Using Security Associations
As mentioned earlier, ISAKMP provides a generalized protocol for establishing SAs and managing cryptographic keys within an Internet environment. The procedures and packet formats needed to establish, negotiate, modify, and delete SAs are defi ned within ISAKMP, which also defi nes payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring this data, independent of how the key is generated or what type of encryption or authentication algorithms are being used.
ISAKMP was designed to provide a framework that can be used by any security protocols that use SAs, not just IPsec. To be useful for a particular security protocol, a Domain of Interpretation , or DOI , must be defined. The DOI groups related protocols for the purpose of negotiating security associations-security protocols that share a DOI all choose protocol and cryptographic transforms from a common namespace. They also share key exchange protocol identifiers, as well as a common interpretation of payload data content.
While ISAKMP and the IPsec DOI provide a framework for authentication and key exchange, ISAKMP does not actually define how those functions are to be carried out. The IKE protocol, working within the framework defined by ISAKMP, does define a mechanism for hosts to perform these exchanges.
The sending host knows what kind of security to apply to the packet by looking in a Security Policy Database ( SPD ). The sending host determines what policy is appropriate for the packet, depending on various selectors (for example, destination IP address and/or transport-layer ports), by looking in the SPD. The SPD indicates what the policy is for a particular packet: Either the packet requires IPsec processing of some sort-in which case it is passed to the IPsec module for processing-or it does not-in which case it is simply passed along for normal IP processing.
Outbound packets must be checked against the SPD to see what kind (if any) of IPsec processing to apply. Inbound packets are checked against the SPD to see what kind of IPsec service should be present in those packets.
Another database, called the Security Association Database ( SAD ), includes all security parameters associated with all active SAs. When an IPsec host wants to send a packet, it checks the appropriate selectors to see what the SAD says is the security policy for that destination/port/application. The SPD may reference a particular SA, so the host can look up the SA in the SAD to identify appropriate security parameters for that packet.
In this tutorial:
- IP Security
- IP Security Issues
- Security Goals
- Encryption and Authentication Algorithms
- Symmetric Encryption
- Public Key Encryption
- Key Management
- Secure Hashes
- Digital Signature
- IPSEC: The Protocols
- IP and IPSEC
- Security Associations
- Using Security Associations
- Tunnel and Transport Mode
- Encapsulating Security Payload (ESP)
- Authentication Header
- Calculating the Integrity Check Value (ICV)
- IPsec Headers in Action
- Implementing and Deploying IPSEC