NAME

  R_RFC2409_6_2_1 - [Responder Test]Transform payload SA Attributes check (3DES,SHA,PSK,DH1)

TARGET

  End-Node

SYNOPSIS

  R_RFC2409_6_2_1.seq [-tooloption ...] -pkt R_RFC2409_6_2_1.def -tooloption : v6eval tool option

  See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def

INITIALIZATION

Network Topology

        HOST-2(TN):initiator
          |3ffe:501:ffff:101::11
          |                     
Net-y   --+--------+------------------------ 3ffe:501:ffff:101::/64
                   |
                   |
                 ROUTER-1(TN)
                   |3ffe:501:ffff:100::11
                   |
Net-z   --+--------+------------------------ 3ffe:501:ffff:100::/64
          |
          |3ffe:501:ffff:100:XXXX
        NUT:responder
  

  XXXX: EUI64 address

Verification Points

IKE implementations SHOULD support the following attribute values

Parameter Value

ISAKMP SA Attributes - 3DES in CBC mode
- SHA
- Authentication via pre-shared keys.
- MODP over default group number one.

Configuration

       Initiator and Responder IKE parameter
At least, following parameter must be included in proposal.
          
          
          
            Machine              
            Src              
            Dest              
            Phase I             
            Phase II             
                       
                       
            Ex mode
            Key Value 
            Enc Alg
            Hash Alg           
            Auth Method           
            DH Group           
            PH1 Lt
            IDx
            Proto ID
            Trans ID
            Mode
            Auth Alg 
            PH2 Lt
            Upper
          
          
            NUT           
            NUT addr           
            HOST-2 addr           
            Main 
            IKE-TEST                               
            3DES           
            SHA           
            pre-shared key           
            1
            8 Hour           
            NUT addr              
            PROTO_IPSEC_ESP
            ESP_3DES           
            Transport           
            HMAC-SHA 
            8 Hour           
            any           
             
             
            HOST-2
            HOST-2 addr
            NUT addr
            Main
            IKE-TEST      
            3DES
            SHA
            pre-shared key           
            1           
            8 Hour
            HOST-2 addr    
            PROTO_IPSEC_ESP
            ESP_3DES    
            Transport
            HMAC-SHA
            8 Hour 
            any
          
          
        
          *Ex Mode = Exchange mode
          *IDx = identity payload(FQDN or user FQDN  can also be chosen as IDx)
          *Enc Alg = IKE Encryption Algorithm
          *Hash Alg = IKE Authentication Algorithm
          *Key Value = pre-shared key value
          *PH1 Lt = Phase-1 Lifetime
          *PH2 Lt = Phase-2 Lifetime
          *Proto ID = Protocol Identifier
          *Trans ID = Transform Identifier
          *Mode = Encapsulation Mode
          *Auth Alg = Authentication Algorithm
          *Auth Method = Authentication Method
          *DH Group = Diffie-Hellman Group
          *Upper = Upper Layer Protocol
          *NUT addr = NUT address
          *HOST-2 addr = HOST-2 address

TEST PROCEDURE

  This test check is following.


           IDENTITY PROTECTION EXCHANGE


 #   Initiator(TN)   Direction    Responder(NUT)
(1)  HDR; SA         ========>


(2)                  <========       HDR; SA
                Judgement (Check *1)


   1. Send the first message from TN
      In the first message (1), the initiator generates a proposal it
      considers adequate to protect traffic for the given situation.  The
      Security Association, Proposal, and Transform payloads are included
      in the Security Association payload (for notation purposes).


   2. Receive the second message from NUT
      In the second message (2), the responder indicates the protection
      suite it has accepted with the Security Association, Proposal, and
      Transform payloads.

JUDGEMENT

        The first message must be accepted. And the second message must be returned.
        The second message Attributes(3DES:5,SHA:2,PSK:1,DH1:1) must be correct.
        And must conform to above Configuration.

TERMINATION

  Clean up SAD and SPD

REFERENCE

  RFC2409 
  4.Introduction


  (omit)


     IKE implementations MUST support the following attribute values:


      -DES [DES] in CBC mode with a weak, and semi-weak, key check
      (weak and semi-weak keys are referenced in [Sch96] and listed in
      Appendix A). The key is derived according to Appendix B.


      - MD5 [MD5] and SHA [SHA].


      - Authentication via pre-shared keys.


      - MODP over default group number one (see below).


   In addition, IKE implementations SHOULD support: 3DES for encryption;
   Tiger ([TIGER]) for hash; the Digital Signature Standard, RSA [RSA]
   signatures and authentication with RSA public key encryption; and
   MODP group number 2.  IKE implementations MAY support any additional
   encryption algorithms defined in Appendix A and MAY support ECP and
   EC2N groups.


  (omit)


6.1 First Oakley Default Group


   Oakley implementations MUST support a MODP group with the following
   prime and generator. This group is assigned id 1 (one).


      The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 }
      Its hexadecimal value is


         FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
         29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
         EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
         E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF


      The generator is: 2.


 (omit)

Parameter		Value
ISAKMP	SA Attributes	- 3DES in CBC mode - SHA - Authentication via pre-shared keys. - MODP over default group number one.