U.S. DOD ISAKMP Software

ISAKMP Prototype Implementation, version 0.1

MIT is distributing ISAKMP on behalf of the Office of Information Security Research of the US Department of Defense and as a service to the Internet Community.

MIT is not the Author of this software and disclaims any liability relating to it.

This software is subject to U.S. Export Control regulations and is only available to U.S. Persons.


1. Introduction

This is the first release of a prototype of the IETF's ISAKMP protocol, and supporting software. This release is being made primarily for academic purposes - to show an example approach to taking advantage of the flexibility of the ISAKMP protocol in establishing secure communications channels.

The implementation as released does not implement the complete ISAKMP protocol. Currently the delete and modify functions are not available, and not all exchange types are supported. We are working to complete the implementation and to make numerous improvements. Another release, including better documentation, will be made available the second week of April.

This package is export-controlled, and should be treated as such. In particular, the software cannot be released to non-US citizens, nor distributed to a non-US site. In a future release, we will unbundle the cryptographic software, and the ISAKMP engine and policy server will not be restricted by export control.

Also, all of the software in this package is provided under the following disclaimer:

/*
 * This software was written by the Office of Information Security Computer
 * Science Research of the US Department of Defense.  
 *
 * DISCLAIMER OF LIABILITY:
 *
 * THIS SOFTWARE IS PROVIDED BY THE DEPARTMENT OF DEFENSE ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE DEPARTMENT OF DEFENSE BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

You may retrieve the software here.

The negotiation server provided in this release does not adhere to the one specified in the ISAKMP internet draft. It is an implementation of a more sophisticated Domain of Interpretation (DOI), including complex situations and proposals. The April release will include another negotiation server, implementing the DOI found in the ISAKMP appendix.

Finally, this software is a proof of concept, not a fully secure solution. In order to expedite the prototyping, certain liberties are taken, such as storing private keys in publicly accessible files. These shortcomings will obviously be addressed before a secure solution is deployed.

2. Documentation

There are several documents (and more coming) in the doc directory.

3. General overview

Here is a description of the top-level directories:

  - include		various include files common to all modules
  - isakmp		the isakmp protocol engine
  - neg_server		an instance of a DOI - the policy that drives isakmp, plus cryptographic support
  - libsadb		code to interface the negotiation server and an IPSEC sadb
  - cryptoki		an implementation of PKCS #11, used by our negotiation server
  - data		various policy files, key files, and certificates
  - crypt_support	legacy cryptographic support code; generally superseded by cryptoki, but I can't get rid of it just yet.

4. Compiling and Testing ISAKMP

To build the ISAKMP library and the sample negotiation server, see the INSTALL file. INSTALL also contains directions for running basic tests of the package.

5. Mailing Lists, Support, and Bug Fixes

There is a mailing list for questions, bug reports, patches, and general discussion of our ISAKMP prototype. It is isakmp-proto@epoch.ncsc.mil. To join the list, send mail to isakmp-proto-request@epoch.ncsc.mil.

We are very interested in both bug reports and suggestions for improving the package. We will try to respond as quickly as possible to all input (we will respond faster to patches :-).