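#!/usr/bin/perl
#
# $Copyright$
#
# $Id: RTU_A_In_DM_DSTH_opttype.seq,v 1.1.1.1 2000/10/31 22:38:51 sekiya Exp $
#
######################################################################
#
# Router Tunnel Mode AH Inbound: detect modification of the option type
# of a Destination Options header (DSTH) that precedes AH.
#
# The option type of the DSTH option used here is immutable in transit,
# so it is covered by the AH ICV.  Each subtest sends a tunnelled
# [DSTH][AH] ICMP Echo Request whose option type has been altered after
# the ICV was computed; the NUT must fail the integrity check and must
# NOT forward a decapsulated Echo Request to Link1.  A judgement is
# "receive nothing" on Link1, so the unmodified packet is sent first to
# prove the tunnel works at all (otherwise a dead tunnel would "pass").
# The full procedure and packet layouts are in the POD after __END__.

use strict;
use warnings;

BEGIN {
    unshift(@INC, '../ipsec/');
    $V6evalTool::TestVersion = '$Name: $ ';
}

use V6evalTool;
use IPSEC;

# Packet descriptions come from the -pkt .def file (see SYNOPSIS);
# nothing is defined inline.
our %pktdesc = (
    ### TBD
);

my $IF0 = 'Link0';    # tunnel side: SG1 -> Router -> NUT
my $IF1 = 'Link1';    # cleartext side: NUT -> HOST1_NET1

#----- check NUT type
ipsecCheckNUT('router');

#----- set SAD,SPD
vLogHTML("*** Target initialization phase ***\n");
ipsecClearAll();

## SG1 vs NUT
# Only the inbound tunnel-mode AH SA is installed.  No SPD entry is set
# on purpose: the packet must be rejected by the AH integrity check
# itself, not by a policy lookup.
ipsecSetSAD(
    "src=$IPSEC::IPsecAddr{IPSEC_SG1_NET2_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_NUT_NET0_ADDR}",
    "spi=0x1000",
    "mode=tunnel",
    "direction=in",
    "protocol=ah",
    "aalgo=hmac-md5",
    "aalgokey=0123456789ABCDEF",
    "nsrc=$IPSEC::IPsecAddr{IPSEC_NET4_ADDR}",
    "ndst=$IPSEC::IPsecAddr{IPSEC_NET1_ADDR}",
);

# No SPD entry
#
#ipsecSetSPD(
#    "src=$IPSEC::IPsecAddr{IPSEC_NET4_ADDR}",
#    "dst=$IPSEC::IPsecAddr{IPSEC_NET1_ADDR}",
#    "upperspec=any",
#    "direction=in",
#    "protocol=ah",
#    "mode=tunnel",
#    "tsrc=$IPSEC::IPsecAddr{IPSEC_SG1_NET2_ADDR}",
#    "tdst=$IPSEC::IPsecAddr{IPSEC_NUT_NET0_ADDR}",
#);

ipsecEnable();

#======================================================================
vLogHTML("*** Target testing phase ***\n");

vCapture($IF0);
vCapture($IF1);

# Overall verdict; any failed subtest turns it to 'FAIL' in the results
# loop at the end (the original checked a differently spelled variable
# that was never initialised).
my $test_result = 'PASS';
my @subtest_title;
my @subtest_results;

# Cleartext packet expected on Link1 when the NUT accepts and
# decapsulates the tunnelled Echo Request.
my $expect_on_net1 = 'echo_request_from_host1_net4_to_host1_net1_on_net1';

#     NET1       NET0     NET2    NET4
# HOST1_NET1 <- NUT <- Router <- SG1 <- HOST1_NET4
#                <====tunnel=====

# Send $tunnel_pkt on Link0 and return ipsecForwardDecap's status for the
# decapsulated Echo Request on Link1 ('GOT_PACKET', 'NO_PACKET', ...).
sub _forward_status {
    my ($tunnel_pkt) = @_;
    my ($stat, %ret) = ipsecForwardDecap($IF0, $IF1, $tunnel_pkt, $expect_on_net1);
    return $stat;
}

# Send a tampered $tunnel_pkt and judge: 'PASS' when the NUT forwards
# nothing to Link1 (integrity check failed as required), 'FAIL' when any
# packet reaches Link1.  Logs the outcome the same way for every subtest.
sub _expect_dropped {
    my ($tunnel_pkt) = @_;
    my $stat = _forward_status($tunnel_pkt);
    if ($stat eq 'NO_PACKET') {
        vLogHTML("TN received no decapsulated packet from HOST1_NET4 to HOST1_NET1.\n");
        return 'PASS';
    }
    vLogHTML("TN received something packet from NUT to HOST1_NET1.\n");
    return 'FAIL';
}

#### subtest No.1
my $subtest_no = 1;
$subtest_title[$subtest_no] = "option bit 000: option type is immutable";
vLogHTML("Subtest No.$subtest_no: $subtest_title[$subtest_no]\n");
my $csts = 'PASS';    # initialize current subtest status

# Judgement #1: the unmodified [DSTH][AH] packet must be decapsulated and
# forwarded; without this baseline the "receive nothing" judgements
# below would be meaningless.
my $stat = _forward_status('ahtun_from_sg1_net2_dstopt_echo_request_from_host1_net4_to_host1_net1_on_net0');
if ($stat ne 'GOT_PACKET') {
    # Previously this path failed silently; say why the subtest fails.
    vLogHTML("TN received no decapsulated packet for the unmodified [DSTH][AH] packet (Judgement #1); Judgement #2 skipped.\n");
    $csts = 'FAIL';
}
else {
    # Judgement #2: option type modified 0x02 -> 0x22 must be rejected.
    $csts = _expect_dropped('ahtun_from_sg1_net2_dm_dsth_000opttype_echo_request_from_host1_net4_to_host1_net1_on_net0');
}
vLogHTML("Subtest No.$subtest_no $csts\n\n");
$subtest_results[$subtest_no] = $csts;

#### subtest No.2
$subtest_no = 2;
$subtest_title[$subtest_no] = "option bit 001: option type is immutable";
vLogHTML("Subtest No.$subtest_no: $subtest_title[$subtest_no]\n");
# Judgement #3: option type modified 0x22 -> 0x23 must be rejected.
# No new baseline is sent here; subtest 1's baseline is relied upon.
$csts = _expect_dropped('ahtun_from_sg1_net2_dm_dsth_001opttype_echo_request_from_host1_net4_to_host1_net1_on_net0');
vLogHTML("Subtest No.$subtest_no $csts\n\n");
$subtest_results[$subtest_no] = $csts;

### results table
vLogHTML("Subtest Results\n");
for my $i (1 .. $#subtest_title) {
    vLogHTML("|$i| $subtest_title[$i] | $subtest_results[$i] |\n");
    $test_result = 'FAIL' if $subtest_results[$i] eq 'FAIL';
}

if ($test_result eq 'FAIL') {
    ipsecExitFail();
}
else {
    ipsecExitPass();
}

######################################################################
__END__

=head1 NAME

RTU_A_In_DM_DSTH_opttype - Router Tunnel Mode AH Inbound, Detect modification of DstOpt header option type before AH

=head1 TARGET

Router

=head1 SYNOPSIS

=begin html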
  RTU_A_In_DM_DSTH_opttype.seq [-tooloption ...] -pkt RTU_A_DM_DSTH_opttype.def
    -tooloption : v6eval tool option
  See also HTR_A_common.def and HTR_common.def
=end html

=head1 INITIALIZATION

=begin html

For details of Network Topology, see 00README

Set the NUT's SAD and SPD as follows:

                          (Link0)  (Link1)
            NET4   NET2      NET0   NET1
  HOST1_NET4 -- SG1 -- Router -- NUT -- HOST1_NET1
                 =====tunnel======>

Security Association Database (SAD)

source address SG1_NET2
destination address NUT_NET0
SPI 0x1000
mode tunnel
protocol AH
AH algorithm HMAC-MD5
AH algorithm key 0123456789ABCDEF

Security Policy Database (SPD)

No SPD entry
=end html

=head1 TEST PROCEDURE

=begin html
 Tester                      Target                      Tester
              (Link0)                     (Link1)
   |                           |                           |
 Subtest No.1 "option bit 000: option type is immutable"
   |                           |                           |
   |-------------------------->|                           |
   |      ICMP Echo Request    |                           |
   |  within [DSTH][AH] tunnel |                           |
   |                           |-------------------------->|
   |                           |      ICMP Echo Request    |
   |                           |        Judgement #1       |
   |                           |                           |
   |-------------------------->|                           |
   |      ICMP Echo Request    |                           |
   |  within [DSTH][AH] tunnel |                           |
   |  (option type of DSTH is modified 0x02->0x22)         |
   |                           | (---------------------->) |
   |                           |     No ICMP Echo Request  |
   |                           |        Judgement #2       |
   |                           |                           |
   v                           v                           v
 Subtest No.2 "option bit 001: option type is immutable"
   |                           |                           |
   |-------------------------->|                           |
   |      ICMP Echo Request    |                           |
   |  within [DSTH][AH] tunnel |                           |
   |  (option type of DSTH is modified 0x22->0x23)         |
   |                           | (---------------------->) |
   |                           |     No ICMP Echo Request  |
   |                           |        Judgement #3       |
   |                           |                           |
   v                           v                           v

ICMP Echo Request within [DSTH][AH] tunnel to Link0

IP Header Source Address SG1_NET2
Destination Address NUT_NET0
Destination Options Header Type 0x02
Data Length 4
Data 0x0f0f0000
AH SPI 0x1000
Sequence Number 1
Algorithm HMAC-MD5
Key 0123456789ABCDEF
IP Header Source Address HOST1_NET4
Destination Address HOST1_NET1
ICMP Type 128 (Echo Request)

ICMP Echo Request from Link1

IP Header Source Address HOST1_NET4
Destination Address HOST1_NET1
ICMP Type 128 (Echo Request)

Send ICMP Echo Request within [DSTH][AH] tunnel (option type of DSTH is modified 0x02->0x22) to Link0

IP Header Source Address SG1_NET2
Destination Address NUT_NET0
Destination Options Header Type 0x22 (0x02 is original)
Data Length 4
Data 0x0f0f0000
AH SPI 0x1000
Sequence Number 2
Algorithm HMAC-MD5
Key 0123456789ABCDEF
IP Header Source Address HOST1_NET4
Destination Address HOST1_NET1
ICMP Type 128 (Echo Request)

Send ICMP Echo Request within [DSTH][AH] tunnel (option type of DSTH is modified 0x22->0x23) to Link0

IP Header Source Address SG1_NET2
Destination Address NUT_NET0
Destination Options Header Type 0x23 (0x22 is original)
Data Length 4
Data 0x0f0f0000
AH SPI 0x1000
Sequence Number 3
Algorithm HMAC-MD5
Key 0123456789ABCDEF
IP Header Source Address HOST1_NET4
Destination Address HOST1_NET1
ICMP Type 128 (Echo Request)
=end html

=head1 JUDGEMENT

Judgement #1: Receive ICMP Echo Request from Link1 (MUST)

Judgement #2: Receive nothing (MUST)

Judgement #3: Receive nothing (MUST)

=head1 SEE ALSO

perldoc V6evalTool

=begin html
  IPSEC.html IPsec Test Common Utility
=end html

=cut