The Research And Implementation Of IKEv2 Protocol Based On IXP2850 Platform

As the fast growing of Internet, network security has becoming more and more important in people's daily life, and various security solutions have been proposed. VPN (Virtual Private Network) technology is a typical security solution which can create a secure virtual private data channel by encapsulating and encrypting packets. VPN technology has kinds of ways to realize, in which IPSec is the most widely used technology. IPSec is not a separate protocol, which provides a set of network data security architecture based on the IP layer.The IKEv2 protocol is an extremely important mixed key management protocol, which can provides guaranty for creating or updating secure shared key in an insecure network environment.This dissertation research how to achieve IKEv2 protocol based on IXP2850 platform.IXP2850 network processor is a high-speed programmable processor of new generation which is used to process and forward data. It can support up to 10Gbits packet forwarding rate,and hardware encryption and decryption units are integrated into it,which is quite suitable for IPSec, IKE related development.This dissertation which is based on Sci-tech Planning Projects of Guangdong Province "VPN System Integrated in 3G intelligent Firewall", research how to build server for IKEv2 requests on IXP2850 platform.This system is focus on improving and achieving the Diffie-Hellman algorithm involved in the initial exchange, maintaining efficiency security policy database, defending middle attack, and using cookie mechanism to defend Dos attack.Besides, this dissertation talk about programming graphical user interface for the function testing of IKEv2 system,and using Spirent Test equipment to do performance testing. The result proves that this system can respond to requests properly and efficiently, and the performance achieves the requirement of carrier-grade equipment.The main achievements of this paper are:1. This system has improved the Diffie-Hellman algorithm and the realization of security policy database, and has solved the bottlenecks of slow channel in network processor.So the system can give full play to IXP2850 processor performance, and ensure that the throughput performance of the server can be up to 8Gbps. 2. The operations of this system such as encryption,decryption and authentication are realized with hardware encryption units,which compared with traditional software encryption,can greatly improve the system efficiency.