Research And Implementation Of Internet Key Exchange Protocol

Posted on: 2003-10-12
Degree: Master
Type: Thesis
Country: China
Candidate: B Wang
Full Text: PDF
GTID: 2208360092999587
Subject: Computer application technology
Abstract/Summary:
Originally, the IP packets defined by IPv4 do not contain any security characteristics. Attackers can easily forge the addresses of IP packets, revise their content, replay them at a later time, and eavesdrop on data during transmission. To make up for this innate deficiency of IPv4, the IPSec protocol provides a standard and robust security mechanism that can be used to provide security protection for IP and higher-layer protocols. But before the IPSec protocol can be used widely, one problem must be resolved: how to negotiate keys automatically over the Internet. That is what this paper mainly deals with. First, this paper introduces the concept of the IPSec protocol and discusses with emphasis the IKE protocol, which resolves the problem of key negotiation. Then, according to our current research work, I describe in detail the procedure for realizing the IKE protocol in Linux. There are five chapters in total in this paper. The first chapter shows the current development status of the Internet, some network security problems and some classic Internet attacks, discusses the advantages and disadvantages of realizing network security on different TCP/IP layers, and gives a simple introduction to Virtual Private Networks and two kinds of VPN tunneling protocols. The second chapter introduces the protocols contained in the IPSec protocol stack, the work modes and the methods to build Security Associations. Then the details of the IKE protocol are described, including the two negotiating phases, the format of all IKE payloads, and the exchange modes defined by IKE. In the third chapter, combined with our current research, I describe how to design and realize IKE in the Linux OS. The realization includes establishing and managing the security association database in the Linux kernel, developing the PF_KEY socket interface and PF_KEY messages, and designing the state machines of IKE main mode and IKE quick mode.
In the fourth chapter, I depict the realization of the VPN router, the out interface of the VPN router, and the realization of hardware encryption. In the end, I describe the testing of the VPN router. Chapter 5 draws the conclusion and indicates the future direction of the system.
Keywords/Search Tags: IPSec, IKE, Security Association