22.3. Internet Security Association and Key Management Protocol (ISAKMP)

Internet Security Association and Key Management Protocol (ISAKMP) is used for negotiating, establishing, modifying and deleting SAs and their related parameters. It defines the procedures and packet formats for peer authentication, for the creation and management of SAs, and for key generation techniques. It also includes mechanisms that mitigate certain threats, e.g., Denial of Service (DoS) protection and anti-replay protection.

In ISAKMP, SA and key management are separate from any particular key exchange protocol; so, in a sense, ISAKMP is an "abstract" protocol: it provides a framework for authentication and key management and supports many actual key exchange protocols (e.g., IKE). ISAKMP defines header and payload formats, but needs an instantiation to a specific set of protocols. Such an instantiation is denoted as an ISAKMP Domain of Interpretation (DOI): the example of this for IPsec/IKE is the IPsec DOI [RFC2407].

ISAKMP operates in two phases. During phase 1, peers establish an ISAKMP SA, namely, they authenticate each other and agree on the mechanisms used to secure further communication. In phase 2 this ISAKMP SA is used to negotiate further protocol SAs (e.g., an IPsec/ESP SA). After the initial establishment of an ISAKMP SA, multiple protocol SAs can be established under it.
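A parser for the ISAKMP fixed header and its chain of generic payload headers, added here as an example and not taken from the book; it assumes the field layout of RFC 2408 and builds its own constructed sample message (a first phase-1 Identity Protection message carrying an SA payload and a Vendor ID payload). Besides decoding the fields that distinguish phase 1 from phase 2, it enforces the header and payload length checks a receiver applies before trusting a datagram.

```python
import struct

# ISAKMP fixed header (RFC 2408, section 3.1): 28 bytes, network byte order.
HDR = struct.Struct("!8s8sBBBBII")

# Exchange types from RFC 2408; 32 is Quick Mode, defined by the IPsec DOI (RFC 2407).
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational", 32: "Quick Mode"}

def parse_isakmp(packet: bytes) -> dict:
    """Parse the ISAKMP header and walk the payload chain, rejecting malformed input."""
    if len(packet) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    i_cookie, r_cookie, nxt, version, xchg, flags, msg_id, length = HDR.unpack_from(packet)
    if length != len(packet):
        raise ValueError(f"header length {length} != datagram length {len(packet)}")
    payloads, off = [], HDR.size
    while nxt != 0:                      # Next Payload == 0 (NONE) ends the chain
        if off + 4 > len(packet):
            raise ValueError("truncated generic payload header")
        ptype = nxt
        nxt, _reserved, plen = struct.unpack_from("!BBH", packet, off)
        if plen < 4 or off + plen > len(packet):
            raise ValueError(f"payload type {ptype} has bad length {plen}")
        payloads.append(ptype)
        off += plen
    if off != len(packet):
        raise ValueError("trailing bytes after last payload")
    return {
        "initiator_cookie": i_cookie.hex(),
        "responder_cookie": r_cookie.hex(),        # all-zero in the very first message
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
        "encrypted": bool(flags & 0x01),           # E bit: payloads after the header are encrypted
        "phase": 1 if msg_id == 0 else 2,          # Message ID is 0 in phase 1, non-zero in phase 2
        "payloads": payloads,                      # 1 = SA, 13 = Vendor ID, ...
    }

def build_sample() -> bytes:
    """Constructed first message of a phase-1 Identity Protection exchange (not a capture)."""
    sa = struct.pack("!BBH", 13, 0, 12) + struct.pack("!II", 1, 1)   # SA: next=VID, DOI=1 (IPsec), SIT_IDENTITY_ONLY
    vid = struct.pack("!BBH", 0, 0, 8) + b"\xde\xad\xbe\xef"          # Vendor ID: next=NONE, constructed value
    hdr = HDR.pack(b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0, HDR.size + len(sa) + len(vid))
    return hdr + sa + vid

if __name__ == "__main__":
    print(parse_isakmp(build_sample()))
```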

Figure 22.1. ESP packet format.
