
IKEv2 Implementation Technology. IPSec System

Posted on: 2006-04-23
Degree: Master
Type: Thesis
Country: China
Candidate: Q L Zhang
GTID: 2208360182960413
Subject: Cryptography
Abstract/Summary:
IPSec (IP Security) provides interactive, highly functional communication security based on cryptography for IPv4 and IPv6. The Internet Key Exchange (IKE) protocol is an important component of the IPSec protocol suite; its main function is the exchange and management of IPSec security parameters, and it has now developed into its second version, IKEv2. The IKEv2 protocol is very complex. At present, international implementations of IKEv2 are still at an initial stage: no mature IKEv2 products have entered the market, and no public implementation reports are available for reference. These circumstances make the research and implementation work in this paper considerably more difficult.

Firstly, this paper studies in depth the exchange process of the IKEv2 protocol, its network communication and its key derivation, and analyzes the security of the protocol. On that basis, and according to the rule of "minimal realization", this paper puts forward a general design that divides the whole system into several modules: the IKEv2 system management module, initial exchange module, CHILD_SA exchange module, payload module, setup interface module, kernel message processing module, timeout processing module, network message processing module and cipher algorithm module.

In this paper, the author designs and implements the IKEv2 system management module, which is responsible for organizing and coordinating the complex relations among the other modules so that the system works more efficiently and harmoniously. The author designs and implements version 2 of the PF_KEY protocol, which is mainly responsible for providing the interface for communication between IKE and the kernel security database. The author implements the cipher algorithm module, which includes the code cipher algorithm, the Diffie-Hellman algorithm and the HMAC algorithm. This module is the key to the system's implementation.

Finally, this paper tests the finished IKEv2 system. The results show that the IKEv2 system implemented in this paper correctly reaches its predetermined goal with complete functionality. Under the same experimental conditions, the exchange efficiency of IKEv2 is superior to that of IKEv1, and the time to establish the first IPSec SA (Security Association) is clearly reduced, which effectively improves the communication efficiency of IPSec.
Keywords/Search Tags: IPSec, IKEv2, PF_KEY, SA, Diffie-Hellman, policy, security gateway