Network Systems DesignLine | IPsec, a Tutorial--Part VIII

IPsec, a Tutorial--Part VIII

Part VIII of IPsec, A Tutorial, a Network Systems DesignLine multi-part series, explores IKE and ISAKMP, beginning with terminology and background.

Earlier installments: Parts I, II, III, IV, V, VI, and VII.

IKE and ISAKMP
Internet Key Exchange (IKE) and the Internet Security Association and Key Management Protocol (ISAKMP) were designed to let crypto endpoints exchange keys dynamically and negotiate security associations. Unlike the manually keyed SAs in the examples we have discussed so far, IKE-negotiated SAs can be established on the fly and torn down when their negotiated lifetime expires. As discussed earlier, IPsec involves two kinds of SA. The first is the IPsec SA, which we reviewed in fair detail in Examples 1 through 9. The second, which we have yet to discuss in detail, is the IKE SA. It is over this SA, the one that IKE establishes, that IPsec can dynamically establish and tear down its own SAs between crypto endpoints.

IKE and ISAKMP Terminology and Background
ISAKMP was originally defined as a framework providing two services critical to growing IPsec environments: dynamic establishment of security associations and dynamic exchange of cryptographic keys over a secure channel. To that end, ISAKMP defines procedures for:

  • Crypto endpoint authentication
  • SA negotiation, maintenance, and timeout (for both the IKE SA and the IPsec SAs it protects)
  • Cryptographic key generation and exchange (in IKE, Diffie-Hellman)
  • Threat mitigation (antireplay protection and denial-of-service mitigation, including the anti-clogging cookies carried in every ISAKMP header)

ISAKMP, however, is only a framework for delivering these services; it does not itself define the key exchange that implements them. It is designed to be key-exchange independent and can carry a number of key exchange protocols. In the IPsec world we are concerned with one of them: IKE.

IKE, the protocol used for key exchange and SA negotiation in IPsec today, uses the ISAKMP framework to deliver authentication, SA negotiation, key generation and exchange, and the framework's native threat mitigation services. IKE draws on two earlier key exchange protocols, Oakley and SKEME, fitted within the ISAKMP framework. Oakley describes a series of key exchanges, called modes, and the services each provides, such as perfect forward secrecy for keys, identity protection, and authentication. SKEME describes a versatile key exchange technique that provides anonymity, repudiability, and quick key refreshment. IKE combines the strengths of Oakley and SKEME in one protocol for establishing a secure channel over which to negotiate IPsec SAs.

Because IKE is the key exchange IPsec uses within ISAKMP, we discuss Oakley and SKEME only insofar as they bear on IKE. In-depth coverage of either protocol is outside the scope of this work.

IKE SA Negotiation and Maintenance
The concept of an IPsec SA lifetime does not exist when using manual keys: every security parameter that makes up a manually keyed IPsec SA is defined by hand and stays in the SADB until an administrator removes it. This is not the case with IKE/ISAKMP. IKE creates IPsec SAs dynamically when traffic matching the IPsec policy is transmitted, by exchanging a series of ISAKMP messages over UDP port 500 (UDP port 4500 when NAT traversal is in use). IKE also lets the crypto endpoints negotiate a lifetime for each SA, expressed in seconds, in kilobytes of protected traffic, or both; when the two sides propose different values, the responder applies the shorter one. A bounded lifetime limits how much traffic any single key protects, and it lets administrators use the SADB more efficiently by establishing security associations only when needed and automatically tearing down stale SAs at the end of their agreed-upon lifetime. Example 10 illustrates the configuration of the IPsec SA lifetime that Charlie would like to negotiate with James during IKE.
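As an added example, not part of the original tutorial, the following Python shows two of the ISAKMP mechanics described above in working code: the fixed 28-byte ISAKMP header with its anti-clogging cookies (the DoS mitigation listed earlier) and the header and payload-length checks a responder should make before touching any cryptography, and the encoding of the IPsec DOI lifetime attributes that a configuration like Example 10 turns into a proposal, with the responder settling on the shorter lifetime. Field layouts and attribute codes follow RFC 2408 and RFC 2407. Two simplifications are the example's own: the attribute block sits directly behind the SA payload header (on the wire it is nested inside Proposal and Transform payloads under the SA payload), and the Quick Mode message is shown unencrypted. The cookie construction (HMAC-SHA256 over the peer addresses and time with a local secret, truncated to 8 bytes) is one way to follow the RFC's recommendation, not something the RFC mandates. The addresses, secrets, times and lifetimes are constructed for the example.

```python
import hashlib
import hmac
import struct

# ISAKMP fixed header, 28 bytes (RFC 2408 sec. 3.1): initiator cookie, responder cookie,
# next payload, version (major/minor nibbles), exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_VERSION_1_0 = 0x10

PAYLOAD_NONE, PAYLOAD_SA = 0, 1   # payload type codes (RFC 2408 sec. 3.1)
EXCH_IDENTITY_PROTECTION = 2      # Main Mode: phase 1, builds the IKE SA
EXCH_QUICK_MODE = 32              # Quick Mode: phase 2, builds IPsec SAs (IPsec DOI, RFC 2407)

# IPsec DOI SA attributes (RFC 2407 sec. 4.5) and life-type values
ATTR_SA_LIFE_TYPE, ATTR_SA_LIFE_DURATION = 1, 2
LIFE_SECONDS, LIFE_KILOBYTES = 1, 2


def make_cookie(secret: bytes, src: str, dst: str, when: int) -> bytes:
    """Anti-clogging cookie. RFC 2408 sec. 2.5.3 recommends hashing the peer addresses, a local
    secret and the time so a flood of forged first messages costs the responder no state.
    Using HMAC-SHA256 truncated to 8 bytes is this example's choice (assumption), not the RFC's."""
    return hmac.new(secret, f"{src}|{dst}|{when}".encode(), hashlib.sha256).digest()[:8]


def encode_attr(attr_type: int, value: int) -> bytes:
    """Data attribute (RFC 2408 sec. 3.3): AF=1 -> type + 2-byte value; AF=0 -> type + length + value."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | attr_type, value)
    raw = value.to_bytes(4, "big")
    return struct.pack("!HH", attr_type, len(raw)) + raw


def decode_attrs(buf: bytes) -> dict:
    attrs, off = {}, 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated attribute header")
        type_af, val = struct.unpack_from("!HH", buf, off)
        off += 4
        if type_af & 0x8000:
            attrs[type_af & 0x7FFF] = val
        else:
            if off + val > len(buf):
                raise ValueError("attribute length exceeds payload")
            attrs[type_af & 0x7FFF] = int.from_bytes(buf[off:off + val], "big")
            off += val
    return attrs


def build_message(i_cookie, r_cookie, exchange, msg_id, payload_type, body):
    """One payload behind a generic payload header (next payload, reserved, length) plus the fixed header.
    Simplified: real Quick Mode nests Proposal and Transform payloads under the SA payload and encrypts."""
    payload = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(body)) + body
    hdr = ISAKMP_HDR.pack(i_cookie, r_cookie, payload_type, ISAKMP_VERSION_1_0,
                          exchange, 0, msg_id, ISAKMP_HDR.size + len(payload))
    return hdr + payload


def parse_message(pkt: bytes):
    """Header sanity checks a responder performs before any crypto, then a walk of the payload chain."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("short header")
    ic, rc, ptype, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(pkt)
    if ver >> 4 != 1:
        raise ValueError("unsupported ISAKMP major version")
    if length != len(pkt):
        raise ValueError("length field does not match datagram")
    if ic == bytes(8):
        raise ValueError("initiator cookie must not be zero")
    # Message ID is 0 throughout phase 1; a zero responder cookie is legal only in the first phase 1 message.
    if rc == bytes(8) and (msg_id != 0 or exch == EXCH_QUICK_MODE):
        raise ValueError("responder cookie missing outside the first phase 1 message")
    payloads, off = [], ISAKMP_HDR.size
    while ptype != PAYLOAD_NONE:
        if off + 4 > length:
            raise ValueError("payload header past end of message")
        nxt, _reserved, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        payloads.append((ptype, pkt[off + 4:off + plen]))
        off, ptype = off + plen, nxt
    if off != length:
        raise ValueError("trailing bytes after last payload")
    return {"exchange": exch, "msg_id": msg_id, "i_cookie": ic, "r_cookie": rc}, payloads


def negotiate_lifetime(offered_seconds: int, local_seconds: int) -> int:
    """Responder keeps the shorter lifetime (RFC 2407 sec. 4.6.3.1 lets it report this with RESPONDER-LIFETIME)."""
    return min(offered_seconds, local_seconds)


def demo() -> int:
    # Constructed exchange: Charlie (initiator) proposes a 3600 s IPsec SA lifetime in Quick Mode;
    # James (responder) is configured for 1800 s. Addresses, secrets and timestamp are made up.
    ic = make_cookie(b"charlie-local-secret", "192.0.2.1", "192.0.2.2", 1700000000)
    rc = make_cookie(b"james-local-secret", "192.0.2.2", "192.0.2.1", 1700000000)
    proposal = encode_attr(ATTR_SA_LIFE_TYPE, LIFE_SECONDS) + encode_attr(ATTR_SA_LIFE_DURATION, 3600)
    pkt = build_message(ic, rc, EXCH_QUICK_MODE, 0x2A, PAYLOAD_SA, proposal)
    _hdr, payloads = parse_message(pkt)
    attrs = decode_attrs(payloads[0][1])
    if attrs[ATTR_SA_LIFE_TYPE] != LIFE_SECONDS:
        raise ValueError("only time-based lifetimes handled in this example")
    return negotiate_lifetime(attrs[ATTR_SA_LIFE_DURATION], 1800)  # -> 1800


if __name__ == "__main__":
    print("negotiated IPsec SA lifetime:", demo(), "seconds")
```

The length checks in parse_message are the part worth copying: every ISAKMP length field (header and each payload) is attacker-controlled until phase 1 authentication completes, so each one is validated against the datagram before it is used as an offset.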


Example 10. Charlie Specifies a Lifetime for His IPsec SAs, Negotiated with James During IKE


