NAME

  R_RFC3526_3 - [Responder Test]Transform payload SA Attributes check (3DES,SHA,PSK,DH14)

TARGET

  End-Node

SYNOPSIS

  R_RFC3526_3.seq [-tooloption ...] -pkt R_RFC3526_3.def -tooloption : v6eval tool option

  See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def

INITIALIZATION

Network Topology

        HOST-2(TN):initiator
          |3ffe:501:ffff:101::11
          |                     
Net-y   --+--------+------------------------ 3ffe:501:ffff:101::/64
                   |
                   |
                 ROUTER-1(TN)
                   |3ffe:501:ffff:100::11
                   |
Net-z   --+--------+------------------------ 3ffe:501:ffff:100::/64
          |
          |3ffe:501:ffff:100:XXXX
        NUT:responder
  

  XXXX: EUI64 address

Verification Points

IKE implementations support the following attribute values

Parameter Value

ISAKMP SA Attributes - 3DES in CBC mode
- SHA
- Authentication via pre-shared keys.
- MODP over group number fourteen.

Configuration

       Initiator and Responder IKE parameter
At least, following parameter must be included in proposal.
          
          
          
            Machine              
            Src              
            Dest              
            Phase I             
            Phase II             
                       
                       
            Ex mode
            Key Value 
            Enc Alg
            Hash Alg           
            Auth Method           
            DH Group           
            PH1 Lt
            IDx
            Proto ID
            Trans ID
            Mode
            Auth Alg 
            PH2 Lt
            Upper
          
          
            NUT           
            NUT addr           
            HOST-2 addr           
            Main 
            IKE-TEST                               
            3DES           
            SHA           
            pre-shared key           
            14
            8 Hour           
            NUT addr              
            PROTO_IPSEC_ESP
            ESP_3DES           
            Transport           
            HMAC-SHA 
            8 Hour           
            any           
             
             
            HOST-2
            HOST-2 addr
            NUT addr
            Main
            IKE-TEST      
            3DES
            SHA
            pre-shared key           
            14           
            8 Hour
            HOST-2 addr    
            PROTO_IPSEC_ESP
            ESP_3DES    
            Transport
            HMAC-SHA
            8 Hour 
            any
          
          
        
          *Ex Mode = Exchange mode
          *IDx = identity payload(FQDN or user FQDN  can also be chosen as IDx)
          *Enc Alg = IKE Encryption Algorithm
          *Hash Alg = IKE Authentication Algorithm
          *Key Value = pre-shared key value
          *PH1 Lt = Phase-1 Lifetime
          *PH2 Lt = Phase-2 Lifetime
          *Proto ID = Protocol Identifier
          *Trans ID = Transform Identifier
          *Mode = Encapsulation Mode
          *Auth Alg = Authentication Algorithm
          *Auth Method = Authentication Method
          *DH Group = Diffie-Hellman Group
          *Upper = Upper Layer Protocol
          *NUT addr = NUT address
          *HOST-2 addr = HOST-2 address

TEST PROCEDURE

  This test check is following.


           IDENTITY PROTECTION EXCHANGE


 #   Initiator(TN)   Direction    Responder(NUT)
(1)  HDR; SA         ========>


(2)                  <========       HDR; SA
                Judgement (Check *1)


   1. Send the first message from TN
      In the first message (1), the initiator generates a proposal it
      considers adequate to protect traffic for the given situation.  The
      Security Association, Proposal, and Transform payloads are included
      in the Security Association payload (for notation purposes).


   2. Receive the second message from NUT
      In the second message (2), the responder indicates the protection
      suite it has accepted with the Security Association, Proposal, and
      Transform payloads.

JUDGEMENT

        The first message must be accepted. And the second message must be returned.
        The second message Attributes(3DES:5,SHA:2,PSK:1,DH14:14) must be correct.
        And must conform to above Configuration.

TERMINATION

  Clean up SAD and SPD

REFERENCE

  RFC2409 
  4.Introduction


  (omit)


     IKE implementations MUST support the following attribute values:


      -DES [DES] in CBC mode with a weak, and semi-weak, key check
      (weak and semi-weak keys are referenced in [Sch96] and listed in
      Appendix A). The key is derived according to Appendix B.


      - MD5 [MD5] and SHA [SHA].


      - Authentication via pre-shared keys.


      - MODP over default group number one (see below).


   In addition, IKE implementations SHOULD support: 3DES for encryption;
   Tiger ([TIGER]) for hash; the Digital Signature Standard, RSA [RSA]
   signatures and authentication with RSA public key encryption; and
   MODP group number 2.  IKE implementations MAY support any additional
   encryption algorithms defined in Appendix A and MAY support ECP and
   EC2N groups.


  (omit)




3.  2048-bit MODP Group


   This group is assigned id 14.


   This prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }


   Its hexadecimal value is:


      FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
      29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
      EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
      E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
      EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
      C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
      83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
      670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
      E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
      DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
      15728E5A 8AACAA68 FFFFFFFF FFFFFFFF


   The generator is: 2.




Algorithms for Internet Key Exchange version 1 (IKEv1)
draft-hoffman-ikev1-algorithms-02.txt
3.  New algorithm requirements


   The new requirements for IKEv1 are:


   o  TripleDES for encryption MUST be supported
   o  AES-128 in CBC mode [RFC3602] SHOULD be supported
   o  SHA-1 for hashing and HMAC functions MUST be supported
   o  Pre-shared secrets for authentication MUST be supported
   o  AES-128 in CBC mode for HMAC functions ([RFC3566] and [RFC3664])
      SHOULD be supported
   o  Diffie-Hellman MODP group 2 (discrete log 1024 bits) MUST be
      supported
   o  Diffie-Hellman MODP group 14 (discrete log 2048 bits) [RFC3526]
      SHOULD be supported
   o  RSA for authentication with signatures SHOULD be supported


   The other algorithms that were listed at MUST-level and SHOULD-level
   in RFC 2409 are now MAY-level.  This includes DES for encryption, MD5
   and Tiger for hashing, Diffie-Hellman MODP group 1, Diffie-Hellman
   MODP groups with elliptic curves, DSA for authentication with
   signatures, and RSA for authentication with encryption.  DES for
   encryption, MD5 for hashing, Diffie-Hellman MODP group 1 are dropped
   to MAY due to cryptographic weakness.  Tiger for hashing,
   Diffie-Hellman MODP groups with elliptic curves, DSA for
   authentication with signatures, and RSA for authentication with
   encryption are dropped due to lack of any significant deployment and
   interoperability.

Parameter		Value
ISAKMP	SA Attributes	- 3DES in CBC mode - SHA - Authentication via pre-shared keys. - MODP over group number fourteen.