"Magic Numbers" for ISAKMP Protocol
- Last Updated: 2023-04-25
- Note: All registries listed below have been closed. See [RFC9395].
Registries included below
- IPSEC Situation Definition
- IPSEC Security Protocol Identifiers
- IPSEC ISAKMP Transform Identifiers
- IPSEC AH Transform Identifiers
- IPSEC ESP Transform Identifiers
- IPSEC IPCOMP Transform Identifiers
- IPSEC Security Association Attributes
  - SA Life Type Values (Value 1)
  - Group Description (Value 3)
  - Encapsulation Mode (Value 4)
  - Authentication Algorithm (Value 5)
  - Compression Private Algorithm (Value 9)
  - ECN Tunnel (Value 10)
  - Extended (64-bit) Sequence Number (Value 11)
  - Signature Encoding Algorithm Values (Value 13)
  - Address Preservation (Value 14)
  - SA Direction (Value 15)
- IPSEC Labeled Domain Identifiers
- IPSEC Identification Type
- IPSEC Notify Message Types
IPSEC Situation Definition
- Registration Procedure(s): Registry closed
- Reference: [RFC2407][RFC9395]
- Note:
The Situation Definition is a 32-bit bitmask which represents the environment under which the IPSEC SA proposal and negotiation is carried out. Requests for assignments of new situations must be accompanied by an RFC which describes the interpretation for the associated bit. If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned. The upper two bits are reserved for private use amongst cooperating systems.
Value | Situation | References |
---|---|---|
0x01 | SIT_IDENTITY_ONLY | [RFC2407] |
0x02 | SIT_SECRECY | [RFC2407] |
0x04 | SIT_INTEGRITY | [RFC2407] |
IPSEC Security Protocol Identifiers
- Registration Procedure(s): Registry closed
- Reference: [RFC2407][RFC9395]
- Note:
The Security Protocol Identifier is an 8-bit value which identifies a security protocol suite being negotiated. Requests for assignments of new security protocol identifiers must be accompanied by an RFC which describes the requested security protocol. [AH] and [ESP] are examples of security protocol documents. If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.
Value | Protocol ID | References |
---|---|---|
0 | RESERVED | [RFC2407] |
1 | PROTO_ISAKMP | [RFC2407] |
2 | PROTO_IPSEC_AH | [RFC2407] |
3 | PROTO_IPSEC_ESP | [RFC2407] |
4 | PROTO_IPCOMP | [RFC2407] |
5 | PROTO_GIGABEAM_RADIO | [RFC4705] |
6-248 | Unassigned | |
249-255 | Reserved for private use | |
IPSEC ISAKMP Transform Identifiers
- Registration Procedure(s): Registry closed
- Reference: [RFC2407][RFC9395]
- Note:
The IPSEC ISAKMP Transform Identifier is an 8-bit value which identifies a key exchange protocol to be used for the negotiation. Requests for assignments of new ISAKMP transform identifiers must be accompanied by an RFC which describes the requested key exchange protocol. [IKE] is an example of one such document. If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.
Value | Transform | References |
---|---|---|
0 | RESERVED | [RFC2407] |
1 | KEY_IKE | [RFC2407] |
2-248 | Unassigned | |
249-255 | Reserved for private use | |
IPSEC AH Transform Identifiers
- Registration Procedure(s): Registry closed
- Reference: [RFC2407][RFC9395]
- Note:
The IPSEC AH Transform Identifier is an 8-bit value which identifies a particular algorithm to be used to provide integrity protection for AH. Requests for assignments of new AH transform identifiers must be accompanied by an RFC which describes how to use the algorithm within the AH framework ([AH]). If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.
Value | Transform ID | References |
---|---|---|
0-1 | RESERVED | [RFC2407] |
2 | AH_MD5 | [RFC2407] |
3 | AH_SHA | [RFC2407] |
4 | AH_DES | [RFC2407] |
5 | AH_SHA2-256 | [RFC4868] |
6 | AH_SHA2-384 | [RFC4868] |
7 | AH_SHA2-512 | [RFC4868] |
8 | AH_RIPEMD | [RFC2857] |
9 | AH_AES-XCBC-MAC | [RFC3566] |
10 | AH_RSA | [RFC4359] |
11 | AH_AES-128-GMAC | [RFC4543][RFC Errata 1821] |
12 | AH_AES-192-GMAC | [RFC4543][RFC Errata 1821] |
13 | AH_AES-256-GMAC | [RFC4543][RFC Errata 1821] |
14-248 | Unassigned | |
249-255 | Reserved for private use | |
IPSEC ESP Transform Identifiers
- Registration Procedure(s): Registry closed
- Reference: [RFC2407][RFC9395]
- Note:
The IPSEC ESP Transform Identifier is an 8-bit value which identifies a particular algorithm to be used to provide secrecy protection for ESP. Requests for assignments of new ESP transform identifiers must be accompanied by an RFC which describes how to use the algorithm within the ESP framework ([ESP]). If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.
Value | Transform ID | References |
---|---|---|
0 | RESERVED | [RFC2407] |
1 | ESP_DES_IV64 | [RFC2407] |
2 | ESP_DES | [RFC2407] |
3 | ESP_3DES | [RFC2407] |
4 | ESP_RC5 | [RFC2407] |
5 | ESP_IDEA | [RFC2407] |
6 | ESP_CAST | [RFC2407] |
7 | ESP_BLOWFISH | [RFC2407] |
8 | ESP_3IDEA | [RFC2407] |
9 | ESP_DES_IV32 | [RFC2407] |
10 | ESP_RC4 | [RFC2407] |
11 | ESP_NULL | [RFC2407] |
12 | ESP_AES-CBC | [RFC3602] |
13 | ESP_AES-CTR | [RFC3686] |
14 | ESP_AES-CCM_8 | [RFC4309][1] |
15 | ESP_AES-CCM_12 | [RFC4309][1] |
16 | ESP_AES-CCM_16 | [RFC4309][1] |
17 | Unassigned | |
18 | ESP_AES-GCM_8 | [RFC4106][1] |
19 | ESP_AES-GCM_12 | [RFC4106][1] |
20 | ESP_AES-GCM_16 | [RFC4106][1] |
21 | ESP_SEED_CBC | [RFC4196] |
22 | ESP_CAMELLIA | [RFC4312] |
23 | ESP_NULL_AUTH_AES-GMAC | [RFC4543][RFC Errata 1821] |
24-248 | Unassigned | |
249-255 | Reserved for private use | |
IPSEC IPCOMP Transform Identifiers
- Registration Procedure(s): Registry closed
- Reference: [RFC2407][RFC9395]
- Note:
The IPSEC IPCOMP Transform Identifier is an 8-bit value which identifies a particular algorithm to be used to provide IP-level compression before ESP. Requests for assignments of new IPCOMP transform identifiers must be accompanied by an RFC which describes how to use the algorithm within the IPCOMP framework ([IPCOMP]). In addition, the requested algorithm must be published and in the public domain. If the RFC is not on the standards-track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.
Value | Transform ID | References |
---|---|---|
0 | RESERVED | [RFC2407] |
1 | IPCOMP_OUI | [RFC2407] |
2 | IPCOMP_DEFLATE | [RFC2407] |
3 | IPCOMP_LZS | [RFC2407] |
4 | IPCOMP_LZJH | [RFC3051] |
5-47 | Reserved for approved algorithms | |
48-63 | Reserved for private use | |
64-255 | Unassigned | |
IPSEC Security Association Attributes
- Registration Procedure(s): Registry closed
- Reference: [RFC2407][RFC9395]
- Note:
The IPSEC Security Association Attribute consists of a 16-bit type and its associated value. IPSEC SA attributes are used to pass miscellaneous values between ISAKMP peers. Requests for assignments of new IPSEC SA attributes must be accompanied by an Internet Draft which describes the attribute encoding (Basic/Variable-Length) and its legal values. Section 4.5 of this document provides an example of such a description.
Value | Type | Class | References |
---|---|---|---|
1 | B | SA Life Type | [RFC2407] |
2 | V | SA Life Duration | [RFC2407] |
3 | B | Group Description | [RFC2407] |
4 | B | Encapsulation Mode | [RFC2407] |
5 | B | Authentication Algorithm | [RFC2407] |
6 | B | Key Length | [RFC2407] |
7 | B | Key Rounds | [RFC2407] |
8 | B | Compress Dictionary Size | [RFC2407] |
9 | V | Compress Private Algorithm | [RFC2407] |
10 | B | ECN Tunnel | [RFC3168] |
11 | B | Extended (64-bit) Sequence Number | [RFC4304] |
12 | V | Authentication Key Length | [RFC4359] |
13 | B | Signature Encoding Algorithm | [RFC4359] |
14 | B | Address Preservation | [RFC6407] |
15 | B | SA Direction | [RFC6407] |
16-32000 | Unassigned | | |
32001-32767 | Reserved for private use | | |
SA Life Type Values (Value 1)
Value | Name | References |
---|---|---|
0 | Reserved | [RFC2407] |
1 | seconds | [RFC2407] |
2 | kilobytes | [RFC2407] |
3-61439 | Unassigned | |
61440-65535 | Reserved for private use | |
Group Description (Value 3)
- Note: Please refer to the registry Group Description (Value 4) at [IANA registry ipsec-registry]
Encapsulation Mode (Value 4)
Value | Name | References |
---|---|---|
0 | Reserved | [RFC2407] |
1 | Tunnel | [RFC2407] |
2 | Transport | [RFC2407] |
3 | UDP-Encapsulated-Tunnel | [RFC3947] |
4 | UDP-Encapsulated-Transport | [RFC3947] |
5-61439 | Unassigned | |
61440-65535 | Reserved for private use | |
Authentication Algorithm (Value 5)
Value | Name | References |
---|---|---|
0 | Reserved | [RFC2407] |
1 | HMAC-MD5 | [RFC2407] |
2 | HMAC-SHA | [RFC2407] |
3 | DES-MAC | [RFC2407] |
4 | KPDK | [RFC2407] |
5 | HMAC-SHA2-256 | [Marcus_Leech][IPSEC] |
6 | HMAC-SHA2-384 | [Marcus_Leech][IPSEC] |
7 | HMAC-SHA2-512 | [Marcus_Leech][IPSEC] |
8 | HMAC-RIPEMD | [RFC2857] |
9 | AES-XCBC-MAC | [RFC3566] |
10 | SIG-RSA | [RFC4359] |
11 | AES-128-GMAC | [RFC4543][RFC Errata 1821] |
12 | AES-192-GMAC | [RFC4543][RFC Errata 1821] |
13 | AES-256-GMAC | [RFC4543][RFC Errata 1821] |
14-61439 | Unassigned | |
61440-65535 | Reserved for private use | |
Compression Private Algorithm (Value 9)
- Registration Procedure(s): IANA does not assign
- Reference: [RFC2407]
- Note:
Specifies a private vendor compression algorithm. The first three (3) octets must be an IEEE assigned company_id (OUI). The next octet may be a vendor specific compression subtype, followed by zero or more octets of vendor data.
Registry is empty.
ECN Tunnel (Value 10)
- Registration Procedure(s): Registry closed
- Reference: [RFC3168][RFC9395]
- Note: If unspecified, the default shall be assumed to be Forbidden.
Value | Name | References |
---|---|---|
0 | Reserved | [RFC3168] |
1 | Allowed | [RFC3168] |
2 | Forbidden | [RFC3168] |
3-61439 | Unassigned | |
61440-65535 | Reserved for private use | |
Extended (64-bit) Sequence Number (Value 11)
- Registration Procedure(s): No additional class values will be assigned for this attribute.
- Reference: [RFC4304][RFC9395]
Value | Name | References |
---|---|---|
0 | RESERVED | [RFC4304] |
1 | 64-bit Sequence Number | [RFC4304] |
Signature Encoding Algorithm Values (Value 13)
Value | Name | References |
---|---|---|
0 | Reserved | [RFC4359] |
1 | RSASSA-PKCS1-v1_5 | [RFC4359] |
2 | RSASSA-PSS | [RFC4359] |
3-61439 | Unassigned | |
61440-65535 | Reserved for private use | |
Address Preservation (Value 14)
Value | Name | References |
---|---|---|
0 | Reserved | [RFC6407] |
1 | None | [RFC6407] |
2 | Source-Only | [RFC6407] |
3 | Destination-Only | [RFC6407] |
4 | Source-and-Destination | [RFC6407] |
5-61439 | Unassigned | |
61440-65535 | Private Use | [RFC6407] |
SA Direction (Value 15)
Value | Name | References |
---|---|---|
0 | Reserved | [RFC6407] |
1 | Sender-Only | [RFC6407] |
2 | Receiver-Only | [RFC6407] |
3 | Symmetric | [RFC6407] |
4-61439 | Unassigned | [RFC6407] |
61440-65535 | Private Use | [RFC6407] |
IPSEC Labeled Domain Identifiers
- Registration Procedure(s): Registry closed
- Reference: [RFC2407][RFC9395]
- Note:
The IPSEC Labeled Domain Identifier is a 32-bit value which identifies a namespace in which the Secrecy and Integrity levels and categories values are said to exist. Requests for assignments of new IPSEC Labeled Domain Identifiers should be granted on demand. No accompanying documentation is required, though Internet Drafts are encouraged when appropriate.
Value | Domain | References |
---|---|---|
0 | Reserved | [RFC2407] |
0x80000000-0xffffffff | Reserved for private use | |
IPSEC Identification Type
- Registration Procedure(s): Registry closed
- Reference: [RFC2407][RFC9395]
- Note:
The IPSEC Identification Type is an 8-bit value which is used as a discriminant for interpretation of the variable-length Identification Payload. Requests for assignments of new IPSEC Identification Types must be accompanied by an RFC which describes how to use the identification type within IPSEC. If the RFC is not on the standards track (i.e., it is an informational or experimental RFC), it must be explicitly reviewed and approved by the IESG before the RFC is published and the transform identifier is assigned.
Value | ID Type | References |
---|---|---|
0 | RESERVED | [RFC2407] |
1 | ID_IPV4_ADDR | [RFC2407] |
2 | ID_FQDN | [RFC2407] |
3 | ID_USER_FQDN | [RFC2407] |
4 | ID_IPV4_ADDR_SUBNET | [RFC2407] |
5 | ID_IPV6_ADDR | [RFC2407] |
6 | ID_IPV6_ADDR_SUBNET | [RFC2407] |
7 | ID_IPV4_ADDR_RANGE | [RFC2407] |
8 | ID_IPV6_ADDR_RANGE | [RFC2407] |
9 | ID_DER_ASN1_DN | [RFC2407] |
10 | ID_DER_ASN1_GN | [RFC2407] |
11 | ID_KEY_ID | [RFC2407] |
12 | ID_LIST | [RFC3554] |
13-248 | Unassigned | |
249-255 | Reserved for private use | |
IPSEC Notify Message Types
- Registration Procedure(s): Registry closed
- Reference: [RFC2407][RFC9395]
- Note:
The IPSEC Notify Message Type is a 16-bit value taken from the range of values reserved by ISAKMP for each DOI. There is one range for error messages (8192-16383) and a different range for status messages (24576-32767). Requests for assignments of new Notify Message Types must be accompanied by an Internet Draft which describes how to use the identification type within IPSEC.
Notify Messages - Error Types (8192-16383)
Value | Notify Messages - Error Types | References |
---|---|---|
8192 | Reserved | [RFC2407] |
8193-16000 | Unassigned | |
16001-16383 | Reserved for private use | |
Notify Messages - Status Types (24576-32767)
Value | Notify Messages - Status Types | References |
---|---|---|
24576 | RESPONDER-LIFETIME | [RFC2407] |
24577 | REPLAY-STATUS | [RFC2407] |
24578 | INITIAL-CONTACT | [RFC2407] |
24579-32000 | Unassigned | |
32001-32767 | Reserved for private use | |
Contact Information
ID | Name | Contact URI | Last Updated |
---|---|---|---|
[IPSEC] | IETF IPSEC WG | mailto:ipsec&ietf.org | 2023-01-04 |
[Marcus_Leech] | Marcus Leech | mailto:mleech&nortelnetworks.com | 2000-10 |
Footnote
[1] This is a combined mode cipher, but combined mode algorithms are not a feature of IPsec-v2. Although some IKEv1/IPsec-v2 implementations include this capability (see [RFC6071] Section 5.4), it is not part of the protocol.