IPsec Test Suite Data Sheet

Test Suite: IPsec Test Suite
Direction: NA

Internet Protocol Security (IPsec) is a framework that offers capabilities for securing IP packets. This test suite can be used to test IPsec implementations for security flaws and robustness problems.

Used specifications

Specification  Title
RFC768         User Datagram Protocol
RFC791         Internet Protocol Specification
RFC792         Internet Control Message Protocol
RFC2402        IP Authentication Header
RFC2406        IP Encapsulating Security Payload (ESP)
RFC3173        IP Payload Compression Protocol (IPComp)
RFC3948        UDP Encapsulation of IPsec ESP Packets
RFC4106        The use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
RFC4302        IP Authentication Header
RFC4303        IP Encapsulating Security Payload (ESP)
RFC4304        Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet Security Association
RFC4305        Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
RFC4868        Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
RFC4891        Using IPsec to Secure IPv6-in-IPv4 Tunnels

Tool-specific information

Tested message elements        Specifications
IPv4 header                    RFC791
ICMP header                    RFC792
IPComp header                  RFC3173
Authentication header          RFC4302
Encapsulated Security Payload  RFC4303

Interoperability not verified with the following message groups  Sub-Group
NAT-Traversal Transport                                          ESP, Keep-Alive
NAT-Traversal Tunnel                                             ESP, Keep-Alive

Other features
Modes/Algorithms
IPsec tested with:

AH, ESP and AH+ESP both in transport and tunnel modes and with IPComp.

Supported AH authentication algorithms and ESP integrity algorithms:

NULL, HMAC_SHA1-96, HMAC_MD5-96, HMAC_SHA256-128, HMAC_SHA384-192, HMAC_SHA512-256.

Supported ESP crypto algorithms:

NULL, DES, DES3, AES-CBC128, AES-CBC192, AES-CBC256.

NAT traversal for the ESP test cases is supported with UDP encapsulation.

Support for Asymmetric Security Association configuration. Separate SAs can be configured for inbound and outbound packets.

IPComp supports deflate compression. Deflate compression can be executed either with or without GZIP/PKZIP support.

IPsec SA for the test suite can be negotiated with ISAKMP Server Test Suite 5.0.0 or later.

IPsec SA for the test suite can be negotiated with IKEv2 Server Test Suite 5.1.0 or later.

Test tool general features
  • Fully automated black-box negative testing
  • Ready-made test cases
  • Written in Java(tm)
  • GUI, command line and remote interface modes
  • Instrumentation (health-check) capability
  • Support and maintenance
  • Comprehensive user documentation
  • Results reporting and analysis