IKEv2和IKEv1差异.docVIP

IKEv2与IKEv1的差异IKEv2与IKEv1的差异?摘自RFC4306, 附录 A?? 1) To define the entire IKE protocol in a single document, replacing?? RFCs 2407, 2408, and 2409 and incorporating subsequent changes to?? support NAT Traversal, Extensible Authentication, and Remote Address?? acquisition;在一个单一文件中定义整个IKE协议, 替代RFC2407, 2408和2409以及后续的用于支持NAT穿越(NAT-T),扩展认证(XAUTH), 远程地址获取的相关修改；?? 2) To simplify IKE by replacing the eight different initial exchanges?? with a single four-message exchange (with changes in authentication?? mechanisms affecting only a single AUTH payload rather than?? restructuring the entire exchange) see [PK01];简化IKEv1中的8次初始交换为IKEv2中的4个消息交换(认证机制中的修改只影响单一的一个认证载荷而不是重构整个交换)；?? 3) To remove the Domain of Interpretation (DOI), Situation (SIT), and?? Labeled Domain Identifier fields, and the Commit and Authentication?? only bits;去掉了解释域（DOI），情形（SIT）和标签域标志符字段，而且提交和认证只是按位处理；?? 4) To decrease IKEs latency in the common case by making the initial?? exchange be 2 round trips (4 messages), and allowing the ability to?? piggyback setup of a CHILD_SA on that exchange;通过只进行2轮的初始化交换（供4个消息），来减少通常情况下的IKE延迟，而且允许在交换中就建立子SA的能力；?? 5) To replace the cryptographic syntax for protecting the IKE?? messages themselves with one based closely on ESP to simplify?? implementation and security analysis;替换用于保护IKE消息自己的加密的语法为和ESP类似的方法，用于简化具体实现和安全分析；?? 6) To reduce the number of possible error states by making the?? protocol reliable (all messages are acknowledged) and sequenced.?? This allows shortening CREATE_CHILD_SA exchanges from 3 messages to?? 2;减少了可能的错误状态使协议更可靠(所有消息都要确认)和有序，这使得建立子SA的信息交换从3个消息减少到2个；?? 7) To increase robustness by allowing the responder to not do?? significant processing until it receives a message proving that the?? initiator can receive messages at its claimed IP address, and not?? commit any state to an exchange until the initiator can be?? cryptographically authenticated;通过允许响应者在接收到可证明发起者能够以其声称的IP地址接收数据的消息前不进行重要处理，增加了协议鲁棒性，而且不提交任何状态进行交换直到发起者能进行加密地鉴别数据；?