
Analysis And Improvement Of IKE Based On IPSec

Posted on: 2006-07-04
Degree: Master
Type: Thesis
Country: China
Candidate: X Yan
Full Text: PDF
GTID: 2178360182469143
Subject: Systems analysis and integration
Abstract/Summary:
IP packets as originally defined by IPv4 carry no security features. Attackers can easily forge the source address of IP packets, modify their contents, replay them at a later time, and eavesdrop on data in transit. To make up for this inherent deficiency of IPv4, the IPSec protocol provides a standard and robust security mechanism that can protect IP and higher-layer protocols. Before IPSec can be widely deployed, however, one problem must be solved: how to negotiate keys safely and automatically over the Internet. That problem is the main subject of this paper. First, the current state of network security is discussed. A comparison of the merits and shortcomings of security services at different network layers shows the superiority of providing security at the network layer. Second, the structure of IPSec, which provides security services at the network layer, is introduced. The AH protocol, the ESP protocol, the Security Association (SA) and the Security Policy are also introduced in detail. Third, the IKE protocol is analyzed, including its architecture, framework, negotiation process, message format and security properties. Finally, the mechanism and circumstances of Denial-of-Service attacks against the IKE protocol are systematically analyzed. The weakness of the IKE protocol lies in its authentication mechanism, which is based on the Diffie-Hellman key exchange protocol. Building on a thorough understanding of the IPSec protocol, two amendment schemes are proposed. Solutions to the man-in-the-middle attack and to identity protection are also given.
Keywords/Search Tags:IPSec, IKE, AH, ESP, SA