NAME

HA_6_3_10 - HoTI (unauthorization)

TARGET

Router

TOPOLOGY

                       MN1X    CN1X
                        |       |
        --------+-------+-------+------- Link1X
                |
                R1
                |
--------+-------+----------------------- Link1
        |
       NUT
        |
--------+---------------+--------------- Link0
                        |
                       MN0

Link0 global 3ffe:501:ffff:100::/64 home link

Link1 global 3ffe:501:ffff:101::/64 foreign link

Link1X global 3ffe:501:ffff:1101::/64 foreign link

R1 (Link1) global 3ffe:501:ffff:101::a1a1

ether 00:00:00:00:a1:a1

MN0 global 3ffe:501:ffff:100:200:ff:fe00:a2a2 home address

MN1X global 3ffe:501:ffff:1101:200:ff:fe00:a2a2 care-of address

CN1X global 3ffe:501:ffff:1101:<TnDef.Link0_addr>

INITIALIZATION

Reboot NUT (reboot.rmt)
Enable HA function (mip6EnableHA.rmt)
Configure routing table of NUT (route.rmt)

Check Link1 routing table

  NUT
(Link0)   MN1X
   |       |
   | <---- | Echo Request
   | ----> | Echo Reply
   |       |

1. MN1X sends Echo Request
2. MN1X receives Echo Reply

Initialize IPsec configuration (ipsecEnable.rmt, ipsecClearAll.rmt)
Set IPsec configuration (ipsecSetSAD.rmt, ipsecSetSPD.rmt)
- ESP transport mode (BU/BA)
- ESP tunnel mode (HoTI/HoT)

home registration

  NUT
(Link0)   MN1X
   |       |
   | <---- | BU (A=1, lifetime=0x0010) (SPI=0x101)
   | ----> | BA (SPI=0x102)
   |       |

1. MN1X sends BU
2. MN1X receives BA

Check BCE

  NUT
(Link0)   MN1X
   |       |
   | <---- | Echo Request w/ HaO
   | ----> | Echo Reply w/ RH
   |       |

1. MN1X sends Echo Request w/ HaO
2. MN1X receives Echo Reply w/ RH

TEST PROCEDURE

Tunnel Processing

          NUT
  MN0   (Link0)   MN1X    CN1X
   |       |       |       |
   |       | <==== |       | HoTI (encapsulated)
   | --------------------X | no response
   |       |       |       |

1. MN1X sends HoTI (encapsulated)
    packet format is:
        Home_Test_Init_message_format.gif
2. no response

JUDGEMENT

PASS: no response

REFERENCE

10.4.5 Handling Reverse Tunneled Packets

   Unless a binding has been established between the mobile node and a
   correspondent node, traffic from the mobile node to the correspondent
   node goes through a reverse tunnel.  Home agents MUST support reverse
   tunneling as follows:

   o  The tunneled traffic arrives to the home agent's address using
      IPv6 encapsulation [15].

   o  Depending on the security policies used by the home agent, reverse
      tunneled packets MAY be discarded unless accompanied by a valid
      ESP header.  The support for authenticated reverse tunneling
      allows the home agent to protect the home network and
      correspondent nodes from malicious nodes masquerading as a mobile
      node.

   o  Otherwise, when a home agent decapsulates a tunneled packet from
      the mobile node, the home agent MUST verify that the Source
      Address in the tunnel IP header is the mobile node's primary
      care-of address.  Otherwise any node in the Internet could send
      traffic through the home agent and escape ingress filtering
      limitations.  This simple check forces the attacker to at least
      know the current location of the real mobile node and be able to
      defeat ingress filtering.

`Link0`	`global`	`3ffe:501:ffff:100::/64`	`home link`
`Link1`	`global`	`3ffe:501:ffff:101::/64`	`foreign link`
`Link1X`	`global`	`3ffe:501:ffff:1101::/64`	`foreign link`
`R1 (Link1)`	`global`	`3ffe:501:ffff:101::a1a1`
`R1 (Link1)`	`ether`	`00:00:00:00:a1:a1`
`MN0`	`global`	`3ffe:501:ffff:100:200:ff:fe00:a2a2`	`home address`
`MN1X`	`global`	`3ffe:501:ffff:1101:200:ff:fe00:a2a2`	`care-of address`
`CN1X`	`global`	`3ffe:501:ffff:1101:<TnDef.Link0_addr>`