
FROM RFC 2407 and RFC 2408
"Magic Numbers" for ISAKMP Protocol

(last updated 2009-04-22)

-IPSEC Situation Definition
-IPSEC Security Protocol Identifiers
-IPSEC ISAKMP Transform Identifiers
-IPSEC AH Transform Identifiers
-IPSEC ESP Transform Identifiers
-IPSEC IPCOMP Transform Identifiers
-IPSEC Security Association Attributes
  -Class Values Details
-IPSEC Labeled Domain Identifiers
-IPSEC Identification Type
-IPSEC Notify Message Types
-ISAKMP Domain of Interpretation (DOI)
-Next Payload Types

IPSEC Situation Definition
==========================

The Situation Definition is a 32-bit bitmask which represents the
environment under which the IPSEC SA proposal and negotiation is
carried out.  Requests for assignments of new situations must be
accompanied by an RFC which describes the interpretation for the
associated bit.

If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the situation value is
assigned.

Situation           Value               Reference
---------           -----               ---------
SIT_IDENTITY_ONLY    0x01               [RFC2407]
SIT_SECRECY          0x02               [RFC2407]
SIT_INTEGRITY        0x04               [RFC2407]

The upper two bits are reserved for private use amongst cooperating
systems.


IPSEC Security Protocol Identifiers
===================================

The Security Protocol Identifier is an 8-bit value which identifies a
security protocol suite being negotiated.  Requests for assignments of
new security protocol identifiers must be accompanied by an RFC which
describes the requested security protocol.  [AH] and [ESP] are
examples of security protocol documents.

If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the security protocol
identifier is assigned.

Protocol ID       Value               Reference
-----------       -----               ---------
RESERVED              0               [RFC2407]
PROTO_ISAKMP          1               [RFC2407]
PROTO_IPSEC_AH        2               [RFC2407]
PROTO_IPSEC_ESP       3               [RFC2407]
PROTO_IPCOMP          4               [RFC2407]
PROTO_GIGABEAM_RADIO  5               [RFC4705]

The values 249-255 are reserved for private use amongst cooperating
systems.


IPSEC ISAKMP Transform Identifiers
==================================

The IPSEC ISAKMP Transform Identifier is an 8-bit value which
identifies a key exchange protocol to be used for the negotiation.
Requests for assignments of new ISAKMP transform identifiers must be
accompanied by an RFC which describes the requested key exchange
protocol.  [IKE] is an example of one such document.

If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.

Transform       Value               Reference
---------       -----               ---------
RESERVED            0               [RFC2407]
KEY_IKE             1               [RFC2407]

The values 249-255 are reserved for private use amongst cooperating
systems.


IPSEC AH Transform Identifiers
==============================

The IPSEC AH Transform Identifier is an 8-bit value which identifies a
particular algorithm to be used to provide integrity protection for
AH.  Requests for assignments of new AH transform identifiers must be
accompanied by an RFC which describes how to use the algorithm within
the AH framework ([AH]).

If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.

Transform ID       Value        Reference
------------       -----        ---------
RESERVED             0-1        [RFC2407]
AH_MD5                 2        [RFC2407]
AH_SHA                 3        [RFC2407]
AH_DES                 4        [RFC2407]
AH_SHA2-256            5        [Leech][RFC4868]
AH_SHA2-384            6        [Leech][RFC4868]
AH_SHA2-512            7        [Leech][RFC4868]
AH_RIPEMD              8        [RFC2857]
AH_AES-XCBC-MAC        9        [RFC3566]
AH_RSA                10        [RFC4359]

The values 249-255 are reserved for private use amongst cooperating
systems.


IPSEC ESP Transform Identifiers
===============================

The IPSEC ESP Transform Identifier is an 8-bit value which identifies
a particular algorithm to be used to provide secrecy protection for
ESP.  Requests for assignments of new ESP transform identifiers must
be accompanied by an RFC which describes how to use the algorithm
within the ESP framework ([ESP]).

If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.

Transform ID         Value              Reference
------------         -----              ---------
RESERVED                 0              [RFC2407]
ESP_DES_IV64             1              [RFC2407]
ESP_DES                  2              [RFC2407]
ESP_3DES                 3              [RFC2407]
ESP_RC5                  4              [RFC2407]
ESP_IDEA                 5              [RFC2407]
ESP_CAST                 6              [RFC2407]
ESP_BLOWFISH             7              [RFC2407]
ESP_3IDEA                8              [RFC2407]
ESP_DES_IV32             9              [RFC2407]
ESP_RC4                 10              [RFC2407]
ESP_NULL                11              [RFC2407]
ESP_AES-CBC             12              [RFC3602]
ESP_AES-CTR             13              [RFC3686]
ESP_AES-CCM_8           14              [RFC4309]
ESP_AES-CCM_12          15              [RFC4309]
ESP_AES-CCM_16          16              [RFC4309]
Unassigned              17
ESP_AES-GCM_8           18              [RFC4106]
ESP_AES-GCM_12          19              [RFC4106]
ESP_AES-GCM_16          20              [RFC4106]
ESP_SEED_CBC            21              [RFC4196]
ESP_CAMELLIA            22              [RFC4312]

The values 249-255 are reserved for private use amongst cooperating
systems.

IPSEC IPCOMP Transform Identifiers
==================================

The IPSEC IPCOMP Transform Identifier is an 8-bit value which
identifies a particular algorithm to be used to provide IP-level
compression before ESP.  Requests for assignments of new IPCOMP
transform identifiers must be accompanied by an RFC which describes
how to use the algorithm within the IPCOMP framework ([IPCOMP]).  In
addition, the requested algorithm must be published and in the public
domain.

If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.

Transform ID       Value        Reference
------------       -----        ---------
RESERVED             0          [RFC2407]
IPCOMP_OUI           1          [RFC2407]
IPCOMP_DEFLATE       2          [RFC2407]
IPCOMP_LZS           3          [RFC2407]
IPCOMP_LZJH          4          [RFC3051]

The values 1-47 are reserved for algorithms for which an RFC has been
approved for publication.  The values 48-63 are reserved for private
use amongst cooperating systems.  The values 64-255 are reserved for
future expansion.


IPSEC Security Association Attributes
=====================================

The IPSEC Security Association Attribute consists of a 16-bit type and
its associated value.  IPSEC SA attributes are used to pass
miscellaneous values between ISAKMP peers.  Requests for assignments
of new IPSEC SA attributes must be accompanied by an Internet Draft
which describes the attribute encoding (Basic/Variable-Length) and its
legal values.  Section 4.5 of [RFC2407] provides an example of such a
description.

	Attribute Types

Class                              Value     Type        Reference
-----                              -----     ----        ---------
SA Life Type                         1        B          [RFC2407]
SA Life Duration                     2        V          [RFC2407]
Group Description                    3        B          [RFC2407]
Encapsulation Mode                   4        B          [RFC2407]
Authentication Algorithm             5        B          [RFC2407]
Key Length                           6        B          [RFC2407]
Key Rounds                           7        B          [RFC2407]
Compress Dictionary Size             8        B          [RFC2407]
Compress Private Algorithm           9        V          [RFC2407]
ECN Tunnel                          10        B          [RFC3168]
Extended (64-bit) Sequence Number   11        B          [RFC4304]
Authentication Key Length           12        V          [RFC4359]
Signature Encoding Algorithm        13        B          [RFC4359]

The values 32001-32767 are reserved for private use amongst
cooperating systems.

Class Values Details

  SA Life Type Values

    Name            Value           Reference
    ----            -----           ---------
    Reserved        0               [RFC2407]
    seconds         1               [RFC2407]
    kilobytes       2               [RFC2407]

    Values 3-61439 are reserved to IANA.  Values 61440-65535 are
    for private use.

  Group Description(?)

  Encapsulation Mode

    Name                      Value             Reference
    ----                      -----             ---------
    Reserved                    0               [RFC2407]
    Tunnel                      1               [RFC2407]
    Transport                   2               [RFC2407]
    UDP-Encapsulated-Tunnel     3               [RFC3947]
    UDP-Encapsulated-Transport  4               [RFC3947]

    Values 3-61439 are reserved to IANA.  Values 61440-65535 are
    for private use.

  Authentication Algorithm

    Name            Value           Reference
    ----            -----           ---------
    Reserved        0               [RFC2407]
    HMAC-MD5        1               [RFC2407]
    HMAC-SHA        2               [RFC2407]
    DES-MAC         3               [RFC2407]
    KPDK            4               [RFC2407]
    HMAC-SHA2-256   5               [Leech]
    HMAC-SHA2-384   6               [Leech]
    HMAC-SHA2-512   7               [Leech]
    HMAC-RIPEMD     8               [RFC2857]
    AES-XCBC-MAC    9               [RFC3566]
    SIG-RSA         10              [RFC4359]

    Values 11-61439 are reserved to IANA.  Values 61440-65535 are
    for private use.

  Key Length

    Name            Value           Reference
    ----            -----           ---------
    Reserved        0               [RFC2407]

  Key Rounds

    Name            Value           Reference
    ----            -----           ---------
    Reserved        0               [RFC2407]

  Compression Dictionary Size

    Name            Value           Reference
    ----            -----           ---------
    Reserved        0               [RFC2407]

  Compression Private Algorithm(?)

  ECN Tunnel

    Name            Value           Reference
    ----            -----           ---------
    RESERVED        0               [RFC3168]
    Allowed         1               [RFC3168]
    Forbidden       2               [RFC3168]

    Values 3-61439 are reserved to IANA.  Values 61440-65535 are
    for private use.
    If unspecified, the default shall be assumed to be Forbidden.

  Extended (64-bit) Sequence Number

    Name                    Value           Reference
    ----                    -----           ---------
    RESERVED                0               [RFC4304]
    64-bit Sequence Number  1               [RFC4304]

  Signature Encoding Algorithm Values - per [RFC4359]

    Name                Value           Reference
    ----                -----           ---------
    Reserved            0               [RFC4359]
    RSASSA-PKCS1-v1_5   1               [RFC4359]
    RSASSA-PSS          2               [RFC4359]
    Reserved to IANA    3-61439         (Standards Action)
    Private Use         61440-65535

IPSEC Labeled Domain Identifiers
================================

The IPSEC Labeled Domain Identifier is a 32-bit value which identifies
a namespace in which the Secrecy and Integrity levels and categories
values are said to exist.  Requests for assignments of new IPSEC
Labeled Domain Identifiers should be granted on demand.  No
accompanying documentation is required, though Internet Drafts are
encouraged when appropriate.

Domain            Value           Reference
------            -----           ---------
Reserved          0               [RFC2407]

The values 0x80000000-0xffffffff are reserved for private use amongst
cooperating systems.


IPSEC Identification Type
=========================

The IPSEC Identification Type is an 8-bit value which is used as a
discriminant for interpretation of the variable-length Identification
Payload.  Requests for assignments of new IPSEC Identification Types
must be accompanied by an RFC which describes how to use the
identification type within IPSEC.

If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the identification type is
assigned.

ID Type                 Value    Reference
-------                 -----    ---------
RESERVED                  0      [RFC2407]
ID_IPV4_ADDR              1      [RFC2407]
ID_FQDN                   2      [RFC2407]
ID_USER_FQDN              3      [RFC2407]
ID_IPV4_ADDR_SUBNET       4      [RFC2407]
ID_IPV6_ADDR              5      [RFC2407]
ID_IPV6_ADDR_SUBNET       6      [RFC2407]
ID_IPV4_ADDR_RANGE        7      [RFC2407]
ID_IPV6_ADDR_RANGE        8      [RFC2407]
ID_DER_ASN1_DN            9      [RFC2407]
ID_DER_ASN1_GN           10      [RFC2407]
ID_KEY_ID                11      [RFC2407]
ID_LIST                  12      [RFC3554]

The values 249-255 are reserved for private use amongst cooperating
systems.


IPSEC Notify Message Types
==========================

The IPSEC Notify Message Type is a 16-bit value taken from the range
of values reserved by ISAKMP for each DOI.  There is one range for
error messages (8192-16383) and a different range for status messages
(24576-32767).  Requests for assignments of new Notify Message Types
must be accompanied by an Internet Draft which describes how to use
the identification type within IPSEC.

Notify Messages - Error Types   Value           Reference
-----------------------------   -----           ---------
Reserved                        8192            [RFC2407]


Notify Messages - Status Types  Value           Reference
------------------------------  -----           ---------
RESPONDER-LIFETIME              24576           [RFC2407]
REPLAY-STATUS                   24577           [RFC2407]
INITIAL-CONTACT                 24578           [RFC2407]

The values 16001-16383 and the values 32001-32767 are reserved for
private use amongst cooperating systems.


Registry Name: ISAKMP Domain of Interpretation (DOI)
Reference: [RFC2408]
Registration Procedures: Standards-track RFC

Note:
The Domain of Interpretation is a 32-bit value which identifies the
context in which the Security Association payload is to be evaluated.
Requests for assignments of new domain of interpretation identifiers
must be accompanied by a public specification, such as an Internet RFC.

Registry:
Value  DOI            Reference
-----  -------------  ---------
0      ISAKMP         [RFC2408]
1      IPSEC          [RFC2407]
2      GDOI           [RFC3547]


Registry Name: Next Payload Types
Reference: [RFC2408]
Range     Registration Procedures
--------  -----------------------------------------------------
0-127     IETF Review
128-255   Reserved for private use amongst cooperating systems

Note:
The Next Payload type is an 8-bit value that indicates the type of the
next payload in the message.

Registry:
Value     Next Payload Type                   Reference
--------  ----------------------------------  ---------
0         NONE                                [RFC2408]
1         Security Association (SA)           [RFC2408]
2         Proposal (P)                        [RFC2408]
3         Transform (T)                       [RFC2408]
4         Key Exchange (KE)                   [RFC2408]
5         Identification (ID)                 [RFC2408]
6         Certificate (CERT)                  [RFC2408]
7         Certificate Request (CR)            [RFC2408]
8         Hash (HASH)                         [RFC2408]
9         Signature (SIG)                     [RFC2408]
10        Nonce (NONCE)                       [RFC2408]
11        Notification (N)                    [RFC2408]
12        Delete (D)                          [RFC2408]
13        Vendor ID (VID)                     [RFC2408]
14        Reserved, not to be used            [Dukes]
15        SA KEK Payload (SAK)                [RFC3547]
16        SA TEK Payload (SAT)                [RFC3547]
17        Key Download (KD)                   [RFC3547]
18        Sequence Number (SEQ)               [RFC3547]
19        Proof of Possession (POP)           [RFC3547]
20        NAT Discovery (NAT-D)               [RFC3947]
21        NAT Original Address (NAT-OA)       [RFC3947]
22-127    Unassigned
128-255   Reserved for private use


References
----------

[RFC2407] Piper, D., "The Internet IP Security Domain of
          Interpretation for ISAKMP", RFC 2407, Network Alchemy,
          November 1998.

[RFC2408] Maughan, D., Schertler, M., Schneider, M., and J. Turner,
          "Internet Security Association and Key Management Protocol
          (ISAKMP)", RFC 2408, November 1998.

[RFC2857] Keromytis, A. and N. Provos, "The Use of HMAC-RIPEMD-160-96
          within ESP and AH", RFC 2857, June 2000.

[RFC3051] Heath, J. and J. Border, "IP Payload Compression Using ITU-T
          V.44 Packet Method", RFC 3051, January 2001.

[RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition of
          Explicit Congestion Notification (ECN) to IP", RFC 3168,
          September 2001.

[RFC3547] Baugher, M., Hardjono, T., Harney, H., and B. Weis,
          "The Group Domain of Interpretation", RFC 3547, July 2003.

[RFC3554] Bellovin, S., Ioannidis, J., Keromytis, A., and R. Stewart,
          "On the Use of SCTP with IPsec", RFC 3554, July 2003.

[RFC3566] Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96 Algorithm
          and Its Use With IPsec", RFC 3566, September 2003.

[RFC3602] Frankel, S., Kelly, S., and R. Glenn, "The AES Cipher
          Algorithm and Its Use With IPsec", RFC 3602, September 2003.

[RFC3686] Housley, R., "Using AES Counter Mode With IPsec ESP",
          RFC 3686, January 2004.

[RFC3947] Kivinen, T., Huttunen, A., Swander, B., and V. Volpe,
          "Negotiation of NAT-Traversal in the IKE", RFC 3947,
          January 2005.

[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
          (GCM) in IPsec ESP", RFC 4106, June 2005.

[RFC4196] Lee, H., Yoon, J., Lee, S., and J. Lee, "The SEED Cipher
          Algorithm and Its Use With IPSec", RFC 4196, October 2005.

[RFC4304] Kent, S., "Extended Sequence Number Addendum to IPsec DOI
          for ISAKMP", RFC 4304, December 2005.

[RFC4309] Housley, R., "Using AES CCM Mode With IPsec ESP", RFC 4309,
          December 2005.

[RFC4312] Kato, A., Moriai, S., and M. Kanda, "The Camellia Cipher
          Algorithm and Its Use With IPsec", RFC 4312, December 2005.

[RFC4359] Weis, B., "The Use of RSA/SHA-1 Signatures within ESP and
          AH", RFC 4359, January 2006.

[RFC4705] Housley, R. and A. Corry, "GigaBeam High-Speed Radio Link
          Encryption", RFC 4705, October 2006.

[RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-384,
          and HMAC-SHA-512 with IPsec", RFC 4868, May 2007.

People
------
[Dukes] Darren Dukes, <ddukes&cisco.com>, March 2001.

[Leech] Marcus Leech, <mleech&nortelnetworks.com>, October 2000.