FOREWORD
With a comprehensive, technology-leading development strategy aimed at building great capacity, competitiveness in quality and diversity of services, low cost and high labour productivity, Vietnam Posts and Telecommunications Group (VNPT) has a strategy and plan to migrate its digital telecommunications network to the Next Generation Network (NGN).
The NGN has a single information infrastructure based on packet-switching technology, deploys services quickly and in many forms, and supports the convergence of voice and data and of fixed and mobile, building on the advances of information technology, the advantages of packet switching in general and IP in particular, and broadband optical transmission. The structure of the next generation network and its operating principles differ fundamentally from the structure of today's PSTN. Telecommunications engineers and technical staff therefore need training that updates their knowledge of this new technology; only then will they have the ability and skills to operate, manage and deploy telecommunications services safely and efficiently.
The Group's training program for electronics and telecommunications engineers on IP and NGN technology was built to provide the basic knowledge and skills related to IP and NGN technology to the technical staff who directly manage and operate equipment in the field, in order to meet the Group's requirements for migrating its network technology and telecommunications services.
This document, Virtual Private Networks, consists of 5 chapters and introduces the basic technical issues involved in building a VPN, VPN solutions based on IPSec and MPLS, and the current state of VPN deployment in practice.
Chapter 1 introduces the basic concepts of VPN and the functions and characteristics of a VPN, which serve as the basis for classifying VPNs and presenting the advantages and the difficulties of using each type of VPN.
Chapter 2 presents the tunneling protocols used for VPNs and analyses their operation, their characteristics and their applicability in the various VPN models.
Chapter 3 presents the IPSec security protocol and a number of technical issues related to implementing VPN over IPSec, such as the encryption standards, the tools for checking information integrity, the authentication algorithms and the techniques for key management and exchange.
Chapter 4 presents VPN models over MPLS, the components and operation of MPLS-VPN, and the issues of connection control, security and QoS in MPLS-VPN. This chapter also compares the characteristics and applicability of the two VPN solutions, IPSec-based and MPLS-based.
IP and NGN knowledge training program for VNPT telecommunications engineers
VIRTUAL PRIVATE NETWORKS
TABLE OF CONTENTS
FOREWORD
TABLE OF CONTENTS
LIST OF FIGURES
CHAPTER 1 - GENERAL INTRODUCTION TO VPN
1.1 The VPN concept
1.2 Functions, advantages and disadvantages of VPN
1.2.1 Functions
1.2.2 Advantages
1.2.3 Disadvantages and issues to be overcome
1.3 VPN models
1.3.1 Overlay model
1.3.2 Peer-to-peer model
1.4 VPN classification and applications
1.4.1 Remote-access VPN
1.4.2 Point-to-point VPN
1.4.3 VPN applications
1.5 Chapter summary
CHAPTER 2 - TUNNELING PROTOCOLS
2.1 Introduction to tunneling protocols
2.2 Layer 2 Forwarding protocol (L2F)
2.2.1 L2F packet structure
2.2.2 L2F operation
2.2.3 Advantages and disadvantages of L2F
2.3 Point-to-Point Tunneling Protocol (PPTP)
2.3.1 Overview of PPTP operation
2.3.2 Tunnel maintenance over the PPTP control connection
2.3.3 PPTP tunnel data encapsulation
2.3.4 Data processing at the PPTP tunnel endpoint
2.3.5 Deploying VPN based on PPTP
2.3.6 Advantages, disadvantages and applicability of PPTP
2.4 Layer 2 Tunneling Protocol (L2TP)
2.4.1 Overview of L2TP operation
2.4.2 Tunnel maintenance with L2TP control messages
2.4.3 L2TP tunnel data encapsulation
2.4.4 Data processing at the L2TP tunnel endpoint over IPSec
2.4.5 Deploying VPN based on L2TP
2.4.6 Advantages, disadvantages and applicability of L2TP
2.5 Chapter summary
CHAPTER 3 - VIRTUAL PRIVATE NETWORKS OVER IPSec
3.1 Introduction to IPSec
Figure 5.1 Model of VPN service provision over VNPT's MPLS network
Figure 5.2 VNPT's MPLS-VPN connection solution
Figure 5.3 Network model providing the MegaWAN service
CHAPTER 1
... is that SSL/TLS can work through a firewall that uses a NAT address translation table, whereas IPSec cannot. But if both protocols work through the firewall, addresses cannot be translated.
IPSec encrypts all IP traffic exchanged between two computers, whereas SSL/TLS is placed in a single application. SSL/TLS uses asymmetric encryption functions to set up the connection, and it protects more effectively than using symmetric encryption functions.
In practical applications, the administrator can decide to combine and chain the protocols to produce the best balance between performance and network security. For example, clients can connect to a Web server through a firewall using a secure SSL/TLS path, the Web server can connect to an application service using IPSec, and the application service can connect to a database through other firewalls that also use SSL.
Intranet VPN
Extranet VPN
1.5 Chapter summary
A VPN is defined as a network that connects customer sites securely over a shared network infrastructure, with access control and security policies like those of a private network. Although it is built on the existing infrastructure of the public network, a VPN has the properties of a local network, as if leased lines were used. It connects the branches of a company with each other and with partners, and provides control over the access rights of customers, service providers or other outside parties.
The range of VPN applications is very large. According to the forecasts of many vendors around the world, VPN will be a strongly growing service in the future. Becoming acquainted with this new technology is therefore clearly essential. This chapter presented the basic concepts of VPN, the functions and characteristics of a VPN, the models for building a VPN, and the classification of VPNs by form and by scope of application. The material is deliberately general, to give the reader an overview of VPN. The technical issues of implementing a VPN are presented in the following chapters.
CHAPTER 2
TUNNELING PROTOCOLS
... remote access. L2F provides a solution for virtual dial-up service by establishing a secure tunnel through a public infrastructure such as the Internet. It encapsulates PPP packets in the L2F format and tunnels them at the data link layer.
1.6.1 L2F packet structure
The L2F packet format is structured as shown in figure 2.1.
[Figure 2.1: L2F packet format. Header bit fields as labelled in the figure: four 1-bit flag fields (the last labelled S), an 8-bit Reserved field, a 1-bit field, a 3-bit Version field, an 8-bit Protocol field and an 8-bit Sequence field, followed by the Multiplex ID, Client ID, Length, Offset, Key, Data and Checksum fields.]
Encapsulation diagram
Figure 2.5 is an example of PPTP encapsulation from a workstation over a remote-access VPN connection using an analogue modem.
... an IP network that reaches the L2TP server, or indirectly by dialling into a network access server (NAS) to establish the IP connection. Authentication during the formation of the L2TP tunnel must use the authentication mechanisms of the PPP connection, such as EAP, MS-CHAP, CHAP or PAP. The L2TP server is an IP-VPN server that uses the L2TP protocol, with one interface connected to the Internet and another connected to the Intranet.
L2TP uses two kinds of messages: control and data. Control messages are responsible for establishing, maintaining and tearing down tunnels. Data messages encapsulate the PPP frames carried over the tunnel. Control messages use a reliable control mechanism inside L2TP to guarantee delivery, whereas data messages are not retransmitted when they are lost on the link.
1.8.2 Tunnel maintenance with L2TP control messages
Unlike PPTP, L2TP tunnel maintenance is not carried out over a separate TCP connection. Control and call-maintenance traffic is sent as UDP messages between the L2TP client and the L2TP server (both use UDP port 1701).
L2TP control messages over an IP network are sent as UDP packets. The UDP packet is in turn encrypted by IPSec ESP, as shown in figure 2.7.
Although L2TP runs mainly over IP networks, its ability to run over other network technologies such as Frame Relay or ATM makes it more widely used. L2TP allows a large number of remote customers to connect to the VPN, as well as high-capacity LAN-to-LAN connections. L2TP has a flow-control mechanism that reduces congestion on the L2TP tunnel.
The choice of an L2TP service provider can vary according to the requirements of the network design. If the VPN design requires end-to-end encryption, L2TP-compatible clients must be installed at the remote stations, and the ISP must agree to handle encryption from the remote machine all the way to the VPN server. If the network is built with a lower security level, higher fault tolerance, and data only needs protecting while it travels in the tunnel over the Internet, then the ISP is asked to support a LAC and to encrypt the data only on the segment from the LAC to the LNS of the private network.
L2TP allows several tunnels to be established between the same LAC and LNS. Each tunnel can be assigned to a specific user or a group of users, and to different environments according to the user's quality of service (QoS) attributes.
1.9 Chapter summary
The level of security assurance for data transmitted over the network depends largely on the enterprise's VPN implementation. Chapter 2 focused on the technical issues of virtual private network solutions that use tunnels. Tunneling plays a very important role in deploying VPNs over the public telecommunications network. The tunneling protocols introduced here are L2F, PPTP and L2TP. Each protocol was presented in some detail, from the data encapsulation scheme, the operating principle and the processing of data at the tunnel endpoint to the characteristics of deployment in practice. The presentation also analysed the properties, advantages and disadvantages of each protocol in order to show clearly their capabilities and scope of application.
CHAPTER 3
IPSec can use the Internet Key Exchange protocol (IKE) to authenticate the two parties, negotiate security and authentication policies by determining the algorithms used to set up the channel, and exchange keys for each connection session and for use in each access session. A network that uses IPSec to protect data flows can automatically verify the authenticity of devices using the digital certificates of the two users exchanging information. This negotiation finally leads to the establishment of a security association (SA) between the security peers.
The security association (SA) contains the set of policies, parameters, algorithms and protocols for encapsulating data between the parties taking part in an IPSec session. At each end of the IPSec tunnel, the SA is used to determine which traffic needs IPSec processing, which security protocol is used (AH or ESP), and which algorithms and keys are used for encryption and authentication. Security association information is stored in the security association database, and the combination of a destination address and a security protocol identifies exactly one SA.
IPSec was developed for the next IP protocol suite, IPv6, but because IPv6 deployment was slow and IP packets needed protection, IPSec was adapted to IPv4. IPSec support is optional in IPv4 but built into IPv6. IPSec is the choice for overall VPN security and the optimal option for corporate networks. It ensures reliable communication over public IP networks for VPN applications.
Transport mode
Tunnel mode
Introduction
The Authentication Header protocol (AH) was defined in RFC 1826 and later revised in RFC 2402. AH provides data origin authentication, data integrity checking and an anti-replay service. Two of these concepts, data integrity and anti-replay, need clarifying. Data integrity checks each IP packet for changes, without regard to the position of the packet in the traffic flow. The anti-replay service checks whether a packet is delivered to the destination address more than once.
AH authenticates the fields of the IP header as well as the data of the upper-layer protocols. However, because some fields of the IP header change in transit and the sender cannot predict their values on arrival at the receiver, the values of those fields cannot be protected by AH. AH therefore protects only part of the IP header. AH provides no processing to keep upper-layer data confidential; everything is transmitted in clear text. AH is faster than ESP, so AH can be chosen when assurance of data origin and integrity is required but data confidentiality is not a strong requirement.
AH provides authentication by applying a one-way hash function to the packet data to produce an authentication code (a hash or message digest). This code is inserted into the transmitted packet. Any change to the content of the packet in transit is then detected by the receiver, which applies the same one-way hash function to the received packet and compares the result with the authentication code sent with the packet. The hash is computed over the whole packet, except for the fields of the IP header whose values change in transit (for example the packet's time-to-live field, TTL).
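The receiver-side processing just described, as an added example that is not part of the training document: an AH-style keyed hash over the packet with the mutable header fields (TTL, header checksum) zeroed, followed by the anti-replay check. It goes a little beyond the text by showing the sliding-window form of the anti-replay service, which accepts each sequence number at most once and rejects numbers that have fallen behind the window. The IPv4 header bytes, the SA key, the HMAC-SHA-1-96 ICV choice and the window width are assumptions made for the example.

```python
"""Added example: AH-style integrity check and anti-replay window.
Header layout, key and window size are constructed for illustration."""
import hmac
import hashlib
import struct

# Constructed shared key for the SA; the ICV is HMAC-SHA-1 truncated to 96 bits.
SA_KEY = b"constructed-demo-key-for-sa-0x1000"
ICV_LEN = 12        # 96 bits: the leftmost 12 bytes of the HMAC output
WINDOW_SIZE = 32    # constructed anti-replay window width, in sequence numbers


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """Copy of a 20-byte IPv4 header with the fields that change in transit
    (TTL, header checksum) zeroed, as AH requires before the ICV is computed.
    The constructed header keeps the other mutable bits (DSCP/ECN, flags,
    fragment offset) fixed, so they are not zeroed here."""
    hdr = bytearray(ip_header)
    hdr[8] = 0                 # TTL
    hdr[10:12] = b"\x00\x00"   # header checksum
    return bytes(hdr)


def compute_icv(ip_header: bytes, seq: int, payload: bytes) -> bytes:
    """ICV over the immutable header fields, the AH sequence number and the payload."""
    covered = zero_mutable_fields(ip_header) + struct.pack("!I", seq) + payload
    return hmac.new(SA_KEY, covered, hashlib.sha1).digest()[:ICV_LEN]


class AntiReplayWindow:
    """Sliding window over 32-bit sequence numbers: each number is accepted
    at most once, and anything older than the window is rejected."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means (highest - i) has been accepted

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                      # 0 is never valid on a live SA
        if seq > self.highest:                # new high-water mark: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # older than the window
        if self.bitmap & (1 << offset):
            return False                      # already accepted: a replay
        self.bitmap |= 1 << offset
        return True


def verify_packet(ip_header, seq, payload, icv, window) -> str:
    """Receiver side: the ICV must verify before the window is updated, so a
    packet with a bad ICV never advances the window."""
    if not hmac.compare_digest(compute_icv(ip_header, seq, payload), icv):
        return "bad-icv"
    if not window.check_and_update(seq):
        return "replay"
    return "ok"


def demo() -> dict:
    """Constructed traffic: a 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2,
    protocol 51 = AH) and a handful of packets exercising each outcome."""
    hdr = bytes([0x45, 0x00, 0x00, 0x40, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x33,
                 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2])
    window = AntiReplayWindow()
    results = {}
    p1 = b"payload-1"
    icv1 = compute_icv(hdr, 1, p1)
    results["first"] = verify_packet(hdr, 1, p1, icv1, window)
    results["replayed"] = verify_packet(hdr, 1, p1, icv1, window)
    # TTL decremented by a router in transit: still verifies, TTL is excluded.
    hdr_ttl = hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]
    results["ttl-changed"] = verify_packet(hdr_ttl, 2, b"payload-2",
                                           compute_icv(hdr, 2, b"payload-2"), window)
    # Payload altered after the ICV was computed: integrity failure.
    results["tampered"] = verify_packet(hdr, 3, b"payload-X",
                                        compute_icv(hdr, 3, b"payload-3"), window)
    # A much later packet, then one that has fallen behind the 32-packet window.
    verify_packet(hdr, 40, b"payload-40", compute_icv(hdr, 40, b"payload-40"), window)
    results["too-old"] = verify_packet(hdr, 5, b"payload-5",
                                       compute_icv(hdr, 5, b"payload-5"), window)
    return results
```

The window is updated only after the ICV has verified; the order matters, because otherwise a packet with a forged sequence number and a bad ICV could slide the window forward and cause legitimate in-flight packets to be rejected as too old.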
2.2.2.2 AH packet structure
AH processing in transport and tunnel modes
Introduction
The ESP protocol was defined in RFC 1827 and later developed into RFC 2408. Like AH, this protocol was developed entirely for IPSec. ESP is used when confidentiality is required for the IPSec traffic to be transmitted. It provides data confidentiality by encrypting the packets. In addition, ESP also provides data origin authentication, data integrity checking, an anti-replay service and some limited protection of the traffic flow.
The set of services provided by ESP depends on the options chosen when the security association is established; the confidentiality service is provided independently of the other services. However, if the authentication and data integrity services are not used together with it, effective protection is not guaranteed. The authentication and data integrity services always go together. The anti-replay service can only be provided if the authentication service is selected.
Figure 3.7 illustrates the ESP encapsulation mechanism.
The ESP packet structure is shown in figure 3.8. The fields of an ESP packet may be mandatory or optional. Mandatory fields are always present in every ESP packet. The selection of an optional field is defined when the security association is established. The ESP format for a given SA is therefore fixed for the lifetime of that SA.
Figure 3.9 Format of an IPv4 packet before and after ESP processing
The format of an IPv6 packet before and after ESP processing is shown in figure 3.10.
Figure 3.10 Format of an IPv6 packet before and after ESP processing
IPSec can support both AH and ESP in any permitted combination of the two modes, transport and tunnel. For example, tunnel mode can be used to encrypt and authenticate the packets and their headers, and then AH or ESP, or both, can be applied in transport mode to protect the newly created header. AH and ESP cannot be used together in tunnel mode because ESP has an optional authentication mechanism; that option is used in tunnel mode when packets need both encryption and authentication.
2.2.3.4 Encryption with ESP
Encryption algorithms
The encryption algorithms are determined by the SA. ESP works with symmetric encryption algorithms. Because IP packets may arrive out of order, each packet must carry the information the receiver needs to establish cryptographic synchronization for decryption. This data may be specified in the Payload field, for example as initialization vectors (IV), or derived from the packet header. Thanks to the Padding field, the encryption algorithms used with ESP may have block or stream characteristics. Because the confidentiality service is optional, an encryption algorithm is not mandatory.
The authentication algorithms used to compute the ICV are determined by the SA. For point-to-point communication, suitable authentication algorithms are one-way hash functions (MD5, SHA-1). Because the authentication service is optional, an authentication algorithm is not mandatory.
The following algorithms may be used with ESP:
Combining security associations
[Figure: three diagrams of combined security associations, each showing Host 1, Security gateway 1, Internet, Security gateway 2 and Host 2; the third is labelled Security association 1.]
Step one
... shows crypto access control operating according to the ACL when Permit and Deny statements are applied at the source and the destination.
Step two
Step three
Step four
After IKE phase two and Quick Mode have established the IPSec security association (IPSec SA), traffic can be exchanged between the IP-VPN parties through a secure tunnel (figure 3.18). Packet processing (encryption, decryption, encapsulation) depends on the parameters established for the SA.
Tunnel termination
2.4.1 Encryption
Messages can be encrypted when the ESP protocol is used. Encrypting messages allows information to be sent over a public network without fear of the data being compromised. Some basic standards for data encryption are DES (Data Encryption Standard) with a 56-bit key, 3DES (Triple DES) with a 168-bit key, and AES (Advanced Encryption Standard) with a 128-, 192- or 256-bit key. These algorithms use one key to both encrypt and decrypt information.
DES
DES is the standard data encryption method for a number of VPN solutions. Developed by IBM in 1977, DES applies a 56-bit key to 64 bits of data and was one of the strong encryption techniques. It was considered unbreakable at the time, but later faster computers broke DES in a short time (less than a day), so DES is not used in the long term for high-security applications.
DES-CBC is one of the many modes of DES. CBC (Cipher Block Chaining) requires an initialization vector (IV) to start encryption. IPSec ensures that both VPN peers have the same IV and shared secret key. The shared secret key is fed into the DES algorithm to encrypt the 64-bit blocks into which the plaintext is divided. The plaintext is converted into ciphertext and passed to ESP for transmission to the other side. In the reverse process, the shared secret key is used to recover the plaintext.
3DES
3DES is a variant of DES. It is so named because it performs three encryption operations. 3DES uses an encryption operation, a decryption operation and another encryption operation, each with a different 56-bit key. The three operations give a combined 168-bit key, providing strong encryption. All Cisco VPN products and software support 3DES with a 168-bit key as well as 56-bit DES.
AES
Several reputable organizations proposed algorithms for AES, such as MARS (IBM), RC6 (RSA), Twofish (Bruce Schneier) and Rijndael (Joan Daemen/Vincent Rijmen). In 2000, NIST (the US National Institute of Standards and Technology) chose the Rijndael algorithm, an improved 10-round substitution-permutation network, for the AES standard.
In the future, AES will be the symmetric block cipher standard and will be implemented in both hardware and software. AES is designed so that the key length can be increased when necessary. The AES data block length is 128 bits, while the key length can be 128, 192 or 256 bits.
2.4.2 Message integrity
... authentication. The host then recomputes the 128-bit message digest but uses only the leftmost 96 bits to compare with the value stored in the authentication field.
MD5 produces a shorter message digest than SHA-1; it is considered less secure but performs better. However, MD5 without HMAC is the weaker choice for security services.
Secure Hash Algorithm (SHA)
The Secure Hash Algorithm (SHA) is described in RFC 2404. SHA-1 produces a 160-bit message digest and uses a 160-bit secret key. In some products, the leftmost 96 bits of the message digest are placed in the authentication field. The receiver recomputes the 160-bit message digest using the 160-bit secret key and compares only the leftmost 96 bits with the message digest carried in the authentication field.
The SHA-1 message digest is longer and more secure than MD5. This is considered quite secure, but if a high level of assurance of message integrity is needed, the HMAC-SHA-1 algorithm can be chosen.
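The digest lengths and the 96-bit truncation described above, as an added example (not the training document's own code): it computes HMAC-MD5 and HMAC-SHA-1 over a message, keeps only the leftmost 96 bits for the authentication field, verifies them as a receiver would, and contrasts this with an unkeyed MD5 check to show why the keyed form (HMAC) is needed for origin authentication. The key and message are constructed; the 96-bit truncation is the HMAC-MD5-96 and HMAC-SHA-1-96 convention the text describes.

```python
"""Added example: truncated HMAC authentication data for AH/ESP.
Key and message are constructed for illustration."""
import hmac
import hashlib

TRUNC_BYTES = 12   # 96 bits go into the Authentication Data field


def full_digest_bits(algo: str) -> int:
    """Length of the untruncated digest: 128 bits for MD5, 160 for SHA-1."""
    return hashlib.new(algo).digest_size * 8


def auth_data(key: bytes, data: bytes, algo: str) -> bytes:
    """Keyed hash (HMAC) over the data, keeping only the leftmost 96 bits."""
    return hmac.new(key, data, algo).digest()[:TRUNC_BYTES]


def verify(key: bytes, data: bytes, algo: str, received: bytes) -> bool:
    """Receiver: recompute the full HMAC, truncate, compare in constant time."""
    return hmac.compare_digest(auth_data(key, data, algo), received)


def unkeyed_verify(data: bytes, received: bytes) -> bool:
    """Plain MD5 without HMAC: no secret enters the computation."""
    return hashlib.md5(data).digest() == received


def demo(key: bytes = b"constructed-sa-auth-key") -> dict:
    msg = b"constructed ESP payload"
    tag_md5 = auth_data(key, msg, "md5")
    tag_sha1 = auth_data(key, msg, "sha1")
    return {
        "md5_bits": full_digest_bits("md5"),
        "sha1_bits": full_digest_bits("sha1"),
        "tag_bytes": (len(tag_md5), len(tag_sha1)),
        "verify_ok": verify(key, msg, "sha1", tag_sha1),
        "verify_tampered": verify(key, msg + b"!", "sha1", tag_sha1),
        # A tag computed under any other key does not verify.
        "forged_without_key": verify(key, msg + b"!", "sha1",
                                     auth_data(b"not-the-sa-key", msg + b"!", "sha1")),
        # With an unkeyed digest, whoever modifies the data can also recompute
        # a matching digest, so the check no longer proves the data's origin.
        "unkeyed_recomputed_passes": unkeyed_verify(msg + b"!", hashlib.md5(msg + b"!").digest()),
    }
```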
2.4.3 Peer authentication
One of the IKE processes is authenticating the peers. This process takes place in phase one, using a keyed-hash algorithm together with one of the following three kinds of keys:
- Pre-shared keys;
- RSA signatures;
- RSA-encrypted nonces.
Pre-shared keys
Pre-shared key handling is a manual process. The administrators at each end of the IPSec-VPN agree on the key to be used and then enter the key manually into the device, whether a host or a security gateway. This method is simple but is not widely used.
RSA signatures
A digital certificate from a certificate authority (CA) provides the RSA signature at enrolment time. Digital signatures are more secure than shared keys. Once the initial configuration is complete, peers using RSA signatures can authenticate each other without operator intervention.
When an RSA signature is required, a public/private key pair is generated. The host uses the private key to create a digital signature and sends its signature to the other party. The receiver uses the public key to validate the signature received from the sender.
RSA-encrypted nonces
2.7 Chapter summary
Security is one of the most important aspects of the technologies deployed over IP, especially of VPN technology. Mastering and applying the security protocol suite effectively, in order to give service users the best conditions, is the goal of most network designers and operators. The IPSec protocol was developed to solve the problem of securing information transmitted over the Internet and is considered the best protocol for implementing IP-VPN. It is a set of open standards that provide data security and access control services.
This chapter presented the most important characteristics of IPSec and the operation of the related protocols. It also covered the basic technical issues of ensuring secure communication in an IPSec-VPN, such as the encryption standards, the tools for checking information integrity, the authentication algorithms and the techniques for key management and exchange. The chapter closed with an example illustrating the establishment of a VPN connection and some of the issues that arise in implementing VPN over IPSec.
How effectively data transmitted over the network is secured depends largely on the solutions deployed to protect it, the keying tools used, the encryption algorithms and their complexity, and so on. From this chapter the reader should have grasped the basic technical issues of implementing VPN based on IPSec, its advantages and applicability, and the open issues that still need to be solved in the IPSec protocol.
CHAPTER 4
The L3VPN virtual private network architecture is divided into two layers, corresponding to layers 3 and 2 of the OSI model. L3VPN is based on RFC 2547bis, which extends some basic features of the Border Gateway Protocol (BGP) and focuses on the multiprotocol extensions of BGP to distribute routing information across the service provider's backbone and to forward VPN traffic across that backbone.
In the L3VPN architecture, the customer routers and the provider routers are regarded as peers. The customer edge router (CE) provides routing information to the provider edge router (PE). The PE stores the routing information in a VPN routing and forwarding table (VRF). Each VRF entry corresponds to one customer network and is completely isolated from the other customer networks. A VPN user may only access sites or servers within that same private network. The PE router also maintains the ordinary routing tables needed to forward customer traffic across the public network. An MPLS-based L3VPN network configuration is shown in figure 4.3.
... connection-oriented network. In addition, in this solution the end user does not need to configure routing on the customer routers (CE).
However, L2VPN does not scale as easily as L3VPN. A full mesh of LSPs must be used to connect the VPNs in the network. Moreover, L2VPN cannot route automatically between sites. Which of the two models is used therefore depends on the MPLS network configuration and the specific requirements.
The better solution is therefore for customer routing information to be carried by a routing protocol running between the PE routers, with the P routers taking no part in this routing. This solution is highly effective because it scales: the number of routing protocol sessions between the PE routers does not grow with the number of customers, and the P routers carry no information about customer routes.
When the number of customers is large, the routing protocol chosen is BGP, because it can support a very large number of routes. Like BGP, the EIGRP and IS-IS protocols can carry routing information for several address families, but IS-IS and EIGRP do not scale because they cannot carry as many routes as BGP. BGP was designed to exchange routing information between routers that are not directly connected, and this property allows routing information to be held at the edge devices without exchanging it with the core routers of the provider network. The BGP used in MPLS-VPN is called Multiprotocol BGP (MP-BGP).
3.3.2 VPN-IP addresses
Deploying BGP to exchange all customer routes between the PE routers raises the question of how BGP can carry prefixes that belong to different customers between the PE routers. BGP uses IP addresses to choose one path among all the possible paths to a destination. BGP therefore cannot work correctly if customers use the same address space.
The only solution to this problem is to extend the customer's IP address prefix so that the address becomes unique even when addresses overlap. In addition, it must be ensured that the policy used to decide which of the routes BGP uses can exist only in a single VRF table.
Extending the VPN customer's IP address prefix leads to a new concept, the VPN-IP address. A VPN-IP address is created by concatenating two fixed-length components: the Route Distinguisher field and the underlying IP address (figure 4.5).
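The construction of VPN-IP addresses described above, as an added example that is not part of the training document: a Route Distinguisher is encoded in its fixed 8-byte form and prepended to the 4-byte IPv4 address, and a table is built the way a PE would advertise VRF routes into MP-BGP, so that three customers using the same 10.1.1.0/24 prefix still produce distinct entries. The RD values, the VRF names and the customer prefixes are constructed; the two RD encodings (ASN:number and IPv4-address:number) are the standard type 0 and type 1 formats, which the text does not detail.

```python
"""Added example: VPN-IPv4 addresses = 8-byte Route Distinguisher + IPv4.
RDs, VRF names and prefixes are constructed for illustration."""
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Encode an RD written as 'ASN:nn' (type 0) or 'A.B.C.D:nn' (type 1)
    into its 8-byte wire form: a 2-byte type, then 6 bytes of value."""
    admin, assigned = rd.rsplit(":", 1)
    if "." in admin:   # type 1: 4-byte IPv4 administrator, 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    # type 0: 2-byte ASN administrator, 4-byte assigned number
    return struct.pack("!HHI", 0, int(admin), int(assigned))


def vpnv4_address(rd: str, ipv4: str) -> bytes:
    """VPN-IPv4 address: the 8-byte RD followed by the 4-byte IPv4 address."""
    return encode_rd(rd) + ipaddress.IPv4Address(ipv4).packed


def build_vpnv4_table(vrf_routes: dict) -> dict:
    """vrf_routes maps VRF name -> (RD, [IPv4 prefixes]).  Returns a table keyed
    by (12-byte VPN-IPv4 address, prefix length), as a PE would advertise the
    routes into MP-BGP.  Overlapping customer prefixes stay distinct because
    their RDs differ."""
    table = {}
    for vrf, (rd, prefixes) in vrf_routes.items():
        for p in prefixes:
            net = ipaddress.IPv4Network(p)
            table[(vpnv4_address(rd, str(net.network_address)), net.prefixlen)] = vrf
    return table


def demo() -> dict:
    routes = {  # constructed: three customers, two of them reusing 10.1.1.0/24
        "VRF_A": ("65000:100", ["10.1.1.0/24", "192.168.10.0/24"]),
        "VRF_B": ("65000:200", ["10.1.1.0/24"]),
        "VRF_C": ("203.0.113.1:7", ["10.1.1.0/24"]),   # type 1 RD
    }
    table = build_vpnv4_table(routes)
    plain = {p for _, prefixes in routes.values() for p in prefixes}
    return {
        "distinct_plain_prefixes": len(plain),   # only 2: the 10.1.1.0/24s collide
        "vpnv4_entries": len(table),             # 4: every route is unique
        "rd_a_hex": encode_rd("65000:100").hex(),
        "rd_c_hex": encode_rd("203.0.113.1:7").hex(),
        "addr_hex": vpnv4_address("65000:100", "10.1.1.0").hex(),
        "addr_len": len(vpnv4_address("65000:100", "10.1.1.0")),
    }
```

The RD only makes routes unique inside BGP; which VRF at a remote PE imports a route is decided separately by route-target policy, which is why the text insists that the selection policy lives in a single VRF.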
... at the egress PE router, the customer's IP packet carries no information about the VPN or the VRF that would let the router perform a VRF lookup, so the packet may be lost.
A better method for forwarding the packets is to use a label stack (figure 4.8).
Figure 4.9 Forwarding of VPN data across the MPLS network
Suppose a label switched path (LSP) has been set up between PE1 and PE2, and Host 1 wants to send data to Host 2. Host 1 sends the packet to router CE1. CE1 encapsulates the packet and forwards it to PE1. PE1 receives the packet and, based on the interface it arrived on, decides to use the forwarding table of VRF A to route it. PE1 looks up the destination address of Host 2 in the forwarding table of VRF A and finds it there. PE1 pushes label 16 onto the packet. This is the inner label, which identifies the VRF on router PE2. Label 16 had previously been sent from PE2 to PE1 over the MP-iBGP session.
Next, PE1 pushes label 21 onto the packet and forwards the labelled packet to router P1. Label 21 is placed on the label stack above label 16, so label 21 is the outer label and will be changed on each segment between two label switching routers (LSRs). P1 receives the packet from PE1 and looks up label 21 in its forwarding table. It decides to swap label 21 for label 19 and forwards the packet to P2. P2 receives the packet and looks up label 19 in its forwarding table. The lookup indicates that it must swap label 19 for label 46 and forward the packet to PE2.
PE2 receives the packet from P2 and examines label 46. PE2 recognises that it is the egress router of the LSP, so it pops label 46. It then examines the next label, 16, and determines that the packet belongs to VRF A. The packet's IP address is looked up in VRF A to determine the destination and the outgoing interface. PE2 forwards the packet to CE6. CE6 receives the IP packet from PE2 and examines the destination address of Host 2. From here on, routing is performed by the ordinary IGP routing protocols.
The system model above has two virtual private networks, VPN A and VPN B. VPN A consists of CE1, CE5 and CE6. VPN B consists of CE2, CE3 and CE4. CE1 has traffic destined for CE5 and CE6. Because these sites belong to the same VPN, PE1 uses the same forwarding table, VRF A. The inner label identifies the destination VRF and is the same in all packets belonging to that VPN, even if the packets are forwarded to different sites. CE2 and CE3 have traffic destined for CE4. Because these routers belong to VPN B, PE1 uses a different forwarding table for this VPN, VRF B. However, both VPNs use the same LSP, because they share the same ingress router PE1 and egress router PE2.
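The label-stack walkthrough above, replayed as an added example that is not part of the training document: a small simulation of PE1's VRF lookup and two-label push, the swaps at P1 and P2, and the pop and VRF lookup at PE2. The label values (16, 21, 19, 46), the routers and VRF A are taken from the text; the host prefixes, the CE-to-VRF interface mapping and the inner label for VRF B (17) are constructed so that the example can also show VPN B traffic sharing the same LSP with a different inner label.

```python
"""Added example: two-level label stack forwarding across an MPLS-VPN core.
Prefixes, the CE/VRF mapping and VRF B's label (17) are constructed."""
import ipaddress

# PE1 VRF forwarding tables: prefix -> (inner VPN label learned via MP-iBGP, egress PE)
PE1_VRF = {
    "VRF_A": {"10.2.0.0/16": (16, "PE2")},   # constructed: Host 2 sits behind CE6
    "VRF_B": {"10.2.0.0/16": (17, "PE2")},   # constructed: VPN B's label for PE2's VRF B
}
PE1_LSP = {"PE2": 21}                                   # outer label of the LSP PE1 -> PE2
PE1_INTERFACES = {"CE1": "VRF_A", "CE2": "VRF_B", "CE3": "VRF_B"}   # ingress CE -> VRF

# Core LFIBs: incoming label -> (action, outgoing label, next hop)
LFIB = {
    "P1": {21: ("swap", 19, "P2")},
    "P2": {19: ("swap", 46, "PE2")},
    "PE2": {46: ("pop", None, None)},        # PE2 is the LSP egress
}
# PE2: inner label -> VRF, and per-VRF table: prefix -> outgoing CE
PE2_VRF_BY_LABEL = {16: "VRF_A", 17: "VRF_B"}
PE2_VRF = {"VRF_A": {"10.2.0.0/16": "CE6"}, "VRF_B": {"10.2.0.0/16": "CE4"}}


def lookup(table: dict, dst: str):
    """Longest-prefix match of dst in a {prefix: value} table."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for prefix, value in table.items():
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return best[1] if best else None


def forward(ingress_ce: str, dst: str) -> list:
    """Trace a packet from a CE through PE1, P1, P2 and PE2, recording the
    label stack (top first) after each hop's action."""
    trace = []
    vrf = PE1_INTERFACES[ingress_ce]                 # chosen by incoming interface
    inner, egress_pe = lookup(PE1_VRF[vrf], dst)     # VRF lookup gives the VPN label
    stack = [PE1_LSP[egress_pe], inner]              # push inner (VPN) then outer (LSP)
    trace.append(("PE1", vrf, list(stack)))
    node = "P1"
    while stack:
        action, out_label, nxt = LFIB[node][stack[0]]   # only the top label is examined
        if action == "swap":
            stack[0] = out_label
            trace.append((node, "swap", list(stack)))
            node = nxt
        else:                                         # egress: pop outer, read inner
            stack.pop(0)
            vrf_out = PE2_VRF_BY_LABEL[stack.pop(0)]
            trace.append((node, vrf_out, lookup(PE2_VRF[vrf_out], dst)))
    return trace


def demo() -> dict:
    return {"vpn_a": forward("CE1", "10.2.0.5"), "vpn_b": forward("CE2", "10.2.0.9")}
```

Note that P1 and P2 never look below the top label: the inner label (16 or 17) travels untouched from PE1 to PE2, which is what lets both VPNs share one LSP while still being delivered into separate VRFs.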
3.5.1 The pipe model
In the pipe model, the service provider gives the VPN customer a defined quality of service (QoS) level between CEs in the same VPN. Formally, this model can be pictured as a pipe connecting two routers, where the traffic between the two routers inside the pipe is guaranteed a defined QoS level. One example of a QoS guarantee that can be provided in the pipe model is a guaranteed minimum bandwidth between two sites.
The provider edge routers (PE) at the two ends of the pipe filter and drop excess traffic in order to guarantee bandwidth for the traffic flow inside the pipe. The pipe model can be refined by allowing only certain kinds of traffic (corresponding to certain applications) from one CE to other CEs to use the pipe. The rule defining which traffic may use the pipe is configured on the PE router at the head of the pipe.
Note that the pipe model closely resembles the QoS model that VPN customers get with Frame Relay or ATM based solutions. The basic difference is that with ATM or Frame Relay the connections are full-duplex, whereas the pipe model provides guaranteed connections in one direction. This unidirectional property of the pipe model allows connections to be set up for applications with asymmetric traffic flows, where the traffic from one site to another may differ from the traffic in the reverse direction.
Figure 4.10 illustrates an example of the QoS pipe model. As shown in the figure, the service provider gives VPN A one pipe guaranteeing 7 Mb/s for traffic from Site 3 to Site 1 (more precisely from CE A3 to CE A1) and another pipe guaranteeing 10 Mb/s for traffic from Site 3 to Site 2 (from CE A3 to CE A2). A CE router can therefore have more than one pipe originating from it (for example the two pipes originating at Site 3). Similarly, more than one pipe can terminate at a site.
Flexibility
Bandwidth and the connecting routes in a network change constantly over time. Changing bandwidth requirements of VPN customers are no exception. Service providers are always concerned with the ability to expand and to change the bandwidth requirements of VPN customers, so as to optimise the system and meet quality of service requirements flexibly.
Manageability
VPN management extends from the central site to branches scattered in many places, so management features and management costs tend to grow together. The kinds of management services include:
- Providing the management environment;
- Distributing and installing VPN management software;
- Installing security and QoS policies;
- Supporting service level agreements;
- Supporting other networks over the VPN;
- Performing network performance management, fault location and repair, billing, reporting, and adding, removing or changing service functions.
3.6.2 Salient features of IPSec-VPN and MPLS-VPN
IPSec-VPN
To protect data across the public network, the IPSec protocol supports the following combination of network security functions:
- Identifying and encrypting packets before transmission;
- Authenticating packets to ensure data integrity;
- Authenticating the original data of packet sources;
- Recognising and discarding expired and duplicated packets, and rejecting replayed packets.
The IPSec protocol protects IP packets according to a network design that specifies which particular traffic needs protection. IPSec defines how traffic is protected and controls the device that receives the traffic. An IPSec-based VPN replaces or supplements private networks built on traditional WAN infrastructure such as leased lines, Frame Relay or ATM. The outstanding advantage of IPSec is that it meets the network's requirements in terms of cost.
When an enterprise uses an IPSec-VPN, the service provider usually configures IPSec in a hub-and-spoke configuration, where all the spoke branches maintain a connection
Comparison of MPLS-VPN and IPSec-VPN (only the cells that survived extraction are shown)
Scalability
  MPLS-VPN: highly scalable; requires no full-mesh or peer-to-peer configuration.
  IPSec-VPN: scales in a hub-and-spoke fashion; scaling brings a series of challenges in planning, key distribution, key management and configuration of the peer devices.
Point-to-point support
  MPLS-VPN: Yes.
  IPSec-VPN: Yes.
Remote-access support
  MPLS-VPN: Yes, if connected with IPSec.
  IPSec-VPN: Yes.
Rows whose cells did not survive extraction: Configuration; Security / session authentication; Privacy; QoS and SLA; Service provision (only the fragment "... provider." remains); Service deployment; VPN client software.
3.7 Chapter summary
In recent years, multiprotocol label switching (MPLS) has been chosen by many countries to build and develop their telecommunications networks. One of the typical applications of MPLS is the MPLS-VPN virtual private network service. This service has contributed greatly to the rapid growth of MPLS and has opened up many new applications.
This chapter presented the basic components of MPLS-VPN, the layer 2 and layer 3 MPLS-VPN deployment models, and the key techniques of MPLS-VPN such as the distribution of routing information, VPN-IP addresses and the forwarding of VPN packets. It also covered several issues related to security and quality of service in MPLS-VPN. The chapter closed with an analysis and comparison of the salient features of the two VPN solutions, IPSec-based and MPLS-based.
This material should help the reader grasp the basic issues of MPLS-VPN, its main advantages and disadvantages, the capabilities it offers, and the problems to be solved when deploying and applying this technology. The deployment of VPN technology over MPLS promises many new advantages and will certainly be the ideal virtual private network solution in the future.
CHAPTER 5
Figure 5.1 Model of VPN service provision over VNPT's MPLS network
Voice and data traffic in the virtual LAN is directed to the VRF on the branch-office routers and then carried across the WAN to the other remote sites. To meet additional security needs, this solution can use IPSec. In addition, internal routing can be configured so that if one of the main links fails, all traffic can be rerouted to alternative paths, keeping sessions continuous for all users.
VNPT's MPLS-based VPN/VNN solution uses a local loop connection (the segment from the customer's premises to VDC's MPLS POP) over a high-speed leased line (figure 5.2).
Using the MPLS-VPN solution allows connections to be deployed quickly, simply and conveniently at low cost. In addition, MegaWAN allows both virtual private network access and Internet access if the customer requires it. MegaWAN supports broadband Internet access over the VNN network provided by VNPT. This service gives customers high-speed Internet access based on asymmetric digital subscriber line (ADSL) technology.
The edge router used in the MegaWAN network is the ERX-1410. These systems support MPLS-VPN in order to send traffic securely to different destinations. In addition, the ERX system lets the service provider plan growth at different levels and supports classification of the traffic within each subscriber's connection. In the ERX, voice is the first priority, followed by the data of large subscribers (companies or corporations) and then the data of individual customers.
4.4 Chapter summary
Today VPN is deployed widely around the world and has become an indispensable solution for large companies with many branches. Depending on the specific conditions and requirements, a VPN can be deployed according to several different models. This chapter presented the VPN implementation models as well as the practical deployment and application of VPN technology in Vietnam. With its MPLS core network in operation, VNPT is the first telecommunications operator in Vietnam to provide MPLS-VPN service to enterprise customers.
VNPT's MPLS-VPN solution, with the MegaWAN service model, has achieved encouraging initial results. Since Vietnam's telecommunications network is regionally partitioned and stretches from North to South, VPN is a suitable solution that brings many benefits to the enterprises that subscribe to the service. Although VPN deployment in practice is affected by many factors besides the technical ones, VPN remains a very promising technology and will certainly be widely applied in the coming years.
ABBREVIATIONS
(Abbreviation: English expansion; Vietnamese gloss translated in parentheses. Only the entries that survived extraction carry an expansion.)
3DES: Triple DES
AA: Access Accept
AC: Access Control
AH: Authentication Header
CA: Certificate Authority
CBC: (Cipher block chaining mode)
CHAP: Challenge-Handshake Authentication Protocol
DH: Diffie-Hellman
DNS: (Domain name system)
DSL: (Digital subscriber line)
ECB: (Electronic codebook mode)
FR: Frame Relay
GRE: (Generic routing encapsulation)
HMAC: Hashed-keyed Message Authentication Code (hashed message authentication code)
IP: Internet Protocol
IPSec: IP Security Protocol
ISO: International Standard Organization
IV: Initial Vector (initialization vector)
L2F: Layer 2 Forwarding
L2TP: (Layer 2 tunneling protocol)
LAN: (Local area network)
MAC: (Message authentication code)
MD5: Message Digest 5
MTU: (Maximum transmission unit)
NGN: (Next generation network)
OSI: (Open systems interconnection model)
POP: Point of Presence (point of presence)
PPP: (Point-to-point protocol)
PPTP: (Point-to-point tunneling protocol)
RSA: Rivest-Shamir-Adleman
SA: Security Association (security association)
SAD: SA Database (SA database)
SN: Sequence Number (sequence number)
SPI: (Security parameter index)
TLS: (Transport layer security)
VPN: (Virtual private network)
Abbreviations listed without an expansion in the source: AAA, ACL, ADSL, ARP, ATM, BGP, DCE, DES, DLCI, DTE, EAP, ESP, FCS, FTP, ICMP, ICV, IETF, IKE, IKMP, ISAKMP, ISP, LCP, NAS, NSA, OSPF, PAP, PDU, PKI, PSTN, RADIUS, RARP, RAS, RFC, SHA-1, TCP, UDP, WAN.