3.7.1 Abstract Data Model
When this extension is implemented, the following additional state is maintained. Negotiation discovery is an extension to IKE protocol version 1 as specified in [RFC2409].
Main mode security association database (MMSAD): The entry for each MM SA contains the following specific data element for negotiation discovery:
Negotiation Discovery Supported: A flag that MUST be set if the peer supports negotiation discovery.
Security policy database (SPD): The following information MUST be maintained:
A policy flag indicating that negotiation discovery MUST be applied to inbound and/or outbound traffic.
A Boundary policy flag for negotiation discovery inbound rules that MUST be set if plaintext is accepted for this rule.
A policy flag that MUST be set if encryption is guaranteed for this traffic.
Security association database (SAD): The following information MUST be maintained:
Boundary flag: A flag that MUST be set if the QM SA matches an inbound negotiation discovery rule on the remote host.
Guaranteed Encryption flag: A flag that MUST be set if the QM SA is an encryption SA and can be used for flows that have the Guaranteed Encryption flag set.
Flow state table: The following information MUST be maintained:
Secure flag: A flag that MUST be set if one or more packets for this flow have been sent over a QM SA.
Guaranteed Encryption flag: A flag that MUST be set if encryption is guaranteed for this flow.
Acquire flag: A flag that MUST be set if a QM SA negotiation has already been triggered for this flow. This flag prevents triggering of an Acquire for each packet over a connection that stays in plaintext.
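The following Python model is an added illustration, not text or code from this specification or from any implementation of it. It encodes the SPD, SAD and flow state table flags listed above as data classes and shows how the Acquire flag suppresses repeated acquires for a flow that stays in plaintext, how a flow with the Guaranteed Encryption flag is restricted to QM SAs that carry that flag, and how inbound plaintext is accepted only on a Boundary rule. The names `SpdEntry`, `QmSa`, `FlowState`, `outbound_packet`, the dispositions "sa:<spi>", "plaintext", "hold" and "not-nd", and the decision to hold a guaranteed-encryption packet until an SA exists are all assumptions made for the example; the specification defines the flags, not these names or that queuing behavior.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SpdEntry:
    """Security policy database entry carrying the negotiation discovery flags."""
    nd_outbound: bool = False            # negotiation discovery applies to outbound traffic
    nd_inbound: bool = False             # negotiation discovery applies to inbound traffic
    boundary: bool = False               # inbound ND rule also accepts plaintext
    guaranteed_encryption: bool = False  # encryption is guaranteed for this traffic


@dataclass
class QmSa:
    """Security association database entry for one quick mode SA."""
    spi: int
    encryption: bool                     # the SA is an encryption SA
    boundary: bool = False               # SA matches an inbound ND rule on the remote host
    guaranteed_encryption: bool = False  # usable for flows with Guaranteed Encryption set

    def __post_init__(self) -> None:
        # The Guaranteed Encryption flag is only defined for encryption SAs.
        if self.guaranteed_encryption and not self.encryption:
            raise ValueError("Guaranteed Encryption requires an encryption SA")


@dataclass
class FlowState:
    """Flow state table entry."""
    secure: bool = False                 # at least one packet sent over a QM SA
    guaranteed_encryption: bool = False  # copied from the matching SPD entry
    acquire: bool = False                # a QM SA negotiation was already triggered


def new_flow(policy: SpdEntry) -> FlowState:
    """Create the flow state entry for traffic matching `policy` (assumed helper)."""
    return FlowState(guaranteed_encryption=policy.guaranteed_encryption)


def select_sa(sad: list[QmSa], flow: FlowState) -> Optional[QmSa]:
    """Pick a QM SA that may carry this flow, honoring Guaranteed Encryption."""
    for sa in sad:
        if flow.guaranteed_encryption and not sa.guaranteed_encryption:
            continue  # this SA may not carry guaranteed-encryption traffic
        return sa
    return None


def outbound_packet(flow: FlowState, policy: SpdEntry,
                    sad: list[QmSa]) -> tuple[str, list[str]]:
    """Decide how one outbound packet of `flow` is handled.

    Returns (disposition, events); the disposition strings and the "acquire"
    event are names chosen for this example.
    """
    events: list[str] = []
    if not policy.nd_outbound:
        return ("not-nd", events)          # outside the negotiation discovery rules
    sa = select_sa(sad, flow)
    if sa is not None:
        flow.secure = True                 # Secure flag: a packet went over a QM SA
        return (f"sa:{sa.spi}", events)
    if not flow.acquire:
        flow.acquire = True                # Acquire flag: trigger negotiation only once
        events.append("acquire")
    if flow.guaranteed_encryption:
        # Assumption: the packet is held until an SA exists; the specification
        # only says plaintext is not acceptable for guaranteed-encryption traffic.
        return ("hold", events)
    return ("plaintext", events)           # allowed while the negotiation is in flight


def inbound_plaintext_packet(policy: SpdEntry) -> bool:
    """Plaintext on an inbound ND rule is accepted only when the rule is a Boundary rule."""
    return policy.nd_inbound and policy.boundary


if __name__ == "__main__":
    policy = SpdEntry(nd_outbound=True)
    sad: list[QmSa] = []
    flow = new_flow(policy)
    print(outbound_packet(flow, policy, sad))   # plaintext, acquire triggered
    print(outbound_packet(flow, policy, sad))   # plaintext, no second acquire
    sad.append(QmSa(spi=0x1001, encryption=True))
    print(outbound_packet(flow, policy, sad))   # now sent over the SA
    print(flow.secure)
```

Run as a script, the first two packets of the flow leave in plaintext but only the first raises an acquire; once a QM SA appears, traffic moves onto it and the Secure flag is set. A guaranteed-encryption flow never takes the plaintext branch and ignores SAs without the Guaranteed Encryption flag.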