Internet Key Exchange
Internet Key Exchange (IKE) defines how both encryption and authentication keys are negotiated when a security association (SA) is established. IKE is a protocol that automates key exchange in a secure manner. IKE messages are carried in ISAKMP messages. In other words, ISAKMP provides a framework for authentication and key exchange, but it does not define the actual key exchange itself.
ISAKMP can support many different key exchange methodologies. That’s where IKE fits; it defines the method to obtain keys for use with ISAKMP, which is then used to establish and maintain the SA. Some parameters negotiated during the establishment of the SA are listed below.
- The encryption algorithm for ESP
- The authentication algorithm for AH
- The encryption and authentication keys
- The lifetime of the keys
- The lifetime of the SA
In addition to exchanging encryption keys, IKE can also provide identity protection (i.e., endpoint authentication) in a number of ways. There are four mechanisms defined in the IKE standard. The two major approaches are listed below.
- Via another channel, such as talking on the phone, the administrator(s) on both sides of the IPSec connection can agree to a “pre-shared key” and enter it into their VPN software. This pre-shared key is really just a password exchanged to verify the identity of the IPSec peers. Management of these manually configured keys can become problematic in large VPNs.
- Public key certificates can be used as a more manageable alternative to pre-shared keys. Certificates are issued by certificate authorities (e.g., VeriSign or Entrust). The use of digital certificates is much more involved, but adds an additional level of trust to authentication.
Let’s assume two security gateways have exchanged a secret key (either manually or automatically) that will be used to secure the IKE communication between them.
The visual illustrates how IKE uses ISAKMP, and how ISAKMP currently maps into the IP protocol suite via UDP. UDP port 500 has been assigned to ISAKMP by IANA. So, if a firewall or router implementing access lists separates the two security gateways, UDP traffic on port 500 must be allowed to pass through the firewall or router.
ISAKMP provides the structure of the header, and IKE provides the details/contents of the header fields. For example, when using AH and/or ESP, the options are negotiated via ISAKMP.
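As an added illustration of the header structure just described (example code written for this page, not taken from the original text or from any IKE implementation), the following Python decoder unpacks the fixed 28-byte ISAKMP header and walks the chain of generic payload headers that follow it. Field layouts and code points follow RFC 2408; the sample datagram it decodes is constructed in the code, and its vendor ID bytes are made up.

```python
import struct

# Fixed ISAKMP header (RFC 2408 sec. 3.1), 28 bytes: initiator cookie,
# responder cookie, next payload, version (major/minor nibbles),
# exchange type, flags, message ID, total length. Carried over UDP port 500.
HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE = {1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
            4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode"}
PAYLOAD = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
           9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
FLAG_ENCRYPTION = 0x01  # bit 0 of the flags byte: payloads after the header are encrypted

def parse_isakmp(datagram: bytes) -> dict:
    """Decode the ISAKMP header and walk the generic payload headers (RFC 2408 sec. 3.2)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msg_id, length = HEADER.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError(f"header length {length} does not match datagram size {len(datagram)}")
    info = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "version": f"{ver >> 4}.{ver & 0x0F}", "exchange": EXCHANGE.get(xchg, f"unknown({xchg})"),
            "encrypted": bool(flags & FLAG_ENCRYPTION), "message_id": msg_id, "payloads": []}
    offset = HEADER.size
    # The payload chain is only readable while the encryption flag is clear (e.g. start of phase 1).
    while nxt != 0 and not info["encrypted"]:
        if offset + 4 > len(datagram):
            raise ValueError("truncated payload header")
        # Generic payload header: next payload (1), reserved (1), payload length (2, includes header)
        following, _reserved, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > len(datagram):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        info["payloads"].append(PAYLOAD.get(nxt, f"unknown({nxt})"))
        nxt, offset = following, offset + plen
    return info

def build_sample() -> bytes:
    """Constructed (not captured) first Main Mode message: SA payload followed by a Vendor ID payload."""
    sa_body = struct.pack("!II", 1, 1)  # DOI = IPSEC, situation = SIT_IDENTITY_ONLY; proposals omitted
    sa = struct.pack("!BBH", 13, 0, 4 + len(sa_body)) + sa_body      # next payload = VID (13)
    vid_body = b"constructed-vendor-id"                              # made-up vendor ID bytes
    vid = struct.pack("!BBH", 0, 0, 4 + len(vid_body)) + vid_body    # next payload = NONE
    body = sa + vid
    # next payload = SA (1), version 1.0 (0x10), exchange 2 = Identity Protection, flags 0, msg ID 0
    return HEADER.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, HEADER.size + len(body)) + body

if __name__ == "__main__":
    print(parse_isakmp(build_sample()))
```

A responder's phase 1 reply would carry a non-zero responder cookie, and once the encryption flag is set the decoder reports only the header, since the payloads are no longer visible on the wire.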