Security Association Negotiation and Key Management

To establish an SA between communicating entities, the entities must first agree on a common security policy and a compatible set of cryptographic algorithms. To exchange the corresponding information securely, they must also agree on a shared key or secret. This key is either negotiated over a potentially insecure communication path (shared secret) or based on previously defined and authenticated certificates (either through a trusted public key infrastructure or through out-of-band distribution and verification of certificates).

The corresponding standard, the Internet Key Exchange (IKE, RFC 2409), describes a protocol that allows communicating entities to obtain authenticated keying material and to manage Security Associations for the use of the AH and ESP services within IPSEC. From an IPSEC point of view, IKE is considered an application-layer protocol, and it runs on port 500/UDP. Thus, other key management frameworks besides the default IKE could be provided.

IKE is a collection and selective adaptation of three more general protocols:

  • The Internet Security Association and Key Management Protocol (ISAKMP, RFC 2408) provides a general framework for handling SAs and key exchange, but does not define them specifically. To suit the IPSEC requirements, the Internet IP Security Domain of Interpretation (DOI, RFC 2407) describes the tailoring and parameterization of ISAKMP to be used in IPSEC. In particular, ...
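Every IKE message carried on 500/UDP begins with the fixed 28-byte ISAKMP header defined in RFC 2408. The following Python sketch is an added example, not code from the book; it parses and sanity-checks that header, as a monitoring or triage tool would. The function names and the sample datagram are constructed for illustration.

```python
import struct

# Fixed ISAKMP header (RFC 2408, section 3.1): 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

# Exchange types 1-5 are defined by ISAKMP, 32 and 33 by IKE (RFC 2409).
EXCHANGE_TYPES = {
    1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode",
}

def parse_isakmp_header(datagram: bytes) -> dict:
    """Parse and sanity-check the fixed header of one UDP/500 payload."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    (i_cookie, r_cookie, next_payload, version,
     exchange, flags, message_id, length) = ISAKMP_HDR.unpack_from(datagram)
    # The length field covers header plus payloads; reject impossible values.
    if length < ISAKMP_HDR.size or length > len(datagram):
        raise ValueError("declared length inconsistent with datagram size")
    return {
        "initiator_cookie": i_cookie.hex(),
        "responder_cookie": r_cookie.hex(),
        # An all-zero responder cookie marks the first message of an exchange.
        "first_message": r_cookie == bytes(8),
        "next_payload": next_payload,            # 1 = Security Association
        "version": (version >> 4, version & 0x0F),
        "exchange": EXCHANGE_TYPES.get(exchange, f"unknown ({exchange})"),
        "encrypted": bool(flags & 0x01),
        "commit": bool(flags & 0x02),
        "auth_only": bool(flags & 0x04),
        "message_id": message_id,
        "length": length,
    }

def sample_main_mode_message() -> bytes:
    """Constructed sample: header of a first Main Mode message + dummy body."""
    body = bytes(20)  # placeholder payload bytes, not a valid SA payload
    return ISAKMP_HDR.pack(bytes.fromhex("0102030405060708"), bytes(8),
                           1, 0x10, 2, 0x00, 0, ISAKMP_HDR.size + len(body)) + body

if __name__ == "__main__":
    for field, value in parse_isakmp_header(sample_main_mode_message()).items():
        print(f"{field:17} {value}")
```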
