Please Whitelist This Site?
I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :)
If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads.
If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK.
Thanks for your understanding!
Sincerely, Charles Kozierok
Author and Publisher, The TCP/IP Guide
NOTE: Using software to mass-download the site degrades the server and is prohibited.
If you want to read The TCP/IP Guide offline, please consider licensing it. Thank you.
IPSec Key Exchange (IKE)
(Page 2 of 2)
So, IKE doesn't strictly implement
either OAKLEY or SKEME but takes bits of each to form its own method
of using ISAKMP. Clear as mud, I know. Since IKE functions within the
framework of ISAKMP, its operation is based on the ISAKMP phased negotiation
process. There are two phases:
- ISAKMP Phase 1: The first phase is a setup
stage where two devices agree on how to exchange further information
securely. This negotiation between the two units creates a security
association for ISAKMP itself; an ISAKMP SA. This security association
is then used for securely exchanging more detailed information in Phase
- ISAKMP Phase 2: In this phase the ISAKMP
SA established in Phase 1 is used to create SAs for other security protocols.
Normally, this is where the parameters for the real SAs
for the AH and ESP protocols would be negotiated.
An obvious question is why IKE bothers
with this two-phased approach; why not just negotiate the security association
for AH or ESP in the first place? Well, even though the extra phase
adds overhead, multiple Phase 2 negotiations can be conducted after
one Phase 1, which amortizes the extra cost of the two-phase
approach. It is also possible to use a simpler exchange method for Phase
2 once the ISAKMP security association has been established in Phase
The ISAKMP security association negotiated
during Phase 1 includes the negotiation of the following attributes
used for subsequent negotiations:
- An encryption algorithm to be used, such as the
Data Encryption Standard (DES).
- A hash algorithm (MD5 or SHA, as
used by AH or ESP).
- An authentication method, such as authentication
using previously shared keys.
- A Diffie-Hellman group. Diffie and Hellman
were two pioneers in the industry who invented public-key cryptography.
In this method, instead of encrypting and decrypting with the same key,
data is encrypted using a public key knowable to anyone, and decrypted
using a private key that is kept secret. A Diffie-Hellman group defines
the attributes of how to perform this type of cryptography. Four predefined
groups derived from OAKLEY are specified in IKE and provision is allowed
for defining new groups as well.
Note that even though security associations
in general are unidirectional, the ISAKMP SA is established bidirectionally.
Once Phase 1 is complete, then, either device can set up a subsequent
SA for AH or ESP using it.
|If you find The TCP/IP Guide useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider purchasing a download license of The TCP/IP Guide. Thanks for your support!|
Table Of Contents - Contact Us
The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005
© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.