The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2407

Document Type RFC - Proposed Standard (November 1998; Errata)
Obsoleted by RFC 4306
Author Derrell Piper 
Last updated 2020-01-21
Stream IETF
Network Working Group                                           D. Piper
Request for Comments: 2407                               Network Alchemy
Category: Standards Track                                  November 1998

      The Internet IP Security Domain of Interpretation for ISAKMP

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.


IESG Note

   Section states, "All implementations within the IPSEC DOI
   MUST support ESP_DES...".  Recent work in the area of cryptanalysis
   suggests that DES may not be sufficiently strong for many
   applications.  Therefore, it is very likely that the IETF will
   deprecate the use of ESP_DES as a mandatory cipher suite in the near
   future.  It will remain as an optional use protocol.  Although the
   IPsec working group and the IETF in general have not settled on an
   alternative algorithm (taking into account concerns of security and
   performance), implementers may want to heed the recommendations of
   section on the use of ESP_3DES.

1. Abstract

   The Internet Security Association and Key Management Protocol
   (ISAKMP) defines a framework for security association management and
   cryptographic key establishment for the Internet.  This framework
   consists of defined exchanges, payloads, and processing guidelines
   that occur within a given Domain of Interpretation (DOI).  This
   document defines the Internet IP Security DOI (IPSEC DOI), which
   instantiates ISAKMP for use with IP when IP uses ISAKMP to negotiate
   security associations.

   For a list of changes since the previous version of the IPSEC DOI,
   please see Section 7.

Piper                       Standards Track                     [Page 1]
RFC 2407          IP Security Domain of Interpretation     November 1998

2. Introduction

   Within ISAKMP, a Domain of Interpretation is used to group related
   protocols using ISAKMP to negotiate security associations.  Security
   protocols sharing a DOI choose security protocol and cryptographic
   transforms from a common namespace and share key exchange protocol
   identifiers.  They also share a common interpretation of DOI-specific
   payload data content, including the Security Association and
   Identification payloads.

   Overall, ISAKMP places the following requirements on a DOI:

     o  define the naming scheme for DOI-specific protocol identifiers
     o  define the interpretation for the Situation field
     o  define the set of applicable security policies
     o  define the syntax for DOI-specific SA Attributes (Phase II)
     o  define the syntax for DOI-specific payload contents
     o  define additional Key Exchange types, if needed
     o  define additional Notification Message types, if needed

   The remainder of this document details the instantiation of these
   requirements for using the IP Security (IPSEC) protocols to provide
   authentication, integrity, and/or confidentiality for IP packets sent
   between cooperating host systems and/or firewalls.

   For a description of the overall IPSEC architecture, see [ARCH],
   [AH], and [ESP].

3. Terms and Definitions

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in [RFC 2119].

4.1 IPSEC Naming Scheme

   Within ISAKMP, all DOIs must be registered with the IANA in the
   "Assigned Numbers" RFC [STD-2].  The IANA Assigned Number for the
   Internet IP Security DOI (IPSEC DOI) is one (1).  Within the IPSEC
   DOI, all well-known identifiers MUST be registered with the IANA
   under the IPSEC DOI.  Unless otherwise noted, all tables within this
   document refer to IANA Assigned Numbers for the IPSEC DOI.  See
   Section 6 for further information relating to the IANA registry for
   the IPSEC DOI.

   All multi-octet binary values are stored in network byte order.


4.2 IPSEC Situation Definition

   Within ISAKMP, the Situation provides information that can be used by
   the responder to make a policy determination about how to process the
   incoming Security Association request.  For the IPSEC DOI, the
   Situation field is a four (4) octet bitmask with the following
   values.
       Situation                   Value
       ---------                   -----
       SIT_IDENTITY_ONLY           0x01
       SIT_SECRECY                 0x02
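
   The two DOI-level fields above, the IANA-assigned DOI number (1)
   stored in network byte order and the four-octet Situation bitmask,
   travel at the head of the ISAKMP Security Association payload.  The
   Python below is an added example, not code from RFC 2407 or from any
   IKE implementation.  It encodes and decodes that payload header using
   the SA payload layout of ISAKMP (RFC 2408: Next Payload, RESERVED,
   Payload Length, then DOI and Situation), which this page does not
   reproduce and which the example assumes.  It models only the two
   Situation bits shown above; refusing a zero Situation, or a Situation
   carrying a bit the parser does not know, is responder policy chosen
   for the example rather than a rule stated in the text.  The sample
   payloads are constructed for the example, not captured traffic.

```python
"""Encode/decode the DOI and Situation fields of an ISAKMP SA payload."""
import struct
from dataclasses import dataclass
from typing import List

# IANA Assigned Number for the Internet IP Security DOI (Section 4.1 above).
IPSEC_DOI = 1

# Situation bits of the four-octet bitmask (Section 4.2 above).  Only the two
# values shown on the page are modelled; any other bit is treated as unknown.
SIT_IDENTITY_ONLY = 0x01
SIT_SECRECY = 0x02
KNOWN_SITUATION_BITS = SIT_IDENTITY_ONLY | SIT_SECRECY

# Assumed SA payload header from ISAKMP (RFC 2408): Next Payload (1 octet),
# RESERVED (1), Payload Length (2), DOI (4), Situation (4).  The "!" prefix
# selects network byte order for every multi-octet field.
SA_HEADER = struct.Struct("!BBHII")


class SAPayloadError(ValueError):
    """Raised when an SA payload fails a structural or DOI-level check."""


@dataclass(frozen=True)
class SAPayload:
    next_payload: int
    length: int
    doi: int
    situation: int
    body: bytes  # proposal/transform payloads that follow; left opaque here


def encode_sa_payload(next_payload: int, situation: int,
                      body: bytes = b"", doi: int = IPSEC_DOI) -> bytes:
    """Build an SA payload header for the given Situation, followed by body."""
    length = SA_HEADER.size + len(body)
    return SA_HEADER.pack(next_payload, 0, length, doi, situation) + body


def decode_sa_payload(buf: bytes) -> SAPayload:
    """Parse the header and apply the checks a responder needs before policy.

    Rejecting an empty Situation or unknown Situation bits is a local policy
    choice made for this example, not a rule stated in the text above.
    """
    if len(buf) < SA_HEADER.size:
        raise SAPayloadError("truncated SA payload header")
    next_payload, reserved, length, doi, situation = SA_HEADER.unpack_from(buf)
    if reserved != 0:
        raise SAPayloadError("RESERVED octet must be zero")
    if length < SA_HEADER.size or length > len(buf):
        raise SAPayloadError(f"payload length {length} inconsistent with {len(buf)} bytes")
    if doi != IPSEC_DOI:
        raise SAPayloadError(f"DOI {doi} is not the IPSEC DOI (1)")
    if situation == 0:
        raise SAPayloadError("Situation bitmask is empty")
    unknown = situation & ~KNOWN_SITUATION_BITS & 0xFFFFFFFF
    if unknown:
        raise SAPayloadError(f"unsupported Situation bits 0x{unknown:08x}")
    return SAPayload(next_payload, length, doi, situation,
                     bytes(buf[SA_HEADER.size:length]))


def situation_names(situation: int) -> List[str]:
    """Symbolic names of the known bits set in a Situation value."""
    names = []
    if situation & SIT_IDENTITY_ONLY:
        names.append("SIT_IDENTITY_ONLY")
    if situation & SIT_SECRECY:
        names.append("SIT_SECRECY")
    return names


def is_rejected(buf: bytes) -> bool:
    """True when decode_sa_payload() refuses the buffer."""
    try:
        decode_sa_payload(buf)
    except SAPayloadError:
        return True
    return False


# Constructed samples.  Fields: Next Payload 0, RESERVED 0, Length 12, then
# DOI and Situation.
SAMPLE_SA_PAYLOAD = bytes.fromhex("0000000c" "00000001" "00000001")       # DOI 1, SIT_IDENTITY_ONLY
BAD_ENDIAN_SA_PAYLOAD = bytes.fromhex("0000000c" "01000000" "00000001")   # DOI written little-endian
UNKNOWN_SIT_SA_PAYLOAD = bytes.fromhex("0000000c" "00000001" "00000080")  # Situation bit 0x80 unknown

if __name__ == "__main__":
    p = decode_sa_payload(SAMPLE_SA_PAYLOAD)
    print("DOI", p.doi, "Situation", situation_names(p.situation))
    print("bad endian rejected:", is_rejected(BAD_ENDIAN_SA_PAYLOAD))
    print("unknown situation rejected:", is_rejected(UNKNOWN_SIT_SA_PAYLOAD))
```

   Running the block shows why the network-byte-order rule matters: a
   DOI written little-endian decodes as 16777216 rather than 1 and is
   refused before any policy decision is made, and a Situation carrying
   a bit the responder does not recognise is refused rather than being
   silently narrowed to the bits it understands.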