8. Conformance Requirements
This section summarizes the conformance requirements for IPsec implementations. IPv4 and IPv6 implementations each MUST comply with all requirements of this document; every requirement below applies to both address families.
8.1. Security Policy Database (SPD)
All IPsec implementations MUST have an SPD. The SPD MUST support the following:
- All selectors defined in Section 4.4.1.1
- Both transport and tunnel mode SAs
- PROTECT, BYPASS, and DISCARD processing actions
- Ordered policy entries, because selectors may overlap: the first matching entry determines the action, and a packet that matches no entry MUST be discarded
8.2. Security Association Database (SAD)
All IPsec implementations MUST have an SAD. The SAD MUST contain all the data items specified in Section 4.4.2.1, including:
- Security Parameter Index (SPI)
- Sequence number counter (outbound) and anti-replay window (inbound); the anti-replay service MUST be implemented, although the receiver may disable it on a per-SA basis
- AH and/or ESP algorithm parameters
- SA lifetime, expressed as a time interval and/or a byte count, together with the action (rekey or terminate) to take when it expires
- IPsec protocol mode (tunnel or transport)
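As an added example (not text or code from this document), the following Python sketch implements the two SAD items above that carry per-packet state: a sender-side sequence counter that refuses to cycle, and a receiver-side sliding anti-replay window using the bitmap scheme of RFC 4303 Appendix A. The 64-packet window size, the class and function names, and the sample sequence of received numbers are assumptions made for illustration; extended sequence numbers (ESN) are not modelled.

```python
# Added example, not from the document. Illustrates the SAD's sequence
# counter and anti-replay window. Window size, class names and the
# sample sequence below are assumptions made for illustration.


class SeqCounter:
    """Sender-side sequence number for one outbound SA (32-bit, no ESN)."""

    MAX = 0xFFFFFFFF

    def __init__(self):
        self.value = 0

    def next_seq(self):
        """Return the next sequence number, or None once the counter is
        exhausted: the sender must rekey rather than let the counter cycle."""
        if self.value >= self.MAX:
            return None
        self.value += 1
        return self.value


class ReplayWindow:
    """Receiver-side anti-replay window for one inbound SA.

    `top` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (top - i) has been received.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True if seq is fresh (and record it); False if it must be
        dropped as a replay or because it is too old for the window."""
        if seq == 0:
            return False                      # first transmitted value is 1
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # window moved entirely forward
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                      # left of the window: too old
        if self.bitmap & (1 << diff):
            return False                      # already seen: replay
        self.bitmap |= 1 << diff              # late but new: accept
        return True


def replay_decisions(seqs, size=64):
    """Run received sequence numbers through a fresh window and return the
    accept/drop decision for each, in order."""
    win = ReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]


def counter_near_exhaustion(start):
    """Advance a counter twice from `start`; shows the refusal to cycle."""
    c = SeqCounter()
    c.value = start
    return c.next_seq(), c.next_seq()


# Constructed sample: in-order delivery, a replay, a late arrival, a large
# jump, and a packet that then falls off the left edge of the window.
SAMPLE_SEQS = [1, 1, 3, 2, 2, 200, 136, 137, 0]

if __name__ == "__main__":
    for s, ok in zip(SAMPLE_SEQS, replay_decisions(SAMPLE_SEQS)):
        print(f"seq {s:>3}: {'accept' if ok else 'drop'}")
```

The window accepts out-of-order but unseen packets within its span (sequence 2 arriving after 3), rejects an exact replay, and rejects anything that has fallen behind the window's left edge once a later packet has moved it forward, which is why sequence 136 is dropped after 200 with a 64-packet window but 137 is still accepted.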
8.3. Peer Authorization Database (PAD)
All IPsec implementations MUST have a PAD. The PAD MUST support:
- Authentication via X.509 certificates
- Authentication via pre-shared secrets
- All ID types defined in Section 4.4.3.1
- Constraints on child SA creation, i.e., the traffic selectors (addresses, ranges, protocols) that each authenticated peer is authorized to negotiate
8.4. AH and ESP Support
- All IPsec implementations MUST support ESP
- All IPsec implementations MAY support AH
- ESP MUST support NULL encryption (integrity-only operation) as well as the mandatory-to-implement encryption algorithms specified in the companion cryptographic algorithm requirements document
- ESP MUST support integrity protection; encryption without integrity protection is NOT RECOMMENDED
- If AH is implemented, it MUST support the mandatory-to-implement integrity algorithms specified in the companion cryptographic algorithm requirements document
8.5. Tunnel and Transport Modes
- Host implementations MUST support both tunnel and transport modes
- Security gateways MUST support tunnel mode and MAY support transport mode (transport mode is appropriate on a gateway only when it acts as a host, e.g., for its own management traffic)
8.6. Key Management
All IPsec implementations MUST support both:
- Manual key management
- Automated SA and key management; IKEv2 is the default automated key management protocol for IPsec
8.7. Traffic Selectors
All implementations MUST support the complete set of selectors defined in Section 4.4.1.1:
- Source and destination IP addresses (IPv4 and IPv6)
- Next layer protocol
- Source and destination ports, for next-layer protocols that carry them (e.g., TCP, UDP, SCTP); for other protocols the port selector is ANY or OPAQUE
- ICMP message type and code (for ICMP and ICMPv6)
- Mobility Header type (IPv6)
- Name, used to locate SPD entries symbolically (e.g., from the identity asserted in IKE); it is not derived from packet headers
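To make the selector set concrete, the following Python sketch (an added example, not text or code from this document) implements an ordered SPD lookup over the selectors listed above, returning PROTECT, BYPASS or DISCARD. It also illustrates the Section 8.1 requirement on ordered entries: evaluation is first-match, overlapping narrow entries are placed ahead of the broad ones they carve out of, and a packet matching no entry is discarded. The networks, port numbers, entry names, the protocol-number constants used to decide when port and ICMP selectors apply, and the sample packets are all constructed for this illustration.

```python
# Added example, not from the document: ordered SPD lookup over the
# RFC 4301 selector set. Networks, ports, entry names and sample packets
# are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"
ICMP, TCP, UDP, ICMPV6, SCTP, MH = 1, 6, 17, 58, 132, 135
PORTED = {TCP, UDP, SCTP}   # next-layer protocols whose selectors carry ports
PortRange = Tuple[int, int]


@dataclass
class Packet:
    """Selector values extracted from one packet (None = field absent)."""
    local: str
    remote: str
    proto: int
    lport: Optional[int] = None
    rport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    mh_type: Optional[int] = None


@dataclass
class SPDEntry:
    """One SPD entry. None in a selector field means ANY."""
    action: str
    name: str
    local: Optional[str] = None          # CIDR network or ANY
    remote: Optional[str] = None
    proto: Optional[int] = None
    lports: Optional[PortRange] = None
    rports: Optional[PortRange] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    mh_type: Optional[int] = None
    mode: Optional[str] = None           # "tunnel" / "transport" for PROTECT


def _addr_match(net: Optional[str], addr: str) -> bool:
    if net is None:
        return True
    network = ipaddress.ip_network(net, strict=False)
    ip = ipaddress.ip_address(addr)
    return ip.version == network.version and ip in network


def _port_match(sel: Optional[PortRange], port: Optional[int]) -> bool:
    return sel is None or (port is not None and sel[0] <= port <= sel[1])


def _eq_match(sel, value) -> bool:
    return sel is None or sel == value


def matches(e: SPDEntry, p: Packet) -> bool:
    """True if every selector of entry e covers packet p."""
    if not (_addr_match(e.local, p.local) and _addr_match(e.remote, p.remote)):
        return False
    if not _eq_match(e.proto, p.proto):
        return False
    # Port selectors only apply to protocols that carry ports; an entry with
    # explicit ports cannot match a packet of any other protocol.
    if e.lports is not None or e.rports is not None:
        if p.proto not in PORTED:
            return False
        if not (_port_match(e.lports, p.lport) and _port_match(e.rports, p.rport)):
            return False
    if e.icmp_type is not None or e.icmp_code is not None:
        if p.proto not in (ICMP, ICMPV6):
            return False
        if not (_eq_match(e.icmp_type, p.icmp_type) and _eq_match(e.icmp_code, p.icmp_code)):
            return False
    if e.mh_type is not None and (p.proto != MH or p.mh_type != e.mh_type):
        return False
    return True


def spd_lookup(spd: List[SPDEntry], p: Packet):
    """Ordered lookup: first matching entry wins. A packet that matches no
    entry is discarded, which is the default the specification requires."""
    for e in spd:
        if matches(e, p):
            return e.action, e
    return DISCARD, None


def entry_by_name(spd: List[SPDEntry], name: str) -> Optional[SPDEntry]:
    """The Name selector locates an entry symbolically (e.g. from an IKE
    identity); it is never compared against packet headers."""
    return next((e for e in spd if e.name == name), None)


# Constructed SPD for a gateway protecting 10.0.0.0/8 with a peer site at
# 192.168.0.0/16. Order matters: the narrow DISCARD and BYPASS entries sit
# in front of the broad PROTECT entry whose selectors overlap them.
SAMPLE_SPD = [
    SPDEntry(DISCARD, "no-telnet", local="10.0.0.0/8", proto=TCP, rports=(23, 23)),
    SPDEntry(BYPASS, "ike", proto=UDP, rports=(500, 500)),
    SPDEntry(BYPASS, "icmp-echo", local="10.0.0.0/8", remote="192.168.0.0/16",
             proto=ICMP, icmp_type=8),
    SPDEntry(PROTECT, "site-to-site", local="10.0.0.0/8", remote="192.168.0.0/16",
             mode="tunnel"),
    SPDEntry(PROTECT, "v6-hosts", local="2001:db8::/32", remote="2001:db8:1::/48",
             mode="transport"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.1", "192.168.5.5", TCP, 40000, 23),
                Packet("10.1.1.1", "192.168.5.5", UDP, 500, 500),
                Packet("10.1.1.1", "8.8.8.8", TCP, 40000, 443)):
        action, entry = spd_lookup(SAMPLE_SPD, pkt)
        print(action, entry.name if entry else "(no match)")
```

Swapping the "no-telnet" and "site-to-site" entries changes the outcome for a telnet packet from DISCARD to PROTECT without any selector changing, which is exactly why the specification requires the SPD to be ordered rather than treated as an unordered set of rules.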