Security Architecture for the Internet Protocol
RFC 1825

Document Type RFC - Proposed Standard (August 1995; No errata)
Obsoleted by RFC 2401
Last updated 2013-03-02
Replaces draft-ietf-ipngwg-sec
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 1825 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                        R. Atkinson
Request for Comments: 1825                     Naval Research Laboratory
Category: Standards Track                                    August 1995

            Security Architecture for the Internet Protocol

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

1. INTRODUCTION

   This memo describes the security mechanisms for IP version 4 (IPv4)
   and IP version 6 (IPv6) and the services that they provide.  Each
   security mechanism is specified in a separate document.  This
   document also describes key management requirements for systems
   implementing those security mechanisms.  This document is not an
   overall Security Architecture for the Internet and is instead focused
   on IP-layer security.

1.1 Technical Definitions

   This section provides a few basic definitions that are applicable to
   this document.  Other documents provide more definitions and
   background information [VK83, HA94].

   Authentication
           The property of knowing that the data received is the same as
           the data that was sent and that the claimed sender is in fact
           the actual sender.

   Integrity
           The property of ensuring that data is transmitted from source
           to destination without undetected alteration.

   Confidentiality
           The property of communicating such that the intended
           recipients know what was being sent but unintended
           parties cannot determine what was sent.

   Encryption
           A mechanism commonly used to provide confidentiality.

Atkinson                    Standards Track                     [Page 1]
RFC 1825              Security Architecture for IP           August 1995

   Non-repudiation
           The property of a receiver being able to prove that the sender
           of some data did in fact send the data even though the sender
           might later desire to deny ever having sent that data.

   SPI
           Acronym for "Security Parameters Index".  An unstructured
           opaque index which is used in conjunction with the
           Destination Address to identify a particular Security
           Association.

   Security Association
           The set of security information relating to a given network
           connection or set of connections.  This is described in
           detail below.

   Traffic Analysis
           The analysis of network traffic flow for the purpose of
           deducing information that is useful to an adversary.
           Examples of such information are frequency of transmission,
           the identities of the conversing parties, sizes of packets,
           Flow Identifiers used, etc. [Sch94].

1.2 Requirements Terminology

   In this document, the words that are used to define the significance
   of each particular requirement are usually capitalised.  These words
   are:

   - MUST

      This word or the adjective "REQUIRED" means that the item is an
      absolute requirement of the specification.

   - SHOULD

      This word or the adjective "RECOMMENDED" means that there might
      exist valid reasons in particular circumstances to ignore this
      item, but the full implications should be understood and the case
      carefully weighed before taking a different course.

   - MAY

      This word or the adjective "OPTIONAL" means that this item is
      truly optional.  One vendor might choose to include the item
      because a particular marketplace requires it or because it
      enhances the product, for example; another vendor may omit the
      same item.

Atkinson                    Standards Track                     [Page 2]
RFC 1825              Security Architecture for IP           August 1995

1.3 Typical Use

   There are two specific headers that are used to provide security
   services in IPv4 and IPv6.  These headers are the "IP Authentication
   Header (AH)" [Atk95a] and the "IP Encapsulating Security Payload
   (ESP)" [Atk95b] header.  There are a number of ways in which these IP
   security mechanisms might be used.  This section describes some of
   the more likely uses.  These descriptions are not complete or
   exhaustive.  Other uses can also be envisioned.

   The IP Authentication Header is designed to provide integrity and
   authentication without confidentiality to IP datagrams.  The lack of
   confidentiality ensures that implementations of the Authentication
   Header will be widely available on the Internet, even in locations
   where the export, import, or use of encryption to provide
   confidentiality is regulated.  The Authentication Header supports
Show full document text