Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2408

Document Type RFC - Proposed Standard (November 1998; No errata)
Obsoleted by RFC 4306
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2408 (Proposed Standard)
Consensus Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                      D. Maughan
Request for Comments: 2408                   National Security Agency
Category: Standards Track                                M. Schertler
                                                       Securify, Inc.
                                                         M. Schneider
                                             National Security Agency
                                                            J. Turner
                                              RABA Technologies, Inc.
                                                        November 1998

   Internet Security Association and Key Management Protocol (ISAKMP)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

Abstract

   This memo describes a protocol utilizing security concepts necessary
   for establishing Security Associations (SA) and cryptographic keys in
   an Internet environment.  A Security Association protocol that
   negotiates, establishes, modifies and deletes Security Associations
   and their attributes is required for an evolving Internet, where
   there will be numerous security mechanisms and several options for
   each security mechanism.  The key management protocol must be robust
   in order to handle public key generation for the Internet community
   at large and private key requirements for those private networks with
   that requirement.  The Internet Security Association and Key
   Management Protocol (ISAKMP) defines the procedures for
   authenticating a communicating peer, creation and management of
   Security Associations, key generation techniques, and threat
   mitigation (e.g.  denial of service and replay attacks).  All of
   these are necessary to establish and maintain secure communications
   (via IP Security Service or any other security protocol) in an
   Internet environment.

Maughan, et. al.            Standards Track                     [Page 1]
RFC 2408                         ISAKMP                    November 1998

Table of Contents

   1 Introduction                                                     4
     1.1 Requirements Terminology  . . . . . . . . . . . . . . . . .  5
     1.2 The Need for Negotiation  . . . . . . . . . . . . . . . . .  5
     1.3 What can be Negotiated?   . . . . . . . . . . . . . . . . .  6
     1.4 Security Associations and Management  . . . . . . . . . . .  7
       1.4.1 Security Associations and Registration  . . . . . . . .  7
       1.4.2 ISAKMP Requirements   . . . . . . . . . . . . . . . . .  8
     1.5 Authentication  . . . . . . . . . . . . . . . . . . . . . .  8
       1.5.1 Certificate Authorities   . . . . . . . . . . . . . . .  9
       1.5.2 Entity Naming   . . . . . . . . . . . . . . . . . . . .  9
       1.5.3 ISAKMP Requirements   . . . . . . . . . . . . . . . . . 10
     1.6 Public Key Cryptography . . . . . . . . . . . . . . . . . . 10
       1.6.1 Key Exchange Properties   . . . . . . . . . . . . . . . 11
       1.6.2 ISAKMP Requirements   . . . . . . . . . . . . . . . . . 12
     1.7 ISAKMP Protection . . . . . . . . . . . . . . . . . . . . . 12
       1.7.1 Anti-Clogging (Denial of Service)   . . . . . . . . . . 12
       1.7.2 Connection Hijacking  . . . . . . . . . . . . . . . . . 13
       1.7.3 Man-in-the-Middle Attacks   . . . . . . . . . . . . . . 13
     1.8 Multicast Communications  . . . . . . . . . . . . . . . . . 13
   2 Terminology and Concepts                                        14
     2.1 ISAKMP Terminology  . . . . . . . . . . . . . . . . . . . . 14
     2.2 ISAKMP Placement  . . . . . . . . . . . . . . . . . . . . . 16
     2.3 Negotiation Phases  . . . . . . . . . . . . . . . . . . . . 16
     2.4 Identifying Security Associations . . . . . . . . . . . . . 17
     2.5 Miscellaneous . . . . . . . . . . . . . . . . . . . . . . . 20
       2.5.1 Transport Protocol  . . . . . . . . . . . . . . . . . . 20
       2.5.2 RESERVED Fields   . . . . . . . . . . . . . . . . . . . 20
       2.5.3 Anti-Clogging Token ("Cookie") Creation   . . . . . . . 20
   3 ISAKMP Payloads                                                 21
     3.1 ISAKMP Header Format  . . . . . . . . . . . . . . . . . . . 21
     3.2 Generic Payload Header  . . . . . . . . . . . . . . . . . . 25
     3.3 Data Attributes . . . . . . . . . . . . . . . . . . . . . . 25
     3.4 Security Association Payload  . . . . . . . . . . . . . . . 27
Show full document text