RFC 2409 (rfc2409) - Page 2 of 41


The Internet Key Exchange (IKE)






RFC 2409                          IKE                      November 1998


   10 Security Considerations........................................ 28
   11 IANA Considerations............................................ 30
   12 Acknowledgments................................................ 31
   13 References..................................................... 31
   Appendix A........................................................ 33
   Appendix B........................................................ 37
   Authors' Addresses................................................ 40
   Authors' Note..................................................... 40
   Full Copyright Statement.......................................... 41

1. Abstract

   ISAKMP ([MSST98]) provides a framework for authentication and key
   exchange but does not define them.  ISAKMP is designed to be key
   exchange independent; that is, it is designed to support many
   different key exchanges.

   Oakley ([Orm96]) describes a series of key exchanges-- called
   "modes"-- and details the services provided by each (e.g. perfect
   forward secrecy for keys, identity protection, and authentication).

   SKEME ([SKEME]) describes a versatile key exchange technique which
   provides anonymity, repudiability, and quick key refreshment.

   This document describes a protocol using part of Oakley and part of
   SKEME in conjunction with ISAKMP to obtain authenticated keying
   material for use with ISAKMP, and for other security associations
   such as AH and ESP for the IETF IPsec DOI.

2. Discussion

   This memo describes a hybrid protocol. The purpose is to negotiate,
   and provide authenticated keying material for, security associations
   in a protected manner.

   Processes which implement this memo can be used for negotiating
   virtual private networks (VPNs) and also for providing a remote user
   from a remote site (whose IP address need not be known beforehand)
   access to a secure host or network.

   Client negotiation is supported.  Client mode is where the
   negotiating parties are not the endpoints for which security
   association negotiation is taking place.  When used in client mode,
   the identities of the end parties remain hidden.







Harkins & Carrel            Standards Track