#!/usr/bin/perl
#
# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005 Yokogawa Electric Corporation,
# IPA (Information-technology Promotion Agency, Japan).
# All rights reserved.
#
# Redistribution and use of this software in source and binary forms, with
# or without modification, are permitted provided that the following
# conditions and disclaimer are agreed and accepted by the user:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the names of the copyrighters, the name of the project which
# is related to this software (hereinafter referred to as "project") nor
# the names of the contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# 4. No merchantable use may be permitted without prior written
# notification to the copyrighters. However, using this software for the
# purpose of testing or evaluating any products including merchantable
# products may be permitted without any notification to the copyrighters.
#
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHTERS, THE PROJECT AND
# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING
# BUT NOT LIMITED THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE, ARE DISCLAIMED.
# IN NO EVENT SHALL THE
# COPYRIGHTERS, THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT,STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
# $TAHI: ct/ipsec4/RTU_A_In_DM_IPv4H_src.seq,v 1.4 2002/09/18 11:52:26 ozoe Exp $
#
######################################################################
#
# RTU_A_In_DM_IPv4H_src
#
# Router, tunnel-mode AH, inbound: the NUT must forward a correctly
# authenticated tunnelled ICMP Echo Request (Judgement #1) and must
# forward nothing when the outer IPv4 source address of an otherwise
# identical packet has been modified (Judgement #2).  A packet that
# still appears on Link1 in the second step means the NUT accepted AH
# traffic whose authenticated header was altered, i.e. the integrity
# check was not enforced on the inbound path.
#
# NOTE: this script follows the suite's convention of bareword link and
# NUT-type names (Link0, Link1, router) and package-global test state,
# so `use strict` is deliberately not enabled here.

BEGIN {
    # The shared IPsec helpers live one directory up from this test.
    unshift(@INC, '../ipsec/');
    # Release tag reported by the tool; keep the literal intact.
    $V6evalTool::TestVersion = '$Name: REL_2_1_2 $ ';
}

use V6evalTool;
use IPSEC;

# Packet descriptions used for logging; nothing defined yet.
%pktdesc = (
    ### TBD
);

# Tester links: Link0 is on the NUT's tunnel side (NET0), Link1 on the
# cleartext side (NET1).
$IF0 = Link0;
$IF1 = Link1;

#----- check NUT type
ipsecCheckNUT(router);

#----- set SAD,SPD
vLogHTML("*** Target initialization phase ***\n");
ipsecClearAll();

## SG1 vs NUT: a single inbound tunnel-mode AH SA (HMAC-MD5, SPI 0x1000)
## from SG1's NET2 address to the NUT's NET0 address, carrying traffic
## from NET4 to NET1.
my @sad_sg1_to_nut = (
    "src=$IPSEC::IPsecAddr{IPSEC_SG1_NET2_ADDR}",
    "dst=$IPSEC::IPsecAddr{IPSEC_NUT_NET0_ADDR}",
    "spi=0x1000",
    "mode=tunnel",
    "direction=in",
    "protocol=ah",
    "aalgo=hmac-md5",
    "aalgokey=TAHITEST89ABCDEF",
    "nsrc=$IPSEC::IPsecAddr{IPSEC_NET4_ADDR}",
    "ndst=$IPSEC::IPsecAddr{IPSEC_NET1_ADDR}",
);
ipsecSetSAD(@sad_sg1_to_nut);

# No SPD entry is installed for this test; the policy entry that would
# otherwise match the tunnel is kept here for reference only.
#
#ipsecSetSPD(
#    "src=$IPSEC::IPsecAddr{IPSEC_NET4_ADDR}",
#    "dst=$IPSEC::IPsecAddr{IPSEC_NET1_ADDR}",
#    "upperspec=any",
#    "direction=in",
#    "protocol=ah",
#    "mode=tunnel",
#    "tsrc=$IPSEC::IPsecAddr{IPSEC_SG1_NET2_ADDR}",
#    "tdst=$IPSEC::IPsecAddr{IPSEC_NUT_NET0_ADDR}",
#);
ipsecSetSPD("policy=nopolicy");

ipsecEnable();

#======================================================================
vLogHTML("*** Target testing phase ***\n");

vCapture($IF0);
vCapture($IF1);

#               NET1   NET0     NET2     NET4
#   HOST1_NET1 <- NUT <- Router <- SG1 <- HOST1_NET4
#                  <====tunnel=====

#----- Judgement #1: a valid AH-tunnelled Echo Request must be
#      decapsulated and forwarded onto Link1.
($stat, %ret) = ipsecForwardDecap($IF0, $IF1,
    'ahtun_from_sg1_net2_echo_request_from_host1_net4_to_host1_net1_on_net0',
    'echo_request_from_host1_net4_to_host1_net1_on_net1');
$cts = ($stat eq 'GOT_PACKET') ? 'PASS' : 'FAIL';   # current test status

#----- Judgement #2: the same packet with a modified outer IPv4 source
#      must be dropped, so nothing may appear on Link1.  Only run when
#      the baseline forwarding in Judgement #1 worked.
if ($cts eq 'PASS') {
    ($stat, %ret) = ipsecForwardDecap($IF0, $IF1,
        'ahtun_from_sg1_net2_dm_ipv4h_src_echo_request_from_host1_net4_to_host1_net1_on_net0',
        'echo_request_from_host1_net4_to_host1_net1_on_net1');
    if ($stat ne 'NO_PACKET') {
        # Any status other than NO_PACKET (a forwarded packet, or an
        # unexpected tool result) counts as a failure.
        vLogHTML("TN received something packet from NUT to HOST1_NET1.\n");
        $cts = 'FAIL';
    }
    else {
        vLogHTML("TN received no decapsulated packet from HOST1_NET4 to HOST1_NET1.\n");
    }
}

#----- verdict
if ($cts eq 'PASS') {
    ipsecExitPass();
}
else {
    ipsecExitFail();
}

######################################################################
__END__

=head1 NAME

RTU_A_In_DM_IPv4H_src - Router Tunnel Mode AH Inbound, Detect modification of IPv4 header IP src address with AH

=head1 TARGET

Router

=head1 SYNOPSIS

=begin html

  RTU_A_In_DM_IPv4H_src.seq [-tooloption ...] -pkt RTU_A_DM_IPv4H.def
    -tooloption : v6eval tool option
  See also HTR_A_common.def and HTR_common.def
=end html

=head1 INITIALIZATION

=begin html


For details of Network Topology, see 00README

Set NUT's SAD and SPD as following:

                          (Link0)  (Link1)
            NET4   NET2      NET0   NET1
  HOST1_NET4 -- SG1 -- Router -- NUT -- HOST1_NET1
                 =====tunnel======>

Security Association Database (SAD)

source address SG1_NET2
destination address NUT_NET0
SPI 0x1000
mode tunnel
protocol AH
AH algorithm HMAC-MD5
AH algorithm key TAHITEST89ABCDEF

Security Policy Database (SPD)

No SPD entry
=end html

=head1 TEST PROCEDURE

=begin html

 Tester                      Target                      Tester
              (Link0)                     (Link1)
   |                           |                           |
   |-------------------------->|                           |
   |      ICMP Echo Request    |                           |
   |       within AH tunnel    |                           |
   |                           |-------------------------->|
   |                           |      ICMP Echo Request    |
   |                           |        Judgement #1       |
   |                           |                           |
   |-------------------------->|                           |
   |      ICMP Echo Request    |                           |
   |       within AH tunnel    |                           |
   |  (IPsrc of outer IPv4H is modified)                   |
   |                           | (---------------------->) |
   |                           |     No ICMP Echo Request  |
   |                           |        Judgement #2       |
   |                           |                           |
   v                           v                           v
  1. Send ICMP Echo Request within AH tunnel to Link0
  2. Receive ICMP Echo Request from Link1
  3. Send ICMP Echo Request within AH tunnel (IPsrc of outer IPv4H is modified) to Link0
  4. Receive nothing

ICMP Echo Request within AH tunnel to Link0

IP Header Source Address SG1_NET2
Destination Address NUT_NET0
AH SPI 0x1000
Sequence Number 1
Algorithm HMAC-MD5
Key TAHITEST89ABCDEF
IP Header Source Address HOST1_NET4
Destination Address HOST1_NET1
ICMP Type Echo Request

ICMP Echo Request from Link1

IP Header Source Address HOST1_NET4
Destination Address HOST1_NET1
ICMP Type Echo Request

Send ICMP Echo Request within AH tunnel (IPsrc of outer IPv4H is modified) to Link0

IP Header Source Address SG1_NET2 (SG2_NET2 is original)
Destination Address NUT_NET0
AH SPI 0x1000
Sequence Number 2
Algorithm HMAC-MD5
Key TAHITEST89ABCDEF
IP Header Source Address HOST1_NET4
Destination Address HOST1_NET1
ICMP Type Echo Request
=end html

=head1 JUDGEMENT

Judgement #1: Receive ICMP Echo Request from Link1 (MUST)

Judgement #2: Receive nothing (MUST)

=head1 SEE ALSO

perldoc V6evalTool

=begin html

  IPSEC.html IPsec Test Common Utility
=end html

=cut