
The Research And Implementation Of The Automatic Negotiation Mechanism Of IP Tunnel And IKE Protocol

Posted on: 2004-05-23
Degree: Master
Type: Thesis
Country: China
Candidate: J Ren
Full Text: PDF
GTID: 2168360095953235
Subject: Computer software and theory

Abstract/Summary:
The Internet and most packet-switched networks are based on IPv4, which has no built-in security: packet source addresses are easy to forge, packet contents can be modified, packets can be replayed, and traffic can be intercepted to obtain the information it carries. IP Security Protocol (IPSec) provides identity authentication and high-strength data encryption for traffic at the IP layer to protect the integrity and confidentiality of packets, and thereby secures the IP layer and the upper-layer protocols such as TCP and UDP.

The core of IPSec is the Internet Key Exchange (IKE) protocol and the security policy system; how complete and standards-conformant an IPSec product is depends on how these two are implemented. Based on the standard IPSec and ISAKMP/OAKLEY protocols, this paper presents a network security device named IP Tunnel Machine, which can be used to construct VPNs. I have researched the IKE protocol and implemented the automatic negotiation mechanism of the IP tunnel.

Specifically, the contributions of the paper are as follows:
1. Carefully analyzed the IPSec implementation in the Linux operating system (about 50,000 lines of source code) together with some of the Linux networking source code, and on that basis designed and implemented a network security device named IP Tunnel Machine. It provides high-strength encryption (with 256-bit keys), integrity validation, PKI-based identity authentication, and anti-replay protection for upper-layer applications.
2. Following the ISAKMP/OAKLEY protocol, presented secure and credible key distribution and management, with strict PKI-based identity authentication and support for X.509 and PKCS12 certificates.
3. Presented a mechanism for adding tunnel information automatically, which greatly improved efficiency.
4. Offered high-strength (256-bit key) data encryption.
5. Allowed 128 simultaneous tunnels in tunnel mode.
6. Presented the client-side access and control mechanism, and designed and implemented a flexible, convenient configuration tool.
7. Integrated with a firewall, applied the system in the Internet-based Disease Resume Center (DRC) to construct a secure and credible transmission environment.

Technically, the major breakthroughs of the IP Tunnel Machine are:
1. the implementation of IKE automatic negotiation, supporting manual and automatic key negotiation and automatic negotiation of the tunnel;
2. PKI-based identity authentication, supporting certificate formats such as X.509 and PKCS12;
3. high-strength (128/256-bit) data encryption supporting DES, 3-DES, AES, etc.;
4. nested tunnels, supporting 128 independent IP tunnels.

On April 25, 2003, the Internet-based Disease Resume Center (DRC) passed the appraisal of the Sichuan Science and Technology Department. Every member of the appraisal council assessed DRC as follows: the system is the first Internet-based disease resume system that works across regions and platforms, and its technology is first-rate. The VPN technology ensures the security of traffic between the local data center and the remote data backup center, and logically segregates them from each other.
Keywords/Search Tags: VPN, IPSec protocol, IKE protocol, Encryption, Authentication, Negotiate