ISAKMP - PowerPoint PPT Presentation

About This Presentation
Title:

ISAKMP

Description:

ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures – PowerPoint PPT presentation

Number of Views:105
Avg rating:3.0/5.0
Slides: 27
Provided by: Ack70
Learn more at: http://webpages.sou.edu
Category:

less

Transcript and Presenter's Notes

Title: ISAKMP


1
ISAKMP
  • RFC 2408
  • Internet Security Association Key Management
    Protocol
  • Protocol
  • Establish, modify, and delete SAs
  • Negotiate crypto keys
  • Procedures
  • Authentication of peers
  • Threat mitigation

2
ISAKMP
  • Defines procedures and packet formats to deal
    with SAs and keys
  • Provides a framework for secure communication on
    the Internet
  • Does not specify algorithms, formats, or
    protocols
  • ISAKMP is a framework in which a specific secure
    communication definition can be implemented

3
ISAKMP
  • Security Associations
  • Authentication
  • Public Key Cryptography
  • Protection
  • DoS Anti-Clogging
  • Hijacking a connection
  • Man in the middle attacks

4
ISAKMP Terminology
  • DOI Domain Of Interpretation defines payload
    formats, exchange types, naming conventions

5
IISAKMP Phases
  • Phase 1 Two entities agree on how to protect
    further negotiation traffic. They negotiate an
    ISAKMP SA for an authenticated and secure channel
  • Phase 2The phase 1 secure channel is used to
    negotiate security services for IPSec.

6
ISAKMP Header
Initiator Cookie
Responder Cookie
Major Version
Minor Version
Exchange Type
Flags
Next Payload
Message ID
Length
7
Header Fields
  • Initiator Cookie (8 octets) Cookie of entity
    that initiated SA establishment, notification or
    deletion.
  • Responder Cookie (8 octets) Cookie of the
    responder
  • Next Payload (1 octet) Type of first payload
  • Major/Minor Version (4 bits each) Version of
    ISAKMP in use
  • Exchange Type (1 octet) Type of exchange being
    used
  • Flags (1 octet) More stinking flags, encrypt,
    commit authentication only
  • Message ID (4 octets) Unique ID to identify
    things in Phase 2
  • Length (4 octets) Length of total message
    (headers payloads)

8
Next Payload Types
Next Payload Type Value Hash 8 Signature 9 Nonce 1
0 Notification 11 Delete 12 Vendor
ID 13 Reserved 14 127 Private Use 128 - 255
  • Next Payload Type Value
  • NONE 0
  • SA 1
  • Proposal 2
  • Transform 3
  • Key Exchange 4
  • Identification 5
  • Certificate 6
  • Cert Request 7

9
Exchange Types
Exchange Type Value ISAKMP Future Use 6 - 31 DOI
Specific Use 32 127 Private Use 128 - 255
  • Exchange Type Value
  • NONE 0
  • Base 1
  • Id Protection 2
  • Auth Only 3
  • Aggressive 4
  • Informational 5

10
Generic Payload Header
Payload Length
Reserved
Next Payload
Payload Data
11
SA Payload
Payload Length
Reserved
Next Payload
Domain of Interpretation (DOI)

Situation
DOI (4 octets) Identifies the DOI under which
this negotiation is taking place. A value of 0
(zero) during Phase 1 specifies a Generic ISAKMP
SA which can be used for any protocol during
Phase 2. Situation - A DOI-specific field that
identifies the situation under which this
negotiation is taking place.
12
Proposal Payload
Payload Length
Reserved
Next Payload
Proposal No.
Proposal ID
SPI Size
No. of Transforms
SPI (variable)
13
Proposal Payload
  • Payload Length (2 octets) Length is octets of
    the entire Proposal payload including the generic
    payload header, the Proposal payload, and all
    Transform payloads associated with this proposal.
  • Proposal No. - Identifies the Proposal number for
    the current payload.
  • Proposal ID Specifies the protocol identifier
    such as IPSEC ESP, IPSEC AH, OSPF, TLS, etc.
  • SPI Size Length in octets of the SPI as defined
    by the Protocol ID.
  • No. of Transforms Specifies the number of
    transforms for the proposal.
  • SPI (variable) The sending entity's SPI.

14
Transform Payload
Payload Length
Reserved
Next Payload
Transform No.
Transform ID
Reserved2

SA Attributes
15
Transform Payload
  • Payload Length (2 octets) Length is octets of
    the current payload, including the generic
    payload header, Transform values, and all SA
    attributes
  • Transform No. - Identifies the Transform number
    for the current payload.
  • Transform ID Specifies the Transform
    identifier fmor the protocol within the current
    proposal.
  • Reserved 2 (2 octets) Set to zero.
  • SA Attributes (Variable length) SA attributes
    should be represented using the Data Attributes
    format.

16
Key Exchange Payload
Payload Length
Reserved
Next Payload

Key Exchange Data
Key Exchange Data (variable length) Data
required to generate a session key. This data is
specified by the DOI and the associated Key
Exchange algorithm.
17
Certificate Payload
Payload Length
Reserved
Next Payload
Cert Encoding
Key Exchange Data

Cert Encoding (1 octet) Indicates the type of
certificate contained in the Certificate field.
18
Certificate Types
Certificate Type Value Kerberos Token 6 Cert
Revoc List 7 Authority Revoc List 8 SPKI
Cert. 9 X.509 Cert Attribute 10 Reserved 11 -
255
  • Certificate Type Value
  • NONE 0
  • PKCS 7 1
  • PGP Certificate 2
  • DNS Signed Key 3
  • X.509 Cert - Signature 4
  • X.509 Cert Key Exchange 5

19
Other Payloads
Payload Length
Reserved
Next Payload

Hash Data
Payload Length
Reserved
Next Payload

Signature Data
Payload Length
Reserved
Next Payload

Nonce Data
20
Notification Payload
Payload Length
Reserved
Next Payload
DOI
Protocol ID
SPI Size
Notify Message Type

SPI

Notification Data
21
Notify Messages
Errors
Value INVALID-PAYLOAD-TYPE
1 DOI-NOT-SUPPORTED
2
SITUATION-NOT-SUPPORTED 3
INVALID-COOKIE 4
INVALID-MAJOR-VERSION 5
INVALID-MINOR-VERSION 6
INVALID-EXCHANGE-TYPE 7
INVALID-FLAGS 8
INVALID-MESSAGE-ID 9
INVALID-PROTOCOL-ID 10
INVALID-SPI
11 INVALID-TRANSFORM-ID
12 ATTRIBUTES-NOT-SUPPORTED
13 NO-PROPOSAL-CHOSEN
14 BAD-PROPOSAL-SYNTAX
15
Errors
Value PAYLOAD-MALFORMED
16 INVALID-KEY-INFORMATION
17 INVALID-ID-INFORMATION
18 INVALID-CERT-ENCODIN
G 19
INVALID-CERTIFICATE 20
CERT-TYPE-UNSUPPORTED 21
INVALID-CERT-AUTHORITY 22
INVALID-HASH-INFORMATION 23
AUTHENTICATION-FAILED 24
INVALID-SIGNATURE 25
ADDRESS-NOTIFICATION 26
NOTIFY-SA-LIFETIME 27
CERTIFICATE-UNAVAILABLE
28 UNSUPPORTED-EXCHANGE-TYPE
29 UNEQUAL-PAYLOAD-LENGTHS
30 RESERVED (Future Use)
31 - 8191 Private Use
8192 16383
22
ISAKMP Message Construction
Initiator Cookie
Responder Cookie
Major Version
Minor Version
Exchange Type
Flags
NP KE
Message ID
Total Message Length
KE Payload Length
Reserved
NP Nonce
Key Exchange Data
Nonce Payload Length
Reserved
NP 0
Nonce Data
23
Proposal Syntax
Proposal Transform Transform Proposal
Transform
Proposals with the same Proposal number are
taken as a logical AND. Proposals with different
numbers are taken as a logical OR. Different
Transform within a proposal are taken as a
logical OR.
24
Proposal Example
Proposal 1 AH Transform 1 HMAC-SHA Transform
2 HMAC-MD5 Proposal 2 ESP Transform 1 3DES
with HMAC-SHA Transform 2 3DES with
HMAC-MD5 Transform 3 AES with
HMAC-SHA-256 Proposal 3 ESP Transform 1 3DES
with HMAC-SHA Proposal 4 PCP Transform 1 LZS
25
Exchange Types
Exchange Type Value ISAKMP Future Use 6 - 31 DOI
Specific Use 32 127 Private Use 128 - 255
  • Exchange Type Value
  • NONE 0
  • Base 1
  • Id Protection 2
  • Auth Only 3
  • Aggressive 4
  • Informational 5

26
Base Exchange
  • Initiator Direction Responder Note
  • Header, SA, Nonce gt Begin ISAKMP-SA
    negotiation
  • lt HDR, SA, Nonce Basic SA agreed upon
  • Header, KE, Idii, Auth gt Key generated by
    responder
  • Initiator Ident verified
  • lt HDR, KE, Idir, Auth Responder Ident
    verified
  • Initiator key generated, SA est.
Write a Comment
User Comments (0)
About PowerShow.com