Test IKEv2.EN.I.2.1.2.1: Sending CFG_REQUEST Part A: (ADVANCED)
To verify that an IKEv2 device transmits an IKE_AUTH request using the proper Configuration Payload format.
* [RFC 4306] - Section 3.15
* Network Topology
Connect the devices according to the following topology.

                   NUT
               (End-Node)
                    |
        ----+-------+--- Link A (Prefix A, MTU=1500)
            |
           TR1
         (Router)
            |
        ----+-------+--- Link X (Prefix X, MTU=1500)
                    |
                   TN1
                  (SGW)
                    |
        ----+-------+--- Link Y (Prefix Y, MTU=1500)
            |
           TH1
          (Host)

    Prefix A = 2001:0db8:0001:0001::/64
    Prefix X = 2001:0db8:000f:0001::/64
    Prefix Y = 2001:0db8:000f:0002::/64

    NUT   End-Node   Link A   Prefix A::any_interface_ID (External Address)
                              Prefix Y::1 (Internal Address) (assigned by CP)
    TR1   Router     Link A   fe80::f
    TN1   SGW        Link X   Prefix X::1
    TH1   Host       Link Y   Prefix Y::f
* Configuration
In each part, configure the NUT according to the Common Configuration, except for the traffic selector. Configure the NUT to transmit CFG_REQUEST for INTERNAL_IP6_ADDRESS. The traffic selector must be configured according to the following table.

    Traffic Selector
               Source                                         Destination
               Address Range            Next Layer  Port      Address Range            Next Layer  Port
                                        Protocol    Range                              Protocol    Range
    Inbound    Link Y                   ANY         ANY       NUT (internal address)   ANY         ANY
    Outbound   NUT (internal address)   ANY         ANY       Link Y                   ANY         ANY

The NUT must propose a Traffic Selector covering the above address range.
* Pre-Sequence and Cleanup Sequence
IKEv2 on the NUT is disabled after each part.

       NUT                  TN1
    (End-Node)           (End-Node)
        |                    |
        |------------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
        |                    | (Judgement #1)
        |<-------------------| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
        |                    | (Packet #1)
        |                    |
        |------------------->| IKE_AUTH request (HDR, SK {IDi, AUTH, CP(CFG_REQUEST), SAi2, TSi, TSr})
        |                    | (Judgement #2)
        |                    |
        V                    V

    Packet #1   See Common Packet #2
Part A: (ADVANCED)
1. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
2. Observe the messages transmitted on Link A.
3. TN1 responds with an IKE_SA_INIT response to the NUT.
4. Observe the messages transmitted on Link A.
5. TN1 responds with an IKE_SA_INIT response to the NUT.
6. Observe the messages transmitted on Link A.

Part A
Step 2: Judgment #1
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed algorithms.
Step 4: Judgment #2
The NUT transmits an IKE_AUTH request including a properly formatted Configuration Payload containing the following values:

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    ! Next Payload  !C!  RESERVED   !         Payload Length        !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !   CFG Type    !                    RESERVED                   !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !                                                               !
    ~                   Configuration Attributes                    ~
    !                                                               !
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 47 Configuration Payload format

* A Next Payload field is set to SA Payload (33).
* A Critical field is set to zero.
* A RESERVED field is set to zero.
* A Payload Length field is set to the length of the current payload.
* A CFG Type field is set to CFG_REQUEST (1).
* A RESERVED field is set to zero.

The following configuration attribute must be included in the Configuration Attributes field.

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    !R|       Attribute Type        !            Length             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    ~                             Value                             ~
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 48 Configuration Attributes format

Configuration Attribute #1
* Reserved field is set to zero.
* Attribute Type field is set to INTERNAL_IP6_ADDRESS (8).
* Length field is set to zero.
* Value field is empty.

* Depending on implementation policy, the implementation may not send only a single configuration attribute. In this case, the Configuration Payload contains multiple configuration attributes.
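
The Judgment #2 field checks, written as a checker over the raw bytes of a decrypted Configuration Payload. This is an added example, not part of the test specification; the function name and the sample byte strings are constructed for illustration. It walks every attribute so that a payload carrying multiple configuration attributes, as the last note allows, still passes.

```python
import struct

NEXT_PAYLOAD_SA = 33          # Next Payload value required by Judgment #2
CFG_REQUEST = 1
INTERNAL_IP6_ADDRESS = 8

def check_cfg_request(payload: bytes, next_payload: int = NEXT_PAYLOAD_SA) -> list:
    """Return a list of Judgment #2 failures; an empty list means pass."""
    if len(payload) < 8:
        return ["payload shorter than the 8-byte fixed header"]
    nxt, flags, length, cfg_type, reserved = struct.unpack("!BBHB3s", payload[:8])
    errors = []
    if nxt != next_payload:
        errors.append(f"Next Payload is {nxt}, expected {next_payload}")
    if flags & 0x80:
        errors.append("Critical bit is set")
    if flags & 0x7F:
        errors.append("RESERVED bits after Critical are not zero")
    if length != len(payload):
        errors.append(f"Payload Length {length} != actual {len(payload)}")
    if cfg_type != CFG_REQUEST:
        errors.append(f"CFG Type is {cfg_type}, expected CFG_REQUEST (1)")
    if reserved != b"\x00\x00\x00":
        errors.append("RESERVED after CFG Type is not zero")
    # Walk every attribute: the NUT may send more than the one under test.
    found, offset = False, 8
    while offset < len(payload):
        if offset + 4 > len(payload):
            errors.append("truncated attribute header")
            break
        type_field, attr_len = struct.unpack_from("!HH", payload, offset)
        if offset + 4 + attr_len > len(payload):
            errors.append("attribute value runs past end of payload")
            break
        if type_field & 0x7FFF == INTERNAL_IP6_ADDRESS:
            found = True
            if type_field & 0x8000:
                errors.append("INTERNAL_IP6_ADDRESS: Reserved bit is set")
            if attr_len != 0:
                errors.append("INTERNAL_IP6_ADDRESS: Length is not zero")
        offset += 4 + attr_len
    if not found:
        errors.append("INTERNAL_IP6_ADDRESS attribute missing")
    return errors

# Constructed samples (not captured traffic).
GOOD = bytes.fromhex("2100000c" "01000000" "00080000")
MULTI = bytes.fromhex("21000010" "01000000" "000a0000" "00080000")  # extra type-10 attribute first
BAD = bytes.fromhex("2100000c" "02000000" "00080000")               # CFG Type 2
```

The input is the payload as it appears after the SK payload has been decrypted, starting at the Next Payload byte.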