Securing the Network in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

IKE Concepts and Terminology

    The following concepts and terms are common to both versions of IKE. They might be implemented differently in the two versions.

  • Key negotiation and exchange – The exchange of keying material and the authentication of the peer's identity in a secure manner. The process uses asymmetric cryptographic algorithms. The two main methods are the RSA and the Diffie-Hellman protocols.

    IKE creates and manages the IPsec SAs between systems that are running an IKE daemon. IKE negotiates a secure channel that protects the transmission of keying material. The daemon creates the keys from a random number generator by using the /dev/random device. The daemon changes the keys at a configurable rate. The keying material is available to algorithms that are specified in the configuration file for IPsec policy, ipsecinit.conf.

  • Diffie-Hellman (DH) algorithm – A key exchange algorithm that allows two systems to securely generate a shared secret over an insecure channel.

  • RSA algorithm – An asymmetric key algorithm that is used to authenticate the identity of peer systems, typically by proving ownership of an X.509 certificate. The algorithm is named for its three creators: Rivest, Shamir, and Adleman.

    Alternatively, DSA or ECDSA algorithms may be used for this purpose.

  • Perfect forward secrecy (PFS) – In PFS, the key that is used to protect transmission of data is not used to derive additional keys. Also, the source of the key that is used to protect data transmission is never used to derive additional keys. Therefore, PFS can prevent the decryption of previously recorded traffic.

  • Oakley group – Used to negotiate PFS. See Section 6 of the The Internet Key Exchange (IKE) RFC.

  • IKE policy – The set of IKE rules which define the acceptable parameters that an IKE daemon uses when attempting to set up a secure key exchange channel with a peer system. This is called an IKE SA in IKEv2 or Phase 1 in IKEv1.

    The parameters include algorithms, key sizes, Oakley groups, and authentication method. The Oracle Solaris IKE daemons support preshared keys and certificates as authentication methods.