ISAKMP – Learning the Basics

ISAKMP stands for Internet Security Association and Key Management Protocol. It is a protocol documented in RFC 2408 for establishing cryptographic keys and setting up Security Associations (SAs) in an Internet environment.

Overview of the Protocol

ISAKMP describes the procedures for the creation and management of Security Associations, threat mitigation, key generation techniques, and authentication of a communicating peer.

Creation and Management of Security Associations

It defines packet formats and procedures to establish, negotiate, modify, and delete Security Associations (SAs). An SA contains all the information needed to implement a range of network security services, such as protection of the negotiation traffic itself, IP-layer services, and transport- or application-layer services.

Threat Mitigation

ISAKMP defines payloads for exchanging key generation and authentication data. It provides a consistent framework for conveying key and authentication data that is independent of the key generation technique, the encryption algorithm, and the authentication mechanism.

Difference from IKE Protocols

ISAKMP typically uses the Internet Key Exchange (IKE) protocol for key exchange, though other key exchange methods can also be used.

ISAKMP is distinct from key exchange protocols such as IKE: it deliberately separates the details of security association management and key management from the details of the key exchange itself.

The Internet Key Exchange (IKE) protocol establishes a Security Association (SA) in the Internet Protocol Security (IPsec) protocol suite to secure Internet Protocol (IP) communications; IPsec then protects the IP packets of a data stream by authenticating and encrypting them.

There are many key exchange protocols, each with its own set of security properties. A common framework is needed for negotiating, modifying, and deleting Security Associations, and for agreeing on the format of SA attributes. ISAKMP provides this common framework.

Runs over any Transport Protocol

ISAKMP can run over any transport protocol, but every implementation must include the capability to send and receive ISAKMP messages over User Datagram Protocol (UDP) on port 500.

Furthermore, if the source interface's IP address is translated by network address translation (NAT) from its assigned private address to a public IP address, UDP port 4500 (the NAT traversal, or NAT-T, port) must also be permitted at the destination so that the negotiation can complete across the Internet.
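As an added example (not code from the original page or from any ISAKMP implementation), the Python parser below ties together two points made above: the packet formats from the "Creation and Management of Security Associations" section, namely the 28-byte fixed header and the generic payload chain of RFC 2408, and the UDP port 500 / 4500 handling from this section. On UDP 4500, NAT-T (RFC 3948) prefixes an ISAKMP message with a four-byte zero "Non-ESP Marker"; a datagram on 4500 without that marker is UDP-encapsulated ESP, whose SPI is never zero. The sample message, the vendor ID text, and the cut-down SA body are constructed for this example, and the walker validates payload lengths against the datagram but does not descend into SA proposals or transforms.

```python
import struct

# Fixed header (RFC 2408 section 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length = 28 bytes.
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)            # 28
GENERIC_HDR_FMT = "!BBH"                            # next payload, reserved, payload length
GENERIC_HDR_LEN = struct.calcsize(GENERIC_HDR_FMT)  # 4
ISAKMP_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"                # RFC 3948: precedes ISAKMP on UDP 4500

EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",   # P/T = Proposal/Transform
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
FLAG_ENCRYPTION = 0x01                              # payloads after the header are encrypted


class IsakmpError(ValueError):
    """Raised for any datagram that fails the structural checks below."""


def parse_header(data):
    """Decode the fixed header and check its length field against the datagram."""
    if len(data) < HEADER_LEN:
        raise IsakmpError(f"truncated header: {len(data)} bytes")
    (icookie, rcookie, next_payload, version, exch,
     flags, msg_id, length) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if length != len(data):
        raise IsakmpError(f"length field {length} != datagram length {len(data)}")
    return {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "next_payload": next_payload, "version": f"{version >> 4}.{version & 0x0F}",
            "exchange_type": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "flags": flags, "message_id": msg_id, "length": length}


def walk_payloads(data, first_type):
    """Follow the Next Payload chain; every payload must fit inside the datagram."""
    payloads, offset, ptype = [], HEADER_LEN, first_type
    while ptype != 0:                                # 0 = NONE terminates the chain
        if offset + GENERIC_HDR_LEN > len(data):
            raise IsakmpError(f"truncated payload header at offset {offset}")
        nxt, _reserved, plen = struct.unpack(GENERIC_HDR_FMT, data[offset:offset + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN or offset + plen > len(data):
            raise IsakmpError(f"bad payload length {plen} at offset {offset}")
        payloads.append({"type": PAYLOAD_TYPES.get(ptype, f"unknown({ptype})"),
                         "body": data[offset + GENERIC_HDR_LEN:offset + plen]})
        offset, ptype = offset + plen, nxt
    if offset != len(data):
        raise IsakmpError(f"{len(data) - offset} trailing bytes after last payload")
    return payloads


def classify_udp(dst_port, payload):
    """Decide what a datagram to UDP 500 or 4500 carries and strip the NAT-T marker."""
    if dst_port == ISAKMP_PORT:
        return "isakmp", payload
    if dst_port == NATT_PORT:
        if len(payload) < len(NON_ESP_MARKER):
            raise IsakmpError("runt datagram on UDP 4500")
        if payload[:4] == NON_ESP_MARKER:
            return "isakmp-natt", payload[4:]
        return "esp-udp", payload                    # ESP SPI is never zero, so no ambiguity
    return "other", payload


def parse_datagram(dst_port, payload):
    kind, body = classify_udp(dst_port, payload)
    if kind not in ("isakmp", "isakmp-natt"):
        return {"kind": kind}
    hdr = parse_header(body)
    # With the Encryption flag set the payload chain is ciphertext and cannot be walked.
    chain = [] if hdr["flags"] & FLAG_ENCRYPTION else walk_payloads(body, hdr["next_payload"])
    return {"kind": kind, "header": hdr, "payloads": chain}


def validate(dst_port, payload):
    """Triage helper: (True, parsed) for well-formed input, (False, reason) otherwise."""
    try:
        return True, parse_datagram(dst_port, payload)
    except IsakmpError as exc:
        return False, str(exc)


def build_sample_message():
    """Constructed first message of an Identity Protection (Main Mode) exchange: SA then VID.
    The SA body is cut down to DOI and Situation; real messages also carry proposals."""
    vid_body = b"constructed-vendor-id"
    vid = struct.pack(GENERIC_HDR_FMT, 0, 0, GENERIC_HDR_LEN + len(vid_body)) + vid_body
    sa_body = struct.pack("!II", 1, 1)              # DOI = IPSEC (1), SIT_IDENTITY_ONLY (1)
    sa = struct.pack(GENERIC_HDR_FMT, 13, 0, GENERIC_HDR_LEN + len(sa_body)) + sa_body
    body = sa + vid
    header = struct.pack(HEADER_FMT, bytes(range(1, 9)), bytes(8),   # responder cookie still zero
                         1, 0x10, 2, 0, 0, HEADER_LEN + len(body))   # SA next, v1.0, Identity Protection
    return header + body


if __name__ == "__main__":
    msg = build_sample_message()
    print(validate(ISAKMP_PORT, msg))
    print(validate(NATT_PORT, NON_ESP_MARKER + msg))
    print(validate(NATT_PORT, b"\x00\x00\x00\x2a" + bytes(8)))    # looks like UDP-encapsulated ESP
```

The length checks are the part worth copying into any monitoring or firewall logic that inspects this traffic: a length field that disagrees with the datagram, or a payload that runs past the end, is the first sign of a truncated, padded or malformed negotiation and should be logged rather than silently accepted. Note also that once the Encryption flag is set (from the later Phase 1 messages on), only the fixed header is inspectable.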