SG_R_RFC2407_4_2_2_1 - [Responder Test] Checking whether SIT_SECRECY is supported
SGW
SG_R_RFC2407_4_2_2_1.seq [-tooloption ...] -pkt SG_R_RFC2407_4_2_2_1.def -tooloption : v6eval tool option
See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def
HOST-2(TN)
|3ffe:501:ffff:104::11
|
Net-v --+------------------------+-------- 3ffe:501:ffff:104::/64
|
|
SGW-2(TN):initiator
|3ffe:501:ffff:103::11
|
Net-w --+--------+------------------------ 3ffe:501:ffff:103::/64
|
|
ROUTER-2(TN)
| 3ffe:501:ffff:102::11
|
Net-x --+--------+------------------------ 3ffe:501:ffff:102::/64
|
|3ffe:501:ffff:102::1
SGW-1(NUT):responder
|3ffe:501:ffff:101::1
|
Net-y --+--------+------------------------ 3ffe:501:ffff:101::/64
|
| 3ffe:501:ffff:101::11
ROUTER-1(TN)
|
|
Net-z -----------+---------------+-------- 3ffe:501:ffff:100::/64
|
|3ffe:501:ffff:100::13
HOST-1(TN)
Verification Points
If a responder does not support SIT_SECRECY, a SITUATION-NOT-
SUPPORTED Notification Payload SHOULD be returned and the security
association setup MUST be aborted.
Configuration
SA Payload Format(HOST-2:Initiator)
Situation : SIT_SECRECY
Initiator and Responder IKE parameter
At least, following parameter must be included in proposal.
| Machine |
Src |
Dest |
Phase I |
Phase II |
| Ex mode |
Key Value |
Enc Alg |
Hash Alg |
Auth Method |
DH Group |
PH1 Lt |
IDx |
Proto ID |
Trans ID |
Mode |
Auth Alg |
PH2 Lt |
IDci |
IDcr |
Upper |
| SGW-1 |
SGW-1 addr |
SGW-2 addr |
Main |
IKE-TEST |
3DES |
SHA |
pre-shared key |
2 |
8 Hour |
SGW-1 addr |
PROTO_IPSEC_ESP |
ESP_3DES |
Tunnel |
HMAC-SHA |
8 Hour |
Net-v addr |
Net-z addr |
any |
| SGW-2 |
SGW-2 addr |
SGW-1 addr |
Main |
IKE-TEST |
3DES |
SHA |
pre-shared key |
2 |
8 Hour |
SGW-2 addr |
PROTO_IPSEC_ESP |
ESP_3DES |
Tunnel |
HMAC-SHA |
8 Hour |
Net-v addr |
Net-z addr |
any |
*Ex Mode = Exchange mode
*IDx = identity payload(FQDN or user FQDN can also be chosen as IDx)
*IDci = identity payload
*IDcr = identity payload
*Enc Alg = IKE Encryption Algorithm
*Hash Alg = IKE Authentication Algorithm
*Key Value = pre-shared key value
*PH1 Lt = Phase-1 Lifetime
*PH2 Lt = Phase-2 Lifetime
*Proto ID = Protocol Identifier
*Trans ID = Transform Identifier
*Mode = Encapsulation Mode
*Auth Alg = Authentication Algorithm
*Auth Method = Authentication Method
*DH Group = Diffie-Hellman Group
*Upper = Upper Layer Protocol
*SGW-1 addr = SGW-1 address
*SGW-2 addr = SGW-2 address
*Net-z = Net-z network address
*Net-v = Net-v network address
This test check is following.
IDENTITY PROTECTION EXCHANGE
# Initiator(TN) Direction Responder(NUT)
(1) HDR; SA ========> <-----Situation : SIT_SECRECY
(2-A) X <======== HDR; SA <-----Must not transmit if NUT doesn't support
situation SIT_SECRECY.
or
(2-B) <======== HDR; N/D
Judgement (Check *1)
1. Send the first message from TN
In the first message (1), the initiator generates a proposal it
considers adequate to protect traffic for the given situation. The
Security Association, Proposal, and Transform payloads are included
in the Security Association payload (for notation purposes).
2. Receive the second message from NUT
In the second message (2-B), the responder indicates either an ISAKMP
Notify Payload or an ISAKMP delete Payload.
If Responder(NUT) doesn't support situation SIT_SECRECY, then the first message
must not be accepted.
(* And the second message(SITUATION-NOT-SUPPORTED Notification
Payload)(2-B) is returned).
*option : if you want to check the retruned Notify message.
Clean up SAD and SPD
RFC2407
4.2.2 SIT_SECRECY
The SIT_SECRECY type specifies that the security association is being
negotiated in an environment that requires labeled secrecy. If
SIT_SECRECY is present in the Situation bitmap, the Situation field
will be followed by variable-length data that includes a sensitivity
level and compartment bitmask. See Section 4.6.1 for a complete
description of the Security Association Payload format.
If an initiator does not support SIT_SECRECY, SIT_SECRECY MUST NOT be
set in the Situation bitmap and no secrecy level or category bitmaps
shall be included.
If a responder does not support SIT_SECRECY, a SITUATION-NOT-
SUPPORTED Notification Payload SHOULD be returned and the security
association setup MUST be aborted.
perldoc V6evalTool
IKE.html IKE Test Common Utility