I_RFC2408_5_4_2_3_SA_3 - [Initiator Test] Check the proposal to confirm it is valid(Authentication method)
End-Node
I_RFC2408_5_4_2_3_SA_3.seq [-tooloption ...] -pkt I_RFC2408_5_4_2_3_SA_3.def -tooloption : v6eval tool option See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def
HOST-2(TN):responder
|3ffe:501:ffff:101::11
|
Net-y --+--------+------------------------ 3ffe:501:ffff:101::/64
|
|
ROUTER-1(TN)
|3ffe:501:ffff:100::11
|
Net-z --+--------+------------------------ 3ffe:501:ffff:100::/64
|
|3ffe:501:ffff:100:XXXX
NUT:initiator
XXXX: EUI64 address
Process the remaining payloads (i.e. Proposal, Transform) of the
Security Association Payload. If the Security Association
Proposal (as described in sections 5.5 and 5.6) is not accepted,
then the following actions are taken:
(a) The event, INVALID PROPOSAL, MAY be logged in the
appropriate system audit file.
(b) An Informational Exchange with a Notification payload
containing the NO-PROPOSAL-CHOSEN message type MAY be sent
to the transmitting entity. This action is dictated by a
system security policy.
| Machine | Src | Dest | Phase I | Phase II | ||||||||||||
| Ex mode | Key Value | Enc Alg | Hash Alg | Auth Method | DH Group | PH1 Lt | IDx | Proto ID | Trans ID | Mode | Auth Alg | PH2 Lt | Upper | |||
| NUT | NUT addr | HOST-2 addr | Main | IKE-TEST | 3DES | SHA | pre-shared key | 2 | 8 Hour | NUT addr | PROTO_IPSEC_ESP | ESP_3DES | Transport | HMAC-SHA | 8 Hour | any |
| HOST-2 | HOST-2 addr | NUT addr | Main | IKE-TEST | 3DES | SHA | 65000 | 2 | 8 Hour | HOST-2 addr | PROTO_IPSEC_ESP | ESP_3DES | Transport | HMAC-SHA | 8 Hour | any |
In order to start the negotiation of IKE,
NUT transmits Echo Request to TN(HOST-2).
This test check is following.
IDENTITY PROTECTION EXCHANGE
# Initiator(NUT) Direction Responder(TN) (1) HDR; SA ========>
(2) <======== HDR; SA <-----Invalid proposal
(3-A)HDR; KE; NONCE ========> X <-----Must not transmit or (3-B)HDR; N/D ========> Judgement (Check *1)
1. Receive the first message from NUT In the first message (1), the initiator generates a proposal it considers adequate to protect traffic for the given situation. The Security Association, Proposal, and Transform payloads are included in the Security Association payload (for notation purposes).
2. Send the second message from TN In the second message (2), the responder indicates the protection suite it has accepted with the Security Association, Proposal, and Transform payloads.
3. Receive the third message from NUT In the third message (3-B), the initiator indicates either an ISAKMP Notify Payload or an ISAKMP delete Payload.
The second message must not be accepted. And the third(3-A) message must not be returned
(* or NO-PROPOSAL-CHOSEN(3-B) message is returned).
*option : if you want to check the retruned Notify message.
Clean up SAD and SPD
RFC2408 5.4 Security Association Payload Processing
(omit)
When a Security Association payload is received, the receiving entity (initiator or responder) MUST do the following:
1. Determine if the Domain of Interpretation (DOI) is supported. If the DOI determination fails, the message is discarded and the following actions are taken:
(a) The event, INVALID DOI, MAY be logged in the appropriate system audit file.
(b) An Informational Exchange with a Notification payload containing the DOI-NOT-SUPPORTED message type MAY be sent to the transmitting entity. This action is dictated by a system security policy.
2. Determine if the given situation can be protected. If the Situation determination fails, the message is discarded and the following actions are taken:
(a) The event, INVALID SITUATION, MAY be logged in the appropriate system audit file.
(b) An Informational Exchange with a Notification payload containing the SITUATION-NOT-SUPPORTED message type MAY be sent to the transmitting entity. This action is dictated by a system security policy.
3. Process the remaining payloads (i.e. Proposal, Transform) of the Security Association Payload. If the Security Association Proposal (as described in sections 5.5 and 5.6) is not accepted, then the following actions are taken:
(a) The event, INVALID PROPOSAL, MAY be logged in the appropriate system audit file.
(b) An Informational Exchange with a Notification payload containing the NO-PROPOSAL-CHOSEN message type MAY be sent to the transmitting entity. This action is dictated by a system security policy.
perldoc V6evalTool
IKE.html IKE Test Common Utility