|Email This Page
Internet Security Association and Key Management Protocol
Internet Security Association and Key Management Protocol (ISAKMP),
a key protocol in the IPsec (Internet Security) architecture, combines
the security concepts of authentication, key management and security
associations to establish the required security for government,
commercial and private communications on the Internet.
Internet Security Association and Key Management Protocol (ISAKMP)
defines procedures and packet formats to establish, negotiate, modify
and delete Security Associations (SAs). SAs contain all the
information required for execution of various network security
services, such as the IP layer services (such as header authentication
and payload encapsulation), transport or application layer services,
or self-protection of negotiation traffic. ISAKMP defines payloads for
exchanging key generation and authentication data. These formats
provide a consistent framework for transferring key and authentication
data independent of the key generation technique, encryption algorithm
and authentication mechanism.
is distinct from key exchange protocols in order to cleanly separate
the details of security association management (and key management)
from the details of key exchange. There may be many different key
exchange protocols, each with different security properties. However,
a common framework is required for agreeing to the format of SA
attributes and for negotiating, modifying and deleting SAs. ISAKMP
serves as this common framework.
the functionality into three parts adds complexity to the security
analysis of a complete ISAKMP implementation. However, the separation
is critical for interoperability between systems with differing
security requirements and should also simplify the analysis of further
evolution of an ISAKMP server.
is intended to support the negotiation of SAs for security protocols
at all layers of the network stack (e.g., IPSEC, TLS, TLSP, OSPF,
etc). By centralizing the management of the security associations,
ISAKMP reduces the amount of duplicated functionality within each
security protocol. ISAKMP can also reduce connection setup time by
negotiating a whole stack of services at once.
Within ISAKMP, a Domain of Interpretation (DOI) is
used to group related protocols, using ISAKMP to negotiate security
associations. Security protocols sharing a DOI choose security
protocol and cryptographic transforms from a common namespace and
share key exchange protocol identifiers. They also share a common
interpretation of DOI-specific payload data content, including the
Security Association and Identification payloads.
Overall, ISAKMP places requirements on a DOI
definition to define the following:
Protocol Structure - IPsec ISAKMP: Internet
Security Association and Key Management Protocol
Initiator Cookie – The
Initiator Cookie: Cookie of the entity that initiated SA
establishment, SA notification or SA deletion
Responder Cookie – The
Responder Cookie: Cookie of the entity that is responding to an SA
establishment request, SA notification or SA deletion.
Next Payload – The
type of the next payload in the message.
Major Version – The
major version of the ISAKMP protocol in use.
Minor Version – The
minor version of the ISAKMP protocol in use.
Exchange Type – The
type of exchange being used
Flags – Various options that are
set for the ISAKMP exchange.
Message ID – A
Unique Message Identifier used to identify protocol state during Phase
Length – Length of total message (header + payloads) in octets.
AH, DES, AES, IKE,
DOI, HMAC, HMAC-MD5, HMAC-SHA, PKI,
ISAKMP is defined by IETF (www.ietf.org
) in RFC 2408.
Internet Security Association and Key Management