IPsec: IKE (Internet Key Exchange)

Charlie Kaufman, Microsoft Corporation

Introduction

IKE Usage Scenarios

Gateway to Gateway

End Point to Gateway

End Point to End Point

IKE Protocol Handshake

Authentication Keys

Initial Diffie-Hellman Exchange

Negotiation of Cryptographic Algorithms

Identity Hiding

Negotiation of Traffic Selectors

Extensions and Variations

Denial of Service Protection

Extended Authentication Protocol

NAT Traversal

Differences Between IKEv1 and IKEv2

Two Phases

IKEv1 Handshake

Glossary

Cross References

References

Further Reading

INTRODUCTION

The IPsec (Internet Protocol Security) protocol cryptographically protects messages sent over the Internet on a packet-by-packet basis, as opposed to other protocols such as secure sockets layer (SSL) or Secure/Multipurpose Internet Mail Extensions (S/MIME) that encrypt larger messages before breaking them into packets. The major advantage of the IPsec approach is that it can be done transparently to applications. It can be done by the underlying operating system—or even by an external networking device—without making any changes to applications. IPsec is commonly used to tunnel messages between two trusted networks over an untrusted network, where the ultimate sending and receiving machines are not aware of any cryptographic processing.

In order that the IPsec end points be able to protect messages cryptographically, they must agree on which cryptographic algorithms and keys to use. To detect and discard long delayed and ...
