Different parties can be authenticated during each of the negotiation phases. During the first phase, the authenticated parties are the ISAKMP servers/hosts, while during the second phase the users or application-level programs can be the authenticated entities.
If you look at the ISAKMP RFC (RFC 2408), section 2.3 (Negotiation Phases) explains the advantages of this two-phase design:
While the two-phased approach has a higher start-up cost for most simple scenarios, there are several reasons that it is beneficial for most cases.

First, entities (e.g. ISAKMP servers) can amortize the cost of the first phase across several second phase negotiations. This allows multiple SAs to be established between peers over time without having to start over for each communication.

Second, security services negotiated during the first phase provide security properties for the second phase. For example, after the first phase of negotiation, the encryption provided by the ISAKMP SA can provide identity protection, potentially allowing the use of simpler second-phase exchanges. On the other hand, if the channel established during the first phase is not adequate to protect identities, then the second phase must negotiate adequate security mechanisms.

Third, having an ISAKMP SA in place considerably reduces the cost of ISAKMP management activity - without the "trusted path" that an ISAKMP SA gives you, the entities (e.g. ISAKMP servers) would have to go through a complete re-authentication for each error notification or deletion of an SA.
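The two phases, and the "trusted path" the RFC's third point refers to, are visible on the wire from the fixed ISAKMP header alone. The following Python script is an added example (not code from the page or from the RFC): it parses the 28-byte header laid out in RFC 2408 section 3.1, uses the Message ID rule (0 during phase 1, a random non-zero value chosen by the phase 2 initiator) to tell the phases apart, and reads the Encryption flag to decide whether a message travels inside the ISAKMP SA. Exchange types 32 and 33 are the Quick Mode and New Group Mode values that IKE (RFC 2409) adds to the base ISAKMP set. The sample datagrams are constructed with the script's own `build` helper and are not captured traffic; the `classify`, `build` and `is_well_formed` names are this example's own.

```python
"""Classify ISAKMP (IKEv1) datagrams by negotiation phase from the fixed header.

Added example, not the page's or the RFC's code. Header layout: RFC 2408 3.1;
exchange types 32/33: RFC 2409. Sample datagrams below are constructed.
"""
import struct
from dataclasses import dataclass, field

# 28-byte fixed header, network byte order:
# initiator cookie (8) | responder cookie (8) | next payload (1) | version (1)
# | exchange type (1) | flags (1) | message ID (4) | length (4)
HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode",
}
PHASE1_EXCHANGES = {1, 2, 3, 4}   # establish the ISAKMP SA between the two hosts
PHASE2_EXCHANGES = {32, 33}       # run only under an existing ISAKMP SA
INFORMATIONAL = 5                 # notifications and SA deletions

FLAG_ENCRYPTION = 0x01  # bit 0: payloads after the header are encrypted under the ISAKMP SA
FLAG_COMMIT = 0x02
FLAG_AUTH_ONLY = 0x04


@dataclass
class Header:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    version: tuple
    exchange_type: int
    flags: int
    message_id: int
    length: int


@dataclass
class Verdict:
    exchange: str
    phase: int          # 1 or 2, derived from the Message ID rule
    protected: bool     # carried inside the ISAKMP SA (Encryption flag set)
    anomalies: list = field(default_factory=list)


def parse_header(datagram: bytes) -> Header:
    """Unpack the fixed header and sanity-check the length field."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    ic, rc, np_, ver, ex, flags, msgid, length = HEADER.unpack_from(datagram)
    if length < HEADER.size or length > len(datagram):
        raise ValueError(f"length field {length} inconsistent with {len(datagram)}-byte datagram")
    return Header(ic, rc, np_, (ver >> 4, ver & 0x0F), ex, flags, msgid, length)


def is_well_formed(datagram: bytes) -> bool:
    try:
        parse_header(datagram)
        return True
    except ValueError:
        return False


def classify(datagram: bytes) -> Verdict:
    h = parse_header(datagram)
    # RFC 2408 3.1: Message ID MUST be 0 during phase 1; the initiator of a
    # phase 2 negotiation picks a random non-zero value.
    phase = 1 if h.message_id == 0 else 2
    protected = bool(h.flags & FLAG_ENCRYPTION)
    v = Verdict(EXCHANGE_TYPES.get(h.exchange_type, f"Unknown({h.exchange_type})"), phase, protected)

    if h.exchange_type in PHASE1_EXCHANGES and h.message_id != 0:
        v.anomalies.append("phase 1 exchange type with non-zero Message ID")
    if h.exchange_type in PHASE2_EXCHANGES and not protected:
        # Quick Mode and New Group Mode are always encrypted under the ISAKMP SA (RFC 2409 5.5, 5.6).
        v.anomalies.append("phase 2 exchange sent outside the ISAKMP SA")
    if h.exchange_type == INFORMATIONAL and not protected:
        # Before the ISAKMP SA exists, a notify/delete goes in the clear with no hash
        # to authenticate it (RFC 2409 5.7): the "trusted path" is absent.
        v.anomalies.append("unauthenticated Informational exchange (no ISAKMP SA)")
    return v


def build(exchange_type: int, message_id: int, flags: int = 0,
          responder_cookie: bytes = bytes(8), payload: bytes = b"") -> bytes:
    """Constructed test datagram (example helper): fixed header plus an opaque payload blob."""
    hdr = HEADER.pack(b"\x11" * 8, responder_cookie, 1, 0x10, exchange_type, flags,
                      message_id, HEADER.size + len(payload))
    return hdr + payload


# Constructed samples, not captured traffic.
MAIN_MODE_MSG1 = build(2, 0, payload=b"\x00" * 40)                         # phase 1, first message, in the clear
MAIN_MODE_MSG5 = build(2, 0, FLAG_ENCRYPTION, b"\x22" * 8, b"\x00" * 64)  # phase 1, identities already encrypted
QUICK_MODE_MSG = build(32, 0x1A2B3C4D, FLAG_ENCRYPTION, b"\x22" * 8, b"\x00" * 80)
CLEAR_DELETE = build(5, 0, 0, b"\x22" * 8, b"\x00" * 16)                   # delete/notify with no ISAKMP SA
PROTECTED_DELETE = build(5, 0x5E6F7081, FLAG_ENCRYPTION, b"\x22" * 8, b"\x00" * 32)

if __name__ == "__main__":
    for name, dg in [("main mode msg 1", MAIN_MODE_MSG1), ("main mode msg 5", MAIN_MODE_MSG5),
                     ("quick mode", QUICK_MODE_MSG), ("clear delete", CLEAR_DELETE),
                     ("protected delete", PROTECTED_DELETE)]:
        print(f"{name:17s} -> {classify(dg)}")
```

The last two samples illustrate the RFC's third point from the receiver's side: a Delete or Notify that arrives with the Encryption flag clear was not sent through an ISAKMP SA, so the peer has no authenticated basis for acting on it, whereas the same management message inside the SA needs no fresh authentication. The script also rejects datagrams whose Length field disagrees with the bytes actually received, a check worth keeping in front of any further payload parsing.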