
Re: How to skip phase 1?



Patrik,

> Dear sir,
> In your internet-draft ISAKMP, chapter 1.4.2 you write:
> "If a basic set of security attributes is already in place
> between the negotiating server entities, the initial ISAKMP
> exchange may be skipped and the establishment of a security 
> association can be done directly".
>
> I can't find any descriptions how this is supposed to be
> done however. As this is something we would like to be able
> to do (we will distribute some basic attributes as part of the
> configuration of our Security Gateways) we would like to
> get some hints on how "the initial ISAKMP exchange may be skipped".

You have answered your own question. If there is no SA between ISAKMP
daemons, then an ISAKMP Phase 1 exchange must be done in order to
negotiate a Phase 2 SA. If you don't want to do the Phase 1 exchange,
the alternative is to distribute the basic attributes separately, read
manually placed SA attributes and keys.

> One idea is to create complete SA entries together with cookies
> in the Management utility. This seems to increase the workload of
> the Management utility quite a bit.

I'm not familiar with your Security Gateway product, but it sounds like
the Management Utility would be the place to perform the manual
insertion of SA attributes.

> Another idea is to add a new exchange that can use some of
> the existing SA-attributes to establish a complete SA. We would
> like to have no plaintext communication in between the SGs at any
> time (including ISAKMP negotiation).

Once you have an existing SA (manually placed), you can use ISAKMP to
negotiate additional SAs and none of the communication will be
plaintext. It will be protected by the security mechanisms defined by
the manually placed SA.

> 
> ----------------------------------------------------------
> Patrik Sjögren                   Tel : +46 13 235606
> SECTRA AB                        Fax : +46 13 212185
> Teknikringen 2                   mailto:ps@sectra.se
> 583 30 Linkoping, Sweden         url:http://www.sectra.se/
> ---------------------------------------------------------

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Douglas Maughan                Voice:  (301) 688-0847           *
* Technical Director, R23        Fax:    (301) 688-0255           *
* National Security Agency       E-mail: wdmaugh@tycho.ncsc.mil   *
* 9800 Savage Road                       maughan@cs.umbc.edu      *
* Fort Meade, MD. 20755-6000                                      *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
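The reply above makes two points: a Phase 1 exchange is required only when the ISAKMP daemons share no SA yet, and an SA placed manually (attributes and keys distributed out of band by the management utility) can protect the negotiation of further SAs so nothing travels in plaintext. The following Python sketch, added here as an illustration and not code from the draft, the thread or any product mentioned in it, models that decision: a small SA database into which manually keyed SAs are installed with basic sanity checks, a "skip Phase 1?" test that only succeeds when a valid, unexpired SA for the peer exists, and integrity protection of subsequent messages under that SA's key. The message layout (SPI || payload || HMAC-SHA256) and all names, SPIs, keys and lifetimes are constructed stand-ins, not ISAKMP's real payload format.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

MAC_LEN = 32  # HMAC-SHA256 output length in bytes


@dataclass
class SecurityAssociation:
    """Minimal SA record: the 'basic set of security attributes' that the
    management utility would distribute out of band (constructed fields)."""
    peer: str            # identifier of the remote gateway
    spi: int             # security parameter index selecting this SA
    integrity_key: bytes # key used to authenticate protected messages
    expires_at: float    # absolute lifetime, seconds since epoch
    manual: bool = True  # True when placed by configuration, not negotiated


class SADB:
    """Security association database, keyed by peer name."""

    def __init__(self) -> None:
        self._by_peer: Dict[str, SecurityAssociation] = {}

    def install_manual(self, sa: SecurityAssociation) -> None:
        # Reject obviously unusable manual entries before they are trusted.
        if sa.spi == 0:
            raise ValueError("SPI 0 is reserved")
        if len(sa.integrity_key) < 16:
            raise ValueError("integrity key too short")
        self._by_peer[sa.peer] = sa

    def lookup(self, peer: str, now: float) -> Optional[SecurityAssociation]:
        """Return the SA for peer if one exists and has not expired."""
        sa = self._by_peer.get(peer)
        if sa is None or now >= sa.expires_at:
            return None
        return sa


def needs_phase1(sadb: SADB, peer: str, now: float) -> bool:
    """Phase 1 can be skipped only when a live SA with the peer is in place."""
    return sadb.lookup(peer, now) is None


def protect(sa: SecurityAssociation, payload: bytes) -> bytes:
    """Wrap a Phase 2 message under the given SA: SPI || payload || MAC."""
    header = sa.spi.to_bytes(4, "big")
    mac = hmac.new(sa.integrity_key, header + payload, hashlib.sha256).digest()
    return header + payload + mac


def verify(sadb: SADB, peer: str, message: bytes, now: float) -> Optional[bytes]:
    """Unwrap a protected message from peer; None if no SA or MAC mismatch."""
    sa = sadb.lookup(peer, now)
    if sa is None or len(message) < 4 + MAC_LEN:
        return None
    header, payload, mac = message[:4], message[4:-MAC_LEN], message[-MAC_LEN:]
    if int.from_bytes(header, "big") != sa.spi:
        return None
    expected = hmac.new(sa.integrity_key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


if __name__ == "__main__":
    # Constructed scenario: gateway A has a manually placed SA with gateway B.
    sadb = SADB()
    now = 1_000_000.0
    sadb.install_manual(SecurityAssociation("gw-b", 0x1001, b"k" * 32, now + 3600))
    print("Phase 1 needed for gw-b:", needs_phase1(sadb, "gw-b", now))
    wrapped = protect(sadb.lookup("gw-b", now), b"phase-2 proposal")
    print("Verified payload:", verify(sadb, "gw-b", wrapped, now))
```

The point of the `lookup` lifetime check is the caveat a deployment would hit first: a manual SA that has expired is no different from no SA at all, so the daemon must fall back to a full Phase 1 rather than silently sending unprotected traffic.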