The use the nonce payload wil dictated the key exchange

NETWORK LAYER SECURITY 265

additional Transform payloads in the proposal. This field is 0 when the current Transform Payload is the last within the proposal.

The SA Attributes field (variable length) contains the security association (SA) attributes as defined for the transform given in the Transform-id field. The SA Attributes should be represented using the Data Attributes format. These Data Attributes are not an ISAKMP payload, but are contained within ISAKMP payloads. The format of the Data Attributes provides the flexibility for representation of many different types of information. There may be multiple Data Attributes within a payload. The length of the Data Attributes will either be 4 octets or defined by the Attribute Length field (16 bits). If the SA Attributes are not aligned on 4-byte boundaries, then subsequent payloads will not be aligned and any padding will be added at the end of the message to make th message 4-byte aligned.

The payload type for the Transform Payload is three (3).

The Reserved field (8 bits) is unused for the future use, set to 0.

The Payload Length field (16 bits) is the length in octets of the current payload, including the generic payload header.

The Identification Payload fields are described as follows:

The Next Payload field (8 bits) is the identifier for the payload type of the Next Payload in the message. If the current payload is the last in the message, then this field will be 0.

The Identification Data field (variable length) contains identity information. The values for this field are DOI-specific and the format is specified by the ID Type field. Specific details for the IETF IPsec DOI identification data are detailed in RFC 2407.

The payload type for the Identification Payload is five(5).

The Reserved field (8 bits) is unused, set to 0.

The Payload Length field (16 bits) is the length in octets of the current payload, including the generic payload header.

The Certificate Data field (variable length) denotes actual encoding of certificate data. The type of certificate is indicated by the Certificate Encoding field.

The Payload type for the Certificate payload is six(6).

The Reserved field (8 bits) is not used, set to 0.

The Payload Length field (16 bits) is the length in octets of the current payload, including the generic payload header.

The Hash Payload contains data generated by the hash function over some part of the message and/or ISAKMP state. This payload possibly be used to verify the integrity of the data in an ISAKMP message or for authentication of the negotiating entities.

The Hash Payload fields are defined as follows:

The Hash Data field (variable length) is the data that results from applying the hash routine to the ISAKMP message and/or state.

The payload type for the Hash Payload is eight(8).

The Reserved field (8 bits) is not used, but set to 0.

The Payload Length field (16 bits) is the length in octets of the current payload, including the generic payload header.

The Nonce Payload fields are defined as follows:

The Next Payload field (8 bits) is the identifier for the payload type of the next payload in the message. If the current payload is the last in the message, then this field will be 0.

Notification Payload

The Notification Payload can contain both ISAKMP and DOI-specific data and is used to transmit information data, such as error conditions to an ISAKMP peer. It is possible to send multiple Notification Payloads in a single ISAKMP message. Notification which

The Reserved field (8 bits) is unused, but set to 0.

The Payload Length field (16 bits) is the length in octets of the current payload, including the generic payload header.

The Notify Message Type field (16 bits) specifies the type of notification message. Addi-tional text, if specified by the DOI, is placed in the Notification Data field.

The Security Parameter Index (SPI) field has the variable length. The length of this field is determined by the SPI Size field and is not necessarily aligned to a 4-octet boundary. During the SA establishment, a SPI must be generated. ISAKMP is designed to handle variable sized SPIs. This is accomplished by using the SPI Size field within the Proposal payload during SA establishment.

The Delete Payload fields are defined as follows:

The Next Payload field (8 bits) is the identifier for the payload type of the next payload in the message. If the current payload is the last in the message, then this field will be 0.