NAME

  R_RFC2408_5_10_1_1_CR - [Responder Test]Certificate Request Payload Format check

TARGET

  End-Node

SYNOPSIS

  R_RFC2408_5_10_1_1_CR.seq [-tooloption ...] -pkt R_RFC2408_5_10_1_1_CR.def -tooloption : v6eval tool option
  See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def

INITIALIZATION

Network Topology

        HOST-2(TN):initiator
          |3ffe:501:ffff:101::11
          |                     
Net-y   --+--------+------------------------ 3ffe:501:ffff:101::/64
                   |
                   |
                 ROUTER-1(TN)
                   |3ffe:501:ffff:100::11
                   |
Net-z   --+--------+------------------------ 3ffe:501:ffff:100::/64
          |
          |3ffe:501:ffff:100:XXXX
        NUT:responder
  

  XXXX: EUI64 address

Verification Points

Certificate Request Payload Format

       Next Payload field
       Place the value of the Next Payload in the Next Payload field.
       RESERVED Fields
       All RESERVED fields in the ISAKMP protocol MUST be set to zero (0).
       Place the value zero (0) in the RESERVED field.
       Payload Length field
       Place the length (in octets) of the payload in the Payload Length
       field.
       Certificate Type field
       Contains an encoding of the type of certificate requested
       Certificate Authority field
       Contains an encoding of an acceptable certificate authority for 
       the type of certificate requested.

Configuration

Initiator and Responder generate the public key and the secret key

Initiator and Responder IKE parameter

At least, following parameter must be included in proposal.

Machine

Src

Dest

Phase I

Phase II

Ex mode

Key Value

Enc Alg

Hash Alg

Auth Method

DH Group

PH1 Lt

IDx

Proto ID

Trans ID

Mode

Auth Alg

PH2 Lt

Upper

NUT

NUT addr

HOST-2 addr

Main

3DES

SHA

RSA signatures

8 Hour

NUT addr

PROTO_IPSEC_ESP

ESP_3DES

Transport

HMAC-SHA

8 Hour

any

HOST-2

HOST-2 addr

NUT addr

Main

3DES

SHA

RSA signatures

8 Hour

HOST-2 addr

PROTO_IPSEC_ESP

ESP_3DES

Transport

HMAC-SHA

8 Hour

any

*Ex Mode = Exchange mode *IDx = identity payload(FQDN or user FQDN can also be chosen as IDx) *Enc Alg = IKE Encryption Algorithm *Hash Alg = IKE Authentication Algorithm *Key Value = pre-shared key value *PH1 Lt = Phase-1 Lifetime *PH2 Lt = Phase-2 Lifetime *Proto ID = Protocol Identifier *Trans ID = Transform Identifier *Mode = Encapsulation Mode *Auth Alg = Authentication Algorithm *Auth Method = Authentication Method *DH Group = Diffie-Hellman Group *Upper = Upper Layer Protocol *NUT addr = NUT address *HOST-2 addr = HOST-2 address

TEST PROCEDURE

  This test check is following.


           IDENTITY PROTECTION EXCHANGE


 #   Initiator(TN)     Direction      Responder(NUT)
(1)  HDR; SA            ========>


(2)                     <========       HDR; SA


(3)  HDR; KE; NONCE     ========>


(4)                     <========     HDR; KE; NONCE; CERT Req
                Judgement (Check *1)


   1. Send the first message from TN
      In the first message (1), the initiator generates a proposal it
      considers adequate to protect traffic for the given situation.  The
      Security Association, Proposal, and Transform payloads are included
      in the Security Association payload (for notation purposes).


   2. Receive the second message from NUT
      In the second message (2), the responder indicates the protection
      suite it has accepted with the Security Association, Proposal, and
      Transform payloads. 


   3. Send the third message from TN
      In the third (3) message, the initiator send keying material 
      used to arrive at a common shared secret and random information 
      which is used to guarantee liveness and protect against replay attacks.


   4. Receive the fourth message from NUT
      In the fourth (4) message, the responder send keying material 
      used to arrive at a common shared secret and random information 
      which is used to guarantee liveness and protect against replay attacks.
      Additionally the responder send Certificate Request Payload.

JUDGEMENT

        The first to the second message must be exchanged correctly.
        The third message must be accepted. 
        And the fourth message's Certificate Request Payload Format must be base 
        on description of RFC(see above Verification Points).
        And must conform to above Configuration.

TERMINATION

  Clean up SAD and SPD

REFERENCE

  RFC2408
  3.10 Certificate Request Payload


  (omit)


                          1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     ! Next Payload  !   RESERVED    !         Payload Length        !
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     !  Cert. Type   !                                               !
     +-+-+-+-+-+-+-+-+                                               !
     ~                    Certificate Authority                      ~
     !                                                               !
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


  (omit)


    o  Next Payload (1 octet) - Identifier for the payload type of the
       next payload in the message.  If the current payload is the last
       in the message, then this field will be 0.


    o  RESERVED (1 octet) - Unused, set to 0.


    o  Payload Length (2 octets) - Length in octets of the current
       payload, including the generic payload header.


    o  Certificate Type (1 octet) - Contains an encoding of the type of
       certificate requested.  Acceptable values are listed in section
       3.9.


    o  Certificate Authority (variable length) - Contains an encoding of
       an acceptable certificate authority for the type of certificate
       requested.  As an example, for an X.509 certificate this field
       would contain the Distinguished Name encoding of the Issuer Name
       of an X.509 certificate authority acceptable to the sender of
       this payload.  This would be included to assist the responder in
       determining how much of the certificate chain would need to be
       sent in response to this request.  If there is no specific
       certificate authority requested, this field SHOULD not be
       included.


  (omit)


  5.3 Generic Payload Header Processing


   When creating any of the ISAKMP Payloads described in sections 3.4
   through 3.15 a Generic Payload Header is placed at the beginning of
   these payloads.  When creating the Generic Payload Header, the
   transmitting entity (initiator or responder) MUST do the following:


   1.  Place the value of the Next Payload in the Next Payload field.
       These values are described in section 3.1.


   2.  Place the value zero (0) in the RESERVED field.


   3.  Place the length (in octets) of the payload in the Payload Length
       field.


   4.  Construct the payloads as defined in the remainder of this
       section.


  (omit)


  5.10 Certificate Request Payload Processing


   When creating a Certificate Request Payload, the transmitting entity
   (initiator or responder) MUST do the following:


   1.  Determine the type of Certificate Encoding to be requested.  This
       may be specified by the DOI.


   2.  Determine the name of an acceptable Certificate Authority which
       is to be requested (if applicable).


   3.  Construct a Certificate Request payload.


   4.  Transmit the message to the receiving entity as described in
       section 5.1.


  (omit)