
Security Mechanism Research And Implementation Of IKEv2 Protocol

Posted on: 2008-11-29
Degree: Master
Type: Thesis
Country: China
Candidate: L Quan
Full Text: PDF
GTID: 2178360242472207
Subject: Computer software and theory
Abstract/Summary:
The "Military Next Generation Internet" project under China's National Hi-tech Research Program 863 needs a secure dual-stack router to protect data, so the functions defined by the IPsec protocol must be implemented. The security of the IPsec protocol rests on the security of its cipher keys. We therefore analyze the security mechanisms of IKEv2 (Internet Key Exchange Protocol Version 2), the key management protocol designated by IPsec, in order to improve security and to guarantee the security of the router.

The contributions presented in this thesis include:

After intensive study of the IPsec protocol, the functional modules of IKEv2 are laid out according to the requirements of the secure router, and a simplified implementation scheme for IKEv2 is proposed in line with the minimal implementation rules of IKEv2.

The thesis studies the mechanisms by which IKEv2 resists MITM (Man-In-The-Middle) attacks and DoS (Denial of Service) attacks, as well as its perfect forward secrecy mechanisms. Combined with the results of formal analysis of IKEv2, the protocol is shown to satisfy the authentication, confidentiality, integrity and non-repudiation properties of a standard security protocol. At the same time, IKEv2 is found to lack detection and prevention mechanisms against DDoS (Distributed Denial of Service) attacks.

The thesis proposes an IKEv2 session arrival model after analyzing IKEv2 session arrivals over UDP, and puts forward a scheme that works together with the existing anti-DoS mechanisms in the IKEv2 protocol to resist DDoS attacks. Finally, through mathematical analysis, it proposes a secondary DDoS attack detection and prevention mechanism based on IKEv2 session arrivals.

An IKEv2 scheme incorporating the secondary DDoS attack detection and prevention mechanism has been proposed and implemented. The functions and performance of both the implementation and the secondary DDoS attack detection and prevention mechanism have been tested. The performance of IKEv1 and IKEv2 is compared, and the performance of the secondary DDoS attack detection and prevention mechanism is analyzed using the test data.
Keywords/Search Tags: Router, IPsec, IKEv2, DDoS attack, Attack detection, Arrival process of session