#!/usr/bin/perl # # Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006 # Yokogawa Electric Corporation. # All rights reserved. # # Redistribution and use of this software in source and binary # forms, with or without modification, are permitted provided that # the following conditions and disclaimer are agreed and accepted # by the user: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with # the distribution. # # 3. Neither the names of the copyrighters, the name of the project # which is related to this software (hereinafter referred to as # "project") nor the names of the contributors may be used to # endorse or promote products derived from this software without # specific prior written permission. # # 4. No merchantable use may be permitted without prior written # notification to the copyrighters. # # 5. The copyrighters, the project and the contributors may prohibit # the use of this software at any time. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHTERS, THE PROJECT AND # CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING # BUT NOT LIMITED THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHTERS, THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, # INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # # $TAHI: ct/ike/SGW/SG_I_RFC2409_4_7.seq,v 1.27.2.3 2005/11/22 10:06:04 ozoe Exp $ # $Id: SG_I_RFC2409_4_7.seq,v 1.27.2.3 2005/11/22 10:06:04 ozoe Exp $ # ###################################################################### BEGIN { } use V6evalTool; use IKE; use IKE_check; my $IF0 = Link0; my $IF1 = Link1; #====== get sequence arguments ====== foreach (@ARGV) { /^test_type=(\S+)/ && do {$TEST_TYPE=$1; next; }; /^support=(\S+)/ && do {$SUPPORT=$1; next; }; /^app_type=(\S+)/ && do {$IKE::APP_TYPE=$1; next; }; /^test_phase=(\S+)/ && do {$IKE::TEST_PHASE=$1; next; }; ikeExitError("Unknown sequence option '$_'"); } #====== check NUT type ====== ikeCheckNUT(sgw, $TEST_TYPE, $SUPPORT); #====== Test Configuration ====== %ikeConfig = ( 'app_type' => 'ICMP', 'isakmp_src' => "$IKE::IKEAddr{IKE_NUT_NET2_SGW1_ADDR}", 'isakmp_dst' => "$IKE::IKEAddr{IKE_TN_NET3_SGW2_ADDR}", 'isakmp_dport' => '500', 'isakmp_ex_mode' => 'main', 'isakmp_doi' => 'ipsec_doi', 'isakmp_situation' => 'identity_only', 'isakmp_key_id' => "$IKE::IKEAddr{IKE_TN_NET3_SGW2_ADDR}", 'isakmp_key_value' => 'IKE-TEST', 'isakmp_enc_alg' => '3des', 'isakmp_hash_alg' => 'sha1', 'isakmp_auth_method' => 'pre_shared_key', 'isakmp_dh_group' => '2', 'isakmp_lt' => '28800', 'isakmp_lt_unit' => 'seconds', 'isakmp_src_id_type' => 'address', 'isakmp_src_id' => "$IKE::IKEAddr{IKE_NUT_NET2_SGW1_ADDR}", 'isakmp_dst_id_type' => 'address', 'isakmp_dst_id' => "$IKE::IKEAddr{IKE_TN_NET3_SGW2_ADDR}", 'isakmp_num_pro' => '1', 'isakmp_num_trans' => '1', 'ipsec_id_type' => 'address', 'ipsec_src' => "$IKE::IKEAddr{IKE_NET0_ADDR}", 'ipsec_dst' => "$IKE::IKEAddr{IKE_NET4_ADDR}", 'ipsec_src_id' => "$IKE::IKEAddr{IKE_NET0_ADDR}", 'ipsec_dst_id' => "$IKE::IKEAddr{IKE_NET4_ADDR}", 'ipsec_tsrc' => "$IKE::IKEAddr{IKE_NUT_NET2_SGW1_ADDR}", 'ipsec_tdst' => "$IKE::IKEAddr{IKE_TN_NET3_SGW2_ADDR}", 'ipsec_end_src' => "$IKE::IKEAddr{IKE_TN_NET0_HOST1_ADDR}", 'ipsec_end_dst' => "$IKE::IKEAddr{IKE_TN_NET4_HOST2_ADDR}", 'ipsec_supper' => 'any', 'ipsec_dupper' => 'any', 'ipsec_direction' => 'out', 'ipsec_pfs_group' => 'off', 'ipsec_p_num' => '1', 'ipsec_p1_proto' => 'PROTO_IPSEC_ESP', 'ipsec_p1_t_num' => '1', 'ipsec_p1_t1_enc_alg' => 'ESP_3DES', 'ipsec_p1_t1_auth_mtd' => 'HMAC_SHA', 'ipsec_p1_t1_mode' => 'Tunnel', 'ipsec_p1_t1_lt' => '8', 'ipsec_p1_t1_lt_unit' => 'hour', ); #====== set ISAKMP SA, IPSEC SPD #====== vLogHTML("*** Target IKE initialization phase ***
"); ikeInit(%ikeConfig); #====== set Address of NUT ====== vLogHTML("*** Target initialization phase ***
"); vCapture($IF0); vCapture($IF1); ikeSetAddr($IF0,$IF1,$IKE::address_debug); #====== set ISAKMP SA packet frame, parameter #====== my $cpp = undef; my @ike = (); #====================================================================== vLogHTML("*** Target testing phase ***
"); #------------------------------------------------------------------- vLogHTML("*** Phase-1 1st message recv ***
"); #------------------------------------------------------------------- $IKE::pktdesc{'echo_request_send_net0host1_net4host2'} = 'Send Echo Request from Host-1(TN) to Host-2(TN) via SGW1(NUT)'; my $ret0 = packetSendOnly($IF1, 'echo_request_send_net0host1_net4host2'); if($ret0 == $IKE::FAIL) { ikeReset(); exit($V6evalTool::exitFail); } my @CHECK_FLAG = undef; $CHECK_FLAG[0] = 0; #None my $OPTION_FLAG = $IKE_check::optionHash{'none'}; my %ret = ikePh1Recv('Link0', 10, 0, 0, $cpp, \@ike, \%ikeConfig,\@CHECK_FLAG,$OPTION_FLAG); ##################### # Hash Alg check ###################### my $atttype = 2; my $attvalue = $IKE::isakmp_hash_algorithm_value{$ikeConfig{'isakmp_hash_alg'}}; my $attret = &IKE_check::SpecificAttributeCheckFromSeq(\%ret,$atttype,$attvalue,1); if($attret < 0){ $ret{'status'} = $IKE::FAIL } if($ret{'status'} == $IKE::FAIL) { ikeReset(); exit($V6evalTool::exitFail); } vLogHTML("Transform payload SA Attributes(SHA) is correct
"); vLogHTML("*** Target test finish ***
"); vStop($IF0); vStop($IF1); ikeReset(); ikeExitPass(); #NOTREACHED ###################################################################### __END__ =head1 NAME SG_I_RFC2409_4_7 - [Initiator Test] Transform payload SA Attributes check (SHA) =head1 TARGET SGW =head1 SYNOPSIS =begin html 
  SG_I_RFC2409_4_7.seq [-tooloption ...] -pkt SG_I_RFC2409_4_7.def -tooloption : v6eval tool option

 See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def
=end html =head1 INITIALIZATION =begin html
  • Network Topology
    •                                  HOST-2(TN)
                                   |3ffe:501:ffff:104::11
                                   |
Net-v   --+------------------------+-------- 3ffe:501:ffff:104::/64
          |
          |
         SGW-2(TN):responder
          |3ffe:501:ffff:103::11
          |                     
Net-w   --+--------+------------------------ 3ffe:501:ffff:103::/64
                   |
                   |
                  ROUTER-2(TN)
                   | 3ffe:501:ffff:102::11
                   |
Net-x   --+--------+------------------------ 3ffe:501:ffff:102::/64
          |
          |3ffe:501:ffff:102::1
         SGW-1(NUT):initiator
          |3ffe:501:ffff:101::1
          |
Net-y   --+--------+------------------------ 3ffe:501:ffff:101::/64
                   |
                   | 3ffe:501:ffff:101::11
                  ROUTER-1(TN)
                   |
                   |
Net-z   -----------+---------------+-------- 3ffe:501:ffff:100::/64
                                   |
                                   |3ffe:501:ffff:100::13
                                 HOST-1(TN)

  • Verification Points
      IKE implementations SHOULD support the following attribute values
      Parameter Value
      ISAKMP SA Attributes - 3DES in CBC mode
      - SHA
      - Authentication via pre-shared keys.
      - MODP over group number two.
      So, IKE implementations SHOULD support SHA.

  • Configuration

      •        
    • Initiator and Responder IKE parameter
      • 
(It is shown that the mark of "*" permits anythings as attributes.)
At least, following parameter must be included in proposal.
          
      
          
          
      
            Machine              
            Src              
            Dest              
            Phase I             
            Phase II
          
                   
          
                   
            Ex mode
            Key Value 
            Enc Alg
            Hash Alg           
            Auth Method           
            DH Group           
            PH1 Lt
            IDx
      		
            Proto ID
            Trans ID
            Mode
            Auth Alg 
            PH2 Lt
            IDci
            IDcr
            Upper
          
      
          
      
            SGW-1           
            SGW-1 addr           
            SGW-2 addr           
            Main  
            IKE-TEST                               
            3DES*           
            SHA           
            pre-shared key*           
            2*           
            8 Hour            
            SGW-1 addr              
            PROTO_IPSEC_ESP   
            ESP_3DES            
            Tunnel           
            HMAC-SHA  
            8 Hour            
            Net-z addr          
            Net-v addr   
            any            
          
         
          
         
            SGW-2
            SGW-2 addr
            SGW-1 addr
            Main
            IKE-TEST      
            3DES
            SHA
            pre-shared key           
            2           
            8 Hour
            SGW-2 addr    
            PROTO_IPSEC_ESP 
            ESP_3DES   
            Tunnel
            HMAC-SHA
            8 Hour 
            Net-z addr          
            Net-v addr   
            any
          
      
                
        
      
          *Ex Mode = Exchange mode
          *IDx = identity payload(FQDN or user FQDN  can also be chosen as IDx)
          *IDci = identity payload
          *IDcr = identity payload
          *Enc Alg = IKE Encryption Algorithm
          *Hash Alg = IKE Authentication Algorithm
          *Key Value = pre-shared key value
          *PH1 Lt = Phase-1 Lifetime
          *PH2 Lt = Phase-2 Lifetime
          *Proto ID = Protocol Identifier
          *Trans ID = Transform Identifier
          *Mode = Encapsulation Mode
          *Auth Alg = Authentication Algorithm
          *Auth Method = Authentication Method
          *DH Group = Diffie-Hellman Group
          *Upper = Upper Layer Protocol
          *SGW-1 addr = SGW-1 address
          *SGW-2 addr = SGW-2 address
          *Net-z = Net-z network address
          *Net-v = Net-v network address

  • Pre-Sequence
    •        In order to start the negotiation of IKE, 
       TN(HOST-1) transmits Echo Request to TN(HOST-2).
=end html =head1 TEST PROCEDURE =begin html 
  This test check is following.


           IDENTITY PROTECTION EXCHANGE


 #   Initiator(NUT)   Direction    Responder(TN)
(1)  HDR; SA         ========>
                Judgement (Check *1)


   1. Receive the first message from NUT
      In the first message (1), the initiator generates a proposal it
      considers adequate to protect traffic for the given situation.  The
      Security Association, Proposal, and Transform payloads are included
      in the Security Association payload (for notation purposes).
=end html =head1 JUDGEMENT The first message Attributes(SHA:2) must be included. And must conform to above Configuration. =head1 TERMINATION Clean up SAD and SPD =head1 REFERENCE =begin html 
  RFC2409 
  4.Introduction


  (omit)


     IKE implementations MUST support the following attribute values:


      - DES [DES] in CBC mode with a weak, and semi-weak, key check
      (weak and semi-weak keys are referenced in [Sch96] and listed in
      Appendix A). The key is derived according to Appendix B.


      - MD5 [MD5] and SHA [SHA].


      - Authentication via pre-shared keys.


      - MODP over default group number one (see below).


  (omit)
=end html =head1 SEE ALSO perldoc V6evalTool =begin html 
  IKE.html IKE Test Common Utility
=end html =cut