IP Key Management
What is key management and what is the group's charter for key
management?
- A protocol and cryptographic technique
- Application layer protocol for IPSP
- Independent of IPSP
- Initially supporting public key techniques
- Later adding Key Distribution Center (e.g., Kerbos) and/or
manual
Requirements of IKMP
The basic functions of the IKMP are to:
- create,
- manage, and
- remove security associations
used by the IP Security Protocol (IPSP) or other similar security
protocols.
A security association consists of:
- the key(s) used for that association as well as
- attributes guiding the operation of the associated protocol.
In particular, the IKMP is expected to handle negotiation of:
- cryptographic algorithms,
- protocol format, and
- protocol options (e.g., security labels, integrity checks).
IKMP Functional Requirements
Functional requirements for IKMP include:
- Security Association ID (SAID) assignment (or Security
Association-Creation)
- Key generation/distribution
- Attribute Negotiation
- Terminate/Delete Association
- Security Association Maintenance
- Peer Discovery and Authentication
- Recovery
- Protocol Profile
- Multiparty Associations Key Management
Preliminary Experimental Implementations of IKMP
- Implementation by Phil Karn
- Diffe-Hellman Key Exchange
- Designed to limit denial of service
Other Key Management Work
Existing work we might be able to take advantage of:
- SDNS KMP - Missing some things like algorithms
- IEEE 802.10C - Draft form, based on GULS
- ISO GULS - Generic envelopes, very complex, no specific
algorithms or option negotiation
- PEM - Not real-time, but does address certificates
- PGP
- X.509 - IPSEC will likely use X.509 certificate formats
- X9.17 - Private keys, now working on public keys
- SAMP - 2nd generation SDNS KMP, may be posted to net soon
- SAEP - Embedded in NLSP, network layer protocol
- Kerberos - Private keys centrally managed
- CATS-GSSAPI - IPSP KMP might be able to use their interface to
pass information to IPSP; also an outstanding question of whether
IPSP will meet their needs from a user perspective
IKMP Issues
- Device name and address implications for directories and
certificates
- Can a SA change, or is a change accomplished by terminating an
old SA and establishing a new one??
- Shared keys - used for multicast or (possibly) multiple IPSP
routers serving a site
- Relationship to other IETF Key Management related activities!