The Internet IP Security Domain of Interpretation for ISAKMP (RFC2407)
Original Publication Date: 1998-Nov-01
Included in the Prior Art Database: 2019-Feb-11
Internet Society Requests For Comment (RFCs)
This document defines the Internet IP Security DOI (IPSEC DOI), which instantiates ISAKMP for use with IP when IP uses ISAKMP to negotiate security associations. [STANDARDS-TRACK]
Network Working Group                                           D. Piper
Request for Comments: 2407                               Network Alchemy
Category: Standards Track                                  November 1998
The Internet IP Security Domain of Interpretation for ISAKMP
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (1998). All Rights Reserved.
Section 4.4.4.2 states, "All implementations within the IPSEC DOI MUST support ESP_DES...". Recent work in the area of cryptanalysis suggests that DES may not be sufficiently strong for many applications. Therefore, it is very likely that the IETF will deprecate the use of ESP_DES as a mandatory cipher suite in the near future. It will remain as an optional use protocol. Although the IPsec working group and the IETF in general have not settled on an alternative algorithm (taking into account concerns of security and performance), implementers may want to heed the recommendations of section 4.4.4.3 on the use of ESP_3DES.
The Internet Security Association and Key Management Protocol (ISAKMP) defines a framework for security association management and cryptographic key establishment for the Internet. This framework consists of defined exchanges, payloads, and processing guidelines that occur within a given Domain of Interpretation (DOI). This document defines the Internet IP Security DOI (IPSEC DOI), which instantiates ISAKMP for use with IP when IP uses ISAKMP to negotiate security associations.
For a list of changes since the previous version of the IPSEC DOI, please see Section 7.
Piper Standards Track [Page 1]
RFC 2407 IP Security Domain of Interpretation November 1998
Within ISAKMP, a Domain of Interpretation is used to group related protocols using ISAKMP to negotiate security associations. Security protocols sharing a DOI choose security protocol and cryptographic transforms from a common namespace and share key exchange protocol identifiers. They also share a common interpretation of DOI-specific payload data content, including the Security Association and Identification payloads.
Overall, ISAKMP places the following requirements on a DOI definition:
o define the naming scheme for DOI-specific protocol identifiers
o define the interpretation for the Situation field
o define the set of applicable security policies
o define the syntax for DOI-specific SA Attributes (Phase II)
o define the syntax for DOI-specific payload contents
o define additional Key Exchange types, if needed
o define additional Notification Message types, if needed
The remainder of this document details the instantiation of these requirements for using the IP Security (IPSEC) protocols to provide authentication, integrity, and/or c...