/* $OpenBSD: ike.h,v 1.26 2016/03/07 19:33:26 mmcc Exp $ */

/*
 * Copyright (c) 2001 Håkan Olsson.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/* Domain of Interpretation values carried in the SA payload. */
#define ISAKMP_DOI		0
#define IPSEC_DOI		1

/* Protocol IDs of proposal payloads; also the index into IKE_PROTO_INITIALIZER. */
#define PROTO_ISAKMP		1
#define PROTO_IPSEC_AH		2
#define PROTO_IPSEC_ESP		3
#define PROTO_IPCOMP		4

/* Major version 2 as it sits in the ISAKMP header version octet (major in the high nibble). */
#define IKE_VERSION_2		(2 << 4)

/*
 * IKE SA attribute classes referenced by name.  The full list of class
 * names is IKE_ATTR_INITIALIZER below, indexed by these values.
 */
#define IKE_ATTR_ENCRYPTION_ALGORITHM	1
#define IKE_ATTR_HASH_ALGORITHM		2
#define IKE_ATTR_AUTHENTICATION_METHOD	3
#define IKE_ATTR_GROUP_DESC		4
#define IKE_ATTR_GROUP_TYPE		5
#define IKE_ATTR_LIFE_TYPE		11

/* Protocol ID names, indexed by PROTO_*; 0 is reserved. */
#define IKE_PROTO_INITIALIZER						\
	{ "RESERVED", "ISAKMP", "IPSEC_AH", "IPSEC_ESP", "IPCOMP",	\
	}

/*
 * Value names for the attribute classes above.  Each table is indexed
 * directly by the attribute value, with index 0 standing in for the
 * unassigned value 0.
 * NOTE(review): value 8 is "AES_128_CTR" here, which does not match the
 * IANA assignment for encryption algorithm 8 — confirm how the printer
 * reaches this entry before relying on it.
 */
#define IKE_ATTR_ENCRYPT_INITIALIZER					\
	{ "NONE", "DES_CBC", "IDEA_CBC", "BLOWFISH_CBC",		\
	  "RC5_R16_B64_CBC", "3DES_CBC", "CAST_CBC", "AES_CBC",		\
	  "AES_128_CTR"							\
	}
/* Hash algorithm names (IKE_ATTR_HASH_ALGORITHM). */
#define IKE_ATTR_HASH_INITIALIZER					\
	{ "NONE", "MD5", "SHA", "TIGER",				\
	  "SHA2_256", "SHA2_384", "SHA2_512",				\
	}
/* Authentication method names (IKE_ATTR_AUTHENTICATION_METHOD). */
#define IKE_ATTR_AUTH_INITIALIZER					\
	{ "NONE", "PRE_SHARED", "DSS", "RSA_SIG",			\
	  "RSA_ENC", "RSA_ENC_REV",					\
	}
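/*
 * Group Description names (IKE_ATTR_GROUP_DESC), indexed by the
 * attribute value.  0 and 6-13 are unassigned and print as "NONE".
 * Groups 19-21 are the 256/384/521-bit random ECP groups of RFC 5903
 * and 22-26 the RFC 5114 groups.  Two table entries were wrong before:
 * group 21 read "ECP512" (it is the 521-bit group) and the last entry
 * had its separating comma inside the string literal ("ECP224,").
 */
#define IKE_ATTR_GROUP_DESC_INITIALIZER					\
	{ "NONE", "MODP_768", "MODP_1024",				\
	  "E2CN_155", "E2CN_185", "MODP_1536", "NONE", "NONE", "NONE",	\
	  "NONE", "NONE", "NONE", "NONE", "NONE", "MODP_2048",		\
	  "MODP_3072", "MODP_4096", "MODP_6144", "MODP_8192", "ECP256",	\
	  "ECP384", "ECP521", "MODP_1024-160", "MODP_2048-224",		\
	  "MODP_2048-256", "ECP192", "ECP224",				\
	}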
/* Group Type names (IKE_ATTR_GROUP_TYPE). */
#define IKE_ATTR_GROUP_INITIALIZER					\
	{ "NONE", "MODP", "ECP", "E2CN",				\
	}
/* Life Type names (IKE_ATTR_LIFE_TYPE). */
#define IKE_ATTR_SA_DURATION_INITIALIZER				\
	{ "NONE", "SECONDS", "KILOBYTES",				\
	}

/* IKE SA attribute class names, indexed by class number (17 entries). */
#define IKE_ATTR_INITIALIZER						\
	{ "NONE", 			/* 0 (not in RFC) */		\
	  "ENCRYPTION_ALGORITHM", 	/* 1 */				\
	  "HASH_ALGORITHM",		/* 2 */				\
	  "AUTHENTICATION_METHOD",	/* 3 */				\
	  "GROUP_DESCRIPTION",		/* 4 */				\
	  "GROUP_TYPE",			/* 5 */				\
	  "GROUP_PRIME",		/* 6 */				\
	  "GROUP_GENERATOR_1",		/* 7 */				\
	  "GROUP_GENERATOR_2",		/* 8 */				\
	  "GROUP_CURVE_1",		/* 9 */				\
	  "GROUP_CURVE_2",		/* 10 */			\
	  "LIFE_TYPE",			/* 11 */			\
	  "LIFE_DURATION",		/* 12 */			\
	  "PRF",			/* 13 */			\
	  "KEY_LENGTH",			/* 14 */			\
	  "FIELD_SIZE",			/* 15 */			\
	  "GROUP_ORDER",		/* 16 */			\
	}

/* Situation bit flags of the IPsec DOI SA payload. */
#define IKE_SITUATION_IDENTITY_ONLY	1
#define IKE_SITUATION_SECRECY		2
#define IKE_SITUATION_INTEGRITY		4
/* Mask is all the above, i.e 1+2+4 = 7 */
#define IKE_SITUATION_MASK		7

/*
 * IKEv1 payload types.  0-21 index IKE_PAYLOAD_TYPES_INITIALIZER
 * directly; PAYLOAD_RESERVED_MIN is the first value that table does
 * not cover.
 */
#define PAYLOAD_NONE		0
#define PAYLOAD_SA		1
#define PAYLOAD_PROPOSAL	2
#define PAYLOAD_TRANSFORM	3
#define PAYLOAD_KE		4
#define PAYLOAD_ID		5
#define PAYLOAD_CERT		6
#define PAYLOAD_CERTREQUEST	7
#define PAYLOAD_HASH		8
#define PAYLOAD_SIG		9
#define PAYLOAD_NONCE		10
#define PAYLOAD_NOTIFICATION	11
#define PAYLOAD_DELETE		12
#define PAYLOAD_VENDOR		13
#define PAYLOAD_ATTRIBUTE	14
#define PAYLOAD_SAK		15
#define PAYLOAD_SAT		16
#define PAYLOAD_KD		17
#define PAYLOAD_SEQ		18
#define PAYLOAD_POP		19
#define PAYLOAD_NAT_D		20
#define PAYLOAD_NAT_OA		21
#define PAYLOAD_RESERVED_MIN	22
/*
 * Private-use range.  (type - PAYLOAD_PRIVATE_MIN) indexes
 * IKE_PRIVATE_PAYLOAD_TYPES_INITIALIZER, which has entries for 128-131
 * only.  NOTE(review): PAYLOAD_PRIVATE_MAX is 132, one past the last
 * table entry — confirm the consumer treats it as an exclusive bound.
 */
#define PAYLOAD_PRIVATE_MIN	128
#define PAYLOAD_NAT_D_DRAFT	130
#define PAYLOAD_NAT_OA_DRAFT	131
#define PAYLOAD_PRIVATE_MAX	132

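/*
 * IKEv2 payload types (RFC 7296, section 3.2).  (type - PAYLOAD_IKEV2_SA)
 * indexes IKEV2_PAYLOAD_TYPES_INITIALIZER, which covers 33-48.
 */
#define PAYLOAD_IKEV2_NONE	0
#define PAYLOAD_IKEV2_SA	33
#define PAYLOAD_IKEV2_KE	34
#define PAYLOAD_IKEV2_IDI	35
#define PAYLOAD_IKEV2_IDR	36
#define PAYLOAD_IKEV2_CERT	37
#define PAYLOAD_IKEV2_CERTREQ	38
#define PAYLOAD_IKEV2_AUTH	39
#define PAYLOAD_IKEV2_NONCE	40
#define PAYLOAD_IKEV2_N		41
#define PAYLOAD_IKEV2_D		42
#define PAYLOAD_IKEV2_V		43
#define PAYLOAD_IKEV2_TSI	44
#define PAYLOAD_IKEV2_TSR	45
#define PAYLOAD_IKEV2_E		46
#define PAYLOAD_IKEV2_CP	47
#define PAYLOAD_IKEV2_EAP	48
/* Private-use range (inclusive). */
#define PAYLOAD_IKEV2_PRIV_MIN	128
#define PAYLOAD_IKEv2_PRIV_MAX	255
/*
 * Spelling consistent with the other PAYLOAD_IKEV2_* names.  The
 * mixed-case original above is kept so existing users keep compiling.
 */
#define PAYLOAD_IKEV2_PRIV_MAX	PAYLOAD_IKEv2_PRIV_MAX
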
/* see https://www.iana.org/assignments/isakmp-registry */
/* IKEv1 payload type names, indexed by PAYLOAD_* (22 entries, 0-21). */
#define IKE_PAYLOAD_TYPES_INITIALIZER			\
	{ "NONE",		/*  0 */		\
	  "SA",			/*  1 */		\
	  "PROPOSAL",		/*  2 */		\
	  "TRANSFORM",		/*  3 */		\
	  "KEY_EXCH",		/*  4 */		\
	  "ID",			/*  5 */		\
	  "CERT",		/*  6 */		\
	  "CERTREQUEST",	/*  7 */		\
	  "HASH",		/*  8 */		\
	  "SIG",		/*  9 */		\
	  "NONCE",		/* 10 */		\
	  "NOTIFICATION",	/* 11 */		\
	  "DELETE",		/* 12 */		\
	  "VENDOR",		/* 13 */		\
	  "ATTRIBUTE",		/* 14 (ikecfg) */	\
	  "SAK",		/* 15 */		\
	  "SAT",		/* 16 */		\
	  "KD",			/* 17 */		\
	  "SEQ",		/* 18 */		\
	  "POP",		/* 19 */		\
	  "NAT-D",		/* 20 */		\
	  "NAT-OA",		/* 21 */		\
	}

/*
 * Names for the private-use range, indexed by (type - PAYLOAD_PRIVATE_MIN).
 * Only 128-131 are present; 128 and 129 have no known meaning.
 */
#define IKE_PRIVATE_PAYLOAD_TYPES_INITIALIZER		\
	{ "NONE",		/*  128 */		\
	  "<unknown 129>",	/*  129 */		\
	  "NAT-D-DRAFT",	/*  130 (draft-ietf-ipsec-nat-t-ike-03) */  \
	  "NAT-OA-DRAFT",	/*  131 (draft-ietf-ipsec-nat-t-ike-03) */  \
	}

/* see https://www.iana.org/assignments/ikev2-parameters */
/*
 * IKEv2 payload type names, indexed by (type - PAYLOAD_IKEV2_SA):
 * 16 entries covering 33-48.  The "NONE" type (0) has no entry here.
 */
#define IKEV2_PAYLOAD_TYPES_INITIALIZER			\
	{ "SA",			/* 33 */		\
	  "KE",			/* 34 */		\
	  "IDi",		/* 35 */		\
	  "IDr",		/* 36 */		\
	  "CERT",		/* 37 */		\
	  "CERTREQ",		/* 38 */		\
	  "AUTH",		/* 39 */		\
	  "NONCE",		/* 40 */		\
	  "N",			/* 41 */		\
	  "D",			/* 42 */		\
	  "V",			/* 43 */		\
	  "TSi",		/* 44 */		\
	  "TSr",		/* 45 */		\
	  "E",			/* 46 */		\
	  "CP",			/* 47 */		\
	  "EAP",		/* 48 */		\
	}


/*
 * Exchange types.  0-6 are the generic ISAKMP exchanges (6 being the
 * ISAKMP-config transaction exchange), 32-33 the IPsec DOI exchanges
 * and 34-38 the IKEv2 exchanges.  All index IKE_EXCHANGE_TYPES_INITIALIZER.
 */
#define EXCHANGE_NONE			0
#define EXCHANGE_BASE			1
#define EXCHANGE_ID_PROT		2
#define EXCHANGE_AUTH_ONLY		3
#define EXCHANGE_AGGRESSIVE		4
#define EXCHANGE_INFO			5
#define EXCHANGE_TRANSACTION		6
#define EXCHANGE_QUICK_MODE		32
#define EXCHANGE_NEW_GROUP_MODE		33
#define EXCHANGE_IKE_SA_INIT		34
#define EXCHANGE_IKE_AUTH		35
#define EXCHANGE_CREATE_CHILD_SA	36
#define EXCHANGE_INFORMATIONAL		37
#define EXCHANGE_IKE_SESSION_RESUME	38

/*
 * Exchange type names, indexed directly by EXCHANGE_* (39 entries).
 * The 25 "unknown" fillers cover the unassigned values 7-31 so that
 * QUICK_MODE lands at index 32.
 */
#define IKE_EXCHANGE_TYPES_INITIALIZER			\
	{ "NONE",		/* 0 */			\
	  "BASE",		/* 1 */			\
	  "ID_PROT",		/* 2 */			\
	  "AUTH_ONLY",		/* 3 */			\
	  "AGGRESSIVE",		/* 4 */			\
	  "INFO",		/* 5 */			\
	  "TRANSACTION",	/* 6 (ikecfg) */	\
	  /* step up to type 32 with unknowns */	\
	  "unknown", "unknown", "unknown", "unknown",	\
	  "unknown", "unknown", "unknown", "unknown",	\
	  "unknown", "unknown", "unknown", "unknown",	\
	  "unknown", "unknown", "unknown", "unknown",	\
	  "unknown", "unknown", "unknown", "unknown",	\
	  "unknown", "unknown", "unknown", "unknown",	\
	  "unknown",					\
	  "QUICK_MODE",		/* 32 */		\
	  "NEW_GROUP_MODE",	/* 33 */		\
	  "IKE_SA_INIT",	/* 34 */		\
	  "IKE_AUTH",		/* 35 */		\
	  "CREATE_CHILD_SA",	/* 36 */		\
	  "INFORMATIONAL",	/* 37 */		\
	  "IKE_SESSION_RESUME",	/* 38 */		\
	}

/* ISAKMP header flag bits. */
#define FLAGS_ENCRYPTION	1
#define FLAGS_COMMIT		2
#define FLAGS_AUTH_ONLY		4

/* Certificate encoding types of the CERT / CERTREQUEST payloads. */
#define CERT_NONE		0
#define CERT_PKCS		1
#define CERT_PGP		2
#define CERT_DNS		3
#define CERT_X509_SIG		4
#define CERT_X509_KE		5
#define CERT_KERBEROS		6
#define CERT_CRL		7
#define CERT_ARL		8
#define CERT_SPKI		9
#define CERT_X509_ATTR		10

/*
 * ISAKMP notify message types, error range 1-30.  These index
 * IKE_NOTIFY_TYPES_INITIALIZER directly; DOI-specific status values
 * follow further below.
 */
#define NOTIFY_INVALID_PAYLOAD_TYPE		1
#define NOTIFY_DOI_NOT_SUPPORTED		2
#define NOTIFY_SITUATION_NOT_SUPPORTED		3
#define NOTIFY_INVALID_COOKIE			4
#define NOTIFY_INVALID_MAJOR_VERSION		5
#define NOTIFY_INVALID_MINOR_VERSION		6
#define NOTIFY_INVALID_EXCHANGE_TYPE		7
#define NOTIFY_INVALID_FLAGS			8
#define NOTIFY_INVALID_MESSAGE_ID		9
#define NOTIFY_INVALID_PROTOCOL_ID		10
#define NOTIFY_INVALID_SPI			11
#define NOTIFY_INVALID_TRANSFORM_ID		12
#define NOTIFY_ATTRIBUTES_NOT_SUPPORTED		13
#define NOTIFY_NO_PROPOSAL_CHOSEN		14
#define NOTIFY_BAD_PROPOSAL_SYNTAX		15
#define NOTIFY_PAYLOAD_MALFORMED		16
#define NOTIFY_INVALID_KEY_INFORMATION		17
#define NOTIFY_INVALID_ID_INFORMATION		18
#define NOTIFY_INVALID_CERT_ENCODING		19
#define NOTIFY_INVALID_CERTIFICATE		20
#define NOTIFY_CERT_TYPE_UNSUPPORTED		21
#define NOTIFY_INVALID_CERT_AUTHORITY		22
#define NOTIFY_INVALID_HASH_INFORMATION		23
#define NOTIFY_AUTHENTICATION_FAILED		24
#define NOTIFY_INVALID_SIGNATURE		25
#define NOTIFY_ADDRESS_NOTIFICATION		26
#define NOTIFY_NOTIFY_SA_LIFETIME		27
#define NOTIFY_CERTIFICATE_UNAVAILABLE		28
#define NOTIFY_UNSUPPORTED_EXCHANGE_TYPE	29
#define NOTIFY_UNEQUAL_PAYLOAD_LENGTHS		30

/*
 * Notify type names, indexed by NOTIFY_* (31 entries).  Index 0 is
 * not a valid notify type and is left as the empty string.
 */
#define IKE_NOTIFY_TYPES_INITIALIZER			\
	{ "",						\
	  "INVALID PAYLOAD TYPE",			\
	  "DOI NOT SUPPORTED",				\
	  "SITUATION NOT SUPPORTED",			\
	  "INVALID COOKIE",				\
	  "INVALID MAJOR VERSION",			\
	  "INVALID MINOR VERSION",			\
	  "INVALID EXCHANGE TYPE",			\
	  "INVALID FLAGS",				\
	  "INVALID MESSAGE ID",				\
	  "INVALID PROTOCOL ID",			\
	  "INVALID SPI",				\
	  "INVALID TRANSFORM ID",			\
	  "ATTRIBUTES NOT SUPPORTED",			\
	  "NO PROPOSAL CHOSEN",				\
	  "BAD PROPOSAL SYNTAX",			\
	  "PAYLOAD MALFORMED",				\
	  "INVALID KEY INFORMATION",			\
	  "INVALID ID INFORMATION",			\
	  "INVALID CERT ENCODING",			\
	  "INVALID CERTIFICATE",			\
	  "CERT TYPE UNSUPPORTED",			\
	  "INVALID CERT AUTHORITY",			\
	  "INVALID HASH INFORMATION",			\
	  "AUTHENTICATION FAILED",			\
	  "INVALID SIGNATURE",				\
	  "ADDRESS NOTIFICATION",			\
	  "NOTIFY SA LIFETIME",				\
	  "CERTIFICATE UNAVAILABLE",			\
	  "UNSUPPORTED EXCHANGE TYPE",			\
	  "UNEQUAL PAYLOAD LENGTHS",			\
	}

/* RFC 2407, 4.6.3 — IPsec DOI status notify types (not in the name table). */
#define NOTIFY_IPSEC_RESPONDER_LIFETIME	24576
#define NOTIFY_IPSEC_REPLAY_STATUS	24577
#define NOTIFY_IPSEC_INITIAL_CONTACT	24578

/* RFC 3706, Dead Peer Detection */
#define NOTIFY_STATUS_DPD_R_U_THERE	36136
#define NOTIFY_STATUS_DPD_R_U_THERE_ACK	36137

/* IPsec DOI identification types; index into IPSEC_ID_TYPE_INITIALIZER. */
#define IPSEC_ID_RESERVED		0
#define IPSEC_ID_IPV4_ADDR		1
#define IPSEC_ID_FQDN			2
#define IPSEC_ID_USER_FQDN		3
#define IPSEC_ID_IPV4_ADDR_SUBNET	4
#define IPSEC_ID_IPV6_ADDR		5
#define IPSEC_ID_IPV6_ADDR_SUBNET	6
#define IPSEC_ID_IPV4_ADDR_RANGE	7
#define IPSEC_ID_IPV6_ADDR_RANGE	8
#define IPSEC_ID_DER_ASN1_DN		9
#define IPSEC_ID_DER_ASN1_GN		10
#define IPSEC_ID_KEY_ID			11

/* Identification type names, indexed by IPSEC_ID_* (12 entries). */
#define IPSEC_ID_TYPE_INITIALIZER			\
	{ "RESERVED",					\
	  "IPV4_ADDR",					\
	  "FQDN",					\
	  "USER_FQDN",					\
	  "IPV4_ADDR_SUBNET",				\
	  "IPV6_ADDR",					\
	  "IPV6_ADDR_SUBNET",				\
	  "IPV4_ADDR_RANGE",				\
	  "IPV6_ADDR_RANGE",				\
	  "DER_ASN1_DN",				\
	  "DER_ASN1_GN",				\
	  "KEY_ID",					\
	}

/* IPsec DOI SA attribute classes (RFC 2407, 4.5); index into IPSEC_ATTR_INITIALIZER. */
#define IPSEC_ATTR_SA_LIFE_TYPE			1
#define IPSEC_ATTR_SA_LIFE_DURATION		2
#define IPSEC_ATTR_GROUP_DESCRIPTION		3
#define IPSEC_ATTR_ENCAPSULATION_MODE		4
#define IPSEC_ATTR_AUTHENTICATION_ALGORITHM	5
#define IPSEC_ATTR_KEY_LENGTH			6
#define IPSEC_ATTR_KEY_ROUNDS			7
#define IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE	8
#define IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM	9

/* IPsec DOI attribute class names, indexed by IPSEC_ATTR_* (10 entries). */
#define IPSEC_ATTR_INITIALIZER					\
	{ "NONE", "LIFE_TYPE", "LIFE_DURATION",			\
	  "GROUP_DESCRIPTION", "ENCAPSULATION_MODE",		\
	  "AUTHENTICATION_ALGORITHM", "KEY_LENGTH",		\
	  "KEY_ROUNDS", "COMPRESS_DICTIONARY_SIZE",		\
	  "COMPRESS_PRIVATE_ALGORITHM",				\
	}

/* SA Life Type names (IPSEC_ATTR_SA_LIFE_TYPE). */
#define IPSEC_ATTR_DURATION_INITIALIZER				\
	{ "NONE", "SECONDS", "KILOBYTES",			\
	}
/* Authentication Algorithm names (IPSEC_ATTR_AUTHENTICATION_ALGORITHM), indexed by value. */
#define IPSEC_ATTR_AUTH_INITIALIZER				\
	{ "NONE", "HMAC_MD5", "HMAC_SHA", "DES_MAC", "KPDK",	\
	  "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512",	\
	  "HMAC_RIPEMD",					\
	}
/*
 * AH transform names.  NOTE(review): this table puts "MD5" at index 1,
 * whereas the IPsec DOI numbers AH_MD5 as 2 — confirm whether the
 * consumer subtracts one before indexing, or whether an entry is missing.
 */
#define IPSEC_AH_INITIALIZER					\
	{ "NONE", "MD5", "SHA", "DES", "SHA2_256", "SHA2_384",	\
	  "SHA2_512", "RIPEMD",					\
	}
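/*
 * ESP transform names (RFC 2407, 4.4.4, plus the later AES entries),
 * indexed directly by transform ID; 0 is not assigned.  Entry 1 was
 * misspelled "DEV_IV64" — the transform is ESP_DES_IV64.
 */
#define IPSEC_ESP_INITIALIZER					\
	{ "NONE", "DES_IV64", "DES", "3DES", "RC5", "IDEA",	\
	  "CAST", "BLOWFISH", "3IDEA", "DES_IV32", "RC4",	\
	  "NULL", "AES", "AESCTR"				\
	}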
/* IPCOMP transform names, indexed by transform ID; 0 is not assigned. */
#define IPCOMP_INITIALIZER					\
	{ "NONE", "OUI", "DEFLATE", "LZS", "V42BIS",		\
	}
/*
 * Encapsulation Mode values (IPSEC_ATTR_ENCAPSULATION_MODE) as a
 * value/name table rather than an array, because the two draft values
 * are far from the standard ones.  NOTE(review): the table is never
 * written to and could be declared const if the tok lookup accepts it.
 */
static struct tok ipsec_attr_encap[] = {
	{ 0,	"NONE" },
	{ 1,	"TUNNEL" },
	{ 2,	"TRANSPORT" },
	{ 3,	"UDP_ENCAP_TUNNEL" },
	{ 4,	"UDP_ENCAP_TRANSPORT" },
	{ 61443, "UDP_ENCAP_TUNNEL_DRAFT" },	/* draft-ietf-ipsec-nat-t-ike */
	{ 61444, "UDP_ENCAP_TRANSPORT_DRAFT" }	/* draft-ietf-ipsec-nat-t-ike */
};

/*
 * IKE mode config.
 */

/* Attribute payload message types, indexed by the type octet (0 reserved). */
#define IKE_CFG_ATTRIBUTE_TYPE_INITIALIZER		\
	{ "RESERVED", "CFG_REQUEST", "CFG_REPLY",	\
	  "CFG_SET", "CFG_ACK",				\
	}

/* Mode-config attribute types; index into IKE_CFG_ATTRIBUTE_INITIALIZER. */
#define IKE_CFG_ATTR_INTERNAL_IP4_ADDRESS		1
#define IKE_CFG_ATTR_INTERNAL_IP4_NETMASK		2
#define IKE_CFG_ATTR_INTERNAL_IP4_DNS			3
#define IKE_CFG_ATTR_INTERNAL_IP4_NBNS			4
#define IKE_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY		5
#define IKE_CFG_ATTR_INTERNAL_IP4_DHCP			6
#define IKE_CFG_ATTR_APPLICATION_VERSION		7
#define IKE_CFG_ATTR_INTERNAL_IP6_ADDRESS		8
#define IKE_CFG_ATTR_INTERNAL_IP6_NETMASK		9
#define IKE_CFG_ATTR_INTERNAL_IP6_DNS			10
#define IKE_CFG_ATTR_INTERNAL_IP6_NBNS			11
#define IKE_CFG_ATTR_INTERNAL_IP6_DHCP			12
#define IKE_CFG_ATTR_INTERNAL_IP4_SUBNET		13
#define IKE_CFG_ATTR_SUPPORTED_ATTRIBUTES		14
#define IKE_CFG_ATTR_INTERNAL_IP6_SUBNET		15

/* Mode-config attribute names, indexed by IKE_CFG_ATTR_* (16 entries). */
#define IKE_CFG_ATTRIBUTE_INITIALIZER				\
	{ "RESERVED", "INTERNAL_IP4_ADDRESS",			\
	  "INTERNAL_IP4_NETMASK", "INTERNAL_IP4_DNS",		\
	  "INTERNAL_IP4_NBNS", "INTERNAL_ADDRESS_EXPIRY",	\
	  "INTERNAL_IP4_DHCP", "APPLICATION_VERSION",		\
	  "INTERNAL_IP6_ADDRESS", "INTERNAL_IP6_NETMASK",	\
	  "INTERNAL_IP6_DNS", "INTERNAL_IP6_NBNS",		\
	  "INTERNAL_IP6_DHCP", "INTERNAL_IP4_SUBNET",		\
	  "SUPPORTED_ATTRIBUTES", "INTERNAL_IP6_SUBNET",	\
	}

/*
 * Smallest valid size, in bytes, of each ISAKMP payload including its
 * generic header.  Presumably what the printer insists on before it
 * decodes the payload body — confirm against the consumer.
 */
#define ISAKMP_SA_SZ		 8
#define ISAKMP_PROP_SZ		 8
#define ISAKMP_TRANSFORM_SZ	 8
#define ISAKMP_KE_SZ		 4
#define ISAKMP_ID_SZ		 8
#define ISAKMP_CERT_SZ		 5
#define ISAKMP_CERTREQ_SZ	 5
#define ISAKMP_HASH_SZ		 4
#define ISAKMP_SIG_SZ		 4
#define ISAKMP_NONCE_SZ		 4
#define ISAKMP_NOTIFY_SZ	12
#define ISAKMP_DELETE_SZ	12
#define ISAKMP_VENDOR_SZ	 4
#define ISAKMP_ATTRIBUTE_SZ	 8
#define ISAKMP_NAT_D_SZ		 4
#define ISAKMP_NAT_OA_SZ	 8

/*
 * Minimum lengths indexed by IKEv1 payload type, 0 (NONE) through 14
 * (ATTRIBUTE).  Types 15-21 have no entry, so the index must be
 * checked against the array size before use.
 */
static u_int16_t min_payload_lengths[] = {
	[0]  = 0,			/* NONE */
	[1]  = ISAKMP_SA_SZ,
	[2]  = ISAKMP_PROP_SZ,
	[3]  = ISAKMP_TRANSFORM_SZ,
	[4]  = ISAKMP_KE_SZ,
	[5]  = ISAKMP_ID_SZ,
	[6]  = ISAKMP_CERT_SZ,
	[7]  = ISAKMP_CERTREQ_SZ,
	[8]  = ISAKMP_HASH_SZ,
	[9]  = ISAKMP_SIG_SZ,
	[10] = ISAKMP_NONCE_SZ,
	[11] = ISAKMP_NOTIFY_SZ,
	[12] = ISAKMP_DELETE_SZ,
	[13] = ISAKMP_VENDOR_SZ,
	[14] = ISAKMP_ATTRIBUTE_SZ,
};

/*
 * Same for the private-use range, indexed by (type - 128): only
 * NAT-D-DRAFT (130) and NAT-OA-DRAFT (131) have a known minimum.
 */
static u_int16_t min_priv_payload_lengths[] = {
	[0] = 0,
	[1] = 0,
	[2] = ISAKMP_NAT_D_SZ,
	[3] = ISAKMP_NAT_OA_SZ,
};

/*
 * Known Vendor ID payload bodies.  Each entry carries the number of
 * significant bytes in vid (8 or 16 here), the bytes themselves, and
 * the label associated with them.  Presumably matched by comparing
 * len bytes of the received payload — confirm against the consumer.
 * NOTE(review): name is never modified and could be const char *.
 */
static const struct vendor_id
{
    size_t	 len;		/* valid bytes in vid */
    char	 vid[16];	/* vendor ID bytes as seen on the wire */
    char	*name;		/* human-readable label for a match */
} vendor_ids[] = {
 	{
		16,
		{
			0x44, 0x85, 0x15, 0x2d, 0x18, 0xb6, 0xbb, 0xcd,
			0x0b, 0xe8, 0xa8, 0x46, 0x95, 0x79, 0xdd, 0xcc,
		},
		"v1 NAT-T, draft-ietf-ipsec-nat-t-ike-00",
	},
	{
		16,
		{
			0x90, 0xcb, 0x80, 0x91, 0x3e, 0xbb, 0x69, 0x6e,
			0x08, 0x63, 0x81, 0xb5, 0xec, 0x42, 0x7b, 0x1f,
		},
		"v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02",
	},
	{
		16,
		{
			0xcd, 0x60, 0x46, 0x43, 0x35, 0xdf, 0x21, 0xf8,
			0x7c, 0xfd, 0xb2, 0xfc, 0x68, 0xb6, 0xa4, 0x48,
		},
		/*
		 * The literal backslash-n in this label is presumably
		 * deliberate: it distinguishes this second -02 ID from the
		 * one above.  NOTE(review): confirm before "fixing" it.
		 */
		"v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02\\n",
	},
	{
		16,
		{
			0x7d, 0x94, 0x19, 0xa6, 0x53, 0x10, 0xca, 0x6f,
			0x2c, 0x17, 0x9d, 0x92, 0x15, 0x52, 0x9d, 0x56,
		},
		"v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03",
	},
	{
		16,
		{
			0x99,0x09,0xb6,0x4e,0xed,0x93,0x7c,0x65,
			0x73,0xde,0x52,0xac,0xe9,0x52,0xfa,0x6b,
		},
		"v4 NAT-T, draft-ietf-ipsec-nat-t-ike-04",
	},
	{
		16,
		{
			0x80,0xd0,0xbb,0x3d,0xef,0x54,0x56,0x5e,
			0xe8,0x46,0x45,0xd4,0xc8,0x5c,0xe3,0xee,
		},
		"v5 NAT-T, draft-ietf-ipsec-nat-t-ike-05",
	},
	{
		16,
		{
			0x4d,0x1e,0x0e,0x13,0x6d,0xea,0xfa,0x34,
			0xc4,0xf3,0xea,0x9f,0x02,0xec,0x72,0x85,
		},
		"v6 NAT-T, draft-ietf-ipsec-nat-t-ike-06",
	},
	{
		16,
		{
			0x43,0x9b,0x59,0xf8,0xba,0x67,0x6c,0x4c,
			0x77,0x37,0xae,0x22,0xea,0xb8,0xf5,0x82,
		},
		"v7 NAT-T, draft-ietf-ipsec-nat-t-ike-07",
	},
	{
		16,
		{
			0x8f,0x8d,0x83,0x82,0x6d,0x24,0x6b,0x6f,
			0xc7,0xa8,0xa6,0xa4,0x28,0xc1,0x1d,0xe8,
		},
		"v8 NAT-T, draft-ietf-ipsec-nat-t-ike-08",
	},
	{
		16,
		{
			0x42,0xea,0x5b,0x6f,0x89,0x8d,0x97,0x73,
			0xa5,0x75,0xdf,0x26,0xe7,0xdd,0x19,0xe1,
		},
		"v9 NAT-T, draft-ietf-ipsec-nat-t-ike-09",
	},
	{
		16,
		{
			0xc4,0x0f,0xee,0x00,0xd5,0xd3,0x9d,0xdb,
			0x1f,0xc7,0x62,0xe0,0x9b,0x7c,0xfe,0xa7,
		},
		"Testing NAT-T RFC",
	},
	{
		16,
		{
			0xaf, 0xca, 0xd7, 0x13, 0x68, 0xa1, 0xf1, 0xc9,
			0x6b, 0x86, 0x96, 0xfc, 0x77, 0x57, 0x01, 0x00,
			/* Last "0x01, 0x00" means major v1, minor v0 */
		},
		"DPD v1.0"
	},
	{
		16,
		{
			0x4a, 0x13, 0x1c, 0x81, 0x07, 0x03, 0x58, 0x45,
			0x5c, 0x57, 0x28, 0xf2, 0x0e, 0x95, 0x45, 0x2f,
		},
		"NAT-T, RFC 3947"
	},
	{
		16,
		{
			0x6c, 0x0d, 0xcd, 0x48, 0x1d, 0xea, 0xe8, 0xae,
			0x0b, 0x0a, 0x68, 0x38, 0x4b, 0x30, 0x72, 0xf9,
		},
		"OpenBSD-4.0"
	},
	{
		/* The only 8-byte ID in the table; the rest of vid stays zero. */
		8,
		{
			0x09, 0x00, 0x26, 0x89, 0xdf, 0xd6, 0xb7, 0x12
		},
		"draft-ietf-ipsra-isakmp-xauth-06.txt"
	},
	{
		16,
		{
			0x12,0xf5,0xf2,0x8c,0x45,0x71,0x68,0xa9,
			0x70,0x2d,0x9f,0xe2,0x74,0xcc,0x01,0x00,
			/* Trailing "0x01, 0x00" presumably a version like DPD's — unconfirmed */
		},
		"Cisco Unity",
	}
};