BGP MPLS VPN数据转发过程分析

对BGP MPLS VPN网络的体结构、网络层面中双层标签的功能及双层标签的分发过程进行认真分析.BGP MPLS VPN网络的体结构中的路由器有提供商路由器、提供商边缘路由器、用户边缘路由器三类.一个VPN标签分组内外双层标签分别由扩展BGP协议和标签分发协议提供,内标签标识数据分组发向哪一个服务商边缘路由器及属于哪一个VPN,外层标签建立MPLS骨干网中的标签交换通道.最后给出一个VPN标签分组的转发示例来说明数据分组转发的全过程.     

MPLS VPN在通信企业DCN网络升级中的应用

MPLS技术提供了类似于虚电路的标签交换业务,可以实现底层标签自动的分配,在业务的提供上比传统的VPN技术更廉价,更快速和安全的数据传输。同时MPLS VPN可以充分利用MPLS技术的一些先进特性,提供流量工程能力、服务质量保证等。DCN网络作为公司内部各营业、办公、网管、运维等各信息系统承载的网络平台,在应用系统整合的大趋势下,对网络健壮性、安全性及可控制管理性都提出了更高的要求。MPLS VPN正是在这样的环境背景下,成为DCN网络改造的必然。     

IPSec在MPLS VPN中的应用

随着MPLS技术在骨干网上的广泛使用,网络服务商向用户提供基于MPLS技术的虚拟专用网服务.基于MPLS网络的VPN服务在传输用户数据时存在一定的安全漏洞,文中分析了MPLS VPN的结构及存在的安全缺陷,提出一种方法,把IPSec应用在MPLS VPN中以加强用户数据传输的安全性.对IPSec的安全功能及应用场合进行了研究,给出在用户管理的网络边缘设备CE上配置IPSec的方法.实现了VPN用户数据分组进入骨干网之前的安全保护措施,并对IPSec分组的工作过程做了解释.     

主动网络安全机制的分析与研究

分析了主动网络的安全机制,指出了存在的不足,提出了增强主动网络安全性的新思路--基于MPLS VPN技术的主动网络.由于引入了IPSec和MPLS VPN技术,使得基于MPLS VPN的主动网络既具有了一般主动网络的安全机制,同时也具有了MPLS VPN网络的抗攻击和抗标记欺骗的安全特性,有效提高了主动网络的安全性.     

主动网络安全机制的分析与研究

分析了主动网络的安全机制,指出了存在的不足,提出了增强主动网络安全性的新思路--基于MPLS VPN技术的主动网络.由于引入了IPSec和MPLS VPN技术,使得基于MPLS VPN的主动网络既具有了一般主动网络的安全机制,同时也具有了MPLS VPN网络的抗攻击和抗标记欺骗的安全特性,有效提高了主动网络的安全性.     

DS-TE技术对MPLS VPN中Qos保证的研究

VPN可以使企业能够在Internet上既安全又经济地传输私有信息。MPLS的优点可以在建构VPN中得到充分利用和体现,而服务质量问题是现在网络研究的热点。结合针对基于MPLS的网络的流量工程（DS-TE）技术,可以很好地实现服务质量的保证和细化。因此将其应用于MPLS／VPN的组网中,这更有利于实现VPN配置和管理上的简洁化和智能化。     

基于MPLS的VPN互访技术

针对VPN互访问题,根据IPSec-VPN互访方法的不足,提出动态MPLS-VPN方法.利用随机分配的标签,在需要互访的不同VPN网络节点之间构建MPLS通道,利用互访规则集检验节点的连接申请,根据过滤规则控制数据包的传输,通过设定传输时长限制节点互访的时间,实现VPN之间接节点、按方向、按时间的细粒度互访控制,确保数据传输的安全性和高效性.给出动态MPLS-VPN方法实现互访的步骤,对方法进行分析比较.     

基于MPLS建立VPN的研究

文中简单介绍了VPN的技术基础，分析了它在几个典型传统网络上的应用，提出基于MPLS建立新一代VPN的可行性，概述了MPLS的基本原理及其特点，分析了在MPLS上建立VPN的优点和实现它的关键技术，并且提出了MPLS＿VPN有待解决的问题。     

基于MPLS的区分服务技术

传统的Internet只能提供尽力传送服务,但这种没有任何保证、不可预测的服务已不能满足许多应用的需要。IETF提出的Intserv/RSVP方案从技术角度可以提供灵活的服务质量,满足各种应用的需要,但该方案要求每个路由器保存每个连接的状态,复杂化了核心路由器的处理,因此实现 和配置是非常困难的。IETF提出的Diffserv将各种复杂的接入控制、每个连接的管理交给边界路由器处理,核心路由器只处理流量聚合,因而具有更好的伸缩性和鲁棒性。MPLS是一种可以在多种第二层媒质上进行标签交换的网络技术,将探讨如何结合Diffserv和MPLS两种技术,提供各种服务质量,特别是VPN。     

BGP/MPLS IP VPN的IPv6扩展研究

介绍BGP／MPLS IP VPN技术，又称三层MPLS VPN，它使用BGP进行路由信息的分发和使用MPLS进行包转发，具有较好的服务质量。重点分析BGP／MPLS IP VPN网络在IPv4和IPv6中的应用，并对基于Carrier of Cartier VPN的BGP／MPLS VPN的IPv6扩展方案进行研究，此方案提供了运营级的解决方法，并能利用现有的IPv4资源，有较好的灵活性和扩展性。     

A restorable MPLS-based hose-model VPN network

Design of a restorable MPLS-based Layer-3 VPN network with QoS guarantee is a new and important subject that has not been widely studied before. The main challenge arises from the fact that the Service Level Agreements (SLAs) of a L3-VPN usually only specify the maximum ingress and egress traffic rate, and provide no point-to-point traffic matrix information (i.e., a hose-model VPN). Conventional restoration and traffic engineering techniques do not apply to this type of traffic model. In this paper, we present a restoration network architecture and present two algorithms for solving the routing problem of this type of restoration networks. We demonstrate the effectiveness of our proposed restoration architecture by comparing the throughput performance with other approaches.     

跨域BGP/MPLS VPN转发引擎设计与实现

在对跨域BGP/MPLS VPN各种实现方案进行分析的基础上,结合大规模接入汇聚路由器的实际需求,提出了一种高速条件下的跨域BGP/MPLSVPN转发引擎结构,并针对该转发引擎的查表部分设计了一种基于双表融合的TCAM表项结构,对报文的操作类型进行了合理的设计,最后利用xilinx公司的virtex4 xc4v1x160 FPGA芯片对该转发引擎进行了实现,最终的测试结果表明该转发引擎能够有效的工作,达到了大规模接入汇聚路由器的性能需求.     

Virtual private networks: leveraging the Internet

Proponents say virtual private networks could be the wave of the networking future for one very important reason: VPNs transmit data via the Internet, rather than via expensive traditional private networks. Proponents are quick to mention the significant cost savings organizations can realize by using networks that employ the Internet backbone as a data pipeline rather than networks that rely on leased lines, frame-relay technology, and dialup connections for private WANs. However, as with many Internet technologies, potential VPN users are concerned about possible security, reliability, and performance problems. ln addition, a lack of open standards has created concerns about compatibility. The industry is working toward adoption of such standards, but it remains to be seen whether this will lend credibility to VPN technology     

VPN中的隧道技术研究

大规模的组建VPN网络已经成为一种趋势,越来越多地受到用户的广泛关注。从总体来说。VPN技术非常复杂,它涉及到通信技术、密码技术和现代认证技术,是一项交叉科学。隧道技术对于构建VPN来说,是一个关键性技术。它在源局域网与公网的接口处,将数据作为负载封装在一种可以在公网上传输的数据格式中,在目的局域网与公网的接口处将数据解封装,取出负载。从隧道技术的发展,对各种隧道技术做了一个简单的分析,了解VPN组网的安全技术。     

基于MPLS的VPN中QoS的实现分析

分析了基于MPLS的VPN的特性,介绍了在基于MPLS的VPN中提供QoS保证的两种模型,而后论述了MPLS与流量工程和区分服务相结合提供QoS的实现方法.     

Securing VPN from insider and outsider bandwidth flooding attack

Globalization is the order of the day. Linking globally dispersed corporate offices and securing the data transferred between them is a critical activity. Virtual Private Network (VPN) is a viable and low cost option. VPN is cost effective as the Internet is its backbone. In addition to security, corporate needs uninterrupted and guaranteed service. Internet Protocol Security (IPSec) VPN can live up to their expectations by having reserved bandwidth. IPSec VPN provides confidentiality, availability and integrity. However it does not protect the network from spoofed packet attacks. These attacks target the bandwidth allocated to VPN and degrade the performance of the VPN. Bandwidth Flooding attack on VPN represents a major threat. In this paper we focus on making the reserved bandwidth available fully to the legitimate VPN users. Source end protection architecture is proposed to maximize the utilization of the reserved bandwidth by protecting VPN sites from insider and outsider attacks. The protection from insider attack is based on a probability based rate limiting model. The protection from outsider attack is based on an Access Token Embedded Encapsulating Security Payload (ATEESP) header. We analyze the effectiveness of our proposed architecture through simulation.     

基于多协议标签交换技术的Ad Hoc网络研究

将MPLS(Multiprotocol Label Switching)技术引入到Ad Hoc网络中,目的是为Ad Hoc网络提供快速转发能力、QoS功能和可扩展性。针对传统IP转发机制在移动自组网（Ad Hoc）中的缺陷,研究了基于MPLS技术的Ad Hoc网络,详细描述了其基本结构,并提出了新的在Ad Hoc网络中支持自愈恢复的MPLS信令协议DMSP（Dynamic MPLS Signaling Protocol）,最后通过仿真实验对DMSP的自愈恢复方式进行了性能分析。     

Hierarchical Mobility Label Based Network: System model and performance analysis

Hierarchical Mobility Label Based Network (H-MLBN) is a new approach to the network layer mobility management problem that relies on MPLS-aware control plane and MPLS-based forwarding plane to provide IP mobility support for IPv4 and IPv6 mobile hosts and routers while being able to ensure optimal traffic delivery between the communicating devices. The hierarchical system is capable of both macro- and micro-mobility support without the use of Mobile IP and its derivatives thus eliminating the user and network facing performance penalties associated with triangular routing and bi-directional tunneling. This paper presents a system model and provides performance analysis for H-MLBN and compares its performance with the Mobile IP based schemes. The results indicate significant performance improvements in the forwarding plane traffic delivery as well as the control plane network update costs.     

MPLS及其在IP网络中的应用

多协议标记交换(MPLS)技术是当今网络界研究及讨论的热门话题,它不但能提高传统路由器的分组转发性能,还能应用于流量工程、提供服务质量(QoS)保证以及虚拟网构建等方面。文章重点介绍了MPLS的原理和关键机制,分析了MPLS在IP网络中可能有的应用,同时指出了MPLS所存在的问题。     

A measurement study of persistent forwarding loops on the Internet

In this paper, we present a measurement study of persistent forwarding loops and a flooding attack that exploits persistent forwarding loops. Persistent forwarding loops may share one or more links with forwarding paths to some hosts. An attacker can exploit persistent forwarding loops to overload the shared links and disrupt Internet connectivity to those hosts.To understand the extent of this vulnerability, we perform extensive measurements to systematically study persistent forwarding loops. We find that persistent forwarding loops do exist in the Internet. At least 35 million addresses experience persistent forwarding loops, and at least 11 million addresses can be attacked by exploiting such persistent forwarding loops. In addition, 87.4% of persistent forwarding loops involve routers in destination domains, which can be observed from various locations. This makes it possible to launch attacks from multiple vantage points. We also find that most persistent forwarding loops are just two hops long, which enables an attacker to significantly amplify traffic to them.We further investigate the possible cause of persistent forwarding loops, and find that about 50% of them are caused by neglecting to configure pull-up routes. We show that even if the misconfiguration occurs in a stub network, it may cause persistent forwarding loops involving routers in large ISPs, and can potentially be exploited by attackers to flood links in a backbone network. To the best of our knowledge, this is the first study of exploiting routing misconfigurations to launch DDoS attacks and understanding the impact of such attacks.