FROM RFC 2407 and RFC 2408
"Magic Numbers" for ISAKMP Protocol
(last updated 2001 Jun 29)
IPSEC Situation Definition
The Situation Definition is a 32-bit bitmask which represents the
environment under which the IPSEC SA proposal and negotiation are
carried out. Requests for assignments of new situations must be
accompanied by an RFC which describes the interpretation for the
associated bit.
If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the situation bit is
assigned.
Situation            Value   Reference
---------            -----   ---------
SIT_IDENTITY_ONLY    0x01    [RFC2407]
SIT_SECRECY          0x02    [RFC2407]
SIT_INTEGRITY        0x04    [RFC2407]
The upper two bits are reserved for private use amongst cooperating
systems.
IPSEC Security Protocol Identifiers
The Security Protocol Identifier is an 8-bit value which identifies a
security protocol suite being negotiated. Requests for assignments of
new security protocol identifiers must be accompanied by an RFC which
describes the requested security protocol. [AH] and [ESP] are
examples of security protocol documents.
If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the protocol identifier is
assigned.
Protocol ID       Value   Reference
-----------       -----   ---------
RESERVED          0       [RFC2407]
PROTO_ISAKMP      1       [RFC2407]
PROTO_IPSEC_AH    2       [RFC2407]
PROTO_IPSEC_ESP   3       [RFC2407]
PROTO_IPCOMP      4       [RFC2407]
The values 249-255 are reserved for private use amongst cooperating
systems.
IPSEC ISAKMP Transform Identifiers
The IPSEC ISAKMP Transform Identifier is an 8-bit value which
identifies a key exchange protocol to be used for the negotiation.
Requests for assignments of new ISAKMP transform identifiers must be
accompanied by an RFC which describes the requested key exchange
protocol. [IKE] is an example of one such document.
If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.
Transform    Value   Reference
---------    -----   ---------
RESERVED     0       [RFC2407]
KEY_IKE      1       [RFC2407]
The values 249-255 are reserved for private use amongst cooperating
systems.
IPSEC AH Transform Identifiers
The IPSEC AH Transform Identifier is an 8-bit value which identifies a
particular algorithm to be used to provide integrity protection for
AH. Requests for assignments of new AH transform identifiers must be
accompanied by an RFC which describes how to use the algorithm within
the AH framework ([AH]).
If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.
Transform ID    Value   Reference
------------    -----   ---------
RESERVED        0-1     [RFC2407]
AH_MD5          2       [RFC2407]
AH_SHA          3       [RFC2407]
AH_DES          4       [RFC2407]
AH_SHA2-256     5       [Leech]
AH_SHA2-384     6       [Leech]
AH_SHA2-512     7       [Leech]
AH_RIPEMD       8       [RFC2857]
The values 249-255 are reserved for private use amongst cooperating
systems.
IPSEC ESP Transform Identifiers
The IPSEC ESP Transform Identifier is an 8-bit value which identifies
a particular algorithm to be used to provide secrecy protection for
ESP. Requests for assignments of new ESP transform identifiers must
be accompanied by an RFC which describes how to use the algorithm
within the ESP framework ([ESP]).
If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.
Transform ID    Value   Reference
------------    -----   ---------
RESERVED        0       [RFC2407]
ESP_DES_IV64    1       [RFC2407]
ESP_DES         2       [RFC2407]
ESP_3DES        3       [RFC2407]
ESP_RC5         4       [RFC2407]
ESP_IDEA        5       [RFC2407]
ESP_CAST        6       [RFC2407]
ESP_BLOWFISH    7       [RFC2407]
ESP_3IDEA       8       [RFC2407]
ESP_DES_IV32    9       [RFC2407]
ESP_RC4         10      [RFC2407]
ESP_NULL        11      [RFC2407]
ESP_AES         12      [Leech]
The values 249-255 are reserved for private use amongst cooperating
systems.
IPSEC IPCOMP Transform Identifiers
The IPSEC IPCOMP Transform Identifier is an 8-bit value which
identifies a particular algorithm to be used to provide IP-level
compression before ESP. Requests for assignments of new IPCOMP
transform identifiers must be accompanied by an RFC which describes
how to use the algorithm within the IPCOMP framework ([IPCOMP]). In
addition, the requested algorithm must be published and in the public
domain.
If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.
Transform ID     Value   Reference
------------     -----   ---------
RESERVED         0       [RFC2407]
IPCOMP_OUI       1       [RFC2407]
IPCOMP_DEFLATE   2       [RFC2407]
IPCOMP_LZS       3       [RFC2407]
IPCOMP_LZJH      4       [RFC3051]
The values 1-47 are reserved for algorithms for which an RFC has been
approved for publication. The values 48-63 are reserved for private
use amongst cooperating systems. The values 64-255 are reserved for
future expansion.
IPSEC Security Association Attributes
The IPSEC Security Association Attribute consists of a 16-bit type and
its associated value. IPSEC SA attributes are used to pass
miscellaneous values between ISAKMP peers. Requests for assignments
of new IPSEC SA attributes must be accompanied by an Internet Draft
which describes the attribute encoding (Basic/Variable-Length) and its
legal values. Section 4.5 of [RFC2407] provides an example of
such a description.
Attribute Types (Type: B = Basic, V = Variable-Length)
Class                        Value   Type   Reference
-----                        -----   ----   ---------
SA Life Type                 1       B      [RFC2407]
SA Life Duration             2       V      [RFC2407]
Group Description            3       B      [RFC2407]
Encapsulation Mode           4       B      [RFC2407]
Authentication Algorithm     5       B      [RFC2407]
Key Length                   6       B      [RFC2407]
Key Rounds                   7       B      [RFC2407]
Compress Dictionary Size     8       B      [RFC2407]
Compress Private Algorithm   9       V      [RFC2407]
ECN Tunnel                   10      B      [RFCXXXX]
The values 32001-32767 are reserved for private use amongst
cooperating systems.
Class Values Details
SA Life Type Values
Name        Value   Reference
----        -----   ---------
Reserved    0       [RFC2407]
seconds     1       [RFC2407]
kilobytes   2       [RFC2407]
Values 3-61439 are reserved to IANA. Values 61440-65535 are
for private use.
Group Description(?)
Encapsulation Mode
Name        Value   Reference
----        -----   ---------
Reserved    0       [RFC2407]
Tunnel      1       [RFC2407]
Transport   2       [RFC2407]
Values 3-61439 are reserved to IANA. Values 61440-65535 are
for private use.
Authentication Algorithm
Name            Value   Reference
----            -----   ---------
Reserved        0       [RFC2407]
HMAC-MD5        1       [RFC2407]
HMAC-SHA        2       [RFC2407]
DES-MAC         3       [RFC2407]
KPDK            4       [RFC2407]
HMAC-SHA2-256   5       [Leech]
HMAC-SHA2-384   6       [Leech]
HMAC-SHA2-512   7       [Leech]
HMAC-RIPEMD     8       [RFC2857]
Values 5-61439 are reserved to IANA. Values 61440-65535 are
for private use.
Key Length
Name       Value   Reference
----       -----   ---------
Reserved   0       [RFC2407]
Key Rounds
Name       Value   Reference
----       -----   ---------
Reserved   0       [RFC2407]
Compression Dictionary Size
Name       Value   Reference
----       -----   ---------
Reserved   0       [RFC2407]
Compression Private Algorithm(?)
ECN Tunnel
Name        Value
----        -----
RESERVED    0
Allowed     1
Forbidden   2
Values 3-61439 are reserved to IANA. Values 61440-65535 are
for private use.
If unspecified, the default shall be assumed to be Forbidden.
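The Basic/Variable-Length attribute encoding described above, as an added example that is not part of the registry: a small Python parser for an ISAKMP SA attribute list using the RFC 2408 section 3.3 data-attribute format (an AF bit, a 15-bit type, then either a 16-bit value or a 16-bit length plus data), which checks each registered class against the B/V form in the table and rejects truncated or mis-encoded attributes instead of misreading them. The class names, B/V forms and sample values (seconds = 1, Tunnel = 1) are the registry's; the byte string is constructed, not captured traffic.

```python
import struct

# IPSEC DOI attribute classes from the registry above:
# type -> (name, "B" for Basic (TV form) or "V" for Variable-Length (TLV form))
ATTRIBUTE_CLASSES = {
    1: ("SA Life Type", "B"),               2: ("SA Life Duration", "V"),
    3: ("Group Description", "B"),          4: ("Encapsulation Mode", "B"),
    5: ("Authentication Algorithm", "B"),   6: ("Key Length", "B"),
    7: ("Key Rounds", "B"),                 8: ("Compress Dictionary Size", "B"),
    9: ("Compress Private Algorithm", "V"), 10: ("ECN Tunnel", "B"),
}
PRIVATE_USE = range(32001, 32768)  # reserved for private use amongst cooperating systems

def parse_attributes(data: bytes) -> list:
    """Parse an ISAKMP data-attribute list (RFC 2408 section 3.3 encoding).

    Each attribute opens with a 16-bit word: the top bit is the Attribute
    Format (AF) flag, the low 15 bits are the attribute type.  AF=1 is the
    Basic form (a 16-bit value follows); AF=0 is the Variable-Length form
    (a 16-bit length and that many bytes of value follow).
    Returns (type, name, value) tuples: int for Basic, bytes for
    Variable-Length.  Raises ValueError on truncation or when a registered
    class arrives in the wrong form, so a malformed SA payload is rejected.
    """
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header at offset %d" % off)
        word, second = struct.unpack_from("!HH", data, off)
        af, atype = word >> 15, word & 0x7FFF
        name, form = ATTRIBUTE_CLASSES.get(atype, ("Unknown", None))
        if atype in PRIVATE_USE:
            name = "Private use"
        if form is not None and form != ("B" if af else "V"):
            raise ValueError("attribute %d (%s) sent in wrong form" % (atype, name))
        if af:                                   # Basic: 'second' is the value
            out.append((atype, name, second))
            off += 4
        else:                                    # Variable-Length: 'second' is the length
            if second > len(data) - off - 4:
                raise ValueError("attribute %d length %d overruns payload" % (atype, second))
            out.append((atype, name, data[off + 4:off + 4 + second]))
            off += 4 + second
    return out

# Constructed sample: SA Life Type = seconds (1), SA Life Duration = 28800
# carried as a 4-byte Variable-Length value, Encapsulation Mode = Tunnel (1).
SAMPLE = bytes.fromhex("80010001" "00020004" "00007080" "80040001")
```

Calling parse_attributes(SAMPLE) yields the three tuples (1, "SA Life Type", 1), (2, "SA Life Duration", b"\x00\x00\x70\x80") and (4, "Encapsulation Mode", 1); an SA Life Duration sent in Basic form, or a length that runs past the payload, raises ValueError.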
IPSEC Labeled Domain Identifiers
The IPSEC Labeled Domain Identifier is a 32-bit value which identifies
a namespace in which the Secrecy and Integrity level and category
values are defined. Requests for assignments of new IPSEC Labeled
Domain Identifiers should be granted on demand. No accompanying
documentation is required, though Internet Drafts are encouraged when
appropriate.
Domain     Value   Reference
------     -----   ---------
Reserved   0       [RFC2407]
The values 0x80000000-0xffffffff are reserved for private use amongst
cooperating systems.
IPSEC Identification Type
The IPSEC Identification Type is an 8-bit value which is used as a
discriminant for interpretation of the variable-length Identification
Payload. Requests for assignments of new IPSEC Identification Types
must be accompanied by an RFC which describes how to use the
identification type within IPSEC.
If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the identification type is
assigned.
ID Type               Value   Reference
-------               -----   ---------
RESERVED              0       [RFC2407]
ID_IPV4_ADDR          1       [RFC2407]
ID_FQDN               2       [RFC2407]
ID_USER_FQDN          3       [RFC2407]
ID_IPV4_ADDR_SUBNET   4       [RFC2407]
ID_IPV6_ADDR          5       [RFC2407]
ID_IPV6_ADDR_SUBNET   6       [RFC2407]
ID_IPV4_ADDR_RANGE    7       [RFC2407]
ID_IPV6_ADDR_RANGE    8       [RFC2407]
ID_DER_ASN1_DN        9       [RFC2407]
ID_DER_ASN1_GN        10      [RFC2407]
ID_KEY_ID             11      [RFC2407]
The values 249-255 are reserved for private use amongst cooperating
systems.
IPSEC Notify Message Types
The IPSEC Notify Message Type is a 16-bit value taken from the range
of values reserved by ISAKMP for each DOI. There is one range for
error messages (8192-16383) and a different range for status messages
(24576-32767). Requests for assignments of new Notify Message Types
must be accompanied by an Internet Draft which describes how to use
the notify message type within IPSEC.
Notify Messages - Error Types    Value   Reference
-----------------------------    -----   ---------
Reserved                         8192    [RFC2407]
Notify Messages - Status Types   Value   Reference
------------------------------   -----   ---------
RESPONDER-LIFETIME               24576   [RFC2407]
REPLAY-STATUS                    24577   [RFC2407]
INITIAL-CONTACT                  24578   [RFC2407]
The values 16001-16383 and the values 32001-32767 are reserved for
private use amongst cooperating systems.
References
----------
[RFC2407] Piper, D., "The Internet IP Security Domain of
Interpretation for ISAKMP", RFC 2407, Network Alchemy,
November 1998.
[RFC2857] Keromytis, A. and N. Provos, "The Use of HMAC-RIPEMD-160-96
within ESP and AH", RFC 2857, June 2000.
[RFC3051] Heath, J. and J. Border, "IP Payload Compression Using ITU-T
V.44 Packet Method", RFC 3051, January 2001.
[RFCXXXX] Floyd, S., D. Black, and K. K. Ramakrishnan, "IPsec
Interactions with ECN", RFC XXXX, Month Year.
People
------
[Leech] Marcus Leech, <mleech@nortelnetworks.com>, October 2000.