1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
|
Network Working Group D. Piper
Request for Comments: 2407 Network Alchemy
Category: Standards Track November 1998
The Internet IP Security Domain of Interpretation for ISAKMP
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
IESG Note
Section 4.4.4.2 states, "All implememtations within the IPSEC DOI
MUST support ESP_DES...". Recent work in the area of cryptanalysis
suggests that DES may not be sufficiently strong for many
applications. Therefore, it is very likely that the IETF will
deprecate the use of ESP_DES as a mandatory cipher suite in the near
future. It will remain as an optional use protocol. Although the
IPsec working group and the IETF in general have not settled on an
alternative algorithm (taking into account concerns of security and
performance), implementers may want to heed the recommendations of
section 4.4.4.3 on the use of ESP_3DES.
1. Abstract
The Internet Security Association and Key Management Protocol
(ISAKMP) defines a framework for security association management and
cryptographic key establishment for the Internet. This framework
consists of defined exchanges, payloads, and processing guidelines
that occur within a given Domain of Interpretation (DOI). This
document defines the Internet IP Security DOI (IPSEC DOI), which
instantiates ISAKMP for use with IP when IP uses ISAKMP to negotiate
security associations.
For a list of changes since the previous version of the IPSEC DOI,
please see Section 7.
Piper Standards Track [Page 1]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
2. Introduction
Within ISAKMP, a Domain of Interpretation is used to group related
protocols using ISAKMP to negotiate security associations. Security
protocols sharing a DOI choose security protocol and cryptographic
transforms from a common namespace and share key exchange protocol
identifiers. They also share a common interpretation of DOI-specific
payload data content, including the Security Association and
Identification payloads.
Overall, ISAKMP places the following requirements on a DOI
definition:
o define the naming scheme for DOI-specific protocol identifiers
o define the interpretation for the Situation field
o define the set of applicable security policies
o define the syntax for DOI-specific SA Attributes (Phase II)
o define the syntax for DOI-specific payload contents
o define additional Key Exchange types, if needed
o define additional Notification Message types, if needed
The remainder of this document details the instantiation of these
requirements for using the IP Security (IPSEC) protocols to provide
authentication, integrity, and/or confidentiality for IP packets sent
between cooperating host systems and/or firewalls.
For a description of the overall IPSEC architecture, see [ARCH],
[AH], and [ESP].
3. Terms and Definitions
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
document, are to be interpreted as described in [RFC 2119].
4.1 IPSEC Naming Scheme
Within ISAKMP, all DOI's must be registered with the IANA in the
"Assigned Numbers" RFC [STD-2]. The IANA Assigned Number for the
Internet IP Security DOI (IPSEC DOI) is one (1). Within the IPSEC
DOI, all well-known identifiers MUST be registered with the IANA
under the IPSEC DOI. Unless otherwise noted, all tables within this
document refer to IANA Assigned Numbers for the IPSEC DOI. See
Section 6 for further information relating to the IANA registry for
the IPSEC DOI.
All multi-octet binary values are stored in network byte order.
Piper Standards Track [Page 2]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
4.2 IPSEC Situation Definition
Within ISAKMP, the Situation provides information that can be used by
the responder to make a policy determination about how to process the
incoming Security Association request. For the IPSEC DOI, the
Situation field is a four (4) octet bitmask with the following
values.
Situation Value
--------- -----
SIT_IDENTITY_ONLY 0x01
SIT_SECRECY 0x02
SIT_INTEGRITY 0x04
4.2.1 SIT_IDENTITY_ONLY
The SIT_IDENTITY_ONLY type specifies that the security association
will be identified by source identity information present in an
associated Identification Payload. See Section 4.6.2 for a complete
description of the various Identification types. All IPSEC DOI
implementations MUST support SIT_IDENTITY_ONLY by including an
Identification Payload in at least one of the Phase I Oakley
exchanges ([IKE], Section 5) and MUST abort any association setup
that does not include an Identification Payload.
If an initiator supports neither SIT_SECRECY nor SIT_INTEGRITY, the
situation consists only of the 4 octet situation bitmap and does not
include the Labeled Domain Identifier field (Figure 1, Section 4.6.1)
or any subsequent label information. Conversely, if the initiator
supports either SIT_SECRECY or SIT_INTEGRITY, the Labeled Domain
Identifier MUST be included in the situation payload.
4.2.2 SIT_SECRECY
The SIT_SECRECY type specifies that the security association is being
negotiated in an environment that requires labeled secrecy. If
SIT_SECRECY is present in the Situation bitmap, the Situation field
will be followed by variable-length data that includes a sensitivity
level and compartment bitmask. See Section 4.6.1 for a complete
description of the Security Association Payload format.
If an initiator does not support SIT_SECRECY, SIT_SECRECY MUST NOT be
set in the Situation bitmap and no secrecy level or category bitmaps
shall be included.
If a responder does not support SIT_SECRECY, a SITUATION-NOT-
SUPPORTED Notification Payload SHOULD be returned and the security
association setup MUST be aborted.
Piper Standards Track [Page 3]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
4.2.3 SIT_INTEGRITY
The SIT_INTEGRITY type specifies that the security association is
being negotiated in an environment that requires labeled integrity.
If SIT_INTEGRITY is present in the Situation bitmap, the Situation
field will be followed by variable-length data that includes an
integrity level and compartment bitmask. If SIT_SECRECY is also in
use for the association, the integrity information immediately
follows the variable-length secrecy level and categories. See
section 4.6.1 for a complete description of the Security Association
Payload format.
If an initiator does not support SIT_INTEGRITY, SIT_INTEGRITY MUST
NOT be set in the Situation bitmap and no integrity level or category
bitmaps shall be included.
If a responder does not support SIT_INTEGRITY, a SITUATION-NOT-
SUPPORTED Notification Payload SHOULD be returned and the security
association setup MUST be aborted.
4.3 IPSEC Security Policy Requirements
The IPSEC DOI does not impose specific security policy requirements
on any implementation. Host system policy issues are outside of the
scope of this document.
However, the following sections touch on some of the issues that must
be considered when designing an IPSEC DOI host implementation. This
section should be considered only informational in nature.
4.3.1 Key Management Issues
It is expected that many systems choosing to implement ISAKMP will
strive to provide a protected domain of execution for a combined IKE
key management daemon. On protected-mode multiuser operating
systems, this key management daemon will likely exist as a separate
privileged process.
In such an environment, a formalized API to introduce keying material
into the TCP/IP kernel may be desirable. The IP Security
architecture does not place any requirements for structure or flow
between a host TCP/IP kernel and its key management provider.
Piper Standards Track [Page 4]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
4.3.2 Static Keying Issues
Host systems that implement static keys, either for use directly by
IPSEC, or for authentication purposes (see [IKE] Section 5.4), should
take steps to protect the static keying material when it is not
residing in a protected memory domain or actively in use by the
TCP/IP kernel.
For example, on a laptop, one might choose to store the static keys
in a configuration store that is, itself, encrypted under a private
password.
Depending on the operating system and utility software installed, it
may not be possible to protect the static keys once they've been
loaded into the TCP/IP kernel, however they should not be trivially
recoverable on initial system startup without having to satisfy some
additional form of authentication.
4.3.3 Host Policy Issues
It is not realistic to assume that the transition to IPSEC will occur
overnight. Host systems must be prepared to implement flexible
policy lists that describe which systems they desire to speak
securely with and which systems they require speak securely to them.
Some notion of proxy firewall addresses may also be required.
A minimal approach is probably a static list of IP addresses, network
masks, and a security required flag or flags.
A more flexible implementation might consist of a list of wildcard
DNS names (e.g. '*.foo.bar'), an in/out bitmask, and an optional
firewall address. The wildcard DNS name would be used to match
incoming or outgoing IP addresses, the in/out bitmask would be used
to determine whether or not security was to be applied and in which
direction, and the optional firewall address would be used to
indicate whether or not tunnel mode would be needed to talk to the
target system though an intermediate firewall.
4.3.4 Certificate Management
Host systems implementing a certificate-based authentication scheme
will need a mechanism for obtaining and managing a database of
certificates.
Secure DNS is to be one certificate distribution mechanism, however
the pervasive availability of secure DNS zones, in the short term, is
doubtful for many reasons. What's far more likely is that hosts will
Piper Standards Track [Page 5]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
need an ability to import certificates that they acquire through
secure, out-of-band mechanisms, as well as an ability to export their
own certificates for use by other systems.
However, manual certificate management should not be done so as to
preclude the ability to introduce dynamic certificate discovery
mechanisms and/or protocols as they become available.
4.4 IPSEC Assigned Numbers
The following sections list the Assigned Numbers for the IPSEC DOI:
Situation Identifiers, Protocol Identifiers, Transform Identifiers,
AH, ESP, and IPCOMP Transform Identifiers, Security Association
Attribute Type Values, Labeled Domain Identifiers, ID Payload Type
Values, and Notify Message Type Values.
4.4.1 IPSEC Security Protocol Identifier
The ISAKMP proposal syntax was specifically designed to allow for the
simultaneous negotiation of multiple Phase II security protocol
suites within a single negotiation. As a result, the protocol suites
listed below form the set of protocols that can be negotiated at the
same time. It is a host policy decision as to what protocol suites
might be negotiated together.
The following table lists the values for the Security Protocol
Identifiers referenced in an ISAKMP Proposal Payload for the IPSEC
DOI.
Protocol ID Value
----------- -----
RESERVED 0
PROTO_ISAKMP 1
PROTO_IPSEC_AH 2
PROTO_IPSEC_ESP 3
PROTO_IPCOMP 4
4.4.1.1 PROTO_ISAKMP
The PROTO_ISAKMP type specifies message protection required during
Phase I of the ISAKMP protocol. The specific protection mechanism
used for the IPSEC DOI is described in [IKE]. All implementations
within the IPSEC DOI MUST support PROTO_ISAKMP.
NB: ISAKMP reserves the value one (1) across all DOI definitions.
Piper Standards Track [Page 6]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
4.4.1.2 PROTO_IPSEC_AH
The PROTO_IPSEC_AH type specifies IP packet authentication. The
default AH transform provides data origin authentication, integrity
protection, and replay detection. For export control considerations,
confidentiality MUST NOT be provided by any PROTO_IPSEC_AH transform.
4.4.1.3 PROTO_IPSEC_ESP
The PROTO_IPSEC_ESP type specifies IP packet confidentiality.
Authentication, if required, must be provided as part of the ESP
transform. The default ESP transform includes data origin
authentication, integrity protection, replay detection, and
confidentiality.
4.4.1.4 PROTO_IPCOMP
The PROTO_IPCOMP type specifies IP payload compression as defined in
[IPCOMP].
4.4.2 IPSEC ISAKMP Transform Identifiers
As part of an ISAKMP Phase I negotiation, the initiator's choice of
Key Exchange offerings is made using some host system policy
description. The actual selection of Key Exchange mechanism is made
using the standard ISAKMP Proposal Payload. The following table
lists the defined ISAKMP Phase I Transform Identifiers for the
Proposal Payload for the IPSEC DOI.
Transform Value
--------- -----
RESERVED 0
KEY_IKE 1
Within the ISAKMP and IPSEC DOI framework it is possible to define
key establishment protocols other than IKE (Oakley). Previous
versions of this document defined types both for manual keying and
for schemes based on use of a generic Key Distribution Center (KDC).
These identifiers have been removed from the current document.
The IPSEC DOI can still be extended later to include values for
additional non-Oakley key establishment protocols for ISAKMP and
IPSEC, such as Kerberos [RFC-1510] or the Group Key Management
Protocol (GKMP) [RFC-2093].
Piper Standards Track [Page 7]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
4.4.2.1 KEY_IKE
The KEY_IKE type specifies the hybrid ISAKMP/Oakley Diffie-Hellman
key exchange (IKE) as defined in the [IKE] document. All
implementations within the IPSEC DOI MUST support KEY_IKE.
4.4.3 IPSEC AH Transform Identifiers
The Authentication Header Protocol (AH) defines one mandatory and
several optional transforms used to provide authentication,
integrity, and replay detection. The following table lists the
defined AH Transform Identifiers for the ISAKMP Proposal Payload for
the IPSEC DOI.
Note: the Authentication Algorithm attribute MUST be specified to
identify the appropriate AH protection suite. For example, AH_MD5
can best be thought of as a generic AH transform using MD5. To
request the HMAC construction with AH, one specifies the AH_MD5
transform ID along with the Authentication Algorithm attribute set to
HMAC-MD5. This is shown using the "Auth(HMAC-MD5)" notation in the
following sections.
Transform ID Value
------------ -----
RESERVED 0-1
AH_MD5 2
AH_SHA 3
AH_DES 4
Note: all mandatory-to-implement algorithms are listed as "MUST"
implement (e.g. AH_MD5) in the following sections. All other
algorithms are optional and MAY be implemented in any particular
implementation.
4.4.3.1 AH_MD5
The AH_MD5 type specifies a generic AH transform using MD5. The
actual protection suite is determined in concert with an associated
SA attribute list. A generic MD5 transform is currently undefined.
All implementations within the IPSEC DOI MUST support AH_MD5 along
with the Auth(HMAC-MD5) attribute. This suite is defined as the
HMAC-MD5-96 transform described in [HMACMD5].
The AH_MD5 type along with the Auth(KPDK) attribute specifies the AH
transform (Key/Pad/Data/Key) described in RFC-1826.
Piper Standards Track [Page 8]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
Use of AH_MD5 with any other Authentication Algorithm attribute value
is currently undefined.
4.4.3.2 AH_SHA
The AH_SHA type specifies a generic AH transform using SHA-1. The
actual protection suite is determined in concert with an associated
SA attribute list. A generic SHA transform is currently undefined.
All implementations within the IPSEC DOI MUST support AH_SHA along
with the Auth(HMAC-SHA) attribute. This suite is defined as the
HMAC-SHA-1-96 transform described in [HMACSHA].
Use of AH_SHA with any other Authentication Algorithm attribute value
is currently undefined.
4.4.3.3 AH_DES
The AH_DES type specifies a generic AH transform using DES. The
actual protection suite is determined in concert with an associated
SA attribute list. A generic DES transform is currently undefined.
The IPSEC DOI defines AH_DES along with the Auth(DES-MAC) attribute
to be a DES-MAC transform. Implementations are not required to
support this mode.
Use of AH_DES with any other Authentication Algorithm attribute value
is currently undefined.
4.4.4 IPSEC ESP Transform Identifiers
The Encapsulating Security Payload (ESP) defines one mandatory and
many optional transforms used to provide data confidentiality. The
following table lists the defined ESP Transform Identifiers for the
ISAKMP Proposal Payload for the IPSEC DOI.
Note: when authentication, integrity protection, and replay detection
are required, the Authentication Algorithm attribute MUST be
specified to identify the appropriate ESP protection suite. For
example, to request HMAC-MD5 authentication with 3DES, one specifies
the ESP_3DES transform ID with the Authentication Algorithm attribute
set to HMAC-MD5. For additional processing requirements, see Section
4.5 (Authentication Algorithm).
Piper Standards Track [Page 9]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
Transform ID Value
------------ -----
RESERVED 0
ESP_DES_IV64 1
ESP_DES 2
ESP_3DES 3
ESP_RC5 4
ESP_IDEA 5
ESP_CAST 6
ESP_BLOWFISH 7
ESP_3IDEA 8
ESP_DES_IV32 9
ESP_RC4 10
ESP_NULL 11
Note: all mandatory-to-implement algorithms are listed as "MUST"
implement (e.g. ESP_DES) in the following sections. All other
algorithms are optional and MAY be implemented in any particular
implementation.
4.4.4.1 ESP_DES_IV64
The ESP_DES_IV64 type specifies the DES-CBC transform defined in
RFC-1827 and RFC-1829 using a 64-bit IV.
4.4.4.2 ESP_DES
The ESP_DES type specifies a generic DES transform using DES-CBC.
The actual protection suite is determined in concert with an
associated SA attribute list. A generic transform is currently
undefined.
All implementations within the IPSEC DOI MUST support ESP_DES along
with the Auth(HMAC-MD5) attribute. This suite is defined as the
[DES] transform, with authentication and integrity provided by HMAC
MD5 [HMACMD5].
4.4.4.3 ESP_3DES
The ESP_3DES type specifies a generic triple-DES transform. The
actual protection suite is determined in concert with an associated
SA attribute list. The generic transform is currently undefined.
All implementations within the IPSEC DOI are strongly encouraged to
support ESP_3DES along with the Auth(HMAC-MD5) attribute. This suite
is defined as the [ESPCBC] transform, with authentication and
integrity provided by HMAC MD5 [HMACMD5].
Piper Standards Track [Page 10]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
4.4.4.4 ESP_RC5
The ESP_RC5 type specifies the RC5 transform defined in [ESPCBC].
4.4.4.5 ESP_IDEA
The ESP_IDEA type specifies the IDEA transform defined in [ESPCBC].
4.4.4.6 ESP_CAST
The ESP_CAST type specifies the CAST transform defined in [ESPCBC].
4.4.4.7 ESP_BLOWFISH
The ESP_BLOWFISH type specifies the BLOWFISH transform defined in
[ESPCBC].
4.4.4.8 ESP_3IDEA
The ESP_3IDEA type is reserved for triple-IDEA.
4.4.4.9 ESP_DES_IV32
The ESP_DES_IV32 type specifies the DES-CBC transform defined in
RFC-1827 and RFC-1829 using a 32-bit IV.
4.4.4.10 ESP_RC4
The ESP_RC4 type is reserved for RC4.
4.4.4.11 ESP_NULL
The ESP_NULL type specifies no confidentiality is to be provided by
ESP. ESP_NULL is used when ESP is being used to tunnel packets which
require only authentication, integrity protection, and replay
detection.
All implementations within the IPSEC DOI MUST support ESP_NULL. The
ESP NULL transform is defined in [ESPNULL]. See the Authentication
Algorithm attribute description in Section 4.5 for additional
requirements relating to the use of ESP_NULL.
4.4.5 IPSEC IPCOMP Transform Identifiers
The IP Compression (IPCOMP) transforms define optional compression
algorithms that can be negotiated to provide for IP payload
compression ([IPCOMP]). The following table lists the defined IPCOMP
Transform Identifiers for the ISAKMP Proposal Payload within the
Piper Standards Track [Page 11]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
IPSEC DOI.
Transform ID Value
------------ -----
RESERVED 0
IPCOMP_OUI 1
IPCOMP_DEFLATE 2
IPCOMP_LZS 3
4.4.5.1 IPCOMP_OUI
The IPCOMP_OUI type specifies a proprietary compression transform.
The IPCOMP_OUI type must be accompanied by an attribute which further
identifies the specific vendor algorithm.
4.4.5.2 IPCOMP_DEFLATE
The IPCOMP_DEFLATE type specifies the use of the "zlib" deflate
algorithm as specified in [DEFLATE].
4.4.5.3 IPCOMP_LZS
The IPCOMP_LZS type specifies the use of the Stac Electronics LZS
algorithm as specified in [LZS].
4.5 IPSEC Security Association Attributes
The following SA attribute definitions are used in Phase II of an IKE
negotiation. Attribute types can be either Basic (B) or Variable-
Length (V). Encoding of these attributes is defined in the base
ISAKMP specification.
Attributes described as basic MUST NOT be encoded as variable.
Variable length attributes MAY be encoded as basic attributes if
their value can fit into two octets. See [IKE] for further
information on attribute encoding in the IPSEC DOI. All restrictions
listed in [IKE] also apply to the IPSEC DOI.
Piper Standards Track [Page 12]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
Attribute Types
class value type
-------------------------------------------------
SA Life Type 1 B
SA Life Duration 2 V
Group Description 3 B
Encapsulation Mode 4 B
Authentication Algorithm 5 B
Key Length 6 B
Key Rounds 7 B
Compress Dictionary Size 8 B
Compress Private Algorithm 9 V
Class Values
SA Life Type
SA Duration
Specifies the time-to-live for the overall security
association. When the SA expires, all keys negotiated under
the association (AH or ESP) must be renegotiated. The life
type values are:
RESERVED 0
seconds 1
kilobytes 2
Values 3-61439 are reserved to IANA. Values 61440-65535 are
for private use. For a given Life Type, the value of the
Life Duration attribute defines the actual length of the
component lifetime -- either a number of seconds, or a number
of Kbytes that can be protected.
If unspecified, the default value shall be assumed to be
28800 seconds (8 hours).
An SA Life Duration attribute MUST always follow an SA Life
Type which describes the units of duration.
See Section 4.5.4 for additional information relating to
lifetime notification.
Group Description
Specifies the Oakley Group to be used in a PFS QM
negotiation. For a list of supported values, see Appendix A
of [IKE].
Piper Standards Track [Page 13]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
Encapsulation Mode
RESERVED 0
Tunnel 1
Transport 2
Values 3-61439 are reserved to IANA. Values 61440-65535 are
for private use.
If unspecified, the default value shall be assumed to be
unspecified (host-dependent).
Authentication Algorithm
RESERVED 0
HMAC-MD5 1
HMAC-SHA 2
DES-MAC 3
KPDK 4
Values 5-61439 are reserved to IANA. Values 61440-65535 are
for private use.
There is no default value for Auth Algorithm, as it must be
specified to correctly identify the applicable AH or ESP
transform, except in the following case.
When negotiating ESP without authentication, the Auth
Algorithm attribute MUST NOT be included in the proposal.
When negotiating ESP without confidentiality, the Auth
Algorithm attribute MUST be included in the proposal and the
ESP transform ID must be ESP_NULL.
Key Length
RESERVED 0
There is no default value for Key Length, as it must be
specified for transforms using ciphers with variable key
lengths. For fixed length ciphers, the Key Length attribute
MUST NOT be sent.
Key Rounds
RESERVED 0
There is no default value for Key Rounds, as it must be
specified for transforms using ciphers with varying numbers
of rounds.
Piper Standards Track [Page 14]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
Compression Dictionary Size
RESERVED 0
Specifies the log2 maximum size of the dictionary.
There is no default value for dictionary size.
Compression Private Algorithm
Specifies a private vendor compression algorithm. The first
three (3) octets must be an IEEE assigned company_id (OUI).
The next octet may be a vendor specific compression subtype,
followed by zero or more octets of vendor data.
4.5.1 Required Attribute Support
To ensure basic interoperability, all implementations MUST be
prepared to negotiate all of the following attributes.
SA Life Type
SA Duration
Auth Algorithm
4.5.2 Attribute Parsing Requirement (Lifetime)
To allow for flexible semantics, the IPSEC DOI requires that a
conforming ISAKMP implementation MUST correctly parse an attribute
list that contains multiple instances of the same attribute class, so
long as the different attribute entries do not conflict with one
another. Currently, the only attributes which requires this
treatment are Life Type and Duration.
To see why this is important, the following example shows the binary
encoding of a four entry attribute list that specifies an SA Lifetime
of either 100MB or 24 hours. (See Section 3.3 of [ISAKMP] for a
complete description of the attribute encoding format.)
Attribute #1:
0x80010001 (AF = 1, type = SA Life Type, value = seconds)
Attribute #2:
0x00020004 (AF = 0, type = SA Duration, length = 4 bytes)
0x00015180 (value = 0x15180 = 86400 seconds = 24 hours)
Attribute #3:
0x80010002 (AF = 1, type = SA Life Type, value = KB)
Piper Standards Track [Page 15]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
Attribute #4:
0x00020004 (AF = 0, type = SA Duration, length = 4 bytes)
0x000186A0 (value = 0x186A0 = 100000KB = 100MB)
If conflicting attributes are detected, an ATTRIBUTES-NOT-SUPPORTED
Notification Payload SHOULD be returned and the security association
setup MUST be aborted.
4.5.3 Attribute Negotiation
If an implementation receives a defined IPSEC DOI attribute (or
attribute value) which it does not support, an ATTRIBUTES-NOT-SUPPORT
SHOULD be sent and the security association setup MUST be aborted,
unless the attribute value is in the reserved range.
If an implementation receives an attribute value in the reserved
range, an implementation MAY chose to continue based on local policy.
4.5.4 Lifetime Notification
When an initiator offers an SA lifetime greater than what the
responder desires based on their local policy, the responder has
three choices: 1) fail the negotiation entirely; 2) complete the
negotiation but use a shorter lifetime than what was offered; 3)
complete the negotiation and send an advisory notification to the
initiator indicating the responder's true lifetime. The choice of
what the responder actually does is implementation specific and/or
based on local policy.
To ensure interoperability in the latter case, the IPSEC DOI requires
the following only when the responder wishes to notify the initiator:
if the initiator offers an SA lifetime longer than the responder is
willing to accept, the responder SHOULD include an ISAKMP
Notification Payload in the exchange that includes the responder's
IPSEC SA payload. Section 4.6.3.1 defines the payload layout for the
RESPONDER-LIFETIME Notification Message type which MUST be used for
this purpose.
4.6 IPSEC Payload Content
The following sections describe those ISAKMP payloads whose data
representations are dependent on the applicable DOI.
4.6.1 Security Association Payload
The following diagram illustrates the content of the Security
Association Payload for the IPSEC DOI. See Section 4.2 for a
description of the Situation bitmap.
Piper Standards Track [Page 16]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Domain of Interpretation (IPSEC) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Situation (bitmap) !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Labeled Domain Identifier !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Secrecy Length (in octets) ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Secrecy Level ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Secrecy Cat. Length (in bits) ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Secrecy Category Bitmap ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Integrity Length (in octets) ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Integrity Level ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Integ. Cat. Length (in bits) ! RESERVED !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Integrity Category Bitmap ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Security Association Payload Format
The Security Association Payload is defined as follows:
o Next Payload (1 octet) - Identifier for the payload type of
the next payload in the message. If the current payload is the
last in the message, this field will be zero (0).
o RESERVED (1 octet) - Unused, must be zero (0).
o Payload Length (2 octets) - Length, in octets, of the current
payload, including the generic header.
o Domain of Interpretation (4 octets) - Specifies the IPSEC DOI,
which has been assigned the value one (1).
o Situation (4 octets) - Bitmask used to interpret the remainder
of the Security Association Payload. See Section 4.2 for a
complete list of values.
Piper Standards Track [Page 17]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
o Labeled Domain Identifier (4 octets) - IANA Assigned Number used
to interpret the Secrecy and Integrity information.
o Secrecy Length (2 octets) - Specifies the length, in octets, of
the secrecy level identifier, excluding pad bits.
o RESERVED (2 octets) - Unused, must be zero (0).
o Secrecy Level (variable length) - Specifies the mandatory
secrecy level required. The secrecy level MUST be padded with
zero (0) to align on the next 32-bit boundary.
o Secrecy Category Length (2 octets) - Specifies the length, in
bits, of the secrecy category (compartment) bitmap, excluding
pad bits.
o RESERVED (2 octets) - Unused, must be zero (0).
o Secrecy Category Bitmap (variable length) - A bitmap used to
designate secrecy categories (compartments) that are required.
The bitmap MUST be padded with zero (0) to align on the next
32-bit boundary.
o Integrity Length (2 octets) - Specifies the length, in octets,
of the integrity level identifier, excluding pad bits.
o RESERVED (2 octets) - Unused, must be zero (0).
o Integrity Level (variable length) - Specifies the mandatory
integrity level required. The integrity level MUST be padded
with zero (0) to align on the next 32-bit boundary.
o Integrity Category Length (2 octets) - Specifies the length, in
bits, of the integrity category (compartment) bitmap, excluding
pad bits.
o RESERVED (2 octets) - Unused, must be zero (0).
o Integrity Category Bitmap (variable length) - A bitmap used to
designate integrity categories (compartments) that are required.
The bitmap MUST be padded with zero (0) to align on the next
32-bit boundary.
4.6.1.1 IPSEC Labeled Domain Identifiers
The following table lists the assigned values for the Labeled Domain
Identifier field contained in the Situation field of the Security
Association Payload.
Piper Standards Track [Page 18]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
Domain Value
------- -----
RESERVED 0
4.6.2 Identification Payload Content
The Identification Payload is used to identify the initiator of the
Security Association. The identity of the initiator SHOULD be used
by the responder to determine the correct host system security policy
requirement for the association. For example, a host might choose to
require authentication and integrity without confidentiality (AH)
from a certain set of IP addresses and full authentication with
confidentiality (ESP) from another range of IP addresses. The
Identification Payload provides information that can be used by the
responder to make this decision.
During Phase I negotiations, the ID port and protocol fields MUST be
set to zero or to UDP port 500. If an implementation receives any
other values, this MUST be treated as an error and the security
association setup MUST be aborted. This event SHOULD be auditable.
The following diagram illustrates the content of the Identification
Payload.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! ID Type ! Protocol ID ! Port !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Identification Data ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Identification Payload Format
The Identification Payload fields are defined as follows:
o Next Payload (1 octet) - Identifier for the payload type of
the next payload in the message. If the current payload is the
last in the message, this field will be zero (0).
o RESERVED (1 octet) - Unused, must be zero (0).
o Payload Length (2 octets) - Length, in octets, of the
identification data, including the generic header.
o Identification Type (1 octet) - Value describing the identity
information found in the Identification Data field.
Piper Standards Track [Page 19]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
o Protocol ID (1 octet) - Value specifying an associated IP
protocol ID (e.g. UDP/TCP). A value of zero means that the
Protocol ID field should be ignored.
o Port (2 octets) - Value specifying an associated port. A value
of zero means that the Port field should be ignored.
o Identification Data (variable length) - Value, as indicated by
the Identification Type.
4.6.2.1 Identification Type Values
The following table lists the assigned values for the Identification
Type field found in the Identification Payload.
ID Type Value
------- -----
RESERVED 0
ID_IPV4_ADDR 1
ID_FQDN 2
ID_USER_FQDN 3
ID_IPV4_ADDR_SUBNET 4
ID_IPV6_ADDR 5
ID_IPV6_ADDR_SUBNET 6
ID_IPV4_ADDR_RANGE 7
ID_IPV6_ADDR_RANGE 8
ID_DER_ASN1_DN 9
ID_DER_ASN1_GN 10
ID_KEY_ID 11
For types where the ID entity is variable length, the size of the ID
entity is computed from size in the ID payload header.
When an IKE exchange is authenticated using certificates (of any
format), any ID's used for input to local policy decisions SHOULD be
contained in the certificate used in the authentication of the
exchange.
4.6.2.2 ID_IPV4_ADDR
The ID_IPV4_ADDR type specifies a single four (4) octet IPv4 address.
4.6.2.3 ID_FQDN
The ID_FQDN type specifies a fully-qualified domain name string. An
example of a ID_FQDN is, "foo.bar.com". The string should not
contain any terminators.
Piper Standards Track [Page 20]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
4.6.2.4 ID_USER_FQDN
The ID_USER_FQDN type specifies a fully-qualified username string, An
example of a ID_USER_FQDN is, "piper@foo.bar.com". The string should
not contain any terminators.
4.6.2.5 ID_IPV4_ADDR_SUBNET
The ID_IPV4_ADDR_SUBNET type specifies a range of IPv4 addresses,
represented by two four (4) octet values. The first value is an IPv4
address. The second is an IPv4 network mask. Note that ones (1s) in
the network mask indicate that the corresponding bit in the address
is fixed, while zeros (0s) indicate a "wildcard" bit.
4.6.2.6 ID_IPV6_ADDR
The ID_IPV6_ADDR type specifies a single sixteen (16) octet IPv6
address.
4.6.2.7 ID_IPV6_ADDR_SUBNET
The ID_IPV6_ADDR_SUBNET type specifies a range of IPv6 addresses,
represented by two sixteen (16) octet values. The first value is an
IPv6 address. The second is an IPv6 network mask. Note that ones
(1s) in the network mask indicate that the corresponding bit in the
address is fixed, while zeros (0s) indicate a "wildcard" bit.
4.6.2.8 ID_IPV4_ADDR_RANGE
The ID_IPV4_ADDR_RANGE type specifies a range of IPv4 addresses,
represented by two four (4) octet values. The first value is the
beginning IPv4 address (inclusive) and the second value is the ending
IPv4 address (inclusive). All addresses falling between the two
specified addresses are considered to be within the list.
4.6.2.9 ID_IPV6_ADDR_RANGE
The ID_IPV6_ADDR_RANGE type specifies a range of IPv6 addresses,
represented by two sixteen (16) octet values. The first value is the
beginning IPv6 address (inclusive) and the second value is the ending
IPv6 address (inclusive). All addresses falling between the two
specified addresses are considered to be within the list.
4.6.2.10 ID_DER_ASN1_DN
The ID_DER_ASN1_DN type specifies the binary DER encoding of an ASN.1
X.500 Distinguished Name [X.501] of the principal whose certificates
are being exchanged to establish the SA.
Piper Standards Track [Page 21]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
4.6.2.11 ID_DER_ASN1_GN
The ID_DER_ASN1_GN type specifies the binary DER encoding of an ASN.1
X.500 GeneralName [X.509] of the principal whose certificates are
being exchanged to establish the SA.
4.6.2.12 ID_KEY_ID
The ID_KEY_ID type specifies an opaque byte stream which may be used
to pass vendor-specific information necessary to identify which pre-
shared key should be used to authenticate Aggressive mode
negotiations.
4.6.3 IPSEC Notify Message Types
ISAKMP defines two blocks of Notify Message codes, one for errors and
one for status messages. ISAKMP also allocates a portion of each
block for private use within a DOI. The IPSEC DOI defines the
following private message types for its own use.
Notify Messages - Error Types Value
----------------------------- -----
RESERVED 8192
Notify Messages - Status Types Value
------------------------------ -----
RESPONDER-LIFETIME 24576
REPLAY-STATUS 24577
INITIAL-CONTACT 24578
Notification Status Messages MUST be sent under the protection of an
ISAKMP SA: either as a payload in the last Main Mode exchange; in a
separate Informational Exchange after Main Mode or Aggressive Mode
processing is complete; or as a payload in any Quick Mode exchange.
These messages MUST NOT be sent in Aggressive Mode exchange, since
Aggressive Mode does not provide the necessary protection to bind the
Notify Status Message to the exchange.
Nota Bene: a Notify payload is fully protected only in Quick Mode,
where the entire payload is included in the HASH(n) digest. In Main
Mode, while the notify payload is encrypted, it is not currently
included in the HASH(n) digests. As a result, an active substitution
attack on the Main Mode ciphertext could cause the notify status
message type to be corrupted. (This is true, in general, for the
last message of any Main Mode exchange.) While the risk is small, a
corrupt notify message might cause the receiver to abort the entire
negotiation thinking that the sender encountered a fatal error.
Piper Standards Track [Page 22]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
Implementation Note: the ISAKMP protocol does not guarantee delivery
of Notification Status messages when sent in an ISAKMP Informational
Exchange. To ensure receipt of any particular message, the sender
SHOULD include a Notification Payload in a defined Main Mode or Quick
Mode exchange which is protected by a retransmission timer.
4.6.3.1 RESPONDER-LIFETIME
The RESPONDER-LIFETIME status message may be used to communicate the
IPSEC SA lifetime chosen by the responder.
When present, the Notification Payload MUST have the following
format:
o Payload Length - set to length of payload + size of data (var)
o DOI - set to IPSEC DOI (1)
o Protocol ID - set to selected Protocol ID from chosen SA
o SPI Size - set to either sixteen (16) (two eight-octet ISAKMP
cookies) or four (4) (one IPSEC SPI)
o Notify Message Type - set to RESPONDER-LIFETIME (Section 4.6.3)
o SPI - set to the two ISAKMP cookies or to the sender's inbound
IPSEC SPI
o Notification Data - contains an ISAKMP attribute list with the
responder's actual SA lifetime(s)
Implementation Note: saying that the Notification Data field contains
an attribute list is equivalent to saying that the Notification Data
field has zero length and the Notification Payload has an associated
attribute list.
4.6.3.2 REPLAY-STATUS
The REPLAY-STATUS status message may be used for positive
confirmation of the responder's election on whether or not he is to
perform anti-replay detection.
When present, the Notification Payload MUST have the following
format:
o Payload Length - set to length of payload + size of data (4)
o DOI - set to IPSEC DOI (1)
o Protocol ID - set to selected Protocol ID from chosen SA
o SPI Size - set to either sixteen (16) (two eight-octet ISAKMP
cookies) or four (4) (one IPSEC SPI)
o Notify Message Type - set to REPLAY-STATUS
o SPI - set to the two ISAKMP cookies or to the sender's inbound
IPSEC SPI
o Notification Data - a 4 octet value:
Piper Standards Track [Page 23]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
0 = replay detection disabled
1 = replay detection enabled
4.6.3.3 INITIAL-CONTACT
The INITIAL-CONTACT status message may be used when one side wishes
to inform the other that this is the first SA being established with
the remote system. The receiver of this Notification Message might
then elect to delete any existing SA's it has for the sending system
under the assumption that the sending system has rebooted and no
longer has access to the original SA's and their associated keying
material. When used, the content of the Notification Data field
SHOULD be null (i.e. the Payload Length should be set to the fixed
length of Notification Payload).
When present, the Notification Payload MUST have the following
format:
o Payload Length - set to length of payload + size of data (0)
o DOI - set to IPSEC DOI (1)
o Protocol ID - set to selected Protocol ID from chosen SA
o SPI Size - set to sixteen (16) (two eight-octet ISAKMP cookies)
o Notify Message Type - set to INITIAL-CONTACT
o SPI - set to the two ISAKMP cookies
o Notification Data - <not included>
4.7 IPSEC Key Exchange Requirements
The IPSEC DOI introduces no additional Key Exchange types.
5. Security Considerations
This entire memo pertains to the Internet Key Exchange protocol
([IKE]), which combines ISAKMP ([ISAKMP]) and Oakley ([OAKLEY]) to
provide for the derivation of cryptographic keying material in a
secure and authenticated manner. Specific discussion of the various
security protocols and transforms identified in this document can be
found in the associated base documents and in the cipher references.
6. IANA Considerations
This document contains many "magic" numbers to be maintained by the
IANA. This section explains the criteria to be used by the IANA to
assign additional numbers in each of these lists. All values not
explicitly defined in previous sections are reserved to IANA.
Piper Standards Track [Page 24]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
6.1 IPSEC Situation Definition
The Situation Definition is a 32-bit bitmask which represents the
environment under which the IPSEC SA proposal and negotiation is
carried out. Requests for assignments of new situations must be
accompanied by an RFC which describes the interpretation for the
associated bit.
If the RFC is not on the standards-track (i.e., it is an
informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The upper two bits are reserved for private use amongst cooperating
systems.
6.2 IPSEC Security Protocol Identifiers
The Security Protocol Identifier is an 8-bit value which identifies a
security protocol suite being negotiated. Requests for assignments
of new security protocol identifiers must be accompanied by an RFC
which describes the requested security protocol. [AH] and [ESP] are
examples of security protocol documents.
If the RFC is not on the standards-track (i.e., it is an
informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The values 249-255 are reserved for private use amongst cooperating
systems.
6.3 IPSEC ISAKMP Transform Identifiers
The IPSEC ISAKMP Transform Identifier is an 8-bit value which
identifies a key exchange protocol to be used for the negotiation.
Requests for assignments of new ISAKMP transform identifiers must be
accompanied by an RFC which describes the requested key exchange
protocol. [IKE] is an example of one such document.
If the RFC is not on the standards-track (i.e., it is an
informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The values 249-255 are reserved for private use amongst cooperating
systems.
Piper Standards Track [Page 25]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
6.4 IPSEC AH Transform Identifiers
The IPSEC AH Transform Identifier is an 8-bit value which identifies
a particular algorithm to be used to provide integrity protection for
AH. Requests for assignments of new AH transform identifiers must be
accompanied by an RFC which describes how to use the algorithm within
the AH framework ([AH]).
If the RFC is not on the standards-track (i.e., it is an
informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The values 249-255 are reserved for private use amongst cooperating
systems.
6.5 IPSEC ESP Transform Identifiers
The IPSEC ESP Transform Identifier is an 8-bit value which identifies
a particular algorithm to be used to provide secrecy protection for
ESP. Requests for assignments of new ESP transform identifiers must
be accompanied by an RFC which describes how to use the algorithm
within the ESP framework ([ESP]).
If the RFC is not on the standards-track (i.e., it is an
informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The values 249-255 are reserved for private use amongst cooperating
systems.
6.6 IPSEC IPCOMP Transform Identifiers
The IPSEC IPCOMP Transform Identifier is an 8-bit value which
identifier a particular algorithm to be used to provide IP-level
compression before ESP. Requests for assignments of new IPCOMP
transform identifiers must be accompanied by an RFC which describes
how to use the algorithm within the IPCOMP framework ([IPCOMP]). In
addition, the requested algorithm must be published and in the public
domain.
If the RFC is not on the standards-track (i.e., it is an
informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
Piper Standards Track [Page 26]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
The values 1-47 are reserved for algorithms for which an RFC has been
approved for publication. The values 48-63 are reserved for private
use amongst cooperating systems. The values 64-255 are reserved for
future expansion.
6.7 IPSEC Security Association Attributes
The IPSEC Security Association Attribute consists of a 16-bit type
and its associated value. IPSEC SA attributes are used to pass
miscellaneous values between ISAKMP peers. Requests for assignments
of new IPSEC SA attributes must be accompanied by an Internet Draft
which describes the attribute encoding (Basic/Variable-Length) and
its legal values. Section 4.5 of this document provides an example
of such a description.
The values 32001-32767 are reserved for private use amongst
cooperating systems.
6.8 IPSEC Labeled Domain Identifiers
The IPSEC Labeled Domain Identifier is a 32-bit value which
identifies a namespace in which the Secrecy and Integrity levels and
categories values are said to exist. Requests for assignments of new
IPSEC Labeled Domain Identifiers should be granted on demand. No
accompanying documentation is required, though Internet Drafts are
encouraged when appropriate.
The values 0x80000000-0xffffffff are reserved for private use amongst
cooperating systems.
6.9 IPSEC Identification Type
The IPSEC Identification Type is an 8-bit value which is used as a
discriminant for interpretation of the variable-length Identification
Payload. Requests for assignments of new IPSEC Identification Types
must be accompanied by an RFC which describes how to use the
identification type within IPSEC.
If the RFC is not on the standards-track (i.e., it is an
informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The values 249-255 are reserved for private use amongst cooperating
systems.
Piper Standards Track [Page 27]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
6.10 IPSEC Notify Message Types
The IPSEC Notify Message Type is a 16-bit value taken from the range
of values reserved by ISAKMP for each DOI. There is one range for
error messages (8192-16383) and a different range for status messages
(24576-32767). Requests for assignments of new Notify Message Types
must be accompanied by an Internet Draft which describes how to use
the identification type within IPSEC.
The values 16001-16383 and the values 32001-32767 are reserved for
private use amongst cooperating systems.
7. Change Log
7.1 Changes from V9
o add explicit reference to [IPCOMP], [DEFLATE], and [LZS]
o allow RESPONDER-LIFETIME and REPLAY-STATUS to be directed
at an IPSEC SPI in addition to the ISAKMP "SPI"
o added padding exclusion to Secrecy and Integrity Length text
o added forward reference to Section 4.5 in Section 4.4.4
o update document references
7.2 Changes from V8
o update IPCOMP identifier range to better reflect IPCOMP draft
o update IANA considerations per Jeff/Ted's suggested text
o eliminate references to DES-MAC ID ([DESMAC])
o correct bug in Notify section; ISAKMP Notify values are 16-bits
7.3 Changes from V7
o corrected name of IPCOMP (IP Payload Compression)
o corrected references to [ESPCBC]
o added missing Secrecy Level and Integrity Level to Figure 1
o removed ID references to PF_KEY and ARCFOUR
o updated Basic/Variable text to align with [IKE]
o updated document references and add intro pointer to [ARCH]
o updated Notification requirements; remove aggressive reference
o added clarification about protection for Notify payloads
o restored RESERVED to ESP transform ID namespace; moved ESP_NULL
o added requirement for ESP_NULL support and [ESPNULL] reference
o added clarification on Auth Alg use with AH/ESP
o added restriction against using conflicting AH/Auth combinations
7.4 Changes from V6
The following changes were made relative to the IPSEC DOI V6:
Piper Standards Track [Page 28]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
o added IANA Considerations section
o moved most IANA numbers to IANA Considerations section
o added prohibition on sending (V) encoding for (B) attributes
o added prohibition on sending Key Length attribute for fixed
length ciphers (e.g. DES)
o replaced references to ISAKMP/Oakley with IKE
o renamed ESP_ARCFOUR to ESP_RC4
o updated Security Considerations section
o updated document references
7.5 Changes from V5
The following changes were made relative to the IPSEC DOI V5:
o changed SPI size in Lifetime Notification text
o changed REPLAY-ENABLED to REPLAY-STATUS
o moved RESPONDER-LIFETIME payload definition from Section 4.5.4
to Section 4.6.3.1
o added explicit payload layout for 4.6.3.3
o added Implementation Note to Section 4.6.3 introduction
o changed AH_SHA text to require SHA-1 in addition to MD5
o updated document references
7.6 Changes from V4
The following changes were made relative to the IPSEC DOI V4:
o moved compatibility AH KPDK authentication method from AH
transform ID to Authentication Algorithm identifier
o added REPLAY-ENABLED notification message type per Architecture
o added INITIAL-CONTACT notification message type per list
o added text to ensure protection for Notify Status messages
o added Lifetime qualification to attribute parsing section
o added clarification that Lifetime notification is optional
o removed private Group Description list (now points at [IKE])
o replaced Terminology with pointer to RFC-2119
o updated HMAC MD5 and SHA-1 ID references
o updated Section 1 (Abstract)
o updated Section 4.4 (IPSEC Assigned Numbers)
o added restriction for ID port/protocol values for Phase I
7.7 Changes from V3 to V4
The following changes were made relative to the IPSEC DOI V3, that
was posted to the IPSEC mailing list prior to the Munich IETF:
o added ESP transform identifiers for NULL and ARCFOUR
Piper Standards Track [Page 29]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
o renamed HMAC Algorithm to Auth Algorithm to accommodate
DES-MAC and optional authentication/integrity for ESP
o added AH and ESP DES-MAC algorithm identifiers
o removed KEY_MANUAL and KEY_KDC identifier definitions
o added lifetime duration MUST follow lifetype attribute to
SA Life Type and SA Life Duration attribute definition
o added lifetime notification and IPSEC DOI message type table
o added optional authentication and confidentiality
restrictions to MAC Algorithm attribute definition
o corrected attribute parsing example (used obsolete attribute)
o corrected several Internet Draft document references
o added ID_KEY_ID per ipsec list discussion (18-Mar-97)
o removed Group Description default for PFS QM ([IKE] MUST)
Acknowledgments
This document is derived, in part, from previous works by Douglas
Maughan, Mark Schertler, Mark Schneider, Jeff Turner, Dan Harkins,
and Dave Carrel. Matt Thomas, Roy Pereira, Greg Carter, and Ran
Atkinson also contributed suggestions and, in many cases, text.
References
[AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC
2402, November 1998.
[ARCH] Kent, S., and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[DEFLATE] Pereira, R., "IP Payload Compression Using DEFLATE", RFC
2394, August 1998.
[ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", RFC 2406, November 1998.
[ESPCBC] Pereira, R., and R. Adams, "The ESP CBC-Mode Cipher
Algorithms", RFC 2451, November 1998.
[ESPNULL] Glenn, R., and S. Kent, "The NULL Encryption Algorithm and
Its Use With IPsec", RFC 2410, November 1998.
[DES] Madson, C., and N. Doraswamy, "The ESP DES-CBC Cipher
Algorithm With Explicit IV", RFC 2405, November 1998.
[HMACMD5] Madson, C., and R. Glenn, "The Use of HMAC-MD5 within ESP
and AH", RFC 2403, November 1998.
Piper Standards Track [Page 30]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
[HMACSHA] Madson, C., and R. Glenn, "The Use of HMAC-SHA-1-96 within
ESP and AH", RFC 2404, November 1998.
[IKE] Harkins, D., and D. Carrel, D., "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[IPCOMP] Shacham, A., Monsour, R., Pereira, R., and M. Thomas, "IP
Payload Compression Protocol (IPComp)", RFC 2393, August
1998.
[ISAKMP] Maughan, D., Schertler, M., Schneider, M., and J. Turner,
"Internet Security Association and Key Management Protocol
(ISAKMP)", RFC 2408, November 1998.
[LZS] Friend, R., and R. Monsour, "IP Payload Compression Using
LZS", RFC 2395, August 1998.
[OAKLEY] Orman, H., "The OAKLEY Key Determination Protocol", RFC
2412, November 1998.
[X.501] ISO/IEC 9594-2, "Information Technology - Open Systems
Interconnection - The Directory: Models", CCITT/ITU
Recommendation X.501, 1993.
[X.509] ISO/IEC 9594-8, "Information Technology - Open Systems
Interconnection - The Directory: Authentication
Framework", CCITT/ITU Recommendation X.509, 1993.
Author's Address
Derrell Piper
Network Alchemy
1521.5 Pacific Ave
Santa Cruz, California, 95060
United States of America
Phone: +1 408 460-3822
EMail: ddp@network-alchemy.com
Piper Standards Track [Page 31]
^L
RFC 2407 IP Security Domain of Interpretation November 1998
Full Copyright Statement
Copyright (C) The Internet Society (1998). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Piper Standards Track [Page 32]
^L
|