7/29/2019 Cong Nghe Mang Rieng Ao VPN 2-3-8015
1/20
GRADUATION PROJECT: NETWORK SYSTEMS
Topic:
Virtual Private Network (VPN) Technology:
Tunneling Protocols and Security
CHAPTER 2
VPN TUNNELING PROTOCOLS
A compulsory tunnel is created automatically, without any action by the user, and the user is given no choice in the matter. Because a compulsory tunnel is created without involving the user, it is transparent to the end user. A compulsory tunnel has a predetermined endpoint, located at the ISP's LAC, so this type of tunnel gives better access control than a voluntary tunnel: for security reasons the user can be denied access to the public Internet while still being allowed to use the Internet to reach the VPN.
One advantage of compulsory tunnels is that a single tunnel can carry multiple connections, which reduces the network bandwidth needed by multi-session applications. One drawback is that the connection from the LAC to the user lies outside the tunnel and is therefore exposed to attack.
Although the ISP could use a static setup to define tunnels for its users, this wastes network resources. An alternative that uses resources more efficiently is to set up tunnels dynamically. In L2TP, these dynamic tunnels are established by connecting to a RADIUS server.
For RADIUS to control the establishment of a tunnel, it must store the tunnel's attributes. These include the tunneling protocol used (PPTP or L2TP), the address of the server, and the transmission medium used inside the tunnel. Using a RADIUS server to establish compulsory tunnels has several advantages:
- Tunnels can be defined and checked on the basis of user authentication.
- Billing can be based on the caller's phone number or on other authentication methods.
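The three tunnel attributes named above (protocol, medium, server address) are carried in RADIUS as the tagged attributes of RFC 2868. The following added example, not part of the original thesis, encodes and decodes them the way an Access-Accept would carry them; the LNS address 192.0.2.10 is a constructed documentation address.

```python
import struct

# RFC 2868 attribute numbers and values (standard, not from this document)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
TUNNEL_TYPE_PPTP, TUNNEL_TYPE_L2TP = 1, 3
TUNNEL_MEDIUM_IPV4 = 1

def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer attribute: Type, Length=6, Tag, 3-octet value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_str(attr_type: int, tag: int, text: str) -> bytes:
    """Tagged string attribute: Type, Length, Tag, then the string bytes."""
    data = text.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def compulsory_tunnel_attrs(protocol: str, lns_address: str, tag: int = 1) -> bytes:
    """Attributes the RADIUS server returns so the LAC can build a
    compulsory tunnel: protocol, medium and LNS endpoint. The same tag
    on all three groups them as the description of one tunnel."""
    tunnel_type = {"PPTP": TUNNEL_TYPE_PPTP, "L2TP": TUNNEL_TYPE_L2TP}[protocol]
    return (tagged_int(TUNNEL_TYPE, tag, tunnel_type)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IPV4)
            + tagged_str(TUNNEL_SERVER_ENDPOINT, tag, lns_address))

def decode_tunnel_attrs(blob: bytes) -> dict:
    """Walk the TLV list (as a LAC would) and return the tunnel as a dict."""
    names = {TUNNEL_TYPE_PPTP: "PPTP", TUNNEL_TYPE_L2TP: "L2TP"}
    out, pos = {}, 0
    while pos < len(blob):
        attr_type, length, tag = struct.unpack("!BBB", blob[pos:pos + 3])
        value = blob[pos + 3:pos + length]
        if attr_type == TUNNEL_TYPE:
            out["protocol"] = names[int.from_bytes(value, "big")]
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            out["medium"] = int.from_bytes(value, "big")
        elif attr_type == TUNNEL_SERVER_ENDPOINT:
            out["lns"] = value.decode()
        out["tag"] = tag
        pos += length
    return out

if __name__ == "__main__":
    # Constructed example: an L2TP tunnel over IPv4 to LNS 192.0.2.10
    print(decode_tunnel_attrs(compulsory_tunnel_attrs("L2TP", "192.0.2.10")))
```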
a) Authentication and encryption in L2TP
User authentication in L2TP takes place in three phases: phase 1 takes place at the ISP, while phases 2 and 3 (the latter optional) take place at the private network's server.
In the first phase, the ISP uses the user's phone number or user name to determine which L2TP service is requested and initiates a tunnel connection to the private network server. Once the tunnel is established, the ISP's LAC assigns a new Call ID to identify the connection within the tunnel and initiates the session by forwarding the authentication information to the private network server. The private network server then carries out phase 2.
In phase 2, the private network server decides whether to accept or reject the call. The call forwarded from the ISP may carry CHAP, PAP or any other authentication information, and the server uses this information to decide whether to accept or reject it. Once the call is accepted, the server may start the optional third phase of authentication (re-establishing PPP). In this step the server behaves as if it were authenticating a user who had dialed in to it directly. The outcome of these three phases lets the user, the ISP and the private network server establish that the call is legitimate, but it still does not protect the data.
For authentication in L2TP to be effective, keys must be distributed. Although manual distribution may be feasible in some cases, in general a key management protocol is needed.
b) LAN-to-LAN tunnels
The original purpose of L2TP was dial-up VPN access using PPP clients, but L2TP is also suitable for LAN-to-LAN connections in a VPN.
A LAN-to-LAN tunnel is established between two L2TP servers, but at least one of the two servers must have a connection to an ISP to initiate the PPP session. Both servers act as both LAC and LNS, and can initiate or tear down the tunnel as needed.
Figure 2.18: LAN-to-LAN tunnel
c) Key management
When two parties want to exchange data securely and practically, they must be certain that both sides process the data in the same way. Both must use the same encryption algorithm, the same key length and the same data key. This is handled through a security association (SA).
2.1.1 Using L2TP
Because the main function of L2TP is dial-up VPN access over the Internet, the components of L2TP are: the network access server (NAS), the L2TP server and the L2TP clients. The most important elements of L2TP are the definitions of the tunnel endpoints, the LAC and the LNS. The LNS can be installed at the company itself and operated by a company team, while the LAC is usually provided by the ISP. The basic components of L2TP are shown in the figure:
Figure 2.19: Basic components of L2TP
a) L2TP network server
The L2TP server has two main functions: it acts as the endpoint of the PPTP tunnel, and it forwards packets arriving from the tunnel to the private LAN and vice versa. The server forwards packets to the destination host by processing the L2TP packet to obtain the destination host's network address.
Unlike a PPTP server, an L2TP server cannot filter packets. In L2TP, packet filtering is performed by the firewall. In practice, however, the network server and the firewall are integrated. This integration offers some advantages over PPTP:
- L2TP does not require a single fixed port to be assigned at the firewall, as PPTP does. The administrator can choose the port assigned at the firewall, which makes life harder for an attacker who tries to attack a well-known port when that port can change.
- The data stream and the control information are carried over the same UDP connection, so firewall configuration is simpler. Because some firewalls do not support GRE, they are more compatible with L2TP than with PPTP.
b) L2TP client software
If the ISP's equipment supports L2TP, no extra hardware or software is needed on the clients; a standard PPP connection is enough. However, with that setup IPSec encryption cannot be used. L2TP-compatible clients should therefore be used for an L2TP VPN.
Some characteristics of L2TP client software:
- Compatibility with the other IPSec components, such as the encryption server, the key exchange protocol, the encryption algorithm, and so on.
- A clear indication when IPSec is active.
- Support for downloading SAs.
- Hashing that can handle dynamic IP addresses.
- A key protection mechanism (encrypting keys with a password).
- A mechanism for automatic, periodic changes of the encryption keys.
- Complete blocking of non-IPSec traffic.
c) Network access servers
An ISP offering L2TP service must install a NAS that supports L2TP, serving L2TP clients running on different platforms such as Unix, Windows and Macintosh.
ISPs can also offer L2TP services without adding L2TP-capable equipment to their access servers, but this requires every user to have an L2TP client on their own machine. It allows users to use the services of several ISPs when their network is geographically widespread.
2.1.2 Practical applicability of L2TP
The choice of an L2TP service provider may vary with the network design requirements. If the VPN design requires end-to-end encryption, L2TP-compatible clients must be installed on the remote hosts, and the arrangement with the ISP is that encryption is handled from the remote machine all the way to the VPN server. If the network being built has a lower security level and higher fault tolerance, and only the data travelling through the tunnel across the Internet needs to be protected, then the arrangement with the ISP is for them to provide the LAC and to encrypt data only on the segment from the LAC to the private network's LNS.
L2TP is a new generation of dial-up access protocol for VPNs. It combines the best features of PPTP and L2F. Most PPTP product vendors have released L2TP-compatible products or will introduce them later.
Although L2TP mainly runs over IP networks, its ability to run over other networks such as Frame Relay and ATM makes it more widely applicable. L2TP allows a large number of remote clients to connect to the VPN, or supports high-capacity LAN-to-LAN connections. L2TP has a flow control mechanism that reduces congestion in L2TP tunnels.
L2TP allows multiple tunnels to be established between the same LAC and LNS. Each tunnel can be assigned to a specific user or to a group of users, and to different environments according to the user's quality of service (QoS) attributes.
2.2 IP Security Protocol - IPSEC
The original TCP/IP protocols have no built-in security features. In the early days of the Internet, when its users belonged to universities and research institutes, data security was not as important an issue as it is now that the Internet has become widespread, commercial applications are found everywhere on it, and its user base is much broader, including hackers.
To provide security in IP at the packet level, the IETF introduced the IPSec protocol suite. The first IPSec suite, used to authenticate and encrypt IP packets, was standardized as RFCs 1825 to 1829 in 1995. It describes the basic IPSec architecture, which comprises two types of header used in IP packets (the IP packet being the basic data unit of an IP network). IPSec defines two headers for IP packets to control authentication and encryption: the IP Authentication Header (AH), which handles authentication, and the Encapsulating Security Payload (ESP), which is intended for encryption.
IPSec is not a single protocol. It is a framework of open standard protocol sets that lets network administrators choose the algorithms, keys and authentication methods used to provide data authentication, data integrity and data confidentiality. IPSec is the choice for overall VPN security and the optimal option for corporate networks. It ensures reliable communication for applications over public IP networks.
IPSec creates secure tunnels across the Internet to carry data flows. Each secure tunnel is a pair of security associations that protect the data flow between two hosts.
IPSec was developed for the next-generation IP protocol, IPv6, but because IPv6 deployment was slow and IP packets needed protection, IPSec was adapted to IPv4. IPSec support is optional in IPv4, whereas in IPv6 it is built in.
2.2.1 The IPSec protocol framework
IPSec is a framework of open standards developed by the IETF.
Figure 2.20: Protocol framework used in IPSec
Some of the main protocols recommended when working with IPSec:
- IP security protocols (IPSec)
+ AH (Authentication Header)
+ ESP (Encapsulating Security Payload)
- Message encryption
+ DES (Data Encryption Standard)
+ 3DES (Triple DES)
- Message integrity functions
+ HMAC (Hash-based Message Authentication Code)
+ MD5 (Message Digest 5)
+ SHA-1 (Secure Hash Algorithm 1)
- Peer authentication
+ Rivest, Shamir and Adleman (RSA) digital signatures
+ RSA encrypted nonces
- Key management
+ DH (Diffie-Hellman)
+ CA (Certificate Authority)
- Security associations
+ IKE (Internet Key Exchange)
+ ISAKMP (Internet Security Association and Key Management Protocol)
IPSec is a set of open standards that work together to provide confidentiality, data integrity and authentication between peer devices. The peers may be pairs of hosts, pairs of security gateways (routers, firewalls, VPN concentrators, etc.), or a host and a security gateway, as in a remote-access VPN.
The two main IPSec protocols are AH (Authentication Header) and ESP (Encapsulating Security Payload).
- AH: provides authentication and integrity checking for the IP packets sent between two systems. It is a means of checking whether data was altered in transit. Because AH does not encrypt data, all data is sent in cleartext.
- ESP: a security protocol that provides data encryption, data origin authentication and data integrity checking. ESP ensures the confidentiality of information through encryption at the IP layer. All ESP traffic between the two systems is encrypted.
a) The AH protocol
AH format
Figure 2.21: AH packet format
+ Next header (8 bits): identifies the type of the payload that follows the AH. Its value is taken from the set of IP protocol numbers defined by IANA (TCP = 6; UDP = 17).
+ Payload length (8 bits): specifies the length of the AH in 32-bit (4-byte) units.
+ Reserved (16 bits): reserved for future use. It is set to 0 and is included in the computation of the Authentication Data.
+ Security Parameter Index (SPI):
- The SPI is an arbitrary 32-bit number which, together with the destination IP address and the security protocol in use, uniquely identifies the SA for this packet. SPI values 1 to 255 are reserved for future use. The SPI is usually chosen by the receiver when the SA is established. The SPI is a mandatory field.
- SPI value 0 is reserved for local use; it can be used to indicate that no SA exists yet.
+ Sequence number (SN):
- An unsigned 32-bit field containing a monotonically increasing counter value. The SN is mandatory even if the receiver does not perform the anti-replay service for a particular SA. Processing of the SN is up to the receiver: the sender must always transmit this field, but the receiver need not process it.
- The sender's and receiver's counters are both initialised to 0 when an SA is established (the first packet sent using the SA has SN = 1). If the anti-replay service is selected, the transmitted number must never repeat: a new SA (and hence a new key) must be established before the 2^32nd packet of an SA is sent.
+ Authentication Data:
A variable-length field containing an Integrity Check Value (ICV) for the packet. Its length is an integral multiple of 32 bits (4 bytes).
The field may contain explicit padding to ensure that the length of the AH header is an integral multiple of 32 bits (for IPv4) or 64 bits (for IPv6).
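An added example, not part of the original thesis, that builds and verifies the AH header described above with HMAC-SHA1-96 as the ICV. It follows RFC 4302, where Payload Len is the AH length in 32-bit words minus 2, and shows why the ICV still verifies after a router decrements the TTL: the mutable IPv4 fields are zeroed before hashing. The key, addresses and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(20))   # constructed 20-byte HMAC-SHA1 key (sample only)

def zero_mutable_ipv4(ip_hdr: bytes) -> bytes:
    """Zero the IPv4 fields that change in transit (TOS, flags/fragment
    offset, TTL, header checksum) so both ends hash identical bytes."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def build_ah(next_hdr: int, spi: int, seq: int, ip_hdr: bytes, payload: bytes) -> bytes:
    """AH = Next Header | Payload Len | Reserved | SPI | SN | ICV.
    With a 96-bit ICV the AH is 24 bytes = 6 words, so Payload Len = 6 - 2 = 4.
    The ICV is computed with its own field set to zero."""
    ah_no_icv = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
    to_auth = zero_mutable_ipv4(ip_hdr) + ah_no_icv + b"\x00" * 12 + payload
    icv = hmac.new(KEY, to_auth, hashlib.sha1).digest()[:12]
    return ah_no_icv + icv

def parse_ah(ah: bytes) -> dict:
    next_hdr, plen, _reserved, spi, seq = struct.unpack("!BBHII", ah[:12])
    icv_len = (plen + 2) * 4 - 12          # total AH length minus fixed part
    return {"next_header": next_hdr, "payload_len": plen, "spi": spi,
            "seq": seq, "icv": ah[12:12 + icv_len]}

def verify_ah(ip_hdr: bytes, ah: bytes, payload: bytes) -> bool:
    """Recompute the ICV over the zeroed-ICV header and compare in constant time."""
    fields = parse_ah(ah)
    to_auth = zero_mutable_ipv4(ip_hdr) + ah[:12] + b"\x00" * len(fields["icv"]) + payload
    expected = hmac.new(KEY, to_auth, hashlib.sha1).digest()[:12]
    return hmac.compare_digest(expected, fields["icv"])

def ttl_decremented(ip_hdr: bytes) -> bytes:
    """Simulate one router hop: TTL - 1 (the checksum is mutable too and not recomputed)."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    return bytes(h)

# Constructed IPv4 header: 192.0.2.1 -> 192.0.2.2, TTL 64, protocol 51 (AH)
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 24 + 5, 0x1234, 0x4000, 64,
                     51, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
PAYLOAD = b"hello"
AH = build_ah(6, 0x1000, 1, IP_HDR, PAYLOAD)   # next header 6 = TCP
```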
b) The ESP protocol
ESP format
Figure 2.22: ESP packet format
Where:
+ Security Parameter Index (SPI):
- The SPI is an arbitrary 32-bit number which, together with the destination IP address and the security protocol (ESP), uniquely identifies the SA for this packet. SPI values 1 to 255 are reserved for future use. The SPI is usually chosen by the receiver when the SA is established. The SPI is a mandatory field.
- SPI value 0 is reserved for local use; it can be used to indicate that no SA exists yet.
+ Sequence number (SN):
- An unsigned 32-bit field containing a monotonically increasing counter value (the SN). The SN is mandatory even if the receiver does not perform the anti-replay service for a particular SA. Processing of the SN is up to the receiver: the sender must always transmit this field, but the receiver need not process it.
- The sender's and receiver's counters are both initialised to 0 when an SA is established (the first packet sent using the SA has SN = 1). If the anti-replay service is selected, the transmitted number must never repeat: a new SA (and hence a new key) must be established before the 2^32nd packet of an SA is sent.
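The sequence-number rules given for AH and again for ESP (counter starts at 0, first packet is SN = 1, no reuse before 2^32, receiver-side anti-replay) are demonstrated in this added example, which is not part of the original thesis. The receiver uses the sliding bitmap window that RFC 4303 describes, with the 64-packet default; the SN lists fed to it are constructed.

```python
class SaSender:
    """Sender side of an SA: the counter starts at 0, so the first packet
    carries SN = 1; at 2**32 - 1 the SA is exhausted and must be rekeyed."""
    MAX_SN = 2**32 - 1

    def __init__(self):
        self.sn = 0

    def next_sn(self) -> int:
        if self.sn >= self.MAX_SN:
            raise RuntimeError("sequence number exhausted: establish a new SA")
        self.sn += 1
        return self.sn


class ReplayWindow:
    """Receiver-side anti-replay check with a sliding bitmap window."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest SN accepted so far
        self.bitmap = 0     # bit i set  =>  SN (top - i) already received

    def check_and_update(self, sn: int) -> bool:
        if sn == 0:
            return False                    # SN 0 is never transmitted
        mask = (1 << self.size) - 1
        if sn > self.top:                   # new highest SN: slide the window
            self.bitmap = ((self.bitmap << (sn - self.top)) & mask) | 1
            self.top = sn
            return True
        diff = self.top - sn
        if diff >= self.size:
            return False                    # older than the window: drop
        if (self.bitmap >> diff) & 1:
            return False                    # already seen: replayed packet
        self.bitmap |= 1 << diff            # late but new: accept and mark
        return True


def simulate(received_sns) -> list:
    """Run a list of received SNs through one window; True means accepted."""
    window = ReplayWindow()
    return [window.check_and_update(sn) for sn in received_sns]


if __name__ == "__main__":
    # Constructed arrival order: a replay of 2, a jump to 70, then 6 and 7
    print(simulate([1, 2, 3, 2, 70, 6, 7, 7, 0]))
```

SN 6 is rejected because it falls outside the 64-packet window once 70 has been seen, while SN 7 is still inside it and is accepted exactly once.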
+ Payload Data
A variable-length field containing the data described by the Next header. Payload Data is a mandatory field and its length is an integral number of bytes.
+ Padding
If the cipher in use requires the plaintext (cleartext) to be a whole number of blocks of bytes (as in a block cipher), the Padding field is used to extend the plaintext to the required size.
Padding is also needed to ensure that the encrypted data ends on a 4-byte boundary, clearly separated from the Authentication Data field.
Padding can additionally be used to hide the true length of the payload, although this use must be weighed against its effect on transmission bandwidth. The sender may add 0 to 255 padding bytes.
+ Pad length
Specifies the number of padding bytes added. Valid values are 0 to 255. Pad length is a mandatory field.
+ Next header (8 bits)
A mandatory field that identifies the type of data contained in Payload Data. Its value is taken from the set of IP Protocol Numbers defined by IANA.
+ Authentication Data
A variable-length field containing an Integrity Check Value (ICV) computed over the data of the entire ESP packet except the Authentication Data field itself. Its length depends on the authentication function chosen. The field is optional and is included only if the authentication service is selected for the SA in question. The authentication algorithm must specify the length of the ICV, the processing steps and the comparison rules needed to verify the packet's integrity.
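An added example, not part of the original thesis, that assembles and parses the ESP layout just described: SPI, SN, payload, padding to a whole number of 8-byte blocks (as for DES/3DES), Pad Length, Next Header and an HMAC-SHA1-96 ICV over everything except the ICV. To run without a cipher library it uses ESP-NULL (RFC 2410), so the "ciphertext" equals the plaintext; the key and payloads are constructed sample values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12                     # HMAC-SHA1-96: 20-byte digest truncated to 96 bits
KEY = b"constructed-auth-key"    # sample authentication key, not from the document

def build_esp(spi: int, seq: int, payload: bytes, next_hdr: int,
              block_size: int = 8) -> bytes:
    """ESP = SPI | SN | payload | padding | Pad Length | Next Header | ICV.
    Padding makes payload + padding + 2 trailer bytes a multiple of the
    cipher block size, which also puts the trailer on a 4-byte boundary."""
    pad_len = (-(len(payload) + 2)) % block_size         # 0..255 bytes
    padding = bytes(range(1, pad_len + 1))                # RFC 4303 default 1,2,3,...
    plaintext = payload + padding + bytes([pad_len, next_hdr])
    ciphertext = plaintext       # ESP-NULL: a real SA would encrypt here
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(KEY, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv

def parse_esp(pkt: bytes) -> dict:
    """Verify the ICV first, then use Pad Length to strip the trailer."""
    header, body, icv = pkt[:8], pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(KEY, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV mismatch: packet altered or wrong key")
    spi, seq = struct.unpack("!II", header)
    plaintext = body             # ESP-NULL
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    payload = plaintext[:len(plaintext) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "next_header": next_hdr,
            "payload": payload, "pad_len": pad_len}

def tampered_rejected(pkt: bytes) -> bool:
    """Flip one bit in the payload area and confirm parse_esp refuses it."""
    bad = bytearray(pkt)
    bad[8] ^= 0x01
    try:
        parse_esp(bytes(bad))
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    pkt = build_esp(0x2000, 1, b"hello", 6)       # 5-byte payload -> 1 pad byte
    print(len(pkt), parse_esp(pkt), tampered_rejected(pkt))
```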
c) Operation of AH and ESP in the two modes
Both AH and ESP can be applied to IP packets in two different ways, corresponding to two modes: Transport mode and Tunnel mode.
+ Transport mode:
Commonly used for connections between hosts, or between devices that function as hosts. For example, an IPSec gateway (which may be a Cisco IOS software router, a PIX Firewall or a Cisco VPN 3000 concentrator) can be treated as a host when an administrator accesses it for configuration or other management operations.
Transport mode protects the payload of the packet and provides security for the upper-layer protocols, but it does not protect the IP header, which is always sent in the clear.
In Transport mode, AH is inserted after the IP header and before the upper-layer protocols (TCP, UDP) or before any IPSec header that has already been inserted.
+ Tunnel mode:
Used between gateways such as routers, PIX Firewalls and concentrators. Tunnel mode is also commonly used when a host connects to one of these gateways to gain access to the networks controlled by that gateway, as when remote users dial in to a router or a concentrator.
Figure 2.23: IPv4 packet format before and after AH processing
Figure 2.24: IPv6 packet format before and after AH processing
Figure 2.25: IPv4 packet format before and after ESP processing