Internet key exchange

Internet key exchange

Internet key exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite.


IKE was originally defined in RFC 2407, RFC 2408 and RFC 2409 and is currently defined in RFC 4306 as IKEv2. IKE uses a Diffie-Hellman key exchange to set up a shared session secret, from which cryptographic keys are derived. Public key techniques or, alternatively, a pre-shared key, are used to mutually authenticate the communicating parties.

IKE builds upon the Oakley protocol.


Most IPsec implementations consist of an IKE daemon that runs in user space and an IPsec stack in the kernel that processes the actual IP packets.

User-space daemons have easy access to mass storage containing configuration information, such as the IPsec endpoint addresses, keys and certificates, as required. Kernel modules, on the other hand, can process packets efficiently and with minimum overhead—which is important for performance reasons.

The IKE protocol uses UDP packets, usually on port 500, and generally requires 4-6 packets with 2-3 turn-around times to create an SA on both sides. The negotiated key material is then given to the IPsec stack. For instance, this could be an AES key, information identifying the IP endpoints and ports that are to be protected, as well as what type of IPsec tunnel has been created. The IPsec stack, in turn, intercepts the relevant IP packets if and where appropriate and performs encryption/decryption as required. Implementations vary on how the interception of the packets is done—for example, some use virtual devices, others take a slice out of the firewall, etc.

Interoperability matters

IKE has numerous configuration options, but lacks a general facility for automatic negotiation of a well-known, reasonably safe default case that is universally implemented. Consequently, both sides of an IKE must exactly agree on the type of security association they want to create — option by option — or a connection cannot be established. Further complications arise from the fact that in many implementations, the debug output is difficult for the uninitiated to interpret, if there is any at all.

The IKE specifications are open to a significant degree of interpretation, bordering on design faults (Dead-Peer-Detection being a case in point), giving rise to different IKE implementations not being able to create an agreed-upon security association at all for many combinations of options, however correctly configured they might appear at either end.

Commercial organizations now provide interoperability testing services for IPsec. The core value of such services pertains to IKE testing, because the rest of IPsec is straightforward by comparison. IPsec's interoperability problems are also considered a major reason why SSL-based VPNs are becoming popular.


There are several Open Source implementations of IPsec with associated IKE capabilities. On Linux, Openswan and strongSwan implementations provide an IKE daemon called "pluto", which can configure (i.e., establish SAs) to the KLIPS or NETKEY kernel-based IPsec stacks. NETKEY is the Linux 2.6 kernel's native IPsec implementation.

The Berkeley Software Distributions also have an IPsec implementation and IKE daemon, and most importantly a cryptographic framework (OpenBSD Cryptographic Framework, OCF), which makes supporting cryptographic accelerators much easier. OCF has recently been ported to Linux.

A significant number of network equipment vendors have created their own IKE daemons (and IPsec implementations), or license a stack from one another.


IKE Version 2 has been proposed to address a number of concerns, including protection against denial-of-service attacks using spoofed packets.

See also

* Key-agreement protocol

External links

* RFC 2409: Internet Key Exchange (obsolete)
* RFC 4306: Internet Key Exchange, v2 (obsoletes RFC 2407, 2408, 2409)
* [ An architecture for the Internet Key Exchange Protocol]
* [ Overview of IKE (from Cisco)]

Wikimedia Foundation. 2010.

Игры ⚽ Поможем сделать НИР

Look at other dictionaries:

  • Internet key exchange — (IKE) es un protocolo usado para establecer una Asociación de Seguridad (SA) en el protocolo IPsec. IKE emplea un intercambio secreto de claves de tipo Diffie Hellman para establecer el secreto compartido de la sesión. Se suelen usar sistemas de… …   Wikipedia Español

  • Internet Key Exchange — IPsec im TCP/IP‑Protokollstapel: Anwendung HTTP IMAP SMTP DNS … Transport TCP UDP …   Deutsch Wikipedia

  • Internet Key Exchange — Le Internet Key Exchange (IKE) est un protocole utilisé pour mettre en place les informations de sécurité partagées dans IPsec. Présentation IKE a été définie en premier dans RFC 2407, RFC 2408 et RFC 2409 et est en ce moment défini dans RFC 4306 …   Wikipédia en Français

  • Internet Key Exchange Protocol — IPsec im TCP/IP‑Protokollstapel: Anwendung HTTP IMAP SMTP DNS … Transport TCP UDP …   Deutsch Wikipedia

  • Internet Key Exchange Protokoll — IPsec im TCP/IP‑Protokollstapel: Anwendung HTTP IMAP SMTP DNS … Transport TCP UDP …   Deutsch Wikipedia

  • Internet Key Exchange —    See ISAKMP/Oakley …   Dictionary of networking

  • Key exchange — is any method in cryptography by which cryptographic keys are exchanged between users, allowing use of a cryptographic algorithm. If Alice and Bob wish to exchange encrypted messages, each must be equipped to decrypt received messages and to… …   Wikipedia

  • Diffie–Hellman key exchange — (D–H)[nb 1] is a specific method of exchanging keys. It is one of the earliest practical examples of key exchange implemented within the field of cryptography. The Diffie–Hellman key exchange method allows two parties that have no prior knowledge …   Wikipedia

  • Diffie-Hellman key exchange — (D H) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications… …   Wikipedia

  • Internet security — is a branch of computer security[1] specifically related to the Internet. Its objective is to establish rules and measures to use against attacks over the Internet.[2] The Internet represents an insecure channel for exchanging information leading …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”