Assigned Numbers: RFC 1700 is Replaced by an On-line Database

Network Working Group                                           A. Conta
Request for Comments: 2463                                        Lucent
Obsoletes: 1885                                               S. Deering
Category: Standards Track                                  Cisco Systems
                                                           December 1998

               Internet Control Message Protocol (ICMPv6)
               for the Internet Protocol Version 6 (IPv6)
                             Specification

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

Abstract

   This document specifies a set of Internet Control Message Protocol
   (ICMP) messages for use with version 6 of the Internet Protocol
   (IPv6).

Table of Contents

      1. Introduction........................................2
      2. ICMPv6 (ICMP for IPv6)..............................2
            2.1 Message General Format.......................2
            2.2 Message Source Address Determination.........3
            2.3 Message Checksum Calculation.................4
            2.4 Message Processing Rules.....................4
      3. ICMPv6 Error Messages...............................6
            3.1 Destination Unreachable Message..............6
            3.2 Packet Too Big Message...................... 8
            3.3 Time Exceeded Message....................... 9
            3.4 Parameter Problem Message...................10
      4. ICMPv6 Informational Messages......................11
            4.1 Echo Request Message........................11
            4.2 Echo Reply Message..........................12
      5. Security Considerations............................13
      6. References.........................................14
      7. Acknowledgments....................................15
      8. Authors' Addresses.................................16
      Appendix A - Changes since RFC 1885...................17
      Full Copyright Statement..............................18

1. Introduction

   The Internet Protocol, version 6 (IPv6) is a new version of IP.  IPv6
   uses the Internet Control Message Protocol (ICMP) as defined for IPv4
   [RFC-792], with a number of changes.  The resulting protocol is
   called ICMPv6, and has an IPv6 Next Header value of 58.

   This document describes the format of a set of control messages used
   in ICMPv6.  It does not describe the procedures for using these
   messages to achieve functions like Path MTU discovery; such
   procedures are described in other documents (e.g., [PMTU]).  Other
   documents may also introduce additional ICMPv6 message types, such as
   Neighbor Discovery messages [IPv6-DISC], subject to the general rules
   for ICMPv6 messages given in section 2 of this document.

   Terminology defined in the IPv6 specification [IPv6] and the IPv6
   Routing and Addressing specification [IPv6-ADDR] applies to this
   document as well.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC-2119].

2. ICMPv6 (ICMP for IPv6)

   ICMPv6 is used by IPv6 nodes to report errors encountered in
   processing packets, and to perform other internet-layer functions,
   such as diagnostics (ICMPv6 "ping").  ICMPv6 is an integral part of
   IPv6 and MUST be fully implemented by every IPv6 node.

2.1 Message General Format

   ICMPv6 messages are grouped into two classes: error messages and
   informational messages.  Error messages are identified as such by
   having a zero in the high-order bit of their message Type field
   values.  Thus, error messages have message Types from 0 to 127;
   informational messages have message Types from 128 to 255.

   This document defines the message formats for the following ICMPv6
   messages:

        ICMPv6 error messages:

             1    Destination Unreachable      (see section 3.1)
             2    Packet Too Big               (see section 3.2)
             3    Time Exceeded                (see section 3.3)
             4    Parameter Problem            (see section 3.4)

        ICMPv6 informational messages:

             128  Echo Request                 (see section 4.1)
             129  Echo Reply                   (see section 4.2)

   Every ICMPv6 message is preceded by an IPv6 header and zero or more
   IPv6 extension headers. The ICMPv6 header is identified by a Next
   Header value of 58 in the immediately preceding header.
 (NOTE: this
   is different than the value used to identify ICMP for IPv4.)

   The ICMPv6 messages have the following general format:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |          Checksum             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      +                         Message Body                          +
      |                                                               |

   The type field indicates the type of the message. Its value
   determines the format of the remaining data.

   The code field depends on the message type. It is used to create an
   additional level of message granularity.

   The checksum field is used to detect data corruption in the ICMPv6
   message and parts of the IPv6 header.

2.2 Message Source Address Determination

   A node that sends an ICMPv6 message has to determine both the Source
   and Destination IPv6 Addresses in the IPv6 header before calculating
   the checksum.  If the node has more than one unicast address, it must
   choose the Source Address of the message as follows:

    (a) If the message is a response to a message sent to one of the
        node's unicast addresses, the Source Address of the reply must
        be that same address.

    (b) If the message is a response to a message sent to a multicast or
        anycast group in which the node is a member, the Source Address
        of the reply must be a unicast address belonging to the
        interface on which the multicast or anycast packet was received.

    (c) If the message is a response to a message sent to an address
        that does not belong to the node, the Source Address should be
        that unicast address belonging to the node that will be most
        helpful in diagnosing the error. For example, if the message is
        a response to a packet forwarding action that cannot complete
        successfully, the Source Address should be a unicast address
        belonging to the interface on which the packet forwarding
        failed.

    (d) Otherwise, the node's routing table must be examined to
        determine which interface will be used to transmit the message
        to its destination, and a unicast address belonging to that
        interface must be used as the Source Address of the message.

2.3 Message Checksum Calculation

   The checksum is the 16-bit one's complement of the one's complement
   sum of the entire ICMPv6 message starting with the ICMPv6 message
   type field, prepended with a "pseudo-header" of IPv6 header fields,
   as specified in [IPv6, section 8.1].  The Next Header value used in
   the pseudo-header is 58.  (NOTE: the inclusion of a pseudo-header in
   the ICMPv6 checksum is a change from IPv4; see [IPv6] for the
   rationale for this change.)

   For computing the checksum, the checksum field is set to zero.

2.4 Message Processing Rules

   Implementations MUST observe the following rules when processing
   ICMPv6 messages (from [RFC-1122]):

    (a) If an ICMPv6 error message of unknown type is received, it MUST
        be passed to the upper layer.

    (b) If an ICMPv6 informational message of unknown type is received,
        it MUST be silently discarded.

    (c) Every ICMPv6 error message (type < 128) includes as much of the
        IPv6 offending (invoking) packet (the packet that caused the
        error) as will fit without making the error message packet
        exceed the minimum IPv6 MTU [IPv6].

    (d) In those cases where the internet-layer protocol is required to
        pass an ICMPv6 error message to the upper-layer process, the
        upper-layer protocol type is extracted from the original packet
        (contained in the body of the ICMPv6 error message) and used to
        select the appropriate upper-layer process to handle the error.

        If the original packet had an unusually large amount of
        extension headers, it is possible that the upper-layer protocol
        type may not be present in the ICMPv6 message, due to truncation
        of the original packet to meet the minimum IPv6 MTU [IPv6]
        limit.  In that case, the error message is silently dropped
        after any IPv6-layer processing.

    (e) An ICMPv6 error message MUST NOT be sent as a result of
        receiving:

         (e.1) an ICMPv6 error message, or

         (e.2) a packet destined to an IPv6 multicast address (there are
               two exceptions to this rule: (1) the Packet Too Big
               Message - Section 3.2 - to allow Path MTU discovery to
               work for IPv6 multicast, and (2) the Parameter Problem
               Message, Code 2 - Section 3.4 - reporting an unrecognized
               IPv6 option that has the Option Type highest-order two
               bits set to 10), or

         (e.3) a packet sent as a link-layer multicast, (the exception
               from e.2 applies to this case too), or

         (e.4) a packet sent as a link-layer broadcast, (the exception
               from e.2 applies to this case too), or

         (e.5) a packet whose source address does not uniquely identify
               a single node -- e.g., the IPv6 Unspecified Address, an
               IPv6 multicast address, or an address known by the ICMP
               message sender to be an IPv6 anycast address.

    (f) Finally, in order to limit the bandwidth and forwarding costs
        incurred sending ICMPv6 error messages, an IPv6 node MUST limit
        the rate of ICMPv6 error messages it sends.  This situation may
        occur when a source sending a stream of erroneous packets fails
        to heed the resulting ICMPv6 error messages.  There are a
        variety of ways of implementing the rate-limiting function, for
        example:

         (f.1) Timer-based - for example, limiting the rate of
               transmission of error messages to a given source, or to
               any source, to at most once every T milliseconds.

         (f.2) Bandwidth-based - for example, limiting the rate at which
               error messages are sent from a particular interface to
               some fraction F of the attached link's bandwidth.

        The limit parameters (e.g., T or F in the above examples) MUST
        be configurable for the node, with a conservative default value
        (e.g., T = 1 second, NOT 0 seconds, or F = 2 percent, NOT 100
        percent).

   The following sections describe the message formats for the above
   ICMPv6 messages.

3. ICMPv6 Error Messages

3.1 Destination Unreachable Message

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |          Checksum             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Unused                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    As much of invoking packet                 |
      +                as will fit without the ICMPv6 packet          +
      |                exceeding the minimum IPv6 MTU [IPv6]          |

   IPv6 Fields:

   Destination Address

                  Copied from the Source Address field of the invoking
                  packet.

   ICMPv6 Fields:

   Type           1

   Code           0 - no route to destination
                  1 - communication with destination
                        administratively prohibited
                  2 - (not assigned)
                  3 - address unreachable
                  4 - port unreachable

   Unused         This field is unused for all code values.
                  It must be initialized to zero by the sender
                  and ignored by the receiver.

   Description

   A Destination Unreachable message SHOULD be generated by a router, or
   by the IPv6 layer in the originating node, in response to a packet
   that cannot be delivered to its destination address for reasons other
   than congestion.  (An ICMPv6 message MUST NOT be generated if a
   packet is dropped due to congestion.)

   If the reason for the failure to deliver is lack of a matching entry
   in the forwarding node's routing table, the Code field is set to 0
   (NOTE: this error can occur only in nodes that do not hold a "default
   route" in their routing tables).

   If the reason for the failure to deliver is administrative
   prohibition, e.g., a "firewall filter", the Code field is set to 1.

   If there is any other reason for the failure to deliver, e.g.,
   inability to resolve the IPv6 destination address into a
   corresponding link address, or a link-specific problem of some sort,
   then the Code field is set to 3.

   A destination node SHOULD send a Destination Unreachable message with
   Code 4 in response to a packet for which the transport protocol
   (e.g., UDP) has no listener, if that transport protocol has no
   alternative means to inform the sender.

   Upper layer notification

   A node receiving the ICMPv6 Destination Unreachable message MUST
   notify the upper-layer process.

3.2 Packet Too Big Message

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |          Checksum             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             MTU                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    As much of invoking packet                 |
      +               as will fit without the ICMPv6 packet           +
      |               exceeding the minimum IPv6 MTU [IPv6]           |

   IPv6 Fields:

   Destination Address

                  Copied from the Source Address field of the invoking
                  packet.

   ICMPv6 Fields:

   Type           2

   Code           Set to 0 (zero) by the sender and ignored by the
                  receiver

   MTU            The Maximum Transmission Unit of the next-hop link.

  Description

   A Packet Too Big MUST be sent by a router in response to a packet
   that it cannot forward because the packet is larger than the MTU of
   the outgoing link.  The information in this message is used as part
   of the Path MTU Discovery process [PMTU].

   Sending a Packet Too Big Message makes an exception to one of the
   rules of when to send an ICMPv6 error message, in that unlike other
   messages, it is sent in response to a packet received with an IPv6
   multicast destination address, or a link-layer multicast or link-
   layer broadcast address.

   Upper layer notification

   An incoming Packet Too Big message MUST be passed to the upper-layer
   process.

3.3 Time Exceeded Message

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |          Checksum             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                             Unused                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    As much of invoking packet                 |
      +               as will fit without the ICMPv6 packet           +
      |               exceeding the minimum IPv6 MTU [IPv6]           |

   IPv6 Fields:

   Destination Address
                  Copied from the Source Address field of the invoking
                  packet.

   ICMPv6 Fields:

   Type           3

   Code           0 - hop limit exceeded in transit

                  1 - fragment reassembly time exceeded

   Unused         This field is unused for all code values.
                  It must be initialized to zero by the sender
                  and ignored by the receiver.

   Description

   If a router receives a packet with a Hop Limit of zero, or a router
   decrements a packet's Hop Limit to zero, it MUST discard the packet
   and send an ICMPv6 Time Exceeded message with Code 0 to the source of
   the packet.  This indicates either a routing loop or too small an
   initial Hop Limit value.

   The rules for selecting the Source Address of this message are
   defined in section 2.2.

   Upper layer notification

   An incoming Time Exceeded message MUST be passed to the upper-layer
   process.

3.4 Parameter Problem Message

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |          Checksum             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            Pointer                            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    As much of invoking packet                 |
      +               as will fit w
ithout the ICMPv6 packet           +
      |               exceeding the minimum IPv6 MTU [IPv6]           |

   IPv6 Fields:

   Destination Address

                  Copied from the Source Address field of the invoking
                  packet.

   ICMPv6 Fields:

   Type           4

   Code           0 - erroneous header field encountered

                  1 - unrecognized Next Header type encountered

                  2 - unrecognized IPv6 option encountered

   Pointer        Identifies the octet offset within the
                  invoking packet where the error was detected.

                  The pointer will point beyond the end of the ICMPv6
                  packet if the field in error is beyond what can fit
                  in the maximum size of an ICMPv6 error message.

   Description

   If an IPv6 node processing a packet finds a problem with a field in
   the IPv6 header or extension headers such that it cannot complete
   processing the packet, it MUST discard the packet and SHOULD send an
   ICMPv6 Parameter Problem message to the packet's source, indicating
   the type and location of the problem.

   The pointer identifies the octet of the original packet's header
   where the error was detected. For example, an ICMPv6 message with
   Type field = 4, Code field = 1, and Pointer field = 40 would indicate

   that the IPv6 extension header following the IPv6 header of the
   original packet holds an unrecognized Next Header field value.

   Upper layer notification

   A node receiving this ICMPv6 message MUST notify the upper-layer
   process.

4. ICMPv6 Informational Messages

4.1 Echo Request Message

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |          Checksum             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           Identifier          |        Sequence Number        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Data ...
      +-+-+-+-+-

   IPv6 Fields:

   Destination Address

                  Any legal IPv6 address.

   ICMPv6 Fields:

   Type           128

   Code           0

   Identifier     An identifier to aid in matching Echo Replies
                  to this Echo Request.  May be zero.

   Sequence Number

                  A sequence number to aid in matching Echo Replies
                  to this Echo Request.  May be zero.

   Data           Zero or more octets of arbitrary data.

   Description

   Every node MUST implement an ICMPv6 Echo responder function that
   receives Echo Requests and sends corresponding Echo Replies.  A node
   SHOULD also implement an application-layer interface for sending Echo
   Requests and receiving Echo Replies, for diagnostic purposes.

   Upper layer notification

   Echo Request messages MAY be passed to processes receiving ICMP
   messages.

4.2 Echo Reply Message

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |          Checksum             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           Identifier          |        Sequence Number        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Data ...
      +-+-+-+-+-

   IPv6 Fields:

   Destination Address

                  Copied from the Source Address field of the invoking
                  Echo Request packet.

   ICMPv6 Fields:

   Type           129

   Code           0

   Identifier     The identifier from the invoking Echo Request message.

   Sequence       The sequence number from the invoking Echo Request
   Number         message.

   Data           The data from the invoking Echo Request message.

   Description

   Every node MUST implement an ICMPv6 Echo responder function that
   receives Echo Requests and sends corresponding Echo Replies.  A node
   SHOULD also implement an application-layer interface for sending Echo
   Requests and receiving Echo Replies, for diagnostic purposes.

   The source address of an Echo Reply sent in response to a unicast
   Echo Request message MUST be the same as the destination address of
   that Echo Request message.

   An Echo Reply SHOULD be sent in response to an Echo Request message
   sent to an IPv6 multicast address.  The source address of the reply
   MUST be a unicast address belonging to the interface on which the
   multicast Echo Request message was received.

   The data received in the ICMPv6 Echo Request message MUST be returned
   entirely and unmodified in the ICMPv6 Echo Reply message.

   Upper layer notification

   Echo Reply messages MUST be passed to the process that originated an
   Echo Request message.  It may be passed to processes that did not
   originate the Echo Request message.

5. Security Considerations

5.1 Authentication and Encryption of ICMP messages

   ICMP protocol packet exchanges can be authenticated using the IP
   Authentication Header [IPv6-AUTH].  A node SHOULD include an
   Authentication Header when sending ICMP messages if a security
   association for use with the IP Authentication Header exists for the
   destination address.  The security associations may have been created
   through manual configuration or through the operation of some key
   management protocol.

   Received Authentication Headers in ICMP packets MUST be verified for
   correctness and packets with incorrect authentication MUST be ignored
   and discarded.

   It SHOULD be possible for the system administrator to configure a
   node to ignore any ICMP messages that are not authenticated using
   either the Authentication Header or Encapsulating Security Payload.
   Such a switch SHOULD default to allowing unauthenticated messages.

   Confidentiality issues are addressed by the IP Security Architecture
   and the IP Encapsulating Security Payload documents [IPv6-SA, IPv6-
   ESP].

5.2 ICMP Attacks

   ICMP messages may be subject to various attacks.  A complete
   discussion can be found in the IP Security Architecture [IPv6-SA].  A
   brief discussion of such attacks and their p
revention is as follows:

   1. ICMP messages may be subject to actions intended to cause the
      receiver believe the message came from a different source than the
      message originator.  The protection against this attack can be
      achieved by applying the IPv6 Authentication mechanism [IPv6-Auth]
      to the ICMP message.

   2. ICMP messages may be subject to actions intended to cause the
      message or the reply to it go to a destination different than the
      message originator's intention.  The ICMP checksum calculation
      provides a protection mechanism against changes by a malicious
      interceptor in the destination and source address of the IP packet
      carrying that message, provided the ICMP checksum field is
      protected against change by authentication [IPv6-Auth] or
      encryption [IPv6-ESP] of the ICMP message.

   3. ICMP messages may be subject to changes in the message fields, or
      payload.  The authentication [IPv6-Auth] or encryption [IPv6-ESP]
      of the ICMP message is a protection against such actions.

   4. ICMP messages may be used as attempts to perform denial of service
      attacks by sending back to back erroneous IP packets.  An
      implementation that correctly followed section 2.4, paragraph (f)
      of this specifications, would be protected by the ICMP error rate
      limiting mechanism.

6. References

   [IPv6]       Deering, S. and R. Hinden, "Internet Protocol, Version
                6, (IPv6) Specification", RFC 2460, December 1998.

   [IPv6-ADDR]  Hinden, R. and S. Deering, "IP Version 6 Addressing
                Architecture", RFC 2373, July 1998.

   [IPv6-DISC]  Narten, T., Nordmark, E. and W. Simpson, "Neighbor
                Discovery for IP Version 6 (IPv6)", RFC 2461, December
                1998.

   [RFC-792]    Postel, J., "Internet Control Message Protocol", STD 5,
                RFC 792, September 1981.

   [RFC-1122]   Braden, R., "Requirements for Internet Hosts -
                Communication Layers", STD 5, RFC 1122, August 1989.

   [PMTU]       McCann, J., Deering, S. and J. Mogul, "Path MTU
                Discovery for IP version 6", RFC 1981, August 1996.

   [RFC-2119]   Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.

   [IPv6-SA]    Kent, S. and R. Atkinson, "Security Architecture for the
                Internet Protocol", RFC 2401, November 1998.

   [IPv6-Auth]  Kent, S. and R. Atkinson, "IP Authentication Header",
                RFC 2402, November 1998.

   [IPv6-ESP]   Kent, S. and R. Atkinson, "IP Encapsulating Security
                Protocol (ESP)", RFC 2406, November 1998.

7. Acknowledgments

   The document is derived from previous ICMP drafts of the SIPP and
   IPng working group.

   The IPng working group and particularly Robert Elz, Jim Bound, Bill
   Simpson, Thomas Narten, Charlie Lynn, Bill Fink, Scott Bradner,
   Dimitri Haskin, and Bob Hinden (in chronological order) provided
   extensive review information and feedback.

8. Authors' Addresses

   Alex Conta
   Lucent Technologies Inc.
   300 Baker Ave, Suite 100
   Concord, MA 01742
   USA

   Phone: +1 978 287-2842
   EMail: aconta@lucent.com

   Stephen Deering
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   Phone: +1 408 527-8213
   EMail: deering@cisco.com

Appendix A - Changes from RFC 1885

   Version 2-02

    - Excluded mentioning informational replies from paragraph (f.2) of
      section 2.4.
    - In "Upper layer notification" sections changed "upper-layer
      protocol" and "User Interface" to "process".
    - Changed section 5.2, item 2 and 3 to also refer to AH
      authentication.
    - Removed item 5. from section 5.2 on denial of service attacks.
    - Updated phone numbers and Email addresses in the "Authors'
      Addresses" section.

   Version 2-01

    - Replaced all references to "576 octets" as the maximum for an ICMP
      message size with "minimum IPv6 MTU" as defined by the base IPv6
      specification.
    - Removed rate control from informational messages.
    - Added requirement that receivers ignore Code value in Packet Too
      Big message.
    - Removed "Not a Neighbor" (code 2) from destination unreachable
      message.
    - Fixed typos and update references.

   Version 2-00

    - Applied rate control to informational messages
    - Removed section 2.4 on Group Management ICMP messages
    - Removed references to IGMP in Abstract and Section 1.
    - Updated references to other IPv6 documents
    - Removed references to RFC-1112 in Abstract, and Section 1, and to
      RFC-1191 in section 1, and section 3.2
    - Added security section
    - Added Appendix A - changes

Full Copyright Statement

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

The post RFC 2463 – Internet Control Message Protocol (ICMPv6) appeared first on IPv6.net.

Network Working Group                                            S. Kent
Request for Comments: 2401                                      BBN Corp
Obsoletes: 1825                                              R. Atkinson
Category: Standards Track                                  @Home Network
                                                           November 1998

            Security Architecture for the Internet Protocol

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

Table of Contents

1. Introduction........................................................3
  1.1 Summary of Contents of Document..................................3
  1.2 Audience.........................................................3
  1.3 Related Documents................................................4
2. Design Objectives...................................................4
  2.1 Goals/Objectives/Requirements/Problem Description................4
  2.2 Caveats and Assumptions..........................................5
3. System Overview.....................................................5
  3.1 What IPsec Does..................................................6
  3.2 How IPsec Works..................................................6
  3.3 Where IPsec May Be Implemented...................................7
4. Security Associations...............................................8
  4.1 Definition and Scope.............................................8
  4.2 Security Association Functionality..............................10
  4.3 Combining Security Associations.................................11
  4.4 Security Association Databases..................................13
     4.4.1 The Security Policy Database (SPD).........................14
     4.4.2 Selectors..................................................17
     4.4.3 Security Association Database (SAD)........................21
  4.5 Basic Combinations of Security Associations.....................24
  4.6 SA and Key Management...........................................26
     4.6.1 Manual Techniques..........................................27
     4.6.2 Automated SA and Key Management............................27
     4.6.3 Locating a Security Gateway................................28
  4.7 Security Associations and Multicast.............................29

5. IP Traffic Processing..............................................30
  5.1 Outbound IP Traffic Processing..................................30
     5.1.1 Selecting and Using an SA or SA Bundle.....................30
     5.1.2 Header Construction for Tunnel Mode........................31
        5.1.2.1 IPv4 -- Header Construction for Tunnel Mode...........31
        5.1.2.2 IPv6 -- Header Construction for Tunnel Mode...........32
  5.2 Processing Inbound IP Traffic...................................33
     5.2.1 Selecting and Using an SA or SA Bundle.....................33
     5.2.2 Handling of AH and ESP tunnels.............................34
6. ICMP Processing (relevant to IPsec)................................35
  6.1 PMTU/DF Processing..............................................36
     6.1.1 DF Bit.....................................................36
     6.1.2 Path MTU Discovery (PMTU)..................................36
        6.1.2.1 Propagation of PMTU...................................36
        6.1.2.2 Calculation of PMTU...................................37
        6.1.2.3 Granularity of PMTU Processing........................37
        6.1.2.4 PMTU Aging............................................38
7. Auditing...........................................................39
8. Use in Systems Supporting Information Flow Security................39
  8.1 Relationship Between Security Associations and Data Sensitivity.40
  8.2 Sensitivity Consistency Checking................................40
  8.3 Additional MLS Attributes for Security Association Databases....41
  8.4 Additional Inbound Processing Steps for MLS Networking..........41
  8.5 Additional Outbound Processing Steps for MLS Networking.........41
  8.6 Additional MLS Processing for Security Gateways.................42
9. Performance Issues.................................................42
10. Conformance Requirements..........................................43
11. Security Considerations...........................................43
12. Differences from RFC 1825.........................................43
Acknowledgements......................................................44
Appendix A -- Glossary................................................45
Appendix B -- Analysis/Discussion of PMTU/DF/Fragmentation Issues.....48
  B.1 DF bit..........................................................48
  B.2 Fragmentation...................................................48
  B.3 Path MTU Discovery..............................................52
     B.3.1 Identifying the Originating Host(s)........................53
     B.3.2 Calculation of PMTU........................................55
     B.3.3 Granularity of Maintaining PMTU Data.......................56
     B.3.4 Per Socket Maintenance of PMTU Data........................57
     B.3.5 Delivery of PMTU Data to the Transport Layer...............57
     B.3.6 Aging of PMTU Data.........................................57
Appendix C -- Sequence Space Window Code Example......................58
Appendix D -- Categorization of ICMP messages.........................60
References............................................................63
Disclaimer............................................................64
Author Information....................................................65
Full Copyright Statement..............................................66

1. Introduction

1.1 Summary of Contents of Document

   This memo specifies the base architecture for IPsec compliant
   systems.  The goal of the architecture is to provide various security
   services for traffic at the IP layer, in both the IPv4 and IPv6
   environments.  This document describes the goals of such systems,
   their components and how they fit together with each other and into
   the IP environment.  It also describes the security services offered
   by the IPsec protocols, and how these services can be employed in the
   IP environment.  This document does not address all aspects of IPsec
   architecture.  Subsequent documents will address additional
   architectural details of a more advanced nature, e.g., use of IPsec
   in NAT environments and more complete support for IP multicast.  The
   following fundamental components of the IPsec security architecture
   are discussed in terms of their underlying, required functionality.
   Additional RFCs (see Section 1.3 for pointers to other documents)
   define the protocols in (a), (c), and (d).

        a. Security Protocols -- Authentication Header (AH) and
           Encapsulating Security Payload (ESP)
        b. Security Associations -- what they are and how they work,
           how they are managed, associated proces
sing
        c. Key Management -- manual and automatic (The Internet Key
           Exchange (IKE))
        d. Algorithms for authentication and encryption

   This document is not an overall Security Architecture for the
   Internet; it addresses security only at the IP layer, provided
   through the use of a combination of cryptographic and protocol
   security mechanisms.

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in RFC 2119 [Bra97].

1.2 Audience

   The target audience for this document includes implementers of this
   IP security technology and others interested in gaining a general
   background understanding of this system.  In particular, prospective
   users of this technology (end users or system administrators) are
   part of the target audience.  A glossary is provided as an appendix

   to help fill in gaps in background/vocabulary.  This document assumes
   that the reader is familiar with the Internet Protocol, related
   networking technology, and general security terms and concepts.

1.3 Related Documents

   As mentioned above, other documents provide detailed definitions of
   some of the components of IPsec and of their inter-relationship.
   They include RFCs on the following topics:

        a. "IP Security Document Roadmap" [TDG97] -- a document
           providing guidelines for specifications describing encryption
           and authentication algorithms used in this system.
        b. security protocols -- RFCs describing the Authentication
           Header (AH) [KA98a] and Encapsulating Security Payload (ESP)
           [KA98b] protocols.
        c. algorithms for authentication and encryption -- a separate
           RFC for each algorithm.
        d. automatic key management -- RFCs on "The Internet Key
           Exchange (IKE)" [HC98], "Internet Security Association and
           Key Management Protocol (ISAKMP)" [MSST97],"The OAKLEY Key
           Determination Protocol" [Orm97], and "The Internet IP
           Security Domain of Interpretation for ISAKMP" [Pip98].

2. Design Objectives

2.1 Goals/Objectives/Requirements/Problem Description

   IPsec is designed to provide interoperable, high quality,
   cryptographically-based security for IPv4 and IPv6.  The set of
   security services offered includes access control, connectionless
   integrity, data origin authentication, protection against replays (a
   form of partial sequence integrity), confidentiality (encryption),
   and limited traffic flow confidentiality.  These services are
   provided at the IP layer, offering protection for IP and/or upper
   layer protocols.

   These objectives are met through the use of two traffic security
   protocols, the Authentication Header (AH) and the Encapsulating
   Security Payload (ESP), and through the use of cryptographic key
   management procedures and protocols.  The set of IPsec protocols
   employed in any context, and the ways in which they are employed,
   will be determined by the security and system requirements of users,
   applications, and/or sites/organizations.

   When these mechanisms are correctly implemented and deployed, they
   ought not to adversely affect users, hosts, and other Internet
   components that do not employ these security mechanisms for

   protection of their traffic.  These mechanisms also are designed to
   be algorithm-independent.  This modularity permits selection of
   different sets of algorithms without affecting the other parts of the
   implementation.  For example, different user communities may select
   different sets of algorithms (creating cliques) if required.

   A standard set of default algorithms is specified to facilitate
   interoperability in the global Internet.  The use of these
   algorithms, in conjunction with IPsec traffic protection and key
   management protocols, is intended to permit system and application
   developers to deploy high quality, Internet layer, cryptographic
   security technology.

2.2 Caveats and Assumptions

   The suite of IPsec protocols and associated default algorithms are
   designed to provide high quality security for Internet traffic.
   However, the security offered by use of these protocols ultimately
   depends on the quality of the their implementation, which is outside
   the scope of this set of standards.  Moreover, the security of a
   computer system or network is a function of many factors, including
   personnel, physical, procedural, compromising emanations, and
   computer security practices.  Thus IPsec is only one part of an
   overall system security architecture.

   Finally, the security afforded by the use of IPsec is critically
   dependent on many aspects of the operating environment in which the
   IPsec implementation executes.  For example, defects in OS security,
   poor quality of random number sources, sloppy system management
   protocols and practices, etc. can all degrade the security provided
   by IPsec.  As above, none of these environmental attributes are
   within the scope of this or other IPsec standards.

3. System Overview

   This section provides a high level description of how IPsec works,
   the components of the system, and how they fit together to provide
   the security services noted above.  The goal of this description is
   to enable the reader to "picture" the overall process/system, see how
   it fits into the IP environment, and to provide context for later
   sections of this document, which describe each of the components in
   more detail.

   An IPsec implementation operates in a host or a security gateway
   environment, affording protection to IP traffic.  The protection
   offered is based on requirements defined by a Security Policy
   Database (SPD) established and maintained by a user or system
   administrator, or by an application operating within constraints

   established by either of the above.  In general, packets are selected
   for one of three processing modes based on IP and transport layer
   header information (Selectors, Section 4.4.2) matched against entries
   in the database (SPD).  Each packet is either afforded IPsec security
   services, discarded, or allowed to bypass IPsec, based on the
   applicable database policies identified by the Selectors.

3.1 What IPsec Does

   IPsec provides security services at the IP layer by enabling a system
   to select required security protocols, determine the algorithm(s) to
   use for the service(s), and put in place any cryptographic keys
   required to provide the requested services.  IPsec can be used to
   protect one or more "paths" between a pair of hosts, between a pair
   of security gateways, or between a security gateway and a host.  (The
   term "security gateway" is used throughout the IPsec documents to
   refer to an intermediate system that implements IPsec protocols.  For
   example, a router or a firewall implementing IPsec is a security
   gateway.)

   The set of security services that IPsec can provide includes access
   control, connectionless integrity, data origin authentication,
   rejection of replayed packets (a form of partial sequence integrity),
   confidentiality (encryption), and limited traffic flow
   confidentiality.  Because these services are provided at the IP
   layer, they can be used by any high
er layer protocol, e.g., TCP, UDP,
   ICMP, BGP, etc.

   The IPsec DOI also supports negotiation of IP compression [SMPT98],
   motivated in part by the observation that when encryption is employed
   within IPsec, it prevents effective compression by lower protocol
   layers.

3.2 How IPsec Works

   IPsec uses two protocols to provide traffic security --
   Authentication Header (AH) and Encapsulating Security Payload (ESP).
   Both protocols are described in more detail in their respective RFCs
   [KA98a, KA98b].

        o The IP Authentication Header (AH) [KA98a] provides
          connectionless integrity, data origin authentication, and an
          optional anti-replay service.
        o The Encapsulating Security Payload (ESP) protocol [KA98b] may
          provide confidentiality (encryption), and limited traffic flow
          confidentiality.  It also may provide connectionless

          integrity, data origin authentication, and an anti-replay
          service.  (One or the other set of these security services
          must be applied whenever ESP is invoked.)
        o Both AH and ESP are vehicles for access control, based on the
          distribution of cryptographic keys and the management of
          traffic flows relative to these security protocols.

   These protocols may be applied alone or in combination with each
   other to provide a desired set of security services in IPv4 and IPv6.
   Each protocol supports two modes of use: transport mode and tunnel
   mode.  In transport mode the protocols provide protection primarily
   for upper layer protocols; in tunnel mode, the protocols are applied
   to tunneled IP packets.  The differences between the two modes are
   discussed in Section 4.

   IPsec allows the user (or system administrator) to control the
   granularity at which a security service is offered.  For example, one
   can create a single encrypted tunnel to carry all the traffic between
   two security gateways or a separate encrypted tunnel can be created
   for each TCP connection between each pair of hosts communicating
   across these gateways.  IPsec management must incorporate facilities
   for specifying:

        o which security services to use and in what combinations
        o the granularity at which a given security protection should be
          applied
        o the algorithms used to effect cryptographic-based security

   Because these security services use shared secret values
   (cryptographic keys), IPsec relies on a separate set of mechanisms
   for putting these keys in place. (The keys are used for
   authentication/integrity and encryption services.)  This document
   requires support for both manual and automatic distribution of keys.
   It specifies a specific public-key based approach (IKE -- [MSST97,
   Orm97, HC98]) for automatic key management, but other automated key
   distribution techniques MAY be used.  For example, KDC-based systems
   such as Kerberos and other public-key systems such as SKIP could be
   employed.

3.3 Where IPsec May Be Implemented

   There are several ways in which IPsec may be implemented in a host or
   in conjunction with a router or firewall (to create a security
   gateway).  Several common examples are provided below:

        a. Integration of IPsec into the native IP implementation.  This
           requires access to the IP source code and is applicable to
           both hosts and security gateways.

        b. "Bump-in-the-stack" (BITS) implementations, where IPsec is
           implemented "underneath" an existing implementation of an IP
           protocol stack, between the native IP and the local network
           drivers.  Source code access for the IP stack is not required
           in this context, making this implementation approach
           appropriate for use with legacy systems.  This approach, when
           it is adopted, is usually employed in hosts.

        c. The use of an outboard crypto processor is a common design
           feature of network security systems used by the military, and
           of some commercial systems as well.  It is sometimes referred
           to as a "Bump-in-the-wire" (BITW) implementation.  Such
           implementations may be designed to serve either a host or a
           gateway (or both).  Usually the BITW device is IP
           addressable.  When supporting a single host, it may be quite
           analogous to a BITS implementation, but in supporting a
           router or firewall, it must operate like a security gateway.

4. Security Associations

   This section defines Security Association management requirements for
   all IPv6 implementations and for those IPv4 implementations that
   implement AH, ESP, or both.  The concept of a "Security Association"
   (SA) is fundamental to IPsec.  Both AH and ESP make use of SAs and a
   major function of IKE is the establishment and maintenance of
   Security Associations.  All implementations of AH or ESP MUST support
   the concept of a Security Association as described below.  The
   remainder of this section describes various aspects of Security
   Association management, defining required characteristics for SA
   policy management, traffic processing, and SA management techniques.

4.1 Definition and Scope

   A Security Association (SA) is a simplex "connection" that affords
   security services to the traffic carried by it.  Security services
   are afforded to an SA by the use of AH, or ESP, but not both.  If
   both AH and ESP protection is applied to a traffic stream, then two
   (or more) SAs are created to afford protection to the traffic stream.
   To secure typical, bi-directional communication between two hosts, or
   between two security gateways, two Security Associations (one in each
   direction) are required.

   A security association is uniquely identified by a triple consisting
   of a Security Parameter Index (SPI), an IP Destination Address, and a
   security protocol (AH or ESP) identifier.  In principle, the
   Destination Address may be a unicast address, an IP broadcast
   address, or a multicast group address.  However, IPsec SA management
   mechanisms currently are defined only for unicast SAs.  Hence, in the

   discussions that follow, SAs will be described in the context of
   point-to-point communication, even though the concept is applicable
   in the point-to-multipoint case as well.

   As noted above, two types of SAs are defined: transport mode and
   tunnel mode.  A transport mode SA is a security association between
   two hosts.  In IPv4, a transport mode security protocol header
   appears immediately after the IP header and any options, and before
   any higher layer protocols (e.g., TCP or UDP).  In IPv6, the security
   protocol header appears after the base IP header and extensions, but
   may appear before or after destination options, and before higher
   layer protocols.  In the case of ESP, a transport mode SA provides
   security services only for these higher layer protocols, not for the
   IP header or any extension headers preceding the ESP header.  In the
   case of AH, the protection is also extended to selected portions of
   the IP header, selected portions of extension headers, and selected
   options (contained in the IPv4 header, IPv6 Hop-by-Hop extension
   header, or IPv6 Destination extension headers).  For more details on
   the coverage afforded by AH, see the AH specification [
KA98a].

   A tunnel mode SA is essentially an SA applied to an IP tunnel.
   Whenever either end of a security association is a security gateway,
   the SA MUST be tunnel mode.  Thus an SA between two security gateways
   is always a tunnel mode SA, as is an SA between a host and a security
   gateway.  Note that for the case where traffic is destined for a
   security gateway, e.g., SNMP commands, the security gateway is acting
   as a host and transport mode is allowed.  But in that case, the
   security gateway is not acting as a gateway, i.e., not transiting
   traffic.  Two hosts MAY establish a tunnel mode SA between
   themselves.  The requirement for any (transit traffic) SA involving a
   security gateway to be a tunnel SA arises due to the need to avoid
   potential problems with regard to fragmentation and reassembly of
   IPsec packets, and in circumstances where multiple paths (e.g., via
   different security gateways) exist to the same destination behind the
   security gateways.

   For a tunnel mode SA, there is an "outer" IP header that specifies
   the IPsec processing destination, plus an "inner" IP header that
   specifies the (apparently) ultimate destination for the packet.  The
   security protocol header appears after the outer IP header, and
   before the inner IP header.  If AH is employed in tunnel mode,
   portions of the outer IP header are afforded protection (as above),
   as well as all of the tunneled IP packet (i.e., all of the inner IP
   header is protected, as well as higher layer protocols).  If ESP is
   employed, the protection is afforded only to the tunneled packet, not
   to the outer header.

   In summary,
           a) A host MUST support both transport and tunnel mode.
           b) A security gateway is required to support only tunnel
              mode.  If it supports transport mode, that should be used
              only when the security gateway is acting as a host, e.g.,
              for network management.

4.2 Security Association Functionality

   The set of security services offered by an SA depends on the security
   protocol selected, the SA mode, the endpoints of the SA, and on the
   election of optional services within the protocol.  For example, AH
   provides data origin authentication and connectionless integrity for
   IP datagrams (hereafter referred to as just "authentication").  The
   "precision" of the authentication service is a function of the
   granularity of the security association with which AH is employed, as
   discussed in Section 4.4.2, "Selectors".

   AH also offers an anti-replay (partial sequence integrity) service at
   the discretion of the receiver, to help counter denial of service
   attacks.  AH is an appropriate protocol to employ when
   confidentiality is not required (or is not permitted, e.g , due to
   government restrictions on use of encryption).  AH also provides
   authentication for selected portions of the IP header, which may be
   necessary in some contexts.  For example, if the integrity of an IPv4
   option or IPv6 extension header must be protected en route between
   sender and receiver, AH can provide this service (except for the
   non-predictable but mutable parts of the IP header.)

   ESP optionally provides confidentiality for traffic.  (The strength
   of the confidentiality service depends in part, on the encryption
   algorithm employed.)  ESP also may optionally provide authentication
   (as defined above).  If authentication is negotiated for an ESP SA,
   the receiver also may elect to enforce an anti-replay service with
   the same features as the AH anti-replay service.  The scope of the
   authentication offered by ESP is narrower than for AH, i.e., the IP
   header(s) "outside" the ESP header is(are) not protected.  If only
   the upper layer protocols need to be authenticated, then ESP
   authentication is an appropriate choice and is more space efficient
   than use of AH encapsulating ESP.  Note that although both
   confidentiality and authentication are optional, they cannot both be
   omitted. At least one of them MUST be selected.

   If confidentiality service is selected, then an ESP (tunnel mode) SA
   between two security gateways can offer partial traffic flow
   confidentiality.  The use of tunnel mode allows the inner IP headers
   to be encrypted, concealing the identities of the (ultimate) traffic
   source and destination.  Moreover, ESP payload padding also can be

   invoked to hide the size of the packets, further concealing the
   external characteristics of the traffic.  Similar traffic flow
   confidentiality services may be offered when a mobile user is
   assigned a dynamic IP address in a dialup context, and establishes a
   (tunnel mode) ESP SA to a corporate firewall (acting as a security
   gateway).  Note that fine granularity SAs generally are more
   vulnerable to traffic analysis than coarse granularity ones which are
   carrying traffic from many subscribers.

4.3 Combining Security Associations

   The IP datagrams transmitted over an individual SA are afforded
   protection by exactly one security protocol, either AH or ESP, but
   not both.  Sometimes a security policy may call for a combination of
   services for a particular traffic flow that is not achievable with a
   single SA.  In such instances it will be necessary to employ multiple
   SAs to implement the required security policy.  The term "security
   association bundle" or "SA bundle" is applied to a sequence of SAs
   through which traffic must be processed to satisfy a security policy.
   The order of the sequence is defined by the policy.  (Note that the
   SAs that comprise a bundle may terminate at different endpoints. For
   example, one SA may extend between a mobile host and a security
   gateway and a second, nested SA may extend to a host behind the
   gateway.)

   Security associations may be combined into bundles in two ways:
   transport adjacency and iterated tunneling.

           o Transport adjacency refers to applying more than one
             security protocol to the same IP datagram, without invoking
             tunneling.  This approach to combining AH and ESP allows
             for only one level of combination; further nesting yields
             no added benefit (assuming use of adequately strong
             algorithms in each protocol) since the processing is
             performed at one IPsec instance at the (ultimate)
             destination.

             Host 1 --- Security ---- Internet -- Security --- Host 2
              | |        Gwy 1                      Gwy 2        | |
              | |                                                | |
              | -----Security Association 1 (ESP transport)------- |
              |                                                    |
              -------Security Association 2 (AH transport)----------

           o Iterated tunneling refers to the application of multiple
             layers of security protocols effected through IP tunneling.
             This approach allows for multiple levels of nesting, since
             each tunnel can originate or terminate at a different IPsec

             site along the path.  No special treatment is expected for
             ISAKMP traffic at intermediate security gateways other than
             what can be specified through appropriate SPD entries (See
             Case 3 in Section 4.5)

             There are 3 basic cases of iterated
 tunneling -- support is
             required only for cases 2 and 3.:

             1. both endpoints for the SAs are the same -- The inner and
                outer tunnels could each be either AH or ESP, though it
                is unlikely that Host 1 would specify both to be the
                same, i.e., AH inside of AH or ESP inside of ESP.

                Host 1 --- Security ---- Internet -- Security --- Host 2
                 | |        Gwy 1                      Gwy 2        | |
                 | |                                                | |
                 | -------Security Association 1 (tunnel)---------- | |
                 |                                                    |
                 ---------Security Association 2 (tunnel)--------------

             2. one endpoint of the SAs is the same -- The inner and
                uter tunnels could each be either AH or ESP.

                Host 1 --- Security ---- Internet -- Security --- Host 2
                 | |        Gwy 1                      Gwy 2         |
                 | |                                     |           |
                 | ----Security Association 1 (tunnel)----           |
                 |                                                   |
                 ---------Security Association 2 (tunnel)-------------

             3. neither endpoint is the same -- The inner and outer
                tunnels could each be either AH or ESP.

                Host 1 --- Security ---- Internet -- Security --- Host 2
                 |          Gwy 1                      Gwy 2         |
                 |            |                          |           |
                 |            --Security Assoc 1 (tunnel)-           |
                 |                                                   |
                 -----------Security Association 2 (tunnel)-----------

   These two approaches also can be combined, e.g., an SA bundle could
   be constructed from one tunnel mode SA and one or two transport mode
   SAs, applied in sequence.  (See Section 4.5 "Basic Combinations of
   Security Associations.") Note that nested tunnels can also occur
   where neither the source nor the destination endpoints of any of the
   tunnels are the same.  In that case, there would be no host or
   security gateway with a bundle corresponding to the nested tunnels.

   For transport mode SAs, only one ordering of security protocols seems
   appropriate.  AH is applied to both the upper layer protocols and
   (parts of) the IP header.  Thus if AH is used in a transport mode, in
   conjunction with ESP, AH SHOULD appear as the first header after IP,
   prior to the appearance of ESP.  In that context, AH is applied to
   the ciphertext output of ESP.  In contrast, for tunnel mode SAs, one
   can imagine uses for various orderings of AH and ESP.  The required
   set of SA bundle types that MUST be supported by a compliant IPsec
   implementation is described in Section 4.5.

4.4 Security Association Databases

   Many of the details associated with processing IP traffic in an IPsec
   implementation are largely a local matter, not subject to
   standardization.  However, some external aspects of the processing
   must be standardized, to ensure interoperability and to provide a
   minimum management capability that is essential for productive use of
   IPsec.  This section describes a general model for processing IP
   traffic relative to security associations, in support of these
   interoperability and functionality goals.  The model described below
   is nominal; compliant implementations need not match details of this
   model as presented, but the external behavior of such implementations
   must be mappable to the externally observable characteristics of this
   model.

   There are two nominal databases in this model: the Security Policy
   Database and the Security Association Database.  The former specifies
   the policies that determine the disposition of all IP traffic inbound
   or outbound from a host, security gateway, or BITS or BITW IPsec
   implementation.  The latter database contains parameters that are
   associated with each (active) security association.  This section
   also defines the concept of a Selector, a set of IP and upper layer
   protocol field values that is used by the Security Policy Database to
   map traffic to a policy, i.e., an SA (or SA bundle).

   Each interface for which IPsec is enabled requires nominally separate
   inbound vs. outbound databases (SAD and SPD), because of the
   directionality of many of the fields that are used as selectors.
   Typically there is just one such interface, for a host or security
   gateway (SG).  Note that an SG would always have at least 2
   interfaces, but the "internal" one to the corporate net, usually
   would not have IPsec enabled and so only one pair of SADs and one
   pair of SPDs would be needed.  On the other hand, if a host had
   multiple interfaces or an SG had multiple external interfaces, it
   might be necessary to have separate SAD and SPD pairs for each
   interface.

4.4.1 The Security Policy Database (SPD)

   Ultimately, a security association is a management construct used to
   enforce a security policy in the IPsec environment.  Thus an
   essential element of SA processing is an underlying Security Policy
   Database (SPD) that specifies what services are to be offered to IP
   datagrams and in what fashion.  The form of the database and its
   interface are outside the scope of this specification.  However, this
   section does specify certain minimum management functionality that
   must be provided, to allow a user or system administrator to control
   how IPsec is applied to traffic transmitted or received by a host or
   transiting a security gateway.

   The SPD must be consulted during the processing of all traffic
   (INBOUND and OUTBOUND), including non-IPsec traffic.  In order to
   support this, the SPD requires distinct entries for inbound and
   outbound traffic.  One can think of this as separate SPDs (inbound
   vs.  outbound).  In addition, a nominally separate SPD must be
   provided for each IPsec-enabled interface.

   An SPD must discriminate among traffic that is afforded IPsec
   protection and traffic that is allowed to bypass IPsec.  This applies
   to the IPsec protection to be applied by a sender and to the IPsec
   protection that must be present at the receiver.  For any outbound or
   inbound datagram, three processing choices are possible: discard,
   bypass IPsec, or apply IPsec.  The first choice refers to traffic
   that is not allowed to exit the host, traverse the security gateway,
   or be delivered to an application at all.  The second choice refers
   to traffic that is allowed to pass without additional IPsec
   protection.  The third choice refers to traffic that is afforded
   IPsec protection, and for such traffic the SPD must specify the
   security services to be provided, protocols to be employed,
   algorithms to be used, etc.

   For every IPsec implementation, there MUST be an administrative
   interface that allows a user or system administrator to manage the
   SPD.  Specifically, every inbound or outbound packet is subject to
   processing by IPsec and the SPD must specify what action will be
   taken in each case.  Thus the administrative interface must allow the
   user (or system administrator) to specify the security processing to
   be applied to any packet
entering or exiting the system, on a packet
   by packet basis.  (In a host IPsec implementation making use of a
   socket interface, the SPD may not need to be consulted on a per
   packet basis, but the effect is still the same.)  The management
   interface for the SPD MUST allow creation of entries consistent with
   the selectors defined in Section 4.4.2, and MUST support (total)
   ordering of these entries.  It is expected that through the use of
   wildcards in various selector fields, and because all packets on a

   single UDP or TCP connection will tend to match a single SPD entry,
   this requirement will not impose an unreasonably detailed level of
   SPD specification.  The selectors are analogous to what are found in
   a stateless firewall or filtering router and which are currently
   manageable this way.

   In host systems, applications MAY be allowed to select what security
   processing is to be applied to the traffic they generate and consume.
   (Means of signalling such requests to the IPsec implementation are
   outside the scope of this standard.)  However, the system
   administrator MUST be able to specify whether or not a user or
   application can override (default) system policies.  Note that
   application specified policies may satisfy system requirements, so
   that the system may not need to do additional IPsec processing beyond
   that needed to meet an application's requirements.  The form of the
   management interface is not specified by this document and may differ
   for hosts vs. security gateways, and within hosts the interface may
   differ for socket-based vs.  BITS implementations.  However, this
   document does specify a standard set of SPD elements that all IPsec
   implementations MUST support.

   The SPD contains an ordered list of policy entries.  Each policy
   entry is keyed by one or more selectors that define the set of IP
   traffic encompassed by this policy entry.  (The required selector
   types are defined in Section 4.4.2.)  These define the granularity of
   policies or SAs.  Each entry includes an indication of whether
   traffic matching this policy will be bypassed, discarded, or subject
   to IPsec processing.  If IPsec processing is to be applied, the entry
   includes an SA (or SA bundle) specification, listing the IPsec
   protocols, modes, and algorithms to be employed, including any
   nesting requirements.  For example, an entry may call for all
   matching traffic to be protected by ESP in transport mode using
   3DES-CBC with an explicit IV, nested inside of AH in tunnel mode
   using HMAC/SHA-1.  For each selector, the policy entry specifies how
   to derive the corresponding values for a new Security Association
   Database (SAD, see Section 4.4.3) entry from those in the SPD and the
   packet (Note that at present, ranges are only supported for IP
   addresses; but wildcarding can be expressed for all selectors):

           a. use the value in the packet itself -- This will limit use
              of the SA to those packets which have this packet's value
              for the selector even if the selector for the policy entry
              has a range of allowed values or a wildcard for this
              selector.
           b. use the value associated with the policy entry -- If this
              were to be just a single value, then there would be no
              difference between (b) and (a).  However, if the allowed
              values for the selector are a range (for IP addresses) or

              wildcard, then in the case of a range,(b) would enable use
              of the SA by any packet with a selector value within the
              range not just by packets with the selector value of the
              packet that triggered the creation of the SA.  In the case
              of a wildcard, (b) would allow use of the SA by packets
              with any value for this selector.

   For example, suppose there is an SPD entry where the allowed value
   for source address is any of a range of hosts (192.168.2.1 to
   192.168.2.10).  And suppose that a packet is to be sent that has a
   source address of 192.168.2.3.  The value to be used for the SA could
   be any of the sample values below depending on what the policy entry
   for this selector says is the source of the selector value:

           source for the  example of
           value to be     new SAD
           used in the SA  selector value
           --------------- ------------
           a. packet       192.168.2.3 (one host)
           b. SPD entry    192.168.2.1 to 192.168.2.10 (range of hosts)

   Note that if the SPD entry had an allowed value of wildcard for the
   source address, then the SAD selector value could be wildcard (any
   host).  Case (a) can be used to prohibit sharing, even among packets
   that match the same SPD entry.

   As described below in Section 4.4.3, selectors may include "wildcard"
   entries and hence the selectors for two entries may overlap.  (This
   is analogous to the overlap that arises with ACLs or filter entries
   in routers or packet filtering firewalls.)  Thus, to ensure
   consistent, predictable processing, SPD entries MUST be ordered and
   the SPD MUST always be searched in the same order, so that the first
   matching entry is consistently selected.  (This requirement is
   necessary as the effect of processing traffic against SPD entries
   must be deterministic, but there is no way to canonicalize SPD
   entries given the use of wildcards for some selectors.)  More detail
   on matching of packets against SPD entries is provided in Section 5.

   Note that if ESP is specified, either (but not both) authentication
   or encryption can be omitted.  So it MUST be possible to configure
   the SPD value for the authentication or encryption algorithms to be
   "NULL".  However, at least one of these services MUST be selected,
   i.e., it MUST NOT be possible to configure both of them as "NULL".

   The SPD can be used to map traffic to specific SAs or SA bundles.
   Thus it can function both as the reference database for security
   policy and as the map to existing SAs (or SA bundles).  (To
   accommodate the bypass and discard policies cited above, the SPD also

   MUST provide a means of mapping traffic to these functions, even
   though they are not, per se, IPsec processing.)  The way in which the
   SPD operates is different for inbound vs. outbound traffic and it
   also may differ for host vs.  security gateway, BITS, and BITW
   implementations.  Sections 5.1 and 5.2 describe the use of the SPD
   for outbound and inbound processing, respectively.

   Because a security policy may require that more than one SA be
   applied to a specified set of traffic, in a specific order, the
   policy entry in the SPD must preserve these ordering requirements,
   when present.  Thus, it must be possible for an IPsec implementation
   to determine that an outbound or inbound packet must be processed
   thorough a sequence of SAs.  Conceptually, for outbound processing,
   one might imagine links (to the SAD) from an SPD entry for which
   there are active SAs, and each entry would consist of either a single
   SA or an ordered list of SAs that comprise an SA bundle.  When a
   packet is matched against an SPD entry and there is an existing SA or
   SA bundle that can be used to carry the traffic, the processing of
   the packet is controlled by the SA or SA bundle entry on the list.
   For an inbound IPsec packet for which mul
tiple IPsec SAs are to be
   applied, the lookup based on destination address, IPsec protocol, and
   SPI should identify a single SA.

   The SPD is used to control the flow of ALL traffic through an IPsec
   system, including security and key management traffic (e.g., ISAKMP)
   from/to entities behind a security gateway.  This means that ISAKMP
   traffic must be explicitly accounted for in the SPD, else it will be
   discarded.  Note that a security gateway could prohibit traversal of
   encrypted packets in various ways, e.g., having a DISCARD entry in
   the SPD for ESP packets or providing proxy key exchange.  In the
   latter case, the traffic would be internally routed to the key
   management module in the security gateway.

4.4.2  Selectors

   An SA (or SA bundle) may be fine-grained or coarse-grained, depending
   on the selectors used to define the set of traffic for the SA.  For
   example, all traffic between two hosts may be carried via a single
   SA, and afforded a uniform set of security services.  Alternatively,
   traffic between a pair of hosts might be spread over multiple SAs,
   depending on the applications being used (as defined by the Next
   Protocol and Port fields), with different security services offered
   by different SAs.  Similarly, all traffic between a pair of security
   gateways could be carried on a single SA, or one SA could be assigned
   for each communicating host pair.  The following selector parameters
   MUST be supported for SA management to facilitate control of SA
   granularity.  Note that in the case of receipt of a packet with an
   ESP header, e.g., at an encapsulating security gateway or BITW

   implementation, the transport layer protocol, source/destination
   ports, and Name (if present) may be "OPAQUE", i.e., inaccessible
   because of encryption or fragmentation.  Note also that both Source
   and Destination addresses should either be IPv4 or IPv6.

      - Destination IP Address (IPv4 or IPv6): this may be a single IP
        address (unicast, anycast, broadcast (IPv4 only), or multicast
        group), a range of addresses (high and low values (inclusive),
        address + mask, or a wildcard address.  The last three are used
        to support more than one destination system sharing the same SA
        (e.g., behind a security gateway). Note that this selector is
        conceptually different from the "Destination IP Address" field
        in the <Destination IP Address, IPsec Protocol, SPI> tuple used
        to uniquely identify an SA.  When a tunneled packet arrives at
        the tunnel endpoint, its SPI/Destination address/Protocol are
        used to look up the SA for this packet in the SAD.  This
        destination address comes from the encapsulating IP header.
        Once the packet has been processed according to the tunnel SA
        and has come out of the tunnel, its selectors are "looked up" in
        the Inbound SPD.  The Inbound SPD has a selector called
        destination address.  This IP destination address is the one in
        the inner (encapsulated) IP header.  In the case of a
        transport'd packet, there will be only one IP header and this
        ambiguity does not exist.  [REQUIRED for all implementations]

      - Source IP Address(es) (IPv4 or IPv6): this may be a single IP
        address (unicast, anycast, broadcast (IPv4 only), or multicast
        group), range of addresses (high and low values inclusive),
        address + mask, or a wildcard address.  The last three are used
        to support more than one source system sharing the same SA
        (e.g., behind a security gateway or in a multihomed host).
        [REQUIRED for all implementations]

      - Name: There are 2 cases (Note that these name forms are
        supported in the IPsec DOI.)
                1. User ID
                    a. a fully qualified user name string (DNS), e.g.,
                       mozart@foo.bar.com
                    b. X.500 distinguished name, e.g., C = US, SP = MA,
                       O = GTE Internetworking, CN = Stephen T. Kent.
                2. System name (host, security gateway, etc.)
                    a. a fully qualified DNS name, e.g., foo.bar.com
                    b. X.500 distinguished name
                    c. X.500 general name

        NOTE: One of the possible values of this selector is "OPAQUE".

        [REQUIRED for the following cases.  Note that support for name
        forms other than addresses is not required for manually keyed
        SAs.
                o User ID
                    - native host implementations
                    - BITW and BITS implementations acting as HOSTS
                      with only one user
                    - security gateway implementations for INBOUND
                      processing.
                o System names -- all implementations]

      - Data sensitivity level: (IPSO/CIPSO labels)
        [REQUIRED for all systems providing information flow security as
        per Section 8, OPTIONAL for all other systems.]

      - Transport Layer Protocol: Obtained from the IPv4 "Protocol" or
        the IPv6 "Next Header" fields.  This may be an individual
        protocol number.  These packet fields may not contain the
        Transport Protocol due to the presence of IP extension headers,
        e.g., a Routing Header, AH, ESP, Fragmentation Header,
        Destination Options, Hop-by-hop options, etc.  Note that the
        Transport Protocol may not be available in the case of receipt
        of a packet with an ESP header, thus a value of "OPAQUE" SHOULD
        be supported.
        [REQUIRED for all implementations]

        NOTE: To locate the transport protocol, a system has to chain
        through the packet headers checking the "Protocol" or "Next
        Header" field until it encounters either one it recognizes as a
        transport protocol, or until it reaches one that isn't on its
        list of extension headers, or until it encounters an ESP header
        that renders the transport protocol opaque.

      - Source and Destination (e.g., TCP/UDP) Ports: These may be
        individual UDP or TCP port values or a wildcard port.  (The use
        of the Next Protocol field and the Source and/or Destination
        Port fields (in conjunction with the Source and/or Destination
        Address fields), as an SA selector is sometimes referred to as
        "session-oriented keying.").  Note that the source and
        destination ports may not be available in the case of receipt of
        a packet with an ESP header, thus a value of "OPAQUE" SHOULD be
        supported.

        The following table summarizes the relationship between the
        "Next Header" value in the packet and SPD and the derived Port
        Selector value for the SPD and SAD.

          Next Hdr        Transport Layer   Derived Port Selector Field
          in Packet       Protocol in SPD   Value in SPD and SAD
          --------        ---------------   ---------------------------
          ESP             ESP or ANY        ANY (i.e., don't look at it)
          -don't care-    ANY               ANY (i.e., don't look at it)
          specific value  specific value    NOT ANY (i.e., drop packet)
             fragment
          specific value  specific value    actual port selector field
             not fragment

        If the packet has been fragmented, then the port information may
        not be avail
able in the current fragment.  If so, discard the
        fragment.  An ICMP PMTU should be sent for the first fragment,
        which will have the port information.  [MAY be supported]

   The IPsec implementation context determines how selectors are used.
   For example, a host implementation integrated into the stack may make
   use of a socket interface.  When a new connection is established the
   SPD can be consulted and an SA (or SA bundle) bound to the socket.
   Thus traffic sent via that socket need not result in additional
   lookups to the SPD/SAD.  In contrast, a BITS, BITW, or security
   gateway implementation needs to look at each packet and perform an
   SPD/SAD lookup based on the selectors. The allowable values for the
   selector fields differ between the traffic flow, the security
   association, and the security policy.

   The following table summarizes the kinds of entries that one needs to
   be able to express in the SPD and SAD.  It shows how they relate to
   the fields in data traffic being subjected to IPsec screening.
   (Note: the "wild" or "wildcard" entry for src and dst addresses
   includes a mask, range, etc.)

 Field         Traffic Value       SAD Entry            SPD Entry
 --------      -------------   ----------------   --------------------
 src addr      single IP addr  single,range,wild  single,range,wildcard
 dst addr      single IP addr  single,range,wild  single,range,wildcard
 xpt protocol* xpt protocol    single,wildcard    single,wildcard
 src port*     single src port single,wildcard    single,wildcard
 dst port*     single dst port single,wildcard    single,wildcard
 user id*      single user id  single,wildcard    single,wildcard
 sec. labels   single value    single,wildcard    single,wildcard

       * The SAD and SPD entries for these fields could be "OPAQUE"
         because the traffic value is encrypted.

   NOTE: In principle, one could have selectors and/or selector values
   in the SPD which cannot be negotiated for an SA or SA bundle.
   Examples might include selector values used to select traffic for

   discarding or enumerated lists which cause a separate SA to be
   created for each item on the list.  For now, this is left for future
   versions of this document and the list of required selectors and
   selector values is the same for the SPD and the SAD.  However, it is
   acceptable to have an administrative interface that supports use of
   selector values which cannot be negotiated provided that it does not
   mislead the user into believing it is creating an SA with these
   selector values.  For example, the interface may allow the user to
   specify an enumerated list of values but would result in the creation
   of a separate policy and SA for each item on the list.  A vendor
   might support such an interface to make it easier for its customers
   to specify clear and concise policy specifications.

4.4.3 Security Association Database (SAD)

   In each IPsec implementation there is a nominal Security Association
   Database, in which each entry defines the parameters associated with
   one SA.  Each SA has an entry in the SAD.  For outbound processing,
   entries are pointed to by entries in the SPD.  Note that if an SPD
   entry does not currently point to an SA that is appropriate for the
   packet, the implementation creates an appropriate SA (or SA Bundle)
   and links the SPD entry to the SAD entry (see Section 5.1.1).  For
   inbound processing, each entry in the SAD is indexed by a destination
   IP address, IPsec protocol type, and SPI.  The following parameters
   are associated with each entry in the SAD.  This description does not
   purport to be a MIB, but only a specification of the minimal data
   items required to support an SA in an IPsec implementation.

   For inbound processing: The following packet fields are used to look
   up the SA in the SAD:

         o Outer Header's Destination IP address: the IPv4 or IPv6
           Destination address.
           [REQUIRED for all implementations]
         o IPsec Protocol: AH or ESP, used as an index for SA lookup
           in this database.  Specifies the IPsec protocol to be
           applied to the traffic on this SA.
           [REQUIRED for all implementations]
         o SPI: the 32-bit value used to distinguish among different
           SAs terminating at the same destination and using the same
           IPsec protocol.
           [REQUIRED for all implementations]

   For each of the selectors defined in Section 4.4.2, the SA entry in
   the SAD MUST contain the value or values which were negotiated at the
   time the SA was created.  For the sender, these values are used to
   decide whether a given SA is appropriate for use with an outbound
   packet.  This is part of checking to see if there is an existing SA

   that can be used.  For the receiver, these values are used to check
   that the selector values in an inbound packet match those for the SA
   (and thus indirectly those for the matching policy).  For the
   receiver, this is part of verifying that the SA was appropriate for
   this packet.  (See Section 6 for rules for ICMP messages.)  These
   fields can have the form of specific values, ranges, wildcards, or
   "OPAQUE" as described in section 4.4.2, "Selectors".  Note that for
   an ESP SA, the encryption algorithm or the authentication algorithm
   could be "NULL".  However they MUST not both be "NULL".

   The following SAD fields are used in doing IPsec processing:

         o Sequence Number Counter: a 32-bit value used to generate the
           Sequence Number field in AH or ESP headers.
           [REQUIRED for all implementations, but used only for outbound
           traffic.]
         o Sequence Counter Overflow: a flag indicating whether overflow
           of the Sequence Number Counter should generate an auditable
           event and prevent transmission of additional packets on the
           SA.
           [REQUIRED for all implementations, but used only for outbound
           traffic.]
         o Anti-Replay Window: a 32-bit counter and a bit-map (or
           equivalent) used to determine whether an inbound AH or ESP
           packet is a replay.
           [REQUIRED for all implementations but used only for inbound
           traffic. NOTE: If anti-replay has been disabled by the
           receiver, e.g., in the case of a manually keyed SA, then the
           Anti-Replay Window is not used.]
         o AH Authentication algorithm, keys, etc.
           [REQUIRED for AH implementations]
         o ESP Encryption algorithm, keys, IV mode, IV, etc.
           [REQUIRED for ESP implementations]
         o ESP authentication algorithm, keys, etc. If the
           authentication service is not selected, this field will be
           null.
           [REQUIRED for ESP implementations]
         o Lifetime of this Security Association: a time interval after
           which an SA must be replaced with a new SA (and new SPI) or
           terminated, plus an indication of which of these actions
           should occur.  This may be expressed as a time or byte count,
           or a simultaneous use of both, the first lifetime to expire
           taking precedence. A compliant implementation MUST support
           both types of lifetimes, and must support a simultaneous use
           of both.  If time is employed, and if IKE employs X.509
           certificates for SA establishment, the SA lifetime must
 be
           constrained by the validity intervals of the certificates,
           and the NextIssueDate of the CRLs used in the IKE exchange

           for the SA.  Both initiator and responder are responsible for
           constraining SA lifetime in this fashion.
           [REQUIRED for all implementations]

           NOTE: The details of how to handle the refreshing of keys
           when SAs expire is a local matter.  However, one reasonable
           approach is:
             (a) If byte count is used, then the implementation
                 SHOULD count the number of bytes to which the IPsec
                 algorithm is applied.  For ESP, this is the encryption
                 algorithm (including Null encryption) and for AH,
                 this is the authentication algorithm.  This includes
                 pad bytes, etc.  Note that implementations SHOULD be
                 able to handle having the counters at the ends of an
                 SA get out of synch, e.g., because of packet loss or
                 because the implementations at each end of the SA
                 aren't doing things the same way.
             (b) There SHOULD be two kinds of lifetime -- a soft
                 lifetime which warns the implementation to initiate
                 action such as setting up a replacement SA and a
                 hard lifetime when the current SA ends.
             (c) If the entire packet does not get delivered during
                 the SAs lifetime, the packet SHOULD be discarded.

         o IPsec protocol mode: tunnel, transport or wildcard.
           Indicates which mode of AH or ESP is applied to traffic on
           this SA.  Note that if this field is "wildcard" at the
           sending end of the SA, then the application has to specify
           the mode to the IPsec implementation.  This use of wildcard
           allows the same SA to be used for either tunnel or transport
           mode traffic on a per packet basis, e.g., by different
           sockets.  The receiver does not need to know the mode in
           order to properly process the packet's IPsec headers.

           [REQUIRED as follows, unless implicitly defined by context:
                   - host implementations must support all modes
                   - gateway implementations must support tunnel mode]

           NOTE: The use of wildcard for the protocol mode of an inbound
           SA may add complexity to the situation in the receiver (host
           only).  Since the packets on such an SA could be delivered in
           either tunnel or transport mode, the security of an incoming
           packet could depend in part on which mode had been used to
           deliver it.  If, as a result, an application cared about the
           SA mode of a given packet, then the application would need a
           mechanism to obtain this mode information.

         o Path MTU: any observed path MTU and aging variables.  See
           Section 6.1.2.4
           [REQUIRED for all implementations but used only for outbound
           traffic]

4.5 Basic Combinations of Security Associations

   This section describes four examples of combinations of security
   associations that MUST be supported by compliant IPsec hosts or
   security gateways.  Additional combinations of AH and/or ESP in
   tunnel and/or transport modes MAY be supported at the discretion of
   the implementor.  Compliant implementations MUST be capable of
   generating these four combinations and on receipt, of processing
   them, but SHOULD be able to receive and process any combination.  The
   diagrams and text below describe the basic cases.  The legend for the
   diagrams is:

        ==== = one or more security associations (AH or ESP, transport
               or tunnel)
        ---- = connectivity (or if so labelled, administrative boundary)
        Hx   = host x
        SGx  = security gateway x
        X*   = X supports IPsec

   NOTE: The security associations below can be either AH or ESP.  The
   mode (tunnel vs transport) is determined by the nature of the
   endpoints.  For host-to-host SAs, the mode can be either transport or
   tunnel.

   Case 1.  The case of providing end-to-end security between 2 hosts
        across the Internet (or an Intranet).

                 ====================================
                 |                                  |
                H1* ------ (Inter/Intranet) ------ H2*

        Note that either transport or tunnel mode can be selected by the
        hosts.  So the headers in a packet between H1 and H2 could look
        like any of the following:

                  Transport                  Tunnel
             -----------------          ---------------------
             1. [IP1][AH][upper]        4. [IP2][AH][IP1][upper]
             2. [IP1][ESP][upper]       5. [IP2][ESP][IP1][upper]
             3. [IP1][AH][ESP][upper]

        Note that there is no requirement to support general nesting,
        but in transport mode, both AH and ESP can be applied to the
        packet.  In this event, the SA establishment procedure MUST
        ensure that first ESP, then AH are applied to the packet.

   Case 2.  This case illustrates simple virtual private networks
        support.

                       ===========================
                       |                         |
  ---------------------|----                  ---|-----------------------
  |                    |   |                  |  |                      |
  |  H1 -- (Local --- SG1* |--- (Internet) ---| SG2* --- (Local --- H2  |
  |        Intranet)       |                  |          Intranet)      |
  --------------------------                  ---------------------------
      admin. boundary                               admin. boundary

        Only tunnel mode is required here.  So the headers in a packet
        between SG1 and SG2 could look like either of the following:

                        Tunnel
                ---------------------
                4. [IP2][AH][IP1][upper]
                5. [IP2][ESP][IP1][upper]

   Case 3.  This case combines cases 1 and 2, adding end-to-end security
        between the sending and receiving hosts.  It imposes no new
        requirements on the hosts or security gateways, other than a
        requirement for a security gateway to be configurable to pass
        IPsec traffic (including ISAKMP traffic) for hosts behind it.

     ===============================================================
     |                                                             |
     |                 =========================                   |
     |                 |                       |                   |
  ---|-----------------|----                ---|-------------------|---
  |  |                 |   |                |  |                   |  |
  | H1* -- (Local --- SG1* |-- (Internet) --| SG2* --- (Local --- H2* |
  |        Intranet)       |                |          Intranet)      |
  --------------------------                ---------------------------
       admin. boundary                            admin. boundary

   Case 4.  This covers the situation where a remote host (H1) uses the
        Internet to reach an organization's firewall (SG2) and to then
        gain access to some server or other machine (H2).  The remote
        host could be a mobile host (H1) dialing up to a local
PPP/ARA
        server (not shown) on the Internet and then crossing the
        Internet to the home organization's firewall (SG2), etc.  The

        details of support for this case, (how H1 locates SG2,
        authenticates it, and verifies its authorization to represent
        H2) are discussed in Section 4.6.3, "Locating a Security
        Gateway".

        ======================================================
        |                                                    |
        |==============================                      |
        ||                            |                      |
        ||                         ---|----------------------|---
        ||                         |  |                      |  |
        H1* ----- (Internet) ------| SG2* ---- (Local ----- H2* |
              ^                    |           Intranet)        |
              |                    ------------------------------
        could be dialup              admin. boundary (optional)
        to PPP/ARA server

        Only tunnel mode is required between H1 and SG2.  So the choices
        for the SA between H1 and SG2 would be one of the ones in case
        2.  The choices for the SA between H1 and H2 would be one of the
        ones in case 1.

        Note that in this case, the sender MUST apply the transport
        header before the tunnel header.  Therefore the management
        interface to the IPsec implementation MUST support configuration
        of the SPD and SAD to ensure this ordering of IPsec header
        application.

   As noted above, support for additional combinations of AH and ESP is
   optional.  Use of other, optional combinations may adversely affect
   interoperability.

4.6 SA and Key Management

   IPsec mandates support for both manual and automated SA and
   cryptographic key management.  The IPsec protocols, AH and ESP, are
   largely independent of the associated SA management techniques,
   although the techniques involved do affect some of the security
   services offered by the protocols.  For example, the optional anti-
   replay services available for AH and ESP require automated SA
   management.  Moreover, the granularity of key distribution employed
   with IPsec determines the granularity of authentication provided.
   (See also a discussion of this issue in Section 4.7.)  In general,
   data origin authentication in AH and ESP is limited by the extent to
   which secrets used with the authentication algorithm (or with a key
   management protocol that creates such secrets) are shared among
   multiple possible sources.

   The following text describes the minimum requirements for both types
   of SA management.

4.6.1 Manual Techniques

   The simplest form of management is manual management, in which a
   person manually configures each system with keying material and
   security association management data relevant to secure communication
   with other systems.  Manual techniques are practical in small, static
   environments but they do not scale well.  For example, a company
   could create a Virtual Private Network (VPN) using IPsec in security
   gateways at several sites.  If the number of sites is small, and
   since all the sites come under the purview of a single administrative
   domain, this is likely to be a feasible context for manual management
   techniques.  In this case, the security gateway might selectively
   protect traffic to and from other sites within the organization using
   a manually configured key, while not protecting traffic for other
   destinations.  It also might be appropriate when only selected
   communications need to be secured.  A similar argument might apply to
   use of IPsec entirely within an organization for a small number of
   hosts and/or gateways.  Manual management techniques often employ
   statically configured, symmetric keys, though other options also
   exist.

4.6.2 Automated SA and Key Management

   Widespread deployment and use of IPsec requires an Internet-standard,
   scalable, automated, SA management protocol.  Such support is
   required to facilitate use of the anti-replay features of AH and ESP,
   and to accommodate on-demand creation of SAs, e.g., for user- and
   session-oriented keying.  (Note that the notion of "rekeying" an SA
   actually implies creation of a new SA with a new SPI, a process that
   generally implies use of an automated SA/key management protocol.)

   The default automated key management protocol selected for use with
   IPsec is IKE [MSST97, Orm97, HC98] under the IPsec domain of
   interpretation [Pip98].  Other automated SA management protocols MAY
   be employed.

   When an automated SA/key management protocol is employed, the output
   from this protocol may be used to generate multiple keys, e.g., for a
   single ESP SA.  This may arise because:

       o the encryption algorithm uses multiple keys (e.g., triple DES)
       o the authentication algorithm uses multiple keys
       o both encryption and authentication algorithms are employed

   The Key Management System may provide a separate string of bits for
   each key or it may generate one string of bits from which all of them
   are extracted.  If a single string of bits is provided, care needs to
   be taken to ensure that the parts of the system that map the string
   of bits to the required keys do so in the same fashion at both ends
   of the SA.  To ensure that the IPsec implementations at each end of
   the SA use the same bits for the same keys, and irrespective of which
   part of the system divides the string of bits into individual keys,
   the encryption key(s) MUST be taken from the first (left-most, high-
   order) bits and the authentication key(s) MUST be taken from the
   remaining bits.  The number of bits for each key is defined in the
   relevant algorithm specification RFC.  In the case of multiple
   encryption keys or multiple authentication keys, the specification
   for the algorithm must specify the order in which they are to be
   selected from a single string of bits provided to the algorithm.

4.6.3 Locating a Security Gateway

   This section discusses issues relating to how a host learns about the
   existence of relevant security gateways and once a host has contacted
   these security gateways, how it knows that these are the correct
   security gateways.  The details of where the required information is
   stored is a local matter.

   Consider a situation in which a remote host (H1) is using the
   Internet to gain access to a server or other machine (H2) and there
   is a security gateway (SG2), e.g., a firewall, through which H1's
   traffic must pass.  An example of this situation would be a mobile
   host (Road Warrior) crossing the Internet to the home organization's
   firewall (SG2).  (See Case 4 in the section 4.5 Basic Combinations of
   Security Associations.) This situation raises several issues:

        1. How does H1 know/learn about the existence of the security
           gateway SG2?
        2. How does it authenticate SG2, and once it has authenticated
           SG2, how does it confirm that SG2 has been authorized to
           represent H2?
        3. How does SG2 authenticate H1 and verify that H1 is authorized
           to contact H2?
        4. How does H1 know/learn about backup gateways which provide
           alternate paths to H2?

   To address these problems, a host or secu
rity gateway MUST have an
   administrative interface that allows the user/administrator to
   configure the address of a security gateway for any sets of
   destination addresses that require its use. This includes the ability
   to configure:

        o the requisite information for locating and authenticating the
          security gateway and verifying its authorization to represent
          the destination host.
        o the requisite information for locating and authenticating any
          backup gateways and verifying their authorization to represent
          the destination host.

   It is assumed that the SPD is also configured with policy information
   that covers any other IPsec requirements for the path to the security
   gateway and the destination host.

   This document does not address the issue of how to automate the
   discovery/verification of security gateways.

4.7 Security Associations and Multicast

   The receiver-orientation of the Security Association implies that, in
   the case of unicast traffic, the destination system will normally
   select the SPI value.  By having the destination select the SPI
   value, there is no potential for manually configured Security
   Associations to conflict with automatically configured (e.g., via a
   key management protocol) Security Associations or for Security
   Associations from multiple sources to conflict with each other.  For
   multicast traffic, there are multiple destination systems per
   multicast group.  So some system or person will need to coordinate
   among all multicast groups to select an SPI or SPIs on behalf of each
   multicast group and then communicate the group's IPsec information to
   all of the legitimate members of that multicast group via mechanisms
   not defined here.

   Multiple senders to a multicast group SHOULD use a single Security
   Association (and hence Security Parameter Index) for all traffic to
   that group when a symmetric key encryption or authentication
   algorithm is employed. In such circumstances, the receiver knows only
   that the message came from a system possessing the key for that
   multicast group.  In such circumstances, a receiver generally will
   not be able to authenticate which system sent the multicast traffic.
   Specifications for other, more general multicast cases are deferred
   to later IPsec documents.

   At the time this specification was published, automated protocols for
   multicast key distribution were not considered adequately mature for
   standardization.  For multicast groups having relatively few members,
   manual key distribution or multiple use of existing unicast key
   distribution algorithms such as modified Diffie-Hellman appears
   feasible.  For very large groups, new scalable techniques will be
   needed.  An example of current work in this area is the Group Key
   Management Protocol (GKMP) [HM97].

5. IP Traffic Processing

   As mentioned in Section 4.4.1 "The Security Policy Database (SPD)",
   the SPD must be consulted during the processing of all traffic
   (INBOUND and OUTBOUND), including non-IPsec traffic.  If no policy is
   found in the SPD that matches the packet (for either inbound or
   outbound traffic), the packet MUST be discarded.

   NOTE: All of the cryptographic algorithms used in IPsec expect their
   input in canonical network byte order (see Appendix in RFC 791) and
   generate their output in canonical network byte order.  IP packets
   are also transmitted in network byte order.

5.1 Outbound IP Traffic Processing

5.1.1 Selecting and Using an SA or SA Bundle

   In a security gateway or BITW implementation (and in many BITS
   implementations), each outbound packet is compared against the SPD to
   determine what processing is required for the packet.  If the packet
   is to be discarded, this is an auditable event.  If the traffic is
   allowed to bypass IPsec processing, the packet continues through
   "normal" processing for the environment in which the IPsec processing
   is taking place.  If IPsec processing is required, the packet is
   either mapped to an existing SA (or SA bundle), or a new SA (or SA
   bundle) is created for the packet.  Since a packet's selectors might
   match multiple policies or multiple extant SAs and since the SPD is
   ordered, but the SAD is not, IPsec MUST:

           1. Match the packet's selector fields against the outbound
              policies in the SPD to locate the first appropriate
              policy, which will point to zero or more SA bundles in the
              SAD.

           2. Match the packet's selector fields against those in the SA
              bundles found in (1) to locate the first SA bundle that
              matches.  If no SAs were found or none match, create an
              appropriate SA bundle and link the SPD entry to the SAD
              entry.  If no key management entity is found, drop the
              packet.

           3. Use the SA bundle found/created in (2) to do the required
              IPsec processing, e.g., authenticate and encrypt.

   In a host IPsec implementation based on sockets, the SPD will be
   consulted whenever a new socket is created, to determine what, if
   any, IPsec processing will be applied to the traffic that will flow
   on that socket.

   NOTE: A compliant implementation MUST not allow instantiation of an
   ESP SA that employs both a NULL encryption and a NULL authentication
   algorithm.  An attempt to negotiate such an SA is an auditable event.

5.1.2 Header Construction for Tunnel Mode

   This section describes the handling of the inner and outer IP
   headers, extension headers, and options for AH and ESP tunnels.  This
   includes how to construct the encapsulating (outer) IP header, how to
   handle fields in the inner IP header, and what other actions should
   be taken.  The general idea is modeled after the one used in RFC
   2003, "IP Encapsulation with IP":

        o The outer IP header Source Address and Destination Address
          identify the "endpoints" of the tunnel (the encapsulator and
          decapsulator).  The inner IP header Source Address and
          Destination Addresses identify the original sender and
          recipient of the datagram, (from the perspective of this
          tunnel), respectively.  (see footnote 3 after the table in
          5.1.2.1 for more details on the encapsulating source IP
          address.)
        o The inner IP header is not changed except to decrement the TTL
          as noted below, and remains unchanged during its delivery to
          the tunnel exit point.
        o No change to IP options or extension headers in the inner
          header occurs during delivery of the encapsulated datagram
          through the tunnel.
        o If need be, other protocol headers such as the IP
          Authentication header may be inserted between the outer IP
          header and the inner IP header.

   The tables in the following sub-sections show the handling for the
   different header/option fields (constructed = the value in the outer
   field is constructed independently of the value in the inner).

5.1.2.1 IPv4 -- Header Construction for Tunnel Mode

                        <-- How Outer Hdr Relates to Inner Hdr -->
                        Outer Hdr at                 Inner Hdr at
   IPv4                 Encapsulator                 Decapsulator
     Header fiel
ds:     --------------------         ------------
       version          4 (1)                        no change
       header length    constructed                  no change
       TOS              copied from inner hdr (5)    no change
       total length     constructed                  no change
       ID               constructed                  no change
       flags (DF,MF)    constructed, DF (4)          no change
       fragmt offset    constructed                  no change

       TTL              constructed (2)              decrement (2)
       protocol         AH, ESP, routing hdr         no change
       checksum         constructed                  constructed (2)
       src address      constructed (3)              no change
       dest address     constructed (3)              no change
   Options            never copied                 no change

        1. The IP version in the encapsulating header can be different
           from the value in the inner header.

        2. The TTL in the inner header is decremented by the
           encapsulator prior to forwarding and by the decapsulator if
           it forwards the packet.  (The checksum changes when the TTL
           changes.)

           Note: The decrementing of the TTL is one of the usual actions
           that takes place when forwarding a packet.  Packets
           originating from the same node as the encapsulator do not
           have their TTL's decremented, as the sending node is
           originating the packet rather than forwarding it.

        3. src and dest addresses depend on the SA, which is used to
           determine the dest address which in turn determines which src
           address (net interface) is used to forward the packet.

           NOTE: In principle, the encapsulating IP source address can
           be any of the encapsulator's interface addresses or even an
           address different from any of the encapsulator's IP
           addresses, (e.g., if it's acting as a NAT box) so long as the
           address is reachable through the encapsulator from the
           environment into which the packet is sent.  This does not
           cause a problem because IPsec does not currently have any
           INBOUND processing requirement that involves the Source
           Address of the encapsulating IP header.  So while the
           receiving tunnel endpoint looks at the Destination Address in
           the encapsulating IP header, it only looks at the Source
           Address in the inner (encapsulated) IP header.

        4. configuration determines whether to copy from the inner
           header (IPv4 only), clear or set the DF.

        5. If Inner Hdr is IPv4 (Protocol = 4), copy the TOS.  If Inner
           Hdr is IPv6 (Protocol = 41), map the Class to TOS.

5.1.2.2 IPv6 -- Header Construction for Tunnel Mode

   See previous section 5.1.2 for notes 1-5 indicated by (footnote
   number).

                        <-- How Outer Hdr  Relates Inner Hdr --->
                        Outer Hdr at                 Inner Hdr at
   IPv6                 Encapsulator                 Decapsulator
     Header fields:     --------------------         ------------
       version          6 (1)                        no change
       class            copied or configured (6)     no change
       flow id          copied or configured         no change
       len              constructed                  no change
       next header      AH,ESP,routing hdr           no change
       hop limit        constructed (2)              decrement (2)
       src address      constructed (3)              no change
       dest address     constructed (3)              no change
     Extension headers  never copied                 no change

        6. If Inner Hdr is IPv6 (Next Header = 41), copy the Class.  If
           Inner Hdr is IPv4 (Next Header = 4), map the TOS to Class.

5.2 Processing Inbound IP Traffic

   Prior to performing AH or ESP processing, any IP fragments are
   reassembled.  Each inbound IP datagram to which IPsec processing will
   be applied is identified by the appearance of the AH or ESP values in
   the IP Next Protocol field (or of AH or ESP as an extension header in
   the IPv6 context).

   Note: Appendix C contains sample code for a bitmask check for a 32
   packet window that can be used for implementing anti-replay service.

5.2.1 Selecting and Using an SA or SA Bundle

   Mapping the IP datagram to the appropriate SA is simplified because
   of the presence of the SPI in the AH or ESP header.  Note that the
   selector checks are made on the inner headers not the outer (tunnel)
   headers.  The steps followed are:

           1. Use the packet's destination address (outer IP header),
              IPsec protocol, and SPI to look up the SA in the SAD.  If
              the SA lookup fails, drop the packet and log/report the
              error.

           2. Use the SA found in (1) to do the IPsec processing, e.g.,
              authenticate and decrypt.  This step includes matching the
              packet's (Inner Header if tunneled) selectors to the
              selectors in the SA.  Local policy determines the
              specificity of the SA selectors (single value, list,
              range, wildcard).  In general, a packet's source address
              MUST match the SA selector value.  However, an ICMP packet
              received on a tunnel mode SA may have a source address

              other than that bound to the SA and thus such packets
              should be permitted as exceptions to this check.  For an
              ICMP packet, the selectors from the enclosed problem
              packet (the source and destination addresses and ports
              should be swapped) should be checked against the selectors
              for the SA.  Note that some or all of these selectors may
              be inaccessible because of limitations on how many bits of
              the problem packet the ICMP packet is allowed to carry or
              due to encryption.  See Section 6.

              Do (1) and (2) for every IPsec header until a Transport
              Protocol Header or an IP header that is NOT for this
              system is encountered.  Keep track of what SAs have been
              used and their order of application.

           3. Find an incoming policy in the SPD that matches the
              packet.  This could be done, for example, by use of
              backpointers from the SAs to the SPD or by matching the
              packet's selectors (Inner Header if tunneled) against
              those of the policy entries in the SPD.

           4. Check whether the required IPsec processing has been
              applied, i.e., verify that the SA's found in (1) and (2)
              match the kind and order of SAs required by the policy
              found in (3).

              NOTE: The correct "matching" policy will not necessarily
              be the first inbound policy found.  If the check in (4)
              fails, steps (3) and (4) are repeated until all policy
              entries have been checked or until the check succeeds.

   At the end of these steps, pass the resulting packet to the Transport
   Layer or forward the packet.  Note that any IPsec headers processed
   in these steps may have been removed, but that this information,
   i.e., what SAs were used and th
e order of their application, may be
   needed for subsequent IPsec or firewall processing.

   Note that in the case of a security gateway, if forwarding causes a
   packet to exit via an IPsec-enabled interface, then additional IPsec
   processing may be applied.

5.2.2 Handling of AH and ESP tunnels

   The handling of the inner and outer IP headers, extension headers,
   and options for AH and ESP tunnels should be performed as described
   in the tables in Section 5.1.

6. ICMP Processing (relevant to IPsec)

   The focus of this section is on the handling of ICMP error messages.
   Other ICMP traffic, e.g., Echo/Reply, should be treated like other
   traffic and can be protected on an end-to-end basis using SAs in the
   usual fashion.

   An ICMP error message protected by AH or ESP and generated by a
   router SHOULD be processed and forwarded in a tunnel mode SA.  Local
   policy determines whether or not it is subjected to source address
   checks by the router at the destination end of the tunnel.  Note that
   if the router at the originating end of the tunnel is forwarding an
   ICMP error message from another router, the source address check
   would fail.  An ICMP message protected by AH or ESP and generated by
   a router MUST NOT be forwarded on a transport mode SA (unless the SA
   has been established to the router acting as a host, e.g., a Telnet
   connection used to manage a router).  An ICMP message generated by a
   host SHOULD be checked against the source IP address selectors bound
   to the SA in which the message arrives.  Note that even if the source
   of an ICMP error message is authenticated, the returned IP header
   could be invalid. Accordingly, the selector values in the IP header
   SHOULD also be checked to be sure that they are consistent with the
   selectors for the SA over which the ICMP message was received.

   The table in Appendix D characterize ICMP messages as being either
   host generated, router generated, both, unknown/unassigned.  ICMP
   messages falling into the last two categories should be handled as
   determined by the receiver's policy.

   An ICMP message not protected by AH or ESP is unauthenticated and its
   processing and/or forwarding may result in denial of service.  This
   suggests that, in general, it would be desirable to ignore such
   messages.  However, it is expected that many routers (vs. security
   gateways) will not implement IPsec for transit traffic and thus
   strict adherence to this rule would cause many ICMP messages to be
   discarded.  The result is that some critical IP functions would be
   lost, e.g., redirection and PMTU processing.  Thus it MUST be
   possible to configure an IPsec implementation to accept or reject
   (router) ICMP traffic as per local security policy.

   The remainder of this section addresses how PMTU processing MUST be
   performed at hosts and security gateways.  It addresses processing of
   both authenticated and unauthenticated ICMP PMTU messages.  However,
   as noted above, unauthenticated ICMP messages MAY be discarded based
   on local policy.

6.1 PMTU/DF Processing

6.1.1 DF Bit

   In cases where a system (host or gateway) adds an encapsulating
   header (ESP tunnel or AH tunnel), it MUST support the option of
   copying the DF bit from the original packet to the encapsulating
   header (and processing ICMP PMTU messages).  This means that it MUST
   be possible to configure the system's treatment of the DF bit (set,
   clear, copy from encapsulated header) for each interface.  (See
   Appendix B for rationale.)

6.1.2 Path MTU Discovery (PMTU)

   This section discusses IPsec handling for Path MTU Discovery
   messages.  ICMP PMTU is used here to refer to an ICMP message for:

           IPv4 (RFC 792):
                   - Type = 3 (Destination Unreachable)
                   - Code = 4 (Fragmentation needed and DF set)
                   - Next-Hop MTU in the low-order 16 bits of the second
                     word of the ICMP header (labelled "unused" in RFC
                     792), with high-order 16 bits set to zero

           IPv6 (RFC 1885):
                   - Type = 2 (Packet Too Big)
                   - Code = 0 (Fragmentation needed)
                   - Next-Hop MTU in the 32 bit MTU field of the ICMP6
                     message

6.1.2.1 Propagation of PMTU

   The amount of information returned with the ICMP PMTU message (IPv4
   or IPv6) is limited and this affects what selectors are available for
   use in further propagating the PMTU information.  (See Appendix B for
   more detailed discussion of this topic.)

   o PMTU message with 64 bits of IPsec header -- If the ICMP PMTU
     message contains only 64 bits of the IPsec header (minimum for
     IPv4), then a security gateway MUST support the following options
     on a per SPI/SA basis:

        a. if the originating host can be determined (or the possible
           sources narrowed down to a manageable number), send the PM
           information to all the possible originating hosts.
        b. if the originating host cannot be determined, store the PMTU
           with the SA and wait until the next packet(s) arrive from the
           originating host for the relevant security association.  If

           the packet(s) are bigger than the PMTU, drop the packet(s),
           and compose ICMP PMTU message(s) with the new packet(s) and
           the updated PMTU, and send the ICMP message(s) about the
           problem to the originating host. Retain the PMTU information
           for any message that might arrive subsequently (see Section
           6.1.2.4, "PMTU Aging").

   o PMTU message with >64 bits of IPsec header -- If the ICMP message
     contains more information from the original packet then there may
     be enough non-opaque information to immediately determine to which
     host to propagate the ICMP/PMTU message and to provide that system
     with the 5 fields (source address, destination address, source
     port, destination port, transport protocol) needed to determine
     where to store/update the PMTU.  Under such circumstances, a
     security gateway MUST generate an ICMP PMTU message immediately
     upon receipt of an ICMP PMTU from further down the path.

   o Distributing the PMTU to the Transport Layer -- The host mechanism
     for getting the updated PMTU to the transport layer is unchanged,
     as specified in RFC 1191 (Path MTU Discovery).

6.1.2.2 Calculation of PMTU

   The calculation of PMTU from an ICMP PMTU MUST take into account the
   addition of any IPsec header -- AH transport, ESP transport, AH/ESP
   transport, ESP tunnel, AH tunnel.  (See Appendix B for discussion of
   implementation issues.)

   Note: In some situations the addition of IPsec headers could result
   in an effective PMTU (as seen by the host or application) that is
   unacceptably small.  To avoid this problem, the implementation may
   establish a threshold below which it will not report a reduced PMTU.
   In such cases, the implementation would apply IPsec and then fragment
   the resulting packet according to the PMTU.  This would result in a
   more efficient use of the available bandwidth.

6.1.2.3 Granularity of PMTU Processing

   In hosts, the granularity with which ICMP PMTU processing can be done
   differs depending on the implementation situation.  Looking at a
   host, ther
e are 3 situations that are of interest with respect to
   PMTU issues (See Appendix B for additional details on this topic.):

        a. Integration of IPsec into the native IP implementation
        b. Bump-in-the-stack implementations, where IPsec is implemented
           "underneath" an existing implementation of a TCP/IP protocol
           stack, between the native IP and the local network drivers

        c. No IPsec implementation -- This case is included because it
           is relevant in cases where a security gateway is sending PMTU
           information back to a host.

   Only in case (a) can the PMTU data be maintained at the same
   granularity as communication associations.  In (b) and (c), the IP
   layer will only be able to maintain PMTU data at the granularity of
   source and destination IP addresses (and optionally TOS), as
   described in RFC 1191.  This is an important difference, because more
   than one communication association may map to the same source and
   destination IP addresses, and each communication association may have
   a different amount of IPsec header overhead (e.g., due to use of
   different transforms or different algorithms).

   Implementation of the calculation of PMTU and support for PMTUs at
   the granularity of individual communication associations is a local
   matter.  However, a socket-based implementation of IPsec in a host
   SHOULD maintain the information on a per socket basis.  Bump in the
   stack systems MUST pass an ICMP PMTU to the host IP implementation,
   after adjusting it for any IPsec header overhead added by these
   systems.  The calculation of the overhead SHOULD be determined by
   analysis of the SPI and any other selector information present in a
   returned ICMP PMTU message.

6.1.2.4 PMTU Aging

   In all systems (host or gateway) implementing IPsec and maintaining
   PMTU information, the PMTU associated with a security association
   (transport or tunnel) MUST be "aged" and some mechanism put in place
   for updating the PMTU in a timely manner, especially for discovering
   if the PMTU is smaller than it needs to be.  A given PMTU has to
   remain in place long enough for a packet to get from the source end
   of the security association to the system at the other end of the
   security association and propagate back an ICMP error message if the
   current PMTU is too big.  Note that if there are nested tunnels,
   multiple packets and round trip times might be required to get an
   ICMP message back to an encapsulator or originating host.

   Systems SHOULD use the approach described in the Path MTU Discovery
   document (RFC 1191, Section 6.3), which suggests periodically
   resetting the PMTU to the first-hop data-link MTU and then letting
   the normal PMTU Discovery processes update the PMTU as necessary.
   The period SHOULD be configurable.

7. Auditing

   Not all systems that implement IPsec will implement auditing.  For
   the most part, the granularity of auditing is a local matter.
   However, several auditable events are identified in the AH and ESP
   specifications and for each of these events a minimum set of
   information that SHOULD be included in an audit log is defined.
   Additional information also MAY be included in the audit log for each
   of these events, and additional events, not explicitly called out in
   this specification, also MAY result in audit log entries.  There is
   no requirement for the receiver to transmit any message to the
   purported transmitter in response to the detection of an auditable
   event, because of the potential to induce denial of service via such
   action.

8. Use in Systems Supporting Information Flow Security

   Information of various sensitivity levels may be carried over a
   single network.  Information labels (e.g., Unclassified, Company
   Proprietary, Secret) [DoD85, DoD87] are often employed to distinguish
   such information.  The use of labels facilitates segregation of
   information, in support of information flow security models, e.g.,
   the Bell-LaPadula model [BL73].  Such models, and corresponding
   supporting technology, are designed to prevent the unauthorized flow
   of sensitive information, even in the face of Trojan Horse attacks.
   Conventional, discretionary access control (DAC) mechanisms, e.g.,
   based on access control lists, generally are not sufficient to
   support such policies, and thus facilities such as the SPD do not
   suffice in such environments.

   In the military context, technology that supports such models is
   often referred to as multi-level security (MLS).  Computers and
   networks often are designated "multi-level secure" if they support
   the separation of labelled data in conjunction with information flow
   security policies.  Although such technology is more broadly
   applicable than just military applications, this document uses the
   acronym "MLS" to designate the technology, consistent with much
   extant literature.

   IPsec mechanisms can easily support MLS networking.  MLS networking
   requires the use of strong Mandatory Access Controls (MAC), which
   unprivileged users or unprivileged processes are incapable of
   controlling or violating.  This section pertains only to the use of
   these IP security mechanisms in MLS (information flow security
   policy) environments.  Nothing in this section applies to systems not
   claiming to provide MLS.

   As used in this section, "sensitivity information" might include
   implementation-defined hierarchic levels, categories, and/or
   releasability information.

   AH can be used to provide strong authentication in support of
   mandatory access control decisions in MLS environments.  If explicit
   IP sensitivity information (e.g., IPSO [Ken91]) is used and
   confidentiality is not considered necessary within the particular
   operational environment, AH can be used to authenticate the binding
   between sensitivity labels in the IP header and the IP payload
   (including user data).  This is a significant improvement over
   labeled IPv4 networks where the sensitivity information is trusted
   even though there is no authentication or cryptographic binding of
   the information to the IP header and user data.  IPv4 networks might
   or might not use explicit labelling.  IPv6 will normally use implicit
   sensitivity information that is part of the IPsec Security
   Association but not transmitted with each packet instead of using
   explicit sensitivity information.  All explicit IP sensitivity
   information MUST be authenticated using either ESP, AH, or both.

   Encryption is useful and can be desirable even when all of the hosts
   are within a protected environment, for example, behind a firewall or
   disjoint from any external connectivity.  ESP can be used, in
   conjunction with appropriate key management and encryption
   algorithms, in support of both DAC and MAC.  (The choice of
   encryption and authentication algorithms, and the assurance level of
   an IPsec implementation will determine the environments in which an
   implementation may be deemed sufficient to satisfy MLS requirements.)
   Key management can make use of sensitivity information to provide
   MAC.  IPsec implementations on systems claiming to provide MLS SHOULD
   be capable of using IPsec to provide MAC for IP-based communications.

8.1 Relationship Between Security Associations and Data Sensitivity

   Both the Encapsulating Security Pay
load and the Authentication Header
   can be combined with appropriate Security Association policies to
   provide multi-level secure networking.  In this case each SA (or SA
   bundle) is normally used for only a single instance of sensitivity
   information.  For example, "PROPRIETARY - Internet Engineering" must
   be associated with a different SA (or SA bundle) from "PROPRIETARY -
   Finance".

8.2 Sensitivity Consistency Checking

   An MLS implementation (both host and router) MAY associate
   sensitivity information, or a range of sensitivity information with
   an interface, or a configured IP address with its associated prefix
   (the latter is sometimes referred to as a logical interface, or an

   interface alias).  If such properties exist, an implementation SHOULD
   compare the sensitivity information associated with the packet
   against the sensitivity information associated with the interface or
   address/prefix from which the packet arrived, or through which the
   packet will depart.  This check will either verify that the
   sensitivities match, or that the packet's sensitivity falls within
   the range of the interface or address/prefix.

   The checking SHOULD be done on both inbound and outbound processing.

8.3 Additional MLS Attributes for Security Association Databases

   Section 4.4 discussed two Security Association databases (the
   Security Policy Database (SPD) and the Security Association Database
   (SAD)) and the associated policy selectors and SA attributes.  MLS
   networking introduces an additional selector/attribute:

           - Sensitivity information.

   The Sensitivity information aids in selecting the appropriate
   algorithms and key strength, so that the traffic gets a level of
   protection appropriate to its importance or sensitivity as described
   in section 8.1.  The exact syntax of the sensitivity information is
   implementation defined.

8.4 Additional Inbound Processing Steps for MLS Networking

   After an inbound packet has passed through IPsec processing, an MLS
   implementation SHOULD first check the packet's sensitivity (as
   defined by the SA (or SA bundle) used for the packet) with the
   interface or address/prefix as described in section 8.2 before
   delivering the datagram to an upper-layer protocol or forwarding it.

   The MLS system MUST retain the binding between the data received in
   an IPsec protected packet and the sensitivity information in the SA
   or SAs used for processing, so appropriate policy decisions can be
   made when delivering the datagram to an application or forwarding
   engine.  The means for maintaining this binding are implementation
   specific.

8.5 Additional Outbound Processing Steps for MLS Networking

   An MLS implementation of IPsec MUST perform two additional checks
   besides the normal steps detailed in section 5.1.1.  When consulting
   the SPD or the SAD to find an outbound security association, the MLS
   implementation MUST use the sensitivity of the data to select an

   appropriate outbound SA or SA bundle.  The second check comes before
   forwarding the packet out to its destination, and is the sensitivity
   consistency checking described in section 8.2.

8.6 Additional MLS Processing for Security Gateways

   An MLS security gateway MUST follow the previously mentioned inbound
   and outbound processing rules as well as perform some additional
   processing specific to the intermediate protection of packets in an
   MLS environment.

   A security gateway MAY act as an outbound proxy, creating SAs for MLS
   systems that originate packets forwarded by the gateway.  These MLS
   systems may explicitly label the packets to be forwarded, or the
   whole originating network may have sensitivity characteristics
   associated with it.  The security gateway MUST create and use
   appropriate SAs for AH, ESP, or both, to protect such traffic it
   forwards.

   Similarly such a gateway SHOULD accept and process inbound AH and/or
   ESP packets and forward appropriately, using explicit packet
   labeling, or relying on the sensitivity characteristics of the
   destination network.

9. Performance Issues

   The use of IPsec imposes computational performance costs on the hosts
   or security gateways that implement these protocols.  These costs are
   associated with the memory needed for IPsec code and data structures,
   and the computation of integrity check values, encryption and
   decryption, and added per-packet handling.  The per-packet
   computational costs will be manifested by increased latency and,
   possibly, reduced throughout.  Use of SA/key management protocols,
   especially ones that employ public key cryptography, also adds
   computational performance costs to use of IPsec.  These per-
   association computational costs will be manifested in terms of
   increased latency in association establishment.  For many hosts, it
   is anticipated that software-based cryptography will not appreciably
   reduce throughput, but hardware may be required for security gateways
   (since they represent aggregation points), and for some hosts.

   The use of IPsec also imposes bandwidth utilization costs on
   transmission, switching, and routing components of the Internet
   infrastructure, components not implementing IPsec.  This is due to
   the increase in the packet size resulting from the addition of AH
   and/or ESP headers, AH and ESP tunneling (which adds a second IP
   header), and the increased packet traffic associated with key
   management protocols.  It is anticipated that, in most instances,

   this increased bandwidth demand will not noticeably affect the
   Internet infrastructure.  However, in some instances, the effects may
   be significant, e.g., transmission of ESP encrypted traffic over a
   dialup link that otherwise would have compressed the traffic.

   Note: The initial SA establishment overhead will be felt in the first
   packet.  This delay could impact the transport layer and application.
   For example, it could cause TCP to retransmit the SYN before the
   ISAKMP exchange is done.  The effect of the delay would be different
   on UDP than TCP because TCP shouldn't transmit anything other than
   the SYN until the connection is set up whereas UDP will go ahead and
   transmit data beyond the first packet.

   Note: As discussed earlier, compression can still be employed at
   layers above IP.  There is an IETF working group (IP Payload
   Compression Protocol (ippcp)) working on "protocol specifications
   that make it possible to perform lossless compression on individual
   payloads before the payload is processed by a protocol that encrypts
   it. These specifications will allow for compression operations to be
   performed prior to the encryption of a payload by IPsec protocols."

10. Conformance Requirements

   All IPv4 systems that claim to implement IPsec MUST comply with all
   requirements of the Security Architecture document.  All IPv6 systems
   MUST comply with all requirements of the Security Architecture
   document.

11. Security Considerations

   The focus of this document is security; hence security considerations
   permeate this specification.

12. Differences from RFC 1825

   This architecture document differs substantially from RFC 1825 in
   detail and in organization, but the fundamental notions are
   unchanged.  This document provid
es considerable additional detail in
   terms of compliance specifications.  It introduces the SPD and SAD,
   and the notion of SA selectors.  It is aligned with the new versions
   of AH and ESP, which also differ from their predecessors.  Specific
   requirements for supported combinations of AH and ESP are newly
   added, as are details of PMTU management.

Acknowledgements

   Many of the concepts embodied in this specification were derived from
   or influenced by the US Government's SP3 security protocol, ISO/IEC's
   NLSP, the proposed swIPe security protocol [SDNS, ISO, IB93, IBK93],
   and the work done for SNMP Security and SNMPv2 Security.

   For over 3 years (although it sometimes seems *much* longer), this
   document has evolved through multiple versions and iterations.
   During this time, many people have contributed significant ideas and
   energy to the process and the documents themselves.  The authors
   would like to thank Karen Seo for providing extensive help in the
   review, editing, background research, and coordination for this
   version of the specification.  The authors would also like to thank
   the members of the IPsec and IPng working groups, with special
   mention of the efforts of (in alphabetic order): Steve Bellovin,
   Steve Deering, James Hughes, Phil Karn, Frank Kastenholz, Perry
   Metzger, David Mihelcic, Hilarie Orman, Norman Shulman, William
   Simpson, Harry Varnis, and Nina Yuan.

Appendix A -- Glossary

   This section provides definitions for several key terms that are
   employed in this document.  Other documents provide additional
   definitions and background information relevant to this technology,
   e.g., [VK83, HA94].  Included in this glossary are generic security
   service and security mechanism terms, plus IPsec-specific terms.

     Access Control
        Access control is a security service that prevents unauthorized
        use of a resource, including the prevention of use of a resource
        in an unauthorized manner.  In the IPsec context, the resource
        to which access is being controlled is often:
                o for a host, computing cycles or data
                o for a security gateway, a network behind the gateway
        or
                  bandwidth on that network.

     Anti-replay
        [See "Integrity" below]

     Authentication
        This term is used informally to refer to the combination of two
        nominally distinct security services, data origin authentication
        and connectionless integrity.  See the definitions below for
        each of these services.

     Availability
        Availability, when viewed as a security service, addresses the
        security concerns engendered by attacks against networks that
        deny or degrade service.  For example, in the IPsec context, the
        use of anti-replay mechanisms in AH and ESP support
        availability.

     Confidentiality
        Confidentiality is the security service that protects data from
        unauthorized disclosure.  The primary confidentiality concern in
        most instances is unauthorized disclosure of application level
        data, but disclosure of the external characteristics of
        communication also can be a concern in some circumstances.
        Traffic flow confidentiality is the service that addresses this
        latter concern by concealing source and destination addresses,
        message length, or frequency of communication.  In the IPsec
        context, using ESP in tunnel mode, especially at a security
        gateway, can provide some level of traffic flow confidentiality.
        (See also traffic analysis, below.)

     Encryption
        Encryption is a security mechanism used to transform data from
        an intelligible form (plaintext) into an unintelligible form
        (ciphertext), to provide confidentiality.  The inverse
        transformation process is designated "decryption".  Oftimes the
        term "encryption" is used to generically refer to both
        processes.

     Data Origin Authentication
        Data origin authentication is a security service that verifies
        the identity of the claimed source of data.  This service is
        usually bundled with connectionless integrity service.

     Integrity
        Integrity is a security service that ensures that modifications
        to data are detectable.  Integrity comes in various flavors to
        match application requirements.  IPsec supports two forms of
        integrity: connectionless and a form of partial sequence
        integrity.  Connectionless integrity is a service that detects
        modification of an individual IP datagram, without regard to the
        ordering of the datagram in a stream of traffic.  The form of
        partial sequence integrity offered in IPsec is referred to as
        anti-replay integrity, and it detects arrival of duplicate IP
        datagrams (within a constrained window).  This is in contrast to
        connection-oriented integrity, which imposes more stringent
        sequencing requirements on traffic, e.g., to be able to detect
        lost or re-ordered messages.  Although authentication and
        integrity services often are cited separately, in practice they
        are intimately connected and almost always offered in tandem.

     Security Association (SA)
        A simplex (uni-directional) logical connection, created for
        security purposes.  All traffic traversing an SA is provided the
        same security processing.  In IPsec, an SA is an internet layer
        abstraction implemented through the use of AH or ESP.

     Security Gateway
        A security gateway is an intermediate system that acts as the
        communications interface between two networks.  The set of hosts
        (and networks) on the external side of the security gateway is
        viewed as untrusted (or less trusted), while the networks and
        hosts and on the internal side are viewed as trusted (or more
        trusted).  The internal subnets and hosts served by a security
        gateway are presumed to be trusted by virtue of sharing a
        common, local, security administration.  (See "Trusted
        Subnetwork" below.) In the IPsec context, a security gateway is
        a point at which AH and/or ESP is implemented in order to serve

        a set of internal hosts, providing security services for these
        hosts when they communicate with external hosts also employing
        IPsec (either directly or via another security gateway).

     SPI
        Acronym for "Security Parameters Index".  The combination of a
        destination address, a security protocol, and an SPI uniquely
        identifies a security association (SA, see above).  The SPI is
        carried in AH and ESP protocols to enable the receiving system
        to select the SA under which a received packet will be
        processed.  An SPI has only local significance, as defined by
        the creator of the SA (usually the receiver of the packet
        carrying the SPI); thus an SPI is generally viewed as an opaque
        bit string.  However, the creator of an SA may choose to
        interpret the bits in an SPI to facilitate local processing.

     Traffic Analysis
        The analysis of network traffic flow for the purpose of deducing
        information that is useful to an adversary.  Examples of such
        informat
ion are frequency of transmission, the identities of the
        conversing parties, sizes of packets, flow identifiers, etc.
        [Sch94]

     Trusted Subnetwork
        A subnetwork containing hosts and routers that trust each other
        not to engage in active or passive attacks.  There also is an
        assumption that the underlying communications channel (e.g., a
        LAN or CAN) isn't being attacked by other means.

Appendix B -- Analysis/Discussion of PMTU/DF/Fragmentation Issues

B.1 DF bit

   In cases where a system (host or gateway) adds an encapsulating
   header (e.g., ESP tunnel), should/must the DF bit in the original
   packet be copied to the encapsulating header?

   Fragmenting seems correct for some situations, e.g., it might be
   appropriate to fragment packets over a network with a very small MTU,
   e.g., a packet radio network, or a cellular phone hop to mobile node,
   rather than propagate back a very small PMTU for use over the rest of
   the path.  In other situations, it might be appropriate to set the DF
   bit in order to get feedback from later routers about PMTU
   constraints which require fragmentation.  The existence of both of
   these situations argues for enabling a system to decide whether or
   not to fragment over a particular network "link", i.e., for requiring
   an implementation to be able to copy the DF bit (and to process ICMP
   PMTU messages), but making it an option to be selected on a per
   interface basis.  In other words, an administrator should be able to
   configure the router's treatment of the DF bit (set, clear, copy from
   encapsulated header) for each interface.

   Note: If a bump-in-the-stack implementation of IPsec attempts to
   apply different IPsec algorithms based on source/destination ports,
   it will be difficult to apply Path MTU adjustments.

B.2 Fragmentation

   If required, IP fragmentation occurs after IPsec processing within an
   IPsec implementation.  Thus, transport mode AH or ESP is applied only
   to whole IP datagrams (not to IP fragments).  An IP packet to which
   AH or ESP has been applied may itself be fragmented by routers en
   route, and such fragments MUST be reassembled prior to IPsec
   processing at a receiver.  In tunnel mode, AH or ESP is applied to an
   IP packet, the payload of which may be a fragmented IP packet.  For
   example, a security gateway, "bump-in-the-stack" (BITS), or "bump-
   in-the-wire" (BITW) IPsec implementation may apply tunnel mode AH to
   such fragments.  Note that BITS or BITW implementations are examples
   of where a host IPsec implementation might receive fragments to which
   tunnel mode is to be applied.  However, if transport mode is to be
   applied, then these implementations MUST reassemble the fragments
   prior to applying IPsec.

   NOTE: IPsec always has to figure out what the encapsulating IP header
   fields are.  This is independent of where you insert IPsec and is
   intrinsic to the definition of IPsec.  Therefore any IPsec
   implementation that is not integrated into an IP implementation must
   include code to construct the necessary IP headers (e.g., IP2):

        o AH-tunnel --> IP2-AH-IP1-Transport-Data
        o ESP-tunnel -->  IP2-ESP_hdr-IP1-Transport-Data-ESP_trailer

   *********************************************************************

   Overall, the fragmentation/reassembly approach described above works
   for all cases examined.

                              AH Xport   AH Tunnel  ESP Xport  ESP Tunnel
 Implementation approach      IPv4 IPv6  IPv4 IPv6  IPv4 IPv6  IPv4 IPv6
 -----------------------      ---- ----  ---- ----  ---- ----  ---- ----
 Hosts (integr w/ IP stack)     Y    Y     Y    Y     Y    Y     Y    Y
 Hosts (betw/ IP and drivers)   Y    Y     Y    Y     Y    Y     Y    Y
 S. Gwy (integr w/ IP stack)               Y    Y                Y    Y
 Outboard crypto processor *

        * If the crypto processor system has its own IP address, then it
          is covered by the security gateway case.  This box receives
          the packet from the host and performs IPsec processing.  It
          has to be able to handle the same AH, ESP, and related
          IPv4/IPv6 tunnel processing that a security gateway would have
          to handle.  If it doesn't have it's own address, then it is
          similar to the bump-in-the stack implementation between IP and
          the network drivers.

   The following analysis assumes that:

        1. There is only one IPsec module in a given system's stack.
           There isn't an IPsec module A (adding ESP/encryption and
           thus) hiding the transport protocol, SRC port, and DEST port
           from IPsec module B.
        2. There are several places where IPsec could be implemented (as
           shown in the table above).
                a. Hosts with integration of IPsec into the native IP
                   implementation.  Implementer has access to the source
                   for the stack.
                b. Hosts with bump-in-the-stack implementations, where
                   IPsec is implemented between IP and the local network
                   drivers.  Source access for stack is not available;
                   but there are well-defined interfaces that allows the
                   IPsec code to be incorporated into the system.

                c. Security gateways and outboard crypto processors with
                   integration of IPsec into the stack.
        3. Not all of the above approaches are feasible in all hosts.
           But it was assumed that for each approach, there are some
           hosts for whom the approach is feasible.

   For each of the above 3 categories, there are IPv4 and IPv6, AH
   transport and tunnel modes, and ESP transport and tunnel modes -- for
   a total of 24 cases (3 x 2 x 4).

   Some header fields and interface fields are listed here for ease of
   reference -- they're not in the header order, but instead listed to
   allow comparison between the columns.  (* = not covered by AH
   authentication.  ESP authentication doesn't cover any headers that
   precede it.)

                                             IP/Transport Interface
             IPv4            IPv6            (RFC 1122 -- Sec 3.4)
             ----            ----            ----------------------
             Version = 4     Version = 6
             Header Len
             *TOS            Class,Flow Lbl  TOS
             Packet Len      Payload Len     Len
             ID                              ID (optional)
             *Flags                          DF
             *Offset
             *TTL            *Hop Limit      TTL
             Protocol        Next Header
             *Checksum
             Src Address     Src Address     Src Address
             Dst Address     Dst Address     Dst Address
             Options?        Options?        Opt

             ? = AH covers Option-Type and Option-Length, but
                 might not cover Option-Data.

   The results for each of the 20 cases is shown below ("works" = will
   work if system fragments after outbound IPsec processing, reassembles
   before inbound IPsec processing).  Notes indicate implementation
   issues.

    a. Hosts (integrated into IP stack)
          o AH-transport  --> (IP1-AH-Transport-Data)
                    - IPv4 -- works
                    - IPv6 -- works

          o AH-tunnel --> (IP2-AH-IP1-Transport-Data)
                    - IPv4 -- works
                    - IPv6 -- works

          o ESP-transport --> (IP1-ESP_hdr-Transport-Data-ESP_trailer)
                    - IPv4 -- works
                    - IPv6 -- works
          o ESP-tunnel -->  (IP2-ESP_hdr-IP1-Transport-Data-ESP_trailer)
                    - IPv4 -- works
                    - IPv6 -- works

    b. Hosts (Bump-in-the-stack) -- put IPsec between IP layer and
       network drivers.  In this case, the IPsec module would have to do
       something like one of the following for fragmentation and
       reassembly.
            - do the fragmentation/reassembly work itself and
              send/receive the packet directly to/from the network
              layer.  In AH or ESP transport mode, this is fine.  In AH
              or ESP tunnel mode where the tunnel end is at the ultimate
              destination, this is fine.  But in AH or ESP tunnel modes
              where the tunnel end is different from the ultimate
              destination and where the source host is multi-homed, this
              approach could result in sub-optimal routing because the
              IPsec module may be unable to obtain the information
              needed (LAN interface and next-hop gateway) to direct the
              packet to the appropriate network interface.  This is not
              a problem if the interface and next-hop gateway are the
              same for the ultimate destination and for the tunnel end.
              But if they are different, then IPsec would need to know
              the LAN interface and the next-hop gateway for the tunnel
              end.  (Note: The tunnel end (security gateway) is highly
              likely to be on the regular path to the ultimate
              destination.  But there could also be more than one path
              to the destination, e.g., the host could be at an
              organization with 2 firewalls.  And the path being used
              could involve the less commonly chosen firewall.)  OR
            - pass the IPsec'd packet back to the IP layer where an
              extra IP header would end up being pre-pended and the
              IPsec module would have to check and let IPsec'd fragments
              go by.
                                    OR
            - pass the packet contents to the IP layer in a form such
              that the IP layer recreates an appropriate IP header

       At the network layer, the IPsec module will have access to the
       following selectors from the packet -- SRC address, DST address,
       Next Protocol, and if there's a transport layer header --> SRC
       port and DST port.  One cannot assume IPsec has access to the
       Name.  It is assumed that the available selector information is
       sufficient to figure out the relevant Security Policy entry and
       Security Association(s).

          o AH-transport  --> (IP1-AH-Transport-Data)
                    - IPv4 -- works
                    - IPv6 -- works
          o AH-tunnel --> (IP2-AH-IP1-Transport-Data)
                    - IPv4 -- works
                    - IPv6 -- works
          o ESP-transport --> (IP1-ESP_hdr-Transport-Data-ESP_trailer)
                    - IPv4 -- works
                    - IPv6 -- works
          o ESP-tunnel -->  (IP2-ESP_hdr-IP1-Transport-Data-ESP_trailer)
                    - IPv4 -- works
                    - IPv6 -- works

    c. Security gateways -- integrate IPsec into the IP stack

       NOTE: The IPsec module will have access to the following
       selectors from the packet -- SRC address, DST address, Next
       Protocol, and if there's a transport layer header --> SRC port
       and DST port.  It won't have access to the User ID (only Hosts
       have access to User ID information.)  Unlike some Bump-in-the-
       stack implementations, security gateways may be able to look up
       the Source Address in the DNS to provide a System Name, e.g., in
       situations involving use of dynamically assigned IP addresses in
       conjunction with dynamically updated DNS entries.  It also won't
       have access to the transport layer information if there is an ESP
       header, or if it's not the first fragment of a fragmented
       message.  It is assumed that the available selector information
       is sufficient to figure out the relevant Security Policy entry
       and Security Association(s).

          o AH-tunnel --> (IP2-AH-IP1-Transport-Data)
                    - IPv4 -- works
                    - IPv6 -- works
          o ESP-tunnel -->  (IP2-ESP_hdr-IP1-Transport-Data-ESP_trailer)
                    - IPv4 -- works
                    - IPv6 -- works

   **********************************************************************

B.3 Path MTU Discovery

   As mentioned earlier, "ICMP PMTU" refers to an ICMP message used for
   Path MTU Discovery.

   The legend for the diagrams below in B.3.1 and B.3.3 (but not B.3.2)
   is:

        ==== = security association (AH or ESP, transport or tunnel)

        ---- = connectivity (or if so labelled, administrative boundary)
        .... = ICMP message (hereafter referred to as ICMP PMTU) for

                IPv4:
                - Type = 3 (Destination Unreachable)
                - Code = 4 (Fragmentation needed and DF set)
                - Next-Hop MTU in the low-order 16 bits of the second
                  word of the ICMP header (labelled unused in RFC 792),
                  with high-order 16 bits set to zero

                IPv6 (RFC 1885):
                - Type = 2 (Packet Too Big)
                - Code = 0 (Fragmentation needed and DF set)
                - Next-Hop MTU in the 32 bit MTU field of the ICMP6

        Hx   = host x
        Rx   = router x
        SGx  = security gateway x
        X*   = X supports IPsec

B.3.1 Identifying the Originating Host(s)

The amount of information returned with the ICMP message is limited
and this affects what selectors are available to identify security
associations, originating hosts, etc. for use in further propagating
the PMTU information.

In brief...  An ICMP message must contain the following information
from the "offending" packet:
        - IPv4 (RFC 792) --  IP header plus a minimum of 64 bits

Accordingly, in the IPv4 context, an ICMP PMTU may identify only the
first (outermost) security association.  This is because the ICMP
PMTU may contain only 64 bits of the "offending" packet beyond the IP
header, which would capture only the first SPI from AH or ESP.  In
the IPv6 context, an ICMP PMTU will probably provide all the SPIs and
the selectors in the IP header, but maybe not the SRC/DST ports (in
the transport header) or the encapsulated (TCP, UDP, etc.) protocol.
Moreover, if ESP is used, the transport ports and protocol selectors
may be encrypted.

Looking at the diagram below of a security gateway tunnel (as
mentioned elsewhere, security gateways do not use transport mode)...

     H1   ===================           H3
       \  |                 |          /
   H0 -- SG1* ---- R1 ---- SG2* ---- R2 -- H5
       /  ^        |                   \
     H2   |........|                    H4

   Suppose that the security policy for SG1 is to use a single SA to SG2
   for all the traffic between hosts H0, H1, and H2 and
 hosts H3, H4,
   and H5.  And suppose H0 sends a data packet to H5 which causes R1 to
   send an ICMP PMTU message to SG1.  If the PMTU message has only the
   SPI, SG1 will be able to look up the SA and find the list of possible
   hosts (H0, H1, H2, wildcard); but SG1 will have no way to figure out
   that H0 sent the traffic that triggered the ICMP PMTU message.

      original        after IPsec     ICMP
      packet          processing      packet
      --------        -----------     ------
                                      IP-3 header (S = R1, D = SG1)
                                      ICMP header (includes PMTU)
                      IP-2 header     IP-2 header (S = SG1, D = SG2)
                      ESP header      minimum of 64 bits of ESP hdr (*)
      IP-1 header     IP-1 header
      TCP header      TCP header
      TCP data        TCP data
                      ESP trailer

      (*) The 64 bits will include enough of the ESP (or AH) header to
          include the SPI.
              - ESP -- SPI (32 bits), Seq number (32 bits)
              - AH -- Next header (8 bits), Payload Len (8 bits),
                Reserved (16 bits), SPI (32 bits)

   This limitation on the amount of information returned with an ICMP
   message creates a problem in identifying the originating hosts for
   the packet (so as to know where to further propagate the ICMP PMTU
   information).  If the ICMP message contains only 64 bits of the IPsec
   header (minimum for IPv4), then the IPsec selectors (e.g., Source and
   Destination addresses, Next Protocol, Source and Destination ports,
   etc.) will have been lost.  But the ICMP error message will still
   provide SG1 with the SPI, the PMTU information and the source and
   destination gateways for the relevant security association.

   The destination security gateway and SPI uniquely define a security
   association which in turn defines a set of possible originating
   hosts.  At this point, SG1 could:

   a. send the PMTU information to all the possible originating hosts.
      This would not work well if the host list is a wild card or if
      many/most of the hosts weren't sending to SG1; but it might work
      if the SPI/destination/etc mapped to just one or a small number of
      hosts.
   b. store the PMTU with the SPI/etc and wait until the next packet(s)
      arrive from the originating host(s) for the relevant security
      association.  If it/they are bigger than the PMTU, drop the
      packet(s), and compose ICMP PMTU message(s) with the new packet(s)
      and the updated PMTU, and send the originating host(s) the ICMP
      message(s) about the problem.  This involves a delay in notifying
      the originating host(s), but avoids the problems of (a).

   Since only the latter approach is feasible in all instances, a
   security gateway MUST provide such support, as an option.  However,
   if the ICMP message contains more information from the original
   packet, then there may be enough information to immediately determine
   to which host to propagate the ICMP/PMTU message and to provide that
   system with the 5 fields (source address, destination address, source
   port, destination port, and transport protocol) needed to determine
   where to store/update the PMTU.  Under such circumstances, a security
   gateway MUST generate an ICMP PMTU message immediately upon receipt
   of an ICMP PMTU from further down the path.  NOTE: The Next Protocol
   field may not be contained in the ICMP message and the use of ESP
   encryption may hide the selector fields that have been encrypted.

B.3.2 Calculation of PMTU

   The calculation of PMTU from an ICMP PMTU has to take into account
   the addition of any IPsec header by H1 -- AH and/or ESP transport, or
   ESP or AH tunnel.  Within a single host, multiple applications may
   share an SPI and nesting of security associations may occur.  (See
   Section 4.5 Basic Combinations of Security Associations for
   description of the combinations that MUST be supported).  The diagram
   below illustrates an example of security associations between a pair
   of hosts (as viewed from the perspective of one of the hosts.)  (ESPx
   or AHx = transport mode)

           Socket 1 -------------------------|
                                             |
           Socket 2 (ESPx/SPI-A) ---------- AHx (SPI-B) -- Internet

   In order to figure out the PMTU for each socket that maps to SPI-B,
   it will be necessary to have backpointers from SPI-B to each of the 2
   paths that lead to it -- Socket 1 and Socket 2/SPI-A.

B.3.3 Granularity of Maintaining PMTU Data

   In hosts, the granularity with which PMTU ICMP processing can be done
   differs depending on the implementation situation.  Looking at a
   host, there are three situations that are of interest with respect to
   PMTU issues:

   a. Integration of IPsec into the native IP implementation
   b. Bump-in-the-stack implementations, where IPsec is implemented
      "underneath" an existing implementation of a TCP/IP protocol
      stack, between the native IP and the local network drivers
   c. No IPsec implementation -- This case is included because it is
      relevant in cases where a security gateway is sending PMTU
      information back to a host.

   Only in case (a) can the PMTU data be maintained at the same
   granularity as communication associations.  In the other cases, the
   IP layer will maintain PMTU data at the granularity of Source and
   Destination IP addresses (and optionally TOS/Class), as described in
   RFC 1191.  This is an important difference, because more than one
   communication association may map to the same source and destination
   IP addresses, and each communication association may have a different
   amount of IPsec header overhead (e.g., due to use of different
   transforms or different algorithms).  The examples below illustrate
   this.

   In cases (a) and (b)...  Suppose you have the following situation.
   H1 is sending to H2 and the packet to be sent from R1 to R2 exceeds
   the PMTU of the network hop between them.

                 ==================================
                 |                                |
                H1* --- R1 ----- R2 ---- R3 ---- H2*
                 ^       |
                 |.......|

   If R1 is configured to not fragment subscriber traffic, then R1 sends
   an ICMP PMTU message with the appropriate PMTU to H1.  H1's
   processing would vary with the nature of the implementation.  In case
   (a) (native IP), the security services are bound to sockets or the
   equivalent.  Here the IP/IPsec implementation in H1 can store/update
   the PMTU for the associated socket.  In case (b), the IP layer in H1
   can store/update the PMTU but only at the granularity of Source and
   Destination addresses and possibly TOS/Class, as noted above.  So the
   result may be sub-optimal, since the PMTU for a given
   SRC/DST/TOS/Class will be the subtraction of the largest amount of
   IPsec header used for any communication association between a given
   source and destination.

   In case (c), there has to be a security gateway to have any IPsec
   processing.  So suppose you have the following situation.  H1 is
   sending to H2 and the packet to be sent from SG1 to R exceeds the
   PMTU of the network hop between them.

                         ================
                         |              |

 H1 ---- SG1* --- R --- SG2* ---- H2
                 ^       |
                 |.......|

   As described above for case (b), the IP layer in H1 can store/update
   the PMTU but only at the granularity of Source and Destination
   addresses, and possibly TOS/Class.  So the result may be sub-optimal,
   since the PMTU for a given SRC/DST/TOS/Class will be the subtraction
   of the largest amount of IPsec header used for any communication
   association between a given source and destination.

B.3.4 Per Socket Maintenance of PMTU Data

   Implementation of the calculation of PMTU (Section B.3.2) and support
   for PMTUs at the granularity of individual "communication
   associations" (Section B.3.3) is a local matter.  However, a socket-
   based implementation of IPsec in a host SHOULD maintain the
   information on a per socket basis.  Bump in the stack systems MUST
   pass an ICMP PMTU to the host IP implementation, after adjusting it
   for any IPsec header overhead added by these systems.  The
   determination of the overhead SHOULD be determined by analysis of the
   SPI and any other selector information present in a returned ICMP
   PMTU message.

B.3.5 Delivery of PMTU Data to the Transport Layer

   The host mechanism for getting the updated PMTU to the transport
   layer is unchanged, as specified in RFC 1191 (Path MTU Discovery).

B.3.6 Aging of PMTU Data

   This topic is covered in Section 6.1.2.4.

Appendix C -- Sequence Space Window Code Example

   This appendix contains a routine that implements a bitmask check for
   a 32 packet window.  It was provided by James Hughes
   (jim_hughes@stortek.com) and Harry Varnis (hgv@anubis.network.com)
   and is intended as an implementation example.  Note that this code
   both checks for a replay and updates the window.  Thus the algorithm,
   as shown, should only be called AFTER the packet has been
   authenticated.  Implementers might wish to consider splitting the
   code to do the check for replays before computing the ICV.  If the
   packet is not a replay, the code would then compute the ICV, (discard
   any bad packets), and if the packet is OK, update the window.

#include <stdio.h>
#include <stdlib.h>
typedef unsigned long u_long;

enum {
    ReplayWindowSize = 32
};

u_long bitmap = 0;                 /* session state - must be 32 bits */
u_long lastSeq = 0;                     /* session state */

/* Returns 0 if packet disallowed, 1 if packet permitted */
int ChkReplayWindow(u_long seq);

int ChkReplayWindow(u_long seq) {
    u_long diff;

    if (seq == 0) return 0;             /* first == 0 or wrapped */
    if (seq > lastSeq) {                /* new larger sequence number */
        diff = seq - lastSeq;
        if (diff < ReplayWindowSize) {  /* In window */
            bitmap <<= diff;
            bitmap |= 1;                /* set bit for this packet */
        } else bitmap = 1;          /* This packet has a "way larger" */
        lastSeq = seq;
        return 1;                       /* larger is good */
    }
    diff = lastSeq - seq;
    if (diff >= ReplayWindowSize) return 0; /* too old or wrapped */
    if (bitmap & ((u_long)1 << diff)) return 0; /* already seen */
    bitmap |= ((u_long)1 << diff);              /* mark as seen */
    return 1;                           /* out of order but good */
}

char string_buffer[512];

#define STRING_BUFFER_SIZE sizeof(string_buffer)

int main() {
    int result;
    u_long last, current, bits;

    printf("Input initial state (bits in hex, last msgnum):\n");
    if (!fgets(string_buffer, STRING_BUFFER_SIZE, stdin)) exit(0);
    sscanf(string_buffer, "%lx %lu", &bits, &last);
    if (last != 0)
    bits |= 1;
    bitmap = bits;
    lastSeq = last;
    printf("bits:%08lx last:%lu\n", bitmap, lastSeq);
    printf("Input value to test (current):\n");

    while (1) {
        if (!fgets(string_buffer, STRING_BUFFER_SIZE, stdin)) break;
        sscanf(string_buffer, "%lu", ¤t);
        result = ChkReplayWindow(current);
        printf("%-3s", result ? "OK" : "BAD");
        printf(" bits:%08lx last:%lu\n", bitmap, lastSeq);
    }
    return 0;
}

Appendix D -- Categorization of ICMP messages

The tables below characterize ICMP messages as being either host
generated, router generated, both, unassigned/unknown.  The first set
are IPv4.  The second set are IPv6.

                                IPv4

Type    Name/Codes                                             Reference
========================================================================
HOST GENERATED:
  3     Destination Unreachable
         2  Protocol Unreachable                               [RFC792]
         3  Port Unreachable                                   [RFC792]
         8  Source Host Isolated                               [RFC792]
        14  Host Precedence Violation                          [RFC1812]
 10     Router Selection                                       [RFC1256]

Type    Name/Codes                                             Reference
========================================================================
ROUTER GENERATED:
  3     Destination Unreachable
         0  Net Unreachable                                    [RFC792]
         4  Fragmentation Needed, Don't Fragment was Set       [RFC792]
         5  Source Route Failed                                [RFC792]
         6  Destination Network Unknown                        [RFC792]
         7  Destination Host Unknown                           [RFC792]
         9  Comm. w/Dest. Net. is Administratively Prohibited  [RFC792]
        11  Destination Network Unreachable for Type of Service[RFC792]
  5     Redirect
         0  Redirect Datagram for the Network (or subnet)      [RFC792]
         2  Redirect Datagram for the Type of Service & Network[RFC792]
  9     Router Advertisement                                   [RFC1256]
 18     Address Mask Reply                                     [RFC950]

                                IPv4
Type    Name/Codes                                             Reference
========================================================================
BOTH ROUTER AND HOST GENERATED:
  0     Echo Reply                                             [RFC792]
  3     Destination Unreachable
         1  Host Unreachable                                   [RFC792]
        10  Comm. w/Dest. Host is Administratively Prohibited  [RFC792]
        12  Destination Host Unreachable for Type of Service   [RFC792]
        13  Communication Administratively Prohibited          [RFC1812]
        15  Precedence cutoff in effect                        [RFC1812]
  4     Source Quench                                          [RFC792]
  5     Redirect
         1  Redirect Datagram for the Host                     [RFC792]
         3  Redirect Datagram for the Type of Service and Host [RFC792]
  6     Alternate Host Address                                 [JBP]
  8     Echo                                                   [RFC792]
 11     Time Exceeded                                          [RFC792]
 12     Parameter Problem                              [RFC792,RFC1108]
 13     Timestamp                                              [RFC792]
 14     Timestamp Reply                                        [RFC792]
 15     Information Re
quest                                    [RFC792]
 16     Information Reply                                      [RFC792]
 17     Address Mask Request                                   [RFC950]
 30     Traceroute                                             [RFC1393]
 31     Datagram Conversion Error                              [RFC1475]
 32     Mobile Host Redirect                                   [Johnson]
 39     SKIP                                                   [Markson]
 40     Photuris                                               [Simpson]

Type    Name/Codes                                             Reference
========================================================================
UNASSIGNED TYPE OR UNKNOWN GENERATOR:
  1     Unassigned                                             [JBP]
  2     Unassigned                                             [JBP]
  7     Unassigned                                             [JBP]
 19     Reserved (for Security)                                [Solo]
 20-29  Reserved (for Robustness Experiment)                   [ZSu]
 33     IPv6 Where-Are-You                                     [Simpson]
 34     IPv6 I-Am-Here                                         [Simpson]
 35     Mobile Registration Request                            [Simpson]
 36     Mobile Registration Reply                              [Simpson]
 37     Domain Name Request                                    [Simpson]
 38     Domain Name Reply                                      [Simpson]
 41-255 Reserved                                               [JBP]

                                IPv6

Type    Name/Codes                                             Reference
========================================================================
HOST GENERATED:
  1     Destination Unreachable                                [RFC 1885]
         4  Port Unreachable

Type    Name/Codes                                             Reference
========================================================================
ROUTER GENERATED:
  1     Destination Unreachable                                [RFC1885]
         0  No Route to Destination
         1  Comm. w/Destination is Administratively Prohibited
         2  Not a Neighbor
         3  Address Unreachable
  2     Packet Too Big                                         [RFC1885]
         0
  3     Time Exceeded                                          [RFC1885]
         0  Hop Limit Exceeded in Transit
         1  Fragment reassembly time exceeded

Type    Name/Codes                                             Reference
========================================================================
BOTH ROUTER AND HOST GENERATED:
  4     Parameter Problem                                      [RFC1885]
         0  Erroneous Header Field Encountered
         1  Unrecognized Next Header Type Encountered
         2  Unrecognized IPv6 Option Encountered

References

   [BL73]    Bell, D.E. & LaPadula, L.J., "Secure Computer Systems:
             Mathematical Foundations and Model", Technical Report M74-
             244, The MITRE Corporation, Bedford, MA, May 1973.

   [Bra97]   Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Level", BCP 14, RFC 2119, March 1997.

   [DoD85]   US National Computer Security Center, "Department of
             Defense Trusted Computer System Evaluation Criteria", DoD
             5200.28-STD, US Department of Defense, Ft. Meade, MD.,
             December 1985.

   [DoD87]   US National Computer Security Center, "Trusted Network
             Interpretation of the Trusted Computer System Evaluation
             Criteria", NCSC-TG-005, Version 1, US Department of
             Defense, Ft. Meade, MD., 31 July 1987.

   [HA94]    Haller, N., and R. Atkinson, "On Internet Authentication",
             RFC 1704, October 1994.

   [HC98]    Harkins, D., and D. Carrel, "The Internet Key Exchange
             (IKE)", RFC 2409, November 1998.

   [HM97]    Harney, H., and C.  Muckenhirn, "Group Key Management
             Protocol (GKMP) Architecture", RFC 2094, July 1997.

   [ISO]     ISO/IEC JTC1/SC6, Network Layer Security Protocol, ISO-IEC
             DIS 11577, International Standards Organisation, Geneva,
             Switzerland, 29 November 1992.

   [IB93]    John Ioannidis and Matt Blaze, "Architecture and
             Implementation of Network-layer Security Under Unix",
             Proceedings of USENIX Security Symposium, Santa Clara, CA,
             October 1993.

   [IBK93]   John Ioannidis, Matt Blaze, & Phil Karn, "swIPe: Network-
             Layer Security for IP", presentation at the Spring 1993
             IETF Meeting, Columbus, Ohio

   [KA98a]   Kent, S., and R. Atkinson, "IP Authentication Header", RFC
             2402, November 1998.

   [KA98b]   Kent, S., and R. Atkinson, "IP Encapsulating Security
             Payload (ESP)", RFC 2406, November 1998.

   [Ken91]   Kent, S., "US DoD Security Options for the Internet
             Protocol", RFC 1108, November 1991.

   [MSST97]  Maughan, D., Schertler, M., Schneider, M., and J. Turner,
             "Internet Security Association and Key Management Protocol
             (ISAKMP)", RFC 2408, November 1998.

   [Orm97]   Orman, H., "The OAKLEY Key Determination Protocol", RFC
             2412, November 1998.

   [Pip98]   Piper, D., "The Internet IP Security Domain of
             Interpretation for ISAKMP", RFC 2407, November 1998.

   [Sch94]   Bruce Schneier, Applied Cryptography, Section 8.6, John
             Wiley & Sons, New York, NY, 1994.

   [SDNS]    SDNS Secure Data Network System, Security Protocol 3, SP3,
             Document SDN.301, Revision 1.5, 15 May 1989, published in
             NIST Publication NIST-IR-90-4250, February 1990.

   [SMPT98]  Shacham, A., Monsour, R., Pereira, R., and M. Thomas, "IP
             Payload Compression Protocol (IPComp)", RFC 2393, August
             1998.

   [TDG97]   Thayer, R., Doraswamy, N., and R. Glenn, "IP Security
             Document Roadmap", RFC 2411, November 1998.

   [VK83]    V.L. Voydock & S.T. Kent, "Security Mechanisms in High-
             level Networks", ACM Computing Surveys, Vol. 15, No. 2,
             June 1983.

Disclaimer

   The views and specification expressed in this document are those of
   the authors and are not necessarily those of their employers.  The
   authors and their employers specifically disclaim responsibility for
   any problems arising from correct or incorrect implementation or use
   of this design.

Author Information

   Stephen Kent
   BBN Corporation
   70 Fawcett Street
   Cambridge, MA  02140
   USA

   Phone: +1 (617) 873-3988
   EMail: kent@bbn.com

   Randall Atkinson
   @Home Network
   425 Broadway
   Redwood City, CA 94063
   USA

   Phone: +1 (415) 569-5000
   EMail: rja@corp.home.net

Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies a
nd derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

The post RFC 2401 – Security Architecture for the Internet Protocol appeared first on IPv6.net.

Network Working Group                                          J. McCann
Request for Comments: 1981                 Digital Equipment Corporation
Category: Standards Track                                     S. Deering
                                                              Xerox PARC
                                                                J. Mogul
                                           Digital Equipment Corporation
                                                             August 1996

                  Path MTU Discovery for IP version 6

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document describes Path MTU Discovery for IP version 6.  It is
   largely derived from RFC 1191, which describes Path MTU Discovery for
   IP version 4.

Table of Contents

   1. Introduction.................................................2
   2. Terminology..................................................2
   3. Protocol overview............................................3
   4. Protocol Requirements........................................4
   5. Implementation Issues........................................5
   5.1. Layering...................................................5
   5.2. Storing PMTU information...................................6
   5.3. Purging stale PMTU information.............................8
   5.4. TCP layer actions..........................................9
   5.5. Issues for other transport protocols......................11
   5.6. Management interface......................................12
   6. Security Considerations.....................................12
   Acknowledgements...............................................13
   Appendix A - Comparison to RFC 1191............................14
   References.....................................................14
   Authors' Addresses.............................................15

1. Introduction

   When one IPv6 node has a large amount of data to send to another
   node, the data is transmitted in a series of IPv6 packets.  It is
   usually preferable that these packets be of the largest size that can
   successfully traverse the path from the source node to the
   destination node.  This packet size is referred to as the Path MTU
   (PMTU), and it is equal to the minimum link MTU of all the links in a
   path.  IPv6 defines a standard mechanism for a node to discover the
   PMTU of an arbitrary path.

   IPv6 nodes SHOULD implement Path MTU Discovery in order to discover
   and take advantage of paths with PMTU greater than the IPv6 minimum
   link MTU [IPv6-SPEC].  A minimal IPv6 implementation (e.g., in a boot
   ROM) may choose to omit implementation of Path MTU Discovery.

   Nodes not implementing Path MTU Discovery use the IPv6 minimum link
   MTU defined in [IPv6-SPEC] as the maximum packet size.  In most
   cases, this will result in the use of smaller packets than necessary,
   because most paths have a PMTU greater than the IPv6 minimum link
   MTU.  A node sending packets much smaller than the Path MTU allows is
   wasting network resources and probably getting suboptimal throughput.

2. Terminology

   node        - a device that implements IPv6.

   router      - a node that forwards IPv6 packets not explicitly
                 addressed to itself.

   host        - any node that is not a router.

   upper layer - a protocol layer immediately above IPv6.  Examples are
                 transport protocols such as TCP and UDP, control
                 protocols such as ICMP, routing protocols such as OSPF,
                 and internet or lower-layer protocols being "tunneled"
                 over (i.e., encapsulated in) IPv6 such as IPX,
                 AppleTalk, or IPv6 itself.

   link        - a communication facility or medium over which nodes can
                 communicate at the link layer, i.e., the layer
                 immediately below IPv6.  Examples are Ethernets (simple
                 or bridged); PPP links; X.25, Frame Relay, or ATM
                 networks; and internet (or higher) layer "tunnels",
                 such as tunnels over IPv4 or IPv6 itself.

   interface   - a node's attachment to a link.

   address     - an IPv6-layer identifier for an interface or a set of
                 interfaces.

   packet      - an IPv6 header plus payload.

   link MTU    - the maximum transmission unit, i.e., maximum packet
                 size in octets, that can be conveyed in one piece over
                 a link.

   path        - the set of links traversed by a packet between a source
                 node and a destination node

   path MTU    - the minimum link MTU of all the links in a path between
                 a source node and a destination node.

   PMTU        - path MTU

   Path MTU
   Discovery   - process by which a node learns the PMTU of a path

   flow        - a sequence of packets sent from a particular source
                 to a particular (unicast or multicast) destination for
                 which the source desires special handling by the
                 intervening routers.

   flow id     - a combination of a source address and a non-zero
                 flow label.

3. Protocol overview

   This memo describes a technique to dynamically discover the PMTU of a
   path.  The basic idea is that a source node initially assumes that
   the PMTU of a path is the (known) MTU of the first hop in the path.
   If any of the packets sent on that path are too large to be forwarded
   by some node along the path, that node will discard them and return
   ICMPv6 Packet Too Big messages [ICMPv6].  Upon receipt of such a
   message, the source node reduces its assumed PMTU for the path based
   on the MTU of the constricting hop as reported in the Packet Too Big
   message.

   The Path MTU Discovery process ends when the node's estimate of the
   PMTU is less than or equal to the actual PMTU.  Note that several
   iterations of the packet-sent/Packet-Too-Big-message-received cycle
   may occur before the Path MTU Discovery process ends, as there may be
   links with smaller MTUs further along the path.

   Alternatively, the node may elect to end the discovery process by
   ceasing to send packets larger than the IPv6 minimum link MTU.

   The PMTU of a path may change over time, due to changes in the
   routing topology.  Reductions of the PMTU are detected by Packet Too
   Big messages.  To detect increases in a path's PMTU, a node
   periodically increases its assumed PMTU.  This will almost always
   result in packets being discarded and Packet Too Big messages being
   generated, because in most cases the PMTU of the path will not have
   changed.  Therefore, attempts to detect increases in a path's PMTU
   should be done infrequently.

   Path MTU Discovery supports multicast as well as unicast
   destinations.  In the case of a multicast destination, copies of a
   packet may traverse many different paths to many different nodes.

Each path may have a different PMTU, and a single multicast packet
   may result in multiple Packet Too Big messages, each reporting a
   different next-hop MTU.  The minimum PMTU value across the set of
   paths in use determines the size of subsequent packets sent to the
   multicast destination.

   Note that Path MTU Discovery must be performed even in cases where a
   node "thinks" a destination is attached to the same link as itself.
   In a situation such as when a neighboring router acts as proxy [ND]
   for some destination, the destination can to appear to be directly
   connected but is in fact more than one hop away.

4. Protocol Requirements

   As discussed in section 1, IPv6 nodes are not required to implement
   Path MTU Discovery.  The requirements in this section apply only to
   those implementations that include Path MTU Discovery.

   When a node receives a Packet Too Big message, it MUST reduce its
   estimate of the PMTU for the relevant path, based on the value of the
   MTU field in the message.  The precise behavior of a node in this
   circumstance is not specified, since different applications may have
   different requirements, and since different implementation
   architectures may favor different strategies.

   After receiving a Packet Too Big message, a node MUST attempt to
   avoid eliciting more such messages in the near future.  The node MUST
   reduce the size of the packets it is sending along the path.  Using a
   PMTU estimate larger than the IPv6 minimum link MTU may continue to
   elicit Packet Too Big messages.  Since each of these messages (and
   the dropped packets they respond to) consume network resources, the
   node MUST force the Path MTU Discovery process to end.

   Nodes using Path MTU Discovery MUST detect decreases in PMTU as fast
   as possible.  Nodes MAY detect increases in PMTU, but because doing
   so requires sending packets larger than the current estimated PMTU,

   and because the likelihood is that the PMTU will not have increased,
   this MUST be done at infrequent intervals.  An attempt to detect an
   increase (by sending a packet larger than the current estimate) MUST
   NOT be done less than 5 minutes after a Packet Too Big message has
   been received for the given path.  The recommended setting for this
   timer is twice its minimum value (10 minutes).

   A node MUST NOT reduce its estimate of the Path MTU below the IPv6
   minimum link MTU.

      Note: A node may receive a Packet Too Big message reporting a
      next-hop MTU that is less than the IPv6 minimum link MTU.  In that
      case, the node is not required to reduce the size of subsequent
      packets sent on the path to less than the IPv6 minimun link MTU,
      but rather must include a Fragment header in those packets [IPv6-
      SPEC].

   A node MUST NOT increase its estimate of the Path MTU in response to
   the contents of a Packet Too Big message.  A message purporting to
   announce an increase in the Path MTU might be a stale packet that has
   been floating around in the network, a false packet injected as part
   of a denial-of-service attack, or the result of having multiple paths
   to the destination, each with a different PMTU.

5. Implementation Issues

   This section discusses a number of issues related to the
   implementation of Path MTU Discovery.  This is not a specification,
   but rather a set of notes provided as an aid for implementors.

   The issues include:

   - What layer or layers implement Path MTU Discovery?

   - How is the PMTU information cached?

   - How is stale PMTU information removed?

   - What must transport and higher layers do?

5.1. Layering

   In the IP architecture, the choice of what size packet to send is
   made by a protocol at a layer above IP.  This memo refers to such a
   protocol as a "packetization protocol".  Packetization protocols are
   usually transport protocols (for example, TCP) but can also be
   higher-layer protocols (for example, protocols built on top of UDP).

   Implementing Path MTU Discovery in the packetization layers
   simplifies some of the inter-layer issues, but has several drawbacks:
   the implementation may have to be redone for each packetization
   protocol, it becomes hard to share PMTU information between different
   packetization layers, and the connection-oriented state maintained by
   some packetization layers may not easily extend to save PMTU
   information for long periods.

   It is therefore suggested that the IP layer store PMTU information
   and that the ICMP layer process received Packet Too Big messages.
   The packetization layers may respond to changes in the PMTU, by
   changing the size of the messages they send.  To support this
   layering, packetization layers require a way to learn of changes in
   the value of MMS_S, the "maximum send transport-message size".  The
   MMS_S is derived from the Path MTU by subtracting the size of the
   IPv6 header plus space reserved by the IP layer for additional
   headers (if any).

   It is possible that a packetization layer, perhaps a UDP application
   outside the kernel, is unable to change the size of messages it
   sends.  This may result in a packet size that exceeds the Path MTU.
   To accommodate such situations, IPv6 defines a mechanism that allows
   large payloads to be divided into fragments, with each fragment sent
   in a separate packet (see [IPv6-SPEC] section "Fragment Header").
   However, packetization layers are encouraged to avoid sending
   messages that will require fragmentation (for the case against
   fragmentation, see [FRAG]).

5.2. Storing PMTU information

   Ideally, a PMTU value should be associated with a specific path
   traversed by packets exchanged between the source and destination
   nodes.  However, in most cases a node will not have enough
   information to completely and accurately identify such a path.
   Rather, a node must associate a PMTU value with some local
   representation of a path.  It is left to the implementation to select
   the local representation of a path.

   In the case of a multicast destination address, copies of a packet
   may traverse many different paths to reach many different nodes.  The
   local representation of the "path" to a multicast destination must in
   fact represent a potentially large set of paths.

   Minimally, an implementation could maintain a single PMTU value to be
   used for all packets originated from the node.  This PMTU value would
   be the minimum PMTU learned across the set of all paths in use by the
   node.  This approach is likely to result in the use of smaller
   packets than is necessary for many paths.

   An implementation could use the destination address as the local
   representation of a path.  The PMTU value associated with a
   destination would be the minimum PMTU learned across the set of all
   paths in use to that destination.  The set of paths in use to a
   particular destination is expected to be small, in many cases
   consisting of a single path.  This approach will result in the use of
   optimally sized packets on a per-destination basis.  This approach
   integrates nicely with the conceptual model of a host as described in
   [ND]: a PMTU value could be stored with the corresponding entry in
   the destination cache.

   If flows [IPv6-SPEC] are in use, an implementation could use the flow
   id as the local repr
esentation of a path.  Packets sent to a
   particular destination but belonging to different flows may use
   different paths, with the choice of path depending on the flow id.
   This approach will result in the use of optimally sized packets on a
   per-flow basis, providing finer granularity than PMTU values
   maintained on a per-destination basis.

   For source routed packets (i.e. packets containing an IPv6 Routing
   header [IPv6-SPEC]), the source route may further qualify the local
   representation of a path.  In particular, a packet containing a type
   0 Routing header in which all bits in the Strict/Loose Bit Map are
   equal to 1 contains a complete path specification.  An implementation
   could use source route information in the local representation of a
   path.

      Note: Some paths may be further distinguished by different
      security classifications.  The details of such classifications are
      beyond the scope of this memo.

   Initially, the PMTU value for a path is assumed to be the (known) MTU
   of the first-hop link.

   When a Packet Too Big message is received, the node determines which
   path the message applies to based on the contents of the Packet Too
   Big message.  For example, if the destination address is used as the
   local representation of a path, the destination address from the
   original packet would be used to determine which path the message
   applies to.

      Note: if the original packet contained a Routing header, the
      Routing header should be used to determine the location of the
      destination address within the original packet.  If Segments Left
      is equal to zero, the destination address is in the Destination
      Address field in the IPv6 header.  If Segments Left is greater
      than zero, the destination address is the last address
      (Address[n]) in the Routing header.

   The node then uses the value in the MTU field in the Packet Too Big
   message as a tentative PMTU value, and compares the tentative PMTU to
   the existing PMTU.  If the tentative PMTU is less than the existing
   PMTU estimate, the tentative PMTU replaces the existing PMTU as the
   PMTU value for the path.

   The packetization layers must be notified about decreases in the
   PMTU.  Any packetization layer instance (for example, a TCP
   connection) that is actively using the path must be notified if the
   PMTU estimate is decreased.

      Note: even if the Packet Too Big message contains an Original
      Packet Header that refers to a UDP packet, the TCP layer must be
      notified if any of its connections use the given path.

   Also, the instance that sent the packet that elicited the Packet Too
   Big message should be notified that its packet has been dropped, even
   if the PMTU estimate has not changed, so that it may retransmit the
   dropped data.

      Note: An implementation can avoid the use of an asynchronous
      notification mechanism for PMTU decreases by postponing
      notification until the next attempt to send a packet larger than
      the PMTU estimate.  In this approach, when an attempt is made to
      SEND a packet that is larger than the PMTU estimate, the SEND
      function should fail and return a suitable error indication.  This
      approach may be more suitable to a connectionless packetization
      layer (such as one using UDP), which (in some implementations) may
      be hard to "notify" from the ICMP layer.  In this case, the normal
      timeout-based retransmission mechanisms would be used to recover
      from the dropped packets.

   It is important to understand that the notification of the
   packetization layer instances using the path about the change in the
   PMTU is distinct from the notification of a specific instance that a
   packet has been dropped.  The latter should be done as soon as
   practical (i.e., asynchronously from the point of view of the
   packetization layer instance), while the former may be delayed until
   a packetization layer instance wants to create a packet.
   Retransmission should be done for only for those packets that are
   known to be dropped, as indicated by a Packet Too Big message.

5.3. Purging stale PMTU information

   Internetwork topology is dynamic; routes change over time.  While the
   local representation of a path may remain constant, the actual
   path(s) in use may change.  Thus, PMTU information cached by a node
   can become stale.

   If the stale PMTU value is too large, this will be discovered almost
   immediately once a large enough packet is sent on the path.  No such
   mechanism exists for realizing that a stale PMTU value is too small,
   so an implementation should "age" cached values.  When a PMTU value
   has not been decreased for a while (on the order of 10 minutes), the
   PMTU estimate should be set to the MTU of the first-hop link, and the
   packetization layers should be notified of the change.  This will
   cause the complete Path MTU Discovery process to take place again.

      Note: an implementation should provide a means for changing the
      timeout duration, including setting it to "infinity".  For
      example, nodes attached to an FDDI link which is then attached to
      the rest of the Internet via a small MTU serial line are never
      going to discover a new non-local PMTU, so they should not have to
      put up with dropped packets every 10 minutes.

   An upper layer must not retransmit data in response to an increase in
   the PMTU estimate, since this increase never comes in response to an
   indication of a dropped packet.

   One approach to implementing PMTU aging is to associate a timestamp
   field with a PMTU value.  This field is initialized to a "reserved"
   value, indicating that the PMTU is equal to the MTU of the first hop
   link.  Whenever the PMTU is decreased in response to a Packet Too Big
   message, the timestamp is set to the current time.

   Once a minute, a timer-driven procedure runs through all cached PMTU
   values, and for each PMTU whose timestamp is not "reserved" and is
   older than the timeout interval:

   - The PMTU estimate is set to the MTU of the first hop link.

   - The timestamp is set to the "reserved" value.

   - Packetization layers using this path are notified of the increase.

5.4. TCP layer actions

   The TCP layer must track the PMTU for the path(s) in use by a
   connection; it should not send segments that would result in packets
   larger than the PMTU.  A simple implementation could ask the IP layer
   for this value each time it created a new segment, but this could be
   inefficient.  Moreover, TCP implementations that follow the "slow-
   start" congestion-avoidance algorithm [CONG] typically calculate and
   cache several other values derived from the PMTU.  It may be simpler
   to receive asynchronous notification when the PMTU changes, so that
   these variables may be updated.

   A TCP implementation must also store the MSS value received from its
   peer, and must not send any segment larger than this MSS, regardless
   of the PMTU.  In 4.xBSD-derived implementations, this may require
   adding an additional field to the TCP state record.

   The value sent in the TCP MSS option is independent of the PMTU.
   This MSS option value is used by the other end of the connection,
   which may be using an unrelated PMTU value.  See [IPv6-SPEC] sections
   "Packet Size Issues" and "M
aximum Upper-Layer Payload Size" for
   information on selecting a value for the TCP MSS option.

   When a Packet Too Big message is received, it implies that a packet
   was dropped by the node that sent the ICMP message.  It is sufficient
   to treat this as any other dropped segment, and wait until the
   retransmission timer expires to cause retransmission of the segment.
   If the Path MTU Discovery process requires several steps to find the
   PMTU of the full path, this could delay the connection by many
   round-trip times.

   Alternatively, the retransmission could be done in immediate response
   to a notification that the Path MTU has changed, but only for the
   specific connection specified by the Packet Too Big message.  The
   packet size used in the retransmission should be no larger than the
   new PMTU.

      Note: A packetization layer must not retransmit in response to
      every Packet Too Big message, since a burst of several oversized
      segments will give rise to several such messages and hence several
      retransmissions of the same data.  If the new estimated PMTU is
      still wrong, the process repeats, and there is an exponential
      growth in the number of superfluous segments sent.

      This means that the TCP layer must be able to recognize when a
      Packet Too Big notification actually decreases the PMTU that it
      has already used to send a packet on the given connection, and
      should ignore any other notifications.

   Many TCP implementations incorporate "congestion avoidance" and
   "slow-start" algorithms to improve performance [CONG].  Unlike a
   retransmission caused by a TCP retransmission timeout, a
   retransmission caused by a Packet Too Big message should not change
   the congestion window.  It should, however, trigger the slow-start
   mechanism (i.e., only one segment should be retransmitted until
   acknowledgements begin to arrive again).

   TCP performance can be reduced if the sender's maximum window size is
   not an exact multiple of the segment size in use (this is not the
   congestion window size, which is always a multiple of the segment

   size).  In many systems (such as those derived from 4.2BSD), the
   segment size is often set to 1024 octets, and the maximum window size
   (the "send space") is usually a multiple of 1024 octets, so the
   proper relationship holds by default.  If Path MTU Discovery is used,
   however, the segment size may not be a submultiple of the send space,
   and it may change during a connection; this means that the TCP layer
   may need to change the transmission window size when Path MTU
   Discovery changes the PMTU value.  The maximum window size should be
   set to the greatest multiple of the segment size that is less than or
   equal to the sender's buffer space size.

5.5. Issues for other transport protocols

   Some transport protocols (such as ISO TP4 [ISOTP]) are not allowed to
   repacketize when doing a retransmission.  That is, once an attempt is
   made to transmit a segment of a certain size, the transport cannot
   split the contents of the segment into smaller segments for
   retransmission.  In such a case, the original segment can be
   fragmented by the IP layer during retransmission.  Subsequent
   segments, when transmitted for the first time, should be no larger
   than allowed by the Path MTU.

   The Sun Network File System (NFS) uses a Remote Procedure Call (RPC)
   protocol [RPC] that, when used over UDP, in many cases will generate
   payloads that must be fragmented even for the first-hop link.  This
   might improve performance in certain cases, but it is known to cause
   reliability and performance problems, especially when the client and
   server are separated by routers.

   It is recommended that NFS implementations use Path MTU Discovery
   whenever routers are involved.  Most NFS implementations allow the
   RPC datagram size to be changed at mount-time (indirectly, by
   changing the effective file system block size), but might require
   some modification to support changes later on.

   Also, since a single NFS operation cannot be split across several UDP
   datagrams, certain operations (primarily, those operating on file
   names and directories) require a minimum payload size that if sent in
   a single packet would exceed the PMTU.  NFS implementations should
   not reduce the payload size below this threshold, even if Path MTU
   Discovery suggests a lower value.  In this case the payload will be
   fragmented by the IP layer.

5.6. Management interface

   It is suggested that an implementation provide a way for a system
   utility program to:

   - Specify that Path MTU Discovery not be done on a given path.

   - Change the PMTU value associated with a given path.

   The former can be accomplished by associating a flag with the path;
   when a packet is sent on a path with this flag set, the IP layer does
   not send packets larger than the IPv6 minimum link MTU.

   These features might be used to work around an anomalous situation,
   or by a routing protocol implementation that is able to obtain Path
   MTU values.

   The implementation should also provide a way to change the timeout
   period for aging stale PMTU information.

6. Security Considerations

   This Path MTU Discovery mechanism makes possible two denial-of-
   service attacks, both based on a malicious party sending false Packet
   Too Big messages to a node.

   In the first attack, the false message indicates a PMTU much smaller
   than reality.  This should not entirely stop data flow, since the
   victim node should never set its PMTU estimate below the IPv6 minimum
   link MTU.  It will, however, result in suboptimal performance.

   In the second attack, the false message indicates a PMTU larger than
   reality.  If believed, this could cause temporary blockage as the
   victim sends packets that will be dropped by some router.  Within one
   round-trip time, the node would discover its mistake (receiving
   Packet Too Big messages from that router), but frequent repetition of
   this attack could cause lots of packets to be dropped.  A node,
   however, should never raise its estimate of the PMTU based on a
   Packet Too Big message, so should not be vulnerable to this attack.

   A malicious party could also cause problems if it could stop a victim
   from receiving legitimate Packet Too Big messages, but in this case
   there are simpler denial-of-service attacks available.

Acknowledgements

   We would like to acknowledge the authors of and contributors to
   [RFC-1191], from which the majority of this document was derived.  We
   would also like to acknowledge the members of the IPng working group
   for their careful review and constructive criticisms.

Appendix A - Comparison to RFC 1191

   This document is based in large part on RFC 1191, which describes
   Path MTU Discovery for IPv4.  Certain portions of RFC 1191 were not
   needed in this document:

   router specification    - Packet Too Big messages and corresponding
                             router behavior are defined in [ICMPv6]

   Don't Fragment bit      - there is no DF bit in IPv6 packets

   TCP MSS discussion      - selecting a value to send in the TCP MSS
                             option is discussed in [IPv6-SPEC]

   old-style messages      - all Packet Too Big messages report the
                             MTU of the constricting link

   MTU plateau tables      - not needed because there are no old-style
                             messages

References

   [CONG]      Van Jacobson.  Congestion Avoidance and Control.  Proc.
               SIGCOMM '88 Symposium on Communications Architectures and
               Protocols, pages 314-329.  Stanford, CA, August, 1988.

   [FRAG]      C. Kent and J. Mogul.  Fragmentation Considered Harmful.
               In Proc. SIGCOMM '87 Workshop on Frontiers in Computer
               Communications Technology.  August, 1987.

   [ICMPv6]    Conta, A., and S. Deering, "Internet Control Message
               Protocol (ICMPv6) for the Internet Protocol Version 6
               (IPv6) Specification", RFC 1885, December 1995.

   [IPv6-SPEC] Deering, S., and R. Hinden, "Internet Protocol, Version
               6 (IPv6) Specification", RFC 1883, December 1995.

   [ISOTP]     ISO.  ISO Transport Protocol Specification: ISO DP 8073.
               RFC 905, SRI Network Information Center, April, 1984.

   [ND]        Narten, T., Nordmark, E., and W. Simpson, "Neighbor
               Discovery for IP Version 6 (IPv6)", Work in Progress.

   [RFC-1191]  Mogul, J., and S. Deering, "Path MTU Discovery",
               RFC 1191, November 1990.

   [RPC]       Sun Microsystems, Inc., "RPC: Remote Procedure Call
               Protocol", RFC 1057, SRI Network Information Center,
               June, 1988.

Authors' Addresses

   Jack McCann
   Digital Equipment Corporation
   110 Spitbrook Road, ZKO3-3/U14
   Nashua, NH 03062
   Phone: +1 603 881 2608

   Fax:   +1 603 881 0120
   Email: mccann@zk3.dec.com

   Stephen E. Deering
   Xerox Palo Alto Research Center
   3333 Coyote Hill Road
   Palo Alto, CA 94304
   Phone: +1 415 812 4839

   Fax:   +1 415 812 4471
   EMail: deering@parc.xerox.com

   Jeffrey Mogul
   Digital Equipment Corporation Western Research Laboratory
   250 University Avenue
   Palo Alto, CA 94301
   Phone: +1 415 617 3304

   EMail: mogul@pa.dec.com