Test IKEv2.EN.I.1.3.1.1: Sending INFORMATIONAL Exchange
Part A: IKE Header Format (BASIC)
Part B: Encrypted Payload Format (BASIC)
To verify an IKEv2 device checks whether the other endpoint is alive.
* [RFC 4306] - Sections 2.1, 2.2 and 2.4
* Network Topology
Connect the devices according to the Common Topology.
* Configuration
In each part, configure the devices according to the Common Configuration. In
addition, set retransmission timer to 1 second.
* Pre-Sequence and Cleanup Sequence
IKEv2 on the NUT is disabled after each part.
NUT TN1
(End-Node) (End-Node)
| |
|------------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
| | (Judgement #1)
|<-------------------| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
| | (Packet #1)
| |
|------------------->| IKE_AUTH request (HDR, SK {IDi, AUTH, N, SAi2, TSi, TSr})
| | (Judgement #2)
|<-------------------| IKE_AUTH Response (HDR, SK {IDr, AUTH, N, SAr2, TSi, TSr})
| | (Packet #2)
| |
| * wait until receiving liveness check
| |
|------------------->| INFORMATIONAL request (HDR, SK {})
| | (Judgement #3)
| |
V V
N: USE_TRANSPORT_MODE
| Packet #1 |
See Common Packet #2 |
| Packet #2 |
See Common Packet #4 |
Part A: IKE Header Format (BASIC)
1. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
2. Observe the messages transmitted on Link A.
3. TN1 responds with an IKE_SA_INIT response to the NUT.
4. Observe the messages transmitted on Link A.
5. After reception of IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH
response to the NUT.
6. TN1 waits for receiving an INFORMATIONAL request with no payloads.
7. Observe the messages transmitted on Link A.
Part B: Encrypted Payload Format (BASIC)
8. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
9. Observe the messages transmitted on Link A.
10. TN1 responds with an IKE_SA_INIT response to the NUT.
11. Observe the messages transmitted on Link A.
12. After reception of IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH
response to the NUT.
13. TN1 waits for receiving an INFORMATIONAL request with no payloads.
14. Observe the messages transmitted on Link A.
Part A
Step 2: Judgment #1
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES",
"PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed
algorithms.
Step 4: Judgment #2
The NUT transmits an IKE_AUTH request including "ENCR_3DES",
"AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed algorithms.
Step 7: Judgment #3
The NUT transmits an INFORMATIONAL request including properly formatted IKE Header
containing following values:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! IKE_SA Initiator s SPI !
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! IKE_SA responder s SPI !
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Message ID !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 35 Header format
* An IKE_SA Initiator's SPI field is set to same as the IKE_SA_INIT request's IKE_SA
Initiator's SPI field value.
* An IKE_SA Responder's SPI field is set to same as the IKE_SA_INIT response's
IKE_SA Responder's SPI field value.
* A Next Payload field is set to Encrypted Payload (46).
* A Major Version field is set to 2.
* A Minor Version field is set to zero.
* An Exchange Type field is set to INFORMATIONAL (37).
* A Flags field is set to (00010000)2 = (16)10.
* A Message ID field is set to the value incremented the previous IKE message's
Message ID by one.
* A Length field is set to the length of the message (header + payloads) in octets.
Part B
Step 9: Judgment #1
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES",
"PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed
algorithms.
Step 1: Judgment #2
The NUT transmits an IKE_AUTH request including "ENCR_3DES",
"AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed algorithms.
Step 14: Judgment #3
The NUT transmits an INFORMATIONAL request including properly formatted Encrypted
Payload containing following values:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload !C! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Initialization Vector !
! (length is block size for encryption algorithm) !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Encrypted IKE Payloads ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! ! Padding (0-255 octets) !
+-+-+-+-+-+-+-+-+ --+-+-+-+-+-+-+-+
! ! Pad Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Integrity Checksum Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 36 Encrypted payload
* A Next Payload field is set to zero.
* A Critical field is set to zero.
* A RESERVED field is set to zero.
* A Payload Length field is set to length in octets of the header, IV, Encrypted
IKE Payloads, Padding, Pad Length, and Integrity Check sum Data.
* An Initialization Vector field is set to a randomly chosen value whose length is
equal to the block length of the underlying encryption algorithm. It is 64 bits
length in ENCR_3DES case.
* An Encrypted IKE Payloads field is set to subsequent payloads encrypted by
ENCR_3DES.
* A Padding field is set to any value which to be a multiple of the encryption
block size. It is 64 bits length in ENCR_3DES case.
* A Pad Length field is set to the length of the Padding field.
* An Integrity Checksum Data set to the cryptographic checksum of the entire
message. It is 96 bits length in AUTH_HMAC_SHA1_96 case. The checksum
must be valid by calculation according to the manner described in RFC.
* none.