
University graduation thesis

IP-VPN Technology

TABLE OF CONTENTS

Table of contents ... i
List of tables ... v
List of figures ... vi
Abbreviations ... ix
PREFACE ... 1
Chapter 1 THE TCP/IP PROTOCOL SUITE ... 3
1.1 The concept of the Internet ... 3
1.2 Layered model of the TCP/IP protocol suite ... 4
1.3 Protocols in the TCP/IP model ... 5
1.3.1 The Internet Protocol ... 5
1.3.1.1 General introduction ... 5
1.3.1.2 IPv4 structure ... 6
1.3.1.3 IP fragmentation and reassembly ... 8
1.3.1.4 IP addressing and routing ... 9
1.3.1.5 IPv6 packet structure ... 9
1.3.2 Transport layer protocols ... 11
1.3.2.1 The UDP protocol ... 11
1.3.2.2 The TCP protocol ... 12
1.4 Summary ... 17
Chapter 2 VIRTUAL PRIVATE NETWORK TECHNOLOGY OVER THE INTERNET (IP-VPN) ... 18
2.1 Introduction to virtual private networks over the Internet (IP-VPN) ... 18
2.1.1 The concept of an Internet-based virtual private network ... 18
2.1.2 Applications of IP-VPN ... 18
2.2 Basic building blocks of an IP-VPN ... 19
2.2.1 Access control ... 19
2.2.2 Authentication ... 20
2.2.3 Security ... 21
2.2.4 Tunneling, the foundation of IP-VPN ... 21
2.2.5 Service level agreements ... 23
2.3 Classification of virtual private networks by architecture ... 23

Bùi Văn Nhật, 45K2 ĐTVT


2.3.1 Remote-access IP-VPN ... 23
2.3.2 Site-to-Site IP-VPN ... 25
2.3.2.1 Intranet IP-VPN ... 25
2.3.2.2 Extranet IP-VPN ... 26
2.4 Tunneling protocols in IP-VPN ... 27
2.4.1 PPTP (Point-to-Point Tunneling Protocol) ... 28
2.4.1.1 Tunnel maintenance with the PPTP control connection ... 28
2.4.1.2 PPTP tunnel data encapsulation ... 29
2.4.1.3 PPTP tunnel data processing ... 30
2.4.1.4 Encapsulation diagram ... 30
2.4.2 L2TP (Layer Two Tunneling Protocol) ... 31
2.4.2.1 Tunnel maintenance with L2TP control messages ... 32
2.4.2.2 L2TP data tunneling ... 32
2.4.2.3 L2TP over IPSec tunnel data processing ... 33
2.4.2.4 L2TP over IPSec encapsulation diagram ... 33
2.5 Summary ... 35
Chapter 3 THE IPSEC PROTOCOL FOR IP-VPN ... 36
3.1 Introduction ... 36
3.1.1 The concept of IPSec ... 36
3.1.2 Related reference standards ... 37
3.2 IPSec information encapsulation ... 38
3.2.1 Modes of use ... 38
3.2.1.1 Transport mode ... 39
3.2.1.2 Tunnel mode ... 39
3.2.2 The Authentication Header (AH) protocol ... 40
3.2.2.1 Introduction ... 40
3.2.2.2 AH packet structure ... 41
3.2.2.3 AH processing ... 42
3.2.3 The Encapsulating Security Payload (ESP) protocol ... 45
3.2.3.1 Introduction ... 45
3.2.3.2 ESP packet structure ... 46
3.2.3.3 ESP processing ... 48
3.3 Security Associations (SA) and the IKE key exchange protocol ... 53
3.3.1 Security Associations (SA) ... 53
3.3.1.1 Definition and objectives ... 53
3.3.1.2 Combining SAs ... 54
3.3.1.3 SA databases ... 55
3.3.2 The IKE key exchange protocol ... 56
3.3.2.1 Step one ... 57
3.3.2.2 Step two ... 59
3.3.2.3 Step three ... 61
3.3.2.4 Step four ... 63
3.3.2.5 Tunnel termination ... 63
3.4 Protocols applied in IPSec processing ... 63
3.4.1 Message encryption ... 63
3.4.1.1 The Data Encryption Standard (DES) ... 63
3.4.1.2 Triple DES (3DES) ... 64
3.4.2 Message integrity ... 64
3.4.2.1 Hashed message authentication code (HMAC) ... 65
3.4.2.2 The MD5 algorithm ... 65
3.4.2.3 The Secure Hash Algorithm (SHA) ... 65
3.4.3 Peer authentication ... 65
3.4.3.1 Pre-shared keys ... 66
3.4.3.2 RSA digital signatures ... 66
3.4.3.3 RSA-encrypted nonces ... 66
3.4.4 Key management ... 66
3.4.4.1 The Diffie-Hellman protocol ... 67
3.4.4.2 Certificate Authorities (CA) ... 68
3.5 Example of an IP-VPN operating with IPSec ... 69
3.6 Summary ... 70
Chapter 4 DATA SECURITY IN IP-VPN ... 71
4.1 Introduction ... 71
4.2 Cryptography ... 72
4.2.1 The concept of cryptography ... 72
4.2.2 Symmetric-key cryptosystems ... 73
4.2.2.1 The ECB and CBC modes of operation ... 73
4.2.2.2 The DES algorithm (Data Encryption Standard) ... 75
4.2.2.3 Introduction to AES (Advanced Encryption Standard) ... 77
4.2.2.4 Stream cipher algorithms ... 78
4.2.3 Public-key cryptosystems ... 78
4.2.3.1 Introduction to public-key cryptography theory ... 78
4.2.3.2 The RSA public-key cryptosystem ... 80
4.2.4 The Diffie-Hellman key exchange algorithm ... 82
4.3 Authentication ... 83
4.3.1 Data integrity authentication ... 83
4.3.1.1 Message digests (MD) based on one-way hash functions ... 83
4.3.1.2 Message authentication codes (MAC) based on keyed one-way hash functions ... 87
4.3.1.3 Digital signatures based on public-key cryptosystems ... 89
4.3.2 Data origin authentication ... 90
4.3.2.1 Authentication methods ... 90
4.3.2.2 Digital certificates ... 92
Chapter 5 IMPLEMENTING IP-VPN ... 96
5.1 Introduction ... 96
5.2 IP-VPN implementation models ... 97
5.2.1 Access VPN ... 98
5.2.1.1 Client-initiated architecture ... 98
5.2.1.2 NAS-initiated (network access server) architecture ... 99
5.2.2 Intranet IP-VPN and Extranet IP-VPN ... 99
5.2.3 Some VPN products ... 100
5.3 Example IP-VPN implementations ... 100
5.3.1 Client-to-LAN connection ... 101
5.3.2 LAN-to-LAN connection ... 103
CONCLUSION ... 104
References ... 106
Websites consulted ... 107


List of tables

Table 3.1: RFCs related to IPSec ... 38
Table 3.2: Results of combining permit and deny statements ... 59
Table 3.3: Chapter summary of the IPSec protocols ... 70
Table 4.1: Some commonly used protocols and algorithms ... 71
Table 4.2: Key-breaking time for the RSA/DSS and ECC algorithms ... 80
Table 4.3: Summary of the RSA algorithm and its complexity ... 81
Table 4.4: Steps of a Diffie-Hellman key exchange ... 82
Table 5.1: Example products from Cisco and NetScreen ... 100


List of figures

Figure 1.1: Layered model of the TCP/IP protocol suite ... 4
Figure 1.2: Routing with IP datagrams ... 5
Figure 1.3: Connectionless protocol ... 6
Figure 1.4: IPv4 packet structure ... 6
Figure 1.5: Fragmentation in IP ... 8
Figure 1.6: IPv4 address classes ... 9
Figure 1.7: IPv6 header structure ... 10
Figure 1.8: UDP header structure ... 12
Figure 1.9: TCP header structure ... 12
Figure 1.10: TCP connection establishment ... 14
Figure 1.11: TCP connection teardown procedure ... 15
Figure 1.12: Fixed-size sliding window mechanism ... 17
Figure 2.1: Tunneling in virtual private networking ... 21
Figure 2.2: Hiding private IP addresses with tunneling ... 22
Figure 2.3: Remote-access IP-VPN ... 25
Figure 2.4: Intranet IP-VPN ... 26
Figure 2.5: Extranet IP-VPN ... 26
Figure 2.6: PPTP control connection packet ... 29
Figure 2.7: PPTP tunnel data ... 29
Figure 2.8: PPTP encapsulation diagram ... 30
Figure 2.9: L2TP control message ... 32
Figure 2.10: L2TP packet encapsulation ... 32
Figure 2.11: L2TP encapsulation diagram ... 34
Figure 3.1: IP packet in Transport mode ... 39
Figure 3.2: IP packet in Tunnel mode ... 39
Figure 3.3: Network device implementing IPSec in Tunnel mode ... 40
Figure 3.4: AH header structure for an IPSec datagram ... 41
Figure 3.5: IPv4 format before and after AH Transport-mode processing ... 43
Figure 3.6: IPv6 format before and after AH Transport-mode processing ... 43
Figure 3.7: Packet format after AH Tunnel-mode processing ... 44
Figure 3.8: ESP encapsulation processing ... 46
Figure 3.9: ESP packet format ... 46
Figure 3.10: IPv4 format before and after ESP Transport-mode processing ... 48
Figure 3.11: IPv6 format before and after ESP Transport-mode processing ... 49
Figure 3.12: Packet format after ESP Tunnel-mode processing ... 49
Figure 3.13: Combining Tunnel-mode SAs when both endpoints coincide ... 55
Figure 3.14: Combining Tunnel-mode SAs when one endpoint coincides ... 55
Figure 3.15: Combining Tunnel-mode SAs when no endpoints coincide ... 55
Figure 3.16: IKE Main mode, Aggressive mode and Quick mode ... 57
Figure 3.17: Access control list (ACL) ... 58
Figure 3.18: IKE phase one using Main Mode ... 59
Figure 3.19: IPSec transform sets ... 62
Figure 3.20: Example of an IP-VPN operating with IPSec ... 69
Figure 4.1: General concepts used in cryptographic algorithms ... 72
Figure 4.2: Electronic codebook (ECB) mode ... 74
Figure 4.3: Block cipher in CBC mode ... 74
Figure 4.4: DES algorithm diagram ... 75
Figure 4.5: Feistel network ... 76
Figure 4.6: Key distribution in symmetric-key cryptosystems ... 77
Figure 4.7: Stream cipher ... 78
Figure 4.8: Public-key encryption diagram ... 79
Figure 4.9: A one-bit change in the message changes 50% of the digest (MD) bits ... 85
Figure 4.10: The common hash functions MD5 and SHA ... 86
Figure 4.11: Basic structure of MD5 and SHA ... 86
Figure 4.12: Integrity authentication based on message authentication codes (MAC) ... 87
Figure 4.13: MAC generation process ... 88
Figure 4.14: Digital signature ... 90
Figure 4.15: MAC challenge-response protocol ... 91
Figure 4.16: Challenge-response protocol using digital signatures ... 92
Figure 4.17: First trust model (PGP Web of Trust) ... 93
Figure 4.18: Second trust model (trust hierarchy with CAs) ... 94
Figure 4.19: General structure of an X.509 certificate ... 95
Figure 5.1: The three IP-VPN models ... 97
Figure 5.2: Remote-access IP-VPN initiated by the user ... 98
Figure 5.3: IP-VPN access initiated by the server ... 99
Figure 5.4: Router-initiated IP-VPN ... 99
Figure 5.5: Components of a Client-to-LAN connection ... 101
Figure 5.6: Client-to-LAN IPSec tunnel ... 102
Figure 5.7: IPSec client software ... 103
Figure 5.8: LAN-to-LAN IPSec tunnel ... 104


Abbreviations

Each entry gives the abbreviation, its English expansion and, in parentheses, the gloss used in this thesis where it adds to the expansion.

3DES: Triple DES (the 3DES cipher algorithm)
AA: Access Accept
AAA: Authentication, Authorization and Accounting
AC: Access Control
ACK: Acknowledge
ACL: Access Control List
ADSL: Asymmetric Digital Subscriber Line (asymmetric digital subscriber line access technology)
AH: Authentication Header (authentication header protocol)
ARP: Address Resolution Protocol
ARPA: Advanced Research Project Agency (US advanced research projects agency)
ARPANET: Advanced Research Project Agency Network (the network of the US advanced research projects agency)
ATM: Asynchronous Transfer Mode
BGP: Border Gateway Protocol (inter-domain gateway routing protocol)
B-ISDN: Broadband Integrated Services Digital Network
BOOTP: Boot Protocol (bootstrap protocol)
CA: Certificate Authority
CBC: Cipher Block Chaining (cipher block chaining mode)
CHAP: Challenge-Handshake Authentication Protocol
CR: Cell Relay (cell relay technology)
CSU: Channel Service Unit
DCE: Data Communication Equipment
DES: Data Encryption Standard (the DES cipher algorithm)
DH: Diffie-Hellman (the Diffie-Hellman key exchange protocol)
DLCI: Data Link Connection Identifier
DNS: Domain Name System
DSL: Digital Subscriber Line (digital subscriber line technology)
DSLAM: DSL Access Multiplexer
DTE: Data Terminal Equipment
EAP: Extensible Authentication Protocol
ECB: Electronic Code Book mode
ESP: Encapsulating Security Payload (encapsulating security payload protocol)
FCS: Frame Check Sequence
FDDI: Fiber Distributed Data Interface
FPST: Fast Packet Switched Technology
FR: Frame Relay (frame relay technology)
FTP: File Transfer Protocol
GRE: Generic Routing Encapsulation
HMAC: Hashed-keyed Message Authentication Code (hashed message authentication code)
IBM: International Business Machines (the IBM company)
ICMP: Internet Control Message Protocol
ICV: Integrity Check Value
IETF: Internet Engineering Task Force (the technical standards body for the Internet)
IKE: Internet Key Exchange (key exchange protocol)
IKMP: Internet Key Management Protocol
IN: Intelligent Network (intelligent network technology)
IP: Internet Protocol (the Internet layer protocol)
IPSec: IP Security Protocol (Internet security protocol)
ISAKMP: Internet Security Association and Key Management Protocol
ISDN: Integrated Services Digital Network
ISO: International Standard Organization (international standards organization)
ISP: Internet Service Provider
IV: Initial Vector (initialization vector)
L2F: Layer 2 Forwarding (layer 2 forwarding protocol)
L2TP: Layer 2 Tunneling Protocol
LAN: Local Area Network
LCP: Link Control Protocol
MAC: Message Authentication Code
MD5: Message Digest 5 (the MD5 message digest algorithm)
MTU: Maximum Transfer Unit
NAS: Network Access Server
NGN: Next Generation Network
NSA: National Security Agency (US national security agency)
OSI: Open System Interconnection
OSPF: Open Shortest Path First (the OSPF routing protocol)
PAP: Password Authentication Protocol
PDU: Protocol Data Unit
PKI: Public Key Infrastructure
POP: Point of Presence
PPP: Point-to-Point Protocol
PPTP: Point-to-Point Tunneling Protocol
PSTN: Public Switched Telephone Network
RADIUS: Remote Authentication Dial-in User Service
RARP: Reverse Address Resolution Protocol
RAS: Remote Access Service
RFC: Request for Comments (the IP standards documents issued by the IETF)
RIP: Realtime Internet Protocol (real-time signalling protocol)
RSA: Rivest-Shamir-Adleman (name of a public-key encryption process)
SA: Security Association
SAD: SA Database
SHA-1: Secure Hash Algorithm 1 (the SHA-1 hash algorithm)
SMTP: Simple Mail Transfer Protocol
SN: Sequence Number
SPI: Security Parameter Index
SS7: Signalling System No. 7
TCP: Transmission Control Protocol
TFTP: Trivial File Transfer Protocol
TLS: Transport Level Security (transport-level security)
UDP: User Data Protocol (user data protocol)
VPN: Virtual Private Network
WAN: Wide Area Network

Mathematical symbols

C: Ciphertext.
D: Decryption algorithm.
DK: Decryption algorithm with key K.
E: Encryption algorithm.
EK: Encryption algorithm with key K.
IV: Initialization vector.
K: The key K.
KR: Private (secret) key.
KU: Public key.
Li, Ri: Left and right halves at round i of the DES encryption algorithm.
P: Plaintext.


PREFACE

Along with the trend of globalization, international exchange and cooperation keep expanding, and business relationships no longer stop within a district, a province or a country but extend across the whole world. A company may have branches and business partners in many countries, and they constantly need to exchange information with one another. To keep the exchanged information confidential, the traditional approach is to use leased channels, but their drawback is that they are expensive and waste resources when the data exchanged is small in volume and infrequent. For this reason other technologies have been studied that can still satisfy this need for information exchange while being cheaper and more convenient: the virtual private network solution. A VPN is defined as a network that connects customer sites securely over a shared network infrastructure, with access control and security policies that make it behave like a private network. There have been many options for deploying VPNs, such as X.25, ATM, Frame Relay, leased line... However, implementing these solutions requires very large expenditure on equipment, plus very large operating, maintenance and management costs that the enterprise has to bear, while the service providers only guarantee a dedicated channel for data and give no certainty about the security of that channel. Organizations and enterprises that use IP VPN services save a great deal of cost when they want to connect branch offices together, access the internal network remotely or make VoIP calls, with a high level of security. Today ADSL has become widespread and cheap, so implementing IP VPN has become very simple and effective and makes use of high-speed Internet links. IP VPN is highly interoperable and widely adopted, so equipment from products of different brands can be combined.

On that basis, I decided to choose IP-VPN technology as the research direction of my thesis. The purpose of the thesis is to study the basic technical issues involved in implementing IP-VPN. The thesis is organized into 5 chapters:

- Chapter 1: The TCP/IP protocol suite. This chapter gives an overview of the TCP/IP protocol suite.
- Chapter 2: Virtual private network technology over the Internet (IP-VPN). This chapter presents the VPN concepts, starting with an analysis of the IP-VPN concept and the advantages that make it a solution capable of strong growth in the market. Next it presents the basic functional blocks of IP-VPN and classifies virtual private networks by their structure. Finally it presents the tunneling protocols used for IP-VPN.
- Chapter 3: The IPSec protocol for IP-VPN. This chapter presents the IPSec protocol. IPSec, the key protocol suite used for IP-VPN, ensures data integrity, consistency, confidentiality and authentication of data transmitted over a public network infrastructure.
- Chapter 4: Data security in IP-VPN. Presents a number of algorithms applied to secure data for IP-VPN based on IPSec.
- Chapter 5: Implementing IP VPN. This chapter presents the IP VPN implementation methods currently in use.

IP-VPN technology is not a new subject in the world, and it is also being widely deployed in Vietnam. However, deploying it completely still involves many difficulties to be solved; this thesis stops at the level of theoretical study with basic analysis.

I would like to sincerely thank Vinh University and the teachers of the Faculty of Technology for creating favourable conditions and helping me during my studies and research. In particular, I express my deep respect and gratitude to Dr. Phạm Văn Bình, lecturer at Hanoi University of Science and Technology, who devotedly guided and advised me during the research, development and completion of this thesis. Although I received a great deal of help from my supervisor and teachers, and despite my own efforts, the thesis cannot avoid errors, so I hope to receive further comments from teachers, friends and everyone interested in this field.

Vinh, May 2009
Student: Bùi Văn Nhật


Chng 1 B GIAO THC TCP/IP 1.1 Khi nim mng Internet


In June 1968, an agency of the US Department of Defense, the Advanced Research Projects Agency (ARPA), built a project to connect the large research centres across the federation, with the aim of sharing and exchanging information resources; this marked the birth of ARPANET, the forerunner of today's Internet. Initially the communication protocol used in ARPANET was NCP (Network Control Protocol), but it was later replaced by the TCP/IP protocol suite (Transmission Control Protocol/Internet Protocol). The TCP/IP suite consists of a set of network standards that specify in detail how computers communicate with each other, as well as the conventions for internetwork connection and routing. Formerly, the Internet was defined as the network of all networks using the IP protocol. Today that is no longer accurate, because many networks with different architectures can still connect to the Internet through protocol gateways and still use the full range of Internet services. The Internet is not merely a collection of interconnected networks: internetworking also means that networks are linked on the basis of mutual agreement on conventions that allow computers to communicate, even when the communication path passes through networks to which they have no direct connection. Thus Internet technology hides the hardware details of the network and lets computer systems exchange information independently of their physical network links.

TCP/IP has the following characteristics that have made it popular:
- Independence from the network architecture: TCP/IP can be used over Ethernet and Token Ring architectures, in local area networks (LAN) as well as wide area networks (WAN).
- Open protocol standard: TCP/IP can be implemented on any hardware or operating system. It is therefore the ideal protocol suite for combining different hardware and software.
- Global addressing scheme: every computer on a TCP/IP network has a unique, well-defined address. Every data packet sent on a TCP/IP network has a header containing the address of the destination machine as well as that of the source machine.
- Client-server framework: TCP/IP is the framework for powerful client-server applications operating over local and wide area networks.
- Application protocol standards: TCP/IP not only gives the programmer a method for transferring data between applications over the network, but also provides many application-level methods (protocols that implement functions such as e-mail and file transfer).

1.2 The layered model of the TCP/IP protocol suite

The TCP/IP protocol suite is a combination of different protocols at different layers, not just the TCP and IP protocols. Each layer has its own function. The TCP/IP model is organised into 4 layers (viewed from the application side down to the physical layer) as follows:

Figure 1.1: The layered model of the TCP/IP protocol suite

- Application layer: Handles the details of each particular application. It corresponds to the application and presentation layers of the OSI model. It comprises the high-level protocols, encoding, dialogue control... and application services such as SMTP, FTP, TFTP... Today there are hundreds or even thousands of protocols in this layer. Application programs communicate with the transport-layer protocols to send and receive data. An application program passes data in the form of requests to the transport layer for processing before it is handed down to the Internet layer to find a route.
- Transport layer: Responsible for carrying messages from one process (a running program) to another. The transport layer ensures that information arrives at the receiver without errors and in the right order. It has 2 very different protocols: the Transmission Control Protocol TCP and the User Datagram Protocol UDP.
- Internet layer: Provides hardware-independent addressing, thanks to which data can move between subnets with different physical architectures. This layer controls the forwarding of packets across the network and routes packets. (It supports the inter-IP protocol; the notion of internetwork refers to the larger network: the network linking the LANs.) The protocols of this layer are IP, ICMP, ARP and RARP.
- Network access layer: Provides the interface to the physical network. (This layer usually consists of the device drivers in the operating system and the corresponding network interface cards in the computer. It handles all the hardware details, or carries out the physical interface with the cable (or with whatever medium is used).) It provides error control for the data distributed over the physical network. This layer defines no protocol of its own; it supports all standard and proprietary protocols, for example Ethernet, Token Ring, FDDI, X.25, wireless, Async, ATM, SNA...

1.3 The protocols of the TCP/IP model

1.3.1 The Internet Protocol
1.3.1.1 General introduction
The purpose of the Internet Protocol is to carry information (data) from source to destination. IP uses datagrams. Each datagram contains the destination address, and IP uses this information to route the packet to its destination along a suitable path. Packets of the same pair of users may take different routes; routing is performed separately for each packet. The IP protocol keeps no state: once a datagram has been sent, the sender need not retain any information about it, so there is no way to detect lost packets, and duplicated or out-of-order packets may result.
Figure 1.2: Routing when using IP datagrams (packets 1, 2 and 3 of one flow follow different paths through the network).


The Internet Protocol is connectionless, meaning that no path needs to be set up before data is transmitted and every packet is handled independently. IP does not checksum its data portion; only the packet header is checked, to avoid delivery to the wrong address. Packets may travel along many different routes to the destination. Consequently the data in an IP datagram is not guaranteed. To cope with lost or duplicated packets, IP must rely on a higher-layer protocol for reliable transmission (for example TCP).

Figure 1.3: The connectionless protocol (data from Sender 1 and Sender 2 reaches the Receiver over independent paths)


1.3.1.2. The IPv4 structure
The information received from the transport layer has the IP header prepended. This header is between 20 and 60 bytes long, depending on the optional functions used. The structure of the IPv4 packet is described in Figure 1.4.

Figure 1.4: The IPv4 packet structure


Explanation of the fields:

* Version: indicates the version of the IP protocol used to create the datagram; it lets the sender, the receiver and the routers agree on the format of the data. Here the version is IPv4.
* IP header length: gives the length of the datagram header, measured in 32-bit words.
* Type of service: this 8-bit field has 2 parts, a precedence field and the type of service. The precedence field has 3 bits used to assign a priority level to the datagram, providing a mechanism for controlling packets through the network. The remaining bits specify the traffic type of the datagram as it crosses the network, in terms of throughput, delay and reliability characteristics. However, the Internet itself does not guarantee quality of service, so this field is only a request to the routers, not a demand.
* Total length: a 16-bit field used to specify the length of the whole IP datagram.
* Identification: a 16-bit identification field. The host uses it to detect and group the fragments into which a packet has been split. Routers fragment datagrams when the packet's maximum transmission unit (MTU, Maximum Transmission Unit) is larger than the MTU of the transmission medium.
* Flags: contains 3 bits used to control fragmentation; the first bit tells the routers whether fragmentation of the packet is permitted, and the 2 low-order bits are used to control fragmentation, in combination with the identification field, so that the packet can be recognised after fragmentation. Fragment offset: carries information about how many times a packet has been divided; the size of a packet depends on the underlying transmission network, that is, the packet length cannot exceed the MTU of the transmission medium.
* Time-to-live: used to prevent packets from looping in the network. It acts as a countdown counter, preventing packets from travelling too long in the network. Any packet whose time-to-live reaches 0 is discarded by the router, and an error message is sent back to the station that sent the packet.
* Protocol: this field identifies, as a number, the next higher-level protocol that is using the IP service.
* Header checksum: a 16-bit checksum field, calculated over all the fields of the IPv4 header. When a packet passes through routers, fields in the header may change, so this field must be recalculated and updated to ensure the reliability of the routing information.

Bi Vn Nht 45K2TVT

n tt nghip i hc

Cng ngh IP - VPN

* Source Address, Destination Address: used by the routers and gateways to route the data units; they always travel with the packet from source to destination.
* Options and Padding: of variable length, used to add optional information and padding so that the data begins on a 32-bit boundary.

1.3.1.3. IP fragmentation and reassembly
An IP implementation must always have algorithms for fragmenting and reassembling data, because every datagram is subject to a maximum permitted frame size on a point-to-point link, called the MTU. When passing through different networks with different MTUs, the packet is fragmented according to the MTU of that network. The MTU of a network is determined by the network's characteristics so that packets are transmitted at the highest speed. On its way from source to destination a datagram may traverse many different networks. Each router extracts the IP datagram from the data frame it received, processes it and then encapsulates it in another data frame. The datagrams formed after fragmentation are numbered in sequence for convenient reassembly later. The format and size of the received data frame depend on the protocol of the physical network the frame crosses. If IP needs to deliver a datagram larger than the MTU, it sends the datagram in fragments, which are reassembled at the receiving end to restore the original. Figure 1.5 illustrates fragmentation.

Figure 1.5: Fragmentation in IP
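The fragmentation and reassembly procedure of this section, as an added Python example (not code from the thesis): it builds a 20-octet IPv4 header with its checksum, splits a datagram at a link MTU while setting the MF flag and the 8-octet fragment offset, fragments a fragment again at a smaller MTU, and reassembles at the destination from fragments arriving in any order. The addresses, identification value and payload are constructed sample values; headers with options (IHL > 5) are not handled.

```python
import socket
import struct
from dataclasses import dataclass

IP_DF = 0x4000  # Flags: "don't fragment"
IP_MF = 0x2000  # Flags: "more fragments"


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (the IP header checksum)."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero octet for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class IPv4Header:
    src: str
    dst: str
    ident: int
    proto: int
    ttl: int = 64
    dont_frag: bool = False
    more_frags: bool = False
    frag_offset: int = 0  # in units of 8 octets
    total_length: int = 20


def build_header(h: IPv4Header) -> bytes:
    """Serialise a 20-octet header (IHL = 5, no options) and fill in the checksum."""
    flags_frag = (IP_DF if h.dont_frag else 0) | (IP_MF if h.more_frags else 0)
    flags_frag |= h.frag_offset & 0x1FFF
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, h.total_length, h.ident, flags_frag,
                      h.ttl, h.proto, 0, socket.inet_aton(h.src), socket.inet_aton(h.dst))
    return raw[:10] + struct.pack("!H", internet_checksum(raw)) + raw[12:]


def parse_header(pkt: bytes) -> IPv4Header:
    """Decode the header and verify its checksum (a router does this at every hop)."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, _tos, total_length, ident, ff, ttl, proto, _csum, src, dst = fields
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 with a 20-octet header is handled here")
    if internet_checksum(pkt[:20]) != 0:  # a valid header sums to zero with its checksum included
        raise ValueError("bad header checksum")
    return IPv4Header(socket.inet_ntoa(src), socket.inet_ntoa(dst), ident, proto, ttl,
                      bool(ff & IP_DF), bool(ff & IP_MF), ff & 0x1FFF, total_length)


def make_datagram(src, dst, ident, proto, payload, ttl=64, dont_frag=False) -> bytes:
    hdr = IPv4Header(src, dst, ident, proto, ttl, dont_frag, total_length=20 + len(payload))
    return build_header(hdr) + payload


def fragment(pkt: bytes, mtu: int) -> list:
    """Split a datagram (or an existing fragment) so that every piece fits the link MTU."""
    h = parse_header(pkt)
    payload = pkt[20:h.total_length]
    if h.total_length <= mtu:
        return [pkt]
    if h.dont_frag:
        raise ValueError("DF set: datagram needs fragmentation but forbids it")
    step = (mtu - 20) // 8 * 8  # every piece but the last carries a multiple of 8 octets
    pieces = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        last = off + step >= len(payload)
        fh = IPv4Header(h.src, h.dst, h.ident, h.proto, h.ttl, False,
                        more_frags=h.more_frags or not last,  # last piece inherits MF from the input
                        frag_offset=h.frag_offset + off // 8, total_length=20 + len(chunk))
        pieces.append(build_header(fh) + chunk)
    return pieces


def reassemble(frags: list) -> bytes:
    """Rebuild the original datagram from fragments in any order (only the destination host does this)."""
    hdrs = [parse_header(f) for f in frags]
    if len({(h.src, h.dst, h.ident, h.proto) for h in hdrs}) != 1:
        raise ValueError("fragments belong to different datagrams")
    parts = {h.frag_offset * 8: f[20:h.total_length] for h, f in zip(hdrs, frags)}
    ends = [h.frag_offset * 8 + h.total_length - 20 for h in hdrs if not h.more_frags]
    if not ends:
        raise ValueError("last fragment (MF = 0) missing")
    data = b""
    while len(data) < ends[0]:
        if len(data) not in parts:
            raise ValueError("hole at octet %d: fragment missing" % len(data))
        data += parts[len(data)]
    h = hdrs[0]
    return make_datagram(h.src, h.dst, h.ident, h.proto, data, ttl=h.ttl)


if __name__ == "__main__":
    # constructed sample: 1000 octets of UDP payload from 10.0.0.1 to 10.0.0.2 over a 576-octet MTU
    datagram = make_datagram("10.0.0.1", "10.0.0.2", 0x1234, 17, bytes(range(256)) * 3 + bytes(232))
    pieces = fragment(datagram, 576)
    print([(len(p), parse_header(p).frag_offset, parse_header(p).more_frags) for p in pieces])
    assert reassemble(pieces[::-1]) == datagram
```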


When fragmenting, most fields are repeated with only a few changes, and each fragment may itself be fragmented again if it meets a network whose MTU is smaller than its size. Only the destination host is able to reassemble the fragments. Since each fragment is processed independently, it may cross different networks and nodes to reach the destination.
1.3.1.4. IP addressing and routing
Addressing: every station in the network is characterised by a fixed number called its IP address. The IP address is used in the network layer to route packets across the network. Because the organisation and size of the subnets in the internetwork differ, IP addresses are divided into classes A, B, C, D and E.

Figure 1.6: The IPv4 address classes


Routing in the Internet: routing in a packet-switched network system refers to the process of choosing the path along which data packets are sent through that system. The router is the component that performs the routing function. Routing creates a virtual network made up of many physical networks that provides a connectionless packet delivery service. Many different routing protocols and software are used. The choice of path for a packet is based on two criteria: the state of the nodes and links, or the distance to the destination (the length of the path or the number of hops). Once the distance criterion is chosen, other parameters such as delay, bandwidth or the probability of packet loss are taken into account when selecting the route.
1.3.1.5. The IPv6 packet structure
The world is facing a shortage of IP addresses for network devices; the 32-bit address cannot keep up with the explosive growth of the network. Moreover, IPv4 is an old protocol that does not meet the new requirements for security, routing flexibility and traffic support. The IPv6 Forum was started in July 1999 by 50 leading Internet providers with the aim of developing the IPv6 protocol, which is designed with functions and formats extended beyond IPv4 to address the problem of improving the quality and security


of the Internet. IPv6 is especially important as mobile computing devices continue to join the Internet in the future. The changing nature of the Internet and of commercial networks has made the IP internetworking protocol obsolete. Formerly, the Internet and most TCP networks supported fairly simple distributed applications such as file transfer, mail and TELNET remote access. Today, however, the Internet is increasingly a medium and environment rich in applications, led by the www (World Wide Web) service. All these developments have far outstripped the functions and services IP can provide. An internetworking environment must support real-time traffic, flexible congestion control schemes and security features that IPv4 does not currently provide in full. Figure 1.7 illustrates the IPv6 packet structure.
Figure 1.7: The IPv6 header structure (40 octets; each row is bits 0 to 31):
Version | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address


* Version: indicates the IPv6 version.
* Traffic Class: 8 bits long, used to distinguish traffic and hence to affect the priority of traffic.
* Flow Label: 20 bits long, lets the source indicate the kind of information in the data so as to specify special handling from source to destination in packet order. For example, voice and video frames are given priority over ordinary computer data when passing through transit gateways as the packet moves across the network.
* Payload Length: 16 bits long, specifies the length of the payload following the header. The default maximum is 64K octets, but a larger value can be used by setting this field to 0 and including an extension field (after the basic header) that holds the actual value. Extension information is carried in separate extension headers. They follow the destination address field, and a number of such headers are currently defined. Each kind is distinguished by a different value in the header field.


* Hop Limit: 8 bits long, used to prevent a datagram from circulating endlessly. The value is decremented each time the datagram passes through a router, and if it reaches 0 before the designated destination is reached the datagram is discarded.
* Source Address and Destination Address: the source and destination address fields in IPv6 are 128 bits long, written in hexadecimal with groups separated by colons.
Characteristics of IPv6
+ An expanded address space that allows hierarchy and solves the address shortage. IPv6 has 2^128 addresses (about 3.4 x 10^38 addresses).
+ More efficient routing: IPv6 address registration is designed so that the size of the backbone routing table does not exceed 10,000 entries, whereas IPv4 routing tables are usually larger than 100,000 entries.
+ A smaller header compared with the optional extensions, so some fields are removed or replaced by options, reducing the processing load and saving bandwidth.
+ Enhanced quality of service.
+ A built-in mechanism for secure communication.
+ Support for mobile communication networks.
1.3.2. Transport-layer protocols
1.3.2.1. The UDP protocol
The User Datagram Protocol (UDP) provides the primary mechanism that application programs use to send packets to other application programs. UDP provides ports to distinguish the application programs on a single computer. That is, along with each message sent, every UDP message also includes a source port and a destination port value, which let the UDP software at the destination deliver the packet to the right receiver and let the receiver send back an acknowledgement. UDP provides an unreliable, connectionless delivery service like IP. UDP uses no acknowledgement mechanism to ensure that a packet reaches its destination, does not order messages and provides no feedback to determine the rate of information transfer between the two machines. Consequently an application program that uses UDP takes full responsibility for handling reliability. The structure of the UDP header is described in Figure 1.8.

Figure 1.8: The UDP header structure (8 octets):
Source Port | Destination Port
Segment length | Checksum


The source and destination port fields contain 16-bit values for the UDP protocol ports, used to demultiplex packets to the process waiting to receive them. The source port is an optional field. When used, it specifies the port to which a reply should be sent. If not used, it is zero. The length field contains the length of the UDP datagram in octets, including both the UDP header and the user data. The checksum field is optional, allowing an implementation to do less computation when UDP is used over a highly reliable local network. The UDP checksum is the only means of ensuring that the data arrived intact and should be used routinely. A checksum value of zero means that the checksum was not computed; when running the checksum algorithm happens to produce a result whose bits are all 0, the checksum is instead represented by setting all bits to 1, since the value zero would otherwise also be taken as "not computed". UDP prepends a pseudo-header to the UDP packet, pads with a zero octet to make an exact multiple of 16 bits, and computes the checksum over the whole. The padding octet is not transmitted with the UDP packet and is not counted in the length.
1.3.2.2. The TCP protocol
The Transmission Control Protocol (TCP) provides connection-oriented data communication for programs: a reliable stream delivery service. TCP provides a virtual circuit, also called a connection. It provides self-management, error checking and flow control.
a) The TCP header structure
Figure 1.9: The TCP header structure (bits 0, 4, 10, 15 and 31 mark the field boundaries):
Source Port | Destination Port
Sequence Number
Acknowledgement Number
Header length | Unused | Flags | Window
Checksum | Urgent Pointer
Options | Padding

Explanation of the fields:

* Source port, Destination port: contain the TCP port values that identify the application programs at the two ends of the connection. Whenever TCP receives a data packet from IP, it strips the IP header and reads the TCP header. When it reads the destination port, it looks in the file holding service information to deliver the data to the program corresponding to that port number. With TCP, however, port values are more complex than with UDP, because a given TCP port value does not correspond to a single object. Instead, TCP is built on the connection abstraction, in which the objects are identified as virtual-circuit links rather than individual ports. For example, the value 192.168.2.3,25 identifies TCP port 25 on the computer with address 192.168.2.3.
* Sequence Number: identifies the position, within the sender's byte stream, of the data in the segment.
* Acknowledgment Number: identifies the number of the octet the source expects to receive next. Note that the Sequence Number refers to data in the same direction as the segment, while the Acknowledgment Number refers to data in the opposite direction.
* Header length: contains an integer giving the length of the segment header, measured in multiples of 32 bits. This value is needed because the Options part has a variable length that depends on the options included.
* Unused: reserved for future use.
* Flags: 6 bits that determine the purpose and content of the segment; the contents of the header are interpreted according to these bits. For example, a segment may carry only an ACK, only data, or a request to establish or terminate a connection.
* Window: informs the peer of the buffer size available for the transfer.
* Urgent pointer: requests that the connection deliver out-of-band data; the receiving program must be notified immediately when the data arrives, wherever it lies in the data area. After the urgent data has been handled, TCP tells the application program to return to normal operation.
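The pseudo-header checksum described for UDP in 1.3.2.1, which TCP computes in the same way, as an added Python example (not code from the thesis): it builds and parses UDP and TCP headers, sums the IPv4 pseudo-header together with the segment, applies the UDP rule that a computed zero is sent as all ones and a stored zero means "not computed", and shows that verification fails if either the segment or the IP addresses bound by the pseudo-header change. The ports, addresses and payloads are constructed sample values; TCP options are not handled.

```python
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")  # the six flag bits, high to low


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (same algorithm as the IP header checksum)."""
    if len(data) % 2:
        data += b"\x00"  # the padding octet is summed but never transmitted or counted in Length
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """12 octets prepended for the checksum only; they bind the segment to its IP addresses."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, proto, length)


def transport_checksum(src: str, dst: str, proto: int, seg_with_zero_csum: bytes) -> int:
    data = pseudo_header(src, dst, proto, len(seg_with_zero_csum)) + seg_with_zero_csum
    csum = internet_checksum(data)
    if proto == IPPROTO_UDP and csum == 0:
        csum = 0xFFFF  # UDP: 0 means "no checksum", so a computed zero is sent as all ones
    return csum


def checksum_ok(src: str, dst: str, proto: int, seg: bytes) -> bool:
    """A correct segment sums to zero once the stored checksum is included."""
    return internet_checksum(pseudo_header(src, dst, proto, len(seg)) + seg) == 0


def build_udp(src, dst, sport, dport, payload, with_checksum=True) -> bytes:
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = transport_checksum(src, dst, IPPROTO_UDP, seg) if with_checksum else 0
    return seg[:6] + struct.pack("!H", csum) + seg[8:]


def parse_udp(src, dst, seg) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", seg[:8])
    if length < 8 or length > len(seg):
        raise ValueError("UDP length field inconsistent with the datagram")
    # a stored checksum of 0 means the sender did not compute one: accepted unverified
    ok = True if csum == 0 else checksum_ok(src, dst, IPPROTO_UDP, seg[:length])
    return {"sport": sport, "dport": dport, "length": length,
            "payload": seg[8:length], "checksum_ok": ok}


def build_tcp(src, dst, sport, dport, seq, ack, flags, window, payload=b"") -> bytes:
    """Serialise a 20-octet TCP header (data offset 5, no options) plus payload."""
    bits = 0
    for name in flags:
        bits |= 1 << (5 - TCP_FLAGS.index(name))
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, window, 0, 0) + payload
    return seg[:16] + struct.pack("!H", transport_checksum(src, dst, IPPROTO_TCP, seg)) + seg[18:]


def parse_tcp(src, dst, seg) -> dict:
    sport, dport, seq, ack, off, bits, window, _csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    hlen = (off >> 4) * 4  # header length in 32-bit words: needed because Options is variable
    flags = [name for i, name in enumerate(TCP_FLAGS) if bits & (1 << (5 - i))]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": hlen,
            "flags": flags, "window": window, "urgent": urg, "payload": seg[hlen:],
            "checksum_ok": checksum_ok(src, dst, IPPROTO_TCP, seg)}


if __name__ == "__main__":
    # constructed sample: a DNS query datagram and the SYN of an SMTP connection (port 25)
    udp = build_udp("192.168.2.3", "192.168.2.10", 53000, 53, b"hello")
    print(parse_udp("192.168.2.3", "192.168.2.10", udp))
    syn = build_tcp("192.168.2.3", "192.168.2.10", 40000, 25, 1000, 0, ("SYN",), 8192)
    print(parse_tcp("192.168.2.3", "192.168.2.10", syn))
```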


The unit of transfer between two TCP implementations on two machines is called a segment. Segments are exchanged to establish a connection, transfer data, send ACKs (acknowledgements that data was received), announce the window size (to optimise the sending and receiving of data) and close the connection.
b) Establishing and closing a TCP connection
A TCP connection is established with the three-way handshake model, which in the simple case can be illustrated as follows:

Figure 1.10: Connection establishment in the TCP protocol
Sending host: send SYN, Seq = x
Receiving host: receive SYN; send SYN, seq = y, ACK x+1
Sending host: receive SYN+ACK; send ACK y+1
Receiving host: receive ACK


The packet that initiates the connection is identified by the SYN bit in the CODE field; the reply sets the SYN and ACK bits to convey synchronisation and continue the handshake. The last message serves only as a reply, simply telling the destination that both sides agree that a connection has been established. The three-way handshake is the necessary and sufficient condition for accurate synchronisation between the two ends of the connection. TCP implementations usually wait passively for a connection, but this causes no difficulty, because connections are established by the parties independently of each other. The actual sequence numbers, chosen at random and independently of each other, may also be sent along with data. In such cases the TCP software holds the data until the connection handshake has completed. Once the connection is established, TCP releases the held data and promptly passes it to the higher-level application programs. The procedure for closing a TCP connection is carried out per direction (assuming the TCP connection is full duplex). Once the connection is closed in one direction, TCP refuses to accept further data in that direction, while data still flows in the opposite direction


until the sender closes the connection. Thus the reply of the connection is still delivered to the sender even after the connection is closed; when both directions are closed, the TCP software at each side deletes its record of the connection.

Figure 1.11: The TCP connection close procedure
Sending host: send FIN, Seq = x
Receiving host: receive FIN; send ACK x+1; send FIN, seq = y, ACK x+1
Sending host: receive ACK; receive FIN+ACK; send ACK y+1
Receiving host: receive ACK
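The handshake of Figure 1.10 and the per-direction close of Figure 1.11, as an added Python example (not code from the thesis): each endpoint keeps only the next sequence number it will send and the next one it expects from the peer, SYN and FIN each consume one sequence number, a segment whose ACK does not match is rejected, and data can still flow from the side that has not yet closed. Loss, timers and windows are deliberately left out; the initial sequence numbers and data are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Only the fields needed for connection control."""
    flags: frozenset
    seq: int
    ack: int
    data: bytes = b""


class Endpoint:
    """Sequence/acknowledgement bookkeeping for one side of a connection."""

    def __init__(self, name, isn):
        self.name, self.state = name, "CLOSED"
        self.snd_nxt = isn      # next sequence number we will send (starts at the chosen ISN)
        self.rcv_nxt = 0        # next sequence number we expect from the peer
        self.send_closed = self.recv_closed = False
        self.received = b""

    def _emit(self, flags, data=b"", consume=0):
        seg = Segment(frozenset(flags), self.snd_nxt, self.rcv_nxt, data)
        self.snd_nxt += len(data) + consume  # SYN and FIN each occupy one sequence number
        return seg

    def listen(self):
        self.state = "LISTEN"  # passive open: wait for a SYN

    def connect(self):
        self.state = "SYN_SENT"  # active open
        return self._emit({"SYN"}, consume=1)

    def send(self, data):
        if self.send_closed or self.state not in ("ESTABLISHED", "CLOSE_WAIT"):
            raise RuntimeError(f"{self.name}: cannot send in state {self.state}")
        return self._emit({"ACK"}, data)

    def close(self):
        self.send_closed = True
        self.state = {"ESTABLISHED": "FIN_WAIT_1", "CLOSE_WAIT": "LAST_ACK"}[self.state]
        return self._emit({"FIN", "ACK"}, consume=1)

    def receive(self, seg):
        """Process one segment; return the reply segment or None."""
        if "ACK" in seg.flags and seg.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: ACK {seg.ack} does not acknowledge {self.snd_nxt}")
        if self.state == "LISTEN" and "SYN" in seg.flags:
            self.rcv_nxt, self.state = seg.seq + 1, "SYN_RECEIVED"
            return self._emit({"SYN", "ACK"}, consume=1)    # SYN seq = y, ACK x+1
        if self.state == "SYN_SENT" and {"SYN", "ACK"} <= seg.flags:
            self.rcv_nxt, self.state = seg.seq + 1, "ESTABLISHED"
            return self._emit({"ACK"})                       # ACK y+1: both sides agree
        if self.state == "SYN_RECEIVED":
            self.state = "ESTABLISHED"                       # the final ACK of the handshake
            return None
        if seg.seq != self.rcv_nxt:
            raise ValueError(f"{self.name}: segment {seg.seq} out of order, expected {self.rcv_nxt}")
        if self.recv_closed and (seg.data or "FIN" in seg.flags):
            raise ValueError(f"{self.name}: peer already closed its direction")
        if self.state == "FIN_WAIT_1":
            self.state = "FIN_WAIT_2"   # our FIN is acknowledged; the peer may still send data
        elif self.state == "LAST_ACK":
            self.state = "CLOSED"
        self.received += seg.data
        self.rcv_nxt += len(seg.data)
        if "FIN" not in seg.flags:
            return self._emit({"ACK"}) if seg.data else None
        self.rcv_nxt += 1
        self.recv_closed = True
        self.state = "CLOSE_WAIT" if self.state == "ESTABLISHED" else "CLOSED"  # TIME_WAIT omitted
        return self._emit({"ACK"})


def run_session(client_isn=100, server_isn=300):
    """Open, exchange data, half-close and close; return the trace and both endpoints."""
    a, b = Endpoint("A", client_isn), Endpoint("B", server_isn)
    trace = []

    def deliver(sender, receiver, seg):
        # hand the segment over, log it, and keep delivering replies (lockstep, no loss)
        while seg is not None:
            trace.append((sender.name, "+".join(sorted(seg.flags)), seg.seq, seg.ack))
            seg = receiver.receive(seg)
            sender, receiver = receiver, sender

    b.listen()
    deliver(a, b, a.connect())        # SYN / SYN+ACK / ACK
    deliver(a, b, a.send(b"hello"))   # data from A, acknowledged by B
    deliver(a, b, a.close())          # A closes its direction (FIN) ...
    deliver(b, a, b.send(b"bye"))     # ... but B can still send
    deliver(b, a, b.close())          # B's FIN, final ACK from A
    return trace, a, b


if __name__ == "__main__":
    for line in run_session()[0]:
        print(line)
```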


c) TCP is a reliable transfer protocol
TCP is required to deliver a stream when the data is large and reliability is needed. The characteristics of the reliable delivery service are:
- Stream orientation: When two application programs (user processes) transfer large volumes of data regarded as a sequence of bits, the data is divided into octets. The stream delivery service delivers the data exactly to the receiving machine.
- Virtual circuit connection: A stream transfer resembles placing a telephone call. Before the transfer can begin, both the sending and receiving application programs must interact with their operating systems, announcing their request to perform a stream transfer. Conceptually, one application program places a call that the other end accepts, that is, a connection, or virtual circuit, is set up to send and receive data exactly.
- Buffered transfer: Application programs send a data stream across the virtual circuit by repeatedly passing octets of data to the protocol software. When sending data, each application program uses whatever transfer unit size it finds convenient, possibly as small as one octet. At the receiving end, the protocol software delivers the data automatically in exactly the order it was sent, making it available to the receiving application program as soon as it has been received and checked. The protocol software is free to divide the stream into packets independently of the unit the application program sends. To make the transfer more


efficient and minimise network traffic, implementations usually collect enough data to fill a datagram of reasonable size before sending it across the Internet. Thus even if the application program generates the stream 1 octet at a time, transfer across the Internet remains fully efficient. Similarly, if the application program chooses to deliver extremely large blocks of data, the protocol software may decide to divide them into smaller blocks for transmission. For application programs whose data must be delivered even when it does not fill a buffer, the stream service provides a push mechanism that application programs use to force transmission.
- Unstructured stream: The TCP stream service does not recognise structured data streams. That is, it does not distinguish any structure or division of content within the stream. Application programs using the stream service must understand the stream content and agree on the stream format before starting the connection.
- Full-duplex connection: The connections provided by the TCP service allow simultaneous transfer in both directions. Such a connection is called full duplex. From the viewpoint of an application process, a two-way connection consists of 2 independent streams flowing in opposite directions, with no interaction or interference. The stream service allows an application process to terminate the flow in one direction while data continues to flow in the other, making the connection one-way (half duplex). The main advantage of the two-way connection is that the underlying protocol software can send control information for one stream back to its source in datagrams carrying data in the opposite direction. This reduces network traffic.
To provide reliability, TCP uses a protocol of acknowledging (ACK) received packets and retransmitting packets that are lost or corrupted. A timer at the sender is started each time a packet is sent (each packet sent has a timer counting from the moment of sending). When the timer expires without an ACK having been received, the packet is presumed lost or corrupted and is resent. The sequence number in the header lets the sender and receiver detect lost packets and duplicated data, and retransmit or discard duplicates accordingly.
d) The sliding-window technique
To perform flow control, TCP uses the sliding-window technique. The sliding window, of fixed or variable size, determines the maximum number of data packets that may be transmitted before an ACK is received from the destination. This technique solves the important problem of increasing transmission efficiency and controlling the rate of the data stream.

Figure 1.12: The sliding-window mechanism with a fixed window size (the sender sends packets 1, 2, 3 and 4 and then, having received no further ACK, sends nothing more; the receiver gets packet 1 and sends ACK 2, does not receive packet 2, gets packet 3 and sends an ACK; when packet 2 is lost or the timer expires, the sender resends packet 2)
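A simulation of the fixed-window behaviour of Figure 1.12, as an added Python example (not code from the thesis): the sender transmits until the window is full of unacknowledged packets, the receiver answers every arrival with a cumulative ACK naming the next packet it expects, a constructed loss of packet 2 stalls the window, and the timer of the oldest unacknowledged packet triggers its retransmission, after which one ACK slides the window past the packets the receiver had already held. Window size, timeout and the lost packet are constructed parameters; ACKs return instantly.

```python
class Receiver:
    """Delivers packets in order and answers every arrival with a cumulative ACK."""

    def __init__(self):
        self.expected = 1   # next in-order packet number we wait for
        self.held = {}      # out-of-order packets kept until the gap is filled
        self.delivered = []

    def receive(self, seq: int) -> int:
        if seq == self.expected:
            self.delivered.append(seq)
            self.expected += 1
            while self.expected in self.held:   # a filled gap releases the held packets
                self.delivered.append(self.held.pop(self.expected))
                self.expected += 1
        elif seq > self.expected:
            self.held[seq] = seq
        # seq < expected is a duplicate and is discarded
        return self.expected   # cumulative ACK: "send me this one next"


def simulate(total=6, window=3, timeout=3, drop_once=(2,)):
    """Send packets 1..total over a lossy link; return (event log, packets delivered in order)."""
    rx = Receiver()
    to_drop = set(drop_once)   # constructed loss: these packets vanish the first time they are sent
    base = nxt = 1             # base = oldest unacknowledged packet, nxt = next packet to send
    sent_at = {}               # per-packet timer: clock value at the last transmission
    clock = 0
    log = []

    def transmit(seq, retransmit=False):
        nonlocal base, clock
        clock += 1
        sent_at[seq] = clock
        log.append(("resend" if retransmit else "send", seq, clock))
        if seq in to_drop:
            to_drop.discard(seq)
            log.append(("lost", seq, clock))
            return
        ack = rx.receive(seq)
        log.append(("ack", ack, clock))
        if ack > base:
            base = ack   # the ACK slides the window forward

    while base <= total:
        if nxt <= total and nxt < base + window:
            transmit(nxt)
            nxt += 1
        else:
            # window full (or nothing new to send) and no ACK advanced it: wait for the oldest timer
            log.append(("wait", base, clock))
            clock = max(clock, sent_at[base] + timeout)
            log.append(("timeout", base, clock))
            transmit(base, retransmit=True)
    return log, rx.delivered


if __name__ == "__main__":
    events, delivered = simulate()
    for event in events:
        print(event)
    print("delivered:", delivered)
```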

1.4 Summary
Chapter 1 has given an overview of the TCP/IP protocol suite and introduced the basic functions of the layers in its layered model. Given the scope of the topic, it concentrated on the IP protocol of the Internet layer and the TCP/UDP protocols of the transport layer. For IP, only the issues of addressing, routing, fragmentation and reassembly, and the structure of IPv4 and IPv6 packets were presented. These are the basic issues of the IP protocol and they are used in the following chapters of the project. In particular, this part examined the IPv4 and IPv6 packet structures in depth and the features that distinguish the IPv6 packet from the IPv4 packet. It is important to note that the IPv6 packet adds security functions. Through this chapter we also learn that the Internet is an information network that has spread worldwide and has become the transmission medium for a great many different applications. The trend in telecommunication networks is towards IP. However, the greatest drawback of the Internet is that it provides no security for the data carried over it. Along with the growth of the Internet, data security has become an inevitable requirement. There are many solutions for securing data on the Internet, and IP-VPN is one of the effective ones.


Chapter 2 VIRTUAL PRIVATE NETWORK TECHNOLOGY OVER THE INTERNET: IP-VPN
2.1 Introduction to virtual private networks over the Internet (IP-VPN)
2.1.1 The concept of a virtual private network over the Internet
As we know, private networks are usually defined as non-shared networking facilities that combine hosts and clients belonging to the same administrative entity. The property of a private network is to support communication among authorised users, allowing them access to various internetworking services and resources. Traffic between sources and endpoints in the private network travels only along nodes present in the private network. In addition there is traffic isolation: the traffic belonging to the private network neither affects nor is affected by outside traffic. The typical example of a private network is a company's intranet.
IP-VPN (Internet Protocol Virtual Private Network) combines 2 concepts: virtual networking and private networking. In a virtual network, distant and dispersed network nodes can interact with each other the way they normally would in a network whose nodes are located at the same geographical site. The topology of the virtual network is independent of the physical configuration of the facilities it uses. An ordinary user of a virtual network does not know the physical network layout and can only perceive the virtual topology. The virtual network's configuration is built on the sharing of the existing physical network infrastructure. However, the virtual and physical network configurations are usually managed by different administrators. We can define IP-VPN as follows: a virtual private network over the Internet is an emulation of secure private data networks on the shared, insecure public Internet infrastructure. The attributes of IP-VPN comprise mechanisms for protecting data and establishing trust between hosts, and the combination of various methods to guarantee service level agreements and quality of service for all entities across the Internet environment.
2.1.2 Applicability of IP-VPN
Virtual private networks are highly significant for organisations that operate dispersed across many geographical regions, with constantly travelling staff and large customer and business partner bases... They are the solution for secure communication over a public network. This lets organisations save considerable cost compared with leasing private lines. Moreover, a VPN also ensures the security of data during

communication and the ability to extend operations widely, even in geographically complex regions.

2.2 The basic building blocks of an IP-VPN

The basic building blocks of a VPN comprise:
- Access control
- Authentication
- Security
- Tunneling
- Service level agreements

2.2.1 Access control
Access control (AC) in data networking is defined as the set of policies and techniques that control access to private networking resources for authorised parties. AC mechanisms operate independently of authentication and security, and essentially define which resources are available to a particular user once that user has been authenticated. In the IP-VPN world, the physical entities such as remote hosts, firewalls and IP-VPN gateways in the company networks taking part in a communication session are usually responsible (or at least share responsibility) for the participation process that ensures the state of the IP-VPN connection. Example decisions include:
+ Initiate
+ Permit
+ Continue
+ Refuse
+ Terminate
The main purpose of IP-VPN is to allow secure, selective access to remote networking resources. With security and authentication alone but no AC, an IP-VPN only protects the integrity and confidentiality of the transmitted traffic and prevents anonymous users from using the network, but does not manage access to networking resources. AC usually depends on the information the entity requesting the connection uses to identify itself, or its certificate, as well as the rules that define AC. For instance, some IP-VPNs may be operated by a centralised server or other IP-VPN control device located in the service provider's data centre, or the IP-VPN gateway may manage access locally in the networks involved in the IP-VPN communication.


The set of rules and regulations governing access rights to network resources is called the access control policy. The access policy serves business purposes; for example, the policy "permit access for subscribers who have not exceeded 60 hours of usage" can be implemented with RADIUS-based authentication (Remote Authentication Dial-in User Service) and a timer started each time the user connects. In theory a RADIUS DISCONNECT message could be used to end the user's session when the 60 hours are exceeded; however, the policy is sometimes applied only at login time, trusting that the user does not stay logged in indefinitely, or by setting a session limit as an upper bound on usage once the maximum permitted time is exceeded. Similar policies can be implemented by replacing the time limit with a credit limit that may relate to a prepaid account.
2.2.2 Authentication
One of the most important functions supported by IP-VPN is authentication. In virtual private networking, every entity involved in communication must be able to identify itself to the other parties concerned, and vice versa. Authentication is the process that lets the communicating entities verify such identities. One of the widely used authentication methods today is PKI (Public Key Infrastructure). This method is called certificate-based authentication, because the communicating parties authenticate each other by exchanging their certificates. These certificates are vouched for through a trust relationship with a certification authority. The authentication process may involve supplying authentication information based on a shared secret, such as a password or a CHAP challenge/response pair, to the authenticator, for instance a NAS (Network Access Server), which looks up a local file or queries a RADIUS server. In this respect, VPN operation involves two kinds of authentication: client-to-gateway and gateway-to-gateway. In client-to-gateway authentication, only once the user has successfully authenticated to the VPN gateway is it allowed into the IPSec tunnel to the IPSec endpoint of the customer network.
The second case is usually encountered when a site-to-site connection is set up, or when virtual dial-up networks are used and authentication for establishing the L2TP tunnel is required between the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server).

2.2.3 Security

By definition, a VPN is built on shared, insecure public facilities, so integrity and encryption are essential requirements. A VPN can be secured by deploying one of the conventional encryption methods, or an encryption mechanism combined with secure key distribution systems. It should be stressed, however, that security is not only the encryption of VPN traffic. It also concerns the complex procedures of the operator and of the companies that provide it. Since a network-based VPN requires a trust relationship between the service provider and the VPN customer, agreement on and deployment of a corresponding security mechanism are needed. For instance, the company's AAA server can be accessed by securing the RADIUS messages with IPSec as they cross the shared network infrastructure. Alternatively the AAA server can belong to a network outside the VPN, to isolate AAA traffic from user traffic.
2.2.4 Tunneling, the foundation of IP-VPN
Tunneling is the single most important technology for building IP-VPNs. Tunneling consists of encapsulating certain data packets inside other packets according to a set of rules applied at both ends of the tunnel. As a result, the content encapsulated in the tunnel is invisible to the insecure public network over which the packets are carried. The specific issues of tunneling technology are presented in the following sections. The concept of tunneling as applied to virtual private networking is shown in Figure 2.1 below. In this figure, packets sent from host A to host Z must pass through many switches and routers. If router C encapsulates the packets coming from host A and gateway Y decapsulates them, then the other nodes these packets traverse are aware of nothing but the outer encapsulating packet and cannot know its payload or its final destination address. In this way the payload of packets sent between C and Y is known only to these 2 network nodes and to the hosts A and Z, where the traffic originates and terminates. This effectively creates a tunnel through which packets are carried with the desired level of security.

Figure 2.1: Tunneling in virtual private networking (host A, tunnel endpoints C and Y across the Internet, host Z; physical links between the nodes)



A tunnel can be defined by its endpoints, the network entities at which the encapsulation and decapsulation protocols are used. Tunneling techniques supporting IP-VPN such as L2TP or PPTP are used to encapsulate link-layer frames (PPP). Likewise, tunneling techniques such as IP-in-IP and the IPSec protocols are used to encapsulate network-layer packets. In the context of virtual private networking, tunneling can perform three main tasks:
+ Encapsulation.
+ Private addressing transparency.
+ End-to-end protection of data integrity and confidentiality.
Private addressing transparency allows private addresses to be used over an IP infrastructure where public addressing is permitted. Because the contents of the tunneled packet and its parameters, such as the addresses, are not intelligible outside the tunnel endpoints, private IP addressing is completely hidden from the public IP network by the use of legitimate addresses.

Figure 2.2: Hiding private IP addresses with tunneling (private network with private addresses, the Internet with public addresses, private network with private addresses)

The integrity and confidentiality functions ensure that an unauthorised party cannot alter the user's tunneled packets, and thus the packet contents are protected against unauthorised access. In addition, tunneling can optionally protect the integrity of the outer IP packet header, thereby providing data origin authentication. For example, an IP-VPN can use the IPSec AH header to protect the IP addresses of the tunnel endpoints from being spoofed. In data technology, however, this is in many cases not considered important, and in practice many IP-VPN gateways do not even apply AH. The reason is that if the user's tunneled packet is wrapped in ESP and encrypted using secure key distribution and management techniques together with practically unbreakable algorithms such as 3DES, then any use of altered IP addresses, injected or forged traffic is meaningless. Hence a malicious endpoint has no way of taking part in the IPSec


ESP security association, so the current security integration is not easy to subvert, and the likelihood that intercepted data cannot be interpreted is very high. This is what IP-VPN customers care about, and it is also the reason for the limited use of AH. Note that AH is useful when control information for tunnel setup needs to be provided.
2.2.5 Service level agreements
The entities taking part in virtual networking, such as ISPs, wireless operators, companies and remote users, are bound by agreements to attain the required service levels and the expected returns on the services provided. These agreements, drafted between the interested parties and their partners to define the permitted levels for quantifying and evaluating the service, are called SLAs (Service Level Agreements). SLAs are used in many forms. They are, however, especially important for virtual networks based on shared infrastructure. The following factors are considered when examining SLAs for VPNs:
+ Tunnel availability.
+ Bandwidth guarantees.
+ Tunnel delay.
+ Acceptable peak cell/packet rate.
+ Packet loss ratio.

2.3 Classification of virtual private networks by architecture

Here we classify IP-VPNs by their architecture. IP-VPN architectures can be classified into two main types: site-to-site IP-VPN (also called LAN-to-LAN or POP-to-POP) and remote-access IP-VPN. Site-to-site includes variants such as extranet IP-VPN and intranet IP-VPN; these share common attributes but are designed to solve different sets of problems. Remote-access IP-VPN includes dial-up access and direct packet access methods, which are also covered under the main architectures.
2.3.1 Remote-access IP-VPN
Remote-access IP-VPN is very suitable for remote users, constantly travelling staff, and offices using a low-capacity wide area network. Remote IP-VPN access lets an organisation extend its network to its users over the shared public infrastructure, while the organisation's network still supervises all users. Remote access is the preferred way of using

n tt nghip i hc

Cng ngh IP - VPN

dng VPN. N cung cp phng thc truy nhp an ton ti nhng ng dng ca t chc cho nhng ngi s dng xa, nhng nhn vin lun di chuyn, vn phng nhnh v nhng i tc thng mi. Cu trc IP-VPN ny l phng tin thng qua mt c s h tng cng cng chung s dng ng dy ISDN (mng s a dch v), dial (quay s), tng t, Mobile IP (di ng IP), DSL (ng dy thu bao s) v in thoi ccp. Cu trc IP-VPN ny c quan tm n khp mi ni v n c th thit lp ti bt k thi im no v bt k u thng qua Internet. Thm vo l mt s thun li c c do vic chuyn i t nhng mng qun l ring sang dng IP-VPN truy nhp t xa di y: + Loi b chi ph cho kt ni khong cch xa t ngi s dng n mng ca t chc bi v tt c kt ni xa by gi c thay th bng kt ni Internet. + Khong cch kt ni rng v chi ph gim xung do ngi s dng IP-VPN ch cn quay s ti s ca nh cung cp dch v Internet ISP hoc trc tip kt ni qua mng bng rng lun hin hnh. + Trin khai thm ngi s dng n gin v s tng ln nhanh chng ca IPVPN cho php thm vo ngi dng mi m khng tng chi ph cho c s h tng. + Quay li vi vn qun l v bo dng mng quay s n gin khi thm ngi s dng mi s gip cc tp on c th chuyn hng kinh doanh hn. Mc d l c rt nhiu thun li th pht trin mt IP-VPN truy nhp t xa vn gp phi kh khn sau: + Giao thc ng ngm c mt tiu nh dng mt m d liu khi truyn v gii mt m khi nhn c thng tin. Mc d tiu nh, nhng n cng nh hng n mt s ng dng. + Vi ngi s dng Modem tng t kt ni ti Internet vi tc nh hn 400 kb/s th IP-VPN c th l nguyn nhn lm gim tc v tiu ca giao thc ng ngm cn c thi gian x l d liu. + Khi s dng giao thc ng ngm, chng ta c cm gic phi ch i. Bi v c s h tng mng Internet c s dng, khng c m bo v s lng phi i nn ng trong mi on kt ni nh ng hm d liu qua Internet. iu ny c th khng phi l vn qu kh khn, nhng n cng cn s quan tm. Ngi dng c th cn n chu k thit lp kt ni nu h cm thy lu. Cng vi s pht trin nhanh chng ca mng truy nhp t xa, trn ton b quc gia v thm ch l trin khai quc t cc POP (Point - Of - Presence: im hin din) quay s bi cc nh cung cp dch v, chi ph cho nhng cuc gi ng di c gim 24

Bi Vn Nht 45K2TVT

n tt nghip i hc

Cng ngh IP - VPN

i, tt c cc lo lng v th tc quay s c th c nh cung cp dch v Internet (ISP) v nh cung cp truy nhp gnh chu. Cc IP-VPN truy nhp t xa quay s c th c xy dng trn cc phng php truyn Tunnel bt buc hay t . Trong mt kch bn truy nhp t xa quay s s dng phng tin ca hng khc, ngi s dng quay s cc POP a phng ca cc nh cung cp dch v Internet bng cch thit lp kt ni PPP (Point to Point Protocol: Giao thc im ti im). Sau khi ngi s dng c nhn thc v lin kt PPP c thit lp, nh cung cp dch v thit lp theo cch bt buc (ngha l trong sut i vi ngi s dng) mt Tunnel n mt cng trong mng ring m ngi s dng xa mun truy nhp n. Mng ring thc hin nhn thc ngi s dng ln cui v thit lp kt ni. Kin trc ny c m t hnh 2.4. Cng ngh truyn Tunnel c la chn cho IP-VPN truy nhp quay s theo phng tin ca hng khc l L2TP.
[Figure 2.3: Remote-access IP-VPN. Components shown: IPSec client; ISDN switch, modem, DSLAM and RAS on the access side; PSTN; ISP POP with DNS, DHCP, RADIUS, RADIUS accounting and an SS7 gateway; an L2TP tunnel from the ISP to the LNS and an IPSec tunnel across the Internet to the IPSec gateway. Legend: LNS = L2TP Network Server; L2TP = Layer Two Tunneling Protocol; RAS = Remote Access Server; DSLAM = DSL Access Multiplexer.]


2.3.2 Site-to-Site IP-VPN

Site-to-Site IP-VPN (also called LAN-to-LAN) connects the geographically dispersed sites of an enterprise, where each site has its own private address range, managed so that under normal conditions no address collisions occur.

2.3.2.1 Intranet IP-VPN

An organization can use IP-VPN not only to connect its own sites but also to link, within its administrative domain, remote offices or branch offices in different geographic regions to the head-office network over shared infrastructure. Such connections could instead use a dedicated channel, such as a Frame Relay or ATM network or a point-to-point link. Using IP-VPN, however, has the following advantages: reduced WAN cost, especially when the Internet is used; easy addition of new sites; and better assurance of data security. With this capability, an Intranet IP-VPN can also be used to create an environment equivalent to physically separating user groups into different LAN subnets connected by bridges or routers.
[Figure 2.4: Intranet IP-VPN. A remote office, a home office and the headquarters, each with its own devices, connect through their local POPs to the Internet / IP-VPN.]


2.3.2.2 Extranet IP-VPN

Extranet IP-VPN is used when an enterprise wants to interact not only with its own remote offices but also with sites belonging to its customers, suppliers and other entities involved in its transactions or information exchange. These entities are often called partner networks. To support this exchange, IP-VPN tunnels can be set up between private networks belonging to different entities. IP-VPN functions such as access control, authentication and security services can be used to deny or permit access to the resources needed for business. The security risks of an Extranet are greater than those of an Intranet, so an Extranet IP-VPN must be designed carefully, with multi-layer access-control policies and security arrangements specific to each Extranet member.
[Figure 2.5: Extranet IP-VPN. A remote office, a business partner, a home office, a supplier, a customer and the headquarters, each with its own devices, connect through their local POPs to the Internet / IP-VPN.]



2.4 Tunneling protocols in IP-VPN


As presented above, tunneling protocols are the foundation of VPN technology. A tunneling protocol encapsulates data with an appropriate header (and possibly a trailer) for transmission across the Internet. There are many tunneling protocols; which one is used to encapsulate the data is tied to the authentication and encryption methods employed. IP-VPN uses four tunneling protocols:
PPTP (Point-to-Point Tunneling Protocol).
L2F (Layer Two Forwarding).
L2TP (Layer Two Tunneling Protocol).
IPSec (Internet Protocol Security).

First we distinguish the first two, PPTP and L2F. PPTP was developed jointly by several companies; L2F was developed independently by Cisco. Both are built on PPP (Point-to-Point Protocol), a layer-2 serial communication protocol that can encapsulate IP internetwork data and supports multiple upper-layer protocols. From PPTP and L2F the IETF developed the L2TP tunneling protocol. Today PPTP and L2TP are more widely used than L2F. Among these tunneling protocols, IPSec is the best solution for data security: it supports the strongest authentication and encryption methods, and it is highly flexible, being tied to no particular authentication or encryption algorithm, and it can be combined with other tunneling protocols to raise the security of the system. Despite its superiority in data security, IPSec has some drawbacks. First, IPSec is a new standards framework still under development, so the number of vendors shipping IPSec support is not yet large. Second, to make full use of IPSec's security it is necessary to deploy a complex public key infrastructure (PKI) to handle digital certificates and digital signatures. Unlike IPSec, PPTP and L2TP are completed standards, so products supporting them are relatively common. PPTP can be deployed with a simple password system without a PKI. PPTP and L2TP also have other advantages over IPSec, such as support for multiple upper-layer protocols. So, while IPSec is still being completed, PPTP and L2TP remain widely used, particularly in remote-access applications. (A caveat for today's reader: PPTP's MS-CHAPv2 authentication and its RC4-based MPPE encryption are now known to be cryptographically weak, so PPTP should not be chosen for new deployments, and L2TP should always be run over IPSec as described in 2.4.2.) This section examines the two tunneling protocols PPTP and L2TP; the IPSec tunneling protocol is covered in Chapter 3.

2.4.1 PPTP (Point-to-Point Tunneling Protocol)

PPTP encapsulates PPP data frames in IP datagrams for transmission over an IP network (the Internet or an intranet). PPTP uses a TCP connection (the PPTP control connection) to create, maintain and terminate the tunnel, and a modified version of GRE (Generic Routing Encapsulation) to encapsulate the PPP frames. The payload of the PPP frame can be encrypted and/or compressed. PPTP assumes that an IP network exists between the PPTP client (a VPN client using the PPTP tunneling protocol) and the PPTP server (a VPN server using PPTP). The PPTP client may be connected directly, or it may dial a Network Access Server (NAS) to establish IP connectivity. Authentication while setting up an IP-VPN connection over PPTP uses the authentication mechanisms of the PPP connection, for example EAP (Extensible Authentication Protocol), CHAP (Challenge-Handshake Authentication Protocol) or PAP (Password Authentication Protocol). PPTP also inherits the encryption and/or compression of the PPP payload. PPP payload encryption uses MPPE (Microsoft Point-to-Point Encryption), provided authentication used EAP-TLS (EAP-Transport Level Security) or Microsoft's MS-CHAP. MPPE provides only link-level encryption, not end-to-end encryption; if end-to-end encryption is required, IPSec can encrypt the IP traffic between the endpoints after the PPTP tunnel is established. A PPTP server is an IP-VPN server using PPTP, with one interface on the Internet and another on the intranet.

2.4.1.1 Tunnel maintenance with the PPTP control connection

The PPTP control connection runs between the IP address of the PPTP client (using a dynamically allocated TCP port) and the IP address of the PPTP server (using the reserved TCP port 1723).
The PPTP control connection carries the PPTP call control and management messages used to maintain the PPTP tunnel, including periodic PPTP Echo-Request and PPTP Echo-Reply messages that detect connectivity failures between the PPTP client and PPTP server. A PPTP control-connection packet consists of the IP header, the TCP header, the PPTP control message, and the data-link layer header and trailer.


[Figure 2.6: Packet of the PPTP control connection. Layout: Data link Header | IP Header | TCP Header | PPTP Control Message | Data link Trailer.]


2.4.1.2 PPTP tunnel data encapsulation

a) Encapsulating the PPP frame: PPTP tunnel data is encapsulated at several levels. Figure 2.7 shows the structure of the encapsulated data.

[Figure 2.7: PPTP tunnel data. Layout: Data link Header | IP Header | GRE Header | PPP Header | Encrypted PPP Payload (IP Datagram, IPX Datagram, NetBEUI Frame) | Data link Trailer.]


The original PPP payload is encrypted and encapsulated with a PPP header to form the PPP frame. The PPP frame is then encapsulated with the header of a modified version of GRE (Generic Routing Encapsulation), a protocol that provides a general mechanism for encapsulating data to be sent over an IP network. For PPTP, the GRE header is modified as follows:
- An acknowledgement bit indicates the presence of a 32-bit acknowledgement field.
- The Key field is replaced by a 16-bit Payload Length field and a 16-bit Call ID field. The Call ID is assigned by the PPTP client during PPTP tunnel set-up.
- A 32-bit acknowledgement field is added.
b) Encapsulating the GRE packet: the (encrypted) PPP payload and the GRE header are then encapsulated with an IP header carrying the source and destination addresses of the PPTP client and PPTP server.
c) Data-link encapsulation: to be sent over a LAN or WAN, the final IP datagram is encapsulated with the header and trailer of the data-link layer of the outgoing physical interface. For example, if the IP datagram is sent on an Ethernet interface, it gets an Ethernet header and trailer; if it is sent over a point-to-point WAN link (such as an analog telephone line or ISDN), it gets a PPP header and trailer.
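The modified GRE header described above, as an added worked example in Python; this is not code from the thesis or from any PPTP implementation. It follows RFC 2637: the K bit marks the Payload Length / Call ID pair that replaces the Key field, the S bit marks the sequence number (present whenever a PPP frame is carried), and the A bit marks the 32-bit acknowledgement, which an ack-only packet carries with an empty payload. The Call ID and the PPP bytes are constructed placeholders.

```python
import struct

# RFC 2637 "enhanced GRE" used by PPTP: bit positions in the first 16-bit word
GRE_C, GRE_R, GRE_K, GRE_S, GRE_s, GRE_A = 0x8000, 0x4000, 0x2000, 0x1000, 0x0800, 0x0080
GRE_VER_MASK = 0x0007
GRE_PROTO_PPP = 0x880B  # protocol type carried by PPTP


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Encapsulate a PPP frame (step a/b above) in a PPTP GRE header."""
    flags = GRE_K | 1                 # Key field present (Payload Length + Call ID); version 1
    if payload:                       # a packet carrying data must carry a sequence number
        if seq is None:
            raise ValueError("data packets need a sequence number")
        flags |= GRE_S
    elif seq is not None:
        raise ValueError("ack-only packets carry no sequence number")
    if ack is not None:
        flags |= GRE_A                # A bit: a 32-bit acknowledgement field follows
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(pkt):
    """Parse and validate a PPTP GRE packet; returns call_id, seq, ack and the PPP payload."""
    if len(pkt) < 8:
        raise ValueError("GRE header truncated")
    flags, proto, plen, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP:
        raise ValueError("not a PPTP GRE packet: protocol 0x%04x" % proto)
    if (flags & GRE_VER_MASK) != 1 or not flags & GRE_K:
        raise ValueError("PPTP requires GRE version 1 with the Key field present")
    if flags & (GRE_C | GRE_R | GRE_s):
        raise ValueError("C, R and s bits must be zero in PPTP")
    off, seq, ack = 8, None, None
    if flags & GRE_S:
        seq, = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    if flags & GRE_A:
        ack, = struct.unpack("!I", pkt[off:off + 4])
        off += 4
    payload = pkt[off:off + plen]
    if len(payload) != plen:          # trust Payload Length, not whatever follows on the wire
        raise ValueError("payload truncated: expected %d bytes" % plen)
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


# Constructed sample: a PPP frame whose header is only the protocol ID 0x0021 (IP)
SAMPLE = build_pptp_gre(0x1234, b"\x00\x21constructed ip datagram", seq=7, ack=3)
```

The parser rejects packets whose declared Payload Length exceeds the bytes actually present; a receiver that trusted the trailing bytes instead would hand an attacker-controlled length to the PPP layer.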


2.4.1.3 Processing PPTP tunnel data

On receiving PPTP tunnel data, the PPTP client or PPTP server performs the following steps:
* Process and remove the data-link header and trailer.
* Process and remove the IP header.
* Process and remove the GRE header and PPP header.
* Decrypt and/or decompress the PPP payload (if required).
* Process the payload for reception or forwarding.

2.4.1.4 Encapsulation diagram

Figure 2.8 is the PPTP encapsulation diagram through the network architecture, from an IP-VPN client over a remote-access VPN connection using an analog modem.
[Figure 2.8: PPTP encapsulation diagram. The upper-layer protocols NetBEUI, TCP/IP and IPX feed the NDIS interface; NDISWAN passes frames to the L2TP or PPTP tunneling protocol, and the result goes out over Async, X.25 or ISDN WAN ports. Final packet structure: Data link Header | IP Header | GRE Header | PPP Header | Encrypted PPP Payload (IP Datagram, IPX Datagram, NetBEUI Frame) | Data link Trailer.]


The process is described by the following steps:
* IP datagrams, IPX datagrams or NetBEUI frames are submitted by the corresponding protocol to the virtual interface (representing the VPN connection) using NDIS (Network Driver Interface Specification).
* NDIS submits the packet to NDISWAN, which encrypts and compresses the data and supplies the PPP header. This PPP header consists only of the PPP Protocol ID field; there are no Flags or FCS (Frame Check Sequence) fields. It is assumed that address and control field compression was negotiated by the LCP (Link Control Protocol) during PPP connection set-up.
* NDISWAN submits the data to the PPTP protocol, which encapsulates the PPP frame with a GRE header. In the GRE header, the Call ID field is set to the value that identifies the tunnel.
* PPTP then submits the resulting packet to the TCP/IP protocol.
* TCP/IP encapsulates the PPTP tunnel data with an IP header and submits the result, using NDIS, to the interface that represents the dial-up connection to the local ISP.
* NDIS submits the packet to NDISWAN, which supplies the PPP header and trailer.
* NDISWAN submits the resulting PPP frame to the appropriate WAN port representing the dial-up hardware (for example, the asynchronous port for a modem connection).

2.4.2 L2TP (Layer Two Tunneling Protocol)

To avoid two incompatible tunneling protocols coexisting and causing difficulty for users, the IETF combined L2F and PPTP into L2TP, taking the advantages of both so that it can be used in every application scenario of PPTP and L2F. L2TP is described in RFC 2661. L2TP encapsulates PPP frames for transmission over IP, X.25, Frame Relay or ATM networks; at present only L2TP over IP is defined. Over IP, L2TP frames are encapsulated as UDP messages, and L2TP can be used as a tunneling protocol over the Internet or over private intranets. L2TP uses UDP messages over IP for tunnel data as well as tunnel maintenance data. The payload of the encapsulated PPP frame can be encrypted and compressed; however, encryption on L2TP connections is normally performed by IPSec ESP (not MPPE as with PPTP). An L2TP connection can also be created without IPSec encryption, but this is not an IP-VPN connection, because the private data encapsulated by L2TP is not encrypted. Unencrypted L2TP connections may be used temporarily to troubleshoot L2TP-over-IPSec connections. L2TP assumes that an IP network exists between the L2TP client (a VPN client using the L2TP tunneling protocol with IPSec) and the L2TP server. The L2TP client may be connected directly to an IP network that reaches the L2TP server, or indirectly by dialing a Network Access Server (NAS) to establish IP connectivity. Authentication while forming the L2TP tunnel must use the same authentication mechanisms as PPP connections, such as EAP, MS-CHAP, CHAP and PAP. An L2TP server is an IP-VPN server using L2TP, with one interface on the Internet and another on the intranet.

Tunnel data and tunnel maintenance data share the same packet structure.


2.4.2.1 Tunnel maintenance with L2TP control messages

Unlike PPTP, L2TP tunnel maintenance is not performed over a separate TCP connection. Control and call-maintenance traffic is sent as UDP messages between the L2TP client and L2TP server (both using UDP port 1701). L2TP control messages over IP are sent as UDP datagrams, and the UDP datagram is in turn encrypted by IPSec ESP, as shown in Figure 2.9.
[Figure 2.9: L2TP control message. Layout: Data link Header | IP Header | IPSec ESP Header | UDP Header | L2TP Message | IPSec ESP Trailer | IPSec ESP Auth Trailer | Data link Trailer. The span from the UDP header through the ESP trailer is encrypted by IPSec.]


Because no TCP connection is used, L2TP uses message sequencing to ensure delivery of L2TP messages. In L2TP control messages, the Next-Received field (similar to the TCP Acknowledgement) and the Next-Sent field (similar to the TCP Sequence Number) maintain the sequence of control messages; out-of-sequence packets are dropped. The Next-Sent and Next-Received fields can also be used for sequenced delivery and flow control of tunneled data. L2TP supports multiple calls per tunnel. Both the L2TP control message and the L2TP header of tunneled data carry a Tunnel ID that identifies the tunnel and a Call ID (the Session ID of RFC 2661) that identifies the call within that tunnel.

2.4.2.2 L2TP data tunneling

L2TP data tunneling is performed through several levels of encapsulation. Figure 2.10 shows the final structure of L2TP tunnel data over IPSec.
[Figure 2.10: L2TP packet encapsulation. Layout: Data link Header | IP Header | IPSec ESP Header | UDP Header | L2TP Header | PPP Header | PPP Payload (IP datagram, IPX datagram, NetBEUI Frame) | IPSec ESP Trailer | IPSec ESP Auth Trailer | Data link Trailer. The UDP header through the ESP trailer is encrypted by IPSec ESP; the ESP header through the ESP trailer is authenticated by the ESP auth trailer.]



a) L2TP encapsulation: the original PPP payload is encapsulated with a PPP header and an L2TP header (L2TP has no trailer).
b) UDP encapsulation: the L2TP packet is then encapsulated with a UDP header, with source and destination ports both set to 1701.
c) IPSec encapsulation: depending on the IPSec policy, the UDP packet is encrypted and encapsulated with an IPSec ESP header, IPSec ESP trailer and IPSec authentication trailer.
d) IP encapsulation: the IPSec packet is encapsulated with an IP header carrying the source and destination IP addresses of the IP-VPN client and IP-VPN server.
e) Data-link encapsulation: to be sent over a LAN or WAN link, the final IP datagram is encapsulated with the header and trailer of the data-link technology of the outgoing physical interface. For example, on an Ethernet interface it gets an Ethernet header and trailer; on a point-to-point WAN link (such as an ISDN telephone line) it gets a PPP header and trailer.

2.4.2.3 Processing L2TP tunnel data over IPSec

On receiving L2TP tunnel data over IPSec, the L2TP client or L2TP server performs the following steps:
* Process and remove the data-link header and trailer.
* Process and remove the IP header.
* Use the IPSec ESP Auth Trailer to authenticate the IP payload and the IPSec ESP header.
* Use the IPSec ESP header to decrypt the encrypted portion of the packet.
* Process the UDP header and send the L2TP packet to L2TP.
* L2TP uses the Tunnel ID and Call ID in the L2TP header to identify the specific L2TP tunnel.
* Use the PPP header to identify the PPP payload and forward it to the correct protocol for processing.

2.4.2.4 L2TP over IPSec encapsulation diagram

Figure 2.11 is the L2TP encapsulation diagram through the network architecture, from an IP-VPN client over a remote-access IP-VPN connection using an analog modem.


[Figure 2.11: L2TP encapsulation diagram. The upper-layer protocols IPSec, TCP/IP, IPX and NetBEUI feed the NDIS interface; NDISWAN passes frames to the L2TP or PPTP tunneling protocol, and the result goes out over Async, X.25 or ISDN WAN ports. Final packet structure: PPP Header | IP Header | IPSec ESP Header | UDP Header | L2TP Header | PPP Header | PPP Payload (IP datagram, IPX datagram, NetBEUI Frame) | IPSec ESP Trailer | IPSec ESP Auth Trailer | PPP Trailer.]


The following steps describe the process:
* An IP datagram, IPX datagram or NetBEUI frame is submitted by the appropriate protocol to the virtual interface represent the IP-VPN connection, using NDIS.
* NDIS submits the packet to NDISWAN, which may compress it and supplies a PPP header consisting only of the PPP Protocol ID field; no Flag or FCS fields are added.
* NDISWAN submits the PPP frame to the L2TP protocol, which encapsulates the PPP frame with an L2TP header. In the L2TP header, the Tunnel ID and Call ID are set to the values that identify the tunnel.
* L2TP submits the resulting packet to the TCP/IP protocol with instructions to send it as a UDP message from UDP port 1701 to UDP port 1701, using the IP addresses of the IP-VPN client and IP-VPN server.
* TCP/IP builds an IP packet with the appropriate IP header and UDP header. IPSec then analyzes the IP packet and matches it against the current IPSec policy. Based on the policy settings, IPSec encapsulates and encrypts the UDP message portion of the IP packet using the appropriate ESP header and trailer. The original IP header, with the Protocol field set to 50, is prepended to the ESP packet. TCP/IP then submits the resulting packet, using NDIS, to the interface representing the dial-up connection to the local ISP.
* NDIS submits the packet to NDISWAN.
* NDISWAN supplies the PPP header and trailer and submits the resulting PPP frame to the appropriate WAN port representing the dial-up hardware.
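As an added example (not code from the thesis or from any L2TP implementation), the L2TPv2 header of sections 2.4.2.1 and 2.4.2.2 in Python, together with the control-connection rule stated there: Next-Sent/Next-Received sequencing with out-of-sequence messages dropped rather than reordered. The zero-length-body (ZLB) acknowledgement, which carries no AVPs and consumes no sequence number, is taken from RFC 2661 and goes slightly beyond the page. The tunnel and session IDs, the AVP bytes and the PPP payload are constructed placeholders; IPSec ESP protection is left out, as the page defers it to Chapter 3.

```python
import struct

L2TP_PORT = 1701                       # both ends use UDP port 1701
F_T, F_L, F_S, F_O, F_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100   # RFC 2661 flag bits
L2TP_VERSION = 2


def build_l2tp(tunnel_id, session_id, payload, control=False, ns=None, nr=None):
    """Build an L2TPv2 message. Control messages carry T, L and S and never O or P."""
    flags = L2TP_VERSION
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages must carry Ns and Nr")
        flags |= F_T | F_L | F_S
    elif ns is not None:                # sequenced data session (optional in L2TP)
        flags |= F_S
        nr = 0 if nr is None else nr
    body = struct.pack("!HH", tunnel_id, session_id)
    if flags & F_S:
        body += struct.pack("!HH", ns, nr)
    body += payload
    head = struct.pack("!H", flags)
    if flags & F_L:                     # Length covers the whole L2TP message
        head += struct.pack("!H", 4 + len(body))
    return head + body


def parse_l2tp(msg):
    """Parse an L2TPv2 header and return its fields and the payload."""
    flags, = struct.unpack("!H", msg[:2])
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("not an L2TPv2 message")
    control = bool(flags & F_T)
    if control and (not flags & F_L or not flags & F_S or flags & (F_O | F_P)):
        raise ValueError("malformed control header")
    off, length = 2, None
    if flags & F_L:
        length, = struct.unpack("!H", msg[off:off + 2])
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    ns = nr = None
    if flags & F_S:
        ns, nr = struct.unpack("!HH", msg[off:off + 4])
        off += 4
    if flags & F_O:                     # Offset Size: skip padding before the payload
        pad, = struct.unpack("!H", msg[off:off + 2])
        off += 2 + pad
    end = len(msg) if length is None else length
    if end > len(msg) or off > end:
        raise ValueError("message truncated")
    return {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": msg[off:end]}


class ControlReceiver:
    """Receiver side of control-connection sequencing: Nr is the next Ns we expect;
    anything else is dropped, not reordered (2.4.2.1)."""

    def __init__(self):
        self.nr = 0
        self.accepted = []

    def receive(self, msg):
        h = parse_l2tp(msg)
        if not h["control"]:
            raise ValueError("data message on the control channel")
        if h["ns"] != self.nr:
            return False                # lost, early or replayed: dropped
        if not h["payload"]:
            return True                 # ZLB ack: no AVPs, consumes no sequence number
        self.nr = (self.nr + 1) & 0xFFFF
        self.accepted.append(h["payload"])
        return True
```

Because a replayed control message carries an Ns the receiver has already advanced past, the same sequencing check that handles loss also discards replays; without ESP, however, an on-path attacker can still forge a message with the expected Ns, which is why the page insists on IPSec for real IP-VPN use.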


2.5 Summary

This chapter introduced the concept of IP-VPN and gave an overview of the technology. It is not a new technology, but with the strong worldwide growth of the Internet the IP-VPN market will expand greatly. For organizations with a widespread network, the technology is very effective for communication between members of the enterprise in different geographic regions, lets new offices be added flexibly, reaches customers directly, and above all provides information security. By basic structure there are two kinds of VPN: Site-to-Site IP-VPN and Remote-access IP-VPN. Site-to-Site comprises two models: Intranet IP-VPN, used to connect an organization's remote-office LANs, and Extranet IP-VPN, used for online connections to the organization's customers. From these concepts it is clear that the parties and scope of an Extranet VPN are broader than those of an Intranet VPN; because the connected parties change constantly and cannot be vetted in advance, the security requirements are higher. Remote-access IP-VPN serves mobile workers and small remote offices. An IP-VPN consists of the following basic building blocks: access control, authentication, security, tunneling and service level agreements. These are complex problems that require several protocols working together to realize the functions of an IP-VPN effectively, and tunneling is the foundation of IP-VPN. This chapter gave an overview of the tunneling protocols in use for IP-VPN, of which PPTP and L2TP are the two completed and widely deployed ones at present. The next chapter presents IPSec, the protocol considered the best choice for IP-VPN technology.


Chapter 3 THE IPSEC PROTOCOL FOR IP-VPN

3.1 Introduction

Chapter 2 presented the PPTP and L2TP tunneling protocols used to build IP-VPNs. This chapter presents IPSec, the protocol considered the best choice for IP-VPN. As we know, the original Internet was developed for communication between trusted computers and so supported no security services. With the worldwide spread of the Internet, security has become one of the important issues. IPSec was developed to solve this security problem, and IP-VPN is one of its applications.

3.1.1 The IPSec concept

IPSec (Internet Protocol Security) is a protocol developed by the IETF. IPSec is defined as a network-layer protocol providing confidentiality, authentication, data integrity and access control services. It is a set of open standards that work together across equipment from different vendors. In general terms, IPSec lets a secure tunnel be established between two private networks and authenticates both ends of that tunnel. The devices at the two ends may be a pair of hosts, a pair of security gateways (routers, firewalls or VPN concentrators), or a host and a security gateway. The tunnel acts as a secure channel between the two ends, over which the packets requiring protection are sent. IPSec also encapsulates the information needed to set up, maintain and tear down the channel when it is no longer in use. Packets sent through the tunnel have the same format as ordinary packets and require no change to the devices, architecture or applications of the intermediate network, which greatly reduces deployment and management cost. IPSec has two basic mechanisms for securing data, AH (Authentication Header) and ESP (Encapsulating Security Payload); an IPSec implementation must support ESP and may support AH:
+ AH provides data-origin authentication, data-integrity checking and an optional anti-replay service for the IP packets sent between two systems. AH provides no confidentiality: the information is sent in clear text.


+ ESP is a protocol that provides security for the transmitted packets: data encryption, data-origin authentication and connectionless integrity checking. ESP ensures confidentiality by encrypting the IP packet; all ESP traffic is encrypted between the two systems. For this reason the trend is to use ESP rather than AH to raise data security.
+ Both AH and ESP are vehicles for access control, based on the distribution of cryptographic keys and the management of the traffic flows associated with these security protocols. They may be applied alone or in combination to provide the desired set of security services in IPv4 and IPv6, but the way each provides its services differs.
For both AH and ESP, IPSec does not mandate specific security algorithms; instead it is a framework that uses industry-standard algorithms. IPSec uses the hash-based message authentication code (HMAC) with the MD5 (Message Digest 5) and SHA-1 algorithms for message integrity; DES and 3DES for data encryption; and pre-shared keys, RSA digital signatures and RSA-encrypted nonces for peer authentication. The standards also define the use of other algorithms such as IDEA, Blowfish and RC4. (DES, 3DES and HMAC-MD5 have since been deprecated for IPSec; current profiles use AES and HMAC-SHA-2.) IPSec can use IKE (Internet Key Exchange) to authenticate the two peers and to negotiate the security and authentication policies: the algorithms used to set up the channel and the key exchange for each connection and each session. A network using IPSec to protect its data flows can automatically verify device authenticity using the digital certificates of the two parties exchanging information. The negotiation ultimately establishes security associations (SAs) between the peers. An SA is simplex (one-way), so a two-way session needs a pair of SAs, one in each direction. SA information is stored in the security association database, and each SA is assigned a Security Parameter Index (SPI) so that the combination of destination address, security protocol (ESP or AH) and SPI identifies exactly one SA.

3.1.2 Related reference standards

The IETF has issued a series of RFCs (Requests for Comments) related to IPSec:


Table 3.1: RFCs related to IPSec

RFC   Title                                                          Topic                  Date
1825  Security Architecture for the Internet Protocol                IPSec                  8/1995
1826  IP Authentication Header                                       AH                     8/1995
1827  IP Encapsulating Security Payload                              ESP                    8/1995
1828  IP Authentication Using Keyed MD5                              MD5                    8/1995
1829  The ESP DES-CBC Transform                                      DES                    8/1995
2104  HMAC: Keyed-Hashing for Message Authentication                 HMAC                   2/1997
2202  Test Cases for HMAC-MD5 and HMAC-SHA-1                         HMAC-MD5, HMAC-SHA-1   9/1997
2401  Security Architecture for the Internet Protocol                IPSec                  11/1998
2402  IP Authentication Header                                       AH                     11/1998
2403  The Use of HMAC-MD5-96 within ESP and AH                       HMAC-MD5               11/1998
2404  The Use of HMAC-SHA-1-96 within ESP and AH                     HMAC-SHA-1             11/1998
2405  The ESP DES-CBC Cipher Algorithm With Explicit IV              DES                    11/1998
2406  IP Encapsulating Security Payload                              ESP                    11/1998
2407  The Internet IP Security Domain of Interpretation for ISAKMP   ISAKMP                 11/1998
2408  Internet Security Association and Key Management Protocol      ISAKMP                 11/1998
2409  The Internet Key Exchange (IKE)                                IKE                    11/1998
2410  The NULL Encryption Algorithm and Its Use With IPSec           NULL                   11/1998
2451  The ESP CBC-Mode Cipher Algorithms                             CBC                    11/1998

3.2 IPSec encapsulation of information

3.2.1 Modes of use


IPSec has two modes that provide authentication and strong encryption when encapsulating information: Transport mode and Tunnel mode. We examine these two modes before looking at the AH and ESP protocols.

3.2.1.1 Transport mode

In this mode, protection is provided for the upper-layer protocols (layer 4 and above). It protects the packet payload but leaves the original IP header in clear text; the original IP addresses are used to route the packet across the Internet.
[Figure 3.1: IP packet in Transport mode. AH Transport: Original Header | AH Header | Payload, with the whole packet authenticated. ESP Transport: Original Header | ESP Header | Payload, with the payload encrypted and the ESP header and payload authenticated.]


Transport mode has the advantage of adding only a few bytes to the original IP packet. Its disadvantage is that devices in the network can see the packet's source and destination addresses and can perform some processing (for example traffic analysis) based on the IP header information; if ESP encryption is used, however, they cannot learn what data is inside the IP packet. According to the IETF, Transport mode can be used only when both IP-VPN end systems implement IPSec.

3.2.1.2 Tunnel mode

This mode protects the entire IP packet. The original IP packet (including its IP header) is authenticated or encrypted, and the protected packet is then encapsulated in a new IP header. The outer IP addresses are used to route the packet across the Internet.
[Figure 3.2: IP packet in Tunnel mode. AH Tunnel: New Header | AH Header | Original Header | Payload, with the whole packet authenticated. ESP Tunnel: New Header | ESP Header | Original Header | Payload, with the original header and payload encrypted and the ESP header onward authenticated.]


In Tunnel mode the entire original IP packet is encapsulated and becomes the payload of a new IP packet. This mode allows network devices such as routers to perform the IPSec processing on behalf of the end hosts. Figure 3.3 is an example: Router A processes the packets from Host A and sends them into the tunnel; Router B processes the packets received from the tunnel, restores their original form and forwards them to Host B. The end hosts therefore need no changes yet still gain IPSec's data security. Furthermore, with Tunnel mode the intermediate devices in the network can see only the addresses of the two tunnel endpoints (here Routers A and B). With Tunnel mode the IP-VPN endpoints need not change their applications or operating systems.
[Figure 3.3: Network devices performing IPSec in Tunnel mode. Host A -- Router A == IPSec Tunnel == Router B -- Host B.]


3.2.2 The Authentication Header protocol (AH)

3.2.2.1 Introduction

The AH (Authentication Header) protocol was defined in RFC 1826 and later revised in RFC 2402. AH provides data-origin authentication, data-integrity checking and an anti-replay service. Here the two notions of data integrity and anti-replay must be distinguished: data integrity checks for changes to each individual IP packet, regardless of the packet's position in the traffic flow; the anti-replay service checks for the same packet being delivered to the destination more than once. AH authenticates the fields of the IP header as well as the upper-layer protocol data; however, some IP header fields change in transit and the sender cannot predict their value on arrival, so those fields are not protected by AH. In other words, AH protects only part of the IP header. AH provides no confidentiality for upper-layer data; everything is sent in clear text. AH is faster than ESP, so it may be chosen when the origin and integrity of the data must be certain but confidentiality is not required.

AH provides authentication by running a keyed one-way hash function (an HMAC) over the packet data to produce an authentication code (hash or message digest). This code is inserted into the transmitted packet. Any change to the packet contents in transit is then detected by the receiver when it runs the same keyed one-way hash function over the received packet and compares the result with the transmitted hash value. The hash is computed over the whole packet except for the IP header fields whose values change in transit and cannot be predicted by the receiver (for example the time-to-live field, which routers change along the path).

3.2.2.2 AH packet structure

Devices using AH insert a header into the IP datagram of the traffic of interest, between the IP header and the layer-4 header. Because AH is tied to IPSec, the IP-VPN can define which traffic needs protection between the parties and which does not; for example, you could choose to protect email traffic but not web services. The insertion of the AH header is shown in Figure 3.4.
[Figure 3.4: Structure of the AH header in an IPSec datagram. Before: Original IP Header | Original Layer 4 Header | Data. After: Original IP Header | IPSec AH | Original Layer 4 Header | Data. AH fields: Next Header | Payload Length | Reserved | Security Parameters Index (SPI) | Sequence Number | Authentication Data (variable length, integral multiple of 32 bits).]


The fields of the AH header:
* Next Header: 8 bits, identifying the type of payload that follows AH. The value is chosen from the set of IP protocol numbers defined in the most recent RFCs.
* Payload Length: 8 bits, containing the length of the AH header in 32-bit words, minus 2. For example, with an integrity algorithm that yields a 96-bit verification value (3 x 32 bits) plus the 3 fixed 32-bit words, the length field is 4. For IPv6 the total header length must be a multiple of 8 octets.
* Reserved: 16 bits reserved for future use.
* Security Parameters Index (SPI): 32 bits, mandatory.
* Sequence Number: an unsigned 32-bit field containing a counter that increases by one for each packet sent. It is mandatory, and the sender always includes it even if the receiver does not use the anti-replay service. The sender's and receiver's counters are initialized to 0 when the SA is established, so the first packet has sequence number 1. If the anti-replay service is used, the counter must not wrap: communication must be ended and a new SA established before 2^32 packets have been sent.
* Authentication Data: also called the ICV (Integrity Check Value), of variable length, an integral multiple of 32 bits for IPv4 and 64 bits for IPv6, possibly including padding to reach that multiple. The ICV is computed with the authentication algorithm, a message authentication code (MAC); the simplest MACs are HMACs built on the MD5 or SHA-1 hash functions. The keys used by AH are secret authentication keys shared between the communicating parties; they may be random numbers but must not be any kind of predictable string. The ICV is computed over the outgoing packet with every mutable field of the IP header set to 0; the upper-layer data is assumed to be immutable. Each IP-VPN endpoint computes the ICV independently. If the ICV computed at the receiver does not match the ICV sent by the transmitter, the packet is discarded, which ensures the packet was not forged.

3.2.2.3 AH processing

AH operates in the following steps:
Step 1: The entire IP packet (IP header and payload) is run through a keyed one-way hash function.
Step 2: The resulting hash is used to build an AH header, which is inserted into the original packet.
Step 3: The packet with the AH header is sent to the IPSec peer.
Step 4: The receiver runs the hash function over the IP header and payload, producing a hash.
Step 5: The receiver extracts the hash from the AH header.
Step 6: The receiver compares the hash it computed with the hash extracted from the AH header. The two must be identical; if even one bit changed in transit, the two hashes differ and the receiver immediately detects the loss of data integrity.

a) Placement of AH

AH has two modes of operation, Transport mode and Tunnel mode. Transport mode is the primary mode for end-to-end connections between hosts or devices acting as hosts, and Tunnel mode is used for the remaining applications. Transport mode protects the upper-layer protocols together with some fields of the IP header. In this mode AH is inserted after the IP header and before an upper-layer protocol (such as TCP, UDP or ICMP), and before any other IPSec headers already inserted. For IPv4, AH sits after the IP header and before the upper-layer protocol (here TCP). For IPv6, AH is treated as an end-to-end payload and so appears after the hop-by-hop, routing and fragmentation extension headers; the destination options extension headers may appear before or after AH.
IPv4, before AH:  [Orig IP hdr (any options)] [TCP] [Data]
IPv4, after AH:   [Orig IP hdr (any options)] [AH] [TCP] [Data]

Figure 3.5: IPv4 packet format before and after transport-mode AH processing

IPv6, before AH:  [Orig IP hdr] [Ext hdrs, if present] [TCP] [Data]
IPv6, after AH:   [Orig IP hdr] [Hop-by-hop, dest*, routing, fragment] [AH] [Dest opt*] [TCP] [Data]

Figure 3.6: IPv6 packet format before and after transport-mode AH processing
In Tunnel mode the inner IP header carries the ultimate source and destination addresses, while the outer IP header carries the addresses used to route the packet across the Internet. In this mode AH protects the entire inner IP packet, including the inner IP header (whereas transport-mode AH protects only some fields of the IP header). Relative to the outer IP header, AH occupies the same position as in Transport mode.



IPv4: [New IP hdr (any options)] [AH] [Orig IP hdr (any options)] [TCP] [Data]
      authenticated, except for the mutable fields of the new IP header

IPv6: [New IP hdr] [Ext hdrs, if present] [AH] [Orig IP hdr] [Ext hdrs, if present] [TCP] [Data]
      authenticated, except for the mutable fields of the new IP header

Figure 3.7: Packet format after tunnel-mode AH processing
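The AH field layout of 3.2.2.2, the six processing steps of 3.2.2.3 and the transport-mode placement of Figure 3.5 can be made concrete with a small implementation. The following Python is an added example written for this edit, not code from the thesis or from any IPsec stack. It assumes HMAC-SHA-1-96 (RFC 2404) as the SA's authentication algorithm, an IPv4 header without options, and a constructed 20-byte key and TCP payload; it shows that a TTL decrement by a router leaves the ICV valid while a flipped payload bit, a wrong key or a rewritten address does not.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51     # IP protocol number of AH
ICV_LEN = 12      # HMAC-SHA-1-96: the 20-byte SHA-1 HMAC truncated to 96 bits (RFC 2404)


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, no options, checksum filled in (constructed ID field)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 2402 3.3.3.1: TOS, flags/fragment offset, TTL and checksum may change in
    transit and are zeroed for the ICV. Addresses, length, ID and protocol stay."""
    b = bytearray(ip_hdr)
    b[1] = 0                  # TOS
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Next Header | Payload Len | Reserved | SPI | Sequence Number | ICV.
    Payload Len = AH length in 32-bit words minus 2: (3 fixed + 3 ICV words) - 2 = 4."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_protect(key: bytes, src: str, dst: str, upper_proto: int, upper: bytes,
               spi: int, seq: int) -> bytes:
    """Outbound transport mode (Figure 3.5): IP hdr | AH | upper-layer data."""
    ip = ipv4_header(src, dst, AH_PROTO, 12 + ICV_LEN + len(upper))
    # The Authentication Data field is treated as zero while the ICV is computed.
    ah_zeroed = ah_header(upper_proto, spi, seq, b"\x00" * ICV_LEN)
    icv = hmac.new(key, zero_mutable(ip) + ah_zeroed + upper, hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah_header(upper_proto, spi, seq, icv) + upper


def ah_verify(key: bytes, packet: bytes):
    """Inbound: recompute the ICV with mutable fields zeroed and compare in constant
    time. Returns (next_header, spi, seq, upper-layer data), or None to discard."""
    ip, rest = packet[:20], packet[20:]
    if len(ip) < 20 or ip[9] != AH_PROTO or len(rest) < 12:
        return None
    next_header, payload_len = rest[0], rest[1]
    ah_len = (payload_len + 2) * 4
    ah, upper = rest[:ah_len], rest[ah_len:]
    received = ah[12:]
    if len(received) != ICV_LEN:          # the SA fixes the ICV length; never trust the packet
        return None
    spi, seq = struct.unpack("!II", ah[4:12])
    expected = hmac.new(key, zero_mutable(ip) + ah[:12] + b"\x00" * ICV_LEN + upper,
                        hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, received):
        return None
    return next_header, spi, seq, upper


if __name__ == "__main__":
    key = bytes(range(20))                       # constructed SA key, not a real one
    pkt = ah_protect(key, "10.0.0.1", "10.0.0.2", 6, b"constructed TCP segment", 0x1000, 1)
    forwarded = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]   # router decrements TTL: still valid
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])         # one payload bit flipped: rejected
    print(ah_verify(key, pkt))
    print(ah_verify(key, forwarded) is not None, ah_verify(key, tampered))
```

The last assertion-style check in the `__main__` block is the practical reason AH and NAT do not mix: the addresses are immutable fields inside the ICV, so any address rewrite on the path makes every packet fail verification.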


b) Authentication algorithms

The authentication algorithm used to compute the ICV is determined by the Security Association (SA). For point-to-point communication the suitable algorithms are keyed one-way hash functions, HMAC-MD5-96 and HMAC-SHA-1-96; these are the algorithms an AH implementation is required to support. Hash functions are covered in detail in chapter 4.

c) Outbound packet processing

In Transport mode the sender inserts the AH header after the IP header and before the upper-layer protocol header. In Tunnel mode there is in addition the outer IP header. Outbound processing proceeds as follows:

- SA lookup: AH is applied to an outbound packet only after IPsec processing has determined that the packet is associated with an SA that calls for AH processing. How the IPsec processing to apply to outbound traffic is determined is described in RFC 2401.
- Sequence number generation: the sender's counter is initialised to 0 when the SA is established. The sender increments the counter for this SA and inserts the new value into the Sequence Number field. If the anti-replay service is selected, the sender checks that the counter has not cycled before inserting a new value. If anti-replay is not selected the sender need not monitor the counter, though it is still incremented until it wraps to 0.

- ICV computation: using the algorithm and key of the SA, the sender computes the ICV over the packet (mutable IP header fields and the Authentication Data field zeroed) and places it in the Authentication Data field. The receiver later recomputes the ICV and compares it with the value carried in the AH to decide whether the packet is acceptable.
- Padding: AH has two kinds of padding, authentication data padding and implicit packet padding. For authentication data padding: if the output of the authentication algorithm is already an integral multiple of 32 bits (64 bits for IPv6), as the 96-bit ICV of HMAC-MD5-96 and HMAC-SHA-1-96 is, no padding is needed. If the ICV has another size, padding is required; its content is arbitrary, it is included in the ICV computation and it is transmitted. Implicit packet padding is used when the authentication algorithm requires the ICV to be computed over an integral number of blocks of some byte size and the IP packet length does not satisfy this; the padding is appended to the end of the packet before the ICV is computed. These padding bytes have the value 0 and are not transmitted with the packet.
- Fragmentation: when necessary, fragmentation is performed after AH processing. Transport-mode AH is therefore applied only to whole IP datagrams, never to fragments. If a packet that has already received AH processing is fragmented en route, the receiver must reassemble it before AH processing. In Tunnel mode AH may be applied to an IP packet whose payload is itself an IP fragment.

d) Inbound packet processing

Inbound processing is the reverse of outbound processing:

- Reassembly: performed before AH processing, if needed.
- SA lookup: on receiving a packet containing an AH header, the receiver determines the appropriate SA from the destination IP address, the security protocol (AH) and the SPI. The lookup is described in detail in RFC 2401. If no suitable SA is found for the session, the receiver discards the packet.
- Sequence number check: AH always supports the anti-replay service, but whether it is used is entirely the receiver's choice, so this check may or may not be performed.

3.2.3 Encapsulating Security Payload (ESP)

3.2.3.1 Introduction

ESP was defined in RFC 1827 and later revised as RFC 2406. Like AH, the protocol was developed entirely for IPsec. ESP provides data confidentiality by encrypting packets. In addition it provides data origin authentication, data integrity checking, an anti-replay service and limited traffic-flow confidentiality. The set of services ESP provides depends on the options selected when the SA is established; the confidentiality service is provided independently of the others. However, if confidentiality is used without the authentication and integrity services, the confidentiality is not effectively assured. Authentication and data integrity always go together, and anti-replay is available only if authentication is selected. The protocol is used whenever the IPsec traffic to be carried requires confidentiality.

3.2.3.2 ESP packet structure

ESP operates quite differently from AH. As its name says, ESP encapsulates all or part of the original data. Because it can provide confidentiality, ESP tends to be used far more widely than AH. The header immediately preceding the ESP header carries the value 50 in its Protocol (IPv4) or Next Header (IPv6) field (51 is AH). Figure 3.8 shows the encapsulation process:
Original packet: [Original IP Header] [Original Layer 4 Header] [Data]
After ESP:       [Original IP Header] [IPsec ESP Header] [Original Layer 4 Header] [Data] [IPsec ESP Trailer] [ICV]
                 ESP Header = SPI, Sequence Number; ESP Trailer = Padding, Pad Length, Next Header

Figure 3.8: ESP encapsulation

Figure 3.9 shows the ESP packet format (32-bit rows):

  | Security Parameters Index (SPI)                                 |
  | Sequence Number                                                 |
  | Payload Data (variable length, integral number of bytes)        |
  | Padding (0 to 255 bytes)                                        |
  |                                 | Pad Length    | Next Header   |
  | Authentication Data (variable length, optional)                 |

Authentication coverage: from the SPI through the Next Header field. Encryption coverage: from the Payload Data through the Next Header field.

Figure 3.9: ESP packet format

The ESP fields are defined below. Note that some fields are mandatory and some optional. Whether an optional field is present is decided when the security association is established, so the ESP format for a given SA is fixed for the lifetime of that SA; mandatory fields are present in every ESP packet.

* SPI (Security Parameters Index): an arbitrary 32-bit value which, together with the destination IP address and the security protocol (ESP), uniquely identifies the SA for this packet. SPI values 1 to 255 are reserved by IANA for future use, and 0 is reserved for local, implementation-specific use. The SPI is normally chosen by the receiver when the SA is established. Mandatory.
* Sequence Number: as for the Sequence Number field of AH.
* Payload Data: mandatory. A variable number of bytes containing the original data, or the part of it that requires protection, whose type is given by the Next Header field. It is encrypted with the encryption algorithm chosen when the SA was established. If the algorithm requires an initialisation vector, the IV is carried here as well. The encryption algorithm commonly used with ESP at the time of writing was DES-CBC; other algorithms such as 3DES, or CDMF in IBM's products, were also supported. (DES and 3DES are obsolete today; current deployments use AES, typically AES-CBC or AES-GCM.)
* Padding (0 to 255 bytes): there are several reasons for this field:
  - If the encryption algorithm requires the plaintext to be an integral number of blocks (a block cipher), Padding fills the plaintext (Payload Data, Padding, Pad Length and Next Header) out to the required size.
  - Padding is also needed so that the ciphertext ends on a 4-byte boundary, with Pad Length and Next Header right-aligned in a 32-bit word, so that the Authentication Data field is clearly delimited.
  - Padding can additionally be used to conceal the true length of the payload, though this use must be weighed against the transmission bandwidth it consumes.
* Pad Length: the number of Padding bytes added; valid values are 0 to 255. Mandatory.
* Next Header: 8 bits; identifies the type of data in the Payload Data field, for example an IPv6 extension header or the identifier of an upper-layer protocol. The value is chosen from the IP Protocol Numbers defined by IANA. Mandatory.
* Authentication Data: a variable-length field containing the Integrity Check Value (ICV) computed over the whole ESP packet except the Authentication Data field itself. Its length depends on the authentication algorithm in use. The field is optional: it is present only if the authentication service has been selected for the SA. The authentication algorithm must specify the ICV length, the processing steps and the comparison rules used to check the packet's integrity.

3.2.3.3 ESP processing

a) Position of the ESP header

ESP has two modes of operation, Transport and Tunnel. Transport mode protects the upper-layer protocols but not the IP header. In this mode ESP is inserted after the IP header and before the upper-layer protocol (TCP, UDP, ICMP, ...) and before any IPsec header already inserted. For IPv4 the ESP header sits after the IP header and before the upper-layer protocol (TCP in the example); the ESP trailer, consisting of Padding, Pad Length and Next Header, follows the data. For IPv6 ESP is treated as an end-to-end payload, so it appears after the hop-by-hop, routing and fragmentation extension headers. The destination options extension headers may go before or after the ESP header, but since ESP protects only the fields after the ESP header, destination options are normally placed after it. IPv6 details are in RFC 1883.

IPv4, before ESP:  [Orig IP hdr (any options)] [TCP] [Data]
IPv4, after ESP:   [Orig IP hdr (any options)] [ESP Header] [TCP] [Data] [ESP Trailer] [ESP Auth]

Figure 3.10: IPv4 packet format before and after transport-mode ESP processing

IPv6, before ESP:  [Orig IP hdr] [Ext hdrs, if present] [TCP] [Data]
IPv6, after ESP:   [Orig IP hdr] [Hop-by-hop, dest*, routing, fragment] [ESP] [Dest opt*] [TCP] [Data] [ESP Trailer] [ESP Auth]

Figure 3.11: IPv6 packet format before and after transport-mode ESP processing
In Tunnel mode the inner IP header carries the ultimate source and destination addresses, while the outer IP header carries the addresses used to route the packet across the Internet. In this mode ESP protects the entire inner IP packet, including the inner IP header. Relative to the outer IP header, ESP occupies the same position as in Transport mode.
IPv4: [New IP hdr (any options)] [ESP Header] [Orig IP hdr (any options)] [TCP] [Data] [ESP Trailer] [ESP Auth]
      encrypted: Orig IP hdr through ESP Trailer; authenticated: ESP Header through ESP Trailer

IPv6: [New IP hdr] [New Ext hdrs] [ESP] [Orig IP hdr] [Orig Ext hdrs] [TCP] [Data] [ESP Trailer] [ESP Auth]
      encrypted: Orig IP hdr through ESP Trailer; authenticated: ESP through ESP Trailer

Figure 3.12: Packet format after tunnel-mode ESP processing
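The ESP header and trailer layout of Figures 3.8 to 3.10, the padding rules of 3.2.3.2 and the inbound order "verify the ICV before touching the payload" can be exercised in running code. The Python below is an added example for this edit, not code from the thesis or from any IPsec implementation. It builds and parses a transport-mode ESP packet with the NULL encryption algorithm (RFC 2410, one of the algorithms listed in the next subsection) and HMAC-SHA-1-96 authentication, so the bytes from Payload Data to Next Header travel in the clear and the padding serves only the alignment rule; the `block_size` parameter stands in for the cipher block size a real cipher would impose, and the key and sample payload are constructed.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50   # IP protocol number of ESP (AH is 51)
ICV_LEN = 12     # HMAC-SHA-1-96


def esp_padding(payload_len: int, block_size: int) -> bytes:
    """Padding so that Payload | Padding | Pad Length | Next Header is a whole number of
    cipher blocks and Pad Length / Next Header end on a 4-byte boundary (RFC 2406).
    block_size must be a multiple of 4 (DES/3DES: 8, AES: 16, NULL: 4). The padding
    bytes carry the RFC 2406 default values 1, 2, 3, ..."""
    if block_size % 4:
        raise ValueError("block size must be a multiple of 4 bytes")
    pad_len = (-(payload_len + 2)) % block_size
    return bytes(range(1, pad_len + 1))


def esp_encapsulate(auth_key: bytes, spi: int, seq: int, next_header: int,
                    payload: bytes, block_size: int = 4) -> bytes:
    """SPI | Sequence Number | Payload Data | Padding | Pad Length | Next Header | ICV.
    With NULL encryption the encryption-coverage region is sent as plaintext; with a
    real cipher it would be ciphertext, and the ICV is still computed over that
    ciphertext (encrypt first, then authenticate)."""
    padding = esp_padding(len(payload), block_size)
    header = struct.pack("!II", spi, seq)
    trailer = padding + struct.pack("!BB", len(padding), next_header)
    body = header + payload + trailer
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(auth_key: bytes, packet: bytes):
    """Inbound order of 3.2.3.3: ICV first, then 'decrypt', then strip the trailer.
    Returns (spi, seq, next_header, payload), or None to discard the packet."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None                       # rejected without decrypting anything
    spi, seq = struct.unpack("!II", body[:8])
    plain = body[8:]                      # NULL decryption is the identity
    pad_len, next_header = plain[-2], plain[-1]
    if pad_len > len(plain) - 2:
        return None                       # Pad Length inconsistent with the packet length
    padding = plain[len(plain) - 2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):
        return None                       # default-padding check (optional per RFC 2406)
    return spi, seq, next_header, plain[:len(plain) - 2 - pad_len]


def esp_layout(packet: bytes) -> dict:
    """Field boundaries of an ESP packet, to line up with Figure 3.9."""
    pad_len = packet[-ICV_LEN - 2]
    end_of_payload = len(packet) - ICV_LEN - 2 - pad_len
    return {"spi": packet[:4], "seq": packet[4:8],
            "payload": packet[8:end_of_payload],
            "padding": packet[end_of_payload:-ICV_LEN - 2],
            "pad_length": pad_len, "next_header": packet[-ICV_LEN - 1],
            "icv": packet[-ICV_LEN:]}


if __name__ == "__main__":
    key = bytes(range(20))                                   # constructed SA key
    pkt = esp_encapsulate(key, 0x2000, 7, 17, b"constructed UDP datagram", block_size=8)
    print(esp_layout(pkt))
    print(esp_decapsulate(key, pkt))
    print(esp_decapsulate(key, pkt[:12] + bytes([pkt[12] ^ 1]) + pkt[13:]))   # None
```

With a 24-byte payload and an 8-byte block the trailer needs 6 padding bytes (24 + 6 + 2 = 32, a whole number of blocks), which is what `esp_layout` reports; the same payload with `block_size=16` happens to need the same 6 bytes, while with NULL encryption only the 4-byte alignment applies.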


b) Algorithms

The following algorithms are used with ESP:
- DES and 3DES in CBC mode.
- HMAC with MD5.
- HMAC with SHA-1.
- NULL authentication algorithm.
- NULL encryption algorithm.

Other algorithms may be supported. Note that at least one of the confidentiality and authentication services must be applied, so the authentication and encryption algorithms must not both be NULL at the same time.

- Encryption algorithms: the encryption algorithm is determined by the SA. ESP works with symmetric encryption algorithms. Because IP packets may arrive out of order, each packet must carry whatever the receiver needs to establish cryptographic synchronisation for decryption. This data may be carried in the Payload field (for example as an initialisation vector, IV) or derived from the packet header. Thanks to the Padding field, the algorithms used with ESP may be either block or stream ciphers. Because confidentiality is optional, the encryption algorithm may be NULL.
- Authentication algorithms: the algorithm used to compute the ICV is determined by the SA. For point-to-point communication the suitable algorithms are keyed one-way hash functions (HMAC-MD5, HMAC-SHA-1). Because authentication is optional, the authentication algorithm may be NULL.

c) Outbound packet processing

In Transport mode the sender encapsulates the upper-layer protocol information in the ESP header and trailer and leaves the IP header (and, for IPv6, all IP extension headers) in place. In Tunnel mode there is in addition the outer IP header. Outbound processing proceeds as follows:

- SA lookup: ESP is applied to an outbound packet only after IPsec processing has determined that the packet is associated with an SA that calls for ESP processing. How the IPsec processing to apply to outbound traffic is determined is described in RFC 2401.
- Packet encryption: in Transport mode only the upper-layer protocol information is encapsulated; in Tunnel mode the entire original IP packet is. Padding is added if necessary, then the relevant fields are encrypted with the key, algorithm and algorithm mode specified by the SA, together with any cryptographic synchronisation data. The exact steps for building the outer IP header depend on the mode (Transport or Tunnel). If the authentication service is selected, encryption is performed first, and the encryption does not cover the Authentication Data field. This order allows corrupted or replayed packets to be detected and rejected quickly without decrypting them, which limits the impact of denial-of-service attacks, and lets the receiver decrypt and authenticate in parallel.

- Sequence number generation: as for AH.
- ICV computation: if the authentication service is selected for the SA, the sender computes the ICV over the ESP packet minus the Authentication Data field. Note that encryption is performed before authentication. The ICV computation is otherwise the same as for AH.
- Fragmentation: when necessary, fragmentation is performed after ESP processing. Transport-mode ESP is therefore applied only to whole IP datagrams, never to fragments. If a packet that has received ESP processing is fragmented by routers en route, the fragments must be reassembled before ESP processing at the receiver. In Tunnel mode ESP may be applied to an IP packet whose payload is itself an IP fragment.

d) Inbound packet processing

Inbound processing is the reverse of outbound processing:

- Reassembly: performed before ESP processing.
- SA lookup: on receiving a (reassembled) packet containing an ESP header, the receiver determines the appropriate SA from the destination IP address, the security protocol (ESP) and the SPI. The lookup is described in detail in RFC 2401. The SA indicates whether the Sequence Number field must be checked, whether the Authentication Data field is present, and the algorithms and keys to use for decryption and ICV computation. If no suitable SA exists for the session (for example the receiver has no key), the receiver discards the packet.
- Sequence number check: ESP always supports the anti-replay service, although its use is entirely at the receiver's discretion on a per-SA basis. The service cannot be used unless authentication is selected, because otherwise the Sequence Number is not integrity-protected. If the receiver has not selected anti-replay for an SA it need not check the Sequence Number. The sender, however, assumes by default that the receiver uses the service; so that the sender is not forced to monitor the sequence number and re-establish the SA unnecessarily, the receiver informs the sender during SA establishment that anti-replay is not used (when an SA establishment protocol such as IKE is used). If the receiver has selected anti-replay for an SA, its packet counter for that SA must be initialised to 0 when the SA is established. For each received packet the receiver must verify that the sequence number does not duplicate that of any packet received during the lifetime of the SA. Once a packet has been matched to an SA this check should be performed first, so that the packet's acceptability can be decided quickly. Duplicates are rejected by means of a sliding receive window. The minimum window size is 32 and the default is 64; the receiver may use a larger window. The right edge of the window represents the highest valid sequence number received on this SA. Packets with a sequence number to the left of the window are rejected. Packets with a sequence number inside the window are checked against the record of packets already received within the window. If the received packet falls inside the window and is new, or lies to the right of the window, the receiver proceeds to ICV verification. If the ICV check fails the receiver must discard the packet as invalid. The receive window is updated only after the ICV check succeeds.
- ICV check: if the authentication service is selected, the receiver computes the ICV over the ESP packet minus the Authentication Data field, using the authentication algorithm specified in the SA, and compares it with the ICV carried in the packet's Authentication Data field. If the two values match exactly the packet is valid and accepted; otherwise the receiver discards it. The check proceeds as follows: first the ICV in the Authentication Data field is removed from the ESP packet and saved; then the remainder of the ESP packet (everything except Authentication Data) is processed. If the authentication algorithm requires implicit padding, zero bytes are appended to the end of the ESP packet immediately after the Next Header field. The ICV is then computed and compared with the saved value using the comparison rules defined by the algorithm.

e) Packet decryption

If ESP uses encryption, the packet must be decrypted; if the confidentiality service is not used, there is no decryption at the receiver. Decryption proceeds as follows:

- Decrypt the ESP Payload Data, Padding, Pad Length and Next Header fields using the key, encryption algorithm and algorithm mode specified by the SA.
- Process the Padding as specified by the algorithm. The receiver must locate and remove the Padding before passing the decrypted data to the upper layer.
- Reconstruct the original IP packet: from the original IP header and the upper-layer protocol information in the ESP payload (Transport mode), or from the outer IP header and the entire original IP packet in the ESP payload (Tunnel mode).

If authentication is also selected, ICV verification and decryption may be performed sequentially or in parallel. If sequentially, the ICV check must be performed first. If in parallel, the ICV check must complete before the decrypted packet is passed to the next processing step. This order allows invalid packets to be discarded quickly. Decryption can fail for the following reasons:

- The wrong SA was selected: the SA may be wrong because the SPI, the destination address or the protocol type is wrong.
- The Padding length or the Padding values are wrong.
- The encrypted ESP packet is corrupt (this can be detected if the authentication service is selected for the SA).
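The sliding receive window just described (minimum size 32, default 64, and updated only after the ICV has verified) can be kept as a single integer bitmap. The Python below is an added illustration written for this edit, following the algorithm of RFC 2401 Appendix C; it is not the thesis's or any implementation's code, and the sequence-number stream it runs is constructed to hit each branch: a packet to the right of the window, one inside it, a duplicate, one that has fallen off the left edge, and one whose ICV fails and therefore must not move the window.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay state for one SA (RFC 2401, Appendix C).

    Bit i of `bitmap` set means "sequence number right_edge - i was accepted".
    check() decides whether a sequence number is acceptable; update() is called
    only after the packet's ICV has verified, so a forged packet never moves the
    window and cannot be used to make the receiver drop genuine traffic."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 2401 requires a window of at least 32")
        self.size = size
        self.right_edge = 0          # highest sequence number accepted so far
        self.bitmap = 0              # which numbers inside the window were seen

    def check(self, seq: int) -> bool:
        if seq == 0:
            return False             # the first packet on an SA carries SN 1, never 0
        if seq > self.right_edge:
            return True              # right of the window: new
        diff = self.right_edge - seq
        if diff >= self.size:
            return False             # left of the window: too old
        return not (self.bitmap >> diff) & 1      # inside: reject duplicates

    def update(self, seq: int) -> None:
        if seq > self.right_edge:
            shift = seq - self.right_edge
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right_edge = seq
        else:
            self.bitmap |= 1 << (self.right_edge - seq)

    def receive(self, seq: int, icv_valid: bool) -> str:
        """Order of 3.2.3.3 d): sequence-number check, then ICV, then window update."""
        if not self.check(seq):
            return "replay"
        if not icv_valid:
            return "bad-icv"         # window deliberately left untouched
        self.update(seq)
        return "accept"


# Constructed stream of (sequence number, ICV verified?) pairs as seen by a receiver.
SCENARIO = [(1, True), (3, True), (2, True), (2, True), (70, True),
            (5, True), (7, False), (7, True), (7, True), (0, True)]


def run_scenario(window_size: int = 64, stream=SCENARIO) -> list:
    w = AntiReplayWindow(window_size)
    return [w.receive(seq, ok) for seq, ok in stream]


if __name__ == "__main__":
    for (seq, ok), verdict in zip(SCENARIO, run_scenario()):
        print(f"seq={seq:3d} icv_ok={ok!s:5} -> {verdict}")
```

In the constructed stream sequence number 5 is rejected after 70 has been accepted because 70 - 5 = 65 lies beyond a 64-entry window, whereas 7 (difference 63) is still inside it; the first delivery of 7 with a bad ICV is dropped without being recorded, so the genuine 7 that follows is still accepted.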

3.3 Security Associations (SA) and the Internet Key Exchange (IKE)


3.3.1 Security Associations (SA)

3.3.1.1 Definition and purpose

IPsec offers many options for implementing network-layer encryption and authentication. This section defines the procedures for managing SAs for both IPv4 and IPv6 when applying AH, ESP or both, depending on the user's choice. When an IPsec connection is set up, the two sides must agree exactly which algorithms to use and which services must be guaranteed; they then negotiate a set of parameters and mathematical algorithms to apply for encryption or authentication. In IETF terms, the security relationship between two or more entities that have agreed to communicate securely is called a Security Association (SA). An SA is a simplex connection: for each pair of communicating parties there are at least two SAs (one from A to B and one from B to A). When traffic must flow in both directions across the VPN, the Internet Key Exchange (IKE) establishes a pair of SAs, and further SAs can be set up afterwards. Each SA has its own lifetime. An SA is uniquely identified by the triple: Security Parameters Index (SPI), destination IP address and security protocol identifier (AH or ESP). SPI values 1 to 255 are reserved by IANA for future use. In principle the destination IP address may be a unicast, broadcast or multicast address; however, the IPsec SA management mechanisms currently defined cover only unicast SAs.

An SA is one of two types, Transport or Tunnel, depending on the mode in which the protocol uses the SA. A Transport-mode SA is a security association between two hosts, or one required between two intermediate systems along the path. Transport mode may also be used to protect IP-in-IP or GRE tunnels carried over transport-mode SAs. A Tunnel-mode SA is an SA applied to an IP tunnel. An SA between two security gateways is always a Tunnel-mode SA, as is an SA between a host and a security gateway. However, where the traffic is destined to the gateway itself, such as SNMP commands, the security gateway acts as a host and Transport mode is permitted.

An SA offers many options for IPsec services, depending on the security protocol chosen (AH or ESP), the SA mode, the SA endpoints and the optional services selected within the protocol. For example, AH provides data origin authentication and connectionless integrity for IP packets, with or without the anti-replay service as the parties choose. When one IP-VPN end wants to send IPsec traffic to the other, it checks whether an SA already exists in its database that both ends can use for the requested security service. If it finds one, it places the SPI of that SA in the IPsec header, applies the cryptographic algorithms and sends the packet. The receiver takes the SPI, the destination address and the IPsec protocol (AH or ESP) and finds the matching SA in its database to process the packet. Note that one IP-VPN end may have several IPsec connections at once, and therefore several SAs.

3.3.1.2 Combining SAs

IP packets sent over a single SA are protected by exactly one security protocol, AH or ESP, not both. Sometimes a security policy calls for a combination of services for a particular traffic flow that a single SA cannot provide, and several SAs must then be used to implement the required policy. The term SA bundle denotes the sequence of SAs that traffic must pass through to satisfy a set of security policies. For Tunnel mode there are three basic cases of combining SAs:

1) Both SA endpoints coincide: the inner and outer tunnels may each be AH or ESP, although Host 1 would normally not specify both tunnels to be the same, that is AH inside AH or ESP inside ESP.

[Host 1] -- [Security Gwy 1] -- Internet -- [Security Gwy 2] -- [Host 2]
Security Association 1 (Tunnel): Host 1 to Host 2
Security Association 2 (Tunnel): Host 1 to Host 2

Figure 3.13: Tunnel-mode SA bundle with both endpoints coinciding

2) One SA endpoint coincides: the inner and outer tunnels may each be AH or ESP.

[Host 1] -- [Security Gwy 1] -- Internet -- [Security Gwy 2] -- [Host 2]
Security Association 1 (Tunnel) and Security Association 2 (Tunnel) share one endpoint

Figure 3.14: Tunnel-mode SA bundle with one endpoint coinciding

3) No SA endpoint coincides: the inner and outer tunnels may each be AH or ESP.

[Host 1] -- [Security Gwy 1] -- Internet -- [Security Gwy 2] -- [Host 2]
SA 1 (Tunnel): Security Gwy 1 to Security Gwy 2
Security Association 2 (Tunnel): Host 1 to Host 2

Figure 3.15: Tunnel-mode SA bundle with no endpoints coinciding


Details of combining SAs are given in RFC 2401.

3.3.1.3 SA databases

There are two databases: the Security Policy Database (SPD) and the Security Association Database (SAD).

1) SPD: specifies the security services to be applied to IP traffic, depending on factors such as source, destination, and whether the traffic is inbound or outbound. It contains an ordered list of policy entries, kept separately for inbound and outbound traffic. The entries may specify that some traffic bypasses IPsec processing, some is discarded, and the rest is processed by IPsec. These entries are similar to those of a firewall or packet filter.

2) SAD: contains the parameters of each SA, such as the AH or ESP algorithms and keys, the sequence number, the protocol mode and the SA lifetime. For outbound processing an SPD entry points to an entry in the SAD, and the SAD determines which SA is used for a given packet. For inbound processing the SAD is consulted to determine how the packet is to be processed.

3.3.2 Internet Key Exchange (IKE)

An IPsec connection is formed only once an SA has been established, but IPsec itself has no mechanism for establishing SAs. The IETF therefore chose to split the work in two: IPsec performs the per-packet processing, while the Internet Key Management Protocol (IKMP) family is responsible for negotiating the security associations. After weighing the candidates, among them SKIP (Simple Key-management for Internet Protocols) and Photuris, the IETF selected IKE (Internet Key Exchange) as the standard for configuring IPsec SAs.

An IPsec IP-VPN tunnel between two parties is established in the following steps:

Step 1: Interesting traffic, received by or originating from an IPsec IP-VPN party on some interface, requires an IPsec session to be set up for that traffic.
Step 2: A Main Mode or Aggressive Mode negotiation using IKE results in an IKE security association (IKE SA) between the IPsec parties.
Step 3: A Quick Mode negotiation using IKE results in two IPsec SAs between the two parties.
Step 4: Data begins to flow through the encrypted tunnel using ESP or AH encapsulation (or both).
Step 5: The IPsec VPN tunnel is terminated, because the IPsec SAs expire, time out or are deleted.

Although the procedure is presented as five steps, steps 2 and 3 are the essential ones; they show clearly that IKE has two phases. The first phase uses a Main Mode or Aggressive Mode exchange between the parties, and the second phase is completed with a Quick Mode exchange.

Figure 3.16: IKE Main Mode, Aggressive Mode and Quick Mode


We now look at the individual steps and the purpose of each IKE phase.

3.3.2.1 Step one

Deciding which traffic to protect is part of the VPN's security policy. The policy determines which traffic must be protected (all other traffic is sent in the clear). The security policy is reflected in an access list. Both parties must hold matching lists, and several access lists may exist for different purposes between the parties. These lists are called access control lists (ACLs); they are simply extended IP access lists on the routers, used to decide which traffic needs to be encrypted. Crypto ACLs differ from ordinary ACLs in that the permit and deny statements mean something different. Figure 3.17 shows the outcome of permit and deny statements at the source and at the destination:


Source peer:       clear-text packet -> crypto ACL -> permit -> IPsec -> AH or ESP packet
                                                   -> deny   -> clear-text packet
Destination peer:  AH or ESP packet  -> crypto ACL -> permit -> IPsec -> clear-text packet
                   AH or ESP or clear-text packet  -> deny   -> passed on as received

Figure 3.17: Crypto ACL


The keywords permit and deny mean different things on the source and destination devices:

* Permit at the source: passes the traffic to IPsec for authentication, encryption or both. IPsec modifies the packet by inserting an AH or ESP header, possibly encrypting part or all of the source packet, and transmits it to the destination.
* Deny at the source: bypasses IPsec and sends the packet in the clear to the receiver.
* Permit at the destination: passes the traffic to IPsec for authentication, decryption or both. The ACL uses the header information to decide: in the ACL's logic, if the header carries the right source, destination and protocol, the packet was processed by IPsec on the sending side and must now be processed on the receiving side.
* Deny at the destination: bypasses IPsec and assumes the traffic was sent in the clear.

When permit and deny are combined correctly, data is protected and delivered successfully; when they are mismatched, data is dropped. Table 3.2 lists the permit/deny combinations and their outcomes.

Table 3.2: Outcomes of combining permit and deny statements

  Source   Destination   Result
  Permit   Permit        correct
  Permit   Deny          wrong
  Deny     Permit        wrong
  Deny     Deny          correct

3.3.2.2 Step two

Step two is IKE phase 1. The purposes of IKE phase 1 are:

* To agree a set of parameters used to authenticate the two parties and to encrypt part of the Main Mode exchange and the whole of the Quick Mode exchange. No Aggressive Mode messages are encrypted if Aggressive Mode is used for the negotiation.
* To authenticate the two IP-VPN parties to each other.
* To generate keying material from which the keys used to encrypt data immediately after the negotiation are derived.

All the information negotiated in Main Mode or Aggressive Mode, including the key later used to derive the data-encryption keys, is stored as the IKE SA, also called the ISAKMP SA. Between any two parties there is only one ISAKMP security association.

[Host A] -- [Router A] ===== IKE phase 1, Main Mode ===== [Router B] -- [Host B]
  Router A: negotiate policy, Diffie-Hellman exchange, verify peer identity
  Router B: negotiate policy, Diffie-Hellman exchange, verify peer identity

Figure 3.18: IKE phase 1 using Main Mode
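The SPD and SAD lookups of 3.3.1.3 and the permit/deny outcomes of Table 3.2 can be exercised with a small model of both peers. The Python below is an added example for this edit, not code from the thesis or from any vendor's implementation. Its SPD entries, SAD contents, addresses and SPI are constructed; the SPD action "protect" stands for a crypto-ACL permit and "bypass" for a deny, and an ESP packet is represented by a dictionary rather than the real encapsulation shown earlier.

```python
import ipaddress
from dataclasses import dataclass

ESP_PROTO = 50


@dataclass
class SPDEntry:
    """One ordered SPD entry: traffic selectors and the action for matching traffic
    (RFC 2401 4.4.1). In crypto-ACL terms 'protect' is a permit and 'bypass' a deny."""
    src: str
    dst: str
    action: str              # "protect" | "bypass" | "discard"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def spd_lookup(spd, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; traffic matching no entry is discarded (RFC 2401)."""
    for entry in spd:
        if entry.matches(src_ip, dst_ip):
            return entry.action
    return "discard"


class Peer:
    def __init__(self, spd, sad):
        self.spd = spd      # list of SPDEntry (a real stack keeps inbound and outbound apart)
        self.sad = sad      # {(dst_ip, protocol, spi): SA parameters}

    def send(self, src_ip: str, dst_ip: str, data: str):
        """Outbound: the SPD decides; 'protect' picks the SA from the SAD and that SA's SPI
        goes into the ESP header. Returns the packet put on the wire, or None if discarded."""
        action = spd_lookup(self.spd, src_ip, dst_ip)
        if action == "bypass":
            return {"src": src_ip, "dst": dst_ip, "proto": "clear", "data": data}
        if action == "protect":
            for (dst, proto, spi), sa in self.sad.items():
                if dst == dst_ip and proto == ESP_PROTO:
                    return {"src": src_ip, "dst": dst_ip, "proto": ESP_PROTO,
                            "spi": spi, "inner": data, "alg": sa["alg"]}
            # policy requires protection but no SA exists: this is where IKE would run
        return None

    def receive(self, pkt):
        """Inbound: an ESP packet is matched to an SA by (dst, protocol, SPI), then the SPD is
        consulted to confirm protection was required; cleartext is accepted only where the
        SPD says bypass. Returns the delivered data, or None if the packet is dropped."""
        if pkt is None:
            return None
        action = spd_lookup(self.spd, pkt["src"], pkt["dst"])
        if pkt["proto"] == ESP_PROTO:
            sa = self.sad.get((pkt["dst"], ESP_PROTO, pkt["spi"]))
            if sa is None or action != "protect":
                return None          # unknown SA, or this peer did not expect IPsec
            return pkt["inner"]
        return pkt["data"] if action == "bypass" else None


HOST_A, HOST_B, SPI = "10.1.0.10", "10.2.0.10", 0x2000       # constructed addresses


def outcome(src_permit: bool, dst_permit: bool) -> str:
    """One row of Table 3.2: a crypto-ACL permit is the SPD action 'protect', a deny is 'bypass'."""
    sad = {(HOST_B, ESP_PROTO, SPI): {"alg": "3DES-CBC with HMAC-SHA-1"}}
    a = Peer([SPDEntry("10.1.0.0/16", "10.2.0.0/16", "protect" if src_permit else "bypass")], sad)
    b = Peer([SPDEntry("10.1.0.0/16", "10.2.0.0/16", "protect" if dst_permit else "bypass")], sad)
    return "delivered" if b.receive(a.send(HOST_A, HOST_B, "payload")) == "payload" else "dropped"


def table_3_2() -> dict:
    return {(s, d): outcome(s, d) for s in (True, False) for d in (True, False)}


if __name__ == "__main__":
    for (s, d), result in table_3_2().items():
        print("source", "permit" if s else "deny  ", "destination",
              "permit" if d else "deny  ", "->", result)
```

Running `table_3_2()` reproduces the table: the two matching combinations deliver the payload, a source permit with a destination deny leaves the receiver treating an ESP packet as cleartext, and a source deny with a destination permit makes the receiver drop cleartext where it expected IPsec.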


Main Mode exchanges six messages (three two-way exchanges) between the initiator and the responder:

* First exchange: the encryption and authentication algorithms (used to protect the IKE exchanges) are agreed between the peers.

* Second exchange: a Diffie-Hellman exchange generates the shared secret, and random numbers (nonces) are exchanged to confirm each peer's identity. The shared secret is used to derive all the other secret and authentication keys.
* Third exchange: each party's identity is verified (peer authentication).

The main result of Main Mode is a secure channel for the subsequent exchanges between the two peers.

Aggressive Mode accomplishes the same in three messages. Most of the work is done in the first message: the IKE policy sets are proposed, the Diffie-Hellman public value is sent, and an identity payload is included that can be used to identify the party through a third party. The responder replies with everything needed to complete the exchange, and finally the initiator confirms the exchange.

a) IKE policy sets

When a secure IP-VPN connection is set up between host A and host B across the Internet, a secure tunnel is established between router A and router B. Through that tunnel the encryption, authentication and other protocols are negotiated. Rather than negotiating each protocol individually, the protocols are grouped into sets called IKE policy sets. The IKE policy sets are exchanged in the first exchange of IKE phase 1. If a matching policy is found on both sides the exchange continues; if not, the tunnel is torn down. For example, router A sends its IKE policy sets, IKE policy 10 and IKE policy 20, to router B. Router B compares its own policy set, IKE policy 15, with those received from router A. In this case a match is found: router A's IKE policy 10 and router B's IKE policy 15 are equivalent. In a point-to-point application each party needs to define only one IKE policy set, but a hub site may have to define several IKE policies to accommodate all its remote peers.

b) Diffie-Hellman exchange

The Diffie-Hellman exchange is a public-key method that lets two parties establish a shared secret key over an insecure channel (see chapter 4). Seven Diffie-Hellman groups, DH 1 to 7, are defined. In IKE phase 1 the parties must agree on the Diffie-Hellman group to use; once the group is agreed, the shared secret key is computed.

c) Peer authentication

Peer authentication checks who is at the other end of the VPN tunnel. The devices at both ends of the IP-VPN tunnel must be authenticated before the channel is considered secure. The last exchange of IKE phase 1 serves to authenticate the peers. The two main peer authentication methods are pre-shared keys and RSA signatures. The authentication algorithms are covered in detail in chapter 4.

3.3.2.3 Step three

Step three is IKE phase 2. The purpose of IKE phase 2 is to negotiate the IPsec security parameters used to protect the IPsec tunnel. Only Quick Mode is used for IKE phase 2. IKE phase 2 performs the following functions:

* Negotiate the IPsec security parameters, the IPsec transform sets.
* Establish the IPsec security associations.
* Periodically renegotiate the IPsec SAs to keep the tunnel secure.
* Optionally perform an additional Diffie-Hellman exchange (fresh keying material when new SAs and keys are created, which strengthens the tunnel).

Quick Mode is also used to negotiate a new security association when an existing one expires; the parties then need not return to step two and can still establish an SA for the new session.
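The Diffie-Hellman exchange, the pre-shared-key authentication and the keys that make up the IKE SA described for step two can be traced end to end with the key derivation of RFC 2409 section 5. The following Python is an added example for this edit, not code from the thesis or from any IKE implementation. It runs both sides of a Main Mode phase 1 with pre-shared-key authentication. The assumed negotiated policy is group 1 (the 768-bit MODP group of RFC 2409, transcribed here) with HMAC-SHA-1 as the prf; the cookies, nonces, identities and SA payload bytes are constructed, and the ISAKMP message encoding and the encryption of messages 5 and 6 under SKEYID_e are left out. Group 1 is far too small for use today (group 14 or larger is the minimum in current practice); it is used only to keep the example fast.

```python
import hashlib
import hmac
import os

# First Oakley group (RFC 2409 section 6.1): 768-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = 96


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated prf: HMAC-SHA-1 (IKE uses the hash of the agreed policy in HMAC mode)."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Party:
    """One IKE peer: its pre-shared key, identity, ISAKMP cookie and Diffie-Hellman state."""

    def __init__(self, psk: bytes, identity: bytes, cookie: bytes):
        self.psk, self.identity, self.cookie = psk, identity, cookie
        self.x = int.from_bytes(os.urandom(32), "big")          # private DH exponent
        self.gx = pow(G, self.x, P).to_bytes(P_BYTES, "big")     # public value, sent in message 3/4
        self.nonce = os.urandom(16)

    def skeyid(self, ni: bytes, nr: bytes) -> bytes:
        """Pre-shared-key authentication: SKEYID = prf(PSK, Ni_b | Nr_b)."""
        return prf(self.psk, ni + nr)

    def shared_secret(self, peer_gx: bytes) -> bytes:
        return pow(int.from_bytes(peer_gx, "big"), self.x, P).to_bytes(P_BYTES, "big")


def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID_d (seed for IPsec keys), SKEYID_a (IKE integrity), SKEYID_e (IKE encryption)."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def main_mode(initiator: Party, responder: Party, sai_b: bytes) -> dict:
    """Messages 1-2: SA proposal and acceptance (sai_b is the initiator's SA payload body).
    Messages 3-4: g^xi, Ni and g^xr, Nr.  Messages 5-6: IDii, HASH_I and IDir, HASH_R."""
    i, r = initiator, responder
    # After messages 3 and 4 each side knows the other's public value and nonce.
    keys_i = derive_keys(i.skeyid(i.nonce, r.nonce), i.shared_secret(r.gx), i.cookie, r.cookie)
    keys_r = derive_keys(r.skeyid(i.nonce, r.nonce), r.shared_secret(i.gx), i.cookie, r.cookie)
    # Message 5: the initiator proves it holds the PSK; the responder checks with its own SKEYID.
    sent_hash_i = hash_i(keys_i["SKEYID"], i.gx, r.gx, i.cookie, r.cookie, sai_b, i.identity)
    i_ok = hmac.compare_digest(sent_hash_i, hash_i(
        keys_r["SKEYID"], i.gx, r.gx, i.cookie, r.cookie, sai_b, i.identity))
    # Message 6: the responder proves the same; the initiator checks.
    sent_hash_r = hash_r(keys_r["SKEYID"], i.gx, r.gx, i.cookie, r.cookie, sai_b, r.identity)
    r_ok = hmac.compare_digest(sent_hash_r, hash_r(
        keys_i["SKEYID"], i.gx, r.gx, i.cookie, r.cookie, sai_b, r.identity))
    return {"authenticated": i_ok and r_ok, "initiator": keys_i, "responder": keys_r}


if __name__ == "__main__":
    sa_payload = b"constructed SA payload: 3DES-CBC, SHA-1, PSK, group 1"
    a = Party(b"constructed-psk", b"routerA.example", os.urandom(8))
    b = Party(b"constructed-psk", b"routerB.example", os.urandom(8))
    result = main_mode(a, b, sa_payload)
    print("authenticated:", result["authenticated"],
          "same SKEYID_e:", result["initiator"]["SKEYID_e"] == result["responder"]["SKEYID_e"])
    c = Party(b"wrong-psk", b"routerB.example", os.urandom(8))
    print("with a mismatched PSK:", main_mode(a, c, sa_payload)["authenticated"])
```

The design point worth noticing is that with pre-shared keys the PSK feeds SKEYID, and SKEYID in turn feeds every other key and both HASH payloads: a peer that does not know the PSK still completes the Diffie-Hellman exchange, but its SKEYID differs, so its HASH_R fails and the initiator discards the IKE SA before any IPsec SA is derived from SKEYID_d.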

a) IPsec transform sets

[Host A] -- [Router A] ===== negotiate transform sets ===== [Router B] -- [Host B]
  Router A proposes:  Transform set 30: ESP, 3DES, SHA, Tunnel, Lifetime
                      Transform set 40: ESP, DES, MD5, Tunnel, Lifetime
  Router B holds:     Transform set 50: ESP, 3DES, SHA, Tunnel, Lifetime

Figure 3.19: IPsec transform sets


The ultimate goal of IKE phase 2 is to establish a secure IPsec session between the two VPN endpoints. Before that can happen, each pair of endpoints negotiates the level of security required (for example the authentication and encryption algorithms used in the session). Rather than negotiating each protocol separately, the protocols are grouped into sets, the IPsec transform sets. These transform sets are exchanged between the two sides in Quick Mode. If a matching transform set is found on both sides, session establishment continues; otherwise the session is dropped. For example, router A sends transform sets 30 and 40 to router B; router B finds that its transform set 50 matches router A's transform set 30, and the authentication and encryption algorithms of these transform sets form a security association.

b) Establishing the security association

Once a transform set has been agreed between the two sides, each IP-VPN device enters this information into a database. This information is known as a security association. The IP-VPN device then numbers each SA with an SPI. When a packet must be sent between the two VPN ends, the devices use the peer address, the SPI and the IPsec algorithm to process the packet before sending it through the tunnel. SAs were described in detail in section 3.3.1.

c) Security association lifetime

The longer a security association lives, the greater the chance of it being compromised. To keep the session secure, keys and SAs must be changed regularly. SA lifetime can be measured in two ways: by the amount of data transmitted and in seconds. Keys and SAs remain valid until the SA lifetime expires or until the tunnel is torn down, at which point the SA is deleted.

3.3.2.4 Step four

After IKE phase 2 has completed and Quick Mode has established the IPsec SAs, traffic can be exchanged between the IP-VPN parties through a secure tunnel. The processing of each packet (encryption, authentication, encapsulation) depends on the parameters set in the SA.

3.3.2.5 Tunnel termination

IPsec SAs terminate when they are deleted or their lifetime expires. The IP-VPN parties then stop using those SAs and release the SA database entries; the keys are discarded as well. If the IP-VPN parties still need to communicate at this point, a new IKE phase 2 is run, and if necessary IKE phase 1 is repeated as well. Normally, to keep communication continuous, new SAs are established before the old ones expire.

3.4 Protocols applied in IPSec processing

IPSec uses several existing protocols for encryption, authentication and key exchange. This keeps IPSec a standard built on basic, widely used building blocks, which makes it likely to become commonplace in IP communication. Some of these standard protocols are presented below.

3.4.1 Message encryption

Messages can be encrypted when the IPSec ESP protocol is used; message encryption lets you send highly sensitive information across a public network without fear of the data being compromised. Two basic data-encryption standards are in common use today: DES (Data Encryption Standard) and its extension 3DES (Triple DES).

3.4.1.1 The Data Encryption Standard (DES)

DES is the standard data-encryption method for a number of VPN deployments. DES applies a 56-bit key to 64 bits of data, which gives 72 × 10^15 possible keys for protecting data. DES was developed by IBM in 1977 and adopted by the U.S. Department of Defense; it is one of the strong encryption techniques. It was considered unbreakable at that time, but faster computers have since broken DES in a short time (less than a day), so DES is not used in the long term for high-security applications.

The DES-CBC technique is one of the many DES modes. CBC (Cipher Block Chaining) requires an initialization vector (IV) to start encryption. IPSec ensures that both IP-VPN sides have the same IV and a shared secret key. The shared secret key is fed to the DES algorithm to encrypt the 64-bit blocks into which the clear text is divided. The clear text is converted into ciphertext and handed to ESP for transmission to the peer, where the reverse processing uses the shared secret key to recreate the clear text.

3.4.1.2 Triple DES (3DES)

One variant of DES is 3DES, so named because it performs three encryption passes: an encryption, a decryption and a further encryption, each with a different 56-bit key. The three passes form a combined 168-bit key, which provides strong encryption. Chapter 4 presents the DES algorithm in detail.

3.4.2 Message integrity

Message integrity is achieved with a mathematical hash function that computes a fingerprint of a message or data file. This fingerprint is called a message digest (MD) and its length depends on the hash function used. All or part of the message digest is transmitted with the data to the destination host, which runs the same hash function to recreate the digest. The source and destination digests are then compared. Any difference means that the message has changed since the source digest was created; a match means that the data has certainly not been altered in transit.

With IPSec, the message digest is computed over the non-mutable fields of the IP packet, the mutable fields being replaced by zero or by a predictable value. The MD is computed and then placed in the authentication data field (ICV) of the AH. The destination device copies the MD out of the AH and clears the authentication data field before recomputing the MD. With IPSec ESP the processing is similar: the digest is computed over the non-mutable data of the IP packet starting at the ESP header and ending at the ESP trailer, and the resulting MD is placed in the ICV field at the end of the packet. With ESP, the destination host does not need to strip the ICV field because it lies outside the scope of the hash function.

Two main algorithms support message integrity, MD5 and SHA-1 (Secure Hash Algorithm 1); both use a keyed-hash mode called HMAC (Hashed-keyed Message Authentication Code). An overview of these three tools for message integrity follows.

3.4.2.1 Hashed Message Authentication Code (HMAC)

RFC 2104 describes the HMAC algorithm, which was developed to work with the existing hash algorithms MD5 and SHA-1. Many complex security processes for shared data require the use of a secret key and a mechanism called a message authentication code (MAC). One party creates a MAC using the secret key and sends the MAC to the other party, which recreates the MAC with the same secret key and compares the two MAC values. MD5 and SHA-1 are similar in concept but use different secret keys; this is what led to HMAC. HMAC was developed to add a secret key to a standard hash algorithm when computing the message digest. The secret key is added in the same way for both, but the resulting message digests differ between the two algorithms.

3.4.2.2 The MD5 algorithm

The MD5 message-digest algorithm condenses any message or data field into a 128-bit digest. With HMAC-MD5-96, the secret key is 128 bits long. For AH and ESP, HMAC uses only the leftmost 96 bits, placing them in the authentication field. The destination recomputes the 128-bit digest but uses only its leftmost 96 bits to compare against the value carried in the authentication field. MD5 produces a shorter digest than SHA-1 and is regarded as less secure, but it performs better. Without HMAC, MD5 is known to be too weak for services that require a high level of security.

3.4.2.3 The Secure Hash Algorithm (SHA)

The secure hash algorithm is described in RFC 2404. SHA-1 produces a 160-bit digest and uses a 160-bit secret key. Some products take the leftmost 96 bits of the digest and send them in the authentication field. The receiver recreates the 160-bit digest with the 160-bit secret key and compares only 96 bits with the digest carried in the authentication field. The 160-bit SHA-1 digest is more secure than the 128-bit MD5 digest. This may be regarded as more than enough, but if you need a high level of message-integrity security you can choose HMAC-SHA-1.
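As an added example (not code from the thesis), the following Python shows the HMAC-96 handling of section 3.4.2 for AH: the mutable header fields and the ICV field are zeroed before hashing, the full MD5 or SHA-1 HMAC is computed, and only its leftmost 96 bits are carried and compared. The header layout, field names and keys are constructed for this illustration and are not real IPSec encodings.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # 96 bits: AH and ESP carry only the leftmost 96 bits of the HMAC

# Constructed sample keys (not from the thesis): HMAC-MD5-96 uses a 128-bit key,
# HMAC-SHA-1-96 a 160-bit key, as described in section 3.4.2.
MD5_KEY = bytes(range(16))
SHA1_KEY = bytes(range(20))

# Simplified IPv4 header used only for this illustration. TTL and header
# checksum change hop by hop, so AH treats them as mutable.
MUTABLE_FIELDS = ("ttl", "checksum")
SAMPLE_HEADER = {
    "version": 4, "tos": 0, "length": 52, "id": 0x1234,
    "ttl": 64, "checksum": 0xABCD,
    "src": bytes([10, 0, 0, 1]), "dst": bytes([10, 0, 0, 2]),
}
SAMPLE_PAYLOAD = b"constructed sample payload"


def serialize(header: dict, payload: bytes, icv: bytes) -> bytes:
    """Pack the header fields, the AH ICV field and the payload into bytes."""
    fixed = struct.pack("!BBHHBH", header["version"], header["tos"],
                        header["length"], header["id"], header["ttl"],
                        header["checksum"])
    return fixed + header["src"] + header["dst"] + icv + payload


def hash_input(header: dict, payload: bytes) -> bytes:
    """What the HMAC is computed over: mutable fields and the ICV field
    itself are replaced by zeros, as the thesis describes for AH."""
    zeroed = dict(header, **{name: 0 for name in MUTABLE_FIELDS})
    return serialize(zeroed, payload, bytes(ICV_LEN))


def compute_icv(key: bytes, header: dict, payload: bytes, algo: str) -> bytes:
    """Full 128-bit (MD5) or 160-bit (SHA-1) HMAC, truncated to the leftmost 96 bits."""
    digest = hmac.new(key, hash_input(header, payload), getattr(hashlib, algo)).digest()
    return digest[:ICV_LEN]


def verify_icv(key: bytes, header: dict, payload: bytes, icv: bytes, algo: str) -> bool:
    """Receiver side: recompute the full digest and compare only the 96 bits carried
    in the packet, in constant time so the comparison does not leak partial matches."""
    return hmac.compare_digest(compute_icv(key, header, payload, algo), icv)


def demo(algo: str = "md5", key: bytes = MD5_KEY) -> dict:
    """Show that in-transit TTL/checksum changes keep the ICV valid, while a payload change breaks it."""
    icv = compute_icv(key, SAMPLE_HEADER, SAMPLE_PAYLOAD, algo)
    aged = dict(SAMPLE_HEADER, ttl=SAMPLE_HEADER["ttl"] - 3, checksum=0x0001)  # after 3 hops
    tampered = SAMPLE_PAYLOAD[:-1] + b"?"
    return {
        "icv_bits": len(icv) * 8,
        "ok_after_hops": verify_icv(key, aged, SAMPLE_PAYLOAD, icv, algo),
        "ok_after_tamper": verify_icv(key, aged, tampered, icv, algo),
    }


if __name__ == "__main__":
    print(demo("md5", MD5_KEY))    # {'icv_bits': 96, 'ok_after_hops': True, 'ok_after_tamper': False}
    print(demo("sha1", SHA1_KEY))  # same result with the 160-bit key and SHA-1
```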

3.4.3 Peer authentication

One of IKE's tasks is peer authentication. This takes place in the first phase, using a keyed hash algorithm together with one of the following three kinds of key:
+ Pre-shared keys
+ RSA digital signatures
+ RSA encrypted nonces
These three kinds of key take part in authentication processing as outlined below.

3.4.3.1 Pre-shared keys

Pre-shared key handling is manual. The administrator at one end of the IPSec IP-VPN agrees on the key to be used and then enters the key by hand into the device, be it a host or a gateway. This method is simple but not widely deployed.

3.4.3.2 RSA digital signatures

A certificate from a Certificate Authority (CA) provides an RSA digital signature at the time of enrolment with the CA. Digital signatures allow greater security than shared keys. Once the initial configuration is complete, parties using RSA digital signatures can authenticate each other without operator intervention. When an RSA digital signature is required, a public/private key pair is generated. The host uses the private key to create a digital signature and sends that signature to its IPSec peer. The peer uses the public key taken from the signature to validate the signature received.

3.4.3.3 RSA encrypted nonces

A development of digital signatures is RSA processing in which encryption authenticates the parties. A nonce is a pseudo-random number. This process requires enrolment with a CA to obtain an RSA digital signature. The parties do not share the public keys used for this authentication and do not exchange digital signatures. Handling a shared key is manual and must be done during the initial setup. RSA encrypted nonces allow repudiation of the communication when one party legitimately refuses.

3.4.4 Key management

Key management can be a big problem when working with IPSec VPNs. It can feel like keys are hidden everywhere. In fact, only five keys are defined for each pair of IPSec peers in a relationship:
+ Two private keys, owned by each party and never shared. They are used to sign messages.
+ Two public keys, owned by each party and shared with everyone. These keys are used to verify signatures.
+ The fifth key is the shared secret key. Both parties use this key for encryption and for the hash function. This key is produced by the Diffie-Hellman algorithm, described below.
That does not sound like many keys. In practice, however, the private and public keys are used for many IPSec connections of a given party. In a small organization these keys might all be managed by hand. The problem appears when trying to scale the process to support hundreds or thousands of VPN sessions. The next sections describe the Diffie-Hellman protocol and digital certification, two of the complete solutions for managing this difficult problem automatically.

3.4.4.1 The Diffie-Hellman protocol

Diffie-Hellman is a public-key protocol that lets two parties exchange a secret key without any prior secret. It is an example of a symmetric key-exchange process, in which the parties exchange different public keys to produce the same private key. The Diffie-Hellman protocol is used in IPSec VPNs, but it is hard to spot. It is used in the process of setting up a secure channel between IPSec peers. Its traces are as follows:
* IPSec uses the Internet Security Association and Key Management Protocol (ISAKMP) to provide a framework for authentication and key exchange.
* ISAKMP uses the IKE protocol to negotiate security and to provide keying material for the security association.
* IKE uses a protocol called OAKLEY, which offers a series of key exchanges and details the services provided by each exchange.
* OAKLEY uses Diffie-Hellman to establish a shared secret key between the parties.
The symmetric-key encryption process then uses the shared secret key to encrypt and authenticate the connection. Parties using a symmetric-key encryption protocol must share the same secret key. Diffie-Hellman provides a way to give each party a shared secret key without having to keep track of the keys in use.

Symmetric-key encryption processing is too slow for the bulk encryption required on a high-speed IP-VPN channel. IPSec peers use the Diffie-Hellman protocol to negotiate the shared secret key that AH or ESP uses to produce the authentication data or to encrypt the IP packet. The receiver uses the key to authenticate the packet and decrypt the payload. The steps of the Diffie-Hellman algorithm are presented in detail in chapter 4.

3.4.4.2 Certificate Authority (CA)

Another method of holding keys without much management overhead is to use a CA (Certificate Authority) as a trusted entity that issues and revokes digital certificates and provides a means of verifying and authenticating those certificates. CAs are usually third parties such as VeriSign or Entrust, but to save money you can set up your own CA based on the Windows 2000 certificate service. The CA's work proceeds as follows:
1) A client that wants to use digital certificates generates a key pair, a public key and a private key. The client then prepares an unsigned (X.509) certificate containing, among other things, the client's identity and the public key it has just generated. This unsigned certificate is sent to the CA by some secure method.
2) The CA computes a hash of the unsigned certificate. The CA then signs the hash, encrypting it with the CA's public key. This encrypted hash is a digital signature, and the CA atta­ches it to the certificate and returns the signed certificate to the client. This certificate is called the identity certificate and is stored on the client device until it expires or is deleted. The CA also sends the client its own digital certificate, which becomes the root certificate for the client.
3) The client now has a signed digital certificate that it can send to any peer. If the peer wants to authenticate the certificate, it decrypts the signature with the CA's public key. Note that the CA sends each client only that client's certificate. If a client wants to set up an IPSec IP-VPN with another client, it exchanges digital certificates with that client using the shared public keys. When a client wants to encrypt data to send to a peer, it uses the peer's public key obtained from the digital certificate; the peer then decrypts the packet with its key.
Another function of the CA is to periodically generate a list of certificates that have expired or lost validity. The CA creates a Certificate Revocation List (CRL) of its clients. When a client receives a digital certificate, it checks the CRL to see whether the certificate is still valid.

3.5 Example of the operation of an IP-VPN using IPSec

To summarize the whole IPSec process, we give an example of an IP-VPN connection as in figure 3.20. Note that before establishing the IPSec connection, one must make sure that the devices along the IP-VPN path support IPSec (including the protocols and algorithms), that no IPSec connection already exists or, if one does, that the parameters of the existing SA do not conflict with the parameters about to be established, and that a ping succeeds to confirm that the connection is ready.
[Figure 3.20, a network diagram: headquarters network, Certificate Authority, Internet, IKE policy, user router and user computers]
Figure 3.20: Example of the operation of an IP-VPN using IPSec


In this example, a user wants to communicate securely with the headquarters network. When data is sent to the user's router (which acts as a security gateway), the router checks its security policy and recognizes that this traffic is an IP-VPN application that must be protected. The security policy configured earlier also indicates that the headquarters router will be the other end of the IPSec tunnel, i.e. the headquarters station of the IP-VPN. The user's router checks whether an IPSec SA has already been established for this session. If there is no IPSec SA at all, the IKE negotiation process begins. The Certificate Authority helps the headquarters authenticate whether the user is allowed to carry out this session; the credential is a digital signature signed by an authorized party that both sides trust. As soon as the two routers agree on an IKE SA, an IPSec SA is created immediately. If the two sides cannot agree on any IKE SA, they either continue negotiating or stop the session. Creating the IPSec SAs is the negotiation between the parties of the security policies, the encryption algorithm to use (for example DES), the authentication algorithm (for example MD5) and a shared key. The SA data is stored in each party's database.

At this point the user's router encapsulates the data according to the requirements negotiated in the IPSec SA (encryption and authentication algorithms, encapsulation protocol AH or ESP), adds the appropriate information to bring the encrypted packet back to the form of the original IP datagram, and forwards it to the headquarters router. On receiving the packet from the user's router, the headquarters router looks up the IPSec SA, processes the packet as required, restores the original packet and delivers it to the headquarters network.

3.6 Summary

This chapter has described the IPSec protocol in detail and its application to IP-VPN technology. IPSec is an open standard: it does not define specific solutions but only sets out the standards. IPSec comprises two protocols, AH and ESP, which operate differently to provide integrity, confidentiality and security for data. A security association (SA) holds the set of policies, parameters, algorithms and protocols for encapsulating data between the IPSec participants. At each end of the IPSec tunnel, the SA is used to determine the type of traffic that needs IPSec processing, the IPSec protocol used (AH or ESP), and the algorithms and keys used for encryption and authentication. In addition, IKE is an important protocol for negotiating the authentication of the participants and establishing the parameters and policies of the security association during setup. The task of IKE is to negotiate between the parties during setup, or to renegotiate when necessary, in order to create an SA. Table 3.3 summarizes the three protocols of chapter 3.

Table 3.3: Summary of the IPSec protocols
Protocol | Service | Algorithms/methods
AH | Data integrity | MD5, SHA1
ESP | Confidentiality, data integrity | DES, 3DES, AES, MD5, SHA1
IKE | Peer authentication, parameter establishment | Pre-shared keys, RSA, Diffie-Hellman, CA

Chapter 4 DATA SECURITY IN IP-VPN

4.1 Introduction

As presented in chapter 2, the characteristic of IP-VPN is that it allows data to be transmitted over a public network infrastructure while still guaranteeing the security and reliability of the data. To achieve this, IP-VPN technology must solve two problems: data encapsulation and data security. Data encapsulation is the way control information is added to the original packet so that the packet travels from the source to the intended destination; this was covered in the previous chapters. Data security is the way data crossing a public network is protected from being accessed or altered by unwanted parties. In fact, data security is not a problem specific to IP-VPN but a concern and a challenge for every organization that needs to use the Internet as a transmission medium. For that reason many solutions, protocols and algorithms have been developed to address it. Which solution to use depends on the particular application, and several solutions may be combined to reach the desired level of security. Table 4.1 summarizes some of the main data-security protocols and algorithms in use. As can be seen, the protocols are very diverse and complex, and each protocol may use several different algorithms to achieve the level of data security required by a particular application.

Table 4.1: Some commonly used protocols and algorithms
Protocol | Function | Algorithms
IPSec | Provides data confidentiality services and data-origin authentication | RSA, DH, DES, 3DES, MD5, SHA
PPTP | VPN connection | RC4
SET | Allows secure exchange of credit-card data | RSA, SHA, DES
S/MIME | Secures the transmission, storage, authentication and forwarding of data at the application level | RSA, RC5, RC4, RC2, DES, 3DES
SSL & TLS | Creates a secure pipe between two applications to exchange data and authenticate each other | RSA, DH, RC4, DES, 3DES, SHA, MD5

For IP-VPN, IPSec is the optimal protocol in terms of data security. First, IPSec provides authentication of data integrity. Second, IPSec allows the strongest encryption and authentication methods and algorithms currently available to be used. Third, IPSec is an open framework, meaning that algorithms can be chosen to match the desired level of data security without being rigidly tied to one particular algorithm, while remaining able to adopt advanced algorithms developed in the future. This shows the great flexibility of IPSec. This chapter aims to clarify the data-security aspect of IP-VPN technology based on the IPSec protocol.

4.2 Cryptography

4.2.1 The concept of a cipher

Figure 4.1 shows the general concepts used in cryptographic algorithms and the relationships between them.

[Figure 4.1 diagram: plaintext P, encryption $E_K(P) = C$ with key K, ciphertext C, decryption $D_K(C) = P$ with key K]
Figure 4.1: General concepts used in cryptographic algorithms

A cryptosystem is a 5-tuple $(P, C, K, E, D)$ satisfying the following conditions:
1) $P$ is a finite set of possible plaintexts.
2) $C$ is a finite set of possible ciphertexts.
3) $K$ is a finite set of possible keys.
4) For each $k \in K$ there is an encryption rule $e_k: P \to C$ and a corresponding decryption rule $d_k: C \to P$ such that $d_k(e_k(x)) = x$ for every plaintext $x \in P$.
Condition 4 states that if a plaintext $x$ is encrypted with $e_k$ and the resulting ciphertext is then decrypted with $d_k$, the original plaintext $x$ must be recovered. The concepts in the figure are as follows:

+ Plaintext and ciphertext: the original message is called the plaintext (or cleartext). The process of transforming the message to hide its real content is called encryption. The encrypted message is called the ciphertext. The process of turning the ciphertext back into the original message is called decryption.
+ Algorithm and key: a cryptographic algorithm (also called a cipher) is a mathematical function used for encryption and decryption. The security of a cipher depends on a secret key. The range of possible key values is called the key space. Encryption and decryption both depend on the key K as follows:
Encryption: $E_K(P) = C$
Decryption: $D_K(C) = P$

Basically, ciphers are divided into two classes: symmetric-key cryptosystems and public-key cryptosystems. Symmetric-key encryption uses one and the same key for encryption and decryption; with such a system both ends of the channel are supplied with the same key over a trusted channel, and the key must exist before transmission begins. Public-key encryption uses two different keys (a secret key and a public key): the public key is used to encrypt and only the secret key can decrypt. Each of these families of cryptosystems has many concrete algorithms.

4.2.2 Symmetric-key cryptosystems

4.2.2.1 The ECB and CBC modes of operation

Depending on how input plaintext blocks are turned into output ciphertext blocks, block ciphers are classified into different modes of operation, among them ECB, CBC and OFB.

Electronic Code Book mode (ECB): with a block cipher in ECB mode, an input plaintext block is mapped statically to an output ciphertext block. Given finite memory resources, one could build a lookup table, or electronic code book, that maps a ciphertext block back to its corresponding plaintext block.

[Figure 4.2 diagram: the sender encrypts P1, P2, P3 independently to C1, C2, C3; the receiver decrypts each block independently back to P1, P2, P3]
Figure 4.2: Electronic Code Book (ECB) mode

Thus block ciphers in ECB mode are not secure against replay attacks, in which an attacker records a ciphertext block (possibly containing secret information) in order to decrypt it at some later time. Cipher Block Chaining mode (CBC) prevents replay attacks, and block ciphers today usually operate in CBC mode. Each plaintext block is XORed with the previous ciphertext block before being encrypted, so identical plaintext blocks appearing in the same message produce different ciphertext blocks. At the receiver, each ciphertext block is decrypted and then XORed with the previously received ciphertext block to recover the corresponding plaintext block. A single bit error corrupts the whole corresponding plaintext block and also causes a one-bit error in the next plaintext block; the effect of the error is therefore limited to two plaintext blocks.

[Figure 4.3 diagram: the sender XORs P1 with IV, P2 with C1 and P3 with C2 before encrypting to C1, C2, C3; the receiver decrypts and XORs with IV, C1 and C2 to recover P1, P2, P3]
Figure 4.3: Block cipher in CBC mode
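An added example, not from the thesis: a small Python model of ECB and CBC over a toy 64-bit Feistel block cipher (constructed here, not DES, and not secure), showing that ECB repeats identical blocks, that CBC does not, and that one flipped ciphertext bit in CBC damages exactly two plaintext blocks as described above. The key, IV and plaintext are constructed sample values.

```python
BLOCK = 8            # 64-bit blocks, as in DES
MASK32 = 0xFFFFFFFF
ROUNDS = 4

# Toy block cipher constructed for this illustration: a Feistel network like DES
# but with a trivial round function. Invertible and diffusing, but NOT secure.
def _round_key(key: bytes, i: int) -> int:
    k = int.from_bytes(key, "big")
    return ((k >> (16 * i)) ^ (0x9E3779B9 * (i + 1))) & MASK32

def _f(r: int, k: int) -> int:
    x = ((r ^ k) * 0x9E3779B1) & MASK32   # odd multiplier spreads a 1-bit change
    return (x ^ (x >> 15)) & MASK32

def block_encrypt(block: bytes, key: bytes) -> bytes:
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in range(ROUNDS):
        l, r = r, l ^ _f(r, _round_key(key, i))   # L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i)
    return r.to_bytes(4, "big") + l.to_bytes(4, "big")   # halves left unswapped after the last round

def block_decrypt(block: bytes, key: bytes) -> bytes:
    r, l = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, _round_key(key, i)), l   # same rounds, round keys in reverse order
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "pad to a multiple of the block size first"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    # Each block is mapped independently: equal plaintext blocks give equal ciphertext blocks
    return b"".join(block_encrypt(b, key) for b in split_blocks(pt))

def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for p in split_blocks(pt):
        prev = block_encrypt(xor(p, prev), key)   # C_i = E(P_i xor C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in split_blocks(ct):
        out.append(xor(block_decrypt(c, key), prev))   # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)

def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed sample input: two identical blocks followed by a different one
KEY = bytes(range(1, 9))
IV = bytes(range(100, 108))
PLAINTEXT = b"SAME-BLK" * 2 + b"OTHER-BK"

def ecb_leaks_repeats() -> bool:
    c = split_blocks(ecb_encrypt(PLAINTEXT, KEY))
    return c[0] == c[1]

def cbc_hides_repeats() -> bool:
    c = split_blocks(cbc_encrypt(PLAINTEXT, KEY, IV))
    return c[0] != c[1] and cbc_decrypt(b"".join(c), KEY, IV) == PLAINTEXT

def cbc_bit_error_damage(block_index: int = 0, bit: int = 0) -> list:
    """Flip one ciphertext bit and report how many plaintext bits differ in each block."""
    ct = bytearray(cbc_encrypt(PLAINTEXT, KEY, IV))
    ct[block_index * BLOCK + 3] ^= 1 << bit
    recovered = cbc_decrypt(bytes(ct), KEY, IV)
    return [hamming(p, q) for p, q in zip(split_blocks(PLAINTEXT), split_blocks(recovered))]

if __name__ == "__main__":
    print("ECB repeats blocks:", ecb_leaks_repeats())     # True
    print("CBC hides repeats:", cbc_hides_repeats())      # True
    print("bit error damage per block:", cbc_bit_error_damage())   # [many, 1, 0]
```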

Every CBC-encrypted message must be initialized with an initialization vector (IV). The IV is sent over the insecure channel at the start of the transmission session. To avoid replay attacks, an IV value is used only once; this can be done by assigning the IV a random value or a simple increasing counter.

4.2.2.2 The DES algorithm (Data Encryption Standard)

The DES algorithm was introduced in 1977 in the United States and is very widely used. It is also the basis for a more advanced algorithm, 3DES. Today DES is still used for applications that do not demand high security, and while the new data-encryption standard AES has not yet officially replaced it. DES encrypts 64-bit data blocks with a 56-bit key. The DES block diagram is shown in figure 4.4.

[Figure 4.4 diagram: 64-bit plaintext block, initial permutation, rounds 1 to 16 with 48-bit round keys derived from the 56-bit key, reverse permutation, 64-bit ciphertext block]
Figure 4.4: DES block diagram

First the 64 input bits $T$ are permuted by the initial permutation IP (Initial Permutation), which does not depend on the key: $T_0 = IP(T)$. After 16 rounds, the data passes through the reverse permutation RP (Reversed Permutation) to form the ciphertext block. These permutations do not in fact increase the security of DES. The core of each DES round is the Feistel network (named after a scientist at IBM). The Feistel network operates as follows: $T = L_0 R_0$ with $L_0 = t_1 \ldots t_{32}$ and $R_0 = t_{33} \ldots t_{64}$. In round $i$ ($1 \le i \le 16$):
$$L_i = R_{i-1}, \qquad R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$$
where $\oplus$ is XOR and $K_i$ is the 48-bit round key. In the final round the left and right halves are not swapped, so the input to $IP^{-1}$ is $R_{16} L_{16}$. The function $F$ is represented as a black box.


[Figure 4.5 diagram: $L_{i-1}$ and $R_{i-1}$ (32 bits each); black box: expansion permutation of $R_{i-1}$ to 48 bits, XOR with the 48-bit round key $K_i$, S-box substitution back to 32 bits, P-box permutation; key schedule: 56-bit key $K_{i-1}$ shifted and compressed to $K_i$; outputs $L_i$ and $R_i$ (32 bits each)]
Figure 4.5: Feistel network


a) Operation of the black box

It is fairly complex, containing the following functional blocks and tasks:
- Expansion permutation: expands the 32-bit input $R_{i-1}$ to a 48-bit block. The expansion uses a predetermined table to select the output bits. The bits produced by the expansion permutation are then XORed with the key $K_i$.
- S-box: the result of the XOR is divided into 8 blocks of 6 bits, $B_1$ to $B_8$. Each block $B_j$ is fed to a function $S_j$, which maps the 6-bit block to a 4-bit block according to a predetermined table.
- P-box: the returned 4-bit blocks are combined into the 32-bit output block of the black box.

b) Key schedule: the initial input key is a 64-bit block; after dropping the 8 parity bits, the remaining 56 bits are permuted in a fixed order. DES generates 16 keys, each 48 bits long, from the 56-bit input key, one for each of the 16 rounds. In each round the key $K_{i-1}$ is split into two parts, $C_{i-1}$ and $D_{i-1}$. The bits of $C_{i-1}$ and $D_{i-1}$ are then shift-permuted to form $C_i$ and $D_i$. After the permutation, $C_i$ with bits 9, 18, 22 and 25 dropped forms the left half of $K_i$ (24 bits), and $D_i$ with bits 35, 38, 43 and 54 dropped forms the right half of $K_i$ (24 bits). Joining the two halves gives the 48-bit key $K_i$.

c) Decryption: decryption performs these steps in reverse order.

d) Key distribution

The biggest drawback of symmetric-key cryptosystems is the distribution of the secret keys over an insecure channel. The number of secret keys needed when a symmetric-key algorithm is used among $n$ participants is
$$C_n^2 = \frac{n(n-1)}{2}.$$
It is clear that distributing the secret keys becomes extremely difficult when the number of participants exchanging information is large. Figure 4.6 shows key distribution in a symmetric-key cryptosystem.
[Figure 4.6 diagram: six computers A to F, each holding the five pairwise keys it shares with the others, e.g. A holds $K_{AB}, K_{AC}, K_{AD}, K_{AE}, K_{AF}$ and F holds $K_{AF}, K_{BF}, K_{CF}, K_{DF}, K_{EF}$]
Figure 4.6: Key distribution in a symmetric-key cryptosystem


4.2.2.3 Introduction to AES (Advanced Encryption Standard)

The DES algorithm with its 56-bit key was developed almost 28 years ago and is no longer suitable for applications demanding high data security (especially military or e-commerce applications). This is the reason new ciphers have to be developed to meet ever higher data-security requirements. Among the recently developed algorithms are 3DES (Triple DES) with a 168-bit key and, notably, AES. In 1997, NIST (US National Institute of Standards and Technology) organized the selection among the following algorithms:
* MARS (IBM): an improved Feistel network, 32 rounds, based on the combined structure of DES.
* RC6 (RSA): a 20-round Feistel network, improving on the RC5 algorithm.
* Twofish (Bruce Schneier): a 16-round Feistel network, improving on the Blowfish algorithm.
* Serpent (Ross Anderson, Eli Biham, Lars Knudsen): a 32-round substitution-permutation network.
* Rijndael (Joan Daemen, Vincent Rijmen): an improved 10-round substitution-permutation network.
Of these five algorithms, NIST chose Rijndael as the AES standard in 2000. AES will be the symmetric block-cipher standard of the future and will be implemented in both hardware and software. AES is designed so that the key length can be increased when necessary. The AES block length is n = 128 bits, and the key length is k = 128, 192 or 256 bits.

4.2.2.4 Stream ciphers

A stream cipher relies on a key-stream generator that produces a pseudo-random sequence initialized by a secret key. The key stream is XORed with the plaintext bit stream. At the receiver, an identical key generator, initialized with the same secret key, is synchronized with the incoming ciphertext stream. The receiver recovers the plaintext by XORing the ciphertext stream with the synchronized key stream.
[Figure 4.7 diagram: key, pseudo-random sequence generator; plaintext bit stream XOR pseudo-random bit stream = ciphertext bit stream at the sender, and the reverse at the receiver; the example bit streams shown are 1 1 0 1 0 1 1 0 1 and 1 1 0 1 1 0 1 0 1]
Figure 4.7: Stream cipher


4.2.3 Public-key cryptosystems

4.2.3.1 Introduction to the theory of public-key cryptography

A public-key cryptosystem is also called an asymmetric-key cryptosystem, because under this scheme the key used to encrypt a packet and the key used to decrypt it are different. The development of public-key cryptography is very significant and revolutionized the whole history of cryptography. Public-key algorithms are based on mathematical functions rather than on the substitution and permutation groups of classical ciphers. In a public-key cryptosystem each participant owns a unique key pair, consisting of a secret key (kept secret by the participant) and a corresponding public key (published in public directories). The two keys are related so that the public key performs encryption and the secret key performs decryption. The steps needed for public-key encryption are:
- An end system in the network generates a key pair used to encrypt and decrypt the messages it will receive.
- Each system publishes its encryption key widely by placing it in a register or a public file. This is the public key; the other key is kept private.
- If A wants to send a message to B, A encrypts the message with B's public key.
- When B receives the encrypted message, it decrypts it with its own secret key. No one else can decrypt this message because only B knows the secret key.
[Figure 4.8 diagram: user A encrypts the message with B's public key, the encrypted message crosses the channel, user B decrypts it with its secret key]
Figure 4.8: Public-key encryption


With this approach, all participants can access the public keys. The secret key is generated by each individual and is therefore never distributed. At any time, a system can change its key pair to maintain security without needing a secure channel to transmit the secret key. The requirements of public-key cryptography are:
1/ It is computationally easy for the receiver B to generate the public key KU and the secret key KR.
2/ It is computationally easy for party A, knowing the public key and the message M to be encrypted, to produce the corresponding ciphertext $C = E_{KU_b}(M)$.
3/ It is computationally easy for the receiver B to decrypt: using the secret key to decrypt the ciphertext C and recover the original message, $M = D_{KR_b}(C) = D_{KR_b}[E_{KU_b}(M)]$.
4/ It is computationally infeasible for an adversary who knows the public key $KU_b$ to determine the secret key $KR_b$. It is computationally infeasible for an adversary who knows the public key $KU_b$ and the ciphertext C to recover the original message M.
5/ The encryption and decryption functions can be applied in either order: $M = D_{KR_b}[E_{KU_b}(M)]$ and $M = E_{KU_b}[D_{KR_b}(M)]$.

It can be seen that computing $Y = f(X)$ is easy, whereas computing $X = f^{-1}(Y)$ is infeasible. In general, the ease of a problem is determined by whether it can be solved in a bounded time (which depends on the length of the input). If the input length is $n$ bits, the time to compute the function is proportional to $n^a$. To guarantee security, keys of large size (usually over 100 decimal digits) must be used. An example of key sizes and the time to break the key (in MIPS-years) for the RSA/DSS and ECC algorithms is given below.

Table 4.2: Time to break keys in the RSA/DSS and ECC algorithms
RSA/DSS key (bits) | ECC key (bits) | MIPS-years
512 | 106 | 10^4
768 | 132 | 10^8
1024 | 160 | 10^12

4.2.3.2 The RSA public-key cryptosystem

RSA was developed by Rivest, Shamir and Adleman in 1977. The RSA scheme encrypts block by block, each block having a value less than n. Encryption and decryption take the following form, for a message block M and a ciphertext block C:
$$C = M^e \bmod n$$
$$M = C^d \bmod n = (M^e)^d \bmod n = M^{de} \bmod n$$
Both sender and receiver must know the value n; the sender knows e and only the receiver knows d. So this is an encryption algorithm with public key KU = [e, n] and secret key KR = [d, n]. Since the algorithm must satisfy the requirements of public-key encryption, the following must hold:
* It is possible to find values d, e, n such that $M = M^{de} \bmod n$ for every M < n.
* It is relatively easy to compute $M^e$ and $C^d$ for every M < n.
* It is infeasible to determine d knowing e and n.

By Euler's theorem: for two primes p and q, two integers n and m (n = pq, 0 < m < n) and an integer k, we have
$$m^{k\phi(n)+1} \bmod n = m^{k(p-1)(q-1)+1} \bmod n = m \bmod n, \qquad \phi(n) = \phi(pq) = (p-1)(q-1).$$
Therefore, if $de = k\phi(n) + 1$ and $\gcd(\phi(n), e) = 1$ (gcd: greatest common divisor), then $de \bmod \phi(n) = 1$ and $d \bmod \phi(n) = e^{-1}$.

The RSA scheme: suppose user A publishes its public key e and user B wants to send the message M to A. B computes $C = M^e \bmod n$ and transmits C. On receiving C, user A decrypts by computing $C^d \bmod n$. We can see that $M = C^d \bmod n$ because $de \bmod \phi(n) = 1$, i.e. $de = k\phi(n) + 1$, so
$$M^{de} \bmod n = M^{k\phi(n)+1} \bmod n = M^{k(p-1)(q-1)+1} \bmod n = M \bmod n = M$$
$$C^d \bmod n = (M^e)^d \bmod n = M^{de} \bmod n = M$$

The RSA algorithm can be summarized in the following table:

Table 4.3: Summary of the RSA algorithm and its complexity
Key generation:
Generate two large primes p and q
Compute n = p·q and φ(n) = (p-1)(q-1)
Choose a random e with 1 < e < φ(n) and gcd(φ(n), e) = 1
Compute d = e^{-1} mod φ(n) (extended Euclidean algorithm)
Public key KU = [e, n]
Secret key KR = [d, n]
Complexities listed in the table: O((log n)^2), O((log φ(n))^2), O((log n)^3).

An example of RSA encryption and decryption: choose p = 3, q = 11. Then n = pq = 33 and (p-1)(q-1) = 20 = 2·2·5. The value e must be coprime with 20, i.e. it must contain neither the factor 2 nor the factor 5, and e < 20. We choose e = 3, d = 7. Then:
Encryption: suppose the message is M = {10, 9, 5, 20}. Then $M^3 = \{1000, 729, 125, 8000\}$ and $C = M^3 \bmod 33 = \{10, 3, 26, 14\}$.
Decryption: $C^7 = \{10^7, 2187, 26^7, 14^7\}$ and $M = C^7 \bmod 33 = \{10, 9, 5, 20\}$.
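The key generation of table 4.3 and the p = 3, q = 11 example above, as an added Python example (not the thesis's code): the extended Euclidean algorithm for d = e^-1 mod φ(n), a Miller-Rabin primality test for choosing p and q, and block-wise encryption and decryption. The larger key sizes used by random_keypair are assumptions for the demonstration only.

```python
import random


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(e: int, phi: int) -> int:
    """d = e^-1 mod phi(n), the last step of table 4.3."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e has no inverse modulo phi(n)")
    return x % phi


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test used to pick the primes p and q."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand):
            return cand


def keygen(p: int, q: int, e: int = 65537):
    """Table 4.3: n = p*q, phi = (p-1)(q-1), gcd(e, phi) = 1, d = e^-1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    if egcd(e, phi)[0] != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (modinv(e, phi), n)     # public KU = [e, n], secret KR = [d, n]


def random_keypair(bits: int = 512):
    """Generate a key pair from two random primes; retries if e is not coprime to phi(n)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        try:
            return keygen(p, q)
        except ValueError:
            continue


def encrypt(blocks, public_key):
    e, n = public_key
    if any(m >= n for m in blocks):
        raise ValueError("each block must be smaller than n")
    return [pow(m, e, n) for m in blocks]    # C = M^e mod n


def decrypt(blocks, private_key):
    d, n = private_key
    return [pow(c, d, n) for c in blocks]    # M = C^d mod n


def thesis_example():
    """p = 3, q = 11, e = 3 gives n = 33, phi = 20, d = 7; M = {10, 9, 5, 20}."""
    public, private = keygen(3, 11, e=3)
    c = encrypt([10, 9, 5, 20], public)
    return public, private, c, decrypt(c, private)


if __name__ == "__main__":
    print(thesis_example())   # ((3, 33), (7, 33), [10, 3, 26, 14], [10, 9, 5, 20])
```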

RSA key size: depending on the desired security and the lifetime of the key, the key is given an appropriate length:
- Export grade: 512 bits
- Personal grade: 768 bits
- Commercial grade: 1024 bits
- Military grade: 2048 bits
The above are the main points of the RSA cipher. In practice, implementing the algorithm with large key sizes requires a very large amount of computation involving number-theoretic problems, such as the Euclidean algorithm for finding the greatest common divisor of two integers or the Miller-Rabin test for checking the primality of the numbers involved.

4.2.4 The Diffie-Hellman key-exchange algorithm

The Diffie-Hellman algorithm allows two parties to agree on a common secret key. The steps are as follows:

Table 4.4: Steps of the Diffie-Hellman key exchange
Party A | Network | Party B
Agrees with B on a large initial prime P and on an integer G that serves to generate keys | | Agrees with A on a large initial prime P and on an integer G that serves to generate keys
Chooses a secret number A | | Chooses a secret number B
Computes the public number X = G^A mod P | | Computes the public number Y = G^B mod P
Sends X to B | X → | Sends Y to A
Now knows P, G, A, X, Y | ← Y | Now knows P, G, B, X, Y
Computes K_A = Y^A mod P | | Computes K_B = X^B mod P
Now has the shared secret key K_A = K_B = K | | Now has the shared secret key K_A = K_B = K
Proof: K_A = (G^B mod P)^A mod P = (G^B)^A mod P = G^{BA} mod P | | Proof: K_B = (G^A mod P)^B mod P = (G^A)^B mod P = G^{AB} mod P

An example of the Diffie-Hellman exchange: parties A and B agree on the prime P = 31 and the integer G = 3.
At A: choose A = 8, X = 3^8 mod 31 = 20. This X = 20 is sent to B.
At B: choose B = 6, Y = 3^6 mod 31 = 16. This Y = 16 is sent to A.
Computing the secret key K:
At A: K_A = 16^8 mod 31 = 4
At B: K_B = 20^6 mod 31 = 4
The two parties take K_A = K_B = K = 4 as the secret key for encrypting and decrypting their communication.
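The exchange of table 4.4 with the P = 31, G = 3, A = 8, B = 6 example above, as an added Python example (not the thesis's code); the parameter check (P prime, G a generator of the group) and the tiny exhaustive discrete logarithm are additions that show why real deployments use a very large P.

```python
def prime_factors(n: int) -> set:
    """Trial division; adequate for the small toy parameters used here."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_generator(g: int, p: int) -> bool:
    """g generates all of Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def valid_params(p: int, g: int) -> bool:
    """P must be prime and G a generator, otherwise the key space shrinks."""
    return p > 2 and prime_factors(p) == {p} and 1 < g < p and is_generator(g, p)


def public_value(p: int, g: int, secret: int) -> int:
    return pow(g, secret, p)              # X = G^A mod P (or Y = G^B mod P)


def shared_key(p: int, peer_public: int, secret: int) -> int:
    return pow(peer_public, secret, p)    # K_A = Y^A mod P, K_B = X^B mod P


def dh_exchange(p: int, g: int, a: int, b: int):
    """Run both columns of table 4.4; returns (X, Y, K_A, K_B)."""
    if not valid_params(p, g):
        raise ValueError("P must be prime and G a generator modulo P")
    x, y = public_value(p, g, a), public_value(p, g, b)
    return x, y, shared_key(p, y, a), shared_key(p, x, b)


def discrete_log(p: int, g: int, target: int):
    """The problem an observer of P, G and X faces to recover A. Exhaustive search
    works only because P is tiny here; with P of hundreds of digits it is infeasible."""
    for exponent in range(1, p):
        if pow(g, exponent, p) == target:
            return exponent
    return None


if __name__ == "__main__":
    print(dh_exchange(31, 3, 8, 6))        # (20, 16, 4, 4): X, Y, K_A, K_B
    print(discrete_log(31, 3, 20))         # 8: A is recoverable only because P = 31 is tiny
```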

4.3 Xc thc
Xc thc l thut ng ch hai khi nim: xc thc tnh ton vn ca d liu v xc thc ngun gc d liu. V c bn th cc xc thc ny c gii quyt bng cc phng php khc nhau. Trong phn ny chng ta s xem xt cch thc gii quyt hai vn ny. 4.3.1 Xc thc tnh ton vn ca d liu Xc thc tnh ton vn ca d liu (data intgity)bao gm 2 vn sau: + Pht hin cc bn tin b li (corrupted message): Pht hin cc li bt do nguyn nhn li ca phng php truyn d hoc ca thit b lu tr. Gii php cho vn ny s dng mt Message Digest (MD: gin lc thng ip- cn gi l hm hash) cho mi bn tin. MD hot ng nh mt du vn tay (fingerprint) cho php xc nh duy nht mt bn tin (tng t nh CRC). + Bo v chng sa i bt hp php bn tin (unathurized modification): pht hin ra nhng bn tin b sa i mt cch bt hp php trong qu trnh truyn dn. C hai gii php cho vn ny trn c s s dng mt m kha i xng v kha khng i xng. Gi php kha i xng to ra mt m xc thc bn tin MAC (Message Authentication Code) da trn mt hm gin lc thng ip c kha tc ng (keyed message digest function). Gii php kha khng i xng to ra mt ch k s (digital signature) bng cch mt m gin lc thng ip MD vi kha cng khai ca ngi gi. 4.3.1.1 Gin lc thng ip MD da trn cc hm bm mt chiu a) Gin lc thng ip MD (Message Digest) MD l phng php s dng pht hin li truyn dn, n c thc hin bng cc hm bm mt chiu. MD c di c nh hot ng nh mt du vn tay duy nht cho mt bn tin c di ty . Vi di thng thng ca mt MD t 128 bit n 256 bit th c th i din cho 10 38 n 1077 gi tr vn tay khc nhau. Con s ny l cc ln nu ly mt v d nh sau: gi s trong th k 21, dn s 10 t ngi, mi ngi Bi Vn Nht 45K2TVT 83

n tt nghip i hc

Cng ngh IP - VPN

write 100 documents per day; the total number of documents is then only 365 x 10^14 per year. Even if every document had its own fingerprint, only a minute fraction of the 10^38 possible MD values would ever be used.

b) One-way hash functions

One-way hash functions are used to compute the MD. A hash function is considered good if it satisfies the following requirements:
- Computing the MD is simple and efficient, so that the MD of messages several GB long can be computed.
- It is infeasible to recover the original message from its MD value. This is why the function is called one-way.
- The MD must depend on every bit of the message. If even one bit of the message is changed, inserted or deleted, about 50% of the bits of the MD change in a pseudo-random way. Figure 4.9 illustrates this. The hash function realises a pseudo-random message-to-digest mapping: two nearly identical messages have completely different hash values.
- Because of this pseudo-random behaviour and the enormous number of possible hash values, it is practically impossible for two distinct messages to have the same hash value (collision resistance). For today's practical applications, the output of a hash function over a message can therefore be treated as that message's unique fingerprint.

[Figure: document of arbitrary length -> one-way hash function -> fixed-length message digest. Input 1010111 0010100 11011101 00010101 -> digest 101101; the same input with one bit flipped, 1010111 0110100 11011101 00010101 -> digest 000100]

Figure 4.9: A single changed bit in the message causes about 50% of the MD bits to change


Two widely used hash functions are MD5 (Message Digest #5) and SHA (Secure Hash Algorithm). MD5, designed by Ron Rivest (RSA Security Inc.), computes a 128-bit hash from a binary message of arbitrary length. SHA was developed by NIST (US National Institute of Standards and Technology) in cooperation with the NSA (National Security Agency). SHA-1 computes a 160-bit hash from a binary message of arbitrary length; the algorithm is similar to MD5 but more secure because of its larger hash size. The SHA-2 algorithms, with hash sizes of 256, 384 and 512 bits, were announced by NIST in October 2000 to match the longer keys of the AES cipher. Both MD5 and SHA-1 have since been shown to be vulnerable to practical collision attacks and should not be used where collision resistance matters; SHA-2 is the current choice.

[Figure: document of arbitrary length -> MD5 -> 128-bit digest; the same document -> SHA-1 -> 160-bit digest; the one-way hash digest is the document's fingerprint]

Figure 4.10: The common hash functions MD5 and SHA


c) Basic structure of one-way hash functions

Figure 4.11 shows the basic structure of the one-way hash functions MD5 and SHA.
[Figure: Document || padding P || L (64-bit document length), split into N blocks of 512 bits. IV (128/160-bit initialisation vector) and block 1 -> MD5/SHA compression -> hash; that hash and block 2 -> compression -> hash; ...; the hash after block N is the final 128/160-bit hash value]

Figure 4.11: Basic structure of MD5 and SHA


MD5 and SHA are block algorithms:
- Both MD5 and SHA work on 512-bit input blocks, so the original message is first split into an integral number of such blocks. This is done by appending a 64-bit field L (the document length in bits) to the end of the message and, before L, inserting padding (a single 1 bit followed by 0 bits) so that the last block is exactly 512 bits long.
- Processing block by block allows the hash of large messages to be computed serially.

Initialisation vector IV and hash value:
- Besides the 512-bit input block, the hash function also needs an initialisation vector IV whose size equals the hash size (128 bits for MD5, 160 bits for SHA-1).
- In the first round the IV takes the value fixed in the MD5 or SHA standard. A hash value is computed from the first 512-bit input block; this value serves as the IV of the second round. The process continues with each round's hash value acting as the IV of the next round. After the last 512-bit block has been processed, the resulting hash value is the MD (fingerprint) of the whole message.

4.3.1.2 Message authentication codes (MAC) based on keyed one-way hash functions

A MAC (Message Authentication Code) protects a message against unauthorised modification of its content. It is computed with a one-way hash function combined with a secret key.

[Figure: sender: keyed hash function(Key, message) -> MAC, sent with the message over the channel; receiver: keyed hash function(Key, received message) -> MAC, compared with the received MAC]

Figure 4.12: Integrity authentication with a message authentication code MAC


The reason for building a MAC is that a message digest on its own gives no protection against unauthorised modification of the message content. Whoever alters the message in transit can simply recompute the MD5 or SHA hash over the altered content, so at the receiver the hash of the received message still appears perfectly valid.

To solve this, a secret key must enter the computation of the message fingerprint; only then is protection against unauthorised changes assured. The sender (who holds the secret key) produces a valid message digest, called the message authentication code MAC. The receiver uses the same secret key to check the validity of the message by recomputing the MAC and comparing it with the MAC the sender transmitted. The remaining question is how to build keyed one-way hash functions from the hash functions presented above. RFC 2104 (HMAC) specifies a construction of keyed hash functions on the basis of hash functions such as MD5 and SHA.

[Figure: secret key padded to 512 bits, XOR 0x36 0x36 ... = inner key block; MD5/SHA(inner key block || document) = inner hash; key XOR 0x5C 0x5C ... = outer key block; MD5/SHA(outer key block || inner hash) = MAC]

Figure 4.13: Generating the message authentication code MAC


In front of the message to be authenticated, a 512-bit inner key block is inserted. It is formed by padding the secret key with zero bits to 512 bits and XORing the result with the byte 0x36 repeated. For the highest security the secret key should be at least as long as the hash value (128 bits for MD5, 160 bits for SHA-1). The message is then fed to the hash function. Because the hash value of each block always serves as the initialisation vector of the next, hashing the inner key block yields an initialisation vector for hashing the original message, and that vector depends only on the secret key. Thus, as long as the secret key is unchanged, all messages can be signed with the same secret initialisation vector. The outer key is formed similarly, by XORing the (zero-padded) secret key with the byte 0x5C repeated. Hashing the outer key block yields an initialisation vector for hashing the hash value produced in the first pass. Usually the final MAC is obtained by truncating the 128-bit (MD5) or 160-bit (SHA-1) hash value to 96 bits. Although this truncation significantly reduces the number of combinations a brute-force attack must try, it hides the internal state of the hash algorithm and makes it much harder for an attacker to work back from the output of the second hash pass to the intermediate result of the first.

Integrity authentication with a MAC has the advantage of being fast and efficient, since MAC generation with hash functions is relatively simple, so it is often used to authenticate high-rate data streams. The disadvantage is that the receiver must know the secret key to check the integrity of the message, which raises the problem of distributing keys securely.

4.3.1.3 Digital signatures based on public-key cryptography

A digital signature is another way to protect a message against unauthorised modification of its content. It is produced by encrypting the hash value obtained from a one-way hash function. Figure 4.14 shows the hash value (MD5 or SHA) of the message being encrypted with the sender's private key to form the digital signature, which is transmitted together with the message.
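The construction of Figure 4.13, as an added example (not the thesis's code): HMAC built from the RFC 2104 recipe, with the 0x36/0x5C key blocks, the long-key rule, and the 96-bit truncation used by IPsec's HMAC-MD5-96 and HMAC-SHA1-96, plus the receiver-side check of Figure 4.12 done with a constant-time comparison. It is validated against the standard library's hmac module and an RFC 2202 test vector; the key and messages in the demo are those of that test vector.

```python
import hashlib
import hmac

BLOCK_SIZE = 64   # MD5 and SHA-1 both consume 512-bit (64-byte) blocks


def rfc2104_hmac(key, msg, hashname="sha1", mac_bits=None):
    """HMAC as in Figure 4.13: H(K^opad || H(K^ipad || msg)), optionally truncated."""
    def h(data):
        return hashlib.new(hashname, data).digest()

    if len(key) > BLOCK_SIZE:                 # RFC 2104: keys longer than a block are hashed first
        key = h(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")      # pad the secret key to 512 bits
    inner_key = bytes(b ^ 0x36 for b in key)  # inner key block
    outer_key = bytes(b ^ 0x5C for b in key)  # outer key block
    inner_hash = h(inner_key + msg)           # first pass over inner key block || document
    mac = h(outer_key + inner_hash)           # second pass over outer key block || inner hash
    if mac_bits is not None:
        mac = mac[: mac_bits // 8]            # e.g. 96 bits for HMAC-MD5-96 / HMAC-SHA1-96 in IPsec
    return mac


def verify_mac(key, msg, received_mac, hashname="sha1", mac_bits=None):
    """Receiver side of Figure 4.12: recompute, then compare in constant time."""
    expected = rfc2104_hmac(key, msg, hashname, mac_bits)
    return hmac.compare_digest(expected, received_mac)


def matches_stdlib(key, msg, hashname):
    return rfc2104_hmac(key, msg, hashname) == hmac.new(key, msg, hashname).digest()


if __name__ == "__main__":
    key, msg = b"\x0b" * 20, b"Hi There"                   # RFC 2202 test case 1
    tag = rfc2104_hmac(key, msg, "sha1", mac_bits=96)
    print("HMAC-SHA1-96:", tag.hex())                       # b617318655057264e28bc0b6
    print("tampered accepted?", verify_mac(key, b"Hi There!", tag, "sha1", 96))
```

The constant-time comparison is not optional: a byte-by-byte early-exit comparison leaks how many leading bytes of the MAC were right, which is enough to forge tags one byte at a time over a network.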

[Figure: sender: message -> hash function -> hash value -> encrypt with the private key -> signature, sent over the channel with the message; receiver: recompute the hash of the received message, decrypt the signature with the public key, compare the two hash values]

Figure 4.14: Digital signature
The receiver recomputes the hash from the received message and decrypts the digital signature that accompanies it. If the decrypted value matches the computed hash, the integrity of the message is established, because only the sender holds the private key that produced the signature. Since public keys are widely distributed, anyone can check the integrity of the message. This method avoids the secure key distribution problem, but encryption and decryption with private/public keys are very slow. It is therefore used mainly to authenticate the peer at the start of a communication session.

4.3.2 Data origin authentication

4.3.2.1 Authentication methods

There are two methods of data origin authentication: password-based authentication and authentication based on challenge-response protocols.

a) Password-based authentication

This method carries two security risks:

- First risk: the password must travel over an insecure channel. For example, remote login with telnet requires the user's identifier (ID) and password to be sent to the server in clear text. The risk is high because the password crosses the Internet, an insecure channel.

- Second risk: the password must be stored on the server, usually the login server. Storing passwords is itself a high security risk.

b) Authentication based on challenge-response protocols

To authenticate over an insecure channel, a challenge-response protocol can be used to check whether the peer being authenticated possesses a secret value without that value ever being exchanged over the insecure channel. The challenge-response protocol uses either a message authentication code MAC or a digital signature.

- Challenge-response protocol using a MAC
[Figure: Server -> User over the insecure channel: challenge R_S (a random nonce). User: MAC = keyed hash function(Key, ID_U, R_U, R_S). User -> Server: response ID_U, R_U, MAC. Server: keyed hash function(Key, ID_U, R_U, R_S) compared with the received MAC]

Figure 4.15: Challenge-response protocol with a MAC


This method relies on a secret key shared by the two peers. When a user wants to log in to a server, the server sends the user a challenge in the form of a random value called a nonce. To prevent replay attacks, a nonce value is never used a second time. The user produces a response by concatenating the server's random value R_S (received in the challenge) with the user's own random value R_U and the user's identifier ID, and feeding the result to a keyed hash function initialised with the shared secret key. The keyed hash function itself adds to the security. The output of the hash function is the MAC, which is sent to the server together with the identifier ID and R_U. Because of the one-way property of the MAC, the data transmitted over the insecure channel reveals nothing about the secret key.
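The exchange of Figure 4.15 with both the user's and the server's side, as an added example (not the thesis's code): the server issues a fresh nonce R_S, the user answers with ID_U, R_U and HMAC-SHA1(Key, ID_U || R_U || R_S), and the server recomputes and compares. The fields are length-prefixed before hashing so that an attacker cannot shift bytes between ID_U and R_U to produce the same input, and a captured response is rejected when replayed because its nonce is no longer outstanding. User name and shared secret are constructed values; the Server class is a hypothetical in-memory stand-in for the login server.

```python
import hashlib
import hmac
import secrets


def response_mac(key, user_id, r_u, r_s):
    """MAC = HMAC-SHA1(key, ID_U || R_U || R_S); each field is length-prefixed so it cannot shift."""
    data = b"".join(len(x).to_bytes(2, "big") + x for x in (user_id, r_u, r_s))
    return hmac.new(key, data, hashlib.sha1).digest()


class Server:
    """Login server of Figure 4.15: holds the shared secret per user and issues one-time challenges."""

    def __init__(self, user_keys):
        self.user_keys = user_keys          # {ID_U: shared key}, stored server-side
        self.outstanding = {}               # ID_U -> R_S still awaiting a response
        self.used_nonces = set()            # nonces that must never be accepted twice

    def challenge(self, user_id):
        r_s = secrets.token_bytes(16)       # fresh random nonce R_S
        self.outstanding[user_id] = r_s
        return r_s

    def verify(self, user_id, r_u, mac):
        r_s = self.outstanding.pop(user_id, None)
        if r_s is None or r_s in self.used_nonces:
            return False                    # no live challenge for this user: replay or junk
        self.used_nonces.add(r_s)
        key = self.user_keys.get(user_id)
        if key is None:
            return False
        return hmac.compare_digest(response_mac(key, user_id, r_u, r_s), mac)


def client_respond(key, user_id, r_s):
    """User side: choose an own nonce R_U and answer the challenge R_S."""
    r_u = secrets.token_bytes(16)
    return user_id, r_u, response_mac(key, user_id, r_u, r_s)


def run_protocol(server, user_id, key):
    """One complete exchange over the insecure channel; returns the server's decision and the reply."""
    r_s = server.challenge(user_id)                       # server -> user: challenge
    reply = client_respond(key, user_id, r_s)             # user -> server: ID_U, R_U, MAC
    return server.verify(*reply), reply


def demo():
    """Legitimate login, then a replay of the captured reply, then a login with the wrong key."""
    shared = b"constructed-shared-secret"
    srv = Server({b"alice": shared})
    ok, captured_reply = run_protocol(srv, b"alice", shared)
    replayed = srv.verify(*captured_reply)                # attacker resends what it sniffed
    wrong_key, _ = run_protocol(srv, b"alice", b"wrong-key")
    return ok, replayed, wrong_key
```

Note what the server never sends or stores in the clear: the shared key enters only the keyed hash, and the only values crossing the channel are two nonces, the identifier and the MAC.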

The server uses the information it holds (ID, R_U, R_S and the secret key) to compute the MAC value and compares it with the MAC sent by the user. If the user has the correct shared secret key the two values match and authentication succeeds.

- Challenge-response protocol using digital signatures

The challenge-response protocol can also be based on digital signatures, using public-key cryptography. The user is the only holder of the private key, and any server wishing to authenticate the user needs only the user's public key. The user computes a hash over the information ID, R_S (received from the server as the challenge) and R_U. Encrypting this hash with the private key produces a digital signature, which is sent back to the server as the response. Public-key cryptosystems have become widespread because the public key need not be kept secret and can be distributed widely. But when a server authenticates a user by checking a signature against the user's public key, the question arises whether the public/private key pair used in the authentication really belongs to that user.
[Figure: Server -> User over the insecure channel: challenge R_S (a random nonce). User: hash(ID_U, R_U, R_S) encrypted with the private key -> Sig. User -> Server: ID_U, R_U, Sig. Server: hash(ID_U, R_U, R_S) compared with Sig decrypted with the user's public key]

Figure 4.16: Challenge-response protocol using digital signatures


If the public key used in authentication is taken from a public directory, a man-in-the-middle attacker can easily replace the user's public key with the attacker's own. This is the reason certificates were introduced. A certificate establishes a trusted binding between a user's identity and that user's public key.

4.3.2.2 Digital certificates

a) The first trust model

One way to establish trust in a user's public key is the web-of-trust approach used by the e-mail encryption and authentication package PGP (Pretty Good Privacy). In the example of Figure 4.17, C can trust A through three intermediate links.
[Figure: Can C trust A? A's certificate is signed by B; B's certificate is signed by D; D's certificate is signed by C. Trust flows C -> D -> B -> A along the signatures]

Figure 4.17: The first trust model (PGP web of trust)


In a web of trust, each participant asks other participants to sign the hash of its certificate (which contains an identity, for example an e-mail address, and a public key). Suppose C receives an e-mail signed by A. C fetches A's certificate from a public directory and finds it signed by B. Next, C fetches B's certificate and finds it signed by D. Then C fetches D's certificate and finds it signed by C itself. The chain is now complete and trust in A can be established. The web-of-trust approach suits only small groups of users. As the number of users to be authenticated grows, for example to millions, the average number of intermediate links grows and with it the effort of locating certificates. Moreover, the longer the trust chain, the lower the confidence. The advantage of the web of trust is that no central authority is needed.

b) The second trust model

The second trust model is a trust hierarchy with Certificate Authorities (CAs). It is the model currently chosen for deploying and using certificates at large scale. The trust links form a hierarchy: at the top are the root CAs, below them the intermediate CAs.

[Figure: Root CAs: Verisign (self-signed), Swisskey (self-signed). Intermediate CA: Amazon (signed by Verisign). Client certificates: Bob (signed by Amazon), Alice (signed by Amazon), Carol (signed by Swisskey). Trust flows from the root down the chain]

Figure 4.18: The second trust model (trust hierarchy with CAs)
- Root CAs. At the top of the hierarchy of trust links are a number of root certificate authorities. Widely used root CAs include Verisign, RSA, Baltimore, Entrust, Deutsche Telekom and Swisskey.

- Intermediate CAs. Root CAs can issue certificates directly to users. For medium and large organisations, however, it is much more convenient to set up their own CA, so that they can issue and revoke certificates for individuals in the organisation themselves. The certificate of such an intermediate CA is usually issued and signed by a root CA.

In principle any number of hierarchy levels is possible, but usually only two or three levels separate a user's certificate from the root CA.

- General structure of an X.509 certificate

The web of trust commonly uses OpenPGP certificates (RFC 2440), whereas the trust hierarchy uses ITU-T X.509 certificates (RFC 2459).
[Figure: certificate body (Version, Serial Number, Signature*, Issuer, Validity, Subject, SubjectPublicKeyInfo, IssuerUniqueID (optional), SubjectUniqueID (optional), Extensions (optional)) -> hash function -> hash/fingerprint -> encryption with the issuer's private key -> SignatureAlgorithm*, Signature]

Figure 4.19: General structure of an X.509 certificate


An X.509v3 certificate consists of three parts:
- the certificate body;
- the definition of the algorithm the CA used to sign the certificate;
- the signature guaranteeing the authenticity of the certificate, which is the hash of the certificate body encrypted with the CA's private key.

The certificate body contains the following information:
i/ Version number: currently v1, v2 or v3.
ii/ Serial number: unique within the issuing CA.
iii/ Signature: identifies the algorithm used to sign the certificate.
iv/ Issuer: the identity (name) of the CA that issued and signed the certificate.
v/ Validity: the period during which the certificate is valid.
vi/ Subject: the identity of the certificate holder.
vii/ SubjectPublicKeyInfo: the holder's public key.
viii/ The optional v2 and v3 fields: issuer and subject unique identifiers, and extensions.
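The signature of Figure 4.14 and the trust hierarchy of Figure 4.18 in one added example (not the thesis's code). RSA keys are generated with the Miller-Rabin test mentioned in 4.2.3, a message is signed by applying the private key to its SHA-256 digest and checked with the public key, and a minimal certificate (subject, public key, issuer, signature over those fields) is issued by a root CA to an intermediate CA and by the intermediate CA to a user; verification walks the chain up to a root held in a local trust store, so a man-in-the-middle who swaps the public key cannot produce a certificate that verifies. This is raw RSA on the digest with no PKCS#1 padding and a 512-bit modulus, both chosen only to keep the demonstration short and fast; the CA names follow Figure 4.18 and the message is constructed. Requires Python 3.8+ for pow(e, -1, m).

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin test, the primality test section 4.2.3 mentions for RSA key generation."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # a witness of compositeness was found
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Textbook RSA pair ((e, n), (d, n)). 512-bit n keeps the demo fast; real keys are >= 2048 bits."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)     # pow(e, -1, m) needs Python 3.8+


def sign(priv, message):
    """Figure 4.14, sender: hash the message, then apply the private key to the digest
    (raw RSA on the digest, without PKCS#1 padding, exactly as the figure describes it)."""
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(pub, message, signature):
    """Figure 4.14, receiver: apply the public key and compare with a freshly computed digest."""
    e, n = pub
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def cert_body(subject, pub, issuer):
    """The part of a certificate that the issuer signs: identity, public key, issuer name."""
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()


def issue_cert(issuer_name, issuer_priv, subject, subject_pub):
    body = cert_body(subject, subject_pub, issuer_name)
    return {"subject": subject, "pub": subject_pub, "issuer": issuer_name, "sig": sign(issuer_priv, body)}


def verify_chain(leaf, intermediates, trusted_roots):
    """Figure 4.18: walk from the user's certificate up to a root CA in the local trust store;
    every link must verify against the public key of the certificate above it."""
    by_name = {c["subject"]: c for c in intermediates}
    cur = leaf
    for _ in range(len(intermediates) + 1):            # bounded: no loops through forged issuers
        body = cert_body(cur["subject"], cur["pub"], cur["issuer"])
        if cur["issuer"] in trusted_roots:
            return verify(trusted_roots[cur["issuer"]], body, cur["sig"])
        issuer = by_name.get(cur["issuer"])
        if issuer is None or not verify(issuer["pub"], body, cur["sig"]):
            return False
        cur = issuer
    return False


def demo():
    root_pub, root_priv = rsa_keygen()
    ca_pub, ca_priv = rsa_keygen()
    alice_pub, alice_priv = rsa_keygen()
    ca_cert = issue_cert("Root CA", root_priv, "Amazon CA", ca_pub)         # names from Figure 4.18
    alice_cert = issue_cert("Amazon CA", ca_priv, "Alice", alice_pub)
    roots = {"Root CA": root_pub}                                           # the local trust store
    chain_ok = verify_chain(alice_cert, [ca_cert], roots)
    mitm_pub, _ = rsa_keygen()                                              # attacker swaps the key
    chain_forged = verify_chain(dict(alice_cert, pub=mitm_pub), [ca_cert], roots)  # but cannot re-sign
    msg = b"constructed message"
    sig = sign(alice_priv, msg)
    return chain_ok, chain_forged, verify(alice_pub, msg, sig), verify(alice_pub, msg + b"!", sig)
```

The signature-based challenge-response of Figure 4.16 is the same sign/verify pair applied to hash(ID_U, R_U, R_S); what the chain walk adds is the answer to the question raised above, whether the public key used to check that response really belongs to the user.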

Chapter 5 IMPLEMENTING IP-VPN

5.1 Introduction

The preceding chapters presented the basic techniques of IP-VPN: tunnelling protocols, encryption algorithms and authentication. These techniques are built into the products of many vendors worldwide. Because there is no single standard governing the manufacture of VPN equipment, compatibility between products of different vendors is an issue: a user needs assurance that the equipment they buy will work well with the other equipment in the network. To address this, since 2000 the VPNC (Virtual Private Network Consortium) has tested and certified IP-VPN products for interoperability and conformance (VPNC Testing for Interoperability and Conformance). Some products that have passed VPNC testing are:
- ADTRAN, NetVanta
- Alcatel, Secure VPN Gateway 7130 series
- Check Point Software, VPN-1 Gateway
- Cisco, IOS IPSec
- Cisco, VPN 3000 Concentrator
- Cylink, NetHawk
- NetScreen, NetScreen family
- Nokia, Nokia VPN
- SafeNet, SafeNet family
- SSH Communications Security, IPSec Express
- WatchGuard Technologies, WatchGuard Firebox Vclass

Many vendors thus research and develop VPN equipment, and each vendor has several product lines for different application needs. Products can be dedicated (serving VPN purposes only) or combined (VPN functionality bundled with other functions such as routing or firewalling). Since no common standard exists, the way these products are used and configured also differs. The purpose of this chapter is to present the principles and models of VPN implementation in general and to give an overview of the VPN market in Vietnam.

5.2 IP-VPN implementation models


In general, the choice of a VPN implementation depends on the purpose and scale of the application. As seen earlier, the basic purpose of a VPN application is remote access or site-to-site connectivity, while the scale is expressed by the number of sessions that can run simultaneously. Another important characteristic is the role of the service provider (ISP). A VPN implementation can rely on a service provided by the ISP or be transparent to the ISP. In the first case the ISP deploys VPN equipment and can offer a VPN service to organisations and users who need it. In the second case the organisations and users deploy their own VPN equipment and can run a VPN regardless of whether the ISP supports the service. From the user's point of view there are three IP-VPN applications or types: Access IP-VPN, Intranet IP-VPN and Extranet IP-VPN.
[Figure: VPN -> dial -> Access; VPN -> dedicated -> Intranet, Extranet]

Figure 5.1: The three IP-VPN models


- Access IP-VPN: provides remote access over the Internet to the central network with the characteristics of a private network, such as security and reliability. Access IP-VPN lets users reach the organisation's resources wherever and whenever they wish. Analogue dial-up, ISDN, digital subscriber line (DSL) and mobile telephone access technologies can all be used to connect mobile users securely to the central network.
- Intranet VPN: connects branch networks to the central network over the Internet while preserving the properties of a private network.
- Extranet VPN: connects customers and partners to part of the central network over the Internet while preserving the properties of a private network.

5.2.1 Access VPN

There are many options for implementing an Access VPN, so the choice must be weighed carefully. As listed above, many access technologies are available, from traditional dial-up or ISDN to newer ones such as DSL. In addition, a VPN architecture must be chosen: client-initiated or network-access-server-initiated.

5.2.1.1 Client-initiated architecture

In a client-initiated Access IP-VPN, every remote user's PC must have IPSec software installed. When the user dials the ISP's POP (Point of Presence), this software sets up an IP-VPN tunnel and performs the encryption. The architecture is very secure because data is protected along the whole tunnel from the user's PC to the central network. Any access technology can be used to connect to the Internet. Moreover, the scheme is transparent to the ISP, meaning that an IP-VPN can be deployed without requiring any change at the ISP, for instance for data encryption. The drawback of this model is that the IPSec client software must be installed and managed on every remote-access PC.
[Figure: telecommuter's computer with IPSec client -> modem dial-in or ISDN -> POTS/ISDN -> network access server (NAS) -> Internet -> home gateway / dial-up router -> firewall -> private corporate network; the IPSec tunnel runs from the client to the home gateway; Mobile IP clients connect the same way]

Figure 5.2: Remote IP-VPN access initiated by the user


5.2.1.2 Architecture initiated from the network access server (NAS)

In an IP-VPN initiated from the access server, the NAS (at the POP) sets up the tunnel and performs the encryption on the user's behalf. The link between the user and the POP is then unprotected; the rest of the connection is secured by the tunnel and data encryption. This model is easier to manage because the IPSec client software on the remote-access PCs does not have to be controlled. It also scales more easily than the client-initiated model, because only the NAS has to be configured instead of every PC.
[Figure: remote users' computers -> PSTN/ISDN -> service provider NAS -> Internet -> home gateway -> corporate network and corporate servers]

Figure 5.3: IP-VPN access initiated from the server


5.2.2 Intranet IP-VPN and Extranet IP-VPN

Chapter 2 presented the Intranet and Extranet IP-VPN models. This chapter gives an example of deploying Intranet and Extranet IP-VPN initiated from routers. Figure 5.4 shows the two routers at the ends of the connection setting up an IPSec tunnel and then negotiating the encryption.
[Figure: Remote 1 (computer, remote router) -> service provider POP -> Internet -> POP -> Remote 2 (remote router, computer); an IPSec tunnel runs between the two remote routers (remote-router-initiated peering)]

Figure 5.4: IP-VPN initiated from routers


This model has several implementation options. In the first, the ISP manages, provides and maintains the basic Internet connectivity, while the organisation itself manages everything else: data security, routers, servers and resources such as dial-up modem banks. The second is the hybrid model, in which the organisation and the service provider share the work roughly equally: the ISP provides the VPN equipment and guarantees QoS at an agreed bandwidth, while the network administrator manages applications and configuration and provides support services and data security. In the third, the network administrator manages only the security servers, while the ISP provides the entire VPN solution, support services and training.

5.2.3 Some VPN products

As noted, many vendors research and develop VPN products, and each vendor offers several product lines with their own approaches, advantages and drawbacks. Below are examples of products from Cisco and NetScreen. The product ranges of these two vendors are fairly broad and cover a wide range of application needs.

Table 5.1: Examples of Cisco and NetScreen products
Customer type              | Cisco remote access                             | Cisco site-to-site VPN routers | NetScreen
ISP / central site         | 3080, 3060 Concentrators                        | 71x0 routers                   | NetScreen-1000, NetScreen-500
Medium site                | 3030 Concentrator                               | 7x00, 3600 routers             | NetScreen-208, NetScreen-204
Small office               | 3015, 3005 Concentrators                        | 3600, 2600, 1700 routers       | NetScreen-50, NetScreen-20, NetScreen-XP
Home office / telecommuter | Cisco VPN Software Client, 3002 Hardware Client | 800, 905 routers               | NetScreen-Remote

5.3 Example of an IP-VPN implementation


For illustration we consider two cases, a remote access application and a site-to-site application, using the Cisco VPN 3000 Concentrator. The VPN Concentrator has the following specifications:
- Data integrity authentication: HMAC-MD5 (128 bit) or HMAC-SHA-1 (160 bit).
- Data origin authentication: configurable to use a password (pre-shared key) or digital signatures.
- Key exchange: the Diffie-Hellman algorithm, with digital certificates.
- Data encryption: DES or 3DES in CBC mode.

In future, VPN equipment needs to support more advanced algorithms, such as the AES cipher and SHA-2 authentication.

5.3.1 Client-to-LAN connection

Here a remote user needs to connect to the central network to access e-mail, database files and presentations. One way to implement this connection is a VPN 3000 Concentrator at the organisation's central network and the VPN 3000 Client software on the user's computer.
[Figure: telecommuter with the VPN 3000 Client -> PPP connectivity to the ISP -> Internet -> ISP -> VPN Concentrator -> application server; the IPSec tunnel spans from the client to the concentrator]

Figure 5.5: Components of a Client-to-LAN connection


As Figure 5.5 shows, a Client-to-LAN connection has four components: IPSec client software, the Point-to-Point Protocol (PPP), the IPSec protocol and the VPN 3000 Concentrator.
- The IPSec client software is not bundled with the Windows operating system and must be installed on the computer that requires remote access. It encrypts, authenticates and encapsulates data and is one endpoint of the tunnel.
- PPP is used by remote-access applications to establish a physical connection to the ISP. After the ISP has authenticated the user, the user starts the IPSec client software to establish a secure tunnel over the Internet to the VPN 3000 Concentrator.
- At the central network, the VPN 3000 Concentrator is the other endpoint of the tunnel. It decrypts, authenticates and decapsulates the data.
[Figure: application server 192.168.1.10; VPN Concentrator private IP 192.168.1.5, public IP 172.26.26.1; Internet; telecommuter with the VPN 3000 Client: adapter (NIC) address 203.16.5.19, client (virtual) address 192.168.1.20. Packet: [outer IP header 203.16.5.19 <-> 172.26.26.1][ESP][inner IP header 192.168.1.10 <-> 192.168.1.20][DATA]]

Figure 5.6: Client-to-LAN IPSec tunnel


Figure 5.6 shows the Client-to-LAN IPSec tunnel. The remote user needs to reach information on the central network's server at address 192.168.1.10. The source address is normally the client's virtual address, 192.168.1.20, which is usually assigned to the client by a DHCP server or by the VPN Concentrator itself. The virtual address lets the client operate as if it were on the central network. All data exchanged between server and client must be protected, so it is encrypted, authenticated and encapsulated with the ESP protocol. After ESP encapsulation a new IP header (the outer header) is added to the packet to route it across the network. For a packet sent by the client, the source address of the outer IP header is the address of the client's network card (NIC) and the destination is the public interface of the VPN 3000 Concentrator; in the reverse direction the two are swapped. Besides the VPN 3000 Concentrator at the central network, every remote-access computer needs the IPSec client software. It works with the VPN 3000 Concentrator to create a secure tunnel between the remote computer and the central network. The IPSec client uses IKE and the IPSec tunnelling protocol to create and manage the tunnel. During operation the following steps happen almost automatically for the user:
- negotiation of the tunnel parameters: addresses, algorithms;
- establishment of the tunnel with the agreed parameters;
- authentication of the user by username, group name, password or digital certificate;
- setting of the user's access rights: time, hours of access, permitted protocols;
- management of the security keys for encryption and decryption;
- establishment of the IPSec session;
- authentication, encryption and decryption of the data passing through the tunnel.

Figure 5.7: IPSec client software


5.3.2 LAN-to-LAN connection

Here a user on a remote LAN wants to reach the application server on the central network. One way to implement this is with two VPN 3000 Concentrators, one at the central network and one at the remote network. An IP packet is built with source address 192.168.1.20 and destination address 192.168.1.10. The packet is routed to the VPN Concentrator, which encrypts it and encapsulates the original IP packet with an ESP header. The packet is now protected but cannot be routed, because its address fields are encrypted. An outer IP header is therefore added; its addresses (203.16.5.19, 172.26.26.1) route the packet across the Internet. Once the tunnel exists, a session is established that allows communication between the two private networks.
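The packet layout of Figures 5.6 and 5.8, as an added example (not the thesis's or Cisco's code): an inner IPv4 packet 192.168.1.20 -> 192.168.1.10 is wrapped in tunnel-mode ESP (SPI, sequence number, padding, pad length, next header = 4 for IP-in-IP) and authenticated with HMAC-SHA1-96, the integrity algorithm listed for the VPN 3000, then given an outer header 203.16.5.19 -> 172.26.26.1 for routing across the Internet. The receiving gateway checks the outer header, verifies the ICV in constant time, runs the ESP anti-replay window and only then unwraps the inner packet. Because the standard library has no DES/3DES, the payload is carried as ESP with NULL encryption (RFC 2410), which is a real IPsec configuration; a DES-CBC or 3DES-CBC implementation would replace the inner packet and trailer with their ciphertext at the marked line. The HMAC key, SPI and payload are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50      # protocol number of ESP in the outer IPv4 header
IP_IN_IP = 4        # ESP next-header value in tunnel mode: the payload is a whole IPv4 packet
ICV_LEN = 12        # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = sum(struct.unpack(">10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack(">H", ~csum & 0xFFFF) + hdr[12:]


def ipv4_checksum_ok(hdr):
    csum = sum(struct.unpack(">10H", hdr[:20]))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return csum == 0xFFFF


class ReplayWindow:
    """Sliding anti-replay window on ESP sequence numbers (RFC 2401 style, 32 packets wide)."""

    def __init__(self, size=32):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:
            return False
        if seq > self.top:                      # newest packet so far: slide the window
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << (seq - self.top)) & mask) | 1
            self.top = seq
            return True
        if self.top - seq >= self.size:
            return False                        # older than the window: drop
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                        # already accepted once: replay
        self.bitmap |= bit
        return True


def esp_encapsulate(inner_packet, outer_src, outer_dst, spi, seq, auth_key):
    """Tunnel-mode ESP with NULL encryption and HMAC-SHA1-96:
    outer IP | SPI | seq | inner packet + padding + pad_len + next_header | ICV."""
    pad_len = (-(len(inner_packet) + 2)) % 8      # 8-byte alignment, as DES/3DES-CBC would need
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IP_IN_IP])
    body = struct.pack(">II", spi, seq) + inner_packet + trailer   # a real cipher would act here
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]  # ICV excludes the outer header
    esp = body + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def esp_decapsulate(packet, spi, auth_key, window):
    """Receiving gateway: check outer header and ICV, reject replays, recover the inner packet."""
    outer = packet[:20]
    if not ipv4_checksum_ok(outer) or outer[9] != ESP_PROTO:
        raise ValueError("not a well-formed ESP packet")
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: tampered or wrong key")
    pkt_spi, seq = struct.unpack(">II", body[:8])
    if pkt_spi != spi:
        raise ValueError("unknown SPI")
    if not window.check_and_update(seq):        # window advances only after the ICV verified
        raise ValueError(f"replayed or stale sequence number {seq}")
    payload = body[8:]
    pad_len, next_hdr = payload[-2], payload[-1]
    if next_hdr != IP_IN_IP:
        raise ValueError("not tunnel mode")
    inner = payload[:-(pad_len + 2)]
    addr = lambda b: str(ipaddress.IPv4Address(b))
    return {"outer": (addr(outer[12:16]), addr(outer[16:20])),
            "inner": (addr(inner[12:16]), addr(inner[16:20])),
            "inner_packet": inner}


def demo():
    """Client-to-LAN direction of Figure 5.6 with the thesis's addresses; key and payload constructed."""
    key = b"constructed-hmac-key"
    inner = ipv4_header("192.168.1.20", "192.168.1.10", 6, 5) + b"hello"
    pkt = esp_encapsulate(inner, "203.16.5.19", "172.26.26.1", spi=0x1000, seq=1, auth_key=key)
    window = ReplayWindow()
    first = esp_decapsulate(pkt, 0x1000, key, window)
    outcomes = []
    tampered = bytearray(pkt)
    tampered[30] ^= 1                                       # flip one payload bit in transit
    for candidate, win, k in ((pkt, window, key), (bytes(tampered), ReplayWindow(), key),
                              (pkt, ReplayWindow(), b"wrong-key")):
        try:
            esp_decapsulate(candidate, 0x1000, k, win)
            outcomes.append("accepted")
        except ValueError:
            outcomes.append("rejected")
    return first, outcomes                     # replay, tampering and a wrong key are all rejected
```

Two points worth noticing against the text above: the ICV is computed over the ESP header and payload but not over the outer IP header, which is why the outer addresses can be rewritten by NAT without breaking authentication; and the replay window is updated only after the ICV has verified, so an attacker who cannot forge ICVs cannot push the window forward and starve legitimate packets.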

[Figure: two VPN Concentrators with public IPs 172.26.26.1 and 203.16.5.19 and a tunnel across the Internet; application server 192.168.1.10 on one LAN, a PC with address 192.168.1.20 on the other. Packet: [outer IP header 203.16.5.19 <-> 172.26.26.1][ESP][inner IP header 192.168.1.10 <-> 192.168.1.20][DATA]]

Figure 5.8: LAN-to-LAN IPSec tunnel

CONCLUSION

VPN is a widely used technology today for providing secure and efficient connections that reach a company's internal resources from outside over the Internet. Although it uses a shared network infrastructure, the privacy of the data is preserved as if it were carried on a private network. This thesis studied the technical issues and implementation models of IP-VPN technology. Tunnelling is the foundation of IP-VPN, and within its scope the thesis presented the tunnelling protocols PPTP, L2TP and IPSec. PPTP and L2TP are tunnelling protocols developed on top of PPP; both are mature standards and products supporting them are fairly common. For applications that demand high data security, IPSec is the suitable protocol. IPSec supports the strongest authentication and encryption methods and is highly flexible, since it is not tied to any particular authentication or encryption method. It is regarded as the best protocol for IP-VPN and was examined in the most detail. In addition, the thesis presented several encryption, authentication and data integrity algorithms that are used together with IPSec. Today many vendors in Vietnam offer VPN solutions to businesses, each with its own VPN configuration. As businesses pay ever more attention to information security, IP-VPN promises to be a technology with strong growth potential. Telecommunication networks worldwide are moving towards IP and the next-generation network (NGN), and the integration of fixed and mobile networks is receiving attention and development. In future, IP-VPN will therefore be applied to mobile telephone networks, making telecommunication services very flexible, combining video, data and voice. This is also the direction in which this topic will be developed next. Despite my best efforts, IP-VPN technology has many implementation options and involves many complex protocols and algorithms, and with limited time and knowledge this thesis can hardly avoid shortcomings. I look forward to comments from teachers and friends so that the issues presented here can be corrected and extended.

Vinh, May 2009
Student: Bi Vn Nht
