"Magic Numbers" for ISAKMP Protocol (last updated 2012-01-06) Registries included below: - IPSEC Situation Definition - IPSEC Security Protocol Identifiers - IPSEC ISAKMP Transform Identifiers - IPSEC AH Transform Identifiers - IPSEC ESP Transform Identifiers - IPSEC IPCOMP Transform Identifiers - IPSEC Security Association Attributes - Class Values Details - IPSEC Labeled Domain Identifiers - IPSEC Identification Type - IPSEC Notify Message Types Registry Name: IPSEC Situation Definition Reference: [RFC2407] Registration Procedures: Standards Track RFC Note: The Situation Definition is a 32-bit bitmask which represents the environment under which the IPSEC SA proposal and negotiation is carried out. Requests for assignments of new situations must be accompanied by an RFC which describes the interpretation for the associated bit. If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned. The upper two bits are reserved for private use amongst cooperating systems. Registry: Value Situation Reference ------ ------------------------- --------- 0x01 SIT_IDENTITY_ONLY [RFC2407] 0x02 SIT_SECRECY [RFC2407] 0x04 SIT_INTEGRITY [RFC2407] Registry Name: IPSEC Security Protocol Identifiers Reference: [RFC2407] Range Registration Procedures Notes --------- ----------------------------- ---------------------------- 0-248 Standards Track RFC 249-255 Reserved for private use Amongst cooperating systems. Note: The Security Protocol Identifier is an 8-bit value which identifies a security protocol suite being negotiated. Requests for assignments of new security protocol identifiers must be accompanied by an RFC which describes the requested security protocol. [AH] and [ESP] are examples of security protocol documents. 
If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.

Registry:
Value    Protocol ID                   Reference
-------  ----------------------------  ---------
0        RESERVED                      [RFC2407]
1        PROTO_ISAKMP                  [RFC2407]
2        PROTO_IPSEC_AH                [RFC2407]
3        PROTO_IPSEC_ESP               [RFC2407]
4        PROTO_IPCOMP                  [RFC2407]
5        PROTO_GIGABEAM_RADIO          [RFC4705]
6-248    Unassigned
249-255  Reserved for private use


Registry Name: IPSEC ISAKMP Transform Identifiers
Reference: [RFC2407]

Range      Registration Procedures        Notes
---------  -----------------------------  ----------------------------
0-248      Standards Track RFC
249-255    Reserved for private use       Amongst cooperating systems.

Note:
The IPSEC ISAKMP Transform Identifier is an 8-bit value which
identifies a key exchange protocol to be used for the negotiation.
Requests for assignments of new ISAKMP transform identifiers must be
accompanied by an RFC which describes the requested key exchange
protocol. [IKE] is an example of one such document.

If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.

Registry:
Value    Transform                    Reference
-------  ---------------------------  ---------
0        RESERVED                     [RFC2407]
1        KEY_IKE                      [RFC2407]
2-248    Unassigned
249-255  Reserved for private use


Registry Name: IPSEC AH Transform Identifiers
Reference: [RFC2407]

Range      Registration Procedures        Notes
---------  -----------------------------  ----------------------------
0-248      Standards Track RFC
249-255    Reserved for private use       Amongst cooperating systems.

Note:
The IPSEC AH Transform Identifier is an 8-bit value which identifies a
particular algorithm to be used to provide integrity protection for AH.
Requests for assignments of new AH transform identifiers must be
accompanied by an RFC which describes how to use the algorithm within
the AH framework ([AH]).

If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.

Registry:
Value     Transform ID                     Reference
--------  -------------------------------  ---------------------
0-1       RESERVED                         [RFC2407]
2         AH_MD5                           [RFC2407]
3         AH_SHA                           [RFC2407]
4         AH_DES                           [RFC2407]
5         AH_SHA2-256                      [Leech][RFC4868]
6         AH_SHA2-384                      [Leech][RFC4868]
7         AH_SHA2-512                      [Leech][RFC4868]
8         AH_RIPEMD                        [RFC2857]
9         AH_AES-XCBC-MAC                  [RFC3566]
10        AH_RSA                           [RFC4359]
11        AH_AES-128-GMAC                  [RFC4543][Errata1821]
12        AH_AES-192-GMAC                  [RFC4543][Errata1821]
13        AH_AES-256-GMAC                  [RFC4543][Errata1821]
14-248    Unassigned
249-255   Reserved for private use


Registry Name: IPSEC ESP Transform Identifiers
Reference: [RFC2407]

Range      Registration Procedures        Notes
---------  -----------------------------  ----------------------------
0-248      Standards Track RFC
249-255    Reserved for private use       Amongst cooperating systems.

Note:
The IPSEC ESP Transform Identifier is an 8-bit value which identifies a
particular algorithm to be used to provide secrecy protection for ESP.
Requests for assignments of new ESP transform identifiers must be
accompanied by an RFC which describes how to use the algorithm within
the ESP framework ([ESP]).

If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.

Registry:
Value     Transform ID                     Reference
--------  -------------------------------  ---------------------
0         RESERVED                         [RFC2407]
1         ESP_DES_IV64                     [RFC2407]
2         ESP_DES                          [RFC2407]
3         ESP_3DES                         [RFC2407]
4         ESP_RC5                          [RFC2407]
5         ESP_IDEA                         [RFC2407]
6         ESP_CAST                         [RFC2407]
7         ESP_BLOWFISH                     [RFC2407]
8         ESP_3IDEA                        [RFC2407]
9         ESP_DES_IV32                     [RFC2407]
10        ESP_RC4                          [RFC2407]
11        ESP_NULL                         [RFC2407]
12        ESP_AES-CBC                      [RFC3602]
13        ESP_AES-CTR                      [RFC3686]
14        ESP_AES-CCM_8                    [RFC4309]
15        ESP_AES-CCM_12                   [RFC4309]
16        ESP_AES-CCM_16                   [RFC4309]
17        Unassigned
18        ESP_AES-GCM_8                    [RFC4106]
19        ESP_AES-GCM_12                   [RFC4106]
20        ESP_AES-GCM_16                   [RFC4106]
21        ESP_SEED_CBC                     [RFC4196]
22        ESP_CAMELLIA                     [RFC4312]
23        ESP_NULL_AUTH_AES-GMAC           [RFC4543][Errata1821]
24-248    Unassigned
249-255   Reserved for private use


Registry Name: IPSEC IPCOMP Transform Identifiers
Reference: [RFC2407]

Range      Registration Procedures             Notes
---------  ----------------------------------  --------------------------------------
1-47       Reserved for approved algorithms    RFC has been approved for publication.
48-63      Reserved for private use            Amongst cooperating systems.
64-255     Standards Track RFC

Note:
The IPSEC IPCOMP Transform Identifier is an 8-bit value which
identifies a particular algorithm to be used to provide IP-level
compression before ESP. Requests for assignments of new IPCOMP
transform identifiers must be accompanied by an RFC which describes how
to use the algorithm within the IPCOMP framework ([IPCOMP]). In
addition, the requested algorithm must be published and in the public
domain.

If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.

Registry:
Value    Transform ID                        Reference
-------  ----------------------------------  ---------
0        RESERVED                            [RFC2407]
1        IPCOMP_OUI                          [RFC2407]
2        IPCOMP_DEFLATE                      [RFC2407]
3        IPCOMP_LZS                          [RFC2407]
4        IPCOMP_LZJH                         [RFC3051]
5-47     Reserved for approved algorithms
48-63    Reserved for private use
64-255   Unassigned


Registry Name: IPSEC Security Association Attributes
Reference: [RFC2407]

Range          Registration Procedures         Notes
-------------  ------------------------------  ----------------------------
1-32000        Specification Required
32001-32767    Reserved for private use        Amongst cooperating systems.

Note:
The IPSEC Security Association Attribute consists of a 16-bit type and
its associated value. IPSEC SA attributes are used to pass
miscellaneous values between ISAKMP peers. Requests for assignments of
new IPSEC SA attributes must be accompanied by an Internet Draft which
describes the attribute encoding (Basic/Variable-Length) and its legal
values. Section 4.5 of this document provides an example of such a
description.

Registry:
Value         Type  Class                                Reference
------------  ----  -----------------------------------  ---------
1             B     SA Life Type                         [RFC2407]
2             V     SA Life Duration                     [RFC2407]
3             B     Group Description                    [RFC2407]
4             B     Encapsulation Mode                   [RFC2407]
5             B     Authentication Algorithm             [RFC2407]
6             B     Key Length                           [RFC2407]
7             B     Key Rounds                           [RFC2407]
8             B     Compress Dictionary Size             [RFC2407]
9             V     Compress Private Algorithm           [RFC2407]
10            B     ECN Tunnel                           [RFC3168]
11            B     Extended (64-bit) Sequence Number    [RFC4304]
12            V     Authentication Key Length            [RFC4359]
13            B     Signature Encoding Algorithm         [RFC4359]
14            B     Address Preservation                 [RFC6407]
15            B     SA Direction                         [RFC6407]
16-32000            Unassigned
32001-32767         Reserved for private use


Sub-registry: SA Life Type Values (Value 1)
Reference: [RFC2407]

Range         Registration Procedures         Notes
------------  ------------------------------  -----
1-61439       Specification Required
61440-65535   Reserved for private use

Registry:
Value         Name                          Reference
------------  ----------------------------  ---------
0             Reserved                      [RFC2407]
1             seconds                       [RFC2407]
2             kilobytes                     [RFC2407]
3-61439       Unassigned
61440-65535   Reserved for private use


Sub-registry: Group Description (Value 3)

Note:
Please refer to the registry Group Description (Value 4) at
http://www.iana.org/assignments/ipsec-registry


Sub-registry: Encapsulation Mode (Value 4)
Reference: [RFC2407]

Range         Registration Procedures         Notes
------------  ------------------------------  -----
0-61439       Specification Required
61440-65535   Reserved for private use

Registry:
Value         Name                                  Reference
------------  ------------------------------------  ---------
0             Reserved                              [RFC2407]
1             Tunnel                                [RFC2407]
2             Transport                             [RFC2407]
3             UDP-Encapsulated-Tunnel               [RFC3947]
4             UDP-Encapsulated-Transport            [RFC3947]
5-61439       Unassigned
61440-65535   Reserved for private use


Sub-registry: Authentication Algorithm (Value 5)
Reference: [RFC2407]

Range         Registration Procedures         Notes
------------  ------------------------------  -----
3-61439       Specification Required
61440-65535   Reserved for private use

Registry:
Value         Name                            Reference
------------  ------------------------------  ---------------------
0             Reserved                        [RFC2407]
1             HMAC-MD5                        [RFC2407]
2             HMAC-SHA                        [RFC2407]
3             DES-MAC                         [RFC2407]
4             KPDK                            [RFC2407]
5             HMAC-SHA2-256                   [Leech]
6             HMAC-SHA2-384                   [Leech]
7             HMAC-SHA2-512                   [Leech]
8             HMAC-RIPEMD                     [RFC2857]
9             AES-XCBC-MAC                    [RFC3566]
10            SIG-RSA                         [RFC4359]
11            AES-128-GMAC                    [RFC4543][Errata1821]
12            AES-192-GMAC                    [RFC4543][Errata1821]
13            AES-256-GMAC                    [RFC4543][Errata1821]
14-61439      Unassigned
61440-65535   Reserved for private use


Sub-registry: Compression Private Algorithm (Value 9)
Reference: [RFC2407]
Registration Procedures: IANA does not assign

Note:
Specifies a private vendor compression algorithm. The first three (3)
octets must be an IEEE assigned company_id (OUI). The next octet may be
a vendor specific compression subtype, followed by zero or more octets
of vendor data.

Registry:
Value  Description       Reference
-----  ----------------  ---------
There are no registrations at this time


Sub-registry: ECN Tunnel (Value 10)
Reference: [RFC3168]

Range         Registration Procedures         Notes
------------  ------------------------------  -----
0-61439       Specification Required
61440-65535   Reserved for private use

Note:
If unspecified, the default shall be assumed to be Forbidden.

Registry:
Value         Name                          Reference
------------  ----------------------------  ---------
0             Reserved                      [RFC3168]
1             Allowed                       [RFC3168]
2             Forbidden                     [RFC3168]
3-61439       Unassigned
61440-65535   Reserved for private use


Sub-registry: Extended (64-bit) Sequence Number (Value 11)
Reference: [RFC4304]
Registration Procedures: No additional class values will be assigned
for this attribute.

Registry:
Value  Name                         Reference
-----  ---------------------------  ---------
0      RESERVED                     [RFC4304]
1      64-bit Sequence Number       [RFC4304]


Sub-registry: Signature Encoding Algorithm Values (Value 13)
Reference: [RFC4359]

Range         Registration Procedures         Notes
------------  ------------------------------  -----
0-61439       Standards Action
61440-65535   Reserved for private use

Registry:
Value         Name                          Reference
------------  ----------------------------  ---------
0             Reserved                      [RFC4359]
1             RSASSA-PKCS1-v1_5             [RFC4359]
2             RSASSA-PSS                    [RFC4359]
3-61439       Unassigned
61440-65535   Reserved for private use


Sub-registry: Address Preservation (Value 14)
Reference: [RFC6407]
Registration Procedures: Standards Action

Value        Name                    Reference
-----------  ----------------------  ---------
0            Reserved                [RFC6407]
1            None                    [RFC6407]
2            Source-Only             [RFC6407]
3            Destination-Only        [RFC6407]
4            Source-and-Destination  [RFC6407]
5-61439      Unassigned
61440-65535  Private Use             [RFC6407]


Sub-registry: SA Direction (Value 15)
Reference: [RFC6407]
Registration Procedures: Standards Action

Value        Name            Reference
-----------  --------------  ---------
0            Reserved        [RFC6407]
1            Sender-Only     [RFC6407]
2            Receiver-Only   [RFC6407]
3            Symmetric       [RFC6407]
4-61439      Unassigned      [RFC6407]
61440-65535  Private Use     [RFC6407]


Registry Name: IPSEC Labeled Domain Identifiers
Reference: [RFC2407]
Registration Procedures: First come first serve

Note:
The IPSEC Labeled Domain Identifier is a 32-bit value which identifies
a namespace in which the Secrecy and Integrity levels and categories
values are said to exist. Requests for assignments of new IPSEC Labeled
Domain Identifiers should be granted on demand. No accompanying
documentation is required, though Internet Drafts are encouraged when
appropriate.

Registry:
Value                   Domain                        Reference
----------------------  ----------------------------  ---------
0                       Reserved                      [RFC2407]
0x80000000-0xffffffff   Reserved for private use


Registry Name: IPSEC Identification Type
Reference: [RFC2407]

Range      Registration Procedures         Notes
---------  ------------------------------  -----
0-248      RFC
249-255    Reserved for private use

Note:
The IPSEC Identification Type is an 8-bit value which is used as a
discriminant for interpretation of the variable-length Identification
Payload. Requests for assignments of new IPSEC Identification Types
must be accompanied by an RFC which describes how to use the
identification type within IPSEC.

If the RFC is not on the standards-track (i.e., it is an informational
or experimental RFC), it must be explicitly reviewed and approved by
the IESG before the RFC is published and the transform identifier is
assigned.

Registry:
Value     ID Type                       Reference
--------  ----------------------------  ---------
0         RESERVED                      [RFC2407]
1         ID_IPV4_ADDR                  [RFC2407]
2         ID_FQDN                       [RFC2407]
3         ID_USER_FQDN                  [RFC2407]
4         ID_IPV4_ADDR_SUBNET           [RFC2407]
5         ID_IPV6_ADDR                  [RFC2407]
6         ID_IPV6_ADDR_SUBNET           [RFC2407]
7         ID_IPV4_ADDR_RANGE            [RFC2407]
8         ID_IPV6_ADDR_RANGE            [RFC2407]
9         ID_DER_ASN1_DN                [RFC2407]
10        ID_DER_ASN1_GN                [RFC2407]
11        ID_KEY_ID                     [RFC2407]
12        ID_LIST                       [RFC3554]
13-248    Unassigned
249-255   Reserved for private use


Registry Name: IPSEC Notify Message Types
Reference: [RFC2407]

Note:
The IPSEC Notify Message Type is a 16-bit value taken from the range of
values reserved by ISAKMP for each DOI. There is one range for error
messages (8192-16383) and a different range for status messages
(24576-32767). Requests for assignments of new Notify Message Types
must be accompanied by an Internet Draft which describes how to use the
identification type within IPSEC.

Sub-registry: Notify Messages - Error Types (8192-16383)

Range        Registration Procedures       Notes
-----------  ----------------------------  ----------------------------
8192-16000   Specification Required
16001-16383  Reserved for private use      Amongst cooperating systems.

Registry:
Value        Notify Messages - Error Types    Reference
-----------  -------------------------------  ---------
8192         Reserved                         [RFC2407]
8193-16000   Unassigned
16001-16383  Reserved for private use


Sub-registry: Notify Messages - Status Types (24576-32767)

Range        Registration Procedures       Notes
-----------  ----------------------------  ----------------------------
24576-32000  Specification Required
32001-32767  Reserved for private use      Amongst cooperating systems.

Registry:
Value        Notify Messages - Status Types   Reference
-----------  -------------------------------  ---------
24576        RESPONDER-LIFETIME               [RFC2407]
24577        REPLAY-STATUS                    [RFC2407]
24578        INITIAL-CONTACT                  [RFC2407]
24579-32000  Unassigned
32001-32767  Reserved for private use


References
----------
[Errata1821] RFC Errata Report 1821 for RFC 4543,
             http://www.rfc-editor.org/errata_search.php?rfc=4543&eid=1821,
             verified 2009-10-08.

[RFC2407]    Piper, D., "The Internet IP Security Domain of
             Interpretation for ISAKMP", RFC 2407, Network Alchemy,
             November 1998.

[RFC2408]    Maughan, D., Schertler, M., Schneider, M., and J. Turner,
             "Internet Security Association and Key Management Protocol
             (ISAKMP)", RFC 2408, November 1998.

[RFC2857]    Keromytis, A. and N. Provos, "The Use of
             HMAC-RIPEMD-160-96 within ESP and AH", RFC 2857, June 2000.

[RFC3051]    Heath, J. and J. Border, "IP Payload Compression Using
             ITU-T V.44 Packet Method", RFC 3051, January 2001.

[RFC3168]    K. Ramakrishnan, S. Floyd, and D. Black, "The Addition of
             Explicit Congestion Notification (ECN) to IP", RFC 3168,
             September 2001.

[RFC3547]    Baugher, M., Hardjono, T., Harney, H., and B. Weis, "The
             Group Domain of Interpretation", RFC 3547, July 2003.

[RFC3554]    S. Bellovin, J. Ioannidis, A. Keromytis, and R. Stewart,
             "On the Use of SCTP with IPsec", RFC 3554, July 2003.

[RFC3566]    S. Frankel and H. Herbert, "The AES-XCBC-MAC-96 Algorithm
             and Its Use With IPsec", RFC 3566, September 2003.

[RFC3602]    S. Frankel, S. Kelly, and R. Glenn, "The AES Cipher
             Algorithm and Its Use With IPsec", RFC 3602, September 2003.

[RFC3686]    R. Housley, "Using AES Counter Mode With IPsec ESP",
             RFC 3686, January 2004.

[RFC3947]    T. Kivinen, A. Huttunen, B. Swander, and V. Volpe,
             "Negotiation of NAT-Traversal in the IKE", RFC 3947,
             January 2005.

[RFC4106]    J. Viega and D. McGrew, "The Use of Galois/Counter Mode
             (GCM) in IPsec ESP", RFC 4106, June 2005.

[RFC4196]    H. Lee, J. Yoon, S. Lee, and J. Lee, "The SEED Cipher
             Algorithm and Its Use With IPSec", RFC 4196, October 2005.

[RFC4304]    S. Kent, "Extended Sequence Number Addendum to IPsec DOI
             for ISAKMP", RFC 4304, December 2005.

[RFC4309]    R. Housley, "Using AES CCM Mode With IPsec ESP", RFC 4309,
             December 2005.

[RFC4312]    A. Kato, S. Moriai, and M. Kanda, "The Camellia Cipher
             Algorithm and Its Use With IPsec", RFC 4312, December 2005.

[RFC4359]    B. Weis, "The Use of RSA/SHA-1 Signatures within ESP and
             AH", RFC 4359, January 2006.

[RFC4543]    D. McGrew, J. Viega, "The Use of Galois Message
             Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
             May 2006.

[RFC4705]    R. Housley and A. Corry, "GigaBeam High-Speed Radio Link
             Encryption", RFC 4705, October 2006.

[RFC4868]    S. Kelly, S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-384,
             and HMAC-SHA-512 with IPsec", RFC 4868, May 2007.

[RFC6407]    B. Weis, S. Rowles, T. Hardjono, "The Group Domain of
             Interpretation", RFC 6407, October 2011.


People
------
[Dukes]      Darren Dukes, March 2001.

[Leech]      Marcus Leech, October 2000.