NAME

  SG_R_RFC2409_4_8 - [Responder Test]Transform payload SA Attributes check (3DES,SHA,RSA sign,DH2)

TARGET

SGW

SYNOPSIS

  SG_R_RFC2409_4_8.seq [-tooloption ...] -pkt SG_R_RFC2409_4_8.def -tooloption : v6eval tool option
  See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def

INITIALIZATION

Network Topology

                                 HOST-2(TN)
                                   |3ffe:501:ffff:104::11
                                   |
Net-v   --+------------------------+-------- 3ffe:501:ffff:104::/64
          |
          |
         SGW-2(TN):initiator
          |3ffe:501:ffff:103::11
          |                     
Net-w   --+--------+------------------------ 3ffe:501:ffff:103::/64
                   |
                   |
                  ROUTER-2(TN)
                   | 3ffe:501:ffff:102::11
                   |
Net-x   --+--------+------------------------ 3ffe:501:ffff:102::/64
          |
          |3ffe:501:ffff:102::1
         SGW-1(NUT):responder
          |3ffe:501:ffff:101::1
          |
Net-y   --+--------+------------------------ 3ffe:501:ffff:101::/64
                   |
                   | 3ffe:501:ffff:101::11
                  ROUTER-1(TN)
                   |
                   |
Net-z   -----------+---------------+-------- 3ffe:501:ffff:100::/64
                                   |
                                   |3ffe:501:ffff:100::13
                                 HOST-1(TN)

Verification Points

IKE implementations SHOULD support the following attribute values

Parameter Value

ISAKMP SA Attributes - 3DES in CBC mode
- SHA
- RSA signatures.
- MODP over group number two.

Configuration

Initiator and Responder generate the public key and the secret key

Initiator and Responder exchange the certificate of each other.

Initiator and Responder IKE parameter

At least, following parameter must be included in proposal.

Machine

Src

Dest

Phase I

Phase II

Ex mode

Key Value

Enc Alg

Hash Alg

Auth Method

DH Group

PH1 Lt

IDx

Proto ID

Trans ID

Mode

Auth Alg

PH2 Lt

IDci

IDcr

Upper

SGW-1

SGW-1 addr

SGW-2 addr

Main

3DES

SHA

RSA signatures

8 Hour

SGW-1 addr

PROTO_IPSEC_ESP

ESP_3DES

Tunnel

HMAC-SHA

8 Hour

Net-v addr

Net-z addr

any

SGW-2

SGW-2 addr

SGW-1 addr

Main

3DES

SHA

RSA signatures

8 Hour

SGW-2 addr

PROTO_IPSEC_ESP

ESP_3DES

Tunnel

HMAC-SHA

8 Hour

Net-v addr

Net-z addr

any

*Ex Mode = Exchange mode *IDx = identity payload(FQDN or user FQDN can also be chosen as IDx) *IDci = identity payload *IDcr = identity payload *Enc Alg = IKE Encryption Algorithm *Hash Alg = IKE Authentication Algorithm *Key Value = pre-shared key value *PH1 Lt = Phase-1 Lifetime *PH2 Lt = Phase-2 Lifetime *Proto ID = Protocol Identifier *Trans ID = Transform Identifier *Mode = Encapsulation Mode *Auth Alg = Authentication Algorithm *Auth Method = Authentication Method *DH Group = Diffie-Hellman Group *Upper = Upper Layer Protocol *SGW-1 addr = SGW-1 address *SGW-2 addr = SGW-2 address *Net-z = Net-z network address *Net-v = Net-v network address

TEST PROCEDURE

  This test check is following.


           IDENTITY PROTECTION EXCHANGE


 #   Initiator(TN)   Direction    Responder(NUT)
(1)  HDR; SA         ========>


(2)                  <========       HDR; SA
                Judgement (Check *1)


   1. Send the first message from TN
      In the first message (1), the initiator generates a proposal it
      considers adequate to protect traffic for the given situation.  The
      Security Association, Proposal, and Transform payloads are included
      in the Security Association payload (for notation purposes).


   2. Receive the second message from NUT
      In the second message (2), the responder indicates the protection
      suite it has accepted with the Security Association, Proposal, and
      Transform payloads.

JUDGEMENT

        The first message must be accepted. And the second message must be returned.
        The second message Attributes(3DES:1,SHA:2,RSA sign:3,DH2:2) must be correct.
        And must conform to above Configuration.

TERMINATION

  Clean up SAD and SPD

REFERENCE

  RFC2409 
  4.Introduction


  (omit)


     IKE implementations MUST support the following attribute values:


      - DES [DES] in CBC mode with a weak, and semi-weak, key check
      (weak and semi-weak keys are referenced in [Sch96] and listed in
      Appendix A). The key is derived according to Appendix B.


      - MD5 [MD5] and SHA [SHA].


      - Authentication via pre-shared keys.


      - MODP over default group number one (see below).


   In addition, IKE implementations SHOULD support: 3DES for encryption;
   Tiger ([TIGER]) for hash; the Digital Signature Standard, RSA [RSA]
   signatures and authentication with RSA public key encryption; and
   MODP group number 2.  IKE implementations MAY support any additional
   encryption algorithms defined in Appendix A and MAY support ECP and
   EC2N groups.


  (omit)

Parameter		Value
ISAKMP	SA Attributes	- 3DES in CBC mode - SHA - RSA signatures. - MODP over group number two.