5.4.1 Virtual Private Network VPN


We have already studied the Internet routing protocols (5.3.1 Internet routing protocol (1); 5.3.2 Internet routing protocol (2): the RIP protocol, based on the distance-vector algorithm; 5.3.3 Internet routing protocol (3): the OSPF protocol; 5.3.4 Internet routing protocols (4): the BGP protocol). Now that we know how routers build their routing tables under the different routing protocols, what we study here is the technology for interconnecting private networks.

A so-called private network generally means the internal network of an enterprise or institution. With the development of economic globalization, more and more enterprises need to set up branches across the country and even around the world. In a traditional private network, information transfer between subsidiaries or offices is generally realized over leased lines. The biggest drawback of this kind of connection is that it is expensive and not flexible enough. With the development of Internet technology, more and more modern enterprises prefer to build a Virtual Private Network, abbreviated VPN.

1. Virtual private network

A virtual private network abandons the dedicated-line connection method; instead, it is a private network built on top of a public network. The public network can be the Internet or a wide area network of some other type, such as a frame relay network or an ATM network. For a deeper understanding, consider the example shown in the figure below.

[Figure: VPN]

Assume that an enterprise has two departments, Department A and Department B, located in different places, possibly in different cities or even different countries. To enable effective communication and information sharing between the two departments, that is, to realize a private network within the enterprise, we can connect both departments directly to the public network and use the public network as the platform on which a virtual private network is built. VPN technology makes the communication between Departments A and B invisible to the Internet, thereby providing the privacy that a private network requires.

2. Addressing of VPN

Before studying how a VPN works, let's first look at addressing in a VPN.

  • The addressing options available to a VPN are the same as those of an ordinary private network: a local addressing scheme can be chosen, that is, the VPN can either allocate global network addresses or use private addresses (5.2.12 Forwarding of IP packets (3)). As stated earlier, a local address does not need to be applied for from the Internet management agency; it is restricted to use inside the internal network and is allocated by the internal network itself. A global address must be applied for from the Internet management agency. Given the shortage of IPv4 addresses, most VPNs use local addressing.

    • Local address: an IP address used only within the organization, which the organization can assign itself without applying to the Internet management agency. A local address is also called a private address. It can only be used for internal communication, that is, for communication between hosts within the same LAN, because every organization is free to use these same addresses.

      IANA, the organization responsible for address allocation on the Internet, explicitly stipulates that the following three address blocks are reserved as the IP address space for internal communication in private internets, that is, as private addresses (RFC 1918):

      Prefix        Lowest address   Highest address
      10/8          10.0.0.0         10.255.255.255
      172.16/12     172.16.0.0       172.31.255.255
      192.168/16    192.168.0.0      192.168.255.255
    • Global address: a globally unique IP address, which must be applied for from the Internet management agency.

  • Let's take the previous figure as an example.

    [Figure: example]

    In the VPN formed by the two departmental networks, assume that the block 10.0.0.0 is used for addressing. A host X in Department A is assigned the address 10.1.0.1, and a host Y in Department B is assigned the address 10.2.0.3. Because none of these addresses are global addresses, an Internet router that finds one of them as the destination address of a datagram it is forwarding will treat the address as erroneous and discard the datagram without any further processing. So how can a private network be built on the public network platform?

3. Working principle of VPN

Let's introduce the working principle of a VPN through an example, shown in the figure below.

[Figure: working principle]

Department A is connected to the Internet through router R1, and Department B is connected to the Internet through router R2. Assume that a host X in Department A's network sends a datagram to a host Y in Department B's network. The datagram generated by X must travel across the Internet to reach network B, which raises two problems:

  1. Both the source IP address 10.1.0.1 and the destination IP address 10.2.0.3 in the header of the datagram generated by X are internal addresses, so the datagram cannot be transmitted directly across the Internet.
  2. A private network cares about the privacy of its communication: the details of communication between any users of the private network should be invisible to the public network. How to protect the users' privacy and keep communication confidential on the open Internet platform is a problem that must also be solved.

How does VPN solve the above two problems?

  • The VPN described here relies mainly on two basic technologies: tunnel transmission and encryption.
  • To transmit data between two VPN sites, a transmission tunnel must be established between the routers of the two sites. Of course, "tunnel" is a figurative term; it does not mean a dedicated line between the routers. Tunnel transmission is simply an IP-in-IP re-encapsulation process. In other words, the VPN defines a tunnel across the Internet between the routers of the two networks and uses IP-in-IP encapsulation to forward datagrams through that tunnel.
  • In addition, the VPN encrypts the datagram generated at the source and encapsulates it in an outer datagram for transmission. That is, to ensure confidentiality, the VPN encrypts the outgoing datagram and then encapsulates it inside another datagram for transmission.
  • The router at the receiving end of the tunnel decrypts the datagram, restores the inner datagram, and then forwards it.

Let's use the example above to illustrate the VPN transmission process with tunneling, as shown in the figure below.

[Figure: transfer process]

Host X generates an IP datagram whose header carries the source address 10.1.0.1 and the destination address 10.2.0.3. The datagram travels through departmental network A and reaches router R1. Router R1 takes the whole IP datagram as a data part and encapsulates it completely into the data part of a new IP datagram. In the header of the new IP datagram, the source IP address is the global IP address of router R1, 125.1.2.3, and the destination IP address is the global IP address of R2, 194.4.5.6. The re-encapsulated IP datagram can then be transmitted across the Internet to router R2. When the datagram arrives at R2, the router extracts the inner datagram and, according to the destination address 10.2.0.3 in the inner datagram's header, completes the final delivery within Department B's network. The whole transmission process shows that the VPN uses the tunnel's re-encapsulation to solve the problem of a locally addressed private network communicating over the public network.

Of course, besides solving the internal address problem, tunneling also helps protect users' privacy. When routers on the public network parse, forward and process the datagram, they examine only the header information of the outer datagram and therefore see only communication between routers R1 and R2; the inner datagram is treated as opaque data, so the communication between hosts inside the private network is transparent to the routers of the external network. In addition, to prevent malicious users on the Internet from intercepting or tampering with the private network's data, and to strengthen the security of private network data transmission, the IP datagram generated by X is also encrypted at router R1 before it is encapsulated.
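The following Python script is an added example, not code from the original post; it ties together the RFC 1918 address table from the addressing section and the X -> R1 -> Internet -> R2 -> Y tunnel walk-through above. It builds a real 20-byte IPv4 header for X's datagram (10.1.0.1 -> 10.2.0.3), shows that a public router applying the rule in the text drops it, then has R1 encrypt it and wrap it in an outer datagram (125.1.2.3 -> 194.4.5.6, IP protocol number 4, IP-in-IP) that the public router does forward, and finally has R2 unwrap, decrypt and read the inner destination. The shared key, the nonce, the "hello Y" payload and the function names are all constructed for the example; the HMAC-SHA256 counter-mode keystream is only a stand-in for the encryption step, not what any real VPN uses.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# RFC 1918 private blocks: exactly the three rows of the address table in the text
PRIVATE_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 blocks (a 'local address' in the text's terms)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over the 16-bit words of the header (RFC 791 header checksum)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    fields = (0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Split a datagram into the header fields we care about plus its payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher for the example only: HMAC-SHA256 in counter mode as a keystream, XORed in."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def internet_router(pkt: bytes):
    """Public-router rule from the text: a private destination address is an error, drop the datagram."""
    if is_private(parse_ipv4(pkt)["dst"]):
        return None
    return pkt


def r1_encapsulate(inner: bytes, key: bytes, r1_global: str, r2_global: str, nonce: bytes = None) -> bytes:
    """R1: encrypt X's whole datagram, then make it the data part of a new datagram addressed R1 -> R2."""
    nonce = nonce or os.urandom(8)
    return build_ipv4(r1_global, r2_global, PROTO_IPIP, nonce + keystream_xor(key, nonce, inner))


def r2_decapsulate(outer: bytes, key: bytes) -> bytes:
    """R2: strip the outer header, decrypt, and hand back the original inner datagram."""
    body = parse_ipv4(outer)["payload"]
    return keystream_xor(key, body[:8], body[8:])


def tunnel_demo() -> dict:
    """Walk the X -> R1 -> Internet -> R2 -> Y path with the addresses used in the text."""
    key = hashlib.sha256(b"constructed demo key shared by R1 and R2").digest()  # constructed
    nonce = bytes(range(8))                                                      # constructed, fixed for repeatability
    inner = build_ipv4("10.1.0.1", "10.2.0.3", 17, b"hello Y")                  # X's datagram, UDP payload constructed
    outer = r1_encapsulate(inner, key, "125.1.2.3", "194.4.5.6", nonce)
    forwarded = internet_router(outer)
    recovered = r2_decapsulate(forwarded, key) if forwarded else None
    return {
        "inner_dropped_if_sent_raw": internet_router(inner) is None,
        "outer_forwarded": forwarded is not None,
        "outer_hides_inner_addresses": inner[12:20] not in outer[20:],  # 10.1.0.1/10.2.0.3 never appear in clear
        "inner_recovered": recovered == inner,
        "final_hop_dst": parse_ipv4(recovered)["dst"] if recovered else None,
    }


if __name__ == "__main__":
    print(tunnel_demo())
```

Run it directly and `tunnel_demo()` reports that the raw inner datagram is dropped, the outer datagram is forwarded with the inner addresses hidden, and R2 recovers a byte-identical inner datagram whose destination 10.2.0.3 drives the final hop. The header checksum is computed the standard way, so verifying the outer header returns 0.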


Origin blog.csdn.net/nytcjsjboss/article/details/131290523