
POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY

UNDERGRADUATE GRADUATION THESIS

RESEARCH ON VPN SOLUTIONS OVER MPLS TECHNOLOGY

Supervisor: M.Sc. Hoàng Trọng Minh
Student: Nguyễn Mạnh Hùng
Class: D2004VT1

Hà Nội, 11-2008


POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY
FACULTY OF TELECOMMUNICATIONS 1

SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

GRADUATION THESIS ASSIGNMENT

Full name: Nguyễn Mạnh Hùng
Class: D2004-VT1
Cohort: 2004-2009
Major: Electronics and Telecommunications

THESIS TITLE: "VIRTUAL PRIVATE NETWORK (VPN) TECHNOLOGY OVER MPLS"
THESIS CONTENT:
Part I: General introduction to VPN technology and the protocols used for VPN: L2F, PPTP, L2TP, IPSec.
Part II: Introduction to VPN technology over MPLS.
Date assigned: …
Date submitted: …

Hà Nội, day … month … 2008
Supervisor
Hoàng Trọng Minh

SUPERVISOR'S COMMENTS: …
Grade: … (In words: …)
Hà Nội, day … month … 2008
Supervisor
Hoàng Trọng Minh

REVIEWER'S COMMENTS: …
Grade: … (In words: …)
Day … month … 2008
Reviewer

FOREWORD

Today the rapid development of science and technology, especially information technology and telecommunications, has become an important driver of the world economy. Organizations and enterprises with many branches, and multinational companies, must constantly exchange information with their customers, partners and employees. They therefore need the latest and most accurate information, while ensuring high reliability between their branches around the world as well as with partners and customers. To meet these requirements, in the past there were two kinds of telecommunications service that organizations and enterprises could choose for connectivity. First, leasing private lines (leased lines) from service providers to connect all of the company's subnets together. This method is very expensive both for the initial build-out and for later operation, maintenance and expansion. Second, they could share the operator's infrastructure; this solution has many shortcomings when it cannot meet the specific requirements of the service, such as quality, reliability and information security.

The emergence of virtual private network (VPN) technology reconciles these two kinds of service: a VPN can be built on the existing infrastructure and yet has the properties of a local network, as when leased lines are used. VPN can therefore be called the optimal choice for businesses. At a reasonable cost, a VPN can help an enterprise reach globally faster and more efficiently than wide area network (WAN) solutions. With VPN, build-out costs fall because the existing public infrastructure is reused, recurring costs fall, and the design is flexible. To approach the new technology directions being deployed in today's telecommunications environment, I chose the topic "Research on VPN solutions over MPLS technology", in order to absorb the knowledge, identify the key points of the targeted solution, and master the technology. The thesis consists of 3 chapters divided into 2 main parts. Part I: general introduction to VPN technology and the protocols used for VPN: L2F, PPTP, L2TP, IPSec. Part II: introduction to VPN technology over MPLS. The content of each chapter is as follows. Chapter I: OVERVIEW OF VPN. This chapter presents the basic concepts of virtual private network technology and the types of VPN being deployed today. Chapter II: PROTOCOLS OPERATING IN VPN. This chapter introduces two basic protocols: IPSec, which supports the security of VPN over IP, and the layer 2 tunneling protocols, which are the strongly developing trend today. These are also the processes that directly affect the VPN models on layer 2 infrastructures such as ATM/MPLS. Chapter III: VIRTUAL PRIVATE NETWORKS OVER MPLS. Given the characteristics of the two technologies being deployed today, this chapter presents specific solutions and analyses that show the advantages and disadvantages of the technology and assess the development of VPN/MPLS. Because of many limitations, the thesis can hardly avoid errors. The author hopes to receive comments from teachers and readers. I sincerely thank M.Sc. Hoàng Trọng Minh for his dedicated guidance in helping me complete this thesis.

Hà Nội, day … month … 2008

Student: Nguyễn Mạnh Hùng

TABLE OF CONTENTS
PART I ... 1
CHAPTER I: OVERVIEW OF VPN ... 1
1.1 The concept of a virtual private network ... 1
1.2 Benefits of VPN ... 3
1.3 Disadvantages and problems to be overcome ... 4
1.4 Classification of VPNs and applications ... 5
1.4.1 Remote access VPN ... 5
1.4.2 Site-to-site VPN ... 7
1.4.2.1 Intranet VPN ... 8
1.4.2.2 Extranet VPN ... 9
1.5 Types of VPN network ... 10
1.5.1 Remote users accessing through the Internet (Access VPN) ... 10
1.5.2 Connecting networks over the Internet (Intranet VPN) ... 11
1.5.3 Connecting computers over an Intranet (Extranet VPN) ... 12
1.6 Conclusion ... 13
2.1 Mode of operation ... 14
2.1.1 Security Association (SA) ... 14
2.1.2 Authentication Header (AH) ... 15
2.1.3 Encapsulating Security Payload (ESP) ... 17
2.1.4 Modes of operation ... 19
2.2 Key management ... 21
2.2.1 Oakley modes and ISAKMP phases ... 22
2.2.2 SA negotiation ... 26
2.3 Using IPSec ... 26
2.3.1 Security gateways ... 27
2.3.2 Proxy SAs ... 27
2.3.3 Remote hosts ... 28
2.3.4 An illustrative example ... 29
2.4 Open issues in IPSec ... 30
2.5 Tunneling protocols ... 31
2.5.1 Introduction to tunneling protocols ... 31
2.5.2 The Layer 2 Forwarding protocol (L2F) ... 32
2.5.2.1 L2F packet structure ... 32
2.5.2.2 Operation of L2F ... 33
2.5.2.3 Advantages and disadvantages of L2F ... 35
2.5.3 The Point-to-Point Tunneling Protocol (PPTP) ... 35
2.5.3.1 Overview of PPTP operation ... 35
2.5.3.2 Tunnel maintenance with the PPTP control connection ... 37
2.5.3.3 PPTP tunnel data encapsulation ... 37
2.5.3.4 Data processing at the PPTP tunnel endpoint ... 40
2.5.3.5 Deploying VPN based on PPTP ... 40
2.5.3.6 Advantages, disadvantages and applicability of PPTP ... 42
2.5.4 The L2TP protocol ... 42
2.5.4.1 L2TP format ... 43
2.5.4.2 Using L2TP ... 53
2.5.4.3 Applicability of L2TP ... 56
PART II ... 58
CHAPTER III: VIRTUAL PRIVATE NETWORKS OVER MPLS ... 58
3.1 Components of MPLS VPN ... 58
3.1.1 The MPLS VPN service provision system ... 58
3.1.2 The service provider edge router ... 59
3.1.3 Virtual routing and forwarding tables ... 60
3.2 MPLS VPN models ... 62
3.2.1 The L3VPN model ... 62
3.2.2 The L2VPN model ... 63
3.3 Operation of MPLS VPN ... 64
3.3.1 Distributing routing information ... 64
3.3.2 VPN IP addressing ... 66
3.3.3 Forwarding VPN packets ... 69
3.4 Security in MPLS-VPN ... 73
3.5 Quality of service in MPLS VPN ... 75
3.5.1 The pipe model ... 75
3.5.2 The hose model ... 77
3.6 Comparison of IPSec-based and MPLS-based VPN ... 79
3.6.1 Evaluation criteria ... 79
3.6.2 Key characteristics of IPSec VPN and MPLS VPN ... 80
3.8 Chapter summary ... 83
MPLS VPN NETWORK SIMULATION PROBLEM ... 84
1. PROBLEM STATEMENT ... 84
2. BUILDING THE PROBLEM ... 84
3. USING SIMULATION TOOLS ... 100
3.1 GNS3 software ... 100
3.2 NS2 software ... 101
3.3 Choosing the simulation software ... 102
4. RESULTS AND EVALUATION ... 102
CONCLUSION ... 109
REFERENCES ... 111
ACKNOWLEDGEMENTS ... 112

LIST OF FIGURES
Figure 1.1: Remote access VPN model ... 6
Figure 1.2: Intranet VPN model ... 8
Figure 1.3: Extranet VPN model ... 9
Figure 1.4: Using a VPN to connect a remote client to a private LAN ... 11
Figure 1.5: Ipass access organization ... 11
Figure 1.6: Using a VPN to connect two remote sites ... 12
Figure 1.7: Using a VPN to connect two remote computers on the same LAN ... 13
Figure 2.1: IPv4 packet format before and after AH processing ... 16
Figure 2.2: IPv6 packet format before and after AH processing ... 16
Figure 2.3: Encapsulating Security Payload ... 17
Figure 2.4: Comparison of authentication by AH and ESP ... 18
Figure 2.5: AH tunnel mode ... 19
Figure 2.6: ESP tunnel mode ... 20
Figure 2.7: Cases of transport mode and tunnel mode ... 20
Figure 2.8: ISAKMP main mode ... 23
Figure 2.9: ISAKMP aggressive mode ... 24
Figure 2.10: ISAKMP quick mode ... 25
Figure 2.11: Components of an Internet VPN ... 26
Figure 2.12: IPSec and security policies ... 29
Figure 2.13: Example of an IPSec VPN ... 30
Figure 2.14: L2F packet format ... 32
Figure 2.15: System model using L2F ... 33
Figure 2.18: PPTP encapsulation diagram ... 39
Figure 2.19: Components of a PPTP-based VPN provision system ... 41
Figure 2.20: L2TP architecture ... 44
Figure 2.21: Protocols used in an L2TP connection ... 45
Figure 2.22: L2TP encapsulation ... 45
Figure 2.23: Voluntary and compulsory tunnels ... 46
Figure 2.24: Packet encoding for compulsory tunnels ... 50
Figure 2.26: Packet encoding for voluntary tunnels ... 51
Figure 2.27: L2TP tunnel connecting LAN to LAN ... 52
Figure 2.28: Basic components of L2TP ... 54
Figure 2.29: L2TP dial-up in a VPN ... 56
Figure 3.1: The MPLS VPN service provision system and its components ... 59
Figure 3.2: The PE router and the connection of customer sites ... 60
Figure 3.3: MPLS L3VPN model ... 62
Figure 3.4: MPLS L2VPN model ... 64
Figure 3.5: VPN IPv4 addresses ... 67
Figure 3.6: Route distinguisher field format ... 67
Figure 3.7: Using labels to forward VPN packets ... 70
Figure 3.8: Using the label stack to forward VPN packets ... 71
Figure 3.9: VPN data forwarding across the MPLS network ... 72
Figure 3.10: Pipe model of quality of service in MPLS VPN ... 77
Figure 3.11: Hose model of quality of service in MPLS VPN ... 78

LIST OF ABBREVIATIONS
AC: Access Concentrator
ATM: Asynchronous Transfer Mode
ASN: Autonomous System Number
AN: Assigned Number
BGP: Border Gateway Protocol
BGPv4: Border Gateway Protocol version 4
CHAP: Challenge Handshake Authentication Protocol
ECR: Egress Committed Rate
EAP: Extensible Authentication Protocol
ESP: Encapsulating Security Payload
FTP: File Transfer Protocol
FCS: Frame Check Sequence
FR: Frame Relay
GRE: Generic Routing Encapsulation
HMAC: Hashed-keyed Message Authentication Code
IP: Internet Protocol
ICR: Ingress Committed Rate
IS-IS: Intermediate System to Intermediate System
IPSec: Internet Protocol Security
ISAKMP: Internet Security Association and Key Management Protocol
IKE: Internet Key Exchange
ICMP: Internet Control Message Protocol
IP AH: IP Authentication Header
ISDN: Integrated Services Digital Network
ISP: Internet Service Provider
IMAP: Internet Message Access Protocol
L2VPN: Layer Two VPN
L3VPN: Layer Three VPN
LCP: Link Control Protocol
L2TP: Layer Two Tunneling Protocol
L2F: Layer Two Forwarding
LAN: Local Area Network
MP-BGP: Multiprotocol BGP
MPLS: Multi Protocol Label Switching
MD5: Message Digest 5
NAT: Network Address Translation
NAS: Network Access Server
OSPF: Open Shortest Path First
POP: Point of Presence
PPTP: Point to Point Tunneling Protocol
PKI: Public Key Infrastructure
PPP: Point-to-Point Protocol
PAP: Password Authentication Protocol
RAS: Remote Access Server
RADIUS: Remote Authentication Dial-in User Service
SLA: Service Level Agreements
SA: Security Association
SPI: Security Parameter Index
SHA-1: Secure Hash Algorithm-1
SPE: (Sonet) Synchronous Payload Envelope
TACACS+: Terminal Access Controller Access Control System Plus
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
VPN: Virtual Private Network
VRF: Virtual Routing and Forwarding
WAN: Wide Area Network
WWW: World Wide Web
xDSL: X-Type Digital Subscriber Line

PART I
CHAPTER I: OVERVIEW OF VPN

A VPN can be understood as a network that connects customer sites securely over a shared network infrastructure, with access control and security policies like those of a private network. Although it is built on the existing infrastructure of the public network, a VPN has the properties of a local network, as when leased channels are used. In this introduction we examine the basic issues of VPN, the types of VPN, the benefits it brings, and some related issues.

1.1 The concept of a virtual private network

A virtual private network is a method of making a public network (for example the Internet) behave like a local network, with the same properties, such as security and priority, that users have always preferred. A VPN allows private connections to be set up with remote users, the company's branch offices and the company's partners over a shared public network. A traditional wide area network (WAN) requires the company to pay for and maintain many kinds of private line, in parallel with investing in equipment and staff. These cost problems mean that companies, although they want the benefits that network expansion brings, sometimes cannot realise them. A VPN, by contrast, does not face the cost barriers of such WANs, because it is implemented over a public network. In fact, the VPN concept is not a new technology; it was used in telephone networks many years ago and became popular with the development of intelligent networks. VPNs only became truly new when they moved to IP networks (networks using the Internet protocol) such as the Internet. A VPN uses data encryption to prevent unauthorised users from accessing data and to ensure that data is not modified. Tunneling is a mechanism for encapsulating one protocol inside another. In the Internet context, tunneling allows protocols such as IPX, AppleTalk and IP to be encrypted and then encapsulated in IP. Similarly, in the VPN context, tunneling hides the original network-layer protocol by encrypting the data packet and placing the encrypted packet inside an IP envelope. This IP envelope, which is really an IP packet, is then transferred securely across the Internet. At the receiving side, once the packet has been received, the outer envelope is removed, the data in the packet is decrypted, and it is delivered to the appropriate access device, such as a router. A VPN also provides quality of service (QoS) agreements; these are usually defined as an upper bound on the permitted average packet delay in the network. In addition, the agreements may include a lower bound on the usable bandwidth for each user. These agreements are developed through Service Level Agreements (SLAs) with the service provider. From the issues presented above, a VPN can be defined briefly by the following formula:

VPN = Tunneling + Security + QoS agreements

Thanks to the important applications deployed on the Intranet and on remote access networks, customers are more satisfied in their work, and the company's business operations become more rational, more efficient and reach larger markets. However, network costs (equipment, lines and maintenance) and network management are important issues for many companies, especially those that want a fast return on investment. The solution of building virtual private networks was therefore proposed to minimise a company's network costs, replacing the traditional solutions based on dedicated lines. Because networking via VPN saves far more than leasing lines, enterprises can extend their reach globally (via the Internet) without investing at global scale. VPN plays an important role in the enterprise by reducing connection costs for mobile workers and for companies with many branches around the world, whose large staff often work in countries far from headquarters, by extending the Intranet to branch offices, and by communicating with partners and customers mainly through the Extranet. Below we discuss some benefits and values of VPN and the terms related to VPN, and give an overview of the current operating methods of VPNs, to make it easier to choose the most suitable and effective method for building a VPN.

1.2 Benefits of VPN

VPN brings real and immediate benefits to a company. A VPN can be used to simplify access for teleworkers and mobile users, to extend the Intranet to every branch office, and even to deploy an Extranet to customers and key partners; importantly, all of this costs far less than buying equipment and lines for a private WAN. A VPN owned and managed by a service provider can, through economies of scale and advanced technology, serve many organizations on the same network, using modern software to keep one company's data traffic separated from other companies'. The advantages of VPN can be summarised as follows.

Reduced recurring costs. VPN saves up to 60% compared with leased lines and significantly reduces the telephone bills of staff working remotely. Long-distance charges are reduced for mobile and remote staff because they access the network through local points of presence (POP), limiting long-distance calls to centralised modem pools.

Reduced capital investment. No investment is needed in servers, backbone routers or access switches, because these devices are managed and owned by the service providers. The company also does not need to buy, configure or manage complex modem pools. In addition, customer premises equipment can be rented cheaply, usually from the service providers or from value-added service companies, so network upgrades become easier and cheaper.

Reduced management and support costs. With their economies of scale, service providers can bring companies valuable savings compared with managing the network themselves, reducing or eliminating the need for in-house staff. Moreover, round-the-clock support is provided by skilled staff who are always available to resolve incidents quickly.

Access anywhere, anytime. Customers of a VPN over this extended network have the same access rights and capabilities to the central services, including WWW, email, FTP and other practical applications, whether they reach them through a local area network (LAN), a modem, a cable modem or a digital subscriber line (xDSL), without having to care about the complexity underneath.

Scalability. Because a VPN is built on public network infrastructure, it can be deployed wherever a public network (such as the Internet) exists. Today the Internet is everywhere, so extending a VPN is very easy. Scalability also means that when an office or branch requires more bandwidth, it can be upgraded easily. A VPN can also be dismantled easily when it is no longer needed.

1.3 Disadvantages and problems to be overcome

Security risk. A virtual private network is usually cheaper and more efficient than leasing dedicated channels. However, it also carries security risks that are hard to foresee. Although most service providers advertise that their solution is secure, security is never absolute. A VPN can be made harder to compromise by protecting the network's parameters appropriately, but this affects the cost of the service.

Reliability and performance. A VPN uses encryption to secure data, and complex cryptographic functions can place a heavy load on the servers. The network administrator's task is to manage the server load by limiting the number of simultaneous connections a server can handle. However, when the number of people trying to connect to the VPN suddenly surges and disrupts transmission, even the administrators cannot connect because all VPN ports are busy. This motivates the administrator to create application workarounds that do not require the VPN, for example setting up a proxy service or an Internet Message Access Protocol service so that staff can read e-mail from home or on the road.

Protocol selection. Choosing between IPSec and SSL/TLS is a difficult decision, and how they will be used is also hard to predict. One point to consider is that SSL/TLS can work through a firewall that uses network address translation (NAT), whereas IPSec cannot. But if both protocols work through the firewall, addresses will not be translated. IPSec encrypts all IP traffic carried between two hosts, whereas SSL/TLS protects only one application. SSL/TLS uses asymmetric cryptographic functions to establish the connection, which protects more effectively than using symmetric cryptographic functions. In practical applications, the administrator can decide to combine and mix the protocols to achieve the best balance of performance and security for the network. For example, clients can connect to a web server through a firewall using a secure SSL/TLS path, the web server can connect to an application service using IPSec, and the application service can connect to a database through other firewalls using SSL.
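An added illustration (not from the thesis) of the IP envelope described in section 1.1 and of the NAT remark just above: it models tunnel-mode encapsulation of an inner packet between two gateways, then shows that an AH-style integrity check, which covers the outer addresses, fails once a NAT box rewrites the source address, whereas an ESP/TLS-style check over the protected payload alone still passes. Assumptions: a simplified 12-byte IP header, HMAC-SHA256 truncated to 96 bits as the integrity function, constructed keys and addresses, and no real cipher (the inner packet is treated as opaque data).

```python
import dataclasses
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

AH_PROTO = 51   # IANA protocol number of the IP Authentication Header
ESP_PROTO = 50  # IANA protocol number of the Encapsulating Security Payload
DEMO_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


@dataclasses.dataclass(frozen=True)
class IPPacket:
    """Minimal IPv4 model: addresses, TTL, protocol and an opaque payload."""
    src: str
    dst: str
    ttl: int
    proto: int
    payload: bytes

    def header_bytes(self, mutable_zeroed: bool) -> bytes:
        # Simplified 12-byte header: src(4) dst(4) ttl(1) proto(1) checksum(2).
        # AH computes its ICV with the mutable fields (TTL, checksum) set to
        # zero, because routers legitimately change them; the addresses are
        # not mutable and are therefore covered by the check.
        ttl = 0 if mutable_zeroed else self.ttl
        checksum = 0  # always zero in this model; real stacks recompute it per hop
        return (ipaddress.IPv4Address(self.src).packed
                + ipaddress.IPv4Address(self.dst).packed
                + struct.pack("!BBH", ttl, self.proto, checksum))


def encapsulate(inner: IPPacket, gw_src: str, gw_dst: str, proto: int) -> IPPacket:
    """Tunnel mode: the whole original packet becomes the payload of a new
    IP envelope addressed between the two security gateways. The inner packet
    stands in for the ciphertext a real VPN would carry (no cipher applied)."""
    inner_bytes = inner.header_bytes(mutable_zeroed=False) + inner.payload
    return IPPacket(gw_src, gw_dst, 64, proto, inner_bytes)


def decapsulate(outer: IPPacket) -> IPPacket:
    """Receiving gateway strips the envelope and recovers the inner packet."""
    src, dst, ttl, proto, _checksum = struct.unpack("!4s4sBBH", outer.payload[:12])
    return IPPacket(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                    ttl, proto, outer.payload[12:])


def ah_icv(key: bytes, pkt: IPPacket) -> bytes:
    """AH-style ICV: MAC over the immutable outer header fields plus payload."""
    msg = pkt.header_bytes(mutable_zeroed=True) + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:12]  # 96-bit truncation


def esp_tag(key: bytes, pkt: IPPacket) -> bytes:
    """ESP/TLS-style tag: integrity covers only the protected payload."""
    return hmac.new(key, pkt.payload, hashlib.sha256).digest()[:12]


def forward(pkt: IPPacket, nat_public_ip: Optional[str] = None) -> IPPacket:
    """One hop: every router decrements TTL; a NAT box also rewrites the source."""
    src = nat_public_ip if nat_public_ip else pkt.src
    return dataclasses.replace(pkt, src=src, ttl=pkt.ttl - 1)


def run_demo() -> dict:
    """Send one LAN-to-LAN packet through a plain router and through a NAT box."""
    inner = IPPacket("10.1.1.25", "10.2.2.40", 64, 6, b"private LAN-to-LAN data")
    ah_pkt = encapsulate(inner, "192.168.0.2", "203.0.113.9", AH_PROTO)
    esp_pkt = encapsulate(inner, "192.168.0.2", "203.0.113.9", ESP_PROTO)
    icv = ah_icv(DEMO_KEY, ah_pkt)   # computed by the sending gateway
    tag = esp_tag(DEMO_KEY, esp_pkt)
    nat_ip = "198.51.100.7"          # constructed public address of the NAT box
    return {
        # only TTL changed: AH zeroed it, so the check still passes
        "ah_via_plain_router": hmac.compare_digest(icv, ah_icv(DEMO_KEY, forward(ah_pkt))),
        # source address rewritten: AH covered it, so the receiver rejects the packet
        "ah_via_nat": hmac.compare_digest(icv, ah_icv(DEMO_KEY, forward(ah_pkt, nat_ip))),
        # payload untouched by NAT: the ESP/TLS-style check passes
        "esp_via_nat": hmac.compare_digest(tag, esp_tag(DEMO_KEY, forward(esp_pkt, nat_ip))),
        # and the receiving gateway still recovers the original inner packet
        "inner_recovered": decapsulate(forward(esp_pkt, nat_ip)) == inner,
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Modern IPsec deployments work around this for ESP with UDP encapsulation (NAT traversal, RFC 3948); AH remains incompatible with NAT because the addresses it authenticates are exactly what NAT changes.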

1.4 Classification of VPNs and applications

A virtual private network provides many different application possibilities. The basic requirement of a VPN is to control the access rights of customers, of service providers and of other outside parties. Based on the form of application and the capabilities a virtual private network provides, VPNs can be divided into two types:
- Remote Access VPN
- Site-to-Site VPN, which includes Intranet VPN and Extranet VPN

1.4.1 Remote access VPN

Remote access VPNs provide remote access for users (Figure 1.1). At any time, employees or mobile branch offices can use VPN software to access the company network through a gateway or a VPN concentrator (essentially a server). This solution is therefore also called a client/server solution. Remote access VPN is the most typical kind of VPN, because it can be set up at any time and from anywhere with Internet access.

Figure 1.1: Remote access VPN model

Remote access VPNs extend the company network to its users over a shared infrastructure while the company's network policies are maintained. They can be used to provide secure access for employees who travel frequently, for branches or for the company's customers. These VPNs are implemented over public infrastructure using ISDN, dial-up, mobile IP, DSL or cable technology, and usually require some kind of client software running on the user's computer. A fairly new direction in remote access VPN is wireless VPN, in which an employee can reach the company network over a wireless connection. In this design, the wireless connections must first reach a wireless terminal and then the company network. In both cases (wired and wireless), client software on the PC initiates the secure connections, also called tunnels. An important issue is the design of the initial authentication process, to ensure that the request originates from a trusted source. This initial stage is usually based on the company's security policy. The policy includes a number of technical procedures and host applications, for example Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+). The advantages of remote access VPN over traditional remote access methods:
- Remote access VPN needs no support from network staff, because the remote connection is handled by the ISPs.
- Long-distance connection costs are reduced, because long-distance connections are replaced by local connections through the Internet.
- It provides cheap connection service for remote users.
- Because the access connection is local, the modems operate at higher speed than with long-distance access.
- VPN provides better access to the company's sites because it supports the lowest level of connection service.
Despite these advantages, remote access VPN still has inherent drawbacks:
- Remote access VPN does not support QoS guarantees.
- The risk of data loss is high, because packets may be misdelivered or lost.
- Because of the complex encryption algorithms, protocol overhead increases significantly.

1.4.2 Site-to-site VPN
A site-to-site (or LAN-to-LAN) VPN connects networks at different locations to the central network over a VPN. In this case the initial authentication is not of a user but of the devices, which act as security gateways and carry traffic securely from one site to the other. Routers and firewalls with VPN support can all make this kind of connection. The difference between remote access and site-to-site VPN is largely nominal: many newer VPN devices can operate in both ways. From the point of view of policy management, a site-to-site VPN can be seen as either an intranet or an extranet VPN. If the network infrastructure is under a single administration it can be considered an intranet VPN; otherwise it can be considered an extranet VPN. Access between sites must be tightly controlled by the devices at each end.

1.4.2.1 Intranet VPN
The intranet VPN is the typical site-to-site configuration, used to secure the connections between the different locations of one company (Figure 1.2). It links the headquarters, offices and branches over a shared infrastructure using connections that are always encrypted. This lets every location securely reach the authorized data resources across the whole corporate network.

Figure 1.2: Intranet VPN model

An intranet VPN provides the properties of a WAN, such as scalability, reliability and support for many protocols, at low cost while remaining flexible. The main advantages of the intranet VPN solution are:
- Local or wide-area networks can be set up through one or more service providers.
- Fewer technical support staff are needed at remote locations.
- Because the intermediate connection goes over the Internet, a new peer link is easy to add.
- Costs are saved by running VPN tunnels over the Internet in combination with high-speed switching technologies.
However, a VPN-based intranet also has inherent drawbacks. Because data is tunnelled across a public network such as the Internet, there remain threats to data confidentiality and to quality of service (QoS). The probability that packets are lost in transit is still fairly high. Moving large volumes of data such as multimedia, which demands high speed and real-time delivery, remains a major challenge in the Internet environment.

1.4.2.2 Extranet VPN
An extranet VPN is configured as a site-to-site VPN that provides secure tunnels between customers, suppliers and partners over a public network infrastructure (Figure 1.3). This kind of VPN uses connections that are always secured, but it is not isolated from the outside world the way intranet and remote access VPNs are.

Figure 1.3: Extranet VPN model

The extranet VPN solution provides access control over the network resources that are extended to business partners. The difference between an intranet and an extranet VPN is that network access is granted to one of the two ends of the VPN. The main advantages of an extranet VPN are:
- The cost is much lower than for other connection solutions that achieve the same purpose.
- It is easy to set up, maintain and change on a running network.
- Because the extranet VPN is built on the Internet, there are many choices of service and of solutions that fit each company's needs.
- Internet connections are maintained by the ISP, so fewer network support staff are needed and the operating cost of the whole network falls.
Besides these advantages, the extranet VPN has inherent drawbacks. Securing information is harder in such an open environment, which raises the risk to the company's internal network. Data can still be lost in transit over the public network. Moving large volumes of data with high-speed and real-time requirements remains a major challenge.

1.5 Types of VPN

There are two main ways to use a VPN. First, a VPN can connect two networks together; this is known as a LAN-to-LAN VPN or a site-to-site VPN. Second, a remote access VPN can connect a single remote user to the network.

1.5.1 Remote users over the Internet (Access VPN)
An Access VPN provides remote access to an intranet or extranet over a shared infrastructure; users can reach the resources inside the VPN whenever and wherever they need. The access link in an Access VPN can be analog dial-up, ISDN, digital subscriber line (DSL), mobile IP or cable, connecting mobile users, remote computers or offices together. Figure 1.5 shows an example.

Figure 1.4: Using a VPN to connect a remote client to a private LAN

Figure 1.5: Ipass access organization

1.5.2 Connecting networks over the Internet (Intranet VPN)
There are two ways to use a VPN to connect local area networks (LANs) to remote endpoints:
- Using dedicated leased lines to connect a branch office to the corporate LAN: the branch office and its router use a local dedicated line and a local ISP to reach the Internet. The VPN software uses the local ISP connection and the public Internet to create a VPN between the branch office and the router of the corporate hub.
- Using a dial-up line to connect a branch office to the LAN: the branch office router dials in to the ISP, and the VPN software uses that ISP connection to create a VPN between the branch office router and the hub router over the Internet.
Note: in both cases the infrastructure that connects the branch office and the linked offices to the Internet is local. Both client-server and server-server VPNs save substantially on the cost of dial-up access. The VPN servers are connected to the ISP by a leased line and must operate around the clock to receive incoming traffic.

Figure 1.6: Using a VPN to connect two remote locations

1.5.3 Connecting computers within an intranet (Extranet VPN)
In some network arrangements, users on a department's LAN who have no physical link to another part of the network face the problem of how to reach its information. A VPN allows several physically connected LANs to be joined to the corporate network while being separated by a VPN server. Note that the VPN server does not behave like a router between the corporate network and the LANs: a router would connect the two networks and grant access to the LAN. By using a VPN, the network administrator can ensure that only users on the corporate network who meet the appropriate criteria (based on company policy) can establish a VPN with the VPN server and reach the protected resources of that department. In addition, all data inside the VPN is reliably encapsulated. Users without the appropriate rights cannot reach the LAN.

Figure 1.7: Using a VPN to connect two remote computers on the same LAN

All business operations then work as they would on a private network, including the questions of security, quality of service (QoS), administration and reliability.

1.6 Conclusion
A VPN is defined as a network that connects customer sites securely over a shared network infrastructure, with access control and security policies like those of a private network. Although it is built on the existing infrastructure of a public network, a VPN has the properties of a local network, as if it used leased lines. It lets a company connect its branches and its partners, and it controls the access rights of customers, service providers and other outside parties. The range of VPN applications is very large, and many vendors worldwide predict that VPN will be a fast-growing service in the future.

Chapter II: Protocols operating in VPN

CHAPTER II: IPSEC


The original TCP/IP protocols had no built-in security features. In the early days of the Internet, when its users were universities and research institutes, data security was not an important issue, but now commercial applications are everywhere on the Internet. To provide packet-level security in IP, the IETF produced the IPsec protocol suite. The first IPsec suite, for encrypting and authenticating IP packets, was standardized in RFCs 1825 to 1829 in 1995. This suite describes the basic IPsec architecture, including two kinds of header used in IP packets. The IP packet is the basic unit of data in an IP network. IPsec defines two headers for IP packets to control authentication and encryption: the IP Authentication Header (AH) controls authentication, and the Encapsulating Security Payload (ESP) is for encryption. IPsec was developed with the next IP generation, IPv6, in mind, but because IPv6 adoption was slow and IP packets needed protection, IPsec was adapted to IPv4. IPsec support is optional in IPv4, whereas IPv6 has it built in.

2.1 Mode of operation
At the basic level, IPsec operation requires the following main parts:
- Security Association (SA).
- Authentication Header (AH).
- Encapsulating Security Payload (ESP).
- Mode of operation.

2.1.1 Security Association (SA)
For two parties to exchange protected data (authenticated, encrypted, or both), both must agree on the cryptographic algorithm to use, on how keys are exchanged and on when they are exchanged. Both sides must also agree how often the key is changed. All of these agreements are held in the SA. Communication between sender and receiver requires at least one SA and may require more, because each IPsec protocol requires its own SA. Thus an authenticated packet requires one SA and an encrypted packet also requires one; even if the same algorithm were used for both authentication and encryption, two different SAs would still be needed because they use different keys. An IPsec SA describes:
- The authentication algorithm used for AH and its key.
- The form and size of the secret used by the encryption algorithm.
- The protocol, algorithm and key used for the communication, including the encryption algorithm and key used for confidentiality.
- How often the key is changed.
- The authentication algorithm, mode and function used in ESP and the key that algorithm uses.
- The key lifetime.
- The SA lifetime.
An SA can be thought of as a secure channel through a public network to a particular person or working group.

2.1.2 Authentication Header (AH)
In IPsec, the Authentication Header (AH) provides authentication services. AH is inserted between the IP header and the content that follows it (Figure 2.1) without changing the content of the datagram. The authentication header consists of the following fields: Next Header, Payload Length, a Reserved field, the Security Parameter Index (SPI), the Sequence Number and the Authentication Data. Two new concepts in AH are the SPI, which tells the receiving device which security protocol suite the sender is using for this communication, and the Authentication Data, which carries the integrity check value computed with the algorithm identified by the SPI. HMAC with MD5 and HMAC with SHA-1 were chosen as the default keyed-hash algorithms for computing the checksum (they are message authentication codes, not encryption algorithms). These defaults resulted from changes made to IPsec to strengthen its authentication mechanism, because the earlier default, keyed MD5, was found not to resist collision attacks. The procedure for both methods (HMAC-MD5 and HMAC-SHA-1) is the same, although SHA-1 is the stronger hash function. In both cases the algorithm processes data in 64-byte blocks. HMAC-MD5 produces a 128-bit authenticator and HMAC-SHA-1 a 160-bit one; because the default authenticator length defined for AH is only 96 bits, the generated value is truncated before it is stored in the AH authentication data field.

Figure 2.1: IPv4 packet format before and after AH processing

Figure 2.2: IPv6 packet format before and after AH processing

When it receives the datagram, the receiver computes its own authenticator value (128 or 160 bits depending on the algorithm in use), truncates it to the length specified for the authentication field and compares it with the received authentication value. When the two match, the data was not altered in transit. Because an attacker could capture a series of packets and replay them later, AH provides an anti-replay service that defeats this kind of attack. Note that AH does not keep the data confidential: an attacker who captures packets on the network and uses a suitable decoder can read the content of the data even though the data cannot be altered. To protect data against eavesdropping, the second component of IPsec, ESP, is needed.
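As an added illustration that is not part of the thesis, the following Python builds a transport-mode AH packet with HMAC-SHA-1-96, verifies it on the receiving side with the mutable IP header fields zeroed, and enforces the anti-replay window described above. Key, addresses, SPI and payload are constructed for the example; the AhReceiver class and the helper names are this example's own, not an IPsec library API.

```python
import hashlib
import hmac
import struct

# Constructed example (not from the thesis): an IPv4 transport-mode AH packet
# protected with HMAC-SHA-1-96 (RFC 2402/2404). The key, addresses, SPI and
# payload are made up for illustration.
KEY = bytes.fromhex("0b" * 20)
PROTO_AH = 51
ICV_LEN = 12          # 96-bit truncated HMAC, the AH default

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header without options. The header checksum is
    left at zero because AH zeroes it before computing the ICV anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def zero_mutable(ip_hdr):
    """Copy of the IPv4 header with the mutable fields (TOS, flags/fragment
    offset, TTL, header checksum) zeroed, as RFC 2402 requires, so that
    routers may change them in transit without breaking the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_fixed(next_header, spi, seq):
    """Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)

def ah_icv(key, ip_hdr, ah_hdr, payload):
    # The ICV covers the immutable parts of the IP header, the AH header with
    # its Authentication Data field zeroed, and everything after it.
    covered = zero_mutable(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def protect(key, src, dst, next_header, spi, seq, payload):
    """Sender side: IP header + AH + ICV + unchanged payload."""
    ah = ah_fixed(next_header, spi, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + len(ah) + ICV_LEN + len(payload))
    return ip_hdr + ah + ah_icv(key, ip_hdr, ah, payload) + payload

class AhReceiver:
    """Receiver side: ICV verification plus the 64-packet anti-replay window
    of RFC 2402 (a sliding bitmap of sequence numbers already accepted)."""

    def __init__(self, key, window=64):
        self.key, self.window = key, window
        self.highest, self.bitmap = 0, 0

    def receive(self, packet):
        ip_hdr, rest = packet[:20], packet[20:]
        _next, plen, _res, _spi, seq = struct.unpack("!BBHII", rest[:12])
        icv_len = (plen + 2) * 4 - 12
        ah, icv, payload = rest[:12], rest[12:12 + icv_len], rest[12 + icv_len:]
        # Replay check first (cheap), then the ICV, then update the window.
        if seq <= self.highest:
            diff = self.highest - seq
            if diff >= self.window:
                return "replay (too old)"
            if (self.bitmap >> diff) & 1:
                return "replay"
        if not hmac.compare_digest(ah_icv(self.key, ip_hdr, ah, payload), icv):
            return "bad ICV"
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "ok"

def demo():
    """Four packets: a fresh one, one whose TTL a router decremented,
    a replay of the first, and one whose payload was tampered with."""
    rx = AhReceiver(KEY)
    args = (KEY, "10.0.0.1", "10.0.0.2", 17, 0x1000)
    first = protect(*args, 1, b"hello over UDP")
    forwarded = bytearray(protect(*args, 2, b"second datagram"))
    forwarded[8] -= 1                     # TTL is mutable: ICV still verifies
    tampered = bytearray(protect(*args, 3, b"third datagram"))
    tampered[-1] ^= 0x01                  # one payload bit flipped
    return [rx.receive(first), rx.receive(bytes(forwarded)),
            rx.receive(first), rx.receive(bytes(tampered))]

if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'replay', 'bad ICV']
```

The packet whose TTL was decremented in transit still verifies, a single flipped payload bit does not, and the replayed sequence number is rejected before the ICV is even recomputed.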

2.1.3 Encapsulating Security Payload (ESP)
The Encapsulating Security Payload (ESP) is used to encrypt data. Like the AH header, the ESP header is inserted between the IP header and the content that follows it (Figure 2.3). Since ESP's job is to encrypt the data, however, the content of the packet is changed.

Figure 2.3: Encapsulating Security Payload

Like AH, ESP contains an SPI that tells the receiver which security mechanism applies to the packet. The sequence number in the ESP header is a counter incremented each time a packet is sent to the same address using the same SPI; it indicates how many packets have been sent with the same set of parameters. The sequence number protects against attacks in which packets are captured and re-sent out of order to disrupt the communication. The rest of the packet (except the authentication data) is encrypted before it is put on the network. ESP can support any encryption algorithm, and users may choose different algorithms for each connection. However, the original IPsec specification mandated DES-CBC (DES with Cipher Block Chaining) as the default to guarantee interoperability. ESP with DES requires a 56-bit DES key; to chain the ciphertext blocks, a 64-bit initialization vector is used and the data is processed in 64-bit blocks. (DES is now considered too weak; current implementations use AES, typically AES-CBC or AES-GCM.) ESP can also be used for authentication. The ESP authentication field, an optional field in the ESP trailer, holds a cryptographic checksum whose length depends on the authentication algorithm used; it can be omitted if the authentication service is not selected for ESP. The authenticator is computed after the data has been encrypted. The authentication service of ESP differs from that of AH in that ESP authentication does not protect the IP header that precedes ESP, although it does protect the encapsulated IP header in tunnel mode. Figure 2.4 shows the difference.

Figure 2.4: Comparison of authentication by AH and by ESP

If AH is used for authentication, why is there an authentication option in ESP? AH is used only when authentication of the packet is all that is required. When both authentication and confidentiality are needed, ESP with its authentication option is the better choice: using ESP for encryption and authentication instead of both AH and ESP without the authentication option reduces the packet size, so packets are processed more efficiently.

2.1.4 Modes of operation
IPsec has two modes of operation:
- Transport mode: only the transport-layer segment of the packet is processed.
- Tunnel mode: the whole packet is processed for encryption and authentication.
Transport mode is used between gateways and hosts and provides protection for the upper-layer protocols. In transport mode AH is inserted after the IP header and before the upper-layer protocol (TCP, UDP or ICMP), or before any IPsec header already inserted. In tunnel mode the inner IP header carries the original source and destination addresses, while the outer IP header carries different IP addresses (for example those of the gateways). AH protects the entire IP packet, including the inner IP header (Figure 2.5).

Figure 2.5: AH tunnel mode

Because AH only protects against modification of the data, some other means is needed to provide data confidentiality. In tunnel mode this is done by extending the protection to the content of the inner IP header, in particular the source and destination addresses. Although ESP in transport mode protects effectively against eavesdropping, it does not protect the whole traffic: a sophisticated attacker can still read the source and destination addresses and then analyse the traffic to learn the communication pattern.

Figure 2.6: ESP tunnel mode

Figure 2.7: Combinations of transport and tunnel mode

ESP tunnel mode provides additional protection by encrypting the whole packet (Figure 2.6). After the entire content (including the original header) has been encrypted, ESP tunnel mode creates a new IP header to route the datagram from sender to receiver. Even in tunnel mode, however, ESP does not protect against every kind of traffic analysis, because the IP addresses of the sending and receiving gateways can still be read in the packet header. This tells an eavesdropper that the two gateways are communicating, but gives no clue about which hosts behind them are talking. So that AH and ESP can be applied in either tunnel or transport mode, IPsec requires support for combinations of the two modes (Figure 2.7). This is done by using tunnel mode to encrypt and authenticate the packet and its header, and then applying AH, ESP or both in transport mode to protect the newly created header. Note that AH and ESP are not normally combined in tunnel mode: ESP has its own authentication option, which is the one to use in tunnel mode when packets must be both encrypted and authenticated.
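As an added example (not the thesis's own material) covering the ESP format in section 2.1.3 and the tunnel-mode discussion above, the Python below encapsulates an inner IP packet in tunnel-mode ESP with the NULL cipher of RFC 2410 and HMAC-SHA-1-96, so that the trailer layout and exactly what the ICV covers are visible without a cipher library. The NULL cipher stands in for a real cipher only so the layout can be inspected; the function names, key and addresses are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed example (not from the thesis): tunnel-mode ESP with the NULL
# cipher (RFC 2410) and HMAC-SHA-1-96, so the packet layout and what the ICV
# does and does not cover are visible without a cipher library. In a real
# SA the NULL cipher is replaced by AES (the DES-CBC default cited above is
# obsolete). Key and addresses are made up.
AUTH_KEY = bytes.fromhex("a1" * 20)
PROTO_ESP = 50
NEXT_HEADER_IPIP = 4   # Next Header value for an encapsulated IPv4 packet
ICV_LEN = 12

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left at zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def esp_encapsulate(spi, seq, inner_packet, gw_src, gw_dst):
    """Tunnel mode: the whole inner IP packet becomes the ESP payload and a
    new outer header addressed gateway-to-gateway is prepended."""
    esp_hdr = struct.pack("!II", spi, seq)
    # Pad so that payload + padding + Pad Length + Next Header is 4-byte
    # aligned; the RFC 2406 default padding is the bytes 1, 2, 3, ...
    pad_len = (-(len(inner_packet) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPIP])
    authenticated = esp_hdr + inner_packet + trailer   # NULL cipher: ciphertext == plaintext
    icv = hmac.new(AUTH_KEY, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    body = authenticated + icv
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, 20 + len(body)) + body

def esp_decapsulate(packet):
    """Returns (status, inner_packet). The outer IP header (packet[:20]) is
    never fed to the HMAC: only ESP header, payload and trailer are covered."""
    body = packet[20:]
    authenticated, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return "bad ICV", None
    pad_len, next_hdr = authenticated[-2], authenticated[-1]
    if next_hdr != NEXT_HEADER_IPIP:
        return "unexpected next header", None
    return "ok", authenticated[8:len(authenticated) - 2 - pad_len]

def outer_addresses(packet):
    """What an on-path observer still learns: the two gateway addresses."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ".".join(map(str, src)), ".".join(map(str, dst))

def demo():
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 17, 20 + 5) + b"hello"
    pkt = esp_encapsulate(0x2000, 1, inner, "203.0.113.1", "198.51.100.1")
    results = {"intact": esp_decapsulate(pkt)[0]}
    # Outer header rewritten in transit (TTL decremented, even the outer
    # destination changed): the ICV does not notice, as Figure 2.4 shows.
    outer_mod = bytearray(pkt)
    outer_mod[8] -= 1
    outer_mod[16:20] = bytes([198, 51, 100, 9])
    results["outer header modified"] = esp_decapsulate(bytes(outer_mod))[0]
    # Inner destination address (offset 20 + 8 + 16 = 44) changed: detected.
    inner_mod = bytearray(pkt)
    inner_mod[44] ^= 0xFF
    results["inner header modified"] = esp_decapsulate(bytes(inner_mod))[0]
    results["observer sees"] = outer_addresses(pkt)
    return results

if __name__ == "__main__":
    print(demo())
```

Rewriting the outer header leaves the ICV valid, which is the property Figure 2.4 illustrates and the reason the gateway addresses stay visible to an eavesdropper; any change inside the ESP payload is detected. In a real deployment the NULL cipher is replaced by AES, and ESP should always be used with its authentication option: encryption-only ESP is malleable and has been attacked through padding and bit-flipping.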

2.2 Key management
Communication using IPsec requires key exchange and therefore a key management mechanism. There are two key exchange methods: manual keying and Internet Key Exchange (IKE); neither can be absent from IPsec. An IPsec-compliant system must support manual keying, in which keys are handed over out of band, for example on paper, on a diskette, by courier or by e-mail. Although manual keying is adequate for a small number of sites, an automated and controllable management method is needed to match the demand for creating SAs. The default key exchange management protocol in IPsec is IKE, a combination of the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley key exchange; IKE is therefore also known as ISAKMP/Oakley. IKE provides the following capabilities:
- Means for the two parties to agree on the protocols, algorithms and keys to use.
- Assurance from the very start of the key exchange that the communication is with the right party.
- Management of the keys after they have been accepted during the negotiation.
- Assurance that keys are exchanged confidentially.
Key exchange is similar to association management: when an SA must be created a key must be exchanged, so IKE's structure packages the two together and carries them in one integrated exchange.

2.2.1 Oakley modes and ISAKMP phases
As originally defined in ISAKMP, IKE operates in two phases. Phase one establishes a secure tunnel in which the ISAKMP operations take place. Phase two is the negotiation of the SAs for the actual purpose. Oakley defines three modes for exchanging keys and setting up ISAKMP SAs:
- Main mode: completes phase one of ISAKMP after setting up a secure channel.
- Aggressive mode: another way to complete phase one of ISAKMP. It is simpler and faster than main mode, but does not protect the identities of the negotiating nodes, because they send their identities before a secure channel has been negotiated.
- Quick mode: completes phase two of ISAKMP by negotiating an SA for the purpose of the communication.
IKE also has a further mode, new group mode, which belongs to neither phase one nor phase two. New group mode follows the phase one negotiation and provides a way to define a private group for the Diffie-Hellman exchange. To set up an IKE security association for a node, host or gateway, at least four elements are needed:
- An encryption algorithm to protect the data.
- A hash algorithm to reduce the data for signing.
- An authentication method for signing the data.
- Information about the Diffie-Hellman group to work over.
A fifth element may be given in the SA: the pseudorandom function used to hash certain values during the key exchange for verification purposes. If the SA does not include it, the HMAC of the hash algorithm (the second element) is used.
Main mode: main mode establishes a phase one ISAKMP SA, which involves the following steps:
- Main mode is used to start an ISAKMP SA for the connection.
- Quick mode is used to negotiate an SA.
- The SA so created is used for the communication until it expires.

Figure 2.8: ISAKMP main mode

The first step, using main mode to secure an ISAKMP SA, takes place in three round trips between the SA initiator and the SA responder (Figure 2.8). The first exchange negotiates the protection suite, including the hash algorithm. The second exchange carries the public Diffie-Hellman values and each side's nonce (a random number that the other side records and returns to prove its identity). In the third exchange the two sides verify each other's identity and the exchange is complete. Both sides can use the shared key once they have it; they must hash it three times: first to produce a root key (used to derive further keys in quick mode later), then the authentication key, and finally the encryption key used for the ISAKMP SA. Main mode protects the identities of the communicating parties. If that protection is not needed and a faster exchange is wanted, aggressive mode is used.
Aggressive mode: aggressive mode offers the same service as main mode, namely establishing an initial ISAKMP SA. It looks like main mode except that there are only two exchanges instead of three. In aggressive mode the initiator generates a Diffie-Hellman pair at the start, proposes an SA, sends its public Diffie-Hellman value, sends a nonce for the other side to record and sends an ID packet that the responder can use to check its identity. The responder replies with everything needed to complete the exchange; this reply combines the three responses of main mode into one, so the initiator only has to confirm the exchange (Figure 2.9).

Figure 2.9: ISAKMP aggressive mode

Because aggressive mode offers no way to protect the identities of the communicating parties, identity information must be exchanged before a secure SA is established, so anyone who observes an aggressive mode exchange can identify who is setting up the new SA. The advantage of aggressive mode is speed. (With pre-shared key authentication the identity hash sent in aggressive mode is also exposed, so a captured exchange can be attacked offline by guessing the pre-shared key.)
Quick mode: after the two parties have established an ISAKMP SA with main or aggressive mode, quick mode is used next. Quick mode has two purposes: negotiating the IPsec security services and generating fresh keying material. Quick mode is considered simpler than main and aggressive mode because it already has a tunnel available (all packets are encrypted). Quick mode packets are encrypted and start with a hash payload. The hash payload is produced with the agreed pseudorandom function and the authentication key obtained earlier, and it authenticates the rest of the datagram; quick mode defines which parts of the datagram are covered by the hash. Keys can be refreshed in one of two ways. If perfect forward secrecy is not required, quick mode just refreshes the keys derived in main or aggressive mode by additional hashing: the two parties send nonces through the secure tunnel and use them to hash the existing key. If perfect forward secrecy is required, a further Diffie-Hellman exchange through the existing SA can be requested and the key value is then changed.

Figure 2.10: ISAKMP quick mode
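As an added worked example (not from the thesis) of the main-mode and quick-mode derivations above, the Python below runs both peers of an IKEv1 phase one with pre-shared key authentication and then derives quick-mode key material with and without perfect forward secrecy, following the key derivation of RFC 2409. The Diffie-Hellman group is a toy group chosen only for readability, and the PSK, identities and proposal bytes are constructed; the functions and names are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed example (not from the thesis): IKEv1 phase one (main mode with
# pre-shared key authentication, RFC 2409 section 5.4) and phase two (quick
# mode key material, section 5.5), run for both peers in one process.
# prf is HMAC-SHA-1. The Diffie-Hellman group is a deliberately tiny TOY
# group so the arithmetic is visible; real IKE uses 1024-bit or larger MODP
# groups. Identities, PSK and proposal bytes are made up.
TOY_P = (1 << 127) - 1       # Mersenne prime, NOT a standard IKE group
TOY_G = 2
PROTO_ESP = 3                # IPsec DOI protocol id for ESP, mixed into KEYMAT

def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n):
    return n.to_bytes(16, "big")

def dh_keypair():
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)

def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """The three hashes the text describes: SKEYID, then SKEYID_d (root for
    later keys), SKEYID_a (authentication) and SKEYID_e (encryption)."""
    skeyid = prf(psk, ni + nr)
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}

def main_mode(psk_initiator, psk_responder, sa_proposal, id_i, id_r):
    """Both sides of the three main-mode round trips. Returns each side's
    keys and whether the identity hashes verified (they only do when both
    sides hold the same PSK)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # exchange 1-2: SA + cookies
    xi, gxi = dh_keypair()                                          # exchange 3-4: KE + nonces
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    init = phase1_keys(psk_initiator, ni, nr, i2b(pow(gxr, xi, TOY_P)), cky_i, cky_r)
    resp = phase1_keys(psk_responder, ni, nr, i2b(pow(gxi, xr, TOY_P)), cky_i, cky_r)
    # exchange 5-6: identities and proof, carried under SKEYID_e (encryption not shown)
    hash_i = prf(init["SKEYID"], i2b(gxi) + i2b(gxr) + cky_i + cky_r + sa_proposal + id_i)
    hash_r = prf(resp["SKEYID"], i2b(gxr) + i2b(gxi) + cky_r + cky_i + sa_proposal + id_r)
    hash_i_ok = hmac.compare_digest(
        hash_i, prf(resp["SKEYID"], i2b(gxi) + i2b(gxr) + cky_i + cky_r + sa_proposal + id_i))
    hash_r_ok = hmac.compare_digest(
        hash_r, prf(init["SKEYID"], i2b(gxr) + i2b(gxi) + cky_r + cky_i + sa_proposal + id_r))
    return {"initiator": init, "responder": resp, "hash_i_ok": hash_i_ok, "hash_r_ok": hash_r_ok}

def quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, pfs_shared=None):
    """KEYMAT for one IPsec SA. Without PFS it depends only on SKEYID_d and the
    quick-mode nonces; with PFS a fresh g^xy from a new DH exchange is mixed in."""
    dh_part = b"" if pfs_shared is None else i2b(pfs_shared)
    return prf(skeyid_d, dh_part + bytes([protocol]) + spi + ni + nr)

def quick_mode_demo(skeyid_d, spi=b"\x00\x00\x10\x00"):
    """What a passive observer who later obtains SKEYID_d can recover from a
    recorded quick-mode exchange: the non-PFS KEYMAT, but not the PFS one."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    keymat_no_pfs = quick_mode_keymat(skeyid_d, PROTO_ESP, spi, ni, nr)
    keymat_pfs = quick_mode_keymat(skeyid_d, PROTO_ESP, spi, ni, nr, pow(gxr, xi, TOY_P))
    recorded = {"ni": ni, "nr": nr, "gxi": gxi, "gxr": gxr}          # what was on the wire
    guess_no_pfs = quick_mode_keymat(skeyid_d, PROTO_ESP, spi, recorded["ni"], recorded["nr"])
    # Without a private exponent the observer has no g^xy; public values alone do not help.
    guess_pfs = quick_mode_keymat(skeyid_d, PROTO_ESP, spi, recorded["ni"], recorded["nr"],
                                  recorded["gxi"] * recorded["gxr"] % TOY_P)
    return {"no_pfs_recovered": guess_no_pfs == keymat_no_pfs,
            "pfs_recovered": guess_pfs == keymat_pfs}

if __name__ == "__main__":
    st = main_mode(b"psk", b"psk", b"proposal", b"gw-a", b"gw-b")
    print(st["hash_i_ok"], st["hash_r_ok"], quick_mode_demo(st["initiator"]["SKEYID_d"]))
```

quick_mode_demo shows why perfect forward secrecy matters: an observer who records the quick-mode nonces and later obtains SKEYID_d can recompute the non-PFS KEYMAT, whereas the PFS KEYMAT still requires a private exponent from the extra Diffie-Hellman exchange.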

2.2.2 SA negotiation
To establish an SA, the initiator sends a quick mode message through the ISAKMP SA requesting a new SA. One SA negotiation results in two SAs: one inbound to the initiator and one outbound. To avoid SPI conflicts, the receiving node always chooses the SPI: in quick mode the sender tells the responder which SPI it will use for traffic it receives, and the responder does the same for its own direction. Each SPI, combined with the destination IP address and the security protocol (AH or ESP), identifies a single IPsec SA. In practice these SAs always come in inbound/outbound pairs, and their identities and parameters (algorithms, keys, hashes) are bound to the SPI.

2.3 Using IPsec
Figure 2.11 is an example of an Internet VPN application. IPsec software can be installed in three places: the security gateway, the mobile client and the hosts. Not every device needs IPsec software, however; it depends on the network design. To build a LAN-to-LAN VPN, IPsec on the security gateways is enough. If remote workstations dial in to the network through ISPs, IPsec client software must be installed on the mobile users' computers. To build a VPN in which every computer talks to every other computer with IPsec, IPsec software must be installed on all of them.

Figure 2.11: Components of an Internet VPN

2.3.1 Security gateways
A security gateway is a network device, such as a router or firewall, that separates and protects the internal network against unauthorized intrusion from outside. Running IPsec on the security gateway makes it a choke point that all traffic must pass through before it leaves. When building a VPN, security gateways are installed at the main offices and secure links are then set up between them. Using security gateways simplifies key management, because only one key needs to be assigned per gateway. A security gateway can forward packets in either transport or tunnel mode. For stronger protection tunnel mode is preferable, because it hides the real IP addresses of the sending and receiving hosts and protects against header cut-and-paste attacks. Tunnel mode does, however, cost the gateway extra computation and enlarges the packets, which raises the overall communication cost; and it does not hide the IP addresses of the gateways themselves. If wildcard security is not used for the traffic through the gateway, key management becomes more complex.

2.3.2 Wildcard SAs
Wildcard security simplifies communication between hosts protected by a security gateway. Instead of associating an SA with a single host IP address, a wildcard SA covers all the hosts on the LAN served by the gateway. A security gateway should have the following properties and capabilities:
- Support network connections for plaintext as well as encrypted text.
- The key length must not depend on information carried at the data link layer.
- Support both AH and ESP.
- Support manual SA creation, including wildcard SAs.
- Provide a mechanism for protecting keys.
- Change keys automatically, with a key management system that is simple yet secure.
- SAs must produce error notifications.

2.3.3 Remote hosts
When a computer dials in to the VPN, it needs IPsec client software installed. With IPv4, IPsec is inserted into the TCP/IP protocol stack. The IPsec code can be placed between the transport layer and the network layer, or it can be inserted as a shim between the data link layer and the network layer. IPsec code placed between the transport and network layers is very flexible for users, because it lets them assign different SAs to different applications: in other words, some traffic can be sent without IPsec because it does not need it, while the important traffic is sent with IPsec protection. The shim approach is easier to deploy, but it can only enforce security at the level of IP addresses, not at the level of user identity. Requirements for IPsec client software:
- Interoperability with other IPsec tools (for example the site's encryption servers).
- A clear indication of when IPsec is active.
- Support for loading SAs and
- Hashing that copes with dynamic IP addresses.
- A mechanism to protect keys against theft (keys encrypted with a passphrase).
- Automatic, periodic key rollover.
- Complete blocking of non-IPsec traffic.

Figure 2.12: IPsec and security policies

2.3.4 An example
To illustrate the use of IPsec to build a VPN, consider the simple design in Figure 2.13 with two sites: a head office and a branch office. The network also lets mobile users dial in to the VPN through local ISPs. Encrypting routers are used as the security gateways. Traffic inside each network is in plaintext, and protection against attack from outside relies on a firewall or on access control lists on the servers. Only traffic between the sites, or between mobile users and the sites, is protected by IPsec.
To secure the system, physical security is needed to ensure that every host within a site is behind the correct physical boundary and that every path to the outside passes through the encrypting router. All connections from sites inside the network to sites outside it must be locked down with access privileges. If the number of sites grows, a central authority is needed to assign SAs and keys.

Figure 2.13: An IPsec VPN example

2.4 Outstanding issues in IPsec
Although IPsec offers the features needed to secure a VPN over the Internet, it is still developing:
- Every packet processed by IPsec grows, because the IPsec headers are added, which reduces network throughput. This can be addressed by compressing the data before encrypting it.
- IKE is a technology that has not yet fully proved itself, and manual keying is unsuitable for networks with many mobile users.
- IPsec was designed to protect IP traffic only; other protocols are not supported.
- Computing the many complex algorithms is still a problem for workstations and PCs with little processing power.
- Distribution of cryptographic hardware and software is still restricted by the governments of some countries.
2.5 Tunnelling protocols
Tunnelling is one of the fundamental concepts of VPN. A tunnelling protocol encapsulates data with the appropriate headers for transmission over the Internet. This chapter introduces the common tunnelling protocols in use for IP VPNs: L2F, PPTP and L2TP.
2.5.1 Introduction to tunnelling protocols
Tunnelling protocols are the foundation of VPN technology. There are several tunnelling protocols, and the choice of protocol is tied to the authentication and encryption methods that accompany it. The common tunnelling protocols today are:
- Layer Two Forwarding (L2F).
- Point to Point Tunneling Protocol (PPTP).
- Layer Two Tunneling Protocol (L2TP).
- Internet Protocol Security (IPsec).
L2F and PPTP were both developed on the basis of the Point to Point Protocol (PPP). PPP is a layer 2 serial communication protocol that can encapsulate IP internetwork data and supports multiple upper-layer protocols. On the basis of L2F and PPTP, the IETF developed the L2TP tunnelling protocol. Today PPTP and L2TP are more widely used than L2F. Of the tunnelling protocols above, IPsec is the best solution for data security: it supports the strongest authentication and encryption methods. IPsec is also highly flexible and is not tied to any particular authentication or encryption algorithm, and it can be used together with other tunnelling protocols to increase the security of a system. PPTP and L2TP are finished standards, so products that support them are fairly common. PPTP can be deployed with a simple password system without a PKI (note, however, that PPTP's password-based authentication and the MPPE encryption keyed from it are now considered weak, which is why L2TP is normally run over IPsec). PPTP and L2TP also have some advantages over IPsec, such as support for multiple upper-layer protocols. So while IPsec was still being completed, PPTP and L2TP remained in wide use, particularly in remote access applications.

2.5.2 Layer Two Forwarding (L2F)
L2F, the earliest of these protocols, is a method of communication for remote users reaching a corporate network through remote access equipment. L2F provides a virtual dial-up service by establishing a secure tunnel over a public infrastructure such as the Internet. It encapsulates PPP frames in the L2F format and tunnels them at the data link layer.
2.5.2.1 L2F packet structure
The L2F packet has the structure shown in the following figure:

Figure 2.14: L2F packet format

The fields of the L2F packet have the following meaning:
F: indicates that the Offset field is present.
K: indicates that the Key field is present.
P (Priority): marks the packet as priority.
S: indicates that the Sequence field is present.
Reserved: always set to 00000000.
C: indicates that the Checksum field is present.
Version: the version of L2F used to build the packet.
Protocol: identifies the protocol encapsulated in L2F.
Sequence: sequence number, present when the S bit in the L2F header is 1.
Multiplex ID: identifies an individual connection within a tunnel.
Client ID: helps demultiplex tunnels at the endpoints.
Length: length of the packet in bytes, not including the checksum.
Offset: the number of bytes past the L2F header at which the payload data begins; present when the F bit is 1.
Key: part of the authentication process (present when the K bit is 1).
Checksum: checksum of the packet (present when the C bit is 1).
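As an added example (not from the thesis), the Python below builds and parses an L2F frame using the field layout listed above, including the optional Sequence, Offset, Key and Checksum fields, and verifies the checksum. The payload bytes, IDs and key value are constructed; the protocol value for PPP and the computation of the checksum as a one's complement sum over the frame are this example's assumptions taken from RFC 2341.

```python
import struct

# Constructed example (not from the thesis): building and parsing an L2F
# frame with the header layout described above (RFC 2341). Payload, IDs and
# key value are made up. The checksum is assumed to be the 16-bit one's
# complement sum over the frame (UDP style), computed without the checksum itself.
F_BIT, K_BIT, P_BIT, S_BIT = 1 << 15, 1 << 14, 1 << 13, 1 << 12
C_BIT = 1 << 3                 # follows the eight reserved bits
VER_MASK = 0x7
L2F_VERSION = 1
PROTO_PPP = 0x02               # assumed RFC 2341 protocol value for PPP payloads

def ones_complement_checksum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_l2f(payload, mid, clid, protocol=PROTO_PPP, seq=None, key=None,
              offset=0, priority=False, checksum=True):
    flags = L2F_VERSION & VER_MASK
    flags |= (F_BIT if offset else 0) | (K_BIT if key is not None else 0)
    flags |= (P_BIT if priority else 0) | (S_BIT if seq is not None else 0)
    flags |= C_BIT if checksum else 0
    head = struct.pack("!HB", flags, protocol)
    if seq is not None:
        head += struct.pack("!B", seq)
    tail = struct.pack("!H", offset) if offset else b""
    if key is not None:
        tail += struct.pack("!I", key)
    tail += bytes(offset) + payload          # Offset bytes of padding before the payload
    length = len(head) + 6 + len(tail)       # Length excludes the checksum
    frame = head + struct.pack("!HHH", mid, clid, length) + tail
    if checksum:
        frame += struct.pack("!H", ones_complement_checksum(frame))
    return frame

def parse_l2f(frame):
    flags, protocol = struct.unpack("!HB", frame[:3])
    if (flags >> 4) & 0xFF:
        raise ValueError("reserved bits must be zero")
    f = {"F": bool(flags & F_BIT), "K": bool(flags & K_BIT), "P": bool(flags & P_BIT),
         "S": bool(flags & S_BIT), "C": bool(flags & C_BIT),
         "version": flags & VER_MASK, "protocol": protocol}
    pos = 3
    if f["S"]:
        f["sequence"] = frame[pos]; pos += 1
    f["mid"], f["clid"], f["length"] = struct.unpack("!HHH", frame[pos:pos + 6]); pos += 6
    f["offset"] = 0
    if f["F"]:
        f["offset"] = struct.unpack("!H", frame[pos:pos + 2])[0]; pos += 2
    if f["K"]:
        f["key"] = struct.unpack("!I", frame[pos:pos + 4])[0]; pos += 4
    end = f["length"]
    if len(frame) != end + (2 if f["C"] else 0):
        raise ValueError("length field does not match frame size")
    if f["C"] and ones_complement_checksum(frame[:end]) != struct.unpack("!H", frame[end:])[0]:
        raise ValueError("bad L2F checksum")
    f["payload"] = frame[pos + f["offset"]:end]
    return f

def demo():
    ppp = b"\xff\x03\xc0\x21\x01\x01\x00\x04"   # constructed PPP LCP frame
    frame = build_l2f(ppp, mid=1, clid=0x1234, seq=7, key=0xDEADBEEF)
    out = {"parsed_payload": parse_l2f(frame)["payload"]}
    corrupted = bytearray(frame)
    corrupted[-4] ^= 0x01                        # one bit of the payload damaged in transit
    try:
        parse_l2f(bytes(corrupted))
        out["corrupted"] = "accepted"
    except ValueError as e:
        out["corrupted"] = str(e)
    # The checksum is not a MAC: an attacker who changes the payload simply recomputes it.
    forged = build_l2f(b"\xff\x03\xc0\x21\x05\x01\x00\x04", mid=1, clid=0x1234,
                       seq=7, key=0xDEADBEEF)
    out["forged"] = "accepted" if parse_l2f(forged)["payload"][4] == 0x05 else "rejected"
    return out

if __name__ == "__main__":
    print(demo())
```

The demo also shows the security limit of this header: the checksum catches accidental corruption but is not a message authentication code, so an on-path attacker who rewrites the PPP payload just recomputes it, and the 32-bit Key field is the only authentication material the frame carries.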

2.5.2.2 Operation of L2F
L2F encapsulates layer 2 data (PPP in this case) and then transmits it across the network. A system using L2F has the following components (Figure 2.15):
- Network Access Server (NAS): directs traffic to and from the remote client and the home gateway. An ERX system can act as a NAS.
- Tunnel: defines the path between the NAS and the home gateway. A tunnel consists of a number of connections.
- Home Gateway: the peer of the NAS; it belongs to the private network.
- Connection: a PPP connection inside the tunnel. In the CLI an L2F connection is referred to as a session.
- Destination: the far endpoint of the tunnel. In this case the home gateway is the destination.

Figure 2.15: Model of a system using L2F

L2F operation consists of establishing the connection, the tunnel and the session. The steps are as follows:
1) A remote user dials the NAS and initiates a PPP connection to the ISP.
2) The NAS and the client exchange Link Control Protocol (LCP) packets.
3) The NAS uses a local database keyed by domain name, or RADIUS authentication, to decide whether the user requires the L2F service.
4) If the user requires L2F, the process continues and the NAS obtains the address of the home gateway.
5) A tunnel is established from the NAS to the home gateway if none exists between them yet. Tunnel establishment includes an authentication phase between the ISP and the home gateway to protect against attacks by third parties.
6) A new PPP connection is created inside the tunnel, which has the effect of extending the PPP session from the remote user to the home gateway. The connection is set up as follows: the home gateway receives the options and all of the PAP/CHAP authentication information as negotiated by the user's terminal and the NAS; it then either accepts the connection or renegotiates LCP and re-authenticates the user.
7) When the NAS receives data traffic from the user, it encapsulates the traffic in L2F frames and sends them into the tunnel.
8) At the home gateway the L2F frame is stripped and the encapsulated data is forwarded to the corporate network.
Once the system has set up the destination, tunnel and sessions, L2F traffic must be controlled and managed as follows:
- Prevent the creation of new destinations, tunnels and sessions.
- Close and reopen all or selected destinations, tunnels and sessions.
- Optionally verify the UDP checksum.
- Set the idle time for the system and keep a database of the tunnels and connections.
Changing a destination affects all the tunnels and sessions to that destination, and changing a tunnel affects all the sessions in it. For example, terminating a destination closes all the tunnels and sessions to it. L2F provides a number of commands for these functions, for example:
- L2F checksum: checks the integrity of data in L2F frames using the UDP checksum, e.g. host1(config)#l2f checksum.
- L2F destruct timeout: sets the idle time, in the range 10 to 3600 seconds, e.g. host1(config)#l2f destruct-timeout 1200.
Nguyn Mnh Hng, Lp D04VT1 34

n tt nghip i Hc

Chng II: Cc giao thc hot ng trong VPN

2.5.2.3 u nhc im ca L2F Giao thc L2F c cc u im sau y: - Cho php thit lp ng hm a giao thc. - c h tr bi nhiu nh cung cp. Cc nhc im chnh ca L2F l: - Khng c m ha. - Hn ch trong vic xc thc ngi dng. - Khng c iu khin lung cho ng hm. 2.5.3 Giao thc ng hm im ti im PPTP Giao thc im ti im c a ra u tin bi mt nhm cc cng ty gi l PPTP Forum. tng c s ca giao thc ny l tch cc chc nng chung v ring ca truy nhp t xa, li dng c s h tng Internet sn c to kt ni bo mt gia ngi dng xa (client) v mng ring. Ngi dng xa ch vic quay s ti nh cung cp dch v Internet a phng l c th to ng hm bo mt ti mng ring ca h. Giao thc PPTP c xy dng trn c s chc nng ca PPP, cung cp kh nng quay s truy nhp to ra mt ng hm bo mt thng qua Internet n cc site ch. PPTP s dng giao thc ng gi nh tuyn chung GRE c m t li ng v tch gi PPP. Giao thc ny cho php PPTP mm do x l cc giao thc khc khng phi IP nh IPX, NETBEUI. 2.5.3.1 Khi qut v hot ng ca PPTP PPP tr thnh giao thc truy nhp vo Internet v cc mng IP rt ph bin hin nay. Lm vic lp lin kt d liu trong m hnh OSI, PPP bao gm cc phng thc ng, tch gi cho cc loi gi d liu khc nhau truyn ni tip. PPP c th ng cc gi IP, IPX, NETBEUI v truyn i trn kt ni im im t my gi n my nhn. PPTP ng gi cc khung d liu ca giao thc PPP vo cc IP datagram truyn qua mng IP (Internet hoc Intranet). PPTP dng mt kt ni TCP (gi l kt ni iu khin PPTP) khi to, duy tr, kt thc ng hm, v mt phin bn ca giao thc GRE ng gi cc khung PPP. Phn ti tin ca khung PPP c th c mt m v /hoc nn. PPTP s dng PPP thc hin cc chc nng:
Nguyn Mnh Hng, Lp D04VT1 35

n tt nghip i Hc

Chng II: Cc giao thc hot ng trong VPN

- Establishing and terminating the physical connection.
- Authenticating the user.
- Creating PPP data packets.

PPTP assumes that an IP network exists between the PPTP client (a VPN client using PPTP) and the PPTP server (a VPN server using PPTP). The PPTP client may be connected directly by dialling in to a network access server (NAS) to establish the IP connection. When a PPP connection is established, the user is normally authenticated. This is an optional phase in PPP, but it is always provided by ISPs. Authentication during PPTP connection setup uses the authentication mechanisms of the PPP connection. The authentication mechanisms may be:
- EAP (Extensible Authentication Protocol).
- CHAP (Challenge Handshake Authentication Protocol).
- PAP (Password Authentication Protocol).

With PAP the password is sent over the connection as plain text and is not protected. CHAP is a stronger authentication protocol that uses a three-way handshake. CHAP resists replay attacks by using challenge values that are unique and unpredictable. PPTP also inherits PPP's encryption and/or compression of the payload. To encrypt the PPP payload, Microsoft Point-to-Point Encryption (MPPE) can be used. MPPE only provides link-level encryption, not end-to-end encryption. If end-to-end encryption is required, IPSec can be used to encrypt the IP traffic between the endpoints after the PPTP tunnel has been established.

After PPTP has established the connection, it uses the PPP encapsulation rules to encapsulate the packets carried in the tunnel. To take advantage of the connection created by PPP, PPTP defines two kinds of packets, control and data, and assigns them to two separate channels, the control channel and the data channel. PPTP separates the control and data channels into a control stream over TCP and a data stream over IP. The TCP connection created between the PPTP client and the PPTP server is used to carry control messages. The data packets are the user's ordinary data. Control packets are sent periodically to obtain information about the state of the connection and to manage signalling between the PPTP client application and the PPTP server. Control packets are also used to send device management information and configuration information between the two ends of the tunnel. The control channel is required to set up a tunnel between the PPTP client and the PPTP server. The PPTP server is a server running the PPTP protocol with one interface connected to the Internet and another connected to the intranet, while the client software may reside on the remote user's machine or on the ISP's server.
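The PAP versus CHAP contrast above in code, as an added example that is not part of the thesis: a PAP request carries the password itself, whereas a CHAP verifier (RFC 1994, MD5 variant) recomputes the response from a single-use random challenge, so a response captured on the link cannot be replayed. The peer names, secrets and the deterministic challenge source used for testing are assumed values.

```python
"""Added example, not part of the thesis: PAP (RFC 1334) versus CHAP-MD5
(RFC 1994) as used by PPP inside PPTP/L2TP. Names, secrets and the
deterministic challenge source used for testing are constructed values."""
from __future__ import annotations
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """PAP Authenticate-Request data: Peer-ID-Length, Peer-ID, Passwd-Length,
    Password. The password itself crosses the link in the clear."""
    pid, pwd = peer_id.encode(), password.encode()
    return bytes([len(pid)]) + pid + bytes([len(pwd)]) + pwd


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of the three-way handshake (Challenge, Response, Success/Failure).
    Each challenge is random and accepted once, so a response captured on the
    link is useless against any later challenge."""

    def __init__(self, secrets: Dict[str, bytes],
                 rng: Callable[[int], bytes] = os.urandom) -> None:
        self.secrets = secrets                  # peer name -> shared secret (never sent)
        self.rng = rng
        self.pending: Dict[int, bytes] = {}     # identifier -> outstanding challenge
        self.next_identifier = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Step 1: issue a fresh Identifier and a 16-byte unpredictable challenge."""
        identifier = self.next_identifier & 0xFF
        self.next_identifier += 1
        value = self.rng(16)
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Steps 2/3: recompute the expected value. The challenge is consumed
        whether or not the response matches, so it can never be answered twice."""
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, secret, challenge))


def demo() -> bool:
    """A legitimate login succeeds; replaying the captured response later fails."""
    secret = b"constructed-shared-secret"
    auth = ChapAuthenticator({"alice": secret})
    identifier, challenge = auth.challenge()
    captured = chap_response(identifier, secret, challenge)   # what an eavesdropper sees
    first = auth.verify(identifier, "alice", captured)
    later_identifier, _ = auth.challenge()
    replayed = auth.verify(later_identifier, "alice", captured)
    return first and not replayed
```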

2.5.3.2 Maintaining the tunnel with the PPTP control connection

The PPTP control connection is a connection between the IP address of the PPTP client (using a dynamically allocated TCP port) and the IP address of the PPTP server (using the reserved TCP port 1723). The PPTP control connection carries the control and management messages used to maintain the PPTP tunnel. These messages include periodic PPTP Echo Request and PPTP Echo Reply messages to detect connectivity failures between the PPTP client and server. Packets of the PPTP control connection consist of an IP header, a TCP header, the PPTP control message, and the data link layer header and trailer (Figure 2.16).

Figure 2.16: PPTP control connection packet

2.5.3.3 PPTP tunnel data encapsulation

PPP and GRE frame encapsulation

PPTP tunnel data is encapsulated at several levels. Figure 2.17 shows the structure of the encapsulated data.

Figure 2.17: PPTP tunnel data encapsulation

The payload of the original PPP frame is encrypted and encapsulated with a PPP header to create the PPP frame. The PPP frame is then encapsulated with the header of a modified version of the GRE protocol. GRE is a generic encapsulation protocol that provides a mechanism for encapsulating data for routing over IP networks. For PPTP, the GRE header is modified in the following ways:
- A 32-bit acknowledgment field is added. An acknowledgment bit is used to indicate the presence of the 32-bit acknowledgment field.
- The Key field is replaced by a 16-bit Payload Length field and a 16-bit Call ID field. The Call ID field is set by the PPTP client during PPTP tunnel creation.

IP encapsulation

The (encrypted) PPP payload and the GRE header are then encapsulated with an IP header containing the source and destination addresses of the PPTP client and server.

Data link layer encapsulation

To be carried over a LAN or WAN, the final IP packet is encapsulated with a data link layer header and trailer for the outgoing physical interface. For example, if the IP packet is sent over an Ethernet interface, it is sent with an Ethernet header and trailer. If the IP packet is sent over a point-to-point WAN link (such as an analogue telephone line or ISDN), it is encapsulated with the header and trailer of the link protocol.

Encapsulation diagram

Figure 2.18 is an example of the PPTP encapsulation diagram from a client over a remote-access VPN connection using an analogue modem.

Figure 2.18: PPTP encapsulation diagram

The encapsulation process is described in detail as follows. IP packets, IPX packets or NETBEUI frames are passed to the virtual interface representing the VPN connection by the corresponding protocol using NDIS (Network Driver Interface Specification). NDIS passes the packet to NDISWAN, which encrypts and compresses the data and provides the PPP header. This PPP header consists only of the PPP Protocol ID field, without the Flags and FCS (Frame Check Sequence) fields. It is assumed that the Address and Control fields were negotiated by the Link Control Protocol (LCP) during PPP connection setup. NDISWAN sends the data to the PPTP protocol, which encapsulates the PPP frame with a GRE header. In the GRE header, the Call ID field is set to the appropriate value to identify the tunnel. The PPTP protocol then sends the resulting packet to TCP/IP. TCP/IP encapsulates the PPTP tunnel data with an IP header and sends the result to the interface representing the dial-up connection to the local ISP using NDIS. NDIS sends the packet to NDISWAN, which provides the PPP header and trailer. NDISWAN sends the resulting PPP frame to the appropriate WAN port representing the dial-up hardware (for example, an asynchronous port for a modem connection).
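The PPTP encapsulation chain just described, and its reversal at the tunnel endpoint (section 2.5.3.4), as an added example that is not part of the thesis: it builds the reduced PPP header, the modified GRE header (payload length, Call ID, sequence number) and the outer IP header after RFC 2637 and RFC 791, then strips them again, discarding packets for unknown Call IDs and out-of-order data. Addresses, Call IDs and payloads are constructed; MPPE encryption and link-layer framing are omitted.

```python
"""Added example, not from the thesis: the PPTP data path of 2.5.3.3 (PPP ->
modified GRE -> IP) and its reversal at the tunnel endpoint (2.5.3.4), after
RFC 2637 and RFC 791. Addresses and payloads are constructed samples; MPPE
encryption and link-layer framing are left out."""
from __future__ import annotations
import ipaddress
import struct
from typing import Dict, Optional, Tuple

GRE_PROTO_PPP = 0x880B   # GRE protocol type for PPP carried by PPTP
GRE_FLAG_K = 0x2000      # Key field present: 16-bit payload length + 16-bit Call ID
GRE_FLAG_S = 0x1000      # 32-bit sequence number present (data packets)
GRE_FLAG_A = 0x0080      # 32-bit acknowledgment number present (PPTP addition)
GRE_VERSION = 0x0001     # "enhanced GRE" version used by PPTP
IPPROTO_GRE = 47
PPP_PROTO_IP = 0x0021    # PPP Protocol ID for IPv4

def ppp_frame(protocol_id: int, payload: bytes) -> bytes:
    """PPP header reduced to the Protocol ID (no Flags, Address/Control or FCS)."""
    return struct.pack("!H", protocol_id) + payload

def gre_encapsulate(frame: bytes, call_id: int, seq: Optional[int] = None,
                    ack: Optional[int] = None) -> bytes:
    """Modified GRE header: the Key field is replaced by payload length and Call ID."""
    flags = GRE_FLAG_K | GRE_VERSION | (GRE_FLAG_S if seq is not None else 0) \
        | (GRE_FLAG_A if ack is not None else 0)
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(frame), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + frame

def gre_decapsulate(packet: bytes) -> dict:
    """Validate the PPTP GRE header; return Call ID, seq/ack and the PPP frame."""
    if len(packet) < 8:
        raise ValueError("short GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", packet[:8])
    if proto != GRE_PROTO_PPP or (flags & 0x0007) != GRE_VERSION or not flags & GRE_FLAG_K:
        raise ValueError("not a PPTP GRE packet")
    off, seq, ack = 8, None, None
    if flags & GRE_FLAG_S:
        seq, off = struct.unpack("!I", packet[off:off + 4])[0], off + 4
    if flags & GRE_FLAG_A:
        ack, off = struct.unpack("!I", packet[off:off + 4])[0], off + 4
    frame = packet[off:off + length]
    if len(frame) != length:
        raise ValueError("payload length field exceeds packet")
    return {"call_id": call_id, "seq": seq, "ack": ack, "frame": frame}

def ipv4_checksum(data: bytes) -> int:
    """RFC 791 checksum; yields 0 over a header that already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_encapsulate(src: str, dst: str, gre_packet: bytes) -> bytes:
    """Outer IP header between PPTP client and server, protocol 47 (GRE)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre_packet), 0, 0x4000, 64,
                      IPPROTO_GRE, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + gre_packet

def ipv4_decapsulate(packet: bytes) -> Tuple[str, str, bytes]:
    """Check version, checksum and protocol; return (src, dst, GRE packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or len(packet) < ihl or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = (str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))
    return src, dst, packet[ihl:total_len]

class PptpTunnelEndpoint:
    """Receiver side of 2.5.3.4: strips IP, GRE and PPP, accepts only Call IDs it
    opened, and discards out-of-order data packets as RFC 2637 requires."""
    def __init__(self, local_ip: str) -> None:
        self.local_ip = local_ip
        self.last_seq: Dict[int, int] = {}   # Call ID -> highest sequence number accepted

    def open_call(self, call_id: int) -> None:
        self.last_seq[call_id] = -1

    def receive(self, packet: bytes) -> Optional[Tuple[int, int, bytes]]:
        """Return (call_id, ppp_protocol, payload), or None when the packet is dropped."""
        _src, dst, gre = ipv4_decapsulate(packet)
        if dst != self.local_ip:
            return None
        info = gre_decapsulate(gre)
        call_id, seq = info["call_id"], info["seq"]
        if call_id not in self.last_seq or seq is None or seq <= self.last_seq[call_id]:
            return None   # unknown call, ack-only packet, or replayed/out-of-order data
        self.last_seq[call_id] = seq
        return call_id, struct.unpack("!H", info["frame"][:2])[0], info["frame"][2:]
```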

2.5.3.4 Processing data at the PPTP tunnel endpoint

On receiving PPTP tunnel data, the PPTP client or server performs the following steps:
- Process and remove the data link layer header and trailer.
- Process and remove the IP header.
- Process and remove the GRE and PPP headers.
- Decrypt and/or decompress the PPP payload (if necessary).
- Process the payload for reception or forwarding.

2.5.3.5 Deploying a VPN based on PPTP

Deploying a VPN based on PPTP requires, as a minimum, the system components shown in Figure 2.19, namely:
- A network access server for secure dial-up access to the VPN.
- A PPTP server.
- PPTP clients with the necessary client software.

Figure 2.19: Components of a system providing a PPTP-based VPN

PPTP servers may be located on the company network and managed by the company's staff.

PPTP server

The PPTP server performs two main functions: it acts as the endpoint of the PPTP tunnel and it forwards packets arriving from the tunnel to the private LAN. The PPTP server forwards packets to hosts by processing the PPTP packets to obtain the network address of the destination computer. The PPTP server is also capable of packet filtering. Using PPTP packet filtering, the server can deny access or allow access to the Internet only, to the private network only, or to both. Placing the PPTP server at a network site has one limitation if the PPTP server sits behind a firewall. PPTP is designed so that only one TCP port, 1723, is used for outgoing data. The weakness of this port configuration may make the firewall more vulnerable to attack. If the firewall is configured for packet filtering, it must be set up to let GRE through.

Another device, introduced in 1998 by 3Com, has a function similar to the PPTP server and is called a tunnel switch. The purpose of a tunnel switch is to extend a tunnel from one network to another, stretching the tunnel from the ISP's network to the private network. A tunnel switch can be used at the firewall to improve the management of remote access to internal network resources. It can inspect incoming and outgoing packets, the protocol of the PPP frames, or the name of the remote user.

PPTP client software

If the ISP's equipment supports PPTP, no additional hardware or software is needed on the clients; a standard PPP connection is sufficient. If the ISP's equipment does not support PPTP, a client application can still create a secure connection by first dialling in to the ISP with PPP and then dialling again through a virtual PPTP port set up on the client. PPTP client software is included in Windows, NT and later operating systems. When choosing a PPTP client, its functions must be compared with those of the PPTP server in use. Not all PPTP client software supports MS-CHAP, and without it the encryption advantages of RRAS cannot be used.

Network access server

The network access server (NAS) is also known as a remote access server or an access concentrator. The NAS provides software-based line access, accounting and fault tolerance at the ISP POP. The ISP's NAS is designed to allow a large number of users to dial in at the same time. If an ISP offers a PPTP service, it must install a PPTP-enabled NAS to support clients running on different platforms such as Unix, Windows, Macintosh, etc. In this case the ISP's server acts as a PPTP client connecting to the PPTP server at the private network, and the ISP's server becomes one tunnel endpoint, the other endpoint being the server at the private network end.

2.5.3.6 Advantages, disadvantages and applicability of PPTP

The advantage of PPTP is that it is designed to operate at layer 2 (data link) whereas IPSec operates at layer 3 of the OSI model. By supporting layer-2 transport, PPTP can tunnel protocols other than IP, whereas IPSec can only tunnel IP packets. However, PPTP is an interim solution, as most vendors plan to replace PPTP with L2TP once that protocol is standardised. PPTP is better suited to dial-up access with a limited number of users than to LAN-to-LAN VPNs. One problem with PPTP is that user authentication is handled through Windows NT or through RADIUS. A PPTP server is also overloaded by a large number of dial-up users or by a large volume of data traffic, which is precisely what LAN-to-LAN connections require. When a PPTP-based VPN is used with support from the ISP's equipment, some management rights must be shared with the ISP. The security of PPTP is not as strong as that of IPSec. However, security management in PPTP is simpler.

2.5.4 The L2TP protocol

The Layer 2 Tunneling Protocol L2TP is a combination of two protocols, PPTP and Layer 2 Forwarding (L2F). PPTP was proposed by Microsoft and L2F was initiated by Cisco. The two companies cooperated to merge the two protocols and submitted the result for standardisation at the IETF. Like PPTP, L2F is a tunneling protocol; it uses its own encapsulation header for carrying layer-2 packets. One key difference between L2F and PPTP is that L2F does not depend on IP and GRE, which allows it to work over other physical media. Because it does not use GRE as its encapsulation protocol, L2F defines its own way of handling packets in these other media. Like PPTP, L2F uses PPP to authenticate dial-up users, but it also supports TACACS+ and RADIUS for authentication. There are two levels of user authentication: first at the ISP before the tunnel is established, then at the private network's gateway after the connection is established. L2TP carries the characteristics of both PPTP and L2F. However, L2TP defines its own tunneling protocol based on the operation of L2F. This allows L2TP to be carried over many different media such as X.25, Frame Relay and ATM. Although most of L2TP's tools focus on UDP over IP networks, an L2TP system can be set up without using IP as the tunneling protocol; an ATM or Frame Relay network can carry L2TP tunnels. Because L2TP is a layer-2 protocol, it lets users employ control protocols flexibly, not only IP but also IPX or NETBEUI. Like PPTP, L2TP supports the PAP, CHAP or RADIUS authentication mechanisms. Although Microsoft made PPTP the popular choice for building VPNs by including the protocol in the Windows operating system, the company also planned to add L2TP support to Windows NT 4.0 and Windows 98 and later.

2.5.4.1 Format of L2TP

Figure 2.20: Architecture of L2TP

The main parts of L2TP are: the point-to-point protocol, the tunnel and the authentication system. However, to add further security, L2TP ...

2.5.4.1.1 PPP and L2TP

L2TP relies on PPP to create the dial-up connection between the client and the network access server (NAS). L2TP uses PPP to create the physical connection, carry out the authentication phase, create PPP data packets and close the connection at the end of the session. Once PPP has created the connection, L2TP determines whether the NAS at the main site accepts the user and is ready to act as the tunnel endpoint for that user. Once the tunnel is created, L2TP encapsulates the PPP packets and sends them over the medium that the ISP has assigned to the tunnel (Figure 2.21). L2TP creates the tunnel between the ISP's NAS and the client's network server, and it can assign several sessions to the tunnel. L2TP creates a call identifier (Call ID) for each session and inserts the Call ID into the L2TP header of each packet to indicate which session it belongs to.

Figure 2.21: Protocols used in an L2TP connection

L2TP can also create multiple tunnels between the ISP's NAS and the client's network access server. By assigning one user session to one tunnel instead of multiplexing several sessions into one tunnel, different users can be assigned to different tunnel media according to their quality of service. Like PPTP, L2TP defines two kinds of messages, control messages and data messages. Unlike PPTP, however, L2TP carries both kinds of messages on the same stream. If the tunnel is used over an IP network, both kinds of messages are sent in the same UDP datagrams. Because L2TP operates at layer 2, the L2TP data message includes a media header that indicates which medium the tunnel operates over (Figure 2.22). Depending on the ISP, the medium may be Ethernet, X.25, Frame Relay, ATM or a PPP link.

Figure 2.22: L2TP packet encapsulation

L2TP also helps to reduce load on the network: it helps the server deal with congestion through a flow control mechanism between the NAS, known in L2TP terminology as the L2TP Access Concentrator (LAC), and the private network's server, known as the L2TP Network Server (LNS). Control messages indicate the transmission rate and the buffer parameters used to control the flow of PPP packets within a session.
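An added example (not the thesis's code) of the L2TP header described in this section and Figure 2.22, following RFC 2661: control and data messages are told apart by the T bit within one UDP stream, and the receiver uses Ns/Nr to deliver control messages in order and to recognise duplicates. The tunnel and session IDs and the control payload are constructed placeholders, not real AVPs.

```python
"""Added example, not from the thesis: L2TPv2 (RFC 2661) header handling for
2.5.4.1.1 and Figure 2.22. Control and data messages share one UDP stream
(port 1701), told apart by the T bit, and Ns/Nr sequence the control channel.
Tunnel/session IDs and payloads are constructed; the control payload is a
placeholder, not real AVPs."""
from __future__ import annotations
import struct
from typing import Dict, Optional

L2TP_UDP_PORT = 1701
F_T, F_L, F_S, F_O, F_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
L2TP_VERSION = 2

def l2tp_encode(tunnel_id: int, session_id: int, payload: bytes, control: bool = False,
                ns: Optional[int] = None, nr: Optional[int] = None,
                offset: Optional[int] = None, priority: bool = False) -> bytes:
    """Build one L2TP message. Control messages must carry Length and Ns/Nr;
    data messages may omit them and may add an Offset or the Priority bit."""
    flags = L2TP_VERSION
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages require Ns and Nr")
        flags |= F_T | F_L | F_S
    else:
        if ns is not None or nr is not None:
            flags |= F_S
            ns, nr = ns or 0, nr or 0
        if offset is not None:
            flags |= F_O
        if priority:
            flags |= F_P
    body = struct.pack("!HH", tunnel_id, session_id)
    if flags & F_S:
        body += struct.pack("!HH", ns, nr)
    if flags & F_O:
        body += struct.pack("!H", offset) + b"\x00" * offset
    body += payload
    head = struct.pack("!H", flags)
    if flags & F_L:
        head += struct.pack("!H", 4 + len(body))   # Length covers the whole message
    return head + body

def l2tp_decode(dgram: bytes) -> dict:
    """Parse the header and reject malformed messages before tunnel state is touched."""
    if len(dgram) < 6:
        raise ValueError("short L2TP message")
    flags = struct.unpack("!H", dgram[:2])[0]
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("unsupported L2TP version")
    control = bool(flags & F_T)
    if control and not (flags & F_L and flags & F_S):
        raise ValueError("control message lacks the L or S bit")
    off, end = 2, len(dgram)
    if flags & F_L:
        end, off = struct.unpack("!H", dgram[off:off + 2])[0], off + 2
        if end > len(dgram):
            raise ValueError("Length field exceeds datagram")
    tunnel_id, session_id = struct.unpack("!HH", dgram[off:off + 4])
    off += 4
    ns = nr = None
    if flags & F_S:
        ns, nr = struct.unpack("!HH", dgram[off:off + 4])
        off += 4
    if flags & F_O:
        off += 2 + struct.unpack("!H", dgram[off:off + 2])[0]
    if off > end:
        raise ValueError("truncated header")
    return {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "priority": bool(flags & F_P), "payload": dgram[off:end]}

class L2tpReceiver:
    """Demultiplexes the shared stream: data goes straight to its session, control
    messages are delivered in Ns order, duplicates are re-acknowledged and dropped."""
    def __init__(self) -> None:
        self.expected_ns: Dict[int, int] = {}   # tunnel_id -> next control Ns expected

    def open_tunnel(self, tunnel_id: int) -> None:
        self.expected_ns[tunnel_id] = 0

    def receive(self, dgram: bytes) -> dict:
        msg = l2tp_decode(dgram)
        tid = msg["tunnel_id"]
        if tid not in self.expected_ns:
            return {"action": "drop", "reason": "unknown tunnel"}
        if not msg["control"]:
            return {"action": "deliver_data", "session_id": msg["session_id"],
                    "payload": msg["payload"]}
        if not msg["payload"]:
            return {"action": "ack_only"}               # ZLB ACK does not consume an Ns
        expected = self.expected_ns[tid]
        if msg["ns"] == expected:
            self.expected_ns[tid] = (expected + 1) & 0xFFFF
            return {"action": "deliver_control", "ns": msg["ns"], "payload": msg["payload"]}
        if ((msg["ns"] - expected) & 0xFFFF) > 0x8000:
            return {"action": "ack_duplicate", "ns": msg["ns"]}   # seen before: re-ack, discard
        return {"action": "drop", "reason": "control message ahead of expected Ns"}
```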

2.5.4.1.2 L2TP tunnels

L2TP uses the same classes of tunnels as PPTP (voluntary and compulsory tunnels), depending on whether a PPP client or an L2TP client initiates the connection. A voluntary tunnel is created at the request of the user for a specific purpose. A compulsory tunnel is created automatically without any action from the user and, in particular, gives the user no choice.

Figure 2.23: Voluntary and compulsory tunnels

When a user uses a voluntary tunnel, they can open a secure tunnel through the Internet and, at the same time, access any host on the Internet using ordinary TCP/IP. The tunnel endpoint of a voluntary tunnel is on the user's computer. Voluntary tunnels are usually used to provide privacy and data integrity for intranet traffic sent across the Internet. Because a compulsory tunnel is created without involving the user, it is transparent to the end user. The endpoint of a compulsory tunnel is on the ISP's LAC. All data sent by the user passes through the L2TP tunnel via the LAC. Access to services other than the intranet must go through the network administrator. Note that L2TP allows multiple connections to be carried on one tunnel, which increases the capacity of L2TP. Because a compulsory tunnel has a predetermined endpoint and the user cannot reach the rest of the Internet, it provides better access control than a voluntary tunnel. If, for security reasons, users are not allowed to access the public Internet, a compulsory tunnel prevents them from accessing the public Internet while still allowing them to use the Internet to reach the VPN (that is, only sites within the VPN are reachable). Another advantage of compulsory tunnels is that one tunnel can carry multiple connections. This property reduces the network bandwidth requirement for multi-session applications. A disadvantage of compulsory tunnels is that the connection from the LAC to the user lies outside the tunnel and is therefore vulnerable to attack. This is one of the reasons L2TP uses some features of IPSec to secure its traffic.

Although the ISP may choose to statically define tunnels for users, this wastes network resources if the static tunnels are not used regularly. A more flexible alternative is to select the tunnel dynamically when the user connects to the RAS or LAC, which makes more efficient use of network resources. These dynamic tunnels are set up in L2TP by connecting the system to a RADIUS server. Using RADIUS to provide compulsory tunnels has several advantages. Tunnels can be defined and verified on the basis of user authentication, and accounting can be based on the telephone number or on other authentication methods such as tokens or smart cards. For RADIUS to control the setup of a tunnel, it must store the tunnel's attributes. These attributes include the tunneling protocol used (PPTP or L2TP), the address of the server and the transmission medium used within the tunnel.

2.5.4.1.3 Authentication and encryption in L2TP

User authentication takes place in three phases: phase one takes place at the ISP, phases two and three (optional) take place at the private network's server. In the first phase, the ISP may use the user's telephone number or user name to determine that the L2TP service is required and to initiate a tunnel connection to the private network's server. Once the tunnel is established, the ISP's LAC must assign a new call identifier (Call ID) that identifies the connection within the tunnel, and initiate the session by forwarding the authentication information to the private network's server. The private network's server then carries out the second phase, deciding whether to accept or reject the call. The call forwarded from the ISP may carry CHAP, PAP, EAP or any other information, and the server uses this information to decide whether to accept or reject the call. After the call is accepted, the network server may start the third phase of authentication at the PPP layer. This step is similar to the server authenticating a user who dials directly in to the server. Although these three phases allow the user, the ISP and the private network's server to confirm the legitimacy of the call, they still do not protect the data from interference and modification.

The two ends of the tunnel authenticate each other during tunnel establishment. The authentication mechanism is similar to the security property of CHAP, protecting against attacks during the tunnel setup process. However, it remains simple for an attacker to interpose and take over the tunnel as soon as tunnel authentication has completed. Although L2TP authentication allows mutual authentication between the LAC and the LNS during tunnel establishment, it does not protect the control message and data message streams. This deficiency leaves the tunnel open to attacks including the injection of packets to take control of the tunnel or the PPP connection, or the disruption of PPP negotiation to obtain the user's password. PPP authentication runs from the client to the LNS, but it provides no per-packet authentication, no data integrity and no confidentiality. PPP encryption is a confidentiality requirement for the PPP stream, but it has no address authentication, data integrity or key management, which makes it a weak security tool that cannot provide security within the L2TP channel.

For authentication in L2TP to be as desired, keys must be distributed. Although manual key distribution may be feasible in some cases, a key management protocol is required for the general case. For L2TP tunnels over IP, securing the IP packets with IPSec provides strong security for the tunnel. This security does not require any modification of the L2TP protocol. Note that some attacks are carried out on the PPP connection between the dial-up client and the NAS/LAC. L2TP would be a good VPN solution if it secured data end to end. This leads to a plan to use IPSec to encrypt packets, at least for IP-based tunnels. Because the functions of ESP are defined on the IP payload, the IP header is not needed for ESP. Therefore L2TP over non-IP networks can carry ESP packets. Key transport and SA negotiation, however, are another matter. For IKE, the messages are carried over UDP, which requires non-IP media to support the transport of UDP datagrams.

Consider how IPSec is implemented in voluntary and compulsory tunnels. In the case of a compulsory tunnel, the user sends PPP packets to the LAC without regard to the tunnel created between the LAC and the LNS at the private network. An SA is established between the LAC and the LNS based on the user's request and identity; this SA is known only to the LAC and the LNS, and the user is not concerned with it.

Figure 2.24: Packet encryption for a compulsory tunnel

Because the end user is not concerned with the data security service between the LAC and the LNS, the best solution for the end user is for IPSec to be implemented on their own machine. However, not every tunnel endpoint is IPSec-capable; this can be resolved by renegotiating to use only PPP encryption (Figure 2.25). In both cases the ISP's LAC must insert IPSec AH into the data stream, but leaves the end user to choose ESP for IPSec-capable endpoints or PPP encryption for endpoints that are not IPSec-capable. In the case of a voluntary tunnel, the user acts as the tunnel endpoint and can therefore negotiate an SA with the LNS at the private network. However, the negotiation depends on whether both ends are IPSec-capable (Figure 2.26). Because the user acts as the tunnel endpoint, IPSec AH is applied on their own machine rather than on the ISP's equipment. If the destination host is not IPSec-capable, ESP encryption only protects the data until it reaches the LNS of the private network.

Figure 2.26: Packet encryption for a voluntary tunnel

2.5.4.1.4 LAN-to-LAN tunnels

Although the main function of L2TP is dial-up VPN access using PPP clients, it is also suitable for LAN-to-LAN connections in a VPN. A LAN-to-LAN tunnel is established between two L2TP servers, at least one of which must have a dial-up connection to an ISP to initiate the PPP session. This design suits a branch office LAN connecting to the head office when the connection does not need to be maintained permanently. Both sides act as both LAC and LNS, initiating and terminating the tunnel as needed (Figure 2.27). For LANs connected to each other permanently through the Internet (using Frame Relay, T1, ...), a shortcut must exist in the authentication process, because the ISP's RAS does not act as the LAC.

Figure 2.27: L2TP LAN-to-LAN tunnel

2.5.4.1.5 Key management

When two parties want to exchange data securely, they must be sure that both sides process the data in the same way. Both sides must use the same encryption algorithm, the same key length and the same key for the transmitted data to be secure. This is handled through a Security Association (SA). An IPSec SA describes the following:
- The authentication algorithm used for AH and its key.
- The ESP encryption algorithm and its key.
- The form and size of the cryptographic synchronisation (initialisation vector) used by the encryption algorithm.
- The protocol, algorithm and key used for communication.
- The protocol, encryption algorithm and key used for private communication.
- How often the key is changed.
- The authentication algorithm, mode and function used in ESP and the key used by that algorithm.
- The lifetime of the key.
- The lifetime of the SA.
- The source address of the SA.

Although the SA lets the two communicating parties define the encryption method they will use, key exchange is the responsibility of IKE. IKE has the following capabilities:
- Provides the means for the two parties to agree on the protocols, algorithms and keys to use.
- Ensures from the very start of the key exchange that communication is with the right party.
- Manages the keys after they have been agreed in the negotiation process.
- Ensures that keys are exchanged securely.

Key exchange is similar to SA management. When an SA needs to be created, keys must be exchanged. The IKE structure therefore bundles them together and transfers them as one integrated package. Because IKE is IP-based, it is more easily integrated into L2TP running over IP networks than over non-IP networks.

2.5.4.2 Using L2TP

Because the main function of L2TP is dial-up VPN access through the Internet, the components of L2TP are similar to those of PPTP. The most important element of L2TP is the definition of the endpoints of an L2TP tunnel, the LAC and the LNS (Figure 2.28). Because these endpoints may reside on ISP equipment, software for the mobile client may not be needed. Although the LNS may be installed at the company and operated by a company team, the LAC should be supported by the ISP. In fact, if an L2TP client is installed on the remote client machine, the ISP does not need to provide additional L2TP support. At the private network site, the L2TP server acts as a security gateway, linking authentication to RADIUS or to Windows domains. The L2TP client on the user's laptop can perform the same functions as IPSec client software.

2.5.4.2.1 L2TP network servers

An L2TP server has two main functions: it acts as the endpoint of the L2TP tunnel and it forwards packets arriving from the tunnel to the private LAN. The L2TP server forwards packets to hosts by processing the L2TP packets to obtain the network address of the destination computer.

Figure 2.28: Basic components of L2TP

Unlike PPTP, L2TP is not able to filter packets; the system leaves that task to the firewall. When the network server is integrated with a firewall, L2TP has advantages over PPTP. First, L2TP does not require a single fixed port to be assigned at the firewall as PPTP does (the default port for L2TP is 1701). The administration program has an option for the port assigned at the firewall, which makes it harder for an attacker to target a known port when the port may have been changed to another number. Second, the data stream and the control information are carried on the same UDP port, so firewall setup is simpler. Because some firewalls do not support GRE, they are more compatible with L2TP than with PPTP.

2.5.4.2.2 L2TP client software

If the ISP's equipment supports L2TP, no hardware or software is needed on the clients; a standard PPP connection is sufficient. Note, however, that this setup cannot use IPSec encryption, which means that L2TP-capable clients should be used for an L2TP VPN. Some characteristics of L2TP client software are:
- Compatibility with the other IPSec components (such as the encryption server, the key exchange protocol and the encryption algorithms).
- A clear indication when IPSec is active.
- Support for loading SAs.
- A hash function that can handle dynamic IP addresses.
- A key protection mechanism against theft (encrypting keys with a password).
- A mechanism for automatic and periodic rekeying.
- Blocking of all non-IPSec traffic.

2.5.4.2.3 Network access concentrators

Unlike IPSec VPNs, in some cases the design of an L2TP VPN depends on the protocol supported by the ISP. This support is particularly important when remote clients without an L2TP client can use a PPP client for access. ISPs can provide L2TP services without adding L2TP support to their access servers, which requires all users to have an L2TP client on their machines. This has the advantage that users can use the services of several ISPs when their network is geographically widespread. An ISP providing an L2TP service must install an L2TP-enabled NAS to support L2TP clients running on different platforms such as Unix, Windows and Macintosh. In such cases the ISP's access server acts as one endpoint of the compulsory L2TP tunnel, the other endpoint being the server at the private network end.

The choice of an ISP providing an L2TP VPN service may vary according to the network design requirements. If the VPN design requires end-to-end encryption, L2TP-capable clients must be installed on the remote hosts, and it must be agreed with the ISP that encryption is handled from the remote machine all the way to the VPN's server. If a less secure network with higher fault tolerance is being built and data only needs to be protected while it travels through the tunnel over the Internet, agree with the ISP that it will support the LAC and encrypt data only on the segment from the LAC to the LNS of the private VPN.

2.5.4.2.4 Examples of L2TP applications in a VPN

The example considers only the exchange of data between two endpoints, without regard to how information within the network is secured (by a firewall, for instance). Hosts are connected to the L2TP server, and every outgoing path must go through the L2TP server combined with the firewall. The connection between the internal site and the external site must be locked down so that only the network administrator can reach the encryption server. In the example of Figure 2.29, company A decides to use an ISP-supported VPN service. This means that the ISP providing Internet connectivity to company A has a RADIUS proxy server and a LAC. Company A still maintains a RADIUS server and an LNS. Because the ISP supports L2TP, the remote machines do not need an L2TP client.

Figure 2.29: L2TP dial-up in a VPN

2.5.4.3 Applicability of L2TP

L2TP is a new generation of dial-up access protocol for VPNs. It combines the best features of PPTP and L2F. Most vendors of PPTP products have released L2TP-compatible products or will introduce them later. Although L2TP mainly runs over IP networks, its ability to run over other networks such as Frame Relay and ATM makes it more popular.

L2TP allows a large number of remote clients to connect to a VPN, and also supports high-capacity LAN-to-LAN connections. L2TP has a flow control mechanism that reduces congestion on the L2TP tunnel. L2TP allows multiple tunnels to be established between the same LAC and LNS. Each tunnel can be assigned to a specific user or group of users and to different media according to the users' QoS attributes.

PART II

CHAPTER III: VIRTUAL PRIVATE NETWORKS OVER MPLS

MPLS VPN is regarded as combining the advantages of both the overlay and the peer-to-peer virtual private network models. Building virtual private networks over MPLS ensures optimal routing between customer sites, distinguishes customer addresses by means of routing identifiers and supports the construction of complex VPN models purely on the basis of routing. This part presents the basics of virtual private networks over MPLS, their operating principles and the capabilities that MPLS VPN offers. The main characteristics of the two kinds of virtual private network, over IPSec and over MPLS, are also compared in order to highlight the advantages of the MPLS VPN solution.

3.1 Components of MPLS VPN

3.1.1 The MPLS VPN service provision system

An important concept to recall when studying virtual private networks over MPLS is the site. A VPN is a set of sites sharing common routing information. Thus a site may belong to more than one VPN if it holds rights from each separate VPN. This provides the ability to build intranet and extranet VPNs as well as remote-access VPNs. When the sites of a VPN belong to one enterprise the VPN is regarded as an intranet VPN, and when the sites belong to different enterprises it is an extranet VPN. In general terms, the model of an MPLS VPN service provision system is shown in Figure 3.1.

Figure 3.1: The MPLS VPN service provision system and its components

As can be seen in the figure, the basic components of MPLS VPN are:
- The IP/MPLS core network, administered by the service provider.
- The core routers of the provider network.
- The edge routers of the network, which hold the customers' routing information and deliver services to the customers on the provider side.
- The edge routers of the autonomous systems (AS), which connect to other ASes. These ASes may belong to the same operator or to different operators.
- The customer network, regarded as the access network to the core network.
- The customer routers, which act as the bridge between the customer network and the provider network. These routers may be managed by the customer or by the service provider.

3.1.2 The provider edge router

As introduced above, a very important and indispensable component when deploying MPLS VPN is the provider edge router. The PE routers in MPLS VPN have an architecture like that of the peer-to-peer VPN model with a shared router; the only difference is that everything is concentrated in one physical device (Figure 3.2).

Hnh 3.2: B nh tuyn PE v s kt ni cc site khch hng.

Nh th hin trong hnh v, mi site khch hng ng k mt bng nh tuyn c lp gi l bng nh tuyn o, tng ng vi mt b nh tuyn o nh trong m hnh VPN ngang hng. Mt b nh tuyn o cho php nhiu site ca khch hng cng kt ni ti n. Vic nh tuyn qua mng ca nh cung cp c thc hin bi mt tin trnh nh tuyn khc, s dng bng nh tuyn ton cc.

3.1.3 Bng nh tuyn v chuyn tip o. S kt hp gia bng nh tuyn v bng chuyn tip VPN to thnh mt bng nh tuyn chuyn tip o VRF (Vitual Routing and Forwarding). Mi VPN u c mt bng nh tuyn v chuyn tip ring ca n trong b nh tuyn PE, v mi b nh tuyn PE duy tr mt hoc nhiu bng VRF. Mi site m c b nh tuyn PE ni vo s lin kt vi mt trong cc bng ny. a ch IP ch ca mt gi tin ch c kim tra trong bng VRF m n thuc v nu gi tin ny n trc tip t site tng ng vi bng VRF . Mt VRF n gin ch l mt tp hp cc tuyn thch hp cho mt site no (hoc mt tp hp gm nhiu site) kt ni n b nh tuyn PE. Cc tuyn ny c th thuc v mt hoc nhiu VPN. V d, gi s c ba b nh tuyn PE l PE1, PE2, PE3, v ba b nh tuyn CE l CE1, CE2, CE3. Cng gi s rng PE1 tip nhn t CE1 cc tuyn hp l site CE1,
Nguyn Mnh Hng, Lp D04VT1 60

n tt nghip i Hc MPLS

Chng III: Mng ring o trn nn

cn PE2 v PE3 tng ng c ni ti cc site CE2 v CE3. C ba site ny u thuc v cng mt VPN V. Khi PE1 s s dng BGP phn phi cho PE2 v PE3 cc tuyn m n hc c t cc site CE1. PE2 v PE3 s dng cc tuyn ny a vo bng chuyn tip dnh cho site CE2 v CE3. Cc tuyn t nhng site khng thuc vo VPN V s khng xut hin trong bng chuyn tip ny, c ngha l cc gi tin CE2 v CE3 khng th gi n nhng site khng thuc VPN V. Nu mt site thuc v nhiu VPN, bng chuyn tip tng ng vi site c th c nhiu tuyn lin quan n tt c VPN m n ph thuc. PE ch duy tr mt bng VRF cho nhiu site. Cc site khc nhau c th chia s cng mt bng VRF nu s dng tp hp cc tuyn mt cch chnh xc nh trong bng VRF . Nu tt c cc site c thng tin nh tuyn ging nhau (iu ny thng do cc site cng thuc v tp hp VPN) th chng s c php lin lc trc trip vi nhau, v nu kt ni ti cng mt b nh tuyn PE th chng s c t vo cng mt bng VRF chung. Gi s b nh tuyn PE nhn c gi tin t mt site ni trc tip vi n. Ta gi site ny l site A nhng a ch ch ca gi tin khng c trong tt c cc thc th ca bng chuyn tip tng ng vi site A. Nu nh cung cp dch v khng cung cp kh nng truy nhp Internet cho site A th gi tin s b loi b v khng th phn phi c ti ch. Nhng nu nh cung cp dch v c h tr truy nhp Internet cho site A th lc ny a ch ch ca gi tin s c tm kim trong bng nh tuyn ton cc. Do , bt k b nh tuyn PE no trong mng MPLS VPN cng u c nhiu bng nh tuyn trn mi VRF v mt bng nh tuyn ton cc. Bng nh tuyn ny c s dng tm cc b nh tuyn khc trong mng nh cung cp dch v cng nh cc ch thuc v mng bn ngoi (v d nh Internet). Tm li, VRF c s dng cho mt site VPN hoc nhiu site kt ni n cng mt b nh tuyn PE min l nhng site ny chia s chnh xc cc yu cu kt ni ging nhau. Do , cu trc ca bng VRF c th bao gm: - Bng nh tuyn IP. - Bng chuyn tip. - Tp hp cc quy tc v cc tham s giao thc nh tuyn (gi l Routing Protocol Context). - Danh sch cc giao din s dng trong VRF.


3.2 MPLS VPN models

There are currently two common models for deploying virtual private networks over MPLS: the layer-3 VPN (L3VPN) and the layer-2 VPN (L2VPN). The main characteristics of the two models are introduced below.

3.2.1 The L3VPN model

The L3VPN architecture is divided into two layers, corresponding to layers 3 and 2 of the OSI model. L3VPN is based on RFC 2547bis, which extends several basic features of the Border Gateway Protocol (BGP) and relies on the multiprotocol extensions of BGP to distribute routing information across the service provider's core network and to forward VPN traffic across that core. In the L3VPN architecture the customer's and the provider's routers are regarded as peers. The customer edge (CE) router supplies routing information to the provider edge (PE) router. The PE stores this routing information in a virtual routing and forwarding table (VRF). Each VRF entry corresponds to one customer network and is completely isolated from the other customer networks. A VPN user is only allowed to reach sites or hosts in the same private network. The PE router also keeps the ordinary routing tables needed to forward the customer's traffic across the public network. An MPLS-based L3VPN configuration is shown in Figure 3.3.

Figure 3.3: The MPLS L3VPN model


IP packets crossing the MPLS domain carry two kinds of label: an MPLS label that identifies the label switched path (LSP), and a label that identifies the virtual routing/forwarding instance (VRF). A label stack is built to hold both labels. The provider's P routers process the LSP label to forward packets across the MPLS domain. The VRF label is processed only at the PE edge router that connects to the customer router. An advantage of the L3VPN model is that the customer address space is managed by the operator, which simplifies deploying the connection with the provider. L3VPN also offers dynamic routing to distribute routing information among the VPNs. However, L3VPN only supports IP traffic, or traffic encapsulated in IP packets. In addition, keeping two routing tables on the edge devices complicates operation and limits how far the equipment can scale.

3.2.2 The L2VPN model

The layer-2 VPN model was developed later and its standards are still being finalised. The L2VPN approach sets up tunnels across the MPLS network that carry different traffic types such as Ethernet, FR, ATM and PPP/HDLC. There are two basic forms of L2VPN:
- Point-to-point: as in ATM and FR technology, virtual switched paths are established across the network.
- Point-to-multipoint: supports mesh and hierarchical configurations.
In recent years the virtual LAN service based on the multipoint L2VPN model with Ethernet access has been widely deployed. This solution links Ethernet networks across the MPLS infrastructure on the basis of layer-2 identifiers, thereby reducing the complexity of the layer-3 routers. In the L2VPN model the CE and PE routers are not necessarily treated as peers (Figure 3.4). Instead, only a layer-2 connection needs to exist between them. The PE router switches the traffic flows into tunnels preconfigured towards the other PE routers.


Figure 3.4: The MPLS L2VPN model

L2VPN performs its lookups in the data plane using addresses learned from neighbouring routers. L2VPN uses a label stack similar to that of L3VPN. The outer MPLS label determines the path of the traffic across the MPLS domain, while the virtual circuit (VC) label identifies the virtual LAN, the VPN, or the connection to the end points. An optional field used to control the layer-2 connections is placed in the same stack, next to the data field. The most important advantage of L2VPN is that higher-layer protocols are carried transparently over MPLS. It can run over most layer-2 technologies, including ATM, FR and Ethernet, and opens up the possibility of integrating connectionless IP networks with connection-oriented networks. In addition, in this solution the end user does not need to configure routing on the customer CE routers.

3.3 Operation of MPLS VPN

3.3.1 Distributing routing information

The PE routers must exchange the information held in their virtual routing tables so that data can be routed between the customer sites connected to them. The problem is to find a routing protocol that carries all the customer routes across the provider network while preserving independent address spaces for the different customers. One proposed solution uses a separate routing protocol for each customer. The PE routers can be connected through point-to-point tunnels (with the per-customer routing protocol running between the PE routers), or the provider's P routers can take part in the customer's routing. Although simple to implement, this solution does not scale and runs into many problems when VPN service has to be provided to a large number of customers. The difficulties stem from the PE routers having to run a large number of routing protocols, and from the P routers having to hold information on all the customer routes. Another solution deploys a single routing protocol to exchange all the customer routes across the provider network. This is clearly better, but the P routers still take part in customer routing, so the scaling problem remains unsolved. To see the scaling problem of running one routing protocol per VPN more clearly, consider the following example. Suppose the service provider's backbone must serve more than 100 VPN customers connected to two PE routers using the OSPF routing protocol. The PE routers in the backbone would run more than 100 independent copies of the OSPF routing process, each of which must send hello packets and periodic refresh packets over the network. To run more than one copy of OSPF over the same link, a subinterface would have to be configured for each VPN on the PE-CE link, producing a complex model. In addition, 100 SPF computations would have to run, and separate databases and configurations be maintained, in the P routers of the core. The better solution is therefore to carry customer routing information with a single routing protocol running between the PE routers, with the P routers not taking part in this routing at all. This solution is efficient and scalable, because the number of routing protocols between the PE routers does not grow with the number of customers, and the P routers carry no information about customer routes.

When the number of customers is large, the routing protocol chosen is BGP, since it can support a very large number of routes. Besides BGP, the EIGRP and IS-IS protocols can also carry routing information for several address families, but IS-IS and EIGRP do not scale because they cannot carry as many routes as BGP. BGP was designed to exchange routing information between routers that are not directly connected, and this property lets routing information be kept at the edge devices without being exchanged with the core routers of the provider network. The BGP variant used in MPLS VPN is called Multiprotocol BGP (MP-BGP).

3.3.2 VPN-IP addresses

Deploying BGP to exchange all customer routes between the PE routers raises the question of how BGP can carry prefixes belonging to different customers between the PE routers. BGP uses the IP address to choose one path among all the possible paths to a destination. BGP therefore cannot work correctly if customers use the same address space. The only way to solve this problem is to extend the customer's IP prefix so that it becomes unique even when addresses overlap. In addition, it must be ensured that the policy used to select a route among those BGP holds applies only within a single VRF table. Extending the VPN customer's IP prefix leads to a new concept, the VPN-IP address. A VPN-IP address is formed by concatenating two fixed-length parts: the route distinguisher field and the base IP address (Figure 3.5).


Figure 3.5: The VPN-IPv4 address

The distinguishing element, for when customer networks use the same IP addresses, is the route distinguisher field. This field is structured so that each VPN service provider can create a route identifier without risk of colliding with the value used by another service provider. The route distinguisher field comes in the three formats shown in Figure 3.6.

Figure 3.6: Route distinguisher formats

The autonomous system number (ASN) field holds a number representing the VPN service provider's system. The assigned number field is managed by each VPN service provider itself. In most cases the service provider assigns one assigned-number value to a VPN, although several values can sometimes be assigned to one VPN. Two VPNs managed by the same service provider never share an assigned number, and the ASN is globally unique. Hence no two VPNs have the same route distinguisher. Since the IP address is unique within a VPN, the VPN-IP address is therefore unique globally.


For BGP, managing routes for VPN-IP addresses is no different from managing routes for base IP addresses. MP-BGP's multiprotocol support lets it manage routes for many different address families. An important point is that the structure of the VPN-IP address, and of the route distinguisher field within it, is completely opaque to BGP. BGP only compares the prefix portion of two VPN-IP addresses and is not concerned with their internal structure. Consequently, BGP needs no additional sub-protocols in this case; it uses only its existing features. The BGP features used for MPLS VPN include the community attribute, community-based route filtering and the use of backup routes. These features apply to routes for VPN-IP addresses exactly as they do to routes for ordinary IP addresses. VPN-IP addresses are entirely confined to the service provider; VPN customers (specifically the customer devices) have no notion of them. VPN-IP addresses are known and assigned only by the provider's PE edge routers. For each VPN connection, the PE router is configured with a value of the route distinguisher field. When a PE receives a route from a directly connected CE, it has to determine which VPN the CE belongs to before passing the route to the service provider's BGP. The PE router converts the base IP address of the route into a VPN-IP address using the route distinguisher set for that VPN. Similarly, when a PE receives a route from the service provider's BGP, it converts the route's VPN-IP address back into a base IP address. Next we compare the route distinguisher field with the BGP community attributes. They address two separate problems, and two separate mechanisms correspond to them. The first is how to cope with IP addresses not being globally unique. To overcome this, we introduce a new kind of address, the VPN-IP address, and use the route distinguisher field to make these addresses globally unique. The route distinguisher therefore cannot be used for route filtering. The second is how to make connectivity obey the constraints imposed on it. Constraining routing information is achieved by filtering on BGP community attributes. But BGP community attributes do not make IP addresses unique.


Note that while a route distinguisher is never shared between different VPNs, one VPN may use several route distinguishers. Likewise, while VPNs cannot share a BGP community, one VPN may use several BGP communities. Neither the route distinguisher nor the community attribute can therefore be used to identify a VPN. This is consistent with the definition of a VPN as a set of policies governing connectivity and quality of service between sites. As we know, BGPv4 today only works with IPv4 addresses. Customer route information is then carried across the MPLS VPN network as follows:
- The CE router sends an IPv4 routing update to the PE router.
- The PE router adds the 64-bit route distinguisher to the 32-bit IPv4 address it received, producing a unique 96-bit VPN-IPv4 address.
- This VPN-IPv4 address is carried over the MP-iBGP session to the other PE routers.
- The receiving PE router removes the route distinguisher from the VPN-IPv4 address, restoring the original IPv4 address sent by the remote CE.
- This IPv4 address is forwarded to the other CE router in an IPv4 routing update.
An important point to stress is that the VPN-IP address is used only within the routing protocols and is never carried in the IP packet header. The VPN-IP address therefore cannot be used directly to forward packets. Packet forwarding is performed by MPLS and is described in the next section.
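As an added worked example (not part of the thesis), the following Python builds VPN-IPv4 prefixes from the three route distinguisher formats of Figure 3.6 and shows why two customers advertising the same 10.1.1.0/24 do not collide in BGP; the RD values 65000:1, 65000:2, 192.0.2.1:7, 4200000000:5 and the prefixes are constructed sample values.

```python
import ipaddress
import struct

# Route distinguisher (RD) formats of Figure 3.6, as encoded on the wire (RFC 4364 section 4.2):
#   type 0: 2-byte type + 2-byte ASN + 4-byte assigned number
#   type 1: 2-byte type + 4-byte IPv4 address + 2-byte assigned number
#   type 2: 2-byte type + 4-byte ASN + 2-byte assigned number
# All RD and prefix values used below are constructed sample values.


def encode_rd(rd_text):
    """Encode an 'administrator:assigned-number' RD string into its 8-byte form."""
    admin, sep, assigned = rd_text.partition(":")
    if not sep:
        raise ValueError("RD must be written as administrator:assigned-number")
    assigned_num = int(assigned)
    if "." in admin:
        # Type 1: the administrator is an IPv4 address, the assigned number is 16 bits
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, assigned_num)
    asn = int(admin)
    if asn <= 0xFFFF:
        # Type 0: 2-byte ASN, 32-bit assigned number
        return struct.pack("!HHI", 0, asn, assigned_num)
    # Type 2: 4-byte ASN, 16-bit assigned number
    return struct.pack("!HIH", 2, asn, assigned_num)


def decode_rd(rd):
    """Turn the 8-byte RD back into its textual form."""
    if len(rd) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", rd[2:])
        return f"{asn}:{num}"
    if rd_type == 1:
        ip, num = struct.unpack("!4sH", rd[2:])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    if rd_type == 2:
        asn, num = struct.unpack("!IH", rd[2:])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")


def to_vpn_ipv4(rd_text, prefix_text):
    """Ingress PE step: prepend the 64-bit RD to the 32-bit IPv4 network -> 96-bit VPN-IPv4."""
    net = ipaddress.IPv4Network(prefix_text, strict=False)
    return encode_rd(rd_text) + net.network_address.packed


def from_vpn_ipv4(vpn_addr, prefix_len):
    """Egress PE step: strip the RD again, returning (rd_text, original IPv4 prefix)."""
    rd = decode_rd(vpn_addr[:8])
    ip = ipaddress.IPv4Address(vpn_addr[8:12])
    return rd, f"{ip}/{prefix_len}"


def bgp_would_collide(routes):
    """BGP compares VPN-IPv4 prefixes opaquely: two routes collide only if all 96 bits match.

    routes is a list of (rd_text, prefix_text); returns the list of colliding pairs.
    """
    seen = {}
    collisions = []
    for rd_text, prefix_text in routes:
        key = to_vpn_ipv4(rd_text, prefix_text)
        if key in seen:
            collisions.append((seen[key], (rd_text, prefix_text)))
        else:
            seen[key] = (rd_text, prefix_text)
    return collisions


if __name__ == "__main__":
    # Two customers of the same provider (ASN 65000) both use 10.1.1.0/24
    routes = [("65000:1", "10.1.1.0/24"), ("65000:2", "10.1.1.0/24")]
    for rd_text, prefix_text in routes:
        print(rd_text, prefix_text, "->", to_vpn_ipv4(rd_text, prefix_text).hex())
    print("collisions:", bgp_would_collide(routes))  # none: the RD keeps them apart
    # Reusing one RD for two customers is a configuration error: the routes now collide
    print("same RD reused:", bgp_would_collide(routes + [("65000:1", "10.1.1.0/24")]))
```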

3.3.3 Forwarding VPN packets

The elements needed for MPLS VPN to operate are a routing protocol and a method of carrying packets across the MPLS network that preserves the properties of the VPN. With customer routes carried across the MPLS VPN backbone, the traffic between the CE and PE routers is by default plain IP packets. The customer's CE router runs the standard IP routing protocols and takes no part in the MPLS VPN; the PE router only has to forward the IP packets received from the customer router to the other PE routers. Clearly this is hard to achieve as stated, because the P routers know nothing about the customer routes, so some quality-of-service requirements would be hard to meet. A more promising method is to use a label switched path (LSP) between the PE routers and forward IP packets according to the label value attached to them (Figure 3.7).

Figure 3.7: Using labels to forward VPN packets

In this method, the customer's IP packet is given a label registered for the egress PE router. The core routers do not need to know the customer's IP addresses, and only labelled packets are forwarded to the egress PE router. The core routers merely forward and deliver the customer packets to the egress PE router. However, at the egress PE router the customer's IP packet carries no information about the VPN or VRF that would let the router perform the VRF lookup, so the packet may be lost. A better method of forwarding packets is to use a label stack (Figure 3.8).


Figure 3.8: Using a label stack to forward VPN packets

The MPLS label stack tells the egress PE router what to do with the VPN packet. The stack consists of two labels, one on top of the other, called the inner label and the outer label. When a packet enters the network, the ingress PE router pushes both labels onto the IP packet. The top label in the stack belongs to the label switched path (the label distributed by LDP) and ensures that the packet is carried across the MPLS VPN backbone to the egress PE router. MPLS uses this outer label to forward the packet from the ingress PE router across the core. At each P router the outer label is used to forward the packet; it is the index into the router's forwarding table. The P routers forward the packet along the LSP by label swapping and never examine the inner label or the packet's destination IP address. When the packet reaches the egress PE, that router pops the outer label and then processes the inner label. The inner label is the one the PE router has registered for each VRF, and the PE uses it to decide which VRF the packet belongs to. In other words, the inner label determines which CE the packet is sent to. By default, the egress PE router looks up the packet's destination IP address in that VRF's forwarding table and then forwards the unlabelled IP packet to the appropriate customer site. The inner labels themselves are communicated between the PEs in MP-iBGP extended update messages. The second label in the stack can also be used to point directly at the outgoing interface towards the customer. In that case the egress PE router only examines the label on the VPN packet. This is typically used when the CE router is the next hop of the VPN route and the label can point to a single VRF. The egress PE router then checks the label first to find the destination VRF, and only afterwards looks up the IP address within that VRF. To understand the VPN packet forwarding mechanism better, consider the example in Figure 3.9. In this example PE1 is the ingress router and PE2 the egress router. The ingress PE router holds two labels relating to the remote VPN route. One label is for the BGP next hop; it is registered by the next P router through the label distribution protocol LDP and taken from the local LIB. The second label is registered by the remote PE router and carried in MP-iBGP updates. Both labels are combined in the label stack and entered into the VRF table.

Figure 3.9: VPN data forwarding across the MPLS network

Suppose a label switched path (LSP) has been established between PE1 and PE2, and Host 1 wants to send data to Host 2. Host 1 sends the packet to router CE1. CE1 encapsulates the packet and forwards it to PE1. PE1 receives the packet and, based on the interface it arrived on, decides to route it using the forwarding table of VRF A. PE1 looks up the destination address of Host 2 in VRF A's forwarding table and finds it there. PE1 pushes label 16 onto the packet. This is the inner label identifying VRF A on router PE2. Label 16 was previously passed from PE2 to PE1 through the MP-iBGP session. Next, PE1 pushes label 21 onto the packet and forwards the labelled packet to router P1. Label 21 is placed in the stack after label 16, so label 21 is the outer label and will change on every segment between two LSRs. P1 receives the packet from PE1, takes label 21 and looks it up in its forwarding table. It decides to swap label 21 for label 19 and forwards the packet to P2. P2 receives the packet, takes label 19 and looks it up in its forwarding table. The result tells it to swap label 19 for label 46 and forward the packet to PE2. PE2 receives the packet from P2 and examines label 46. PE2 recognises that it is the egress router of the LSP, so it removes label 46. It then examines the next label, 16, and determines that the packet belongs to VRF A. The packet's IP address is looked up in VRF A to determine the destination and the outgoing interface. PE2 forwards the packet to CE6. CE6 receives the IP packet from PE2 and examines the destination address of Host 2. From here on, routing proceeds with ordinary IGP routing protocols. The system in this model has two virtual private networks, VPN A and VPN B. VPN A consists of CE1, CE5 and CE6; VPN B consists of CE2, CE3 and CE4. CE1 has traffic destined for CE5 and CE6. Because these sites share one VPN, PE1 uses the common forwarding table VRF A. The inner label identifies the destination VRF and is the same in all packets belonging to that VPN, even if those packets are forwarded to different sites. CE2 and CE3 have traffic destined for CE4. Because these routers belong to VPN B, PE1 uses a different forwarding table for this VPN, VRF B. Both VPNs, however, use the same label switched path LSP, since both have the same ingress router PE1 and egress router PE2.
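The label-stack walk of Figure 3.9, as an added Python simulation that is not part of the thesis: labels 16, 21, 19 and 46 are the ones in the text, while the prefixes, interface names and label 17 for VRF B are constructed assumptions. It also shows the isolation case the text implies: a packet from a VPN B site addressed to a VPN A host is dropped at the ingress VRF lookup, because VRF B has no such route.

```python
import ipaddress
from dataclasses import dataclass, field

# Forwarding state for the topology of Figure 3.9 (PE1 - P1 - P2 - PE2).
# Labels 16, 21, 19 and 46 come from the text; the prefixes, interface names
# and label 17 for VRF B are constructed sample values.

# PE1: which VRF each customer-facing interface is bound to
PE1_IFACE_VRF = {"to-CE1": "A", "to-CE2": "B", "to-CE3": "B"}

# PE1: per-VRF forwarding tables, prefix -> (inner label learned via MP-iBGP, BGP next hop)
PE1_VRF = {
    "A": {"10.2.0.0/16": (16, "PE2")},     # Host 2 sits behind CE6 (VPN A)
    "B": {"172.16.4.0/24": (17, "PE2")},   # CE4's site (VPN B)
}

# PE1: LDP label (from the local LIB) for each BGP next hop, and the first hop of the LSP
PE1_LDP = {"PE2": (21, "P1")}

# P routers: LFIB, incoming outer label -> (outgoing outer label, next router)
LFIB = {
    "P1": {21: (19, "P2")},
    "P2": {19: (46, "PE2")},
}

# PE2: inner label -> VRF, and per-VRF forwarding table, prefix -> attached CE
PE2_LABEL_VRF = {16: "A", 17: "B"}
PE2_VRF = {
    "A": {"10.2.0.0/16": "CE6"},
    "B": {"172.16.4.0/24": "CE4"},
}


@dataclass
class Packet:
    dst: str                                     # customer IPv4 destination
    labels: list = field(default_factory=list)   # label stack, index 0 is the outer (top) label
    trace: list = field(default_factory=list)    # what each router did with the packet


def lpm(fib, dst):
    """Longest-prefix match of dst in a VRF table; None when the VRF has no route."""
    addr = ipaddress.IPv4Address(dst)
    best_net, best_entry = None, None
    for prefix, entry in fib.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_entry = net, entry
    return best_entry


def forward(dst, in_iface):
    """Carry one packet from a CE behind PE1 to its VPN destination.

    Returns (exit CE or None if dropped, outer labels seen hop by hop, inner label, trace).
    """
    pkt = Packet(dst)
    outer_seen = []

    # Ingress PE1: the arrival interface, not the destination address, selects the VRF
    vrf = PE1_IFACE_VRF[in_iface]
    route = lpm(PE1_VRF[vrf], dst)
    if route is None:
        pkt.trace.append(f"PE1: {dst} not in VRF {vrf}, dropped (no leak into other VRFs)")
        return None, outer_seen, None, pkt.trace
    inner, next_hop = route
    outer, hop = PE1_LDP[next_hop]
    pkt.labels = [outer, inner]                  # inner label pushed first, outer on top
    outer_seen.append(outer)
    pkt.trace.append(f"PE1: VRF {vrf}, push inner {inner} and outer {outer}, to {hop}")

    # P routers: swap only the outer label, never look at the inner label or the IP header
    while hop in LFIB:
        new_outer, nxt = LFIB[hop][pkt.labels[0]]
        pkt.trace.append(f"{hop}: swap {pkt.labels[0]} -> {new_outer}, to {nxt}")
        pkt.labels[0] = new_outer
        outer_seen.append(new_outer)
        hop = nxt

    # Egress PE2: pop the LSP label, let the inner label pick the VRF, then do the IP lookup
    popped = pkt.labels.pop(0)
    inner = pkt.labels.pop(0)
    vrf = PE2_LABEL_VRF.get(inner)
    if vrf is None:
        pkt.trace.append(f"PE2: pop {popped}, unknown inner label {inner}, dropped")
        return None, outer_seen, inner, pkt.trace
    exit_ce = lpm(PE2_VRF[vrf], dst)
    pkt.trace.append(f"PE2: pop {popped}, inner {inner} -> VRF {vrf}, IP lookup -> {exit_ce}")
    return exit_ce, outer_seen, inner, pkt.trace


if __name__ == "__main__":
    for dst, iface in [("10.2.5.7", "to-CE1"), ("172.16.4.9", "to-CE3"), ("10.2.5.7", "to-CE2")]:
        exit_ce, outers, inner, trace = forward(dst, iface)
        print(f"{dst} via {iface}: exit={exit_ce} outer labels={outers} inner={inner}")
        for line in trace:
            print("   ", line)
```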

3.4 Security in MPLS VPN

Security is one of the most important factors for every VPN solution. In terms of security, the BGP/MPLS VPN solution can reach a level equivalent to VPN solutions built on ATM or Frame Relay. VPN security must ensure isolation of both the routing information and the address space of each VPN, meaning that the address assignment of each VPN is completely independent. Routing information from one VPN must not leak into another and vice versa. The second requirement is that the structure of the core network remains completely transparent to the customer using the service. Third, security must prevent label spoofing, just as it prevents IP address spoofing, and must resist denial of service attacks as well as intrusion attempts against the service. To see how security is achieved in MPLS VPN, first note that MPLS VPN allows the same address space to be used across VPNs while still guaranteeing the uniqueness of customer site addresses thanks to the 64-bit value of the route distinguisher field. Customers of the MPLS VPN service therefore do not need to change their existing addresses. Routing within the VPN service provider's network is done by label switching, not by traditional IP addresses. Moreover, each LSP corresponding to a VPN-IP route starts and ends at the PE routers and not at any intermediate point in the provider's network. The inner core network is therefore completely transparent to the customer. Each PE router keeps a separate VRF table for each VPN, and that VRF only distributes the routes belonging to that VPN. This ensures the isolation of routing information between VPNs. With the MPLS VPN solution it is very hard to attack a VPN directly. One could only attack the MPLS core and from there attack the VPN. The core could be attacked in two ways: directly against the PE routers, or against the MPLS signalling mechanism. However, attacking the network first requires knowing its IP addresses. The MPLS core is completely transparent to the outside, so an attacker cannot learn the IP address of any router in the core. Addresses might be guessed and packets sent to them, but in the MPLS network every incoming packet is treated as belonging to some customer address space, so the internal routers are hard to reach even if an address is guessed. The exchange of routing information between the PE and CE routers could be a weak point of the MPLS VPN network, but on the PE router ACLs and the authentication mechanisms of the routing protocol used on that link ensure security. Label spoofing is also unlikely, because the PE router only accepts unlabelled packets from the CE router. If a packet is labelled, the label must be one controlled and managed by the PE. From the points above, it can be seen that security in MPLS VPN is guaranteed at a very high level and is fully comparable with the security of solutions based on ATM or Frame Relay.

3.5 Quality of service in MPLS VPN

Quality of service is always a primary concern for network operators and administrators. The QoS mechanisms used must be flexible enough to meet the differing requirements of customers, and scalable enough to support a large number of VPN customers. For example, the service provider must be able to offer VPN customers several classes of service (CoS) per VPN, where different applications within the same VPN may receive different CoS. In this way an email service may get one CoS while real-time applications such as voice get another. Moreover, the CoS an application receives in one VPN may differ from the CoS the same application receives in another VPN. That is, the QoS mechanisms let it be decided, per VPN, which kind of data receives which CoS. Furthermore, not every VPN has to use all the CoS a provider offers, so a set of QoS mechanisms determines which CoS form the basis for a given VPN. The two quality-of-service models used for virtual private networks over MPLS are the pipe model and the hose model.

3.5.1 The pipe model

In the pipe model, the service provider gives the VPN customer a defined level of QoS between the CEs of the same VPN. The model can be pictured as a pipe connecting two routers, with the traffic between those two routers inside the pipe guaranteed a specified level of QoS. One example of a QoS guarantee the pipe model can provide is a guaranteed minimum bandwidth between two sites. The provider edge routers PE at the two ends of the pipe filter and discard excess traffic in order to guarantee the bandwidth for the flow inside the pipe. The pipe model can be refined by allowing only certain kinds of traffic (corresponding to certain applications) from one CE to other CEs to use the pipe. The rule determining which traffic may use the pipe is set at the PE router at the head of the pipe. Note that the pipe model is quite similar to the QoS model VPN customers get with Frame Relay or ATM-based solutions. The basic difference is that with ATM or Frame Relay the connections are bidirectional, whereas the pipe model provides guaranteed connections in one direction. This unidirectional property of the pipe model allows connections to be set up for applications with asymmetric traffic flows, where the traffic from one site to another may differ from the traffic in the reverse direction. Figure 3.10 illustrates an example of the pipe QoS model. As shown in the figure, the service provider gives VPN A one pipe guaranteeing 7 Mb/s of bandwidth for traffic from Site 3 to Site 1 (more precisely, from CE A3 to CE A1) and another pipe guaranteeing 10 Mb/s for traffic from Site 3 to Site 2 (from CE A3 to CE A2). Thus a CE router can have more than one pipe originating from it (for example the two pipes from Site 3). Similarly, more than one pipe can terminate at a site.


Figure 3.10: The pipe QoS model in MPLS VPN

One advantage of the pipe model is that it resembles the QoS model VPN customers already use with FR or ATM, so customers can adopt it easily. The pipe model nevertheless has some drawbacks. For example, it requires the VPN customer to know the entire traffic matrix between sites, meaning the customer must know the total traffic from each site to all the other sites. Usually this information is not available, and even when it is, it may be out of date. The pipe model closely resembles the integrated services model with its guaranteed quality of service. MPLS VPN can guarantee bandwidth for the LSPs, which makes the pipe model simple to apply: the LSPs originating and terminating at the PEs guarantee the bandwidth across the core, while the service agreement between PE and CE guarantees end-to-end QoS. To get the best out of the pipe model, the VPN customer needs to know their traffic requirements well when planning the network.

3.5.2 The hose model

In the hose model, the VPN service provider gives the customer QoS guarantees for the traffic that a customer CE router sends to, and receives from, the other CE routers in the same VPN. In the other case the customer would have to specify how traffic is distributed among the CE routers in the network. Thus, for the customer, the hose model provides quality of service per VPN without requiring traffic analysis or traffic planning down to each CE, which relieves the burden on VPN service customers. The hose model uses two rate parameters: the ingress committed rate (ICR) and the egress committed rate (ECR). The ICR is the rate for the traffic that the ingress CE can send to the other CEs, while the ECR is the rate for the traffic a CE can receive from the other CEs. In other words, the ICR represents the aggregate traffic from a given CE, while the ECR represents the aggregate traffic to a given CE. Note that for a given CE the ICR need not equal the ECR. Figure 3.11 illustrates an example of the hose QoS model. Here the service provider gives VPN B a bandwidth guarantee of 15 Mb/s for traffic from Site 2 to the other sites (ICR = 15 Mb/s) regardless of whether this traffic goes to Site 1 or Site 3. Similarly, the service provider gives VPN A a bandwidth guarantee of 7 Mb/s for traffic sent from Site 3 to the other sites in the same VPN (ICR = 7 Mb/s) regardless of whether the traffic goes to Site 1 or Site 2. Likewise, the service provider gives VPN B a bandwidth guarantee of 15 Mb/s for traffic sent to Site 2 (ECR = 15 Mb/s) regardless of whether the traffic originates from Site 1 or Site 3.

Figure 3.11: The hose QoS model in MPLS VPN

The hose model supports several CoS levels for services with different parameters. For example, one service may require a lower packet-loss parameter than another. To support service classes, the hose model must allow the service provider to use the differentiated services mechanism together with MPLS. The hose model is therefore an approach derived from the differentiated services model, DiffServ. For services requiring firm guarantees (such as bandwidth), the pipe model is more suitable. The service provider can offer VPN customers the pipe model, the hose model, or a combination of both to meet specific QoS requirements. The provider's PE edge routers identify the service class of the received traffic. Depending on the incoming interface, source address, destination address, port number and QoS parameters, packets are marked in accordance with the required quality of service.

3.6 Comparing the characteristics of IPSec-based and MPLS-based VPNs

Many companies choose the layer-3 VPN architecture for its wide-area connectivity, scalability, connection options and the ability to develop many kinds of service. However, no single solution is comprehensive in providing multiple services, and the choice between an IPSec-based and an MPLS-based VPN architecture depends heavily on each company's specific requirements. This section offers a comparison and analysis of the basic characteristics of the two architectures.

3.6.1 Evaluation criteria

First, we consider the conditions and criteria for evaluating an enterprise VPN architecture. The evaluation criteria focus on availability, security, quality of service, flexibility and manageability.

Availability
A virtual private network must provide highly available services for enterprise users and their partners. Customers may require both high network reliability and substantial redundancy. Some service providers offer service level agreements (SLA) that define the parameters the network can deliver to the customer. An SLA may offer optional service levels for different traffic types to optimise the network's traffic and cost.

Security
In practice many companies share a service provider over a single core network, so security is always placed first. To support this, service providers can offer information-security techniques such as tunnelling, encapsulation, encryption, constrained route distribution, separate routing tables, traffic separation, packet authentication, user authentication and access control.

Quality of service
QoS parameters such as bandwidth, delay, jitter and packet loss rate are the basic factors for evaluating the quality of the service a provider offers its customers. Several QoS models can be applied to VPNs to classify traffic and set priorities for the customer's different traffic flows.

Flexibility


Bandwidth and connections in the network change constantly over time, and the changing bandwidth requirements of VPN customers are no exception. Service providers therefore care about the ability to scale and change VPN customers' bandwidth requirements in order to optimise the system and meet QoS requirements flexibly.

Manageability
VPN management stretches from the central site to branches dispersed across many locations, so management features and management cost both tend to grow. Management services include:
- providing the management environment;
- distributing and installing VPN management software;
- installing security and QoS policies;
- supporting service level agreements;
- supporting other networks across the VPN;
- performing network performance management, fault localisation and repair, billing, reporting, and adding, removing or changing service functions.

3.6.2 Key characteristics of IPSec VPN and MPLS VPN

IPSec VPN
IPSec VPN secures data across the public network; the IPSec protocol supports the following combination of security functions:
- authentication and encryption of packets before transmission;
- packet authentication to guarantee data integrity;
- authentication of the origin of the packets' data;
- detection and discarding of expired and replayed packets, and rejection of replayed packets.
The IPSec protocol protects IP packets according to a network design that specifies which particular traffic needs protection. IPSec defines how traffic is protected and controls the device receiving the traffic. IPSec-based VPNs replace or supplement private networks built on traditional WAN infrastructure such as leased lines, Frame Relay or ATM. The outstanding advantage of IPSec is that it meets the network's requirements at low cost. When an enterprise uses IPSec VPN, the service provider usually configures IPSec in a hub-and-spoke configuration, in which all the spoke groups maintain point-to-point connections with the hub. IPSec suits point-to-point and remote-access VPN configurations. Some characteristics that lead enterprises to choose the IPSec VPN solution are:
- IPSec provides a very good security system, supporting enterprises that need security through data encryption and device authentication.
- Deployment cost is low, because IPSec VPN can run over any existing IP network.
- Services can be deployed quickly, including adding or removing sites.
- Traffic flows branch out in the hub-and-spoke pattern.
Typically the VPN user runs VPN software to select the appropriate mode for the information to be sent across the network. Once authentication succeeds and the IPSec tunnel is established, the user can access applications remotely in a simple way without having to modify a series of parameters at the sites. With point-to-point connections over IPSec VPN, users do not need client software on their computers. A user at a branch initiates the application if it exists at the site, or in a session with the centre. After the session negotiates and authenticates successfully, a secure tunnel between the branch and the centre is established independently of the user's activity.

MPLS VPN
MPLS provides an intelligent routing environment and high switching performance, as presented above. The most outstanding advantage of MPLS VPN is the ability to scale to many VPNs on the same core network. Added to this are QoS guarantees, fast fault repair, path protection, and a platform for developing value-added services. Some reasons enterprises choose MPLS VPN are:
- companies need service level agreements (SLA);
- security is supported by traffic separation similar to Frame Relay and ATM;
- traffic patterns fit both partial-mesh and full-mesh configurations;
- enterprises want to converge multiple multimedia services on one network;
- enterprises want to develop multicast connectivity.


The network security aspect of MPLS relies on separating the traffic flows of the VPNs on the same core network by means of the route distinguisher field. The separated routes guarantee the privacy of the MPLS VPN in the same way as in a Frame Relay or ATM wide-area network. Providers can easily design and optimise the network, since customers need not know the core architecture and the core routers need not know about the customer's edge networks. MPLS VPN is highly flexible and adaptable; it does not require the full-mesh or peer configuration at the endpoints that other models demand. MPLS VPN also supports service level agreements (SLA) well. This is what VPN customers care about most, as it lets performance and network resilience requirements be met. In addition, MPLS VPN supports traffic engineering to meet QoS requirements, and supports management and traffic distribution policies that optimise the network. Table 3.1 below summarises the characteristics of the two virtual private network solutions, IPSec-based and MPLS-based.
Table 3.1: Comparison of IPSec VPN and MPLS VPN

Configuration
  MPLS VPN: point-to-point, hub-and-spoke, full mesh.
  IPSec VPN: point-to-point, hub-and-spoke, full mesh.

Privacy
  MPLS VPN: separates traffic into distinct flows at the network address layer.
  IPSec VPN: uses encryption and suitable tunnelling techniques.

Security / authentication
  MPLS VPN: VPN membership is established during service provisioning; access to the service group is defined at configuration time; unauthorised access is refused.
  IPSec VPN: session authentication through digital certificates or defined keys; packets that do not match the security policy are dropped.

QoS and SLA
  MPLS VPN: allows SLAs with several levels; has mechanisms for guaranteeing QoS and for traffic engineering.
  IPSec VPN: does not directly specify QoS or SLA.

Scalability
  MPLS VPN: highly scalable; requires neither full-mesh nor peer configuration.
  IPSec VPN: accepts expansion in the hub-and-spoke style; scaling entails a series of challenges in planning, key distribution, key management and configuration of the peer devices.

Point-to-point support
  MPLS VPN: yes.
  IPSec VPN: yes.

Remote access support
  MPLS VPN: yes, if combined with IPSec.
  IPSec VPN: yes.

Service provisioning
  MPLS VPN: requires one-time provisioning of the customer devices and the provider edge devices.
  IPSec VPN: reduces operating cost across the network; centralised provisioning method.

Service deployment
  MPLS VPN: requires MPLS network elements and enabling the service on the core and edge devices of the provider network.
  IPSec VPN: can be deployed on any existing IP infrastructure.

Client software
  MPLS VPN: not required; the VPN user needs no software to interact with the network.
  IPSec VPN: required in order to initiate the software functions.

3.8 Chapter summary
In recent years, Multiprotocol Label Switching (MPLS) has been chosen by many countries for building and developing their telecommunication networks. One of the typical applications of MPLS is the MPLS VPN service, which has contributed greatly to the rapid growth of MPLS and opened up many new applications. This chapter presented the basic components of MPLS VPN, the layer-two and layer-three MPLS VPN deployment models, and the key techniques in MPLS VPN such as routing information distribution, VPN IP addressing and VPN packet forwarding. It also discussed several issues related to security and quality of service in MPLS VPN, and closed with an analysis and comparison of the main features of the two VPN solutions based on IPSec and MPLS. It can be said that deploying VPN technology over MPLS promises many new advantages and will certainly be the ideal solution for virtual private networks in the future.


MPLS VPN NETWORK SIMULATION PROBLEM


1. PROBLEM STATEMENT
To understand clearly the issues in an MPLS VPN network, as well as the configuration process used in practice, I build a network model to test the operation, the connectivity and the routing-table configuration of a virtual private network over MPLS.

2. PROBLEM SETUP
Network simulation model:

[Figure: simulation topology, MPLS VPN with virtual routing and forwarding (VRF)]

As the diagram shows, 7 routers are needed: 3 core routers, PE-1, P and PE-2, and 4 customer routers, CE-A1, CE-A2, CE-B1 and CE-B2. CE-A1 and CE-A2 belong to VPN A; CE-B1 and CE-B2 belong to VPN B. The task is to configure two virtual private networks, VPN A and VPN B. To achieve this we need to:
+ Configure the MPLS domain among the 3 core routers PE-1, P and PE-2, using RIPv2.
+ Configure BGP AS 1 between PE-1 and PE-2.
+ Create VRFs on the PE routers corresponding to customers A1, A2 and B1, B2.
+ Use EIGRP dynamic routing between the customers and the PE routers.
Configuring the routers to achieve this follows a common set of steps. The steps are:
Step 1: Basic configuration of the devices:
Router(config)#hostname name                 // set the router name
Router(config)#no ip domain lookup           // do not resolve domain names automatically
Router(config)#line console 0
Router(config-line)#exec-timeout 0 0
Router(config)#line vty 0 4
Router(config-line)#privilege level 15
Router(config-line)#no login                 // lab convenience only: the vty lines are left without authentication
Step 2: Configure IP addresses on the routers
Router(config-if)#ip address IP_address mask
Router(config-if)#no shutdown
Router(config-if)#clock rate x               // used on serial interfaces
Router(config)#interface loopback 0
Step 3: Basic routing for the 3 core routers
Router(config)#router rip
Router(config-router)#version 2
Router(config-router)#network network        // RIP takes a classful network address, no wildcard mask
Router(config-router)#no auto-summary
Step 4: MPLS on the core routers
Router(config)#ip cef
Router(config-if)#mpls ip
Router(config-if)#mpls label protocol ldp
Router(config-if)#mpls mtu size
Verify the configuration above:
Router#show ip cef detail
Router#show mpls forwarding-table
Router#show mpls ip binding
Router#show mpls ldp neighbor
Router#ping                                  // extended ping
Router#traceroute
Step 5: Configure the VRF routing tables for the customers:
Router(config)#ip vrf customer_name
Router(config-vrf)#rd ASN:nn
Router(config-vrf)#route-target import ASN:nn
Router(config-vrf)#route-target export ASN:nn

Nguyn Mnh Hng, Lp D04VT1

85

n tt nghip i Hc

Bi ton m phng mng MPLS VPN

Step 6: Bind the customer-facing interface to its VRF (VRF forwarding)
Router(config-if)#ip vrf forwarding customer_name
Step 7: Configure VRF routing with EIGRP
Router(config)#router eigrp 100
Router(config-router)#address-family ipv4 vrf customer_name
Router(config-router-af)#network network wildcardmask
Router(config-router-af)#autonomous-system AS
Router(config-router-af)#no auto-summary
Router(config-router-af)#exit-address-family
Step 8: Configure EIGRP on the customer routers
Router(config)#router eigrp as
Router(config-router)#network network wildcardmask
Router(config-router)#no auto-summary
Step 9: Configure BGP between the 2 PE routers
Router(config)#router bgp as
Router(config-router)#no synchronization
Router(config-router)#bgp log-neighbor-changes
Router(config-router)#neighbor ip_address remote-as 1
Router(config-router)#neighbor ip_address update-source loopback 0
Router(config-router)#no auto-summary
Step 10: Configure the VPNv4 address family
Router(config-router)#address-family vpnv4
Router(config-router-af)#neighbor ip_address activate
Router(config-router-af)#neighbor ip_address send-community extended
Router(config-router-af)#exit-address-family
Step 11: Configure the VRF address family in BGP
Router(config-router)#address-family ipv4 vrf customer_name
Router(config-router-af)#no auto-summary
Router(config-router-af)#no synchronization
Router(config-router-af)#exit-address-family
Step 12: Redistribute EIGRP into BGP
Router(config-router)#address-family ipv4 vrf customer_name
Router(config-router-af)#redistribute eigrp AS
Step 13: Redistribute BGP into EIGRP
Router(config)#router eigrp AS
Router(config-router)#address-family ipv4 vrf customer_name
Router(config-router-af)#redistribute bgp 1 metric 1000 100 100 100 100


Step 14: Verify the configuration with the following commands:
Router#show ip route
Router#show ip route vrf customer_name
Router#show mpls forwarding-table            // check the LFIB
Router#show ip bgp summary
Router#ping                                  // extended ping
Router#traceroute
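The route-target values entered in steps 5, 11 and 12 are what actually keep VPN A and VPN B apart, so they are worth checking before trusting the pings. The script below is an added example, not part of the thesis: it parses the ip vrf stanzas of the PE running-configs and flags any import that would pull one VPN's routes into the other; the membership map and the "leaky" PE-2 variant are assumptions constructed for the demonstration.

```python
"""Check MPLS VPN route-target (RT) configuration for cross-VPN leaks (added
example, not part of the thesis). Parses the ``ip vrf`` stanzas of Cisco IOS
running-configs in the format shown on this page and reports any RT import
that would pull VPN A routes into VPN B or vice versa, plus any VPN member
pair that shares no RT at all. The excerpts are constructed from the PE-1 and
PE-2 stanzas above; the "leaky" PE-2 variant and MEMBERSHIP are assumptions.
"""
import re
from collections import defaultdict

VRF_RE = re.compile(r"^ip vrf (\S+)\s*$")
RD_RE = re.compile(r"^\s+rd (\S+)\s*$")
RT_RE = re.compile(r"^\s+route-target (import|export|both) (\S+)\s*$")


def parse_vrfs(config_text):
    """Return {vrf_name: {"rd": str | None, "import": set, "export": set}}."""
    vrfs, current = {}, None
    for line in config_text.splitlines():
        m = VRF_RE.match(line)
        if m:
            current = m.group(1)
            vrfs[current] = {"rd": None, "import": set(), "export": set()}
            continue
        if current is None:
            continue
        if not line.startswith(" "):  # "!" or a top-level command ends the stanza
            current = None
            continue
        m = RD_RE.match(line)
        if m:
            vrfs[current]["rd"] = m.group(1)
            continue
        m = RT_RE.match(line)
        if m:
            direction, rt = m.groups()
            if direction in ("import", "both"):
                vrfs[current]["import"].add(rt)
            if direction in ("export", "both"):
                vrfs[current]["export"].add(rt)
    return vrfs


def check_isolation(pe_configs, membership):
    """pe_configs: {pe: config_text}; membership: {vpn: {vrf names}}.

    Returns a list of findings. An empty list means every VRF imports only
    RTs exported by its own VPN, and every pair of VRFs inside a VPN shares
    an RT and can therefore exchange routes.
    """
    vrf_vpn = {vrf: vpn for vpn, vrfs in membership.items() for vrf in vrfs}
    exported_by = defaultdict(set)  # rt -> {(pe, vrf)}
    table = {}                      # (pe, vrf) -> parsed stanza
    for pe, text in pe_configs.items():
        for name, entry in parse_vrfs(text).items():
            table[(pe, name)] = entry
            for rt in entry["export"]:
                exported_by[rt].add((pe, name))
    findings = []
    for (pe, name), entry in table.items():
        vpn = vrf_vpn.get(name)
        if vpn is None:
            findings.append(f"{pe}: VRF {name} is not assigned to any VPN")
            continue
        for rt in sorted(entry["import"]):
            for ope, oname in sorted(exported_by[rt]):
                if vrf_vpn.get(oname) != vpn:
                    findings.append(f"{pe}: VRF {name} ({vpn}) imports RT {rt} "
                                    f"exported by {ope}:{oname} ({vrf_vpn.get(oname)})")
    for vpn, members in membership.items():
        entries = [(k, v) for k, v in table.items() if k[1] in members]
        for k1, e1 in entries:
            for k2, e2 in entries:
                if k1 != k2 and not (e1["import"] & e2["export"]):
                    findings.append(f"{k1[0]}:{k1[1]} cannot learn routes from "
                                    f"{k2[0]}:{k2[1]} ({vpn}): no shared RT")
    return findings


# Constructed from the "ip vrf" stanzas of PE-1 and PE-2 on this page.
PE1_CONFIG = """\
ip vrf A1
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip vrf B1
 rd 1:200
 route-target export 1:200
 route-target import 1:200
!
interface Serial0/0
 ip vrf forwarding A1
"""
PE2_CONFIG = PE1_CONFIG.replace("A1", "A2").replace("B1", "B2")
# Constructed misconfiguration: B2 additionally imports VPN A's route target.
PE2_LEAKY = PE2_CONFIG.replace(" route-target import 1:200\n",
                               " route-target import 1:200\n route-target import 1:100\n")
MEMBERSHIP = {"VPN A": {"A1", "A2"}, "VPN B": {"B1", "B2"}}
```

With the configs as shown on this page the check returns no findings; with the leaky variant it reports two, one per VPN A VRF whose export B2 would import.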

- SPECIFIC CONFIGURATION ON EACH ROUTER

Router CE-A1:

Current configuration : 916 bytes
!
version 12.3
service timestamps debug datetime
service timestamps log datetime msec
no service password-encryption
!
hostname A1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ip domain lookup
ip audit po max-events 100
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.0.1.2 255.255.255.0
 clock rate 64000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 10
 network 1.1.1.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 no auto-summary
!
ip classless
!
ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 privilege level 15
 no login
!
end

Router CE-B1:

Current configuration : 916 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname B1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
ip audit po max-events 100
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.0.3.2 255.255.255.0
 clock rate 64000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 30
 network 3.3.3.0 0.0.0.255
 network 10.0.3.0 0.0.0.255
 no auto-summary
!
ip classless
!
ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 privilege level 15
 no login
!
end

Router PE-1:

Current configuration : 2132 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE-1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$JG0r$cUJA5UZoSPdooIJqe3oEX1
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip vrf A1
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip vrf B1
 rd 1:200
 route-target export 1:200
 route-target import 1:200
!
ip audit po max-events 100
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
 tag-switching mtu 1512
 tag-switching ip
!
interface Serial0/0
 ip vrf forwarding A1
 ip address 10.0.1.1 255.255.255.0
 clock rate 64000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip vrf forwarding B1
 ip address 10.0.3.1 255.255.255.0
 clock rate 64000
!
router eigrp 100
 auto-summary
 !
 address-family ipv4 vrf B1
  redistribute bgp 1 metric 1000 100 100 100 100
  network 10.0.3.0 0.0.0.255
  no auto-summary
  autonomous-system 30
 exit-address-family
 !
 address-family ipv4 vrf A1
  redistribute bgp 1 metric 1000 100 100 100 100
  network 10.0.1.0 0.0.0.255
  no auto-summary
  autonomous-system 10
 exit-address-family
!
router rip
 version 2
 network 5.0.0.0
 network 192.168.1.0
 no auto-summary
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 6.6.6.6 remote-as 1
 neighbor 6.6.6.6 update-source Loopback0
 !
 address-family ipv4
  neighbor 6.6.6.6 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf B1
  redistribute eigrp 30
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf A1
  redistribute eigrp 10
  no auto-summary
  no synchronization
 exit-address-family
!
ip classless
!
ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
!
end

Router P:

Current configuration : 906 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname P
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$FFLE$B9/ljnPAqne9Huc1MDgAQ1
!
no aaa new-model
ip subnet-zero
ip cef
!
ip audit po max-events 100
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 description link to PE-1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 tag-switching ip
!
interface FastEthernet0/1
 description link to PE-2
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
 tag-switching ip
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.2.0
 no auto-summary
!
ip classless
!
ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
 login
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
!
end

Router PE-2:

Current configuration : 2105 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE-2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip vrf A2
 rd 1:100
 route-target export 1:100
 route-target import 1:100
!
ip vrf B2
 rd 1:200
 route-target export 1:200
 route-target import 1:200
!
ip audit po max-events 100
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.0
!
interface FastEthernet0/0
 description link to P router
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 tag-switching ip
!
interface Serial0/0
 description link to Customer A2
 ip vrf forwarding A2
 ip address 10.0.2.1 255.255.255.0
 clock rate 64000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 description link to Customer B2
 ip vrf forwarding B2
 ip address 10.0.4.1 255.255.255.0
 clock rate 64000
!
router eigrp 100
 auto-summary
 !
 address-family ipv4 vrf B2
  redistribute bgp 1 metric 1000 100 100 100 100
  network 10.0.4.0 0.0.0.255
  no auto-summary
  autonomous-system 40
 exit-address-family
 !
 address-family ipv4 vrf A2
  redistribute bgp 1 metric 1000 100 100 100 100
  network 10.0.2.0 0.0.0.255
  no auto-summary
  autonomous-system 20
 exit-address-family
!
router rip
 version 2
 network 6.0.0.0
 network 192.168.2.0
 no auto-summary
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 5.5.5.5 remote-as 1
 neighbor 5.5.5.5 update-source Loopback0
 !
 address-family ipv4
  neighbor 5.5.5.5 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf B2
  redistribute eigrp 40
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf A2
  redistribute eigrp 20
  no auto-summary
  no synchronization
 exit-address-family
!
ip classless
!
ip http server
no ip http secure-server
!
line con 0
line aux 0
line vty 0 4
 login
!
end

Router CE-A2:

Current configuration : 916 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname A2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
ip audit po max-events 100
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.0.2.2 255.255.255.0
 clock rate 64000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 20
 network 2.2.2.0 0.0.0.255
 network 10.0.2.0 0.0.0.255
 no auto-summary
!
ip classless
!
ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 privilege level 15
 no login
!
end

Router CE-B2:

Current configuration : 884 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname B2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
ip audit po max-events 100
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 clock rate 64000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 10.0.4.2 255.255.255.0
 clock rate 64000
!
router eigrp 40
 network 4.4.4.0 0.0.0.255
 network 10.0.4.0 0.0.0.255
 no auto-summary
!
ip classless
!
ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 privilege level 15
 no login
!
end

3. SIMULATION TOOLS
Many software packages can be used to simulate an MPLS VPN network diagram. Below we look at some of them, such as GNS3 and NS2.

3.1 GNS3
GNS3 is a graphical network simulator that lets you easily design network models and then run a simulation on them. At present GNS3 supports router IOS images, ATM/Frame Relay/Ethernet switches and hubs. You can even extend your own network by connecting it to this virtual network. To do this, GNS3 builds on Dynamips and partly on Dynagen; it is developed in Python with PyQt, and its graphical interface uses the Qt library, well known for its usefulness in the KDE project. GNS3 also uses SVG (Scalable Vector Graphics) to provide high-quality icons for designing your network model.

About Dynamips
Dynamips is a Cisco router emulator written by Christophe Fillot. It emulates the 1700, 2600, 3600 and 7200 series using standard IOS images. An emulator of this kind can be used:
- As a training tool, with the same software that is used in the real world. It lets people become more familiar with Cisco devices, Cisco being the world's leading networking company.
- To experiment with and get to know the features of Cisco IOS.
- To quickly test configurations before deploying them later on real routers.
Of course, this emulator cannot replace a real router; it is simply a complementary tool for the practical labs of Cisco network administrators or of anyone who wants to pass the CCNA/CCNP/CCIE exams.

About Dynagen
Dynagen is a text-based front end for Dynamips that provides its own OOP API, which GNS3 uses to interact with Dynamips. GNS3 also uses Dynagen's INI-like configuration file and integrates Dynagen's CLI manager, which lets the user list the devices, suspend and reload instances (of the devices, translator's note), determine and manage idle-pc values, capture packets, ...

3.2 NS2
NS is a discrete-event network simulation toolkit built and developed by the University of California, Berkeley. It can simulate many kinds of IP network, network protocols such as TCP and UDP, traffic sources such as FTP, Telnet, Web, CBR and VBR, router queues such as DropTail, RED and CBQ, and routing algorithms. NS also supports multicast and a number of MAC-layer protocols for LAN simulation. NS is written in the C++ systems programming language and the OTcl simulation language. OTcl is the Tcl scripting language extended with an object-oriented model.

[Figure: NS architecture. OTcl: Tcl interpreter with object-oriented extension; NS simulation library: event scheduler objects, network component objects, network setup helper modules; OTcl script; simulation result analysis; NAM network animator]

NS from the user's point of view
From a pure user's point of view, NS is an interpreter for object-oriented Tcl scripts. NS consists of simulation event schedulers, libraries of network component objects and a library of network setup modules (in practice the modules are connected through member functions of the basic simulation objects). When using NS, the user must program in the Tcl scripting language. To create and run a simulated network, the user writes a Tcl script that instantiates an event scheduler and sets up the network topology using the network component objects and the linking functions in the NS libraries. Setting up a network means joining the data paths between network objects by pointing one object's pointer at the address of the corresponding other object. To create a new network object, the user can either write a new object or compose existing objects from the NS object libraries and create data links between them.
The four main benefits of NS-2:
- The ability to test the stability of existing network protocols.
- The ability to evaluate new network protocols before they are put into use.
- The ability to run large network models that are almost impossible to run in practice.
- The ability to simulate many kinds of network.

3.3 Choice of simulation software

Given the analysis of the two packages above, we find that simulating the MPLS VPN problem with GNS3 is more convenient and easier to use. The simulation program is more user-friendly because GNS3 is installed on Windows XP, whereas NS2 is installed on Linux and requires the user to know the Linux operating system and how to use it.

4. RESULTS AND EVALUATION

With the network topology presented above, simulated in GNS3, we obtain the interface shown above (screenshot not reproduced here), and the configuration process for each router is also shown above. The result is two separate VPNs: VPN A, comprising customers CE-A1 and CE-A2, and VPN B, comprising customers CE-B1 and CE-B2. The operation of the network is verified as follows:
CONFIGURATION CHECKS:
Check the LFIB:
PE-1:
PE-1#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    1.1.1.0/24[V]     0          Se0/0      point2point
17     Aggregate   10.0.1.0/24[V]    1684
18     Untagged    3.3.3.0/24[V]     0          Se0/1      point2point
19     Aggregate   10.0.3.0/24[V]    0
20     Pop tag     192.168.2.0/24    0          Fa0/0      192.168.1.1
21     17          6.6.6.0/24        0          Fa0/0      192.168.1.1

PE-2:
PE-2#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     16          5.5.5.0/24        0          Fa0/0      192.168.2.1
17     Pop tag     192.168.1.0/24    0          Fa0/0      192.168.2.1
18     Aggregate   10.0.4.0/24[V]    0
19     Aggregate   10.0.2.0/24[V]    0
20     Untagged    2.2.2.0/24[V]     1144       Se0/0      point2point
21     Untagged    4.4.4.0/24[V]     0          Se0/1      point2point

Check the label switching mechanism:
PE-1#traceroute vrf A1 2.2.2.2
Type escape sequence to abort.
Tracing the route to 2.2.2.2
  1 192.168.1.1 [MPLS: Labels 17/20 Exp 0] 596 msec 976 msec 408 msec
  2 10.0.2.1 [MPLS: Label 20 Exp 0] 316 msec 484 msec 132 msec
  3 10.0.2.2 356 msec 436 msec *

PE-1#traceroute vrf B1 4.4.4.4
Type escape sequence to abort.
Tracing the route to 4.4.4.4
  1 192.168.1.1 [MPLS: Labels 17/21 Exp 0] 444 msec 536 msec 596 msec
  2 10.0.4.1 [MPLS: Label 21 Exp 0] 272 msec 452 msec 680 msec
  3 10.0.4.2 692 msec 188 msec 444 msec

PE-2#traceroute vrf A2 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
  1 192.168.2.1 [MPLS: Labels 16/16 Exp 0] 732 msec 684 msec 388 msec
  2 10.0.1.1 [MPLS: Label 16 Exp 0] 272 msec 252 msec 816 msec
  3 10.0.1.2 328 msec 1104 msec *

PE-2#traceroute vrf B2 3.3.3.3
Type escape sequence to abort.
Tracing the route to 3.3.3.3
  1 192.168.2.1 [MPLS: Labels 16/18 Exp 0] 448 msec 340 msec 244 msec
  2 10.0.3.1 [MPLS: Label 18 Exp 0] 444 msec 328 msec 596 msec
  3 10.0.3.2 372 msec 944 msec 492 msec

Check VPN operation:
A1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 392/768/1720 ms

A1#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

A1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

B1#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 308/828/1524 ms

B1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Check the VRF routing tables:
PE-1#show ip route vrf A1
Routing Table: A1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/2297856] via 10.0.1.2, 00:49:05, Serial0/0
     2.0.0.0/24 is subnetted, 1 subnets
B       2.2.2.0 [200/2297856] via 6.6.6.6, 00:41:52
     10.0.0.0/24 is subnetted, 2 subnets
B       10.0.2.0 [200/0] via 6.6.6.6, 00:42:08
C       10.0.1.0 is directly connected, Serial0/0

PE-1#show ip route vrf B1
Routing Table: B1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/2297856] via 10.0.3.2, 00:42:34, Serial0/1
     4.0.0.0/24 is subnetted, 1 subnets
B       4.4.4.0 [200/2297856] via 6.6.6.6, 00:40:19
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.3.0 is directly connected, Serial0/1
B       10.0.4.0 [200/0] via 6.6.6.6, 00:41:25

PE-2#show ip route vrf A2
Routing Table: A2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
B       1.1.1.0 [200/2297856] via 5.5.5.5, 00:44:02
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2297856] via 10.0.2.2, 00:40:34, Serial0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.2.0 is directly connected, Serial0/0
B       10.0.1.0 [200/0] via 5.5.5.5, 00:44:03

PE-2#show ip route vrf B2
Routing Table: B2
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     3.0.0.0/24 is subnetted, 1 subnets
B       3.3.3.0 [200/2297856] via 5.5.5.5, 00:43:05
     4.0.0.0/24 is subnetted, 1 subnets
D       4.4.4.0 [90/2297856] via 10.0.4.2, 00:41:01, Serial0/1
     10.0.0.0/24 is subnetted, 2 subnets
B       10.0.3.0 [200/0] via 5.5.5.5, 00:44:24
C       10.0.4.0 is directly connected, Serial0/1

Check the customer routing tables:
A1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     2.0.0.0/24 is subnetted, 1 subnets
D EX    2.2.2.0 [170/3097600] via 10.0.1.1, 00:51:39, Serial0/0
     10.0.0.0/24 is subnetted, 2 subnets
D EX    10.0.2.0 [170/3097600] via 10.0.1.1, 00:52:11, Serial0/0
C       10.0.1.0 is directly connected, Serial0/0

B1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected,
 Loopback0
     4.0.0.0/24 is subnetted, 1 subnets
D EX    4.4.4.0 [170/3097600] via 10.0.3.1, 00:49:13, Serial0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.3.0 is directly connected, Serial0/0
D EX    10.0.4.0 [170/3097600] via 10.0.3.1, 00:50:39, Serial0/0

A2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
D EX    1.1.1.0 [170/3097600] via 10.0.2.1, 00:49:36, Serial0/0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.2.0 is directly connected, Serial0/0
D EX    10.0.1.0 [170/3097600] via 10.0.2.1, 00:49:36, Serial0/0

B2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     3.0.0.0/24 is subnetted, 1 subnets
D EX    3.3.3.0 [170/3097600] via 10.0.4.1, 00:50:14, Serial0/0
     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 2 subnets
D EX    10.0.3.0 [170/3097600] via 10.0.4.1, 00:50:14, Serial0/0
C       10.0.4.0 is directly connected, Serial0/0

Check BGP operation:
PE-1#show ip bgp summary
BGP router identifier 5.5.5.5, local AS number 1
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
6.6.6.6         4     1      67      59        1    0    0 00:48:13        0

PE-2#show ip bgp summary
BGP router identifier 6.6.6.6, local AS number 1
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
5.5.5.5         4     1      59      67        1    0    0 00:48:34        0

EVALUATION

The exercise achieved its stated objective: configuring the core routers and the customer routers produced two virtual private networks, VPN A and VPN B. The successful checks of the LFIB, of the label switching mechanism, of VPN operation, of the VRF routing tables, of the customer routing tables and of BGP operation show that the network operates correctly and that the configuration is complete.
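The evidence above is read by eye; in a larger deployment the same checks are worth automating. The script below is an added example, not part of the thesis: it parses the show ip route vrf and ping outputs in the format shown in this section and reports any prefix or reachability that crosses the VPN boundary. The sample texts are constructed from PE-1's VRF A1 table and A1's pings above; the leaked VPN B route is constructed to show the detection.

```python
"""Check VRF isolation from the CLI evidence in this section (added example,
not part of the thesis). Parses ``show ip route vrf`` output in the
classful-grouped IOS format (a "<net>/<len> is subnetted" line carries the
mask of the subnet lines below it) and ping results. Samples are constructed
from the PE-1 VRF A1 table and A1's pings above; the leaked route is invented.
"""
import ipaddress
import re

SUBNETTED_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)/(\d+) is subnetted")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z](?: [A-Z][A-Z0-9]?)?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)"
    r"(?:/(?P<len>\d+))?\s+(?P<rest>.*)$"
)
PING_CMD_RE = re.compile(r"^(\S+)#ping (\d+\.\d+\.\d+\.\d+)")
PING_RATE_RE = re.compile(r"^Success rate is (\d+) percent")


def parse_routes(text):
    """Return [(code, ip_network, rest)] for every route line."""
    routes, mask_len = [], None
    for line in text.splitlines():
        m = SUBNETTED_RE.match(line)
        if m:
            mask_len = int(m.group(2))  # mask for the subnet lines that follow
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue  # legend, prompt, blank and "Gateway of last resort" lines
        plen = m.group("len") or mask_len
        if plen is None:
            continue
        net = ipaddress.ip_network(f"{m.group('net')}/{plen}", strict=False)
        routes.append((m.group("code"), net, m.group("rest").strip()))
    return routes


def leaked_routes(text, allowed_prefixes):
    """Routes in a VRF table that fall outside the VPN's own prefixes."""
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    return [r for r in parse_routes(text)
            if not any(r[1].subnet_of(a) for a in allowed)]


def ping_success_rates(log):
    """Return {(source_host, destination): success_percent} from a CLI log."""
    rates, key = {}, None
    for line in log.splitlines():
        m = PING_CMD_RE.match(line)
        if m:
            key = (m.group(1), m.group(2))
            continue
        m = PING_RATE_RE.match(line)
        if m and key:
            rates[key] = int(m.group(1))
            key = None
    return rates


def reachability_violations(rates, expected):
    """expected maps (src, dst) to True (same VPN) or False (other VPN)."""
    out = []
    for pair, same_vpn in expected.items():
        pct = rates.get(pair)
        if pct is None:
            out.append(f"{pair}: no ping result in log")
        elif same_vpn and pct == 0:
            out.append(f"{pair}: unreachable inside its own VPN")
        elif not same_vpn and pct > 0:
            out.append(f"{pair}: cross-VPN reachability ({pct}%)")
    return out


# Constructed from the PE-1 "show ip route vrf A1" output in this section.
VRF_A1_TABLE = """\
PE-1#show ip route vrf A1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/2297856] via 10.0.1.2, 00:49:05, Serial0/0
     2.0.0.0/24 is subnetted, 1 subnets
B       2.2.2.0 [200/2297856] via 6.6.6.6, 00:41:52
     10.0.0.0/24 is subnetted, 2 subnets
B       10.0.2.0 [200/0] via 6.6.6.6, 00:42:08
C       10.0.1.0 is directly connected, Serial0/0
"""
# Constructed: the same table plus a VPN B loopback that must never appear.
VRF_A1_LEAKED = VRF_A1_TABLE + """\
     3.0.0.0/24 is subnetted, 1 subnets
B       3.3.3.0 [200/2297856] via 6.6.6.6, 00:40:19
"""
VPN_A_PREFIXES = ["1.1.1.0/24", "2.2.2.0/24", "10.0.1.0/24", "10.0.2.0/24"]
# Constructed from the A1 ping results in this section.
PING_LOG = """\
A1#ping 2.2.2.2
Success rate is 100 percent (5/5), round-trip min/avg/max = 392/768/1720 ms
A1#ping 4.4.4.4
Success rate is 0 percent (0/5)
"""
EXPECTED = {("A1", "2.2.2.2"): True, ("A1", "4.4.4.4"): False}
```

Note that the VRF tables are the evidence of isolation here; the show ip bgp summary output above reports 0 prefixes because it covers only the IPv4 unicast address family, not the VPNv4 routes the PEs exchange.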


CONCLUSION
Virtual private network technology allows the public network infrastructure to be used to build a private WAN, with advantages in cost, unlimited geographic reach, and flexibility in deployment and expansion. Today VPNs are very useful and will become even more useful in the future. Standards are being implemented, which will improve interoperability and manageability. Network quality over VPNs will also improve, allowing new applications such as video conferencing, IP telephony and multimedia services. This thesis studied a number of technical issues related to implementing VPNs, covering the following main topics: basic concepts and the characteristics of the tunneling protocols L2F, PPTP, L2TP and IPSec, and the operating principles of VPNs based on tunneling protocols. Among the existing tunneling protocols, IPSec meets the high requirements for data security well and is the main solution for securing the VPNs of organizations and companies. However, IPSec supports only unicast IP flows; if only unicast IP packets are tunneled, then the single encapsulation provided by IPSec is preferable because it is simple to configure and troubleshoot. To tunnel multicast IP, L2TP can be used; for network traffic that uses Microsoft networks and equipment, L2TP is the best choice. L2TP also suits remote-access VPNs that support multiple protocols. However, L2TP does not support data encryption or data integrity, so using IPSec together with L2TP is the complete solution. The thesis also covered security issues in VPNs, namely protecting data against unauthorized access and modification. Security in a VPN must carry out two processes: authentication and encryption. This part introduced some authentication and encryption algorithms commonly used in VPNs, such as PAP, CHAP, MD, SHA, MAC, DES, AES, RSA and DH. Today the IETF and many reputable organizations have put forward numerous authentication and encryption algorithms to complete the standards for this technology.


VPN management issues include security management, address management and quality management. In the trend toward globalization and commercialization, IP networks have traditionally been designed around the World Wide Web (WWW) and the Extranet, suited to commercial and business transaction applications. Extranets are usually set up between business partners and are driven by the need for detailed business applications, faster processing and better audit control, whereas VPNs were developed from the need to provide secure communication over the shared Internet for any kind of traffic regardless of the application; in the future, therefore, VPNs will be extended to Extranets. An Extranet can be built on the basis of a VPN; the main steps in extending a VPN to an Extranet are granting Extranet partners access to specific internal resources and adding the partner database to the authentication systems. For many managers, the Extranet has several advantages for communication among many business partners:
- Extranets are usually built on TCP/IP, which is convenient for linking (private) subnetworks.
- Using the Internet to link networks gives greater flexibility in procedures and lets short-term activities be wound up when needed.
- Extranets revolve around the WWW, which helps provide a common user interface to many applications across company boundaries.
The thesis presents the basic components of MPLS VPN, the layer-two and layer-three MPLS VPN deployment models, and the key techniques in MPLS VPN such as routing information distribution, VPN IP addressing and VPN packet forwarding. It also addresses several issues related to security and quality of service in MPLS VPN, and closes with an analysis and comparison of the main features of the two VPN solutions based on IPSec and MPLS. It can be said that deploying VPN technology over MPLS promises many new advantages and will certainly be the ideal solution for virtual private networks in the future.


ACKNOWLEDGEMENTS
I sincerely thank the teachers of the Faculty of Telecommunications I, and especially the teachers of my department. I send my most sincere thanks to MSc. Hoàng Trọng Minh, who patiently guided me in completing this thesis and who provided, and helped me select, the reference material most relevant to its field of study. I thank my family, who were always beside me in the hardest times, and finally my friends, truly good friends who stood by me throughout this period.
