System Administration Guide: IP Services

IKE Overview

The Internet Key Exchange (IKE) daemon, in.iked(1M), negotiates and authenticates keying material for security associations in a protected manner. The daemon uses random seeds for keys from internal functions provided by the SunOSTM. IKE provides Perfect Forward Secrecy (PFS), that is, the keys that protect data transmission are not used to derive additional keys, and seeds used to create data transmission keys are not reused.

When the IKE daemon discovers a remote host's public encryption key, the local system can then encrypt messages destined for the remote host whose public key it has discovered. The IKE daemon performs its job in two phases called exchanges.

Phase 1 Exchange

The Phase 1 exchange is known as Main Mode. In the Phase 1 exchange, IKE uses public-key encryption methods to authenticate itself with peer IKE entities. The result is an ISAKMP (Internet Security Association and Key Management Protocol) Security Association, which is a secure channel for IKE to negotiate keying material for the IP datagrams. Unlike IPsec SAs, the ISAKMP security associations are bidirectional, so only one is needed.

How IKE negotiates keying material in the Phase 1 exchange is configurable. IKE reads the configuration information from the /etc/inet/ike/config file. Configuration information includes the interfaces that are affected, the algorithms that are used, the authentication method, and if PFS is used. The two authentication methods are pre-shared keys and public key certificates The public key certificates can be self–signed, or they can be issued by a Certificate Authority (CA) from a PKI (Public Key Infrastructure) vendor. Vendors include iPlanetTM Certificate Management System, Entrust, and Verisign.

Phase 2 Exchange

The Phase 2 exchange is known as Quick Mode. In the Phase 2 exchange, IKE creates and manages the IPsec SAs between hosts running the IKE daemon. IKE uses the secure channel that was created in Phase 1 to protect the transmission of keying material. The IKE daemon creates the keys from a random number generator (/dev/random), refreshes them at a configurable rate, and provides the keying material to algorithms specified in the IPsec policy configuration file.