Lý thuyết_đề tài Ipsec_ipv6_windowserver2008


8/3/2019 Lý thuyết_đề tài Ipsec_ipv6_windowserver2008

ACADEMY OF CRYPTOGRAPHY TECHNIQUES - FACULTY OF INFORMATION TECHNOLOGY

BASIC INTERNSHIP PROJECT:

Deploying IPsec technology on the IPv6 protocol in a Windows Server 2008 environment

Supervisor: Nguyen Hong Viet
Students: Duong Van Tuyen, Nguyen Quoc Thuan, Nguyen Van Nhat
Class AT5C - Academy of Cryptography Techniques


Table of contents

Chapter I. Overview of Windows Server 2008
1. Introduction to Windows Server 2008
2. Technologies in Windows Server 2008
2.1. Web
2.2. Virtualization
2.3. Security
2.4. A unified platform for business workloads
3. Comparison of Windows, Linux and Unix systems
3.1 Windows vs. Linux (price, features, management, maintenance, security)
3.2 Windows vs. Unix (price, features, management, maintenance, security)

Chapter II. Overview of IPv6
1. Introduction to IPv6
2. IPv6 address types
2.1 Unicast Address
a. Global Unicast Address
b. Link-local Addresses
c. Site-Local Addresses
d. Unique Local Address
2.2 Anycast Address
2.3 Multicast Address
2.4 Special IPv6 addresses
3. The IPv6 header

Chapter III. Overview of IPsec
1. Overview
2. Security architecture
3. Current status
4. Design requirements
5. Modes
1. Transport mode
2. Tunnel mode
6. Protocols
6.1 Authentication Header (AH)
6.2 Encapsulating Security Payload (ESP)
7. Key exchange in IPsec - Key Exchange (IKE)
7.1 Key exchange in IPsec - Key Exchange (IKE)
7.1.1 ISAKMP phase 1
7.1.2 ISAKMP phase 2
7.2 IKE Modes

Chapter IV. Demo
(deploying IPsec on IPv6 in Windows Server 2008, using the tools Network Monitor and Wireshark to analyse packets)

Preface. IPv4 is running out, and the whole world is planning to move to the IPv6 address range so that it can serve the whole world. Imagine that the TV, the rice cooker, the air conditioner and so on could all be controlled remotely once they are given an IP address; IPv6 makes that possible. How is IPv6 secured? What happens when it is deployed on a Windows Server 2008 system? All of this is presented in detail in this project.

Chapter I. Overview of Windows Server 2008

1. Introduction to Windows Server 2008

Microsoft Windows Server 2008 is the next generation of the Windows Server operating system. It helps IT professionals take maximum control of their infrastructure and provides unprecedented manageability and effectiveness; it is a product that far surpasses earlier versions in security, reliability and the robustness of the server environment.

Windows Server 2008 delivers new value to organisations by ensuring that every user can obtain additional components from network services. It also provides many outstanding features inside the operating system and diagnostic capabilities, allowing administrators to spend more time supporting the business.

Windows Server 2008 builds on the success and strength of its predecessor, Windows Server 2003, and on the innovations in Service Pack 1 and Windows Server 2003 R2. Even so, Windows Server 2008 goes well beyond its predecessors.

Windows Server 2008 is designed to give organisations the best production platform for applications, networks and web services, from workgroups up to data centres, with new, valuable features and strong improvements to the base operating system.

Improvements to the Windows server operating system. In addition to new features, Windows Server 2008 provides many improvements to the base operating system compared with Windows Server 2003. The visible improvements include networking, enhanced security features, remote application access, centralised management of server roles, reliability and performance monitoring tools, failover clustering, deployment and the file system. These and many other improvements will help organisations maximise the flexibility, availability and control of their servers.

2. Technologies in Windows Server 2008

2.1. Web

2.2. Virtualization

2.3. Security

2.4. A unified platform for business workloads

3. Comparison of Windows, Linux and Unix systems

3.1 Windows vs. Linux (price, features, management, maintenance, security)

Windows Server vs. Red Hat Enterprise

Windows Server:
- TCO (cost of deployment and use): $199-$3919
  + Reduced maintenance and management time
- Reliability (stability):
  + Easy to configure and manage => more stable (standardised, provides strong basic administration tools)
  + Better compatibility and support from hardware vendors
- Security:
  + A security optimisation process that follows the design standards of a commercial product
  + Support from security vendors
- Choice:
  + From the world's largest independent software vendor
  + Widely used, many applications

Red Hat Enterprise:
- Cost of deployment and use: free, or $349-$18000
  + Support for this operating system is charged for (server, clustering, ...)
  + Installed by package (...)
  + Takes time to reconfigure later on (new versions, lack of consistency, no support)
  + Lacks support from security vendors (open source)
  + In 2006: Windows Server security vulnerabilities
  + Diverse applications for each type, supporting most small, medium and large companies
  + Reliability for large systems

Chapter II. Overview of IPv6

As we know, IPv4 uses 32 bits to represent an IP address. With these 32 bits about 4.3 billion different addresses can be assigned. But only a little over 10 years after its introduction, in the first half of the 1990s, the risk of running out of IP addresses appeared in a number of countries such as China and India.

IPv6 was created to solve that problem. With 128 bits it is 4 times larger than IPv4. This is an enormous address space, meant not only for the Internet but for all computer networks, telecommunication systems, control systems and even household appliances.

1. Introduction to IPv6

IPv6 is built into Windows XP and Windows Server 2003 and 2008 but is not yet widely used. Interest in IPv6 is currently growing, and some places in the world have in fact started deploying it. In this section the group gives an overview and shows how to deploy and set up a network with IPv6. An IPv6 address has 128 bits in total, divided into 2 parts: the first 64 bits are called the network part, the remaining 64 bits the host part. The network part identifies the subnet; it is assigned by ISPs or by large organisations such as IANA (Internet Assigned Numbers Authority). The host part is a random address derived from the 48 bits of the MAC address.

An IPv6 address has 128 bits, which makes it very hard to remember. To write an IPv6 address, the 128 bits are therefore divided into 8 groups, each occupying 2 bytes and written as 4 hexadecimal digits, with the groups separated by colons.

Example: FEDL:8435:7356:EADC:BA98:2010:3280:ABCD. Written out in full like this it looks neat enough, but it gives you a headache after a while, so the address needs to be simplified a little. Because IPv6 is a new address space we will not use all 128 bits, much like a newly released mobile prefix such as 0122: there are many numbers available and we can choose. IPv6 is the same; because it is new, there will be many leading zeros in the address, and these zeros can be dropped. A concrete example:

Address: 1088:0000:0000:0000:0008:0800:200C:463A -> You can write 0 instead of 0000, 8 instead of 0008 and 800 instead of 0800. The shortened address is 1088:0:0:0:8:800:200C:463A. That is already acceptable, but IPv6 has one more rule: consecutive groups of zeros can be collapsed into a double colon ::, so the address above can be written as 1088::8:800:200C:463A. From this example you can derive 2 rules:

- In an IPv6 address, leading zeros in a group can be dropped. For example 0800 is written as 800, and 0008 as 8.

- In an IPv6 address, consecutive groups of zeros can be abbreviated with :: (this applies only to a contiguous run of zero groups).
Example 1: FADC:BA98::7654:3210 -> an IPv6 address has 8 groups in total and 4 are shown, so the :: stands for 4 zero groups. The full form is FADC:BA98:0:0:0:0:7654:3210.
Example 2: FADC:BA98:7654:3210:: -> the full address is FADC:BA98:7654:3210:0:0:0:0.
Example 3: ::FADC:BA98:7654:3210 -> the full address is 0:0:0:0:FADC:BA98:7654:3210.

There are cases like this one: suppose the address is 0:0:0:AB65:8952:0:0:0. To shorten it there are 3 candidates:
1 ::AB65:8952::
2 ::AB65:8952:0:0:0
3 0:0:0:AB65:8952::
Only candidates 2 and 3 are correct. One more rule to remember in IPv6 is that the double colon may be used only once in an address. You must not write ::AB65:8952::, because it becomes ambiguous when expanded. For example, if you write ::AB65:8952::, the full address could be read as 0:0:AB65:8952:0:0:0:0 or as 0:0:0:0:AB65:8952:0:0.

Using IPv6 addresses in URLs. You can reach a website by name or by IP address. For example http://www.google.com.vn/ has the corresponding IPv4 address 64.233.167.104, so you can reach google.com.vn by typing http://64.233.167.104. In the same way you can reach a website by its IPv6 address, but it must be enclosed in a pair of {} brackets. Example: http://{FEDL:8435:7356:EADC:BA98:2010:3280:ABCD}. You can also add a port number to the URL. Example: http://{FEDL:8435:7356:EADC:BA98:2010:3280:ABCD}:80
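The two shortening rules and the one-'::' restriction above, as an added worked example that is not part of the original report: a Python implementation that expands and compresses addresses and enumerates every expansion an ambiguous shorthand could mean. Hex groups are written in upper case to match the report's examples.

```python
import re

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(addr):
    """Expand a textual IPv6 address into eight 4-digit hex groups.

    Applies the two rules from the text in reverse: a '::' stands for the
    missing run of zero groups, and dropped leading zeros are restored.
    Raises ValueError for malformed input, including a second '::'.
    """
    if addr.count("::") > 1:
        raise ValueError("'::' may be used only once: %s" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group: %s" % addr)
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, found %d: %s" % (len(groups), addr))
    for group in groups:
        if not HEX_GROUP.match(group):
            raise ValueError("bad hex group %r in %s" % (group, addr))
    return ":".join(group.zfill(4).upper() for group in groups)


def compress_ipv6(addr):
    """Shorten an address: drop leading zeros in every group and replace the
    longest run of two or more zero groups with '::' (leftmost run on a tie,
    as RFC 5952 recommends; a single zero group is left as '0')."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr).split(":")]
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, g in enumerate(groups + ["end"]):       # sentinel closes the final run
        if g == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
            continue
        if run_len > best_len:
            best_start, best_len = run_start, run_len
        run_len = 0
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def is_valid_ipv6(addr):
    """True when the text is a well-formed IPv6 address under the rules above."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def possible_expansions(addr):
    """Every full form a shorthand could mean.  A well-formed address yields
    exactly one; '::AB65:8952::' yields several, which is exactly why the
    text forbids a second '::'."""
    parts = addr.split("::")
    fixed = [p.split(":") if p else [] for p in parts]
    missing = 8 - sum(len(f) for f in fixed)
    if len(parts) == 1:
        return [expand_ipv6(addr)] if is_valid_ipv6(addr) else []
    results = []
    for zeros in _compositions(missing, len(parts) - 1):
        groups = list(fixed[0])
        for count, segment in zip(zeros, fixed[1:]):
            groups += ["0"] * count + segment
        results.append(":".join(g.zfill(4).upper() for g in groups))
    return results


def _compositions(n, k):
    """All ordered ways to split n into k positive integers."""
    if k == 1:
        return [(n,)] if n >= 1 else []
    return [(first,) + rest for first in range(1, n - k + 2)
            for rest in _compositions(n - first, k - 1)]
```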
2. IPv6 address types. IPv6 has the following main address types:

+ Unicast Address: identifies a single interface within the scope of unicast addresses. A packet whose destination is a unicast address is routed to exactly one interface.

+ Anycast Address: identifies a set of interfaces. A packet whose destination is an anycast address is routed to one of the interfaces sharing that anycast address, normally the nearest one, where "nearest" is determined by the routing protocol in use.

+ Multicast Address: identifies a set of interfaces. A packet whose destination is a multicast address is routed to all interfaces sharing that multicast address. Note that IPv6 has no broadcast address; its function is covered by the multicast address group.

In short: Unicast: delivered to one specific address. Multicast: delivered to all members of a group. Anycast: delivered to the nearest member of a group. We now look at each type in detail.

2.1 Unicast Address: divided into 4 groups.

a/ Global Unicast Address: this address type is used to support ISPs. Roughly speaking, it is like a public IPv4 address.

- 001: the first 3 bits always have the value 001
- TLA ID (Top Level Aggregation): identifies the highest-level provider in the hierarchy of service providers
- Res: unused
- NLA ID (Next Level Aggregation): identifies the next provider in the hierarchy of service providers
- SLA ID (Site Level Aggregation): identifies the sites that create the subnets
- Interface ID: the address of the interface within the subnet
b/ Link-local Addresses: this address type is used by hosts that want to communicate with other hosts on the same network. Every IPv6 interface has a link-local address. As the figure below shows:
- the first 10 bits are always 1111 1110 10
- the next 54 bits are 0
-> So in a link-local address the first 64 bits are a fixed, unchanging value (prefix fe80::/64)
+ the last 64 bits are the interface address
One thing to note: a router must not forward any packet whose source or destination address is a link-local address.

c/ Site-Local Addresses: site-local addresses are used inside an internal system (intranet), like the private IPv4 addresses (10.X.X.X, 172.16.X.X, 192.168.X.X). Their scope is the site.
- the first 10 bits are always 1111 1110 11 (prefix FEC0::/10)
- the next 54 bits are the Subnet ID
- the last 64 bits are the interface address

d/ Unique Local Address: a unique local address is routable between the subnets of a private network.
- 1111 1101: the first 8 bits are the fixed value FD00::/8
- the next 40 bits are the Global ID, the site address (Site ID); it can be assigned freely
- the next 16 bits are the Subnet ID, the subnet address within the site; 65,536 subnets can be created in one site
- the last 64 bits are the interface address

2.2 Anycast Address: an anycast address is a special address that can be assigned to many interfaces; a packet sent to an anycast address is delivered by the routing system to the nearest interface. Anycast addresses are used very little today and very few documents describe how to use them. Anycast addresses are almost only assigned to routers, not to hosts, because at present they are used only for load balancing. Example: a network service provider has many customers who want to reach a service from many different places. To save money the provider keeps a single central server for everyone and builds many routers connecting customers to that central server, so each customer has several paths to the service. The provider assigns an anycast address to the interfaces of the routers connected to the central server; now each customer only has to remember and connect to one anycast address and is automatically connected to the server through the nearest router. This really is a simple and effective solution. Anycast addresses can be confusing when you first study them: assigned to a single interface, the address behaves exactly like a unicast address, but assigned to many interfaces it looks like a multicast address.

2.3 Multicast Address: the concept of a broadcast address no longer exists in IPv6. Every function of the IPv4 broadcast address is taken over by IPv6 multicast addresses. A multicast address resembles a broadcast address in that the destination of the packet is a group of machines on a network, but not all of them. While broadcast delivers directly to every host in a subnet, multicast delivers only to a defined group of hosts, and those hosts may belong to different subnets. A host can choose whether or not to join a particular multicast group (usually through the Internet Group Management Protocol), whereas with broadcast every host is a member of the broadcast group whether it wants to be or not.

2.4 Special IPv6 addresses:

a. IPv4-Compatible Address (IPv4CA): Format: 0:0:0:0:0:0:w.x.y.z, where w.x.y.z is an IPv4 address. Example: 0:0:0:0:0:0:0:192.168.1.2
An IPv4CA is the compatibility address of an IPv4/IPv6 node. When an IPv4CA is used as the IPv6 destination, the packet is encapsulated with an IPv4 header so that it can be carried over an IPv4 network.

b. IPv4-mapped address (IPv4MA): Format: 0:0:0:0:0:FFFF:w.x.y.z (::FFFF:w.x.y.z), where w.x.y.z is an IPv4 address. Example: 0:0:0:0:0:FFFF:192.168.1.2. An IPv4MA is the address of an IPv4-only node. For an IPv6 node an IPv4MA is informational only and is not used as a source or destination address.

c. 6to4 Address: an address used for communication between IPv4/IPv6 nodes across an IPv4 routing infrastructure. A 6to4 address is formed from a 64-bit prefix as follows: Prefix = 2002/16 + 32-bit IPv4 address = 64 bits. The 6to4 address is a tunnelling address defined by RFC 3056.
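The address categories of section 2, as an added example that is not part of the report: a Python classifier built on the standard ipaddress module that recognises the link-local, site-local, unique local, 6to4, IPv4-mapped and IPv4-compatible forms described above, extracts the bit fields the text lists for each, and applies the rule that routers never forward link-local traffic. The multicast ff00::/8 and global unicast 2000::/3 prefixes are standard allocations assumed here, not taken from the text.

```python
import ipaddress

MASK32, MASK40, MASK54, MASK64 = (1 << 32) - 1, (1 << 40) - 1, (1 << 54) - 1, (1 << 64) - 1


def classify_ipv6(text):
    """Return (category, embedded IPv4 address or None) for an IPv6 address."""
    addr = ipaddress.IPv6Address(text)
    n = int(addr)
    if n == 0:
        return ("unspecified", None)
    if n == 1:
        return ("loopback", None)
    if addr in ipaddress.IPv6Network("::ffff:0:0/96"):       # ::FFFF:w.x.y.z
        return ("ipv4-mapped", str(ipaddress.IPv4Address(n & MASK32)))
    if addr in ipaddress.IPv6Network("::/96"):               # ::w.x.y.z
        return ("ipv4-compatible", str(ipaddress.IPv4Address(n & MASK32)))
    if addr in ipaddress.IPv6Network("2002::/16"):           # 2002: followed by the 32-bit IPv4
        return ("6to4", str(ipaddress.IPv4Address((n >> 80) & MASK32)))
    if addr in ipaddress.IPv6Network("fe80::/10"):
        return ("link-local", None)
    if addr in ipaddress.IPv6Network("fec0::/10"):
        return ("site-local", None)
    if addr in ipaddress.IPv6Network("fd00::/8"):
        return ("unique-local", None)
    if addr in ipaddress.IPv6Network("ff00::/8"):            # standard multicast prefix (assumed)
        return ("multicast", None)
    if addr in ipaddress.IPv6Network("2000::/3"):            # first three bits 001 (assumed)
        return ("global-unicast", None)
    return ("other", None)


def split_fields(text):
    """Break an address into the bit fields the text lists for its category."""
    category, _ = classify_ipv6(text)
    n = int(ipaddress.IPv6Address(text))
    fields = {"category": category, "interface_id": n & MASK64}
    if category == "link-local":
        # 10-bit prefix followed by 54 zero bits: the first 64 bits must be exactly fe80::/64
        fields["fixed_prefix_ok"] = (n >> 64) == 0xFE80000000000000
    elif category == "site-local":
        fields["subnet_id"] = (n >> 64) & MASK54      # 54-bit Subnet ID
    elif category == "unique-local":
        fields["global_id"] = (n >> 80) & MASK40      # 40 bits after the FD byte
        fields["subnet_id"] = (n >> 64) & 0xFFFF      # 16 bits: up to 65,536 subnets per site
    return fields


def router_may_forward(src, dst):
    """The text's rule for routers: never forward a packet whose source or
    destination address is link-local."""
    return "link-local" not in (classify_ipv6(src)[0], classify_ipv6(dst)[0])
```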

3. The IPv6 header

IPv6 is an upgrade of IPv4; as the figure shows, the Flow Label field and the extension headers are the fields newly added in IPv6. The basic fields of the IPv6 header:

Version (4 bits): the version of the IP protocol. This field holds the value 6, unlike the value 4 of IPv4.

Traffic Class (8 bits): this field has the same function as the Type of Service (ToS) field in IPv4. It marks the IPv6 packet with a Differentiated Services Code Point (DSCP); once a packet is marked with a DSCP, routers know how it should be prioritised.

Flow Label (20 bits): this field marks the flow a packet belongs to and helps routers forward the packet consistently from source to destination. The Flow Label gives IPv6 better support for implementing QoS.

The notion of a flow: a flow is a sequence of packets sent from one source to a particular destination (unicast or multicast). The source asks the routers to give special handling to the packets of a flow. How the packets should be handled may be conveyed to the router by a control procedure, or by information carried in the flow's packets themselves, for example in the packet's hop-by-hop extension header. There may be many flows between one source and one destination. The combination of the source address and a non-zero flow label uniquely identifies a flow. Packets that do not belong to any flow have all Flow Label bits set to 0. Every packet of the same flow must be sent with the same source address, the same destination address and the same non-zero flow label. A router handling the packets sets up handling state for a given label and may choose to cache it, using the source address and flow label as the key; for subsequent packets with the same source address and flow label the router can apply the handling recorded in the cache. An IPv6 source can use the 20-bit flow label in the IPv6 header to identify packets sent in a particular flow and request special handling from routers, for example a non-default quality of service or a real-time service. At present the use of this field for QoS is still experimental and its standardisation is incomplete; there is no common structure for using it yet. The IETF is continuing to standardise it and to set clearer requirements for Internet support of the Flow Label. Many routers and hosts do not yet support the label field; those routers and hosts set all bits of the field to 0 and ignore it in received packets.

Payload Length (16 bits): gives the length of the data following the IPv6 header.

Next Header (8 bits): this field identifies the kind of data following the basic IPv6 header. It may be an upper-layer protocol such as TCP or UDP, or it may be an extension header. This field corresponds to the Protocol field of IPv4.

IPv6 extension headers are optional and may follow the basic IPv6 header. An IPv6 packet may have none, one or several extension headers. As the figure ..... shows, when several extension headers are used in an IPv6 packet they form a chain of headers, each identified by the Next Header field of the header before it. On the way from source to destination, intermediate nodes are not allowed to process the extension headers until the packet reaches its destination, or destinations (in the multicast case), with a few exceptions. The headers must also be processed in exactly the order in which they appear in the IPv6 packet; the destination must never scan the whole packet and pick out some header to process first. The exception just mentioned is the Hop-by-Hop extension header. The presence of a Hop-by-Hop extension header forces the packet to be examined by every intermediate node on the path from source to destination, including the source and destination themselves. For that reason the Hop-by-Hop extension header must always come directly after the IPv6 header. Its presence is signalled by the value 0 in the Next Header field of the IPv6 header.

- Hop by Hop: the extension header placed first, directly after the basic header. It is used to specify certain parameters at each hop on the packet's path from source to destination, and is therefore processed at every router along the way.

- Destination: used to specify delivery parameters at the next destination or the final destination on the packet's path. If the packet carries a Routing extension header, the Destination extension header carries parameters to be processed at each intermediate destination; otherwise its contents are the parameters to be processed at the final destination.

- Routing: determines the routing path of the packet. If the packet is to be sent along a specific path (rather than the path chosen by the routing algorithms), the IPv6 source node can use the Routing extension header to specify the path by listing the addresses of the routers the packet must pass through. The addresses in this list are used in turn as the destination address of the IPv6 packet, in the order listed, and the packet is sent from router to router according to the list in the Routing extension header.

- Fragment: the Fragment extension header carries information supporting the fragmentation and reassembly of IPv6 packets; it is used when an IPv6 source sends a packet larger than the smallest MTU (Maximum Transmission Unit) on the whole path from source to destination. In IPv4 every router on the path had to fragment packets according to the MTU set on each interface, which reduced router performance. In IPv6, therefore, routers do not fragment packets; this is done at the sending source. The IPv6 source node runs an algorithm to find the smallest MTU over a given path from source to destination (called the Path MTU) and adjusts the packet size accordingly before sending. If the source applies this method it sends data of optimal size and no processing is needed at the IP layer. If an application does not use this method, however, it must split up packets larger than the Path MTU; in that case the packets have to be fragmented at the IP layer of the source node, and the Fragment extension header carries the information needed to fragment and reassemble the IPv6 packet at the ends of the connection.

- Authentication and Encapsulating Security Payload: in IPv6, implementing IPsec is considered mandatory. Whether IPsec is used depends on the case. When IPsec is used, the IPv6 packet needs the Authentication and Encryption forms of extension header. The Authentication extension header is used to authenticate and protect the integrity of the data. The Encryption extension header identifies the information related to encrypting the data.
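The fixed header and the Next Header chain just described, as an added example that is not part of the report: a Python parser that decodes the base header, walks the extension headers in order, stops at ESP (whose contents are encrypted) and enforces the rule that Hop-by-Hop may only stand directly after the IPv6 header, run over a constructed packet. The protocol numbers 43, 44 and 60 for the Routing, Fragment and Destination headers are the standard IANA values, not taken from the text.

```python
import struct

# Next Header values.  0 (Hop-by-Hop), 50 (ESP) and 51 (AH) appear in the text;
# the others are the standard IANA protocol numbers.
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = \
    0, 6, 17, 43, 44, 50, 51, 58, 59, 60
NAMES = {HOP_BY_HOP: "Hop-by-Hop", TCP: "TCP", UDP: "UDP", ROUTING: "Routing",
         FRAGMENT: "Fragment", ESP: "ESP", AH: "AH", ICMPV6: "ICMPv6",
         NO_NEXT: "No Next Header", DEST_OPTS: "Destination"}


def parse_base_header(pkt):
    """Decode the fixed 40-byte IPv6 header (version, traffic class, flow label,
    payload length, next header, hop limit, source, destination)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first >> 28
    if version != 6:
        raise ValueError("not an IPv6 packet (version %d)" % version)
    return {
        "version": version,
        "traffic_class": (first >> 20) & 0xFF,   # DSCP/ECN, the IPv4 ToS equivalent
        "flow_label": first & 0xFFFFF,           # 20 bits; 0 means 'not in any flow'
        "payload_length": payload_len,           # bytes after the 40-byte header
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": pkt[8:24].hex(),
        "dst": pkt[24:40].hex(),
    }


def walk_header_chain(pkt):
    """Follow the Next Header chain and return [(name, offset, length), ...].

    Stops at the upper-layer protocol, or at ESP: its payload and its own Next
    Header value are encrypted (the latter sits in the ESP trailer), so the
    chain cannot be followed any further in the clear.  Enforces the text's
    rule that Hop-by-Hop may only appear directly after the IPv6 header.
    """
    base = parse_base_header(pkt)
    end = 40 + base["payload_length"]
    if end > len(pkt):
        raise ValueError("payload length exceeds the captured bytes")
    chain, nh, off = [], base["next_header"], 40
    while True:
        if nh == HOP_BY_HOP and off != 40:
            raise ValueError("Hop-by-Hop header at offset %d, not first" % off)
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS, FRAGMENT, AH) and off + 8 > end:
            raise ValueError("truncated extension header")
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
            next_nh, ext_len = pkt[off], pkt[off + 1]
            length = (ext_len + 1) * 8      # Hdr Ext Len: 8-octet units, not counting the first
        elif nh == FRAGMENT:
            next_nh, length = pkt[off], 8   # fixed-size header
        elif nh == AH:
            next_nh, ah_len = pkt[off], pkt[off + 1]
            length = (ah_len + 2) * 4       # AH Payload Len: 32-bit words minus 2
        else:
            chain.append((NAMES.get(nh, "protocol %d" % nh), off, end - off))
            return chain
        if off + length > end:
            raise ValueError("extension header runs past the payload")
        chain.append((NAMES[nh], off, length))
        nh, off = next_nh, off + length


def is_well_formed(pkt):
    """True when the header chain parses without violating any check above."""
    try:
        walk_header_chain(pkt)
        return True
    except ValueError:
        return False


def build_sample_packet(misplaced_hop_by_hop=False):
    """Constructed packet for the demo: IPv6 + Hop-by-Hop + Fragment + AH + TCP.
    With misplaced_hop_by_hop=True the Fragment header comes first, which a
    conforming receiver must reject."""
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ah = struct.pack("!BBHII", TCP, 4, 0, 0x1234, 1) + b"\x00" * 12   # 24 bytes incl. 96-bit ICV
    padn = b"\x01\x04\x00\x00\x00\x00"                                  # PadN option filling 8 bytes
    if misplaced_hop_by_hop:
        frag = struct.pack("!BBHI", HOP_BY_HOP, 0, 0, 0xABCD)
        hbh = struct.pack("!BB", AH, 0) + padn
        payload, first_nh = frag + hbh + ah + tcp, FRAGMENT
    else:
        frag = struct.pack("!BBHI", AH, 0, 0, 0xABCD)
        hbh = struct.pack("!BB", FRAGMENT, 0) + padn
        payload, first_nh = hbh + frag + ah + tcp, HOP_BY_HOP
    src = bytes.fromhex("fe800000000000000000000000000001")   # constructed link-local source
    dst = bytes.fromhex("20010db8000000000000000000000001")   # constructed documentation address
    first_word = (6 << 28) | (0 << 20) | 0x12345                # version 6, class 0, flow label
    return struct.pack("!IHBB", first_word, len(payload), first_nh, 64) + src + dst + payload
```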

Chapter III. Overview of IPsec

1. Overview

The IPsec protocol works at the network layer, layer 3 of the OSI model. Other Internet security protocols such as SSL, TLS and SSH operate from the transport layer upwards (layers 4 to 7 of the OSI model). This gives IPsec its flexibility: it can serve layer 4 with TCP, UDP and most of the protocols used at that layer. IPsec has an advantage over SSL and the other methods that operate at the upper layers of the OSI model: an application that uses IPsec needs no change to its code, whereas an application forced to use SSL or another security protocol at the upper layers of the OSI model would need major changes to its code.

2. Security architecture

IPsec is deployed with (1) cryptographic protocols that protect packets in transit, (2) an authentication method and (3) the negotiation of encryption parameters.

IPsec is built on the notion of security at the IP layer. A security association is, simply put, the combination of algorithms and parameters (such as keys) that underpins encryption and authentication in one direction. In two-way communication, the security protocols work together to serve the exchange. The actual choice of encryption and authentication algorithms is up to the IPsec administrator, because IPsec comprises a group of security protocols providing encryption and authentication for each IP packet.

To decide what needs protecting and what to apply to an outgoing packet, IPsec uses the Security Parameter Index (SPI); each index (numbered, stored in index data and acting like a telephone directory) refers to the Security Association Database (SADB), looked up by the destination address in the packet header together with the unique identifier of a security association for each packet. A similar process is applied to incoming packets, where IPsec decrypts and checks the keys from the SADB.

For multicast packets, one security association is provided for a group and applies to every receiver in the group. There can be more than one security association for a group, using different SPIs, which also allows several security levels for one group. Each sender may have several security associations, enabling authentication, while the receiver knows only the keys sent in the data. Note that the standards do not describe how the associations are chosen and replicated from the group to the individuals.

3. Current status

IPsec is a mandatory part of IPv6 and optional with IPv4. Although the standards were designed for both IP versions alike, the common practice today is to apply and deploy it on IPv4. The IPsec protocols were defined in RFCs 1825 - 1829, published in 1995. In 1998 they were upgraded in RFC 2401 - 2412, which is not compatible with the 1825 - 1829 standard. In December 2005 the third generation of the IPsec standard, RFC 4301 - 4309, appeared. It does not differ much from RFC 2401 - 2412, but the new generation provides the second IKE standard. In this new generation IP security is also abbreviated as IPsec. One difference in abbreviations: in the generation standardised by RFC 1825 - 1829 it was ESP, while in the new version it is ESPbis.

4. Design requirements

IPsec offers Transport mode (end-to-end), providing security between computers that communicate directly with each other, or Tunnel mode (portal-to-portal) for communication between two networks, used mainly for VPN connections. IPsec can be used for VPN communication and is very widely used for that. However, the two modes differ in how they are deployed.

Secure end-to-end communication on the Internet has developed slowly and taken a long time to arrive, partly because it is not very widespread, or not very practical, and because Public Key Infrastructure (PKI) is used in this method. IPsec was introduced to provide the following security services:

1. Encryption of the transmitted information

2. Data integrity

3. Authentication between the communicating parties

4. Protection against replay within secured sessions

5. Modes

The two main modes used in IPsec are transport and tunnel. Both AH and ESP provide security by inserting a security header into the datagram.

1) Transport mode:

The protection applies when the IP packet is passed down from the TCP transport layer. The packet is processed by AH or ESP, which add their header in front of the TCP/UDP header. The packet is then forwarded or processed through the IPsec header, with no further processing on the IP header.

2) Tunnel mode

In tunnel mode, IPsec is used to protect the encapsulation of the IP datagram once the IP header is ready. The IPsec header is inserted in front of the IP header, and then a new IP header is added in front of the IPsec header. The IP datagram is then protected.

6. Protocols

Two protocols were developed to provide security for the packets of both IPv4 and IPv6:

IP Authentication Header, which ensures integrity and provides authentication.

IP Encapsulating Security Payload, which provides confidentiality, with authentication and integrity as options you can choose to ensure data integrity.

The algorithms used in IPsec include HMAC-SHA1 for data integrity (integrity protection), and TripleDES-CBC and AES-CBC for encryption to protect the packet. The full set of algorithms is given in RFC 4305.

a. Authentication Header (AH)

AH is used in connections that do not need confidentiality of the data. It is also the choice for defending against replay attacks, using a sliding window and discarding older packets. AH protects the data transmitted over IP. In IPv4 the IP header includes TOS, Flags, Fragment Offset, TTL and Header Checksum. AH is placed directly in the first part of the IP packet. Below is the layout of the AH header.


 0 - 7 bit    | 8 - 15 bit     | 16 - 23 bit | 24 - 31 bit
 Next header  | Payload length | RESERVED
 Security parameters index (SPI)
 Sequence number
 Authentication data (variable)

Meaning of each field:

Next header: identifies the protocol used to carry the data.

Payload length: the size of the AH header.

RESERVED: reserved for future use (currently represented by zeros).

Security parameters index (SPI): identifies the security parameters, combined with the IP address, and identifies the security negotiation associated with the packet.

Sequence number: a number that increases automatically with each packet, used to defend against replay attacks.

Authentication data: contains the Integrity Check Value (ICV) needed to authenticate the packet.

b. Encapsulating Security Payload (ESP)

The ESP protocol provides authentication, integrity and confidentiality for the packet. ESP also supports configurations for situations that need only encryption or only authentication, but using encryption without authentication does not guarantee security. Unlike AH, the IP packet header, including any options, is not covered. ESP runs on top of IP using IP protocol number 50, while AH uses protocol number 51.

 0 - 7 bit | 8 - 15 bit | 16 - 23 bit | 24 - 31 bit
 Security parameters index (SPI)
 Sequence number
 Payload data (variable)
 Padding (0-255 bytes)
                        | Pad Length  | Next Header
 Authentication Data (variable)

Meaning of the fields:

Security parameters index (SPI): identifies the parameters, combined with the IP address.

Sequence number: increases automatically and serves to defend against replay attacks.

Payload data: the data being transmitted.

Padding: used with block ciphers.

Pad length: the size of the padding.

Next header: identifies the protocol used to carry the data.

Authentication data: contains the authentication data for the packet.
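The AH and ESP layouts tabulated above and the replay protection both sections mention, as an added example that is not part of the report: Python code that decodes the AH fields and the cleartext ESP fields, then runs the receiver-side sliding-window anti-replay check over constructed AH headers for one SA. The 64-entry window and the 12-byte HMAC-SHA1-96 ICV size are assumptions.

```python
import struct

AH_PROTOCOL, ESP_PROTOCOL = 51, 50   # IP protocol numbers from the text


def parse_ah(data):
    """Decode the AH layout from the table above: Next Header, Payload Length,
    RESERVED, SPI, Sequence Number, then the variable Authentication Data (ICV).
    Payload Length counts 32-bit words minus 2, so the 12-byte ICV of
    HMAC-SHA1-96 gives a Payload Length of 4 and a 24-byte header."""
    if len(data) < 12:
        raise ValueError("AH header truncated")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    total = (payload_len + 2) * 4
    if len(data) < total:
        raise ValueError("AH ICV truncated")
    return {"next_header": next_header, "length": total, "reserved": reserved,
            "spi": spi, "sequence": seq, "icv": data[12:total]}


def parse_esp_clear_fields(data):
    """ESP sends only the SPI and Sequence Number in the clear; Payload Data,
    Padding, Pad Length and Next Header are encrypted and the Authentication
    Data trails the packet, so this is all a passive observer (or the replay
    check, which runs before decryption) can read."""
    if len(data) < 8:
        raise ValueError("ESP header truncated")
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "sequence": seq}


class ReplayWindow:
    """Receiver-side anti-replay check for one SA: a sliding window over the
    last `size` sequence numbers.  Bit i of the bitmap records whether
    sequence number (top - i) has been accepted.  Packets below the window
    are the 'older packets' the text says are discarded."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit 0 corresponds to self.top

    def accept(self, seq):
        """Return True and record the packet, or False for a replay / stale packet."""
        if seq == 0:
            return False                       # 0 is never valid on a fresh SA
        if seq > self.top:                     # window slides forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # too old: fell outside the window
        if (self.bitmap >> offset) & 1:
            return False                       # already seen: replay
        self.bitmap |= 1 << offset
        return True


def screen_ah_packets(ah_headers, window=None):
    """Run the replay check over raw AH headers of one SA and return, per
    packet, (spi, sequence, accepted)."""
    window = window or ReplayWindow()
    out = []
    for raw in ah_headers:
        fields = parse_ah(raw)
        out.append((fields["spi"], fields["sequence"], window.accept(fields["sequence"])))
    return out


def sample_ah_headers():
    """Constructed AH headers (SPI 0x1234, HMAC-SHA1-96 sized ICV) carrying the
    sequence numbers 1, 2, 3, 2, 70, 69, 69, 5, 200: an exact duplicate, a
    late-but-in-window packet, a replay of it, a packet that fell out of the
    window after the jump to 70, and a large jump forward."""
    icv = bytes(range(12))   # placeholder ICV; a real one is an HMAC over the packet
    return [struct.pack("!BBHII", 6, 4, 0, 0x1234, seq) + icv
            for seq in (1, 2, 3, 2, 70, 69, 69, 5, 200)]
```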

7. Key exchange in IPsec - Key Exchange (IKE)

IPsec is implemented in the kernel, while key management and the ISAKMP/IKE security negotiation run in user space. A standard interface for key management exists, however, through which the IPsec kernel code can be controlled.

Because it is provided to end users, IPsec can be deployed on the Linux kernel. The FreeS/WAN project was the first to complete an open-source implementation of IPsec, on Linux. It consists of an IPsec kernel stack (KLIPS), a key-management daemon and a large number of shell scripts. The FreeS/WAN project was started in March 2004. Openswan and strongSwan continue the FreeS/WAN project. The KAME project also completed an IPsec implementation for NetBSD and FreeBSD.

Its key manager is called racoon. OpenBSD created its own ISAKMP/IKE implementation, simply named isakmpd (it has also been ported to many other systems, including Linux).

7.1 Key exchange in IPsec - Key Exchange (IKE)

The main function of IKE is to allow devices to exchange information securely; the encryption keys it produces are then used to authenticate and encrypt that information. IKE is known as a hybrid protocol because it combines three other protocols. The first is ISAKMP (Internet Security Association and Key Management Protocol), which provides a framework for exchanging encryption keys and securing information. ISAKMP supports many different key exchange methods; its two main phases are:

7.1.1 ISAKMP phase 1: IKE Phase I first authenticates the communicating endpoints and then establishes a secure channel for setting up the SA. Next, the parties negotiate a mutually agreed ISAKMP SA, including the encryption algorithms, hash functions and authentication methods that protect the keys. Once the cipher and hash function have been agreed, a shared secret key is generated. The following information is used to generate that secret key:

- the Diffie-Hellman value
- the SPI of the ISAKMP SA, used as cookies
- random numbers known as nonces (used for signing purposes)

If both parties agree to use public-key-based authentication, they also exchange IDs. After exchanging the necessary information, each side generates its own keys from the shared secret. In this way the encryption keys are generated without any key ever being sent over the network.

7.1.2 ISAKMP phase 2:

While phase I negotiates and establishes the SA for ISAKMP, phase II establishes the SAs for IPsec. In this phase, SAs for many different services are negotiated. The authentication mechanism, hash function and encryption algorithm that protect the subsequent IPsec data packets (using AH and ESP) are negotiated as part of the phase SA. Phase II negotiation happens more often than phase I; typically a renegotiation can occur after 4-5 minutes. Changing the keys frequently prevents an attacker from obtaining a key and, with it, the contents of the data packets.

In general, one phase II session corresponds to one phase I session. However, several phase II exchanges can be supported by a single phase I instance, which makes IKE's otherwise slow transaction process relatively faster.

7.2 IKE Modes

Four common IKE modes are deployed:

- Main mode
- Aggressive mode
- Quick mode
- New Group mode

    7.2.1. Main Mode


Main mode authenticates and protects the identity of the parties involved in the transaction. In this mode, 6 messages are exchanged between the endpoints:

- The first 2 messages negotiate the security policy for the exchange.
- The next 2 messages exchange the Diffie-Hellman values and nonces. The keys derived from them later play an important role in the encryption mechanism.
- The last 2 messages authenticate the parties with the help of signatures, hash functions and, optionally, certificates.
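The Main mode exchange described above, together with the phase I key derivation of section 7.1.1, as an added example that is not part of the report: two simulated peers run the six messages, derive SKEYID from the nonces and the Diffie-Hellman secret, and authenticate with HASH_I / HASH_R. The group p = 2**127 - 1, g = 2 is a toy choice for illustration, not an IKE group, and the HMAC derivation is a simplified stand-in for RFC 2409.

```python
import hashlib, hmac, os

# Demo-only DH group (not a real IKE group): p = 2**127 - 1 (a Mersenne prime), g = 2.
# IKE itself uses the MODP groups of RFC 2409 / RFC 3526.
P, G = 2**127 - 1, 2
PROPOSAL = {"enc": "3DES", "hash": "SHA1", "auth": "signature", "group": "demo"}

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1-style PRF: HMAC keyed with `key` over the negotiated hash (SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n: int) -> bytes:
    return n.to_bytes(16, "big")          # every value is < 2**127

class Peer:
    def __init__(self, name: str):
        self.name = name
        self.cookie = os.urandom(8)       # SPI of the ISAKMP SA, used as cookie
        self.nonce = os.urandom(16)       # nonce, used for signing purposes
        self.x = int.from_bytes(os.urandom(15), "big") + 2   # secret DH exponent, never sent
        self.gx = pow(G, self.x, P)       # public DH value, the only key material sent
        self.skeyid = None

def main_mode(i: Peer, r: Peer) -> list:
    """Simulate the six Main mode messages; returns what crosses the wire."""
    wire = [("I->R", "SA proposal", i.cookie, PROPOSAL),              # msg 1: offer policy
            ("R->I", "SA accepted", r.cookie, PROPOSAL),              # msg 2: accept policy
            ("I->R", "KE + Ni", i.gx, i.nonce),                       # msg 3: DH value + nonce
            ("R->I", "KE + Nr", r.gx, r.nonce)]                       # msg 4: DH value + nonce
    # both sides now derive SKEYID = prf(Ni | Nr, g^xy) without g^xy ever being sent
    for me, peer_gx in ((i, r.gx), (r, i.gx)):
        me.skeyid = prf(i.nonce + r.nonce, i2b(pow(peer_gx, me.x, P)))
    ctx = i2b(i.gx) + i2b(r.gx) + i.cookie + r.cookie
    hash_i = prf(i.skeyid, b"I" + ctx)                                # msg 5: HASH_I
    hash_r = prf(r.skeyid, b"R" + ctx)                                # msg 6: HASH_R
    wire += [("I->R", "IDi + HASH_I", hash_i), ("R->I", "IDr + HASH_R", hash_r)]
    # each side checks the peer's hash with its own SKEYID: this is the authentication
    if not hmac.compare_digest(hash_i, prf(r.skeyid, b"I" + ctx)):
        raise ValueError("initiator failed authentication")
    if not hmac.compare_digest(hash_r, prf(i.skeyid, b"R" + ctx)):
        raise ValueError("responder failed authentication")
    return wire

def secrets_match(i: Peer, r: Peer) -> bool:
    return i.skeyid is not None and i.skeyid == r.skeyid

def secret_on_wire(wire: list, peer: Peer) -> bool:
    sent = [field for msg in wire for field in msg]   # every field that crossed the wire
    return peer.x in sent or peer.skeyid in sent
```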

7.2.2 Aggressive Mode

Aggressive mode is essentially the same as Main mode. The only difference is that where Main mode uses 6 messages, this mode exchanges only 3, so Aggressive mode is faster than Main mode. The messages are:

- The first message proposes the security policy, passes the data for the main key, and exchanges nonces for the subsequent signing and verification.
- The next message responds to the first. It authenticates the recipient and completes the security policy with the keys.
- The last message authenticates the sender (the initiator of the session).


Both Main mode and Aggressive mode belong to phase I.

7.2.3 Quick Mode

The third IKE mode, Quick mode, is the phase II mode. It is used to negotiate the SAs for the IPsec security services. Quick mode can also generate new keying material: if a Perfect Forward Secrecy (PFS) policy was negotiated in phase I, a completely new Diffie-Hellman exchange is started; otherwise the new key is derived from hash values.

7.2.4 New Group Mode

New Group mode is used to negotiate a new private group so that Diffie-Hellman key exchange can be carried out more conveniently. Figure 6-18 illustrates New Group mode. Although this mode runs after phase I, it does not belong to phase II.


Besides the 4 common IKE modes above, there is also Informational mode. This mode accompanies the phase II exchange and its SAs. It gives the parties involved additional information arising from failures during negotiation: for example, if decryption fails at the recipient or a signature cannot be verified, Informational mode is used to notify the other parties.


Chapter IV. Demo

Practice. Preparation:

- 1 Server: Windows Server 2008 (domain thuchanhipsec.local), IPv6
- 1 client: Windows Server 2008, IPv6
- Wireshark and Network Monitor installed on the Server

1. Configure TCP/IPv6

On the Server, go to Run => ncpa.cpl. In the Local Area Connection Properties dialog, uncheck Internet Protocol Version 4 (TCP/IPv4), select Internet Protocol Version 6 (TCP/IPv6) and click Properties.

In the Internet Protocol Version 6 (TCP/IPv6) Properties window, enter the parameters as shown in the figure: IPv6 address: fc00:192:168:5::25, Subnet prefix length: 64, Preferred DNS server: fc00:192:168:5::25


- Configure the client's IPv6 address the same way: fc00:192:168:5::27, Preferred DNS server: fc00:192:168:5::25

2. Before IPsec is deployed

Now ping the Server fc00:192:168:5::25 from the Client.

+ Neither machine has IPsec deployed yet. In Network Monitor on the Server, open the Capture menu and press Pause to see the captured ICMP packets (destination MAC, source MAC, IP) and which machine sent them to which.

-- We can see that the data portion of the ICMP packet is not encrypted. The data is 32 bit long: the characters a through w, then a through i, shown as hexadecimal values. Wireshark shows the same.


** Likewise, if we send ICMP packets from the Server to the client, the packet data captured on the client is not encrypted either (again 32 bit of data, a through w and a through i, shown as the packet's hexadecimal values).

3. Configure IPsec

+ We configure IPsec on the Server and then on the client.

- Server: go to Run => secpol.msc to open Local Security Policy


+ In Local Security Policy, right-click IP Security Policies on Local Computer and choose Create IP Security Policy...

+ On the Welcome screen, click Next

+ In the IP Security Policy Name dialog, enter any name. Click Next

+ In the Requests for Secure Communication dialog, uncheck Activate the default response rule. Click Next


+ Uncheck Edit Properties. Click Finish to complete

+ Right-click the newly created policy and choose Assign

+ Right-click the policy again and choose Properties

+ The policy's Properties dialog appears. Click Add to create a new rule


+ In the Welcome dialog, click Next

+ In the Tunnel Endpoint dialog, keep the default, This rule does not specify a tunnel. Click Next


+ In the Network Type dialog, choose Local area network (LAN). Click Next

+ In the IP Filter List dialog we can choose All IP Traffic (the IPsec default). Choose Add.

Here we can customize the filter list by destination and source IP.

Click Add, click Next and choose the source address


Click Next and choose the destination address

Click Next and choose a protocol type

Click Next, then Finish. Back in the IP Filter List table, select the IP filter list we just configured


Click Next to reach the Filter Action table

Select Filter Action and click Edit to change the Security method; choose Negotiate security, then click Edit to modify it


Choose Custom and click Settings; here we can select the hashing and encryption algorithms, such as MD5 or SHA1. Then click OK twice.

Next, proceed as in the figure; the options are:

- Accept unsecured communication, but always respond using IPsec
- Allow fallback to unsecured communication if a secure connection cannot be established
- Use session key perfect forward secrecy (PFS)

Click Apply, then Next, proceed as in the figure, click Next again, and press Finish to end


Click Apply, then OK to finish installing and configuring IPsec.

** Do the same on the Client. Now we check whether the ICMP packets sent are encrypted or not.

--- Case 1: IPsec configured on the Server, not on the Client

- On the Client, ping the Server. It reports that the destination cannot be reached, because we set IPsec on the Server to Block / Negotiate security for all traffic coming from outside, and IPsec is turned off on the Client.

In Network Monitor the IKE protocol appears: IKE authenticates the endpoints, then establishes a secure channel for setting up the SA. Next, the parties negotiate a mutually agreed ISAKMP SA, including the encryption algorithms, hash functions and authentication methods that protect the keys.

Starting Wireshark on the Server, we see ISAKMP (Internet Security Association and Key Management Protocol) carrying out the key authentication exchange between the two sides; if the Client has no key, the result shown above is obtained.

--- Case 2: IPsec configured on both Server and Client

When IPsec is enabled on the Client, the ping to the Server now shows, in Network Monitor on the Server, that the ICMPv6 Echo Request and Echo Reply packets have been replaced by ESP.
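What the two captures in this demo show, as an added example that is not from the report: two constructed IPv6 packets from the client address to the server address, the plaintext ICMPv6 ping with the default 32-byte Windows payload and the same traffic once ESP is negotiated (with dummy bytes standing in for real ciphertext), classified the way the Network Monitor capture is read.

```python
import ipaddress
import struct

SERVER = ipaddress.IPv6Address("fc00:192:168:5::25")   # lab addresses from the report
CLIENT = ipaddress.IPv6Address("fc00:192:168:5::27")
PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"          # default 32-byte Windows ping payload
ICMPV6, ESP = 58, 50                                     # IPv6 Next Header values

def ipv6_packet(src, dst, next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header (no extension headers) followed by `payload`."""
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return fixed + src.packed + dst.packed + payload

def icmpv6_echo(echo_type: int, ident: int, seq: int) -> bytes:
    # 128 = Echo Request, 129 = Echo Reply; checksum left as 0 in this sample
    return struct.pack("!BBHHH", echo_type, 0, 0, ident, seq) + PING_DATA

def classify(pkt: bytes) -> dict:
    """Report what a capture on the server reveals about one IPv6 packet."""
    payload_len, next_header = struct.unpack("!HB", pkt[4:7])
    body = pkt[40:40 + payload_len]
    info = {"src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40]))}
    if next_header == ICMPV6:
        # no IPsec: type, id, sequence and the 32-byte data are all readable
        kind = {128: "Echo Request", 129: "Echo Reply"}.get(body[0], "other")
        info.update(proto="ICMPv6", kind=kind, data=body[8:], exposed=True)
    elif next_header == ESP:
        # IPsec ESP: only SPI and sequence number are in clear, the rest is ciphertext
        spi, seq = struct.unpack("!II", body[:8])
        info.update(proto="ESP", spi=spi, seq=seq, data=None, exposed=False)
    else:
        info.update(proto=str(next_header), data=body, exposed=True)
    return info

# constructed captures: the ping before IPsec and the same ping once ESP is negotiated
# (the "ciphertext" is dummy bytes, not real ESP output)
BEFORE = ipv6_packet(CLIENT, SERVER, ICMPV6, icmpv6_echo(128, 1, 7))
AFTER = ipv6_packet(CLIENT, SERVER, ESP, struct.pack("!II", 0x3A2B1C0D, 1) + bytes(range(48)))
```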


If we choose Block for all traffic in IPsec, the result is as follows:

    ------------------------The end------------------------


Results achieved and future direction of the project

Under the dedicated guidance of our supervisor and the instruction of the teachers at the Academy of Cryptography Techniques, together with the research of the group's members, we have built and successfully deployed the IP security technology IPsec at a basic level and learned the basic administration and overall picture of Windows Server 2008.

To truly become the engineers and experts in Information Security that the school is training, our group will actively study in depth the security issues of IPsec technology beyond Windows Server 2008, on Unix, Linux and other platforms, as well as other related topics.

We sincerely hope the teachers will contribute their comments so that our group's internship report can be completed and, in the near future, applied in practice.

We sincerely thank you.
