RFC 2407 (rfc2407) - Page 2 of 32


The Internet IP Security Domain of Interpretation for ISAKMP



Alternative Format: Original Text Document



RFC 2407          IP Security Domain of Interpretation     November 1998


2. Introduction

   Within ISAKMP, a Domain of Interpretation is used to group related
   protocols using ISAKMP to negotiate security associations.  Security
   protocols sharing a DOI choose security protocol and cryptographic
   transforms from a common namespace and share key exchange protocol
   identifiers.  They also share a common interpretation of DOI-specific
   payload data content, including the Security Association and
   Identification payloads.

   Overall, ISAKMP places the following requirements on a DOI
   definition:

     o  define the naming scheme for DOI-specific protocol identifiers
     o  define the interpretation for the Situation field
     o  define the set of applicable security policies
     o  define the syntax for DOI-specific SA Attributes (Phase II)
     o  define the syntax for DOI-specific payload contents
     o  define additional Key Exchange types, if needed
     o  define additional Notification Message types, if needed

   The remainder of this document details the instantiation of these
   requirements for using the IP Security (IPSEC) protocols to provide
   authentication, integrity, and/or confidentiality for IP packets sent
   between cooperating host systems and/or firewalls.

   For a description of the overall IPSEC architecture, see [ARCH],
   [AH], and [ESP].

3. Terms and Definitions

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in [RFC 2119].

4.1 IPSEC Naming Scheme

   Within ISAKMP, all DOI's must be registered with the IANA in the
   "Assigned Numbers" RFC [STD-2].  The IANA Assigned Number for the
   Internet IP Security DOI (IPSEC DOI) is one (1).  Within the IPSEC
   DOI, all well-known identifiers MUST be registered with the IANA
   under the IPSEC DOI.  Unless otherwise noted, all tables within this
   document refer to IANA Assigned Numbers for the IPSEC DOI.  See
   Section 6 for further information relating to the IANA registry for
   the IPSEC DOI.

   All multi-octet binary values are stored in network byte order.




Piper                       Standards Track