KINK Conformance Test Specification Revision 1.0.0

Transcription

TAHI Project
Conformance Test Specification
KINK
Technical Document
Revision 1.0.0
Converged Test Specification
TAHI Project (Japan)
MODIFICATION RECORD
Version 1.0.0
Version 0.1.0
Version 0.0.0
Mar. 23, 2010
- supported whole message exchanges in RFC 4430
Feb. 24, 2009
- supported only optimistic keying
Jan. 15, 2009
- launched this document
TAHI Project TECHNICAL DOCUMENT
1
KINK Test Specification
ACKNOWLEDGMENTS
The TAHI Project would like to acknowledge the efforts of the following organizations in
the development of this test suite.
Authors:
Yokogawa Electric Corporation
Commentators:
NTT Advanced Technology Corporation (NTT-AT)
Note:
Development of this document was supported in part by a grant from NICT.
2
INTRODUCTION
Overview:
TAHI Project is the joint effort formed with the objective of developing and providing
the verification technology for IPv6.
The growth process of IPv4 was the history of encountering various kinds of obstacles
and conquering such obstacles.
However, once the position as infrastructure was
established, it is not allowed to repeat the same history.
This is a reason why the
verification technology is essential for IPv6 deployment.
We research and develop conformance tests and interoperability tests for IPv6.
We closely work with the KAME project and USAGI project.
We help activities of these
projects in the quality side by offering the verification technology we develop in TAHI
project and improve the development efficiency.
We open the results and fruits of the project to the public for FREE.
Any developer
concerned with IPv6 can utilize the results and fruits of TAHI project freely.
software plays an important role in progress of the Internet.
Free
We believe that providing
the verification technology for FREE contributes to advances of IPv6.
Besides the programs, the specifications and criteria of verification will be included in
the Package.
3
Abbreviations and Acronyms:
TN:
TH:
TR:
NUT:
HUT:
RUT:
EN:
SGW:
SPI:
KDC:
KINK:
DPD:
PFS:
SA:
P:
T
KE:
IDi:
IDr:
Ni:
Nr:
N:
D:
TLV:
TV:
Testing Node
Testing Host
Testing Router
Node Under Test
Host Under Test
Router Under Test
End Node
Security Gateway
Security Parameter Index
Key Distribution Center
Kerberized Internet Negotiation of Keys
Dead Peer Detection
Perfect Forward Secrecy
Security Association
Proposal
Transform
Key Exchange
Identification – Initiator
Identification – Responder
Nonce – Initiator
Nonce – Responder
Notification
Delete
Type/Length/Value
Type/Value
4
Advanced Functionality Tests:
The following tests may be omitted if the NUT does not support the advanced
functionalities.
Test Label
EN.EN.I.1.1
EN.EN.I.1.2
EN.EN.I.1.3
EN.EN.I.2.1
EN.EN.I.2.2
EN.EN.I.2.3
EN.EN.I.2.4
EN.EN.I.2.5
EN.EN.I.2.6
EN.EN.I.3.1
EN.EN.I.4.1
EN.EN.I.6.1
EN.EN.I.7.1
EN.EN.I.7.2
EN.EN.I.7.3
EN.EN.I.8.1
EN.EN.I.8.2
EN.EN.I.8.3
EN.EN.I.8.4
EN.EN.I.8.5
EN.EN.I.8.6
EN.EN.I.8.7
EN.EN.I.8.8
EN.EN.I.9.1
EN.EN.I.9.2
EN.EN.I.9.3
EN.EN.I.9.4
EN.EN.I.9.5
EN.EN.R.1.1
EN.EN.R.1.2
EN.EN.R.2.1
EN.EN.R.2.2
EN.EN.R.2.3
EN.EN.R.2.4
EN.EN.R.2.5
EN.EN.R.2.6
EN.EN.R.2.7
EN.EN.R.2.8
EN.EN.R.2.9
EN.EN.R.3.1
EN.EN.R.3.2
EN.EN.R.4.1
EN.EN.R.4.2
EN.EN.R.4.3
EN.EN.R.5.1
EN.EN.R.5.2
Part
A
A
A
A
B
C
D
E
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
B
C
D
E
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
ENs
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(BASIC)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(BASIC)
(BASIC)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(ADVANCED)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
SGWs
-
Required ADVANCED function
NULL encryption algorithm
AES-CBC with 128-bit keys
AES-CTR with 128-bit keys
NULL authentication algorithm
AES-XCBC-MAC-96
Transmitting multiple Transform payloads
Transmitting multiple Proposal payloads
PFS
User-to-User authentication
AES-XCBC-MAC-96
PFS
-
-
5
EN.EN.R.6.1
EN.EN.R.6.2
EN.EN.R.6.3
EN.EN.R.7.1
EN.EN.R.7.2
EN.EN.R.7.3
EN.EN.R.7.4
EN.EN.R.8.1
EN.EN.R.8.2
EN.EN.R.8.3
EN.EN.R.8.4
EN.EN.R.8.5
EN.EN.R.8.6
EN.EN.R.9.1
EN.EN.R.9.2
EN.EN.R.9.3
EN.EN.R.9.4
EN.EN.R.9.5
EN.EN.R.9.6
EN.EN.R.9.7
EN.EN.R.9.8
EN.EN.R.9.9
EN.EN.R.9.10
EN.EN.R.9.11
EN.SGW.I.1.1
EN.SGW.R.1.1
SGW.SGW.I.1.1
SGW.SGW.I.1.2
SGW.SGW.I.1.3
SGW.SGW.I.1.4
SGW.SGW.I.2.1
SGW.SGW.I.2.2
SGW.SGW.I.2.3
SGW.SGW.I.2.4
SGW.SGW.I.2.5
SGW.SGW.I.2.6
SGW.SGW.I.3.1
SGW.SGW.I.4.1
SGW.SGW.I.6.1
SGW.SGW.I.7.1
SGW.SGW.I.7.2
SGW.SGW.I.7.3
SGW.SGW.I.8.1
SGW.SGW.I.8.2
SGW.SGW.I.8.3
SGW.SGW.I.8.4
SGW.SGW.I.8.5
SGW.SGW.I.8.6
SGW.SGW.I.8.7
SGW.SGW.I.8.8
SGW.SGW.I.9.1
SGW.SGW.I.9.2
SGW.SGW.I.9.3
SGW.SGW.I.9.4
SGW.SGW.I.9.5
SGW.SGW.R.1.1
SGW.SGW.R.1.2
SGW.SGW.R.2.1
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
B
A
A
A
A
A
A
A
A
A
A
A
A
A
A
B
C
D
E
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
B
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(ADVANCED)
-
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(BASIC)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(BASIC)
(BASIC)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(ADVANCED)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(ADVANCED)
6
Endpoint to Security Gateway Tunnel
AES-XCBC-MAC-96
PFS
SGW.SGW.R.2.2
SGW.SGW.R.2.3
SGW.SGW.R.2.4
SGW.SGW.R.2.5
SGW.SGW.R.2.6
SGW.SGW.R.2.7
SGW.SGW.R.2.8
SGW.SGW.R.2.9
SGW.SGW.R.3.1
SGW.SGW.R.3.2
SGW.SGW.R.4.1
SGW.SGW.R.4.2
SGW.SGW.R.4.3
SGW.SGW.R.5.1
SGW.SGW.R.5.2
SGW.SGW.R.6.1
SGW.SGW.R.6.2
SGW.SGW.R.6.3
SGW.SGW.R.7.1
SGW.SGW.R.7.2
SGW.SGW.R.7.3
SGW.SGW.R.7.4
SGW.SGW.R.8.1
SGW.SGW.R.8.2
SGW.SGW.R.8.3
SGW.SGW.R.8.4
SGW.SGW.R.8.5
SGW.SGW.R.8.6
SGW.SGW.R.9.1
SGW.SGW.R.9.2
SGW.SGW.R.9.3
SGW.SGW.R.9.4
SGW.SGW.R.9.5
SGW.SGW.R.9.6
SGW.SGW.R.9.7
SGW.SGW.R.9.8
SGW.SGW.R.9.9
SGW.SGW.R.9.10
SGW.SGW.R.9.11
SGW.EN.I.1.1
SGW.EN.R.1.1
C
D
E
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
A
B
A
A
A
A
A
A
A
A
A
-
(ADVANCED)
(ADVANCED)
(ADVANCED)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(ADVANCED)
(ADVANCED)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(BASIC)
(ADVANCED)
(ADVANCED)
7
AES-XCBC-MAC-96
PFS
TEST ORGANIZATION
This document organizes tests by Section based on related test methodology or goals.
Each group begins with a brief set of comments pertaining to all tests within that group.
This is followed by a series of description blocks; each block describes a single test. The
format of the description block is as follows:
Test Label:
Purpose:
References:
Resource
Requirements:
Test Setup:
Procedure:
Observable
Results:
Possible
Problems:
The test label and title comprise the first line of the test block. The
test label is composed by concatenating the short test suite name, the
section number, the group number, and the test number within the
group. These elements are separated by periods. The Test
Number is the section, group and test number, also separated by
periods.
The Purpose is a short statement describing what the test attempts
to achieve. It is usually phrased as a simple assertion of the feature
or capability to be tested.
The References section lists cross-references to the specifications and
documentation that might be helpful in understanding and
evaluating the test and results.
The Resource Requirements section specifies the software, hardware,
and test equipment that will be needed to perform the test.
The Test Setup section describes the configuration of all devices prior
to the start of the test. Different parts of the procedure may involve
configuration steps that deviate from what is given in the test setup.
If a value is not provided for a protocol parameter, then the protocol’s
default is used for that parameter.
This section of the test description contains the step-by-step
instructions for carrying out the test. These steps include such
things as enabling interfaces, unplugging devices from the network,
or sending packets from a test station. The test procedure also cues
the tester to make observations, which are interpreted in accordance
with the observable results given for that test part.
This section lists observable results that can be examined by the
tester to verify that the NUT is operating properly. When multiple
observable results are possible, this section provides a short
discussion on how to interpret them. The determination of a pass or
fail for each test is usually based on how the NUT’s behavior
compares to the results described in this section.
This section contains a description of known issues with the test
procedure, which may affect test results in certain situations.
8
REFERENCES
The following documents are referenced in this text:
[KERBEROS]
[KINK]
Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos
Network Authentication Service (V5)", RFC 4120, July 2005.
Sakane, S., Kamada, K., Thomas, M. and J. Vilhuber, "Kerberized
Internet Negotiation of Keys (KINK)", RFC 4430, March 2006.
9
TABLE OF CONTENTS
MODIFICATION RECORD ................................................................................................ 1
ACKNOWLEDGMENTS .................................................................................................... 2
INTRODUCTION................................................................................................................ 3
Overview: ......................................................................................................................... 3
Abbreviations and Acronyms: ......................................................................................... 4
Advanced Functionality Tests: ........................................................................................ 5
TEST ORGANIZATION...................................................................................................... 8
REFERENCES .................................................................................................................... 9
TABLE OF CONTENTS ................................................................................................... 10
Requirements .................................................................................................................... 17
Equipment Type:............................................................................................................ 17
Function List:................................................................................................................. 18
Chapter 1: EN implementation ........................................................................................ 19
Section 1.1: EN to EN Transport .................................................................................. 20
Subsection 1.1.1: Initiator.......................................................................................... 23
Group 1: CREATE Message Flow .......................................................................... 35
EN.EN.I.1.1: Sending CREATE Message .......................................................... 36
EN.EN.I.1.2: CREATE Message Flow (2-way handshake) ............................... 38
EN.EN.I.1.3: The non-optimistic keying by receipt of Nr ................................. 41
Group 2: Cryptographic Algorithm Negotiation.................................................... 44
EN.EN.I.2.1: Cryptographic Algorithm Negotiation ......................................... 45
EN.EN.I.2.2: The shorter LIFE_SECONDS is selected from optimistic proposal
............................................................................................................................. 49
EN.EN.I.2.3: The optimistic proposal is selected from multiple transforms ... 52
EN.EN.I.2.4: The non-optimistic proposal is selected from multiple transforms
............................................................................................................................. 56
EN.EN.I.2.5: The optimistic proposal is selected from multiple proposals...... 60
EN.EN.I.2.6: The non-optimistic proposal is selected from multiple proposals
............................................................................................................................. 64
Group 3: Perfect Forward Secrecy ......................................................................... 68
EN.EN.I.3.1: PFS................................................................................................ 69
Group 4: Rekeying .................................................................................................. 74
EN.EN.I.4.1: Initiating Rekeying....................................................................... 75
Group 5: DELETE Message Flow .......................................................................... 78
10
Group 6: Dead Peer Detection................................................................................ 79
EN.EN.I.6.1: Initiating Liveness Check ............................................................ 80
Group 7: GETTGT Message Flow .......................................................................... 83
EN.EN.I.7.1: Sending GETTGT Message .......................................................... 84
EN.EN.I.7.2: GETTGT Message Flow ............................................................... 86
EN.EN.I.7.3: Receipt of KINK_TGT_REP against a KINK command with a
User-to-User ticket that cannot be decrypted with its TGT ............................. 89
Group 8: Retransmission........................................................................................ 92
EN.EN.I.8.1: Retransmission of CREATE ......................................................... 93
EN.EN.I.8.2: Stop the retransmission of CREATE ........................................... 96
EN.EN.I.8.3: Responding to retransmitted REPLY with the ACKREQ bit set99
EN.EN.I.8.4: Retransmission of STATUS........................................................ 102
EN.EN.I.8.5: Stop the retransmission of STATUS.......................................... 105
EN.EN.I.8.6: Retransmission of GETTGT....................................................... 109
EN.EN.I.8.7: Stop the retransmission of GETTGT ......................................... 111
EN.EN.I.8.8: Restart a new transaction by receipt of
KRB_AP_ERR_TKT_EXPIRED ....................................................................... 114
Group 9: Message Validation ............................................................................... 117
EN.EN.I.9.1: Responding to KINK_ERROR with the ACKREQ bit set......... 118
EN.EN.I.9.2: Receipt of REPLY with non-zero value in reserved field .......... 121
EN.EN.I.9.3: Receipt of unencrypted REPLY.................................................. 124
EN.EN.I.9.4: Receipt of authenticated KRB_AP_ERR_SKEW ...................... 127
EN.EN.I.9.5: Receipt of unauthenticated KRB_AP_ERR_SKEW .................. 131
Subsection 1.1.2: Responder .................................................................................... 135
Group 1: CREATE Message Flow ........................................................................ 151
EN.EN.R.1.1: Receipt of CREATE Message .................................................... 152
EN.EN.R.1.2: CREATE Message Flow ............................................................ 155
Group 2: Cryptographic Algorithm Negotiation.................................................. 158
EN.EN.R.2.1: Cryptographic Algorithm Negotiation ...................................... 159
EN.EN.R.2.2: The shorter LIFE_SECONDS is proposed ............................... 163
EN.EN.R.2.3: Selecting the optimistic proposal from multiple transforms ... 168
EN.EN.R.2.4: Selecting the non-optimistic proposal from multiple transforms
........................................................................................................................... 172
EN.EN.R.2.5: Selecting the optimistic proposal from multiple proposals ..... 176
EN.EN.R.2.6: Selecting the non-optimistic proposal from multiple proposals
........................................................................................................................... 180
11
EN.EN.R.2.7: Responding to multiple KINK_ISAKMP by optimistic keying 184
EN.EN.R.2.8: Responding to multiple KINK_ISAKMP by non-optimistic
keying ................................................................................................................ 196
EN.EN.R.2.9: Sending NO-PROPOSAL-CHOSEN ......................................... 206
Group 3: Perfect Forward Secrecy ....................................................................... 211
EN.EN.R.3.1: PFS............................................................................................. 212
EN.EN.R.3.2: Sending INVALID-PAYLOAD-TYPE against the receipt of KE
........................................................................................................................... 217
Group 4: Rekeying ................................................................................................ 222
EN.EN.R.4.1: Responding to Rekeying............................................................ 223
EN.EN.R.4.2: Receipt of transaction ID constructed by using a non monotonic
counter............................................................................................................... 227
EN.EN.R.4.3: Responding to CREATE with INVALID-SPI............................ 231
Group 5: DELETE Message Flow ........................................................................ 236
EN.EN.R.5.1: DELETE Message Flow ............................................................ 237
EN.EN.R.5.2: Responding to DELETE with INVALID-SPI ........................... 240
Group 6: Dead Peer Detection.............................................................................. 245
EN.EN.R.6.1: Responding to Liveness Check.................................................. 246
EN.EN.R.6.2: Closing SA when the principal's epoch has changed ............... 249
EN.EN.R.6.3: Not closing SA by unprotected routing information ................ 252
Group 7: GETTGT Message Flow ........................................................................ 255
EN.EN.R.7.1: Receipt of GETTGT Message .................................................... 256
EN.EN.R.7.2: GETTGT Message Flow ............................................................ 258
EN.EN.R.7.3: Receipt of a KINK command with a User-to-User ticket that
cannot be decrypted with its TGT .................................................................... 261
EN.EN.R.7.4: Sending KINK_U2UDENIED................................................... 263
Group 8: Retransmission...................................................................................... 265
EN.EN.R.8.1: Responding to retransmitted CREATE .................................... 266
EN.EN.R.8.2: Retransmission of REPLY with the ACKREQ bit set .............. 269
EN.EN.R.8.3: Stop the retransmission of REPLY with the ACKREQ bit set 273
EN.EN.R.8.4: Responding to retransmitted DELETE .................................... 277
EN.EN.R.8.5: Responding to retransmitted STATUS..................................... 280
EN.EN.R.8.6: Responding to retransmitted GETTGT .................................... 283
EN.EN.R.9.1: Sending INVALID-PAYLOAD-TYPE against the unrecognized
ISAKMP payload............................................................................................... 286
12
EN.EN.R.9.2: Checksum Verification .............................................................. 291
EN.EN.R.9.3: Sending KINK_INVMAJ........................................................... 293
EN.EN.R.9.4: Sending KINK_BADQMVERS ................................................. 296
EN.EN.R.9.5: Receipt of unnecessary data after the message ....................... 300
EN.EN.R.9.6: Receipt of CREATE with non-zero value in reserved field ...... 303
EN.EN.R.9.7: Receipt of ACK with non-zero value in reserved field ............. 306
EN.EN.R.9.8: Receipt of GETTGT with non-zero value in reserved field...... 310
EN.EN.R.9.9: Receipt of unencrypted CREATE.............................................. 313
EN.EN.R.9.10: Receipt of unencrypted DELETE............................................ 316
EN.EN.R.9.11: Sending KRB_AP_ERR_SKEW .............................................. 320
Section 1.2: EN to SGW Tunnel .................................................................................. 324
Subsection 1.2.1: Initiator........................................................................................ 327
EN.SGW.I.1.1: CREATE Message Flow (2-way handshake)........................... 335
EN.SGW.R.1.1: CREATE Message Flow.......................................................... 350
Chapter 2: SGW implementation ................................................................................... 353
Section 2.1: SGW to SGW Tunnel ............................................................................... 354
SGW.SGW.I.1.1: Sending CREATE Message................................................... 370
SGW.SGW.I.1.2: CREATE Message Flow (2-way handshake) ........................ 372
SGW.SGW.I.1.3: The non-optimistic keying by receipt of Nr.......................... 375
SGW.SGW.I.1.4: Creating an optimistic inbound SA ...................................... 378
SGW.SGW.I.2.1: Cryptographic Algorithm Negotiation.................................. 382
SGW.SGW.I.2.2: The shorter LIFE_SECONDS is selected from optimistic
proposal ............................................................................................................. 386
SGW.SGW.I.2.3: The optimistic proposal is selected from multiple transforms
........................................................................................................................... 389
SGW.SGW.I.2.4: The non-optimistic proposal is selected from multiple
transforms ......................................................................................................... 393
SGW.SGW.I.2.5: The optimistic proposal is selected from multiple proposals
........................................................................................................................... 397
SGW.SGW.I.2.6: The non-optimistic proposal is selected from multiple
13
proposals............................................................................................................ 401
SGW.SGW.I.3.1: PFS......................................................................................... 406
Group 4: Rekeying ................................................................................................ 412
SGW.SGW.I.4.1: Initiating Rekeying ............................................................... 413
SGW.SGW.I.6.1: Initiating Liveness Check ..................................................... 419
SGW.SGW.I.7.1: Sending GETTGT Message................................................... 423
SGW.SGW.I.7.2: GETTGT Message Flow ........................................................ 425
SGW.SGW.I.7.3: Receipt of KINK_TGT_REP against a KINK command with a
User-to-User ticket that cannot be decrypted with its TGT ........................... 428
SGW.SGW.I.8.1: Retransmission of CREATE.................................................. 432
SGW.SGW.I.8.2: Stop the retransmission of CREATE.................................... 435
SGW.SGW.I.8.3: Responding to retransmitted REPLY with the ACKREQ bit
set ...................................................................................................................... 438
SGW.SGW.I.8.4: Retransmission of STATUS .................................................. 441
SGW.SGW.I.8.5: Stop the retransmission of STATUS..................................... 444
SGW.SGW.I.8.6: Retransmission of GETTGT ................................................. 448
SGW.SGW.I.8.7: Stop the retransmission of GETTGT.................................... 450
SGW.SGW.I.8.8: Restart a new transaction by receipt of
KRB_AP_ERR_TKT_EXPIRED ....................................................................... 453
SGW.SGW.I.9.1: Responding to KINK_ERROR with the ACKREQ bit set ... 457
SGW.SGW.I.9.2: Receipt of REPLY with non-zero value in reserved field..... 460
SGW.SGW.I.9.3: Receipt of unencrypted REPLY ............................................ 463
SGW.SGW.I.9.4: Receipt of authenticated KRB_AP_ERR_SKEW ................. 466
SGW.SGW.I.9.5: Receipt of unauthenticated KRB_AP_ERR_SKEW............. 469
SGW.SGW.R.1.1: Receipt of CREATE Message ............................................... 491
SGW.SGW.R.1.2: CREATE Message Flow ....................................................... 494
SGW.SGW.R.2.1: Cryptographic Algorithm Negotiation................................. 498
14
SGW.SGW.R.2.2: The shorter LIFE_SECONDS is proposed.......................... 502
SGW.SGW.R.2.3: Selecting the optimistic proposal from multiple transforms
........................................................................................................................... 507
SGW.SGW.R.2.4: Selecting the non-optimistic proposal from multiple
transforms ......................................................................................................... 511
SGW.SGW.R.2.5: Selecting the optimistic proposal from multiple proposals 515
SGW.SGW.R.2.6: Selecting the non-optimistic proposal from multiple proposals
........................................................................................................................... 519
SGW.SGW.R.2.7: Responding to multiple KINK_ISAKMP by optimistic keying
........................................................................................................................... 523
SGW.SGW.R.2.8: Responding to multiple KINK_ISAKMP by non-optimistic
keying ................................................................................................................ 534
SGW.SGW.R.2.9: Sending NO-PROPOSAL-CHOSEN.................................... 543
SGW.SGW.R.3.1: PFS ....................................................................................... 549
SGW.SGW.R.3.2: Sending INVALID-PAYLOAD-TYPE against the receipt of KE
........................................................................................................................... 554
Group 4: Rekeying ................................................................................................ 559
SGW.SGW.R.4.1: Responding to Rekeying....................................................... 560
SGW.SGW.R.4.2: Receipt of transaction ID constructed by using a non
monotonic counter............................................................................................. 564
SGW.SGW.R.4.3: Responding to CREATE with INVALID-SPI ...................... 568
SGW.SGW.R.5.1: DELETE Message Flow ....................................................... 574
SGW.SGW.R.5.2: Responding to DELETE with INVALID-SPI ...................... 578
SGW.SGW.R.6.1: Responding to Liveness Check ............................................ 584
SGW.SGW.R.6.2: Closing SA when the principal's epoch has changed .......... 587
SGW.SGW.R.6.3: Not closing SA by unprotected routing information ........... 591
SGW.SGW.R.7.1: Receipt of GETTGT Message............................................... 596
SGW.SGW.R.7.2: GETTGT Message Flow ....................................................... 598
SGW.SGW.R.7.3: Receipt of a KINK command with a User-to-User ticket that
cannot be decrypted with its TGT .................................................................... 602
SGW.SGW.R.7.4: Sending KINK_U2UDENIED ............................................. 604
15
SGW.SGW.R.8.1: Responding to retransmitted CREATE............................... 607
SGW.SGW.R.8.2: Retransmission of REPLY with the ACKREQ bit set......... 610
SGW.SGW.R.8.3: Stop the retransmission of REPLY with the ACKREQ bit set
........................................................................................................................... 614
SGW.SGW.R.8.4: Responding to retransmitted DELETE............................... 618
SGW.SGW.R.8.5: Responding to retransmitted STATUS ............................... 622
SGW.SGW.R.8.6: Responding to retransmitted GETTGT............................... 626
SGW.SGW.R.9.1: Sending INVALID-PAYLOAD-TYPE against the
unrecognized ISAKMP payload........................................................................ 629
SGW.SGW.R.9.2: Checksum Verification ......................................................... 634
SGW.SGW.R.9.3: Sending KINK_INVMAJ ..................................................... 636
SGW.SGW.R.9.4: Sending KINK_BADQMVERS ............................................ 639
SGW.SGW.R.9.5: Receipt of unnecessary data after the message .................. 643
SGW.SGW.R.9.6: Receipt of CREATE with non-zero value in reserved field. 646
SGW.SGW.R.9.7: Receipt of ACK with non-zero value in reserved field ........ 649
SGW.SGW.R.9.8: Receipt of GETTGT with non-zero value in reserved field 653
SGW.SGW.R.9.9: Receipt of unencrypted CREATE ........................................ 656
SGW.SGW.R.9.10: Receipt of unencrypted DELETE ...................................... 659
SGW.SGW.R.9.11: Sending KRB_AP_ERR_SKEW ......................................... 663
Section 2.2: SGW to EN Tunnel .................................................................................. 667
SGW.EN.I.1.1: CREATE Message Flow (2-way handshake)........................... 679
SGW.EN.R.1.1: CREATE Message Flow.......................................................... 695
16
Requirements
NUT must satisfy all of the following requirements.
Equipment Type:
There are two possibilities for equipment types:
EN:
A node which can use KINK (IPsec transport mode and optionally
tunnel mode) only for itself.
Host and Router can be an EN.
SGW:
A node which can provide IKEv2 (IPsec tunnel mode) for nodes behind
it.
Router can be a SGW.
17
Function List:
This conformance test specification consists following BASIC/ADVANCED functions.
The tests for ADVANCED functions may be omitted if the NUT does not support the
ADVANCED function. All NUTs are required to support BASIC. ADVANCED is
required for all NUTs which support ADVANCED function.
Table 1 BASIC/ADVANCED Functionality table
Parameter
Kerberos
encryption
Kerberos checksum
Kerberos
authentication
IPsec protocol
IPsec
EN
mode
SGW
IPsec encryption
algorithm
-
BASIC
AES256-CTS-HMAC-SHA1-96
-
HMAC-SHA1-96-AES256
Non-User-to-User authentication
-
ESP
Transport mode
Tunnel mode
TripleDES-CBC
ADVANCED
-
-
-
IPsec
authentication
algorithm
IPsec SA life type
KINK role
KINK_ISAKMP
Payload
-
HMAC-SHA1-96
-
Seconds
Initiator
Responder
Initiating by single
KINK_ISAKMP
Responding to single
KINK_ISAKMP
Responding to multiple
KINK_ISAKMP
Receiving KINK_ENCRYPT
KINK_ENCRYPT
Payload
Proposal Payload
-
Nr payload
-
PFS
-
Transform Payload
Retransmission
-
Rekeying
-
Deleting existing
SA
DPD
Liveness Check
-
-
Sending single Proposal
Receiving single Proposal
Receiving multiple Proposal
Sending single Transform
Receiving single Transform
Receiving multiple Transform
Sending Nr payload when
non-optimistic proposal is selected
Receiving Nr payload
Rejecting KE payload
Retransmitting the command
Retransmitting the response with
the ACKREQ bit set
Initiating Rekeying
Responding to Rekeying
Responding to DELETE message
flow
closing SA when the principal's
epoch has changed
Sending STATUS for DAD
Responding to STATUS for DAD
18
UNTESTED
-
User-to-User
authentication
Tunnel mode
NULL
AES-CBC with
128-bit keys
AES-CTR with
128-bit keys
NULL
AES-XCBC-MAC-96
-
AH
-
-
-
-
Kilobytes
-
-
-
Initiating by
multiple
KINK_ISAKMP
-
-
Sending
KINK_ENCRYPT
-
-
Transmitting
multiple Proposal
-
Transmitting
multiple Transform
-
-
-
-
-
Sending KE payload
Receiving KE payload
-
Sending Nr payload
when optimistic
proposal is selected
-
-
-
-
- Initiating to DELETE
message flow
-
-
-
Chapter 1: EN implementation
19
Section 1.1: EN to EN Transport
Scope:
The following tests cover the endpoint-to-endpoint transport scenario.
In this
endpoint-to-endpoint transport scenario, both endpoints of the IP connection implement
IPsec and the transport mode will be used with no inner IP header.
Overview:
These tests are designed to verify the readiness of a KINK implementation vis-a-vis the
KINK specification when the KINK implementation uses the transport mode IPsec to
communicate with the another endpoint.
Default Network Topology:
The logical network topology involves ENs, KDC and Router on each link.
region labelled as <TN> in Fig 1 is done inside TN node logically.
The shaded
The transport mode
is used in this network topology as shown as Fig 2.
Fig 1 EN to EN Common Network Topology for NUT (EN)
20
Fig 2 EN to EN Transport Scenario for NUT (EN)
Default NUT (EN) Configuration:
- IP configuration:
Address
Default router
NUT - Link A
(Prefix A::<any_interface_ID>)
TR1 - Link A
(fe80::f)
- Kerberos configuration:
KDC
Principal Name
Pre-shared Key
Encryption Type
Checksum Type
KDC - Link X
(Prefix X::e)
"kink/nut.example.com@EXAMPLE.COM"
"KINKtest0123456789abcdefABCDEF!?"
AES256-CTS-HMAC-SHA1-96 (18)
HMAC-SHA1-96-AES256 (16)
disable
- KINK configuration:
Address
Port
Principal Name
PFS
IDi
IDr
ID Type
Protocol ID
Port
Identification
Data
Local
NUT - Link A
kink (910)
"kink/nut.example.com
@EXAMPLE.COM"
disable
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
Remote
TN1 - Link X
(Prefix X::1)
kink (910)
"kink/tn.example.com
@EXAMPLE.COM"
disable
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
- IPsec configuration:
IPsec Security Protocol
IPsec ESP Transform
SA Life Type (1)
SA Life Duration (2)
Encapsulation Mode (4)
Authentication Algorithm (5)
Inbound
Outbound
PROTO_IPSEC_ESP (3) PROTO_IPSEC_ESP (3)
ESP_3DES (3)
ESP_3DES (3)
Seconds (1)
Seconds (1)
28,800
28,800
Transport (2)
Transport (2)
HMAC-SHA (2)
HMAC-SHA (2)
If NUT is the initiator, above proposal must be one of proposals from NUT.
If NUT is the responder, NUT must select above proposal.
21
22
Subsection 1.1.1: Initiator
Scope:
In KINK exchanges, either of endpoints initiates the exchange by sending the command
and the another responds to this command with the response.
The following tests
cover KINK exchanges when the KINK implementation initiates these exchanges.
Overview:
KINK specification when the KINK implementation initiates KINK exchanges.
Default Packets:
Packets sent from TN:
Common Packets to be transmitted from TN are defined as the following. Tests in
this test group may refer to these packets.
Common Transmitted Packet #1: REPLY for CREATE
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
Destination Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
the actual length of this message in octets
Internet IP Security DOI (1)
the same value as CREATE message
KINK_AP_REP (2)
false (0)
0
the actual length of Cksum
KINK_ENCRYPT (7)
0
the actual length of this payload in octets
the current POSIX time
23
AP-REP:
KINK_ENCRYPT Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
Identification Data:
IDr Payload
Next Payload:
raw data of Kerberos AP-REP
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
SIT_IDENTITY_ONLY (1)
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
NONE (0)
24
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
output of the Kerberos 5 get_mic function
with Key Usage Number 40 (Cksum field)
Cksum:
* The shaded region in Common Transmitted Packet #1 is encrypted by
Kerberos encrypt function with Key Usage Number 39 (KINK_ENCRYPT
payload).
Common Transmitted Packet #2: REPLY with Nr for CREATE
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
kink (910)
kink (910)
REPLY (3)
1
0
KINK_AP_REP (2)
true (1)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
25
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDi (5)
0
8 bytes length random data
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
Cksum:
payload).
26
Common Transmitted Packet #3: IPsec ESP { ICMPv6 Echo Request }
IPv6
Next Header:
Source Address:
ESP (50)
TN1 - Link X
(Prefix X::1)
NUT - Link A
ESP
SPI:
Sequence Number:
IV:
proposed by CREATE from NUT
1
8 bytes length stream
that all bits are set to zero
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Request (128)
0
ICMPv6 checksum
0
0
ANY
the actual length of Pad in octets
IPv6-ICMP (58)
calculated by HMAC-SHA1-96
using calculated KEYMAT
TripleDES in CBC mode using calculated KEYMAT.
Common Transmitted Packet #4: REPLY for STATUS
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
the same value as STATUS message
NextPayload:
KINK_AP_REP (2)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REP Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
Payload Length: the actual length of this payload in octets
EPOCH:
the same value as REPLY message
in CREATE Message Flow
AP-REP:
27
Cksum:
Common Transmitted Packet #5: REPLY for GETTGT
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
the same value as GETTGT message
NextPayload:
KINK_TGT_REP (5)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_TGT_REP Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
TGT:
DER-encoded TGT of the responder
Cksum:
Common Transmitted Packet #6: ICMPv6 Destination Unreachable
IPv6
Next Header:
Source Address:
ICMPv6
Type:
Code:
Checksum:
Unused:
Data:
IPv6-ICMP (58)
TR1 - Link X
(Prefix X::f)
NUT - Link A
Destination Unreachable (1)
Address unreachable (3)
ICMPv6 checksum
0
Common Observed Packet #4
Packets sent from NUT:
Common Packets to be transmitted from NUT are defined as the following. Tests
in this test group may refer to these packets.
Common Observed Packet #1: CREATE
28
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
29
kink (910)
kink (910)
CREATE (1)
1
0
ANY
KINK_AP_REQ (1)
false (0)
0
KINK_ENCRYPT (7)
0
raw data of Kerberos AP-REQ
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
Cksum:
* The shaded region in Common Observed Packet #1 is encrypted by Kerberos
encrypt function with Key Usage Number 39 (KINK_ENCRYPT payload).
Common Observed Packet #2: unencrypted CREATE
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
kink (910)
kink (910)
CREATE (1)
1
0
ANY
KINK_AP_REQ (1)
false (0)
0
30
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
IDr Payload
31
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
Cksum:
Common Observed Packet #3: ACK
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
ACK (5)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_AP_REQ (1)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REQ Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REQ:
Cksum:
Common Observed Packet #4: IPsec ESP { ICMPv6 Echo Reply }
IPv6
Next Header:
Source Address:
ESP
SPI:
Sequence Number:
IV:
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
ESP (50)
NUT - Link A
TN1 - Link X
(Prefix X::1)
0x10000000
ANY
ANY
Echo Reply (129)
0
ICMPv6 checksum
0
0
32
Data:
Padding:
Pad Length:
Next Header:
ICV:
ANY
IPv6-ICMP (58)
* The shaded region in Common Observed Packet #4 is encrypted by TripleDES
in CBC mode using calculated KEYMAT.
Common Observed Packet #5: STATUS
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
STATUS (6)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
ANY
NextPayload:
KINK_AP_REQ (1)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REQ Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REQ:
Cksum:
Common Observed Packet #6: GETTGT
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
ACK (5)
1
0
33
XID:
ANY
NextPayload:
KINK_TGT_REQ (4)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_TGT_REQ Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
PrincName:
kink/tn.example.com@EXAMPLE.COM
Cksum:
34
Group 1: CREATE Message Flow
Scope:
The following tests
cover the CREATE message flows when the KINK implementation initiates these
exchanges.
Overview:
KINK specification when the KINK implementation initiates CREATE message flows.
35
EN.EN.I.1.1: Sending CREATE Message
Purpose:
Verify that an initiator transmits CREATE message in properly format
References:
- [KINK] - Section 3.2
Resource Requirements:
- Packet generator
- Monitor to capture packets
- KDC
Test Setup:
- Network Topology
Connect the devices according to the Default Network Topology.
- Configuration
In each part, configure devices according to the Default NUT (EN)
Configuration.
- Pre-Procedure and Cleanup Procedure
Before each part, initialize NUT and synchronize TN and NUT clock.
TN1 and NUT must obtain TGT from their KDC.
Both
NUT must obtain TN1's
service ticket from its KDC.
Procedure:
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
CREATE, AP_REQ,
E{ISAKMP(SA(P(T)), Ni, IDi, IDr)}
36
Part A: (BASIC)
1. NUT starts to negotiate with TN1 by sending CREATE message.
2. Observe the packets transmitted by the NUT on Link A.
Observable Results:
Part A:
Step 2: (Judgment #1)
The NUT must transmit properly formatted CREATE message described as
Common Observed Packet #1 or 2. Data Attributes in Transform payload can be
placed in any order excepting that SA Life Duration Data Attribute is always
follow SA Life Type Data Attribute.
Possible Problems:
- An implementation may add Notification Payload indicating status (not error) or
Vendor ID Payload into KINK_ISAKMP payload by its policy.
The tester must allow
them.
- SA Life Duration Data Attribute sent from NUT may have Variable-Length format
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
37
TLV (0)
ANY
28,800
EN.EN.I.1.2: CREATE Message Flow (2-way handshake)
Purpose:
Verify that an initiator properly establish SA by CREATE message flow
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
38
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
CREATE, AP_REQ,
Packet #1
REPLY, AP_REP,
E{ISAKMP(SA(P(T)), IDi, IDr)}
Packet #2
IPsec(ESP){ICMPv6 Echo Request}
Judgment #2
IPsec(ESP){ICMPv6 Echo Reply}
Part A: (BASIC)
3. TN1 responds to CREATE with REPLY described as Common Transmitted
Packet #1.
4. After responding to CREATE, TN1 transmits ICMPv6 Echo Request
encrypted by ESP described as Common Transmitted Packet #3.
Observable Results:
Part A:
The NUT must transmit properly formatted ICMPv6 Echo Reply encrypted by
ESP described as Common Observed Packet #4.
Possible Problems:
them.
39
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
40
TLV (0)
ANY
28,800
EN.EN.I.1.3: The non-optimistic keying by receipt of Nr
Purpose:
Verify that an initiator properly processes 3-way handshake when the responder
wants to contribute the keying materials
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
41
NUT (EN)
initiator
Judgment #1
Packet #1
Judgment #2
Packet #2
Judgment #3
TN1 (EN)
responder
CREATE, AP_REQ,
REPLY(ACKREQ), AP_REP,
E{ISAKMP(SA(P(T)), Nr, IDi, IDr)}
ACK, AP_REQ
Part A: (BASIC)
Packet #2.
5. After observing ACK, TN1 transmits ICMPv6 Echo Request encrypted by ESP
described as Common Transmitted Packet #3.
Observable Results:
Part A:
The NUT must respond to REPLY with ACK described as Common Observed
Packet #3.
42
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
43
TLV (0)
ANY
28,800
Group 2: Cryptographic Algorithm Negotiation
Scope:
Creating SAs has two modes -- 2-way handshake and 3-way handshake.
The initiator
usually begins a negotiation expecting a 2-way handshake but the negotiation is
switched to a 3-way handshake when the optimistic proposal is not chosen by the
responder. The following tests cover 2-way handshake and 3-way handshake.
Overview:
KINK specification when the KINK implementation can switch two modes while the
cryptographic algorithm negotiation.
44
EN.EN.I.2.1: Cryptographic Algorithm Negotiation
Purpose:
Verify that an initiator properly establish SA with the specific cryptographic
algorithms
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration, however use Cryptographic Algorithms as described below.
Part
A
B
C
D
E
IPsec encryption algorithm
ESP_NULL (11)
ESP_AES-CBC (12) with 128-bit keys
ESP_AES-CTR (13) with 128-bit keys
ESP_3DES (3)
ESP_3DES (3)
IPsec authentication algorithm
HMAC-SHA (2)
HMAC-SHA (2)
HMAC-SHA (2)
NONE (undefined)
AES-XCBC-MAC (9)
Both
45
Procedure:
NUT (EN)
initiator
TN1 (EN)
responder
CREATE, AP_REQ,
Judgment #1
Packet #1
REPLY, AP_REP,
Packet #2
Judgment #2
Part A through E (ADVANCED)
Part
A
B
C
D
E
NULL
TripleDES-CBC
TripleDES-CBC
HMAC-SHA1-96
HMAC-SHA1-96
HMAC-SHA1-96
NONE
AES-XCBC-MAC-96
Packet #1. However Transform-ID in Transform payload and Attribute Value
in Authentication Algorithm Data Attribute must be set according to the
corresponding entry of the table above.
Only for Part B and C, following
Data Attribute must be also additionally included in Transform payload.
And only for Part D, Authentication Algorithm Data Attribute does not appear
in Transform Payload.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
TV (1)
Key Length (6)
128
However
encryption algorithm and authentication algorithm must be set according to
the corresponding entry of the table above.
46
Observable Results:
Part A through E:
Common Observed Packet #1 or 2. However Transform-ID in Transform
payload and Attribute Value in Authentication Algorithm Data Attribute must be
set according to the corresponding entry of the table in the procedure above.
In
addition, Data Attributes in Transform payload can be placed in any order
excepting that SA Life Duration Data Attribute is always follow SA Life Type
Data Attribute.
Only for Part B and C, following Data Attribute must be also
additionally included in Transform payload.
And only for Part D,
Authentication Algorithm Data Attribute must not appear in Transform Payload.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
TV (1)
Key Length (6)
128
ESP described as Common Observed Packet #4. However encryption algorithm
and authentication algorithm must be set according to the corresponding entry of
the table in the procedure above.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
47
TLV (0)
ANY
28,800
48
EN.EN.I.2.2: The shorter LIFE_SECONDS is selected from optimistic proposal
Purpose:
Verify that an initiator uses the shorter lifetime when the responder set lifetime to a
lower value
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
TN1 will respond with 30 seconds SA Life Duration.
Both
Procedure:
49
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
CREATE, AP_REQ,
E{ISAKMP(SA(P(T(LIFE_SECONDSi))), Ni, IDi, IDr)}
Packet #1
REPLY, AP_REP,
E{ISAKMP(SA(P(T(LIFE_SECONDSr))), IDi, IDr)}
Packet #2
Judgment #2
(LIFE_SECONDSr expires)
Packet #3
Judgment #3
No response
Part A: (BASIC)
Packet #1.
However Attribute Value in SA Life Duration Data Attribute
must be set to 30 seconds.
6. After 30 seconds, TN1 transmits ICMPv6 Echo Request encrypted by ESP
described as Common Transmitted Packet #3 with updating ICMPv6
Identifier to one.
Observable Results:
Part A:
50
The NUT must not respond to ICMPv6 Echo Request with ICMPv6 Echo Reply
because SA has negotiated with 30 seconds lifetime and should expire.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
51
TLV (0)
ANY
28,800
EN.EN.I.2.3: The optimistic proposal is selected from multiple transforms
Purpose:
Verify that a node properly processes 2-way handshake when the responder selects
the optimistic proposal from proposed multiple transforms
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
In addition, configure NUT to propose with multiple
Transform payloads as described below.
Transform #
1
2
ESP_3DES (3)
ESP_AES-CBC (12)
Transform #1 will be selected by TN1.
HMAC-SHA (2)
AES-XCBC-MAC (9)
Both
52
Procedure:
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
CREATE, AP_REQ,
E{ISAKMP(SA(P(T1, T2)), Ni, IDi, IDr)}
Packet #1
REPLY, AP_REP,
E{ISAKMP(SA(P(T1)), IDi, IDr)}
Packet #2
Judgment #2
Part A: (ADVANCED)
Packet #1.
Observable Results:
Part A:
Common Observed Packet #1 or 2. However Proposal Payload must be set as
following.
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
53
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
NONE (0)
0
2
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
In addition, Data Attributes in Transform payload can be placed in any order
Data Attribute.
Possible Problems:
54
them.
- If NUT doesn't support cryptographic algorithms required in Transform #2, NUT can
use any other algorithms other than Transform #1.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
55
TLV (0)
ANY
28,800
EN.EN.I.2.4: The non-optimistic proposal is selected from multiple transforms
Purpose:
the non-optimistic proposal from proposed multiple transforms
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Transform #
1
2
ESP_AES-CBC (12)
ESP_3DES (3)
AES-XCBC-MAC (9)
HMAC-SHA (2)
Both
56
Procedure:
NUT (EN)
initiator
Judgment #1
Packet #1
Judgment #2
Packet #2
Judgment #3
TN1 (EN)
responder
CREATE, AP_REQ,
E{ISAKMP(SA(P(T2)), Nr, IDi, IDr)}
ACK, AP_REQ
Part A: (ADVANCED)
Packet #2.
Observable Results:
Part A:
following.
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
57
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
NONE (0)
0
2
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
Data Attribute.
Packet #3.
58
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
59
TLV (0)
ANY
28,800
EN.EN.I.2.5: The optimistic proposal is selected from multiple proposals
Purpose:
the optimistic proposal from proposed multiple proposals
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Proposal #
1
2
Protocol ID
PROTO_IPSEC_ESP (3)
PROTO_IPSEC_AH (2)
Proposal #1 will be selected by TN1.
ESP_3DES (3)
-
HMAC-SHA (2)
AH_SHA (3)
Both
60
Procedure:
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
CREATE, AP_REQ,
E{ISAKMP(SA(P1(T), P2(T)), Ni, IDi, IDr)}
Packet #1
REPLY, AP_REP,
E{ISAKMP(SA(P1(T)), IDi, IDr)}
Packet #2
Judgment #2
Part A: (ADVANCED)
Packet #1.
Observable Results:
Part A:
Common Observed Packet #1 or 2. However Security Association Payload must
be set as following.
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
Ni (10)
0
P (2)
0
1
PROTO_IPSEC_ESP (3)
4
61
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
NONE (0)
0
2
PROTO_IPSEC_AH (2)
4
1
ANY
NONE (0)
0
1
AH_SHA (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
Data Attribute.
62
Possible Problems:
them.
- If NUT doesn't support Protocol ID required in Proposal #2, NUT can use any other
Protocol IDs other than Proposal #1.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
63
TLV (0)
ANY
28,800
EN.EN.I.2.6: The non-optimistic proposal is selected from multiple proposals
Purpose:
the non-optimistic proposal from proposed multiple proposals
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Proposal #
1
2
Protocol ID
PROTO_IPSEC_AH (2)
PROTO_IPSEC_ESP (3)
ESP_3DES (3)
AH_SHA (3)
HMAC-SHA (2)
Both
64
Procedure:
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
CREATE, AP_REQ,
Packet #1
Judgment #2
Packet #2
Judgment #3
E{ISAKMP(SA(P2(T)), Nr, IDi, IDr)}
ACK, AP_REQ
Part A: (ADVANCED)
Packet #2.
Observable Results:
Part A:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Ni (10)
0
P (2)
0
65
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
1
PROTO_IPSEC_AH (2)
4
1
ANY
NONE (0)
0
1
AH_SHA (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
NONE (0)
0
2
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
Data Attribute.
66
Packet #3.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
67
TLV (0)
ANY
28,800
Group 3: Perfect Forward Secrecy
Scope:
The initiator usually begins a negotiation expecting a 2-way handshake, but 3-way
handshake is expected from the beginning when and only when the initiator uses a KE
payload.
The following tests cover 3-way handshake by adding KE payload.
Overview:
KINK specification when the KINK implementation proposes to use the perfect forward
secrecy (PFS).
68
EN.EN.I.3.1: PFS
Purpose:
Verify that an initiator properly processes 3-way handshake when the initiator
requires to use PFS
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration with enabling PFS.
DH group is 1024 MODP Group (2).
Both
Procedure:
69
NUT (EN)
initiator
Judgment #1
Packet #1
Judgment #2
Packet #2
Judgment #3
TN1 (EN)
responder
CREATE, AP_REQ,
E{ISAKMP(SA(P(T)), Ni, KE, IDi, IDr)}
E{ISAKMP(SA(P(T)), Nr, KE, IDi, IDr)}
ACK, AP_REQ
Part A: (ADVANCED)
Packet #2.
However KINK_ISAKMP Payload must be set as following.
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
70
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
KE Payload
Next Payload:
RESERVED:
Payload Length:
Key Exchange Data
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
28,800
TV (1)
Group Description (3)
1024 MODP Group (2)
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
KE (4)
0
IDi (5)
0
DH Group #2 public value
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
Observable Results:
Part A:
Common Observed Packet #1 or 2. However KINK_ISAKMP Payload must be
set as following.
71
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
KE Payload
Next Payload:
RESERVED:
Payload Length:
Key Exchange Data
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
1024 MODP Group (2)
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
KE (4)
0
ANY
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
72
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IPv6-ICMP (58)
ANY (0)
NUT - Link A
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
Data Attributes in Transform payload can be placed in any order excepting that
SA Life Duration Data Attribute is always follow SA Life Type Data Attribute.
Packet #3.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
73
TLV (0)
ANY
28,800
Group 4: Rekeying
Scope:
Unlike IKE, the initiator of KINK exchange has the responsibility for rekeying the SA.
The following tests cover CREATE message flow when the SA lifetime expires.
Overview:
KINK specification when the KINK implementation rekeys SA.
74
EN.EN.I.4.1: Initiating Rekeying
Purpose:
Verify that a node properly processes rekeying
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
75
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
CREATE, AP_REQ,
E{ISAKMP(SA(P(SPIi1, T)), Ni, IDi, IDr)}
Packet #1
REPLY, AP_REP,
E{ISAKMP(SA(P(SPIr1, T)), IDi, IDr)}
Packet #2
IPsec(ESP(SPIi1)){
ICMPv6 Echo Request}
IPsec(ESP(SPIr1)){
ICMPv6 Echo Reply}
Judgment #2
(repeat until initiator’s
soft lifetime expires)
Packet #2
Judgment #2
IPsec(ESP(SPIi1)){
ICMPv6 Echo Request}
IPsec(ESP(SPIr1)){
ICMPv6 Echo Reply}
(Rekeying)
Judgment #3
CREATE, AP_REQ,
Part A: (BASIC)
Packet #1.
6. Repeat Steps 4 and 5 for 30 seconds with the interval value of 1 second.
ICMPv6 Sequence Number should be incremented in each of transmitted
packets.
While transmitting ICMPv6 Echo Request, observe the packets
transmitted by the NUT on Link A.
Observable Results:
Part A:
Common Observed Packet #1 or 2. SPI in Proposal Payload must be updated to
76
establish new SA.
Data Attributes in Transform payload can be placed in any
order excepting that SA Life Duration Data Attribute is always follow SA Life
Type Data Attribute.
ICMPv6 Sequence Number
must be the same value as the value in transmitted ICMPv6 Echo Request by
TN1.
The NUT must newly transmit properly formatted CREATE message described
as Common Observed Packet #1 or 2.
Data Attributes in Transform payload can
be placed in any order excepting that SA Life Duration Data Attribute is always
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
77
TLV (0)
ANY
28,800
Group 5: DELETE Message Flow
Scope:
The DELETE command deletes existing SAs.
The following tests cover the DELETE
message flows when the KINK implementation initiates these exchanges.
Overview:
KINK specification when the KINK implementation initiates DELETE message flows.
There are no tests in this group because initiating DELETE message flow is defined as
untested item in this document.
78
Group 6: Dead Peer Detection
Scope:
The STATUS flow is used to send any information to a peer or to elicit any information
from a peer.
A STATUS command is also used as a means of dead peer detection. The
following tests cover the STATUS message flows when the KINK implementation
initiates these exchanges.
Overview:
KINK specification when the KINK implementation initiates STATUS message flows.
79
EN.EN.I.6.1: Initiating Liveness Check
Purpose:
Verify that a node properly processes a dead peer detection
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
80
Part A: (BASIC)
Packet #1.
6. TR1 responds to ICMPv6 Echo Reply with ICMPv6 Destination Unreachable
Observable Results:
Part A:
81
The NUT must transmit properly formatted STATUS message described as
Common Observed Packet #5.
However XID should be updated from the value
in CREATE transmitted at Step 1.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
82
TLV (0)
ANY
28,800
Group 7: GETTGT Message Flow
Scope:
GETTGT flow is used to retrieve a TGT from the remote peer in User-to-User
authentication mode. The following tests cover the GETTGT message flows when the
KINK implementation initiates these exchanges.
Overview:
KINK specification when the KINK implementation uses User-to-User authentication
mode.
83
EN.EN.I.7.1: Sending GETTGT Message
Purpose:
Verify that an initiator transmits GETTGT message in properly format
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration with enabling User-to-User authentication.
Both
Procedure:
84
Part A: (ADVANCED)
1. NUT starts to negotiate with TN1 by using User-to-User authentication.
Observable Results:
Part A:
The NUT must transmit properly formatted GETTGT message described as
Possible Problems:
- None
85
EN.EN.I.7.2: GETTGT Message Flow
Purpose:
Verify that a node properly retrieve a TGT from the remote peer in User-to-User
authentication mode
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
86
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
GETTGT, TGT_REQ
Packet #1
TN2 (KDC)
REPLY, TGT_REP
(Kerberos specific procedure)
Kerberos (TGS-REQ)
Kerberos (TGS-REP)
Judgment #2
CREATE, AP_REQ,
Packet #2
REPLY, AP_REP,
Packet #3
Judgment #3
Part A: (ADVANCED)
3. TN1 responds to GETTGT with REPLY described as Common Transmitted
Packet #5.
Packet #1.
Observable Results:
Part A:
After the NUT obtains a service ticket for TN1 from TN2, the NUT must transmit
properly formatted CREATE message described as Common Observed Packet #1
87
or 2.
Data Attributes in Transform payload can be placed in any order excepting
that SA Life Duration Data Attribute is always follow SA Life Type Data
Attribute.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
88
TLV (0)
ANY
28,800
EN.EN.I.7.3: Receipt of KINK_TGT_REP against a KINK command with a
User-to-User ticket that cannot be decrypted with its TGT
Purpose:
Verify that a node properly recovers dead user-to-user peer
References:
- [KINK] - Subsection 3.7.1
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
89
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
GETTGT, TGT_REQ
Packet #1
TN2 (KDC)
REPLY, TGT_REP(TGTr1)
Kerberos (TGS-REQ)
Kerberos (TGS-REP)
Judgment #2
CREATE, AP_REQ, E{ISAKMP(SA(P(T)), Ni, IDi, IDr)}
Packet #1
Kerberos (TGS-REQ)
Kerberos (TGS-REP)
Judgment #3
CREATE, AP_REQ,
Part A: (ADVANCED)
Packet #5.
5. TN1 responds to CREATE with REPLY, but the packet format is the same as
REPLY for GETTGT described as Common Transmitted Packet #5.
However
TGT is newly obtained from TN2.
Observable Results:
Part A:
90
or 2.
Attribute.
After the NUT newly obtains a service ticket for TN1 from TN2 again, the NUT
must transmit properly formatted CREATE message described as Common
Observed Packet #1 or 2.
Data Attributes in Transform payload can be placed in
any order excepting that SA Life Duration Data Attribute is always follow SA Life
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
91
TLV (0)
ANY
28,800
Group 8: Retransmission
Scope:
KINK implementation must retransmit the request using timer T when this message
expects a response.
The following tests cover the retransmission mechanism.
Overview:
KINK specification when the KINK implementation retransmits KINK messages.
92
EN.EN.I.8.1: Retransmission of CREATE
Purpose:
Verify that a node properly retransmit CREATE message
References:
- [KINK] – Chapter 9
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
93
Part A: (BASIC)
3. After NUT transmits CREATE, observe the packets transmitted by the NUT
on Link A until the timer T expires.
Observable Results:
Part A:
The NUT must retransmit properly formatted CREATE message described as
Possible Problems:
them.
described as below.
94
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
- A timer T may be implemented with implementation's local policy. The tester must
consider the timer T configurable parameter.
95
EN.EN.I.8.2: Stop the retransmission of CREATE
Purpose:
Verify that a node properly stops the retransmission of CREATE message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
96
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
CREATE(XIDi1), AP_REQ(AP-REQ1),
(T expires)
(Retransmission)
Judgment #2
Packet #1
REPLY(XIDi), AP_REP,
(T*2 expires)
Judgment #3
No response
Part A: (BASIC)
3. After NUT transmits first CREATE, observe the packets transmitted by the
NUT on Link A until the timer T expires.
4. TN1 responds to second CREATE with REPLY described as Common
Transmitted Packet #1.
5. Observe the packets transmitted by the NUT on Link A until doubled T
expires.
Observable Results:
Part A:
97
The NUT never retransmit CREATE message because message exchange had
been completed at Step 5.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
98
EN.EN.I.8.3: Responding to retransmitted REPLY with the ACKREQ bit set
Purpose:
Verify that a node properly retransmit REPLY message
References:
- [KINK] - Chapter 9
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
99
Part A: (BASIC)
Packet #2.
5. After observing ACK, TN1 transmits REPLY described as Common
Transmitted Packet #2 again.
Observable Results:
Part A:
Packet #3.
Packet #3 again.
100
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
101
EN.EN.I.8.4: Retransmission of STATUS
Purpose:
Verify that a node properly retransmit STATUS message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
102
Part A: (BASIC)
Packet #1.
8. After NUT transmits STATUS, observe the packets transmitted by the NUT
Observable Results:
Part A:
103
The NUT must retransmit properly formatted STATUS message described as
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
104
EN.EN.I.8.5: Stop the retransmission of STATUS
Purpose:
Verify that a node properly stops the retransmission of STATUS message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
105
TR1 (Router)
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
CREATE(XIDi1), AP_REQ,
Packet #1
REPLY(XIDi1), AP_REP,
Packet #2
Judgment #2
Packet #3
Judgment #3
ICMPv6 Destination Unreachable
(Address unreachable)
STATUS(XIDi2), AP_REQ(AP-REQ1)
(T expires)
(Retransmission)
Judgment #4
Packet #4
REPLY(XIDi2), AP_REP
(T*2 expires)
Judgment #5
No response
Part A: (BASIC)
Packet #1.
8. After NUT transmits first STATUS, observe the packets transmitted by the
9. TN1 responds to second STATUS with REPLY described as Common
expires.
106
Observable Results:
Part A:
The NUT never retransmit STATUS message because message exchange had
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
107
108
EN.EN.I.8.6: Retransmission of GETTGT
Purpose:
Verify that a node properly retransmit GETTGT message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
GETTGT, TGT_REQ
(T expires)
(Retransmission)
Judgment #2
GETTGT, TGT_REQ
109
Part A: (ADVANCED)
3. After NUT transmits GETTGT, observe the packets transmitted by the NUT
Observable Results:
Part A:
The NUT must retransmit properly formatted GETTGT message described as
Possible Problems:
110
EN.EN.I.8.7: Stop the retransmission of GETTGT
Purpose:
Verify that a node properly stops the retransmission of GETTGT message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
111
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
GETTGT, TGT_REQ
(T expires)
(Retransmission)
Judgment #2
Packet #1
GETTGT, TGT_REQ
REPLY, TGT_REP
(T*2 expires)
Judgment #3
No response
Part A: (ADVANCED)
3. After NUT transmits first GETTGT, observe the packets transmitted by the
4. TN1 responds to second GETTGT with REPLY described as Common
expires.
Observable Results:
Part A:
The NUT never retransmit GETTGT message because message exchange had
Possible Problems:
112
113
EN.EN.I.8.8: Restart a new transaction by receipt of
KRB_AP_ERR_TKT_EXPIRED
Purpose:
Verify that a node properly starts a new transaction with a new ticket when the node
receives the error indicating ticket expired
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
114
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
Packet #1
REPLY, KRB_ERROR(KRB_AP_ERR_TKT_EXPIRED)
TN2 (KDC)
Kerberos (TGS-REQ)
Kerberos (TGS-REP)
Judgment #2
Part A: (BASIC)
3. TN1 responds to CREATE with KRB_ERROR described as following.
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_KRB_ERROR (3)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_KRB_ERROR Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
KRB-ERROR:
raw Kerberos KRB-ERROR
indicating KRB_AP_ERR_TKT_EXPIRED
115
Observable Results:
Part A:
After the NUT obtains a service ticket for TN1 from TN2, The NUT must newly
transmit properly formatted CREATE message described as Common Observed
Packet #1 or 2.
Data Attributes in Transform payload can be placed in any order
Data Attribute.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
116
Group 9: Message Validation
Scope:
The following tests cover the message validation.
Overview:
KINK specification when the KINK implementation processes of suspicious messages.
117
EN.EN.I.9.1: Responding to KINK_ERROR with the ACKREQ bit set
Purpose:
Verify that a node properly responds to an error message that the ACKREQ bit is set
with ACK message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
118
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
CREATE, AP_REQ,
Packet #1
Judgment #2
REPLY(ACKREQ), ERROR(KINK_INTERR)
ACK, AP_REQ
Part A: (BASIC)
3. TN1 responds to CREATE with REPLY described as following.
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_ERROR (8)
ACKREQ:
true (1)
RESERVED2:
0
CksumLen:
0
KINK_ ERROR Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
ErrorCode:
KINK_INTERR (5)
Observable Results:
Part A:
119
Packet #3.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
120
EN.EN.I.9.2: Receipt of REPLY with non-zero value in reserved field
Purpose:
Verify that a node properly ignores reserved field in REPLY message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
121
Part A: (BASIC)
Packet #1. However Reserved Field in CREATE message must be set as
following.
KINK
RESRVED:
0xf
RESERVED2:
0x7f
KINK_AP_REP Payload
RESERVED:
0xff
RESERVED:
0xff
RESERVED2:
0xffffff
KINK_ISAKMP Payload
RESERVED: 0xff
RESERVED: 0xffff
Observable Results:
Part A:
122
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
123
EN.EN.I.9.3: Receipt of unencrypted REPLY
Purpose:
Verify that a node properly processes REPLY message which doesn't encrypted by
KINK_ENCRYPT payload
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
124
NUT (EN)
initiator
Judgment #1
TN1 (EN)
responder
CREATE, AP_REQ,
Packet #1
REPLY, AP_REP, ISAKMP(SA(P(T)), IDi, IDr)
Packet #2
Judgment #2
Part A: (BASIC)
Packet #1.
However KINK_ENCRYPT Payload must not appear as described
as following.
KINK
KINK_AP_REP Payload
KINK_ISAKMP Payload
SA Payload
P Payload
T Payload
Data Attribute
Data Attribute
Data Attribute
Data Attribute
IDi Payload
IDr Payload
Observable Results:
Part A:
125
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
126
EN.EN.I.9.4: Receipt of authenticated KRB_AP_ERR_SKEW
Purpose:
Verify that a node properly adjust clock by the receipt of protected
KRB_AP_ERR_SKEW
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
127
Part A: (BASIC)
1. Set the clock forward 6 minutes on TN1.
The
shaded region in the figure is encrypted by Kerberos encrypt function with
Key Usage Number 39 (KINK_ENCRYPT payload).
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_AP_REP (2)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REP Payload
Next Payload:
KINK_ENCRYPT (7)
RESERVED:
0
Payload Length:
EPOCH:
AP-REP:
Next Payload:
KINK_DONE (0)
RESERVED:
0
Payload Length:
128
InnerNextPload:
KINK_KRB_ERROR (3)
RESERVED2:
0
Next Payload:
KINK_DONE (0)
RESERVED:
0
KRB-ERROR:
indicating KRB_AP_ERR_SKEW
Cksum:
5. NUT starts to negotiate with TN1 by sending CREATE message again.
Observable Results:
Part A:
The NUT adjusts system clock to the time noticed by KRB-ERROR message.
And the NUT must newly transmit properly formatted CREATE message
described as Common Observed Packet #1 or 2. EPOCH in KINK_AP_REQ
Payload must be computed with the newly updated system clock.
Data
Attributes in Transform payload can be placed in any order excepting that SA
Life Duration Data Attribute is always follow SA Life Type Data Attribute.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
129
130
EN.EN.I.9.5: Receipt of unauthenticated KRB_AP_ERR_SKEW
Purpose:
Verify that a node properly does not adjust clock by the receipt of unprotected
KRB_AP_ERR_SKEW
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
131
NUT (EN)
initiator
TN1 (EN)
responder
(push TN’s clock forward 6 minutes)
Judgment #1
Packet #1
CREATE, AP_REQ(EPOCHi1),
REPLY, AP_REP,
E{KRB_ERROR(KRB_AP_ERR_SKEW)}
(Reinitiating)
Judgment #2
Part A: (BASIC)
The
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_AP_REP (2)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REP Payload
Next Payload:
KINK_ENCRYPT (7)
RESERVED:
0
Payload Length:
EPOCH:
AP-REP:
Next Payload:
KINK_DONE (0)
RESERVED:
0
132
Payload Length:
InnerNextPload:
KINK_KRB_ERROR (3)
RESERVED2:
0
Next Payload:
KINK_DONE (0)
RESERVED:
0
KRB-ERROR:
Observable Results:
Part A:
The NUT never adjusts system clock to the time noticed by KRB-ERROR
message.
And the NUT must newly transmit properly formatted CREATE
message described as Common Observed Packet #1 or 2, but EPOCH in
KINK_AP_REQ Payload is still computed without updating the system clock.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
133
134
Subsection 1.1.2: Responder
Scope:
The following tests
cover KINK exchanges when the KINK implementation responds to these exchanges.
Overview:
Default Packets:
Common Transmitted Packet #1: CREATE
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
kink (910)
kink (910)
CREATE (1)
1
0
0
KINK_AP_REQ (1)
false (0)
0
KINK_ENCRYPT (7)
0
135
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
IDr Payload
136
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
Cksum:
payload).
Common Transmitted Packet #2: ACK
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
ACK (5)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
0
NextPayload:
KINK_AP_REQ (1)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REQ Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REQ:
Cksum:
IPv6
Next Header:
Source Address:
ESP
SPI:
Sequence Number:
ESP (50)
TN1 - Link X
(Prefix X::1)
NUT - Link A
proposed by REPLY from NUT
1
137
IV:
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Request (128)
0
ICMPv6 checksum
0
0
ANY
IPv6-ICMP (58)
Common Transmitted Packet #4: DELETE
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
D Payload
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
kink (910)
kink (910)
DELETE (2)
1
0
1
KINK_AP_REQ (1)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
D (12)
1
0
0
138
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-Id:
SPI Size:
# of SPIs
SPI #1
Cksum:
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
1
payload).
Common Transmitted Packet #5: STATUS
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
STATUS (6)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
1
NextPayload:
KINK_AP_REQ (1)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REQ Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REQ:
Cksum:
Common Transmitted Packet #6: GETTGT
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
kink (910)
kink (910)
139
Type:
ACK (5)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
0
NextPayload:
KINK_TGT_REQ (4)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
Next Payload:
KINK_DONE (0)
RESERVED:
0
PrincName:
kink/nut.example.com@EXAMPLE.COM
Cksum:
IPv6
Next Header:
Source Address:
ICMPv6
Type:
Code:
Checksum:
Unused:
Data:
IPv6-ICMP (58)
TR1 - Link X
(Prefix X::f)
NUT - Link A
ICMPv6 checksum
0
Common Observed Packet #1: REPLY for CREATE
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
kink (910)
kink (910)
REPLY (3)
1
0
the actual length of this message
0
KINK_AP_REP (2)
140
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
141
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDr (5)
0
Payload Length:
ID Type:
Protocol ID:
Port:
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
Cksum:
Common Observed Packet #2: unencrypted REPLY for CREATE
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
false (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
142
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
Cksum:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
Common Observed Packet #3: REPLY with Nr for CREATE
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
143
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
144
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
true (1)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
Cksum:
Common Observed Packet #4: unencrypted REPLY with Nr for CREATE
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
true (1)
0
KINK_ISAKMP (6)
0
145
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
146
Cksum:
NUT - Link A
IPv6
Next Header:
Source Address:
ESP
SPI:
Sequence Number:
IV:
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
ESP (50)
NUT - Link A
TN1 - Link X
(Prefix X::1)
0x10000000
ANY
ANY
Echo Reply (129)
0
ICMPv6 checksum
0
0
ANY
IPv6-ICMP (58)
Common Observed Packet #6: REPLY for DELETE
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
147
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
D Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-Id:
SPI Size:
# of SPIs
SPI #1
Cksum:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
D (12)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
1
Common Observed Packet #7: unencrypted REPLY for DELETE
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
148
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
D Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-Id:
SPI Size:
# of SPIs
SPI #1
Cksum:
KINK_DONE (0)
0
D (12)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
1
Common Observed Packet #8: REPLY for STATUS
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
0
NextPayload:
KINK_AP_REP (2)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REP Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REP:
Cksum:
Common Observed Packet #9: REPLY for GETTGT
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
149
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
0
NextPayload:
KINK_TGT_REP (5)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
Next Payload:
KINK_DONE (0)
RESERVED:
0
TGT:
Cksum:
150
Scope:
The following tests
exchanges.
Overview:
KINK specification when the KINK implementation responds to CREATE message
flows.
151
EN.EN.R.1.1: Receipt of CREATE Message
Purpose:
Verify that an initiator processes CREATE message in properly format
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
TN1 must obtain NUT's
Procedure:
152
Part A: (BASIC)
1. TN1 transmits CREATE message described as Common Transmitted Packet
#1.
Observable Results:
Part A:
The NUT must transmit properly formatted REPLY message described as
Common Observed Packet #1, 2, 3 or 4.
Data Attributes in Transform payload
can be placed in any order excepting that SA Life Duration Data Attribute is
always follow SA Life Type Data Attribute.
Possible Problems:
them.
described as below.
153
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
154
EN.EN.R.1.2: CREATE Message Flow
Purpose:
Verify that a responder properly establish SA by CREATE message flow
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
155
Part A: (BASIC)
#1.
3. If REPLY from NUT includes Nonce Payload and ACKREQ bit is set, TN1
responds to REPLY with ACK described as Common Transmitted Packet #2.
4. TN1 transmits ICMPv6 Echo Request encrypted by ESP described as
Common Transmitted Packet #3.
Observable Results:
Part A:
156
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
157
Scope:
The initiator
Overview:
158
EN.EN.R.2.1: Cryptographic Algorithm Negotiation
Purpose:
Verify that a responder properly establish SA with the specific cryptographic
algorithms
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Part
A
B
C
D
E
ESP_NULL (11)
ESP_3DES (3)
ESP_3DES (3)
HMAC-SHA (2)
HMAC-SHA (2)
HMAC-SHA (2)
NONE (undefined)
AES-XCBC-MAC (9)
Both
159
Procedure:
Part
A
B
C
D
E
NULL
TripleDES-CBC
TripleDES-CBC
HMAC-SHA1-96
HMAC-SHA1-96
HMAC-SHA1-96
NONE
AES-XCBC-MAC-96
#1.
However Transform-ID in Transform payload and Attribute Value in
Authentication Algorithm Data Attribute must be set according to the
160
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
TV (1)
Key Length (6)
128
Common Transmitted Packet #3. However encryption algorithm and
authentication algorithm must be set according to the corresponding entry of
the table above.
Observable Results:
Part A through E:
However Transform-ID in Transform
In
Data Attribute.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
TV (1)
Key Length (6)
128
ESP described as Common Observed Packet #5. However encryption algorithm
and authentication algorithm must be set according to the corresponding entry of
the table in the procedure above.
161
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
162
EN.EN.R.2.2: The shorter LIFE_SECONDS is proposed
Purpose:
Verify that a responder properly processes CREATE message when the initiator
proposes lower lifetime than the responder's lifetime
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
TN1 will propose with 30 seconds SA Life Duration.
Both
Procedure:
163
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
CREATE, AP_REQ,
(optimistic proposal, but Nr was added by the responder)
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Judgment #1
TN1 (EN)
initiator
Judgment #1
REPLY, AP_REP,
E{ISAKMP(SA(P(T(LIFE_SECONDSi))),
IDi, IDr)}
Nr, IDi, IDr)}
(IPsec DOI-specific error)
NUT (EN)
responder
Judgment #1
TN1 (EN)
initiator
REPLY, AP_REP,
E{ISAKMP(N(NO-PROPOSAL-CHOSEN))}
Part A: (BASIC)
#1.
However Attribute Value in SA Life Duration Data Attribute must be set
to 30 seconds.
Observable Results:
Part A:
Common Observed Packet #1, 2, 3, 4 or the packets described below.
If the
packet transmitted by NUT is REPLY, Attribute Value in SA Life Duration Data
Attribute must be set to 30 seconds.
In addition, Data Attributes in Transform
164
payload can be placed in any order excepting that SA Life Duration Data
Attribute is always follow SA Life Type Data Attribute.
NO-PROPOSAL-CHOSEN
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notify Message Type:
Notification Data:
Cksum:
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
NO-PROPOSAL-CHOSEN (14)
ANY
165
unencrypted NO-PROPOSAL-CHOSEN
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
Possible Problems:
them.
described as below.
166
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
167
EN.EN.R.2.3: Selecting the optimistic proposal from multiple transforms
Purpose:
Verify that a node properly chooses optimistic proposal from proposed multiple
transforms
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
TN1 will propose multiple Transform payloads as described
Transform #1 will be selected by NUT.
Transform #
1
2
ESP_3DES (3)
ESP_AES-CBC (12)
HMAC-SHA (2)
AES-XCBC-MAC (9)
Both
168
Procedure:
Part A: (BASIC)
#1.
However Proposal Payload must be set as following.
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
1
ESP_3DES (3)
169
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
NONE (0)
0
2
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
Observable Results:
Part A:
170
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
171
EN.EN.R.2.4: Selecting the non-optimistic proposal from multiple transforms
Purpose:
Verify that a node properly chooses non-optimistic proposal from proposed multiple
transforms
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Transform #
1
2
ESP_AES-CBC (12)
ESP_3DES (3)
AES-XCBC-MAC (9)
HMAC-SHA (2)
Both
172
Procedure:
NUT (EN)
responder
Packet #1
Judgment #1
TN1 (EN)
initiator
CREATE, AP_REQ,
Packet #2
ACK, AP_REQ
Packet #3
Judgment #2
Part A: (BASIC)
#1.
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
173
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
128
NONE (0)
0
2
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
3. TN1 responds to REPLY with ACK described as Common Transmitted Packet
#2.
Observable Results:
Part A:
Possible Problems:
174
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
175
EN.EN.R.2.5: Selecting the optimistic proposal from multiple proposals
Purpose:
proposals
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Proposal #
1
2
TN1 will propose multiple Proposal payloads as described
Proposal #1 will be selected by NUT.
Protocol ID
PROTO_IPSEC_ESP (3)
PROTO_IPSEC_AH (2)
ESP_3DES (3)
-
HMAC-SHA (2)
AH_SHA (3)
Both
176
Procedure:
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
CREATE, AP_REQ,
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Judgment #1
TN1 (EN)
initiator
Judgment #1
REPLY, AP_REP,
Packet #2
ACK, AP_REQ
NUT (EN)
responder
Packet #3
TN1 (EN)
initiator
Judgment #2
Part A: (BASIC)
#1.
However Security Association Payload must be set as following.
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
Ni (10)
0
P (2)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
177
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
NONE (0)
0
2
PROTO_IPSEC_AH (2)
4
1
ANY
NONE (0)
0
1
AH_SHA (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
178
Observable Results:
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
179
EN.EN.R.2.6: Selecting the non-optimistic proposal from multiple proposals
Purpose:
proposals
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Proposal #
1
2
Protocol ID
PROTO_IPSEC_AH (2)
PROTO_IPSEC_ESP (3)
ESP_3DES (3)
AH_SHA (3)
HMAC-SHA (2)
Both
180
Procedure:
NUT (EN)
responder
Packet #1
Judgment #1
TN1 (EN)
initiator
CREATE, AP_REQ,
Packet #2
ACK, AP_REQ
Packet #3
Judgment #2
Part A: (BASIC)
#1.
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Ni (10)
0
P (2)
0
1
PROTO_IPSEC_AH (2)
4
1
ANY
NONE (0)
0
1
AH_SHA (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
181
Attribute Format:
Attribute Type:
Attribute Value:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
TV (1)
HMAC-SHA (2)
NONE (0)
0
2
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
#2.
Observable Results:
Part A:
182
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
183
EN.EN.R.2.7: Responding to multiple KINK_ISAKMP by optimistic keying
Purpose:
KINK_ISAKMP payloads
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
However, multiple SPD entries are needed to configure on
NUT for both inbound and outbound direction as described below.
SPD #
1
2
Remote IP Address
TN1 - Link X
(Prefix X::1)
TN1 - Link X
(Prefix X::1)
Local IP Address
NUT - Link A
NUT - Link A
Next Layer Protocol
IPv6-ICMP (58)
TCP (6)
For both SPD #1 and #2, IPsec configuration described in Default NUT (EN)
Configuration will be proposed by TN1.
184
Both
Procedure:
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
CREATE, AP_REQ,
E{ISAKMP1(SA(P(T)), Ni, IDi, IDr),
ISAKMP2(SA(P(T)), Ni, IDi, IDr)}
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Judgment #1
Judgment #1
E{ISAKMP1(SA(P(T)), Nr, IDi, IDr),
ISAKMP2(SA(P(T)), Nr, IDi, IDr)}
REPLY, AP_REP,
E{ISAKMP1(SA(P(T)), IDi, IDr),
ISAKMP2(SA(P(T)), IDi, IDr)}
Packet #2
ACK, AP_REQ
NUT (EN)
responder
Packet #3
Judgment #2
Packet #4
Judgment #3
TN1 (EN)
initiator
IPsec(ESP1){ICMPv6 Echo Request}
IPsec(ESP1){ICMPv6 Echo Reply}
IPsec(ESP2){TCP(SYN)}
IPsec(ESP2){TCP(SYN, ACK) or TCP(RST, ACK)}
Part A: (BASIC)
#1.
However KINK_ENCRYPT Payload must be set as following.
The
shaded region in this packet is encrypted by Kerberos encrypt function with
185
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_ISAKMP (6)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
186
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x20000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
187
Payload Length:
ID Type:
Protocol ID:
Port:
ID_IPV6_ADDR (5)
TCP (6)
ANY (0)
TN1 - Link X
(Prefix X::1)
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
ID_IPV6_ADDR (5)
TCP (6)
ANY (0)
NUT - Link A
SPI must be set to the value proposed in
the first KINK_ISAKMP Payload of REPLY.
6. TN1 transmits TCP packet by ESP described as described below. The shaded
region in this packet is encrypted by TripleDES in CBC mode using calculated
KEYMAT.
IPv6
Next Header:
Source Address:
ESP
SPI:
Sequence Number:
IV:
TCP
Source Port:
Destination Port:
Sequence Number:
Acknowledgment Number:
Data Offset:
Reserved:
URG:
ACK:
PSH:
RST:
SYN:
FIN:
Window:
Checksum:
Urgent Pointer:
Padding:
ESP (50)
TN1 - Link X
(Prefix X::1)
NUT - Link A
proposed by second KINK_ISAKMP Payload
in REPLY from NUT
1
0x1000
0x1000
0
0
5
0
false (0)
false (0)
false (0)
false (0)
true (1)
false (0)
0xffff
TCP checksum
0
ANY
188
Pad Length:
Next Header:
ICV:
TCP (6)
Observable Results:
Part A:
However the NUT includes two
KINK_ISAKMP Payloads as following.
KINK_ISAKMP Payload for Common Observed Packet #1 and 2
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
KINK_ISAKMP (6)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
189
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
190
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
TV (1)
HMAC-SHA (2)
IDr (5)
0
ID_IPV6_ADDR (5)
TCP (6)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
TCP (6)
ANY (0)
NUT - Link A
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
KINK_ISAKMP (6)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
191
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
192
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
TCP (6)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
TCP (6)
ANY (0)
NUT - Link A
The NUT must transmit properly formatted TCP packet encrypted by ESP.
If
the NUT provides a service on port 0x1000, the NUT respond with the packet
described as following.
IPv6
Next Header:
Source Address:
ESP (50)
NUT - Link A
TN1 - Link X
(Prefix X::1)
ESP
SPI:
Sequence Number:
0x20000000
1
193
IV:
TCP
Source Port:
Destination Port:
Sequence Number:
Data Offset:
Reserved:
URG:
ACK:
PSH:
RST:
SYN:
FIN:
Window:
Checksum:
Urgent Pointer:
Padding:
Pad Length:
Next Header:
ICV:
0x1000
0x1000
ANY
1
5
0
false (0)
true (1)
false (0)
false (0)
true (1)
false (0)
ANY
TCP checksum
0
ANY
TCP (6)
Otherwise, the NUT respond with the packet described as following.
IPv6
Next Header:
Source Address:
ESP (50)
NUT - Link A
TN1 - Link X
(Prefix X::1)
ESP
SPI:
Sequence Number:
IV:
TCP
Source Port:
Destination Port:
Sequence Number:
Data Offset:
Reserved:
URG:
ACK:
PSH:
RST:
SYN:
FIN:
Window:
Checksum:
Urgent Pointer:
Padding:
Pad Length:
Next Header:
ICV:
0x20000000
ANY
ANY
0x1000
0x1000
ANY
1
5
0
false (0)
true (1)
false (0)
true (1)
false (0)
false (0)
ANY
TCP checksum
0
ANY
TCP (6)
Possible Problems:
194
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
- An implementation may add TCP options to SYN-ACK or RST-ACK packet.
- An implementation may want to contribute the keying materials by adding Nr
Payload to only one KINK_ISAKMP. Payload.
195
EN.EN.R.2.8: Responding to multiple KINK_ISAKMP by non-optimistic keying
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
SPD #
1
2
Remote IP Address
TN1 - Link X
(Prefix X::1)
TN1 - Link X
(Prefix X::1)
Local IP Address
NUT - Link A
NUT - Link A
Next Layer Protocol
IPv6-ICMP (58)
TCP (6)
For SPD #1, IPsec configuration described in Default NUT (EN) Configuration
will be proposed by TN1.
However, for SPD #2, multiple Transform payloads
described below are proposed by TN1. Transform #2 will be selected by NUT.
Transform #
1
ESP_AES-CBC (12)
196
AES-XCBC-MAC (9)
2
ESP_3DES (3)
HMAC-SHA (2)
Both
Procedure:
NUT (EN)
responder
TN1 (EN)
initiator
Packet #1
Judgment #1
CREATE, AP_REQ,
ISAKMP2(SA(P(T1, T2)), Ni, IDi, IDr)}
ISAKMP2(SA(P(T2)), Nr, IDi, IDr)}
Packet #2
ACK, AP_REQ
Packet #3
IPsec(ESP1){ICMPv6 Echo Request}
Judgment #2
Packet #4
Judgment #3
IPsec(ESP1){ICMPv6 Echo Reply}
IPsec(ESP2){TCP(SYN)}
IPsec(ESP2){TCP(SYN, ACK) or TCP(RST, ACK)}
Part A: (BASIC)
#1.
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_ISAKMP (6)
0
SA (1)
1
0
0
197
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
KINK_DONE (0)
0
SA (1)
1
198
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
0x20000000
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
NONE (0)
0
2
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
199
Attribute Format:
Attribute Type:
Attribute Value:
TV (1)
HMAC-SHA (2)
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
TCP (6)
ANY (0)
TN1 - Link X
(Prefix X::1)
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
ID_IPV6_ADDR (5)
TCP (6)
ANY (0)
NUT - Link A
#2.
6. TN1 transmits TCP packet by ESP described as described below. The shaded
region in this packet is encrypted by TripleDES in CBC mode using calculated
KEYMAT.
IPv6
Next Header:
Source Address:
ESP
SPI:
Sequence Number:
IV:
TCP
Source Port:
Destination Port:
Sequence Number:
Data Offset:
ESP (50)
TN1 - Link X
(Prefix X::1)
NUT - Link A
proposed by second KINK_ISAKMP Payload
in REPLY from NUT
1
0x1000
0x1000
0
0
5
200
Reserved:
URG:
ACK:
PSH:
RST:
SYN:
FIN:
Window:
Checksum:
Urgent Pointer:
Padding:
Pad Length:
Next Header:
ICV:
0
false (0)
false (0)
false (0)
false (0)
true (1)
false (0)
0xffff
TCP checksum
0
ANY
TCP (6)
Observable Results:
Part A:
Common Observed Packet #3 or 4. However the NUT includes two
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
KINK_ISAKMP (6)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
201
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
202
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
TCP (6)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
TCP (6)
ANY (0)
NUT - Link A
The NUT must transmit properly formatted TCP packet encrypted by ESP.
If
the NUT provides a service on port 0x1000, the NUT respond with the packet
described as following.
IPv6
Next Header:
Source Address:
ESP (50)
NUT - Link A
TN1 - Link X
(Prefix X::1)
ESP
SPI:
Sequence Number:
IV:
0x20000000
ANY
ANY
203
TCP
Source Port:
Destination Port:
Sequence Number:
Data Offset:
Reserved:
URG:
ACK:
PSH:
RST:
SYN:
FIN:
Window:
Checksum:
Urgent Pointer:
Padding:
Pad Length:
Next Header:
ICV:
0x1000
0x1000
0
1
5
0
false (0)
true (1)
false (0)
false (0)
true (1)
false (0)
ANY
TCP checksum
0
ANY
TCP (6)
Otherwise, the NUT respond with the packet described as following.
IPv6
Next Header:
Source Address:
ESP (50)
NUT - Link A
TN1 - Link X
(Prefix X::1)
ESP
SPI:
Sequence Number:
IV:
TCP
Source Port:
Destination Port:
Sequence Number:
Data Offset:
Reserved:
URG:
ACK:
PSH:
RST:
SYN:
FIN:
Window:
Checksum:
Urgent Pointer:
Padding:
Pad Length:
Next Header:
ICV:
0x20000000
ANY
ANY
0x1000
0x1000
0
1
5
0
false (0)
true (1)
false (0)
true (1)
false (0)
false (0)
ANY
TCP checksum
0
ANY
TCP (6)
Possible Problems:
204
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
- An implementation may add TCP options to SYN-ACK or RST-ACK packet.
Payload also to optimistic proposal represented as first KINK_ISAKMP Payload.
205
EN.EN.R.2.9: Sending NO-PROPOSAL-CHOSEN
Purpose:
Verify that a node properly rejects the proposal which is not accepted by the
responder
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
TN1 will propose following Transform payload and NUT will
reject it by sending NO-PROPOSAL-CHOSEN.
ESP_AES-CBC (12)
AES-XCBC-MAC (9)
Both
Procedure:
206
Part A: (BASIC)
#1.
However Transform Payload must be set as following.
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
Observable Results:
Part A:
The NUT must respond to CREATE with properly formatted IPsec DOI-specific
error described as following.
207
NO-PROPOSAL-CHOSEN
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
208
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
TLV (0)
ANY
209
Attribute Value:
28,800
210
Scope:
payload.
Overview:
KINK specification when the KINK implementation chooses to use the perfect forward
secrecy (PFS).
211
EN.EN.R.3.1: PFS
Purpose:
Verify that a responder properly processes 3-way handshake when the initiator
requires to use PFS
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
212
NUT (EN)
responder
Packet #1
Judgment #1
TN1 (EN)
initiator
CREATE, AP_REQ,
Packet #2
ACK, AP_REQ
Packet #3
Judgment #2
Part A: (ADVANCED)
#1.
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
213
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
KE Payload
Next Payload:
RESERVED:
Payload Length:
Key Exchange Data
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
TV (1)
1024 MODP Group (2)
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
KE (4)
0
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
#2.
Observable Results:
Part A:
set as following.
214
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
KE Payload
Next Payload:
RESERVED:
Payload Length:
Key Exchange Data
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
1024 MODP Group (2)
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
KE (4)
0
ANY
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
215
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
216
EN.EN.R.3.2: Sending INVALID-PAYLOAD-TYPE against the receipt of KE
Purpose:
Verify that a responder properly rejects to use PFS when the responder doesn't
support PFS
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
217
NUT (EN)
responder
Packet #1
Judgment #1
TN1 (EN)
initiator
CREATE, AP_REQ,
REPLY, AP_REP,
E{ISAKMP(N(INVALID-PAYLOAD-TYPE))}
Part A: (BASIC)
#1.
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
1024 MODP Group (2)
TV (1)
Transport (2)
218
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
KE Payload
Next Payload:
RESERVED:
Payload Length:
Key Exchange Data
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
TV (1)
HMAC-SHA (2)
KE (4)
0
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
Observable Results:
Part A:
INVALID-PAYLOAD-TYPE
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
219
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
1
KINK_AP_REP (2)
false (0)
0
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
INVALID-PAYLOAD-TYPE (1)
ANY
unencrypted INVALID-PAYLOAD-TYPE
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
220
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
0
KINK_ENCRYPT (7)
0
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
221
Group 4: Rekeying
Scope:
Overview:
KINK specification when the KINK implementation responds to rekeying SA.
222
EN.EN.R.4.1: Responding to Rekeying
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
223
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
Packet #1
CREATE(XID=0), AP_REQ,
Judgment #1
Judgment #1
REPLY(XID=0, ACKREQ), AP_REP,
E{ISAKMP(SA(P(SPIr1, T)), Nr, IDi, IDr)}
REPLY(XID=0), AP_REP,
Packet #2
ACK(XID=0), AP_REQ
NUT (EN)
responder
Packet #3
Judgment #2
TN1 (EN)
initiator
IPsec(ESP(SPIr1)){ICMPv6 Echo Request}
IPsec(ESP(SPIi1)){ICMPv6 Echo Reply}
(Rekeying)
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Packet #4
TN1 (EN)
initiator
Packet #4
Judgment #3
Judgment #3
Packet #5
ACK(XID=1), AP_REQ
NUT (EN)
responder
Packet #6
Judgment #4
TN1 (EN)
initiator
224
Part A: (BASIC)
#1.
#1 with updating SPI value to 0x20000000.
XID is updated to one.
ICMPv6 Identifier is set to one.
Observable Results:
Part A:
The NUT must newly transmit properly formatted REPLY message described as
XID must be 1. Data Attributes in
Transform payload can be placed in any order excepting that SA Life Duration
Data Attribute is always follow SA Life Type Data Attribute.
225
ESP described as Common Observed Packet #5 with updating SPI value to
0x20000000.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
226
EN.EN.R.4.2: Receipt of transaction ID constructed by using a non monotonic
counter
Purpose:
Verify that a node properly processes the transaction ID
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
227
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=65535), AP_REQ
NUT (EN)
responder
Packet #3
Judgment #2
TN1 (EN)
initiator
(Rekeying)
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Packet #4
TN1 (EN)
initiator
Packet #4
Judgment #3
Judgment #3
Packet #5
ACK(XID=255), AP_REQ
NUT (EN)
responder
Packet #6
Judgment #4
TN1 (EN)
initiator
228
Part A: (BASIC)
#1.
However XID is set to 65535.
XID is updated to 255.
Observable Results:
Part A:
XID must be 65535.
Data Attributes in
XID must be 255.
Data Attributes in
229
ESP described as Common Observed Packet #5 with updating SPI value to
0x20000000.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
230
EN.EN.R.4.3: Responding to CREATE with INVALID-SPI
Purpose:
Verify that a node properly rejects CREATE message containing an existing SPI
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
231
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
Packet #1
E{ISAKMP1(SA(P(SPIi1, T)), Ni, IDi, IDr)}
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
NUT (EN)
responder
Packet #3
Judgment #2
TN1 (EN)
initiator
IPsec(ESP1(SPIr1)){ICMPv6 Echo Request}
IPsec(ESP1(SPIi1)){ICMPv6 Echo Reply}
(Rekeying)
Packet #4
Judgment #3
REPLY(XID=1), AP_REP, E{ISAKMP(N(INVALID-SPI))}
Part A: (BASIC)
#1.
#1 again.
Observable Results:
232
Part A:
INVALID-SPI
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
N (11)
1
233
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
SPI
Notification Data:
Cksum:
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
INVALID-SPI (11)
0x10000000
ANY
unencrypted INVALID-SPI
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
234
SPI
Notification Data:
Cksum:
INVALID-SPI (11)
0x10000000
ANY
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
235
Scope:
message flows when the KINK implementation responds to these exchanges.
Overview:
KINK specification when the KINK implementation responds to DELETE message
flows.
236
EN.EN.R.5.1: DELETE Message Flow
Purpose:
Verify that a node properly deleates an existing SA
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
237
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Packet #1
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
NUT (EN)
responder
Packet #3
Judgment #2
TN1 (EN)
initiator
(Deleting)
Packet #4
DELETE(XID=1), AP_REQ, E{ISAKMP(D(SPIi1))}
Judgment #3
REPLY(XID=1), AP_REP, E{ISAKMP(D(SPIr1)))}
Packet #5
Judgment #4
No response
Part A: (BASIC)
#1.
6. TN1 transmits DELETE message described as Common Transmitted Packet
#4.
238
Observable Results:
Part A:
Common Observed Packet #6 or 7.
because SA has already deleted at Step 7.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
239
EN.EN.R.5.2: Responding to DELETE with INVALID-SPI
Purpose:
Verify that a node properly rejects DELETE message containing a non-existing SPI
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
240
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Packet #1
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
NUT (EN)
responder
Packet #3
Judgment #2
TN1 (EN)
initiator
(Deleting)
Packet #4
Judgment #3
DELETE(XID=1), AP_REQ, E{ISAKMP(D(SPIi2))}
E{ISAKMP(N(INVALID-SPI))}
Part A: (BASIC)
#1.
#4.
However SPI is set to 0x20000000.
Observable Results:
241
Part A:
The NUT must respond to DELETE with properly formatted IPsec DOI-specific
INVALID-SPI
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
N (11)
1
242
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
SPI
Notification Data:
Cksum:
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
INVALID-SPI (11)
0x20000000
ANY
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
243
SPI
Notification Data:
Cksum:
INVALID-SPI (11)
0x20000000
ANY
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
244
Scope:
from a peer.
responds to these exchanges.
Overview:
KINK specification when the KINK implementation responds to STATUS message
flows.
245
EN.EN.R.6.1: Responding to Liveness Check
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
246
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
Packet #1
CREATE(XID=0), AP_REQ(EPOCHi1),
Judgment #1
Judgment #1
REPLY(XID=0), AP_REP(EPOCHr1),
REPLY(XID=0, ACKREQ),
AP_REP(EPOCHr1),
Packet #2
ACK(XID=0),
AP_REQ(EPOCHi1)
NUT (EN)
responder
Packet #3
Judgment #2
Packet #4
Judgment #3
TN1 (EN)
initiator
STATUS(XID=1), AP_REQ
REPLY(XID=1), AP_REP
Part A: (BASIC)
#1.
6. TN1 transmits STATUS message described as Common Transmitted Packet
#5.
Observable Results:
247
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
248
EN.EN.R.6.2: Closing SA when the principal's epoch has changed
Purpose:
Verify that a node properly closes SA when the principal's epoch has changed
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
249
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
Packet #1
Judgment #1
Judgment #1
AP_REP(EPOCHr1),
Packet #2
ACK(XID=0),
AP_REQ(EPOCHi1)
NUT (EN)
responder
Packet #3
Judgment #2
Packet #4
TN1 (EN)
initiator
STATUS(XID=1), AP_REQ(EPOCHi2)
Judgment #3
REPLY(XID=1), AP_REP(EPOCHr1)
Packet #5
Judgment #4
No response
Part A: (BASIC)
#1.
#5.
However, EPOCH is newly generated with the current time.
250
Observable Results:
Part A:
because SA has already been considered as invalid at Step 6.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
251
EN.EN.R.6.3: Not closing SA by unprotected routing information
Purpose:
Verify that a node properly keeps SA by the receipt of an unprotected routing
information
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
252
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Packet #1
Packet #1
CREATE, AP_REQ,
Judgment #1
Judgment #1
REPLY, AP_REP,
Packet #2
ACK, AP_REQ
TR1 (Router)
NUT (EN)
responder
Packet #3
TN1 (EN)
initiator
Judgment #2
Packet #4
Packet #5
Judgment #3
Part A: (BASIC)
#1.
253
Observable Results:
Part A:
However, ICMPv6 Identifier
must be set to one.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
254
Scope:
KINK implementation responds to these exchanges.
Overview:
KINK specification when the KINK implementation chooses to use User-to-User
authentication mode.
255
EN.EN.R.7.1: Receipt of GETTGT Message
Purpose:
Verify that an responder responds to GETTGT message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
256
Part A: (ADVANCED)
1. TN1 transmits GETTGT message described as Common Transmitted Packet
#6.
Observable Results:
Part A:
The NUT must respond to GETTGT with properly formatted REPLY message
described as Common Observable Packet #9.
Possible Problems:
- None
257
EN.EN.R.7.2: GETTGT Message Flow
Purpose:
Verify that a responder properly establish SA in User-to-User authentication mode
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
258
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
GETTGT, TGT_REQ
Judgment #1
TN2 (KDC)
REPLY, TGT_REP
(tester internal procedure)
Kerberos (TGS-REQ)
Kerberos (TGS-REP)
CREATE, AP_REQ,
E{ISAKMP(SA(P(T)),
Ni, IDi, IDr)}
Packet #2
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Judgment #2
TN1 (EN)
initiator
Judgment #2
REPLY, AP_REP,
Packet #3
ACK, AP_REQ
NUT (EN)
responder
Packet #4
TN1 (EN)
initiator
Judgment #3
Part A: (ADVANCED)
#6.
3. After the TN1 obtains a service ticket for NUT from TN2 internally, TN1
transmits CREATE message described as Common Transmitted Packet #1
with updating XID to one.
259
responds to REPLY with ACK described as Common Transmitted Packet #2
Observable Results:
Part A:
Common Observed Packet #1, 2, 3 or 4. However, XID must be set to one.
Data
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
260
EN.EN.R.7.3: Receipt of a KINK command with a User-to-User ticket that cannot
be decrypted with its TGT
Purpose:
Verify that a node properly processes against dead user-to-user peer
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
261
NUT (EN)
responder
Packet #1
Judgment #1
TN1 (EN)
initiator
CREATE, AP_REQ,
REPLY, TGT_REP(TGTr)
Part A: (ADVANCED)
#1, even though NUT is configured to use User-to-User authentication.
Observable Results:
Part A:
Possible Problems:
- None
262
EN.EN.R.7.4: Sending KINK_U2UDENIED
Purpose:
Verify that a node properly rejects to use User-to-User authentication mode when the
responder is not allowed to return its TGT
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
263
Part A: (BASIC)
#6.
Observable Results:
Part A:
The NUT must respond to GETTGT with REPLY message described as following
to indicate that the NUT is not allowed to return its TGT.
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_ERROR (8)
ACKREQ:
true (1)
RESERVED2:
0
CksumLen:
0
KINK_ ERROR Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
ErrorCode:
KINK_U2UDENIED (7)
Possible Problems:
- None
264
Scope:
expects a response.
Overview:
KINK specification when the KINK implementation responds to retransmission of
KINK messages.
265
EN.EN.R.8.1: Responding to retransmitted CREATE
Purpose:
Verify that a node properly responds to retransmitted CREATE message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
266
NUT (EN)
responder
Packet #1
Judgment #1
TN1 (EN)
initiator
CREATE(XID=0), AP_REQ(AP-REQ1),
REPLY(XID=0), AP_REP(AP-REP1),
REPLY(XID=0, ACKREQ), AP_REP(AP-REP1),
(Retransmission)
Packet #2
Judgment #2
Part A: (BASIC)
#1.
3. TN1 newly transmits CREATE message described as Common Transmitted
Packet #1.
Observable Results:
Part A:
267
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
268
EN.EN.R.8.2: Retransmission of REPLY with the ACKREQ bit set
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Transform #
1
2
ESP_AES-CBC (12)
ESP_3DES (3)
AES-XCBC-MAC (9)
HMAC-SHA (2)
Both
Procedure:
269
Part A: (BASIC)
#1.
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
NONE (0)
0
270
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
2
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
3. After NUT transmits REPLY, observe the packets transmitted by the NUT on
Link A until the timer T expires.
Observable Results:
Part A:
The NUT must retransmit properly formatted REPLY message described as
Possible Problems:
them.
271
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
272
EN.EN.R.8.3: Stop the retransmission of REPLY with the ACKREQ bit set
Purpose:
Verify that a node properly stops the retransmission of REPLY message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Transform #
1
2
ESP_AES-CBC (12)
ESP_3DES (3)
AES-XCBC-MAC (9)
HMAC-SHA (2)
Both
Procedure:
273
Part A: (BASIC)
#1.
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
AES-XCBC-MAC (9)
TV (1)
274
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Key Length (6)
128
NONE (0)
0
2
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
#2.
expires.
Observable Results:
Part A:
275
The NUT never retransmit REPLY message because message exchange had been
completed at Step 4.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
276
EN.EN.R.8.4: Responding to retransmitted DELETE
Purpose:
Verify that a node properly responds to retransmitted DELETE message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
277
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Packet #1
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
NUT (EN)
responder
Packet #3
Judgment #2
TN1 (EN)
initiator
(Deleting)
Packet #4
Judgment #3
DELETE(XID=1), AP_REQ(AP-REQ1),
E{ISAKMP(D(SPIi1))}
(Retransmission)
Packet #5
Judgment #6
E{ISAKMP(D(SPIi1))}
Part A: (BASIC)
#1.
#4.
278
8. TN1 retransmits DELETE message described as Common Transmitted
Packet #4.
Observable Results:
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
279
EN.EN.R.8.5: Responding to retransmitted STATUS
Purpose:
Verify that a node properly responds to retransmitted STATUS message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
280
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Packet #1
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
NUT (EN)
responder
Packet #3
Judgment #2
Packet #4
Judgment #3
TN1 (EN)
initiator
STATUS(XID=1), AP_REQ(AP-REQ1)
(Retransmission)
Packet #5
Judgment #4
Part A: (BASIC)
#1.
#5.
8. TN1 retransmits STATUS message described as Common Transmitted Packet
281
#5.
Observable Results:
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
282
EN.EN.R.8.6: Responding to retransmitted GETTGT
Purpose:
Verify that a node properly responds to retransmitted GETTGT message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
283
Part A: (ADVANCED)
#6.
3. TN1 retransmits GETTGT message described as Common Transmitted
Packet #6.
Observable Results:
Part A:
described as Common Observable Packet #9 again.
Possible Problems:
- None
284
Scope:
Overview:
285
EN.EN.R.9.1: Sending INVALID-PAYLOAD-TYPE against the unrecognized
ISAKMP payload
Purpose:
Verify that a node properly rejects unrecognized ISAKMP payload
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
286
Part A: (BASIC)
#1.
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
1024 MODP Group (2)
TV (1)
287
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
Unrecognized Payload
Next Payload:
RESERVED:
Payload Length:
Transport (2)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
unrecognized (0xff)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
NONE (0)
0
4
Observable Results:
Part A:
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
288
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
1
KINK_AP_REP (2)
false (0)
0
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
289
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
false (0)
0
KINK_ENCRYPT (7)
0
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
290
EN.EN.R.9.2: Checksum Verification
Purpose:
Verify that a node properly rejects the message containing invalid checksum
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
291
Part A: (BASIC)
#1.
However, Cksum is overwritten by the data that all bits set to one.
Observable Results:
Part A:
The NUT must not respond to CREATE message.
Possible Problems:
- None.
292
EN.EN.R.9.3: Sending KINK_INVMAJ
Purpose:
Verify that a node properly rejects a message containing unsupported KINK version
number in the header
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
293
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
CREATE(MjVer=0xf), AP_REQ,
Judgment #1
REPLY, ERROR(KINK_INVMAJ)
Part A: (BASIC)
#1.
However, MjVer is set to 0xf.
Observable Results:
Part A:
The NUT must respond to CREATE with REPLY message described as following
to indicate KINK error.
KINK_INVMAJ
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
1
NextPayload:
KINK_ERROR (8)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_ERROR Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
ErrorCode:
KINK_INVMAJ (3)
Possible Problems:
294
them.
295
EN.EN.R.9.4: Sending KINK_BADQMVERS
Purpose:
Verify that a node properly rejects a message containing ISAKMP version which is
greater than the highest currently supported version
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
Part A: bad major version (BASIC)
296
NUT (EN)
responder
Packet #1
Judgment #1
TN1 (EN)
initiator
CREATE, AP_REQ,
E{ISAKMP(QMMaj=0xf, SA(P(T)), Ni, IDi, IDr)}
REPLY, AP_REP,
E{ERROR(KINK_BADQMVERS), ISAKMP())}
#1.
However, QMMaj is set to 0xf.
Part B: bad minor version (BASIC)
NUT (EN)
responder
Packet #1
Judgment #1
TN1 (EN)
initiator
CREATE, AP_REQ,
E{ISAKMP(QMMin=0xf, SA(P(T)), Ni, IDi, IDr)}
REPLY, AP_REP,
E{ERROR(KINK_BADQMVERS), ISAKMP())}
#1.
However, QMMin is set to 0xf.
Observable Results:
Part A:
KINK_BADQMVERS
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
297
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
AP-REP:
Next Payload:
KINK_DONE (0)
RESERVED:
0
Payload Length:
InnerNextPload:
KINK_ERROR (8)
RESERVED2:
0
KINK_ERROR Payload
Next Payload:
KINK_ISAKMP (6)
RESERVED:
0
ErrorCode:
KINK_BADQMVERS (6)
KINK_ISAKMP Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
InnerNextPload: NONE (0)
QMMaj:
1
QMMin:
0
RESERVED:
0
Cksum:
unencrypted KINK_BADQMVERS
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
298
DOI:
XID:
1
NextPayload:
KINK_AP_REP (2)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REP Payload
Next Payload:
KINK_ERROR (8)
RESERVED:
0
EPOCH:
AP-REP:
KINK_ERROR Payload
Next Payload:
KINK_ISAKMP (6)
RESERVED:
0
ErrorCode:
KINK_BADQMVERS (6)
KINK_ISAKMP Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
QMMaj:
1
QMMin:
0
RESERVED:
0
Cksum:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
299
EN.EN.R.9.5: Receipt of unnecessary data after the message
Purpose:
Verify that a node properly proccesses a message which has unnecessary data after
the message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
300
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
KINK(CREATE, AP_REQ,
E{ISAKMP(SA(P(T)), Ni, IDi, IDr)}, Cksum),
8 bytes unnecessary data (all bits set to zero)
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Judgment #1
TN1 (EN)
initiator
Judgment #1
REPLY, AP_REP,
Part A: (BASIC)
#1.
However, 8 bytes extra UDP data that all bits set to zero is added after
KINK message.
Observable Results:
Part A:
Possible Problems:
them.
301
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
302
EN.EN.R.9.6: Receipt of CREATE with non-zero value in reserved field
Purpose:
Verify that a node properly ignores reserved field in CREATE message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
303
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
CREATE, AP_REQ,
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Judgment #1
Judgment #1
REPLY, AP_REP,
Part A: (BASIC)
#1.
However, Reserved Field in CREATE message must be set as following.
KINK
RESRVED:
0xf
RESERVED2:
0x7f
KINK_AP_REQ Payload
RESERVED:
0xff
RESERVED:
0xff
RESERVED2:
0xffffff
KINK_ISAKMP Payload
RESERVED: 0xff
RESERVED: 0xffff
Observable Results:
Part A:
304
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
305
EN.EN.R.9.7: Receipt of ACK with non-zero value in reserved field
Purpose:
Verify that a node properly ignores reserved field in ACK message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Transform #
1
2
ESP_AES-CBC (12)
ESP_3DES (3)
AES-XCBC-MAC (9)
HMAC-SHA (2)
Both
Procedure:
306
NUT (EN)
responder
Packet #1
Judgment #1
TN1 (EN)
initiator
CREATE, AP_REQ,
Packet #2
ACK, AP_REQ
Packet #3
Judgment #2
Part A: (BASIC)
#1.
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
NONE (0)
0
307
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
2
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Transport (2)
TV (1)
HMAC-SHA (2)
#2.
KINK
RESRVED:
0xf
RESERVED2:
0x7f
KINK_AP_REQ Payload
RESERVED:
0xff
Observable Results:
Part A:
308
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
309
EN.EN.R.9.8: Receipt of GETTGT with non-zero value in reserved field
Purpose:
Verify that a node properly ignores reserved field in GETTGT message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
NUT (EN)
responder
Packet #1
Judgment #1
TN1 (EN)
initiator
GETTGT, TGT_REQ
REPLY, ERROR(KINK_U2UDENIED)
310
Part A: (BASIC)
#6.
KINK
RESRVED:
0xf
RESERVED2:
0x7f
RESERVED:
0xff
Observable Results:
Part A:
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_ERROR (8)
ACKREQ:
true (1)
RESERVED2:
0
CksumLen:
0
KINK_ ERROR Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
ErrorCode:
KINK_U2UDENIED (7)
Possible Problems:
311
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
312
EN.EN.R.9.9: Receipt of unencrypted CREATE
Purpose:
Verify that a node properly processes CREATE message which doesn't encrypted by
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
313
NUT (EN)
responder
Packet #1
TN1 (EN)
initiator
CREATE, AP_REQ, ISAKMP(SA(P(T)), Ni, IDi, IDr)
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Judgment #1
Judgment #1
REPLY, AP_REP,
Part A: (BASIC)
#1.
However KINK_ENCRYPT Payload must not appear as described as
following.
KINK
KINK_AP_REQ Payload
KINK_ISAKMP Payload
SA Payload
P Payload
T Payload
Data Attribute
Data Attribute
Data Attribute
Data Attribute
Ni Payload
IDi Payload
IDr Payload
Observable Results:
Part A:
314
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
315
EN.EN.R.9.10: Receipt of unencrypted DELETE
Purpose:
Verify that a node properly processes DELETE message which doesn't encrypted by
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
316
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Packet #1
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
NUT (EN)
responder
Packet #3
Judgment #2
TN1 (EN)
initiator
(Deleting)
Packet #4
Judgment #3
Packet #5
Judgment #4
DELETE(XID=1), AP_REQ, ISAKMP(D(SPIi1))
No response
Part A: (BASIC)
#1.
#4.
following.
317
KINK
KINK_AP_REQ Payload
KINK_ISAKMP Payload
D Payload
Observable Results:
Part A:
because SA has already deleted at Step 7.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
TLV (0)
318
Attribute Length:
Attribute Value:
ANY
28,800
319
EN.EN.R.9.11: Sending KRB_AP_ERR_SKEW
Purpose:
Verify that a node properly rejects a message when the responder clock and the
initiator clock are off by more than the policy-determinde clock skew limit.
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
320
NUT (EN)
responder
TN1 (EN)
initiator
Packet #1
Judgment #1
CREATE, AP_REQ,
REPLY, AP_REP,
Part A: (BASIC)
#1.
Observable Results:
Part A:
to indicate Kerberos error.
KRB_AP_ERR_SKEW
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
321
EPOCH:
AP-REP:
Next Payload:
KINK_DONE (0)
RESERVED:
0
Payload Length:
InnerNextPload:
KINK_KRB_ERROR (3)
RESERVED2:
0
Next Payload:
KINK_DONE (0)
RESERVED:
0
KRB-ERROR:
Cksum:
unencrypted KRB_AP_ERR_SKEW
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
0
NextPayload:
KINK_AP_REP (2)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REP Payload
Next Payload:
KINK_KRB_ERROR (3)
RESERVED:
0
EPOCH:
AP-REP:
Next Payload:
KINK_DONE (0)
RESERVED:
0
KRB-ERROR:
Cksum:
Possible Problems:
322
- None.
323
Section 1.2: EN to SGW Tunnel
Scope:
The following tests cover the endpoint to security gateway tunnel mode scenario.
In
this endpoint to security gateway tunnel mode scenario, a protected endpoint connects
back to its network through an IPsec-protected tunnel.
Overview:
KINK specification when the KINK implementation uses the tunnel mode IPsec to
communicate with the another endpoint.
The logical network topology involves EN, SGW, KDC, Host and Router on each link.
The shaded region labelled as <TN> in Fig 3 is done inside TN node logically.
The
tunnel mode is used in this network topology as shown as Fig 4.
324
Fig 3 EN to SGW Common Network Topology for NUT (EN)
Fig 4 EN to SGW Tunnel Scenario for NUT (EN)
Default NUT (EN) Configuration:
- IP configuration:
Address
Default router
NUT - Link A
TR1 - Link A
(fe80::f)
KDC
Principal Name
Pre-shared Key
Encryption Type
Checksum Type
KDC - Link X
(Prefix X::e)
disable
325
Address
Port
Principal Name
PFS
IDi
IDr
ID Type
Protocol ID
Port
Identification
Data
Local
NUT - Link A
910
@EXAMPLE.COM"
disable
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
Remote
TN1 - Link X
(Prefix X::1)
910
@EXAMPLE.COM"
disable
ID_IPV6_ADDR_SUBNET (6)
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
IPsec ESP Transform
SA Life Type (1)
Inbound
Outbound
ESP_3DES (3)
ESP_3DES (3)
Seconds (1)
Seconds (1)
28,800
28,800
Tunnel (1)
Tunnel (1)
HMAC-SHA (2)
HMAC-SHA (2)
326
Scope:
The following tests
Overview:
Default Packets:
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
false (0)
KINK_ENCRYPT (7)
0
327
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
NONE (0)
328
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
Cksum:
payload).
IPv6
Next Header:
Source Address:
ESP (50)
TN1 - Link X
(Prefix X::1)
NUT - Link A
ESP
SPI:
Sequence Number:
IV:
1
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TH1 - Link Y
(Prefix Y::d)
NUT - Link A
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Request (128)
0
ICMPv6 checksum
0
0
ANY
IPv6 (41)
329
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
kink (910)
kink (910)
CREATE (1)
1
0
ANY
KINK_AP_REQ (1)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
330
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
Cksum:
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
CREATE (1)
1
0
331
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
ANY
KINK_AP_REQ (1)
false (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
ID_IPV6_ADDR (5)
332
Protocol ID:
Port:
IPv6-ICMP (58)
ANY (0)
NUT - Link A
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
Cksum:
IPv6
Next Header:
Source Address:
ESP (50)
NUT - Link A
TN1 - Link X
(Prefix X::1)
ESP
SPI:
Sequence Number:
IV:
IPv6
Next Header:
Source Address:
0x10000000
ANY
ANY
IPv6-ICMP (58)
NUT - Link A
TH1 - Link Y
(Prefix Y::d)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Reply (129)
0
ICMPv6 checksum
0
0
ANY
IPv6 (41)
333
Scope:
The following tests
exchanges.
Overview:
334
EN.SGW.I.1.1: CREATE Message Flow (2-way handshake)
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
335
TN1 (SGW)
responder
NUT (EN)
initiator
Judgment #1
CREATE, AP_REQ,
REPLY, AP_REP,
Packet #1
TH1 (Host)
Packet #2
ICMPv6 Echo Request
Judgment #2
ICMPv6 Echo Reply
IPsec ESP tunnel
Part A: (ADVANCED)
Packet #1.
Observable Results:
Part A:
Possible Problems:
336
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
337
Scope:
The following tests
Overview:
Default Packets:
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
kink (910)
kink (910)
CREATE (1)
1
0
0
KINK_AP_REQ (1)
false (0)
0
KINK_ENCRYPT (7)
0
338
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
IDr Payload
339
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
Cksum:
payload).
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
ACK (5)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
0
NextPayload:
KINK_AP_REQ (1)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REQ Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REQ:
Cksum:
IPv6
Next Header:
Source Address:
ESP
SPI:
Sequence Number:
ESP (50)
TN1 - Link X
(Prefix X::1)
NUT - Link A
1
340
IV:
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TH1 - Link Y
(Prefix Y::d)
NUT - Link A
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Request (128)
0
ICMPv6 checksum
0
0
ANY
IPv6 (41)
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
341
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
NONE (0)
342
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
Cksum:
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
false (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
343
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
Cksum:
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
kink (910)
kink (910)
REPLY (3)
1
0
0
344
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
345
KINK_AP_REP (2)
true (1)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
Cksum:
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
true (1)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
346
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
Cksum:
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
NUT - Link A
347
IPv6
Next Header:
Source Address:
ESP (50)
NUT - Link A
TN1 - Link X
(Prefix X::1)
ESP
SPI:
Sequence Number:
IV:
IPv6
Next Header:
Source Address:
0x10000000
ANY
ANY
IPv6-ICMP (58)
NUT - Link A
TH1 - Link Y
(Prefix Y::d)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Reply (129)
0
ICMPv6 checksum
0
0
ANY
IPv6 (41)
348
Scope:
The following tests
exchanges.
Overview:
flows.
349
EN.SGW.R.1.1: CREATE Message Flow
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
350
TN1 (SGW)
initiator
NUT (EN)
responder
CREATE, AP_REQ,
Packet #1
(2-way handshake)
(3-way handshake)
TN1 (SGW)
initiator
NUT (EN)
responder
TN1 (SGW)
initiator
NUT (EN)
responder
Judgment #1
Judgment #1
REPLY, AP_REP,
Packet #2
ACK, AP_REQ
TN1 (SGW)
initiator
NUT (EN)
responder
TH1 (Host)
Packet #3
ICMPv6 Echo Request
Judgment #2
ICMPv6 Echo Reply
IPsec ESP tunnel
Part A: (ADVANCED)
#1.
Observable Results:
351
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
352
Chapter 2: SGW implementation
353
Section 2.1: SGW to SGW Tunnel
Scope:
The following tests cover the security gateway to security gateway tunnel scenario.
In
this security gateway to security gateway tunnel scenario, neither endpoint of the IP
connection implements IPsec, but network nodes between them protect traffic for part
of the way.
Overview:
protect the communication between endpoints behind their own gateways.
The logical network topology involves SGWs, KDC, Router and Host on each link. The
shaded region labelled as <TN> in Fig 5 is done inside TN node logically.
The tunnel
mode is used in this network topology as shown as Fig 6.
354
Fig 5 SGW to SGW Common Network Topology for NUT (SGW)
Fig 6 SGW to SGW Tunnel Scenario for NUT (SGW)
Default NUT (SGW) Configuration:
- IP configuration:
Address
Default router
NUT - Link A
NUT - Link B
(Prefix B::<any_interface_ID>)
TR1 - Link A
(fe80::f)
355
KDC
Principal Name
Pre-shared Key
Encryption Type
Checksum Type
KDC - Link X
(Prefix X::e)
disable
Address
Port
Principal Name
PFS
IDi
IDr
ID Type
Protocol ID
Port
Identification
Data
Local
NUT - Link A
910
@EXAMPLE.COM"
disable
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
Remote
TN1 - Link X
(Prefix X::1)
910
@EXAMPLE.COM"
disable
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
IPsec ESP Transform
SA Life Type (1)
Inbound
Outbound
ESP_3DES (3)
ESP_3DES (3)
Seconds (1)
Seconds (1)
28,800
28,800
Tunnel (1)
Tunnel (1)
HMAC-SHA (2)
HMAC-SHA (2)
356
Scope:
The following tests
Overview:
Default Packets:
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
false (0)
KINK_ENCRYPT (7)
0
357
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
NONE (0)
358
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
Cksum:
payload).
Common Transmitted Packet #2: REPLY with Nr for CREATE
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
kink (910)
kink (910)
REPLY (3)
1
0
KINK_AP_REP (2)
true (1)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
359
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (3)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
Cksum:
payload).
360
IPv6
Next Header:
Source Address:
ESP (50)
TN1 - Link X
(Prefix X::1)
NUT - Link A
ESP
SPI:
Sequence Number:
IV:
1
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TH2 - Link Y
(Prefix Y::c)
TH1 - Link B
(Prefix B::d)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Request (128)
0
ICMPv6 checksum
0
0
ANY
IPv6 (41)
Common Transmitted Packet #4: ICMPv6 Echo Reply
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TH1 - Link B
(Prefix B::d)
TH2 - Link Y
(Prefix Y::c)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Echo Reply (129)
0
ICMPv6 checksum
0
0
Common Transmitted Packet #5: REPLY for STATUS
IPv6
Next Header:
UDP (17)
361
Source Address:
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
the same value as STATUS message
NextPayload:
KINK_AP_REP (2)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REP Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REP:
Cksum:
Common Transmitted Packet #6: REPLY for GETTGT
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_TGT_REP (5)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
Next Payload:
KINK_DONE (0)
RESERVED:
0
TGT:
Cksum:
IPv6
Next Header:
IPv6-ICMP (58)
362
Source Address:
ICMPv6
Type:
Code:
Checksum:
Unused:
Data:
TR1 - Link X
(Prefix X::f)
NUT - Link A
ICMPv6 checksum
0
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
kink (910)
kink (910)
CREATE (1)
1
0
ANY
KINK_AP_REQ (1)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
363
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
Cksum:
364
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
kink (910)
kink (910)
CREATE (1)
1
0
ANY
KINK_AP_REQ (1)
false (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
365
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
28,800
TV (1)
Tunnel (3)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
Cksum:
Common Observed Packet #3: ACK
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
ACK (5)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_AP_REQ (1)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REQ Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REQ:
366
Cksum:
Common Observed Packet #4: ICMPv6 Echo Request
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TH2 - Link Y
(Prefix Y::c)
TH1 - Link B
(Prefix B::d)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Echo Request (128)
0
ICMPv6 checksum
0
0
IPv6
Next Header:
Source Address:
ESP (50)
NUT - Link A
TN1 - Link X
(Prefix X::1)
ESP
SPI:
Sequence Number:
IV:
IPv6
Next Header:
Source Address:
0x10000000
ANY
ANY
IPv6-ICMP (58)
TH1 - Link B
(Prefix B::d)
TH2 - Link Y
(Prefix Y::c)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Reply (129)
0
ICMPv6 checksum
0
0
ANY
IPv6 (41)
Common Observed Packet #6: STATUS
367
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
STATUS (6)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
ANY
NextPayload:
KINK_AP_REQ (1)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REQ Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REQ:
Cksum:
Common Observed Packet #7: GETTGT
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
ACK (5)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
ANY
NextPayload:
KINK_TGT_REQ (4)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
Next Payload:
KINK_DONE (0)
RESERVED:
0
PrincName:
kink/tn.example.com@EXAMPLE.COM
Cksum:
368
Scope:
The following tests
exchanges.
Overview:
369
SGW.SGW.I.1.1: Sending CREATE Message
Purpose:
Verify that an initiator transmits CREATE message in properly format
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
In each part, configure devices according to the Default NUT (SGW)
Configuration.
Both
Procedure:
370
Part A: (BASIC)
Observable Results:
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
371
SGW.SGW.I.1.2: CREATE Message Flow (2-way handshake)
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
372
Part A: (BASIC)
Packet #1.
5. Observe the packets transmitted by the NUT on Link B.
6. TH1 responds to ICMPv6 Echo Request with ICMPv6 Echo Reply described as
Observable Results:
Part A:
The NUT must decapsulate protected ICMPv6 Echo Request as Common
Observed Packet #4 and forward to TH1.
373
The NUT must forward properly formatted ICMPv6 Echo Reply encrypted by
ESP described as Common Observed Packet #5 to TN1.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
374
SGW.SGW.I.1.3: The non-optimistic keying by receipt of Nr
Purpose:
Verify that an initiator properly processes 3-way handshake when the responder
wants to contribute the keying materials
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
375
TN1 (SGW)
responder
NUT (SGW)
initiator
Judgment #1
CREATE, AP_REQ,
Packet #1
Judgment #2
ACK, AP_REQ
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #2/Jdg #3
ICMPv6 Echo Request
Pkt #3/Jdg #4
ICMPv6 Echo Reply
Part A: (BASIC)
Packet #2.
Observable Results:
Part A:
376
Packet #3.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
377
SGW.SGW.I.1.4: Creating an optimistic inbound SA
Purpose:
Verify that a node properly creates an optimistic inbound SA before initiating
CREATE message flow
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
378
TN1 (SGW)
responder
NUT (SGW)
initiator
Judgment #1
CREATE, AP_REQ,
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #1/Jdg #2
ICMPv6 Echo Request
Part A: (BASIC)
3. After observing CREATE, TN1 transmits ICMPv6 Echo Request encrypted by
ESP described as Common Transmitted Packet #3.
Observable Results:
Part A:
Possible Problems:
them.
described as below.
379
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
380
Scope:
The initiator
Overview:
381
SGW.SGW.I.2.1: Cryptographic Algorithm Negotiation
Purpose:
Verify that an initiator properly establish SA with the specific cryptographic
algorithms
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Part
A
B
C
D
E
ESP_NULL (11)
ESP_3DES (3)
ESP_3DES (3)
HMAC-SHA (2)
HMAC-SHA (2)
HMAC-SHA (2)
NONE (undefined)
AES-XCBC-MAC (9)
Both
382
Procedure:
Part
A
B
C
D
E
NULL
TripleDES-CBC
TripleDES-CBC
HMAC-SHA1-96
HMAC-SHA1-96
HMAC-SHA1-96
NONE
AES-XCBC-MAC-96
Packet #1. However Transform-ID in Transform payload and Attribute Value
in Authentication Algorithm Data Attribute must be set according to the
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
TV (1)
Key Length (6)
128
383
However
encryption algorithm and authentication algorithm must be set according to
the corresponding entry of the table above.
Observable Results:
Part A through E:
Common Observed Packet #1 or 2. However Transform-ID in Transform
In
Data Attribute.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
TV (1)
Key Length (6)
128
ESP described as Common Observed Packet #5 to TN1. However encryption
algorithm and authentication algorithm must be set according to the
corresponding entry of the table in the procedure above.
Possible Problems:
384
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
385
SGW.SGW.I.2.2: The shorter LIFE_SECONDS is selected from optimistic proposal
Purpose:
Verify that an initiator uses the shorter lifetime when the responder set lifetime to a
lower value
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
386
NUT (SGW)
initiator
TN1 (SGW)
responder
Judgment #1
CREATE, AP_REQ,
Ni, IDi, IDr)}
Packet #1
REPLY, AP_REP,
E{ISAKMP(SA(P(T(LIFE_SECONDSr))),
IDi, IDr)}
IPsec ESP tunnel
TH2 (Host)
TH1 (Host)
Pkt #2/Jdg #2
ICMPv6 Echo Request
Pkt #3/Jdg #3
ICMPv6 Echo Reply
(LIFE_SECONDSr expires)
Pkt #4/Jdg #4
No response
ICMPv6 Echo Request
IPsec ESP tunnel
Part A: (BASIC)
Packet #1.
8. After 30 seconds, TN1 transmits ICMPv6 Echo Request encrypted by ESP
described as Common Transmitted Packet #3 with updating ICMPv6
Identifier to one.
Observable Results:
387
Part A:
The NUT must not decapsulate protected ICMPv6 Echo Request as Common
Observed Packet #4 and must not forward to TH1 because SA has negotiated
with 30 seconds lifetime and should expire.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
388
SGW.SGW.I.2.3: The optimistic proposal is selected from multiple transforms
Purpose:
the optimistic proposal from proposed multiple transforms
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Transform #
1
2
ESP_3DES (3)
ESP_AES-CBC (12)
HMAC-SHA (2)
AES-XCBC-MAC (9)
Both
389
Procedure:
Part A: (ADVANCED)
Packet #1.
Observable Results:
Part A:
following.
P Payload
Next Payload:
RESERVED:
Payload Length:
NONE (0)
0
390
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
NONE (0)
0
2
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
Data Attribute.
391
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
392
SGW.SGW.I.2.4: The non-optimistic proposal is selected from multiple transforms
Purpose:
the non-optimistic proposal from proposed multiple transforms
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Transform #
1
2
ESP_AES-CBC (12)
ESP_3DES (3)
AES-XCBC-MAC (9)
HMAC-SHA (2)
Both
393
Procedure:
NUT (SGW)
initiator
TN1 (SGW)
responder
CREATE, AP_REQ,
Judgment #1
Packet #1
Judgment #2
ACK, AP_REQ
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #2/Jdg #3
ICMPv6 Echo Request
Pkt #3/Jdg #4
ICMPv6 Echo Reply
Part A: (ADVANCED)
Packet #2.
Observable Results:
Part A:
following.
394
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
NONE (0)
0
2
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
Data Attribute.
395
Packet #3.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
396
SGW.SGW.I.2.5: The optimistic proposal is selected from multiple proposals
Purpose:
the optimistic proposal from proposed multiple proposals
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Proposal #
1
2
Protocol ID
PROTO_IPSEC_ESP (3)
PROTO_IPSEC_AH (2)
ESP_3DES (3)
-
HMAC-SHA (2)
AH_SHA (3)
Both
397
Procedure:
NUT (SGW)
initiator
TN1 (SGW)
responder
CREATE, AP_REQ,
Judgment #1
REPLY, AP_REP,
Packet #1
TH1 (Host)
TH2 (Host)
Pkt #2/Jdg #2
ICMPv6 Echo Request
Pkt #3/Jdg #3
ICMPv6 Echo Reply
IPsec ESP tunnel
Part A: (ADVANCED)
Packet #1.
Observable Results:
Part A:
SA Payload
Next Payload:
Ni (10)
398
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
0
P (2)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
NONE (0)
0
2
PROTO_IPSEC_AH (2)
4
1
ANY
NONE (0)
0
1
AH_SHA (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
399
Attribute Value:
HMAC-SHA (2)
Data Attribute.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
400
SGW.SGW.I.2.6: The non-optimistic proposal is selected from multiple proposals
Purpose:
the non-optimistic proposal from proposed multiple proposals
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Proposal #
1
2
Protocol ID
PROTO_IPSEC_AH (2)
PROTO_IPSEC_ESP (3)
ESP_3DES (3)
AH_SHA (3)
HMAC-SHA (2)
Both
401
Procedure:
NUT (SGW)
initiator
TN1 (SGW)
responder
CREATE, AP_REQ,
Judgment #1
Packet #1
Judgment #2
ACK, AP_REQ
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #2/Jdg #3
ICMPv6 Echo Request
Pkt #3/Jdg #4
ICMPv6 Echo Reply
Part A: (ADVANCED)
Packet #2.
Observable Results:
Part A:
402
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Ni (10)
0
P (2)
0
1
PROTO_IPSEC_AH (2)
4
1
ANY
NONE (0)
0
1
AH_SHA (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
NONE (0)
0
2
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
403
Attribute Format:
Attribute Type:
Attribute Value:
TV (1)
HMAC-SHA (2)
Data Attribute.
Packet #3.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
404
Scope:
payload.
Overview:
KINK specification when the KINK implementation proposes to use the perfect forward
secrecy (PFS).
405
SGW.SGW.I.3.1: PFS
Purpose:
Verify that an initiator properly processes 3-way handshake when the initiator
requires to use PFS
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
406
TN1 (SGW)
responder
NUT (SGW)
initiator
Judgment #1
CREATE, AP_REQ,
Packet #1
Judgment #2
ACK, AP_REQ
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #2/Jdg #3
ICMPv6 Echo Request
Pkt #3/Jdg #4
ICMPv6 Echo Reply
Part A: (ADVANCED)
Packet #2.
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
407
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
KE Payload
Next Payload:
RESERVED:
Payload Length:
Key Exchange Data
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
1024 MODP Group (2)
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
KE (4)
0
IDi (5)
0
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
Observable Results:
408
Part A:
set as following.
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
KE Payload
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
1024 MODP Group (2)
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
KE (4)
0
ANY
409
Next Payload:
RESERVED:
Payload Length:
Key Exchange Data
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDi (5)
0
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
Packet #3.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
410
411
Group 4: Rekeying
Scope:
Overview:
KINK specification when the KINK implementation rekeys SA.
412
SGW.SGW.I.4.1: Initiating Rekeying
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
413
NUT (SGW)
initiator
TN1 (SGW)
responder
CREATE, AP_REQ,
Judgment #1
REPLY, AP_REP,
Packet #1
IPsec ESP(SPIi) tunnel
TH1 (Host)
TH2 (Host)
ICMPv6
Echo Request
ICMPv6
Echo Reply
Pkt #2/Jdg #2
Pkt #3/Jdg #3
IPsec ESP(SPIr) tunnel
(repeat
until initiator’s
soft lifetime
expires)
IPsec ESP(SPIi) tunnel
ICMPv6
Echo Request
ICMPv6
Echo Reply
Pkt #4/Jdg #4
Pkt #5/Jdg #5
IPsec ESP(SPIr) tunnel
(Rekeying)
Judgment #6
CREATE, AP_REQ,
Part A: (BASIC)
Packet #1.
8. Repeat Steps 4 and 7 for 30 seconds with the interval value of 1 second.
414
ICMPv6 Sequence Number should be incremented in each of transmitted
packets.
While transmitting ICMPv6 Echo Request and Echo Reply, observe
the packets transmitted by the NUT on Link A.
Observable Results:
Part A:
Common Observed Packet #1 or 2. SPI in Proposal Payload must be updated to
establish new SA.
Data Attributes in Transform payload can be placed in any
order excepting that SA Life Duration Data Attribute is always follow SA Life
The NUT must newly transmit properly formatted CREATE message described
as Common Observed Packet #1 or 2.
Data Attributes in Transform payload can
be placed in any order excepting that SA Life Duration Data Attribute is always
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
415
416
Scope:
message flows when the KINK implementation initiates these exchanges.
Overview:
KINK specification when the KINK implementation initiates DELETE message flows.
There are no tests in this group because initiating DELETE message flow is defined as
untested item in this document.
417
Scope:
from a peer.
initiates these exchanges.
Overview:
KINK specification when the KINK implementation initiates STATUS message flows.
418
SGW.SGW.I.6.1: Initiating Liveness Check
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
419
NUT (SGW)
initiator
TR1 (Router)
TN1 (SGW)
responder
CREATE, AP_REQ,
Judgment #1
REPLY, AP_REP,
Packet #1
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #2/Jdg #2
ICMPv6 Echo Request
Pkt #3/Jdg #3
ICMPv6 Echo Reply
Packet #4
Judgment #4
STATUS, AP_REQ
Part A: (BASIC)
Packet #1.
Observable Results:
Part A:
420
However XID should be updated from the value
in CREATE transmitted at Step 1.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
421
Scope:
KINK implementation initiates these exchanges.
Overview:
KINK specification when the KINK implementation uses User-to-User authentication
mode.
422
SGW.SGW.I.7.1: Sending GETTGT Message
Purpose:
Verify that an initiator transmits GETTGT message in properly format
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
Part A: (ADVANCED)
423
Observable Results:
Part A:
Possible Problems:
- None
424
SGW.SGW.I.7.2: GETTGT Message Flow
Purpose:
Verify that a node properly retrieve a TGT from the remote peer in User-to-User
authentication mode
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
425
NUT (SGW)
initiator
TN1 (SGW)
responder
Judgment #1
TN2 (KDC)
GETTGT, TGT_REQ
Packet #1
REPLY, TGT_REP
Kerberos (TGS-REQ)
Kerberos (TGS-REP)
CREATE, AP_REQ,
Judgment #2
REPLY, AP_REP,
Packet #2
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #3/Jdg #3
ICMPv6 Echo Request
Pkt #4/Jdg #4
ICMPv6 Echo Reply
Part A: (ADVANCED)
Packet #6.
Packet #1.
Observable Results:
Part A:
426
or 2.
Attribute.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
427
SGW.SGW.I.7.3: Receipt of KINK_TGT_REP against a KINK command with a
User-to-User ticket that cannot be decrypted with its TGT
Purpose:
Verify that a node properly recovers dead user-to-user peer
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
428
TN1 (SGW)
responder
NUT (SGW)
initiator
Judgment #1
Packet #1
TN2 (KDC)
GETTGT, TGT_REQ
Kerberos (TGS-REQ)
Kerberos (TGS-REP)
Judgment #2
CREATE, AP_REQ, E{ISAKMP(SA(P(T)), Ni, IDi, IDr)}
Packet #1
Kerberos (TGS-REQ)
Kerberos (TGS-REP)
Judgment #3
CREATE, AP_REQ,
Part A: (ADVANCED)
Packet #6.
5. TN1 responds to CREATE with REPLY, but the packet format is the same as
REPLY for GETTGT described as Common Transmitted Packet #6.
However
TGT is newly obtained from TN2.
Observable Results:
Part A:
429
or 2.
Attribute.
After the NUT newly obtains a service ticket for TN1 from TN2 again, the NUT
must transmit properly formatted CREATE message described as Common
Observed Packet #1 or 2.
Data Attributes in Transform payload can be placed in
any order excepting that SA Life Duration Data Attribute is always follow SA Life
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
430
Scope:
expects a response.
Overview:
KINK specification when the KINK implementation retransmits KINK messages.
431
SGW.SGW.I.8.1: Retransmission of CREATE
Purpose:
Verify that a node properly retransmit CREATE message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
432
NUT (SGW)
initiator
TN1 (SGW)
responder
Judgment #1
(T expires)
(Retransmission)
Judgment #2
Part A: (BASIC)
3. After NUT transmits CREATE, observe the packets transmitted by the NUT
Observable Results:
Part A:
Possible Problems:
them.
described as below.
433
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
434
SGW.SGW.I.8.2: Stop the retransmission of CREATE
Purpose:
Verify that a node properly stops the retransmission of CREATE message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
435
NUT (SGW)
initiator
TN1 (SGW)
responder
Judgment #1
(T expires)
(Retransmission)
Judgment #2
Packet #1
REPLY(XIDi), AP_REP,
(T*2 expires)
Judgment #3
No response
Part A: (BASIC)
3. After NUT transmits first CREATE, observe the packets transmitted by the
4. TN1 responds to second CREATE with REPLY described as Common
expires.
Observable Results:
Part A:
436
The NUT never retransmit CREATE message because message exchange had
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
437
SGW.SGW.I.8.3: Responding to retransmitted REPLY with the ACKREQ bit set
Purpose:
References:
- [KINK] - Chapter 9
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
438
Part A: (BASIC)
Packet #2.
5. After observing ACK, TN1 transmits REPLY described as Common
Transmitted Packet #2 again.
Observable Results:
Part A:
Packet #3.
Packet #3 again.
439
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
440
SGW.SGW.I.8.4: Retransmission of STATUS
Purpose:
Verify that a node properly retransmit STATUS message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
441
TN1 (SGW)
responder
TR1 (Router)
NUT (SGW)
initiator
Judgment #1
REPLY(XIDi1), AP_REP,
Packet #1
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #2/Jdg #2
ICMPv6 Echo Request
Pkt #3/Jdg #3
ICMPv6 Echo Reply
Packet #4
Judgment #4
(T expires)
(Retransmission)
Judgment #5
Part A: (BASIC)
Packet #1.
10. After NUT transmits STATUS, observe the packets transmitted by the NUT
Observable Results:
442
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
443
SGW.SGW.I.8.5: Stop the retransmission of STATUS
Purpose:
Verify that a node properly stops the retransmission of STATUS message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
444
Part A: (BASIC)
Packet #1.
10. After NUT transmits first STATUS, observe the packets transmitted by the
445
11. TN1 responds to second STATUS with REPLY described as Common
expires.
Observable Results:
Part A:
The NUT never retransmit STATUS message because message exchange had
Possible Problems:
them.
446
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
447
SGW.SGW.I.8.6: Retransmission of GETTGT
Purpose:
Verify that a node properly retransmit GETTGT message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
NUT (SGW)
initiator
TN1 (SGW)
responder
Judgment #1
GETTGT, TGT_REQ
(T expires)
(Retransmission)
Judgment #2
GETTGT, TGT_REQ
448
Part A: (ADVANCED)
3. After NUT transmits GETTGT, observe the packets transmitted by the NUT
Observable Results:
Part A:
Possible Problems:
449
SGW.SGW.I.8.7: Stop the retransmission of GETTGT
Purpose:
Verify that a node properly stops the retransmission of GETTGT message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
450
NUT (SGW)
initiator
TN1 (SGW)
responder
Judgment #1
GETTGT, TGT_REQ
(T expires)
(Retransmission)
Judgment #2
Packet #1
GETTGT, TGT_REQ
REPLY, TGT_REP
(T*2 expires)
Judgment #3
No response
Part A: (ADVANCED)
3. After NUT transmits first GETTGT, observe the packets transmitted by the
4. TN1 responds to second GETTGT with REPLY described as Common
expires.
Observable Results:
Part A:
The NUT never retransmit GETTGT message because message exchange had
Possible Problems:
451
452
SGW.SGW.I.8.8: Restart a new transaction by receipt of
KRB_AP_ERR_TKT_EXPIRED
Purpose:
Verify that a node properly starts a new transaction with a new ticket when the node
receives the error indicating ticket expired
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
453
NUT (SGW)
initiator
TN1 (SGW)
responder
Judgment #1
Packet #1
REPLY, KRB_ERROR(KRB_AP_ERR_TKT_EXPIRED)
TN2 (KDC)
Kerberos (TGS-REQ)
Kerberos (TGS-REP)
Judgment #2
Part A: (BASIC)
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_KRB_ERROR (3)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
Next Payload:
KINK_DONE (0)
RESERVED:
0
KRB-ERROR:
indicating KRB_AP_ERR_TKT_EXPIRED
Observable Results:
454
Part A:
After the NUT obtains a service ticket for TN1 from TN2, The NUT must newly
transmit properly formatted CREATE message described as Common Observed
Packet #1 or 2.
Data Attributes in Transform payload can be placed in any order
Data Attribute.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
455
Scope:
Overview:
456
SGW.SGW.I.9.1: Responding to KINK_ERROR with the ACKREQ bit set
Purpose:
Verify that a node properly responds to an error message that the ACKREQ bit is set
with ACK message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
457
Part A: (BASIC)
3. TN1 responds to CREATE with REPLY described as following.
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_ERROR (8)
ACKREQ:
true (1)
RESERVED2:
0
CksumLen:
0
KINK_ ERROR Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
ErrorCode:
KINK_INTERR (5)
Observable Results:
Part A:
458
Packet #3.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
459
SGW.SGW.I.9.2: Receipt of REPLY with non-zero value in reserved field
Purpose:
Verify that a node properly ignores reserved field in REPLY message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
460
NUT (SGW)
initiator
TN1 (SGW)
responder
CREATE, AP_REQ,
Judgment #1
REPLY, AP_REP,
Packet #1
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #2/Jdg #2
ICMPv6 Echo Request
Pkt #3/Jdg #3
ICMPv6 Echo Reply
Part A: (BASIC)
Packet #1. However Reserved Field in CREATE message must be set as
following.
KINK
RESRVED:
0xf
RESERVED2:
0x7f
KINK_AP_REP Payload
RESERVED:
0xff
RESERVED:
0xff
RESERVED2:
0xffffff
KINK_ISAKMP Payload
RESERVED: 0xff
RESERVED: 0xffff
Observable Results:
461
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
462
SGW.SGW.I.9.3: Receipt of unencrypted REPLY
Purpose:
Verify that a node properly processes REPLY message which doesn't encrypted by
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
463
NUT (SGW)
initiator
TN1 (SGW)
responder
CREATE, AP_REQ,
Judgment #1
Packet #1
REPLY, AP_REP, ISAKMP(SA(P(T)), IDi, IDr)
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #2/Jdg #2
ICMPv6 Echo Request
Pkt #3/Jdg #3
ICMPv6 Echo Reply
Part A: (BASIC)
Packet #1.
However KINK_ENCRYPT Payload must not appear as described
as following.
KINK
KINK_AP_REP Payload
KINK_ISAKMP Payload
SA Payload
P Payload
T Payload
Data Attribute
Data Attribute
Data Attribute
Data Attribute
IDi Payload
IDr Payload
Observable Results:
Part A:
464
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
465
SGW.SGW.I.9.4: Receipt of authenticated KRB_AP_ERR_SKEW
Purpose:
Verify that a node properly adjust clock by the receipt of protected
KRB_AP_ERR_SKEW
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
466
NUT (SGW)
initiator
TN1 (SGW)
responder
Judgment #1
Packet #1
REPLY, AP_REP,
(Reinitiating)
Judgment #2
Part A: (BASIC)
The
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_AP_REP (2)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REP Payload
Next Payload:
KINK_ENCRYPT (7)
RESERVED:
0
Payload Length:
EPOCH:
AP-REP:
Next Payload:
KINK_DONE (0)
RESERVED:
0
Payload Length:
InnerNextPload:
KINK_KRB_ERROR (3)
RESERVED2:
0
467
Next Payload:
KINK_DONE (0)
RESERVED:
0
KRB-ERROR:
Cksum:
Observable Results:
Part A:
The NUT adjusts system clock to the time noticed by KRB-ERROR message.
And the NUT must newly transmit properly formatted CREATE message
described as Common Observed Packet #1 or 2. EPOCH in KINK_AP_REQ
Payload must be computed with the newly updated system clock.
Data
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
468
SGW.SGW.I.9.5: Receipt of unauthenticated KRB_AP_ERR_SKEW
Purpose:
Verify that a node properly does not adjust clock by the receipt of unprotected
KRB_AP_ERR_SKEW
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
469
NUT (SGW)
initiator
TN1 (SGW)
responder
Judgment #1
Packet #1
REPLY, AP_REP,
(Reinitiating)
Judgment #2
Part A: (BASIC)
The
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_AP_REP (2)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REP Payload
Next Payload:
KINK_ENCRYPT (7)
RESERVED:
0
Payload Length:
EPOCH:
AP-REP:
Next Payload:
KINK_DONE (0)
RESERVED:
0
470
Payload Length:
InnerNextPload:
KINK_KRB_ERROR (3)
RESERVED2:
0
Next Payload:
KINK_DONE (0)
RESERVED:
0
KRB-ERROR:
Observable Results:
Part A:
The NUT never adjusts system clock to the time noticed by KRB-ERROR
message.
And the NUT must newly transmit properly formatted CREATE
message described as Common Observed Packet #1 or 2, but EPOCH in
KINK_AP_REQ Payload is still computed without updating the system clock.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
471
472
Scope:
The following tests
Overview:
Default Packets:
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
kink (910)
kink (910)
CREATE (1)
1
0
0
KINK_AP_REQ (1)
false (0)
0
KINK_ENCRYPT (7)
0
473
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
IDr Payload
474
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
Cksum:
payload).
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
ACK (5)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
0
NextPayload:
KINK_AP_REQ (1)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REQ Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REQ:
Cksum:
IPv6
Next Header:
Source Address:
ESP
SPI:
Sequence Number:
ESP (50)
TN1 - Link X
(Prefix X::1)
NUT - Link A
1
475
IV:
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TH2 - Link Y
(Prefix Y::c)
TH1 - Link B
(Prefix B::d)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Request (128)
0
ICMPv6 checksum
0
0
ANY
IPv6 (41)
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TH1 - Link B
(Prefix B::d)
TH2 - Link Y
(Prefix Y::c)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Echo Reply (129)
0
ICMPv6 checksum
0
0
Common Transmitted Packet #5: DELETE
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
kink (910)
kink (910)
DELETE (2)
1
0
476
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
D Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-Id:
SPI Size:
# of SPIs
SPI #1
Cksum:
1
KINK_AP_REQ (1)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
D (12)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
1
payload).
Common Transmitted Packet #6: STATUS
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
kink (910)
kink (910)
STATUS (6)
1
0
1
KINK_AP_REQ (1)
false (0)
477
RESERVED2:
0
CksumLen:
KINK_AP_REQ Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REQ:
Cksum:
Common Transmitted Packet #7: GETTGT
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
ACK (5)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
0
NextPayload:
KINK_TGT_REQ (4)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
Next Payload:
KINK_DONE (0)
RESERVED:
0
PrincName:
kink/nut.example.com@EXAMPLE.COM
Cksum:
IPv6
Next Header:
Source Address:
ICMPv6
Type:
Code:
Checksum:
Unused:
Data:
IPv6-ICMP (58)
TR1 - Link X
(Prefix X::f)
NUT - Link A
ICMPv6 checksum
0
478
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
479
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (2)
TV (1)
HMAC-SHA (2)
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
Cksum:
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
480
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
0
KINK_AP_REP (2)
false (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (2)
TV (1)
HMAC-SHA (2)
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
481
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
Cksum:
Link Y
(Prefix Y::/64)
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
true (1)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
482
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
Cksum:
IPv6
483
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
true (1)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
484
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
Cksum:
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TH2 - Link Y
(Prefix Y::c)
TH1 - Link B
(Prefix B::d)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Echo Request (128)
0
ICMPv6 checksum
0
0
IPv6
Next Header:
Source Address:
ESP
SPI:
Sequence Number:
IV:
IPv6
Next Header:
ESP (50)
NUT - Link A
TN1 - Link X
(Prefix X::1)
0x10000000
ANY
ANY
IPv6-ICMP (58)
485
Source Address:
TH1 - Link B
(Prefix B::d)
TH2 - Link Y
(Prefix Y::c)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Reply (129)
0
ICMPv6 checksum
0
0
ANY
IPv6 (41)
Common Observed Packet #7: REPLY for DELETE
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
D (12)
1
486
QMMin:
RESERVED:
D Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-Id:
SPI Size:
# of SPIs
SPI #1
Cksum:
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
1
Common Observed Packet #8: unencrypted REPLY for DELETE
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
D Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-Id:
SPI Size:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
D (12)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
487
# of SPIs
SPI #1
Cksum:
1
Common Observed Packet #9: REPLY for STATUS
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
0
NextPayload:
KINK_AP_REP (2)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REP Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REP:
Cksum:
Common Observed Packet #10: REPLY for GETTGT
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
0
NextPayload:
KINK_TGT_REP (5)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
Next Payload:
KINK_DONE (0)
488
RESERVED:
Payload Length:
TGT:
Cksum:
0
489
Scope:
The following tests
exchanges.
Overview:
flows.
490
SGW.SGW.R.1.1: Receipt of CREATE Message
Purpose:
Verify that an initiator processes CREATE message in properly format
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
491
NUT (SGW)
responder
TN1 (SGW)
initiator
Packet #1
CREATE, AP_REQ,
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
TN1 (SGW)
initiator
NUT (SGW)
responder
Judgment #1
TN1 (SGW)
initiator
Judgment #1
REPLY, AP_REP,
Part A: (BASIC)
#1.
Observable Results:
Part A:
Possible Problems:
them.
described as below.
492
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
493
SGW.SGW.R.1.2: CREATE Message Flow
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
494
NUT (SGW)
responder
TN1 (SGW)
initiator
Packet #1
CREATE, AP_REQ,
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
TN1 (SGW)
initiator
NUT (SGW)
responder
Judgment #1
TN1 (SGW)
initiator
Judgment #1
REPLY, AP_REP,
Packet #2
ACK, AP_REQ
TH1 (Host)
NUT (SGW)
responder
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
IPsec ESP tunnel
Part A: (BASIC)
#1.
495
Observable Results:
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
496
Scope:
The initiator
Overview:
497
SGW.SGW.R.2.1: Cryptographic Algorithm Negotiation
Purpose:
Verify that a responder properly establish SA with the specific cryptographic
algorithms
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Part
A
B
C
D
E
ESP_NULL (11)
ESP_3DES (3)
ESP_3DES (3)
HMAC-SHA (2)
HMAC-SHA (2)
HMAC-SHA (2)
NONE (undefined)
AES-XCBC-MAC (9)
Both
498
Procedure:
NUT (SGW)
responder
TN1 (SGW)
initiator
CREATE, AP_REQ,
Packet #1
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
TN1 (SGW)
initiator
NUT (SGW)
responder
Judgment #1
TN1 (SGW)
initiator
Judgment #1
REPLY, AP_REP,
Packet #2
ACK, AP_REQ
TH1 (Host)
NUT (SGW)
responder
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
IPsec ESP tunnel
Part
A
B
C
D
E
NULL
TripleDES-CBC
TripleDES-CBC
HMAC-SHA1-96
HMAC-SHA1-96
HMAC-SHA1-96
NONE
AES-XCBC-MAC-96
#1.
However Transform-ID in Transform payload and Attribute Value in
Authentication Algorithm Data Attribute must be set according to the
499
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
TV (1)
Key Length (6)
128
Common Transmitted Packet #3. However encryption algorithm and
authentication algorithm must be set according to the corresponding entry of
the table above.
Observable Results:
Part A through E:
However Transform-ID in Transform
In
Data Attribute.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
500
TV (1)
Key Length (6)
128
ESP described as Common Observed Packet #6 to TN1. However encryption
algorithm and authentication algorithm must be set according to the
corresponding entry of the table in the procedure above.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
501
SGW.SGW.R.2.2: The shorter LIFE_SECONDS is proposed
Purpose:
Verify that a responder properly processes CREATE message when the initiator
proposes lower lifetime than the responder's lifetime
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
TN1 will propose with 30 seconds SA Life Duration.
Both
Procedure:
502
NUT (SGW)
responder
TN1 (SGW)
initiator
CREATE, AP_REQ,
Packet #1
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
TN1 (SGW)
initiator
NUT (SGW)
responder
Judgment #1
TN1 (SGW)
initiator
Judgment #1
REPLY, AP_REP,
IDi, IDr)}
Nr, IDi, IDr)}
(IPsec DOI-specific error)
NUT (SGW)
responder
TN1 (SGW)
initiator
Judgment #1
REPLY, AP_REP,
E{ISAKMP(N(NO-PROPOSAL-CHOSEN))}
Part A: (BASIC)
#1.
However Attribute Value in SA Life Duration Data Attribute must be set
to 30 seconds.
Observable Results:
Part A:
Common Observed Packet #1, 2, 3, 4 or the packets described below.
If the
packet transmitted by NUT is REPLY, Attribute Value in SA Life Duration Data
Attribute must be set to 30 seconds.
In addition, Data Attributes in Transform
503
payload can be placed in any order excepting that SA Life Duration Data
Attribute is always follow SA Life Type Data Attribute.
NO-PROPOSAL-CHOSEN
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
504
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
Possible Problems:
them.
described as below.
505
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
506
SGW.SGW.R.2.3: Selecting the optimistic proposal from multiple transforms
Purpose:
transforms
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Transform #
1
2
ESP_3DES (3)
ESP_AES-CBC (12)
HMAC-SHA (2)
AES-XCBC-MAC (9)
Both
507
Procedure:
NUT (SGW)
responder
TN1 (SGW)
initiator
CREATE, AP_REQ,
Packet #1
(2-way handshake)
(3-way handshake)
TN1 (SGW)
initiator
NUT (SGW)
responder
NUT (SGW)
responder
Judgment #1
TN1 (SGW)
initiator
Judgment #1
REPLY, AP_REP,
E{ISAKMP(SA(P(T1)), IDi, IDr)}
Packet #2
ACK, AP_REQ
NUT (SGW)
responder
TH1 (Host)
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
IPsec ESP tunnel
Part A: (BASIC)
#1.
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
508
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
NONE (0)
0
2
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
509
Observable Results:
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
510
SGW.SGW.R.2.4: Selecting the non-optimistic proposal from multiple transforms
Purpose:
transforms
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Transform #
1
2
ESP_AES-CBC (12)
ESP_3DES (3)
AES-XCBC-MAC (9)
HMAC-SHA (2)
Both
511
Procedure:
NUT (SGW)
responder
TN1 (SGW)
initiator
Packet #1
Judgment #1
Packet #2
CREATE, AP_REQ,
ACK, AP_REQ
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
Part A: (BASIC)
#1.
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
AES-XCBC-MAC (9)
512
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
TV (1)
Key Length (6)
128
NONE (0)
0
2
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
#2.
Observable Results:
Part A:
513
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
514
SGW.SGW.R.2.5: Selecting the optimistic proposal from multiple proposals
Purpose:
proposals
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Proposal #
1
2
Protocol ID
PROTO_IPSEC_ESP (3)
PROTO_IPSEC_AH (2)
ESP_3DES (3)
-
HMAC-SHA (2)
AH_SHA (3)
Both
515
Procedure:
NUT (SGW)
responder
TN1 (SGW)
initiator
CREATE, AP_REQ,
Packet #1
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
TN1 (SGW)
initiator
TN1 (SGW)
initiator
NUT (SGW)
responder
Judgment #1
Judgment #1
REPLY, AP_REP,
Packet #2
ACK, AP_REQ
NUT (SGW)
responder
TH1 (Host)
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
IPsec ESP tunnel
Part A: (BASIC)
#1.
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
Ni (10)
0
P (2)
0
1
PROTO_IPSEC_ESP (3)
4
516
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
NONE (0)
0
2
PROTO_IPSEC_AH (2)
4
1
ANY
NONE (0)
0
1
AH_SHA (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
517
Observable Results:
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
518
SGW.SGW.R.2.6: Selecting the non-optimistic proposal from multiple proposals
Purpose:
proposals
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Proposal #
1
2
Protocol ID
PROTO_IPSEC_AH (2)
PROTO_IPSEC_ESP (3)
ESP_3DES (3)
AH_SHA (3)
HMAC-SHA (2)
Both
519
Procedure:
TN1 (SGW)
initiator
NUT (SGW)
responder
Packet #1
Judgment #1
Packet #2
CREATE, AP_REQ,
E{ISAKMP(SA(P1(T), P2(T)),
Ni, IDi, IDr)}
ACK, AP_REQ
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
Part A: (BASIC)
#1.
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Ni (10)
0
P (2)
0
1
PROTO_IPSEC_AH (2)
4
1
ANY
NONE (0)
0
1
AH_SHA (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
520
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Tunnel (1)
TV (1)
HMAC-SHA (2)
NONE (0)
0
2
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
#2.
Observable Results:
Part A:
521
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
522
SGW.SGW.R.2.7: Responding to multiple KINK_ISAKMP by optimistic keying
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
SPD #
1
2
Remote IP Address
TH2 - Link Y
(Prefix Y::c)
TH3 - Link Y
(Prefix Y::b)
Local IP Address
TH1 - Link B
(Prefix B::d)
TH1 - Link B
(Prefix B::d)
Next Layer Protocol
IPv6-ICMP (58)
IPv6-ICMP (58)
For both SPD #1 and #2, IPsec configuration described in Default NUT (SGW)
523
Both
Procedure:
TN1 (SGW)
initiator
NUT (SGW)
responder
Packet #1
CREATE, AP_REQ,
ISAKMP2(SA(P(T)), Ni, IDi, IDr)}
(2-way handshake)
(3-way handshake)
TN1 (SGW)
initiator
NUT (SGW)
responder
TN1 (SGW)
initiator
NUT (SGW)
responder
Judgment #1
Judgment #1
ISAKMP2(SA(P(T)), Nr, IDi, IDr)}
REPLY, AP_REP,
E{ISAKMP1(SA(P(T)), IDi, IDr),
ISAKMP2(SA(P(T)), IDi, IDr)}
Packet #2
ACK, AP_REQ
NUT (SGW)
responder
TH1 (Host)
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
IPsec ESP tunnel
*
TH3 (Host)
Pkt #5/Jdg #4
Pkt #6/Jdg #5
IPsec ESP tunnel
*
ICMPv6 Echo Request
ICMPv6 Echo Reply
Part A: (BASIC)
#1.
524
The
shaded region in this packet is encrypted by Kerberos encrypt function with
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_ISAKMP (6)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
525
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH2 - Link Y
(Prefix Y::c)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH1 - Link B
(Prefix B::d)
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x20000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
526
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH3 - Link Y
(Prefix Y::b)
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH1 - Link B
(Prefix B::d)
Common Transmitted Packet #3. However, Source Address in the inner IPv6
Header is set to TH3 address.
SPI must be set to the value proposed in the
second KINK_ISAKMP Payload of REPLY.
Common Transmitted Packet #4. However, Destination address in IPv6
Observable Results:
Part A:
527
However the NUT includes two
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
KINK_ISAKMP (6)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH2 - Link Y
(Prefix Y::c)
NONE (0)
0
528
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH1 - Link B
(Prefix B::d)
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH3 - Link Y
(Prefix Y::b)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
529
Port:
ANY (0)
TH1 - Link B
(Prefix B::d)
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
KINK_ISAKMP (6)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
530
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IPv6-ICMP (58)
ANY (0)
TH2 - Link Y
(Prefix Y::c)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH1 - Link B
(Prefix B::d)
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
531
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH3 - Link Y
(Prefix Y::b)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH1 - Link B
(Prefix B::d)
However, Source Address in IPv6
However, Destination
address in the inner IPv6 Header is set to TH3 address.
Possible Problems:
them.
described as below.
532
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
Payload to only one KINK_ISAKMP. Payload.
533
SGW.SGW.R.2.8: Responding to multiple KINK_ISAKMP by non-optimistic keying
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
SPD #
1
2
Remote IP Address
TH2 - Link Y
(Prefix Y::c)
TH3 - Link Y
(Prefix Y::b)
Local IP Address
TH1 - Link B
(Prefix B::d)
TH1 - Link B
(Prefix B::d)
Next Layer Protocol
IPv6-ICMP (58)
IPv6-ICMP (58)
For SPD #1, IPsec configuration described in Default NUT (SGW)
However, for SPD #2, multiple
Transform payloads described below are proposed by TN1. Transform #2 will
be selected by NUT.
Transform #
534
1
2
ESP_AES-CBC (12)
ESP_3DES (3)
AES-XCBC-MAC (9)
HMAC-SHA (2)
Both
Procedure:
TN1 (SGW)
initiator
NUT (SGW)
responder
Packet #1
Judgment #1
Packet #2
TH1 (Host)
CREATE, AP_REQ,
ISAKMP2(SA(P(T1, T2)), Ni, IDi, IDr)}
ISAKMP2(SA(P(T2)), Nr, IDi, IDr)}
ACK, AP_REQ
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
IPsec ESP tunnel
*
TH3 (Host)
Pkt #5/Jdg #4
ICMPv6 Echo Request
Pkt #6/Jdg #5
ICMPv6 Echo Reply
IPsec ESP tunnel
*
Part A: (BASIC)
#1.
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
535
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_ISAKMP (6)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH2 - Link Y
(Prefix Y::c)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
536
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
TH1 - Link B
(Prefix B::d)
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
0x20000000
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
NONE (0)
0
2
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
537
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH3 - Link Y
(Prefix Y::b)
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH1 - Link B
(Prefix B::d)
#2.
Common Transmitted Packet #3. However, Source Address in the inner IPv6
SPI must be set to the value proposed in the
second KINK_ISAKMP Payload of REPLY.
538
Common Transmitted Packet #4. However, Destination address in IPv6
Observable Results:
Part A:
Common Observed Packet #3 or 4. However the NUT includes two
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
KINK_ISAKMP (6)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
539
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
HMAC-SHA (2)
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH2 - Link Y
(Prefix Y::c)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH1 - Link B
(Prefix B::d)
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
540
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH3 - Link Y
(Prefix Y::b)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TH1 - Link B
(Prefix B::d)
However, Source Address in IPv6
However, Destination
address in the inner IPv6 Header is set to TH3 address.
Possible Problems:
them.
541
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
Payload also to optimistic proposal represented as first KINK_ISAKMP Payload.
542
SGW.SGW.R.2.9: Sending NO-PROPOSAL-CHOSEN
Purpose:
Verify that a node properly rejects the proposal which is not accepted by the
responder
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
TN1 will propose following Transform payload and NUT will
reject it by sending NO-PROPOSAL-CHOSEN.
ESP_AES-CBC (12)
AES-XCBC-MAC (9)
Both
Procedure:
543
Part A: (BASIC)
#1.
However Transform Payload must be set as following.
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
Observable Results:
Part A:
544
NO-PROPOSAL-CHOSEN
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
545
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
TLV (0)
ANY
546
Attribute Value:
28,800
547
Scope:
payload.
Overview:
KINK specification when the KINK implementation chooses to use the perfect forward
secrecy (PFS).
548
SGW.SGW.R.3.1: PFS
Purpose:
Verify that a responder properly processes 3-way handshake when the initiator
requires to use PFS
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
549
Part A: (ADVANCED)
#1.
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
550
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
KE Payload
Next Payload:
RESERVED:
Payload Length:
Key Exchange Data
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
28,800
TV (1)
1024 MODP Group (2)
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
KE (4)
0
IDi (5)
0
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
#2.
Observable Results:
551
Part A:
set as following.
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
KE Payload
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
1024 MODP Group (2)
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
KE (4)
0
ANY
552
Next Payload:
RESERVED:
Payload Length:
Key Exchange Data
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDi (5)
0
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
553
SGW.SGW.R.3.2: Sending INVALID-PAYLOAD-TYPE against the receipt of KE
Purpose:
Verify that a responder properly rejects to use PFS when the responder doesn't
support PFS
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
554
NUT (SGW)
responder
TN1 (SGW)
initiator
Packet #1
Judgment #1
CREATE, AP_REQ,
REPLY, AP_REP,
E{ISAKMP(N(INVALID-PAYLOAD-TYPE))}
Part A: (BASIC)
#1.
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
1024 MODP Group (2)
TV (1)
Tunnel (1)
555
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
KE Payload
Next Payload:
RESERVED:
Payload Length:
Key Exchange Data
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
TV (1)
HMAC-SHA (2)
KE (4)
0
IDi (5)
0
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
Observable Results:
Part A:
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
556
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
1
KINK_AP_REP (2)
false (0)
0
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
557
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
0
KINK_ENCRYPT (7)
0
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
558
Group 4: Rekeying
Scope:
Overview:
KINK specification when the KINK implementation responds to rekeying SA.
559
SGW.SGW.R.4.1: Responding to Rekeying
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
560
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Packet #1
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
TH1 (Host)
NUT (SGW)
responder
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
IPsec ESP(SPIi1) tunnel
IPsec ESP(SPIr1) tunnel
(Rekeying)
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Packet #4
TN1 (EN)
initiator
Packet #4
Judgment #4
Judgment #4
Packet #5
ACK(XID=1), AP_REQ
TH1 (Host)
NUT (SGW)
responder
TN1 (SGW)
initiator
TH2 (Host)
Pkt #6/Jdg #5
ICMPv6 Echo Request
Pkt #7/Jdg #6
ICMPv6 Echo Reply
561
Part A: (BASIC)
#1.
Common Transmitted Packet #4 with updating ICMPv6 Identifier to one.
Observable Results:
Part A:
562
XID must be 1. Data Attributes in
ESP described as Common Observed Packet #6 to TN1 with updating SPI value
to 0x20000000 with updating ICMPv6 Identifier to one.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
563
SGW.SGW.R.4.2: Receipt of transaction ID constructed by using a non monotonic
counter
Purpose:
Verify that a node properly processes the transaction ID
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
564
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Packet #1
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=65535),
AP_REQ
TH1 (Host)
NUT (SGW)
responder
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
(Rekeying)
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
Packet #4
TN1 (EN)
initiator
Packet #4
Judgment #4
Judgment #4
Packet #5
ACK(XID=255),
AP_REQ
TH1 (Host)
NUT (SGW)
responder
TN1 (SGW)
initiator
TH2 (Host)
Pkt #6/Jdg #5
ICMPv6 Echo Request
Pkt #7/Jdg #6
ICMPv6 Echo Reply
565
Part A: (BASIC)
#1.
However XID is set to 65535.
XID is updated to 255.
Common Transmitted Packet #4
Observable Results:
Part A:
XID must be 65535.
Data Attributes in
566
XID must be 255.
Data Attributes in
ESP described as Common Observed Packet #6 to TN1 with updating SPI value
to 0x20000000.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
567
SGW.SGW.R.4.3: Responding to CREATE with INVALID-SPI
Purpose:
Verify that a node properly rejects CREATE message containing an existing SPI
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
568
(2-way handshake)
(3-way handshake)
TN1 (SGW)
initiator
NUT (SGW)
responder
TN1 (SGW)
initiator
NUT (SGW)
responder
Packet #1
Packet #1
E{ISAKMP1(SA(P(SPIi1, T)), Ni, IDi, IDr)}
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
NUT (SGW)
responder
TH1 (Host)
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
(Rekeying)
Packet #5
Judgment #4
Part A: (BASIC)
#1.
#1 again.
569
Observable Results:
Part A:
INVALID-SPI
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
570
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
SPI
Notification Data:
Cksum:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
INVALID-SPI (11)
0x10000000
ANY
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
571
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
SPI
Notification Data:
Cksum:
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
INVALID-SPI (11)
0x10000000
ANY
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
572
Scope:
message flows when the KINK implementation responds to these exchanges.
Overview:
KINK specification when the KINK implementation responds to DELETE message
flows.
573
SGW.SGW.R.5.1: DELETE Message Flow
Purpose:
Verify that a node properly deleates an existing SA
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
574
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Packet #1
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
TN1 (SGW)
initiator
NUT (SGW)
responder
TH1 (Host)
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
(Deleting)
DELETE(XID=1), AP_REQ,
E{ISAKMP(D(SPIi1))}
E{ISAKMP(D(SPIr1)))}
Packet #5
Judgment #4
No response
Pkt #6/Jdg #5
ICMPv6 Echo Request
Part A: (BASIC)
#1.
575
#5.
Observable Results:
Part A:
Observed Packet #5 and must not forward to TH1 because SA has already deleted
at Step 9.
Possible Problems:
them.
576
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
577
SGW.SGW.R.5.2: Responding to DELETE with INVALID-SPI
Purpose:
Verify that a node properly rejects DELETE message containing a non-existing SPI
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
578
(2-way handshake)
NUT (EN)
responder
(3-way handshake)
TN1 (EN)
initiator
NUT (EN)
responder
TN1 (EN)
initiator
Packet #1
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
TN1 (SGW)
initiator
NUT (SGW)
responder
TH1 (Host)
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
(Deleting)
E{ISAKMP(D(SPIi2))}
Packet #5
Judgment #4
Part A: (BASIC)
#1.
#5.
However SPI is set to 0x20000000.
579
Observable Results:
Part A:
The NUT must respond to DELETE with properly formatted IPsec DOI-specific
INVALID-SPI
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
580
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
SPI
Notification Data:
Cksum:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
INVALID-SPI (11)
0x20000000
ANY
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
581
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
SPI
Notification Data:
Cksum:
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
4
INVALID-SPI (11)
0x20000000
ANY
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
582
Scope:
from a peer.
responds to these exchanges.
Overview:
KINK specification when the KINK implementation responds to STATUS message
flows.
583
SGW.SGW.R.6.1: Responding to Liveness Check
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
584
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
NUT (SGW)
responder
TN1 (SGW)
initiator
Packet #1
TN1 (SGW)
initiator
Packet #1
Judgment #1
Judgment #1
AP_REP(EPOCHr1),
Packet #2
ACK(XID=0),
AP_REQ(EPOCHi1)
TH1 (Host)
NUT (SGW)
responder
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
IPsec ESP tunnel
Packet #5
STATUS(XID=1), AP_REQ
Judgment #4
Part A: (BASIC)
#1.
#6.
585
Observable Results:
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
586
SGW.SGW.R.6.2: Closing SA when the principal's epoch has changed
Purpose:
Verify that a node properly closes SA when the principal's epoch has changed
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
587
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
NUT (SGW)
responder
TN1 (SGW)
initiator
Packet #1
TN1 (SGW)
initiator
Packet #1
Judgment #1
Judgment #1
AP_REP(EPOCHr1),
Packet #2
ACK(XID=0),
AP_REQ(EPOCHi1)
TH1 (Host)
NUT (SGW)
responder
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
IPsec ESP tunnel
Packet #5
STATUS(XID=1), AP_REQ(EPOCHi2)
Judgment #4
No response
REPLY(XID=1), AP_REP(EPOCHr1)
Pkt #6/Jdg #5
ICMPv6 Echo Request
IPsec ESP tunnel
Part A: (BASIC)
#1.
588
#6.
However, EPOCH is newly generated with the current time.
Observable Results:
Part A:
Observed Packet #5 and must not forward to TH1 because SA has already been
considered as invalid at Step 8.
Possible Problems:
them.
589
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
590
SGW.SGW.R.6.3: Not closing SA by unprotected routing information
Purpose:
Verify that a node properly keeps SA by the receipt of an unprotected routing
information
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
591
(2-way handshake)
(3-way handshake)
TN1 (SGW)
initiator
NUT (SGW)
responder
TN1 (SGW)
initiator
NUT (SGW)
responder
Packet #1
Packet #1
CREATE, AP_REQ,
Judgment #1
Judgment #1
REPLY, AP_REP,
Packet #2
ACK, AP_REQ
TH1 (Host)
NUT (SGW)
responder
TR1 (Router)
TN1 (SGW)
initiator
Pkt #3/Jdg #2
Pkt #4/Jdg #3
TH2 (Host)
ICMPv6 Echo Request
ICMPv6 Echo Reply
IPsec ESP tunnel
Packet #5
Pkt #6/Jdg #4
ICMPv6 Echo Request
Pkt #7/Jdg #5
ICMPv6 Echo Reply
IPsec ESP tunnel
Part A: (BASIC)
#1.
592
Observable Results:
Part A:
Observed Packet #5 and forward to TH1. However, ICMPv6 Identifier must be set
to one.
ESP described as Common Observed Packet #6 to TN1. However, ICMPv6
Identifier must be set to one.
Possible Problems:
593
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
594
Scope:
KINK implementation responds to these exchanges.
Overview:
KINK specification when the KINK implementation chooses to use User-to-User
authentication mode.
595
SGW.SGW.R.7.1: Receipt of GETTGT Message
Purpose:
Verify that an responder responds to GETTGT message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
TN1 (SGW)
initiator
NUT (SGW)
responder
Packet #1
Judgment #1
GETTGT, TGT_REQ
REPLY, TGT_REP
596
Part A: (ADVANCED)
#7.
Observable Results:
Part A:
Possible Problems:
- None
597
SGW.SGW.R.7.2: GETTGT Message Flow
Purpose:
Verify that a responder properly establish SA in User-to-User authentication mode
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
598
NUT (SGW)
responder
TN1 (SGW)
initiator
Packet #1
TN2 (KDC)
GETTGT, TGT_REQ
Judgment #1
REPLY, TGT_REP
Kerberos (TGS-REQ)
Kerberos (TGS-REP)
CREATE, AP_REQ,
E{ISAKMP(SA(P(T)),
Ni, IDi, IDr)}
Packet #2
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
TN1 (SGW)
initiator
NUT (SGW)
responder
Judgment #2
TN1 (SGW)
initiator
Judgment #2
REPLY, AP_REP,
Packet #3
ACK, AP_REQ
TH1 (Host)
NUT (SGW)
responder
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #3
ICMPv6 Echo Request
Pkt #4/Jdg #4
ICMPv6 Echo Reply
IPsec ESP tunnel
Part A: (ADVANCED)
#7.
3. After the TN1 obtains a service ticket for NUT from TN2 internally, TN1
transmits CREATE message described as Common Transmitted Packet #1
599
responds to REPLY with ACK described as Common Transmitted Packet #2
Observable Results:
Part A:
Common Observed Packet #1, 2, 3 or 4. However, XID must be set to one.
Data
Possible Problems:
them.
described as below.
600
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
601
SGW.SGW.R.7.3: Receipt of a KINK command with a User-to-User ticket that
cannot be decrypted with its TGT
Purpose:
Verify that a node properly processes against dead user-to-user peer
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
602
TN1 (SGW)
initiator
NUT (SGW)
responder
Packet #1
Judgment #1
CREATE, AP_REQ,
REPLY, TGT_REP(TGTr)
Part A: (ADVANCED)
#1, even though NUT is configured to use User-to-User authentication.
Observable Results:
Part A:
Possible Problems:
- None
603
SGW.SGW.R.7.4: Sending KINK_U2UDENIED
Purpose:
Verify that a node properly rejects to use User-to-User authentication mode when the
responder is not allowed to return its TGT
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
TN1 (SGW)
initiator
NUT (SGW)
responder
Packet #1
Judgment #1
GETTGT, TGT_REQ
REPLY, ERROR(KINK_U2UDENIED)
604
Part A: (BASIC)
#7.
Observable Results:
Part A:
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_ERROR (8)
ACKREQ:
true (1)
RESERVED2:
0
CksumLen:
0
KINK_ ERROR Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
ErrorCode:
KINK_U2UDENIED (7)
Possible Problems:
- None
605
Scope:
expects a response.
Overview:
KINK specification when the KINK implementation responds to retransmission of
KINK messages.
606
SGW.SGW.R.8.1: Responding to retransmitted CREATE
Purpose:
Verify that a node properly responds to retransmitted CREATE message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
607
NUT (SGW)
responder
TN1 (SGW)
initiator
Packet #1
Judgment #1
or
(Retransmission)
Packet #2
Judgment #2
Part A: (BASIC)
#1.
3. TN1 newly transmits CREATE message described as Common Transmitted
Packet #1.
Observable Results:
Part A:
608
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
609
SGW.SGW.R.8.2: Retransmission of REPLY with the ACKREQ bit set
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Transform #
1
2
ESP_AES-CBC (12)
ESP_3DES (3)
AES-XCBC-MAC (9)
HMAC-SHA (2)
Both
Procedure:
610
Part A: (BASIC)
#1.
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
128
NONE (0)
0
611
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
2
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
Observable Results:
Part A:
Possible Problems:
them.
612
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
613
SGW.SGW.R.8.3: Stop the retransmission of REPLY with the ACKREQ bit set
Purpose:
Verify that a node properly stops the retransmission of REPLY message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Transform #
1
2
ESP_AES-CBC (12)
ESP_3DES (3)
AES-XCBC-MAC (9)
HMAC-SHA (2)
Both
Procedure:
614
NUT (SGW)
responder
TN1 (SGW)
initiator
Packet #1
Judgment #1
CREATE, AP_REQ,
REPLY(ACKREQ), AP_REP(AP-REP1),
(T expires)
(Retransmission)
Judgment #2
Packet #2
REPLY(ACKREQ), AP_REP(AP-REP2),
ACK, AP_REQ
(T*2 expires)
Judgment #3
No response
Part A: (BASIC)
#1.
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
AES-XCBC-MAC (9)
TV (1)
615
Attribute Type:
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Key Length (6)
128
NONE (0)
0
2
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
#2.
expires.
Observable Results:
Part A:
616
The NUT never retransmit REPLY message because message exchange had been
completed at Step 4.
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
617
SGW.SGW.R.8.4: Responding to retransmitted DELETE
Purpose:
Verify that a node properly responds to retransmitted DELETE message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
618
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
NUT (SGW)
responder
TN1 (SGW)
initiator
TN1 (SGW)
initiator
Packet #1
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
NUT (SGW)
responder
TH1 (Host)
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
(Deleting)
E{ISAKMP(D(SPIi1))}
Packet #5
Judgment #4
(Retransmission)
E{ISAKMP(D(SPIi1))}
Packet #6
Judgment #5
Part A: (BASIC)
#1.
619
#5.
10. TN1 retransmits DELETE message described as Common Transmitted
Packet #5.
Observable Results:
Part A:
Possible Problems:
them.
620
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
621
SGW.SGW.R.8.5: Responding to retransmitted STATUS
Purpose:
Verify that a node properly responds to retransmitted STATUS message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
622
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
NUT (SGW)
responder
TN1 (SGW)
initiator
Packet #1
TN1 (SGW)
initiator
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
TH1 (Host)
NUT (SGW)
responder
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
IPsec ESP tunnel
Packet #5
Judgment #4
(Retransmission)
Packet #6
Judgment #5
Part A: (BASIC)
#1.
623
#6.
10. TN1 retransmits STATUS message described as Common Transmitted Packet
#6.
Observable Results:
Part A:
Possible Problems:
them.
described as below.
624
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
625
SGW.SGW.R.8.6: Responding to retransmitted GETTGT
Purpose:
Verify that a node properly responds to retransmitted GETTGT message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Both
Procedure:
626
Part A: (ADVANCED)
#7.
3. TN1 retransmits GETTGT message described as Common Transmitted
Packet #7.
Observable Results:
Part A:
described as Common Observable Packet #10 again.
Possible Problems:
- None
627
Scope:
Overview:
628
SGW.SGW.R.9.1: Sending INVALID-PAYLOAD-TYPE against the unrecognized
ISAKMP payload
Purpose:
Verify that a node properly rejects unrecognized ISAKMP payload
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
629
Part A: (BASIC)
#1.
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
1024 MODP Group (2)
TV (1)
630
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
Unrecognized Payload
Next Payload:
RESERVED:
Payload Length:
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link Y
(Prefix Y::/64)
unrecognized (0xff)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
NONE (0)
0
4
Observable Results:
Part A:
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
631
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
1
KINK_AP_REP (2)
false (0)
0
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
632
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
false (0)
0
KINK_ENCRYPT (7)
0
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
N Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Protocol-ID:
SPI Size:
Notification Data:
Cksum:
KINK_DONE (0)
0
N (11)
1
0
0
NONE (0)
0
PROTO_IPSEC_ESP (3)
0
ANY
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
633
SGW.SGW.R.9.2: Checksum Verification
Purpose:
Verify that a node properly rejects the message containing invalid checksum
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
634
Part A: (BASIC)
#1.
However, Cksum is overwritten by the data that all bits set to one.
Observable Results:
Part A:
The NUT must not respond to CREATE message.
Possible Problems:
- None.
635
SGW.SGW.R.9.3: Sending KINK_INVMAJ
Purpose:
Verify that a node properly rejects a message containing unsupported KINK version
number in the header
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
636
Part A: (BASIC)
#1.
However, MjVer is set to 0xf.
Observable Results:
Part A:
KINK_INVMAJ
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
1
NextPayload:
KINK_ERROR (8)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_ERROR Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
ErrorCode:
KINK_INVMAJ (3)
Possible Problems:
637
them.
638
SGW.SGW.R.9.4: Sending KINK_BADQMVERS
Purpose:
Verify that a node properly rejects a message containing ISAKMP version which is
greater than the highest currently supported version
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
Part A: bad major version (BASIC)
639
#1.
However, QMMaj is set to 0xf.
Part B: bad minor version (BASIC)
#1.
However, QMMin is set to 0xf.
Observable Results:
Part A:
KINK_BADQMVERS
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
640
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
1
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
AP-REP:
Next Payload:
KINK_DONE (0)
RESERVED:
0
Payload Length:
InnerNextPload:
KINK_ERROR (8)
RESERVED2:
0
KINK_ERROR Payload
Next Payload:
KINK_ISAKMP (6)
RESERVED:
0
ErrorCode:
KINK_BADQMVERS (6)
KINK_ISAKMP Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
QMMaj:
1
QMMin:
0
RESERVED:
0
Cksum:
unencrypted KINK_BADQMVERS
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
641
DOI:
XID:
1
NextPayload:
KINK_AP_REP (2)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REP Payload
Next Payload:
KINK_ERROR (8)
RESERVED:
0
EPOCH:
AP-REP:
KINK_ERROR Payload
Next Payload:
KINK_ISAKMP (6)
RESERVED:
0
ErrorCode:
KINK_BADQMVERS (6)
KINK_ISAKMP Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
QMMaj:
1
QMMin:
0
RESERVED:
0
Cksum:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
642
SGW.SGW.R.9.5: Receipt of unnecessary data after the message
Purpose:
Verify that a node properly proccesses a message which has unnecessary data after
the message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
643
Part A: (BASIC)
#1.
However, 8 bytes extra UDP data that all bits set to zero is added after
KINK message.
Observable Results:
Part A:
Possible Problems:
them.
644
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
645
SGW.SGW.R.9.6: Receipt of CREATE with non-zero value in reserved field
Purpose:
Verify that a node properly ignores reserved field in CREATE message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
646
TN1 (SGW)
initiator
NUT (SGW)
responder
Packet #1
CREATE, AP_REQ,
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
TN1 (SGW)
initiator
NUT (SGW)
responder
Judgment #1
TN1 (SGW)
initiator
Judgment #1
REPLY, AP_REP,
Part A: (BASIC)
#1.
KINK
RESRVED:
0xf
RESERVED2:
0x7f
KINK_AP_REQ Payload
RESERVED:
0xff
RESERVED:
0xff
RESERVED2:
0xffffff
KINK_ISAKMP Payload
RESERVED: 0xff
RESERVED: 0xffff
Observable Results:
Part A:
647
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
648
SGW.SGW.R.9.7: Receipt of ACK with non-zero value in reserved field
Purpose:
Verify that a node properly ignores reserved field in ACK message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
below.
Transform #
1
2
ESP_AES-CBC (12)
ESP_3DES (3)
AES-XCBC-MAC (9)
HMAC-SHA (2)
Both
Procedure:
649
TN1 (SGW)
initiator
NUT (SGW)
responder
Packet #1
Judgment #1
Packet #2
CREATE, AP_REQ,
ACK, AP_REQ
IPsec ESP tunnel
TH1 (Host)
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
Part A: (BASIC)
#1.
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
2
ANY
T (3)
0
1
ESP_AES-CBC (12)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
AES-XCBC-MAC (9)
TV (1)
Key Length (6)
650
Attribute Value:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
128
NONE (0)
0
2
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
#2.
KINK
RESRVED:
0xf
RESERVED2:
0x7f
KINK_AP_REQ Payload
RESERVED:
0xff
Observable Results:
Part A:
651
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
652
SGW.SGW.R.9.8: Receipt of GETTGT with non-zero value in reserved field
Purpose:
Verify that a node properly ignores reserved field in GETTGT message
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
653
Part A: (BASIC)
#7.
KINK
RESRVED:
0xf
RESERVED2:
0x7f
RESERVED:
0xff
Observable Results:
Part A:
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
NextPayload:
KINK_ERROR (8)
ACKREQ:
true (1)
RESERVED2:
0
CksumLen:
0
KINK_ ERROR Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
ErrorCode:
KINK_U2UDENIED (7)
Possible Problems:
654
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
655
SGW.SGW.R.9.9: Receipt of unencrypted CREATE
Purpose:
Verify that a node properly processes CREATE message which doesn't encrypted by
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
656
NUT (SGW)
responder
TN1 (SGW)
initiator
Packet #1
CREATE, AP_REQ, ISAKMP(SA(P(T)), Ni, IDi, IDr)
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
TN1 (SGW)
initiator
NUT (SGW)
responder
Judgment #1
TN1 (SGW)
initiator
Judgment #1
REPLY, AP_REP,
Part A: (BASIC)
#1.
following.
KINK
KINK_AP_REQ Payload
KINK_ISAKMP Payload
SA Payload
P Payload
T Payload
Data Attribute
Data Attribute
Data Attribute
Data Attribute
Ni Payload
IDi Payload
IDr Payload
Observable Results:
Part A:
657
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
658
SGW.SGW.R.9.10: Receipt of unencrypted DELETE
Purpose:
Verify that a node properly processes DELETE message which doesn't encrypted by
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
659
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
NUT (SGW)
responder
TN1 (SGW)
initiator
TN1 (SGW)
initiator
Packet #1
Packet #1
Judgment #1
Judgment #1
Packet #2
ACK(XID=0), AP_REQ
NUT (SGW)
responder
TH1 (Host)
TN1 (SGW)
initiator
TH2 (Host)
Pkt #3/Jdg #2
ICMPv6 Echo Request
Pkt #4/Jdg #3
ICMPv6 Echo Reply
(Deleting)
ISAKMP(D(SPIi1))
Packet #5
Judgment #4
No response
Pkt #6/Jdg #5
ICMPv6 Echo Request
Part A: (BASIC)
#1.
660
#5.
following.
KINK
KINK_AP_REQ Payload
KINK_ISAKMP Payload
D Payload
Observable Results:
Part A:
Observed Packet #5 and must not forward to TH1 because SA has already deleted
at Step 9.
Possible Problems:
661
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
662
SGW.SGW.R.9.11: Sending KRB_AP_ERR_SKEW
Purpose:
Verify that a node properly rejects a message when the responder clock and the
initiator clock are off by more than the policy-determinde clock skew limit.
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
663
Part A: (BASIC)
#1.
Observable Results:
Part A:
to indicate Kerberos error.
KRB_AP_ERR_SKEW
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
664
EPOCH:
AP-REP:
Next Payload:
KINK_DONE (0)
RESERVED:
0
Payload Length:
InnerNextPload:
KINK_KRB_ERROR (3)
RESERVED2:
0
Next Payload:
KINK_DONE (0)
RESERVED:
0
KRB-ERROR:
Cksum:
unencrypted KRB_AP_ERR_SKEW
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
REPLY (3)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
0
NextPayload:
KINK_AP_REP (2)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REP Payload
Next Payload:
KINK_KRB_ERROR (3)
RESERVED:
0
EPOCH:
AP-REP:
Next Payload:
KINK_DONE (0)
RESERVED:
0
KRB-ERROR:
Cksum:
Possible Problems:
665
- None.
666
Section 2.2: SGW to EN Tunnel
Scope:
The following tests cover the endpoint to security gateway tunnel mode scenario.
In
this endpoint to security gateway tunnel mode scenario, a protected endpoint connects
back to its network through an IPsec-protected tunnel.
Overview:
protect the communication between an endpoint behind the KINK implementation and
an another endpoint.
The logical network topology involves EN, SGW, KDC, Host and Router on each link.
The shaded region labelled as <TN> in Fig 7 is done inside TN node logically.
The
tunnel mode is used in this network topology as shown as Fig 8.
667
Fig 7 SGW to EN Common Network Topology for NUT (SGW)
tunnel mode
NUT (SGW)
Link B
TN1 (EN)
Fig 8 SGW to EN Tunnel Scenario for NUT (SGW)
Default NUT (SGW) Configuration:
- IP configuration:
Address
Default router
NUT - Link A
NUT - Link B
(Prefix B::<any_interface_ID>)
TR1 - Link A
(fe80::f)
KDC
Principal Name
Pre-shared Key
Encryption Type
Checksum Type
KDC - Link X
(Prefix X::e)
disable
668
Address
Port
Principal Name
PFS
IDi
IDr
ID Type
Protocol ID
Port
Identification
Data
Local
NUT - Link A
910
@EXAMPLE.COM"
disable
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
Remote
TN1 - Link X
(Prefix X::1)
910
@EXAMPLE.COM"
disable
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
IPsec ESP Transform
SA Life Type (1)
Inbound
Outbound
ESP_3DES (3)
ESP_3DES (3)
Seconds (1)
Seconds (1)
28,800
28,800
Tunnel (1)
Tunnel (1)
HMAC-SHA (2)
HMAC-SHA (2)
669
Scope:
The following tests
Overview:
Default Packets:
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
false (0)
KINK_ENCRYPT (7)
0
670
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
NONE (0)
671
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
Cksum:
payload).
IPv6
Next Header:
Source Address:
ESP (50)
TN1 - Link X
(Prefix X::1)
NUT - Link A
ESP
SPI:
Sequence Number:
IV:
1
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TN1 - Link X
(Prefix X::1)
TH1 - Link B
(Prefix B::d)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Request (128)
0
ICMPv6 checksum
0
0
ANY
IPv6 (41)
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TH1 - Link B
(Prefix B::d)
672
TN1 - Link X
(Prefix X::1)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Echo Reply (129)
0
ICMPv6 checksum
0
0
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
kink (910)
kink (910)
CREATE (1)
1
0
ANY
KINK_AP_REQ (1)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
673
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
Cksum:
674
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
kink (910)
kink (910)
CREATE (1)
1
0
ANY
KINK_AP_REQ (1)
false (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
675
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
NONE (0)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
Cksum:
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TN1 - Link X
(Prefix X::1)
TH1 - Link B
(Prefix B::d)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Echo Request (128)
0
ICMPv6 checksum
0
0
IPv6
Next Header:
Source Address:
ESP (50)
NUT - Link A
TN1 - Link X
(Prefix X::1)
ESP
676
SPI:
Sequence Number:
IV:
IPv6
Next Header:
Source Address:
0x10000000
ANY
ANY
IPv6-ICMP (58)
TH1 - Link B
(Prefix B::d)
TN1 - Link X
(Prefix X::1)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Reply (129)
0
ICMPv6 checksum
0
0
ANY
IPv6 (41)
677
Scope:
The following tests
exchanges.
Overview:
678
SGW.EN.I.1.1: CREATE Message Flow (2-way handshake)
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
679
Part A: (ADVANCED)
Packet #1.
Observable Results:
Part A:
680
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
681
Scope:
The following tests
Overview:
Default Packets:
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REQ Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REQ:
kink (910)
kink (910)
CREATE (1)
1
0
0
KINK_AP_REQ (1)
false (0)
0
KINK_ENCRYPT (7)
0
682
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Ni Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Ni (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
0x10000000
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
IDr Payload
683
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
Cksum:
payload).
IPv6
Next Header:
Source Address:
UDP (17)
TN1 - Link X
(Prefix X::1)
NUT - Link A
UDP
Source Port:
kink (910)
Destination Port:
kink (910)
KINK
Type:
ACK (5)
MjVer:
1
RESRVED:
0
Length:
DOI:
XID:
0
NextPayload:
KINK_AP_REQ (1)
ACKREQ:
false (0)
RESERVED2:
0
CksumLen:
KINK_AP_REQ Payload
Next Payload:
KINK_DONE (0)
RESERVED:
0
EPOCH:
AP-REQ:
Cksum:
IPv6
Next Header:
Source Address:
ESP
SPI:
Sequence Number:
ESP (50)
TN1 - Link X
(Prefix X::1)
NUT - Link A
1
684
IV:
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TN1 - Link X
(Prefix X::1)
TH1 - Link B
(Prefix B::d)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
ICV:
Echo Request (128)
0
ICMPv6 checksum
0
0
ANY
IPv6 (41)
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TH1 - Link B
(Prefix B::d)
TN1 - Link X
(Prefix X::1)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Echo Reply (129)
0
ICMPv6 checksum
0
0
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
685
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
686
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
false (0)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
Cksum:
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
false (0)
0
KINK_ISAKMP (6)
0
687
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
Cksum:
KINK_DONE (0)
0
SA (1)
1
0
0
IDi (5)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
688
IPv6
Next Header:
Source Address:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
RESERVED2:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
kink (910)
kink (910)
REPLY (3)
1
0
0
KINK_AP_REP (2)
true (1)
0
KINK_ENCRYPT (7)
0
KINK_DONE (0)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
689
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
ANY (0)
TN1 - Link X
(Prefix X::1)
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
Cksum:
IPv6
Next Header:
Source Address:
UDP
Source Port:
Destination Port:
KINK
Type:
MjVer:
RESRVED:
Length:
DOI:
XID:
UDP (17)
NUT - Link A
TN1 - Link X
(Prefix X::1)
kink (910)
kink (910)
REPLY (3)
1
0
0
690
NextPayload:
ACKREQ:
RESERVED2:
CksumLen:
KINK_AP_REP Payload
Next Payload:
RESERVED:
Payload Length:
EPOCH:
AP-REP:
KINK_ISAKMP Payload
Next Payload:
RESERVED:
Payload Length:
InnerNextPload:
QMMaj:
QMMin:
RESERVED:
SA Payload
Next Payload:
RESERVED:
Payload Length:
DOI:
Situation:
P Payload
Next Payload:
RESERVED:
Payload Length:
Proposal #:
Protocol-Id:
SPI Size:
# of Transforms:
SPI:
T Payload
Next Payload:
RESERVED:
Payload Length:
Transform #:
Transform-Id:
RESERVED2:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Data Attribute
Attribute Format:
Attribute Type:
Attribute Value:
Nr Payload
Next Payload:
RESERVED:
Payload Length:
Nonce Data:
IDi Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
KINK_AP_REP (2)
true (1)
0
KINK_ISAKMP (6)
0
KINK_DONE (0)
0
SA (1)
1
0
0
Nr (10)
0
NONE (0)
0
1
PROTO_IPSEC_ESP (3)
4
1
ANY
NONE (0)
0
1
ESP_3DES (3)
0
TV (1)
SA Life Type (1)
Seconds (1)
TV (1)
28,800
TV (1)
Tunnel (1)
TV (1)
HMAC-SHA (2)
IDi (5)
0
ANY
IDr (5)
0
ID_IPV6_ADDR (5)
IPv6-ICMP (58)
691
Port:
ANY (0)
TN1 - Link X
(Prefix X::1)
IDr Payload
Next Payload:
RESERVED:
Payload Length:
ID Type:
Protocol ID:
Port:
NONE (0)
0
IPv6-ICMP (58)
ANY (0)
Link B
(Prefix B::/64)
Cksum:
IPv6
Next Header:
Source Address:
IPv6-ICMP (58)
TN1 - Link X
(Prefix X::1)
TH1 - Link B
(Prefix B::d)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Echo Request (128)
0
ICMPv6 checksum
0
0
IPv6
Next Header:
Source Address:
ESP (50)
NUT - Link A
TN1 - Link X
(Prefix X::1)
ESP
SPI:
Sequence Number:
IV:
IPv6
Next Header:
Source Address:
0x10000000
ANY
ANY
IPv6-ICMP (58)
TH1 - Link B
(Prefix B::d)
TN1 - Link X
(Prefix X::1)
ICMPv6
Type:
Code:
Checksum:
Identifier:
Sequence Number:
Data:
Padding:
Pad Length:
Next Header:
Echo Reply (129)
0
ICMPv6 checksum
0
0
ANY
IPv6 (41)
692
ICV:
693
Scope:
The following tests
exchanges.
Overview:
flows.
694
SGW.EN.R.1.1: CREATE Message Flow
Purpose:
References:
- Packet generator
- KDC
Test Setup:
- Network Topology
- Configuration
Configuration.
Both
Procedure:
695
NUT (SGW)
responder
TN1 (EN)
initiator
CREATE, AP_REQ,
Packet #1
(2-way handshake)
NUT (SGW)
responder
(3-way handshake)
NUT (SGW)
responder
TN1 (EN)
initiator
Judgment #1
TN1 (EN)
initiator
Judgment #1
REPLY, AP_REP,
Packet #2
ACK, AP_REQ
TH1 (Host)
NUT (SGW)
responder
TN1 (EN)
initiator
ICMPv6 Echo Request
Pkt #3/Jdg #2
Pkt #4/Jdg #3
ICMPv6 Echo Reply
IPsec ESP tunnel
Part A: (ADVANCED)
#1.
696
Observable Results:
Part A:
Possible Problems:
them.
described as below.
Data Attribute
Attribute Format:
Attribute Type:
Attribute Length:
Attribute Value:
TLV (0)
ANY
28,800
697
********************************************************************************
All Rights Reserved. Copyright (C) 2010
Yokogawa Electric Corporation
No part of this documentation may be reproduced for any purpose without prior permission.
698

KINK Conformance Test Specification Revision 1.0.0

Transcription

Similar documents