Foreword           v
Introduction        vi
 1     Scope
 2     Normative references
        2.1     Identical Recommendations | International Standards
        2.2     Paired Recommendations | International Standards equivalent in technical content
        2.3     Additional references
 3     Definitions
        3.1     Security reference model definitions
        3.2     Additional definitions
 4     Symbols and abbreviations
 5     Overview of the Protocol
        5.1     Introduction
        5.2     Security Associations and attributes
                  5.2.1     Security services for connection‑oriented Transport protocol
                  5.2.2     Security Service for connectionless Transport protocol
        5.3     Service assumed of the Network Layer
        5.4     Security management requirements
        5.5     Minimum algorithm characteristics
        5.6     Security encapsulation function
                  5.6.1     Data encipherment function
                  5.6.2     Integrity function
                  5.6.3     Security label function
                  5.6.4     Security padding function
                  5.6.5     Peer Entity Authentication function
                  5.6.6     SA Function using in band SA-P
 6     Elements of procedure
        6.1     Concatenation and separation
        6.2     Confidentiality
                  6.2.1     Purpose    
                  6.2.2     TPDUs and parameters used
                  6.2.3     Procedure
        6.3     Integrity processing
                  6.3.1     Integrity Check Value (ICV) processing
                          TPDUs and parameters used
                  6.3.2     Direction indicator processing
                          TPDUs and parameters used
                  6.3.3     Connection integrity sequence number processing
                          Unique sequence numbers
        6.4     Peer address check processing
                  6.4.1     Purpose    
                  6.4.2     Procedure
        6.5     Security labels for Security Associations
                  6.5.1     Purpose    
                  6.5.2     TPDUs and parameters used
                  6.5.3     Procedure
        6.6     Connection release
        6.7     Key replacement
        6.8     Unprotected TPDUs
        6.9     Protocol identification
       6.10     Security Association-Protocol
 7     Use of elements of procedure
 8     Structure and encoding of TPDUs
        8.1     Structure of TPDU
        8.2     Security encapsulation TPDU
                  8.2.1     Clear header
                          PDU clear header length
                          PDU type         
                  8.2.2     Crypto sync
                  8.2.3     Protected contents
                          Structure of protected contents field
                          Content length
                          Protected data
                          Integrity PAD
                  8.2.4     ICV         
                  8.2.5     Encipherment PAD
        8.3     Security Association PDU
                  8.3.1     LI 
                  8.3.2     PDU Type
                  8.3.3     SA-ID      
                  8.3.4     SA-P Type
                  8.3.5     SA PDU Contents
 9     Conformance
        9.1     General
        9.2     Common static conformance requirements
        9.3     TLSP with ITU-T Rec. X.234 | ISO 8602 static conformance requirements
        9.4     TLSP with ITU-T Rec. X.224 | ISO/IEC 8073 static conformance requirements
        9.5     Common dynamic conformance requirements
        9.6     TLSP with ITU-T Rec. X.234 | ISO 8602 dynamic conformance requirements
        9.7     TLSP with ITU-T Rec. X.224 | ISO/IEC 8073 dynamic conformance requirements
10     Protocol implementation conformance statement (PICS)
Annex A – PICS proforma
        A.1     Introduction
                  A.1.1     Background
                  A.1.2     Approach
        A.2     Implementation identification
        A.3     General statement of conformance
        A.4     Protocol implementation
        A.5     Security services supported
        A.6     Supported functions
        A.7     Supported Protocol Data Units (PDUs)
                  A.7.1     Supported Transport PDUs (TPDUs)
                  A.7.2     Supported parameters of issued TPDUs
                  A.7.3     Supported parameters of received TPDUs
                  A.7.4     Allowed values of issued TPDU parameters
        A.8     Service, function, and protocol relationships
                  A.8.1     Relationship between services and functions
                  A.8.2     Relationship between services and protocol
        A.9     Supported algorithms
       A.10     Error handling
                 A.10.1     Security errors
                 A.10.2     Protocol errors
       A.11     Security Association
                 A.11.1     SA Generic Fields
                 A.11.2     Content Fields Specific to Key Exchange SA-P
Annex B – Security Association Protocol Using Key Token Exchange and Digital Signatures
        B.1     Overview
        B.2     Key Token Exchange (KTE)
        B.3     SA‑Protocol Authentication
        B.4     SA Attribute Negotiation
                  B.4.1     Service Negotiation
                  B.4.2     Label Set Negotiation
                  B.4.3     Key and ISN Selection
                  B.4.4     Miscellaneous SA Attribute Negotiation
                  B.4.5     Re-keying Overview
                  B.4.6     SA Abort/Release Overview
        B.5     Mapping of SA‑Protocol Functions to Protocol Exchanges
                  B.5.1     KTE (First) Exchange
                               B.5.1.1     Request to Initiate the SA‑Protocol
                               B.5.1.2     Receipt of the First Exchange PDU by Recipient
                  B.5.2     Authentication and Security Negotiation (Second) Exchange
                               B.5.2.1     Receipt of First Exchange PDU by Initiator
                               B.5.2.2     Receipt of the Second Exchange PDU by Recipient
                  B.5.3     Rekey Procedure
                  B.5.4     SA Release / Abort Exchange
                               B.5.4.1     Request to Initiate SA Release / Abort
                               B.5.4.2     Receipt of SA Abort/Release Requests
        B.6     SA PDU – SA Contents
                  B.6.1     Exchange ID
                  B.6.2     Content Length
                  B.6.3     Content Fields
                               B.6.3.1     My SA‑ID       
                               B.6.3.2     Old Your SA-ID
                               B.6.3.3     Key Token 1, Key Token 2, Key Token 3, and Key Token 4
                               B.6.3.4     Authentication Digital Signature, Certificate
                               B.6.3.5     Service Selection
                               B.6.3.6     SA Rejection Reason
                               B.6.3.7     SA Abort/Release Reason
                               B.6.3.8     Label   
                               B.6.3.9     Key Selection
                              B.6.3.10     SA Flags
                              B.6.3.11     ASSR
Annex C – An example of an agreed set of security rules (ASSR)
Annex D – Overview of EKE Algorithm