Test IKEv2.EN.I.2.1.2.4: Receipt of IKE_AUTH response without CFG_REPLY
Part A (ADVANCED)
To verify that an IKEv2 device properly handles the Initial Exchanges using a Pre-shared key when the responder's IKE_AUTH response carries no CFG_REPLY.
* [RFC 4718] - Section 6.8
* Network Topology
Connect the devices according to the following topology.
NUT
(End-Node)
|
----+-------+--- Link A (Prefix A, MTU=1500)
|
TR1
(Router)
|
----+-------+--- Link X (Prefix X, MTU=1500)
|
TN1
(SGW)
|
----+-------+--- Link Y (Prefix Y, MTU=1500)
|
TH1
(Host)
Prefix A = 2001:0db8:0001:0001::/64
Prefix X = 2001:0db8:000f:0001::/64
Prefix Y = 2001:0db8:000f:0002::/64
| Device | Role | Link | Address |
|---|---|---|---|
| NUT | End-Node | Link A | Prefix A::any_interface_ID (External Address); Prefix Y::1 (Internal Address, assigned by CP) |
| TR1 | Router | Link A | fe80::f |
| TN1 | SGW | Link X | Prefix X::1 |
| TH1 | Host | Link Y | Prefix Y::f |
* Configuration
In each part, configure the NUT according to the Common Configuration, except for the traffic selector. Configure the NUT to transmit a CFG_REQUEST for INTERNAL_IP6_ADDRESS. The traffic selector must be configured according to the following table.
| Traffic Selector | Source Address Range | Source Next Layer Protocol | Source Port Range | Destination Address Range | Destination Next Layer Protocol | Destination Port Range |
|---|---|---|---|---|---|---|
| Inbound | Link Y | ANY | ANY | NUT (internal address) | ANY | ANY |
| Outbound | NUT (internal address) | ANY | ANY | Link Y | ANY | ANY |
The NUT must propose Traffic Selectors covering the above address ranges.
* Pre-Sequence and Cleanup Sequence
IKEv2 on the NUT is disabled after each part.
NUT TN1
(End-Node) (End-Node)
| |
|------------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
| | (Judgement #1)
|<-------------------| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
| | (Packet #1)
| |
|------------------->| IKE_AUTH request (HDR, SK {IDi, AUTH, N, CP(CFG_REQUEST), SAi2, TSi, TSr})
| | (Judgement #2)
|<-------------------| IKE_AUTH Response (HDR, SK {IDr, AUTH, N, SAr2, TSi, TSr})
| | (Packet #2)
| |
|<-------------------| INFORMATIONAL request (HDR, SK {})
| | (Packet #3)
|------------------->| INFORMATIONAL response (HDR, SK {})
| | (Judgement #3)
| |
V V
| Packet | Definition |
|---|---|
| Packet #1 | See Common Packet #2 |
| Packet #2 | See below |
| Packet #3 | See Common Packet #17 |
Packet #2: IKE_AUTH response packet

| Header / Payload | Field | Value |
|---|---|---|
| IPv6 Header | | Same as Common Packet #6 |
| UDP Header | | Same as Common Packet #6 |
| IKEv2 Header | | Same as Common Packet #6 |
| E Payload | | Same as Common Packet #6 |
| IDr Payload | | Same as Common Packet #6 |
| AUTH Payload | Next Payload | 33 (SA) |
| | Other fields | Same as Common Packet #6 |
| SA Payload | | Same as Common Packet #6 |
| TSi Payload | Traffic Selectors | See below |
| | Other fields | Same as Common Packet #6 |
| TSr Payload | | Same as Common Packet #6 |

Traffic Selector (referenced from the TSi Payload above)

| Field | Value |
|---|---|
| TS Type | 8 (IPV6_ADDR_RANGE) |
| IP Protocol ID | 0 (any) |
| Selector Length | 40 |
| Start Port | 0 |
| End Port | 65535 |
| Starting Address | Prefix Y::1 |
| Ending Address | Prefix Y::1 |
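An added example (not part of the test specification) of how a test harness can check the Packet #2 expectations above: it encodes the Traffic Selector substructure and the generic payload chain from RFC 7296, walks the decrypted SK{} contents, and reports whether a CP payload is absent, whether the AUTH payload's Next Payload is 33 (SA), and whether TSi carries the single Prefix Y::1 selector. The concrete address 2001:db8:f:2::1 is Prefix Y::1 derived from the topology's Prefix Y; the IDr, AUTH and SA bodies are opaque constructed placeholders, and the decryption and integrity check that precede the walk are assumed to have been done already by the harness.

```python
import ipaddress
import struct

# IKEv2 payload type numbers (RFC 7296, section 3.2).
NO_NEXT_PAYLOAD, SA, IDR, AUTH, TSI, TSR, CP = 0, 33, 36, 39, 44, 45, 47
TS_IPV6_ADDR_RANGE = 8  # TS Type 8, as in the Packet #2 table

# Constructed concrete value for "Prefix Y::1" (Prefix Y = 2001:0db8:000f:0002::/64).
PREFIX_Y_1 = ipaddress.IPv6Address("2001:db8:f:2::1")


def encode_ts(start, end, proto=0, start_port=0, end_port=65535):
    """Encode one Traffic Selector substructure (RFC 7296, section 3.13.1):
    TS Type, IP Protocol ID, Selector Length, Start Port, End Port, Start/End Address."""
    s, e = ipaddress.IPv6Address(start), ipaddress.IPv6Address(end)
    body = s.packed + e.packed  # 16 + 16 bytes, so Selector Length is 8 + 32 = 40
    return struct.pack("!BBHHH", TS_IPV6_ADDR_RANGE, proto, 8 + len(body), start_port, end_port) + body


def decode_ts(buf):
    """Decode one IPv6 address-range Traffic Selector; rejects other types and bad lengths."""
    ts_type, proto, length, start_port, end_port = struct.unpack("!BBHHH", buf[:8])
    if ts_type != TS_IPV6_ADDR_RANGE or length != 40 or len(buf) < 40:
        raise ValueError("expected a 40-byte IPV6_ADDR_RANGE selector")
    return {
        "proto": proto, "start_port": start_port, "end_port": end_port,
        "start": ipaddress.IPv6Address(buf[8:24]), "end": ipaddress.IPv6Address(buf[24:40]),
    }


def encode_ts_payload(selectors):
    """TS payload body: Number of TSs (1 byte), 3 RESERVED bytes, then the selectors."""
    return struct.pack("!B3x", len(selectors)) + b"".join(selectors)


def encode_chain(payloads):
    """Serialise the plaintext payload chain carried inside SK{}: each generic payload
    header (Next Payload, C/RESERVED, Payload Length) names the type of the payload after it."""
    out = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return out


def walk_chain(first_type, buf):
    """Walk the chain starting with first_type (the SK payload's own Next Payload value);
    returns [(payload_type, body), ...] and refuses truncated or zero-length payloads."""
    seq, ptype, off = [], first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + 4 > len(buf):
            raise ValueError("chain runs past end of buffer")
        nxt, _, length = struct.unpack("!BBH", buf[off:off + 4])
        if length < 4 or off + length > len(buf):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        seq.append((ptype, buf[off + 4:off + length]))
        off += length
        ptype = nxt
    return seq


def judge_packet2(first_type, chain):
    """Apply the Packet #2 expectations: no CP payload anywhere, the AUTH payload's Next
    Payload is 33 (SA), and TSi carries exactly one selector Prefix Y::1 .. Prefix Y::1.
    Raises ValueError if AUTH or TSi is missing, since such a response is malformed anyway."""
    seq = walk_chain(first_type, chain)
    types = [t for t, _ in seq]
    auth_idx = types.index(AUTH)
    tsi_body = seq[types.index(TSI)][1]
    ts = decode_ts(tsi_body[4:])
    return {
        "no_cfg_reply": CP not in types,
        "auth_next_is_sa": auth_idx + 1 < len(types) and types[auth_idx + 1] == SA,
        "tsi_single_internal_addr": tsi_body[0] == 1 and ts["proto"] == 0
            and ts["start_port"] == 0 and ts["end_port"] == 65535
            and ts["start"] == PREFIX_Y_1 and ts["end"] == PREFIX_Y_1,
    }


def build_sample_packet2(with_cfg_reply=False):
    """Constructed plaintext of the IKE_AUTH response's SK{} contents, following the
    Packet #2 table (IDr, AUTH, SA, TSi, TSr). Bodies other than TSi/TSr are placeholders;
    with_cfg_reply=True inserts a CP payload between AUTH and SA to show both checks flipping."""
    tsi = encode_ts_payload([encode_ts(PREFIX_Y_1, PREFIX_Y_1)])
    tsr = encode_ts_payload([encode_ts("2001:db8:f:2::", "2001:db8:f:2:ffff:ffff:ffff:ffff")])  # Link Y
    payloads = [(IDR, b"\x02\x00\x00\x00" + b"sgw"), (AUTH, b"\x02\x00\x00\x00" + b"\x00" * 20)]
    if with_cfg_reply:
        payloads.append((CP, b"\x02\x00\x00\x00"))  # CFG Type 2 (CFG_REPLY), no attributes
    payloads += [(SA, b"\x00" * 8), (TSI, tsi), (TSR, tsr)]
    return encode_chain(payloads)


if __name__ == "__main__":
    print(judge_packet2(IDR, build_sample_packet2()))
    print(judge_packet2(IDR, build_sample_packet2(with_cfg_reply=True)))
```

The walk deliberately trusts only the lengths it can verify against the buffer, so a response whose payload lengths overrun the decrypted data is rejected instead of being judged on partial parsing.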
Part A (ADVANCED)
1. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
2. Observe the messages transmitted on Link A.
3. TN1 responds with an IKE_SA_INIT response to the NUT.
4. Observe the messages transmitted on Link A.
5. After reception of IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH
response to the NUT. The message does not include any Configuration payloads.
6. TH1 transmits an INFORMATIONAL request with no payload to NUT.
7. Observe the messages transmitted on Link A.
Part A
Step 2: Judgment #1
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES",
"PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed
algorithms.
Step 4: Judgment #2
The NUT transmits an IKE_AUTH request including "ENCR_3DES",
"AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed
algorithms.
Step 7: Judgment #3
The NUT transmits an INFORMATIONAL response with no payload to the TN1.
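An added example (again not the specification's own code) of checking Judgment #1 and Judgment #2 mechanically: it encodes and parses the IKEv2 SA payload's proposal and transform substructures (RFC 7296, section 3.3) and reports whether an observed SAi1 or SAi2 body offers every required transform. Transform type and ID numbers are those of the IANA IKEv2 registry; the SPI in the ESP sample is a constructed placeholder, and parsing starts at the SA payload body, i.e. after the generic payload header.

```python
import struct

# Transform types (RFC 7296, section 3.3.2) and protocol IDs (section 3.3.1).
ENCR, PRF, INTEG, DH, ESN = 1, 2, 3, 4, 5
PROTO_IKE, PROTO_ESP = 1, 3
# Transform IDs for the algorithms named in Judgments #1 and #2 (IANA IKEv2 registry).
ENCR_3DES, PRF_HMAC_SHA1, AUTH_HMAC_SHA1_96, DH_GROUP_2, ESN_NONE = 3, 2, 2, 2, 0

# Judgment #1 is the IKE proposal in IKE_SA_INIT; Judgment #2 the ESP proposal in IKE_AUTH.
JUDGMENT_1 = {(ENCR, ENCR_3DES), (PRF, PRF_HMAC_SHA1), (INTEG, AUTH_HMAC_SHA1_96), (DH, DH_GROUP_2)}
JUDGMENT_2 = {(ENCR, ENCR_3DES), (INTEG, AUTH_HMAC_SHA1_96), (ESN, ESN_NONE)}


def encode_transform(ttype, tid, last):
    """Transform substructure: 0 (last) / 3 (more), RESERVED, length, type, RESERVED, ID."""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8, ttype, 0, tid)


def encode_proposal(num, proto, spi, transforms, last=True):
    """Proposal substructure: 0 (last) / 2 (more), RESERVED, length, proposal number,
    protocol ID, SPI size, number of transforms, SPI, transforms."""
    tb = b"".join(encode_transform(t, i, k == len(transforms) - 1)
                  for k, (t, i) in enumerate(transforms))
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(tb),
                      num, proto, len(spi), len(transforms))
    return hdr + spi + tb


def parse_sa(body):
    """Parse an SA payload body into [(protocol_id, {(transform_type, transform_id), ...}), ...].
    Transform attributes (e.g. key length) are skipped via the transform length; bad lengths raise."""
    proposals, off = [], 0
    while off < len(body):
        if off + 8 > len(body):
            raise ValueError("truncated proposal header at offset %d" % off)
        more, _, plen, _num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        if plen < 8 + spi_size or off + plen > len(body):
            raise ValueError("bad proposal length at offset %d" % off)
        toff, end = off + 8 + spi_size, off + plen
        transforms = set()
        for _ in range(ntrans):
            if toff + 8 > end:
                raise ValueError("transform runs past its proposal")
            _more, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", body[toff:toff + 8])
            if tlen < 8 or toff + tlen > end:
                raise ValueError("bad transform length at offset %d" % toff)
            transforms.add((ttype, tid))
            toff += tlen
        proposals.append((proto, transforms))
        off = end
        if more == 0:
            break
    return proposals


def judge(sa_body, proto, required):
    """True when at least one proposal for `proto` offers every transform in `required`."""
    return any(p == proto and required <= offered for p, offered in parse_sa(sa_body))


def sample_sai1():
    """Constructed SAi1 body satisfying Judgment #1 (IKE proposal; no SPI in IKE_SA_INIT)."""
    return encode_proposal(1, PROTO_IKE, b"", [(ENCR, ENCR_3DES), (PRF, PRF_HMAC_SHA1),
                                               (INTEG, AUTH_HMAC_SHA1_96), (DH, DH_GROUP_2)])


def sample_sai2():
    """Constructed SAi2 body satisfying Judgment #2 (ESP proposal, placeholder 4-byte SPI)."""
    return encode_proposal(1, PROTO_ESP, b"\x00\x00\x10\x01",
                           [(ENCR, ENCR_3DES), (INTEG, AUTH_HMAC_SHA1_96), (ESN, ESN_NONE)])


if __name__ == "__main__":
    print("Judgment #1:", judge(sample_sai1(), PROTO_IKE, JUDGMENT_1))
    print("Judgment #2:", judge(sample_sai2(), PROTO_ESP, JUDGMENT_2))
```

Because the judgment only requires that the named transforms be among those proposed, `judge` uses a subset test; a harness that must also reject unexpected extra transforms would compare the sets for equality instead.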
* None