");
#======================================================================
vStop($IF0);
vStop($IF1);
ikeReset();
ikeExitPass();
#NOTREACHED
######################################################################
__END__
=head1 NAME
SG_I_RFC2409_5_19 - [Initiator Test] Multiple Transform Payloads check (modify proposal)
=head1 TARGET
SGW
=head1 SYNOPSIS
=begin html
SG_I_RFC2409_5_19.seq [-tooloption ...] -pkt SG_I_RFC2409_5_19.def
    -tooloption : v6eval tool option
See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def
=end html
=head1 INITIALIZATION
=begin html
HOST-2(TN)
|3ffe:501:ffff:104::11
|
Net-v --+------------------------+-------- 3ffe:501:ffff:104::/64
|
|
SGW-2(TN):responder
|3ffe:501:ffff:103::11
|
Net-w --+--------+------------------------ 3ffe:501:ffff:103::/64
|
|
ROUTER-2(TN)
| 3ffe:501:ffff:102::11
|
Net-x --+--------+------------------------ 3ffe:501:ffff:102::/64
|
|3ffe:501:ffff:102::1
SGW-1(NUT):initiator
|3ffe:501:ffff:101::1
|
Net-y --+--------+------------------------ 3ffe:501:ffff:101::/64
|
| 3ffe:501:ffff:101::11
ROUTER-1(TN)
|
|
Net-z -----------+---------------+-------- 3ffe:501:ffff:100::/64
|
|3ffe:501:ffff:100::13
HOST-1(TN)
Verification Points
If the initiator of an exchange notices that attribute values
have changed or attributes have been added or deleted from an
offer made, that response MUST be rejected.
The initiator MUST verify that the Security Association payload
received from the responder matches one of the proposals sent initially.
Configuration
Initiator and Responder IKE parameter
Any attribute is acceptable as proposal.
<table border="1">
<tr><th rowspan="2">Machine</th><th rowspan="2">Src</th><th rowspan="2">Dest</th><th colspan="9">Phase I</th><th colspan="8">Phase II</th></tr>
<tr><th>Ex mode</th><th>Key Value</th><th>Trans #</th><th>Enc Alg</th><th>Hash Alg</th><th>Auth Method</th><th>DH Group</th><th>PH1 Lt</th><th>IDx</th><th>Proto ID</th><th>Trans ID</th><th>Mode</th><th>Auth Alg</th><th>PH2 Lt</th><th>IDci</th><th>IDcr</th><th>Upper</th></tr>
<tr><td rowspan="2">SGW-1</td><td rowspan="2">SGW-1 addr</td><td rowspan="2">SGW-2 addr</td><td rowspan="2">Main</td><td rowspan="2">IKE-TEST</td><td>1</td><td>DES</td><td>MD5</td><td>pre-shared key</td><td>2</td><td>8 Hour</td><td rowspan="2">SGW-1 addr</td><td rowspan="2">PROTO_IPSEC_ESP</td><td rowspan="2">ESP_3DES</td><td rowspan="2">Tunnel</td><td rowspan="2">HMAC-SHA</td><td rowspan="2">8 Hour</td><td rowspan="2">Net-z addr</td><td rowspan="2">Net-v addr</td><td rowspan="2">any</td></tr>
<tr><td>2</td><td>3DES</td><td>SHA</td><td>pre-shared key</td><td>2</td><td>8 Hour</td></tr>
<tr><td>SGW-2</td><td>SGW-2 addr</td><td>SGW-1 addr</td><td>Main</td><td>IKE-TEST</td><td></td><td>65000</td><td>65000</td><td>pre-shared key</td><td>2</td><td>8 Hour</td><td>SGW-2 addr</td><td>PROTO_IPSEC_ESP</td><td>ESP_3DES</td><td>Tunnel</td><td>HMAC-SHA</td><td>8 Hour</td><td>Net-z addr</td><td>Net-v addr</td><td>any</td></tr>
</table>
*Ex Mode = Exchange mode
*IDx = identity payload (FQDN or user FQDN can also be chosen as IDx)
*IDci = identity payload
*IDcr = identity payload
*Enc Alg = IKE Encryption Algorithm
*Hash Alg = IKE Authentication Algorithm
*Key Value = pre-shared key value
*Trans # = Transform number
*PH1 Lt = Phase-1 Lifetime
*PH2 Lt = Phase-2 Lifetime
*Proto ID = Protocol Identifier
*Trans ID = Transform Identifier
*Mode = Encapsulation Mode
*Auth Alg = Authentication Algorithm
*Auth Method = Authentication Method
*DH Group = Diffie-Hellman Group
*Upper = Upper Layer Protocol
*SGW-1 addr = SGW-1 address
*SGW-2 addr = SGW-2 address
*Net-z = Net-z network address
*Net-v = Net-v network address
Pre-Sequence
In order to start the negotiation of IKE,
TN(HOST-1) transmits Echo Request to TN(HOST-2).
=end html
=head1 TEST PROCEDURE
=begin html
This test checks the following exchange.
IDENTITY PROTECTION EXCHANGE
# Initiator(NUT) Direction Responder(TN)
(1) HDR; SA ========>
(2) <======== HDR; SA <-----modify proposal(invalid)
(3) HDR; KE; NONCE ========> X <-----Must not transmit
Judgement (Check *1)
1. Receive the first message from NUT
In the first message (1), the initiator generates a proposal it
considers adequate to protect traffic for the given situation. The
Security Association, Proposal, and Transform payloads are included
in the Security Association payload (for notation purposes).
2. Send the second message from TN
In the second message (2), the responder indicates the protection
suite it has accepted with the Security Association, Proposal, and
Transform payloads.
3. Receive the third message from NUT
In the third message (3), the initiator sends keying material
used to arrive at a common shared secret and random information
which is used to guarantee liveness and protect against replay attacks.
=end html
=head1 JUDGEMENT
The second message (2) must not be accepted, and the third message (3)
must not be transmitted.
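The check the NUT is expected to perform at step (2), written out as an added Python example; this is not code from the TAHI suite or v6eval. It encodes SGW-1's two Phase 1 transforms from the configuration table as ISAKMP Transform payloads (RFC 2408 section 3.6, data attributes per section 3.3, attribute numbers per RFC 2409 Appendix A), then applies the RFC 2409 section 5 rule to the TN's reply: the selected transform must equal one of the offered ones once decoded, so a re-encoded attribute (TV versus TLV) is tolerated but the rewritten Enc Alg / Hash Alg of 65000 is rejected. All sample payloads are constructed inline; function names are this example's own.

```python
"""Initiator-side SA selection check (RFC 2409 s5 / RFC 2408 s4.2). Added example,
not part of the TAHI test. Payload bytes are constructed here from the test's
configuration table; they were not captured from a real exchange."""
import struct

# RFC 2409 Appendix A attribute types used by this test's Phase 1 proposal
ENCRYPTION_ALGORITHM, HASH_ALGORITHM, AUTHENTICATION_METHOD = 1, 2, 3
GROUP_DESCRIPTION, LIFE_TYPE, LIFE_DURATION = 4, 11, 12
# Appendix A values: DES-CBC=1, 3DES-CBC=5, MD5=1, SHA=2, pre-shared key=1, seconds=1
KEY_IKE = 1            # Transform-Id of every Phase 1 transform
TRANSFORM_PAYLOAD = 3  # Next Payload value announcing another Transform

def encode_attributes(attrs, force_tlv=()):
    """Encode {type: value} as ISAKMP data attributes. Values that fit in 16 bits
    use the TV form (AF bit set) unless the type is in force_tlv, which selects
    the TLV form with a 4-byte big-endian value."""
    out = b""
    for atype, value in attrs.items():
        if value < 0x10000 and atype not in force_tlv:
            out += struct.pack("!HH", 0x8000 | atype, value)
        else:
            nbytes = max(4, (value.bit_length() + 7) // 8)
            out += struct.pack("!HH", atype, nbytes) + value.to_bytes(nbytes, "big")
    return out

def decode_attributes(data):
    """Decode ISAKMP data attributes into {type: int}, accepting both forms."""
    attrs, off = {}, 0
    while off < len(data):
        af_type, lv = struct.unpack_from("!HH", data, off)
        off += 4
        if af_type & 0x8000:            # TV: the 16-bit field is the value
            attrs[af_type & 0x7FFF] = lv
        else:                           # TLV: the field is the value length
            if off + lv > len(data):
                raise ValueError("truncated TLV attribute")
            attrs[af_type] = int.from_bytes(data[off:off + lv], "big")
            off += lv
    return attrs

def encode_transform(num, attrs, last=True, force_tlv=()):
    """Transform payload: next, reserved, length, transform #, Transform-Id, reserved."""
    body = encode_attributes(attrs, force_tlv)
    nxt = 0 if last else TRANSFORM_PAYLOAD
    return struct.pack("!BBHBBH", nxt, 0, 8 + len(body), num, KEY_IKE, 0) + body

def decode_transforms(data):
    """Return [(transform #, attrs)] for a chain of Transform payloads."""
    out, off = [], 0
    while True:
        if off + 8 > len(data):
            raise ValueError("truncated Transform payload")
        nxt, _, length, num, tid, _ = struct.unpack_from("!BBHBBH", data, off)
        if length < 8 or off + length > len(data):
            raise ValueError("bad Transform payload length")
        if tid != KEY_IKE:
            raise ValueError("unexpected Transform-Id %d" % tid)
        out.append((num, decode_attributes(data[off + 8:off + length])))
        if nxt != TRANSFORM_PAYLOAD:
            return out
        off += length

def responder_selection_acceptable(offered, selected):
    """The initiator's check: the responder's single selected transform must equal
    one of the offered transforms after decoding, so attribute encoding differences
    are ignored but changed, added or deleted attributes are not. Returns (ok, reason)."""
    if len(selected) != 1:
        return False, "responder must return exactly one transform"
    num, attrs = selected[0]
    for onum, oattrs in offered:        # fast path: Transform # retained (RFC 2408)
        if onum == num and oattrs == attrs:
            return True, "matches offered transform #%d" % num
    for onum, oattrs in offered:        # otherwise compare with every offer
        if oattrs == attrs:
            return True, "matches offered transform #%d (number not retained)" % onum
    return False, "no offered transform matches: attributes changed, added or deleted"

def check_reply(offer_bytes, reply_bytes):
    return responder_selection_acceptable(decode_transforms(offer_bytes),
                                          decode_transforms(reply_bytes))

# SGW-1's Phase 1 offer from the configuration table (constructed sample values)
COMMON = {AUTHENTICATION_METHOD: 1, GROUP_DESCRIPTION: 2, LIFE_TYPE: 1, LIFE_DURATION: 8 * 3600}
OFFER = [(1, {ENCRYPTION_ALGORITHM: 1, HASH_ALGORITHM: 1, **COMMON}),   # DES / MD5
         (2, {ENCRYPTION_ALGORITHM: 5, HASH_ALGORITHM: 2, **COMMON})]   # 3DES / SHA

def initiator_offer_bytes():
    """Message (1): the two transforms SGW-1 sends."""
    return encode_transform(1, OFFER[0][1], last=False) + encode_transform(2, OFFER[1][1])

def modified_reply_bytes():
    """Message (2) as the TN sends it in this test: Enc Alg and Hash Alg rewritten to 65000."""
    return encode_transform(1, {ENCRYPTION_ALGORITHM: 65000, HASH_ALGORITHM: 65000, **COMMON})

def reencoded_reply_bytes():
    """A valid reply: transform #2 unchanged, but the lifetime carried as a 4-byte TLV."""
    return encode_transform(2, OFFER[1][1], force_tlv=(LIFE_DURATION,))

if __name__ == "__main__":
    print("modified proposal:", check_reply(initiator_offer_bytes(), modified_reply_bytes()))
    print("re-encoded reply :", check_reply(initiator_offer_bytes(), reencoded_reply_bytes()))
```

The comparison is done on decoded attribute dictionaries rather than on raw bytes on purpose: RFC 2409 exempts attribute encoding from the "MUST NOT modify" rule, so a byte-for-byte comparison would wrongly reject a conforming responder, while a comparison of decoded values still catches the 65000/65000 substitution this test injects and any attribute that was added or dropped.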
=head1 TERMINATION
Clean up SAD and SPD
=head1 REFERENCE
=begin html
RFC2408
4.2 Security Association Establishment
(omit)
When responding to a Security Association payload, the responder MUST
send a Security Association payload with the selected proposal, which
may consist of multiple Proposal payloads and their associated
Transform payloads. Each of the Proposal payloads MUST contain a
single Transform payload associated with the Protocol. The responder
SHOULD retain the Proposal # field in the Proposal payload and the
Transform # field in each Transform payload of the selected Proposal.
Retention of Proposal and Transform numbers should speed the
initiator's protocol processing by negating the need to compare the
responder's selection with every offered option. These values enable
the initiator to perform the comparison directly and quickly. The
initiator MUST verify that the Security Association payload received
from the responder matches one of the proposals sent initially.
RFC2409
5. Exchanges
(omit)
During security association negotiation, initiators present offers
for potential security associations to responders. Responders MUST
NOT modify attributes of any offer, attribute encoding excepted (see
Appendix A). If the initiator of an exchange notices that attribute
values have changed or attributes have been added or deleted from an
offer made, that response MUST be rejected.
=end html
=head1 SEE ALSO
perldoc V6evalTool
=begin html
IKE.html IKE Test Common Utility
=end html
=cut