
Improved Design Of IKE And The Framework Of Its Implementation

Posted on: 2006-01-29    Degree: Master    Type: Thesis
Country: China    Candidate: Y F Huang    Full Text: PDF
GTID: 2168360155467310    Subject: Computer application technology
Abstract/Summary:
With the explosive growth of applications on the Internet, security problems have become more and more important in recent years. A network security model summarises all of the factors in the security area, and its theory provides a basic way to approach security problems. But because of the complexity and diversity of the TCP/IP protocol family, security problems still cannot be solved completely other than by implementing security in a lower-layer protocol. IPSec is such a lower-layer security protocol, implementing security at the IP layer. IPSec provides peer-to-peer encryption and authentication of the source, and it also provides a way to verify whether data has been modified by a malicious party in transit. IPSec has now been deployed in VPN networks abroad, and with the development of IPv6 networks it will be applied more widely.

The security association is an important concept in IPSec: it tells the peers how to process inbound and outbound IP datagrams. A security association can be set up statically by hand, or it can be established by a dynamic negotiation protocol. IKE is such a protocol.

This paper points out the defects in IKE (IKEv1). These defects originate from IKE's complexity, which shows especially in the definition of the exchange modes and in the generation of keying material, which is tied too closely to the specific authentication method. This complexity seriously endangers the secret information, and it also hinders interoperability between different implementations. Beyond this, IKE is also complex in how it resists DoS attacks and in how it expresses negotiation policy when creating an SA. There is much worth doing to improve it.

The IKEv2 draft brings forward a new IKE protocol. It preserves many features of the original IKE, including identity hiding, perfect forward secrecy and two-phase negotiation, while greatly redesigning the protocol to simplify the exchanges, the cryptographic negotiation process and the generation of keying material. It also defines a method for resisting DoS attacks and provides a concrete way to generate keying material on both peers. At the same time, it introduces the EAP idea, which lets IKE authentication conveniently reuse existing identity data.

IKE-N is a new IKE design put forward in this paper, based on an analysis of the weaknesses of IKEv1 and of the essential ideas in IKEv2. IKE-N implements the sliding window of IKEv2 and designs the complete set of state transitions inside the protocol. An implementation framework is provided at the end, which defines the processing performed by an IKE peer. In the framework, the main data structures, such as the sliding window, the timer and the state machine, are described in detail. It is a good reference for implementation.
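The abstract refers to IKEv2's concrete way of generating keying material on both peers. The following worked key schedule is an added example, not code from the thesis or from any IKE implementation. It follows the SKEYSEED, prf+ and Child SA KEYMAT definitions of RFC 7296 (sections 2.13, 2.14 and 2.17) with PRF_HMAC_SHA2_256, an assumed 256-bit HMAC integrity key and an assumed 128-bit AES encryption key; the nonces, SPIs and the Diffie-Hellman shared secret g^ir are constructed constants, since a real exchange would compute g^ir from the KE payloads of IKE_SA_INIT.

```python
import hashlib
import hmac

# Key lengths for the (assumed) negotiated transforms:
# PRF_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128, ENCR_AES_CBC with a 128-bit key.
PRF_KEY_LEN = 32
INTEG_KEY_LEN = 32
ENCR_KEY_LEN = 16


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256; IKEv2 uses the negotiated prf for SKEYSEED and for prf+."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (RFC 7296 section 2.13):
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n), output = T1 | T2 | ... truncated."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ is only defined for up to 255 output blocks")
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_ike_sa_keys(ni: bytes, nr: bytes, g_ir: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    """IKE SA key schedule (RFC 7296 section 2.14):
    SKEYSEED = prf(Ni | Nr, g^ir)
    SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    Both peers hold exactly these inputs after IKE_SA_INIT, so they derive identical keys."""
    skeyseed = prf(ni + nr, g_ir)
    layout = [("SK_d", PRF_KEY_LEN), ("SK_ai", INTEG_KEY_LEN), ("SK_ar", INTEG_KEY_LEN),
              ("SK_ei", ENCR_KEY_LEN), ("SK_er", ENCR_KEY_LEN),
              ("SK_pi", PRF_KEY_LEN), ("SK_pr", PRF_KEY_LEN)]
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in layout))
    keys, offset = {"SKEYSEED": skeyseed}, 0
    for name, n in layout:
        keys[name] = keymat[offset:offset + n]
        offset += n
    return keys


def derive_child_sa_keys(sk_d: bytes, ni: bytes, nr: bytes, g_ir_new: bytes = b"") -> dict:
    """Child SA (ESP) keys (RFC 7296 section 2.17): KEYMAT = prf+(SK_d, [g^ir new |] Ni | Nr).
    Initiator->responder keys come first; within a direction, encryption before integrity."""
    keymat = prf_plus(sk_d, g_ir_new + ni + nr, 2 * (ENCR_KEY_LEN + INTEG_KEY_LEN))
    step = ENCR_KEY_LEN + INTEG_KEY_LEN
    return {
        "encr_i": keymat[0:ENCR_KEY_LEN],
        "integ_i": keymat[ENCR_KEY_LEN:step],
        "encr_r": keymat[step:step + ENCR_KEY_LEN],
        "integ_r": keymat[step + ENCR_KEY_LEN:2 * step],
    }


# Constructed protocol values (not from a real exchange). A real g^ir is the
# Diffie-Hellman shared secret computed from the KE payloads of IKE_SA_INIT.
NI = bytes.fromhex("00112233445566778899aabbccddeeff")
NR = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("a1a2a3a4a5a6a7a8")
G_IR = hashlib.sha256(b"constructed stand-in for g^ir").digest()


def peers_agree() -> bool:
    """Run the schedule as both ends would, over the same IKE_SA_INIT inputs."""
    initiator = derive_ike_sa_keys(NI, NR, G_IR, SPI_I, SPI_R)
    responder = derive_ike_sa_keys(NI, NR, G_IR, SPI_I, SPI_R)
    child_i = derive_child_sa_keys(initiator["SK_d"], NI, NR)
    child_r = derive_child_sa_keys(responder["SK_d"], NI, NR)
    return initiator == responder and child_i == child_r


if __name__ == "__main__":
    for name, value in derive_ike_sa_keys(NI, NR, G_IR, SPI_I, SPI_R).items():
        print(f"{name:9s} {value.hex()}")
    print("peers agree:", peers_agree())
```

The point the thesis makes is visible in the schedule: the authentication method never enters the derivation, only the nonces, SPIs and g^ir do, which is what decouples IKEv2 keying from the authentication mode that IKEv1 tied it to. Swapping Ni and Nr, or a different g^ir, gives an entirely different key set.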
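The abstract also says IKE-N implements the sliding window of IKEv2 and describes it as one of the framework's main data structures. The block below is an added example of such a window, not the thesis's own design: it models the responder side of the Message ID window from RFC 7296 section 2.3 (the size being what SET_WINDOW_SIZE negotiates), classifying each incoming request as new, a retransmission to be answered from cache, or a drop. It assumes every accepted request is answered immediately, and the Message ID sequence in run_scenario is constructed.

```python
class IkeRequestWindow:
    """Responder-side Message ID window for one direction of an IKEv2 SA.
    Assumption for this example: every accepted request is answered at once,
    so each Message ID is either unseen or already answered."""

    def __init__(self, size: int = 1):
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        self.base = 0        # lowest Message ID whose request has not been answered
        self.answered = {}   # Message ID -> cached response, kept for retransmission

    def receive(self, msg_id: int, handler):
        """Classify an incoming request. Returns (verdict, response) where verdict is
        "new" (processed now), "retransmit" (cached response resent) or
        "drop" (beyond the window, or too old to still have a cached response)."""
        if msg_id >= self.base + self.size:
            # Ahead of the window: the peer has more requests outstanding than agreed.
            return "drop", None
        if msg_id in self.answered:
            # Duplicate or retransmitted request: resend the same response, never reprocess.
            return "retransmit", self.answered[msg_id]
        if msg_id < self.base:
            # Answered long ago; the cached response was already evicted.
            return "drop", None
        response = handler(msg_id)          # first time this ID is seen: process it
        self.answered[msg_id] = response
        while self.base in self.answered:   # slide the lower edge past answered IDs
            self.base += 1
        for old in [m for m in self.answered if m < self.base - self.size]:
            del self.answered[old]          # keep one window of responses for retransmits
        return "new", response


def run_scenario(size: int = 2) -> list:
    """Constructed Message ID sequence: a retransmit, an out-of-order request inside
    the window, one beyond the window, and a stale ID whose response is gone."""
    win = IkeRequestWindow(size)
    sequence = [0, 1, 1, 3, 4, 2, 0, 3, 5]
    return [win.receive(mid, lambda m: f"response to {m}".encode())[0] for mid in sequence]


if __name__ == "__main__":
    for mid, verdict in zip([0, 1, 1, 3, 4, 2, 0, 3, 5], run_scenario(2)):
        print(f"Message ID {mid}: {verdict}")
```

Answering a retransmitted request from cache rather than reprocessing it is what makes the window both a reliability mechanism and a replay guard: a replayed request can only ever elicit the response it already got.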
Keywords/Search Tags: network security model, IPSec, security association, IKE, IKEv2, Diffie-Hellman exchange, authentication