NAME

  I_RFC2409_4_6 - [Initiator Test] Transform payload SA Attributes check (MD5)

TARGET

  End-Node

SYNOPSIS

  I_RFC2409_4_6.seq [-tooloption ...] -pkt I_RFC2409_4_6.def -tooloption : v6eval tool option

  See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def

INITIALIZATION

Network Topology

        HOST-2(TN):responder
          |3ffe:501:ffff:101::11
          |                        
Net-y   --+--------+------------------------ 3ffe:501:ffff:101::/64
                   |
                   |
                 ROUTER-1(TN)
                   |3ffe:501:ffff:100::11
                   |
Net-z   --+--------+------------------------ 3ffe:501:ffff:100::/64
          |
          |3ffe:501:ffff:100:XXXX
        NUT:initiator
  

  XXXX: EUI64 address

Verification Points

IKE implementations MUST support the following attribute values

Parameter Value

ISAKMP SA Attributes - DES in CBC mode
- MD5
- Authentication via pre-shared keys.
- MODP over default group number one.

So, IKE implementations MUST support MD5.

Configuration

       Initiator and Responder IKE parameter
(It is shown that the mark of "*" permits anythings as attributes.)
At least, following parameter must be included in proposal.
          
          
          
            Machine              
            Src              
            Dest              
            Phase I             
            Phase II             
                       
                       
            Ex mode
            Key Value 
            Enc Alg
            Hash Alg           
            Auth Method           
            DH Group           
            PH1 Lt
            IDx
            Proto ID
            Trans ID
            Mode
            Auth Alg
            PH2 Lt
            Upper
          
          
            NUT           
            NUT addr           
            HOST-2 addr           
            Main  
            IKE-TEST                               
            3DES*           
            MD5           
            pre-shared key*           
            2*
            8 Hour            
            NUT addr              
            PROTO_IPSEC_ESP   
            ESP_3DES             
            Transport           
            HMAC-SHA  
            8 Hour          
            any            
             
             
            HOST-2
            HOST-2 addr
            NUT addr
            Main
            IKE-TEST      
            3DES
            MD5
            pre-shared key           
            2           
            8 Hour
            HOST-2 addr    
            PROTO_IPSEC_ESP
            ESP_3DES     
            Transport
            HMAC-SHA 
            8 Hour 
            any
          
          
        
          *Ex Mode = Exchange mode
          *IDx = identity payload(FQDN or user FQDN  can also be chosen as IDx)
          *Enc Alg = IKE Encryption Algorithm
          *Hash Alg = IKE Authentication Algorithm
          *Key Value = pre-shared key value
          *PH1 Lt = Phase-1 Lifetime
          *PH2 Lt = Phase-2 Lifetime
          *Proto ID = Protocol Identifier
          *Trans ID = Transform Identifier
          *Mode = Encapsulation Mode
          *Auth Alg = Authentication Algorithm
          *Auth Method = Authentication Method
          *DH Group = Diffie-Hellman Group
          *Upper = Upper Layer Protocol
          *NUT addr = NUT address
          *HOST-2 addr = HOST-2 address

Pre-Sequence

         In order to start the negotiation of IKE, 
       NUT transmits Echo Request to TN(HOST-2).

TEST PROCEDURE

  This test check is following.


           IDENTITY PROTECTION EXCHANGE


 #   Initiator(NUT)   Direction    Responder(TN)
(1)  HDR; SA         ========>
                Judgement (Check *1)


   1. Receive the first message from NUT
      In the first message (1), the initiator generates a proposal it
      considers adequate to protect traffic for the given situation.  The
      Security Association, Proposal, and Transform payloads are included
      in the Security Association payload (for notation purposes).

JUDGEMENT

     The first message Attributes(MD5:1) must be included.
     And must conform to above Configuration.

TERMINATION

  Clean up SAD and SPD

REFERENCE

  RFC2409 
  4. Introduction


  (omit)


     IKE implementations MUST support the following attribute values:


      - DES [DES] in CBC mode with a weak, and semi-weak, key check
      (weak and semi-weak keys are referenced in [Sch96] and listed in
      Appendix A). The key is derived according to Appendix B.


      - MD5 [MD5] and SHA [SHA].


      - Authentication via pre-shared keys.


      - MODP over default group number one (see below).


  (omit)

Parameter		Value
ISAKMP	SA Attributes	- DES in CBC mode - MD5 - Authentication via pre-shared keys. - MODP over default group number one.