Can IPsec turn KEYMAT into encryption and authentication keys?
IPsec is a framework protocol that consists of the sub-protocols ESP and AH. IPsec, innately, doesn't include a Key Exchange mechanism, and is therefore dependent on manually setting Keys (archaic), or using IKEv1 or IKEv2 to securely establish mutual keys between two parties.
From reading the IKE and IKEv2 RFCs, I know that both of them at some point generate KEYMAT, which is meant to be passed to IPsec so that IPsec can generate its own symmetric keys.
IKEv1 generates KEYMAT using this formula:
PFS Disabled:
KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
PFS Enabled:
KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
IKEv2 generates KEYMAT using this formula:
For the first Child SA:
KEYMAT = prf+(SK_d, Ni | Nr)
For all subsequent Child SAs:
KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)
In both cases, KEYMAT is passed to IPsec to (presumably) create its own symmetric Encryption and Authentication keys. But I haven't been able to find anywhere the formulas IPsec uses to take the KEYMAT and/or derivative keys (SKEYID_d or SK_d) and create its own keys.
So my question is, What does IPsec do with KEYMAT in order to generate its own symmetric keys? And also related, What keys does IPsec generate after being given KEYMAT?
The IPsec stack does not create its own keys, or request any keys for that matter. Instead, the IKE daemon generates as much key material as required for the negotiated encryption and authentication algorithms using the PRF+. How key material is taken from the expanded KEYMAT is described in detail in RFC 7296 (IKEv2), section 2.17. The resulting keys are then passed with the rest of the information about an IPsec SA to the stack. With the standardised PF_KEY interface, for instance, this is done with two Key extensions if encryption and authentication are used.