IPsec ISAKMP: Internet Security Association and Key Management Protocol
Internet Security Association and Key Management Protocol (ISAKMP), a key protocol in the IPsec (IP Security) architecture, combines the security concepts of authentication, key management and security associations to establish the required security for government, commercial and private communications on the Internet.
The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SAs). SAs contain all the information required for execution of various network security services, such as IP layer services (header authentication and payload encapsulation), transport or application layer services, or self-protection of negotiation traffic. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data independent of the key generation technique, encryption algorithm and authentication mechanism.
ISAKMP is distinct from key exchange protocols in order to cleanly separate the details of security association management (and key management) from the details of key exchange. There may be many different key exchange protocols, each with different security properties. However, a common framework is required for agreeing on the format of SA attributes and for negotiating, modifying and deleting SAs. ISAKMP serves as this common framework.
Separating the functionality into three parts adds complexity to the security analysis of a complete ISAKMP implementation. However, the separation is critical for interoperability between systems with differing security requirements and should also simplify the analysis of further evolution of an ISAKMP server.
ISAKMP is intended to support the negotiation of SAs for security protocols at all layers of the network stack (e.g., IPsec, TLS, TLSP, OSPF). By centralizing the management of security associations, ISAKMP reduces the amount of duplicated functionality within each security protocol. ISAKMP can also reduce connection setup time by negotiating a whole stack of services at once.
Within ISAKMP, a Domain of Interpretation (DOI) is used to group related protocols that use ISAKMP to negotiate security associations. Security protocols sharing a DOI choose security protocol and cryptographic transforms from a common namespace and share key exchange protocol identifiers. They also share a common interpretation of DOI-specific payload data content, including the Security Association and Identification payloads.
Overall, ISAKMP places requirements on a DOI definition to define the following:
Protocol Structure - IPsec ISAKMP: Internet Security Association and Key Management Protocol

Fixed ISAKMP header (bit offsets 8, 12, 16, 24 and 32 mark the field boundaries of the third row):

+----------+-------+-------+---------------+-------+
| Initiator Cookie (64 bits)                       |
+--------------------------------------------------+
| Responder Cookie (64 bits)                       |
+--------------------------------------------------+
| Next     | MjVer | MnVer | Exchange Type | Flags |
| Payload  | 4 bit | 4 bit | 8 bit         | 8 bit |
| 8 bit    |       |       |               |       |
+----------+-------+-------+---------------+-------+
| Message ID (32 bits)                             |
+--------------------------------------------------+
| Length (32 bits)                                 |
+--------------------------------------------------+

-
Initiator Cookie – Cookie of the entity that initiated SA establishment, SA notification or SA deletion.
- Responder Cookie – Cookie of the entity that is responding to an SA establishment request, SA notification or SA deletion.
- Next Payload – The type of the first payload that follows the header in the message.
- Major Version (MjVer) – The major version of the ISAKMP protocol in use.
- Minor Version (MnVer) – The minor version of the ISAKMP protocol in use.
- Exchange Type – The type of exchange being used.
- Flags – Various options that are set for the ISAKMP exchange.
- Message ID – A unique message identifier used to identify protocol state during Phase 2 negotiations.
- Length – Length of the total message (header + payloads) in octets.
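As a worked illustration of the header layout described above, the following Python is an added example (not code from the original page or from any ISAKMP implementation) that packs and parses the fixed 28-octet header with the field widths and order given in RFC 2408. The exchange type names, flag bits and the Phase 1 Message ID rule are taken from RFC 2408; the sample datagram, its cookie value and the 12-byte placeholder body are constructed here and are not real traffic. The validation in parse_isakmp_header shows the checks a receiver should make before touching any payload, in particular that the Length field, which arrives from the wire, is consistent with the datagram actually received.

```python
import struct

# Fixed 28-octet ISAKMP header as laid out in RFC 2408 section 3.1, in
# network byte order: Initiator Cookie (8), Responder Cookie (8),
# Next Payload (1), Major/Minor Version packed in one octet (4 bits each),
# Exchange Type (1), Flags (1), Message ID (4), Length (4).
HEADER_FORMAT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FORMAT)  # 28 octets

# Exchange Type values assigned in RFC 2408 section 3.1.
EXCHANGE_TYPES = {
    0: "None",
    1: "Base",
    2: "Identity Protection",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
}

# Flag bits from RFC 2408 section 3.1: E(ncryption), C(ommit),
# A(uthentication only). All other bits are reserved and must be zero.
FLAG_ENCRYPTION = 0x01
FLAG_COMMIT = 0x02
FLAG_AUTH_ONLY = 0x04
KNOWN_FLAGS = FLAG_ENCRYPTION | FLAG_COMMIT | FLAG_AUTH_ONLY

# Next Payload value for a Security Association payload (RFC 2408 3.1).
PAYLOAD_SA = 1


class ISAKMPHeaderError(ValueError):
    """Raised when a datagram does not carry a well-formed ISAKMP header."""


def build_isakmp_header(initiator_cookie, responder_cookie, next_payload,
                        exchange_type, flags, message_id, body):
    """Return header + body. Length is computed from the body because the
    field is defined as the size of the whole message (header + payloads)."""
    if len(initiator_cookie) != 8 or len(responder_cookie) != 8:
        raise ISAKMPHeaderError("cookies must be exactly 8 octets")
    version = (1 << 4) | 0  # ISAKMP major version 1, minor version 0
    header = struct.pack(HEADER_FORMAT, initiator_cookie, responder_cookie,
                         next_payload, version, exchange_type, flags,
                         message_id, HEADER_LEN + len(body))
    return header + body


def parse_isakmp_header(datagram):
    """Parse and validate the fixed header of one received datagram.

    Returns the decoded fields plus the payload bytes covered by Length.
    Every check is against the header's own definition, so a datagram that
    fails here is dropped before any payload parsing happens."""
    if len(datagram) < HEADER_LEN:
        raise ISAKMPHeaderError(
            f"datagram is {len(datagram)} octets, header needs {HEADER_LEN}")
    (icookie, rcookie, next_payload, version, exch_type,
     flags, message_id, length) = struct.unpack(HEADER_FORMAT, datagram[:HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    if major != 1:
        raise ISAKMPHeaderError(f"unsupported ISAKMP major version {major}")
    if exch_type not in EXCHANGE_TYPES:
        raise ISAKMPHeaderError(f"unknown exchange type {exch_type}")
    if flags & ~KNOWN_FLAGS:
        raise ISAKMPHeaderError(f"reserved flag bits set: {flags:#04x}")
    # Length is wire data under the sender's control: it must cover at least
    # the header and must not claim more octets than were actually received.
    if length < HEADER_LEN or length > len(datagram):
        raise ISAKMPHeaderError(
            f"Length {length} inconsistent with {len(datagram)}-octet datagram")
    return {
        "initiator_cookie": icookie,
        "responder_cookie": rcookie,
        "next_payload": next_payload,
        "major_version": major,
        "minor_version": minor,
        "exchange_type": EXCHANGE_TYPES[exch_type],
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "commit": bool(flags & FLAG_COMMIT),
        "message_id": message_id,
        "length": length,
        "payloads": datagram[HEADER_LEN:length],
    }


# Constructed sample: the first message of an Identity Protection exchange.
# The responder cookie is still all zero because no responder has answered
# yet, and Message ID is 0 because this is a Phase 1 message (RFC 2408 3.1).
SAMPLE_BODY = b"\x00" * 12  # placeholder octets standing in for an SA payload
SAMPLE_DATAGRAM = build_isakmp_header(
    initiator_cookie=bytes.fromhex("0123456789abcdef"),  # constructed value
    responder_cookie=bytes(8),
    next_payload=PAYLOAD_SA,
    exchange_type=2,
    flags=0,
    message_id=0,
    body=SAMPLE_BODY,
)

if __name__ == "__main__":
    hdr = parse_isakmp_header(SAMPLE_DATAGRAM)
    print(hdr["exchange_type"], hdr["major_version"], hdr["length"])
```

Slicing the payload region as datagram[HEADER_LEN:length] rather than trusting Length alone is the point of the consistency check: an oversized Length would otherwise let later payload parsing read past the data that was actually received, and an undersized one would hide trailing bytes from inspection.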
Related Protocols
IPsec, ESP, AH, DES, AES, IKE, DOI, HMAC, HMAC-MD5, HMAC-SHA, PKI, IP, IPv6, ICMP
Sponsor Source
ISAKMP is defined by the IETF (www.ietf.org) in RFC 2408.
Reference
http://www.javvin.com/protocol/rfc2408.pdf: Internet Security Association and Key Management Protocol (ISAKMP)