Hello, TAHI project members.

Could anyone show agreement or opposition to my report
about the lack of the keyword 'unique' in the test script 5.1.2
of IPsec Self Test v.1.1.0?

As stated in my previous mail, I think the test script
must be fixed in order to satisfy its requirement.
Replies from test script maintenance members are very welcome.

Best regards,
Satoru OKAMOTO.

> Hello, TAHI project members.
>
>
> We plan to obtain the IPv6 Ready Logo for some of our products.
> In preparation, I am executing the test scripts from the TAHI project
> with a FreeBSD PC as the NUT.
>
> But I have a problem in executing one of the test scripts
> in the most recent version of IPsec Self Test (v.1.1.0).
> The test script seems to lack some necessary configuration.
>
>
> In one of the newly added tests
> "5.1.2 Select SPD (ICMP Type), ESP=3DES-CBC HMAC-SHA1",
> NUT is required to make four associations of SA's and SP's as below:
>
> ------------------------------------------------------------
> SA1-I(src=TN, dst=NUT, SPI=0x1000)
> <-> SP1-I(src=TN, dst=NUT, upperspec=ICMPv6 Echo request, dir=in)
>
> SA1-O(src=NUT, dst=TN, SPI=0x2000)
> <-> SP1-O(src=NUT, dst=TN, upperspec=ICMPv6 Echo request, dir=out)
>
> SA2-I(src=TN, dst=NUT, SPI=0x3000)
> <-> SP2-I(src=TN, dst=NUT, upperspec=ICMPv6 Echo reply, dir=in)
>
> SA2-O(src=NUT, dst=TN, SPI=0x4000)
> <-> SP2-O(src=NUT, dst=TN, upperspec=ICMPv6 Echo reply, dir=out)
> ------------------------------------------------------------
>
> In particular, two different outbound SA's are given and
> NUT has to select one of the two depending on
> whether the outgoing packet is of ICMPv6 echo request
> or of ICMPv6 echo reply.
>
>
> In cases where a certain SP is to be associated with a certain SA,
> for FreeBSD hosts, we must use the keyword "unique" in the setkey command.
> Something like this is required for other hosts as well.
>
> The test script, however, does not contain any instructions
> to insert the keyword "unique" into the setkey command;
> as a result, the test execution ends in failure
> since NUT has no way to select appropriate SA's.
>
>
> On the other hand, the remote scripts seem to be able to
> handle the keyword "unique" properly,
> if we add "unique=(value)" and "level=unique" options
> in calling ipsecSetSAD() and ipsecSetSPD() from test scripts.
>
> So I modified the test script ipsec.p2/p2_HTR_E_SelectSPD.seq
> to indicate the need for the keyword "unique" and
> executed the test again; it then finished successfully.
> The diff output compared to the original is attached to this mail.
>
> Note: The remote script "ipsecSetSPD.rmt" for system "kame-freebsd"
> had to be modified as well, because the one from the TAHI project
> does not handle ICMPv6 type/code options in SP configuration.
> Its diff output is also attached to this mail.
>
>
> Test scripts are not what we Logo applicants are allowed to modify,
> so I think the test scripts need fixing.
>
>
> I would appreciate any help or suggestions.
>
>
> Best regards,
>
> Satoru OKAMOTO.
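
Added example, not part of the original mail, its attached diffs or the TAHI scripts: a setkey(8) input file for a KAME/FreeBSD NUT showing how the "unique" level binds each outbound policy from the table above to its own SA. The addresses, keys and the IDs 1 and 2 are constructed placeholders; only the outbound pair (SPI 0x2000 and 0x4000) is shown.

```conf
# Constructed values: NUT = 2001:db8::1, TN = 2001:db8::2, keys and
# unique IDs are placeholders. SPIs follow the table in the mail.
flush;
spdflush;

# Outbound SAs, ESP with 3DES-CBC and HMAC-SHA1 as in test 5.1.2.
# "-u N" tags the SA with the ID that a "unique:N" policy refers to.
# 3des-cbc takes a 24-byte key, hmac-sha1 a 20-byte key.
add 2001:db8::1 2001:db8::2 esp 0x2000 -m transport -u 1
    -E 3des-cbc "constructed-3des-key-001"
    -A hmac-sha1 "constructed-sha1-k01";      # SA1-O
add 2001:db8::1 2001:db8::2 esp 0x4000 -m transport -u 2
    -E 3des-cbc "constructed-3des-key-002"
    -A hmac-sha1 "constructed-sha1-k02";      # SA2-O

# Outbound policies selected by ICMPv6 type,code
# (128 = Echo Request, 129 = Echo Reply; a code of 0 acts as a wildcard).
# "unique:N" restricts each policy to the SA tagged with the same ID.
spdadd 2001:db8::1 2001:db8::2 icmp6 128,0
    -P out ipsec esp/transport//unique:1;     # SP1-O -> SA1-O
spdadd 2001:db8::1 2001:db8::2 icmp6 129,0
    -P out ipsec esp/transport//unique:2;     # SP2-O -> SA2-O

# For comparison, the same policies at level "require". Both ask only for
# "an ESP transport SA from NUT to TN", which SA1-O and SA2-O both satisfy,
# so nothing ties Echo Request to SPI 0x2000 or Echo Reply to SPI 0x4000.
# spdadd 2001:db8::1 2001:db8::2 icmp6 128,0
#     -P out ipsec esp/transport//require;
# spdadd 2001:db8::1 2001:db8::2 icmp6 129,0
#     -P out ipsec esp/transport//require;
```

Loaded with `setkey -f <file>`, the result can be checked with `setkey -D` and `setkey -DP`, then by capturing on the TN side to confirm which SPI carries each ICMPv6 type.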