SG_I_A_RFC2408_3_1_1_Mj_2 - [Initiator Test] Check the Major Version fields to confirm they are correct
SGW
SG_I_A_RFC2408_3_1_1_Mj_2.seq [-tooloption ...] -pkt SG_I_A_RFC2408_3_1_1_Mj_2.def -tooloption : v6eval tool option See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def
HOST-2(TN)
|3ffe:501:ffff:104::11
|
Net-v --+------------------------+-------- 3ffe:501:ffff:104::/64
|
|
SGW-2(TN):responder
|3ffe:501:ffff:103::11
|
Net-w --+--------+------------------------ 3ffe:501:ffff:103::/64
|
|
ROUTER-2(TN)
| 3ffe:501:ffff:102::11
|
Net-x --+--------+------------------------ 3ffe:501:ffff:102::/64
|
|3ffe:501:ffff:102::1
SGW-1(NUT):initiator
|3ffe:501:ffff:101::1
|
Net-y --+--------+------------------------ 3ffe:501:ffff:101::/64
|
| 3ffe:501:ffff:101::11
ROUTER-1(TN)
|
|
Net-z -----------+---------------+-------- 3ffe:501:ffff:100::/64
|
|3ffe:501:ffff:100::13
HOST-1(TN)
(b) An Informational Exchange with a Notification payload containing the INVALID-MAJOR-VERSION or INVALID-MINOR- VERSION message type MAY be sent to the transmitting entity. This action is dictated by a system security policy.
| Machine | Src | Dest | Phase I | Phase II | ||||||||||||||
| Ex mode | Key Value | Enc Alg | Hash Alg | Auth Method | DH Group | PH1 Lt | IDx | Proto ID | Trans ID | Mode | Auth Alg | PH2 Lt | IDci | IDcr | Upper | |||
| SGW-1 | SGW-1 addr | SGW-2 addr | Aggressive | IKE-TEST | 3DES | SHA | pre-shared key | 2 | 8 Hour | SGW-1 addr | PROTO_IPSEC_ESP | ESP_3DES | Tunnel | HMAC-SHA | 8 Hour | Net-z addr | Net-v addr | any |
| SGW-2 | SGW-2 addr | SGW-1 addr | Aggressive | IKE-TEST | 3DES | SHA | pre-shared key | 2 | 8 Hour | SGW-2 addr | PROTO_IPSEC_ESP | ESP_3DES | Tunnel | HMAC-SHA | 8 Hour | Net-z addr | Net-v addr | any |
In order to start the negotiation of IKE,
TN(HOST-1) transmits Echo Request to TN(HOST-2).
This test check is following.
AGGRESSIVE EXCHANGE
# Initiator(NUT) Direction Responder(TN) (1) HDR; SA, KE, Ni, IDii ========>
(2) <======== HDR; SA, KE, Nr, IDir, HASH_R <-----Major Version : 15(invalid)
(3-A)HDR[*]; HASH_I ========> X <-----Must not transmit or (3-B)HDR*; HASH(1); N/D ========> (HDR; N/D) Judgement (Check *1)
1. Receive the first message from NUT In the first message (1), the initiator generates a proposal it considers adequate to protect traffic for the given situation. The Security Association, Proposal, and Transform payloads are included in the Security Association payload (for notation purposes). Keying material used to arrive at a common shared secret and random information which is used to guarantee liveness and protect against replay attacks are also transmitted. Additionally, the initiator transmits identification information.
2. Send the second message from TN In the second message (2), the responder indicates the protection suite it has accepted with the Security Association, Proposal, and Transform payloads. Keying material used to arrive at a common shared secret and random information which is used to guarantee liveness and protect against replay attacks is also transmitted.Additionally, the responder transmits identification information and the results of the agreed upon authentication function(hash function).
3. Receive the third message from NUT In the third message (3-B), the initiator indicates either an ISAKMP Notify Payload or an ISAKMP delete Payload.
The second message must not be accepted. And the third message(3-A) must not be returned
(* or INVALID-MAJOR-VERSION message(3-B) is returned).
*option : if you want to check the retruned Notify message.
Clean up SAD and SPD
RFC2408 3.1 ISAKMP Header Format
(omit)
1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Initiator ! ! Cookie ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Responder ! ! Cookie ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Message ID ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ! Length ! +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
(omit)
o Major Version (4 bits) - indicates the major version of the ISAKMP protocol in use. Implementations based on this version of the ISAKMP Internet-Draft MUST set the Major Version to 1. Implementations based on previous versions of ISAKMP Internet- Drafts MUST set the Major Version to 0. Implementations SHOULD never accept packets with a major version number larger than its own.
o Minor Version (4 bits) - indicates the minor version of the ISAKMP protocol in use. Implementations based on this version of the ISAKMP Internet-Draft MUST set the Minor Version to 0. Implementations based on previous versions of ISAKMP Internet- Drafts MUST set the Minor Version to 1. Implementations SHOULD never accept packets with a minor version number larger than its own, given the major version numbers are identical.
(omit)
5.2 ISAKMP Header Processing
When creating an ISAKMP message, the transmitting entity (initiator or responder) MUST do the following:
1. Create the respective cookie. See section 2.5.3 for details.
2. Determine the relevant security characteristics of the session (i.e. DOI and situation).
3. Construct an ISAKMP Header with fields as described in section 3.1.
4. Construct other ISAKMP payloads, depending on the exchange type.
5. Transmit the message to the destination host as described in section5.1.
When an ISAKMP message is received, the receiving entity (initiator or responder) MUST do the following:
1. Verify the Initiator and Responder "cookies". If the cookie validation fails, the message is discarded and the following actions are taken:
(a) The event, INVALID COOKIE, MAY be logged in the appropriate system audit file.
(b) An Informational Exchange with a Notification payload containing the INVALID-COOKIE message type MAY be sent to the transmitting entity. This action is dictated by a system security policy.
2. Check the Next Payload field to confirm it is valid. If the Next Payload field validation fails, the message is discarded and the following actions are taken:
(a) The event, INVALID NEXT PAYLOAD, MAY be logged in the appropriate system audit file.
(b) An Informational Exchange with a Notification payload containing the INVALID-PAYLOAD-TYPE message type MAY be sent to the transmitting entity. This action is dictated by a system security policy.
3. Check the Major and Minor Version fields to confirm they are correct (see section 3.1). If the Version field validation fails, the message is discarded and the following actions are
(a) The event, INVALID ISAKMP VERSION, MAY be logged in the appropriate system audit file.
(b) An Informational Exchange with a Notification payload containing the INVALID-MAJOR-VERSION or INVALID-MINOR- VERSION message type MAY be sent to the transmitting entity. This action is dictated by a system security policy.
4. Check the Exchange Type field to confirm it is valid. If the Exchange Type field validation fails, the message is discarded and the following actions are taken:
(a) The event, INVALID EXCHANGE TYPE, MAY be logged in the appropriate system audit file.
(b) An Informational Exchange with a Notification payload containing the INVALID-EXCHANGE-TYPE message type MAY be sent to the transmitting entity. This action is dictated by a system security policy.
5. Check the Flags field to ensure it contains correct values. If the Flags field validation fails, the message is discarded and the following actions are taken:
(a) The event, INVALID FLAGS, MAY be logged in the appropriate systemaudit file.
(b) An Informational Exchange with a Notification payload containing the INVALID-FLAGS message type MAY be sent to the transmitting entity. This action is dictated by a system security policy.
6. Check the Message ID field to ensure it contains correct values. If the Message ID validation fails, the message is discarded and the following actions are taken:
(a) The event, INVALID MESSAGE ID, MAY be logged in the appropriate system audit file.
(b) An Informational Exchange with a Notification payload containing the INVALID-MESSAGE-ID message type MAY be sent to the transmitting entity. This action is dictated by a system security policy.
7. Processing of the ISAKMP message continues using the value in the Next Payload field.
(omit)
perldoc V6evalTool
IKE.html IKE Test Common Utility