

Research of IKEv2 Based on Extensible Authentication Mechanism

【作者】 谷雷

【导师】 陈山枝;

【作者基本信息】 北京交通大学 , 通信与信息系统, 2008, 硕士

【摘要】 IPsec已成为构建VPN的国际标准之一,而互联网密钥交换协议(IKE)又是IPsec实现中首选的密钥交换协议。但由于它是一种混合型的协议,其自身的复杂性不可避免带来一些安全及性能上的缺陷。为此IETF于2005年12月正式推出新的IKE标准——RFC4306 IKEv2。IKEv2是在IKEvl基础上改进的结果,保留了第一版本的大部分特性,如身份隐藏、PFS、两个阶段的协商等特性,同时重新设计了某些部分,在强壮性、高效性和安全性上都显著提供。其中,相比之前版本增加了对扩展认证的支持。扩展认证协议是一个框架性协议,通过在IKEv2上支持扩展认证,可以用新的多种安全性更高的认证方式来取代目前白带的与共享密钥方式和证书方式。论文的研究目标通过IKE两个版本的分析对比,发现新版本的优势所在;然后分析目前EAP的实现形式,寻找一种可行的EAP与IKEv2结合的实现方式;再通过实现IKEv2来提高密钥交换的安全性,进而实现其新增的扩展认证功能,给使用IKEv2和IPsec带来更多的灵活性。论文首先分析研究了IPsec协议及相关内容掌握IPsec的体系结构和工作机制;进而分析研究IKEv2协议及其扩展功能和较之前版本的优势;然后分析扩展认证协议的应用情况,以及为了使用扩展认证RADIUS协议做出的相应修改;之后在深入研究相关协议的基础上,设计实现能够进行扩展认证的密钥管理系统。本系统运行在操作系统的用户空间,由配置管理模块、网络通信模块、密钥协商模块、载荷处理模块、算法处理模块、IPsec模块和线程处理等七大模块组成。采用NETLINK套接字与操作系统内核XFRM相关结构构建的安全数据库进行通信。本文对各个模块的设计思想和功能划分进行了描述,并介绍了其工作流程。测试结果表明,能够完成在设计的多种情况下经过协商建立IKE_SA并最终建立IPsec SA。

【Abstract】 IPsec has become one of the international standards of VPN. And Internet Key Exchange Protocol (IKE) has become the preferred internet key exchange protocol in the realization of IPsec. While, because it is a kind of mixed protocol, its complexity brings some inevitable limitations. To improve these limitations, IETF published a new version of IKE standard--RFC4306 IKEv2 in December 2005. IKEv2 is designed based on the previous version. Most of the features of IKEv1 were reserved, such as identity hiding, perfect forward safe, two phases of negociations etc. Some parts of the previous version standard were redesigned to make it more robust, effcient and safe. One of the enhancements is adding the support for extensible authentication. Extensible Authentication Protocol (EAP) is a frame-like protocol. After supporting EAP, It can use more kinds of authentication method, which are much safer, to replace the Pre-Shared Key and Certification.The target of the paper is to find the advantages of the new version IKE through comparing between the two. Then find a feasible impletement way to combine IKEv2 and EAP, through analysing the applications of EAP. In the end, enhance the security of the process of Key Exchange using IKEv2, and to impletement its expanded function ? Extensible Authentication function, in order to bring both IKEv2 and IPsecmore security and flexibility. Firstly, the paper analysises and researches the IPsec protocol and related materials to master its architecture and working mechanism. Then, analysises and researches the IKEv2 protocol, its expanded function, its advantages and the Extensible Authentication protocol. Lastly, based on the work mentioned above, design and implement the IKEv2 system which not only has basic key exchange functions, but also has one of the expanded functions ? Expensible Authentication. This system runs in the user space of the operation system. It consists of the following seven modules: configuration and management modules, network communication module, key exchange module, payload disposing module, algorithm disposing module, IPsec module and thread disposing module. It adopts the NETLINK socket for communication between IKE and the operating system kernel secure database, which construct by XFRM. In this paper, the design conceptunction of the various modules are described and their work processes are introduced. The test results show that the system can make the key exchange in designed differents kinds of circumstances, can establish IKE SA, and at last establish IPsec SA.

