ESP Encapsulating Security Payload

HMAC-SHA and HMAC-MD5 HMAC is a symmetric (shared-key) message authentication code; either of these two hash functions can serve as its underlying hash.

2.3.4 Internet Key Exchange, ISAKMP/Oakley

In the parlance of the IETF's IPSec working documents, a Security Association (SA) is the agreed set of parameters (algorithms, keys and lifetimes) that protects traffic flowing in one direction between two parties across a possibly hostile network. ESP and AH alone do not complete the picture for an IPSec system. For secure communication, both parties must be able to negotiate keys for use while the communication is happening, and both need to agree on which encryption and authentication algorithms to use. The Internet Key Exchange (IKE) protocol, formerly known as ISAKMP/Oakley, authenticates the peers, negotiates the security policies each can support, and controls the exchange of keys.

Key generation and key rotation matter because the longer a key lives, the more data it protects and the more ciphertext an eavesdropper can collect under it for analysis. Changing keys often means that a network snoop who does manage to crack one key sees only a small slice of the traffic. Keys generated on the fly must bear no computable relationship to one another, and must not be derived from environmental values that could easily be guessed (time of day, server load, etc.). When every rekey is based on a fresh Diffie-Hellman exchange, compromise of one session's secret, or of a long-term authentication key, does not expose earlier or later session keys; this property is what is meant by perfect forward secrecy, and frequent rotation by itself does not provide it. IKE uses the Diffie-Hellman key exchange for this purpose, and it has proven adequate in its protection.
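The following is an added example, not code from the original paper or from any IKE implementation. It runs an IKE-style Diffie-Hellman exchange over the 1024-bit Oakley group 2 published in RFC 2409 and derives SKEYID the way IKE does for signature authentication (prf(Ni_b | Nr_b, g^xy), with HMAC-SHA1 as the prf). It then contrasts two rekeying strategies to make the forward-secrecy point concrete: mixing new nonces into one long-lived g^xy (a later leak of that secret lets a snoop who recorded the nonces recompute every key) versus a fresh exchange per rekey (the leaked secret is good for exactly one key). The last two functions show the "time of day as randomness" anti-pattern the text warns about; the clock value and the 300-second search window are constructed for the demonstration.

```python
"""Added example (not from the original paper): an IKE-style Diffie-Hellman
exchange over Oakley group 2, used to show why exponents must come from a
CSPRNG and what perfect forward secrecy does and does not mean."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime and generator of Oakley group 2 (RFC 2409, section 6.2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_keypair():
    """Private exponent from the OS CSPRNG and the public value g^x mod p."""
    x = 2 + secrets.randbelow(P - 3)          # uniform in [2, P-2]
    return x, pow(G, x, P)


def dh_shared(their_public, my_private):
    """g^xy mod p; reject 0, 1 and p-1, which would force a trivial secret."""
    if not 1 < their_public < P - 1:
        raise ValueError("degenerate Diffie-Hellman public value")
    return pow(their_public, my_private, P)


def skeyid(ni, nr, gxy):
    """SKEYID = prf(Ni_b | Nr_b, g^xy), as IKE derives it for signature
    authentication (RFC 2409, section 5), using HMAC-SHA1 as the prf."""
    gxy_bytes = gxy.to_bytes((gxy.bit_length() + 7) // 8, "big")
    return hmac.new(ni + nr, gxy_bytes, hashlib.sha1).digest()


def exchange():
    """One complete exchange: each peer combines its own private exponent
    with the other's public value and the two nonces; both get the same key."""
    xi, gxi = dh_keypair()                   # initiator
    xr, gxr = dh_keypair()                   # responder
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    key_i = skeyid(ni, nr, dh_shared(gxr, xi))
    key_r = skeyid(ni, nr, dh_shared(gxi, xr))
    return key_i, key_r


def rekey_without_fresh_dh(rounds):
    """Rekey by mixing new nonces into ONE long-lived g^xy (no PFS).
    Returns the peers' keys and what a snoop who recorded the public nonces
    recomputes once that single g^xy is compromised."""
    xi, _ = dh_keypair()
    _, gxr = dh_keypair()
    gxy = dh_shared(gxr, xi)
    transcript, keys = [], []
    for _ in range(rounds):
        ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
        transcript.append((ni, nr))          # nonces travel in the clear
        keys.append(skeyid(ni, nr, gxy))
    recovered = [skeyid(ni, nr, gxy) for ni, nr in transcript]
    return keys, recovered


def rekey_with_fresh_dh(rounds):
    """Rekey with a fresh exchange every time (PFS). Returns the keys and how
    many LATER keys a snoop recovers from the first round's leaked g^xy."""
    transcript, keys, leaked_gxy = [], [], None
    for _ in range(rounds):
        xi, _ = dh_keypair()
        _, gxr = dh_keypair()
        ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
        gxy = dh_shared(gxr, xi)
        if leaked_gxy is None:
            leaked_gxy = gxy                 # assume round 1's secret leaks
        transcript.append((ni, nr))
        keys.append(skeyid(ni, nr, gxy))
    guesses = [skeyid(ni, nr, leaked_gxy) for ni, nr in transcript]
    return keys, sum(g == k for g, k in zip(guesses[1:], keys[1:]))


def weak_public_from_clock(clock_seconds):
    """The anti-pattern the text warns about: the exponent is the time of day."""
    return pow(G, clock_seconds, P)


def snoop_recovers_clock_exponent(public, approx_clock, window):
    """A snoop who knows the clock to within `window` seconds simply tries them."""
    for t in range(approx_clock - window, approx_clock + window + 1):
        if pow(G, t, P) == public:
            return t
    return None
```

Note that the no-PFS variant is not a strawman: any scheme that derives child keys from a single long-lived shared secret and public nonces has this shape, which is why IKE's quick mode offers an optional fresh Diffie-Hellman exchange per rekey.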

2.3.5 ISO X.509 v.3 Digital Certificates

Although not a security protocol in the same fashion as ESP and AH, the X.509 system is important because it provides an authentication mechanism with a scope much larger than a list of shared secrets: a certificate binds a public key to an identity under the signature of an issuer both peers trust. Because X.509 certificates are already used with other Public Key Infrastructure (PKI) devices and software, IPSec vendors have chosen to incorporate them into their equipment to authenticate IKE peers. Certificate management by a trusted third party will play a big role in the future of the IPSec suite, and vendors are already working to have their products communicate with public Certificate Authorities (CAs) for authentication.

2.3.6 LDAP Lightweight Directory Access Protocol

Closely related to the X.509 system is the Lightweight Directory Access Protocol, or LDAP. LDAP is a simpler, and logically easier to implement, protocol for accessing X.500-style directories, and it is supported on various VPN solutions to provide authentication and certificate management (a directory is a natural place to publish certificates and revocation lists). Hardware products like the Bay Networks Extranet Switch use LDAP, as do some popular software solutions, such as Windows NT and Novell. It is becoming more common to use trusted third-party authentication systems such as LDAP and the X.500 directory system for remote access to a corporate network or a VPN.

2.3.7 RADIUS

Where LDAP and the X.500 systems provide authentication and certificate management to users anywhere in the world, RADIUS is an authentication system used more for intra-organization lookups. The RADIUS system was developed as an open standard by Livingston Enterprises, and is not currently sanctioned by the IETF, but is under consideration. Recently, Merit updated the RADIUS system to enhance its client/server capabilities and its vendor