Contents Previous Next

IPSEC RFCs and related documents

The RFCs.tar.gz Distribution File

The Linux FreeS/WAN distribution is available from:

our primary distribution site and various mirror sites. To give people more control over their downloads, the RFCs that define IP security are bundled separately in the file RFCs.tar.gz.

The file you are reading is included in the main distribution and is available on the web site. It describes the RFCs included in the RFCs.tar.gz bundle and gives some pointers to other ways to get them.

Other sources for RFCs & Internet drafts

RFCs

RFCs are downloadble at many places around the net such as:

browsable in HTML form at others such as:

and some of them are available in translation:

There is also a published Big Book of IPSEC RFCs.

Internet Drafts

Internet Drafts, working documents which sometimes evolve into RFCs, are also available.

Note: some of these may be obsolete, replaced by later drafts or by RFCs.

FIPS standards

Some things used by IPSEC, such as DES and SHA, are defined by US government standards called FIPS. The issuing organisation, NIST , have a FIPS home page .

Document CDs

At least one vendor sells CD-ROMs of RFCs and Internet Drafts:

Note: The 2401-2412 group of IPSEC RFCs were issued in late November 1998, and the 2535-2539 group on Secure DNS in March 1999, so an older CD may not be particularly useful if these areas are your main concern.

What's in the RFCs.tar.gz bundle?

All filenames are of the form rfc*.txt, with the * replaced with the RFC number.

RFC#        Title

Overview RFCs

2401        Security Architecture for the Internet Protocol
2411        IP Security Document Roadmap

Basic protocols

2402        IP Authentication Header
2406        IP Encapsulating Security Payload (ESP)

Key management

2367        PF_KEY Key Management API, Version 2
2407        The Internet IP Security Domain of Interpretation for ISAKMP
2408        Internet Security Association and Key Management Protocol (ISAKMP)
2409        The Internet Key Exchange (IKE)
2412        The OAKLEY Key Determination Protocol
2528        Internet X.509 Public Key Infrastructure

Details of various things used

2085        HMAC-MD5 IP Authentication with Replay Prevention
2104        HMAC: Keyed-Hashing for Message Authentication
2202        Test Cases for HMAC-MD5 and HMAC-SHA-1
2207        RSVP Extensions for IPSEC Data Flows
2403        The Use of HMAC-MD5-96 within ESP and AH
2404        The Use of HMAC-SHA-1-96 within ESP and AH
2405        The ESP DES-CBC Cipher Algorithm With Explicit IV
2410        The NULL Encryption Algorithm and Its Use With IPsec
2451        The ESP CBC-Mode Cipher Algorithms
2521        ICMP Security Failures Messages

Older RFCs which may be referenced

1321        The MD5 Message-Digest Algorithm
1828        IP Authentication using Keyed MD5
1829        The ESP DES-CBC Transform
1851        The ESP Triple DES Transform
1852        IP Authentication using Keyed SHA

RFCs for secure DNS service, which IPSEC may use

2137        Secure Domain Name System Dynamic Update
2230        Key Exchange Delegation Record for the DNS
2535        Domain Name System Security Extensions
2536        DSA KEYs and SIGs in the Domain Name System (DNS)
2537        RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
2538        Storing Certificates in the Domain Name System (DNS)
2539        Storage of Diffie-Hellman Keys in the Domain Name System (DNS)

RFCs labelled "experimental"

2521        ICMP Security Failures Messages
2522        Photuris: Session-Key Management Protocol
2523        Photuris: Extended Schemes and Attributes

Related RFCs

1750        Randomness Recommendations for Security
1918        Address Allocation for Private Internets
1984        IAB and IESG Statement on Cryptographic Technology and the Internet
2144        The CAST-128 Encryption Algorithm

Contents Previous Next