Foreword v
Introduction vi
1
Scope
2
Normative references
2.1 Identical Recommendations | International Standards
2.2 Paired Recommendations | International Standards equivalent in
technical content
2.3 Additional
references
3
Definitions
3.1 Security reference model definitions
3.2 Additional definitions
4
Symbols and abbreviations
5
Overview of the Protocol
5.1 Introduction
5.2 Security Associations and attributes
5.2.1 Security services for connection‑oriented
Transport protocol
5.2.2 Security Service for connectionless
Transport protocol
5.3 Service assumed of the Network Layer
5.4 Security management requirements
5.5 Minimum algorithm characteristics
5.6 Security encapsulation function
5.6.1 Data encipherment function
5.6.2 Integrity function
5.6.3
Security label function
5.6.4 Security padding function
5.6.5 Peer Entity Authentication function
5.6.6 SA Function using in band SA-P
6
Elements of procedure
6.1 Concatenation and separation
6.2 Confidentiality
6.2.1 Purpose
6.2.2 TPDUs and parameters used
6.2.3 Procedure
6.3 Integrity processing
6.3.1 Integrity
Check Value (ICV) processing
6.3.1.1 Purpose
6.3.1.2 TPDUs and parameters
used
6.3.1.3 Procedure
6.3.2 Direction indicator processing
6.3.2.1 Purpose
6.3.2.2 TPDUs and parameters
used
6.3.2.3 Procedure
6.3.3 Connection integrity sequence number
processing
6.3.3.1 Unique sequence
numbers
6.3.3.2 Purpose
6.3.3.3 Procedure
6.4 Peer address check processing
6.4.1 Purpose
6.4.2 Procedure
6.5 Security labels for Security Associations
6.5.1 Purpose
6.5.2 TPDUs and parameters used
6.5.3 Procedure
6.6 Connection
release
6.7 Key replacement
6.8 Unprotected TPDUs
6.9 Protocol identification
6.10 Security Association-Protocol
7
Use of elements of procedure
8
Structure and encoding of TPDUs
8.1 Structure of TPDU
8.2 Security encapsulation TPDU
8.2.1 Clear header
8.2.1.1 PDU clear header
length
8.2.1.2 PDU type
8.2.1.3
SA‑ID
8.2.2 Crypto sync
8.2.3 Protected contents
8.2.3.1 Structure of
protected contents field
8.2.3.2 Content length
8.2.3.3 Flags
8.2.3.4 Label
8.2.3.5 Protected data
8.2.3.6 Integrity PAD
8.2.4 ICV
8.2.5
Encipherment PAD
8.3 Security Association PDU
8.3.1 LI
8.3.2 PDU Type
8.3.3 SA-ID
8.3.4 SA-P Type
8.3.5 SA PDU Contents
9
Conformance
9.1 General
9.2 Common static conformance requirements
9.3 TLSP with ITU-T Rec. X.234 | ISO 8602 static conformance
requirements
9.4 TLSP with ITU-T Rec. X.224 | ISO/IEC 8073 static conformance
requirements
9.5 Common dynamic conformance requirements
9.6 TLSP with ITU-T Rec. X.234 | ISO 8602 dynamic conformance
requirements
9.7 TLSP with ITU-T Rec. X.224 | ISO/IEC 8073 dynamic conformance
requirements
10 Protocol implementation
conformance statement (PICS)
Annex A – PICS proforma
A.1 Introduction
A.1.1 Background
A.1.2 Approach
A.2 Implementation identification
A.3 General statement of conformance
A.4 Protocol implementation
A.5 Security services supported
A.6 Supported functions
A.7 Supported Protocol Data Units (PDUs)
A.7.1 Supported Transport PDUs (TPDUs)
A.7.2 Supported parameters of issued TPDUs
A.7.3 Supported parameters of received TPDUs
A.7.4 Allowed values of issued TPDU parameters
A.8 Service, function, and protocol relationships
A.8.1 Relationship between services and
functions
A.8.2 Relationship between services and
protocol
A.9 Supported algorithms
A.10 Error handling
A.10.1 Security errors
A.10.2 Protocol errors
A.11 Security Association
A.11.1 SA Generic Fields
A.11.2 Content Fields Specific to Key Exchange
SA-P
Annex B – Security Association Protocol Using Key Token Exchange and Digital
Signatures
B.1 Overview
B.2 Key Token Exchange (KTE)
B.3 SA‑Protocol Authentication
B.4 SA Attribute Negotiation
B.4.1 Service Negotiation
B.4.2
Label Set Negotiation
B.4.3 Key and ISN Selection
B.4.4 Miscellaneous SA Attribute Negotiation
B.4.5 Re-keying Overview
B.4.6 SA Abort/Release Overview
B.5 Mapping of SA‑Protocol Functions to Protocol Exchanges
B.5.1 KTE (First) Exchange
B.5.1.1 Request to Initiate
the SA‑Protocol
B.5.1.2 Receipt of the First
Exchange PDU by Recipient
B.5.2 Authentication and Security Negotiation
(Second) Exchange
B.5.2.1 Receipt of First
Exchange PDU by Initiator
B.5.2.2 Receipt of the Second
Exchange PDU by Recipient
B.5.3 Rekey Procedure
B.5.4 SA Release / Abort Exchange
B.5.4.1 Request to Initiate
SA Release / Abort
B.5.4.2 Receipt of SA Abort/Release Requests
B.6 SA PDU – SA Contents
B.6.1 Exchange ID
B.6.2 Content Length
B.6.3 Content Fields
B.6.3.1 My SA‑ID
B.6.3.2 Old Your SA-ID
B.6.3.3 Key Token 1, Key
Token 2, Key Token 3, and Key Token 4
B.6.3.4 Authentication
Digital Signature, Certificate
B.6.3.5 Service Selection
B.6.3.6 SA Rejection Reason
B.6.3.7 SA Abort/Release
Reason
B.6.3.8 Label
B.6.3.9
Key Selection
B.6.3.10 SA Flags
B.6.3.11 ASSR
Annex C – An example of an agreed set of security rules (ASSR)
Annex D – Overview of EKE Algorithm