I am neither especially clever nor especially gifted.I am only very, very curious.

5mouth Archive Project

Stay Hungry · Stay Foolish



IKEv1与IKEv2对比 - 5mouth

IKEv1与IKEv2对比

Table IKEv1 IKEv2 注释
SA IPsec SA Child SA RFC60711
Exchange modes Main mode: 9 messages
Aggressive mode: 6 messages		 Only 4 messages. RFC24092
身份验证方法 Pre-Shared Key (PSK)3
Digital Signature (RSA-Sig)4
Public Key Encryption5
Revised Mode of Public key Encryption6		 Pre-Shared Key (PSK)7
Digital Signature (RSA-Sig)8		 RFC2049
RFC6738
RFC7427
身份验证方法 两端认证必须配置相同 两端认证配置可以不同 RFC60719
流量选择器
(Traffic selector)		 每个IPsec SA仅允许源IP范围,目标IP范围,源端口和目标端口的组合。
需要在对等体之间精确地匹配流量选择器。		 多个组合,每个子SA允许源IP范围,目标IP范围,
源端口范围和目标端口范围。		 RFC599610
SA老化 需要对等体支持 没有协商,每个对等体可以通过交换DELETE有效载荷随时删除SA。 RFC599611
多主机 不支持 通过在单个IP地址和端口对上使用多个ID来支持 RFC455512
密钥 没有定义 定义 RFC599613
NAT穿越 需要在扩展中进行支持 默认即支持 RFC599614
远程接入VPN 不支持,需要特定厂商进行支持例如Cisco的Extended Authentication (XAUTH) 默认支持:
Extensible Authentication Protocol (EAP)
通过EAP的用户认证与IKE的认证进行关联配置Configuration payload (CP)		 RFC510615
DoS防护 不支持 支持Anti-replay,’Cookies’支持缓解洪泛攻击(flooding attacks),修复IKEv1漏洞 RFC631116
传输可靠性 相对可靠性低 消息以请求-回复的方式交互
定义了删除SA的操作
定义了消息重传		 RFC4306 17
扩展性 扩展性弱 IKEv2的重定向机制(RFC5685)
IKEv2会话恢复(RFC5723)
协议支持IKEv2 / IPsec的高可用性(RFC6311)
IKEv2中的仅EAP认证的扩展(RFC5998)
一个快速故障检测方法Internet密钥交换协议(IKE)(RFC6290)		 -

参考文献

  1. RFC6071: It is called the IPsec SA in IKEv1 and, in the IKEv2 RFCs, it is referred to variously as a CHILD_SA, a child SA, and an IPsec SA. This document uses the term “IPsec SA”. To further complicate the terminology, since IKEv1 consists of two sequential negotiations, called phases, the IKE SA is also referred to as a Phase 1 SA and the IPsec SA is referred to as a Phase 2 SA.
  2. RFC2409: 7 Payload Explosion of Complete Exchange
  3. RFC2409: 5.4 Authentication with a Pre-Shared Key
  4. RFC2409: 5.1 Authentication with Digital Signatures
  5. RFC2409: 5.2 Authentication with Public Key Encryption
  6. RFC2409: 5.3 A Revised method of Authentication with Public Key Encryption
  7. RFC6738
  8. RFC7427
  9. RFC6071: 2.3.1 Differences between IKEv1 and IKEv2
  10. RFC5996: 2.9. Traffic Selector Negotiation
  11. RFC5996: 2.8. Rekeying
  12. RFC4555
  13. RFC5996: 2.8. Rekeying
  14. RFC5996: 2.23. NAT Traversal
  15. RFC5106:
  16. RFC6311: 4. The IKEv2/IPsec SA Counter Synchronization Problem
  17. RFC4306: 2.1. Use of Retransmission Timers