Test IKEv2.EN.I.2.1.2.3: Non zero RESERVED fields in Configuration Payload Part A (ADVANCED)
To verify that an IKEv2 device ignores the content of RESERVED fields in IKE messages.
* [RFC 4306] - Section 2.5
* Network Topology
Connect the devices according to the following topology.

      NUT (End-Node)
            |
     ----+-------+--- Link A (Prefix A, MTU=1500)
            |
      TR1 (Router)
            |
     ----+-------+--- Link X (Prefix X, MTU=1500)
            |
      TN1 (SGW)
            |
     ----+-------+--- Link Y (Prefix Y, MTU=1500)
            |
      TH1 (Host)

Prefix A = 2001:0db8:0001:0001::/64
Prefix X = 2001:0db8:000f:0001::/64
Prefix Y = 2001:0db8:000f:0002::/64

Device  Role      Link    Address
NUT     End-Node  Link A  Prefix A::any_interface_ID (External Address)
                          Prefix Y::1 (Internal Address, assigned by CP)
TR1     Router    Link A  fe80::f
TN1     SGW       Link X  Prefix X::1
TH1     Host      Link Y  Prefix Y::f
* Configuration
In each part, configure NUT according to the Common Configuration except the traffic selector. Configure NUT to transmit CFG_REQUEST for INTERNAL_IP6_ADDRESS. The traffic selector must be configured according to the following table.

Traffic    Source                                           Destination
Selector   Address Range           Next Layer   Port        Address Range           Next Layer   Port
                                   Protocol     Range                               Protocol     Range
Inbound    Link Y                  ANY          ANY         NUT (internal address)  ANY          ANY
Outbound   NUT (internal address)  ANY          ANY         Link Y                  ANY          ANY

NUT must propose a Traffic Selector covering the above address range.
* Pre-Sequence and Cleanup Sequence IKEv2 on the NUT is disabled after each part.
   NUT                TN1                TH1
(End-Node)           (SGW)             (Host)
   |                  |                  |
   |----------------->|                  |  IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
   |                  |                  |  (Judgement #1)
   |<-----------------|                  |  IKE_SA_INIT response (HDR, SAr1, KEr, Nr)
   |                  |                  |  (Packet #1)
   |----------------->|                  |  IKE_AUTH request (HDR, SK {IDi, AUTH, CP(CFG_REQUEST), SAi2, TSi, TSr})
   |                  |                  |  (Judgement #2)
   |<-----------------|                  |  IKE_AUTH response (HDR, SK {IDr, AUTH, CP(CFG_REPLY), SAr2, TSi, TSr})
   |                  |                  |  (Packet #2)
   |<=================+------------------|  IPsec {Echo Request (sent to NUT internal address)}
   |                  |                  |  (Packet #3)
   |==================+----------------->|  IPsec {Echo Reply (sent from NUT internal address)}
   |                  |                  |  (Judgement #3)
   V                  V                  V

Packet #1  See Common Packet #2
Packet #2  See below
Packet #3  See below
Packet #2: IKE_AUTH response packet

  IPv6 Header    Same as Common Packet #6
  UDP Header     Same as Common Packet #6
  IKEv2 Header   Same as Common Packet #6
  E Payload      Same as Common Packet #6
  IDr Payload    Same as Common Packet #6
  AUTH Payload   Next Payload: 47 (CP)
                 Other fields are the same as Common Packet #6
  CP Payload     Next Payload: 33 (SA)
                 Critical: 0
                 Reserved: 1
                 Payload Length: 29
                 CFG Type: 2 (CFG_REPLY)
                 RESERVED: 1
                 Configuration Attributes: See below
  SA Payload     Same as Common Packet #6
  TSi Payload    Traffic Selectors: See below
                 Other fields are the same as Common Packet #6
  TSr Payload    Same as Common Packet #6

Configuration Attributes
  Reserved        1
  Attribute Type  INTERNAL_IP6_ADDRESS
  Length          17
  Value           IPv6 address: Prefix Y::1
                  Prefix-length: 128

Traffic Selector
  TS Type           8 (IPV6_ADDR_RANGE)
  IP Protocol ID    0 (any)
  Selector Length   40
  Start Port        0
  End Port          65535
  Starting Address  Prefix Y::1
  Ending Address    Prefix Y::1
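The following is an added example, not part of the test specification: it encodes the CP(CFG_REPLY) payload of Packet #2 byte for byte (generic header Reserved bits, the three CP RESERVED bytes and the attribute R bit all set to 1, as the test requires) and decodes it the way a conformant peer must, so that the INTERNAL_IP6_ADDRESS attribute is recovered regardless of the RESERVED contents. Prefix Y::1 is taken from the topology (2001:0db8:000f:0002::/64); field layouts follow RFC 4306 section 3.15.

```python
import ipaddress
import struct

# Constants from RFC 4306 section 3.15 and the test's Packet #2 description.
NEXT_PAYLOAD_SA = 33
CFG_REPLY = 2
INTERNAL_IP6_ADDRESS = 8
PREFIX_Y_1 = ipaddress.IPv6Address("2001:db8:f:2::1")  # Prefix Y::1 (Prefix Y = 2001:0db8:000f:0002::/64)


def build_cp_payload(reserved_generic=1, reserved_cp=1, reserved_attr=1):
    """Encode the CP(CFG_REPLY) payload of Packet #2 (constructed here from the
    spec). Each RESERVED field defaults to the non-zero value 1 the test uses."""
    value = PREFIX_Y_1.packed + bytes([128])                    # 16-byte address + prefix length = 17
    attr = struct.pack("!HH", (reserved_attr << 15) | INTERNAL_IP6_ADDRESS, len(value)) + value
    body = bytes([CFG_REPLY]) + reserved_cp.to_bytes(3, "big") + attr  # CFG Type + 3 RESERVED bytes
    length = 4 + len(body)                                      # generic header + body = 29
    flags = (0 << 7) | (reserved_generic & 0x7F)                # Critical = 0, then 7 RESERVED bits
    return struct.pack("!BBH", NEXT_PAYLOAD_SA, flags, length) + body


def parse_cp_payload(data):
    """Decode a CP payload as a conformant peer must: RESERVED bits are skipped
    and never influence the result, so reserved=0 and reserved=1 parse identically."""
    next_payload, flags, length = struct.unpack_from("!BBH", data, 0)
    if length != len(data):
        raise ValueError("CP payload length does not match data")
    critical = flags >> 7                      # bit 7 only; bits 0-6 are RESERVED and ignored
    cfg_type = data[4]                         # data[5:8] are RESERVED and ignored
    attrs, off = [], 8
    while off < length:
        raw_type, alen = struct.unpack_from("!HH", data, off)
        atype = raw_type & 0x7FFF              # bit 15 is the reserved R bit, masked off
        val = data[off + 4:off + 4 + alen]
        off += 4 + alen
        if atype == INTERNAL_IP6_ADDRESS and alen == 17:
            attrs.append((atype, ipaddress.IPv6Address(val[:16]), val[16]))
        else:
            attrs.append((atype, val, None))
    return {"next_payload": next_payload, "critical": critical,
            "cfg_type": cfg_type, "attributes": attrs}
```

A NUT that fails Judgement #3 typically does so because its parser compares the whole flags byte or the whole attribute type field against a constant instead of masking the RESERVED bits as above.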
Packet #3: Echo Request packet

  IPv6 Header    Same as Common Packet #20
  ESP            Same as Common Packet #20
  IPv6 Header    Source Address: Prefix Y::f
                 Destination Address: Prefix Y::1
  ICMPv6 Header  Same as Common Packet #20
Part A (ADVANCED)
1. NUT starts to negotiate with TN1 by sending an IKE_SA_INIT request.
2. Observe the messages transmitted on Link A.
3. TN1 responds with an IKE_SA_INIT response to the NUT.
4. Observe the messages transmitted on Link A.
5. After reception of the IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH response to the NUT.
6. TH1 transmits an Echo Request to the NUT internal address and TN1 forwards the Echo Request with IPsec ESP using ENCR_3DES and AUTH_HMAC_SHA1_96.
7. Observe the messages transmitted on Link A.
Part A
Step 2: Judgement #1
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed algorithms.
Step 4: Judgement #2
The NUT transmits an IKE_AUTH request including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed algorithms.
Step 7: Judgement #3
The NUT transmits an Echo Reply with IPsec ESP using ENCR_3DES and AUTH_HMAC_SHA1_96. The inner packet is sent from the NUT internal address.
* None