Research and Implementation of the IKEv2 Protocol under IPsec
Published: 2018-01-29 19:09
Keywords: IPsec, IKEv2, security association, ESP, AH. Source: 西安电子科技大学 (Xidian University), 2015 master's thesis. Paper type: degree thesis.
[Abstract] With the growth of the Internet, frequent network attacks (such as DoS attacks) have caused immeasurable harm to enterprises and users, so network security draws ever more attention. To address network security at the IP layer, the IETF (Internet Engineering Task Force) published the IPsec security standard in 1998. IPsec provides security services to the IP layer and to the protocols above it, including authentication, confidentiality and key management. The security association (SA) is the core of IPsec and the precondition for establishing an IPsec tunnel. SAs can be set up with manually configured keys, but in a large network with many nodes manual keying means heavy administrative work and a high error rate. The IKE protocol gives IPsec automatic key exchange and SA establishment, which simplifies the use and management of IPsec. RFC 2409 specified the early IKE standard, but that standard was complex and parts of it were of limited use, so in 2005 the IETF published the second version, IKEv2, which simplifies negotiation and strengthens security. This thesis presents a mechanism for establishing IPsec tunnels with IKEv2. Starting from the IKEv1 design framework, it changes the construction of negotiation messages and payloads and the message retransmission mechanism, and adds an SA rekeying mechanism and the Cookie-challenge mechanism. With these changes IKEv2 resists attacks better, exchanges keys more robustly and needs fewer message exchanges. The mechanism is designed and implemented in C on Linux with reference to the open-source program openikev2, deployed on a firewall appliance, and then tested. The test results show that IKEv2 completes IPsec tunnel establishment and, under the same conditions, negotiates faster than IKEv1.
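The Cookie-challenge mechanism the abstract names is the IKEv2 defence against half-open-SA flooding (RFC 7296 section 2.6): a responder under pressure answers a new IKE_SA_INIT statelessly with an N(COOKIE) notification, and only allocates state once the initiator resends the same request carrying that cookie. The following is an added example written for this page, not code from the thesis or from openikev2; it models both sides of the exchange over real IKEv2 header and payload framing. The SA and KE payload bodies are constructed placeholders (no proposal or Diffie-Hellman encoding), the half-open limit is an assumed tuning knob, and the cookie is a keyed HMAC over Ni, IPi and SPIi rather than the RFC's plain hash with an appended secret.

```python
"""IKEv2 IKE_SA_INIT with the RFC 7296 section 2.6 cookie challenge, both sides.
Added example; SA/KE bodies are constructed placeholders, not real proposals."""
import hashlib
import hmac
import os
import struct

HDR = struct.Struct("!8s8sBBBBII")   # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
PL_HDR = struct.Struct("!BBH")        # next payload, critical/reserved, payload length (incl. header)
VERSION = 0x20                        # major 2, minor 0
EXCH_IKE_SA_INIT = 34
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
PL_SA, PL_KE, PL_NONCE, PL_NOTIFY = 33, 34, 40, 41
N_COOKIE = 16390
COOKIE_NOTIFY_HDR = struct.pack("!BBH", 0, 0, N_COOKIE)   # protocol id 0, SPI size 0, notify type
ZERO_SPI = bytes(8)
SA_PLACEHOLDER, KE_PLACEHOLDER = b"SA-proposal", b"KE-dh-value"   # constructed stand-ins


def build(spi_i, spi_r, flags, payloads):
    """Serialize an IKE_SA_INIT message (message ID 0) from a list of (type, body) payloads."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PL_HDR.pack(nxt, 0, PL_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HDR.pack(spi_i, spi_r, first, VERSION, EXCH_IKE_SA_INIT, flags, 0, HDR.size + len(body)) + body


def parse(msg):
    """Parse the header and payload chain; every length field is checked before it is trusted."""
    spi_i, spi_r, nxt, ver, exch, flags, msgid, length = HDR.unpack_from(msg)
    if ver != VERSION or length != len(msg):
        raise ValueError("bad IKE header")
    payloads, off = [], HDR.size
    while nxt:
        nn, _, plen = PL_HDR.unpack_from(msg, off)
        if plen < PL_HDR.size or off + plen > len(msg):
            raise ValueError("bad payload length")
        payloads.append((nxt, msg[off + PL_HDR.size:off + plen]))
        nxt, off = nn, off + plen
    return {"spi_i": spi_i, "spi_r": spi_r, "exch": exch, "flags": flags, "payloads": payloads}


class Responder:
    def __init__(self, half_open_limit=2):          # limit is an assumed tuning value
        self.secret, self.secret_ver = os.urandom(32), 1   # rotate; the version byte lets old cookies age out
        self.limit = half_open_limit
        self.half_open = {}        # SPIi -> SPIr, created only after a demanded cookie verifies
        self.challenges = 0

    def cookie(self, spi_i, ni, ip_i):
        # RFC form: <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>); here a keyed HMAC over the same fields
        mac = hmac.new(self.secret, ni + ip_i + spi_i, hashlib.sha256).digest()[:16]
        return bytes([self.secret_ver]) + mac

    def handle(self, msg, ip_i):
        m = parse(msg)
        if m["exch"] != EXCH_IKE_SA_INIT or not (m["flags"] & FLAG_INITIATOR) or (m["flags"] & FLAG_RESPONSE):
            return None                                   # not an initiator's IKE_SA_INIT request
        pl = dict(m["payloads"])
        ni = pl.get(PL_NONCE)
        if ni is None or PL_SA not in pl or PL_KE not in pl:
            return None                                   # malformed request: drop without reply
        if len(self.half_open) >= self.limit:             # under pressure: demand proof of reachability
            expected = self.cookie(m["spi_i"], ni, ip_i)
            n = pl.get(PL_NOTIFY, b"")
            if n[:4] != COOKIE_NOTIFY_HDR or not hmac.compare_digest(n[4:], expected):
                self.challenges += 1                      # stateless reply: SPIr stays zero, nothing stored
                return build(m["spi_i"], ZERO_SPI, FLAG_RESPONSE, [(PL_NOTIFY, COOKIE_NOTIFY_HDR + expected)])
        spi_r = os.urandom(8)
        self.half_open[m["spi_i"]] = spi_r                # state is committed only here
        return build(m["spi_i"], spi_r, FLAG_RESPONSE,
                     [(PL_SA, SA_PLACEHOLDER), (PL_KE, KE_PLACEHOLDER), (PL_NONCE, os.urandom(32))])


class Initiator:
    def __init__(self, ip):
        self.ip, self.spi_i, self.ni = ip, os.urandom(8), os.urandom(32)

    def request(self, cookie=None):
        pls = [(PL_NOTIFY, COOKIE_NOTIFY_HDR + cookie)] if cookie else []   # cookie must be the first payload
        pls += [(PL_SA, SA_PLACEHOLDER), (PL_KE, KE_PLACEHOLDER), (PL_NONCE, self.ni)]
        return build(self.spi_i, ZERO_SPI, FLAG_INITIATOR, pls)

    def run(self, responder, max_retries=1):
        """Drive IKE_SA_INIT; return SPIr on success, None if dropped or still challenged after the retries."""
        msg = self.request()
        for _ in range(max_retries + 1):
            resp = responder.handle(msg, self.ip)
            if resp is None:
                return None
            m = parse(resp)
            n = dict(m["payloads"]).get(PL_NOTIFY, b"")
            if m["spi_r"] == ZERO_SPI and n[:4] == COOKIE_NOTIFY_HDR:
                msg = self.request(cookie=n[4:])          # echo the cookie unchanged and resend
                continue
            return m["spi_r"]
        return None


if __name__ == "__main__":
    r = Responder(half_open_limit=2)
    for host in range(1, 5):                              # third and later initiators get challenged first
        spi_r = Initiator(bytes([10, 0, 0, host])).run(r)
        print(f"10.0.0.{host}: {'SA established' if spi_r else 'failed'}, challenges so far {r.challenges}")
```

The property worth checking is that a sender who never echoes the cookie, or who replays a cookie minted for another address, never makes the responder allocate an entry in `half_open`; binding the cookie to the source address and SPIi is what turns a spoofed-source flood into a reachability test.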
Degree-granting institution: 西安电子科技大学 (Xidian University)
Degree level: Master's
Year awarded: 2015
Classification number: TP393.08
Similar literature
Related journal articles (1):
1 叶润国; 范科峰; 徐克超; 蔡磊. Research on the Cloud Security Alliance Security, Trust and Assurance Registry (STAR) program [J]. 信息技术与标准化 (Information Technology and Standardization), 2014, No. 06.
Related master's theses (3):
1 张旭成. A study of the US-Australia security alliance against the background of the US "Asia-Pacific rebalance" strategy [D]. 上海社会科学院 (Shanghai Academy of Social Sciences), 2015.
2 谢建豪. Research and Implementation of the IKEv2 Protocol under IPsec [D]. 西安电子科技大学 (Xidian University), 2015.
3 肖波. Design and application of security associations based on the IPsec protocol [D]. 重庆大学 (Chongqing University), 2013.
Article ID: 1474141
Link: https://www.wllwen.com/guanlilunwen/ydhl/1474141.html