Security Architecture for the Internet Protocol
RFC 4301
| Field | Value |
|---|---|
| Type | RFC - Proposed Standard (December 2005; Errata) |
| Obsoletes | RFC 2401 |
| Updates | RFC 3168 |
| Authors | Karen Seo, Stephen Kent |
| Last updated | 2020-01-21 |
| Stream | Internet Engineering Task Force (IETF) |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 4301 (Proposed Standard) |
| Action Holders | (None) |
| Consensus Boilerplate | Unknown |
| Responsible AD | Russ Housley |
| Send notices to | (None) |
Network Working Group                                            S. Kent
Request for Comments: 4301                                        K. Seo
Obsoletes: 2401                                         BBN Technologies
Category: Standards Track                                  December 2005

           Security Architecture for the Internet Protocol

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes an updated version of the "Security
   Architecture for IP", which is designed to provide security services
   for traffic at the IP layer.  This document obsoletes RFC 2401
   (November 1998).

Dedication

   This document is dedicated to the memory of Charlie Lynn, a long-time
   senior colleague at BBN, who made very significant contributions to
   the IPsec documents.

Kent & Seo                  Standards Track                     [Page 1]

RFC 4301              Security Architecture for IP         December 2005

Table of Contents

   1. Introduction ....................................................4
      1.1. Summary of Contents of Document ............................4
      1.2. Audience ...................................................4
      1.3. Related Documents ..........................................5
   2. Design Objectives ...............................................5
      2.1. Goals/Objectives/Requirements/Problem Description ..........5
      2.2. Caveats and Assumptions ....................................6
   3. System Overview .................................................7
      3.1. What IPsec Does ............................................7
      3.2. How IPsec Works ............................................9
      3.3. Where IPsec Can Be Implemented ............................10
   4. Security Associations ..........................................11
      4.1. Definition and Scope ......................................12
      4.2. SA Functionality ..........................................16
      4.3. Combining SAs .............................................17
      4.4. Major IPsec Databases .....................................18
           4.4.1. The Security Policy Database (SPD) .................19
                  4.4.1.1. Selectors .................................26
                  4.4.1.2. Structure of an SPD Entry .................30
                  4.4.1.3. More Regarding Fields Associated with
                           Next Layer Protocols ......................32
           4.4.2. Security Association Database (SAD) ................34
                  4.4.2.1. Data Items in the SAD .....................36
                  4.4.2.2. Relationship between SPD, PFP flag,
                           packet, and SAD ...........................38
           4.4.3. Peer Authorization Database (PAD) ..................43
                  4.4.3.1. PAD Entry IDs and Matching Rules ..........44
                  4.4.3.2. IKE Peer Authentication Data ..............45
                  4.4.3.3. Child SA Authorization Data ...............46
                  4.4.3.4. How the PAD Is Used .......................46
      4.5. SA and Key Management .....................................47
           4.5.1. Manual Techniques ..................................48
           4.5.2. Automated SA and Key Management ....................48
           4.5.3. Locating a Security Gateway ........................49
      4.6. SAs and Multicast .........................................50
   5. IP Traffic Processing ..........................................50
      5.1. Outbound IP Traffic Processing
           (protected-to-unprotected) ................................52
           5.1.1. Handling an Outbound Packet That Must Be
                  Discarded ..........................................54
           5.1.2. Header Construction for Tunnel Mode ................55
                  5.1.2.1. IPv4: Header Construction for
                           Tunnel Mode ...............................57
                  5.1.2.2. IPv6: Header Construction for
                           Tunnel Mode ...............................59
      5.2. Processing Inbound IP Traffic (unprotected-to-protected) ..59
   6. ICMP Processing ................................................63
      6.1. Processing ICMP Error Messages Directed to an IPsec
           Implementation ............................................63