Add to collection(s) Add to saved
  1. Math
  2. Algebra

8.2.5.IPSec-ISAKMP

advertisement 
ISAKMP
●
RFC 2408
●
Internet Security Association & Key Management Protocol
●
Protocol
●
–
Establish, modify, and delete SAs
–
Negotiate crypto keys
Procedures
–
Authentication of peers
–
Threat mitigation
ISAKMP
●
●
●
●
Defines procedures and packet formats to deal with
SAs and keys
Provides a framework for secure communication on
the Internet
Does not specify algorithms, formats, or protocols
ISAKMP is a framework in which a specific secure
communication definition can be implemented
ISAKMP
●
Security Associations
●
Authentication
●
Public Key Cryptography
●
Protection
●
DoS – Anti-Clogging
●
Hijacking a connection
●
Man in the middle attacks
ISAKMP
Terminology
●
DOI – Domain Of Interpretation: defines payload
formats, exchange types, naming conventions
IISAKMP – Phases
●
●
Phase 1: Two entities agree on how to protect
further negotiation traffic. They negotiate an
ISAKMP SA for an authenticated and secure
channel
Phase 2:The phase 1 secure channel is used to
negotiate security services for IPSec.
ISAKMP
Header
Initiator Cookie
Responder Cookie
Next Payload
Major
Version
Minor
Version
Exchange Type
Message ID
Length
Flags
Header Fields
●
Initiator Cookie (8 octets) – Cookie of entity that initiated SA
establishment, notification or deletion.
●
Responder Cookie (8 octets) – Cookie of the responder
●
Next Payload (1 octet) – Type of first payload
●
Major/Minor Version (4 bits each) – Version of ISAKMP in use
●
Exchange Type (1 octet) – Type of exchange being used
●
Flags (1 octet) – More stinking flags, encrypt, commit
authentication only
●
Message ID (4 octets) – Unique ID to identify things in Phase 2
●
Length (4 octets) – Length of total message (headers + payloads)
Next Payload Types
Next Payload Type
Value
Next Payload Type
Value
NONE
0
Hash
8
SA
1
Signature
9
Proposal
2
Nonce
10
Transform
3
Notification
11
Key Exchange
4
Delete
12
Identification
5
Vendor ID
13
Certificate
6
Reserved
14 – 127
Cert Request
7
Private Use
128 - 255
Exchange Types
Exchange Type
Value
Exchange Type
Value
NONE
0
ISAKMP Future Use
6 - 31
Base
1
DOI Specific Use
32 – 127
Id Protection
2
Private Use
128 - 255
Auth Only
3
Aggressive
4
Informational
5
Generic Payload Header
Next Payload
Reserved
Payload Length
Payload Data
SA Payload
Next Payload
Reserved
Payload Length
Domain of Interpretation (DOI)
~
Situation
DOI (4 octets) – Identifies the DOI under which this negotiation is taking place. A
value of 0 (zero) during Phase 1 specifies a Generic ISAKMP SA
which can be used for any protocol during Phase 2.
Situation A DOI-specific field that identifies the situation under which this
negotiation is taking place.
Proposal Payload
Next Payload
Proposal No.
Reserved
Proposal ID
Payload Length
SPI Size
SPI (variable)
No. of Transforms
Proposal Payload
Payload Length (2 octets) – Length is octets of the entire Proposal
payload including the generic payload header, the Proposal payload,
and all Transform payloads associated with this proposal.
●
Proposal No. - Identifies the Proposal number for the current
payload.
●
Proposal ID – Specifies the protocol identifier such as IPSEC ESP,
IPSEC AH, OSPF, TLS, etc.
●
SPI Size – Length in octets of the SPI as defined by the Protocol ID.
●
No. of Transforms – Specifies the number of transforms for the
proposal.
●
SPI (variable) – The sending entity's SPI.
●
Transform Payload
Next Payload
Transform No.
~
Reserved
Payload Length
Transform ID
Reserved2
SA Attributes
Transform Payload
Payload Length (2 octets) – Length is octets of the current payload,
including the generic payload header, Transform values, and all SA
attributes
●
Transform No. - Identifies the Transform number for the current
payload.
●
Transform ID – Specifies the Transform identifier fmor the protocol
within the current proposal.
●
Reserved 2 (2 octets) – Set to zero.
●
SA Attributes (Variable length) – SA attributes should be
represented using the Data Attributes format.
●
Key Exchange Payload
Next Payload
~
Reserved
Payload Length
Key Exchange Data
Key Exchange Data (variable length) – Data required to generate a session key.
This data is specified by the DOI and the associated Key
Exchange algorithm.
Certificate Payload
Next Payload
Reserved
Payload Length
Cert Encoding
Key Exchange Data
~
Cert Encoding (1 octet) – Indicates the type of certificate contained in the
Certificate field.
Certificate Types
Certificate Type
Value
Certificate Type
Value
NONE
0
Kerberos Token
6
PKCS #7
1
Cert Revoc List
7
PGP Certificate
2
Authority Revoc List
8
DNS Signed Key
3
SPKI Cert.
9
X.509 Cert - Signature
4
X.509 Cert – Attribute
10
Reserved
11 - 255
X.509 Cert – Key Exchange
5
Other Payloads
Next Payload
~
Hash Data
Next Payload
Payload Length
Reserved
~
Signature Data
Next Payload
~
Payload Length
Reserved
Payload Length
Reserved
Nonce Data
Notification Payload
Next Payload
Payload Length
Reserved
DOI
Protocol ID
SPI Size
Notify Message Type
~
SPI
~
Notification Data
Notify Messages
Errors
INVALID-PAYLOAD-TYPE
DOI-NOT-SUPPORTED
SITUATION-NOT-SUPPORTED
INVALID-COOKIE
INVALID-MAJOR-VERSION
INVALID-MINOR-VERSION
INVALID-EXCHANGE-TYPE
INVALID-FLAGS
INVALID-MESSAGE-ID
INVALID-PROTOCOL-ID
INVALID-SPI
INVALID-TRANSFORM-ID
ATTRIBUTES-NOT-SUPPORTED
NO-PROPOSAL-CHOSEN
BAD-PROPOSAL-SYNTAX
Value
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Errors
PAYLOAD-MALFORMED
INVALID-KEY-INFORMATION
INVALID-ID-INFORMATION
INVALID-CERT-ENCODING
INVALID-CERTIFICATE
CERT-TYPE-UNSUPPORTED
INVALID-CERT-AUTHORITY
INVALID-HASH-INFORMATION
AUTHENTICATION-FAILED
INVALID-SIGNATURE
ADDRESS-NOTIFICATION
NOTIFY-SA-LIFETIME
CERTIFICATE-UNAVAILABLE
UNSUPPORTED-EXCHANGE-TYPE
UNEQUAL-PAYLOAD-LENGTHS
RESERVED (Future Use)
Private Use
Value
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31 - 8191
8192 – 16383
ISAKMP Message Construction
Initiator Cookie
Responder Cookie
NP = KE
Major
Version
Minor
Version
Exchange Type
Flags
Message ID
Total Message Length
NP = Nonce
KE Payload Length
Reserved
Key Exchange Data
NP = 0
Reserved
Nonce Payload Length
Nonce Data
Proposal Syntax
Proposal #
Transform #
Transform #
Proposal #
Transform #
Proposals with the same Proposal
number are taken as a logical AND.
Proposals with different numbers are
taken as a logical OR.
Different Transform within a proposal
are taken as a logical OR.
Proposal Example
Proposal 1: AH
Transform 1: HMAC-SHA
Transform 2: HMAC-MD5
Proposal 2: ESP
Transform 1: 3DES with HMAC-SHA
Transform 2: 3DES with HMAC-MD5
Transform 3: AES with HMAC-SHA-256
Proposal 3: ESP
Transform 1: 3DES with HMAC-SHA
Proposal 4: PCP
Transform 1: LZS
Exchange Types
Exchange Type
Value
Exchange Type
Value
NONE
0
ISAKMP Future Use
6 - 31
Base
1
DOI Specific Use
32 – 127
Id Protection
2
Private Use
128 - 255
Auth Only
3
Aggressive
4
Informational
5
Base Exchange
Initiator
Direction
Header, SA, Nonce
negotiation
=>
<=
Responder
Note
Begin ISAKMP-SA
HDR, SA, Nonce
Basic SA agreed
upon
Header, KE, Idii, Auth
=>
Key generated by responder
Initiator Ident verified
<=
HDR, KE, Idir, Auth
Responder Ident verified
Initiator key generated, SA
est.
Related documents
Preliminary Design Review - University of North Dakota
Preliminary Design Review - University of North Dakota
CDR Presentation - St. Thomas High School
CDR Presentation - St. Thomas High School
Part 2
Part 2
PDR Presentation Slides ()
PDR Presentation Slides ()
- University of New Hampshire
- University of New Hampshire
spinning_payload_pdr
spinning_payload_pdr
Converged_Technologies_ Improve_Operator_Awareness
Converged_Technologies_ Improve_Operator_Awareness
Presentation
Presentation
Slides
Slides
Download
advertisement