3.7.1 Abstract Data Model

When this extension is implemented, the following additional state is maintained. This is an extension to IKE Protocol version 1 as specified in [RFC2409].

Main mode security association database (MMSAD): The entry for each MM SA contains the following specific data element for negotiation discovery:

  • Negotiation Discovery Supported: A flag that MUST be set if the peer supports negotiation discovery.

Security policy database (SPD): The following information MUST be maintained:

  • A policy flag indicating that negotiation discovery MUST be applied to inbound and/or outbound traffic.

  • A Boundary policy flag for negotiation discovery inbound rules that MUST be set if plaintext is accepted for this rule.

  • A policy flag that MUST be set if encryption is guaranteed for this traffic.

Security association database (SAD): The following information MUST be maintained:

  • Boundary flag: A flag that MUST be set if the QM SA matches an inbound negotiation discovery rule on the remote host.

  • Guaranteed Encryption flag: A flag that MUST be set if the QM SA is an encryption SA and can be used for flows that have the Guaranteed Encryption flag set.

Flow state table: The following information MUST be maintained:

  • Secure flag: A flag that MUST be set if one or more packets for this flow have been sent over a QM SA.

  • Guaranteed Encryption flag: A flag that MUST be set if encryption is guaranteed for this flow.

  • Acquire flag: A flag that MUST be set if a QM SA negotiation has already been triggered for this flow. This flag prevents an Acquire from being triggered for every packet of a connection that stays in plaintext.
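The three tables above are easier to reason about when the flags are exercised together. The following Python model is an added illustration, not code from the specification or from any Windows implementation: the dataclass and method names (SpdRule, QmSa, FlowState, NegotiationDiscoveryHost, send) are this example's own, the flow key is an assumed 5-tuple, and the dispatch policy in send() is an assumption layered on the definitions in 3.7.1 (a QM SA is eligible for a flow only if it carries the Guaranteed Encryption flag whenever the flow does; when no eligible SA exists, exactly one Acquire is raised per flow, a negotiation discovery flow keeps going in plaintext, and a guaranteed-encryption flow is dropped rather than leaked in the clear).

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flow key: (src, dst, proto, sport, dport). Assumed for this example;
# the specification does not fix a flow key format.
FlowKey = Tuple[str, str, int, int, int]


@dataclass
class SpdRule:
    """SPD entry fields listed in 3.7.1 (field names are this example's, not the spec's)."""
    nd_inbound: bool = False             # negotiation discovery applies to inbound traffic
    nd_outbound: bool = False            # negotiation discovery applies to outbound traffic
    boundary: bool = False               # inbound rule accepts plaintext
    guaranteed_encryption: bool = False  # encryption is guaranteed for matching traffic


@dataclass
class QmSa:
    """SAD entry for one quick mode SA, with the two negotiation discovery flags."""
    sa_id: str
    is_encryption_sa: bool
    boundary: bool = False               # matched an inbound ND rule on the remote host
    guaranteed_encryption: bool = False  # usable for flows whose Guaranteed Encryption flag is set


@dataclass
class FlowState:
    """Flow state table entry."""
    secure: bool = False                 # at least one packet went out over a QM SA
    guaranteed_encryption: bool = False  # encryption is guaranteed for this flow
    acquire: bool = False                # a QM SA negotiation was already triggered


def qm_sa_is_consistent(sa: QmSa) -> bool:
    """Guaranteed Encryption may only be set on an encryption SA (3.7.1, SAD)."""
    return sa.is_encryption_sa or not sa.guaranteed_encryption


class NegotiationDiscoveryHost:
    """Outbound side of a host keeping the SAD and flow state table from 3.7.1."""

    def __init__(self) -> None:
        self.sad: Dict[FlowKey, QmSa] = {}
        self.flows: Dict[FlowKey, FlowState] = {}
        self.acquires: List[FlowKey] = []  # Acquires handed to IKE (stand-in for the real hook)

    def install_qm_sa(self, key: FlowKey, sa: QmSa) -> None:
        """Add or replace the QM SA covering a flow, rejecting an inconsistent entry."""
        if not qm_sa_is_consistent(sa):
            raise ValueError("Guaranteed Encryption flag set on a non-encryption SA")
        self.sad[key] = sa

    def flow_state(self, key: FlowKey, rule: SpdRule) -> FlowState:
        """Look up the flow, creating it from the matching SPD rule on first sight."""
        state = self.flows.get(key)
        if state is None:
            state = FlowState(guaranteed_encryption=rule.guaranteed_encryption)
            self.flows[key] = state
        return state

    def send(self, key: FlowKey, rule: SpdRule) -> str:
        """Decide how one outbound packet leaves: 'sa:<id>', 'plaintext' or 'dropped'.

        Assumed policy (not from the spec): an SA is eligible only if it carries
        Guaranteed Encryption whenever the flow requires it; with no eligible SA,
        one Acquire is raised per flow, an ND flow continues in plaintext, and a
        guaranteed-encryption flow is dropped instead of being sent in the clear.
        """
        state = self.flow_state(key, rule)
        sa = self.sad.get(key)
        if sa is not None and (sa.guaranteed_encryption or not state.guaranteed_encryption):
            state.secure = True
            return f"sa:{sa.sa_id}"
        if not state.acquire:
            state.acquire = True         # first packet only; later packets do not re-trigger
            self.acquires.append(key)
        if rule.nd_outbound and not state.guaranteed_encryption:
            return "plaintext"
        return "dropped"


if __name__ == "__main__":
    # Constructed walk-through: a plaintext-tolerant ND flow, then a guaranteed one.
    host = NegotiationDiscoveryHost()
    flow = ("10.0.0.1", "10.0.0.2", 6, 49152, 445)
    rule = SpdRule(nd_outbound=True)
    for _ in range(3):
        print(host.send(flow, rule), "acquires so far:", len(host.acquires))
    host.install_qm_sa(flow, QmSa("sa-1", is_encryption_sa=True))
    print(host.send(flow, rule), "secure:", host.flows[flow].secure)
```

Running the module shows the Acquire flag doing its job: three plaintext packets raise a single Acquire, and the first packet after the QM SA is installed flips the flow's Secure flag. The Guaranteed Encryption check in send() is the part worth carrying into a real implementation: an SA that exists but lacks the flag must not be treated as satisfying a flow whose policy guarantees encryption.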