Research Of IKEv2 Based On Extensible Authentication Mechanism

Posted on: 2009-10-01
Degree: Master
Type: Thesis
Country: China
Candidate: L Gu
Full Text: PDF
GTID: 2178360242989209
Subject: Communication and Information System
Abstract/Summary:
IPsec has become one of the international standards for VPNs, and the Internet Key Exchange protocol (IKE) has become the preferred key exchange protocol in IPsec implementations. However, because IKEv1 is a hybrid of several protocols, its complexity brings some unavoidable limitations. To address them, the IETF published a new version of the IKE standard, RFC 4306 (IKEv2), in December 2005. IKEv2 is designed on the basis of the previous version: most features of IKEv1 are retained, such as identity hiding, perfect forward secrecy and a two-stage negotiation (an IKE SA followed by Child SAs), while some parts of the earlier standard were redesigned to make the protocol more robust, efficient and secure. One of the enhancements is support for extensible authentication. The Extensible Authentication Protocol (EAP) is an authentication framework rather than a single method; with EAP support, IKEv2 can authenticate the initiator with a wider range of methods, some of them stronger than a static pre-shared key, in place of pre-shared key or certificate authentication. In IKEv2, EAP replaces only the initiator's AUTH payload; the responder still authenticates itself in the normal way (in RFC 4306, with a certificate-based signature), which is what protects the initiator's EAP credentials from a rogue gateway.

The goal of this thesis is to identify the advantages of the new IKE version by comparing the two, to find a feasible way to combine IKEv2 and EAP by analysing how EAP is applied, and finally to strengthen the security of the IKEv2 key exchange and implement its extension, extensible authentication, so as to give both IKEv2 and IPsec more security and flexibility. The thesis first analyses the IPsec protocol and related material to understand its architecture and working mechanism. It then analyses the IKEv2 protocol, its extensions and advantages, and the Extensible Authentication Protocol. On that basis, it designs and implements an IKEv2 system that provides not only the basic key exchange functions but also one of the extensions, extensible authentication. The system runs in user space.

It consists of seven modules: configuration and management, network communication, key exchange, payload processing, algorithm processing, IPsec, and thread processing. The IKE daemon talks to the kernel's security policy and SA databases, which the Linux XFRM framework maintains, over a NETLINK socket (NETLINK_XFRM). The thesis describes the design concept and function of each module and introduces its working process. Test results show that the system completes the key exchange under the various designed test conditions, establishes the IKE SA, and finally establishes the IPsec SAs.
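As an added example, not code from the thesis or its implementation: the payload processing module described above has to walk an IKEv2 payload chain and, for the EAP extension, decode the EAP message carried in an EAP payload. The Python below builds and parses such a chain using the RFC 4306 header layout, bounds-checks every length field before using it, and rejects a message that carries an unknown payload with the critical bit set (RFC 4306 section 2.5). The sample message is constructed here: the SPI values, the identity string and the dummy AUTH data are assumptions, and the SK encryption wrapper that IKE_AUTH uses on the wire is omitted, so the chain shown is the plaintext the daemon would see after decrypting SK.

```python
import struct

# Constants from RFC 4306 section 3 (unchanged in RFC 7296).
IKE_HDR_LEN = 28                      # fixed IKE header
GEN_HDR_LEN = 4                       # generic payload header
IKEV2_VERSION = 0x20                  # major 2, minor 0
EXCH_IKE_SA_INIT, EXCH_IKE_AUTH = 34, 35
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
PAYLOAD_NONE, PAYLOAD_IDR, PAYLOAD_AUTH, PAYLOAD_EAP = 0, 36, 39, 48
KNOWN_PAYLOADS = set(range(33, 49))   # SA(33) .. EAP(48)
CRITICAL_BIT = 0x80
EAP_REQUEST, EAP_RESPONSE = 1, 2       # EAP codes, RFC 3748
EAP_TYPE_IDENTITY = 1


class IkeError(ValueError):
    """Raised for any malformed or unacceptable IKEv2 message."""


def build_ike_message(spi_i, spi_r, exchange, flags, msg_id, payloads):
    """Serialise an IKE header plus a payload chain.

    payloads is a list of (type, body, critical) tuples.  Each generic header's
    Next Payload field names the following payload; the last one carries 0.
    """
    chain = b""
    for i, (_, body, critical) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        flag = CRITICAL_BIT if critical else 0
        chain += struct.pack("!BBH", next_type, flag, GEN_HDR_LEN + len(body)) + body
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    header = struct.pack("!QQBBBBII", spi_i, spi_r, first, IKEV2_VERSION,
                         exchange, flags, msg_id, IKE_HDR_LEN + len(chain))
    return header + chain


def parse_ike_message(data):
    """Parse the header and walk the payload chain with bounds checks.

    Returns (header dict, list of payload dicts).  An unknown payload whose
    critical bit is set is rejected, as RFC 4306 section 2.5 requires; an
    unknown non-critical payload is skipped.
    """
    if len(data) < IKE_HDR_LEN:
        raise IkeError("message shorter than IKE header")
    (spi_i, spi_r, next_type, version, exchange,
     flags, msg_id, length) = struct.unpack("!QQBBBBII", data[:IKE_HDR_LEN])
    if version >> 4 != 2:
        raise IkeError("unsupported major version %d" % (version >> 4))
    if length != len(data):
        raise IkeError("header length %d != %d bytes received" % (length, len(data)))
    header = dict(spi_i=spi_i, spi_r=spi_r, exchange=exchange,
                  flags=flags, msg_id=msg_id)
    payloads = []
    offset = IKE_HDR_LEN
    while next_type != PAYLOAD_NONE:
        if offset + GEN_HDR_LEN > len(data):
            raise IkeError("truncated payload header")
        ptype = next_type
        next_type, flag, plen = struct.unpack("!BBH", data[offset:offset + GEN_HDR_LEN])
        if plen < GEN_HDR_LEN or offset + plen > len(data):
            raise IkeError("payload length %d out of bounds" % plen)
        body = data[offset + GEN_HDR_LEN:offset + plen]
        critical = bool(flag & CRITICAL_BIT)
        if ptype not in KNOWN_PAYLOADS:
            if critical:
                raise IkeError("unsupported critical payload %d" % ptype)
            offset += plen          # unknown but not critical: skip it
            continue
        payloads.append(dict(type=ptype, critical=critical, body=body))
        offset += plen
    if offset != len(data):
        raise IkeError("%d trailing bytes after last payload" % (len(data) - offset))
    return header, payloads


def parse_eap(body):
    """Decode the EAP message carried inside an EAP payload (RFC 3748 section 4)."""
    if len(body) < 4:
        raise IkeError("EAP message shorter than 4 bytes")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length != len(body):
        raise IkeError("EAP length field disagrees with payload length")
    eap_type = body[4] if length > 4 else None   # Success/Failure have no Type
    return dict(code=code, id=identifier, type=eap_type, data=body[5:])


def message_is_acceptable(data):
    """True if the message parses cleanly, False if the daemon should drop it."""
    try:
        parse_ike_message(data)
        return True
    except IkeError:
        return False


def responder_ike_auth_with_eap():
    """Constructed sample: the responder's first IKE_AUTH reply when EAP is used.

    Per RFC 4306 section 2.16 the responder sends IDr, AUTH and an EAP payload
    carrying the first EAP Request.  SPIs, identity and AUTH data are assumed.
    """
    idr = struct.pack("!B3x", 2) + b"vpn.example"      # ID type 2 = FQDN
    auth = struct.pack("!B3x", 2) + bytes(20)          # method 2 = shared-key MIC, dummy
    eap = struct.pack("!BBHB", EAP_REQUEST, 1, 5, EAP_TYPE_IDENTITY)
    return build_ike_message(0x1122334455667788, 0x8877665544332211,
                             EXCH_IKE_AUTH, FLAG_RESPONSE, 1,
                             [(PAYLOAD_IDR, idr, False),
                              (PAYLOAD_AUTH, auth, False),
                              (PAYLOAD_EAP, eap, False)])


def unknown_critical_payload_message():
    """Constructed sample carrying an unassigned payload type (200) marked critical."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5, EAP_TYPE_IDENTITY)
    return build_ike_message(1, 2, EXCH_IKE_AUTH, FLAG_INITIATOR, 1,
                             [(200, b"\x00", True), (PAYLOAD_EAP, eap, False)])


if __name__ == "__main__":
    hdr, pls = parse_ike_message(responder_ike_auth_with_eap())
    print(hdr, [p["type"] for p in pls], parse_eap(pls[-1]["body"]))
    print("unknown critical payload accepted:",
          message_is_acceptable(unknown_critical_payload_message()))
```

The two checks that matter operationally are the ones a hostile peer will probe first: every payload length is validated against the remaining buffer before any slice is taken, and the critical bit on an unrecognised payload type turns into a rejection instead of a silent skip, which is the behaviour the standard requires so that a peer cannot smuggle semantics past an implementation that does not understand them.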
Keywords/Search Tags:IPsec, IKEv2, Key Exchange, Security Association, Extensible Authentication Protocol