Test IKEv2.EN.R.1.1.6.1: Cryptographic Algorithm Negotiation for IKE_SA Part C: PRF PRF_AES128_CBC (ADVANCED)
To verify an IKEv2 device properly handles various algorithms for IKE_SA.
* [RFC 4306] - Sections 2.7 and 3.3
* Network Topology Connect the devices according to the Common Topology. * Configuration From part A to part E, configure the devices according to the Common Configuration except for Italic parameters.
IKE_SA_INIT exchanges Algorithms Encryption PRF Integrity D-H Group Part C ENCR_3DES PRF_AES128_CBC AUTH_HMAC_SHA1_96 Group 2
* Pre-Sequence and Cleanup Sequence IKEv2 on the NUT is disabled after each part.
NUT TN1 (End-Node) (End-Node) | | |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni) | | (Packet #1) |------------------->| IKE_SA_INIT response (HDR, SAr1, KEr, Nr) | | (Judgement #1) | | |<-------------------| IKE_AUTH request (HDR, SK {IDi, AUTH, N, SAi2, TSi, TSr}) | | (Packet #2) |------------------->| IKE_AUTH response (HDR, SK {IDr, AUTH, N, SAr2, TSi, TSr}) | | (Judgement #2) | | V V
N: USE_TRANSPORT_MODE
Packet #1 See Common Packet #1 Packet #2 See Common Packet #3
Packet #1: IKE_SA_INIT requet Packet #1 is same as Common Packet #1 except SA Transform proposed in each test.
Part C: SA Transform of Tranform Type PRF is replaced by the following SA Transfrom.
SA Transform Next Payload 3 (more) Reserved 0 Transform Length 8 Transform Type 2 (PRF) Reserved 0 Transform ID 4 (AES128_XCBC)
Part C: PRF PRF_AES128_CBC (ADVANCED) 9. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request including a SA payload as described above. 10. Observe the messages transmitted on Link A. 11. After reception of IKE_SA_INIT response from the NUT, TN transmits an IKE_AUTH request protected with the accepted proposal to the NUT. 12. Observe the messages transmitted on Link A.
Part C Step 10: Judgment #1 The NUT transmits an IKE_SA_INIT response including "ENCR_3DES", "PRF_AES128_CBC", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted algorithms.
Step 12: Judgment #2 The NUT transmits an IKE_AUTH response including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
* None.