VPN IKE Protocol Under Linux

Posted on: 2006-01-02
Degree: Master
Type: Thesis
Country: China
Candidate: L Luo
GTID: 2208360152498421
Subject: Computer application technology
Abstract/Summary:
The IKE (Internet Key Exchange) protocol is one of the important protocols in the IPSec (IP Security) protocol suite. It handles the dynamic negotiation and management of IPSec SAs (Security Associations): IKE negotiates SAs on behalf of IPSec and populates the SADB. IKE, as described in RFC 2409, remains a complex protocol. Building on the ISAKMP foundation, the Oakley modes, and SKEME's sharing and rekeying techniques, it defines its own technique for generating encryption and authentication material and for negotiating shared policy. IKE also defines 2 SKE exchange modes. IKE uses ISAKMP in two phases. In the first phase, the communicating peers build a protected channel of their own, that is, they establish the IKE security association. In the second phase, the previously established association is used to negotiate specific security associations. IKE accordingly defines exchanges for the first phase and the second phase, plus two additional exchanges (which maintain the security associations correctly). For the first phase, IKE uses the identity protection exchange (Main Mode) and defines an aggressive exchange (Aggressive Mode) based on the base ISAKMP documents. For the second phase, IKE defines a quick exchange (Quick Mode). The two additional exchanges that IKE defines are related to informational exchange. IKE provides for the dynamic establishment of security associations and for the security of the establishment process. On the one hand, IKE's establishment of security associations lies at the core of the IPSec protocol and remains very complicated; on the other hand, it may become the bottleneck of the whole system. Optimizing the IKE program and the key algorithms is therefore the most important problem in implementing IPSec. The paper introduces the concept and applications of VPN and briefly analyzes domestic and overseas products and the current state and key points of IPSec VPN technology.
It also gives an in-depth analysis of the IKE protocol, including the components of the IKE protocol, the IKE negotiation process, and the format of IKE messages, and proposes a feasible IKE-based solution and a module structure. The next part of the paper covers the design approach and functional partitioning of each module of the solution, and an introduction to the main data structures and operating processes that may be applied,...
Keywords/Search Tags: VPN, IKE protocol, IPSec protocol, Security Association Negotiation