Test IKEv2.EN.R.1.1.3.2: State Synchronization with IKE messages Part A: (BASIC)
To verify that an IKEv2 device doesn't conclude that the other endpoint has faild by receiving cryptographicaly unprotected IKE message.
* [RFC 4306] - Sections 2.1, 2.2 and 2.4
* Network Topology Connect the devices according to the Common Topology. * Configuration In each part, configure the devices according to the Common Configuration. * Pre-Sequence and Cleanup Sequence IKEv2 on the NUT is disabled after each part.
NUT TN1 (End-Node) (End-Node) | | |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni) | | (Packet #1) |------------------->| IKE_SA_INIT response (HDR, SAr1, KEr, Nr) | | (Judgement #1) | | |<-------------------| IKE_AUTH request (HDR, SK {IDi, AUTH, N, SAi2, TSi, TSr}) | | (Packet #2) |------------------->| IKE_AUTH response (HDR, SK {IDr, AUTH, N, SAr2, TSi, TSr}) | | (Judgement #2) | | |<-------------------| IPsec {Echo Request} | | (Packet #3) |------------------->| IPsec {Echo Reply} | | (Judgement #3) | | |<-------------------| cryptographically unprotected IKE message | | (Packet #4) | | |<-------------------| IPsec {Echo Request} | | (Packet #5) |------------------->| IPsec {Echo Reply} | | (Judgement #4) | | V V
N: USE_TRANSPORT_MODE
Packet #1 See Common Packet #1 Packet #2 See Common Packet #3 Packet #3 See Common Packet #19 Packet #4 See below Packet #5 See Common Packet #19
* Packet #4: cryptographicaly unprotected INFORMATIONAL request
IPv6 Header Source Address TN1's Global Address on Link A Destination Address NUT's Global Address on Link X UDP Header Source Port 500 Destination Port 500 IKEv2 Header IKE_SA Initiator's SPI any IKE_SA Responder's SPI any Next Payload 41 (N) Major Version 2 Minor Version 0 Exchange Type 37 (INFORMATIONAL) X (bits 0-2 of Flags) 0 I (bit 3 of Flags) any V (bit 4 of Flags) 0 R (bit 5 of Flags) 0 X (bits 6-7 Flags) 0 Message ID any Length any N Payload Next Payload 0 Critical 0 Reserved 0 Payload Length 8 Protocol ID 3 (ESP) SPI Size 0 Notify Message Type 11 (INVALID_SPI)
Part A: (BASIC) 1. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request. 2. Observe the messages transmitted on Link A. 3. After reception of IKE_SA_INIT response from the NUT, TN1 transmits an IKE_AUTH request to the NUT. 4. Observe the messages transmitted on Link A. 5. After reception of IKE_AUTH response from the NUT, TN1 transmits an Echo Request with IPsec ESP using corresponding algorithms to NUT. 6. Observe the messages transmitted on Link A. 7. After reception of an Echo Reply from NUT, TN1 transmits a cryptographically unprotected INFORMATIONAL request with Notify payload of type INVALID_ SPI to the NUT. 8. TN1 transmits an Echo Request with IPsec ESP using corresponding algorithms to NUT. 9. Observe the messages transmitted on Link A.
Part A Step 2: Judgment #1 The NUT transmits an IKE_SA_INIT response including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted algorithms. Step 4: Judgment #2 The NUT transmits an IKE_AUTH response including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
Step 6: Judgment #3 The NUT transmits an Echo Reply with IPsec ESP using corresponding algorithms. Step 9: Judgment #4 The NUT transmits an Echo Reply with IPsec ESP using corresponding algorithms.
* None.