Test IKEv2.EN.I.1.1.10.3: RSA Digital Signature
Part A: (ADVANCED)
To verify an IKEv2 device authenticates the corresponding node by RSA Digital Signature.
[RFC 4306] - Sections 1.2 and 3.7
* Network Topology
Connect the devices according to the Common Topology.
* Configuration
In each part, configure the devices according to the following IKE peer configuration.
|
Authentication Method |
| Remote |
X.509 Certificate - Signature |
* Pre-Sequence and Cleanup Sequence
IKEv2 on the NUT is disabled after each part.
NUT TN1
(End-Node) (End-Node)
| |
|------------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
| | (Judgement #1)
|<-------------------| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
| | (Packet #1)
| |
|------------------->| IKE_AUTH request (HDR, SK {IDi, CERTREQ, AUTH, N, SAi2, TSi, TSr})
| | (Judgement #2)
|<-------------------| IKE_AUTH Response (HDR, SK {IDr, iCERT, AUTH, N, SAr2, TSi, TSr})
| | (Packet #2)
| |
|<-------------------| IPSec {Echo Request}
| | (Packet #3)
|------------------->| IPSec {Echo Reply}
| | (Judgement #3)
| |
V V
N+: USE_TRANSPORT_MODE
| Packet #1 |
See Common Packet #2 |
| Packet #2 |
See below |
| Packet #3 |
See Common Packet #19 |
Packet #2: IKE_AUTH response
| IPv6 Header |
Same as Common Packet #4 |
| UDP Header |
Same as Common Packet #4 |
| IKEv2 Header |
Same as Common Packet #4 |
| E Payloa |
Same as Common Packet #4 |
| IDr Payload |
Next Payload |
37 (CERT) |
| Other fields are same as the Common Packet #4 |
| CERT Payload |
See below |
| AUTH Payload |
Same as Common Packet #4 |
| N Payload |
Same as Common Packet #4 |
| SA Payload |
Same as Common Packet #4 |
| TSi Payload |
Same as Common Packet #4 |
| TSr Payload |
Same as Common Packet #4 |
| CERT Payload |
Next Payload |
39 (AUTH) |
| Critical |
0 |
| Reserved |
0 |
| Payload Length |
Any |
| Certificate Encoding |
4 (X.509 Certificate - Signature) |
| Certificate Data |
TN1's X.509 Certificate |
Part A: (ADVANCED)
1. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
2. Observe the messages transmitted on Link A.
3. TN1 responds with an IKE_SA_INIT response to the NUT.
4. Observe the messages transmitted on Link A.
5. After reception of IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH
response including IDr payload as describe above to the NUT
6. TN1 transmits an Echo Request with IPsec ESP using corresponding algorithms to NUT.
7. Observe the messages transmitted on Link A.
Part A
Step 2: Judgment #1
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES",
"PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed
algorithms.
Step 4: Judgment #2
The NUT transmits an IKE_AUTH request with a CERTREQ payload which contains 4
(X.509 Certificate - Signature) as Certificate Encoding.
Step 7: Judgment #3
The NUT transmits an Echo Reply with IPsec ESP using ENCR_3DES an
AUTH_HMAC_SHA1_96.
* None