> Can one of you IPSEC gurus expound on what exactly the
> DOI is in regards to IPSEC. Yes, I have read the RFC; it
> left me going uhhhh... In plain English, can someone
> provide me with a good working functional pragmatic
> explanation. I would appreciate it.
>
I'm no guru, but very briefly put (and bear with me, please; I really am
trying to keep it short):
In order for machines to secure communications, they have to negotiate how
they'll go about securing the communication channel(s) and how they'll
authenticate each other (or the users involved or whatever else they have to
authenticate). Different security protocols (IPSec AH, IPSec ESP, TLS,
whatever) use different mechanisms for authentication, encryption and key
management. In order to determine what mechanisms are to be used for a
connection (or set of connections), the machines establish security
associations (SAs).
A security association is the complete set of "rules" for a given security
protocol and connection. An SA includes things like which authentication
algorithm, encryption algorithm and key are used for the communication. When
two machines establish an SA, they're agreeing on the algorithms and keys
they'll use for the specific communication. Historically one of the problems
with SAs was that there was no established mechanism for key exchange, and
SAs rely on keys for authentication and encryption. Thus, ISAKMP (Internet
Security Association Key Management Protocol) was born.
ISAKMP is a framework that allows machines to establish an SA. ISAKMP
doesn't dictate what the SA will consist of, just defines the format of the
payloads used to exchange key and authentication information. In the process
of negotiating secure communication, the machines may be negotiating
different SAs for different aspects of their communication. ISAKMP just
allows the machines to "agree" on the format of the SA information that
they're exchanging with each other.
I know, none of this answers your question; I'm getting there. ;-)
ISAKMP uses a Domain Of Interpretation (DOI) to identify which "pools" of
SAs, algorithms and exchange mechanisms can be used for a communication. A
DOI specifies which SAs are supported, how the acceptable authentication and
encryption algorithms are named, the "situation" under which the DOI
applies, and the payload formats. It's kind of the "instruction manual" that
tells the machines what they're negotiating: IPSec AH, IPSec ESP, etc.
I'm not sure if this actually cleared anything up for you; if it didn't,
re-post and I'll try to give a better explanation in daytime hours. ;-)
Laura
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
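To make the "instruction manual" point concrete, here is an added example (not code from Laura's post or from the Firewalls list) that parses an ISAKMP message carrying an SA payload and shows where the DOI sits and what it controls. The field layouts and constants are taken from RFC 2408 (ISAKMP header, SA/Proposal/Transform payloads, attribute encoding) and RFC 2407 (IPsec DOI value 1, the ESP transform identifiers and the attribute classes). The message bytes are constructed inline for the example, not captured from a real peer; the cookies, SPI and message ID are arbitrary sample values. The receiver reads the DOI first, because only the DOI tells it how to interpret the protocol IDs, transform IDs and attribute classes in the payloads that follow; a parser that ignores an unexpected DOI would silently misread them.

```python
import struct

# Constants from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI).
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 0, 1, 2, 3
IPSEC_DOI = 1                     # RFC 2407: the only DOI most stacks implement
SIT_IDENTITY_ONLY = 0x01          # RFC 2407 situation bitmap
PROTO_NAMES = {1: "PROTO_ISAKMP", 2: "PROTO_IPSEC_AH", 3: "PROTO_IPSEC_ESP"}
ESP_TRANSFORM_NAMES = {3: "ESP_3DES", 12: "ESP_AES"}   # meaning depends on the DOI
ATTR_NAMES = {1: "SA Life Type", 2: "SA Life Duration", 4: "Encapsulation Mode",
              5: "Authentication Algorithm", 6: "Key Length"}
HEADER_LEN = 28


def parse_header(msg):
    """Decode the fixed 28-byte ISAKMP header and cross-check its length field."""
    _ic, _rc, next_payload, version, exch, _flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", msg[:HEADER_LEN])
    if length != len(msg):
        raise ValueError("header length %d != message length %d" % (length, len(msg)))
    return {"next_payload": next_payload, "major": version >> 4, "minor": version & 0xF,
            "exchange_type": exch, "message_id": msg_id, "length": length}


def parse_generic_header(msg, off):
    """Every ISAKMP payload starts with: next payload, reserved, 16-bit length."""
    next_payload, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
    if plen < 4 or off + plen > len(msg):
        raise ValueError("bad payload length at offset %d" % off)
    return next_payload, plen


def parse_attributes(buf):
    """Decode transform attributes; bit 15 of the type selects TV (2-byte value) vs TLV."""
    attrs, i = {}, 0
    while i < len(buf):
        type_field, val = struct.unpack("!HH", buf[i:i + 4])
        name = ATTR_NAMES.get(type_field & 0x7FFF, type_field & 0x7FFF)
        if type_field & 0x8000:            # AF=1: value is the 2-byte field itself
            attrs[name] = val
            i += 4
        else:                              # AF=0: `val` is the length of a variable value
            attrs[name] = buf[i + 4:i + 4 + val]
            i += 4 + val
    return attrs


def parse_sa_payload(msg, off):
    """Decode an SA payload: DOI, situation, then the chained proposals and transforms."""
    next_payload, plen = parse_generic_header(msg, off)
    doi, situation = struct.unpack("!II", msg[off + 4:off + 12])
    sa = {"doi": doi, "situation": situation, "proposals": []}
    pos, end = off + 12, off + plen
    while pos < end:
        _, prop_len = parse_generic_header(msg, pos)
        prop_no, proto_id, spi_size, n_transforms = struct.unpack("!BBBB", msg[pos + 4:pos + 8])
        spi = msg[pos + 8:pos + 8 + spi_size]
        names = ESP_TRANSFORM_NAMES if proto_id == 3 else {}
        prop = {"number": prop_no, "protocol": PROTO_NAMES.get(proto_id, proto_id),
                "spi": spi.hex(), "transforms": []}
        tpos = pos + 8 + spi_size
        for _ in range(n_transforms):
            _, tlen = parse_generic_header(msg, tpos)
            t_no, t_id = struct.unpack("!BB", msg[tpos + 4:tpos + 6])   # then 2 reserved bytes
            prop["transforms"].append({"number": t_no, "id": names.get(t_id, t_id),
                                       "attributes": parse_attributes(msg[tpos + 8:tpos + tlen])})
            tpos += tlen
        sa["proposals"].append(prop)
        pos += prop_len
    return sa, next_payload


def describe(msg):
    """Parse header + SA payload, refusing to interpret IDs under a DOI we do not know."""
    hdr = parse_header(msg)
    if hdr["next_payload"] != PAYLOAD_SA:
        raise ValueError("first payload is not an SA payload")
    sa, _ = parse_sa_payload(msg, HEADER_LEN)
    if sa["doi"] != IPSEC_DOI:
        raise ValueError("unknown DOI %d: protocol/transform IDs cannot be interpreted" % sa["doi"])
    return hdr, sa


def build_sample_message(doi=IPSEC_DOI):
    """Constructed Quick Mode message with one ESP/AES-128 tunnel-mode proposal (sample data)."""
    attrs = struct.pack("!HHHHHH", 0x8004, 1, 0x8005, 2, 0x8006, 128)   # tunnel, HMAC-SHA, 128 bits
    transform = struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8 + len(attrs), 1, 12, 0) + attrs
    proposal = (struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 12 + len(transform), 1, 3, 4, 1)
                + b"\x00\x00\x10\x01" + transform)                        # sample SPI
    sa = struct.pack("!BBHII", PAYLOAD_NONE, 0, 12 + len(proposal), doi, SIT_IDENTITY_ONLY) + proposal
    header = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x02" * 8, PAYLOAD_SA, 0x10, 32, 0,
                         0xDEADBEEF, HEADER_LEN + len(sa))                # sample cookies, Quick Mode
    return header + sa


if __name__ == "__main__":
    print(describe(build_sample_message()))
```

Running the block prints the decoded header and SA, with the DOI, the ESP proposal, its SPI and the AES transform attributes. Passing `doi=2` to `build_sample_message` makes `describe` refuse the message, which is the behaviour a peer should have: every identifier below the DOI field is only meaningful relative to that DOI.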