
IPSec And Its Application Research In Virtual Private Network

Posted on: 2004-07-19
Degree: Master
Type: Thesis
Country: China
Candidate: X Z Luo
Full Text: PDF
GTID: 2168360092481386
Subject: Applied Mathematics

Abstract/Summary:
IPSec is the security standard for the Internet. It is primarily composed of three protocols: ESP, AH and IKE. It is also an indispensable part of IPv6, the next-generation Internet protocol suite. IPSec provides a general-purpose, standard security infrastructure at the network layer for higher-layer applications. In this paper, the basic architecture and operating principles of the IPSec security protocol suite, and its security, are described and analyzed in depth. The main results are the following:

· Based on the analysis of IKE, the initiator's identifier is not protected during secure key negotiation, although it is sometimes more important than the responder's. Meanwhile, the initiator has many CAs, but in IKE phase one authenticated with public key encryption the responder does not indicate which one is used. Modifications are therefore proposed. First, after the shared key (KE) is negotiated between them, the initiator sends its identifier encrypted with the shared key, which not only protects the initiator's identifier but also reduces the number of exchanged messages. Second, the responder hashes the initiator's CA used by the responder, which lets the initiator know the key used by the responder.

· On the basis of further study of VPN (Virtual Private Network) and of IPSec-based VPN security policy, a new method for generating security policies is provided. In this method, the entire traffic flow is divided into unrelated bundles based on the given requirements, and a subset of the requirements is found for each bundle.

· With the emergence of new applications and services, a layered IPSec VPN scheme is proposed in which the IP datagram is divided into different zones to provide the relevant security services. Following this design idea, a VPN model based on layered IPSec is put forward, which is easy to implement and to embed into the original system.
Keywords/Search Tags:IP Security, Virtual Private Network, Security Policy