ISAKMP

Internet Security Association and Key Management Protocol

ISAKMP is a framework for establishing Security Associations and cryptographic keys, used within 3GPP's NDS/IP specification to secure communications between network entities like eNBs and the core network.

Category: Security
Introduced: Rel-8
Where: Core Network › 5G Core
Specifications: 1 spec

Description

The Internet Security Association and Key Management Protocol (ISAKMP) is a protocol framework defined by the IETF in RFC 2408 for establishing, negotiating, modifying, and deleting Security Associations (SAs) and the corresponding cryptographic keys. A Security Association is a simplex connection that affords security services to the traffic carried on it. ISAKMP defines the procedures and packet formats for authentication, key establishment, and key management, but it is independent of the specific key exchange protocol, authentication method, and encryption algorithm, which makes it a flexible framework.

In 3GPP, ISAKMP is mandated within the Network Domain Security for IP (NDS/IP) specification (TS 33.210) to secure IP-based control plane and user plane communications between network elements, particularly in the Radio Access Network (RAN) and between RAN and core network elements. For instance, it is used to secure the S1 interface between an eNodeB (eNB) and the Mobility Management Entity (MME) or Serving Gateway (S-GW) and the X2 interface between eNBs in LTE networks, and similarly the NG-RAN interfaces in 5G.

The protocol operates in two phases. Phase 1 establishes a secure, authenticated channel (an ISAKMP SA) between two peers, which then protects the negotiations of Phase 2. Phase 2 establishes SAs for other protocols, such as IPsec ESP or AH, which in turn protect the actual user plane or control plane traffic. ISAKMP messages are carried over UDP port 500. Within NDS/IP, ISAKMP is typically used with IKEv1 or IKEv2 as the key exchange protocol to perform mutual authentication (often with pre-shared keys or certificates) and to derive the keys for the IPsec SAs.
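As an added illustration (not part of the original page or of TS 33.210), the following Python decodes the 28-byte fixed header that ISAKMP/IKEv1 (RFC 2408) and IKEv2 (RFC 7296) datagrams on UDP port 500 share, validates the length and cookie fields, and classifies each message as Phase 1 or Phase 2 from its exchange type, which is the first thing a monitoring tool on an NDS/IP link would look at. The three sample datagrams are constructed for the example, not captured traffic.

```python
import struct

# ISAKMP fixed header (RFC 2408 section 3.1): initiator cookie, responder cookie, next payload,
# version (major/minor nibbles), exchange type, flags, message ID, total message length.
# IKEv2 (RFC 7296 section 3.1) keeps the same 28-byte layout with version 2.0.
HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {  # value: (name, phase the exchange belongs to)
    1: ("Base", "Phase 1"),
    2: ("Identity Protection", "Phase 1"),
    3: ("Authentication Only", "Phase 1"),
    4: ("Aggressive", "Phase 1"),
    5: ("Informational", "notification"),
    32: ("Quick Mode", "Phase 2"),          # IKEv1 value (RFC 2409)
    34: ("IKE_SA_INIT", "IKEv2 IKE SA"),    # IKEv2 values (RFC 7296)
    35: ("IKE_AUTH", "IKEv2 IKE SA"),
    36: ("CREATE_CHILD_SA", "IKEv2 Child SA"),
    37: ("INFORMATIONAL", "IKEv2 notification"),
}

def parse_isakmp_header(datagram: bytes) -> dict:
    """Decode the fixed header of one UDP/500 datagram and check its length and cookie fields."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    icookie, rcookie, nxt, version, exch, flags, msg_id, length = HEADER.unpack_from(datagram)
    if length != len(datagram):  # the length field must cover the whole message
        raise ValueError(f"length field {length} does not match datagram size {len(datagram)}")
    if icookie == bytes(8):      # the initiator cookie is never zero
        raise ValueError("initiator cookie must be non-zero")
    major, minor = version >> 4, version & 0x0F
    name, phase = EXCHANGE_TYPES.get(exch, ("Unknown", "unknown"))
    if major == 1:  # IKEv1 flag bits: Encryption, Commit, Authentication Only
        bits = ((0x01, "ENCRYPT"), (0x02, "COMMIT"), (0x04, "AUTH_ONLY"))
    else:           # IKEv2 flag bits: Initiator, Version, Response
        bits = ((0x08, "INITIATOR"), (0x10, "VERSION"), (0x20, "RESPONSE"))
    return {"version": f"{major}.{minor}", "exchange": name, "phase": phase,
            "flags": [n for bit, n in bits if flags & bit], "next_payload": nxt,
            "responder_cookie_set": rcookie != bytes(8), "message_id": msg_id, "length": length}

def build_sample(icookie, rcookie, nxt, version, exch, flags, msg_id, body):
    """Constructed sample datagram (not a capture): header followed by an opaque payload body."""
    return HEADER.pack(icookie, rcookie, nxt, version, exch, flags, msg_id, HEADER.size + len(body)) + body

# Constructed samples: first Main Mode message (Phase 1, SA payload, no responder cookie yet),
# an encrypted Quick Mode message (Phase 2), and an IKEv2 IKE_SA_INIT request.
MAIN_MODE_1 = build_sample(b"\x11" * 8, bytes(8), 1, 0x10, 2, 0x00, 0, bytes(12))
QUICK_MODE = build_sample(b"\x11" * 8, b"\x22" * 8, 8, 0x10, 32, 0x01, 0x1234, bytes(16))
IKEV2_INIT = build_sample(b"\x33" * 8, bytes(8), 33, 0x20, 34, 0x08, 0, bytes(8))
```

Calling parse_isakmp_header on each sample returns the decoded fields; a datagram whose length field disagrees with its actual size is rejected rather than silently parsed.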

Purpose & Motivation

ISAKMP was created to provide a standardized, scalable, and secure framework for managing Security Associations in IP networks, which is a fundamental requirement for building trusted VPNs and securing inter-node communication. Within 3GPP, the adoption of ISAKMP as part of NDS/IP was motivated by the transition to all-IP network architectures in 3GPP Release 5 and beyond. As network interfaces moved from legacy, often physically protected TDM/ATM links to packet-switched IP networks, they became vulnerable to eavesdropping, spoofing, and other IP-based attacks. The purpose of NDS/IP, and by extension ISAKMP, is to provide hop-by-hop security at the IP layer between trusted 3GPP network elements, ensuring confidentiality, integrity, and authentication of signaling and user data traversing these interfaces. This addresses the security gap created by the all-IP transformation. Prior to NDS/IP, physical security of links was often deemed sufficient. ISAKMP provides a flexible, standards-based method to automate the establishment and lifecycle management of the IPsec tunnels that protect these critical network links, reducing manual configuration and enabling dynamic peer authentication and key refresh.

Classification

Part of: IPsec
Specific types: IKE
Related approaches: NDS/IP

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (7 CRs across 3 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-8, normative work from Rel-15.

Rel-15 (2 changes)

In Release 15, the ISAKMP function was updated by expanding the NDS/IP scope to include application layer cryptographic profiles, centralizing this repository within the specification. This change was complemented by the addition of specific references for the TLS Protocol Profiles clause, further detailing the security mechanisms for protocols above the IP layer. These updates reinforced the document's role as the central repository for protecting IP-based control plane signalling.

  • Update NDS/IP scope with application layer crypto profiles (TS 33.210, CR0050)
  • Adding references for the TLS Protocol Profiles clause (TS 33.210, CR0055)

Rel-16 (2 changes)

In Release 16, the updates to the ISAKMP function within NDS/IP primarily involved editorial corrections and a scope update to incorporate application layer cryptographic profiles. This established the specification as the central repository for cryptographic profiles for security above the IP layer. The changes reinforced the document's role in defining protection mechanisms for control plane signalling across 3GPP and fixed broadband networks.

  • Update NDS/IP scope with application layer crypto profiles (TS 33.210, CR0056)
  • Editorial corrections to NDS/IP (TS 33.210, CR0068)

Rel-17 (3 changes)

In Release 17, the ISAKMP function, specifically for IKEv2, was updated by replacing the obsolete reference to RFC 7296 with the new standard RFC 8247, which provides the algorithm implementation requirements and usage guidance for IKEv2. This change was part of broader security updates for algorithms and protocols within the specification. Additionally, the related IPsec references were updated to align with current standards, including RFC 8221 for ESP and AH.

  • Security updates for algorithms and protocols for 33.210 (TS 33.210, CR0072)
  • Update IPSec references to rfc8221 (TS 33.210, CR0073)
  • Update IPSec reference from obsolete RFC 7296 to RFC 8247 (TS 33.210, CR0074)

Defining Specifications

3GPP specifications that define or reference ISAKMP, with the latest known release. Sourced from the 3GPP document catalog.

Specification       Title                           Release
TS 33.210 (vj20)    UMTS Security for IP Networks   Rel-19