
Research And Implementation Of IKEv2 Protocol For IPsec

Posted on: 2016-03-14
Degree: Master
Type: Thesis
Country: China
Candidate: J H Xie
GTID: 2348330488474269
Subject: Engineering
Abstract/Summary:
With the development of the Internet, frequent network attacks (such as DoS attacks) have caused immeasurable harm to enterprises and users, so network security is attracting more and more attention. To address network security at the IP layer, the IETF (Internet Engineering Task Force) published the IPsec security standards in 1998. The IPsec protocol standard provides safeguards, including authentication, confidentiality and key management, for IP and its upper-layer protocols.

The SA (Security Association) is the key part of IPsec and a prerequisite for successfully establishing an IPsec security tunnel. A Security Association can be established with a manually configured key, but in large networks manual configuration easily leads to a heavy workload and a high error rate because of the large number of nodes. IKE provides automatic key exchange and establishment of Security Associations for IPsec, which makes IPsec more convenient to use and manage. RFC 2409 specified the earlier IKE protocol standard, which is more complex, and some of its protocols play no role in practical implementations. The IETF released the second version of IKE in 2005, which simplified the negotiation process and enhanced security.

In this paper, we propose a mechanism for building an IPsec security tunnel using IKEv2. IKEv2 is based on the framework of IKEv1. We changed the message structure, the payload structure and the packet retransmission mechanism, and at the same time added an SA re-negotiation mechanism and a Cookie-challenge mechanism. With these improvements, IKEv2 has a stronger ability to resist attacks, better key exchange capability, and fewer message exchanges.

This paper designs and implements the mechanism for establishing an IPsec security tunnel with IKEv2. With reference to the open-source openikev2 program, the implementation was designed and developed in the C programming language on the Linux platform and applied to a firewall security device. The method was then verified. The test results show that IKEv2 can establish the IPsec security tunnel, with higher efficiency than IKEv1 under the same conditions.
Keywords/Search Tags:IPsec, IKEv2, SA, ESP, AH