Title

  Test IKEv2.EN.I.1.1.4.1: Unrecognized payload types and Critical bit is not set
  Part D: Invalid payload type 255 (BASIC)

Purpose

  To verify an IKEv2 device ignores invalid payload types when the invalid type payload's
  critical bit is not set.

References

  * [RFC 4306] - Sections 2.5

Test Setup

  * Network Topology
      Connect the devices according to the Common Topology.
  * Configuration
      In each part, configure the devices according to the Common Configuration.
  * Pre-Sequence and Cleanup Sequence
      IKEv2 on the NUT is disabled after each part.

Procedure

   NUT                  TN1
(End-Node)           (End-Node)
    |                    |
    |------------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
    |                    | (Judgement #1)
    |<-------------------| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
    |                    | (Packet #1)
    |                    |
    |------------------->| IKE_AUTH request (HDR, SK {IDi, AUTH, N+, SAi2, TSi, TSr})
    |                    | (Judgement #2)
    |<-------------------| IKE_AUTH response (HDR, SK {IDr, AUTH, N+, SAr2, TSi, TSr})
    |                    | (Packet #2)
    |                    |
   ---                  ---
    |                    |                        ---
    |<-------------------| IPSec {Echo Request}    |
    |                    | (Packet #3)             |
    |------------------->| IPSec {Echo Reply}      | repeat Echo exchange until lifetime of SA is expired
    |                    | (Judgement #3)          |
    |                    |                        ---
   ---                  ---
    |                    |
    |------------------->| CREATE_CHILD_SA request (HDR, SK {N, N+, SA, Ni, TSi, TSr})
    |                    | (Judgement #4)
    |<-------------------| CREATE_CHILD_SA response (HDR, SK {P, N+, SA, Nr, TSi, TSr})
    |                    | (Packet #4)
    |                    |
    |<-------------------| IPSec {Echo Request} (new CHILD_SA)
    |                    | (Packet #5)
    |------------------->| IPSec {Echo Reply} (new CHILD_SA)
    |                    | (Judgement #5)
    |                    |
    V                    V P: Payload with an invalid payload type
 N: REKEY_SA
 N+: USE_TRANSPORT_MODE

Packet #1 See Common Packet #2

Packet #2 See Common Packet #4

Packet #3 See Common Packet #19

Packet #4 See below

Packet #5 See Common Packet #19

Packet #4: CREATE_CHILD_SA response

IPv6 Header All fields are same as Common Packet #14 Payload

UDP Header All fields are same as Common Packet #14 Payload

IKEv2 Header Next Payload Invalid payload type value

Other fields are same as Common Packet #14

Invalid Payload Next Payload 41(N)

Critical 0

Reserved 0

Payload Length 4

N Payload All fields are same as Common Packet #14 Payload

SA Payload All fields are same as Common Packet #14 Payload

Ni, Nr paylaod All fields are same as Common Packet #14 Payload

TSi Payload All fields are same as Common Packet #14 Payload

TSr Payload All fields are same as Common Packet #14 Payload

  Part D: Invalid payload type 255 (BASIC)
     40. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
     41. Observe the messages transmitted on Link A.
     42. TN1 responds with an IKE_SA_INIT response to the NUT.
     43. Observe the messages transmitted on Link A.
     44. After reception of IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH
         response to the NUT
     45. TN1 transmits an Echo Request with IPsec ESP using the first negotiated algorithms to NUT.
     46. Observe the messages transmitted on Link A.
     47. Repeat Steps 45 and 46 until lifetime of SA is expired.
     48. Observe the messages transmitted on Link A.
     49. After reception of CREATE_CHILD_SA request for rekeying from the NUT, TN1 responds
         with a CREATE_CHILD_SA response which includes a payload with invalid payload type
         to the NUT. The E payload's IKE Header Next Payload field is set to 255 and the invalid
         payload's critical flag is not set.
     50. Observe the messages transmitted on Link A.
     51. TN1 transmits an Echo Request with IPsec ESP using the second negotiated algorithms to
         NUT.
     52. Observe the messages transmitted on Link A.

Observable Result

  Part D
       Step 41: Judgment #1
       The NUT transmits an IKE_SA_INIT request including "ENCR_3DES",
       "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed
       lgorithms.

       Step 43: Judgment #2
       The NUT transmits an IKE_AUTH request including "ENCR_3DES",
       "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed algorithms.

       Step 46: Judgment #3
       The NUT transmits an Echo Reply with IPsec ESP using corresponding algorithms.

       Step 50: Judgment #4
       The NUT transmits a CREATE_CHILD_SA request including "ENCR_3DES",
       "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed
       algorithms. And the CREATE_CHILD_SA request includes a Notify payload of type
       REKEY_SA containing rekeyed CHILD_SA's SPI value in the SPI field.

       Step 52: Judgment #5
       The NUT transmits an Echo Reply with IPsec ESP using the second negotiated algorithms.

Possible Problems

  * None.

`Packet #1`	`See Common Packet #2`
`Packet #2`	`See Common Packet #4`
`Packet #3`	`See Common Packet #19`
`Packet #4`	`See below`
`Packet #5`	`See Common Packet #19`

IPv6 Header	All fields are same as Common Packet #14 Payload
UDP Header	All fields are same as Common Packet #14 Payload
IKEv2 Header	Next Payload	Invalid payload type value
	Other fields are same as Common Packet #14
Invalid Payload	Next Payload	41(N)
	Critical	0
	Reserved	0
	Payload Length	4
N Payload	All fields are same as Common Packet #14 Payload
SA Payload	All fields are same as Common Packet #14 Payload
Ni, Nr paylaod	All fields are same as Common Packet #14 Payload
TSi Payload	All fields are same as Common Packet #14 Payload
TSr Payload	All fields are same as Common Packet #14 Payload