TABLE OF CONTENTS

Table of contents ..... i
List of tables ..... v
List of figures ..... vi
Abbreviations ..... ix
PREFACE ..... 1
Chapter 1 THE TCP/IP PROTOCOL SUITE ..... 3
1.1 The Internet concept ..... 3
1.2 Layered model of the TCP/IP protocol suite ..... 4
1.3 Protocols in the TCP/IP model ..... 5
1.3.1 Internet Protocol ..... 5
1.3.1.1 General introduction ..... 5
1.3.1.2 IPv4 structure ..... 6
1.3.1.3 IP fragmentation and reassembly ..... 8
1.3.1.4 IP addressing and routing ..... 9
1.3.1.5 IPv6 packet structure ..... 9
1.3.2 Transport-layer protocols ..... 11
1.3.2.1 The UDP protocol ..... 11
1.3.2.2 The TCP protocol ..... 12
1.4 Summary ..... 17
Chapter 2 VIRTUAL PRIVATE NETWORK TECHNOLOGY OVER THE INTERNET (IP-VPN) ..... 18
2.1 Introduction to virtual private networks over the Internet (IP-VPN) ..... 18
2.1.1 The concept of a virtual private network on the Internet platform ..... 18
2.1.2 Application possibilities of IP-VPN ..... 18
University graduation thesis
2.3.1 Remote-access IP-VPN ..... 23
2.3.2 Site-to-Site IP-VPN ..... 25
2.3.2.1 Intranet IP-VPN ..... 25
2.3.2.2 Extranet IP-VPN ..... 26
2.5 Summary ..... 35
Chapter 3 THE IPSEC PROTOCOL FOR IP-VPN ..... 36
3.1 Introduction ..... 36
3.1.1 The concept of IPSec ..... 36
3.1.2 Related reference standards ..... 37
3.5 Example of the operation of an IP-VPN using IPSec ..... 69
3.6 Summary ..... 70
Chapter 4 DATA SECURITY IN IP-VPN ..... 71
4.1 Introduction ..... 71
4.2 Cryptography ..... 72
4.2.1 The concept of cryptography ..... 72
4.2.2 Symmetric-key cryptosystems ..... 73
4.2.2.1 The ECB and CBC modes of operation ..... 73
4.2.2.2 The DES algorithm (Data Encryption Standard) ..... 75
4.2.2.3 Introduction to AES (Advanced Encryption Standard) ..... 77
4.2.2.4 Stream cipher algorithms ..... 78
4.2.3 Public-key cryptosystems ..... 78
4.2.3.1 Introduction to the theory of public-key cryptography ..... 78
4.2.3.2 The RSA public-key cryptosystem ..... 80
4.2.4 The Diffie-Hellman key exchange algorithm ..... 82
4.3 Authentication ..... 83
4.3.1 Data integrity verification ..... 83
4.3.1.1 Message digests (MD) based on one-way hash functions ..... 83
4.3.1.2 Message authentication codes (MAC) based on keyed one-way hash functions ..... 87
4.3.1.3 Digital signatures based on public-key cryptosystems ..... 89
4.3.2 Data-origin authentication ..... 90
Chapter 5 IMPLEMENTING IP-VPN ..... 96
5.1 Introduction ..... 96
5.2 IP-VPN implementation models ..... 97
5.2.1 Access VPN ..... 98
5.2.1.1 Client-initiated architecture ..... 98
5.2.1.2 Architecture initiated by the network access server (NAS) ..... 99
5.2.2 Intranet IP-VPN and Extranet IP-VPN ..... 99
5.2.3 Some VPN products ..... 100
Figure 3.7: Packet format after AH processing in Tunnel mode ..... 44
Figure 3.8: ESP encapsulation processing ..... 46
Figure 3.9: ESP packet format ..... 46
Figure 3.10: IPv4 format before and after ESP processing in Transport mode ..... 48
Figure 3.11: IPv6 format before and after ESP processing in Transport mode ..... 49
Figure 3.12: Packet format after ESP processing in Tunnel mode ..... 49
Figure 3.13: Combining Tunnel-mode SAs when both endpoints coincide ..... 55
Figure 3.14: Combining Tunnel-mode SAs when one endpoint coincides ..... 55
Figure 3.15: Combining Tunnel-mode SAs when no endpoint coincides ..... 55
Figure 3.16: IKE main mode, aggressive mode and quick mode ..... 57
Figure 3.17: ACL secret list ..... 58
Figure 3.18: IKE phase 1 using Main Mode ..... 59
Figure 3.19: IPSec transform sets ..... 62
Figure 3.20: Example of the operation of an IP-VPN using IPSec ..... 69
Figure 4.1: Common concepts used in cryptographic algorithms ..... 72
Figure 4.2: Electronic codebook (ECB) mode ..... 74
Figure 4.3: Block cipher in CBC mode ..... 74
Figure 4.4: Diagram of the DES algorithm ..... 75
Figure 4.5: Feistel network ..... 76
Figure 4.6: Key distribution in symmetric-key cryptosystems ..... 77
Figure 4.7: Stream cipher ..... 78
Figure 4.8: Public-key encryption diagram ..... 79
Figure 4.9: A one-bit change in the message changes 50% of the digest bits ..... 85
Figure 4.10: Common hash functions MD5 and SHA ..... 86
Figure 4.11: Basic structure of MD5 and SHA ..... 86
Figure 4.12: Integrity verification based on a message authentication code (MAC) ..... 87
Figure 4.13: MAC generation process ..... 88
Figure 4.14: Digital signature ..... 90
Figure 4.15: MAC challenge-response protocol ..... 91
Figure 4.16: Challenge-response protocol using digital signatures ..... 92
Figure 4.17: First trust model (PGP Web of Trust) ..... 93
Figure 4.18: Second trust model (hierarchical trust with CAs) ..... 94
Figure 4.19: General structure of an X.509 certificate ..... 95
Figure 5.1: The three IP-VPN models ..... 97
Figure 5.2: Remote IP-VPN access initiated from the user side ..... 98
Figure 5.3: IP-VPN access initiated from the server ..... 99
Figure 5.4: IP-VPN initiated from routers ..... 99
Figure 5.5: Components of a Client-to-LAN connection ..... 101
Figure 5.6: Client-to-LAN IPSec tunnel ..... 102
Figure 5.7: IPSec client software ..... 103
Figure 5.8: LAN-to-LAN IPSec tunnel ..... 104
Abbreviations
Abbreviation: English expansion
3DES: Triple DES
AA: Access Accept
AAA: Authentication, Authorization and Accounting
AC: Access Control
ACK: Acknowledge
ACL: Access Control List
ADSL: Asymmetric Digital Subscriber Line
AH: Authentication Header
ARP: Address Resolution Protocol
ARPA: Advanced Research Project Agency
ARPANET: Advanced Research Project Agency (network)
ATM: Asynchronous Transfer Mode
BGP: Border Gateway Protocol
B-ISDN: Broadband-Integrated Service Digital Network
BOOTP: Boot Protocol
CA: Certificate Authority
CBC: Cipher Block Chaining
CHAP: Challenge-Handshake Authentication Protocol
CR: Cell Relay
CSU: Channel Service Unit
DCE: Data Communication Equipment
DES: Data Encryption Standard
DH: Diffie-Hellman
DLCI: Data Link Connection Identifier
DNS: Domain Name System
DSL: Digital Subscriber Line
DSLAM: DSL Access Multiplex
DTE: Data Terminal Equipment
EAP: Extensible Authentication Protocol
ECB: Electronic Code Book Mode
ESP: Encapsulating Security Payload
FCS: Frame Check Sequence
FDDI: Fiber Distributed Data Interface
FPST: Fast Packet Switched Technology
FR: Frame Relay
FTP: File Transfer Protocol
GRE: Generic Routing Encapsulation
HMAC: Hashed-keyed Message Authentication Code
IBM: International Business Machine
ICMP: Internet Control Message Protocol
ICV: Integrity Check Value
IETF: Internet Engineering Task Force
IKE: Internet Key Exchange
IKMP: Internet Key Management Protocol
IN: Intelligent Network
IP: Internet Protocol
IPSec: IP Security Protocol
ISAKMP: Internet Security Association and Key Management Protocol
ISDN: Integrated Service Digital Network
ISO: International Standard Organization
ISP: Internet Service Provider
IV: Initial Vector
L2F: Layer 2 Forwarding
L2TP: Layer 2 Tunneling Protocol
LAN: Local Area Network
LCP: Link Control Protocol
MAC: Message Authentication Code
MD5: Message Digest 5
MTU: Maximum Transfer Unit
NAS: Network Access Server
NGN: Next Generation Network
NSA: National Security Agency
OSI: Open System Interconnection
OSPF: Open Shortest Path First
PAP: Password Authentication Protocol
PDU: Protocol Data Unit
PKI: Public Key Infrastructure
POP: Point-Of-Presence
PPP: Point-to-Point Protocol
PPTP: Point-to-Point Tunneling Protocol
PSTN: Public Switched Telephone Network
RADIUS: Remote Authentication Dial-in User Service
RARP: Reverse Address Resolution Protocol
RAS: Remote Access Service
RFC: Request for Comment (the IP standards documents issued by the IETF)
RIP: Realtime Internet Protocol (real-time signalling protocol)
RSA: Rivest-Shamir-Adleman
SA: Security Association
SAD: SA Database
SHA-1: Secure Hash Algorithm-1
SMTP: Simple Mail Transfer Protocol
SN: Sequence Number
SPI: Security Parameter Index
SS7: Signalling System No. 7
TCP: Transmission Control Protocol
TFTP: Trivial File Transfer Protocol
TLS: Transport Level Security
UDP: User Datagram Protocol
VPN: Virtual Private Network
WAN: Wide Area Network
Mathematical symbols

Symbol: Meaning
C: ciphertext.
D: decryption algorithm.
D_K: decryption algorithm with key K.
E: encryption algorithm.
E_K: encryption algorithm with key K.
IV: initialization vector.
K: the key K.
KR: private (secret) key.
KU: public key.
L_i, R_i: left and right halves of the block at round i of the DES encryption algorithm.
P: plaintext.
PREFACE
With the trend towards globalisation, international exchange and cooperation keep growing, and business relationships no longer stop at the boundary of a district, a province or a country but extend across the whole world. A company may have branches and business partners in many countries, and they constantly need to exchange information with one another. To keep the exchanged information confidential, the traditional approach is to use leased lines, but their drawback is that they are expensive and waste resources when the data exchanged is small in volume and infrequent. Other technologies have therefore been developed that still meet this need for information exchange while being cheaper and more convenient: the virtual private network. A VPN is defined as a network connecting customer sites securely over a shared network infrastructure, with access-control and security policies like those of a private network. Many options for deploying a VPN have existed, such as X.25, ATM, Frame Relay and leased lines. With these solutions, however, the cost of purchasing equipment and the costs of operation, maintenance and management are very high and fall on the enterprise, while the service providers only guarantee a separate channel for the data and give no assurance about the security of that channel. Organisations and enterprises that use an IP VPN service save a great deal of cost when they want to connect branch offices, access the internal network remotely or make VoIP telephone calls, with a high degree of security. ADSL is now widespread and cheap, so implementing an IP VPN has become very simple and effective and makes use of high-speed Internet links. IP VPN is highly interoperable and widely supported, so equipment from different vendors can be combined.

On that basis I decided to choose IP-VPN technology as the research direction of my thesis. The aim of the thesis is to study the basic technical issues involved in implementing IP-VPN. The thesis is organised in five chapters:
- Chapter 1: The TCP/IP protocol suite. This chapter gives an overview of the TCP/IP protocol suite.
- Chapter 2: Virtual private network technology over the Internet (IP-VPN). This chapter presents the VPN concepts, starting with an analysis of the IP-VPN concept and the advantages that allow it to become a solution with strong growth potential in the market. It then presents the basic functional blocks of IP-VPN and classifies virtual private networks by their structure. Finally it presents the tunnelling protocols used for IP-VPN.
- Chapter 3: The IPSec protocol for IP-VPN. This chapter presents the IPSec protocol. IPSec is the key protocol suite used for IP-VPN to guarantee data integrity, consistency, confidentiality and authentication of data transmitted over a public network infrastructure.
- Chapter 4: Data security in IP-VPN. Presents a number of algorithms applied to secure data in IP-VPN based on IPSec.
- Chapter 5: Implementing IP VPN. This chapter presents the methods of implementing IP VPN currently in use.

IP-VPN technology is not a new topic in the world and is also being deployed widely in Vietnam. However, a complete deployment still faces many difficulties to be solved; this thesis stops at the level of theoretical study and basic analysis.

I would like to sincerely thank Vinh University and the lecturers of the Faculty of Technology for supporting me during my studies and research. In particular I wish to express my deep respect and gratitude to Dr. Phạm Văn Bình, lecturer at Hanoi University of Science and Technology, who devotedly guided and advised me while researching, building and completing this thesis. Despite the great help of my supervisor and the lecturers, and my own efforts, the thesis will inevitably contain mistakes, so I hope to receive further comments from the lecturers, my friends and everyone interested in this field.

Bùi Văn Nhật, 45K2TVT
... operating system. TCP/IP is therefore an ideal protocol suite for combining different hardware as well as software.
Global addressing: every computer on a TCP/IP network has a definite address
Application protocol standards: TCP/IP not only gives the programmer a way to transfer data between applications across the network, it also provides many application-level facilities (protocols that implement functions such as e-mail and file transfer).
It corresponds to the application and presentation layers of the OSI model. It contains the high-level protocols, encoding, session control and so on, and application services such as SMTP, FTP and TFTP. Today there are hundreds or even thousands of protocols in this layer. Application programs talk to the transport-layer protocols to send and receive data. An application program hands the data to be sent to the transport layer as a request; the transport layer processes it before passing it down to the Internet layer to find a route.
Transport layer: responsible for delivering messages from one process (a running program) to another. The transport layer ensures that information reaches the receiver without errors and in the correct order. It has two very different protocols: the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
... and so that data can move between subnetworks with different physical architectures. This layer controls the forwarding of packets across the network and routes them. (It supports internetworking: the notion of an internet refers to a larger network, the network that links LANs together.) The protocols of this layer are IP, ICMP, ARP and RARP.
Network access layer: provides the interface to the physical network. (Usually this layer consists of the device drivers in the operating system and the corresponding network interface cards in the computer. It handles all the hardware details of the physical interface and cabling, or of whatever medium is in use.) It provides error control for data sent over the physical network. The layer does not define a protocol of its own; it supports all standard and proprietary protocols, for example Ethernet, Token Ring, FDDI, X.25, wireless, Async, ATM, SNA and others.
The Internet Protocol is connectionless, meaning that no path is set up before data is transmitted and every packet is handled independently. IP does not checksum its data portion; only the packet header is checked, to avoid delivery to the wrong address. Packets may take different routes to the destination, so the data in an IP datagram is not guaranteed. To cope with lost or duplicated packets, IP must rely on a higher-layer protocol for reliable transmission (for example TCP).
* Version: indicates the version of the IP protocol used to create the datagram, so that the sending host, the receiving host and the routers agree on the format of the data. Here the version is IPv4.
* IP header length: gives the length of the datagram header, counted in 32-bit words.
* Type of service: an 8-bit field in two parts, precedence and type of service. The 3-bit precedence field assigns a priority to the datagram and provides a mechanism for controlling packets through the network. The remaining bits state the kind of treatment the datagram would like as it crosses the network: throughput, delay and reliability. The Internet itself does not guarantee quality of service, however, so this field is only a request to the routers, not a demand.
* Total length: a 16-bit field giving the length of the whole IP datagram.
* Identification: a 16-bit field used by the destination host to detect and group the fragments of a packet. Routers fragment a datagram when its maximum transmission unit (MTU) is larger than the MTU of the transmission medium.
* Flags: 3 bits used to control fragmentation. The first bit tells routers whether fragmentation of the packet is permitted; the two low-order bits control fragmentation and, together with the Identification field, identify the packet a fragment belongs to after fragmentation.
* Fragment offset: gives the position of this fragment within the original datagram. The packet size depends on the underlying network, that is, the packet length cannot exceed the MTU of the transmission medium.
* Time-to-live: used to prevent packets from looping on the network. It acts as a countdown that stops packets from travelling in the network for too long. Any packet whose time-to-live reaches 0 is discarded by the router and an error message is sent back to the originating station.
* Protocol: identifies, as a number, the next higher-layer protocol that is using the IP service.
* Header checksum: a 16-bit checksum computed over all the fields of the IPv4 header. As a packet passes through routers the header fields may change, so this field must be recalculated and updated to keep the routing information reliable.
* Source Address, Destination Address: used by routers and gateways to route the data units; they travel with the packet all the way from source to destination.
* Options and Padding: of variable length, used to add optional information and padding so that the data starts on a 32-bit boundary.
1.3.1.3. IP fragmentation and reassembly

An IP implementation must always include algorithms for splitting and reassembling data, because every datagram is subject to a maximum frame size allowed on a point-to-point link, called the MTU. When a packet crosses different networks with different MTUs, it is fragmented according to the MTU of each network. The MTU of a network is chosen according to the characteristics of that network so that packets are transmitted at the highest possible rate. On its way from source to destination a datagram may pass through many different networks. Each router unpacks the IP datagram from the frame it received, processes it, and then encapsulates it in another frame. The datagrams produced by fragmentation are numbered in sequence to make later reassembly easier. The format and size of the frame received depend on the protocol of the physical network the frame crosses. If IP needs to forward a datagram larger than the MTU, it sends the datagram in fragments, which are reassembled at the receiving end to restore the original datagram. Figure 1.5 illustrates fragmentation.
... of it. Only the destination host is able to reassemble the fragments. Because each fragment is handled independently, the fragments may travel through different networks and nodes to reach the destination.

1.3.1.4. IP addressing and routing

Addressing: every station in the network is identified by a specific number called its IP address. IP addresses are used in the network layer to route packets across the network. Because the organisation and size of the subnetworks in an internet differ, IP addresses are divided into classes A, B, C, D and E.
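The header fields, the header checksum, router forwarding and the fragmentation and reassembly described in sections 1.3.1.2 and 1.3.1.3, worked through in code. This is an added example, not code from the thesis; the addresses, payload and MTU values are constructed.

```python
"""IPv4 header build/parse, header checksum, router forwarding, fragmentation and
destination-host reassembly. Added example: all datagram contents are constructed."""
import socket
import struct

IPV4 = struct.Struct("!BBHHHBBH4s4s")   # the 20-byte fixed IPv4 header, network byte order
DF, MF = 0x4000, 0x2000                  # "Don't Fragment" and "More Fragments" bits of the Flags field


def checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                   # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_datagram(src, dst, payload, ident, flags=0, offset=0, ttl=64, proto=17):
    """Build an IPv4 datagram with a 20-byte header (IHL = 5, no options) and fill in its checksum."""
    total_len = IPV4.size + len(payload)
    frag_field = flags | (offset // 8)   # the offset is carried in units of 8 octets
    hdr = IPV4.pack(0x45, 0, total_len, ident, frag_field, ttl, proto, 0,
                    socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # checksum sits at bytes 10-11
    return hdr + payload


def parse(pkt):
    """Decode the fixed header; checksum_ok means the stored checksum matches the header."""
    ver_ihl, tos, total_len, ident, frag, ttl, proto, _, src, dst = IPV4.unpack(pkt[:IPV4.size])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len,
            "identification": ident, "df": bool(frag & DF), "mf": bool(frag & MF),
            "offset": (frag & 0x1FFF) * 8, "ttl": ttl, "protocol": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": checksum(pkt[:ihl]) == 0,   # a header with a valid checksum sums to zero
            "payload": pkt[ihl:total_len]}


def forward(pkt):
    """What a router does to the header: verify it, decrement TTL, discard at zero, recompute the checksum."""
    h = parse(pkt)
    if not h["checksum_ok"]:
        raise ValueError("header checksum mismatch: drop")
    if h["ttl"] <= 1:                    # would reach 0 after the decrement
        raise ValueError("TTL expired: drop and report an error to the source")
    flags = (DF if h["df"] else 0) | (MF if h["mf"] else 0)
    return build_datagram(h["src"], h["dst"], h["payload"], h["identification"],
                          flags, h["offset"], h["ttl"] - 1, h["protocol"])


def fragment(pkt, mtu):
    """Split a datagram that does not fit the next link's MTU into fragments."""
    h = parse(pkt)
    if len(pkt) <= mtu:
        return [pkt]
    if h["df"]:
        raise ValueError("DF set and datagram larger than MTU: drop")
    chunk = (mtu - h["ihl"]) // 8 * 8     # all fragments but the last carry a multiple of 8 octets
    data, frags = h["payload"], []
    for off in range(0, len(data), chunk):
        more = off + chunk < len(data) or h["mf"]   # keep MF if we are re-fragmenting a fragment
        frags.append(build_datagram(h["src"], h["dst"], data[off:off + chunk], h["identification"],
                                    MF if more else 0, h["offset"] + off, h["ttl"], h["protocol"]))
    return frags


def reassemble(frags):
    """Destination-host reassembly: order by offset, check for gaps and for a missing last fragment."""
    parsed = sorted((parse(f) for f in frags), key=lambda h: h["offset"])
    ident, data = parsed[0]["identification"], b""
    for h in parsed:
        if h["identification"] != ident or not h["checksum_ok"]:
            raise ValueError("fragment of another datagram or corrupted header")
        if h["offset"] != len(data):
            raise ValueError("gap or overlap at offset %d" % h["offset"])
        data += h["payload"]
    if parsed[-1]["mf"]:
        raise ValueError("last fragment (MF = 0) not received")
    return data


if __name__ == "__main__":
    dgram = build_datagram("192.168.2.3", "10.0.0.9", bytes(range(256)) * 4, ident=0x1234)
    parts = fragment(dgram, mtu=576)
    print(len(parts), "fragments; reassembly",
          "ok" if reassemble(parts) == parse(dgram)["payload"] else "mismatch")
```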
... of the Internet. IPv6 is especially important as mobile computing devices keep joining the Internet in the future. The changing nature of the Internet and of commercial networks has made the IP internetworking protocol outdated. In the past the Internet and most TCP networks supported fairly simple distributed applications such as file transfer, mail and remote login (TELNET). Today, however, the Internet is becoming an application-rich medium, led by the World Wide Web (www). All of this development far outstrips the functions and services IP can provide. An internetworking environment needs to support real-time traffic, flexible congestion-control schemes and security features that IPv4 currently cannot fully provide. Figure 1.7 illustrates the structure of the IPv6 packet.
Figure 1.7: IPv6 packet structure (bit positions 0 to 31; 40-octet header; fields shown: Version, Source Address, Destination Address).
* Hop Limit: an 8-bit field used to stop a datagram from circulating endlessly. The value is decremented each time the datagram passes through a router, and if it reaches 0 before the datagram arrives at its destination the datagram is discarded.
* Source Address and Destination Address: in IPv6 the source and destination address fields are 128 bits long, written in hexadecimal with groups separated by colons.

Characteristics of IPv6
+ A larger address space that allows hierarchical addressing and solves address exhaustion. IPv6 has 2^128 addresses (about 3.4 x 10^38 addresses).
+ More efficient routing: IPv6 address allocation is designed so that the backbone routing table does not exceed 10,000 entries, whereas IPv4 routing tables commonly exceed 100,000 entries.
+ A smaller header with optional extensions: some fields have been removed or replaced by options, reducing the processing load and the bandwidth cost.
+ Improved quality of service.
+ Built-in mechanisms for secure transmission.
+ Support for mobile networks.

1.3.2. Transport-layer protocols

1.3.2.1. The UDP protocol

The User Datagram Protocol (UDP) provides the primary mechanism that application programs use to send packets to other application programs. UDP provides ports to distinguish between the application programs on a single machine. That is, besides the message itself, every UDP message carries a source port and a destination port value, so that the UDP software at the destination can deliver the packet to the right receiver and the receiver can send a reply. UDP provides the same connectionless, unreliable delivery service as IP. It uses no acknowledgements to confirm that packets arrive, does not reorder messages, and gives no feedback on the rate of traffic between the two machines. An application program that uses UDP therefore takes full responsibility for reliability. The UDP header structure is shown in figure 1.8.
Figure 1.8: UDP header format (bit positions 0, 8, 15, 31; field shown: Source Port).
TCP header figure (field labels recovered: Acknowledgement Number, Header length, Unused, Checksum).
* Source port, Destination port: hold the TCP port values that identify the application programs at the two ends of the connection. Whenever TCP receives a packet from IP it strips the IP header and reads the TCP header. Having read the destination port, it looks up the file of service information and delivers the data to the program registered for that port number. With TCP, however, port values are more complex than with UDP: a given TCP port value does not correspond to a single object. Instead, TCP is built on an abstraction of connections, in which the objects are identified as virtual circuits rather than as individual ports. For example, the value 192.168.2.3,25 identifies TCP port 25 on the computer with address 192.168.2.3.
* Sequence Number: identifies the position, within the sender's byte stream, of the data in this segment.
* Acknowledgment Number: identifies the octet number the source expects to receive next. Note that the Sequence Number refers to data flowing in the same direction as the segment, whereas the Acknowledgment Number refers to data flowing in the opposite direction.
* Header length: an integer giving the length of the segment header in multiples of 32 bits. It is needed because the Options part has a variable length that depends on which options are included.
* Unused: reserved for future use.
* Flags: 6 bits that determine the purpose and content of the segment; the contents of the header are interpreted according to these bits, for example whether the segment carries only an ACK, only data, or a request to establish or close the connection.
* Window: tells the peer the size of the buffer available for the transfer.
* Urgent pointer: asks the connection to deliver out-of-band data; the receiving program must be notified as soon as such data arrives, wherever it lies in the data area. After the urgent data has been processed, TCP tells the application program to return to normal operation.
The unit of transfer between the TCP software on two machines is called a segment. Segments are exchanged to establish a connection, carry data, send ACKs (acknowledgements of received data), announce the window size (to optimise sending and receiving) and close the connection.

b) Establishing and closing a TCP connection

A TCP connection is established with the three-way handshake model; in the simple case it can be illustrated as follows:
Figure (three-way handshake): the sending host sends SYN, Seq = x; across the network the receiving host receives the SYN and sends SYN, Seq = y, ACK = x+1.
... until the sender closes the connection. Thus replies on the connection still flow back to the sender even after it has closed its side; once both directions are closed, the TCP software on each side deletes its record of the connection.
Figure (closing a connection): the sending host sends FIN, Seq = x across the network.
... timeouts and to minimise traffic on the network, implementations usually collect enough data to fill a datagram of a suitable size before transmitting it across the Internet. Thus, even when the application program generates a data stream one octet at a time, transmission over the Internet remains fully efficient. Conversely, if the application program decides to send very large blocks of data, the protocol software may decide to split the block into smaller pieces for transmission. For application programs whose data must be delivered even when it does not fill a buffer, the stream service provides a push mechanism that lets the application force transmission.

Unstructured stream: the TCP stream service does not define structured data streams. That is, it does not distinguish any structure or internal record boundaries within the data stream. Application programs using the stream service must understand the content of the stream and agree on its format before starting the connection.

Two-way connection: connections provided by the TCP service allow simultaneous transfer in both directions. This kind of connection is called full duplex. From the point of view of an application process, a two-way connection consists of two independent data streams flowing in opposite directions without interaction or collision. The stream service allows an application process to end the flow in one direction while data continues to flow in the other, turning the connection into a one-way (half duplex) connection. The main advantage of a two-way connection is that the underlying protocol software can send control information for one stream back to its source inside the datagrams carrying data in the opposite direction. This reduces traffic on the network.

To provide reliable transmission, TCP uses a protocol of acknowledging (ACK) received packets and retransmitting packets that are lost or damaged. A timer on the sending side is started each time a packet is sent (every packet sent has a timer counting from the moment of sending). If the timer expires before an ACK is received, the packet is assumed lost or corrupted and is sent again. The sequence number in the header lets the sender and the receiver detect lost packets and duplicated data, and so retransmit or discard duplicates as appropriate.

d) Sliding-window technique

To perform flow control, TCP uses the sliding-window technique. The sliding window, of fixed or variable size, determines the maximum number of data packets that may be sent before an ACK is received back from the destination. This technique addresses the important problems of increasing transmission efficiency and controlling the rate of the data flow.
[Figure: sliding-window operation. The sender transmits the packets allowed by the window and then stops because no ACK has been received; the receiver, on receiving packet 1, returns ACK 2, and ACKs 1, 2, 3 follow as packets arrive.]
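The window, timer and cumulative-ACK behaviour described above, as an added example that is not part of the original thesis: a simplified Go-Back-N sender and receiver with a constructed loss pattern. The `Receiver`, `simulate` and `drop` parameter names are this example's own; the model is a toy, not TCP itself (TCP's window is in bytes and modern stacks use selective acknowledgement).

```python
"""Simplified Go-Back-N sliding window with cumulative ACKs and timeout-driven
retransmission (added example; a toy model of the mechanism, not TCP itself)."""


class Receiver:
    """Accepts packets strictly in order; out-of-order packets are discarded and the
    last cumulative ACK is repeated, which forces the sender to resend the whole
    window after a loss (the price of keeping the receiver stateless)."""

    def __init__(self):
        self.expected = 1          # next sequence number the receiver wants
        self.delivered = []

    def receive(self, seq, data):
        if seq == self.expected:
            self.delivered.append(data)
            self.expected += 1
        return self.expected       # ACK n means "everything below n arrived, send n next"


def simulate(messages, window, drop, timeout=2):
    """Run the sender against Receiver over a lossy network.

    messages: payloads, numbered 1..n in order
    window:   maximum number of unacknowledged packets in flight
    drop:     set of (seq, attempt) pairs the network loses (constructed loss pattern)
    timeout:  rounds without an ACK before a packet is retransmitted
    Returns (delivered payloads, {seq: number of transmissions}).
    """
    rx = Receiver()
    n = len(messages)
    base, next_seq = 1, 1          # base = oldest unacked seq, next_seq = next new seq
    sent_at, attempts = {}, {}
    for rnd in range(1, 200):      # bounded so a bad loss pattern cannot loop forever
        if base > n:
            return rx.delivered, attempts
        # Retransmit timed-out packets first, then send new ones as the window allows.
        to_send = [s for s in range(base, next_seq) if rnd - sent_at[s] >= timeout]
        while next_seq < base + window and next_seq <= n:
            to_send.append(next_seq)
            next_seq += 1
        for seq in to_send:
            if seq < base:         # acknowledged earlier in this round, nothing to do
                continue
            attempts[seq] = attempts.get(seq, 0) + 1
            sent_at[seq] = rnd
            if (seq, attempts[seq]) in drop:
                continue           # lost in the network: the timer will expire later
            ack = rx.receive(seq, messages[seq - 1])
            if ack > base:         # a cumulative ACK slides the window forward
                base = ack
    raise RuntimeError("no progress within 200 rounds")


if __name__ == "__main__":
    delivered, attempts = simulate(["a", "b", "c", "d", "e"], window=3, drop={(2, 1)})
    print(delivered, attempts)
```

With a window of 3, only three of the five packets leave in the first round; losing the first copy of packet 2 costs a retransmission of 2, 3 and 4, because the receiver discarded 3 and 4 when they arrived out of order.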
1.4 Summary
Chapter 1 gave a brief overview of the TCP/IP protocol suite and introduced the basic functions of the layers in its layered model. Because of the scope of this thesis, it concentrated on the IP protocol of the Internet layer and on the TCP and UDP protocols of the transport layer. For IP, only addressing, routing, fragmentation and reassembly, and the IPv4 and IPv6 packet structures were presented. These are the fundamental issues of IP and they are used in the following chapters. In particular, this part looked more closely at the IPv4 and IPv6 packet structures and at the ways in which IPv6 packets differ from IPv4 packets; note especially that IPv6 adds security functions. Through this chapter we also saw that the Internet has become a globally deployed information network and the transmission medium for a great many different applications. The trend in telecommunications networks is towards IP. However, the greatest weakness of the Internet is that it provides no security for data transmitted over it. Along with the growth of the Internet, data security has become an unavoidable requirement. There are many solutions for securing data on the Internet, and IP-VPN is one of the effective ones.
Chapter 2 VIRTUAL PRIVATE NETWORK TECHNOLOGY OVER THE INTERNET (IP-VPN)
2.1 Introduction to virtual private networks over the Internet (IP-VPN)
2.1.1 The concept of a virtual private network over the Internet
As we know, private networks are usually defined as non-shared networking facilities that combine hosts and clients belonging to the same administrative entity. The characteristic of a private network is that it supports communication among authorised users, allowing them to access various network services and resources. Traffic from source to destination in a private network travels only along nodes that are part of the private network. Added to this is traffic isolation: traffic belonging to the private network neither affects nor is affected by traffic from outside. A typical example of a private network is a company's intranet.

IP-VPN (Internet Protocol Virtual Private Network) combines two concepts: virtual networking and private networking. In a virtual network, distant and dispersed nodes can interact with each other in the way they normally would in a network whose nodes are at the same geographic location. The topology of the virtual network is independent of the physical topology of the facilities used to build it. An ordinary user of a virtual network does not know the physical network setup and perceives only the virtual topology. The virtual network is built on the sharing of the existing physical network infrastructure; however, the virtual network and the physical network are usually managed by different administrators.

We can define IP-VPN as follows: a virtual private network over the Internet is an emulation of secure private data networks on the shared, insecure public Internet infrastructure. The attributes of IP-VPN include mechanisms for protecting data and establishing trust between hosts, and the combination of various methods to ensure service level agreements and quality of service for all entities communicating across the Internet.

2.1.2 Applicability of IP-VPN
A virtual private network is of great significance to organisations that operate at many geographically dispersed sites, have mobile staff, and have large customer and business-partner bases. It is a solution for secure communication over a public network, which lets organisations save considerably compared with leasing private lines. Moreover, a VPN also guarantees the security of data during
the communication process, and the ability to extend operations widely, even in geographically complex areas.
2.2.1 Access control
Access control (AC) in data networking is defined as the set of policies and techniques that control access to the resources of a private network by authorised parties. AC mechanisms operate independently of authentication and security: they define which resources are available to a particular user once that user has been authenticated. In the IP-VPN world, physical entities such as remote hosts, firewalls and IP-VPN gateways in the participating company networks are usually responsible (or at least partly responsible) for the decisions that maintain the state of an IP-VPN connection. Example decisions include:
+ Initiate
+ Allow
+ Continue
+ Refuse
+ Terminate
The main purpose of IP-VPN is to allow secure and selective access to the resources of a remote private network. With security and authentication but no AC, an IP-VPN would protect only the integrity and confidentiality of transmitted traffic and prevent anonymous users from using the network; it would not manage access to network resources. AC usually depends on the information the requesting entity uses to identify itself, such as credentials or certificates, as well as on the rules that define AC. For example, some IP-VPNs may be operated by a centralised server or other IP-VPN control device located in the service provider's data centre, or the IP-VPN gateways may manage AC locally in the networks involved in the IP-VPN.
The set of rules and regulations that define rights of access to network resources is called the access control policy. The access policy serves business objectives; for instance, a policy such as "allow access for subscribers who have not exceeded 60 hours of use" can be implemented with RADIUS-based (Remote Authentication Dial-In User Service) authentication and a timer started each time the user accesses the network. In theory a RADIUS Disconnect message could be used to drop the user's session once 60 hours is exceeded; in practice the policy is often applied only at login time, trusting that the user does not log in for excessively long periods, or by setting an upper session limit equal to the remaining allowance so that the maximum permitted time cannot be exceeded. Similar policies can be implemented by replacing the time limit with a credit limit, which may relate to a prepaid account.

2.2.2 Authentication
One of the most important functions supported by IP-VPN is authentication. In virtual private networking, every communicating entity must be able to identify itself to the other parties involved, and vice versa. Authentication is the process that allows communicating entities to verify such identities. One of the most widely used authentication methods today is PKI (Public Key Infrastructure). This method is called certificate-based authentication, because the communicating parties authenticate each other by exchanging their certificates, which are guaranteed by a trust relationship with a certification authority. The authentication process may instead involve providing authentication information based on a shared secret, such as a password or a CHAP challenge/response pair, to the authenticator, for example a NAS (Network Access Server), which looks it up in a local file or queries a RADIUS server. In this respect VPN operation involves two kinds of authentication: client-to-gateway and gateway-to-gateway. In client-to-gateway authentication, only when the user has successfully authenticated to the VPN gateway is he allowed into the IPSec tunnel leading to the customer network's IPSec endpoint.
The second case is typically encountered when a site-to-site connection is set up, or when virtual dial-up networks are used and authentication of the L2TP tunnel setup is required between the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server).
By definition a VPN is built over shared public facilities that are not secure, so integrity and encryption are essential requirements. A VPN can be secured by deploying one of the available encryption methods, or an encryption mechanism combined with a secure key distribution system. Note, however, that security is not only the encryption of VPN traffic. It also involves the complex procedures of the operator and of the companies it serves. And since the VPN is network-based, establishing a trust relationship between the service provider and the VPN customer requires agreeing on and deploying corresponding security mechanisms. For example, the company's AAA server can be reached by securing the RADIUS messages with IPSec as they cross the shared network infrastructure. Alternatively, the AAA server can be placed in a network outside the VPN, to isolate AAA traffic from user traffic.

2.2.4 Tunnelling, the foundation of IP-VPN
Tunnelling is the single most important technology for building an IP-VPN. Tunnelling consists of encapsulating one set of data packets inside other packets according to a set of rules applied at both ends of the tunnel. As a result, the content encapsulated in the tunnel is invisible to the insecure public network across which the packets travel. The specific issues and technologies of tunnelling are presented in the following sections. The concept of tunnelling as applied to virtual private networking is shown in Figure 2.2 below. In this figure, packets sent from host A to host Z must pass through many switches and routers. If router C encapsulates the packets coming from host A and gateway Y decapsulates them, the other nodes that the packets traverse see only the outer encapsulating packet and cannot learn the payload or the address of the final recipient. In this way the payload of the packets sent between C and Y is known only to those two nodes and to hosts A and Z, where the traffic originates and terminates. This effectively creates a tunnel through which the packets are carried with the desired level of security.

[Figure 2.2: tunnelling over a public network: host A, tunnel endpoints C and Y connected across the Internet, host Z; the physical links versus the logical tunnel.]
A tunnel can be defined by its endpoints, the network entities that run the encapsulation and decapsulation protocols. Tunnelling techniques that support IP-VPN, such as L2TP and PPTP, encapsulate link-layer frames (PPP). Similarly, tunnelling techniques such as IP-in-IP and the IPSec protocols encapsulate network-layer packets. In the context of virtual private networking, tunnelling can perform three main tasks:
+ Encapsulation.
+ Private addressing transparency.
+ End-to-end protection of data integrity and confidentiality.
Private addressing transparency allows private addresses to be used over an IP infrastructure that permits only public addressing. Because the contents of tunnelled packets, and parameters such as addresses, are understood only at the tunnel endpoints, private IP addressing is completely hidden from the public IP network through the use of legitimate public addresses.

[Figure: private addressing transparency: private network (private addresses) | Internet (public addresses) | private network (private addresses).]
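The encapsulation and private-addressing transparency just described, as an added example that is not part of the original thesis: a minimal IP-in-IP (protocol 4) tunnel written against the standard library only. The private and public addresses, the `encapsulate`/`decapsulate` names and the sample UDP payload are this example's own constructed values; a transit router parsing the outer packet sees only the public tunnel endpoints.

```python
"""IP-in-IP tunnelling over IPv4 (added example): build an inner packet with private
addresses, wrap it in an outer header with public addresses, and show what a transit
router can and cannot see."""
import struct

IPPROTO_IPIP = 4    # outer header's Protocol field for IP-in-IP (RFC 2003)


def _checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """20-byte IPv4 header without options, checksum filled in."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); rejects options and bad checksums."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    vihl, total_len, proto, src, dst = fields[0], fields[2], fields[6], fields[8], fields[9]
    if vihl != 0x45:
        raise ValueError("only IPv4 without options is handled here")
    if _checksum(pkt[:20]) != 0:          # a correct header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return ".".join(map(str, src)), ".".join(map(str, dst)), proto, pkt[20:total_len]


def encapsulate(inner, tunnel_src, tunnel_dst):
    """Tunnel ingress (router C in the text): prepend an outer header with public addresses."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(outer, my_address):
    """Tunnel egress (gateway Y): strip the outer header after checking it is ours."""
    _, dst, proto, inner = parse_ipv4(outer)
    if dst != my_address:
        raise ValueError("outer packet is not addressed to this tunnel endpoint")
    if proto != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    parse_ipv4(inner)                      # validate the inner header before forwarding
    return inner


def transit_view(pkt):
    """What an intermediate router learns from the packet: outer addresses and protocol."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return src, dst, proto


# Constructed sample: a UDP datagram (8-byte header, empty payload) from one private site
# to another, carried between the public addresses 203.0.113.1 and 198.51.100.1.
SAMPLE_UDP = b"\x00\x35\x00\x35\x00\x08\x00\x00"
SAMPLE_INNER = ipv4_header("10.1.1.5", "10.2.2.7", 17, len(SAMPLE_UDP)) + SAMPLE_UDP

if __name__ == "__main__":
    outer = encapsulate(SAMPLE_INNER, "203.0.113.1", "198.51.100.1")
    print("transit router sees:", transit_view(outer))
    print("inner after decapsulation:", parse_ipv4(decapsulate(outer, "198.51.100.1"))[:3])
```

Note that IP-in-IP on its own gives only addressing transparency; the inner packet is still in the clear, which is why the text pairs tunnelling with IPSec for confidentiality and integrity.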
...ESP, and therefore integrating the existing security features is not easy, while the degree to which stolen data cannot be interpreted is very high. This is what IP-VPN customers care about, and it is also the reason AH is used only to a limited extent. Note that AH is useful when control information for tunnel establishment must be provided.

2.2.5 Service level agreements
The entities participating in virtual networking, such as ISPs, wireless carriers, enterprises and remote users, are bound by agreements that achieve the required service levels as well as the expected returns for the services provided. These agreements, drafted between the interested parties and their partners to define quantifiable and assessable levels of service, are called SLAs (Service Level Agreements). SLAs are used in many forms, but they are especially important for virtual networks based on shared infrastructure. The following factors must be considered when examining an SLA for a VPN:
+ Tunnel availability.
+ Bandwidth guarantees.
+ Tunnel delay.
+ Acceptable cell/packet rate.
+ Packet loss rate.
...using VPN. It provides a method of secure access to the organisation's applications for remote users, mobile employees, branch offices and business partners. This IP-VPN architecture operates across a shared public infrastructure using ISDN (Integrated Services Digital Network) lines, analogue dial-up, Mobile IP, DSL (Digital Subscriber Line) and fixed telephone lines. It is of interest everywhere, since it can be set up at any time and anywhere through the Internet. In addition, a number of advantages follow from migrating from privately managed networks to remote-access IP-VPN:
+ Elimination of the cost of long-distance connections from the user to the organisation's network, since all remote connections are now replaced by Internet connections.
+ Wider connection reach and lower cost, since the IP-VPN user only dials the number of the Internet service provider (ISP) or connects directly over an always-on broadband network.
+ Simple addition of new users and rapid growth of the IP-VPN, since new users can be added without increasing infrastructure cost.
+ Management and maintenance of the dial-up network become simple when adding new users, which helps corporations concentrate on their business.
Despite these many advantages, developing a remote-access IP-VPN still faces the following difficulties:
+ The tunnelling protocol consumes a small amount of overhead to encrypt data on transmission and decrypt it on reception. Although small, this overhead affects some applications.
+ For users with analogue modems connected to the Internet at speeds below 400 kb/s, IP-VPN can cause a slowdown because the overhead of the tunnelling protocol needs processing time.
+ When using a tunnelling protocol there is a feeling of having to wait, because the Internet infrastructure is used and there is no guarantee about the amount of traffic queued in each segment along the data tunnel through the Internet. This may not be a serious problem, but it still needs attention. Users may need to repeat the connection setup if they feel it is slow.
With the rapid growth of remote-access networks and the nationwide, even international, deployment of dial-up POPs (Points of Presence) by service providers, the cost of long-distance calls has fallen away, and all worries about dial-up procedures can be borne by the Internet service provider (ISP) and the access provider. Dial-up remote-access IP-VPNs can be built on compulsory or voluntary tunnelling methods. In a dial-up remote-access scenario using another company's facilities, the user dials the Internet service provider's local POP and establishes a PPP (Point-to-Point Protocol) connection. After the user is authenticated and the PPP link is established, the service provider sets up, in compulsory fashion (that is, transparently to the user), a tunnel to a gateway in the private network that the remote user wants to reach. The private network performs the final user authentication and establishes the connection. This architecture is illustrated in Figure 2.4. The tunnelling technology chosen for dial-up access IP-VPN over another company's facilities is L2TP.
[Figure 2.4: compulsory L2TP tunnelling for dial-up remote access. Elements shown: DNS, SS7 gateway, RADIUS, IPSec client, ISDN switch, modem, DSLAM, RAS, PSTN, DSL, Internet, IPSec gateway, ISP, LNS; the L2TP tunnel runs from the ISP to the LNS, with IPSec from the client to the IPSec gateway.
LNS: L2TP Network Server. L2TP: Layer Two Tunneling Protocol. RAS: Remote Access Server. DSLAM: DSL Access Multiplexer.]
...new sites, and data security is better assured. With this capability, an intranet IP-VPN is also used to create an environment resembling the physical partitioning of groups of users into different LAN subnets connected by bridges or routers.

[Figures: intranet IP-VPN (remote offices, a home office and headquarters, each with devices 1 to 3, connected through POPs to the Internet/IP-VPN) and extranet IP-VPN (the same, extended to a business partner, a supplier and a customer).]
First we distinguish the two earliest protocols, PPTP and L2F. PPTP was developed jointly by several companies; L2F was developed independently by Cisco. Both PPTP and L2F are built on PPP (Point-to-Point Protocol). PPP is a layer-2 serial communication protocol that can encapsulate IP internetwork data and supports multiple upper-layer protocols. On the basis of PPTP and L2F, the IETF developed the L2TP tunnelling protocol. Today PPTP and L2TP are used more widely than L2F. Among the tunnelling protocols above, IPSec is the optimal solution in terms of data security. IPSec supports the strongest authentication and encryption methods. IPSec is also highly flexible: it is not bound to any particular authentication or encryption algorithm, and it can be used together with other tunnelling protocols to increase the security of a system. Despite its clear advantages over the other tunnelling protocols in assuring data security, IPSec has some drawbacks. First, IPSec is a new standards framework that is still being developed, so the number of vendors with products supporting IPSec is not yet large. Second, to take full advantage of IPSec's data security one must use a complex public key infrastructure (PKI) to handle digital certificates and digital signatures. Unlike IPSec, PPTP and L2TP are completed standards, so products supporting them are relatively common. PPTP can be deployed with a simple password system without PKI. PPTP and L2TP also have some other advantages over IPSec, such as support for multiple upper-layer protocols. Therefore, while IPSec is still being completed, PPTP and L2TP remain widely used. In particular, PPTP and L2TP are commonly used in remote-access applications. In this section we examine the two tunnelling protocols PPTP and L2TP; the IPSec tunnelling protocol is covered in Chapter 3.

2.4.1 PPTP (Point-to-Point Tunneling Protocol)
PPTP encapsulates PPP frames in IP datagrams for transmission across an IP network (the Internet or an intranet). PPTP uses a TCP connection (called the PPTP control connection) to create, maintain and terminate the tunnel, and a modified version of GRE (Generic Routing Encapsulation) to encapsulate the PPP frames. The payload of the PPP frame may be encrypted and/or compressed. PPTP assumes the existence of an IP network between the PPTP client (a VPN client using the PPTP tunnelling protocol) and the PPTP server (a VPN server using PPTP). The PPTP client may be connected directly, or by dialling a Network Access Server (NAS) to establish IP connectivity. Authentication during IP-VPN connection setup over PPTP uses the authentication mechanisms of the PPP connection, for example EAP (Extensible Authentication Protocol), CHAP (Challenge-Handshake Authentication Protocol) and PAP (Password Authentication Protocol). PPTP also inherits the encryption and/or compression of the PPP payload. The PPP payload is encrypted with MPPE (Microsoft Point-to-Point Encryption), provided that authentication uses EAP-TLS (EAP - Transport Layer Security) or Microsoft's MS-CHAP. MPPE provides only link-level encryption, not end-to-end encryption. If end-to-end encryption is required, IPSec can be used to encrypt IP traffic between the endpoints after the PPTP tunnel has been established. The PPTP server is an IP-VPN server using PPTP with one interface connected to the Internet and another connected to the intranet.

2.4.1.1 Tunnel maintenance with the PPTP control connection
The PPTP control connection is a connection between the IP address of the PPTP client (with a dynamically assigned TCP port) and the IP address of the PPTP server (using the reserved TCP port 1723).
The PPTP control connection carries the PPTP call-control and management messages used to maintain the PPTP tunnel. These include periodic PPTP Echo-Request and PPTP Echo-Reply messages that detect connectivity failures between the PPTP client and the PPTP server. Packets of the PPTP control connection consist of an IP header,
2.4.1.3 Processing of PPTP tunnelled data
On receiving PPTP tunnelled data, the PPTP client or PPTP server performs the following steps:
* Process and remove the data-link header and trailer.
* Process and remove the IP header.
* Process and remove the GRE header and PPP header.
* Decrypt and/or decompress the PPP payload (if necessary).
* Process the payload for reception or forwarding.
2.4.1.4 Encapsulation diagram
Figure 2.9 is the diagram of PPTP encapsulation through the network architecture (from an IP-VPN client over a remote-access VPN connection using an analogue modem).

[Figure 2.9: PPTP encapsulation through the protocol stack: NetBEUI, TCP/IP and IPX over NDIS and NDISWAN, then PPTP/L2TP, and the asynchronous, X.25 and ISDN WAN ports. Final packet structure: Data-link header | IP header | GRE header | PPP header | Encrypted PPP payload (IP datagram, IPX datagram or NetBEUI frame) | Data-link trailer.]
* NDISWAN sends the data to the PPTP protocol, which encapsulates the PPP frame with a GRE header. In the GRE header the Call ID field is set to the appropriate value to identify the tunnel.
* The PPTP protocol then sends the resulting packet to the TCP/IP protocol.
* TCP/IP encapsulates the PPTP tunnelled data with an IP header, then sends the result through NDIS to the interface representing the dial-up connection to the local ISP.
* NDIS sends the packet to NDISWAN, which provides the PPP header and trailer.
* NDISWAN sends the resulting PPP frame to the appropriate WAN port representing the dial-up hardware (for example, an asynchronous port for a modem connection).

2.4.2 L2TP (Layer Two Tunneling Protocol)
To avoid the coexistence of two incompatible tunnelling protocols, which would cause difficulties for users, the IETF combined the two protocols L2F and PPTP into L2TP, taking advantage of the strengths of both so that it can be used in all the application cases of PPTP and L2F. L2TP is described in RFC 2661. L2TP encapsulates PPP frames for transmission over IP, X.25, Frame Relay or ATM networks; at present only L2TP over IP networks has been defined. When transmitted over an IP network, L2TP frames are encapsulated as UDP messages; L2TP can be used as a tunnelling protocol across the Internet or across private intranets. L2TP uses UDP messages over the IP network for both tunnelled data and tunnel maintenance. The payload of the encapsulated PPP frame can be encrypted and compressed. However, encryption of L2TP connections is usually performed by IPSec ESP (rather than by MPPE as with PPTP). It is also possible to create L2TP connections without IPSec encryption; however, this is not an IP-VPN connection, since the private data encapsulated by L2TP is not encrypted. Unencrypted L2TP connections can be used temporarily to troubleshoot L2TP connections that use IPSec. L2TP assumes the existence of an IP network between the L2TP client (a VPN client using the L2TP tunnelling protocol and IPSec) and the L2TP server. The L2TP client may be connected directly to the IP network to reach the L2TP server, or indirectly by dialling a Network Access Server (NAS) to establish IP connectivity. Authentication during L2TP tunnel establishment must use the same authentication mechanisms as PPP connections, such as EAP, MS-CHAP, CHAP and PAP. The L2TP server is an IP-VPN server using the L2TP protocol with one interface connected to the Internet and another connected to the intranet.
Tunnelled data and tunnel-maintenance data share the same packet structure.
2.4.2.1 Tunnel maintenance with L2TP control messages
Unlike PPTP, L2TP tunnel maintenance is not performed over a separate TCP connection. Control and call-maintenance traffic is sent as UDP messages between the L2TP client and the L2TP server (both using UDP port 1701). L2TP control messages over an IP network are sent as UDP datagrams, which in turn are encrypted by IPSec ESP as shown in Figure 2.10.

[Figure 2.10: Data-link header | IP header | IPSec ESP header | UDP header | L2TP message | IPSec ESP trailer | IPSec ESP Auth trailer. The span from the UDP header to the ESP trailer is encrypted by IPSec.]
a) L2TP encapsulation: the original PPP payload is encapsulated with a PPP header and an L2TP header.
b) UDP encapsulation: the L2TP packet is then encapsulated with a UDP header; the source and destination ports are set to 1701.
c) IPSec encapsulation: depending on the IPSec policy, the UDP packet is encrypted and encapsulated with an IPSec ESP header, an IPSec ESP trailer and an IPSec authentication trailer.
d) IP encapsulation: the IPSec packet is encapsulated with an IP header containing the source and destination IP addresses of the IP-VPN client and the IP-VPN server.
e) Data-link encapsulation: to be transmitted on a LAN or WAN link, the final IP datagram is encapsulated with the header and trailer of the link-layer technology of the outgoing physical interface. For example, when IP datagrams are sent on an Ethernet interface they are encapsulated with an Ethernet header and trailer; when sent on a point-to-point WAN link (such as an ISDN line), they are encapsulated with a PPP header and trailer.
2.4.2.3 Processing of L2TP over IPSec tunnelled data
On receiving L2TP over IPSec tunnelled data, the L2TP client or L2TP server performs the following steps:
* Process and remove the data-link header and trailer.
* Process and remove the IP header.
* Use the IPSec ESP Auth trailer to authenticate the IP payload and the IPSec ESP header.
* Use the IPSec ESP header to decrypt the encrypted part of the packet.
* Process the UDP header and pass the L2TP packet to L2TP.
* L2TP uses the tunnel ID and call ID in the L2TP header to identify the specific L2TP tunnel.
* Use the PPP header to identify the PPP payload and forward it to the proper protocol for processing.
2.4.2.4 L2TP over IPSec encapsulation diagram
Figure 2.12 is the diagram of L2TP encapsulation through the network architecture from an IP-VPN client over a remote-access IP-VPN connection using an analogue modem.

[Figure 2.12: L2TP over IPSec encapsulation through the protocol stack: IPSec, TCP/IP, IPX and NetBEUI over NDIS and NDISWAN, then L2TP/PPTP, and the asynchronous, X.25 and ISDN WAN ports. Final packet structure: PPP header | IP header | IPSec ESP header | UDP header | L2TP header | PPP header | PPP payload (IP datagram, IPX datagram or NetBEUI frame) | IPSec ESP trailer | IPSec ESP Auth trailer | PPP trailer.]
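The PPP-in-GRE framing of PPTP (2.4.1.3 and Figure 2.9) and the PPP-in-L2TP framing of L2TP (2.4.2.2 and 2.4.2.3), as one added example that is not part of the original thesis. It builds and parses the enhanced GRE header of RFC 2637 and the L2TPv2 data header of RFC 2661, then performs the receive-side demultiplexing the text describes: look up the call ID (PPTP) or tunnel/session IDs (L2TP), strip the PPP header and hand the payload to the upper protocol. The IP and UDP layers, and the ESP layer of L2TP over IPSec, are assumed already handled by the lower layers; the call and session IDs, the `known_calls`/`known_sessions` tables and the sample datagram are constructed values.

```python
"""PPP-in-GRE (PPTP, RFC 2637) and PPP-in-L2TP (RFC 2661) data framing and the
receive-side demultiplexing of 2.4.1.3 / 2.4.2.3 (added example). The IP, UDP and
IPSec ESP layers are assumed already stripped; the functions start at GRE or L2TP."""
import struct

GRE_PROTO_PPP = 0x880B       # protocol type carried by PPTP's enhanced GRE
L2TP_UDP_PORT = 1701         # both ends of an L2TP tunnel use UDP/1701
PPP_PROTO_NAMES = {0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBEUI"}


def ppp_frame(protocol, payload):
    """PPP framing: Address 0xFF, Control 0x03, 16-bit protocol, payload."""
    return struct.pack("!BBH", 0xFF, 0x03, protocol) + payload


def parse_ppp(frame):
    addr, ctrl, proto = struct.unpack("!BBH", frame[:4])
    if (addr, ctrl) != (0xFF, 0x03):
        raise ValueError("unexpected PPP address/control bytes")
    return proto, frame[4:]


def pptp_gre_encap(call_id, seq, ppp, ack=None):
    """Enhanced GRE header: K (call ID present) and S (sequence present) always set,
    version 1; the A bit and a 32-bit acknowledgement are added when piggy-backing."""
    flags = 0x20 | 0x10                              # K, S
    ver = 0x01 | (0x80 if ack is not None else 0)    # version 1, A bit
    hdr = struct.pack("!BBHHHI", flags, ver, GRE_PROTO_PPP, len(ppp), call_id, seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp


def pptp_gre_decap(pkt):
    flags, ver, proto, length, call_id, seq = struct.unpack("!BBHHHI", pkt[:12])
    if proto != GRE_PROTO_PPP or (ver & 0x07) != 1 or not (flags & 0x20):
        raise ValueError("not a PPTP GRE packet")
    off, ack = 12, None
    if ver & 0x80:
        (ack,) = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": pkt[off:off + length]}


def l2tp_data_encap(tunnel_id, session_id, ppp, ns=None, nr=None):
    """L2TPv2 data message: T=0, L (length present), optional S (Ns/Nr present), Ver=2."""
    flags = 0x4000 | 0x0002
    body = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        flags |= 0x0800
        body += struct.pack("!HH", ns, nr)
    length = 4 + len(body) + len(ppp)                # flags+length fields, then the rest
    return struct.pack("!HH", flags, length) + body + ppp


def l2tp_data_decap(pkt):
    (flags,) = struct.unpack("!H", pkt[:2])
    if (flags & 0x000F) != 2:
        raise ValueError("not L2TP version 2")
    if flags & 0x8000:
        raise ValueError("control message, not tunnelled data")
    off, length = 2, len(pkt)
    if flags & 0x4000:
        (length,) = struct.unpack("!H", pkt[off:off + 2])
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    ns = nr = None
    if flags & 0x0800:
        ns, nr = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
    if flags & 0x0200:                               # O bit: offset size, then padding
        (osz,) = struct.unpack("!H", pkt[off:off + 2])
        off += 2 + osz
    return {"tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr,
            "ppp": pkt[off:length]}


def deliver_pptp(pkt, known_calls):
    """Step 3 of 2.4.1.3 and the hand-off of step 5: strip GRE and PPP, pick the protocol."""
    g = pptp_gre_decap(pkt)
    if g["call_id"] not in known_calls:
        raise ValueError("unknown PPTP call ID %d" % g["call_id"])
    proto, payload = parse_ppp(g["ppp"])
    return known_calls[g["call_id"]], PPP_PROTO_NAMES.get(proto, hex(proto)), payload


def deliver_l2tp(pkt, known_sessions):
    """Last two steps of 2.4.2.3: identify the tunnel/session, strip L2TP and PPP."""
    d = l2tp_data_decap(pkt)
    key = (d["tunnel_id"], d["session_id"])
    if key not in known_sessions:
        raise ValueError("unknown L2TP tunnel/session %r" % (key,))
    proto, payload = parse_ppp(d["ppp"])
    return known_sessions[key], PPP_PROTO_NAMES.get(proto, hex(proto)), payload


# Constructed sample: a placeholder 20-byte IPv4 datagram inside a PPP frame.
SAMPLE_IP = b"\x45\x00\x00\x14" + b"\x00" * 16
SAMPLE_PPP = ppp_frame(0x0021, SAMPLE_IP)

if __name__ == "__main__":
    gre = pptp_gre_encap(call_id=7, seq=1, ppp=SAMPLE_PPP, ack=0)
    print(deliver_pptp(gre, {7: "client-A"})[:2])
    l2 = l2tp_data_encap(tunnel_id=3, session_id=9, ppp=SAMPLE_PPP, ns=1, nr=0)
    print(deliver_l2tp(l2, {(3, 9): "lac-1"})[:2])
```

Packets whose call ID or tunnel/session pair is not in the local table are dropped rather than forwarded; for L2TP over IPSec this lookup only runs after the ESP ICV check in the preceding step, so an unauthenticated packet never reaches it.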
2.5 Summary
This chapter presented the concept of, and a general introduction to, IP-VPN technology. It is not a new technology, but with the strong growth of the Internet worldwide the IP-VPN market will develop rapidly. For organisations with wide networks, this technology is very effective for communication among the company's members in different geographic regions, allowing new offices to be added flexibly, reaching customers directly and, importantly, providing information security. By basic structure there are two kinds of VPN: site-to-site IP-VPN and remote-access VPN. Site-to-site comprises two models: intranet IP-VPN, used to connect the LANs of an organisation's remote offices, and extranet IP-VPN, used for applications that connect online to the organisation's customers. From the concepts presented it can be seen that the parties and scope of connection of an extranet VPN are somewhat broader than those of an intranet VPN; because the connecting parties change constantly and are hard to vouch for in advance, its security requirements are also higher. Remote-access IP-VPN serves mobile workers and small remote offices. An IP-VPN comprises the following basic building blocks: access control, authentication, security, tunnelling and service level agreements. These are complex issues that require many protocols working together for the IP-VPN to perform its functions effectively; among them, tunnelling is the foundation of IP-VPN. This chapter gave a general introduction to the existing tunnelling protocols used for IP-VPN, of which PPTP and L2TP are the two completed and widely deployed ones at present. The next chapter presents IPSec, a protocol regarded as optimal for IP-VPN technology.
+ ESP is a protocol that provides security for transmitted packets, including data encryption, data origin authentication and connectionless data integrity checking. ESP ensures confidentiality by encrypting the IP packet; all ESP traffic is encrypted between the two systems. Because of this, the trend is to use ESP more than AH, to increase the security of data.
+ Both AH and ESP are vehicles for access control, based on the distribution of cryptographic keys and the management of the traffic flows governed by these security protocols. The protocols can be applied alone or in combination to provide the desired set of security services in IPv4 and IPv6, but the way they provide those services differs. For both AH and ESP, IPSec does not mandate particular security algorithms; instead it is a standard framework that uses industry-standard algorithms. IPSec uses hash-based message authentication codes (HMAC) with MD5 (Message Digest 5) or SHA-1 for message integrity; DES and 3DES for data encryption; and pre-shared keys, RSA digital signatures or RSA-encrypted nonces for peer authentication. The standards also define the use of other algorithms such as IDEA, Blowfish and RC4. IPSec can use the IKE (Internet Key Exchange) protocol to authenticate the two sides and to negotiate the security and authentication policy, determining the algorithms used to set up the channel and exchanging the keys for each connection session. A network using IPSec to secure data flows can automatically verify device identity with the digital certificates of the two communicating parties. This negotiation ultimately leads to the establishment of security associations (SAs) between the peers; a security association is one-way (simplex), so a two-way session needs a pair of SAs. Security association information is stored in the security association database, and each SA is assigned a security parameter index, so that the combination of destination address, security protocol (ESP or AH) and SPI identifies exactly one SA.
3.1.2 Related reference standards
The IETF has issued a series of RFCs (Request for Comments) related to IPSec:
RFC    Subject                                     Date
2406   ESP (Encapsulating Security Payload)        11/1998
2407   ISAKMP (IPSec domain of interpretation)     11/1998
2408   ISAKMP                                      11/1998
2409   IKE                                         11/1998
2410   NULL encryption algorithm for ESP           11/1998
2451   ESP CBC-mode cipher algorithms              11/1998
IPSec has two modes of providing high-level authentication and encryption by encapsulating information: Transport mode and Tunnel mode. We consider these two modes before examining the AH and ESP protocols.
3.2.1.1 Transport mode
In this mode security is provided for the protocols of the higher layers (layer 4 and above). This mode protects the payload of the packet but leaves the original IP header in the clear. The original IP addresses are used to route the packet across the Internet.

[Figure: Transport mode layouts. AH: Original header | AH header | Payload, with the whole packet authenticated. ESP: Original header | ESP header | Payload, with the payload encrypted and the ESP header plus payload authenticated.]
...instead of the end hosts. Figure 3.3 is an example: router A processes packets from host A and sends them into the tunnel; router B processes the packets received in the tunnel, restores them to their original form and forwards them to host B. Thus the end hosts need no changes yet still obtain the data security of IPSec. Moreover, in Tunnel mode intermediate devices in the network can see only the addresses of the two tunnel endpoints (here routers A and B). When Tunnel mode is used, the IP-VPN endpoints do not need to change applications or operating systems.

[Figure 3.3: host A | router A ===IPSec tunnel=== router B | host B]
...(a hash or message digest). This code is inserted into the packet before transmission. Any change to the packet's contents in transit is then detected by the receiver when it runs the same keyed one-way hash function over the received packet and compares the result with the transmitted hash value. The hash is computed over the whole packet, except for some fields in the IP header whose values change in transit in ways the receiver cannot predict (for example the time-to-live field, which routers along the path modify).
3.2.2.2 AH packet structure
Devices using AH insert a header into the IP datagram of the traffic of interest, between the IP header and the layer-4 header. Because AH is tied to IPSec, the IP-VPN can decide which traffic needs security and which traffic needs no security solution between the parties. For example, one could choose to process e-mail traffic but not web traffic. The insertion of the AH header is shown in Figure 3.4.

[Figure 3.4: Original IP header | Original layer-4 header | Data becomes Original IP header | IPSec AH | Original layer-4 header | Data. AH fields: Next Header (8 bits) | Payload Length (8 bits) | Reserved (16 bits) | SPI (32 bits) | Sequence Number (32 bits) | Authentication Data (variable, an integral multiple of 32 bits).]
* Security Parameters Index (SPI): a 32-bit field, mandatory.
* Sequence Number: an unsigned 32-bit field containing a counter value that increases by one for each packet sent. The field is mandatory; the sender always includes it even if the receiver does not use the anti-replay service. The sender's and receiver's counters are initialised to 0 when an SA is established, so the first packet has sequence number 1. If the anti-replay service is used, the counter must not wrap: the session must be ended and a new SA established before 2^32 packets have been sent.
* Authentication Data: also called the ICV (Integrity Check Value), of variable length equal to an integral multiple of 32 bits for IPv4 and 64 bits for IPv6, and possibly containing padding to reach that multiple. The ICV is computed with an authentication algorithm, typically a message authentication code (MAC) such as HMAC-MD5 or HMAC-SHA-1. The keys used for AH are secret authentication keys shared between the communicating parties; they should be random values, not a predictable string of any kind. The ICV is computed over the new packet with every mutable field of the IP header set to zero, and the upper-layer data is assumed immutable. Each IP-VPN endpoint computes this ICV independently. If the ICV computed by the receiver does not match the ICV sent by the transmitter, the packet is discarded; this ensures that the packet has not been forged.
3.2.2.3 AH processing
AH operates in the following steps:
Step 1: The entire IP packet (IP header and payload) is passed through a keyed one-way hash function.
Step 2: The resulting hash is used to build an AH header, which is inserted into the original packet.
Step 3: The packet with the AH header added is sent to the IPSec peer.
Step 4: The receiver runs the same hash function over the IP header and payload, obtaining a hash.
Step 5: The receiver extracts the hash from the AH header.
Step 6: The receiver compares the hash it computed with the hash extracted from the AH header. The two must be identical. If even one bit changed during transmission, the two hashes differ and the receiver immediately detects the loss of data integrity.
a) Placement of AH
AH has two modes of operation, Transport mode and Tunnel mode. Transport mode is the mode first used for end-to-end connections between hosts or devices acting as hosts; Tunnel mode is used for the remaining applications. Transport mode protects the upper-layer protocols, together with some fields of the IP header. In this mode AH is inserted after the IP header, before an upper-layer protocol (such as TCP, UDP or ICMP) and before any other IPSec headers already inserted. For IPv4, AH is placed after the IP header and before the upper-layer protocol (here TCP). For IPv6, AH is regarded as an end-to-end payload, so it appears after the hop-by-hop, routing and fragmentation extension headers. The destination options extension headers may come before or after AH.
Figure 3.5: IPv4 format before and after AH processing in Transport mode.
Before AH: Orig IP hdr (any options) | TCP | Data
After AH:  Orig IP hdr (any options) | AH | TCP | Data

Figure 3.6: IPv6 format before and after AH processing in Transport mode.
Before AH: Orig IP hdr | Ext hdr (if present) | TCP | Data
After AH:  Orig IP hdr | Hop-by-hop, dest*, routing, fragment | AH | Dest opt* | TCP | Data
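The ICV computation of 3.2.2.2 and the six processing steps of 3.2.2.3, as an added example that is not part of the original thesis: AH in Transport mode over IPv4 with an HMAC-SHA1-96 ICV, computed with the mutable header fields (TOS, flags/fragment offset, TTL, checksum) zeroed as RFC 2402 requires. The `router_hop` function models a transit router decrementing the TTL, which must not break verification, while any change to the payload or the addresses must. The key, SPI and sample UDP packet are constructed values.

```python
"""IPsec AH in transport mode over IPv4 (added example): HMAC-SHA1-96 ICV computed
with the mutable IP header fields zeroed, so a router's TTL decrement does not break
verification while any change to the payload or the addresses does."""
import hashlib
import hmac
import struct

IPPROTO_AH = 51
ICV_LEN = 12                 # HMAC-SHA1-96 (RFC 2404): 96-bit truncated ICV
AH_FIXED_LEN = 12            # Next Header, Payload Len, Reserved, SPI, Sequence Number


def _ip_checksum(hdr):
    """RFC 1071 one's-complement sum over 16-bit words (checksum field must be zero)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _set_header(hdr, proto=None, total_len=None, ttl=None):
    """Return a 20-byte IPv4 header with the given fields changed and the checksum refreshed."""
    h = bytearray(hdr)
    if proto is not None:
        h[9] = proto
    if total_len is not None:
        struct.pack_into("!H", h, 2, total_len)
    if ttl is not None:
        h[8] = ttl
    h[10:12] = b"\x00\x00"
    struct.pack_into("!H", h, 10, _ip_checksum(bytes(h)))
    return bytes(h)


def _zero_mutable(ip_hdr):
    """Mutable fields (RFC 2402 3.3.3.1.1.1): TOS, flags/fragment offset, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def _icv(key, ip_hdr, ah_fixed, payload):
    data = _zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, packet, spi, seq):
    """Steps 1-3: insert AH between the IPv4 header (no options) and the payload."""
    ip_hdr, payload = packet[:20], packet[20:]
    if ip_hdr[0] != 0x45:
        raise ValueError("only IPv4 without options is handled here")
    ah_total = AH_FIXED_LEN + ICV_LEN
    # Payload Len counts 32-bit words minus 2 (RFC 2402): 24 / 4 - 2 = 4
    ah_fixed = struct.pack("!BBHII", ip_hdr[9], ah_total // 4 - 2, 0, spi, seq)
    new_ip = _set_header(ip_hdr, proto=IPPROTO_AH, total_len=len(packet) + ah_total)
    return new_ip + ah_fixed + _icv(key, new_ip, ah_fixed, payload) + payload


def ah_verify(key, packet):
    """Steps 4-6: recompute and compare the ICV; return (spi, seq, next_header, packet)."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != IPPROTO_AH:
        raise ValueError("no AH header")
    ah_fixed = packet[20:20 + AH_FIXED_LEN]
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_total = (payload_len + 2) * 4
    icv = packet[20 + AH_FIXED_LEN:20 + ah_total]
    payload = packet[20 + ah_total:]
    if not hmac.compare_digest(icv, _icv(key, ip_hdr, ah_fixed, payload)):
        raise ValueError("AH ICV mismatch: packet modified or forged")
    original = _set_header(ip_hdr, proto=next_hdr, total_len=20 + len(payload)) + payload
    return spi, seq, next_hdr, original


def router_hop(packet):
    """What every transit router does: decrement the TTL and refresh the checksum."""
    return _set_header(packet[:20], ttl=packet[8] - 1) + packet[20:]


def sample_packet():
    """Constructed IPv4/UDP packet (10.0.0.1 -> 10.0.0.2, 5 bytes of data)."""
    payload = b"\x00\x35\x00\x35\x00\x0d\x00\x00hello"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return _set_header(hdr) + payload


if __name__ == "__main__":
    key = b"shared-authentication-key"
    protected = ah_protect(key, sample_packet(), spi=0x100, seq=1)
    print("after one hop:", ah_verify(key, router_hop(protected))[:3])
```

Because the TTL and checksum are excluded from the ICV, the packet survives routing; because the addresses and payload are included, a NAT on the path rewriting the source address breaks AH, which is one practical reason the text gives for ESP being preferred.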
In Tunnel mode the inner IP header carries the ultimate source and destination addresses, while the outer IP header carries the addresses used for routing across the Internet. In this mode AH protects the entire inner IP packet, including the inner IP header (whereas AH in Transport mode only

[Figure: IPv6 Tunnel mode after AH: New IP hdr | Ext hdr (if present) | AH | Orig IP hdr | Ext hdr (if present) | TCP | Data; everything is authenticated except the mutable fields of the new IP header.]
+ Tnh ton ICV: bng cch s dng cc thut ton, pha thu s tnh ton li ICV pha thu v so snh n vi gi tr c trong AH quyt nh ti kh nng tn ti ca gi tin . + Chn d liu: c hai dng chn d liu trong AH, l chn d liu xc thc (Authentication Data Padding) v chn gi ngm nh (Implicit Packet Padding). i vi chn d liu xc thc, nu u ra ca thut ton xc thc l bi s ca 96 bit th khng c chn. Tuy nhin nu ICV c kch thc khc th vic chn thm d liu l cn thit. Ni dung ca phn d liu chn l ty , cng c mt trong php tnh ICV v c truyn i. Chn gi ngm nh c s dng khi thut ton xc thc yu cu tnh ICV l s nguyn ca mt khi b byte no v nu di gi IP khng tha mn iu kin th chn gi ngm nh c thc hin pha cui ca gi trc khi tnh ICV. Cc byte chn ny c gi tr l 0 v khng c truyn i cng vi gi. + Phn mnh: khi cn thit, phn mnh s c thc hin sau khi x l AH. V vy AH trong kiu transport ch c thc hin trn ton b gi IP, khng thc hin trn tng mnh. Nu bn thn gi IP qua x l AH b phn mnh trn ng truyn th pha thu phi c ghp li trc khi x l AH. kiu Tunnel, AH c th thc hin trn gi IP m phn ti tin l mt gi IP phn mnh. d) X l gi u vo Qu trnh x l gi tin u vo ngc vi qu trnh x l gi tin u ra: + Ghp mnh: c thc hin trc khi x l AH (nu cn). + Tm kim SA: khi nhn c gi cha AH header, pha thu s xc nh mt SA ph hp da trn a ch IP ch, giao thc an ninh (AH) v SPI. Qu trnh tm kim c th xem chi tit trong RFC 2401. Nu khng c SA no thch hp c tm thy cho phin truyn dn, pha thu s loi b gi. + Kim tra SN: AH lun h tr dch v chng pht li, mc d dch v ny c s dng hay khng l hon ton da vo ty chn pha thu. V vy qu trnh kim tra ny c th c thc hin hoc khng. 3.2.3 Giao thc ng gi an ton ti tin ESP 3.2.3.1 Gii thiu ESP c nh ngha trong RFC 1827 v sau c pht trin thnh RFC 2408. Cng nh AH, giao thc ny c pht trin hon ton cho IPSec. Giao thc ny cung cp tnh b mt d liu bng vic mt m ha cc gi tin. Thm vo , ESP cng cung cp nhn thc ngun gc d liu, kim tra tnh ton vn d liu, dch v chng pht li v mt s gii hn v lung lu lng cn bo mt. Tp cc dch v cung cp bi ESP Bi Vn Nht 45K2TVT 45
depends on the options selected when the SA is established; the confidentiality service is provided independently of the other services. However, unless it is combined with the authentication and data integrity services, confidentiality is not effectively guaranteed: an attacker who can flip ciphertext bits undetected can manipulate the plaintext and, with CBC, gradually recover it, so encryption-only ESP should not be used. Authentication and integrity always go together. The anti-replay service is available only if authentication is selected. ESP is used when the IPSec traffic to be carried requires confidentiality.

3.2.3.2 ESP packet format

ESP operates quite differently from AH. As the name implies, ESP encapsulates all or part of the original data. Because it provides confidentiality, ESP tends to be used more widely than AH. The header immediately preceding the ESP header carries the value 50 in its Protocol field (the value 51 identifies AH). Figure 3.8 illustrates the encapsulation process:
Figure 3.8: ESP encapsulation. Before: Original IP Header | Original Layer 4 Header | Data. After: Original IP Header | ESP Header (SPI, Sequence Number) | Original Layer 4 Header + Data (encrypted) | ESP Trailer (Padding, Pad Length, Next Header) | ICV.

ESP packet format:
  SPI (32 bits)
  Sequence Number (32 bits)
  Payload Data (variable length, integral number of bytes)
  Padding (0 to 255 bytes)
  Pad Length (8 bits) | Next Header (8 bits)
  Authentication Data (variable length)
Encryption coverage: Payload Data through Next Header. Authentication coverage: SPI through Next Header.
The ESP fields are defined below. Note that a field may be optional or mandatory. The presence of an optional field is decided during security association establishment, so the ESP format for a given SA is fixed for the lifetime of that SA. Mandatory fields are present in every ESP packet.

* SPI (Security Parameters Index): an arbitrary 32-bit value which, together with the destination IP address and the security protocol (ESP), uniquely identifies the SA for this datagram. SPI values 1 to 255 are reserved by IANA for future use, and 0 is reserved for local, implementation-specific use. The SPI is normally chosen by the receiver when the SA is established. The SPI is mandatory.

* Sequence Number: the same as the Sequence Number field of AH.

* Payload Data: mandatory. It holds a variable number of bytes of the original data, or of the part of the data requiring confidentiality, whose type is given by Next Header. The field is encrypted with the cipher chosen during SA establishment. If the algorithm requires an initialization vector, the IV is carried here as well. The cipher usually used with ESP is DES-CBC; other algorithms are also supported, such as 3DES, or CDMF in the case of IBM products.

* Padding (0 to 255 bytes): there are several reasons for this field:
  - If the cipher requires the plaintext to be an integral number of blocks (a block cipher), Padding fills out the plaintext (Payload Data, Pad Length, Next Header and Padding) to the required size.
  - Padding is also needed so that the ciphertext ends on a 4-byte boundary, clearly separated from the Authentication Data field.
  - Padding may also be used to conceal the true length of the Payload, although this must be weighed against its cost in bandwidth.

* Pad Length: the number of Padding bytes added. Valid values are 0 to 255. Pad Length is mandatory.

* Next Header: an 8-bit field identifying the type of data in Payload Data, for example an IPv6 extension header or the identifier of another upper-layer protocol. Its value is taken from the IP Protocol Numbers defined by IANA. Next Header is mandatory.

* Authentication Data: a variable-length field containing an integrity check value (ICV) computed over the whole ESP packet except the Authentication Data field itself. Its length depends on the authentication algorithm. The field is optional and is present only if the authentication service was selected for the SA in question. The authentication algorithm must specify the ICV length and the processing and comparison rules used to verify packet integrity.

3.2.3.3 ESP processing

a) Placement of the ESP header

ESP has two modes of operation, Transport and Tunnel. Transport mode protects upper-layer protocols but not the IP header. In this mode ESP is inserted after the IP header and before the upper-layer protocol (for example TCP, UDP or ICMP), or before any IPSec header that has already been inserted. For IPv4, the ESP header is placed after the IP header and before the upper-layer protocol (here TCP); the ESP trailer consists of the Padding, Pad Length and Next Header fields. For IPv6, ESP is treated as an end-to-end payload, so it appears after the hop-by-hop, routing and fragmentation extension headers. Destination options extension headers may appear before or after the ESP header; since ESP protects only the fields after the ESP header, destination options are usually placed after it. See RFC 1883 for IPv6 details.
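As an added example that is not part of the thesis, the following Python builds and checks an ESP packet with the field layout and processing order described above. It uses the NULL cipher of RFC 2410 (so it runs with the standard library alone; ciphertext equals plaintext) and HMAC-SHA-1-96 for the ICV. The 20-byte key, the 8-byte block size (to mimic the alignment DES-CBC would require) and the payload are constructed for the demonstration.

```python
# Added example (not from the thesis): build and verify an ESP packet (RFC 2406
# layout) with the NULL cipher of RFC 2410 and an HMAC-SHA-1-96 ICV (RFC 2404).
# The authentication key, block size and payload below are constructed.
import hashlib
import hmac
import struct

IPPROTO_TCP = 6


def esp_pad(payload: bytes, next_header: int, block_size: int = 8) -> bytes:
    """Append Padding, Pad Length and Next Header so that the encrypted part is a
    multiple of block_size (which must itself be a multiple of 4, so the trailer
    also ends on a 4-byte boundary). Pad bytes are 1, 2, 3, ... as RFC 2406 suggests."""
    pad_len = (-(len(payload) + 2)) % block_size
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def build_esp(spi: int, seq: int, payload: bytes, next_header: int,
              auth_key: bytes, block_size: int = 8) -> bytes:
    """Outbound order: 'encrypt' first (identity for the NULL cipher), then MAC
    over SPI .. Next Header and append the ICV truncated to 96 bits."""
    header = struct.pack("!II", spi, seq)
    encrypted = esp_pad(payload, next_header, block_size)   # NULL cipher
    icv = hmac.new(auth_key, header + encrypted, hashlib.sha1).digest()[:12]
    return header + encrypted + icv


def parse_esp(packet: bytes, auth_key: bytes):
    """Inbound order: verify the ICV before touching the payload (a bad packet is
    rejected without decryption), then strip the trailer.
    Returns (spi, seq, next_header, payload) or raises ValueError."""
    if len(packet) < 8 + 2 + 12:
        raise ValueError("packet too short")
    body, icv = packet[:-12], packet[-12:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(icv, expected):       # constant-time compare
        raise ValueError("ICV mismatch: drop packet")
    spi, seq = struct.unpack("!II", body[:8])
    plaintext = body[8:]                              # NULL cipher: no decryption
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("bad pad length")
    return spi, seq, next_header, plaintext[:len(plaintext) - 2 - pad_len]


if __name__ == "__main__":
    key = b"k" * 20                                   # constructed demo key
    pkt = build_esp(0x1000, 1, b"hello", IPPROTO_TCP, key)
    print(len(pkt), parse_esp(pkt, key))
```

A 5-byte payload plus the 2-byte Pad Length / Next Header pair needs one byte of padding to reach the 8-byte block, so the packet is 8 (header) + 8 (encrypted part) + 12 (ICV) = 28 bytes. Flipping any byte covered by the ICV makes parse_esp raise before the payload is examined.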
Figure 3.10: IPv4 packet before and after ESP processing in Transport mode. Before: IPv4 | TCP | Data. After: IPv4 | ESP Header | TCP | Data | ESP Trailer | ESP Auth (TCP through ESP Trailer is encrypted; ESP Header through ESP Trailer is authenticated).
Figure 3.11: IPv6 packet before and after ESP processing in Transport mode. Before: Orig IP hdr | Ext hdr (any options, if present) | TCP | Data. After ESP is added: Orig IP hdr | Hop-by-hop, dest*, routing, fragment | ESP | Dest opt* | TCP | Data | ESP Trailer | ESP Auth (* = destination options may appear before or after ESP; only those after ESP are protected).
In Tunnel mode, the inner IP header carries the ultimate source and destination addresses, while the outer IP header carries the addresses used for routing across the Internet. In this mode ESP protects the entire inner IP packet, including the inner IP header. Relative to the outer IP header, the position of ESP is the same as in Transport mode.
Figure: ESP in Tunnel mode. IPv4: New IP hdr (any options) | ESP Header | Orig IP hdr (any options) | TCP | Data | ESP Trailer | ESP Auth. IPv6: New IP hdr | New Ext hdr | ESP | Orig IP hdr | Orig Ext hdr | TCP | Data | ESP Trailer | ESP Auth. In both cases the span from the original IP header through the ESP Trailer is encrypted, and the span from the ESP header through the ESP Trailer is authenticated.
Other algorithms may be supported. Note that at least one of the confidentiality and authentication services must be applied, so the authentication and encryption algorithms must not both be NULL at the same time.

- Encryption algorithms: the cipher is determined by the SA. ESP works with symmetric ciphers. Because IP packets may arrive out of order, each packet must carry the information the receiver needs to establish cryptographic synchronization for decryption. This data may be carried in the Payload field (for example as an initialization vector, IV) or derived from the packet header. Thanks to the Padding field, ciphers used with ESP may have block or stream characteristics. Since the confidentiality service is optional, the cipher may be NULL.

- Authentication algorithms: the algorithm used to compute the ICV is determined by the SA. For point-to-point communication, suitable algorithms include keyed one-way hash functions (HMAC with MD5 or SHA-1). Since the authentication service is optional, the authentication algorithm may be NULL.

c) Outbound packet processing

In Transport mode, the sender encapsulates the upper-layer protocol information in the ESP header and trailer and keeps the IP header (and, for IPv6, all IP extension headers). In Tunnel mode, an outer IP header is added as well. Outbound processing is as follows:

- SA lookup: ESP is applied to an outbound packet only when IPSec processing determines that the packet is associated with an SA that calls for ESP processing. How the IPSec processing to apply to outbound traffic is determined is described in RFC 2401.

- Packet encryption: in Transport mode only the upper-layer protocol information is encapsulated; in Tunnel mode the entire original IP packet is. Padding is added if necessary, and the fields are encrypted with the key, algorithm and algorithm mode specified by the SA, together with the cryptographic synchronization data if any. The exact steps for constructing the outer IP header depend on the mode (Transport or Tunnel). If the authentication service is selected, encryption is performed first, and encryption does not cover the Authentication Data field. This order lets the receiver detect and discard corrupted or replayed packets quickly without decrypting them, which limits the impact of denial-of-service attacks, and it lets the receiver run decryption and authentication in parallel.
- ICV computation: if the authentication service is selected for the SA, the sender computes the ICV over the ESP packet excluding the Authentication Data field. Note that encryption is performed before authentication. The details of ICV computation are the same as for AH.

- Fragmentation: when necessary, fragmentation is performed after ESP processing. ESP in Transport mode is therefore applied only to whole IP packets, never to individual fragments. If an ESP-processed IP packet is fragmented by routers in transit, the fragments must be reassembled before ESP processing at the receiver. In Tunnel mode, ESP may be applied to an IP packet whose Payload is a fragmented IP packet.

d) Inbound packet processing

Inbound processing is the reverse of outbound processing:

- Reassembly: performed before ESP processing.

- SA lookup: on receiving a reassembled packet containing an ESP header, the receiver determines the matching SA from the destination IP address, the security protocol (ESP) and the SPI. The lookup is described in detail in RFC 2401. The SA indicates whether the Sequence Number must be checked, whether the Authentication Data field is present, and which algorithms and keys are needed to decrypt and to compute the ICV, if any. If no matching SA is found for this session (for example, the receiver has no key), the receiver drops the packet.

- Sequence number check: ESP always supports the anti-replay service, although its use is entirely the receiver's choice on a per-SA basis. The service cannot be provided if the authentication service is not selected, because the Sequence Number is then not integrity-protected. If the receiver does not select anti-replay for an SA, it need not check the Sequence Number. The sender, however, assumes by default that the receiver uses the service. So that the sender does not have to monitor the sequence number and re-establish the SA unnecessarily, the receiver notifies the sender during SA establishment that the anti-replay service is not used (when an SA-establishment protocol such as IKE is used). If the receiver does select anti-replay for an SA, the receive packet counter for that SA must be initialized to 0 when the SA is established. For every received packet, the receiver must verify that the packet's sequence number does not duplicate that of any packet received during the lifetime of the SA. Once a packet has been matched to an SA, this check should be performed first so that the packet can be accepted or rejected quickly. Packets are rejected using a sliding receive window. The minimum window size is 32 and the default is 64; the receiver may use a larger window. The right edge of the window represents the highest valid sequence number received on this SA. Packets whose sequence number is below the left edge of the window are discarded. Packets whose sequence number falls between the two edges are checked against the list of packets already received within the window. If a received packet lies inside the window and is new, or lies to the right of the window, the receiver proceeds to ICV verification. If ICV verification fails, the receiver must discard the IP packet as invalid. The receive window is updated only after ICV verification succeeds.

- ICV check: if the authentication service is selected, the receiver computes the ICV over the ESP packet, excluding the Authentication Data field, with the authentication algorithm specified in the SA, and compares it with the ICV in the packet's Authentication Data field. If the two values match exactly, the packet is valid and is accepted; otherwise the receiver discards it. The check proceeds as follows: first the ICV in the Authentication Data field is removed from the ESP packet and saved. Next the remainder of the ESP packet (excluding Authentication Data) is examined. If the authentication algorithm requires implicit padding, zero bytes are appended to the end of the ESP packet, immediately after the Next Header field. The ICV is then computed and compared with the saved value using the comparison rules defined by the algorithm.

e) Packet decryption

If ESP uses encryption, the packet must be decrypted; if the confidentiality service is not used, there is no decryption at the receiver. Decryption proceeds as follows:

- Decrypt the ESP payload (Payload Data, Padding, Pad Length and Next Header) with the key, cipher and cipher mode specified by the SA.
- Process the Padding as specified by the algorithm. The receiver must locate and remove the Padding before passing the decrypted data to the upper layer.
- Reconstruct the original IP packet from the original IP header and the upper-layer information in the ESP payload (Transport mode), or from the outer IP header and the entire original IP packet in the ESP payload (Tunnel mode).

If the authentication service is also selected, ICV verification and decryption may proceed serially or in parallel.
If they proceed serially, the ICV check must be performed first. If they proceed in parallel, the ICV check must complete before the decrypted packet is passed to the next processing step. This ordering allows invalid packets to be rejected quickly. Decryption can fail for the following reasons:

- The wrong SA was selected: the SA may be wrong because of an incorrect SPI, destination address or Protocol field.
- The Padding length or the Padding values are wrong.
- The encrypted ESP packet is corrupted (this can be detected if the authentication service is selected for the SA).
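The sliding receive window described above, written out in Python as an added example that is not from the thesis. The window size, the sequence numbers and the simulated ICV outcomes are constructed inputs; the order of operations follows the text: sequence number check first, then the ICV, and the window is updated only after the ICV verified.

```python
# Added example (not from the thesis): the anti-replay sliding window used by
# ESP and AH receivers (RFC 2401 Appendix C). The receiver remembers the highest
# sequence number accepted (the right edge) and a bitmap recording which of the
# previous `size` sequence numbers have already been accepted.
class ReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 2401 requires a window of at least 32")
        self.size = size
        self.right = 0        # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  <=>  sequence number (right - i) accepted

    def check(self, seq: int) -> bool:
        """Pre-ICV check: True if seq is new and inside or to the right of the window."""
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.right:
            return True                       # right of the window: certainly new
        if seq <= self.right - self.size:
            return False                      # left of the window: too old, drop
        return not (self.bitmap >> (self.right - seq)) & 1   # inside: replay?

    def update(self, seq: int) -> None:
        """Advance the window. Call only after the ICV check succeeded for seq."""
        if seq > self.right:
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 1               # everything older falls out of the window
            else:
                self.bitmap = (self.bitmap << shift) | 1
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)
        self.bitmap &= (1 << self.size) - 1   # keep exactly `size` bits


def receive(win: ReplayWindow, seq: int, icv_ok: bool) -> str:
    """Receiver pipeline in the order the text requires: SN check, ICV, then update."""
    if not win.check(seq):
        return "replay-or-old"
    if not icv_ok:
        return "bad-icv"                      # window is NOT updated on ICV failure
    win.update(seq)
    return "accepted"


if __name__ == "__main__":
    w = ReplayWindow()
    for seq, ok in [(1, True), (1, True), (3, True), (2, True), (100, False), (100, True), (36, True)]:
        print(seq, receive(w, seq, ok))
```

The "bad-icv" branch matters: an attacker who can inject packets with a forged ICV but a high sequence number must not be able to slide the window forward and thereby cause legitimate, slightly delayed packets to be dropped, which is why the window moves only after the ICV verified.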
... is applied to an IP tunnel. An SA between two security gateways is typically a Tunnel-mode SA, as is an SA between a host and a security gateway. However, in cases where the traffic is addressed to the gateway itself, such as SNMP commands, the security gateway acts as a host and Transport mode is permitted. An SA offers many options for IPSec services, depending on the selected security protocol (AH or ESP), the SA mode, the SA endpoints and the selection of the optional services within that protocol. For example, when AH is used to verify data origin and connectionless integrity for IP packets, the anti-replay service may or may not be used, as the parties choose. When an IP-VPN party wants to send IPSec traffic to the other end, it checks whether an SA already exists in its database so that the two parties can use the required security service. If it finds an existing SA, it places that SA's SPI in the IPSec header, applies the cryptographic algorithms and sends the packet. The receiver takes the SPI, the destination address and the IPSec protocol (AH or ESP) and looks up the matching SA in its database to process the packet. Note that an IP-VPN endpoint may have many IPSec connections at once, and therefore many SAs.

3.3.1.2 Combining SAs

IP packets carried over a single SA are protected by exactly one security protocol, AH or ESP, but not both. Sometimes a security policy may call for a combination of services for a particular traffic flow that cannot be provided by a single SA. In such cases several SAs must be employed to implement the required policy. The term SA bundle denotes a sequence of SAs through which traffic must be processed to satisfy a set of security policies. For Tunnel mode there are three basic cases of security association combination:

1) Both SA endpoints are the same: each of the inner and outer tunnels may be AH or ESP, although host 1 could also specify both tunnels the same way, that is, AH inside AH or ESP inside ESP.
Figures: SA combinations in Tunnel mode, drawn as Host 1 | Security Gwy 1 | Internet | Security Gwy 2 | Host 2 (nested tunnels), Host 1 | Internet | Host 2 (an end-to-end SA), and Host 1 | Security Gwy 1 | SA 1 (Tunnel) across the Internet | Security Gwy 2 | Host 2 (a gateway-to-gateway tunnel).
... an entry in the SAD. The SAD determines which SA is used for a given packet. For inbound processing, the SAD is consulted to decide how the packet is to be handled.

3.3.2 The Internet Key Exchange protocol (IKE)

An IPSec connection is formed only once an SA has been established, yet IPSec itself has no mechanism for establishing SAs. The IETF therefore split the work into two parts: IPSec provides the per-packet processing, and the IKMP (Internet Key Management Protocol) family is responsible for negotiating security associations. After weighing the candidates, among them SKIP (Simple Key-management for Internet Protocols) and Photuris, the IETF chose IKE (Internet Key Exchange) as the standard for configuring SAs for IPSec. An IPSec IP-VPN tunnel is established between two parties in the following steps:

Step 1: Interesting traffic: traffic received by, or generated from, an IPSec IP-VPN party at some interface requires an IPSec session to be established for it.

Step 2: Main Mode or Aggressive Mode negotiation using IKE, resulting in an IKE security association (IKE SA) between the IPSec parties.

Step 3: Quick Mode negotiation using IKE, resulting in two IPSec SAs between the two IPSec parties.

Step 4: Data begins to flow through the encrypted tunnel using ESP or AH encapsulation (or both).

Step 5: Termination of the IPSec VPN tunnel, because the IPSec SA terminates, expires or is deleted.

Although there are five steps, the essential ones are steps 2 and 3, which show clearly that IKE has two phases. Phase 1 uses Main Mode or Aggressive Mode for the exchange between the parties, and phase 2 is completed using the Quick Mode exchange.
Figure: crypto ACL evaluation. At the source peer, a clear-text packet is matched against the crypto ACL: a "permit" entry sends it through IPSec as an AH or ESP packet, a "deny" entry sends it in clear text. At the destination peer, the arriving AH or ESP packet is evaluated against that peer's crypto ACL (permit or deny).
Table 3.2: Result of combining permit and deny entries

Source peer      | Permit  | Permit | Deny   | Deny
Destination peer | Permit  | Deny   | Permit | Deny
Result           | Correct | Wrong  | Wrong  | Correct

3.3.2.2 Step two

Step two is IKE phase 1. The purposes of IKE phase 1 are:

* Agree on a set of parameters used to authenticate the two parties and to encrypt part of the Main Mode exchange and the whole of the exchange performed in Quick Mode. No message in Aggressive Mode is encrypted if Aggressive Mode is used for the negotiation.

* The two IP-VPN parties authenticate each other.

* Generate the keys that serve as the source for the encryption keys used to encrypt data as soon as the negotiation ends.

All the information negotiated in Main Mode or Aggressive Mode, including the key later used to derive the keys for data encryption, is stored under the name IKE SA or ISAKMP SA (IKE or ISAKMP security association). Between any two parties there is only one ISAKMP security association.

Figure: IKE phase 1 in Main Mode between Host A, Router A, Router B and Host B. Each router performs the three exchanges: negotiate policy, Diffie-Hellman exchange, verify the identity of the parties.
* Second exchange: a Diffie-Hellman exchange is used to create shared secret keys, and random numbers (nonces) are exchanged to confirm the identity of each peer. The shared secret key is used to generate all the other secret and authentication keys.

* Third exchange: verify the identities of the parties (peer authentication).

The main result of Main Mode is a secure channel for the subsequent exchanges between the two peers. Aggressive Mode performs a three-message exchange. Most of the work is done in the first message: the IKE policy sets are proposed, the Diffie-Hellman public value is generated, and an identity packet is sent that may be used to verify the identity through a third party. The receiver returns everything needed to complete the exchange. Finally, the initiator confirms the exchange.

a) IKE policy sets

When establishing a secure IP-VPN connection between host A and host B across the Internet, a secure tunnel is established between router A and router B. Through this tunnel the encryption, authentication and other protocols are negotiated. Rather than negotiating each protocol separately, the protocols are grouped into sets called IKE policy sets. IKE policy sets are exchanged in the first exchange of IKE phase 1. If a matching policy is found on both sides, the exchange continues; if no matching policy is found, the tunnel is dropped. For example, router A sends IKE policy 10 and IKE policy 20 to router B. Router B compares its own policy set, IKE policy 15, with the sets received from router A. In this case a match is found: router A's IKE policy 10 and router B's IKE policy 15 are equivalent. In point-to-point deployments each side need only define one IKE policy set, but a hub network may have to define several IKE policies to meet the needs of all its remote peers.

b) Diffie-Hellman key exchange

Diffie-Hellman key exchange is a public-key method that lets two parties establish a shared secret key over an insecure communication medium (see chapter 4 for details). Seven Diffie-Hellman algorithms, or groups, are defined: DH 1 to 7. In IKE phase 1 the parties must agree on the Diffie-Hellman group to be used. Once the group has been agreed, the shared secret key is computed.

c) Peer authentication

Peer authentication verifies who is on the other end of the VPN tunnel. The devices at the two ends of the IP-VPN tunnel must be authenticated before the channel is considered secure. The final exchange of IKE phase 1 serves peer authentication. The two main methods of data origin authentication for peers are pre-shared keys and RSA signatures. The authentication algorithms are discussed in detail in chapter 4.

3.3.2.3 Step three

Step three is IKE phase 2. The purpose of IKE phase 2 is to negotiate the IPSec security parameters used to protect the IPSec tunnel. Only Quick Mode is used for IKE phase 2. IKE phase 2 performs the following functions:

* Negotiate the IPSec security parameters and the IPSec transform sets.
* Establish the IPSec security associations.
* Periodically renegotiate the IPSec SAs to keep the tunnel secure.
* Optionally perform an additional Diffie-Hellman exchange (when new SAs and keys are generated, which increases the security of the tunnel).

Quick Mode is also used to renegotiate a new security association when an old one expires. The parties then need not return to step two and can still establish an SA for the new communication session.
Figure: Quick Mode negotiation of IPSec transform sets between the two peers. Transform set 30: ESP, 3DES, SHA, Tunnel, Lifetime. Transform set 40: ESP, DES, MD5, Tunnel, Lifetime. Transform set 50: ESP, 3DES, SHA, Tunnel, Lifetime.
... is transmitted and is measured in seconds. The keys and SAs remain valid until the SA lifetime expires or the tunnel is torn down, at which point the SA is deleted.

3.3.2.4 Step four

After IKE phase 2 completes and Quick Mode has established the IPSec security associations, traffic can be exchanged between the IP-VPN parties through a secure tunnel. Packet processing (encryption, decryption, encapsulation) depends on the parameters set in the SA.

3.3.2.5 Tunnel termination

The IPSec SAs terminate when they are deleted or when their lifetime expires. The IP-VPN parties then stop using these SAs and release the SA database entries; the keys are discarded as well. If at that point the parties still want to communicate, a new IKE phase 2 is run, and where necessary IKE phase 1 may be rerun too. Normally, to keep communication continuous, new SAs are established before the old ones expire.
DES-CBC is one of the many modes of DES. CBC (Cipher Block Chaining) requires an initialization vector (IV) to start encryption. IPSec ensures that both IP-VPN sides have the IV and the shared secret key. The shared secret key is fed into the DES algorithm to encrypt the 64-bit blocks into which the clear text is divided. The clear text is converted to ciphertext and handed to ESP for transmission to the other side, where the reverse processing uses the shared secret key to recreate the clear text.

3.4.1.2 Triple DES (3DES)

3DES is a variant of DES, so named because it performs three encryption operations: an encryption, a decryption and another encryption, each with a different 56-bit key. Together the three operations provide a combined 168-bit key, giving strong encryption. Chapter 4 presents the DES algorithm in detail.

3.4.2 Message integrity

Message integrity is provided by using a mathematical hash function to compute a fingerprint of the message or data file. This fingerprint is called the message digest (MD), and its length depends on the hash function used. All or part of the message digest is transmitted with the data to the destination host, which runs the same hash function to recreate the digest. The source and destination digests are then compared. Any difference means the message changed after the source digest was computed; a match means the data was almost certainly not altered in transit. With IPSec, the message digest is computed over the immutable fields of the IP packet, with the mutable fields replaced by zero or by a predictable value. The MD is computed and then placed in the Authentication Data (ICV) field of the AH. The destination device copies the MD out of the AH and clears the Authentication Data field before recomputing the MD. With the ESP protocol the processing is similar: the message digest is computed over the immutable data of the IP packet, starting at the ESP header and ending with the ESP trailer, and the computed MD is placed in the ICV field at the end of the packet. With ESP the destination host does not need to clear the ICV field, because it lies outside the scope of the hash. Two main algorithms support message integrity, MD5 and SHA-1, both used in the keyed-hash mode called HMAC (Hash-based Message Authentication Code). An overview of these three integrity tools follows.

3.4.2.1 HMAC

RFC 2104 describes the HMAC algorithm, which was developed to work with the existing hash algorithms MD5 and SHA-1. Many complex security processes that share data require a secret key and a mechanism called a message authentication code (MAC). One party creates a MAC using the secret key and sends the MAC to the other party, which recreates the MAC with the same secret key and compares the two MAC values. MD5 and SHA-1 are similar in concept, but neither takes a secret key on its own; that is precisely what HMAC adds. HMAC combines a secret key with the standard hash algorithm when computing the message digest. The key is mixed in the same way regardless of the hash function, but the resulting digests differ when different hash algorithms are used.

3.4.2.2 The MD5 algorithm

The MD5 message digest algorithm reduces any message or data field, however long, to a 128-bit digest. With HMAC-MD5-96 the secret key is 128 bits long. For AH and ESP, HMAC uses only the leftmost 96 bits, placing them in the authentication field. The destination recomputes the 128-bit digest but compares only its leftmost 96 bits with the value stored in the authentication field. MD5 produces a shorter digest than SHA-1 and is considered less secure, but it performs better. MD5 without HMAC is known to be weak for options that require a high level of security.

3.4.2.3 The Secure Hash Algorithm (SHA)

The use of SHA-1 in AH and ESP, as HMAC-SHA-1-96, is specified in RFC 2404. SHA-1 produces a 160-bit message digest and uses a 160-bit secret key. With some products, the leftmost 96 bits of the digest are placed in the authentication field. The receiver recreates the 160-bit message digest with the 160-bit secret key and compares only 96 bits with the digest carried in the authentication field. SHA-1's 160-bit digest is more secure than MD5's 128-bit digest. This may seem more than enough, but if high assurance of message integrity is needed, HMAC-SHA-1 is the algorithm to choose.

3.4.3 Peer authentication
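HMAC as RFC 2104 defines it, written out in Python as an added example that is not from the thesis, so that the role of the key is visible: the key is padded to the hash function's block size, XORed with the ipad and opad constants, and the hash is applied twice. A helper then truncates the result to the leftmost 96 bits, which is what HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404) place in the AH or ESP Authentication Data field. The key and text are constructed, and the result is checked against Python's hmac module.

```python
# Added example (not from the thesis): HMAC per RFC 2104,
#   HMAC(K, text) = H((K xor opad) || H((K xor ipad) || text)),
# and the 96-bit truncation that AH/ESP apply to the result. Inputs constructed.
import hashlib
import hmac


def rfc2104_hmac(key: bytes, text: bytes, hash_name: str) -> bytes:
    block = hashlib.new(hash_name).block_size          # 64 bytes for MD5 and SHA-1
    if len(key) > block:                                # keys longer than a block
        key = hashlib.new(hash_name, key).digest()      # are hashed first ...
    key = key.ljust(block, b"\x00")                     # ... then zero-padded
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = hashlib.new(hash_name, ipad + text).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def ipsec_icv(key: bytes, text: bytes, hash_name: str) -> bytes:
    """AH and ESP carry only the leftmost 96 bits (12 bytes) of the HMAC output."""
    return rfc2104_hmac(key, text, hash_name)[:12]


def verify_icv(key: bytes, text: bytes, icv: bytes, hash_name: str) -> bool:
    """Constant-time comparison, so a forger learns nothing from timing."""
    return hmac.compare_digest(ipsec_icv(key, text, hash_name), icv)


if __name__ == "__main__":
    key = b"\x0b" * 20                                  # constructed key
    text = b"Hi There"                                  # constructed text
    print(ipsec_icv(key, text, "sha1").hex(), verify_icv(key, text, ipsec_icv(key, text, "sha1"), "sha1"))
```

Truncation to 96 bits keeps the header size small and still leaves a forgery probability of 2^-96 per attempt; it does not weaken the key, which stays the full digest length.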
One of the tasks of IKE is peer authentication. It takes place in phase 1, using a keyed-hash algorithm together with one of the following three kinds of key:

+ pre-shared keys
+ RSA digital signatures
+ RSA encrypted nonces

These three kinds of key are combined with the authentication process as outlined below.

3.4.3.1 Pre-shared keys

Handling pre-shared keys is a manual process. The administrator at one end of the IPSec IP-VPN agrees on the key to be used and then enters it manually into the device, whether host or gateway. The method is simple but is not used on a large scale.

3.4.3.2 RSA signatures

A certificate from a Certificate Authority (CA) provides the RSA digital signature at the time of enrolment with the CA. Digital signatures are more secure than pre-shared keys. Once the initial configuration is complete, parties using RSA signatures can authenticate each other without operator intervention. When an RSA signature is required, a public and private key pair is generated. The host uses its private key to create a digital signature and sends that signature to the IPSec peer. The peer uses the public key taken from the certificate to verify the signature it received.

3.4.3.3 RSA encrypted nonces

A further development of digital signatures is the RSA encrypted-nonce process for authenticating peers. A nonce is a pseudo-random number. This process requires enrolment with a CA to obtain an RSA certificate. The parties do not share public keys in this form of authentication and do not exchange digital signatures. Handling the shared key is manual and must be done during the initial setup. RSA encrypted nonces provide repudiation: a party can plausibly deny that the communication took place.

3.4.4 Key management

Key management can be a large problem when working with IPSec VPNs; it can seem as if keys are hidden everywhere. In fact there are only five fixed keys for each pair of IPSec peers that communicate with each other:

+ 2 private keys, each owned by one party and never shared. They are used to sign messages.
+ 2 public keys, each owned by one party and shared with everyone. They are used to verify signatures.
+ The fifth key is the shared secret key. Both parties use it for encryption and for the hash function. It is generated by the Diffie-Hellman algorithm, described below.

That does not seem like many keys. In practice, however, a party's private and public keys are used across many IPSec connections. In a small organization these keys can all be managed manually. The problem appears when the process has to scale to support hundreds or thousands of VPN sessions. The following sections present the Diffie-Hellman protocol and digital certificates, two of the best solutions for automating this difficult management task.

3.4.4.1 The Diffie-Hellman protocol

Diffie-Hellman is a key agreement protocol that lets two parties establish a secret key without any prior shared secret. It is an example of public-key (asymmetric) key exchange: the parties exchange different public values, and each derives the same shared secret key. Diffie-Hellman is used in IPSec VPNs, but it is hard to spot: it is used while setting up the secure channel between the IPSec parties. Its footprint is as follows:

* IPSec uses the Internet Security Association and Key Management Protocol (ISAKMP) to provide a framework for authentication and key exchange.
* ISAKMP uses the IKE protocol to negotiate security and to provide keying material for the security associations.
* IKE uses a protocol called OAKLEY, which specifies a series of key exchanges and the details of the services provided by each exchange.
* OAKLEY uses Diffie-Hellman to establish a shared secret key between the parties.

Symmetric-key cryptography then uses the shared secret key to encrypt and authenticate the connection. Parties using a symmetric-key cipher must share the same secret key. Diffie-Hellman provides a way to give each party a shared secret key without leaving any trace of the keys used.
Public-key (asymmetric) cryptography is too slow for the bulk encryption required on a high-speed IP-VPN channel. The IPSec parties therefore use the Diffie-Hellman protocol to negotiate a shared secret key, which AH or ESP then uses to generate authentication data or to encrypt IP packets. The receiver uses the key to authenticate the packet and decrypt the payload. The steps of the Diffie-Hellman algorithm are presented in detail in chapter 4.

3.4.4.2 Certificate Authorities (CA)

Another way to hold keys without a large management burden is to use a CA (Certificate Authority) as a trusted entity that issues and revokes digital certificates and provides a means of verifying and authenticating those certificates. CAs are usually third parties such as VeriSign or Entrust, but to save cost you can set up your own CA using Windows 2000 Certificate Services. A CA works as follows:

1) A client that wants to use digital certificates generates a key pair, a public key and a private key. The client then prepares an unsigned certificate (X.509) containing, among other things, the client's identity and the public key it has just generated. This unsigned certificate is sent to the CA by some secure method.

2) The CA computes a hash of the unsigned certificate, then signs that hash by encrypting it with the CA's private key. This encrypted hash is a digital signature; the CA attaches it to the certificate and returns the signed certificate to the client. This certificate is called the identity certificate and is stored on the client device until it expires or is deleted. The CA also sends the client its own digital certificate, which becomes the client's root certificate.

3) The client now has a signed digital certificate that it can send to any peer. A peer that wants to authenticate the certificate verifies the signature using the CA's public key from the root certificate.

Note that the CA issues only one certificate per client. If a client wants to establish an IPSec IP-VPN with another client, it exchanges digital certificates with that client, so that each side learns the other's public key. When a client wants to encrypt data for a peer, it uses the peer's public key taken from the peer's certificate; the peer then decrypts the packet with its own private key. Another function of the CA is to produce, periodically, the list of certificates that have expired or been revoked: the Certificate Revocation List (CRL) of its customers. When a client receives a digital certificate, it checks the CRL to determine whether the certificate is still valid.
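The Diffie-Hellman exchange of 3.4.4.1, followed by the IKE-style derivation of keying material from the shared secret and the two parties' nonces, as an added example that is not part of the thesis. It uses the 1024-bit MODP prime of IKE group 2 (RFC 2409 section 6.2) with generator 2, since the text refers to groups 1 to 7; the private exponents and nonces are generated at random. Current deployments use larger groups (2048 bits and up) or elliptic-curve groups, but the arithmetic is the same.

```python
# Added example (not from the thesis): Diffie-Hellman over IKE group 2 and an
# IKE-style SKEYID derivation (RFC 2409 section 5, signature authentication):
#   SKEYID = prf(Ni | Nr, g^xy)   with HMAC-SHA-1 as the prf.
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of IKE group 2 (RFC 2409 section 6.2); generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair(p: int = P, g: int = G):
    """Private exponent x in [1, p-2] and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(priv: int, peer_pub: int, p: int = P) -> bytes:
    """g^xy mod p as a fixed-width big-endian byte string. Peer values 0, 1 and
    p-1 are rejected: they would force the shared secret into a tiny subgroup."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid peer public value")
    z = pow(peer_pub, priv, p)
    return z.to_bytes((p.bit_length() + 7) // 8, "big")


def derive_skeyid(shared: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """SKEYID = prf(Ni | Nr, g^xy): the nonces key the prf, the DH secret is the text."""
    return hmac.new(nonce_i + nonce_r, shared, hashlib.sha1).digest()


def run_exchange():
    """Both sides of the exchange; returns the initiator's and responder's SKEYID."""
    x_i, y_i = dh_keypair()                 # initiator: private x, public g^x
    x_r, y_r = dh_keypair()                 # responder: private y, public g^y
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)   # exchanged nonces
    skeyid_i = derive_skeyid(dh_shared(x_i, y_r), n_i, n_r)       # initiator's view
    skeyid_r = derive_skeyid(dh_shared(x_r, y_i), n_i, n_r)       # responder's view
    return skeyid_i, skeyid_r


if __name__ == "__main__":
    a, b = run_exchange()
    print(a.hex(), a == b)
```

Nothing secret crosses the wire: each side sends only g^x mod p and a nonce, and only the holder of the matching private exponent can compute g^xy. The subgroup check in dh_shared is the practitioner's guard against a peer that sends a degenerate public value to force a predictable shared secret.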
Figure: certificate enrolment and IKE between the user's router and the central-site router across the Internet. The CA issues digital certificates to both routers, the IKE phases run between them, and the resulting IPSec tunnel carries traffic between the user's computers and the central network.
Here the user's router encapsulates the data according to the requirements negotiated in the IPSec SA (cipher, authentication and the encapsulation protocol, AH or ESP), adds the information needed to bring the encrypted packet back into the form of an IP datag ram and forwards it to the central-site router. On receiving the packet from the user's router, the central-site router looks up the IPSec SA, processes the packet as required, restores the original packet and delivers it to the central network.
3.6 Summary
This chapter presented the IPSec protocol in detail and its application to IP-VPN technology. IPSec is an open standard: it does not define specific solutions, only standards. IPSec consists of two protocols, AH and ESP, which operate differently to provide integrity, confidentiality and security for data. The security association (SA) holds the set of policies, parameters, algorithms and protocols for encapsulating data between the parties participating in IPSec. At each end of an IPSec tunnel, the SA is used to determine which traffic needs IPSec processing, which IPSec protocol is used (AH or ESP), and which algorithms and keys are used for encryption and authentication. In addition, IKE is an important protocol for negotiating the authentication of the parties and for establishing the parameters and policies of the security association during setup. The task of IKE is to negotiate between the parties at setup time, or to renegotiate when necessary, in order to create a security association. Table 3.3 summarizes the three protocols of chapter 3.

Table 3.3: Summary of the IPSec protocols

Protocol | Service                                      | Algorithms / methods
AH       | Data integrity                               | MD5, SHA1
ESP      | Confidentiality, data integrity              | DES, 3DES, AES, MD5, SHA1
IKE      | Peer authentication, parameter establishment | Pre-shared keys, RSA, Diffie-Hellman, CA
IPSec provides authentication and data integrity. Second, IPSec allows the use of the strongest encryption and authentication methods and algorithms currently available. Third, IPSec is an open framework standard, meaning that algorithms can be chosen to match the desired level of data security without being rigidly bound to any one algorithm, and advanced algorithms developed in the future can be adopted. This shows the great flexibility of IPSec. The aim of this chapter was to clarify the data security of IP-VPN technology based on the IPSec protocol.
4.2 Cryptography

4.2.1 Basic concepts

Figure 4.1 shows the general concepts used in cryptographic algorithms and the relationships between them.
Figure 4.1: plaintext P and key K enter encryption, E_K(P) = C, producing ciphertext C; ciphertext C and key K enter decryption, D_K(C) = P, recovering the plaintext.
+ Plaintext and ciphertext: the original message is called the plaintext (or cleartext). The process of transforming the message to hide its true content is called encryption. The encrypted message is called the ciphertext. The process of transforming the ciphertext back into the original message is called decryption.

+ Algorithm and key: a cryptographic algorithm (also called a cipher) is a mathematical function used for encryption and decryption. The security of a cipher depends on a secret key. The range of possible key values is called the key space. Encryption and decryption both depend on the key K as follows:

  Encryption: E_K(P) = C
  Decryption: D_K(C) = P

Ciphers fall into two basic classes: symmetric-key cryptosystems and public-key cryptosystems. Symmetric-key encryption uses one and the same key for encryption and decryption; with such a system both ends of the channel must be supplied with the same key over a trusted channel, and the key must exist before transmission begins. Public-key encryption uses two different keys (a private key and a public key): the public key is used to encrypt, and only the private key can decrypt. Each of these classes contains many algorithms.

4.2.2 Symmetric-key cryptosystems

4.2.2.1 The ECB and CBC modes

Depending on how the input plaintext blocks are turned into output ciphertext blocks, block ciphers are classified by mode of operation, among them ECB, CBC and OFB.

Electronic Code Book mode (ECB): in ECB, an input plaintext block is mapped statically to an output ciphertext block. With finite memory resources one could build a lookup table, or electronic code book, that maps a ciphertext block back to its corresponding plaintext block.
Bùi Văn Nhật 45K2TVT
[Figure: block-cipher chaining. Sender side: each plaintext block P1, P2, P3 is encrypted (E) to C1, C2, C3; receiver side: each ciphertext block is decrypted (D) back to P1, P2, P3]
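As an added illustration (not part of the thesis), the following Python example shows how the two modes behave on the same plaintext. Since Python's standard library has no DES, the 64-bit block cipher is a toy four-round Feistel network whose round function is HMAC-SHA256; everything else (PKCS#7 padding, ECB, CBC with a fresh random IV) is the real mode logic. The key and plaintext are constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit block, the same block size as DES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the toy cipher: a keyed PRF (HMAC-SHA256) truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Toy four-round Feistel block cipher. Not DES; it only serves to show
    how the modes of operation behave on top of any block cipher."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(rounds):
        left, right = right, xor(left, _round_function(key, i, right))
    return right + left


def block_decrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    # Same structure with the round keys applied in reverse order.
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(rounds)):
        left, right = right, xor(left, _round_function(key, i, right))
    return right + left


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7: always add 1..BLOCK bytes
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Each block is mapped independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(block_encrypt(key, p) for p in blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, c) for c in blocks(ciphertext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    # Each block is XORed with the previous ciphertext block before encryption.
    # The IV must be fresh and unpredictable per message; it is sent in clear in front.
    iv = os.urandom(BLOCK) if iv is None else iv
    prev, out = iv, [iv]
    for p in blocks(pad(plaintext)):
        prev = block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    iv, ciphertext = data[:BLOCK], data[BLOCK:]
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def distinct_blocks(ciphertext: bytes) -> int:
    """Number of distinct ciphertext blocks: repeated blocks reveal plaintext structure."""
    return len(set(blocks(ciphertext)))
```

With a repetitive plaintext, ECB output contains only as many distinct blocks as the plaintext does, while CBC output has no repeated blocks; reusing a fixed IV in CBC makes the ciphertext deterministic again, which is the point of the random-IV requirement.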
Every CBC-encrypted message must be initialized with an initialization vector (IV). The IV is sent over the insecure channel at the start of the transmission session. To prevent replay-style attacks, an IV value is used only once. In CBC the IV must also be unpredictable to an attacker, not merely unique, so it should be a fresh random value for every message; a plain incrementing counter is not sufficient for CBC, because an attacker who can predict the next IV can test guesses about previously encrypted blocks.

4.2.2.2 The DES algorithm (Data Encryption Standard)

DES was published in the USA in 1977 and became very widely used. It is also the basis of the more advanced 3DES. When this thesis was written (2009) DES was still used for applications that do not require strong security; note, however, that AES (FIPS 197) replaced it as the official standard in 2001, NIST withdrew the DES standard in 2005, and its 56-bit key has been recovered by brute force in practice since 1998, so it must not be used in new designs. DES encrypts 64-bit data blocks with a 56-bit key. The DES algorithm is shown in Figure 4.4.
[Figure 4.4: DES structure. A 64-bit plaintext block passes through an initial permutation, then 16 rounds each using a 48-bit round key derived from the 56-bit key, then a final permutation, giving a 64-bit ciphertext block]
[Figure 4.5: one DES round. The 32-bit right half R_{i-1} is expanded to 48 bits and XORed with the 48-bit round key K_i (obtained from the 56-bit key K_{i-1} by shifts and a compression permutation); the result passes through the S-boxes (substitution, 48 to 32 bits) and the P-box (permutation) to produce the new halves L_i and R_i]
The biggest drawback of symmetric-key cryptosystems is distributing the secret keys over an insecure channel. The number of secret keys needed when a symmetric cipher is used among n parties is

  C(n, 2) = n(n - 1) / 2.

Clearly, key distribution becomes extremely difficult when the number of parties exchanging information is large. Figure 4.6 illustrates key distribution in a symmetric-key system.
[Figure 4.6: pairwise secret keys among six computers A to F. A holds K_AB, K_AC, K_AD, K_AE, K_AF; B holds K_AB, K_BC, K_BD, K_BE, K_BF; F holds K_AF, K_BF, K_CF, K_DF, K_EF]
- Serpent (Ross Anderson, Eli Biham, Lars Knudsen): a 32-round substitution-permutation network.
- Rijndael (Joan Daemen, Vincent Rijmen): an improved substitution-permutation network with 10 rounds (for 128-bit keys; 12 and 14 rounds for 192- and 256-bit keys).
Of these five finalists, NIST selected Rijndael as the AES in 2000, and it was published as FIPS 197 in 2001. AES is the standard symmetric block cipher and is implemented in both hardware and software; it is designed so that the key length can be increased when necessary. The AES block length is n = 128 bits and the key length is k = 128, 192 or 256 bits.

4.2.2.4 Stream ciphers

A stream cipher relies on a key stream generator that produces a pseudo-random sequence seeded by a secret key. The key stream is XORed with the plaintext bit stream. At the receiver an identical generator, seeded with the same secret key, is synchronized with the incoming ciphertext stream, and the receiver recovers the plaintext by XORing the ciphertext with the synchronized key stream. Because the ciphertext is simply plaintext XOR key stream, a key stream must never be used for two messages: if it is, C1 XOR C2 = P1 XOR P2, and knowing either plaintext reveals the other. A stream cipher also provides no integrity, since flipping a ciphertext bit flips the corresponding plaintext bit, so it must be combined with a MAC.
[Figure: stream cipher. Key -> pseudo-random generator -> key stream; at the sender, plaintext bit stream XOR key stream = ciphertext bit stream; at the receiver, ciphertext bit stream XOR key stream = plaintext bit stream]
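An added example, not from the thesis: a stream cipher whose key stream generator is HMAC-SHA256 run in counter mode over a key and a per-message nonce (an illustrative construction, not a standardized cipher). It shows encryption and decryption by XOR, then the two failure modes a practitioner must design against: key stream reuse, which lets an eavesdropper holding one known plaintext recover the other message without the key, and bit-flipping, which silently changes the decrypted plaintext. Key, nonce and messages are constructed.

```python
import hashlib
import hmac
import struct


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Key stream generator: a keyed PRF (HMAC-SHA256) run in counter mode.
    Illustrative construction for this example, not a standardized cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # ciphertext = plaintext XOR key stream
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def stream_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # the receiver regenerates the same key stream and XORs again
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted with the same key stream,
    c1 XOR c2 = p1 XOR p2: the key stream cancels out."""
    return xor_bytes(c1, c2)


def recover_with_known_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """With one known plaintext under a reused key stream, the other message
    is recovered without the key: p2 = c2 XOR (c1 XOR p1)."""
    recovered_stream = xor_bytes(c1, p1)
    return xor_bytes(c2, recovered_stream)


def bit_flip(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Malleability: flipping ciphertext bits flips the same plaintext bits,
    which is why a stream cipher must be paired with a MAC."""
    buf = bytearray(ciphertext)
    buf[offset] ^= mask
    return bytes(buf)
```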
... kept secret by its owner) and a corresponding public key (published in public directories). The two keys are related so that the public key performs encryption and the private key performs decryption. The steps of public-key encryption are:
- An end system in the network generates a key pair for encrypting and decrypting the messages it will receive.
- Each system publishes its encryption key widely by placing it in a public register or file. This is the public key; the other key is kept private.
- If A wants to send a message to B, A encrypts the message with B's public key.
- When B receives the encrypted message, B decrypts it with its own private key. Nobody else can decrypt the message, because only B knows the private key.
[Figure: public-key encryption. User A passes the message and B's public key to the encryption algorithm and sends the encrypted message over the channel]
4. It is computationally infeasible for an adversary who knows the public key KU_b to determine the private key KR_b. It is likewise computationally infeasible for an adversary who knows the public key KU_b and the ciphertext C to recover the original message M.
5. The encryption and decryption functions can be applied in either order:
  M = D_KRb[E_KUb(M)]
  M = E_KUb[D_KRb(M)]
Computing Y = f(X) is easy, while computing X = f^(-1)(Y) is infeasible. In general a problem is considered easy if it can be solved in time bounded by a function of the input length: if the input is n bits long, the running time of an easy function grows as n^a (a polynomial). To ensure security, large keys must be used (typically more than 100 decimal digits). Table 4.2 gives example key sizes and the time needed to break them (in MIPS-years) for the RSA/DSS and ECC algorithms.

Table 4.2: Time to break keys in RSA/DSS and ECC

  RSA/DSS key (bits) | ECC key (bits) | MIPS-years to break
  512                | 106            | 10^4
  768                | 132            | 10^8
  1024               | 160            | 10^12
4.2.3.2 The RSA public-key cryptosystem

RSA was developed by Rivest, Shamir and Adleman in 1977. RSA is a block-wise scheme, each block having a value less than n. For a plaintext block M and ciphertext block C, encryption and decryption are:
  C = M^e mod n
  M = C^d mod n = (M^e)^d mod n = M^(de) mod n
Both sender and receiver must know n; the sender knows e and only the receiver knows d. It is therefore a public-key algorithm with public key KU = [e, n] and private key KR = [d, n]. For this scheme to qualify as a public-key algorithm, the following requirements must be met:
- Can values d, e, n be found such that M = M^(de) mod n for every M < n?
- Is it relatively easy to compute M^e and C^d for every M < n?
By Euler's theorem: for two primes p and q, with n = pq, an integer m with 0 < m < n, and any integer k,
  m^(kφ(n) + 1) mod n = m^(k(p - 1)(q - 1) + 1) mod n = m mod n,
where φ(n) = φ(pq) = (p - 1)(q - 1).
Therefore, if de = kφ(n) + 1 and gcd(φ(n), e) = 1 (gcd: greatest common divisor), then de mod φ(n) = 1, i.e. d = e^(-1) mod φ(n).
RSA scheme: suppose user A publishes its public key e (with n) and user B wants to send a message M to A. B computes C = M^e mod n and transmits C. On receiving C, user A decrypts by computing C^d mod n. Indeed M = C^d mod n because de mod φ(n) = 1, i.e. de = kφ(n) + 1.
RSA key size: the key length is chosen according to the required security and the lifetime of the key:
- Export: 512 bits
- Personal: 768 bits
- Commercial: 1024 bits
- Military: 2048 bits
These were the usual classes when this thesis was written; RSA-512 moduli have been factored publicly since 1999 and RSA-768 since December 2009, so 2048 bits is now the accepted minimum. The above are the main points of the RSA algorithm. In practice, implementing it with large key sizes requires heavy number-theoretic computation, such as Euclid's algorithm for the gcd of two integers or the Miller-Rabin test for the primality of the candidates.

4.2.4 The Diffie-Hellman key exchange

The Diffie-Hellman algorithm lets two parties agree on a shared secret key. The steps are as follows:

Table 4.4: Steps of the Diffie-Hellman key exchange

  Party A                                         | Network | Party B
  Agrees with B on a large prime P                |         | Agrees with A on the large prime P
  and on a generator G used to form keys          |         | and on the generator G
  Chooses a secret number A                       |         | Chooses a secret number B
  Computes the public number X = G^A mod P        |  X -->  | Computes the public number Y = G^B mod P
  Sends X to B                                    |  <-- Y  | Sends Y to A
  Now knows P, G, A, X, Y                         |         | Now knows P, G, B, X, Y
  Computes K_A = Y^A mod P                        |         | Computes K_B = X^B mod P
  Now holds the shared secret key K_A = K_B = K   |         | Now holds the shared secret key K_A = K_B = K

Proof: K_A = (G^B mod P)^A mod P = (G^B)^A mod P = G^(BA) mod P, and K_B = (G^A mod P)^B mod P = (G^A)^B mod P = G^(AB) mod P, so K_A = K_B.
Example of a Diffie-Hellman exchange: parties A and B agree on the prime P = 31 and the integer G = 3. At A: choose A = 8, so X = 3^8 mod 31 = 20. This X = 20 is sent to B.
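The exchange above, carried through in Python as an added example (not from the thesis). It uses the thesis values P = 31, G = 3 and A = 8, which give X = 20; B's secret B = 5 is an assumption, since the original example stops at X. Two further functions show why these toy parameters are only pedagogical (A's secret is recovered by trying the 30 possible exponents) and why the exchange must be authenticated (an active attacker who substitutes its own public value ends up sharing a key with each side; IPSec addresses this by authenticating the peer with a pre-shared key or digital signatures).

```python
# Toy parameters from the thesis example: prime P = 31, generator G = 3, A's secret A = 8.
P, G = 31, 3


def dh_public(secret: int, p: int = P, g: int = G) -> int:
    """Public value G^secret mod P (X for A, Y for B)."""
    return pow(g, secret, p)


def dh_shared(their_public: int, my_secret: int, p: int = P) -> int:
    """Shared key: (their public value)^(my secret) mod P."""
    return pow(their_public, my_secret, p)


def exchange(a_secret: int, b_secret: int, p: int = P, g: int = G):
    """Both sides of the exchange; returns (X, Y, K_A, K_B)."""
    x = dh_public(a_secret, p, g)   # A -> B over the network
    y = dh_public(b_secret, p, g)   # B -> A over the network
    return x, y, dh_shared(y, a_secret, p), dh_shared(x, b_secret, p)


def brute_force_dlog(public: int, p: int = P, g: int = G):
    """Recover a secret from its public value by exhaustive search.
    Feasible only because P is tiny; real deployments use P of 2048 bits or more."""
    for s in range(1, p):
        if pow(g, s, p) == public:
            return s
    return None


def man_in_the_middle(a_secret: int, b_secret: int, m_secret: int,
                      p: int = P, g: int = G) -> bool:
    """Unauthenticated DH: an active attacker M replaces X and Y with its own
    value Z on both legs, so A and B each share a key with M rather than with
    each other. Returns True if M can read both directions."""
    x = dh_public(a_secret, p, g)
    y = dh_public(b_secret, p, g)
    z = dh_public(m_secret, p, g)
    k_a = dh_shared(z, a_secret, p)   # what A computes, believing Z came from B
    k_b = dh_shared(z, b_secret, p)   # what B computes, believing Z came from A
    return k_a == dh_shared(x, m_secret, p) and k_b == dh_shared(y, m_secret, p)
```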
4.3 Authentication
Authentication covers two notions: authentication of data integrity and authentication of data origin. They are basically solved by different methods, which this section examines in turn.

4.3.1 Data integrity authentication

Data integrity authentication involves two problems:
- Detecting corrupted messages: detecting bit errors caused by the transmission medium or the storage device. The solution is a message digest (MD, computed by a hash function) for each message. The MD acts as a fingerprint that uniquely identifies a message (similar in role to a CRC).
- Protection against unauthorized modification: detecting messages that have been illegitimately altered in transit. There are two solutions, based on symmetric-key and on asymmetric-key cryptography. The symmetric solution produces a message authentication code (MAC) from a keyed message digest function. The asymmetric solution produces a digital signature by encrypting the message digest with the sender's private key (the receiver checks it with the sender's public key).

4.3.1.1 Message digests based on one-way hash functions

a) Message digest (MD)

An MD is used to detect transmission errors and is computed with a one-way hash function. The fixed-length MD acts as a unique fingerprint for a message of arbitrary length. With the usual MD length of 128 to 256 bits there are about 10^38 to 10^77 distinct fingerprint values. To see how large this is: suppose that in the 21st century the population is 10 billion people and each person
writes 100 documents a day; then the total is only 3.65 × 10^14 documents per year. Even if every document has its own fingerprint, only a tiny fraction of the 10^38 possible MD values is used.

b) One-way hash functions

One-way hash functions are used to compute MDs. A hash function is considered good if it satisfies the following requirements:
- Computing the MD is simple and efficient, allowing MDs of messages many GB in size.
- It is infeasible to recover the original message from its MD value. This is why the function is called one-way.
- The MD value depends on every bit of the message. If even a single bit of the message is changed, inserted or deleted, about half of the bits of the MD change in a random-looking way. Figure 4.9 illustrates this. The hash function performs a pseudo-random message-to-digest mapping: two nearly identical messages have completely different hash values.
- Because of the pseudo-random nature of the hash function and the enormous number of possible hash values, it is practically impossible for two distinct messages to have the same hash value. For practical applications, the output of a hash function on a message can therefore be regarded as that message's unique fingerprint. Note that this assumption has since failed for the two functions used throughout this chapter: practical collisions are known for MD5 (2004) and SHA-1 (2017), so new designs should use SHA-2 or SHA-3.
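The avalanche and collision-resistance properties above, measured with Python's hashlib, as an added example that is not part of the thesis. The first function flips single message bits and reports the fraction of digest bits that change (about 0.5 for any sound hash). The second deliberately truncates the digest to a few bits and finds a collision by the birthday method, which costs roughly 2^(n/2) hashes for an n-bit digest; this is why an n-bit digest offers only about n/2 bits of collision resistance and why the digest must be long. Sample messages are constructed.

```python
import hashlib


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def avalanche_fraction(message: bytes, algorithm: str = "sha256", trials: int = 64) -> float:
    """Average fraction of digest bits that change when one message bit is flipped.
    A good hash gives close to 0.5 (half the digest bits change)."""
    base = hashlib.new(algorithm, message).digest()
    digest_bits = len(base) * 8
    changed = 0
    for i in range(trials):
        altered = flip_bit(message, i % (len(message) * 8))
        changed += hamming_distance(base, hashlib.new(algorithm, altered).digest())
    return changed / (trials * digest_bits)


def truncated_digest(message: bytes, bits: int, algorithm: str = "sha256") -> int:
    """Leading `bits` bits of the digest as an integer (a deliberately short MD)."""
    digest = hashlib.new(algorithm, message).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def birthday_collision(bits: int, algorithm: str = "sha256", limit: int = 1_000_000):
    """Find two distinct messages whose `bits`-bit truncated digests agree.
    Expected cost is about 2**(bits/2) hashes (the birthday bound).
    Returns (msg1, msg2, hashes_computed), or None if `limit` is reached."""
    seen = {}
    for i in range(limit):
        msg = b"constructed-msg-%d" % i
        t = truncated_digest(msg, bits, algorithm)
        if t in seen:
            return seen[t], msg, i + 1
        seen[t] = msg
    return None
```

A 24-bit truncation collides after a few thousand hashes; the same search against the full 256-bit SHA-256 output would need on the order of 2^128 hashes, which is the margin the MD length is meant to provide.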
[Figure: iterated hashing. The message is split into N blocks of 512 bits; the MD5/SHA compression function takes the IV and block 1, its output hash serves as the IV for block 2, and so on through block N; the final output is the hash of the whole message]
- Besides the 512-bit input data block, the hash function requires an initialization vector (IV) of the same size as the hash (128 bits for MD5, 160 bits for SHA-1).
- In the first round the IV takes the value defined in the MD5 or SHA standard. A hash value is computed from the first 512-bit input block; that value serves as the IV in the second round. The process continues, the hash of each round being the IV of the next. After the last 512-bit block has been processed, the resulting hash value is the MD (fingerprint) of the whole message.

4.3.1.2 Message authentication codes based on keyed one-way hash functions

A MAC (Message Authentication Code) protects the content of a message against unauthorized modification. A MAC is computed with a one-way hash function combined with a secret key.
[Figure: MAC over a channel. The sender computes the MAC from the message and the key and sends both; the receiver recomputes the MAC with the same key and compares it with the received one]
To solve this problem, a secret key must enter the computation of the message fingerprint; only then is protection against unauthorized changes ensured. The sender (which holds the secret key) produces a valid message digest, called the message authentication code (MAC). The receiver uses the secret key to check the message's validity by recomputing the MAC and comparing it with the MAC the sender transmitted. The remaining problem is to build keyed one-way hash functions from the hash functions presented above. RFC 2104 gives a construction of keyed hash functions (HMAC) on top of hash functions such as MD5 and SHA.
[Figure: HMAC construction (RFC 2104). The inner key and the document are hashed with MD5/SHA; the outer key and the resulting hash are hashed again, and the output is the MAC]
... produces an initialization vector used to hash the original message; this IV depends only on the secret key. Thus, as long as the secret key is unchanged, all messages can be authenticated using the same secret initialization vector. The same applies to the outer key. The outer key is formed by XORing the secret key (padded with zero bits) with the byte value 0x5C. The hash over the outer key block then produces an IV used to hash the hash value computed in the first round. Usually the final MAC is produced by truncating the hash obtained from MD5 (128 bits) or SHA (160 bits) to 96 bits. Although this truncation reduces the number of values an attacker must try in a brute-force guess of the tag, it hides the internal state of the hash algorithm and makes it much harder for an attacker to work back from the output of the second hash round to the intermediate result of the first round. Integrity authentication with MACs is fast and efficient, because computing a MAC from a hash function is relatively simple, so it is commonly used to authenticate high-speed data streams. Its drawback is that the receiver must know the secret key in order to check the message's integrity, which raises the problem of secure key distribution.

4.3.1.3 Digital signatures based on public-key cryptography

A digital signature is a method of protecting the content of a message against unauthorized modification. It is produced by encrypting the hash value obtained from a one-way hash function. Figure 4.14 shows the hash value (MD5 or SHA) of the message being encrypted with the sender's private key to form the digital signature, which is transmitted together with the message.
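The RFC 2104 construction described above, implemented step by step in Python as an added example (not code from the thesis): the key is zero-padded to the hash block size, XORed with 0x36 for the inner key (ipad) and with 0x5C for the outer key (opad); the inner hash covers the message and the outer hash covers the inner result. The output is truncated to 96 bits as for HMAC-SHA1-96 in IPSec, and the receiver compares tags in constant time so that the comparison itself cannot leak the expected tag byte by byte. The result can be checked against Python's hmac module. Keys and messages are constructed.

```python
import hashlib
import hmac as stdlib_hmac


def hmac_rfc2104(key: bytes, message: bytes, hashfunc=hashlib.sha1) -> bytes:
    """HMAC exactly as RFC 2104 specifies it, on top of any hashlib function."""
    block_size = hashfunc().block_size          # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block_size:
        key = hashfunc(key).digest()             # keys longer than a block are hashed first
    key = key.ljust(block_size, b"\x00")         # zero-pad the key to one block
    inner_key = bytes(b ^ 0x36 for b in key)     # key XOR ipad
    outer_key = bytes(b ^ 0x5C for b in key)     # key XOR opad
    inner_hash = hashfunc(inner_key + message).digest()   # first round: over the message
    return hashfunc(outer_key + inner_hash).digest()      # second round: over the inner hash


def hmac_sha1_96(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 truncated to 96 bits (12 bytes), the form IPSec uses."""
    return hmac_rfc2104(key, message, hashlib.sha1)[:12]


def verify_mac(key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac_sha1_96(key, message)
    return stdlib_hmac.compare_digest(expected, received_mac)


def matches_stdlib(key: bytes, message: bytes, name: str = "sha1") -> bool:
    """Cross-check of the hand-written construction against Python's hmac module."""
    ours = hmac_rfc2104(key, message, getattr(hashlib, name))
    return ours == stdlib_hmac.new(key, message, getattr(hashlib, name)).digest()
```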
[Figure 4.14: digital signature. Sender: hash function -> hash value -> signature, sent with the message over the channel. Receiver: recomputes the hash value, recovers the hash value from the signature, and compares the two]
The receiver recomputes the hash of the received message and, at the same time, decrypts the digital signature that accompanies it. If the decrypted value equals the computed hash, the integrity of the message is confirmed, because only the sender holds the private key that produced the signature. Since public keys are widely distributed, anyone can verify the integrity of the message. This method avoids the secure key distribution problem, but encryption and decryption with private/public keys are very slow. It is therefore used only to authenticate the peer at the start of a communication session.

4.3.2 Data origin authentication

4.3.2.1 Authentication methods

There are two methods of data origin authentication: password-based authentication and challenge-response protocols.

a) Password-based authentication

This method carries two security risks:
- First risk: the password must be sent over an insecure channel. For example, remote login with telnet requires the user's identifier (ID) and password to be sent in cleartext to the server. The risk is high because the password crosses the Internet, an insecure channel.
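RSA as described in section 4.2.3.2, and its use for a digital signature as described here, in one Python example added to this thesis (not the author's code). Key generation uses the two number-theoretic routines the thesis names: the Miller-Rabin test for choosing the primes p and q, and the extended Euclidean algorithm for d = e^(-1) mod φ(n). Encryption is C = M^e mod n, decryption M = C^d mod n, and signing applies the private-key operation to the SHA-256 hash of the message, which the verifier recomputes and compares. This is textbook RSA without OAEP or PSS padding, deliberately so for illustration and not safe for real use; the seed makes key generation reproducible and would be omitted in practice.

```python
import hashlib
import random


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)  # witness choice only needs to be arbitrary here
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(e: int, phi: int) -> int:
    """d = e^(-1) mod phi, which exists only when gcd(e, phi) = 1."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return x % phi


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512, e: int = 65537, seed=None):
    """Returns (KU, KR) = ([e, n], [d, n]) with n = p*q and d*e = 1 mod phi(n)."""
    rng = random.Random(seed)  # seeded only for reproducibility of the demo
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and egcd(e, phi)[0] == 1:
            break
    n = p * q
    d = modinv(e, phi)
    assert (d * e) % phi == 1
    return (e, n), (d, n)


def encrypt(m: int, public) -> int:
    e, n = public
    assert 0 <= m < n, "each block must be smaller than n"
    return pow(m, e, n)            # C = M^e mod n


def decrypt(c: int, private) -> int:
    d, n = private
    return pow(c, d, n)            # M = C^d mod n


def sign(message: bytes, private) -> int:
    """Textbook signature: private-key operation on the message hash (no padding)."""
    d, n = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Recover the hash with the public key and compare with a fresh hash."""
    e, n = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h
```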
- Second risk: the password must be stored on a storage medium of the server, usually the login server. Storing passwords is itself a serious security risk; a server should keep only a salted, slow hash of each password rather than the password itself.

b) Challenge-response protocols

To authenticate over an insecure channel, a challenge-response protocol can check whether the peer being authenticated possesses the secret value that identifies it, without ever exchanging that secret over the insecure channel. The protocol uses either a message authentication code (MAC) or a digital signature.

- Challenge-response protocol using a MAC
[Figure: challenge-response with a MAC. The user sends ID_U; the server answers with the challenge R_S; the user chooses R_U and returns R_U together with a MAC over (ID_U, R_U, R_S) computed with the shared key; the server recomputes the MAC with the same key]
The server uses the information it holds (ID, R_U, R_S and the secret key) to compute the MAC value, then compares it with the MAC the user sent. If the user holds the correct shared secret key, the two values match and authentication succeeds.

- Authentication protocol using digital signatures

The challenge-response protocol can also rely on digital signatures, using public-key cryptography. The user alone holds the private key, and any server holding the user's corresponding public key can authenticate the user. The user computes a hash over ID, R_S (received from the server as the challenge) and R_U. Encrypting the hash value with the private key produces a digital signature, which is returned to the server as the response. Public-key systems are popular because the public key need not be kept secret and can therefore be distributed widely. However, when a server authenticates a user by checking a signature with the user's public key, the question arises whether the public/private key pair used in the authentication really belongs to that user.
[Figure: challenge-response with a digital signature. The user sends ID_U; the server answers with a random value R_S (nonce); the user hashes ID_U, R_U, R_S and signs the hash (Sig); the server recomputes the hash and verifies the signature with the user's public key]
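The MAC-based challenge-response protocol described above, as an added Python example (not from the thesis) showing both sides' messages: the server issues a fresh random nonce R_S, the user answers with its own nonce R_U and an HMAC-SHA256 over (ID_U, R_U, R_S) under the shared key, and the server recomputes the MAC. The server also records consumed challenges, so a response captured on the wire cannot be replayed, which is the attack the nonce exists to stop. Identities and keys are constructed.

```python
import hashlib
import hmac
import os


def compute_mac(key: bytes, id_u: str, r_u: bytes, r_s: bytes) -> bytes:
    """MAC over (ID_U, R_U, R_S). The identity is length-prefixed so the
    three fields cannot be shifted into one another."""
    ident = id_u.encode("utf-8")
    data = len(ident).to_bytes(2, "big") + ident + r_u + r_s
    return hmac.new(key, data, hashlib.sha256).digest()


class Server:
    def __init__(self, user_keys: dict):
        self.user_keys = user_keys      # ID_U -> shared secret key
        self.pending = {}               # ID_U -> outstanding challenge R_S
        self.consumed = set()           # (ID_U, R_S) pairs already answered

    def challenge(self, id_u: str) -> bytes:
        r_s = os.urandom(16)            # fresh nonce for every attempt
        self.pending[id_u] = r_s
        return r_s

    def verify(self, id_u: str, r_u: bytes, r_s: bytes, mac: bytes) -> bool:
        if id_u not in self.user_keys:
            return False                # unknown user
        if self.pending.get(id_u) != r_s or (id_u, r_s) in self.consumed:
            return False                # stale or replayed challenge
        self.consumed.add((id_u, r_s))
        del self.pending[id_u]
        expected = compute_mac(self.user_keys[id_u], id_u, r_u, r_s)
        return hmac.compare_digest(expected, mac)   # constant-time comparison


class User:
    def __init__(self, id_u: str, key: bytes):
        self.id_u, self.key = id_u, key

    def respond(self, r_s: bytes):
        r_u = os.urandom(16)
        return self.id_u, r_u, compute_mac(self.key, self.id_u, r_u, r_s)


def run_protocol(server: Server, user: User):
    """One run: ID_U ->, <- R_S, (ID_U, R_U, MAC) ->, server verdict.
    Returns (accepted, transcript) so the transcript can be replayed."""
    r_s = server.challenge(user.id_u)
    id_u, r_u, mac = user.respond(r_s)
    transcript = (id_u, r_u, r_s, mac)
    return server.verify(*transcript), transcript


def replay(server: Server, transcript) -> bool:
    """An eavesdropper re-sends a captured response; it must be rejected."""
    return server.verify(*transcript)
```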
One way to establish trust in a user's public key is the web of trust approach used by the PGP (Pretty Good Privacy) e-mail encryption and authentication package. For example, in Figure 4.17, C can trust A through a chain of intermediate links.
[Figure 4.17: web of trust. A's certificate is signed by B, B's certificate is signed by D, and C trusts D; the question is whether C can trust A]
The second trust model is hierarchical trust with certificate authorities (CAs). This model is currently chosen for deploying and using certificates at large scale. The chain of trust is hierarchical: at the top are the root CAs, followed by the intermediate CAs.
[Figure 4.18: the second trust model (hierarchical trust with CAs). Root CAs (Verisign, Swisskey) sign intermediate CAs (Amazon), which issue client certificates (Bob and Alice at Amazon, Carol at Swisskey)]
- Root CAs: at the top of the hierarchy of trust chains are a number of root certificate authorities. Commonly used root CAs include Verisign, RSA, Baltimore, Entrust, Deutsche Telekom and Swisskey.
- Intermediate CAs: root CAs can issue certificates to users directly. For medium and large organizations, however, it is far more convenient to set up their own CA, which can then issue or revoke certificates for the organization's members. The certificate of such an intermediate CA is usually issued and signed by a root CA.
In principle any number of levels is possible, but usually only two or three levels separate a user's certificate from the root CA.

- General structure of an X.509 certificate

The web of trust usually uses OpenPGP certificates (RFC 2440, since superseded by RFC 4880). The hierarchical trust model usually uses ITU-T X.509 certificates (RFC 2459, since superseded by RFC 5280).
[Figure: X.509 certificate structure. Fields: Version, Serial Number, Signature (algorithm), Issuer, Validity, Subject, SubjectPublicKeyInfo, IssuerUniqueID (optional), SubjectUniqueID (optional), Extensions (optional). A hash function over the certificate yields its fingerprint]
Thus many vendors research and develop VPN equipment, and each vendor offers several product lines for different application needs. Products may be dedicated (serving only the VPN purpose) or combined (VPN functionality bundled with other functions, such as a router or firewall). Since no common standard exists, the way these products are used and configured also differs. The purpose of this chapter is to present the principles and implementation models of VPNs in general and to give an overview of the VPN market in Vietnam.
[Figure: VPN classification. Access VPN (dial and dedicated access), Intranet VPN, Extranet VPN]
- Extranet VPN: connects customers and partners to part of the central network over the Internet while preserving the properties of a private network.

5.2.1 Access VPN

There are many options for implementing an Access VPN, so the choice must be weighed carefully. As listed here, there are many access technologies, from traditional dial-up or ISDN to newer ones such as DSL. In addition a VPN architecture must be chosen: client-initiated or network access server (NAS)-initiated.

5.2.1.1 Client-initiated architecture

In a client-initiated Access IP-VPN, every remote user's PC must have IPSec software installed. When the user dials the ISP's POP (Point of Presence), this software initiates an IP-VPN tunnel and performs the encryption. The architecture is very secure, because the data is protected over the whole tunnel from the user's PC to the central network. Any access technology can be used to connect to the Internet. Moreover, this option is transparent to the ISP: the IP-VPN can be implemented without any change on the ISP side, such as encrypting data. The drawback is that the IPSec client software must be installed and administered on every remote PC.
[Figure: client-initiated Access VPN. A telecommuter's computer with an IPSec client connects through a modem or dial-up router over POTS/ISDN to the service provider's Network Access Server (NAS); the dial-in IPSec tunnel runs across the Internet to the home gateway and firewall of the private corporate network. Mobile IP is shown as a further access option]
In a NAS-initiated Access IP-VPN, the NAS (at the POP) initiates the tunnel and performs the encryption on behalf of the user. The link between the user and the POP is unprotected, so traffic on that first hop is in cleartext and its security rests on trusting the access network and the ISP; the rest of the path is secured by a tunnel with encrypted data. This model is easier to manage, since the IPSec client software on every remote PC need not be controlled, and it scales more easily than the client-initiated model, because only the NAS has to be configured rather than every PC.
[Figure: NAS-initiated Access VPN. Remote users (Remote 1, Remote 2) dial the service provider's POP over PSTN/ISDN; the NAS at the POP initiates the IPSec tunnel across the Internet to the home gateway of the corporate network and its corporate servers]
This model has several implementation options. In the first, the ISP manages, provides and maintains the basic Internet connection, while the organization itself manages everything else: data security, router and server administration, and resources such as dial-up modem pools. The second is a hybrid model, in which the organization and the service provider share the work roughly equally: the ISP provides the VPN equipment and guarantees QoS at the agreed bandwidth, while the organization's network administrator manages the applications and configuration and provides support and data-security services. In the third, the network administrator manages only the security servers, and the ISP provides the whole VPN solution, support, training and so on.

5.2.3 Some VPN products

As noted, many vendors research and develop VPN products, each offering several product lines, with different approaches and their own strengths and weaknesses. Below are examples of Cisco and NetScreen products; both vendors' ranges are fairly broad and serve a wide span of application needs.

Table 5.1: Examples of Cisco and NetScreen products
  Customer type    | Cisco remote access                              | Cisco site-to-site VPN routers | NetScreen
  ISP/Central site | 3080, 3060 Concentrators                         | 71x0 Routers                   | NetScreen-1000, NetScreen-500
  Medium site      | 3030 Concentrators                               | 7x00, 3600 Routers             | NetScreen-208, NetScreen-204
  Small office     | 3015, 3005 Concentrators                         | 3600, 2600, 1700 Routers       | NetScreen-50, NetScreen-20, NetScreen-XP
  Remote access    | Cisco VPN Software Client, 3002 Hardware Client  | 800, 905 Routers               | NetScreen-Remote
- Data origin authentication: can be configured to use a password (pre-shared key) or digital signatures.
- Key exchange: the Diffie-Hellman algorithm and digital certificates.
- Data encryption: one of DES or 3DES in CBC mode.

In future, VPN devices need to support stronger algorithms, such as AES for encryption and SHA-2 for authentication. Single DES should no longer be accepted in any new configuration: its 56-bit key has been recovered by brute force in practice since 1998, and 3DES has since been deprecated by NIST as well.

5.3.1 Client-to-LAN connection

In this case a remote user needs to connect to the central network to access e-mail, database files, presentations and so on. One way to implement this connection is a VPN 3000 Concentrator at the organization's central site together with the VPN 3000 Client software on the user's computer.
[Figure: Client-to-LAN connection. Application server and VPN Concentrator at the central site; remote computers reach their ISP over PPP connectivity, and the IPSec tunnel runs across the Internet from each computer to the concentrator]
At the central site, the VPN 3000 Concentrator is the other endpoint of the tunnel. It decrypts, authenticates and decapsulates the data.
[Figure: Client-to-LAN addressing. Application server at private IP 192.168.1.5; VPN Concentrator public IP 172.26.26.1; telecommuter with VPN 3000 Client, network adapter (NIC) IP address 203.162.5.19 and client (inner) IP address 192.168.1.20. The ESP packet exchanged over the Internet carries the inner datagram 192.168.1.10 -> 192.168.1.20 with its DATA]
- Setting the user's access rights: time of day, number of access hours, permitted protocols.
- Managing the security keys for encryption and decryption.
- Establishing the IPSec session.
- Authenticating, encrypting and decrypting the data passing through the tunnel.
[Figure: LAN-to-LAN tunnel between two VPN Concentrators across the Internet, with public IPs 172.26.26.1 and 203.16.5.19. Inside the ESP payload travels the inner datagram 192.168.1.10 -> 192.168.1.20 (PC IP address 192.168.1.20) with its DATA]
CONCLUSION

VPN is a widely used technology for providing secure and efficient access to a company's internal resources from outside over the Internet. Although it runs over shared network infrastructure, the privacy of the data is preserved as if the traffic were carried on a private network. This thesis studies the technical issues and implementation models of IP-VPN technology. Tunneling is the foundation of IP-VPN, and within the scope of this thesis the tunneling protocols PPTP, L2TP and IPSec are presented. PPTP and L2TP are tunneling protocols developed on top of PPP; they are mature standards, and products supporting them are fairly common. For applications that require strong data security, IPSec is the appropriate protocol. IPSec supports the strongest authentication and encryption methods and is highly flexible, since it is not bound to any one authentication or encryption method. It is regarded as the optimal protocol for IP-VPN and is studied in the most detail. In addition, the thesis presents several encryption, authentication and data-integrity algorithms that are used together with IPSec. Currently many vendors in Vietnam offer VPN solutions to enterprises, each with its own VPN configuration. As enterprises pay ever more attention to information security, IP-VPN technology promises strong growth in the future. Telecommunications networks worldwide are moving towards IP and the technology of next-generation networks (NGN), and the integration of fixed and mobile networks is being pursued and developed. In the future IP-VPN will therefore be applied to mobile telephone networks as well, and telecommunications services will become very flexible, combining
the transmission of video, data and voice. This is also the next direction of this work. Despite my best efforts, IP-VPN technology has many implementation options and involves many complex protocols and algorithms, and with limited time and ability this thesis can hardly avoid shortcomings. I would very much welcome comments from teachers and friends so that the matters presented here can be corrected and extended.

Vinh, May 2009
Student: Bùi Văn Nhật