#!/usr/bin/perl
#
# Copyright (C) 1999,2000 Yokogawa Electric Corporation and
# YDC Corporation.
# All rights reserved.
#
# Redistribution and use of this software in source and binary
# forms, with or without modification, are permitted provided that
# the following conditions and disclaimer are agreed and accepted
# by the user:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with
# the distribution.
#
# 3. Neither the names of the copyrighters, the name of the project
# which is related to this software (hereinafter referred to as
# "project") nor the names of the contributors may be used to
# endorse or promote products derived from this software without
# specific prior written permission.
#
# 4. No merchantable use may be permitted without prior written
# notification to the copyrighters.
#
# 5. The copyrighters, the project and the contributors may prohibit
# the use of this software at any time.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHTERS, THE PROJECT AND
# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING
# BUT NOT LIMITED THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHTERS, THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
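#
# $Id: HTR_A_In_DM_DSTH_optlen.seq,v 1.1.1.1 2000/10/31 22:39:36 sekiya Exp $
#
######################################################################
#
# HTR_A_In_DM_DSTH_optlen - Host Transport Mode AH Inbound, detect
# modification of the Destination Options header (DSTH) option length
# placed before AH.
#
# HOST1 sends ICMP Echo Requests carrying [DSTH][AH] to the NUT.  The
# untouched request must be answered; a copy whose DSTH option length
# was altered must be silently discarded (no Echo Reply), because the
# option length is an immutable field covered by the AH integrity check.
# Each subtest yields 'PASS' or 'FAIL'; the script ends by calling
# ipsecExitPass() or ipsecExitFail().
#
######################################################################

use strict;
use warnings;

BEGIN {
    # The shared test utilities live one directory up; they must be on
    # @INC before the 'use' lines below are compiled.
    unshift(@INC, '../ipsec/');
    $V6evalTool::TestVersion = '$Name: $ ';
}

use V6evalTool;
use IPSEC;

# Packet descriptions; left empty by the original author.
our %pktdesc = (
    ### TBD
);

# Interface used for every capture and packet exchange.
our $IF = 'Link0';

#----- check NUT type
ipsecCheckNUT('host');

#----- set SAD,SPD
vLogHTML("*** Target initialization phase ***\n");
ipsecClearAll();

## HOST1 vs NUT
# Inbound transport-mode AH SA.  The key is a test fixture and must match
# the one used to build the packets in the -pkt definition file.
ipsecSetSAD(
    "src=$IPSEC::IPsecAddr{IPSEC_HOST1_NET5_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR}",
    "spi=0x1000",
    "mode=transport",
    "protocol=ah",
    "aalgo=hmac-md5",
    "aalgokey=0123456789ABCDEF",
);
ipsecSetSPD(
    "src=$IPSEC::IPsecAddr{IPSEC_HOST1_NET5_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR}",
    "upperspec=any",
    "direction=in",
    "protocol=ah",
    "mode=transport",
);

#======================================================================
vLogHTML("*** Target testing phase ***\n");
vCapture($IF);

# Overall verdict, flipped to 'FAIL' by the results loop when any
# subtest failed.  (The original assigned $test_result here but tested
# $test_results below; a single variable is used throughout now.)
my $test_result = 'PASS';
my @subtest_title;      # indexed by subtest number, starting at 1
my @subtest_results;    # 'PASS' / 'FAIL' per subtest number
my $subtest_no;
my $ret;

#### subtest No.1
$subtest_no = 1;
$subtest_title[$subtest_no] = "option bit 000: option len is immutable";
vLogHTML("Subtest No.$subtest_no: $subtest_title[$subtest_no]\n");

# First confirm the unmodified [DSTH][AH] request is answered at all;
# only then does "no reply" to the modified request prove anything.
$ret = ping_host1_to_nut_normal('echo_request_from_host1_dstopt_ah');
if ($ret eq 'PASS') {
    $ret = ping_host1_to_nut_ignored('echo_request_from_host1_ah_dm_dsth_000optlen');
}
vLogHTML("Subtest No.$subtest_no $ret\n\n");
$subtest_results[$subtest_no] = $ret;

#### subtest No.2
$subtest_no = 2;
$subtest_title[$subtest_no] = "option bit 001: option len is immutable";
vLogHTML("Subtest No.$subtest_no: $subtest_title[$subtest_no]\n");

$ret = ping_host1_to_nut_ignored('echo_request_from_host1_ah_dm_dsth_001optlen');
vLogHTML("Subtest No.$subtest_no $ret\n\n");
$subtest_results[$subtest_no] = $ret;

### results table
vLogHTML("Subtest Results\n");
for my $i (1 .. $#subtest_title) {
    vLogHTML("|$i| $subtest_title[$i] | $subtest_results[$i] |\n");
    $test_result = 'FAIL' if $subtest_results[$i] eq 'FAIL';
}

if ($test_result eq 'FAIL') {
    ipsecExitFail();
}
else {
    ipsecExitPass();
}

#----------------------------------------------------------------------
# ping_host1_to_nut_normal([$echo_request])
#
# Send $echo_request (default 'echo_request_from_host1_ah') from HOST1
# and expect 'echo_reply_to_host1' back from the NUT.
# Returns 'PASS' when ipsecPing2NUT reports GOT_REPLY, 'FAIL' otherwise.
sub ping_host1_to_nut_normal {
    my ($echo_request) = @_;
    $echo_request = 'echo_request_from_host1_ah' unless defined $echo_request;

    my ($stat) = ipsecPing2NUT($IF, $echo_request, 'echo_reply_to_host1');
    if ($stat ne 'GOT_REPLY') {
        vLogHTML("TN received no echo reply from NUT to HOST1.\n");
        return 'FAIL';
    }
    vLogHTML("TN received echo reply from NUT to HOST1.\n");
    return 'PASS';
}

# ping_host1_to_nut_ignored($echo_request)
#
# Send a deliberately modified $echo_request from HOST1 and expect the
# NUT to discard it.  Any reply at all is a failure: it would mean the
# AH integrity check did not reject the altered field.
# Returns 'PASS' when ipsecPing2NUT reports NO_REPLY, 'FAIL' otherwise.
sub ping_host1_to_nut_ignored {
    my ($echo_request) = @_;

    my ($stat) = ipsecPing2NUT($IF, $echo_request, 'echo_reply_to_host1');
    if ($stat ne 'NO_REPLY') {
        vLogHTML("TN received something reply packet from NUT to HOST1.\n");
        vLogHTML("TN did not ignore the modified echo request packet.\n");
        return 'FAIL';
    }
    vLogHTML("TN received no echo reply from NUT to HOST1.\n");
    vLogHTML("TN ignored the modified echo request packet.\n");
    return 'PASS';
}

######################################################################
__END__

=head1 NAME

HTR_A_In_DM_DSTH_optlen - Host Transport Mode AH Inbound, Detect modification of DstOpt header option len before AH

=head1 TARGET

Host

=head1 SYNOPSIS

=begin html
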
  HTR_A_In_DM_DSTH_optlen.seq [-tooloption ...] -pkt HTR_A_DM_DSTH_optlen.def
    -tooloption : v6eval tool option
  See also HTR_A_common.def and HTR_common.def
=end html

=head1 INITIALIZATION

=begin html

For details of Network Topology, see 00README

Set NUT's SAD and SPD as following:

              NET5      NET3
    HOST1_NET5 -- Router -- NUT
         -----transport----->

Security Association Database (SAD)

source address HOST1_NET5
destination address NUT_NET3
SPI 0x1000
mode transport
protocol AH
AH algorithm HMAC-MD5
AH algorithm key 0123456789ABCDEF

Security Policy Database (SPD)

source address HOST1_NET5
destination address NUT_NET3
upper spec any
direction in
protocol AH
mode transport
=end html

=head1 TEST PROCEDURE

=begin html
 Tester                      Target
   |                           |
 Subtest No.1 "option bit 000: option len is immutable"
   |                           |
   |-------------------------->|
   |      ICMP Echo Request    |
   |      with [DSTH][AH]      |
   |                           |
   |<--------------------------|
   |      ICMP Echo Reply      |
   |        Judgement #1       |
   |                           |
   |-------------------------->|
   |      ICMP Echo Request    |
   |      with [DSTH][AH]      |
   |  (option len of DSTH is modified 0x04->0x02)
   |                           |
   | (<----------------------) |
   |     No ICMP Echo Reply    |
   |        Judgement #2       |
   v                           v
 Subtest No.2 "option bit 001: option len is immutable"
   |                           |
   |-------------------------->|
   |      ICMP Echo Request    |
   |      with [DSTH][AH]      |
   |  (option len of DSTH is modified 0x04->0x02)
   |                           |
   | (<----------------------) |
   |     No ICMP Echo Reply    |
   |        Judgement #3       |
   |                           |
   v                           v

ICMP Echo Request with [DSTH][AH]

IP Header Source Address HOST1_NET5
Destination Address NUT_NET3
Destination Options Header Type 0x02
Data Length 4
Data 0x0f0f0000
AH SPI 0x1000
Sequence Number 1
Algorithm HMAC-MD5
Key 0123456789ABCDEF
ICMP Type 128 (Echo Request)

ICMP Echo Reply

IP Header Source Address NUT_NET3
Destination Address HOST1_NET5
ICMP Type 129 (Echo Reply)

ICMP Echo Request with [DSTH][AH] (option len of DSTH is modified 0x04->0x02)

IP Header Source Address HOST1_NET5
Destination Address NUT_NET3
Destination Options Header Type 0x02
Data Length 2 (4 is original)
Data 0x0f0f
Type Pad1
Type Pad1
AH SPI 0x1000
Sequence Number 1
Algorithm HMAC-MD5
Key 0123456789ABCDEF
ICMP Type 128 (Echo Request)

ICMP Echo Request with [DSTH][AH] (option type of DSTH is modified 0x04->0x02)

IP Header Source Address HOST1_NET5
Destination Address NUT_NET3
Destination Options Header Type 0x22
Data Length 2 (4 is original)
Data 0x0f0f
Type Pad1
Type Pad1
AH SPI 0x1000
Sequence Number 1
Algorithm HMAC-MD5
Key 0123456789ABCDEF
ICMP Type 128 (Echo Request)
=end html

=head1 JUDGEMENT

Judgement #1: Receive ICMP Echo Reply (MUST)

Judgement #2: Receive nothing (MUST)

Judgement #3: Receive nothing (MUST)

=head1 SEE ALSO

perldoc V6evalTool

=begin html
  IPSEC.html IPsec Test Common Utility
=cut