datatracker.ietf.org
Sign in
Version 5.6.2.p1, 2014-07-22
Report a bug

Security Architecture for the Internet Protocol
RFC 4301

Document type: RFC - Proposed Standard (December 2005; Errata)
Updated by RFC 6040
Obsoletes RFC 2401
Updates RFC 3168
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4301 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: byfraser@cisco.com, tytso@mit.edu

Network Working Group                                            S. Kent
Request for Comments: 4301                                        K. Seo
Obsoletes: 2401                                         BBN Technologies
Category: Standards Track                                  December 2005

            Security Architecture for the Internet Protocol

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes an updated version of the "Security
   Architecture for IP", which is designed to provide security services
   for traffic at the IP layer.  This document obsoletes RFC 2401
   (November 1998).

Dedication

   This document is dedicated to the memory of Charlie Lynn, a long-time
   senior colleague at BBN, who made very significant contributions to
   the IPsec documents.

Kent & Seo                  Standards Track                     [Page 1]
RFC 4301              Security Architecture for IP         December 2005

Table of Contents

   1. Introduction ....................................................4
      1.1. Summary of Contents of Document ............................4
      1.2. Audience ...................................................4
      1.3. Related Documents ..........................................5
   2. Design Objectives ...............................................5
      2.1. Goals/Objectives/Requirements/Problem Description ..........5
      2.2. Caveats and Assumptions ....................................6
   3. System Overview .................................................7
      3.1. What IPsec Does ............................................7
      3.2. How IPsec Works ............................................9
      3.3. Where IPsec Can Be Implemented ............................10
   4. Security Associations ..........................................11
      4.1. Definition and Scope ......................................12
      4.2. SA Functionality ..........................................16
      4.3. Combining SAs .............................................17
      4.4. Major IPsec Databases .....................................18
           4.4.1. The Security Policy Database (SPD) .................19
                  4.4.1.1. Selectors .................................26
                  4.4.1.2. Structure of an SPD Entry .................30
                  4.4.1.3. More Regarding Fields Associated
                           with Next Layer Protocols .................32
           4.4.2. Security Association Database (SAD) ................34
                  4.4.2.1. Data Items in the SAD .....................36
                  4.4.2.2. Relationship between SPD, PFP
                           flag, packet, and SAD .....................38
           4.4.3. Peer Authorization Database (PAD) ..................43
                  4.4.3.1. PAD Entry IDs and Matching Rules ..........44
                  4.4.3.2. IKE Peer Authentication Data ..............45
                  4.4.3.3. Child SA Authorization Data ...............46
                  4.4.3.4. How the PAD Is Used .......................46
      4.5. SA and Key Management .....................................47
           4.5.1. Manual Techniques ..................................48
           4.5.2. Automated SA and Key Management ....................48
           4.5.3. Locating a Security Gateway ........................49
      4.6. SAs and Multicast .........................................50
   5. IP Traffic Processing ..........................................50
      5.1. Outbound IP Traffic Processing
           (protected-to-unprotected) ................................52
           5.1.1. Handling an Outbound Packet That Must Be
                  Discarded ..........................................54
           5.1.2. Header Construction for Tunnel Mode ................55
                  5.1.2.1. IPv4: Header Construction for
                           Tunnel Mode ...............................57
                  5.1.2.2. IPv6: Header Construction for
                           Tunnel Mode ...............................59
      5.2. Processing Inbound IP Traffic (unprotected-to-protected) ..59

Kent & Seo                  Standards Track                     [Page 2]
RFC 4301              Security Architecture for IP         December 2005

[include full document text]