Test IKEv2.EN.R.1.2.1.1: Receipt of CREATE_CHILD_SA request
Part A: IKE Header Format (BASIC)
Part B: Encrypted Payload Format (BASIC)
Part C: Notify Payload (USE_TRANSPORT_MODE) Format (BASIC)
Part D: SA Payload Format (BASIC)
Part E: Nonce Payload Format (BASIC)
Part F: TSi Payload Format (BASIC)
Part G: TSr Payload Format (BASIC)
To verify that an IKEv2 device properly handles the CREATE_CHILD_SA exchange using a Pre-shared key
* [RFC 4306] - Sections 1.3 and 2.8
* Network Topology
  Connect the devices according to the Common Topology.
* Configuration
  In each part, configure the devices according to the Common Configuration.
* Pre-Sequence and Cleanup Sequence
  IKEv2 on the NUT is disabled after each part.
        NUT                     TN1
    (End-Node)               (End-Node)
         |                        |
         |<-----------------------| IKE_SA_INIT request
         |                        | (HDR, SAi1, KEi, Ni)
         |                        | (Packet #1)
         |----------------------->| IKE_SA_INIT Response
         |                        | (HDR, SAr1, KEr, Nr)
         |                        | (Judgement #1)
         |                        |
         |<-----------------------| IKE_AUTH request
         |                        | (HDR, SK {IDi, AUTH, N+, SAi2, TSi, TSr})
         |                        | (Packet #2)
         |----------------------->| IKE_AUTH Response
         |                        | (HDR, SK {IDr, AUTH, N+, SAr2, TSi, TSr})
         |                        | (Judgement #2)
         |                        |
         |<-----------------------| CREATE_CHILD_SA request
         |                        | (HDR, SK {N, N+, SA, Ni, TSi, TSr})
         |                        | (Packet #3)
         |----------------------->| CREATE_CHILD_SA response
         |                        | (HDR, SK {N+, SA, Nr, TSi, TSr})
         |                        | (Judgement #3)
         V                        V
N:  REKEY_SA
N+: USE_TRANSPORT_MODE

Packet #1 See Common Packet #1
Packet #2 See Common Packet #3
Packet #3 See Common Packet #13
Part A: IKE Header Format (BASIC)
1. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request.
2. Observe the messages transmitted on Link A.
3. After a reception of IKE_SA_INIT response from the NUT, TN1 transmits IKE_AUTH request to the NUT.
4. Observe the messages transmitted on Link A.
5. After reception of IKE_AUTH response from the NUT, TN1 transmits CREATE_CHILD_SA request to the NUT to rekey CHILD_SAs.
6. Observe the messages transmitted on Link A.
Part B: Encrypted Payload Format (BASIC)
7. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request.
8. Observe the messages transmitted on Link A.
9. After a reception of IKE_SA_INIT response from the NUT, TN1 transmits IKE_AUTH request to the NUT.
10. Observe the messages transmitted on Link A.
11. After reception of IKE_AUTH response from the NUT, TN1 transmits CREATE_CHILD_SA request to the NUT to rekey CHILD_SAs.
12. Observe the messages transmitted on Link A.
Part C: Notify Payload (USE_TRANSPORT_MODE) Format (BASIC)
13. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request.
14. Observe the messages transmitted on Link A.
15. After a reception of IKE_SA_INIT response from the NUT, TN1 transmits IKE_AUTH request to the NUT.
16. Observe the messages transmitted on Link A.
17. After reception of IKE_AUTH response from the NUT, TN1 transmits CREATE_CHILD_SA request to the NUT to rekey CHILD_SAs.
18. Observe the messages transmitted on Link A.
Part D: SA Payload Format (BASIC)
19. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request.
20. Observe the messages transmitted on Link A.
21. After a reception of IKE_SA_INIT response from the NUT, TN1 transmits IKE_AUTH request to the NUT.
22. Observe the messages transmitted on Link A.
23. After reception of IKE_AUTH response from the NUT, TN1 transmits CREATE_CHILD_SA request to the NUT to rekey CHILD_SAs.
24. Observe the messages transmitted on Link A.
Part E: Nonce Payload Format (BASIC)
25. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request.
26. Observe the messages transmitted on Link A.
27. After a reception of IKE_SA_INIT response from the NUT, TN1 transmits IKE_AUTH request to the NUT.
28. Observe the messages transmitted on Link A.
29. After reception of IKE_AUTH response from the NUT, TN1 transmits CREATE_CHILD_SA request to the NUT to rekey CHILD_SAs.
30. Observe the messages transmitted on Link A.
Part F: TSi Payload Format (BASIC)
31. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request.
32. Observe the messages transmitted on Link A.
33. After a reception of IKE_SA_INIT response from the NUT, TN1 transmits IKE_AUTH request to the NUT.
34. Observe the messages transmitted on Link A.
35. After reception of IKE_AUTH response from the NUT, TN1 transmits CREATE_CHILD_SA request to the NUT to rekey CHILD_SAs.
36. Observe the messages transmitted on Link A.
Part G: TSr Payload Format (BASIC)
37. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request.
38. Observe the messages transmitted on Link A.
39. After a reception of IKE_SA_INIT response from the NUT, TN1 transmits IKE_AUTH request to the NUT.
40. Observe the messages transmitted on Link A.
41. After reception of IKE_AUTH response from the NUT, TN1 transmits CREATE_CHILD_SA request to the NUT to rekey CHILD_SAs.
42. Observe the messages transmitted on Link A.
Part A
Step 2: Judgment #1
The NUT transmits an IKE_SA_INIT response including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted algorithms.
Step 4: Judgment #2
The NUT transmits an IKE_AUTH response including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
Step 6: Judgment #3
The NUT transmits a CREATE_CHILD_SA response including properly formatted IKE Header containing following values:
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                       IKE_SA Initiator's SPI                  !
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                       IKE_SA Responder's SPI                  !
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                          Message ID                           !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                            Length                             !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 73 Header format
* An IKE_SA Initiator's SPI field is set to the same value as the IKE_SA Initiator's SPI field of the IKE_SA_INIT request.
* An IKE_SA Responder's SPI field is set to the same value as the IKE_SA Responder's SPI field of the IKE_SA_INIT response.
* A Next Payload field is set to Encrypted Payload (46).
* A Major Version field is set to 2.
* A Minor Version field is set to zero.
* An Exchange Type field is set to CREATE_CHILD_SA (36).
* A Flags field is set to (00000100)₂ = (4)₁₀.
* A Message ID field is set to the same value as the Message ID of the corresponding IKEv2 request message.
* A Length field is set to the length of the message (header + payloads) in octets.
Part B
Step 8: Judgment #1
The NUT transmits an IKE_SA_INIT response including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted algorithms.
Step 10: Judgment #2
The NUT transmits an IKE_AUTH response including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
Step 12: Judgment #3
The NUT transmits a CREATE_CHILD_SA response including properly formatted Encrypted Payload containing following values:
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! Next Payload  !C!  RESERVED   !         Payload Length        !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                     Initialization Vector                     !
    !         (length is block size for encryption algorithm)       !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ~                    Encrypted IKE Payloads                     ~
    +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !               !             Padding (0-255 octets)            !
    +-+-+-+-+-+-+-+-+                               +-+-+-+-+-+-+-+-+
    !                                               !  Pad Length   !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ~                    Integrity Checksum Data                    ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 74 Encrypted payload
* A Next Payload field is set to N Payload (41).
* A Critical field is set to zero.
* A RESERVED field is set to zero.
* A Payload Length field is set to the length in octets of the header, IV, Encrypted IKE Payloads, Padding, Pad Length and Integrity Checksum Data.
* An Initialization Vector field is set to a randomly chosen value whose length is equal to the block length of the underlying encryption algorithm. It is 64 bits long in the ENCR_3DES case.
* An Encrypted IKE Payloads field is set to the subsequent payloads encrypted with ENCR_3DES.
* A Padding field is set to any value that makes the encrypted data a multiple of the encryption block size. The block size is 64 bits in the ENCR_3DES case.
* A Pad Length field is set to the length of the Padding field.
* An Integrity Checksum Data field is set to the cryptographic checksum of the entire message. It is 96 bits long in the AUTH_HMAC_SHA1_96 case. The checksum must be valid when recalculated in the manner described in the RFC.
Part C
Step 14: Judgment #1
The NUT transmits an IKE_SA_INIT response including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted algorithms.
Step 16: Judgment #2
The NUT transmits an IKE_AUTH response including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
Step 18: Judgment #3
The NUT transmits a CREATE_CHILD_SA response including properly formatted Notify Payload containing following values:
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! Next Payload  !C!  RESERVED   !         Payload Length        !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !  Protocol ID  !   SPI Size    !      Notify Message Type      !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                Security Parameter Index (SPI)                 ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                       Notification Data                       ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 75 Notify Payload format
* A Next Payload field is set to SA Payload (33).
* A Critical field is set to zero.
* A RESERVED field is set to zero.
* A Payload Length field is set to the length of the current payload. It is 8 bytes for USE_TRANSPORT_MODE.
* A Protocol ID field is set to undefined (0).
* A SPI Size field is set to zero.
* A Notify Message Type field is set to USE_TRANSPORT_MODE (16391).
Part D
Step 20: Judgment #1
The NUT transmits an IKE_SA_INIT response including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted algorithms.
Step 22: Judgment #2 The NUT transmits an IKE_AUTH response including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
Step 24: Judgment #3
The NUT transmits a CREATE_CHILD_SA response including properly formatted SA Payload containing following values (refer following figures):

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+             ----
    !    Next 44    !0!      0      !           Length 40           !                |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+      ----      |
    !       0       !       0       !           Length 36           !        |       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+        |       |
    !   Number 1    !   Prot ID 3   !   SPI Size 4  !  Trans Cnt 3  !        |       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+        |       |
    !                           SPI value                           !        |       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---    |       |
    !       3       !       0       !           Length 8            !  |     |       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  | Transform   |
    !  Type 1 (EN)  !       0       !     Transform ID 3 (3DES)     !  |     |       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---    |    SA Payload
    !       3       !       0       !           Length 8            !  |  Proposal   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  | Transform   |
    !  Type 3 (IN)  !       0       !     Transform ID 2 (SHA1)     !  |     |       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---    |       |
    !       0       !       0       !           Length 8            !  |     |       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  | Transform   |
    !  Type 5 (ESN) !       0       !      Transform ID 0 (No)      !  |     |       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---  ----    ----

Figure 76 SA Payload contents
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! Next Payload  !C!  RESERVED   !         Payload Length        !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                          <Proposals>                          ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 77 SA Payload format
* A Next Payload field is set to Nr Payload (40).
* A Critical field is set to zero.
* A RESERVED field is set to zero.
* A Payload Length field is set to the length of the current payload.
The following proposal must be included in Proposals field.

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! 0 (last) or 2 !   RESERVED    !         Proposal Length       !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! Proposal #    !  Protocol ID  !    SPI Size   !# of Transforms!
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ~                        SPI (variable)                         ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                        <Transforms>                           ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 78 Proposal sub-structure format
Proposal #1
* A 0 or 2 field is set to zero if this structure is the last proposal, otherwise set to 2.
* A RESERVED field is set to zero.
* A Proposal Length field is set to the length of this proposal, including all transforms and attributes. It is 36 bytes according to Common Configuration.
* A Proposal # field is set to 1.
* A Protocol ID field is set to ESP (3).
* A SPI Size field is set to 4.
* A # of Transforms field is set to 3.
* A SPI field is set to the sending entity's SPI (4-octet value).
Transform field is set to following (There are 3 Transform Structures).

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! 0 (last) or 3 !   RESERVED    !        Transform Length       !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !Transform Type !   RESERVED    !          Transform ID         !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                      Transform Attributes                     ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 79 Transform sub-structure format
Transform #1
* A 0 or 3 field is set to zero if this structure is the last transform, otherwise set to 3.
* A RESERVED field is set to zero.
* A Transform Length field is set to the length of the Transform Substructure including Header and Attribute. It is 8 bytes for ENCR_3DES.
* A Transform Type field is set to ENCR (1).
* A RESERVED field is set to zero.
* A Transform ID field is set to ENCR_3DES (3).
Transform #2
* A 0 or 3 field is set to zero if this structure is the last transform, otherwise set to 3.
* A RESERVED field is set to zero.
* A Transform Length field is set to the length of the Transform Substructure including Header and Attribute. It is 8 bytes for AUTH_HMAC_SHA1.
* A Transform Type field is set to INTEG (3).
* A RESERVED field is set to zero.
* A Transform ID field is set to AUTH_HMAC_SHA1 (2).
Transform #3
* A 0 or 3 field is set to zero if this structure is the last transform, otherwise set to 3.
* A RESERVED field is set to zero.
* A Transform Length field is set to the length of the Transform Substructure including Header and Attribute. It is 8 bytes for ESN.
* A Transform Type field is set to ESN (5).
* A RESERVED field is set to zero.
* A Transform ID field is set to No Extended Sequence Numbers (0).
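A checker for the Part D criteria above, as an added example that is not part of the test specification or of any conformance tool: it parses an SA payload laid out as in Figures 77-79 and applies Judgment #3, accepting the three transforms in any order. The 40-octet sample payload and its SPI value are constructed here, and the Next Payload value is checked against Nr (40) as the Judgment text requires.

```python
import struct

NEXT_PAYLOAD_NONCE, PROTO_ESP = 40, 3   # Part D Judgment values (RFC 4306 registries)
EXPECTED = {(1, 3), (3, 2), (5, 0)}     # (Transform Type, ID): ENCR_3DES, AUTH_HMAC_SHA1, No ESN

# Constructed 40-octet SA payload as in Figure 76; the SPI 0x11223344 is an arbitrary sample.
SAMPLE_SA_PAYLOAD = bytes.fromhex(
    "28 00 0028"              # Next Payload 40 (Nr), C=0/RESERVED=0, Payload Length 40
    "00 00 0024 01 03 04 03"  # last proposal, Length 36, #1, ESP, SPI Size 4, 3 transforms
    "11223344"                # SPI (4 octets)
    "03 00 0008 01 00 0003"   # more follow, Length 8, Type ENCR (1), ID ENCR_3DES (3)
    "03 00 0008 03 00 0002"   # more follow, Length 8, Type INTEG (3), ID AUTH_HMAC_SHA1 (2)
    "00 00 0008 05 00 0000"   # last, Length 8, Type ESN (5), ID No ESN (0)
)

def parse_sa_payload(data: bytes) -> dict:
    """Parse an SA payload (Figures 77-79). A length field that disagrees with
    the buffer raises ValueError: a checker rejects that before judging values."""
    if len(data) < 4 or struct.unpack("!H", data[2:4])[0] != len(data):
        raise ValueError("Payload Length does not match the octets present")
    next_payload, cflags, length = struct.unpack("!BBH", data[:4])
    sa = {"next_payload": next_payload, "critical": cflags >> 7, "reserved": cflags & 0x7F,
          "proposals": []}
    off, more = 4, 2
    while more and off + 8 <= length:
        more, resv, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", data[off:off + 8])
        if plen < 8 + spi_size or off + plen > length:
            raise ValueError("Proposal Length inconsistent")
        prop = {"more": more, "reserved": resv, "length": plen, "number": num, "protocol_id": proto,
                "spi_size": spi_size, "spi": data[off + 8:off + 8 + spi_size], "transforms": []}
        toff, pend = off + 8 + spi_size, off + plen
        while toff + 8 <= pend:      # walk the Transform sub-structures
            tmore, tresv, tlen, ttype, tresv2, tid = struct.unpack("!BBHBBH", data[toff:toff + 8])
            if tlen < 8 or toff + tlen > pend:
                raise ValueError("Transform Length inconsistent")
            prop["transforms"].append({"more": tmore, "length": tlen, "type": ttype,
                                       "id": tid, "reserved": tresv | tresv2})
            toff += tlen
        if toff != pend or len(prop["transforms"]) != ntrans:
            raise ValueError("# of Transforms / Transform Lengths do not fill the proposal")
        sa["proposals"].append(prop)
        off = pend
    if more or off != length:
        raise ValueError("proposal chain not terminated or octets left over")
    return sa

def judge_part_d(sa: dict) -> list:
    """Apply the Part D Judgment #3 criteria; returns the failed criteria (empty = PASS)."""
    fails = []
    ok = lambda cond, msg: None if cond else fails.append(msg)
    ok(sa["next_payload"] == NEXT_PAYLOAD_NONCE, "Next Payload must be Nr (40)")
    ok(sa["critical"] == 0 and sa["reserved"] == 0, "C and RESERVED must be zero")
    if not sa["proposals"]:
        return fails + ["Proposals field is empty"]
    p, ts = sa["proposals"][0], sa["proposals"][0]["transforms"]
    ok(p["number"] == 1 and p["reserved"] == 0, "Proposal # must be 1 with RESERVED zero")
    ok(p["length"] == 36, "Proposal Length must be 36 per Common Configuration")
    ok(p["protocol_id"] == PROTO_ESP and p["spi_size"] == 4, "Protocol ID ESP (3), SPI Size 4")
    ok(len(ts) == 3, "# of Transforms must be 3")
    # Transforms may appear in any order (note at the end of the test): compare (Type, ID) as a set.
    ok({(t["type"], t["id"]) for t in ts} == EXPECTED, "need ENCR_3DES, AUTH_HMAC_SHA1, No ESN")
    ok(all(t["length"] == 8 and t["reserved"] == 0 for t in ts), "Transform Length 8, RESERVED 0")
    ok(all(t["more"] == (0 if t is ts[-1] else 3) for t in ts), "0 (last) or 3 field wrong")
    return fails
```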
Part E
Step 26: Judgment #1
The NUT transmits an IKE_SA_INIT response including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted algorithms.
Step 28: Judgment #2 The NUT transmits an IKE_AUTH response including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
Step 30: Judgment #3 The NUT transmits a CREATE_CHILD_SA response including properly formatted Nonce Payload containing following values:
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! Next Payload  !C!  RESERVED   !         Payload Length        !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                            Nonce Data                         ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 80 Nonce Payload format
* A Next Payload field is set to TSi Payload (44).
* A Critical field is set to zero.
* A RESERVED field is set to zero.
* A Payload Length field is set to the length of the current payload.
* A Nonce Data field is set to random data generated by the transmitting entity.
* The size of the Nonce must be between 16 and 256 octets.
Part F
Step 32: Judgment #1
The NUT transmits an IKE_SA_INIT response including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted algorithms.
Step 34: Judgment #2
The NUT transmits an IKE_AUTH response including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
Step 36: Judgment #3
The NUT transmits a CREATE_CHILD_SA response including properly formatted TSi Payload containing following values:
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! Next Payload  !C!  RESERVED   !         Payload Length        !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! Number of TSs !                 RESERVED                      !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                       <Traffic Selectors>                     ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 81 TSi Payload format
* A Next Payload field is set to TSr Payload (45).
* A Critical field is set to zero.
* A RESERVED field is set to zero.
* A Payload Length field is set to the length of the current payload.
* A Number of TSs field is set to 1.
* A RESERVED field is set to zero.
The following traffic selector must be included in Traffic Selectors field.

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !   TS Type     !IP Protocol ID*|       Selector Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Start Port*         |           End Port*           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                         Starting Address*                     ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                         Ending Address*                       ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 82 Traffic Selector
* A TS Type field is set to TS_IPV6_ADDR_RANGE (8).
* An IP Protocol ID field is set to zero.
* A Selector Length field is set to the length of this Traffic Selector Substructure including the header.
* A Start Port field is set to zero.
* An End Port field is set to 65535.
* A Starting Address field is set to TN1 address.
* An Ending Address field is set to TN1 address.
Part G
Step 38: Judgment #1
The NUT transmits an IKE_SA_INIT response including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted algorithms.
Step 40: Judgment #2
The NUT transmits an IKE_AUTH response including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
Step 42: Judgment #3
The NUT transmits a CREATE_CHILD_SA response including properly formatted TSr Payload containing following values:
                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! Next Payload  !C!  RESERVED   !         Payload Length        !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! Number of TSs !                 RESERVED                      !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                       <Traffic Selectors>                     ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 83 TSr Payload format
* A Next Payload field is set to zero.
* A Critical field is set to zero.
* A RESERVED field is set to zero.
* A Payload Length field is set to the length of the current payload.
* A Number of TSs field is set to 1.
* A RESERVED field is set to zero.
The following traffic selector must be included in Traffic Selectors field.

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !   TS Type     !IP Protocol ID*|       Selector Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Start Port*         |           End Port*           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                         Starting Address*                     ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                         Ending Address*                       ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 84 Traffic Selector
* A TS Type field is set to TS_IPV6_ADDR_RANGE (8).
* An IP Protocol ID field is set to zero.
* A Selector Length field is set to the length of this Traffic Selector Substructure including the header.
* A Start Port field is set to zero.
* An End Port field is set to 65535.
* A Starting Address field is set to NUT address.
* An Ending Address field is set to NUT address.
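A checker covering both the Part F (TSi) and Part G (TSr) criteria, as an added example that is not part of the test specification or of any conformance tool: it builds and parses Traffic Selector payloads laid out as in Figures 81-84 and applies the Judgment #3 criteria for each side. The TN1 and NUT addresses are assumed sample values, since the Common Topology addresses are not given on this page.

```python
import ipaddress
import struct

TS_IPV6_ADDR_RANGE, NEXT_TSR, NEXT_NONE = 8, 45, 0   # TS Type and Next Payload values

# Constructed stand-ins for the Common Topology addresses, which this page does
# not list: assumed sample values from the RFC 3849 documentation prefix.
TN1_ADDR = ipaddress.IPv6Address("2001:db8::1")
NUT_ADDR = ipaddress.IPv6Address("2001:db8::2")

def build_ts_payload(next_payload: int, selectors: list) -> bytes:
    """Serialise a TSi/TSr payload (Figures 81-84); each selector is a tuple
    (TS Type, IP Protocol ID, Start Port, End Port, start address, end address)."""
    body = b""
    for ts_type, proto, sport, eport, start, end in selectors:
        addrs = start.packed + end.packed
        body += struct.pack("!BBHHH", ts_type, proto, 8 + len(addrs), sport, eport) + addrs
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(body), len(selectors)) + body

def parse_ts_payload(data: bytes) -> dict:
    """Parse a TSi/TSr payload; a length field inconsistent with the buffer raises ValueError."""
    if len(data) < 8 or struct.unpack("!H", data[2:4])[0] != len(data):
        raise ValueError("Payload Length does not match the octets present")
    next_payload, cflags, length, count = struct.unpack("!BBHB", data[:5])
    ts = {"next_payload": next_payload, "critical": cflags >> 7, "reserved": cflags & 0x7F,
          "reserved3": data[5:8], "selectors": []}
    off = 8
    for _ in range(count):
        if off + 8 > length:
            raise ValueError("Traffic Selector truncated")
        ts_type, proto, sel_len, sport, eport = struct.unpack("!BBHHH", data[off:off + 8])
        if sel_len < 8 or off + sel_len > length or (sel_len - 8) % 2:
            raise ValueError("Selector Length inconsistent")
        half = (sel_len - 8) // 2
        start, end = data[off + 8:off + 8 + half], data[off + 8 + half:off + sel_len]
        if half in (4, 16):      # decode packed IPv4/IPv6 addresses, otherwise keep raw octets
            cls = ipaddress.IPv6Address if half == 16 else ipaddress.IPv4Address
            start, end = cls(start), cls(end)
        ts["selectors"].append({"type": ts_type, "proto": proto, "length": sel_len,
                                "start_port": sport, "end_port": eport, "start": start, "end": end})
        off += sel_len
    if off != length:
        raise ValueError("octets left over after the last Traffic Selector")
    return ts

def judge_ts_payload(ts: dict, expect_next: int, expect_addr) -> list:
    """Parts F/G Judgment #3: exactly one TS_IPV6_ADDR_RANGE selector covering only
    expect_addr on every port. Returns the failed criteria (empty = PASS)."""
    fails = []
    ok = lambda cond, msg: None if cond else fails.append(msg)
    ok(ts["next_payload"] == expect_next, f"Next Payload must be {expect_next}")
    ok(ts["critical"] == 0 and ts["reserved"] == 0 and ts["reserved3"] == b"\0\0\0",
       "Critical and RESERVED fields must be zero")
    ok(len(ts["selectors"]) == 1, "Number of TSs must be 1")
    for s in ts["selectors"]:
        ok(s["type"] == TS_IPV6_ADDR_RANGE, "TS Type must be TS_IPV6_ADDR_RANGE (8)")
        ok(s["proto"] == 0, "IP Protocol ID must be zero")
        ok(s["length"] == 40, "Selector Length must be 40 (8-octet header + two IPv6 addresses)")
        ok(s["start_port"] == 0 and s["end_port"] == 65535, "port range must be 0-65535")
        ok(s["start"] == expect_addr == s["end"], f"address range must be exactly {expect_addr}")
    return fails
```

For TSi call judge_ts_payload with NEXT_TSR and the TN1 address; for TSr call it with NEXT_NONE and the NUT address.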
* CREATE_CHILD_SA response has the following packet format. It may have the additional payloads described below. Additional payloads can be ignored by this test. The order of payloads may differ from this sample.
[N(IPCOMP_SUPPORTED)+], [N(USE_TRANSPORT_MODE)], [N(ESP_TFC_PADDING_NOT_SUPPORTED)], [N(NON_FIRST_FRAGMENTS_ALSO)], SA, Nr, [KEr], TSi, TSr, [N(ADDITIONAL_TS_POSSIBLE)]
* Each of the transforms can be located in any order.