#!/usr/bin/perl
#
# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006 Yokogawa Electric Corporation.
# All rights reserved.
#
# Redistribution and use of this software in source and binary
# forms, with or without modification, are permitted provided that
# the following conditions and disclaimer are agreed and accepted
# by the user:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with
# the distribution.
#
# 3. Neither the names of the copyrighters, the name of the project
# which is related to this software (hereinafter referred to as
# "project") nor the names of the contributors may be used to
# endorse or promote products derived from this software without
# specific prior written permission.
#
# 4. No merchantable use may be permitted without prior written
# notification to the copyrighters.
#
# 5. The copyrighters, the project and the contributors may prohibit
# the use of this software at any time.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHTERS, THE PROJECT AND
# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING
# BUT NOT LIMITED THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHTERS, THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# $TAHI: ct-dhcpv6/dhcpv6.tahi/auth/S_RFC3315_21.4.3_KeyUtilization.seq,v 1.7 2006/03/14 01:16:32 mnaoki Exp $
########################################################################
# Runs at compile time: records the suite version the tool reports and makes the
# parent directory searchable, presumably so the shared test modules pulled in
# below (DHCPv6_common, Server_pktdesc) can be found.
BEGIN {
    $V6evalTool::TestVersion = q{$Name: DHCPv6_1_0 $};
    push @INC, q{..};
}
use strict;
use V6evalTool;
use DHCPv6_common;
use Server_pktdesc;
dhcpExitNS if ChkFuncSupport('AUTHENTICATION');
#--------------------------------------------------------------#
# Initialization
#--------------------------------------------------------------#
# NUT initialization: the NUT is started as a DHCPv6 server with delayed
# authentication enabled and provisioned with a single key. The TN client
# side uses the same <realm, key id, secret> triple later in the test.
vLogHTML("==== NUT Initialization ====\n");
my $IF0 = 'Link0';

# Authentication parameters. The key is identified by <realm, key id>; the
# secret is a fixed test fixture, not real key material.
vLogHTML("Authentication Information\n");
my $auth_realm = 'DHCPv6.TEST.EXAMPLE.COM';
my $hex_auth_realm = Ascii2Hex($auth_realm);
my $auth_key_id = '1';
my $auth_sharedsecretkey = 'TAHITEST_VALID12';
vLogHTML(" REALM: $auth_realm\n");
vLogHTML(" Key ID: $auth_key_id\n");
# NOTE(review): the shared secret and its device-side encoding are written to
# the test log. Fine for this fixed test key; never reuse a production secret.
vLogHTML(" Shared Secret Key: $auth_sharedsecretkey");

# The device may expect the secret in a different encoding (SHARED_SECRET_KEY_TYPE
# from the tool config); SharedSecretKeyCheck produces that form.
my $SHARED_SECRET_KEY_TYPE = ChkConfig('SHARED_SECRET_KEY_TYPE');
my $enc_auth_sharedsecretkey = SharedSecretKeyCheck($SHARED_SECRET_KEY_TYPE, $auth_sharedsecretkey);
vLogHTML(" Device's Key Type: $SHARED_SECRET_KEY_TYPE, Encoded value: $enc_auth_sharedsecretkey\n");

# Remote start command for the NUT-side server, handing it the realm, key id,
# encoded secret, the Link0 device and a two-address pool.
my $link0_dev = $V6evalTool::NutDef{Link0_device};
my %NUT_Server_Config = (
    if_nut0     => "$link0_dev",
    init_opcode => qq{vRemote("dhcp6s.rmt", "start" , "authentication=delayed", "auth_realm=$auth_realm", "auth_keyid=$auth_key_id", "auth_sharedsecretkey=$enc_auth_sharedsecretkey", "link0=$link0_dev","startaddr=3ffe:ffff:100::10","endaddr=3ffe:ffff:100::11")},
);
dhcpSvrInit(\%NUT_Server_Config);
#--------------------------------------------------------------#
# Main Procedure
#--------------------------------------------------------------#
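vLogHTML('==== DHCP Client-Initiated Configuration Exchange using Delayed Authentication Protocol ====
');
my $cpp;
# Required whenever the Authentication option is exercised; otherwise not needed.
$AUTH_OPTION_REQUIRED = $TRUE;

# Outline: one Solicit/Advertise exchange, then two Requests answered against
# the same Advertise. The first Request names a Key ID the NUT was not
# provisioned with (2) and must be dropped silently; the second names the
# provisioned Key ID (1) and must be answered.

# 1. send DHCPv6 Solicit Message
# The Solicit's Authentication option carries a zero replay-detection value and
# (per -DNO_AUTH_INFO) presumably no authentication information, since the
# client has not yet selected a key.
$CID_OPTION = "opt_CID_LLT_client1";
$IA_NA_OPTION = "opt_IA_NA";
$Authentication_OPTION = "opt_Auth";
$cpp = "-DAUTH_COUNTER=hexstr\\\(\\\"0000000000000000\\\",8\\\) ";
$cpp .= "-DNO_AUTH_INFO ";
my ($ret1, %sol1) = send_solicit($IF0, "solicit_client1_to_alldhcp", $cpp);
if (0 != $ret1) {
    dhcpExitFail();
}

# 2. wait for DHCPv6 Advertise Message
my ($ret2, %adv2) = wait_for_advertise($IF0, 5);
if (0 != $ret2) {
    dhcpExitFail("Can't receive correct DHCPv6 Advertise message");
}
# The Advertise must carry Client ID, Server ID and an Authentication option ...
if (0 != options_exist(\%adv2, ($CMP_CID|$CMP_SID|$CMP_AUTH))) {
    dhcpExitError("Do not include necessary options!");
}
# ... and echo the Solicit's Client ID and transaction-id.
if (0 != compare_options(\%sol1, \%adv2, ($CMP_CID|$CMP_TRANS_ID))) {
    dhcpExitError("Option Error");
}

# Next 64-bit replay-detection value, derived from the one the NUT sent in the
# Advertise. Both Requests below reuse this single value on purpose: the first
# Request must be discarded by the NUT (unknown key), so it should not advance
# the NUT's recorded replay-detection value. A NUT that records the value
# before the key lookup would wrongly treat step 5 as a replay -- keep that in
# mind when reading a step-6 failure.
my $auth_counter = ReplayDetectCounter($adv2{'Recv_ReplayDetection'});

# 3. send DHCPv6 Request Message (INVALID auth_key_id)
# change auth_key_id (VALID:1 -> INVALID:2)
# NOTE: the option is still built from the valid shared secret (AUTH_KEY_VALUE);
# only the Key ID differs from a fully valid Request. The NUT therefore has to
# reject on the <realm, key id> lookup (RFC 3315 21.4.5), not on a failed
# authentication-information check.
$auth_key_id = "2";
$CID_OPTION = "opt_CID_LLT_client1";
$IA_NA_OPTION = "opt_IA_NA";
$SID_OPTION = "opt_SID_ANY";
$Authentication_OPTION = "opt_Auth";
$cpp = "-DAUTH_COUNTER=hexstr\\\(\\\"$auth_counter\\\",8\\\) ";
$cpp .= "-DAUTH_REALM=hexstr\\\(\\\"$hex_auth_realm\\\"\\\) ";
$cpp .= "-DAUTH_KEY_ID=$auth_key_id ";
$cpp .= "-DAUTH_KEY_VALUE=\\\"$auth_sharedsecretkey\\\" ";
my ($ret3, %req3) = send_request($IF0, "request_client1_to_alldhcp", \%adv2, $cpp);
if (0 != $ret3) {
    dhcpExitFail();
}

# 4. wait for DHCPv6 Reply Message -- NO Reply is expected here.
# A Reply means the NUT accepted a message carrying an unrecognized Key ID.
# Note that any non-zero return from wait_for_reply (a timeout, or a Reply that
# fails its own checks) counts as "no Reply" for this step.
my ($ret4, %rep4) = wait_for_reply($IF0, 5);
if (0 == $ret4) {
    dhcpExitFail("NUT replied to a Request carrying an unrecognized Key ID (message must be discarded)");
}

vLogHTML("Send DHCPv6 Request Message once again (valid auth_key_id)");
# 5. send DHCPv6 Request Message (VALID auth_key_id)
# change auth_key_id (INVALID:2 -> VALID:1); otherwise identical to step 3,
# including the replay-detection value.
$auth_key_id = "1";
$CID_OPTION = "opt_CID_LLT_client1";
$IA_NA_OPTION = "opt_IA_NA";
$SID_OPTION = "opt_SID_ANY";
$Authentication_OPTION = "opt_Auth";
$cpp = "-DAUTH_COUNTER=hexstr\\\(\\\"$auth_counter\\\",8\\\) ";
$cpp .= "-DAUTH_REALM=hexstr\\\(\\\"$hex_auth_realm\\\"\\\) ";
$cpp .= "-DAUTH_KEY_ID=$auth_key_id ";
$cpp .= "-DAUTH_KEY_VALUE=\\\"$auth_sharedsecretkey\\\" ";
my ($ret5, %req5) = send_request($IF0, "request_client1_to_alldhcp", \%adv2, $cpp);
if (0 != $ret5) {
    dhcpExitFail();
}

# 6. wait for DHCPv6 Reply Message -- this time a Reply is required.
my ($ret6, %rep6) = wait_for_reply($IF0, 5);
if (0 != $ret6) {
    dhcpExitFail("Can't receive correct DHCPv6 Reply message");
}
# The Reply must carry IA_NA, Client ID, Server ID and an Authentication option ...
if (0 != options_exist(\%rep6, ($CMP_IA_NA|$CMP_CID|$CMP_SID|$CMP_AUTH))) {
    dhcpExitError("Do not include necessary options!");
}
# ... and echo the step-5 Request's Client ID and transaction-id.
if (0 != compare_options(\%req5, \%rep6, ($CMP_CID|$CMP_TRANS_ID))) {
    dhcpExitError("The client ID option in Reply Msg is error!");
}
#-------------------------------------------------------------------
vLogHTML('DHCP Client-Initiated Configuration Exchange using Delayed Authentication Protocol is correct
');
#-------------------------------------------------------------------
dhcpExitPass;
#NOTREACHED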
########################################################################
__END__
=head1 NAME
S_RFC3315_21.4.3_KeyUtilization.seq - Key utilization check
=head1 TARGET
Server
=head1 SYNOPSIS
=begin html
S_RFC3315_21.4.3_KeyUtilization.seq [-tooloption ...] -pkt S_RFC3315_21.4.3_KeyUtilization.def

  -tooloption: v6eval tool option. See also DHCPv6.def

=end html

=head1 INITIALIZATION

=begin html
TN(Client1)
|
Link0 -------+-----------+--------------- 3ffe:501:ffff:100::/64
|
NUT(Server1)
Each DHCP client has a set of keys. Each key is identified by <DHCP realm, client DUID, key id>. Each key also has a lifetime. The key may not be used past the end of its lifetime. The client's keys are initially distributed to the client through some out-of-band mechanism. The lifetime for each key is distributed with the key. Mechanisms for key distribution and lifetime specification are beyond the scope of this document.
  Device Name   Device Type   I/F     Assigned Prefix           Link Local Addr            MAC Addr
  Server1       NUT           Link0   3ffe:501:ffff:100::/64    NUT's Linklocal address    NUT's MAC address
  Client1       TN            Link0   3ffe:501:ffff:100::/64    fe80::200:ff:fe00:a2a2     00:00:00:00:a2:a2
NUT TN
| |
| | initialize NUT (as a DHCPv6 Server)
| |
| <---- | Solicit w/ Authentication Option (no authentication information)
| ----> | Advertise w/ Authentication Option
| <---- | Request w/ Authentication Option using Key ID = 2 (not provisioned on the NUT)
| --->X | Reply w/ Authentication Option (*1)
| |
| <---- | Request w/ Authentication Option using Key ID = 1 (provisioned), same replay-detection value
| ----> | Reply w/ Authentication Option (*2)
| |
=end html
=head1 JUDGEMENT
=begin html
(*1) PASS: the NUT discards a message whose Authentication option carries a Key ID it does not recognize, and sends no Reply (the test fails if a Reply is received).
(*2) PASS: the NUT replies to a message whose Authentication option carries a recognized Key ID.

=end html

=head1 TERMINATION

N/A

=head1 REFERENCE

=begin html
See also RFC 3315, section 21.4.3 (Key Utilization), section 21.4.5 (Server Considerations for Delayed Authentication protocol) and section 22.11 (Authentication Option).

=end html

=head1 SEE ALSO

perldoc V6evalTool

=cut