Internet Key Exchange (IKE) Attributes - per RFC 2409 (IKE)

(last updated 2009-04-22)

Attribute Assigned Numbers

Attributes negotiated during phase one use the following definitions. Phase two
attributes are defined in the applicable DOI specification (for example, IPsec
attributes are defined in the IPsec DOI), with the exception of a group
description when Quick Mode includes an ephemeral Diffie-Hellman exchange.

Attribute types can be either Basic (B) or Variable-length (V). Encoding of
these attributes is defined in the base ISAKMP specification as Type/Value
(Basic) and Type/Length/Value (Variable). Attributes described as basic MUST
NOT be encoded as variable. Variable length attributes MAY be encoded as basic
attributes if their value can fit into two octets. Where the value fits, an
attribute offered as variable (or basic) by the initiator of this protocol MAY
be returned to the initiator as basic (or variable).

Attribute Classes

   class                                value   type
   -------------------------------------------------------------------
   Encryption Algorithm                   1      B
   Hash Algorithm                         2      B
   Authentication Method                  3      B
   Group Description                      4      B
   Group Type                             5      B
   Group Prime/Irreducible Polynomial     6      V
   Group Generator One                    7      V
   Group Generator Two                    8      V
   Group Curve A                          9      V
   Group Curve B                         10      V
   Life Type                             11      B
   Life Duration                         12      V
   PRF                                   13      B
   Key Length                            14      B
   Field Size                            15      B
   Group Order                           16      V

   values 17-16383 are reserved to IANA. Values 16384-32767 are for private
   use among mutually consenting parties.

Class Values

   Encryption Algorithm          Value   Reference
   --------------------          -----   ---------
   DES-CBC                         1     [RFC2405]
   IDEA-CBC                        2     [RFC2409]
   Blowfish-CBC                    3     [RFC2409]
   RC5-R16-B64-CBC                 4     [RFC2409]
   3DES-CBC                        5     [RFC2409]
   CAST-CBC                        6     [RFC2409]
   AES-CBC                         7     [RFC3602]
   CAMELLIA-CBC                    8     [RFC4312]

   values 9-65000 are reserved to IANA. Values 65001-65535 are for private
   use among mutually consenting parties.

   Hash Algorithm                Value   References
   --------------                -----   ----------
   MD5                             1     [RFC1321]
   SHA                             2     FIPS 180-1
   Tiger                           3     See Reference [TIGER]
   SHA2-256                        4     [Leech][RFC4868]
   SHA2-384                        5     [Leech][RFC4868]
   SHA2-512                        6     [Leech][RFC4868]

   values 7-65000 are reserved to IANA. Values 65001-65535 are for private
   use among mutually consenting parties.

   IPSEC Authentication Methods

   Method                                       Value   Reference
   ------                                       -----   ---------
   pre-shared key                                 1     [RFC2409]
   DSS signatures                                 2     [RFC2409]
   RSA signatures                                 3     [RFC2409]
   Encryption with RSA                            4     [RFC2409]
   Revised encryption with RSA                    5     [RFC2409]
   Encryption with El-Gamal                       6
   Revised encryption with El-Gamal               7
   ECDSA signatures                               8     [Fahn]
   ECDSA with SHA-256 on the P-256 curve          9     [RFC4754]
   ECDSA with SHA-384 on the P-384 curve         10     [RFC4754]
   ECDSA with SHA-512 on the P-521 curve         11     [RFC4754]

   values 9-65000 are reserved to IANA. Values 65001-65535 are for private
   use among mutually consenting parties.

   Group Description                                        Value   Reference
   ------------------------------------------------         -----   ---------
   default 768-bit MODP group (section 6.1)                   1     [RFC2409]
   alternate 1024-bit MODP group (section 6.2)                2     [RFC2409]
   EC2N group on GP[2^155] (section 6.3)                      3     [RFC2409]
   EC2N group on GP[2^185] (section 6.4)                      4     [RFC2409]
   1536-bit MODP group (section 2)                            5     [RFC3526]
   EC2N group over GF[2^163] (Section 2.1)                    6     [Panjwani]
   EC2N group over GF[2^163] (Section 2.2)                    7     [Panjwani]
   EC2N group over GF[2^283] (Section 2.3)                    8     [Panjwani]
   EC2N group over GF[2^283] (Section 2.4)                    9     [Panjwani]
   EC2N group over GF[2^409] (Section 2.5)                   10     [Blake-Wilson]
   EC2N group over GF[2^409] (Section 2.6)                   11     [Blake-Wilson]
   EC2N group over GF[2^571] (Section 2.7)                   12     [Blake-Wilson]
   EC2N group over GF[2^571] (Section 2.8)                   13     [Blake-Wilson]
   2048-bit MODP group (section 3)                           14     [RFC3526]
   3072-bit MODP group (section 4)                           15     [RFC3526]
   4096-bit MODP group (section 5)                           16     [RFC3526]
   6144-bit MODP group (section 6)                           17     [RFC3526]
   8192-bit MODP group (section 7)                           18     [RFC3526]
   256-bit random ECP group                                  19     [RFC4753]
   384-bit random ECP group                                  20     [RFC4753]
   521-bit random ECP group                                  21     [RFC4753]
   1024-bit MODP Group with 160-bit Prime Order Subgroup     22     [RFC5114]
   2048-bit MODP Group with 224-bit Prime Order Subgroup     23     [RFC5114]
   2048-bit MODP Group with 256-bit Prime Order Subgroup     24     [RFC5114]
   192-bit Random ECP Group                                  25     [RFC5114]
   224-bit Random ECP Group                                  26     [RFC5114]

   values 27-32767 are reserved to IANA. Values 32768-65535 are for private
   use among mutually consenting parties.

   Group Type                                   Value
   ----------                                   -----
   MODP (modular exponentiation group)            1
   ECP (elliptic curve group over GF[P])          2
   EC2N (elliptic curve group over GF[2^N])       3

   values 4-65000 are reserved to IANA. Values 65001-65535 are for private
   use among mutually consenting parties.

   Life Type                     Value
   ---------                     -----
   seconds                         1
   kilobytes                       2

   values 3-65000 are reserved to IANA. Values 65001-65535 are for private
   use among mutually consenting parties.

   For a given "Life Type" the value of the "Life Duration" attribute defines
   the actual length of the SA life: either a number of seconds, or a number
   of kbytes protected.

   PRF
   ---
   There are currently no pseudo-random functions defined.

   values 1-65000 are reserved to IANA. Values 65001-65535 are for private
   use among mutually consenting parties.

   Key Length
   ----------
   When using an Encryption Algorithm that has a variable length key, this
   attribute specifies the key length in bits (MUST use network byte order).
   This attribute MUST NOT be used when the specified Encryption Algorithm
   uses a fixed length key.

   Field Size
   ----------
   The field size, in bits, of a Diffie-Hellman group.

   Group Order
   -----------
   The group order of an elliptic curve group. Note that the length of this
   attribute depends on the field size.

Additional Exchanges Defined -- XCHG values

   Quick Mode                     32
   New Group Mode                 33

People
------
[Blake-Wilson] Simon Blake-Wilson, , October 2000.
[Fahn]         Paul Fahn, , January 2000.
[Leech]        Marcus Leech, , October 2000.
[Panjwani]     Prakash Panjwani, , May 2000.

References
----------
[RFC2409] Harkins, D., and D. Carrel, "The Internet Key Exchange", RFC 2409,
          November 1998.
[TIGER]   Anderson, R., and Biham, E., "Fast Software Encryption", Springer
          LNCS v. 1039, 1996.
[RFC3526] T. Kivinen and M. Kojo, "More MODP Diffie-Hellman groups for IKE",
          RFC 3526, May 2003.
[RFC3602] S. Frankel, R. Glenn, S. Kelly, "The AES-CBC Cipher Algorithm and
          Its Use with IPsec", RFC 3602, September 2003.
[RFC4312] A. Kato, S. Moriai, and M. Kanda, "The Camellia Cipher Algorithm
          and Its Use With IPsec", RFC 4312, December 2005.
[RFC4753] D. Fu, J. Solinas, "ECP Groups For IKE and IKEv2", RFC 4753,
          January 2007.
[RFC4754] D. Fu, J. Solinas, "IKE and IKEv2 Authentication Using ECDSA",
          RFC 4754, January 2007.
[RFC4868] S. Kelly, S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-384, and
          HMAC-SHA-512 with IPsec", RFC 4868, May 2007.
[RFC5114] M. Lepinski, S. Kent, "Additional Diffie-Hellman Groups for use
          with IETF Standards", RFC 5114, January 2008.
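The opening paragraph of the registry states the encoding rules that a phase-one parser has to enforce: basic (B) classes use Type/Value, variable (V) classes use Type/Length/Value, a basic class MUST NOT arrive as variable, and a variable class MAY arrive as basic when its value fits in two octets. The following is an added example, not part of the IANA registry or of any IKE implementation. It takes the class numbers, B/V types and value names from the tables above; the wire layout it assumes is the ISAKMP data attribute of RFC 2408 section 3.3, where the high bit of the two-octet type (the AF bit) distinguishes the two encodings. The `SAMPLE_PROPOSAL` bytes are constructed here for the demonstration.

```python
"""Parse ISAKMP data attributes from an IKE phase-one proposal and enforce the
B/V encoding rules of the registry. Added example; assumes the RFC 2408 3.3
wire format (AF bit = high bit of the type field)."""
import struct

AF_BIT = 0x8000  # set: Type/Value (basic); clear: Type/Length/Value (variable)

# Attribute class -> (name, "B" basic-only / "V" variable, may be sent as basic if it fits)
ATTRIBUTE_CLASSES = {
    1: ("Encryption Algorithm", "B"), 2: ("Hash Algorithm", "B"),
    3: ("Authentication Method", "B"), 4: ("Group Description", "B"),
    5: ("Group Type", "B"), 6: ("Group Prime/Irreducible Polynomial", "V"),
    7: ("Group Generator One", "V"), 8: ("Group Generator Two", "V"),
    9: ("Group Curve A", "V"), 10: ("Group Curve B", "V"),
    11: ("Life Type", "B"), 12: ("Life Duration", "V"), 13: ("PRF", "B"),
    14: ("Key Length", "B"), 15: ("Field Size", "B"), 16: ("Group Order", "V"),
}

# Value names for the enumerated classes (subset of the registry tables).
VALUE_NAMES = {
    1: {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC", 4: "RC5-R16-B64-CBC",
        5: "3DES-CBC", 6: "CAST-CBC", 7: "AES-CBC", 8: "CAMELLIA-CBC"},
    2: {1: "MD5", 2: "SHA", 3: "Tiger", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"},
    3: {1: "pre-shared key", 2: "DSS signatures", 3: "RSA signatures",
        4: "Encryption with RSA", 5: "Revised encryption with RSA",
        6: "Encryption with El-Gamal", 7: "Revised encryption with El-Gamal",
        8: "ECDSA signatures", 9: "ECDSA with SHA-256 on the P-256 curve",
        10: "ECDSA with SHA-384 on the P-384 curve",
        11: "ECDSA with SHA-512 on the P-521 curve"},
    4: {1: "768-bit MODP", 2: "1024-bit MODP", 5: "1536-bit MODP", 14: "2048-bit MODP",
        15: "3072-bit MODP", 16: "4096-bit MODP", 17: "6144-bit MODP", 18: "8192-bit MODP",
        19: "256-bit random ECP", 20: "384-bit random ECP", 21: "521-bit random ECP"},
    5: {1: "MODP", 2: "ECP", 3: "EC2N"},
    11: {1: "seconds", 2: "kilobytes"},
}


class IsakmpAttributeError(ValueError):
    """Malformed or non-conforming attribute encoding."""


def encode_basic(attr_type, value):
    """Type/Value: AF bit set, two-octet value (network byte order)."""
    return struct.pack("!HH", AF_BIT | attr_type, value)


def encode_variable(attr_type, raw):
    """Type/Length/Value: AF bit clear, two-octet length, then the value octets."""
    return struct.pack("!HH", attr_type, len(raw)) + raw


def parse_attributes(data):
    """Return a list of dicts, one per attribute; raise on truncation or B-as-V."""
    attrs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise IsakmpAttributeError("truncated attribute header")
        type_field, second = struct.unpack_from("!HH", data, offset)
        offset += 4
        attr_type, basic = type_field & 0x7FFF, bool(type_field & AF_BIT)
        if basic:
            raw = data[offset - 2:offset]  # the two value octets just consumed
        else:
            if len(data) - offset < second:
                raise IsakmpAttributeError("attribute length runs past end of data")
            raw = data[offset:offset + second]
            offset += second
        if attr_type in ATTRIBUTE_CLASSES:
            name, fmt = ATTRIBUTE_CLASSES[attr_type]
            # "Attributes described as basic MUST NOT be encoded as variable."
            if fmt == "B" and not basic:
                raise IsakmpAttributeError(
                    f"{name} (class {attr_type}) is basic but was encoded as variable")
            # A variable class sent as basic is allowed: its value fit in two octets.
        elif 17 <= attr_type <= 16383:
            name = f"reserved to IANA ({attr_type})"
        elif attr_type >= 16384:
            name = f"private use ({attr_type})"
        else:
            name = f"unassigned ({attr_type})"
        value = int.from_bytes(raw, "big") if raw else 0
        attrs.append({"class": attr_type, "name": name, "basic": basic,
                      "value": value, "label": VALUE_NAMES.get(attr_type, {}).get(value)})
    return attrs


def summarize(data):
    """'Name=label' strings, e.g. for logging what a peer proposed in phase one."""
    return [f"{a['name']}={a['label'] or a['value']}" for a in parse_attributes(data)]


# Constructed sample: AES-CBC/128, SHA2-256, PSK, 2048-bit MODP, 86400 s lifetime
# (Life Duration does not fit in two octets, so it is sent as variable).
SAMPLE_PROPOSAL = (
    encode_basic(1, 7) + encode_basic(14, 128) + encode_basic(2, 4) + encode_basic(3, 1)
    + encode_basic(4, 14) + encode_basic(11, 1)
    + encode_variable(12, (86400).to_bytes(4, "big"))
)

if __name__ == "__main__":
    for line in summarize(SAMPLE_PROPOSAL):
        print(line)
```

Rejecting a basic class that arrives in Type/Length/Value form, rather than silently reading whatever length the peer supplied, is the point of the `fmt == "B"` check: the registry's MUST NOT is what lets a parser bound how many octets an Encryption Algorithm or Key Length attribute may occupy.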