13.1. Introduction

The Internet Key Exchange (IKE) protocol is the third leg of IPsec. It handles the difficult problem of key management by negotiating security associations between a set of peers. The IKE protocol specification is RFC 2409 [Harkins and Carrel 1998].

The basic idea behind IKE is straightforward: The peers perform a Diffie-Hellman exchange to obtain a shared secret that they use to generate keying material for the encryption and authentication algorithms used to protect a VPN. As usual, expressing this simple idea in a robust and secure manner is far from trivial. IKE must take steps to protect itself against denial-of-service attacks, replay attacks, man-in-the-middle attacks, and other attempts to subvert the secure exchange of keys. In addition to exchanging keying material, IKE negotiates the encryption, authentication, and other cryptographic primitives that the VPN needs and agrees on the policy that the VPN will use, so the protocol must handle these aspects of SA creation as well.

IKE is often described as a hybrid protocol because it derives from three other key-exchange protocols. IKE uses the first of these, the Internet Security Association and Key Management Protocol (ISAKMP), as a base protocol in much the same way that FTP, say, uses TCP. ISAKMP is a framework that provides mechanisms and message formats for expressing additional protocols that establish security associations and perform key exchange. ISAKMP is independent of any particular key-exchange method; it is a general framework that can support many key-management protocols. ISAKMP is specified in RFC 2408 [Maughan, Schertler, Schneider, and Turner 1998].

The Oakley Key Determination protocol (OAKLEY) describes a series of modes that specify methods for using the Diffie-Hellman algorithm to securely exchange keying material while providing identity verification, authentication, and perfect forward secrecy. IKE's use of various modes comes from the OAKLEY protocol, as do the original four fixed groups defined in RFC 2409 that IKE uses for the Diffie-Hellman exchange. The latter are called OAKLEY groups. The OAKLEY protocol is defined in RFC 2412 [Orman 1998].

The SKEME protocol [Krawczyk 1996] is a versatile key-exchange protocol that provides perfect forward secrecy, key replacement, and the negotiation of cryptographic primitives. SKEME can also provide endpoint anonymity and repudiability. IKE borrows SKEME's method of using public key encryption for authentication and the idea of fast rekeying by exchanging nonces.

In this chapter, we see how IKE combines parts of the OAKLEY and SKEME protocols into the ISAKMP framework to provide a robust key-management service for IPsec. IKE is by far the most complex of the three IPsec protocols, so we take the time to make a careful examination of it. From an operational point of view, our time will be well spent, because almost all cases of an IPsec VPN "being down" involve a failure of IKE to negotiate the required SAs. Indeed, recalling our remarks from Chapter 10 concerning the equivalence between a VPN and its SAs, we could say that a VPN is "up" if and only if its SAs existthat is, if and only if IKE was able to negotiate the SAs.