Title

  Test IKEv2.EN.I.1.1.6.11: Receipt of INVALID_KE_PAYLOAD in Initial Exchange 
  Part B: IKE_SA Responder's SPI is not zero (ADVANCED)

Purpose

  To verify an IKEv2 device properly handles IKE_SA_INIT Response with a Notify payload
  of type INVALID_KE_PAYLOAD.

References

  * [RFC 4306] - Sections 2.7, 3.4 and 3.10.1
  * [RFC 4718] - Sections 2.1 and 2.2

Test Setup

  * Network Topology
      Connect the devices according to the Common Topology.
  * Configuration
      In each part, configure the devices according to the Common Configuration.
  * Pre-Sequence and Cleanup Sequence
      IKEv2 on the NUT is disabled after each part.

Procedure

   NUT                  TN1
(End-Node)           (End-Node)
    |                    |
    |------------------->| IKE_SA_INIT request (HDR, SAi1(DH#2, DH#14), KEi(DH#14), Ni)
    |                    | (Judgement #1)
    |<-------------------| IKE_SA_INIT Response (HDR, N(INVALID_KE_PAYLOAD(DH#2)))
    |                    | (Packet #1)
    |                    |
    |------------------->| IKE_SA_INIT request (HDR, SAi1(DH#2, DH#14), KEi'(DH#2), Ni)
    |                    | (Judgement #2)
    |                    |
    V                    V

Packet #1 See below

Packet #1: IKE_SA_INIT response

IPv6 Header Same as the Common Packet #2

UDP Header Same as the Common Packet #2

IKEv2 Header Same as the Common Packet #2

IKE_SA Responder's SPI See each Part

N Payload Next Payload 0

Critical 0

Reserved 0

Payload Length 10

Protocol ID 0

SPI Size 0

Notify Message Type INVALID_KE_PAYLOAD (17)

Notification Data The accepted D-H Group # (2)

  Part B: IKE_SA Responder's SPI is not zero (BASIC)
     5. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
     6. Observe the messages transmitted on Link A.
     7. TN1 responds with an IKE_SA_INIT Response including a Notify payload of type
         INVALID_KE_PAYLOAD containing 2 (1024 Bit MODP) as Notification Data to the NUT.
         The message's IKE_SA Responder's SPI is set to one.
     8. Observe the messages transmitted on Link A.

Observable Result

  Part B
       Step 6: Judgment #1
       The NUT transmits an IKE_SA_INIT Request including
       "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96", "D-H group 2" and "D-H
       group 14" as proposed algorithms. KEi payload must carry "D-H group 14" public key
       value.

       Step 8: Judgment #2
       The NUT transmits an IKE_SA_INIT request including a Key Exchange payoad which
       contains "D-H group 2" public key value. All other payloads are unchanged.

Possible Problems

  * None.

IPv6 Header	Same as the Common Packet #2
UDP Header	Same as the Common Packet #2
IKEv2 Header	Same as the Common Packet #2
IKE_SA Responder's SPI	See each Part
N Payload	Next Payload	0
	Critical	0
	Reserved	0
	Payload Length	10
	Protocol ID	0
	SPI Size	0
	Notify Message Type	INVALID_KE_PAYLOAD (17)
	Notification Data	The accepted D-H Group # (2)