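#!/usr/bin/perl
#
# $Copyright$
#
# $Id: HTR_C_Out_SPD_discard_none.seq,v 1.1.1.1 2000/10/31 22:38:51 sekiya Exp $
#
######################################################################
#
# Host Common Outbound, select SPD entry (policy=discard / policy=none).
#
# The NUT is given two outbound SPD entries on NET3: one towards
# HOST1_NET5 with policy=discard and one towards HOST2_NET5 with
# policy=none.  Subtest 1 expects NO echo reply over the discard entry;
# subtest 2 expects a plain echo reply over the none entry.  The overall
# verdict is FAIL as soon as any subtest fails.
#
# $subtest_no, @subtest_title, @subtest_results and $test_results are
# deliberately left as package globals: the file runs without strict
# because of the V6evalTool bareword conventions (Link0, host), and the
# IPSEC exit helpers may read these names.

BEGIN {
    unshift(@INC, '../ipsec/');
    $V6evalTool::TestVersion = '$Name: $ ';
}

use V6evalTool;
use IPSEC;

%pktdesc = (
    ### TBD
);

$IF = Link0;

#----- check NUT type
ipsecCheckNUT(host);

#----- set SAD,SPD
vLogHTML("*** Target initialization phase ***\n");
ipsecClearAll();

## HOST1 vs NUT: SA plus an outbound policy=discard entry.
ipsecSetSAD(
    "src=$IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_HOST1_NET5_ADDR}",
    "spi=0x1000",
    "mode=transport",
    "protocol=ah",
    "aalgo=hmac-md5",
    "aalgokey=0123456789ABCDEF",
);
ipsecSetSPD(
    "src=$IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_HOST1_NET5_ADDR}",
    "upperspec=any",
    "direction=out",
    "policy=discard",
);

## HOST2 vs NUT: SA plus an outbound policy=none entry.
# NOTE(review): the POD INITIALIZATION section below lists SPI 0x1000 and
# HMAC-SHA1 for this SA, but the values installed here are spi=0x2000 and
# hmac-md5; the code is what the NUT actually receives.
ipsecSetSAD(
    "src=$IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_HOST2_NET5_ADDR}",
    "spi=0x2000",
    "mode=transport",
    "protocol=ah",
    "aalgo=hmac-md5",
    "aalgokey=foo0foo1foo2foo3",
);
ipsecSetSPD(
    "src=$IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_HOST2_NET5_ADDR}",
    "upperspec=any",
    "direction=out",
    "policy=none",
);

#======================================================================
vLogHTML("*** Target testing phase ***\n");
vCapture($IF);

# Log the header line of subtest $no with its title.
sub _begin_subtest {
    my ($no) = @_;
    vLogHTML("Subtest No.$no: $subtest_title[$no]\n");
    return;
}

# Log the verdict line of subtest $no and keep it for the results table.
sub _end_subtest {
    my ($no, $verdict) = @_;
    vLogHTML("Subtest No.$no $verdict\n\n");
    $subtest_results[$no] = $verdict;
    return;
}

#### subtest No.1
# policy=discard: ipsecPing2NUT must report NO_REPLY for the echo request
# from HOST1; any other status means the NUT answered through a discard
# policy.
$subtest_no = 1;
$subtest_title[$subtest_no] = "Disard the packet if policy=discard";
_begin_subtest($subtest_no);

my $verdict;
{
    my ($stat, %reply) = ipsecPing2NUT($IF, 'echo_request_from_host1', 'echo_reply_to_host1');
    if ($stat ne 'NO_REPLY') {
        vLogHTML("TN received something reply packet from NUT to HOST1.\n");
        $verdict = 'FAIL';
    }
    else {
        # This subtest exercises the HOST1 entry; the log line used to
        # name HOST2, which mislabelled the PASS evidence.
        vLogHTML("TN received no echo reply from NUT to HOST1.\n");
        vLogHTML("Ping over 1st SPD entry (policy=discard) is available.\n");
        $verdict = 'PASS';
    }
}
_end_subtest($subtest_no, $verdict);

#### subtest No.2
# policy=none: the NUT must answer the echo request from HOST2 without
# any IPsec processing, so ipsecPing2NUT must report GOT_REPLY.
$subtest_no = 2;
$subtest_title[$subtest_no] = "Pass the packet without IPsec process if policy=none";
_begin_subtest($subtest_no);

{
    my ($stat, %reply) = ipsecPing2NUT($IF, 'echo_request_from_host2', 'echo_reply_to_host2');
    if ($stat ne 'GOT_REPLY') {
        vLogHTML("TN received no echo reply from NUT to HOST2.\n");
        $verdict = 'FAIL';
    }
    else {
        vLogHTML("TN received echo reply from NUT to HOST2.\n");
        vLogHTML("Ping over 2nd SPD entry (policy=none) is available.\n");
        $verdict = 'PASS';
    }
}
_end_subtest($subtest_no, $verdict);

### results table
# Start from PASS instead of undef so the final comparison never runs on
# an uninitialized value; any single FAIL flips the overall verdict.
$test_results = 'PASS';
vLogHTML("Subtest Results\n");
for my $i (1 .. $#subtest_title) {
    vLogHTML("|$i| $subtest_title[$i] | $subtest_results[$i] |\n");
    $test_results = 'FAIL' if $subtest_results[$i] eq 'FAIL';
}

if ($test_results eq 'FAIL') {
    ipsecExitFail();
}
else {
    ipsecExitPass();
}

######################################################################
__END__

=head1 NAME

HTR_C_Out_SPD_discard_none - Host Common Outbound, Select SPD entry (policy=discard,none)

=head1 TARGET

Host

=head1 SYNOPSIS

=begin html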
  HTR_C_Out_SPD_discard_none.seq [-tooloption ...] -pkt HTR_A_SPD_discard_none.def
    -tooloption : v6eval tool option
  See also HTR_common.def
=end html

=head1 INITIALIZATION

=begin html

For details of Network Topology, see 00README

Set NUT's SAD and SPD as following:

              NET5      NET3
    HOST1_NET5 -+ Router -- NUT
        <---policy=discard--
                |
    HOST2_NET5 -+
        <---policy=none-----

Security Association Database (SAD)

source address NUT_NET3
destination address HOST1_NET5
SPI 0x1000
mode transport
protocol AH
AH algorithm HMAC-MD5
AH algorithm key 0123456789ABCDEF

Security Policy Database (SPD) for policy=discard

source address NUT_NET3
destination address HOST1_NET5
upper spec any
direction out
policy discard

Security Association Database (SAD)

source address NUT_NET3
destination address HOST2_NET5
SPI 0x1000
mode transport
protocol AH
AH algorithm HMAC-SHA1
AH algorithm key foo0foo1foo2foo3

Security Policy Database (SPD) for policy=none

source address NUT_NET3
destination address HOST2_NET5
upper spec any
direction out
policy none
=end html

=head1 TEST PROCEDURE

=begin html
 Tester                      Target
   |                           |
 Subtest No.1 "Disard the packet if policy=discard"
   |-------------------------->|
   |      ICMP Echo Request    |
   |      for policy=discard   |
   |                           |
   |(<------------------------)|
   |          No Reply         |
   |        Judgement #1       |
   |                           |
 Subtest No.2 "Pass the packet without IPsec process if policy=none"
   |                           |
   |-------------------------->|
   |      ICMP Echo Request    |
   |      for policy=none      |
   |                           |
   |<--------------------------|
   |      ICMP Echo Reply      |
   |        Judgement #2       |
   |                           |
   v                           v

ICMP Echo Request for policy=discard

IP Header Source Address HOST1_NET5
Destination Address NUT_NET3
ICMP Type 128 (Echo Request)

ICMP Echo Request for policy=none

IP Header Source Address HOST2_NET5
Destination Address NUT_NET3
ICMP Type 128 (Echo Request)

ICMP Echo Reply

IP Header Source Address NUT_NET3
Destination Address HOST2_NET5
ICMP Type 129 (Echo Reply)
=end html

=head1 JUDGEMENT

Judgement #1: No Reply

Judgement #2: ICMP Echo Reply received

=head1 SEE ALSO

perldoc V6evalTool

=begin html
  IPSEC.html IPsec Test Common Utility
=end html

=cut