Research and Application of IP VPN Networks
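Abstract
IP VPN (virtual private network) refers to using IP facilities (including the shared Internet or private IP backbone networks) to emulate the leased-line services of private wide-area-network equipment (remote dial-up, DDN, and so on). An IP VPN is built on an open IP network (the Internet) and establishes private data-transmission channels across it. VPN services provide enterprises with Layer 2 or Layer 3 virtual private network interconnection. An enterprise that builds its own private network from dedicated lines usually has to lease expensive leased lines. Virtual private network (VPN) technology is a good solution. In North America and Europe, VPN is already a fairly common service. In the Asia-Pacific region the service is also developing rapidly. In China, the major telecom operators have all begun offering IP VPN services to customers in order to gain an early advantage in the new competition.
     Since the 1990s, research on VPN networks has achieved fruitful results worldwide, gradually forming a fairly systematic body of theory and establishing its place in network theory. After nearly 20 years of development, VPN technology has matured, but it has a shortcoming: both operator and customer networks are fairly fragile and are not easy to restore after a failure, which makes maintenance and use difficult. Traditional leased-line services cannot adapt well to business development because of factors such as high price and demanding requirements for user access.
     This thesis mainly studies IP VPN theory and design methods, and the feasibility and practical significance of implementing VPN on the Hunan Telecom broadband IP network using IP VPN technology. In particular, it discusses in detail the various causes of loop faults in VPLS networks and proposes a fast method for handling VPLS loop faults; practical results show that the method diagnoses faults accurately and quickly, reduces the impact of local faults on the whole network, and is practical and feasible. The thesis also proposes some effective methods for maintaining the Hunan VPLS network, avoiding loop faults, and suppressing broadcast storms.
     This thesis analyzes the principles of VPDN technology and focuses on the implementation of the Hunan Sports Lottery VPDN: the LNS networking and the service implementation flow. It also analyzes problems in VPDN service maintenance.
     This thesis studies the IPSec-based E-VPN, focusing on its networking applications, and compares E-VPN with other VPN technologies; the results show that E-VPN delivers services conveniently and that its networking model is more flexible.
     Finally, this thesis studies the performance indicators of the IP VPN network; from statistics on these indicators it concludes that the application of IP VPN technology in the Hunan Telecom network is successful.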
IP VPN (Virtual Private Network) makes use of IP facilities (including the Internet or an IP backbone network) to simulate private services of the Wide Area Network (WAN), including long-distance dial-up and the Digital Data Network. An IP VPN establishes a private data-transmission tunnel through the Internet. VPN technology provides Layer 2 and Layer 3 interconnection for enterprises. A physical private network is secure, but it is expensive. VPN is a very good solution. In North America and Europe, VPN is already quite a common service. In the Asia-Pacific region, the service is also growing rapidly. In the domestic market, telecommunication operators have started to provide VPN services in order to keep ahead in the new competition.
     VPN research began in the 1990s and has produced fruitful results all over the world; it has gradually formed a systematic theory, established its status in network theory, and come to maturity after 20 years of development. But the technology is inadequate in dealing with faults, because service provider and enterprise networks are very fragile and, in particular, a network that breaks down is not easy to restore. This has made maintenance difficult. Traditional private line service does not fit in with this development because of its expensive rent and its complexity for the customer.
     This paper mainly researches the design method of IP VPN technology and explores the feasibility and practical meaning of implementing VPN in the Hunan telecommunication broadband IP network by utilizing IP VPN technology. The paper studies the causes of VPLS (Virtual Private LAN Service) loop faults in detail and then introduces a method of solving VPLS loop faults. The paper makes some feasible suggestions for VPLS network maintenance, VPLS loop fault avoidance, and broadcast storm suppression. Practical results show that the fault diagnosis is very accurate. The method is practical and feasible and reduces the influence of partial failures on the entire network.
     This paper researches the principles of VPDN (Virtual Private Dialup Network) technology in detail and elaborates on the Hunan VPDN realization, including the LNS, the service realization, and VPDN service maintenance.
     This paper researches E-VPN, based on IPSec (IP Security) technology, in depth and elaborates on the Hunan E-VPN realization. The paper draws a comparison between E-VPN and the other VPN technologies and finally indicates that E-VPN is more flexible and convenient.
     In the end, this paper researches the performance indices of IP VPN. The overall performance test of IP VPN proves the realization of VPN in the Hunan telecommunication broadband IP network by utilizing IP VPN technology.
