1.3.14 Extension to RFC Cross Reference
The following table summarizes how each IKE extension extends each of the applicable RFCs.
| IKE extension | Extends [RFC2407] | Extends [RFC2408] | Extends [RFC2409] | Extends [RFC3947] | Extends [RFC4306] | IKE version |
|---|---|---|---|---|---|---|
| NAT-T transport mode only | (1) | (2) (3) | | (7) | | IKEv1 |
| IKE fragmentation | | (3) | (8) | | | IKEv1 |
| CGA authentication | (4) (5) | (3) | (9) | | | IKEv1 |
| Fast failover | | (3) | (10) | | | IKEv1 |
| | | (3) (6) | (10) | | | IKEv1 |
| Reliable delete | | | (11) | | | IKEv1 |
| Denial of Service protection | | (6) | (12) | | | IKEv1 |
| IKE SA Correlation | | | | | (13) | IKEv2 |
| Configuration Attribute | | | | | (14) | IKEv2 |
(1) Adjunction of an encapsulation mode in the private range. Encapsulation mode is specified in [RFC2407] section 4.5.
(2) Adjunction of a vendor ID. Vendor ID is as specified in [RFC2408] section 3.16.
(3) Adjunction of payload types in the private range. Payload types are specified in [RFC2408] section 3.1.
(4) Adjunction of an authentication method within an ISAKMP SA payload, as specified in [RFC2407] section 4.6.1.
(5) Adjunction of an identification type for an ISAKMP Identification payload from the private Identification Type range, as specified in [RFC2407] section 4.6.2.
(6) Adjunction of a notify message type from the private range. The notify message types are specified in [RFC2408] section 3.14.1.
(7) Negotiation of the interpretation of payload types and encapsulation modes.
(8) Fragmentation and reassembly. Packet construction and decoding for IKE are specified in [RFC2409] section 5.
(9) Extends the IKE phase 1 exchange using certificates. For more information, see [RFC2409] section 5.1.
(10) Extends the IKE phase 1 exchange. For more information, see [RFC2409] section 5. Extends the QM SAs negotiation. For more information, see [RFC2409] section 5.5.
(11) Extends the Notify exchange. For more information, see [RFC2409] section 5.7.
(12) Extends the IKE phase 1 exchange. For more information, see [RFC2409] section 5.1.
(13) This extension allows two different IKEv2 IKE_SAs to be correlated so that the client credentials can be confirmed as still valid without tearing down the existing SA. When validation is required, a new IKE_SA (called SAcurrent) can be built to embed a new payload in this exchange that securely correlates this SA with the original SA.
(14) This extension allows the IKEv2 client endpoint of an IPsec remote access client (IRAC), as specified in [RFC4306], to determine the internal IPv4 and IPv6 addresses of the IPsec remote access server (IRAS), also as specified in [RFC4306].