Security Architecture for the Internet Protocol
RFC 2401
Document | Type |
RFC - Proposed Standard
(November 1998; No errata)
Obsoleted by RFC 4301
Updated by RFC 3168
Obsoletes RFC 1825
|
|
---|---|---|---|
Authors | Randall Atkinson , Stephen Kent | ||
Last updated | 2013-03-02 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 2401 (Proposed Standard) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | (None) | ||
Send notices to | (None) |
Network Working Group S. Kent Request for Comments: 2401 BBN Corp Obsoletes: 1825 R. Atkinson Category: Standards Track @Home Network November 1998 Security Architecture for the Internet Protocol Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (1998). All Rights Reserved. Table of Contents 1. Introduction........................................................3 1.1 Summary of Contents of Document..................................3 1.2 Audience.........................................................3 1.3 Related Documents................................................4 2. Design Objectives...................................................4 2.1 Goals/Objectives/Requirements/Problem Description................4 2.2 Caveats and Assumptions..........................................5 3. System Overview.....................................................5 3.1 What IPsec Does..................................................6 3.2 How IPsec Works..................................................6 3.3 Where IPsec May Be Implemented...................................7 4. Security Associations...............................................8 4.1 Definition and Scope.............................................8 4.2 Security Association Functionality..............................10 4.3 Combining Security Associations.................................11 4.4 Security Association Databases..................................13 4.4.1 The Security Policy Database (SPD).........................14 4.4.2 Selectors..................................................17 4.4.3 Security Association Database (SAD)........................21 4.5 Basic Combinations of Security Associations.....................24 4.6 SA and Key Management...........................................26 4.6.1 Manual Techniques..........................................27 4.6.2 Automated SA and Key Management............................27 4.6.3 Locating a Security Gateway................................28 4.7 Security Associations and Multicast.............................29 Kent & Atkinson Standards Track [Page 1] RFC 2401 Security Architecture for IP November 1998 5. IP Traffic Processing..............................................30 5.1 Outbound IP Traffic Processing..................................30 5.1.1 Selecting and Using an SA or SA Bundle.....................30 5.1.2 Header Construction for Tunnel Mode........................31 5.1.2.1 IPv4 -- Header Construction for Tunnel Mode...........31 5.1.2.2 IPv6 -- Header Construction for Tunnel Mode...........32 5.2 Processing Inbound IP Traffic...................................33 5.2.1 Selecting and Using an SA or SA Bundle.....................33 5.2.2 Handling of AH and ESP tunnels.............................34 6. ICMP Processing (relevant to IPsec)................................35 6.1 PMTU/DF Processing..............................................36 6.1.1 DF Bit.....................................................36 6.1.2 Path MTU Discovery (PMTU)..................................36 6.1.2.1 Propagation of PMTU...................................36 6.1.2.2 Calculation of PMTU...................................37 6.1.2.3 Granularity of PMTU Processing........................37 6.1.2.4 PMTU Aging............................................38 7. Auditing...........................................................39 8. Use in Systems Supporting Information Flow Security................39 8.1 Relationship Between Security Associations and Data Sensitivity.40 8.2 Sensitivity Consistency Checking................................40 8.3 Additional MLS Attributes for Security Association Databases....41 8.4 Additional Inbound Processing Steps for MLS Networking..........41 8.5 Additional Outbound Processing Steps for MLS Networking.........41 8.6 Additional MLS Processing for Security Gateways.................42 9. Performance Issues.................................................42 10. Conformance Requirements..........................................43 11. Security Considerations...........................................43 12. Differences from RFC 1825.........................................43Show full document text