Title

  Test IKEv2.EN.R.1.1.7.2: TS_UNACCEPTABLE
  Part A (BASIC)


Purpose

  To verify an IKEv2 device properly handles the Traffice Selector.


References

  * [RFC 4306] - Sections 2.8 and 3.10.1


Test Setup

  * Network Topology
      Connect the devices according to the Common Topology.
  * Configuration
      In each part, configure the devices according to the Common Configuration except
      Traffic Selector. Traffic Selector should be configured as following.
Traffic Selector
Source
Destination
Address
Range
Next Layer
Protocol
Port
Range
Address
Range
Next Layer
Protocol
Port
Range
Inbound TN1 TCP ANY NUT TCP ANY
Outbound NUT TCP ANY TN1 TCP ANY

  * Pre-Sequence and Cleanup Sequence
      IKEv2 on the NUT is disabled after each part.


Procedure

   NUT                  TN1
(End-Node)           (End-Node)
    |                    |
    |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
    |                    | (Packet #1)
    |------------------->| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
    |                    | (Judgement #1)
    |                    |
    |<-------------------| IKE_AUTH request (HDR, SK {IDi, AUTH, N, SAi2, TSi, TSr})
    |                    | (Packet #2)
    |------------------->| IKE_AUTH Response (HDR, SK {IDr, AUTH, N, SAr2, TSi, TSr})
    |                    | (Judgement #2)
    |                    |
    |<-------------------| CREATE_CHILD_SA request (HDR, SK {N, SA, Ni, TSi, TSr})
    |                    | (Packet #3)
    |---------X          | CREATE_CHILD_SA response (HDR, SK {N, SA, Nr, KEr, TSi, TSr})
    |                    |   or
    |------------------->| CREATE_CHILD_SA response (HDR, SK { N(TS_UNACCEPTABLE) })
    |                    | (Judgement #3)
    |                    |
    V                    V

N: USE_TRANSPORT_MODE
Packet #1 See Common Packet #1
Packet #2 See below
Packet #3 See below


* Packet #2: IKE_AUTH request
IPv6 Header Same as the Common Packet #3
UDP Header Same as the Common Packet #3
IKEv2 Header Same as the Common Packet #3
E Payload Same as the Common Packet #3
IDi Payload Same as the Common Packet #3
AUTH Payload Same as the Common Packet #3
N Payload Same as the Common Packet #3
SA Payload Same as the common packet #3
TSi Payload Other fields are same as the Common Packet #3
Traffic Selectors See below
TSr Payload Other fields are same as the Common Packet #3
Traffic Selectors See below


TSi Payload Traffic Selector TS Type 8 (IPV6_ADDR_RANGE)
IP Protocol ID 6 (TCP)
Selector Length 40
Start Port 0
End Port 65535
Starting Address TN1's Global Address on Link X
Ending Address TN1's Global Address on Link X


TSr Payload Traffic Selector TS Type 8 (IPV6_ADDR_RANGE)
IP Protocol ID 6 (TCP)
Selector Length 40
Start Port 0
End Port 65535
Starting Address NUT's Global Address on Link A
Ending Address NUT's Global Address on Link A


* Packet #3: TCP SYN packet
IPv6 Header Same as the Common Packet #7
UDP Header Same as the Common Packet #7
IKEv2 Header Same as the Common Packet #7
E Payload Same as the Common Packet #7
IDi Payload Same as the Common Packet #7
AUTH Payload Same as the Common Packet #7
N Payload Same as the Common Packet #7
SA Payload Same as the common packet #7
TSi Payload Other fields are same as the Common Packet #7
Traffic Selectors See below
TSr Payload Other fields are same as the Common Packet #7
Traffic Selectors See below


TSi Payload Traffic Selector TS Type 8 (IPV6_ADDR_RANGE)
IP Protocol ID 58 (ICMPv6)
Selector Length 40
Start Port 0
End Port 65535
Starting Address TN1's Global Address on Link X
Ending Address TN1's Global Address on Link X


TSr Payload Traffic Selector TS Type 8 (IPV6_ADDR_RANGE)
IP Protocol ID 58 (ICMPv6)
Selector Length 40
Start Port 0
End Port 65535
Starting Address NUT's Global Address on Link A
Ending Address NUT's Global Address on Link A

  Part A (BASIC)
       1. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request.
       2. Observe the messages transmitted on Link A.
       3. After a reception of IKE_SA_INIT response from the NUT, TN1 transmits IKE_AUTH
          request to the NUT.
       4. Observe the messages transmitted on Link A.
       5. After reception of IKE_AUTH response from the NUT, TN1 transmits
          CREATE_CHILD_SA request including ICMPv6 (58) as IP Protocol ID value in Traffic
          Selector Payload to create new CHILD_SA.
       6. Observe the messages transmitted on Link A.


Observable Result


  Part A
    Step 2: Judgment #1
      The NUT transmits an IKE_SA_INIT response including "ENCR_3DES",
      "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted
      algorithms.

    Step 4: Judgment #2
      The NUT transmits an IKE_AUTH response including "ENCR_3DES",
      "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.

    Step 6: Judgment #3
      The NUT does not transmits a CREATE_CHILD_SA response or transmits a
      CREATE_CHILD_SA response including a Notify payload of type TS_UNACCEPTABLE.


Possible Problems

  * None.