USENIX Technical Program - Abstract - USENIX Annual Conference, Freenix Session

USENIX Technical Program - Abstract - USENIX Annual Conference, Freenix Session - June 2000

Implementing Internet Key Exchange (IKE)

Niklas Hallqvist, Applitron Datasystem AB; Angelos D. Keromytis, University of Pennsylvania

Abstract

A key component of the IP Security architecture is the Internet Key Exchange protocol. IKE is invoked to establish session keys (and associated cryptographic and networking configuration) between two hosts across the network. IKE needs to authenticate and authorize the parties involved in an exchange, negotiate parameters to be used for the communication, and interact with the local IPsec stack. The number of tasks, along with the flexibility built into the protocol, as well as the need to allow future additions and modifications to the protocol, need to be taken into consideration when designing and implementing IKE.

Another complicating factor is the need for security policy management. Although IKE can establish security associations with remote hosts, some method for determining what kinds of traffic can and should be exchanged with a remote host is necessary. As there is no standard specification yet, we are using a trust-management based approach using the KeyNote system as a basis for specifying policy.

This paper discusses the design, architecture, and implementation details of the OpenBSD IKE daemon, with separate mention of the security policy mechanism.

View the full text of this paper in HTML form, PDF form, and PostScript form.
If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
To become a USENIX Member, please see our Membership Information.
Current USENIX Members may change their password.

Need help? Use our Contacts page.

Last changed: 6 Feb 2002 ml

Technical Program

Conference index

USENIX home