
Internet Key Exchange

The management of keying material for IPsec security associations (SAs) is called key management. Automatic key management requires a secure channel of communication for the creation, authentication, and exchange of keys. Oracle Solaris uses Internet Key Exchange (IKE) to automate key management. IKE eliminates administrative overhead and the security risk of manually distributing secret keys. IKE can take advantage of available hardware cryptographic acceleration and key storage. Hardware cryptographic accelerators permit CPU-intensive key operations to be handled off the system. Key storage on hardware provides an additional layer of protection. Oracle Solaris supports two versions of the IKE protocol:
  1. IKE Version 2 (IKEv2), which is based on Internet Key Exchange Protocol Version 2 (IKEv2), RFC 5996
  2. IKE Version 1 (IKEv1), which is based on The Internet Key Exchange (IKE), RFC 2409
On a FIPS 140-2 enabled system, you should configure IKEv2 with FIPS 140-2 approved algorithms only.

Data is passed from the higher protocol layers down to the network layer.

Phase 1 of IKE takes place, in which the ISAKMP SA is established. The computers agree on a common encryption algorithm, using either DES or triple DES.

Phase 2 of IKE proceeds, in which the IPsec SA is established. After a secure channel has been established by the creation of the ISAKMP SA, the IPsec SAs are negotiated over it. The process is similar, except that a separate IPsec SA is created for each protocol (AH or ESP).

After phase 2 of IKE is complete, all data moves between the computers within the secure context of the IPsec SAs.
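The two-phase exchange described above, modelled end to end as an added example (not code from this page or from Oracle Solaris): Phase 1 runs a Diffie-Hellman exchange to produce the ISAKMP SA secret, and Phase 2 derives a separate key for each IPsec SA (AH or ESP, identified by its SPI) from that secret, so that both peers end up with identical per-SA keys. The `Peer` class, `run_ike`, the use of HMAC-SHA256 as the PRF, and the simplified key derivation (RFC 5996 section 2.14 without prf+ or peer authentication) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# RFC 2409 group 2 (1024-bit MODP) prime and generator; real deployments
# use larger groups, but the exchange below works the same way.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key, data):
    # Pseudo-random function (assumed here: HMAC-SHA256, a FIPS-approved choice)
    return hmac.new(key, data, hashlib.sha256).digest()

class Peer:
    """One IKE endpoint (hypothetical class). Phase 1 yields the ISAKMP SA
    secret; Phase 2 derives a separate key for each IPsec SA from it."""
    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 2     # private Diffie-Hellman exponent
        self.nonce = secrets.token_bytes(16)
        self.skeyseed = self.ni = self.nr = None

    def phase1_msg(self):
        # Phase 1 message: public DH value and nonce (peer authentication omitted)
        return pow(G, self.x, P), self.nonce

    def phase1_complete(self, peer_pub, peer_nonce, initiator):
        # Shared secret g^xy; SKEYSEED = prf(Ni | Nr, g^xy) as in RFC 5996 sec. 2.14
        gxy = pow(peer_pub, self.x, P).to_bytes(128, "big")
        self.ni, self.nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        self.skeyseed = prf(self.ni + self.nr, gxy)

    def phase2_key(self, protocol, spi):
        # Phase 2: keying material bound to one IPsec SA, selected by (protocol, SPI)
        return prf(self.skeyseed, protocol.encode() + spi.to_bytes(4, "big") + self.ni + self.nr)

def run_ike(sas):
    """Run both phases between two peers; returns each side's per-SA keys and
    whether their ISAKMP SA secrets agree, so the result can be checked."""
    init, resp = Peer(), Peer()
    pub_i, n_i = init.phase1_msg()            # Phase 1, initiator -> responder
    pub_r, n_r = resp.phase1_msg()            # Phase 1, responder -> initiator
    init.phase1_complete(pub_r, n_r, True)
    resp.phase1_complete(pub_i, n_i, False)
    keys_i = {sa: init.phase2_key(*sa) for sa in sas}   # one key per AH/ESP SA
    keys_r = {sa: resp.phase2_key(*sa) for sa in sas}
    return keys_i, keys_r, init.skeyseed == resp.skeyseed
```

Calling `run_ike([("ESP", 0x1001), ("AH", 0x1002)])` shows both peers agreeing on the ISAKMP SA secret and then on a distinct key for each IPsec SA.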