Virtual Private Networks (Mạng Riêng Ảo VPN, revised edition V2)


  • 8/13/2019 Mang Rieng Ao VPN (Da Hieu Chinh-V2)

IP and NGN training programme for VNPT electronics and telecommunications engineers

PREFACE

With a comprehensive, technology-leading development strategy intended to build substantial capacity, competitiveness in quality, a diversified range of services, low cost and high labour productivity, the Vietnam Posts and Telecommunications Group (VNPT) has a strategy and a plan to migrate its telecommunications network to a next-generation network (NGN). The NGN has a single information infrastructure based on packet switching, deploys services quickly and in great variety, and supports the convergence of voice and data and of fixed and mobile services. It grows out of advances in information technology, the strengths of packet switching in general and IP in particular, and broadband optical transmission. The structure and operating principles of the next-generation network differ fundamentally from those of today's PSTN. Telecommunications engineers and technical staff therefore need refresher training in this new technology; only then will they have the ability and skill to operate, manage and deploy telecommunications services safely and efficiently.

The Group's training programme on IP and NGN technology for electronics and telecommunications engineers was built to give the technical staff who directly manage and operate equipment in the field the basic knowledge and skills related to IP and NGN, in support of the Group's migration of its network technology and telecommunications services.

This volume, Virtual Private Networks, has five chapters. It introduces the basic technical issues in building a VPN, the VPN solutions based on IPSec and on MPLS, and the current state of VPN deployment in practice.

Chapter 1 introduces the basic concepts of VPN, its functions and characteristics, and on that basis classifies VPNs and sets out the advantages and difficulties of each type.

Chapter 2 presents the tunneling protocols used for VPN, analysing their operation, their characteristics and their applicability in the different VPN models.

Chapter 3 presents the IPSec security protocol and the technical issues in implementing VPN over IPSec: cryptographic standards, integrity-checking tools, authentication algorithms, and key management and exchange.

Chapter 4 presents MPLS-based VPN models, the components and operation of MPLS-VPN, and connection control, security and QoS in MPLS-VPN. It also compares the characteristics and applicability of the IPSec-based and MPLS-based VPN solutions.


Chapter 5 presents models and solutions for deploying VPN, concentrating on the most recent solutions built on MPLS. Some information on the VPN services VNPT currently offers is also given in this chapter.

Despite the instructors' best efforts in compiling this material, shortcomings are unavoidable. Comments from readers are welcome so that later editions can be improved.

POSTS AND TELECOMMUNICATIONS TRAINING CENTER 1

CONTENTS

PREFACE ........ i
CONTENTS ........ iii
LIST OF FIGURES ........ v

CHAPTER 1 - GENERAL INTRODUCTION TO VPN ........ 1
  1.1 The VPN concept ........ 2
  1.2 Functions, advantages and drawbacks of VPN ........ 3
    1.2.1 Functions ........ 3
    1.2.2 Advantages ........ 4
    1.2.3 Drawbacks and open issues ........ 5
  1.3 VPN models ........ 6
    1.3.1 The overlay model ........ 6
    1.3.2 The peer-to-peer model ........ 8
  1.4 VPN classification and applications ........ 9
    1.4.1 Remote access VPN ........ 10
    1.4.2 Site-to-site VPN ........ 11
    1.4.3 VPN applications ........ 13
  1.5 Summary ........ 14

CHAPTER 2 - TUNNELING PROTOCOLS ........ 15
  2.1 Introduction to tunneling protocols ........ 16
  2.2 Layer 2 Forwarding (L2F) ........ 16
    2.2.1 L2F packet structure ........ 17
    2.2.2 L2F operation ........ 17
    2.2.3 Advantages and drawbacks of L2F ........ 19
  2.3 Point-to-Point Tunneling Protocol (PPTP) ........ 20
    2.3.1 Overview of PPTP operation ........ 20
    2.3.2 Tunnel maintenance with the PPTP control connection ........ 21
    2.3.3 PPTP tunnel data encapsulation ........ 22
    2.3.4 Data processing at the PPTP tunnel endpoint ........ 24
    2.3.5 Deploying PPTP-based VPN ........ 24
    2.3.6 Advantages, drawbacks and applicability of PPTP ........ 25
  2.4 Layer 2 Tunneling Protocol (L2TP) ........ 26
    2.4.1 Overview of L2TP operation ........ 26
    2.4.2 Tunnel maintenance with L2TP control messages ........ 27
    2.4.3 L2TP tunnel data encapsulation ........ 27
    2.4.4 Data processing at the L2TP tunnel endpoint over IPSec ........ 30
    2.4.5 Deploying L2TP-based VPN ........ 30
    2.4.6 Advantages, drawbacks and applicability of L2TP ........ 31
  2.5 Summary ........ 32

CHAPTER 3 - IPSec-BASED VIRTUAL PRIVATE NETWORKS ........ 33
  3.1 Introduction to IPSec ........ 34
  3.2 IPSec encapsulation ........ 35
    3.2.1 Modes of operation ........ 35
    3.2.2 The Authentication Header (AH) protocol ........ 37
    3.2.3 The Encapsulating Security Payload (ESP) protocol ........ 41
  3.3 Security associations and key exchange ........ 45
    3.3.1 Security associations ........ 45
    3.3.2 IKE key exchange ........ 48
  3.4 Technical issues in implementing IPSec-based VPN ........ 54
    3.4.1 Encryption ........ 55
    3.4.2 Message integrity ........ 56
    3.4.3 Peer authentication ........ 57
    3.4.4 Key management ........ 58
  3.5 Example of an IPSec-based VPN ........ 58
  3.6 Open issues in IPSec ........ 59
  3.7 Summary ........ 60

CHAPTER 4 - MPLS-BASED VIRTUAL PRIVATE NETWORKS ........ 61
  4.1 Components of MPLS-VPN ........ 62
    4.1.1 The MPLS-VPN service provisioning system ........ 62
    4.1.2 The provider edge router ........ 63
    4.1.3 The virtual routing and forwarding table ........ 63
  4.2 MPLS-VPN models ........ 64
    4.2.1 The L3VPN model ........ 64
    4.2.2 The L2VPN model ........ 66
  4.3 MPLS-VPN operation ........ 67
    4.3.1 Distribution of routing information ........ 67
    4.3.2 VPN-IP addresses ........ 68
    4.3.3 VPN packet forwarding ........ 71
  4.4 Security in MPLS-VPN ........ 74
  4.5 Quality of service in MPLS-VPN ........ 75
    4.5.1 The pipe model ........ 76
    4.5.2 The hose model ........ 77
  4.6 Comparison of IPSec-based and MPLS-based VPN ........ 79
    4.6.1 Evaluation criteria ........ 79
    4.6.2 Salient features of IPSec-VPN and MPLS-VPN ........ 80
  4.7 Summary ........ 83

CHAPTER 5 - DEPLOYING AND APPLYING VPN ........ 84
  5.1 VPN deployment models ........ 85
  5.2 VNPT's MPLS-based VPN solution ........ 86
  5.3 The MegaWAN service provisioning model ........ 87
  5.4 Summary ........ 88

ABBREVIATIONS ........ 89
REFERENCES ........ 93

LIST OF FIGURES

Figure 1.1 Secure VPN model ........ 3
Figure 1.2 Remote access VPN model ........ 10
Figure 1.3 Intranet VPN model ........ 12
Figure 1.4 Extranet VPN model ........ 13
Figure 2.1 L2F packet format ........ 17
Figure 2.2 System model using L2F ........ 18
Figure 2.3 PPTP control connection packet ........ 22
Figure 2.4 PPTP tunnel data encapsulation ........ 22
Figure 2.5 PPTP encapsulation diagram ........ 23
Figure 2.6 Components of a PPTP-based VPN provisioning system ........ 24
Figure 2.7 L2TP control message ........ 27
Figure 2.8 L2TP tunnel data encapsulation ........ 28
Figure 2.9 L2TP encapsulation diagram ........ 29
Figure 2.10 Components of an L2TP-based VPN provisioning system ........ 30
Figure 3.1 IP packet processing in transport mode ........ 36
Figure 3.2 IP packet processing in tunnel mode ........ 36
Figure 3.3 Network device implementing IPSec in tunnel mode ........ 37
Figure 3.4 AH header structure for IPSec packets ........ 38
Figure 3.5 IPv4 packet format before and after AH processing ........ 40
Figure 3.6 IPv6 packet format before and after AH processing ........ 40
Figure 3.7 ESP encapsulation mechanism ........ 41
Figure 3.8 ESP packet format ........ 42
Figure 3.9 IPv4 packet format before and after ESP processing ........ 43
Figure 3.10 IPv6 packet format before and after ESP processing ........ 44
Figure 3.11 Combining tunnel-mode SAs when both endpoints coincide ........ 47
Figure 3.12 Combining tunnel-mode SAs when one endpoint coincides ........ 47
Figure 3.13 Combining tunnel-mode SAs when no endpoint coincides ........ 48
Figure 3.14 IKE phases and exchange modes ........ 49
Figure 3.15 ACL-based crypto access control ........ 50
Figure 3.16 IKE phase one in main mode ........ 51
Figure 3.17 Exchange of IPSec transform sets ........ 53
Figure 3.18 The established IPSec tunnel ........ 54
Figure 3.19 Example of an IPSec-based VPN connection ........ 59
Figure 4.1 The MPLS-VPN service provisioning system and its components ........ 62
Figure 4.2 PE router and customer site connectivity ........ 63
Figure 4.3 MPLS L3VPN model ........ 65
Figure 4.4 MPLS L2VPN model ........ 66
Figure 4.5 VPN-IPv4 address ........ 68
Figure 4.6 Route distinguisher field format ........ 69
Figure 4.7 Using labels to forward VPN packets ........ 71
Figure 4.8 Using the label stack to forward VPN packets ........ 72
Figure 4.9 Forwarding VPN data across the MPLS network ........ 73
Figure 4.10 Pipe model of quality of service in MPLS-VPN ........ 77
Figure 4.11 Hose model of quality of service in MPLS-VPN ........ 78
Figure 5.1 VNPT's model for providing VPN service over MPLS ........ 86
Figure 5.2 VNPT's MPLS-VPN connectivity solution ........ 87
Figure 5.3 MegaWAN service network model ........ 87

CHAPTER 1

GENERAL INTRODUCTION TO VPN

A VPN can be understood as a network that connects customer sites securely over a shared network infrastructure, with the same access control and security policies as a private network. Although it is built on the existing infrastructure of a public network, a VPN has the properties of a local network, much as if leased circuits were used. This chapter presents the basic concepts of VPN, its functions and characteristics, and on that basis classifies VPNs and sets out the advantages and difficulties of the different types of VPN.

This chapter covers:

- The VPN concept
- Functions, advantages and drawbacks of VPN
- VPN models
- Classification of VPN by application


1.1 The VPN concept

The virtual private network is not a new idea. VPNs were used in earlier telephone networks, but technical limitations kept them from being powerful or competitive. Recently, IP network infrastructure has made the VPN genuinely new again. Virtual private networks built on the public Internet give users new capabilities and a new outlook. VPN technology is the optimal communications solution for companies and organisations with many offices or branches. With the growth of Internet technology and bandwidth, VPN capabilities keep improving and the service has become a competitive and promising one.

A virtual private network is defined as a network connection deployed over a public network infrastructure with the same management and security policies as a local network. A VPN extends the reach of a LAN without geographical restriction. Businesses can use a VPN to give network access to mobile and remote users, to join dispersed branches into a single network, and to allow remote use of applications built on in-house services.

In practice two kinds of VPN are usually distinguished: the trusted VPN and the secure VPN.

A trusted VPN can be viewed as a set of circuits leased from a telecommunications service provider. Each leased circuit behaves like a wire in a local network. The privacy of a trusted VPN rests on the provider's guarantee that nobody else uses the same leased circuit. Customers of this kind of VPN trust the provider to preserve the integrity and confidentiality of the data carried over the network. Private networks built on leased lines are trusted VPNs.

A secure VPN is a VPN that uses cryptography to protect its data. Data leaving one network is encrypted, then carried across the public network like any other traffic to its destination, where it is decrypted by the receiver. The encrypted data can be thought of as travelling through a secure tunnel from source to destination. Even if an attacker can see the data on the link, they cannot read it because it is encrypted.

IPSec is an example of a protocol used for this kind of encryption. It is a standard for encrypting and authenticating IP packets at the network layer. IPSec comprises a set of cryptographic protocols serving two purposes: securing packets on the network and exchanging the cryptographic keys. IPSec is supported in Windows XP, 2000, 2003 and Vista, in Linux from kernel 2.6 onward, and in many other operating systems. Many vendors have moved quickly to develop and supply IPSec-VPN server and IPSec-VPN client products.


A virtual private network built over the Internet is an example of a secure VPN: it uses the open, distributed infrastructure of the Internet to carry data between the sites of the network (figure 1.1).

Figure 1.1 Secure VPN model

A VPN connection is dynamic: it is not fixed, and it exists as a real connection only while network traffic passes through it. The connection can change and adapt to many different environments. When a connection is requested it is set up and maintained regardless of the network infrastructure between the endpoints.

The private character of a VPN lies in the fact that the data carried is always kept confidential and can be accessed only by authorised users. This matters because the Internet Protocol was not originally designed to support any level of security; security is therefore supplied by adding VPN software or hardware.

1.2 Functions, advantages and drawbacks of VPN

1.2.1 Functions

A VPN provides three main functions: authentication, integrity and confidentiality.

Authentication

Before a VPN connection is established, both sides must authenticate each other, so that each is certain it is exchanging information with the intended party and not with someone else.

Integrity

Data must not be altered or disturbed in any way during transmission.

Confidentiality

The sender can encrypt data packets before sending them across the public network, and the data is decrypted at the receiving side. This way nobody can access the information without authorisation, and even someone who captures it cannot read it.
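The three properties above are easiest to see in code. The following is an added example, not part of the VNPT text: a minimal model of a protected tunnel packet using only the Python standard library. The cipher (an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC) is an illustrative construction chosen to avoid third-party dependencies; it is not IPSec ESP, and a real VPN would use a standard AEAD such as AES-GCM. The pre-shared key, payload and the names `protect`/`unprotect` are assumptions of this example.

```python
# Added example (not from the VNPT document): a minimal model of the three
# properties from section 1.2.1 using only the Python standard library.
# The cipher here (HMAC-SHA256 in counter mode, encrypt-then-MAC) is an
# illustrative construction, NOT IPSec ESP or any standard VPN cipher.
import hashlib
import hmac
import os
import struct

NONCE_LEN = 12
TAG_LEN = 16


def derive_keys(psk: bytes) -> tuple:
    """Split one pre-shared key into independent encryption and MAC keys."""
    enc_key = hmac.new(psk, b"vpn-enc", hashlib.sha256).digest()
    mac_key = hmac.new(psk, b"vpn-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def protect(psk: bytes, plaintext: bytes) -> bytes:
    """Sender side: encrypt, then MAC nonce||ciphertext. Output: nonce||ct||tag."""
    enc_key, mac_key = derive_keys(psk)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unprotect(psk: bytes, packet: bytes):
    """Receiver side: verify the tag first (constant time), then decrypt.
    Returns the plaintext, or None if the packet is forged, tampered with, or
    was produced with a different key (i.e. by a peer we did not authenticate)."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(psk)
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Exercise each property against a constructed packet (sample data, not captured)."""
    site_key = b"pre-shared key known only to the two sites"   # assumed PSK
    msg = b"GET /payroll HTTP/1.1"                             # constructed payload
    packet = protect(site_key, msg)

    # Confidentiality: an observer on the public network sees only ciphertext.
    observer_reads_plaintext = msg in packet

    # Integrity: flip one bit of the ciphertext; the receiver must reject it.
    tampered = bytearray(packet)
    tampered[NONCE_LEN] ^= 0x01
    tamper_detected = unprotect(site_key, bytes(tampered)) is None

    # Authentication: a packet built with some other key is not from our peer.
    forged = protect(b"attacker's key", msg)
    forgery_rejected = unprotect(site_key, forged) is None

    return {
        "roundtrip_ok": unprotect(site_key, packet) == msg,
        "observer_reads_plaintext": observer_reads_plaintext,
        "tamper_detected": tamper_detected,
        "forgery_rejected": forgery_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The order of operations in `unprotect` is the point worth noting: the tag is checked before anything is decrypted, so a forged or modified packet is dropped without the receiver ever acting on attacker-controlled plaintext.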

1.2.2 Advantages

A VPN brings real and immediate benefits to a company. It simplifies communication with remote and mobile staff, extends the intranet to every office and branch, and even extends an extranet to customers and key partners, while cutting cost substantially compared with buying equipment and lines for a private WAN. The direct and indirect benefits of a VPN include cost savings, flexibility, scalability and more.

Cost savings

Using a VPN reduces both capital and recurring costs. The total cost of owning a VPN is lower because less is paid for leased bandwidth, for backbone network equipment and for keeping the system running. Several studies show that the cost of LAN-to-LAN connectivity falls by 20 to 30% compared with traditional leased lines, and the cost of remote access falls by 60 to 80%.

Flexibility

Flexibility shows not only in operation and management but also in adapting to usage requirements. Customers can use many different kinds of connection to attach small offices or mobile users. A VPN service provider can offer customers a range of access options: 56 kbit/s modem, 128 kbit/s ISDN, xDSL, E1 and so on.

Scalability

Because a VPN is built on public network infrastructure, it can be deployed anywhere a public network (such as the Internet) exists. Since the Internet is now available everywhere, a VPN is very easy to extend. A remote office can connect to the company network quite simply over a telephone line or a DSL subscriber line. Scalability also means that when an office or branch needs more bandwidth it can be upgraded easily, and a VPN can just as easily be removed when it is no longer needed.

Reduced technical support

Standardising on one kind of connection from the mobile user to an ISP point of presence (POP), and standardising the security requirements, reduces the technical support resources a VPN needs. As service providers take on more of the network support, the technical support demanded of users keeps falling.


Reduced equipment requirements

By providing business access over the Internet, a VPN needs far less and simpler equipment than maintaining separate modems, terminal adapter cards and remote access servers. A business can set up its customer-side equipment for one environment, say T1 or E1, and the ISP handles the rest of the connection.

Meeting commercial needs

For new telecommunications equipment and technology the concerns are standardisation, manageability, network scalability and integration, backward compatibility, reliability and performance, and above all the commercial viability of the product. Today's VPN products and services follow common standards, partly to guarantee that a product works but, perhaps more importantly, so that products from different vendors can work together.

1.2.3 Drawbacks and open issues

Security risk

A VPN is usually cheaper and more efficient than a leased-line solution, but it carries security risks that are hard to foresee. Although most service providers advertise their solution as secure, security is never absolute. A VPN can be made harder to compromise by protecting its parameters properly, but this raises the cost of the service.

Reliability and performance

A VPN encrypts data to protect it, and heavy cryptographic processing can place a considerable load on the servers. The network administrator has to manage server load by limiting the number of simultaneous connections to what each server can handle. When the number of users trying to connect suddenly spikes and saturates the service, the administrators themselves can no longer connect because every VPN port is busy. This pressure can push administrators to create application-level workarounds that do not require the VPN, for example a proxy or an Internet Message Access Protocol (IMAP) service so that staff can read e-mail from home or on the road. Each such bypass is also a path around the VPN's access control and should be treated as one.

Choice of protocol

Choosing between IPSec and SSL/TLS is a difficult decision, and how each will be used is hard to predict. One thing to weigh is that


SSL/TLS works through a firewall that performs network address translation (NAT), whereas IPSec does not: the AH integrity check covers the IP addresses that NAT rewrites, and ESP carries no port numbers for a NAT to map. (Later IPSec implementations address this with NAT traversal, which encapsulates ESP in UDP.) Both protocols pass a firewall that does not translate addresses.

IPSec encrypts all IP traffic between two hosts, whereas SSL/TLS protects one application at a time. SSL/TLS uses asymmetric cryptography to set up the connection (to authenticate the peer and agree keys) and symmetric ciphers for the data itself, which is far more efficient than using asymmetric algorithms throughout. In practice an administrator may decide to combine the protocols to get the best balance of performance and security. For example, clients may reach a web server through a firewall over an SSL/TLS secure channel, the web server may talk to an application service over IPSec, and the application service may reach a database through further firewalls, again over SSL/TLS.
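The NAT problem above is easy to reproduce. This is an added example, not part of the VNPT text: it builds an IPv4 header, computes an AH-style integrity check value (ICV) over the immutable header fields plus the payload, lets a NAT rewrite the source address and checksum, and shows that the ICV no longer verifies while a payload-only check (the SSL/TLS situation) still does. The model is simplified: it omits the AH header itself and uses HMAC-SHA256 truncated to 128 bits as the ICV. Addresses and the SA key are constructed values.

```python
# Added example (not from the VNPT document): why an integrity check that
# covers the IP header, as IPSec AH does, cannot survive a NAT, while a check
# over only the application payload (the SSL/TLS case) can.
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
KEY = b"sa-auth-key-for-this-example"   # constructed SA key


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f">{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Header checksum computed with the checksum field treated as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def header_checksum_ok(header: bytes) -> bool:
    return ones_complement_sum(header) == 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, payload_len: int) -> bytes:
    """20-byte IPv4 header, DF set, protocol = AH, checksum filled in."""
    fields = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         0x4000, ttl, AH_PROTO, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack(">H", ipv4_checksum(fields)) + fields[12:]


def immutable_view(header: bytes) -> bytes:
    """Zero the fields AH treats as mutable in transit: TOS, flags/fragment
    offset, TTL and header checksum. Source and destination stay covered."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    return hmac.new(key, immutable_view(header) + payload, hashlib.sha256).digest()[:16]


def verify_ah(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def payload_mac(key: bytes, payload: bytes) -> bytes:
    """Transport-layer style protection: the IP header is not covered at all."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:16]


def nat_rewrite(header: bytes, new_src: str) -> bytes:
    """What a NAT does on the way out: new source address, new checksum."""
    h = header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]
    return h[:10] + struct.pack(">H", ipv4_checksum(h)) + h[12:]


def demo() -> dict:
    payload = b"constructed application data"
    hdr = build_ipv4_header("192.168.1.10", "203.0.113.5", 64, len(payload))
    icv = ah_icv(KEY, hdr, payload)
    pmac = payload_mac(KEY, payload)
    hdr_after_nat = nat_rewrite(hdr, "198.51.100.7")
    return {
        "nat_header_checksum_valid": header_checksum_ok(hdr_after_nat),
        "ah_ok_before_nat": verify_ah(KEY, hdr, payload, icv),
        "ah_ok_after_nat": verify_ah(KEY, hdr_after_nat, payload, icv),
        "payload_mac_ok_after_nat": hmac.compare_digest(payload_mac(KEY, payload), pmac),
    }


if __name__ == "__main__":
    print(demo())
```

The NAT produces a perfectly valid IP header (the checksum check passes), which is exactly why the receiving IPSec peer cannot tell a benign address rewrite from a deliberate one: AH is designed to reject both.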

1.3 VPN models

There are two models for deploying a VPN: customer-based and network-based. The customer-based model is also called the overlay model: the VPN is configured on the customer's equipment and uses tunneling protocols across the public network. The service provider sells virtual circuits between the customer's sites in the same way as leased lines.

The network-based model is also called the peer-to-peer model: the VPN is configured on the service provider's equipment and managed by the provider. The provider and the customer exchange layer 3 routing information, and the provider then places the data from the customer's sites onto the optimal path without the customer's involvement.

1.3.1 The overlay model

The overlay VPN model appeared very early and has been implemented with many technologies. Initially, VPNs were built with leased lines providing connectivity between customer locations. The customer bought leased-line service from the provider; the lines ran between the customer sites that needed connecting and were dedicated to that customer.

When Frame Relay arrived it was seen as a good supporting technology for VPN because it met the customer's connectivity requirements in the same way as a leased-line service. The difference is that the customer is not given dedicated lines but shares a common line on which virtual circuits are provisioned. These virtual circuits keep each customer's traffic separate. A virtual circuit may be a permanent virtual circuit (PVC) or a switched virtual circuit (SVC).


... this model with layer 2 technologies creates an unnecessary extra layer for providers whose networks are almost entirely IP-based, and so raises the operating cost of the network.

1.3.2 The peer-to-peer model

The peer-to-peer VPN model was introduced to overcome the limitations of the overlay model and to optimise the transport of data across the backbone. In this model the service provider takes part in the customer's routing: the provider edge (PE) router exchanges routing information directly with the customer edge (CE) router.

Routing in the peer-to-peer model is simpler (from the customer's point of view) because the customer router exchanges routing information with only one or a few PE routers, whereas in the overlay model the number of neighbouring routers can grow very large. Since the provider knows the customer's network topology, it can also set up optimal routing for traffic between the customer's sites.

Provisioning bandwidth is simpler too: the customer only needs to consider the inbound and outbound bandwidth at each site, not the full site-to-site traffic matrix as in the overlay model. Scaling is easier because the provider only has to add a site and change the configuration on the PE router, whereas in the overlay model the provider has to deal with the entire set of virtual circuits (VCs) between sites of the customer VPN.

A service provider can deploy the peer-to-peer model in two ways: with a shared router or with a dedicated router.

The shared-router method

VPN customers share one provider edge router, so several customers connect to the same PE. The PE must therefore carry an access list on every PE-CE interface to guarantee isolation between VPN customers and to stop one customer's VPN launching denial-of-service (DoS) attacks against another's. The provider allocates parts of its own address space to the customers and manages packet filtering on the PE router.
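What such a per-interface access list has to express, and why it grows unwieldy, can be shown with a small model. This is an added example, not part of the VNPT text or any vendor's ACL syntax: a first-match, implicit-deny evaluator in the style of router access lists, with constructed customer prefixes that the provider is assumed to have carved out of its own address space. Traffic from a source outside the customer's own prefixes (a spoofed packet) and traffic aimed at another customer both fall through to the implicit deny.

```python
# Added example (not from the VNPT document): inbound access list on the
# PE-CE interface of a shared PE router. Prefixes are constructed.
import ipaddress
from dataclasses import dataclass

# Address blocks the provider assigned to each VPN customer (constructed).
CUSTOMER_PREFIXES = {
    "A": ["10.1.1.0/24", "10.1.2.0/24"],
    "B": ["10.2.1.0/24"],
    "C": ["10.3.1.0/24", "10.3.2.0/24", "10.3.3.0/24"],
}


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def build_interface_acl(customer: str, prefixes: dict) -> list:
    """ACL applied inbound on the PE-CE interface of `customer`.

    Only flows from one of the customer's own prefixes to another of its own
    prefixes are permitted. Everything else (spoofed sources, other customers'
    prefixes, the provider core) hits the implicit deny, so one VPN can neither
    reach nor flood another. The list has k*k entries for k prefixes, and every
    interface of that customer must be updated whenever a prefix is added,
    which is the maintenance burden the text describes.
    """
    own = [ipaddress.ip_network(p) for p in prefixes[customer]]
    return [Rule("permit", s, d) for s in own for d in own]


def evaluate(acl: list, src: str, dst: str) -> str:
    """First-match semantics with an implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


def total_rules(prefixes: dict) -> int:
    """Entries the provider maintains across one interface per customer."""
    return sum(len(build_interface_acl(c, prefixes)) for c in prefixes)


if __name__ == "__main__":
    acl_a = build_interface_acl("A", CUSTOMER_PREFIXES)
    print("A -> A:", evaluate(acl_a, "10.1.1.5", "10.1.2.9"))
    print("A -> B:", evaluate(acl_a, "10.1.1.5", "10.2.1.9"))
    print("spoofed B -> A:", evaluate(acl_a, "10.2.1.5", "10.1.2.9"))
    print("rules in total:", total_rules(CUSTOMER_PREFIXES))
```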

The dedicated-router method

Here each VPN customer has its own dedicated PE router. The customer can reach only the routes in the routing table of its dedicated PE. Each router runs routing protocols to build a routing table for one VPN; that table holds only the routes advertised by the VPN customer attached to it, giving complete isolation between VPNs.

Routing on dedicated routers can work as follows:

- Any routing protocol may run between PE and CE;
- BGP runs between PE and PE;
- The PE redistributes the routes learned from the CE into BGP, marks them with the customer's identifier (ID) and passes them to the P router, which thus holds the routes of all customer VPNs;
- The P router passes only the appropriate routes to each PE, so a PE receives only routes originating from CE routers in its own VPN.
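The four steps above, as an added example that is not part of the VNPT text: a toy model in which dedicated PEs tag their CE routes with a customer ID, a P router collects all of them, and each PE receives back only the routes carrying its own ID. The customer IDs, prefixes and router names are constructed, and the tag is an opaque label standing in for whatever the real control plane uses (in MPLS L3VPN, covered in chapter 4, that role is played by route targets).

```python
# Added example (not from the VNPT document): route distribution in the
# dedicated-router variant of the peer-to-peer model. All names constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str        # the PE that learned the route from its CE
    customer_id: str     # tag added when the PE redistributes into BGP


class ProviderRouter:
    """P router: holds the routes of every customer VPN (step 3)."""

    def __init__(self):
        self.table = set()

    def receive(self, routes):
        self.table.update(routes)

    def routes_for(self, customer_id: str) -> set:
        """Step 4: hand a PE only the routes tagged with its customer's ID."""
        return {r for r in self.table if r.customer_id == customer_id}


class DedicatedPE:
    """PE serving exactly one customer; the PE-CE protocol is irrelevant here."""

    def __init__(self, name: str, customer_id: str, p_router: ProviderRouter):
        self.name, self.customer_id, self.p = name, customer_id, p_router
        self.vpn_table = set()

    def learn_from_ce(self, prefixes):
        """Steps 1-3: take CE routes, tag them with the customer ID, send to P."""
        tagged = {Route(p, self.name, self.customer_id) for p in prefixes}
        self.vpn_table.update(tagged)
        self.p.receive(tagged)

    def refresh_from_p(self) -> set:
        self.vpn_table.update(self.p.routes_for(self.customer_id))
        return self.vpn_table


def demo() -> dict:
    p = ProviderRouter()
    pe_a1 = DedicatedPE("PE-A1", "CUST-A", p)
    pe_a2 = DedicatedPE("PE-A2", "CUST-A", p)
    pe_b1 = DedicatedPE("PE-B1", "CUST-B", p)
    pe_a1.learn_from_ce(["10.1.1.0/24"])
    pe_a2.learn_from_ce(["10.1.2.0/24"])
    pe_b1.learn_from_ce(["10.2.1.0/24"])
    a2_prefixes = {r.prefix for r in pe_a2.refresh_from_p()}
    b1_prefixes = {r.prefix for r in pe_b1.refresh_from_p()}
    return {
        "routes_on_p_router": len(p.table),          # P carries every VPN's routes
        "pe_a2_sees": sorted(a2_prefixes),
        "pe_b1_sees": sorted(b1_prefixes),
        "isolated": not (a2_prefixes & b1_prefixes),
    }


if __name__ == "__main__":
    print(demo())
```

Note that isolation here depends entirely on the PE applying the right tag at redistribution time; a mis-tagged route would leak into another customer's table, which is why the text also counts the P router having to carry every customer's routes as a limitation of the model.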

The shared-router method is hard to maintain because it requires long and complex access lists on every interface of the router. The dedicated-router method is simpler to configure and easier to maintain, but the provider must spend heavily to serve a large number of customers well.

All customers share the same IP address space, so they must either use registered addresses in their private networks or depend on the provider for IP addresses. In either case, connecting a new customer to a peer-to-peer VPN service requires re-addressing the customer's network.

The limitation of the peer-to-peer model is that the provider must get the customer's routing right and ensure that the customer's network converges after a link failure. In addition, the provider's P routers must carry all of the customers' routes.

1.4 VPN classification and applications

A VPN supports many different applications. The basic requirement of a VPN is to control the access rights of customers, of service providers and of other outside parties. By application and by the capabilities they provide, VPNs can be divided into two kinds:

- Remote access VPN;
- Site-to-site VPN.

Site-to-site VPNs are in turn divided into two kinds:

- Intranet VPN;
- Extranet VPN.

1.4.1 Remote access VPN

Remote access VPNs provide remote access for users (Figure 1.2). At any time, employees or mobile branch offices can use VPN software to reach the company network through a gateway or VPN concentrator (essentially a server). This solution is therefore also called the client/server solution. Remote access VPN is the most typical kind of VPN, because it can be set up at any time and from any place with Internet connectivity.

A remote access VPN extends the company network to users over a shared infrastructure while the company's network policies are preserved. It can provide secure access for employees who travel frequently, for branches, and for the company's business partners. This kind of VPN is implemented over the public infrastructure using ISDN, dial-up, mobile IP, DSL or cable technology, and usually requires some kind of client software running on the user's computer.

A fairly new direction in remote access VPN is the wireless VPN, in which an employee reaches the company network over a wireless connection. In this design the wireless connections must first reach a wireless terminal and from there the company network. In both cases (wired and wireless), the client software on the PC initiates the secure connections, also called tunnels.

An important issue is the design of the initial authentication, which must ensure that a request comes from a trusted source. This initial phase is usually based on the same security policy of the company. That policy includes a number of technical procedures and server applications, for example Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+),

Figure 1.2 Remote access VPN model

The advantages of remote access VPN over traditional remote access methods are:

- remote access VPN needs no support from network staff because the remote connection is handled by the ISPs;
- long-distance connection costs are reduced because long-distance connections are replaced by local connections over the Internet;
- it provides low-cost connectivity for remote users;
- because the access connection is local, the modems operate at higher speeds than with long-distance access;
- VPN provides better access to company sites because it supports the lowest level of connection service.

Despite these advantages, remote access VPN still has inherent drawbacks:

- remote access VPN does not support services with QoS guarantees;
- the risk of data loss is high because packets may be delivered to the wrong place or lost;
- the complex encryption algorithms add significant protocol header overhead.

1.4.2 Site-to-Site VPN

Site-to-Site (LAN-to-LAN) VPN connects networks at different locations to the central network through a VPN. In this situation the initial authentication of the user becomes authentication between devices. These devices act as security gateways, carrying traffic securely from one site to another. Routers and firewalls with VPN support can both establish this kind of connection. The difference between remote access VPN and site-to-site VPN is only nominal; many new VPN devices can operate in both modes.

From the viewpoint of policy management, a site-to-site VPN can be regarded as either an intranet or an extranet VPN. If the network infrastructure is under a single administrative authority it can be regarded as an intranet VPN; otherwise it is regarded as an extranet. Access between sites must be strictly controlled by the corresponding devices.

1.4.2.1 Intranet VPN

An intranet VPN is a typical configuration of site-to-site VPN, used to secure the connections between the different locations of one company (Figure 1.3). It links the headquarters, offices and branches over a shared infrastructure using connections that are always encrypted. This allows every location to securely access the authorised data sources throughout the company network.

Figure 1.3 Intranet VPN model

An intranet VPN provides the characteristics of a WAN such as scalability, reliability and support for many different protocols at low cost while remaining flexible. The main advantages of the intranet VPN solution include:

- local or wide-area networks can be set up through one or more service providers;
- fewer technical support staff are needed on the network at remote locations;
- because the intermediate connection runs over the Internet, a new peer link can be added easily;
- cost savings from using VPN tunnels over the Internet combined with high-speed switching technologies.

However, the intranet solution based on VPN also has accompanying drawbacks:

- because data is tunnelled across a public network such as the Internet, threats to data security and to quality of service (QoS) remain;
- the probability that data packets are lost in transit is still fairly high;
- carrying large volumes of data such as multimedia, with high-speed and real-time requirements, is a major challenge in the Internet environment.

1.4.2.2 Extranet VPN

An extranet VPN is configured as a site-to-site VPN that provides secure tunnels between customers, suppliers and partners over a public network infrastructure (Figure 1.4). This kind of VPN uses connections that are always secured, and it is not isolated from the outside world as intranet or remote access VPNs are.

Figure 1.4 Extranet VPN model (a remote site connected over DSL or cable through an Internet POP to a router at the central site; intranet, extranet and business-to-business access)

The extranet VPN solution provides access control to the network resources that must be extended to business partners. The difference between intranet VPN and extranet VPN is that network access is granted at one of the two VPN endpoints.

The main advantages of extranet VPN include:

- the cost of an extranet VPN is much lower than other connectivity solutions that achieve the same goal;
- it is easy to set up, maintain and change on a running network;
- because the extranet VPN is built on the Internet, there are many options for providing services and choosing the solution that fits each company's needs;
- the Internet connections are maintained by the Internet service provider, so fewer network support staff are needed and the operating cost of the whole network drops.

Alongside these advantages, the extranet VPN solution also has accompanying drawbacks:

- keeping information secure is harder in such an extended environment, which raises the risk to the company's internal network;
- the possibility of data loss while crossing the public network remains;
- carrying large volumes of data with high-speed and real-time requirements is still a major challenge to be solved.

1.4.3 VPN applications

Both remote access VPN and site-to-site VPN give enterprises a way to build a virtual private network. Companies can extend their network to places it could not reach before. In many applications VPN allows significant cost savings: instead of many connections to the same headquarters, the VPN solution

consolidates traffic onto a single connection, creating an opportunity to cut costs both inside and outside the enterprise.

The Internet today is a good infrastructure that lets enterprises change their networks in many ways. Large companies can easily see that WAN connections over leased lines are very expensive and are gradually being replaced by VPN connections. For remote access, instead of slow connections or expensive leased-line services, users can now be given high-speed access services at low cost. Mobile users can also make use of high-speed Ethernet connections in hotels, airports and public places to work effectively. The saving on long-distance call charges alone is a very persuasive reason to use VPN.

Another benefit of VPN is that it lets companies roll out new e-commerce applications quickly. In this case, however, a few factors must be considered carefully. The main obstacles of the Internet are security, quality of service, reliability and manageability.

1.5 Chapter summary

A VPN is defined as a network that securely connects customer sites over a shared network infrastructure, with access-control and security policies like those of a private network. Although it is built on the existing public network infrastructure, a VPN has the properties of a private network, as when leased lines are used. It connects the branches of a company and its partners, and provides control over the access rights of customers, service providers and other outside parties.

The range of VPN applications is very large. Many vendors around the world predict that VPN will be a strongly growing service in the future, so getting acquainted with this new technology is clearly essential. This chapter presented the basic concepts of VPN, the functions and characteristics of VPN, the models for building VPNs, and the classification of VPNs by form and scope of application. The material is only an overview intended to give the reader a general picture of VPN. The technical issues involved in implementing a VPN are presented in the following chapters.

CHAPTER 2

TUNNELING PROTOCOLS

Tunneling is one of the foundational concepts of VPN. A tunneling protocol encapsulates data with the corresponding headers for transport across the Internet. This chapter introduces the common tunneling protocols in use for IP-VPN: L2F, PPTP and L2TP. IPSec is covered in detail in Chapter 3 together with the technical aspects directly related to implementing IP-VPN.

This chapter covers:

- Introduction to tunneling protocols
- Layer 2 Forwarding protocol (L2F)
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)

2.1 Introduction to tunneling protocols

Tunneling protocols are the foundation of VPN technology. There are several tunneling protocols, and the choice of protocol is tied to the authentication and encryption methods that go with it. The common tunneling protocols today are:

- Layer Two Forwarding (L2F);
- Point to Point Tunneling Protocol (PPTP);
- Layer Two Tunneling Protocol (L2TP);
- Internet Protocol Security (IPSec).

Both L2F and PPTP were developed on top of the Point to Point Protocol (PPP). PPP is a layer 2 serial communication protocol that can encapsulate IP internetwork data and supports multiple upper-layer protocols. L2F was developed by Cisco alone, whereas PPTP was developed jointly by several companies. On the basis of L2F and PPTP, the IETF developed the L2TP tunneling protocol. Today PPTP and L2TP are used more widely than L2F.

Among these tunneling protocols, IPSec is the best solution in terms of data security. It supports the strongest authentication and encryption methods. IPSec is also highly flexible: it is not bound to any particular authentication or encryption algorithm, and it can be used together with other tunneling protocols to increase the security of the system.

Despite its clear advantages in data security over the other tunneling protocols, IPSec also has some drawbacks. First, IPSec is a new standards framework that is still being developed, so not many vendors offer products that support it. Second, to take full advantage of IPSec's data security, a complex Public Key Infrastructure (PKI) is needed to handle issues such as digital certificates and digital signatures.

Unlike IPSec, PPTP and L2TP are finished standards, so products supporting them are relatively common. PPTP can be deployed with a simple password system without using a PKI. PPTP and L2TP also have other advantages over IPSec, such as support for multiple upper-layer protocols. Hence, while IPSec is still maturing, PPTP and L2TP remain in wide use; in particular they are commonly used in remote access applications.

2.2 Layer 2 Forwarding protocol L2F

L2F, the earliest of these protocols, is the traditional way for remote users to reach a company network through a remote access

device. L2F provides a solution for virtual dial-up service by establishing a secure tunnel over a public infrastructure such as the Internet. It encapsulates PPP packets in the L2F format and tunnels them at the data link layer.

2.2.1 L2F packet structure

The L2F packet format is shown in Figure 2.1.

  1 bit  1 bit  1 bit  1 bit  8 bit     1 bit  3 bit    8 bit     8 bit
  F      K      P      S      Reserved  C      Version  Protocol  Sequence
  Multiplex ID (16 bit)                 Client ID (16 bit)
  Length (16 bit)                       Offset (16 bit)
  Key (32 bit)
  Data
  Checksum (16 bit)

Figure 2.1 L2F packet format

The fields of the L2F packet have the following meaning:

- F: indicates that the Offset field is present;
- K: indicates that the Key field is present;
- P (Priority): sets the packet priority;
- S: indicates that the Sequence field is present;
- Reserved: always set to 00000000;
- Version: the version of L2F used to build the packet;
- Protocol: identifies the protocol encapsulated by L2F;
- Sequence: the sequence number, given when the S bit in the L2F header is 1;
- Multiplex ID: identifies an individual connection within a tunnel;
- Client ID: helps demultiplex tunnels at the endpoints;
- Length: the length of the packet in bytes, not including the checksum;
- Offset: the number of bytes past the L2F header at which the payload data begins. This field is present when the F bit is 1;
- Key: part of the authentication process (present when the K bit is 1);
- Checksum: the checksum of the packet (present when the C bit is 1).
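As an added illustration of the field layout above (this code is not part of the original text), the following Python builds and parses L2F frames following Figure 2.1 and the field list: each optional field is read only when its flag bit is set, Length excludes the checksum, and the checksum is taken to be the UDP-style one's-complement sum over header and payload. The Protocol value 0x02 for PPP and the sample PPP bytes are assumptions made for the demo.

```python
import struct

# Bit masks for the first 32-bit word of the L2F header laid out in
# Figure 2.1: F K P S | 8 reserved bits | C | 3-bit Version | 8-bit
# Protocol | 8-bit Sequence.  The Sequence byte is only meaningful when S=1.
F_BIT = 1 << 31   # Offset field present
K_BIT = 1 << 30   # Key field present
P_BIT = 1 << 29   # priority packet
S_BIT = 1 << 28   # Sequence number present
C_BIT = 1 << 19   # Checksum present (after the payload)

L2F_PROTO_PPP = 0x02  # Prot value for an encapsulated PPP frame (RFC 2341)

# Constructed sample payload: the first bytes of a PPP LCP frame, used only
# to exercise the parser.
SAMPLE_PPP = b"\xc0\x21\x01\x01\x00\x04"


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum, the UDP-style checksum the text says the
    L2F checksum option uses (assumed here to cover header plus payload)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_l2f(payload: bytes, *, mux_id: int, client_id: int,
              protocol: int = L2F_PROTO_PPP, version: int = 1,
              sequence=None, offset=None, key=None,
              checksum: bool = False, priority: bool = False) -> bytes:
    """Assemble an L2F frame; optional fields appear only when given."""
    word0 = ((version & 0x7) << 16) | ((protocol & 0xFF) << 8)
    if priority:
        word0 |= P_BIT
    if sequence is not None:
        word0 |= S_BIT | (sequence & 0xFF)
    if offset is not None:
        word0 |= F_BIT
    if key is not None:
        word0 |= K_BIT
    if checksum:
        word0 |= C_BIT
    optional = b""
    if offset is not None:
        optional += struct.pack("!H", offset)
    if key is not None:
        optional += struct.pack("!I", key)
    padding = b"\x00" * (offset or 0)
    # Length counts everything except the trailing checksum.
    length = 4 + 4 + 2 + len(optional) + len(padding) + len(payload)
    frame = (struct.pack("!IHHH", word0, mux_id, client_id, length)
             + optional + padding + payload)
    if checksum:
        frame += struct.pack("!H", internet_checksum(frame))
    return frame


def parse_l2f(frame: bytes) -> dict:
    """Decode an L2F frame into its header fields and payload, reading each
    optional field only when its flag bit is set, as the field list says."""
    if len(frame) < 10:
        raise ValueError("frame shorter than the fixed L2F header")
    word0, mux_id, client_id, length = struct.unpack("!IHHH", frame[:10])
    if length > len(frame):
        raise ValueError("Length field exceeds the received frame")
    hdr = {
        "version": (word0 >> 16) & 0x7,
        "protocol": (word0 >> 8) & 0xFF,
        "priority": bool(word0 & P_BIT),
        "sequence": (word0 & 0xFF) if word0 & S_BIT else None,
        "mux_id": mux_id,
        "client_id": client_id,
        "length": length,
    }
    pos = 10
    hdr["offset"] = 0
    if word0 & F_BIT:
        (hdr["offset"],) = struct.unpack("!H", frame[pos:pos + 2])
        pos += 2
    hdr["key"] = None
    if word0 & K_BIT:
        (hdr["key"],) = struct.unpack("!I", frame[pos:pos + 4])
        pos += 4
    hdr["checksum"] = None
    hdr["checksum_ok"] = None
    if word0 & C_BIT:
        if len(frame) < length + 2:
            raise ValueError("C bit set but no checksum follows the payload")
        (hdr["checksum"],) = struct.unpack("!H", frame[length:length + 2])
        hdr["checksum_ok"] = internet_checksum(frame[:length]) == hdr["checksum"]
    hdr["payload"] = frame[pos + hdr["offset"]:length]
    return hdr


if __name__ == "__main__":
    f = build_l2f(SAMPLE_PPP, mux_id=1, client_id=0x1234, sequence=7,
                  key=0xDEADBEEF, checksum=True)
    print(parse_l2f(f))
```

A receiver that honours the Length field and verifies the checksum before trusting the payload catches truncated or corrupted frames early; the checksum is an integrity check against transmission errors only, not against a deliberate modifier, which is why the text lists the absence of encryption among L2F's drawbacks.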

2.2.2 Operation of L2F

L2F encapsulates layer 2 packets (in this case PPP) and then carries them across the network. A system using L2F consists of the following components (Figure 2.2):

- Network Access Server (NAS): directs traffic to and from the remote client and the Home Gateway. An ERX system can act as the NAS.
- Tunnel: defines the path between the NAS and the Home Gateway. A tunnel consists of a number of connections.
- Home Gateway: the peer of the NAS, the tunnel endpoint that belongs to the private network.
- Connection: a PPP connection inside the tunnel. In the CLI an L2F connection is regarded as a session.
- Destination: the far-end endpoint of the tunnel. In this case the Home Gateway is the destination.

Figure 2.2 Model of a system using L2F

L2F operation covers connection, tunnel and session establishment. The steps are as follows:

1) A remote user dials in to the NAS and starts a PPP connection to the ISP.
2) The NAS and the client exchange Link Control Protocol (LCP) packets.
3) The NAS uses a local database keyed by domain name, or RADIUS authentication, to decide whether the user requires L2F service.
4) If the user requires L2F, the process continues and the NAS obtains the address of the Home Gateway.
5) A tunnel is established from the NAS to the Home Gateway if none exists between them yet. Tunnel establishment includes an authentication phase from the ISP to the Home Gateway to defend against attacks by third parties.
6) A new PPP connection is created inside the tunnel, which has the effect of extending the PPP session from the remote user to the Home Gateway. This connection

is established as follows: the Home Gateway receives the options and all PAP/CHAP authentication information as negotiated between the user's terminal and the NAS. The Home Gateway either accepts the connection or renegotiates LCP and re-authenticates the user.
7) When the NAS receives data traffic from the user, it encapsulates the traffic in L2F frames and directs them into the tunnel.
8) At the Home Gateway the L2F framing is stripped and the encapsulated data is forwarded to the company network.

Once the system has established destinations, tunnels and sessions, L2F traffic must be controlled and managed as follows:

- prevent the creation of new destinations, tunnels and sessions;
- close and reopen all or selected destinations, tunnels and sessions;
- optionally verify UDP checksums;
- set the system idle timeout and keep a database of tunnels and connections.

Changing a destination affects all tunnels and sessions to that destination; changing a tunnel affects all sessions in that tunnel. For example, terminating a destination closes all tunnels and sessions to it.

L2F provides a number of commands for these functions, for example:

- l2f checksum: verifies the data integrity of L2F frames using the UDP checksum, e.g. host1(config)#l2f checksum
- l2f destruct-timeout: sets the idle timeout, in the range 10 to 3600 seconds, e.g. host1(config)#l2f destruct-timeout 1200

2.2.3 Advantages and disadvantages of L2F

L2F has the following advantages:

- it allows multiprotocol tunnels;
- it is supported by many vendors.

The main disadvantages of L2F are:

- no encryption;
- limited user authentication;
- no flow control for the tunnel.

2.3 Point-to-Point Tunneling Protocol PPTP

The Point-to-Point Tunneling Protocol was first put forward by a group of companies known as the PPTP Forum. The basic idea is to separate the generic and the specific functions of remote access, using the existing Internet infrastructure to create a secure connection between the remote user (client) and the private network. The remote user only has to dial the local Internet service provider to create a secure tunnel to their private network.

PPTP builds on the functions of PPP, providing dial-up access that creates a secure tunnel across the Internet to the destination site. PPTP uses a redefined version of Generic Routing Encapsulation (GRE) to encapsulate and decapsulate PPP packets. This lets PPTP flexibly handle non-IP protocols such as IPX and NetBEUI.

2.3.1 Overview of PPTP operation

PPP has become the most common access protocol for the Internet and IP networks today. Working at the data link layer of the OSI model, PPP includes encapsulation and decapsulation methods for different kinds of packets carried over serial links. PPP can encapsulate IP, IPX and NetBEUI packets and carry them over a point-to-point connection from sender to receiver.

PPTP encapsulates PPP frames in IP datagrams for transport over an IP network (Internet or intranet). PPTP uses a TCP connection (the PPTP control connection) to create, maintain and terminate the tunnel, and a version of GRE to encapsulate the PPP frames. The payload of the PPP frame can be encrypted and/or compressed.

PPTP uses PPP to:

- establish and terminate the physical connection;
- authenticate the user;
- build the PPP data packets.

PPTP assumes an IP network between the PPTP client (a VPN client using PPTP) and the PPTP server (a VPN server using PPTP). The PPTP client may connect directly by dialling a network access server (NAS) to establish the IP connection. When a PPP connection is established the user is normally authenticated. This phase is optional in PPP, but ISPs always provide it.

Authentication during PPTP connection setup uses the authentication mechanisms of the PPP connection, which can be:

- Extensible Authentication Protocol (EAP);

- Challenge Handshake Authentication Protocol (CHAP);
- Password Authentication Protocol (PAP).

With PAP the password is sent over the link as plain text, with no protection. CHAP is a stronger authentication protocol that uses a three-way handshake. CHAP resists replay attacks by using challenge values that are unique and unpredictable.
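To make the PAP/CHAP difference concrete, here is an added Python example (not from the original text) that contrasts what each protocol puts on the wire and shows why a captured CHAP response cannot be replayed: the authenticator consumes each challenge on first use, and a fresh challenge yields a different expected digest. The response is the RFC 1994 MD5 form; the peer name, secret and the injectable challenge source are constructed for the demo.

```python
import hashlib
import hmac
import os


def pap_authenticate_request(peer_id: bytes, password: bytes) -> dict:
    """PAP Authenticate-Request content: the password crosses the link in
    the clear, so anyone who can read the link can reuse it."""
    return {"peer_id": peer_id, "password": password}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP MD5 response (RFC 1994): MD5(Identifier || secret || challenge).
    The secret never crosses the link; only this digest does."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side of CHAP: issues challenges and checks responses.

    `secrets` maps peer names to shared secrets; `rng` is the challenge
    source (os.urandom by default, injectable so tests can run offline)."""

    def __init__(self, secrets: dict, rng=os.urandom):
        self.secrets = secrets
        self.rng = rng
        self.ident = 0
        self.outstanding = {}  # ident -> challenge still awaiting a response

    def challenge(self):
        """Return (Identifier, Challenge value) for a new handshake."""
        self.ident = (self.ident + 1) & 0xFF
        value = self.rng(16)  # unique and unpredictable, as the text requires
        self.outstanding[self.ident] = value
        return self.ident, value

    def verify(self, ident: int, name: bytes, response: bytes) -> bool:
        """Check a Response against the challenge issued under `ident`.
        Each challenge is consumed on first use, so a captured response can
        never be replayed, even against the same Identifier."""
        value = self.outstanding.pop(ident, None)
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)


def demo_replay():
    """Run one honest CHAP exchange, then replay the captured response.
    Returns (honest_ok, replay_vs_new_challenge, replay_vs_old_ident)."""
    auth = ChapAuthenticator({b"alice": b"constructed-secret"})
    ident, chal = auth.challenge()
    resp = chap_response(ident, b"constructed-secret", chal)  # peer side
    honest = auth.verify(ident, b"alice", resp)
    # An eavesdropper later replays the captured (ident, resp) pair.
    ident2, _chal2 = auth.challenge()                 # fresh challenge
    replayed_new = auth.verify(ident2, b"alice", resp)
    replayed_old = auth.verify(ident, b"alice", resp)  # ident already consumed
    return honest, replayed_new, replayed_old


if __name__ == "__main__":
    print(pap_authenticate_request(b"bob", b"hunter2"))  # password visible
    print(demo_replay())                                  # (True, False, False)
```

The constant-time comparison and the one-shot challenge table are the two details most often missed in hand-written CHAP verifiers; the MD5 digest itself is dictated by the protocol, which is why the text recommends stronger mechanisms (MS-CHAP, EAP) and encryption on top of the tunnel.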

PPTP also inherits PPP's encryption and/or compression of the payload. The PPP payload can be encrypted with Microsoft Point-to-Point Encryption (MPPE). MPPE provides only link-level encryption, not end-to-end encryption. If end-to-end encryption is needed, IPSec can be used to encrypt the IP traffic between the endpoints after the PPTP tunnel has been established.

After PPP has established the connection, PPTP uses the PPP encapsulation rules to encapsulate packets for the tunnel. To take advantage of the connection created by PPP, PPTP defines two kinds of packets, control and data, and assigns them to two separate channels: the control channel and the data channel. PPTP separates the control channel and the data channel into a control stream over TCP and a data stream over IP. The TCP connection between the PPTP client and the PPTP server is used to carry control messages.

Data packets carry ordinary user data. Control packets are sent periodically to obtain connection status and to manage signalling between the PPTP client application and the PPTP server. Control packets are also used to exchange device management and configuration information between the two ends of the tunnel.

The control channel is required to establish a tunnel between the PPTP client and server. The PPTP server is a server running the PPTP protocol with one interface to the Internet and another to the intranet, while the client software can reside on the remote user's machine or on the ISP's server.

2.3.2 Tunnel maintenance with the PPTP control connection

The PPTP control connection is a connection between the IP address of the PPTP client (using a dynamically assigned TCP port) and the IP address of the PPTP server (using the reserved TCP port 1723). The control connection carries the control and management messages used to maintain the PPTP tunnel. These include periodic PPTP Echo-Request and PPTP Echo-Reply messages to detect connectivity failures between the PPTP client and server. A PPTP control connection packet consists of an IP header, a TCP header, the PPTP control message, and the data link layer header and trailer (Figure 2.3).

Figure 2.3 PPTP control connection packet

2.3.3 PPTP tunnel data encapsulation

PPP and GRE encapsulation

PPTP tunnel data is encapsulated in several layers. Figure 2.4 shows the structure of the encapsulated data:

  Data link header | IP header | GRE header | PPP header | encrypted PPP payload (IP, IPX, NetBEUI) | Data link trailer

Figure 2.4 PPTP tunnel data encapsulation

The original PPP payload is encrypted and encapsulated with a PPP header to form the PPP frame. The PPP frame is then encapsulated with the header of the modified version of GRE.

GRE is a generic encapsulation protocol that provides a mechanism for encapsulating data to be routed over IP networks. For PPTP the GRE header is modified in the following ways:

- a 32-bit acknowledgment field is added;
- an acknowledgment bit is used to indicate the presence of the 32-bit acknowledgment field;
- the Key field is replaced by a 16-bit Payload Length field and a 16-bit Call ID field. The Call ID is set by the PPTP client during PPTP tunnel creation.

IP encapsulation

The (encrypted) PPP payload and the GRE header are then encapsulated with an IP header containing the appropriate source and destination addresses of the PPTP client and server.

Data link layer encapsulation

To be transmitted over a LAN or WAN, the final IP packet is encapsulated with the header and trailer of the data link layer of the outgoing physical interface. For example, if the IP packet is sent over an Ethernet interface it is framed with an Ethernet header and trailer; if it is sent over a point-to-point WAN link (such as an analog telephone line or ISDN) it is encapsulated with a PPP header and trailer.
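The modified GRE header is easier to see in code. This added Python example (not from the original text) encodes and decodes the PPTP GRE header with the Key word split into Payload Length and Call ID, the optional Sequence and Acknowledgment words announced by the S and A bits, and a small receiving endpoint that accepts packets only for Call IDs the control connection set up and drops repeated sequence numbers. The protocol type 0x880B and the flag positions follow RFC 2637; the sample PPP bytes and call IDs are constructed.

```python
import struct

GRE_PROTO_PPP = 0x880B  # protocol type for PPP carried by PPTP's GRE

# Flag bits of the enhanced GRE header used by PPTP (RFC 2637): K is always
# set because the Key word now carries Payload Length and Call ID; S and A
# announce the optional Sequence and Acknowledgment words; Ver is 1.
K_FLAG = 0x2000
S_FLAG = 0x1000
A_FLAG = 0x0080
VERSION = 0x0001
VERSION_MASK = 0x0007

# Constructed sample PPP frame: Protocol ID 0x0021 (IP) plus dummy bytes.
SAMPLE_PPP = b"\x00\x21" + b"\x45\x00\x00\x14" + b"\x00" * 16


def build_pptp_gre(ppp_frame: bytes, call_id: int, seq=None, ack=None) -> bytes:
    """Wrap a PPP frame in the PPTP-modified GRE header."""
    flags = K_FLAG | VERSION
    if seq is not None:
        flags |= S_FLAG
    if ack is not None:
        flags |= A_FLAG
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp_frame


def parse_pptp_gre(packet: bytes) -> dict:
    """Strip the modified GRE header; raise on anything PPTP would not send."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", packet[:8])
    if proto != GRE_PROTO_PPP:
        raise ValueError("GRE protocol type is not PPP (0x880B)")
    if not flags & K_FLAG or (flags & VERSION_MASK) != VERSION:
        raise ValueError("not an enhanced-GRE (version 1, K=1) header")
    pos = 8
    seq = ack = None
    if flags & S_FLAG:
        (seq,) = struct.unpack("!I", packet[pos:pos + 4])
        pos += 4
    if flags & A_FLAG:
        (ack,) = struct.unpack("!I", packet[pos:pos + 4])
        pos += 4
    payload = packet[pos:pos + payload_len]
    if len(payload) != payload_len:
        raise ValueError("Payload Length exceeds the received packet")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": payload}


class PptpTunnelEndpoint:
    """Receiving side of a PPTP tunnel: demultiplexes GRE packets by the
    Call ID the control connection handed out and drops stale sequence
    numbers, the two checks a server makes before the PPP payload is
    handed to the LAN."""

    def __init__(self, call_ids):
        # Call IDs assigned over the TCP 1723 control connection (constructed).
        self.last_seq = {cid: -1 for cid in call_ids}
        self.delivered = []

    def receive(self, packet: bytes) -> bool:
        try:
            h = parse_pptp_gre(packet)
        except ValueError:
            return False
        if h["call_id"] not in self.last_seq:
            return False                      # no such call on this tunnel
        if h["seq"] is not None:
            if h["seq"] <= self.last_seq[h["call_id"]]:
                return False                  # duplicate or out-of-order
            self.last_seq[h["call_id"]] = h["seq"]
        self.delivered.append((h["call_id"], h["ppp"]))
        return True


if __name__ == "__main__":
    ep = PptpTunnelEndpoint([0x1A2B])
    print(ep.receive(build_pptp_gre(SAMPLE_PPP, 0x1A2B, seq=0)))  # True
    print(ep.receive(build_pptp_gre(SAMPLE_PPP, 0x9999, seq=0)))  # False
```

Because GRE carries no port numbers, the Call ID is the only thing that ties a data packet to a tunnel; that is also why a packet-filtering firewall in front of a PPTP server must pass GRE (IP protocol 47) in addition to TCP port 1723, as section 2.3.5 notes.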

Encapsulation diagram

Figure 2.5 is an example of PPTP encapsulation from a client over a remote access VPN connection using an analog modem.

Figure 2.5 PPTP encapsulation diagram

The encapsulation process is as follows:

- IP or IPX packets or NetBEUI frames are submitted by the corresponding protocol to the virtual interface representing the VPN connection, using the Network Driver Interface Specification (NDIS).
- NDIS submits the packet to NDISWAN, which encrypts and compresses the data and supplies the PPP header. This PPP header consists only of the PPP Protocol ID field, without the Flags and Frame Check Sequence (FCS) fields. It is assumed that the Address and Control fields were negotiated by the Link Control Protocol (LCP) during PPP connection setup.
- NDISWAN submits the data to the PPTP protocol, which encapsulates the PPP frame with a GRE header. In the GRE header the Call ID field is set to the appropriate value to identify the tunnel.
- PPTP then submits the resulting packet to TCP/IP.
- TCP/IP encapsulates the PPTP tunnel data with an IP header and submits the result to the interface representing the dial-up connection to the local ISP, using NDIS.
- NDIS submits the packet to NDISWAN, which supplies the PPP header and trailer.
- NDISWAN submits the resulting PPP frame to the appropriate WAN port representing the dial-up hardware (for example, an asynchronous port for a modem connection).

2.3.4 Processing data at the PPTP tunnel endpoint

On receiving PPTP tunnel data, the PPTP client or server performs the following steps:

- process and remove the data link layer header and trailer;
- process and remove the IP header;
- process and remove the GRE and PPP headers;
- decrypt and/or decompress the PPP payload (if required);
- process the payload for receipt or forwarding.

2.3.5 Deploying a PPTP-based VPN

Deploying a VPN based on PPTP requires at minimum the components shown in Figure 2.6:

- a network access server for secure dial-up access to the VPN;
- a PPTP server;
- PPTP clients with the necessary client software.

Figure 2.6 Components of a PPTP-based VPN system

PPTP servers are located on the company network and managed by the company's staff.

PPTP server

The PPTP server has two main functions: it is the endpoint of the PPTP tunnel, and it forwards packets arriving from the tunnel to the private LAN. The PPTP server forwards packets to the destination host by processing the PPTP packet to obtain the destination computer's network address. The PPTP server can also filter packets. Using the

PPTP packet filtering mechanism, the server can deny or allow access to the Internet, the private network, or both.

Placing the PPTP server at a network site has one limitation when the PPTP server sits behind a firewall. PPTP is designed so that only one TCP port, 1723, is used to carry data. A flaw in the configuration of this port can make the firewall more vulnerable to attack. If the firewall is configured to filter packets, it must be set to let GRE through.

Another device, introduced in 1998 by 3Com, with a function similar to a PPTP server, is the tunnel switch. Its purpose is to extend a tunnel from one network to another, stretching the tunnel from the ISP's network to the private network. A tunnel switch can be used at the firewall to improve management of remote access to internal network resources. It can inspect incoming and outgoing packets, the protocol of the PPP frames, or the remote user's name.

PPTP client software

If the ISP's equipment already supports PPTP, no additional hardware or software is needed on the client machines; a standard PPP connection is enough. If the ISP's equipment does not support PPTP, a client application can still create a secure connection by first dialling the ISP with PPP and then dialling again through the virtual PPTP port set up on the client machine.

PPTP client software is included in Windows 9x, NT and later operating systems. When choosing a PPTP client, its functions must be compared with those of the existing PPTP server. Not all PPTP client software supports MS-CHAP; without it the encryption advantages of RRAS cannot be used.

Network access server

The network access server (NAS) is also known as the remote access server or access concentrator. The NAS provides software-based line access, accounting and fault tolerance at the ISP POP. An ISP's NAS is designed to let a large number of users dial in at the same time.

If an ISP offers PPTP service, it must install a PPTP-enabled NAS to support clients running on different platforms such as Unix, Windows, Macintosh, etc. In this case the ISP's server acts as a PPTP client that connects to the PPTP server on the private network; the ISP's server becomes one endpoint of the tunnel and the server at the edge of the private network is the other.

2.3.6 Advantages, disadvantages and applicability of PPTP

The advantage of PPTP is that it is designed to operate at layer 2 (the data link layer), whereas IPSec operates at layer 3 of the OSI model. By supporting layer 2 transport, PPTP can tunnel protocols other than IP, whereas IPSec can only tunnel IP packets.

However, PPTP is a temporary solution, since most vendors plan to replace PPTP with L2TP now that the latter has been standardised. PPTP suits dial-up access with a limited number of users better than LAN-to-LAN VPN. One problem with PPTP is handling user authentication through Windows NT or through RADIUS. The PPTP server is also overloaded by a large number of dial-up users or a large volume of data traffic, which is exactly what a LAN-to-LAN connection requires.

When a PPTP-based VPN relies on ISP equipment, some management rights must be shared with the ISP. The security of PPTP is not as strong as IPSec; on the other hand, security management in PPTP is simpler.

2.4 Layer 2 Tunneling Protocol L2TP

2.4.1 Overview of L2TP operation

To avoid two incompatible tunneling protocols coexisting and causing difficulty for users, the IETF merged L2F and PPTP into L2TP. L2TP takes the advantages of both PPTP and L2F and can be used in all the application scenarios of the two protocols. L2TP is described in RFC 2661.

An L2TP tunnel can be initiated from a remote PC dialling into an L2TP Network Server (LNS), or from an L2TP Access Concentrator (LAC) to an LNS. Although L2TP still uses PPP, it defines its own tunneling mechanism depending on the transport medium and does not use GRE.

L2TP encapsulates PPP frames for transport over IP, X.25, Frame Relay or ATM networks. However, so far only L2TP over IP has been defined. Over IP, L2TP frames are encapsulated as UDP messages. L2TP can be used as a tunneling protocol over the Internet or over private intranets. L2TP uses UDP messages over IP both for the tunnelled data and for tunnel maintenance. The payload of the encapsulated PPP frame can be encrypted and compressed. Encryption of L2TP connections is usually provided by IPSec ESP (rather than MPPE, as with PPTP). An L2TP connection can also be created without IPSec encryption, but this is not an IP-VPN connection because the private data encapsulated by L2TP is not encrypted. Unencrypted L2TP connections can be used temporarily to troubleshoot L2TP-over-IPSec connection problems.

L2TP assumes an IP network between the client (a VPN client using the L2TP tunneling protocol and IPSec) and the L2TP server. The L2TP client can be connected directly to

the IP network to reach the L2TP server, or indirectly by dialling a network access server (NAS) to establish the IP connection. Authentication during L2TP tunnel setup must use the PPP authentication mechanisms such as EAP, MS-CHAP, CHAP and PAP. The L2TP server is an IP-VPN server running L2TP with one interface to the Internet and another to the intranet.

L2TP uses two kinds of messages: control and data. Control messages are responsible for establishing, maintaining and tearing down tunnels. Data messages encapsulate the PPP frames carried over the tunnel. Control messages use a reliable control mechanism inside L2TP to guarantee delivery, whereas data messages are not retransmitted when lost in transit.

2.4.2 Tunnel maintenance with L2TP control messages

Unlike PPTP, L2TP tunnel maintenance is not carried over a separate TCP connection. Control and call-maintenance traffic is sent as UDP messages between the L2TP client and server (both using UDP port 1701).

L2TP control messages over IP are sent as UDP packets. The UDP packet is in turn encrypted by IPSec ESP, as shown in Figure 2.7.

Figure 2.7 L2TP control message

Because no TCP connection is used, L2TP uses message sequencing to guarantee delivery of L2TP messages. In the L2TP control message, the Next-Received field (similar to the TCP acknowledgment number) and the Next-Sent field (similar to the TCP sequence number) maintain the order of control messages. Out-of-order packets are discarded. The Next-Sent and Next-Received fields can also be used for sequenced delivery and flow control of tunnelled data.

L2TP supports multiple calls per tunnel. The L2TP control message and the L2TP header of tunnelled data carry a Tunnel ID identifying the tunnel and a Call ID identifying the call within that tunnel.

2.4.3 L2TP tunnel data encapsulation

L2TP tunnel data goes through several levels of encapsulation:

L2TP encapsulation. The original PPP payload is encapsulated with a PPP header and an L2TP header.

UDP encapsulation. The L2TP packet is then encapsulated with a UDP header, with source and destination ports both set to 1701.

IPSec encapsulation. Depending on the IPSec policy, the UDP packet is encrypted and encapsulated with an IPSec ESP header, an IPSec ESP trailer and an IPSec Authentication trailer.

IP encapsulation. The IPSec packet is encapsulated with an IP header carrying the source and destination IP addresses of the client and server.

Data link layer encapsulation. To be transmitted over a LAN or WAN link, the final IP packet is encapsulated with the header and trailer of the data link technology of the outgoing physical interface. For example, when the IP packet is sent out an Ethernet interface it is encapsulated with an Ethernet header and trailer; when IP packets are sent over a point-to-point WAN link (such as an ISDN telephone line) they are encapsulated with a PPP header and trailer.
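As an added example covering both the control-message sequencing of section 2.4.2 and the L2TP and UDP encapsulation steps above (this code is not from the original text), the following Python builds and parses the L2TP version 2 header with Tunnel ID, Session ID (the text's Call ID) and the Ns/Nr fields, wraps a message in a UDP header with both ports set to 1701, and implements a control receiver that accepts a message only when its Ns equals the expected Nr and discards the rest. The bit positions follow RFC 2661; the IPSec ESP layer is not modelled, and the AVP and PPP bytes are constructed.

```python
import struct

L2TP_PORT = 1701

# Flag bits of the L2TP v2 header (RFC 2661).  Control messages set T, L and
# S; data messages set S only when sequencing is used for the session.
T_BIT = 0x8000   # 1 = control message, 0 = data message
L_BIT = 0x4000   # Length field present
S_BIT = 0x0800   # Ns/Nr sequence fields present
O_BIT = 0x0200   # Offset Size field present
P_BIT = 0x0100   # priority (data messages only)
VERSION = 2


def build_l2tp(payload: bytes, tunnel_id: int, session_id: int, *,
               control: bool = False, ns=None, nr=None,
               priority: bool = False) -> bytes:
    """Prefix `payload` (AVPs for control, a PPP frame for data) with an
    L2TP header.  Control messages always carry Length and Ns/Nr."""
    flags = VERSION
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages must carry Ns and Nr")
        flags |= T_BIT | L_BIT | S_BIT
    else:
        if ns is not None and nr is not None:
            flags |= S_BIT
        if priority:
            flags |= P_BIT
    parts = [struct.pack("!H", flags)]
    if flags & L_BIT:
        # Length covers the whole L2TP message, header included.
        total = 2 + 2 + 4 + (4 if flags & S_BIT else 0) + len(payload)
        parts.append(struct.pack("!H", total))
    parts.append(struct.pack("!HH", tunnel_id, session_id))
    if flags & S_BIT:
        parts.append(struct.pack("!HH", ns, nr))
    parts.append(payload)
    return b"".join(parts)


def parse_l2tp(message: bytes) -> dict:
    """Decode an L2TP header into a dict; payload is what follows it."""
    (flags,) = struct.unpack("!H", message[:2])
    if (flags & 0x000F) != VERSION:
        raise ValueError("not an L2TP version 2 header")
    pos = 2
    length = None
    if flags & L_BIT:
        (length,) = struct.unpack("!H", message[pos:pos + 2])
        pos += 2
        if length > len(message):
            raise ValueError("Length exceeds the received message")
    tunnel_id, session_id = struct.unpack("!HH", message[pos:pos + 4])
    pos += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack("!HH", message[pos:pos + 4])
        pos += 4
    offset = 0
    if flags & O_BIT:
        (offset,) = struct.unpack("!H", message[pos:pos + 2])
        pos += 2
    end = length if length is not None else len(message)
    return {"control": bool(flags & T_BIT), "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr,
            "payload": message[pos + offset:end]}


def wrap_udp(l2tp_message: bytes, src_port=L2TP_PORT, dst_port=L2TP_PORT) -> bytes:
    """UDP header for the next layer down: both ports 1701, checksum left 0."""
    return struct.pack("!HHHH", src_port, dst_port,
                       8 + len(l2tp_message), 0) + l2tp_message


class ControlReceiver:
    """Reliable-delivery check on the control channel: a message is accepted
    only when its Ns is the value we expect next (our Nr); anything else is
    discarded, as the text describes for out-of-order packets."""

    def __init__(self):
        self.nr = 0            # next Ns we expect to receive
        self.accepted = []

    def receive(self, message: bytes) -> bool:
        h = parse_l2tp(message)
        if not h["control"] or h["ns"] != self.nr:
            return False
        self.nr = (self.nr + 1) & 0xFFFF
        self.accepted.append(h["payload"])
        return True
```

A real LNS also acknowledges duplicates (Ns below Nr) and may buffer messages that arrive early; the strict accept-or-drop rule here is the minimum that keeps the control channel in order. Everything this block produces would be the plaintext inside the ESP payload once the IPSec policy of the next step is applied.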

Figure 2.8 shows the final structure of an L2TP-over-IPSec tunnel data packet.

Figure 2.8 L2TP tunnel data encapsulation

Figure 2.9 shows the L2TP encapsulation from a VPN client over a remote access connection using an analog modem.

  • 8/13/2019 Mang Rieng Ao VPN (Da Hieu Chinh-V2)

    35/99

    CHNG 2 - CC GIAO THC NG HM

    Chng trnh bi dng kin thc IP v NGN cho ks TVT ca VNPT 29

Figure 2.9 L2TP encapsulation flow

The encapsulation process is carried out in the following steps:

- An IP, IPX or NetBEUI packet is submitted by the appropriate protocol, via NDIS, to the virtual interface representing the VPN connection.

- NDIS passes the packet to NDISWAN, where it may be compressed and receives a PPP header consisting only of the PPP Protocol ID field. The Flag and FCS fields are not added.

- NDISWAN sends the PPP frame to the L2TP protocol, which encapsulates the PPP frame with an L2TP header. In the L2TP header, the Tunnel ID and Call ID are set to the values identifying the tunnel.

- The L2TP protocol hands the resulting packet to TCP/IP with a request to send it as a UDP message from UDP port 1701 to UDP port 1701, using the IP addresses of the client and the server.

- TCP/IP builds an IP packet with the appropriate IP and UDP headers. IPSec then analyzes the IP packet and compares it with the current IPSec policy. Based on the settings in the policy, IPSec encapsulates and encrypts the UDP message portion of the IP packet using the appropriate ESP header and trailer. The original IP header, with its Protocol field set to 50, is placed in front of the ESP packet. TCP/IP then sends the resulting packet, via NDIS, to the interface representing the dial-up connection to the local ISP.

- NDIS sends the packet to NDISWAN.

- NDISWAN adds the PPP header and trailer, then sends the resulting PPP frame to the appropriate port representing the dial-up hardware.
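The first two encapsulation levels above (PPP frame inside an L2TPv2 data header inside UDP port 1701), plus the receiver's in-order check on Ns, as an added example that is not part of the original document. The Tunnel ID, Session ID, key sizes and payloads are constructed values; IPSec ESP and the IP header are not built here.

```python
import struct

L2TP_UDP_PORT = 1701      # L2TP/UDP uses 1701 as both source and destination port
PPP_PROTO_IPV4 = 0x0021   # PPP Protocol ID for an IPv4 datagram
L2TP_T_BIT = 0x8000       # set for control messages, clear for tunnel data
L2TP_L_BIT = 0x4000       # Length field is present
L2TP_S_BIT = 0x0800       # Ns/Nr sequence fields are present
L2TP_VERSION = 0x0002     # L2TPv2 (RFC 2661)


def build_l2tp_data_message(tunnel_id, session_id, ppp_proto, payload, ns=None, nr=None):
    """PPP payload -> PPP header (Protocol ID only, no Flag/FCS) -> L2TP header."""
    flags = L2TP_L_BIT | L2TP_VERSION
    seq = b""
    if ns is not None:
        flags |= L2TP_S_BIT
        seq = struct.pack("!HH", ns, nr)        # Next-Sent / Next-Received
    ppp_frame = struct.pack("!H", ppp_proto) + payload
    length = 8 + len(seq) + len(ppp_frame)       # Length covers the whole L2TP message
    # Flags/Ver, Length, Tunnel ID, Session ID (the "Call ID" of the text)
    header = struct.pack("!HHHH", flags, length, tunnel_id, session_id)
    return header + seq + ppp_frame


def build_udp_datagram(l2tp_message, sport=L2TP_UDP_PORT, dport=L2TP_UDP_PORT):
    """UDP encapsulation; checksum 0 means 'not computed' (permitted over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(l2tp_message), 0) + l2tp_message


def parse_udp_l2tp(datagram):
    """Receiver side: strip UDP, then read the L2TP header and the PPP Protocol ID."""
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", datagram[:8])
    if udp_len != len(datagram):
        raise ValueError("UDP length mismatch")
    msg = datagram[8:]
    flags, length, tunnel_id, session_id = struct.unpack("!HHHH", msg[:8])
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("not an L2TPv2 message")
    if flags & L2TP_T_BIT:
        raise ValueError("control message, not tunnel data")
    if (flags & L2TP_L_BIT) and length != len(msg):
        raise ValueError("L2TP length mismatch")
    off = 8
    ns = nr = None
    if flags & L2TP_S_BIT:
        ns, nr = struct.unpack("!HH", msg[off:off + 4])
        off += 4
    ppp_proto = struct.unpack("!H", msg[off:off + 2])[0]
    return {"sport": sport, "dport": dport, "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr,
            "ppp_proto": ppp_proto, "payload": msg[off + 2:]}


class SessionReceiver:
    """Per-session in-order delivery: a data message whose Ns is not the expected
    one is discarded, as the text describes for out-of-order packets."""

    def __init__(self):
        self.expected_ns = 0
        self.delivered = []

    def receive(self, parsed):
        if parsed["ns"] is None or parsed["ns"] != self.expected_ns:
            return False                        # out of order: drop it
        self.expected_ns = (self.expected_ns + 1) & 0xFFFF
        self.delivered.append(parsed["payload"])
        return True


def demo():
    """Constructed run: tunnel 7, session 3, three payloads with one arriving early."""
    rx = SessionReceiver()
    results = []
    for ns, payload in [(0, b"pkt-A"), (2, b"pkt-C"), (1, b"pkt-B")]:
        msg = build_l2tp_data_message(7, 3, PPP_PROTO_IPV4, payload, ns=ns, nr=0)
        results.append(rx.receive(parse_udp_l2tp(build_udp_datagram(msg))))
    return results, rx.delivered
```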


2.4.4 Data processing at the endpoint of an L2TP over IPSec tunnel

On receiving L2TP over IPSec tunnel data, the L2TP client or server performs the following steps:

- Process and remove the data link layer header and trailer.

- Process and remove the IP header.

- Use the IPSec ESP Auth trailer to authenticate the IP payload and the IPSec ESP header.

- Use the IPSec ESP header to decrypt the encrypted portion of the packet.

- Process the UDP header and hand the packet to L2TP.

- L2TP uses the Tunnel ID and Call ID in the L2TP header to identify the specific L2TP tunnel.

- Use the PPP header to identify the PPP payload and forward it to the proper protocol for processing.

2.4.5 Deploying a VPN based on L2TP

An L2TP-based VPN system consists of the following basic components: the network access concentrator (NAS), the L2TP server and the L2TP clients (Figure 2.10).

Figure 2.10 Components of an L2TP-based VPN system

L2TP server

The L2TP server has two main functions: it is the termination point of the L2TP tunnel, and it forwards packets arriving from the tunnel to the private LAN and vice versa. The server forwards packets to the destination host by processing the L2TP packet to obtain the network address of the destination host.

Unlike a PPTP server, an L2TP server has no packet filtering capability. Packet filtering in L2TP is performed by the firewall. In practice, however, the network server and the firewall are usually integrated. This integration offers some advantages over PPTP, namely:

- L2TP does not require a single fixed port to be assigned on the firewall as PPTP does. The administrator can freely choose the port assigned on the firewall, which makes it harder for an attacker who tries to attack a particular port when that port can change.

- Data and control information are carried on the same UDP port, so firewall configuration is simpler. Since some firewalls do not support GRE, they are more compatible with L2TP than with PPTP.

L2TP client software

If the ISP's equipment supports L2TP, no additional hardware or software is needed on the clients; a standard PPP connection is enough. With such a setup, however, IPSec encryption cannot be used. It is therefore advisable to use L2TP-compatible client software for L2TP VPN connections.

Some characteristics of L2TP client software are:

- Compatibility with the other IPSec components, such as encryption servers, key exchange protocols and encryption algorithms;

- A clear indication when IPSec is active;

- Hashing that can handle dynamic IP addresses;

- A key protection mechanism (keys encrypted with a password);

- Automatic, periodic re-keying of the encryption;

- Complete blocking of non-IPSec traffic.

Network access concentrator

An ISP offering L2TP service must install an L2TP-capable NAS that supports L2TP clients running on different operating systems such as Unix, Windows, Macintosh, etc.

ISPs can also offer L2TP services without adding L2TP-capable equipment to their access servers; this requires every user to have L2TP client software on their machine. Users can then use the services of several ISPs when their network spans a large geographic area.

2.4.6 Advantages, disadvantages and applicability of L2TP

L2TP is a later generation of VPN dial-up access protocol. It combines the best features of PPTP and L2F. Most PPTP product vendors have released products compatible with L2TP.


Although L2TP runs mainly over IP networks, its ability to run over other network technologies such as Frame Relay or ATM makes it even more popular. L2TP allows a large number of remote customers to connect to the VPN, as well as high-capacity LAN-to-LAN connections. L2TP has a flow control mechanism that reduces congestion on the L2TP tunnel.

The choice of an L2TP service provider may vary with the network design requirements. If the VPN design requires end-to-end encryption, L2TP-compatible clients must be installed at the remote stations and the ISP must agree to handle encryption from the remote machine all the way to the VPN server. If the network is built with a lower security level and higher fault tolerance, and data only needs to be protected while it travels in the tunnel over the Internet, then agree with the ISP that it supports an LAC and encrypts data only from the LAC to the LNS of the private network.

L2TP allows several tunnels to be established between the same LAC and LNS. Each tunnel can be assigned to a particular user or group of users, and to different environments according to the quality of service (QoS) attributes of the user.

2.5 Chapter summary

The level of security of data transmitted across the network depends largely on the enterprise's VPN solution. Chapter 2 focused on the technical issues of virtual private network solutions based on tunneling. Tunneling plays a very important role in deploying VPNs over public telecommunications networks. The tunneling protocols introduced here are L2F, PPTP and L2TP. Each protocol was presented in relative detail, from data encapsulation, operating principles and data processing at the tunnel endpoints to practical deployment characteristics. The presentation also analyzed the characteristics and the advantages and disadvantages of each protocol in order to make clear their capabilities and scope of application.


CHAPTER 3

VIRTUAL PRIVATE NETWORKS BASED ON IPSec

With the development and expansion of the Internet, exchanging information between branches and remote offices of a company, or with outside business partners, is no longer as difficult as it used to be. However, alongside effective business support, the risk of data security breaches or destructive attacks over the network is also very real. Securing data transmitted over public networks has therefore become especially important.

The IPSec (Internet Protocol Security) protocol was developed to solve the problem of securing information transmitted over the Internet and is considered the best protocol for implementing IP-VPN. This chapter presents the most important characteristics of IPSec, the operation of the related protocols and standards, and the algorithms and techniques that support the implementation of VPNs over IPSec.

This chapter covers:

- Introduction to IPSec

- IPSec information encapsulation

- Security associations (SA) and IKE key exchange

- Some technical issues in implementing VPN over IPSec

- An example of a VPN implementation over IPSec

- Open issues in IPSec


3.1 Introduction to IPSec

IPSec was developed by the IETF to provide security in IP networks at the packet level. IPSec is defined as a suite of network-layer protocols providing confidentiality, authentication, data integrity and access control services. It is a set of open standards that work together, first introduced in RFCs 1825 to 1829 in 1995.

IPSec allows a secure tunnel to be established between two private networks and authenticates both ends of that tunnel. The devices at the two ends of the tunnel can be a pair of hosts, a pair of security gateways (routers, firewalls, VPN concentrators), or a host and a security gateway. The tunnel acts as a secure channel between the two ends, and data packets that require security are transmitted over it. IPSec also encapsulates the data and handles the information needed to set up, maintain and tear down the channel when it is no longer needed. Packets transmitted in the tunnel have the same format as ordinary packets and do not require changes to the devices, architecture or existing applications of the intermediate network, which significantly reduces deployment and management costs.

IPSec has two basic mechanisms for protecting data: the Authentication Header (AH) and the Encapsulating Security Payload (ESP); an IPSec implementation must support ESP and may support AH. Both AH and ESP provide means for access control based on the distribution of cryptographic keys and the management of the traffic flows related to these security protocols.

AH provides data origin authentication, data integrity checking and an optional anti-replay service for IP packets transmitted between two systems. AH does not provide confidentiality, meaning that it sends information in clear text. ESP is a protocol that secures the transmitted packets, including data encryption, data origin authentication and connectionless data integrity checking. ESP ensures confidentiality by encrypting the IP packet. All ESP traffic is encrypted between the two systems. Because of this, ESP tends to be used more often in order to increase data confidentiality.

The AH and ESP protocols can be applied alone or in combination to provide the desired set of security services in IPv4 and IPv6, but the way they provide those services differs. For both protocols, IPSec does not define specific security algorithms; instead it is a framework that allows standard algorithms to be used. IPSec uses hash-based message authentication codes (HMAC) with MD5 (Message Digest 5) or SHA-1 for message integrity; DES or 3DES for data encryption; and pre-shared keys, RSA digital signatures and RSA-encrypted nonces for peer authentication. In addition, the standards define the use of some other algorithms such as IDEA, Blowfish and RC4.


IPSec can use the Internet Key Exchange (IKE) protocol to authenticate the two parties and to negotiate the security and authentication policies by determining the algorithms used to set up the channel, exchanging keys for each connection session and using them for each access session. A network that uses IPSec to secure specific data flows can automatically verify the authenticity of the devices using the digital certificates of the two users exchanging information. This negotiation finally results in the establishment of a Security Association (SA) between the secured pair.

A security association contains the set of policies, parameters, algorithms and protocols for encapsulating data between the parties of the IPSec session. At each end of the IPSec tunnel, the SA is used to determine which traffic needs IPSec processing, which security protocol is used (AH or ESP), and which algorithm and key are used for encryption and authentication. Security association information is stored in the security association database, and the combination of a destination address and a security protocol identifies exactly one SA.

IPSec was developed for the next-generation IP protocol, IPv6, but because IPv6 deployment is slow and IP packets need to be secured, IPSec was adapted to IPv4. IPSec support is optional in IPv4 but built into IPv6. IPSec is the choice for overall VPN security and the optimal solution for corporate networks. It ensures reliable communication over public IP networks for VPN applications.

3.2 IPSec information encapsulation

3.2.1 Operating modes

IPSec provides two high-level authentication and encryption modes for encapsulating information: transport mode and tunnel mode. These two modes are considered below before the AH and ESP protocols are examined.

3.2.1.1 Transport mode

In transport mode, security is provided for the higher-layer protocols of the OSI model (layer 4 and above). This mode protects the payload of the packet but leaves the original IP header intact (Figure 3.1). This original IP address is used to route the packet across the Internet.


3.2.2.2 AH packet structure

Devices using AH insert a header into the IP packet of the traffic of interest, between the IP header and the layer 4 header. Because AH is tied to IPSec, an IP-VPN can define which traffic needs to be protected and which traffic does not require security processing between the parties. For example, one could choose to secure e-mail traffic but not web services. The insertion of the AH header is illustrated in Figure 3.4.

Figure 3.4 AH header structure in an IPSec packet

The meaning of the fields in the AH header is as follows:

- Next Header. An 8-bit field identifying the type of payload data that follows the AH. Its value is chosen from the set of IP protocol numbers defined by IANA (TCP 6, UDP 17).

- Payload Length. An 8-bit field containing the length of the AH header expressed in 32-bit words, minus 2. For example, with an integrity algorithm that yields a 96-bit (3 x 32-bit) verification value, plus the 3 fixed 32-bit words, this length field has the value 4. With IPv6, the total header length must be a multiple of 8-bit blocks.

- Reserved. This 16-bit field is reserved for future use. Its value must be set to 0, and it is included in the computation of the authentication data.

- Security Parameters Index (SPI). This 32-bit field, together with the destination IP address and the security protocol, uniquely identifies the SA for the datagram. SPI values 1 to 255 are reserved for future use. SPI is a mandatory field and is usually


Step 6: The receiver compares the hash it has computed with the hash extracted from the AH header. The two must be identical. If they differ, the receiver immediately detects that the integrity of the data has been violated.

AH processing depends on the IPSec operating mode and on the version of the IP protocol in use. The format of an IPv4 packet before and after AH processing in transport and tunnel modes is shown in Figure 3.5.

Figure 3.5 IPv4 packet format before and after AH processing

The format of an IPv6 packet before and after AH processing is shown in Figure 3.6.

Figure 3.6 IPv6 packet format before and after AH processing


3.2.3 The Encapsulating Security Payload (ESP) protocol

3.2.3.1 Introduction

The ESP protocol was defined in RFC 1827 and later developed into RFC 2408. Like AH, this protocol was developed entirely for IPSec. ESP is used when confidentiality is required for the IPSec traffic to be transmitted. It provides data confidentiality by encrypting the packets. In addition, ESP also provides data origin authentication, data integrity checking, an anti-replay service and limited traffic flow confidentiality.

The set of services provided by ESP depends on the options selected when the security association is established; the confidentiality service is provided independently of the other services. However, if the authentication and data integrity services are not used together with it, the effectiveness of the confidentiality is not guaranteed. The authentication and data integrity services always go together. The anti-replay service can only be provided if the authentication service is selected. Figure 3.7 illustrates the ESP encapsulation mechanism.

Figure 3.7 ESP encapsulation mechanism

ESP operates differently from AH. ESP encapsulates all or part of the original data. Because it supports confidentiality well, ESP tends to be used more widely than AH.

3.2.3.2 ESP packet structure

The structure of an ESP packet is shown in Figure 3.8. The fields of an ESP packet may be mandatory or optional. Mandatory fields are always present in every ESP packet. The choice of an optional field is defined during the establishment of the security association. Thus the ESP format for a given SA is fixed for the lifetime of that SA.


Figure 3.8 ESP packet format

The meaning of the fields of the ESP packet is as follows.

- SPI (Security Parameters Index). An arbitrary 32-bit number which, together with the destination IP address and the ESP security protocol, uniquely identifies the SA for the datagram. SPI values 0 to 255 are reserved for future use. SPI is a mandatory field and is usually chosen by the receiver when the SA is established.

- Sequence Number. Similar to the Sequence Number field of AH.

- Payload Data. This mandatory field consists of a variable number of bytes of the original data, or of the part of the data that requires confidentiality, as described by the Next Header field. This field is encrypted with the encryption algorithm chosen during SA establishment. If the algorithm requires an initialization vector, it is also included here. The algorithm commonly used for ESP encryption is DES-CBC. Other algorithms such as 3DES or CDMF are sometimes supported as well.

- Padding. There are several reasons for the presence of the padding field, such as:

- If the encryption algorithm used requires the clear text to be an integer multiple of some number of bytes (for example a block cipher), the padding field is used to fill the clear text (consisting of Payload Data, Pad Length, Next Header and Padding) to the required size.

- Padding is also needed to ensure that the cipher text ends on a 4-byte boundary, so that it is clearly separated from the Authentication Data field.


- In addition, padding can be used to conceal the actual length of the payload, although this purpose must be weighed against its effect on transmission bandwidth.

- Pad Length. This field gives the number of padding bytes added. Pad Length is a mandatory field with valid values in the range 0 to 255 bytes.

- Next Header. Next Header is a mandatory 8-bit field. It identifies the type of data contained in the payload, for example an IPv6 Extension Header or the identifier of another upper-layer protocol. Its value is chosen from the set of IP Protocol Numbers defined by IANA.

- Authentication Data. This variable-length field contains an integrity check value (ICV) computed over the whole ESP packet except the Authentication Data field itself. Its length depends on the authentication algorithm used. The field is optional and is only added if the authentication service is selected for the SA in question. The authentication algorithm must specify the ICV length, the processing steps and the comparison rules needed to check the integrity of the packet.

3.2.3.3 ESP processing in transport and tunnel modes

ESP processing depends on the IPSec operating mode and on the version of the IP protocol in use. The format of an IPv4 packet before and after ESP processing in transport and tunnel modes is shown in Figure 3.9.

Figure 3.9 IPv4 packet format before and after ESP processing


- DES and 3DES in CBC mode;

- HMAC with MD5;

- HMAC with SHA-1;

- No authentication algorithm;

- No encryption algorithm.

Besides the algorithms listed above, other algorithms may be supported. Note that at least one of the two services, encryption or authentication, must be applied, so the authentication and encryption algorithms cannot both be absent at the same time.

Decryption process

If ESP uses encryption, the packet must be decrypted. If the encryption service is not used, there is no decryption at the receiver. Packet decryption proceeds as follows:

- Decrypt the ESP (the Payload Data, Padding, Pad Length and Next Header fields) with the key; the encryption algorithm and its mode are determined by the SA.

- Process the padding according to the algorithm specification. The receiver must locate and remove the padding before passing the decrypted data to the upper layer.

- Rebuild the original IP packet from the original IP header and the upper-layer protocol information in the ESP payload (transport mode), or from the outer IP header and the entire original IP packet in the ESP payload (tunnel mode).

If the authentication service is also selected, ICV verification and decryption may be carried out sequentially or in parallel. If sequentially, ICV verification must be performed first. If in parallel, ICV verification must be completed before the decrypted packet is passed to the next processing step. This ordering allows invalid packets to be discarded quickly.

Decryption can fail for a number of reasons, such as:

- The wrong SA was selected (because the SPI, destination address or Protocol Type field is incorrect);

- The padding length or the padding value is incorrect;

- The encrypted ESP packet is corrupted.
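The ESP packet structure of 3.2.3.2 (padding rules, Pad Length, Next Header, ICV over everything but the Authentication Data) and the receiver processing just described (ICV check first, then padding removal, with the listed failure cases), as an added example that is not part of the original document. It uses the "no encryption algorithm" option (ESP_NULL) with HMAC-SHA1-96 so that it runs with the standard library only; the `block_size` parameter shows how the padding would be sized for an 8-byte block cipher such as DES-CBC, but no encryption is performed. The key, SPI and payload are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12          # HMAC-SHA1-96 Authentication Data
ESP_HDR_LEN = 8       # SPI(4) + Sequence Number(4)
TRAILER_LEN = 2       # Pad Length(1) + Next Header(1)


def esp_pad_length(payload_len, block_size=1):
    """Padding rules from the text: Payload + Padding + Pad Length + Next Header
    must be a multiple of the cipher block size (8 for DES-CBC) and the region
    must end on a 4-byte boundary (block_size 1 = ESP_NULL, no cipher constraint)."""
    if block_size not in (1, 4, 8, 16):
        raise ValueError("unsupported block size")
    align = max(block_size, 4)
    return (-(payload_len + TRAILER_LEN)) % align


def esp_encapsulate(key, spi, seq, next_header, payload, block_size=1):
    """Build SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV.
    With ESP_NULL the would-be encrypted region stays in clear; a real cipher
    would encrypt Payload..Next Header here, after padding and before the ICV."""
    pad_len = esp_pad_length(len(payload), block_size)
    padding = bytes(range(1, pad_len + 1))       # default pad pattern 1, 2, 3, ...
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]   # all but the ICV
    return body + icv


def esp_decapsulate(key, packet):
    """Receiver: verify the ICV first, then (decrypt and) strip trailer and padding.
    Raises ValueError for the failure cases listed in the text."""
    if len(packet) < ESP_HDR_LEN + TRAILER_LEN + ICV_LEN:
        raise ValueError("packet too short")
    body, received_icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected_icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(received_icv, expected_icv):
        raise ValueError("ICV mismatch: wrong SA/key or corrupted ESP packet")
    spi, seq = struct.unpack("!II", body[:ESP_HDR_LEN])
    clear = body[ESP_HDR_LEN:]                   # decryption would happen here
    pad_len, next_header = clear[-2], clear[-1]
    if pad_len > len(clear) - TRAILER_LEN:
        raise ValueError("bad pad length")
    payload = clear[:len(clear) - TRAILER_LEN - pad_len]
    padding = clear[len(payload):-TRAILER_LEN]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding value")
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}


def demo():
    """Constructed run: 9-byte TCP payload, SPI 0x2000, made-up HMAC key."""
    key = b"constructed-auth-key"
    payload = b"TCP-bytes"
    null_pkt = esp_encapsulate(key, 0x2000, 1, 6, payload, block_size=1)   # pad 1
    des_pkt = esp_encapsulate(key, 0x2000, 2, 6, payload, block_size=8)    # pad 5
    ok = esp_decapsulate(key, null_pkt)
    # one byte of the protected region flipped: rejected by the ICV before decryption
    tampered = null_pkt[:10] + bytes([null_pkt[10] ^ 0x01]) + null_pkt[11:]
    try:
        esp_decapsulate(key, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return len(null_pkt), len(des_pkt), ok, rejected
```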

3.3 Security associations and key exchange

3.3.1 Security associations


3.3.1.1 Types of security association

IPSec offers many options for implementing encryption and authentication at the network layer. This section defines the security management procedures for both IPv4 and IPv6 for implementing AH, ESP or both, depending on the user's choice. When establishing an IPSec connection, the two parties must determine exactly which algorithms will be used and which kind of service needs to be secured. They then negotiate a set of parameters and algorithms to apply for encryption or authentication. As introduced above, the security relationship between two or more entities that have agreed on secure communication is called a security association (SA).

A security association is a simplex (one-way) connection, so for each communicating pair A and B there are at least two SAs (one from A to B and one from B to A). When traffic must flow in both directions through the VPN, the IKE key exchange protocol first establishes a pair of SAs and may then establish further SAs. Each SA has its own lifetime. An SA is uniquely identified by a triple: the security parameters index (SPI), the destination IP address and a security protocol identifier (AH or ESP). In principle the destination IP address may be a unicast, broadcast or multicast address. However, the current IPSec SA management mechanism is only defined for unicast SAs.

There are two types of SA, transport and tunnel, depending on the mode of the protocol used. A transport-type SA is a security association between two hosts, or, where required, between two intermediate systems along the path. In other cases, transport type can also be used to support IP-in-IP or GRE tunnels over transport-type SAs. A tunnel-type SA is essentially an SA applied to an IP tunnel. An SA between two security gateways is the typical tunnel-type SA, as is an SA between a host and a security gateway. However, in cases where the traffic is destined to the gateway itself, such as SNMP commands, the security gateway acts as a host and transport type is allowed.

An SA offers many options for IPSec services, depending on the security protocol chosen (AH or ESP), the SA type, the SA endpoints and a number of selectable optional services within the protocol used. For example, when AH is used to verify the data origin and connectionless integrity of IP packets, the anti-replay service may or may not be used, at the discretion of the parties.

When one end of an IP-VPN wants to send IPSec traffic to the other end, it checks whether an SA already exists in its database that the two parties can use for the required security service. If such an SA is found, it places the SPI of that SA in the IPSec header, applies the cryptographic algorithms and sends the packet. The receiver takes the SPI, the destination address and the IPSec protocol (AH or ESP) and looks up the matching SA in its database to process the packet. Note that an IP-VPN endpoint may have many IPSec connections at the same time, which means that many SAs exist.

3.3.1.2 Combining security associations

IP packets transmitted through a single SA are protected by exactly one security protocol, either AH or ESP but not both. Sometimes a security policy requires a combination of services for a particular traffic flow that cannot be achieved with a single SA. In that case several SAs must be used to carry out the required security policy. The term SA bundle refers to a sequence of SAs established to process traffic so as to satisfy a set of security policies.

For tunnel type, there are three typical cases of combining security associations, presented below.

Both endpoints of the SAs coincide

Each inner or outer tunnel may be AH or ESP, although Host 1 may specify that both tunnels are the same, i.e. AH inside AH or ESP inside ESP (Figure 3.11).

Figure 3.11 Combining tunnel-type SAs when both endpoints coincide

One endpoint of the SAs coincides

The inner or outer tunnel may be AH or ESP (Figure 3.12).

Figure 3.12 Combining tunnel-type SAs when one endpoint coincides

No endpoints of the SAs coincide

[Figures 3.11 and 3.12 labels: Host 1, Security Gateway 1, Internet, Security Gateway 2, Host 2; Security Association 1 and Security Association 2 (tunnel)]

Each inner or outer tunnel may be AH or ESP (Figure 3.13).

Figure 3.13 Combining tunnel-type SAs when no endpoints coincide

Details on combining SAs are given in RFC 2401.

3.3.1.3 Security association databases

There are two security-related databases:

- The Security Policy Database (SPD)

- The Security Association Database (SAD).

The SPD specifies the security services to be applied to IP traffic, depending on factors such as source, destination and direction (inbound or outbound). It contains an ordered list of policy entries, kept separately for inbound and outbound traffic. These entries can specify that some traffic bypasses IPSec processing, some must be discarded, and the rest is processed by IPSec. The entries are similar to those of a firewall or packet filter.

The SAD contains