
VPN technologies and supporting protocols
Khoa CNTT ĐHSP KT Hưng Yên (Faculty of Information Technology, Hung Yen University of Technology and Education) | Science and Technology | PDF

Tunneling and encryption
The main job of a VPN is to carry encrypted traffic through a tunnel built on top of a shared network infrastructure.
Tunneling
Tunneling is a central concept of VPNs: it lets an organisation build virtual networks on top of public networks, and the virtual network admits only authorised users. A tunnel is a logical point-to-point connection across the Internet or another public network. To keep data safe in transit, it is encrypted before it is sent, so that only the sender and the intended receiver can read what travels through the tunnel. Tunneling is what gives a VPN its "private" character on a shared network; note that the tunnel alone only separates traffic logically, and it is the encryption of what enters the tunnel (next section) that provides confidentiality.
To see in detail what happens to a packet as it crosses a tunnel, we look at one typical tunnelling protocol, GRE. GRE is also the tunnelling protocol used by PPTP, Microsoft's widely used protocol for point-to-point and remote-access VPN connections.
Microsoft uses the Routing and Remote Access service (RRAS) to route between LANs, as in the following figure:
(Figure: RRAS routing between LANs; image not reproduced.)
The GRE packet format, which is also the encapsulation Microsoft uses for this data, is as follows:
(Figure: GRE packet format; image not reproduced.)
Data travelling from the client to the VPN gateway is first encapsulated in PPP (Point-to-Point Protocol) with a PPP header. The resulting frame is then encapsulated in GRE with a GRE header and sent through the tunnel. At the far end of the tunnel the GRE header and the PPP header are stripped and the inner packet is forwarded to its destination. The headers of each packet are shown in the following figure:
(Figure: header layering of a packet in the tunnel; image not reproduced.)
An example of a GRE tunnel once established in a Site-to
(Figure: image not reproduced.)
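The encapsulation described above, as an added example that is not part of the original document and not Microsoft's or Cisco's code: a Python script that wraps a constructed IPv4 packet in a PPP frame, then in a GRE header with the Key, Sequence Number and Checksum fields of RFC 2784/2890, and unwraps it at the far end. For simplicity it uses the standard GRE header (version 0) rather than PPTP's enhanced GRE (RFC 2637, version 1); the protocol-type value 0x880B for PPP is the one PPTP carries. The key, sequence number and packet contents are assumed values. It also shows why this is a tunnel but not a secure one: the checksum catches corruption, but an on-path attacker can read the payload, change it and recompute the checksum.

```python
import struct

# Ethertype values carried in the GRE "Protocol Type" field.
GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_PPP = 0x880B       # PPP inside GRE, the payload type PPTP carries

# Flag bits of the first 16-bit word of the GRE header (RFC 2784, RFC 2890).
GRE_FLAG_C = 0x8000          # Checksum Present
GRE_FLAG_K = 0x2000          # Key Present
GRE_FLAG_S = 0x1000          # Sequence Number Present
GRE_VERSION_MASK = 0x0007    # must be 0 for RFC 2784 GRE (PPTP's enhanced GRE uses 1)


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ppp_frame(ppp_protocol: int, packet: bytes) -> bytes:
    """PPP frame as carried inside a tunnel: Address 0xFF, Control 0x03,
    two-byte Protocol field (0x0021 = IPv4), then the network-layer packet."""
    return b"\xff\x03" + struct.pack("!H", ppp_protocol) + packet


def gre_encapsulate(payload: bytes, proto: int, key=None, seq=None, checksum=False) -> bytes:
    """Prepend a GRE header; optional fields follow in RFC order: Checksum/Reserved1, Key, Sequence."""
    flags, optional = 0, b""
    if key is not None:
        flags |= GRE_FLAG_K
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        optional += struct.pack("!I", seq)
    if not checksum:
        return struct.pack("!HH", flags, proto) + optional + payload
    flags |= GRE_FLAG_C
    base = struct.pack("!HH", flags, proto)
    # The checksum covers the whole GRE header plus payload, computed with the field zeroed.
    csum = ip_checksum(base + b"\x00\x00\x00\x00" + optional + payload)
    return base + struct.pack("!HH", csum, 0) + optional + payload


def gre_decapsulate(packet: bytes) -> dict:
    """Strip the GRE header and return protocol type, key, sequence number and inner payload.
    Raises ValueError on an unsupported version or a checksum mismatch."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    off, key, seq = 4, None, None
    if flags & GRE_FLAG_C:
        # With the checksum field included, the one's-complement sum of the packet must be zero.
        if ip_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
        off += 4
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    return {"proto": proto, "key": key, "seq": seq, "payload": packet[off:]}


def tunnel_roundtrip():
    """Client -> gateway: a constructed IPv4 packet wrapped in PPP, then in GRE, unwrapped at the far end."""
    inner_ip = b"\x45\x00" + b"HELLO"    # stand-in for an IPv4 packet; not a valid header
    gre = gre_encapsulate(ppp_frame(0x0021, inner_ip), GRE_PROTO_PPP, key=42, seq=1, checksum=True)
    return gre, gre_decapsulate(gre)


def corrupted_is_rejected(gre: bytes) -> bool:
    """Flip one bit of the payload in transit; the receiver must drop the packet."""
    damaged = bytearray(gre)
    damaged[-1] ^= 0x01
    try:
        gre_decapsulate(bytes(damaged))
        return False
    except ValueError:
        return True


def on_path_attacker(gre: bytes) -> bytes:
    """GRE offers no confidentiality or authentication: anyone on the path reads the payload,
    rewrites it and recomputes the checksum, and the receiver cannot tell."""
    info = gre_decapsulate(gre)
    forged = info["payload"].replace(b"HELLO", b"OWNED")
    return gre_encapsulate(forged, info["proto"], info["key"], info["seq"], checksum=True)
```

The checksum verifies on the forged packet just as on the genuine one, which is the whole point: a GRE checksum is an integrity check against accidental corruption, not against an adversary. Authenticity and confidentiality have to come from a layer underneath the tunnel such as IPsec.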
Encryption
Encryption is a basic feature in the design of any VPN. Because a VPN runs over the Internet and other public networks, data in transit can be captured and read. To guarantee that only the sender and the receiver can read it, the data must be encrypted with strong algorithms. One common recommendation is to encrypt only the important information, since encryption and decryption cost throughput; with today's ciphers (AES, usually hardware-accelerated) that cost is small, and encrypting selectively tells an observer which traffic matters, so VPN deployments normally encrypt everything that enters the tunnel.
VPN service providers group VPNs into three classes: Layer 1, Layer 2 and Layer 3 VPNs.
A Layer 1 VPN carries Layer 1 services over a shared infrastructure that is controlled and managed with Generalized Multiprotocol Label Switching (GMPLS). Layer 1 VPNs were still experimental when this document was written and are not covered here.
In the simplest terms, a VPN connection between two points on a public network is a logical connection. That logical connection can be established at Layer 2 or Layer 3 of the OSI model, and VPN technologies are broadly classified on that basis as Layer 2 VPNs or Layer 3 VPNs.
Layer 2 VPN technologies
Layer 2 VPN technologies operate at Layer 2 of the OSI reference model: point-to-point connections between sites are built on virtual circuits. A virtual circuit is a logical connection between two points on a network and can be extended to many points. A virtual circuit provisioned between two endpoints (end-to-end) is usually called a Permanent Virtual Circuit (PVC); one set up dynamically between two points on demand is a Switched Virtual Circuit (SVC). SVCs are used less, because they are more complex to deploy and to troubleshoot. ATM and Frame Relay are the two common Layer 2 VPN technologies.
ATM and Frame Relay providers deliver site-to-site connectivity to enterprises by configuring PVCs across their shared backbone.
One convenience of Layer 2 VPNs is independence from the Layer 3 traffic they carry: ATM and Frame Relay links between sites can carry many routed protocols (IP, IPX, AppleTalk, IP multicast and so on). ATM and Frame Relay also provide Quality of Service (QoS), which is a prerequisite for carrying voice traffic.
Layer 3 VPN technologies
A connection between sites can also be built as a Layer 3 VPN. Layer 3 VPN types include GRE, MPLS and IPsec. GRE and IPsec are used for point-to-point connections; MPLS provides any-to-any (multipoint) connectivity.
GRE tunnels
Generic Routing Encapsulation (GRE) was initiated and developed by Cisco and then published by the IETF as RFC 1701 and RFC 1702 (GRE over IPv4); the current specification is RFC 2784, with RFC 2890 adding the optional Key and Sequence Number fields. GRE is used to create tunnels and can carry many protocols (IP, IPX, AppleTalk and, in principle, any other protocol's packets) inside an IP tunnel. GRE has no security features of its own, but a GRE tunnel can be protected by running it over IPsec. A GRE tunnel between two IP-reachable sites can be described as a VPN because the private data exchanged between the sites is encapsulated in packets carrying a GRE header.
Because the public Internet is connected worldwide, the branches of an enterprise in different geographic regions can exchange data with each other and with headquarters while each branch needs only a single physical connection to its Internet service provider (ISP). Over that connectivity a VPN is built from GRE tunnels, and all inter-branch traffic travels inside them. Note, however, that GRE by itself neither encrypts nor authenticates: it gives no protection against eavesdropping or tampering, which is why GRE over IPsec is the usual deployment when the data must be protected.
MPLS VPNs
MPLS VPN technology builds Label Switched Paths (LSPs) through Label Switch Routers (LSRs); packets are forwarded according to the label they carry. MPLS can distribute labels with TDP (Tag Distribution Protocol, Cisco's pre-standard protocol), LDP (Label Distribution Protocol) or RSVP (Resource Reservation Protocol, in its traffic-engineering extension).
Cisco initiated the technology: MPLS grew out of Cisco's tag switching and was later standardised by the IETF as MPLS. An MPLS network is made of label switch routers, and within it packets are switched on their labels rather than on IP lookups. Service providers are increasingly deploying MPLS to offer MPLS VPN services to their customers.
Every VPN technology comes down to the same idea: private data is encapsulated and delivered to its destination by adding a header to each packet. An MPLS VPN uses labels to encapsulate the original data and deliver it.
RFC 2547 defines the BGP/MPLS VPN service (it has since been superseded by RFC 4364). One advantage of MPLS VPNs over other VPN technologies is that they reduce the complexity of configuring connectivity between sites.
Example
Suppose our company has three branches at three locations. To let these sites exchange data over an any-to-any (full mesh) VPN built on ATM or Frame Relay, each site needs two virtual circuits or tunnels (one to each of the other sites), and each circuit must be configured at both ends. The per-site configuration therefore grows as O(n) with n sites, and the total number of circuits is n(n-1)/2, that is O(n²). With an MPLS VPN, by contrast, each site is configured once, on its attachment to the provider edge router: O(1) per site no matter how many sites there are, and O(n) in total.
In practice, site-to-site MPLS VPN connectivity, which needs no point-to-point tunnels, scales easily, and any-to-any connectivity between sites is straightforward with MPLS.
The drawback is dependence on the MPLS VPN provider's infrastructure. A GRE VPN, on the other hand, runs over the public Internet and can be extended easily without depending on a provider. A GRE tunnel does not, however, protect its contents: it separates traffic only logically, and an on-path attacker can read and rewrite whatever passes through it. The same holds for an MPLS VPN, whose customer separation is logical and whose traffic the provider sees in the clear. Either one needs IPsec when the data itself must be protected.
IPsec VPNs
A central requirement of anyone using a VPN is to keep data secure while it crosses a public network. The question is how to prevent eavesdropping on data in transit over a public network. Encrypting the data is one way to protect it, and it can be done by deploying encryption/decryption devices at each site.
IPsec is a suite of protocols developed by the IETF to provide security services on packet-switched IP networks (architecture in RFC 4301, AH in RFC 4302, ESP in RFC 4303, key exchange with IKEv2 in RFC 7296). The Internet is the largest public packet-switched network, and an IPsec VPN over it costs far less than a VPN built on leased lines.
IPsec services provide authentication, data integrity, access control and confidentiality: with IPsec, the information exchanged between sites is encrypted and its origin and integrity are verified. IPsec can be deployed in both kinds of VPN, remote-access client and site-to-site.
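The integrity, origin-authentication and anti-replay services described above, as an added example that is not part of the original document and not any IPsec implementation's code: a Python model of ESP (RFC 4303) outbound and inbound processing with an HMAC-SHA-256-128 ICV (RFC 4868) and the 64-packet anti-replay window. To stay self-contained it uses NULL encryption (RFC 2410), so the payload is authenticated but not encrypted; a real SA would encrypt the payload and trailer with the negotiated cipher (AES-GCM today) before the ICV is computed, and IKE would negotiate the SPI and key that are constants here. The demo runs an out-of-order delivery, a replay, a tampered packet and a stale packet through the receiver.

```python
import hashlib
import hmac
import struct

ESP_ICV_LEN = 16      # HMAC-SHA-256-128 (RFC 4868): 256-bit tag truncated to 128 bits
REPLAY_WINDOW = 64    # minimum anti-replay window size required by RFC 4303
NEXT_HEADER_IPIP = 4  # Next Header value for an encapsulated IPv4 packet (tunnel mode)


class EspSender:
    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.key, self.seq = spi, auth_key, 0

    def protect(self, payload: bytes, next_header: int = NEXT_HEADER_IPIP) -> bytes:
        """ESP packet: SPI | Sequence Number | Payload | Padding | Pad Length | Next Header | ICV.
        NULL encryption is used here, so the payload stays readable on the wire."""
        self.seq += 1
        pad_len = (-(len(payload) + 2)) % 4            # trailer aligned to 4 bytes
        padding = bytes(range(1, pad_len + 1))         # RFC 4303 default padding 1, 2, 3, ...
        body = struct.pack("!II", self.spi, self.seq) + payload + padding + bytes([pad_len, next_header])
        icv = hmac.new(self.key, body, hashlib.sha256).digest()[:ESP_ICV_LEN]
        return body + icv


class EspReceiver:
    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.key = spi, auth_key
        self.highest = 0     # highest sequence number accepted so far
        self.seen = 0        # bitmap; bit i set means sequence number (highest - i) was accepted

    def verify(self, packet: bytes):
        """RFC 4303 inbound processing: replay pre-check, ICV check, then window update."""
        if len(packet) < 8 + 2 + ESP_ICV_LEN:
            raise ValueError("packet too short")
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        if seq <= self.highest - REPLAY_WINDOW:
            raise ValueError("replay: too old")
        if seq <= self.highest and (self.seen >> (self.highest - seq)) & 1:
            raise ValueError("replay: duplicate")
        body, icv = packet[:-ESP_ICV_LEN], packet[-ESP_ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ESP_ICV_LEN]
        if not hmac.compare_digest(icv, expected):     # constant-time comparison
            raise ValueError("ICV mismatch")
        # Only an authenticated packet may move the window; otherwise a forger could
        # advance it and cause genuine packets to be dropped as "too old".
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)
        pad_len, next_header = body[-2], body[-1]
        return next_header, body[8:-(2 + pad_len)]


def demo() -> dict:
    """Site-to-site exchange: out-of-order delivery, a replay, a tampered packet, a stale packet."""
    key = b"constructed-demo-key-0123456789abcdef"     # assumption: IKE would negotiate this
    tx, rx = EspSender(0x1000, key), EspReceiver(0x1000, key)
    p1, p2, p3 = (tx.protect(b"site-A->site-B #%d" % i) for i in (1, 2, 3))
    results = {}
    results["ok"] = rx.verify(p2)[1]             # #2 arrives first
    results["ok_late"] = rx.verify(p1)[1]        # #1 arrives late but inside the window
    tampered = p3[:8] + bytes([p3[8] ^ 0x01]) + p3[9:]   # flip one payload bit in transit
    for name, pkt in (("replay", p1), ("tamper", tampered)):
        try:
            rx.verify(pkt)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    results["ok_after"] = rx.verify(p3)[1]       # genuine #3 still accepted: the forgery never touched the window
    tx.seq = 200                                 # jump ahead; #1 now falls outside the 64-packet window
    rx.verify(tx.protect(b"site-A->site-B #201"))
    try:
        rx.verify(p1)
        results["too_old"] = "accepted"
    except ValueError as e:
        results["too_old"] = str(e)
    return results
```

The order of the checks matters: the replay pre-check rejects cheaply before any HMAC work, but the window is only updated after the ICV verifies, so a forged packet carrying a high sequence number cannot make the receiver discard the genuine traffic that follows it.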
PPTP (Point-to-Point Tunneling Protocol)
PPTP, developed by Microsoft, was the most widely used tunnelling protocol when this document was written. It forms part of the Remote Access Service (RAS). Like L2F, PPTP lets a mobile user build a tunnel to the VPN gateway/concentrator. Its security rests on MS-CHAPv2 authentication and MPPE (RC4) encryption; MS-CHAPv2 has been practically broken since 2012 and Microsoft itself advises against relying on it, so PPTP should be treated as legacy and replaced with L2TP/IPsec, IKEv2/IPsec or a TLS-based VPN.
L2F
Layer 2 Forwarding (L2F, RFC 2341) is a Layer 2 protocol developed by Cisco Systems. L2F builds a tunnel between a network access server (NAS) and a VPN gateway to carry frames: a remote user connects to the NAS, and the user's PPP frames are forwarded to the VPN gateway through that tunnel.
L2TP
(Figure: image not reproduced.)
L2TP (Layer 2 Tunneling Protocol, RFC 2661) is the IETF standard that combines the strengths of both predecessors: the remote-access model of Cisco's L2F (Layer 2 Forwarding) and the fast point-to-point connectivity of Microsoft's PPTP (Point-to-Point Tunneling Protocol). In a remote-access environment L2TP sets up a tunnel for frames and uses PPP to carry data inside it.
Some advantages of L2TP:
L2TP supports multiple protocols.
It needs no extra software or operating-system support, so remote users and intranet users alike need not install anything special.
L2TP lets many mobile users reach the remote network over a public network.
L2TP itself is not strongly secured (its tunnel is neither encrypted nor authenticated), but it can be combined with IPsec (L2TP/IPsec, RFC 3193) to protect the data.
With L2TP, user authentication takes place at the home gateway network, so the service provider does not have to maintain an authentication database.
IEEE 802.1Q tunneling (Q-in-Q)
802.1Q tunnelling lets a service provider build Ethernet tunnels over a shared infrastructure: the provider pushes its own 802.1Q tag (the S-TAG of IEEE 802.1ad) in front of the customer's frame, and the data inside the tunnel is switched on that outer tag while the customer's own tag travels through untouched.
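The tag stacking described above, as an added example that is not part of the original document and not any switch vendor's code: a Python builder and parser for double-tagged Ethernet frames, with the provider-edge push and pop. MAC addresses, VLAN IDs and payloads are constructed, and the FCS is omitted. It shows two customers that both use C-VID 100 being kept apart by the provider's S-VIDs, and why the edge must push its own S-TAG unconditionally rather than trust a tag the customer already placed.

```python
import struct

ETH_P_8021Q = 0x8100    # customer VLAN tag (C-TAG)
ETH_P_8021AD = 0x88A8   # service/provider tag (S-TAG) per IEEE 802.1ad; older gear reuses 0x8100
ETH_P_IPV4 = 0x0800


def vlan_tag(tpid: int, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with zero or more tags (outermost first); FCS omitted."""
    return dst + src + b"".join(vlan_tag(t, v) for t, v in tags) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack until a non-VLAN EtherType is found."""
    off, tags = 12, []
    while True:
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
        if ethertype not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((ethertype, tci & 0x0FFF))
        off += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def provider_ingress(frame: bytes, s_vid: int) -> bytes:
    """Provider edge, customer-facing port: push the S-TAG assigned to this customer in front
    of whatever the customer sent. It is pushed unconditionally: honouring a tag the customer
    already placed would let one customer inject frames into another customer's tunnel."""
    return frame[:12] + vlan_tag(ETH_P_8021AD, s_vid) + frame[12:]


def provider_egress(frame: bytes, expected_s_vid: int) -> bytes:
    """Provider edge, far side: pop the S-TAG and hand the customer frame back untouched."""
    outer = parse_frame(frame)["tags"][:1]
    if outer != [(ETH_P_8021AD, expected_s_vid)]:
        raise ValueError("frame does not belong to this customer's S-VLAN")
    return frame[:12] + frame[16:]


def core_switch_vid(frame: bytes) -> int:
    """The provider core switches on the outermost tag only."""
    return parse_frame(frame)["tags"][0][1]


def demo() -> dict:
    """Two customers both use C-VID 100; the provider keeps them apart with S-VIDs 2001 and 2002."""
    mac_a, mac_b = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b"   # constructed
    cust_a = build_frame(mac_b, mac_a, [(ETH_P_8021Q, 100)], ETH_P_IPV4, b"A payload")
    cust_b = build_frame(mac_a, mac_b, [(ETH_P_8021Q, 100)], ETH_P_IPV4, b"B payload")
    in_core_a, in_core_b = provider_ingress(cust_a, 2001), provider_ingress(cust_b, 2002)
    return {
        "core_vid_a": core_switch_vid(in_core_a),
        "core_vid_b": core_switch_vid(in_core_b),
        "stack_a": parse_frame(in_core_a)["tags"],
        "restored_a": provider_egress(in_core_a, 2001) == cust_a,
    }
```

Like GRE and MPLS above, Q-in-Q is separation by header, not by cryptography: the provider's switches, and anyone who can capture frames in its core, see the customer payload in the clear.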
The Secure Sockets Layer (SSL)
SSL is a security protocol developed by Netscape (SSL versions 1, 2 and 3). It provides secure remote access for mobile users. When this document was written, SSL-based remote access was deployed less often than the other mechanisms (L2F, PPTP, L2TP, IPsec) on account of its security properties. SSL 2.0 and 3.0 have since been prohibited (RFC 6176 and RFC 7568); what is sold today as an "SSL VPN" runs over TLS.
Point-to-Point Protocol (PPP)
PPP (RFC 1661) is the encapsulation protocol for carrying data over serial links. Its biggest advantage is that it runs on any Data Terminal Equipment (DTE) or Data Circuit-terminating Equipment (DCE). PPP does not limit the access speed, supports full-duplex links and is a good fit for dial-up connections.