Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OpenBSD/OpenIKED でリモートアクセス VPN

Ff1cf99c7a71928f886c3b6c7c95b1da?s=47 Masakazu Asama
February 29, 2020
Technology
0
320

OpenBSD/OpenIKED でリモートアクセス VPN

Ff1cf99c7a71928f886c3b6c7c95b1da?s=128

Masakazu Asama

February 29, 2020
Tweet

More Decks by Masakazu Asama

See All by Masakazu Asama
UPFの下周り性能ネタ(gtp5g他)
Ff1cf99c7a71928f886c3b6c7c95b1da?s=48 masakazu
0
290
draft-iab-covid19-workshop を読む
Ff1cf99c7a71928f886c3b6c7c95b1da?s=48 masakazu
0
66
EPC/5GC 入門(5GC 編)
Ff1cf99c7a71928f886c3b6c7c95b1da?s=48 masakazu
0
510
EPC/5GC入門
Ff1cf99c7a71928f886c3b6c7c95b1da?s=48 masakazu
2
900
WebRTC について調べてみた
Ff1cf99c7a71928f886c3b6c7c95b1da?s=48 masakazu
1
280
CoqSSRMathComp.pdf
Ff1cf99c7a71928f886c3b6c7c95b1da?s=48 masakazu
0
97
P4のはなし
Ff1cf99c7a71928f886c3b6c7c95b1da?s=48 masakazu
4
1.3k

Other Decks in Technology

See All in Technology
[SRE NEXT 2022]KaaS桶狭間の戦い 〜Yahoo! JAPANのSLI/SLOを用いた統合監視〜
667ad57b416187cb22589158805603b4?s=48 srenext
0
310
モダンデータスタックとかの話(データエンジニアのお仕事とは)
95be3c1812a3ae53c2d81cc7ea2eeb3d?s=48 foursue
0
420
一人から始めるプロダクトSRE / How to start SRE in a product team, all by yourself
12a5cec7a54018170b1a009731acf477?s=48 vtryo
4
2.7k
Who owns the Service Level?
93c80c388fe9d8f9df7d030549a0ff0b?s=48 chaspy
5
1.1k
Spotify物理コントローラーがほしい
1dceaa2dcea41c16004f430c1723b20e?s=48 miso
0
170
キャッチアップ Android 13 / Catch up Android 13
D2bcabeeb1ddff142fb8988b412cb4d3?s=48 yanzm
2
1.2k
LINEのData Platform室が実践する大規模分散環境のCapacity Planning
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
0
520
暗号資産ウォレット入門(MetaMaskの入門~NFTの購入~詐欺の注意事項など)
37f853c24b8c02fed3bc1b4dee46bf3e?s=48 kayato
2
200
プルリク作ったらデプロイされる仕組み on ECS / SRE NEXT 2022
2537ce662eb08182e617ec7944981437?s=48 carta_engineering
1
320
エンタープライズにおけるSRE立ち上げとNew Relic選定に至った背景とは / SRE Startup and New Relic in the Enterprise
Aa0d25b0254ef311ed8177b5275577f4?s=48 tomoyakitaura
2
160
SRE の歩き方・進め方 / sre-walk-through-procedure
28e154e6e0351c70091997d2f574295a?s=48 rrreeeyyy
0
290
Puny to Powerful PostgreSQL Rails Apps
65e84915478a95a22dd40da712f304df?s=48 andyatkinson
PRO
0
340

Featured

See All Featured
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
12
890
Designing the Hi-DPI Web
C157b16234f1e75e8eac3698c1d4414a?s=48 ddemaree
272
32k
Statistics for Hackers
56c4053438af8e8b90d6f53cbb7573be?s=48 jakevdp
781
210k
What’s in a name? Adding method to the madness
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
11
1.5k
Optimizing for Happiness
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
365
63k
GraphQLとの向き合い方2022年版
893f54413c2bd9ba41d11d753aacaf2c?s=48 quramy
16
8.1k
The Invisible Customer
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
110
11k
The Power of CSS Pseudo Elements
5b6a2bd86ef643786a381a212e0ef2f1?s=48 geoffreycrofte
46
3.9k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
100
5.9k
The Art of Programming - Codeland 2020
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
32
5.8k
GitHub's CSS Performance
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1020
410k
In The Pink: A Labor of Love
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
130
21k

Transcript

  1. 0QFO#4%0QFO*,&%Ͱ ϦϞʔτΞΫηε71/ ઙؒਖ਼࿨ &#6(!εϊʔϐʔΫ)FBERVBSUFSTΩϟϯϓϑΟʔϧυ 1

  2. ߏ੒ Ұൠతͳϒϩʔυόϯυϧʔλ  Ұൠతͳ0QFO#4%αʔό SBTNZEPNBJO  71/ΫϥΠΞϯτʹ ׂΓ౰ͯΔ*1WΞυϨεଳ  6%1ͱ6%1Λ

    ʹ/"5 Ұൠతͳ*,&Wઃఆ ઀ଓઌ͸%%/4౳Λ૝ఆ 2 Πϥετ $ ͍Β͢ͱ΍

  3. ϒϩʔυόϯυϧʔλͷઃఆ 3

  4. Լ४උ  w *1Wύέοτసૹͷ༗ޮԽ w QGͷઃఆ w JLFEͷىಈઃఆ ras# cp

    /etc/examples/sysctl.conf /etc/ ras# vi /etc/sysctl.conf net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets ras# vi /etc/rc.conf.local iked_flags="" ras# vi /etc/pf.conf pass in log on smsc0 proto udp from any to 192.168.11.254 port {isakmp, ipsec-nat-t} pass in log on enc0 4

  5. Լ४උ  w ϓϩΩγ"31ͷઃఆ ras# ifconfig smsc0 smsc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu

    1500 lladdr b8:27:eb:b7:4a:f4 index 3 priority 0 llprio 3 groups: egress media: Ethernet autoselect (100baseTX full-duplex) status: active inet 192.168.11.254 netmask 0xffffff00 broadcast 192.168.11.255 ras# arp -s 192.168.11.240 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.241 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.242 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.243 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.244 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.245 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.246 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.247 b8:27:eb:b7:4a:f4 pub 5

  6. $"ͷઃఆ  ras# ikectl ca vpn create CA passphrase: Retype

    CA passphrase: Generating RSA private key, 2048 bit long modulus .........+++++ ................................................................................................ +++ e is 65537 (0x10001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- ... 6

  7. $"ͷઃఆ  ... ----- Country Name (2 letter code) [JP]:

    State or Province Name (full name) [Niigata]: Locality Name (eg, city) [Sanjo]: Organization Name (eg, company) [Ginzado]: Organizational Unit Name (eg, section) [BT]: Common Name (eg, fully qualified host name) [VPN CA]: Email Address [m-asama@ginzado.co.jp]: Signature ok subject=/C=JP/ST=Niigata/L=Sanjo/O=Ginzado/OU=BT/CN=VPN CA/emailAddress=m-asama@ginzado.co.jp Getting Private key Using configuration from /etc/ssl/vpn/ca-revoke-ssl.cnf ras# ikectl ca vpn install certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl 7

  8. αʔό伴ϖΞͷઃఆ  ras# ikectl ca vpn certificate ras.my.domain create Generating

    RSA private key, 2048 bit long modulus ..............................................................................+++++ ..................................+++++ e is 65537 (0x10001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [JP]: State or Province Name (full name) [Niigata]: Locality Name (eg, city) [Sanjo]: Organization Name (eg, company) [Ginzado]: Organizational Unit Name (eg, section) [BT]: ... 8

  9. αʔό伴ϖΞͷઃఆ  ... Common Name (eg, fully qualified host name)

    [ras.my.domain]: Email Address [m-asama@ginzado.co.jp]: Using configuration from /etc/ssl/vpn/ras.my.domain-ssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'JP' stateOrProvinceName :ASN.1 12:'Niigata' localityName :ASN.1 12:'Sanjo' organizationName :ASN.1 12:'Ginzado' organizationalUnitName:ASN.1 12:'BT' commonName :ASN.1 12:'ras.my.domain' emailAddress :IA5STRING:'m-asama@ginzado.co.jp' Certificate is to be certified until Feb 5 04:51:16 2021 GMT (365 days) Write out database with 1 new entries Data Base Updated ras# ikectl ca vpn certificate ras.my.domain install writing RSA key 9

  10. 0QFO*,&%ͷઃఆ ras# touch /etc/iked.conf ras# chmod 600 /etc/iked.conf ras# vi

    /etc/iked.conf user "m-asama" "password" ikev2 passive esp \ from 0.0.0.0/0 to 0.0.0.0/0 \ local 192.168.11.254 peer any \ srcid ras.my.domain \ eap "mschap-v2" \ config address 192.168.11.240/29 \ config netmask 255.255.255.0 \ config name-server 192.168.11.1 10

  11. ୺຤ଆઃఆ J1BE04ͷྫ  11

  12. ୺຤ଆઃఆ J1BE04ͷྫ  12

  13. ୺຤ଆઃఆ J1BE04ͷྫ  13

  14. ୺຤ଆઃఆ J1BE04ͷྫ  14

  15. ୺຤ଆઃఆ J1BE04ͷྫ  15

  16. ୺຤ଆઃఆ J1BE04ͷྫ  16

  17. ୺຤ଆઃఆ J1BE04ͷྫ  17

  18. ୺຤ଆઃఆ J1BE04ͷྫ  18

  19. ୺຤ଆઃఆ J1BE04ͷྫ  19

  20. ୺຤ଆઃఆ J1BE04ͷྫ  20

  21. ୺຤ଆઃఆ J1BE04ͷྫ  21

  22. ୺຤ଆઃఆ J1BE04ͷྫ  22

  23. ҰମԿ͕ى͖͍ͯΔͷ͔ʁ 23

  24. *1 6%1 )%3 4"J ,&J /J *1 6%1 )%3 4"S

    ,&S /S $&353&2 *OJUJBUPS 3FTQPOEFS *,&@4"@*/*5SFRVFTU *,&@4"@*/*5SFTQPOTF *,&@"65)SFRVFTU *,&@"65)SFTQPOTF *1 6%1 &41 1BZMPBE &41QBDLFU &"1ͷ৔߹*,&@"65)ΛԿԟ෮͔͢Δ *1 6%1 )%3 *%J $1 54J 54S 4"J ҉߸จ ฏจ *,&WʹΑΔ伴ަ׵ ࣮τϥώοΫ *,&@"65)Λ อޢ͢ΔͨΊͷ ΍ΓͱΓ ࣮τϥώοΫΛ อޢ͢ΔͨΊͷ ΍ΓͱΓ 24 Πϥετ $ ͍Β͢ͱ΍ *1 6%1 )%3 *%S "65) &"1 $&35

  25. 4"4FDVSJUZ"TTPDJBUJPO w ཁ͢Δʹl઀ଓzΛදݱ͢ΔϞϊ w ҉߸ԽΞϧΰϦζϜ͸ԿͰ伴௕͸͍͔ͭ͘ w ׬શੑݕূΞϧΰϦζϜ͸ԿͰ伴௕͸͍͔ͭ͘ w ٖࣅཚ਺ੜ੒ΞϧΰϦζϜ͸ԿͰ伴௕͸͍͔ͭ͘ w

    %J⒏F)FMMNBOάϧʔϓ ˞ޙड़ ͸Կ͔ w ߦ͖ͱؼΓͰͦΕͧΕผͷ4"͕༻ҙ͞ΕΔ w *,&ͷ΍ΓͱΓͷͨΊͷ4" *,&4" ͱ&41ͷ΍ΓͱΓͷͨΊͷ 4" $IJME4" ͕ผʹͳ͍ͬͯΔ w લทͷ4"J͸*OJUJBUPS͕ఏҊ͢Δ*,&4"ͷΞϧΰϦζϜ܈Λද͠ 4"S͸3FTQPOEFS͕ఏҊ͢Δ*,&4"ͷΞϧΰϦζϜ܈Λද͢ 25

  26. ,&,FZ&YDIBOHF w l*OJUJBUPSͱ3FTQPOEFSͰڞ༗͢Δൿີͷ਺ࣈzΛੜ੒͢ΔͨΊͷ਺ࣈ w %J⒏F)FMMNBO伴ަ׵Ͱ༻͍Δ ˞ޙड़ 26

  27. /J/S/PODF w *OJUJBUPSͱ3FTQPOEFSͰͦΕͧΕੜ੒ͨ͠ϥϯμϜͳ਺ࣈ w ٖࣅཚ਺ੜ੒ͱ͔ೝূͷࡍʹ༻͍Δ 27

  28. %J⒏F)FMMNBO伴ަ׵ *OJUJBUPS 3FTQPOEFS 伴ަ׵ʹ༻͍Δ%J⒏F)FMMNBOάϧʔϓΛܾఆ͢Δ *,&@4"@*/*5ͷ4"J4"SͰܾ·Δ ྫ͑͹(SPVQ CJU.0%1 ͷ৔߹ Q?? ?

    \<?QJ> ^ H 㱡J㱡QͱͳΔ ཚ਺JΛੜ੒ 㱡S㱡QͱͳΔ ཚ਺SΛੜ੒ H?JNPEQΛ,&Jͱͯ͠ૹ৴ H?SNPEQΛ,&Sͱͯ͠ૹ৴ H?SNPEQ ?JNPEQ H? J S NPEQ ͕ڞ༗ൿີ伴 H?JNPEQ ?SNPEQ H? J S NPEQ ͕ڞ༗ൿີ伴 Q͕େ͖͍ͱQ H H?JNPEQ H?SNPEQͷ৘ใ͔Β H? J S NPEQΛܭࢉ͢Δͷ͸೉͍͠Β͍͠ ཭ࢄର਺໰୊  ଞʹ΋ପԁۂઢ҉߸Λ༻͍ͨ΋ͷͳͲ΋͋Δ 28 Πϥετ $ ͍Β͢ͱ΍

  29. *,&4"ͷ伴ͷੜ੒ ఆٛ QSG , 4 4ͱ,͔Βݻఆ௕ͷٖࣅཚ਺Λੜ੒͢Δؔ਺ QSG  , 4

    QSGΛ࢖ͬͯQSGͰੜ੒͞ΕΔٖࣅཚ਺ΑΓ େ͖͍ٖࣅཚ਺ ٖࣅཚ਺ͷ࿈ଓ Λੜ੒͢Δؔ਺ QSG JTEFpOFEBT QSG  , 4 5c5c5c5c XIFSF 5QSG , 4cY  5QSG , 5c4cY  5QSG , 5c4cY  5QSG , 5c4cY   3'$͔ΒҾ༻ લड़ͷ%J⒏F)FMMNBO伴ަ׵ͰH? J S Λܭࢉ͠4ͱ͠ /Jͱ/SΛ͚ͬͭͨ͘΋ͷΛ,ͱ͢Δ ˞ॳճͷ৔߹  ˣ ,ͱ4͔ΒQSG , 4 Λܭࢉ͠4,&:4&&%ͱ͢Δ ˣ /Jͱ/Sͱ41*Jͱ41*SΛ͚ͬͭͨ͘΋ͷΛ4ͱ͢Δ ˞41*͸)%3ʹॻ͔Εͨ*%ͷΑ͏ͳ΋ͷ  ˣ 4,&:4&&%ͱ4͔ΒQSG  4,&:4&&% 4 Λܭࢉ͠ ٖࣅཚ਺ͷ࿈ଓΛಘΔ ˣ ੜ੒͞Εٖͨࣅཚ਺ͷ࿈ଓΛઌ಄͔Β੾ΓऔΓ 4,@E $IJME4"ੜ੒༻ٖࣅཚ਺ੜ੒伴  4,@BJ 4,@BS *OJUJBUPS3FTQPOEFSͷ׬શੑݕূ伴  4,@FJ 4,@FS *OJUJBUPS3FTQPOEFSͷ҉߸伴  4,@QJ 4,@QS "65)༻ٖࣅཚ਺ੜ੒伴 ͱ͢Δ 29

  30. ೝূ &"1ͷ৔߹ w 3FTQPOEFS͔ΒΈͨ*OJUJBUPSͷೝূ w 111ͳͲͰ࢖ΘΕ͍ͯΔ.4$)"1WΛ༻͍Δ w ಉ͘͡.4$)"1WΛ༻͍Δ1151͸੬ऑੑ͕ݟ͔͍ͭͬͯΔ͕ *,&W͸*,&4"Ͱ௨৴͕อޢ͞Ε͍ͯΔͷͰେৎ෉Β͍͠ w

    3FTQPOEFS͕νϟϨϯδΛૹͬͯ*OJUJBUPS͕ਖ਼͍͠ϨεϙϯεΛฦͤ Ε͹ೝূ੒ޭ w *OJUJBUPS͔ΒΈͨ3FTQPOEFSͷೝূ w 3FTQPOEFS͸*,&@4"@*/*5ͳͲͷ಺༰Λൿີ伴Ͱॺ໊͠*OJUJBUPSʹ ૹΔ w *OJUJBUPS͸$"ͷެ։伴Ͱݕূ͢Δ͜ͱͰ3FTQPOEFSΛೝূ ଟ෼ 30

  31. $IJME4"ͷ伴ͷੜ੒ w *,&4"ͷ伴ͷੜ੒ͱಉ͡Α͏ͳײ͡Ͱ/Jͱ/SΛ͚ͬͭͨ͘΋ͷΛλω ʹ4,@EΛ伴ʹͯ͠QSG Λ࣮ߦٖ͠ࣅཚ਺ͷ࿈ଓΛੜ੒͠಄͔Β҉߸伴 ͱ׬શੑݕূ伴Λ੾ΓऔΔ w $IJME4"ͷ৘ใ͸1'@,&:ιέοτΛ࢖ͬͯΧʔωϧʹྲྀ͠ࠐ·ΕΔ 31

  32. 4"ͷߋ৽ w ΊΜͲ͍ͷͰলུ w $3&"5&@$)*-%@4"ͱ͍͏ϝοηʔδͰ w *,&4"ͷߋ৽ w ͦΜͳʹසൟʹ͸΍Βͳ͍ w

    ͜ͷ৔߹͸طଘͷ$IJME4"Λ৽͍͠*,&4"ʹඥ෇͚Δ w $IJME4"ͷߋ৽ w *,&4"ΑΓ͸සൟʹ΍Δ w Λߦ͏Μ͚ͩͲ͜Ε͕·ͨ௒ઈΊΜͲ͍ ओʹύέοτফࣦ΍ΤϥʔରԠ  w *OJUJBUPS3FTQPOEFSͷͲͪΒ΋$3&"5&@$)*-%@4"Λ։࢝͢Δ͜ͱ ͕Ͱ͖ͯͦΕ͕ಉ࣌ʹى͖ͨ࣌͸Ͳ͏͢Δ͔ͱ͔ߟ͑ͳ͍ͱ͚ͳ͍ 32

  33. 54J54S5SB⒏D4FMFDUPS w $IJME4"Ͱอޢ͢Δ w ΞυϨεൣғ w ϙʔτ൪߸ൣғ w Λࢦఆ͢ΔϞϊ w

    ࠓճͷྫͰ͸3FTQPOEFSͷઃఆ্͸54Jͱ54S͕ڞʹʹઃ ఆ͞Ε͍ͯΔ͕࣮ࡍʹ͸54JΛೝূͨ࣌͠఺Ͱ*OJUJBUPSʹׂΓ౰ͯͨΞ υϨεͷΈʹڱΊ͍ͯΔ 33 ras# ipsecctl -s flow flow esp in from 192.168.11.246 to 0.0.0.0/0 peer 203.0.113.85 \ srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type use flow esp out from 0.0.0.0/0 to 192.168.11.246 peer 203.0.113.85 srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type require flow esp out from ::/0 to ::/0 type deny

  34. $1$POpHVSBUJPO w %)$1ͷΑ͏ʹ૬ख͔ΒΞυϨεΛׂΓ౰ͯͯ΋ΒͬͨΓ%/4αʔόͷ ৘ใͳͲΛڭ͑ͯ΋ΒͬͨΓ͢ΔͨΊͷϞϊ w *,&Wͷࠒʹ͸ͳ͘*,&Wʹͳͬͯ࡞ΒΕͨ w *,&WͰ͸*1TFDͰ҉߸Խ͞Εͨܦ࿏Λ࡞্ͬͨʹ-51WͰτϯωϧ Λு͍ͬͯͨ w

    ΞυϨεׂΓ౰ͯͳͲ͸-51WͷػೳΛར༻͍ͯͨ͠ 34

  35. /"5τϥόʔαϧ w ࠓճ͸*,&΋&41΋6%1Λ࢖ͬͯ௨৴͞ΕΔ͜ͱΛલఏͱͨ͠આ໌͠ ͔͠ͳ͔͚ͬͨͲେੲ͸&41͸*1ͷϓϩτίϧͷͻͱͭͱͯ͠ఆٛ͞Ε ͍ͯͨͨΊؒʹ/"5૷ஔ͕͍Δͱ࢖͑ͳ͔ͬͨ w *,&WͰ͸్தͰ/"5τϥόʔαϧͱ͍͏ػೳ͕ผ3'$Ͱఆٛ͞Ε *,&WͰ͸*,&Wͷ࢓༷ʹ͜ͷػೳ͕࠷ॳ͔Β੝Γࠐ·Ε͍ͯΔ w ૹ৴ݩ͕Ѽઌͱૹ৴ݩʹઃఆͨ͠*1ΞυϨεͷ৘ใΛ*,&ͷ৘ใʹຒΊ

    ࠐΈ૬ख͕ड͚औͬͨࡍʹ࣮ࡍʹઃఆ͞ΕͨѼઌͱૹ৴ݩͷ*1ΞυϨε ͱൺֱ͢Δ͜ͱͰؒʹ/"5૷ஔ͕͍Δ͜ͱΛݕ஌͢Δ͜ͱ͕Ͱ͖Δ w 6%1ͷ/"5͸௨৴͕ͳ͍ͱηογϣϯ৘ใ͕ফ͞ΕΔͷͰఆظతʹ σ ϑΥϧτඵ /"5ΩʔϓΞϥΠϒΛૹΔ 35

  36. &41Ҏ֎ w ࠓճ͸&41Λલఏͱͨ͠આ໌͔͠͠ͳ͔͚ͬͨͲ*1TFDʹ͸ଞʹ") ΍*1$PNQͱ͍͏Ϟϊ΋͋Δ w ")͸҉߸Խͤͣ׬શੑ ్தͰվ᜵͞Ε͍ͯͳ͍͜ͱ Λอূ͢Δ͚ͩ ͷϞϊ w

    େੲ͸&41͸҉߸Խ͢Δ͚ͩͰ׬શੑ͸อূͤͣ׬શੑΛ୲อͨ͠ ͍࣌͸")ͱ૊Έ߹ΘͤΔͱ͍͏Ϟϊ͚ͩͬͨͲ&41Ͱ׬શੑ΋อ ূͰ͖ΔΑ͏ʹͳͬͯ")͸શ͘ͱݴ͍͍ͬͯ΄Ͳ࢖ΘΕͳ͔ͬͨ w ηΩϡϦςΟతʹ΋׬શੑΛνΣοΫ͠ͳ͍҉߸Խ͸ྑ͘ͳ͍Β͍͠ w *1$PNQ͸ϖΠϩʔυΛѹॖ͢ΔͨΊͷϞϊ 36

  37. τϯωϧϞʔυҎ֎ w ࠓճ͸τϯωϧϞʔυΛલఏͱ͢Δઆ໌͔͠͠ͳ͔͚ͬͨͲ*1TFDʹ͸ଞ ʹτϥϯεϙʔτϞʔυͱ͍͏Ϟϊ΋͋Δ w τϯωϧϞʔυ͸ΦϦδφϧͷ*1ύέοτΛ*1TFD૷ஔ͕ΧϓηϧԽ ͯ͠શମΛอޢ͢Δ͕τϥϯεϙʔτϞʔυ͸*1TFD૷ஔؒͷ௨৴ͷத ਎ͷΈΛอޢ͢Δ ΦϦδφϧͷ*1ϔομͷ಺ଆͷΈΛอޢ 

    w 3'$ʹ͸lτϥϯεϙʔτϞʔυ͸Ϋη͕ڧ͍zΈ͍ͨͳ͜ͱ͕ ॻ͔Ε͍ͯͯݸਓతʹ͸͋·ΓؔΘΓͨ͘ͳ͍ 5IJTTDFOBSJPFOBCMFTUIFFOEUPFOETFDVSJUZUIBUIBTCFFOBHVJEJOHQSJODJQMFGPSUIF *OUFSOFUTJODF<"3$)13*/$> <53"/41"3&/$:> BOEBNFUIPEPGMJNJUJOHUIFJOIFSFOU QSPCMFNTXJUIDPNQMFYJUZJOOFUXPSLTOPUFECZ<"3$)(6*%&1)*-> 3'$&OEQPJOUUP&OEQPJOU5SBOTQPSU.PEF 37

  38. ཧ૝ओٛWTݱ࣮ओٛ w ϦϞʔτΞΫηεʹ͸-51W͕͋ΔΜ͔ͩΒ*1TFDʹ͸ෆཁ ˠ ΍ͬͺΞυϨεׂΓ౰ͯػೳ͋ͬͨํ͕͍͍ΑͶ w /"5͸ѱ")ͱ&41͸*1ͷϓϩτίϧͰ ˠ ෆศ͗͢6%1Ͱ/"5ӽ͑Ͱ͖ΔΑ͏ʹ͠Α w

    ׬શੑΛ୲อ͍͚ͨ͠Ͳػີੑ͸ඞཁͳ͍࣌΋͋Ε͹ػີੑΛ୲อ͍ͨ͠ ͚Ͳ׬શੑ͕ඞཁͳ͍࣌΋͋Δ͸ͣͳͷͰඞཁʹԠͯ͡")ͱ&41Λ૊ Έ߹Θͤͯ࢖͏΂͖ ˠ ࣮ࡍʹ͸&41͔͠࢖ΘΕͣޙ͔Β׬શੑ΋୲อ͞ΕΔ w Πϯλʔωοτ͸ΤϯυπʔΤϯυ͡Όͳ͍ͱ ˠ τϥϯεϙʔτϞʔυ୭΋࢖ͬͯͳ͍ 38 ˞ݸਓͷภݟͰ͢