");
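# Main sequence.  vCapture is called on $IF before either probe is sent
# (presumably so both exchanges end up in the capture -- confirm against
# V6evalTool).
vCapture($IF);

# Judgement #1: the unmodified AH-protected echo request must be answered.
# Running this first shows that the SA on the NUT works, so a missing reply
# in the next step can be attributed to the AH integrity check and not to a
# misconfigured SAD/SPD.
$ret = ping_host1_to_nut_normal();

# Judgement #2: the request whose IPv6 source address was altered must get
# no reply.  The frame name is quoted so it is always passed as a string,
# like the other frame names in this file, instead of relying on a bareword
# being turned into a string.
if ($ret eq 'PASS') {
    $ret = ping_host1_to_nut_ignored('echo_request_from_host1_ah_dm_ipv6h_src');
}

# Report the overall verdict: PASS only when both judgements passed.
if ($ret eq 'PASS') {
    ipsecExitPass();
}
else {
    ipsecExitFail();
}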
#----------------------------------------------------------------------
# Positive check (Judgement #1): send an AH-protected echo request from
# HOST1 and expect the NUT's echo reply.
#
# Argument: optional name of the echo request frame; when it is omitted or
#           undef, 'echo_request_from_host1_ah' is used.
# Returns:  'PASS' if ipsecPing2NUT reports 'GOT_REPLY', otherwise 'FAIL'.
sub ping_host1_to_nut_normal(;$) {
    my $echo_request = shift;
    if (!defined $echo_request) {
        $echo_request = 'echo_request_from_host1_ah';
    }

    # Only the status is examined; the remainder of the returned list is
    # collected in %reply_info and not used here.
    my ($status, %reply_info)
        = ipsecPing2NUT($IF, $echo_request, 'echo_reply_to_host1');

    if ($status eq 'GOT_REPLY') {
        vLogHTML("TN received echo reply from NUT to HOST1.
");
        return 'PASS';
    }

    # Every status other than 'GOT_REPLY' is treated as a missing reply.
    vLogHTML("TN received no echo reply from NUT to HOST1.
");
    return 'FAIL';
}
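# Negative check (Judgement #2): send an AH-protected echo request whose
# IPv6 header was modified and expect the NUT to stay silent.
#
# Argument: name of the modified echo request frame to send.
# Returns:  'PASS' if ipsecPing2NUT reports 'NO_REPLY', otherwise 'FAIL'.
#
# The verdict lines in the log name the NUT, because it is the NUT that
# receives the modified request and has to discard it; the TN only sends it.
sub ping_host1_to_nut_ignored($) {
    my ($echo_request) = @_;

    # Only the status is examined; the rest of the returned list is unused.
    my ($stat, %ret) = ipsecPing2NUT($IF, $echo_request, 'echo_reply_to_host1');

    # Strict check: any status other than 'NO_REPLY' fails the test, so a
    # reply of any kind to the tampered packet is reported as a failure.
    if ($stat ne 'NO_REPLY') {
        vLogHTML("TN received something reply packet from NUT to HOST1.
");
        vLogHTML("NUT did not ignore the modified echo request packet.
");
        return 'FAIL';
    }

    vLogHTML("TN received no echo reply from NUT to HOST1.
");
    vLogHTML("NUT ignored the modified echo request packet.
");
    return 'PASS';
}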
######################################################################
__END__
=head1 NAME
HTR_A_In_DM_IPv6H_src - Host Transport Mode AH Inbound, Detect modification of IPv6 header IP src address with AH
=head1 TARGET
Host
=head1 SYNOPSIS
=begin html
HTR_A_In_DM_IPv6H_src.seq [-tooloption ...] -pkt HTR_A_DM_IPv6H.def
-tooloption : v6eval tool option
See also HTR_A_common.def and HTR_common.def
=end html
=head1 INITIALIZATION
=begin html
For details of Network Topology, see 00README
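Set NUT's SAD and SPD as follows. The SPI, AH algorithm and key must match the values carried in the test packets described under TEST PROCEDURE: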
NET5 NET3
HOST1_NET5 -- Router -- NUT
-----transport----->
Security Association Database (SAD)
source address |
HOST1_NET5 |
destination address |
NUT_NET3 |
SPI |
0x1000 |
mode |
transport |
protocol |
AH |
AH algorithm |
HMAC-MD5 |
AH algorithm key |
TAHITEST89ABCDEF |
Security Policy Database (SPD)
source address |
HOST1_NET5 |
destination address |
NUT_NET3 |
upper spec |
any |
direction |
in |
protocol |
AH |
mode |
transport |
=end html
=head1 TEST PROCEDURE
=begin html
Tester Target
| |
|-------------------------->|
| ICMP Echo Request |
| with AH |
| |
|<--------------------------|
| ICMP Echo Reply |
| Judgement #1 |
| |
|-------------------------->|
| ICMP Echo Request |
| with AH |
| (IPsrc of IPv6H is modified)
| |
| (<----------------------) |
| No ICMP Echo Reply |
| Judgement #2 |
| |
v v
- Send ICMP Echo Request with AH
- Receive ICMP Echo Reply
- Send ICMP Echo Request with AH (IPsrc of IPv6H is modified)
- Receive nothing
ICMP Echo Request with AH
IP Header |
Source Address |
HOST1_NET5 |
|
Destination Address |
NUT_NET3 |
AH |
SPI |
0x1000 |
|
Sequence Number |
1 |
|
Algorithm |
HMAC-MD5 |
|
Key |
TAHITEST89ABCDEF |
ICMP |
Type |
128 (Echo Request) |
ICMP Echo Reply
IP Header |
Source Address |
NUT_NET3 |
|
Destination Address |
HOST1_NET5 |
ICMP |
Type |
129 (Echo Reply) |
ICMP Echo Request with AH (IPsrc of IPv6H is modified)
IP Header |
Source Address |
HOST1_NET5 (HOST2_NET5 is original) |
|
Destination Address |
NUT_NET3 |
AH |
SPI |
0x1000 |
|
Sequence Number |
2 |
|
Algorithm |
HMAC-MD5 |
|
Key |
TAHITEST89ABCDEF |
ICMP |
Type |
128 (Echo Request) |
=end html
=head1 JUDGMENT
Judgement #1:
Receive ICMP Echo Reply (MUST)
Judgement #2:
Receive nothing (MUST)
=head1 SEE ALSO
perldoc V6evalTool
=begin html
IPSEC.html IPsec Test Common Utility
=end html
=cut