© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Part I
Review of the 2011 employment situation in the IT and networking industry
[Chart: demand for network engineers, software engineers and hardware engineers, 2008-2011 (y-axis 0 to 3,500,000), with the year-on-year change labelled on each series]

In 2011 demand for software and hardware talent still grew rapidly, and demand for network engineers rose 20.4%.
[Chart: average salary in 2011 by years of work experience, software engineers vs network engineers; the unit is not stated on the slide]

Experience     Software engineer   Network engineer   Network vs software
≤2 years       3,268               3,627              +11%
3-5 years      5,234               5,584              +6.7%
>5 years       8,690               9,037              +4%

In 2011 the average salary of network engineers was 4%-11% higher than that of software engineers.
[Chart: Shanghai, Beijing, Shenzhen and Guangzhou; bars for IT practitioners, IT talent gap, network practitioners and network talent gap (y-axis 0 to 500,000). IT practitioners: Shanghai 432,485; Beijing 430,230; Shenzhen 287,575; Guangzhou 232,792]
[Chart: Chengdu, Wuhan, Hangzhou, Xi'an, Nanjing and Chongqing; bars for IT practitioners, IT talent gap, network practitioners and network talent gap (y-axis 0 to 200,000). IT practitioners: Chengdu 184,831; Wuhan 152,808; Hangzhou 144,021; Xi'an 128,758; Nanjing 126,511; Chongqing 113,315]
Over the next 5 years, worldwide:
● demand for wireless networking specialists will grow from 36% today to 66%
● demand for security specialists will grow from 46% today to 80%
● demand for voice specialists will grow from 40% today to 65%
Understanding the OSPF Database
Types of LSA
● LSA type 1, router link states: generated by every router; describes the state of that router's interfaces within a particular area.
● LSA type 2, network link states: generated by the DR on a broadcast multi-access network; represents all routers on that network.
● LSA type 3, summary net link states: generated by ABRs; summarizes the routes of non-backbone areas into area 0, and the routes of area 0 into the other areas, except totally stubby areas.
● LSA type 4, summary ASB link states: generated by ABRs; describes the reachability of an ASBR. Taking Figure 3-1 as an example, R2 generates a type 4 LSA into area 5, so the routers in area 5 learn that R4 is the exit to destinations outside the autonomous system. The link-state database of the area that contains the ASBR does not hold this LSA type, and stub areas (and therefore totally stubby areas) do not accept it.
Types of LSA
● LSA type 5, AS external link states: generated by ASBRs; describes routes to destinations outside the autonomous system. Stub areas, totally stubby areas and not-so-stubby areas do not accept this LSA type.
● LSA type 7, NSSA external link states: generated by an ASBR inside an NSSA and propagated only within that NSSA; the ABR translates it into a type 5 LSA and floods that into the backbone area.
show ip ospf database
(BSCI Chapter 3)
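Added example (not from the deck): a parser for the summary tables that `show ip ospf database` prints, counting LSAs by type and area and flagging any LSA originated by a router ID outside an allow-list, which is how an unexpected Type-5 default route from a rogue ASBR shows up in the database. The sample output, router IDs and function names are constructed for this example.

```python
"""Parse the summary output of `show ip ospf database`, count LSAs by type and
area, and flag LSAs whose advertising router is not on an allow-list."""
import re
from collections import Counter

# Constructed sample in the layout IOS prints: two routers in area 0 plus one
# external default route injected by a router (10.0.0.9) that should not be an ASBR.
SAMPLE = """\
            OSPF Router with ID (10.0.0.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.0.1        10.0.0.1        1200        0x80000003 0x00A1B2 2
10.0.0.2        10.0.0.2        1187        0x80000004 0x00B3C4 3

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
192.168.1.2     10.0.0.2        1187        0x80000001 0x00C5D6

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.5.0      10.0.0.2        900         0x80000002 0x00D7E8

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         10.0.0.9        15          0x80000001 0x00F1A2 0
"""

# Section headers as IOS prints them, mapped to the LSA type number.
LSA_TYPES = {
    "Router": 1,
    "Net": 2,
    "Summary Net": 3,
    "Summary ASB": 4,
    "Type-5 AS External": 5,
    "Type-7 AS External": 7,
}
SECTION_RE = re.compile(r"^\s*(.+?) Link States(?: \(Area (\S+)\))?\s*$")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ENTRY_RE = re.compile(rf"^({IP})\s+({IP})\s+(\d+)\s+(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)")


def parse_ospf_database(text):
    """One dict per LSA: type, area (None for AS-scoped type 5), link_id, adv_router, age, seq."""
    records, lsa_type, area = [], None, None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            lsa_type, area = LSA_TYPES.get(sec.group(1)), sec.group(2)
            continue
        ent = ENTRY_RE.match(line)
        if ent and lsa_type is not None:
            link_id, adv, age, seq, _checksum = ent.groups()
            records.append({"type": lsa_type, "area": area, "link_id": link_id,
                            "adv_router": adv, "age": int(age), "seq": int(seq, 16)})
    return records


def lsa_summary(records):
    """Count LSAs per (area, type); type 5 LSAs carry no area and count under None."""
    return Counter((r["area"], r["type"]) for r in records)


def foreign_advertisers(records, trusted_router_ids):
    """LSAs originated by a router ID that is not on the allow-list of known routers."""
    return [r for r in records if r["adv_router"] not in trusted_router_ids]


if __name__ == "__main__":
    recs = parse_ospf_database(SAMPLE)
    for (area, lsa_type), count in sorted(lsa_summary(recs).items(), key=str):
        print(f"area={area or 'AS'} type={lsa_type}: {count}")
    for r in foreign_advertisers(recs, {"10.0.0.1", "10.0.0.2"}):
        print(f"untrusted originator {r['adv_router']} for type-{r['type']} LSA {r['link_id']}")
```

The allow-list is the set of router IDs you expect to see as originators; run the same check on a `show ip ospf database` capture from each area and any type 5 or type 7 entry from an unknown originator is worth an immediate look, since that router is pulling traffic for whatever it advertises.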
Cryptography Fundamentals
● Encryption
● Key management
● Authentication
Secret Key Encryption Algorithms
● DES (data encryption standard)
● Triple DES
● Others: IDEA, Blowfish, CAST-128, ...
● Note: the 56-bit DES key has been brute-forced in practice since 1998 and 3DES is deprecated; AES is the current standard for new deployments
[Diagram: Sender encrypts Plaintext with DES/3DES under the Secret Key; the Ciphertext is transmitted; Receiver decrypts it with DES/3DES under the same Secret Key to recover the Plaintext]

Secret Key Exchange Requirement
● A secure and manageable scheme for secret key exchange and renewal is needed in an actual implementation: both ends must hold the same key before the first message is sent
Cryptography Fundamentals
● Encryption
● Key management
● Authentication
Secret Key Exchange
Diffie-Hellman Key Exchange (1976)
● Sender and Receiver preselect two public values
  ‒ p, a prime number; g, a primitive root of p
● Sender selects a private Xs
● Sender calculates and sends the public Ys = g^Xs mod p
● Receiver selects a private Xr
● Receiver calculates and sends the public Yr = g^Xr mod p
● Secret key = Yr^Xs mod p (at the Sender) = Ys^Xr mod p (at the Receiver)
  ‒ = g^(Xs·Xr) mod p
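Added example (not from the deck): the exchange above carried out in Python over the 1024-bit MODP group that the IKE slides later call group 2, together with the check a practitioner wants before trusting any received public value, and a demonstration of why an unauthenticated exchange needs IKE's authentication step. The prime is transcribed from RFC 2409 section 6.2 and validated by `check_group` before use; all function names are this example's own.

```python
"""Diffie-Hellman over the RFC 2409 1024-bit MODP group (IKE group 2), with
parameter and public-value checks, plus the man-in-the-middle that
authentication exists to stop."""
import secrets

# RFC 2409 "Second Oakley Group": p = 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }, g = 2
P_HEX = (
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 "
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 "
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED "
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF"
)
P = int(P_HEX.replace(" ", ""), 16)
G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; enough to validate a fixed group parameter before use."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group(p, g):
    """A safe prime (p = 2q + 1, q prime) and an in-range generator rule out the
    small-subgroup problems a hand-picked or corrupted group can carry."""
    return 1 < g < p - 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def private_value(p=P):
    return secrets.randbelow(p - 3) + 2             # X in [2, p-2]


def public_value(x, p=P, g=G):
    return pow(g, x, p)                              # Y = g^X mod p


def check_public(y, p=P):
    """Reject 0, 1 and p-1: each forces the 'secret' into a trivial value."""
    if not 1 < y < p - 1:
        raise ValueError("peer public value out of range")
    return y


def shared_secret(x_own, y_peer, p=P):
    return pow(check_public(y_peer, p), x_own, p)    # K = Y_peer^X_own mod p


def honest_exchange():
    """Sender (S) and Receiver (R) end up with the same K = g^(Xs*Xr) mod p."""
    xs, xr = private_value(), private_value()
    ys, yr = public_value(xs), public_value(xr)      # sent in the clear
    return shared_secret(xs, yr) == shared_secret(xr, ys)


def mitm_exchange():
    """Unauthenticated DH: an attacker M who replaces both public values in
    flight with her own shares one key with S and a different key with R."""
    xs, xr, xm = private_value(), private_value(), private_value()
    ys, yr, ym = public_value(xs), public_value(xr), public_value(xm)
    k_sender = shared_secret(xs, ym)                 # S believes ym came from R
    k_receiver = shared_secret(xr, ym)               # R believes ym came from S
    return {
        "endpoints_agree": k_sender == k_receiver,
        "m_shares_with_sender": shared_secret(xm, ys) == k_sender,
        "m_shares_with_receiver": shared_secret(xm, yr) == k_receiver,
    }


if __name__ == "__main__":
    print("group ok:", check_group(P, G))
    print("honest exchange agrees:", honest_exchange())
    print("mitm:", mitm_exchange())
```

Nothing in the exchange itself tells S that `ym` did not come from R; that binding is exactly what the IKE authentication methods (pre-shared key, RSA signatures) add on top of the Diffie-Hellman values. The public-value check matters on its own: a peer (or attacker) that sends 0, 1 or p-1 would otherwise drive the shared key to a value it already knows.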
Public Key Infrastructure (PKI)
● Certificate authority (CA)—an entity who issues public key certificates, and is trusted by all communicating parties
● CA can be public (VeriSign, Entrust, and so on) or private (in-house certificate servers)
● Public key certificate—an authenticated and verifiable (using CA’s public key) copy of one’s public key and other identity information
● Certificate revocation list (CRL)—a list of certificates that have been revoked (this list is maintained by CA)
Cryptography Fundamentals
● Encryption
● Key management
● Authentication
Authentication
● Fundamental objectives—to verify that:
‒The received message comes from the alleged source
‒The received message has not been altered
● Techniques are available to guard against packet insertion, deletion, delay, and replay
● Digital signatures can be used to prove the transmission and/or receipt of messages
● Authentication and encryption are different functions
Basic Authentication Techniques
§ Encryption—message encryptedby private key can serve as the authenticator
§ Message Authentication Code (MAC)
§ Hash functions
Message Authentication Code (MAC)
●A keyed public function that maps a message of any length into a fixed-length value
●Requires a secret key
●MAC can be built using encryption technology or hash functions
Message Authentication Code

[Diagram: Sender computes MAC(M) over message M with the shared Key and transmits M together with MAC(M); Receiver recomputes the MAC over the received M with the same Key and compares the two: Same? Y = Accept, N = Reject]

● A match between the received and the recomputed MAC at the receiving end verifies that the message has not been altered in transit
● Only a holder of the secret key could have generated it; since the receiver holds the same key, a MAC proves origin to the receiver but not to a third party
Hash Functions
●A public function that maps a message of any length into a fixed-length hash value
●No keys are involved in hash functions
●Hash by itself is not an authentication of originality
●Hash combined with encryption can provide authentication
Hash Functions

[Diagram: Sender computes H(M) over message M and transmits M together with H(M); Receiver recomputes the hash over the received M and compares: Same? Y = Accept, N = Reject]

● A match between the received and the recomputed hash at the receiving end shows only that M and H(M) were not changed independently of each other
● Anyone could have generated it, because the hash function itself is public and keyless: an attacker who alters M simply recomputes H(M), so a bare hash detects accidental corruption, not tampering
Hash Algorithms
● MD5 (message digest v5)
  ‒ Takes an input message of any length and processes it in successive 512-bit blocks
  ‒ Outputs a 128-bit message digest
● SHA-1 (secure hash algorithm 1)
  ‒ Based on the MD4 design
  ‒ Outputs a 160-bit message digest
  ‒ Stronger and computationally more expensive than MD5
● Others
● Practical collisions have since been demonstrated for both MD5 (2004) and SHA-1 (2017); neither should be used where collision resistance matters. Use SHA-2 (for example SHA-256) or SHA-3 in new designs.
HMAC (Hash-Based MAC)
● A popular class of MAC using hash functions such as MD5 and SHA-1, because
  ‒ Computationally more efficient than encryption
  ‒ Hash functions have no export restrictions
● A secret key is incorporated into the hash computation (RFC 2104) to produce the HMAC
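Added example (not from the deck) covering the MAC, hash-function and HMAC slides together: the same on-path tampering run against a bare hash and against an HMAC, in Python with the standard library only. The message, the key and the attacker's edit are constructed; SHA-256 stands in for the MD5 and SHA-1 named on the slides, and the function names are this example's own.

```python
"""Why a keyless hash is not an authenticator while an HMAC is."""
import hashlib
import hmac
import secrets


def hash_tag(message):
    """Public, keyless: anyone can recompute it for any message."""
    return hashlib.sha256(message).digest()


def hmac_tag(key, message):
    """Keyed: HMAC-SHA-256 per RFC 2104, via the hmac module."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hash(message, tag):
    return hmac.compare_digest(hash_tag(message), tag)


def verify_hmac(key, message, tag):
    # compare_digest does not leak the position of the first differing byte
    return hmac.compare_digest(hmac_tag(key, message), tag)


def on_path_attacker(message, forge_tag):
    """Alter the message in transit and attach a tag computed with whatever the
    attacker can compute; having no key, that is only the public hash."""
    altered = message.replace(b"amount=100", b"amount=9000")
    return altered, forge_tag(altered)


def demo():
    key = secrets.token_bytes(32)                     # known to sender and receiver only
    msg = b"transfer;to=acct-42;amount=100"

    # 1. Integrity via bare hash: attacker recomputes H(M'), receiver accepts.
    altered, forged = on_path_attacker(msg, hash_tag)
    hash_fooled = verify_hash(altered, forged)

    # 2. Integrity via HMAC: attacker has no key, so the best it can attach is a hash; receiver rejects.
    altered, forged = on_path_attacker(msg, hash_tag)
    hmac_fooled = verify_hmac(key, altered, forged)

    # 3. Untampered message with a genuine HMAC still verifies.
    genuine_ok = verify_hmac(key, msg, hmac_tag(key, msg))
    return {"hash_fooled": hash_fooled, "hmac_fooled": hmac_fooled, "genuine_ok": genuine_ok}


if __name__ == "__main__":
    print(demo())   # {'hash_fooled': True, 'hmac_fooled': False, 'genuine_ok': True}
```

The receiver-side comparison is done with `hmac.compare_digest` in both cases; a plain `==` on tags returns as soon as a byte differs, which lets a remote attacker learn a valid tag byte by byte from response timing.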
Digital Signatures
● To offer authentication, and
● To protect sender and receiver against each other in possible disputes:
  ‒ With a shared (common) MAC key the receiver could forge or alter a message and claim it came from the sender
  ‒ The sender could deny having sent a message (repudiation)
● Digital signature standard (DSS)
  ‒ Digital signature algorithm (DSA)
  ‒ DSA uses SHA and public key techniques for signature generation and verification
IPsec
● Security Architecture for the Internet Protocol, commonly known as IP Security (IPsec)
● IETF standard: RFC 2401 (since superseded by RFC 4301); RFC 2764 is the separate framework document for IP-based VPNs, not the IPsec architecture
● IPsec presents a comprehensive set of Layer 3 VPN components for IP networks
IPsec
● A set of IP security architecture and protocol standards
● Two IP security protocols
  ‒ Authentication header (AH)
  ‒ Encapsulating security payload (ESP)
● Internet key exchange (IKE)
  ‒ Negotiates IPsec attributes between peers
IPsec Modes

Original packet:      [IP HDR][Data]

Transport mode (original IP header kept; only the payload is protected):
  [IP HDR][IPsec HDR][Data]                 to be protected: Data

Tunnel mode (whole original packet carried behind a new IP header):
  [New IP HDR][IPsec HDR][IP HDR][Data]     to be protected: IP HDR + Data
Authentication Header

Transport mode:
  [IP HDR][AH][Data]                 authenticated: the entire packet, except the mutable fields of the IP header

Tunnel mode:
  [New IP HDR][AH][IP HDR][Data]     authenticated: the entire packet, except the mutable fields of the new IP header
Encapsulating Security Payload

Transport mode:
  [IP HDR][ESP HDR][Data][ESP Trailer][ESP Auth]
    encrypted:      Data + ESP Trailer
    authenticated:  ESP HDR through ESP Trailer (the IP header is not covered)

Tunnel mode:
  [New IP HDR][ESP HDR][IP HDR][Data][ESP Trailer][ESP Auth]
    encrypted:      IP HDR + Data + ESP Trailer
    authenticated:  ESP HDR through ESP Trailer (the new IP header is not covered)
AH versus ESP
● ESP encrypts; AH does not encrypt
● In transport mode, AH authenticates the entire packet; ESP authenticates only the payload, not the IP header
● In tunnel mode, AH authenticates the entire packet (inner + outer); ESP authenticates only the inner packet, not the outer IP header
● Consequences: AH breaks behind NAT, because the translated addresses lie inside its authenticated scope, while ESP (with UDP encapsulation) traverses NAT; and ESP should always be configured with an authentication transform, since encryption without integrity protection is malleable
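Added example (not from the deck or from IOS): the ESP authentication scope drawn above and the anti-replay window that `show crypto ipsec sa` later reports as "replay detection support: Y", in Python with the RFC 2404 HMAC-SHA-1-96 ICV that the esp-sha-hmac transform uses. The key, payload bytes and receive sequence are constructed; the cipher step is stood in for by opaque bytes because the integrity check, not DES, is the point here; and the function and class names are this example's own.

```python
"""ESP integrity coverage (RFC 2406 / RFC 2404) and the inbound anti-replay window."""
import hashlib
import hmac
import struct

ICV_LEN = 12            # HMAC-SHA-1-96: 160-bit HMAC truncated to 96 bits
WINDOW = 64             # RFC 2406 minimum anti-replay window


def esp_icv(auth_key, spi, seq, ciphertext):
    """The ICV covers SPI + sequence number + encrypted payload (incl. ESP trailer).
    The IP header in front of ESP is never included, which is why ESP, unlike AH,
    authenticates neither the original (transport) nor the outer (tunnel) IP header."""
    mac = hmac.new(auth_key, struct.pack("!II", spi, seq) + ciphertext, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_esp(auth_key, spi, seq, ciphertext):
    return struct.pack("!II", spi, seq) + ciphertext + esp_icv(auth_key, spi, seq, ciphertext)


def parse_esp(auth_key, packet):
    """Split SPI / seq / payload / ICV and verify the ICV before anything else is trusted."""
    spi, seq = struct.unpack("!II", packet[:8])
    body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, esp_icv(auth_key, spi, seq, body)):
        raise ValueError("ICV mismatch")
    return spi, seq, body


class ReplayWindow:
    """Sliding bitmap over the last WINDOW sequence numbers (RFC 2401 Appendix C).
    Bit 0 is the highest sequence number seen so far; bit i stands for last - i."""

    def __init__(self, size=WINDOW):
        self.size, self.last, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:                                  # seq 0 is never valid on the wire
            return False
        if seq > self.last:                           # new high-water mark: slide the window
            shift = seq - self.last
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.last = seq
            return True
        offset = self.last - seq
        if offset >= self.size:                       # older than the window: drop
            return False
        if self.bitmap & (1 << offset):               # already received: replay
            return False
        self.bitmap |= 1 << offset
        return True


def receive(auth_key, window, packet):
    """Inbound order: verify the ICV first, then consult the replay window, so an
    attacker cannot burn window slots with forged sequence numbers."""
    try:
        _spi, seq, _body = parse_esp(auth_key, packet)
    except ValueError:
        return "icv-fail"
    return "accept" if window.check_and_update(seq) else "replay"


if __name__ == "__main__":
    key = b"constructed-sha1-auth-key"               # constructed; real keys come from IKE
    spi = 0x1925112F                                  # the inbound ESP SPI shown in the deck's show output
    win = ReplayWindow()
    pkt = build_esp(key, spi, 1, bytes(range(32)))   # opaque stand-in for DES-CBC output
    print(receive(key, win, pkt), receive(key, win, pkt))   # accept replay
```

The counters `#pkts verify` and `#recv errors` in `show crypto ipsec sa` correspond to the two outcomes of `parse_esp` here; a rising `#recv errors` with a steady `#pkts verify` is either key mismatch or someone tampering with packets on the path.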
Internet Key Exchange (IKE)
● A hybrid protocol to negotiate keys and SAs in an authenticated and protected manner
● Two components:
  ‒ A framework for authentication and key exchange (ISAKMP), specifying packet formats for SA negotiation but not dictating any specific key exchange algorithm
  ‒ An authenticated key exchange (based on Diffie-Hellman, with added authentication and security features from the Oakley and SKEME techniques)
Attributes Negotiated by IKE
● Encryption algorithm
● Hash algorithm
● Authentication method
● Diffie-Hellman group
● IKE SA lifetime
● These are ISAKMP SA attributes for setting up the protected IKE channel over which the IPsec SAs are then negotiated
Six Basic Steps of IPSec VPN Configuration
●Define IKE policy
●Configure CA support or manual keys
●Define transform sets
●Create crypto access-list
●Create crypto maps
●Apply crypto maps to interfaces
IKE Policy
●A set of security parameters for protecting IKE negotiations and exchanging IPSec session keys
IKE Policy Command Syntax
● Router(config)# crypto isakmp policy priority
● Router(config-isakmp)# encryption des /* default */
● Router(config-isakmp)# hash [sha | md5] /* default = sha */
● Router(config-isakmp)# authentication [rsa-sig | rsa-encr | pre-share] /* default = rsa-sig */
● Router(config-isakmp)# group [1 | 2] /* default = 1 */
● Router(config-isakmp)# lifetime seconds /* default = 86400 */
● Router(config-isakmp)# exit
● Group 1 is a 768-bit modulus for Diffie-Hellman, Group 2 a 1024-bit modulus
● Neither default is acceptable today: current IOS releases accept encryption aes 256, hash sha256 and group 14 (2048-bit) or larger, and these should be set explicitly in every policy rather than inherited from the defaults
ISAKMP Identity
● The IKE identity used during negotiation can be either the IP address or the hostname (default is IP address)
● To set the ISAKMP identity:
  ‒ Router(config)# crypto isakmp identity [address | hostname]
● If hostname is used, make sure a DNS mapping or ip host configuration is in place
● The address option (default) is recommended
● All peering routers should be set the same way
Configure ISAKMP Key
● Router(config)# crypto isakmp key key-string address peer-address
● OR
● Router(config)# crypto isakmp key key-string hostname peer-hostname
Set IPsec Transform Command Syntax
● Router(config)# crypto ipsec transform-set name transform1 [transform2] [transform3] /* up to 3 */
● Router(cfg-crypto-trans)# mode [tunnel | transport] /* default = tunnel */
● Router(cfg-crypto-trans)# exit
● (Please refer to the Cisco IOS documentation for additional configuration commands, options, explanations, and examples)
Allowed Transforms
● Each transform set can have AH and/or ESP (with optional ESP authentication)
● For AH, select one of:
  ‒ ah-md5-hmac, ah-sha-hmac, ah-rfc1828
● For ESP, select one of:
  ‒ esp-des, esp-3des, esp-rfc1829
● For optional ESP authentication, select one of:
  ‒ esp-md5-hmac, esp-sha-hmac
● ah-rfc1828 (keyed MD5) and esp-rfc1829 (DES-CBC with no integrity check) are legacy transforms from the 1995 RFCs. Never pair an ESP cipher with no ESP authentication transform and no AH; on current IOS prefer esp-aes with esp-sha256-hmac
Crypto Access-Lists
● Same syntax as IP extended ACLs
  ‒ permit = protect: IPsec-transform the packet before transmission
  ‒ deny = no protection: just transmit the packet
● The same ACL, read in the mirror direction, also defines which inbound traffic must arrive protected; a packet that matches it but arrives in the clear is dropped
Crypto Map Command Syntax
● Router(config)# crypto map map-name seq-num ipsec-isakmp
● Router(config-crypto-map)# set peer [ip-address | hostname]
● Router(config-crypto-map)# set transform-set name1 [name2 ... name6]
● Router(config-crypto-map)# match address crypto-acl
● Router(config-crypto-map)# exit
● (Please refer to the IOS documentation for additional commands, the ipsec-manual and ipsec-dynamic options, further explanations, and examples)
Apply Crypto Map to Interface
● Router(config)# interface type number
● Router(config-if)# crypto map map-name
● Router(config-if)# exit
Example

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key sharedkey address 20.20.20.20
crypto ipsec transform-set auth2 esp-des esp-sha-hmac
crypto map test 10 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set auth2
 match address 133
interface Serial0
 ip address 20.20.20.21 255.255.255.0
 crypto map test
access-list 133 permit ip 50.50.50.0 0.0.0.255 60.60.60.0 0.0.0.255
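Added example (not Cisco tooling): a Python audit that reads an IOS IKE/IPsec configuration like the one above, applies the IKE policy defaults from the syntax slide (des, sha, rsa-sig, group 1, 86400 s) to anything a policy omits, and reports weak ciphers, hashes, DH groups, short pre-shared keys and transform sets that encrypt without integrity protection. SAMPLE_CONFIG is constructed after the deck's example, HARDENED_CONFIG is a constructed counterpart using keywords current IOS accepts, and the rule tables and function names are this example's own.

```python
"""Audit a Cisco IOS IKE/IPsec configuration for weak settings, including the
ones a policy picks up silently by leaving a sub-command at its default."""
import re

# Constructed after the example above: encryption and hash are left at their defaults.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key sharedkey address 20.20.20.20
crypto ipsec transform-set auth2 esp-des esp-sha-hmac
crypto map test 10 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set auth2
 match address 133
"""

# Constructed hardened counterpart.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
 lifetime 28800
crypto ipsec transform-set strong esp-aes 256 esp-sha256-hmac
"""

POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
WEAK_ENCRYPTION = {"des": "56-bit key, brute-forceable", "3des": "deprecated 64-bit block cipher"}
WEAK_HASH = {"md5": "MD5 is broken", "sha": "SHA-1; prefer sha256 or stronger"}
WEAK_GROUP = {"1": "768-bit MODP", "2": "1024-bit MODP", "5": "1536-bit MODP"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-rfc1829", "ah-rfc1828"}
MIN_PSK_LEN = 16


def parse_policies(config):
    """Map policy number -> settings, filling in defaults for omitted sub-commands.
    Works on running-config style (indented) and on the unindented slide style."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), dict(POLICY_DEFAULTS))
            continue
        parts = line.split()
        if current is not None and len(parts) >= 2 and parts[0] in POLICY_DEFAULTS:
            current[parts[0]] = " ".join(parts[1:])       # "encryption aes 256" -> "aes 256"
        elif line:
            current = None                                # any other command ends the policy block
    return policies


def parse_transform_sets(config):
    sets = {}
    for line in config.splitlines():
        m = re.match(r"\s*crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def audit(config):
    findings = []
    for num, pol in parse_policies(config).items():
        enc = pol["encryption"].split()[0]
        if enc in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {num}: encryption {pol['encryption']} ({WEAK_ENCRYPTION[enc]})")
        if pol["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {num}: hash {pol['hash']} ({WEAK_HASH[pol['hash']]})")
        if pol["group"] in WEAK_GROUP:
            findings.append(f"isakmp policy {num}: DH group {pol['group']} "
                            f"({WEAK_GROUP[pol['group']]}; prefer group 14 or stronger)")
    # Pre-shared keys: report the length only, never the key, so findings are safe to log.
    for m in re.finditer(r"^\s*crypto isakmp key (?:0 )?(\S+) (?:address|hostname) (\S+)", config, re.M):
        if len(m.group(1)) < MIN_PSK_LEN:
            findings.append(f"isakmp key for {m.group(2)}: only {len(m.group(1))} characters")
    for name, transforms in parse_transform_sets(config).items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: {t} is weak")
        encrypts = any(t.startswith("esp-") and "hmac" not in t for t in transforms)
        authenticates = any("hmac" in t or t.startswith("ah-") for t in transforms)
        if encrypts and not authenticates:
            findings.append(f"transform-set {name}: encryption without integrity protection")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", audit(HARDENED_CONFIG))   # []
```

Run it over `show running-config` output; the defaults table is the important part, because `show crypto isakmp policy` is the only place IOS itself shows you that a policy which never mentions encryption is negotiating DES.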
Verifying
wan2811#show crypto map tag test
Crypto Map "test" 10 ipsec-isakmp
Peer = 20.20.20.20
Extended IP access list 133
access-list 133 permit ip
source: addr = 50.50.50.0/0.0.0.255
dest: addr = 60.60.60.0/0.0.0.255
Current peer: 20.20.20.20
Session key lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform proposals={ auth2, }
Verifying (note that the policy shown here was configured with lifetime 240, which the example above omits)
wan2811#show crypto isakmp policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 240 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Verifying (this capture also lists AH SAs with ah-sha-hmac, so it was taken with a transform set that combines AH and ESP, not with auth2 from the example above)
wan2811#show crypto ipsec sa
interface: Serial0
Crypto map tag: test, local addr. 20.20.20.21
local ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (60.60.60.0/255.255.255.0/0/0)
current_peer: 20.20.20.20
PERMIT, flags={origin_is_acl,ident_is_ipsec,}
#pkts encaps: 320, #pkts encrypt: 320, #pkts digest 320
#pkts decaps: 320, #pkts decrypt: 320, #pkts verify 320
#send errors 0, #recv errors 0
local crypto endpt.: 20.20.20.21, remote crypto endpt.: 20.20.20.20
path mtu 1500, media mtu 1500
current outbound spi: 6625CD
inbound esp sas:
spi: 0x1925112F(421859631)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 11, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607971/3354)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
spi: 0x12050DD2(302321106)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 9, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607958/3354)
replay detection support: Y
outbound esp sas:
spi: 0x3262313(52830995)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 12, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607971/3354)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
spi: 0x6625CD(6694349)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 10, crypto map: test
sa timing: remaining key lifetime (k/sec): (4607958/3354)
replay detection support: Y