CDMA Data Network Industry VPDN Application System

Uploaded by: 壹****1  Document ID: 592882996  Upload date: 2024-09-23  Format: PPT  Pages: 24  Size: 2.33 MB

CDMA Data Network Industry VPDN Application System: Solution
Starent Networks Proprietary and Confidential  http:/

VPDN service platform: basic concepts
1. Tunnel: L2TP re-encapsulates the existing transparent data so that enterprise user data is isolated from other users' data.
2. Connectivity: the enterprise internal network is extended without limit across the Internet.
3. Security: the format of the user data inside the L2TP encapsulation is unchanged.

VPDN service platform: basic concepts
..., data integrity, replay protection, data confidentiality (64-bit, 128-bit encryption)
2. Resources: consumes considerable CPU and memory, so it is not suited to being initiated from the client.

VPDN service platform: basic concepts
(Virtual router)
1. Resources: part of the PDSN's CPU, memory and ports form a logical router.
2. Processing selection: the virtual router that handles a connection is selected by the domain name in the NAI.
3. Security: processing resources, data path and the corresponding AAA processing can be fully independent.

[Diagram: VPDN service solution. Elements: PDSN/VR/LAC/LNS node, AAA / VPDN management platform, management terminal, LAN, PCF, public Internet, Intranet 1, Enterprise 2, Enterprise 3, leased line, L2TP+IPSec, L2TP.]

[Diagram: Persistence solution. Elements: ST40 (HA, VR, LAC, LNS), VPDN management platform, management terminal, CDMA2000, client GUI, LAN, WLAN, ADSL, PDSN/FA, public Internet, Intranet 1, Enterprise 2, Enterprise 3, leased line, L2TP+IPSec, L2TP, MIP tunnel.]

[Diagram: VPDN tunnel solution 1, L2TP. Elements: LAC, VPDN management platform, management terminal, LAN, PCF, public Internet, Intranet 1, Enterprise 2, Enterprise 3, L2TP tunnel, CDMA 2000, LNS.]

[Diagram: VPDN tunnel solution 2, IPSec integrated with L2TP. Elements: LAC/EDC, VPDN management platform, management terminal, LAN, PCF, public Internet, Intranet 1, Enterprise 2, Enterprise 3, IPSec + L2TP tunnel, CDMA2000, LNS.]

[Diagram: VPDN tunnel solution 3, VR with leased line. Elements: PDSN/VR, VPDN management platform, management terminal, LAN, PCF, public Internet, Intranet 1, Enterprise 2, Enterprise 3, CDMA1x, router, leased line.]

[Diagram: tunnel solution, shared VR with leased line.]

[Call flow diagram: dedicated VPDN PDSN + L2TP tunnel solution (L2TP VPDN Application Call Flow). Participants: MS, PCF, ST16 (PDSN, LAC), Management Platform (AAA), LNS. Labels: Establish TCH; A11 Register Request (IMSI); Check the IMSI; A11 Register Response, code 0x88 and ST16 IP address; A11 Register Request (IMSI); A11 Register Response with code 0; PPP negotiation; Access Request (IMSI, username, domain name, password); Check the domain and IMSI with the database; Access Accept (VPDN tunnel attributes); Establish L2TP tunnel; Negotiate the new PPP connection; Authenticate the username and password; Assign the intranet IP address to MS; Intranet data communication.]

[Call flow diagram: dedicated VPDN PDSN + VR with leased line (VR + Leased Line VPDN Application Call Flow). Participants: MS, PCF, ST16 (PDSN, LAC), Management Platform (AAA), LNS, VR, leased line. Labels: Establish TCH; A11 Register Request (IMSI); Check the IMSI; A11 Register Response, code 0x88 and ST16 IP address; A11 Register Request (IMSI); A11 Register Response with code 0; PPP negotiation; Access Request (IMSI, username, domain name, password); Check the domain and IMSI with the database; Access Accept (VR name, pool name); Negotiate the new PPP connection; Assign the intranet IP address to MS; Intranet data communication.]

[Call flow diagram: Tunnel Switch + L2TP tunnel solution (L2TP VPDN Application Call Flow). Participants: MS, PDSN, AAA1, ST16 (LNS, VR), VPDN Management Platform (AAA), LNS. Labels: LCP negotiation; Check the domain name in NAI; Access Request; Access Accept (tunnel attributes); Negotiates and establishes L2TP tunnel; Access Request (IMSI, username, domain name, password); Check the domain and IMSI with the database; Access Accept (VPDN tunnel attributes); Establish L2TP tunnel; Negotiate the new PPP connection; Authenticate the username and password; Assign the intranet IP address to MS; Intranet data communication.]

[Call flow diagram: Tunnel Switch + VR with leased line (VR + Leased Line VPDN Application Call Flow). Participants: MS, PCF, AAA1, ST16 (LNS, VR), VPDN Management Platform (AAA), LNS, VR, leased line. Labels: LCP negotiation; Check the domain name in NAI; Access Request; Access Accept (tunnel attributes); Negotiates and establishes L2TP tunnel; PPP negotiation; Access Request (IMSI, username, domain name, password); Check the domain and IMSI with the database; Access Accept (VR name, pool name); Negotiate the new PPP connection; Assign the intranet IP address to MS; Intranet data communication.]

L2TP integrated with IPSec
1. A subscriber session arrives at the system.
2. The system attempts to authenticate the subscriber with the AAA server.
3. The profile attributes returned upon successful authentication by the AAA server indicate that session data is to be tunneled using L2TP.
4. The system determines that the crypto map name supplied matches a configured crypto map.
5. From the crypto map, the system determines the following:
   The map type, in this case dynamic
   Whether perfect forward secrecy (PFS) should be enabled for the IPSec SA, and if so, what group should be used
   IPSec SA lifetime parameters
   The name of one or more configured transform sets defining the IPSec SA
6. To initiate the IKE SA negotiation, the system performs a Diffie-Hellman exchange of the ISAKMP secret specified in the profile attribute with the specified peer LNS/security gateway.
7. The system and the LNS/security gateway negotiate an ISAKMP (IKE) policy to use to protect further communications.
8. Once the IKE SA has been negotiated, the system negotiates an IPSec SA with the LNS/security gateway using the transform method specified in the transform sets.
9. Once the IPSec SA has been negotiated, the system protects the L2TP encapsulated data

[Diagram: Public Security Department deployment. Elements: AAA server, Public Security Department internal network, leased line, public security query terminal, VPDN management system, VR dedicated to the Public Security Department. Labels: authentication request; identified as a VPDN application and forwarded to the VPDN management system; username/domain authentication and IMSI comparison; return the relevant attributes; establish a new L2TP tunnel; perform the second authentication and assign an internal IP address.]

At this point the mobile terminal can access the Public Security Department's internal network over a channel that is isolated from other users end to end, and VPDN access reaches a very high security level.

Data isolation between different VPDN connections
1. The L2TP and IPSec solutions build private enterprise network connections over public network resources. The technology itself defines the isolation between private network data and public network data, and among private networks. The two differ only in data security.
2. The VR + leased line approach achieves complete physical isolation of enterprise network data from other networks.
3. For the shared-VR solution:
   The VR assigns different IP address pools to users of different domains.
   Communication between the address pools is restricted by ACLs.
   The aggregation router performs source-address routing.
   The ST16 VPDN platform supports defining multiple logical ports on one physical port.
   VLAN tags are supported, i.e. one physical port can be defined in multiple VLANs.
   The VR's IP address pools support source-address routing, each with its own next-hop address.

Q & A

This presentation is proprietary information of Starent Networks Corporation. The information contained may not be used to create or change any contractual obligation between Starent Networks Corporation and you or your firm. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this presentation by persons or entities other than the intended recipients is prohibited. This presentation is for planning and information purposes only. The specifications contained herein are subject to change without notice.
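The management-platform decision in the call flows (check the NAI domain and the IMSI, then return either L2TP tunnel attributes or a VR name and pool name), together with the shared-VR rule of one address pool per domain, as an added Python example that is not Starent code. All domains, IMSIs, addresses, VR and pool names are constructed, and password verification (done at PPP authentication in the flows) is left out.

```python
import ipaddress

# Constructed sample data: every domain, IMSI, address and name is made up.
POOLS = {"pool-police": "10.10.0.0/24", "pool-utility": "10.20.0.0/24"}
DOMAINS = {
    "police.example": {"mode": "vr", "vr": "vr-police", "pool": "pool-police"},
    "utility.example": {"mode": "vr", "vr": "vr-shared", "pool": "pool-utility"},
    "bank.example": {"mode": "l2tp", "lns": "192.0.2.10"},
}
IMSI_BINDINGS = {  # (username, domain) -> IMSI registered for that account
    ("officer1", "police.example"): "460030000000001",
    ("teller7", "bank.example"): "460030000000002",
}


def authorize(nai, imsi):
    """Decide an Access-Request as the call flows describe: check the NAI
    domain and the IMSI, then return tunnel or VR attributes."""
    user, sep, domain = nai.rpartition("@")
    domain = domain.lower()
    if not sep or not user or domain not in DOMAINS:
        return False, {"reason": "unknown domain"}
    bound = IMSI_BINDINGS.get((user, domain))
    # IMSI binding: a valid account presented from another SIM is rejected.
    if bound is None or bound != imsi:
        return False, {"reason": "IMSI mismatch"}
    entry = DOMAINS[domain]
    if entry["mode"] == "l2tp":
        return True, {"tunnel_type": "L2TP", "lns": entry["lns"]}
    return True, {"vr_name": entry["vr"], "pool_name": entry["pool"]}


def overlapping_pools(pools):
    """Return pairs of pool names whose address ranges overlap. For the
    shared-VR design this must be empty, or per-pool ACLs cannot keep the
    domains apart."""
    nets = sorted((name, ipaddress.ip_network(cidr))
                  for name, cidr in pools.items())
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]
```
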

