IP Authentication Header
RFC 1826 IP Authentication Header August 1995
1.2 Requirements Terminology
In this document, the words that are used to define the significance
of each particular requirement are usually capitalised. These words
are:
- MUST
This word or the adjective "REQUIRED" means that the item is an
absolute requirement of the specification.
- SHOULD
This word or the adjective "RECOMMENDED" means that there might
exist valid reasons in particular circumstances to ignore this
item, but the full implications should be understood and the case
carefully weighed before taking a different course.
- MAY
This word or the adjective "OPTIONAL" means that this item is
truly optional. One vendor might choose to include the item
because a particular marketplace requires it or because it
enhances the product, for example; another vendor may omit the
same item.
2. KEY MANAGEMENT
Key management is an important part of the IP security architecture.
However, it is not integrated with this specification because of a
long history in the public literature of subtle flaws in key
management algorithms and protocols. The IP Authentication Header
tries to decouple the key management mechanisms from the security
protocol mechanisms. The only coupling between the key management
protocol and the security protocol is with the Security Parameters
Index (SPI), which is described in more detail below. This
decoupling permits several different key management mechanisms to be
used. More importantly, it permits the key management protocol to be
changed or corrected without unduly impacting the security protocol
implementations.
The key management mechanism is used to negotiate a number of
parameters for each "Security Association", including not only the
keys but also other information (e.g., the authentication algorithm
and mode) used by the communicating parties. The key management
mechanism creates and maintains a logical table containing the
several parameters for each current security association. An
implementation of the IP Authentication Header will need to read that
Atkinson Standards Track
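The table-and-SPI arrangement described in section 2 above, as an added illustration that is not part of RFC 1826: a key-management process installs Security Association parameters into a logical table, and the Authentication Header code reaches those parameters only through the (destination, SPI) pair, so the algorithm and key can be renegotiated without touching the AH logic. The algorithm choice (HMAC-SHA256), the class and function names, and the sample values are assumptions made for this example.

```python
# Added example (not from RFC 1826): a minimal Security Association table
# shared between key management (writer) and AH processing (reader).
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityAssociation:
    """Parameters key management negotiated for one association."""
    spi: int            # Security Parameters Index: the only value AH and
    dst: str            # key management share; dst address scopes the SPI
    algorithm: str      # negotiated authentication algorithm (assumed name)
    key: bytes          # negotiated key, opaque to AH


# Pluggable algorithm table; AH never hard-codes a specific primitive.
ALGORITHMS = {
    "hmac-sha256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
}


class SADatabase:
    """Logical table of current security associations, keyed by (dst, spi)."""

    def __init__(self):
        self._table = {}

    def install(self, sa):
        # Key management creates/replaces entries; a rekey is a new SA.
        self._table[(sa.dst, sa.spi)] = sa

    def lookup(self, dst, spi):
        return self._table.get((dst, spi))


def compute_authenticator(sa, data):
    """Authenticator over the covered data, using whatever the SA negotiated."""
    return ALGORITHMS[sa.algorithm](sa.key, data)


def verify_ah(sadb, dst, spi, data, received_auth):
    """AH receive-side check: resolve parameters via SPI, then compare."""
    sa = sadb.lookup(dst, spi)
    if sa is None:
        return False  # no association known for this SPI: cannot authenticate
    expected = compute_authenticator(sa, data)
    return hmac.compare_digest(expected, received_auth)
```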