Differences between IKEv2 and IKEv1

Excerpted from RFC 4306, Appendix A (Summary of changes from IKEv1). The English text below is the RFC's list of goals for the revision; the document's own Chinese rendering of each item has been folded into this translation. Note that RFC 4306 has since been obsoleted by RFC 5996 and then RFC 7296, which keep the same list of goals, and that "Extensible Authentication" in item 1 refers to EAP carried inside IKE_AUTH (RFC 4306 section 2.16), not to IKEv1's XAUTH extension.

1) To define the entire IKE protocol in a single document, replacing RFCs 2407, 2408, and 2409 and incorporating subsequent changes to support NAT Traversal, Extensible Authentication, and Remote Address acquisition;

2) To simplify IKE by replacing the eight different initial exchanges with a single four-message exchange (with changes in authentication mechanisms affecting only a single AUTH payload rather than restructuring the entire exchange), see [PK01];

3) To remove the Domain of Interpretation (DOI), Situation (SIT), and Labeled Domain Identifier fields, and the Commit and Authentication Only bits;

4) To decrease IKE's latency in the common case by making the initial exchange be 2 round trips (4 messages), and allowing the ability to piggyback setup of a CHILD_SA on that exchange;

5) To replace the cryptographic syntax for protecting the IKE messages themselves with one based closely on ESP, to simplify implementation and security analysis;

6) To reduce the number of possible error states by making the protocol reliable (all messages are acknowledged) and sequenced. This allows shortening CREATE_CHILD_SA exchanges from 3 messages to 2;

7) To increase robustness by allowing the responder to not do significant processing until it receives a message proving that the initiator can receive messages at its claimed IP address, and not commit any state to an exchange until the initiator can be cryptographically authenticated;

8) To fix cryptographic weaknesses such as the problem with symmetries in hashes used for authentication documented by Tero Kivinen;

9) To specify Traffic Selectors in their own payload type rather than overloading ID payloads, and making more flexible the Traffic Selectors that may be specified;

10) To specify required behavior under certain error conditions or when data that is not understood is received, to make it easier to make future revisions that do not break backward compatibility;

11) To simplify and clarify how shared state is maintained in the presence of network failures and Denial of Service attacks; and

12) To maintain existing syntax and magic numbers to the extent possible to make it likely that implementations of IKEv1 can be enhanced to support IKEv2 with minimum effort.
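The mechanism behind item 7 is the IKEv2 COOKIE notification (RFC 4306 section 2.6): a responder under load answers the first IKE_SA_INIT with a cookie computed over the initiator's nonce, source address and SPI plus a responder-only secret, stores nothing, and only allocates state once that cookie comes back from the same address. The following is an added example written for this page, not RFC text and not code from any real IKE implementation. It models messages as dicts rather than wire-format payloads, uses HMAC-SHA-256 as the hash and a one-byte secret version prefix, keeps one previous secret valid across rotation, and constructs its own sample nonces, SPIs and addresses; all of those are assumptions of the example.

```python
"""Stateless IKE_SA_INIT cookie handling in the style of RFC 4306 section 2.6.

Added illustration (not RFC text, not any real IKE implementation). The
responder answers a first IKE_SA_INIT with a COOKIE notification instead of
creating state; it only allocates state once the initiator echoes a cookie
that was computed over its own nonce, source address and SPI. The hash
(HMAC-SHA-256), secret size, cookie layout and the dict-based messages are
assumptions of this example, not mandated by the RFC.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

COOKIE_LEN = 32  # 1-byte secret version + 31 bytes of truncated HMAC (assumed layout)


@dataclass
class Responder:
    """Minimal responder that keeps no per-initiator state before the cookie check."""
    under_attack: bool = True
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    prev_secret: Optional[bytes] = None
    version: int = 0
    half_open: dict = field(default_factory=dict)  # SPIi -> state, created only after cookie is valid

    def rotate_secret(self):
        """RFC 4306 2.6: the secret changes periodically; the previous one stays
        valid so that an in-flight retry is not rejected."""
        self.prev_secret, self.secret = self.secret, os.urandom(32)
        self.version = (self.version + 1) & 0xFF

    def _cookie(self, secret, version, ni, ipi, spii):
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        mac = hmac.new(secret, ni + ipi + spii, hashlib.sha256).digest()
        return bytes([version]) + mac[:COOKIE_LEN - 1]

    def handle_sa_init(self, msg, src_ip):
        """Return ('cookie', cookie), ('reject', reason) or ('ok', SPIr)."""
        ni, spii = msg["Ni"], msg["SPIi"]
        echoed = msg.get("N_COOKIE")
        if self.under_attack and echoed is None:
            # No state allocated; the reply is sent to the claimed source address,
            # so a spoofing initiator never receives it.
            return ("cookie", self._cookie(self.secret, self.version, ni, src_ip, spii))
        if echoed is not None:
            candidates = [(self.secret, self.version)]
            if self.prev_secret is not None:
                candidates.append((self.prev_secret, (self.version - 1) & 0xFF))
            if not any(hmac.compare_digest(echoed, self._cookie(s, v, ni, src_ip, spii))
                       for s, v in candidates):
                return ("reject", "bad cookie")
        # Round trip proven: the initiator can receive at src_ip, so commit state now.
        spir = os.urandom(8)
        self.half_open[spii] = {"Ni": ni, "peer": src_ip, "SPIr": spir}
        return ("ok", spir)


def sa_init_message(ni, spii, cookie=None):
    """Constructed IKE_SA_INIT request as a dict (not real wire encoding)."""
    m = {"SPIi": spii, "Ni": ni}
    if cookie is not None:
        m["N_COOKIE"] = cookie
    return m


def run_exchange(responder, ni, spii, real_ip, claimed_ip):
    """Drive one initiator through the exchange. The packet claims claimed_ip
    but the sender actually sits at real_ip; a mismatch models a spoofed source.
    Returns (outcome, whether the responder now holds state for SPIi)."""
    kind, val = responder.handle_sa_init(sa_init_message(ni, spii), claimed_ip)
    if kind == "cookie":
        # The cookie is delivered to claimed_ip; a spoofer at real_ip never sees it
        # and can only guess (modelled here as an all-zero cookie).
        cookie = val if real_ip == claimed_ip else b"\x00" * COOKIE_LEN
        kind, val = responder.handle_sa_init(sa_init_message(ni, spii, cookie), claimed_ip)
    return kind, spii in responder.half_open


if __name__ == "__main__":
    r = Responder(under_attack=True)
    honest = bytes([192, 0, 2, 10])        # constructed sample addresses
    print("honest initiator:", run_exchange(r, b"\x11" * 32, b"\x01" * 8, honest, honest))
    print("spoofed source:  ", run_exchange(r, b"\x22" * 32, b"\x02" * 8,
                                            bytes([198, 51, 100, 7]), bytes([203, 0, 113, 9])))
```

The point of the example is what the responder does not do: before a valid cookie returns it performs no Diffie-Hellman computation and stores nothing, so a flood of IKE_SA_INIT requests from forged addresses costs it one HMAC per packet and no memory, which is the robustness property item 7 describes. The previous-secret check matters in practice: without it, a secret rotation between the cookie reply and the initiator's retry would spuriously reject legitimate peers.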