Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.

Slide 1
Hanoi, April 2004
VIRTUAL PRIVATE NETWORK (Mạng riêng ảo - VPN)

Slide 2
Contents:
I. Overview of VPN
II. VPN and Internet VPN security
III. Designing the building blocks of a VPN
IV. VPN management
V. Summary



Slide 3
Related background: network theory; TCP/IP; information encryption; firewalls.

Slide 4
I. OVERVIEW OF VPN
1. What is a virtual private network?
Virtual / Private / Network

Slide 5
The Virtual Private Network, called mạng riêng ảo (VPN), began in 1997.
The VPN concept: a method of making a public network operate like a local network, combined with security solutions on the transmission path. A VPN allows private connections to be set up with remote users, the company's branch offices and the company's partners, all of whom share one public network.
The tunneling concept: a mechanism for encapsulating one protocol inside another. Tunneling hides the original network-layer protocol by encrypting the data packet and placing the encrypted packet inside an IP envelope.

Slide 6
The quality-of-service concept: a VPN must provide quality-of-service (QoS) agreements, such as setting an upper bound on the average packet delay in the network.
VPN = Tunneling + Security + QoS agreements
Why build a VPN?
Lower transmission cost: savings of up to 60% compared with leased lines, and a significant reduction in charges.
Lower investment cost: a VPN does not require investment in servers, routers and switches as a company WAN does (they can be rented from service providers).

Slide 7
Lower management and support cost: with their economies of scale, service providers can give the company worthwhile savings compared with managing the network itself.
Access anytime, anywhere: a VPN does not affect any traditional Internet service.

Slide 8
2. Classification of virtual private networks
Figure: Central Site; Remote Office (Site-to-Site); Business Partner (Extranet); POP; DSL; Cable; Mobile User; Home Telecommuter; VPN over the Internet.
Remote Access
Branch-office connection (Site to Site)
Extended network (Extranet VPN)

Slide 9
Three types of link in a VPN: Remote User Access; Intranet; Extranet.

Slide 10
3. Structure of a VPN
Compatibility: support for many protocol standards.
Security: passwords for users in the network; data encryption in transit; simplicity of management and use.
Availability: connection speed; quality of service (QoS); interoperability; synchronisation with the devices in use.

Slide 11
II. VPN AND INTERNET VPN SECURITY
VPN architecture; security with VPN; protocols on VPN.

Slide 12
1. VPN network architecture
The tunnel: the "virtual" part of the VPN. No permanent connection is maintained between the endpoints; instead a connection between two sites is created only when it is needed, and when it is no longer needed it is torn down, leaving the network resources ready for other connections.
For the VPN user, the physical components of the network are hidden by the ISP. This hiding of the ISP's infrastructure and of the Internet is achieved by the concept called tunneling.

Slide 13
Creating a tunnel creates a special connection between two endpoints. To create a tunnel, the source endpoint must encapsulate its packets in IP packets for transmission across the Internet. In a VPN the encapsulation also includes encrypting the original packet. At the receiving endpoint, the gateway strips the IP header, decrypts the packet if necessary, and forwards the packet to its destination.
Tunneling allows data streams and the associated user information to be carried over a shared network inside a virtual pipe. This pipe makes routing across the network completely transparent to the user.

Slide 14
Figure: tunnel-mode packet layout: IP header | AH | ESP | original header | data.
Figure: a packet from A to B carrying "data" is wrapped in an outer packet from 1 to 2 for the trip through the tunnel, and emerges again as a packet from A to B.
Tunnel-mode packet

Slide 15
Authentication: ensures the data arrives with a clear origin.
Access control: blocks unauthorised users.
Confidentiality: limits the exposure of data in transit.
Data integrity: ensures nobody can alter the content of data in transit.
Although tunnels can make data transmission over the Internet secure, authenticating users and maintaining data integrity depend on cryptographic processes such as digital signatures and document certification. These processes operate through keys, which must be distributed and managed strictly; this is one of the tasks of the VPN. In addition, data security services are performed at layers 2 and 3.
Security services: the "private" part of the VPN.

Slide 16
2. Some VPN protocols
a. Point to Point Tunneling Protocol (PPTP)
PPTP is an extension of PPP (RFC 1661).
The tunneling service PPTP provides runs on top of the IP layer, whereas traditional PPP sits below it. PPP lends itself to this adaptation because its operation is close to what a VPN needs, but PPP is not secure.
PPTP control connection: once the connection to the Internet has been established by PPP, PPTP establishes a control connection using TCP port 1723; this connection is set up with TCP.
Authentication: PPTP clients are authenticated when PPP is used. Cleartext passwords are used; the authentication methods are PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). RFC 1334, RFC 1994, RFC 2284.

Slide 17
b. Layer 2 Tunneling Protocol (L2TP)
Hybrid Layer 2 tunneling
- A tunneling protocol for remote-access VPNs. It is an extension of PPP that combines the advantages of Cisco's L2F and Microsoft's PPTP.
- Multiprotocol support: it can carry any routed protocol, including IP, IPX and AppleTalk.
- Media independence: L2TP runs over any network able to carry IP frames and supports any WAN backbone (Frame Relay, ATM, X.25, SONET) and LAN media (Ethernet, Token Ring, FDDI).
- It can be set up from a Network Access Server or from client software to a router acting as the tunnel endpoint.

Slide 18
3. Illustration of Cisco's VPN architecture
Security block
The access block forms the basis for commercial applications and is designed to comply with the same requirements and regulations as the company's private network.
VPN access block
@ Authentication architecture
In a VPN access environment, the most important security aspect is identifying a company user and establishing a tunnel to the company gateway. This gateway must be able to authenticate the user and handle access authorisation and accounting (AAA).
@ One-way authentication
To authenticate the user, the client first establishes a connection to the service provider's network through a POP, then establishes a second connection with the customer network.

Slide 19
The tunnel endpoints in VPN access authenticate each other. Next the user connects to the customer premises equipment (CPE). The user gateways use the point-to-point protocol or the Serial Line Internet Protocol (SLIP) and are authenticated through a username/password protocol such as PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol) or a gateway access-control system.

Slide 20
VPN reference architecture
Figure: customer edge device; provider edge device.

Slide 21
VPN: logical view
Figure: customer edge device; provider edge device; virtual private network.

Slide 22
Leased-line VPN
Customer sites are interconnected via static virtual channels (e.g. ATM VCs) or leased lines; each customer site connects to the provider edge.

Slide 23
Customer premise VPN
Customer sites are interconnected via tunnels; the tunnels are typically encrypted; the SP treats VPN packets like all other packets. All VPN functions are implemented by the customer.

Slide 24
Network-based Layer 3 VPNs
Multiple virtual routers in a single provider edge device.

Slide 25
Tunneling

Slide 27
b- Two-way authentication
First the user dials in to the ISP's point of presence (POP), then the ISP identifies the caller through a shared identifier. The Network Access Server (NAS) knows which customer network this identifier belongs to. Next, the NAS sets up a tunnel to the customer-side gateway. Finally, the user is authenticated a second time by the corporate network gateway.

Slide 29
5. Firewall
The Cisco IPX Firewall allows 64,000 simultaneous connections and works on the Adaptive Security Algorithm (ASA), which effectively secures access to internal hosts.
Main features:
- Context-based access control (CBAC): provides security and application-level filtering for IP traffic, and supports the latest protocols.
- Java blocking: protects against dangerous Java applets, allowing only applets from trusted sources.
- Denial-of-service detection and prevention: protects router resources against common attacks.
- Real-time alerts: alerts in the case of denial-of-service attacks and other special conditions.
- Audit trail: tracks who accessed what, by time, source and destination address, port and total bytes transferred.

Slide 30
VPN server in front of the firewall
a- Firewall model (1)

Slide 31
VPN server behind the firewall
b- Firewall model (2)

Slide 32
6. Encryption and authentication techniques
A security framework for an organisation comprises 7 different components: Authentication, Confidentiality, Integrity, Authorization, Nonrepudiation, Administration, Audit trail.
Uses of the encryption and authentication system in a VPN: confidentiality of data in transit; both parties keeping the communication secret between themselves (authentication); integrity of information.
Common cryptographic technologies used in VPNs include DES, Triple DES, RC2, RC4 and RSA.

Slide 33
Figure: Internet VPN: user authentication; confidentiality and integrity; audit, administration; authorization, nonrepudiation; firewall; data.
a- Authentication model

Slide 34
Figure: application layers (5-7): application-layer encryption; transport/network layers (3-4): network-layer encryption; physical/data-link layers (1-2): data-link-layer encryption.
b- Encryption model

Slide 35
7. Network security threats
Data transmission over IP networks is exposed to many dangers, four of them common: spoofing, session hijacking, sniffing and the man-in-the-middle attack.
Spoofing
In a spoofing attack the attacker uses the IP address of someone in the network and pretends to be replying to someone else. Having determined that two hosts A and B are communicating client/server style, the attacker tries to impersonate one of them (say A) so that the other host (B) still believes it is connected to A. The attacker does this by creating a forged message with A's address as its source, requesting a connection to B. When B receives this message, it acknowledges it with a sequence number for the data transfer with A. But the sequence number from host A is unique to the connection between the two hosts.

Slide 36
To complete a session between A and B, B expects A to acknowledge B's sequence number before any exchange of information takes place; the attacker playing the part of A must therefore guess the sequence number B will use and must stop A from replying. Determining the sequence number, however, is not too difficult. To make A unable to answer any transmission from B, the attacker continually sends A a large volume of packets, overloading it.
Spoofing is relatively easy to defend against: configure the routers to discard any packet arriving from outside that claims to originate from a host in the internal network.
Session hijacking
The attacker tries to take over an existing connection between two hosts in the network. First the attacker gains control of a network device on the LAN, perhaps the firewall or another host, and so can monitor the connection between the two hosts and determine the sequence numbers used by both sides.
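The router rule described above (drop packets entering from outside that claim an inside source), as an added example that is not part of the slides: the check is applied to constructed flow-log lines. The interface name and internal address blocks are assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed topology (assumption): the border router's outside interface and
# the address blocks that exist only inside the corporate network.
OUTSIDE_IFACE = "Serial0"
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def claims_internal_source(src: str) -> bool:
    """True when the packet's source address belongs to an internal block."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def ingress_verdict(iface: str, src: str) -> str:
    """'drop' for a packet that enters on the outside interface while claiming an
    inside source address (a spoofed packet, since real inside hosts never arrive
    from outside); every other packet is 'permit' as far as this rule goes."""
    if iface == OUTSIDE_IFACE and claims_internal_source(src):
        return "drop"
    return "permit"


def audit(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Apply the rule to flow-log lines of the form 'iface src dst proto'."""
    results = []
    for line in lines:
        iface, src, dst, proto = line.split()
        results.append((f"{src}->{dst}/{proto}", ingress_verdict(iface, src)))
    return results


# Constructed sample log: two spoofed inbound packets and two legitimate ones.
SAMPLE_LOG = [
    "Serial0 10.1.2.3 10.1.9.9 tcp",
    "Serial0 203.0.113.5 10.1.9.9 tcp",
    "Ethernet0 10.1.2.3 203.0.113.5 tcp",
    "Serial0 192.168.50.1 10.1.9.9 udp",
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:6} {flow}")
```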

Slide 37
Having monitored the connection, the attacker can generate traffic that appears to come from one of the communicating parties, seizing the session from one of the participants. The attacker overloads one of the communicating hosts with packet processing.
To avoid session hijacking, the members of a session need to be confirmed, and the safest measure is encryption.
Sniffing
Eavesdropping on a network rests on the fact that some Ethernet interface cards can be made to receive broadcast packets. The attacker can use software called a sniffer that records the network traffic passing through it. A sniffer is a necessary part of diagnosing any Ethernet network, letting one quickly determine what is happening on any segment. Sniffer products are also a tool for recording login packets on the network and later using that information to break into a network the attacker has no right to access.
Physical supervision is the best way to reduce the risk of sniffing.

Slide 38
Man-in-the-middle attack
Clearly, using encryption and authentication techniques to secure data is the effective answer to the threats above, but encryption carries latent risks of its own, such as careless management of the key system. The attacker can use many methods to obtain information about the key exchange between members of the network. This type of attack is called the man-in-the-middle attack.

Slide 39
8. Authentication techniques
Authentication is an indispensable part of the VPN security architecture. Authentication rests on three attributes: something we have (a key or a token card), something we know (a password) and something that identifies us (voice, retina scan, fingerprint, ...).
Traditional passwords
Static ID/password authentication, with the password kept for a given period, is not strong enough to protect network access even when users are always vigilant. One-time passwords are therefore more effective.
One Time Password (OTP)
The S/Key one-time password system is the typical form of this authentication. S/Key automatically generates a list of passwords for each user session. The drawback of the method is the difficulty of administering password lists for a large number of users.
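The S/Key password list just described, as an added example that is not code from the slides: the list is a hash chain, the server keeps only the top of the chain, each password is accepted once, and the chain runs out (the administration burden the slide mentions). RFC 1760 uses MD4; MD5 via hashlib is substituted here, and the secret, seed and chain length are constructed values.

```python
import hashlib
from typing import List


def fold(digest16: bytes) -> bytes:
    """Fold a 16-byte digest to 8 bytes by XOR-ing its halves (S/Key's 64-bit output)."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def skey_hash(value: bytes) -> bytes:
    """One step of the chain. RFC 1760 specifies MD4; MD5 is an assumption here."""
    return fold(hashlib.md5(value).digest())


def generate_chain(secret: str, seed: str, count: int) -> List[bytes]:
    """Return [p1, ..., p_count] with p1 = H(seed+secret) and p_i = H(p_{i-1}).
    The user keeps (or recomputes) this list; the server is given only p_count."""
    value = fold(hashlib.md5((seed + secret).encode()).digest())
    chain = []
    for _ in range(count):
        value = skey_hash(value)
        chain.append(value)
    return chain


class SKeyVerifier:
    """Server side: stores the last accepted password and its position in the
    chain, never the user's secret. Each successful login moves one step down."""

    def __init__(self, top_password: bytes, count: int):
        self.stored = top_password      # p_count
        self.sequence = count           # index of the password currently held

    def verify(self, presented: bytes) -> bool:
        if self.sequence <= 1:
            return False                # chain exhausted: a new list must be issued
        if skey_hash(presented) != self.stored:
            return False                # not the predecessor of what we hold (or a replay)
        self.stored = presented         # the accepted password is now useless to a sniffer
        self.sequence -= 1
        return True
```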

Slide 40
Authentication protocols
Password Authentication Protocol (PAP)
PAP is designed simply for one computer to authenticate itself to another when the point-to-point protocol is used as the communication protocol. PAP is a two-way handshake: the host initiating the connection sends a user ID and password pair to the target host it wants to connect to, and the target host then verifies that the computer has authenticated correctly and accepts the communication.
PAP is not secure because the authentication information is sent in the clear and there is no protection against replay or against repeated attempts by attackers to guess the correct password.
Challenge Handshake Authentication Protocol (CHAP)
CHAP is a three-way handshake; the authentication takes 3 steps:
1- The authenticator sends a challenge message to the peer.
2- The peer computes a value using a one-way hash function and returns it to the authenticator.
3- The authenticator accepts the response if it matches the expected value.
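The three CHAP steps above, as an added example that is not code from the slides: the response is MD5(Identifier || secret || Challenge) as in RFC 1994, the secret never crosses the link (unlike PAP), and each challenge is consumed once so a captured response cannot be replayed. The shared secret and the 16-byte challenge size are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed value; in practice provisioned out of band on both ends.
SHARED_SECRET = b"constructed-chap-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """One-way hash of Identifier || secret || Challenge (MD5, RFC 1994)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges, e.g. the network access server."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending: Dict[int, bytes] = {}

    def step1_challenge(self, identifier: int) -> bytes:
        """Step 1: send a fresh random challenge to the peer."""
        challenge = os.urandom(16)
        self._pending[identifier] = challenge
        return challenge

    def step3_verify(self, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the expected hash and compare in constant time.
        The challenge is removed after one use, so replaying a response fails."""
        challenge = self._pending.pop(identifier, None)
        if challenge is None:
            return False
        expected = chap_response(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """The side being authenticated, e.g. the dial-in client."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def step2_respond(self, identifier: int, challenge: bytes) -> bytes:
        """Step 2: hash challenge with secret; only the hash goes on the wire."""
        return chap_response(identifier, self._secret, challenge)


def run_handshake(authenticator: Authenticator, peer: Peer, identifier: int = 1) -> bool:
    """Drive the three steps and return the authenticator's decision."""
    challenge = authenticator.step1_challenge(identifier)
    response = peer.step2_respond(identifier, challenge)
    return authenticator.step3_verify(identifier, response)
```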

Slide 41
Terminal Access Controller Access System (TACACS)
TACACS is one of the systems developed to provide not only an authentication mechanism but also the other two "A" functions of remote-access security: authorization and accounting. Unlike the peer relationships designed into PAP and CHAP, TACACS is designed to work as a client/server system, which is more flexible, especially for network security management. At the centre of TACACS and RADIUS is an authentication server.
Figure: the user dials in to the access server; the access server sends an authentication request to the server using the TACACS/RADIUS protocol; the authentication server checks the identification request; the authentication server reports back to the access server.

Slide 42
Basic hardware systems
A- Smart cards and PC cards
A smart card is a credit-card-sized device containing a microprocessor and memory. Reading the information on a smart card requires a reader. A smart card can store each user's private key together with any pre-installed application, simplifying the authentication process, particularly for mobile users. Some smart cards now include a cryptographic coprocessor for encryption and decryption, making those operations easy and fast.
The simplest electronic-certificate systems require the person to enter a personal identification number (PIN) to complete authentication. Many systems combine the smart-card PIN with the user's biometric data such as a fingerprint: a fingerprint scanner is installed and the scan is compared with the data stored on the card.
A PC card is a small board plugged into an expansion slot on the computer's motherboard. PC cards are less flexible but have more memory than smart cards, so they can store a larger amount of authentication information.

Slide 43
B- Token devices
Tokens are built on dedicated hardware that displays changing passcodes which the user must type into the computer. The processor inside the token holds a set of secret keys used to generate one-time passcodes. The codes are passed to a security server on the network, which checks their validity and grants access to the user.
Before the user is authenticated, the token device requires a PIN and then uses one of the following three mechanisms:
1- Challenge-response: the security server issues a random number when the user logs in to the network. The challenge number appears on the screen and the user keys it into the token. The token encrypts the challenge with its secret key and shows the result on its LCD, and the user then types that result into the computer. Meanwhile the server encrypts the challenge with the same key; if the two results match, the user is allowed into the network.

Slide 44
2- Time-synchronous: here the token displays a number encrypted with a secret key, and this key changes every 60 seconds. The user is prompted for the number when trying to log in to the server. Because the clocks on the server and the token are synchronised, the server can verify the user by decrypting the token's number and comparing the result.
3- Event-synchronous: here a counter records the number of times the user has logged in. After each login the counter is updated and a different passcode is generated for the next login.
C- Biometric systems
Biometric systems rely on a unique personal trait to identify the user. Commonly used traits are fingerprints, voice and the retina.

Slide 45
9. Cryptographic techniques
Symmetric encryption: plaintext --(key K)--> ciphertext --(key K)--> plaintext. The same key K is used at both ends.
Asymmetric encryption: plaintext --(key E)--> ciphertext --(key D)--> plaintext. Key E encrypts and key D decrypts.

Slide 46
Symmetric encryption. In the DES technique, 56 bits of the 64-bit key are used as the key and 8 bits are used for error checking. The algorithm is as follows:
Input T = t1 t2 ... t64
Initial permutation (IP): T0 = IP(T)
Encryption computation: 16 rounds
Inverse initial permutation (IP^-1): T = IP^-1(Tn)
Output T = t1 t2 ... t64
Key K = k1 k2 ... k64; key generation produces the round keys Ki (16 selections).

Slide 47
Asymmetric encryption. The Diffie-Hellman (DH) technique works as follows: two communicating parties can use DH to create a shared secret value that can then be used as the common key of a secret-key cipher.
Figure: each side generates a random number and computes the key; plaintext is encrypted to ciphertext on one side and decrypted back to plaintext on the other.
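The DH exchange of the figure above, as an added example that is not code from the slides: each side draws a random exponent, publishes g^x mod p, and derives the same secret, which is then hashed into a symmetric key for the secret-key cipher the slide mentions. The tiny group (p = 1019, g = 2), the rejection of degenerate public values and the SHA-256 key derivation are this example's assumptions; real deployments use standardised groups of 2048 bits or more.

```python
import hashlib
import secrets

# Constructed toy group (assumption): p = 1019 is a safe prime (2*509 + 1) and
# g = 2 generates the whole multiplicative group. Only the size differs from
# the standardised groups used in practice; the arithmetic is the same.
P = 1019
Q = (P - 1) // 2
G = 2


def generate_private(p: int = P) -> int:
    """Random secret exponent in [2, p-2]."""
    return secrets.randbelow(p - 3) + 2


def public_value(x: int, g: int = G, p: int = P) -> int:
    """The value sent over the network: g^x mod p."""
    return pow(g, x, p)


def check_public_value(y: int, p: int = P) -> bool:
    """Reject 0, 1 and p-1: they force the shared secret to a predictable value."""
    return 1 < y < p - 1


def shared_secret(peer_public: int, x: int, p: int = P) -> int:
    """(g^y)^x mod p, identical on both sides because exponents commute."""
    if not check_public_value(peer_public, p):
        raise ValueError("invalid peer public value")
    return pow(peer_public, x, p)


def derive_key(secret_int: int, length: int = 16) -> bytes:
    """Turn the agreed integer into a fixed-size symmetric key (SHA-256, assumption)."""
    nbytes = (P.bit_length() + 7) // 8
    return hashlib.sha256(secret_int.to_bytes(nbytes, "big")).digest()[:length]


def exchange(x_a: int, x_b: int):
    """Both sides' view of one exchange; returns (key_a, key_b), which must match."""
    a_pub = public_value(x_a)   # A sends this to B
    b_pub = public_value(x_b)   # B sends this to A
    key_a = derive_key(shared_secret(b_pub, x_a))
    key_b = derive_key(shared_secret(a_pub, x_b))
    return key_a, key_b


if __name__ == "__main__":
    ka, kb = exchange(generate_private(), generate_private())
    print("keys match:", ka == kb, ka.hex())
```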

Slide 48
The RSA public-key encryption method (Rivest, Shamir, Adleman)
In 1978 Rivest, Shamir and Adleman proposed the RSA public-key encryption method. The RSA algorithm rests on the following observation: it is easy to generate two large primes and multiply them together, but extremely hard to factor the resulting composite number into its two primes. The algorithm is described as follows:
1- Choose two large primes p and q.
2- Compute n = p × q and φ(n) = (p-1)(q-1).
3- Randomly choose D (3 < D

Slide 49
10. VPN protocols
Basic features of IPSec
The IPSec protocol was standardised in 1995. IPSec defines 2 kinds of header for IP packets that control authentication and encryption: one is the IP Authentication Header (IP-AH), which handles authentication, and the other is the Encapsulating Security Payload (ESP), for encryption. IPSec support is mainly an addition for IPv4, whereas IPv6 has IPSec built in.
@ Security Association (SA)
@ Authentication Header (AH)
@ Encapsulating Security Payload (ESP)
@ Modes of operation
a- The IPSec protocol

Slide 50
1- Security Association (SA)
For two parties to send and receive secured data, sender and receiver must agree on the cipher and on the method of managing and exchanging keys. A communication may require one or more SAs, and every encrypted IPSEC packet requires an SA. An IPSec SA describes the following:
- the authentication algorithm used for AH and its key;
- the ESP cipher and its key;
- the format and size of the initialisation vector used by the cipher;
- the protocol, cipher and key used for the communication;
- the key lifetime of the SA;
- the source address of the SA.

Slide 51
2- Authentication Header (AH)
In the IPSec system the Authentication Header is inserted between the IP header and the payload without altering the content of the datagram. The AH header comprises 5 fields: Next Header, Payload Length, Security Parameter Index (SPI), Sequence Number and Authentication Data.
Figure (IPv4): original IP header | AH | TCP | data, derived from original IP header | TCP | data; authenticated except for the mutable fields.
Figure (IPv6): original IP header | hop-by-hop, routing, fragment headers | AH | destination options | TCP | data, derived from original IP header | extension headers | TCP | data; authenticated except for the mutable fields.
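The IPv4 transport-mode AH of the figure above, as an added example that is not code from the slides: the header with the five fields (plus the reserved word that sits between Payload Length and SPI) is inserted between the IP header and the TCP segment, and the integrity value covers everything except the mutable IP fields, so a router changing the TTL does not break the check while a changed payload does. HMAC-SHA1-96 as the integrity algorithm, a 20-byte option-less IP header, and the key and sample packet are constructed assumptions.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51                 # protocol number the outer IP header carries for AH
ICV_LEN = 12                     # HMAC-SHA1-96 truncated ICV (assumption)
KEY = b"constructed-ah-integrity-key"   # constructed; a real key comes from the SA


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """Copy of a 20-byte IPv4 header with the mutable fields zeroed: TOS, flags and
    fragment offset, TTL, header checksum. These are the 'changing fields' that
    the slide excludes from authentication."""
    h = bytearray(hdr[:20])
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over immutable IP fields + AH fixed fields + zeroed ICV slot + payload."""
    data = zero_mutable_ipv4(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_transport(ip_hdr: bytes, payload: bytes, spi: int, seq: int, key: bytes = KEY) -> bytes:
    """Insert AH between the IP header and the upper-layer payload (transport mode).
    Fields: Next Header, Payload Length, reserved, SPI, Sequence Number, Auth Data."""
    next_header = ip_hdr[9]                       # original upper-layer protocol (e.g. 6 = TCP)
    # Payload Length = AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, spi, seq)
    outer = bytearray(ip_hdr[:20])
    outer[9] = AH_PROTOCOL
    struct.pack_into("!H", outer, 2, 20 + 12 + ICV_LEN + len(payload))
    outer = bytes(outer)                          # checksum not recomputed; it is zeroed for the ICV
    return outer + ah_fixed + compute_icv(key, outer, ah_fixed, payload) + payload


def verify_ah_transport(packet: bytes, key: bytes = KEY):
    """Return (next_header, spi, seq, payload) when the ICV matches, else None."""
    ip_hdr = packet[:20]
    if len(packet) < 32 or ip_hdr[9] != AH_PROTOCOL:
        return None
    next_header, plen, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_len = (plen + 2) * 4
    icv = packet[32:20 + ah_len]
    payload = packet[20 + ah_len:]
    expected = compute_icv(key, ip_hdr, packet[20:32], payload)
    if not hmac.compare_digest(expected, icv):
        return None
    return next_header, spi, seq, payload


PAYLOAD = b"TCP segment (constructed stand-in)"


def sample_ipv4_header(proto: int, payload_len: int) -> bytes:
    """Constructed IPv4 header: 10.0.0.1 -> 10.0.0.2, DF set, TTL 64, checksum 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def sample_packet() -> bytes:
    return build_ah_transport(sample_ipv4_header(6, len(PAYLOAD)), PAYLOAD, spi=0x1000, seq=1)


if __name__ == "__main__":
    pkt = sample_packet()
    print("AH packet:", pkt.hex())
    print("verified:", verify_ah_transport(pkt) is not None)
```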

Slide 52
Note that AH does not keep the packet secret; it performs authentication only. To protect the data, the second component, ESP, is used.
3- Encapsulating Security Payload (ESP)
ESP is responsible for encrypting the data, so the content of the packet changes.
Figure (IPv4): original IP header | ESP header | TCP | data | ESP trailer | ESP authentication, derived from original IP header | TCP | data; the diagram marks the encrypted region and the authenticated region.
Figure (IPv6): original IP header | hop-by-hop, routing, fragment headers | ESP | destination options | TCP | data | ESP trailer | ESP authentication, derived from original IP header | extension headers (if any) | TCP | data; the diagram marks the encrypted region and the authenticated region.

Slide 53
Like AH, ESP carries an SPI that tells the receiver which security mechanism is appropriate for processing the packet. The sequence number in ESP is a counter incremented each time a packet is sent to the same address.
4- Modes of operation
IPSec has two modes of operation:
Transport mode: only the transport-layer segment in the packet is processed. Transport mode is used by both gateways and hosts and provides a security mechanism for the upper-layer protocols. In transport mode, AH is inserted after the IP header and before the upper-layer protocol (TCP, UDP or ICMP), or before any IPSec header already inserted.
Tunnel mode: the whole packet is processed for encryption and authentication. In tunnel mode the IP header holds the source and destination addresses. AH protects the entire IP packet.

Slide 54
Figure (IPv4, AH tunnel mode): new IP header | AH | original IP header | TCP | data.
Figure (IPv6, AH tunnel mode): new IP header | new extension headers | AH | original IP header | original extension headers | TCP | data.
Authenticated except for the mutable fields in the new IP header.
AH tunnel mode only guards against modification of the data content, so other means are needed to guarantee the privacy of the data.

Slide 55
ESP tunnel mode guards effectively against sniffing, but it does not secure all of the traffic.
Figure (IPv4, ESP tunnel mode): new IP header | ESP | original IP header | TCP | data | ESP trailer | ESP authentication; the diagram marks the encrypted region and the authenticated region.
Figure (IPv6, ESP tunnel mode): new IP header | new extension headers | ESP | original IP header | original extension headers | TCP | data | ESP trailer | ESP authentication; the diagram marks the encrypted region and the authenticated region.

Slide 56
To build a VPN in which all hosts can communicate with one another through IPSec, IPSec software must be installed on every host and on the security gateways.
5- Using IPSec
Figure: two protected LANs, each behind a security gateway, joined across the Internet (LAN-to-LAN connection); a client connecting across the Internet to a security gateway in front of a protected LAN (client-to-LAN connection).

Slide 57
Basic features of PPTP
The Point to Point Tunneling Protocol (PPTP) was put forward by a group of companies called the PPTP Forum. The basic idea of the protocol is to separate the common and the private functions of remote access, taking advantage of the existing Internet infrastructure to create a secure connection between a client and a private network. A remote user only has to dial the local Internet service provider to create a secure tunnel to their private network.
@ PPTP can tunnel many different protocols, whereas IPSec works only with IP;
@ PPTP is designed to operate at the data-link layer, whereas IPSec runs at the network layer;
@ It sets up and tears down the physical connection;
b- The PPTP protocol

Slide 58
1- PPTP format
PPTP relies on PPP to create the dial-up connection between the client and the network access server. Once PPP has established the connection, PPTP uses PPP's encapsulation rules to encapsulate the packets carried in the tunnel.
To exploit the connection created by PPP, PPTP defines 2 kinds of packet, control packets and data packets, and assigns them to 2 separate channels. PPTP then splits the control channel and the data channel into a control stream over TCP and a data stream over IP. The TCP connection between the PPTP client and the PPTP server is used to carry control messages. Control packets are sent periodically to obtain connection-status information and to manage signalling between the PPTP client and the network server; they are also used to send device-management and configuration information between the two ends of the tunnel.
The control channel is required to set up a tunnel between the PPTP client and the PPTP server. The client software may reside on the remote user's machine or on the ISP's server.

Slide 59
Once the tunnel has been set up, the user's data is sent from the client to the PPTP server. PPTP packets contain IP datagrams. Each IP datagram is encapsulated with a GRE header, using the host's ID (call ID) to control access. Acknowledgements (ACK) monitor the rate of data transmission in the tunnel.
Because PPTP operates at the data-link layer, the packet needs a media header that indicates how the data is carried in the tunnel. Depending on the ISP's infrastructure, the medium may be Ethernet, Frame Relay or a PPP connection.
2- Tunnels
PPTP lets users and ISPs create many kinds of tunnel. The user can place the tunnel endpoint on their own machine if a PPTP client is installed, or on the ISP's server if their computer only has PPP and no PPTP. Tunnels fall into two kinds: voluntary and compulsory.
A voluntary tunnel is created at the user's request for a specified purpose. When using a voluntary tunnel, the user can at the same time open a secure tunnel through the Internet with ordinary TCP/IP.
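The GRE encapsulation described above (call ID in the header, acknowledgements for flow control), as an added example that is not code from the slides: it builds and parses the enhanced GRE header that PPTP wraps around each PPP frame, following the field layout of RFC 2637, and gives a defender a quick way to recognise PPTP data traffic. The payload and field values are constructed.

```python
import struct
from typing import Optional

PPTP_GRE_PROTO = 0x880B   # protocol type "PPP" inside GRE, as used by PPTP (RFC 2637)


def build_pptp_gre(call_id: int, payload: bytes,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Enhanced GRE header around a PPP frame. K is always set: the key field holds
    the payload length and the call ID that identifies the session in the tunnel."""
    b0 = 0x20                 # C=0, R=0, K=1, s=0, Recur=0
    b1 = 0x01                 # Flags=0, Version=1 (enhanced GRE)
    if seq is not None:
        b0 |= 0x10            # S: sequence number present (data packet)
    if ack is not None:
        b1 |= 0x80            # A: acknowledgement number present
    hdr = struct.pack("!BBHHH", b0, b1, PPTP_GRE_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(buf: bytes) -> dict:
    """Validate the fixed header and return call ID, optional seq/ack and payload.
    Raises ValueError for anything that is not PPTP's GRE encapsulation."""
    if len(buf) < 8:
        raise ValueError("short GRE header")
    b0, b1, proto, plen, call_id = struct.unpack("!BBHHH", buf[:8])
    if b0 & 0xC0 or not b0 & 0x20:
        raise ValueError("C and R must be clear and K set for PPTP")
    if b1 & 0x07 != 1:
        raise ValueError("not enhanced GRE (version 1)")
    if proto != PPTP_GRE_PROTO:
        raise ValueError("protocol type is not PPP-in-GRE")
    has_seq = bool(b0 & 0x10)
    has_ack = bool(b1 & 0x80)
    needed = 8 + 4 * has_seq + 4 * has_ack
    if len(buf) < needed + plen:
        raise ValueError("truncated packet")
    off = 8
    seq = ack = None
    if has_seq:
        seq = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if has_ack:
        ack = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": buf[off:off + plen]}


def is_pptp_gre(buf: bytes) -> bool:
    """Monitoring helper: does this GRE payload look like a PPTP tunnel packet?"""
    try:
        parse_pptp_gre(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = build_pptp_gre(0x1234, b"PPP frame (constructed)", seq=7, ack=6)
    print(pkt.hex())
    print(parse_pptp_gre(pkt))
```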

Slide 60
Voluntary tunnels are commonly used to provide privacy and data integrity for intranet traffic carried over the Internet.
A compulsory tunnel is created without the user's involvement, so it is transparent to the end user. The endpoint of a compulsory tunnel lies at the remote access server (RAS). All data sent by the user passes through the PPTP tunnel via the RAS. Because a compulsory tunnel fixes the endpoint in advance and the user cannot reach the rest of the Internet, it gives better access control than a voluntary tunnel. This means that the user does not access the Internet while accessing the VPN; on the other hand, access from the Internet into the VPN is still allowed.
Figure (voluntary tunnels): PPTP client | Internet | PPTP tunnel | Intranet.

Slide 61
A compulsory tunnel can have several connections established at once.
A static compulsory tunnel is configured either by the device or by hand. Device configuration requires the user to dial a special telephone number to create the connection. With manual configuration, the RAS examines a part of the user name called the Realm to decide where to contact for that user. Realm-based tunnels let users associated with a given realm be linked to it and treated alike.
Figure (compulsory tunnels): PPTP client | RAS (PPTP client) | Internet | PPTP server | Intranet.

Slide 62
The most important feature of PPTP is that it provides a secure dial-up method of accessing the VPN and defines the endpoint of the tunnel; one of these endpoints may lie on the Internet service provider's equipment, so configuring it requires cooperation between the ISP and the network administrator in authenticating users.
3- Using PPTP
Figure: two protected LANs, each behind a PPTP server, joined across the Internet (LAN-to-LAN connection); a client reaching a protected LAN across the Internet either through an ISP NAS without PPTP or through an ISP NAS with PPTP (client-to-LAN connection).

Slide 63
Basic features of L2TP
The Layer 2 Tunneling Protocol (L2TP) is a combination of the two protocols PPTP and L2F (Layer 2 Forwarding), so L2TP inherits the characteristics of both PPTP and L2F.
@ L2TP is designed to operate at the data-link layer.
@ L2TP can tunnel many different protocols.
@ Microsoft plans to support L2TP in Windows NT and Windows 98.
1- L2TP format
L2TP relies on PPP to create the dial-up connection between the client and the network access server (NAS). L2TP uses PPP to create the physical connection, carry out the initial authentication phase, create PPP data packets and close the connection at the end of the session.
c- The L2TP protocol

Slide 64
After PPP has created the connection, L2TP determines whether the NAS at the main site accepts the user and is ready to act as the tunnel endpoint for that user. Once the tunnel is created, L2TP encapsulates the PPP packets and transmits them over the medium the ISP assigns to that tunnel. L2TP creates a tunnel between the ISP's NAS and the client's network server, and can assign several sessions to one tunnel. L2TP creates a call identifier (Call ID) for each session and places the Call ID in the L2TP header of each packet to indicate which session it belongs to.
L2TP can also create several tunnels between the ISP's NAS and the client's network server. Assigning one user session to each tunnel instead of multiplexing several sessions into one tunnel allows different users to be assigned to tunnel media according to their quality of service.
L2TP also defines 2 kinds of message: control messages and data messages.
Control messages are used to set up, manage and release sessions on the tunnel.
Data messages include a media header that indicates which medium the tunnel operates over.