Kerberized Internet Negotiation of Keys

Kerberized Internet Negotiation of Keys (KINK) is a protocol defined in RFC 4430 used to set up an IPsec security association (SA), similar to Internet Key Exchange (IKE), utilizing the Kerberos protocol to allow trusted third parties to handle authentication of peers and management of security policies in a centralized fashion.[1]

Its motivation is given in RFC 3129 as an alternative to IKE, in which each peer must use X.509 certificates for authentication, use Diffie–Hellman key exchange (DH) for encryption, and know and implement a security policy for every peer with which it will connect,[2] with authentication of the X.509 certificates either pre-arranged or using DNS, preferably with DNSSEC.[3] Utilizing Kerberos, KINK peers need only mutually authenticate with the appropriate Authentication Server (AS); a key distribution center (KDC) in turn controls distribution of keying material for encryption and therefore controls the IPsec security policy.
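The trust arrangement described above, as an added illustrative model (not code from the article, RFC 4430, or any KINK implementation): each peer holds only a long-term key shared with the KDC, the KDC enforces a central policy before issuing a session key, and both peers derive the same IPsec SA key from that session key. The principal names, policy table, ticket layout and the SHA-256-keystream "encryption" are constructed stand-ins, not Kerberos' real encryption types or KINK's message format.

```python
import hmac, hashlib, os, json

# Constructed toy model of the trust arrangement above: every peer shares one
# long-term key with the KDC; the KDC checks a central policy and hands out the
# session key from which both peers derive the IPsec SA key. The "encryption"
# (SHA-256 keystream + HMAC) is a stand-in, not a Kerberos encryption type.

def _keystream(key, label, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    def __init__(self, keys, policy):
        self.keys, self.policy = keys, policy  # principal -> key, (initiator, responder) -> bool

    def issue(self, client, server):
        # The KDC, not the peers, decides whether this SA may exist at all.
        if not self.policy.get((client, server)):
            raise PermissionError(f"KDC policy denies {client} -> {server}")
        sk = os.urandom(32)
        ticket = seal(self.keys[server], json.dumps({"client": client, "sk": sk.hex()}).encode())
        return seal(self.keys[client], sk), ticket  # (for initiator, for responder)

def sa_key(session_key, spi):
    # Both sides derive the same SA key from the session key and the SPI.
    return hmac.new(session_key, b"esp" + spi.to_bytes(4, "big"), hashlib.sha256).digest()

def negotiate(kdc, client, server, client_key, server_key, spi=0x1001):
    enc_sk, ticket = kdc.issue(client, server)
    sk_initiator = open_(client_key, enc_sk)  # initiator recovers the session key
    t = json.loads(open_(server_key, ticket))  # responder opens the ticket
    if t["client"] != client:
        raise ValueError("ticket was issued for a different initiator")
    return sa_key(sk_initiator, spi), sa_key(bytes.fromhex(t["sk"]), spi)
```

Note that neither peer ever needs the other's certificate or a per-peer policy entry; refusing or revoking a pairing is a single change in the KDC's policy table.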

  1. RFC 3129: Requirements for Kerberized Internet Negotiation of Keys, Internet Engineering Task Force, June 2001, p. 2
  2. RFC 3129: Requirements for Kerberized Internet Negotiation of Keys, Internet Engineering Task Force, June 2001, p. 1
  3. RFC 4322: Opportunistic Encryption using the Internet Key Exchange (IKE), Internet Engineering Task Force, June 2001, p. 5