SG_R_RFC2409_5_5_5.seq [-tooloption ...] -pkt SG_R_RFC2409_5_5_5.def -tooloption : v6eval tool option See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def=end html =head1 INITIALIZATION =begin html
HOST-2(TN)
|3ffe:501:ffff:104::11
|
Net-v --+------------------------+-------- 3ffe:501:ffff:104::/64
|
|
SGW-2(TN):initiator
|3ffe:501:ffff:103::11
|
Net-w --+--------+------------------------ 3ffe:501:ffff:103::/64
|
|
ROUTER-2(TN)
| 3ffe:501:ffff:102::11
|
Net-x --+--------+------------------------ 3ffe:501:ffff:102::/64
|
|3ffe:501:ffff:102::1
SGW-1(NUT):responder
|3ffe:501:ffff:101::1
|
Net-y --+--------+------------------------ 3ffe:501:ffff:101::/64
|
| 3ffe:501:ffff:101::11
ROUTER-1(TN)
|
|
Net-z -----------+---------------+-------- 3ffe:501:ffff:100::/64
|
|3ffe:501:ffff:100::13
HOST-1(TN)
(TN:SGW-2)Identification Data field : ::(invalid value)
| Machine | Src | Dest | Phase I | Phase II | ||||||||||||||
| Ex mode | Key Value | Enc Alg | Hash Alg | Auth Method | DH Group | PH1 Lt | IDx | Proto ID | Trans ID | Mode | Auth Alg | PH2 Lt | IDci | IDcr | Upper | |||
| SGW-1 | SGW-1 addr | SGW-2 addr | Main | IKE-TEST | 3DES | SHA | pre-shared key | 2 | 8 Hour | SGW-1 addr | PROTO_IPSEC_ESP | ESP_3DES | Tunnel | HMAC-SHA | 8 Hour | Net-v addr | Net-z addr | any |
| SGW-2 | SGW-2 addr | SGW-1 addr | Main | IKE-TEST | 3DES | SHA | pre-shared key | 2 | 8 Hour | SGW-2 addr | PROTO_IPSEC_ESP | ESP_3DES | Tunnel | HMAC-SHA | 8 Hour | :: | Net-z addr | any |
This test check is following.=end html =head1 JUDGEMENT In Phase I , messages must be exchanged correctly. In Phase II , the first message is not accepted. The second message(2-A) must not be returned (* or INVALID-ID-INFORMATION message(2-B) is returned). *option : if you want to check the retruned Notify message. =head1 TERMINATION Clean up SAD and SPD =head1 REFERENCE =begin html
* PHASE I
Either IDENTITY PROTECTION EXCHANGE or AGGRESSIVE EXCHANGE is performed as a pre sequence.
IDENTITY PROTECTION EXCHANGE
# Initiator(TN) Direction Responder(NUT) (1) HDR; SA ========>
(2) <======== HDR; SA
(3) HDR; KE; NONCE ========>
(4) <======== HDR; KE; NONCE
(5) HDR*; IDii; HASH_I ========>
(6) <======== HDR*; IDir; HASH_R
1. Send the first message from TN In the first message (1), the initiator generates a proposal it considers adequate to protect traffic for the given situation. The Security Association, Proposal, and Transform payloads are included in the Security Association payload (for notation purposes).
2. Receive the second message from NUT In the second message (2), the responder indicates the protection suite it has accepted with the Security Association, Proposal, and Transform payloads.
3. Send the third message from TN In the third (3) message, the initiator send keying material used to arrive at a common shared secret and random information which is used to guarantee liveness and protect against replay attacks.
4. Receive the fourth message from NUT In the fourth (4) message, the responder send keying material used to arrive at a common shared secret and random information which is used to guarantee liveness and protect against replay attacks.
5. Send the fifth message from TN In the fifth (5) message, the initiator send identification information and the results of the agreed upon authentication function(hash function).
6. Receive the sixth message from NUT In the sixth (6) message, the responder send identification information and the results of the agreed upon authentication function(hash function).
AGGRESSIVE EXCHANGE
# Initiator(TN) Direction Responder(NUT) NOTE (1) HDR; SA; KE; => Begin ISAKMP-SA or Proxy negotiation NONCE; IDii and Key Exchange
(2) <= HDR; SA; KE; NONCE; IDir; AUTH Initiator Identity Verified by Responder Key Generated Basic SA agreed upon
(3) HDR*; AUTH => Responder Identity Verified by Initiator SA established
1. Send the first message from TN In the first message (1), the initiator generates a proposal it considers adequate to protect traffic for the given situation. The Security Association, Proposal, and Transform payloads are included in the Security Association payload (for notation purposes). There can be only one Proposal and one Transform offered (i.e. no choices) in order for the aggressive exchange to work. Keying material used to arrive at a common shared secret and random information which is used to guarantee liveness and protect against replay attacks are also transmitted. Random information provided by both parties SHOULD be used by the authentication mechanism to provide shared proof of participation in the exchange. Additionally, the initiator transmits identification information.
2. Recieve the second message from NUT In the second message (2), the responder indicates the protection suite it has accepted with the Security Association, Proposal, and Transform payloads. Keying material used to arrive at a common shared secret and random information which is used to guarantee liveness and protect against replay attacks is also transmitted. Random information provided by both parties SHOULD be used by the authentication mechanism to provide shared proof of participation in the exchange. Additionally, the responder transmits identification information. All of this information is transmitted under the protection of the agreed upon authentication function. Local security policy dictates the action of the responder if no proposed protection suite is accepted. One possible action is the transmission of a Notify payload as part of an Informational Exchange.
3. Send the third message from TN In the third (3) message, the initiator transmits the results of the agreed upon authentication function. This information is transmitted under the protection of the common shared secret. Local security policy dictates the action if an error occurs during these messages. One possible action is the transmission of a Notify payload as part of an Informational Exchange.
The test sequence is following.
* PHASE II
QUICK MODE
# Initiator(TN) Direction Responder(NUT) (1) HDR*, HASH(1), SA, Ni,IDci, IDcr; ========> <-----ID data field : ::(invalid)
(2-A) X <======== HDR*, HASH(2), SA, Nr, <-----Must not transmit IDci, IDcr; or (2-B) <======== HDR*, HASH(1), N/D Judgement (Check *1)
1. Send the first message from TN In the first message (1), the initiator generates a proposal it considers adequate to protect traffic for the given situation. The Security Association, Proposal, and Transform payloads are included in the Security Association payload (for notation purposes). And initiator send HASH(1) and Nonce. HASH(1) is the prf over the message id (M-ID) from the ISAKMP header concatenated with the entire message that follows the hash including all payload headers, but excluding any padding added for encryption. Nonce is random information which is used to guarantee liveness. IDci and IDcr is identification information.
2. Receive the second message from NUT In the second message (2-B), the responder indicates either an ISAKMP Notify Payload or an ISAKMP delete Payload.
RFC2409 5.5 Phase 2 - Quick Mode=end html =head1 SEE ALSO perldoc V6evalTool =begin html
(omit)
The identities of the SAs negotiated in Quick Mode are implicitly assumed to be the IP addresses of the ISAKMP peers, without any implied constraints on the protocol or port numbers allowed, unless client identifiers are specified in Quick Mode. If ISAKMP is acting as a client negotiator on behalf of another party, the identities of the parties MUST be passed as IDci and then IDcr. Local policy will dictate whether the proposals are acceptable for the identities specified. If the client identities are not acceptable to the Quick Mode responder (due to policy or other reasons), a Notify payload with Notify Message Type INVALID-ID-INFORMATION (18) SHOULD be sent.
(omit)
IKE.html IKE Test Common Utility=end html =cut