1

HC VIN CNG NGH BU CHNH VIN THNG

TRN QUC TH

BO MT TRONG MNG RING O

CHUYN NGNH : TRUYN D LIU V MNG MY TNH

M S : 60.48.15

TM TT LUN VN THC S

NGI HNG DN KHOA HC:

TS. NGUYN TRNG NG

H NI - 2013

2

Lun vn c hon thnh ti:

HC VIN CNG NGH BU CHNH VIN THNG

Ngi hng dn Khoa hc: TS. Nguyn Trng ng

Phn bin 1: ................................................................................................

Phn bin 2: ................................................................................................

Lun vn s c bo trc Hi ng chm lun vn thc s ti Hc vin

Cng ngh Bu chnh Vin thng.

Vo lc gi Ngy thng 09 nm 2013

3

M U Ngy nay, s pht trin nhanh chng ca cc cng ngh vin thng tin tin

nh ISDN, ATM, ASDL v c bit l Internet trong cc nm qua ko theo s pht

trin hng lot cc dch v mi p ng cc nhu cu a dng ca vic ng dng cng

ngh thng tin. Mt trong cc loi dch v l cng ngh mng ring o - VPN

(Virtual Private Network)

Theo IETF, VPN l mng din rng s dng cc thit b, phng tin truyn

thng ca mng cng cng cng vi cc chc nng bo mt nh to ng hm

(tunnel), mt m ha d liu (encryption), xc thc (authentication) vi mc ch t

c tnh bo mt nh mt mng c thit lp dng ring.

Trong xu hng ton cu ha s ko theo s pht trin ca cc cng ty a quc

gia, cc chi nhnh hoc cc vn phng i din ca cc cng ty ln khng ph thuc

vo v tr a l, nhu cu truy cp t xa, xu hng hi nhp v m rng dn n s

pht trin ca dch v VPN l tt yu, l s kt hp hon ho gia Internet v cc

mng dng ring.

X hi ngy cng pht trin, nhu cu s dng cc dch v tc nghip trc tuyn

ngy cng cao, s pht trin mnh m ca nhiu nh cung cp dch v vi h thng

kin trc mng khc nhau cng cc trang thit b, sn phm vin thng a dng to

ra nhng thch thc, ro cn ln i vi mng dng ring trong vic kt ni cc mng

ny vi nhau, VPN chnh l mt gii php thch hp trong nhu cu ny.

Bn cnh , chi ph cho vic thit lp v qun tr mt mng din rng l rt

ln, trong khi s dng VPN va tit kim v vn bo m c tnh an ton v bo

mt, iu ny c ngha i vi cc cng ty c nhiu vn phng chi nhnh.

Hai cng ngh ni tri hn c ng dng to ra cc VPN l MPLS v

IPSec. Mi k thut c gi tr v v tr ring trong h thng mng. VPN MPLS trin

khai rt tt trong vng li (core) ca mng cc nh cung cp dch v. Trong khi

VPN IPSec rt ph hp vi cu hnh bo mt end-to-end. Vic thc thi m hnh mng

bao gm c VPN MPLS v IPSec s em li hiu qu li ch tt nht.

Cng ngh MPLS cung cp cc cng c ci thin k thut lu lng mng IP

cho php nh cung cp dch v d dng o c, gim st v p ng cc mc dch v

khc nhau. MPLS em n nhiu u im, tn dng s thng minh ca b nh tuyn

v tc chuyn mch, cung cp phng thc nh x gi tin IP vo kt ni c hng

nh ATM hoc FR. Ngoi ra cung cp c ch nh ngha QoS trong header MPLS.

MPLS s dng thng tin nh tuyn lp 3 thit lp bng nh tuyn v nh r ti

nguyn, ng thi s dng cc giao thc lp 2 (FR, ATM) chuyn mch hoc nh

hng thng tin trn ng dn tng ng. MPLS c coi l cng ngh mng tn

tin gii quyt c nhiu nhc im ca mng IP, ATM. V th cng ngh MPLS l

mt trong nhng la chn ph hp cho mng th h sau NGN.

Vi nhng l do trn, ti tp trung nghin cu bo mt trong mng ring o

VPN trn nn mng cng cng nh IPSec, MPLS, ng thi phn tch, thit k cc m

hnh, kin trc mng VPN/MPLS v a ra cc c s ng dng ti Ngn hng.

4

Mc tiu ca lun vn:

Tp trung nghin cu bo mt trong mng ring o VPN trn nn mng cng

cng nh IPSec, MPLS, ng thi phn tch, thit k cc m hnh, kin trc mng

VPN/MPLS v a ra cc c s trin khai trn m hnh thc t ca c quan, doanh

nghip

Tm hiu tng quan v mng ring o, nhng kin thc c bn v cc thnh

phn trn mng ring o, cc loi mng ring o v cc giao thc.

Nghin cu cc c ch an ninh, bo mt c s dng trong mng VPN: Xc

thc, m ha, ch k in t, to ng hm. Cng ngh chuyn mch nhn a giao

thc MPLS - MPLS/VPN.

Trin khai MPLS/VPN

i tng nghin cu:

- Bo mt trong mng ring o VPN trn nn tng cng ngh chnh l IPSec v

MPLS

- Nghin cu bi ton c th vi vic kt ni gia cc Khch hng trn mng li

ca nh cung cp trn phn mm m phng GNS3. Trong m hnh trin khai chia lm

hai phn: Customer (Khch hng, Ngn hng), Service Provider (Nh cung cp dch

v) trao i thng tin.

Phng php nghin cu:

- Nghin cu cc ti liu, bo co trong nc v nc ngoi c lin quan k

thut chuyn mch nhn a giao thc MPLS

- Tin hnh ci t v th nghim

5

CHNG I: TNG QUAN V CNG NGH MNG RING O VPN

1.1. Gii thiu v VPN

Vn an ninh, bo mt trong h thng mng ang rt c quan tm, nht l

khi c s h tng v cng ngh mng WAN dn p ng tt cc yu cu v bng

thng, cht lng dch v, ng thi vn tn cng trn mng vi mc ch chnh tr

v kinh t gia tng nhanh chng th bo mt ngy cng c quan tm. An ninh mng

khng ch quan trng i vi cc nh cung cp dch v ISP m cn c ngha quyt

nh i vi cc c quan chnh ph v cc doanh nghip. Cc gii php cho h thng

WAN nh s dng ng dy thu ring (Leaseline), FR khng c s mm do linh

hot v mt kt ni, m rng mng cng nh an ton thng tin, chi ph li rt cao, cc

gii php tng la cng ch m bo chng li cc cuc tn cng t bn ngoi ti h

thng vo cn thng tin trn ng truyn th c th c c, nguy c b sao chp v

n cp thng tin cao. Khi a ra gii php an ninh bo mt ton din cho mt h thng

mng th khng th khng nhc n gii php mng ring o VPN

S ra i ca mng ring o VPN gii quyt vn bo mt, tit kim chi

ph, linh hot trong vic qun l cc site v khch hng quay s t xa, cng nh h tr

tt nhng cng ngh, giao thc mi.

Khi mng ring o tr nn thng dng v khng th thiu i vi cc doanh

nghip cc nc pht trin, v iu thc s mng li li ch ln cho doanh nghip,

bi an ton thng tin gn lin vi s pht trin ca doanh nghip.

Mng ring o (VPN) hot ng trn nn giao thc IP ngy cng tr nn ph

bin. Cng ngh ny cho php to lp mt mng ring thng qua c s h tng chung

ca nh cung cp dch v (ISP). Cc k thut m bo an ninh khc nhau c p

dng bo v thng tin ca ngi s dng khi trao i trong mt mi trng chia s

nh Internet.

Mng ring o VPN l mt mi trng thng tin vic truy nhp c kim

sot v ch cho php thc hin kt ni thuc phm vi c xc nh trc. VPN

c xy dng thng qua vic chia s cc phng tin, mi trng truyn thng

chung. Vic cung cp cc dch v cho mng ring c thc hin thng qua cc

phng tin, mi trng ny.

Mng ring o VPN l mt mng ring c xy dng trn c s h tng ca

mng Internet.

6

Hnh 1.1. M hnh c bn VPN

1.2. Phn loi VPN

C hai loi mng ring o VPN l: VPN truy cp t xa v VPN kt ni hai

mng vi nhau, cn c gi l site to site hay LAN to LAN VPN.

1.2.1. VPN truy cp t xa (Remote access VPN)

VPN truy cp t xa (hnh 1.2) c dng cho nhng user lm vic di ng, cn

phi truy cp an ton ti mng ring ca cng ty t bt k v tr a l no thng qua

mt mi trng chia s, thng dng nh mng Internet. Mt s vn phng nh cng c

th s dng kiu truy cp ny ni vi mng ring ca cng ty mnh.

1.2.2. Intranet VPN

VPN kt ni hai mng vi nhau (site to site VPN) c chia lm hai loi l

Intranet VPN v Extranet VPN. V mt m hnh mng th hai loi trn khng khc

nhau nhng khc nhau v chnh sch bo mt. c s dng kt ni cc vn phng,

chi nhnh trong cng mt cng ty, cung cp kt ni tin cy, s dng nhiu ti nguyn

mng ca Cng ty.

1.2.3. Extranet VPN

c s dng khi c nhu cu trao i thng tin gia mng ca cng ty vi

mng ca i tc bn ngoi. Vi m hnh ny i hi cc chnh sch bo mt cao hn

so vi m hnh trn hn ch vic truy cp cc ti nguyn ca cng ty.

1.3. Cc thnh phn trong mng VPN

Mt mng VPN c th bao gm cc thnh phn c bn sau:

- My phc v truy cp mng NAS - Network Access Server

- B nh tuyn - Router

- My ngun ng hm TOS - Tunnel Origination Server

- My ch ng hm TTS - Tunnel Termination Server

- My phc v xc thc - Authentication Server

- Tng la (Firewall)

- My phc v thit lp chnh sch (Policy Server)

- VPN Gateway

1.3.1. VPN Gateway

1.3.2. ng hm (Tunneling)

ng hm l khi nim ch mt knh logic trn cc gi tin c ng

trong mt khung vi a ch ngun v a ch ch mi (hoc s dng giao thc mi).

Nh vy, phn a ch ca gi tin ban u s c n trong gi tin mi. y l bin

php tng cng an ninh v cht lng dch v. nh dng gi tin trong ng hm c

dng

1.3.3. Cc giao thc to ng hm trong VPN

7

Giao thc ng hm im ni im (PPTP)

Giao thc chuyn tip lp 2 (L2F)

Giao thc to ng hm lp hai (L2TP)

Cc giao thc ring khc.

a. Giao thc PPTP (Point-to-point Tunning Protocol)

b. Giao thc L2TP (Layer 2 Tunneling Protocol)

L2TP c to ra bng cch kt hp cc u im ca hai giao thc PPTP v L2F

(Layer 2 Forwarding - do Cisco thit k). Hai cng ty Microsoft v Cisco cng hp

tc a ra giao thc L2TP.

L2F c nhiu im ging PPTP. L2F c thit k lm vic vi PPP v cc

giao thc khng nh tuyn khc. L2F l mt giao thc thuc lp hai. im khc nhau

chnh gia PPTP v L2F l vic to ng hm trong L2F khng ph thuc vo IP v

GRE, iu ny cho php lm vic vi cc phng tin truyn vt l khc.

L2F ngoi vic s dng PPP xc thc ngi dng cn h tr cho TACACS+ v

RADIUS xc thc. L2F khc PPTP vic nh ngha cc kt ni bn trong mt

ng hm, cho php mt ng hm h tr nhiu kt ni.

Ging nh PPTP, L2F s dng chc nng ca PPP cung cp mt kt ni truy

cp t xa. L2TP nh ngha giao thc to ng hm ring, da trn cu trc ca L2F.

C cu ny cho php trin khai ng hm khng ch trn mng IP m cn trn cc

mng chuyn mch gi nh X25, Frame Relay v ATM.

Hnh 1.8. ng hm L2TP

c. Giao thc IPSec

IPSec cung cp cc chun m ha, xc thc v qun l kha mnh. S dng

IPSec, hai bn tham gia c th m ha tng gi tin cng nh xc thc ln nhau. C hai

ch thng tin c s dng trong IPSec l giao vn v ng hm.

Thnh phn ca IPSec:

Authentication Header (AH)

Encapsulating Security Payload (ESP)

d. SSL VPN (Secure Socket Layer VPN)

- ng dng: IPSec VPN h tr tt c cc ng dng trn nn tng IP. Mt khi

knh IPSec c thit lp, tt c cc dch v ng dng t cc ng dng truyn thng

8

nh Web, th in t, truyn tp n ng dng khc nh: ICMP, VoIP , cc ng

dng a dch v cho php i qua knh ny. y l mt u im ca IPSec VPN,

nht l IPSec VPN c th cung cp kt ni an ton cho cc ng dng khng da trn

nn Web. V vy, cc my khc dng IPSec thc hin kt ni VPN c gi l fat-

client do kh nng ng dng v dch v. Trong khi kh nng truy cp cc ng dng,

dch v ca SSL VPN hn ch hn. SSL VPN cung cp cc ng dng da trn nn

web: Email (POP3, IMAP, SMTP). Cc my khch ch cn dng trnh duyt c h tr

SSL, hoc thc hin kt ni VPN m khng cn ci t phn mm client. a s cc

gii php SSL VPN khng cung cp cc ng dng dng cng TCP ng nh FTP hay

VoIP. Tuy nhin, SSL VPN cng h tr c mt s ng dng trn nn TCP s dng

chng trnh chuyn tip cng nh: Terminal Services

Tng kt chng 1

Trong chng mt gii thiu khi qut v k thut VPN. Bn cnh nhng k

thut c bn, cn c cc u im cng nh nhc im ca VPN. Chng mt ny

cng cp n cc dng ca mng VPN hin ti. i vi ngi dng ph thng th

vai quan trng nht ca VPN chnh l kh nng bo mt cao v chi ph u t hp l.

9

CHNG 2.BO MT TRONG VPN

2.1. Cc dch v bo mt

iu quan trong nht trong ng dng cng ngh mng ring o l tnh bo mt

hay tnh ring t. Trong hu ht cc ng dng c bn ca n, tnh ring t mang

ngha l mt ng hm gia 2 ngi dng trn mt mng VPN nh mt lin kt ring

chy trn mi trng chung nh Internet. c bit i vi doanh nghip trong kt ni

phi mang tnh bo mt, ngha l VPN cn cung cp cc dch v gii hn m bo

an ton cho d liu:

- Xc thc (Authentication): m bo d liu n t mt ngun xc nh

- iu khin truy cp (Access Control): hn ch, khng cho php nhng ngi

dng bt hp php truy cp vo mng.

- Tin cy (Confidentiality): ngn khng cho mt ai c hay sao chp d liu

khi d liu c truyn i qua mng Internet.

- Tnh ton vn d liu (Data integrity): m bo d liu khng b thay i khi

truyn trn mng Internet.

Cc dch v trn c cung cp ti lp 2 - Lin kt d liu v lp 3 - lp mng

ca OSI. Vic pht trin cc dch v bo mt ti cc lp thp ca OSI lm cho cc dch

v ny tr nn trong sut i vi ngi dng.

2.1.1. Xc thc

- Giao thc xc thc mt khu PAP (Password Authentication Protocol):

- Giao thc bt tay theo yu cu CHAP (Challenge Handshake Authentication

Protocol)

- H thng iu khin truy cp b iu khin u cui - TACACS

- Dch v xc thc ngi dng thng qua quay s - RADIUS

2.1.2. Ch k in t

2.1.3. Kim sot truy cp

2.1.4. Tnh b mt d liu

2.1.5. Tnh ton vn d liu

2.2. Bo mt trong giao thc PPTP

Xc thc: xc thc ngi s dng, PPTP cng s dng cc phng php xc

thc ging nh PPP: PAP, CHAP. Tuy nhin, PPTP c b sung EAP (Extensible

authentication protocol). EAP h tr nhiu c ch xc thc s dng mt khu tc thi,

th bi Ring i vi h iu hnh Windows cn h tr thm giao thc xc thc

ngi dng l MS-CHAP s dng thut ton bm MD4

10

M ha: PPTP s dng m ha gi tin ca PPP. i vi PPTP do Microsoft a

ra s dng giao thc m ha MPPE (Microsoft Point to Point Encryption) da trn

chun RC4 RSA. MPPE ch p ng trong trng hp cc giao thc xc thc EAP-

TLS hoc MS-CHAP (phin bn 1 hoc 2) c s dng.

MPPE c th dng cc kha m 40-bit, 56 bit hoc 128 bit. Ngm nh kha c

tin cy cao nht c h tr bi VPN Client v VPN Server c xc nh trong

qu trnh thit lp kt ni. Nu VPN server yu cu mt kha c tin cy cao hn

kha c h tr bi VPN Client, th Client s b t chi khi c gng truy cp.

2.3. Bo mt trong giao thc L2TP

C ch bo mt ging nh trong c ch xc thc ca PPP: PAP, CHAP, MS-

CHAP, EAP. V mt m ha, bn thn L2TP khng cung cp dch v m ha d liu.

N ch k tha vic s dng m ha ca PPP. Tuy nhin nng cao bo mt, c th

kt hp L2TP vi IPSec. Lc ny gi tin L2TP s c ng gi trong mt gi itn IP.

Cu trc:

IP Header UDP Header L2TP Header PPP Header PPP Payload

Do gi tin L2TP c ng gi trong mt gi tin IP, cho nn c th p dng giao

thc IPSec cho gi tin ny tng cng tnh bo mt khi n c truyn qua mng.

2.4. Bo mt trong IPSec

IPSec l chun m, cho php truyn tin bo mt trn mng cng cng da trn

thut ton DES, 3DES nhm thc hin vic m ha v gii m. C hai thnh phn

chnh ca IPSec l: Xc thc header (AH) v phng thc bo mt ti tin (ESP).

2.4.1. Bo mt trong AH

2.4.2. Bo mt trong ESP

2.4.3. Qun l v trao i kha

2.5.Cng ngh chuyn mch nhn a giao thc MPLS

2.5.1. Gii thiu cng ngh MPLS

MPLS l mt cng ngh kt hp c im tt nht gia nh tuyn lp ba v

chuyn mch lp hai cho php chuyn ti cc gi rt nhanh trong mng li (core) v

nh tuyn tt mng bin (Edge) bng cch da vo nhn (Label). MPLS l mt

phng php ci tin vic chuyn tip gi trn mng bng cc nhn c gn vi mi

gi IP, t bo ATM, hoc frame lp hai. Phng php chuyn mch nhn gip cc

Router v MPLS-Enable ATM switch ra quyt nh theo ni dung nhn tt hn vic

nh tuyn phc tp theo a ch IP ch. MPLS kt hp tnh thc thi v kh nng

chuyn mch lp hai vi nh tuyn lp ba. Cho php cc ISP cung cp nhiu dch v

khc nhau m khng cn phi b i c s h tng sn c. Cu trc MPLS c tnh mm

do trong bt k s phi hp vi cng ngh lp hai no.

11

c im mng MPLS:

- Khng c MPLS API, cng khng c thnh phn giao thc pha host.

- MPLS ch nm trn cc router trong mng li.

- MPLS l giao thc c lp nn c th hot ng cng vi giao thc khc IP nh

IPX, ATM, Frame Relay,

- MPLS gip n gin ho qu trnh nh tuyn v lm tng tnh linh ng ca

cc tng trung gian.

2.5.2. Chun ha MPLS

2.5.3. Cc thnh phn ca MPLS

- LSR (Label switch router)

- LSR bin

- LSR da trn khung

- ATM-LSR

- Label - nhn

- FEC (forwaring equivalence classes)

- Ngn xp nhn (Label stack)

- LSP (path)

- Min ATM-LSR

2.5.4. Cc ch hot ng ca MPLS

a. Ch hot ng khung

Ch hot ng ny xut hin khi s dng MPLS trong mi trng cc thit b

nh tuyn thun nht nh tuyn cc gi tin IP im - im. Cc gi tin gn nhn c

chuyn tip trn c s khung lp 2.

Qu trnh chuyn tip mt gi IP qua mng MPLS c thc hin qua mt s

bc c bn sau:

LSR bin li vo nhn gi IP, phn loi gi vo nhm chuyn tip tng

ng FEC v gn nhn cho gi vi ngn xp nhn tng ng FEC xc

nh. Trong trng hp nh tuyn mt a ch ch, FEC s tng ng vi

mng con ch v vic phn loi gi s n gin l vic so snh bng nh

tuyn lp 3 truyn thng.

LSR li nhn gi c nhn v s dng bng chuyn tip nhn thay i

nhn ni vng trong gi n vi nhn ngoi vng tng ng cng vi vng

FEC (trong trng hp ny l mng con IP)

Khi LSR bin li ra ca vng FEC ny nhn c gi c nhn, n loi b

nhn v thc hin vic chuyn tip gi IP theo bng nh tuyn lp 3 truyn

thng.

12

Header nhn MPLS

Trong ch hot ng khung, nhn MPLS c chn vo gia header lp 2 v

ni dung thng tin lp 3 ca khung lp 2 nh hnh di y:

Hnh 2.7. Nhn MPLS trong khung lp 2

Chuyn mch nhn trong ch khung

- Sau khi nhn khung PPP lp 2 t router bin LSR bin s 1, LSR li 1 lp tc

nhn dng gi nhn c l gi c nhn da trn gi tr trng giao thc PPP v thc

hin vic kim tra nhn trong c s d liu chuyn tip (LFIB - Label forwarding

Information Base).

- Kt qu nhn vo l 30 c thay bng nhn ra 28 tng ng vi vic gi tin

s c chuyn tip n LSR li 3.

- Ti y nhn c kim ra, nhn s 28 c thay bng nhn s 37 v cng ra

c xc nh. Gi tin c chuyn tip n LSR bin s 4.

- LSR bin s 4, nhn 37 b loi b v vic kim tra a ch lp 3 c thc hin,

gi tin c chuyn tip n nt router tip theo ngoi mng MPLS.

Nh vy qu trnh chuyn i nhn c thc hin trn cc LSR li da trn

bng nh tuyn. Bng nh tuyn ny phi c cp nht y m bo mi LSR

(hay router) trong mng MPLS c y thng tin v tt c cc hng chuyn tip.

Qu trnh ny xy ra trc khi thng tin c truyn trong mng v thng thng

c gi l qu trnh lin kt nhn (label binding).

Cc bc chuyn mch trn c p dng i vi cc gi tin c nhn hay gi tin

c nhiu nhn (trong trng hp s dng VPN thng thng mt nhn c gn c

nh cho VPN server).

Qu trnh lin kt v lan truyn nhn

Khi xut hin mt LSR mi trong mng MPLS hay bt u khi to mng

MPLS, cc thnh vin LSR trong mng MPLS phi c lin lc vi nhau trong qu

trnh khai bo thng qua bn tin Hello. Sau khi bn tin ny c gi mt phin giao

dch gia 2 LSR c thc hin. Th tc trao i l giao thc LDP.

Gi IP khng

nhn trong khung

lp 2

Gi IP c nhn

trong khung lp 2 Nhn MPLS

13

Ngay sau khi LIB (c s d liu nhn) c to ra trong LSR, nhn c gn

cho mi FEC m LSR nhn bit c. i vi nh tuyn da trn unicast, FEC tng

ng vi prefix trong bng nh tuyn IP v bng chuyn i cha trong LIB. Bng

chuyn i nh tuyn ny c cp nht lin tc khi xut hin nhng tuyn ni vng

mi, nhn mi s c gn cho tuyn mi.

Do LSR gn nhn cho mi IP prefix trong bng nh tuyn ca chng ngay sau

khi prefix xut hin trong bng nh tuyn v nhn l phng tin c LSR khc s

dng khi gi gi tin cho nhn n chnh LSR nn phng php gn v phn phi

nhn ny c gi l nhn iu khin c lp vi qu trnh phn phi ngc khng

yu cu.

Vic lin kt cc nhn c qung b ngay n tt c cc router thng qua phin

LDP.

b. Ch hot ng t bo

Khi thc hin trin khai MPLS qua ATM cn phi gii quyt mt s vn sau:

Khng thc hin trao i trc tip cc gi IP gia 2 nt MPLS cn k qua

giao din ATM. Tt c cc s liu trao i qua giao din ATM phi thc

hin qua knh o ATM.

Cc tng i ATM khng th thc hin vic kim tra nhn hay a ch lp 3.

Kh nng duy nht ca tng i ATM l chuyn i VC u vo sang

VC u ra ca giao din ra.

Do , MPLS xy dng mt s c ch m bo thc thi chuyn mch nhn

a giao thc qua ATM nh sau:

Cc gi IP trong mng iu khin (Control Frame) khng th trao i trc

tip qua giao din ATM. Mt knh o VC phi c thit lp gia 2 nt

MPLS cn k trao i gi thng tin iu khin.

Nhn trn cng trong ngn xp nhn phi c s dng cho cc gi tr

VPI/VCI.

Cc th tc gn v phn phi nhn phi c sa i m bo cc tng

i ATM khng phi kim tra a ch lp 3.

2.5.5. Cc giao thc s dng trong mng MPLS

Tham gia vo qu trnh truyn thng tin trong mng MPLS c mt s giao thc

nh LDP, RSVP.

a. Giao thc phn phi nhn LDP

b. Giao thc nh tuyn cng bc CR-LDP

c. Giao thc bo hiu RSVP

2.6. ng dng mng ring ring o trong MPLS

14

2.6.1. M hnh Overlay VPN

2.6.2. M hnh ngang hng

2.6.3. Cc b nh tuyn o trong MPLS VPN

2.6.4. Kin trc MPLS VPN

Trong kin trc mng MPLS VPN, cc router bin mang thng tin nh tuyn

khch hng, cung cp nh tuyn ti u cho lu lng gia cc site ca khch hng.

M hnh MPLS-based VPN cng gip cho khch hng s dng khng gian a ch

trng lp (Overlapping address spaces), khng ging nh m hnh peer-to-peer truyn

thng trong vic nh tuyn lu lng khch hng yu cu nh cung cp phi gn a

ch IP ring cho mi khch hng (hoc khch hng phi thc hin NAT) trnh trng

lp khng gian a ch. MPLS VPN l mt dng thc thi y ca m hnh peer-to-

peer. MPLS VPN backbone v cc site khch hng trao i thng tin nh tuyn lp 3,

v d liu c chuyn tip gia cc site khch hng s dng MPLS-enable SP IP

Backbone. Min (domain) MPLS VPN, ging nh VPN truyn thng, gm mng ca

khch hng v mng ca nh cung cp. M hnh MPLS VPN ging vi m hnh router

PE dnh ring (dedicated PE router model) trong cc dng thc thi VPN ngang cp

peer-to-peer VPN. Tuy nhin, thay v trin khai cc router PE khc nhau cho tng

khch hng, lu lng khch hng c tch ring trn cng router PE nhm cung cp

kh nng kt ni vo mng ca nh cung cp cho nhiu khch hng. Cc thnh phn

ca mt MPLS VPN c trnh by trong hnh sau:

Hnh 2.13. Kin trc MPLS VPN

LSP ring

LSP cng cng

2.6.5. Vn bo mt trong MPLS VPN

a. Bo mt nh tuyn

b. Bo mt d liu

15

c. Bo mt mng vt l

2.6.6. Cht lng dch v trong mng MPLS VPN

Cht lng dch v c m t thng qua cc thng s bng thng, tr, t l

mt gi tin, tc truyn Thut ng QoS v CoS (class of service) c s lin quan

cht ch vi nhau nhng cng c s khc bit nh. QoS l s m bo v vic cung

cp mt mc dch v yu cu, cn CoS l loi ca dch v c yu cu bi mt gi

ngha l mt phn ca lu lng ng dng c bit. Chng c kt hp vi nhau

cung cp cc dch v c cht lng dch v nh mong mun. Bt u t im vo ca

mt tuyn, gi tr trng CoS c n nh. Trng CoS ny sau c phn tch

bi mi qu trnh QoS hot ng trong cc nt dc theo tuyn ng gi di chuyn

cho ti khi gi t ti ch ca n vi cht lng dch v c thit lp.

Tng kt chng 2

Trong chng ny tm hiu v:

- Cc dch v bo mt trong VPN: PPTP, L2TP, IPSec bao gm:

an ton, tnh sn sng, cht lng dch v, tin cy, tnh tng thch

v tnh c th qun l c.

- Cng ngh chuyn mch nhn a giao thc MPLS:

Cc ch hot ng

Cc giao thc s dng trong mng MPLS

ng dng mng ring o trong MPLS

16

CHNG 3. TRIN KHAI VPN MPLS THC T

Trong nn kinh t hin nay, li nhun ca nh cung cp dch v xoay quanh

trong tm cung cp cc dch v gi tr gia tng. Theo hng Frost and Sullivan, th

trng mng ring o (VPN) khu vc chu - Thi Bnh Dng d kin t 5,15 t

USD vo nm 2009, tng hn 200% so vi nm 2003.

Cng ty nghin cu cng cho bit th trng ny nm nay s tng 25,7%, t hn

2 t USD, t con s 1,687 t USD ca nm ngoi. Nm 2003, th trng mng ring

o pht trin mnh ti Nht Bn, Australia v Trung Quc. VPN hin c coi l th

trng dch v vin thng c tc pht trin nhanh nht, c tng 20,4% mi nm

trong vng 6 nm na.

Cng theo Frost and Sullivan, Nht Bn l th trng VPN ln nht chu -

Thi Bnh Dng, chim 60% doanh thu, trong khi Australia ng th hai vi 21%.

Tuy nhin, n cui nm 2009, Trung Quc v n c d on l hai th trng

VPN trng im ca khu vc

Cc dch v mng ring o rt a dng bao gm thng mi in t, in thoi

IP, an ninh qun l, sao lu t xa, thu ng dng v cc ng dng a phng tin

S la chn v trin khai mt trong cc kin trc ca VPN - MPLS, IPSec hay l s

phi hp ca c hai cu trc s nh hng n phm vi th trng, cc dch v cung

cp v doanh thu.

Trong xu hng pht trin . Tng cng ty Bu chnh vin thng Vit Nam

trin khai MPLS trong mng li ca VNPT. Cc LSR bin s c tip tc u t v

m rng ti cc im c nhu cu ln nh Hi Phng, Qung Ninh, Nng, Khnh

Ha , tng bc chuyn i sang mng NGN. Cc nh cung cp dch v nh VDC,

FPT . Cng a ra cc dch v mng ring o, iu ny cho thy th trng

VPN/MPLS y tim ny v cn pht trin trong tng lai.

i tng s dng khng k cc Doanh nghip v vn phng i din nc

ngoi, c rt nhiu DN trong nc trong lnh vc ti chnh, bo him, ngn hng s

dng dch v ny. Vi VPN da trn MPLS, cc t chc, doanh nghip c th t

c nhiu mc tiu ca mnh nh iu khin nhiu hn trn h tng mng, cung cp

a lp dch v cho ngi dng.

3.1. So snh IPSec v MPLS

3.1.1. Vai tr ca MPLS

3.1.2. IPSec

3.1.3. Tch hp VPN IPSec v VPN MPLS

Nh cung cp dch v c th t c cc li ch cao nht khi p dng c hai

cng ngh IPSec v MPLS. V d, c th s dng IPSec cho cc giao thng off-net, v

17

ng truyn cn c xc thc tt v tnh tin cn cao v s dng MPLS mng li cho

kt ni rng m hn, ng thi h tr cc k thut nh tuyn lu lng v cht lng

dch v.

Cc nh sn xut thit b nh Cisco, Nokia Checkpoint, Juniper network c th

cung cp cc gii php cho php nh cung cp dch v ghp cc phin IPSec trc tip

vo mt VPN MPLS. Cc tip cn ny gip cc nh cung cp dch v m rng cc

dch v VPN ra ngoi bin ca mt mng MPLS thng qua vic s dng mt c s h

tng mng IP cng cng.

3.2. Trin khai ng dng VPN ti Ngn hng

Ngn hng l c quan c chc nng qun l tin t, cc hot ng ti ngn hng

i s nhanh chng, chnh xc v an ton cao. p ng iu , Ngn hng nh

nc VN l mt trong n v i u trong lnh vc ng dng cng ngh thng tin hin

i nhm mc ch phc v cho hot ng chuyn mn nghip v ca mnh. Trong xu

hng hi nhp kinh t, quc t, vic ng dng thng mi in t (TMT) l tt yu

nhm m bo an ninh, an ton trong TMT. Bn cnh xy dng h thng thanh

ton in t ngn hng t ng m rng cc dch v ngn hng in t.

thc c tm quan trng ca vic ng dng cng ngh thng tin vo lnh vc

ngn hng, ngay t u cc ngn hng nh nc xy dng c s h tng thng tin

hin i, vi mng LAN, WAN c trin khai hu ht cc chi nhnh Tnh, Thnh ph

trn ton quc. Hin nay l h thng mng SBVNet (Mng din rng ca Ngn hng

nh nc Vit Nam Sate Bank of Vietnam and Wide computer Network) phc v iu

hnh qun l, h thng chuyn tin, thanh ton lin ngn hng

Vi c th ca ngnh ngn hng mang tnh bo mt cao, NHNN trin khai

cc gii php an ninh nhiu lp, trang b cc cng c kim sot v gim st truy nhp,

m ha d liu trn ng truyn, s dng tng la, h thng chng thc (CA) v

ch k in t nhm m bo an ton, bo mt tuyt i cho cc giao dch thanh ton.

Trong phi k n thit lp mng ring o ca Cisco, Checkpoint v ca Microsoft

c s dng n tin hc ha qun l hnh chnh nh nc - Ngn hng Nh nc

Vit Nam

18

3.2.1. Gii php VPN ca Microsoft

3.2.2. Gii php VPN ca Cisco

19

Customer A

Site 1

EIGRP AS 101

Customer A

Site 2

EIGRP AS 101

Customer B

Site 2

Customer B

Site 1

EIGRP AS 202EIGRP AS 201

5.5.5.5/241.1.1.1/24

7.7.7.7/246.6.6.6/24

VPN-B

VPN-A VPN-A

VPN-B

F0/0.1

192.168.12.0/24

F0/0

.2

2

S1/3

S1/3

.4

.3.3

S1/2 S1/0

F0/1

F0/0

F0/0 .5

F0/1.7

.4F0/1

.2

F0/1 .6

Loopback 0

2.2.2.2/32

192.1

68.23

.0/24

192.168.34.0/24

Loopback 0

4.4.4.4/32

.4

192.

168.

45.0

/24

192.168.47.0/24192.

168.

26.0

/24

Mng trc ca nh cung cp dch

v MPLS

R1-CE R5-CE

R6-CE R7-CE

R3-P

R2-PE R4-PE

Tng kt chng 3

Trong chng ny tm hiu v:

- IPSec v MPLS u v nhc im

- Trin khai ng dng MPLS VPN

20

KT LUN V HNG PHT TRIN

Ngy nay, cc ng dng Internet c s dng rng ri trong mi lnh vc,

khp mi ni trn th gii. S m rng ca Internet ko theo s ci tin khng ngng

ca cc m hnh mng, ko theo l cc dch v mng p ng nhu cu truyn

thng tin mt cch an ton, hiu qu, p ng c nhiu yu cu trn nhiu h tng

mng khc nhau. Mt trong nhng ng dng quan trng l mng ring o.

Bn cnh tm hiu chung v mng ring o, lun vn cn phn tch cc loi mng

ring o hin nay, nhng hn ch cn tn ti trong mi m hnh, nhng th mnh ca

mi m hnh t c ci nhn tng quan v mi m hnh t la chn p dng

vo mi m hnh sao cho c hiu qa nht.

Hin nay c nhiu cng ngh mi ra i nhm nghin cu phng thc truyn

tin trn mng mt cch an ton mt trong nhng cng ngh ang c ng dng rng

ri hin nay l MPLS VPN. Lun vn trnh by khi nim v phng thc hot

ng ca cng ngh MPLS i su vo phn tch cu trc MPLS cng nh cch thc

truyn gi tin gn nhn i trong mng t mt a ch ngun ti mt a ch ch mt

cch an ton.

Trin khai MPLS-VPN trong thc t, so snh hai cng ngh mng ring o IPSec

v MPLS, trn c s trin khai ng dng mng ring o VPN ti ngn hng nh

nc vi gii php ca Cisco v Microsoft.

Tuy nhin lun vn cn nhiu hn ch: cha trin khai c trn h thng mng

thc t, ch thc hin trn h thng m phng, cha tm hiu k v MPLS c trin

khai thc t trong hot ng Ngn hng c th.

21

TI LIU THAM KHO

TI LIU TING VIT

1. Nghin cu cng ngh chuyn mch nhn MPLS v xut cc kin ngh p

dng cng ngh MPLS trong mng th h mi NGN ca tng cng ty. TG: L Ngc

Giao, Trn Ho Bu, Phm Thy Phong, Trn Vit Tun, Phm Huy T, Nguyn

Ngc Thnh, ng Thu H, Phan H Trung)

TI LIU TING ANH

2. Cisco System, Overview of Virtual Private Networks and IPSec Technologies.

3. Cisco VPN solution, www.cisco.com/go/vpn

4. Harkins, D. and Carrel, D. (1998), The Internet Key Exchange, RFC 2409,

November 1998.

5 IETF Working Group

5.1. IETF RFC 2637: Point - to - Point Tunneling Protocol (PPTP)

5.2. IETF RFC 1701: Generic Routing Encapsulation (GRE)

5.3. IETF RFC 2661: Layer Two Tunnuling Protocol (L2TP)

5.4. IETF RFC 2409: The Internet Key Exchange (IKE)

6. Ivan Pepelnjak and Jim Guichard, MPLS and VPN Architectures - A practical

guide to understanding, designing and deploying MPLS and MPLS-VPN enabled

VPNs, Cisco Systems, IN-USA, 2001

7. R.C.Sreijl - Analysis of Managed Virtual Private Network, 2000

8. RSA Security Inc - A Guide to Security Technologies, www.rsasecurity.com

9. Cc ti liu t Internet