$30 off During Our Annual Pro Sale. View Details »

OpenBSD/OpenIKED でリモートアクセス VPN

Masakazu Asama
February 29, 2020
Technology
0
400

OpenBSD/OpenIKED でリモートアクセス VPN

Masakazu Asama

February 29, 2020
Tweet

More Decks by Masakazu Asama

See All by Masakazu Asama
自宅フロー解析
masakazu
0
2.3k
UPFの下周り性能ネタ(gtp5g他)
masakazu
0
360
draft-iab-covid19-workshop を読む
masakazu
0
95
EPC/5GC 入門(5GC 編)
masakazu
0
630
EPC/5GC入門
masakazu
2
990
WebRTC について調べてみた
masakazu
1
340
CoqSSRMathComp.pdf
masakazu
0
100
P4のはなし
masakazu
4
1.3k

Other Decks in Technology

See All in Technology
i3DESIGN_Culture_Book / for Engineer
i3design
0
160
Microsoft 365 による情報保護 ~ DLP 編
sophiakunii
0
480
Web Runtime
dynamis
6
2.8k
Kaggle Days Championship Final参加報告
mot_ai_tech
0
140
Svelte Runtime 101 (JSConf JP 2022)
baseballyama
3
2.4k
【全7回】グラフはなぜ使われていない?どうやって使われている?グラフデータベース活用事例 #1
oracle4engineer
PRO
3
140
謎は全て解けた!安楽椅子探偵に捧げる AWS ネットワーク分析入門 #CNDT2022 / CloudNative Days Tokyo 2022
ytaka23
0
450
バンダイナムコスタジオにおけるクラウドネイティブなゲーム開発スタジオの挑戦
yaegashi
2
170
データ操作について
miyakemito
0
240
コンテナ環境でのJava技術の進化
kazumura
4
400
Reading "Interpretable Personalized Experimentation"
tatsuyashirakawa
0
120
スタートアップ企業で始めるAWSセキュリティ対策 ~内部統制の観点から~ / aws-security-and-internal-audit-at-a-startup
yuj1osm
2
940

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
7
3k
From Idea to $5000 a Month in 5 Months
shpigford
374
44k
The Art of Programming - Codeland 2020
erikaheidi
35
11k
Become a Pro
speakerdeck
PRO
3
3.1k
Imperfection Machines: The Place of Print at Facebook
scottboms
254
12k
How to train your dragon (web standard)
notwaldorf
64
4.1k
How GitHub (no longer) Works
holman
298
140k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
351
21k
A designer walks into a library…
pauljervisheath
197
16k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
175
8.9k
The Illustrated Children's Guide to Kubernetes
chrisshort
22
42k
Thoughts on Productivity
jonyablonski
48
2.6k

Transcript

  1. 0QFO#4%0QFO*,&%Ͱ ϦϞʔτΞΫηε71/ ઙؒਖ਼࿨ &#6(!εϊʔϐʔΫ)FBERVBSUFSTΩϟϯϓϑΟʔϧυ 1

  2. ߏ੒ Ұൠతͳϒϩʔυόϯυϧʔλ  Ұൠతͳ0QFO#4%αʔό SBTNZEPNBJO  71/ΫϥΠΞϯτʹ ׂΓ౰ͯΔ*1WΞυϨεଳ  6%1ͱ6%1Λ

    ʹ/"5 Ұൠతͳ*,&Wઃఆ ઀ଓઌ͸%%/4౳Λ૝ఆ 2 Πϥετ $ ͍Β͢ͱ΍

  3. ϒϩʔυόϯυϧʔλͷઃఆ 3

  4. Լ४උ  w *1Wύέοτసૹͷ༗ޮԽ w QGͷઃఆ w JLFEͷىಈઃఆ ras# cp

    /etc/examples/sysctl.conf /etc/ ras# vi /etc/sysctl.conf net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets ras# vi /etc/rc.conf.local iked_flags="" ras# vi /etc/pf.conf pass in log on smsc0 proto udp from any to 192.168.11.254 port {isakmp, ipsec-nat-t} pass in log on enc0 4

  5. Լ४උ  w ϓϩΩγ"31ͷઃఆ ras# ifconfig smsc0 smsc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu

    1500 lladdr b8:27:eb:b7:4a:f4 index 3 priority 0 llprio 3 groups: egress media: Ethernet autoselect (100baseTX full-duplex) status: active inet 192.168.11.254 netmask 0xffffff00 broadcast 192.168.11.255 ras# arp -s 192.168.11.240 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.241 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.242 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.243 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.244 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.245 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.246 b8:27:eb:b7:4a:f4 pub ras# arp -s 192.168.11.247 b8:27:eb:b7:4a:f4 pub 5

  6. $"ͷઃఆ  ras# ikectl ca vpn create CA passphrase: Retype

    CA passphrase: Generating RSA private key, 2048 bit long modulus .........+++++ ................................................................................................ +++ e is 65537 (0x10001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- ... 6

  7. $"ͷઃఆ  ... ----- Country Name (2 letter code) [JP]:

    State or Province Name (full name) [Niigata]: Locality Name (eg, city) [Sanjo]: Organization Name (eg, company) [Ginzado]: Organizational Unit Name (eg, section) [BT]: Common Name (eg, fully qualified host name) [VPN CA]: Email Address [m-asama@ginzado.co.jp]: Signature ok subject=/C=JP/ST=Niigata/L=Sanjo/O=Ginzado/OU=BT/CN=VPN CA/emailAddress=m-asama@ginzado.co.jp Getting Private key Using configuration from /etc/ssl/vpn/ca-revoke-ssl.cnf ras# ikectl ca vpn install certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl 7

  8. αʔό伴ϖΞͷઃఆ  ras# ikectl ca vpn certificate ras.my.domain create Generating

    RSA private key, 2048 bit long modulus ..............................................................................+++++ ..................................+++++ e is 65537 (0x10001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [JP]: State or Province Name (full name) [Niigata]: Locality Name (eg, city) [Sanjo]: Organization Name (eg, company) [Ginzado]: Organizational Unit Name (eg, section) [BT]: ... 8

  9. αʔό伴ϖΞͷઃఆ  ... Common Name (eg, fully qualified host name)

    [ras.my.domain]: Email Address [m-asama@ginzado.co.jp]: Using configuration from /etc/ssl/vpn/ras.my.domain-ssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'JP' stateOrProvinceName :ASN.1 12:'Niigata' localityName :ASN.1 12:'Sanjo' organizationName :ASN.1 12:'Ginzado' organizationalUnitName:ASN.1 12:'BT' commonName :ASN.1 12:'ras.my.domain' emailAddress :IA5STRING:'m-asama@ginzado.co.jp' Certificate is to be certified until Feb 5 04:51:16 2021 GMT (365 days) Write out database with 1 new entries Data Base Updated ras# ikectl ca vpn certificate ras.my.domain install writing RSA key 9

  10. 0QFO*,&%ͷઃఆ ras# touch /etc/iked.conf ras# chmod 600 /etc/iked.conf ras# vi

    /etc/iked.conf user "m-asama" "password" ikev2 passive esp \ from 0.0.0.0/0 to 0.0.0.0/0 \ local 192.168.11.254 peer any \ srcid ras.my.domain \ eap "mschap-v2" \ config address 192.168.11.240/29 \ config netmask 255.255.255.0 \ config name-server 192.168.11.1 10

  11. ୺຤ଆઃఆ J1BE04ͷྫ  11

  12. ୺຤ଆઃఆ J1BE04ͷྫ  12

  13. ୺຤ଆઃఆ J1BE04ͷྫ  13

  14. ୺຤ଆઃఆ J1BE04ͷྫ  14

  15. ୺຤ଆઃఆ J1BE04ͷྫ  15

  16. ୺຤ଆઃఆ J1BE04ͷྫ  16

  17. ୺຤ଆઃఆ J1BE04ͷྫ  17

  18. ୺຤ଆઃఆ J1BE04ͷྫ  18

  19. ୺຤ଆઃఆ J1BE04ͷྫ  19

  20. ୺຤ଆઃఆ J1BE04ͷྫ  20

  21. ୺຤ଆઃఆ J1BE04ͷྫ  21

  22. ୺຤ଆઃఆ J1BE04ͷྫ  22

  23. ҰମԿ͕ى͖͍ͯΔͷ͔ʁ 23

  24. *1 6%1 )%3 4"J ,&J /J *1 6%1 )%3 4"S

    ,&S /S $&353&2 *OJUJBUPS 3FTQPOEFS *,&@4"@*/*5SFRVFTU *,&@4"@*/*5SFTQPOTF *,&@"65)SFRVFTU *,&@"65)SFTQPOTF *1 6%1 &41 1BZMPBE &41QBDLFU &"1ͷ৔߹*,&@"65)ΛԿԟ෮͔͢Δ *1 6%1 )%3 *%J $1 54J 54S 4"J ҉߸จ ฏจ *,&WʹΑΔ伴ަ׵ ࣮τϥώοΫ *,&@"65)Λ อޢ͢ΔͨΊͷ ΍ΓͱΓ ࣮τϥώοΫΛ อޢ͢ΔͨΊͷ ΍ΓͱΓ 24 Πϥετ $ ͍Β͢ͱ΍ *1 6%1 )%3 *%S "65) &"1 $&35

  25. 4"4FDVSJUZ"TTPDJBUJPO w ཁ͢Δʹl઀ଓzΛදݱ͢ΔϞϊ w ҉߸ԽΞϧΰϦζϜ͸ԿͰ伴௕͸͍͔ͭ͘ w ׬શੑݕূΞϧΰϦζϜ͸ԿͰ伴௕͸͍͔ͭ͘ w ٖࣅཚ਺ੜ੒ΞϧΰϦζϜ͸ԿͰ伴௕͸͍͔ͭ͘ w

    %J⒏F)FMMNBOάϧʔϓ ˞ޙड़ ͸Կ͔ w ߦ͖ͱؼΓͰͦΕͧΕผͷ4"͕༻ҙ͞ΕΔ w *,&ͷ΍ΓͱΓͷͨΊͷ4" *,&4" ͱ&41ͷ΍ΓͱΓͷͨΊͷ 4" $IJME4" ͕ผʹͳ͍ͬͯΔ w લทͷ4"J͸*OJUJBUPS͕ఏҊ͢Δ*,&4"ͷΞϧΰϦζϜ܈Λද͠ 4"S͸3FTQPOEFS͕ఏҊ͢Δ*,&4"ͷΞϧΰϦζϜ܈Λද͢ 25

  26. ,&,FZ&YDIBOHF w l*OJUJBUPSͱ3FTQPOEFSͰڞ༗͢Δൿີͷ਺ࣈzΛੜ੒͢ΔͨΊͷ਺ࣈ w %J⒏F)FMMNBO伴ަ׵Ͱ༻͍Δ ˞ޙड़ 26

  27. /J/S/PODF w *OJUJBUPSͱ3FTQPOEFSͰͦΕͧΕੜ੒ͨ͠ϥϯμϜͳ਺ࣈ w ٖࣅཚ਺ੜ੒ͱ͔ೝূͷࡍʹ༻͍Δ 27

  28. %J⒏F)FMMNBO伴ަ׵ *OJUJBUPS 3FTQPOEFS 伴ަ׵ʹ༻͍Δ%J⒏F)FMMNBOάϧʔϓΛܾఆ͢Δ *,&@4"@*/*5ͷ4"J4"SͰܾ·Δ ྫ͑͹(SPVQ CJU.0%1 ͷ৔߹ Q?? ?

    \<?QJ> ^ H 㱡J㱡QͱͳΔ ཚ਺JΛੜ੒ 㱡S㱡QͱͳΔ ཚ਺SΛੜ੒ H?JNPEQΛ,&Jͱͯ͠ૹ৴ H?SNPEQΛ,&Sͱͯ͠ૹ৴ H?SNPEQ ?JNPEQ H? J S NPEQ ͕ڞ༗ൿີ伴 H?JNPEQ ?SNPEQ H? J S NPEQ ͕ڞ༗ൿີ伴 Q͕େ͖͍ͱQ H H?JNPEQ H?SNPEQͷ৘ใ͔Β H? J S NPEQΛܭࢉ͢Δͷ͸೉͍͠Β͍͠ ཭ࢄର਺໰୊  ଞʹ΋ପԁۂઢ҉߸Λ༻͍ͨ΋ͷͳͲ΋͋Δ 28 Πϥετ $ ͍Β͢ͱ΍

  29. *,&4"ͷ伴ͷੜ੒ ఆٛ QSG , 4 4ͱ,͔Βݻఆ௕ͷٖࣅཚ਺Λੜ੒͢Δؔ਺ QSG  , 4

    QSGΛ࢖ͬͯQSGͰੜ੒͞ΕΔٖࣅཚ਺ΑΓ େ͖͍ٖࣅཚ਺ ٖࣅཚ਺ͷ࿈ଓ Λੜ੒͢Δؔ਺ QSG JTEFpOFEBT QSG  , 4 5c5c5c5c XIFSF 5QSG , 4cY  5QSG , 5c4cY  5QSG , 5c4cY  5QSG , 5c4cY   3'$͔ΒҾ༻ લड़ͷ%J⒏F)FMMNBO伴ަ׵ͰH? J S Λܭࢉ͠4ͱ͠ /Jͱ/SΛ͚ͬͭͨ͘΋ͷΛ,ͱ͢Δ ˞ॳճͷ৔߹  ˣ ,ͱ4͔ΒQSG , 4 Λܭࢉ͠4,&:4&&%ͱ͢Δ ˣ /Jͱ/Sͱ41*Jͱ41*SΛ͚ͬͭͨ͘΋ͷΛ4ͱ͢Δ ˞41*͸)%3ʹॻ͔Εͨ*%ͷΑ͏ͳ΋ͷ  ˣ 4,&:4&&%ͱ4͔ΒQSG  4,&:4&&% 4 Λܭࢉ͠ ٖࣅཚ਺ͷ࿈ଓΛಘΔ ˣ ੜ੒͞Εٖͨࣅཚ਺ͷ࿈ଓΛઌ಄͔Β੾ΓऔΓ 4,@E $IJME4"ੜ੒༻ٖࣅཚ਺ੜ੒伴  4,@BJ 4,@BS *OJUJBUPS3FTQPOEFSͷ׬શੑݕূ伴  4,@FJ 4,@FS *OJUJBUPS3FTQPOEFSͷ҉߸伴  4,@QJ 4,@QS "65)༻ٖࣅཚ਺ੜ੒伴 ͱ͢Δ 29

  30. ೝূ &"1ͷ৔߹ w 3FTQPOEFS͔ΒΈͨ*OJUJBUPSͷೝূ w 111ͳͲͰ࢖ΘΕ͍ͯΔ.4$)"1WΛ༻͍Δ w ಉ͘͡.4$)"1WΛ༻͍Δ1151͸੬ऑੑ͕ݟ͔͍ͭͬͯΔ͕ *,&W͸*,&4"Ͱ௨৴͕อޢ͞Ε͍ͯΔͷͰେৎ෉Β͍͠ w

    3FTQPOEFS͕νϟϨϯδΛૹͬͯ*OJUJBUPS͕ਖ਼͍͠ϨεϙϯεΛฦͤ Ε͹ೝূ੒ޭ w *OJUJBUPS͔ΒΈͨ3FTQPOEFSͷೝূ w 3FTQPOEFS͸*,&@4"@*/*5ͳͲͷ಺༰Λൿີ伴Ͱॺ໊͠*OJUJBUPSʹ ૹΔ w *OJUJBUPS͸$"ͷެ։伴Ͱݕূ͢Δ͜ͱͰ3FTQPOEFSΛೝূ ଟ෼ 30

  31. $IJME4"ͷ伴ͷੜ੒ w *,&4"ͷ伴ͷੜ੒ͱಉ͡Α͏ͳײ͡Ͱ/Jͱ/SΛ͚ͬͭͨ͘΋ͷΛλω ʹ4,@EΛ伴ʹͯ͠QSG Λ࣮ߦٖ͠ࣅཚ਺ͷ࿈ଓΛੜ੒͠಄͔Β҉߸伴 ͱ׬શੑݕূ伴Λ੾ΓऔΔ w $IJME4"ͷ৘ใ͸1'@,&:ιέοτΛ࢖ͬͯΧʔωϧʹྲྀ͠ࠐ·ΕΔ 31

  32. 4"ͷߋ৽ w ΊΜͲ͍ͷͰলུ w $3&"5&@$)*-%@4"ͱ͍͏ϝοηʔδͰ w *,&4"ͷߋ৽ w ͦΜͳʹසൟʹ͸΍Βͳ͍ w

    ͜ͷ৔߹͸طଘͷ$IJME4"Λ৽͍͠*,&4"ʹඥ෇͚Δ w $IJME4"ͷߋ৽ w *,&4"ΑΓ͸සൟʹ΍Δ w Λߦ͏Μ͚ͩͲ͜Ε͕·ͨ௒ઈΊΜͲ͍ ओʹύέοτফࣦ΍ΤϥʔରԠ  w *OJUJBUPS3FTQPOEFSͷͲͪΒ΋$3&"5&@$)*-%@4"Λ։࢝͢Δ͜ͱ ͕Ͱ͖ͯͦΕ͕ಉ࣌ʹى͖ͨ࣌͸Ͳ͏͢Δ͔ͱ͔ߟ͑ͳ͍ͱ͚ͳ͍ 32

  33. 54J54S5SB⒏D4FMFDUPS w $IJME4"Ͱอޢ͢Δ w ΞυϨεൣғ w ϙʔτ൪߸ൣғ w Λࢦఆ͢ΔϞϊ w

    ࠓճͷྫͰ͸3FTQPOEFSͷઃఆ্͸54Jͱ54S͕ڞʹʹઃ ఆ͞Ε͍ͯΔ͕࣮ࡍʹ͸54JΛೝূͨ࣌͠఺Ͱ*OJUJBUPSʹׂΓ౰ͯͨΞ υϨεͷΈʹڱΊ͍ͯΔ 33 ras# ipsecctl -s flow flow esp in from 192.168.11.246 to 0.0.0.0/0 peer 203.0.113.85 \ srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type use flow esp out from 0.0.0.0/0 to 192.168.11.246 peer 203.0.113.85 srcid FQDN/ras.my.domain dstid IPV4/10.132.21.116 type require flow esp out from ::/0 to ::/0 type deny

  34. $1$POpHVSBUJPO w %)$1ͷΑ͏ʹ૬ख͔ΒΞυϨεΛׂΓ౰ͯͯ΋ΒͬͨΓ%/4αʔόͷ ৘ใͳͲΛڭ͑ͯ΋ΒͬͨΓ͢ΔͨΊͷϞϊ w *,&Wͷࠒʹ͸ͳ͘*,&Wʹͳͬͯ࡞ΒΕͨ w *,&WͰ͸*1TFDͰ҉߸Խ͞Εͨܦ࿏Λ࡞্ͬͨʹ-51WͰτϯωϧ Λு͍ͬͯͨ w

    ΞυϨεׂΓ౰ͯͳͲ͸-51WͷػೳΛར༻͍ͯͨ͠ 34

  35. /"5τϥόʔαϧ w ࠓճ͸*,&΋&41΋6%1Λ࢖ͬͯ௨৴͞ΕΔ͜ͱΛલఏͱͨ͠આ໌͠ ͔͠ͳ͔͚ͬͨͲେੲ͸&41͸*1ͷϓϩτίϧͷͻͱͭͱͯ͠ఆٛ͞Ε ͍ͯͨͨΊؒʹ/"5૷ஔ͕͍Δͱ࢖͑ͳ͔ͬͨ w *,&WͰ͸్தͰ/"5τϥόʔαϧͱ͍͏ػೳ͕ผ3'$Ͱఆٛ͞Ε *,&WͰ͸*,&Wͷ࢓༷ʹ͜ͷػೳ͕࠷ॳ͔Β੝Γࠐ·Ε͍ͯΔ w ૹ৴ݩ͕Ѽઌͱૹ৴ݩʹઃఆͨ͠*1ΞυϨεͷ৘ใΛ*,&ͷ৘ใʹຒΊ

    ࠐΈ૬ख͕ड͚औͬͨࡍʹ࣮ࡍʹઃఆ͞ΕͨѼઌͱૹ৴ݩͷ*1ΞυϨε ͱൺֱ͢Δ͜ͱͰؒʹ/"5૷ஔ͕͍Δ͜ͱΛݕ஌͢Δ͜ͱ͕Ͱ͖Δ w 6%1ͷ/"5͸௨৴͕ͳ͍ͱηογϣϯ৘ใ͕ফ͞ΕΔͷͰఆظతʹ σ ϑΥϧτඵ /"5ΩʔϓΞϥΠϒΛૹΔ 35

  36. &41Ҏ֎ w ࠓճ͸&41Λલఏͱͨ͠આ໌͔͠͠ͳ͔͚ͬͨͲ*1TFDʹ͸ଞʹ") ΍*1$PNQͱ͍͏Ϟϊ΋͋Δ w ")͸҉߸Խͤͣ׬શੑ ్தͰվ᜵͞Ε͍ͯͳ͍͜ͱ Λอূ͢Δ͚ͩ ͷϞϊ w

    େੲ͸&41͸҉߸Խ͢Δ͚ͩͰ׬શੑ͸อূͤͣ׬શੑΛ୲อͨ͠ ͍࣌͸")ͱ૊Έ߹ΘͤΔͱ͍͏Ϟϊ͚ͩͬͨͲ&41Ͱ׬શੑ΋อ ূͰ͖ΔΑ͏ʹͳͬͯ")͸શ͘ͱݴ͍͍ͬͯ΄Ͳ࢖ΘΕͳ͔ͬͨ w ηΩϡϦςΟతʹ΋׬શੑΛνΣοΫ͠ͳ͍҉߸Խ͸ྑ͘ͳ͍Β͍͠ w *1$PNQ͸ϖΠϩʔυΛѹॖ͢ΔͨΊͷϞϊ 36

  37. τϯωϧϞʔυҎ֎ w ࠓճ͸τϯωϧϞʔυΛલఏͱ͢Δઆ໌͔͠͠ͳ͔͚ͬͨͲ*1TFDʹ͸ଞ ʹτϥϯεϙʔτϞʔυͱ͍͏Ϟϊ΋͋Δ w τϯωϧϞʔυ͸ΦϦδφϧͷ*1ύέοτΛ*1TFD૷ஔ͕ΧϓηϧԽ ͯ͠શମΛอޢ͢Δ͕τϥϯεϙʔτϞʔυ͸*1TFD૷ஔؒͷ௨৴ͷத ਎ͷΈΛอޢ͢Δ ΦϦδφϧͷ*1ϔομͷ಺ଆͷΈΛอޢ 

    w 3'$ʹ͸lτϥϯεϙʔτϞʔυ͸Ϋη͕ڧ͍zΈ͍ͨͳ͜ͱ͕ ॻ͔Ε͍ͯͯݸਓతʹ͸͋·ΓؔΘΓͨ͘ͳ͍ 5IJTTDFOBSJPFOBCMFTUIFFOEUPFOETFDVSJUZUIBUIBTCFFOBHVJEJOHQSJODJQMFGPSUIF *OUFSOFUTJODF<"3$)13*/$> <53"/41"3&/$:> BOEBNFUIPEPGMJNJUJOHUIFJOIFSFOU QSPCMFNTXJUIDPNQMFYJUZJOOFUXPSLTOPUFECZ<"3$)(6*%&1)*-> 3'$&OEQPJOUUP&OEQPJOU5SBOTQPSU.PEF 37

  38. ཧ૝ओٛWTݱ࣮ओٛ w ϦϞʔτΞΫηεʹ͸-51W͕͋ΔΜ͔ͩΒ*1TFDʹ͸ෆཁ ˠ ΍ͬͺΞυϨεׂΓ౰ͯػೳ͋ͬͨํ͕͍͍ΑͶ w /"5͸ѱ")ͱ&41͸*1ͷϓϩτίϧͰ ˠ ෆศ͗͢6%1Ͱ/"5ӽ͑Ͱ͖ΔΑ͏ʹ͠Α w

    ׬શੑΛ୲อ͍͚ͨ͠Ͳػີੑ͸ඞཁͳ͍࣌΋͋Ε͹ػີੑΛ୲อ͍ͨ͠ ͚Ͳ׬શੑ͕ඞཁͳ͍࣌΋͋Δ͸ͣͳͷͰඞཁʹԠͯ͡")ͱ&41Λ૊ Έ߹Θͤͯ࢖͏΂͖ ˠ ࣮ࡍʹ͸&41͔͠࢖ΘΕͣޙ͔Β׬શੑ΋୲อ͞ΕΔ w Πϯλʔωοτ͸ΤϯυπʔΤϯυ͡Όͳ͍ͱ ˠ τϥϯεϙʔτϞʔυ୭΋࢖ͬͯͳ͍ 38 ˞ݸਓͷภݟͰ͢