Internet Security Association and Key Management Protocol


Internet Security Association and Key Management Protocol

ISAKMP (Internet Security Association and Key Management Protocol) is a protocol for establishing Security Associations (SA) and cryptographic keys in an Internet environment. The protocol is defined by RFC 2408.

Overview

ISAKMP defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques, and threat mitigation (e.g. denial of service and replay attacks). ISAKMP typically utilizes IKE for key exchange, although other methods can be implemented. Preliminary SA is formed using this protocol; later a fresh keying is done.

ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations. SAs contain all the information required for execution of various network security services, such as the IP layer services (such as header authentication and payload encapsulation), transport or application layer services, or self-protection of negotiation traffic. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism.

ISAKMP is distinct from key exchange protocols in order to cleanly separate the details of security association management (and key management) from the details of key exchange. There may be many different key exchange protocols, each with different security properties. However, a common framework is required for agreeing to the format of SA attributes, and for negotiating, modifying, and deleting SAs. ISAKMP serves as this common framework.

ISAKMP can be implemented over any transport protocol. All implementations must include send and receive capability for ISAKMP using UDP on port 500. Additionally, UDP port 4500 must also be allowed at the destination if the source interface IP address undergoes network address translation from natural (assigned) IP address to a public IP address for connection to the internet.

Implementation

The IPsec Services Service in Microsoft Windows handles this functionality.

The KAME project implements ISAKMP for BSD and Linux operating systems, and thus also for pfSense. In legacy installations, the name of the application that implements ISAKMP is racoon.

See also

* Oakley protocol
* IPsec
* IKE

External links

* RFC 2408 — "Internet Security Association and Key Management Protocol"
* RFC 2407 — "The Internet IP Security Domain of Interpretation for ISAKMP"


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Internet Security Association and Key Management Protocol — (ISAKMP) es un protocolo criptográfico que constituye la base del protocolo de intercambio de claves IKE. Está definido en el RFC 2408. ISAKMP define los procedimientos para la autenticación entre pares, creación y gestión de asociaciones de… …   Wikipedia Español

  • Internet Security Association and Key Management Protocol — ISAKMP im TCP/IP‑Protokollstapel: Anwendung ISAKMP Transport UDP TCP Internet IP (IPv4, IPv6) Netzzugang Ethernet …   Deutsch Wikipedia

  • Internet Key Exchange Protocol — IPsec im TCP/IP‑Protokollstapel: Anwendung HTTP IMAP SMTP DNS … Transport TCP UDP …   Deutsch Wikipedia

  • Security Association — Eine Security Association (SA, dt. Sicherheitsverbindung) ist eine Vereinbarung zwischen zwei kommunizierenden Einheiten in Rechnernetzen. Sie beschreibt, wie die beiden Parteien Sicherheitsdienste anwenden werden, um sicher miteinander… …   Deutsch Wikipedia

  • Internet security — is a branch of computer security[1] specifically related to the Internet. Its objective is to establish rules and measures to use against attacks over the Internet.[2] The Internet represents an insecure channel for exchanging information leading …   Wikipedia

  • Norton Internet Security — The main, simplified graphical user interface of Norton Internet Security 2012 …   Wikipedia

  • Internet key exchange — (IKE) es un protocolo usado para establecer una Asociación de Seguridad (SA) en el protocolo IPsec. IKE emplea un intercambio secreto de claves de tipo Diffie Hellman para establecer el secreto compartido de la sesión. Se suelen usar sistemas de… …   Wikipedia Español

  • Internet Tunneling Protocol — (ITP) est un protocole (couche 3 du modèle OSI) permettant le transport de données sécurisées sur un réseau IP. Sommaire 1 Description 2 Les services proposés par ITP 3 Établissement de la connexion …   Wikipédia en Français

  • Internet Key Exchange — IPsec im TCP/IP‑Protokollstapel: Anwendung HTTP IMAP SMTP DNS … Transport TCP UDP …   Deutsch Wikipedia

  • Internet Key Exchange Protokoll — IPsec im TCP/IP‑Protokollstapel: Anwendung HTTP IMAP SMTP DNS … Transport TCP UDP …   Deutsch Wikipedia