Internet Key Exchange (IKE) Attributes
2023-04-25
All registries listed below have been closed. See .
Attribute Assigned Numbers
Attributes negotiated during phase one use the following definitions.
Phase two attributes are defined in the applicable DOI specification
(for example, IPsec attributes are defined in the IPsec DOI), with the
exception of a group description when Quick Mode includes an ephemeral
Diffie-Hellman exchange. Attribute types can be either Basic (B) or
Variable-length (V). Encoding of these attributes is defined in the
base ISAKMP specification as Type/Value (Basic) and Type/Length/Value
(Variable).
Attributes described as basic MUST NOT be encoded as variable.
Variable length attributes MAY be encoded as basic attributes if their
value can fit into two octets. If this is the case, an attribute
offered as variable (or basic) by the initiator of this protocol MAY
be returned to the initiator as a basic (or variable).
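The encoding rules above can be enforced when parsing a transform's attribute list. The following is an added example, not part of the registry text. It assumes the data attribute layout of the base ISAKMP specification (RFC 2408, section 3.3): the high bit of the first two octets is the AF flag (1 = Type/Value, 0 = Type/Length/Value) and the remaining 15 bits are the attribute class. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Classes typed Basic (B) in the Attribute Classes table of this registry.
BASIC = {1, 2, 3, 4, 5, 11, 13, 14, 15}

class MalformedAttribute(ValueError):
    """Raised when an attribute list violates the encoding rules."""

def tv(attr_class, value):
    """Encode Type/Value: AF bit set, followed by a two-octet value."""
    return struct.pack("!HH", 0x8000 | attr_class, value)

def tlv(attr_class, raw):
    """Encode Type/Length/Value: AF bit clear, length in octets, then the value."""
    return struct.pack("!HH", attr_class, len(raw)) + raw

def parse_attributes(data):
    """Return [(class, encoding, value)]; raise MalformedAttribute on bad input."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise MalformedAttribute(f"truncated attribute header at offset {off}")
        first, second = struct.unpack_from("!HH", data, off)
        off += 4
        attr_class = first & 0x7FFF
        if first & 0x8000:
            # Type/Value: allowed for Basic classes, and for Variable classes
            # whose value fits into two octets.
            out.append((attr_class, "TV", second))
            continue
        # Type/Length/Value: 'second' is the value length in octets.
        if attr_class in BASIC:
            raise MalformedAttribute(f"class {attr_class} is Basic but sent as TLV")
        if second > len(data) - off:
            raise MalformedAttribute(f"class {attr_class} length {second} overruns buffer")
        out.append((attr_class, "TLV", int.from_bytes(data[off:off + second], "big")))
        off += second
    return out

# Constructed sample: AES-CBC, 256-bit key, SHA2-256, pre-shared key, group 14,
# Life Type seconds, Life Duration 86400 sent as a four-octet variable attribute.
SAMPLE = (tv(1, 7) + tv(14, 256) + tv(2, 4) + tv(3, 1) + tv(4, 14)
          + tv(11, 1) + tlv(12, (86400).to_bytes(4, "big")))

if __name__ == "__main__":
    for item in parse_attributes(SAMPLE):
        print(item)
```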
Attribute Classes
Registry closed
Value         Class                                  Type
-----------   ------------------------------------   ----
1             Encryption Algorithm                   B
2             Hash Algorithm                         B
3             Authentication Method                  B
4             Group Description                      B
5             Group Type                             B
6             Group Prime/Irreducible Polynomial     V
7             Group Generator One                    V
8             Group Generator Two                    V
9             Group Curve A                          V
10            Group Curve B                          V
11            Life Type                              B
12            Life Duration                          V
13            PRF                                    B
14            Key Length                             B
15            Field Size                             B
16            Group Order                            V
17-16383      Unassigned
16384-32767   Reserved for private use
Encryption Algorithm Class Values (Value 1)
Registry closed
Value         Encryption Algorithm
-----------   ------------------------
0             Reserved
1             DES-CBC
2             IDEA-CBC
3             Blowfish-CBC
4             RC5-R16-B64-CBC
5             3DES-CBC
6             CAST-CBC
7             AES-CBC
8             CAMELLIA-CBC
9-65000       Unassigned
65001-65535   Reserved for private use
Hash Algorithm (Value 2)
Registry closed
Value         Hash Algorithm             Reference
-----------   ------------------------   ---------------------------------------------
0             Reserved
1             MD5
2             SHA                        NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995.
3             Tiger                      Anderson, R., and Biham, E., "Fast Software Encryption", Springer LNCS v. 1039, 1996.
4             SHA2-256
5             SHA2-384
6             SHA2-512
7-65000       Unassigned
65001-65535   Reserved for private use
IPSEC Authentication Methods (Value 3)
Registry closed
Value         Authentication Method
-----------   ------------------------------------------------
0             Reserved
1             pre-shared key
2             DSS signatures
3             RSA signatures
4             Encryption with RSA
5             Revised encryption with RSA
6             Reserved (was Encryption with El-Gamal)
7             Reserved (was Revised encryption with El-Gamal)
8             Reserved (was ECDSA signatures)
9             ECDSA with SHA-256 on the P-256 curve
10            ECDSA with SHA-384 on the P-384 curve
11            ECDSA with SHA-512 on the P-521 curve
12-65000      Unassigned
65001-65535   Reserved for private use
Group Description (Value 4)
These values were reserved as per draft-ipsec-ike-ecc-groups
which never made it to the RFC. These values might be used by some
implementations as currently registered in the registry, but new
implementations should not use them.
Registry closed
Value         Group                                                  Reference
-----------   ----------------------------------------------------   ------------------------------
0             Reserved
1             default 768-bit MODP group                             Section 6.1
2             alternate 1024-bit MODP group                          Section 6.2
3             EC2N group on GP[2^155]                                Section 6.3
4             EC2N group on GP[2^185]                                Section 6.4
5             1536-bit MODP group                                    Section 2
6             EC2N group over GF[2^163] (see Note)                   Section 2.1
7             EC2N group over GF[2^163] (see Note)                   Section 2.2
8             EC2N group over GF[2^283] (see Note)                   Section 2.3
9             EC2N group over GF[2^283] (see Note)                   Section 2.4
10            EC2N group over GF[2^409] (see Note)                   Section 2.5
11            EC2N group over GF[2^409] (see Note)                   Section 2.6
12            EC2N group over GF[2^571] (see Note)                   Section 2.7
13            EC2N group over GF[2^571] (see Note)                   Section 2.8
14            2048-bit MODP group                                    Section 3
15            3072-bit MODP group                                    Section 4
16            4096-bit MODP group                                    Section 5
17            6144-bit MODP group                                    Section 6
18            8192-bit MODP group                                    Section 7
19            256-bit random ECP group
20            384-bit random ECP group
21            521-bit random ECP group
22            1024-bit MODP Group with 160-bit Prime Order Subgroup
23            2048-bit MODP Group with 224-bit Prime Order Subgroup
24            2048-bit MODP Group with 256-bit Prime Order Subgroup
25            192-bit Random ECP Group
26            224-bit Random ECP Group
27            224-bit Brainpool ECP group                            Section 2.1. Not for RFC 2409.
28            256-bit Brainpool ECP group                            Section 2.2. Not for RFC 2409.
29            384-bit Brainpool ECP group                            Section 2.3. Not for RFC 2409.
30            512-bit Brainpool ECP group                            Section 2.4. Not for RFC 2409.
31-32767      Unassigned
32768-65535   Reserved for private use
Group Type (Value 5)
Registry closed
Value         Group Type
-----------   ----------------------------------------
0             Reserved
1             MODP (modular exponentiation group)
2             ECP (elliptic curve group over GF[P])
3             EC2N (elliptic curve group over GF[2^N])
4-65000       Unassigned
65001-65535   Reserved for private use
Life Type (Value 11)
For a given "Life Type" the value of the "Life Duration" attribute defines
the actual length of the SA life -- either a number of seconds, or a number
of kbytes protected.
Registry closed
Value         Life Type
-----------   ------------------------
0             Reserved
1             seconds
2             kilobytes
3-65000       Unassigned
65001-65535   Reserved for private use
PRF (Value 13)
Registry closed
Exchange Type
Registry closed
DOI Specific use is the Additional Exchanges Defined registry
Value         Exchange Type
-----------   ------------------------
0             NONE
1             Base
2             Identity Protection
3             Authentication Only
4             Aggressive
5             Informational
6-31          ISAKMP Future Use
32-239        DOI Specific Use
240-255       Private Use
Additional Exchanges Defined-- XCHG values
Registry closed
Value         Exchange
-----------   ------------------------
32            Quick Mode
33            New Group Mode
ISAKMP Domain of Interpretation (DOI)
Registry closed
The Domain of Interpretation is a 32-bit value which identifies the
context in which the Security Association payload is to be evaluated.
Requests for assignments of new domain of interpretation identifiers
must be accompanied by a public specification, such as an Internet RFC.
Value         DOI
-----------   ------------------------
0             ISAKMP
1             IPSEC
2             GDOI
Next Payload Types
The Next Payload type is an 8-bit value that indicates the type of the
next payload in the message.
Registry closed
Value         Next Payload Type                Reference
-----------   ------------------------------   ---------
0             NONE
1             Security Association (SA)
2             Proposal (P)
3             Transform (T)
4             Key Exchange (KE)
5             Identification (ID)
6             Certificate (CERT)
7             Certificate Request (CR)
8             Hash (HASH)
9             Signature (SIG)
10            Nonce (NONCE)
11            Notification (N)
12            Delete (D)
13            Vendor ID (VID)
14            Reserved, not to be used         Dukes
15            SA KEK Payload (SAK)
16            SA TEK Payload (SAT)
17            Key Download (KD)
18            Sequence Number (SEQ)
19            Proof of Possession (POP)
20            NAT Discovery (NAT-D)
21            NAT Original Address (NAT-OA)
22            Group Associated Policy (GAP)
23-127        Unassigned
128-255       Reserved for private use
Notify Message Types
Range           Status            Use
-------------   ---------------   -------------------------
1 - 8191        Registry closed   Error types
8192 - 16383    Registry closed   DOI-Specific Error types
16384 - 24575   Registry closed   Status types RESERVED
24576 - 32767   Registry closed   DOI-specific Status codes
32768 - 40959   Registry closed   Private Use
40960 - 65535   Registry closed   RESERVED
Notify Messages - Error Types (1-8191)
Registry closed
Value         Error Type
-----------   ---------------------------
1             INVALID-PAYLOAD-TYPE
2             DOI-NOT-SUPPORTED
3             SITUATION-NOT-SUPPORTED
4             INVALID-COOKIE
5             INVALID-MAJOR-VERSION
6             INVALID-MINOR-VERSION
7             INVALID-EXCHANGE-TYPE
8             INVALID-FLAGS
9             INVALID-MESSAGE-ID
10            INVALID-PROTOCOL-ID
11            INVALID-SPI
12            INVALID-TRANSFORM-ID
13            ATTRIBUTES-NOT-SUPPORTED
14            NO-PROPOSAL-CHOSEN
15            BAD-PROPOSAL-SYNTAX
16            PAYLOAD-MALFORMED
17            INVALID-KEY-INFORMATION
18            INVALID-ID-INFORMATION
19            INVALID-CERT-ENCODING
20            INVALID-CERTIFICATE
21            CERT-TYPE-UNSUPPORTED
22            INVALID-CERT-AUTHORITY
23            INVALID-HASH-INFORMATION
24            AUTHENTICATION-FAILED
25            INVALID-SIGNATURE
26            ADDRESS-NOTIFICATION
27            NOTIFY-SA-LIFETIME
28            CERTIFICATE-UNAVAILABLE
29            UNSUPPORTED-EXCHANGE-TYPE
30            UNEQUAL-PAYLOAD-LENGTHS
31-8191       RESERVED (Future Use)
Notify Messages - Status Types (16384-24575)
Registry closed
Value         Status Type
-----------   ---------------------
16384         CONNECTED
16385-24575   RESERVED (Future Use)