Introduction to IKE


IKE, or Internet Key Exchange, is the protocol responsible for negotiating the IPsec tunnel characteristics between two IPsec peers. IKE's responsibilities in the IPsec protocol include

• Negotiating protocol parameters

• Exchanging public keys

• Authenticating both sides

• Managing keys after the exchange

IKE solves the problems of manual and unscalable IPsec implementation by automating the entire key-exchange process. This is one of IPsec's critical requirements.

IKE, like IPsec, is also a combination of three different protocols:

• SKEME: Provides a mechanism for using public key encryption for authentication purposes.

• Oakley: Provides a mode-based mechanism for arriving at an encryption key between two IPsec peers.

• ISAKMP: Defines the architecture for message exchange, including packet formats and state transitions between two IPsec peers.

IKE combines these three protocols in one framework to provide IPsec with the facilities just discussed. Figure 13-3 shows these three main components of IKE.


Figure 13-3. Composition of the IKE Protocol

IKE is defined as a standard in RFC 2409. Although IKE does provide a great deal of functionality to the IPsec protocol, some shortcomings in the protocol structure make it difficult to implement in code and scale to new challenges. Work is underway to improve the workings of the IKE protocol and its restandardization in an improved format. This is called the "son-of-IKE" or IKE v2 initiative. See the IETF website for more information on this initiative.

IKE is a two-phase protocol. An IPsec tunnel is set up between two peers through the following sequence of events:

Step 1. Interesting traffic is received or generated by one of the IPsec peers on an interface that has been configured to initiate an IPsec session for this traffic.

Step 2. Main mode or aggressive mode negotiation using IKE results in the creation of an IKE Security Association (SA) between the two IPsec peers.

Step 3. Quick mode negotiation using IKE results in the creation of two IPsec SAs between the two IPsec peers.

Step 4. Data starts passing over an encrypted tunnel using the ESP or AH encapsulation techniques (or both).

Based on Steps 2 and 3, you can see that IKE is a two-phase protocol. Phase 1 is accomplished using main mode or aggressive mode exchanges between the peers, and Phase 2 is accomplished using quick mode exchanges.

This list shows how IKE behaves in a two-phase mechanism:

Step 1. In a Phase 1 exchange, peers negotiate a secure, authenticated channel with which to communicate. Main mode or aggressive mode accomplishes a Phase 1 exchange.

Step 2. In a Phase 2 exchange, security associations are negotiated on behalf of IPsec services. Quick mode accomplishes a Phase 2 exchange.

Main-mode exchange takes place through the exchange of a total of six messages between the two IPsec peers. If aggressive mode is used, only three messages complete Phase 1 of the exchange. Quick-mode exchange is done using an additional three messages exchanged between the two IPsec peers.


Figure 13-4 shows main mode, aggressive mode, and quick mode in IKE.

Figure 13-4. IKE Main Mode, Aggressive Mode, and Quick Mode

Goals of Main Mode (or Aggressive Mode)

The primary goals of main mode (or aggressive mode) are

• Agree on a set of parameters that are to be used to authenticate the two peers and to encrypt a portion of the main mode exchange and all of the quick mode exchange. None of the aggressive mode exchange is encrypted if it is used as the method for negotiation.

• Authenticate the two peers to each other.

• Generate keys that can be used to generate keying material for actual encryption of data as soon as the negotiations have been completed.

All the information negotiated in main mode or aggressive mode, including the keys that are later used to generate the keys to encrypt the data, is stored as what is known as the IKE or ISAKMP security association (SA). Any two IPsec peers have only one ISAKMP security association between them.

Goals of Quick Mode

The primary role of quick mode is to allow the two peers to agree on a set of attributes for creating the IPsec security associations that will be used to encrypt (in the case of ESP) the data between the two hosts. Also, in the case of PFS (Perfect Forward Secrecy, which you'll read about later), quick mode is responsible for redoing the Diffie-Hellman (DH) exchange so that new keying material is available before the IPsec data encryption keys are generated.
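To make the two-phase sequence concrete, here is an added Python model (not from the original article or from any IPsec implementation) of Phase 1 and Phase 2 as described above: it counts the six main-mode, three aggressive-mode and three quick-mode messages, marks which of them travel unencrypted, and derives KEYMAT for the two IPsec SAs along the lines of RFC 2409, with and without the PFS re-run of Diffie-Hellman. The DH group, private values, nonces and SPIs are constructed toy values, and HMAC-SHA256 stands in for the negotiated prf.

```python
import hashlib
import hmac

# Toy Diffie-Hellman group for illustration only (constructed; NOT an IKE MODP group).
P = (1 << 127) - 1   # 2^127 - 1 is prime
G = 2
ESP = b"\x03"        # IPsec DOI protocol id for ESP, mixed into KEYMAT as in RFC 2409

def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated IKE prf; HMAC-SHA256 is an assumption here."""
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_shared(my_priv: int, peer_priv: int) -> bytes:
    """g^xy as one peer computes it: the other's public value raised to my private."""
    return pow(pow(G, peer_priv, P), my_priv, P).to_bytes(16, "big")

def phase1(mode: str, xi: int, xr: int, ni: bytes, nr: bytes) -> dict:
    """Phase 1 builds the single ISAKMP SA. Main mode: 6 messages, last two encrypted.
    Aggressive mode: 3 messages, none encrypted. Trace entries are
    (phase, mode, message number, encrypted?)."""
    if mode == "main":
        trace = [(1, "main", n, n >= 5) for n in range(1, 7)]
    elif mode == "aggressive":
        trace = [(1, "aggressive", n, False) for n in range(1, 4)]
    else:
        raise ValueError(f"unknown Phase 1 mode: {mode}")
    gxy = dh_shared(xi, xr)
    assert gxy == dh_shared(xr, xi)           # both peers arrive at the same g^xy
    skeyid = prf(ni + nr, gxy)                # RFC 2409 signature-authentication form
    skeyid_d = prf(skeyid, gxy + b"\x00")     # ISAKMP cookies omitted for brevity
    return {"skeyid_d": skeyid_d, "trace": trace}

def phase2(sa: dict, ni: bytes, nr: bytes, spis: dict, pfs=None) -> dict:
    """Quick mode builds two IPsec SAs (one per direction) in 3 messages, all protected
    by the ISAKMP SA. With PFS, a fresh DH exchange (pfs = both peers' private values)
    is mixed into KEYMAT, so the IPsec keys no longer depend solely on the Phase 1 secret."""
    trace = [(2, "quick", n, True) for n in range(1, 4)]
    fresh = dh_shared(*pfs) if pfs else b""
    keymat = {d: prf(sa["skeyid_d"], fresh + ESP + spi + ni + nr) for d, spi in spis.items()}
    return {"keymat": keymat, "trace": trace}

def build_tunnel(mode: str, pfs: bool) -> dict:
    """Run the whole sequence with constructed private values, nonces and SPIs."""
    sa = phase1(mode, xi=123456789, xr=987654321, ni=b"ni-constructed", nr=b"nr-constructed")
    spis = {"outbound": b"\x00\x00\x10\x01", "inbound": b"\x00\x00\x10\x02"}
    ipsec = phase2(sa, b"qm-ni", b"qm-nr", spis, pfs=(555555, 777777) if pfs else None)
    trace = sa["trace"] + ipsec["trace"]
    return {"messages": len(trace), "plaintext": sum(1 for m in trace if not m[3]),
            "isakmp_sas": 1, "ipsec_sas": len(ipsec["keymat"]), "keymat": ipsec["keymat"]}
```

Running build_tunnel for both modes shows that the choice of main versus aggressive mode changes how many Phase 1 messages cross the wire in the clear, not the keys derived; enabling PFS is what changes the IPsec keying material.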
