
RFC 2408 http://tools.ietf.org/html/rfc2408

The Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SA). SAs contain all the information required for execution of various network security services, such as the IP layer services (such as header authentication and payload encapsulation), transport or application layer services, or self-protection of negotiation traffic. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism.

The format of the header is shown in the following illustration:

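+---------------+---------------+---------------+---------------+
|                  Initiator cookie (8 bytes)                   |
|                                                               |
+---------------+---------------+---------------+---------------+
|                  Responder cookie (8 bytes)                   |
|                                                               |
+---------------+-------+-------+---------------+---------------+
| Next payload  | MjVer | MnVer | Exchange Type |     Flags     |
|   (1 byte)    | 4 bits| 4 bits|   (1 byte)    |   (1 byte)    |
+---------------+-------+-------+---------------+---------------+
|                     Message ID (4 bytes)                      |
+---------------+---------------+---------------+---------------+
|                       Length (4 bytes)                        |
+---------------+---------------+---------------+---------------+
     1 byte          1 byte          1 byte          1 byte

ISAKMP structure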

Initiator cookie
Cookie of entity that initiated SA establishment, SA notification, or SA deletion.

Responder cookie
Cookie of entity that is responding to an SA establishment, SA notification, or SA deletion.

Next payload
Indicates the type of the first payload in the message. Possible types are:

0 None
1 Security Association (SA)
2 Proposal (P)
3 Transform (T)
4 Key Exchange (KE)
5 Identification (ID)
6 Certificate (CERT)
7 Certificate Request (CR)
8 Hash (HASH)
9 Signature (SIG)
10 Nonce (NONCE)
11 Notification (N)
12 Delete (D)
13 Vendor ID (VID)
14-127 Reserved
128-255 Private use

MjVer
Major Version - indicates the major version of the ISAKMP protocol in use. Implementations based on RFC 2408 must set the Major Version to 1. Implementations based on previous versions of ISAKMP Internet-Drafts must set the Major Version to 0. Implementations should never accept packets with a major version number larger than their own.

MnVer
Minor Version - indicates the minor version of the ISAKMP protocol in use. Implementations based on RFC 2408 must set the minor version to 0. Implementations based on previous versions of ISAKMP Internet-Drafts must set the minor version to 1. Implementations should never accept packets with a minor version number larger than their own.

Exchange Type
The type of exchange being used. This dictates the message and payload orderings in the ISAKMP exchanges. Possible values are:

0 None
1 Base
2 Identity Protection
3 Authentication Only
4 Aggressive
5 Informational
6-31 ISAKMP Future Use
32-239 DOI Specific Use
240-255 Private Use

Flags
Specific options that are set for the ISAKMP exchange.
E(ncryption bit) (bit 0) - specifies that all payloads following the header are encrypted using the encryption algorithm identified in the ISAKMP SA.
C(ommit bit) (bit 1) - signals key exchange synchronization. It is used to ensure that encrypted material is not received prior to completion of the SA establishment.
A(uthentication Only Bit) (bit 2) - intended for use with the Informational Exchange with a Notify payload and will allow the transmission of information with integrity checking, but no encryption.
All remaining bits are set to 0 before transmission.

Message ID
Unique Message Identifier used to identify protocol state during Phase 2 negotiations. This value is randomly generated by the initiator of the Phase 2 negotiation. In the event of simultaneous SA establishments (i.e., collisions), the value of this field will likely be different because they are independently generated and, thus, two security associations will progress toward establishment. However, it is unlikely there will be absolute simultaneous establishments. During Phase 1 negotiations, the value must be set to 0.

Length
Length of total message (header + payloads) in octets. Encryption can expand the size of an ISAKMP message.
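
The header fields described above can be decoded and sanity-checked in a few lines. The following Python sketch is an added example, not code from this page or from RFC 2408; the function names, the `problems` list and the sample message are constructed for illustration, and the checks are limited to the rules stated in the field descriptions (version not newer than ours, reserved flag bits zero, reserved next-payload range, length covering at least the header and no more than the bytes received).

```python
import struct

# Layout from the field list above: 8-byte initiator and responder cookies,
# next payload, MjVer/MnVer nibbles, exchange type, flags, message ID, length.
HEADER = struct.Struct("!8s8sBBBBII")  # 28 bytes, network byte order
EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
FLAG_BITS = {0x01: "E", 0x02: "C", 0x04: "A"}  # bits 0, 1 and 2


def parse_isakmp_header(data, our_major=1, our_minor=0):
    """Return (fields, problems) for the ISAKMP header at the start of data."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header: %d of %d bytes" % (len(data), HEADER.size))
    icookie, rcookie, nxt, ver, xchg, flags, msg_id, length = HEADER.unpack_from(data)
    major, minor = ver >> 4, ver & 0x0F
    fields = {
        "initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
        "next_payload": nxt, "version": (major, minor),
        "exchange_type": EXCHANGE_TYPES.get(xchg, "other (%d)" % xchg),
        "flags": [name for bit, name in FLAG_BITS.items() if flags & bit],
        "message_id": msg_id, "length": length,
    }
    problems = []
    if major > our_major or minor > our_minor:
        problems.append("version %d.%d is newer than ours" % (major, minor))
    if flags & 0xF8:
        problems.append("reserved flag bits set: 0x%02x" % (flags & 0xF8))
    if 14 <= nxt <= 127:
        problems.append("next payload %d is in the reserved range" % nxt)
    if length < HEADER.size or length > len(data):
        problems.append("length %d does not fit the %d bytes received" % (length, len(data)))
    return fields, problems


def build_sample(ver=0x10, flags=0x00, length=32):
    """Constructed test message: header plus 4 filler bytes, not a real capture."""
    header = HEADER.pack(bytes(range(1, 9)), bytes(8), 1, ver, 2, flags, 0, length)
    return header + b"\x00" * 4


if __name__ == "__main__":
    for msg in (build_sample(), build_sample(ver=0x20, flags=0x08, length=1000)):
        fields, problems = parse_isakmp_header(msg)
        print(fields["version"], fields["exchange_type"], problems or "ok")
```
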
