Supported RFCs

FortiOS supports the following RFCs.

BGP

l RFC 4724: Graceful Restart Mechanism for BGP l RFC 4456: BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP) l RFC 4360: BGP Extended Communities Attribute l RFC 4271: A Border Gateway Protocol 4 (BGP-4) l RFC 2918: Route Refresh Capability for BGP-4 l RFC 2545: Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing l RFC 2439: BGP Route Flap Damping l RFC 1997: BGP Communities Attribute l RFC 1930: Guidelines for creation, selection, and registration of an Autonomous System (AS) l RFC 1772: Application of the Border Gateway Protocol in the Internet

Cryptography

• RFC 8031: Curve25519 and Curve448 for the Internet Key Exchange Protocol Version 2 (IKEv2) Key Agreement l RFC 7634: ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec l RFC 7627: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension l RFC 7539: ChaCha20 and Poly1305 for IETF Protocols l RFC 7427: Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) l RFC 7383: Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation l RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2) l RFC 7027: Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS) l RFC 6989: Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)
• RFC 6954: Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol

Version 2 (IKEv2) l RFC 6290: A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) l RFC 6023: A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) l RFC 5723: Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption l RFC 5282: Using Authenticated Encryption Algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) Protocol

• RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile l RFC 4754: IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA) l RFC 4635: HMAC SHA TSIG Algorithm Identifiers l RFC 4492: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)

DHCP

• RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol l RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP) l RFC 3947: Negotiation of NAT-Traversal in the IKE l RFC 3602: The AES-CBC Cipher Algorithm and Its Use with IPsec l RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) l RFC 2986: PKCS #10: Certification Request Syntax Specification Version 1.7 l RFC 2845: Secret Key Transaction Authentication for DNS (TSIG) l RFC 2631: Diffie-Hellman Key Agreement Method l RFC 2451: The ESP CBC-Mode Cipher Algorithms l RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec l RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV l RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH l RFC 2403: The Use of HMAC-MD5-96 within ESP and AH l RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5 l RFC 2104: HMAC: Keyed-Hashing for Message Authentication l RFC 2085: HMAC-MD5 IP Authentication with Replay Prevention l RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management l RFC 1321: The MD5 Message-Digest Algorithm l PKCS #12: PKCS 12 v1: Personal Information Exchange Syntax

DHCP

l RFC 4361: Node-specific Client Identifiers for Dynamic Host Configuration Protocol Version Four (DHCPv4) l RFC 3736: Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6 l RFC 3633: IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6 l RFC 3456: Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode l RFC 3315: Dynamic Host Configuration Protocol for IPv6 (DHCPv6) l RFC 2132: DHCP Options and BOOTP Vendor Extensions l RFC 2131: Dynamic Host Configuration Protocol

Diffserv

l RFC 3260: New Terminology and Clarifications for Diffserv l RFC 2597: Assured Forwarding PHB Group l RFC 2475: An Architecture for Differentiated Services l RFC 2474: Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers 7

DNS

DNS

l RFC 6895: Domain Name System (DNS) IANA Considerations l RFC 6604: xNAME RCODE and Status Bits Clarification l RFC 6147: DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers l RFC 4592: The Role of Wildcards in the Domain Name System l RFC 4035: Protocol Modifications for the DNS Security Extensions l RFC 4034: Resource Records for the DNS Security Extensions l RFC 4033: DNS Security Introduction and Requirements l RFC 3597: Handling of Unknown DNS Resource Record (RR) Types l RFC 3226: DNSSEC and IPv6 A6 aware server/resolver message size requirements l RFC 3007: Secure Domain Name System (DNS) Dynamic Update l RFC 2308: Negative Caching of DNS Queries (DNS NCACHE) l RFC 2181: Clarifications to the DNS Specification l RFC 2136: Dynamic Updates in the Domain Name System (DNS UPDATE) l RFC 1996: A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) l RFC 1995: Incremental Zone Transfer in DNS l RFC 1982: Serial Number Arithmetic l RFC 1876: A Means for Expressing Location Information in the Domain Name System l RFC 1706: DNS NSAP Resource Records l RFC 1183: New DNS RR Definitions l RFC 1101: DNS Encoding of Network Names and Other Types l RFC 1035: Domain Names – Implementation and Specification l RFC 1034: Domain Names – Concepts and Facilities

ICMP

l RFC 6918: Formally Deprecating Some ICMPv4 Message Types l RFC 6633: Deprecation of ICMP Source Quench Messages l RFC 4884: Extended ICMP to Support Multi-Part Messages l RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification l RFC 1191: Path MTU Discovery l RFC 792: Internet Control Message Protocol

IP

• RFC 5798: Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6 l RFC 4301: Security Architecture for the Internet Protocol l RFC 3272: Overview and Principles of Internet Traffic Engineering

IP multicast

• RFC 3168: The Addition of Explicit Congestion Notification (ECN) to IP l RFC 2072: Router Renumbering Guide l RFC 2071: Network Renumbering Overview: Why would I want it and what is it anyway?
• RFC 1918: Address Allocation for Private Internets l RFC 1123: Requirements for Internet Hosts — Application and Support l RFC 1122: Requirements for Internet Hosts — Communication Layers l RFC 791: Internet Protocol

IP multicast

• RFC 5059: Bootstrap Router (BSR) Mechanism for Protocol Independent Multicast (PIM)
• RFC 4604: Using Internet Group Management Protocol Version 3 (IGMPv3) and Multicast Listener Discovery

Protocol Version 2 (MLDv2) for Source-Specific Multicast l RFC 3973: Protocol Independent Multicast – Dense Mode (PIM-DM): Protocol Specification (Revised) l RFC 3956: Embedding the Rendezvous Point (RP) Address in an IPv6 Multicast Address l RFC 3306: Unicast-Prefix-based IPv6 Multicast Addresses l RFC 2365: Administratively Scoped IP Multicast l RFC 1112: Host Extensions for IP Multicasting

IPsec

• RFC 4304: Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet

Security Association and Key Management Protocol (ISAKMP) l RFC 4303: IP Encapsulating Security Payload (ESP)

• RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers

IPv4

l RFC 6864: Updated Specification of the IPv4 ID Field l RFC 5177: Network Mobility (NEMO) Extensions for Mobile IPv4 l RFC 4632: Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan l RFC 3927: Dynamic Configuration of IPv4 Link-Local Addresses l RFC 3021: Using 31-Bit Prefixes on IPv4 Point-to-Point Links l RFC 1812: Requirements for IP Version 4 Routers

IPv6

l RFC 6343: Advisory Guidelines for 6to4 Deployment l RFC 5175: IPv6 Router Advertisement Flags Option

9

IS-IS

• RFC 5095: Deprecation of Type 0 Routing Headers in IPv6 l RFC 4941: Privacy Extensions for Stateless Address Autoconfiguration in IPv6 l RFC 4862: IPv6 Stateless Address Autoconfiguration l RFC 4861: Neighbor Discovery for IP version 6 (IPv6) l RFC 4389: Neighbor Discovery Proxies (ND Proxy) l RFC 4213: Basic Transition Mechanisms for IPv6 Hosts and Routers l RFC 4193: Unique Local IPv6 Unicast Addresses l RFC 4007: IPv6 Scoped Address Architecture l RFC 3971: SEcure Neighbor Discovery (SEND) l RFC 3596: DNS Extensions to Support IP Version 6 l RFC 3587: IPv6 Global Unicast Address Format l RFC 3493: Basic Socket Interface Extensions for IPv6 l RFC 3056: Connection of IPv6 Domains via IPv4 Clouds l RFC 3053: IPv6 Tunnel Broker l RFC 2894: Router Renumbering for IPv6 l RFC 2675: IPv6 Jumbograms l RFC 2185: Routing Aspects Of IPv6 Transition
• RFC 1752: The Recommendation for the IP Next Generation Protocol

IS-IS

l RFC 5310: IS-IS Generic Cryptographic Authentication l RFC 5308: Routing IPv6 with IS-IS l RFC 3359: Reserved Type, Length and Value (TLV) Codepoints in Intermediate System to Intermediate System l RFC 1195: Use of OSI IS-IS for Routing in TCP/IP and Dual Environments

LDAP

• RFC 4513: Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms l RFC 4512: Lightweight Directory Access Protocol (LDAP): Directory Information Models l RFC 4511: Lightweight Directory Access Protocol (LDAP): The Protocol
• RFC 3494: Lightweight Directory Access Protocol version 2 (LDAPv2) to Historic Status

MPLS

• RFC 7026: Retiring TLVs from the Associated Channel Header of the MPLS Generic Associated Channel l RFC 6426: MPLS On-Demand Connectivity Verification and Route Tracing l RFC 6425: Detecting Data-Plane Failures in Point-to-Multipoint MPLS – Extensions to LSP Ping l RFC 6423: Using the Generic Associated Channel Label for Pseudowire in the MPLS Transport Profile (MPLS-TP) l RFC 5586: MPLS Generic Associated Channel

NAT

• RFC 5462: Multiprotocol Label Switching (MPLS) Label Stack Entry: “EXP” Field Renamed to “Traffic Class” Field l RFC 5332: MPLS Multicast Encapsulations l RFC 5129: Explicit Congestion Marking in MPLS l RFC 4448: Encapsulation Methods for Transport of Ethernet over MPLS Networks l RFC 4182: Removing a Restriction on the use of MPLS Explicit NULL l RFC 3564: Requirements for Support of Differentiated Services-aware MPLS Traffic Engineering l RFC 3469: Framework for Multi-Protocol Label Switching (MPLS)-based Recovery l RFC 3443: Time To Live (TTL) Processing in Multi-Protocol Label Switching (MPLS) Networks l RFC 3270: Multi-Protocol Label Switching (MPLS) Support of Differentiated Services l RFC 3032: MPLS Label Stack Encoding

NAT

• RFC 6888: Common Requirements for Carrier-Grade NATs (CGNs) l RFC 6146: Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers l RFC 4966: Reasons to Move the Network Address Translator – Protocol Translator (NAT-PT) to Historic Status l RFC 4787: Network Address Translation (NAT) Behavioral Requirements for Unicast UDP l RFC 4380: Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs) l RFC 3948: UDP Encapsulation of IPsec ESP Packets
• RFC 3022: Traditional IP Network Address Translator (Traditional NAT)

OSPF

l RFC 6860: Hiding Transit-Only Networks in OSPF l RFC 6845: OSPF Hybrid Broadcast and Point-to-Multipoint Interface Type l RFC 5340: OSPF for IPv6 l RFC 4812: OSPF Restart Signaling l RFC 4811: OSPF Out-of-Band Link State Database (LSDB) Resynchronization l RFC 4203: OSPF Extensions in Support of Generalized Multi-Protocol Label Switching (GMPLS) l RFC 3630: Traffic Engineering (TE) Extensions to OSPF Version 2 l RFC 3623: Graceful OSPF Restart l RFC 3509: Alternative Implementations of OSPF Area Border Routers l RFC 3101: The OSPF Not-So-Stubby Area (NSSA) Option l RFC 2328: OSPF Version 2 l RFC 1765: OSPF Database Overflow l RFC 1370: Applicability Statement for OSPF

PPP

PPP

• RFC 2516: A Method for Transmitting PPP Over Ethernet (PPPoE) l RFC 2364: PPP Over AAL5
• RFC 1661: The Point-to-Point Protocol (PPP)

RADIUS

• RFC 5176: Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) l RFC 2866: RADIUS Accounting
• RFC 2548: Microsoft Vendor-specific RADIUS Attributes

RIP

l RFC 4822: RIPv2 Cryptographic Authentication l RFC 2453: RIP Version 2 l RFC 2080: RIPng for IPv6 l RFC 1724: RIP Version 2 MIB Extension l RFC 1058: Routing Information Protocol

SIP

l RFC 3960: Early Media and Ringing Tone Generation in the Session Initiation Protocol (SIP) l RFC 3325: Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks l RFC 3262: Reliability of Provisional Responses in the Session Initiation Protocol (SIP) l RFC 3261: SIP: Session Initiation Protocol

SNMP

• RFC 4293: Management Information Base for the Internet Protocol (IP) l RFC 4273: Definitions of Managed Objects for BGP-4 l RFC 4113: Management Information Base for the User Datagram Protocol (UDP) l RFC 4022: Management Information Base for the Transmission Control Protocol (TCP) l RFC 3635: Definitions of Managed Objects for the Ethernet-like Interface Types l RFC 3417: Transport Mappings for the Simple Network Management Protocol (SNMP) l RFC 3416: Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) l RFC 3414: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) SSL
• RFC 3413: Simple Network Management Protocol (SNMP) Applications l RFC 3412: Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) l RFC 3411: An Architecture for Describing Simple Network Management Protocol (SNMP) Management

Frameworks l RFC 3410: Introduction and Applicability Statements for Internet Standard Management Framework l RFC 2863: The Interfaces Group MIB l RFC 2578: Structure of Management Information Version 2 (SMIv2)

• RFC 1238: CLNS MIB for use with Connectionless Network Protocol (ISO 8473) and End System to Intermediate

System (ISO 9542) l RFC 1215: A Convention for Defining Traps for use with the SNMP l RFC 1213: Management Information Base for Network Management of TCP/IP-based internets: MIB-II l RFC 1212: Concise MIB Definitions l RFC 1157: A Simple Network Management Protocol (SNMP) l RFC 1156: Management Information Base for Network Management of TCP/IP-based internets l RFC 1155: Structure and Identification of Management Information for TCP/IP-based Internets

SSL

l RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 l RFC 6101:The Secure Sockets Layer (SSL) Protocol Version 3.0

TCP

l RFC 6691: TCP Options and Maximum Segment Size (MSS) l RFC 6298: Computing TCP’s Retransmission Timer l RFC 6093: On the Implementation of the TCP Urgent Mechanism l RFC 793: Transmission Control Protocol

TLS

l RFC 6347: Datagram Transport Layer Security Version 1.2 l RFC 6066:Transport Layer Security (TLS) Extensions: Extension Definitions l RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension l RFC 5425: Transport Layer Security (TLS) Transport Mapping for Syslog l RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2 l RFC 4681: TLS User Mapping Extension l RFC 4680: TLS Handshake Message for Supplemental Data

VPN

VPN

• RFC 4761: Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling
• RFC 4684: Constrained Route Distribution for Border Gateway Protocol/MultiProtocol Label Switching (BGP/MPLS)

Internet Protocol (IP) Virtual Private Networks (VPNs) l RFC 4577: OSPF as the Provider/Customer Edge Protocol for BGP/MPLS IP Virtual Private Networks (VPNs) l RFC 4364: BGP/MPLS IP Virtual Private Networks (VPNs)

• RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements

Other protocols

l RFC 5357: A Two-Way Active Measurement Protocol (TWAMP) l RFC 5214: Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) l RFC 4960: Stream Control Transmission Protocol l RFC 4251: The Secure Shell (SSH) Protocol Architecture l RFC 3435: Media Gateway Control Protocol (MGCP) Version 1.0 l RFC 3376 : Internet Group Management Protocol, Version 3 l RFC 2890: Key and Sequence Number Extensions to GRE l RFC 2784: Generic Routing Encapsulation (GRE) l RFC 2661: Layer Two Tunneling Protocol “L2TP” l RFC 2637: Point-to-Point Tunneling Protocol (PPTP) l RFC 2412: The OAKLEY Key Determination Protocol l RFC 2225: Classical IP and ARP over ATM l RFC 2033: Local Mail Transfer Protocol l RFC 1413: Identification Protocol l RFC 1011: Official Internet Protocols l RFC 862: Echo Protocol l RFC 768: User Datagram Protocol l The TACACS+ Protocol

Miscellaneous

• RFC 7348: Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2

Networks over Layer 3 Networks l RFC 4784: Verizon Wireless Dynamic Mobile IP Key Update for cdma2000(R) Networks for cdma2000(R) Networks l RFC 4470: Minimally Covering NSEC Records and DNSSEC On-line Signing l RFC 3985: Pseudo Wire Emulation Edge-to-Edge (PWE3) Architecture l RFC 2979: Behavior of and Requirements for Internet Firewalls

Miscellaneous

• RFC 2827: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address

Spoofing l RFC 2780: IANA Allocation Guidelines For Values In the Internet Protocol and Related Headers l RFC 2647: Benchmarking Terminology for Firewall Performance l RFC 2644: Changing the Default for Directed Broadcasts in Routers l RFC 2231: MIME Parameter Value and Encoded Word Extensions: Character Sets, Languages, and Continuations l RFC 1945: Hypertext Transfer Protocol — HTTP/1.0 l RFC 950: Internet Standard Subnetting Procedure l RFC 894: A Standard for the Transmission of IP Datagrams over Ethernet Networks