Supervisor: Nguyen Hong Viet
Students: Duong Van Tuyen, Nguyen Quoc Thuan, Nguyen Van Nhat
Deploying IPsec over the IPv6 protocol in the Windows Server 2008 environment
ACADEMY OF CRYPTOGRAPHY TECHNIQUES
FACULTY OF INFORMATION TECHNOLOGY
BASIC INTERNSHIP TOPIC:
Deploying IPsec over the IPv6 protocol in the Windows Server 2008 environment
Supervisor's comments: ..........
Group attendance score: ..........
Grade for the final printed internship report: ..........
Table of contents
Foreword .... 4
Chapter I. Overview of Windows Server 2008
  I.1. Introduction to Windows Server 2008 .... 5
  I.2. Technologies in Windows Server 2008 .... 6
    I.2.1. Web .... 6
    I.2.2. Virtualization .... 7
    I.2.3. Security .... 7
    I.2.4. A unified platform for business workloads .... 8
  I.3. Comparison of Windows, Linux and Unix .... 9
    I.3.1. Windows vs. Linux (price, features, management, maintenance, security) .... 9
    I.3.2. Windows vs. Unix (price, features, management, maintenance, security) .... 9
Chapter II. Overview of IPv6
  II.1. Introduction to IPv6 .... 10
  II.2. IPv6 address types .... 12
    II.2.1. Unicast Address .... 12
      a. Global Unicast Address .... 12
      b. Link-local Addresses .... 13
      c. Site-local Addresses .... 14
      d. Unique Local Address .... 14
    II.2.2. Anycast Address .... 14
    II.2.3. Multicast Address .... 15
    II.2.4. Special IPv6 addresses .... 15
  II.3. IPv6 header .... 16
Chapter III. Overview of IPsec
  III.1. Overview .... 19
  III.2. Security architecture .... 19
  III.3. Current status .... 20
  III.4. Design by requirement .... 20
  III.5. Modes .... 20
    III.5.1. Transport mode .... 20
    III.5.2. Tunnel mode .... 21
  III.6. Protocols .... 21
    III.6.1. Authentication Header (AH) .... 21
    III.6.2. Encapsulating Security Payload (ESP) .... 22
  III.7. Key exchange in IPsec - Internet Key Exchange (IKE) .... 23
    III.7.1. Key exchange in IPsec - IKE .... 23
      III.7.1.1. ISAKMP phase 1 .... 23
      III.7.1.2. ISAKMP phase 2 .... 24
    III.7.2. IKE modes .... 24
Chapter IV. Demo .... 27
  (Deploying IPsec over IPv6 in Windows Server 2008, using Network Monitor and Wireshark to analyze packets)

List of tables
Table 1 - Comparison of Windows and Linux .... i
Table 2 - Comparison of Windows and Unix .... ii
Table 3 - AH header layout .... iii
Table 4 - ESP layout .... iv

List of figures
Figure 1 - Global Unicast Address .... i
Figure 2 - Link-local Address .... ii
Figure 3 - Site-local Address .... iii
Figure 4 - Unique Local Address .... iv
Figure 5 - IPv6 header .... v
Figure 6 - Key exchange in IPsec (IKE) .... vi
Figure 7 - Main Mode .... vii
Figure 8 - Aggressive Mode .... viii
Figure 9 - Quick Mode .... ix
Figure 10 - New Group Mode .... x
Foreword
To communicate on a network we need IP addresses. Much like a letter sent through the post, which must carry the sender's and the recipient's addresses, every packet (datagram) sent over a network carries two pieces of information: the source IP address (the sender) and the destination IP address (the recipient). There are two kinds of IP address: public IP addresses, which let computers communicate on the Internet, and private IP addresses, which let computers communicate inside an internal network (a LAN). There are roughly 4 billion IPv4 addresses, each 32 bits long. An IPv6 address is 128 bits long, so IPv6 offers roughly 340 x 10^36 addresses, a number that experts consider practically inexhaustible. IPv4 is running out, so the move to IPv6 is not far off.
When we communicate over a network, can we be attacked, and how is the traffic protected? At the IP layer there is a security mechanism, IPsec (Internet Protocol Security). IPsec is a complete set of protocols that ensures the information exchanged between two computers is encrypted and protected even over an insecure network; the most typical insecure network is the Internet. IPsec has two main purposes: protecting IP packets and defending against attacks. The importance of information security is why our group chose the topic of studying and deploying IPsec over IPv6 in the Windows Server 2008 environment.
... built into the operating system and its diagnostic capabilities, which let administrators spend more time supporting the business. Windows Server 2008 builds on the success and strength of its predecessor, Windows Server 2003, and on the innovations introduced in Service Pack 1 and Windows Server 2003 R2. Even so, Windows Server 2008 goes well beyond the operating systems that came before it. It is designed to give organizations the best production platform for applications, networks and web services, from workgroups up to data centers, with dynamic and valuable new features and substantial improvements to the core operating system.
Improvements to the Windows server operating system
In addition to new features, Windows Server 2008 delivers many improvements to the core operating system over Windows Server 2003. Visible improvements include networking, advanced security features, remote application access, centralized server role management, reliability and performance monitoring tools, failover clustering, deployment and the file system. These and many other improvements help organizations maximize the flexibility, availability and control of their servers.
2.2. Virtualization
2.3. Security
3. Comparison of Windows, Linux and Unix
3.1. Windows vs. Linux (price, features, management, maintenance, security)

Windows Server:
- TCO (cost of deployment and use): $199 to $3,919
  + Less time spent on maintenance and management
- Reliability:
  + Easy to configure and manage, hence more stable (standardized; ships with solid basic administration tools)
  + Better compatibility and wider hardware support
- Security:
  + Security is optimized and standardized from the design stage of the commercial product
  + Backed by security vendors
- Choice:
  + Comes from the world's largest independent software vendor
  + Widely used, with many applications

Red Hat Enterprise Linux:
- TCO (cost of deployment and use): free, or $349 to $18,000
  + Support for the operating system (server, clustering, ...) is charged separately
- Reliability:
  + Installed package by package
  + Time is lost reconfiguring the system later (new patches, lack of uniformity, hard to support)
- Security:
  + Little support from security vendors (open source)
  + Security vulnerabilities in 2006: Windows Server < 61% Novell Enterprise < 73% Red Hat Enterprise Linux (http://www.microsoft.com/windowsserver/compare/ReportsDetails.mspx?recid=23)
- Choice:
  + Each product is specific to one vendor (Red Hat, SUSE)
  + Not widely used

3.2. Windows vs. Unix (price, features, management, maintenance, security)

Windows Server:
- TCO (deployment cost):
  + Low cost that meets commercial requirements
  + Windows Server 2008 meets many requirements on price, management and maintenance
- Mission-critical needs:
  + Diverse applications for every kind of workload; supports most small, medium and large companies
  + Reliability for large systems is below Unix
- Applications, partners and choice:
  + Extends reliability and security
  + Many partners, experts and engineers to cooperate with
  + Broad hardware support
- Next-generation technologies (where will the technology be in the future?):
  + Developing rapidly, maturing, with a diverse platform for future business needs

Unix:
- TCO (deployment cost):
  + High cost to build, maintain and manage
- Mission-critical needs:
  + Limited, highly specialized applications; limited hardware; used by large companies
- Applications, partners and choice:
  + Few software vendors, partners, engineers and experts (focus on Unix development only)
  + Support is difficult (few people understand Unix)
- Next-generation technologies:
  + An old technology; future applications may struggle to meet commercial requirements
... write 800 instead of 0800. Here is the shortened address: 1088:0:0:0:8:800:200C:463A. That is already acceptable, but IPv6 has one more rule: you can collapse the zero groups into a double colon ::, so the address above can be rewritten as 1088::8:800:200C:463A. From this example you can draw two rules:
- In an IPv6 address, leading zeros in a group may be dropped. For example 0800 is written 800, and 0008 is written 8.
- In an IPv6 address, consecutive groups of zeros may be replaced by :: (this applies only when the zero groups are consecutive).
Example 1: FADC:BA98::7654:3210 -> an IPv6 address has 8 groups in total; 4 are shown here, so the double colon stands for 4 zero groups. The full address is therefore: FADC:BA98:0:0:0:0:7654:3210
Example 2: FADC:BA98:7654:3210:: -> the full address is: FADC:BA98:7654:3210:0:0:0:0
Example 3: ::FADC:BA98:7654:3210 -> the full address is: 0:0:0:0:FADC:BA98:7654:3210
Consider this case: suppose the address is 0:0:0:AB65:8952:0:0:0. There are three candidate ways to shorten it:
1. ::AB65:8952::
2. ::AB65:8952:0:0:0
3. 0:0:0:AB65:8952::
Only answers 2 and 3 are correct. Another rule to remember in IPv6 is that the double colon may be used only once per address. You must not write ::AB65:8952::, because that would be ambiguous when expanded: someone could read it as 0:0:AB65:8952:0:0:0:0 or as 0:0:0:0:AB65:8952:0:0.
Using IPv6 addresses in URLs
You can reach a website by name or by IP address. For example http://www.google.com.vn/ has the IPv4 address 64.233.167.104, so you can open google.com.vn by typing http://64.233.167.104. Likewise you can reach a website by its IPv6 address, but the address must be enclosed in a pair of {} braces, for example: http://{FEDL:8435:7356:EADC:BA98:2010:3280:ABCD}. You can also add a port number to the URL, for example: http://{FEDL:8435:7356:EADC:BA98:2010:3280:ABCD}:80
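The two shortening rules above, as an added example that is not part of the report: a hand-written expander and compressor so the rules stay visible, cross-checked against Python's standard ipaddress module. The ambiguity rule is enforced by rejecting any spelling with more than one "::"; the function and variable names are this example's own.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> str:
    """Expand a shortened address to all 8 groups, keeping rule 1 (no leading zeros).

    Raises ValueError when "::" appears more than once, because the address
    would then be ambiguous, exactly the ::AB65:8952:: case in the text.
    """
    if addr.count("::") > 1:
        raise ValueError(f"'::' may appear only once: {addr}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError(f"'::' must replace at least one zero group: {addr}")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, found {len(groups)}: {addr}")
    expanded = []
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError(f"bad group {g!r} in {addr}")
        expanded.append(g.lstrip("0") or "0")  # rule 1: drop leading zeros
    return ":".join(expanded)


def compress_ipv6(addr: str) -> str:
    """Rule 2: replace the longest run of consecutive zero groups with "::".

    On a tie the first run wins, so 0:0:0:AB65:8952:0:0:0 becomes
    ::AB65:8952:0:0:0 (option 2 in the text; option 3 is equally valid).
    A lone zero group is left as is, as RFC 5952 recommends.
    """
    groups = expand_ipv6(addr).split(":")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


def is_unambiguous(addr: str) -> bool:
    """True when the spelling expands to exactly one address."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def same_address(a: str, b: str) -> bool:
    """Cross-check two spellings against the standard library parser."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


if __name__ == "__main__":
    for a in ["1088:0:0:0:8:800:200C:463A", "FADC:BA98::7654:3210",
              "FADC:BA98:7654:3210::", "::FADC:BA98:7654:3210",
              "0:0:0:AB65:8952:0:0:0"]:
        print(f"{a:30} expands to {expand_ipv6(a):32} compresses to {compress_ipv6(a)}")
    print("::AB65:8952:: unambiguous?", is_unambiguous("::AB65:8952::"))
```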
+ Unicast Address: a unicast address identifies a single interface within the unicast address scope. A packet whose destination is a unicast address is routed to exactly one interface.
+ Anycast Address: an anycast address identifies several interfaces. A packet whose destination is an anycast address is routed to one of the interfaces sharing that anycast address, normally the nearest one, where "nearest" is determined by the routing protocol in use.
+ Multicast Address: a multicast address identifies several interfaces. A packet whose destination is a multicast address is routed to every interface that shares that multicast address. Note that IPv6 has no broadcast address; its function is covered by the multicast address group.
In short:
Unicast: send to one specific address.
Multicast: send to all members of a group.
Anycast: send to the nearest member of a group.
We now look at each type in detail:
2.1. Unicast Address: divided into 4 groups:
a. Global Unicast Address: this address type is used to support ISPs. Roughly speaking, it is the counterpart of an IPv4 public address.
001: the first 3 bits always have the value 001.
TLA ID (Top Level Aggregation): identifies the highest-level provider in the hierarchy of service providers.
Res: not used.
NLA ID (Next Level Aggregation): identifies the next provider in the hierarchy of service providers.
SLA ID (Site Level Aggregation): identifies the sites used to create subnets.
Interface ID: the address of the interface within the subnet.
b. Link-local Addresses: this address type is used by hosts that want to communicate with other hosts on the same link. Every IPv6 interface has a link-local address. As the figure below shows, the first 10 bits are always 1111 1110 10, and the next 54 bits are 0. So in a link-local address the first 64 bits are a fixed value (prefix fe80::/64) and the last 64 bits are the interface address.
One point to remember: a router never forwards a packet whose source or destination address is a link-local address.
c. Site-local Addresses: site-local addresses are used inside an internal network (intranet), much like the IPv4 private addresses (10.X.X.X, 172.16.X.X, 192.168.X.X). The scope of a site-local address is the site.
The first 10 bits are always 1111 1110 11 (prefix FEC0::/10). The next 54 bits are the Subnet ID. The last 64 bits are the interface address.
d. Unique Local Address: a unique local address is routable between the subnets of a private network.
1111 1101: the first 8 bits are the fixed value FD00::/8.
The next 40 bits are the Global ID (the Site ID); it may be assigned freely.
The next 16 bits are the Subnet ID, the subnet address within the site; up to 65,536 subnets can be created in one site.
The last 64 bits are the interface address.
2.2. Anycast Address: an anycast address is a special address that can be assigned to several interfaces; a packet sent to an anycast address is delivered by the routing system to the nearest interface. Anycast addresses are used very little today and few documents describe how to use them. Anycast addresses are almost only assigned to routers, not to hosts, because at present they are used only for load balancing. For example: a network service provider has many customers who want to reach a service from many different places. To save cost, the provider runs a single central server and builds several routers connecting customers to it, so each customer has several paths to the service. The provider assigns an anycast address to the interfaces of the routers connected to the central server; each customer now only has to remember and connect to one anycast address and is automatically connected to the server through the nearest router. This is a simple and effective arrangement. Anycast addresses can be confusing to learn: assigned to one interface, an anycast address behaves exactly like a unicast address, but assigned to several interfaces it looks like a multicast address.
2.3. Multicast Address: IPv6 no longer has the concept of a broadcast address. Every function of the IPv4 broadcast address is taken over by the IPv6 multicast address. A multicast address resembles a broadcast address in that the packet's destination is a group of machines in a network, but not all of them. Whereas broadcast delivers directly to every host in a subnet, multicast delivers only to a defined group of hosts, which may belong to different subnets. A host can choose whether or not to join a particular multicast group (usually through the Internet Group Management Protocol), whereas with broadcast every host is a member of the broadcast group whether it wants to be or not.
2.4. Special IPv6 addresses:
a. IPv4-Compatible Address (IPv4CA)
Format: 0:0:0:0:0:0:w.x.y.z, where w.x.y.z is an IPv4 address.
Example: 0:0:0:0:0:0:0:192.168.1.2
Class AT5C - Academy of Cryptography Techniques
IPv4CA is the compatibility address of an IPv4/IPv6 node. When an IPv4CA is used as an IPv6 destination, the packet is encapsulated with an IPv4 header for transmission across an IPv4 network.
b. IPv4-mapped address (IPv4MA)
Format: 0:0:0:0:0:FFFF:w.x.y.z (::FFFF:w.x.y.z), where w.x.y.z is an IPv4 address.
Example: 0:0:0:0:0:FFFF:192.168.1.2
IPv4MA is the address of an IPv4-only node as seen by an IPv6 node; it is informational only and is never used as a source or destination address.
c. 6to4 Address
An address used for communication between IPv4/IPv6 nodes across an IPv4 routing infrastructure. 6to4 is formed from a 64-bit prefix as follows: Prefix = 2002/16 + 32-bit IPv4 address = 64 bits. The 6to4 address is a tunneling address defined by RFC 3056.
3. IPv6 header
IPv6 is the upgrade of IPv4; as the figure shows, the Flow Label field and the Extension headers are new in IPv6.
Basic fields of the IPv6 header:
Version (4 bits): the IP protocol version. This field holds the value 6, unlike the value 4 of IPv4.
Traffic Class (8 bits): works like the Type of Service (ToS) field in IPv4. It marks IPv6 packets with a Differentiated Services Code Point (DSCP); when a packet is DSCP-marked, routers know what priority to give it.
Flow Label (20 bits): marks the flow a packet belongs to, helping routers forward the packets of a flow consistently from source to destination. The Flow Label gives IPv6 better support for QoS. The concept of a flow: a flow is a sequence of packets sent from a source to a particular destination (unicast or multicast). The source asks routers for special handling of the packets belonging to a flow. How the packets should be handled can be conveyed to the router by a control protocol, or by information carried in the packets of the flow themselves, for example the hop-by-hop extension header. There may be many flows between a source and a destination; the combination of the source address and a non-zero Flow Label uniquely identifies a flow. Packets that belong to no flow have every bit of the Flow Label set to 0. Every packet of the same flow must be sent with the same source address, the same destination address and the same non-zero Flow Label. A router handling the packet establishes handling state for a particular label and may cache that information, keyed by the source address and flow label. For subsequent packets with the same source address and flow label, the router can apply the handling found in its cache. An IPv6 source can use the 20-bit Flow Label to identify packets belonging to a particular flow and to request special handling from routers, for example non-default quality of service or real-time service. At present the use of this field for QoS is still experimental and its standardization is incomplete; there is no common structure for using it yet. The IETF is continuing to standardize it and to set clearer requirements for Internet support of the Flow Label.
Many routers and hosts do not yet support the label field. On those routers and hosts all bits of the field are set to 0 and the field is ignored when a packet is received.
Payload Length (16 bits): the length of the data that follows the IPv6 header.
Next Header (8 bits): identifies the type of information that follows the basic IPv6 header. It may be an upper-layer protocol such as TCP or UDP,
or it may be an extension header. This field corresponds to the Protocol field of IPv4.
IPv6 extension headers are optional and may follow the basic IPv6 header. An IPv6 packet may have none, one or several extension headers. As the figure shows, when several extension headers are used in one IPv6 packet they form a chain, each identified by the Next Header field of the header before it. On the way from source to destination, intermediate nodes are not allowed to process the extension headers until the packet reaches its destination (or destinations, for multicast), with a few exceptions. The headers must also be processed in exactly the order in which they appear in the IPv6 packet; the destination is never allowed to scan the whole packet and pick a header to process first. The exception just mentioned is the Hop-by-Hop extension header. Its presence forces the packet to be examined by every intermediate node on the path from source to destination, including the source and destination themselves. For that reason the Hop-by-Hop extension header must always come immediately after the IPv6 header, and its presence is signaled by the value 0 in the Next Header field of the IPv6 header.
- Hop-by-Hop: the extension header placed first, immediately after the basic header. It is used to specify parameters at each hop on the path from source to destination, so it is processed by every router on the path.
- Destination: specifies parameters for delivery to the next destination or to the final destination on the packet's path. If the packet also carries a "Routing" extension header, the "Destination" extension header carries parameters to be processed at each intermediate destination; otherwise its information is processed at the final destination.
- Routing: determines the route the packet takes. If the packet should travel a specified path (rather than the path chosen by the routing algorithms), the source IPv6 node can use the Routing extension header to specify the path by listing the addresses of the routers the packet must pass through. These addresses are used in turn as the destination address of the IPv6 packet, in the order listed, and the packet is forwarded from router to router following the list in the Routing extension header.
- Fragment: the Fragment extension header carries information supporting fragmentation and reassembly of IPv6 packets; it is used when an IPv6 source sends packets larger than the smallest MTU (Maximum Transmission Unit) on the whole path from source to destination. In IPv4, every router on the path had to fragment packets according to the MTU of each interface, which reduced router performance. In IPv6, routers therefore do not fragment packets; this is done at the sending source. The source IPv6 node runs an algorithm to discover the smallest MTU on the whole path from source to destination (the PathMTU) and adjusts
the packet size accordingly before sending. If the source applies this method it sends data of optimal size and no IP-layer handling is needed. If the application does not use this method, it must split packets larger than the PathMTU. In that case the packets are fragmented at the IP layer of the source node and the Fragment extension header carries the information needed for fragmentation and reassembly at the ends of the connection.
- Authentication and Encapsulating Security Payload: in IPv6, IPsec support is considered mandatory; whether it is used depends on the case. When IPsec is used, the IPv6 packet needs the Authentication and Encryption extension headers. The Authentication extension header authenticates the data and protects its integrity; the Encryption extension header carries the information related to data encryption.
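The Next Header chain and the Hop-by-Hop ordering rule described above, as an added example that is not part of the report: a parser for the fixed IPv6 header that then walks the extension headers in order, stops at ESP (whose contents are encrypted) and rejects a Hop-by-Hop header that is not first. The packet bytes are constructed inline; names such as walk_header_chain are this example's own.

```python
import ipaddress
import struct

# Next Header values used by the chain walker (IANA protocol numbers).
HEADER_NAMES = {
    0: "Hop-by-Hop", 6: "TCP", 17: "UDP", 43: "Routing", 44: "Fragment",
    50: "ESP", 51: "AH", 58: "ICMPv6", 59: "No Next Header", 60: "Destination",
}
EXTENSION_HEADERS = {0, 43, 44, 50, 51, 60}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the 40-byte fixed IPv6 header described in the text."""
    if len(pkt) < 40:
        raise ValueError("packet shorter than the 40-byte IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
    }


def walk_header_chain(pkt: bytes) -> list:
    """Follow Next Header from the fixed header to the upper-layer protocol.

    Enforces the rule that Hop-by-Hop may only sit directly after the IPv6
    header. Stops at ESP, because everything after the ESP header is encrypted.
    """
    hdr = parse_fixed_header(pkt)
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("Payload Length exceeds captured bytes")
    chain, offset, nh = [], 40, hdr["next_header"]
    while nh in EXTENSION_HEADERS:
        if nh == 0 and chain:
            raise ValueError("Hop-by-Hop header must immediately follow the IPv6 header")
        chain.append(HEADER_NAMES[nh])
        if nh == 50:
            return chain
        if offset + 2 > end:
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[offset], pkt[offset + 1]
        if nh == 44:                     # Fragment header is always 8 bytes
            size = 8
        elif nh == 51:                   # AH length is in 32-bit words minus 2
            size = (ext_len + 2) * 4
        else:                            # others: 8-byte units, not counting the first
            size = (ext_len + 1) * 8
        offset += size
        if offset > end:
            raise ValueError("extension header runs past the payload")
        nh = next_nh
    chain.append(HEADER_NAMES.get(nh, f"proto {nh}"))
    return chain


def build_sample_packet(hop_by_hop_first: bool = True) -> bytes:
    """Constructed packet: IPv6 + Hop-by-Hop + Fragment + empty TCP header.

    With hop_by_hop_first=False the two extension headers are swapped, which
    violates the ordering rule and must be rejected by walk_header_chain.
    """
    tcp = bytes(20)
    if hop_by_hop_first:
        hop_by_hop = bytes([44, 0, 1, 4, 0, 0, 0, 0])       # next=Fragment, len 0, PadN(4)
        fragment = struct.pack("!BBHI", 6, 0, 0, 0x1234)     # next=TCP, offset 0, M=0, id
        ext, first_nh = hop_by_hop + fragment, 0
    else:
        fragment = struct.pack("!BBHI", 0, 0, 0, 0x1234)     # next=Hop-by-Hop (illegal order)
        hop_by_hop = bytes([6, 0, 1, 4, 0, 0, 0, 0])        # next=TCP
        ext, first_nh = fragment + hop_by_hop, 44
    payload = ext + tcp
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("fe80::2").packed
    first_word = (6 << 28) | (0 << 20) | 0x12345              # version 6, TC 0, flow label
    fixed = struct.pack("!IHBB", first_word, len(payload), first_nh, 64)
    return fixed + src + dst + payload


def chain_or_error(pkt: bytes) -> str:
    try:
        return " -> ".join(walk_header_chain(pkt))
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(parse_fixed_header(build_sample_packet()))
    print(chain_or_error(build_sample_packet()))
    print(chain_or_error(build_sample_packet(hop_by_hop_first=False)))
```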
In deciding what to protect and what to provide for an outgoing packet, IPsec uses Security Parameter Index (SPI) values; each is an index (ordered and stored in an index database, much like a telephone directory) into the Security Association Database (SADB), together with the destination address in the packet header and the unique identifier of a security association for each packet. A similar process is carried out for incoming packets, where IPsec performs decryption and checks the keys from the SADB. For multicast packets, a security association is provided for a group and applied to all receivers in the group. There may be more than one security association for a group, using different SPIs, which allows several levels of security for one group. Each sender can have several security associations, enabling authentication, while the receiver knows only the keys sent in the data. Note that the standards do not describe how associations are chosen and replicated from the group to the individuals.
3. Current status
IPsec is a mandatory part of IPv6 and may optionally be used with IPv4. Although the standards were designed for both IP versions, today it is widely applied and deployed on IPv4. The IPsec protocols were defined in RFCs 1825 to 1829, published in 1995. In 1998 they were updated by RFCs 2401 to 2412, which are not compatible with RFCs 1825 to 1829. In December 2005 the third generation of the IPsec standards, RFCs 4301 to 4309, appeared. It does not differ much from RFCs 2401 to 2412, but the new generation provides the second version of IKE. In this new generation the abbreviation of IP security was also changed to "IPsec". One difference in abbreviations: the old generation standardized in RFCs 1825 to 1829 used "ESP", while the new version uses "ESPbis".
4. Design by requirement
IPsec can be provided in Transport mode (end-to-end), which secures communication between computers that talk to each other directly, or in Tunnel mode (portal-to-portal) for communication between two networks, used mainly for VPN connections. IPsec can be used for VPN communication and is very widely used there. However, the deployment of the two modes differs.
Secure end-to-end communication on the Internet has developed slowly and had to wait a long time, partly because the Public Key Infrastructure (PKI) used in this approach was not widespread or practical enough.
IPsec was introduced to provide these security services:
1. Encryption of the communication
2. Data integrity
3. Mandatory authentication between the communicating parties
4. Protection against replay in secure sessions
5. Modes
The two main modes used in IPsec are transport and tunnel. Both AH and ESP provide protection by adding a security header carrying security information to the datagram.
1) Transport mode:
Protection is applied when the IP packet is passed down from the transport layer (TCP). The packet is processed by AH or ESP, which insert their header before the TCP/UDP header. The packet is then forwarded or processed based on the IPsec header and no further processing of the IP header is needed.
2) Tunnel mode
In tunnel mode, IPsec is used to protect the entire encapsulated IP datagram after the IP header is ready. The IPsec header is added in front of the IP header, and then a new IP header is added in front of the IPsec header. At that point the whole IP datagram is protected.
6. Protocols
Two protocols have been developed to provide security for packets of both IPv4 and IPv6: IP Authentication Header, which ensures integrity and provides authentication, and IP Encapsulating Security Payload, which provides confidentiality and, optionally, authentication and integrity. The algorithms used in IPsec include HMAC-SHA1 for integrity protection and TripleDES-CBC and AES-CBC for encryption and confidentiality of packets; all of these algorithms are listed in RFC 4305.
a. Authentication Header (AH)
AH is used in connections that do not need data confidentiality. It also offers protection against replay attacks through a sliding window and the discarding of older packets. AH protects the transmission of data over IP. In IPv4 the IP header includes TOS, Flags, Fragment Offset, TTL and Header Checksum. AH operates directly on the first part of the IP packet. Below is the layout of the AH header.

0 - 7 bit        | 8 - 15 bit      | 16 - 23 bit     | 24 - 31 bit
Next header      | Payload length  | RESERVED
Security parameters index (SPI)
Sequence number
Authentication data (variable)

Meaning of each field:
Next header: identifies the protocol used to carry the information.
Payload length: the size of the AH packet.
RESERVED: reserved for future use (currently represented by zeros).
Security parameters index (SPI): identifies the security parameters; combined with the IP address, it identifies the security association negotiated for the packet.
Sequence number: a number that increases by one for every packet, used to protect against replay attacks.
Authentication data: contains the Integrity Check Value (ICV) needed to authenticate the packet.
b. Encapsulating Security Payload (ESP)
The ESP protocol provides authentication, integrity and confidentiality for packets. ESP also supports configurations for encryption only or authentication only, although using encryption without authentication does not guarantee security. Unlike AH, ESP does not protect the IP header and its options. ESP runs on top of IP using IP protocol number 50, while AH uses protocol number 51.

0 - 7 bit        | 8 - 15 bit      | 16 - 23 bit     | 24 - 31 bit
Security parameters index (SPI)
Sequence number
Payload data (variable)
Padding (0-255 bytes)                | Pad Length      | Next Header
Authentication Data (variable)

Meaning of the fields:
Security parameters index (SPI): identifies the security parameters, combined with the IP address.
Sequence number: increases automatically; protects against replay attacks.
Payload data: the data being transmitted.
Padding: used with block ciphers.
Pad length: the size of the padding.
Next header: identifies the protocol used to carry the information.
Authentication data: contains the authentication data for the packet.
7. Key exchange in IPsec - Internet Key Exchange (IKE)
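The AH and ESP layouts above and the sequence-number check against replay, as an added example that is not part of the report: a parser for the AH header (Payload Length in 32-bit words minus 2, RESERVED must be zero), a parser for the clear-text part of ESP (only SPI and sequence number are readable before decryption), and a 64-packet sliding anti-replay window of the kind the text mentions for AH. Packet bytes and the placeholder ICV are constructed inline; class and function names are this example's own.

```python
import struct


def parse_ah(data: bytes) -> dict:
    """Decode an AH header laid out as in the AH table above.

    Payload Length counts 32-bit words minus 2, so an AH with a 96-bit
    HMAC-SHA1 ICV has Payload Length 4 and occupies 24 bytes in total.
    """
    if len(data) < 12:
        raise ValueError("AH header needs at least 12 bytes")
    next_hdr, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    total = (payload_len + 2) * 4
    if reserved != 0:
        raise ValueError("AH RESERVED field must be zero")
    if len(data) < total:
        raise ValueError("AH header truncated")
    return {"next_header": next_hdr, "length": total, "spi": spi,
            "seq": seq, "icv": data[12:total]}


def parse_esp_header(data: bytes) -> dict:
    """Decode the clear-text part of ESP: SPI and sequence number.

    Payload, padding, Pad Length and Next Header sit inside the encrypted
    region, and the trailing ICV length depends on the negotiated algorithm,
    so nothing past byte 8 can be interpreted without the SA's keys.
    """
    if len(data) < 8:
        raise ValueError("ESP header needs at least 8 bytes")
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "encrypted": data[8:]}


class AntiReplayWindow:
    """Sliding window over received sequence numbers, as used by AH and ESP.

    Bit 0 of the bitmap is the highest sequence number seen; bit d is the
    packet d positions behind it. Packets older than the window or already
    marked are discarded.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.last_seq = 0
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                       # the first transmitted packet is 1
        if seq > self.last_seq:                # newer than anything seen: slide
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1                # jumped past the whole window
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            return False                       # older than the window: discard
        bit = 1 << diff
        if self.bitmap & bit:
            return False                       # duplicate: replay
        self.bitmap |= bit
        return True


def make_ah(seq: int, spi: int = 0x100, next_header: int = 58) -> bytes:
    """Constructed AH carrying a placeholder 12-byte ICV (a real ICV comes from HMAC)."""
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + b"\x11" * 12


def filter_replays(ah_packets: list, window: AntiReplayWindow) -> list:
    """Run each parsed AH sequence number through the window; True = accepted."""
    return [window.accept(parse_ah(raw)["seq"]) for raw in ah_packets]


if __name__ == "__main__":
    # Constructed stream: in-order packets, one late arrival, one replay, a
    # big jump, then a packet that has fallen out of the window.
    seqs = [1, 2, 3, 5, 4, 3, 70, 5, 10, 10]
    verdicts = filter_replays([make_ah(s) for s in seqs], AntiReplayWindow())
    for s, ok in zip(seqs, verdicts):
        print(f"seq {s:3d}: {'accept' if ok else 'discard'}")
```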
IPsec is implemented in the kernel, with key management and the ISAKMP/IKE security negotiation handled in user space. There is, however, a standard key management interface that can be driven by the IPsec kernel. Because it is provided to end users, IPsec can be deployed in the Linux kernel. The FreeS/WAN project was the first to complete an open-source implementation of IPsec, specifically for Linux. It includes a kernel IPsec stack (KLIPS), together with a key management daemon and many shell scripts. The FreeS/WAN project was started in March 2004. Openswan and strongSwan continue the FreeS/WAN project. The KAME project also completed an IPsec implementation for NetBSD and FreeBSD; its key manager is called racoon. OpenBSD created its own ISAKMP/IKE, simply named isakmpd (it has also been ported to many systems, including Linux).
7.1. Key exchange in IPsec - Internet Key Exchange (IKE)
The main function of IKE is to allow devices to exchange information securely. Encryption keys are added and used to authenticate and encrypt the information. IKE is known as a hybrid protocol because it combines three other protocols. The first is ISAKMP (Internet Security Association and Key Management Protocol), which provides a framework for exchanging encryption keys and protecting information. ISAKMP supports many different key exchange methods; its two main phases are:
7.1.1. ISAKMP phase 1
IKE phase I first authenticates the communicating peers and then sets up a secure channel for establishing SAs. Next, the peers negotiate a mutually agreed ISAKMP SA, including the encryption
algorithms, hash functions and authentication methods that protect the keys. Once the encryption mechanism and hash function are agreed, a shared secret master key is generated. The following information is used to generate the secret key:
- the Diffie-Hellman value
- the SPI of the ISAKMP SA, used as cookies
- random numbers known as nonces (used for signing purposes)
If the two sides agree to use public-key based authentication, they also need to exchange IDs. After exchanging the necessary information, both sides generate their own keys using the shared secret. In this way, the encryption keys are generated without any key actually being exchanged over the network.
7.1.2. ISAKMP phase 2
While phase I negotiates the SA for ISAKMP, phase II deals with establishing SAs for IPsec. In this phase, SAs for the various services are negotiated. The authentication mechanism, hash function and encryption algorithm that protect the subsequent IPsec data packets (using AH and ESP) form part of the phase SA. Phase II negotiations take place more often than phase I; typically the negotiation may be repeated every 4-5 minutes. Changing the keys frequently prevents attackers from breaking them and then the contents of the data packets. In general, one phase II session corresponds to one single phase I session, but several phase II exchanges can be supported by a single phase I instance, which makes the otherwise slow IKE transaction relatively fast.
7.2. IKE modes
Four IKE modes are commonly deployed:
- Main mode
- Aggressive mode
- Quick mode
- New Group mode
7.2.1. Main Mode
Main mode authenticates and protects the identities of the parties involved in the transaction. In this mode, six messages are exchanged between the peers: the first two negotiate the security policy for the exchange; the next two exchange Diffie-Hellman values and nonces, which later play an important role in the encryption mechanism; the last two authenticate the parties with the help of signatures, hash functions and, optionally, certificates.
7.2.2. Aggressive Mode
Aggressive mode is essentially the same as Main mode. The only difference is that instead of the six messages of main mode, only three messages are exchanged, so Aggressive mode is faster than main mode. The messages are: the first message proposes the security policy, passes data for the master key, and exchanges nonces for subsequent signing and verification; the second message replies to the first, authenticating the responder and completing the security policy with the keys; the last message authenticates the sender (the initiator of the session).
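The phase 1 key generation described in 7.1.1 and the first four Main Mode messages above, as an added example that is not part of the report: two simulated peers exchange cookies, a constructed policy proposal, Diffie-Hellman public values and nonces, then each derives SKEYID and the SKEYID_d/a/e keys following RFC 2409 section 5 (signature authentication variant, HMAC-SHA1 as the prf, Oakley group 2). The check at the end confirms that both sides obtain identical keys while neither the shared secret nor any derived key ever appears in the recorded messages. Class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409 section 6.2): 1024-bit MODP prime, generator 2.
GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2


def prf(key: bytes, data: bytes) -> bytes:
    """The IKE pseudo-random function, here HMAC-SHA1 (the integrity algorithm named in the text)."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    """One side of the phase 1 exchange: cookie, nonce and Diffie-Hellman key pair."""

    def __init__(self):
        self.cookie = secrets.token_bytes(8)                # SPI of the ISAKMP SA
        self.nonce = secrets.token_bytes(16)
        self._x = secrets.randbelow(GROUP2_PRIME - 2) + 1   # private exponent, never sent
        self.dh_public = pow(GENERATOR, self._x, GROUP2_PRIME)

    def shared_secret(self, peer_public: int) -> bytes:
        """g^xy, computed locally from the peer's public value; never on the wire."""
        return pow(peer_public, self._x, GROUP2_PRIME).to_bytes(128, "big")


def derive_phase1_keys(gxy: bytes, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID and derived keys per RFC 2409 section 5 (signature authentication):

      SKEYID   = prf(Ni_b | Nr_b, g^xy)
      SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
      SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
      SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
    """
    skeyid = prf(ni + nr, gxy)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def main_mode_exchange() -> dict:
    """Simulate Main Mode messages 1-4 and derive the phase 1 keys on both sides.

    Returns the initiator's and responder's key sets, the initiator's g^xy and
    the list of message bytes an eavesdropper could record.
    """
    initiator, responder = Peer(), Peer()
    wire = []
    # Messages 1 and 2: cookies and the SA proposal (policy bytes are constructed).
    wire.append(initiator.cookie + b"\x00" * 8 + b"proposal: AES-CBC, HMAC-SHA1, group 2")
    wire.append(initiator.cookie + responder.cookie + b"accepted")
    # Messages 3 and 4: Diffie-Hellman public values and nonces.
    wire.append(initiator.dh_public.to_bytes(128, "big") + initiator.nonce)
    wire.append(responder.dh_public.to_bytes(128, "big") + responder.nonce)
    # Each side computes g^xy from its own private exponent and derives the keys.
    gxy_i = initiator.shared_secret(responder.dh_public)
    gxy_r = responder.shared_secret(initiator.dh_public)
    keys_i = derive_phase1_keys(gxy_i, initiator.nonce, responder.nonce, initiator.cookie, responder.cookie)
    keys_r = derive_phase1_keys(gxy_r, initiator.nonce, responder.nonce, initiator.cookie, responder.cookie)
    # Messages 5 and 6 would carry identities and authentication hashes encrypted under SKEYID_e.
    return {"initiator": keys_i, "responder": keys_r, "gxy": gxy_i, "wire": wire}


def keys_match_and_secret_absent() -> bool:
    """Both sides agree on every key, and no key material is recoverable from the wire."""
    result = main_mode_exchange()
    captured = b"".join(result["wire"])
    leaked = result["gxy"] in captured or any(k in captured for k in result["initiator"].values())
    return result["initiator"] == result["responder"] and not leaked


if __name__ == "__main__":
    r = main_mode_exchange()
    for name, key in r["initiator"].items():
        print(f"{name:9} {key.hex()}")
    print("keys match, nothing secret on the wire:", keys_match_and_secret_absent())
```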
Both Main mode and Aggressive mode belong to phase I.
7.2.3. Quick Mode
The third IKE mode, Quick mode, is the phase II mode. It is used to negotiate SAs for the IPsec security services. Quick mode can also generate new keying material. If Perfect Forward Secrecy (PFS) was negotiated in phase I, a completely new Diffie-Hellman key exchange is initiated; otherwise the new key is generated from hash values.
7.2.4. New Group Mode
New Group mode is used to negotiate a new private group to make the Diffie-Hellman key exchange easier. Figure 6-18 illustrates New Group mode. Although this mode runs after phase I, it does not belong to phase II.
Besides the four common IKE modes above, there is also Informational mode. This mode is associated with the phase II exchanges and SAs. It gives the parties involved additional information arising from failures during negotiation. For example, if decryption fails at the receiver or a signature cannot be verified, Informational mode is used to inform the other party.
Chng IV.Demo Thc hnh: Chun b: -1 Server: Windw Server 2008 ( domain thuchanhipsec.local),ipv6 -1 client: win 2k8 ,ipv6 -Ci wireshark,Network monitor trn my Server
1.Cu hnh TCP/IPv6 Ti my Server, vo Run=>ncpa.cpl Hp thoi Local Area Connection Properties, b du chn Internet Protocol Version 4 (TCP/IPv4), chn Internet Protocol Version 6 (TCP/IPv6), chn Properties
In the Internet Protocol Version 6 (TCP/IPv6) Properties window, enter the settings as shown in the figure:
IPv6 address: fc00:192:168:5::25
Subnet prefix length: 64
Preferred DNS server: fc00:192:168:5::25
+ With IPsec not yet deployed on either machine: in Network Monitor on the Server, open the Capture menu and press Pause to see the captured ICMP packet (destination MAC, source MAC, IP) and which machine it travels from and to.
-- In the ICMP packet the data field can be seen and is not encrypted. The data is 32 bits: the letters a to w and then a to i, shown as hexadecimal numbers. The same is seen in Wireshark.
** Likewise, if we send an ICMP packet from the Server to the client, the data captured on the client is not encrypted either (the data is again 32 bits, a to w and a to i, shown as the packet's hexadecimal numbers).
3. Configure IPsec
+ We configure IPsec on the Server and then on the client in turn.
- Server: open Run => type secpol.msc to open Local Security Policy.
+ In Local Security Policy, right-click IP Security Policies on Local Computer and choose Create IP Security Policy...
+ In the Requests for Secure Communication dialog, clear the Activate the default response rule check box. Click Next.
+ In the Tunnel Endpoint dialog, keep the default, This rule does not specify a tunnel. Click Next.
+ In the Network Type dialog, choose Local area network (LAN). Click Next.
+ In the IP Filter List dialog we can choose All IP Traffic (the IPsec default). Click Add.
Click Filter Action and press Edit to change the Security methods; choose Negotiate security, then press Edit to modify it.
Choose Custom and click Settings; here we can choose the data integrity and encryption algorithms, such as MD5 or SHA1. Then click OK twice.
Next, proceed as in the figure. The options are:
Accept unsecured communication, but always respond using IPsec
Allow fallback to unsecured communication if a secure connection cannot be established
Use session key perfect forward secrecy (PFS)
Press Finish to complete the wizard.
Class AT5C - Academy of Cryptography Techniques
** On the Client we do the same. Now we check whether the ICMP packets sent are encrypted or not.
--- Case 1: the Server has IPsec configured, the Client does not.
- On the Client run ping to the Server. It reports that the destination cannot be found, because IPsec on the Server is configured to block and negotiate security for all incoming traffic, while IPsec is turned off on the Client.
In Network Monitor the IKE protocol appears: IKE authenticates the communicating endpoints and then establishes a secure channel for the SA setup. Next, the communicating parties negotiate a mutually agreed ISAKMP SA, including the encryption algorithms, hash functions and authentication methods that protect the keys.
Starting Wireshark on the Server we see ISAKMP (Internet Security Association and Key Management Protocol) carrying out the key authentication exchange between the two sides; if the Client has no key, the result shown above is obtained.
--- Case 2: both the Server and the Client have IPsec configured. When IPsec is enabled on the Client, pinging the Server shows in Network Monitor on the Server that the ICMPv6 Echo Request and Echo Reply are replaced by ESP.
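The before/after captures described in the demo (clear ICMPv6 echo with the a..w, a..i payload before IPsec, ESP afterwards), as an added example that is not part of the report: a small Python parser over constructed IPv6 packets that reports what Network Monitor or Wireshark would show and flags echoes whose payload is still readable. The server address is the one the report uses; the client address fc00:192:168:5::26, the SPI and the ESP payload are assumed placeholders.

```python
import ipaddress
import struct

# Windows ping fills the echo payload with this 32-byte pattern ("a".."w", then "a".."i").
PING_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"
ICMPV6, ESP = 58, 50          # IPv6 Next Header values

def ipv6_packet(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Build a minimal IPv6 packet (used here only to construct sample input)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def classify(pkt: bytes) -> dict:
    """Report what the capture tool shows for one IPv6 packet: ICMPv6 in clear, or ESP."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nh = struct.unpack("!HB", pkt[4:7])
    info = {"src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40]))}
    body = pkt[40:40 + plen]
    if nh == ICMPV6 and len(body) >= 8:
        kind = {128: "Echo Request", 129: "Echo Reply"}.get(body[0], f"type {body[0]}")
        info.update(proto="ICMPv6", kind=kind, plaintext=True,
                    ping_payload_visible=body[8:].startswith(PING_PATTERN))
    elif nh == ESP and len(body) >= 8:
        spi, seq = struct.unpack("!II", body[:8])     # only the ESP header is readable
        info.update(proto="ESP", spi=spi, seq=seq, plaintext=False, ping_payload_visible=False)
    else:
        info.update(proto=f"next header {nh}", plaintext=None, ping_payload_visible=False)
    return info

def unprotected_pings(pkts) -> list:
    """(src, dst) pairs whose echo payload is readable: traffic IPsec did not protect,
    e.g. a peer that fell back to unsecured communication."""
    return [(i["src"], i["dst"]) for i in map(classify, pkts) if i["ping_payload_visible"]]

# Constructed samples mirroring the two demo captures. The server address is the one
# from the report; the client address is an assumed placeholder.
SERVER, CLIENT = "fc00:192:168:5::25", "fc00:192:168:5::26"
ECHO_REQUEST = struct.pack("!BBHHH", 128, 0, 0, 1, 7) + PING_PATTERN   # type, code, csum, id, seq
BEFORE_IPSEC = ipv6_packet(CLIENT, SERVER, ICMPV6, ECHO_REQUEST)
AFTER_IPSEC = ipv6_packet(CLIENT, SERVER, ESP, struct.pack("!II", 0x1A2B3C4D, 1) + bytes(range(48)))
```

Feeding real captured frames (after stripping the Ethernet header) through classify gives the same verdicts the report reads off the Network Monitor screens.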
------------------------The end------------------------