Differences between IKEv2 and IKEv1

Excerpted from RFC 4306, Appendix A

   1) To define the entire IKE protocol in a single document, replacing
   RFCs 2407, 2408, and 2409 and incorporating subsequent changes to
   support NAT Traversal, Extensible Authentication, and Remote Address
   acquisition;

Define the entire IKE protocol in a single document, replacing RFC 2407, 2408 and 2409 and incorporating the subsequent changes that support NAT Traversal (NAT-T),
Extensible Authentication (XAUTH), and remote address acquisition;

   2) To simplify IKE by replacing the eight different initial exchanges
   with a single four-message exchange (with changes in authentication
   mechanisms affecting only a single AUTH payload rather than
   restructuring the entire exchange) see [PK01];

Simplify the eight different initial exchanges of IKEv1 into a single four-message exchange in IKEv2 (changes to the authentication mechanism affect only a single AUTH payload rather than restructuring the entire exchange);

   3) To remove the Domain of Interpretation (DOI), Situation (SIT), and
   Labeled Domain Identifier fields, and the Commit and Authentication
   only bits;

Remove the Domain of Interpretation (DOI), Situation (SIT), and Labeled Domain Identifier fields, as well as the Commit and Authentication-only bits;

   4) To decrease IKE's latency in the common case by making the initial
   exchange be 2 round trips (4 messages), and allowing the ability to
   piggyback setup of a CHILD_SA on that exchange;

Reduce IKE's latency in the common case by making the initial exchange only 2 round trips (4 messages), and allowing a CHILD_SA to be set up piggybacked on that exchange;

   5) To replace the cryptographic syntax for protecting the IKE
   messages themselves with one based closely on ESP to simplify
   implementation and security analysis;

Replace the cryptographic syntax used to protect the IKE messages themselves with one closely based on ESP, to simplify implementation and security analysis;

   6) To reduce the number of possible error states by making the
   protocol reliable (all messages are acknowledged) and sequenced.
   This allows shortening CREATE_CHILD_SA exchanges from 3 messages to
   2;

Reduce the number of possible error states by making the protocol reliable (all messages are acknowledged) and sequenced; this allows the CREATE_CHILD_SA exchange to be shortened from 3 messages to 2;

   7) To increase robustness by allowing the responder to not do
   significant processing until it receives a message proving that the
   initiator can receive messages at its claimed IP address, and not
   commit any state to an exchange until the initiator can be
   cryptographically authenticated;

Increase robustness by allowing the responder to do no significant processing until it receives a message proving that the initiator can receive messages at its claimed IP address, and not to commit any state to an exchange until the initiator can be cryptographically authenticated;

   8) To fix cryptographic weaknesses such as the problem with
   symmetries in hashes used for authentication documented by Tero
   Kivinen;

Fix cryptographic weaknesses, such as the problem with symmetries in the hashes used for authentication documented by Tero Kivinen;

   9) To specify Traffic Selectors in their own payloads type rather
   than overloading ID payloads, and making more flexible the Traffic
   Selectors that may be specified;

Specify Traffic Selectors in their own payload type rather than overloading the ID payloads, making the Traffic Selectors that can be specified more flexible;

   10) To specify required behavior under certain error conditions or
   when data that is not understood is received, to make it easier to
   make future revisions that do not break backward compatibility;

Specify the required behavior under certain error conditions or when data that is not understood is received, making it easier to make future revisions that do not break backward compatibility;

   11) To simplify and clarify how shared state is maintained in the
   presence of network failures and Denial of Service attacks; and

Simplify and clarify how shared state is maintained in the presence of network failures and Denial of Service attacks; and

   12) To maintain existing syntax and magic numbers to the extent
   possible to make it likely that implementations of IKEv1 can be
   enhanced to support IKEv2 with minimum effort.

Maintain existing syntax and magic numbers to the extent possible, so that existing IKEv1 implementations can be enhanced to support IKEv2 with minimum effort.