POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY
TRN QUC TH
SECURITY IN VIRTUAL PRIVATE NETWORKS
MAJOR: DATA TRANSMISSION AND COMPUTER NETWORKS
CODE: 60.48.15
MASTER'S THESIS SUMMARY
SCIENTIFIC SUPERVISOR:
DR. NGUYN TRNG NG
HANOI - 2013
The thesis was completed at:
POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY
Scientific supervisor: Dr. Nguyn Trng ng
Reviewer 1: ................................................................................................
Reviewer 2: ................................................................................................
The thesis will be defended before the Master's Thesis Examination Board of the Posts and Telecommunications Institute of Technology.
At ...... o'clock on ...... September 2013
INTRODUCTION
Today, the rapid development of advanced telecommunications technologies such as ISDN, ATM, ADSL and especially the Internet has, over recent years, brought with it a wave of new services that meet the diverse demands of information technology applications. One such service is virtual private network (VPN) technology.
According to the IETF, a VPN is a wide area network that uses the equipment and transmission media of a public network together with security functions such as tunneling, data encryption and authentication, with the aim of achieving the same security as a network built for private use.
Globalization brings with it the growth of multinational companies, whose branches and representative offices no longer depend on geographic location. The need for remote access and the trend toward integration and expansion make the growth of VPN services inevitable, as the ideal combination of the Internet and private networks.
As society develops, demand for online business services keeps rising. The strong growth of many service providers with different network architectures and a wide variety of telecommunications equipment and products creates major challenges and barriers for private networks when these networks have to be interconnected; VPN is a suitable solution to this need.
In addition, the cost of setting up and administering a wide area network is very high, whereas a VPN is economical while still guaranteeing safety and security, which matters for companies with many branch offices.
The two most prominent technologies used to build VPNs are MPLS and IPSec. Each technique has its own value and place in the network. MPLS VPN works very well in the core of service provider networks, while IPSec VPN is well suited to end-to-end security configurations. Implementing a network model that includes both MPLS VPN and IPSec yields the greatest benefit.
MPLS technology provides tools that improve IP traffic engineering, allowing service providers to easily measure, monitor and deliver different service levels. MPLS brings many advantages: it exploits the intelligence of routers and the speed of switches, and provides a way to map IP packets onto connection-oriented links such as ATM or FR. It also provides a mechanism for defining QoS in the MPLS header. MPLS uses layer-3 routing information to build the routing table and allocate resources, while using layer-2 protocols (FR, ATM) to switch or direct information along the corresponding path. MPLS is regarded as an advanced network technology that resolves many weaknesses of IP and ATM networks, and is therefore one of the suitable choices for next-generation networks (NGN).
For these reasons, this thesis focuses on security in virtual private networks over public networks using IPSec and MPLS, analyses and designs VPN/MPLS network models and architectures, and proposes a basis for applying them at a bank.
Objectives of the thesis:
- Focus on security in virtual private networks over public networks (IPSec, MPLS), analyse and design VPN/MPLS network models and architectures, and provide a basis for deployment in the real-world model of an organization or enterprise.
- Survey virtual private networks in general: basic knowledge of VPN components, the types of VPN and their protocols.
- Study the security mechanisms used in VPNs: authentication, encryption, digital signatures and tunneling; Multiprotocol Label Switching (MPLS) and MPLS/VPN.
- Deploy MPLS/VPN.
Research subject:
- Security in virtual private networks built mainly on IPSec and MPLS.
- A concrete case study of connecting customers over the provider's core network, using the GNS3 simulator. The deployment model is divided into two parts that exchange information: the Customer (the bank) and the Service Provider.
Research method:
- Study domestic and foreign documents and reports related to Multiprotocol Label Switching (MPLS).
- Carry out installation and experiments.
CHAPTER 1: OVERVIEW OF VIRTUAL PRIVATE NETWORK (VPN) TECHNOLOGY
1.1. Introduction to VPN
Network security is receiving a great deal of attention, especially now that WAN infrastructure and technology increasingly meet bandwidth and quality-of-service requirements while politically and economically motivated network attacks grow rapidly. Network security matters not only to Internet service providers (ISPs) but is also decisive for government agencies and enterprises. WAN solutions such as leased lines and Frame Relay lack flexibility in connectivity, network expansion and information security, and are very expensive; firewall solutions only protect the system against attacks from outside, while information on the transmission path can still be read, with a high risk of being copied or stolen. Any comprehensive security solution for a network therefore has to include the virtual private network.
The advent of VPNs addresses security, saves cost, brings flexibility in managing sites and remote dial-in customers, and supports new technologies and protocols well.
VPNs have become commonplace and indispensable for enterprises in developed countries because they bring real benefits: information security is bound up with the growth of the enterprise.
IP-based virtual private networks are becoming increasingly popular. The technology creates a private network over the shared infrastructure of a service provider (ISP), and various security techniques protect users' information as it is exchanged over a shared environment such as the Internet.
A VPN is a communications environment in which access is controlled and only connections within a predefined scope are permitted. A VPN is built by sharing common transmission media and environments, and the services of the private network are delivered over those shared media.
A VPN is a private network built on the infrastructure of the Internet.
Figure 1.1. Basic VPN model
1.2. VPN classification
There are two types of VPN: remote access VPN, and VPN connecting two networks, also called site-to-site or LAN-to-LAN VPN.
1.2.1. Remote access VPN
Remote access VPN (Figure 1.2) is used by mobile users who need secure access to the company's private network from any location over a shared, widely available medium such as the Internet. Some small offices can also use this type of access to connect to their company's private network.
1.2.2. Intranet VPN
Site-to-site VPN is divided into Intranet VPN and Extranet VPN. The two do not differ in network model but differ in security policy. Intranet VPN is used to connect offices and branches of the same company, providing trusted connections that make heavy use of the company's network resources.
1.2.3. Extranet VPN
Used when information must be exchanged between the company's network and an external partner's network. This model requires stricter security policies than the previous one in order to restrict access to company resources.
1.3. Components of a VPN
A VPN may include the following basic components:
- Network Access Server (NAS)
- Router
- Tunnel Origination Server (TOS)
- Tunnel Termination Server (TTS)
- Authentication Server
- Firewall
- Policy Server
- VPN Gateway
1.3.1. VPN Gateway
1.3.2. Tunneling
A tunnel is a logical channel over which packets are encapsulated in a frame with new source and destination addresses (or using a new protocol). The addresses of the original packet are thus hidden inside the new packet. This is a measure that strengthens security and quality of service. The format of a packet inside a tunnel is as follows:
1.3.3. Tunneling protocols in VPN
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Forwarding (L2F)
- Layer 2 Tunneling Protocol (L2TP)
- Other proprietary protocols
a. PPTP (Point-to-Point Tunneling Protocol)
b. L2TP (Layer 2 Tunneling Protocol)
L2TP was created by combining the strengths of two protocols, PPTP and L2F (Layer 2 Forwarding, designed by Cisco). Microsoft and Cisco jointly produced L2TP.
L2F has much in common with PPTP. It was designed to work with PPP and other non-routable protocols, and is a layer-2 protocol. The main difference between PPTP and L2F is that tunneling in L2F does not depend on IP and GRE, which lets it work over other physical transmission media.
Besides using PPP to authenticate users, L2F also supports TACACS+ and RADIUS for authentication. L2F differs from PPTP in defining connections inside a tunnel, which allows one tunnel to carry multiple connections.
Like PPTP, L2F uses the functions of PPP to provide a remote access connection. L2TP defines its own tunneling protocol, based on the structure of L2F. This mechanism allows tunnels to be deployed not only over IP networks but also over packet-switched networks such as X.25, Frame Relay and ATM.
Figure 1.8. L2TP tunnel
c. IPSec
IPSec provides strong encryption, authentication and key management standards. With IPSec, the two parties can encrypt each packet and authenticate each other. IPSec has two modes of communication: transport mode and tunnel mode.
Components of IPSec:
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
d. SSL VPN (Secure Socket Layer VPN)
- Applications: IPSec VPN supports all IP-based applications. Once the IPSec channel is established, every application service, from traditional applications such as the Web, e-mail and file transfer to others such as ICMP, VoIP and multi-service applications, can pass through it. This is an advantage of IPSec VPN, particularly because it can provide secure connectivity for applications that are not Web-based. Clients that use IPSec for their VPN connection are therefore called fat clients, because of the range of applications and services they can use. By contrast, the applications and services reachable through an SSL VPN are more limited. SSL VPN provides web-based applications and e-mail (POP3, IMAP, SMTP). Clients need only an SSL-capable browser, or can make the VPN connection without installing client software. Most SSL VPN solutions do not support applications that use dynamic TCP ports such as FTP or VoIP. SSL VPN can nevertheless support some TCP-based applications through port forwarding programs, such as Terminal Services.
Summary of Chapter 1
Chapter 1 gives an overview of VPN technology. Besides the basic techniques, it covers the advantages and disadvantages of VPN, and the types of VPN in use today. For ordinary users, the most important role of a VPN is its high security and reasonable investment cost.
CHAPTER 2. SECURITY IN VPN
2.1. Security services
The most important aspect of applying virtual private network technology is security, or privacy. In most of its basic applications, privacy means that a tunnel between two users on a VPN behaves like a private link running over a shared environment such as the Internet. For enterprises in particular, connections must be secure, meaning the VPN needs to provide the following services to keep data safe:
- Authentication: ensures that data comes from a known source.
- Access control: restricts and denies unauthorized users access to the network.
- Confidentiality: prevents anyone from reading or copying data as it is transmitted over the Internet.
- Data integrity: ensures that data is not altered in transit over the Internet.
These services are provided at OSI layer 2 (data link) and layer 3 (network). Providing security services at the lower OSI layers makes them transparent to users.
2.1.1. Authentication
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Terminal Access Controller Access Control System (TACACS)
- Remote Authentication Dial-In User Service (RADIUS)
2.1.2. Digital signatures
2.1.3. Access control
2.1.4. Data confidentiality
2.1.5. Data integrity
2.2. Security in PPTP
Authentication: to authenticate users, PPTP uses the same methods as PPP: PAP and CHAP. PPTP additionally supports EAP (Extensible Authentication Protocol), which supports many authentication mechanisms such as one-time passwords and tokens. On Windows, the MS-CHAP user authentication protocol, which uses the MD4 hash algorithm, is also supported.
Encryption: PPTP uses PPP's packet encryption. Microsoft's PPTP uses the MPPE (Microsoft Point-to-Point Encryption) protocol, based on RSA's RC4 standard. MPPE is only available when EAP-TLS or MS-CHAP (version 1 or 2) is used for authentication.
MPPE can use 40-bit, 56-bit or 128-bit keys. By default, the strongest key supported by both the VPN client and the VPN server is selected during connection setup. If the VPN server requires a stronger key than the VPN client supports, the client is refused when it attempts to connect.
2.3. Security in L2TP
The security mechanisms are the same as PPP's authentication mechanisms: PAP, CHAP, MS-CHAP and EAP. As for encryption, L2TP itself provides no data encryption; it only inherits the encryption used by PPP. To strengthen security, L2TP can be combined with IPSec, in which case the L2TP packet is encapsulated in an IP packet.
Structure:
IP Header | UDP Header | L2TP Header | PPP Header | PPP Payload
Because the L2TP packet is encapsulated in an IP packet, IPSec can be applied to that packet to strengthen its security as it is transmitted across the network.
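As an added illustration (not part of the thesis), the following Python builds the IP | UDP | L2TP | PPP | PPP payload stack described above and then dissects it, showing that without IPSec every layer, down to the PPP payload, is readable on the wire. The addresses, tunnel and session IDs and payload are constructed sample values.

```python
import socket
import struct

# Constructed sample values for the example (not from the thesis).
L2TP_PORT = 1701         # UDP port registered for L2TP (RFC 2661)
PPP_PROTO_IPV4 = 0x0021  # PPP protocol number for an IPv4 payload

def ip_checksum(data):
    """Standard one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, payload_len, proto=17):
    """20-byte IPv4 header carrying UDP (protocol 17) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def l2tp_data_message(tunnel_id, session_id, payload, ns=None, nr=None):
    """L2TP data message (RFC 2661): flags/version word with the L bit (Length present),
    optional S bit (Ns/Nr present), then Tunnel ID and Session ID, then the PPP frame."""
    flags = 0x4000 | 0x0002                     # L bit set, T=0 (data message), Ver=2
    seq = b""
    if ns is not None:
        flags |= 0x0800                         # S bit: Ns/Nr follow the Session ID
        seq = struct.pack("!HH", ns, nr)
    length = 2 + 2 + 4 + len(seq) + len(payload)
    return struct.pack("!HHHH", flags, length, tunnel_id, session_id) + seq + payload

def encapsulate(src_ip, dst_ip, tunnel_id, session_id, inner_packet, ns=0, nr=0):
    """Build IP | UDP | L2TP | PPP | PPP payload for one tunnelled packet."""
    ppp = struct.pack("!BBH", 0xFF, 0x03, PPP_PROTO_IPV4) + inner_packet  # HDLC addr/ctrl + protocol
    l2tp = l2tp_data_message(tunnel_id, session_id, ppp, ns, nr)
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp  # checksum 0: none
    return ipv4_header(src_ip, dst_ip, len(udp)) + udp

def parse_l2tp(buf):
    """Parse the L2TP header, honouring the optional L, S and O fields; returns (fields, PPP frame)."""
    flags, = struct.unpack("!H", buf[:2])
    pos, info = 2, {"type": "control" if flags & 0x8000 else "data", "version": flags & 0x000F}
    if flags & 0x4000:                          # L bit: Length field present
        info["length"], = struct.unpack("!H", buf[pos:pos + 2]); pos += 2
    info["tunnel_id"], info["session_id"] = struct.unpack("!HH", buf[pos:pos + 4]); pos += 4
    if flags & 0x0800:                          # S bit: Ns/Nr present
        info["ns"], info["nr"] = struct.unpack("!HH", buf[pos:pos + 4]); pos += 4
    if flags & 0x0200:                          # O bit: Offset Size, then that many pad bytes
        offset, = struct.unpack("!H", buf[pos:pos + 2]); pos += 2 + offset
    return info, buf[pos:]

def dissect(datagram):
    """Walk IP -> UDP -> L2TP -> PPP. Every field, including the PPP payload, is plaintext:
    this is the exposure that wrapping the datagram in IPSec (AH/ESP) is meant to close."""
    ihl = (datagram[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(datagram[12:16]), socket.inet_ntoa(datagram[16:20])
    sport, dport, ulen, _ = struct.unpack("!HHHH", datagram[ihl:ihl + 8])
    l2tp, ppp = parse_l2tp(datagram[ihl + 8:ihl + ulen])
    _, _, ppp_proto = struct.unpack("!BBH", ppp[:4])
    return {"src": src, "dst": dst, "ip_proto": datagram[9], "udp_dport": dport,
            "l2tp": l2tp, "ppp_proto": ppp_proto, "ppp_payload": ppp[4:]}
```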
2.4. Security in IPSec
IPSec is an open standard that allows secure communication over public networks, using the DES and 3DES algorithms for encryption and decryption. Its two main components are the Authentication Header (AH) and the Encapsulating Security Payload (ESP).
2.4.1. Security in AH
2.4.2. Security in ESP
2.4.3. Key management and exchange
2.5. Multiprotocol Label Switching (MPLS)
2.5.1. Introduction to MPLS
MPLS is a technology that combines the best features of layer-3 routing and layer-2 switching, allowing packets to be forwarded very quickly in the core and routed well at the edge by relying on labels. MPLS improves packet forwarding by attaching a label to each IP packet, ATM cell or layer-2 frame. Label switching lets routers and MPLS-enabled ATM switches make forwarding decisions from the label's contents, which is better than complex routing on the destination IP address. MPLS combines the performance and switching capability of layer 2 with layer-3 routing, allowing ISPs to offer many different services without discarding their existing infrastructure. The MPLS architecture is flexible in combination with any layer-2 technology.
Characteristics of MPLS networks:
- There is no MPLS API and no MPLS protocol component on the host.
- MPLS resides only on the routers in the core network.
- MPLS is protocol independent, so it can work with protocols other than IP such as IPX, ATM, Frame Relay, etc.
- MPLS simplifies routing and increases the flexibility of the intermediate layers.
2.5.2. MPLS standardization
2.5.3. MPLS components
- LSR (Label Switch Router)
- Edge LSR
- Frame-based LSR
- ATM-LSR
- Label
- FEC (Forwarding Equivalence Class)
- Label stack
- LSP (Label Switched Path)
- ATM-LSR domain
2.5.4. MPLS operating modes
a. Frame mode
This mode applies when MPLS is used in an environment of pure routers that route IP packets point to point. Labelled packets are forwarded on the basis of layer-2 frames.
Forwarding an IP packet across an MPLS network takes the following basic steps:
- The ingress edge LSR receives the IP packet, classifies it into a forwarding equivalence class (FEC) and labels it with the label stack corresponding to that FEC. When routing to a destination address, the FEC corresponds to the destination subnet, and classification is simply a conventional layer-3 routing table lookup.
- A core LSR receives the labelled packet and uses its label forwarding table to replace the incoming local label in the packet with the corresponding outgoing label for the same FEC (in this case the IP subnet).
- When the egress edge LSR for this FEC receives the labelled packet, it removes the label and forwards the IP packet according to the conventional layer-3 routing table.
MPLS label header
In frame mode, the MPLS label is inserted between the layer-2 header and the layer-3 payload of the layer-2 frame, as shown below:
Figure 2.7. MPLS label in a layer-2 frame (figure labels: IP packet without a label in a layer-2 frame; IP packet with a label in a layer-2 frame; MPLS label)
Label switching in frame mode
- After receiving the layer-2 PPP frame from edge LSR 1, core LSR 1 immediately recognises the received packet as a labelled packet from the value of the PPP protocol field, and looks the label up in its forwarding database (LFIB - Label Forwarding Information Base).
- As a result, incoming label 30 is replaced by outgoing label 28, which corresponds to forwarding the packet to core LSR 3.
- There the label is checked, label 28 is replaced by label 37 and the outgoing port is determined. The packet is forwarded to edge LSR 4.
- At edge LSR 4, label 37 is removed and a layer-3 address lookup is performed; the packet is forwarded to the next router outside the MPLS network.
Label swapping is thus performed on the core LSRs on the basis of the routing table. This table must be fully updated so that every LSR (or router) in the MPLS network has complete information about all forwarding directions. This process takes place before information is transmitted in the network and is usually called label binding.
The switching steps above apply to packets carrying one label or several labels (when VPNs are used, one label is usually assigned permanently to the VPN server).
Label binding and distribution
When a new LSR appears in the MPLS network, or when the MPLS network is first initialised, the LSRs in the network must contact one another during discovery through Hello messages. After this message is sent, a session between the two LSRs is established. The exchange procedure is the LDP protocol.
As soon as the LIB (Label Information Base) is created in the LSR, a label is assigned to every FEC the LSR knows. For unicast routing, a FEC corresponds to a prefix in the IP routing table, and the mapping is held in the LIB. This mapping table is updated continuously: when new local routes appear, new labels are assigned to the new routes.
Because an LSR assigns a label to each IP prefix in its routing table as soon as the prefix appears there, and the label is the means other LSRs use when sending labelled packets to that LSR, this method of label assignment and distribution is called independent control with unsolicited downstream distribution.
Label bindings are advertised immediately to all routers over the LDP session.
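Worked example added here (not the thesis's own code) tying together the frame-mode forwarding steps, the label-switching walkthrough with labels 30, 28 and 37, and the independent-control, unsolicited-downstream label binding described above: each LSR binds a local label per prefix, advertises it to its LDP peers, builds its LFIB, and a packet is then pushed, swapped and popped along the path. The LSR names, the starting label values and the customer prefix 10.4.0.0/16 are constructed assumptions.

```python
import ipaddress
import struct

def encode_shim(label, exp=0, bos=1, ttl=64):
    """32-bit MPLS shim header (20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL)
    that frame mode inserts between the layer-2 header and the IP packet."""
    assert 0 <= label < (1 << 20)
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)

def decode_shim(frame):
    val, = struct.unpack("!I", frame[:4])
    return {"label": val >> 12, "exp": (val >> 9) & 7, "bos": (val >> 8) & 1, "ttl": val & 0xFF}

class LSR:
    """One label switch router: layer-3 routing table, LIB (local label per FEC),
    bindings learned from LDP peers, and the LFIB that forwarding consults."""
    def __init__(self, name, first_label):
        self.name, self.next_label = name, first_label  # first_label: constructed to match the walkthrough
        self.routes, self.lib, self.peer_bindings, self.lfib, self.peers = {}, {}, {}, {}, []

    def add_route(self, prefix, nexthop):
        self.routes[prefix] = nexthop
        # Independent control: bind a local label as soon as the prefix enters the routing table.
        self.lib[prefix] = self.next_label
        self.next_label += 1

    def fec_for(self, dst):
        """Classify a destination into its FEC: a plain longest-prefix routing table lookup."""
        addr = ipaddress.ip_address(dst)
        matches = [p for p in self.routes if addr in ipaddress.ip_network(p)]
        return max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)

def ldp_distribute(lsrs):
    """Downstream unsolicited distribution over the LDP sessions: every LSR advertises every
    LIB binding to every peer, then derives its LFIB (incoming label -> outgoing label, next hop)."""
    for lsr in lsrs:
        for peer in lsr.peers:
            for prefix, label in lsr.lib.items():
                peer.peer_bindings[(lsr.name, prefix)] = label
    for lsr in lsrs:
        for prefix, in_label in lsr.lib.items():
            nexthop = lsr.routes[prefix]
            # No binding from the next hop means it lies outside the MPLS domain: pop here (egress).
            lsr.lfib[in_label] = (lsr.peer_bindings.get((nexthop, prefix)), nexthop)

def forward(lsrs, ingress, dst, ip_packet):
    """Push at the ingress edge LSR, swap at each core LSR, pop at the egress edge LSR.
    Returns the IP packet handed to the router outside the MPLS domain and the hop trace."""
    lsr = lsrs[ingress]
    prefix = lsr.fec_for(dst)
    nexthop = lsr.routes[prefix]
    label = lsr.peer_bindings[(nexthop, prefix)]          # the next hop's own label for this FEC
    frame, trace = encode_shim(label) + ip_packet, [(lsr.name, "push", label)]
    lsr = lsrs[nexthop]
    while True:
        hdr = decode_shim(frame)
        out_label, nexthop = lsr.lfib[hdr["label"]]
        if out_label is None:
            trace.append((lsr.name, "pop", hdr["label"]))
            return frame[4:], trace                      # layer-3 lookup on the bare IP packet follows
        frame = encode_shim(out_label, hdr["exp"], hdr["bos"], hdr["ttl"] - 1) + frame[4:]
        trace.append((lsr.name, "swap", out_label))
        lsr = lsrs[nexthop]

def build_topology():
    """Constructed chain from the thesis walkthrough: edge LSR 1 -> core LSR 1 -> core LSR 3 ->
    edge LSR 4, with one FEC, the constructed customer prefix 10.4.0.0/16 behind edge LSR 4."""
    edge1, core1 = LSR("EdgeLSR1", 16), LSR("CoreLSR1", 30)
    core3, edge4 = LSR("CoreLSR3", 28), LSR("EdgeLSR4", 37)
    for a, b in ((edge1, core1), (core1, core3), (core3, edge4)):
        a.peers.append(b)
        b.peers.append(a)
    edge1.add_route("10.4.0.0/16", "CoreLSR1")
    core1.add_route("10.4.0.0/16", "CoreLSR3")
    core3.add_route("10.4.0.0/16", "EdgeLSR4")
    edge4.add_route("10.4.0.0/16", "CustomerCE")   # constructed customer edge router, outside MPLS
    lsrs = {lsr.name: lsr for lsr in (edge1, core1, core3, edge4)}
    ldp_distribute(lsrs.values())
    return lsrs
```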
b. Cell mode
Deploying MPLS over ATM has to resolve the following issues:
- IP packets cannot be exchanged directly between two adjacent MPLS nodes over an ATM interface. All data exchanged over an ATM interface must pass through an ATM virtual channel.
- ATM switches cannot inspect labels or layer-3 addresses. The only thing an ATM switch can do is map an incoming VC to an outgoing VC on the output interface.
MPLS therefore defines several mechanisms to make multiprotocol label switching work over ATM:
- IP packets of the control plane (control frames) cannot be exchanged directly over the ATM interface. A virtual channel (VC) must be established between two adjacent MPLS nodes to exchange control information.
- The top label in the label stack must be carried in the VPI/VCI values.
- The label assignment and distribution procedures must be modified so that ATM switches do not have to inspect layer-3 addresses.
2.5.5. Protocols used in MPLS networks
Several protocols take part in communication within an MPLS network, such as LDP and RSVP.
a. Label Distribution Protocol (LDP)
b. Constraint-based Routing LDP (CR-LDP)
c. Resource Reservation Protocol (RSVP)
2.6. Virtual private network applications in MPLS
2.6.1. Overlay VPN model
2.6.2. Peer-to-peer model
2.6.3. Virtual routers in MPLS VPN
2.6.4. MPLS VPN architecture
In the MPLS VPN architecture, the edge routers carry customer routing information and provide optimal routing for traffic between customer sites. The MPLS-based VPN model also lets customers use overlapping address spaces, unlike the traditional peer-to-peer model, where routing customer traffic required the provider to assign a distinct IP address space to each customer (or the customer to perform NAT) to avoid overlapping address spaces. MPLS VPN is a full implementation of the peer-to-peer model: the MPLS VPN backbone and the customer sites exchange layer-3 routing information, and data is forwarded between customer sites over the MPLS-enabled service provider IP backbone. An MPLS VPN domain, like a traditional VPN, consists of the customer's network and the provider's network. The MPLS VPN model resembles the dedicated PE router model among the peer-to-peer VPN implementations; however, instead of deploying separate PE routers for each customer, customer traffic is kept separate on the same PE router, giving many customers connectivity into the provider's network. The components of an MPLS VPN are shown in the following figure:
Figure 2.13. MPLS VPN architecture (figure labels: private LSP, public LSP)
2.6.5. Security issues in MPLS VPN
a. Routing security
b. Data security
c. Physical network security
2.6.6. Quality of service in MPLS VPN networks
Quality of service is described through parameters such as bandwidth, delay, packet loss rate and transmission rate. The terms QoS and CoS (class of service) are closely related but differ slightly: QoS is the guarantee of delivering a requested level of service, whereas CoS is the class of service requested by a packet, that is, by part of a particular application's traffic. Together they deliver services with the desired quality of service. At the entry point of a path the value of the CoS field is set; this CoS field is then examined by every QoS process running in the nodes along the path the packet travels, until the packet reaches its destination with the established quality of service.
Summary of Chapter 2
This chapter covered:
- Security services in the VPN protocols PPTP, L2TP and IPSec, including safety, availability, quality of service, reliability, compatibility and manageability.
- Multiprotocol Label Switching (MPLS):
  - operating modes
  - protocols used in MPLS networks
  - virtual private network applications in MPLS
CHAPTER 3. PRACTICAL DEPLOYMENT OF MPLS VPN
In today's economy, service providers' profits revolve around providing value-added services. According to Frost and Sullivan, the Asia-Pacific virtual private network (VPN) market was expected to reach USD 5.15 billion in 2009, an increase of more than 200% over 2003.
The research firm also stated that the market would grow 25.7% this year to more than USD 2 billion, from USD 1.687 billion the previous year. In 2003 the VPN market grew strongly in Japan, Australia and China. VPN is currently regarded as the fastest-growing telecommunications service market, estimated to grow 20.4% per year over the next six years.
Also according to Frost and Sullivan, Japan is the largest VPN market in Asia-Pacific with 60% of revenue, while Australia is second with 21%. By the end of 2009, however, China and India were predicted to be the region's two key VPN markets.
VPN services are very diverse, including e-commerce, IP telephony, managed security, remote backup, application hosting and multimedia applications. The choice and deployment of one of the VPN architectures, MPLS, IPSec or a combination of the two, affects market reach, the services offered and revenue.
In line with this trend, Vietnam Posts and Telecommunications Group has deployed MPLS in the VNPT core network. Edge LSRs will continue to be invested in and expanded at high-demand locations such as Hai Phong, Quang Ninh, Da Nang and Khanh Hoa, gradually migrating to an NGN. Service providers such as VDC and FPT also offer VPN services, which shows that the VPN/MPLS market has great potential and will keep growing in the future.
Besides foreign enterprises and representative offices, many domestic enterprises in finance, insurance and banking use this service. With MPLS-based VPN, organizations and enterprises can achieve many of their goals, such as greater control over the network infrastructure and multiple service classes for users.
3.1. Comparison of IPSec and MPLS
3.1.1. The role of MPLS
3.1.2. IPSec
3.1.3. Integrating IPSec VPN and MPLS VPN
Service providers gain the most by applying both IPSec and MPLS. For example, IPSec can be used for off-net traffic and for links that need strong authentication and high confidentiality, while MPLS in the core network provides broader connectivity and supports traffic engineering and quality of service.
Equipment vendors such as Cisco, Nokia Check Point and Juniper Networks offer solutions that let a service provider map IPSec sessions directly into an MPLS VPN. These approaches let service providers extend VPN services beyond the edge of an MPLS network over a public IP network infrastructure.
3.2. Deploying VPN at the bank
A bank is an institution responsible for managing money, and banking operations demand speed, accuracy and high security. To meet this, the State Bank of Vietnam is one of the leading units in applying modern information technology to its professional operations. With economic and international integration, applying e-commerce is inevitable, and security and safety in e-commerce must be ensured; alongside this, an automated electronic banking payment system is being built to expand e-banking services.
Aware of the importance of applying information technology to banking, the state banks built a modern information infrastructure from the outset, with LANs and WANs deployed at almost all provincial and city branches nationwide. Today this is the SBVNet system (the State Bank of Vietnam wide area network), serving management and administration, the funds transfer system and interbank payment.
Given the highly confidential nature of banking, the State Bank has deployed multi-layered security solutions: access control and monitoring tools, encryption of data in transit, firewalls, a certificate authority (CA) and digital signatures, to ensure the safety and security of payment transactions. Among these are the virtual private network solutions of Cisco, Check Point and Microsoft, which are used in computerizing state administration at the State Bank of Vietnam.
3.2.1. Microsoft's VPN solution
3.2.2. Cisco's VPN solution
Figure: MPLS VPN test topology built in GNS3. Service provider MPLS backbone: PE routers R2-PE (Loopback 0 2.2.2.2/32) and R4-PE (Loopback 0 4.4.4.4/32) and P router R3-P; links numbered by router pair 192.168.12.0/24, 192.168.23.0/24, 192.168.26.0/24, 192.168.34.0/24, 192.168.45.0/24 and 192.168.47.0/24. Customer A sites 1 and 2 (EIGRP AS 101, VPN-A) and Customer B sites 1 and 2 (EIGRP AS 201 and AS 202, VPN-B) attach through CE routers R1-CE, R5-CE, R6-CE and R7-CE with addresses 1.1.1.1/24, 5.5.5.5/24, 6.6.6.6/24 and 7.7.7.7/24.
Summary of Chapter 3
This chapter covered:
- The advantages and disadvantages of IPSec and MPLS
- Deploying MPLS VPN applications
CONCLUSION AND FUTURE WORK
Today, Internet applications are used widely in every field and everywhere in the world. The expansion of the Internet drives continuous improvement of network models and of the network services that transmit information securely and efficiently, meeting many requirements over many different network infrastructures. One of the important applications is the virtual private network.
Besides a general study of virtual private networks, the thesis analyses the types of VPN in use today, the remaining limitations of each model and the strengths of each model, in order to gain an overall view of each and choose the most effective way to apply it.
Many new technologies have emerged in the search for secure ways to transmit information over networks; one that is widely applied today is MPLS VPN. The thesis presents the concept and operation of MPLS technology, analysing the MPLS structure in depth as well as the way labelled packets travel securely through the network from a source address to a destination address.
It deploys MPLS-VPN in practice, compares the IPSec and MPLS virtual private network technologies, and on that basis deploys a VPN at the State Bank with the Cisco and Microsoft solutions.
The thesis nevertheless has several limitations: it has not been deployed on a real network, only on a simulated system, and it has not examined in detail how MPLS is actually deployed in a specific bank's operations.