#!/usr/bin/perl # # Copyright (C) 2002, 2003, 2004, 2005 Yokogawa Electric Corporation, # INTAP(Interoperability Technology Association for Information # Processing, Japan), IPA (Information-technology Promotion Agency, Japan). # All rights reserved. # # Redistribution and use of this software in source and binary forms, with # or without modification, are permitted provided that the following # conditions and disclaimer are agreed and accepted by the user: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # 3. Neither the names of the copyrighters, the name of the project which # is related to this software (hereinafter referred to as "project") nor # the names of the contributors may be used to endorse or promote products # derived from this software without specific prior written permission. # # 4. No merchantable use may be permitted without prior written # notification to the copyrighters. However, using this software for the # purpose of testing or evaluating any products including merchantable # products may be permitted without any notification to the copyrighters. # # # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHTERS, THE PROJECT AND # CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING # BUT NOT LIMITED THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS # FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHTERS, THE PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, # INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES # (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT,STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # # $TAHI: ct/ipsec/HTR_E_In_LifetimeSATime.seq,v 1.2 2003/06/05 13:42:45 ozoe Exp $ # ###################################################################### BEGIN { unshift(@INC, '../ipsec/'); $V6evalTool::TestVersion = '$Name: REL_2_1_2 $ '; } use V6evalTool; use IPSEC; %pktdesc = ( ### TBD ); $IF = Link0; #----- check NUT type ipsecCheckNUT(host); #----- set SAD,SPD vLogHTML("*** Target initialization phase ***
"); ipsecClearAll(); ## HOST1 vs NUT $stime=35; $htime=35; #ipsecSetSADAsync( ipsecSetSAD( "src=$IPSEC::IPsecAddr{IPSEC_HOST1_NET5_ADDR}" , "dst=$IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR}" , "spi=0x1000" , "mode=transport" , "protocol=esp" , "stime=$stime", "htime=$htime", "ealgo=null" , "eauth=hmac-md5" , "eauthkey=TAHITEST89ABCDEF" ); ipsecSetSPD( "src=$IPSEC::IPsecAddr{IPSEC_HOST1_NET5_ADDR}" , "dst=$IPSEC::IPsecAddr{IPSEC_NUT_NET3_ADDR}" , "upperspec=any" , "direction=in" , "protocol=esp-auth" , "mode=transport" , ); $stime=getTimeUTC(); $timestr=getTimeStamp(); vLogHTML("Excute ipsecSetSPD time: $timestr.
"); #vSleep(5); #====================================================================== vLogHTML("*** Target testing phase ***
"); #----- start capturing vCapture($IF); if ($IPSEC::IPsecAddr{IPSEC_IPVERSION} == 4) { } else { ## RA vSend($IF, ra_to_nut); vSleep(3); } # ping TN(Host1) <-> NUT while (1) { ($stat, %ret) = ipsecPing2NUT($IF, 'echo_request_from_host1_esp', 'echo_reply_to_host1'); $rtime = getTimeUTC(); $count = $rtime - $stime; if ($stat eq 'GOT_REPLY') { if ($count <= $htime){ vLogHTML("TN received echo reply from NUT to HOST1.
"); vLogHTML("Timer count: $count sec
"); vLogHTML('OK
'); }else{ if ($ret{status} !=0) { vLogHTML("TN received no echo reply from NUT to HOST1.
"); vLogHTML("Expire lifetime of SA, Timer count: $count sec
"); vLogHTML('OK
'); }else{ vLogHTML("Over lifetime of SA!!, Timer count: $count sec
"); goto error; } } }else{ vLogHTML("TN received no echo reply from NUT to HOST1.
"); if ($count > $htime){ vLogHTML("Expire lifetime of SA, Timer count: $count sec
"); vLogHTML('OK
'); last; }else{ vLogHTML("Timer count: $count sec
"); vLogHTML('Warn'); } } } #ipsecRemoteAsyncWait(); ipsecExitPass(); error: vLogHTML("TN received echo reply from NUT to HOST1.
"); ipsecRemoteAsyncWait(); ipsecExitFail(); ###################################################################### __END__ =head1 NAME HTR_E_In_LifetimeSATime - Lifetime of SA using time, Host Transport Mode Inbound ESP (NULL), ESP Authentication HMAC-MD5 =head1 TARGET Host =head1 SYNOPSIS =begin html

  HTR_E_In_LifetimeSATime.seq [-tooloption ...] -pkt HTR_E_LifetimeSA.def
    -tooloption : v6eval tool option
  See also HTR_E_common.def and HTR_common.def

=end html =head1 INITIALIZATION =begin html

For details of Network Topology, see 00README

Set NUT's SAD and SPD as following:

              NET5      NET3
    HOST1_NET5 -- Router -- NUT
         -----transport----->

Security Association Database (SAD)

source address	HOST1_NET5
destination address	NUT_NET3
SPI	0x1000
mode	transport
lifetime	hard = 35 sec soft = 35 sec
protocol	ESP
ESP algorithm	NULL
ESP authentication	HMAC-MD5
ESP authentication key	TAHITEST89ABCDEF

Security Policy Database (SPD)

source address	HOST1_NET5
destination address	NUT_NET3
upper spec	any
direction	in
protocol	ESP
mode	transport

=end html =head1 TEST PROCEDURE =begin html

 Tester                      Target
   |                           |
   |-------------------------->|
   |      ICMP Echo Request    |
   |        (with ESP)         |
   |                           |
   |<--------------------------|
   |      ICMP Echo Reply      |
   |                           |
   |           :               |
   |   Expire Lifetime of SA   |
   |           :               |
   |                           |
   |-------------------------->|
   |      ICMP Echo Request    |
   |        (with ESP)         |
   |                           |
   |<--------------------------|
   |     No ICMP Echo Reply    |
   |                           |
   v                           v

Send ICMP Echo Request with ESP
Receive ICMP Echo Reply
Continue until expire lifetime of SA
Send ICMP Echo Request with ESP
No Receive ICMP Echo Reply

ICMP Echo Request with ESP

IP Header	Source Address	HOST1_NET5
	Destination Address	NUT_NET3
ESP	SPI	0x1000
	Algorithm	DES-CBC
	Key	TAHITEST
ICMP	Type	128 (Echo Request)

ICMP Echo Reply

IP Header	Source Address	NUT_NET3
	Destination Address	HOST1_NET5
ICMP	Type	129 (Echo Reply)

=end html =head1 JUDGMENT PASS: When lifetime of SA was expired, TN didn't receive ICMP Echo Reply from NUT. FAIL: When lifetime of SA was expired, TN received ICMP Echo Reply from NUT. =head1 SEE ALSO perldoc V6evalTool =begin html

  IPSEC.html IPsec Test Common Utility

=cut