
Date: Mon, 04 Jun 2007 15:49:05 +0900
From: okamoto.satoru@jp.fujitsu.com
Subject: [users:00338] Problem executing 5.1.2 of IPsec Self Test v.1.1.0
To: users@tahi.org
Message-Id: <4663B5E1.20105@jp.fujitsu.com>
X-Mail-Count: 00338

Hello, TAHI project members.


We plan to obtain the IPv6 Ready Logo for some of our products.
In preparation, I am executing the test scripts from the TAHI project
with a FreeBSD PC as NUT.

But I have a problem in executing one of the test scripts
in the most recent version of IPsec Self Test (v.1.1.0).
The test script seems to lack some necessary configuration.


In one of the newly added tests
"5.1.2 Select SPD (ICMP Type), ESP=3DES-CBC HMAC-SHA1",
NUT is required to make four associations of SA's and SP's as below:

   ------------------------------------------------------------
   SA1-I(src=TN, dst=NUT, SPI=0x1000)
     <-> SP1-I(src=TN, dst=NUT, upperspec=ICMPv6 Echo request, dir=in)

   SA1-O(src=NUT, dst=TN, SPI=0x2000)
     <-> SP1-O(src=NUT, dst=TN, upperspec=ICMPv6 Echo request, dir=out)

   SA2-I(src=TN, dst=NUT, SPI=0x3000)
     <-> SP2-I(src=TN, dst=NUT, upperspec=ICMPv6 Echo reply, dir=in)

   SA2-O(src=NUT, dst=TN, SPI=0x4000)
     <-> SP2-O(src=NUT, dst=TN, upperspec=ICMPv6 Echo reply, dir=out)
   ------------------------------------------------------------

In particular, two different outbound SA's are given and
NUT has to select one of the two depending on
whether the outgoing packet is an ICMPv6 echo request
or an ICMPv6 echo reply.


In cases where a certain SP is to be associated with a certain SA,
on FreeBSD hosts we must use the keyword "unique" in the setkey command.
Something of the sort is required for other hosts as well.

The test script, however, does not contain any instructions
to insert the keyword "unique" into the setkey command;
as a result, the test execution ends in failure
since NUT has no way to select the appropriate SA's.


On the other hand, the remote scripts seem to be able to
handle the keyword "unique" properly,
if we add "unique=(value)" and "level=unique" options
in calling ipsecSetSAD() and ipsecSetSPD() from test scripts.

So I modified the test script ipsec.p2/p2_HTR_E_SelectSPD.seq
to indicate the need for the keyword "unique" and
executed the test again; it then finished successfully.
The diff output against the original is attached to this mail.

   Note: The remote script "ipsecSetSPD.rmt" for system "kame-freebsd"
         had to be modified as well, because the one from the TAHI project
         does not handle ICMPv6 type/code options in SP configuration.
         Its diff output is also attached to this mail.


Test scripts are not what we Logo applicants are allowed to modify,
so I think the test scripts need fixing.


I would appreciate any help or suggestion.


Best regards,

Satoru OKAMOTO.

Attachments: 338_2.txt, 338_3.txt
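The point of the mail is that the four SP/SA pairs of test 5.1.2 only work on FreeBSD when each SP is tied to its SA with the "unique" level, since the two outbound SAs share the same source and destination and differ only in the ICMPv6 type of the traffic. The script below is an added example, not the mail's attachments and not TAHI project code: it generates a setkey(8) configuration for the four pairs using the "-u id" option on each SA and "unique:id" on the matching SP, and it checks that every "unique" policy actually has exactly one SA bound to it before the configuration is loaded. The addresses and keys are constructed placeholders, the policy ids 1 to 4 are arbitrary, and the "icmp6 type,code" upperspec syntax is assumed from the KAME setkey grammar (the mail's own note that the kame-freebsd remote script needed type/code handling is the only confirmation on the page).

```shell
#!/bin/sh
# Added example (not from the mail, the TAHI scripts, or FreeBSD): setkey
# configuration for TAHI IPsec Self Test 5.1.2 (Select SPD by ICMP type,
# ESP=3DES-CBC HMAC-SHA1) with each SP bound to its SA via "unique".

TN=2001:db8::1     # constructed address for the Tester Node
NUT=2001:db8::2    # constructed address for the Node Under Test
ENC=0x0123456789abcdef0123456789abcdef0123456789abcdef  # 24-byte 3DES key, constructed
AUTH=0x0123456789abcdef0123456789abcdef01234567         # 20-byte HMAC-SHA1 key, constructed

# gen_setkey_conf prints the four SA/SP pairs. "-u id" on an SA sets its
# policy identifier; "unique:id" on the SP selects exactly that SA instead of
# letting the kernel pick any SA with a matching src/dst (which is what goes
# wrong with plain "require" when two outbound SAs share src and dst).
# Policy ids 1-4 are arbitrary; setkey accepts 1..32767.
gen_setkey_conf() {
    cat <<EOF
flush;
spdflush;

# SA1-I / SP1-I: ICMPv6 echo request (type 128, code 0), inbound, SPI 0x1000
add $TN $NUT esp 0x1000 -m transport -u 1 -E 3des-cbc $ENC -A hmac-sha1 $AUTH;
spdadd $TN $NUT icmp6 128,0 -P in ipsec esp/transport//unique:1;

# SA1-O / SP1-O: ICMPv6 echo request, outbound, SPI 0x2000
add $NUT $TN esp 0x2000 -m transport -u 2 -E 3des-cbc $ENC -A hmac-sha1 $AUTH;
spdadd $NUT $TN icmp6 128,0 -P out ipsec esp/transport//unique:2;

# SA2-I / SP2-I: ICMPv6 echo reply (type 129, code 0), inbound, SPI 0x3000
add $TN $NUT esp 0x3000 -m transport -u 3 -E 3des-cbc $ENC -A hmac-sha1 $AUTH;
spdadd $TN $NUT icmp6 129,0 -P in ipsec esp/transport//unique:3;

# SA2-O / SP2-O: ICMPv6 echo reply, outbound, SPI 0x4000
add $NUT $TN esp 0x4000 -m transport -u 4 -E 3des-cbc $ENC -A hmac-sha1 $AUTH;
spdadd $NUT $TN icmp6 129,0 -P out ipsec esp/transport//unique:4;
EOF
}

# check_unique_bindings reads a setkey script on stdin and exits 0 only if
# every "unique:ID" on an spdadd line is backed by exactly one "add ... -u ID"
# and every "-u ID" is referenced by some SP. This catches the failure the
# mail describes (SPs that cannot be resolved to a specific SA) before the
# configuration is loaded into the kernel.
check_unique_bindings() {
    awk '
    /^add /   { for (i = 1; i <= NF; i++) if ($i == "-u") sa[$(i + 1)]++ }
    /^spdadd/ { if (match($0, /unique:[0-9]+/)) {
                    id = substr($0, RSTART + 7, RLENGTH - 7); sp[id]++ } }
    END {
        rc = 0
        for (id in sp) if (sa[id] != 1) {
            print "SP uses unique:" id " but " sa[id] + 0 " SA(s) carry -u " id; rc = 1 }
        for (id in sa) if (!(id in sp)) {
            print "SA with -u " id " is not referenced by any SP"; rc = 1 }
        exit rc
    }'
}

# Usage:  sh select_spd_5_1_2.sh         -> check the configuration and print it
#         sh select_spd_5_1_2.sh apply   -> check it, then load it with setkey -c
#                                           (FreeBSD, root; setkey is not run otherwise)
if [ "${1:-}" = "apply" ]; then
    gen_setkey_conf | check_unique_bindings && gen_setkey_conf | setkey -c
else
    gen_setkey_conf | check_unique_bindings && gen_setkey_conf
fi
```

Stripping the "-u" options from the generated script (which is what the unmodified TAHI test effectively does on the SA side) makes check_unique_bindings fail for all four policies, while the bound version passes; the same check can be pointed at the output of "setkey -DP" and "setkey -D" style dumps with small changes to the patterns.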