CDMACDMA数据网行业数据网行业VPDNVPDN应用系统应用系统解决方案解决方案Starent Networks Proprietary and Confidential2http:/www.docin.com/webmoneyL2TP 1.隧道：借助于L2TP技术，在对现有的透明数据进行再次封装，达到企业用户数据与其他用户数据隔离的安全目的。 2.连接：在Internet网络上，将企业内部网络无限的扩展。3. 安全性：L2TP封装内的用户数据格式并未改变VPDN 服务平台基本概念Starent Networks Proprietary and Confidential3http:/www.docin.com/webmoneyIPSec:1.安全性：强大数据起源身份验证数据起源身份验证 ，数据完整性数据完整性 ，重放保护重放保护 ，数据机密性（数据机密性（64位位,128位位 的加密）2.资源： 耗费较多的CPU, Memory资源，不适于由客户端发起。 VPDN 服务平台基本概念服务平台基本概念Starent Networks Proprietary and Confidential4http:/www.docin.com/webmoneyVR (虚拟路由器）1.资源：PDSN的部分CPU，Memory,端口组成逻辑路由器 2.处理选择：依据NAI中的域名选择处理连接的虚拟路由器3. 安全：处理资源，数据路径，相应的AAA处理可以完全独立VPDN 服务平台基本概念服务平台基本概念Starent Networks Proprietary and Confidential5http:/www.docin.com/webmoneyST40 PDSN,VR,LAC,LNSAAA / VPDN管理平台管理平台管理终端管理终端CDMA 200LANPCFPublicInternetIntranet1Enterprise 3Enterprise 2Leased LineL2TP+IPSecL2TPVPDN服务方案服务方案Starent Networks Proprietary and Confidential6http:/www.docin.com/webmoneyVPDN服务方案服务方案Session Persistence 方案方案ST40 HA,VR,LAC,LNSVPDN管理平台管理平台管理终端管理终端 CDMA2000Client GUILANWLANADSLPDSN/FAPublicInternetIntranet1Enterprise 3Enterprise 2Leased LineL2TP+IPSecL2TPMIP 隧道隧道Starent Networks Proprietary and Confidential7http:/www.docin.com/webmoneyST40PDSN, LACVPDN管理平台管理平台管理终端管理终端LANPCFPublicInternetIntranet1Enterprise 3Enterprise 2L2TP 隧道隧道CDMA 2000LNSVPDN 隧道方案隧道方案1L2TP 方案方案Starent Networks Proprietary and Confidential8http:/www.docin.com/webmoneyST40PDSN, LAC,EDCVPDN管理平台管理平台管理终端管理终端LANPCFPublicInternetIntranet1Enterprise 3Enterprise 2IPSec +L2TP隧道隧道CDMA2000LNSVPDN 隧道方案隧道方案2IPSec整合整合L2TP方案方案Starent Networks Proprietary and Confidential9http:/www.docin.com/webmoneyST40 PDSN, VRVPDN管理平台管理平台管理终端管理终端LANPCFPublicInternetIntranet1Enterprise 3Enterprise 2CDMA1xRouterLeased LineVPDN 隧道方案隧道方案3 VR配合专线方案配合专线方案Starent Networks Proprietary and Confidential10http:/www.docin.com/webmoneyVPDN 隧道方案隧道方案 共享共享VR配合专线方案配合专线方案Starent Networks Proprietary and Confidential11http:/www.docin.com/webmoneyFACNVPDN Management Platform (AAA)ST16 ( PDSN,LAC)MSL2TP VPDN Application Call Flow Establish TCH Check the Domain and IMSI with the DatabaseLNSNegotiate the new PPP connectionAccess RequestIMSI, Username, Domain name , PasswordAccess AcceptVPDN Tunnel attributes Establish L2TP TunnelAuthentication the username and password Assign the Intranet IP address to MSIntranet data CommunicationPCFA11 Register Response With code 0Check the IMSIA11 Register Request IMSIA11 Register Request IMSIA11 Register Respones Code : 0x88 & ST16 IP AddressPPP Negotiation呼叫流程示意图呼叫流程示意图 VPDNVPDN专用专用PDSN+L2TPPDSN+L2TP隧道方案隧道方案Starent Networks Proprietary and Confidential12http:/www.docin.com/webmoneyFACNVPDN Management Platform (AAA)ST16 ( PDSN,LAC)MSEstablish TCH Check the Domain and IMSI with the DatabaseLNSAccess RequestIMSI, Username, Domain name , PasswordAccess AcceptVR Name, Pool Name PCFA11 Register Response With code 0Check the IMSIA11 Register Request IMSIA11 Register Request IMSIPPP NegotiationNegotiate the new PPP connectionAssign the Intranet IP address to MS V RLeased LineIntranet data CommunicationVR+Leased line VPDN Application Call Flow A11 Register Respones Code : 0x88 & ST16 IP Address呼叫流程示意图呼叫流程示意图 VPDNVPDN专用专用PDSN+PDSN+VR配合专线方案配合专线方案Starent Networks Proprietary and Confidential13http:/www.docin.com/webmoney呼叫流程示意图呼叫流程示意图Tunnel Switch+L2tpTunnel Switch+L2tp隧道方案隧道方案AAA1VPDN Management Platform (AAA)ST16 ( LNS,VR)MSL2TP VPDN Application Call Flow LCP Negotiation Check the Domain and IMSI with the DatabaseLNSNegotiate the new PPP connectionAccess RequestIMSI, Username, Domain name , PasswordAccess AcceptVPDN Tunnel attributes Establish L2TP TunnelAuthentication the username and password Assign the Intranet IP address to MSIntranet data CommunicationPDSNCheck the Domain Name in NAIAccess Request Access Accept Tunnel AttributsNegotiates and Establishs L2TP TunnelStarent Networks Proprietary and Confidential14http:/www.docin.com/webmoney呼叫流程示意图呼叫流程示意图 Tunnel Switch+VR配合专线方案配合专线方案AAA1VPDN Management Platform (AAA)ST16 ( LNS,VR)MSCheck the Domain and IMSI with the DatabaseLNSAccess RequestIMSI, Username, Domain name , PasswordAccess AcceptVR Name, Pool Name PCFPPP NegotiationNegotiate the new PPP connectionAssign the Intranet IP address to MS V RLeased LineIntranet data CommunicationVR+Leased line VPDN Application Call Flow LCP Negotiation Check the Domain Name in NAIAccess Request Access Accept Tunnel AttributsNegotiates and Establishs L2TP TunnelStarent Networks Proprietary and Confidential15http:/www.docin.com/webmoney呼叫流程示意图呼叫流程示意图 L2TP整合整合IPSec方案方案1.A subscriber session arrives at the system.2 The system attempts to authenticate the subscriber with the AAA server.3 The profile attributes returned upon successful authentication by the AAA server indicate that session data is to be tunneled using L2TP. 4 The system determines that the crypto map name supplied matches a configured cryptomap.Starent Networks Proprietary and Confidential16http:/www.docin.com/webmoney呼叫流程示意图呼叫流程示意图 L2TP整合整合IPSec方案方案5.From the crypto map, the system determines the following: The map type, in this case dynamic Whether perfect forward secrecy (PFS) should be enabled for the IPSec SA, and if so, what group should be used IPSec SA lifetime parameters The name of one or more configured transform set defining the IPSec SA6 To initiate the IKE SA negotiation, the system performs a Diffie-Hellman exchange of the ISAKMP secret specified in the profile attribute with the specified peer LNS/securitygateway.7 The system and the LNS/security gateway negotiate an ISAKMP (IKE) policy to use toprotect further communications.8 Once the IKE SA has been negotiated, the system negotiates an IPSec SA with theLNS/security gateway using the transform method specified in the transform sets.9 Once the IPSec SA has been negotiated, the system protects the L2TP encapsulated dataStarent Networks Proprietary and Confidential17http:/www.docin.com/webmoney企业侧的解决方案企业侧的解决方案星运行业应用系统解决方案完全支持以下企业侧网络应用模式：企业侧建设AAA和LNS可部署L2TP,IPSec,VR+专线等各种方案。企业侧建设AAA，不建设LNS可部署VR+专线等各种方案企业侧建设LNS，不建设AAA可部署L2TP,IPSec,VR+专线等各种方案，企业侧LNS和AAA都不建设可部署VR+专线等各种方案Starent Networks Proprietary and Confidential18http:/www.docin.com/webmoney案例分析-公安厅移动查询网示意图公安厅移动查询网示意图PDSNCDMA2000-1X无线网络无线网络AAA ServerAAA Server公安厅内部网络公安厅内部网络专线专线公安查公安查询终端询终端VPDN管理系统公安厅专用公安厅专用VR认证请求认证请求判断为判断为VPDN应用，应用，转发给转发给VPDN管理系统管理系统进行用户名进行用户名/域名认证域名认证并进行并进行IMSI比对比对返回相关的属性返回相关的属性新建新建L2TP隧道隧道进行二次认证，进行二次认证，分配内部分配内部IP地址地址AAA ServerStarent Networks Proprietary and Confidential19http:/www.docin.com/webmoney方案组成描述呼叫建立过程：1。移动终端通过无限网络尝试建立PPP到PDSN2。通过LCP协商过程后，PDSN获得移动用户的用户名后通过分析其域名，由专用的VR（专用CPU,Memory,端口等）来处理该用户的连接。3。该VR将认证请求发给AAA服务器，AAA服务器在判断该次呼叫为VPDN应用，则将其转发给VPDN管理系统4。VPDN管理系统对于用户名进行认证，提取该用户IMSI与数据库中属于公安厅的IMSI段进行比对，如果在其中则返回建立隧道所需的属性。Starent Networks Proprietary and Confidential20http:/www.docin.com/webmoney方案组成描述呼叫建立过程：5。VR根据获得的属性后，通过专用的端口及专线与公安厅的路由器协商并建立隧道。6。移动用户的用户名及密码将会隧道送至公安厅内部网络，进行第二次认证。7。认证通过后，公安厅的路由器将分配IP地址给移动终端。 至此，移动终端便可以通过全程与其它用户隔离的通道来访问公安厅内部网络，VPDN接入达到了非常高的安全级别。Starent Networks Proprietary and Confidential21http:/www.docin.com/webmoney1. 1. L2TP , L2TP , IPSecIPSec方案是通过公有网络资方案是通过公有网络资源来构建私有企业网络连接源来构建私有企业网络连接, ,技术本身就技术本身就定义了私有网络数据与公共网络数据之定义了私有网络数据与公共网络数据之间以及相互之间的隔离保障间以及相互之间的隔离保障. .他们之间只他们之间只是在数据安全性上的差异是在数据安全性上的差异. .2. VR+2. VR+专线的方式可以达到企业网络数专线的方式可以达到企业网络数据与其他的网络完全物理隔离据与其他的网络完全物理隔离. . 不同不同VPDN连接之间的数据隔离连接之间的数据隔离Starent Networks Proprietary and Confidential22http:/www.docin.com/webmoney不同不同VPDN连接之间的数据隔离连接之间的数据隔离3. 3. 对于共享对于共享VRVR方案方案: :VRVR为不同域名的用户分配不同的为不同域名的用户分配不同的IPIP地址地址池池各个地址池之间通过各个地址池之间通过ACLACL进行通信限制进行通信限制汇接的路由器进行源地址路由汇接的路由器进行源地址路由ST16 VPDNST16 VPDN平台支持将多个逻辑端口定义平台支持将多个逻辑端口定义在一个物理端口上在一个物理端口上支持支持VLAN Tag,VLAN Tag,即一个物理端口可以定义即一个物理端口可以定义在多个在多个VLANVLAN里面里面VRVR的的IPIP地址池支持源地址路由地址池支持源地址路由, ,分别定义分别定义不同的下一跳地址不同的下一跳地址. . Starent Networks Proprietary and Confidential23http:/www.docin.com/webmoneyQ & A.This presentation is proprietary information of Starent Networks Corporation. The information contained may not be used to create or change any contractual obligation between Starent Networks Corporation and you or your firm. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this presentation by persons or entities other than the intended recipients is prohibited. This presentation is for planning and information purposes only. The specifications contained herein are subject to change without notice.MajpjMVcyzj21HLfrvy96dv02lPPfYgxUS7IYmZkyEmZ0kGeYZS3bpLCkYH1lt4EK7CxmUX3ijoYSOer7ZuaVWYgz4EpZrUirVpMzzvNtf1XZw5oswSXOtFaejnOcmfE1lZgnN1RSXg8wLCG8CVQ3XPJMvodPFWcpiYJgZazNSEPNIaklYSu7qSd1UpaxmZDlpN9zW7kljfsLCLi26Yv109ffbnDH8LbUN1G6ACURQ39eG12KHL9tXsZ1jzgoCK8g1kuNOh5eFvcmVT5ZYVQt9zk3rp3qLnf02FovEXxVRxjCcFRNppiJljNiOuk6fONnyX7fyGg7sXZ49BmCN5oy9VesHpKzdjTKwjrkCEQCFDehVmGax3lrOEbw63VscA3YSijtUKoCyiLzAlVRp7l4QgPNHxvJFFDyjUVN3oHlMah0XBd4uTbkfPIhHtw0evPmYOrdhEDoPwvYhzlGplU1AU9mpyiCXH8gpPCBRYjq77VcnbXumNE1yGfyTsbSj89J63kRTKDkKUg3mdS5sJ4X5cQ8dK7oW9IkScssECQdz2O9UTlpRjAFPChjhLdzopQzwxQf8ozdzOhogwAooXpUF83BX4C3jRgjDJiiXEUDMaNz4vQ4n164vspddHvOIVuBBdMA4xp1YhiHk0vOJ8TL1BxogzVlMpmod6ianYGmksQq6NWCEd56hZF4wfaNyZcrGfNxnPiG6ZAxSkfmhJAKtNmCqbRmppeXp8inz4eq3HkWCMSORyMMX522xpHG6basNr6KQfbZsFbHjzyNlJrruLolKFcC84dqfijBO5Dy2NaBcNEBPgQrT12PgpcKx2or2YChN5DPjs80zzdtdAdTKuW4uVv9bbZu3K2SZ2aEhTlIC1UqrIWibkzwHh6p8gLv26zr01mJybfOzFc4T7kQH1IpPwOzMDnAKPLsLrznXGjFNIA9bSWWms6ibKZwQIKrMzalwbFrQJvOP1rPH8rx2KkyYqrtQk5VRwM1HSX