CSC 774 -- Network Security - Dr. Peng Ning

More documents

Recommendations

Info

ISAKMP Phases • Phase 1 – Establish ISAKMP SA to protect further ISAKMP exchanges – Or use pre-established ISAKMP SA – ISAKMP SA identified by initiator cookie and responder cookie • Phase 2 – Negotiate security services in SA for target security protocol or application. Computer Science Dr. Peng Ning CSC 774 Network Security 31 ISAKMP • Disadvantage – Additional overhead due to 2 phases • Advantages – Same ISAKMP SA can be used to negotiate phase 2 for multiple protocols – ISAKMP SA can be used to facilitate maintenance of SAs. – ISAKMP SA can simplify phase 2. Computer Science Dr. Peng Ning CSC 774 Network Security 32
ISAKMP Domain Of Interpretation (DOI) • DOI defines – Payload format – Exchange types – Naming conventions for security policies, cryptographic algorithms • DOI for IPsec has been defined. Computer Science Dr. Peng Ning CSC 774 Network Security 33 ISAKMP Exchange Types • 0 none • 1 base • 2 identity protection • 3 authentication only • 4 aggressive • 5 informational • 6-31 reserved • 32-239 DOI specific use • 240-255 private use Computer Science Dr. Peng Ning CSC 774 Network Security 34
Page 1 and 2: Computer Science CSC 774 -- Network
Page 3 and 4: Security Principles (Cont’d) •
Page 5 and 6: Tunnel Mode Encrypted Tunnel Gatewa
Page 7 and 8: Automatic Key Management • Key di
Page 9 and 10: SKIP (Cont’d) • Limitations - N
Page 11 and 12: Resource Clogging Attack (Cont’d)
Page 13 and 14: Oakley Groups • 0 no group (place
Page 15: ISAKMP Message • Fixed format hea
Page 19 and 20: ISAKKMP Payload Types • 8 H hash
Page 21 and 22: ISAKMP Exchanges (Cont’d) Authent

CSC 774 -- Network Security - Dr. Peng Ning

Create successful ePaper yourself

Delete template?

Save as template?