NE40E V800R010C10SPC500 Feature Description - Security 01

IKEv2 SA Negotiation Process


To create a pair of IPsec SAs, IKEv1 requires two phases: main mode plus quick mode, or aggressive mode plus quick mode. Main mode plus quick mode requires at least nine messages, while aggressive mode plus quick mode requires at least six. In the normal case, IKEv2 needs only two exchanges (four messages) to negotiate one IKE SA and the first pair of IPsec SAs. Each additional pair of IPsec SAs costs only one more exchange, that is, two messages. In this sense, IKEv2 is much simpler than IKEv1.

IKEv2 SA Negotiation Process

IKEv2 defines three types of exchange: the initial exchange, the Create Child SA exchange, and the notification exchange.

  1. Initial exchange

    IKE communication always starts with the IKE SA initial exchange (IKE_SA_INIT) followed by the IKE authentication exchange (IKE_AUTH). Together these two exchanges usually consist of four messages; the number may increase in certain scenarios. All IKE communication consists of request and response pairs. After the IKE_SA_INIT and IKE_AUTH exchanges complete, an IKE SA and the first pair of Child SAs (IPsec SAs) are established.

    Figure 13-29 IKEv2 initial negotiation procedure

    The details are as follows:

    1. First message pair (IKE_SA_INIT)

      This message pair negotiates the IKE SA parameters: the encryption and authentication algorithms, the nonces, and the DH exchange.

      Once the IKE_SA_INIT exchange is complete, shared keying material is generated, and all other keys of the IKE SA are derived from it.

    2. Second message pair (IKE_AUTH)

      From the IKE_AUTH exchange onward, all messages are encrypted. The IKE_AUTH exchange requires at least two messages; during this exchange the peers authenticate each other's identities and the first Child SA is established.

      The authentication payload (AUTH payload) is calculated differently for RSA signature authentication and for pre-shared key authentication. The keying material for the IPsec SA is generated in the IKE_SA_INIT exchange, and all IPsec SA keys are derived from that keying material.

      In addition to RSA signature and pre-shared key authentication, IKEv2 also supports EAP authentication. EAP authentication is implemented in IKE as additional IKE_AUTH exchanges. The initiator omits the AUTH payload from message 3 to indicate that it wants to use EAP authentication.

  2. Creating Child SA exchanges

    If an IKE SA needs more than one pair of IPsec SAs, the additional pairs are negotiated using Create Child SA exchanges. Create Child SA exchanges are also used to renegotiate (rekey) IKE SAs.

    A Create Child SA exchange is a single exchange of two messages; it corresponds to the IKEv1 phase 2 exchange (quick mode). It can only take place after the IKE initial exchange has completed, and either peer of the initial exchange, the initiator or the responder, may initiate it. Both messages of the exchange are protected by the keys negotiated in the IKE initial exchange.

    As with PFS in IKEv1, a fresh DH exchange can be performed within the Create Child SA exchange to generate new keying material. Once that keying material is generated, all keys of the Child SA are derived from it.

  3. Notification exchange

    During IKE negotiation, the two peers sometimes need to send control messages, such as error or notification messages. In IKEv2, such messages are carried in the notification exchange.

    The notification exchange must be protected by the IKE SA, which means it can only take place after the initial exchange.
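The key derivation mentioned for the initial exchange (shared keying material from IKE_SA_INIT, other keys derived from it) and for the Create Child SA exchange (Child SA keys derived from the Child SA keying material) can be followed step by step in code. The following Python example is added here and is not part of the Huawei document or the NE40E software; it assumes PRF_HMAC_SHA2_256 as the negotiated PRF, follows the prf+ construction of RFC 7296, and uses constructed sample values in place of a real DH secret, nonces and SPIs.

```python
import hmac
import hashlib

PRF_LEN = hashlib.sha256().digest_size  # 32 bytes: output/key size of the assumed PRF

def prf(key: bytes, data: bytes) -> bytes:
    """Assumed negotiated PRF: PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ expansion: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n); output is T1|T2|..."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]

def derive_ike_keys(g_ir, ni, nr, spi_i, spi_r, enc_len=32, integ_len=32):
    """After IKE_SA_INIT: SKEYSEED from the DH secret and nonces, then the seven IKE SA keys.
    SK_d seeds the Child SA keys, SK_a*/SK_e* protect IKE_AUTH and all later messages,
    and SK_p* are used when computing the AUTH payload."""
    skeyseed = prf(ni + nr, g_ir)
    layout = [("SK_d", PRF_LEN), ("SK_ai", integ_len), ("SK_ar", integ_len),
              ("SK_ei", enc_len), ("SK_er", enc_len), ("SK_pi", PRF_LEN), ("SK_pr", PRF_LEN)]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in layout))
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = stream[pos:pos + size]
        pos += size
    return keys

def derive_child_keymat(sk_d, ni, nr, length, g_ir_new=None):
    """Child SA KEYMAT = prf+(SK_d, [g^ir(new) |] Ni | Nr). The new DH secret is present
    only when a fresh DH exchange (PFS) was done in the Create Child SA exchange."""
    return prf_plus(sk_d, (g_ir_new or b"") + ni + nr, length)

# Constructed sample values (not captured traffic): DH shared secret, nonces and SPIs.
SAMPLE = dict(g_ir=b"\x11" * 32, ni=b"\xaa" * 16, nr=b"\xbb" * 16,
              spi_i=bytes(range(1, 9)), spi_r=bytes(range(8, 0, -1)))

if __name__ == "__main__":
    ike = derive_ike_keys(**SAMPLE)
    for name, key in ike.items():
        print(name, key.hex())
    # First Child SA keys, e.g. AES-256 + HMAC-SHA256 in each direction = 4 * 32 bytes
    print("KEYMAT", derive_child_keymat(ike["SK_d"], SAMPLE["ni"], SAMPLE["nr"], 128).hex())
```

Passing a different nonce pair, or a new DH secret via g_ir_new, reproduces the Child SA rekey cases described above and yields entirely different key material.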

Updated: 2019-01-03

Document ID: EDOC1100055047
