Internet Security Association and Key Management Protocol
ISAKMP is a protocol defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an Internet environment. ISAKMP only provides a framework for authentication and key exchange and is designed to be key exchange independent; protocols such as Internet Key Exchange (IKE) and Kerberized Internet Negotiation of Keys (KINK) provide authenticated keying material for use with ISAKMP.

Overview

ISAKMP defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques, and threat mitigation (e.g. denial of service and replay attacks). As a framework, ISAKMP is typically utilized by IKE for key exchange, although other methods have been implemented, such as Kerberized Internet Negotiation of Keys. A preliminary SA is formed using this protocol; a fresh keying is done later.

ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations. SAs contain all the information required to execute various network security services: IP layer services (header authentication and payload encapsulation), transport or application layer services, or self-protection of the negotiation traffic itself. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data that is independent of the key generation technique, encryption algorithm and authentication mechanism.

ISAKMP is distinct from key exchange (key-agreement) protocols in order to cleanly separate the details of security association management (and key management) from the details of key exchange. There may be many different key exchange protocols, each with different security properties. However, a common framework is required for agreeing to the format of SA attributes, and for negotiating, modifying, and deleting SAs. ISAKMP serves as this common framework.

ISAKMP can be implemented over any transport protocol. All implementations must include send and receive capability for ISAKMP using UDP on port 500.
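The packet formats, payload chaining and UDP port 500 transport mentioned above are easiest to see by decoding a datagram. The following is an added example, not code from the original article or from any of the implementations it names (racoon, the Windows IPsec service). It parses the RFC 2408 fixed 28-byte header and the generic payload chain with the bounds checks a receiver or passive monitor needs, and runs over a constructed (not captured) first message of an Identity Protection exchange. Field positions and type numbers follow RFC 2408 sections 3.1 and 3.2 and the IPsec DOI number from RFC 2407; the cookies, the vendor ID string and the omission of proposal sub-payloads inside the SA body are assumptions made for brevity.

```python
"""Parser for the ISAKMP fixed header and generic payload chain (RFC 2408).
Added example, not from the original article; the sample datagram is constructed."""
import struct

HEADER_LEN = 28       # fixed ISAKMP header, RFC 2408 section 3.1
PAYLOAD_HDR_LEN = 4   # generic payload header: next payload, reserved, length

# Next Payload and Exchange Type values, RFC 2408 section 3.1.
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}
EXCHANGE_TYPES = {
    0: "NONE", 1: "Base", 2: "Identity Protection",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
}
FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04


class IsakmpError(ValueError):
    """Datagram does not conform to RFC 2408 framing; a receiver should drop it."""


def parse_header(data: bytes) -> dict:
    """Decode the 28-byte header and cross-check its Length against the datagram."""
    if len(data) < HEADER_LEN:
        raise IsakmpError("datagram shorter than the 28-byte ISAKMP header")
    icookie, rcookie, nxt, ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:HEADER_LEN])
    if ver >> 4 != 1:
        raise IsakmpError(f"unsupported ISAKMP major version {ver >> 4}")
    if length != len(data):
        raise IsakmpError(f"header Length {length} != datagram length {len(data)}")
    return {
        "initiator_cookie": icookie, "responder_cookie": rcookie,
        "next_payload": nxt, "version": (ver >> 4, ver & 0x0F),
        "exchange_type": EXCHANGE_TYPES.get(exch, f"UNKNOWN({exch})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "commit": bool(flags & FLAG_COMMIT),
        "auth_only": bool(flags & FLAG_AUTH_ONLY),
        "message_id": msg_id, "length": length,
    }


def parse_payloads(data: bytes, first_type: int) -> list:
    """Walk the payload chain after the header; each payload names the next one."""
    payloads, offset, ptype = [], HEADER_LEN, first_type
    while ptype != 0:
        if offset + PAYLOAD_HDR_LEN > len(data):
            raise IsakmpError(f"payload header at offset {offset} runs past the datagram")
        next_type, _reserved, plen = struct.unpack(
            "!BBH", data[offset:offset + PAYLOAD_HDR_LEN])
        # A length below its own header size or beyond the datagram is the
        # classic malformed-packet case: reject it instead of reading out of bounds.
        if plen < PAYLOAD_HDR_LEN or offset + plen > len(data):
            raise IsakmpError(f"payload length {plen} at offset {offset} is invalid")
        payloads.append({
            "type": PAYLOAD_TYPES.get(ptype, f"UNKNOWN({ptype})"),
            "length": plen,
            "body": data[offset + PAYLOAD_HDR_LEN:offset + plen],
        })
        offset, ptype = offset + plen, next_type
    if offset != len(data):
        raise IsakmpError(f"{len(data) - offset} trailing bytes after the last payload")
    return payloads


def summarize(data: bytes) -> dict:
    """Compact view of a UDP/500 datagram, the kind a monitor or IDS rule keys on."""
    hdr = parse_header(data)
    # With the Encryption flag set, everything after the header is ciphertext,
    # so the payload chain can only be walked on cleartext messages.
    payloads = [] if hdr["encrypted"] else parse_payloads(data, hdr["next_payload"])
    return {
        "exchange": hdr["exchange_type"],
        "phase1_first_message": hdr["responder_cookie"] == bytes(8),
        "encrypted": hdr["encrypted"],
        "payloads": [p["type"] for p in payloads],
    }


def build_sample_datagram() -> bytes:
    """Constructed first message of an Identity Protection (Main Mode) exchange.
    SA body holds only DOI=1 (IPSEC, RFC 2407) and Situation=SIT_IDENTITY_ONLY;
    proposal/transform sub-payloads are omitted here to keep the sample short."""
    sa_body = struct.pack("!II", 1, 1)
    sa = struct.pack("!BBH", 13, 0, PAYLOAD_HDR_LEN + len(sa_body)) + sa_body     # next: VID
    vid_body = b"constructed-vendor-id"                                           # made-up
    vid = struct.pack("!BBH", 0, 0, PAYLOAD_HDR_LEN + len(vid_body)) + vid_body   # next: NONE
    body = sa + vid
    header = struct.pack("!8s8sBBBBII",
                         bytes(range(1, 9)),  # initiator cookie (constructed)
                         bytes(8),            # responder cookie still zero: first message
                         1, 0x10, 2, 0, 0,    # next=SA, v1.0, Identity Protection, no flags, msg id 0
                         HEADER_LEN + len(body))
    return header + body


if __name__ == "__main__":
    print(summarize(build_sample_datagram()))
```

The summary exposes exactly the fields a defender tends to key on: the exchange type, whether the responder cookie is still zero (a fresh phase 1 attempt) and whether the message is already encrypted. The length checks in `parse_header` and `parse_payloads` are what stand between a passive decoder and an out-of-bounds read on a malformed datagram.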

Implementation

The IPsec Services service in Microsoft Windows handles this functionality.

The KAME project implements ISAKMP for BSD and Linux operating systems, and thus also for pfSense. In legacy installations, the name of the application that implements ISAKMP is racoon.

External links

  • RFC 2408 — Internet Security Association and Key Management Protocol
  • RFC 2407 — The Internet IP Security Domain of Interpretation for ISAKMP
The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.