Menu
▾
▴
Re: [Audit-test-developer] IPsec - configuration vs. tests
|
From: Stephan M. <ste...@at...> - 2011-11-02 08:31:04
|
On 01.11.2011 14:33:00, +0100, Ondrej Moriš <om...@re...> wrote:
Hi Ondrej,
> Hi Stephan,
>
> audit-test contains configuration for the following IPsec testing
> scenarios:
>
> 1. ESP between TOE and itself over IPv4/TCP (TOE = Target of Evaluation,
> NS = Network Server)
> 2. AH between TOE and NS over IPv4/TCP
> 3. ESP between TOE and itself over IPv4/UDP allowing SystemLow (s0) on
> port 4300 only
> 4. ESP between TOE and itself over IPv4/UDP allowing SystemHigh
> (s15:c0.c1023) on port 4301 only
> 5. AH between TOE and NS over IPv4/UDPallowing SystemLow (s0) on port
> 4300 only
> 6. AH between TOE and NS over IPv4/UDPallowing SystemHigh (s15:c0.c1023)
> on port 4301only
> 7. ESP between TOE and itself over IPv6/TCP
> 8. AH between TOE and NS over IPv6/TCP
> 9. ESP between TOE and itself over IPv6/UDP allowing SystemLow (s0) on
> port 4300 only
> 10.ESP between TOE and itself over IPv6/UDP allowing SystemHigh
> (s15:c0.c1023) on port 4301 only
> 11.AH between TOE and NS over IPv6/UDPallowing SystemLow (s0) on port
> 4300 only
> 12. AH between TOE and NS over IPv6/UDPallowing SystemHigh
> (s15:c0.c1023) on port 4301only
>
> but IPsec test in trustedprograms (test_ipsec.bash) tests only scenarios
> 2 and 8. Configuration of IPsec comes from audit-test used in RHEL5, it
> was just rewritten from ipsec-tools / setkey notation into openswan /
> ip_xfrm notation. On RHEL5, IPsec test in trustedprograms
> (test_racoon.bash) tests scenario 2 only. We have extended it to cover
> scenario 8 as well. But remaining scenarios are not covered by IPsec
> test trustedprograms (test_ipsec.bash) on RHEL6.
>
> What is the meaning of the other testing scenarios (ie. {1..12} /
> {2,8})? Is their configuration needed for some tests in networking
> directory of audit-test? Are they supposed to be covered by ipsec test
> in trustedprograms? Otherwise they are useless and they should be
> removed them from ipsec configuration (which is performed, for instance,
> on TOE by 'make netconfig').
For IPSEC, the only functionality we care about is the labeled
networking support. Any crypto support is irrelevant for us. Therefore,
the tests above a nice, but we need to have MLS labeled networking tests
(like test 10 through 12).
>
--
Ciao
Stephan
atsec information security GmbH, Steinstraße 70, 81667 München, Germany
P: +49 89 442 49 830 - F: +49 89 442 49 831
M: +49 172 216 55 78 - HRB: 129439 (Amtsgericht München)
GF: Salvatore la Pietra, Staffan Persson
atsec it security news blog - atsec-information-security.blogspot.com
|