
Wednesday, 13 July 2016

How the different kinds of VPN are implemented

A VPN is a logically private network: it gives its users the functions of a private network without being a separate physical network of its own. As the global economy integrates, building an enterprise's own secure network on top of the IP protocol and the existing Internet has become the main direction in which VPNs are developing.

A converged solution: MPLS VPN together with IPsec VPN

A VPN (Virtual Private Network) is a networking technique that carries private data across a public network by encapsulating or encrypting it, reaching the security level of a private network and thereby building an enterprise network on public infrastructure. It is a logically private network, offering the functions of a private network without being a separate physical network.

How VPNs are implemented

"VPN" is a broad term for a private network realised over a public network. Several technologies can provide this, and VPNs are usually grouped into the following kinds:

1. Traditional leased-line VPNs

Traditional VPNs are chiefly Frame Relay and ATM, the classic telecom leased-line services: the carrier builds a shared switching platform covering a region out of dedicated Frame Relay or ATM switches, and sets up virtual circuits across that platform to give each customer a private network.

Frame Relay (FR) is a connection-oriented fast packet-switching technique. It carries data as frames under a set of procedures and multiplexes many logical connections (logical channels) onto one physical link, so bandwidth is shared and allocated dynamically. It suits the encapsulation of LAN data units and bursty traffic such as compressed video and web traffic.

ATM (Asynchronous Transfer Mode) is a connection-oriented service. It replaces the synchronous time-division multiplexing of circuit switching with asynchronous TDM, so sender and receiver need not share a clock and bandwidth is used more efficiently. It is high-speed packet switching; at the protocol level it moves error correction and flow control out of the network onto the intelligent end systems, which cuts network delay and raises switching speed.

2. CPE-based VPNs

In a CPE-based VPN the customer-premises equipment uses encapsulation or encryption to build secure tunnels across the public network. All VPN functions live in the various CPE devices, and the carrier's public network merely provides transparent transport. The biggest drawback is that the customer must invest considerable staff and equipment to manage and maintain the VPN, and the encryption also has a large effect on the forwarding performance of the devices and on the scalability of the network.

IPsec (IP Security), the most widely deployed VPN technology, is a set of authentication and encryption protocols developed by the IETF. Through encryption, authentication and integrity checks it gives transmitted data confidentiality, integrity and data-origin authentication (with anti-replay protection); it does not make delivery itself reliable, which remains the job of TCP or the application. It is important to understand that IPsec is a protocol suite rather than a single protocol: IKE negotiates the keys and security associations, and AH and ESP protect the packets.

3. Provider-provisioned VPNs

A provider-provisioned VPN uses virtual routing and tunnelling: network-edge devices managed by the provider keep a separate routing table and transport tunnel for each customer. BGP/MPLS VPN belongs to this category.

MPLS VPN is an IP VPN built on MPLS (Multiprotocol Label Switching). The routers and switches in the network apply MPLS to simplify forwarding decisions in the core, combining conventional routing with label switching to realise an IP VPN. An MPLS VPN has three kinds of router: CE, PE and P. The CE (customer edge) router sits at the customer site and connects it to the PE; the PE (provider edge) router is the label edge router (LER) of the MPLS network; the P (provider) router is a backbone router, the label switching router (LSR) of the MPLS network. Note that the separation an MPLS VPN provides comes from labels and per-customer VRF tables, not from encryption: customer traffic crosses the provider backbone in the clear, so confidentiality against the provider, or against anyone with access to its backbone, requires IPsec or TLS on top.

4. Session-based VPNs

A session-based VPN is built with security protocols that work at layer 4 (the transport layer) and above. Today this mainly means SSL VPN.

SSL VPN products encrypt the data in transit with the standard Secure Sockets Layer. SSL (Secure Sockets Layer) is a security protocol that sits between the transport layer (layer 4) of the TCP/IP stack and the application layers (5-7) above it. Its successor, TLS, is what current "SSL VPN" products actually run; SSL 2.0 and 3.0 themselves are deprecated and should be disabled.

As the global economy integrates, building an enterprise's own secure network over the IP protocol and the existing Internet has become the main trend, and VPNs of this kind are collectively called IP VPNs. Today IP VPN mainly comprises MPLS VPN, IPsec VPN and SSL VPN.

1. MPLS VPN compared with ATM/FR VPN

In price and quality of service, MPLS VPN and ATM/FR VPN are comparable products, but MPLS VPN has more advantages.

MPLS VPN is more cost-effective than traditional leased-line VPNs and has gradually become the mainstream technology for enterprise wide-area interconnection. More and more enterprises choose it as their first option for building a corporate WAN, and more and more are considering migrating their networks from traditional leased-line VPNs to MPLS VPN.

2. MPLS VPN compared with IPsec/SSL VPN, and their convergence

MPLS VPN runs on the carrier's private network and can guarantee good quality of service, but its price is at the same level as traditional leased lines. IPsec/SSL VPN runs over the public Internet: quality of service is essentially not guaranteed, but the cost is comparatively low.

A service provider can of course deploy one or several VPN architectures to support new value-added services, but combining them brings the far larger benefit of complementary strengths. A well-designed, properly operated and integrated VPN service raises the level at which both IPsec and MPLS are used: the provider can apply IPsec to traffic that needs strong authentication and privacy but is not demanding on quality of service, and MPLS where bandwidth and QoS requirements are high.
from http://www.enet.com.cn/article/2007/0924/A20070924841218.shtml
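The comparison above turns on one point a practitioner should be able to verify: an MPLS VPN separates customers with labels and VRF lookups, while IPsec hides the customer's packet inside ESP. The following is an added example, not code from the article or from any vendor. It constructs one MPLS-labelled packet and one ESP packet inline (the labels 16 and 24, the addresses, the SPI 0x0001ABCD, the label-to-VRF table and the "ciphertext" bytes are all arbitrary placeholders, and no real encryption is performed) and shows what a passive observer on the provider backbone can read from each.

```python
import struct
from typing import Dict, List, Tuple

# Added example, not from the original article. Every packet below is constructed
# inline; labels, addresses, the SPI and the "ciphertext" bytes are arbitrary
# placeholders, and nothing is actually encrypted.

IPPROTO_ESP = 50


def mpls_entry(label: int, tc: int = 0, s: int = 0, ttl: int = 64) -> bytes:
    """Encode one 32-bit label stack entry (RFC 3032): label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | ((tc & 7) << 9) | ((s & 1) << 8) | (ttl & 0xFF))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options; checksum left at zero (not checked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def parse_mpls_stack(pkt: bytes) -> Tuple[List[dict], bytes]:
    """Walk label entries until the bottom-of-stack bit is set; return them and what follows."""
    entries, off = [], 0
    while True:
        if off + 4 > len(pkt):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", pkt, off)
        entry = {"label": word >> 12, "tc": (word >> 9) & 7, "s": (word >> 8) & 1, "ttl": word & 0xFF}
        entries.append(entry)
        off += 4
        if entry["s"]:
            return entries, pkt[off:]


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields a passive observer cares about."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}


def parse_esp(pkt: bytes) -> dict:
    """ESP (RFC 4303): only the SPI and sequence number are in the clear; the rest is ciphertext plus ICV."""
    if len(pkt) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack_from("!II", pkt, 0)
    return {"spi": spi, "seq": seq, "opaque": pkt[8:]}


# Constructed egress-PE table: bottom-of-stack (VPN) label -> customer VRF.
# This lookup, not cryptography, is what keeps customers apart in an MPLS VPN.
VRF_BY_VPN_LABEL: Dict[int, str] = {24: "CUST_A", 25: "CUST_B"}


def build_mpls_vpn_packet() -> bytes:
    """[transport label 16][VPN label 24, S=1][IPv4 10.1.1.10 -> 10.2.2.20][cleartext payload]"""
    payload = b"GET /payroll HTTP/1.1\r\n"          # constructed customer data
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 6, len(payload)) + payload
    return mpls_entry(16, s=0) + mpls_entry(24, s=1) + inner


def build_esp_packet() -> bytes:
    """[outer IPv4 203.0.113.5 -> 198.51.100.9, proto 50][SPI][seq][placeholder ciphertext]"""
    ciphertext = bytes.fromhex("9f3a7c11e0b45d2288c6f01a3b9d7e5540aa")  # stands in for AES-GCM output
    esp = struct.pack("!II", 0x0001ABCD, 7) + ciphertext
    return ipv4_header("203.0.113.5", "198.51.100.9", IPPROTO_ESP, len(esp)) + esp


def observe_mpls(pkt: bytes) -> dict:
    """What a P router, or anyone tapping the backbone, can read from an MPLS VPN packet."""
    labels, inner = parse_mpls_stack(pkt)
    ip = parse_ipv4(inner)
    return {"labels": [e["label"] for e in labels],
            "vrf": VRF_BY_VPN_LABEL.get(labels[-1]["label"]),
            "src": ip["src"], "dst": ip["dst"], "proto": ip["proto"], "payload": ip["payload"]}


def observe_esp(pkt: bytes) -> dict:
    """What the same observer can read from an ESP packet: tunnel endpoints, SPI and sequence, nothing else."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_ESP:
        raise ValueError("not ESP")
    esp = parse_esp(outer["payload"])
    try:  # without the SA key the ciphertext does not decode as an inner packet (version nibble fails here)
        inner = parse_ipv4(esp["opaque"])
    except ValueError:
        inner = None
    return {"outer_src": outer["src"], "outer_dst": outer["dst"], "spi": esp["spi"],
            "seq": esp["seq"], "inner": inner, "opaque": esp["opaque"]}


if __name__ == "__main__":
    print(observe_mpls(build_mpls_vpn_packet()))
    print(observe_esp(build_esp_packet()))
```

Running it shows the MPLS observer recovering both customer addresses, the protocol and the cleartext request (and, with the PE's table, which customer the packet belongs to), whereas the ESP observer sees only the two tunnel endpoints, the SPI and a sequence number. That is the asymmetry the article's "融合" (convergence) section relies on: MPLS for QoS and separation, IPsec on top wherever confidentiality is required.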
---------

Related post: http://briteming.blogspot.com/2016/03/mpls-vpn.html