
FOREWORD

With a comprehensive development strategy that aims to stay ahead in technology, so as to create a large capacity, competitiveness in quality and diversified low-cost services, and high labour productivity, the Vietnam Posts and Telecommunications Group has a strategy and plan to convert its digital telecommunications network into a Next Generation Network (NGN). The NGN has a single information infrastructure based on packet-switching technology, deploys services quickly and in a diverse way, and meets the convergence between voice and data and between fixed and mobile; it originates from the progress of information technology, the advantages of packet-switching technology in general and IP technology in particular, and broadband optical transmission technology. The structure of the next generation network and its operating principles differ fundamentally from the structure of today's PSTN. Telecommunications engineers and technical staff therefore need refresher training on this new technology, so that they have the ability and qualification to operate, manage and deploy telecommunications services safely and effectively. The Group's training programme for electronics and telecommunications engineers on IP and NGN technology was built to provide basic knowledge and skills related to IP and NGN technology to the technical staff who directly manage and operate the equipment on site, in order to meet the Group's requirements for the conversion of network technology and telecommunications services.

This document, Virtual Private Networks, consists of five chapters and introduces the basic technical issues involved in building a VPN, the VPN solutions based on IPSec and on MPLS, and the current state of VPN deployment in practice. Chapter 1 introduces the basic concepts of VPN and the functions and characteristics of VPN, as a basis for classifying VPNs and presenting the advantages and difficulties of using each type of VPN. Chapter 2 presents the tunneling protocols used for VPN and analyses their operation, characteristics and applicability in the different VPN models. Chapter 3 presents the IPSec security protocol and some technical issues related to implementing VPN over IPSec, such as cryptographic standards, tools for checking information integrity, authentication algorithms, and key management and exchange techniques. Chapter 4 presents the MPLS-based VPN models, the components and operation of MPLS-VPN, and the issues of connection control, security and QoS in MPLS-VPN. This chapter also gives some comparisons of the characteristics and applicability of the two VPN solutions, IPSec-based and MPLS-based.
IP and NGN training programme for VNPT electronics and telecommunications engineers

VIRTUAL PRIVATE NETWORKS

Chapter 5 presents the VPN deployment models and solutions, focusing on the most recent solutions implemented over MPLS. Some information on the current deployment of VPN services at VNPT is also given in this chapter.

During compilation the instructors have tried hard, but shortcomings cannot be avoided. We hope to receive readers' comments so that the quality of the document can be improved in later editions.

POSTS AND TELECOMMUNICATIONS TRAINING CENTER 1


TABLE OF CONTENTS

Foreword (p. i)
Table of contents (p. iii)
List of figures (p. v)
Chapter 1 - General introduction to VPN (p. 1)
1.1 The VPN concept (p. 2)
1.2 Functions, advantages and disadvantages of VPN (p. 3)
1.2.1 Functions (p. 3)
1.2.2 Advantages (p. 4)
1.2.3 Disadvantages and some issues to be overcome (p. 5)
1.3 VPN models (p. 6)
1.3.1 Overlay model (p. 6)
1.3.2 Peer-to-peer model (p. 8)
1.4 VPN classification and applications (p. 9)
1.4.1 Remote access VPN (p. 10)
1.4.2 Site-to-site VPN (p. 11)
1.4.3 VPN applications (p. 13)
1.5 Chapter summary (p. 14)
Chapter 2 - Tunneling protocols (p. 15)
2.1 Introduction to tunneling protocols (p. 16)
2.2 Layer 2 Forwarding protocol (L2F) (p. 16)
2.2.1 L2F packet structure (p. 17)
2.2.2 L2F operation (p. 17)
2.2.3 Advantages and disadvantages of L2F (p. 19)
2.3 Point-to-Point Tunneling Protocol (PPTP) (p. 20)
2.3.1 Overview of PPTP operation (p. 20)
2.3.2 Tunnel maintenance with the PPTP control connection (p. 21)
2.3.3 PPTP tunnel data encapsulation (p. 22)
2.3.4 Data processing at the PPTP tunnel endpoints (p. 24)
2.3.5 PPTP-based VPN deployment (p. 24)
2.3.6 Advantages, disadvantages and applicability of PPTP (p. 25)
2.4 Layer 2 Tunneling Protocol (L2TP) (p. 26)
2.4.1 Overview of L2TP operation (p. 26)
2.4.2 Tunnel maintenance with L2TP control messages (p. 27)
2.4.3 L2TP tunnel data encapsulation (p. 27)
2.4.4 Data processing at the L2TP tunnel endpoints over IPSec (p. 30)
2.4.5 L2TP-based VPN deployment (p. 30)
2.4.6 Advantages, disadvantages and applicability of L2TP (p. 31)
2.5 Chapter summary (p. 32)
Chapter 3 - IPSec-based virtual private networks (p. 33)
3.1 Introduction to IPSec (p. 34)
3.2 IPSec encapsulation (p. 35)
3.2.1 Modes of operation (p. 35)
3.2.2 Authentication Header (AH) protocol (p. 37)
3.2.3 Encapsulating Security Payload (ESP) protocol (p. 41)
3.3 Security associations and key exchange (p. 45)
3.3.1 Security associations (p. 45)
3.3.2 IKE key exchange operation (p. 48)
3.4 Some technical issues in implementing IPSec-based VPN (p. 54)
3.4.1 Cryptography (p. 55)
3.4.2 Message integrity (p. 56)
3.4.3 Peer authentication (p. 57)
3.4.4 Key management (p. 58)
3.5 Example of an IPSec-based VPN implementation (p. 58)
3.6 Outstanding issues in IPSec (p. 59)
3.7 Chapter summary (p. 60)
Chapter 4 - MPLS-based virtual private networks (p. 61)
4.1 Components of MPLS-VPN (p. 62)
4.1.1 MPLS-VPN service provisioning system (p. 62)
4.1.2 Provider edge router (p. 63)
4.1.3 Virtual routing and forwarding table (p. 63)
4.2 MPLS-VPN models (p. 64)
4.2.1 L3VPN model (p. 64)
4.2.2 L2VPN model (p. 66)
4.3 MPLS-VPN operation (p. 67)
4.3.1 Routing information propagation (p. 67)
4.3.2 VPN-IP addresses (p. 68)
4.3.3 VPN packet forwarding (p. 71)
4.4 Security in MPLS-VPN (p. 74)
4.5 Quality of service in MPLS-VPN (p. 75)
4.5.1 Pipe model (p. 76)
4.5.2 Hose model (p. 77)
4.6 Comparison of IPSec-based and MPLS-based VPN characteristics (p. 79)
4.6.1 Evaluation criteria (p. 79)
4.6.2 Salient characteristics of IPSec-VPN and MPLS-VPN (p. 80)
4.7 Chapter summary (p. 83)
Chapter 5 - VPN deployment and applications (p. 84)
5.1 VPN deployment models (p. 85)
5.2 VNPT's MPLS-based VPN solution (p. 86)
5.3 MegaWAN service provisioning model (p. 87)
5.4 Chapter summary (p. 88)
Abbreviations (p. 89)
References (p. 93)


LIST OF FIGURES

Figure 1.1 Secure VPN model (p. 3)
Figure 1.2 Remote access VPN model (p. 10)
Figure 1.3 Intranet VPN model (p. 12)
Figure 1.4 Extranet VPN model (p. 13)
Figure 2.1 L2F packet format (p. 17)
Figure 2.2 System model using L2F (p. 18)
Figure 2.3 PPTP control connection packet (p. 22)
Figure 2.4 PPTP tunnel data encapsulation (p. 22)
Figure 2.5 PPTP encapsulation diagram (p. 23)
Figure 2.6 Components of a PPTP-based VPN provisioning system (p. 24)
Figure 2.7 L2TP control message (p. 27)
Figure 2.8 L2TP tunnel data encapsulation (p. 28)
Figure 2.9 L2TP encapsulation diagram (p. 29)
Figure 2.10 Components of an L2TP-based VPN provisioning system (p. 30)
Figure 3.1 IP packet processing in transport mode (p. 36)
Figure 3.2 IP packet processing in tunnel mode (p. 36)
Figure 3.3 Network device implementing IPSec in tunnel mode (p. 37)
Figure 3.4 AH header structure for IPSec packets (p. 38)
Figure 3.5 IPv4 packet format before and after AH processing (p. 40)
Figure 3.6 IPv6 packet format before and after AH processing (p. 40)
Figure 3.7 ESP encapsulation mechanism (p. 41)
Figure 3.8 ESP packet format (p. 42)
Figure 3.9 IPv4 packet format before and after ESP processing (p. 43)
Figure 3.10 IPv6 packet format before and after ESP processing (p. 44)
Figure 3.11 Combining tunnel-mode SAs when both endpoints coincide (p. 47)
Figure 3.12 Combining tunnel-mode SAs when one endpoint coincides (p. 47)
Figure 3.13 Combining tunnel-mode SAs when no endpoints coincide (p. 48)
Figure 3.14 IKE key exchange phases and modes (p. 49)
Figure 3.15 Crypto access control operation using an ACL (p. 50)
Figure 3.16 IKE phase one using main mode (p. 51)
Figure 3.17 IPSec transform set exchange (p. 53)
Figure 3.18 Established IPSec tunnel (p. 54)
Figure 3.19 Example of an IPSec-based VPN connection (p. 59)
Figure 4.1 MPLS-VPN service provisioning system and its components (p. 62)
Figure 4.2 PE router and the connection of customer sites (p. 63)
Figure 4.3 MPLS L3VPN model (p. 65)
Figure 4.4 MPLS L2VPN model (p. 66)
Figure 4.5 VPN-IPv4 address (p. 68)
Figure 4.6 Route distinguisher field format (p. 69)
Figure 4.7 Using labels to forward VPN packets (p. 71)
Figure 4.8 Using the label stack to forward VPN packets (p. 72)
Figure 4.9 VPN data forwarding across an MPLS network (p. 73)
Figure 4.10 Pipe model of quality of service in MPLS-VPN (p. 77)
Figure 4.11 Hose model of quality of service in MPLS-VPN (p. 78)
Figure 5.1 VNPT's model for providing VPN service over the MPLS network (p. 86)
Figure 5.2 VNPT's MPLS-VPN connectivity solution (p. 87)
Figure 5.3 MegaWAN service provisioning network model (p. 87)


CHAPTER 1

GENERAL INTRODUCTION TO VPN


A VPN can be understood as a network that connects customer sites securely over a shared network infrastructure, together with access control and security policies like those of a private network. Although it is built on the existing infrastructure of the public network, a VPN has the properties of a local network, as when leased lines are used. This chapter presents the basic concepts of VPN and the functions and characteristics of VPN, as a basis for classifying VPNs and presenting the advantages and difficulties of using the different types of VPN. The contents of this chapter are:
- The VPN concept
- Functions, advantages and disadvantages of VPN
- VPN models
- Classification of VPN by application


1.1 The VPN concept


Virtual private networks are not a new concept. They were used in earlier telephone networks, but because of some technological limitations they did not gain much strength or competitiveness. Recently, the IP network infrastructure has made VPN genuinely new. The types of virtual private network built on the public Internet infrastructure bring a new capability and a new outlook to users. VPN technology is the optimal communications solution for companies and organisations with many offices or branches. Today, with the development of technology and the explosion of the Internet, the capabilities of VPN are constantly improving and this service has become a promising, competitive service.

A virtual private network is defined as a network connection deployed on a public network infrastructure with management and security policies like those of a local network. A VPN extends the reach of LANs without geographical limitation. Businesses can use a VPN to provide network access to mobile and remote users, to connect dispersed branches into a single network, and to allow remote use of applications based on services inside the company.

In practice, two VPN concepts are usually referred to: the trusted VPN and the secure VPN. A trusted VPN is regarded as a set of leased circuits from a telecommunications service provider. Each leased circuit operates like a line in a local network. The privacy of a trusted VPN lies in the service provider's guarantee that nobody else uses the same leased circuit. Customers of this type of VPN trust the service provider to maintain the integrity and confidentiality of the data carried on the network. Private networks built on leased lines are trusted VPNs.

A secure VPN is a VPN that uses cryptography to protect data. The data leaving a network is encrypted, then passed into the public network like any other data for transmission to its destination, and decrypted at the receiving side. The encrypted data can be regarded as travelling in a secure tunnel from source to destination. Even if an attacker can see the data on the path, they cannot read it because it is encrypted. An example of a protocol used for encryption to ensure security is IPSec. It is a standard for encrypting as well as authenticating IP packets at the network layer. IPSec supports a set of cryptographic protocols for two purposes: securing network packets and changing cryptographic keys. IPSec is supported in Windows XP, 2000, 2003 and Vista, in Linux from version 2.6 onwards, and in many other operating systems. Many vendors have quickly developed and offered IPSec-VPN server and IPSec-VPN client products.


A VPN built on the Internet is an example of a secure VPN: it uses the open, distributed infrastructure of the Internet to carry data between the sites of the network (figure 1.1).

Figure 1.1 Secure VPN model

A VPN connection is a dynamic connection, meaning that it is not hard-wired and exists as a real connection only while network traffic passes through it. This connection can change and adapt to many different environments. When a connection is requested, it is set up and maintained regardless of the network infrastructure between the endpoints. The privacy of a VPN lies in the fact that the transmitted data is always kept confidential and can be accessed only by authorised users. This is very important because the Internet protocol was not originally designed to support levels of security. Security is therefore provided by adding VPN software or hardware.

1.2 Functions, advantages and disadvantages of VPN


1.2.1 Functions

A VPN provides three main functions: authentication, integrity and confidentiality.

Authentication: To set up a VPN connection, both sides must first authenticate each other in order to confirm that they are exchanging information with the intended party and not with someone else.

Integrity: Ensures that the data is not modified or disturbed in any way during transmission.

Confidentiality: The sender can encrypt data packets before sending them across the public network, and the data is decrypted at the receiving side. In this way nobody can access the information without permission; even if it is captured, it cannot be read.

1.2.2 Advantages

A VPN brings real and immediate benefits to companies. It not only simplifies the exchange of information between remote employees and mobile users, extends the Intranet to every office and branch, and even deploys an Extranet to customers and key partners, but also cuts costs considerably compared with buying equipment and lines for a private WAN. The direct and indirect benefits that a VPN brings include cost savings, flexibility, scalability, and so on.

Cost savings: Using a VPN helps companies reduce investment and recurring costs. The total cost of owning a VPN is lower, because less is paid for leasing transmission bandwidth, for backbone network equipment and for keeping the system running. Many figures show that the cost of LAN-to-LAN connectivity falls by 20 to 30% compared with traditional leased lines, and for remote access by 60 to 80%.

Flexibility: Flexibility here shows not only in operation and exploitation but also in adapting to usage requirements. Customers can use many different kinds of connection to connect small offices or mobile users. The VPN service provider can offer customers many connection options: 56 kbit/s modem, 128 kbit/s ISDN, xDSL, E1, and so on.

Scalability: Because a VPN is built on a public network infrastructure, a VPN can be deployed wherever a public network (such as the Internet) is available. Today the Internet is present everywhere, so a VPN is very easy to extend. A remote office can connect to the company network quite simply using a telephone line or a DSL subscriber line. Scalability also shows in the fact that when an office or branch needs more bandwidth, it can be upgraded easily. In addition, a VPN can easily be removed when it is no longer needed.

Reduced technical support: Standardising on one type of connection from the mobile user to an ISP POP, and standardising the security requirements, reduces the need for technical support resources for the VPN. And today, as service providers take on more of the network support, the technical support demands on users keep falling.

Reduced equipment requirements: By providing enterprises with an access solution over the Internet, a VPN requires far less and simpler equipment than maintaining separate modems, adapter cards for terminal equipment and remote access servers. An enterprise can set up its customer equipment for one environment, such as T1 or E1, and the rest of the connection is handled by the ISP.

Meeting commercial needs: For new telecommunications equipment and technologies, the matters of concern are standardisation, manageability, network expansion and integration, backward compatibility, reliability and performance, and especially the commercial viability of the product. Today's VPN service products follow common standards, partly to guarantee that the product works, but perhaps more importantly so that products from different vendors can work together.

1.2.3 Disadvantages and some issues to be overcome

Security risk: A VPN is usually cheaper and more efficient than a leased-line solution. However, it also carries many security risks that are hard to foresee. Although most service providers advertise their solution as secure, security is never absolute. A VPN can be made harder to compromise by protecting the network's parameters appropriately, but this affects the cost of the service.

Reliability and performance: A VPN uses encryption to protect data, and complex cryptographic functions can place a heavy load on the servers. The network administrator's task is to manage the server load by limiting the number of simultaneous connections that a given server is known to be able to handle. However, when the number of people trying to connect to the VPN suddenly surges and overwhelms the communication, even the administrators themselves cannot connect because all the VPN ports are busy. This is what motivates administrators to create application areas that work without requiring the VPN, for example a proxy service or an Internet Message Access Protocol service that lets employees access e-mail from home or on the road.

Protocol selection: Choosing between IPSec and SSL/TLS is a difficult decision, and how they will be used in future is also hard to predict. One consideration is that SSL/TLS can work through a firewall based on network address translation (NAT), whereas IPSec cannot; but if both protocols work through a firewall, the address cannot be translated. IPSec encrypts all IP traffic carried between two computers, whereas SSL/TLS is specific to one application. SSL/TLS uses asymmetric cryptographic functions to establish the connection, and it protects more effectively than using symmetric functions. In practical applications the administrator can decide to combine and mix the protocols to create the best balance between network performance and security. For example, clients can connect to a web server through a firewall using a secure SSL/TLS path, the web server can connect to an application service using IPSec, and the application service can connect to a database through other firewalls, also using SSL.
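The three functions named in 1.2.1 are abstract until they are seen on a frame crossing the public network. The block below is an added example, not part of the training document and not code from VNPT: it shows how a tunnel endpoint enforces authentication and integrity with a pre-shared key using only the Python standard library; confidentiality is left out so the block stays dependency-free. The endpoint names, the PSK and the payloads are constructed for the demo.

```python
"""Endpoint-side enforcement of authentication and integrity for VPN frames.

Added example, not code from the training document. Uses only the standard
library: a pre-shared key (PSK), a mutual challenge/response for
authentication, and an HMAC-SHA256 tag plus a sequence number on every frame
for integrity and replay detection. Confidentiality (payload encryption) is
intentionally omitted here. Names, keys and payloads are constructed.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 digest length in bytes
SEQ_LEN = 4   # 32-bit big-endian sequence number


class TunnelEndpoint:
    """One side of a tunnel; both sides are configured with the same PSK."""

    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self.send_seq = 0        # next sequence number we will emit
        self.last_seen_seq = -1  # highest sequence number accepted so far

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.psk, data, hashlib.sha256).digest()

    # --- authentication: prove possession of the PSK without revealing it ---
    def make_challenge(self) -> bytes:
        return os.urandom(16)

    def answer_challenge(self, challenge: bytes) -> bytes:
        # Binding the responder's name stops a reflected answer being reused.
        return self._mac(self.name.encode() + challenge)

    def verify_response(self, peer_name: str, challenge: bytes, response: bytes) -> bool:
        expected = self._mac(peer_name.encode() + challenge)
        return hmac.compare_digest(expected, response)

    # --- integrity: keyed tag over seq || payload, checked before use ---
    def seal(self, payload: bytes) -> bytes:
        header = struct.pack("!I", self.send_seq)
        self.send_seq += 1
        return header + payload + self._mac(header + payload)

    def unseal(self, frame: bytes):
        """Return the payload if the frame is authentic, untouched and not a replay; else None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(self._mac(header + payload), tag):
            return None  # altered in transit, or forged by someone without the PSK
        (seq,) = struct.unpack("!I", header)
        if seq <= self.last_seen_seq:
            return None  # replay of an already accepted frame
        self.last_seen_seq = seq
        return payload


def mutual_authentication(a: TunnelEndpoint, b: TunnelEndpoint) -> bool:
    """Each side challenges the other; the tunnel comes up only if both checks pass."""
    ca, cb = a.make_challenge(), b.make_challenge()
    return (a.verify_response(b.name, ca, b.answer_challenge(ca))
            and b.verify_response(a.name, cb, a.answer_challenge(cb)))


def run_scenarios() -> dict:
    """Exercise the tunnel with constructed inputs; every value should be True."""
    psk = b"constructed-demo-psk"
    a = TunnelEndpoint("gateway-site-1", psk)
    b = TunnelEndpoint("gateway-site-2", psk)
    impostor = TunnelEndpoint("gateway-site-2", b"wrong-key")  # same name, no PSK

    results = {
        "peer_accepted": mutual_authentication(a, b),
        "impostor_rejected": not mutual_authentication(a, impostor),
    }
    frame = a.seal(b"GET /payroll")
    results["good_frame_accepted"] = b.unseal(frame) == b"GET /payroll"

    tampered = bytearray(frame)
    tampered[SEQ_LEN + 1] ^= 0x01           # flip one payload bit in transit
    results["tampered_rejected"] = b.unseal(bytes(tampered)) is None

    results["replay_rejected"] = b.unseal(frame) is None  # same frame again
    results["next_frame_accepted"] = b.unseal(a.seal(b"next")) == b"next"
    return results


if __name__ == "__main__":
    for check, ok in run_scenarios().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```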

1.3 VPN models


There are two VPN deployment models: customer-based and network-based. The customer-based model is also called the overlay model, in which the VPN is configured on the customer's equipment and uses tunneling protocols across the public network. The service provider sells virtual circuits between the customer's sites as leased-line connections. The network-based model is also called the peer-to-peer model, in which the VPN is configured on the service provider's equipment and managed by the service provider. The service provider and the customer exchange layer 3 routing information, after which the provider places the data from the customer sites on the optimal path without the customer's involvement.

1.3.1 Overlay model

The overlay VPN model appeared very early and has been deployed with many different technologies. Initially VPNs were built using leased lines to provide connectivity between a customer's different locations. The customer buys a leased-line service from the provider. These leased lines are set up between the customer sites that need to be connected and are dedicated to that customer. When Frame Relay appeared it was seen as a technology that supports VPN well and meets the customer's connectivity requirements like a leased-line service. The difference is that the customer is not given dedicated lines but uses a shared line on which virtual circuits are assigned. These virtual circuits keep each customer's traffic separate. Virtual circuits can be permanent virtual circuits (PVC) or switched virtual circuits (SVC).

Providing a virtual circuit to a customer means that the service provider builds a dedicated tunnel for the customer's traffic across the provider's shared network. The customer sets up communication sessions between its customer premises equipment (CPE) over the virtual channel. The routing protocol runs directly between the customer routers to establish adjacencies and exchange routing information with each other. The service provider knows nothing about the customer's routing information. The provider's task in this model is only to guarantee point-to-point transport of data between the customer's sites.

Overlay VPNs are also deployed in the form of tunnels. The success of IP technology has pushed service providers to deploy VPN over IP. Any customer who wants to build their private network over the Internet can use this solution because of its low cost. Besides the economic reason, the tunnel model also gives the customer data security. The two common tunnel VPN technologies are IPSec (IP Security) and GRE (Generic Routing Encapsulation).

QoS commitments in the overlay VPN model are usually commitments on the bandwidth of a VC. This value is called the CIR (Committed Information Rate). The maximum bandwidth that can be used on a virtual channel is called the PIR (Peak Information Rate). The bandwidth commitment can be realised through the natural statistics of the layer 2 service but depends on the provider's strategy, which means the committed rate is not truly guaranteed. Usually the provider can guarantee the minimum rate, the MIR (Minimum Information Rate). The bandwidth commitment is also only a commitment between two points in the customer network. Without a full traffic matrix for all traffic classes it is very hard to honour this commitment to the customer in the overlay model. It is also hard to offer multiple classes of service, because the provider cannot distinguish the traffic between networks. This problem can be overcome by creating a full mesh of connections, as in Frame Relay or ATM networks with PVCs between the customer sites. However, a full mesh usually increases the cost of the network.

The advantage of the overlay VPN model is that it is easy to implement, from the point of view of both the customer and the service provider. In this model the provider does not take part in routing the customer's traffic; its task is to transport data point-to-point between the customer's sites. Marking the reference point between the provider and the customer makes management easier. The overlay model suits networks that need no redundancy, with few central sites and many remote sites, but it is hard to manage if many meshed connections are needed. Providing many VCs requires detailed knowledge of the type of traffic between the sites, which is usually not really practical. Furthermore, implementing this model with layer 2 technologies creates an unnecessary extra layer for providers that are mostly IP-based, and so increases the operating cost of the network.

1.3.2 Peer-to-peer model

To overcome the limitations of the overlay VPN model and optimise data transport across the backbone, the peer-to-peer VPN model was created. In this model the service provider takes part in the customer's routing. The provider edge router (PE) exchanges routing information directly with the customer edge router (CE). In the peer-to-peer VPN model routing becomes simpler (seen from the customer's side), since the customer router exchanges routing information with only one or a few PE routers, whereas in the overlay VPN model the number of neighbouring routers can grow large. In addition, because the provider knows the customer's network configuration, it can set up optimal routing for traffic between the customer sites. Provisioning bandwidth is also simpler, because the customer only has to consider the inbound and outbound bandwidth at each site and not the whole site-to-site traffic as in the overlay model. Scaling is easier in the peer-to-peer model because the provider only needs to add a site and change the configuration on the PE router, whereas in the overlay model the provider has to deal with the whole set of VCs from site to site of the customer's VPN.

A service provider can deploy two kinds of peer-to-peer VPN: the shared router approach and the dedicated router approach.

Shared router approach: VPN customers share one provider edge (PE) router. In this approach many customers can connect to the same PE router. Therefore an access list must be configured on this router for every PE-CE interface to guarantee isolation between the VPN customers and to prevent one customer's VPN from launching denial of service (DoS) attacks against another customer's VPN. The provider divides parts of its address space among the customers and manages packet filtering on the PE router.

Dedicated router approach: In this approach each VPN customer has a dedicated PE router. The VPN customer has access only to the routes in the routing table of its dedicated PE router. Each router uses routing protocols to build the routing table for one VPN. The routing table contains only the routes advertised by the VPN customers connected to it, which results in absolute isolation between VPNs. Routing on dedicated routers can be carried out as follows:
- the routing protocol between PE and CE can be any protocol;
- the protocol running between PE and PE is BGP;
- the PE redistributes the routes received from the CE into BGP, marks them with the customer's identifier (ID) and passes them to the P router, which then holds routes from all the customer VPNs;
- the P router passes only the appropriate routes to each PE router, so each PE receives only the routes from CE routers in its VPN.

The shared router approach is very hard to maintain because it requires long and complex access lists on every interface of the router. The dedicated router approach, although seemingly simpler to configure and easier to maintain, requires the provider to spend a great deal to serve a large number of customers well. All customers share the same IP address space, so they must either use real addresses in their private network or depend on the provider for IP addresses. In both cases, connecting a new customer to the peer-to-peer VPN service requires re-registering the IP addresses in the customer network. A limitation of the peer-to-peer VPN model is that the provider must handle the customer's routing correctly and ensure convergence of the customer's network when a link fails. In addition, the provider's P routers must carry all the customers' routes.
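The four routing steps given for the dedicated-router approach can be simulated directly to see why the tag on each route is what keeps one customer's prefixes out of another customer's PE table. The block below is an added example, not part of the training document and not a real routing implementation: PE routers tag CE routes with a customer ID, a P router holds every customer's routes, and each PE receives and re-checks only its own customer's routes. Router names, customer IDs and prefixes are constructed for the demo.

```python
"""Route distribution in the dedicated-router variant of the peer-to-peer VPN model.

Added example, not code from the training document and not a real routing
stack. It follows the four steps given in the text: any PE-CE protocol, BGP
between PEs, PE tags CE routes with the customer ID and passes them to the
P router, and the P router hands each PE only its own customer's routes.
Router names, customer IDs and prefixes are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class VpnRoute:
    prefix: str     # customer prefix as advertised by a CE
    customer: str   # customer ID tag attached by the exporting PE
    next_hop: str   # name of the PE that exported the route


class PERouter:
    """A PE dedicated to one customer; its table may hold that customer's routes only."""

    def __init__(self, name: str, customer: str):
        self.name = name
        self.customer = customer
        self.table = {}     # prefix -> "CE" (directly attached) or next-hop PE name
        self.rejected = []  # routes refused at import because the tag did not match

    def learn_from_ce(self, prefixes):
        # Step 1: the PE-CE routing protocol can be anything; only the outcome matters.
        for p in prefixes:
            self.table[str(ip_network(p))] = "CE"

    def export_to_bgp(self):
        # Step 3: redistribute CE-learned routes into BGP, marked with the customer ID.
        return [VpnRoute(p, self.customer, self.name)
                for p, nh in self.table.items() if nh == "CE"]

    def import_from_p(self, routes):
        # Step 4, PE side: re-check the tag so a mis-filtered P router cannot leak
        # another customer's prefix into this table.
        for r in routes:
            if r.customer != self.customer:
                self.rejected.append(r)
                continue
            self.table.setdefault(r.prefix, r.next_hop)


class PRouter:
    """Core router that carries the routes of every customer VPN (step 3)."""

    def __init__(self):
        self.rib = []

    def receive(self, routes):
        self.rib.extend(routes)

    def routes_for(self, pe: PERouter):
        # Step 4, P side: pass only routes matching the PE's customer, not its own.
        return [r for r in self.rib
                if r.customer == pe.customer and r.next_hop != pe.name]


def build_vpn_tables(p_filters: bool = True):
    """Run the distribution for two customers and three PEs.

    With p_filters=False the P router floods its whole RIB to every PE, which
    shows that the PE-side tag check alone still keeps the tables isolated.
    Returns (per-PE routing tables, per-PE count of rejected routes).
    """
    pes = [PERouter("PE-A1", "CUST-A"), PERouter("PE-A2", "CUST-A"),
           PERouter("PE-B1", "CUST-B")]
    pes[0].learn_from_ce(["10.1.0.0/16"])       # customer A, site 1
    pes[1].learn_from_ce(["10.2.0.0/16"])       # customer A, site 2
    pes[2].learn_from_ce(["172.16.0.0/16"])     # customer B, only site

    p = PRouter()
    for pe in pes:
        p.receive(pe.export_to_bgp())
    for pe in pes:
        pe.import_from_p(p.routes_for(pe) if p_filters else list(p.rib))

    tables = {pe.name: dict(pe.table) for pe in pes}
    rejected = {pe.name: len(pe.rejected) for pe in pes}
    return tables, rejected


if __name__ == "__main__":
    for name, table in build_vpn_tables()[0].items():
        print(name, table)
```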

1.4 VPN classification and applications


A virtual private network VPN supports many different applications. The basic requirement for a VPN is that access by customers, by service providers and by other outside parties can be controlled. Based on the form of application and the capabilities a VPN provides, VPNs can be divided into two types:
- Remote access VPN (Remote Access VPN);
- Site-to-site VPN (Site-to-Site VPN).
Site-to-site VPNs are in turn divided into two types:
- Intranet VPN (Intranet VPN);
- Extranet VPN (Extranet VPN).
VIRTUAL PRIVATE NETWORKS
1.4.1 Remote access VPN

Remote access VPNs give users remote access to a network (figure 1.2). At any time, employees or mobile branch offices can use VPN software to reach the company network through a gateway or a VPN concentrator (essentially a server); the solution is therefore also called a client/server solution. Remote access VPN is the most typical kind of VPN, because a connection can be set up at any time and from anywhere the Internet is available. A remote access VPN extends the company network to its users over a shared infrastructure while the company's network policies continue to apply. It can provide secure access for employees who travel frequently, for branch offices and for the company's business partners. These VPNs run over the public infrastructure using ISDN, dial-up, Mobile IP, DSL or cable technologies, and usually require some kind of client software on the user's computer. A fairly new development in remote access VPN is the wireless VPN, in which an employee reaches the home network over a wireless connection; in this design the wireless connection first terminates on a wireless terminal (Wireless Terminal) and from there continues to the company network. In both cases (wired and wireless), the client software on the PC initiates the secured connections, also called tunnels. An important issue is the design of the initial authentication, which must ensure that the request comes from a trusted source. This initial phase is usually based on the company's own security policy, which comprises a number of technical procedures and server applications, for example Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+),

Figure 1.2 Remote access VPN model

The advantages of remote access VPN over traditional remote access methods are:
- Remote access VPN needs no support from network staff, because the remote connection is handled by the ISPs;
- Long-distance connection costs are reduced, because long-distance connections are replaced by local connections through the Internet;
- Low-cost connectivity is provided for remote users;
- Because the access connection is local, the modems run at higher speeds than with long-distance access;
- VPN gives better access to the company's sites because it supports the lowest level of connection service.

Despite these advantages, remote access VPNs also have inherent drawbacks:
- Remote access VPN does not support services with guaranteed QoS;
- The risk of data loss is high, since packets may be misdelivered or lost;
- Because the encryption algorithms are complex, protocol header overhead grows considerably.

1.4.2 Site-to-site VPN

A site-to-site VPN (Site-to-Site or LAN-to-LAN) connects networks at different locations to a central network through a VPN. In this situation the initial authentication of users becomes an authentication between devices. These devices act as security gateways (Security Gateway), carrying traffic securely from one site to the other; routers or firewalls with VPN support can both make this connection. The difference between remote access VPN and site-to-site VPN is largely nominal, and many newer VPN devices can operate either way. From a policy-management point of view a site-to-site VPN can be regarded as either an intranet or an extranet VPN: if the network infrastructure is under a single administration it can be regarded as an intranet VPN; otherwise it can be considered an extranet. Access between the sites must be strictly controlled by the corresponding devices.

1.4.2.1 Intranet VPN

An intranet VPN is a typical configuration of site-to-site VPN, used to secure the connections between the different locations of one company (figure 1.3). It links the headquarters, offices and branches over a shared infrastructure using connections that are always encrypted. This lets every location reach, securely, the data sources it is permitted to use anywhere in the company network.

Figure 1.3 Intranet VPN model

An intranet VPN offers WAN characteristics such as scalability, reliability and support for many kinds of protocol, at low cost and without giving up flexibility. The main advantages of the intranet VPN solution are:
- Local or wide area networks can be set up through one or several service providers;
- Fewer technical support staff are needed on the network at remote locations;
- Because the intermediate connection runs over the Internet, a new peer link can be added easily;
- Costs are saved by using VPN tunnels across the Internet combined with high-speed switching technologies.

The VPN-based intranet solution also has drawbacks:
- Because data is tunnelled over a public network such as the Internet, there remain threats to the level of data security and to quality of service (QoS);
- The probability of packets being lost in transit is still fairly high;
- Transferring large volumes of data such as multimedia, with high-speed and real-time requirements, is a major challenge in the Internet environment.

1.4.2.2 Extranet VPN

An extranet VPN is configured as a site-to-site VPN and provides secured tunnels between customers, suppliers and partners over a public network infrastructure (figure 1.4). This kind of VPN uses connections that are always secured, but it is not isolated from the outside world as intranet and remote access VPNs are.
[Figure 1.4 labels: Remote site (DSL cable) - POP - Internet - Central site; Router; Extranet: Business-to-business or Intranet]

Figure 1.4 Extranet VPN model

The extranet VPN solution provides access control to the network resources that need to be opened up to business partners. The difference between an intranet VPN and an extranet VPN is that network access is granted at one of the two ends of the VPN. The main advantages of an extranet VPN are:
- The cost of an extranet VPN is much lower than that of other connectivity solutions achieving the same purpose;
- It is easy to set up, maintain and change on a running network;
- Because the extranet VPN is built on the Internet, there are many options for providing services and for choosing the solution that suits each company's needs;
- The Internet connections are maintained by the Internet service provider, so the number of network support staff, and with it the operating cost of the whole network, can be reduced.

Alongside these advantages, the extranet VPN solution has drawbacks:
- Information security is harder in such an open environment, which increases the risk to the company's internal network;
- The possibility of data loss while crossing the public network remains;
- Transferring large volumes of data with high-speed and real-time requirements is still a major challenge to be solved.

1.4.3 VPN applications

Both remote access and site-to-site VPNs provide a way for an enterprise to build a virtual private network. Companies can extend their networks to places they could not reach before. In many applications VPN saves costs considerably: instead of many separate connections to the same headquarters, the VPN solution aggregates the traffic into a single connection, creating opportunities to cut costs both inside and outside the enterprise. Today's Internet is a good infrastructure that lets enterprises change their networks in many directions. Large companies readily find that leased-line WAN connections are very expensive and are gradually being replaced by VPN connections. For remote access, instead of slow links or expensive leased-line services, users can now be given high-speed access services at low cost. Mobile users can also make good use of the high-speed Ethernet connections in hotels, airports and public places for their work. The saving on long-distance call charges alone is a compelling reason to use VPN in this case. Another benefit of VPN is that it lets companies roll out new e-commerce (e-Commerce) applications quickly. In this case, however, a few factors need careful consideration: the main obstacles of the Internet are security, quality of service, reliability and manageability.

1.5 Chapter summary

A VPN is defined as a network that connects customer sites securely over a shared network infrastructure, with access control and security policies like those of a private network. Although it is built on the existing infrastructure of a public network, a VPN has the characteristics of a private network such as one built on leased lines. It can link the branches of a company, and the company to its partners, and it can control the access rights of customers, service providers and other outside parties. The scope for applying VPN is very large; many companies around the world predict that VPN will be a strongly growing service in the future, so getting acquainted with this new technology is clearly essential. This chapter presented the basic concepts of VPN, its functions and characteristics, the models for building a VPN, and the classification of VPNs by form and scope of application. The material is only an overview intended to give the reader a general picture of VPN; the technical issues of implementing a VPN are presented in the following chapters.

CHAPTER 2 TUNNELING PROTOCOLS

Tunnelling can be said to be one of the fundamental concepts of VPN. A tunnelling protocol encapsulates data with the corresponding headers so that it can be carried across the Internet. This chapter introduces the common tunnelling protocols in use for IP-VPN: L2F, PPTP and L2TP. The IPSec protocol is covered in detail in chapter 3, together with the technical characteristics that bear directly on implementing IP-VPN. The chapter covers:
- Introduction to tunnelling protocols
- Layer Two Forwarding protocol L2F
- Point-to-Point Tunneling Protocol PPTP
- Layer Two Tunneling Protocol L2TP

2.1 Introduction to tunnelling protocols


Tunnelling protocols are the foundation of VPN technology. There are many different tunnelling protocols, and the choice of protocol is tied to the authentication and encryption methods that go with it. The common tunnelling protocols today are:
- Layer Two Forwarding protocol (L2F Layer Two Forwarding);
- Point-to-Point Tunneling Protocol (PPTP Point to Point Tunneling Protocol);
- Layer Two Tunneling Protocol (L2TP Layer Two Tunneling Protocol);
- IP security protocol (IPSec Internet Protocol Security).

L2F and PPTP were both developed on top of PPP (Point to Point Protocol). PPP is a layer 2 serial communication protocol that can encapsulate IP internetwork data and supports multiple upper-layer protocols. L2F was developed by Cisco on its own, whereas PPTP was developed jointly by several companies. Building on L2F and PPTP, the IETF developed the L2TP tunnelling protocol; today PPTP and L2TP are more widely used than L2F. Among the tunnelling protocols listed, IPSec is the best solution in terms of data security: it supports the strongest authentication and encryption methods, it is highly flexible and not tied to any particular authentication or encryption algorithm, and it can be used together with other tunnelling protocols to make a system more secure. Despite its clear advantages in data security over the other tunnelling protocols, IPSec also has some drawbacks. First, IPSec is a new standards framework that is still being developed, so the number of vendors with IPSec-capable products is still small. Second, to make full use of IPSec's data security, a complex public key infrastructure PKI (Public Key Infrastructure) is needed to handle matters such as digital certificates and digital signatures. Unlike IPSec, PPTP and L2TP are completed standards, so products supporting them are relatively common. PPTP can be deployed with a simple password system without PKI. PPTP and L2TP also have other advantages over IPSec, such as support for multiple upper-layer protocols. So while IPSec is still maturing, PPTP and L2TP remain in wide use, in particular for remote access applications.

2.2 Layer Two Forwarding protocol L2F


L2F was the earliest of these protocols to be developed; it is the traditional method for remote users to reach a company network through a remote access device. L2F provides a virtual dial-up service by setting up a secured tunnel across a public infrastructure such as the Internet. It encapsulates PPP packets in the L2F format and tunnels them at the data link layer.

2.2.1 L2F packet structure

The L2F packet format is shown in figure 2.1.
  F | K | P | S | Reserved (8 bit) | C | Version (3 bit)     (F, K, P, S and C are 1 bit each)
  Protocol (8 bit) | Sequence (8 bit, present when S = 1)
  Multiplex ID
  Client ID
  Length
  Offset (present when F = 1)
  Key (present when K = 1)
  Data
  Checksum (present when C = 1)

Figure 2.1 L2F packet format

The meaning of the fields of the L2F packet is as follows:
- F: indicates that the Offset field is present;
- K: indicates that the Key field is present;
- P (Priority): sets the priority of the packet;
- S: indicates that the Sequence field is present;
- Reserved: always set to 00000000;
- Version: the version of L2F used to create the packet;
- Protocol: identifies the protocol encapsulated by L2F;
- Sequence: the sequence number, present when the S bit in the L2F header is 1;
- Multiplex ID: identifies one particular connection inside a tunnel (tunnel);
- Client ID: helps demultiplex tunnels at the end points;
- Length: the length of the packet (in bytes), not including the checksum;
- Offset: the number of bytes past the L2F header at which the payload data begins; present when the F bit is 1;
- Key: part of the authentication process (present when the K bit is 1);
- Checksum: the checksum of the packet (present when the C bit is 1).
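The header layout above, as an added example that is not code from the training material: a Python builder and parser for the L2F header. It assumes the RFC 2341 widths for the fields the text leaves unsized (16-bit Multiplex ID, Client ID, Length, Offset and Checksum, 32-bit Key), an Internet ones'-complement checksum for the Checksum field, and a constructed Protocol value and PPP payload.

```python
"""Build and parse the L2F packet header of Section 2.2.1.

Bit widths given in the text: F, K, P, S, C are 1 bit each, Reserved 8 bits,
Version 3 bits, Protocol 8 bits, Sequence 8 bits. The 16-bit Multiplex ID,
Client ID, Length, Offset and Checksum and the 32-bit Key follow RFC 2341.
The checksum algorithm (Internet ones'-complement sum over header and payload,
checksum field excluded) is an assumption; the text only says it is a checksum.
"""
import struct
from dataclasses import dataclass
from typing import Optional

F_BIT, K_BIT, P_BIT, S_BIT = 0x8000, 0x4000, 0x2000, 0x1000
RESERVED_MASK, C_BIT, VERSION_MASK = 0x0FF0, 0x0008, 0x0007


@dataclass
class L2FPacket:
    protocol: int                    # what L2F is encapsulating (constructed value below)
    multiplex_id: int                # one connection inside a tunnel
    client_id: int                   # demultiplexes tunnels at the end points
    payload: bytes                   # the encapsulated PPP frame
    version: int = 1
    priority: bool = False           # P bit
    sequence: Optional[int] = None   # present when S = 1
    offset: Optional[int] = None     # bytes between header and payload, when F = 1
    key: Optional[int] = None        # authentication key, when K = 1
    checksum: bool = False           # C = 1: a 16-bit checksum trails the packet


def internet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, complemented (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build(pkt: L2FPacket) -> bytes:
    flags = pkt.version & VERSION_MASK          # Reserved bits stay 00000000
    flags |= F_BIT if pkt.offset is not None else 0
    flags |= K_BIT if pkt.key is not None else 0
    flags |= P_BIT if pkt.priority else 0
    flags |= S_BIT if pkt.sequence is not None else 0
    flags |= C_BIT if pkt.checksum else 0
    head = struct.pack("!HB", flags, pkt.protocol & 0xFF)
    if pkt.sequence is not None:
        head += struct.pack("!B", pkt.sequence & 0xFF)
    opts = b""
    if pkt.offset is not None:
        opts += struct.pack("!H", pkt.offset)
    if pkt.key is not None:
        opts += struct.pack("!I", pkt.key)
    pad = b"\x00" * (pkt.offset or 0)           # Offset: gap before the payload
    # Length covers everything except the trailing checksum (as the text says)
    length = len(head) + 6 + len(opts) + len(pad) + len(pkt.payload)
    out = head + struct.pack("!HHH", pkt.multiplex_id, pkt.client_id, length)
    out += opts + pad + pkt.payload
    if pkt.checksum:
        out += struct.pack("!H", internet_checksum(out))
    return out


def parse(data: bytes) -> L2FPacket:
    flags, protocol = struct.unpack_from("!HB", data, 0)
    if flags & RESERVED_MASK:
        raise ValueError("Reserved bits must be 00000000")
    pos, sequence = 3, None
    if flags & S_BIT:
        sequence = data[pos]
        pos += 1
    multiplex_id, client_id, length = struct.unpack_from("!HHH", data, pos)
    pos += 6
    offset = key = None
    if flags & F_BIT:
        (offset,) = struct.unpack_from("!H", data, pos)
        pos += 2
    if flags & K_BIT:
        (key,) = struct.unpack_from("!I", data, pos)
        pos += 4
    has_checksum = bool(flags & C_BIT)
    if len(data) != length + (2 if has_checksum else 0):
        raise ValueError("Length field does not match the packet size")
    if has_checksum:
        (received,) = struct.unpack_from("!H", data, length)
        if internet_checksum(data[:length]) != received:
            raise ValueError("L2F checksum mismatch")
    pos += offset or 0
    return L2FPacket(protocol, multiplex_id, client_id, data[pos:length],
                     flags & VERSION_MASK, bool(flags & P_BIT),
                     sequence, offset, key, has_checksum)


def is_valid(data: bytes) -> bool:
    """True when the packet parses and its checksum (if present) verifies."""
    try:
        parse(data)
        return True
    except (ValueError, struct.error, IndexError):
        return False


# Constructed sample: a PPP frame (address/control 0xFF 0x03, protocol 0x0021
# = IPv4) with a dummy payload, carried with every optional field present.
# The Protocol value 2 is a constructed sample; the text gives no numbers.
SAMPLE_PPP = b"\xff\x03\x00\x21" + b"constructed IPv4 datagram"
SAMPLE = L2FPacket(protocol=2, multiplex_id=0x0101, client_id=0x2002,
                   payload=SAMPLE_PPP, sequence=9, offset=2,
                   key=0xDEADBEEF, checksum=True)
```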

2.2.2 Operation of L2F

L2F encapsulates layer 2 packets (in this case PPP) and then carries them across the network. A system using L2F consists of the following components (figure 2.2):
- Network Access Server NAS (Network Access Server): directs traffic to and from the remote client (Remote Client) and the Home Gateway. An ERX system can act as a NAS.
- Tunnel (Tunnel): defines the path between the NAS and the Home Gateway. A tunnel consists of a number of connections.
- Home Gateway: the peer of the NAS; the element at the private network end of the tunnel.
- Connection (Connection): a PPP connection inside the tunnel. In the CLI, an L2F connection is treated as a session.
- Destination (Destination): the far end point of the tunnel. In this case the Home Gateway is the destination.

Figure 2.2 Model of a system using L2F

L2F operation consists of establishing the connection, the tunnel and the session. The specific steps are:
1) A remote user dials in to the NAS and starts a PPP connection to the ISP.
2) The NAS and the client exchange Link Control Protocol LCP (Link Control Protocol) packets.
3) The NAS uses a local database keyed on the domain name (domain name), or RADIUS authentication, to decide whether the user requires L2F service.
4) If the user requires L2F, the process continues and the NAS obtains the address of the Home Gateway.
5) A tunnel is set up from the NAS to the Home Gateway if none exists between them yet. Tunnel establishment includes an authentication phase between the ISP and the Home Gateway to guard against attacks by third parties.
6) A new PPP connection is created inside the tunnel, which in effect extends the PPP session from the remote user to the Home Gateway. The connection is set up as follows: the Home Gateway receives the options and all the PAP/CHAP authentication information as negotiated between the user's terminal and the NAS; it then either accepts the connection or renegotiates LCP and re-authenticates the user.
7) When the NAS receives data traffic from the user, it encapsulates the traffic in L2F frames and sends them into the tunnel.
8) At the Home Gateway the L2F framing is removed and the encapsulated data is forwarded to the company network.

Once the system has established destinations, tunnels and sessions, L2F traffic must be controlled and managed as follows:
- Prevent the creation of new destinations, tunnels and sessions.
- Close and reopen all, or selected, destinations, tunnels and sessions.
- Enable UDP checksums.
- Set the system idle timeout and retain the database of tunnels and connections.

A change to a destination affects all tunnels and sessions to that destination, and a change to a tunnel affects all sessions in that tunnel; for example, terminating a destination closes all tunnels and sessions to it. L2F provides a number of commands for these functions, for example:
- L2F checksum: checks data integrity in L2F frames using the UDP checksum, for example host1(config)#l2f checksum
- L2F destruct-timeout: sets the idle timeout, with values in the range 10 to 3600 seconds, for example host1(config)#l2f destruct-timeout 1200

2.2.3 Advantages and disadvantages of L2F

L2F has the following advantages:
- It allows multiprotocol tunnels;
- It is supported by many vendors.
Its main disadvantages are:
- No encryption;
- Limited user authentication;
- No flow control for the tunnel.

2.3 Point-to-Point Tunneling Protocol PPTP


The Point-to-Point Tunneling Protocol was first proposed by a group of companies known as the PPTP Forum. The basic idea is to separate the common and the specific functions of remote access and to use the existing Internet infrastructure to create a secured connection between a remote user (client) and the private network. The remote user only has to dial the local Internet service provider to obtain a secured tunnel to his private network. PPTP is built on the functions of PPP and provides dial-up access that creates a secured tunnel across the Internet to the destination site. PPTP uses a redefined version of Generic Routing Encapsulation GRE to encapsulate and decapsulate PPP packets; this lets PPTP handle non-IP protocols such as IPX and NETBEUI flexibly.

2.3.1 Overview of PPTP operation

PPP has become the most common access protocol for the Internet and IP networks today. Working at the data link layer of the OSI model, PPP includes methods to frame and unframe different kinds of packets for serial transmission; it can frame IP, IPX and NETBEUI packets and carry them over a point-to-point link from sender to receiver. PPTP encapsulates PPP frames in IP datagrams for transport over an IP network (Internet or intranet). PPTP uses a TCP connection (called the PPTP control connection) to create, maintain and terminate the tunnel, and a version of the GRE protocol to encapsulate the PPP frames. The payload of the PPP frame may be encrypted and/or compressed. PPTP uses PPP to:
- Establish and terminate the physical connection.
- Authenticate the user.
- Build the PPP data packets.

PPTP assumes that an IP network exists between the PPTP client (a VPN client using PPTP) and the PPTP server (a VPN server using PPTP). The PPTP client may be connected directly by dialling in to a network access server NAS to establish the IP connection. When a PPP connection is established the user is normally authenticated; this is an optional phase in PPP, but ISPs always provide it. Authentication while setting up a PPTP connection uses the authentication mechanisms of the PPP connection, which may be:
- EAP (Extensible Authentication Protocol);
- CHAP (Challenge Handshake Authentication Protocol);
- PAP (Password Authentication Protocol).

With PAP the password is sent over the connection as plain text with no protection. CHAP is a stronger authentication protocol that uses a three-way handshake; it resists replay attacks by using challenge values (Challenge Value) that are unique and unpredictable. PPTP also inherits the encryption and/or compression of the PPP payload. The PPP payload can be encrypted with Microsoft Point-to-Point Encryption MPPE (Microsoft Point to Point Encryption). MPPE provides only link-level encryption, not end-to-end encryption; if end-to-end encryption is needed, IPSec can be used to encrypt the IP traffic between the end points after the PPTP tunnel has been set up. Once PPP has established the connection, PPTP uses the PPP encapsulation rules to frame the packets sent through the tunnel. To take advantage of the connection created by PPP, PPTP defines two kinds of packet, control and data, and assigns them to two separate channels, the control channel and the data channel: the control channel is a control stream over TCP and the data channel is a data stream over IP. The TCP connection between the PPTP client and the PPTP server carries the control messages. Data packets are the user's ordinary data. Control packets are sent periodically to obtain connection status and to manage signalling between the PPTP client application and the PPTP server; they also carry device management and configuration information between the two ends of the tunnel. The control channel is required to set up a tunnel between the PPTP client and server. The PPTP server is a server running the PPTP protocol with one interface to the Internet and another to the intranet, while the client software may reside on the remote user's machine or on the ISP's server.

2.3.2 Tunnel maintenance with the PPTP control connection

The PPTP control connection is a connection between the IP address of the PPTP client (using a dynamically allocated TCP port) and the IP address of the PPTP server (using the reserved TCP port 1723). It carries the control and management messages used to maintain the PPTP tunnel, including periodic PPTP Echo-Request and PPTP Echo-Reply messages to detect connectivity failures between the PPTP client and server. A PPTP control connection packet consists of an IP header, a TCP header, the PPTP control message, and the data link layer header and trailer (figure 2.3).
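The PAP/CHAP contrast of Section 2.3.1, as an added example that is not part of the training material: PAP's Authenticate-Request (RFC 1334) with the password readable on the wire, and CHAP's challenge/response (RFC 1994) with MD5(Identifier || secret || Challenge) and single-use challenges, so a captured response cannot be replayed. User names, secrets and the 16-byte challenge size are constructed for the example.

```python
"""PAP versus CHAP over PPP. PAP carries the password in clear text; CHAP
answers a fresh, unpredictable challenge with MD5(Identifier || secret ||
Challenge), and the authenticator accepts each challenge only once, which is
what defeats replay of a captured response. Constructed example."""
import hashlib
import hmac
import os
import struct
from typing import Callable, Dict, Tuple

PAP_AUTH_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: Code, Identifier, Length, then the two
    length-prefixed strings; nothing protects the password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def pap_password_in_clear(packet: bytes) -> bytes:
    """What a passive observer of the link reads straight out of a PAP request."""
    id_len = packet[4]
    pw_len = packet[5 + id_len]
    return packet[6 + id_len:6 + id_len + pw_len]


def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """CHAP Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(packet: bytes) -> Tuple[int, int, bytes, bytes]:
    code, ident, length = struct.unpack_from("!BBH", packet, 0)
    size = packet[4]
    return code, ident, packet[5:5 + size], packet[5 + size:length]


def chap_response(challenge: bytes, name: bytes, secret: bytes) -> bytes:
    """Peer side: hash the identifier, the shared secret and the challenge value."""
    _, ident, value, _ = parse_chap(challenge)
    digest = hashlib.md5(bytes([ident]) + secret + value).digest()
    return chap_packet(CHAP_RESPONSE, ident, digest, name)


class ChapAuthenticator:
    """Authenticator side (NAS or PPTP server). `rng` is injectable for tests;
    a real link uses os.urandom so challenges are unique and unpredictable."""

    def __init__(self, secrets: Dict[bytes, bytes],
                 rng: Callable[[int], bytes] = os.urandom) -> None:
        self._secrets = secrets
        self._rng = rng
        self._pending: Dict[int, bytes] = {}   # outstanding challenges by Identifier
        self._next_id = 0

    def challenge(self, name: bytes = b"nas") -> bytes:
        ident = self._next_id
        self._next_id = (ident + 1) & 0xFF
        value = self._rng(16)                   # 16-byte challenge (constructed size)
        self._pending[ident] = value
        return chap_packet(CHAP_CHALLENGE, ident, value, name)

    def verify(self, response: bytes) -> bool:
        code, ident, value, name = parse_chap(response)
        challenge = self._pending.pop(ident, None)   # single use: a replay finds nothing
        if code != CHAP_RESPONSE or challenge is None:
            return False
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
        return hmac.compare_digest(expected, value)


def demo() -> Tuple[bool, bool, bool, bytes]:
    """First response accepted, its replay rejected, a wrong secret rejected,
    and the PAP password as read off the wire. Names/secrets are constructed."""
    auth = ChapAuthenticator({b"alice": b"correct horse"})
    resp = chap_response(auth.challenge(), b"alice", b"correct horse")
    first, replay = auth.verify(resp), auth.verify(resp)
    wrong = auth.verify(chap_response(auth.challenge(), b"alice", b"guess"))
    pap = pap_password_in_clear(pap_authenticate_request(1, b"alice", b"correct horse"))
    return first, replay, wrong, pap
```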

Figure 2.3 PPTP control connection packet

2.3.3 PPTP tunnel data encapsulation

PPP frame and GRE encapsulation

PPTP tunnel data is encapsulated at several levels. Figure 2.4 shows the structure of the encapsulated data:

  Data-link header | IP header | GRE header | PPP header | Encrypted PPP payload (IP, IPX, NETBEUI) | Data-link trailer

Figure 2.4 PPTP tunnel data encapsulation

The payload of the original PPP frame is encrypted and then framed with a PPP header to form the PPP frame. The PPP frame is then encapsulated with the header of a modified version of the GRE protocol. GRE is a general encapsulation protocol that provides a mechanism for encapsulating data for routing across IP networks. For PPTP, the GRE header is modified in the following points:
- A 32-bit acknowledgment field is added.
- An acknowledgment bit is used to indicate the presence of the 32-bit acknowledgment field.
- The Key field is replaced by a 16-bit Payload Length field and a 16-bit Call ID field. The Call ID is set by the PPTP client during PPTP tunnel creation.

IP encapsulation

The (encrypted) PPP payload and the GRE headers are then encapsulated with an IP header containing the appropriate source and destination addresses of the PPTP client and server.

Data link layer encapsulation

To be transmitted over a LAN or WAN, the final IP packet is encapsulated with the header and trailer of the data link layer of the outgoing physical interface. For example, if the IP packet is sent over an Ethernet interface it is sent with an Ethernet header and trailer; if it is sent over a point-to-point WAN link (such as an analog telephone line or ISDN), it is encapsulated with the header and trailer of the PPP protocol.
Encapsulation diagram

Figure 2.5 is an example of PPTP encapsulation from a client over a remote access VPN connection using an analog modem.

Figure 2.5 PPTP encapsulation diagram

The encapsulation process is as follows:
- IP or IPX packets or NetBEUI frames are submitted by the corresponding protocol, via NDIS (Network Driver Interface Specification), to the virtual interface that represents the VPN connection.
- NDIS passes the packet to NDISWAN, which encrypts and compresses the data and adds the PPP header. This PPP header consists only of the PPP Protocol ID field (PPP Protocol ID Field); there are no Flags or FCS (Frame Check Sequence) fields. The Address and Control fields are assumed to have been negotiated away by the Link Control Protocol LCP (Link Control Protocol) during PPP connection setup.
- NDISWAN sends the data to the PPTP protocol, which encapsulates the PPP frame with a GRE header. In the GRE header the Call ID field is set to the appropriate value identifying the tunnel.
- The PPTP protocol then sends the resulting packet to TCP/IP.
- TCP/IP encapsulates the PPTP tunnel data with an IP header, then sends the result, via NDIS, to the interface representing the dial-up connection to the local ISP.
- NDIS sends the packet to NDISWAN, which adds the PPP header and trailer.
- NDISWAN sends the resulting PPP frame to the WAN port representing the dial-up hardware (for example, the asynchronous port of a modem connection).
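The encapsulation of Section 2.3.3 and the decapsulation of Section 2.3.4, as an added example that is not the training material's code: the PPP frame reduced to its Protocol ID, the RFC 2637 enhanced GRE header with Payload Length, Call ID, Sequence and the added Acknowledgment, and the outer IPv4 header carrying protocol 47. Addresses, Call ID and the inner payload are constructed; MPPE encryption and compression are not modelled.

```python
"""PPTP data path: PPP frame -> enhanced GRE header (RFC 2637) -> IPv4 header,
and the reverse processing at the tunnel end point. The outer IP protocol is
47 (GRE), which is why a filtering firewall in front of a PPTP server must pass
GRE in addition to TCP port 1723. Constructed example; the PPP payload travels
as given (no MPPE)."""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

IP_PROTO_GRE = 47           # outer IP protocol number of PPTP data packets
GRE_PROTO_PPP = 0x880B      # GRE Protocol Type for PPP
PPP_PROTO_IPV4 = 0x0021     # PPP Protocol ID for an IPv4 payload
GRE_K, GRE_S, GRE_A, GRE_VER = 0x2000, 0x1000, 0x0080, 0x0001


def internet_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_encapsulate(ppp_proto: int, payload: bytes, call_id: int,
                    seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    ppp_frame = struct.pack("!H", ppp_proto) + payload   # Protocol ID only, no Flags/FCS
    flags = GRE_K | GRE_VER                # K: Key field present; Ver 1 = enhanced GRE
    if seq is not None:
        flags |= GRE_S                     # S: Sequence Number follows the header
    if ack is not None:
        flags |= GRE_A                     # A: PPTP's added 32-bit Acknowledgment follows
    # The Key field becomes a 16-bit Payload Length and the 16-bit Call ID
    header = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + ppp_frame


def gre_decapsulate(data: bytes) -> Dict[str, object]:
    flags, proto, payload_len, call_id = struct.unpack_from("!HHHH", data, 0)
    if proto != GRE_PROTO_PPP or (flags & 0x000F) != GRE_VER or not flags & GRE_K:
        raise ValueError("not a PPTP enhanced GRE header")
    pos, seq, ack = 8, None, None
    if flags & GRE_S:
        (seq,) = struct.unpack_from("!I", data, pos)
        pos += 4
    if flags & GRE_A:
        (ack,) = struct.unpack_from("!I", data, pos)
        pos += 4
    ppp_frame = data[pos:pos + payload_len]
    if len(ppp_frame) != payload_len:
        raise ValueError("GRE Payload Length does not match the packet")
    ppp_proto = struct.unpack_from("!H", ppp_frame)[0] if payload_len else None
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "ppp_proto": ppp_proto, "payload": ppp_frame[2:]}


def ipv4_wrap(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                         64, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = struct.pack("!H", internet_checksum(header))
    return header[:10] + csum + header[12:] + payload


def ipv4_unwrap(packet: bytes) -> Tuple[str, str, int, bytes]:
    ihl = (packet[0] & 0x0F) * 4
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack_from("!H", packet, 2)[0]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:total_len]


def pptp_send(src: str, dst: str, call_id: int, seq: int, ack: int,
              ip_payload: bytes) -> bytes:
    """Client side of Figure 2.5, from PPP framing down to the outer IP datagram."""
    gre = gre_encapsulate(PPP_PROTO_IPV4, ip_payload, call_id, seq, ack)
    return ipv4_wrap(src, dst, IP_PROTO_GRE, gre)


def pptp_receive(packet: bytes) -> Dict[str, object]:
    """Tunnel end point of Section 2.3.4: strip IP, then the GRE and PPP headers."""
    src, dst, proto, inner = ipv4_unwrap(packet)
    if proto != IP_PROTO_GRE:
        raise ValueError("PPTP data arrives as IP protocol 47 (GRE)")
    result = gre_decapsulate(inner)
    result.update(src=src, dst=dst)
    return result
```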
2.3.4 Data processing at the PPTP tunnel end point

On receiving PPTP tunnel data, the PPTP client or server performs the following steps:
- Process and remove the data link layer header and trailer;
- Process and remove the IP header;
- Process and remove the GRE and PPP headers;
- Decrypt and/or decompress the PPP payload (if necessary);
- Process the payload for receipt or forwarding.

2.3.5 Deploying a PPTP-based VPN

A PPTP-based VPN requires at least the equipment shown in figure 2.6, namely:
- A network access server for secure dial-up access to the VPN;
- A PPTP server;
- PPTP clients with the necessary client software.

Figure 2.6 Components of a PPTP-based VPN system

PPTP servers may be placed in the company network and managed by company staff.

PPTP server

The PPTP server has two main functions: it is the end point of the PPTP tunnel, and it forwards packets arriving from the tunnel to the private LAN. The PPTP server forwards packets to the destination host by processing the PPTP packet to obtain the network address of the destination computer. The PPTP server can also filter packets: using the PPTP packet filtering mechanism, the server can deny or permit access to the Internet, to the private network, or to both. Placing the PPTP server at the network site has one limitation when the server sits behind a firewall. PPTP is designed so that only one TCP port, 1723, is used for its data transfer, and a defect in the configuration of this port can make the firewall more vulnerable to attack. If the firewall is configured for packet filtering, it must be set up to let GRE through. Another device, introduced in 1998 by 3Com, performs a function similar to the PPTP server and is called a tunnel switch. The purpose of the tunnel switch is to extend a tunnel from one network to another, stretching the tunnel from the ISP's network to the private network. A tunnel switch can be used at the firewall to improve control over remote access to internal network resources; it can inspect incoming and outgoing packets, the protocol of the PPP frames, or the name of the remote user.

PPTP client software

If the ISP's equipment supports PPTP, no additional hardware or software is needed on the clients; a standard PPP connection is enough. If the ISP's equipment does not support PPTP, a client application can still create a secured connection by first dialling in to the ISP with PPP and then dialling a second time through the virtual PPTP port set up on the client. PPTP client software is included in Windows 9x, NT and later operating systems. When choosing a PPTP client, its functions must be compared with those of the PPTP server in use; not every PPTP client supports MS-CHAP, and without it the encryption available in RRAS cannot be used.

Network access server

The network access server NAS is also called a remote access server (Remote Access Server) or access concentrator (Access Concentrator). The NAS provides software-based line access, billing and fault tolerance at the ISP POP, and is designed to let a large number of users dial in at the same time. An ISP offering PPTP service must install a PPTP-enabled NAS to support clients on different platforms such as Unix, Windows, Macintosh, etc. In that case the ISP's server acts as a PPTP client connecting to the PPTP server in the private network; the ISP's server becomes one end point of the tunnel and the server at the private network is the other.

2.3.6 Advantages, disadvantages and applicability of PPTP

The advantage of PPTP is that it is designed to operate at layer 2 (data link), whereas IPSec runs at layer 3 of the OSI model. By supporting layer 2 transport, PPTP can tunnel protocols other than IP, while IPSec can tunnel only IP packets. PPTP is, however, a temporary solution, since most vendors plan to replace it with L2TP once that protocol is standardized. PPTP suits dial-up access for a limited number of users rather than LAN-to-LAN VPN. One issue with PPTP is that user authentication is handled through Windows NT or through RADIUS. A PPTP server is also overloaded by a large number of dial-in users or a large volume of data, which is exactly what a LAN-to-LAN connection requires. When a PPTP-based VPN relies on the ISP's equipment, some management rights have to be shared with the ISP. The security of PPTP is not as strong as that of IPSec, but security management in PPTP is simpler.

2.4 Layer Two Tunneling Protocol L2TP


2.4.1 Overview of L2TP operation

To avoid two incompatible tunnelling protocols coexisting and causing difficulty for users, the IETF combined L2F and PPTP and developed them into L2TP. L2TP is built to take the advantages of both PPTP and L2F, and it can be used in all the application cases of those two protocols. L2TP is described in RFC 2661. An L2TP tunnel can be initiated from a remote PC dialling in to an L2TP Network Server (LNS) or from an L2TP Access Concentrator (LAC) to the LNS. Although L2TP still uses PPP, it defines its own tunnelling mechanism, depending on the transport medium, rather than using GRE. L2TP encapsulates PPP frames for transport over IP, X.25, Frame Relay or ATM networks, although at present only L2TP over IP is defined. Over IP, L2TP frames are encapsulated as UDP messages. L2TP can be used as a tunnelling protocol over the Internet or over private intranets. L2TP uses UDP messages over IP both for tunnel data and for tunnel maintenance data. The payload of the encapsulated PPP frame may be encrypted and compressed. Encryption in L2TP connections is usually performed by IPSec ESP (not by MPPE as with PPTP). An L2TP connection can also be created without IPSec encryption, but that is not an IP-VPN connection, because the private data encapsulated by L2TP is not encrypted; unencrypted L2TP connections may be used temporarily to troubleshoot L2TP connections that use IPSec. L2TP assumes that an IP network exists between the client (a VPN client using the L2TP tunnelling protocol and IPSec) and the L2TP server. The L2TP client may be connected directly to the IP network to reach the L2TP server, or indirectly by dialling in to a network access server NAS to establish the IP connection. Authentication during L2TP tunnel formation must use the authentication mechanisms of the PPP connection such as EAP, MS-CHAP, CHAP and PAP. The L2TP server is an IP-VPN server running the L2TP protocol with one interface to the Internet and another to the intranet. L2TP uses two kinds of message, control and data. Control messages are responsible for establishing, maintaining and tearing down tunnels. Data messages encapsulate the PPP frames carried over the tunnel. Control messages use a reliable control mechanism inside L2TP to guarantee delivery, whereas data messages are not retransmitted when lost in transit.

2.4.2 Tunnel maintenance with L2TP control messages

Unlike PPTP, L2TP tunnel maintenance is not performed over a separate TCP connection. Control and call maintenance traffic is sent as UDP messages between the L2TP client and server (both using UDP port 1701). L2TP control messages over an IP network are sent as UDP packets, and the UDP packet is in turn encrypted by IPSec ESP as shown in figure 2.7.

Figure 2.7 L2TP control message

Because no TCP connection is used, L2TP relies on message sequencing to guarantee delivery of L2TP messages. In an L2TP control message, the Next-Received field (similar to a TCP Acknowledgment) and the Next-Sent field (similar to a TCP Sequence Number) maintain the order of control messages; out-of-order packets are discarded. The Next-Sent and Next-Received fields can also be used for sequenced delivery and flow control of tunnel data. L2TP supports several calls per tunnel: both the L2TP control message and the L2TP header of tunnel data carry a tunnel identifier (Tunnel ID) identifying the tunnel and a call identifier (Call ID) identifying the call within that tunnel.

2.4.3 L2TP tunnel data encapsulation

L2TP tunnel data is built up through several levels of encapsulation:

L2TP encapsulation. The original PPP payload is encapsulated with a PPP header and an L2TP header.

UDP encapsulation. The L2TP packet is then encapsulated with a UDP header, with the source and destination ports set to 1701.

IPSec encapsulation. Depending on the IPSec policy, the UDP packet is encrypted and encapsulated with an IPSec ESP header, an IPSec ESP trailer and an IPSec Authentication trailer.

IP encapsulation. The IPSec packet is encapsulated with an IP header containing the source and destination IP addresses of the client and server.

Data link layer encapsulation. To be sent over a LAN or WAN link, the final IP packet is encapsulated with the header and trailer of the data link technology of the outgoing physical interface. For example, when the IP packet is sent out of an Ethernet interface it is encapsulated with an Ethernet header and trailer; when IP packets are sent over a point-to-point WAN link (for example an ISDN telephone line) they are encapsulated with a PPP header and trailer. Figure 2.8 shows the final structure of an L2TP tunnel data packet over IPSec.

Figure 2.8 L2TP tunnel data encapsulation

Figure 2.9 shows the L2TP encapsulation diagram from a VPN client over a remote access connection using an analog modem.

Figure 2.9 L2TP encapsulation diagram

The encapsulation process proceeds as follows:
- An IP, IPX or NetBEUI packet is submitted by the appropriate protocol, via NDIS, to the virtual interface representing the VPN connection.
- NDIS passes the packet to NDISWAN, which may compress it and adds a PPP header containing only the PPP Protocol ID field; no Flag or FCS fields are added.
- NDISWAN sends the PPP frame to the L2TP protocol, which encapsulates it with an L2TP header. In the L2TP header the Tunnel ID and Call ID are set to the appropriate values identifying the tunnel.
- The L2TP protocol sends the resulting packet to TCP/IP with instructions to send it as a UDP message from UDP port 1701 to UDP port 1701 using the IP addresses of the client and server.
- TCP/IP builds the IP packet with the appropriate IP and UDP headers. IPSec then analyses the IP packet and compares it with the current IPSec policy. Based on the policy settings, IPSec encapsulates and encrypts the UDP message part of the IP packet using the appropriate ESP header and trailer. The original IP header, with its Protocol field set to 50, is placed in front of the ESP packet. TCP/IP then sends the resulting packet, via NDIS, to the interface representing the dial-up connection to the local ISP.
- NDIS passes the packet to NDISWAN.
- NDISWAN adds the PPP header and trailer and sends the resulting PPP frame to the appropriate port representing the dial-up hardware.
2.4.4 Data processing at the end point of an L2TP over IPSec tunnel

On receiving L2TP over IPSec tunnel data, the L2TP client or server performs the following steps:
- Process and remove the data link layer header and trailer.
- Process and remove the IP header.
- Use the IPSec ESP Auth trailer to authenticate the IP payload and the IPSec ESP header.
- Use the IPSec ESP header to decrypt the encrypted part of the packet.
- Process the UDP header and pass the packet to L2TP.
- L2TP uses the Tunnel ID and Call ID in the L2TP header to identify the specific L2TP tunnel.
- Use the PPP header to identify the PPP payload and forward it to the right protocol for processing.

2.4.5 Deploying an L2TP-based VPN

An L2TP-based VPN system consists of the following basic components: a network access concentrator, an L2TP server and L2TP clients (figure 2.10).
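Sections 2.4.2 to 2.4.4 as an added example, not code from the training material: the RFC 2661 header with Tunnel ID, Call ID (Session ID), Next-Sent and Next-Received, the drop-if-out-of-order rule of the control channel, and an LNS demultiplexing control and data messages arriving on the single UDP port 1701. Tunnel and call numbers and message payloads are constructed; the IPSec ESP layer around the UDP datagram is omitted.

```python
"""L2TP over UDP 1701: header layout, control-message sequencing with Ns/Nr,
and demultiplexing by the T bit, Tunnel ID and Call ID. Constructed example;
ESP protection sits outside this code."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

L2TP_PORT = 1701
T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200
VERSION = 2


@dataclass
class L2TPMessage:
    is_control: bool
    tunnel_id: int
    call_id: int                 # "Session ID" in RFC 2661
    payload: bytes               # PPP frame for data, AVPs for control
    ns: Optional[int] = None     # Next-Sent, like a TCP sequence number
    nr: Optional[int] = None     # Next-Received, like a TCP acknowledgment


def build(msg: L2TPMessage) -> bytes:
    flags = VERSION
    if msg.is_control:
        flags |= T_BIT | L_BIT | S_BIT        # control: Length, Ns and Nr are mandatory
    elif msg.ns is not None:
        flags |= S_BIT                        # data messages may be sequenced too
    body = struct.pack("!HH", msg.tunnel_id, msg.call_id)
    if flags & S_BIT:
        body += struct.pack("!HH", msg.ns, msg.nr)
    body += msg.payload
    if flags & L_BIT:
        return struct.pack("!HH", flags, 4 + len(body)) + body
    return struct.pack("!H", flags) + body


def parse(data: bytes) -> L2TPMessage:
    (flags,) = struct.unpack_from("!H", data, 0)
    if (flags & 0x000F) != VERSION:
        raise ValueError("not an L2TP version 2 header")
    pos, length = 2, len(data)
    if flags & L_BIT:
        (length,) = struct.unpack_from("!H", data, pos)
        pos += 2
    is_control = bool(flags & T_BIT)
    if is_control and not (flags & L_BIT and flags & S_BIT):
        raise ValueError("control messages must carry Length, Ns and Nr")
    tunnel_id, call_id = struct.unpack_from("!HH", data, pos)
    pos += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack_from("!HH", data, pos)
        pos += 4
    if flags & O_BIT:                         # Offset Size plus padding (data only)
        (offset,) = struct.unpack_from("!H", data, pos)
        pos += 2 + offset
    return L2TPMessage(is_control, tunnel_id, call_id, data[pos:length], ns, nr)


def udp_wrap(payload: bytes, sport: int = L2TP_PORT, dport: int = L2TP_PORT) -> bytes:
    # UDP checksum 0 = not computed (allowed over IPv4); ESP would cover it anyway
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def udp_unwrap(datagram: bytes) -> Tuple[int, int, bytes]:
    sport, dport, ulen, _ = struct.unpack_from("!HHHH", datagram, 0)
    return sport, dport, datagram[8:ulen]


class ControlChannel:
    """Receive side of one tunnel's reliable control channel: a message is
    accepted only when its Ns equals the next expected value; anything else
    is dropped, since there is no TCP underneath to reorder for L2TP."""

    def __init__(self) -> None:
        self.expected_ns = 0
        self.accepted: List[bytes] = []

    def receive(self, msg: L2TPMessage) -> bool:
        if msg.ns != self.expected_ns:
            return False
        self.expected_ns = (self.expected_ns + 1) & 0xFFFF
        self.accepted.append(msg.payload)
        return True


class LNS:
    """L2TP Network Server: one UDP port serves both message kinds; the T bit
    tells them apart, and Tunnel ID / Call ID select the channel or session."""

    def __init__(self) -> None:
        self.control: Dict[int, ControlChannel] = {}
        self.sessions: Dict[Tuple[int, int], List[bytes]] = {}

    def handle_datagram(self, datagram: bytes) -> str:
        _, dport, body = udp_unwrap(datagram)
        if dport != L2TP_PORT:
            return "ignored"
        msg = parse(body)
        if msg.is_control:
            channel = self.control.setdefault(msg.tunnel_id, ControlChannel())
            return "control-accepted" if channel.receive(msg) else "control-dropped"
        self.sessions.setdefault((msg.tunnel_id, msg.call_id), []).append(msg.payload)
        return "data"
```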

Figure 2.10 Components of an L2TP-based VPN system

L2TP server

The L2TP server has two main functions: it terminates the L2TP tunnel, and it forwards packets arriving from the tunnel onto the private LAN and vice versa. It forwards a packet to the destination host by processing the L2TP packet to obtain that host's network address. Unlike a PPTP server, an L2TP server does not filter packets; in L2TP, packet filtering is left to the firewall. In practice, however, the L2TP server and the firewall are usually integrated. This integration has some advantages over PPTP:
- L2TP does not require a single fixed port to be opened on the firewall as PPTP does. The administrator may choose the port to open, which makes an attacker's job harder when the port being probed can change. (This is obscurity rather than a security control; the firewall rules and the IPSec policy still do the real work.)
- Data and control messages travel over the same UDP port, so the firewall configuration is simpler. Because some firewalls do not support GRE, they are more compatible with L2TP than with PPTP.

L2TP client software

If the ISP's equipment supports L2TP, no additional hardware or software is needed on the client: a standard PPP connection is enough. With such a set-up, however, IPSec encryption cannot be used, so an L2TP-capable client should be used for L2TP VPN connections. Characteristics of L2TP client software include:
- compatibility with the other IPSec components, such as the encryption server, the key exchange protocol and the encryption algorithms;
- a clear indication to the user when IPSec is active;
- integrity processing that copes with dynamically assigned IP addresses;
- key protection (encrypting stored keys with a passphrase);
- automatic, periodic re-keying;
- blocking of all non-IPSec traffic.

Network access server

An ISP offering L2TP service must install an L2TP-capable NAS to support L2TP clients running on different operating systems such as Unix, Windows and Macintosh. An ISP can also offer L2TP service without adding L2TP support to its access servers, in which case every user must run L2TP client software on their own machine. Users can then use the service of several ISPs when their network is geographically widespread.

2.4.6 Advantages, disadvantages and applicability of L2TP

L2TP is a later-generation dial-up VPN access protocol. It combines the best features of PPTP and L2F, and most PPTP product vendors now offer L2TP-compatible products.


Although L2TP runs mainly over IP networks, its ability to run over other technologies such as Frame Relay or ATM adds to its popularity. L2TP allows a large number of remote users to connect to the VPN, as well as high-capacity LAN-to-LAN connections. L2TP has a flow-control mechanism that reduces congestion on the L2TP tunnel. The choice of L2TP service provider may vary with the network design requirements. If the VPN design calls for end-to-end encryption, L2TP-compatible clients must be installed at the remote stations and the ISP must agree that encryption is handled from the remote host all the way to the VPN server. If the network is built with a lower security level and higher fault tolerance, and data only needs protecting while it travels through the tunnel over the Internet, then the ISP is asked to provide the LAC and to encrypt data only on the segment from the LAC to the LNS of the private network; in that model the access link from the client to the LAC carries PPP in the clear. L2TP allows several tunnels to be set up between the same LAC and LNS. Each tunnel can be assigned to a specific user or group of users, and to different environments according to the user's QoS attributes.

2.5 Chapter summary

The level of protection that data receives while crossing the network depends largely on how the enterprise implements its VPN. Chapter 2 has focused on the technical aspects of tunnel-based VPN solutions. Tunnelling plays a very important role in deploying VPNs over the public telecommunications network. The tunnelling protocols introduced here are L2F, PPTP and L2TP. Each was presented in some detail, from the encapsulation scheme and principle of operation, through data processing at the tunnel endpoint, to practical deployment characteristics. The presentation also analysed the properties, strengths and weaknesses of each protocol so as to make clear their capabilities and scope of application.


CHAPTER 3

VIRTUAL PRIVATE NETWORKS OVER IPSec


With the growth and expansion of the Internet, exchanging information between a company's branches and remote offices, or with outside business partners, is no longer as difficult as it once was. Alongside this support for efficient business, however, the risk of data compromise or of destructive attacks across the network is very real. Protecting data in transit over public networks has therefore become especially important. The IPSec (Internet Protocol Security) protocol suite was developed to secure information transmitted over the Internet and is regarded as the most suitable protocol for implementing IP-VPNs. This chapter presents the most important features of IPSec, the operation of the related protocols and standards, and the algorithms and techniques that support VPN implementation over IPSec. The chapter covers:
- Introduction to IPSec
- IPSec information encapsulation
- Security associations (SA) and the IKE key exchange
- Some technical issues in implementing VPN over IPSec
- An example of a VPN implementation over IPSec
- Outstanding issues in IPSec

Chng trnh bi dng kin thc IP v NGN cho k s TVT ca VNPT

33

MNG RING O

3.1 Introduction to IPSec

IPSec was developed by the IETF to provide security in IP networks at the packet level. It is defined as a family of network-layer protocols that provide confidentiality, authentication, data integrity and access control services. It is a set of open standards that work together, first published as RFC 1825 to RFC 1829 in 1995 and later revised in RFC 2401 to RFC 2412 and again in RFC 4301 to RFC 4309. IPSec allows a secure tunnel to be established between two private networks and authenticates both ends of the tunnel. The devices at the two ends may be a pair of hosts, a pair of security gateways (routers, firewalls, VPN concentrators), or a host and a security gateway. The tunnel acts as a secure channel between the two ends, over which packets that require protection are carried. IPSec also performs the encapsulation and handles the information needed to set up, maintain and tear down the channel when it is no longer needed. Packets sent through the tunnel have the same format as ordinary packets and require no change to the devices, architecture or applications of the intermediate network, which significantly reduces deployment and management cost.

IPSec has two basic mechanisms for protecting data: the Authentication Header (AH) and the Encapsulating Security Payload (ESP); an IPSec implementation must support ESP and may support AH. Both AH and ESP provide access control based on the distribution of cryptographic keys and on management of the traffic flows associated with these security protocols. AH provides data-origin authentication, data-integrity checking and an optional anti-replay service for IP packets exchanged between two systems. AH provides no confidentiality: the information it carries travels in the clear. ESP is a protocol that secures the transmitted packets, providing data encryption, data-origin authentication and connectionless data-integrity checking. ESP ensures confidentiality by encrypting the IP packet; all ESP traffic between two systems is encrypted. For this reason ESP tends to be used more widely, to add confidentiality to the data. AH and ESP can be applied alone or in combination to provide the desired set of security services in IPv4 and IPv6, but the services they offer differ.

For both protocols, IPSec does not define specific security algorithms; instead it is a framework that allows standard algorithms to be used. IPSec uses keyed-hash message authentication codes (HMAC) with MD5 (Message Digest 5) or SHA-1 for message integrity; DES or 3DES for data encryption; and pre-shared keys, RSA digital signatures or RSA encrypted nonces to authenticate the parties. The standards also define the use of other ciphers such as IDEA, Blowfish, CAST-128 and RC5 (RFC 2451). Current guidance (RFC 8221) treats DES and HMAC-MD5 as obsolete and 3DES as discouraged; new deployments should use AES (CBC or GCM) with SHA-2 based integrity.

IPSec can use the Internet Key Exchange (IKE) protocol to authenticate the two parties, negotiate the security policies, agree the algorithms used to set up the channel, and exchange keys for each session. A network that uses IPSec to protect its data flows can automatically verify the authenticity of the devices involved through the certificates of the two communicating parties. This negotiation ultimately establishes a security association (SA) between the peers. An SA holds the set of policies, parameters, algorithms and protocols used to encapsulate the data exchanged by the parties in an IPSec session. At each end of an IPSec tunnel the SA determines which traffic is to receive IPSec processing, which security protocol is used (AH or ESP), and which algorithms and keys are used for encryption and authentication. SA information is kept in the security association database, and the combination of a destination address, a security protocol and a Security Parameters Index (SPI) identifies exactly one SA. IPSec was developed with the next-generation IP protocol, IPv6, in mind, but because IPv6 deployment was slow and IP packets needed protecting, IPSec was adapted to IPv4 as well. Support for IPSec is optional in IPv4; in IPv6 it was originally mandatory (RFC 4294) and was later relaxed to a recommendation (RFC 6434). IPSec is the choice for overall VPN security and the preferred option for corporate networks, ensuring trustworthy communication over public IP networks for VPN applications.

3.2 IPSec information encapsulation

3.2.1 Modes of operation

IPSec provides two high-level modes of authentication and encryption for encapsulating information: transport mode and tunnel mode. These two modes are examined below before the AH and ESP protocols are described.

3.2.1.1 Transport mode

In transport mode, protection is applied to the upper-layer protocols of the OSI model (layer 4 and above). This mode protects the payload of the packet but leaves the original IP header intact (Figure 3.1). The original IP addresses are used to route the packet across the Internet.


Figure 3.1 Processing of an IP packet in transport mode

Transport mode has the advantage of adding only a few bytes to the original IP packet. Its disadvantage is that devices along the path can see the source and destination addresses of the packet and can perform some processing (traffic analysis, for example) based on the IP header. If the data is encrypted with ESP, however, they cannot learn the specific contents of the IP packet. According to the IETF, transport mode can only be used when both IP-VPN end systems implement IPSec.

3.2.1.2 Tunnel mode

In tunnel mode, the entire original IP packet, including its header, is authenticated or encrypted and then encapsulated with a new IP header (Figure 3.2). The outer IP addresses are used to route the packet across the Internet.

Figure 3.2 Processing of an IP packet in tunnel mode

This mode allows network devices such as routers to perform IPSec processing on behalf of the end hosts. In the example of Figure 3.3, router A processes packets from host A and sends them into the tunnel; router B processes the packets received from the tunnel, restores them to their original form and forwards them to host B. The end hosts therefore need no changes yet still obtain the data-security properties of IPSec. In addition, with tunnel mode the intermediate devices in the network see only the addresses of the two tunnel endpoints (here routers A and B). With tunnel mode, the IPSec-VPN endpoints need no changes to applications or operating systems.

Figure 3.3 Network devices performing IPSec in tunnel mode

3.2.2 The Authentication Header (AH) protocol

3.2.2.1 Introduction

The Authentication Header protocol was defined in RFC 1826 and later revised in RFC 2402 (and again in RFC 4302). AH provides data-origin authentication, data-integrity checking and an anti-replay service. Two concepts need clarifying here: data integrity and anti-replay. Data integrity means detecting changes to each individual IP packet, regardless of the packet's position in the traffic flow. The anti-replay service detects a packet being delivered to the destination more than once. AH authenticates the fields of the IP header as well as the upper-layer protocol data. Some IP header fields, however, change in transit and the sender cannot predict their value on arrival, so those fields cannot be protected by AH; in other words, AH protects only part of the IP header. AH does nothing to keep upper-layer data confidential: everything is transmitted in clear text. AH is cheaper than ESP, so it can be chosen when only origin authentication and data integrity are required and confidentiality is not.

AH provides authentication by applying a one-way hash function to the packet data to produce an authentication value (hash or message digest), which is inserted into the transmitted packet. Any change to the packet contents in transit is then detected by the receiver, which applies the same one-way hash function to the received data and compares the result with the authentication value sent with the packet. The hash is computed over the whole packet except for the IP header fields whose value changes in transit (the time-to-live, TTL, for example). In practice the hash is keyed (an HMAC), so an attacker who can modify the packet cannot simply recompute the value.

3.2.2.2 AH packet structure

Devices using AH insert a header into the traffic of interest, between the IP header and the layer-4 header. Because AH is tied to the IPSec policy, an IP-VPN can define which traffic is to be protected and which does not need a security solution between the parties; for example, e-mail traffic can be protected while web traffic is left alone. The insertion of the AH header is illustrated in Figure 3.4.

Figure 3.4 Structure of the AH header in an IPSec packet

The fields of the AH header are as follows.

Next Header. An 8-bit field identifying the type of payload that follows AH. The value is taken from the set of IP protocol numbers defined by IANA (TCP 6, UDP 17).

Payload Length. An 8-bit field containing the length of the AH header in 32-bit words, minus 2. For example, with an integrity algorithm that yields a 96-bit authenticator (3 × 32 bits) plus the 3 fixed 32-bit words, this field is 4. For IPv4 the total header length must be a multiple of 32 bits; for IPv6 it must be a multiple of 64 bits (8-octet units).

Reserved. A 16-bit field reserved for future use. It must be set to zero and is included in the authentication data computation.

Security Parameters Index (SPI). A 32-bit field that, together with the destination IP address and the security protocol (here AH), uniquely identifies the SA for the packet. SPI values 1 to 255 are reserved by IANA for future use. The SPI is mandatory and is normally chosen by the receiver when the SA is set up. The value 0 is reserved for local, implementation-specific use and may indicate that no SA exists yet.

Sequence Number. An unsigned 32-bit field holding a counter that increases by one for every packet sent. The field is mandatory and is always included by the sender, even if the receiver does not use the anti-replay service. The sender's and receiver's counters are initialised to 0 when the SA is established, so the first packet has sequence number 1. If the anti-replay service is used, the counter must never repeat: to avoid overflow and repeated sequence numbers, the communication must be terminated and a new SA established before the 2^32nd packet is sent on the current SA.

Authentication Data. Also called the Integrity Check Value (ICV), a variable-length field whose length is an integral multiple of 32 bits for IPv4 or 64 bits for IPv6; it may contain padding to reach that boundary. The ICV is computed with the authentication algorithm, which is a message authentication code (MAC). Commonly the MAC is an HMAC built on MD5 or SHA-1 (HMAC-MD5-96, HMAC-SHA-1-96), truncated to 96 bits. The AH keys are secret authentication keys shared between the communicating peers and should be random, unpredictable values. The ICV is computed for every packet: all mutable IP header fields are set to zero and the upper-layer data is assumed not to change in transit. Each VPN endpoint computes the ICV independently; if the receiver's computed ICV does not match the one sent, the packet is discarded. This ensures that the packet has not been forged or altered.

3.2.2.3 AH processing in transport and tunnel mode

AH operates in the following steps:
Step 1: The entire IP packet (header and payload) is passed through a one-way hash function keyed with the SA's authentication key.
Step 2: The resulting hash is used to build an AH header, which is inserted into the original packet.
Step 3: The packet with the AH header added is transmitted to the IPSec peer.
Step 4: The receiver applies the hash function to the IP header and payload, producing a hash value.
Step 5: The receiver extracts the hash from the AH header.
Step 6: The receiver compares the hash it computed with the hash extracted from the AH header. The two must be identical; if they differ, the receiver immediately detects that the data is not intact.

AH processing depends on the IPSec mode of operation and on the IP version in use. The format of an IPv4 packet before and after AH processing in transport and tunnel mode is shown in Figure 3.5.

Figure 3.5 Format of an IPv4 packet before and after AH processing

The format of an IPv6 packet before and after AH processing is shown in Figure 3.6.

Figure 3.6 Format of an IPv6 packet before and after AH processing
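To make the field definitions of 3.2.2.2 and the six steps of 3.2.2.3 concrete, the following Go program (an added example, not part of the original text) builds an IPv4 packet carrying AH with HMAC-SHA-1-96 (RFC 2404), computes the ICV with the mutable header fields zeroed as RFC 2402 requires, verifies it at the receiver, and enforces the anti-replay window of RFC 2401 Appendix C. The key, addresses and payload are constructed values, and the IP header checksum is left at zero because it is a mutable field that AH excludes from the ICV anyway.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	ahICVLen  = 12            // HMAC-SHA-1-96: 160-bit MAC truncated to 96 bits
	ahHdrLen  = 12 + ahICVLen // three fixed 32-bit words plus the ICV
	ipHdrLen  = 20            // IPv4 without options
	protoAH   = 51
	windowLen = 64 // anti-replay window width in packets
)

// computeICV implements RFC 2402 section 3.3.3: the mutable IPv4 fields (TOS, flags and
// fragment offset, TTL, header checksum) and the Authentication Data are zeroed before hashing.
func computeICV(key, pkt []byte) []byte {
	tmp := append([]byte(nil), pkt...)
	tmp[1] = 0              // TOS
	tmp[6], tmp[7] = 0, 0   // flags + fragment offset
	tmp[8] = 0              // TTL
	tmp[10], tmp[11] = 0, 0 // header checksum
	for i := ipHdrLen + 12; i < ipHdrLen+ahHdrLen; i++ {
		tmp[i] = 0 // Authentication Data
	}
	m := hmac.New(sha1.New, key)
	m.Write(tmp)
	return m.Sum(nil)[:ahICVLen]
}

// buildAH returns IPv4 header || AH || payload for a transport-mode SA (steps 1 to 3).
func buildAH(key []byte, src, dst [4]byte, spi, seq uint32, nextHdr byte, payload []byte) []byte {
	p := make([]byte, ipHdrLen+ahHdrLen+len(payload))
	p[0], p[1] = 0x45, 0x10 // version 4 / IHL 5; TOS is mutable and arbitrary here
	binary.BigEndian.PutUint16(p[2:], uint16(len(p)))
	p[8], p[9] = 64, protoAH // TTL (mutable); IP Protocol = AH
	copy(p[12:], src[:])
	copy(p[16:], dst[:])
	ah := p[ipHdrLen:]
	ah[0], ah[1] = nextHdr, byte(ahHdrLen/4-2) // Next Header; Payload Length = 6 words - 2 = 4
	binary.BigEndian.PutUint32(ah[4:], spi)
	binary.BigEndian.PutUint32(ah[8:], seq)
	copy(ah[ahHdrLen:], payload)
	copy(ah[12:], computeICV(key, p)) // ICV last, computed with the ICV field still zero
	return p
}

// ReplayWindow is the RFC 2401 Appendix C sliding window; bit 0 marks lastSeq itself.
type ReplayWindow struct {
	bitmap  uint64
	lastSeq uint32
}

// Check reports whether seq may be accepted: non-zero, inside or right of the window, not yet seen.
func (w *ReplayWindow) Check(seq uint32) bool {
	if seq == 0 {
		return false
	}
	if seq > w.lastSeq {
		return true
	}
	diff := w.lastSeq - seq
	return diff < windowLen && w.bitmap&(1<<diff) == 0
}

// Update records seq; it must only be called after the ICV has verified.
func (w *ReplayWindow) Update(seq uint32) {
	if seq > w.lastSeq {
		if shift := seq - w.lastSeq; shift >= windowLen {
			w.bitmap = 0
		} else {
			w.bitmap <<= shift
		}
		w.lastSeq = seq
		w.bitmap |= 1
		return
	}
	w.bitmap |= 1 << (w.lastSeq - seq)
}

// verifyAH performs steps 4 to 6 plus the anti-replay check; it returns Next Header and payload.
func verifyAH(key, pkt []byte, w *ReplayWindow) (byte, []byte, error) {
	if len(pkt) < ipHdrLen+ahHdrLen || pkt[0] != 0x45 || pkt[9] != protoAH {
		return 0, nil, errors.New("ah: not an option-less IPv4 packet carrying AH")
	}
	if int(pkt[ipHdrLen+1]) != ahHdrLen/4-2 {
		return 0, nil, errors.New("ah: unexpected Payload Length")
	}
	seq := binary.BigEndian.Uint32(pkt[ipHdrLen+8:])
	if !w.Check(seq) {
		return 0, nil, errors.New("ah: replayed or stale sequence number")
	}
	if !hmac.Equal(pkt[ipHdrLen+12:ipHdrLen+ahHdrLen], computeICV(key, pkt)) {
		return 0, nil, errors.New("ah: ICV mismatch")
	}
	w.Update(seq) // the window advances only for authenticated packets
	return pkt[ipHdrLen], pkt[ipHdrLen+ahHdrLen:], nil
}

func main() {
	key := []byte("0123456789abcdef0123") // constructed 160-bit authentication key
	var w ReplayWindow
	pkt := buildAH(key, [4]byte{10, 0, 0, 1}, [4]byte{10, 0, 0, 2}, 0x100, 1, 17, []byte("udp payload"))
	pkt[8]-- // a router decrements TTL in transit; the ICV must still verify
	next, payload, err := verifyAH(key, pkt, &w)
	fmt.Println(next, string(payload), err)
	_, _, err = verifyAH(key, pkt, &w) // the same packet again: rejected as a replay
	fmt.Println(err)
}
```

Two details matter for correctness: the ICV is compared with a constant-time function, and the replay window is only advanced after the ICV has verified, so an attacker who forges sequence numbers cannot push the window forward and cause genuine packets to be dropped.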


3.2.3 The Encapsulating Security Payload (ESP) protocol

3.2.3.1 Introduction

ESP was defined in RFC 1827 and later revised in RFC 2406 (and again in RFC 4303). Like AH, it was developed entirely for IPSec. ESP is used when confidentiality of the IPSec traffic is required: it provides data confidentiality by encrypting the packets. In addition, ESP offers data-origin authentication, data-integrity checking, an anti-replay service and limited traffic-flow confidentiality. The set of services provided by ESP depends on the options chosen when the security association is established; the confidentiality service is selected independently of the others. However, if the authentication and integrity services are not used together with encryption, the protection is not sound, because encryption without integrity protection is open to undetected tampering. The authentication and integrity services always go together, and the anti-replay service can only be used if authentication is selected. Figure 3.7 illustrates the ESP encapsulation.

Figure 3.7 ESP encapsulation

ESP operates differently from AH: it encapsulates all or part of the original data. Because of its good support for confidentiality, ESP tends to be used more widely than AH.

3.2.3.2 ESP packet structure

The ESP packet structure is shown in Figure 3.8. The fields of an ESP packet may be mandatory or optional. Mandatory fields are present in every ESP packet; the choice of optional fields is defined during security-association establishment, so the ESP format for a given SA is fixed for the lifetime of that SA.


Figure 3.8 ESP packet format

The fields of the ESP packet are as follows.

SPI (Security Parameters Index). An arbitrary 32-bit value that, together with the destination IP address and the security protocol (ESP), uniquely identifies the SA for the packet. SPI values 1 to 255 are reserved by IANA for future use, and 0 is reserved for local use. The SPI is mandatory and is normally chosen by the receiver when the SA is set up.

Sequence Number. As for the Sequence Number field of AH.

Payload Data. A mandatory field containing a variable number of bytes of the original data, or of the part of it that requires protection, as described by the Next Header field. The field is encrypted with the encryption algorithm chosen during SA establishment. If the algorithm requires an initialisation vector (IV), the IV is also carried here. The algorithm most commonly used with ESP at the time of writing was DES-CBC; others such as 3DES and CDMF were also supported. (Today DES must not be used and 3DES is discouraged; AES-CBC and AES-GCM are the mandatory algorithms under RFC 8221.)

Padding. The padding field is present for several reasons. If the cipher requires the plaintext to be a multiple of some block size (as with a block cipher), padding fills the plaintext (Payload Data, Padding, Pad Length and Next Header) to the required size. Padding is also needed to ensure that the ciphertext ends on a 4-byte boundary, so that it is clearly delimited from the Authentication Data field. Padding can also be used to conceal the true length of the payload, although this use must be weighed against its cost in transmission bandwidth.

Pad Length. Specifies the number of padding bytes added. It is mandatory and takes values from 0 to 255.

Next Header. A mandatory 8-bit field identifying the type of data carried in the payload, for example an IPv6 extension header or the identifier of an upper-layer protocol. The value is taken from the IP Protocol Numbers defined by IANA.

Authentication Data. A variable-length field containing the Integrity Check Value (ICV) computed over the whole ESP packet except the Authentication Data field itself. Its length depends on the authentication algorithm. The field is optional and is present only if the authentication service was selected for the SA. The authentication algorithm specification must state the ICV length, the processing steps and the comparison rules used to verify packet integrity.

3.2.3.3 ESP processing in transport and tunnel mode

ESP processing depends on the IPSec mode of operation and on the IP version in use. The format of an IPv4 packet before and after ESP processing in transport and tunnel mode is shown in Figure 3.9.

Figure 3.9 Format of an IPv4 packet before and after ESP processing

The format of an IPv6 packet before and after ESP processing is shown in Figure 3.10.

Figure 3.10 Format of an IPv6 packet before and after ESP processing

IPSec can support AH and ESP in permitted combinations of transport and tunnel mode. For example, tunnel mode can be used to encrypt and authenticate the packets and their headers, and then AH or ESP, or both, can be applied in transport mode to protect the newly created outer header. AH and ESP are not normally combined within a single tunnel-mode SA, because ESP has its own optional authentication; that option is used in tunnel mode when packets need both encryption and authentication. (RFC 2401 does allow both protocols to be applied to the same traffic through SA bundles, which are described in 3.3.1.2.)

3.2.3.4 Encryption with ESP

Encryption algorithms

The encryption algorithm is determined by the SA. ESP works with symmetric ciphers. Because IP packets may arrive out of order, each packet must carry the information the receiver needs to establish cryptographic synchronisation for decryption. This data may be carried in the Payload field, for example as an initialisation vector (IV), or derived from the packet header. Because of the Padding field, the ciphers used with ESP may be block or stream ciphers. Since the confidentiality service is optional, the encryption algorithm is not mandatory. The authentication algorithm used to compute the ICV is also determined by the SA; for point-to-point communication, suitable algorithms are keyed one-way hash functions (HMAC-MD5, HMAC-SHA-1). Since the authentication service is optional, the authentication algorithm is not mandatory either. The following algorithms may be used with ESP:
- DES and 3DES in CBC mode;
- HMAC with MD5;
- HMAC with SHA-1;
- no authentication algorithm;
- no encryption algorithm.
Other algorithms may be supported in addition to these. Note that at least one of the two services, encryption or authentication, must be applied: the two null algorithms may not be selected together.

Decryption

If ESP uses encryption, the packet must be decrypted; if the confidentiality service is not used, there is no decryption at the receiver. Decryption proceeds as follows:
- Decrypt the ESP data (Payload Data, Padding, Pad Length and Next Header) using the key, cipher and cipher mode specified by the SA.
- Process the padding according to the algorithm specification. The receiver must find and remove the padding before passing the decrypted data to the upper layer.
- Reconstruct the original IP packet from the original IP header and the upper-layer protocol information in the ESP payload (transport mode), or from the outer IP header and the whole original IP packet in the ESP payload (tunnel mode).
If the authentication service is also selected, ICV verification and decryption may be performed sequentially or in parallel. If sequentially, ICV verification must come first; if in parallel, ICV verification must complete before the decrypted packet is passed to the next processing step. This order allows invalid packets to be discarded quickly, and it also denies an attacker any feedback from the decryption step (padding errors, for example) that could be used as an oracle.
Decryption may fail for several reasons:
- the wrong SA was selected (because the SPI, destination address or protocol field was wrong);
- the padding length or its contents are wrong;
- the encrypted ESP packet is corrupted.
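The ESP encapsulation of 3.2.3.2 and the decryption procedure just described, carried through in Go as an added example (not code from the original material). It uses AES-128-CBC with HMAC-SHA-1-96, the RFC 4303 padding scheme (bytes 1, 2, 3, ... so the receiver can check them), verifies the ICV before touching the ciphertext, and returns the Next Header value so the caller can tell tunnel mode (4, an inner IPv4 packet) from transport mode (for example 17 for UDP). Keys and the IV are constructed constants; a real SA would use IKE-negotiated keys and a fresh, unpredictable IV for every packet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const espICVLen = 12 // HMAC-SHA-1-96

// ESPKeys are the two symmetric keys of one ESP SA (constructed here, normally from IKE).
type ESPKeys struct {
	Enc  []byte // 16 bytes for AES-128
	Auth []byte // 20 bytes for HMAC-SHA-1
}

// ESPPlain is the result of a successful decapsulation.
type ESPPlain struct {
	SPI, Seq uint32
	NextHdr  byte
	Payload  []byte
}

func espICV(key, data []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(data)
	return m.Sum(nil)[:espICVLen]
}

// espEncap returns SPI || Seq || IV || E(payload || padding || PadLen || NextHdr) || ICV.
func espEncap(k ESPKeys, spi, seq uint32, iv []byte, nextHdr byte, payload []byte) ([]byte, error) {
	blk, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize() // iv must be exactly one block (16 bytes for AES)
	// RFC 4303 section 2.4: pad so payload + padding + the 2 trailer bytes fills whole blocks,
	// which also lands the ciphertext on a 4-byte boundary; pad bytes are 1, 2, 3, ...
	padLen := (bs - (len(payload)+2)%bs) % bs
	plain := append([]byte(nil), payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i))
	}
	plain = append(plain, byte(padLen), nextHdr)
	out := make([]byte, 8, 8+bs+len(plain)+espICVLen)
	binary.BigEndian.PutUint32(out[0:], spi)
	binary.BigEndian.PutUint32(out[4:], seq)
	out = append(out, iv...)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, plain)
	out = append(out, ct...)
	return append(out, espICV(k.Auth, out)...), nil // ICV covers SPI, Seq, IV and ciphertext
}

// espDecap verifies the ICV first (RFC 4303 section 3.4.4), then decrypts and strips the trailer.
func espDecap(k ESPKeys, pkt []byte) (*ESPPlain, error) {
	blk, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	if len(pkt) < 8+2*bs+espICVLen {
		return nil, errors.New("esp: packet too short")
	}
	body, tag := pkt[:len(pkt)-espICVLen], pkt[len(pkt)-espICVLen:]
	if !hmac.Equal(tag, espICV(k.Auth, body)) {
		return nil, errors.New("esp: ICV mismatch, dropped before decryption")
	}
	iv, ct := body[8:8+bs], body[8+bs:]
	if len(ct)%bs != 0 {
		return nil, errors.New("esp: ciphertext is not a block multiple")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	start := len(plain) - 2 - padLen
	if start < 0 {
		return nil, errors.New("esp: Pad Length exceeds plaintext")
	}
	for i := 0; i < padLen; i++ { // RFC 4303 lets the receiver check the 1, 2, 3, ... pattern
		if plain[start+i] != byte(i+1) {
			return nil, errors.New("esp: padding content invalid")
		}
	}
	return &ESPPlain{
		SPI: binary.BigEndian.Uint32(body[0:]), Seq: binary.BigEndian.Uint32(body[4:]),
		NextHdr: plain[len(plain)-1], Payload: plain[:start],
	}, nil
}

func main() {
	k := ESPKeys{Enc: []byte("0123456789abcdef"), Auth: []byte("01234567890123456789")}
	iv := []byte("fedcba9876543210") // constructed; never reuse an IV with the same key
	// Tunnel mode: the payload is a (constructed, truncated) inner IPv4 header, Next Header = 4.
	inner := []byte{0x45, 0, 0, 0x1c, 0, 1, 0, 0, 0x40, 0x11, 0, 0, 10, 1, 0, 5, 10, 2, 0, 9}
	pkt, err := espEncap(k, 0x1000, 1, iv, 4, inner)
	if err != nil {
		panic(err)
	}
	r, err := espDecap(k, pkt)
	fmt.Printf("spi=%#x seq=%d next=%d inner=% x err=%v\n", r.SPI, r.Seq, r.NextHdr, r.Payload, err)
}
```

The anti-replay check from the AH example applies unchanged to the Seq field here and belongs between the ICV check and the decryption; it is omitted to keep the block focused on encapsulation.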

3.3 Security associations and key exchange

3.3.1 Security associations

3.3.1.1 Types of security association

IPSec offers many choices for implementing network-layer encryption and authentication solutions. This section defines the security management procedures for both IPv4 and IPv6 to apply AH, ESP or both, as the user chooses. When an IPSec connection is established, the two parties must decide exactly which algorithms will be used and which services need protecting. They then negotiate to select a set of parameters and algorithms to apply for encryption or authentication. As introduced above, the security relationship between two or more entities that agree to communicate securely is called a security association (SA). An SA is a simplex (one-way) connection, so every pair of peers A and B has at least two SAs (one from A to B and one from B to A). When traffic is to flow in both directions over the VPN, the IKE key exchange protocol sets up a pair of SAs and may later set up further SAs. Each SA has its own lifetime. An SA is uniquely identified by a triple: the Security Parameters Index (SPI), the destination IP address and a security-protocol identifier (AH or ESP). In principle the destination address may be a unicast, broadcast or multicast address; however, the current IPSec SA-management mechanisms are defined only for unicast SAs.

There are two types of SA, transport and tunnel, depending on the mode of the protocol used. A transport-mode SA is an SA between two hosts, or where required between two intermediate systems along the path. Alternatively, transport mode can also be used to support IP-in-IP or GRE tunnels carried over transport-mode SAs. A tunnel-mode SA is essentially an SA applied to an IP tunnel. An SA between two security gateways is a typical tunnel-mode SA, as is an SA between a host and a security gateway. However, where traffic is destined to the gateway itself, such as SNMP commands, the security gateway acts as a host and transport mode is permitted.

An SA offers many choices of IPSec services, depending on the security protocol selected (AH or ESP), the SA type, the SA endpoints and a number of optional services within the protocol used. For example, when AH is used to verify data origin and connectionless integrity of IP packets, the anti-replay service may or may not be used, as the parties choose.

When one IP-VPN end wants to send IPSec traffic to the other, it checks whether an SA already exists in its database that the two parties can use for the required security service. If an SA is found, it places that SA's SPI in the IPSec header, performs the cryptographic processing and sends the packet. The receiver takes the SPI, destination address and IPSec protocol (AH or ESP) and looks up the matching SA in its database to process the packet. Note that a single IP-VPN endpoint may have several IPSec connections at once, and thus several SAs.

3.3.1.2 Combining security associations

IP packets sent over a single SA are protected by exactly one security protocol, AH or ESP, never both. Sometimes a security policy requires a combination of services for a particular traffic flow that cannot be achieved with a single SA. In that case several SAs must be used to implement the required policy. The term SA bundle denotes a sequence of SAs set up to process traffic so as to satisfy a set of security policies. For tunnel mode there are three typical cases of combining SAs, presented below.

Both endpoints of the SAs coincide. Each tunnel, inner or outer, may be AH or ESP, although host 1 may specify that both tunnels are the same, that is AH inside AH or ESP inside ESP (Figure 3.11).

Figure 3.11 Combining tunnel-mode SAs when both endpoints coincide (host 1, security gateway 1, Internet, security gateway 2, host 2; SA 1 (tunnel) and SA 2 (tunnel) run between the same pair of endpoints)

One endpoint of the SAs coincides. The inner or outer tunnel may be AH or ESP (Figure 3.12).

Figure 3.12 Combining tunnel-mode SAs when one endpoint coincides (host 1, security gateway 1, Internet, security gateway 2, host 2; SA 1 (tunnel) and SA 2 (tunnel) share one endpoint)

Neither endpoint of the SAs coincides. Each tunnel, inner or outer, may be AH or ESP (Figure 3.13).

Figure 3.13 Combining tunnel-mode SAs when no endpoints coincide (host 1, security gateway 1, Internet, security gateway 2, host 2; SA 1 and SA 2 (tunnel) are nested between different pairs of endpoints)

Details of SA combination are given in RFC 2401.

3.3.1.3 Security association databases

There are two security-related databases:
- the Security Policy Database (SPD);
- the Security Association Database (SAD).
The SPD specifies which security services are to be offered to IP traffic, depending on factors such as source, destination and direction (inbound or outbound). It contains an ordered list of policy entries, kept separately for inbound and outbound traffic. The entries may specify that some traffic bypasses IPSec processing, that some is to be discarded, and that the rest is to be processed by IPSec. These entries are analogous to the rules of a firewall or packet filter. The SAD holds the parameters of each SA, such as the AH or ESP algorithms and keys, the sequence number counter, the protocol mode and the SA lifetime. For outbound processing, an SPD entry points to an entry in the SAD, and the SAD determines which SA is used for the packet. For inbound processing, the SAD is consulted to decide how the packet is processed.

3.3.2 The IKE key exchange

An IPSec connection is only formed once an SA has been established, yet IPSec itself has no mechanism for establishing SAs. The IETF therefore chose to split IPSec connection set-up into two parts: IPSec provides the packet-level processing, while an Internet Key Management Protocol (IKMP) is responsible for negotiating the security associations. After considering several candidates, including IKE (Internet Key Exchange), SKIP (Simple Key-Management for Internet Protocols) and Photuris, the IETF chose IKE as the standard for configuring IPSec SAs. An IPSec-VPN tunnel is set up between two parties in the following steps:
- Step 1. Determine which traffic is of interest, that is, which traffic arriving at an interface requires an IPSec session to be set up;
- Step 2. Negotiate, using IKE in Main Mode or Aggressive Mode, to create an IKE security association (IKE SA) between the IPSec peers;
- Step 3. Negotiate, using IKE in Quick Mode, to create two IPSec SAs between the two IPSec peers;
- Step 4. Data begins to flow through the encrypted tunnel using ESP or AH encapsulation (or both);
- Step 5. The IPSec-VPN tunnel is terminated (because the IPSec SA has ended, expired or been deleted).
Although the set-up consists of several steps, the second and third are the most important. These two steps make clear that IKE has two phases: the first uses Main Mode or Aggressive Mode for the exchange between the parties, and the second is completed using Quick Mode (Figure 3.14).
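The SPD and SAD lookups of 3.3.1.3, the SA triple of 3.3.1.1 and step 1 above (deciding which traffic is "interesting"), carried through in Go as an added example; the prefixes, ports, SPIs and peer addresses are constructed and are not from the original text. The SPD is an ordered list whose first match wins, with three outcomes (bypass, discard, protect), and the SAD is keyed by (SPI, destination, protocol), so an SPI issued for ESP never matches an AH packet and an SPI chosen by the peer never matches inbound traffic.

```go
package main

import (
	"fmt"
	"net"
)

// Action is the SPD verdict for a flow (RFC 2401 section 4.4.1).
type Action int

const (
	Bypass  Action = iota // forward in the clear: the "deny" of a crypto ACL
	Discard               // drop
	Protect               // apply IPSec: the "permit" of a crypto ACL
)

// Selector describes the traffic an SPD entry applies to; 0 means "any" for Proto and DstPort.
type Selector struct {
	Src, Dst *net.IPNet
	Proto    uint8
	DstPort  uint16
}

type Packet struct {
	Src, Dst net.IP
	Proto    uint8
	DstPort  uint16
}

func (s Selector) Match(p Packet) bool {
	return s.Src.Contains(p.Src) && s.Dst.Contains(p.Dst) &&
		(s.Proto == 0 || s.Proto == p.Proto) && (s.DstPort == 0 || s.DstPort == p.DstPort)
}

// SPDEntry: for Protect, SecProto (50 = ESP, 51 = AH) and Peer say which SA is needed.
type SPDEntry struct {
	Sel      Selector
	Act      Action
	SecProto uint8
	Peer     net.IP
}

// SAKey is the triple that uniquely identifies an SA (RFC 2401 section 4.1).
type SAKey struct {
	SPI   uint32
	Dst   string // textual IP so the struct is usable as a map key
	Proto uint8
}

type SA struct {
	Key          SAKey
	Cipher, Auth string
	LifetimeSec  int
}

type IPSecDB struct {
	SPD []SPDEntry // ordered; first match wins
	SAD map[SAKey]*SA
}

// Outbound consults the SPD and, for Protect, finds the SA towards the peer (RFC 2401 section 5.1).
func (db *IPSecDB) Outbound(p Packet) (Action, *SA, error) {
	for _, e := range db.SPD {
		if !e.Sel.Match(p) {
			continue
		}
		if e.Act != Protect {
			return e.Act, nil, nil
		}
		for _, sa := range db.SAD {
			if sa.Key.Proto == e.SecProto && sa.Key.Dst == e.Peer.String() {
				return Protect, sa, nil
			}
		}
		return Protect, nil, fmt.Errorf("no SA to %v: trigger IKE", e.Peer)
	}
	return Discard, nil, nil // no policy matches: RFC 2401 says discard
}

// Inbound demultiplexes a received AH/ESP packet by (SPI, dst, proto) (RFC 2401 section 5.2).
func (db *IPSecDB) Inbound(spi uint32, dst net.IP, proto uint8) (*SA, error) {
	if sa, ok := db.SAD[SAKey{spi, dst.String(), proto}]; ok {
		return sa, nil
	}
	return nil, fmt.Errorf("no SA for SPI %#x proto %d: drop and audit", spi, proto)
}

func cidr(s string) *net.IPNet { _, n, _ := net.ParseCIDR(s); return n } // inputs are literals

// SampleDB is a constructed two-site policy: protect mail between the LANs, bypass web, drop the rest.
func SampleDB() *IPSecDB {
	peer, me := net.ParseIP("203.0.113.2"), net.ParseIP("203.0.113.1")
	db := &IPSecDB{SAD: map[SAKey]*SA{}}
	db.SPD = []SPDEntry{
		{Selector{cidr("10.1.0.0/16"), cidr("10.2.0.0/16"), 6, 25}, Protect, 50, peer},
		{Selector{cidr("10.1.0.0/16"), cidr("0.0.0.0/0"), 6, 80}, Bypass, 0, nil},
		{Selector{cidr("0.0.0.0/0"), cidr("10.1.0.0/16"), 0, 0}, Discard, 0, nil},
	}
	out := SAKey{0x1000, peer.String(), 50} // SPI chosen by the peer, the receiver of this SA
	in := SAKey{0x2000, me.String(), 50}    // SPI chosen by us for the SA we receive on
	db.SAD[out] = &SA{Key: out, Cipher: "aes128-cbc", Auth: "hmac-sha1-96", LifetimeSec: 3600}
	db.SAD[in] = &SA{Key: in, Cipher: "aes128-cbc", Auth: "hmac-sha1-96", LifetimeSec: 3600}
	return db
}

func main() {
	db := SampleDB()
	act, sa, err := db.Outbound(Packet{net.ParseIP("10.1.0.5"), net.ParseIP("10.2.0.9"), 6, 25})
	fmt.Println(act, sa.Key, err) // Protect via SPI 0x1000 towards 203.0.113.2
	_, err = db.Inbound(0x2000, net.ParseIP("203.0.113.1"), 51)
	fmt.Println(err) // an AH packet must not match the ESP SA's SPI
}
```

The final Discard entry matters: an inbound policy that requires IPSec for a flow must also drop clear-text packets of that flow, otherwise an attacker can bypass the tunnel simply by sending unprotected traffic.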
Figure 3.14 IKE phases and exchange modes. Phase I creates the ISAKMP SA using Main Mode (6 messages) or Aggressive Mode (3 messages). Each new IPSec tunnel then requires a Phase II Quick Mode exchange, which creates the IPSec SAs over which the protected data flows.

The steps and the purpose of each IKE phase are examined in detail below.

3.3.2.1 Step one

Deciding which traffic to protect is part of the VPN security policy. The policy is used to decide which traffic is protected; other traffic is sent in clear text. The security policy is expressed in an access list. Both peers must hold matching lists, and there may be several access lists for different purposes between the peers. These lists are called access control lists (ACLs); they are simply extended IP access lists that the routers use to know which traffic to encrypt. An ACL works through Permit and Deny statements. Figure 3.15 shows how the ACL controls encryption when Permit and Deny are applied at the source and at the destination.

Figure 3.15 Encryption access control with a crypto ACL. At the source, a clear-text packet that matches Permit is passed to IPSec and leaves as an AH or ESP packet, while a Deny match forwards it in clear text. At the destination, a received AH or ESP packet that matches Permit is handed to IPSec, and a Deny match lets clear-text traffic through.

The keywords Permit and Deny have different meanings at the source and at the destination device. At the source:
Permit: pass the traffic to IPSec for authentication, encryption or both. IPSec modifies the packet by inserting an AH or ESP header, possibly encrypting part or all of the original packet, and sends it to the destination.
Deny: let the traffic through and deliver the packets in clear text to the receiver.
At the destination:
Permit: pass the traffic to IPSec for authentication, decryption or both. The ACL uses the header information to decide; in the ACL logic, if the header contains the right source, destination and protocol, the packet was processed by IPSec at the sender and must therefore be processed at the receiver.
Deny: let the traffic through on the assumption that it was sent in clear text.
When Permit and Deny are combined correctly between source and destination, data is transmitted and protected successfully; when they do not match, data is discarded. One asymmetry deserves attention: a Deny at the receiver that is broader than the sender's Permit would accept clear-text packets for a flow that should have been protected, so the receiver's policy must require IPSec for that flow and discard unprotected packets that claim to belong to it (RFC 2401 requires inbound packets to be checked against the policy after decapsulation).

3.3.2.2 Step two

Step two is IKE phase one. The purposes of this phase are:
- to negotiate a set of parameters used to authenticate the two parties and to encrypt part of the Main Mode exchange (the whole of the subsequent Quick Mode exchange is encrypted; if Aggressive Mode is used, none of its messages are encrypted);
- to authenticate the two VPN parties to each other;
- to generate keying material from which the keys used to encrypt data are derived as soon as negotiation completes.
All information negotiated in Main or Aggressive Mode, including the keying material later used to derive the data-encryption keys, is stored as the IKE or ISAKMP (Internet Security Association and Key Management Protocol) security association. Either party holds only one ISAKMP SA for the peer.

Figure 3.16 IKE phase one using Main Mode

Main Mode consists of 6 messages (3 two-way exchanges) between the initiator and the responder (Figure 3.16):
- First exchange. The encryption and authentication algorithms used to protect the IKE exchanges are negotiated and agreed between the peers.
- Second exchange. A Diffie-Hellman exchange generates shared secret keys, and nonces (random numbers) are exchanged to be signed by each peer as proof of identity. The shared secret is used to derive all the other encryption and authentication keys.
- Third exchange. The identities of the peers are verified.
The result of Main Mode is a secure channel for the subsequent exchanges between the peers. Aggressive Mode uses only 3 messages. Most of the work happens in the first message: the initiator proposes its IKE policy sets, sends its Diffie-Hellman public value and an identity payload that can be used to authenticate it through a third party. The responder replies with everything needed to complete the exchange, and finally the initiator confirms the exchange. Because the identities in Aggressive Mode travel unencrypted, and with pre-shared keys the authentication hash can be captured and attacked offline, Main Mode is preferred wherever identity protection matters.
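The policy-set negotiation of the first exchange, explained in the paragraphs that follow, as an added Go example (not from the original text). The initiator offers its policies in priority order, the responder accepts the first one that matches its own on cipher, hash, authentication method and Diffie-Hellman group, and the shorter lifetime wins; if nothing matches, the tunnel is refused. A final check flags agreed parameters that current guidance (RFC 8247, written for IKEv2 but equally applicable to these algorithms) considers obsolete. Policy numbers and values are constructed, modelled on the Policy 10/20 versus Policy 15 example given below.

```go
package main

import (
	"fmt"
	"sort"
)

// IKEPolicy is one phase-one policy set (the attributes of one ISAKMP proposal).
type IKEPolicy struct {
	Priority int    // lower number is tried first
	Encr     string // "aes-256", "aes-128", "3des", "des"
	Hash     string // "sha256", "sha1", "md5"
	Auth     string // "psk", "rsa-sig", "rsa-encr"
	DHGroup  int    // 1, 2, 5, 14, ...
	Lifetime int    // seconds; not a matching attribute, the shorter value is adopted
}

// Compatible compares the attributes that must agree exactly.
func Compatible(a, b IKEPolicy) bool {
	return a.Encr == b.Encr && a.Hash == b.Hash && a.Auth == b.Auth && a.DHGroup == b.DHGroup
}

// Negotiate models the first Main Mode exchange: the initiator proposes all its policies and
// the responder picks the first acceptable one in the initiator's priority order.
func Negotiate(initiator, responder []IKEPolicy) (IKEPolicy, bool) {
	offer := append([]IKEPolicy(nil), initiator...) // sort a copy, not the caller's slice
	sort.Slice(offer, func(i, j int) bool { return offer[i].Priority < offer[j].Priority })
	for _, ip := range offer {
		for _, rp := range responder {
			if Compatible(ip, rp) {
				agreed := ip
				if rp.Lifetime < agreed.Lifetime {
					agreed.Lifetime = rp.Lifetime
				}
				return agreed, true
			}
		}
	}
	return IKEPolicy{}, false // no common policy: the tunnel is rejected
}

// Weak lists the agreed attributes that should no longer be deployed.
func Weak(p IKEPolicy) []string {
	var out []string
	switch p.Encr {
	case "des":
		out = append(out, "DES is MUST NOT (RFC 8247)")
	case "3des":
		out = append(out, "3DES is SHOULD NOT (RFC 8247)")
	}
	if p.Hash == "md5" {
		out = append(out, "MD5 is obsolete; use SHA-2")
	}
	if p.DHGroup <= 2 {
		out = append(out, fmt.Sprintf("MODP group %d is too small; use group 14 or stronger", p.DHGroup))
	}
	return out
}

func main() {
	routerA := []IKEPolicy{
		{10, "aes-128", "sha1", "psk", 2, 86400},
		{20, "3des", "md5", "psk", 1, 86400},
	}
	routerB := []IKEPolicy{{15, "aes-128", "sha1", "psk", 2, 3600}}
	if p, ok := Negotiate(routerA, routerB); ok {
		fmt.Printf("agreed: %+v\nwarnings: %v\n", p, Weak(p))
	}
	_, ok := Negotiate(routerA, []IKEPolicy{{15, "aes-256", "sha256", "rsa-sig", 14, 3600}})
	fmt.Println("second peer accepted:", ok) // false: no matching policy
}
```

Keeping a weak fallback policy such as Policy 20 in the list is a common operational mistake: a peer that only offers the weak set will still get a tunnel, so the list should contain only policies one is willing to run.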

VIRTUAL PRIVATE NETWORKS

IKE policy sets

When a secure VPN connection is set up between two hosts A and B over the Internet, a tunnel is established between routers A and B. Through the tunnel, the encryption and authentication protocols and a number of other protocols are agreed. Instead of negotiating each protocol separately, the protocols are grouped into sets called IKE policy sets. The IKE policy sets are exchanged in the first exchange of IKE phase one. If a matching policy is found on both sides, the exchange continues. If no matching policy is found, the tunnel is torn down. For example, router A sends its policy sets IKE Policy 10 and 20 to B. Router B compares its own policy set, IKE Policy 15, with the sets received from A. In this case a matching policy is found: IKE Policy 10 of router A and IKE Policy 15 of router B are equivalent. In a point-to-point application each side only needs to define one IKE policy set. A central site, however, may have to define several IKE policies to meet the needs of all its remote peers.

Diffie-Hellman key exchange

The Diffie-Hellman key exchange is a public-key method that lets two parties establish a shared secret key over an insecure communication medium. Seven Diffie-Hellman algorithms, or groups, are defined (DH 1 to 7). In IKE phase one the peers must agree on the Diffie-Hellman group to use. Once the group is agreed, the shared secret key is computed.

Peer authentication

The last exchange of IKE phase one authenticates the peer, that is, it checks who is at the other end of the VPN tunnel. The devices at both ends of the VPN tunnel must be authenticated before the channel is considered secure. Three methods support data origin authentication: pre-shared keys, RSA digital signatures and RSA-encrypted nonces.

3.3.2.3 Step three

Step three is IKE phase two. The purpose of this phase is to negotiate the IPSec security parameters used to protect the tunnel. Only one mode, quick mode, is used for IKE phase two. IKE phase two performs the following functions:
- Negotiate the IPSec security parameters, the IPSec transform sets;
- Establish the IPSec security associations;
- Periodically renegotiate the IPSec SAs to keep the tunnel secure;
- Optionally perform an additional Diffie-Hellman exchange (new SAs and keys are created, increasing the security of the tunnel).
Quick mode is also used to negotiate a new security association when the old one expires. The peers then do not need to go back to step two and can still establish an SA for the new communication session.

IPSec transform sets

The final goal of IKE phase two is to establish a secure IPSec session between the two VPN endpoints. Before that can happen, each pair of endpoints in turn negotiates the required level of security (for example the authentication and encryption algorithms used in the session). Instead of negotiating each protocol or algorithm individually, the protocols and algorithms are grouped into sets called IPSec transform sets. The transform sets are exchanged between the two sides in quick mode. If an equivalent transform set is found on both sides, session establishment continues; otherwise the session is dropped.

Figure 3.17 Exchange of IPSec transform sets

Figure 3.17 shows an example of exchanging IPSec transform sets. Router A sends transform sets 30 and 40 to B; router B finds that its transform set 50 matches A's transform set 30, and the authentication and encryption algorithms in these transform sets form a security association.

Establishing the security association

Once a transform set has been agreed between the two sides, each IP-VPN device enters this information into a database. This information is known as a security association (SA). The IP-VPN device then numbers each SA with a Security Parameter Index (SPI). When a packet is to be sent between the two VPN endpoints, the devices rely on the peer address, the SPI and the IPSec algorithms in use to process the packet before sending it through the tunnel.

Lifetime of a security association

The longer the lifetime of a security association, the greater the chance that it is compromised. To keep a session secure, the keys and SAs must be changed regularly. The lifetime of an SA can be measured in two ways: by the amount of data transferred and in seconds. Keys and SAs remain valid until the SA lifetime expires or until the tunnel is torn down, at which point the SA is deleted.

3.3.2.4 Step four
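The proposal matching used for IKE policy sets in phase one (section on IKE policy sets above) and for IPSec transform sets in phase two (figure 3.17) follows the same pattern, so one added Python example, not part of the original material, serves both. The policy numbers, algorithm names and lifetimes reproduce the figures' numbering but are otherwise constructed; the rule "try the initiator's proposals in order of preference and accept the first one the responder also holds" and the choice of the shorter lifetime when they differ are the assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IkePolicy:
    number: int          # policy number; a lower number is preferred
    encryption: str
    hash: str
    auth: str
    dh_group: int
    lifetime: int        # seconds

    def key(self):
        return (self.encryption, self.hash, self.auth, self.dh_group)


@dataclass(frozen=True)
class TransformSet:
    name: str
    protocol: str                 # "esp" or "ah"
    encryption: Optional[str]     # None for AH (no encryption)
    auth: str

    def key(self):
        return (self.protocol, self.encryption, self.auth)


def negotiate(offered, local):
    """Return the first (offered, local) pair whose algorithms agree, or None.
    Offered proposals are tried in the order given (most preferred first)."""
    by_key = {}
    for item in local:
        by_key.setdefault(item.key(), item)
    for proposal in offered:
        match = by_key.get(proposal.key())
        if match is not None:
            return proposal, match
    return None


def ike_phase1(initiator_policies, responder_policies):
    """First main-mode exchange: the agreed policy numbers and the shorter of the
    two lifetimes (this model's rule), or None when the tunnel is torn down."""
    result = negotiate(sorted(initiator_policies, key=lambda p: p.number),
                       responder_policies)
    if result is None:
        return None
    offered, local = result
    return {"initiator": offered.number, "responder": local.number,
            "lifetime": min(offered.lifetime, local.lifetime)}


def ike_phase2(initiator_sets, responder_sets):
    """Quick-mode transform set agreement: names of the matching sets, or None."""
    result = negotiate(initiator_sets, responder_sets)
    return None if result is None else (result[0].name, result[1].name)


# Constructed configuration mirroring the figures: A offers policies 10 and 20
# and B holds 15; A offers transform sets 30 and 40 and B holds 50.
ROUTER_A_POLICIES = [
    IkePolicy(10, "3des", "sha1", "rsa-sig", 2, 86400),
    IkePolicy(20, "des", "md5", "pre-share", 1, 86400),
]
ROUTER_B_POLICIES = [IkePolicy(15, "3des", "sha1", "rsa-sig", 2, 43200)]
ROUTER_A_SETS = [TransformSet("30", "esp", "3des", "hmac-sha1-96"),
                 TransformSet("40", "esp", "des", "hmac-md5-96")]
ROUTER_B_SETS = [TransformSet("50", "esp", "3des", "hmac-sha1-96")]

if __name__ == "__main__":
    print(ike_phase1(ROUTER_A_POLICIES, ROUTER_B_POLICIES))
    print(ike_phase2(ROUTER_A_SETS, ROUTER_B_SETS))
```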

After IKE phase two has completed and quick mode has established the IPSec SA, traffic can be exchanged between the IP-VPN peers through a secure tunnel (figure 3.18). How a packet is processed (coding, encryption, encapsulation) depends on the parameters set in the SA.

Figure 3.18 Established IPSec tunnel

3.3.2.5 Tunnel termination

IPSec security associations end when they are deleted or when their lifetime expires. The IP-VPN peers then stop using these SAs and begin to release the SA database. The keys are discarded as well. If at that point the IP-VPN peers still want to exchange information, a new IKE phase two is carried out. Where necessary, the process can be repeated from IKE phase one. Normally, to keep communication uninterrupted, new SAs are established before the old ones expire.
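The SPI numbering, the two kinds of lifetime and the rule that a replacement SA is negotiated before the old one expires can be seen together in the following added Python model of an SA database; it is an illustration written for this section, not code from the original material. The peer address, lifetimes, traffic volumes and the soft-limit margins that trigger rekeying are constructed assumptions; the reservation of SPI values 1 to 255 is the IANA reservation.

```python
import os
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    spi: int
    peer: str
    protocol: str            # "esp" or "ah"
    transform: tuple         # e.g. ("3des", "hmac-sha1-96")
    life_seconds: int
    life_kbytes: int
    created: float           # seconds on some monotonic clock
    bytes_used: int = 0

    def expired(self, now):
        """Either hard limit reached: the SA and its keys must be deleted."""
        return (now - self.created >= self.life_seconds
                or self.bytes_used >= self.life_kbytes * 1024)

    def rekey_due(self, now, soft_seconds=60, soft_kbytes=256):
        """Soft limit: close enough to expiry that a replacement SA should be
        negotiated now, so the new SA exists before the old one runs out."""
        return (now - self.created >= self.life_seconds - soft_seconds
                or self.bytes_used >= (self.life_kbytes - soft_kbytes) * 1024)


class SaDatabase:
    def __init__(self):
        self.by_spi = {}

    def new_spi(self):
        # SPI values 1..255 are reserved, so draw a random 32-bit value above them.
        while True:
            spi = int.from_bytes(os.urandom(4), "big")
            if spi > 255 and spi not in self.by_spi:
                return spi

    def install(self, peer, protocol, transform, life_seconds, life_kbytes, now):
        sa = SecurityAssociation(self.new_spi(), peer, protocol, transform,
                                 life_seconds, life_kbytes, now)
        self.by_spi[sa.spi] = sa
        return sa

    def purge(self, now):
        """Delete expired SAs (their keys go with them); return how many were removed."""
        dead = [spi for spi, sa in self.by_spi.items() if sa.expired(now)]
        for spi in dead:
            del self.by_spi[spi]
        return len(dead)

    def outbound_sa(self, peer, now):
        """Newest live SA for the peer; None means a new IKE phase two is needed."""
        self.purge(now)
        live = [sa for sa in self.by_spi.values() if sa.peer == peer]
        return max(live, key=lambda sa: sa.created) if live else None

    def send(self, peer, nbytes, now):
        """Charge traffic to the SA in use and report whether rekeying is due."""
        sa = self.outbound_sa(peer, now)
        if sa is None:
            return None
        sa.bytes_used += nbytes
        return {"spi": sa.spi, "rekey": sa.rekey_due(now)}


if __name__ == "__main__":
    db = SaDatabase()
    sa = db.install("203.0.113.2", "esp", ("3des", "hmac-sha1-96"), 3600, 4608, now=0)
    print(db.send("203.0.113.2", 1000, now=3550))   # rekey flag set: inside the soft margin
```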

3.4 Some technical issues in implementing VPNs over IPSec


IPSec uses many existing protocols and techniques for encrypting and authenticating data and for exchanging keys. This makes IPSec a widely used standard in information security applications such as VPNs. The following gives an overview of some of the protocols and techniques for encryption, information integrity, peer authentication, and key management and exchange. These are the basic techniques closely tied to implementing VPNs over IPSec.

3.4.1 Encryption

Messages can be encrypted when the ESP protocol is used. Encrypting messages allows information to be sent across a public network without fear of the data being compromised. Some basic data encryption standards are DES (Data Encryption Standard) with a 56-bit key, 3DES (Triple DES) with a 168-bit key, and AES (Advanced Encryption Standard) with a 128, 192 or 256-bit key. These algorithms use a single key to encrypt and decrypt information.

DES

DES is the standard data encryption method for a number of VPN solutions. Developed by IBM in 1977, DES applies a 56-bit key to 64 bits of data and was one of the strong encryption techniques. It was considered unbreakable at the time, but faster computers later broke DES in a short time (less than a day), so DES is not used in the long term for applications requiring high security. DES-CBC is one of the many modes of DES. CBC (Cipher Block Chaining) requires an initialization vector (IV) to start encryption. IPSec ensures that both VPN sides have the same IV and the same shared secret key. The shared secret key is fed to the DES algorithm to encrypt the 64-bit blocks into which the plaintext is divided. The plaintext is converted into ciphertext and passed to ESP for transmission to the other side. In the reverse process, the shared secret key is used to recover the plaintext.

3DES

3DES is a variant of DES. It is so named because it performs three encryption operations. 3DES uses one encryption, one decryption and another encryption, each with a different 56-bit key. Together the three operations form a 168-bit key combination, providing a strong encryption method. All Cisco VPN products and software support 3DES with a 168-bit key as well as 56-bit DES.

AES

A number of respected organisations proposed algorithms for AES, such as MARS (IBM), RC6 (RSA), Twofish (Bruce Schneier), Rijndael (Joan Daemen/Vincent Rijmen) and others. In 2000, NIST (US National Institute of Standards and Technology) selected Rijndael, an improved substitution-permutation network with 10 rounds, for the AES standard. In the future AES will be the symmetric block cipher standard and will be implemented in both hardware and software. AES is designed to allow the key length to be increased when necessary. The AES data block length is 128 bits, while the key length can be 128, 192 or 256 bits.

3.4.2 Message integrity

Message integrity can be achieved by using a mathematical hash function to compute a fingerprint of a message or data file. This fingerprint is called a message digest (MD), and its length depends on the hash function used. All or part of the message digest is sent with the data to the destination host, which runs the same hash function to produce a digest of the received message. The source and destination digests are compared, and any difference means the message was altered after the source message was created. A match means the data was not modified in transit. With IPSec, the message digest is computed over the fields of the IP packet that do not change. Mutable fields are replaced with zero or with a predictable value. The message digest is then placed in the authentication data field (ICV) of the AH. The destination device copies the MD out of the AH and clears the authentication data field before recomputing the MD. ESP processing is similar. The digest is computed over the immutable data of the IP packet from the ESP header to the ESP trailer. The computed MD is then placed in the ICV field at the end of the packet. With ESP, the destination host does not need to strip the ICV field because it lies outside the scope of the hash. The two main algorithms supporting message integrity are MD5 and SHA-1 (Secure Hash Algorithm 1). Both use a keyed hashing mechanism called HMAC (Hashed-keyed Message Authentication Code). The following gives an overview of these message integrity tools.

Hashed message authentication code (HMAC)

RFC 2104 describes the HMAC algorithm. It was developed to work with the existing hash algorithms MD5 and SHA-1. Many complex security procedures for data sharing require a secret key and a mechanism called a message authentication code (MAC). One side computes the MAC with the secret key and sends it to the other side. The receiver recomputes the MAC with the same secret key and compares the two MAC values. MD5 and SHA-1 work on similar principles, but they use different secret keys; this is the reason HMAC was developed. HMAC adds a secret key to the standard hash algorithm when computing the message digest. The secret key is added in the same order and with the same length, but the resulting digest differs when a different algorithm is used.

MD5 message digest algorithm


The MD5 algorithm condenses any message or data field into a compact 128-bit representation. With HMAC-MD5-96 the secret key is 128 bits long. For AH and ESP, HMAC uses only the leftmost 96 bits, placing them in the authentication field. The destination then recomputes the full 128-bit digest but uses only the leftmost 96 bits to compare with the value stored in the authentication field. MD5 produces a shorter digest than SHA-1 and is considered less secure, but it performs better. MD5 without HMAC, however, is the weaker choice for security services.

Secure hash algorithm (SHA)

The secure hash algorithm SHA is described in RFC 2404. SHA-1 produces a 160-bit message digest and uses a 160-bit secret key. Some products take the leftmost 96 bits of the digest and put them in the authentication field. The receiver recomputes the 160-bit digest with the 160-bit secret key and compares only the leftmost 96 bits with the digest carried in the authentication field. The SHA-1 digest is longer and more secure than MD5. This is considered quite secure, and where a high level of message integrity is required, HMAC-SHA-1 can be chosen.

3.4.3 Peer authentication

One of the IKE tasks is to authenticate the peers. This takes place in phase one using a keyed hash algorithm together with one of the following three kinds of key:
- Pre-shared keys;
- RSA signatures;
- RSA-encrypted nonces.

Pre-shared keys

Handling pre-shared keys is a manual process. The administrators at each end of the IPSec-VPN agree on the key to use and then enter it manually into the device, whether a host or a security gateway. This method is simple but not widely used.

RSA signatures

A digital certificate from a certificate authority (CA) provides the RSA signature at enrolment time. Digital signatures are more secure than shared keys. Once the initial configuration is complete, peers using RSA signatures can authenticate each other without operator intervention. When an RSA signature is required, a public/private key pair is generated. The host uses the private key to create a digital signature and sends its signature to the other side. The receiver uses the public key to validate the digital signature received from the sender.

RSA-encrypted nonces

The RSA-encrypted nonce method uses the RSA public-key encryption standard. It requires each side to generate a pseudo-random number (nonce) and encrypt it with the other side's public key. Authentication occurs when each side decrypts the other's nonce with its local private key and then uses the decrypted nonce to compute a hash.

3.4.4 Key management

Key management is an important issue when working with IPSec-VPNs. Five keys are fixed for each pair of IPSec peers in a relationship:
- Two private keys, owned by each side and never shared. They are used to encrypt messages.
- Two public keys, owned by each side and shared with everyone. These keys are used to verify signatures.
- The fifth key is the shared secret key. Both sides use this key for encryption and hashing. It is the key produced by the Diffie-Hellman algorithm.
In practice the private and public keys are used for many IPSec connections originated by one side. For a small organisation all of these keys can be managed manually. However, when trying to scale the process to support a large number of VPN sessions, many problems arise that must be solved. The Diffie-Hellman protocol and digital certificates issued through a CA are two of the effective solutions for automatic key management.
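The truncated HMAC described in section 3.4.2 (full digest computed, leftmost 96 bits carried in the authentication field, receiver recomputes and compares only those 96 bits) is shown in the following added Python example; it is not code from the original material. The AH field bytes, the TTL standing in for the mutable fields that are zeroed before hashing, the keys and the payload are constructed, and the rest is Python's standard `hmac` module.

```python
import hmac

ICV_LEN = 12   # 96 bits, the truncation used by HMAC-MD5-96 and HMAC-SHA-1-96


def full_hmac(key: bytes, data: bytes, algo: str) -> bytes:
    """Complete HMAC digest: 16 bytes for "md5", 20 bytes for "sha1"."""
    return hmac.new(key, data, algo).digest()


def truncated_hmac(key: bytes, data: bytes, algo: str) -> bytes:
    """Only the leftmost 96 bits travel in the authentication data field."""
    return full_hmac(key, data, algo)[:ICV_LEN]


def ah_integrity_input(ttl: int, ah_fields: bytes, payload: bytes) -> bytes:
    """Bytes the ICV is computed over in this toy AH model: the mutable TTL is
    replaced by zero, the ICV slot inside AH is zeroed, immutable data is kept."""
    return bytes([0]) + ah_fields + bytes(ICV_LEN) + payload


def protect(key, algo, ttl, ah_fields, payload):
    """Sender: compute the 96-bit ICV to place in the authentication data field."""
    return truncated_hmac(key, ah_integrity_input(ttl, ah_fields, payload), algo)


def verify(key, algo, ttl, ah_fields, payload, received_icv):
    """Receiver: recompute over the same immutable bytes and compare the 96 bits
    in constant time, so timing does not leak how many bytes matched."""
    expected = protect(key, algo, ttl, ah_fields, payload)
    return hmac.compare_digest(expected, received_icv)


# Constructed sample: a 128-bit key for HMAC-MD5-96, a 160-bit key for HMAC-SHA-1-96.
MD5_KEY = bytes(range(16))
SHA1_KEY = bytes(range(20))
# Constructed AH fields: next header 6 (TCP), payload length 4, reserved, SPI, sequence.
AH_FIELDS = b"\x06\x04\x00\x00" + (1234).to_bytes(4, "big") + (1).to_bytes(4, "big")
PAYLOAD = b"constructed payload bytes"

if __name__ == "__main__":
    icv = protect(SHA1_KEY, "sha1", 64, AH_FIELDS, PAYLOAD)
    # TTL decremented in transit (64 -> 63) must not break verification
    print(icv.hex(), verify(SHA1_KEY, "sha1", 63, AH_FIELDS, PAYLOAD, icv))
```

The TTL check is the point of zeroing mutable fields: a router on the path changes it, yet the ICV still verifies, while any change to the payload or the AH fields, or a wrong key, fails.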

3.5 Example of implementing a VPN over IPSec


To illustrate the whole process of setting up a VPN connection over IPSec, consider the example in figure 3.19. Before establishing the IPSec connection, one must make sure that the devices along the VPN path support IPSec (including the protocols and algorithms), and that no earlier IPSec connection exists or, if one does, that the parameters of the existing SA do not conflict with those about to be established. A ping can be used to confirm that connectivity is available. In this example, the user wants to communicate securely with the headquarters network. When data is sent to the user's router (acting as a security gateway), the router checks its security policy and recognises that the data to be sent belongs to a VPN application and must be protected. The preconfigured security policy also identifies the router at the headquarters network as the far end of the IPSec-VPN tunnel.

Figure 3.19 Example of a VPN connection over IPSec

The user's router checks whether a security association has already been established for this session. If not, the IKE negotiation is started. The Certificate Authority helps headquarters authenticate the user and decide whether the session is allowed. The authentication method here is a digital signature issued by a certificate authority that both sides trust. As soon as the two routers have agreed on an IKE SA, the IPSec SA is created immediately. If no IKE SA can be agreed, the two sides may renegotiate or abandon the session. Creating the IPSec SA is the result of the negotiation between the parties on the security policies, the encryption algorithm (DES, for example), the authentication algorithm (MD5, for example), and the shared key to be used. The SA data is stored in each side's database. At this point, the user's router encapsulates the data according to the requirements agreed in the IPSec SA (encryption and authentication algorithms, AH or ESP encapsulation, and so on), then adds the appropriate information to turn the encrypted packet into an IP packet and forwards it to the router connected to the central network. On receiving the packet from the user's router, the central network router looks up the IPSec SA, processes the packet as required, restores the original packet and forwards it into the central network.

3.6 Outstanding issues in IPSec


Although IPSec already provides the features needed to establish secure VPN connections over the Internet, it is still developing towards maturity. The following are some of the issues IPSec must address to better support VPN implementation:
- All packets processed by IPSec grow in size because of the various headers that are added, which reduces the effective throughput of the network. This can be mitigated by compressing data before encryption, but such techniques are still under study and not yet standardised.
- IKE is a technology that has not yet fully proven itself. Manual keying is unsuitable for networks with a large number of mobile entities.
- IPSec is designed to secure IP traffic only; it does not support other kinds of traffic.
- Computing the many complex algorithms in IPSec remains a hard problem for low-powered workstations and PCs.
- Distribution of cryptographic hardware and software is still restricted by the governments of some countries.

3.7 Chapter summary

Security is one of the most important aspects of technologies deployed over IP, especially VPN technology. Mastering and applying the security protocol suite effectively to give service users the best possible conditions is the goal of most network designers and operators. The IPSec protocol was developed to secure information carried over the Internet and is regarded as the most suitable protocol for implementing IP-VPNs. It is a set of open standards providing data security and access control services. This chapter has presented the most important features of IPSec and the operation of the related protocols. The chapter also covered the basic technical issues of secure communication in IPSec-VPNs, such as the encryption standards, the tools for checking information integrity, the authentication algorithms, and the techniques for key management and exchange. The chapter closed with an example illustrating the establishment of a VPN connection and some of the issues facing VPN implementation over IPSec. How effectively data in transit is secured depends heavily on the solutions deployed to protect it, the keying tools used, the encryption algorithms and their complexity, and so on. From the material in this chapter the reader should grasp the basic technical issues of implementing IPSec-based VPNs, their advantages and applications, and the outstanding problems still to be solved in the IPSec protocol.


CHAPTER 4

VIRTUAL PRIVATE NETWORKS OVER MPLS


MPLS-VPN is regarded as combining the advantages of both the overlay and the peer-to-peer virtual private network models. Building VPNs over MPLS ensures optimal routing between customer sites, separates customer addresses by means of route identifiers, and supports complex VPN models built purely on routing. This chapter presents the fundamentals of VPNs over MPLS, their operating principles and the capabilities MPLS-VPN provides. The main characteristics of the two kinds of VPN, over IPSec and over MPLS, are also compared to highlight the advantages of the MPLS-VPN solution. The chapter covers:
- The components of MPLS-VPN
- MPLS-VPN models
- Operation of MPLS-VPN
- Security in MPLS-VPN
- Quality of service in MPLS-VPN
- Comparison of VPNs over IPSec and over MPLS


4.1 Components of MPLS-VPN


4.1.1 The MPLS-VPN service delivery system

An important concept to recall when studying VPNs over MPLS is the site. A VPN is a set of sites that share common routing information. A site can therefore belong to more than one VPN if it holds routes from each separate VPN. This makes it possible to build intranet (local) and extranet (extended) VPNs as well as remote-access VPNs. When the sites of a VPN belong to one enterprise, the VPN is an intranet; when they belong to different enterprises, it is an extranet. In general terms, the MPLS-VPN service delivery model is shown in figure 4.1.

Figure 4.1 The MPLS-VPN service delivery system and its components

As the figure shows, the basic components of MPLS-VPN are:
- The IP/MPLS core network, administered by the service provider;
- The core routers of the provider network;
- The provider edge routers, which hold the customers' routing information and deliver the service to the customers on the provider's behalf;
- The border routers of the autonomous systems (AS), which connect to other ASes. These ASes may belong to the same or to different operators;
- The customer network, regarded as the access network to the core;
- The customer routers, which bridge the customer network and the provider network. These routers may be managed by the customer or by the service provider.


4.1.2 The provider edge router

As introduced above, the essential and indispensable component when deploying MPLS-VPN is the service provider's edge router. The PE routers in MPLS-VPN have the same architecture as the shared-router peer-to-peer VPN model, the only difference being that everything is concentrated in a single physical device (figure 4.2).
[Figure 4.2 labels: Customer A Site 1, Site 2, Site 3; Customer B Site 1; virtual router and virtual routing table for customer A; virtual routing table for customer B; global IP router and global IP routing table; P-Router; PE-Router]

Figure 4.2 The PE router and the connection of customer sites

As the figure shows, each customer is assigned an independent routing table called a virtual routing table, corresponding to a virtual router as in the peer-to-peer VPN model. A virtual router allows several sites of the customer to connect to it. Routing across the provider network is performed by a separate routing process that uses the global routing table.

4.1.3 Virtual routing and forwarding tables

The combination of a VPN routing table and a VPN forwarding table forms a virtual routing and forwarding table (VRF). Each VPN has its own routing and forwarding table in the PE router, and each PE router maintains one or more VRF tables. Each site attached to the PE router is associated with one of these tables. The destination IP address of a packet is looked up only in the VRF table it belongs to, and only if the packet arrives directly from the site associated with that VRF. A VRF is simply the set of routes appropriate to a particular site (or set of sites) attached to the PE router. These routes may belong to one or more VPNs. For example, suppose there are three PE routers PE1, PE2 and PE3 and three CE routers CE1, CE2 and CE3. Suppose also that PE1 learns from CE1 the routes valid at site CE1, while PE2 and PE3 are connected to sites CE2 and CE3 respectively. All three sites belong to the same VPN V. PE1 then uses BGP to distribute to PE2 and PE3 the routes it learned from site CE1. PE2 and PE3 install these routes in the forwarding tables for sites CE2 and CE3. Routes from sites not in VPN V do not appear in these forwarding tables, which means packets from CE2 and CE3 cannot be sent to sites outside VPN V. If a site belongs to several VPNs, the forwarding table for that site may contain routes relating to all the VPNs it belongs to. The PE maintains only one VRF table per site. Different sites can share the same VRF table if they use exactly the set of routes held in that VRF. If all the sites have the same routing information (usually because they belong to the same set of VPNs), they are allowed to communicate directly with each other, and if they attach to the same PE router they are placed in the same common VRF table. Suppose the PE router receives a packet from a directly attached site, call it site A, whose destination address is not among the entries of the forwarding table for site A. If the service provider does not provide Internet access for site A, the packet is dropped because it cannot be delivered. But if the service provider does support Internet access for site A, the destination address is then looked up in the global routing table. Hence every PE router in an MPLS-VPN network has several routing tables, one per VRF, plus a global routing table. The global table is used to find the other routers in the provider network as well as destinations in external networks (such as the Internet). In summary, a VRF is used for one VPN site or for several sites attached to the same PE router, provided those sites share exactly the same connectivity requirements. The structure of a VRF therefore includes: an IP routing table; a forwarding table; the set of rules and routing protocol parameters (called the Routing Protocol Context); and the list of interfaces belonging to the VRF.
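The lookup rule of section 4.1.3 (a packet is looked up only in the VRF of the site it came from, and only falls through to the global table if that site has Internet access) is shown in the following added Python model of a PE router; it is an illustration written for this section, not code from the original material. The prefixes, next-hop strings, site names and the choice of which site has Internet access are constructed; customers A and B deliberately reuse 10.1.0.0/16.

```python
from ipaddress import ip_address, ip_network


class RoutingTable:
    """Longest-prefix-match table: prefix -> next hop (here a descriptive string)."""

    def __init__(self, routes):
        self.routes = {ip_network(p): nh for p, nh in routes.items()}

    def lookup(self, dst):
        addr = ip_address(dst)
        best = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]


class PeRouter:
    def __init__(self, global_routes):
        self.global_table = RoutingTable(global_routes)
        self.vrfs = {}               # VRF name -> RoutingTable
        self.site_vrf = {}           # attached site -> VRF name
        self.internet_sites = set()  # sites the provider gives Internet access to

    def add_vrf(self, name, routes, sites):
        self.vrfs[name] = RoutingTable(routes)
        for site in sites:           # several sites may share one VRF
            self.site_vrf[site] = name

    def forward(self, from_site, dst):
        """Look the destination up only in the VRF of the originating site; use the
        global table only if that site has Internet access; otherwise drop."""
        nh = self.vrfs[self.site_vrf[from_site]].lookup(dst)
        if nh is not None:
            return nh
        if from_site in self.internet_sites:
            return self.global_table.lookup(dst)
        return None  # dropped: unreachable within this VPN


def build_sample_pe():
    """Constructed PE1: customers A and B both use 10.1.0.0/16 at remote sites."""
    pe = PeRouter({"0.0.0.0/0": "upstream-internet", "198.51.100.0/24": "core P router"})
    pe.add_vrf("A", {"10.1.0.0/16": "PE2 via LSP, VPN label 16",
                     "10.3.0.0/16": "PE3 via LSP, VPN label 17"}, sites=["A-site1"])
    pe.add_vrf("B", {"10.1.0.0/16": "PE2 via LSP, VPN label 24"},
               sites=["B-site1", "B-site2"])
    pe.internet_sites.add("B-site1")
    return pe


if __name__ == "__main__":
    pe = build_sample_pe()
    print(pe.forward("A-site1", "10.1.2.3"))   # customer A's 10.1.0.0/16
    print(pe.forward("B-site1", "10.1.2.3"))   # same address, customer B's VPN
    print(pe.forward("A-site1", "192.0.2.7"))  # None: no Internet access for A
```

Note the last assertion in the test below: because B-site1 has Internet access, a destination missing from VRF B is sent to the provider's default route, which is exactly why per-VRF isolation and the global fallback must be provisioned deliberately.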

4.2 MPLS-VPN models
Two models for deploying VPNs over MPLS are common today: layer 3 VPNs (L3VPN) and layer 2 VPNs (L2VPN). The main features of the two models are introduced below.

4.2.1 The L3VPN model

The L3VPN architecture is divided into two layers, corresponding to layers 3 and 2 of the OSI model. L3VPN is based on RFC 2547bis, which extends some basic features of the Border Gateway Protocol (BGP) and concentrates on BGP's multiprotocol direction to distribute routing information across the service provider's core as well as to forward VPN traffic across the core. In the L3VPN architecture the customer and provider routers are regarded as peers. The customer edge router (CE) supplies routing information to the provider edge router (PE). The PE stores the routing information in a virtual routing and forwarding table (VRF). Each VRF entry corresponds to one customer network and is completely isolated from other customer networks. A VPN user may only reach the sites or servers in the same private network. The PE router also keeps ordinary routing tables for forwarding customer traffic across the public network. An MPLS-based L3VPN configuration is shown in figure 4.3.

Figure 4.3 The MPLS L3VPN model

IP packets crossing the MPLS domain are given two kinds of label: an MPLS label identifying the label switched path (LSP) and a label identifying the VRF. A label stack is built to hold these labels. The provider's P routers process the LSP label to forward the packets across the MPLS domain. The VRF label is processed only at the PE router attached to the customer router. The L3VPN model has the advantage that the customer address space is managed by the operator, which simplifies connecting to the provider. L3VPN also provides dynamic routing to distribute routing information to the VPN routers. However, L3VPN supports only IP traffic, or traffic encapsulated in IP packets. At the same time, keeping two routing tables on the edge devices complicates operation and affects the scalability of the equipment.
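The two-label stack just described (and the label-based forwarding of figure 4.7 in section 4.3.3, which this one example also covers) is modelled in the following added Python program; it is not code from the original material. The topology, label values, prefixes and interface names are constructed; the only real convention used is the reserved label value 3 (implicit null), which tells the penultimate router to pop the outer label instead of swapping it.

```python
from ipaddress import ip_address, ip_network

IMPLICIT_NULL = 3   # reserved label value: "pop the label, do not push a new one"


class Packet:
    def __init__(self, dst):
        self.dst = dst
        self.labels = []      # label stack, top of stack first


class IngressPE:
    """Pushes [LSP label, VPN label] chosen from the VRF of the incoming interface."""

    def __init__(self, vrf_routes, lsp_labels):
        self.vrf_routes = vrf_routes   # vrf -> {prefix: (egress PE, VPN label)}
        self.lsp_labels = lsp_labels   # egress PE -> LSP label learned for that PE

    def forward(self, vrf, pkt):
        for prefix, (egress, vpn_label) in self.vrf_routes[vrf].items():
            if ip_address(pkt.dst) in ip_network(prefix):
                pkt.labels = [self.lsp_labels[egress], vpn_label]
                return egress
        return None


class PRouter:
    """Swaps only the top (LSP) label; never looks at the VPN label or the IP header."""

    def __init__(self, lfib):
        self.lfib = lfib   # incoming label -> (outgoing label, next hop)

    def forward(self, pkt):
        out_label, next_hop = self.lfib[pkt.labels[0]]
        if out_label == IMPLICIT_NULL:
            pkt.labels.pop(0)          # penultimate hop pops the LSP label
        else:
            pkt.labels[0] = out_label
        return next_hop


class EgressPE:
    """Pops the VPN label and uses it to pick the VRF and customer-facing interface."""

    def __init__(self, vpn_labels):
        self.vpn_labels = vpn_labels   # VPN label -> (vrf, CE interface)

    def forward(self, pkt):
        return self.vpn_labels[pkt.labels.pop(0)]


def run_sample(vrf, dst):
    """Constructed topology CE -> PE1 -> P1 -> P2 -> PE2 -> CE. Customers A and B both
    reach 10.2.0.0/16 behind PE2 and are told apart only by the VPN label."""
    pe1 = IngressPE({"A": {"10.2.0.0/16": ("PE2", 16)},
                     "B": {"10.2.0.0/16": ("PE2", 24)}},
                    {"PE2": 100})
    p1 = PRouter({100: (200, "P2")})
    p2 = PRouter({200: (IMPLICIT_NULL, "PE2")})
    pe2 = EgressPE({16: ("A", "interface to CE-A2"), 24: ("B", "interface to CE-B2")})

    pkt = Packet(dst)
    egress = pe1.forward(vrf, pkt)
    if egress is None:
        return {"egress": None, "trace": [], "delivered": None}
    trace = [("PE1", list(pkt.labels))]
    for name, router in (("P1", p1), ("P2", p2)):
        router.forward(pkt)
        trace.append((name, list(pkt.labels)))
    return {"egress": egress, "trace": trace, "delivered": pe2.forward(pkt)}


if __name__ == "__main__":
    print(run_sample("A", "10.2.5.5"))
    print(run_sample("B", "10.2.5.5"))
```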

4.2.2 The L2VPN model

The layer 2 VPN model was developed later and its standards are still being completed. The L2VPN approach aims to set up tunnels across the MPLS network to carry different traffic types such as Ethernet, FR, ATM and PPP/HDLC. There are two basic kinds of L2VPN:
- Point-to-point: similar to ATM and FR, setting up virtual switched paths across the network;
- Point-to-multipoint: supporting meshed and hierarchical topologies.

In recent years, virtual LAN services based on the multipoint L2VPN model using Ethernet access technology have been widely deployed. This solution interconnects Ethernet networks over the MPLS infrastructure on the basis of layer 2 identifiers, thereby reducing the complexity of the layer 3 routing tables. In the L2VPN model the CE and PE routers need not be regarded as peers (figure 4.4). Instead, only a layer 2 connection between these routers is required. The PE router switches traffic flows into preconfigured tunnels to the other PE routers.

Figure 4.4 The MPLS L2VPN model

L2VPN provides data-plane lookup by addresses learned from neighbouring routers. L2VPN uses a label stack similar to that of L3VPN. The outer MPLS label identifies the path for the traffic across the MPLS domain, while the virtual circuit (VC) label identifies the virtual LAN, the VPN or the connection to the endpoint. An optional label field used to control the layer 2 connections correctly is placed in the same stack, adjacent to the data field. The most important advantage of L2VPN is that higher-layer protocols are carried transparently over MPLS. It can operate over most layer 2 technologies, including ATM, FR and Ethernet, and opens up the integration of connectionless IP networks with connection-oriented networks. In addition, with this solution end users do not need to configure routing on the CE routers. However, L2VPN does not scale as easily as L3VPN. A complete configuration of LSPs must be used to connect the VPNs in the network. Moreover, L2VPN cannot route automatically between sites. Which of the two models to use therefore depends on the MPLS network configuration and the specific requirements.

4.3 Operation of MPLS-VPN


4.3.1 Propagating routing information

The PE routers need to exchange the information in their virtual routing tables to route data between the customer sites attached to them. The problem is to have a routing protocol that carries all the customer routes across the provider network while keeping the customers' address spaces independent of each other. One proposed solution uses a separate routing protocol for each customer. The PE routers may be connected by point-to-point tunnels (with each customer's routing protocol running between the PE routers), or the provider's P routers may take part in the customer's routing. Although simple to implement, this solution does not scale and faces many problems when VPN service has to be offered to a large number of customers. The difficulties are that the PE routers must run a large number of routing protocols, while the P routers must hold the information of all the customer routes. Another solution deploys a single routing protocol to exchange all the customer routes across the provider network. This is clearly better, but the P routers still take part in customer routing, so the scalability problem is still not solved. To understand the scalability problem of running a routing protocol per VPN better, consider the following example. Suppose a service provider's backbone must support more than 100 VPN customers attached to two PE routers using the OSPF routing protocol. Each PE router in the backbone runs more than 100 independent copies of the OSPF routing process, each of which must send hello packets and periodic refresh packets across the network. To run more than one copy of OSPF over the same link, subinterfaces per VPN must be configured on the link between PE and CE, which results in a complex network design. In addition, 100 SPF computations must be run, and separate databases and configurations maintained, in the P routers of the core.

The better solution is therefore to have customer routing information carried by a single routing protocol running between the PE routers, with the P routers not taking part in this routing. This solution is highly effective because it scales: the number of routing protocols between PE routers does not grow with the number of customers, and the P routers carry no information about customer routes. For a large number of customers the routing protocol chosen is BGP, because it can support a very large number of routes. Besides BGP, the EIGRP and IS-IS protocols can also carry routing information for several address families, but IS-IS and EIGRP do not scale because they cannot carry as many routes as BGP. BGP is designed to exchange routing information between routers that are not directly connected, and this property allows routing information to be kept on the edge devices without exchanging it with the provider's core routers. The BGP used in MPLS-VPN is called Multiprotocol BGP (MP-BGP).

4.3.2 VPN-IP addresses

Deploying BGP to exchange all the customer routes between the PE routers raises the question of how BGP can carry, between PE routers, prefixes that belong to different customers. BGP uses the IP address to choose one path among all the possible paths to a destination. BGP therefore cannot work correctly if customers use the same address space. The only solution is to extend the customer's IP prefix so that the address becomes unique even when addresses overlap. In addition, it must be ensured that the policy used to decide which of the routes BGP uses can only be present in a single VRF table. Extending the IP prefix of a VPN customer leads to a new concept, the VPN-IP address. A VPN-IP address is formed by concatenating two fixed-length components: a route distinguisher and the base IP address (figure 4.5).

Figure 4.5 VPN-IPv4 address


The element that distinguishes addresses when customer networks use the same IP addresses is the route distinguisher. This field is structured so that each VPN service provider can create a route identifier value of its own without fear of colliding with a similar value used by another service provider. The route distinguisher has three formats, shown in figure 4.6.

Figure 4.6 Route distinguisher formats

The autonomous system number (ASN) field holds the number representing the VPN service provider's system. The Assigned Number field is managed by each VPN service provider. In most cases the service provider assigns one assigned-number value to a VPN, although several values can sometimes be assigned to one VPN. Two VPNs managed by the same service provider do not share an assigned number, and the ASN is globally unique, so no two VPNs have the same route distinguisher. When an IP address is unique within a VPN, the VPN-IP address is therefore globally unique. For BGP, managing routes with VPN-IP addresses is no different from managing routes with base IP addresses. The multiprotocol capability of MP-BGP lets it manage routes for several different address families. An important point is that the structure of the VPN-IP address, as well as that of the route distinguisher within it, is completely opaque to BGP. BGP only compares the prefixes of two VPN-IP addresses; it does not care about their structure. In this case, therefore, BGP needs no additional supporting protocols and uses only its existing features. The BGP features used for MPLS-VPN include the community attribute, community-based route filtering and the use of backup routes. These features apply to routes with VPN-IP addresses just as they do to routes with ordinary IP addresses. VPN-IP addresses are confined entirely to the service provider, and VPN customers (specifically, customer devices) know nothing about them. VPN-IP addresses are recognised and assigned only at the provider edge router PE. For each VPN connection the PE router is configured with a route distinguisher value. When the PE receives a route from a directly attached CE, it must determine which VPN the CE belongs to before passing the route to the service provider's BGP. The PE router converts the base IP address of the route into a VPN-IP address using the route distinguisher set for that VPN. Likewise, when the PE imports a route from the service provider's BGP, it converts the route's VPN-IP address information into base IP address information. We now compare the roles of the route distinguisher and of the BGP community attributes. These are two separate problems, and two separate mechanisms correspond to them. The first is how to deal with IP addresses that are not globally unique. To overcome this we introduce a new kind of address, the VPN-IP address, and use the route distinguisher to make these addresses globally unique. The role of the route distinguisher is thus to make IP addresses unique. The route distinguisher, however, cannot be used for route filtering. The second problem is how to make connectivity obey the required constraints. Constraining routing information is done by filtering on BGP community attributes. But BGP community attributes do not make IP addresses unique. Note that while a route distinguisher is not shared between different VPNs, one VPN may use several route distinguishers. Similarly, while VPNs cannot share one BGP community, one VPN may use several BGP communities. Hence neither the route distinguisher nor the community attribute can be used to identify a VPN. This is consistent with the definition of a VPN as a set of policies that control connectivity and specify the quality of service between sites. As we know, BGPv4 currently only works with IPv4 addresses.
Customer route information is then carried across the MPLS-VPN network as follows:

- The CE router sends an IPv4 routing update to the PE router;
- The PE router then adds the 64-bit route distinguisher to the 32-bit IPv4 address it received, producing a unique 96-bit VPN-IPv4 address;
- This VPN-IPv4 address is carried over the MP-iBGP session to the other PE routers;
- The receiving PE router removes the route distinguisher from the VPN-IPv4 address, restoring the IPv4 address originally sent by the remote CE;
- This IPv4 address is forwarded to the other CE router in an IPv4 routing update.
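The address construction and the two separate mechanisms described above (route distinguisher for uniqueness, BGP community for import/export constraints) can be checked in a few lines. The following Python example is added here and is not part of the original training text or of any vendor implementation; the RD values, route-target strings and customer prefixes are constructed sample data, and the `Vrf`/`VrfRoute` types are illustrative names. It builds the 96-bit VPN-IPv4 key from a type-0 RD plus an IPv4 prefix, shows that two customers using the same 10.1.0.0/16 get distinct keys, and shows that the receiving VRF decides import on the route target, not on the RD (so the remote VRF may use a different RD for the same VPN and still import the route).

```python
"""
Added example (not from the original training text): building 96-bit
VPN-IPv4 prefixes from a 64-bit route distinguisher (RD) and a 32-bit
IPv4 prefix, and keeping the import/export policy in a separate
route-target (RT) community. RD values, RT strings and prefixes below
are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


def make_rd(asn: int, assigned: int) -> bytes:
    """Type 0 RD: 2-byte type (0) + 2-byte ASN + 4-byte assigned number = 8 bytes (64 bits)."""
    if not (0 <= asn < 2**16 and 0 <= assigned < 2**32):
        raise ValueError("type-0 RD needs a 16-bit ASN and a 32-bit assigned number")
    return (0).to_bytes(2, "big") + asn.to_bytes(2, "big") + assigned.to_bytes(4, "big")


def to_vpn_ipv4(rd: bytes, prefix: str) -> bytes:
    """PE export step: prepend the 8-byte RD to the 4-byte network address -> 12 bytes (96 bits)."""
    net = ipaddress.IPv4Network(prefix)
    return rd + net.network_address.packed


def from_vpn_ipv4(vpn_addr: bytes, prefixlen: int) -> str:
    """Receiving PE import step: strip the RD and recover the plain IPv4 prefix the remote CE sent."""
    if len(vpn_addr) != 12:
        raise ValueError("VPN-IPv4 address must be 12 bytes")
    return str(ipaddress.IPv4Network((vpn_addr[8:], prefixlen)))


@dataclass
class VrfRoute:
    vpn_prefix: bytes
    prefixlen: int
    route_targets: frozenset  # BGP extended communities carried with the route


@dataclass
class Vrf:
    name: str
    rd: bytes
    export_rt: str
    import_rts: frozenset
    table: dict = field(default_factory=dict)

    def export(self, prefix: str) -> VrfRoute:
        """Turn a CE-learned IPv4 prefix into the VPN-IPv4 route advertised by MP-iBGP."""
        net = ipaddress.IPv4Network(prefix)
        return VrfRoute(to_vpn_ipv4(self.rd, prefix), net.prefixlen, frozenset({self.export_rt}))

    def maybe_import(self, route: VrfRoute) -> bool:
        """Constraint filtering is done on the community (RT), never on the RD."""
        if not (route.route_targets & self.import_rts):
            return False
        self.table[from_vpn_ipv4(route.vpn_prefix, route.prefixlen)] = route.vpn_prefix
        return True


def demo() -> dict:
    # Two customers with overlapping 10.1.0.0/16 address space, each with its own RD (constructed).
    vrf_a = Vrf("A", make_rd(65000, 100), "65000:100", frozenset({"65000:100"}))
    vrf_b = Vrf("B", make_rd(65000, 200), "65000:200", frozenset({"65000:200"}))
    ra = vrf_a.export("10.1.0.0/16")
    rb = vrf_b.export("10.1.0.0/16")
    # Remote PE's VRF for customer A: a different RD for the same VPN, same import RT.
    remote_a = Vrf("A", make_rd(65000, 101), "65000:100", frozenset({"65000:100"}))
    return {
        "bits": len(ra.vpn_prefix) * 8,            # 96
        "distinct": ra.vpn_prefix != rb.vpn_prefix,  # same IPv4 prefix, distinct VPN-IPv4 keys
        "imported_a": remote_a.maybe_import(ra),    # True: RT matches
        "leaked_b": remote_a.maybe_import(rb),      # False: customer B's RT is filtered out
        "recovered": list(remote_a.table),          # plain IPv4 prefix handed back to the CE
    }
```

Running `demo()` gives a 96-bit key, distinct keys for the two customers, the A route imported and the B route rejected, with `10.1.0.0/16` recovered for the local CE; this is the behaviour of the five steps above, with the RD/RT separation made explicit.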

An important point to stress is that VPN-IP addresses are handled only within the routing protocols and are never carried in the IP packet header. VPN-IP addresses therefore cannot be used directly to forward packets. Packet forwarding is done with MPLS and is described in the following section.

4.3.3 Forwarding VPN packets

The elements needed for MPLS-VPN to operate are a routing protocol and a way of carrying packets across the MPLS network while preserving the properties of the VPN. With customer routes carried across the MPLS-VPN backbone, traffic between the CE and PE routers is by default plain IP packets. The customer edge (CE) router runs standard IP routing protocols and takes no part in MPLS-VPN. In this approach, to forward packets across the MPLS-VPN backbone the PE router only has to pass the IP packets received from the customer router on to the other PE routers. Clearly this is very hard to do, because the P routers know nothing about the customer routes, and some quality-of-service requirements would then be hard to meet. A more promising approach is to use label switched paths (LSPs) between the PE routers and forward IP packets according to the label value attached to them (Figure 4.7).
[Figure 4.7: CE Router, Ingress-PE, P-Router, P-Router, Egress-PE, CE Router across the MPLS VPN backbone; the IP packet carries label L1, L2, L3 on successive hops]

Figure 4.7 Using a label to forward VPN packets

In this approach, the customer's IP packet is given a label registered for the egress PE router. The core routers do not need to know the customer's IP addresses, and only labelled packets are delivered to the egress PE router. The core routers only forward and deliver customer packets to the egress PE. However, at the egress PE router the customer's IP packet carries no information about the VPN or the VRF that would let the router perform a VRF lookup, so the packet may be dropped. A better method that can be chosen for forwarding packets is to use a label stack (Figure 4.8).
[Figure 4.8: same path as figure 4.7; the IP packet carries a VPN label (V) beneath the outer label L1, L2, L3 on successive hops]

Figure 4.8 Using a label stack to forward VPN packets

The MPLS label stack is used to tell the egress PE router what to do with the VPN packet. The stack consists of two labels placed one on top of the other, called the inner label and the outer label. When a packet enters the network, the ingress PE router pushes these two labels onto the IP packet. The top label in the stack belongs to the label switched path (it is also called the LDP label) and ensures that the packet is carried across the MPLS-VPN backbone to the egress PE router. MPLS uses the outer label to forward the packet from the ingress PE through the core. At each P router this label is used to forward the packet; it is the index into the router's forwarding table. The P routers forward the packet along the LSP by label swapping and never examine the inner label or the IP destination address of the packet. When the packet reaches the egress PE, that router pops the outer label and then processes the inner label. The inner label is the label the PE router has registered for each VRF, and the PE uses it to decide which VRF the packet belongs to. In other words, the inner label decides which CE the packet is sent to. By default the egress PE router performs a lookup in the VRF forwarding table using the packet's IP destination address, then forwards the unlabelled IP packet to the appropriate customer site. The inner labels themselves are communicated between PEs in MP-iBGP extended update messages.

The second label in the stack can also be used to point directly at the outgoing interface towards the customer. In that case the egress PE router only examines the label on the VPN packet. This situation is commonly used when the CE router is the next hop of the VPN route and the label can point to a single VRF. The egress PE router examines the label first to find the destination VRF, and only then looks up the IP address in that VRF.

To understand the forwarding of VPN packets more clearly, consider the example in figure 4.9. In this example PE1 is the ingress router and PE2 the egress router. The ingress PE router holds two labels associated with the remote VPN route. One label is for the BGP next hop, registered by the next P router through the label distribution protocol LDP and taken from the local LIB. The second label is registered by the remote PE router and carried in MP-iBGP updates. Both labels are combined in the label stack and placed in the VRF table.
[Figure 4.9: customer site AS 73 (Host 1, CE1 in VPN A) and customer site AS 88 (Host 2, CE5 and CE6 in VPN A), with the prefixes 10.12.0.0/16 and 10.24.0.0/16 shown at the customer sites; CE2, CE3 and CE4 in VPN B; provider core AS 777 with PE1, P1, P2 and PE2, each PE holding VRF A and VRF B (virtual router 2) beside the default virtual router; labels 21, 19 and 46 along the LSP and 16 and 24 as inner labels]

Figure 4.9 Forwarding VPN data across the MPLS network

Suppose an LSP has been set up between PE1 and PE2, and Host 1 wants to send data to Host 2. Host 1 sends the packet to router CE1. CE1 encapsulates the packet and passes it to PE1. PE1 receives the packet and, based on the interface it arrived on, decides to use the forwarding table of VRF A to route it. PE1 looks up the destination address of Host 2 in the forwarding table of VRF A and finds it there. PE1 pushes label 16 onto the packet; this is the inner label that identifies the VRF on router PE2. Label 16 was earlier sent from PE2 to PE1 over the MP-iBGP session. Next, PE1 pushes label 21 onto the packet and sends the labelled packet to router P1. Label 21 is placed in the stack after label 16, so label 21 is the outer label and is changed on every segment between two LSRs. P1 receives the packet from PE1, takes label 21 and looks it up in its forwarding table. It decides to replace label 21 with label 19 and forwards the packet to P2. P2 receives the packet, takes label 19 and looks it up in its forwarding table; the result tells it to replace label 19 with label 46 and forward the packet to PE2. PE2 receives the packet from P2 and examines label 46. PE2 knows it is the egress router of the LSP, so it pops label 46. It then examines the next label, 16, and determines that the packet belongs to VRF A. The packet's IP address is looked up in VRF A to determine the destination and the outgoing interface. PE2 forwards the packet to CE6. CE6 receives the IP packet from PE2 and examines the destination address of Host 2; from here routing is done with ordinary IGP routing protocols.

The system in the figure has two virtual private networks, VPN A and VPN B. VPN A consists of CE1, CE5 and CE6; VPN B consists of CE2, CE3 and CE4. CE1 has traffic destined for CE5 and CE6. Because these sites belong to the same VPN, PE1 uses the shared forwarding table VRF A. The inner label identifies the destination VRF and is the same in all packets belonging to that VPN, even when the packets are delivered to different sites. CE2 and CE3 have traffic destined for CE4. Because these routers belong to VPN B, PE1 uses a different forwarding table for this VPN, VRF B. Both VPNs nevertheless use the same LSP, because they have the same ingress router PE1 and the same egress router PE2.

4.4 Security in MPLS-VPN


Security is one of the most important factors for every VPN solution. In terms of security, a VPN solution based on BGP/MPLS can reach a level equivalent to VPN solutions built on ATM or Frame Relay. VPN security must guarantee isolation of routing information and of the address space of each VPN: address assignment in each VPN is completely independent, and routing information from one VPN must not cross into another VPN or vice versa. The second requirement is that the structure of the core network must remain completely transparent to the customer using the service. Third, security must prevent label spoofing, in the same way as IP address spoofing, and resist denial-of-service attacks as well as intrusion attempts on the service. To see how security is achieved in MPLS-VPN, first note that MPLS-VPN allows the same address space to be used in different VPNs while still keeping the addresses of the customer sites unique, thanks to the 64-bit value of the route distinguisher. A customer using the MPLS-VPN service therefore does not have to change its existing addresses.


Routing inside the VPN service provider's network is done by label switching rather than on traditional IP addresses. Moreover, each LSP corresponding to a VPN-IP route starts and ends at PE routers, not at some intermediate point in the provider's network, so the internal core is completely transparent to the customer. Each PE router keeps a separate VRF table for each VPN, and that VRF only distributes the routes belonging to that VPN, which guarantees the isolation of routing information between VPNs. With the MPLS-VPN solution it is very hard to attack a VPN directly; one can only attack the MPLS core and from there attack a VPN. The core can be attacked in two ways, directly at a PE router or through the MPLS signalling mechanisms. To attack the network, however, one first has to know its IP addresses. Since the MPLS core is completely transparent to the outside, an attacker cannot learn the IP address of any router in the core. They may guess addresses and send packets to them, but in an MPLS network every incoming packet is treated as belonging to some customer address space, so the internal routers are hard to reach even when an address is guessed. The exchange of routing information between PE and CE routers may be a weak point in an MPLS-VPN network, but ACLs on the PE router together with the authentication methods of the routing protocol used on that link ensure security. Label spoofing is also unlikely, because a PE router accepts only unlabelled packets from a CE router; if a packet carries a label, that label must be one controlled and managed by the PE. From the points above it can be seen that security in MPLS-VPN is ensured at a very high level and is fully comparable with security in ATM- or Frame Relay-based solutions.
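The label-stack walk-through of figure 4.9 and the ingress rule just stated (a PE accepts only unlabelled packets from a CE) can be exercised together in a small simulation. The following Python code is an added example, not part of the original training text or of any router software. The label values 16, 21, 19 and 46 and the router names are taken from the text; the VRF B inner label 24, the customer prefixes, the CE-facing interface names and the `PE`/`PRouter` classes are assumptions for the example. Note that the P routers touch only the top label, and that two VPNs with overlapping address space share one LSP and are told apart by the inner label alone.

```python
"""
Added example (not from the original training text): simulating the
label-stack forwarding of figure 4.9 (PE1 -> P1 -> P2 -> PE2) and the
section 4.4 rule that a PE drops labelled packets arriving from a CE.
Labels 16, 21, 19, 46 come from the text; label 24, the prefixes and the
interface names are assumed for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    dst: str
    labels: list = field(default_factory=list)  # top of stack = last element


class PRouter:
    """Core LSR: swaps only the outer label; never reads the inner label or the IP header."""

    def __init__(self, name, swap):
        self.name, self.swap = name, swap  # swap: incoming label -> (outgoing label, next hop)

    def forward(self, pkt):
        out_label, next_hop = self.swap[pkt.labels[-1]]
        pkt.labels[-1] = out_label
        return next_hop


class PE:
    def __init__(self, name):
        self.name = name
        self.vrf_of_iface = {}  # CE-facing interface -> VRF name (ingress role)
        self.vrf_tables = {}    # VRF name -> list of (network, inner label, outgoing CE)
        self.vrf_of_label = {}  # inner label this PE advertised via MP-iBGP -> VRF name (egress role)
        self.lsp_out = None     # (outer label to push, next hop) towards the remote PE

    def ingress_from_ce(self, iface, pkt):
        # Section 4.4: labelled packets from a CE are not accepted; labels are the PE's business.
        if pkt.labels:
            return ("drop", "labelled packet from CE")
        vrf = self.vrf_of_iface[iface]
        for net, inner, _ in self.vrf_tables[vrf]:
            if ipaddress.ip_address(pkt.dst) in net:
                pkt.labels.append(inner)   # inner (VPN) label first
                outer, next_hop = self.lsp_out
                pkt.labels.append(outer)   # outer (LSP) label on top
                return ("forward", next_hop)
        return ("drop", "no route in " + vrf)

    def egress_from_core(self, pkt):
        pkt.labels.pop()                           # tail of the LSP: pop the outer label
        vrf = self.vrf_of_label[pkt.labels.pop()]  # inner label selects the VRF
        for net, _, ce in self.vrf_tables[vrf]:
            if ipaddress.ip_address(pkt.dst) in net:
                return ("forward", ce, vrf)        # plain IP lookup inside that VRF
        return ("drop", "no route", vrf)


def build_topology():
    pe1, pe2 = PE("PE1"), PE("PE2")
    pe1.vrf_of_iface = {"to-CE1": "VRF A", "to-CE2": "VRF B"}
    pe1.lsp_out = (21, "P1")
    # Both VPNs use 10.24.0.0/16 (constructed) and still forward correctly.
    pe1.vrf_tables = {
        "VRF A": [(ipaddress.ip_network("10.24.0.0/16"), 16, None)],
        "VRF B": [(ipaddress.ip_network("10.24.0.0/16"), 24, None)],
    }
    pe2.vrf_of_label = {16: "VRF A", 24: "VRF B"}
    pe2.vrf_tables = {
        "VRF A": [(ipaddress.ip_network("10.24.0.0/16"), None, "CE6")],
        "VRF B": [(ipaddress.ip_network("10.24.0.0/16"), None, "CE4")],
    }
    p1 = PRouter("P1", {21: (19, "P2")})
    p2 = PRouter("P2", {19: (46, "PE2")})
    return pe1, p1, p2, pe2


def send(iface, dst, labels=()):
    """Inject a packet at PE1 on a CE-facing interface and return the hop-by-hop trace."""
    pe1, p1, p2, pe2 = build_topology()
    pkt = Packet(dst, list(labels))
    action, next_hop = pe1.ingress_from_ce(iface, pkt)
    if action == "drop":
        return ["PE1 drop: " + next_hop]
    trace = [("PE1", list(pkt.labels), next_hop)]
    next_hop = p1.forward(pkt)
    trace.append(("P1", list(pkt.labels), next_hop))
    next_hop = p2.forward(pkt)
    trace.append(("P2", list(pkt.labels), next_hop))
    _, ce, vrf = pe2.egress_from_core(pkt)
    trace.append(("PE2", list(pkt.labels), ce, vrf))
    return trace
```

`send("to-CE1", "10.24.1.1")` reproduces the stack [16, 21] at PE1, [16, 19] after P1, [16, 46] after P2 and delivery to CE6 in VRF A; the same destination entering on the VPN B interface is delivered to CE4 in VRF B via the same LSP, and a packet that already carries a label is dropped at PE1 before any label is pushed.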

4.5 Quality of service in MPLS-VPN


Quality of service is always a primary concern for network operators and administrators. The QoS mechanisms used must be flexible enough to meet the differing requirements of customers and scalable enough to support a large number of VPN customers. For example, a service provider must offer VPN customers several classes of service (CoS) per VPN, in which different applications within the same VPN can receive different CoS. In this way, e-mail can get one CoS while a real-time application such as voice gets another. Moreover, the CoS an application receives in one VPN may differ from the CoS the same application receives in another VPN. That is, the QoS support mechanisms allow the provider to decide which kind of data receives which CoS for each VPN. Furthermore, not every VPN has to use all the CoS a service provider offers, so a set of QoS mechanisms allows the provider to decide which CoS are used as the basis for a VPN. The two forms of QoS model used for MPLS-based virtual private networks are the pipe model and the hose model.

4.5.1 The pipe model

In the pipe model, the service provider gives the VPN customer a given level of QoS between CEs in the same VPN. Formally, the model can be pictured as a pipe connecting two routers, with traffic between the two routers inside the pipe guaranteed a defined level of QoS. One example of a QoS guarantee that can be offered in the pipe model is a guaranteed minimum bandwidth between two sites. The provider edge routers PE at the two ends of the pipe filter and discard excess traffic in order to guarantee the bandwidth for the flow inside the pipe. The pipe model can be refined by allowing only certain kinds of traffic (corresponding to certain applications) from one CE to the other CEs to use the pipe. The rule deciding which traffic may use the pipe is set at the PE router at the head of the pipe. Note that the pipe model is quite similar to the QoS model VPN customers get with Frame Relay or ATM solutions. The essential difference is that with ATM or Frame Relay the connections are full duplex, whereas the pipe model provides guaranteed connections in one direction. This unidirectional property of the pipe model allows connections to be set up for applications with asymmetric traffic flows, where traffic from one site to another can differ from traffic in the opposite direction. Figure 4.10 illustrates an example of the pipe QoS model. As shown in the figure, the service provider gives VPN A one pipe guaranteeing 7 Mb/s for traffic from Site 3 to Site 1 (more precisely from CE A3 to CE A1) and another pipe guaranteeing 10 Mb/s for traffic from Site 3 to Site 2 (from CE A3 to CE A2). A CE router can therefore have more than one pipe originating from it (for example, two pipes originate at Site 3), and similarly more than one pipe can terminate at a site.


Figure 4.10 The pipe QoS model in MPLS-VPN

One advantage of the pipe model is that it resembles the QoS model VPN customers already use with FR or ATM, so customers can adopt it easily. The pipe model also has drawbacks, however. For example, it requires the VPN customer to control the whole traffic matrix between sites, which means the customer has to know the total traffic from each site to every other site. Usually this information is not available, and even when it is, it is out of date. The pipe model is close to the integrated services model, which provides guaranteed quality of service. MPLS-VPN can guarantee bandwidth for LSPs, which makes the pipe model simple to use: LSPs originating and terminating at the PEs guarantee bandwidth across the core, while the service agreement between PE and CE guarantees QoS end to end. To get the best out of the pipe model, the VPN customer needs to know its traffic requirements well when planning the network.

4.5.2 The hose model

In the hose model, the VPN service provider gives the customer QoS guarantees for the traffic that one customer CE router sends to, and receives from, the other CE routers in the same VPN. In the other model, the customer has to specify how traffic is distributed among the CE routers in the network. For the customer, then, the hose model provides quality of service per VPN and does not require traffic analysis or traffic planning down to the individual CE, which lightens the burden on customers of the VPN service.


The hose model uses two rate parameters, the Ingress Committed Rate (ICR) and the Egress Committed Rate (ECR). ICR is the rate for the traffic an ingress CE can send to the other CEs, and ECR is the rate for the traffic a CE can receive from the other CEs. In other words, ICR stands for the total traffic from a given CE, while ECR stands for the total traffic to a given CE. Note that for a given CE the ICR need not equal the ECR. Figure 4.11 illustrates an example of the hose QoS model. Here the service provider guarantees VPN B a bandwidth of 15 Mbit/s for traffic from Site 2 to the other sites (ICR = 15 Mb/s) without regard to whether that traffic goes to Site 1 or Site 3. Similarly, the provider guarantees VPN A a bandwidth of 7 Mb/s for traffic sent from Site 3 to the other sites in the same VPN (ICR = 7 Mb/s) without regard to whether it goes to Site 1 or Site 2. Likewise, the provider guarantees VPN B a bandwidth of 15 Mb/s for traffic sent to Site 2 (ECR = 15 Mb/s) without regard to whether it originates at Site 1 or Site 3.

Figure 4.11 The hose QoS model in MPLS-VPN

The hose model supports several CoS levels, corresponding to services with different parameters. For example, one service may require a lower packet-loss parameter than another. To support classes of service, they have to be introduced into the hose model, which lets the service provider use a differentiated-services mechanism together with MPLS. The hose model is therefore an approach derived from the differentiated services model, Diffserv. For services that demand firm guarantees (such as bandwidth), the pipe model is more suitable.


A service provider can offer VPN customers the pipe model, the hose model, or a combination of the two to meet specific QoS requirements. The provider's PE edge routers determine the traffic admitted into each class of service. Depending on the incoming interface, the source address, the destination address, the port number and the QoS commitments, packets are marked according to the quality-of-service requirement.
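The practical difference between the two models in sections 4.5.1 and 4.5.2 is what the customer has to know: a full traffic matrix for pipes, only per-site totals for hoses. The following Python example is added here and is not part of the original training text. The commitments are the ones quoted in the text for figures 4.10 and 4.11 (VPN A pipes A3 to A1 at 7 Mb/s and A3 to A2 at 10 Mb/s; hose ICR 7 Mb/s at A3; VPN B ICR = ECR = 15 Mb/s at site 2); the per-pair demands and the ECR values for VPN A are constructed assumptions, as are the function names.

```python
"""
Added example (not from the original training text): checking a customer's
traffic demands against pipe-model and hose-model commitments. Commitments
are the figures quoted in section 4.5; the demand matrices and the VPN A
ECR values are constructed sample data.
"""
from collections import defaultdict


def check_pipes(pipes, demands):
    """Pipe model: every (src, dst) pair needs its own commitment.
    Returns {pair: (demand, committed, within_guarantee)}; a pair with no pipe has committed 0."""
    result = {}
    for pair, mbps in demands.items():
        committed = pipes.get(pair, 0.0)
        result[pair] = (mbps, committed, mbps <= committed)
    return result


def hose_totals(demands):
    """Collapse a traffic matrix into per-site sent (ingress) and received (egress) totals.
    This is all the hose model needs; the per-destination split is irrelevant to it."""
    ingress, egress = defaultdict(float), defaultdict(float)
    for (src, dst), mbps in demands.items():
        ingress[src] += mbps
        egress[dst] += mbps
    return dict(ingress), dict(egress)


def check_hose(icr, ecr, demands):
    """Hose model: per committed site, total sent <= ICR and total received <= ECR.
    A direction without a commitment is not checked. Returns {site: (sent, icr, recv, ecr, ok)}."""
    ingress, egress = hose_totals(demands)
    result = {}
    for site in sorted(set(icr) | set(ecr)):
        sent, recv = ingress.get(site, 0.0), egress.get(site, 0.0)
        i, e = icr.get(site, float("inf")), ecr.get(site, float("inf"))
        result[site] = (sent, i, recv, e, sent <= i and recv <= e)
    return result


def demo():
    # VPN A under the pipe model (figure 4.10): A3->A1 7 Mb/s, A3->A2 10 Mb/s.
    pipes_a = {("A3", "A1"): 7.0, ("A3", "A2"): 10.0}
    demand_a = {("A3", "A1"): 6.0, ("A3", "A2"): 10.0, ("A1", "A3"): 2.0}  # constructed
    pipe_check = check_pipes(pipes_a, demand_a)   # A1->A3 has no pipe, so it is unprotected
    # Same customer under a hose: ICR 7 Mb/s at A3 (figure 4.11); ECR values assumed.
    hose_a = check_hose({"A3": 7.0}, {"A1": 7.0, "A2": 10.0}, demand_a)  # A3 sends 16 > 7
    # VPN B (figure 4.11): site 2 has ICR = ECR = 15 Mb/s whatever the far-end site is.
    demand_b = {("B2", "B1"): 9.0, ("B2", "B3"): 5.0, ("B1", "B2"): 14.0}  # constructed
    hose_b = check_hose({"B2": 15.0}, {"B2": 15.0}, demand_b)  # 14 sent, 14 received: ok
    return pipe_check, hose_a, hose_b
```

The pipe check flags the A1 to A3 flow because no pipe was bought for that pair, while the hose check for VPN B passes on totals alone without knowing how site 2's traffic splits between sites 1 and 3. The VPN A hose result also shows why a hose ICR is not the sum of the pipes: the two pipes commit 17 Mb/s out of site 3, but the hose commits 7 Mb/s in total.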

4.6 Comparing the characteristics of IPSec-based and MPLS-based VPNs


The layer 3 VPN architecture is chosen by many companies for its wide-area connectivity, scalability, connection options and ability to develop many kinds of service. No single solution, however, is complete for delivering multiple services, and the choice between an IPSec-based and an MPLS-based VPN architecture depends heavily on each company's specific requirements. This section compares and analyses the basic characteristics of the two architectures.

4.6.1 Evaluation criteria

First we analyse the conditions and criteria for evaluating an enterprise VPN architecture. The criteria focus on availability, security, quality of service, flexibility and manageability.

Availability: A VPN must offer highly available services to enterprise users and their partners. Customers may require both high network reliability and extensive redundancy. Some service providers offer service level agreements (SLAs) that define the parameters the network can deliver to the customer. An SLA can offer optional service levels for different traffic types in order to optimise the network's traffic and cost.

Security: In practice many companies share a service provider over one core network, so security is always the first concern. To address it, service providers can offer information-security techniques such as tunnelling, encapsulation, encryption, constrained route distribution, separation of routing tables, traffic separation, packet authentication, user authentication and access control.

Quality of service: QoS parameters such as bandwidth, delay, jitter and packet loss rate are the basic factors for judging the quality of the service a provider delivers to the customer. Several QoS models can be applied to a VPN to classify traffic and set priorities among the customer's different traffic flows.

Flexibility: Bandwidth and the connecting routes in a network change over time, and VPN customers' requests to change bandwidth are no exception. Service providers are always concerned with the ability to scale and to change VPN customers' bandwidth requirements so as to optimise the system and meet QoS requirements flexibly.

Manageability: VPN management spans from the central site to branches spread over many locations, so management features and management cost tend to rise together. Management services include: providing the management environment; distributing and installing VPN management software; installing security and QoS policies; supporting service level agreements; supporting other networks over the VPN; and performing network performance management, fault location and repair, billing, reporting, and adding, removing or changing service functions.

4.6.2 Distinguishing characteristics of IPSec-VPN and MPLS-VPN

IPSec-VPN protects data across public networks; the IPSec protocol supports the following combination of network security functions: identifying and encrypting packets before transmission; authenticating packets to guarantee data integrity; authenticating the origin of the packet sources; and detecting and discarding expired and replayed packets, rejecting duplicates.

The IPSec protocol protects IP packets according to a network design that specifies which particular traffic must be protected. IPSec defines how traffic is protected and controls the device that receives the traffic. An IPSec-based VPN replaces or supplements private networks built on traditional WAN infrastructure such as leased lines, Frame Relay or ATM. The outstanding advantage of IPSec is that it meets the network's requirements in terms of cost. When an enterprise uses IPSec-VPN, the service provider usually configures IPSec in a hub-and-spoke topology, where all spoke branches keep a point-to-point connection to the central end. IPSec suits point-to-point and remote-access VPN configurations very well. Some characteristics that lead enterprises to choose an IPSec-VPN solution are: IPSec provides a very good security system, supporting enterprises that need security through data encryption and device identification; network deployment cost is low, because IPSec-VPN can run over any existing IP network; services can be deployed quickly, including adding or removing sites; and traffic flows branch in a hub-and-spoke pattern.

Typically, VPN users run VPN software to choose the appropriate mode for the information to be sent over the network. Once identification succeeds and the IPSec tunnel is established, the user can simply access applications remotely without a host of parameter changes at the sites. With point-to-point connections over IPSec-VPN, users do not need client software on their computers. A user at a branch starts the application if it exists within the site, or within a session with the centre. After the session has negotiated and identified successfully, a secured tunnel between the branches and the centre is established independently of the user's activity.

MPLS-VPN: MPLS provides an intelligent routing environment and high switching performance, as presented above. The most outstanding advantage of MPLS-VPN is the ability to scale many VPNs on the same core network. Added to this are QoS guarantees, fast fault repair, path protection and a platform for developing value-added services. Some reasons enterprises choose MPLS-VPN are: companies need service level agreements (SLAs); security is supported by separating traffic flows, similarly to Frame Relay and ATM; the traffic patterns suit both partial-mesh and full-mesh configurations; enterprises want to converge many multimedia services on one network; and enterprises want to develop multicast connections.

The network security aspect of MPLS rests on separating the traffic flows of the VPNs on the same core through the route distinguisher. The distinguished routes give MPLS-VPN privacy similar to that of Frame Relay or ATM wide-area networks. Providers can design and optimise the network easily, because the customer does not need to know the core architecture and the core routers do not need any information about the customer's edge network. MPLS-VPN is highly flexible and adaptable; it does not require full-mesh or peer configuration of the endpoints as other models do. MPLS-VPN also supports service level agreements well, which is what VPN customers care about most, as it lets them meet requirements for network performance and resilience. In addition, MPLS-VPN supports traffic engineering techniques to meet QoS requirements, supports management policies and optimal traffic distribution in the network. Table 4.1 below summarises the characteristics of the two virtual private network solutions, IPSec-based and MPLS-based.

Table 4.1 Comparison of IPSec-VPN and MPLS-VPN
| Feature | MPLS-VPN | IPSec-VPN |
|---|---|---|
| Topology | Point-to-point, hub-and-spoke, full mesh | Point-to-point, hub-and-spoke, full mesh |
| Security / session authentication | VPN membership is established during service provisioning; access to the service group is defined at configuration time; unauthorised access is rejected | Authentication by digital certificate or pre-shared key; packets that do not match the security policy are dropped |
| Privacy | Traffic is separated into distinct flows at the network-address layer | Encryption and tunnelling |
| QoS and SLA | Multi-level SLAs can be set up; QoS assurance and traffic engineering techniques are available | QoS and SLAs are not specified directly |
| Scalability | Highly scalable; requires no full-mesh or peer configuration | Scales in the hub-and-spoke style; growth brings a series of challenges in planning, key distribution, key management and configuration of the peer devices |
| Point-to-point support | Yes | Yes |
| Remote access support | Yes, if connected with IPSec | Yes |
| Provisioning | Customer devices and provider edge devices are provisioned once | Network operating cost is reduced through centralised provisioning |
| Service deployment | Requires MPLS network elements for the service at the provider's core and edge devices | Can be deployed over any existing IP infrastructure |
| VPN client software | Not required; users need no software to interact with the network | Client software with the required functions must be installed |

4.7 Chapter summary

In recent years, Multiprotocol Label Switching (MPLS) has been chosen by many countries to build and develop their telecommunications networks. One of the typical applications of MPLS is the MPLS-VPN virtual private network service, which has contributed greatly to the rapid development of MPLS and opened up many new applications. This chapter presented the basic components of MPLS-VPN, the layer 2 and layer 3 MPLS-VPN deployment models, and the key techniques in MPLS-VPN such as carrying routing information, VPN-IP addressing and VPN packet forwarding. The chapter also covered issues relating to security and quality of service in MPLS-VPN, and closed with an analysis and comparison of the outstanding characteristics of the two VPN solutions based on IPSec and MPLS. The material should help the reader grasp the basic issues around MPLS-VPN, its main advantages and disadvantages and the capabilities it offers, as well as the problems to be solved when deploying and applying this technology. Deploying VPN technology over MPLS promises many new advantages and is certain to be an ideal solution for virtual private networks in the future.


CHAPTER 5

DEPLOYING AND APPLYING VPN


In today's trend towards globalised business, organisations and enterprises with many branches and multinational companies constantly have to exchange information with their customers, partners and employees. With VPN solutions deployed, this need for information exchange is met without great difficulty. Branches and mobile employees anywhere in the world can communicate with their headquarters at any time and place, ensuring they have the latest and most accurate information while working. This chapter introduces the models for implementing VPN and the current state of VPN deployment and application in Vietnam. The chapter covers:

- VPN deployment models
- VNPT's MPLS-based VPN solution
- The MegaWAN service delivery model


CHAPTER 5 - DEPLOYING AND APPLYING VPN

5.1 VPN deployment models


VPN technology has been and is being deployed vigorously around the world, including in Vietnam. Many models have been proposed, mostly based on layer 2 and layer 3. The following are some of the most recent deployment models implemented over MPLS.

The ISP-as-customer model: In this model, Internet service providers (ISPs) are customers of the VPN. Like other customers, the ISP can be located at a central site where traffic is concentrated and becomes a POP, or at a system that supports direct connection. To implement this model, the network must configure a number of dedicated routes guaranteeing quality of service for the ISPs. With the support of layer 2 technologies such as very high bandwidth optical transmission, treating the ISP as a VPN customer reduces the complexity of the connections as the number of customers keeps growing. The BGP routing procedures perform routing for CE and PE through the extension of MPLS to the CE. The extension allows an LSP to be created from the CE route to the PE route; the edge of the routes together with the addresses is then carried in the BGP next-hop attributes. The PE router announces the label bindings to the customer CE routers. When the CE router builds its database tables, it uses BGP information to determine the addresses of the BGP next hops together with the other hops.

The MPLS-VPN-provider-as-customer model: In this model, MPLS-VPN service providers are themselves treated as VPN customers. As a customer, the MPLS-VPN service provider must be fully configured to connect all the VPN-IP routes of the VPN provider. All VPN-IP routes are treated as external routes, just as from an ISP. The main difference between the case where the customer is an ISP and the case where the customer is an MPLS-VPN provider is that the ISP customer's external routes are IP routes, whereas the MPLS-VPN customer's external routes are VPN-IP routes. Where all sites of a VPN are connected like an MPLS-VPN service provider and those sites also want to connect to several other MPLS-VPN providers, a need arises for multi-link operation to avoid the growing complexity in the network when all the traffic is generated by the edge routes. The multi-link provider solution allows VPN service to be delivered to MPLS-VPN customers over internal and external routes based on BGP.

5.2 VNPT's MPLS-based VPN solution


In Vietnam, MPLS is being built into the transport network of the Vietnam Posts and Telecommunications Group (VNPT). With the NGN project under way, VNPT has set up an MPLS backbone with 3 core LSRs. Edge LSRs have been and continue to be deployed at many high-demand locations nationwide. On the MPLS core already established, VNPT is currently providing MPLS-VPN service to enterprise customers that need it. VNPT's model for providing layer 3 VPN service over the MPLS network is shown in figure 5.1.

Figure 5.1 VNPT's model for providing VPN service over the MPLS network

Voice and data traffic in the virtual LAN is directed to the VRF at the branch office routers and then carried over the WAN to the other remote sites. To meet additional security needs, this solution can use IPSec. In addition, internal routing can be configured so that if one of the main links fails, all traffic can be rerouted to alternative routes, thereby keeping sessions continuous for all users. VNPT's MPLS-based VPN/VNN solution uses a local-loop connection (the segment from the customer side to VDC's MPLS POP) over a high-speed dedicated channel (figure 5.2).


Figure 5.2 VNPT's MPLS-VPN connection solution

Unlike VPN technologies over the Internet (PPTP, L2TP, IPSec), the tunnelling mechanism here is set up entirely within the MPLS backbone. Each VPN connection establishes its own tunnel through the labelling and forwarding of IP packets. Each VPN connection receives a single label value assigned by the MPLS routing equipment in the network, so the tunnels in the MPLS backbone are completely separate. With the core network addresses hidden, forms of network attack such as DDoS, IP spoofing or label spoofing become very hard to carry out.

5.3 The MegaWAN service delivery model


VNPT's MegaWAN service provides private network connectivity for customers over IP/MPLS. MegaWAN connects an enterprise's computer networks (offices, branches, remote collaborators, and so on) at different geographical locations into a single, reliable network using xDSL broadband links. The network model for providing this service is shown in figure 5.3.

Figure 5.3 Network model for providing the MegaWAN service


Using the MPLS-VPN solution lets connections be deployed quickly, simply and conveniently at low cost. MegaWAN also allows both VPN access and Internet access if the customer needs it. MegaWAN supports broadband Internet access over the VNN network provided by VNPT; this service gives the customer high-speed Internet access based on asymmetric digital subscriber line (ADSL) technology. The edge router used in the MegaWAN network is the ERX-1410. These systems can support MPLS-VPN to send traffic securely to different destinations. The ERX system also lets the service provider plan different tiers of development and supports classification of the line signals within each subscriber. In the ERX, voice traffic has first priority, followed by the data of large subscribers (companies or corporations) and then the data of individual customers.

5.4 Chapter summary

Today VPN is deployed widely around the world and has become an indispensable solution for large companies with many branches. Depending on specific conditions and requirements, VPN can be deployed under many different models. This chapter presented the models for implementing VPN and the practical deployment and application of VPN technology in Vietnam. With its MPLS core network in operation, VNPT is the first telecommunications operator in Vietnam to provide MPLS-VPN service to enterprise customers. VNPT's MPLS-VPN solution with the MegaWAN service model has achieved encouraging initial results. Given that Vietnam's telecommunications network is divided into regions and stretches from north to south, VPN is a suitable solution that brings many benefits to the enterprises subscribing to the service. Although VPN deployment in practice is affected by many factors beyond the technical ones, VPN remains a very promising technology that is certain to be applied widely in the coming years.


ABBREVIATIONS

| Abbreviation | English | Meaning |
|---|---|---|
| 3DES | Triple DES | DES algorithm applied three times |
| AA | Access Accept | Access accepted |
| AAA | Authentication, Authorization and Accounting | Authentication, authorisation and accounting |
| AC | Access Control | Access control |
| ACL | Access Control List | Access control list |
| ADSL | Asymmetric Digital Subscriber Line | Asymmetric digital subscriber line |
| AH | Authentication Header | Authentication header protocol |
| ARP | Address Resolution Protocol | Address resolution protocol |
| ATM | Asynchronous Transfer Mode | Asynchronous transfer mode |
| BGP | Border Gateway Protocol | Border gateway routing protocol |
| CA | Certificate Authority | Certification authority |
| CBC | Cipher Block Chaining | Cipher block chaining mode |
| CHAP | Challenge-Handshake Authentication Protocol | Challenge-handshake authentication protocol |
| DCE | Data Communication Equipment | Data communication equipment |
| DES | Data Encryption Standard | DES encryption algorithm |
| DH | Diffie-Hellman | Diffie-Hellman key exchange protocol |
| DLCI | Data Link Connection Identifier | Data link connection identifier |
| DNS | Domain Name System | Domain name system |
| DSL | Digital Subscriber Line | Digital subscriber line |
| DTE | Data Terminal Equipment | Data terminal equipment |
| EAP | Extensible Authentication Protocol | Extensible authentication protocol |
| ECB | Electronic Code Book Mode | Electronic code book mode |
| ESP | Encapsulating Security Payload | Secure payload encapsulation protocol |
| FCS | Frame Check Sequence | Frame check sequence |
| FR | Frame Relay | Frame relay |
| FTP | File Transfer Protocol | File transfer protocol |
| GRE | Generic Routing Encapsulation | Generic routing encapsulation |
| HMAC | Hashed-keyed Message Authentication Code | Hash-based message authentication code |
| ICMP | Internet Control Message Protocol | Internet control message protocol |
| ICV | Integrity Check Value | Integrity check value |
| IETF | Internet Engineering Task Force | Internet engineering standards body |
| IKE | Internet Key Exchange | Key exchange over the Internet |
| IKMP | Internet Key Management Protocol | Key management protocol over the Internet |
| IP | Internet Protocol | Internet protocol |
| IPSec | IP Security Protocol | IP security protocol |
| ISAKMP | Internet Security Association and Key Management Protocol | Internet security association and key management protocol |
| ISO | International Standard Organization | International standards organisation |
| ISP | Internet Service Provider | Internet service provider |
| IV | Initial Vector | Initialisation vector |
| L2F | Layer 2 Forwarding | Layer 2 forwarding protocol |
| L2TP | Layer 2 Tunneling Protocol | Layer 2 tunnelling protocol |
| LAN | Local Area Network | Local area network |
| LCP | Link Control Protocol | Link control protocol |
| MAC | Message Authentication Code | Message authentication code |
| MD5 | Message Digest 5 | MD5 message digest algorithm |
| MTU | Maximum Transfer Unit | Maximum transfer unit |
| NAS | Network Access Server | Network access server |
| NGN | Next Generation Network | Next generation network |
| NSA | National Security Agency | US National Security Agency |
| OSI | Open System Interconnection | Open systems interconnection model |
| OSPF | Open Shortest Path First | Shortest path routing protocol |
| PAP | Password Authentication Protocol | Password authentication protocol |
| PDU | Protocol Data Unit | Protocol data unit |
| PKI | Public Key Infrastructure | Public key infrastructure |
| POP | Point of Presence | Point of presence |
| PPP | Point to Point Protocol | Point-to-point protocol |
| PPTP | Point to Point Tunneling Protocol | Point-to-point tunnelling protocol |
| PSTN | Public Switched Telephone Network | Public switched telephone network |
| RADIUS | Remote Authentication Dial-in User Service | Remote dial-in user authentication service |
| RARP | Reverse Address Resolution Protocol | Reverse address resolution protocol |
| RAS | Remote Access Service | Remote access service |
| RFC | Request for Comment | IETF standards document on the Internet |
| RSA | Rivest-Shamir-Adleman | A public-key cryptographic algorithm |
| SA | Security Association | Security association |
| SAD | SA Database | SA database |
| SHA-1 | Secure Hash Algorithm-1 | SHA-1 hash algorithm |
| SN | Sequence Number | Sequence number |
| SPI | Security Parameter Index | Security parameter index |
| TCP | Transmission Control Protocol | Transmission control protocol |
| TLS | Transport Level Security | Transport-level security |
| UDP | User Datagram Protocol | User datagram protocol |
| VPN | Virtual Private Network | Virtual private network |
| WAN | Wide Area Network | Wide area network |

User Data Protocol

Giao thc d liu ngi s dng

Virtual Private Network

Mng ring o

Wide Area Network

Mng din rng
