Monday, February 25, 2008

Why is IKEv2 better than IKEv1?

IMO, any new deployment should go with IKEv2. It provides several advantages over IKEv1.

  • IKEv2 is lighter on bandwidth and faster to set up.
    • Fewer messages are needed to establish a tunnel (four for the first tunnel, versus nine for IKEv1 main mode followed by quick mode).
  • IKEv2 provides inbuilt NAT traversal.
    • IKEv1 does not provide this facility natively. An Internet draft was written to add it to IKEv1, but since that draft is not standardized, there may be interoperability issues.
  • IKEv2 has inbuilt tunnel liveness checks.
    • If the tunnel goes down on the peer, IKEv2 can detect this and re-establish the tunnel.
    • IKEv1 does not have this functionality, although an Internet draft is available.
  • IKEv2 provides comprehensive authentication capabilities.
    • It supports pre-shared key and certificate authentication, as IKEv1 does.
    • More importantly, it provides EAP authentication, so it can integrate with the authentication systems enterprises already run. IKEv1 does not have this capability.
  • IKEv2 has a companion standard for devices whose IP addresses change.
    • MOBIKE is only supported on IKEv2.
  • IKEv2 can negotiate multiple sets of traffic selectors.
    • Many networks/ranges can be negotiated in one exchange, so far fewer policy records are needed when sites have multiple networks.
    • In IKEv1, each pair of networks needs its own policy record in the SPD.
  • IKEv2 has a clear method for choosing a subset of selectors when the two sites are not configured with identical selector values.
    • On a mismatch, the responder can narrow the proposal to the subset its policy accepts, so the two sides converge instead of failing.
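As an added illustration of the NAT traversal bullet (this is example code, not something from the original post), here is how IKEv2 detects a NAT in the first place, following the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifies of RFC 7296 section 2.23. Each side hashes the SPIs together with the address and port it believes it is using; the receiver recomputes the hash from the headers it actually saw, and a mismatch means a NAT rewrote that address. The SPIs and addresses below are constructed sample values (RFC 5737 documentation ranges).

```python
"""Added example: IKEv2 NAT detection (RFC 7296, section 2.23).

Not code from the original post; SPIs and addresses are constructed.
"""
import hashlib
import struct
from ipaddress import ip_address
from typing import NamedTuple


def nat_detection_hash(spi_i: bytes, spi_r: bytes, addr: str, port: int) -> bytes:
    """Notify payload data: SHA-1 over SPIi | SPIr | IP address | UDP port.

    SPIs are 8 bytes each, in header order; in the initiator's first
    IKE_SA_INIT message SPIr is still all zeros.  Port is 16-bit big-endian.
    """
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes")
    data = spi_i + spi_r + ip_address(addr).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


class NatResult(NamedTuple):
    peer_behind_nat: bool   # the peer's source address/port was rewritten
    self_behind_nat: bool   # our own address (the packet destination) was rewritten


def detect_nat(spi_i: bytes, spi_r: bytes, recv_src_hash: bytes, recv_dst_hash: bytes,
               observed_src: str, observed_src_port: int,
               observed_dst: str, observed_dst_port: int) -> NatResult:
    """Receiver side: compare the peer's notifies with hashes of the observed headers."""
    peer_nat = recv_src_hash != nat_detection_hash(spi_i, spi_r, observed_src, observed_src_port)
    self_nat = recv_dst_hash != nat_detection_hash(spi_i, spi_r, observed_dst, observed_dst_port)
    return NatResult(peer_nat, self_nat)


# Constructed sample: the initiator sits on a private LAN behind a NAT.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes(8)                              # unknown to the initiator yet, so zero
INITIATOR_PRIVATE = ("192.168.1.10", 500)     # where the initiator thinks it sends from
NAT_PUBLIC = ("203.0.113.5", 40001)           # what the responder actually sees
RESPONDER = ("198.51.100.1", 500)


def initiator_notifies(spi_i=SPI_I, spi_r=SPI_R, src=INITIATOR_PRIVATE, dst=RESPONDER):
    """The two notify payloads the initiator places in its IKE_SA_INIT request."""
    return (nat_detection_hash(spi_i, spi_r, src[0], src[1]),
            nat_detection_hash(spi_i, spi_r, dst[0], dst[1]))


def responder_view(nat_present: bool = True) -> NatResult:
    """Run detection as the responder.  With nat_present the request arrives
    from the NAT's public address/port instead of the initiator's private one."""
    src_hash, dst_hash = initiator_notifies()
    seen_src = NAT_PUBLIC if nat_present else INITIATOR_PRIVATE
    return detect_nat(SPI_I, SPI_R, src_hash, dst_hash,
                      seen_src[0], seen_src[1], RESPONDER[0], RESPONDER[1])


if __name__ == "__main__":
    print(responder_view(True))   # NatResult(peer_behind_nat=True, self_behind_nat=False)
    print(responder_view(False))  # NatResult(peer_behind_nat=False, self_behind_nat=False)
```

Once either side sees a mismatch, the real protocol switches the IKE and ESP traffic to UDP port 4500 (ESP with the non-ESP marker) and starts NAT keepalives; this snippet only covers the detection step, which is the part IKEv1 had to borrow from a separate draft.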

If you are newly deploying IPsec gateways or thinking of upgrading IPsec based security gateways, consider using IKEv2.
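The last two bullets, on multiple selectors and convergence on a mismatch, are the most concrete difference between the two versions, so here is the responder-side narrowing of RFC 7296 section 2.9 worked through in code. This is an added example, not code from the post: the hub and branch policies are constructed, and the `ikev1_quick_mode_match` function models the exact-match behaviour typical of IKEv1 Quick Mode implementations for contrast.

```python
"""Added example: IKEv2 traffic-selector narrowing (RFC 7296, section 2.9).

Not code from the original post; the hub/branch policies are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY_PROTO = 0  # IKEv2 protocol id 0 means "any protocol"


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE: protocol, port range and address range."""
    proto: int
    start_port: int
    end_port: int
    start_addr: IPv4Address
    end_addr: IPv4Address

    @classmethod
    def from_cidr(cls, cidr: str, proto: int = ANY_PROTO,
                  ports: Tuple[int, int] = (0, 65535)) -> "TrafficSelector":
        net = IPv4Network(cidr)
        return cls(proto, ports[0], ports[1], net.network_address, net.broadcast_address)


def intersect(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Return the overlap of two selectors, or None if they are disjoint."""
    # Protocol 0 matches anything; otherwise both must name the same protocol.
    if a.proto != ANY_PROTO and b.proto != ANY_PROTO and a.proto != b.proto:
        return None
    proto = b.proto if a.proto == ANY_PROTO else a.proto
    sp, ep = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    if sp > ep:
        return None
    sa, ea = max(a.start_addr, b.start_addr), min(a.end_addr, b.end_addr)
    if sa > ea:
        return None
    return TrafficSelector(proto, sp, ep, sa, ea)


def narrow(proposed: List[TrafficSelector], policy: List[TrafficSelector]) -> List[TrafficSelector]:
    """Narrow the initiator's TS list to what the responder's policy permits.

    Every pairwise overlap is kept, so one exchange carries several ranges.
    The first proposed TS describes the triggering packet, so its overlaps
    come first, as the RFC recommends.
    """
    result: List[TrafficSelector] = []
    for p in proposed:
        for q in policy:
            ts = intersect(p, q)
            if ts is not None and ts not in result:
                result.append(ts)
    return result


class TSUnacceptable(Exception):
    """Raised where a real responder would send a TS_UNACCEPTABLE notify."""


def negotiate(tsi, tsr, policy_local, policy_remote):
    """Responder-side selector negotiation for a CHILD_SA.

    tsi/tsr are the initiator's proposals; policy_local is what this gateway
    protects (matched against TSr), policy_remote who it will talk to (TSi).
    """
    chosen_tsi = narrow(tsi, policy_remote)
    chosen_tsr = narrow(tsr, policy_local)
    if not chosen_tsi or not chosen_tsr:
        raise TSUnacceptable("no overlap between proposal and local policy")
    return chosen_tsi, chosen_tsr


def ikev1_quick_mode_match(proposed_id, policy_id) -> bool:
    """Contrast: IKEv1 Quick Mode has no narrowing, so the ID payloads must
    equal the SPD entry exactly, one network pair per negotiation."""
    return proposed_id == policy_id


# Constructed sample: a hub proposes three branch networks in one exchange,
# but the branch only protects part of what was proposed and wants TCP only.
HUB_TSI = [TrafficSelector.from_cidr("10.1.0.0/16")]
HUB_TSR = [TrafficSelector.from_cidr("10.2.0.0/16"),
           TrafficSelector.from_cidr("10.3.0.0/16"),
           TrafficSelector.from_cidr("10.4.0.0/16")]
BRANCH_LOCAL = [TrafficSelector.from_cidr("10.2.0.0/24"),
                TrafficSelector.from_cidr("10.3.0.0/16")]
BRANCH_REMOTE = [TrafficSelector.from_cidr("10.1.0.0/16", proto=6)]

if __name__ == "__main__":
    tsi, tsr = negotiate(HUB_TSI, HUB_TSR, BRANCH_LOCAL, BRANCH_REMOTE)
    for ts in tsi + tsr:
        print(f"proto={ts.proto} {ts.start_addr}-{ts.end_addr} ports {ts.start_port}-{ts.end_port}")
```

The branch ends up with a TCP-only selector towards 10.1.0.0/16 and two narrowed ranges on its side (10.2.0.0/24 and 10.3.0.0/16), with 10.4.0.0/16 silently dropped rather than the whole negotiation failing; the `ikev1_quick_mode_match` check would have rejected the same proposal outright, which is the consistency-check angle raised in the comments.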

2 comments:

RSJ said...

1. Why is IKEv2 better for a user with respect to TS negotiation?
2. Regarding EAP authentication, is it supported using X-AUTH in IKEv1 also?

abbas said...

1. Traffic selector negotiation can serve as a consistency check in some scenarios to assure that SPDs are consistent.

2. Yes, but EAP has so many flavours...