2.2.1.2.1 ipsecISAKMPPolicy{GUID} Object Attribute Descriptions

The following table specifies the attributes of the ipsecISAKMPPolicy class object (as specified in [MS-ADSC], [MS-ADA1], and [MS-ADA3]).

| Name | Type | Description |
|---|---|---|
| objectClass | LDAPString | The Directory String that contains the object class. A typical value is "ipsecISAKMPPolicy". This attribute is only used during policy creation. |
| ipsecName | LDAPString | The ipsecName attribute for ipsecISAKMPPolicy objects. This MUST NOT be set to NULL.<1> |
| whenChanged | UTC-coded string | The Unicode-generalized time syntax of the time and date that the policy was last changed. This value is set by the Active Directory server. |
| ipsecID | LDAPString | This MUST be a Directory String containing the curly braced GUID string value of this ipsecISAKMPPolicy object. A typical value is "{6A155C3F-72B7-11D2-A3F0-0260B025CAFE}". |
| distinguishedName | Distinguished name | This MUST be a Directory String description of the directory location of this ISAKMP policy. This MUST be in the distinguished name (DN) format of [RFC2251]. This MUST be set by the protocol. A typical value is "CN=ipsecISAKMPPolicy{6A1E5C3F-72B7-11D2-ACF0-0260B025CAFE},CN=IP Security,CN=System,DC=myDomain,DC=contoso,DC=com". |
| ipsecOwnersReference | Distinguished name | This MUST be a Directory String reference (DN) to the "owner" IPsec policy object with which this ISAKMP object is associated. This MUST be in the DN format of [RFC2251]. A typical value is "CN=ipsecPolicy{6A455C3F-72B7-11D2-ACF0-0260B025CAFE},CN=IP Security,CN=System,DC=myDomain,DC=contoso,DC=com". |
| ipsecDataType | LDAPString | The identifier that describes the format of the following ipsecData attribute. This MUST be the base-10 Directory String representation of the unsigned integer value 0x100 (256). |
| ipsecData | Octet string | The octet string representation of the binary data that specifies additional policy data; stored as described in the following ipsecData-specific table. |

Note: The ipsecISAKMPPolicy object ([MS-ADSC] section 2.72, "Class ipsecISAKMPPolicy"), as specified in LDAP messages, is encoded using BER, as defined in [RFC2251] section 5.1.

The following table specifies the ipsecData attribute-specific sections, corresponding names, and data types for the assigned values for the purpose of IPsec policy configuration.

The values of these settings MUST NOT be interpreted by this protocol; that is, they are to be applied as is to the IPsec component, which can interpret them independently of the protocol or mechanism that was used to configure them. A description of the interpretation by the IPsec component is provided for informative purposes (as opposed to the syntax, which is normative).

Note that all fields specified in the following tables MUST appear in little-endian byte order.

Layout of the ipsecData attribute (byte offsets from the start of the attribute value, derived from the field sizes given below):

| Offset (bytes) | Size (bytes) | Field |
|---|---|---|
| 0 | 16 | ISAKMP-Policy-Type-ID |
| 16 | 4 | Data-Length |
| 20 | 16 | ISAKMP-Policy-Instance |
| 36 | 4 | Zero1 |
| 40 | 4 | Master-PFS-Required |
| 44 | 4 | ISAKMP-Options |
| 48 | 1 | New-DH-1 |
| 49 | 1 | New-DH-2 |
| 50 | 1 | New-DH-3 |
| 51 | 1 | New-DH-4 |
| 52 | 4 | QM-Limit |
| 56 | 4 | MM-Lifetime |
| 60 | 20 | Zero2 |
| 80 | 4 | Security-Method-Count |
| 84 | variable | Security-Methods |

ISAKMP-Policy-Type-ID (16 bytes): The identifier that specifies this as an ISAKMP policy; MUST be the GUID whose string representation is "{80DC20B8-2EC8-11D1-A89E-00A0248D3021}".

Data-Length (4 bytes): This field MUST be the length, in bytes, of the following data minus 1. This MUST be an unsigned integer. This field is always 1 byte less than the size of the following data encoded as an octet stream.

ISAKMP-Policy-Instance (16 bytes): This MUST be the GUID value of this ipsecISAKMPPolicy object. This MUST be a 128-bit GUID value.

Zero1 (4 bytes): This value MUST always be written as 0x00000000 and MUST be ignored when read.

Master-PFS-Required (4 bytes): Indicates whether IKE, as defined in [RFC2408], is to use master perfect forward secrecy (PFS) as defined in [RFC2409], sections 3.3 and 8. Master PFS configures the number of times a master key or its base keying material can be reused to generate the session key to one time only. It MUST be one of the following values.

| Value | Meaning |
|---|---|
| 0x00000000 | No, master PFS is not required. |
| 0x00000001 | Yes, master PFS is required. |

ISAKMP-Options (4 bytes): The policy specification modifiers applied to the ISAKMP policy, defined in [RFC2408] that IKE enacts. This field MUST be one of the following values.

| Value | Meaning |
|---|---|
| 0x00000000 | No policy modifier. |
| 0x00000001 | When performing X.509 certificate authentication, the authentication MUST only be allowed if the certificate "Subject Alternate Name" can be mapped to a Kerberos authentication system identity (also known as certificate-mapping). |
| 0x00000002 | When performing X.509 certificate negotiation, do not send the peer the certificate request payload (CRP). |
| 0x00000003 | Perform X.509 certificate mapping (as per value 0x00000001 shown in the second row) and do not send the peer the CRP (as per value 0x00000002 shown in the third row). |

New-DH-1 (1 byte): A nonzero value in the New-DH-1 field is first in the order of precedence for the main mode (MM) offers used by IKE. If the value in this field is zero, the byte fields New-DH-2, New-DH-3, and New-DH-4 are also set to zero. MM offers set on Security-Methods are appended to the New-DH-1, New-DH-2, New-DH-3, and New-DH-4 fields. The New-DH-1 field SHOULD<2> be one of the following values.

| Value | Meaning |
|---|---|
| 0x00 | This field is not used. |
| 0x01 | The ISAKMP policy setting is Encryption:DES; Integrity:MD5; Diffie-Hellman:DH-2048. |
| 0x02 | The ISAKMP policy setting is Encryption:DES; Integrity:SHA-1; Diffie-Hellman:DH-2048. |
| 0x03 | The ISAKMP policy setting is Encryption:3DES; Integrity:MD5; Diffie-Hellman:DH-2048. |
| 0x04 | The ISAKMP policy setting is Encryption:3DES; Integrity:SHA-1; Diffie-Hellman:DH-2048. |

New-DH-2 (1 byte): A nonzero value in the New-DH-2 field is second in the order of precedence for the MM offers used by IKE. If the value in this field is zero, the byte fields New-DH-3 and New-DH-4 are also set to zero. MM offers set on Security-Methods are appended to the New-DH-1, New-DH-2, New-DH-3, and New-DH-4 fields. The New-DH-2 field SHOULD<3> be one of the following values.

| Value | Meaning |
|---|---|
| 0x00 | This field is not used. |
| 0x01 | The ISAKMP policy setting is Encryption:DES; Integrity:MD5; Diffie-Hellman:DH-2048. |
| 0x02 | The ISAKMP policy setting is Encryption:DES; Integrity:SHA-1; Diffie-Hellman:DH-2048. |
| 0x03 | The ISAKMP policy setting is Encryption:3DES; Integrity:MD5; Diffie-Hellman:DH-2048. |
| 0x04 | The ISAKMP policy setting is Encryption:3DES; Integrity:SHA-1; Diffie-Hellman:DH-2048. |

New-DH-3 (1 byte): A nonzero value in the New-DH-3 field is third in the order of precedence for the MM offers used by IKE. If the value in this field is zero, the byte field New-DH-4 is also set to zero. MM offers set on Security-Methods are appended to the New-DH-1, New-DH-2, New-DH-3, and New-DH-4 fields. The New-DH-3 field SHOULD<4> be one of the following values.

| Value | Meaning |
|---|---|
| 0x00 | This field is not used. |
| 0x01 | The ISAKMP policy setting is Encryption:DES; Integrity:MD5; Diffie-Hellman:DH-2048. |
| 0x02 | The ISAKMP policy setting is Encryption:DES; Integrity:SHA-1; Diffie-Hellman:DH-2048. |
| 0x03 | The ISAKMP policy setting is Encryption:3DES; Integrity:MD5; Diffie-Hellman:DH-2048. |
| 0x04 | The ISAKMP policy setting is Encryption:3DES; Integrity:SHA-1; Diffie-Hellman:DH-2048. |

New-DH-4 (1 byte): A nonzero value in the New-DH-4 field is fourth in the order of precedence for the MM offers used by IKE. MM offers set on Security-Methods are appended to the New-DH-1, New-DH-2, New-DH-3, and New-DH-4 fields. The New-DH-4 field SHOULD<5> be one of the following values.

| Value | Meaning |
|---|---|
| 0x00 | This field is not used. |
| 0x01 | The ISAKMP policy setting is Encryption:DES; Integrity:MD5; Diffie-Hellman:DH-2048. |
| 0x02 | The ISAKMP policy setting is Encryption:DES; Integrity:SHA-1; Diffie-Hellman:DH-2048. |
| 0x03 | The ISAKMP policy setting is Encryption:3DES; Integrity:MD5; Diffie-Hellman:DH-2048. |
| 0x04 | The ISAKMP policy setting is Encryption:3DES; Integrity:SHA-1; Diffie-Hellman:DH-2048. |

The table that follows illustrates how the MM precedence order works. An X in a table cell denotes that a field has a value and a hyphen (-) indicates a value of zero.

| New-DH-1 | New-DH-2 | New-DH-3 | New-DH-4 | Security-Method-1 | ... | Security-Method-N | Resultant order of MM precedence |
|---|---|---|---|---|---|---|---|
| X | X | X | X | X | ... | X | New-DH-1, New-DH-2, New-DH-3, New-DH-4, Security-Method-1, ..., Security-Method-N |
| X | X | X | - | X | ... | X | New-DH-1, New-DH-2, New-DH-3, Security-Method-1, ..., Security-Method-N |
| X | X | - | - | X | ... | X | New-DH-1, New-DH-2, Security-Method-1, ..., Security-Method-N |
| X | - | - | - | X | ... | X | New-DH-1, Security-Method-1, ..., Security-Method-N |
| - | - | - | - | X | ... | X | Security-Method-1, ..., Security-Method-N |
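The precedence rule above, as an added example that is not part of [MS-GPIPSEC] or of any Microsoft code: it checks the zero-propagation rule for the four New-DH bytes, produces the main-mode offer order IKE would consider, and flags offers that would negotiate DES or MD5 so an administrator auditing a policy can see them. The New-DH code meanings come from the tables above; the Security-Methods are passed in as already-decoded (encryption, integrity, group) triples, and the sample values are constructed for the example.

```python
# Added example, not part of [MS-GPIPSEC]: derive the main-mode (MM) offer
# precedence from the New-DH-1..4 bytes and the decoded Security-Methods.
from typing import Dict, List, Sequence, Tuple

Offer = Tuple[str, str, str]  # (encryption, integrity, Diffie-Hellman group)

# Meaning of the nonzero New-DH-n codes, as tabulated in the field descriptions.
NEW_DH_CODES: Dict[int, Offer] = {
    0x01: ("DES", "MD5", "DH-2048"),
    0x02: ("DES", "SHA-1", "DH-2048"),
    0x03: ("3DES", "MD5", "DH-2048"),
    0x04: ("3DES", "SHA-1", "DH-2048"),
}


def new_dh_is_well_formed(new_dh: Sequence[int]) -> bool:
    """A zero New-DH-n field implies that every later New-DH field is zero too;
    a nonzero byte after a zero one violates the layout described above."""
    if len(new_dh) != 4:
        return False
    first_zero = next((i for i, v in enumerate(new_dh) if v == 0), 4)
    return all(v == 0 for v in new_dh[first_zero:])


def mm_precedence(new_dh: Sequence[int], methods: Sequence[Offer]) -> List[Tuple[str, Offer]]:
    """Return the MM offers in the order IKE considers them: the nonzero New-DH
    fields first, in field order, then Security-Method-1 .. Security-Method-N."""
    if not new_dh_is_well_formed(new_dh):
        raise ValueError("nonzero New-DH field after a zero one")
    order: List[Tuple[str, Offer]] = []
    for i, code in enumerate(new_dh, start=1):
        if code == 0:
            break  # the remaining New-DH fields are zero as well
        # The value range is a SHOULD, so an unknown code is kept but labelled.
        offer = NEW_DH_CODES.get(code, ("unknown", "unknown", f"code 0x{code:02x}"))
        order.append((f"New-DH-{i}", offer))
    for j, offer in enumerate(methods, start=1):
        order.append((f"Security-Method-{j}", offer))
    return order


def weak_offers(order: Sequence[Tuple[str, Offer]]) -> List[str]:
    """Names of offers that would negotiate DES encryption or MD5 integrity."""
    return [name for name, (enc, integrity, _group) in order
            if enc == "DES" or integrity == "MD5"]


# Constructed sample: two New-DH offers (3DES/SHA-1 first, then 3DES/MD5) and
# two security methods appended after them.
SAMPLE_NEW_DH = (0x04, 0x03, 0x00, 0x00)
SAMPLE_METHODS: List[Offer] = [("3DES", "SHA-1", "Group-14"), ("DES", "MD5", "Group-2")]

if __name__ == "__main__":
    for name, offer in mm_precedence(SAMPLE_NEW_DH, SAMPLE_METHODS):
        print(name, offer)
    print("weak:", weak_offers(mm_precedence(SAMPLE_NEW_DH, SAMPLE_METHODS)))
```

For the sample, the order is New-DH-1, New-DH-2, Security-Method-1, Security-Method-2, and the audit lists New-DH-2 and Security-Method-2 as the offers a reviewer would want to remove from the policy.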

QM-Limit (4 bytes): The number of quick modes allowed per main mode in an IKE ([RFC2409]) negotiation. A special value is 0x00000000, which means no limit. This field MUST be an unsigned integer.

MM-Lifetime (4 bytes): The maximum allowed main-mode key lifetime, in seconds, that IKE uses. A special value is 0x00000000, which means the main-mode key lifetime is set to 28,800 seconds. This field MUST be an unsigned integer.

Zero2 (20 bytes): This value MUST always be written as a 20-byte field that is filled with 0x00 and MUST be ignored when read.

Security-Method-Count (4 bytes): This MUST be the number of security-method BLOBs that follow. This field MUST be an unsigned integer.

Security-Methods (variable): The ISAKMP security methods, as specified in the following binary representation. There can be any number of these. The number is specified by the preceding Security-Method-Count field. This field is a multiple of 64 bytes.

Layout of one security-method BLOB (64 bytes; byte offsets from the start of the BLOB, derived from the field sizes given below):

| Offset (bytes) | Size (bytes) | Field |
|---|---|---|
| 0 | 1 | Major-Version |
| 1 | 1 | Minor-Version |
| 2 | 2 | Zero3 |
| 4 | 8 | Encryption-Algorithm-ID |
| 12 | 4 | Zero4 |
| 16 | 8 | Hash-Algorithm-ID |
| 24 | 4 | Zero5 |
| 28 | 8 | Zero6 |
| 36 | 1 | Random-Function |
| 37 | 7 | Zero7 |
| 44 | 4 | Oakley-Group |
| 48 | 4 | QM-Limit |
| 52 | 4 | Oakley-Lifetime-KB |
| 56 | 4 | Oakley-Lifetime-Secs |
| 60 | 4 | PFS-Identity-Required |

Major-Version (1 byte): The crypto bundle major version; MUST be 0x00.

Minor-Version (1 byte): The crypto bundle minor version; MUST be 0x00.

Zero3 (2 bytes): This value MUST always be written as 0x0000 and MUST be ignored when read.

Encryption-Algorithm-ID (8 bytes): The encryption algorithm that IKE uses. This MUST be one of the following values.

| Value | Meaning |
|---|---|
| 0x0000000000000000 | None |
| 0x0000000000000001 | DES-CBC |
| 0x0000000000000002 | 3DES-CBC |
| 0x0000000000000003 | 3DES-CBC |

Zero4 (4 bytes): This value MUST always be written as 0x00000000 and MUST be ignored when read.

Hash-Algorithm-ID (8 bytes): The hash algorithm that IKE uses. This MUST be one of the following values.

| Value | Meaning |
|---|---|
| 0x0000000000000000 | None |
| 0x0000000000000001 | MD5 |
| 0x0000000000000002 | SHA-1 |

Zero5 (4 bytes): This value MUST always be written as 0x00000000 and MUST be ignored when read.

Zero6 (8 bytes): This value MUST always be written as an 8-byte field that is filled with 0x00 and MUST be ignored when read.

Random-Function (1 byte): Overrides the values of Encryption-Algorithm-ID, Hash-Algorithm-ID, and Oakley-Group as follows. In addition, QM-Limit, MM-Lifetime, and Master-PFS-Required values from the policy object are used.

| Value | Encryption-Algorithm-ID | Hash-Algorithm-ID | Oakley-Group |
|---|---|---|---|
| 0x01 | DES | MD5 | Group-14 |
| 0x02 | DES | SHA | Group-14 |
| 0x03 | 3DES | MD5 | Group-14 |
| 0x04 | 3DES | SHA | Group-14 |

Zero7 (7 bytes): This value MUST always be written as a 7-byte field that is filled with 0x00 and MUST be ignored when read.

Oakley-Group (4 bytes): The Diffie-Hellman group that IKE uses, as defined in [RFC2412]. This MUST be one of the following values.

| Value | Meaning |
|---|---|
| 0x00000000 | This field is not used. |
| 0x00000001 | Group-1 |
| 0x00000002 | Group-2 |
| 0x10000001 | Group-14 |

QM-Limit (4 bytes): The number of quick modes allowed per main mode in an IKE negotiation, as defined in [RFC2412] and [RFC2409]. A special value is 0x00000000, which means no limit. This field MUST be an unsigned integer.

Oakley-Lifetime-KB (4 bytes): The lifetime, in kilobytes, that IKE is to negotiate. This field MUST be an unsigned integer.

Oakley-Lifetime-Secs (4 bytes): The lifetime, in seconds, that IKE is to negotiate. This field MUST be an unsigned integer.

PFS-Identity-Required (4 bytes): Indicates whether IKE is to use PFS, as defined in [RFC2409]. Configures the number of times a master key or its base keying material can be reused to generate the session key to one time only. This MUST be one of the following values.

| Value | Meaning |
|---|---|
| 0x00000000 | No, PFS Identity is not required. |
| 0x00000001 | Yes, PFS identity is required. |
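The two binary layouts described in this section (the ipsecData policy header and the 64-byte security-method BLOB), as an added encoder/decoder example that is not part of [MS-GPIPSEC] or of any Microsoft code. It packs every field little-endian as the section requires, computes Data-Length as "length of the following data minus 1", applies the Random-Function override table when decoding a bundle, and rejects a blob whose ISAKMP-Policy-Type-ID, Data-Length or Security-Method-Count disagrees with its contents, which is the check a consumer of these attributes should make before handing values to the IPsec component. One assumption is labelled in the code: the two GUID fields are taken to use the Windows little-endian GUID byte layout (`uuid.UUID(bytes_le=...)`), since the section only says that all fields are little-endian. The sample policy values are constructed for the example.

```python
# Added example, not part of [MS-GPIPSEC]: encode and decode the ipsecData blob
# of an ipsecISAKMPPolicy object using the field layouts described above.
# Assumption: the GUID fields use the Windows little-endian GUID byte layout.
import struct
import uuid
from typing import Dict, List, Sequence

ISAKMP_POLICY_TYPE_ID = uuid.UUID("{80DC20B8-2EC8-11D1-A89E-00A0248D3021}")

# Policy header, little-endian: Type-ID, Data-Length, Instance, Zero1,
# Master-PFS-Required, ISAKMP-Options, New-DH-1..4, QM-Limit, MM-Lifetime,
# Zero2, Security-Method-Count.
HEADER_FMT = "<16sI16sIII4BII20sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 84 bytes

# One security-method BLOB: Major, Minor, Zero3, Encryption-Algorithm-ID, Zero4,
# Hash-Algorithm-ID, Zero5, Zero6, Random-Function, Zero7, Oakley-Group,
# QM-Limit, Oakley-Lifetime-KB, Oakley-Lifetime-Secs, PFS-Identity-Required.
METHOD_FMT = "<BBHQIQI8sB7sIIIII"
METHOD_LEN = struct.calcsize(METHOD_FMT)  # 64 bytes

ENC_NAMES = {0: "None", 1: "DES-CBC", 2: "3DES-CBC", 3: "3DES-CBC"}
HASH_NAMES = {0: "None", 1: "MD5", 2: "SHA-1"}
GROUP_NAMES = {0: "not used", 1: "Group-1", 2: "Group-2", 0x10000001: "Group-14"}
# Random-Function value -> (Encryption-Algorithm-ID, Hash-Algorithm-ID, Oakley-Group)
RANDOM_FUNCTION = {1: (1, 1, 0x10000001), 2: (1, 2, 0x10000001),
                   3: (2, 1, 0x10000001), 4: (2, 2, 0x10000001)}


def encode_method(m: Dict[str, int]) -> bytes:
    """Serialize one security-method BLOB; keys not supplied encode as 0."""
    g = m.get
    return struct.pack(METHOD_FMT, 0, 0, 0, g("enc", 0), 0, g("hash", 0), 0, b"\0" * 8,
                       g("random_function", 0), b"\0" * 7, g("group", 0), g("qm_limit", 0),
                       g("lifetime_kb", 0), g("lifetime_secs", 0), g("pfs_identity", 0))


def decode_method(chunk: bytes) -> Dict[str, object]:
    """Parse one BLOB, applying the Random-Function override when it is set."""
    (major, minor, _z3, enc, _z4, hsh, _z5, _z6, rnd, _z7,
     grp, qm, kb, secs, pfs) = struct.unpack(METHOD_FMT, chunk)
    if (major, minor) != (0, 0):
        raise ValueError(f"unsupported crypto bundle version {major}.{minor}")
    if rnd in RANDOM_FUNCTION:
        enc, hsh, grp = RANDOM_FUNCTION[rnd]
    if enc not in ENC_NAMES or hsh not in HASH_NAMES or grp not in GROUP_NAMES:
        raise ValueError("algorithm or group ID outside the specified values")
    return {"encryption": ENC_NAMES[enc], "hash": HASH_NAMES[hsh], "group": GROUP_NAMES[grp],
            "qm_limit": qm, "lifetime_kb": kb, "lifetime_secs": secs, "pfs_identity": pfs}


def encode_policy(instance: uuid.UUID, master_pfs: int, options: int, new_dh: Sequence[int],
                  qm_limit: int, mm_lifetime: int, methods: List[Dict[str, int]]) -> bytes:
    body = b"".join(encode_method(m) for m in methods)
    # Data-Length counts every byte that follows it, minus one.
    data_length = (HEADER_LEN - 20) + len(body) - 1
    header = struct.pack(HEADER_FMT, ISAKMP_POLICY_TYPE_ID.bytes_le, data_length,
                         instance.bytes_le, 0, master_pfs, options, *new_dh,
                         qm_limit, mm_lifetime, b"\0" * 20, len(methods))
    return header + body


def decode_policy(blob: bytes) -> Dict[str, object]:
    """Parse a blob, rejecting a wrong Type-ID, a Data-Length that disagrees with
    the blob size, or a Security-Method-Count that disagrees with the payload."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the fixed header")
    (type_id, data_length, instance, _z1, master_pfs, options, dh1, dh2, dh3, dh4,
     qm_limit, mm_lifetime, _z2, count) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if uuid.UUID(bytes_le=type_id) != ISAKMP_POLICY_TYPE_ID:
        raise ValueError("ISAKMP-Policy-Type-ID mismatch: not an ISAKMP policy blob")
    if data_length != len(blob) - 20 - 1:
        raise ValueError("Data-Length does not match the blob size")
    payload = blob[HEADER_LEN:]
    if len(payload) != count * METHOD_LEN:
        raise ValueError("Security-Method-Count disagrees with the payload length")
    methods = [decode_method(payload[i * METHOD_LEN:(i + 1) * METHOD_LEN]) for i in range(count)]
    # Instance GUID rendered in the curly braced form used by the ipsecID attribute.
    return {"instance": "{%s}" % str(uuid.UUID(bytes_le=instance)).upper(),
            "data_length": data_length, "master_pfs_required": master_pfs,
            "isakmp_options": options, "new_dh": (dh1, dh2, dh3, dh4),
            "qm_limit": qm_limit, "mm_lifetime": mm_lifetime, "methods": methods}


def is_valid_policy(blob: bytes) -> bool:
    """True if the blob parses cleanly under the checks in decode_policy."""
    try:
        decode_policy(blob)
        return True
    except (ValueError, struct.error):
        return False


# Constructed sample: master PFS required, two New-DH offers, and two BLOBs, the
# first using the Random-Function shorthand for 3DES/SHA/Group-14.
SAMPLE_BLOB = encode_policy(uuid.UUID("{6A155C3F-72B7-11D2-A3F0-0260B025CAFE}"),
                            master_pfs=1, options=0, new_dh=(4, 3, 0, 0),
                            qm_limit=0, mm_lifetime=28800,
                            methods=[{"random_function": 4, "lifetime_secs": 28800},
                                     {"enc": 1, "hash": 1, "group": 2, "lifetime_secs": 3600}])

if __name__ == "__main__":
    print(decode_policy(SAMPLE_BLOB))
```

The sample encodes to 212 bytes (an 84-byte header plus two 64-byte BLOBs) with Data-Length 191; flipping a byte of the Type-ID or dropping the last byte makes `is_valid_policy` return False, which is the behaviour a consumer should have rather than applying a malformed attribute to the IPsec component.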