Title

  Test IKEv2.EN.R.1.2.7.1: Receipt of cryptographically valid message on the new SA
  Part A: (ADVANCED)


Purpose

  To verify an IKEv2 device properly handles CREATE_CHILD_SA to create a new
  CHILD_SA.


References

  * [RFC 4306] - Sections 2.8 and 2.18


Test Setup

  * Network Topology
      Connect the devices according to the Common Topology.
  * Configuration
      In each part, configure the devices according to the Common Configuration.
  * Pre-Sequence and Cleanup Sequence
      IKEv2 on the NUT is disabled after each part.


Procedure

   NUT                  TN1
(End-Node)           (End-Node)
    |                    |
    |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
    |                    | (Packet #1)
    |------------------->| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
    |                    | (Judgement #1)
    |                    |
    |<-------------------| IKE_AUTH request (HDR, SK {IDi, AUTH, N, SAi2, TSi, TSr})
    |                    | (Packet #2)
    |------------------->| IKE_AUTH Response (HDR, SK {IDr, AUTH, N, SAr2, TSi, TSr})
    |                    | (Judgement #2)
    |                    |
    |<-------------------| IPsec {TCP-SYN}
    |                    | (Packet #3)          
    |------------------->| IPsec {TCP-RST}    
    |                    | (Judgement #3)         
    |                    |
    |<-------------------| IPsec {Echo Request}
    |                    | (Packet #4)          
    |----------X         | IPsec {Echo Reply}    
    |                    | (Judgement #4)         
    |                    |   
    |<-------------------| CREATE_CHILD_SA request (HDR, SK {N, SA, Ni, TSi, TSr})
    |                    | (Packet #5)
    |------------------->| CREATE_CHILD_SA response (HDR, SK {N, SA, Nr, TSi, TSr})
    |                    | (Judgement #5)
    |                    |
    |<-------------------| IPsec {TCP-SYN}
    |                    | (Packet #6)          
    |------------------->| IPsec {TCP-RST}    
    |                    | (Judgement #6)         
    |                    |
    |<-------------------| IPsec {Echo Request}
    |                    | (Packet #7)          
    |------------------->| IPsec {Echo Reply}    
    |                    | (Judgement #7)         
    |                    |
    V                    V

N: USE_TRANSPORT_MODE
Packet #1 See Common Packet #1
Packet #2 See below
Packet #3 See below
Packet #4 See Common Packet #19
Packet #5 See below
Packet #6 See below
Packet #7 See Common Packet #19
Packet #2: IKE_AUTH response
IPv6 Header Same as the Common Packet #3
UDP Header Same as the Common Packet #3
IKEv2 Header Same as the Common Packet #3
E Payload Same as the Common Packet #3
IDi Payload Same as the Common Packet #3
AUTH Payload Same as the Common Packet #3
N Payload Same as the Common Packet #3
SA Payload Same as the Common Packet #3
TSi Payload Other fields are same as the Common Packet #3
Traffic Selectors See below
TSr Payload Other fields are same as the Common Packet #3
Traffic Selectors See below
TSi Payload Traffic Selector TS Type 8 (IPV6_ADDR_RANGE)
IP Protocol ID 6 (TCP)
Selector Length 40
Start Port 0
End Port 65535
Starting Address TN1's Global Address on Link A
Ending Address TN1's Global Address on Link A
TSr Payload Traffic Selector TS Type 8 (IPV6_ADDR_RANGE)
IP Protocol ID 6 (TCP)
Selector Length 40
Start Port 0
End Port 65535
Starting Address NUT's Global Address on Link X
Ending Address NUt's Global Address on Link X

Packet #3: TCP SYN packet
IPv6 Header Source Address TN1's Global Address on Link X
Destination Address NUT's Global Address on Link A
ESP Security Parameter Index CHILD_SA's SPI value used by this message
Sequence Number The value incremented the previous encrypted packet's Sequence Number by one.
Payload Data Subsequent data encrypted by underlying encryption algorithm
Padding Any value which to be a multiple of the encryption block size
Pad Length The length of the Padding field
Next Header 6 (TCP)
Integrity Check Value The checksum must be valid by calculation according to the manner described in RFC.
TCP Header Source Port 30000
Destination Port 30000
Flags SYN (0x02)

Packet #5: CREATE_CHILD_SA response
IPv6 Header Same as the Common Packet #7
UDP Header Same as the Common Packet #7
IKEv2 Header Same as the Common Packet #7
E Payload Same as the Common Packet #7
IDi Payload Same as the Common Packet #7
AUTH Payload Same as the Common Packet #7
N Payload Same as the Common Packet #7
SA Payload Same as the Common Packet #7
TSi Payload Other fields are same as the Common Packet #7
Traffic Selectors See below
TSr Payload Other fields are same as the Common Packet #7
Traffic Selectors See below
TSi Payload Traffic Selector TS Type 8 (IPV6_ADDR_RANGE)
IP Protocol ID 58 (IPV6-ICMP)
Selector Length 40
Start Port 0
End Port 65535
Starting Address TN1's Global Address on Link X
Ending Address TN1's Global Address on Link X
TSr Payload Traffic Selector TS Type 8 (IPV6_ADDR_RANGE)
IP Protocol ID 58 (IPV6-ICMP)
Selector Length 40
Start Port 0
End Port 65535
Starting Address NUT's Global Address on Link A
Ending Address NUT's Global Address on Link A

Packet #6: TCP SYN packet
IPv6 Header Source Address TN1's Global Address on Link X
Destination Address NUT's Global Address on Link A
ESP Security Parameter Index CHILD_SA's SPI value used by this message
Sequence Number The value incremented the previous encrypted packet's Sequence Number by one.
Payload Data Subsequent data encrypted by underlying encryption algorithm
Padding Any value which to be a multiple of the encryption block size
Pad Length The length of the Padding field
Next Header 6 (TCP)
Integrity Check Value The checksum must be valid by calculation according to the manner described in RFC.
TCP Header Source Port 30000
Destination Port 30000
Flags SYN (0x02)

  Part A: (ADVANCED)
     1. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request.
     2. Observe the messages transmitted on Link A.
     3. After reception of IKE_SA_INIT response from the NUT, TN1 transmits an IKE_AUTH
         request to the NUT.
     4. Observe the messages transmitted on Link A.
     5. TN1 transmits a TCP-SYN packet with IPsec ESP using corresponding algorithms to closed
         port 30000 on NUT.
     6. Observe the messages transmitted on Link A.
     7. TN1 transmits an Echo Request with IPsec ESP using corresponding algorithms to NUT.
     8. Observe the messages transmitted on Link A.
     9. TN1 transmits a CREATE_CHILD_SA request to the NUT.
     10. Observe the messages transmitted on Link A.
     11. TN1 transmits a TCP-SYN packet with IPsec ESP using corresponding algorithms to closed
         port 30000 on NUT.
     12. Observe the messages transmitted on Link A.
     13. TN1 transmits an Echo Request with IPsec ESP using corresponding algorithms to NUT.
     14. Observe the messages transmitted on Link A.


Observable Result

  Part A
       Step 2: Judgment #1
       The NUT transmits an IKE_SA_INIT response including "ENCR_3DES",
       "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted
       algorithms.
       Step 4: Judgment #2
       The NUT transmits an IKE_AUTH response including "ENCR_3DES",
       "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
       Step 6: Judgment #3
       The NUT transmits a TCP-RST packet with IPsec ESP using corresponding algorithms.
       Step 8: Judgment #4
       The NUT never transmits an Echo Reply with IPsec ESP using corresponding algorithms.
       Step 10: Judgment #5
       The NUT transmits a CREATE_CHILD_SA response including "ENCR_3DES",
       "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed algorithms.
       Step 12: Judgment #6
       The NUT transmits a TCP-RST packet with IPsec ESP using corresponding algorithms.
       Step 14: Judgment #7
       The NUT transmits an Echo Reply with IPsec ESP using corresponding algorithms.


Possible Problems

  * If the NUT uses TCP port 30000 for other applications, the TN1 transmits TCP-SYN
    packets to other closed TCP port on the NUT.