Research on the Implementation Mechanism and Security Strength of MPLS VPN
Abstract
In the VPN field, MPLS VPN is an emerging VPN implementation technology. It is simple and efficient and combines the advantages of IP networks and ATM, so more and more business customers are adopting it to build their VPN networks, and more and more service providers are building MPLS core networks to offer MPLS-based VPN services to their customers.
However, a common view holds that traditional VPNs using Frame Relay or ATM as the link layer are very secure, whereas MPLS VPN is built on a connectionless IP network, so doubts remain about the security strength it can achieve. This paper systematically analyzes the implementation technology of traditional VPNs, the MPLS protocol, and MPLS VPN implementation technology, and compares traditional VPNs with MPLS VPN. Building on that discussion, it analyzes the security strength of MPLS VPN in detail from three aspects: address space separation and routing isolation, hiding of the SP core network, and resistance to attacks. It concludes that MPLS VPN can achieve the same level of security as its layer 2 counterparts, Frame Relay or ATM based VPNs. Because of the many advantages of MPLS VPN, future enterprise VPNs will be built primarily with MPLS VPN, with other methods as a supplement.