Cong Nghe Mang Rieng Ao VPN 2-3-8015 (Virtual Private Network Technology)


  • 7/29/2019 Cong Nghe Mang Rieng Ao VPN 2-3-8015

    1/20

GRADUATION THESIS: NETWORK SYSTEMS

Topic:

Virtual Private Network (VPN) Technology: Tunneling Protocols and Security

CHAPTER 2

VPN TUNNELING PROTOCOLS

A compulsory tunnel is created automatically, without any action by the user, and the user is given no choice in the matter. Because it is set up without the user's involvement, it is transparent to the end user. Its endpoints are fixed in advance, with the user-side endpoint at the ISP's LAC, so this type of tunnel gives better access control than a voluntary tunnel. For example, a security policy may deny users access to the public Internet while still letting them use the Internet to reach the VPN.

One advantage of a compulsory tunnel is that a single tunnel can carry many connections, which reduces the network bandwidth consumed by multi-session applications. A drawback is that the link from the user to the LAC lies outside the tunnel and is therefore exposed to attack.

Although the ISP could statically define a tunnel for each user, this wastes network resources. A more efficient alternative is to set up tunnels dynamically. In L2TP, such dynamic tunnels are established by consulting a RADIUS server.

For RADIUS to control tunnel establishment it must store the tunnel attributes. These include the tunnel protocol to use (PPTP or L2TP), the address of the tunnel server, and the transport medium over which the tunnel runs (the Tunnel-Type, Tunnel-Server-Endpoint and Tunnel-Medium-Type attributes standardized in RFC 2868). Using a RADIUS server to set up compulsory tunnels has several advantages:

- Tunnels can be defined and checked on the basis of user authentication.

- Billing can be based on the calling telephone number or on other authentication methods.
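The attributes the paragraph above describes are carried in RADIUS as tagged attribute-value pairs. The following is an added example (not code from the thesis) that encodes the RFC 2868 tunnel attributes a RADIUS server would return for a compulsory tunnel and decodes them back, grouping the attributes of one tunnel by their tag byte. The attribute numbers and value codes are those of RFC 2868; the server addresses are constructed:

```python
"""Encode and decode the RFC 2868 RADIUS tunnel attributes a RADIUS server
returns so that the LAC knows which compulsory tunnel to build.
Added example (not from the thesis); attribute numbers and values are RFC
2868's, the server addresses are constructed."""
import ipaddress
import struct

# Attribute types (RFC 2868 section 3)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_CLIENT_ENDPOINT = 66
TUNNEL_SERVER_ENDPOINT = 67
TUNNEL_PREFERENCE = 83
INTEGER_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PREFERENCE}
STRING_ATTRS = {TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT}

# Tunnel-Type and Tunnel-Medium-Type values
TUNNEL_TYPES = {1: "PPTP", 2: "L2F", 3: "L2TP"}
MEDIUM_TYPES = {1: "IPv4", 2: "IPv6"}
TUNNEL_TYPE_PPTP, TUNNEL_TYPE_L2TP = 1, 3


def _avp(attr_type, tag, value):
    """One tagged AVP: Type(1) Length(1) Tag(1) Value(n). Tags 1..31 group the
    attributes of one tunnel; tag 0 means "untagged"."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = bytes([tag]) + value
    if len(body) + 2 > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, len(body) + 2) + body


def encode_tunnel(tag, tunnel_type, server_endpoint, preference=None):
    """AVPs for one tunnel: Tunnel-Type and Tunnel-Medium-Type carry a 3-byte
    big-endian integer after the tag, Tunnel-Server-Endpoint a string. The
    medium type is derived from the address family of the endpoint."""
    addr = ipaddress.ip_address(server_endpoint)
    medium = 1 if addr.version == 4 else 2
    avps = _avp(TUNNEL_TYPE, tag, tunnel_type.to_bytes(3, "big"))
    avps += _avp(TUNNEL_MEDIUM_TYPE, tag, medium.to_bytes(3, "big"))
    avps += _avp(TUNNEL_SERVER_ENDPOINT, tag, str(addr).encode())
    if preference is not None:
        avps += _avp(TUNNEL_PREFERENCE, tag, preference.to_bytes(3, "big"))
    return avps


def decode_tunnels(data):
    """Walk a RADIUS attribute list and group the tunnel attributes by tag.
    Returns {tag: {"type": ..., "medium": ..., "server": ..., "preference": ...}}.
    Non-tunnel attributes are skipped; a bad length raises rather than letting
    the parser run off the end of the buffer."""
    tunnels = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type in INTEGER_ATTRS:
            if len(value) != 4:
                raise ValueError("integer tunnel attribute must be tag + 3 bytes")
            tag, num = value[0], int.from_bytes(value[1:], "big")
            entry = tunnels.setdefault(tag, {})
            if attr_type == TUNNEL_TYPE:
                entry["type"] = TUNNEL_TYPES.get(num, num)
            elif attr_type == TUNNEL_MEDIUM_TYPE:
                entry["medium"] = MEDIUM_TYPES.get(num, num)
            else:
                entry["preference"] = num
        elif attr_type in STRING_ATTRS:
            # For string attributes a first octet above 0x1F is data, not a tag.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            key = "server" if attr_type == TUNNEL_SERVER_ENDPOINT else "client"
            tunnels.setdefault(tag, {})[key] = text.decode()
    return tunnels
```

A LAC that receives several tags in one Access-Accept has several candidate tunnels; Tunnel-Preference orders them. The decoder deliberately rejects an attribute whose Length byte overruns the buffer instead of clamping it, since RADIUS attribute parsing is exactly where lenient length handling has caused memory-safety bugs in real servers.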

a) Authentication and encryption in L2TP

User authentication in L2TP takes place in three phases: phase 1 at the ISP, and phases 2 and 3 (the latter optional) at the private network's server.

In the first phase, the ISP uses the user's telephone number or user name to determine which L2TP service is being requested and initiates a tunnel to the private network's server. Once the tunnel is up, the ISP's LAC assigns a new Call ID to identify this connection within the tunnel and starts a session by forwarding the authentication information to the private network's server, which then carries out phase 2.

In phase 2, the private network's server decides whether to accept or reject the call. The call forwarded by the ISP may carry CHAP, PAP or any other authentication information, and the server bases its decision on it. Once the call is accepted, the server may start the optional third phase of authentication (PPP renegotiation); at this step the server authenticates the user exactly as if the user had dialled in to the server directly. The result of these three phases is that the user, the ISP and the private network's server can establish that the call is genuine, but the data itself is still not protected.

For authentication in L2TP to be effective, keys must be distributed. Manual key distribution may be feasible in some cases, but in general a key management protocol is required. In practice this is what L2TP/IPsec (RFC 3193) does: IKE negotiates the keys and IPsec ESP protects the L2TP traffic between the LAC and the LNS.

b) LAN-to-LAN tunnels

The original purpose of L2TP was dial-up VPN access using PPP clients, but L2TP is equally suited to LAN-to-LAN connections within a VPN.

A LAN-to-LAN tunnel is established between two L2TP servers, at least one of which must be connected to an ISP to initiate the PPP session. Both servers act as LAC and LNS at the same time and can initiate or tear down the tunnel as needed.

Figure 2.18: LAN-to-LAN tunnel

c) Key management

When two parties want to exchange data securely and practicably, they must be certain that both sides process the data in the same way: both must use the same encryption algorithm, the same key length and the same data key. This is handled through a Security Association (SA).

2.1.1 Using L2TP

Because the main function of L2TP is dial-up VPN access across the Internet, its components are: the network access concentrator, the L2TP server and the L2TP clients. The most important part of L2TP is the definition of the tunnel endpoints, the LAC and the LNS. The LNS can be installed at the company's own site and operated by a company team, while the LAC is usually provided by the ISP. The basic components of L2TP are shown in the figure:

Figure 2.19: Basic components of L2TP

a) L2TP network server

The L2TP server has two main functions: it terminates the L2TP tunnel, and it forwards packets arriving through the tunnel onto the private LAN and vice versa. The server delivers packets to the destination host by processing the L2TP packet to obtain the destination host's network address.

Unlike a PPTP server, an L2TP server has no packet-filtering capability; in L2TP, filtering is done by the firewall. In practice, however, the network server and the firewall are integrated. This integration offers some advantages over PPTP:

- L2TP does not require that a single fixed port be opened on the firewall, as PPTP does (the PPTP control channel runs on TCP port 1723). The administrator can choose which port to assign on the firewall, which makes life harder for an attacker who tries to target a well-known port, since that port may change.

- Data and control information travel over the same UDP port (1701 by default), so firewall configuration is simpler. Because some firewalls do not support GRE, which PPTP uses to carry its data, they are more compatible with L2TP than with PPTP.

b) L2TP client software

If the ISP's equipment supports L2TP, no special hardware or software is needed on the clients; a standard PPP connection suffices. With that arrangement, however, IPSec encryption cannot be used, so L2TP-compatible clients should be used for an L2TP VPN.

Some characteristics of L2TP client software:

- Compatibility with the other IPSec components: encryption server, key exchange protocol, encryption algorithms, etc.
- A clear indication to the user when IPSec is active.
- Support for downloading SAs.
- Hashing that copes with dynamic IP addresses.
- A key protection mechanism (keys encrypted under a password).
- Automatic, periodic rekeying.
- Complete blocking of non-IPSec traffic.

c) Network access servers

An ISP offering L2TP service must install an L2TP-capable NAS that supports L2TP clients running on different platforms such as Unix, Windows and Macintosh.

ISPs can also offer L2TP service without adding L2TP support to their access servers; this requires every user to run an L2TP client on their own machine. It lets users draw on the services of several ISPs when their network is geographically widespread.

2.1.2 Practical applicability of L2TP

The choice of L2TP service provider depends on the network design requirements. If the VPN design calls for end-to-end encryption, install L2TP-compatible clients on the remote hosts and agree with the ISP that encryption is handled all the way from the remote machine to the VPN server. If the goal is a network with a lower security level, higher fault tolerance, and protection of the data only while it crosses the tunnel over the Internet, agree with the ISP that it provides the LAC and encrypts data only on the segment from the LAC to the private network's LNS.

L2TP is a new generation of dial-up access protocol for VPNs, combining the best features of PPTP and L2F. Most vendors of PPTP products have released, or will release, L2TP-compatible products.

Although L2TP runs mainly over IP networks, its ability to run over other networks such as Frame Relay and ATM adds to its popularity. L2TP allows a large number of remote clients to connect to the VPN, or supports high-capacity LAN-to-LAN connections, and it has a flow-control mechanism that reduces congestion on the L2TP tunnel.

L2TP allows several tunnels to be set up between the same LAC and LNS. Each tunnel can be assigned to a particular user or group of users, and to different environments according to the users' quality-of-service (QoS) attributes.

2.2 IP Security Protocol (IPSec)

The original TCP/IP protocols had no built-in security features. In the early days of the Internet, when its users were universities and research institutes, data security was not as important as it is now that the Internet is ubiquitous, commercial applications are everywhere on it, and its user base is far wider and includes attackers.

To provide packet-level security in IP, the IETF introduced the IPSec protocol suite. The first IPSec suite, used for authenticating and encrypting IP datagrams, was standardized in RFCs 1825 through 1829 in 1995. These RFCs describe the basic IPSec architecture, including two kinds of header used in IP packets (the IP packet being the basic unit of data in an IP network). IPSec defines two header types that control authentication and encryption: the IP Authentication Header (AH), which handles authentication, and the Encapsulating Security Payload (ESP), intended for encryption. (The current specifications are RFC 4301 for the architecture, RFC 4302 for AH and RFC 4303 for ESP.)

IPSec is not a single protocol. It is a framework of open standard protocols that lets network administrators choose the algorithms, keys and authentication methods used to provide data authentication, data integrity and data confidentiality. IPSec is the choice for overall VPN security and the optimal option for a corporate network, ensuring reliable communication over public IP networks for applications.

IPsec creates secure tunnels across the Internet to carry data flows. Each secure tunnel is a pair of security associations protecting the data flow between two hosts.

IPSec was developed with the next-generation IP protocol, IPv6, in mind, but because IPv6 deployment was slow and IP packets needed protection, IPSec was adapted to IPv4. IPSec support is optional in IPv4, whereas it was built into IPv6 from the start (later IPv6 node-requirements RFCs relaxed mandatory IPsec support to a recommendation).

2.2.1 The IPSec protocol framework

IPSec is a framework of open standards developed by the IETF.

Figure 2.20: Protocol framework used in IPSec

Some of the main protocols recommended for use with IPSec:

- IP security protocols (IPSec)
+ AH (Authentication Header)
+ ESP (Encapsulating Security Payload)

- Message encryption
+ DES (Data Encryption Standard)
+ 3DES (Triple DES)

- Message integrity functions
+ HMAC (Hash-based Message Authentication Code)
+ MD5 (Message Digest 5)
+ SHA-1 (Secure Hash Algorithm 1)

- Peer authentication
+ RSA (Rivest, Shamir and Adleman) digital signatures
+ RSA encrypted nonces

- Key management
+ DH (Diffie-Hellman)
+ CA (Certificate Authority)

- Security associations
+ IKE (Internet Key Exchange)
+ ISAKMP (Internet Security Association and Key Management Protocol)

This list reflects the practice of its time. DES and HMAC-MD5 are now forbidden for IPSec and 3DES is discouraged (RFC 8221); current deployments use AES-GCM, or AES-CBC with HMAC-SHA-2, and negotiate keys with IKEv2 (RFC 7296).

IPSec is a set of open standards that work together to provide confidentiality, data integrity and authentication between peers. The peers may be pairs of hosts, pairs of security gateways (routers, firewalls, VPN concentrators, etc.), or a host and a security gateway, as in remote-access VPNs.

The two main IPSec protocols are AH (Authentication Header) and ESP (Encapsulating Security Payload).

- AH: provides authentication and integrity checking of the IP packets exchanged between two systems; it is a means of checking whether data was altered in transit. Since AH provides no encryption, the data is transmitted in the clear.

- ESP: a security protocol that provides data encryption, data origin authentication and data integrity checking. ESP ensures confidentiality by encrypting at the IP layer, and all ESP traffic between two systems is encrypted (unless the SA negotiates the NULL encryption algorithm of RFC 2410, in which case ESP provides only integrity and authentication).

a) The AH protocol: AH format

Figure 2.21: AH packet format

+ Next Header (8 bits): identifies the type of payload that follows the AH. Its value is taken from the IP protocol numbers assigned by IANA (TCP = 6, UDP = 17).

+ Payload Length (8 bits): the length of the AH in 32-bit (4-byte) units, minus 2 (RFC 4302). For the common case of a 96-bit ICV, the header is 12 bytes of fixed fields plus 12 bytes of ICV, i.e. 6 words, and the field holds 4.

+ Reserved (16 bits): reserved for future use. It is set to zero and is included in the Authentication Data computation.

+ Security Parameters Index (SPI):

- The SPI is an arbitrary 32-bit value which, together with the destination IP address and the security protocol (here AH), uniquely identifies the SA for this packet. SPI values 1 to 255 are reserved for future use. The SPI is normally chosen by the receiver when the SA is set up. The SPI is a mandatory field.

- SPI value 0 is reserved for local, implementation-specific use and may be used to indicate that no SA exists yet.

+ Sequence Number (SN):

- A 32-bit unsigned field holding a monotonically increasing counter. The SN is mandatory even if the receiver does not perform the anti-replay service for a given SA. SN processing is up to the receiver: the sender must always transmit this field, but the receiver need not process it.

- The sender's and receiver's counters are both initialized to 0 when an SA is established (the first packet sent on the SA carries SN = 1). If the anti-replay service is selected, the sender's counter must not be allowed to wrap: a new SA (and therefore a new key) must be established before the 2^32nd packet is sent on the SA.

+ Authentication Data:

A variable-length field holding the Integrity Check Value (ICV) for the packet. Its length is an integral multiple of 32 bits (4 bytes).

The field may include explicit padding to make the AH header a multiple of 32 bits (for IPv4) or 64 bits (for IPv6) long.
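The following is an added example (not code from the thesis) that puts the field descriptions above into practice for IPv4 transport mode: it packs and parses the AH with the "minus 2" Payload Length rule, rejects SPIs in the reserved range, and computes and verifies an HMAC-SHA1-96 ICV (RFC 2404) over the IP header with its mutable fields zeroed as RFC 4302 requires. The key, addresses and payload are constructed; sequence numbers are carried but not checked for replay here:

```python
"""Authentication Header (RFC 4302) in IPv4 transport mode with HMAC-SHA1-96
(RFC 2404): build and parse the header, and compute/verify the ICV with the
mutable IPv4 fields zeroed. Added example, not code from the thesis; the key,
addresses and payload are constructed. Sequence numbers are only carried,
not checked for replay, here."""
import hashlib
import hmac
import struct

IPPROTO_TCP = 6
IPPROTO_AH = 51
AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12        # HMAC-SHA1-96: 160-bit tag truncated to 96 bits


def build_ah(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    """Pack an AH. Payload Length is the AH length in 32-bit words MINUS 2, so
    a 24-byte header (12 fixed + 12 ICV) carries the value 4, not 6."""
    if not 256 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI 0 is local-use only and 1..255 are reserved")
    total = AH_FIXED_LEN + len(icv)
    if total % 4:
        raise ValueError("AH must be a multiple of 32 bits; pad the ICV")
    return struct.pack("!BBHII", next_header, total // 4 - 2, 0, spi, seq) + icv


def parse_ah(data):
    """Unpack an AH from the start of `data`; return (fields, icv, remainder)."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH")
    nh, plen, reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    total = (plen + 2) * 4
    if len(data) < total:
        raise ValueError("Payload Length points past the end of the packet")
    fields = {"next_header": nh, "reserved": reserved, "spi": spi, "seq": seq}
    return fields, data[AH_FIXED_LEN:total], data[total:]


def zero_mutable_ipv4(hdr):
    """Copy of a 20-byte IPv4 header with the fields RFC 4302 treats as mutable
    set to zero: TOS (DSCP/ECN), Flags + Fragment Offset, TTL, Header Checksum.
    Addresses, Total Length, Identification and Protocol (51) stay authenticated."""
    h = bytearray(hdr[:20])
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """HMAC-SHA1 over zeroed IP header | AH with zeroed ICV | payload,
    truncated to 96 bits."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    mac.update(zero_mutable_ipv4(ip_hdr))
    mac.update(ah_fixed + b"\x00" * ICV_LEN)
    mac.update(payload)
    return mac.digest()[:ICV_LEN]


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Constructed IPv4 header (no options). The checksum is left at 0: it is a
    mutable field and is zeroed for the ICV anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def protect(key, src, dst, payload, spi, seq, next_header=IPPROTO_TCP):
    """Transport mode: IP header (Protocol rewritten to 51) | AH | payload."""
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH,
                         20 + AH_FIXED_LEN + ICV_LEN + len(payload))
    ah_fixed = build_ah(next_header, spi, seq)[:AH_FIXED_LEN]
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify(key, packet):
    """Receiver: recompute the ICV and compare in constant time.
    Returns (ok, ah_fields)."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != IPPROTO_AH:
        raise ValueError("not an AH packet")
    fields, icv, payload = parse_ah(rest)
    expected = ah_icv(key, ip_hdr, rest[:AH_FIXED_LEN], payload)
    return hmac.compare_digest(icv, expected), fields
```

Because the source and destination addresses are inside the ICV, a router decrementing the TTL leaves the check intact while a NAT rewriting an address breaks it; this is the well-known reason AH does not traverse NAT and ESP is preferred for remote access.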

b) The ESP protocol: ESP format

Figure 2.22: ESP packet format

Where:

+ Security Parameters Index (SPI):

- The SPI is an arbitrary 32-bit value which, together with the destination IP address and the security protocol (ESP), uniquely identifies the SA for this packet. SPI values 1 to 255 are reserved for future use. The SPI is normally chosen by the receiver when the SA is set up. The SPI is a mandatory field.

- SPI value 0 is reserved for local, implementation-specific use and may be used to indicate that no SA exists yet.

+ Sequence Number (SN):

- A 32-bit unsigned field holding a monotonically increasing counter. The SN is mandatory even if the receiver does not perform the anti-replay service for a given SA. SN processing is up to the receiver: the sender must always transmit this field, but the receiver need not process it.

- The sender's and receiver's counters are both initialized to 0 when an SA is established (the first packet sent on the SA carries SN = 1). If the anti-replay service is selected, the sender's counter must not be allowed to wrap: a new SA (and therefore a new key) must be established before the 2^32nd packet is sent on the SA.

+ Payload Data

A variable-length field containing the data described by the Next Header field. Payload Data is mandatory and is an integral number of bytes long.

+ Padding

If the encryption algorithm requires the plaintext (cleartext) to be a multiple of some block size in bytes, as block ciphers do, the Padding field is used to bring the plaintext up to the required size.

Padding is also needed so that the ciphertext ends on a 4-byte boundary, which keeps the Pad Length and Next Header fields right-aligned and clearly separated from the Authentication Data.

Padding may additionally be used to conceal the true length of the payload, though this must be weighed against the extra transmission bandwidth it costs. The sender may add 0 to 255 padding bytes.

+ Pad Length

Specifies the number of padding bytes added. Valid values are 0 to 255. Pad Length is mandatory.

+ Next Header (8 bits)

A mandatory field identifying the type of data contained in the Payload Data. Its value is taken from the IP Protocol Numbers assigned by IANA.

+ Authentication Data

A variable-length field containing the Integrity Check Value (ICV), computed over the whole ESP packet except the Authentication Data field itself. Its length depends on the authentication function selected. The field is optional and is present only if the authentication service has been selected for the SA in question. The authentication algorithm must specify the ICV length, the processing steps, and the comparison rules used to verify the packet's integrity.
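The Sequence Number rules (in both the AH and the ESP field descriptions above) and the Padding / Pad Length / Next Header trailer are the parts of ESP that implementations most often get subtly wrong, so the following added example (not code from the thesis) implements them as RFC 4303 describes: a sender counter that refuses to wrap, a sliding anti-replay window driven by the received Sequence Number, and the trailer construction and validation applied to the plaintext. Encryption itself is left out and the payloads are constructed. This one block serves both the Sequence Number passages and the trailer fields:

```python
"""ESP (RFC 4303) mechanics implied by the field descriptions: the anti-replay
window driven by the Sequence Number, the sender counter that must be
exhausted before 2^32 packets, and the Padding / Pad Length / Next Header
trailer added to the plaintext. Added example, not code from the thesis;
encryption itself is left out and the payloads are constructed."""
import struct


class SenderCounter:
    """Per-SA transmit counter. Starts at 0 so the first packet carries 1, and
    refuses to wrap: that is the point at which a new SA (and key) is needed."""

    def __init__(self):
        self.seq = 0

    def next(self):
        if self.seq == 0xFFFFFFFF:
            raise RuntimeError("sequence space exhausted: establish a new SA first")
        self.seq += 1
        return self.seq


class ReplayWindow:
    """Sliding bitmap of the last `size` sequence numbers (RFC 4303 requires at
    least 32; 64 is common). `right` is the highest SN accepted; bit i of
    `bitmap` records whether SN right - i has been seen."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("window must be at least 32")
        self.size, self.right, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        """Return True and record `seq` if it is new and not too old; else False."""
        if seq == 0:
            return False                      # never a valid ESP sequence number
        if seq > self.right:                  # advances the window
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:
            return False                      # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset
        return True


def esp_header(spi, seq):
    """SPI and Sequence Number, the two cleartext words before the payload."""
    if not 256 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI 0 is local-use only and 1..255 are reserved")
    return struct.pack("!II", spi, seq)


def add_trailer(plaintext, next_header, block_size=16):
    """Append Padding, Pad Length and Next Header so the result is a multiple of
    the cipher block size (and so of 4, keeping Pad Length / Next Header
    right-aligned). Padding uses the default 1, 2, 3, ... pattern of RFC 4303."""
    if block_size % 4 or block_size > 256:
        raise ValueError("block size must be a multiple of 4 and at most 256")
    pad_len = (-(len(plaintext) + 2)) % block_size
    return plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def strip_trailer(padded):
    """Receiver-side inverse of add_trailer: checks Pad Length against the data
    and the default pad pattern, then returns (plaintext, next_header)."""
    if len(padded) < 2:
        raise ValueError("ESP plaintext shorter than its trailer")
    pad_len, next_header = padded[-2], padded[-1]
    if pad_len > len(padded) - 2:
        raise ValueError("Pad Length exceeds available data")
    if padded[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding does not match the default pattern")
    return padded[:-2 - pad_len], next_header
```

Two details matter operationally. The window must only be updated after the ICV has verified, otherwise a forged packet with a high Sequence Number could slide the window forward and make the legitimate sender's packets look like replays. And `strip_trailer` runs on decrypted data, so its Pad Length check is the guard that stops a corrupted or malicious trailer from indexing outside the buffer.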

c) Operation of AH and ESP in the two modes

Both AH and ESP can be applied to IP packets in two different ways, corresponding to two modes: Transport mode and Tunnel mode.

+ Transport mode:

Commonly used for connections between hosts, or between devices acting as hosts. For example, an IPSec gateway (an IOS software router, a PIX Firewall or a Cisco VPN 3000 concentrator) can be treated as a host when an administrator accesses it for configuration or other management operations.

Transport mode protects the payload of the datagram, providing security for the upper-layer protocols, but it does not protect the IP header, which is always sent in the clear. Strictly, this is true of ESP; AH in transport mode does authenticate the immutable fields of the IP header (addresses, Total Length, Identification, Protocol) and zeroes only the mutable ones (TOS/DSCP, Flags, Fragment Offset, TTL, checksum) when computing the ICV, which is also why AH cannot pass through NAT.

In Transport mode, the AH is inserted after the IP header and before the upper-layer protocol header (TCP, UDP) or any IPSec header already inserted.

+ Tunnel mode:

Used between gateways such as routers, PIX Firewalls and concentrators. Tunnel mode is also commonly used when a host connects to one of those gateways to gain access to the networks controlled by it, as when remote users dial in to a router or concentrator. In this mode the whole original IP packet, header included, is encapsulated and protected behind a new outer IP header whose addresses are those of the tunnel endpoints.
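The difference between the two modes is easiest to see in bytes. The following added example (not code from the thesis) encapsulates the same constructed IPv4/TCP packet in ESP transport mode and in ESP tunnel mode, using the real header layouts (IPv4 header, 8-byte ESP header of SPI and Sequence Number, trailer with Pad Length and Next Header), then walks the resulting protocol chain as a receiver would. Encryption and the ICV are omitted so the chain can be read; every address is constructed:

```python
"""Where ESP sits in transport mode versus tunnel mode for an IPv4 packet, with
real header layouts: the IP header, the 8-byte ESP header (SPI, Sequence
Number) and the trailer whose Next Header tells the receiver what follows
(6 = TCP in transport mode, 4 = IPv4-in-IPv4 in tunnel mode). Added example,
not code from the thesis; encryption and the ICV are omitted so the chain
can be walked, and every address below is constructed."""
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
PROTO_NAMES = {4: "IPv4", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


def ipv4_checksum(hdr):
    """One's-complement sum of the header's 16-bit words with checksum zeroed."""
    h = bytearray(hdr)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=1):
    """20-byte IPv4 header (DF set, no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_body(spi, seq, plaintext, next_header):
    """ESP header | plaintext | minimal padding to a 4-byte boundary | Pad Length |
    Next Header. A real SA pads to the cipher block size, encrypts from the
    plaintext through Next Header, and appends the ICV after that."""
    pad_len = (-(len(plaintext) + 2)) % 4
    return (struct.pack("!II", spi, seq) + plaintext + bytes(range(1, pad_len + 1))
            + bytes([pad_len, next_header]))


def esp_transport(inner, spi, seq):
    """Transport mode: keep the original IP header (Protocol -> 50, length and
    checksum refreshed), then ESP, then the upper-layer data. The original
    header stays visible, so only the upper layers are protected."""
    ihl = (inner[0] & 0x0F) * 4
    ip, upper = bytearray(inner[:ihl]), inner[ihl:]
    body = esp_body(spi, seq, upper, ip[9])
    ip[9] = IPPROTO_ESP
    ip[2:4] = struct.pack("!H", ihl + len(body))
    ip[10:12] = struct.pack("!H", ipv4_checksum(ip))
    return bytes(ip) + body


def esp_tunnel(inner, spi, seq, gw_src, gw_dst):
    """Tunnel mode: a new outer IP header between the two gateways, then ESP,
    then the WHOLE inner packet, header included. Next Header = 4 tells the
    receiver that an IPv4 packet follows."""
    body = esp_body(spi, seq, inner, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(body)) + body


def header_chain(pkt):
    """Walk the encapsulation as a receiver would (plaintext ESP) and name each
    layer, e.g. ['IPv4 a>b', 'ESP spi=0x1001 seq=7', 'TCP']."""
    chain, proto, data = [], IPPROTO_IPIP, pkt
    while True:
        if proto == IPPROTO_IPIP:
            ihl = (data[0] & 0x0F) * 4
            src = ".".join(map(str, data[12:16]))
            dst = ".".join(map(str, data[16:20]))
            chain.append(f"IPv4 {src}>{dst}")
            proto, data = data[9], data[ihl:]
        elif proto == IPPROTO_ESP:
            spi, seq = struct.unpack("!II", data[:8])
            pad_len, proto = data[-2], data[-1]
            chain.append(f"ESP spi={spi:#x} seq={seq}")
            data = data[8:len(data) - 2 - pad_len]
        else:
            chain.append(PROTO_NAMES.get(proto, str(proto)))
            return chain
```

In the tunnel-mode output the inner addresses appear only after the ESP layer, which is what an observer on the Internet cannot see once the body is encrypted; in transport mode the end hosts' addresses are the outer header and remain visible.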

Figure 2.23: IPv4 packet format before and after AH processing

Figure 2.24: IPv6 packet format before and after AH processing

Figure 2.25: IPv4 packet format before and after ESP processing