Research And Application Of IPSec In IPv6

As the core of the next generation Internet, Internet Protocol Version 6 (IPv6) is in the developing process from laboratory to commercialism or industrialization. Its security means the future network's security. Be a part of IPv6, Internet Protocol Security (IPSec) is responsible for network security. The paper takes IPSec as research object, its aim is to study and discuss how to apply IPSec to provide security protection for IPv6 network communication in network layer, in order to satisfy increasing network security desiderata.Firstly, this thesis presents the IPv6 origin, its developing status, the main differences between IPv4 and IPv6, as well as its primary characteristics. Then, it mainly states the architecture of IPSec and its security mechanism. It gives some ususl IPSec solutions in IPv6 network under the different work mode. And then, it expatiates on IPSec implementation on the Linux 2.6 platform and IPSec applications in IPv6 campus trial network. From two ways of manual configuration and IKE daemon auto configuration, combining with the pre-shared key authentication and x.509 certificate authentication, it validates IKE negotiation and IPSec security mechanism in practice, realizes the target protecting IPv6 network in network layer. Finally, the paper makes a summary of the whole text, and puts forward some expectation for the future work.In the course of research , the work of this thesis are:1. Studies the IPv6 developing status in the world, mainly introduces its developed experience in our home and what we have done in the IPv6 standard development way.2. Deeply researches IPSec in IPv6, briefly introduces the message format of the security protocols, states reasonedly the course and related technique of AH authentication, such as hash function, message authentication code, digital signature.In the way of key exchange and managemant, it discusses Diffie-Hellman key exchange process and the payload of ISAKMP datagram, illustrates the transmited message in IKE exchange and its format, gives formula descriptions to the key and authentication message generated in the main exchange mode or the aggressive exchange mode. 3. By analyzing a number of IPSec configuration examples, it brings forward some usual IPSec solutions protecting data security and protocol security, detailedly speaks the nesting application of IPSec tunnel and its process.4. In the way of IPSec applications, there is not such a research about manual configuration IPSec in the civil presently. This paper studys these problems, and compares manual configuration with the IKE daemon automatic configuration. On one hand it is to introduce how to configurate IPSec. On the other hand, it is to explain the merits and demerits of two configuration modes, all these are to account for what the IKE daemon can automatically does and what need administrators to do.5. With regard to the IPSec application research in the internal, there are much more about the applications of pre-shared key authentication, but there is hardly little as to the X.509 certificate authentication applications. So this thesis deeply studies these problems, dwells on the generation and application of X.509 certificate, how to generate a fingerprint for a public key certificate and how to generate randomly a pre-shared key.6. For the applications of IPSec in IPv6 network, the paper, on the Linux 2.6 platform, begins with analysing the security desiderata of IPv6 campus trial network , then combines network topology to discuss every material configuration process. During the connecting test, it applies experiment data to explain the functions and characteristics of Security Policy and Security Association. It also specifies the dynamic process of automatically negotiating IKE SA and IPSec SA by racoon, as well as the active IPSec SA parameters. In the end, it objectively evaluates every application security.