ISAKMP, IKE, DH Key Exchange Relationship

superman859

I was wondering if anyone could help me grasp the overall concept of these protocols, as it's a bit difficult to wrap my head around. From what I understand, they seem to "work together", but my poor understanding just leads me to feel like they are redundant - when reading about them they all sound like the same thing....to me, it seems like the work is done in DH key exchange, so what is actually provided by the others? Does DH not provide two unknown parties with a common, secure symmetric key which can be used to encrypt all data with? What more is there to it?

Stuff I read says ISAKMP is a "framework" that allows different protocols to be used on it (such as IKE), but what exactly does this mean? Sure, we can swap out the protocol used, but is that it? Why not just say we are using a different protocol? What does ISAKMP really provide?

And what does IKE provide? We can use it in ISAKMP as a key exchange protocol, and yet IKE still doesn't perform any actual key exchange. IKE relies on DH for that.

To me, I see it as

ISAKMP ( IKE (DH) )

where ISAKMP and IKE literally read the same (provides key exchange and establish SAs) but neither actually do key exchange since that is DH.

So, I know I'm wrong and missing something completely. But I just can't see it.

How does IKE differ from ISAKMP (it must, since IKE is just one protocol that can be used in ISAKMP, so they are obviously on different levels)? What do they really provide us since DH does the actual work anyways providing us with a secure way to communicate (this is our end goal isn't it?)

I think this same structure shows up elsewhere in my Sec+ studies as well. There seems to be a "framework" that relies on different "protocols" which may use different "methods" all to accomplish the goal, but often I miss why there are so many layers necessary and it often sounds like they all do the same thing yet rely upon each other.

fieldmonkey

I did a quick look in the index of the book I'm using and there is no mention of IKE or ISAKMP ... So I guess those must be some high-level international frameworks.

Since it's not in my book, I sure hope it's not on the exam!

What reference(s) are you pulling this from?

BTW--I agree with you... seems DH is doing all the work, everything else is gravy.

superman859

fieldmonkey wrote: »

I did a quick look in the index of the book I'm using and there is no mention of IKE or ISAKMP ... So I guess those must be some high-level international frameworks.

Since it's not in my book, I sure hope it's not on the exam!

What reference(s) are you pulling this from?

BTW--I agree with you... seems DH is doing all the work, everything else is gravy.

Well, I would expect at least IKE to be on there...I mean, I've at least heard of IKE for a while although never understood it really. ISAKMP is more new to me though.

I'm using all-in-one Sec+ book right now, but recently grabbed some more info on these topics from wiki.

It's getting into the details of IPSec really. from what I currently understand, IPSec uses IKE for authentication which in turn is based on ISAKMP, and IKE uses DH to do the grunt work. So I kind of understand (I think) how it fits together like this, but I still don't see why all the layers are necessary. To me, IPSec does the authentication and generates SAs (and then encrypts data / etc), but I don't see why it goes IPSec -> IKE -> DH for authentication rather than something like IPSec -> DH. Wiki articles for IKE and ISAKMP also say they do "authentication and SAs", so it all just sounds redundant and mixes together in my head.

fieldmonkey

superman859 wrote: »

Well, I would expect at least IKE to be on there...

Just reviewed the objectives and neither IKE, nor ISAKMP is on there. ISAKMP seems to be a framework only and IKE is associated with IPSec (part of the nuts & bolts), but I doubt either will be mentioned on the exam, unless it's one the extra questions.

I wouldn't focus too much on those, unless it's purely intriguing to you.