#!/usr/bin/perl # # Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005 Yokogawa Electric Corporation. # All rights reserved. # # Redistribution and use of this software in source and binary # forms, with or without modification, are permitted provided that # the following conditions and disclaimer are agreed and accepted # by the user: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in # the documentation and/or other materials provided with # the distribution. # # 3. Neither the names of the copyrighters, the name of the project # which is related to this software (hereinafter referred to as # "project") nor the names of the contributors may be used to # endorse or promote products derived from this software without # specific prior written permission. # # 4. No merchantable use may be permitted without prior written # notification to the copyrighters. # # 5. The copyrighters, the project and the contributors may prohibit # the use of this software at any time. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHTERS, THE PROJECT AND # CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING # BUT NOT LIMITED THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHTERS, THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, # INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # # $TAHI: ct/ike/ENODE/R_RFC2408_3_1_1_Mj_1_Mn_0.seq,v 1.41.2.2 2005/11/22 10:05:47 ozoe Exp $ # $Id: R_RFC2408_3_1_1_Mj_1_Mn_0.seq,v 1.41.2.2 2005/11/22 10:05:47 ozoe Exp $ # ###################################################################### BEGIN { } END{ } use V6evalTool; use IKE; use IKE_check; my $IF0 = Link0; #====== get sequence arguments ====== foreach (@ARGV) { /^test_type=(\S+)/ && do {$TEST_TYPE=$1; next; }; /^support=(\S+)/ && do {$SUPPORT=$1; next; }; /^app_type=(\S+)/ && do {$IKE::APP_TYPE=$1; next; }; /^test_phase=(\S+)/ && do {$IKE::TEST_PHASE=$1; next; }; ikeExitError("Unknown sequence option '$_'"); } #====== check NUT type ====== ikeCheckNUT(host, $TEST_TYPE, $SUPPORT); #====== Test Configuration ====== %ikeConfig = ( 'app_type' => 'ICMP', 'isakmp_src' => "$IKE::IKEAddr{IKE_NUT_NET0_HOST1_ADDR}", 'isakmp_dst' => "$IKE::IKEAddr{IKE_TN_NET1_HOST2_ADDR}", 'isakmp_dport' => '500', 'isakmp_ex_mode' => 'main', 'isakmp_doi' => 'ipsec_doi', 'isakmp_situation' => 'identity_only', 'isakmp_key_id' => "$IKE::IKEAddr{IKE_TN_NET1_HOST2_ADDR}", 'isakmp_key_value' => 'IKE-TEST', 'isakmp_enc_alg' => '3des', 'isakmp_hash_alg' => 'sha1', 'isakmp_auth_method' => 'pre_shared_key', 'isakmp_dh_group' => '2', 'isakmp_lt' => '28800', 'isakmp_lt_unit' => 'seconds', 'isakmp_src_id_type' => 'address', 'isakmp_src_id' => "$IKE::IKEAddr{IKE_NUT_NET0_HOST1_ADDR}", 'isakmp_dst_id_type' => 'address', 'isakmp_dst_id' => "$IKE::IKEAddr{IKE_TN_NET1_HOST2_ADDR}", 'isakmp_num_pro' => '1', 'isakmp_num_trans' => '1', 'ipsec_id_type' => 'address', 'ipsec_src' => "$IKE::IKEAddr{IKE_TN_NET1_HOST2_ADDR}", 'ipsec_dst' => "$IKE::IKEAddr{IKE_NUT_NET0_HOST1_ADDR}", 'ipsec_src_id' => "$IKE::IKEAddr{IKE_NUT_NET0_HOST1_ADDR}", 'ipsec_dst_id' => "$IKE::IKEAddr{IKE_TN_NET1_HOST2_ADDR}", 'ipsec_supper' => 'any', 'ipsec_dupper' => 'any', 'ipsec_direction' => 'in', 'ipsec_pfs_group' => 'off', 'ipsec_p_num' => '1', 'ipsec_p1_proto' => 'PROTO_IPSEC_ESP', 'ipsec_p1_t_num' => '1', 'ipsec_p1_t1_enc_alg' => 'ESP_3DES', 'ipsec_p1_t1_auth_mtd' => 'HMAC_SHA', 'ipsec_p1_t1_mode' => 'Transport', 'ipsec_p1_t1_lt' => '8', 'ipsec_p1_t1_lt_unit' => 'hour', ); #====== set TN's cookie ======== my $cookie = GetMD5("$IKE::IKEAddr{IKE_TN_NET1_HOST2_ADDR}"."$ikeConfig{'isakmp_dport'}".time()); $cookie = substr($cookie, 0, 16); $ikeConfig{'isakmp_cookie_i'} = $cookie; #====== set ISAKMP SA, IPSEC SPD #====== vLogHTML("*** Target IKE initialization phase ***
"); ikeInit(%ikeConfig); #====== set Address of NUT ====== vLogHTML("*** Target initialization phase ***
"); vCapture($IF0); ikeSetAddr($IF0); #====== set ISAKMP SA packet frame, parameter #====== my $cpp = undef; my @ike = (); #====================================================================== vLogHTML("*** Target testing phase ***
"); #====================================================================== #------------------------------------------------------------------- vLogHTML("*** Phase-1 1st message send ***
"); #------------------------------------------------------------------- vClear($IF0); %ret2 = ikePh1Send1st($IF0, 5, 0, 0, $cpp, \@ike, \%ikeConfig); if($ret2{'status'} == $IKE::FAIL) { ikeReset(); exit($V6evalTool::exitFail); } #------------------------------------------------------------------- vLogHTML("*** Phase-1 2nd message receive ***
"); #------------------------------------------------------------------- $CHECK_FLAG[0] = 0; #none my $OPTION_FLAG = $IKE_check::optionHash{'none'}; my %ret = ikePh1Recv2nd($IF0, 5, 0, 0, $cpp, \@ike, \%ret2, \%ikeConfig,\@CHECK_FLAG, $OPTION_FLAG); if($ret{'status'} == $IKE::FAIL) { ikeReset(); exit($V6evalTool::exitFail); } #------------------------------------------------------------------- vLogHTML("ISAKMP Header Format is correct
"); #------------------------------------------------------------------- #====================================================================== vLogHTML("*** Target test finish ***
"); #====================================================================== vStop($IF0); ikeReset(); ikeExitPass(); #NOTREACHED ###################################################################### __END__ =head1 NAME R_RFC2408_3_1_1_Mj_1_Mn_0 - [Responder Test]ISAKMP Header format check =head1 TARGET End-Node =head1 SYNOPSIS =begin html 
  R_RFC2408_3_1_1_Mj_1_Mn_0.seq [-tooloption ...] -pkt R_RFC2408_3_1_1_Mj_1_Mn_0.def -tooloption : v6eval tool option
  See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def
=end html =head1 INITIALIZATION =begin html
  • Network Topology
    •         HOST-2(TN):initiator
          |3ffe:501:ffff:101::11
          |                     
Net-y   --+--------+------------------------ 3ffe:501:ffff:101::/64
                   |
                   |
                 ROUTER-1(TN)
                   |3ffe:501:ffff:100::11
                   |
Net-z   --+--------+------------------------ 3ffe:501:ffff:100::/64
          |
          |3ffe:501:ffff:100:XXXX
        NUT:responder
  
    
  XXXX: EUI64 address

  • Verification Points

      ISAKMP Header Format
      
    
    • Cookie field
      • 
       The cookies MUST NOT swap places when the direction of the ISAKMP SA changes.
       (The cookie must be set to Responder cookie field.)
    
    • Next Payload field
      • 
       Place the value of the Next Payload in the Next Payload field.
        (In this test, this field is set as 1(Security Association Payload).)
    
    • Version field
      • 
       Major Version 1
       Minor Version 0
    
    • Exchange Type
      • 
       indicates the type of exchange being used.
       (In this test, this field is set as 2(main mode).)
    
    • Flags field
      • 
       Bits of the Flags field(except E,C,A bit) MUST be set to 0 prior to transmission.
       |0|0|0|0|0|A|C|E|
    
    • Message ID field
      • 
       During Phase 1 negotiations, the value MUST be set to 0.
    
    • Payload Length field
      • 
       Place the length (in octets) of the payload in the Payload Length field.

  • Configuration

      •        
    • Initiator and Responder IKE parameter
      • 
At least, following parameter must be included in proposal.
          
      
          
          
      
            Machine              
            Src              
            Dest              
            Phase I             
            Phase II             
          
                   
          
                   
            Ex mode
            Key Value 
            Enc Alg
            Hash Alg           
            Auth Method           
            DH Group           
            PH1 Lt
            IDx
      		
            Proto ID
            Trans ID
            Mode
            Auth Alg
            PH2 Lt
            Upper
          
      
          
      
            NUT           
            NUT addr           
            HOST-2 addr           
            Main  
            IKE-TEST                               
            3DES           
            SHA           
            pre-shared key           
            2           
            8 Hour           
            NUT addr              
            PROTO_IPSEC_ESP
            ESP_3DES           
            Transport           
            HMAC-SHA 
            8 Hour           
            any           
          
         
          
         
            HOST-2
            HOST-2 addr
            NUT addr
            Main
            IKE-TEST                               
            3DES
            SHA
            pre-shared key           
            2           
            8 Hour
            HOST-2 addr    
            PROTO_IPSEC_ESP 
            ESP_3DES
            Transport
            HMAC-SHA
            8 Hour 
            any
          
      
                
        
      
          *Ex Mode = Exchange mode
          *IDx = identity payload(FQDN or user FQDN  can also be chosen as IDx)
          *Enc Alg = IKE Encryption Algorithm
          *Hash Alg = IKE Authentication Algorithm
          *Key Value = pre-shared key value
          *PH1 Lt = Phase-1 Lifetime
          *PH2 Lt = Phase-2 Lifetime
          *Proto ID = Protocol Identifier
          *Trans ID = Transform Identifier
          *Mode = Encapsulation Mode
          *Auth Alg = Authentication Algorithm
          *Auth Method = Authentication Method
          *DH Group = Diffie-Hellman Group
          *Upper = Upper Layer Protocol
          *NUT addr = NUT address
          *HOST-2 addr = HOST-2 address
=end html =head1 TEST PROCEDURE =begin html 
  This test check is following.


           IDENTITY PROTECTION EXCHANGE


 #   Initiator(TN)   Direction    Responder(NUT)
(1)  HDR; SA         ========>


(2)                  <========       HDR; SA
                Judgement (Check *1)


   1. Send the first message from TN
      In the first message (1), the initiator generates a proposal it
      considers adequate to protect traffic for the given situation.  The
      Security Association, Proposal, and Transform payloads are included
      in the Security Association payload (for notation purposes).


   2. Receive the second message from NUT
      In the second message (2), the responder indicates the protection
      suite it has accepted with the Security Association, Proposal, and
      Transform payloads.
=end html =head1 JUDGEMENT The first message must be accepted. And the second message's ISAKMP Header Format must be base on description of RFC(see above Verification Points). (cookie is set to Responder cookie filed, Major version=1 and Minor version=0 , Flags field is correct and Message ID=0). =head1 TERMINATION Clean up SAD and SPD =head1 REFERENCE =begin html 
  RFC2408
  3.1 ISAKMP Header Format 


  (omit)


                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                          Initiator                            !
    !                            Cookie                             !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                          Responder                            !
    !                            Cookie                             !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                          Message ID                           !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                            Length                             !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


  (omit)


    o  Next Payload (1 octet) - Indicates the type of the first payload
       in the message.  The format for each payload is defined in
       sections 3.4 through 3.16.  The processing for the payloads is
       defined in section 5.




                        Next Payload Type       Value
                    NONE                           0
                    Security Association (SA)      1
                    Proposal (P)                   2
                    Transform (T)                  3
                    Key Exchange (KE)              4
                    Identification (ID)            5
                    Certificate (CERT)             6
                    Certificate Request (CR)       7
                    Hash (HASH)                    8
                    Signature (SIG)                9
                    Nonce (NONCE)                 10
                    Notification (N)              11
                    Delete (D)                    12
                    Vendor ID (VID)               13
                    RESERVED                   14 - 127
                    Private USE               128 - 255


    o  Major Version (4 bits) - indicates the major version of the ISAKMP
       protocol in use.  Implementations based on this version of the
       ISAKMP Internet-Draft MUST set the Major Version to 1.
       Implementations based on previous versions of ISAKMP Internet-
       Drafts MUST set the Major Version to 0.  Implementations SHOULD
       never accept packets with a major version number larger than its
       own.


    o  Minor Version (4 bits) - indicates the minor version of the
       ISAKMP protocol in use.  Implementations based on this version of
       the ISAKMP Internet-Draft MUST set the Minor Version to 0.
       Implementations based on previous versions of ISAKMP Internet-
       Drafts MUST set the Minor Version to 1.  Implementations SHOULD
       never accept packets with a minor version number larger than its
       own, given the major version numbers are identical.


    o  Exchange Type (1 octet) - indicates the type of exchange being
       used.  This dictates the message and payload orderings in the
       ISAKMP exchanges.




                            Exchange Type      Value
                         NONE                    0
                         Base                    1
                         Identity Protection     2
                         Authentication Only     3
                         Aggressive              4
                         Informational           5
                         ISAKMP Future Use     6 - 31
                         DOI Specific Use     32 - 239
                         Private Use         240 - 255


    o  Flags (1 octet) - indicates specific options that are set for the
       ISAKMP exchange.  The flags listed below are specified in the
       Flags field beginning with the least significant bit, i.e the
       Encryption bit is bit 0 of the Flags field, the Commit bit is bit
       1 of the Flags field, and the Authentication Only bit is bit 2 of
       the Flags field.  The remaining bits of the Flags field MUST be
       set to 0 prior to transmission.


  (omit)


    o  Message ID (4 octets) - Unique Message Identifier used to
       identify protocol state during Phase 2 negotiations.  This value
       is randomly generated by the initiator of the Phase 2
       negotiation.  In the event of simultaneous SA establishments
       (i.e.  collisions), the value of this field will likely be
       different because they are independently generated and, thus, two
       security associations will progress toward establishment.
       However, it is unlikely there will be absolute simultaneous
       establishments.  During Phase 1 negotiations, the value MUST be
       set to 0.


    o  Length (4 octets) - Length of total message (header + payloads)
       in octets.  Encryption can expand the size of an ISAKMP message.


  (omit)


  5.2 ISAKMP Header Processing


   When creating an ISAKMP message, the transmitting entity (initiator
   or responder) MUST do the following:


   1.  Create the respective cookie.  See section 2.5.3 for details.


   2.  Determine the relevant security characteristics of the session
       (i.e. DOI and situation).


   3.  Construct an ISAKMP Header with fields as described in section
       3.1.


   4.  Construct other ISAKMP payloads, depending on the exchange type.


   5.  Transmit the message to the destination host as described in
       section5.1.




  RFC2409
  4. Introduction


  (omit)


   The ISAKMP SA is bi-directional. That is, once established, either
   party may initiate Quick Mode, Informational, and New Group Mode
   Exchanges.  Per the base ISAKMP document, the ISAKMP SA is identified
   by the Initiator's cookie followed by the Responder's cookie-- the
   role of each party in the phase 1 exchange dictates which cookie is
   the Initiator's. The cookie order established by the phase 1 exchange
   continues to identify the ISAKMP SA regardless of the direction the
   Quick Mode, Informational, or New Group exchange. In other words, the
   cookies MUST NOT swap places when the direction of the ISAKMP SA
   changes.


  (omit)
=end html =head1 SEE ALSO perldoc V6evalTool =begin html 
  IKE.html IKE Test Common Utility
=end html =cut