From: Stephan M. <ste...@at...> - 2011-11-02 08:31:04
On 01.11.2011 14:33:00, +0100, Ondrej Moriš <om...@re...> wrote:

Hi Ondrej,

> Hi Stephan,
>
> audit-test contains configuration for the following IPsec testing
> scenarios:
>
> 1. ESP between TOE and itself over IPv4/TCP (TOE = Target of Evaluation,
>    NS = Network Server)
> 2. AH between TOE and NS over IPv4/TCP
> 3. ESP between TOE and itself over IPv4/UDP allowing SystemLow (s0) on
>    port 4300 only
> 4. ESP between TOE and itself over IPv4/UDP allowing SystemHigh
>    (s15:c0.c1023) on port 4301 only
> 5. AH between TOE and NS over IPv4/UDP allowing SystemLow (s0) on port
>    4300 only
> 6. AH between TOE and NS over IPv4/UDP allowing SystemHigh (s15:c0.c1023)
>    on port 4301 only
> 7. ESP between TOE and itself over IPv6/TCP
> 8. AH between TOE and NS over IPv6/TCP
> 9. ESP between TOE and itself over IPv6/UDP allowing SystemLow (s0) on
>    port 4300 only
> 10. ESP between TOE and itself over IPv6/UDP allowing SystemHigh
>     (s15:c0.c1023) on port 4301 only
> 11. AH between TOE and NS over IPv6/UDP allowing SystemLow (s0) on port
>     4300 only
> 12. AH between TOE and NS over IPv6/UDP allowing SystemHigh
>     (s15:c0.c1023) on port 4301 only
>
> but the IPsec test in trustedprograms (test_ipsec.bash) tests only scenarios
> 2 and 8. The configuration of IPsec comes from the audit-test used in RHEL5; it
> was just rewritten from ipsec-tools / setkey notation into openswan /
> ip_xfrm notation. On RHEL5, the IPsec test in trustedprograms
> (test_racoon.bash) tests scenario 2 only. We have extended it to cover
> scenario 8 as well. But the remaining scenarios are not covered by the IPsec
> test in trustedprograms (test_ipsec.bash) on RHEL6.
>
> What is the meaning of the other testing scenarios (ie. {1..12} /
> {2,8})? Is their configuration needed for some tests in the networking
> directory of audit-test? Are they supposed to be covered by the ipsec test
> in trustedprograms? Otherwise they are useless and they should be
> removed from the ipsec configuration (which is performed, for instance,
> on TOE by 'make netconfig').

For IPSEC, the only functionality we care about is the labeled networking
support. Any crypto support is irrelevant for us. Therefore, the tests above
are nice, but we need to have MLS labeled networking tests (like test 10
through 12).

-- 
Ciao
Stephan

atsec information security GmbH, Steinstraße 70, 81667 München, Germany
P: +49 89 442 49 830 - F: +49 89 442 49 831
M: +49 172 216 55 78 - HRB: 129439 (Amtsgericht München)
GF: Salvatore la Pietra, Staffan Persson
atsec it security news blog - atsec-information-security.blogspot.com
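As an added example (not code from audit-test, openswan, or either author in this thread), the POSIX shell function below emits the `ip xfrm` state and policy commands for one labeled scenario of the kind listed above: an ESP or AH SA in transport mode, pinned by its selector to a single UDP or TCP port, and carrying an SELinux context through the xfrm `ctx` option so that the SystemLow (s0) and SystemHigh (s15:c0.c1023) ports get distinct labels. It only prints the commands, so the label attached to each SA and SPD entry can be reviewed before anything is loaded. The addresses (192.0.2.x / 2001:db8::x), the SPIs, the key material and the `ipsec_spd_t` context type are placeholders chosen for illustration, not values from audit-test.

```shell
#!/bin/sh
# Added example (not from audit-test or the thread authors): build the
# 'ip xfrm' commands for a labeled-IPsec scenario and print them.
#
# Assumptions (hypothetical, for illustration only):
#   - TOE is 192.0.2.1 / 2001:db8::1, NS is 192.0.2.2 / 2001:db8::2
#   - SPIs 0x1000 (outbound) and 0x1001 (inbound)
#   - dummy static keys; the point is the label, not the crypto
#   - CONTEXT is a full SELinux context such as
#     system_u:object_r:ipsec_spd_t:s0 or system_u:object_r:ipsec_spd_t:s15:c0.c1023

# context_level CONTEXT -> prints the MLS level/range (4th field onward),
# e.g. "s15:c0.c1023" for a SystemHigh context.
context_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# labeled_ipsec_cmds PROTO L4 PORT CONTEXT [FAMILY]
#   PROTO   esp | ah
#   L4      tcp | udp
#   PORT    port the SA is restricted to (4300 / 4301 in the scenarios above)
#   CONTEXT SELinux context attached via 'ctx' to both the SA and the SPD entry
#   FAMILY  4 (default) | 6
labeled_ipsec_cmds() {
    proto=$1; l4=$2; port=$3; ctx=$4; family=${5:-4}
    case "$proto" in esp|ah) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case "$l4" in tcp|udp) ;; *) echo "bad l4: $l4" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac

    if [ "$family" = 6 ]; then
        toe=2001:db8::1; ns=2001:db8::2
    else
        toe=192.0.2.1; ns=192.0.2.2
    fi

    # Placeholder keymat: 160-bit HMAC-SHA1 (truncated to 96 bits) and 128-bit AES.
    auth="auth-trunc hmac(sha1) 0x0102030405060708090a0b0c0d0e0f1011121314 96"
    enc="enc cbc(aes) 0x000102030405060708090a0b0c0d0e0f"
    if [ "$proto" = esp ]; then algs="$auth $enc"; else algs="$auth"; fi

    spi=0x1000
    for dir in out in; do
        # Outbound: TOE -> NS, traffic to the service port (dport).
        # Inbound:  NS -> TOE, replies come from that port (sport).
        if [ "$dir" = out ]; then
            a=$toe; b=$ns; portsel="dport $port"
        else
            a=$ns; b=$toe; portsel="sport $port"
        fi
        # SA: selector pins it to one L4 protocol/port; ctx carries the MLS label.
        echo "ip xfrm state add src $a dst $b proto $proto spi $spi mode transport" \
             "$algs sel src $a dst $b proto $l4 $portsel ctx $ctx"
        # SPD entry for the same flow, labeled identically, pointing at that SA.
        echo "ip xfrm policy add src $a dst $b proto $l4 $portsel dir $dir" \
             "ctx $ctx tmpl src $a dst $b proto $proto mode transport"
        spi=0x1001
    done
}
```

Usage: `labeled_ipsec_cmds esp udp 4301 system_u:object_r:ipsec_spd_t:s15:c0.c1023` prints the four commands for a SystemHigh ESP/UDP scenario over IPv4, and `labeled_ipsec_cmds ah tcp 4300 system_u:object_r:ipsec_spd_t:s0 6` the AH/TCP SystemLow variant over IPv6. Piping the output into `sh` on a host with labeled IPsec enabled would load it; the check worth making first is that the `ctx` on each state/policy pair matches the port it is restricted to, since a mismatch (SystemHigh label on the 4300 SA, say) would be exactly the labeling error these tests exist to catch.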