The IKE protocol, which is responsible for the dynamic negotiation and management of IPSec SAs, is an essential element of the IPSec protocol family. The thesis investigates the details of the protocol's content, the mechanisms for realizing the key exchange, and the pros and cons of the protocol itself. It provides a practical mechanism for realizing the Main Mode and the Quick Mode of the IKE protocol.

The thesis first introduces VPN technology. The concept and design of the distributed VPN are described, and the differences between the traditional VPN and the distributed VPN, together with their characteristics, are compared. Essential VPN technologies currently in broad deployment are presented. Building on an analysis of the IPSec protocol, the status and role of the IKE protocol within it are presented. The thesis then provides an in-depth analysis of the IKE protocol, including the components of the protocol, the IKE negotiation process, the format of IKE messages, and the security of the protocol. Based on the existing protocol, a new practical mechanism for realizing IKE, as well as a new mode, is proposed. The design principles and functionality of each component are then illustrated. The main data structures and procedures are also discussed. In addition, the thesis provides a complete analysis of the message mechanism under the Windows system, which describes how the application communicates with the kernel. Finally, the thesis examines the components for secret key exchange in IKE, analyses that examination, and brings forward a proposal. The expansion of functionality and the future development of IKE are then discussed.

The main achievement is that the thesis provides a set of programs that realize the Main Mode and the Quick Mode of the IKE protocol. Dynamic SAs are provided for IPSec, making the VPN system more complete and secure.