3.4.1 Abstract Data Model

When this extension is implemented, the following additional state is maintained. This is an extension to IKE Protocol version 1 as specified in [RFC2409].

Main mode security association database (MMSAD): The entry for each MM SA contains the following CGA authentication–specific data elements:

  • CGA_CAPABLE: A flag that indicates whether the authentication type 0xFDED MUST be interpreted as the AUTH_CGA authentication method.

Peer authorization database (PAD): The following information MUST be maintained:

  • A new valid value AUTH_CGA that identifies the CGA authentication method, added to the locally-configurable list of acceptable authentication methods.

  • A new CGA ID data structure to hold the following parameters:

    • Modifier: size: 16 octets, type: unsigned integer. See [RFC3972] section 3.

    • Subnet Prefix: size: 8 octets, type: IPv6 subnet. See [RFC3972] section 3.

    • Collision Count: size: 1 octet, type: unsigned integer. See [RFC3972] section 3.

    • Public Key: size: variable, type: cryptographic key. See [RFC3972] section 3.

  • A self-signed certificate (type X.509) compatible with the IKE exchange. See [RFC2409] section 5.1.

This data structure is used during:

  • Generation of a CGA and its associated self-signed certificate (see section 3.4.3).

  • Construction of an identity payload (see section 3.4.5.4).

  • Verification of its association with a public key (see section 3.4.5.5).
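The CGA ID fields listed above (Modifier, Subnet Prefix, Collision Count, Public Key) are exactly the RFC 3972 "CGA Parameters" structure, and the association between a CGA and a public key is checked by recomputing that structure's hash. The following is an added example, not code from this specification or from any Microsoft implementation; it encodes the four fields, generates an address from them per RFC 3972 section 4 (the Sec parameter and the Hash1/Hash2 construction come from that RFC, not from this page), and runs the RFC 3972 section 5 verification. The public key bytes, the documentation prefix 2001:db8:1:2::/64 and the starting modifier are constructed placeholders; a real implementation would carry the peer's DER-encoded SubjectPublicKeyInfo and a random 128-bit modifier, and duplicate address detection is left out.

```python
import hashlib
import ipaddress

# Constructed placeholder standing in for a DER-encoded SubjectPublicKeyInfo.
SAMPLE_PUBLIC_KEY = b"constructed-placeholder-DER-SubjectPublicKeyInfo"
# Documentation prefix used as the constructed sample subnet prefix.
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")


def encode_cga_parameters(modifier: bytes, prefix: ipaddress.IPv6Network,
                          collision_count: int, public_key: bytes) -> bytes:
    """Lay out Modifier (16) | Subnet Prefix (8) | Collision Count (1) | Public Key."""
    if len(modifier) != 16:
        raise ValueError("modifier must be 16 octets")
    if prefix.prefixlen != 64:
        raise ValueError("CGA subnet prefix must be 64 bits")
    if not 0 <= collision_count <= 255:
        raise ValueError("collision count is a single octet")
    return (modifier + prefix.network_address.packed[:8]
            + bytes([collision_count]) + public_key)


def decode_cga_parameters(blob: bytes):
    """Split a CGA Parameters blob back into (modifier, prefix, count, key)."""
    if len(blob) < 25:
        raise ValueError("CGA Parameters too short")
    return blob[:16], blob[16:24], blob[24], blob[25:]


def hash2_satisfies_sec(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(Modifier | 9 zero octets | Public Key), leftmost 112 bits;
    its leftmost 16*Sec bits must be zero (hash-extension work factor)."""
    h2 = hashlib.sha1(modifier + b"\x00" * 9 + public_key).digest()[:14]
    return h2[:2 * sec] == b"\x00" * (2 * sec)


def interface_identifier(params: bytes, sec: int) -> bytes:
    """Hash1 = leftmost 64 bits of SHA-1(CGA Parameters); Sec is written into the
    three leftmost bits and the u/g bits (bits 6 and 7) are cleared."""
    h1 = hashlib.sha1(params).digest()[:8]
    return bytes([(h1[0] & 0x1C) | (sec << 5)]) + h1[1:]


def generate_cga(public_key: bytes, prefix: ipaddress.IPv6Network, sec: int,
                 start_modifier: int = 0, collision_count: int = 0):
    """RFC 3972 section 4 generation; returns (address, cga_parameters).
    start_modifier is deterministic here only so the example is reproducible."""
    if not 0 <= sec <= 7:
        raise ValueError("Sec is a 3-bit value")
    mod_int = start_modifier
    while True:  # search for a modifier whose Hash2 meets the Sec condition
        modifier = mod_int.to_bytes(16, "big")
        if hash2_satisfies_sec(modifier, public_key, sec):
            break
        mod_int = (mod_int + 1) % (1 << 128)
    params = encode_cga_parameters(modifier, prefix, collision_count, public_key)
    iid = interface_identifier(params, sec)
    address = ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)
    return address, params


def verify_cga(address, params: bytes) -> bool:
    """RFC 3972 section 5: is this CGA Parameters structure bound to the address?"""
    address = ipaddress.IPv6Address(address)
    modifier, subnet_prefix, collision_count, public_key = decode_cga_parameters(params)
    if collision_count > 2:                       # only 0, 1, 2 are valid
        return False
    if subnet_prefix != address.packed[:8]:       # prefix in params must match
        return False
    iid = address.packed[8:]
    h1 = hashlib.sha1(params).digest()[:8]
    # Compare Hash1 with the interface identifier, ignoring Sec and u/g bits.
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5                             # Sec read from the address
    return hash2_satisfies_sec(modifier, public_key, sec)


if __name__ == "__main__":
    addr, params = generate_cga(SAMPLE_PUBLIC_KEY, SAMPLE_PREFIX, sec=1)
    print("CGA:", addr, "verifies:", verify_cga(addr, params))
    forged = params[:-1] + bytes([params[-1] ^ 0x01])  # flip a key bit
    print("same address, altered public key:", verify_cga(addr, forged))
```

The verification is what section 3.4.5.5 relies on: because the interface identifier is a hash over the whole CGA Parameters structure, any change to the public key, prefix or modifier produces a different Hash1 and the check fails, so a peer cannot claim someone else's CGA with its own key without first finding a hash collision.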