racoon.

When compiling your kernel, be sure to turn on 'PF_KEY', 'AH', 'ESP' and everything in the CryptoAPI!

Warning: the author of this chapter is a complete IPSEC nitwit! If you find the inevitable mistakes, please mail bert hubert <ahu@ds9a.nl>.

First we will show how to set up secure communication between two hosts by hand. A large part of this can be automated, but doing it manually acquaints us with what goes on 'under the hood'.

Feel free to skip the following section if you are only interested in automatic keying, but be aware that some understanding of manual keying is useful.

7.1. Introduction with manual keying

IPSEC is a complicated subject. A lot of information is available online; this HOWTO concentrates on getting you up and running and explaining the basic principles. All examples are based on Racoon, found at the link mentioned above.

Note: many iptables configurations drop IPSEC packets! To let IPSEC through, allow IP protocol 50 (ESP) and 51 (AH): 'iptables -A xxx -p 50 -j ACCEPT' and 'iptables -A xxx -p 51 -j ACCEPT'.

IPSEC offers a secure version of the Internet Protocol. Security in this context means two different things: encryption and authentication. A naive view of security offers only encryption, but it is easily shown that this is insufficient: you may be communicating encrypted, but you have no guarantee that the remote party is who you expect it to be.

IPSEC supports the 'Encapsulated Security Payload' (ESP) for encryption and the 'Authentication Header' (AH) for authenticating the remote party. You can configure both, or only one of them.

Both ESP and AH rely on security associations. A security association (SA) consists of a source, a destination and an instruction. A simple authentication SA looks like this:
add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";

This says: 'traffic from 10.0.0.11 to 10.0.0.216 that needs an AH can be signed using HMAC-MD5 with secret 1234567890123456'. The instruction is labelled with SPI ('Security Parameter Index') '15700', more about that shortly. The interesting thing about SAs is that they are symmetrical: both sides of a conversation share exactly the same SA; it is not mirrored on the other side. Note, however, that there is no 'auto-reverse' rule: this SA only describes a possible authentication from 10.0.0.11 to 10.0.0.216. Two-way traffic needs two SAs.

A sample ESP SA:
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";

This says: 'traffic from 10.0.0.11 to 10.0.0.216 that needs encryption can be encrypted with 3des-cbc using key 123456789012123456789012'. The SPI is '15701'. (3des-cbc needs a 24-byte key; setkey rejects anything shorter.)

So far we have seen that SAs describe possible instructions, but they do not describe policy, that is, when they are to be used. In fact there could be any number of nearly identical SAs differing only in their SPI. Incidentally, SPI stands for Security Parameter Index. To do actual cryptography we need to describe a policy, which can include things like 'use ipsec if available' or 'drop traffic unless ipsec is available'.

A typical simple Security Policy (SP) looks like this:
spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
   esp/transport//require
   ah/transport//require;

Entered on host 10.0.0.216, this means that all traffic going out to 10.0.0.11 must be encrypted and wrapped in an AH authentication header. Note that it does not say which SA is to be used; that is left for the kernel to determine.

In other words, a Security Policy specifies WHAT we want; a Security Association describes HOW we want it.

Outgoing packets are labelled with the SPI of the SA ('the how') that the kernel used for encryption and authentication, so the remote end can look up the corresponding verification and decryption instruction.

What follows is a very simple configuration for talking from host 10.0.0.216 to 10.0.0.11 with encryption and authentication. Note that in this first version the reverse path is plaintext, and that this configuration should not be deployed as it stands.

On host 10.0.0.216:
#!/sbin/setkey -f
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";

spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
   esp/transport//require
   ah/transport//require;

On host 10.0.0.11, the same Security Associations, but no Security Policy:
#!/sbin/setkey -f
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";

With this configuration in place (the files can be executed directly if 'setkey' is installed in /sbin), 'ping 10.0.0.11' from 10.0.0.216 looks like this in tcpdump:
22:37:52 10.0.0.216 > 10.0.0.11: AH(spi=0x00005fb4,seq=0xa): ESP(spi=0x00005fb5,seq=0xa) (DF)
22:37:52 10.0.0.11 > 10.0.0.216: icmp: echo reply

Note that the ping reply from 10.0.0.11 is indeed plainly visible. The outgoing ping cannot be read by tcpdump, of course, but tcpdump does show the Security Parameter Indexes of its AH and ESP, which tell 10.0.0.11 how to verify the authenticity of our packet and how to decrypt it.

A few things need to be said, however. The configuration above appears in many IPSEC examples, and it is very dangerous. It contains a policy for how 10.0.0.216 should treat packets going to 10.0.0.11, and it tells 10.0.0.11 how to handle those packets, but it does NOT instruct 10.0.0.11 to discard traffic that is not authenticated or encrypted!

Right now anybody can inject spoofed, completely unencrypted data and 10.0.0.11 will accept it. To fix this, 10.0.0.11 needs an inbound Security Policy, as follows:
#!/sbin/setkey -f
spdadd 10.0.0.216 10.0.0.11 any -P in ipsec
   esp/transport//require
   ah/transport//require;

This policy tells 10.0.0.11 that every packet arriving from 10.0.0.216 must carry valid ESP and AH.
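As an added example (not from the HOWTO), here is the check that would have caught the plaintext reply above, written in Python over tcpdump output: it reports every packet between the two protected hosts that does not start with an AH or ESP header. The sample lines are constructed for this example in the format tcpdump printed above, with a telnet SYN and an unrelated host added; newer tcpdump versions prefix each line with 'IP ', which the pattern allows for.

```python
import re

# Added example, not from the HOWTO: flag packets between two hosts that
# should be talking IPSEC but are not carried in AH or ESP.

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?:IP\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"      # optional port suffix
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s*(?P<rest>.*)$")

def find_plaintext(lines, protected):
    """Return (time, src, dst, rest) for each packet exchanged between the
    hosts in `protected` that lacks an AH/ESP header. Lines that do not
    parse, or that involve other hosts, are ignored."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst, rest = m["src"], m["dst"], m["rest"]
        if src in protected and dst in protected and src != dst:
            if not (rest.startswith("AH(") or rest.startswith("ESP(")):
                leaks.append((m["time"], src, dst, rest))
    return leaks

# Constructed sample: the first configuration of this section, where only
# 10.0.0.216 -> 10.0.0.11 is protected, plus a packet from an unrelated host.
SAMPLE = """\
22:37:52 10.0.0.216 > 10.0.0.11: AH(spi=0x00005fb4,seq=0xa): ESP(spi=0x00005fb5,seq=0xa) (DF)
22:37:52 10.0.0.11 > 10.0.0.216: icmp: echo reply
22:37:53 10.0.0.216 > 10.0.0.11: AH(spi=0x00005fb4,seq=0xb): ESP(spi=0x00005fb5,seq=0xb) (DF)
22:37:53 10.0.0.11 > 10.0.0.216: icmp: echo reply
22:37:54 10.0.0.11.1025 > 10.0.0.216.23: S 1234567:1234567(0) win 5840 (DF)
22:37:55 10.0.0.99 > 10.0.0.11: icmp: echo request
""".splitlines()

if __name__ == "__main__":
    for time, src, dst, rest in find_plaintext(SAMPLE, {"10.0.0.216", "10.0.0.11"}):
        print(f"{time} PLAINTEXT {src} -> {dst}: {rest}")
```

Run against a capture taken after the inbound policy and the reverse SAs are in place, the function should return nothing; any line it still reports is traffic that the policy does not cover.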

Now, to complete this configuration, the return traffic must of course be encrypted and authenticated as well. The full configuration on 10.0.0.216:
#!/sbin/setkey -f
flush;
spdflush;

# AH
add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";

# ESP
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";

spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
           esp/transport//require
           ah/transport//require;

spdadd 10.0.0.11 10.0.0.216 any -P in ipsec
           esp/transport//require
           ah/transport//require;

And on 10.0.0.11:
#!/sbin/setkey -f
flush;
spdflush;

# AH
add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";

# ESP
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "123456789012123456789012";


spdadd 10.0.0.11 10.0.0.216 any -P out ipsec
           esp/transport//require
           ah/transport//require;

spdadd 10.0.0.216 10.0.0.11 any -P in ipsec
           esp/transport//require
           ah/transport//require;

Note that in this example we used identical keys for both directions. That is not required in any way.

To inspect the configuration we just created, run setkey -D to see the Security Associations, or setkey -DP to see the configured policies.
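Added example, not part of the HOWTO: a small auditor for setkey scripts that catches the two mistakes this section discusses, a manual key of the wrong length and one-sided policy. It checks that hmac-md5 and 3des-cbc keys have the lengths setkey requires (16 and 24 bytes), that every 'out' policy has an 'in' policy for the reply direction and vice versa, and that a script with SAs but no policy at all is flagged. The embedded sample scripts are this section's, with the ESP key shortened to 22 bytes in the deliberately broken one; the parser only understands the 'add' and 'spdadd' forms used here, and the function names are this example's own.

```python
import shlex

# Added example, not part of the HOWTO: audit setkey(8) scripts for the two
# mistakes discussed in this section. Only the 'add' and 'spdadd' forms used
# here are understood; keys may be quoted ASCII or 0x-prefixed hex.

KEY_BYTES = {"hmac-md5": {16}, "hmac-sha1": {20}, "3des-cbc": {24},
             "aes-cbc": {16, 24, 32}}

def key_length(token):
    """Byte length of a setkey key token (quotes already removed)."""
    return (len(token) - 2) // 2 if token.startswith("0x") else len(token)

def statements(script):
    """Yield each ';'-terminated statement as a token list, minus comments."""
    body = "\n".join(line.split("#", 1)[0] for line in script.splitlines())
    for stmt in body.split(";"):
        tokens = shlex.split(stmt)          # also strips the quotes around keys
        if tokens:
            yield tokens

def audit_setkey(script):
    """Return a list of human-readable findings; an empty list means clean."""
    findings, sas, policies = [], set(), set()
    for t in statements(script):
        if t[0] == "add" and len(t) >= 6:
            src, dst, proto = t[1], t[2], t[3]
            sas.add((src, dst, proto))
            for flag in ("-A", "-E"):
                if flag in t:
                    i = t.index(flag)
                    alg, key = t[i + 1], t[i + 2]
                    allowed = KEY_BYTES.get(alg)
                    if allowed and key_length(key) not in allowed:
                        findings.append(f"{src}->{dst} {proto}: {alg} key is "
                                        f"{key_length(key)} bytes, expected "
                                        f"{sorted(allowed)}")
        elif t[0] == "spdadd" and "-P" in t:
            policies.add((t[1], t[2], t[t.index("-P") + 1].lower()))
    for src, dst, direction in sorted(policies):
        reverse = "in" if direction == "out" else "out"
        if direction in ("in", "out") and (dst, src, reverse) not in policies:
            findings.append(f"{direction} policy {src}->{dst} has no '{reverse}' "
                            f"policy for {dst}->{src}: that direction may be plaintext")
    if sas and not policies:
        findings.append("SAs configured but no policy at all: unprotected "
                        "traffic from the peer is still accepted")
    return findings

# This section's scripts. The ESP key in the first is shortened to 22 bytes
# to exercise the length check.
DANGEROUS_216 = '''#!/sbin/setkey -f
add 10.0.0.216 10.0.0.11 ah 24500 -A hmac-md5 "1234567890123456";
add 10.0.0.216 10.0.0.11 esp 24501 -E 3des-cbc "1234567890123456789012";
spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
   esp/transport//require
   ah/transport//require;
'''
SAS_ONLY_11 = "\n".join(DANGEROUS_216.splitlines()[:3]) + "\n"
COMPLETE_216 = DANGEROUS_216.replace("1234567890123456789012",
                                     "123456789012123456789012") + '''
add 10.0.0.11 10.0.0.216 ah 15700 -A hmac-md5 "1234567890123456";
add 10.0.0.11 10.0.0.216 esp 15701 -E 3des-cbc "123456789012123456789012";
spdadd 10.0.0.11 10.0.0.216 any -P in ipsec
   esp/transport//require
   ah/transport//require;
'''

if __name__ == "__main__":
    for name, script in (("dangerous", DANGEROUS_216), ("SAs only", SAS_ONLY_11),
                         ("complete", COMPLETE_216)):
        print(name, audit_setkey(script) or ["ok"])
```

The policy check is deliberately per host: it does not know what the peer has loaded, so run it on both machines' scripts. A clean result on one side says nothing about the other, which is exactly the trap the first configuration of this section fell into.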

7.2. Automatic keying

In the previous section encryption was configured with simple shared secrets. In other words, to stay secure we have to transfer our encryption configuration over a trusted channel. If we configured the remote host over telnet, any third party could learn our shared secret and the setup would not be secure.

Furthermore, because the secret is shared it is not really a secret. The remote end cannot do a great deal with our secret, but we still need a different secret for each partner we talk to. That takes a lot of keys: with 10 parties, at least 45 different secrets (one per pair, n(n-1)/2).

Besides the symmetric key problem there is also the need for key rollover. A third party that manages to sniff enough traffic may be in a position to recover the key. Moving to a new key every so often prevents this, but that process has to be automated.

Another problem is that with manual keying, as described above, we specify the exact algorithms and key lengths, which requires a lot of coordination with the remote party. It would be preferable to describe a broader key policy such as 'we can do 3DES and Blowfish with at least the following key lengths'.

To solve these problems IPSEC provides the Internet Key Exchange (IKE) protocol: the two peers authenticate each other and then derive fresh, random session keys with a Diffie-Hellman exchange according to the negotiated algorithm details, so the keys themselves are never transmitted and can be renewed automatically.

The Linux 2.5 IPSEC implementation works with the KAME 'racoon' IKE daemon. As of 9 November, the racoon in Alexey's iptools distribution compiles, although you may need to remove #include <net/route.h> from two files. Alternatively, I have supplied a precompiled version.

Note: IKE needs UDP port 500 (and UDP 4500 if NAT traversal is used), so make sure iptables does not block it.

7.2.1. Theory

As explained above, automatic keying does a lot of the work for us. Specifically, it creates Security Associations on the fly. It does not, however, set policy for us, which is as it should be.

So, to benefit from IKE, set up a policy but do not supply any SAs. When the kernel finds an IPSEC policy but no Security Association for it, it notifies the IKE daemon, which then sets out to negotiate one.

To repeat: a Security Policy specifies WHAT we want; a Security Association describes HOW we want it. With automatic keying we get away with specifying only what we want.

7.2.2. Example

KAME racoon comes with a large number of options, most of which have very good defaults, so we do not need to touch them. As described above, the operator has to define a Security Policy but no Security Associations; negotiating those is left to the IKE daemon.

In this example 10.0.0.11 and 10.0.0.216 are once again going to set up secure communication, this time with the help of racoon. For simplicity this configuration uses pre-shared keys (PSK), the dreaded 'shared secrets'. X.509 certificates are discussed in a separate section, see 7.2.3.

We will use almost the default configuration, identical on both hosts:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote anonymous
{
	exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	my_identifier address;

	lifetime time 2 min;	# sec,min,hour
	initial_contact on;
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}
 
sainfo anonymous
{
	pfs_group 1;
	lifetime time 2 min;
	encryption_algorithm 3des ;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
That is quite a lot of settings; I think even more could be removed to get closer to the defaults. A few things are worth noting. We configured two anonymous stanzas that hold for any remote peer, which makes further configuration easy; per-host stanzas are not needed unless we really want them.

Furthermore, we identify ourselves by our IP address ('my_identifier address'), and declare that we can do 3des and sha1 and that we will use a pre-shared key from psk.txt.

Two caveats if you reuse this configuration today: with a pre-shared key, the 'aggressive' exchange mode lets a passive observer capture enough material for an offline guessing attack on the PSK, so allow main mode only; and 3DES, SHA-1 and DH group 1 (pfs_group 1) are legacy choices that a current deployment would replace with AES, SHA-2 and a stronger group.

In psk.txt we put one entry, which differs between the two hosts. On 10.0.0.11:
10.0.0.216	password2

And on 10.0.0.216:
10.0.0.11	password2

These files must be owned by root and have mode 0600, otherwise racoon will not trust their contents. Note that the two files are mirror images of each other.

Now we are ready to set up the policy we want, which is simple enough. On host 10.0.0.216:
#!/sbin/setkey -f
flush;
spdflush;

spdadd 10.0.0.216 10.0.0.11 any -P out ipsec
	esp/transport//require;

spdadd 10.0.0.11 10.0.0.216 any -P in ipsec
	esp/transport//require;

And on 10.0.0.11:
#!/sbin/setkey -f
flush;
spdflush;

spdadd 10.0.0.11 10.0.0.216 any -P out ipsec
	esp/transport//require;

spdadd 10.0.0.216 10.0.0.11 any -P in ipsec
	esp/transport//require;

Note that these policies are mirrored too.

We are now ready to launch racoon! Once it is running, the moment we try to telnet (or similar) from 10.0.0.11 to 10.0.0.216, racoon starts negotiating:
12:18:44: INFO: isakmp.c:1689:isakmp_post_acquire(): IPsec-SA
  request for 10.0.0.11 queued due to no phase1 found.
12:18:44: INFO: isakmp.c:794:isakmp_ph1begin_i(): initiate new
  phase 1 negotiation: 10.0.0.216[500]<=>10.0.0.11[500]
12:18:44: INFO: isakmp.c:799:isakmp_ph1begin_i(): begin Aggressive mode.
12:18:44: INFO: vendorid.c:128:check_vendorid(): received Vendor ID:
  KAME/racoon
12:18:44: NOTIFY: oakley.c:2037:oakley_skeyid(): couldn't find
  the proper pskey, try to get one by the peer's address.
12:18:44: INFO: isakmp.c:2417:log_ph1established(): ISAKMP-SA
  established 10.0.0.216[500]-10.0.0.11[500] spi:044d25dede78a4d1:ff01e5b4804f0680
12:18:45: INFO: isakmp.c:938:isakmp_ph2begin_i(): initiate new phase 2
  negotiation: 10.0.0.216[0]<=>10.0.0.11[0]
12:18:45: INFO: pfkey.c:1106:pk_recvupdate(): IPsec-SA established:
  ESP/Transport 10.0.0.11->10.0.0.216 spi=44556347(0x2a7e03b)
12:18:45: INFO: pfkey.c:1318:pk_recvadd(): IPsec-SA established:
  ESP/Transport 10.0.0.216->10.0.0.11 spi=15863890(0xf21052)

If we now run setkey -D, which shows the Security Associations, they are indeed there:
10.0.0.216 10.0.0.11
	esp mode=transport spi=224162611(0x0d5c7333) reqid=0(0x00000000)
	E: 3des-cbc  5d421c1b d33b2a9f 4e9055e3 857db9fc 211d9c95 ebaead04
	A: hmac-sha1  c5537d66 f3c5d869 bd736ae2 08d22133 27f7aa99
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Nov 11 12:28:45 2002	current: Nov 11 12:29:16 2002
	diff: 31(s)	hard: 600(s)	soft: 480(s)
	last: Nov 11 12:29:12 2002	hard: 0(s)	soft: 0(s)
	current: 304(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 3	hard: 0	soft: 0
	sadb_seq=1 pid=17112 refcnt=0
10.0.0.11 10.0.0.216
	esp mode=transport spi=165123736(0x09d79698) reqid=0(0x00000000)
	E: 3des-cbc  d7af8466 acd4f14c 872c5443 ec45a719 d4b3fde1 8d239d6a
	A: hmac-sha1  41ccc388 4568ac49 19e4e024 628e240c 141ffe2f
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Nov 11 12:28:45 2002	current: Nov 11 12:29:16 2002
	diff: 31(s)	hard: 600(s)	soft: 480(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 231(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 2	hard: 0	soft: 0
	sadb_seq=0 pid=17112 refcnt=0

As are the Security Policies we configured ourselves:
10.0.0.11[any] 10.0.0.216[any] tcp
	in ipsec
	esp/transport//require
	created:Nov 11 12:28:28 2002 lastused:Nov 11 12:29:12 2002
	lifetime:0(s) validtime:0(s)
	spid=3616 seq=5 pid=17134
	refcnt=3
10.0.0.216[any] 10.0.0.11[any] tcp
	out ipsec
	esp/transport//require
	created:Nov 11 12:28:28 2002 lastused:Nov 11 12:28:44 2002
	lifetime:0(s) validtime:0(s)
	spid=3609 seq=4 pid=17134
	refcnt=3
7.2.2.1. Problems and known defects

If this does not work, check that all configuration files are owned by root and readable only by root. To run racoon in the foreground use '-F'. To make it read a specific configuration file instead of the compiled-in one, use '-f'. For staggering amounts of detail, add 'log debug;' to racoon.conf.

7.2.3. Automatic keying with X.509 certificates

As mentioned before, shared secrets are hard to use: they are not easily shared, and once shared they are no longer secret. Fortunately asymmetric cryptography helps solve this.

If every IPSEC participant creates a public and a private key, secure communication can be set up by each party publishing its public key and configuring policy.

Creating a key is fairly easy, although it takes some work. What follows is based on the 'openssl' tool.

7.2.3.1. Building an X.509 certificate for your host

OpenSSL has a lot of infrastructure for keys that may or may not be signed by a certificate authority. For now we bypass all of that and practice some good old Snake Oil security, without a certificate authority.

First we issue a 'certificate request' for our host, called 'laptop' (the 1024-bit RSA key and SHA-1 signature shown were adequate when this was written; use rsa:2048 or larger and -sha256 now):
$ openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout \
  laptop.private -outform PEM -out request.pem

This asks a few questions:
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Delft
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linux Advanced
Routing & Traffic Control
Organizational Unit Name (eg, section) []:laptop
Common Name (eg, YOUR name) []:bert hubert
Email Address []:ahu@ds9a.nl

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

How completely you fill this in is up to you. Depending on your security needs you may or may not want to enter the hostname; in this example we did.

Now we 'self-sign' the request:
$ openssl x509 -req -in request.pem -signkey laptop.private -out \
  laptop.public
Signature ok
subject=/C=NL/L=Delft/O=Linux Advanced Routing & Traffic \
  Control/OU=laptop/CN=bert hubert/Email=ahu@ds9a.nl
Getting Private key

The 'request.pem' file can now be discarded.

Repeat this procedure for every host that needs a key. The '.public' file can be distributed freely, but keep the '.private' file private!

7.2.3.2. Setting up and launching

Once we have a public and a private key for our hosts, we can tell racoon to use them.

We return to the previous configuration and its two hosts, 10.0.0.11 ('upstairs') and 10.0.0.216 ('laptop').

To the racoon.conf on 10.0.0.11 we add:
path certificate "/usr/local/etc/racoon/certs";

remote 10.0.0.216
{
	exchange_mode aggressive,main;
	my_identifier asn1dn;
	peers_identifier asn1dn;

	certificate_type x509 "upstairs.public" "upstairs.private";

	peers_certfile "laptop.public";
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group 2;
	}
}

This configuration tells racoon that certificates are to be found in /usr/local/etc/racoon/certs/. It also contains statements specific to the remote host 10.0.0.216.

The 'asn1dn' lines tell racoon that the identifiers of both the local and the remote end are to be extracted from the public keys. That is the 'subject=/C=NL/L=Delft/O=Linux Advanced Routing & Traffic Control/OU=laptop/CN=bert hubert/Email=ahu@ds9a.nl' output seen above.

The certificate_type line configures the local public and private key. The peers_certfile statement makes racoon read the public key of the remote host from the file laptop.public.

The proposal stanza is unchanged from before, except for authentication_method, which is now rsasig: use RSA public/private keys for authentication.

The addition to the configuration of 10.0.0.216 is nearly identical, apart from the usual mirroring:
path certificate "/usr/local/etc/racoon/certs";

remote 10.0.0.11
{
	exchange_mode aggressive,main;
	my_identifier asn1dn;
	peers_identifier asn1dn;

	certificate_type x509 "laptop.public" "laptop.private";
 
	peers_certfile "upstairs.public";

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group 2;
	}
}

Now that we have added these statements to both hosts, we only need to put the key files in place. The 'upstairs' machine needs upstairs.private, upstairs.public and laptop.public in /usr/local/etc/racoon/certs. Make sure this directory is owned by root and has mode 0700, or racoon may refuse to read the files!

The 'laptop' machine needs laptop.private, laptop.public and upstairs.public in /usr/local/etc/racoon/certs. In other words, each host needs its own public and private key plus the public key of the remote host.

Check that a Security Policy is in place (run the 'spdadd' lines from 7.2.2). Then launch racoon and everything should work.

7.2.3.3. How to set up tunnels securely

To set up secure communication with a remote party we must exchange public keys. The public key does not have to be kept secret, but it is very important to be sure that the key has not been altered in transit. In other words, you must be certain there is no 'man in the middle'.

To help with this, OpenSSL provides the 'digest' command:
$ openssl dgst upstairs.public 
MD5(upstairs.public)= 78a3bddafb4d681c1ca8ed4d23da4ff1

Now all we need to do is check that our remote partner sees the same digest. This may be done by meeting in real life, or over the phone, making sure that the phone number of the remote partner was not sent in the same email that contained the key!

Another way of doing this is to use a trusted third party (WikiPedia:Trusted_third_party) that runs a Certificate Authority. This CA would then sign your key, which is what we did ourselves above.

7.3. IPSEC tunnels

So far we have only looked at IPSEC in so-called 'transport' mode, where both endpoints understand IPSEC directly. As this is often not the case, it may be necessary to have only the routers understand IPSEC and have them do the work for the hosts behind them. This is called 'tunnel mode'.

Setting this up is a breeze. To tunnel all traffic from 10.0.0.216 to 130.161.0.0/16 via 10.0.0.11, we issue the following on 10.0.0.216:
#!/sbin/setkey -f
flush;
spdflush;

add 10.0.0.216 10.0.0.11 esp 34501
	-m tunnel
	-E 3des-cbc "123456789012123456789012";

spdadd 10.0.0.0/24 130.161.0.0/16 any -P out ipsec
	esp/tunnel/10.0.0.216-10.0.0.11/require;
Note the '-m tunnel', which is vitally important! This first configures an ESP encryption SA between our two tunnel endpoints, 10.0.0.216 and 10.0.0.11.

Next, the actual tunnel is configured. It instructs the kernel to encrypt all traffic it has to route from 10.0.0.0/24 to 130.161.0.0/16. Furthermore, this encrypted traffic is then shipped to 10.0.0.11.

10.0.0.11 also needs some configuration:
#!/sbin/setkey -f
flush;
spdflush;

add 10.0.0.216 10.0.0.11 esp 34501
	-m tunnel
	-E 3des-cbc "123456789012123456789012";

spdadd 10.0.0.0/24 130.161.0.0/16 any -P in ipsec
	esp/tunnel/10.0.0.216-10.0.0.11/require;
Note that this is exactly identical, except for the change from '-P out' to '-P in'. As with the earlier examples, we have now only configured traffic going one way. Completing the other half of the tunnel is left as an exercise for the reader.

Another name for this setup is 'proxy ESP', which is somewhat clearer.

Note: the IPSEC tunnel requires IP forwarding to be enabled in the kernel. (Translator's note: 'echo 1 > /proc/sys/net/ipv4/ip_forward')
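The two setkey scripts above cover one direction only. As an added example that is not part of the HOWTO, the POSIX shell function below emits the complete setkey script for either end of this proxy-ESP tunnel, with an SA and a policy for each direction. The addresses and networks are the page's; the second SPI (34502), the function and parameter names, and the keys passed in are assumptions of this example, and the keys used in the usage comment are placeholders.

```shell
# ipsec_tunnel_conf SIDE LEFT_GW RIGHT_GW LEFT_NET RIGHT_NET SPI_LR SPI_RL KEY_LR KEY_RL
#   SIDE is "left" (the gateway LEFT_GW) or "right" (the gateway RIGHT_GW).
#   Prints a setkey -f script with two tunnel-mode ESP SAs (one per direction)
#   and two policies: LEFT_NET->RIGHT_NET and RIGHT_NET->LEFT_NET.
#   Each direction gets its own SPI and its own key (constructed values; a real
#   3des-cbc key is 24 bytes, e.g. a 0x-prefixed hex string from a CSPRNG).
ipsec_tunnel_conf() {
    side=$1; lgw=$2; rgw=$3; lnet=$4; rnet=$5
    spi_lr=$6; spi_rl=$7; key_lr=$8; key_rl=$9
    # On the left gateway, left->right traffic is outbound; on the right
    # gateway the same traffic is inbound, so the policy directions flip.
    case "$side" in
        left)  pol_lr=out; pol_rl=in  ;;
        right) pol_lr=in;  pol_rl=out ;;
        *) echo "ipsec_tunnel_conf: side must be left or right" >&2; return 1 ;;
    esac
    printf '%s\n' '#!/sbin/setkey -f' 'flush;' 'spdflush;' ''
    # Security associations: both ends need both SAs.
    printf 'add %s %s esp %s\n\t-m tunnel\n\t-E 3des-cbc "%s";\n\n' \
        "$lgw" "$rgw" "$spi_lr" "$key_lr"
    printf 'add %s %s esp %s\n\t-m tunnel\n\t-E 3des-cbc "%s";\n\n' \
        "$rgw" "$lgw" "$spi_rl" "$key_rl"
    # Security policies: require the tunnel in both directions.
    printf 'spdadd %s %s any -P %s ipsec\n\tesp/tunnel/%s-%s/require;\n\n' \
        "$lnet" "$rnet" "$pol_lr" "$lgw" "$rgw"
    printf 'spdadd %s %s any -P %s ipsec\n\tesp/tunnel/%s-%s/require;\n' \
        "$rnet" "$lnet" "$pol_rl" "$rgw" "$lgw"
}

# Usage (placeholder keys; generate real ones randomly):
#   ipsecs_tunnel_conf left 10.0.0.216 10.0.0.11 10.0.0.0/24 130.161.0.0/16 \
#       34501 34502 KEY_PLACEHOLDER_LR_24 KEY_PLACEHOLDER_RL_24 > /etc/ipsec-left.conf
```

Run it once with "left" on 10.0.0.216 and once with "right" on 10.0.0.11, feeding each output to setkey -f; the only difference between the two scripts is which policy is '-P out' and which is '-P in', exactly the mirroring described above.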

7.4. Other IPSEC software

Thomas Walpuski reports that he has written a patch to make OpenBSD's isakmpd work with Linux 2.5 IPSEC. Furthermore, the main isakmpd CVS repository now contains this code! Some notes are on [http]his page (Translator's note: NoSmoke:DeadLink).

isakmpd is quite different from the racoon mentioned above, but many people like it. It can be found [http]here. Read more about OpenBSD CVS [http]here. Thomas also made a [http]tarball (Translator's note: NoSmoke:DeadLink) available for those not comfortable with CVS or patching.

Furthermore, there are patches to make the FreeS/WAN userspace tools work with the native Linux 2.5 IPSEC; you can find them [http]here.

7.5. IPSEC interoperation with other systems

FIXME: Write this

7.5.1. Windows

Andreas Jellinghaus <Maj@dungeon.inka.de> reports: "win2k: it works. Pre-shared key with IP address for authentication (I don't think Windows supports fqdn or userfqdn strings). Certificates should also work, didn't try."

7.5.2. Check Point VPN-1 NG

Peter Bieringer reports:
Here are some results (tunnel mode only tested, auth=SHA1):

DES:     ok 
3DES:    ok 
AES-128: ok 
AES-192: not supported by CP VPN-1
AES-256: ok 
CAST* :  not supported by used Linux kernel

Tested version: FP4 aka R54 aka w/AI

More information is available [http]here.

8. Multicast routing

FIXME: no editor!

The Multicast-HOWTO is (relatively speaking) ancient, and may be inaccurate or misleading in places for that reason.

Before you can do any multicast routing, you need to configure the Linux kernel to support the type of multicast routing you want to do. This, in turn, requires you to decide what type of multicast routing you expect to use. There are essentially four "common" types: WikiPedia:DVMRP (the multicast version of the RIP unicast protocol), MOSPF (the same, but for WikiPedia:OSPF), PIM-SM ("WikiPedia:Protocol_Independent_Multicast - Sparse Mode", which assumes that the users of any multicast group are spread out rather than concentrated) and PIM-DM (the same, but "Dense Mode", which assumes that the users of the same multicast group are significantly clumped together).

In the Linux kernel you will notice that these options do not appear. This is because the protocol itself is handled by a routing application such as Zebra, mrouted or pimd. You still have to have a good idea of which one you are going to use in order to select the right options in the kernel.

For all multicast routing, you definitely need to enable "multicasting" and "multicast routing" (Translator's note: CONFIG_IP_MULTICAST and CONFIG_IP_MROUTE). For DVMRP and MOSPF this is sufficient. If you are going to use PIM, you must also enable PIMv1 or PIMv2, depending on whether the network you are connecting to uses version 1 or 2 of the PIM protocol.

Once you have made your choices and compiled a new Linux kernel, you will see that the IP protocols listed at boot time now include WikiPedia:IGMP. This is the protocol for managing multicast groups. At the time of writing, Linux supports only IGMP versions 1 and 2; version 3 exists and is documented. This does not really matter much, since IGMPv3 is still new enough that the extra capabilities of IGMPv3 will not be of much use. Because IGMP deals with groups, only the features present in the simplest version of IGMP will be used over the entire group. You will still encounter IGMPv1 sometimes, but for the most part IGMPv2 will be used.

So far so good. We have enabled multicasting. Now we have to tell the Linux kernel to actually do something with it, so we can start routing. This means adding the multicast virtual network to the routing table:
ip route add 224.0.0.0/4 dev eth0

(Assuming, of course, that you are multicasting over eth0! Substitute the device of your choice if necessary.)

Now, tell Linux to forward packets...

At this point you may be wondering whether this does anything at all. So, to test our connection, we ping the default group, 224.0.0.1, to see if anyone is alive. All machines on your LAN with multicasting enabled should respond, and that is all. You will notice that none of the machines that respond have an IP address of 224.0.0.1. What a surprise! :) This is a group address (a "broadcast" to subscribers), and all members of the group will respond with their own address, not the group address.
ping -c 2 224.0.0.1

And now we are ready to do the actual multicast routing. Well, assuming that you have two networks to route between.

(To Be Continued!)

9. Queueing Disciplines for Bandwidth Management

Now, when I discovered this, it really blew me away. Linux 2.2/2.4 comes with everything needed to manage bandwidth in ways comparable to high-end dedicated bandwidth management systems.

Linux even goes far beyond what Frame Relay or ATM provide.

Just to prevent confusion, tc uses the following rules for bandwidth specification:
mbps = 1024 kbps = 1024 * 1024 bps => byte/s
mbit = 1024 kbit => kilo bit/s.
mb = 1024 kb = 1024 * 1024 b => byte
mbit = 1024 kbit => kilo bit.
Internally, the numbers are stored in bps and b.

But when tc prints the rate, it uses the following:
1Mbit = 1024 Kbit = 1024 * 1024 bps => byte/s
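Because the input and output conventions differ, it is easy to misread a shaping rate. As an added example that is not part of the HOWTO, the two POSIX shell functions below apply exactly the rules quoted above: tc_to_bps parses a tc-style rate into bits per second (k = 1024, m = 1024 * 1024, "bps" units are bytes per second, "bit" units are bits per second), and tc_print_rate formats a bits-per-second value the way the page says tc prints it (1Mbit = 1024 Kbit). The function names are this example's own; bare numbers and units the page does not list are rejected rather than guessed.

```shell
# tc_to_bps RATE  -> bits per second, or non-zero status on an unknown unit.
# Units follow the page's rules: bit/kbit/mbit are bits per second,
# bps/kbps/mbps are BYTES per second, and k/m mean 1024 / 1024*1024.
tc_to_bps() {
    num=${1%%[!0-9]*}          # leading digits
    unit=${1#"$num"}           # whatever follows them
    if [ -z "$num" ] || [ -z "$unit" ]; then
        echo "tc_to_bps: need <number><unit>, got '$1'" >&2
        return 1
    fi
    case "$unit" in
        bit)  mult=1 ;;
        kbit) mult=1024 ;;
        mbit) mult=$((1024 * 1024)) ;;
        bps)  mult=8 ;;                     # bytes/s -> bits/s
        kbps) mult=$((8 * 1024)) ;;
        mbps) mult=$((8 * 1024 * 1024)) ;;
        *) echo "tc_to_bps: unknown rate unit '$unit' in '$1'" >&2; return 1 ;;
    esac
    echo $((num * mult))
}

# tc_print_rate BITS_PER_SECOND -> the page's output convention:
# 1Mbit = 1024 Kbit = 1024*1024 bit.  Falls back to plain "bit" when the
# value is not a whole multiple of 1024.
tc_print_rate() {
    bps=$1
    if [ $((bps % (1024 * 1024))) -eq 0 ]; then
        echo "$((bps / (1024 * 1024)))Mbit"
    elif [ $((bps % 1024)) -eq 0 ]; then
        echo "$((bps / 1024))Kbit"
    else
        echo "${bps}bit"
    fi
}
```

Note the factor of eight between "220kbps" and "220kbit": the former is 220 * 1024 bytes per second, the latter 220 * 1024 bits per second, so confusing the two means shaping at eight times the intended rate.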

9.1. Queues and Queueing Disciplines explained

With queueing we determine the way in which data is sent. It is important to realise that we can only shape data that we transmit.

With the way the Internet works, we have no direct control over what people send us. It is a bit like your (physical!) mailbox at home: there is no way you can influence the world to change the amount of mail they send you, short of contacting everybody, and even that is not feasible.

However, the Internet is mostly based on TCP/IP, which has a few features that help us. TCP/IP has no way of knowing the capacity of the network between two hosts, so it just starts sending data faster and faster ('slow start'), and when packets start getting lost because there is no room to send them, it slows down. In fact it is a bit smarter than this, but more about that later.

This is the equivalent of not reading half of your mail and hoping that people will stop sending you more. With the difference that on the Internet it works :-)

If you have a router and wish to prevent certain hosts within your network from downloading too fast, you need to do your shaping on the *inner* interface of your router, the one that sends data to your own computers.

You also have to be sure you are controlling the bottleneck of the link. If you have a 100Mbit NIC and a router that has a 256kbit link, you have to make sure you are not sending more data than your router can handle. Otherwise it will be the router that is controlling the link and shaping the available bandwidth. We need to 'own the queue', so to speak, and be the slowest link in the chain. Luckily this is easily possible.

9.2. Simple, classless Queueing Disciplines

As said, with queueing disciplines we change the way data is sent. Classless queueing disciplines are those that, by and large, accept data and only reschedule, delay or drop it.

These can be used to shape traffic for an entire interface, without any subdivisions. It is vital that you understand this part of queueing before we go on to the classful qdisc-containing-qdiscs!

By far the most widely used discipline is the pfifo_fast qdisc; it is the default. This also explains why these advanced features are so robust: they are nothing more than 'just another queue'.

Each of these queues has specific strengths and weaknesses. Not all of them may be as well tested.

9.2.1. pfifo_fast

This queue is, as the name says, First In, First Out, which means that no packet receives special treatment. At least, not quite. This queue has 3 so-called 'bands'. Within each band, FIFO rules apply. However, as long as there are packets waiting in band 0, band 1 won't be processed. The same goes for band 1 and band 2.

The kernel honors the so-called Type of Service flag of packets, and takes care to insert 'minimum delay' packets in band 0.

Do not confuse this classless simple qdisc with the classful PRIO one! Although they behave similarly, pfifo_fast is classless and you cannot add other qdiscs to it with the tc command.
9.2.1.1. Parameters & usage
You can't configure the pfifo_fast qdisc, as it is the hardwired default. This is how it is configured by default:

priomap
Determines how packet priorities, as assigned by the kernel, map to bands. Mapping occurs based on the TOS octet of the packet, which looks like this:
   0     1     2     3     4     5     6     7
+-----+-----+-----+-----+-----+-----+-----+-----+
|                 |                       |     |
|   PRECEDENCE    |          TOS          | MBZ |
|                 |                       |     |
+-----+-----+-----+-----+-----+-----+-----+-----+
The four TOS bits (the 'TOS field') are defined as:
Binary Decimal  Meaning
-----------------------------------------
1000   8         Minimize delay (md)
0100   4         Maximize throughput (mt)
0010   2         Maximize reliability (mr)
0001   1         Minimize monetary cost (mmc)
0000   0         Normal Service
As there is 1 bit to the right of these four bits, the actual value of the TOS field is double the value of the TOS bits. tcpdump -v -v shows you the value of the entire TOS field, not just the four bits. It is the value you see in the first column of this table:
TOS     Bits  Means                         Linux Priority   Band
------------------------------------------------------------------
0x0     0     Normal Service                0 Best Effort    1
0x2     1     Minimize Monetary Cost (mmc)  1 Filler         2
0x4     2     Maximize Reliability (mr)     0 Best Effort    1
0x6     3     mmc+mr                        0 Best Effort    1
0x8     4     Maximize Throughput (mt)      2 Bulk           2
0xa     5     mmc+mt                        2 Bulk           2
0xc     6     mr+mt                         2 Bulk           2
0xe     7     mmc+mr+mt                     2 Bulk           2
0x10    8     Minimize Delay (md)           6 Interactive    0
0x12    9     mmc+md                        6 Interactive    0
0x14    10    mr+md                         6 Interactive    0
0x16    11    mmc+mr+md                     6 Interactive    0
0x18    12    mt+md                         4 Int. Bulk      1
0x1a    13    mmc+mt+md                     4 Int. Bulk      1
0x1c    14    mr+mt+md                      4 Int. Bulk      1
0x1e    15    mmc+mr+mt+md                  4 Int. Bulk      1
Lots of numbers. The second column contains the value of the relevant four TOS bits, followed by their translated meaning. For example, 15 stands for a packet wanting Minimal Monetary Cost, Maximum Reliability, Maximum Throughput AND Minimum Delay. I would call this a 'Dutch Packet'.

The fourth column lists the way the Linux kernel interprets the TOS bits, by showing which priority they are mapped to.

The last column shows the result of the default priomap. On the command line, the default priomap looks like this:
1, 2, 2, 2, 1, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1
This means that priority 4, for example, gets mapped to band number 1. The priomap also allows you to list higher priorities (> 7) which do not correspond to TOS mappings but which can be set by other means.
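The two tables above describe a two-step mapping: TOS octet to 4 TOS bits, TOS bits to Linux priority, and priority to band through the priomap. As an added example that is not part of the HOWTO, the POSIX shell function below carries a TOS octet as tcpdump -v -v prints it (for instance 0x10) through both steps using the numbers from the tables; it also accepts a custom priomap so you can see how a different map would reassign bands. The function and variable names are this example's own, and the lookup tables are copied from the page, not from the kernel.

```shell
# Linux priority for each 4-bit TOS value 0..15 (fourth column of the table
# above: 0/1/0/0 for mmc,mr; 2 for any mt; 6 for md; 4 for mt+md).
TOS_TO_PRIO="0 1 0 0 2 2 2 2 6 6 6 6 4 4 4 4"

# The default priomap (priority 0..15 -> band) as printed by tc.
DEFAULT_PRIOMAP="1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1"

# nth INDEX WORD...  -> the INDEX-th (0-based) word of the remaining args.
nth() {
    i=$1; shift
    shift "$i"
    echo "$1"
}

# pfifo_fast_band TOS_OCTET [PRIOMAP]
#   TOS_OCTET is the whole TOS byte (hex like 0x10 or decimal), i.e. what
#   tcpdump -v -v shows. Prints the band (0, 1 or 2) the packet lands in.
pfifo_fast_band() {
    tos=$(( $1 ))
    bits=$(( (tos >> 1) & 15 ))          # drop the MBZ bit, keep 4 TOS bits
    prio=$(nth "$bits" $TOS_TO_PRIO)     # kernel priority for those bits
    priomap=${2:-$DEFAULT_PRIOMAP}
    nth "$prio" $priomap                 # priority -> band
}
```

For example, TOS 0x10 (minimize delay) becomes bits 8, priority 6 and band 0, the band pfifo_fast always drains first, while TOS 0x18 (throughput plus delay) lands in band 1 because priority 4 maps to 1 in the default priomap.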

The following table, taken from RFC 1349 (read it for more details), tells you how applications might very well set their TOS bits:
TELNET                   1000           (minimize delay)
FTP
        Control          1000           (minimize delay)
        Data             0100           (maximize throughput)

TFTP                     1000           (minimize delay)

SMTP
        Command phase    1000           (minimize delay)
        DATA phase       0100           (maximize throughput)

Domain Name Service
        UDP Query        1000           (minimize delay)
        TCP Query        0000
        Zone Transfer    0100           (maximize throughput)

NNTP                     0001           (minimize monetary cost)

ICMP
        Errors           0000
        Requests         0000 (mostly)
        Responses        <same as request> (mostly)


txqueuelen
The length of this queue is taken from the interface configuration, which you can see and set with ifconfig and ip. To set the queue length to 10, execute: ifconfig eth0 txqueuelen 10

You can't set this parameter with tc!

9.2.2. Token Bucket Filter

The Token Bucket Filter (TBF) is a simple qdisc that only passes packets arriving at a rate which does not exceed the configured rate, but with the possibility of allowing short bursts (rapid runs of packets) that momentarily exceed this rate.

TBF is very precise, and network- and processor-friendly. If you simply want to slow an interface down, it should be your first choice.

The TBF implementation consists of a buffer (the bucket), constantly filled with virtual pieces of information called tokens at a fixed rate (the token rate). The most important parameter of the bucket is its size, that is, the number of tokens it can store.

Tokens accumulate while waiting for packets to arrive; each packet that passes consumes a token, which is then removed from the bucket. Associating the two flows, tokens and data, gives us three possible scenarios:

  • Data arrives in the TBF at a rate equal to the token rate. In this case each incoming packet has its matching token and passes the queue without delay.
  • Data arrives in the TBF at a rate lower than the token rate. Tokens are then generated faster than packets arrive, so they accumulate up to the bucket size, after which tokens produced faster than data arrives are discarded. The tokens saved in the bucket are used when a burst of data arrives in rapid succession.
  • Data arrives in the TBF at a rate higher than the token rate. The tokens saved in the bucket are consumed for a while, after which the TBF throttles itself. This is called an 'overlimit situation'. If packets keep arriving this fast, packets start to get dropped.

The last scenario is very important, because it allows the administrator to shape the bandwidth available to data that passes the filter.

The accumulation of tokens allows a short burst of overlimit data to pass without loss, but any lasting overload will cause packets to be delayed constantly, and then dropped.

9.2.2.1. Parameters & usage
Even though you will probably not need to change them, TBF has a number of configurable parameters.

limit or latency
Limit is the number of bytes that can be queued waiting for tokens to become available. You can also specify this the other way around by setting the latency parameter, which specifies the maximum amount of time a packet can sit in the TBF. The latter calculation takes into account the bucket size, the token rate and possibly the peakrate (if set).

burst/buffer/maxburst
Size of the bucket, in bytes. This is the maximum number of bytes' worth of tokens that can be available at one time. In general, larger shaping rates require a larger buffer. For 10Mbps you need at least a 10 kbyte buffer. If your buffer is too small, packets may be dropped, because more tokens are needed than fit in the bucket.

mpu
A zero-sized packet does not use zero bandwidth. For ethernet, no packet is smaller than 64 bytes. The Minimum Packet Unit determines the minimal token usage for a packet.
rate
The speed knob. See the remarks about limit above! If the bucket contains tokens and is allowed to empty, by default it does so at infinite speed. If this is unacceptable, use the following two parameters.

peakrate
If tokens are available and packets arrive, they are by default sent out immediately, at 'lightspeed' so to speak. That may not be what you want. The peakrate specifies how quickly the bucket is allowed to be depleted. Precisely, this is achieved by releasing a packet, then waiting just long enough, and releasing the next; the waits are calculated so that we send at exactly the peakrate. However, because of Unix's default 10ms timer, with packets averaging 10,000 bits we are limited to a peakrate of 1Mbps.

mtu/minburst
A peakrate of 1Mbps is not very useful when your bandwidth is large. A higher peakrate is possible by sending out several packets per timer tick, which effectively means that we use a second bucket. This second bucket is not really a bucket at all; it defaults to a single packet size. To calculate the maximum possible peakrate, multiply the configured mtu by 100 (or, more precisely, by HZ, which is 100 on Intel and 1024 on Alpha).

9.2.2.2. Sample configuration
A simple but useful configuration is this:

 # tc qdisc add dev ppp0 root tbf rate 220kbit latency 50ms burst 1540 

Ok, so why is this useful? If you have a networking device with a large queue, like a DSL modem or a cable modem, and you talk to it over a fast device, like an ethernet interface, you will find that uploading destroys interactivity. This is because uploading fills up the queue in the modem, which is probably huge because that helps achieve good throughput. But this is not what you want: you want the queue to stay small enough that you can still do other things while sending data. The example above therefore slows down sending so that packets do not pile up in the modem. Instead they queue inside our Linux machine, where we control the size of the queue. Change the 220kbit of the example to your uplink's actual speed. If you have a really fast modem, raise 'burst' a bit.

9.2.3. Stochastic Fairness Queuing

Stochastic Fairness Queueing (SFQ) is a simple implementation of the fair queueing family of algorithms. It is less accurate than others, but it also requires less computation.

The key word in SFQ is conversation (or flow), which mostly corresponds to a TCP session or a UDP stream. Traffic is divided into a pretty large number of FIFO queues, one for each conversation. Traffic is then sent in a round robin fashion, giving each conversation the chance to send in turn.

This leads to very fair behaviour and prevents any single conversation from drowning out the rest. SFQ is called 'Stochastic' because it does not really allocate a queue for each session; it uses a hashing algorithm to divide the traffic over a limited number of queues.

Because of the hash, multiple sessions might end up in the same queue, which means those sessions share the chance to send a packet and hence share the effective speed. To prevent this from becoming noticeable, SFQ changes its hashing algorithm quite often, so that any two sessions will only collide for a small number of seconds.

It is important to note that SFQ is only useful if your outgoing interface is actually full! If it isn't, there will be no queue on your Linux machine and hence no effect. Later on we will describe how to combine SFQ with other qdiscs to get the best of both worlds.

In particular, setting SFQ on the ethernet interface heading to your cable modem or DSL router is pointless without further shaping!

9.2.3.1. Parameters & usage
SFQ is pretty much self-tuning.

perturb
Reconfigure hashing once every this many seconds. If unset, the hash is never reconfigured. This is not recommended; 10 seconds is probably a good value.

quantum
The number of bytes a queue is allowed to dequeue before the next queue gets a turn. Defaults to the MTU, in bytes. Do not set this below the MTU!

limit
The total number of packets that will be queued by this SFQ; beyond that, packets are dropped.

9.2.3.2. Sample configuration
If you have a device whose link speed equals the actually available rate, like a phone modem, this configuration will help promote fairness:

# tc qdisc add dev ppp0 root sfq perturb 10
# tc -s -d qdisc ls
qdisc sfq 800c: dev ppp0 quantum 1514b limit 128p flows 128/1024 perturb 10sec 
 Sent 4812 bytes 62 pkts (dropped 0, overlimits 0) 

The number 800c: is the automatically assigned handle number. limit means that 128 packets can wait in this queue. There are 1024 hash buckets available for accounting, of which 128 can be active at a time. Once every 10 seconds the hashes are reconfigured.

9.3. Advice for when to use which queue


Summarizing, these are the simple queues that actually manage traffic by reordering, slowing or dropping packets.

The following tips may help in choosing which queue to use. They also mention some queueing disciplines described in Chapter 14.

  • To purely slow down outgoing traffic, use the Token Bucket Filter (TBF). It works up to huge bandwidths if you scale the bucket.

  • If your link is truly full and you want to make sure that no single session can dominate your outgoing bandwidth, use Stochastic Fairness Queueing (SFQ).

  • If you have a big backbone and know what you are doing, consider Random Early Drop (RED) (see the Advanced chapter).

  • To 'shape' incoming traffic which you are not forwarding, use the Ingress Policer. Incoming shaping is called 'policing', by the way, not 'shaping'.

  • If you *are* forwarding it, use a TBF on the interface you are forwarding the data to. Unless you want to shape traffic that may go out over several interfaces, in which case the only common factor is the incoming interface; in that case use the Ingress Policer.

  • If you don't want to shape, but only want to see if your interface is so loaded that it has to queue, use the pfifo queue (not pfifo_fast). It lacks internal bands but does count the size of its backlog.

  • Finally, you can also do 'social shaping'. You may not always be able to use technology to achieve what you want. Users experience technical constraints as hostile. A few kind words may help more than a precisely divided bandwidth!

9.4. Terminology


9.5. Classful Queuing Disciplines


9.5.1. Flows within classful qdiscs & classes


9.5.2. The qdisc family: roots, handles, siblings and parents


9.5.3. The PRIO qdisc


9.5.4. The famous CBQ qdisc


9.5.5. Hierarchical Token Bucket


9.6. Classifying packets with filters


9.6.1. Some simple filtering examples


9.6.2. All the filtering commands you will normally need


9.7. The Intermediate Queuing Device (IMQ)


9.7.1. Simple configuration


10. Load sharing over multiple interfaces


10.1. Caveats


10.2. Other possibilities


11. Netfilter & iproute - marking packets


12. Advanced filters for (re-)classifying packets


12.1. The u32 classifier


12.1.1. U32 selector


12.1.2. General selectors


12.1.3. Specific selectors


12.2. The route classifier


12.3. Policing filters


12.3.1. Ways to police


12.3.2. Overlimit actions


12.3.3. Examples


12.4. Hashing filters for very fast massive filtering


12.5. Filtering IPv6 traffic


12.5.1. How come that IPv6 tc filters do not work?


12.5.2. Marking IPv6 packets using ip6tables


12.5.3. Using the u32 selector to match IPv6 packet


13. Kernel network parameters

The kernel has lots of parameters which can be tuned for different circumstances. While, as usual, the default parameters serve 99% of installations very well, we don't call this the Advanced HOWTO for nothing!

The interesting bits are in /proc/sys/net; take a look there. Not everything will be documented here initially, but we're working on it.

In the meantime you may want to have a look at the Linux kernel source; read the file Documentation/filesystems/proc.txt. Most of the features are explained there.

(FIXME)

13.1. Reverse Path Filtering

By default, routers route everything, even packets which 'obviously' don't belong on your network. A common example is private IP space escaping onto the Internet. If you have an interface with a route of 195.96.96.0/24 to it, you do not expect packets from 212.64.94.1 to arrive there.

Lots of people want to turn this feature off, so the kernel hackers have made it easy. There are files in /proc where you can tell the kernel to do this for you. The method is called 'Reverse Path Filtering'. Basically, if the reply to a packet wouldn't go out the interface this packet came in on, then it is a bogus packet and is ignored.

The following fragment will turn this on for all current and future interfaces.
# for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
>  echo 2 > $i
> done
Going by the example above, if a packet arriving at the Linux router on eth1 claims to come from the Office+ISP subnet, it would be dropped. Likewise, if a packet came from the Office subnet claiming to be from somewhere outside your firewall, it would be dropped as well.

The above is full reverse path filtering. The default is to only filter based on the IP addresses of directly attached networks. Full filtering can be a problem in the case of asymmetric routing (where packets come in one way and go out another, like satellite traffic, or if you have dynamic (bgp, ospf, rip) routes in your network; with satellite links the data comes down through the satellite dish and the replies go back over normal land lines).

If this exception applies to you (and you'll probably know if it does), you can simply turn off rp_filter on the interface where the satellite data comes in. If you want to see whether any packets are being dropped, the log_martians file in the same directory tells the kernel to log them to your syslog.
# echo 1 >/proc/sys/net/ipv4/conf/<interfacename>/log_martians
FIXME: is setting the conf/{default,all}/* files enough? - martijn
(Translator's note: it is not. The conf/all/* files do not affect the behaviour; you must set the files in the per-interface directories directly.)
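Since the per-interface files are what count, it is worth checking them rather than assuming. As an added example that is not part of the HOWTO, the POSIX shell function below walks a conf directory (by default /proc/sys/net/ipv4/conf), prints rp_filter and log_martians for every real interface, flags interfaces where reverse path filtering is off (legitimate only for a deliberate asymmetric-routing exception such as the satellite case above), and a companion function returns how many such interfaces there are. The function names are this example's own; the directory argument exists so it can be run against a constructed tree, which is what the usage below does.

```shell
# rp_audit [CONF_DIR]
#   One line per interface directory under CONF_DIR (default
#   /proc/sys/net/ipv4/conf): rp_filter and log_martians values, with
#   rp_filter=0 flagged. "all" and "default" are templates, not devices.
rp_audit() {
    dir=${1:-/proc/sys/net/ipv4/conf}
    for d in "$dir"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        [ -r "$d/rp_filter" ] || continue
        rp=$(cat "$d/rp_filter")
        lm=$(cat "$d/log_martians" 2>/dev/null || echo '?')
        if [ "$rp" -eq 0 ]; then
            status='OFF: only acceptable on a known asymmetric-routing link'
        else
            status="on (mode $rp)"
        fi
        printf '%-8s rp_filter=%s log_martians=%s  %s\n' "$iface" "$rp" "$lm" "$status"
    done
}

# rp_off_count [CONF_DIR] -> number of interfaces with rp_filter disabled.
rp_off_count() {
    rp_audit "$1" | grep -c 'rp_filter=0 ' || :
}

# Usage on a constructed tree (a real run would just call rp_audit):
#   t=$(mktemp -d); mkdir -p "$t/eth0" "$t/eth1"
#   echo 1 > "$t/eth0/rp_filter"; echo 0 > "$t/eth1/rp_filter"
#   rp_audit "$t"; rp_off_count "$t"     # prints the table, then 1
```

Run rp_audit on the router after the loop above and every interface except a deliberate exception should read rp_filter=2 (or 1 on newer kernels that distinguish strict from loose mode); an interface showing rp_filter=0 without log_martians=1 is the one most worth a second look, because spoofed packets arriving there are neither dropped nor recorded.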

13.2. Obscure settings

Ok, there are a lot of parameters which can be modified. We try to list them all. They are also documented (partly) in Documentation/ip-sysctl.txt (Translator's note: Documentation/networking/ip-sysctl.txt is the correct path).

Some of these settings have different defaults depending on whether you answered 'Yes' to 'Configure as router and not host' (Translator's note: NETFILTER, IP_ADVANCED_ROUTER and so on) while compiling your kernel.

Oskar Andreasson also has a page covering all of these flags, and it appears to be better than ours, so check out [http]http://ipsysctl-tutorial.frozentux.net/ as well.

13.2.1. Generic ipv4

As a generic note, most rate limiting features don't work on loopback, so don't test them locally. The limits are supplied in 'jiffies' and are enforced using the earlier mentioned token bucket filter.

The kernel has an internal clock which ticks 'HZ' times (or 'jiffies') per second. On Intel, 'HZ' is mostly 100. So setting a *_rate file to, say, 50 would allow 2 packets per second. The token bucket filter also allows a burst of at most 6 packets if enough tokens have been earned.

Several entries in the following list have been copied from /usr/src/linux/Documentation/networking/ip-sysctl.txt, written by Alexey Kuznetsov <Mkuznet@ms2.inr.ac.ru> and Andi Kleen <Mak@muc.de>.

/proc/sys/net/ipv4/icmp_destunreach_rate
If the kernel decides that it can't deliver a packet, it drops it and sends the source of the packet an ICMP notice to that effect.

/proc/sys/net/ipv4/icmp_echo_ignore_all
Don't act on echo packets at all. Please don't set this by default, but if you are being used as a relay in a DoS attack it may be useful.

/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts [Useful]
If you ping the broadcast address of a network, all hosts are supposed to respond. This makes for a dandy denial-of-service tool. Set this to 1 to ignore these broadcast messages.

/proc/sys/net/ipv4/icmp_echoreply_rate
The rate at which echo replies are sent to any one destination.

/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
Set this to ignore ICMP errors caused by hosts in the network reacting badly to frames sent to what they perceive to be the broadcast address.

/proc/sys/net/ipv4/icmp_paramprob_rate
A relatively unknown ICMP message, sent in response to incorrect packets with broken IP or TCP headers. With this file you can control the rate at which it is sent.

/proc/sys/net/ipv4/icmp_timeexceed_rate
This is the famous cause of the 'Solaris middle star' in traceroutes (Translator's note: the "*" shown in traceroute output when no reply arrives). It limits the rate at which ICMP Time Exceeded messages are sent.

/proc/sys/net/ipv4/igmp_max_memberships
Maximum number of listening igmp (multicast) sockets on the host. FIXME: Is this true?

/proc/sys/net/ipv4/inet_peer_gc_maxtime
FIXME: Add a little explanation about the inet peer storage? Maximum interval between garbage collection passes. This interval is in effect under low (or absent) memory pressure on the pool. Measured in jiffies.

/proc/sys/net/ipv4/inet_peer_gc_mintime
Minimum interval between garbage collection passes. This interval is in effect under high memory pressure on the pool. Measured in jiffies.

/proc/sys/net/ipv4/inet_peer_maxttl
Maximum time-to-live of entries. Unused entries expire after this period of time if there is no memory pressure on the pool (i.e. when the number of entries in the pool is very small). Measured in jiffies.

/proc/sys/net/ipv4/inet_peer_minttl
Minimum time-to-live of entries. Should be enough to cover the fragment time-to-live on the reassembling side. This minimum time-to-live is guaranteed if the pool size is less than inet_peer_threshold. Measured in jiffies.

/proc/sys/net/ipv4/inet_peer_threshold
The approximate size of the INET peer storage. Starting from this threshold, entries are discarded aggressively. This threshold also determines the entries' time-to-live and the interval between garbage collection passes: more entries means a shorter time-to-live and a shorter GC interval.

/proc/sys/net/ipv4/ip_autoconfig
This file contains 1 if the host received its IP configuration by RARP, BOOTP, DHCP or a similar mechanism; otherwise it is 0.

/proc/sys/net/ipv4/ip_default_ttl
Time To Live of packets. Set to a safe 64. Raise it if you have a huge network, but don't do so for fun: routing loops cause much more damage that way. You might even consider lowering it in some circumstances.

/proc/sys/net/ipv4/ip_dynaddr
You need to set this if you use dial-on-demand (Translator's note: a link that is brought up only when there is traffic) with a dynamic interface address. Once your demand interface comes up, any local TCP sockets which haven't seen replies are rebound to the right address. This solves the problem that the connection which brings up the interface does not itself work, while the second try does.

/proc/sys/net/ipv4/ip_forward
Whether the kernel should attempt to forward packets. Off by default.

/proc/sys/net/ipv4/ip_local_port_range
Range of local ports for outgoing connections. Actually quite small by default: 1024 to 4999.

/proc/sys/net/ipv4/ip_no_pmtu_disc
Set this if you want to disable Path MTU discovery, a technique to determine the largest Maximum Transfer Unit possible on your path. See also the section on Path MTU discovery in the Cookbook chapter.

/proc/sys/net/ipv4/ipfrag_high_thresh
Maximum memory used to reassemble IP fragments. When ipfrag_high_thresh bytes of memory are allocated for this purpose, the fragment handler tosses packets until ipfrag_low_thresh is reached.

/proc/sys/net/ipv4/ip_nonlocal_bind
Set this if you want your applications to be able to bind to an address which doesn't belong to a device on your system. This can be useful when your machine is on a non-permanent (or even dynamic) link, so that your services are able to start up and bind to a specific address while your link is down.

/proc/sys/net/ipv4/ipfrag_low_thresh
Minimum memory used to reassemble IP fragments.

/proc/sys/net/ipv4/ipfrag_time
Time in seconds to keep an IP fragment in memory.

/proc/sys/net/ipv4/tcp_abort_on_overflow
A boolean flag controlling the behaviour under lots of incoming connections. When enabled, this causes the kernel to actively send RST packets when a service is overloaded.

/proc/sys/net/ipv4/tcp_fin_timeout
Time to hold a socket in state FIN-WAIT-2 if it was closed by our side. The peer can be broken and never close its side, or even die unexpectedly. The default value is 60 seconds. The usual value used in 2.2 was 180 seconds; you may restore it, but remember that even on a lightly loaded web server you risk running out of memory because of kilotons of dead sockets. FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1, because they eat at most 1.5K of memory, but they tend to live longer. Cf. tcp_max_orphans.

/proc/sys/net/ipv4/tcp_keepalive_time
How often TCP sends out keepalive messages when keepalive is enabled. Default: 2 hours.

/proc/sys/net/ipv4/tcp_keepalive_intvl
How frequently the probes are re-sent when a probe isn't acknowledged. Default: 75 seconds.

/proc/sys/net/ipv4/tcp_keepalive_probes
How many keepalive probes TCP sends out until it decides that the connection is broken. Default: 9. Multiplied by tcp_keepalive_intvl, this gives the time a link can be non-responsive after a keepalive has been sent.

/proc/sys/net/ipv4/tcp_max_orphans
Maximum number of TCP sockets not attached to any user file handle that the system will hold. If this number is exceeded, orphaned connections are reset immediately and a warning is printed. This limit exists only to prevent simple DoS attacks; you must not rely on it or lower the limit artificially, but rather increase it (probably after adding memory) if network conditions require more than the default, and tune your network services to linger and kill such states more aggressively. Let me remind you again: each orphan eats up to 64K of unswappable memory.

/proc/sys/net/ipv4/tcp_orphan_retries
¿ì¸®ÂÊ¿¡¼­ ´ÝÀº TCP ¿¬°áÀ» Á×À̱â Àü±îÁö ¸î ¹øÀ̳ª Àç½Ãµµ¸¦ ÇÒ °ÍÀΰ¡ÀÔ´Ï´Ù. ±âº»°ª 7Àº RTO¿¡ ¶§¶ó¼­ 50ÃÊ-16ºÐ¿¡ ´ëÀÀÇÏ°Ô µË´Ï´Ù. ±×·¯ÇÑ ¼ÒÄÏÀº »ó´çÇÑ ÀÚ¿øÀ» ¼Ò¸ðÇϹǷÎ, Àåºñ°¡ ºÎÇÏ°¡ ÀÖ´Â À¥ ¼­¹ö¶ó¸é ÀÌ °ªÀ» ³·Ãß´Â °É »ý°¢ÇØ ºÁ¾ß ÇÕ´Ï´Ù. Âü°í: tcp_max_orphans.

/proc/sys/net/ipv4/tcp_max_syn_backlog
¿¬°áÇؿ Ŭ¶óÀ̾ðÆ®ÀÇ ÀÀ´ä(acknowldege)À» ¾ÆÁ÷ ¹ÞÁö ¾ÊÀº ¿¬°á ¿äûµé Áß ±â¾ïÇØ µÑ °³¼öÀÇ ÃÖ´ë°ªÀÔ´Ï´Ù. ±âº»°ªÀº 128Mb¸¦ ³Ñ´Â ¸Þ¸ð¸®¸¦ °¡Áø ½Ã½ºÅÛ¿¡¼­´Â 1024ÀÌ°í, ±×º¸´Ù ÀÛÀº ¸Þ¸ð¸®ÀÇ Àåºñ¿¡¼­´Â 128ÀÔ´Ï´Ù. ¼­¹ö°¡ °úºÎÇϸ¦ °Þ°í ÀÖ´Ù¸é ÀÌ ¼ýÀÚ¸¦ ´Ã¿©º¸½Ê½Ã¿À. ÁÖÀÇ»çÇ×! 1024º¸´Ù Å©°Ô ÇÏ·Á´Â °æ¿ì´Â include/net/tcp.h¿¡¼­ TCP_SYNQ_HSIZE¸¦ TCP_SYNQ_HSIZE*16<=tcp_max_syn_backlog °ü°è°¡ À¯ÁöµÇµµ·Ï ¹Ù²ãÁÖ°í¼­ Ä¿³ÎÀ» ´Ù½Ã ÄÄÆÄÀÏ ÇÏ´Â °ÍÀÌ ÁÁ½À´Ï´Ù.

/proc/sys/net/ipv4/tcp_max_tw_buckets
½Ã½ºÅÛÀÌ µ¿½Ã¿¡ °¡Áö°í ÀÖÀº timewait ¼ÒÄÏÀÇ ÃÖ´ë °³¼öÀÔ´Ï´Ù. ÀÌ °ªÀ» ÃÊ°úÇϸé time-wait ¼ÒÄÏÀ» Áï½Ã Æı«ÇÏ°í °æ°í¸¦ Ãâ·ÂÇÕ´Ï´Ù. ÀÌ Á¦ÇÑÀº ´Ü¼øÇÑ DoS °ø°ÝÀ» ¸·±â À§Çؼ­ Á¸ÀçÇÒ »ÓÀ̸ç, Á¦ÇÑ°ªÀ» ¾ïÁö·Î ³·Ãç¼± ¾ÈµË´Ï´Ù. ³×Æ®¿öÅ© »óȲÀÌ ±âº»°ª ÀÌ»óÀ» ÇÊ¿ä·Î ÇÑ´Ù¸é µµ¸®¾î (¾Æ¸¶µµ ¸Þ¸ð¸® ¼³Ä¡¸¦ ´ÃÀÎ ´ÙÀ½¿¡) ÀÌ °ªÀ» ³ô¿©ÁÖ¾î¾ß ÇÕ´Ï´Ù.

/proc/sys/net/ipv4/tcp_retrans_collapse
¸î¸î ±¸¸° ÇÁ¸°ÅÍ¿ÍÀÇ È£È¯¼ºÀ» À§ÇÑ ¹ö±×¿¡ ´ëÇÑ ¹ö±×ÀÔ´Ï´Ù. ÀçÀü¼Û½Ã¿¡ ´õ Å« ÆÐŶÀ» º¸³»·Á°í ÇÔÀ¸·Î½á ƯÁ¤ TCP ½ºÅÃÀÇ ¹ö±×¸¦ ÇÇÇØ°©´Ï´Ù.

/proc/sys/net/ipv4/tcp_retries1
¹º°¡ ¹®Á¦°¡ ÀÖÀ¸¸ç À̸¦ ³×Æ®¿öÅ© °èÃþ¿¡ º¸°íÇØ¾ß ÇÑ´Ù´Â ÆÇ´ÜÀ» ³»¸®±â Àü±îÁö ¸î ¹øÀ̳ª Àç½Ãµµ¸¦ ÇÒ °ÍÀΰ¡ÀÔ´Ï´Ù. ÃÖ¼ÒÀÇ RFC°ªÀº 3À̸ç, ±âº»°ªÀ̱⵵ ÇÕ´Ï´Ù. ÀÌ´Â RTO¿¡ µû¶ó¼­ 3ÃÊ-8ºÐ¿¡ ´ëÀÀÇÕ´Ï´Ù.

/proc/sys/net/ipv4/tcp_retries2
»ì¾ÆÀÖ´Â TCP ¿¬°áÀ» Á×À̱â Àü±îÁö ¸î ¹øÀ̳ª Àç½Ãµµ¸¦ ÇÒ °ÍÀΰ¡ÀÔ´Ï´Ù. [http]RFC 1122¿¡¼­´Â Á¦ÇÑ°ªÀÌ 100Ãʺ¸´Ù ±æ¾î¾ß ÇÑ´Ù°í ¾ê±âÇÏ°í ÀÖ½À´Ï´Ù. ±×°Ç ³Ê¹« ÀÛÀº °ªÀÔ´Ï´Ù. ±âº»°ª 15´Â RTO¿¡ µû¶ó¼­ 13-30ºÐ¿¡ ´ëÀÀÇÕ´Ï´Ù.

/proc/sys/net/ipv4/tcp_rfc1337
ÀÌ ºÒ¸®¾ð°ªÀº RFC 1337¿¡¼­ ¼³¸íÇÑ 'tcp¿¡¼­ÀÇ time-wait ¾Ï»ì À§Çè'¿¡ ´ëÇÑ ¼öÁ¤ »çÇ×À» È°¼ºÈ­ÇÕ´Ï´Ù. È°¼ºÈ­Çϸé Ä¿³ÎÀº time-wait »óÅÂÀÎ ¼ÒÄÏ¿¡ ´ëÇØ RST ÆÐŶÀ» ¹«½ÃÇÕ´Ï´Ù. ±âº»°ª: 0

/proc/sys/net/ipv4/tcp_sack
Selective ACK¸¦ »ç¿ëÇÕ´Ï´Ù. À̴ ƯÁ¤ ÆÐŶÀÌ ºüÁ³´Ù´Â °É ¾Ë·ÁÁÖµµ·Ï ÇÏ¸ç ºü¸¥ º¹±¸¸¦ µµ¿ÍÁÝ´Ï´Ù.

/proc/sys/net/ipv4/tcp_stdurg
TCP urg Æ÷ÀÎÅÍ Çʵ忡 ´ëÇÑ È£½ºÆ® ¿ä±¸»çÇ׿¡ µû¸¥ Çؼ®À» Àû¿ëÇÕ´Ï´Ù. ´ëºÎºÐÀÇ È£½ºÆ®´Â ÀÌÀüÀÇ BSD½Ä Çؼ®À» Àû¿ëÇϱ⿡, ÀÌ°É ÄÑÁÖ¸é ¸®´ª½º°¡ ±× È£½ºÆ®µé°ú Á¦´ë·Î Åë½ÅÇÏÁö ¸øÇÒ ¼öµµ ÀÖ½À´Ï´Ù. ±âº»°ª: FALSE

/proc/sys/net/ipv4/tcp_syn_retries
»õ ¿¬°áÀ» Æ÷±âÇÒ ¶§±îÁö Ä¿³ÎÀÌ SYN ÆÐŶÀ» º¸³» º¸´Â Ƚ¼öÀÔ´Ï´Ù.

/proc/sys/net/ipv4/tcp_synack_retries
¿¬°áÀÇ ¹Ý´ëÆíÀ» ¿­¾îÁÖ±â À§ÇØ Ä¿³ÎÀº ¾Õ¼­ ¹ÞÀº SYN¿¡ ÀÀ´äÇÏ´Â ACK¸¦ ¾ñ¾î¼­ SYN¸¦ º¸³À´Ï´Ù. ÀÌ°Ô »ï´Ü°è ÇÚµå¼ÎÀÌÅ·ÀÇ 2ºÎÀÔ´Ï´Ù. ÀÌ ¼³Á¤Àº ¿¬°áÀ» Æ÷±âÇÒ ¶§±îÁö Ä¿³ÎÀÌ SYN+ACK ÆÐŶÀ» º¸³» º¸´Â Ƚ¼öÀÔ´Ï´Ù.

/proc/sys/net/ipv4/tcp_timestamps
timestamp´Â ¿©·¯ °¡Áö ¸ñÀûÀÌ ÀÖÁö¸¸, ÀÏ·Ã ¹øÈ£¸¦ µÇµ¹¸®´Â °Í(wrapping)¿¡ ´ëÇÑ º¸È£¸¦ À§ÇØ ¾²ÀÔ´Ï´Ù. 1 ±â°¡ºñÆ® ¿¬°á¿¡¼­´Â ÀÌÀü »ý¼º¿­ÀÇ °ÍÀÌ¶ó¼­ Áø·Î¸¦ ¹þ¾î³­ °ªÀ» °¡Áø ÀÌÀüÀÇ ÀÏ·Ã ¹øÈ£¸¦ ´Ù½Ã ¸¶ÁÖÄ¥ ¼ö ÀÖ½À´Ï´Ù. timestamp´Â À̸¦ '¿À·¡µÈ ÆÐŶ'À̶ó°í ¾Ë ¼ö ÀÖ°Ô ÇØÁÝ´Ï´Ù.

/proc/sys/net/ipv4/tcp_tw_recycle
TIME-WAIT ¼ÒÄÏÀÇ ºü¸¥ Àç»ç¿ëÀ» È°¼ºÈ­ÇÕ´Ï´Ù. ±âº»°ªÀº 1ÀÔ´Ï´Ù. ±â¼ú Àü¹®°¡ÀÇ Á¶¾ð/¿äû ¾øÀÌ °ªÀ» ¹Ù²ã¼± ¾ÈµË´Ï´Ù.

/proc/sys/net/ipv4/tcp_window_scaling
TCP/IP´Â º¸Åë 65535 ¹ÙÀÌÆ®±îÁö À©µµ¿ì°¡ Ä¿Áú ¼ö ÀÖµµ·Ï ÇØÁÝ´Ï´Ù. Á¤¸» ºü¸¥ ¸Á¿¡¼­´Â ÀÌ°Ô ÃæºÐÄ¡ ¾ÊÀ» ¼ö ÀÖ½À´Ï´Ù. À©µµ¿ì ½ºÄÉÀϸµ ¿É¼ÇÀº °ÅÀÇ ±â°¡¹ÙÀÌÆ®ÀÇ À©µµ¿ì¸¦ Çã¿ëÇϴµ¥, ÀÌ´Â ³ôÀº ´ë¿ªÆø°ú Áö¿¬ ½Ã°£À» °¡Áø Á¦Ç°¿¡ ÁÁ½À´Ï´Ù.

13.2.2. Per-device settings

DEV stands for a real interface, or for 'all' or 'default'. 'default' also changes the settings for interfaces that are yet to be created.

/proc/sys/net/ipv4/conf/DEV/accept_redirects
If a router decides that you are using it wrongly (that is, that it has to resend your packet on the same interface it arrived on), it sends you an ICMP Redirect. This is a subtle security risk, however, so you may want to turn it off and use secure redirects instead.

/proc/sys/net/ipv4/conf/DEV/accept_source_route
Not used much any more. You used to be able to give a packet a list of IP addresses it should visit on its way. A Linux machine can be made to honour this IP option.

/proc/sys/net/ipv4/conf/DEV/bootp_relay
Accept packets with a source address of 0.b.c.d and a destination that is not this host as if they were addressed to us. A BOOTP relay daemon is expected to catch and forward such packets.

/proc/sys/net/ipv4/conf/DEV/forwarding
Enables or disables IP forwarding on this interface.

/proc/sys/net/ipv4/conf/DEV/log_martians
See the section on reverse path filtering.

/proc/sys/net/ipv4/conf/DEV/mc_forwarding
Whether multicast forwarding is done on this interface.

/proc/sys/net/ipv4/conf/DEV/proxy_arp
If you set this to 1, this interface responds to ARP requests for addresses the kernel has routes to. This can be very useful when building 'ip pseudo bridges'. Make sure your netmasks are correct before enabling it! Also be aware that arp_filter, mentioned elsewhere, affects ARP queries as well!

/proc/sys/net/ipv4/conf/DEV/rp_filter
See the section on reverse path filtering.

/proc/sys/net/ipv4/conf/DEV/secure_redirects
Accept ICMP redirect messages only for gateways listed in the default gateway list. Enabled by default.

/proc/sys/net/ipv4/conf/DEV/send_redirects
Whether we send the redirect messages mentioned above.

/proc/sys/net/ipv4/conf/DEV/shared_media
If this is not set, the kernel does not assume that different subnets on this device can communicate directly. The default setting is 'yes'.

/proc/sys/net/ipv4/conf/DEV/tag
FIXME: fill this in.
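The following is an added example, not part of the HOWTO or of this translation: a POSIX sh audit of the per-device settings just listed, together with ip_forward and tcp_rfc1337 from the general settings above, against a hardened baseline. The baseline values, the choice to treat the machine as a non-routing host, and the constructed all/eth0 demo tree are assumptions of this example.

```shell
#!/bin/sh
# Audit the IPv4 sysctls described above against a hardened baseline for a
# host that does not route. ROOT defaults to /proc/sys; point it at a
# constructed tree (see make_demo_tree) to run the check offline. Baseline
# values are this example's assumption, following the text: no ICMP
# redirects or source routing, rp_filter + martian logging, RFC 1337 fix on.
HOST_BASELINE="ip_forward=0 tcp_rfc1337=1"
DEV_BASELINE="accept_redirects=0 secure_redirects=1 accept_source_route=0 rp_filter=1 log_martians=1"

read_sysctl() {
    # Print the value stored in one sysctl file, or "missing" if absent.
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else printf 'missing'; fi
}

audit_sysctls() {
    # $1 = /proc/sys-like root, $2 = subdirectory, $3 = "key=want ..." list.
    # Prints one line per deviation; exit status is the number of deviations.
    findings=0
    for spec in $3; do
        key=${spec%%=*}; want=${spec#*=}
        have=$(read_sysctl "$1/$2/$key")
        if [ "$have" != "$want" ]; then
            printf '%s/%s = %s (want %s)\n' "$2" "$key" "$have" "$want"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

audit_ipv4() {
    # Check net/ipv4, then every conf/DEV: real interfaces plus 'all' and
    # 'default' (which shapes interfaces created later).
    root="${1:-/proc/sys}"
    total=0
    audit_sysctls "$root" net/ipv4 "$HOST_BASELINE" || total=$((total + $?))
    for dir in "$root"/net/ipv4/conf/*/; do
        [ -d "$dir" ] || continue
        audit_sysctls "$root" "net/ipv4/conf/$(basename "$dir")" "$DEV_BASELINE" || total=$((total + $?))
    done
    return "$total"
}

write_specs() {
    # Demo-tree helper: create directory $1 and one file per "key=value" in $2.
    mkdir -p "$1"
    for spec in $2; do printf '%s\n' "${spec#*=}" > "$1/${spec%%=*}"; done
}

make_demo_tree() {
    # Constructed /proc/sys look-alike: hardened everywhere except that
    # 'eth0' still accepts ICMP redirects and does not log martians.
    write_specs "$1/net/ipv4" "$HOST_BASELINE"
    for dev in all eth0; do write_specs "$1/net/ipv4/conf/$dev" "$DEV_BASELINE"; done
    printf '1\n' > "$1/net/ipv4/conf/eth0/accept_redirects"
    printf '0\n' > "$1/net/ipv4/conf/eth0/log_martians"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
audit_ipv4 "$demo" || echo "$? deviation(s) found"   # reports the two eth0 deviations
rm -rf "$demo"
```

Run `audit_ipv4` with no argument to check the live /proc/sys tree; the exit status is the number of deviations, so it can gate a configuration check.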

13.2.3. Neighbor policy

DEV stands for a real interface, or for 'all' or 'default'. 'default' also changes the settings for interfaces that are yet to be created.

/proc/sys/net/ipv4/neigh/DEV/anycast_delay
The maximum random delay, in jiffies (1/100 second), applied to answers to neighbor solicitation messages. Not yet implemented (Linux does not support anycast yet).

/proc/sys/net/ipv4/neigh/DEV/app_solicit
Determines the number of requests sent to the user-level ARP daemon. Use 0 to turn it off.

/proc/sys/net/ipv4/neigh/DEV/base_reachable_time
The base value used to compute the random reachable time, as specified in RFC2461.

/proc/sys/net/ipv4/neigh/DEV/delay_first_probe_time
The delay before the first probe when the neighbor is reachable. (See gc_stale_time.)

/proc/sys/net/ipv4/neigh/DEV/gc_stale_time
Determines how often stale ARP entries are checked for. Once an ARP entry becomes stale it is resolved again (which is useful when an IP address has moved to another machine). If ucast_solicit is greater than 0, it first tries to send an ARP packet directly to the known host. If that fails and mcast_solicit is greater than 0, an ARP request is broadcast.

/proc/sys/net/ipv4/neigh/DEV/locktime
An ARP/neighbor entry is only replaced with a new one if the old entry is at least locktime old. This prevents ARP cache thrashing.

/proc/sys/net/ipv4/neigh/DEV/mcast_solicit
The maximum number of attempts for multicast solicitation.

/proc/sys/net/ipv4/neigh/DEV/proxy_delay
The maximum time before answering an ARP request for which we hold a proxy ARP entry (the actual time is random in 0..proxy_delay). In some cases this is used to prevent network flooding.

/proc/sys/net/ipv4/neigh/DEV/proxy_qlen
The maximum queue length of the delayed proxy ARP timer. (See proxy_delay.)

/proc/sys/net/ipv4/neigh/DEV/retrans_time
The time, in jiffies (1/100 second), between retransmitted Neighbor Solicitation messages. Used for address resolution and to determine whether a neighbor is unreachable.

/proc/sys/net/ipv4/neigh/DEV/ucast_solicit
The maximum number of attempts for unicast solicitation.

/proc/sys/net/ipv4/neigh/DEV/unres_qlen
The maximum queue length for pending ARP requests, that is, the number of packets accepted from other layers while the ARP address is still being resolved.

13.2.4. Routing settings

/proc/sys/net/ipv4/route/error_burst and /proc/sys/net/ipv4/route/error_cost
These parameters limit the warning messages the routing code writes to the kernel log. The higher the error_cost factor, the fewer messages are written. error_burst controls when messages are dropped. The defaults limit warning messages to one every five seconds.

/proc/sys/net/ipv4/route/flush
Writing to this file flushes the routing cache.

/proc/sys/net/ipv4/route/gc_elasticity
Values that control the frequency and behaviour of the garbage collection algorithm for the routing cache. This can matter when doing fail-over: at least gc_timeout seconds elapse before Linux moves to a new route because the previous one has died. The default is 300, and you may lower it for speedier fail-over. See also this post by Ard van Breemen.

/proc/sys/net/ipv4/route/gc_interval
See /proc/sys/net/ipv4/route/gc_elasticity.

/proc/sys/net/ipv4/route/gc_min_interval
See /proc/sys/net/ipv4/route/gc_elasticity.

/proc/sys/net/ipv4/route/gc_thresh
See /proc/sys/net/ipv4/route/gc_elasticity.

/proc/sys/net/ipv4/route/gc_timeout
See /proc/sys/net/ipv4/route/gc_elasticity.

/proc/sys/net/ipv4/route/max_delay
The maximum delay for flushing the routing cache.

/proc/sys/net/ipv4/route/max_size
The maximum size of the routing cache. Once the cache reaches this size, old entries are purged.

/proc/sys/net/ipv4/route/min_adv_mss
FIXME: fill this in.

/proc/sys/net/ipv4/route/min_delay
The minimum delay for flushing the routing cache.

/proc/sys/net/ipv4/route/min_pmtu
FIXME: fill this in.

/proc/sys/net/ipv4/route/mtu_expires
FIXME: fill this in.

/proc/sys/net/ipv4/route/redirect_load
Factors that determine whether more ICMP redirect messages should be sent to a specific host. Once the load limit (redirect_load) or the maximum number of redirects (redirect_number) has been reached, no more redirects are sent.

/proc/sys/net/ipv4/route/redirect_number
See /proc/sys/net/ipv4/route/redirect_load.

/proc/sys/net/ipv4/route/redirect_silence
The timeout for redirects. After this period, redirects are sent again even if they had been stopped because the load or number limit was reached.

14. Specialized and less commonly used queueing disciplines

Besides the queues mentioned earlier, the Linux kernel contains the special queues described in this chapter.

14.1. bfifo/pfifo

bfifo and pfifo are classless queueing disciplines that are even simpler than pfifo_fast, which has internal bands. That is, all traffic is treated equally. They have one important benefit: they keep statistics. So even without shaping or prioritizing, you can use them to determine the backlog (the packets or data piled up) on your interface.

pfifo measures its length in packets, bfifo in bytes.

14.1.1. Parameters & usage

limit

Specifies the length of the queue, measured in bytes for bfifo and in packets for pfifo. The default is the interface's txqueuelen packets (see the pfifo_fast chapter), or txqueuelen*mtu bytes for bfifo.

14.2. Clark-Shenker-Zhang algorithm (CSZ)


14.3. DSMARK


14.3.1. Introduction


14.3.2. What is DSMARK related to?


14.3.3. Differentiated Services guidelines


14.3.4. Working with DSMARK


14.3.5. How SCH_DSMARK works


14.3.6. TC_INDEX Filter


14.4. Ingress qdisc


14.4.1. Parameters & usage


14.5. Random Early Detection (RED)


14.6. Generic Random Early Detection

Not much is known about GRED. GRED has internal queues based on the Diffserv tcindex. According to the related slides here (link broken), it incorporates the capabilities of Cisco's 'Distributed Weighted RED', as well as Dave Clark's RIO. Drop parameters can be set per virtual queue.

FIXME: need more information from Jamal or Werner.

(softgear: more information on GRED is available at http://www.opalsoft.net/qos/DS.htm)

14.7. VC/ATM emulation


14.8. Weighted Round Robin (WRR)

This qdisc is not included in the standard Linux kernel, but it can be downloaded from here (link broken). Currently it is being tested on 2.2 kernels, and it will probably work on 2.4 and 2.5 kernels as well. The WRR qdisc distributes bandwidth between its classes using a weighted round-robin scheme (serving each class in turn). Like CBQ, it contains classes into which other qdiscs can be plugged. Every class gets bandwidth according to its own weight. The weights can be set directly with the tc program; however, for classes transferring excessive amounts of data the weights can be decreased automatically.

The qdisc has a built-in classifier which assigns incoming or outgoing packets from different machines to different classes. Either the MAC or the IP address, and either the source or the destination address, can be used. MAC addresses can only be used when the Linux box is acting as an ethernet bridge, however. Classes are assigned automatically according to the machine addresses seen in the packets. This qdisc can be very useful at sites where many people share an Internet connection. The WRR distribution includes scripts that work in such places.

15. Cookbook


15.1. Running multiple sites with different SLAs


15.2. Protecting your host from SYN floods


15.3. Rate limit ICMP to prevent dDoS


15.4. Prioritizing interactive traffic


15.5. Transparent web-caching using netfilter, iproute2, ipchains and squid


15.5.1. Traffic flow diagram after implementation


15.6. Circumventing Path MTU Discovery issues with per route MTU settings


15.6.1. Solution


15.7. Circumventing Path MTU Discovery issues with MSS Clamping (for ADSL, cable, PPPoE & PPtP users)


15.8. The Ultimate Traffic Conditioner: Low Latency, Fast Up & Downloads


15.8.1. Why it doesn't work well by default


15.8.2. The actual script (CBQ)


15.8.3. The actual script (HTB)


15.9. Rate limiting a single host or netmask


15.10. Example of a full nat solution with QoS


15.10.1. Let's begin optimizing that scarce bandwidth


15.10.2. Classifying packets


15.10.3. Improving our setup


15.10.4. Making all of the above start at boot


16. Building bridges, and pseudo-bridges with Proxy ARP


16.1. State of bridging and iptables


16.2. Bridging and shaping


16.3. Pseudo-bridges with Proxy-ARP


16.3.1. ARP & Proxy-ARP


16.3.2. Implementing it


17. Dynamic routing - OSPF and BGP


17.1. Setting up OSPF with Zebra


17.1.1. Prerequisites


17.1.2. Configuring Zebra


17.1.3. Running Zebra


17.2. Setting up BGP4 with Zebra


17.2.1. Network Map (Example)


17.2.2. Configuration (Example)


17.2.3. Checking Configuration


18. Other possibilities


19. Further reading


20. Acknowledgements



DeleteMe A long time ago I was translating lartc. It was a personal effort that I started without telling the kldp side in advance, and since I set no due date it got stopped. I don't know which revision it is now, but keep in mind that it was translated from the document of about a year ago. It is at the address below.

The reason I stopped the translation.. the biggest point is probably that carrying the flavour of the original over into Korean was beyond my ability. -- ai
Hmm.. it would have been better if you had finished it.. still, even a partial one is better than none, for the sake of those who come after.. ^^ -- 너바나

I dared to join in without permission.. it is a document I had wanted to translate(?) anyway.. it is fairly long and keeps getting updated, so I'll chip in here and there.. And I linked to the LARTC homepage.. ^^;;; -- scipione

That's fine.. ai started it first, and I am still short of time for translating, so I planned to go slowly; if you feel progress is stalling, please keep joining in.. ^^ -- 너바나, at home.. as Anonymous..

I am personally very interested in QoS and ended up here while reading this document. Wow.. hard work... it is a huge amount of material.. I'll study docbook on my own and try to interpret it, though whether it will be of any help is uncertain... -_-;; Well, thank you for your efforts.. -- SkullQ

last modified 2006-09-15 00:31:31