SG_R_A_RFC2407_4_2_3_1 - [Responder Test] Checking whether SIT_INTEGRITY is supported
SGW
SG_R_A_RFC2407_4_2_3_1.seq [-tooloption ...] -pkt SG_R_A_RFC2407_4_2_3_1.def -tooloption : v6eval tool option
See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def
HOST-2(TN)
|3ffe:501:ffff:104::11
|
Net-v --+------------------------+-------- 3ffe:501:ffff:104::/64
|
|
SGW-2(TN):initiator
|3ffe:501:ffff:103::11
|
Net-w --+--------+------------------------ 3ffe:501:ffff:103::/64
|
|
ROUTER-2(TN)
| 3ffe:501:ffff:102::11
|
Net-x --+--------+------------------------ 3ffe:501:ffff:102::/64
|
|3ffe:501:ffff:102::1
SGW-1(NUT):responder
|3ffe:501:ffff:101::1
|
Net-y --+--------+------------------------ 3ffe:501:ffff:101::/64
|
| 3ffe:501:ffff:101::11
ROUTER-1(TN)
|
|
Net-z -----------+---------------+-------- 3ffe:501:ffff:100::/64
|
|3ffe:501:ffff:100::13
HOST-1(TN)
Verification Points
If a responder does not support SIT_INTEGRITY, a SITUATION-NOT-
SUPPORTED Notification Payload SHOULD be returned and the security
association setup MUST be aborted.
Configuration
SA Payload Format(HOST-2:Initiator)
Situation : SIT_INTEGRITY
Initiator and Responder IKE parameter
At least, following parameter must be included in proposal.
| Machine |
Src |
Dest |
Phase I |
Phase II |
| Ex mode |
Key Value |
Enc Alg |
Hash Alg |
Auth Method |
DH Group |
PH1 Lt |
IDx |
Proto ID |
Trans ID |
Mode |
Auth Alg |
PH2 Lt |
IDci |
IDcr |
Upper |
| SGW-1 |
SGW-1 addr |
SGW-2 addr |
Aggressive |
IKE-TEST |
3DES |
SHA |
pre-shared key |
2 |
8 Hour |
SGW-1 addr |
PROTO_IPSEC_ESP |
ESP_3DES |
Tunnel |
HMAC-SHA |
8 Hour |
Net-v addr |
Net-z addr |
any |
| SGW-2 |
SGW-2 addr |
SGW-1 addr |
Aggressive |
IKE-TEST |
3DES |
SHA |
pre-shared key |
2 |
8 Hour |
SGW-2 addr |
PROTO_IPSEC_ESP |
ESP_3DES |
Tunnel |
HMAC-SHA |
8 Hour |
Net-v addr |
Net-z addr |
any |
*Ex Mode = Exchange mode
*IDx = identity payload(FQDN or user FQDN can also be chosen as IDx)
*IDci = identity payload
*IDcr = identity payload
*Enc Alg = IKE Encryption Algorithm
*Hash Alg = IKE Authentication Algorithm
*Key Value = pre-shared key value
*PH1 Lt = Phase-1 Lifetime
*PH2 Lt = Phase-2 Lifetime
*Proto ID = Protocol Identifier
*Trans ID = Transform Identifier
*Mode = Encapsulation Mode
*Auth Alg = Authentication Algorithm
*Auth Method = Authentication Method
*DH Group = Diffie-Hellman Group
*Upper = Upper Layer Protocol
*SGW-1 addr = SGW-1 address
*SGW-2 addr = SGW-2 address
*Net-z = Net-z network address
*Net-v = Net-v network address
This test check is following.
AGGRESSIVE EXCHANGE
# Initiator(TN) Direction Responder(NUT)
(1) HDR; SA, KE, Ni, IDii ========> <-----Situation : SIT_INTEGRITY
(2-A) X <======== HDR; SA, KE, Nr, IDir, HASH_R <-----Must not transmit if NUT doesn't support
situation SIT_INTEGRITY.
or
(2-B) <======== HDR; N/D
Judgement (Check *1)
1. Send the first message from TN
In the first message (1), the initiator generates a proposal it
considers adequate to protect traffic for the given situation. The
Security Association, Proposal, and Transform payloads are included
in the Security Association payload (for notation purposes).
Keying material used to arrive at a common shared secret and random
information which is used to guarantee liveness and protect against
replay attacks are also transmitted. Additionally, the initiator
transmits identification information.
2. Receive the second message from NUT
In the second message (2-B), the responder indicates either an ISAKMP
Notify Payload or an ISAKMP delete Payload.
If Responder(NUT) doesn't support situation SIT_INTEGRITY, then the first message
must not be accepted.
(* And the second message(SITUATION-NOT-SUPPORTED Notification
Payload)(2-B) is returned).
*option : if you want to check the retruned Notify message.
Clean up SAD and SPD
RFC2407
4.2.3 SIT_INTEGRITY
The SIT_INTEGRITY type specifies that the security association is
being negotiated in an environment that requires labeled integrity.
If SIT_INTEGRITY is present in the Situation bitmap, the Situation
field will be followed by variable-length data that includes an
integrity level and compartment bitmask. If SIT_SECRECY is also in
use for the association, the integrity information immediately
follows the variable-length secrecy level and categories. See
section 4.6.1 for a complete description of the Security Association
Payload format.
If an initiator does not support SIT_INTEGRITY, SIT_INTEGRITY MUST
NOT be set in the Situation bitmap and no integrity level or category
bitmaps shall be included.
If a responder does not support SIT_INTEGRITY, a SITUATION-NOT-
SUPPORTED Notification Payload SHOULD be returned and the security
association setup MUST be aborted.
perldoc V6evalTool
IKE.html IKE Test Common Utility