
IP and NGN knowledge training programme for VNPT telecommunications engineers

VIRTUAL PRIVATE NETWORKS

FOREWORD

With a comprehensive development strategy that anticipates technology in order to build major capacity, competitiveness in quality and diversity of services, low cost and high labour productivity, the Vietnam Posts and Telecommunications Group (VNPT) has a strategy and plan to migrate its digital telecommunications network to a Next Generation Network (NGN). The NGN has a single information infrastructure based on packet-switching technology, allows services to be deployed quickly and in many forms, and supports the convergence of voice and data and of fixed and mobile networks; it stems from advances in information technology, from the advantages of packet switching in general and IP in particular, and from broadband optical transmission. The structure of the next-generation network and its operating principles differ fundamentally from those of today's PSTN. Telecommunications engineers and technical staff therefore need training that updates their knowledge of this new technology; only then will they have the ability and skill to operate, manage and deploy telecommunications services safely and effectively.
The Group's training programme for electronics and telecommunications engineers on IP and NGN technology was built to provide basic knowledge and skills related to IP and NGN technology to the technical staff who directly manage and operate equipment at the facilities, in order to meet the Group's requirements for migrating its network technology and telecommunications services.
This document, Virtual Private Networks, comprises 5 chapters. It introduces the basic technical issues involved in building VPNs, VPN solutions based on IPSec and on MPLS, and the current state of VPN deployment in practice.
Chapter 1 introduces the basic concepts of VPN and the functions and characteristics of VPNs, which serve as the basis for classifying VPNs and for presenting the advantages and difficulties of using each type of VPN.
Chapter 2 presents the tunnelling protocols used for VPNs, analysing their operation, their characteristics and their applicability in the different VPN models.
Chapter 3 presents the IPSec security protocol and some technical issues involved in implementing VPNs over IPSec, such as the cryptographic standards, the tools for checking information integrity, the authentication algorithms, and key management and key exchange techniques.
Chapter 4 presents the VPN models based on MPLS, the components and operation of MPLS-VPN, and the issues of connection control, security and QoS in MPLS-VPN. This chapter also compares the characteristics and applicability of the two VPN solutions, IPSec-based and MPLS-based.
Chapter 5 presents the models and solutions for deploying VPNs, concentrating on the most recent solutions implemented over MPLS. Some information on the current deployment of VPN services by VNPT is also introduced in this chapter.
During the preparation of this material the instructors made every effort, but shortcomings are still unavoidable. We welcome readers' comments so that the quality of the document can be improved in later editions.
POSTS AND TELECOMMUNICATIONS TRAINING CENTRE 1


TABLE OF CONTENTS

FOREWORD .... i
TABLE OF CONTENTS .... iii
LIST OF FIGURES .... v
CHAPTER 1 - GENERAL INTRODUCTION TO VPN .... 1
1.1 The VPN concept .... 2
1.2 Functions, advantages and disadvantages of VPN .... 3
1.2.1 Functions .... 3
1.2.2 Advantages .... 4
1.2.3 Disadvantages and issues to address .... 5
1.3 VPN models .... 6
1.3.1 The overlay model .... 6
1.3.2 The peer-to-peer model .... 8
1.4 VPN classification and applications .... 9
1.4.1 Remote access VPN .... 10
1.4.2 Site-to-site VPN .... 11
1.4.3 VPN applications .... 13
1.5 Chapter summary .... 14
CHAPTER 2 - TUNNELLING PROTOCOLS .... 15
2.1 Introduction to tunnelling protocols .... 16
2.2 The Layer 2 Forwarding protocol (L2F) .... 16
2.2.1 L2F packet structure .... 17
2.2.2 L2F operation .... 17
2.2.3 Advantages and disadvantages of L2F .... 19
2.3 The Point-to-Point Tunnelling Protocol (PPTP) .... 20
2.3.1 Overview of PPTP operation .... 20
2.3.2 Tunnel maintenance with the PPTP control connection .... 21
2.3.3 PPTP tunnel data encapsulation .... 22
2.3.4 Data processing at the PPTP tunnel endpoint .... 24
2.3.5 Deploying VPN based on PPTP .... 24
2.3.6 Advantages, disadvantages and applicability of PPTP .... 25
2.4 The Layer 2 Tunnelling Protocol (L2TP) .... 26
2.4.1 Overview of L2TP operation .... 26
2.4.2 Tunnel maintenance with L2TP control messages .... 27
2.4.3 L2TP tunnel data encapsulation .... 27
2.4.4 Data processing at the L2TP tunnel endpoint over IPSec .... 30
2.4.5 Deploying VPN based on L2TP .... 30
2.4.6 Advantages, disadvantages and applicability of L2TP .... 31
2.5 Chapter summary .... 32
CHAPTER 3 - IPSec-BASED VIRTUAL PRIVATE NETWORKS .... 33
3.1 Introduction to IPSec .... 34
3.2 IPSec encapsulation .... 35
3.2.1 Modes of operation .... 35
3.2.2 The Authentication Header (AH) protocol .... 37
3.2.3 The Encapsulating Security Payload (ESP) protocol .... 41
3.3 Security associations and key exchange .... 45
3.3.1 Security associations .... 45
3.3.2 IKE key exchange operation .... 48
3.4 Technical issues in implementing IPSec-based VPN .... 54
3.4.1 Encryption .... 55
3.4.2 Message integrity .... 56
3.4.3 Peer authentication .... 57
3.4.4 Key management .... 58
3.5 An example of an IPSec-based VPN .... 58
3.6 Open issues in IPSec .... 59
3.7 Chapter summary .... 60
CHAPTER 4 - MPLS-BASED VIRTUAL PRIVATE NETWORKS .... 61
4.1 Components of MPLS-VPN .... 62
4.1.1 The MPLS-VPN service provisioning system .... 62
4.1.2 The provider edge router .... 63
4.1.3 The virtual routing and forwarding table .... 63
4.2 MPLS-VPN models .... 64
4.2.1 The L3VPN model .... 64
4.2.2 The L2VPN model .... 66
4.3 MPLS-VPN operation .... 67
4.3.1 Routing information distribution .... 67
4.3.2 VPN-IP addresses .... 68
4.3.3 VPN packet forwarding .... 71
4.4 Security in MPLS-VPN .... 74
4.5 Quality of service in MPLS-VPN .... 75
4.5.1 The pipe model .... 76
4.5.2 The hose model .... 77
4.6 Comparison of IPSec-based and MPLS-based VPN .... 79
4.6.1 Evaluation criteria .... 79
4.6.2 Key characteristics of IPSec-VPN and MPLS-VPN .... 80
4.7 Chapter summary .... 83
CHAPTER 5 - VPN DEPLOYMENT AND APPLICATIONS .... 84
5.1 VPN deployment models .... 85
5.2 VNPT's MPLS-based VPN solution .... 86
5.3 The MegaWAN service delivery model .... 87
5.4 Chapter summary .... 88
ABBREVIATIONS .... 89
REFERENCES .... 93


LIST OF FIGURES

Figure 1.1 Secure VPN model .... 3
Figure 1.2 Remote access VPN model .... 10
Figure 1.3 Intranet VPN model .... 12
Figure 1.4 Extranet VPN model .... 13
Figure 2.1 L2F packet format .... 17
Figure 2.2 System model using L2F .... 18
Figure 2.3 PPTP control connection packet .... 22
Figure 2.4 PPTP tunnel data encapsulation .... 22
Figure 2.5 PPTP encapsulation diagram .... 23
Figure 2.6 Components of a PPTP-based VPN system .... 24
Figure 2.7 L2TP control message .... 27
Figure 2.8 L2TP tunnel data encapsulation .... 28
Figure 2.9 L2TP encapsulation diagram .... 29
Figure 2.10 Components of an L2TP-based VPN system .... 30
Figure 3.1 IP packet processing in transport mode .... 36
Figure 3.2 IP packet processing in tunnel mode .... 36
Figure 3.3 Network device implementing IPSec in tunnel mode .... 37
Figure 3.4 AH header structure for IPSec packets .... 38
Figure 3.5 IPv4 packet format before and after AH processing .... 40
Figure 3.6 IPv6 packet format before and after AH processing .... 40
Figure 3.7 ESP encapsulation mechanism .... 41
Figure 3.8 ESP packet format .... 42
Figure 3.9 IPv4 packet format before and after ESP processing .... 43
Figure 3.10 IPv6 packet format before and after ESP processing .... 44
Figure 3.11 Combining tunnel-mode SAs when both endpoints coincide .... 47
Figure 3.12 Combining tunnel-mode SAs when one endpoint coincides .... 47
Figure 3.13 Combining tunnel-mode SAs when no endpoint coincides .... 48
Figure 3.14 IKE key exchange phases and modes .... 49
Figure 3.15 Crypto access control operation based on an ACL .... 50
Figure 3.16 IKE phase one using main mode .... 51
Figure 3.17 Exchange of IPSec transform sets .... 53
Figure 3.18 Established IPSec tunnel .... 54
Figure 3.19 Example of an IPSec-based VPN connection .... 59
Figure 4.1 The MPLS-VPN service provisioning system and its components .... 62
Figure 4.2 PE router and the connection of customer sites .... 63
Figure 4.3 MPLS L3VPN model .... 65
Figure 4.4 MPLS L2VPN model .... 66
Figure 4.5 VPN-IPv4 address .... 68
Figure 4.6 Route distinguisher field format .... 69
Figure 4.7 Using labels to forward VPN packets .... 71
Figure 4.8 Using a label stack to forward VPN packets .... 72
Figure 4.9 VPN data forwarding across an MPLS network .... 73
Figure 4.10 The pipe model of quality of service in MPLS-VPN .... 77
Figure 4.11 The hose model of quality of service in MPLS-VPN .... 78
Figure 5.1 VNPT's model for providing VPN service over the MPLS network .... 86
Figure 5.2 VNPT's MPLS-VPN connectivity solution .... 87
Figure 5.3 Network model for providing the MegaWAN service .... 87


CHAPTER 1

GENERAL INTRODUCTION TO VPN

A VPN can be understood as a network that connects customer sites securely over a shared network infrastructure, with access control and security policies like those of a private network. Although it is built on the existing infrastructure of the public network, a VPN has the properties of a local area network, as if leased lines were in use. This chapter presents the basic concepts of VPN and the functions and characteristics of VPNs, which serve as the basis for classifying VPNs and for presenting the advantages and difficulties of using the different types of VPN.
This chapter covers:
- The VPN concept;
- Functions, advantages and disadvantages of VPN;
- VPN models;
- Classification of VPN by application.


1.1 The VPN concept

Virtual private networks are not a new concept. They were used in earlier telephone networks, but technological limitations kept them from gaining much strength or competitiveness. Recently, the IP network infrastructure has made VPNs genuinely new again. The kinds of virtual private network built on the public Internet infrastructure have brought users new capabilities and a new outlook. VPN technology is the optimal communication solution for companies and organisations with many offices or branches. Today, with the development of technology and the explosive growth of the Internet, VPN capabilities continue to improve and the service has become a competitive and promising one.
A virtual private network is defined as a network connection deployed over a public network infrastructure with management and security policies like those of a local area network. A virtual private network extends the reach of LANs without geographical limits. Businesses can use VPNs to give mobile and remote users network access, to join dispersed branches into a single network, and to allow remote use of applications based on in-company services.
In practice, two VPN concepts are usually discussed: the trusted VPN and the secure VPN.
A trusted VPN is regarded as a set of circuits leased from a telecommunications service provider. Each leased circuit behaves like a line in a local area network. The privacy of a trusted VPN lies in the provider's guarantee that nobody else uses that leased circuit. Customers of this type of virtual private network trust the service provider to maintain the integrity and confidentiality of the data carried over the network. Private networks built on leased lines are trusted VPNs.
A secure VPN is a virtual private network that uses encryption to protect its data. Data leaving one network is encrypted, passed into the public network like any other data to travel to its destination, and then decrypted at the receiving side. The encrypted data can be regarded as travelling through a secure tunnel from source to destination. Even if an attacker can see the data on the transmission path, it cannot be read because it is encrypted.
An example of a protocol used for encryption to ensure security is IPSec. It is a standard for encrypting and authenticating IP packets at the network layer. IPSec supports a set of cryptographic protocols for two purposes: securing network packets and changing cryptographic keys. IPSec is supported in Windows XP, 2000, 2003 and Vista, in Linux from version 2.6 onward, and in many other operating systems. Many vendors have quickly developed and offered IPSec-VPN server and IPSec-VPN client products.

A virtual private network built on the Internet is an example of a secure VPN: it uses the open, distributed infrastructure of the Internet to carry data between the network's sites (figure 1.1).

Figure 1.1 Secure VPN model

A VPN connection is a dynamic connection, meaning that it is not hard-wired and exists as a real connection only while network traffic passes through it. The connection can change and adapt to many different environments. When a connection is requested it is established and maintained regardless of the network infrastructure between the endpoints.
The private nature of a VPN lies in the fact that transmitted data is always kept secret and can be accessed only by authorised users. This is very important because the Internet protocol was not originally designed to support levels of security. Security is therefore provided by adding VPN software or hardware.

1.2 Functions, advantages and disadvantages of VPN

1.2.1 Functions
A VPN provides three main functions: authentication, integrity and confidentiality.
Authentication
To establish a VPN connection, both sides must first authenticate each other to confirm that each is exchanging information with the party it intends to, and not with someone else.
Integrity
Ensures that data is not altered or tampered with in any way during transmission.
Confidentiality
The sender can encrypt data packets before transmitting them across the public network, and the data is decrypted at the receiving side. In this way nobody can access the information without authorisation; even someone who captures it cannot read it.
1.2.2 Advantages
A virtual private network brings companies real and immediate benefits. It not only simplifies communication between remote workers and mobile users, extends the intranet to every office and branch, and even deploys an extranet out to customers and key partners, but also cuts costs considerably compared with buying equipment and lines for a private WAN. The direct and indirect benefits that a VPN brings include cost savings, flexibility, scalability and so on.
Cost savings
Using a VPN helps companies reduce both investment and recurring costs. The total cost of owning a VPN is smaller, because less is paid for leasing link bandwidth, for backbone network equipment and for keeping the system running. Many figures show that the cost of LAN-to-LAN connectivity drops by 20 to 30% compared with traditional leased lines, and the cost of remote access drops by 60 to 80%.
Flexibility
Flexibility here applies not only to operation and management but also to usage requirements. Customers can use many different kinds of connection to link small offices or mobile users. A VPN service provider can offer customers many connection options: 56 kbit/s modem, 128 kbit/s ISDN, xDSL, E1, and so on.
Scalability
Because a VPN is built on public network infrastructure, a VPN can be deployed anywhere a public network (such as the Internet) is available. Today the Internet is present everywhere, so extending a VPN is very easy. A remote office can connect quite simply to the company network over a telephone line or a DSL subscriber line.
Scalability also shows in the fact that when an office or branch needs more bandwidth, it can be upgraded easily. A VPN can likewise be removed easily when it is no longer needed.
Reduced technical support
Standardising on one kind of connection from the mobile user to an ISP POP, and standardising the security requirements, has reduced the demand for technical support resources for a VPN. And today, as service providers take on more of the network support, the technical support demands on users keep falling.
Reduced equipment requirements
By giving enterprises an access solution over the Internet, a VPN needs far less and far simpler equipment than maintaining separate modems, adapter cards for terminal equipment and remote access servers. An enterprise can set up its customer equipment for one environment, such as T1 or E1, and the rest of the connection is handled by the ISP.
Meeting commercial needs
For new telecommunications equipment and technologies the concerns are standardisation, manageability, network expansion and integration, backward compatibility, reliability and performance, and especially the commercial viability of the product. Today's VPN products and services follow common standards, partly to guarantee that a product works, but perhaps more importantly so that products from different vendors can work together.
1.2.3 Disadvantages and issues to address
Security risk
A virtual private network is usually cheaper and more efficient than a leased-line solution. However, it also carries many security risks that are hard to foresee. Although most service providers advertise that their solution is secure, security is never absolute. A virtual private network can be made harder to compromise by protecting the network's parameters appropriately, but this affects the cost of the service.
Reliability and performance
A VPN uses encryption to protect data, and complex cryptographic functions can put a heavy load on the servers. The network administrator's task is to manage the server load by limiting the number of simultaneous connections to what the server can handle. However, when the number of people trying to connect to the VPN suddenly spikes and overwhelms the service, the administrators themselves cannot connect either, because all the VPN ports are busy. This is precisely what motivates administrators to set up applications that work without requiring a VPN, for example a proxy service or an Internet Message Access Protocol service so that staff can reach e-mail from home or on the road.
Protocol choice
Choosing between IPSec and SSL/TLS is a difficult decision, and how they will be used in future is equally hard to predict. One consideration is that SSL/TLS can work through a firewall that relies on NAT address translation tables, whereas IPSec cannot. But if both protocols work through the firewall, the addresses cannot be translated.
IPSec encrypts all IP traffic carried between two computers, whereas SSL/TLS is specific to one application. SSL/TLS uses asymmetric cryptographic functions to establish the connection, and this protects it more effectively than using symmetric cryptographic functions.
In practical applications an administrator can decide to combine and mix the protocols to strike the best balance between network performance and security. For example, clients can connect to a web server through a firewall over a secure SSL/TLS path, the web server can connect to an application service using IPSec, and the application service can connect to a database through other firewalls, again using SSL.

1.3 VPN models

There are two VPN deployment models: customer-based and network-based. The customer-based model is also called the overlay model; in it the VPN is configured on the customer's equipment and uses tunnelling protocols across the public network. The service provider sells virtual circuits between the customer's sites in the same way as leased lines.
The network-based model is also called the peer-to-peer model; in it the VPN is configured on the service provider's equipment and is managed by the service provider. The service provider and the customer exchange layer 3 routing information, after which the provider places data from the customer sites onto the optimal path without any involvement from the customer.
1.3.1 The overlay model
The overlay VPN model appeared very early and has been deployed with many different technologies. Initially VPNs were built using leased lines to connect customer sites at different locations. The customer bought leased-line service from the provider; these lines were set up between the customer sites that needed connectivity and were dedicated to that customer.
When Frame Relay appeared it was seen as a technology that supported VPNs well, because it met customers' connectivity needs in the same way as leased-line service. The difference is that the customer is not given dedicated lines but uses a shared line on which virtual circuits are assigned. These virtual circuits keep each customer's traffic separate. Virtual circuits may be permanent virtual circuits (PVC) or switched virtual circuits (SVC).
Providing a virtual circuit to a customer means that the service provider builds a private tunnel for the customer's traffic across the provider's shared network. The customer sets up communication sessions between its customer premises equipment (CPE) over the virtual channel. Routing protocols run directly between the customer routers, which form adjacencies and exchange routing information with each other. The service provider knows nothing about the customer's routing information; its only task in this model is to guarantee point-to-point transport of data between the customer's sites.
Overlay VPNs are also deployed in the form of tunnels. The success of IP technology drove service providers to deploy VPNs over IP. Any customer wishing to build a private network over the Internet can use this solution because of its low cost. Besides the economic reason, the tunnel model also gives customers data confidentiality. The two common tunnelling VPN technologies are IPSec (IP Security) and GRE (Generic Routing Encapsulation).
The QoS commitments in the overlay VPN model are usually bandwidth commitments on a VC. This value is called the CIR (Committed Information Rate). The maximum usable bandwidth on a virtual channel is called the PIR (Peak Information Rate). The bandwidth commitment is made on the basis of the natural statistics of the layer 2 service but depends on the provider's strategy, which means that the committed rate is not truly guaranteed. Usually the provider can guarantee a minimum rate, the MIR (Minimum Information Rate).
The bandwidth commitment is also only a commitment between two points in the customer network. Without a complete traffic matrix for all traffic classes it is very hard to honour this commitment for a customer in the overlay model, and it is hard to offer multiple classes of service because the service provider cannot distinguish the traffic between networks. This can be overcome by creating a full mesh of connections, as in Frame Relay or ATM networks with PVCs between the customer sites; however, full-mesh connectivity usually raises the cost of the network.
The advantage of the overlay VPN model is that it is easy to implement, from the point of view of both the customer and the service provider. In this model the service provider does not take part in routing the customer's traffic; its task is to transport data point-to-point between the customer's sites. Marking the reference point between service provider and customer makes management easier.
The overlay model suits networks that need no redundancy, with few central sites and many remote sites, but it is hard to manage when many mesh connections are needed. Provisioning many VCs requires a detailed understanding of the traffic between sites, which is often not really practical. In addition, implementing this model with layer 2 technologies creates an extra, unnecessary layer for providers that are almost entirely IP-based, and thus raises the network's operating cost.
1.3.2 The peer-to-peer model
The peer-to-peer VPN model was created to overcome the limitations of the overlay VPN model and to optimise the transport of data across the backbone network. In this model the service provider takes part in the customer's routing: the provider edge (PE) router exchanges routing information directly with the customer edge (CE) router.
In the peer-to-peer VPN model routing becomes simpler (from the customer's point of view), since the customer router exchanges routing information with only one or a few provider edge (PE) routers, whereas in the overlay VPN model the number of neighbouring routers can grow very large. Furthermore, because the service provider knows the customer's network configuration, it can set up optimal routing for traffic between the customer's sites.
Bandwidth provisioning is also simpler, because the customer only has to consider the inbound and outbound bandwidth at each site rather than the whole traffic from site to site as in the overlay VPN model. Scaling is easier in the peer-to-peer model because the service provider only needs to add a site and change the configuration on the PE router, whereas in the overlay model the service provider has to deal with the entire set of virtual channels (VCs) from site to site in the customer's VPN.
A service provider can deploy two kinds of peer-to-peer VPN: the shared-router approach and the dedicated-router approach.
Shared-router approach
VPN customers share one provider edge (PE) router. In this approach several customers can connect to the same PE router, so an access list must be configured on that router for each PE-CE interface to guarantee isolation between VPN customers and to prevent one customer's VPN from mounting denial of service (DoS) attacks on another customer's VPN. The service provider allocates parts of its address space to customers and manages packet filtering on the PE router.
Dedicated-router approach
In this approach each VPN customer has its own dedicated PE router. The VPN customer can reach only the routes in the routing table of its dedicated PE router. Each router uses routing protocols to build the routing table for one VPN. The routing table contains only the routes advertised by the VPN customer connected to it, which results in absolute isolation between VPNs.
Routing on dedicated routers can be performed as follows:
- Any routing protocol may be used between PE and CE;
- The protocol running between PE and PE is BGP;
- The PE redistributes the routes received from the CE into BGP, marks them with the customer's identifier (ID) and passes the routes to the P router, which therefore holds routes from all customer VPNs;
- The P router passes only the appropriate routes to each PE router, so a PE receives only the routes from CE routers in its own VPN.
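The four-step routing flow just listed, modelled as an added Python example that is not part of this document: each PE tags the routes learned from its CE with a customer ID, the P router holds routes from every VPN but hands each PE only the routes of its own VPN, and the PE refuses anything else. Router names, customer IDs and prefixes are constructed; the overlap check at the end illustrates the shared IP address space problem discussed in this section.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    """A customer route after the PE has redistributed it into BGP."""
    prefix: str      # IPv4 prefix in CIDR form, e.g. "10.1.0.0/16" (constructed)
    vpn_id: str      # customer identifier attached by the PE (assumed attribute name)
    origin_pe: str   # name of the PE that learned the route from its CE


@dataclass
class PERouter:
    """A dedicated provider-edge router: it serves exactly one customer VPN."""
    name: str
    vpn_id: str
    ce_prefixes: list = field(default_factory=list)
    table: dict = field(default_factory=dict)   # prefix -> VpnRoute

    def learn_from_ce(self, prefix: str) -> None:
        # Step 1: the PE-CE routing protocol is arbitrary; only the prefix matters here.
        self.ce_prefixes.append(prefix)

    def export_to_bgp(self) -> list:
        # Step 3: tag every CE route with this VPN's customer ID before handing it to P.
        return [VpnRoute(p, self.vpn_id, self.name) for p in self.ce_prefixes]

    def import_from_p(self, routes: list) -> None:
        # Defensive check: a dedicated PE must never accept another VPN's route.
        for r in routes:
            if r.vpn_id != self.vpn_id:
                raise ValueError(f"{self.name}: leaked route {r.prefix} from VPN {r.vpn_id}")
            self.table[r.prefix] = r


class PRouter:
    """Provider core router: holds routes from all VPNs, forwards per VPN."""

    def __init__(self) -> None:
        self.routes: list = []

    def receive(self, routes: list) -> None:
        # Step 2/3: BGP between PE and P; P accumulates routes from every VPN.
        self.routes.extend(routes)

    def routes_for(self, pe: PERouter) -> list:
        # Step 4: forward only routes of the PE's own VPN, excluding its own advertisements.
        return [r for r in self.routes
                if r.vpn_id == pe.vpn_id and r.origin_pe != pe.name]

    def overlapping_prefixes(self) -> set:
        # Customers share one IP address space in this model, so the same prefix
        # advertised by two different VPNs signals that re-addressing is needed.
        owners = defaultdict(set)
        for r in self.routes:
            owners[r.prefix].add(r.vpn_id)
        return {p for p, vpns in owners.items() if len(vpns) > 1}


def run_exchange(pes: list) -> PRouter:
    """Drive one full distribution cycle: CE -> PE -> P -> every PE."""
    p = PRouter()
    for pe in pes:
        p.receive(pe.export_to_bgp())
    for pe in pes:
        pe.import_from_p(p.routes_for(pe))
    return p


def build_demo():
    """Constructed topology: customer A with two sites, customer B with one site."""
    a1 = PERouter("PE-A1", "cust-A")
    a2 = PERouter("PE-A2", "cust-A")
    b1 = PERouter("PE-B1", "cust-B")
    a1.learn_from_ce("10.1.0.0/16")
    a2.learn_from_ce("10.2.0.0/16")
    b1.learn_from_ce("10.1.0.0/16")      # same prefix as A1: overlap across VPNs
    b1.learn_from_ce("192.168.5.0/24")
    pes = [a1, a2, b1]
    p = run_exchange(pes)
    return pes, p


if __name__ == "__main__":
    pes, p = build_demo()
    for pe in pes:
        print(pe.name, "receives", sorted(pe.table))
    print("prefixes advertised by more than one VPN:", p.overlapping_prefixes())
```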
The shared router approach is hard to maintain because it requires long and complex access lists on every router interface. The dedicated router approach looks simpler to configure and easier to maintain, but the provider has to spend heavily to serve a large number of customers well.
All customers share one IP address space, so they must either use real (registered) addresses in their private networks or depend on the service provider to obtain IP addresses. In both cases, connecting a new customer to the peer-to-peer VPN service requires re-addressing the customer network.
The limitations of the peer-to-peer VPN model are that the service provider must carry customer routing correctly and guarantee convergence of the customer network when a link fails, and that the provider's P routers must carry all customer routes.

1.4 VPN classification and applications


Virtual private networks can be applied in many different ways. The basic requirement for a VPN is that it controls the access rights of customers, service providers and other outside parties. Based on how they are used and the capabilities they provide, VPNs fall into two classes:
- Remote Access VPN;
- Site-to-Site VPN.
Site-to-Site VPNs are further divided into two types:
- Intranet VPN;
- Extranet VPN.
1.4.1 Remote access VPN


Remote access VPNs give users remote access to the network (Figure 1.2). At any time, employees or mobile branch offices can use VPN software to reach the company network through a gateway or VPN concentrator (essentially a server); this is why the arrangement is also called a client/server solution. Remote access VPNs are the most typical kind of VPN, because they can be set up at any time and from anywhere with Internet access.
Remote access VPNs extend the company network to its users over a shared public infrastructure while the company's network policies are preserved. They can provide secure access for employees who travel frequently, for branch offices and for the company's business partners. These VPNs run over public infrastructure using ISDN, dial-up, mobile IP, DSL or cable technologies and usually require some kind of client software on the user's computer.
A fairly new direction in remote access is the wireless VPN, where an employee reaches the corporate network over a wireless connection. In this design the wireless link first connects to a wireless terminal and from there to the company network. In both the wired and the wireless case, client software on the PC initiates the secure connections, also called tunnels.
An important issue is the design of the initial authentication, which ensures that a request originates from a trusted source. This initial phase usually relies on the company's common security policy, which covers a number of technical procedures and server applications such as Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+),

Figure 1.2 Remote access VPN model


Compared with traditional remote access methods, remote access VPNs have the following advantages:
- they need no support from network staff, because the remote connection is handled by the ISPs;
- long-distance connection costs fall, because long-distance links are replaced by local connections over the Internet;
- they provide cheap connectivity for remote users;
- because the access connection is local, the modems operate at higher speeds than with long-distance access;
- they give better access to company sites because they support the lowest tier of connection service.
Despite these advantages, remote access VPNs have inherent drawbacks:
- they do not support QoS-guaranteed services;
- the risk of data loss is high, since packets may be misdelivered or lost;
- complex encryption algorithms increase protocol overhead considerably.
1.4.2 Site-to-site VPN
A site-to-site (or LAN-to-LAN) VPN connects networks at different locations to a central network through a VPN. Here the initial authentication is not of users but between devices. These devices act as security gateways, carrying traffic securely from one site to another. Routers and firewalls with VPN support can both make this kind of connection. The distinction between remote access and site-to-site VPNs is largely nominal; many newer VPN devices can operate in both modes.
From a policy-management standpoint a site-to-site VPN can be regarded as either an intranet or an extranet VPN. If the network infrastructure is under a single administration it can be regarded as an intranet VPN; otherwise it is an extranet VPN. Access between the sites must be tightly controlled by the respective devices.
1.4.2.1 Intranet VPN

An intranet VPN is a typical site-to-site configuration used to secure the connections between different locations of one company (Figure 1.3). It links headquarters, offices and branches over a shared infrastructure using connections that are always encrypted. This lets every location securely access the permitted data resources anywhere in the company network.


Figure 1.3 Intranet VPN model


An intranet VPN offers WAN characteristics such as scalability, reliability and support for many protocols at low cost while remaining flexible. Its main advantages are:
- local or wide area networks can be set up through one or more service providers;
- fewer technical support staff are needed at remote locations;
- because the intermediate connectivity runs over the Internet, a new peer link is easy to add;
- cost savings from using VPN tunnels over the Internet combined with high-speed switching technologies.
However, a VPN-based intranet also has drawbacks:
- because data is tunnelled over a public network such as the Internet, there remain threats to data confidentiality and to quality of service (QoS);
- the probability that packets are lost in transit is still fairly high;
- moving large volumes of data such as multimedia, with high bandwidth and real-time requirements, is a major challenge in the Internet environment.
1.4.2.2 Extranet VPN

An extranet VPN is configured as a site-to-site VPN that provides secure tunnels between customers, suppliers and partners over a public network infrastructure (Figure 1.4). It uses always-secured connections but, unlike the intranet and remote access cases, it is not isolated from the outside world.


Figure 1.4 Extranet VPN model


The extranet VPN controls access to the network resources that must be extended to business partners. The difference between an intranet VPN and an extranet VPN is that network access is authorised at one of the two ends of the VPN.
The main advantages of an extranet VPN are:
- it costs far less than other connection solutions that achieve the same purpose;
- it is easy to set up, maintain and change in a live network;
- because it is built on the Internet, there are many options for service provision and for choosing the solution that fits each company's needs;
- Internet connections are maintained by the ISP, so fewer network support staff are needed and the operating cost of the whole network falls.
Alongside these advantages, extranet VPNs have drawbacks:
- information security is harder in such an open environment, which increases the risk to the company's internal network;
- data can still be lost in transit over the public network;
- moving large volumes of data with high bandwidth and real-time requirements remains a major challenge.
1.4.3 VPN applications
Both remote access and site-to-site VPNs provide a way to build a private network for an enterprise. Companies can extend their networks to places that were previously out of reach, and in many applications a VPN saves a great deal of money: instead of many connections to the same headquarters, the VPN aggregates traffic onto a single connection, cutting costs both inside and outside the enterprise.
The Internet is now a good infrastructure that lets enterprises change their networks in many ways. Large companies can easily see that leased-line WAN connections are very expensive and are gradually being replaced by VPN connections. For remote access, instead of slow dial-up lines or expensive leased-line services, users can now be offered high-speed access at low cost. Mobile users can also make effective use of high-speed Ethernet connections in hotels, airports and public places. The saving on long-distance call charges alone is a compelling reason to use a VPN.
Another benefit of VPNs is that they let companies roll out new e-commerce applications quickly. In this case, however, several factors need careful consideration: the main obstacles of the Internet are security, quality of service, reliability and manageability.

1.5 Chapter summary
A VPN is defined as a network connecting customer sites securely over a shared network infrastructure, with access control and security policies like those of a private network. Although it is built on existing public network infrastructure, a VPN has the properties of a local network built on leased lines. It links the branches of a company, as well as its partners, and controls the access rights of customers, service providers and other outside parties.
VPNs have very wide applicability, and many vendors worldwide predict that VPN services will grow strongly. Becoming familiar with this technology is therefore clearly essential. This chapter has presented the basic concepts of VPNs, their functions and characteristics, the models for building them and their classification by form and scope of application. The material is only an overview intended to give the reader a general picture of VPNs; the technical issues of implementing them are covered in the following chapters.


CHAPTER 2
TUNNELING PROTOCOLS

Tunneling is one of the foundational concepts of VPNs. A tunneling protocol encapsulates data with the appropriate headers for transport across the Internet. This chapter introduces the common tunneling protocols in use for IP-VPNs: L2F, PPTP and L2TP. IPSec is covered in detail in Chapter 3 together with the technical characteristics that bear directly on IP-VPN implementation.
This chapter covers:
- introduction to tunneling protocols;
- Layer 2 Forwarding (L2F);
- Point-to-Point Tunneling Protocol (PPTP);
- Layer 2 Tunneling Protocol (L2TP).


2.1 Introduction to tunneling protocols


Tunneling protocols are the foundation of VPN technology. There are several of them, and the choice of protocol determines the authentication and encryption methods that go with it. The common tunneling protocols today are:
- Layer Two Forwarding (L2F);
- Point to Point Tunneling Protocol (PPTP);
- Layer Two Tunneling Protocol (L2TP);
- Internet Protocol Security (IPSec).
L2F and PPTP were both developed on top of the Point to Point Protocol (PPP). PPP is a layer 2 serial communication protocol that can encapsulate IP internetwork data and supports multiple upper-layer protocols. L2F was developed independently by Cisco, while PPTP was developed by a consortium of companies. Building on L2F and PPTP, the IETF developed L2TP. Today PPTP and L2TP are used more widely than L2F.
Of these tunneling protocols, IPSec is the best solution for data security. It supports the strongest authentication and encryption methods, and it is highly flexible, not tied to any particular authentication or encryption algorithm. IPSec can also be used together with other tunneling protocols to raise the security of a system.
Despite its superiority over the other tunneling protocols in securing data, IPSec has some drawbacks. First, it is a new standards framework that is still being developed, so not many vendors yet offer products that support it. Second, to exploit IPSec's data-security capabilities fully, a complex public key infrastructure (PKI) is needed to handle digital certificates and digital signatures.
Unlike IPSec, PPTP and L2TP are mature standards, so products that support them are fairly common. PPTP can be deployed with a simple password system and no PKI. PPTP and L2TP also have other advantages over IPSec, such as support for multiple upper-layer protocols. Therefore, while IPSec is still maturing, PPTP and L2TP remain in wide use, in particular for remote access applications.

2.2 Layer 2 Forwarding (L2F)


L2F was the earliest of these protocols to be developed and is the traditional way for remote users to access a corporate network through a remote access device. L2F provides virtual dial-up service by establishing a secure tunnel over public infrastructure such as the Internet. It encapsulates PPP packets in L2F format and tunnels them at the data link layer.
2.2.1 L2F packet structure
The L2F packet format is shown in Figure 2.1.
Fields in wire order, one row per 32-bit word of the header:

F (1 bit) | K (1 bit) | P (1 bit) | S (1 bit) | Reserved (8 bit) | C (1 bit) | Version (3 bit) | Protocol (8 bit) | Sequence (8 bit)
Multiplex ID | Client ID
Length | Offset
Key
Data
Checksum

Figure 2.1 L2F packet format


The fields of the L2F packet are:
- F: indicates that the Offset field is present;
- K: indicates that the Key field is present;
- P (Priority): marks the packet as priority;
- S: indicates that the Sequence field is present;
- Reserved: always set to 00000000;
- Version: the L2F version used to create the packet;
- Protocol: identifies the protocol encapsulated in L2F;
- Sequence: the sequence number, meaningful when the S bit of the L2F header is 1;
- Multiplex ID: identifies an individual connection within a tunnel;
- Client ID: helps demultiplex tunnels at the endpoints;
- Length: the length of the packet in bytes, not including the checksum;
- Offset: the number of bytes past the L2F header at which the payload begins; present when the F bit is 1;
- Key: part of the authentication process (present when the K bit is 1);
- Checksum: the packet checksum (present when the C bit is 1).
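As an added example that is not part of the original text, the following Python builds and parses L2F packets with the header layout above. The widths of the fields after the first word (16 bits for Multiplex ID, Client ID, Length and Offset, 32 bits for Key, 16 bits for Checksum), the Protocol value 0x02 for PPP, and the checksum computation (the standard Internet one's-complement checksum over header and payload, the "UDP checksum" the text mentions) are taken from RFC 2341 and are assumptions here; the sample payload and IDs are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# First 16 bits of the header: F K P S, eight reserved bits, C, 3-bit Version.
F_BIT, K_BIT, P_BIT, S_BIT, C_BIT = 0x8000, 0x4000, 0x2000, 0x1000, 0x0008
RESERVED_MASK, VERSION_MASK = 0x0FF0, 0x0007
L2F_PROTO_PPP = 0x02   # Protocol field value for an encapsulated PPP frame (RFC 2341)


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum as used by UDP (assumed to be L2F's checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class L2FPacket:
    priority: bool
    version: int
    protocol: int
    sequence: Optional[int]      # None unless the S bit is set
    multiplex_id: int
    client_id: int
    length: int                  # header + payload, excluding the checksum
    offset: Optional[int]        # None unless the F bit is set
    key: Optional[int]           # None unless the K bit is set
    payload: bytes
    checksum_ok: Optional[bool]  # None when the packet carries no checksum (C bit clear)


def build_l2f(payload: bytes, *, mid: int, cid: int, protocol: int = L2F_PROTO_PPP,
              seq: Optional[int] = None, key: Optional[int] = None, offset: int = 0,
              checksum: bool = True, priority: bool = False, version: int = 1) -> bytes:
    """Assemble an L2F packet; optional fields appear only when their flag bit is set."""
    flags = version & VERSION_MASK
    flags |= (F_BIT if offset else 0) | (K_BIT if key is not None else 0)
    flags |= (P_BIT if priority else 0) | (S_BIT if seq is not None else 0)
    flags |= C_BIT if checksum else 0
    optional = struct.pack("!H", offset) if offset else b""
    optional += struct.pack("!I", key) if key is not None else b""
    length = 10 + len(optional) + offset + len(payload)
    pkt = struct.pack("!HBBHHH", flags, protocol, seq or 0, mid, cid, length)
    pkt += optional + bytes(offset) + payload        # Offset bytes are padding before the payload
    if checksum:
        pkt += struct.pack("!H", internet_checksum(pkt))
    return pkt


def parse_l2f(pkt: bytes) -> L2FPacket:
    """Decode an L2F packet, honouring the F, K, S and C flags and verifying the checksum."""
    if len(pkt) < 10:
        raise ValueError("truncated L2F header")
    flags, protocol, seq, mid, cid, length = struct.unpack("!HBBHHH", pkt[:10])
    if flags & RESERVED_MASK:
        raise ValueError("reserved bits must be 00000000")
    need = 10 + (2 if flags & F_BIT else 0) + (4 if flags & K_BIT else 0)
    if len(pkt) < need:
        raise ValueError("flagged optional field missing")
    pos, offset, key = 10, None, None
    if flags & F_BIT:
        (offset,) = struct.unpack("!H", pkt[pos:pos + 2])
        pos += 2
    if flags & K_BIT:
        (key,) = struct.unpack("!I", pkt[pos:pos + 4])
        pos += 4
    start = pos + (offset or 0)                 # payload begins Offset bytes past the header
    if not start <= length <= len(pkt):
        raise ValueError("Length field inconsistent with packet size")
    checksum_ok = None
    if flags & C_BIT:                           # checksum follows the bytes counted by Length
        if len(pkt) < length + 2:
            raise ValueError("C bit set but checksum missing")
        (wire,) = struct.unpack("!H", pkt[length:length + 2])
        checksum_ok = internet_checksum(pkt[:length]) == wire
    return L2FPacket(bool(flags & P_BIT), flags & VERSION_MASK, protocol,
                     seq if flags & S_BIT else None, mid, cid, length, offset, key,
                     pkt[start:length], checksum_ok)
```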

2.2.2 L2F operation


L2F encapsulates layer 2 packets (PPP in this case) and transports them across the network. A system using L2F consists of the following components (Figure 2.2):
- Network Access Server (NAS): directs traffic to and from the remote client and the Home Gateway. An ERX system can act as the NAS.
- Tunnel: defines the path between the NAS and the Home Gateway. A tunnel consists of a number of connections.
- Home Gateway: the peer of the NAS; the tunnel endpoint that belongs to the private network.
- Connection: a PPP connection within the tunnel. In the CLI an L2F connection is referred to as a session.
- Destination: the far endpoint of the tunnel. Here the Home Gateway is the destination.

Figure 2.2 System model using L2F


L2F operation covers connection, tunnel and session establishment. The steps are:
1) A remote user dials into the NAS and starts a PPP connection to the ISP.
2) The NAS and the client exchange Link Control Protocol (LCP) packets.
3) The NAS uses a local database keyed on the domain name, or RADIUS authentication, to decide whether the user requires L2F service.
4) If the user requires L2F, the process continues and the NAS obtains the address of the Home Gateway.
5) A tunnel is established from the NAS to the Home Gateway if none exists yet. Tunnel establishment includes an authentication phase between the ISP and the Home Gateway to protect against attacks by third parties.
6) A new PPP connection is created inside the tunnel, which has the effect of extending the PPP session from the remote user to the Home Gateway. The connection is set up as follows: the Home Gateway receives the options and all the PAP/CHAP authentication information as negotiated between the user's terminal and the NAS. The Home Gateway either accepts the connection or renegotiates LCP and re-authenticates the user.
7) When the NAS receives data traffic from the user, it encapsulates it in L2F frames and sends them into the tunnel.
8) At the Home Gateway the L2F framing is stripped and the encapsulated data is forwarded to the corporate network.
Once the system has established destinations, tunnels and sessions, L2F traffic must be controlled and managed, which includes:
- preventing the creation of new destinations, tunnels and sessions;
- closing and reopening all or selected destinations, tunnels and sessions;
- enabling UDP checksums;
- setting the system idle time and keeping a database of the tunnels and connections.
Changing a destination affects every tunnel and session to that destination, and changing a tunnel affects every session within it. For example, terminating a destination closes all tunnels and sessions to it.
L2F provides a number of commands for these functions, for example:
- l2f checksum: verifies data integrity in L2F frames using the UDP checksum, e.g. host1(config)#l2f checksum
- l2f destruct-timeout: sets the idle time, in the range 10 to 3600 seconds, e.g. host1(config)#l2f destruct-timeout 1200
2.2.3 Advantages and disadvantages of L2F
L2F has the following advantages:
- it allows multiprotocol tunnels;
- it is supported by many vendors.
Its main disadvantages are:
- no encryption;
- limited user authentication;
- no flow control for the tunnel.


2.3 Point-to-Point Tunneling Protocol (PPTP)


The Point-to-Point Tunneling Protocol was first proposed by a group of companies known as the PPTP Forum. Its basic idea is to separate the common and the specific functions of remote access and to exploit the existing Internet infrastructure to create a secure connection between a remote user (client) and a private network. The remote user simply dials the local Internet service provider and can then build a secure tunnel to the private network.
PPTP is built on the functions of PPP and provides dial-up access that creates a secure tunnel across the Internet to the destination site. PPTP uses a modified version of Generic Routing Encapsulation (GRE) to encapsulate and decapsulate PPP packets, which gives it the flexibility to handle non-IP protocols such as IPX and NetBEUI.
2.3.1 Overview of PPTP operation
PPP has become a very common protocol for access to the Internet and IP networks. Operating at the data link layer of the OSI model, PPP includes methods for encapsulating and decapsulating different kinds of data packets for serial transmission. PPP can encapsulate IP, IPX and NetBEUI packets and carry them over a point-to-point link from sender to receiver.
PPTP encapsulates PPP frames in IP datagrams for transmission over an IP network (the Internet or an intranet). PPTP uses a TCP connection (the PPTP control connection) to create, maintain and terminate the tunnel, and a version of GRE to encapsulate the PPP frames. The PPP frame payload may be encrypted and/or compressed.
PPTP uses PPP for the following functions:
- establishing and terminating the physical connection;
- authenticating the user;
- creating the PPP data packets.
PPTP assumes that an IP network exists between the PPTP client (a VPN client using PPTP) and the PPTP server (a VPN server using PPTP). The PPTP client can be attached directly, or by dialling into a network access server (NAS) to establish IP connectivity. When a PPP connection is established the user is usually authenticated; this phase is optional in PPP, but ISPs always provide it.
Authentication during PPTP connection setup uses the authentication mechanisms of the PPP connection, which may be:
- EAP (Extensible Authentication Protocol);
- CHAP (Challenge Handshake Authentication Protocol);
- PAP (Password Authentication Protocol).
With PAP the password is sent over the connection in plain text, with no protection. CHAP is a stronger authentication protocol that uses a three-way handshake; it resists replay attacks by using challenge values that are unique and unpredictable.
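As an added example (not from the original document), the following Python models the two exchanges just described: PAP's Authenticate-Request carries the password in the clear (RFC 1334 layout), while CHAP with MD5 (RFC 1994) answers each fresh challenge with MD5(Identifier || secret || Challenge), so a response captured from the link is useless against the next challenge. The peer name and shared secret are constructed values.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, Tuple


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request as sent on the link (RFC 1334 layout):
    Code=1, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password.
    The password travels in plain text, which is the weakness the text describes."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass
class ChapAuthenticator:
    """Authenticator (server) side: one fresh, unpredictable challenge per attempt."""
    secrets: Dict[str, bytes]                                  # peer name -> shared secret
    pending: Dict[int, bytes] = field(default_factory=dict)    # identifier -> open challenge
    next_id: int = 0

    def challenge(self) -> Tuple[int, bytes]:
        ident = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF               # the identifier is one octet
        chal = os.urandom(16)                                  # never reused, not predictable
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)                   # a challenge is answered once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(ident, secret, chal))


def replay_scenario(secret: bytes = b"s3cret") -> Dict[str, bool]:
    """A genuine handshake, then two attempts to reuse the response seen on the link."""
    auth = ChapAuthenticator({"alice": secret})
    ident1, chal1 = auth.challenge()
    resp1 = chap_response(ident1, secret, chal1)               # the real peer knows the secret
    genuine = auth.verify(ident1, "alice", resp1)
    # (ident1, resp1) was visible on the link; against a new challenge it proves nothing.
    ident2, _chal2 = auth.challenge()
    replayed = auth.verify(ident2, "alice", resp1)
    # Reusing the old identifier fails too: its challenge was consumed by the genuine exchange.
    stale = auth.verify(ident1, "alice", resp1)
    pap_wire = pap_authenticate_request(1, b"alice", secret)
    return {"genuine": genuine, "replayed": replayed, "stale": stale,
            "pap_exposes_secret": secret in pap_wire,
            "chap_exposes_secret": secret in resp1 or secret in chal1}
```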
PPTP also inherits PPP's encryption and/or compression of the payload. The PPP payload can be encrypted with Microsoft Point to Point Encryption (MPPE). MPPE provides only link-level encryption, not end-to-end encryption; if end-to-end encryption is required, IPSec can be used to encrypt the IP traffic between the endpoints after the PPTP tunnel has been established.
Once PPP has established the connection, PPTP uses PPP's encapsulation rules to package the packets sent through the tunnel. To take advantage of the connection created by PPP, PPTP defines two kinds of packet, control and data, and assigns them to two separate channels, a control channel and a data channel. PPTP separates these into a control stream over TCP and a data stream over IP. The TCP connection between the PPTP client and the PPTP server is used to carry control messages.
Data packets carry ordinary user data. Control packets are sent periodically to obtain connection status and to manage signalling between the PPTP client application and the PPTP server; they are also used to exchange device management and configuration information between the two tunnel ends.
The control channel is required to establish a tunnel between the PPTP client and server. The PPTP server is a server running the PPTP protocol with one interface to the Internet and another to the intranet, while the client software may reside on the remote user's machine or at the ISP's server.
2.3.2 Tunnel maintenance with the PPTP control connection
The PPTP control connection runs between the IP address of the PPTP client (using a dynamically allocated TCP port) and the IP address of the PPTP server (using the reserved TCP port 1723). It carries the control and management messages used to maintain the PPTP tunnel, including periodic PPTP Echo-Request and PPTP Echo-Reply messages that detect connectivity failures between client and server. A PPTP control connection packet consists of an IP header, a TCP header, the PPTP control message and the data link layer header and trailer (Figure 2.3).


Figure 2.3 PPTP control connection packet


2.3.3 PPTP tunnel data encapsulation
PPP frame and GRE encapsulation
PPTP tunnel data is encapsulated in several layers. Figure 2.4 shows the structure of the encapsulated data.

Figure 2.4 PPTP tunnel data encapsulation


The payload of the original PPP frame is encrypted and encapsulated with a PPP header to form the PPP frame. The PPP frame is then encapsulated with the header of a modified version of GRE.
GRE is a generic encapsulation protocol that provides a mechanism for encapsulating data for routing over IP networks. For PPTP the GRE header is modified as follows:
- a 32-bit Acknowledgment field is added;
- an Acknowledgment bit indicates the presence of the 32-bit Acknowledgment field;
- the Key field is replaced by a 16-bit Payload Length field and a 16-bit Call ID field. The Call ID is set by the PPTP client during tunnel creation.
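As an added example that is not from the original document, this Python builds and validates the modified GRE header PPTP uses (RFC 2637): the K bit set, the Key field split into Payload Length and Call ID, the S bit set exactly when a PPP payload (and therefore a Sequence Number) is carried, and the optional 32-bit Acknowledgment field announced by the A bit. Protocol Type 0x880B and version 1 are the RFC 2637 values; the Call ID and PPP frame are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

PPTP_PROTOCOL_TYPE = 0x880B   # Protocol Type marking PPP inside PPTP's GRE (RFC 2637)
# First header octet: C R K S s Recur(3); second octet: A Flags(4) Ver(3)
C_BIT, R_BIT, K_BIT, S_BIT, s_BIT, RECUR_MASK = 0x80, 0x40, 0x20, 0x10, 0x08, 0x07
A_BIT, FLAGS_MASK, VER_MASK = 0x80, 0x78, 0x07


@dataclass
class PptpGre:
    call_id: int                # low 16 bits of the old Key field: identifies the call
    payload_len: int            # high 16 bits of the old Key field: length of the PPP frame
    sequence: Optional[int]     # present when S=1, i.e. when a PPP payload is carried
    ack: Optional[int]          # present when A=1: the 32-bit field PPTP added to GRE
    ppp_frame: bytes


def build_pptp_gre(call_id: int, ppp_frame: bytes = b"", seq: Optional[int] = None,
                   ack: Optional[int] = None) -> bytes:
    """Data packet when ppp_frame is non-empty (S=1); pure acknowledgement otherwise (S=0)."""
    if ppp_frame and seq is None:
        raise ValueError("a data packet needs a sequence number")
    b0 = K_BIT | (S_BIT if ppp_frame else 0)
    b1 = (A_BIT if ack is not None else 0) | 1          # Ver = 1 marks enhanced GRE
    hdr = struct.pack("!BBHHH", b0, b1, PPTP_PROTOCOL_TYPE, len(ppp_frame), call_id)
    if ppp_frame:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp_frame


def parse_pptp_gre(pkt: bytes) -> PptpGre:
    """Decode and validate an enhanced GRE header, rejecting anything PPTP does not allow."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != PPTP_PROTOCOL_TYPE or (b1 & VER_MASK) != 1:
        raise ValueError("not an enhanced-GRE/PPTP packet")
    if not (b0 & K_BIT):
        raise ValueError("K must be set: the Key field carries Payload Length and Call ID")
    if b0 & (C_BIT | R_BIT | s_BIT | RECUR_MASK) or b1 & FLAGS_MASK:
        raise ValueError("C, R, s, Recur and Flags must be zero in PPTP")
    need = 8 + (4 if b0 & S_BIT else 0) + (4 if b1 & A_BIT else 0)
    if len(pkt) < need:
        raise ValueError("optional field flagged but missing")
    pos, seq, ack = 8, None, None
    if b0 & S_BIT:
        (seq,) = struct.unpack("!I", pkt[pos:pos + 4])
        pos += 4
    if b1 & A_BIT:
        (ack,) = struct.unpack("!I", pkt[pos:pos + 4])
        pos += 4
    if (plen > 0) != (seq is not None):
        raise ValueError("S must be set exactly when a payload is present")
    frame = pkt[pos:pos + plen]
    if len(frame) != plen:
        raise ValueError("Payload Length exceeds the packet")
    return PptpGre(call_id, plen, seq, ack, frame)
```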
IP encapsulation
The (encrypted) PPP payload and GRE header are then encapsulated with an IP header carrying the appropriate source and destination addresses of the PPTP client and server.
Data link layer encapsulation
To be transmitted over a LAN or WAN link, the IP packet is finally encapsulated with the header and trailer of the data link layer technology of the outgoing physical interface. For example, an IP packet sent over an Ethernet interface is framed with an Ethernet header and trailer; an IP packet sent over a point-to-point WAN link (such as an analog telephone line or ISDN) is encapsulated with a PPP header and trailer.

Encapsulation sequence
Figure 2.5 shows an example of PPTP encapsulation from a client over a remote access VPN connection using an analog modem.

Figure 2.5 PPTP encapsulation sequence


The encapsulation process in detail:
- IP or IPX packets or NetBEUI frames are submitted by the corresponding protocol, via NDIS (Network Driver Interface Specification), to the virtual interface that represents the VPN connection.
- NDIS passes the packet to NDISWAN, which encrypts and compresses the data and adds a PPP header. This PPP header contains only the PPP Protocol ID field, with no Flags or FCS (Frame Check Sequence) fields; the Address and Control fields are assumed to have been negotiated by the Link Control Protocol (LCP) during PPP connection setup.
- NDISWAN passes the data to the PPTP protocol, which encapsulates the PPP frame with a GRE header. In the GRE header the Call ID field is set to the value identifying the tunnel.
- PPTP then submits the resulting packet to TCP/IP.
- TCP/IP encapsulates the PPTP tunnel data with an IP header and submits the result, via NDIS, to the interface that represents the dial-up connection to the local ISP.
- NDIS passes the packet to NDISWAN, which adds the PPP header and trailer.
- NDISWAN sends the resulting PPP frame to the WAN port that represents the dial-up hardware (for example, the asynchronous port for a modem connection).

2.3.4 Processing data at the PPTP tunnel endpoint
On receiving PPTP tunnel data, the PPTP client or server:
- processes and removes the data link layer header and trailer;
- processes and removes the IP header;
- processes and removes the GRE and PPP headers;
- decrypts and/or decompresses the PPP payload (if required);
- processes the payload for reception or forwarding.
2.3.5 Deploying a PPTP-based VPN
A PPTP-based VPN requires, at minimum, the components shown in Figure 2.6:
- a network access server for secure dial-up access to the VPN;
- a PPTP server;
- PPTP clients with the necessary client software.

Figure 2.6 Components of a PPTP-based VPN system

PPTP servers may be located in the company network and managed by company staff.
PPTP server
The PPTP server has two main functions: it terminates the PPTP tunnel and it forwards packets arriving from the tunnel to the private LAN. The server forwards packets to their destination by processing the PPTP packet to obtain the network address of the destination computer. The PPTP server can also filter packets; with PPTP packet filtering the server can deny or allow access to the Internet, to the private network, or to both.
Placing the PPTP server at the network site has one limitation when the server sits behind a firewall. PPTP is designed so that only TCP port 1723 is used to pass its traffic. This fixed port configuration can make the firewall an easier target. If the firewall does packet filtering, it must also be configured to pass GRE.
Another device with a function similar to a PPTP server, the tunnel switch, was introduced by 3Com in 1998. Its purpose is to extend a tunnel from one network to another, stretching the tunnel from the ISP's network into the private network. A tunnel switch can be used at the firewall to improve control over remote access to internal network resources; it can inspect incoming and outgoing packets, the protocol of the PPP frames or the remote user's name.
PPTP client software
If the ISP's equipment supports PPTP, no extra hardware or software is needed on the clients; a standard PPP connection suffices. If the ISP's equipment does not support PPTP, a client application can still create a secure connection by first dialling the ISP with PPP and then dialling again through the virtual PPTP port set up on the client.
PPTP client software is included in Windows 9x, NT and later operating systems. When choosing a PPTP client, its features should be compared with those of the PPTP server in use. Not all PPTP clients support MS-CHAP, and without it the encryption advantages of RRAS cannot be used.
Network access server
The network access server (NAS) is also known as a remote access server or an access concentrator. The NAS provides software-based line access, accounting and fault tolerance at the ISP POP. An ISP's NAS is designed to let a large number of users dial in at the same time.
An ISP that offers PPTP service must install a PPTP-capable NAS to support clients on different platforms such as Unix, Windows and Macintosh. In this case the ISP's server acts as a PPTP client that connects to the PPTP server in the private network, and the ISP's server becomes one end of the tunnel, the other being the server at the private network end.
2.3.6 Advantages, disadvantages and applicability of PPTP
The advantage of PPTP is that it is designed to operate at layer 2 (data link) whereas IPSec operates at layer 3 of the OSI model. By supporting layer 2 transport, PPTP can tunnel protocols other than IP, while IPSec can tunnel only IP packets.
However, PPTP is an interim solution, since most vendors plan to replace it with L2TP now that the latter has been standardised. PPTP suits dial-up access for a limited number of users better than LAN-to-LAN VPNs. One issue with PPTP is that user authentication is handled through Windows NT or through RADIUS. A PPTP server is also overloaded by a large number of dial-up users or by heavy data traffic, which a LAN-to-LAN connection requires.
When a PPTP-based VPN relies on support from the ISP's equipment, some administrative control must be shared with the ISP. PPTP's security is not as strong as IPSec's, but security management in PPTP is simpler.

2.4 Layer 2 Tunneling Protocol (L2TP)

2.4.1 Overview of L2TP operation
To avoid having two incompatible tunneling protocols coexist and confuse users, the IETF combined L2F and PPTP into L2TP. L2TP takes the strengths of both PPTP and L2F and can be used in every application scenario of either. L2TP is specified in RFC 2661.
An L2TP tunnel can be initiated from a remote PC dialling in to an L2TP Network Server (LNS), or from an L2TP Access Concentrator (LAC) to the LNS. Although L2TP still uses PPP, it defines its own tunneling mechanism, which depends on the transport medium, rather than using GRE.
L2TP encapsulates PPP frames for transport over IP, X.25, Frame Relay or ATM networks, although at present only L2TP over IP is defined. Over IP, L2TP frames are encapsulated as UDP messages. L2TP can be used as a tunneling protocol across the Internet or across private intranets, and uses UDP messages over IP both for tunnel data and for tunnel maintenance. The payload of the encapsulated PPP frame may be encrypted and compressed. Encryption of L2TP connections is normally provided by IPSec ESP (not by MPPE as with PPTP). An L2TP connection can also be created without IPSec encryption, but this is not an IP-VPN connection, because the private data encapsulated in L2TP is not encrypted. Unencrypted L2TP connections may be used temporarily to troubleshoot L2TP connections that use IPSec.
L2TP assumes that an IP network exists between the client (a VPN client using L2TP and IPSec) and the L2TP server. The L2TP client can be attached directly to the IP network to reach the L2TP server, or indirectly by dialling into a network access server (NAS) to establish IP connectivity. Authentication during L2TP tunnel formation must use the PPP connection's authentication mechanisms, such as EAP, MS-CHAP, CHAP or PAP. The L2TP server is an IP-VPN server running L2TP with one interface to the Internet and another to the intranet.
L2TP uses two kinds of message, control and data. Control messages are responsible for establishing, maintaining and tearing down tunnels; data messages encapsulate the PPP frames carried in the tunnel. Control messages use a reliable control mechanism within L2TP to guarantee delivery, whereas data messages are not retransmitted when lost.
2.4.2 Tunnel maintenance with L2TP control messages
Unlike PPTP, L2TP tunnel maintenance is not carried over a separate TCP connection. Control and call-maintenance traffic is sent as UDP messages between the L2TP client and server, both using UDP port 1701.
L2TP control messages over IP are sent as UDP packets, and the UDP packet is in turn encrypted by IPSec ESP as shown in Figure 2.7.

Figure 2.7 L2TP control message


Since no TCP connection is used, L2TP relies on message sequencing to ensure delivery of L2TP messages. In an L2TP control message, the Next-Received field (similar to a TCP acknowledgment) and the Next-Sent field (similar to a TCP sequence number) maintain the ordering of control messages; out-of-order packets are dropped. The Next-Sent and Next-Received fields can also be used for sequenced delivery and flow control of tunnel data.
L2TP supports multiple calls per tunnel. Both the L2TP control message and the L2TP header of tunnel data carry a Tunnel ID identifying the tunnel and a Call ID identifying the call within that tunnel.
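As an added example not taken from the original document, the following Python parses the L2TP version 2 header (RFC 2661: Tunnel ID, Session ID, which the text calls Call ID, and the Ns/Nr fields that the text calls Next-Sent and Next-Received) and implements the receive side of the reliable control channel: a control message is accepted only when its Ns is the one expected, a retransmission of something already taken is recognised, a message ahead of the expected Ns is dropped as out of order, and a Zero-Length Body (ZLB) message acknowledges without consuming a sequence number. The tunnel ID and AVP bytes are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

L2TP_UDP_PORT = 1701
# First 16 bits of the header: T L x x S x O P x x x x Ver(4)
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT, VER_MASK = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100, 0x000F


@dataclass
class L2tpMessage:
    is_control: bool
    tunnel_id: int
    session_id: int            # the text's "Call ID"
    ns: Optional[int]          # Next-Sent: sequence number of this message
    nr: Optional[int]          # Next-Received: next Ns the sender expects from us
    body: bytes                # AVPs for a control message, a PPP frame for a data message


def build_control(tunnel_id: int, session_id: int, ns: int, nr: int, avps: bytes = b"") -> bytes:
    """Control message: T, L and S are mandatory (RFC 2661), O is forbidden; empty body = ZLB."""
    flags = T_BIT | L_BIT | S_BIT | 2
    body = struct.pack("!HHHH", tunnel_id, session_id, ns, nr) + avps
    return struct.pack("!HH", flags, 4 + len(body)) + body


def build_data(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    """Data message with the minimal header: no Length, no Ns/Nr, no Offset."""
    return struct.pack("!HHH", 2, tunnel_id, session_id) + ppp_frame


def parse_l2tp(dgram: bytes) -> L2tpMessage:
    if len(dgram) < 6:
        raise ValueError("truncated L2TP header")
    (flags,) = struct.unpack("!H", dgram[:2])
    if (flags & VER_MASK) != 2:
        raise ValueError("only L2TP version 2 is handled")
    is_control = bool(flags & T_BIT)
    if is_control and (not (flags & L_BIT) or not (flags & S_BIT) or flags & O_BIT):
        raise ValueError("control messages need L and S set and O clear")
    need = 2 + (2 if flags & L_BIT else 0) + 4 + (4 if flags & S_BIT else 0) + (2 if flags & O_BIT else 0)
    if len(dgram) < need:
        raise ValueError("flagged header field missing")
    pos, length, ns, nr = 2, len(dgram), None, None
    if flags & L_BIT:
        (length,) = struct.unpack("!H", dgram[pos:pos + 2])
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", dgram[pos:pos + 4])
    pos += 4
    if flags & S_BIT:
        ns, nr = struct.unpack("!HH", dgram[pos:pos + 4])
        pos += 4
    if flags & O_BIT:                          # Offset Size, then that many padding bytes
        (off,) = struct.unpack("!H", dgram[pos:pos + 2])
        pos += 2 + off
    if not pos <= length <= len(dgram):
        raise ValueError("Length field inconsistent with datagram")
    return L2tpMessage(is_control, tunnel_id, session_id, ns, nr, dgram[pos:length])


@dataclass
class ControlChannel:
    """Receive side of the reliable control channel for one tunnel."""
    tunnel_id: int
    nr: int = 0                # next Ns we expect from the peer
    ns: int = 0                # next Ns we will send ourselves
    peer_acked: int = 0        # highest Nr the peer has told us
    delivered: List[bytes] = field(default_factory=list)

    def receive(self, dgram: bytes) -> str:
        m = parse_l2tp(dgram)
        if not m.is_control:
            return "data"                      # data messages carry no Ns/Nr in this example
        self.peer_acked = m.nr
        if not m.body:
            return "zlb_ack"                   # pure acknowledgement, consumes no Ns
        if m.ns == self.nr:                    # exactly the message we were waiting for
            self.nr = (self.nr + 1) & 0xFFFF
            self.delivered.append(m.body)
            return "accepted"
        if ((self.nr - m.ns) & 0xFFFF) <= 0x7FFF:
            return "duplicate"                 # behind us: retransmission of something taken
        return "out_of_order"                  # ahead of us: a gap, dropped until the missing one arrives

    def zlb_ack(self) -> bytes:
        """Zero-Length Body message acknowledging everything below self.nr."""
        return build_control(self.tunnel_id, 0, self.ns, self.nr)
```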
2.4.3 L2TP tunnel data encapsulation
L2TP tunnel data passes through several levels of encapsulation:
- L2TP encapsulation. The original PPP payload is encapsulated with a PPP header and an L2TP header.
- UDP encapsulation. The L2TP packet is then encapsulated with a UDP header whose source and destination ports are both set to 1701.
- IPSec encapsulation. Depending on the IPSec policy, the UDP packet is encrypted and encapsulated with an IPSec ESP header, an IPSec ESP trailer and an IPSec Authentication trailer.
- IP encapsulation. The IPSec packet is encapsulated with an IP header carrying the source and destination IP addresses of the client and server.
- Data link layer encapsulation. To be transmitted over a LAN or WAN link, the IP packet is finally encapsulated with the header and trailer of the data link layer technology of the outgoing physical interface. For example, an IP packet sent onto an Ethernet interface is framed with an Ethernet header and trailer; IP packets sent over a point-to-point WAN link (such as an ISDN telephone line) are encapsulated with a PPP header and trailer.
Figure 2.8 shows the final structure of an L2TP tunnel data packet over IPSec.

Figure 2.8 L2TP tunnel data encapsulation


Figure 2.9 shows the L2TP encapsulation sequence from a VPN client over a remote access connection using an analog modem.


Figure 2.9 L2TP encapsulation sequence


The encapsulation proceeds as follows:
- IP, IPX or NetBEUI packets are submitted by the appropriate protocol, via NDIS, to the virtual interface that represents the VPN connection.
- NDIS passes the packets to NDISWAN, which may compress them and adds a PPP header containing only the PPP Protocol ID field; no Flag or FCS fields are added.
- NDISWAN passes the PPP frame to the L2TP protocol, which encapsulates it with an L2TP header. In the L2TP header the Tunnel ID and Call ID are set to the values identifying the tunnel.
- L2TP submits the resulting packet to TCP/IP with instructions to send it as a UDP message from UDP port 1701 to UDP port 1701, using the IP addresses of the client and server.
- TCP/IP builds an IP packet with the appropriate IP and UDP headers. IPSec then analyses the IP packet and compares it with the current IPSec policy. Based on the policy settings, IPSec encapsulates and encrypts the UDP message portion of the IP packet with the appropriate ESP header and trailer. The original IP header, with its Protocol field set to 50, is placed in front of the ESP packet. TCP/IP then submits the resulting packet, via NDIS, to the interface that represents the dial-up connection to the local ISP.
- NDIS passes the packet to NDISWAN.
- NDISWAN adds the PPP header and trailer and sends the resulting PPP frame to the appropriate port representing the dial-up hardware.

1.8.4 X l d liu ti u cui ng hm L2TP trn nn IPSec


On receiving L2TP-over-IPSec tunnel data, the L2TP client and the L2TP server perform the following steps:
- Process and remove the data link layer header and trailer.
- Process and remove the IP header.
- Use the IPSec ESP Auth trailer to authenticate the IP payload and the IPSec ESP header.
- Use the IPSec ESP header to decrypt the encrypted portion of the packet.
- Process the UDP header and send the packet to L2TP.
- L2TP uses the Tunnel ID and Call ID in the L2TP header to identify the specific L2TP tunnel.
- Use the PPP header to identify the PPP payload and forward it to the appropriate protocol for processing.
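The encapsulation steps of 1.8.3 and the unwrapping steps above, as an added example in Python; this is not code from the training text or from any L2TP implementation. It builds the PPP-in-L2TP-in-UDP-in-IPv4 stack and parses it back, identifying the session from the Tunnel ID and Call ID. The data-link framing and the IPSec ESP step are left out (ESP is covered in chapter 3); the port and header layout follow RFC 2661, and all addresses, IDs and PPP bytes are constructed sample values.

```python
"""Added example (not code from the VNPT training text): build the L2TP tunnel
packet of 1.8.3 and unwrap it with the steps of 1.8.4. The data-link framing
and the IPSec ESP step are left out; ports and field layouts follow RFC 2661,
everything else (addresses, IDs, the PPP bytes) is constructed."""
import socket
import struct

IPPROTO_UDP = 17
L2TP_PORT = 1701        # L2TP data and control both use UDP port 1701
L2TP_VERSION = 2        # L2TPv2 version field
L2TP_FLAG_T = 0x8000    # T bit set = control message
L2TP_FLAG_L = 0x4000    # L bit set = optional Length field present
L2TP_FLAG_S = 0x0800    # S bit set = Ns/Nr sequence fields present
L2TP_FLAG_O = 0x0200    # O bit set = Offset Size field (plus padding) present


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; 0 when verifying a good one."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_l2tp_packet(ppp_frame: bytes, tunnel_id: int, call_id: int,
                      src_ip: str, dst_ip: str) -> bytes:
    """Steps 3 to 5 of 1.8.3: PPP frame -> L2TP data header (Tunnel ID and
    Session ID, the 'Call ID' of the text) -> UDP 1701 -> IPv4 (protocol 17)."""
    l2tp = struct.pack("!HHH", L2TP_VERSION, tunnel_id, call_id) + ppp_frame
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp  # UDP checksum 0 = none
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_l2tp_packet(packet: bytes):
    """Receive side of 1.8.4 (after the IPSec layer): strip IP, process UDP,
    read the L2TP header and hand up the PPP frame. None = not a valid L2TP
    data packet (bad checksum, wrong port, control message, truncated)."""
    try:
        if packet[0] >> 4 != 4:
            return None
        ihl = (packet[0] & 0x0F) * 4
        total_len = struct.unpack("!H", packet[2:4])[0]
        if packet[9] != IPPROTO_UDP or total_len > len(packet) or ipv4_checksum(packet[:ihl]) != 0:
            return None
        src_ip, dst_ip = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
        udp = packet[ihl:total_len]
        sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
        if dport != L2TP_PORT or udp_len != len(udp):
            return None
        l2tp = udp[8:]
        flags_ver = struct.unpack("!H", l2tp[:2])[0]
        if (flags_ver & 0x000F) != L2TP_VERSION or flags_ver & L2TP_FLAG_T:
            return None                      # control messages belong to the control channel
        pos = 2
        if flags_ver & L2TP_FLAG_L:
            if struct.unpack("!H", l2tp[2:4])[0] != len(l2tp):
                return None
            pos += 2
        tunnel_id, call_id = struct.unpack("!HH", l2tp[pos:pos + 4])
        pos += 4
        if flags_ver & L2TP_FLAG_S:
            pos += 4                         # skip Ns, Nr
        if flags_ver & L2TP_FLAG_O:
            pos += 2 + struct.unpack("!H", l2tp[pos:pos + 2])[0]
        if pos > len(l2tp):
            return None
    except (IndexError, struct.error):
        return None
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": sport,
            "tunnel_id": tunnel_id, "call_id": call_id, "ppp_frame": l2tp[pos:]}


def identify_session(parsed: dict, sessions: dict):
    """Step 6 of 1.8.4: the (Tunnel ID, Call ID) pair selects the L2TP session."""
    return sessions.get((parsed["tunnel_id"], parsed["call_id"]))
```

The parser rejects a control message (T bit set) and any packet whose IP checksum, UDP port or length does not fit, which is the minimum a tunnel endpoint should check before consulting its session table.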
1.8.5 Deploying L2TP-based VPNs
A system providing L2TP-based VPN service consists of the following basic components: a network access concentrator, an L2TP server, and L2TP clients (Figure 2.10).

Figure 2.10 Components of an L2TP-based VPN system


L2TP server
The L2TP server has two main functions: it acts as the endpoint of the L2TP tunnel, and it forwards packets arriving from the tunnel to the private LAN and vice versa. The server forwards packets to the destination computer by processing the L2TP packet to obtain the network address of that computer.
Unlike a PPTP server, an L2TP server has no packet filtering capability; packet filtering in L2TP is performed by a firewall. In practice, however,


the network server and the firewall are usually integrated. This integration brings some advantages over PPTP, namely:
- L2TP does not require a single fixed port to be assigned on the firewall, as PPTP does. The management software can choose the port assigned on the firewall, which makes it harder for an attacker who targets one port when that port can change.
- Data and control information are carried over the same UDP connection, so firewall configuration is simpler. Because some firewalls do not support GRE, they are more compatible with L2TP than with PPTP.
L2TP client software
If the ISP's equipment supports L2TP, no additional hardware or software is needed on the clients; a standard PPP connection is sufficient. With such a setup, however, IPSec encryption cannot be used. L2TP-compatible client software should therefore be used for L2TP VPN connections.
Some characteristics of L2TP client software are:
- compatibility with the other IPSec components, such as the encryption server, the key exchange protocol and the encryption algorithms;
- a clear indication when IPSec is active;
- hashing that handles dynamic IP addresses;
- a key protection mechanism (encrypting the key with a password);
- a mechanism for changing the encryption automatically and periodically;
- complete blocking of non-IPSec traffic.
Network access concentrator
An ISP offering L2TP service must install an L2TP-enabled NAS to support L2TP clients running on different operating systems such as Unix, Windows, Macintosh, etc.
ISPs can also offer L2TP services without adding L2TP-capable equipment to their access servers; this requires every user to have L2TP client software on their machine. Users can then use the services of several ISPs when their network is geographically widespread.
1.8.6 Advantages, disadvantages and applicability of L2TP
L2TP is a later generation of dial-up VPN access protocol. It combines the best features of PPTP and L2F. Most PPTP product vendors also offer L2TP-compatible products.

Although L2TP mainly runs over IP networks, its ability to run over other network technologies such as Frame Relay or ATM makes it more widely used. L2TP allows a large number of remote clients to connect to the VPN, as well as high-capacity LAN-to-LAN connections. L2TP has a flow control mechanism that reduces congestion on the L2TP tunnel.
The choice of an L2TP service provider may vary with the network design requirements. If the VPN design requires end-to-end encryption, L2TP-compatible clients must be installed at the remote stations and an agreement made with the ISP that encryption will be handled from the remote machine all the way to the VPN server. If the network is built with a lower security level and higher fault tolerance, and data only needs to be protected while it travels through the tunnel over the Internet, then arrange with the ISP to support a LAC and encrypt data only on the segment from the LAC to the LNS of the private network.
L2TP allows multiple tunnels to be established between the same LAC and LNS. Each tunnel can be assigned to a specific user or group of users, and to different environments according to the user's quality of service (QoS) attributes.

1.9 Chapter summary
The level of security assured for data transmitted over the network depends largely on the enterprise's VPN implementation. Chapter 2 focused on the technical issues of virtual private network solutions that use tunnels. Tunneling plays a very important role in deploying VPNs over public telecommunications networks. The tunneling protocols introduced here are L2F, PPTP and L2TP. Each protocol was presented in some detail, from the data encapsulation diagram, the operating principles and the data processing at the tunnel endpoints to its practical deployment characteristics. The presentation also analyzed the characteristics, advantages and disadvantages of each protocol in order to show clearly their capabilities and scope of application.


CHAPTER 3

IPSec-BASED VIRTUAL PRIVATE NETWORKS


With the growth and expansion of the Internet, exchanging information between the branches and remote offices of a company, or with outside business partners, is no longer as difficult as it used to be. However, along with effective business support comes a very real risk of data security breaches and destructive attacks over the network. Consequently, protecting data transmitted over public networks has become especially important.
The IPSec (Internet Protocol Security) protocol was developed to solve the problem of securing information transmitted over the Internet and is considered the most suitable protocol for implementing IP-VPNs. This chapter presents the most important features of IPSec, the operation of the related protocols and standards, and the algorithms and techniques that support the implementation of IPSec-based VPNs.
This chapter covers:
- Introduction to IPSec
- IPSec encapsulation
- Security associations (SA) and the IKE key exchange
- Some technical issues in implementing VPNs over IPSec
- An example of a VPN implementation over IPSec
- Open issues in IPSec


2.1 Introduction to IPSec


IPSec was developed by the IETF to provide security in IP networks at the packet level. IPSec is defined as a family of network-layer protocols providing confidentiality, authentication, data integrity and access control services. It is a set of open standards that work together, first introduced in RFC 1825 through RFC 1829 in 1995.
IPSec allows a secure tunnel to be established between two private networks and authenticates both ends of that tunnel. The devices at the two ends of the tunnel may be a pair of hosts, a pair of security gateways (routers, firewalls, VPN concentrators), or a host and a security gateway. The tunnel acts as a secure channel between the two ends, over which packets requiring security are transmitted. IPSec also encapsulates the data and processes the information needed to set up, maintain and tear down the channel when it is no longer used. Packets transmitted in the tunnel have the same format as ordinary packets and require no change to the devices, architecture or existing applications of the intermediate network, which significantly reduces deployment and management costs.
IPSec has two basic mechanisms for securing data: the Authentication Header (AH) and the Encapsulating Security Payload (ESP); an IPSec implementation must support ESP and may support AH. Both AH and ESP provide means of access control based on the distribution of cryptographic keys and the management of the traffic flows associated with these security protocols.
AH provides data origin authentication, data integrity checking and an optional anti-replay service for IP packets transmitted between two systems. AH does not provide confidentiality, meaning that it sends information in clear text. ESP is a protocol that provides security for the transmitted packets, including data encryption, data origin authentication and connectionless data integrity checking. ESP ensures the confidentiality of information by encrypting the IP packet; all ESP traffic is encrypted between the two systems. Because of this, ESP tends to be used more often to increase data confidentiality.
The AH and ESP protocols may be applied alone or in combination to provide the desired set of security services in IPv4 and IPv6, but they provide those services in different ways. For both protocols, IPSec does not define specific security algorithms; instead it provides a framework that allows standard algorithms to be used. IPSec uses hash-based message authentication codes (HMAC) with MD5 (Message Digest 5) or SHA-1 for message integrity; DES or 3DES for data encryption; and pre-shared keys, RSA digital signatures and RSA encrypted nonces to authenticate the parties. In addition, the standards define the use of other algorithms such as IDEA, Blowfish and RC4.

IPSec can use the Internet Key Exchange (IKE) protocol to authenticate the two parties and to negotiate the security and authentication policies: determining the algorithms used to set up the channel, exchanging keys for each connection session and using them within each access session. A network that uses IPSec to protect data flows can automatically verify the authenticity of devices using the digital certificates of the two users exchanging information. This negotiation ultimately results in the establishment of a security association (SA) between the security peers.
A security association contains the set of policies, parameters, algorithms and protocols for encapsulating data between the parties in an IPSec session. At each end of the IPSec tunnel, the SA is used to determine which traffic needs IPSec processing, which security protocol is used (AH or ESP), and which algorithms and keys are used for encryption and authentication. Security association information is stored in the security association database, and the combination of a destination address and a security protocol identifies exactly one SA.
IPSec was developed with the next IP protocol family, IPv6, in mind, but because IPv6 deployment was slow and IP packets needed protection, IPSec was adapted to IPv4. IPSec support is optional in IPv4 but built into IPv6. IPSec is the choice for overall VPN security and the best option for corporate networks. It ensures reliable communication over public IP networks for VPN applications.

2.2 IPSec encapsulation


2.2.1 Modes of operation
IPSec provides two high-level authentication and encryption modes for encapsulating information: transport mode and tunnel mode. These two modes are examined below before the AH and ESP protocols are described.
2.2.1.1 Transport mode

In transport mode, security is provided for the protocols in the upper layers of the OSI model (layer 4 and above). This mode protects the payload of the packet but leaves the original IP header intact (Figure 3.1). The original IP addresses are used to route the packet across the Internet.


Figure 3.1 IP packet processing in transport mode


The advantage of transport mode is that it adds only a few bytes to the original IP packet. Its disadvantage is that it lets devices in the network see the source and destination addresses of the packet and possibly perform some processing (such as traffic analysis) based on the IP header information. However, if the data is encrypted by ESP, the specific contents of the IP packet cannot be learned. According to the IETF, transport mode can only be used when both IP-VPN end systems implement IPSec.
2.2.1.2 Tunnel mode

In tunnel mode, the entire original IP packet, including its header, is authenticated or encrypted and then encapsulated with a new IP header (Figure 3.2). The outer IP addresses are used to route the IP packet across the Internet.

Figure 3.2 IP packet processing in tunnel mode


This mode allows network devices such as routers to perform IPSec processing on behalf of the end hosts. In the example of Figure 3.3, router A processes the packets from host A and sends them into the tunnel. Router B processes the packets received from the tunnel, restores them to their original form and forwards them to host B. Thus the end hosts need no changes yet still obtain the data security of IPSec. In addition, with tunnel mode the intermediate devices in the network see only the addresses of the two tunnel endpoints (here routers A and B). When tunnel mode is used, the IPSec-VPN endpoints need not change their applications or operating systems.

Figure 3.3 Network devices performing IPSec in tunnel mode


2.2.2 The Authentication Header (AH) protocol
2.2.2.1 Introduction

The Authentication Header protocol was defined in RFC 1826 and later revised in RFC 2402. AH provides data origin authentication, data integrity checking and an anti-replay service. Two concepts need clarifying here: data integrity and anti-replay. Data integrity means checking for changes to each individual IP packet, regardless of the packet's position in the traffic stream. The anti-replay service checks for a packet being delivered to the destination address more than once.
AH authenticates the fields of the IP header as well as the data of the upper-layer protocols. However, because some IP header fields change in transit and the sender cannot predict their values on arrival at the receiver, those fields cannot be protected by AH. In other words, AH protects only part of the IP header. AH provides no processing to keep upper-layer data confidential; everything is transmitted in clear text. AH is faster than ESP, so it may be chosen when assurance of data origin and integrity is required but data confidentiality is not a strong requirement.
The AH protocol provides authentication by applying a one-way hash function to the packet data to produce an authentication code (hash or message digest). This code is inserted into the transmitted packet. Any change to the packet contents in transit is then detected by the receiver, which applies the same one-way hash function to the received packet and compares the result with the authentication code transmitted with the packet. The hash is computed over the entire packet except for those IP header fields whose values change in transit (such as the packet's time-to-live, TTL).


2.2.2.2 AH packet structure

Devices using AH insert a header into the IP packet's traffic of interest, between the IP header and the layer 4 header. Because AH is tied to IPSec, the IP-VPN can be configured to select which traffic needs protection and which does not require a security solution between the parties. For example, email traffic can be selected for secure processing while web services are not. The AH header insertion process is illustrated in Figure 3.4.

Figure 3.4 AH header structure for an IPSec packet


The fields of the AH header are as follows:
- Next Header. An 8-bit field identifying the type of data in the payload that follows the AH. The value is chosen from the set of IP protocol numbers defined by IANA (TCP 6, UDP 17).
- Payload Length. An 8-bit field containing the length of the AH header in 32-bit words, minus 2. For example, with an integrity algorithm that yields a 96-bit verification value (3 x 32 bits) plus the 3 fixed 32-bit words, this length field has the value 4. For IPv6, the total header length must be a multiple of 8-bit blocks.
- Reserved. This 16-bit field is reserved for future use. Its value is set to 0 and it is included in the computation of the authentication data.
- Security Parameters Index (SPI). This 32-bit field, together with the destination IP address and the security protocol, uniquely identifies the SA for the packet. SPI values 1 to 255 are reserved for future use. The SPI is a mandatory field and is usually chosen by the receiver when the SA is established. The SPI value 0 is used locally and may indicate that no SA exists yet.
- Sequence Number. This unsigned 32-bit field contains a value that is incremented by one for each packet sent. The field is mandatory and is always included by the sender even when the receiver does not use the anti-replay service. The sender's and receiver's counters are initialized to 0, so the first packet has sequence number 1. If the anti-replay service is used, this number must not repeat. To avoid the counter overflowing and repeating sequence numbers, the communication session must be terminated and a new SA established before the 2^32nd packet of the current SA is transmitted.
- Authentication Data. Also called the Integrity Check Value (ICV), this field has a variable length that is an integral multiple of 32 bits for IPv4 or 64 bits for IPv6. It may contain padding to reach a multiple of those block sizes. The ICV is computed with the authentication algorithm, which includes a message authentication code (MAC). A simple MAC may be the MD5 or SHA-1 algorithm. The keys used for AH are secret authentication keys shared between the communicating parties, which may be unpredictable random numbers. The ICV is computed on each newly submitted packet. Every mutable field of the IP header is set to 0, and upper-layer data is assumed immutable. Each VPN endpoint computes this ICV independently. If the ICV computed at the receiver does not match the ICV sent by the transmitter, the packet is discarded. This ensures that the packet has not been forged.
2.2.2.3 AH processing in transport and tunnel modes

AH operates through the following steps:
- Step 1: The entire IP packet (header and payload) is run through a one-way hash function.
- Step 2: The resulting hash is used to build an AH header, which is inserted into the original packet.
- Step 3: The packet with the AH header added is transmitted to the IPSec peer.
- Step 4: The receiver applies the hash function to the IP header and payload, obtaining a hash value.
- Step 5: The receiver extracts the hash from the AH header.
- Step 6: The receiver compares the hash it computed with the hash extracted from the AH header. The two must be identical; if they differ, the receiver immediately detects that the data is not intact.
AH processing depends on the IPSec mode and on the IP protocol version in use. The format of an IPv4 packet before and after AH processing in transport and tunnel modes is shown in Figure 3.5.
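The AH header fields of 2.2.2.2 and the six processing steps above, as an added example in Python (not code from the training text or from any IPSec implementation). It applies AH in transport mode to an IPv4 packet with HMAC-SHA1-96 as the ICV algorithm, zeroes the mutable header fields before hashing, and shows that a TTL decremented in transit still verifies while a changed payload byte or a wrong key is rejected. The addresses, key and payload are constructed; the IP header checksum is left at 0 since it is mutable and zeroed for the ICV anyway.

```python
"""Added example (not from the training text): AH in transport mode for IPv4,
following the field definitions of 2.2.2.2 and the six steps of 2.2.2.3. The
ICV is HMAC-SHA1-96 (RFC 2404), so Payload Length is 4; the mutable IPv4
fields (TOS, flags/fragment offset, TTL, header checksum) are zeroed before
hashing. Keys, addresses and the payload are constructed sample values, and
the IP header checksum is left at 0 because it is mutable anyway."""
import hashlib
import hmac
import socket
import struct

IPPROTO_AH = 51
ICV_LEN = 12      # 96-bit truncated HMAC-SHA1 = 3 x 32-bit words
AH_FIXED = 12     # Next Header, Payload Len, Reserved, SPI, Sequence Number


def sample_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Constructed IPv4 header: DF flag set, TTL 64, checksum 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_header: bytes) -> bytes:
    h = bytearray(ip_header)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_protect(ip_header: bytes, payload: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Steps 1-2: hash the packet (with a zeroed ICV field) and insert the AH
    between the IP header and the upper-layer payload."""
    next_header = ip_header[9]
    hdr = bytearray(ip_header)
    hdr[9] = IPPROTO_AH
    struct.pack_into("!H", hdr, 2, len(ip_header) + AH_FIXED + ICV_LEN + len(payload))
    payload_len_field = (AH_FIXED + ICV_LEN) // 4 - 2          # = 4 for HMAC-SHA1-96
    ah_no_icv = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    icv = hmac.new(key, zero_mutable_fields(bytes(hdr)) + ah_no_icv + b"\x00" * ICV_LEN + payload,
                   hashlib.sha1).digest()[:ICV_LEN]
    return bytes(hdr) + ah_no_icv + icv + payload


def ah_verify(packet: bytes, key: bytes):
    """Steps 4-6: recompute the ICV over the received packet and compare it with
    the transmitted one. Returns the original packet (AH removed) or None."""
    ihl = (packet[0] & 0x0F) * 4
    hdr, rest = packet[:ihl], packet[ihl:]
    if hdr[9] != IPPROTO_AH or len(rest) < AH_FIXED:
        return None
    next_header, plen, _, spi, seq = struct.unpack("!BBHII", rest[:AH_FIXED])
    ah_total = (plen + 2) * 4
    if len(rest) < ah_total:
        return None
    ah, payload = rest[:ah_total], rest[ah_total:]
    received_icv = ah[AH_FIXED:]
    expected = hmac.new(key, zero_mutable_fields(hdr) + ah[:AH_FIXED] + b"\x00" * len(received_icv) + payload,
                        hashlib.sha1).digest()[:len(received_icv)]
    if not hmac.compare_digest(expected, received_icv):
        return None                                   # step 6: hashes differ, packet rejected
    orig = bytearray(hdr)
    orig[9] = next_header
    struct.pack_into("!H", orig, 2, len(hdr) + len(payload))
    return bytes(orig) + payload
```

In a real implementation the SPI read from the header selects the key from the security association database; here the key is passed in directly so that the hashing rule is the only thing on display.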

Figure 3.5 IPv4 packet format before and after AH processing


The format of an IPv6 packet before and after AH processing is shown in Figure 3.6.

Figure 3.6 IPv6 packet format before and after AH processing


2.2.3 The Encapsulating Security Payload (ESP) protocol


2.2.3.1 Introduction

The ESP protocol was defined in RFC 1827 and later developed into RFC 2408. Like AH, this protocol was developed entirely for IPSec. ESP is used when the IPSec traffic to be transmitted requires confidentiality. It provides data confidentiality by encrypting the packets. In addition, ESP provides data origin authentication, data integrity checking, an anti-replay service and limited traffic flow confidentiality.
The set of services provided by ESP depends on the options selected when the security association is established; the confidentiality service is provided independently of the others. However, if the authentication and data integrity services are not used as well, the effectiveness of the confidentiality is not guaranteed. The authentication and data integrity services always go together. The anti-replay service can only be provided if the authentication service is selected.
Figure 3.7 illustrates the ESP encapsulation mechanism.

Figure 3.7 ESP encapsulation mechanism


ESP operates differently from AH. ESP encapsulates all or part of the original data. Because of its strong support for confidentiality, ESP tends to be used more widely than AH.
2.2.3.2 ESP packet structure

The ESP packet structure is shown in Figure 3.8. The fields of an ESP packet may be mandatory or optional. Mandatory fields are present in every ESP packet. The selection of an optional field is defined during security association establishment, so the ESP format for a given SA is fixed for the lifetime of that SA.


Figure 3.8 ESP packet format


The fields of the ESP packet structure are as follows.
- SPI (Security Parameters Index). An arbitrary 32-bit number which, together with the destination IP address and the security protocol ESP, uniquely identifies the SA for the packet. SPI values 0 to 255 are reserved for future use. The SPI is mandatory and is usually chosen by the receiver when the SA is established.
- Sequence Number. The same as the sequence number field of AH.
- Payload Data. This mandatory field contains a variable number of bytes of the original data, or of the part of the data requiring confidentiality, as described by the Next Header field. It is encrypted with the encryption algorithm selected during SA establishment. If the algorithm requires initialization vectors, they are also included here. The algorithm commonly used for ESP encryption is DES-CBC; other algorithms such as 3DES or CDMF are sometimes supported.
- Padding. There are several reasons for the presence of the padding field:
  - If the encryption algorithm requires the clear text to be an integral number of byte blocks (as with a block cipher), padding is used to fill out the clear text (Payload Data, Pad Length, Next Header and Padding) to the required size.
  - Padding is also needed to ensure that the cipher text ends on a 4-byte boundary, so that it is clearly separated from the Authentication Data field.
  - Padding may also be used to conceal the actual length of the payload, although this use must be weighed against its cost in transmission bandwidth.
- Pad Length. This field specifies the number of padding bytes added. Pad Length is mandatory, with valid values from 0 to 255 bytes.
- Next Header. A mandatory 8-bit field identifying the type of data in the payload, for example an IPv6 extension header or the identifier of an upper-layer protocol. Its value is chosen from the set of IP Protocol Numbers defined by IANA.
- Authentication Data. A variable-length field containing an Integrity Check Value (ICV) computed over the entire ESP packet except the Authentication Data field itself. Its length depends on the authentication algorithm used. This field is optional and is only added if the authentication service is selected for the SA in question. The authentication algorithm must specify the ICV length, the processing steps and the comparison rules used to check the packet's integrity.
2.2.3.3 ESP processing in transport and tunnel modes

ESP processing depends on the IPSec mode and on the IP protocol version in use. The format of an IPv4 packet before and after ESP processing in transport and tunnel modes is shown in Figure 3.9.

Figure 3.9 IPv4 packet format before and after ESP processing

The format of an IPv6 packet before and after ESP processing is shown in Figure 3.10.

Figure 3.10 IPv6 packet format before and after ESP processing
IPSec can support both AH and ESP in a permitted combination of transport and tunnel modes. For example, tunnel mode may be used to encrypt and authenticate the packets and their headers, and then AH or ESP, or both, applied in transport mode to protect the newly created header. AH and ESP are not used together in tunnel mode because ESP has an optional authentication mechanism; that option is used in tunnel mode when the packets must be both encrypted and authenticated.
2.2.3.4 Encryption with ESP

Encryption algorithms
The encryption algorithms are determined by the SA. ESP works with symmetric encryption algorithms. Because IP packets may arrive out of order, each packet must carry the information the receiver needs to establish cryptographic synchronization for decryption. This data may be placed in the Payload field, for example as initialization vectors (IVs), or derived from the packet header. Thanks to the Padding field, the encryption algorithms used with ESP may have block or stream characteristics. Because the encryption service is optional, an encryption algorithm is not mandatory.
The authentication algorithms used to compute the ICV are determined by the SA. For point-to-point communication, suitable authentication algorithms may be one-way hash functions (MD5, SHA-1). Because the authentication service is optional, an authentication algorithm is not mandatory.
The following algorithms may be used with ESP:
- DES, 3DES in CBC mode;
- HMAC with MD5;
- HMAC with SHA-1;
- no authentication algorithm;
- no encryption algorithm.
Besides the algorithms listed above, other algorithms may be supported. Note that at least one of the two services, encryption or authentication, must be provided, so the authentication and encryption algorithms cannot both be absent.
The decryption process
If ESP uses encryption, the packet must be decrypted. If the encryption service is not used, there is no decryption at the receiver. Packet decryption proceeds as follows:
- Decrypt the ESP (the Payload Data, Padding, Pad Length and Next Header fields) using the key. The encryption algorithm and its mode are determined by the SA.
- Process the padding according to the algorithm specification. The receiver must locate and remove the padding before passing the decrypted data to the upper layer.
- Reconstruct the original IP packet from the original IP header and the upper-layer protocol information in the ESP payload (transport mode), or from the outer IP header and the entire original IP packet in the ESP payload (tunnel mode).
If the authentication service is also selected, ICV verification and decryption may be carried out sequentially or in parallel. If sequential, the ICV check must be performed first. If parallel, the ICV check must complete before the decrypted packet is passed to the next processing step. This ordering allows invalid packets to be discarded quickly.
Decryption may fail for reasons such as:
- the wrong SA was selected (because the SPI, the destination address or the Protocol Type field was wrong);
- the padding length or its value is wrong;
- the encrypted ESP packet is corrupted.
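The ESP field layout of 2.2.3.2 and the decryption procedure above, as an added example in Python (not code from the training text or from any IPSec implementation). The receiver looks the SA up by SPI, checks the ICV before decrypting anything, then validates Pad Length and the padding bytes, and reports each of the failure reasons listed above by name. The ICV is HMAC-SHA1-96; the cipher is a constructed HMAC-SHA256 keystream standing in for the algorithm an SA would negotiate (DES-CBC, 3DES), chosen only to keep the example self-contained. The SA values and packets are constructed.

```python
"""Added example (not from the training text): ESP encapsulation per the field
list of 2.2.3.2 and the decryption procedure of 2.2.3.4, with the ICV checked
before decryption and the failure reasons reported by name. The ICV is
HMAC-SHA1-96; the cipher is a constructed HMAC-SHA256 keystream that stands in
for the algorithm an SA would negotiate (DES-CBC, 3DES), used only to keep
the example self-contained. SA values and packets are constructed."""
import hashlib
import hmac
import struct

ICV_LEN = 12

# Constructed SA: an 8-byte block size mimics a DES-CBC style block cipher, so
# padding must bring Payload Data + Padding + Pad Length + Next Header to a
# multiple of 8 (which also satisfies the 4-byte alignment of the ICV).
SAMPLE_SA = {"spi": 0x2001, "block": 8,
             "enc_key": b"constructed-esp-encryption-key",
             "auth_key": b"constructed-esp-authentication-key"}


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Stand-in cipher: SPI and sequence number act as the per-packet IV, so
    the same plaintext never encrypts to the same bytes twice."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_encapsulate(plaintext: bytes, next_header: int, sa: dict, seq: int) -> bytes:
    """SPI | Seq | {Payload Data | Padding | Pad Length | Next Header} | ICV."""
    pad_len = (-(len(plaintext) + 2)) % sa["block"]
    padding = bytes(range(1, pad_len + 1))           # RFC 2406 default pattern 1,2,3,...
    clear = plaintext + padding + bytes([pad_len, next_header])
    cipher = _xor(clear, _keystream(sa["enc_key"], sa["spi"], seq, len(clear)))
    esp = struct.pack("!II", sa["spi"], seq) + cipher
    icv = hmac.new(sa["auth_key"], esp, hashlib.sha1).digest()[:ICV_LEN]
    return esp + icv


def esp_decapsulate(esp_packet: bytes, sad: dict):
    """Returns (plaintext, next_header) on success or (None, reason).
    sad maps SPI -> SA (the destination address and the protocol ESP are
    implicit here: one receiver, one protocol)."""
    if len(esp_packet) < 8 + ICV_LEN:
        return None, "truncated"
    spi, seq = struct.unpack("!II", esp_packet[:8])
    sa = sad.get(spi)
    if sa is None:
        return None, "no SA for SPI"                  # wrong SA selection
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None, "ICV mismatch"                   # checked first, before any decryption
    cipher = body[8:]
    if len(cipher) % sa["block"]:
        return None, "ciphertext not block aligned"
    clear = _xor(cipher, _keystream(sa["enc_key"], spi, seq, len(cipher)))
    pad_len, next_header = clear[-2], clear[-1]
    if pad_len > len(clear) - 2:
        return None, "bad pad length"
    if clear[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return None, "bad padding value"
    return clear[:-2 - pad_len], next_header
```

Because the ICV is verified first, a corrupted or forged packet costs the receiver one HMAC computation and no decryption work, which is the reason the text gives for that ordering.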

2.3 Security associations and key exchange


2.3.1 Security associations


2.3.1.1 Types of security association

IPSec offers many options for implementing encryption and authentication at the network layer. This section defines the security management procedures for both IPv4 and IPv6 to apply AH, ESP or both, depending on the user's choice. When setting up an IPSec connection, the two parties must determine exactly which algorithms will be used and which services need to be secured. A negotiation process then begins to select a set of parameters and algorithms to apply for encryption or authentication. As introduced above, the security relationship between two or more entities that agree on secure communication is called a security association (SA).
A security association is a simplex connection, meaning that for each communicating pair A and B there are at least two SAs (one from A to B and one from B to A). When traffic must flow directly in both directions over the VPN, the IKE key exchange protocol establishes a pair of SAs directly and may then establish more. Each SA has its own lifetime. An SA is uniquely identified by a triple: the Security Parameters Index (SPI), the destination IP address, and a security protocol identifier (AH or ESP). In principle the destination IP address may be a unicast, broadcast or multicast address; however, IPSec's current SA management mechanisms are only defined for unicast SAs.
Security associations come in two types, transport and tunnel, depending on the mode of the protocol used. A transport-mode SA is a security association between two hosts, or where required between two intermediate systems along the path. Transport mode may also be used to support IP-in-IP or GRE tunnels over transport-mode SAs. A tunnel-mode SA is essentially an SA applied to an IP tunnel. An SA between two security gateways is a typical tunnel-mode SA, as is an SA between a host and a security gateway. However, where the traffic is destined for the gateway itself, such as SNMP commands, the security gateway acts as a host and transport mode is allowed.
An SA offers many options for IPSec services, depending on the security protocol chosen (AH or ESP), the SA type, the SA endpoints and the selection of optional services within the protocol used. For example, when AH is used to verify data origin and connectionless integrity for IP packets, the anti-replay service may or may not be used, at the parties' discretion.
When one IP-VPN side wants to send IPSec traffic to the other end, it checks whether an SA already exists in its database so that both sides can use the required security service. If an existing SA is found, it places that SA's SPI in the IPSec header, applies the encryption algorithms and sends the packet. The receiver takes the SPI, the destination address and the IPSec protocol (AH or ESP) and finds the matching SA in its database to process the packet. Note that an IP-VPN endpoint may have many IPSec connections at once, and therefore many SAs.
2.3.1.2 Combining security associations

IP packets transmitted over a single SA are protected by one security protocol, either AH or ESP but not both. Sometimes a security policy requires a combination of services for a particular traffic flow that cannot be achieved with a single SA. In that case several SAs must be employed to implement the required security policy. The term SA bundle refers to a sequence of SAs established to process traffic so as to satisfy a set of security policies.
For tunnel mode, there are three typical cases of SA combination, presented below.
Both endpoints of the SAs coincide
Each inner or outer tunnel is AH or ESP, although Host 1 may specify both tunnels to be the same, i.e. AH inside AH or ESP inside ESP (Figure 3.11).

[Figure 3.11 layout: Host 1 - Security gateway 1 - Internet - Security gateway 2 - Host 2; Security association 1 (tunnel); Security association 2 (tunnel)]

Figure 3.11 Combining tunnel-mode SAs when both endpoints coincide


One endpoint of the SAs coincides
The inner or outer tunnel may be AH or ESP (Figure 3.12).

[Figure 3.12 layout: Host 1 - Security gateway 1 - Internet - Security gateway 2 - Host 2; Security association 1 (tunnel); Security association 2 (tunnel)]

Figure 3.12 Combining tunnel-mode SAs when one endpoint coincides


No endpoint of the SAs coincides
Each inner or outer tunnel is AH or ESP (Figure 3.13).

[Figure 3.13 layout: Host 1 - Security gateway 1 - Internet - Security gateway 2 - Host 2; Security association 1; Security association 2 (tunnel)]

Figure 3.13 Combining tunnel-mode SAs when no endpoint coincides


Details of SA combinations are given in RFC 2401.
2.3.1.3 Security association databases

There are two security-related databases:
- the Security Policy Database (SPD);
- the Security Association Database (SAD).
The SPD specifies the security services offered to IP traffic, depending on factors such as source, destination and direction (outbound or inbound). It contains a list of policy entries, kept separately for inbound and outbound traffic. These entries may specify that some traffic bypasses IPSec processing, some must be discarded and the rest is processed by IPSec. The entries are similar to those of a firewall or packet filter.
The SAD contains the parameters of each SA, such as the AH or ESP algorithms and keys, the sequence number, the protocol type and the SA lifetime. For outbound processing, an SPD entry points to an entry in the SAD, and the SAD determines which SA is used for the packet. For inbound processing, the SAD is consulted to decide how the packet is processed.
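The SPD and SAD described above, as an added example in Python (not code from the training text or from any IPSec implementation). The SPD is an ordered list of entries per direction, each with traffic selectors and a bypass, discard or protect action; a protect entry refers to an SA in the SAD, and inbound packets are looked up by the (SPI, destination, protocol) triple. The example also shows the two inbound failure cases a gateway must handle: a packet whose triple matches no SA, and a clear-text packet for a flow whose policy demands protection. All networks, addresses, SPIs and keys are constructed sample values.

```python
"""Added example (not from the training text): a minimal SPD and SAD as in
2.3.1.3. Selectors match on CIDR source/destination, IP protocol and
destination port; all addresses, SPIs and keys are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Selector:
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None        # None = any IP protocol
    dst_port: Optional[int] = None     # None = any port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dst_port is None or pkt.get("dst_port") == self.dst_port))


@dataclass
class SPDEntry:
    selector: Selector
    action: str                                      # "bypass", "discard" or "protect"
    sa_ref: Optional[Tuple[int, str, str]] = None    # (SPI, destination, protocol) for "protect"


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    protocol: str          # "AH" or "ESP"
    mode: str              # "transport" or "tunnel"
    auth_key: bytes
    enc_key: bytes = b""
    seq: int = 0           # sender-side sequence counter
    lifetime_sec: int = 3600

    def key(self) -> Tuple[int, str, str]:
        return (self.spi, self.dst, self.protocol)


def outbound_decision(spd_out, sad, pkt):
    """First matching SPD entry wins. A 'protect' entry is followed through its
    sa_ref into the SAD; if that SA does not exist yet, IKE would have to
    create it, and until then the packet is dropped. No match = discard."""
    for entry in spd_out:
        if entry.selector.matches(pkt):
            if entry.action != "protect":
                return entry.action, None
            sa = sad.get(entry.sa_ref)
            if sa is None:
                return "discard", None
            sa.seq += 1
            return "protect", sa
    return "discard", None


def inbound_decision(spd_in, sad, pkt):
    """An IPSec packet is looked up by the (SPI, outer destination, protocol)
    triple from its headers; after that, or for a clear packet, the SPD is
    consulted and a 'protect' flow that arrived without IPSec is discarded."""
    protected = False
    if "spi" in pkt:
        sa = sad.get((pkt["spi"], pkt.get("outer_dst", pkt["dst"]), pkt["ipsec"]))
        if sa is None:
            return "discard"                         # unknown SA: cannot authenticate or decrypt
        protected = True
    for entry in spd_in:
        if entry.selector.matches(pkt):
            if entry.action == "discard" or (entry.action == "protect" and not protected):
                return "discard"
            return "accept"
    return "discard"


# Constructed site: local LAN 10.1.1.0/24 behind gateway 203.0.113.1, remote
# LAN 10.2.2.0/24 behind gateway 203.0.113.2, one ESP tunnel SA each way.
LAN, REMOTE_LAN, LOCAL_GW, PEER_GW = "10.1.1.0/24", "10.2.2.0/24", "203.0.113.1", "203.0.113.2"
SAD = {}
for _sa in (SecurityAssociation(0x1001, PEER_GW, "ESP", "tunnel", b"k-auth-out", b"k-enc-out"),
            SecurityAssociation(0x2002, LOCAL_GW, "ESP", "tunnel", b"k-auth-in", b"k-enc-in")):
    SAD[_sa.key()] = _sa
SPD_OUT = [
    SPDEntry(Selector(proto=6, dst_port=23), "discard"),                  # no telnet leaves the site
    SPDEntry(Selector(LAN, REMOTE_LAN), "protect", (0x1001, PEER_GW, "ESP")),
    SPDEntry(Selector(), "bypass"),                                       # everything else in the clear
]
SPD_IN = [
    SPDEntry(Selector(REMOTE_LAN, LAN), "protect"),                       # must arrive under IPSec
    SPDEntry(Selector(), "bypass"),
]
```

The order of entries matters exactly as in a firewall rule base: the telnet discard sits above the protect entry, so a telnet session to the remote LAN is dropped rather than tunnelled.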
2.3.2 IKE key exchange
An IPSec connection is only formed once an SA has been established. IPSec itself, however, has no mechanism for establishing SAs. The IETF therefore chose to split IPSec connection establishment into two parts: IPSec provides the packet-level processing, while IKMP (Internet Key Management Protocol) is responsible for negotiating the security associations. After considering several candidates, including IKE (Internet Key Exchange), SKIP (Simple Key Internet Protocol) and Photuris, the IETF selected IKE as the standard for configuring SAs for IPSec.
An IPSec-VPN tunnel is established between two parties through the following steps:
- Step 1. Decide which traffic needs protection at an interface in order to request the establishment of an IPSec session;
- Step 2. Negotiate main mode or aggressive mode using IKE, resulting in an IKE security association (IKE SA) between the IPSec peers;
- Step 3. Negotiate quick mode using IKE, resulting in two IPSec SAs between the two IPSec peers;
- Step 4. Data starts flowing through the encrypted tunnel using ESP or AH encapsulation (or both);
- Step 5. The IPSec-VPN tunnel is terminated (because the IPSec SA ends, expires or is deleted).
Although connection establishment consists of four steps, the second and third are the most important. These two steps clearly define IKE as having two phases. Phase one uses main mode or aggressive mode for the exchange between the parties, while phase two is completed using quick mode (Figure 3.14).

Figure 3.14 IKE phases and exchange modes


The steps and the purpose of each IKE phase are examined in detail below.
2.3.2.1 Step one

Deciding which traffic to protect is part of the VPN's security policy. The policy is used to decide which traffic needs protection; other traffic that does not need protection is sent as clear text.
The security policy is reflected in an access list. Both parties must hold matching lists, and there may be several access lists for different purposes between the parties. These lists are called access control lists (ACLs). An ACL is simply the extended IP access list that routers use to know which traffic to encrypt. ACLs work with two statements, Permit and Deny. Figure 3.15 shows how cryptographic access control operates according to the ACL when Permit and Deny statements are applied at the source and at the destination.

Figure 3.15 Cryptographic access control operation according to the ACL


The keywords Permit and Deny have different meanings on the source device and on the destination device. At the source they mean:
- Permit: pass the traffic to IPSec for authentication, encryption or both. IPSec modifies the packet by inserting an AH or ESP header, may encrypt part or all of the source packet, and transmits it to the destination.
- Deny: let the traffic through and deliver the packets in clear text to the receiver.
At the destination the keywords Permit and Deny mean:
- Permit: pass the traffic to IPSec for authentication, decryption or both. The ACL uses the header information to decide. In the ACL logic, if the header contains the right source, destination and protocol, the packet was processed by IPSec at the sending side and must therefore be processed at the receiving side.
- Deny: let the traffic through on the assumption that it was sent in clear text.
When the Permit and Deny keywords are combined correctly between source and destination, the data is transmitted and protected successfully. When they are not combined correctly, the data is discarded.
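The mirrored Permit/Deny check above (Figure 3.15), as an added example in Python; it is not code from the training text or from any router. It parses extended-access-list style lines with wildcard masks, evaluates the source router's ACL on the packet as sent and the destination router's ACL on the mirror image (source and destination swapped, which is how the destination sees its own mirrored list), and returns whether the data is delivered protected, delivered in the clear, or dropped because the two decisions disagree. The ACL lines and addresses are constructed sample values; the `parse_acl`, `acl_action` and `deliver` names are this example's own.

```python
"""Added example (not from the training text): the source/destination
Permit/Deny combinations of Figure 3.15 with wildcard-mask ACL entries.
All ACL lines and addresses are constructed."""
import socket
import struct


def _ip(dotted: str) -> int:
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def _match(addr: int, net: int, wildcard: int) -> bool:
    """Router wildcard-mask semantics: 0 bits must match, 1 bits are ignored."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)


def parse_acl(lines):
    """'permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255' ->
    (action, src_net, src_wild, dst_net, dst_wild); only 'ip' entries here."""
    entries = []
    for line in lines:
        action, proto, src, swild, dst, dwild = line.split()
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported ACL line: " + line)
        entries.append((action, _ip(src), _ip(swild), _ip(dst), _ip(dwild)))
    return entries


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; the implicit deny at the end is the
    'send in the clear' case of the text."""
    s, d = _ip(src), _ip(dst)
    for action, net_s, w_s, net_d, w_d in acl:
        if _match(s, net_s, w_s) and _match(d, net_d, w_d):
            return action
    return "deny"


def deliver(src_acl, dst_acl, src: str, dst: str) -> str:
    """Source decides with the packet as sent; destination decides on the
    mirror image (its list names its own network as the source)."""
    sent_protected = acl_action(src_acl, src, dst) == "permit"
    expects_protected = acl_action(dst_acl, dst, src) == "permit"
    if sent_protected and expects_protected:
        return "delivered protected"
    if not sent_protected and not expects_protected:
        return "delivered clear"
    return "dropped"              # one side used IPSec, the other did not


# Constructed site lists: router A protects 10.1.1.0/24 -> 10.2.2.0/24,
# router B holds the mirror image, except host 10.1.1.5 is excluded at A.
ACL_A = parse_acl(["deny ip 10.1.1.5 0.0.0.0 10.2.2.0 0.0.0.255",
                   "permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"])
ACL_B = parse_acl(["permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"])
```

The excluded host shows the mismatch case of the text: router A sends its packets in the clear, router B's mirrored list expects IPSec for them, and the traffic is dropped rather than accepted unprotected.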
2.3.2.2 Step two

This second step is IKE phase one. The purposes of this phase are:
- to negotiate a set of parameters used to authenticate the two parties and to encrypt part of the exchange in main mode, while the whole exchange is encrypted in quick mode. No message is encrypted in aggressive mode if aggressive mode is used for the negotiation;
- for the two VPN parties to authenticate each other;
- to generate keying material used to derive the encryption keys and to encrypt data as soon as the negotiation ends.
All the information negotiated in main or aggressive mode, including the key subsequently used to derive keys for data encryption, is stored as the IKE or ISAKMP (Internet Security Association and Key Management Protocol) security association. Either of the two parties has only one ISAKMP security association.

Figure 3.16 IKE phase one using main mode


Main mode has 6 message exchanges (3 two-way exchanges) between the initiator and the responder (Figure 3.16).
- First exchange. The encryption and authentication algorithms (used to protect the IKE exchanges) are negotiated and agreed between the peers.
- Second exchange. A Diffie-Hellman exchange is used to generate the shared secret keys, and nonces are exchanged to confirm each peer's authenticity. The shared secret key is used to derive all the other encryption and authentication keys.
- Third exchange. The peers' identities are authenticated. The result of main mode is a secure communication path for the subsequent exchanges between the two peers.
Quick mode performs 3 message exchanges. Most of the work is done in the first exchange: agreeing the IKE policy sets, generating the Diffie-Hellman public key, and an authentication packet that can be used for authentication through a third party. The responder sends back everything needed to complete the exchange. Finally the initiator confirms the exchange.

IKE policy sets

When a secure VPN connection is set up between two stations A and B across the Internet, a tunnel is established between routers A and B. Through the tunnel, the encryption, authentication and a number of other protocols are agreed. Rather than negotiating each protocol one at a time, the protocols are grouped into sets called IKE policy sets. IKE policy sets are exchanged in the first exchange of IKE phase one. If a matching policy is found on both sides, the exchange continues; if no matching policy is found, the tunnel is dropped.
For example, router A sends its IKE policy sets, IKE Policy 10 and 20, to B. Router B compares its own policy set, IKE Policy 15, with the policy sets received from A. In this case a matching policy is found: IKE Policy 10 on router A and IKE Policy 15 on router B are equivalent. In a point-to-point application each side only needs to define one IKE policy set, but a central site may have to define several IKE policies to satisfy the needs of all its remote peers.
Diffie-Hellman key exchange
The Diffie-Hellman key exchange is a public-key cryptographic method that lets two parties establish a shared secret key over an insecure communication channel. Seven Diffie-Hellman algorithms, or groups, are defined (DH 1 to 7). In IKE phase one the peers must agree on the Diffie-Hellman group to use. Once the group has been agreed, the shared secret key is computed.
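The following added example, written for this page and not taken from the training material or any vendor's code, shows how the second and third main-mode exchanges fit together: a Diffie-Hellman exchange in group 2 (the 1024-bit MODP prime from RFC 2409), derivation of SKEYID and its three sub-keys from the shared secret, the nonces and the cookies as RFC 2409 specifies for pre-shared-key authentication, and the HASH_I check that the responder uses to authenticate the initiator. The pre-shared keys, identities and the SA-payload stand-in are constructed values, and the peer class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Diffie-Hellman group 2 (1024-bit MODP) prime and generator.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GROUP2_G = 2
GROUP_BYTES = 128   # public values and g^xy are handled as 1024-bit big-endian numbers


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash (SHA-1 here), RFC 2409 section 5."""
    return hmac.new(key, data, hashlib.sha1).digest()


class IkePeer:
    """One IKE phase-one party using pre-shared-key authentication (example class)."""

    def __init__(self, cookie: bytes, psk: bytes, identity: bytes):
        self.cookie = cookie            # ISAKMP cookie (CKY-I or CKY-R)
        self.psk = psk                  # pre-shared key entered by the administrator
        self.identity = identity        # ID payload body (IDii_b or IDir_b)
        self.nonce = secrets.token_bytes(16)
        self.x = secrets.randbelow(DH_GROUP2_P - 2) + 1      # private exponent, never sent
        self.public = pow(DH_GROUP2_G, self.x, DH_GROUP2_P)  # g^x mod p, sent on the wire

    def shared_secret(self, peer_public: int) -> bytes:
        # Reject degenerate public values (0, 1, p-1) that would force a trivial g^xy.
        if not 1 < peer_public < DH_GROUP2_P - 1:
            raise ValueError("invalid Diffie-Hellman public value")
        return pow(peer_public, self.x, DH_GROUP2_P).to_bytes(GROUP_BYTES, "big")


def derive_keys(me: IkePeer, peer_public: int, ni: bytes, nr: bytes,
                cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID and the three keys derived from it for pre-shared-key authentication."""
    gxy = me.shared_secret(peer_public)
    skeyid = prf(me.psk, ni + nr)                                      # PSK authentication
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # seeds phase-two keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # IKE integrity key
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # IKE encryption key
    return {"skeyid": skeyid, "skeyid_d": skeyid_d,
            "skeyid_a": skeyid_a, "skeyid_e": skeyid_e}


def auth_hash(skeyid: bytes, gx_first: bytes, gx_second: bytes, cky_i: bytes,
              cky_r: bytes, sa_body: bytes, id_body: bytes) -> bytes:
    """HASH_I / HASH_R of the third exchange (RFC 2409 section 5).
    HASH_I orders the public values g^xi | g^xr; HASH_R orders them g^xr | g^xi."""
    return prf(skeyid, gx_first + gx_second + cky_i + cky_r + sa_body + id_body)


def run_phase1(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Simulate both sides of IKE phase one and report whether they end up with the
    same keys and whether the responder accepts the initiator's HASH_I."""
    sa_body = b"\x00\x00\x00\x01"    # constructed stand-in for the SAi_b payload body
    i = IkePeer(cookie=secrets.token_bytes(8), psk=psk_initiator, identity=b"initiator")
    r = IkePeer(cookie=secrets.token_bytes(8), psk=psk_responder, identity=b"responder")
    keys_i = derive_keys(i, r.public, i.nonce, r.nonce, i.cookie, r.cookie)
    keys_r = derive_keys(r, i.public, i.nonce, r.nonce, i.cookie, r.cookie)
    gxi = i.public.to_bytes(GROUP_BYTES, "big")
    gxr = r.public.to_bytes(GROUP_BYTES, "big")
    # The initiator sends HASH_I; the responder recomputes it with its own SKEYID.
    hash_i_sent = auth_hash(keys_i["skeyid"], gxi, gxr, i.cookie, r.cookie, sa_body, i.identity)
    hash_i_expected = auth_hash(keys_r["skeyid"], gxi, gxr, i.cookie, r.cookie, sa_body, i.identity)
    return {
        "same_keys": keys_i == keys_r,
        "authenticated": hmac.compare_digest(hash_i_sent, hash_i_expected),
        "key_length": len(keys_i["skeyid_e"]),
    }
```

With matching pre-shared keys both sides derive identical SKEYID_d, SKEYID_a and SKEYID_e and the HASH_I check passes; with different keys the Diffie-Hellman secret still agrees but SKEYID does not, so the third exchange fails and the ISAKMP SA is never established.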
Peer authentication
The purpose of the final exchange of IKE phase one is peer authentication, that is, checking who is at the far end of the VPN tunnel. The devices at both ends of the VPN tunnel must be authenticated before the channel is considered secure. Three methods are supported for authenticating the origin of data: pre-shared keys, RSA digital signatures and RSA-encrypted nonces.
2.3.2.3 Step three

The third step is IKE phase two. The purpose of this phase is to negotiate the IPSec security parameters used to protect the tunnel. Only one mode, quick mode, is used for IKE phase two.
IKE phase two performs the following functions:
- Negotiates the IPSec security parameters, the IPSec transform sets;
- Establishes the IPSec security associations;
- Periodically renegotiates the IPSec SAs to keep the tunnel secure;
- Performs an additional Diffie-Hellman exchange (new SAs and keys are generated, increasing the security of the tunnel).
Quick mode is also used to renegotiate a new security association when the old one expires. The peers then need not return to step two and can still establish an SA for the new communication session.
IPSec transform sets
The ultimate goal of IKE phase two is to establish a secure IPSec session between the two VPN endpoints. Before that can happen, each pair of endpoints negotiates the required level of security (for example the authentication and encryption algorithms used in the session). Rather than negotiating each individual protocol or algorithm separately, these protocols and algorithms are grouped into sets called IPSec transform sets. The transform sets are exchanged between the two sides in quick mode. If an equivalent transform set is found on both sides, session setup continues; otherwise the session is dropped.

Figure 3.17 Exchanging IPSec transform sets

Figure 3.17 shows an example of exchanging IPSec transform sets. Router A sends transform sets 30 and 40 to B; router B finds that its transform set 50 matches A's transform set 30, and the authentication and encryption algorithms in these transform sets form a security association.
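The IKE policy-set negotiation of phase one (Policy 10 and 20 offered, Policy 15 matching) and the transform-set negotiation of phase two (sets 30 and 40 offered, set 50 matching) follow the same matching rule, so one added example covers both and then records the agreed transform set as an SA under a fresh SPI, as the next section describes. This is example code written for this page, not the book's or any router's implementation; the algorithm names inside each set (3DES, SHA-1, DH group 2 and so on) are constructed, since the text gives only the set numbers, and the `negotiate` and `install_sa` functions are this example's own.

```python
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Proposal:
    """One IKE policy set or one IPSec transform set, identified by its local number."""
    number: int          # local priority / set number (lower = preferred)
    encryption: str      # e.g. "3des", "des"
    integrity: str       # e.g. "sha1", "md5"
    dh_group: int = 0    # IKE policy: DH group; transform set: PFS group, 0 = none

    def equivalent(self, other: "Proposal") -> bool:
        # The set numbers are local to each router and are never compared.
        return ((self.encryption, self.integrity, self.dh_group) ==
                (other.encryption, other.integrity, other.dh_group))


def negotiate(offered: list, local: list):
    """Responder-side matching.

    `offered` is the list the initiator sent, in its priority order; `local` is the
    responder's own list. Returns (offered_set, local_set) for the first equivalent
    pair, or None when nothing matches (the tunnel or session is then dropped)."""
    for mine in sorted(local, key=lambda p: p.number):
        for theirs in offered:
            if mine.equivalent(theirs):
                return theirs, mine
    return None


def install_sa(match, peer: str, sadb: dict) -> int:
    """Record the agreed transform set as an SA keyed by a fresh 32-bit SPI."""
    if match is None:
        raise ValueError("no matching transform set, session dropped")
    _, agreed = match
    while True:
        spi = int.from_bytes(secrets.token_bytes(4), "big")
        if spi >= 256 and spi not in sadb:      # SPI values 0-255 are reserved
            break
    sadb[spi] = {"peer": peer, "encryption": agreed.encryption,
                 "integrity": agreed.integrity, "pfs_group": agreed.dh_group}
    return spi


# The two negotiations from the text; set numbers as in the figures, contents constructed.
A_IKE_POLICIES = [Proposal(10, "3des", "sha1", 2), Proposal(20, "des", "md5", 1)]
B_IKE_POLICIES = [Proposal(15, "3des", "sha1", 2)]

A_TRANSFORM_SETS = [Proposal(30, "esp-3des", "esp-sha-hmac"),
                    Proposal(40, "esp-des", "esp-md5-hmac")]
B_TRANSFORM_SETS = [Proposal(50, "esp-3des", "esp-sha-hmac")]


def phase1_result():
    """Which IKE policy sets matched: (A's number, B's number) or None."""
    m = negotiate(A_IKE_POLICIES, B_IKE_POLICIES)
    return None if m is None else (m[0].number, m[1].number)


def phase2_result(sadb: dict):
    """Which transform sets matched, and the SPI of the SA installed for them."""
    m = negotiate(A_TRANSFORM_SETS, B_TRANSFORM_SETS)
    numbers = None if m is None else (m[0].number, m[1].number)
    spi = install_sa(m, peer="router-A", sadb=sadb) if m else None
    return numbers, spi


def mismatch_result():
    """B configured with AES only: no transform set is equivalent, so the session is dropped."""
    return negotiate(A_TRANSFORM_SETS, [Proposal(50, "esp-aes", "esp-sha-hmac")])
```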
Establishing security associations
Once a transform set has been agreed between the two sides, each IP-VPN device enters this information into a database. This information is known as a security association (SA). The IP-VPN device then numbers each SA with a security parameter index (SPI). When a packet has to be sent between the two VPN ends, the devices use the peer address, the SPI values and the IPSec algorithms in use to process the packet before transmitting it in the tunnel.
Security association lifetime
The longer the lifetime of a security association, the greater the chance that it will be compromised. To keep the communication session secure, the keys and the SAs must be changed regularly. There are two ways of measuring an SA lifetime: by the amount of data transmitted and in seconds. The keys and SAs remain valid until the SA lifetime expires or until the tunnel is torn down, at which point the SA is deleted.
2.3.2.4 Step four

After IKE phase two completes and quick mode has established the IPSec security associations, traffic can be exchanged between the IP-VPN peers through a secure tunnel (Figure 3.18). How packets are processed (encoding, encryption, encapsulation) depends on the parameters established in the SA.

Figure 3.18 The established IPSec tunnel

2.3.2.5 Tunnel termination

IPSec security associations end when they are deleted or when their lifetime expires. The IP-VPN peers then stop using these SAs and begin to release the SA database; the keys are discarded as well. If at this point the IP-VPN peers still wish to exchange data, a new IKE phase two is carried out; where necessary it is also possible to start again from IKE phase one. Normally, to keep communication uninterrupted, the new SAs are established before the old SAs expire.
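As an added example of the SA lifetime and tunnel-termination rules above (not code from the book or from any router), the following models an outbound SA with both a time lifetime and a traffic lifetime, a soft threshold at which the replacement SA is negotiated so that it is in place before the old one expires, and what happens when traffic resumes only after the old SA has already expired. The lifetimes (3600 seconds, 4608 kilobytes), the 90% rekey threshold and the traffic pattern are constructed for the demonstration; the class and function names are this example's own.

```python
from dataclasses import dataclass
import itertools


@dataclass
class SecurityAssociation:
    spi: int
    lifetime_seconds: int          # time-based lifetime
    lifetime_kilobytes: int        # traffic-based lifetime
    created_at: float
    bytes_protected: int = 0

    def account(self, nbytes: int) -> None:
        """Called once per packet protected under this SA."""
        self.bytes_protected += nbytes

    def age(self, now: float) -> float:
        return now - self.created_at

    def expired(self, now: float) -> bool:
        """Hard limit: whichever of the two lifetimes is reached first."""
        return (self.age(now) >= self.lifetime_seconds or
                self.bytes_protected >= self.lifetime_kilobytes * 1024)

    def rekey_due(self, now: float, fraction: float = 0.9) -> bool:
        """Soft limit (assumed 90% here): negotiate the replacement early so the new
        SA is installed before the old one expires."""
        return (self.age(now) >= fraction * self.lifetime_seconds or
                self.bytes_protected >= fraction * self.lifetime_kilobytes * 1024)


class SaDatabase:
    """Outbound SA handling for one peer: one active SA, replaced by rekey before expiry."""

    def __init__(self, lifetime_seconds: int, lifetime_kilobytes: int):
        self.lifetime_seconds = lifetime_seconds
        self.lifetime_kilobytes = lifetime_kilobytes
        self._spi_counter = itertools.count(0x1000)   # constructed SPI sequence
        self.active = None
        self.events = []           # (event, spi, time): what a router would log

    def _new_sa(self, now: float) -> SecurityAssociation:
        sa = SecurityAssociation(next(self._spi_counter), self.lifetime_seconds,
                                 self.lifetime_kilobytes, now)
        self.events.append(("new-sa", sa.spi, now))
        return sa

    def send(self, nbytes: int, now: float) -> int:
        """Protect a packet of nbytes at time `now`; returns the SPI used."""
        if self.active is None or self.active.expired(now):
            if self.active is not None:
                # The old SA was deleted on expiry; a fresh phase two is needed.
                self.events.append(("expired", self.active.spi, now))
            self.active = self._new_sa(now)
        elif self.active.rekey_due(now):
            # Quick mode would run here; the replacement is installed before expiry.
            self.events.append(("rekey", self.active.spi, now))
            self.active = self._new_sa(now)
        self.active.account(nbytes)
        return self.active.spi


def simulate():
    """Constructed scenario: 5000 packets of 1000 bytes at 10 pps, then a long idle gap."""
    db = SaDatabase(lifetime_seconds=3600, lifetime_kilobytes=4608)
    spis = []
    t = 0.0
    for _ in range(5000):
        spis.append(db.send(1000, t))
        t += 0.1
    spis.append(db.send(100, t + 4000))   # traffic resumes after the time lifetime passed
    return db.events, spis
```

In the simulated run the traffic lifetime triggers a rekey after 4247 packets (90% of 4608 KB), so the switch to the new SPI happens while traffic is still flowing; the later packet sent after the idle gap finds the SA expired and has to wait for a brand-new SA, which is exactly the interruption that rekeying before expiry is meant to avoid.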

2.4 Some technical issues in implementing IPSec-based VPNs

IPSec uses many existing protocols and techniques for encryption, data authentication and key exchange. This is what has made IPSec the common standard in information-security applications such as VPNs. The following is an overview of some of the protocols and techniques for encryption, message integrity, peer authentication, and key management and exchange. These are the basic techniques closely involved in implementing a VPN on IPSec.
2.4.1 Encryption
Messages can be encrypted when the ESP protocol is used. Encrypting messages allows information to be sent over a public network without fear of the data being compromised. The basic data-encryption standards are DES (Data Encryption Standard) with a 56-bit key, 3DES (Triple DES) with a 168-bit key and AES (Advanced Encryption Standard) with a 128-, 192- or 256-bit key. These algorithms use a single key to both encrypt and decrypt the information.
DES
DES is the standard data-encryption method for a number of VPN solutions. Developed by IBM in 1977, DES applies a 56-bit key to 64 bits of data and was one of the strong encryption techniques. It was regarded as unbreakable at the time, but faster computers later broke DES in a short time (less than a day), so DES is no longer used in the long term for high-security applications.
DES-CBC is one of the many DES modes. CBC (Cipher Block Chaining) requires an initialization vector (IV) to start encryption. IPSec ensures that both VPN sides have the same IV and shared secret key. The shared secret key is fed into the DES algorithm to encrypt the 64-bit blocks into which the plaintext is divided. The plaintext is converted into ciphertext and passed to ESP for transmission to the other side. In the reverse process, the shared secret key is used to recover the plaintext.
3DES
3DES is a variant of DES. It is so named because it performs three cipher passes: an encryption, a decryption and another encryption, each with a different 56-bit key. The three passes give a combined key of 168 bits and provide a strong encryption method. All Cisco VPN products and software support the 3DES algorithm with a 168-bit key as well as 56-bit DES.
AES
Several reputable organizations proposed candidate algorithms for AES, such as MARS (IBM), RC6 (RSA), Twofish (Bruce Schneier), Rijndael (Joan Daemen/Vincent Rijmen) and others. In 2000 NIST (US National Institute of Standards and Technology) selected the Rijndael algorithm, which implements an improved 10-round substitution-permutation network, for the AES standard.
In the future AES will be the symmetric block-cipher standard and will be implemented in both hardware and software. AES is designed to allow the key length to be increased when necessary. The AES data block length is 128 bits, while the key length may be 128, 192 or 256 bits.
2.4.2 Message integrity

Message integrity is achieved by using a mathematical hash function to compute a fingerprint of the message or data file. This fingerprint is called the message digest (MD), and its length depends on the hash function used. All or part of the message digest is transmitted with the data to the destination station, which runs the same hash function to produce a digest of the received message. The source and destination digests are compared: any difference means the message has been altered since the source message was created, while a match means the data was not altered in transit.
When the IPSec protocol is used, the message dig
est is computed over the fields of the IP packet that do not change in transit. The mutable fields are replaced by zero or by a predictable value. The message digest is then placed in the authentication data field (ICV) of the AH. The destination device copies the MD out of the AH and clears the authentication data field before recomputing the MD.
With the ESP protocol the processing is similar. The message digest is computed over the immutable data of the IP packet, starting at the ESP header and ending at the ESP trailer. The computed MD value is then placed in the ICV field at the end of the packet. With ESP the destination station does not need to clear the ICV field, because it lies outside the scope of the hash function.
The two main algorithms supporting message integrity are MD5 and SHA-1 (Secure Hash Algorithm 1). They use a keyed-hash mechanism called HMAC (keyed-Hash Message Authentication Code). The following gives an overview of these message-integrity tools.
Hashed message authentication code (HMAC)
RFC 2104 describes the HMAC algorithm. It was developed to work with the existing hash algorithms MD5 and SHA-1. Many complex security processes for sharing data require the use of a secret key and a mechanism called a message authentication code (MAC). One side creates a MAC using the secret key and sends it to the other side; the receiver recreates the MAC with the same secret key and compares the two MAC values.
MD5 and SHA-1 work on similar principles but use different secret keys. This is what called for the development of HMAC. HMAC adds a secret key to the standard hash algorithm that computes the message digest. The secret key is added in the same way in both cases, but the resulting message digest differs when a different algorithm is used.
The MD5 message digest algorithm
The MD5 algorithm digests any message or data field into a compact 128-bit code. With HMAC-MD5-96 the secret key is 128 bits long. For AH and ESP, HMAC uses only the leftmost 96 bits, placing them in the authentication field. The destination then recomputes the 128-bit message digest but uses only the leftmost 96 bits for comparison with the value stored in the authentication field.
MD5 produces a shorter message digest than SHA-1; it is considered less secure but performs better. MD5 without HMAC, however, is a weaker choice for security services.
The Secure Hash Algorithm (SHA)
The SHA secure hash algorithm is described in RFC 2404. SHA-1 produces a 160-bit message digest and uses a 160-bit secret key. Some products take the leftmost 96 bits of the digest and place them in the authentication field. The receiver recreates the 160-bit digest using the 160-bit secret key and compares only the leftmost 96 bits with the digest carried in the authentication field.
The SHA-1 message digest is longer and more secure than MD5. This is regarded as reasonably secure, but if a high level of security is required for message integrity, the HMAC-SHA-1 algorithm can be chosen.
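The following added example (written for this page, not the book's code) puts the AH integrity procedure of section 2.4.2 into practice: it builds an IPv4 packet carrying an AH, zeroes the mutable header fields and the ICV field itself, computes HMAC-MD5 or HMAC-SHA-1 with the key, keeps only the leftmost 96 bits as the ICV, and verifies the result at the receiver. The packet contents, addresses, SPI and key are constructed; the helper names are this example's own. It also shows the two outcomes a practitioner cares about: a TTL decrement at a router hop still verifies, and a single flipped payload bit does not.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-MD5-96 and HMAC-SHA1-96 both truncate the digest to 96 bits

HASHES = {"hmac-md5-96": hashlib.md5, "hmac-sha1-96": hashlib.sha1}


def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64, proto: int = 51) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 51 = AH); checksum left 0, it is zeroed for AH."""
    def ip(a):
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, ip(src), ip(dst))


def ah_header(spi: int, seq: int, icv: bytes, next_header: int = 17) -> bytes:
    """AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def immutable_view(packet: bytes) -> bytes:
    """Return the packet with every field that changes in transit set to zero
    (RFC 2402 appendix A: ToS, flags/fragment offset, TTL, header checksum) and the
    ICV field itself zeroed, which is what the HMAC is computed over."""
    p = bytearray(packet)
    p[1] = 0                      # ToS
    p[6:8] = b"\x00\x00"          # flags + fragment offset
    p[8] = 0                      # TTL
    p[10:12] = b"\x00\x00"        # header checksum
    ihl = (p[0] & 0x0F) * 4
    icv_start = ihl + 12          # fixed part of AH is 12 bytes
    p[icv_start:icv_start + ICV_LEN] = bytes(ICV_LEN)
    return bytes(p)


def compute_icv(packet: bytes, key: bytes, algo: str) -> bytes:
    full = hmac.new(key, immutable_view(packet), HASHES[algo]).digest()
    return full[:ICV_LEN]         # leftmost 96 bits only


def build_ah_packet(src, dst, payload, spi, seq, key, algo, ttl=64) -> bytes:
    total_len = 20 + 12 + ICV_LEN + len(payload)
    pkt = ipv4_header(src, dst, total_len, ttl) + ah_header(spi, seq, bytes(ICV_LEN)) + payload
    icv = compute_icv(pkt, key, algo)
    return pkt[:32] + icv + pkt[32 + ICV_LEN:]


def verify_ah_packet(packet: bytes, key: bytes, algo: str) -> bool:
    """Receiver side: recompute over the immutable view and compare in constant time."""
    received = packet[32:32 + ICV_LEN]
    return hmac.compare_digest(received, compute_icv(packet, key, algo))


def demo() -> dict:
    key = b"constructed-sha1-key-20B"[:20]   # constructed 160-bit key for HMAC-SHA-1
    payload = b"constructed UDP payload"
    pkt = build_ah_packet("10.1.1.1", "10.2.2.2", payload, spi=0x1001, seq=1,
                          key=key, algo="hmac-sha1-96")
    after_hop = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]    # a router decremented the TTL
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])          # one payload bit flipped
    return {
        "icv_len": len(pkt[32:32 + ICV_LEN]),
        "ok": verify_ah_packet(pkt, key, "hmac-sha1-96"),
        "ok_after_hop": verify_ah_packet(after_hop, key, "hmac-sha1-96"),
        "tampered_ok": verify_ah_packet(tampered, key, "hmac-sha1-96"),
        "wrong_algo_ok": verify_ah_packet(pkt, key, "hmac-md5-96"),
    }
```

The last entry shows why the integrity algorithm is part of the negotiated transform set: the same key and packet verified with HMAC-MD5-96 instead of HMAC-SHA1-96 fails, because the two digests differ even though both are truncated to 96 bits.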
2.4.3 Peer authentication
One of the IKE processes is peer authentication. It takes place in phase one using a keyed-hash algorithm together with one of the following three kinds of key:
- Pre-shared keys;
- RSA signatures;
- RSA-encrypted nonces.
Pre-shared keys
Pre-shared key handling is a manual process. The administrators at the ends of the IPSec-VPN agree on the key to be used, then manually enter the key into the device, whether host or security gateway. This method is simple but is not widely applied.
RSA signatures
A digital certificate from a certificate authority (CA) supplies the RSA signature at enrolment time. Digital signatures are more secure than pre-shared keys. Once the initial configuration is complete, peers using RSA signatures can authenticate each other without operator intervention.
When an RSA signature is required, a public/private key pair is generated. The host uses its private key to create a digital signature and sends its signature to the other side. The receiver uses the public key associated with the signature to validate the signature received from the sender.
RSA-encrypted nonces
The RSA-encrypted nonce method uses the RSA public-key encryption standard. It requires each side to generate a pseudo-random number and encrypt it with the other side's public key. Authentication takes place when each side decrypts the other side's nonce with its own private key and then uses the decrypted nonce in the hash computation.
2.4.4 Key management
Key management is an important issue when working with IPSec-VPN. There are five fixed keys for each pair of IPSec peers in a relationship:
- 2 private keys, each owned by one side and never shared. They are used to encrypt messages.
- 2 public keys, each owned by one side and shared with everyone. These keys are used to verify signatures.
- The fifth key is the shared secret key. Both sides use it for encryption and hashing. This is the key produced by the Diffie-Hellman algorithm.
In practice, the private and public keys are used for many IPSec connections originated by one side. For a small organization, all these keys can be managed manually. However, when the processing is divided up to support a large number of VPN sessions, many problems arise that must be solved. The Diffie-Hellman protocol and digital certificates issued through a CA are two of the effective solutions for managing keys automatically.

2.5 An example of VPN implementation on IPSec

To illustrate the whole process of setting up an IPSec-based VPN connection, consider the example in Figure 3.19.
Before the IPSec connection is set up, it must be confirmed that the devices in use along the VPN path support IPSec (including the protocols and algorithms), and that there is no prior IPSec connection, or if there is one, that the parameters of the existing SA do not conflict with those about to be established. The ping command can be used to confirm that connectivity is available.
In this example, a user wants to communicate securely with the head-office network. When data is sent to the user's router (which acts as a security gateway), the router checks its security policy and recognizes that the packet to be sent belongs to a VPN application and must be protected. The previously configured security policy also indicates that the router at the head-office network is the far end of the IPSec-VPN tunnel.

Figure 3.19 Example of an IPSec-based VPN connection

The user's router checks whether a security association has already been established for this session. If not, it starts the IKE negotiation. The certificate authority helps the head office authenticate the user and determine whether this session is permitted. The authentication method here is a digital signature supplied by a certificate authority trusted by both sides. As soon as the two routers agree on an IKE SA, the IPSec SA is created immediately. If the IKE SA cannot be agreed, the two sides can renegotiate or stop the session.
The IPSec SA is the result of the negotiation between the peers of the security policies, the encryption algorithm (for example DES), the authentication algorithm (for example MD5) and the shared key to be used. The SA data is stored in each side's database.
At this point the user's router encapsulates the data according to the requirements agreed in the IPSec SA (encryption and authentication algorithms, encapsulation protocol AH or ESP, and so on), then adds the appropriate information to turn the encrypted packet into an IP packet and forwards it to the router attached to the central network. On receiving the packet from the user's router, the central-network router looks up the IPSec SA, processes the packet as required, restores the original packet and forwards it into the central network.

2.6 Open issues in IPSec

Although IPSec already offers the features needed to set up secure VPN connections across the Internet, it is still being developed towards completeness. The following are some of the problems IPSec has to solve to support VPN implementation better:
- All packets processed by IPSec grow in size because of the various headers that have to be added, which reduces the effective throughput of the network. This can be addressed by compressing data before encryption, but such techniques are still under study and have not yet been standardized.
- IKE is a technology that has not yet fully proved its capabilities, while manual key distribution is unsuitable for networks with a large number of mobile devices.
- IPSec is designed to secure IP traffic only; it does not support other kinds of traffic.
- Computing the many complex algorithms of IPSec remains a hard problem for low-powered workstations and PCs.
- The distribution of cryptographic hardware and software is still restricted by the governments of some countries.

2.7 Chapter summary
Security is one of the most important aspects of technologies deployed over IP, particularly of VPN technology. Mastering and applying the security protocol suite effectively, so as to give service users the best conditions, is the goal of most network designers and operators. The IPSec protocol was developed to secure information carried across the Internet and is regarded as the best protocol for implementing IP-VPN. It is a set of open standards that provides data-security and access-control services.
This chapter has presented the most important features of IPSec and the operation of the related protocols. It has also covered the basic technical issues of securing communication in IPSec-VPN, such as the encryption standards, the message-integrity tools, the authentication algorithms and the techniques for key management and exchange. The chapter closed with an example of VPN connection setup and a number of open problems in implementing VPN on IPSec.
How effectively data carried over the network is secured depends greatly on the data-security solutions deployed, the length of the keys used, the encryption algorithms and their complexity, and so on. From the material in this chapter the reader should grasp the basic technical issues of IPSec-based VPN implementation, its advantages and applicability, as well as the open problems that still have to be solved in the IPSec protocol.

CHAPTER 4

MPLS-BASED VIRTUAL PRIVATE NETWORKS

MPLS-VPN is regarded as combining the advantages of both the overlay and the peer-to-peer VPN models. Building virtual private networks on MPLS ensures optimal routing between customer sites, distinguishes customer addresses through route identifiers, and supports complex VPN topologies based on the routing policy.
This chapter presents the fundamentals of MPLS-based virtual private networks, their operating principles and the capabilities MPLS-VPN offers. The main characteristics of the two VPN types, IPSec-based and MPLS-based, are also compared to highlight the advantages of the MPLS-VPN solution.
This chapter covers:
- Components of MPLS-VPN
- MPLS-VPN models
- Operation of MPLS-VPN
- Security in MPLS-VPN
- Quality of service in MPLS-VPN
- Comparison of IPSec-based and MPLS-based VPNs

3.1 Components of MPLS-VPN

3.1.1 The MPLS-VPN service delivery system
An important concept to recall when studying MPLS-based VPNs is the site. A VPN is a collection of sites that share the same routing information. A site can therefore belong to more than one VPN if it holds routes from each VPN separately. This makes it possible to build intranet VPNs, extranet VPNs and remote-access VPNs. When the sites of a VPN belong to one enterprise the VPN is an intranet; when the sites belong to different enterprises it is an extranet.
In general terms, the model of an MPLS-VPN service delivery system is shown in Figure 4.1.

Figure 4.1 The MPLS-VPN service delivery system and its components

As the figure shows, the basic components of MPLS-VPN are:
- The IP/MPLS core network administered by the service provider;
- The provider's core routers;
- The provider edge routers, which hold the customers' routing information and deliver the provider's services to the customers;
- The edge routers of the autonomous systems (AS), which connect to other ASs; these ASs may belong to the same or a different operator;
- The customer network, regarded as the access network to the core;
- The customer routers, which bridge the customer network and the provider network; these routers may be administered by the customer or by the service provider.

3.1.2 Provider edge routers

As introduced above, the essential, indispensable component in deploying MPLS-VPN is the service provider's edge routers. The PE routers in MPLS-VPN have the same architecture as the peer-to-peer VPN model with a shared router; the only difference is that everything is concentrated in a single physical device (Figure 4.2).

Figure 4.2 The PE router and connection of customer sites

As the figure shows, each customer is assigned an independent routing table called a virtual routing table, corresponding to a virtual router as in the peer-to-peer VPN model. A virtual router allows several sites of the same customer to connect to it. Routing across the provider network is done by a separate routing process that uses the global routing table.
3.1.3 Virtual routing and forwarding tables
The combination of a VPN routing table and a VPN forwarding table forms a virtual routing and forwarding table (VRF). Each VPN has its own routing and forwarding table in the PE router, and each PE router maintains one or more VRFs. Each site connected to the PE router is associated with one of these tables. The destination IP address of a packet is looked up only in the VRF the packet belongs to, if the packet arrived directly from the site associated with that VRF. A VRF is simply the set of routes appropriate to a site (or a set of sites) connected to the PE router. These routes may belong to one or more VPNs.
For example, suppose there are three PE routers PE1, PE2 and PE3 and three CE routers CE1, CE2 and CE3. Suppose also that PE1 receives from CE1 the routes valid for site CE1, while PE2 and PE3 are connected to sites CE2 and CE3 respectively. All three sites belong to the same VPN V. PE1 then uses BGP to distribute to PE2 and PE3 the routes it has learnt from site CE1. PE2 and PE3 put these routes into the forwarding tables for sites CE2 and CE3. Routes from sites that do not belong to VPN V do not appear in these forwarding tables, which means that packets from CE2 and CE3 cannot be sent to sites outside VPN V.
If a site belongs to several VPNs, the forwarding table associated with it may contain routes related to all the VPNs it belongs to. The PE maintains only one VRF per site. Different sites can share the same VRF if they use exactly the same set of routes as in that VRF. If all the sites have the same routing information (usually because they belong to the same set of VPNs), they are allowed to communicate directly with one another, and if they connect to the same PE router they are placed in the same shared VRF.
Suppose a PE router receives a packet from a directly connected site, call it site A, and the packet's destination address is not present in any entry of the forwarding table associated with site A. If the service provider does not provide Internet access to site A, the packet is dropped and cannot be delivered. But if the service provider does support Internet access for site A, the destination address is then looked up in the global routing table. Every PE router in an MPLS-VPN network therefore has several routing tables, one per VRF, plus a global routing table. The global routing table is used to reach the other routers in the service provider's network as well as destinations in external networks (such as the Internet).
In short, a VRF serves one VPN site, or several sites connected to the same PE router as long as those sites share exactly the same connectivity requirements. The structure of a VRF therefore comprises:
- An IP routing table;
- A forwarding table;
- The set of rules and routing-protocol parameters (called the routing protocol context);
- The list of interfaces that use the VRF.
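The following added example (written for this page, not the book's or a router vendor's code) models the PE lookup behaviour of section 3.1.3: the ingress interface selects the VRF, the destination is looked up by longest-prefix match in that VRF only, two VRFs may hold the same customer prefix without interfering, two sites with identical requirements share one VRF, and a miss is dropped unless the provider offers that VRF Internet access, in which case the global table is consulted. The PE layout, interface names, prefixes and next-hop labels (PE2, PE3, PE4, IGW) are constructed; the class and method names are this example's own.

```python
import ipaddress


class Vrf:
    """One virtual routing and forwarding table: its own routes, isolated from other VRFs."""

    def __init__(self, name: str):
        self.name = name
        self.routes = []          # (network, next_hop) pairs
        self.interfaces = set()   # interfaces bound to this VRF

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst: str):
        """Longest-prefix match; None when the VRF has no route for dst."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]


class PeRouter:
    """A PE with several VRFs plus the global table; the ingress interface selects the VRF."""

    def __init__(self):
        self.vrfs = {}
        self.global_table = Vrf("global")
        self.iface_to_vrf = {}
        self.internet_access = set()   # VRFs allowed to fall back to the global table

    def add_vrf(self, name: str, interfaces, internet: bool = False) -> Vrf:
        vrf = Vrf(name)
        self.vrfs[name] = vrf
        for iface in interfaces:
            self.iface_to_vrf[iface] = name
            vrf.interfaces.add(iface)
        if internet:
            self.internet_access.add(name)
        return vrf

    def forward(self, ingress_iface: str, dst: str):
        """Return the next hop for a packet, or None when it must be dropped."""
        vrf = self.vrfs[self.iface_to_vrf[ingress_iface]]
        nh = vrf.lookup(dst)
        if nh is not None:
            return nh
        if vrf.name in self.internet_access:       # provider offers Internet to this site
            return self.global_table.lookup(dst)
        return None                                # no route in the VRF: packet dropped


def build_pe() -> PeRouter:
    """Constructed PE: customers V and W both use 10.1.0.0/16; two sites of V share a VRF."""
    pe = PeRouter()
    v = pe.add_vrf("VPN_V", ["Gi0/1", "Gi0/2"], internet=True)   # two sites of customer V
    v.add_route("10.1.0.0/16", "PE2")      # learnt via MP-BGP from PE2 (site CE2)
    v.add_route("10.2.0.0/16", "PE3")      # learnt via MP-BGP from PE3 (site CE3)
    v.add_route("10.1.200.0/24", "PE3")    # more specific route: longest match must win
    w = pe.add_vrf("VPN_W", ["Gi0/3"])     # customer W, no Internet service
    w.add_route("10.1.0.0/16", "PE4")      # same prefix as V, different VPN
    pe.global_table.add_route("0.0.0.0/0", "IGW")   # provider's Internet gateway
    return pe
```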

3.2 MPLS-VPN models

Two models for deploying MPLS-based virtual private networks are in common use today: layer-3 VPN (L3VPN) and layer-2 VPN (L2VPN). The main characteristics of the two models are introduced below.
3.2.1 The L3VPN model
The L3VPN architecture is divided into two layers corresponding to layers 3 and 2 of the OSI model. L3VPN is based on RFC 2547bis, which extends a number of basic features of the Border Gateway Protocol (BGP) and focuses on BGP's multiprotocol orientation in order to distribute routing information across the service provider's core network and to forward VPN traffic across the core.
In the L3VPN architecture the customer and provider routers are regarded as peers. The customer edge router (CE) provides routing information to the provider edge router (PE). The PE stores this routing information in a virtual routing and forwarding table (VRF). Each VRF entry corresponds to one customer network and is completely isolated from the other customer networks. VPN users may only access sites or servers within the same private network. The PE router also maintains the ordinary routing tables used to forward customer traffic across the public network. An MPLS-based L3VPN configuration is shown in Figure 4.3.

Figure 4.3 The MPLS L3VPN model

IP packets crossing the MPLS domain carry two kinds of label: an MPLS label that identifies the label-switched path (LSP) and a label that identifies the VRF. A label stack is built to hold these labels. The provider's P routers process the LSP label to forward packets across the MPLS domain; the VRF label is processed only at the PE router attached to the customer router.
The advantage of the L3VPN model is that the customer address space is managed by the operator, which simplifies deploying connectivity with the provider. L3VPN also offers dynamic routing to distribute routing information to the VPN routers. However, L3VPN supports only IP traffic or traffic encapsulated in IP packets. At the same time, the existence of two routing tables in the edge devices is an operational complication that affects the scalability of the equipment.

3.2.2 The L2VPN model

The layer-2 VPN model was developed later, and its standards are still being finalized. The L2VPN approach sets up tunnels across the MPLS network to handle different traffic types such as Ethernet, FR, ATM and PPP/HDLC.
There are two basic forms of L2VPN:
- Point-to-point: similar to ATM and FR technology, aimed at setting up virtual switched paths across the network;
- Point-to-multipoint: supporting mesh and hierarchical configurations.
In recent years the virtual LAN service based on the multipoint L2VPN model with Ethernet access has been widely deployed. This solution links Ethernet networks across an MPLS infrastructure on the basis of layer-2 identifiers, thereby reducing the complexity of layer-3 routing tables. In the L2VPN model the CE and PE routers need not be regarded as peers (Figure 4.4); only a layer-2 connection between them is required. The PE router switches traffic flows into tunnels pre-configured towards the other PE routers.

Figure 4.4 The MPLS L2VPN model

L2VPN determines forwarding through a data plane that uses addresses learnt from neighbouring routers. L2VPN uses a label stack similar to that of L3VPN. The outer MPLS label identifies the path of the traffic across the MPLS domain, while the virtual-circuit (VC) label identifies the virtual LAN, the VPN or the connection to the endpoints. An optional label field used to control layer-2 connections is placed in the same stack next to the data field.
The most important advantage of L2VPN is that higher-layer protocols are carried transparently over MPLS. It can operate over most layer-2 technologies including ATM, FR and Ethernet, and opens the way to integrating connectionless IP networks with connection-oriented networks. Moreover, in this solution end users need not configure routing on the CE customer routers.
However, L2VPN does not scale as easily as L3VPN. A full mesh of LSPs must be used to connect the VPNs in the network, and L2VPN cannot route automatically between sites. Depending on the MPLS network configuration and the specific requirements, either of the two models may therefore be used.

3.3 Operation of MPLS-VPN

3.3.1 Distributing routing information
The PE routers must exchange the information in their virtual routing tables to ensure that data is routed between the customer sites attached to them. The problem is to have a routing protocol that carries the information about all customer routes across the provider network while still keeping the address spaces of the customers separate from one another.
One proposed solution is to use a separate routing protocol for each customer. The PE routers could be connected through point-to-point tunnels (and the per-customer routing protocol would run between the PE routers), or the provider's P routers could take part in the customer routing. Although simple to implement, this solution does not scale and runs into many problems when VPN service must be provided to a large number of customers. The difficulties are that the PE routers must run a large number of routing protocols, while the P routers must store information about all the customer routes.
Another solution is to deploy a single routing protocol that exchanges information about all customer routes across the provider network. This is clearly better, but the P routers still have to take part in customer routing, so the scalability problem remains.
To understand the scalability problem of running one routing protocol per VPN better, consider the following example.
Suppose the service provider's backbone must serve more than 100 VPN customers connected to two PE routers using the OSPF routing protocol. Each PE router in the backbone would run more than 100 independent copies of the OSPF routing process, each sending hello packets and periodic refresh packets across the network. To run more than one copy of OSPF over the same link, sub-interfaces have to be configured for each VPN on the PE-CE link, resulting in a complex network model. In addition, 100 SPF computations have to be run and separate databases and configurations maintained in the P routers of the core.

The better solution is therefore for customer routing information to be carried by a single routing protocol run between the PE routers, with the P routers not taking part in this routing. This solution is highly effective and scalable because the number of routing protocols between the PE routers does not grow with the number of customers, and the P routers carry no information about customer routes.
With a large number of customers, the routing protocol chosen is BGP, because it can support a large number of routes. Alongside BGP, EIGRP and IS-IS can also carry routing information for several address families, but IS-IS and EIGRP do not scale because they cannot carry as many routes as BGP. BGP is designed to exchange routing information between routers that are not directly connected, and this feature allows routing information to be kept at the edge devices without being exchanged with the provider's core routers. The BGP used in MPLS-VPN is called Multiprotocol BGP (MP-BGP).
3.3.2 VPN-IP addresses
With BGP deployed to exchange all customer routes between the PE routers, the question arises of how BGP can carry prefixes belonging to different customers between the PE routers. BGP uses IP addresses to choose one path among all the possible paths to a destination, so BGP cannot work correctly if customers use the same address space.
The only solution to this problem is to extend the customer's IP prefix so as to make the address unique even when addresses overlap. In addition, it must be ensured that the policy used to decide which of the routes BGP uses is applied within a single VRF only.
Extending the VPN customer's IP prefix leads to a new concept, the VPN-IP address. A VPN-IP address is formed by concatenating two fixed-length components: the route distinguisher field and the base IP address (Figure 4.5).

Figure 4.5 The VPN-IPv4 address

The route distinguisher field is what distinguishes the addresses when customer networks have overlapping IP addresses. Its structure allows each VPN service provider to create a route identifier value itself without fear of colliding with a similar value used by another service provider. There are three route distinguisher types, as shown in Figure 4.6.

Figure 4.6 Route distinguisher formats

The autonomous system number (ASN) field contains the number representing the VPN service provider's system. The assigned number field is managed by each VPN service provider itself. In most cases the service provider assigns one assigned-number value per VPN, although it may occasionally assign several values to one VPN. Two VPNs managed by one service provider never share an assigned number, and the ASN is globally unique. No two VPNs can therefore have the same route distinguisher. Since the IP address is unique within a VPN, the VPN-IP address is globally unique.
For BGP, managing routes to VPN-IP addresses is no different from managing routes to base IP addresses. The multiprotocol capability of MP-BGP lets it manage routes for many different address families. An important point to note is that the structure of the VPN-IP address, like the structure of the route distinguisher field, is entirely opaque to BGP. BGP only compares the prefixes of two VPN-IP addresses and takes no interest in their structure. BGP therefore needs no additional sub-protocols for this case and uses only its existing features. The BGP features used for MPLS-VPN include communities, community-based route filtering and the use of backup routes. These features apply to routes for VPN-IP addresses exactly as they do to routes for ordinary IP addresses.

VPN-IP addresses are confined entirely to the service provider; VPN customers (and the customers' devices) know nothing about them. VPN-IP addresses are recognized and assigned only by the provider edge router PE. For each VPN connection the PE router is configured with a route distinguisher value. When the PE receives a route from a directly connected CE, it has to determine which VPN the CE belongs to before passing the route to the service provider's BGP. The PE router converts the base IP address of the route into a VPN-IP address using the route distinguisher set for that VPN. Similarly, when the PE imports a route from the provider's BGP, it converts the VPN-IP address of the route back into a base IP address.
Let us now compare the role of the route distinguisher with that of BGP communities. They address two separate problems, and two separate mechanisms correspond to them. The first is how to deal with IP addresses that are not globally unique. To solve this, a new kind of address, the VPN-IP address, is introduced, and the route distinguisher is used to make these addresses globally unique. The role of the route distinguisher is thus to make IP addresses unique; it cannot, however, be used for route filtering. The second is how to make connectivity comply with the constraints imposed. Constraining routing information is done by filtering on BGP community attributes, but BGP communities do not make IP addresses unique.
Note that while a route distinguisher is never shared between different VPNs, one VPN may use several route distinguishers. Likewise, while VPNs cannot share a BGP community, one VPN may use several BGP communities. Neither the route distinguisher nor the community attribute can therefore be used to identify a VPN. This is consistent with the definition of a VPN as a set of policies controlling connectivity and quality of service between sites.
As we know, BGPv4 currently operates only on IPv4 addresses. Customer route information is then carried across the MPLS-VPN network as follows:
- The CE router sends an IPv4 routing update to the PE router;
- The PE router then adds the route distinguisher (64 bits) to the IPv4 address (32 bits) it received, producing a unique 96-bit VPN-IPv4 address;
- This VPN-IPv4 address is propagated over the MP-iBGP session to the other PE routers;
- The receiving PE router strips the route distinguisher from the VPN-IPv4 address, recovering the IPv4 address originally sent by the remote CE;
- This IPv4 address is forwarded to the other CE router in an IPv4 routing update.
An important point to stress is that VPN-IP addresses are handled only within the routing protocols and are never carried in the header of an IP packet. VPN-IP addresses therefore cannot be used directly to forward packets. Packet forwarding is done with MPLS and is described in the next section.
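As an added illustration (not the textbook's code) of the five propagation steps above and of the distinct roles of the route distinguisher and BGP communities, the following Python simulates the export and import sides of two PEs. AS 65000, the RD numbers, the "RT:" community strings and the 10.1.x.0 addresses are assumptions, and the RD byte layout is assumed to be the RFC 4364 type-0 form.

```python
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass, field

# Added example, not code from the textbook. The RD byte layout is assumed to be
# the RFC 4364 "type 0" form (2-byte type, 2-byte AS number, 4-byte assigned
# number); AS 65000, the RD numbers and the 10.1.x.0 addresses are constructed.


def make_rd(asn: int, number: int) -> bytes:
    """64-bit route distinguisher, type 0 (ASN:number)."""
    return struct.pack("!HHI", 0, asn, number)


def to_vpn_ipv4(rd: bytes, addr: str) -> bytes:
    """Ingress PE: prepend the 64-bit RD to the 32-bit IPv4 address -> 96-bit VPN-IPv4."""
    if len(rd) != 8:
        raise ValueError("route distinguisher must be 8 bytes")
    return rd + ipaddress.IPv4Address(addr).packed


def from_vpn_ipv4(nlri: bytes) -> tuple[bytes, str]:
    """Egress PE: strip the RD and recover the IPv4 address the remote CE sent."""
    if len(nlri) != 12:
        raise ValueError("VPN-IPv4 address must be 12 bytes")
    return nlri[:8], str(ipaddress.IPv4Address(nlri[8:]))


@dataclass(frozen=True)
class VpnRoute:
    """What MP-iBGP carries: an opaque 96-bit NLRI plus BGP communities."""
    nlri: bytes
    communities: frozenset[str]


@dataclass
class Vrf:
    name: str
    rd: bytes                    # makes this VRF's prefixes unique; does not identify the VPN
    export_rt: str               # community attached on export
    import_rts: frozenset[str]   # communities that admit a route into this VRF
    routes: list[str] = field(default_factory=list)


def pe_export(vrf: Vrf, ce_prefixes: list[str]) -> list[VpnRoute]:
    """Steps 2-3: turn IPv4 updates from the CE into VPN-IPv4 routes for MP-iBGP."""
    return [VpnRoute(to_vpn_ipv4(vrf.rd, p), frozenset({vrf.export_rt})) for p in ce_prefixes]


def pe_import(vrfs: list[Vrf], mp_ibgp: list[VpnRoute]) -> None:
    """Steps 4-5: constrain by community (never by RD), then strip the RD for the VRF."""
    for route in mp_ibgp:
        _rd, addr = from_vpn_ipv4(route.nlri)
        for vrf in vrfs:
            if vrf.import_rts & route.communities:
                vrf.routes.append(addr)


def demo() -> dict:
    """Two VPNs announce the same 10.1.1.0 address; the RDs keep the NLRIs distinct."""
    rt_a, rt_b = "RT:65000:1", "RT:65000:2"
    vrf_a_pe1 = Vrf("A@PE1", make_rd(65000, 1), rt_a, frozenset({rt_a}))
    vrf_b_pe1 = Vrf("B@PE1", make_rd(65000, 2), rt_b, frozenset({rt_b}))
    mp_ibgp = pe_export(vrf_a_pe1, ["10.1.1.0", "10.1.5.0"]) + pe_export(vrf_b_pe1, ["10.1.1.0"])
    # PE2 uses its own RD values: one VPN may use several RDs, as the text notes.
    vrf_a_pe2 = Vrf("A@PE2", make_rd(65000, 11), rt_a, frozenset({rt_a}))
    vrf_b_pe2 = Vrf("B@PE2", make_rd(65000, 12), rt_b, frozenset({rt_b}))
    pe_import([vrf_a_pe2, vrf_b_pe2], mp_ibgp)
    return {
        "distinct_nlri": len({r.nlri for r in mp_ibgp}),   # 3, although only 2 distinct IPv4 addresses
        "vrf_a": vrf_a_pe2.routes,
        "vrf_b": vrf_b_pe2.routes,
    }
```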
3.3.3 Forwarding VPN packets
The elements needed for MPLS-VPN to work are a routing protocol and a method of carrying packets across the MPLS network while preserving the properties of the VPN.
With customer routes carried along the MPLS-VPN backbone, the traffic between CE and PE routers is by default plain IP packets. The customer router CE supports the standard IP routing protocols and takes no part in the MPLS-VPN. In this approach, to forward packets along the MPLS-VPN backbone, the PE router would only have to pass the IP packets received from the customer router on to the other PE routers. Clearly this is very hard to do, because the P routers know nothing about the customer routes, and some quality-of-service requirements would therefore be hard to meet.
A more promising approach is to use label switched paths (LSPs) between the PE routers and forward the IP packets according to the label value attached to them (figure 4.7).

Figure 4.7 Using labels to forward VPN packets


In this approach, the customer's IP packet is given a label registered for the egress PE router. The core routers need not know the customer's IP addresses, and only packets that carry a label are forwarded to the egress PE. The core routers simply forward and deliver the customer packets to the egress PE router. At the egress PE, however, the customer's IP packet carries no information about the VPN or the VRF that the router could use for a VRF lookup, so the packet may be lost.
A better method of forwarding packets is to use a label stack (figure 4.8).

Figure 4.8 Using a label stack to forward VPN packets


The MPLS label stack is used to tell the egress PE router what to do with the VPN packet. The stack consists of two labels placed one on top of the other, called the inner label and the outer label. When a packet enters the network, the ingress PE router attaches both labels to the IP packet. The top label of the stack belongs to the label switched path (it is also called the LDP label) and ensures that the packet is carried across the MPLS-VPN backbone to the egress PE router.
MPLS uses the outer label to forward the packet from the ingress PE router across the core. At each P router this label is used to forward the packet; it is the index into the router's forwarding table. The P routers forward the packet along the LSP by swapping labels and never examine the inner label or the packet's destination IP address. When the packet reaches the egress PE, that router removes the outer label and then processes the inner label. The inner label is the label the PE router has registered for each VRF, and the PE uses it to decide which VRF the packet belongs to. In other words, the inner label decides which CE the packet is sent to.
By default, the egress PE router performs a lookup in the VRF forwarding table using the packet's destination IP address and then forwards the unlabelled IP packet to the appropriate customer site. The inner labels themselves are communicated between the PEs in extended MP-iBGP update messages. The second label in the stack can also be used to point directly at the outgoing interface towards the customer; in that case the egress PE router checks only the label on the VPN packet. This situation is commonly used when the CE router is the next hop of the VPN route and the label can point to a single VRF. The egress PE router first checks the label to find the destination VRF, and only then looks up the IP address within that VRF.
To understand the VPN packet forwarding process better, consider the example in figure 4.9. In this example PE1 is the ingress router and PE2 is the egress router. The ingress PE router has two labels associated with the remote VPN route. One label is for the BGP next-hop; it is registered by the next P router through the label distribution protocol LDP and taken from the local LIB. The second label is registered by the remote PE router and carried in MP-iBGP updates. Both labels are combined in the label stack and entered into the VRF table.

Figure 4.9 VPN data forwarding across the MPLS network
Assume an LSP has been established between PE1 and PE2, and Host 1 wants to send data to Host 2. Host 1 sends the packet to router CE1. CE1 encapsulates the packet and passes it to PE1. PE1 receives the packet and, based on the interface on which it arrived, decides to use the forwarding table of VRF A to route it. PE1 looks up the destination address of Host 2 in the forwarding table of VRF A and finds it there. PE1 attaches label 16 to the packet. This is the inner label, which identifies the VRF on router PE2. Label 16 was previously passed from PE2 to PE1 over the MP-iBGP session.
Next, PE1 attaches label 21 to the packet and sends the labelled packet to router P1. Label 21 is placed in the label stack above label 16, so it is the outer label and will change on every segment between two LSRs. P1 receives the packet from PE1, takes label 21 and looks it up in its forwarding table. It decides to replace label 21 with label 19 and forwards the packet to P2. P2 receives the packet, takes label 19 and looks it up in its forwarding table. The lookup indicates that it must replace label 19 with label 46 and forward the packet to PE2.


PE2 receives the packet from P2 and examines label 46. PE2 knows it is the egress router of the LSP, so it releases label 46. It then examines the next label, 16, and determines that the packet belongs to VRF A. The packet's IP address is looked up in VRF A to determine the destination and the outgoing interface, and PE2 forwards the packet to CE6. CE6 receives the IP packet from PE2 and examines the destination address of Host 2. From here on, routing is done with the ordinary IGP routing protocols.
The system in the figure has two virtual private networks, VPN A and VPN B. VPN A comprises CE1, CE5 and CE6; VPN B comprises CE2, CE3 and CE4. CE1 has traffic destined for CE5 and CE6. Because these sites belong to the same VPN, PE1 uses the same forwarding table, VRF A, for them. The inner label identifies the destination VRF and is the same in every packet belonging to that VPN, even when the packets go to different sites. CE2 and CE3 have traffic destined for CE4. Because these routers belong to VPN B, PE1 uses a different forwarding table for this VPN, VRF B. Both VPNs nevertheless use the same LSP, since they share the ingress router PE1 and the egress router PE2.

3.4 Security in MPLS-VPN

Security is one of the most important factors for every VPN solution. In terms of security, a BGP/MPLS-based VPN solution can reach a level equivalent to VPN solutions built on ATM or Frame Relay.
VPN security must guarantee isolation of both the routing information and the address space of each VPN; that is, each VPN's addressing is completely independent, and routing information from one VPN must not leak into another or vice versa. The second requirement is that the structure of the core network remains completely transparent to the customers using the service. Third, security must prevent label spoofing, just as IP address spoofing is prevented, and must resist denial-of-service attacks as well as intrusion attacks on the service.
To see clearly how security is achieved in MPLS-VPN, first note that MPLS-VPN allows the same address space to be used across VPNs while still guaranteeing that customer site addresses are unique, thanks to the 64-bit value of the route distinguisher. Customers of an MPLS-VPN service therefore do not need to change their existing addresses.
Routing inside the VPN provider's network is done by label switching rather than on traditional IP addresses. Moreover, every LSP corresponding to a VPN-IP route begins and ends at PE routers, never at some intermediate point in the provider's network, so the internal core is completely transparent to the customer. Each PE router maintains a separate VRF table for each VPN, and that VRF only distributes routes belonging to that VPN. This guarantees the isolation of routing information between VPNs.
With the MPLS-VPN solution it is very hard to attack a VPN directly; one could only attack the MPLS core and from there attack the VPN. The core could be attacked in two ways: directly at the PE routers, or through the MPLS signalling mechanisms. To attack the network, however, one first has to know its IP addresses, and the MPLS core is completely transparent to the outside, so an attacker cannot learn the IP address of any router in the core. They could guess addresses and send packets to them, but in an MPLS network every incoming packet is treated as belonging to some customer's address space, so internal routers are hard to reach even when an address is guessed correctly.
The exchange of routing information between PE and CE routers might be a weak point of an MPLS-VPN network, but ACLs on the PE router and the authentication methods of the routing protocol used on the link will secure it. Label spoofing is also unlikely, because the PE router accepts only unlabelled packets from the CE router; if a packet carries a label, that label must be one the PE itself controls and manages.
From the points above, security in MPLS-VPN is assured to a very high degree and is fully comparable with security in ATM- or Frame Relay-based solutions.

3.5 Quality of service in MPLS-VPN

Quality of service is always a primary concern for network operators and administrators. The QoS mechanisms used must be flexible enough to meet the differing requirements of customers and scalable enough to support a large number of VPN customers. For example, the service provider must offer VPN customers several classes of service (CoS) per VPN, so that different applications within the same VPN can receive different CoS: e-mail may receive one CoS while a real-time application such as voice receives another. Furthermore, the CoS an application receives in one VPN may differ from the CoS the same application receives in another VPN; that is, the QoS mechanisms allow each VPN to decide which kind of data receives which CoS. Not every VPN need use all the CoS a provider offers, either, so a set of QoS mechanisms also allows a VPN to decide which CoS form its basis.
The two forms of QoS model used for MPLS-based virtual private networks are the pipe model and the hose model.

3.5.1 The pipe model
In the pipe model, the service provider gives the VPN customer a defined level of QoS between CEs of the same VPN. Formally, the model can be pictured as a pipe connecting two routers, with the traffic between the two routers inside the pipe guaranteed a specified QoS level. One form of QoS guarantee that can be offered in the pipe model is a guaranteed minimum bandwidth between two sites.
The provider edge routers PE at both ends of the pipe filter and discard excess traffic so as to guarantee the bandwidth of the traffic flow inside the pipe. The pipe model can be refined by allowing only certain kinds of traffic (corresponding to certain applications) from one CE to other CEs to use the pipe; which traffic may use the pipe is decided at the PE router at the head of the pipe.
Note that the pipe model is quite similar to the QoS model VPN customers get with Frame Relay- or ATM-based solutions. The basic difference is that with ATM or Frame Relay the connections are duplex, whereas the pipe model provides guaranteed connections in one direction only. This one-directional property lets pipes be set up for applications with asymmetric traffic flows, where the traffic from one site to another differs from the traffic in the reverse direction.
Figure 4.10 illustrates an example of the pipe QoS model. As shown in the figure, the service provider gives VPN A one pipe guaranteeing 7 Mb/s for traffic from Site 3 to Site 1 (more precisely from CE A3 to CE A1) and another pipe guaranteeing 10 Mb/s for traffic from Site 3 to Site 2 (from CE A3 to CE A2). A CE router may thus have more than one pipe originating at it (for example, the two pipes from Site 3), and likewise more than one pipe may terminate at a site.


Figure 4.10 The pipe QoS model in MPLS-VPN


One advantage of the pipe model is that it resembles the QoS model VPN customers already use with FR or ATM, so customers can adopt it easily. The pipe model also has some drawbacks, however. For example, it requires the VPN customer to know the complete traffic matrix between sites, that is, the total traffic from each site to every other site. This information is usually not available, and even when it is, it is often out of date.
The pipe model is close to the integrated services model of guaranteed quality of service. MPLS-VPN can guarantee bandwidth for LSPs, which makes the pipe model simple to use: LSPs starting and ending at the PEs guarantee bandwidth across the core, and the service agreement between PE and CE guarantees end-to-end QoS. To get the most out of the pipe model, the VPN customer needs to know its traffic requirements well when planning the network.
3.5.2 The hose model
In the hose model, the VPN service provider gives the customer a QoS guarantee for the traffic that one of the customer's CE routers sends to, and receives from, the other CE routers of the same VPN. Otherwise the customer would have to specify how traffic is distributed among the CE routers in the network. For the customer, then, the hose model provides quality of service per VPN without requiring traffic analysis or traffic planning down to each CE, which lightens the burden on VPN service customers.


The hose model uses two rate parameters: the Ingress Committed Rate (ICR) and the Egress Committed Rate (ECR). ICR is the rate applying to traffic that an ingress CE may send to the other CEs, while ECR is the rate applying to traffic that a CE may receive from the other CEs. In other words, ICR represents the total traffic from a given CE, while ECR represents the total traffic to a given CE. Note that for a given CE the ICR need not equal the ECR.
Figure 4.11 illustrates an example of the hose QoS model. Here the service provider gives VPN B a bandwidth guarantee of 15 Mb/s for traffic from Site 2 to the other sites (ICR = 15 Mb/s), regardless of whether that traffic goes to Site 1 or Site 3. Similarly, the provider gives VPN A a bandwidth guarantee of 7 Mb/s for traffic sent from Site 3 to the other sites of the same VPN (ICR = 7 Mb/s), regardless of whether it goes to Site 1 or Site 2. Likewise, the provider gives VPN B a bandwidth guarantee of 15 Mb/s for traffic sent to Site 2 (ECR = 15 Mb/s), regardless of whether it originates at Site 1 or Site 3.

Figure 4.11 The hose QoS model in MPLS-VPN


The hose model supports several CoS levels corresponding to services with different parameters; for example, one service may require a lower packet-loss parameter than another. To support classes of service they must be introduced into the hose model, which lets the provider use differentiated-services mechanisms together with MPLS. The hose model is therefore an approach derived from the Diffserv differentiated-services model. For services that require firm guarantees (such as of bandwidth), the pipe model is more suitable.


A service provider may offer a VPN customer the pipe model, the hose model or a combination of both to meet specific QoS requirements. The provider's PE edge routers determine which traffic is admitted into each class of service. Depending on the ingress interface, source address, destination address, port number and the QoS commitments, packets are marked to match the quality-of-service requirements.
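As an added example (not from the textbook), the following Python contrasts what a PE has to police under the two models: per-pipe rates for the VPN A pipes of figure 4.10 and per-CE aggregates for the VPN B hose of figure 4.11. The offered traffic values are constructed; the commitments are the ones in the figures.

```python
from __future__ import annotations

from collections import defaultdict
from typing import Dict, Tuple

# Added example, not code from the textbook. The pipe rates (VPN A, figure 4.10) and
# the ICR/ECR values (VPN B, figure 4.11) are the book's; the offered traffic is constructed.

Flow = Tuple[str, str]            # (source CE, destination CE)
Demand = Dict[Flow, float]        # offered traffic in Mb/s per flow


def police_pipes(pipes: Dict[Flow, float], demand: Demand) -> Dict[Flow, Tuple[float, float]]:
    """Pipe model: each pipe is one-directional and guarantees a rate for exactly one
    (source, destination) pair, so the PE needs the full traffic matrix.
    Returns per flow (guaranteed Mb/s, excess Mb/s above the guarantee)."""
    result: Dict[Flow, Tuple[float, float]] = {}
    for flow, offered in demand.items():
        rate = pipes.get(flow, 0.0)      # no pipe in this direction -> nothing guaranteed
        guaranteed = min(offered, rate)
        result[flow] = (guaranteed, offered - guaranteed)
    return result


def police_hose(icr: Dict[str, float], ecr: Dict[str, float], demand: Demand):
    """Hose model: only per-CE aggregates are committed. ICR bounds everything a CE
    sends regardless of destination; ECR bounds everything it receives regardless of
    source. Returns (ingress excess per CE, egress excess per CE)."""
    sent: Dict[str, float] = defaultdict(float)
    received: Dict[str, float] = defaultdict(float)
    for (src, dst), mbps in demand.items():
        sent[src] += mbps
        received[dst] += mbps
    ingress_excess = {ce: max(0.0, sent[ce] - rate) for ce, rate in icr.items()}
    egress_excess = {ce: max(0.0, received[ce] - rate) for ce, rate in ecr.items()}
    return ingress_excess, egress_excess


def demo():
    # VPN A, pipe model: 7 Mb/s from CE A3 to CE A1 and 10 Mb/s from A3 to A2.
    # The reverse direction A1 -> A3 has no pipe, so its traffic is entirely excess.
    pipes_a = {("A3", "A1"): 7.0, ("A3", "A2"): 10.0}
    demand_a = {("A3", "A1"): 9.0, ("A3", "A2"): 6.0, ("A1", "A3"): 3.0}
    pipe_result = police_pipes(pipes_a, demand_a)

    # VPN B, hose model: site 2 has ICR = ECR = 15 Mb/s; where the traffic goes to or
    # comes from does not matter, only the totals at CE B2.
    demand_b = {("B2", "B1"): 9.0, ("B2", "B3"): 8.0, ("B1", "B2"): 4.0, ("B3", "B2"): 5.0}
    hose_result = police_hose({"B2": 15.0}, {"B2": 15.0}, demand_b)
    return pipe_result, hose_result
```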

3.6 Comparing the characteristics of IPSec-based and MPLS-based VPNs

The layer 3 VPN architecture is chosen by many companies for its wide-area connectivity, scalability, connection options and the ability to develop many kinds of service. No single solution is comprehensive in providing multiple services, however, and the choice between an IPSec-based and an MPLS-based VPN architecture depends very much on each company's specific requirements. This section compares and analyses the basic characteristics of the two architectures.
3.6.1 Evaluation criteria
First we analyse the conditions and criteria for evaluating an enterprise VPN architecture. The criteria focus on availability, security, quality of service, flexibility and manageability.
Availability
A VPN must provide predictable, highly available services for enterprise users and their partners. Customers may require both high network reliability and substantial redundancy. Some service providers offer service level agreements (SLAs) defining the parameters the network can deliver to the customer; an SLA may offer optional service levels for different traffic types to optimise traffic and network cost.
Security
In practice many companies share a service provider's core network, so security is always the top concern. To support it, service providers can offer information-security techniques such as tunnelling, encapsulation, encryption, constrained route distribution, separate routing tables, traffic separation, packet authentication, user authentication and access control.
Quality of service
QoS parameters such as bandwidth, delay, delay variation (jitter) and packet loss rate are the basic factors for evaluating the quality of the service a provider offers its customers. Several QoS models can be applied to a VPN to classify traffic and set the priority of the customer's different traffic flows.

Flexibility
Bandwidth and the connections in a network change constantly over time, and VPN customers' changing bandwidth requirements are no exception. Service providers always pay attention to scaling and changing VPN customers' bandwidth requirements so as to optimise the system and meet quality-of-service requirements flexibly.
Manageability
VPN management spans from the central site to branches scattered in many places, so management features and management cost tend to grow together. The kinds of management service include:
- providing the management environment;
- distributing and installing VPN management software;
- installing security and QoS policies;
- supporting service level agreements;
- supporting other networks over the VPN;
- performing network performance management, fault location and repair, billing, reporting, and adding, removing or changing service functions.
3.6.2 Key characteristics of IPSec-VPN and MPLS-VPN
IPSec-VPN
To protect data across a public network, the IPSec protocol supports the following combination of network security functions:
- identifying and encrypting packets before transmission;
- authenticating packets to ensure data integrity;
- authenticating the origin of packet sources;
- detecting and discarding expired or spoofed packets, and rejecting replayed packets.
IPSec protects IP packets according to a network design that specifies which particular traffic needs protection. IPSec defines how traffic is protected and how the receiving device is controlled. IPSec-based VPNs replace or supplement private networks built on traditional WAN infrastructure such as leased lines, Frame Relay or ATM. The outstanding advantage of IPSec is that it meets network requirements at low cost.
When an enterprise uses an IPSec-VPN, the service provider usually configures IPSec in a hub-and-spoke topology, where every spoke branch maintains a point-to-point connection with the central end. IPSec suits point-to-point and remote-access VPN configurations very well.
Some of the characteristics that lead enterprises to choose an IPSec-VPN solution are:
- IPSec provides a very good security system, supporting enterprises that need security through data encryption and device identification;
- low network deployment cost, because an IPSec-VPN can run over any existing IP network;
- fast service deployment, including adding or removing sites;
- traffic flows branching in a hub-and-spoke pattern.
Typically, VPN users use VPN software to select the appropriate mode for the information they need to send over the network. Once identification succeeds and the IPSec tunnel is established, the user can access applications remotely in a simple way without having to modify a series of parameters at the sites.
With point-to-point connections over an IPSec-VPN, users do not need client software on their computers. A user at a branch starts an application if it exists at the site, or in a session with the centre. After the session is negotiated and identification succeeds, a secure tunnel between the branches and the centre is established independently of user activity.
MPLS-VPN
MPLS provides an intelligent routing environment and high switching performance, as described above. The outstanding advantage of MPLS-VPN is its ability to scale many VPNs on the same core network. Added to this are QoS guarantees, fast fault recovery, path protection and a platform for developing value-added services. Some reasons enterprises choose MPLS-VPN are:
- companies need service level agreements (SLAs);
- security is supported by separating traffic flows, much as in Frame Relay and ATM;
- traffic patterns suit both partial and full-mesh topologies;
- enterprises want to converge many multimedia services on one network;
- enterprises want to develop multicast connections.
The network security aspect of MPLS rests on separating the traffic flows of different VPNs on the same core through the route distinguisher. The distinguished routes guarantee the privacy of an MPLS-VPN much as in a Frame Relay or ATM wide-area network. Providers can design and optimise the network easily because customers need not know the core architecture, and core routers need no information about the customers' edge networks.
MPLS-VPN is highly flexible and adaptable: it does not require full-mesh or peer-to-peer configuration of the endpoints as other models do. MPLS-VPN also supports SLAs well, which is what VPN customers care about most, as it lets performance and resilience requirements be met. In addition, MPLS-VPN supports traffic engineering to meet QoS requirements and supports management policy and optimal traffic distribution for the network.
Table 4.1 below summarises the characteristics of the two VPN solutions, IPSec-based and MPLS-based.
Table 4.1 Comparison of IPSec-VPN and MPLS-VPN

Topology
  MPLS-VPN: point-to-point, hub-and-spoke, full mesh.
  IPSec-VPN: point-to-point, hub-and-spoke, full mesh.

Security / session authentication
  MPLS-VPN: VPN membership is established during service provisioning; access to the service group is defined at configuration time; unauthorised access is refused.
  IPSec-VPN: authentication by digital certificate or pre-shared key; packets that do not match the security policy are discarded.

Privacy
  MPLS-VPN: traffic is separated into distinct flows.
  IPSec-VPN: encryption and suitable tunnelling at the network address layer.

QoS and SLA
  MPLS-VPN: SLAs can be set at several levels; QoS guarantee and traffic engineering techniques are available.
  IPSec-VPN: QoS and SLA are not addressed directly.

Scalability
  MPLS-VPN: highly scalable; no full-mesh or peer configuration required.
  IPSec-VPN: scales in a hub-and-spoke fashion; growth brings a series of challenges in planning, key distribution, key management and configuration of the peer devices.

Point-to-point support
  MPLS-VPN: yes.
  IPSec-VPN: yes.

Remote access support
  MPLS-VPN: yes, when combined with IPSec.
  IPSec-VPN: yes.

Service provisioning
  MPLS-VPN: customer devices and provider edge devices are provisioned once.
  IPSec-VPN: reduces network operating costs through centralised provisioning.

Service deployment
  MPLS-VPN: requires MPLS network elements serving at the core and edge devices of the provider network.
  IPSec-VPN: can be deployed over any existing IP infrastructure.

VPN client software
  MPLS-VPN: not required; users need no software to interact with the network.
  IPSec-VPN: functional software must be installed.


3.7 Chapter summary
In recent years, multiprotocol label switching (MPLS) has been chosen by many countries for building and developing their telecommunications networks. One of the typical applications of MPLS is the MPLS-VPN virtual private network service, which has contributed greatly to the rapid growth of MPLS and opened up many new applications.
This chapter has presented the basic components of MPLS-VPN, the layer 2 and layer 3 MPLS-VPN deployment models, and the key techniques in MPLS-VPN such as routing information distribution, VPN-IP addressing and VPN packet forwarding. It has also touched on the security and quality-of-service aspects of MPLS-VPN, and closed with an analysis and comparison of the main characteristics of the IPSec-based and MPLS-based VPN solutions.
This material should help the reader grasp the basic issues of MPLS-VPN, its main advantages and disadvantages, the capabilities it offers, and the problems to be solved when deploying and applying the technology. Deploying VPN technology over MPLS promises many new benefits and is set to be the ideal solution for virtual private networks in the future.


CHAPTER 5

VPN DEPLOYMENT AND APPLICATIONS


In today's trend towards globalised commercial activity, organisations and enterprises with many branches, and multinational companies, constantly need to exchange information with their customers, partners and staff. With VPN solutions deployed, this need is met without much difficulty: a company's branches and mobile staff anywhere in the world can contact headquarters at any time and place, ensuring they have the latest and most accurate information while working.
This chapter introduces the models for implementing VPNs and the current state of VPN deployment and use in Vietnam.
The chapter covers:
- VPN deployment models
- VNPT's MPLS-based VPN solution
- The MegaWAN service model


4.1 VPN deployment models

VPN technology has been and is being deployed vigorously throughout the world, including Vietnam. Many models have been proposed, mostly based on layer 2 and layer 3. The following are some of the most recent deployment models implemented over MPLS.
The ISP-as-customer model
In this model, Internet service providers (ISPs) are customers of the VPN. Like other customers, an ISP may be located at a central site that aggregates and becomes a point of presence (POP), or at a system supporting direct connections. To implement this model, the network must configure some dedicated routes to guarantee quality of service for the ISPs. With the help of layer 2 technologies such as very-high-bandwidth optical transmission, treating ISPs as VPN customers reduces the complexity of connections as the number of customers grows continually.
The BGP routing procedures route for CE and PE through the extension of MPLS to the CE. The extension allows an LSP to be created from the CE route to the PE route. The boundaries of the routes, together with the addresses, are then carried in BGP's next-hop attributes. The PE router advertises label bindings to the customer CE routers. When the CE router builds its database tables, it uses BGP information to determine the addresses of the BGP next hops together with the other transmission steps.
The MPLS-VPN-provider-as-customer model
In this model, MPLS-VPN service providers are themselves treated as VPN customers. As a customer, the MPLS-VPN provider must be fully configured to connect all the VPN provider's VPN-IP routes. All VPN-IP routes are treated as external routes, just as from an ISP. The main difference between the ISP-as-customer case and the MPLS-VPN-provider-as-customer case is that the ISP customer's external routes are IP routes, whereas the MPLS-VPN customer's external routes are VPN-IP routes.
When all sites of a VPN are connected in the same way as the MPLS-VPN provider, and these sites also want connections to several other MPLS-VPN providers, a multi-link provider operation is needed to avoid the growing complexity in the network when all the traffic is generated by the edge routes. The multi-link provider solution allows VPN service to be offered to MPLS-VPN customers over internal and external routes based on BGP.

4.2 VNPT's MPLS-based VPN solution

In Vietnam, MPLS is being built into the transport network of the Vietnam Posts and Telecommunications Group (VNPT). Under the NGN project now in progress, VNPT has set up an MPLS backbone with 3 core LSRs. Edge LSRs have been and are being deployed at many high-demand locations nationwide. On this MPLS core, VNPT currently offers MPLS-VPN service to enterprise customers that need it. VNPT's model for providing layer 3 VPN service over the MPLS network is shown in figure 5.1.

Figure 5.1 VNPT's model for providing VPN service over the MPLS network
Voice and data traffic in the virtual LAN is directed to the VRF at the branch office routers and then carried over the WAN to the other remote sites. For additional security, this solution can use IPSec. Internal routing can also be configured so that if one of the main links fails, all traffic can be rerouted over alternative paths, keeping sessions continuous for all users.
VNPT's MPLS-based VPN/VNN solution uses a local loop connection (the segment from the customer's side to VDC's MPLS POP) over a high-speed leased channel (figure 5.2).


Figure 5.2 VNPT's MPLS-VPN connection solution


Unlike Internet VPN technologies (PPTP, L2TP, IPSec), the tunnelling mechanism here is established entirely within the MPLS backbone. Each VPN connection sets up a separate tunnel through the label assignment and IP packet forwarding mechanism. Each VPN connection receives only a single label value, supplied by the MPLS routing devices in the network, so the tunnels in the MPLS backbone are completely separate. Because the core network addresses are hidden, attacks such as DDoS, IP spoofing or label spoofing are very hard to carry out.

4.3 The MegaWAN service model

VNPT's MegaWAN service provides private network connectivity for customers over IP/MPLS. MegaWAN connects an enterprise's computer networks (offices, branches, remote collaborators, ...) at different geographical locations into a single, reliable network using xDSL broadband links. The network model for this service is shown in figure 5.3.

Figure 5.3 Network model for the MegaWAN service


Using the MPLS-VPN solution lets connections be deployed quickly, simply and conveniently at low cost. MegaWAN also allows both VPN access and Internet access if the customer requires it: it supports broadband Internet access through the VNN network provided by VNPT, giving customers high-speed Internet access based on asymmetric digital subscriber line (ADSL) technology.
The edge router used in the MegaWAN network is the ERX-1410. These systems support MPLS-VPN so as to deliver traffic securely to different destinations. The ERX system also lets the service provider plan different development tiers and supports classifying the traffic on the line of each subscriber. In the ERX, voice is the first priority, followed by the data of large subscribers (companies or corporations) and then the data of individual customers.

4.4 Chapter summary
Today VPNs are deployed widely throughout the world and have become an indispensable solution for large companies with many branches. Depending on the specific conditions and requirements, VPNs can be deployed according to many different models. This chapter has presented the models for implementing VPNs and the practical deployment and use of VPN technology in Vietnam. With its MPLS core network in operation, VNPT is the first telecommunications operator in Vietnam to offer MPLS-VPN service to enterprise customers.
VNPT's MPLS-VPN solution with the MegaWAN service model has achieved encouraging initial results. Given that Vietnam's telecommunications network is regionalised and stretches from North to South, VPN is a suitable solution that brings many benefits to enterprises subscribing to the service. Although VPN deployment in practice is affected by many factors beyond the technical ones, VPN remains a very promising technology that will certainly be applied widely in the coming years.


ABBREVIATIONS
Abbreviation - English term - Meaning

3DES - Triple DES - triple DES encryption algorithm
AA - Access Accept - access accepted
AAA - Authentication, Authorization and Accounting - authentication, authorisation and accounting
AC - Access Control - access control
ACL - Access Control List - access control list
ADSL - Asymmetric Digital Subscriber Line - asymmetric digital subscriber line
AH - Authentication Header - authentication header protocol
ARP - Address Resolution Protocol - address resolution protocol
ATM - Asynchronous Transfer Mode - asynchronous transfer mode
BGP - Border Gateway Protocol - border gateway routing protocol
CA - Certificate Authority - certification authority
CBC - Cipher Block Chaining - cipher block chaining mode
CHAP - Challenge-Handshake Authentication Protocol - challenge-handshake authentication protocol
DCE - Data Communication Equipment - data communication equipment
DES - Data Encryption Standard - DES encryption algorithm
DH - Diffie-Hellman - Diffie-Hellman key exchange protocol
DLCI - Data Link Connection Identifier - data link connection identifier
DNS - Domain Name System - domain name system
DSL - Digital Subscriber Line - digital subscriber line
DTE - Data Terminal Equipment - data terminal equipment
EAP - Extensible Authentication Protocol - extensible authentication protocol
ECB - Electronic Code Book Mode - electronic codebook mode
ESP - Encapsulating Security Payload - secure payload encapsulation protocol
FCS - Frame Check Sequence - frame check sequence
FR - Frame Relay - frame relay
FTP - File Transfer Protocol - file transfer protocol
GRE - Generic Routing Encapsulation - generic routing encapsulation
HMAC - Hashed-keyed Message Authentication Code - hashed message authentication code
ICMP - Internet Control Message Protocol - Internet control message protocol
ICV - Integrity Check Value - integrity check value
IETF - Internet Engineering Task Force - Internet technical standards body
IKE - Internet Key Exchange - Internet key exchange
IKMP - Internet Key Management Protocol - Internet key management protocol
IP - Internet Protocol - Internet protocol
IPSec - IP Security Protocol - Internet security protocol
ISAKMP - Internet Security Association and Key Management Protocol - Internet security association and key management protocol
ISO - International Standard Organization - international standardisation organisation
ISP - Internet Service Provider - Internet service provider
IV - Initial Vector - initialisation vector
L2F - Layer 2 Forwarding - layer 2 forwarding protocol
L2TP - Layer 2 Tunneling Protocol - layer 2 tunnelling protocol
LAN - Local Area Network - local area network
LCP - Link Control Protocol - link control protocol
MAC - Message Authentication Code - message authentication code
MD5 - Message Digest 5 - MD5 message digest algorithm
MTU - Maximum Transfer Unit - maximum transfer unit
NAS - Network Access Server - network access server
NGN - Next Generation Network - next generation network
NSA - National Security Agency - United States national security agency
OSI - Open System Interconnection - open systems interconnection model
OSPF - Open Shortest Path First - shortest-path routing protocol
PAP - Password Authentication Protocol - password authentication protocol
PDU - Protocol Data Unit - protocol data unit
PKI - Public Key Infrastructure - public key infrastructure
POP - Point of Presence - point of presence
PPP - Point to Point Protocol - point-to-point protocol
PPTP - Point to Point Tunneling Protocol - point-to-point tunnelling protocol
PSTN - Public Switched Telephone Network - public switched telephone network
RADIUS - Remote Authentication Dial-in User Service - remote dial-in user authentication service
RARP - Reverse Address Resolution Protocol - reverse address resolution protocol
RAS - Remote Access Service - remote access service
RFC - Request for Comment - IETF standards document on the Internet
RSA - Rivest-Shamir-Adleman - a public-key cryptographic algorithm
SA - Security Association - security association
SAD - SA Database - security association database
SHA-1 - Secure Hash Algorithm-1 - SHA-1 hash algorithm
SN - Sequence Number - sequence number
SPI - Security Parameter Index - security parameter index
TCP - Transmission Control Protocol - transmission control protocol
TLS - Transport Layer Security - transport layer security
UDP - User Datagram Protocol - user datagram protocol
VPN - Virtual Private Network - virtual private network

Mng ring o

Wide Area Network

Mng din rng

U
UDP
V
VPN
W
WAN

Chng trnh bi dng kin thc IP v NGN cho k s TVT ca VNPT

91
