Because key exchanges are a vital part of establishing security associations (SAs), you will want to know about key exchanges and their mechanisms. An IPsec SA is negotiated by means of the key management protocol Internet Key Exchange (IKE). Phase 1 of an IKE key exchange authenticates the identity of the end-stations, which allows the establishment of an IPsec SA in Phase 2.
Three key exchange mechanisms using IKE are supported between storage systems and clients: certificate authentication, Kerberos, and preshared keys.
- Certificate authentication lets an end-station prove its identity by providing a certificate that has been digitally signed by a third-party certificate authority (CA), such as Verisign or Entrust. With certificate authentication, administrators need not configure keys between all IPsec peers. Instead, administrators request and install a certificate on each peer, enabling it to dynamically authenticate all other participating peers.
- Kerberos is a network authentication system in which end-stations prove their identities by obtaining identical secret keys from a Key Distribution Center (KDC), the Kerberos security server. For Windows 2000 and later, the KDC is located on the Windows domain controller, which processes IKE authentication requests for storage systems and Windows clients in the domain. Kerberos authentication is enabled automatically when CIFS is licensed and configured on your storage system.
- Preshared keys are identical ASCII text strings entered manually on each end-station. Authentication is validated when IKE successfully compares the hash value of the two keys. Preshared key configuration is simple, but it requires manual management on each end-station. Also, preshared keys are static and persistent, and are therefore vulnerable unless changed frequently.
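As an added illustration (not part of the Data ONTAP documentation) of what the preshared-key comparison above involves, the following models IKEv1 Phase 1 authentication as RFC 2409 defines it: the key itself never crosses the wire; each peer derives SKEYID from the preshared key and both nonces, and proves possession with a HASH_I value bound to the Diffie-Hellman values, cookies and identity. HMAC-SHA-256 stands in for the negotiated prf, and the DH values, nonces and payload bodies are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Added example, not Data ONTAP code. Models IKEv1 Phase 1 (RFC 2409)
# pre-shared-key authentication. HMAC-SHA-256 stands in for the negotiated
# prf; DH public values and payload bodies are constructed placeholders.

def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b) (RFC 2409, section 5.4)."""
    return hmac.new(psk, ni_b + nr_b, hashlib.sha256).digest()

def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return hmac.new(skeyid, g_xi + g_xr + cky_i + cky_r + sai_b + idii_b,
                    hashlib.sha256).digest()

def responder_accepts(initiator_psk: bytes, responder_psk: bytes) -> bool:
    """Run one Phase 1 exchange; True only if the responder's recomputed
    HASH_I matches the one the initiator sent, i.e. the two PSKs agree."""
    # Values both sides see on the wire (constructed; DH values are stubs).
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    g_xi, g_xr = secrets.token_bytes(32), secrets.token_bytes(32)
    sai_b = b"SA proposal: ESP AES-256 SHA-256"   # constructed placeholder
    idii_b = b"ID_IPV4_ADDR 10.0.0.1"              # constructed placeholder

    # Initiator side: derive SKEYID from its PSK and send HASH_I.
    sent = hash_i(skeyid_psk(initiator_psk, ni_b, nr_b),
                  g_xi, g_xr, cky_i, cky_r, sai_b, idii_b)
    # Responder side: derive SKEYID from the PSK configured for this peer
    # and recompute HASH_I from the same public values.
    expected = hash_i(skeyid_psk(responder_psk, ni_b, nr_b),
                      g_xi, g_xr, cky_i, cky_r, sai_b, idii_b)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    key = b"correct horse battery staple"
    print("matching PSKs:", responder_accepts(key, key))        # True
    print("mismatched PSKs:", responder_accepts(key, b"typo"))  # False
```

Because SKEYID mixes in fresh nonces from both peers, every exchange produces a different HASH_I even though the configured key is static; what remains static, and what the text above warns about, is the key the whole derivation depends on.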
Note: The authentication of end-station identity provided by the key exchange protocol IKE is different from the packet integrity authentication provided by the IPsec protocols AH and ESP.