I_A_RFC3602_5_1 - [Initiator Test] Transform payload SA Attributes check (AES(128bit))
End-Node
I_A_RFC3602_5_1.seq [-tooloption ...] -pkt I_A_RFC3602_5_1.def -tooloption : v6eval tool option
See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def
HOST-2(TN):responder
|3ffe:501:ffff:101::11
|
Net-y --+--------+------------------------ 3ffe:501:ffff:101::/64
|
|
ROUTER-1(TN)
|3ffe:501:ffff:100::11
|
Net-z --+--------+------------------------ 3ffe:501:ffff:100::/64
|
|3ffe:501:ffff:100:XXXX
NUT:initiator
XXXX: EUI64 address
| Parameter | Value | |
| ISAKMP | SA Attributes | - AES-128 in CBC mode - SHA - Authentication via pre-shared keys. - MODP over group number two. |
| Machine | Src | Dest | Phase I | Phase II | ||||||||||||
| Ex mode | Key Value | Enc Alg | Hash Alg | Auth Method | DH Group | PH1 Lt | IDx | Proto ID | Trans ID | Mode | Auth Alg | PH2 Lt | Upper | |||
| NUT | NUT addr | HOST-2 addr | Aggressive | IKE-TEST | AES | SHA* | pre-shared key* | 2* | 8 Hour | NUT addr | PROTO_IPSEC_ESP | ESP_3DES | Transport | HMAC-SHA | 8 Hour | any |
| HOST-2 | HOST-2 addr | NUT addr | Aggressive | IKE-TEST | AES | SHA* | pre-shared key* | 2* | 8 Hour | HOST-2 addr | PROTO_IPSEC_ESP | ESP_3DES | Transport | HMAC-SHA | 8 Hour | any |
In order to start the negotiation of IKE,
NUT transmits Echo Request to TN(HOST-2).
This test check is following.
AGGRESSIVE EXCHANGE
# Initiator(NUT) Direction Responder(TN) (1) HDR; SA, KE, Ni, IDii ========> Judgement (Check *1)
1. Receive the first message from NUT In the first message (1), the initiator generates a proposal it considers adequate to protect traffic for the given situation. The Security Association, Proposal, and Transform payloads are included in the Security Association payload (for notation purposes). Keying material used to arrive at a common shared secret and random information which is used to guarantee liveness and protect against replay attacks are also transmitted. Additionally, the initiator transmits identification information.
The first message Attributes(AES-CBC:7) must be included.
And must conform to above Configuration.
Clean up SAD and SPD
RFC3602 5. IKE Interactions
5.1. Phase 1 Identifier
For Phase 1 negotiations, IANA has assigned an Encryption Algorithm ID of 7 for AES-CBC.
Algorithms for Internet Key Exchange version 1 (IKEv1) draft-hoffman-ikev1-algorithms-02.txt 3. New algorithm requirements
The new requirements for IKEv1 are:
o TripleDES for encryption MUST be supported o AES-128 in CBC mode [RFC3602] SHOULD be supported o SHA-1 for hashing and HMAC functions MUST be supported o Pre-shared secrets for authentication MUST be supported o AES-128 in CBC mode for HMAC functions ([RFC3566] and [RFC3664]) SHOULD be supported o Diffie-Hellman MODP group 2 (discrete log 1024 bits) MUST be supported o Diffie-Hellman MODP group 14 (discrete log 2048 bits) [RFC3526] SHOULD be supported o RSA for authentication with signatures SHOULD be supported
The other algorithms that were listed at MUST-level and SHOULD-level in RFC 2409 are now MAY-level. This includes DES for encryption, MD5 and Tiger for hashing, Diffie-Hellman MODP group 1, Diffie-Hellman MODP groups with elliptic curves, DSA for authentication with signatures, and RSA for authentication with encryption. DES for encryption, MD5 for hashing, Diffie-Hellman MODP group 1 are dropped to MAY due to cryptographic weakness. Tiger for hashing, Diffie-Hellman MODP groups with elliptic curves, DSA for authentication with signatures, and RSA for authentication with encryption are dropped due to lack of any significant deployment and interoperability.
perldoc V6evalTool
IKE.html IKE Test Common Utility