Test IKEv2.EN.I.2.1.2.5: Receipt of unrecognized Configuration Attributes Part A (ADVANCED)
To verify an IKEv2 device properly handles unrecognized Configuration Attributes.
* [RFC 4306] - Sections 2.19 and 3.15
* Network Topology
Connect the devices according to the following topology.

        NUT (End-Node)
             |
    ----+----+--- Link A (Prefix A, MTU=1500)
        |
    TR1 (Router)
        |
    ----+----+--- Link X (Prefix X, MTU=1500)
        |
    TN1 (SGW)
        |
    ----+----+--- Link Y (Prefix Y, MTU=1500)
        |
    TH1 (Host)

Prefix A = 2001:0db8:0001:0001::/64
Prefix X = 2001:0db8:000f:0001::/64
Prefix Y = 2001:0db8:000f:0002::/64

Device  Role      Link    Address
NUT     End-Node  Link A  Prefix A::any_interface_ID (External Address)
                          Prefix Y::1 (Internal Address, assigned by CP)
TR1     Router    Link A  fe80::f
TN1     SGW       Link X  Prefix X::1
TH1     Host      Link Y  Prefix Y::f
* Configuration
In each part, configure NUT according to the Common Configuration except the traffic selector. Configure NUT to transmit CFG_REQUEST for INTERNAL_IP6_ADDRESS. The traffic selector must be configured by the following table.

Traffic    Source                                                      Destination
Selector   Address Range           Next Layer Protocol  Port Range     Address Range           Next Layer Protocol  Port Range
Inbound    Link Y                  ANY                  ANY            NUT (internal address)  ANY                  ANY
Outbound   NUT (internal address)  ANY                  ANY            Link Y                  ANY                  ANY

NUT must propose a Traffic Selector covering the above address range.
* Pre-Sequence and Cleanup Sequence
IKEv2 on the NUT is disabled after each part.

      NUT                        TN1
   (End-Node)                 (End-Node)
       |                          |
       |------------------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
       |                          | (Judgement #1)
       |<-------------------------| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
       |                          | (Packet #1)
       |------------------------->| IKE_AUTH request (HDR, SK {IDi, AUTH, N, CP(CFG_REQUEST), SAi2, TSi, TSr})
       |                          | (Judgement #2)
       |<-------------------------| IKE_AUTH Response (HDR, SK {IDr, AUTH, CP(CFG_REPLY), SAr2, TSi, TSr})
       |                          | (Packet #2)
       |<-------------------------| INFORMATIONAL request (HDR, SK {})
       |                          | (Packet #3)
       |------------------------->| INFORMATIONAL response (HDR, SK {})
       |                          | (Judgement #3)
       V                          V

Packet #1  See Common Packet #2
Packet #2  See Below
Packet #3  See Common Packet #17
Packet #2: IKE_AUTH response packet
IPv6 Header     Same as Common Packet #6
UDP Header      Same as Common Packet #6
IKEv2 Header    Same as Common Packet #6
E Payload       Same as Common Packet #6
IDr Payload     Same as Common Packet #6
AUTH Payload    Next Payload: 47 (CP)
                Other fields are same as Common Packet #6
CP Payload      Next Payload: 33 (SA)
                Critical: 0
                Reserved: 0
                Payload Length: 29
                CFG Type: 2 (CFG_REPLY)
                RESERVED: 0
                Configuration Attributes: See below
SA Payload      Same as Common Packet #6
TSi Payload     Traffic Selectors: See below
                Other fields are same as Common Packet #6
TSr Payload     Same as Common Packet #6

Configuration Attributes
  Reserved: 0
  Attribute Type: 32767
  Length: 17
  Value: IPv6 address Prefix Y::1, Prefix-length 128

Traffic Selector
  TS Type: 8 (IPV6_ADDR_RANGE)
  IP Protocol ID: 0 (any)
  Selector Length: 40
  Start Port: 0
  End Port: 65535
  Starting Address: Prefix Y::1
  Ending Address: Prefix Y::1
Part A (ADVANCED)
1. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
2. Observe the messages transmitted on Link A.
3. TN1 responds with an IKE_SA_INIT response to the NUT.
4. Observe the messages transmitted on Link A.
5. After reception of IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH response to the NUT. The message includes a Configuration Attribute of unrecognized Attribute Type.
6. TH1 transmits an INFORMATIONAL request with no payload to NUT.
7. Observe the messages transmitted on Link A.
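The behaviour this part checks is that the NUT walks the CP payload attribute by attribute using each attribute's own Length field, ignores the type it does not recognize, and carries on with the IKE_SA so that the later INFORMATIONAL exchange still completes. The Python below is an added illustration of that receive-side logic, not code from the test suite or from any NUT implementation. It encodes the CP payload exactly as Packet #2 lays it out (Next Payload 33, CFG_REPLY, one attribute of type 32767 and length 17 carrying Prefix Y::1/128, Payload Length 29), decodes it, and shows that the unrecognized attribute is skipped cleanly, including the case where a recognized INTERNAL_IP6_ADDRESS follows it. The attribute type value 8 for INTERNAL_IP6_ADDRESS and the private-use range 16384..32767 come from RFC 4306 section 3.15.1; the function and constant names are this example's own.

```python
import struct
import ipaddress

# Configuration attribute types (RFC 4306, section 3.15.1)
INTERNAL_IP6_ADDRESS = 8          # value: 16-octet IPv6 address + 1-octet prefix-length (17 octets)
PRIVATE_USE_MIN, PRIVATE_USE_MAX = 16384, 32767   # 32767 is the Attribute Type TN1 uses in Packet #2
CFG_REQUEST, CFG_REPLY = 1, 2
NEXT_PAYLOAD_SA = 33              # payload that follows the CP payload in Packet #2

# Prefix Y::1 from the test topology (Prefix Y = 2001:0db8:000f:0002::/64)
PREFIX_Y_1 = ipaddress.IPv6Address("2001:db8:f:2::1")


def build_cp_payload(next_payload, cfg_type, attributes):
    """Encode a Configuration payload: 4-octet generic payload header, CFG Type, three
    RESERVED octets, then one TLV (Reserved/Type, Length, Value) per attribute."""
    body = b"".join(
        struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value   # R bit (MSB) left 0
        for attr_type, value in attributes
    )
    payload_length = 4 + 4 + len(body)
    generic_header = struct.pack("!BBH", next_payload, 0, payload_length)  # Critical=0, Reserved=0
    return generic_header + struct.pack("!B3x", cfg_type) + body


def parse_cp_payload(data):
    """Decode a Configuration payload into (next_payload, cfg_type, [(attr_type, value), ...]).
    Every attribute is stepped over by its own Length field, so an attribute of a type the
    parser has never seen is carried through intact instead of desynchronizing the walk."""
    if len(data) < 8:
        raise ValueError("truncated Configuration payload")
    next_payload, _flags, payload_length = struct.unpack("!BBH", data[:4])
    if payload_length < 8 or payload_length > len(data):
        raise ValueError("bad Payload Length")
    cfg_type = data[4]
    attrs = []
    pos = 8
    while pos < payload_length:
        if payload_length - pos < 4:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if pos + attr_len > payload_length:
            raise ValueError("attribute Length runs past the payload")
        attrs.append((attr_type & 0x7FFF, data[pos:pos + attr_len]))
        pos += attr_len
    return next_payload, cfg_type, attrs


def select_internal_ip6(attrs):
    """Pick the assigned address from a CFG_REPLY: the first well-formed INTERNAL_IP6_ADDRESS
    wins; every other type, including the private-use range 16384..32767, is ignored
    (RFC 4306 section 3.15.1), so the initiator neither rejects the reply nor tears down the IKE_SA."""
    for attr_type, value in attrs:
        if attr_type == INTERNAL_IP6_ADDRESS and len(value) == 17:
            return ipaddress.IPv6Address(value[:16]), value[16]
    return None


def handle_cfg_reply(data):
    """What the NUT should do with Packet #2's CP payload: parse it, take an address if a
    recognized attribute carries one, and otherwise just proceed with the exchange."""
    next_payload, cfg_type, attrs = parse_cp_payload(data)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected CFG_REPLY")
    return select_internal_ip6(attrs)


# Constructed test vectors: the CP payload exactly as Packet #2 describes it (one attribute of
# type 32767, length 17, value Prefix Y::1/128), plus a reply that adds a recognized attribute.
ADDR_VALUE = PREFIX_Y_1.packed + bytes([128])
UNRECOGNIZED_ONLY = build_cp_payload(NEXT_PAYLOAD_SA, CFG_REPLY, [(32767, ADDR_VALUE)])
UNRECOGNIZED_THEN_KNOWN = build_cp_payload(
    NEXT_PAYLOAD_SA, CFG_REPLY, [(32767, ADDR_VALUE), (INTERNAL_IP6_ADDRESS, ADDR_VALUE)]
)

if __name__ == "__main__":
    print(len(UNRECOGNIZED_ONLY), UNRECOGNIZED_ONLY.hex())  # 29 octets, matching Payload Length 29
    print(handle_cfg_reply(UNRECOGNIZED_ONLY))               # None: attribute ignored, exchange continues
    print(handle_cfg_reply(UNRECOGNIZED_THEN_KNOWN))         # (IPv6Address('2001:db8:f:2::1'), 128)
```

The length bookkeeping is the part worth copying: because each attribute is skipped by its declared Length rather than by a per-type table, a type the NUT has never seen costs it nothing, while a Length that overruns the payload is rejected before any value is read.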
Part A
Step 2: Judgment #1
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed algorithms.
Step 4: Judgment #2
The NUT transmits an IKE_AUTH request including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed algorithms.
Step 7: Judgment #3
The NUT transmits an INFORMATIONAL response with no payload to the TN1.
* None