Description
The Internet Security Association Key Management Protocol (ISAKMP) is a protocol framework defined by the IETF (RFC 2408) for establishing, negotiating, modifying, and deleting Security Associations (SAs) and corresponding cryptographic keys. A Security Association is a simplex connection that affords security services to the traffic carried on it. ISAKMP defines procedures and packet formats for authentication, key establishment, and key management. It is independent of the specific key exchange protocol, authentication method, or encryption algorithm, making it a flexible framework.

In 3GPP, ISAKMP is mandated within the Network Domain Security for IP (NDS/IP) specification (TS 33.210) to secure IP-based control plane and user plane communications between network elements, particularly in the Radio Access Network (RAN) and between RAN and core network elements. For instance, it is used to secure the S1 interface between eNodeB (eNB) and Mobility Management Entity (MME)/Serving Gateway (S-GW) and the X2 interface between eNBs in LTE networks, and similarly for NG-RAN interfaces in 5G.

The protocol operates in two phases: Phase 1 establishes a secure, authenticated channel (an ISAKMP SA) between two peers, which is then used to protect the negotiations in Phase 2. Phase 2 establishes SAs for other protocols, such as IPsec ESP or AH, which are used to secure the actual user or control plane data traffic. ISAKMP packets use UDP port 500. Within NDS/IP, ISAKMP is typically used with IKEv1 or IKEv2 as the key exchange protocol to perform mutual authentication (often using pre-shared keys or certificates) and to derive the keys for the IPsec SAs.
Purpose & Motivation
ISAKMP was created to provide a standardized, scalable, and secure framework for managing Security Associations in IP networks, which is a fundamental requirement for building trusted VPNs and securing inter-node communication. Within 3GPP, the adoption of ISAKMP as part of NDS/IP was motivated by the transition to all-IP network architectures in 3GPP Release 5 and beyond. As network interfaces moved from legacy, often physically protected TDM/ATM links to packet-switched IP networks, they became vulnerable to eavesdropping, spoofing, and other IP-based attacks. The purpose of NDS/IP, and by extension ISAKMP, is to provide hop-by-hop security at the IP layer between trusted 3GPP network elements, ensuring confidentiality, integrity, and authentication of signaling and user data traversing these interfaces. This addresses the security gap created by the all-IP transformation. Prior to NDS/IP, physical security of links was often deemed sufficient. ISAKMP provides a flexible, standards-based method to automate the establishment and lifecycle management of the IPsec tunnels that protect these critical network links, reducing manual configuration and enabling dynamic peer authentication and key refresh.
Key Features
- Framework for establishment, negotiation, modification, and deletion of Security Associations (SAs)
- Operational independence from specific key exchange protocols, encryption, or authentication algorithms
- Two-phase operation: Phase 1 for establishing a secure management channel (ISAKMP SA), Phase 2 for establishing protocol-specific SAs (e.g., for IPsec)
- Support for multiple authentication methods (pre-shared keys, digital signatures, public key encryption)
- Defines payloads and exchanges for SA attributes, proposals, and notifications
- Uses UDP port 500 for transport; because UDP is connectionless, ISAKMP provides its own reliability (retransmission and message matching via cookies and Message IDs) rather than relying on the transport
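To make the two-phase structure and the fixed packet format described above concrete, here is an added Python example (not code from the 3GPP specifications or from any IKE implementation) that parses the 28-byte ISAKMP header defined in RFC 2408, enforces the invariants a receiver should check, and classifies each message as Phase 1, Phase 2, Informational, or an anomaly. The sample datagrams, the `build_datagram` helper and the `audit` function are constructed for illustration; the exchange-type and flag values are those defined in RFC 2408 and RFC 2409.

```python
import struct
from collections import namedtuple

# Fixed 28-byte ISAKMP header (RFC 2408 section 3.1), network byte order:
# I-cookie(8) R-cookie(8) NextPayload(1) Version(1) ExchType(1) Flags(1) MsgID(4) Length(4)
HDR = struct.Struct("!8s8sBBBBII")
IsakmpHeader = namedtuple("IsakmpHeader", "init_cookie resp_cookie next_payload major minor exchange flags message_id length")
PHASE1_EXCHANGES = {1, 2, 3, 4}    # Base, Identity Protection (Main Mode), Auth Only, Aggressive
QUICK_MODE, INFORMATIONAL = 32, 5  # Quick Mode is the IKEv1 Phase 2 exchange (RFC 2409)
FLAG_ENCRYPTED = 0x01              # "E" bit: everything after the header is encrypted

def build_datagram(init_cookie, resp_cookie, exchange, flags, message_id, payload):
    """Encode a header in front of an opaque payload, filling in the Length field (constructed helper)."""
    return HDR.pack(init_cookie, resp_cookie, 1, 0x10, exchange, flags,  # version 1.0, Next Payload = SA
                    message_id, HDR.size + len(payload)) + payload

def parse_header(datagram):
    """Decode the header and reject datagrams that violate RFC 2408 invariants."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    ic, rc, np_, ver, ex, fl, mid, ln = HDR.unpack_from(datagram)
    hdr = IsakmpHeader(ic, rc, np_, ver >> 4, ver & 0x0F, ex, fl, mid, ln)
    if hdr.major != 1:
        raise ValueError(f"unsupported ISAKMP major version {hdr.major}")
    if hdr.length != len(datagram):       # Length covers header plus all payloads
        raise ValueError(f"Length field {hdr.length} != datagram size {len(datagram)}")
    return hdr

def classify(hdr):
    """Name the phase a header belongs to, or describe the protocol anomaly it shows."""
    if hdr.exchange in PHASE1_EXCHANGES:  # Message ID MUST be 0 during Phase 1
        return "phase1" if hdr.message_id == 0 else "anomaly: phase-1 exchange with Message ID"
    if hdr.exchange == QUICK_MODE:        # Phase 2 runs under the Phase 1 ISAKMP SA
        if not hdr.flags & FLAG_ENCRYPTED:
            return "anomaly: Quick Mode not protected by the ISAKMP SA"
        return "phase2" if hdr.message_id else "anomaly: Quick Mode with zero Message ID"
    if hdr.exchange == INFORMATIONAL:
        return "informational"
    return f"anomaly: unknown exchange type {hdr.exchange}"

# Constructed sample datagrams (not captured traffic): Main Mode first message, valid Quick Mode, Quick Mode in the clear.
SAMPLES = {
    "main_mode_1": build_datagram(b"\x11" * 8, bytes(8), 2, 0x00, 0, b"\x00" * 40),
    "quick_mode": build_datagram(b"\x11" * 8, b"\x22" * 8, 32, 0x01, 0x1234ABCD, b"\x00" * 40),
    "quick_clear": build_datagram(b"\x11" * 8, b"\x22" * 8, 32, 0x00, 0x1234ABCD, b"\x00" * 40),
}

def audit(samples=SAMPLES):
    """Return {name: classification} for every datagram so a reviewer can spot anomalies."""
    return {name: classify(parse_header(dg)) for name, dg in samples.items()}
```

The same `parse_header`/`classify` pair can be run over UDP/500 datagrams from a capture to confirm that Phase 2 negotiations on an NDS/IP link are actually protected by the Phase 1 SA.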
Evolution Across Releases
5G Phase 1 standardization: while 5G introduced new security protocols and architectures (e.g., the service-based architecture secured with TLS), ISAKMP-based NDS/IP remained applicable for securing certain inter-node interfaces, particularly in the RAN (e.g., F1, E1, Xn), often with a migration path to, or co-existence with, the newer methods.
Defining Specifications
| Specification | Title |
|---|---|
| TS 33.210 | 3GPP TS 33.210: Network Domain Security (NDS); IP network layer security |