
The IKE Protocol On A Linux System To Achieve Technical Analysis As Well As On The 2.6 Kernel

Posted on: 2006-03-07
Degree: Master
Type: Thesis
Country: China
Candidate: L Q Hou
GTID: 2208360152498490
Subject: Information and Communication Engineering
Abstract/Summary:
With the development of the Internet, network security has become an increasingly prominent issue. The IPSec protocol is an effective way to secure IP data transmission over public networks. Internet Key Exchange (IKE) is one of the most important protocols in the IPSec protocol family. Its main function is to authenticate identities, negotiate security associations and generate shared encryption keys for two nodes (hosts or routers) that communicate securely with each other. IKE also populates the SADB. Currently, IKE is integrated as a part of IPSec FreeS/WAN rather than functioning as independent software. Because this mixes IPSec packet processing with the implementation of the IKE protocol, it makes IKE difficult to implement, breaks the independence of the IKE protocol, and prevents IKE's own functions from being extended. Linux 2.6, released in 2003, implements IPSec processing and data encryption and decryption, which requires IKE to be separated from IPSec. Linux kernel 2.6 also supports the PF_KEY socket, which makes it possible for IKE to be implemented in user space, communicate with the kernel and supply automatically negotiated SAs to IPSec. Given this new situation, the IKE protocol needs to be redesigned. In designing and implementing IKE, the characteristics of Linux 2.6 and the requirements of IPSec were taken into account, which makes the design more reasonable and easier to implement, understand and extend.

In this paper, the IKE protocol is analyzed in detail, including the contents of IKE, the format of IKE messages and the negotiation procedure. The possible security attacks on the protocol are then analyzed and a corresponding scheme to address them is presented, on the basis of which the implementation of IKE on Linux is discussed in depth. A feasible implementation scheme based on the Linux 2.6 kernel is then presented, and the implementation of the event-processing subsystem and of the subsystem that communicates with the kernel is described in detail. At the end of the paper, the test results are analyzed.
Keywords/Search Tags:IKE, IPSec, SA negotiate, Linux