Linux FreeS/WAN RFC List

The RFCs.tar.gz Distribution File

The Linux FreeS/WAN distribution is available from our primary distribution site and various mirror sites. To give people more control over their downloads, the RFCs that define IP security are bundled separately in the file RFCs.tar.gz.

The file you are reading is included in the main distribution and is available on the web site. It describes the RFCs included in the RFCs.tar.gz bundle and gives some pointers to other ways to get them.

Other sources for RFCs & Internet drafts

RFCs are downloadable at many places around the net, and browsable in HTML form at others; some of them are also available in translation. There is also a published Big Book of IPSEC RFCs.

Internet Drafts

Internet Drafts, working documents which sometimes evolve into RFCs, are also available.
Note: some of these may be obsolete, replaced by later drafts or by RFCs.

FIPS standards

Some things used by IPSEC, such as DES and SHA, are defined by US government standards called FIPS. The issuing organisation, NIST, has a FIPS home page.

Document CDs

At least one vendor sells CD-ROMs of RFCs and Internet Drafts. Note: the 2401-2412 group of IPSEC RFCs were issued in late November 1998, and the 2535-2539 group on Secure DNS in March 1999, so an older CD may not be particularly useful if these areas are your main concern.

What's in the RFCs.tar.gz bundle?

All filenames are of the form rfc*.txt, with the * replaced with the RFC number.

RFC#	Title

Overview RFCs

2401	Security Architecture for the Internet Protocol
2411	IP Security Document Roadmap

Basic protocols

2402	IP Authentication Header
2406	IP Encapsulating Security Payload (ESP)

Key management

2367	PF_KEY Key Management API, Version 2
2407	The Internet IP Security Domain of Interpretation for ISAKMP
2408	Internet Security Association and Key Management Protocol (ISAKMP)
2409	The Internet Key Exchange (IKE)
2412	The OAKLEY Key Determination Protocol
2528	Internet X.509 Public Key Infrastructure

Details of various things used

2085	HMAC-MD5 IP Authentication with Replay Prevention
2104	HMAC: Keyed-Hashing for Message Authentication
2202	Test Cases for HMAC-MD5 and HMAC-SHA-1
2207	RSVP Extensions for IPSEC Data Flows
2403	The Use of HMAC-MD5-96 within ESP and AH
2404	The Use of HMAC-SHA-1-96 within ESP and AH
2405	The ESP DES-CBC Cipher Algorithm With Explicit IV
2410	The NULL Encryption Algorithm and Its Use With IPsec
2451	The ESP CBC-Mode Cipher Algorithms
2521	ICMP Security Failures Messages

Older RFCs which may be referenced

1321	The MD5 Message-Digest Algorithm
1828	IP Authentication using Keyed MD5
1829	The ESP DES-CBC Transform
1851	The ESP Triple DES Transform
1852	IP Authentication using Keyed SHA

RFCs for secure DNS service, which IPSEC may use

2137	Secure Domain Name System Dynamic Update
2230	Key Exchange Delegation Record for the DNS
2535	Domain Name System Security Extensions
2536	DSA KEYs and SIGs in the Domain Name System (DNS)
2537	RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
2538	Storing Certificates in the Domain Name System (DNS)
2539	Storage of Diffie-Hellman Keys in the Domain Name System (DNS)

RFCs labelled "experimental"

2521	ICMP Security Failures Messages
2522	Photuris: Session-Key Management Protocol
2523	Photuris: Extended Schemes and Attributes

Related RFCs

1750	Randomness Recommendations for Security
1918	Address Allocation for Private Internets
1984	IAB and IESG Statement on Cryptographic Technology and the Internet
2144	The CAST-128 Encryption Algorithm