IKEv1
IKEv1 provides a framework for the parameter negotiation and key exchange between VPN peers for the correct establishment of an SA. However, the actual processes of key exchange and parameter negotiation are carried out by two protocols used by IKEv1:
Internet Security Association and Key Management Protocol (ISAKMP)
Oakley
ISAKMP takes care of
parameter negotiation between peers (for example, DH groups, lifetimes,
encryption [if required], and authentication). The process of negotiating these
parameters between peers is required for the successful establishment of SAs.
After an SA has been established, ISAKMP defines the procedures followed for
correct maintenance and removal of the SA during connection termination.
Oakley provides the key-exchange function between peers using the DH protocol. DH is an asymmetric (public-key) protocol, meaning each peer uses its own key pair for communications establishment and operation between peers. However, the private keys are never exchanged, providing a much higher level of security than symmetric protocols (DES, 3DES, and so on) that require both peers to use the same keys for operation. After both peers have established their shared communication path, they can proceed to exchange the keys used by the various symmetric protocols for authentication and encryption purposes.
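The negotiate-then-exchange flow described above (ISAKMP picks the parameters, Oakley runs DH in the chosen group), as an added Python example that is not part of the original post. The proposal tuples, the responder policy and the `derive_key` function are simplified assumptions for illustration (RFC 2409's real SKEYID derivation also mixes in the ISAKMP cookies and the PSK or signature material); the group 2 modulus is the 1024-bit MODP prime from RFC 2409 section 6.2, and the example checks that it is a safe prime before using it.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (IKEv1 DH group 2): 1024-bit MODP safe prime, generator 2.
GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
DH_GROUPS = {2: (GROUP2_PRIME, 2)}   # group number -> (prime, generator)


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used here to confirm a DH modulus is a safe prime before use."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """A safe prime p has (p-1)/2 prime too, which rules out small subgroups other than {1, p-1}."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def negotiate(initiator_proposals, responder_policy):
    """ISAKMP-style parameter negotiation: the initiator offers transforms in preference
    order and the responder answers with the first one its policy accepts (or None).
    Proposals are constructed (encryption, hash, authentication, DH group) tuples."""
    for proposal in initiator_proposals:
        if proposal in responder_policy:
            return proposal
    return None


class Peer:
    """One DH participant. The private exponent is generated locally and never leaves the peer;
    only the public value is sent. `private` may be supplied explicitly for deterministic demos."""

    def __init__(self, p, g, private=None):
        self.p, self.g = p, g
        self.private = private if private is not None else secrets.randbelow(p - 3) + 2
        self.public = pow(g, self.private, p)     # this is the value that goes on the wire

    def shared_secret(self, peer_public):
        # Reject 0, 1 and p-1: in a safe-prime group these are the only small-subgroup elements,
        # so accepting them would let a tampered public value force a predictable secret.
        if not 2 <= peer_public <= self.p - 2:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.private, self.p)


def derive_key(shared_secret, nonce_i, nonce_r):
    """Turn g^xy into a symmetric key (simplified stand-in for RFC 2409's SKEYID derivation)."""
    gxy = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, gxy, hashlib.sha256).digest()


def phase1_demo():
    # Constructed proposal lists. The responder policy deliberately omits DES, MD5 and group 1,
    # so an initiator offering only those cannot pull the negotiation down to them.
    offered = [("AES-128", "SHA-1", "PSK", 2), ("DES", "MD5", "PSK", 1)]
    policy = {("AES-128", "SHA-1", "PSK", 2), ("AES-256", "SHA-256", "PSK", 14)}
    chosen = negotiate(offered, policy)
    p, g = DH_GROUPS[chosen[3]]
    if not is_safe_prime(p):
        raise ValueError("DH modulus is not a safe prime")
    initiator, responder = Peer(p, g), Peer(p, g)
    # Each side combines its own private exponent with the other side's public value.
    k_i = initiator.shared_secret(responder.public)
    k_r = responder.shared_secret(initiator.public)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # constructed nonces
    return {"proposal": chosen, "secrets_match": k_i == k_r,
            "key_i": derive_key(k_i, ni, nr), "key_r": derive_key(k_r, ni, nr)}


if __name__ == "__main__":
    result = phase1_demo()
    print("negotiated:", result["proposal"])
    print("shared secrets match:", result["secrets_match"], "key:", result["key_i"].hex())
```

The two peers end up with the same `g^xy` although only `initiator.public` and `responder.public` ever cross the wire, which is the property the text describes; the range check in `shared_secret` and the safe-prime check are the two validations a real implementation should not skip.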