
PROTOS Test-Suite: c09-isakmp

$RCSfile: index.html,v $ $Revision: 1.29 $ $Date: 2005/11/14 13:11:36 $
Status: Release 1

ABSTRACT

The Internet Security Association and Key Management Protocol (ISAKMP) is designed to establish, negotiate, modify and delete Security Associations. ISAKMP provides a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism. Internet Key Exchange (IKE), a derivative of ISAKMP, is a key protocol in the Internet Security Architecture (IPsec). A subset of IKE Phase 1 negotiation was chosen as the subject protocol for vulnerability assessment through syntax testing and test-suite creation. A survey of the related standards was made. Test-material was prepared and tests were carried out against a sample set of existing implementations. Results were gathered and reported. Some of the implementations available for evaluation failed to perform in a robust manner under the test. Some failures had information security implications, and should be considered as vulnerabilities. Therefore, this robustness test-material should be adopted for evaluation and development of ISAKMP/IKE products.

Introduction

This test-suite is a byproduct of the "PROTOS - Security Testing of Protocol Implementations" project [1]. It covers a limited set of information security and robustness related implementation errors for a subset of the chosen protocol. Important: background, goals, limitations, terminology and licensing for this test-suite release are explained in the "Test-suite releases in Theory and Practice" document.

The purpose of this test-suite is to evaluate implementation level security and robustness of Internet Security Association and Key Management Protocol (ISAKMP) implementations. The initial scope of the test-suite was set to the IPsec DOI (Internet IP Security Domain of Interpretation) version of ISAKMP, namely IKE (Internet Key Exchange). The factors behind choosing IKE included:

  • IKE is an important part of IPsec which is used in critical infrastructure. When IKE is being used, the traffic (UDP/500) is usually not filtered until processed.
  • There are plenty of implementations by several vendors available for testing. IKE has a history of interoperability problems.
  • There are no free, publicly available robustness test suites to evaluate IKE implementations.

The scope was further narrowed to IKE phase 1 with pre-shared secret authentication. The rationale behind this selection was:

  • IKE phase 1 does not require any special preconditions as phase 2 does. Additionally, phase 1 aggressive mode allows sending several payloads in the first packet.
  • IKE phase 1 authentication with pre-shared secret is required from all ISAKMP/IKE implementations.

Potential IKE vulnerabilities in the above scope can be roughly categorised based on what the attacker must know of the IKE identity and shared secret:

  • A. Vulnerability does not require a valid identity nor a shared secret (greatest impact).
  • B. Vulnerability requires a valid identity but not the shared secret.
  • C. Vulnerability requires both a valid identity and the corresponding shared secret (smallest impact).

The peer source IP address may also affect the results, depending on the setup. For example, a different security policy may be selected in the target implementation depending on whether the source IP is configured as an IPsec endpoint or not. Some policies accept aggressive mode exchanges and some do not.

Category C was chosen as the initial test-strategy. If possible, the test-suite and test-subject were configured as IKE peers. If a failure was discovered, it was verified within the other categories as well.

Test-Suite Design

Standard Survey

The available standards were studied and analysed. The relevant specifications are listed below.

  • RFC 2407 - The Internet IP Security Domain of Interpretation for ISAKMP[2]
  • RFC 2408 - Internet Security Association and Key Management Protocol (ISAKMP)[3]
  • RFC 2409 - The Internet Key Exchange (IKE)[4]
  • RFC 2412 - The OAKLEY Key Determination Protocol[5]

Subject Survey

A survey of available implementations is conducted. This should include a diverse selection of implementations in order to gain a better insight into the applications implementing the protocol, and to give a hint on the impact of potential vulnerabilities. A subset of the implementations is chosen to be tested during the test-suite creation and prerelease phases. Typically, not all implementations are available for testing.

Additional lists of vendors, specific implementations and related information may be found in the following resources:

  • VPN Vendor and Service Provider Links [6]
  • VPN Products and Services [7]

A subset of the implementations was chosen as a sample set to be tested during the test-suite creation and pre-release phases. Most likely reasons for omission of a specific product from the sample set include:

  • no evaluation copy of the product was available
  • or a restrictive licence prohibited evaluation
  • or we were not aware of the product

Injection Vector Survey

In the injection vector survey, different methods of delivering the test cases to the implementations under test are identified and analysed. Often, there are several injection methods and one test-suite cannot cover them all, or might miss some vectors not available in all implementations.

Injection vector survey

Application protocol | Transport protocol | Packet
IKE | UDP (port 500) | All IKE packets
IKE | TCP (port 500) | All IKE packets

About ISAKMP Message Exchanges

ISAKMP consists of two phases. In phase 1 the two parties negotiate a security association (SA) to agree on how to protect the traffic in the next phase. In phase 2 keying material is derived and the policy to share it is negotiated. In this way security associations for other security protocols are established [3].

There are two ways to establish a phase 1 SA: main mode and aggressive mode. Both generate authenticated keying material from an ephemeral Diffie-Hellman exchange. Main mode, as illustrated in figure 1, is required in every implementation whereas aggressive mode (figure 2) is optional. In main mode the identities of the parties are always protected, but in aggressive mode only when public key encryption is used in authentication [4].

Here are the abbreviations used in figures 1 and 2:

  • i = initiator
  • r = responder
  • hdr = ISAKMP Header
  • hdrc = ISAKMP Header followed by encrypted payloads
  • sa = security association payload
  • ke = key exchange payload
  • nonce = nonce payload
  • id = identification payload
  • hash = hash payload
[Sequence diagram of Main Mode]

Figure 1: Sequence diagram of main mode

In the first message of main mode the initiator generates one or more proposals to protect the negotiations. The message includes a security association payload which encapsulates proposal and transform payloads. The responder chooses one of the proposals and sends it in the second message. In the next two messages the Diffie-Hellman public values for the common shared secret (key-exchange) and random information (nonce) are exchanged. Then the initiator and responder authenticate the Diffie-Hellman exchange. They exchange identification information (id) and the results of the agreed authentication function (hash) in the fifth and sixth messages. This information is encrypted by methods agreed in previous messages [3] [4].

[Sequence diagram of Aggressive Mode]

Figure 2: Sequence diagram of aggressive mode

In aggressive mode the first two messages negotiate policy and exchange Diffie-Hellman public values, ancillary data necessary for the exchange, and identities. The second message also authenticates the responder, while the third message authenticates the initiator and provides a proof of participation in the exchange [3] [4].

Once phase 1 is completed, the phase 2 exchange is accomplished by quick mode. More than one phase 2 negotiation can be started on the basis of one phase 1 SA [4].

Specifications Design

Protocol data unit specifications are used as a basis for generating the test-cases. The starting point for the design of the test-suite is to acquire or create a machine-readable representation of the protocol specification. The test-tool in use utilises a custom dialect of BNF (Backus-Naur Form). BNF is capable of describing the context-free syntax of a specification, but is often insufficient for automated test-case generation. The specification is completed by rules which maintain semantic validity and provide communication channels necessary to simulate the protocol.

The following default values were used in the test-material:

  • ISAKMP Security Association attributes:
    • Encryption algorithm: 3DES-CBC
    • Hash algorithm: HMAC-SHA-1
    • Authentication method: Pre-shared key
    • Group description: 1024 bit MODP (Oakley 2)
  • Identification type:
    • ID_IPV4_ADDR

Design of Exceptional Elements

An exceptional element is a piece of data designed to provoke undesired behaviour of the test subject. A single test-case contains one or a few exceptional elements. An exceptional element can violate the protocol specification, but often it is legal or in the hazy region between legal and illegal constructs. In a nutshell, an exceptional element is an input that might not have been considered properly when implementing the software.

The following table lists the categories of the exceptional elements designed for the test-material:

Exceptional Element Categories
Name Description
ee-empty Omitted element
ee-4bit Some 4-bit combinations
ee-8bit Some 8-bit combinations
ee-16bit Some 16-bit combinations
ee-32bit Some 32-bit combinations
ee-overflow Overflows of 0x61
ee-zero Overflows of 0x00
ee-fmtstring Format strings (e.g. %s%s%s or %.4097d)
ee-string Exceptional strings including overflows and format strings
ee-repeat Repeated element
ee-ipv4-addr Some IPv4 addresses
ee-ipv4-netmask Some IPv4 netmasks
ee-ipv6-addr Some IPv6 addresses
ee-ipv6-netmask Some IPv6 netmasks
ee-fqdn Exceptional fully-qualified domain name strings
ee-user-fqdn Exceptional fully-qualified username strings
ee-notify-msg-type Selected notify message types

Design of Test-Material

The test-material consists of test-cases simulating hostile input to the implementation under test. A test-case contains one or more exceptional elements, other elements being in their default state. Cases are arranged into test-groups, each covering a certain part of PDUs or containing similar anomalies. Details for the test messages are presented in the table below.

Test-groups
Name Exceptional Elements Test cases First index Last index
valid-main-mode - 1 0 0
valid-aggr-mode - 1 1 1
main-hdr-sa-i-isakmp-header Ee-empty, ee-overflow 11 2 12
main-hdr-sa-i-isakmp-header-next-payload Ee-empty, ee-8bit 10 13 22
main-hdr-sa-i-isakmp-header-mjver ee-4bit 4 23 26
main-hdr-sa-i-isakmp-header-mnver ee-4bit 6 27 32
main-hdr-sa-i-isakmp-header-exchange-type Ee-empty, ee-8bit 10 33 42
main-hdr-sa-i-isakmp-header-flags Ee-empty, ee-8bit 13 43 55
main-hdr-sa-i-isakmp-header-message-id Ee-empty, ee-32bit 20 56 75
main-hdr-sa-i-isakmp-header-length Ee-empty, ee-32bit 20 76 95
main-hdr-sa-i-sec-association-payload Ee-empty, ee-overflow 11 96 106
main-hdr-sa-i-sec-association-payload-next-payload Ee-empty, ee-8bit 10 107 116
main-hdr-sa-i-sec-association-payload-reserved Ee-empty, ee-8bit 10 117 126
main-hdr-sa-i-sec-association-payload-length Ee-empty, ee-16bit 11 127 137
main-hdr-sa-i-sec-association-payload-doi Ee-empty, ee-32bit 20 138 157
main-hdr-sa-i-sec-association-payload-situation Ee-empty, ee-32bit 20 158 177
main-hdr-sa-i-sec-association-payload-labeled-domain-identifier Ee-empty, ee-32bit 20 178 197
main-hdr-sa-i-sec-association-payload-secrecy Ee-empty, ee-overflow 11 198 208
main-hdr-sa-i-sec-association-payload-secrecy-length Ee-empty, ee-16bit 12 209 220
main-hdr-sa-i-sec-association-payload-secrecy-level Ee-empty, ee-overflow, ee-fmtstring 23 221 243
main-hdr-sa-i-sec-association-payload-secrecy-category-length Ee-empty, ee-16bit 12 244 255
main-hdr-sa-i-sec-association-payload-secrecy-category-bitmap Ee-empty, ee-overflow, ee-fmtstring 23 256 278
main-hdr-sa-i-sec-association-payload-integrity Ee-empty, ee-overflow 11 279 289
main-hdr-sa-i-sec-association-payload-integrity-length Ee-empty, ee-16bit 12 290 301
main-hdr-sa-i-sec-association-payload-integrity-level Ee-empty, ee-overflow, ee-fmtstring 23 302 324
main-hdr-sa-i-sec-association-payload-integrity-category-length Ee-empty, ee-16bit 12 325 336
main-hdr-sa-i-sec-association-payload-integrity-category-bitmap Ee-empty, ee-overflow, ee-fmtstring 23 337 359
main-hdr-sa-i-proposal-payload Ee-empty, ee-overflow 11 360 370
main-hdr-sa-i-proposal-payload-next-payload Ee-empty, ee-8bit 10 371 380
main-hdr-sa-i-proposal-payload-reserved Ee-empty, ee-8bit 10 381 390
main-hdr-sa-i-proposal-payload-length Ee-empty, ee-16bit 11 391 401
main-hdr-sa-i-proposal-payload-proposal-number Ee-empty, ee-8bit 10 402 411
main-hdr-sa-i-proposal-payload-protocol-id Ee-empty, ee-8bit 10 412 421
main-hdr-sa-i-proposal-payload-spi-size Ee-empty, ee-8bit 10 422 431
main-hdr-sa-i-proposal-payload-number-of-transforms Ee-empty, ee-8bit 10 432 441
main-hdr-sa-i-proposal-payload-spi Ee-empty, ee-overflow 11 442 452
main-hdr-sa-i-transform-payload Ee-empty, ee-overflow 11 453 463
main-hdr-sa-i-transform-payload-repeat Ee-repeat 8 464 471
main-hdr-sa-i-transform-payload-next-payload Ee-empty, ee-8bit 10 472 481
main-hdr-sa-i-transform-payload-reserved Ee-empty, ee-8bit 10 482 491
main-hdr-sa-i-transform-payload-length Ee-empty, ee-16bit 11 492 502
main-hdr-sa-i-transform-payload-transform-number Ee-empty, ee-8bit 10 503 512
main-hdr-sa-i-transform-payload-transform-id Ee-empty, ee-8bit 10 513 522
main-hdr-sa-i-transform-payload-reserved2 Ee-empty, ee-16bit 12 523 534
main-hdr-sa-i-transform-payload-sa-attributes Ee-empty, ee-32bit, ee-overflow, ee-fmtstring, ee-repeat 48 535 582
main-hdr-sa-i-transform-payload-SA-Encryption-Algorithm-type Ee-empty, ee-16bit 12 583 594
main-hdr-sa-i-transform-payload-SA-Encryption-Algorithm-tlv-length Ee-empty, ee-16bit 12 595 606
main-hdr-sa-i-transform-payload-SA-Encryption-Algorithm-tv-value Ee-empty, ee-16bit 12 607 618
main-hdr-sa-i-transform-payload-SA-Encryption-Algorithm-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 619 641
main-hdr-sa-i-transform-payload-SA-Hash-Algorithm-type Ee-empty, ee-16bit 12 642 653
main-hdr-sa-i-transform-payload-SA-Hash-Algorithm-tlv-length Ee-empty, ee-16bit 12 654 665
main-hdr-sa-i-transform-payload-SA-Hash-Algorithm-tv-value Ee-empty, ee-16bit 12 666 677
main-hdr-sa-i-transform-payload-SA-Hash-Algorithm-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 678 700
main-hdr-sa-i-transform-payload-SA-Authentication-Method-type Ee-empty, ee-16bit 12 701 712
main-hdr-sa-i-transform-payload-SA-Authentication-Method-tlv-length Ee-empty, ee-16bit 12 713 724
main-hdr-sa-i-transform-payload-SA-Authentication-Method-tv-value Ee-empty, ee-16bit 12 725 736
main-hdr-sa-i-transform-payload-SA-Authentication-Method-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 737 759
main-hdr-sa-i-transform-payload-SA-Group-Description-type Ee-empty, ee-16bit 12 760 771
main-hdr-sa-i-transform-payload-SA-Group-Description-tlv-length Ee-empty, ee-16bit 12 772 783
main-hdr-sa-i-transform-payload-SA-Group-Description-tv-value Ee-empty, ee-16bit 12 784 795
main-hdr-sa-i-transform-payload-SA-Group-Description-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 796 818
main-hdr-sa-i-transform-payload-SA-Group-Type-type Ee-empty, ee-16bit 12 819 830
main-hdr-sa-i-transform-payload-SA-Group-Type-tlv-length Ee-empty, ee-16bit 12 831 842
main-hdr-sa-i-transform-payload-SA-Group-Type-tv-value Ee-empty, ee-16bit 12 843 854
main-hdr-sa-i-transform-payload-SA-Group-Type-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 855 877
main-hdr-sa-i-transform-payload-SA-Group-Prime-Irreducible-Polynomial-type Ee-empty, ee-16bit 12 878 889
main-hdr-sa-i-transform-payload-SA-Group-Prime-Irreducible-Polynomial-tlv-length Ee-empty, ee-16bit 12 890 901
main-hdr-sa-i-transform-payload-SA-Group-Prime-Irreducible-Polynomial-tv-value Ee-empty, ee-16bit 12 902 913
main-hdr-sa-i-transform-payload-SA-Group-Prime-Irreducible-Polynomial-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 914 936
main-hdr-sa-i-transform-payload-SA-Group-Generator-One-type Ee-empty, ee-16bit 12 937 948
main-hdr-sa-i-transform-payload-SA-Group-Generator-One-tlv-length Ee-empty, ee-16bit 12 949 960
main-hdr-sa-i-transform-payload-SA-Group-Generator-One-tv-value Ee-empty, ee-16bit 12 961 972
main-hdr-sa-i-transform-payload-SA-Group-Generator-One-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 973 995
main-hdr-sa-i-transform-payload-SA-Group-Generator-Two-type Ee-empty, ee-16bit 12 996 1007
main-hdr-sa-i-transform-payload-SA-Group-Generator-Two-tlv-length Ee-empty, ee-16bit 12 1008 1019
main-hdr-sa-i-transform-payload-SA-Group-Generator-Two-tv-value Ee-empty, ee-16bit 12 1020 1031
main-hdr-sa-i-transform-payload-SA-Group-Generator-Two-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 1032 1054
main-hdr-sa-i-transform-payload-SA-Group-Curve-A-type Ee-empty, ee-16bit 12 1055 1066
main-hdr-sa-i-transform-payload-SA-Group-Curve-A-tlv-length Ee-empty, ee-16bit 12 1067 1078
main-hdr-sa-i-transform-payload-SA-Group-Curve-A-tv-value Ee-empty, ee-16bit 12 1079 1090
main-hdr-sa-i-transform-payload-SA-Group-Curve-A-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 1091 1113
main-hdr-sa-i-transform-payload-SA-Group-Curve-B-type Ee-empty, ee-16bit 12 1114 1125
main-hdr-sa-i-transform-payload-SA-Group-Curve-B-tlv-length Ee-empty, ee-16bit 12 1126 1137
main-hdr-sa-i-transform-payload-SA-Group-Curve-B-tv-value Ee-empty, ee-16bit 12 1138 1149
main-hdr-sa-i-transform-payload-SA-Group-Curve-B-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 1150 1172
main-hdr-sa-i-transform-payload-SA-Life-Type-type Ee-empty, ee-16bit 12 1173 1184
main-hdr-sa-i-transform-payload-SA-Life-Type-tlv-length Ee-empty, ee-16bit 12 1185 1196
main-hdr-sa-i-transform-payload-SA-Life-Type-tv-value Ee-empty, ee-16bit 12 1197 1208
main-hdr-sa-i-transform-payload-SA-Life-Type-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 1209 1231
main-hdr-sa-i-transform-payload-SA-Life-Duration-type Ee-empty, ee-16bit 12 1232 1243
main-hdr-sa-i-transform-payload-SA-Life-Duration-tlv-length Ee-empty, ee-16bit 12 1244 1255
main-hdr-sa-i-transform-payload-SA-Life-Duration-tv-value Ee-empty, ee-16bit 12 1256 1267
main-hdr-sa-i-transform-payload-SA-Life-Duration-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 1268 1290
main-hdr-sa-i-transform-payload-SA-PRF-type Ee-empty, ee-16bit 12 1291 1302
main-hdr-sa-i-transform-payload-SA-PRF-tlv-length Ee-empty, ee-16bit 12 1303 1314
main-hdr-sa-i-transform-payload-SA-PRF-tv-value Ee-empty, ee-16bit 12 1315 1326
main-hdr-sa-i-transform-payload-SA-PRF-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 1327 1349
main-hdr-sa-i-transform-payload-SA-Key-Length-type Ee-empty, ee-16bit 12 1350 1361
main-hdr-sa-i-transform-payload-SA-Key-Length-tlv-length Ee-empty, ee-16bit 12 1362 1373
main-hdr-sa-i-transform-payload-SA-Key-Length-tv-value Ee-empty, ee-16bit 12 1374 1385
main-hdr-sa-i-transform-payload-SA-Key-Length-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 1386 1408
main-hdr-sa-i-transform-payload-SA-Field-Size-type Ee-empty, ee-16bit 12 1409 1420
main-hdr-sa-i-transform-payload-SA-Field-Size-tlv-length Ee-empty, ee-16bit 12 1421 1432
main-hdr-sa-i-transform-payload-SA-Field-Size-tv-value Ee-empty, ee-16bit 12 1433 1444
main-hdr-sa-i-transform-payload-SA-Field-Size-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 1445 1467
main-hdr-sa-i-transform-payload-SA-Group-Order-type Ee-empty, ee-16bit 12 1468 1479
main-hdr-sa-i-transform-payload-SA-Group-Order-tlv-length Ee-empty, ee-16bit 12 1480 1491
main-hdr-sa-i-transform-payload-SA-Group-Order-tv-value Ee-empty, ee-16bit 12 1492 1503
main-hdr-sa-i-transform-payload-SA-Group-Order-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 1504 1526
main-hdr-ke-nonce-i-isakmp-header Ee-empty, ee-overflow 11 1527 1537
main-hdr-ke-nonce-i-isakmp-header-next-payload Ee-empty, ee-8bit 10 1538 1547
main-hdr-ke-nonce-i-isakmp-header-mjver ee-4bit 4 1548 1551
main-hdr-ke-nonce-i-isakmp-header-mnver ee-4bit 6 1552 1557
main-hdr-ke-nonce-i-isakmp-header-exchange-type Ee-empty, ee-8bit 10 1558 1567
main-hdr-ke-nonce-i-isakmp-header-flags Ee-empty, ee-8bit 13 1568 1580
main-hdr-ke-nonce-i-isakmp-header-message-id Ee-empty, ee-32bit 20 1581 1600
main-hdr-ke-nonce-i-isakmp-header-length Ee-empty, ee-32bit 20 1601 1620
main-hdr-ke-nonce-i-key-exchange-payload Ee-empty, ee-overflow 11 1621 1631
main-hdr-ke-nonce-i-key-exchange-payload-next-payload Ee-empty, ee-8bit 10 1632 1641
main-hdr-ke-nonce-i-key-exchange-payload-reserved Ee-empty, ee-8bit 10 1642 1651
main-hdr-ke-nonce-i-key-exchange-payload-length Ee-empty, ee-16bit 11 1652 1662
main-hdr-ke-nonce-i-key-exchange-payload-key-exchange-data Ee-empty, ee-string 52 1663 1714
main-hdr-ke-nonce-i-nonce-payload Ee-empty, ee-overflow 11 1715 1725
main-hdr-ke-nonce-i-nonce-payload-next-payload Ee-empty, ee-8bit 10 1726 1735
main-hdr-ke-nonce-i-nonce-payload-reserved Ee-empty, ee-8bit 10 1736 1745
main-hdr-ke-nonce-i-nonce-payload-length Ee-empty, ee-16bit 11 1746 1756
main-hdr-ke-nonce-i-nonce-payload-nonce-data Ee-empty, ee-string 52 1757 1808
main-hdrc-id-hash-i-isakmp-header Ee-empty, ee-overflow 11 1809 1819
main-hdrc-id-hash-i-isakmp-header-next-payload Ee-empty, ee-8bit 10 1820 1829
main-hdrc-id-hash-i-isakmp-header-mjver ee-4bit 4 1830 1833
main-hdrc-id-hash-i-isakmp-header-mnver ee-4bit 6 1834 1839
main-hdrc-id-hash-i-isakmp-header-exchange-type Ee-empty, ee-8bit 10 1840 1849
main-hdrc-id-hash-i-isakmp-header-flags Ee-empty, ee-8bit 13 1850 1862
main-hdrc-id-hash-i-isakmp-header-message-id Ee-empty, ee-32bit 20 1863 1882
main-hdrc-id-hash-i-isakmp-header-length Ee-empty, ee-32bit 20 1883 1902
main-hdrc-id-hash-i-padding Ee-zero 10 1903 1912
main-hdrc-id-hash-i-identification-payload Ee-empty, ee-overflow 11 1913 1923
main-hdrc-id-hash-i-identification-payload-next-payload Ee-empty, ee-8bit 10 1924 1933
main-hdrc-id-hash-i-identification-payload-reserved Ee-empty, ee-8bit 10 1934 1943
main-hdrc-id-hash-i-identification-payload-length Ee-empty, ee-16bit 11 1944 1954
main-hdrc-id-hash-i-identification-payload-id-type Ee-empty, ee-8bit 10 1955 1964
main-hdrc-id-hash-i-identification-payload-protocol-id Ee-empty, ee-8bit 20 1965 1984
main-hdrc-id-hash-i-identification-payload-port Ee-empty, ee-8bit 12 1985 1996
main-hdrc-id-hash-i-identification-data-ipv4-addr Ee-empty, ee-overflow, ee-ipv4-addr 18 1997 2014
main-hdrc-id-hash-i-identification-data-fqdn Ee-empty, ee-overflow, ee-string, ee-fqdn 101 2015 2115
main-hdrc-id-hash-i-identification-data-user-fqdn Ee-empty, ee-overflow, ee-string, ee-user-fqdn 98 2116 2213
main-hdrc-id-hash-i-identification-data-ipv4-subnet Ee-empty, ee-overflow 11 2214 2224
main-hdrc-id-hash-i-identification-data-ipv4-subnet-mask ee-ipv4-netmask 12 2225 2236
main-hdrc-id-hash-i-identification-data-ipv6-addr Ee-empty, ee-overflow, ee-ipv6-addr 31 2237 2267
main-hdrc-id-hash-i-identification-data-ipv6-subnet Ee-empty, ee-overflow 11 2268 2278
main-hdrc-id-hash-i-identification-data-ipv6-subnet-mask Ee-ipv6-netmask 6 2279 2284
main-hdrc-id-hash-i-identification-data-ipv4-range Ee-empty, ee-overflow 11 2285 2295
main-hdrc-id-hash-i-identification-data-ipv4-range-addr ee-ipv4-addr 7 2296 2302
main-hdrc-id-hash-i-identification-data-ipv6-range Ee-empty, ee-overflow 11 2303 2313
main-hdrc-id-hash-i-identification-data-ipv6-range-addr ee-ipv6-addr 20 2314 2333
main-hdrc-id-hash-i-identification-data-dn Ee-empty, ee-overflow 11 2334 2344
main-hdrc-id-hash-i-identification-data-gn Ee-empty, ee-overflow 11 2345 2355
main-hdrc-id-hash-i-identification-data-key-id Ee-empty, ee-overflow 11 2356 2366
main-hdrc-id-hash-i-hash-payload Ee-empty, ee-overflow 11 2367 2377
main-hdrc-id-hash-i-hash-payload-next-payload Ee-empty, ee-8bit 10 2378 2387
main-hdrc-id-hash-i-hash-payload-reserved Ee-empty, ee-8bit 10 2388 2397
main-hdrc-id-hash-i-hash-payload-length Ee-empty, ee-16bit 11 2398 2408
main-hdrc-id-hash-i-hash-payload-hash-data Ee-empty, ee-string 52 2409 2460
aggr-hdr-sa-ke-nonce-id-i-isakmp-header Ee-empty, ee-overflow 11 2461 2471
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-next-payload Ee-empty, ee-8bit 10 2472 2481
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-mjver ee-4bit 4 2482 2485
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-mnver ee-4bit 6 2486 2491
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-exchange-type Ee-empty, ee-8bit 10 2492 2501
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-flags Ee-empty, ee-8bit 13 2502 2514
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-message-id Ee-empty, ee-32bit 20 2515 2534
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-length Ee-empty, ee-32bit 20 2535 2554
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload Ee-empty, ee-overflow 11 2555 2565
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-next-payload Ee-empty, ee-8bit 10 2566 2575
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-reserved Ee-empty, ee-8bit 10 2576 2585
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-length Ee-empty, ee-16bit 11 2586 2596
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-doi Ee-empty, ee-32bit 20 2597 2616
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-situation Ee-empty, ee-32bit 20 2617 2636
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-labeled-domain-identifier Ee-empty, ee-32bit 20 2637 2656
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-secrecy Ee-empty, ee-overflow 11 2657 2667
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-secrecy-length Ee-empty, ee-16bit 12 2668 2679
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-secrecy-level Ee-empty, ee-overflow, ee-fmtstring 23 2680 2702
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-secrecy-category-length Ee-empty, ee-16bit 12 2703 2714
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-secrecy-category-bitmap Ee-empty, ee-overflow, ee-fmtstring 23 2715 2737
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-integrity Ee-empty, ee-overflow 11 2738 2748
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-integrity-length Ee-empty, ee-16bit 12 2749 2760
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-integrity-level Ee-empty, ee-overflow, ee-fmtstring 23 2761 2783
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-integrity-category-length Ee-empty, ee-16bit 12 2784 2795
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-integrity-category-bitmap Ee-empty, ee-overflow, ee-fmtstring 23 2796 2818
aggr-hdr-sa-ke-nonce-id-i-proposal-payload Ee-empty, ee-overflow 11 2819 2829
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-next-payload Ee-empty, ee-8bit 10 2830 2839
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-reserved Ee-empty, ee-8bit 10 2840 2849
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-length Ee-empty, ee-16bit 11 2850 2860
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-proposal-number Ee-empty, ee-8bit 10 2861 2870
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-protocol-id Ee-empty, ee-8bit 10 2871 2880
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-spi-size Ee-empty, ee-8bit 10 2881 2890
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-number-of-transforms Ee-empty, ee-8bit 10 2891 2900
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-spi Ee-empty, ee-overflow 29 2901 2929
aggr-hdr-sa-ke-nonce-id-i-transform-payload Ee-empty, ee-overflow 11 2930 2940
aggr-hdr-sa-ke-nonce-id-i-transform-payload-next-payload Ee-empty, ee-8bit 10 2941 2950
aggr-hdr-sa-ke-nonce-id-i-transform-payload-reserved Ee-empty, ee-8bit 10 2951 2960
aggr-hdr-sa-ke-nonce-id-i-transform-payload-length Ee-empty, ee-16bit 11 2961 2971
aggr-hdr-sa-ke-nonce-id-i-transform-payload-transform-number Ee-empty, ee-8bit 10 2972 2981
aggr-hdr-sa-ke-nonce-id-i-transform-payload-transform-id Ee-empty, ee-8bit 10 2982 2991
aggr-hdr-sa-ke-nonce-id-i-transform-payload-reserved2 Ee-empty, ee-16bit 12 2992 3003
aggr-hdr-sa-ke-nonce-id-i-transform-payload-sa-attributes Ee-overflow 10 3004 3013
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Duration-type Ee-empty, ee-16bit 12 3014 3025
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Duration-tlv-length Ee-empty, ee-16bit 12 3026 3037
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Duration-tv-value Ee-empty, ee-16bit 12 3038 3049
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Duration-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 3050 3072
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Type-type Ee-empty, ee-16bit 12 3073 3084
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Type-tlv-length Ee-empty, ee-16bit 12 3085 3096
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Type-tv-value Ee-empty, ee-16bit 12 3097 3108
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Type-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 3109 3131
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Key-Length-type Ee-empty, ee-16bit 12 3132 3143
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Key-Length-tlv-length Ee-empty, ee-16bit 12 3144 3155
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Key-Length-tv-value Ee-empty, ee-16bit 12 3156 3167
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Key-Length-tlv-value Ee-empty, ee-overflow, ee-fmtstring 23 3168 3190
aggr-hdr-sa-ke-nonce-id-i-key-exchange-payload Ee-empty, ee-overflow 11 3191 3201
aggr-hdr-sa-ke-nonce-id-i-key-exchange-payload-next-payload Ee-empty, ee-8bit 10 3202 3211
aggr-hdr-sa-ke-nonce-id-i-key-exchange-payload-reserved Ee-empty, ee-8bit 10 3212 3221
aggr-hdr-sa-ke-nonce-id-i-key-exchange-payload-length Ee-empty, ee-16bit 11 3222 3232
aggr-hdr-sa-ke-nonce-id-i-key-exchange-payload-key-exchange-data Ee-empty, ee-overflow, ee-string, ee-repeat 68 3233 3300
aggr-hdr-sa-ke-nonce-id-i-nonce-payload Ee-empty, ee-overflow 11 3301 3311
aggr-hdr-sa-ke-nonce-id-i-nonce-payload-next-payload Ee-empty, ee-8bit 10 3312 3321
aggr-hdr-sa-ke-nonce-id-i-nonce-payload-reserved Ee-empty, ee-8bit 10 3322 3331
aggr-hdr-sa-ke-nonce-id-i-nonce-payload-length Ee-empty, ee-16bit 11 3332 3342
aggr-hdr-sa-ke-nonce-id-i-nonce-payload-nonce-data Ee-empty, ee-overflow, ee-string, ee-repeat 68 3343 3410
aggr-hdr-sa-ke-nonce-id-i-identification-payload Ee-empty, ee-overflow 11 3411 3421
aggr-hdr-sa-ke-nonce-id-i-identification-payload-next-payload Ee-empty, ee-8bit 10 3422 3431
aggr-hdr-sa-ke-nonce-id-i-identification-payload-reserved Ee-empty, ee-8bit 10 3432 3441
aggr-hdr-sa-ke-nonce-id-i-identification-payload-length Ee-empty, ee-16bit 11 3442 3452
aggr-hdr-sa-ke-nonce-id-i-identification-payload-id-type Ee-empty, ee-8bit 10 3453 3462
aggr-hdr-sa-ke-nonce-id-i-identification-payload-protocol-id Ee-empty, ee-8bit 20 3463 3482
aggr-hdr-sa-ke-nonce-id-i-identification-payload-port Ee-empty, ee-8bit 12 3483 3494
aggr-hdr-sa-ke-nonce-id-i-identification-data-ipv4-addr Ee-empty, ee-overflow, ee-ipv4-addr 18 3495 3512
aggr-hdr-sa-ke-nonce-id-i-identification-data-fqdn Ee-empty, ee-overflow, ee-string, ee-fqdn 101 3513 3613
aggr-hdr-sa-ke-nonce-id-i-identification-data-user-fqdn Ee-empty, ee-overflow, ee-string, ee-user-fqdn 98 3614 3711
aggr-hdr-sa-ke-nonce-id-i-identification-data-ipv6-addr Ee-empty, ee-overflow, ee-ipv6-addr 31 3712 3742
aggr-hdr-sa-ke-nonce-id-i-identification-data-dn Ee-empty, ee-overflow 11 3743 3753
aggr-hdr-sa-ke-nonce-id-i-identification-data-gn Ee-empty, ee-overflow 11 3754 3764
aggr-hdr-sa-ke-nonce-id-i-identification-data-key-id Ee-empty, ee-overflow 11 3765 3775
aggr-hdrc-hash-i-isakmp-header Ee-empty, ee-overflow 11 3776 3786
aggr-hdrc-hash-i-isakmp-header-next-payload Ee-empty, ee-8bit 10 3787 3796
aggr-hdrc-hash-i-isakmp-header-mjver ee-4bit 4 3797 3800
aggr-hdrc-hash-i-isakmp-header-mnver ee-4bit 6 3801 3806
aggr-hdrc-hash-i-isakmp-header-exchange-type Ee-empty, ee-8bit 10 3807 3816
aggr-hdrc-hash-i-isakmp-header-flags Ee-empty, ee-8bit 13 3817 3829
aggr-hdrc-hash-i-isakmp-header-message-id Ee-empty, ee-32bit 20 3830 3849
aggr-hdrc-hash-i-isakmp-header-length Ee-empty, ee-32bit 20 3850 3869
aggr-hdrc-hash-i-hash-payload Ee-empty, ee-overflow 11 3870 3880
aggr-hdrc-hash-i-hash-payload-next-payload Ee-empty, ee-8bit 10 3881 3890
aggr-hdrc-hash-i-hash-payload-reserved Ee-empty, ee-8bit 10 3891 3900
aggr-hdrc-hash-i-hash-payload-length Ee-empty, ee-16bit 11 3901 3911
aggr-hdrc-hash-i-hash-payload-hash-data Ee-empty, ee-string 52 3912 3963
info-notification-length Ee-empty, ee-16bit 12 3964 3975
info-notification-spi-size Ee-empty, ee-8bit 10 3976 3985
info-notification-message-type Ee-empty, ee-8bit 10 3986 3995
info-notification-spi Ee-empty, ee-overflow 11 3996 4006
info-notification-message-type-and-data Ee-notify-msg-type, ee-string 306 4007 4312
info-sa-notification-message-type-and-data Ee-notify-msg-type, ee-string 306 4313 4618
info-ke-nonce-notification-message-type-and-data Ee-notify-msg-type, ee-string 306 4619 4924
info-delete-length Ee-empty, ee-16bit 12 4925 4936
info-delete-spi-size Ee-empty, ee-8bit 10 4937 4946
info-delete-number-of-spi Ee-empty, ee-16bit 12 4947 4958
info-delete-spi Ee-empty, ee-overflow 11 4959 4969
info-delete-spi-size1-repeat Ee-repeat 10 4970 4979
info-delete-spi-size4-repeat Ee-repeat 10 4980 4989
info-delete-spi-size16-repeat Ee-repeat 10 4990 4999

Legend:

  • "Name" column represents the tag-names of the test-groups. Tags reflect the field and element names in the protocol specification. Tags can be used to follow which parts of the PDUs are being tested.
  • "Exceptional Elements" column describes which exceptional element categories are integrated in the test-group.
  • "Test Cases", "First Index" and "Last Index" columns describe the number of cases and the first and last test-case index in the test-group.

Implementation

Test-runs were conducted against the chosen sample of implementations. Specifications, exceptional elements, semantic rules, injectors and instrumentation were integrated as a test-tool configuration to enable automatic execution of the tests.

Injection

The test-tool provides communication rules for test-case injection. The test-tool was configured as the initiator of the IKE negotiation.

Instrumentation

The implementation under test is monitored for undesired behaviour that could have security implications. Instrumentation methods can roughly be divided into two categories.

Out-of-Band Instrumentation on the target platform includes debuggers, resource monitoring or custom-made tools used to extract information from the implementation under test. Unfortunately, the modern trend of abusing try-catch type constructs easily masks the exceptions generated by stack and memory corruption. Catching these hidden exceptions relies on the debugging skills of the developers themselves. Out-of-Band Instrumentation is often the preferred form of instrumentation.

In In-Band Instrumentation the implementation is monitored via the injection vector, i.e. the same interface used to deliver the test-cases. While responses are not necessarily checked for protocol conformance, absent or malformed responses can often reveal anomalous conditions such as denial of service. Also, the ability to accept subsequent test-cases indicates how they affect the performance of the target implementation. Especially with embedded devices, this form of instrumentation may be the only option easily available.

Valid-case in-band instrumentation will be bundled with the test-material.

Test-Runs

Results

Results from the test-runs are summarised herein. Tables below represent the observations from feeding the test-material against the chosen subject software. Product names of the actual subjects are omitted to protect the innocent. Results are presented in a tabular form with test-cases divided into test-groups based on the exceptional element types utilised and PDU fields under examination.

Each failed test-case represents, at minimum, a denial-of-service type chance of exploiting the found vulnerability. In most cases, they represent memory corruption, stack corruption or other fatal error conditions. Some of these may lead to exposure to typical buffer overflow exploits, allowing the running of arbitrary code or modification of the target system.

The verdict failed is granted if any of the following criteria is met and a single test-case can be identified to be responsible:

  • A device undergoes a fatal failure and stops functioning normally.
  • A process or a device crashes or hangs and needs to be restarted manually.
  • A process or a device crashes and restarts automatically.
  • A process consumes CPU and/or memory resources for an exceptionally long or indefinite time thus causing at least a denial of service.

If no single test-case can be identified but similar effects are observed, the verdict is inconclusive.

Sometimes, a subject gets corrupted so badly or is fundamentally so unstable that there is no way to collect accurate test-results for the whole test-run. Untested regions are marked as unknown.

Otherwise, the verdict is passed.

Test-results
Test-group / Test-run # tr-001 tr-002 tr-003 tr-004 tr-005 tr-006 tr-007 tr-008
[passed test-groups omitted]
main-hdr-sa-i-transform-payload-SA-Life-Duration-type - - - - - - - -
main-hdr-sa-i-transform-payload-SA-Life-Duration-tlv-length - - - - - - - -
main-hdr-sa-i-transform-payload-SA-Life-Duration-tv-value - - - - - - - -
main-hdr-sa-i-transform-payload-SA-Life-Duration-tlv-value X - - - - X X -
main-hdr-sa-i-transform-payload-SA-PRF-type - - - - - - - -
main-hdr-sa-i-transform-payload-SA-PRF-tlv-length - - - - - - - -
main-hdr-sa-i-transform-payload-SA-PRF-tv-value - - - - - - - -
main-hdr-sa-i-transform-payload-SA-PRF-tlv-value - - - - - - - -
[passed test-groups omitted]
main-hdrc-id-hash-i-identification-payload - - - - - - - -
main-hdrc-id-hash-i-identification-payload-next-payload - - - - - - - -
main-hdrc-id-hash-i-identification-payload-reserved - - - - - - - -
main-hdrc-id-hash-i-identification-payload-length - - - - - - - -
main-hdrc-id-hash-i-identification-payload-id-type - - - X - - - -
main-hdrc-id-hash-i-identification-payload-protocol-id - - - - - - - -
main-hdrc-id-hash-i-identification-payload-port - - - - - - - -
main-hdrc-id-hash-i-identification-data-ipv4-addr - - - - - - - -
main-hdrc-id-hash-i-identification-data-fqdn X - - - - - - -
main-hdrc-id-hash-i-identification-data-user-fqdn X - - - - - - -
main-hdrc-id-hash-i-identification-data-ipv4-subnet - - - - - - - -
main-hdrc-id-hash-i-identification-data-ipv4-subnet-mask - - - - - - - -
main-hdrc-id-hash-i-identification-data-ipv6-addr - - - - - - - -
main-hdrc-id-hash-i-identification-data-ipv6-subnet - - - - - - - -
main-hdrc-id-hash-i-identification-data-ipv6-subnet-mask - - - - - - - -
main-hdrc-id-hash-i-identification-data-ipv4-range - - - - - - - -
main-hdrc-id-hash-i-identification-data-ipv4-range-addr - - - - - - - -
main-hdrc-id-hash-i-identification-data-ipv6-range - - - - - - - -
main-hdrc-id-hash-i-identification-data-ipv6-range-addr - - - - - - - -
main-hdrc-id-hash-i-identification-data-dn - - - - - - - -
main-hdrc-id-hash-i-identification-data-gn - - - - - - - -
main-hdrc-id-hash-i-identification-data-key-id - - - - - - - -
main-hdrc-id-hash-i-hash-payload - - - - - - - -
main-hdrc-id-hash-i-hash-payload-next-payload X - - - - - - I
main-hdrc-id-hash-i-hash-payload-reserved X - - - - - - I
main-hdrc-id-hash-i-hash-payload-length X - X - - - - I
main-hdrc-id-hash-i-hash-payload-hash-data - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-isakmp-header - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-next-payload - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-mjver - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-mnver - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-exchange-type - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-flags - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-message-id - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-isakmp-header-length - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-next-payload - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-reserved - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-length - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-doi - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-situation - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-labeled-domain-identifier - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-secrecy - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-secrecy-length - - - - - - - -
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-secrecy-level - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-secrecy-category-length - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-secrecy-category-bitmap - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-integrity - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-integrity-length - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-integrity-level - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-integrity-category-length - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-sec-association-payload-integrity-category-bitmap - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-proposal-payload - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-next-payload - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-reserved - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-length - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-proposal-number - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-protocol-id - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-spi-size - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-number-of-transforms - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-proposal-payload-spi - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-next-payload - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-reserved - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-length - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-transform-number - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-transform-id - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-reserved2 - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-sa-attributes - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Duration-type - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Duration-tlv-length - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Duration-tv-value - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Duration-tlv-value - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Type-type - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Type-tlv-length - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Type-tv-value - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Life-Type-tlv-value - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Key-Length-type - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Key-Length-tlv-length - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Key-Length-tv-value - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-transform-payload-SA-Key-Length-tlv-value - - - - - X X I
aggr-hdr-sa-ke-nonce-id-i-key-exchange-payload - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-key-exchange-payload-next-payload - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-key-exchange-payload-reserved - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-key-exchange-payload-length - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-key-exchange-payload-key-exchange-data - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-nonce-payload - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-nonce-payload-next-payload - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-nonce-payload-reserved - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-nonce-payload-length - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-nonce-payload-nonce-data - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-payload - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-payload-next-payload - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-payload-reserved - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-payload-length - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-payload-id-type - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-payload-protocol-id - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-payload-port - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-data-ipv4-addr - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-data-fqdn X - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-data-user-fqdn X - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-data-ipv6-addr - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-data-dn - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-data-gn - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-data-key-id - - - - - - - I
aggr-hdrc-hash-i-isakmp-header - - - - - - - I
aggr-hdrc-hash-i-isakmp-header-next-payload - - - - - - - -
aggr-hdrc-hash-i-isakmp-header-mjver - - - - - - - -
aggr-hdrc-hash-i-isakmp-header-mnver - - - - - - - -
aggr-hdrc-hash-i-isakmp-header-exchange-type - - - - - - - -
aggr-hdrc-hash-i-isakmp-header-flags - - - - - - - -
aggr-hdrc-hash-i-isakmp-header-message-id - - - - - - - -
aggr-hdrc-hash-i-isakmp-header-length - - - - - - X -
aggr-hdrc-hash-i-hash-payload - - - - - - - -
aggr-hdrc-hash-i-hash-payload-next-payload - - - - - - - -
aggr-hdrc-hash-i-hash-payload-reserved - - - - - - - -
aggr-hdrc-hash-i-hash-payload-length - - - - - - - -
aggr-hdrc-hash-i-hash-payload-hash-data - - - - - - - -
[passed test-groups omitted]

Legend:

  • nnn: Each different test-run (tr-nnn) represents a different tested implementation.
  • X: Verdict is failed
  • I: Verdict is inconclusive
  • -: Verdict is passed
  • ?: Verdict is unknown

Please note that if a subject fails in a format string (fmtstring) test-group, the failure may be caused by a buffer overflow condition with a very long format string as a trigger. Should an implementation have failed in a format string category, but not in previous overflow category, it is then likely to contain a format string type of vulnerability.

The results are further summarised in the table below.

Test-results summary
Test-run # Total test-cases Failed test-cases Total groups Failed groups (inconclusive)
tr-001 5000 n 268 8
tr-002 5000 0 268 0
tr-003 5000 6 268 1
tr-004 5000 0 268 0
tr-005 5000 n 268 1
tr-006 5000 n 268 2
tr-007 5000 n 268 3
tr-008 5000 n 268 0(66)

Legend:

  • n: We were unable to determine the exact number of failures. See the more detailed tables above.
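Several of the failed groups above are length and reserved fields (for example main-hdrc-id-hash-i-hash-payload-length and aggr-hdrc-hash-i-isakmp-header-length). The following is an added example, not part of the test-suite or of any tested product: a receiver-side walk of the ISAKMP header and generic payload chain from RFC 2408 [3] with the bounds checks those groups exercise. MAX_PAYLOADS, the strict length-equality and reserved-octet rules, and the constructed sample message are assumptions of the example.

```python
import struct

# RFC 2408 3.1 header: cookie-i, cookie-r, next payload, version (mjver/mnver),
# exchange type, flags, message-id, length. 28 octets, network byte order.
HDR = struct.Struct("!8s8sBBBBII")
# RFC 2408 3.2 generic payload header: next payload, reserved, payload length.
GEN = struct.Struct("!BBH")
FLAG_ENCRYPTION = 0x01
MAX_PAYLOADS = 32  # assumption: local policy cap, not a protocol constant


class IsakmpError(ValueError):
    """A structural check failed; the caller drops the datagram."""


def parse_isakmp(datagram, phase1=True):
    """Return (header, [(payload_type, body), ...]) or raise IsakmpError."""
    if len(datagram) < HDR.size:
        raise IsakmpError("datagram shorter than ISAKMP header")
    cookie_i, cookie_r, nxt, ver, exch, flags, msg_id, length = \
        HDR.unpack_from(datagram)
    if (ver >> 4, ver & 0x0F) != (1, 0):
        raise IsakmpError("unsupported version")
    # Trust the received octet count, never the length field on its own.
    if length != len(datagram):
        raise IsakmpError("header length does not match datagram size")
    if phase1 and msg_id != 0:
        raise IsakmpError("non-zero message-id in phase 1")
    header = {"cookie_i": cookie_i, "cookie_r": cookie_r, "exchange": exch,
              "flags": flags, "message_id": msg_id, "length": length}
    if flags & FLAG_ENCRYPTION:
        return header, []  # ciphertext: walk the chain only after decryption

    payloads, off = [], HDR.size
    while nxt != 0:
        if len(payloads) >= MAX_PAYLOADS:
            raise IsakmpError("too many payloads")
        if off + GEN.size > length:
            raise IsakmpError("truncated generic payload header")
        following, reserved, plen = GEN.unpack_from(datagram, off)
        if reserved != 0:  # strict policy chosen for this example
            raise IsakmpError("reserved octet not zero")
        if plen < GEN.size:
            # A zero or too-small length would stall the walk or underflow
            # the body size (plen - 4) in fixed-width arithmetic.
            raise IsakmpError("payload length below generic header size")
        if off + plen > length:
            raise IsakmpError("payload runs past end of message")
        payloads.append((nxt, datagram[off + GEN.size:off + plen]))
        off, nxt = off + plen, following
    if off != length:
        raise IsakmpError("trailing octets after last payload")
    return header, payloads


def check(datagram, phase1=True):
    """Return 'ok' or the rejection reason, for logging and tests."""
    try:
        parse_isakmp(datagram, phase1)
        return "ok"
    except IsakmpError as exc:
        return str(exc)


def build_sample(payloads, exchange=4, msg_id=0):
    """Constructed well-formed message used as sample input below."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GEN.pack(following, 0, GEN.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exchange, 0,
                    msg_id, HDR.size + len(body)) + body


def patched(msg, offset, value):
    """Copy of msg with the octets at offset replaced (constructed bad input)."""
    return msg[:offset] + value + msg[offset + len(value):]


# Constructed sample: SA (1), KE (4) and NONCE (10) payloads with dummy bodies.
SAMPLE = build_sample([(1, b"\x00" * 8), (4, b"\xaa" * 128), (10, b"\xbb" * 16)])

if __name__ == "__main__":
    print(check(SAMPLE))
    print(check(patched(SAMPLE, 30, b"\x00\x00")))          # payload length 0
    print(check(patched(SAMPLE, 174, b"\xff\xff")))         # length past the end
    print(check(patched(SAMPLE, 24, b"\xff\xff\xff\xff")))  # header length field
```

Every length is compared against the number of octets actually received before it is used as an offset or a copy size, so a rejected datagram never reaches the per-payload handlers.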

Verification via Exploits

To support the vulnerability reporting process, typically one exploit per implementation is refined and included in the respective vulnerability report. The exploit is only intended for demonstration purposes and is harmless as it is. The simplest of them only execute some harmless commands in the target system, typically with the privileges of the vulnerable process. Some only provide a demonstration by causing a Denial of Service (DoS) against the software.

To support the vulnerability reports to the respective vendors, the following exploits were developed:

  • None as of 2005-08-19.

Test-Material Package

Package Information

The test-material is distributed as a JAR package. The package comprises the following elements:

  • Test-cases located in org/ouspg/testcases/ directory
  • Codenomicon Toolkit Engine for feeding the test-cases against the system under test.
  • LICENSE.TXT - License for the test-material package
  • README.TXT - Very short instructions

License and Copyright

The license allows free use and redistribution of the test-material package. However, modifying the test-material package is not allowed without permission. See the license file for more information.

We recommend some additional guidelines, although these do not restrict the test-material license. These guidelines can be found in the "Test-suite releases in Theory and Practice" document.

Prerequisites

A prerequisite for using the test-material is a properly configured and started implementation, preferably not in an open network. The implementation should be configured to allow the following parameters:

  • Encryption algorithm: 3DES-CBC
  • Hash algorithm: HMAC-SHA-1
  • Authentication method: Pre-shared key
  • Group description: 1024 bit MODP (Oakley 2)

In addition, Java is required to execute the test-cases. The package has been tested on Java 2 Platform, Standard Edition (J2SE) versions 1.4.0 and 1.4.2. [8]

Usage

The test-material is used through a command line interface. The test-material is run with java, using the -jar switch.

The command java -jar c09-isakmp-r2.jar --help displays the built-in help for the available command line options:

--host host       Target hostname or IP (required)
--id id           Your ISAKMP identity IPv4 address (required)
--secret secret   Shared secret (required)
--port port       Target port (500)
--sourceport port Source port (500)
--index index     Test case index, e.g. 0,1-6,50-
--timeout timeout Timeout (ms) to wait for reply (2500)
--delay delay     Delay (ms) between test cases (1000)
--showsent        Show sent messages (off)
--showreceived    Show received messages (off)
--instrument      Use valid-case instrumentation (off)
--validcase case  Index to use in valid-case instrumentation (0)
--help            Show command line help

The minimal command line required to run all test-cases from host 10.10.10.1 against host 10.10.10.2 would then be java -jar c09-isakmp-r2.jar --host 10.10.10.2 --id 10.10.10.1 --secret deadbeef, where deadbeef would be the shared secret.

Please see Appendix B for commonly encountered error messages when using the test-material.
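When re-testing a fixed implementation, the --index option can be limited to the groups that failed earlier. The following added example (not part of the test-material package) joins rows copied from the test-group table and the results table on this page and emits a merged --index value for one test-run; the function names are hypothetical, and the host, identity and secret are the sample values used above.

```python
# Rows copied from the test-group table on this page:
# name, exceptional elements, test cases, first index, last index.
GROUP_ROWS = """\
aggr-hdr-sa-ke-nonce-id-i-identification-data-ipv4-addr Ee-empty, ee-overflow, ee-ipv4-addr 18 3495 3512
aggr-hdr-sa-ke-nonce-id-i-identification-data-fqdn Ee-empty, ee-overflow, ee-string, ee-fqdn 101 3513 3613
aggr-hdr-sa-ke-nonce-id-i-identification-data-user-fqdn Ee-empty, ee-overflow, ee-string, ee-user-fqdn 98 3614 3711
aggr-hdrc-hash-i-isakmp-header-length Ee-empty, ee-32bit 20 3850 3869
"""

# Rows copied from the results table: name, then verdicts for tr-001..tr-008.
RESULT_ROWS = """\
aggr-hdr-sa-ke-nonce-id-i-identification-data-ipv4-addr - - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-data-fqdn X - - - - - - I
aggr-hdr-sa-ke-nonce-id-i-identification-data-user-fqdn X - - - - - - I
aggr-hdrc-hash-i-isakmp-header-length - - - - - - X -
"""


def parse_groups(text):
    """Map group name -> (first, last), checking the stated case count."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        head, count, first, last = line.rsplit(None, 3)
        count, first, last = int(count), int(first), int(last)
        if last - first + 1 != count:
            raise ValueError("inconsistent row: " + line)
        groups[head.split()[0]] = (first, last)
    return groups


def parse_results(text):
    """Map group name -> list of verdict marks, one per test-run column."""
    results = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        marks = fields[1:]
        if any(mark not in ("X", "I", "-", "?") for mark in marks):
            raise ValueError("unknown verdict mark: " + line)
        results[fields[0]] = marks
    return results


def merge(ranges):
    """Merge overlapping or adjacent (first, last) ranges."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], last)
        else:
            merged.append([first, last])
    return merged


def index_spec(run, verdicts=("X",)):
    """Build the --index value for the groups with the given verdicts."""
    groups, results = parse_groups(GROUP_ROWS), parse_results(RESULT_ROWS)
    column = int(run.split("-")[1]) - 1  # "tr-001" is the first column
    picked = []
    for name, marks in results.items():
        if column >= len(marks):
            raise ValueError("no column for " + run)
        if marks[column] in verdicts:
            picked.append(groups[name])  # KeyError if the range is unknown
    return ",".join(str(a) if a == b else "%d-%d" % (a, b)
                    for a, b in merge(picked))


def rerun_argv(run, host, ident, secret, verdicts=("X",)):
    """Argument vector for a regression run, or None if nothing to re-run."""
    spec = index_spec(run, verdicts)
    if not spec:
        return None
    return ["java", "-jar", "c09-isakmp-r2.jar", "--host", host,
            "--id", ident, "--secret", secret,
            "--index", spec, "--instrument"]


if __name__ == "__main__":
    print(" ".join(rerun_argv("tr-001", "10.10.10.2", "10.10.10.1", "deadbeef")))
```

Passing verdicts=("X", "I") also re-runs the inconclusive groups, which is useful for a run such as tr-008 where no single test-case could be identified.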

Download

Use of the latest release (highest number) is recommended. Older releases are provided for completeness and reproduction.

Release 2

Release 1

Conclusions

Although this test-suite only scratches the surface of the complex ISAKMP/IKE protocol, many of the implementations available for evaluation failed to perform in a robust manner under the test. Some failures had information security implications, and should be considered as vulnerabilities. Therefore, this robustness test-material should be adopted for evaluation and development of ISAKMP/IKE products.

Acknowledgements

We wish to express our gratitude to individual vendors who worked with us to protect their customers. We are indebted to Sonera Corporation, CERT-FI and The Finnish Defence Forces for providing us facilities and support in determining the impact of the test-suite. Again, we thank CERT-FI and NISCC for their advice and active role during the vulnerability process.

Vulnerability Management

Prior Public Vulnerabilities

The most common sources for vulnerability information and exploits were covered and cross checked for potential and already known vulnerabilities in the implementations of the chosen protocol. Typical sources for finding out about existing vulnerabilities are databases and mailing-lists. Search-engines may also reveal information on past vulnerabilities.

The following prior vulnerabilities, in no particular order, were identified as ISAKMP/IKE related:

  • "Cisco IOS Unauthorized Security Association Establishment Vulnerability" [9]
  • "Cisco IOS Easy VPN Server XAUTH Authentication Bypass Vulnerability" [10]
  • "KAME Racoon Malformed ISAKMP Packet Headers Denial of Service Vulnerability" [11]
  • "OpenBSD ISAKMPD Kernel Heap Buffer Overflow Local Denial Of Service Vulnerability" [12]
  • "Entrust LibKMP ISAKMP Library Remote IPsec/ISAKMP Buffer Overflow Vulnerability" [13]
  • "OpenBSD ISAKMPD Security Association Piggyback Delete Payload Denial Of Service Vulnerability" [14]
  • "Check Point VPN-1 ISAKMP Remote Buffer Overflow Vulnerability" [15]
  • "KAME Racoon Malformed ISAKMP Packet Denial of Service Vulnerability" [16]
  • "TCPDump ISAKMP Delete Payload Buffer Overrun Vulnerability" [17]
  • "TCPDump ISAKMP Identification Payload Integer Underflow Vulnerability" [18]
  • "OpenBSD ISAKMPD Zero Payload Length Denial Of Service Vulnerability" [19]
  • "OpenBSD ISAKMPD Malformed IPSEC SA Payload Denial Of Service Vulnerability" [20]
  • "OpenBSD ISAKMPD Malformed CERT Request Payload Denial Of Service Vulnerability" [21]
  • "OpenBSD ISAKMPD Delete Payload Denial Of Service Vulnerability" [22]
  • "OpenBSD ISAKMPD Memory Leak Denial Of Service Vulnerability" [23]
  • "Check Point VPN-1/SecuRemote ISAKMP Large Certificate Request Payload Buffer Overflow Vulnerability" [24]
  • "TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerability" [25]
  • "TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow Vulnerabilities" [26]
  • "ISAKMPD "Initial Contact" Notification SA Deletion Vulnerability" [27]
  • "ISAKMPD "Invalid SPI" SA Deletion Vulnerability" [28]
  • "OpenBSD isakmpd Multiple IKE Payload Handling Security Weaknesses" [29]
  • "TCPDump Malformed ISAKMP Packet Denial Of Service Vulnerability" [30]
  • "Cisco VPN 3000 Series Concentrator ISAKMP Denial of Service Vulnerabilities" [31]
  • "OpenBSD isakmpd IKE Payloads Denial Of Service Vulnerability" [32]
  • "KAME Racoon Remote IKE Message Denial Of Service Vulnerability" [33]
  • "Cisco IOS Malformed IKE Packet Remote Denial Of Service Vulnerability" [34]
  • "Racoon IKE Daemon Unauthorized X.509 Certificate Connection Vulnerability" [35]
  • "HP Tru64 UNIX Unspecified IPsec/IKE Remote Privilege Escalation Vulnerability" [36]
  • "Multiple Vendor IKE Implementation Certificate Authenticity Verification Vulnerability" [37]
  • "Multiple Vendor IKE Insecure XAUTH Implementation Vulnerabilities" [38]
  • "Check Point VPN-1 IKE Aggressive Mode Forcing Vulnerability" [39]
  • "Netscreen-Remote VPN Client IKE Packet Excessive Payloads Vulnerability" [40]
  • "PGPFreeware Malformed IKE Response Packet Buffer Overflow Vulnerability" [41]
  • "Cisco VPN Client Zero Length IKE Packet Denial Of Service Vulnerability" [42]
  • "Cisco VPN Client IKE Security Parameter Index Payload Buffer Overflow Vulnerability" [43]
  • "Cisco VPN Client IKE Packet Excessive Payloads Vulnerability" [44]
  • "IKE Aggressive Mode Shared Secret Hash Leakage Weakness" [45]

The Vulnerability Process

During the prerelease phase all verified vulnerabilities were reported to the respective vendors. The vulnerability reports were tracked by CERT-FI and NISCC in the role of independent coordinators and advisors. An attempt was made to seek a channel to distribute the test material to vendors whose products we were not able to obtain for testing.

Advisories and Vendor Statements

Vendor statements or security advisories issued in order to address the vulnerabilities uncovered by this test-suite are collected. Advisories that we are aware of are listed herein:

References

[1]
"PROTOS - Security Testing of Protocol Implementations". University of Oulu. http://www.ee.oulu.fi/research/ouspg/protos.
[2]
Piper. (1998). "RFC 2407 - The Internet IP Security Domain of Interpretation for ISAKMP". Network Working Group. http://www.ietf.org/rfc/rfc2407.txt. [Accessed: 2004-03-11].
[3]
Maughan, et al. (1998). "RFC 2408 - Internet Security Association and Key Management Protocol (ISAKMP)". Network Working Group. http://www.ietf.org/rfc/rfc2408.txt. [Accessed: 2004-03-10].
[4]
Harkins & Carrel. (1998). "RFC 2409 - The Internet Key Exchange (IKE)". Network Working Group. http://www.ietf.org/rfc/rfc2409.txt. [Accessed: 2004-03-11].
[5]
Orman. (1998). "RFC 2412 - The OAKLEY Key Determination Protocol". Network Working Group. http://www.ietf.org/rfc/rfc2412.txt. [Accessed: 2004-03-11].
[6]
Internetweek.com. "VPN Vendor and Service Provider Links". http://www.internetweek.com/VPN/links.htm.
[7]
VPNlabs. (2002). "VPN Products and Services". http://www.vpnlabs.org/vpn-categories/Products-Services/46/index.html.
[8]
"Java[tm] 2 Platform, Standard Edition v 1.4.2 Overview". Sun Microsystems. http://java.sun.com/j2se/1.4.2/.
[9]
Cisco. (2005). "Cisco IOS Unauthorized Security Association Establishment Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/13033.
[10]
Cisco. (2005). "Cisco IOS Easy VPN Server XAUTH Authentication Bypass Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/13031.
[11]
S. Krahmer. (2005). "KAME Racoon Malformed ISAKMP Packet Headers Denial of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/12804.
[12]
S. Miltchev. (2004). "OpenBSD ISAKMPD Kernel Heap Buffer Overflow Local Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/11928.
[13]
M. Dowd & N. Mehta. (2004). "Entrust LibKMP ISAKMP Library Remote IPsec/ISAKMP Buffer Overflow Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/11039.
[14]
T. Walpuski. (2004). "OpenBSD ISAKMPD Security Association Piggyback Delete Payload Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10496.
[15]
Check Point Software. (2004). "Check Point VPN-1 ISAKMP Remote Buffer Overflow Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10273.
[16]
KAME. (2004). "KAME Racoon Malformed ISAKMP Packet Denial of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10172.
[17]
Rapid7. (2004). "TCPDump ISAKMP Delete Payload Buffer Overrun Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10003.
[18]
Rapid7. (2004). "TCPDump ISAKMP Identification Payload Integer Underflow Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10004.
[19]
OpenBSD. (2004). "OpenBSD ISAKMPD Zero Payload Length Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10028.
[20]
OpenBSD. (2004). "OpenBSD ISAKMPD Malformed IPSEC SA Payload Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10029.
[21]
OpenBSD. (2004). "OpenBSD ISAKMPD Malformed CERT Request Payload Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10030.
[22]
OpenBSD. (2004). "OpenBSD ISAKMPD Delete Payload Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10031.
[23]
OpenBSD. (2004). "OpenBSD ISAKMPD Memory Leak Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10032.
[24]
M. Dowd & N. Mehta. (2004). "Check Point VPN-1/SecuRemote ISAKMP Large Certificate Request Payload Buffer Overflow Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/9582.
[25]
G. Bakos. (2004). "TCPDump ISAKMP Decoding Routines Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/9507.
[26]
G. Bakos & J. Heusser. (2004). "TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow Vulnerabilities". SecurityFocus. http://online.securityfocus.com/bid/9423.
[27]
T. Walpuski. (2004). "ISAKMPD "Initial Contact" Notification SA Deletion Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/9334.
[28]
T. Walpuski. (2004). "ISAKMPD "Invalid SPI" SA Deletion Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/9333.
[29]
T. Walpuski. (2003). "OpenBSD isakmpd Multiple IKE Payload Handling Security Weaknesses". SecurityFocus. http://online.securityfocus.com/bid/8964.
[30]
A. Griffiths. (2003). "TCPDump Malformed ISAKMP Packet Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/6974.
[31]
Cisco. (2003). "Cisco VPN 3000 Series Concentrator ISAKMP Denial of Service Vulnerabilities". SecurityFocus. http://online.securityfocus.com/bid/5619.
[32]
OpenBSD. (2003). "OpenBSD isakmpd IKE Payloads Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/5589.
[33]
J. Lampe. (2004). "KAME Racoon Remote IKE Message Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10296.
[34]
Cisco. (2004). "Cisco IOS Malformed IKE Packet Remote Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10083.
[35]
R. Spenneberg. (2004). "Racoon IKE Daemon Unauthorized X.509 Certificate Connection Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/10072.
[36]
HP advisory. (2004). "HP Tru64 UNIX Unspecified IPsec/IKE Remote Privilege Escalation Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/9803.
[37]
T.L. Simon. (2003). "Multiple Vendor IKE Implementation Certificate Authenticity Verification Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/9208.
[38]
T.L. Simon. (2003). "Multiple Vendor IKE Insecure XAUTH Implementation Vulnerabilities". SecurityFocus. http://online.securityfocus.com/bid/9209.
[39]
Check Point. (2002). "Check Point VPN-1 IKE Aggressive Mode Forcing Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/5920.
[40]
Netscreen Security Advisory. (2002). "Netscreen-Remote VPN Client IKE Packet Excessive Payloads Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/5668.
[41]
A. Rager. (2002). "PGPFreeware Malformed IKE Response Packet Buffer Overflow Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/5449.
[42]
A. Rager. (2002). "Cisco VPN Client Zero Length IKE Packet Denial Of Service Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/5440.
[43]
A. Rager. (2002). "Cisco VPN Client IKE Security Parameter Index Payload Buffer Overflow Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/5441.
[44]
A. Rager. (2002). "Cisco VPN Client IKE Packet Excessive Payloads Vulnerability". SecurityFocus. http://online.securityfocus.com/bid/5443.
[45]
J. Pliam. (1999). "IKE Aggressive Mode Shared Secret Hash Leakage Weakness". SecurityFocus. http://online.securityfocus.com/bid/7423.

Appendix A: Release Errata

Erratum: The pr1 version of test-material contained the following bugs.

Exceptional element category ee-string included characters that were not encoded correctly in the test material. As a result, some test-cases were too large to send via UDP and the following kind of error messages were displayed:

ERROR error sending: Message too long
ERROR error sending: errno: 0, error: sendto failed

The size of the UDP socket input buffer was too small. The following kind of error message was shown:

ERROR decoded 4068 octet payload, but length was 4108

Informational exchange test-groups (prefix "info-") had a wrong ISAKMP major version number (0). Due to the bug, some implementations may have ignored these test-groups.

The maximum amount of repeats in exceptional element category ee-repeat was too high.

Erratum: The pr2 and r1 versions of test-material contain the following bugs.

The Encryption bit in the hash-information message is incorrectly set to 0.

The test group phase1-aggr-hdr-sa-ke-nonce-id-i-identification-payload-protocol-id has 10 extraneous test cases.

Appendix B: Test-Material Error Messages

Many of the error messages are due to the fact that IKE is communicated from port 500 to port 500. Therefore, port 500 sometimes receives packets not related to the current message exchange (test case).

ERROR error reading: Receive timed out

Explanation: The test suite did not receive a response within the specified timeout (timeout command line option). May indicate an availability problem in the test subject if the message is valid. For a malformed message, this error probably means that the test subject has decided not to respond.

ERROR Expected 0x00, got 0x4c (under <message-id>)

Explanation: The message-id in the ISAKMP generic header is always zero (0x00) during phase 1 negotiation (ISAKMP SA negotiation). However, during phase 2 (quick mode) it is non-zero. This error message indicates that one or more phase 1 negotiations have been completed and the test subject is trying to communicate with phase 2 messages. Can be mitigated by deleting ISAKMP SAs in the test subject.

ERROR Expected (0x00 0x00 0x01 0x04 
0x37 0x80 0x5c 0x88), got (0x00 0x00 0x01 0x04 
0x37 0x80 0x4e 0xa6) (under <cookie-i>)

ERROR Expected (0xf5 0xea 0xb4 0xed
0x0e 0x72 0xfe 0x05), got (0x24 0x9c 0x7c 0x47 
0x90 0x3d 0x9a 0xcc) (under <cookie-r>)

Explanation: One of the cookie fields in the generic ISAKMP header differs from the one used in the current phase 1 negotiation (test case). One or more phase 1 negotiations have been initiated but not finished, and the test subject is trying to finish one of these prior negotiations. Can be mitigated by removing outstanding phase 1 negotiations or limiting the phase 1 timeout/retries in the test subject.

ERROR DESede/CBC/NoPadding decyption failed due illegal 
input block size

Explanation: Decryption error. The test suite expects a certain kind of encrypted packet but receives an unencrypted packet or a packet encrypted with a different key.

ERROR detected a loop made up of repeats of <OCTET>,
out-of-memory would result (under <nonce-r-data-main>)

Explanation: The test suite did not receive the responder's nonce data because the test subject did not send a Nonce payload. This might be because of a very malformed test case. The test suite tries to process the uninitialized value of the responder's nonce data, which is set to an infinite amount of octets (because it is a variable length field).
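The header checks behind the message-id, cookie and length errors above can be reproduced when triaging a capture of port 500 traffic from a test run. The following is an added example, not part of the PROTOS test material: it assumes the 28-octet generic header layout of RFC 2408, and the function names and sample datagrams are hypothetical.

```python
import struct

# ISAKMP generic header (RFC 2408, section 3.1): 28 octets, network byte order.
HEADER = struct.Struct("!8s8sBBBBII")
FLAG_ENCRYPTION = 0x01

def parse_header(datagram):
    """Decode the fixed ISAKMP header; raise ValueError if it is truncated."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 28-octet ISAKMP header")
    ci, cr, nxt, ver, xchg, flags, mid, length = HEADER.unpack_from(datagram)
    return {"cookie_i": ci, "cookie_r": cr, "next_payload": nxt,
            "major": ver >> 4, "minor": ver & 0x0F, "exchange": xchg,
            "encrypted": bool(flags & FLAG_ENCRYPTION),
            "message_id": mid, "length": length}

def triage(datagram, cookie_i, cookie_r=None):
    """List the reasons a datagram does not fit the current phase 1 test case."""
    try:
        h = parse_header(datagram)
    except ValueError as exc:
        return [str(exc)]
    reasons = []
    if h["major"] != 1:
        reasons.append("ISAKMP major version %d, expected 1" % h["major"])
    if h["length"] != len(datagram):
        reasons.append("header length %d, datagram has %d octets"
                       % (h["length"], len(datagram)))
    if h["message_id"] != 0:  # zero throughout phase 1, as stated above
        reasons.append("non-zero message-id 0x%08x: phase 2 traffic" % h["message_id"])
    if h["cookie_i"] != cookie_i:
        reasons.append("cookie-i mismatch: reply to an earlier negotiation")
    if cookie_r is not None and h["cookie_r"] != cookie_r:
        reasons.append("cookie-r mismatch: reply to an earlier negotiation")
    return reasons

# Cookie values copied from the error messages above; the datagrams are constructed.
COOKIE_I = bytes.fromhex("0000010437805c88")
COOKIE_R = bytes.fromhex("f5eab4ed0e72fe05")
STALE_I = bytes.fromhex("0000010437804ea6")

def sample(ci, cr, major=1, message_id=0):
    """Build a header-only datagram (no payloads, main mode exchange type 2)."""
    return HEADER.pack(ci, cr, 0, major << 4, 2, 0, message_id, HEADER.size)

if __name__ == "__main__":
    for pkt in (sample(COOKIE_I, COOKIE_R), sample(STALE_I, COOKIE_R),
                sample(COOKIE_I, COOKIE_R, message_id=0x4C)):
        print(triage(pkt, COOKIE_I, COOKIE_R) or "belongs to current test case")
```
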

Appendix C: Related Test-Suites

A survey of related ISAKMP/IKE test-suites was conducted.

http://www.codenomicon.com/products/internet/isakmp/
"Codenomicon ISAKMP/IKE Test Tool helps proactively eliminate security flaws in ISAKMP/IKE implementations."
http://www.rapid7.com
"Rapid7 Striker ISAKMP Protocol Test Suite is an ISAKMP packet generation tool that automatically produces and sends invalid and/or atypical ISAKMP packets."
