Академический Документы
Профессиональный Документы
Культура Документы
● RFC 2408
● Internet Security Association & Key Management Protocol
● Protocol
– Establish, modify, and delete SAs
– Negotiate crypto keys
● Procedures
– Authentication of peers
– Threat mitigation
ISAKMP
● Security Associations
● Authentication
● Public Key Cryptography
● Protection
● DoS – Anti-Clogging
● Hijacking a connection
● Man in the middle attacks
ISAKMP
Terminology
● DOI – Domain Of Interpretation: defines payload
formats, exchange types, naming conventions
IISAKMP – Phases
Initiator Cookie
Responder Cookie
Major Minor
Next Payload Version Version Exchange Type Flags
Message ID
Length
Header Fields
● Initiator Cookie (8 octets) – Cookie of entity that initiated SA
establishment, notification or deletion.
NONE 0 Hash 8
SA 1 Signature 9
Proposal 2 Nonce 10
Transform 3 Notification 11
Identification 5 Vendor ID 13
Auth Only 3
Aggressive 4
Informational 5
Generic Payload Header
Payload Data
SA Payload
Situation
~
DOI (4 octets) – Identifies the DOI under which this negotiation is taking place. A
value of 0 (zero) during Phase 1 specifies a Generic ISAKMP SA
which can be used for any protocol during Phase 2.
Situation - A DOI-specific field that identifies the situation under which this
negotiation is taking place.
Proposal Payload
SPI (variable)
Proposal Payload
Payload Length (2 octets) – Length is octets of the entire Proposal
●
payload.
SPI Size – Length in octets of the SPI as defined by the Protocol ID.
●
proposal.
~ SA Attributes
Transform Payload
●Payload Length (2 octets) – Length is octets of the current payload,
including the generic payload header, Transform values, and all SA
attributes
payload.
Key Exchange Data (variable length) – Data required to generate a session key.
This data is specified by the DOI and the associated Key
Exchange algorithm.
Certificate Payload
Cert Encoding
Key Exchange Data
~ Hash Data
~ Signature Data
~ Nonce Data
Notification Payload
DOI
~ SPI
~ Notification Data
Notify Messages
INVALID-PAYLOAD-TYPE 1 PAYLOAD-MALFORMED 16
DOI-NOT-SUPPORTED 2 INVALID-KEY-INFORMATION 17
SITUATION-NOT-SUPPORTED 3 INVALID-ID-INFORMATION 18
INVALID-COOKIE 4 INVALID-CERT-ENCODING 19
INVALID-MAJOR-VERSION 5 INVALID-CERTIFICATE 20
INVALID-MINOR-VERSION 6 CERT-TYPE-UNSUPPORTED 21
INVALID-EXCHANGE-TYPE 7 INVALID-CERT-AUTHORITY 22
INVALID-FLAGS 8 INVALID-HASH-INFORMATION 23
INVALID-MESSAGE-ID 9 AUTHENTICATION-FAILED 24
INVALID-PROTOCOL-ID 10 INVALID-SIGNATURE 25
INVALID-SPI 11 ADDRESS-NOTIFICATION 26
INVALID-TRANSFORM-ID 12 NOTIFY-SA-LIFETIME 27
ATTRIBUTES-NOT-SUPPORTED 13 CERTIFICATE-UNAVAILABLE 28
NO-PROPOSAL-CHOSEN 14 UNSUPPORTED-EXCHANGE-TYPE 29
BAD-PROPOSAL-SYNTAX 15 UNEQUAL-PAYLOAD-LENGTHS 30
RESERVED (Future Use) 31 - 8191
Private Use 8192 – 16383
ISAKMP Message Construction
Initiator Cookie
Responder Cookie
Message ID
Nonce Data
Proposal Syntax
Proposal 1: AH
Transform 1: HMAC-SHA
Transform 2: HMAC-MD5
Proposal 2: ESP
Transform 1: 3DES with HMAC-SHA
Transform 2: 3DES with HMAC-MD5
Transform 3: AES with HMAC-SHA-256
Proposal 3: ESP
Transform 1: 3DES with HMAC-SHA
Proposal 4: PCP
Transform 1: LZS
Exchange Types
Auth Only 3
Aggressive 4
Informational 5
Base Exchange