Internet key exchange
Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication which are either pre-shared or distributed using DNS (preferably with DNSSEC), and a Diffie–Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. In addition, a security policy for every peer which will connect must be manually maintained.

History

IKE was originally defined in November 1998 by the Internet Engineering Task Force (IETF) in a series of publications (Request for Comments) known as RFC 2407, RFC 2408, and RFC 2409.
  • RFC 2407 defined The Internet IP Security Domain of Interpretation for ISAKMP.
  • RFC 2408 defined the Internet Security Association and Key Management Protocol (ISAKMP).
  • RFC 2409 defined The Internet Key Exchange (IKE).


IKE was updated to version two (IKEv2) in December 2005 by RFC 4306. Some open details were clarified in October 2006 by RFC 4718. These two documents plus additional clarifications were combined into the updated IKEv2 RFC 5996 which was published in September 2010.

The parent organization of the IETF, The Internet Society (ISOC), has maintained the copyrights of these standards as being freely available to the Internet community.

Architecture

Most IPsec implementations consist of an IKE daemon that runs in user space and an IPsec stack in the kernel that processes the actual IP packets.

User-space daemons have easy access to mass storage containing configuration information, such as the IPsec endpoint addresses, keys and certificates, as required. Kernel modules, on the other hand, can process packets efficiently and with minimum overhead—which is important for performance reasons.

The IKE protocol uses UDP packets, usually on port 500, and generally requires 4-6 packets with 2-3 turn-around times to create an SA on both sides. The negotiated key material is then given to the IPsec stack. For instance, this could be an AES key, information identifying the IP endpoints and ports that are to be protected, as well as what type of IPsec tunnel has been created. The IPsec stack, in turn, intercepts the relevant IP packets if and where appropriate and performs encryption/decryption as required. Implementations vary on how the interception of the packets is done—for example, some use virtual devices, others take a slice out of the firewall, etc.

IKE Phases

IKE consists of two phases: phase 1 and phase 2.

IKE phase 1's purpose is to establish a secure authenticated communication channel by using the Diffie–Hellman key exchange algorithm to generate a shared secret key to encrypt further IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA). The authentication can be performed using either pre-shared key (shared secret), signatures, or public key encryption. Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers; Aggressive Mode does not.

During IKE phase 2, the IKE peers use the secure channel established in Phase 1 to negotiate Security Associations on behalf of other services like IPsec. The negotiation results in a minimum of two unidirectional security associations (one inbound and one outbound). Phase 2 operates only in Quick Mode.

Problems with IKE

Originally, IKE had numerous configuration options but lacked a general facility for automatic negotiation of a well-known default case that is universally implemented. Consequently, both sides of an IKE had to exactly agree on the type of security association they wanted to create — option by option — or a connection could not be established. Further complications arose from the fact that in many implementations the debug output was difficult to interpret, if there was any debug routine at all.

The IKE specifications were open to a significant degree of interpretation, bordering on design faults (Dead-Peer-Detection being a case in point), giving rise to different IKE implementations not being able to create an agreed-upon security association at all for many combinations of options, however correctly configured they might appear at either end.

Improvements with IKEv2

The need and intent of an overhaul of the IKE protocol was described in Appendix A of RFC 4306. The following issues were addressed:
  • Fewer RFCs: The specifications for IKE were covered in at least three RFCs, more if one takes into account NAT traversal and other extensions that are in common use. IKEv2 combines these in one RFC as well as making improvements to support for NAT traversal and firewall traversal in general.


  • Standard Mobility support: There is a standard extension for IKEv2 (named MOBIKE) used to support mobility and multihoming for it and ESP. By use of this extension IKEv2 and IPsec can be used by mobile and multihomed users.

  • NAT traversal: The encapsulation of IKE and ESP in UDP port 4500 enables these protocols to pass through a device or firewall performing NAT.

  • SCTP support: IKEv2 allows for the SCTP protocol as used in Internet Telephony VoIP.

  • Simple message exchange: IKEv2 has one four-message initial exchange mechanism where IKE provided eight distinctly different initial exchange mechanisms, each one of which had slight advantages and disadvantages.

  • Fewer cryptographic mechanisms: IKEv2 uses cryptographic mechanisms to protect its packets that are very similar to what IPsec Encapsulating Security Payload (ESP) uses to protect the IPsec packets. This led to simpler implementations and certifications for Common Criteria and FIPS 140-2, which require each cryptographic implementation to be separately validated.

  • Reliability and State management: IKEv2 uses sequence numbers and acknowledgments to provide reliability and mandates some error processing logistics and shared state management. IKE could end up in a dead state due to the lack of such reliability measures, where both parties were expecting the other to initiate an action which never eventuated. Workarounds (such as Dead-Peer-Detection) were developed but not standardized. This meant that different implementations of workarounds were not always compatible.

  • Denial of Service (DoS) attack resilience: IKEv2 does not perform much processing until it determines if the requester actually exists. This addressed some of the DoS problems suffered by IKE, which would perform a lot of expensive cryptographic processing for requests from spoofed locations.


This can be explained like this:

Suppose HostA has a Security Parameter Index (SPI) A and HostB has an SPI B.

The scenario is like this:

HostA---------------HostB

If HostB is experiencing a large number of half-open IKE_SA_INIT connections, the responder will send an unencrypted reply to the IKE_SA_INIT message containing a notify message of type COOKIE. The responder will then expect an IKE_SA_INIT request with that cookie value in a notify payload. This is to ensure that the initiator is really capable of handling a response from the responder.

HostA-------------------------------------------------HostB
HDR(A,0),SAi1,KEi,Ni----------------------------->
<----------------------------HDR(A,0),N(COOKIE)
HDR(A,0),N(COOKIE),SAi1,KEi,Ni------------------->
<--------------------------HDR(A,B),SAr1,KEr,Nr
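
The responder side of the cookie exchange above, as an added Python example (not from the original article or from any IKE implementation). It uses the cookie construction suggested in RFC 5996 section 2.6; the class name, the load threshold, SHA-256 as the hash and the documentation-range addresses are assumptions.

```python
import hashlib
import hmac
import ipaddress
import os


class CookieResponder:
    """Responder side of IKE_SA_INIT that stays stateless until a cookie is returned."""

    def __init__(self, threshold=4):          # threshold is an assumed tuning value
        self.threshold = threshold            # half-open SAs tolerated before cookies
        self.half_open = {}                   # SPIi -> SPIr: state we actually pay for
        self.version = 0
        self.secrets = {0: os.urandom(32)}    # version id -> local secret

    def rotate_secret(self):
        """Install a new secret; keep the previous one so in-flight retries pass."""
        old = self.version
        self.version = (old + 1) % 256
        self.secrets = {old: self.secrets[old], self.version: os.urandom(32)}

    def _cookie(self, version, ni, ip, spi_i):
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        ip_bytes = ipaddress.ip_address(ip).packed
        digest = hashlib.sha256(ni + ip_bytes + spi_i + self.secrets[version]).digest()
        return bytes([version]) + digest

    def check_cookie(self, cookie, ni, ip, spi_i):
        """Recompute the cookie from the request itself; nothing was stored for it."""
        if len(cookie) != 33 or cookie[0] not in self.secrets:
            return False
        return hmac.compare_digest(cookie, self._cookie(cookie[0], ni, ip, spi_i))

    def handle_init(self, ip, spi_i, ni, cookie=None):
        """Process HDR(A,0),[N(COOKIE)],SAi1,KEi,Ni and return (reply_type, value)."""
        if len(self.half_open) >= self.threshold:
            if cookie is None or not self.check_cookie(cookie, ni, ip, spi_i):
                # No state stored, no Diffie-Hellman computed: only a cookie goes back.
                return ("N(COOKIE)", self._cookie(self.version, ni, ip, spi_i))
        # Not under load, or the initiator proved it receives replies at this address:
        # only now allocate SPIr (the Diffie-Hellman work would happen here too).
        spi_r = os.urandom(8)
        self.half_open[spi_i] = spi_r
        return ("IKE_SA_INIT", spi_r)


def demo():
    """Constructed scenario: two half-open SAs put the responder under load."""
    r = CookieResponder(threshold=2)
    for n in range(2):                                        # fill the half-open table
        r.handle_init("198.51.100.%d" % n, os.urandom(8), os.urandom(32))
    spi_a, ni = os.urandom(8), os.urandom(32)
    first = r.handle_init("192.0.2.10", spi_a, ni)            # HDR(A,0),SAi1,KEi,Ni
    state_after_first = len(r.half_open)                      # unchanged by the request
    cookie = first[1]
    other = r.handle_init("203.0.113.7", spi_a, ni, cookie)   # cookie bound to another IP
    retry = r.handle_init("192.0.2.10", spi_a, ni, cookie)    # HDR(A,0),N(COOKIE),...
    return first[0], state_after_first, other[0], retry[0], len(r.half_open)


if __name__ == "__main__":
    print(demo())
```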

Protocol extensions

The IETF ipsecme working group has standardized a number of extensions, with the goal
of modernizing the IKEv2 protocol and adapting it better to high volume,
production environments. These extensions include:
  • IKE session resumption: the ability to resume a failed IKE/IPsec "session" after a failure, without the need to go through the entire IKE setup process (RFC 5723).
  • IKE redirect: redirection of incoming IKE requests, allowing for simple load-balancing between multiple IKE endpoints (RFC 5685).
  • IPsec traffic visibility: special tagging of ESP packets that are authenticated but not encrypted, with the goal of making it easier for middleboxes (such as intrusion detection systems) to analyze the flow (RFC 5840).
  • Mutual EAP authentication: support for EAP-only (i.e., certificate-less) authentication of both of the IKE peers; the goal is to allow for modern password-based authentication methods to be used (RFC 5998).
  • Quick crash detection: minimizing the time until an IKE peer detects that its opposite peer has crashed (RFC 6290).
  • High availability extensions: improving IKE/IPsec-level protocol synchronization between a cluster of IPsec endpoints and a peer, to reduce the probability of dropped connections after a failover event (RFC 6311).

Implementations

IKE is supported as part of the IPsec implementation in Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The ISAKMP/IKE implementation was jointly developed by Cisco and Microsoft.

Microsoft Windows 7 and Windows Server 2008 R2 fully support IKEv2 (RFC 4306) as well as MOBIKE (RFC 4555) through the VPN Reconnect feature (also known as Agile VPN).

There are several open source implementations of IPsec with associated IKE capabilities. On Linux, Openswan and strongSwan implementations provide an IKE daemon called pluto, which can configure (i.e., establish SAs) to the KLIPS or NETKEY kernel-based IPsec stacks. NETKEY is the Linux 2.6 kernel's native IPsec implementation.

The Berkeley Software Distributions also have an IPsec implementation and IKE daemon, and most importantly a cryptographic framework (OpenBSD Cryptographic Framework, OCF), which makes supporting cryptographic accelerators much easier. OCF has recently been ported to Linux.

A significant number of network equipment vendors have created their own IKE daemons (and IPsec implementations), or license a stack from one another.

As of May 2006 there are a number of implementations of IKEv2, and some of the companies dealing in IPsec certification and interoperability testing are starting to hold workshops for testing as well as updated certification requirements to deal with IKEv2 testing. ICSA Labs held its latest IKEv2 Interoperability Workshop in Orlando, FL in March 2007 with 13 vendors from around the world.

The following open source implementations of IKEv2 are currently available:
  • OpenIKEv2,
  • strongSwan,
  • Openswan,
  • IKEv2,
  • Racoon and Racoon2 from the KAME project,
  • iked from the OpenBSD project.

See also

  • IPsec
  • Key-agreement protocol
  • Group Domain of Interpretation
  • Kerberized Internet Negotiation of Keys

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 