datatracker.ietf.org
Sign in
Version 5.6.4.p1, 2014-10-20
Report a bug

The Internet Key Exchange (IKE)
RFC 2409

Document type: RFC - Proposed Standard (November 1998; No errata)
Obsoleted by RFC 4306
Updated by RFC 4109
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Document shepherd: No shepherd assigned

IESG State: RFC 2409 (Proposed Standard)
Responsible AD: (None)
Send notices to: No addresses provided

Network Working Group                                         D. Harkins
Request for Comments: 2409                                     D. Carrel
Category: Standards Track                                  cisco Systems
                                                           November 1998

                    The Internet Key Exchange (IKE)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

Table Of Contents

   1 Abstract........................................................  2
   2 Discussion......................................................  2
   3 Terms and Definitions...........................................  3
   3.1 Requirements Terminology......................................  3
   3.2 Notation......................................................  3
   3.3 Perfect Forward Secrecty......................................  5
   3.4 Security Association..........................................  5
   4 Introduction....................................................  5
   5 Exchanges.......................................................  8
   5.1 Authentication with Digital Signatures........................ 10
   5.2 Authentication with Public Key Encryption..................... 12
   5.3 A Revised method of Authentication with Public Key Encryption. 13
   5.4 Authentication with a Pre-Shared Key.......................... 16
   5.5 Quick Mode.................................................... 16
   5.6 New Group Mode................................................ 20
   5.7 ISAKMP Informational Exchanges................................ 20
   6 Oakley Groups................................................... 21
   6.1 First Oakley Group............................................ 21
   6.2 Second Oakley Group........................................... 22
   6.3 Third Oakley Group............................................ 22
   6.4 Fourth Oakley Group........................................... 23
   7 Payload Explosion of Complete Exchange.......................... 23
   7.1 Phase 1 with Main Mode........................................ 23
   7.2 Phase 2 with Quick Mode....................................... 25
   8 Perfect Forward Secrecy Example................................. 27
   9 Implementation Hints............................................ 27

Harkins & Carrel            Standards Track                     [Page 1]
RFC 2409                          IKE                      November 1998

   10 Security Considerations........................................ 28
   11 IANA Considerations............................................ 30
   12 Acknowledgments................................................ 31
   13 References..................................................... 31
   Appendix A........................................................ 33
   Appendix B........................................................ 37
   Authors' Addresses................................................ 40
   Authors' Note..................................................... 40
   Full Copyright Statement.......................................... 41

1. Abstract

   ISAKMP ([MSST98]) provides a framework for authentication and key
   exchange but does not define them.  ISAKMP is designed to be key
   exchange independant; that is, it is designed to support many
   different key exchanges.

   Oakley ([Orm96]) describes a series of key exchanges-- called
   "modes"-- and details the services provided by each (e.g. perfect
   forward secrecy for keys, identity protection, and authentication).

   SKEME ([SKEME]) describes a versatile key exchange technique which
   provides anonymity, repudiability, and quick key refreshment.

   This document describes a protocol using part of Oakley and part of
   SKEME in conjunction with ISAKMP to obtain authenticated keying
   material for use with ISAKMP, and for other security associations
   such as AH and ESP for the IETF IPsec DOI.

2. Discussion

   This memo describes a hybrid protocol. The purpose is to negotiate,
   and provide authenticated keying material for, security associations
   in a protected manner.

   Processes which implement this memo can be used for negotiating
   virtual private networks (VPNs) and also for providing a remote user
   from a remote site (whose IP address need not be known beforehand)
   access to a secure host or network.

   Client negotiation is supported.  Client mode is where the

[include full document text]