You are on page 1of 26

ISAKMP

● RFC 2408
● Internet Security Association & Key Management Protocol
● Protocol
– Establish, modify, and delete SAs
– Negotiate crypto keys
● Procedures
– Authentication of peers
– Threat mitigation
ISAKMP

● Defines procedures and packet formats to deal with


SAs and keys
● Provides a framework for secure communication on
the Internet
● Does not specify algorithms, formats, or protocols
● ISAKMP is a framework in which a specific secure
communication definition can be implemented
ISAKMP

● Security Associations
● Authentication
● Public Key Cryptography
● Protection
● DoS – Anti-Clogging
● Hijacking a connection
● Man in the middle attacks
ISAKMP
Terminology
● DOI – Domain Of Interpretation: defines payload
formats, exchange types, naming conventions
IISAKMP – Phases

● Phase 1: Two entities agree on how to protect


further negotiation traffic. They negotiate an
ISAKMP SA for an authenticated and secure
channel
● Phase 2:The phase 1 secure channel is used to
negotiate security services for IPSec.
ISAKMP
Header

Initiator Cookie

Responder Cookie

Major Minor
Next Payload Version Version Exchange Type Flags

Message ID

Length
Header Fields
● Initiator Cookie (8 octets) – Cookie of entity that initiated SA
establishment, notification or deletion.

● Responder Cookie (8 octets) – Cookie of the responder

● Next Payload (1 octet) – Type of first payload

● Major/Minor Version (4 bits each) – Version of ISAKMP in use

● Exchange Type (1 octet) – Type of exchange being used

● Flags (1 octet) – More stinking flags, encrypt, commit


authentication only

● Message ID (4 octets) – Unique ID to identify things in Phase 2

● Length (4 octets) – Length of total message (headers + payloads)


Next Payload Types
Next Payload Type Value Next Payload Type Value

NONE 0 Hash 8

SA 1 Signature 9

Proposal 2 Nonce 10

Transform 3 Notification 11

Key Exchange 4 Delete 12

Identification 5 Vendor ID 13

Certificate 6 Reserved 14 – 127

Cert Request 7 Private Use 128 - 255


Exchange Types

Exchange Type Value Exchange Type Value

NONE 0 ISAKMP Future Use 6 - 31

Base 1 DOI Specific Use 32 – 127

Id Protection 2 Private Use 128 - 255

Auth Only 3

Aggressive 4

Informational 5
Generic Payload Header

Next Payload Reserved Payload Length

Payload Data
SA Payload

Next Payload Reserved Payload Length

Domain of Interpretation (DOI)

Situation
~

DOI (4 octets) – Identifies the DOI under which this negotiation is taking place. A
value of 0 (zero) during Phase 1 specifies a Generic ISAKMP SA
which can be used for any protocol during Phase 2.
Situation - A DOI-specific field that identifies the situation under which this
negotiation is taking place.
Proposal Payload

Next Payload Reserved Payload Length

Proposal No. Proposal ID SPI Size No. of Transforms

SPI (variable)
Proposal Payload
Payload Length (2 octets) – Length is octets of the entire Proposal

payload including the generic payload header, the Proposal payload,


and all Transform payloads associated with this proposal.

Proposal No. - Identifies the Proposal number for the current


payload.

●Proposal ID – Specifies the protocol identifier such as IPSEC ESP,


IPSEC AH, OSPF, TLS, etc.

SPI Size – Length in octets of the SPI as defined by the Protocol ID.

No. of Transforms – Specifies the number of transforms for the


proposal.

SPI (variable) – The sending entity's SPI.



Transform Payload

Next Payload Reserved Payload Length

Transform No. Transform ID Reserved2

~ SA Attributes
Transform Payload
●Payload Length (2 octets) – Length is octets of the current payload,
including the generic payload header, Transform values, and all SA
attributes

Transform No. - Identifies the Transform number for the current


payload.

Transform ID – Specifies the Transform identifier fmor the protocol


within the current proposal.

Reserved 2 (2 octets) – Set to zero.


●SA Attributes (Variable length) – SA attributes should be


represented using the Data Attributes format.
Key Exchange Payload

Next Payload Reserved Payload Length

~ Key Exchange Data

Key Exchange Data (variable length) – Data required to generate a session key.
This data is specified by the DOI and the associated Key
Exchange algorithm.
Certificate Payload

Next Payload Reserved Payload Length

Cert Encoding
Key Exchange Data

Cert Encoding (1 octet) – Indicates the type of certificate contained in the


Certificate field.
Certificate Types

Certificate Type Value Certificate Type Value

NONE 0 Kerberos Token 6

PKCS #7 1 Cert Revoc List 7

PGP Certificate 2 Authority Revoc List 8

DNS Signed Key 3 SPKI Cert. 9

X.509 Cert - Signature 4 X.509 Cert – Attribute 10

X.509 Cert – Key Exchange Reserved 11 - 255


5
Other Payloads

Next Payload Reserved Payload Length

~ Hash Data

Next Payload Reserved Payload Length

~ Signature Data

Next Payload Reserved Payload Length

~ Nonce Data
Notification Payload

Next Payload Reserved Payload Length

DOI

Protocol ID SPI Size Notify Message Type

~ SPI

~ Notification Data
Notify Messages

Errors Value Errors Value

INVALID-PAYLOAD-TYPE 1 PAYLOAD-MALFORMED 16
DOI-NOT-SUPPORTED 2 INVALID-KEY-INFORMATION 17
SITUATION-NOT-SUPPORTED 3 INVALID-ID-INFORMATION 18
INVALID-COOKIE 4 INVALID-CERT-ENCODING 19
INVALID-MAJOR-VERSION 5 INVALID-CERTIFICATE 20
INVALID-MINOR-VERSION 6 CERT-TYPE-UNSUPPORTED 21
INVALID-EXCHANGE-TYPE 7 INVALID-CERT-AUTHORITY 22
INVALID-FLAGS 8 INVALID-HASH-INFORMATION 23
INVALID-MESSAGE-ID 9 AUTHENTICATION-FAILED 24
INVALID-PROTOCOL-ID 10 INVALID-SIGNATURE 25
INVALID-SPI 11 ADDRESS-NOTIFICATION 26
INVALID-TRANSFORM-ID 12 NOTIFY-SA-LIFETIME 27
ATTRIBUTES-NOT-SUPPORTED 13 CERTIFICATE-UNAVAILABLE 28
NO-PROPOSAL-CHOSEN 14 UNSUPPORTED-EXCHANGE-TYPE 29
BAD-PROPOSAL-SYNTAX 15 UNEQUAL-PAYLOAD-LENGTHS 30
RESERVED (Future Use) 31 - 8191
Private Use 8192 – 16383
ISAKMP Message Construction
Initiator Cookie

Responder Cookie

Major Minor Exchange Type Flags


NP = KE
Version Version

Message ID

Total Message Length

NP = Nonce Reserved KE Payload Length

Key Exchange Data

NP = 0 Reserved Nonce Payload Length

Nonce Data
Proposal Syntax

Proposal # Proposals with the same Proposal


Transform # number are taken as a logical AND.
Transform # Proposals with different numbers are
Proposal # taken as a logical OR.
Transform #
Different Transform within a proposal
are taken as a logical OR.
Proposal Example

Proposal 1: AH
Transform 1: HMAC-SHA
Transform 2: HMAC-MD5
Proposal 2: ESP
Transform 1: 3DES with HMAC-SHA
Transform 2: 3DES with HMAC-MD5
Transform 3: AES with HMAC-SHA-256
Proposal 3: ESP
Transform 1: 3DES with HMAC-SHA
Proposal 4: PCP
Transform 1: LZS
Exchange Types

Exchange Type Value Exchange Type Value

NONE 0 ISAKMP Future Use 6 - 31

Base 1 DOI Specific Use 32 – 127

Id Protection 2 Private Use 128 - 255

Auth Only 3

Aggressive 4

Informational 5
Base Exchange

Initiator Direction Responder Note

Header, SA, Nonce => Begin ISAKMP-SA


negotiation

<= HDR, SA, Nonce Basic SA agreed


upon

Header, KE, Idii, Auth => Key generated by responder

Initiator Ident verified

<= HDR, KE, Idir, Auth Responder Ident verified

Initiator key generated, SA


est.

You might also like