
COURSE REPORT: INTERNET SYSTEMS AND SERVICES
TOPIC: RESEARCH AND DEPLOYMENT OF IPSEC IN IPV6 AND ITS APPLICATION TO VPNS

DETAILED OUTLINE

Chapter I. Understanding IPv6
1. Introduction to IPv6
1.1 Why IPv6 was developed
In 1973, TCP/IP was introduced and applied to the ARPANET. At that time the ARPANET had only about 250 sites connected to each other, with roughly 750 computers. The Internet has been growing at a tremendous pace; today it has more than 60 million users worldwide. According to expert estimates, the Internet now connects hundreds of thousands of sites, with more than 10 million computers, and in the near future these figures will not stop there. This rapid growth demands constant expansion and upgrading of the network infrastructure and of the technology in use.

Entering the first years of the 21st century, Internet applications have grown to provide services for users of notebooks and cellular modems, and the Internet has even penetrated many other consumer applications such as TVs and coffee makers. But one fact that not only specialists but also ISPs have recognized is that network resources are becoming increasingly scarce. Growth in equipment, infrastructure and personnel is not a major difficulty. The problem here is IP addresses.

1.2 Limits of IPv4 and the problem of IPv4 address management
1.2.1 IPv4 address limits
IPv4 supports a 32-bit address field, i.e. about 4.3 billion distinct addresses. Today IPv4 can hardly meet the demands of the Internet any longer. The two major problems IPv4 faces are the shortage of addresses, especially in the mid-sized address space (class B), and the dangerously fast growth in the size of Internet routing tables. In addition, the need for automatic configuration (auto-config) is becoming more and more pressing. Early IPv4 addresses were classified by address capacity (the number of IPv4 addresses). IPv4 addresses were divided into classes, the first three of which were the most widely used. These address classes differ in the number of bits used to define the Network ID.
1.2.2 The IPv4 address management problem

Besides the limits mentioned above, this model has one more drawback: addresses are wasted if the address classes are used inefficiently. Although the current supply of IPv4 addresses could satisfy worldwide demand, the way IPv4 addresses are allocated fails to achieve that. For example, an organization needs to deploy a network with about 300 hosts. To allocate IPv4 addresses to this organization, a class B address is used. However, a class B address can be assigned to 65,536 hosts. Using a class B address for this organization leaves more than 65,000 addresses unused. Other organizations will not be able to use this address range at all. This is extremely wasteful.

In the 1990s, the Classless Inter-Domain Routing (CIDR) technique was built on the concept of the address mask. CIDR temporarily overcame the problems mentioned above. The hierarchical organization of CIDR improves the scalability of IPv4. This method limits the effect of the classful structure of IPv4 addresses. It allows IPv4 addresses to be allocated more flexibly thanks to the subnet mask. The lengths of the Network ID and Host ID depend on the number of 1 bits in the subnet mask, so the capacity of an IP address block becomes more flexible.

For example: use a class C IP address with a 23-bit subnet mask (x.x.x.x/23) for the organization above. This address has a Host ID defined by 9 bits, corresponding to 512 hosts. This address block is a suitable fit.

However, CIDR has the drawback that a router can only determine the Network ID and Host ID if it knows the subnet mask. Although many other tools have appeared, such as subnetting (1985), VLSM (1987) and CIDR (1993), these techniques do not rescue IPv4 from one simple problem: there are not enough addresses for future needs. There are about 4 billion IPv4 addresses, but this range will not be enough in the future, as devices connected to the Internet and household appliances may all require IP addresses.
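To make the sizing argument above concrete, here is an added Python example (not from the report) that picks the smallest CIDR prefix for a given host count, compares it with a classful class B allocation, and shows why a router cannot derive the Network ID from an address alone: the same address maps to different networks under different masks. The addresses used are constructed sample values.

```python
import ipaddress
import math

# A classful class B block has 16 host bits (a /16 in CIDR notation).
CLASS_B_PREFIX = 16


def smallest_prefix_for(host_count):
    """Shortest prefix whose host part fits host_count hosts plus the
    network and broadcast addresses (hence the +2)."""
    host_bits = max(1, math.ceil(math.log2(host_count + 2)))
    return 32 - host_bits


def total_addresses(prefix):
    return 2 ** (32 - prefix)


def waste(prefix, host_count):
    """Addresses allocated to the block but never used by the hosts."""
    return total_addresses(prefix) - host_count


def network_id(address, prefix):
    """What a router does with the mask: keep only the bits it covers.
    Without the prefix length this answer is undefined."""
    net = ipaddress.IPv4Network(f"{address}/{prefix}", strict=False)
    return str(net.network_address)


def compare_allocations(host_count):
    """Classful class B allocation versus the tightest CIDR block."""
    cidr = smallest_prefix_for(host_count)
    return {
        "class_b_prefix": CLASS_B_PREFIX,
        "class_b_total": total_addresses(CLASS_B_PREFIX),
        "class_b_waste": waste(CLASS_B_PREFIX, host_count),
        "cidr_prefix": cidr,
        "cidr_total": total_addresses(cidr),
        "cidr_waste": waste(cidr, host_count),
    }


if __name__ == "__main__":
    print(compare_allocations(300))
    # Same address, two masks, two different networks (constructed values).
    print(network_id("192.168.5.77", 23), network_id("192.168.5.77", 24))
```

For the 300-host organization in the text the function selects a /23 (512 addresses, 212 spare) against the /16's 65,236 spare addresses; the two `network_id` calls return 192.168.4.0 and 192.168.5.0 respectively, which is exactly the information a router lacks when it does not know the mask.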

Some short-term solutions exist, such as applying RFC 1918, which sets aside part of the address space as private addresses, and NAT, a tool that lets thousands of hosts access the Internet with only a few valid IPs. The long-term solution, however, is the introduction of IPv6 with its 128-bit address structure. The vast address space of IPv6 not only provides far more addresses than IPv4 but also brings structural improvements. With 128 bits there are 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses, an enormous number. In 1994, the IETF proposed IPv6 in RFC 1752. IPv6 addresses a number of problems: address shortage, quality of service, automatic address configuration, and authentication and security.

1.3 Some characteristics of IPv6
1.3.1 Larger address range
IPv6 uses 128-bit addresses while IPv4 uses only 32 bits; this means IPv6 has up to 2^128 distinct addresses. The first 3 bits are always 001 and are reserved for Globally Routable Unicast (GRU) addresses, which leaves 2^125 addresses, an enormous number. It means the IPv6 address space contains 10^28 IPv4 address spaces.

1.3.2 More address hierarchy
IPv6 divides the address into a set of defined ranges, or boundaries. The first 3 bits reveal whether an address is a Globally Routable Unicast (GRU) address, which lets routers process it faster. The Top Level Aggregator (TLA) ID serves two purposes: first, it designates a large address block from which smaller blocks are carved out to provide connectivity for addresses that want to reach the Internet; second, it identifies where a route comes from. If large blocks are allocated to service providers and then sub-allocated to customers, it is easy to recognize the transit networks a route passes through as well as the network the route originates from. With IPv6, finding the source of a route is very easy. The Next Level Aggregator (NLA) is an address block assigned beneath the TLA block; these addresses are summarized into the larger TLA blocks when they are exchanged between service providers in the Internet core. The advantages of this address structure are: first, routing stability; if we hold an NLA and want to provide service to customers, we can provide the most complete and best service. Second, we may also want to let customers receive the full routing table if they wish, to enable policy routing, load balancing and so on. To do this we must carry all the routing information in the backbone so that it can be passed on to them.

1.3.3 Simpler host addressing
IPv6 uses the last 64 bits for the host address, and 48 of those 64 bits are the machine's MAC address; therefore some predefined bits must be padded in, which routers will recognize on the subnet. Today the string 0xFF 0xFE (:FF:FE: in IPv6) is padded into the MAC address. In this way each host has a unique Host ID on the network. Later, if the 48-bit MAC space is exhausted, the full 64 bits may be used without padding.

1.3.4 Anycast addresses
IPv6 defines a new type of address: the Anycast address. An Anycast address is an IPv6 address assigned to a group of machines that share the same function or purpose. When a packet is sent to an Anycast address, routing decides which member of the group receives the packet by determining the machine closest to the source. Using Anycast has two benefits: first, if we are reaching the nearest machine in a group, we save time by communicating with the nearest machine; second, communicating with the nearest machine saves bandwidth. Anycast addresses do not have a separately defined address range as Multicast does; an Anycast address looks like a Unicast address, the only difference being that several machines may be numbered with the same address, with the same scope, within a defined area. Anycast is used in applications such as DNS.

1.3.5 Simpler address autoconfiguration
A Multicast address can be assigned to many machines. The difference from Anycast is that an Anycast packet is sent to the nearest destination (one of the machines sharing the address), while a Multicast packet is sent to all machines sharing the address (in a Multicast group). Combining the Host ID with Multicast, autoconfiguration can work as follows: when a machine boots, it sees that it is connected and sends a Multicast packet onto the LAN; this packet is addressed to a Multicast address of local scope (the Solicited Node Multicast address). When a router sees this packet, it replies with a network address that the source machine can use to configure itself; when the source receives this reply, it reads the network address the router sent and then assigns itself an IPv6 address by combining the Host ID (derived from the MAC address of the interface attached to that subnet) with the network address. This saves the effort of assigning IP addresses.
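The Host ID construction of 1.3.3 and the autoconfiguration of 1.3.5, as an added Python example that is not part of the report: it builds the 64-bit interface identifier by inserting FF:FE into a 48-bit MAC, combines it with a /64 prefix learned from the router, and derives the Solicited-Node multicast address of the result. One detail the text does not mention is included because RFC 4291 requires it: the universal/local bit (bit 1 of the first MAC octet) is inverted when forming the identifier. The MAC and prefix are constructed sample values.

```python
import ipaddress


def eui64_interface_id(mac):
    """64-bit interface identifier from a 48-bit MAC: split the MAC in
    half, insert 0xFF 0xFE between the halves, and invert the
    universal/local bit (0x02 of the first octet) per RFC 4291."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    padded = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([padded[0] ^ 0x02]) + padded[1:]


def slaac_address(prefix, mac):
    """Combine the /64 network prefix the router advertised with the
    interface identifier derived from the MAC; the host needs no server."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the address;
    this is the link-local multicast group used for the host's own address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


if __name__ == "__main__":
    # Constructed sample MAC and router-advertised prefix.
    mac, prefix = "00:1a:2b:3c:4d:5e", "2001:db8:1:2::/64"
    addr = slaac_address(prefix, mac)
    print(eui64_interface_id(mac).hex(), addr, solicited_node_multicast(addr))
```

Because the identifier embeds the MAC address, every address the host forms on any network carries the same hardware identifier, which makes the host trackable across networks; deployments that care about this use the temporary, randomized identifiers of RFC 4941 instead, and the function above is then only used for the link-local address at most.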

1.3.6 Security
IPv6 integrates security into its architecture by introducing two optional extension headers: the Authentication Header (AH) and the Encrypted Security Payload (ESP) header. These two headers can be used together or separately to support many security functions.

- AH: the most important field in this header is the Integrity Check Value (ICV). The ICV is computed by the source and recomputed by the destination for verification. This process provides integrity verification and data-origin verification. AH also contains a sequence number to recognize a replay attack, helping to block duplicated packets.
- ESP header: the ESP header contains a Security Parameter Index (SPI) field that lets the packet's destination know how the payload was encrypted. The ESP header can be used for tunneling; in tunneling, both the original header and payload are encrypted and placed inside an outer ESP header, and when the packet nears its destination the security gateways strip the outer header and decrypt it to recover the original header and payload.

1.3.7 Mobility
IPv6 supports mobile machines such as laptops well. IPv6 introduces four concepts to support mobile computing: Home address, Care-of address, Binding, and Home agent. In IPv6, a mobile machine is identified by a Home address, without needing to know where it is currently attached. When a mobile machine moves from one subnet to another, it must obtain a Care-of address through an autoconfiguration process. The combination of a Home address and a Care-of address is called a Binding. When a mobile machine obtains a Care-of address, it notifies its Home agent with a packet called a Binding update, so that the Home agent can update its Binding cache with the Care-of address the mobile machine just sent. The Home agent maintains a mapping between Home addresses and Care-of addresses and keeps it in the Binding cache. A mobile machine can be reached by sending a packet to its Home address. If the mobile machine is not attached to the Home agent's subnet, the Home agent forwards the packet to the mobile machine via the Care-of address in its Binding cache (at this point the Home agent acts as an intermediary so that the source can reach the mobile machine). The mobile machine then sends a Binding update to the packet's source. The source then updates its own Binding cache, so that later, when it wants to send to the mobile machine, it sends directly via the Care-of address held in its Binding cache without going through the Home address. Therefore only the first packet goes through the Home agent.

1.3.8 Performance
IPv6 provides the following benefits:

- Reduced header processing time, less overhead and no address translation: IPv4 uses private addresses to avoid running out of addresses, which led to NAT for address translation and thus more overhead per packet. Since IPv6 has no address shortage, private addresses are not needed and no address translation is required.
- Reduced routing processing time: many IPv4 address blocks are handed out to users but cannot be summarized, so they need separate routing-table entries, which enlarges the routing table and adds overhead to routing. In contrast, IPv6 addresses are distributed through ISPs in a hierarchical manner, which reduces this overhead.
- More stable routes: in IPv4, route flapping happens often; in IPv6, an ISP can summarize the routes of many networks into a single network, manage only that single network, and confine the effect of flapping to the interior of the flapping network.
- Less broadcast: IPv4 uses a lot of broadcast, for example ARP, whereas IPv6 uses the Neighbor Discovery Protocol to perform the same function during autoconfiguration without broadcast.
- Scoped multicast: in IPv6, a Multicast address contains a scope field that can confine Multicast packets to a node, to a link, or to an organization.
- No checksum.

2. IPv6 address classification
2.1 Unicast Address
a. Global Unicast Address
b. Link-Local Address
c. Site-Local Address
d. Unique Local Address
2.2 Anycast Address
2.3 Multicast Address
2.4 Special IPv6 address types
3. The IPv6 header
The IPv6 header is simpler and more rational than IPv4's. IPv6 has only 6 fields and 2 addresses, whereas IPv4 contains 10 fields and 2 addresses. The IPv6 header has the following form:
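In place of the figure, which is not reproduced here, the following added Python example (not from the report) packs and unpacks the fixed 40-octet base header: the version/traffic-class/flow-label word, Payload Length, Next Header, Hop Limit and the two 128-bit addresses. The sample header is constructed; it announces an ESP payload (IP protocol number 50).

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40            # fixed size; there are no options in the base header
HEADER_FMT = "!IHBB16s16s"      # 4 + 2 + 1 + 1 + 16 + 16 = 40 octets


def build_ipv6_header(src, dst, payload_len, next_header, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Pack the eight base-header fields. Version (4 bits), Traffic Class
    (8 bits) and Flow Label (20 bits) share the first 32-bit word."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return struct.pack(HEADER_FMT, first_word, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(data):
    """Unpack the base header; reject truncated input and non-IPv6 versions.
    Note there is no checksum field to verify, as the text explains."""
    if len(data) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, nh, hop, src, dst = struct.unpack(
        HEADER_FMT, data[:IPV6_HEADER_LEN])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": nh,
        "hop_limit": hop,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
    }


# Constructed sample: 120 payload octets, Next Header 50 (ESP), flow label 0xabcde.
SAMPLE = build_ipv6_header("2001:db8::1", "2001:db8::2", 120, 50, flow_label=0xabcde)

if __name__ == "__main__":
    print(parse_ipv6_header(SAMPLE))
```

The parser checks only what the header itself carries; whether Payload Length matches the bytes that actually follow is a separate check the caller must make, since nothing in the base header protects it.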

IPv6 provides the following simplifications. Simplified format: the IPv6 header has a fixed size of 40 octets with fewer fields than IPv4, which reduces header processing time and increases flexibility. No header checksum: the IPv4 checksum field has been removed because today's links are faster and more reliable, so only the hosts need to compute a checksum and routers do not.

Chapter II. Understanding IPSEC
1. Overview of IPSEC

IPSEC (Internet Protocol Security) is a Network-layer (OSI) protocol that allows IP packets to be sent authenticated and encrypted. Depending on the level required, IPSEC can provide both confidentiality and authentication for data exchange, based on two kinds of cryptographic service: AH and ESP. The main purpose of developing IPSEC was to provide a security mechanism at layer 3 of the OSI model. IPSEC is also an important component supporting the L2TP (Layer Two Tunneling Protocol) protocol in virtual private network (VPN) technology.
2. IPSEC protocol architecture
2.1 General model:

Figure 2.1: General model of the IPSEC protocol

2.2 Basic protocols in IPSEC
The two basic protocols implementing IPSEC are AH and ESP. AH provides only authentication services; ESP provides both confidentiality and authentication services.

2.3 Security Associations
An SA (Security Association) is a basic concept of the IPSEC protocol suite. An SA is a logical, unidirectional connection between two entities using IPSEC services. An SA consists of 3 fields:

Figure 2.3: The three fields of an SA
SPI (Security Parameter Index): a 32-bit field used to identify the security protocol, as defined by the Security Protocol field, in use within the IPSEC suite. The SPI is carried at the start of the security protocol header and is usually chosen by the destination system during SA negotiation.
Destination IP Address: the destination IP address. The current SA management mechanism is defined only for Unicast systems, although the address could be Broadcast, Unicast or Multicast.
Security Protocol: describes the IPSEC security protocol, either AH or ESP.
SAs in IPSEC are deployed in two modes: Tunnel Mode and Transport Mode.

2.4 Transport Mode and Tunnel Mode
Currently IPSEC has two working modes: Transport and Tunnel Mode. Both AH and ESP can work in either mode.
Figure 2.4: IPSEC working modes

3. Modes
3.1 Transport Mode
3.2 Tunnel Mode
4. The ESP protocol
4.1 Protection mechanisms provided by ESP
ESP provides two kinds of protection: one is specific to ESP and the other repeats a mechanism also provided by AH. The following protections are provided by ESP but not by AH:
o Confidentiality: this guarantees that if a message is captured in transit, an intermediary cannot understand its content; only the sender and receiver can.
o Protection against traffic analysis (Tunnel Mode only): this guarantees that intermediaries cannot determine which parties are communicating with each other, nor the frequency and volume of information exchanged between them.
ESP can also provide some of the protections offered by AH: data integrity, origin authentication and anti-replay. There are some differences in the data integrity and origin authentication offered by AH and ESP. An AH in Transport Mode protects the IP header of the IP packet as well, whereas Transport Mode ESP protects only the packet's data. In Tunnel Mode both mechanisms protect the inner header, but only AH protects the outer header. However, creating the SA can indirectly authenticate the IP address, which removes this difference.
4.2 ESP structure

Figure 4.2: ESP header format
ESP consists of the following fields:
o SPI: the value placed in the SAD.
o Sequence Number: the same as for AH.
o Payload Data: the encrypted IP data packet.
o Padding (of any length) and Pad Length (8 bits): the padding data and its size.
o Next Header: the type of data inside ESP.
o Authentication Data (a multiple of 32 bits): authentication information computed over the whole ESP packet except the Authentication Data itself.
The ESP header is usually divided into four parts as follows:
o The Initial ESP Header contains the SPI and Sequence Number.
o Data contains any special unencrypted data (if present), the destination extension header that follows the ESP header (IPv6 only), the TCP or UDP header and the message data.
o The ESP Trailer contains the Padding (if any), the Pad Length field and the Next Header field.
o ESP Authentication Data contains the authentication data, if any.
4.3 Position of ESP and its working modes
The ESP header can be used in both Transport Mode and Tunnel Mode. The figure below shows the position of the ESP transport header in both IPv4 and IPv6. In IPv4 it can follow the IP header or an AH. Next comes the header named by Next Header (TCP, UDP, ICMP). In IPv6, zero or more extension headers (Hop-by-Hop, Routing, Fragment or Destination Options) may precede the ESP header. In addition, a Destination Options header may follow the ESP header. The relative position of this header and the ESP header depends on whether its own processing is performed before or after ESP processing. If the packet is encrypted, a Destination Options header that follows the ESP header is encrypted with it and cannot be read by any intermediate destination.

Figure 4.3.1: Position of the ESP transport header in IPv4 and IPv6
The next figure illustrates the position of the ESP header in Tunnel Mode. In IPv4 the ESP header follows the new IP header and sits ahead of the original IP header. In IPv6, ESP follows the extension headers (if any) as in Transport Mode and precedes the original IP header.

Figure 4.3.2: Position of the ESP header in Tunnel Mode for IPv4 and IPv6
4.4 Nested and adjacent headers in ESP
With two kinds of security header, applying more than one SA to a message becomes more complicated. If adjacent headers are used (for example, when the endpoints of both SAs are the same), the AH header precedes the ESP header. This means the packet is encrypted first and then authenticated. In this way the encrypted packet is protected against tampering. However, the same result can be achieved better by using a single ESP header that provides both authentication and encryption. Nested headers are used more frequently. In case two (presented in the AH section), suppose gateways SG1 and SG2 require all gateway-to-gateway traffic to be both authenticated and encrypted. This can be done in two ways: through one ESP SA providing both authentication and encryption, or through adjacent AH and ESP SAs. For gateways protecting traffic between hosts H1 and H2, the SA should be a tunnel mode SA. However, this leaves the data transmitted between H1 and SG1 unprotected. If H1 does not trust its security gateway to carry its data, or there is an untrusted user on H1's local network, then H1 also needs to authenticate the path within the local network. To achieve this, using a nested SA is the ideal solution: a pair of ESP tunnel mode SAs between SG1 and SG2 and a pair of AH transport mode SAs between H1 and H2. The figure below shows how a nested SA is used.

Figure 4.4.1: Use of a nested SA
In this case, when a message is sent from H1 to H2, it carries a Transport Mode AH from the moment it leaves H1 until it reaches SG1. When it travels from SG1 to SG2 it combines AH and ESP through an inner Transport Mode AH header and an outer Tunnel Mode ESP header. When it travels from SG2 to H2, only the Transport Mode AH header remains.

4.5 ESP processing for outbound messages
Some processing steps are the same as for AH. Those steps are not repeated in detail here. Once it has been determined that an outbound message is protected by an ESP header and the outbound SA responsible for managing this message has been found or negotiated, the message is passed to IPSEC processing, which consists of the following steps:
o Add an ESP header template at the appropriate position.
o Fill in the SPI field with the SPI value of the chosen SA.
o Compute the sequence number field.
o If encryption takes place, the chosen encryption algorithm may require some data that is sent unencrypted, and that data is added to the packet.
o Add the tunnel header if necessary.
o Add the remaining data of the packet.
o Compute the length of the padding if needed. The padding values must be determined by the chosen encryption algorithm; if the algorithm does not specify them, a sequence of consecutive natural numbers can be used as padding.
o Add the Next Header field.
o Encrypt the message if the SA requires data encryption. The packet data, padding, pad length and next header fields are encrypted, together with the tunnel header for a tunnel mode SA. The encryption algorithms defined for IPSEC processing of ESP are DES-CBC or the null encryption algorithm. The latter provides no data encryption. Because the ESP header must provide confidentiality, authentication or both, when the null encryption algorithm is used for encryption, the null authentication algorithm may not be used for authentication.
o Compute the authentication data if the SA requires authentication. The authenticated data consists of the initial ESP header as well as the encrypted data. The authentication algorithms used in IPSEC processing of ESP are HMAC-MD5, HMAC-SHA1 and the null authentication algorithm. The last provides no authentication. Because the ESP header must provide integrity, authentication or both, when the null authentication algorithm is used for authentication, the null encryption algorithm may not be used for encryption.
o Fragment if necessary.

4.6 ESP processing for inbound messages
When a message containing an ESP header is received, IP packet processing first ensures that all fragments are reassembled into a complete message. The message is then passed to IPSEC processing, which consists of the following steps:
o Search the SAD to find the inbound SA that manages this message.
o If the receiver uses anti-replay, perform the anti-replay check.
o Verify authentication. If the check determines that the packet does not authenticate, it may be discarded; otherwise continue to the next step. Performing authentication before decryption avoids spending the cost of decryption on messages that have been tampered with (and so fail to authenticate).
o Decrypt the rest of the packet. If decryption fails or the decrypted result is garbled with respect to the positions of the fields, the message is discarded.
o Remove the padding if any was added.
o Remove the ESP header and continue IPSEC processing for any remaining IPSEC headers.
o Check the SPI to ensure that the IPSEC policy applied to the message matches the IPSEC policy required for the message.
Successfully authenticating and decrypting an inbound message with an SA from the SAD does not by itself guarantee that this SA should be used to protect that kind of traffic. In case 1 (presented in the previous chapter), suppose H1 and H2 set up several SAs to protect traffic between their endpoints: SA1 and SA2, protecting HTTP packets from tampering, are AH SAs, and SA3 and SA4, protecting FTP packets, are ESP SAs.
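The outbound and inbound steps listed in 4.5 and 4.6, as an added Python model that is not part of the report. It uses two of the algorithms the text names, the null encryption algorithm (so the standard library suffices and the "encrypted" region is plaintext) and HMAC-SHA1, with the tag truncated to 96 bits as HMAC-SHA1-96 does; the SPI, key and payloads are constructed values. It keeps the order the text insists on: SA lookup, anti-replay check, ICV verification, and only then decryption and unpadding, with the replay window updated only after a packet has authenticated. Tunnel headers, fragmentation and a real cipher are omitted.

```python
import hashlib
import hmac
import struct

ESP_NULL_BLOCK = 4      # the ESP trailer must end on a 4-octet boundary
ICV_LEN = 12            # HMAC-SHA1-96: the 20-byte tag truncated to 96 bits


class EspSa:
    """One direction of an ESP SA: SPI, authentication key, outbound
    sequence counter and a sliding anti-replay window for inbound use."""

    def __init__(self, spi, auth_key, window=64):
        self.spi, self.auth_key, self.window = spi, auth_key, window
        self.seq_out = 0        # last sequence number sent
        self.last_seq = 0       # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => last_seq - i already accepted


def _icv(sa, data):
    return hmac.new(sa.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_outbound(sa, payload, next_header):
    """Build SPI | seq | payload | padding | pad length | next header | ICV.
    Padding uses the 1,2,3,... pattern the text describes; the ICV covers
    everything before it, as the Authentication Data field requires."""
    sa.seq_out += 1
    pad_len = (-(len(payload) + 2)) % ESP_NULL_BLOCK
    padding = bytes(range(1, pad_len + 1))
    body = payload + padding + bytes([pad_len, next_header])   # ESP_NULL: stays plaintext
    header = struct.pack("!II", sa.spi, sa.seq_out)
    return header + body + _icv(sa, header + body)


def _replay_ok(sa, seq):
    """Reject seq 0, anything older than the window, and duplicates."""
    if seq == 0:
        return False
    if seq > sa.last_seq:
        return True
    diff = sa.last_seq - seq
    return diff < sa.window and not (sa.bitmap >> diff) & 1


def _replay_mark(sa, seq):
    """Slide the window forward or set the bit for an out-of-order packet."""
    if seq > sa.last_seq:
        sa.bitmap = ((sa.bitmap << (seq - sa.last_seq)) | 1) & ((1 << sa.window) - 1)
        sa.last_seq = seq
    else:
        sa.bitmap |= 1 << (sa.last_seq - seq)


def esp_inbound(sad, packet):
    """Inbound order from the text: SAD lookup by SPI, anti-replay check,
    ICV verification, then (null) decryption and unpadding.
    Returns (next_header, payload) or raises ValueError with the drop reason."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("drop: truncated ESP packet")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        raise ValueError("drop: no inbound SA for SPI")
    if not _replay_ok(sa, seq):
        raise ValueError("drop: replayed or stale sequence number")
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(_icv(sa, authed), icv):
        raise ValueError("drop: ICV mismatch")       # no decryption work spent
    _replay_mark(sa, seq)                              # only after authentication
    body = authed[8:]                                  # ESP_NULL: nothing to decrypt
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("drop: pad length exceeds payload")
    end = len(body) - 2
    if body[end - pad_len:end] != bytes(range(1, pad_len + 1)):
        raise ValueError("drop: padding pattern damaged")
    return next_header, body[:end - pad_len]


# Constructed demo key and SPI, not real values.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")


def make_pair(spi=0x1000):
    """Sender's SA and the receiver's SAD (indexed by SPI) for the same SA."""
    return EspSa(spi, KEY), {spi: EspSa(spi, KEY)}


if __name__ == "__main__":
    tx, sad = make_pair()
    pkt = esp_outbound(tx, b"hello world", 6)
    print(pkt.hex(), esp_inbound(sad, pkt))
```

Two properties worth checking against the model: a forged or tampered packet is rejected at the ICV step before any decryption work and does not burn its sequence number, so the genuine packet with that number is still accepted later; and the window accepts packets that arrive out of order but refuses a second copy of any packet it has already accepted.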

Figure 4.6.1: Erroneous SA usage
When a message arrives at H2 and its parameters (SPI, protocol (ESP) and destination address) bind the packet to SA3, this SA is used to decrypt the message. But what happens if H1 mistakenly uses SA3 for HTTP packets sent to H2? The inbound message selectors (destination address, SPI, protocol (ESP)) all point to SA3. The port number (which would show that this is not an FTP packet; recall that by our assumption SA3 protects only FTP packets) cannot be obtained until the packet has been decrypted. The packet is decrypted anyway, because a matching SA was found in the SAD. The policy check applied to the packet then determines that the policy applying to this packet does not match the policy required for SA3, and so the packet is dropped. This makes the decryption work wasted. A more serious situation arises when an SA bundle, a group of related SAs, is used to protect the same message.
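The SAD lookup followed by the policy check, as an added Python example that is not part of the report. It models the scenario just described (SA3 negotiated for FTP, misused for HTTP) and also the SA bundle case in the paragraph that follows (policy requires AH over ESP but only ESP is present). Host H2's SAD and SPD, the SPIs and the address are constructed; the point shown is that the port selector is only available after decryption, so the drop happens after the cryptographic work has already been spent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sa:
    name: str
    protocol: str           # "AH" or "ESP"
    ports: frozenset        # transport selector the SA was negotiated for


@dataclass(frozen=True)
class Packet:
    dst: str
    headers: tuple          # security headers, outermost first: ((protocol, spi), ...)
    dst_port: int           # only readable once the payload has been decrypted


def lookup_sa(sad, dst, protocol, spi):
    """The SAD is indexed by the three fields visible before decryption."""
    return sad.get((dst, protocol, spi))


def process_inbound(sad, spd, pkt):
    """Returns (verdict, detail, crypto_spent). crypto_spent records whether
    the drop happened after authentication/decryption had already been done."""
    applied = []
    for protocol, spi in pkt.headers:
        sa = lookup_sa(sad, pkt.dst, protocol, spi)
        if sa is None:
            return ("drop", f"no {protocol} SA for SPI {spi:#x}", False)
        applied.append(sa)          # ICV verified / payload decrypted under this SA
    # Policy check can only run now: the port was not readable earlier.
    for sa in applied:
        if pkt.dst_port not in sa.ports:
            return ("drop", f"{sa.name} not negotiated for port {pkt.dst_port}", True)
    required = spd.get(pkt.dst_port, ())
    got = tuple(sa.protocol for sa in applied)
    if got != required:
        return ("drop", f"policy requires {required}, packet carried {got}", True)
    return ("accept", f"{len(applied)} security header(s) matched policy", True)


# Constructed SAD/SPD for host H2; address and SPIs are placeholders.
H2 = "2001:db8::2"
HTTP, FTP = 80, 21


def case_single_sa():
    """Section 4.6 scenario: SA1 is an AH SA for HTTP, SA3 an ESP SA for FTP.
    The second packet is H1 sending HTTP under SA3 by mistake."""
    sad = {(H2, "AH", 0x101): Sa("SA1", "AH", frozenset({HTTP})),
           (H2, "ESP", 0x103): Sa("SA3", "ESP", frozenset({FTP}))}
    spd = {HTTP: ("AH",), FTP: ("ESP",)}
    ok = process_inbound(sad, spd, Packet(H2, (("ESP", 0x103),), FTP))
    misused = process_inbound(sad, spd, Packet(H2, (("ESP", 0x103),), HTTP))
    return ok, misused


def case_bundle():
    """Figure 4.6.2 scenario: FTP must carry encrypt-only ESP (SA1) inside AH (SA3).
    Case (a) sends ESP alone; case (b) sends the full bundle."""
    sad = {(H2, "ESP", 0x201): Sa("SA1", "ESP", frozenset({FTP})),
           (H2, "AH", 0x203): Sa("SA3", "AH", frozenset({FTP}))}
    spd = {FTP: ("AH", "ESP")}      # outermost header first
    wrong = process_inbound(sad, spd, Packet(H2, (("ESP", 0x201),), FTP))
    right = process_inbound(sad, spd, Packet(H2, (("AH", 0x203), ("ESP", 0x201)), FTP))
    return wrong, right


if __name__ == "__main__":
    print(case_single_sa())
    print(case_bundle())
```

In both misuse cases the `crypto_spent` flag in the result is True: the SAD lookup succeeded and the decryption was performed before the policy check could reject the packet, which is the cost the text points out.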

Figure 4.6.2: SA bundle applications: (a) erroneous application and (b) correct application
Suppose H1 and H2 set up two end-to-end SAs: SA1 and SA2 are ESP encrypt-only SAs, and SA3 and SA4 are AH SAs that authenticate the encrypted messages together with their IP headers. What happens if H1 uses only SA1 to send FTP requests to H2? The inbound packet's parameters (SPI, protocol, destination address) all point to SA1. The packet is decrypted successfully because it points to a valid SA in the SAD. However, when it is passed to the check of whether the applied policy fits this packet, the packet is rejected, because the policy check determines that the packet must carry two security headers while it carries only one. Case (a) in the figure above shows the incorrect use of an SA bundle, and case (b) shows the correct use.
5.1 Authentication Header (AH)
5.2 Encapsulating Security Payload (ESP)
6. Key exchange in IPSEC: Internet Key Exchange (IKE)
6.1 Key exchange in IPSEC: Internet Key Exchange (IKE)
6.1.1 ISAKMP Phase 1
6.1.2 ISAKMP Phase 2
6.2 IKE Modes

Chapter III. UNDERSTANDING VIRTUAL PRIVATE NETWORK (VPN) TECHNOLOGY
1. The VPN concept; components needed to create a VPN connection.
2. VPN protocols: L2TP, GRE, IPSec, PPTP.
3. VPN connection types: Remote Access VPN, Site-to-site VPN, Dynamic VPN, ...

Chapter IV. DATA SECURITY IN VPNS WITH IPSEC TECHNOLOGY
1. Encryption: ciphers, symmetric and asymmetric cryptosystems, the Diffie-Hellman key exchange algorithm.
2. Information authentication: hash functions.
3. Key management in IPSec.
4. Setting up IPSec/VPN