IKEv2与IKEv1的差异
Excerpted from RFC 4306, Appendix A (the RFC's original wording is given first, followed by a translation of the author's gloss):

1. To define the entire IKE protocol in a single document, replacing RFCs 2407, 2408, and 2409 and incorporating subsequent changes to support NAT Traversal, Extensible Authentication, and Remote Address acquisition;
   Define the whole IKE protocol in one document, replacing RFC 2407, 2408 and 2409 and folding in the later changes for NAT traversal (NAT-T), extended authentication (XAUTH) and remote address acquisition;

2. To simplify IKE by replacing the eight different initial exchanges with a single four-message exchange (with changes in authentication mechanisms affecting only a single AUTH payload rather than restructuring the entire exchange) (see [PK01]);
   Simplify the eight initial exchanges of IKEv1 into a single four-message exchange in IKEv2 (a change to the authentication mechanism then affects only a single AUTH payload instead of restructuring the entire exchange);

3. To remove the Domain of Interpretation (DOI), Situation (SIT), and Labeled Domain Identifier fields, and the Commit and Authentication-only bits;
   Remove the Domain of Interpretation (DOI), Situation (SIT) and Labeled Domain Identifier fields, as well as the Commit and Authentication-only bits;

4. To decrease IKE's latency in the common case by making the initial exchange be 2 round trips (4 messages), and allowing the ability to piggyback setup of a CHILD_SA on that exchange;
   Reduce IKE latency in the common case by making the initial exchange only 2 round trips (4 messages), and allow a child SA to be set up on that same exchange;

5. To replace the cryptographic syntax for protecting the IKE messages themselves with one based closely on ESP to simplify implementation and security analysis;
   Replace the cryptographic syntax used to protect the IKE messages themselves with one closely modelled on ESP, to simplify implementation and security analysis;

6. To reduce the number of possible error states by making the protocol reliable (all messages are acknowledged) and sequenced. This allows shortening CREATE_CHILD_SA exchanges from 3 messages to 2;
   Reduce the number of possible error states by making the protocol reliable (every message is acknowledged) and sequenced; this shortens the child SA creation exchange from 3 messages to 2;

7. To increase robustness by allowing the responder to not do significant processing until it receives a message proving that the initiator can receive messages at its claimed IP address, and not commit any state to an exchange until the initiator can be cryptographically authenticated;
   Increase robustness by allowing the responder to defer significant processing until it receives a message proving that the initiator can receive data at its claimed IP address, and by not committing any state to an exchange until the initiator can be cryptographically authenticated;

8. To fix cryp