MPLS VPN技术在组建营口公安专网中的应用
摘要
虚拟专用网技术,是一门网络新技术,为我们提供了一种通过公用网络安全地对企业内部专用网络进行远程访问的连接方式。VPN(Virtual Private Network)能够利用公用骨干网络的广泛而强大的传输能力,降低企业内部网络/Internet的建设成本,极大地提高用户网络运营和管理的灵活性,同时能够满足用户对信息传输安全性、实时性、宽频带、方便性的需要,所以,很受一些大型跨地域集团用户的欢迎。
多协议标签交换MPLS(Multiprotocol Label Switch)是下一代网络的重要技术,它吸收了ATM(Asynchronous Transmission Model)和IP(Internet Protocol)的优点,将ATM的面向连接和IP的选路结合一起。在提供IP业务时能够保证QoS(Quarlity of Service)和安全性,同时也增强了网络的可扩展性和灵活性。MPLS可以提高IP网的服务质量,这些服务包括流量工程和虚拟专用网(VPN)。今天,它己经变为构成下一代网络技术的重要组成部分。
本文首先介绍了VPN、MPLS VPN技术的发展、基本工作原理、优势以及对二层、三层MPLS VPN技术进行阐述.接着按照三层MPLS VPN的体系结构组建了合理的营口网通“金盾工程”MPLS VPN网络,对设备选型和拓扑结构进行了细致的分析,对“金盾工程”MPLS VPN平台的部分核心配置进行了详细的注释,细化的分析了MPLS VPN路由分发机制,说明选择MPLS VPN技术的理由。并以“金盾工程”实例,深入研究了MPLS VPN应用的设计、配置及实现.详细阐述了MPLS VPN技术在该工程中的实际应用。
With the developing of Internet and electronic commerce, the best approach to global economy is the commerce application based on the Internet. With the gradual frequency of business affairs, every corporation allows their business partners, providers to browse their local area network in order to make information easily and speed up the pace of changing information. The cooperation and connect is dynamic, and it is maintained and improved by the Internet , the information communication not only make the Internet complicate ,but also take the problems of supervising and security, so the business on the Internet is confronted with the non-good intention information threat and the security danger. Meanwhile, with the corporations growing and being transnational, there are more affiliates and more general that the network infrastructure is not compatible. Therefore, information technical departments have more difficulties with connecting affiliates, and it is most focused on how to maintain the internet with less money and more effective on the premise of ensuring the security, what the users need is the direct reason of virtual private network. Virtual private network (VPN) can provide the ideal approach to network function what the corporation needs. It cannot only provide the common communication network infrastructure to recent corporations to gain convenience and economic benefit, but also can make sure the security of point to point connect.
Unfortunatly,existing VPN solutions are not all interoperable and may be tied to one equipment vendor and/or a single SP, This has created strong
多协议标签交换MPLS(Multiprotocol Label Switch)是下一代网络的重要技术,它吸收了ATM(Asynchronous Transmission Model)和IP(Internet Protocol)的优点,将ATM的面向连接和IP的选路结合一起。在提供IP业务时能够保证QoS(Quarlity of Service)和安全性,同时也增强了网络的可扩展性和灵活性。MPLS可以提高IP网的服务质量,这些服务包括流量工程和虚拟专用网(VPN)。今天,它己经变为构成下一代网络技术的重要组成部分。
本文首先介绍了VPN、MPLS VPN技术的发展、基本工作原理、优势以及对二层、三层MPLS VPN技术进行阐述.接着按照三层MPLS VPN的体系结构组建了合理的营口网通“金盾工程”MPLS VPN网络,对设备选型和拓扑结构进行了细致的分析,对“金盾工程”MPLS VPN平台的部分核心配置进行了详细的注释,细化的分析了MPLS VPN路由分发机制,说明选择MPLS VPN技术的理由。并以“金盾工程”实例,深入研究了MPLS VPN应用的设计、配置及实现.详细阐述了MPLS VPN技术在该工程中的实际应用。
With the developing of Internet and electronic commerce, the best approach to global economy is the commerce application based on the Internet. With the gradual frequency of business affairs, every corporation allows their business partners, providers to browse their local area network in order to make information easily and speed up the pace of changing information. The cooperation and connect is dynamic, and it is maintained and improved by the Internet , the information communication not only make the Internet complicate ,but also take the problems of supervising and security, so the business on the Internet is confronted with the non-good intention information threat and the security danger. Meanwhile, with the corporations growing and being transnational, there are more affiliates and more general that the network infrastructure is not compatible. Therefore, information technical departments have more difficulties with connecting affiliates, and it is most focused on how to maintain the internet with less money and more effective on the premise of ensuring the security, what the users need is the direct reason of virtual private network. Virtual private network (VPN) can provide the ideal approach to network function what the corporation needs. It cannot only provide the common communication network infrastructure to recent corporations to gain convenience and economic benefit, but also can make sure the security of point to point connect.
Unfortunatly,existing VPN solutions are not all interoperable and may be tied to one equipment vendor and/or a single SP, This has created strong
引文
[1] 何宝宏. I P 虚拟专用网技术. 北京:人民邮电出版社,2002, pp. 1-3
[2] William R C, Steven M R 著, 罗万伯译.防火墙与因特网安全,戴宗坤.北京:机械工业出版社,2002, pp. 2-4
[3]王成儒, 王顺满, 许 楷.VPN 安全网关及其相关技术. 中国数据通信,2000,第 24 卷 7 期,pp. 12-13
[4] Casey W, Peter D 著,魏允韬译. 虚拟专用网的创建与实现. 北京:机械工业出版社,2000, 第 8 期,pp. 6-8
[5] 咸廷伟,孙仁祥,毛琦等.VPN 技术综述及应用.电子技术与应用,2003, 第 3 期,pp. 17-19
[6] Eric C R, Peter P. OSPF as the PE/CE Protocol in BGP/MPLS VPNs. Internet Draft, 2001, 第 2 期,pp. 56-60
[7] 翁亮, 王澄, 储鸿文.虚拟专用网络技术.通信技术 1999, 第 4 期 pp. 26-27
[8] 陈志然, 胡铁. 组建广东电信MPLS VPN网络数据通信, 电信建设, 2002
[9] 吕光宏. 虚拟专用网(VPNs)发展透视. 计算机应用研究, 2002,第29 卷 5 期,pp. 33-36
[10] 马晓莉. 电子政务平台上 MPLS 的应用. 电信技术, 2002
[11] 林锦贤, 沈钧毅. 基于 MPLS-VPN 构筑电子政务系统的网络平台. 四川通信技术, 2003
[12] 沈宇超. 第二层和第三层 MPLS VPN. 有线电视技术, 2002
[13] 裘晓峰, 张春红著. 宽带网络技术及其应用. 北京: 清华大学出版社,1997, 第 7 期, pp. 144-146
[14] Douglas E C,David L S.用 TCP/IP 进行网际互联(第 2 版)第1 卷原理、协议和体系结构,北京:电子工业出版社, 1998
[15] Douglas E C,David L S.用 TCP/IP 进行网际互联(第 2 版)第2 卷设计、实现和内部构成,北京:电子工业出版社, 1998
[16] Douglas E C,David L S.用 TCP/IP 进行网际互联(第 2 版)第3 卷客户机、服务器和应用,北京:电子工业出版社, 1998
[17] (美)Walter J G 著. 张保栋,董晶译.ATM 连网技术(Introduction to ATM networking). 北京:电子工业出版社,1999, 第 2 期, pp. 54-57
[18] Zhang L, Deering S, Esttrin D, et al. RSVP: A New Resource Reservation Protocol. IEEE Network Magazine, September,1993,pp. 8-18
[19] Hardjono T. Router-assistance for receiver access control in PIM-SM. In Proceedings of the Fourth IEEE Symposium on Computers and Communications (ISCC), Antibes, France, July 2000.
[20] Hardjono T, Baugher M, and Harney H. Group key management for IP multicast: Model and architecture. In IEEE 10th International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE 2001), MIT, Cambridge, MA, June 2001. IEEE.
[21] 杨宗凯. ATM 理论及应用. 西安:西安电子科技大学出版,1996
[22] 王建民. MPLS VPN 与传统专线组网的比较分析研究. 世界电信.2002
[23] 周丽佩, 单志萍, 王瑞仙著.VPN 技术在校园网中的应用. 大庆石油学院学报,2003,第 27 卷 6 期, pp. 123-126
[24] 刘维超,薛凌著.IP 骨干网传送技术比较. 信息技术,2000, 第 2 期
[25] Xipeng X, Alan H, lobo T et al. Traffic Engineering with MPLS in the internet. IEEE Network Magazine, March/April, 2000, pp. 28~33
[26]Jeremy L. Designing Multi-protocol Label Switching Networks. IEEE Commu -nications Magazine, July, 2001 Vol.39, No.7, pp. 134-142
[27] Ayan B. Generalized Multi-protocol Label Switching: An Overview of Signaling Enhancements and Recovery Techniques. IEEE Communications Magazine, July 2001 Vol.39, No.7, pp. 144-151
[28] Peter A S, Ayan B. Generalized MPLS ---Signaling Functional Description, http://www.ietf. org/internet-drafts/draft- ietf- mpls- generalized- signaling-05. txt, July 2001
[29] Peter A S, Ayan B. Generalized MPLS Signaling----RSVP-TE Extensions to RSVP for LSPT unnels [EB/OL]. http://www.ietf.org/internet-drafts/draft-ietf-mpls-generalized-rsvp-lsp- tunnel-04.txt, July 2001
[30] McManus J. Video-on-Demand over ATM: Constant-rate Transmission and Transport. IEEE Journal on Selected Areas in Communications, 1996,14(6)
[31] Awduche D O, Malcolm J, Agogbua J, et al. Requirements for Traffic Engineering Over MPLS, RFC 2702. Sep 1999
[32] Awduche D O. MPLS and Traffic Engineering in IP networks. IEEE Commu -nications Magazine, Dec 1999, pp. 42-53
[33] 高旭,顾冠群,沈苏彬著. 网络多媒体应用层次控制技术分析. 第九届全国多媒体技术学术会议论文集,2000, 第 7 期,pp. 403-409
[34] 王宏宇,顾冠群,高旭,严俊著. IP Telephony 问题研究综述. 通信学报,2000, 第 21 卷 7 期
[35] 毕厚杰,陈启美,方晖著. IP 宽带通信网络技术. 北京:北京邮 电大学出版社,2004
[36] Muthukrishnan K, Malis A. A Core Multi-protocol Label Switching (MPLS) IP VPN Architecture, RFC 2917. September 2000
[37] Hsu C Y, Ortega A, Reibman A R. Joint selection of source, channel rate for VBR transmission under ATM policing constraints. IEEE J. Select. Areas Communication. Vol. 15, August. 1997, pp. 501-510
[38] Andreas K S. An Extended QoS Architecture Supporting Differentiated Resilience Requirements of IP Services, July 2000
[39] Ivan P, Jim G 著,信达工作室译.MPLS 和 VPN 体系结构. 北京:人民邮电出版社,2002, 第 2 期, pp. 12-14
[40] McGraw K, Brown S, Virtual Private Networks [M]. New York:, McGraw-Hill, 1999
[41] Michiael B. Analysis of the Security of the Multi-protocol Label Switching (MPLS) Architecture. Internet Draft, 2001, No.2
[42] Ivan P, Jim G. MPLS and VPN Architectures, Cisco press.2002
[43] Davie B, Lawrence J, Rekhter Y, et al. Multi-protocol Label Switching (MPLS) using LDP and ATM VC Switching, RFC 3035, January 2001
[44] Rosen E, Viswanathan A, Callon R. Multi-protocol label switching (MPLS) architecture. 2001, No.10, pp. 3-8
[45] Scholkopf B,Simard P Y,Smola A J, et al. “Prior knowledge in support vector kernels”, In M.I. Jordan, M.J. Kearns, and S.A. Solla, editors, Advances in Neural information processing systems, Cambridge, MA,MIT Press, Vol.10, 1998, pp.640-646.
[46] Chen W, Dondeti L R. Performance Comparison of Stateful andStateless Group Rekeying Algorithms. In Proceedings of Fourth International Workshop on Networked Group Communication (NGC), Boston, MA, October 2002.
[47] Dondeti L R, Mukherjee S, Samal A. A Dual Protocol for Scalable Secure Multicasting. In Proceedings of the Fourth IEEE Symposium on Computers and Communications (ISCC), Red Sea, Egypt, July 1999.
[48] 陈锦章. 宽带 IP 网络技术.北京:清华大学出版社,2003 年 10月
[49] 高海英,薛元星,辛阳等著.VPN 技术.北京:机械工业出版社,2004 年 3 月
[50] 沈鑫剡.IP 交换网原理、技术及实现. 北京: 人民邮电出版社,2003 年 1 月
[2] William R C, Steven M R 著, 罗万伯译.防火墙与因特网安全,戴宗坤.北京:机械工业出版社,2002, pp. 2-4
[3]王成儒, 王顺满, 许 楷.VPN 安全网关及其相关技术. 中国数据通信,2000,第 24 卷 7 期,pp. 12-13
[4] Casey W, Peter D 著,魏允韬译. 虚拟专用网的创建与实现. 北京:机械工业出版社,2000, 第 8 期,pp. 6-8
[5] 咸廷伟,孙仁祥,毛琦等.VPN 技术综述及应用.电子技术与应用,2003, 第 3 期,pp. 17-19
[6] Eric C R, Peter P. OSPF as the PE/CE Protocol in BGP/MPLS VPNs. Internet Draft, 2001, 第 2 期,pp. 56-60
[7] 翁亮, 王澄, 储鸿文.虚拟专用网络技术.通信技术 1999, 第 4 期 pp. 26-27
[8] 陈志然, 胡铁. 组建广东电信MPLS VPN网络数据通信, 电信建设, 2002
[9] 吕光宏. 虚拟专用网(VPNs)发展透视. 计算机应用研究, 2002,第29 卷 5 期,pp. 33-36
[10] 马晓莉. 电子政务平台上 MPLS 的应用. 电信技术, 2002
[11] 林锦贤, 沈钧毅. 基于 MPLS-VPN 构筑电子政务系统的网络平台. 四川通信技术, 2003
[12] 沈宇超. 第二层和第三层 MPLS VPN. 有线电视技术, 2002
[13] 裘晓峰, 张春红著. 宽带网络技术及其应用. 北京: 清华大学出版社,1997, 第 7 期, pp. 144-146
[14] Douglas E C,David L S.用 TCP/IP 进行网际互联(第 2 版)第1 卷原理、协议和体系结构,北京:电子工业出版社, 1998
[15] Douglas E C,David L S.用 TCP/IP 进行网际互联(第 2 版)第2 卷设计、实现和内部构成,北京:电子工业出版社, 1998
[16] Douglas E C,David L S.用 TCP/IP 进行网际互联(第 2 版)第3 卷客户机、服务器和应用,北京:电子工业出版社, 1998
[17] (美)Walter J G 著. 张保栋,董晶译.ATM 连网技术(Introduction to ATM networking). 北京:电子工业出版社,1999, 第 2 期, pp. 54-57
[18] Zhang L, Deering S, Esttrin D, et al. RSVP: A New Resource Reservation Protocol. IEEE Network Magazine, September,1993,pp. 8-18
[19] Hardjono T. Router-assistance for receiver access control in PIM-SM. In Proceedings of the Fourth IEEE Symposium on Computers and Communications (ISCC), Antibes, France, July 2000.
[20] Hardjono T, Baugher M, and Harney H. Group key management for IP multicast: Model and architecture. In IEEE 10th International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE 2001), MIT, Cambridge, MA, June 2001. IEEE.
[21] 杨宗凯. ATM 理论及应用. 西安:西安电子科技大学出版,1996
[22] 王建民. MPLS VPN 与传统专线组网的比较分析研究. 世界电信.2002
[23] 周丽佩, 单志萍, 王瑞仙著.VPN 技术在校园网中的应用. 大庆石油学院学报,2003,第 27 卷 6 期, pp. 123-126
[24] 刘维超,薛凌著.IP 骨干网传送技术比较. 信息技术,2000, 第 2 期
[25] Xipeng X, Alan H, lobo T et al. Traffic Engineering with MPLS in the internet. IEEE Network Magazine, March/April, 2000, pp. 28~33
[26]Jeremy L. Designing Multi-protocol Label Switching Networks. IEEE Commu -nications Magazine, July, 2001 Vol.39, No.7, pp. 134-142
[27] Ayan B. Generalized Multi-protocol Label Switching: An Overview of Signaling Enhancements and Recovery Techniques. IEEE Communications Magazine, July 2001 Vol.39, No.7, pp. 144-151
[28] Peter A S, Ayan B. Generalized MPLS ---Signaling Functional Description, http://www.ietf. org/internet-drafts/draft- ietf- mpls- generalized- signaling-05. txt, July 2001
[29] Peter A S, Ayan B. Generalized MPLS Signaling----RSVP-TE Extensions to RSVP for LSPT unnels [EB/OL]. http://www.ietf.org/internet-drafts/draft-ietf-mpls-generalized-rsvp-lsp- tunnel-04.txt, July 2001
[30] McManus J. Video-on-Demand over ATM: Constant-rate Transmission and Transport. IEEE Journal on Selected Areas in Communications, 1996,14(6)
[31] Awduche D O, Malcolm J, Agogbua J, et al. Requirements for Traffic Engineering Over MPLS, RFC 2702. Sep 1999
[32] Awduche D O. MPLS and Traffic Engineering in IP networks. IEEE Commu -nications Magazine, Dec 1999, pp. 42-53
[33] 高旭,顾冠群,沈苏彬著. 网络多媒体应用层次控制技术分析. 第九届全国多媒体技术学术会议论文集,2000, 第 7 期,pp. 403-409
[34] 王宏宇,顾冠群,高旭,严俊著. IP Telephony 问题研究综述. 通信学报,2000, 第 21 卷 7 期
[35] 毕厚杰,陈启美,方晖著. IP 宽带通信网络技术. 北京:北京邮 电大学出版社,2004
[36] Muthukrishnan K, Malis A. A Core Multi-protocol Label Switching (MPLS) IP VPN Architecture, RFC 2917. September 2000
[37] Hsu C Y, Ortega A, Reibman A R. Joint selection of source, channel rate for VBR transmission under ATM policing constraints. IEEE J. Select. Areas Communication. Vol. 15, August. 1997, pp. 501-510
[38] Andreas K S. An Extended QoS Architecture Supporting Differentiated Resilience Requirements of IP Services, July 2000
[39] Ivan P, Jim G 著,信达工作室译.MPLS 和 VPN 体系结构. 北京:人民邮电出版社,2002, 第 2 期, pp. 12-14
[40] McGraw K, Brown S, Virtual Private Networks [M]. New York:, McGraw-Hill, 1999
[41] Michiael B. Analysis of the Security of the Multi-protocol Label Switching (MPLS) Architecture. Internet Draft, 2001, No.2
[42] Ivan P, Jim G. MPLS and VPN Architectures, Cisco press.2002
[43] Davie B, Lawrence J, Rekhter Y, et al. Multi-protocol Label Switching (MPLS) using LDP and ATM VC Switching, RFC 3035, January 2001
[44] Rosen E, Viswanathan A, Callon R. Multi-protocol label switching (MPLS) architecture. 2001, No.10, pp. 3-8
[45] Scholkopf B,Simard P Y,Smola A J, et al. “Prior knowledge in support vector kernels”, In M.I. Jordan, M.J. Kearns, and S.A. Solla, editors, Advances in Neural information processing systems, Cambridge, MA,MIT Press, Vol.10, 1998, pp.640-646.
[46] Chen W, Dondeti L R. Performance Comparison of Stateful andStateless Group Rekeying Algorithms. In Proceedings of Fourth International Workshop on Networked Group Communication (NGC), Boston, MA, October 2002.
[47] Dondeti L R, Mukherjee S, Samal A. A Dual Protocol for Scalable Secure Multicasting. In Proceedings of the Fourth IEEE Symposium on Computers and Communications (ISCC), Red Sea, Egypt, July 1999.
[48] 陈锦章. 宽带 IP 网络技术.北京:清华大学出版社,2003 年 10月
[49] 高海英,薛元星,辛阳等著.VPN 技术.北京:机械工业出版社,2004 年 3 月
[50] 沈鑫剡.IP 交换网原理、技术及实现. 北京: 人民邮电出版社,2003 年 1 月