Security Architecture for the Internet Protocol
RFC 4301
Document Type RFC - Proposed Standard (December 2005; Errata)
Updated by RFC 7619, RFC 6040
Obsoletes RFC 2401
Updates RFC 3168
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4301 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Email authors IPR 1 References Referenced by Nits 
Network Working Group                                            S. Kent
Request for Comments: 4301                                        K. Seo
Obsoletes: 2401                                         BBN Technologies
Category: Standards Track                                  December 2005

            Security Architecture for the Internet Protocol

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes an updated version of the "Security
   Architecture for IP", which is designed to provide security services
   for traffic at the IP layer.  This document obsoletes RFC 2401
   (November 1998).

Dedication

   This document is dedicated to the memory of Charlie Lynn, a long-time
   senior colleague at BBN, who made very significant contributions to
   the IPsec documents.

Kent & Seo                  Standards Track                     [Page 1]
RFC 4301              Security Architecture for IP         December 2005

Table of Contents

   1. Introduction ....................................................4
      1.1. Summary of Contents of Document ............................4
      1.2. Audience ...................................................4
      1.3. Related Documents ..........................................5
   2. Design Objectives ...............................................5
      2.1. Goals/Objectives/Requirements/Problem Description ..........5
      2.2. Caveats and Assumptions ....................................6
   3. System Overview .................................................7
      3.1. What IPsec Does ............................................7
      3.2. How IPsec Works ............................................9
      3.3. Where IPsec Can Be Implemented ............................10
   4. Security Associations ..........................................11
      4.1. Definition and Scope ......................................12
      4.2. SA Functionality ..........................................16
      4.3. Combining SAs .............................................17
      4.4. Major IPsec Databases .....................................18
           4.4.1. The Security Policy Database (SPD) .................19
                  4.4.1.1. Selectors .................................26
                  4.4.1.2. Structure of an SPD Entry .................30
                  4.4.1.3. More Regarding Fields Associated
                           with Next Layer Protocols .................32
           4.4.2. Security Association Database (SAD) ................34
                  4.4.2.1. Data Items in the SAD .....................36
                  4.4.2.2. Relationship between SPD, PFP
                           flag, packet, and SAD .....................38
           4.4.3. Peer Authorization Database (PAD) ..................43
                  4.4.3.1. PAD Entry IDs and Matching Rules ..........44
                  4.4.3.2. IKE Peer Authentication Data ..............45
                  4.4.3.3. Child SA Authorization Data ...............46
                  4.4.3.4. How the PAD Is Used .......................46
      4.5. SA and Key Management .....................................47
           4.5.1. Manual Techniques ..................................48
           4.5.2. Automated SA and Key Management ....................48
           4.5.3. Locating a Security Gateway ........................49
      4.6. SAs and Multicast .........................................50
   5. IP Traffic Processing ..........................................50
      5.1. Outbound IP Traffic Processing
           (protected-to-unprotected) ................................52
           5.1.1. Handling an Outbound Packet That Must Be
                  Discarded ..........................................54
           5.1.2. Header Construction for Tunnel Mode ................55
                  5.1.2.1. IPv4: Header Construction for
                           Tunnel Mode ...............................57
                  5.1.2.2. IPv6: Header Construction for
                           Tunnel Mode ...............................59
      5.2. Processing Inbound IP Traffic (unprotected-to-protected) ..59

Kent & Seo                  Standards Track                     [Page 2]
RFC 4301              Security Architecture for IP         December 2005
Show full document text
ISOC IETF Trust RFC Editor IRTF IESG IETF IAB IASA & IAOC IETF Tools IANA