Kerberized Internet Negotiation of Keys

Kerberized Internet Negotiation of Keys (KINK) is a protocol defined in RFC 4430 used to set up an IPsec security association (SA), similar to Internet Key Exchange (IKE), utilizing the Kerberos protocol to allow trusted third parties to handle authentication of peers and management of security policies in a centralized fashion.

Its motivation is given in RFC 3129 as an alternative to IKE, in which peers must each use X.509 certificates for authentication, use Diffie–Hellman key exchange (DH) for encryption, and know and implement a security policy for every peer with which they will connect, with authentication of the X.509 certificates either pre-arranged or using DNS, preferably with DNSSEC. Utilizing Kerberos, KINK peers must only mutually authenticate with the appropriate Authentication Server (AS), with a key distribution center (KDC) in turn controlling distribution of keying material for encryption and therefore controlling the IPsec security policy.

Protocol description

KINK is a command/response protocol that can create, delete, and maintain IPsec SAs. Each command or response contains a common header along with a set of type-length-value payloads. The type of a command or a response constrains the payloads sent in the messages of the exchange.

KINK itself is a stateless protocol in that each command or response does not require storage of hard state for KINK. This is in contrast to IKE, which uses Main Mode to first establish an Internet Security Association and Key Management Protocol (ISAKMP) SA followed by subsequent Quick Mode exchanges.

KINK uses Kerberos mechanisms to provide mutual authentication and replay protection. For establishing SAs, KINK provides confidentiality for the payloads that follow the Kerberos AP-REQ payload. The design of KINK mitigates denial of service attacks by requiring authenticated exchanges before the use of any public key operations and the installation of any state. KINK also provides a means of using Kerberos User-to-User mechanisms when there is not a key shared between the server and the KDC. This is typically, but not limited to, the case with IPsec peers using PKINIT for initial authentication.

KINK directly reuses Quick Mode payloads defined in section 5.5 of IKE, with some minor changes and omissions. In most cases, KINK exchanges are a single command and its response. An optional third message is required when creating SAs, only if the responder rejects the first proposal from the initiator or wants to contribute the keying materials. KINK also provides rekeying and Dead Peer Detection.

Packet format

The KINK message includes the following fields:

KINK message

Bit offset   0–7                              8–15                16–31
0            type                             version             length
32           domain of interpretation (DOI)
64           transaction ID (XID)
96           next payload                     A (bit 8), reserved checksum length
128          payloads ...
...          checksum ...

type: CREATE, DELETE, REPLY, GETTGT, ACK, STATUS, or private use
version: the major protocol version number
length: length of the entire message
domain of interpretation (DOI): a DOI as defined in the Internet Security Association and Key Management Protocol (ISAKMP)
transaction ID (XID): identifies the transaction, defined as a command, a reply, and an optional acknowledgement
next payload: type of the first payload after the message header, one of KINK_DONE, KINK_AP_REQ, KINK_AP_REP, KINK_KRB_ERROR, KINK_TGT_REQ, KINK_TGT_REP, KINK_ISAKMP, KINK_ENCRYPT, or KINK_ERROR
ACK or ACKREQ bit (A): 1 if the responder requires an explicit acknowledgement that a REPLY was received, otherwise 0
checksum length: length in bytes of the cryptographic checksum of the message
payloads: a list of Type/Length/Value (TLV) payloads
checksum: Kerberos keyed checksum over the entire message excluding the checksum field itself

Payloads

KINK payloads are defined as:

KINK payload

Bit offset   0–7              8–15        16–31
0            next payload     reserved    payload length
32           value ...

next payload: type of the payload that follows this one (KINK_DONE when there is none)
length: length of the payload

The following payloads are defined:

KINK_AP_REQ: a payload that relays a Kerberos AP-REQ to the responder
KINK_AP_REP: a payload that relays a Kerberos AP-REP to the initiator
KINK_KRB_ERROR: a payload that relays Kerberos type errors back to the initiator
KINK_TGT_REQ: a payload that provides a means to get a TGT from the peer in order to obtain a User-to-User service ticket from the KDC
KINK_TGT_REP: a payload that contains the TGT requested in a previous KINK_TGT_REQ payload of a GETTGT command
KINK_ISAKMP: a payload that encapsulates the ISAKMP IKE Quick Mode (phase 2) payloads, to allow backward compatibility with IKE and ISAKMP if there are subsequent revisions
KINK_ENCRYPT: a payload that encapsulates other KINK payloads and is encrypted using the session key and the algorithm specified by its etype
KINK_ERROR: a payload that returns an error condition
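The header layout and the TLV payload chain described above, as an added example that is not code from the page, from RFC 4430 or from Racoon2: a Python parser that validates every length field against the octets actually received before walking the payload chain, then checks the trailing checksum over everything that precedes it. The numeric code points for message and payload types, and the reading of the version as the high nibble of the second octet (MjVer), follow RFC 4430; the page itself lists only the names. The session key and sample message are constructed here, and HMAC-SHA256 is a stand-in for the Kerberos keyed checksum, whose algorithm in a real exchange depends on the ticket's etype.

```python
"""KINK header and TLV payload parser with length and checksum checks.

Added example, not code from RFC 4430, Racoon2 or any other KINK
implementation. Code points follow RFC 4430; the sample key and message are
constructed; HMAC-SHA256 stands in for the Kerberos keyed checksum.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

HEADER_LEN = 16  # type/version/length, DOI, XID, next payload/A/checksum length

# Message types (RFC 4430); 128-255 are private use, other values reserved.
TYPES = {1: "CREATE", 2: "DELETE", 3: "REPLY", 4: "GETTGT", 5: "ACK", 6: "STATUS"}
# Payload types (RFC 4430); KINK_DONE (0) as "next payload" ends the chain.
PAYLOADS = {0: "KINK_DONE", 1: "KINK_AP_REQ", 2: "KINK_AP_REP",
            3: "KINK_KRB_ERROR", 4: "KINK_TGT_REQ", 5: "KINK_TGT_REP",
            6: "KINK_ISAKMP", 7: "KINK_ENCRYPT", 8: "KINK_ERROR"}


class KinkFormatError(ValueError):
    """Raised for any message whose length fields do not add up."""


@dataclass
class KinkMessage:
    type: str
    version: int
    doi: int
    xid: int
    ack_requested: bool
    payloads: list      # [(payload type name, value bytes), ...]
    checksum: bytes     # trailing checksum octets
    covered: bytes      # everything the checksum is computed over


def _name(table: dict, code: int) -> str:
    return table.get(code, "PRIVATE_USE" if code >= 128 else "RESERVED")


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    # Stand-in for the Kerberos keyed checksum (etype-specific in real KINK).
    return hmac.new(key, data, hashlib.sha256).digest()


def parse_kink(buf: bytes) -> KinkMessage:
    """Parse one KINK message, refusing anything with inconsistent lengths."""
    if len(buf) < HEADER_LEN:
        raise KinkFormatError("message shorter than the 16-octet header")
    (mtype, ver_byte, length, doi, xid,
     nxt, flags, cksum_len) = struct.unpack("!BBHIIBBH", buf[:HEADER_LEN])
    if length != len(buf):                   # length covers the whole message
        raise KinkFormatError(f"length field {length} != {len(buf)} octets received")
    body_end = length - cksum_len            # checksum is the final cksum_len octets
    if body_end < HEADER_LEN:
        raise KinkFormatError("checksum length exceeds the message body")
    payloads, off = [], HEADER_LEN
    while nxt != 0:                          # 0 = KINK_DONE: no further payload
        if off + 4 > body_end:
            raise KinkFormatError("payload header runs past the body")
        next_type, _reserved, plen = struct.unpack("!BBH", buf[off:off + 4])
        if plen < 4 or off + plen > body_end:  # plen < 4 would loop forever
            raise KinkFormatError(f"payload length {plen} at offset {off} out of bounds")
        payloads.append((_name(PAYLOADS, nxt), buf[off + 4:off + plen]))
        off, nxt = off + plen, next_type
    if off != body_end:
        raise KinkFormatError("stray octets between the last payload and the checksum")
    # MjVer is the high nibble of octet 1 (RFC 4430); A is the top bit of the flags octet.
    return KinkMessage(_name(TYPES, mtype), ver_byte >> 4, doi, xid,
                       bool(flags & 0x80), payloads, buf[body_end:], buf[:body_end])


def verify_checksum(msg: KinkMessage, key: bytes) -> bool:
    """True when the trailing checksum matches the covered octets under key."""
    return hmac.compare_digest(keyed_checksum(key, msg.covered), msg.checksum)


def build_kink(mtype: int, doi: int, xid: int, payloads, key: bytes,
               ack: bool = False, version: int = 1) -> bytes:
    """Assemble a well-formed message so the parser can be exercised."""
    body = b""
    for i, (_ptype, value) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(value)) + value
    first = payloads[0][0] if payloads else 0
    cksum_len = hashlib.sha256().digest_size
    length = HEADER_LEN + len(body) + cksum_len
    header = struct.pack("!BBHIIBBH", mtype, version << 4, length, doi, xid,
                         first, 0x80 if ack else 0, cksum_len)
    return header + body + keyed_checksum(key, header + body)


# Constructed sample: a CREATE carrying an AP-REQ and an ISAKMP Quick Mode blob.
SAMPLE_KEY = b"constructed-session-key"
SAMPLE_MSG = build_kink(1, 1, 0x12345678,
                        [(1, b"AP-REQ-sample-1!"), (6, b"QM-proposal!")],
                        SAMPLE_KEY, ack=True)

if __name__ == "__main__":
    m = parse_kink(SAMPLE_MSG)
    print(m.type, m.version, [n for n, _ in m.payloads], verify_checksum(m, SAMPLE_KEY))
```

The bounds checks come first because the length fields arrive unauthenticated: the checksum can only be verified after the parser has located it, so a bogus message length, a payload length pointing past the buffer, or a payload length below four octets must each be rejected before they can drive an out-of-range read or an endless loop.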
Implementations

The following open source implementations of KINK are currently available:

Racoon2 from the WIDE Project (archived 2008-10-15 at the Wayback Machine).

See also

Internet Key Exchange

References

"RFC 3129: Requirements for Kerberized Internet Negotiation of Keys", Internet Engineering Task Force, June 2001, p. 2
"RFC 3129: Requirements for Kerberized Internet Negotiation of Keys", Internet Engineering Task Force, June 2001, p. 1
"RFC 4322: Opportunistic Encryption using the Internet Key Exchange (IKE)", Internet Engineering Task Force, June 2001, p. 5