Monday, February 25, 2008

Why is IKEv2 better than IKEv1?

IMO, any new deployment should go with IKEv2. It provides several advantages over IKEv1.

  • IKEv2 is lighter on bandwidth and faster.
    • Fewer messages are needed to establish a tunnel.
  • IKEv2 provides built-in NAT traversal.
    • IKEv1 does not provide this facility. An internet draft was created to add it to IKEv1, but since that draft is not standardized, there may be interoperability issues.
  • IKEv2 has built-in tunnel liveness checks.
    • If the tunnel is torn down on the peer, IKEv2 has a facility to detect this and re-establish the tunnel.
    • IKEv1 does not have this functionality, though an internet draft is available.
  • IKEv2 provides comprehensive authentication capabilities.
    • It supports pre-shared key authentication and certificate authentication; IKEv1 also has these.
    • More importantly, it provides EAP authentication and is therefore suitable for integration with existing enterprise authentication systems. IKEv1 does not have this capability.
  • IKEv2 has a companion document for working with changing IP addresses on devices.
    • The MOBIKE standard is only supported on IKEv2.
  • IKEv2 has a facility to negotiate multiple sets of selectors.
    • Many networks/ranges can be negotiated in one exchange, so the number of policy records can be much smaller when sites have multiple networks.
    • In IKEv1, each pair of networks needs to be defined in its own policy record in the SPD.
  • IKEv2 has a clear method to choose a subset of selectors when both sites are not configured with exactly the same selector values.
    • In case of a mismatch, IKEv2 has better mechanisms to converge.
If you are newly deploying IPsec gateways or thinking of upgrading IPsec-based security gateways, consider using IKEv2.
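To make the last two points concrete, here is an added example (not code from the original post) that models IKEv2 traffic-selector narrowing in the style of RFC 7296 section 2.9 and contrasts it with IKEv1 Quick Mode, where the single IDci/IDcr pair has to match an SPD record exactly. The class and function names (`TrafficSelector`, `narrow_set`, `ikev2_responder_select`, `ikev1_quick_mode_accepts`) and the sample address ranges are hypothetical and constructed for the illustration; the responder narrows the initiator's TSi against its remote policy and TSr against its local policy, several selectors can be carried in one exchange, and an empty intersection stands for a TS_UNACCEPTABLE reply.

```python
"""IKEv2 traffic-selector narrowing versus IKEv1 Quick Mode matching.
Added example, not from the original post; helper names are hypothetical.
Selector semantics follow RFC 7296 section 2.9 (lists of TSi/TSr, responder
may choose a subset). Sample networks below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TrafficSelector:
    """One TS entry: protocol (0 = any), an address range and a port range."""
    proto: int
    start_addr: str
    end_addr: str
    start_port: int = 0
    end_port: int = 65535

    @classmethod
    def from_cidr(cls, cidr: str, proto: int = 0,
                  ports: Tuple[int, int] = (0, 65535)) -> "TrafficSelector":
        net = ip_network(cidr, strict=False)
        return cls(proto, str(net.network_address), str(net.broadcast_address),
                   ports[0], ports[1])


def narrow(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Intersection of two selectors, or None when they do not overlap."""
    lo_a, lo_b = ip_address(a.start_addr), ip_address(b.start_addr)
    if lo_a.version != lo_b.version:          # TS types (IPv4/IPv6) must agree
        return None
    if a.proto and b.proto and a.proto != b.proto:
        return None
    lo = max(lo_a, lo_b)
    hi = min(ip_address(a.end_addr), ip_address(b.end_addr))
    if lo > hi:
        return None
    plo = max(a.start_port, b.start_port)
    phi = min(a.end_port, b.end_port)
    if plo > phi:
        return None
    return TrafficSelector(a.proto or b.proto, str(lo), str(hi), plo, phi)


def narrow_set(proposed: List[TrafficSelector],
               policy: List[TrafficSelector]) -> List[TrafficSelector]:
    """Narrow every proposed selector against every policy selector and keep
    the non-empty intersections; one IKEv2 exchange can carry several."""
    result: List[TrafficSelector] = []
    for p in proposed:
        for q in policy:
            n = narrow(p, q)
            if n is not None and n not in result:
                result.append(n)
    return result


def ikev2_responder_select(tsi, tsr, local_policy, remote_policy):
    """What an IKEv2 responder answers with: the initiator's TSi is narrowed
    against the responder's remote policy, TSr against its local policy.
    None stands for a TS_UNACCEPTABLE notification (nothing overlaps)."""
    chosen_tsi = narrow_set(tsi, remote_policy)
    chosen_tsr = narrow_set(tsr, local_policy)
    if not chosen_tsi or not chosen_tsr:
        return None
    return chosen_tsi, chosen_tsr


def ikev1_quick_mode_accepts(idci, idcr, policy_pairs) -> bool:
    """IKEv1 Quick Mode has no narrowing: the single IDci/IDcr pair must match
    one (local, remote) SPD record exactly or the negotiation fails."""
    return any(idcr == local and idci == remote for local, remote in policy_pairs)


if __name__ == "__main__":
    # Constructed sample: the initiator proposes whole /16s while the
    # responder's SPD only covers a /24 on its own side.
    tsi = [TrafficSelector.from_cidr("10.1.0.0/16")]
    tsr = [TrafficSelector.from_cidr("10.2.0.0/16")]
    local = [TrafficSelector.from_cidr("10.2.5.0/24")]
    remote = [TrafficSelector.from_cidr("10.1.0.0/16")]
    print("IKEv2 narrowed:", ikev2_responder_select(tsi, tsr, local, remote))
    print("IKEv1 exact match:",
          ikev1_quick_mode_accepts(tsi[0], tsr[0], [(local[0], remote[0])]))
```

Running the block shows the IKEv2 responder converging on 10.2.5.0/24 for its side while the IKEv1 check on the same input simply fails, which is the mismatch behaviour the post refers to; in a real gateway the narrowed result is what gets installed as the child SA's selectors, so it is worth logging it and comparing it against the intended SPD when two sites are administered separately.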


RSJ said...

1. Why is IKEv2 better for a user, related to TS negotiation?
2. Regarding EAP authentication, is it supported using X-AUTH in IKEv1 also?

abbas said...

1. Traffic selector negotiation can serve as a consistency check in some scenarios to assure that SPDs are consistent.

2. Yes, but EAP has so many flavours...