World Library  
Flag as Inappropriate
Email this Article

Internet Security Association and Key Management Protocol

Article Id: WHEBN0000386623
Reproduction Date:

Title: Internet Security Association and Key Management Protocol  
Author: World Heritage Encyclopedia
Language: English
Subject: IPsec, Group Domain of Interpretation, Internet Key Exchange, Key-agreement protocol, Key management
Collection: Cryptographic Protocols, Ipsec, Key Management
Publisher: World Heritage Encyclopedia

Internet Security Association and Key Management Protocol

ISAKMP (Internet Security Association and Key Management Protocol) is a protocol defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an Internet environment. ISAKMP only provides a framework for authentication and key exchange and is designed to be key exchange independent; protocols such as Internet Key Exchange and Kerberized Internet Negotiation of Keys provide authenticated keying material for use with ISAKMP. For example: IKE describes a protocol using part of Oakley and part of SKEME in conjunction with ISAKMP to obtain authenticated keying material for use with ISAKMP, and for other security associations such as AH and ESP for the IETF IPsec DOI[1]


  • Overview 1
  • Implementation 2
  • Vulnerabilities 3
  • See also 4
  • References 5
  • External links 6


ISAKMP defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques and threat mitigation (e.g. denial of service and replay attacks). As a framework,[1] ISAKMP is typically utilized by IKE for key exchange, although other methods have been implemented such as Kerberized Internet Negotiation of Keys. A Preliminary SA is formed using this protocol; later a fresh keying is done.

ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations. SAs contain all the information required for execution of various network security services, such as the IP layer services (such as header authentication and payload encapsulation), transport or application layer services or self-protection of negotiation traffic. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism.

ISAKMP is distinct from key exchange protocols in order to cleanly separate the details of security association management (and key management) from the details of key exchange. There may be many different key exchange protocols, each with different security properties. However, a common framework is required for agreeing to the format of SA attributes and for negotiating, modifying and deleting SAs. ISAKMP serves as this common framework.

ISAKMP can be implemented over any transport protocol. All implementations must include send and receive capability for ISAKMP using UDP on port 500.


OpenBSD first implemented ISAKMP in 1998 via its isakmpd(8) software.

The IPsec Services Service in Microsoft Windows handles this functionality.

The KAME project implements ISAKMP for Linux and most other open source BSDs, and thus also for pfSense. In legacy installations, the name of the application that implements ISAKMP is racoon.

Modern Cisco routers implement ISAKMP for VPN negotiation.


Leaked NSA presentations released by 'Der Spiegel' indicate that ISAKMP is being exploited in an unknown manner to decrypt IPSec traffic, as is IKE.[2]

See also


  1. ^ a b The Internet Key Exchange (IKE), RFC 2409, §1 Abstract
  2. ^ Fielded Capability: End-to-end VPN SPIN9 Design Review (PDF), NSA via 'Der Spiegel', p. 5 

External links

  • RFC 2408 — Internet Security Association and Key Management Protocol
  • RFC 2407 — The Internet IP Security Domain of Interpretation for ISAKMP
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.