Test IKEv2.EN.I.1.1.4.2: Unrecognized payload types and Critical bit is set
Part A: Invalid payload type 1 and Critical bit is set (BASIC)
To verify an IKEv2 device rejects the messages with invalid payload types when the invalid
type payload's critical bit is set.
* [RFC 4306] - Sections 2.5
* Network Topology
Connect the devices according to the Common Topology.
* Configuration
In each part, configure the devices according to the Common Configuration.
* Pre-Sequence and Cleanup Sequence
IKEv2 on the NUT is disabled after each part.
NUT TN1
(End-Node) (End-Node)
| |
|------------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
| | (Judgement #1)
|<-------------------| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
| | (Packet #1)
| |
|------------------->| IKE_AUTH request (HDR, SK {IDi, AUTH, N+, SAi2, TSi, TSr})
| | (Judgement #2)
|<-------------------| IKE_AUTH response (HDR, SK {IDr, AUTH, N+, SAr2, TSi, TSr})
| | (Packet #2)
| |
--- ---
| | ---
|<-------------------| IPSec {Echo Request} |
| | (Packet #3) |
|------------------->| IPSec {Echo Reply} | repeat Echo exchange until lifetime of SA is expired
| | (Judgement #3) |
| | ---
--- ---
| |
|------------------->| CREATE_CHILD_SA request (HDR, SK {N, N+, SA, Ni, TSi, TSr})
| | (Judgement #4)
|<-------------------| CREATE_CHILD_SA response (HDR, SK {P, N+, SA, Nr, TSi, TSr})
| | (Packet #4)
| |
|<-------------------| IPSec {Echo Request} (new CHILD_SA)
| | (Packet #5)
|----------X | IPSec {Echo Reply} (new CHILD_SA)
| | (Judgement #5)
| |
V V P: Payload with an invalid payload type
N: REKEY_SA
N+: USE_TRANSPORT_MODE
| Packet #1 |
See Common Packet #2 |
| Packet #2 |
See Common Packet #4 |
| Packet #3 |
See Common Packet #19 |
| Packet #4 |
See below |
| Packet #5 |
See Common Packet #19 |
Packet #4: CREATE_CHILD_SA response
| IPv6 Header |
All fields are same as Common Packet #14 Payload |
| UDP Header |
All fields are same as Common Packet #14 Payload |
| IKEv2 Header |
All fields are same as Common Packet #14 Payload |
| E Payload |
Next Payload |
Invalid payload type value |
| Other fields are same as Common Packet #14 |
| Invalid Payload |
Next Payload |
41(N) |
| Critical |
1 |
| Reserved |
0 |
| Payload Length |
4 |
| N Payload |
All fields are same as Common Packet #14 Payload |
| SA Payload |
All fields are same as Common Packet #14 Payload |
| Ni, Nr paylaod |
All fields are same as Common Packet #14 Payload |
| TSi Payload |
All fields are same as Common Packet #14 Payload |
| TSr Payload |
All fields are same as Common Packet #14 Payload |
Part A: Invalid payload type 1 and Critical bit is set (BASIC)
1. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
2. Observe the messages transmitted on Link A.
3. TN1 responds with an IKE_SA_INIT response to the NUT.
4. Observe the messages transmitted on Link A.
5. After reception of IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH
response to the NUT
6. TN1 transmits an Echo Request with IPsec ESP using the first negotiated algorithms to NUT.
7. Observe the messages transmitted on Link A.
8. Repeat Steps 6 and 7 until lifetime of SA is expired.
9. Observe the messages transmitted on Link A.
10. After reception of CREATE_CHILD_SA request for rekeying from the NUT, TN1 responds
with a CREATE_CHILD_SA response which includes a payload with invalid payload type
to the NUT. The E payload's IKE Header Next Payload field is set to 1 and the invalid
payload's critical flag is set.
11. Observe the messages transmitted on Link A.
12. TN1 transmits an Echo Request with IPsec ESP using the second negotiated algorithms to
NUT.
13. Observe the messages transmitted on Link A.
Part A
Step 2: Judgment #1
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES",
"PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed
lgorithms.
Step 4: Judgment #2
The NUT transmits an IKE_AUTH request including "ENCR_3DES",
"AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed algorithms.
Step 7: Judgment #3
The NUT transmits an Echo Reply with IPsec ESP using corresponding algorithms.
Step 11: Judgment #4
The NUT transmits a CREATE_CHILD_SA request including "ENCR_3DES",
"AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed
algorithms. And the CREATE_CHILD_SA request includes a Notify payload of type
REKEY_SA containing rekeyed CHILD_SA's SPI value in the SPI field.
Step 13: Judgment #5
The NUT never transmits an Echo Reply with IPsec ESP using the second negotiated
algorithms.
* None.