Kerberized Internet Negotiation of Keys

Kerberized Internet Negotiation of Keys (KINK) is a protocol defined in RFC 4430 used to set up an IPsec security association (SA), similar to Internet Key Exchange (IKE), utilizing the Kerberos protocol to allow trusted third parties to handle authentication of peers and management of security policies in a centralized fashion.

The design of KINK mitigates denial of service attacks by requiring authenticated exchanges before the use of any public key operations and the installation of any state.

KINK also provides a means of using Kerberos User-to-User mechanisms when there is not a key shared between the server and the KDC.

KINK directly reuses the Quick Mode payloads defined in section 5.5 of the IKE specification (RFC 2409), with some minor changes and omissions.

Creating an SA normally takes two messages; a third message (an ACK from the initiator) is needed only if the responder rejects the initiator's first proposal or wants to contribute to the keying material.
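The two properties described above, that no SA state is installed until a message has been authenticated and that the CREATE exchange takes either two or three messages depending on the responder's choice, are illustrated by the following toy model. It is an added example, not code from RFC 4430 or any KINK implementation, and it does not use the KINK wire format: it assumes both peers already hold a Kerberos session key for each other (the AP-REQ/AP-REP ticket exchange is not modelled), stands in an HMAC-SHA256 for the Kerberos checksum, and uses a simplified keying derivation over the session key, the nonces and the chosen proposal. The `Peer`, `create_exchange` and `demo` names, the proposal labels and the message kinds are constructed for this example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

MAC_LEN = 32
NONCE_LEN = 16
NO_NONCE = b"\x00" * NONCE_LEN  # "responder contributed no nonce"


def mac(key, body):
    # Stand-in for the Kerberos checksum that authenticates each KINK message.
    return hmac.new(key, body, hashlib.sha256).digest()


def derive_keymat(key, ni, nr, proposal):
    # Simplified derivation (not the real one): the SA key depends on the shared
    # Kerberos session key, the initiator nonce and any responder nonce.
    return hmac.new(key, b"KEYMAT" + ni + nr + proposal, hashlib.sha256).digest()


def parse(body):
    return body[0:1], body[1:1 + NONCE_LEN], body[1 + NONCE_LEN:]


@dataclass
class Peer:
    name: str
    session_key: bytes            # Kerberos session key, assumed already obtained
    allowed: tuple = ()           # proposals the responder's local policy accepts
    contribute: bool = False      # responder wants to add its own nonce
    sas: dict = field(default_factory=dict)      # installed SAs: proposal -> keymat
    pending: dict = field(default_factory=dict)  # awaiting ACK before install

    def seal(self, body):
        return body + mac(self.session_key, body)

    def open(self, msg):
        body, tag = msg[:-MAC_LEN], msg[-MAC_LEN:]
        if not hmac.compare_digest(tag, mac(self.session_key, body)):
            return None  # unauthenticated: dropped before any state is allocated
        return body

    # --- responder side ---
    def on_create(self, msg):
        body = self.open(msg)
        if body is None:
            return None
        _, ni, proposal = parse(body)
        if proposal in self.allowed and not self.contribute:
            # Accept as offered: install now, exchange finishes in two messages.
            self.sas[proposal] = derive_keymat(self.session_key, ni, NO_NONCE, proposal)
            return self.seal(b"R" + NO_NONCE + proposal)
        # Counter-proposal and/or own nonce: defer install until the ACK arrives.
        chosen = proposal if proposal in self.allowed else self.allowed[0]
        nr = secrets.token_bytes(NONCE_LEN) if self.contribute else NO_NONCE
        self.pending[chosen] = derive_keymat(self.session_key, ni, nr, chosen)
        return self.seal(b"R" + nr + chosen)

    def on_ack(self, msg):
        body = self.open(msg)
        if body is None:
            return
        _, _, chosen = parse(body)
        if chosen in self.pending:
            self.sas[chosen] = self.pending.pop(chosen)

    # --- initiator side ---
    def on_reply(self, msg, ni, proposed):
        body = self.open(msg)
        if body is None:
            return None
        _, nr, chosen = parse(body)
        self.sas[chosen] = derive_keymat(self.session_key, ni, nr, chosen)
        if chosen == proposed and nr == NO_NONCE:
            return None  # responder already installed; no third message needed
        return self.seal(b"A" + nr + chosen)


def create_exchange(initiator, responder, proposal):
    """Run CREATE/REPLY[/ACK]; return (message count, both sides share an SA key)."""
    ni = secrets.token_bytes(NONCE_LEN)
    reply = responder.on_create(initiator.seal(b"C" + ni + proposal))
    if reply is None:
        return 1, False
    ack = initiator.on_reply(reply, ni, proposal)
    count = 2
    if ack is not None:
        responder.on_ack(ack)
        count = 3
    shared = [p for p in initiator.sas if responder.sas.get(p) == initiator.sas[p]]
    return count, bool(shared)


def demo():
    key = secrets.token_bytes(32)  # constructed stand-in for the Kerberos session key
    gcm, cbc = b"ESP-AES-GCM", b"ESP-AES-CBC-SHA1"  # constructed proposal labels
    results = {}
    r = Peer("responder", key, allowed=(gcm,))
    results["accepted"] = create_exchange(Peer("initiator", key), r, gcm)
    r = Peer("responder", key, allowed=(gcm,))
    results["counter-proposal"] = create_exchange(Peer("initiator", key), r, cbc)
    r = Peer("responder", key, allowed=(gcm,), contribute=True)
    results["responder-nonce"] = create_exchange(Peer("initiator", key), r, gcm)
    r = Peer("responder", key, allowed=(gcm,))
    results["unauthenticated"] = create_exchange(Peer("other", secrets.token_bytes(32)), r, gcm)
    results["state-after-unauthenticated"] = len(r.sas) + len(r.pending)
    return results


if __name__ == "__main__":
    print(demo())
```

The four runs in `demo` show the page's two points directly: a proposal the responder accepts as offered completes in two messages, while a counter-proposal or a responder-contributed nonce forces the third ACK message before the responder installs the SA; and a CREATE from a sender without the session key is discarded at the checksum step, leaving the responder with no installed or pending SA.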