< draft-ietf-ipsec-ipsec-doi-08.txt   draft-ietf-ipsec-ipsec-doi-09.txt >
Network Working Group Derrell Piper Network Working Group Derrell Piper
INTERNET-DRAFT Network Alchemy INTERNET-DRAFT Network Alchemy
draft-ietf-ipsec-ipsec-doi-08.txt March 13, 1998 draft-ietf-ipsec-ipsec-doi-09.txt May 12, 1998
The Internet IP Security Domain of Interpretation for ISAKMP The Internet IP Security Domain of Interpretation for ISAKMP
<draft-ietf-ipsec-ipsec-doi-08.txt> <draft-ietf-ipsec-ipsec-doi-09.txt>
Status of this Memo Status of this Memo
This document is an Internet Draft. Internet Drafts are working This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and working groups. Note that other groups may also distribute and working groups. Note that other groups may also distribute
working documents as Internet Drafts. working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six months Internet Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet Drafts as reference time. It is inappropriate to use Internet Drafts as reference
material or to cite them other than as ``work in progress.'' material or to cite them other than as ``work in progress.''
To learn the current status of any Internet Draft, please check the To view the entire list of current Internet-Drafts, please check
``1id-abstracts.txt'' listing contained in the Internet Drafts Shadow the "1id-abstracts.txt" listing contained in the Internet-Drafts
Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
munnari.oz.au (Australia), ds.internic.net (US East Coast), or (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au
ftp.isi.edu (US West Coast). (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu
(US West Coast).
Distribution of this memo is unlimited. This draft will expire six Distribution of this memo is unlimited. This draft will expire six
months from date of issue. months from date of issue.
1. Abstract 1. Abstract
The Internet Security Association and Key Management Protocol The Internet Security Association and Key Management Protocol
(ISAKMP) defines a framework for security association management and (ISAKMP) defines a framework for security association management and
cryptographic key establishment for the Internet. This framework cryptographic key establishment for the Internet. This framework
consists of defined exchanges, payloads, and processing guidelines consists of defined exchanges, payloads, and processing guidelines
skipping to change at page 9, line 22 skipping to change at page 9, line 22
Use of AH_SHA with any other Authentication Algorithm attribute value Use of AH_SHA with any other Authentication Algorithm attribute value
is currently undefined. is currently undefined.
4.4.3.3 AH_DES 4.4.3.3 AH_DES
The AH_DES type specifies a generic AH transform using DES. The The AH_DES type specifies a generic AH transform using DES. The
actual protection suite is determined in concert with an associated actual protection suite is determined in concert with an associated
SA attribute list. A generic DES transform is currently undefined. SA attribute list. A generic DES transform is currently undefined.
The IPSEC DOI defines AH_DES along with the Auth(DES-MAC) attribute The IPSEC DOI defines AH_DES along with the Auth(DES-MAC) attribute
to be the DES-MAC transform described in [DESMAC]. Implementations to be a DES-MAC transform. Implementations are not required to
are not required to support this mode. support this mode.
Use of AH_DES with any other Authentication Algorithm attribute value Use of AH_DES with any other Authentication Algorithm attribute value
is currently undefined. is currently undefined.
4.4.4 IPSEC ESP Transform Identifiers 4.4.4 IPSEC ESP Transform Identifiers
The Encapsulating Security Payload (ESP) defines one mandatory and The Encapsulating Security Payload (ESP) defines one mandatory and
many optional transforms used to provide data confidentiality. The many optional transforms used to provide data confidentiality. The
following table lists the defined ESP Transform Identifiers for the following table lists the defined ESP Transform Identifiers for the
ISAKMP Proposal Payload for the IPSEC DOI. ISAKMP Proposal Payload for the IPSEC DOI.
skipping to change at page 11, line 37 skipping to change at page 11, line 37
detection. detection.
All implementations within the IPSEC DOI MUST support ESP_NULL. The All implementations within the IPSEC DOI MUST support ESP_NULL. The
ESP NULL transform is defined in [ESPNULL]. See the Authentication ESP NULL transform is defined in [ESPNULL]. See the Authentication
Algorithm attribute description in Section 4.5 for additional Algorithm attribute description in Section 4.5 for additional
requirements relating to the use of ESP_NULL. requirements relating to the use of ESP_NULL.
4.4.5 IPSEC IPCOMP Transform Identifiers 4.4.5 IPSEC IPCOMP Transform Identifiers
The IP Compression (IPCOMP) transforms define optional compression The IP Compression (IPCOMP) transforms define optional compression
algorithms that can be negotiated to provide for IP compression algorithms that can be negotiated to provide for IP payload
before ESP encryption. The following table lists the defined IPCOMP compression ([IPCOMP]). The following table lists the defined IPCOMP
Transform Identifiers for the ISAKMP Proposal Payload within the Transform Identifiers for the ISAKMP Proposal Payload within the
IPSEC DOI. IPSEC DOI.
Transform ID Value Transform ID Value
------------ ----- ------------ -----
RESERVED 0 RESERVED 0
IPCOMP_OUI 1 IPCOMP_OUI 1
IPCOMP_DEFLATE 2 IPCOMP_DEFLATE 2
IPCOMP_LZS 3 IPCOMP_LZS 3
IPCOMP_V42BIS 4 IPCOMP_V42BIS 4
skipping to change at page 24, line 36 skipping to change at page 24, line 36
This document contains many "magic" numbers to be maintained by the This document contains many "magic" numbers to be maintained by the
IANA. This section explains the criteria to be used by the IANA to IANA. This section explains the criteria to be used by the IANA to
assign additional numbers in each of these lists. All values not assign additional numbers in each of these lists. All values not
explicitly defined in previous sections are reserved to IANA. explicitly defined in previous sections are reserved to IANA.
6.1 IPSEC Situation Definition 6.1 IPSEC Situation Definition
The Situation Definition is a 32-bit bitmask which represents the The Situation Definition is a 32-bit bitmask which represents the
environment under which the IPSEC SA proposal and negotiation is environment under which the IPSEC SA proposal and negotiation is
carried out. Requests for assignments of new situations must be carried out. Requests for assignments of new situations must be
accompanied by a standards-track RFC which describes the accompanied by an RFC which describes the interpretation for the
interpretation for the associated bit. associated bit.
If the RFC is not on the standards-track (i.e., it is an
informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The upper two bits are reserved for private use amongst cooperating The upper two bits are reserved for private use amongst cooperating
systems. systems.
6.2 IPSEC Security Protocol Identifiers 6.2 IPSEC Security Protocol Identifiers
The Security Protocol Identifier is an 8-bit value which identifies a The Security Protocol Identifier is an 8-bit value which identifies a
security protocol suite being negotiated. Requests for assignments security protocol suite being negotiated. Requests for assignments
of new security protocol identifiers must be accompanied by a of new security protocol identifiers must be accompanied by an RFC
standards-track RFC which describes the requested security protocol. which describes the requested security protocol. [AH] and [ESP] are
[AH] and [ESP] are examples of security protocol documents. examples of security protocol documents.
If the RFC is not on the standards-track (i.e., it is an
informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The values 249-255 are reserved for private use amongst cooperating The values 249-255 are reserved for private use amongst cooperating
systems. systems.
6.3 IPSEC ISAKMP Transform Identifiers 6.3 IPSEC ISAKMP Transform Identifiers
The IPSEC ISAKMP Transform Identifier is an 8-bit value which The IPSEC ISAKMP Transform Identifier is an 8-bit value which
identifies a key exchange protocol to be used for the negotiation. identifies a key exchange protocol to be used for the negotiation.
Requests for assignments of new ISAKMP transform identifiers must be Requests for assignments of new ISAKMP transform identifiers must be
accompanied by a standards-track RFC which describes the requested accompanied by an RFC which describes the requested key exchange
key exchange protocol. [IKE] is an example of one such document. protocol. [IKE] is an example of one such document.
If the RFC is not on the standards-track (i.e., it is an
informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The values 249-255 are reserved for private use amongst cooperating The values 249-255 are reserved for private use amongst cooperating
systems. systems.
6.4 IPSEC AH Transform Identifiers 6.4 IPSEC AH Transform Identifiers
The IPSEC AH Transform Identifier is an 8-bit value which identifies The IPSEC AH Transform Identifier is an 8-bit value which identifies
a particular algorithm to be used to provide integrity protection for a particular algorithm to be used to provide integrity protection for
AH. Requests for assignments of new AH transform identifiers must be AH. Requests for assignments of new AH transform identifiers must be
accompanied by a standards-track RFC which describes how to use the accompanied by an RFC which describes how to use the algorithm within
algorithm within the AH framework ([AH]). In addition, the requested the AH framework ([AH]).
algorithm must be published and in the public domain. If the
requested algorithm is not in the public domain, the addition must be If the RFC is not on the standards-track (i.e., it is an
approved by an IESG action. informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The values 249-255 are reserved for private use amongst cooperating The values 249-255 are reserved for private use amongst cooperating
systems. systems.
6.5 IPSEC ESP Transform Identifiers 6.5 IPSEC ESP Transform Identifiers
The IPSEC ESP Transform Identifier is an 8-bit value which identifies The IPSEC ESP Transform Identifier is an 8-bit value which identifies
a particular algorithm to be used to provide secrecy protection for a particular algorithm to be used to provide secrecy protection for
ESP. Requests for assignments of new ESP transform identifiers must ESP. Requests for assignments of new AH transform identifiers must
be accompanied by a standards-track RFC which describes how to use be accompanied by an RFC which describes how to use the algorithm
the algorithm within the ESP framework ([ESP]). In addition, the within the ESP framework ([ESP]).
requested algorithm must be published and in the public domain. If
the requested algorithm is not in the public domain, the addition If the RFC is not on the standards-track (i.e., it is an
must be approved by an IESG action. informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The values 249-255 are reserved for private use amongst cooperating The values 249-255 are reserved for private use amongst cooperating
systems. systems.
6.6 IPSEC IPCOMP Transform Identifiers 6.6 IPSEC IPCOMP Transform Identifiers
The IPSEC IPCOMP Transform Identifier is an 8-bit value which The IPSEC IPCOMP Transform Identifier is an 8-bit value which
identifier a particular algorithm to be used to provide IP-level identifier a particular algorithm to be used to provide IP-level
compression before ESP. Requests for assignments of new IPCOMP compression before ESP. Requests for assignments of new IPCOMP
transform identifiers must be accompanied by a standards-track RFC transform identifiers must be accompanied by an RFC which describes
which describes how to use the algorithm within the IPCOMP framework how to use the algorithm within the IPCOMP framework ([IPCOMP]). In
([IPCOMP]). In addition, the requested algorithm must be published addition, the requested algorithm must be published and in the public
and in the public domain. If the requested algorithm is not in the domain.
public domain, the addition must be approved by an IESG action.
The values 249-255 are reserved for private use amongst cooperating If the RFC is not on the standards-track (i.e., it is an
systems. informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The values 1-47 are reserved for algorithms for which an RFC has been
approved for publication. The values 48-63 are reserved for private
use amongst cooperating systems. The values 64-255 are reserved for
future expansion.
6.7 IPSEC Security Association Attributes 6.7 IPSEC Security Association Attributes
The IPSEC Security Association Attribute consists of a 16-bit type The IPSEC Security Association Attribute consists of a 16-bit type
and its associated value. IPSEC SA attributes are used to pass and its associated value. IPSEC SA attributes are used to pass
miscellaneous values between ISAKMP peers. Requests for assignments miscellaneous values between ISAKMP peers. Requests for assignments
of new IPSEC SA attributes must be accompanied by an Internet Draft of new IPSEC SA attributes must be accompanied by an Internet Draft
which describes the attribute encoding (Basic/Variable-Length) and which describes the attribute encoding (Basic/Variable-Length) and
its legal values. Section 4.5 of this document provides an example its legal values. Section 4.5 of this document provides an example
of such a description. of such a description.
skipping to change at page 26, line 39 skipping to change at page 27, line 17
encouraged when appropriate. encouraged when appropriate.
The values 0x80000000-0xffffffff are reserved for private use amongst The values 0x80000000-0xffffffff are reserved for private use amongst
cooperating systems. cooperating systems.
6.9 IPSEC Identification Type 6.9 IPSEC Identification Type
The IPSEC Identification Type is an 8-bit value which is used as a The IPSEC Identification Type is an 8-bit value which is used as a
discriminant for interpretation of the variable-length Identification discriminant for interpretation of the variable-length Identification
Payload. Requests for assignments of new IPSEC Identification Types Payload. Requests for assignments of new IPSEC Identification Types
must be accompanied by a standard-track RFC which describes how to must be accompanied by an RFC which describes how to use the
use the identification type within IPSEC. identification type within IPSEC.
If the RFC is not on the standards-track (i.e., it is an
informational or experimental RFC), it must be explicitly reviewed
and approved by the IESG before the RFC is published and the
transform identifier is assigned.
The values 249-255 are reserved for private use amongst cooperating The values 249-255 are reserved for private use amongst cooperating
systems. systems.
6.10 IPSEC Notify Message Types 6.10 IPSEC Notify Message Types
The IPSEC Notify Message Type is an 8-bit value taken from the range The IPSEC Notify Message Type is a 16-bit value taken from the range
of values reserved by ISAKMP for each DOI. There is one range for of values reserved by ISAKMP for each DOI. There is one range for
error message (8192-16383) and a different range for status messages error messages (8192-16383) and a different range for status messages
(24576-32767). Requests for assignments of new Notify Message Types (24576-32767). Requests for assignments of new Notify Message Types
must be accompanied by an Internet Draft which describes how to use must be accompanied by an Internet Draft which describes how to use
the identification type within IPSEC. the identification type within IPSEC.
The values 16001-16383 and the values 32001-32767 are reserved for The values 16001-16383 and the values 32001-32767 are reserved for
private use amongst cooperating systems. private use amongst cooperating systems.
7. Change Log 7. Change Log
7.1 Changes from V7 7.1 Changes from V8
o update IPCOMP identifier range to better reflect IPCOMP draft
o update IANA considerations per Jeff/Ted's suggested text
o eliminate references to DES-MAC ID ([DESMAC])
o correct bug in Notify section; ISAKMP Notify values are 16-bits
7.2 Changes from V7
o corrected name of IPCOMP (IP Payload Compression) o corrected name of IPCOMP (IP Payload Compression)
o corrected references to [ESPCBC] o corrected references to [ESPCBC]
o added missing Secrecy Level and Integrity Level to Figure 1 o added missing Secrecy Level and Integrity Level to Figure 1
o removed ID references to PF_KEY and ARCFOUR o removed ID references to PF_KEY and ARCFOUR
o updated Basic/Variable text to align with [IKE] o updated Basic/Variable text to align with [IKE]
o updated document references and add intro pointer to [ARCH] o updated document references and add intro pointer to [ARCH]
o updated Notification requirements; remove aggressive reference o updated Notification requirements; remove aggressive reference
o added clarification about protection for Notify payloads o added clarification about protection for Notify payloads
o restored RESERVED to ESP transform ID namespace; moved ESP_NULL o restored RESERVED to ESP transform ID namespace; moved ESP_NULL
o added requirement for ESP_NULL support and [ESPNULL] reference o added requirement for ESP_NULL support and [ESPNULL] reference
o added clarification on Auth Alg use with AH/ESP o added clarification on Auth Alg use with AH/ESP
o added restriction against using conflicting AH/Auth combinations o added restriction against using conflicting AH/Auth combinations
7.2 Changes from V6 7.3 Changes from V6
The following changes were made relative to the IPSEC DOI V6: The following changes were made relative to the IPSEC DOI V6:
o added IANA Considerations section o added IANA Considerations section
o moved most IANA numbers to IANA Considerations section o moved most IANA numbers to IANA Considerations section
o added prohibition on sending (V) encoding for (B) attributes o added prohibition on sending (V) encoding for (B) attributes
o added prohibition on sending Key Length attribute for fixed o added prohibition on sending Key Length attribute for fixed
length ciphers (e.g. DES) length ciphers (e.g. DES)
o replaced references to ISAKMP/Oakley with IKE o replaced references to ISAKMP/Oakley with IKE
o renamed ESP_ARCFOUR to ESP_RC4 o renamed ESP_ARCFOUR to ESP_RC4
o updated Security Considerations section o updated Security Considerations section
o updated document references o updated document references
7.3 Changes from V5 7.4 Changes from V5
The following changes were made relative to the IPSEC DOI V5: The following changes were made relative to the IPSEC DOI V5:
o changed SPI size in Lifetime Notification text o changed SPI size in Lifetime Notification text
o changed REPLAY-ENABLED to REPLAY-STATUS o changed REPLAY-ENABLED to REPLAY-STATUS
o moved RESPONDER-LIFETIME payload definition from Section 4.5.4 o moved RESPONDER-LIFETIME payload definition from Section 4.5.4
to Section 4.6.3.1 to Section 4.6.3.1
o added explicit payload layout for 4.6.3.3 o added explicit payload layout for 4.6.3.3
o added Implementation Note to Section 4.6.3 introduction o added Implementation Note to Section 4.6.3 introduction
o changed AH_SHA text to require SHA-1 in addition to MD5 o changed AH_SHA text to require SHA-1 in addition to MD5
o updated document references o updated document references
7.4 Changes from V4 7.5 Changes from V4
The following changes were made relative to the IPSEC DOI V4: The following changes were made relative to the IPSEC DOI V4:
o moved compatibility AH KPDK authentication method from AH o moved compatibility AH KPDK authentication method from AH
transform ID to Authentication Algorithm identifier transform ID to Authentication Algorithm identifier
o added REPLAY-ENABLED notification message type per Architecture o added REPLAY-ENABLED notification message type per Architecture
o added INITIAL-CONTACT notification message type per list o added INITIAL-CONTACT notification message type per list
o added text to ensure protection for Notify Status messages o added text to ensure protection for Notify Status messages
o added Lifetime qualification to attribute parsing section p o o added Lifetime qualification to attribute parsing section p o
added clarification that Lifetime notification is optional added clarification that Lifetime notification is optional
o removed private Group Description list (now points at [IKE]) o removed private Group Description list (now points at [IKE])
o replaced Terminology with pointer to RFC-2119 o replaced Terminology with pointer to RFC-2119
o updated HMAC MD5 and SHA-1 ID references o updated HMAC MD5 and SHA-1 ID references
o updated Section 1 (Abstract) o updated Section 1 (Abstract)
o updated Section 4.4 (IPSEC Assigned Numbers) o updated Section 4.4 (IPSEC Assigned Numbers)
o added restriction for ID port/protocol values for Phase I o added restriction for ID port/protocol values for Phase I
7.5 Changes from V3 to V4 7.6 Changes from V3 to V4
The following changes were made relative to the IPSEC DOI V3, that The following changes were made relative to the IPSEC DOI V3, that
was posted to the IPSEC mailing list prior to the Munich IETF: was posted to the IPSEC mailing list prior to the Munich IETF:
o added ESP transform identifiers for NULL and ARCFOUR o added ESP transform identifiers for NULL and ARCFOUR
o renamed HMAC Algorithm to Auth Algorithm to accommodate o renamed HMAC Algorithm to Auth Algorithm to accommodate
DES-MAC and optional authentication/integrity for ESP DES-MAC and optional authentication/integrity for ESP
o added AH and ESP DES-MAC algorithm identifiers o added AH and ESP DES-MAC algorithm identifiers
o removed KEY_MANUAL and KEY_KDC identifier definitions o removed KEY_MANUAL and KEY_KDC identifier definitions
o added lifetime duration MUST follow lifetype attribute to o added lifetime duration MUST follow lifetype attribute to
skipping to change at page 29, line 21 skipping to change at page 30, line 12
[ESPCBC] Pereira, R., Adams, R., "The ESP CBC-Mode Cipher [ESPCBC] Pereira, R., Adams, R., "The ESP CBC-Mode Cipher
Algorithms," draft-ietf-ipsec-ciph-cbc-02.txt. Algorithms," draft-ietf-ipsec-ciph-cbc-02.txt.
[ESPNULL] Glenn, R., Kent, S., "The NULL Encryption Algorithm and Its [ESPNULL] Glenn, R., Kent, S., "The NULL Encryption Algorithm and Its
Use With IPsec," draft-ietf-ipsec-ciph-null-00.txt. Use With IPsec," draft-ietf-ipsec-ciph-null-00.txt.
[DES] Madson, C., Doraswamy, N., "The ESP DES-CBC Cipher Algorithm [DES] Madson, C., Doraswamy, N., "The ESP DES-CBC Cipher Algorithm
With Explicit IV," draft-ietf-ipsec-ciph-des-expiv-02.txt. With Explicit IV," draft-ietf-ipsec-ciph-des-expiv-02.txt.
[DESMAC] Bitan, S., "The Use of DES-MAC within ESP and AH," draft-
bitan-auth-des-mac-00.txt.
[HMACMD5] Madson, C., Glenn, R., "The Use of HMAC-MD5 within ESP and [HMACMD5] Madson, C., Glenn, R., "The Use of HMAC-MD5 within ESP and
AH," draft-ietf-ipsec-auth-hmac-md5-96-03.txt. AH," draft-ietf-ipsec-auth-hmac-md5-96-03.txt.
[HMACSHA] Madson, C., Glenn, R., "The Use of HMAC-SHA-1-96 within ESP [HMACSHA] Madson, C., Glenn, R., "The Use of HMAC-SHA-1-96 within ESP
and AH," draft-ietf-ipsec-auth-hmac-sha196-03.txt. and AH," draft-ietf-ipsec-auth-hmac-sha196-03.txt.
[IKE] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)," [IKE] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE),"
draft-ietf-ipsec-isakmp-oakley-06.txt. draft-ietf-ipsec-isakmp-oakley-06.txt.
[IPCOMP] Shacham, A., Monsour, R., Pereira, R., Thomas, M., "IP [IPCOMP] Shacham, A., Monsour, R., Pereira, R., Thomas, M., "IP
 End of changes. 21 change blocks. 
48 lines changed or deleted 83 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/