*BSD News Article 75269



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!metro!metro!asstdc.scgt.oz.au!nsw.news.telstra.net!act.news.telstra.net!psgrain!iafrica.com!pipex-sa.net!plug.news.pipex.net!pipex!hole.news.pipex.net!pipex!oleane!jussieu.fr!math.ohio-state.edu!cs.utexas.edu!uwm.edu!spool.mu.edu!usenet.eel.ufl.edu!news.ultranet.com!zombie.ncsc.mil!news.mathworks.com!newsfeed.internetmci.com!uuneo.neosoft.com!bonkers!not-for-mail
From: ISAKMP+Oakley Maintainer <isakmp-oakley@cisco.com>
Newsgroups: comp.unix.bsd.freebsd.announce
Subject: Free Internet Key Management software
Date: 1 Aug 1996 23:46:49 -0500
Organization: cisco Systems, Inc., Menlo Park, Ca.
Lines: 65
Sender: daemon@taronga.com
Approved: peter@taronga.com
Message-ID: <4ts17p$8hl@bonkers.taronga.com>
NNTP-Posting-Host: localhost.taronga.com
Summary: Free Internet Key Management Software
Keywords: cisco, NRL, PF_KEY, ISAKMP, Oakley, IETF, IPsec, security, BSD, TLS

  Cisco Systems is pleased to announce the release of the next version of
their ISAKMP+Oakley Internet key management daemon. This software distribution
is being made available free of charge for any commercial or non-commercial
use to advance ISAKMP and Oakley as a solution to Internet Key Management.

  The "Internet Security Association & Key Management Protocol (ISAKMP)" is a
leading proposal within the IETF to provide standard key management for
Internet protocols, including IP Security (IPsec) and also for other network
layers such as Transport-Layer Security (TLS).  ISAKMP provides a scalable,
flexible, and secure mechanism for establishing Security Associations among a
set of communicating network parties.  The "Oakley Session Key Exchange
(Oakley)" provides a hybrid Diffie-Hellman session key exchange for use within
the ISAKMP framework.  Oakley provides the important property of "Perfect
Forward Secrecy", among other attributes.  ISAKMP and Oakley are documented
online in the Internet Draft archives, for example at:

 ftp://ds.internic.net/internet-drafts/draft-ietf-ipsec-isakmp-05.txt
 ftp://ds.internic.net/internet-drafts/draft-ietf-ipsec-oakley-*.txt
 ftp://ds.internic.net/internet-drafts/draft-ietf-ipsec-isakmp-oakley-01.txt

  Major changes from the previous cisco ISAKMP+Oakley version include:
	* Compliance with draft-ietf-ipsec-isakmp-oakley-01.txt
	* HMAC-MD5 ("derived from the RSA Data Security, Inc. MD5 Message-
	  Digest Algorithm") and HMAC-SHA support.
	* Colin Plumb's BigNum multiprecision integer library.
	* truerand() random number generator by Don Mitchell and Matt Blaze.

  The software can be obtained by pointing your favorite web browser to
http://www.cisco.com/public/library/isakmp/isakmp.html and following the hot
links.  In the near future, the software will also be available from
http://web.mit.edu/network/isakmp/ This software is export controlled under US
laws and so is not available overseas.

  This key management daemon uses the PF_KEY Key Management API to register
with a kernel which has implemented this API and the surrounding key
management infrastructure. The NRL IPsec software distribution (currently
bundled with IPv6, but provides IPsec for IPv4 and IPsec for IPv6 as well) is
such an implementation.  There are reports that recent versions of FreeBSD
also support PF_KEY.  Security associations negotiated by the ISAKMP daemon
are inserted into the kernel's Key Engine and are available for use by its
IETF-standard AH/ESP security mechanisms. To facilitate use of this ISAKMP
daemon, the NRL IPsec+IPv6 distribution for BSD is also being made available
at the same URLs described above.

  This distribution comes with a cryptographic library from Cylink
Corporation.  Cylink has granted Cisco the right to offer this library--
source code to the Diffie-Hellman key exchange, the Digital Signature
Standard, and the Digital Encryption Standard-- to all third parties on a
royalty-free basis for use only with this ISAKMP reference implementation.

  Note: Both the BigNum package and the cryptographic library come with 
exercise routines to validate each package. If errors occur and the 
respective README is not helpful, please contact the mailing list below 
for help. If either the BigNum package or the cryptographic library is not 
in full working order, the ISAKMP daemon will not work properly.

----------------------------------------------------------------------
  A mailing list for problems, bug fixes, porting changes, and general
discussion of ISAKMP and Oakley has been established: 

Postings:	<isakmp-oakley@cisco.com>
Administrivia:  <majordomo@cisco.com>
----------------------------------------------------------------------