Differences between IKEv2 and IKEv1

Author:   Source: zz   Published: 2007-05-02

Excerpted from RFC 4306, Appendix A

   1) To define the entire IKE protocol in a single document, replacing
   RFCs 2407, 2408, and 2409 and incorporating subsequent changes to
   support NAT Traversal, Extensible Authentication, and Remote Address
   acquisition;

Define the entire IKE protocol in a single document, replacing RFC 2407, 2408 and 2409 and incorporating the subsequent changes that support NAT Traversal (NAT-T), Extensible Authentication (XAUTH) and remote address acquisition;

   2) To simplify IKE by replacing the eight different initial exchanges
   with a single four-message exchange (with changes in authentication
   mechanisms affecting only a single AUTH payload rather than
   restructuring the entire exchange) see [PK01];

Simplify the eight different initial exchanges of IKEv1 into the single four-message exchange of IKEv2 (changes to the authentication mechanism affect only a single AUTH payload rather than restructuring the whole exchange);

   3) To remove the Domain of Interpretation (DOI), Situation (SIT), and
   Labeled Domain Identifier fields, and the Commit and Authentication
   only bits;

Remove the Domain of Interpretation (DOI), Situation (SIT) and Labeled Domain Identifier fields, as well as the Commit and Authentication Only bits;

   4) To decrease IKE's latency in the common case by making the initial
   exchange be 2 round trips (4 messages), and allowing the ability to
   piggyback setup of a CHILD_SA on that exchange;

Reduce IKE latency in the common case by making the initial exchange only 2 round trips (4 messages in total), and allow a CHILD_SA to be set up on that same exchange;

   5) To replace the cryptographic syntax for protecting the IKE
   messages themselves with one based closely on ESP to simplify
   implementation and security analysis;

Replace the cryptographic syntax used to protect the IKE messages themselves with one closely based on ESP, simplifying implementation and security analysis;

   6) To reduce the number of possible error states by making the
   protocol reliable (all messages are acknowledged) and sequenced.
   This allows shortening CREATE_CHILD_SA exchanges from 3 messages to
   2;

Reduce the number of possible error states by making the protocol reliable (every message is acknowledged) and sequenced; this shortens the CHILD_SA creation exchange from 3 messages to 2;

   7) To increase robustness by allowing the responder to not do
   significant processing until it receives a message proving that the
   initiator can receive messages at its claimed IP address, and not
   commit any state to an exchange until the initiator can be
   cryptographically authenticated;

Increase robustness by allowing the responder to do no significant processing until it receives a message proving that the initiator can receive at its claimed IP address, and to commit no state to the exchange until the initiator can be cryptographically authenticated;
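As an added illustration of points 2, 4, 6 and 7 above, the following Python model walks through the IKEv2 initial exchange: two round trips (IKE_SA_INIT then IKE_AUTH), request/response pairing by Message ID with retransmits answered from a cache, a CHILD_SA carried on IKE_AUTH, and the responder's stateless cookie, computed in the form RFC 4306 section 2.6 suggests (<VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)). This is constructed example code, not code from RFC 4306 or from the original page: there is no Diffie-Hellman, no wire encoding, the AUTH payload is a toy HMAC over a made-up pre-shared key, and the SA proposals, traffic selectors and addresses are placeholder values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed model of the IKEv2 initial exchange (RFC 4306 sections 1.2, 2.2
# and 2.6). Not an IKE implementation: no Diffie-Hellman, no wire encoding and
# a toy AUTH. It shows only: two round trips, Message ID sequencing, a CHILD_SA
# piggybacked on IKE_AUTH, and a stateless cookie so the responder stores
# nothing until the initiator proves it can receive at the address it claims.

SECRET_VERSION = 1                        # <VersionIDofSecret>, RFC 4306 2.6
PSK = b"constructed-shared-secret"        # assumed pre-shared key for the toy AUTH
PROPOSAL = "AES-CBC-128/HMAC-SHA1-96/DH-group-14"   # constructed SA proposal
NO_SPI = b"\0" * 8                        # responder SPI before one is chosen


@dataclass
class Message:
    spi_i: bytes
    spi_r: bytes
    msg_id: int
    exchange: str                         # "IKE_SA_INIT" or "IKE_AUTH"
    is_response: bool
    payloads: dict = field(default_factory=dict)


def toy_auth(own_nonce: bytes, peer_nonce: bytes, ident: bytes) -> bytes:
    """Stand-in for AUTH: binds both nonces and the signer's identity (not the real IKEv2 construction)."""
    return hmac.new(PSK, own_nonce + peer_nonce + ident, hashlib.sha256).digest()


class Responder:
    def __init__(self, under_load: bool):
        self.secret = os.urandom(32)      # cookie secret; rotated periodically in practice
        self.under_load = under_load      # challenge only while half-open SAs pile up
        self.half_open = {}               # SPIi -> state, created only after the cookie check
        self.child_sas = []
        self.last_response = {}           # (SPIi, Message ID) -> response, for retransmits

    def cookie(self, ni: bytes, ip_i: str, spi_i: bytes) -> bytes:
        # RFC 4306 2.6: Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        mac = hmac.new(self.secret, ni + ip_i.encode() + spi_i, hashlib.sha256).digest()
        return bytes([SECRET_VERSION]) + mac

    def handle(self, req: Message, ip_i: str) -> Message:
        if req.is_response:
            raise ValueError("responder only processes requests")
        key = (req.spi_i, req.msg_id)
        if key in self.last_response:     # retransmitted request: resend, never reprocess
            return self.last_response[key]
        if req.exchange == "IKE_SA_INIT" and req.msg_id == 0:
            resp = self._sa_init(req, ip_i)
        elif req.exchange == "IKE_AUTH" and req.msg_id == 1:
            resp = self._auth(req)
        else:
            raise ValueError(f"unexpected {req.exchange} with Message ID {req.msg_id}")
        if resp.spi_r != NO_SPI:          # a cookie challenge leaves no state behind
            self.last_response[key] = resp
        return resp

    def _sa_init(self, req: Message, ip_i: str) -> Message:
        expected = self.cookie(req.payloads["Ni"], ip_i, req.spi_i)
        if self.under_load and not hmac.compare_digest(req.payloads.get("N(COOKIE)", b""), expected):
            # Prove reachability first: repeat IKE_SA_INIT from that address carrying this cookie.
            return Message(req.spi_i, NO_SPI, 0, "IKE_SA_INIT", True, {"N(COOKIE)": expected})
        spi_r, nr = os.urandom(8), os.urandom(32)
        self.half_open[req.spi_i] = {"spi_r": spi_r, "Ni": req.payloads["Ni"], "Nr": nr}
        return Message(req.spi_i, spi_r, 0, "IKE_SA_INIT", True,
                       {"SAr1": req.payloads["SAi1"], "Nr": nr})

    def _auth(self, req: Message) -> Message:
        st = self.half_open.pop(req.spi_i, None)
        if st is None or req.spi_r != st["spi_r"]:
            raise ValueError("IKE_AUTH for an unknown IKE_SA")
        expected = toy_auth(st["Ni"], st["Nr"], req.payloads["IDi"])
        if not hmac.compare_digest(req.payloads["AUTH"], expected):
            raise ValueError("initiator authentication failed")
        # Only now is durable state committed; the CHILD_SA rides on this same exchange.
        p = req.payloads
        self.child_sas.append((req.spi_i, p["SAi2"], p["TSi"], p["TSr"]))
        return Message(req.spi_i, st["spi_r"], 1, "IKE_AUTH", True,
                       {"IDr": b"responder", "AUTH": toy_auth(st["Nr"], st["Ni"], b"responder"),
                        "SAr2": p["SAi2"], "TSi": p["TSi"], "TSr": p["TSr"]})


def run_initial_exchange(responder: Responder, ip_i: str = "192.0.2.10") -> list:
    """Drive one initiator through IKE_SA_INIT and IKE_AUTH; return every message sent."""
    spi_i, ni = os.urandom(8), os.urandom(32)
    init = {"SAi1": PROPOSAL, "Ni": ni}
    log = [Message(spi_i, NO_SPI, 0, "IKE_SA_INIT", False, dict(init))]
    log.append(responder.handle(log[-1], ip_i))
    if "N(COOKIE)" in log[-1].payloads:   # challenged: one extra round trip, then continue
        log.append(Message(spi_i, NO_SPI, 0, "IKE_SA_INIT", False,
                           {"N(COOKIE)": log[-1].payloads["N(COOKIE)"], **init}))
        log.append(responder.handle(log[-1], ip_i))
    spi_r, nr = log[-1].spi_r, log[-1].payloads["Nr"]
    log.append(Message(spi_i, spi_r, 1, "IKE_AUTH", False,
                       {"IDi": b"initiator", "AUTH": toy_auth(ni, nr, b"initiator"),
                        "SAi2": "ESP/AES-CBC-128", "TSi": "192.0.2.0/24", "TSr": "198.51.100.0/24"}))
    log.append(responder.handle(log[-1], ip_i))
    return log
```

With `under_load=False` the exchange is exactly four messages and the responder ends with one CHILD_SA and no half-open state; with `under_load=True` the first IKE_SA_INIT is answered by a cookie notify that allocates nothing, and only the repeated request that echoes the cookie creates state. A retransmitted IKE_AUTH request is answered with the cached response rather than reprocessed, which is the sequencing property point 6 relies on.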

   8) To fix cryptographic weaknesses such as the problem with
   symmetries in hashes used for authentication documented by Tero
   Kivinen;

Fix cryptographic weaknesses, such as the symmetry problem in the hashes used for authentication documented by Tero Kivinen;

   9) To specify Traffic Selectors in their own payloads type rather
   than overloading ID payloads, and making more flexible the Traffic
   Selectors that may be specified;

Specify Traffic Selectors in their own payload type instead of overloading the ID payload, making the Traffic Selectors that can be specified more flexible;

   10) To specify required behavior under certain error conditions or
   when data that is not understood is received, to make it easier to
   make future revisions that do not break backward compatibility;

Specify the required behaviour under certain error conditions or when data that is not understood is received, making it easier to produce future revisions that do not break backward compatibility;

   11) To simplify and clarify how shared state is maintained in the
   presence of network failures and Denial of Service attacks; and

Simplify and clarify how shared state is maintained in the presence of network failures and denial-of-service attacks; and

   12) To maintain existing syntax and magic numbers to the extent
   possible to make it likely that implementations of IKEv1 can be
   enhanced to support IKEv2 with minimum effort.

Retain existing syntax and magic numbers as far as possible, so that existing IKEv1 implementations can be enhanced to support IKEv2 with minimum effort.

Original text: http://www.ietf.org/rfc/rfc4306.txt?number=4306

Responsible editor: webmaster
