FROM RFC 2407 and RFC 2408 "Magic Numbers" for ISAKMP Protocol

(last updated 2006-10-24)

- IPSEC Situation Definition
- IPSEC Security Protocol Identifiers
- IPSEC ISAKMP Transform Identifiers
- IPSEC AH Transform Identifiers
- IPSEC ESP Transform Identifiers
- IPSEC IPCOMP Transform Identifiers
- IPSEC Security Association Attributes
  - Class Values Details
- IPSEC Labeled Domain Identifiers
- IPSEC Identification Type
- IPSEC Notify Message Types
- ISAKMP Domain of Interpretation (DOI)
- Next Payload Types

IPSEC Situation Definition
==========================

The Situation Definition is a 32-bit bitmask which represents the environment under which the IPSEC SA proposal and negotiation is carried out. Requests for assignments of new situations must be accompanied by an RFC which describes the interpretation for the associated bit. If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.

Situation           Value   Reference
---------           -----   ---------
SIT_IDENTITY_ONLY   0x01    [RFC2407]
SIT_SECRECY         0x02    [RFC2407]
SIT_INTEGRITY       0x04    [RFC2407]

The upper two bits are reserved for private use amongst cooperating systems.

IPSEC Security Protocol Identifiers
===================================

The Security Protocol Identifier is an 8-bit value which identifies a security protocol suite being negotiated. Requests for assignments of new security protocol identifiers must be accompanied by an RFC which describes the requested security protocol. [AH] and [ESP] are examples of security protocol documents. If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.
Protocol ID            Value   Reference
-----------            -----   ---------
RESERVED               0       [RFC2407]
PROTO_ISAKMP           1       [RFC2407]
PROTO_IPSEC_AH         2       [RFC2407]
PROTO_IPSEC_ESP        3       [RFC2407]
PROTO_IPCOMP           4       [RFC2407]
PROTO_GIGABEAM_RADIO   5       [RFC4705]

The values 249-255 are reserved for private use amongst cooperating systems.

IPSEC ISAKMP Transform Identifiers
==================================

The IPSEC ISAKMP Transform Identifier is an 8-bit value which identifies a key exchange protocol to be used for the negotiation. Requests for assignments of new ISAKMP transform identifiers must be accompanied by an RFC which describes the requested key exchange protocol. [IKE] is an example of one such document. If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.

Transform   Value   Reference
---------   -----   ---------
RESERVED    0       [RFC2407]
KEY_IKE     1       [RFC2407]

The values 249-255 are reserved for private use amongst cooperating systems.

IPSEC AH Transform Identifiers
==============================

The IPSEC AH Transform Identifier is an 8-bit value which identifies a particular algorithm to be used to provide integrity protection for AH. Requests for assignments of new AH transform identifiers must be accompanied by an RFC which describes how to use the algorithm within the AH framework ([AH]). If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.
Transform ID       Value   Reference
------------       -----   ---------
RESERVED           0-1     [RFC2407]
AH_MD5             2       [RFC2407]
AH_SHA             3       [RFC2407]
AH_DES             4       [RFC2407]
AH_SHA2-256        5       [Leech]
AH_SHA2-384        6       [Leech]
AH_SHA2-512        7       [Leech]
AH_RIPEMD          8       [RFC2857]
AH_AES-XCBC-MAC    9       [RFC3566]
AH_RSA             10      [RFC4359]

The values 249-255 are reserved for private use amongst cooperating systems.

IPSEC ESP Transform Identifiers
===============================

The IPSEC ESP Transform Identifier is an 8-bit value which identifies a particular algorithm to be used to provide secrecy protection for ESP. Requests for assignments of new ESP transform identifiers must be accompanied by an RFC which describes how to use the algorithm within the ESP framework ([ESP]). If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.

Transform ID      Value   Reference
------------      -----   ---------
RESERVED          0       [RFC2407]
ESP_DES_IV64      1       [RFC2407]
ESP_DES           2       [RFC2407]
ESP_3DES          3       [RFC2407]
ESP_RC5           4       [RFC2407]
ESP_IDEA          5       [RFC2407]
ESP_CAST          6       [RFC2407]
ESP_BLOWFISH      7       [RFC2407]
ESP_3IDEA         8       [RFC2407]
ESP_DES_IV32      9       [RFC2407]
ESP_RC4           10      [RFC2407]
ESP_NULL          11      [RFC2407]
ESP_AES-CBC       12      [RFC3602]
ESP_AES-CTR       13      [RFC3686]
ESP_AES-CCM_8     14      [RFC4309]
ESP_AES-CCM_12    15      [RFC4309]
ESP_AES-CCM_16    16      [RFC4309]
Unassigned        17
ESP_AES-GCM_8     18      [RFC4106]
ESP_AES-GCM_12    19      [RFC4106]
ESP_AES-GCM_16    20      [RFC4106]
ESP_SEED_CBC      21      [RFC4196]
ESP_CAMELLIA      22      [RFC4312]

The values 249-255 are reserved for private use amongst cooperating systems.

IPSEC IPCOMP Transform Identifiers
==================================

The IPSEC IPCOMP Transform Identifier is an 8-bit value which identifies a particular algorithm to be used to provide IP-level compression before ESP.
Requests for assignments of new IPCOMP transform identifiers must be accompanied by an RFC which describes how to use the algorithm within the IPCOMP framework ([IPCOMP]). In addition, the requested algorithm must be published and in the public domain. If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.

Transform ID     Value   Reference
------------     -----   ---------
RESERVED         0       [RFC2407]
IPCOMP_OUI       1       [RFC2407]
IPCOMP_DEFLATE   2       [RFC2407]
IPCOMP_LZS       3       [RFC2407]
IPCOMP_LZJH      4       [RFC3051]

The values 1-47 are reserved for algorithms for which an RFC has been approved for publication. The values 48-63 are reserved for private use amongst cooperating systems. The values 64-255 are reserved for future expansion.

IPSEC Security Association Attributes
=====================================

The IPSEC Security Association Attribute consists of a 16-bit type and its associated value. IPSEC SA attributes are used to pass miscellaneous values between ISAKMP peers. Requests for assignments of new IPSEC SA attributes must be accompanied by an Internet Draft which describes the attribute encoding (Basic/Variable-Length) and its legal values. Section 4.5 of [RFC2407] provides an example of such a description.

Attribute Types

Class                               Value   Type   Reference
-----                               -----   ----   ---------
SA Life Type                        1       B      [RFC2407]
SA Life Duration                    2       V      [RFC2407]
Group Description                   3       B      [RFC2407]
Encapsulation Mode                  4       B      [RFC2407]
Authentication Algorithm            5       B      [RFC2407]
Key Length                          6       B      [RFC2407]
Key Rounds                          7       B      [RFC2407]
Compress Dictionary Size            8       B      [RFC2407]
Compress Private Algorithm          9       V      [RFC2407]
ECN Tunnel                          10      B      [RFC3168]
Extended (64-bit) Sequence Number   11      B      [RFC4304]
Authentication Key Length           12      V      [RFC4359]
Signature Encoding Algorithm        13      B      [RFC4359]

The values 32001-32767 are reserved for private use amongst cooperating systems.
Class Values Details
--------------------

SA Life Type Values

Name        Value   Reference
----        -----   ---------
Reserved    0       [RFC2407]
seconds     1       [RFC2407]
kilobytes   2       [RFC2407]

Values 3-61439 are reserved to IANA. Values 61440-65535 are for private use.

Group Description (?)

Encapsulation Mode

Name                         Value   Reference
----                         -----   ---------
Reserved                     0       [RFC2407]
Tunnel                       1       [RFC2407]
Transport                    2       [RFC2407]
UDP-Encapsulated-Tunnel      3       [RFC3947]
UDP-Encapsulated-Transport   4       [RFC3947]

Values 3-61439 are reserved to IANA. Values 61440-65535 are for private use.

Authentication Algorithm

Name            Value   Reference
----            -----   ---------
Reserved        0       [RFC2407]
HMAC-MD5        1       [RFC2407]
HMAC-SHA        2       [RFC2407]
DES-MAC         3       [RFC2407]
KPDK            4       [RFC2407]
HMAC-SHA2-256   5       [Leech]
HMAC-SHA2-384   6       [Leech]
HMAC-SHA2-512   7       [Leech]
HMAC-RIPEMD     8       [RFC2857]
AES-XCBC-MAC    9       [RFC3566]
SIG-RSA         10      [RFC4359]

Values 11-61439 are reserved to IANA. Values 61440-65535 are for private use.

Key Length

Name       Value   Reference
----       -----   ---------
Reserved   0       [RFC2407]

Key Rounds

Name       Value   Reference
----       -----   ---------
Reserved   0       [RFC2407]

Compression Dictionary Size

Name       Value   Reference
----       -----   ---------
Reserved   0       [RFC2407]

Compression Private Algorithm (?)

ECN Tunnel

Name        Value
----        -----
RESERVED    0
Allowed     1
Forbidden   2

Values 3-61439 are reserved to IANA. Values 61440-65535 are for private use. If unspecified, the default shall be assumed to be Forbidden.

Extended (64-bit) Sequence Number [RFC4304]

Name                     Value   Reference
----                     -----   ---------
RESERVED                 0       [RFC4304]
64-bit Sequence Number   1       [RFC4304]

Signature Encoding Algorithm Values - per [RFC4359]

Name                Value         Reference
-------------       -----         ---------
Reserved            0             [RFC4359]
RSASSA-PKCS1-v1_5   1             [RFC4359]
RSASSA-PSS          2             [RFC4359]
Reserved to IANA    3-61439       (Standards Action)
Private Use         61440-65535

IPSEC Labeled Domain Identifiers
================================

The IPSEC Labeled Domain Identifier is a 32-bit value which identifies a namespace in which the Secrecy and Integrity levels and categories values are said to exist.
Requests for assignments of new IPSEC Labeled Domain Identifiers should be granted on demand. No accompanying documentation is required, though Internet Drafts are encouraged when appropriate.

Domain     Value   Reference
------     -----   ---------
Reserved   0       [RFC2407]

The values 0x80000000-0xffffffff are reserved for private use amongst cooperating systems.

IPSEC Identification Type
=========================

The IPSEC Identification Type is an 8-bit value which is used as a discriminant for interpretation of the variable-length Identification Payload. Requests for assignments of new IPSEC Identification Types must be accompanied by an RFC which describes how to use the identification type within IPSEC. If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.

ID Type               Value   Reference
-------               -----   ---------
RESERVED              0       [RFC2407]
ID_IPV4_ADDR          1       [RFC2407]
ID_FQDN               2       [RFC2407]
ID_USER_FQDN          3       [RFC2407]
ID_IPV4_ADDR_SUBNET   4       [RFC2407]
ID_IPV6_ADDR          5       [RFC2407]
ID_IPV6_ADDR_SUBNET   6       [RFC2407]
ID_IPV4_ADDR_RANGE    7       [RFC2407]
ID_IPV6_ADDR_RANGE    8       [RFC2407]
ID_DER_ASN1_DN        9       [RFC2407]
ID_DER_ASN1_GN        10      [RFC2407]
ID_KEY_ID             11      [RFC2407]
ID_LIST               12      [RFC3554]

The values 249-255 are reserved for private use amongst cooperating systems.

IPSEC Notify Message Types
==========================

The IPSEC Notify Message Type is a 16-bit value taken from the range of values reserved by ISAKMP for each DOI. There is one range for error messages (8192-16383) and a different range for status messages (24576-32767). Requests for assignments of new Notify Message Types must be accompanied by an Internet Draft which describes how to use the identification type within IPSEC.
Notify Messages - Error Types   Value   Reference
-----------------------------   -----   ---------
Reserved                        8192    [RFC2407]

Notify Messages - Status Types   Value   Reference
------------------------------   -----   ---------
RESPONDER-LIFETIME               24576   [RFC2407]
REPLAY-STATUS                    24577   [RFC2407]
INITIAL-CONTACT                  24578   [RFC2407]

The values 16001-16383 and the values 32001-32767 are reserved for private use amongst cooperating systems.

ISAKMP Domain of Interpretation (DOI)
=====================================

The Domain of Interpretation is a 32-bit value which identifies the context in which the Security Association payload is to be evaluated. Requests for assignments of new domain of interpretation identifiers must be accompanied by a public specification, such as an Internet RFC.

DOI      Value   Reference
---      -----   ---------
ISAKMP   0       [RFC2408]
IPSEC    1       [RFC2407]
GDOI     2       [RFC3547]

Next Payload Types
==================

The Next Payload type is an 8-bit value that indicates the type of the next payload in the message.

Next Payload Type              Value   Reference
-----------------              -----   ---------
NONE                           0       [RFC2408]
Security Association (SA)      1       [RFC2408]
Proposal (P)                   2       [RFC2408]
Transform (T)                  3       [RFC2408]
Key Exchange (KE)              4       [RFC2408]
Identification (ID)            5       [RFC2408]
Certificate (CERT)             6       [RFC2408]
Certificate Request (CR)       7       [RFC2408]
Hash (HASH)                    8       [RFC2408]
Signature (SIG)                9       [RFC2408]
Nonce (NONCE)                  10      [RFC2408]
Notification (N)               11      [RFC2408]
Delete (D)                     12      [RFC2408]
Vendor ID (VID)                13      [RFC2408]
Reserved, not to be used       14      [Dukes]
SA KEK Payload (SAK)           15      [RFC3547]
SA TEK Payload (SAT)           16      [RFC3547]
Key Download (KD)              17      [RFC3547]
Sequence Number (SEQ)          18      [RFC3547]
Proof of Possession (POP)      19      [RFC3547]
NAT Discovery (NAT-D)          20      [RFC3947]
NAT Original Address (NAT-OA)  21      [RFC3947]

The values 128-255 are reserved for private use amongst cooperating systems.

References
----------

[RFC2407] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, Network Alchemy, November 1998.
[RFC2408] Maughan, D., Schertler, M., Schneider, M., and J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)", RFC 2408, November 1998.

[RFC2857] Keromytis, A. and N. Provos, "The Use of HMAC-RIPEMD-160-96 within ESP and AH", RFC 2857, June 2000.

[RFC3051] Heath, J. and J. Border, "IP Payload Compression Using ITU-T V.44 Packet Method", RFC 3051, January 2001.

[RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition of Explicit Congestion Notification (ECN) to IP", RFC 3168, September 2001.

[RFC3547] Baugher, M., Hardjono, T., Harney, H., and B. Weis, "The Group Domain of Interpretation", RFC 3547, July 2003.

[RFC3554] Bellovin, S., Ioannidis, J., Keromytis, A., and R. Stewart, "On the Use of SCTP with IPsec", RFC 3554, July 2003.

[RFC3566] Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec", RFC 3566, September 2003.

[RFC3602] Frankel, S., Kelly, S., and R. Glenn, "The AES Cipher Algorithm and Its Use With IPsec", RFC 3602, September 2003.

[RFC3686] Housley, R., "Using AES Counter Mode With IPsec ESP", RFC 3686, January 2004.

[RFC3947] Kivinen, T., Huttunen, A., Swander, B., and V. Volpe, "Negotiation of NAT-Traversal in the IKE", RFC 3947, January 2005.

[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode (GCM) in IPsec ESP", RFC 4106, June 2005.

[RFC4196] Lee, H., Yoon, J., Lee, S., and J. Lee, "The SEED Cipher Algorithm and Its Use With IPSec", RFC 4196, October 2005.

[RFC4304] Kent, S., "Extended Sequence Number Addendum to IPsec DOI for ISAKMP", RFC 4304, December 2005.

[RFC4309] Housley, R., "Using AES CCM Mode With IPsec ESP", RFC 4309, December 2005.

[RFC4312] Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher Algorithm and Its Use With IPsec", RFC 4312, December 2005.

[RFC4359] Weis, B., "The Use of RSA/SHA-1 Signatures within ESP and AH", RFC 4359, January 2006.

[RFC4705] Housley, R. and A. Corry, "GigaBeam High-Speed Radio Link Encryption", RFC 4705, October 2006.
People
------

[Dukes] Darren Dukes, March 2001.

[Leech] Marcus Leech, October 2000.