Cisco Systems ISAKMP Distribution

Cisco Systems, Inc. ISAKMP+Oakley distribution, version 0.5

This software distribution is a reference implementation of the IETF's ISAKMP protocol. This distribution is being made available free of charge for any commercial or non-commercial use to advance ISAKMP as a solution to Internet Key Management.

The implementation is based upon ISAKMP draft number 6 [MSST96] and the Resolution of ISAKMP with Oakley draft number 2 [HC96] which utilizes features from the OAKLEY Key Determination Protocol [Orm96].

Included with this distribution is a copy of a cryptographic library from Cylink Corporation. In order to promote ISAKMP, Cylink has granted Cisco the right to offer this library (source code to the Diffie-Hellman key exchange, the Digital Signature Standard, and the Digital Encryption Standard) to all third parties on a royalty-free basis for use only with this ISAKMP reference implementation. This cryptographic library is offered under the following license:

        "Cylink Corporation, through its wholly owned subsidiary Caro-Kann
Corporation, holds exclusive sublicensing rights to the following U.S.
patents owned by the Leland Stanford Junior University:
 
        Cryptographic Apparatus and Method
        ("Hellman-Diffie") .................................. No. 4,200,770
 
        Public Key Cryptographic Apparatus
        and Method ("Hellman-Merkle") .................. No. 4,218,582
 
        In order to promote the widespread use of these inventions from
Stanford University and adoption of the ISAKMP reference by the IETF
community, Cisco has acquired the right under its sublicense from Cylink to
offer the ISAKMP reference implementation to all third parties on a royalty
free basis.  This royalty free privilege is limited to use of the ISAKMP
reference implementation in accordance with proposed, pending or approved
IETF standards, and applies only when used with Diffie-Hellman key
exchange, the Digital Signature Standard, or any other public key
techniques which are publicly available for commercial use on a royalty
free basis.  Any use of the ISAKMP reference implementation which does not
satisfy these conditions and incorporates the practice of public key may
require a separate patent license to the Stanford Patents which must be
negotiated with Cylink's subsidiary, Caro-Kann Corporation."

	The Cylink library uses Colin Plumb's BigNum multiprecision integer
math library which is covered by the following copyright:

       "BigNum multiprecision integer math library.
	Copyright (c) 1995 Colin Plumb.  All rights reserved.

	Licensed from Philip Zimmermann by Cylink Corporation.

	For licensing information, please contact Philip Zimmermann
	(prz@acm.org, +1 303 541-0140).

	Warranties:
	The author does not guarantee that this software will do anything more
	than take up storage space, nor that if it does do something, it will
	be what you want it to do.  This software is provided "as is," with no
	warranty expressed or implied, including any warranty of merchantability
	or fitness for a particular purpose.  In no event will the author be
	responsible for indirect or consequential damages including, without
	limitation, loss of income, psychiatric care, or alimony.  Neither shall
	the author's liability exceed the amount paid for the software.  Since
	it is being distributed for free, don't expect very much."

  Also included in this distribution is the "Physically random numbers"
generator by Don Mitchell and Matt Blaze. It is covered by the following
copyright:

	"The authors of this software are Don Mitchell and Matt Blaze.
                    Copyright (c) 1995 by AT&T.
 	Permission to use, copy, and modify this software without fee
 	is hereby granted, provided that this entire notice is included in
 	all copies of any software which is or includes a copy or
 	modification of this software and in all copies of the supporting
 	documentation for such software.
	
 	This software may be subject to United States export controls.

 	THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED
 	WARRANTY.  IN PARTICULAR, NEITHER THE AUTHORS NOR AT&T MAKE ANY
 	REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY
 	OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE."

  This distribution also uses the "RSA Data Security, Inc. MD5 Message-Digest
Algorithm" and implements an HMAC form which is "derived from the RSA Data
Security, Inc. MD5 Message-Digest Algorithm". This algorithm is covered by 
the following copyright:

	  "Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
	   rights reserved.
   
	   License to copy and use this software is granted provided that it
	   is identified as the 'RSA Data Security, Inc. MD5 Message-Digest
	   Algorithm' in all material mentioning or referencing this software
	   or this function.
   
	   License is also granted to make and use derivative works provided
	   that such works are identified as "derived from the RSA Data
	   Security, Inc. MD5 Message-Digest Algorithm' in all material
	   mentioning or referencing the derived work.
 
	   RSA Data Security, Inc. makes no representations concerning either
	   the merchantability of this software or the suitability of this
	   software for any particular purpose. It is provided 'as is'
	   without express or implied warranty of any kind.
 
	   These notices must be retained in any copies of any part of this
	   documentation and/or software."

	This entire distribution is export controlled. It should not be
distributed outside the United States or Canada nor should it be given
to a non-citizen or non-permanent resident of the United States. All 
software in this package is provided under the following disclaimer:

    "DISCLAIMER OF LIABILITY
    
    THIS SOFTWARE IS PROVIDED BY CISCO SYSTEMS, INC. ("CISCO")  ``AS IS'' 
    AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 
    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
    PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL CISCO BE LIABLE FOR ANY DIRECT, 
    INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
    (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
    SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    SUCH DAMAGE."

and is subject to licensing terms in the included LICENSE file.

This daemon uses the PF_KEY Key Management API [MPA96] to register with a kernel which has implemented this API and the surrounding key management infrastructure. The NRL IPsec software distribution (currently bundled with IPv6) is such an implementation. Note that the NRL January 96 distribution must be patched with the patchfiles included in this release *before* use with this ISAKMP implementation.

The daemon fully functions with a BSD 4.4ish UNIX operating system to which the NRL code has been ported. Application requests for security generate key acquire requests to the ISAKMP daemon. Upon successful negotiation, a valid Security Association is inserted into the key engine, at which point packets from and/or to the application will be processed according to the attributes from the requested Security Association.

Code Overview

The ikmpd directory contains modules for each payload type. These contain "process" and "construct" routines which are invoked as the payload is parsed. The auth directory contains a suite of routines for the creation and manipulation of DSS public/private keys and pre-shared keys. A library also exists for the creation of new routines. The doc directory contains documentation on use of this distribution. It is recommended to read this documentation before attempting to compile or use this package.
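The parse-and-dispatch pattern described above, sketched as an added example (not code from this distribution): a bounds-checked walk over the payload chain that hands each payload to a "process" hook. The header layout and payload type values follow RFC 2408, the later published ISAKMP specification, which is an assumption relative to the draft this release implements; `walk_payloads`, `process_fn`, `record_type`, `MAX_PAYLOADS` and the sample message are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#define HDR_LEN 28       /* cookies 8+8, next payload, version, exchange, flags, msg ID 4, length 4 */
#define GEN_LEN 4        /* generic payload header: next payload, reserved, 16-bit length */
#define MAX_PAYLOADS 32  /* assumption: local cap on chain length */
/* Hypothetical "process" hook, called once per payload; returns 0 on success. */
typedef int (*process_fn)(uint8_t type, const uint8_t *body, size_t len, void *ctx);

/* Walk the payload chain; returns the payload count, or -1 if malformed. */
int walk_payloads(const uint8_t *msg, size_t msg_len, process_fn process, void *ctx)
{
    if (msg == NULL || msg_len < HDR_LEN) return -1;
    size_t total = ((size_t)msg[24] << 24) | (msg[25] << 16) | (msg[26] << 8) | msg[27];
    if (total < HDR_LEN || total > msg_len) return -1;  /* claimed length must fit the datagram */
    if (msg[19] & 0x01) return -1;                      /* E flag set: decrypt before parsing */
    uint8_t next = msg[16];
    size_t off = HDR_LEN;
    int count;
    for (count = 0; next != 0; count++) {               /* 0 means no further payload */
        if (count >= MAX_PAYLOADS || total - off < GEN_LEN) return -1;
        size_t plen = ((size_t)msg[off + 2] << 8) | msg[off + 3];
        if (plen < GEN_LEN || plen > total - off) return -1;  /* no zero-length loop, no overread */
        if (process && process(next, msg + off + GEN_LEN, plen - GEN_LEN, ctx) != 0) return -1;
        next = msg[off];
        off += plen;
    }
    return off == total ? count : -1;                   /* reject trailing bytes */
}

/* Constructed sample: header, then an SA payload (type 1) and a nonce payload (type 10). */
const uint8_t sample_msg[44] = {
    1,1,1,1,1,1,1,1, 0,0,0,0,0,0,0,0, 1, 0x10, 2, 0, 0,0,0,0, 0,0,0,44,
    10, 0, 0, 8, 0xAA, 0xAA, 0xAA, 0xAA,
    0,  0, 0, 8, 0xBB, 0xBB, 0xBB, 0xBB,
};

int record_type(uint8_t type, const uint8_t *body, size_t len, void *ctx)
{
    uint8_t *seen = ctx;      /* example hook: seen[0] is the count, types follow */
    (void)body; (void)len;
    seen[++seen[0]] = type;
    return 0;
}

int main(void)
{
    uint8_t seen[MAX_PAYLOADS + 1] = {0};
    return walk_payloads(sample_msg, sizeof sample_msg, record_type, seen) == 2 ? 0 : 1;
}
```

Every length field is checked against the bytes actually received before it is used as an offset, so a payload that claims a zero or oversized length is rejected rather than looped on or read past.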

If this release is used solely for non-commercial purposes, it can be compiled with RSAREF. Compiler flags in auth/Makefile and ikmpd/Makefile selectively compile the code for the RSA encryption and RSA signature authentication methods and for creating and managing RSA key rings.

Security

Cisco Systems' ISAKMP daemon is a reference implementation, and it should not be assumed to provide any level of security.

This distribution, coupled with the NRL distribution, provides end-to-end IP-layer security without the burden of manually pre-keyed Security Associations. It is, though, susceptible to well-known attacks:

We encourage cryptographic analysis of this protocol implementation to expose any design flaws which, in the absence of the above known problems, are serious security problems.

Miscellany

A mailing list for problems, bug fixes, porting changes, patches, complaints, compliments, announcements, and general discussion of ISAKMP and Oakley has been set up. It is isakmp-oakley@cisco.com (majordomo@cisco.com for admin requests). This distribution has been compiled under BSDI v2.1. We request that any changes necessary for porting to other platforms be forwarded to the mailing list.

References

[Bel96] Bellovin, S., "Problem Areas for the IP Security Protocols", Usenix UNIX Security Conference, July 1996.

[HC96] Harkins, D., Carrel, D., "The Resolution of ISAKMP with Oakley", version 1, work in progress.

[MSST96] Maughan, D., Schertler, M., Schneider, M., and Turner, J., "Internet Security Association and Key Management Protocol (ISAKMP)", version 5, work in progress.

[MPA96] McDonald, D., Phan, B., and Atkinson, R., "A Socket-Based Key Management API", Proceedings of INET'96 Conference, June 1996, Montreal, Canada.

[Orm96] Orman, H., "The Oakley Key Determination Protocol", version 1, work in progress.