The Research And Design Of IKEv2 Protocol Based On EAP/AAA

Posted on: 2008-09-06
Degree: Master
Type: Thesis
Country: China
Candidate: J J Tang
GTID: 2178360218951181
Subject: Computer application technology

Abstract/Summary:
This thesis studies the IKE protocol in the IPsec protocol suite. It analyzes in depth the newest dynamic key exchange mechanism, IKEv2, and presents a detailed scheme that introduces the EAP authentication framework into IKEv2, in order to design an enhanced, extensible IKE protocol based on EAP/AAA. The specific research and implementation work includes:

- Tracing the development of IKE-related protocols, comparing IKEv2 with IKEv1, analyzing the disadvantages of the current IKEv1 protocol, and summarizing the advantages of IKEv2.
- Studying the newest IKEv2, including its protocol specifications and the interaction in negotiation.
- Thoroughly researching the key derivation and authentication mechanisms of IKEv2, giving the three authentication methods (PSK, RSA certificate and EAP) a uniform interface, and completing the encapsulation design of authentication.
- Researching PKI techniques and optimizing the schema design for fetching CRLs from an LDAP server.
- Studying EAP methods in depth, choosing a feasible method, EAP-SIM, to implement in IKEv2, and giving the specific integration design scheme.
- Building a RADIUS server to complete EAP-SIM authentication, thus extending the authentication methods of IKEv2 and improving its flexibility.
- Designing the IKE initial interaction procedure in detail, encapsulating the interaction tasks of the several phases into different objects, giving the tasks a uniform interface, and adding support for EAP authentication used by the initiator in the IKE_AUTH interaction.
- Testing the prototype system and analyzing the results, which show that the prototype system works smoothly with the IPsec modules in Linux kernel v2.6.10.

This research was sponsored by the Natural Science Foundation of Jiangsu Province under the project "Research on High Strength VPN Security Gateway Techniques and Core System Based on PKI and ECC" (Project Number: BK2004039).
Keywords/Search Tags:VPN, IKEv2, EAP, AAA, PKI