Browse Prior Art Database

Opportunistic Encryption using the Internet Key Exchange (IKE) (RFC4322)

IP.com Disclosure Number: IPCOM000132590D
Original Publication Date: 2005-Dec-01
Included in the Prior Art Database: 2005-Dec-23
Document File: 45 page(s) / 96K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

M. Richardson: AUTHOR [+2]

Abstract

This document describes opportunistic encryption (OE) as designed and implemented by the Linux FreeS/WAN project. OE uses the Internet Key Exchange (IKE) and IPsec protocols. The objective is to allow encryption for secure communication without any pre-arrangement specific to the pair of systems involved. DNS is used to distribute the public keys of each system involved. This is resistant to passive attacks. The use of DNS Security (DNSSEC) secures this system against active attackers as well.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 3% of the total text.

Network Working Group                                      M. Richardson
Request for Comments: 4322                                           SSW
Category: Informational                                  D.H. Redelmeier
                                                                  Mimosa
                                                           December 2005


     Opportunistic Encryption using the Internet Key Exchange (IKE)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes opportunistic encryption (OE) as designed and
   implemented by the Linux FreeS/WAN project.  OE uses the Internet Key
   Exchange (IKE) and IPsec protocols.  The objective is to allow
   encryption for secure communication without any pre-arrangement
   specific to the pair of systems involved.  DNS is used to distribute
   the public keys of each system involved.  This is resistant to
   passive attacks.  The use of DNS Security (DNSSEC) secures this
   system against active attackers as well.

   As a result, the administrative overhead is reduced from the square
   of the number of systems to a linear dependence, and it becomes
   possible to make secure communication the default even when the
   partner is not known in advance.

Table of Contents

   1. Introduction ....................................................3
      1.1. Motivation .................................................3
      1.2. Encryption Regimes .........................................4
      1.3. Peer Authentication in Opportunistic Encryption ............4
      1.4. Use of RFC 2119 Terms ......................................5
   2. Overview ........................................................6
      2.1. Reference Diagram ..........................................6
      2.2. Terminology ................................................6
      2.3. Model of Operation .........................................8

Richardson & Redelmeier      Informational                      [Page 1]
RFC 4322           Opportunistic Encryption using IKE      December 2005


   3. Protocol Specification ..........................................9
      3.1. Forwarding Plane State Machine .............................9
      3.2. Keying Daemon -- Initiator ................................12
      3.3. Keying Daemon -- Responder ................................20
      3.4. Renewal and Teardown ................