I_RFC2408_3_6_1_P1_NP_0 - [Initiator Test] Transform Payload format check
End-Node
I_RFC2408_3_6_1_P1_NP_0.seq [-tooloption ...] -pkt I_RFC2408_3_6_1_P1_NP_0.def -tooloption : v6eval tool option
See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def
HOST-2(TN):responder
|3ffe:501:ffff:101::11
|
Net-y --+--------+------------------------ 3ffe:501:ffff:101::/64
|
|
ROUTER-1(TN)
|3ffe:501:ffff:100::11
|
Net-z --+--------+------------------------ 3ffe:501:ffff:100::/64
|
|3ffe:501:ffff:100:XXXX
NUT:initiator
XXXX: EUI64 address
Verification PointsTransform Payload Format
Next Payload field
This field MUST only contain the value "3" or "0".
Place the value of the Next Payload in the Next Payload field.
(In this test, this field only contain the value "0")
RESERVED Fields
All RESERVED fields in the ISAKMP protocol MUST be set to zero (0).
Place the value zero (0) in the RESERVED field.
Payload Length field
Place the length (in octets) of the payload in the Payload Length
field.
Transform Number field
Identifies the Transform number for the current payload.
(In this test, this field is set as "1".)
Transform-ID field
All implementations within the IPSEC DOI MUST support KEY_IKE.
(In Phase I, this field only contain "1"(KEY_IKE))
Configuration
Initiator and Responder IKE parameter
At least, following parameter must be included in proposal.
| Machine |
Src |
Dest |
Phase I |
Phase II |
| Ex mode |
Key Value |
Enc Alg |
Hash Alg |
Auth Method |
DH Group |
PH1 Lt |
IDx |
Proto ID |
Trans ID |
Mode |
Auth Alg |
PH2 Lt |
Upper |
| NUT |
NUT addr |
HOST-2 addr |
Main |
IKE-TEST |
3DES |
SHA |
pre-shared key |
2 |
8 Hour |
NUT addr |
PROTO_IPSEC_ESP |
ESP_3DES |
Transport |
HMAC-SHA |
8 Hour |
any |
| HOST-2 |
HOST-2 addr |
NUT addr |
Main |
IKE-TEST |
3DES |
SHA |
pre-shared key |
2 |
8 Hour |
HOST-2 addr |
PROTO_IPSEC_ESP |
ESP_3DES |
Transport |
HMAC-SHA |
8 Hour |
any |
*Ex Mode = Exchange mode
*IDx = identity payload(FQDN or user FQDN can also be chosen as IDx)
*Enc Alg = IKE Encryption Algorithm
*Hash Alg = IKE Authentication Algorithm
*Key Value = pre-shared key value
*PH1 Lt = Phase-1 Lifetime
*PH2 Lt = Phase-2 Lifetime
*Proto ID = Protocol Identifier
*Trans ID = Transform Identifier
*Mode = Encapsulation Mode
*Auth Alg = Authentication Algorithm
*Auth Method = Authentication Method
*DH Group = Diffie-Hellman Group
*Upper = Upper Layer Protocol
*NUT addr = NUT address
*HOST-2 addr = HOST-2 address
Pre-Sequence
In order to start the negotiation of IKE,
NUT transmits Echo Request to TN(HOST-2).
This test check is following.
IDENTITY PROTECTION EXCHANGE
# Initiator(NUT) Direction Responder(TN)
(1) HDR; SA ========>
Judgement (Check *1)
1. Receive the first message from NUT
In the first message (1), the initiator generates a proposal it
considers adequate to protect traffic for the given situation. The
Security Association, Proposal, and Transform payloads are included
in the Security Association payload (for notation purposes).
The first message's Transform Payload Payload Format must be base
on description of RFC(see above Verification Points).
Clean up SAD and SPD
RFC2407
4.4.2.1 KEY_IKE
The KEY_IKE type specifies the hybrid ISAKMP/Oakley Diffie-Hellman
key exchange (IKE) as defined in the [IKE] document. All
implementations within the IPSEC DOI MUST support KEY_IKE.
RFC2408
2.5.2 RESERVED Fields
The existence of RESERVED fields within ISAKMP payloads are used
strictly to preserve byte alignment. All RESERVED fields in the
ISAKMP protocol MUST be set to zero (0) when a packet is issued. The
receiver SHOULD check the RESERVED fields for a zero (0) value and
discard the packet if other values are found.
(omit)
3.6 Transform Payload
(omit)
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Transform # ! Transform-Id ! RESERVED2 !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! !
~ SA Attributes ~
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
(omit)
o Next Payload (1 octet) - Identifier for the payload type of the
next payload in the message. This field MUST only contain the
value "3" or "0". If there are additional Transform payloads in
the proposal, then this field will be 3. If the current
Transform payload is the last within the proposal, then this
field will be 0.
o RESERVED (1 octet) - Unused, set to 0.
o Payload Length (2 octets) - Length in octets of the current
payload, including the generic payload header, Transform values,
and all SA Attributes.
o Transform # (1 octet) - Identifies the Transform number for the
current payload. If there is more than one transform proposed
for a specific protocol within the Proposal payload, then each
Transform payload has a unique Transform number. A description
of the use of this field is found in section 4.2.
o Transform-Id (1 octet) - Specifies the Transform identifier for
the protocol within the current proposal. These transforms are
defined by the DOI and are dependent on the protocol being
negotiated.
o RESERVED2 (2 octets) - Unused, set to 0.
o SA Attributes (variable length) - This field contains the
security association attributes as defined for the transform
given in the Transform-Id field. The SA Attributes SHOULD be
represented using the Data Attributes format described in section
3.3. If the SA Attributes are not aligned on 4-byte boundaries,
then subsequent payloads will not be aligned and any padding will
be added at the end of the message to make the message 4-octet
aligned.
(omit)
5.3 Generic Payload Header Processing
When creating any of the ISAKMP Payloads described in sections 3.4
through 3.15 a Generic Payload Header is placed at the beginning of
these payloads. When creating the Generic Payload Header, the
transmitting entity (initiator or responder) MUST do the following:
1. Place the value of the Next Payload in the Next Payload field.
These values are described in section 3.1.
2. Place the value zero (0) in the RESERVED field.
3. Place the length (in octets) of the payload in the Payload Length
field.
4. Construct the payloads as defined in the remainder of this
section.
(omit)
5.6 Transform Payload Processing
When creating a Transform Payload, the transmitting entity (initiator
or responder) MUST do the following:
1. Determine the Transform # for this transform.
2. Determine the number of transforms to be offered for this
proposal. Transforms are described in sections 3.6.
3. Construct a Transform payload.
(omit)
perldoc V6evalTool
IKE.html IKE Test Common Utility