7. Differences from RFC 2406
This document differs from RFC 2406 in a number of significant ways.
- Confidentiality-only service -- now a MAY, not a MUST.
- SPI -- modified to specify a uniform algorithm for SAD lookup for unicast and multicast SAs, covering a wider range of multicast technologies. For unicast, the SPI may be used alone to select an SA, or may be combined with the protocol, at the option of the receiver. For multicast SAs, the SPI is combined with the destination address, and optionally the source address, to select an SA.
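The lookup rule above, as an added example (not code from RFC 4303 or any IPsec implementation): a toy Security Association Database in Python. Unicast SAs are keyed by SPI alone or by (SPI, protocol), chosen by the receiver at construction time; multicast SAs are keyed by (SPI, destination) with an optional source address. The `SA` class, the `name` labels and the addresses are constructed for the example; the `unicast_match_proto` switch is an assumed name for the receiver's option.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Added example, not code from RFC 4303: a toy Security Association Database
# (SAD) implementing the section 7 lookup rule. Unicast SAs are selected by
# SPI alone or by (SPI, protocol), at the receiver's option; multicast SAs by
# (SPI, destination) or (SPI, destination, source).

IPPROTO_ESP = 50
IPPROTO_AH = 51


@dataclass(frozen=True)
class SA:
    spi: int
    proto: int                  # IPPROTO_ESP or IPPROTO_AH
    dst: str                    # destination address the SA was negotiated for
    src: Optional[str] = None   # set only for source-specific multicast SAs
    name: str = ""              # constructed label, used only for illustration


def is_multicast(addr: str) -> bool:
    # IPv4 224.0.0.0/4 and IPv6 ff00::/8 are both handled by the stdlib check.
    return ipaddress.ip_address(addr).is_multicast


class SAD:
    def __init__(self, unicast_match_proto: bool):
        # Receiver's option (assumed name): is the IP protocol part of the unicast key?
        self.unicast_match_proto = unicast_match_proto
        self.unicast: Dict[tuple, SA] = {}
        self.multicast: Dict[tuple, SA] = {}

    def _unicast_key(self, spi: int, proto: int) -> tuple:
        return (spi, proto) if self.unicast_match_proto else (spi,)

    def add(self, sa: SA) -> None:
        if is_multicast(sa.dst):
            key = (sa.spi, sa.dst, sa.src)
            table = self.multicast
        else:
            key = self._unicast_key(sa.spi, sa.proto)
            table = self.unicast
        if key in table:
            # With SPI-only unicast lookup an ESP SA and an AH SA cannot share an
            # SPI: the receiver could not tell them apart. Refuse instead of
            # silently overwriting the existing entry.
            raise ValueError(f"SA key {key} already in use by {table[key].name!r}")
        table[key] = sa

    def lookup(self, spi: int, proto: int, dst: str, src: str) -> Optional[SA]:
        """Select the SA for an inbound packet from its SPI, protocol and addresses."""
        if is_multicast(dst):
            # Prefer a source-specific SA, then fall back to an any-source SA.
            return (self.multicast.get((spi, dst, src))
                    or self.multicast.get((spi, dst, None)))
        return self.unicast.get(self._unicast_key(spi, proto))


def build_sample_sad(unicast_match_proto: bool) -> SAD:
    """Constructed sample: two unicast SAs sharing an SPI, two multicast SAs."""
    sad = SAD(unicast_match_proto)
    sad.add(SA(0x1000, IPPROTO_ESP, "192.0.2.1", name="u-esp"))
    sad.add(SA(0x1000, IPPROTO_AH, "192.0.2.1", name="u-ah"))
    sad.add(SA(0x2000, IPPROTO_ESP, "233.252.0.1", name="mc-any-source"))
    sad.add(SA(0x2000, IPPROTO_ESP, "233.252.0.1", src="198.51.100.9", name="mc-ssm"))
    return sad


if __name__ == "__main__":
    sad = build_sample_sad(unicast_match_proto=True)
    print(sad.lookup(0x1000, IPPROTO_AH, "192.0.2.1", "198.51.100.7").name)      # u-ah
    print(sad.lookup(0x2000, IPPROTO_ESP, "233.252.0.1", "198.51.100.9").name)   # mc-ssm
    print(sad.lookup(0x2000, IPPROTO_ESP, "233.252.0.1", "198.51.100.10").name)  # mc-any-source
```

Building the same sample with `unicast_match_proto=False` raises `ValueError` on the second unicast SA, which is the point of the receiver's option: an SPI-only unicast key is simpler but forbids reusing an SPI across ESP and AH.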
- Extended Sequence Number -- added a new option for a 64-bit sequence number for very high-speed communications. Clarified sender and receiver processing requirements for multicast SAs and multi-sender SAs.
- Payload data -- broadened model to accommodate combined mode algorithms.
- Padding for improved traffic flow confidentiality -- added requirement to be able to add bytes after the end of the IP Payload, prior to the beginning of the Padding field.
- Next Header -- added requirement to be able to generate and discard dummy padding packets (Next Header = 59).
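The two traffic flow confidentiality items above (TFC bytes after the IP Payload, and dummy packets marked by Next Header = 59), as an added example that is not code from RFC 4303 or any IPsec stack. It builds the ESP plaintext region (Payload Data, TFC padding, Padding, Pad Length, Next Header) in tunnel mode and parses it back. It assumes tunnel mode with an inner IPv4 packet, so the receiver learns where the real payload ends from the inner header's Total Length field; the encryption and ICV that surround this region are left out. The helper names and the sample addresses are constructed for the example.

```python
import os
import struct
from typing import Optional, Tuple

# Added example, not code from RFC 4303: build and parse the ESP plaintext
# region  Payload Data || TFC padding || Padding || Pad Length || Next Header
# in tunnel mode, where the inner IPv4 Total Length bounds the real payload.

IPPROTO_IPIP = 4        # Next Header value for an inner IPv4 packet (tunnel mode)
NEXT_HEADER_DUMMY = 59  # "No Next Header": marks a dummy packet the receiver discards


def ipv4_packet(src: str, dst: str, proto: int, data: bytes) -> bytes:
    """Minimal inner IPv4 packet: 20-byte header without options, checksum left zero."""
    total_len = 20 + len(data)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + data


def build_esp_plaintext(payload: bytes, next_header: int,
                        tfc_pad_len: int = 0, align: int = 4) -> bytes:
    """Append TFC bytes, then Padding so the region (including the two trailer
    bytes) is a multiple of `align`, then Pad Length and Next Header."""
    body = payload + bytes(tfc_pad_len)        # TFC bytes sit after the payload, before Padding
    pad_len = (-(len(body) + 2)) % align       # 2 = Pad Length + Next Header octets
    padding = bytes(range(1, pad_len + 1))     # default monotonically increasing padding
    return body + padding + bytes([pad_len, next_header])


def build_dummy_plaintext(size: int) -> bytes:
    """Dummy packet: arbitrary random contents, Next Header = 59."""
    return build_esp_plaintext(os.urandom(size), NEXT_HEADER_DUMMY)


def parse_esp_plaintext(plaintext: bytes) -> Optional[Tuple[int, bytes]]:
    """Strip the trailer. Returns (next_header, payload), or None for a dummy
    packet, which the receiver must discard without further processing."""
    if len(plaintext) < 2:
        raise ValueError("truncated ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if len(plaintext) < 2 + pad_len:
        raise ValueError("Pad Length exceeds packet")
    if next_header == NEXT_HEADER_DUMMY:
        return None
    body = plaintext[:len(plaintext) - 2 - pad_len]
    if next_header == IPPROTO_IPIP:
        if len(body) < 20:
            raise ValueError("inner IPv4 header truncated")
        total_len = struct.unpack("!H", body[2:4])[0]
        if total_len > len(body):
            raise ValueError("inner Total Length exceeds available data")
        body = body[:total_len]                # everything past it was TFC padding
    return next_header, body


if __name__ == "__main__":
    inner = ipv4_packet("192.0.2.1", "198.51.100.2", 17, b"hello")   # constructed sample
    pt = build_esp_plaintext(inner, IPPROTO_IPIP, tfc_pad_len=12)
    print(len(pt), parse_esp_plaintext(pt) == (IPPROTO_IPIP, inner))   # 40 True
    print(parse_esp_plaintext(build_dummy_plaintext(30)))              # None
```

The receiver side shows why the dummy check comes first: a packet with Next Header = 59 carries nothing to deliver, so it is dropped before any attempt to interpret the payload, while a real tunnel-mode packet is trimmed to the inner Total Length so the TFC bytes never reach the inner IP stack.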
- ICV -- broadened model to accommodate combined mode algorithms.
- Algorithms -- added combined confidentiality mode algorithms.
- Moved references to mandatory algorithms to a separate document.
- Inbound and Outbound packet processing -- there are now two paths: (1) separate confidentiality and integrity algorithms and (2) combined confidentiality mode algorithms. Because of the addition of combined mode algorithms, the encryption/decryption and integrity sections have been combined for both inbound and outbound packet processing.