ProHoster > Блог > Gudanarwa > Yadda ake Aunawa da Kwatanta na'urorin boye-boye na Ethernet

Yadda ake Aunawa da Kwatanta na'urorin boye-boye na Ethernet

Na rubuta wannan bita (ko, idan kun fi so, jagorar kwatanta) lokacin da aka ba ni aikin kwatanta na'urori da yawa daga masu siyarwa daban-daban. Bugu da ƙari, waɗannan na'urori sun kasance na azuzuwan daban-daban. Dole ne in fahimci gine-gine da halayen duk waɗannan na'urori kuma in haifar da "tsarin daidaitawa" don kwatanta. Zan yi farin ciki idan nazari na ya taimaka wa wani:

  • Fahimtar kwatance da ƙayyadaddun na'urorin ɓoyewa
  • Bambance halaye na "takarda" daga waɗanda suke da mahimmanci a rayuwa ta ainihi
  • Ku wuce saitin dillalai na yau da kullun kuma haɗa da la'akari da kowane samfuran da suka dace don magance matsalar
  • Yi tambayoyin da suka dace yayin shawarwari
  • Zana buƙatun taushi (RFP)
  • Fahimci irin halayen da za a yi hadaya idan an zaɓi wani samfurin na'ura

Abin da za a iya tantancewa

A ƙa'ida, hanyar ta dace da kowane na'urori masu zaman kansu waɗanda suka dace don ɓoye zirga-zirgar hanyar sadarwa tsakanin sassan Ethernet mai nisa (ɓoye-ɓoye na giciye). Wato, “akwatuna” a cikin wani akwati daban (to, za mu kuma haɗa da ruwan wukake/modules don chassis a nan), waɗanda aka haɗa ta ɗaya ko fiye da tashoshin Ethernet zuwa cibiyar sadarwa ta gida (campus) Ethernet tare da zirga-zirgar da ba a ɓoye ba, kuma ta hanyar. wata tashar (s) zuwa tashar/cibiyar sadarwa wadda ta riga an rufaffen zirga-zirga zuwa wasu sassa na nesa. Irin wannan bayani na ɓoyewa za a iya tura shi a cikin hanyar sadarwa mai zaman kansa ko mai aiki ta hanyar nau'ikan "transporting" daban-daban (fiber duhu, kayan aikin rarraba mitar, Ethernet mai sauyawa, da kuma "pseudowires" da aka shimfiɗa ta hanyar hanyar sadarwa tare da tsarin gine-gine daban-daban, mafi yawancin MPLS. ), tare da ko ba tare da fasahar VPN ba.

Yadda ake Aunawa da Kwatanta na'urorin boye-boye na Ethernet
Rufin hanyar sadarwa a cikin hanyar sadarwar Ethernet da aka rarraba

Na'urorin da kansu na iya zama ko dai na musamman (wanda aka yi niyya musamman don ɓoyewa), ko multifunctional (matasan, convergent), wato, yin wasu ayyuka (misali, Firewall ko na'ura mai ba da hanya tsakanin hanyoyin sadarwa). Dillalai daban-daban suna rarraba na'urorin su zuwa nau'o'i / nau'ikan daban-daban, amma wannan ba kome ba - abu mai mahimmanci shine ko za su iya ɓoye zirga-zirgar yanar gizo, da kuma irin halayen da suke da su.

Kamar dai, ina tunatar da ku cewa “rufe hanyar sadarwa”, “ɓoye sirrin zirga-zirga”, “encryptor” kalmomi ne na yau da kullun, kodayake galibi ana amfani da su. Wataƙila ba za ku same su a cikin dokokin Rasha ba (ciki har da waɗanda ke gabatar da GOSTs).

Matakan ɓoyewa da hanyoyin watsawa

Kafin mu fara bayyana halayen da kansu waɗanda za a yi amfani da su don kimantawa, za mu fara fahimtar abu ɗaya mai mahimmanci, wato "matakin ɓoyewa". Na lura cewa sau da yawa ana ambaton shi duka a cikin takaddun dillalai na hukuma (a cikin kwatancin, litattafai, da sauransu) da kuma cikin tattaunawa na yau da kullun (a tattaunawar, horo). Wato kamar kowa ya san abin da muke magana a kai, amma ni da kaina na ga wani rudani.

Don haka menene "matakin ɓoyewa"? A bayyane yake cewa muna magana ne game da adadin OSI/ISO ƙirar ƙirar hanyar sadarwa wanda ɓoye ke faruwa. Mun karanta GOST R ISO 7498-2-99 “Fasahar bayanai. Haɗin kai na buɗaɗɗen tsarin. Basic reference model. Sashe na 2. Tsarin tsaro na bayanai." Daga wannan takarda za a iya fahimtar cewa matakin sabis na sirri (daya daga cikin hanyoyin samar da wanda shine ɓoyewa) shine matakin ƙa'idar, toshe bayanan sabis ("payload", bayanan mai amfani) wanda aka ɓoye. Kamar yadda kuma aka rubuta a cikin ma'auni, ana iya ba da sabis ɗin duka a matakin ɗaya, "a kan kansa," kuma tare da taimakon ƙananan matakin (wannan shine yadda, alal misali, ana aiwatar da shi sau da yawa a MACsec) .

A aikace, hanyoyi guda biyu na watsa bayanan rufaffiyar kan hanyar sadarwa suna yiwuwa (IPsec nan da nan ya zo a hankali, amma ana samun nau'ikan nau'ikan a cikin wasu ka'idoji). IN sufuri (wani lokaci kuma ana kiransa ɗan ƙasa) yanayin rufaffen asiri ne kawai hidima toshe bayanai, kuma masu kan suna zama “buɗe”, ba a ɓoye su (wani lokaci ana ƙara ƙarin filayen tare da bayanan sabis na algorithm na ɓoyewa, kuma ana gyara wasu filayen kuma ana sake ƙididdige su). IN rami yanayin iri ɗaya duka yarjejeniya toshe bayanan (wato fakitin kanta) an ɓoye kuma an ɓoye shi a cikin toshe bayanan sabis na matakin ɗaya ko mafi girma, wato, an kewaye shi da sabbin kanun labarai.

Matsayin ɓoyayyen da kansa a hade tare da wasu yanayin watsawa ba shi da kyau ko mara kyau, don haka ba za a iya cewa, alal misali, L3 a cikin yanayin sufuri ya fi L2 a yanayin rami. Sai dai kawai yawancin halayen da ake kimanta na'urorin sun dogara da su. Misali, sassauci da dacewa. Don yin aiki a cikin hanyar sadarwa L1 (bit stream relay), L2 (frame switching) da L3 (fakitin routing) a cikin yanayin sufuri, kuna buƙatar mafita waɗanda ke ɓoye a matakin ɗaya ko mafi girma (in ba haka ba za a ɓoye bayanan adireshin kuma bayanan za su kasance. bai kai inda aka nufa ba) , kuma yanayin rami ya shawo kan wannan iyakance (ko da yake yana sadaukar da wasu muhimman halaye).

Yadda ake Aunawa da Kwatanta na'urorin boye-boye na Ethernet
Hanyoyin ɓoye na sufuri da rami L2

Yanzu bari mu ci gaba zuwa nazarin halaye.

Yawan aiki

Don boye-boye na hanyar sadarwa, aiki yana da sarkakiya, ra'ayi mai yawa. Yana faruwa cewa wani samfurin, yayin da ya fi girma a cikin sifa ɗaya, yana da ƙasa a cikin wani. Don haka, yana da amfani koyaushe a yi la'akari da duk abubuwan da ke tattare da aikin ɓoyewa da tasirinsu akan aikin hanyar sadarwa da aikace-aikacen da suke amfani da shi. A nan za mu iya zana wani kwatanci tare da mota, wanda ba kawai matsakaicin gudun ne da muhimmanci, amma kuma hanzari lokaci zuwa "daruruwan", man fetur amfani, da dai sauransu. Kamfanonin tallace-tallace da abokan cinikinsu masu yuwuwa suna ba da kulawa sosai ga halayen aiki. A matsayinka na mai mulki, ana jera na'urorin boye-boye bisa aiki a cikin layin masu siyarwa.

A bayyane yake cewa aikin ya dogara ne da rikitarwa na hanyoyin sadarwa da ayyukan sirri da aka yi akan na'urar (ciki har da yadda za a iya daidaita waɗannan ayyuka da bututun mai), da kuma aikin na'urar da ingancin firmware. Don haka, tsofaffin samfura suna amfani da ƙarin kayan masarufi masu fa'ida; wani lokacin yana yiwuwa a ba shi ƙarin na'urori masu sarrafawa da na'urorin ƙwaƙwalwar ajiya. Akwai hanyoyi da yawa don aiwatar da ayyukan sirri: akan maƙasudin maƙasudi na tsakiya (CPU), ƙayyadaddun aikace-aikacen hadedde da'ira (ASIC), ko tsarin dabaru mai haɗawa da filin (FPGA). Kowace hanya tana da fa'ida da rashin amfani. Misali, CPU na iya zama ƙulli na ɓoye, musamman idan mai sarrafawa ba shi da takamaiman umarni don tallafawa algorithm ɓoye (ko kuma idan ba a yi amfani da su ba). Ƙwararren kwakwalwan kwamfuta ba su da sassauci; ba koyaushe zai yiwu a “sake walƙiya” su don haɓaka aiki, ƙara sabbin ayyuka, ko kawar da lahani ba. Bugu da ƙari, amfani da su ya zama riba ne kawai tare da babban adadin samar da kayayyaki. Abin da ya sa "ma'anar zinariya" ya zama sananne sosai - amfani da FPGA (FPGA a cikin Rashanci). A kan FPGAs ne ake yin abin da ake kira accelerators na crypto - ginannun ciki ko toshe kayan masarufi na musamman don tallafawa ayyukan sirri.

Tunda muna magana ne hanyar sadarwa boye-boye, yana da ma'ana cewa ya kamata a auna aikin mafita a cikin adadi daidai da na sauran na'urorin cibiyar sadarwa - kayan aiki, yawan asarar firam da latency. Wadannan dabi'u an bayyana su a cikin RFC 1242. Af, babu abin da aka rubuta game da bambancin jinkiri da aka ambata akai-akai a cikin wannan RFC. Yadda za a auna waɗannan adadi? Ban sami wata hanyar da aka yarda da ita ba a cikin kowane ma'auni (na hukuma ko na hukuma kamar RFC) musamman don ɓoyayyen hanyar sadarwa. Zai zama ma'ana don amfani da hanyoyin don na'urorin cibiyar sadarwa da aka tsara a cikin daidaitattun RFC 2544. Yawancin dillalai suna bin ta - da yawa, amma ba duka ba. Misali, suna aika zirga-zirgar gwaji ta hanya ɗaya kawai maimakon duka biyu, kamar shawarar misali. Duk da haka.

Auna aikin na'urorin ɓoye hanyar sadarwa har yanzu yana da halayensa. Da fari dai, daidai ne a aiwatar da duk ma'aunai na na'urori biyu: ko da yake ɓoyayyun algorithms suna da siffa, jinkiri da asarar fakiti yayin ɓoyewa da ɓoyewa ba lallai ba ne su zama daidai. Abu na biyu, yana da ma'ana don auna delta, tasirin ɓoyewar hanyar sadarwa akan aikin cibiyar sadarwa ta ƙarshe, kwatanta saiti guda biyu: ba tare da na'urorin ɓoyewa ba kuma tare da su. Ko, kamar yadda lamarin yake tare da na'urori masu haɗaka, waɗanda ke haɗa ayyuka da yawa ban da ɓoyewar hanyar sadarwa, tare da ɓoyewa da kashewa. Wannan tasiri na iya zama daban-daban kuma ya dogara da tsarin haɗin kai na na'urorin ɓoyewa, akan hanyoyin aiki, kuma a ƙarshe, akan yanayin zirga-zirga. Musamman ma, yawancin sigogi na aiki sun dogara ne akan tsawon fakiti, wanda shine dalilin da ya sa, don kwatanta aikin mafita daban-daban, ana amfani da jadawali na waɗannan sigogi dangane da tsawon fakiti, ko kuma ana amfani da IMIX - rarraba zirga-zirga ta hanyar fakiti. tsayi, wanda kusan yana nuna ainihin. Idan muka kwatanta daidaitattun asali guda ɗaya ba tare da ɓoyewa ba, za mu iya kwatanta hanyoyin ɓoye hanyar sadarwa da aka aiwatar da su daban-daban ba tare da shiga cikin waɗannan bambance-bambance ba: L2 tare da L3, kantin sayar da-da-gaba ) tare da yanke-yanke, ƙwarewa tare da convergent, GOST tare da AES da sauransu.

Yadda ake Aunawa da Kwatanta na'urorin boye-boye na Ethernet
Tsarin haɗin kai don gwajin aiki

Siffa ta farko da mutane ke kula da ita ita ce "gudun" na na'urar ɓoyewa, wato bandwidth (bandwidth) na mu'amalar hanyar sadarwar sa, yawan kwararar bit. An ƙaddara ta hanyar ma'auni na cibiyar sadarwa waɗanda ke tallafawa ta hanyar musaya. Don Ethernet, lambobin da aka saba sune 1 Gbps da 10 Gbps. Amma, kamar yadda muka sani, a kowace cibiyar sadarwa matsakaicin ka'idar kayan aiki (tasiri) a kowane matakan sa koyaushe yana da ƙarancin bandwidth: ɓangaren bandwidth yana "cinye" ta hanyar tsaka-tsakin tsaka-tsakin, masu kai sabis, da sauransu. Idan na'urar tana da ikon karɓa, sarrafawa (a cikin yanayinmu, ɓoye ko ɓoyewa) da kuma watsa zirga-zirga a cikin cikakken saurin hanyar sadarwar cibiyar sadarwa, wato, tare da mafi girman kayan aiki na ka'idar wannan matakin ƙirar hanyar sadarwa, to an ce. yin aiki a saurin layi. Don yin wannan, yana da mahimmanci cewa na'urar ba ta rasa ko zubar da fakiti a kowane girman kuma a kowane mita. Idan na'urar ɓoyewa ba ta goyan bayan aiki a cikin saurin layi, to yawanci ana ƙayyade yawan abin da ake samarwa a cikin gigabits iri ɗaya a sakan daya (wani lokaci yana nuna tsayin fakitin - guntun fakiti, ƙananan abubuwan da aka samar yawanci shine). Yana da matukar muhimmanci a fahimci cewa matsakaicin kayan aiki shine matsakaicin babu asara (ko da na'urar zata iya "fasa" zirga-zirga ta hanyar kanta a cikin sauri mafi girma, amma a lokaci guda rasa wasu fakiti). Har ila yau, ku sani cewa wasu dillalai suna auna jimlar abin da aka samu tsakanin duk nau'ikan tashoshin jiragen ruwa, don haka waɗannan lambobin ba su da ma'ana sosai idan duk zirga-zirgar ɓoyayyiyar tana tafiya ta tashar jiragen ruwa guda ɗaya.

A ina yake da mahimmanci musamman don aiki a saurin layi (ko, a wasu kalmomi, ba tare da asarar fakiti ba)? A cikin babban bandwidth, manyan hanyoyin haɗin kai (kamar tauraron dan adam), inda babban girman taga TCP dole ne a saita don kula da saurin watsawa, kuma inda asarar fakiti ke rage yawan aikin cibiyar sadarwa.

Amma ba duk bandwidth ake amfani dashi don canja wurin bayanai masu amfani ba. Dole ne mu yi la'akari da abin da ake kira tsadar kaya (sama) bandwidth. Wannan shine ɓangaren kayan aikin ɓoyayyen na'urar (a matsayin kaso ko bytes kowane fakiti) wanda a zahiri ya ɓace (ba za a iya amfani dashi don canja wurin bayanan aikace-aikacen ba). Kudaden da ake kashewa sun taso, da farko, saboda haɓakar girman (ƙari, “kaya”) na filin bayanai a cikin fakitin hanyar sadarwa da aka ɓoye (dangane da ɓoyayyen algorithm da yanayin aiki). Abu na biyu, saboda haɓaka tsayin fakitin buga kai (yanayin rami, shigar da sabis na ka'idar ɓoyewa, shigar da siminti, da sauransu dangane da ka'ida da yanayin aiki na cipher da yanayin watsawa) - yawanci waɗannan farashin sama sune mafi mahimmanci, kuma suna kula da farko. Na uku, saboda rarrabuwar fakiti a lokacin da mafi girman girman naúrar bayanai (MTU) ya wuce (idan cibiyar sadarwa ta iya raba fakitin da ya wuce MTU zuwa biyu, yana kwafin rubutunsa). Na huɗu, saboda bayyanar ƙarin zirga-zirgar sabis (iko) akan hanyar sadarwa tsakanin na'urorin ɓoye (don musanya maɓalli, shigar rami, da sauransu). Ƙananan sama yana da mahimmanci inda ƙarfin tashar ya iyakance. Wannan yana bayyana musamman a cikin zirga-zirga daga ƙananan fakiti, alal misali, murya - inda farashi mai yawa zai iya "ci" fiye da rabin saurin tashar!

Yadda ake Aunawa da Kwatanta na'urorin boye-boye na Ethernet
Bandwidth

A ƙarshe, akwai ƙari gabatar da jinkiri - Bambanci (a cikin ɓangarorin daƙiƙa) a cikin jinkirin hanyar sadarwa (lokacin da ake ɗaukar bayanai don wucewa daga shigar da hanyar sadarwar zuwa barin ta) tsakanin watsa bayanai ba tare da ɓoyewar hanyar sadarwa ba. Gabaɗaya magana, ƙananan latency ("latency") na cibiyar sadarwar, mafi mahimmancin latency da na'urorin ɓoyewa ke zama. Ana gabatar da jinkiri ta hanyar ɓoye bayanan da kanta (dangane da ɓoyayyen algorithm, tsayin toshe da yanayin aiki na cipher, da kuma ingancin aiwatar da shi a cikin software), da sarrafa fakitin cibiyar sadarwa a cikin na'urar. . Latency da aka gabatar ya dogara da yanayin sarrafa fakiti (wucewa-ta ko kantin-da-gaba) da aikin dandamali (aiwatar da kayan aiki akan FPGA ko ASIC gabaɗaya yana da sauri fiye da aiwatar da software akan CPU). L2 kusan ko da yaushe yana da ƙarancin latency fiye da ɓoyayyen L3 ko L4, saboda gaskiyar cewa na'urorin ɓoye na L3/L4 galibi suna haɗuwa. Misali, tare da manyan encryptors na Ethernet mai sauri da aka aiwatar akan FPGAs da ɓoyewa akan L2, jinkirin saboda aikin ɓoyayyen abu kaɗan ne - wani lokacin idan aka kunna ɓoyayyen abu akan na'urori biyu, jimillar jinkirin da suka gabatar har ma yana raguwa! Ƙananan latency yana da mahimmanci inda aka kwatanta da jinkirin tashar gabaɗaya, gami da jinkirin yaduwa, wanda shine kusan 5 μs a kowace kilomita. Wato, muna iya cewa ga cibiyoyin sadarwa na birane (dubun kilomita a fadin), microseconds na iya yanke shawara da yawa. Misali, don kwafin bayanai na aiki tare, ciniki mai yawa, blockchain iri ɗaya.

Yadda ake Aunawa da Kwatanta na'urorin boye-boye na Ethernet
Gabatar da jinkiri

Ƙimar ƙarfi

Manyan cibiyoyin sadarwa da aka rarraba zasu iya haɗawa da dubban nodes da na'urorin cibiyar sadarwa, ɗaruruwan sassan cibiyar sadarwar gida. Yana da mahimmanci cewa hanyoyin ɓoye bayanan ba su sanya ƙarin hani akan girman da topology na cibiyar sadarwar da aka rarraba ba. Wannan yana aiki da farko ga matsakaicin adadin mai watsa shiri da adiresoshin cibiyar sadarwa. Ana iya fuskantar irin waɗannan iyakoki, alal misali, lokacin aiwatar da rufaffiyar hanyar sadarwa ta hanyar sadarwa mai yawa (tare da amintattun hanyoyin sadarwa, ko ramuka) ko ɓoye ɓoye (misali, ta lambar yarjejeniya ko VLAN). Idan a wannan yanayin ana amfani da adiresoshin cibiyar sadarwa (MAC, IP, VLAN ID) azaman maɓalli a cikin tebur wanda adadin layuka ya iyakance, to waɗannan ƙuntatawa suna bayyana anan.

Bugu da kari, manyan cibiyoyin sadarwa galibi suna da nau'ikan tsari iri-iri, gami da babban hanyar sadarwa, kowannensu yana aiwatar da nasa tsarin magancewa da nasa tsarin tafiyar da hanya. Don aiwatar da wannan hanya, ana amfani da tsarin firam na musamman (kamar Q-in-Q ko MAC-in-MAC) da ƙayyadaddun ƙayyadaddun hanyoyin. Don kar a hana gina irin waɗannan cibiyoyin sadarwa, dole ne na'urorin ɓoyewa su riƙa sarrafa irin waɗannan firam ɗin daidai (wato, ta wannan ma'ana, haɓakawa zai haifar da dacewa - ƙari akan abin da ke ƙasa).

Sassauci

Anan muna magana ne game da goyan bayan jeri daban-daban, tsarin haɗin gwiwa, topologies da sauran abubuwa. Misali, don hanyoyin sadarwar da aka canza dangane da fasahar Carrier Ethernet, wannan yana nufin goyan bayan nau'ikan hanyoyin haɗin kai (E-Line, E-LAN, E-Tree), nau'ikan sabis daban-daban (duka ta tashar jiragen ruwa da VLAN) da fasahohin sufuri daban-daban. (an riga an jera su a sama). Wato, dole ne na'urar ta sami damar yin aiki a cikin layi biyu ("point-to-point") da kuma hanyoyin multipoint, kafa ramukan ramuka daban-daban don VLANs daban-daban, da ba da izinin isar da fakiti ba tare da izini ba a cikin tashoshi mai tsaro. Ikon zaɓar hanyoyin sifa daban-daban (gami da tare da ko ba tare da ingantaccen abun ciki ba) da nau'ikan watsa fakiti daban-daban yana ba ku damar daidaita daidaito tsakanin ƙarfi da aiki dangane da yanayin yanzu.

Har ila yau, yana da mahimmanci don tallafawa cibiyoyin sadarwa masu zaman kansu, kayan aikin da ke mallakar wata ƙungiya ɗaya (ko hayar su), da kuma cibiyoyin sadarwar masu aiki, sassan daban-daban na kamfanoni daban-daban suna sarrafa su. Yana da kyau idan bayani ya ba da damar gudanarwa duka a cikin gida da kuma ta wani ɓangare na uku (ta amfani da samfurin sabis ɗin sarrafawa). A cikin cibiyoyin sadarwar afareta, wani muhimmin aiki shine goyan baya ga masu ba da haya da yawa (raba ta abokan ciniki daban-daban) ta hanyar keɓance sirrin kowane abokin ciniki (masu biyan kuɗi) waɗanda zirga-zirgar zirga-zirgar su ke wucewa iri ɗaya ta na'urorin ɓoyewa. Wannan yawanci yana buƙatar amfani da maɓalli daban-daban da takaddun shaida ga kowane abokin ciniki.

Idan an sayi na'urar don takamaiman yanayin, to duk waɗannan fasalulluka na iya zama ba su da mahimmanci sosai - kawai kuna buƙatar tabbatar da cewa na'urar tana goyan bayan abin da kuke buƙata yanzu. Amma idan an sayi mafita "don girma", don tallafawa al'amuran gaba kuma, kuma an zaɓi shi a matsayin "ma'auni na kamfani", to sassauci ba zai zama mai wuce gona da iri ba - musamman la'akari da hani kan haɗin gwiwar na'urori daga dillalai daban-daban ( ƙari akan wannan a ƙasa).

Sauki da saukakawa

Sauƙin sabis kuma ra'ayi ne mai yawa. Kusan, zamu iya cewa wannan shine jimlar lokacin da ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun ƙwararrun masu sana'a ke yin amfani da su a cikin wani nau'i na cancantar da ake bukata don tallafawa wani bayani a matakai daban-daban na rayuwarta. Idan babu farashi, kuma shigarwa, daidaitawa, da aiki gaba ɗaya na atomatik, to farashin ba su da sifili kuma dacewa cikakke ne. Tabbas hakan baya faruwa a duniyar gaske. Ma'auni mai ma'ana shine samfuri "kulli akan waya" (bump-in-the-waya), ko haɗin kai na gaskiya, wanda ƙarawa da kashe na'urorin ɓoyewa baya buƙatar kowane jagora ko canje-canje ta atomatik zuwa saitunan cibiyar sadarwa. A lokaci guda, ana sauƙaƙa da mafita: zaku iya kunna aikin ɓoyewa cikin aminci kuma kashewa, kuma idan ya cancanta, kawai "kewaye" na'urar tare da kebul na cibiyar sadarwa (wato, haɗa kai tsaye zuwa waɗannan tashoshin jiragen ruwa na kayan aikin cibiyar sadarwa zuwa ga waɗanda suke. an haɗa shi). Gaskiya, akwai matsala guda ɗaya - mai kai hari zai iya yin haka. Don aiwatar da ka'idar "kumburi akan waya", dole ne a la'akari ba kawai zirga-zirga ba Layer dataamma sarrafawa da sarrafa yadudduka - dole ne na'urori su kasance masu gaskiya a gare su. Don haka, irin wannan zirga-zirgar za a iya ɓoyewa ne kawai lokacin da babu masu karɓar irin waɗannan nau'ikan zirga-zirga a cikin hanyar sadarwa tsakanin na'urorin ɓoyewa, tunda idan an jefar da shi ko an ɓoye shi, to lokacin da kuka kunna ko kashe ɓoyewa, saitin hanyar sadarwa na iya canzawa. Na'urar ɓoyewa kuma tana iya zama bayyananne ga siginar Layer na zahiri. Musamman idan sigina ta ɓace, dole ne ta watsa wannan asarar (wato, kashe masu watsawa) gaba da gaba ("don kanta") zuwa hanyar siginar.

Taimako a cikin rabon iko tsakanin tsaro na bayanai da sassan IT, musamman sashen cibiyar sadarwa, yana da mahimmanci. Maganin boye-boye dole ne ya goyi bayan tsarin kula da samun dama ga ƙungiyar da samfurin dubawa. Ya kamata a rage buƙatar hulɗa tsakanin sassa daban-daban don gudanar da ayyuka na yau da kullum. Don haka, akwai fa'ida dangane da dacewa ga na'urori na musamman waɗanda ke goyan bayan ayyukan ɓoyewa kawai kuma suna da fa'ida sosai ga ayyukan cibiyar sadarwa. A taƙaice, ma'aikatan tsaro na bayanai bai kamata su sami dalilin tuntuɓar "ƙwararrun cibiyar sadarwa" don canza saitunan cibiyar sadarwa ba. Kuma waɗancan, bi da bi, bai kamata su sami buƙatar canza saitunan ɓoyewa yayin kiyaye hanyar sadarwar ba.

Wani abu kuma shine iyawa da dacewa da abubuwan sarrafawa. Ya kamata su zama na gani, ma'ana, samar da shigo da-fitar da saituna, aiki da kai, da sauransu. Nan da nan ya kamata ku kula da abin da zaɓuɓɓukan gudanarwa ke samuwa (yawanci yanayin gudanarwa na kansu, haɗin yanar gizon yanar gizon da layin umarni) da kuma wane saitin ayyuka kowannensu yana da (akwai iyakoki). Wani muhimmin aiki shine tallafi fita daga band sarrafawa (daga-band), wato, ta hanyar cibiyar sadarwa mai kwazo, da in-band (in-band) sarrafawa, wato, ta hanyar hanyar sadarwa ta gama gari wacce ake watsa zirga-zirga masu amfani. Dole ne kayan aikin gudanarwa su nuna alamun duk wani yanayi mara kyau, gami da abubuwan tsaro na bayanai. Na yau da kullun, ayyuka masu maimaitawa yakamata a yi ta atomatik. Wannan da farko yana da alaƙa da gudanarwa mai mahimmanci. Ya kamata a samar da su / rarraba su ta atomatik. Tallafin PKI babban ƙari ne.

karfinsu

Wato, dacewa da na'urar tare da ka'idodin cibiyar sadarwa. Haka kuma, wannan yana nufin ba ma'auni na masana'antu kawai waɗanda ƙungiyoyi masu iko irin su IEEE suka karɓa ba, har ma da ka'idojin mallaka na shugabannin masana'antu, kamar Cisco. Akwai manyan hanyoyi guda biyu don tabbatar da dacewa: ko dai ta hanyar nuna gaskiya, ko ta hanyar goyon baya bayyananne ladabi (lokacin da na'urar ɓoyewa ta zama ɗaya daga cikin nodes na hanyar sadarwa don wata ƙa'ida da aiwatar da zirga-zirgar zirga-zirgar wannan yarjejeniya). Daidaitawa tare da cibiyoyin sadarwa ya dogara da cikawa da daidaito na aiwatar da ka'idojin sarrafawa. Yana da mahimmanci don tallafawa zaɓuɓɓuka daban-daban don matakin PHY (gudu, matsakaicin watsawa, makircin ɓoyewa), firam ɗin Ethernet na tsari daban-daban tare da kowane MTU, ka'idodin sabis na L3 daban-daban (musamman dangin TCP/IP).

Ana tabbatar da gaskiya ta hanyoyin maye gurbi (canza abubuwan da ke cikin buɗaɗɗen kanun labarai na ɗan lokaci a cikin zirga-zirga tsakanin masu ɓoyewa), tsallakewa (lokacin da fakiti ɗaya ba a ɓoye ba) da shigar da farkon ɓoyewa (lokacin da galibi ba a ɓoye fakitin fakitin).

Yadda ake Aunawa da Kwatanta na'urorin boye-boye na Ethernet
Yadda ake tabbatar da gaskiya

Don haka, koyaushe bincika daidai yadda aka bayar da goyan baya ga takamaiman yarjejeniya. Sau da yawa goyan baya a yanayin bayyane ya fi dacewa kuma abin dogaro.

Haɗin kai

Wannan kuma dacewa ne, amma a wata ma'ana ta daban, wato ikon yin aiki tare da wasu samfuran na'urorin ɓoyewa, gami da na wasu masana'antun. Yawancin ya dogara da yanayin daidaita ƙa'idodin ɓoyewa. Babu ƙa'idodin ɓoye gabaɗaya da aka yarda akan L1.

Akwai ma'auni na 2ae (MACsec) don ɓoyewar L802.1 akan cibiyoyin sadarwar Ethernet, amma baya amfani karshen-zuwa-karshe (ƙarshe-zuwa-ƙarshe), kuma shiga tsakani, "Hop-by-hop" boye-boye, kuma a cikin asali na asali bai dace ba don amfani da shi a cikin cibiyoyin sadarwar da aka rarraba, don haka abubuwan da suka mallaka sun bayyana wanda ya shawo kan wannan iyakance (hakika, saboda haɗin kai tare da kayan aiki daga wasu masana'antun). Gaskiya ne, a cikin 2018, an ƙara goyon baya ga cibiyoyin sadarwar da aka rarraba zuwa ma'auni na 802.1ae, amma har yanzu babu goyon baya ga GOST boye-boye algorithm sets. Sabili da haka, masu mallakar mallaka, ka'idodin ɓoyewa na L2 marasa daidaituwa, a matsayin mai mulkin, an bambanta su ta hanyar ingantaccen inganci (musamman, ƙananan bandwidth sama) da sassauci (ikon canza tsarin ɓoye ɓoyayyen da halaye).

A mafi girma matakan (L3 da L4) akwai sanannun ƙa'idodi, da farko IPsec da TLS, amma a nan ma ba abu ne mai sauƙi ba. Gaskiyar ita ce, kowane ɗayan waɗannan ma'auni tsari ne na ƙa'idodi, kowannensu yana da nau'i daban-daban da kari da ake buƙata ko zaɓi don aiwatarwa. Bugu da kari, wasu masana'antun sun fi son yin amfani da ka'idojin boye-boye na mallakar su akan L3/L4. Sabili da haka, a mafi yawan lokuta bai kamata ku ƙidaya cikakken haɗin kai ba, amma yana da mahimmanci cewa an tabbatar da aƙalla hulɗar tsakanin samfura daban-daban da tsararraki daban-daban na masana'anta iri ɗaya.

AMINCI

Don kwatanta mafita daban-daban, zaku iya amfani da ko dai ma'anar lokaci tsakanin gazawa ko yanayin samuwa. Idan waɗannan lambobin ba su samuwa (ko kuma babu amana a cikinsu), to ana iya yin kwatancen inganci. Na'urorin da ke dacewa da gudanarwa za su sami fa'ida (ƙananan haɗarin kurakuran daidaitawa), ƙwararrun ɓoyayyen ɓoye (saboda wannan dalili), da kuma mafita tare da ƙaramin lokaci don ganowa da kawar da gazawar, gami da hanyar "zafi" madadin dukan nodes da na'urori.

kudin

Lokacin da ya zo kan farashi, kamar yadda yake tare da mafi yawan hanyoyin IT, yana da ma'ana don kwatanta jimlar kuɗin mallakar. Don ƙididdige shi, ba lallai ne ku sake ƙirƙira dabaran ba, amma yi amfani da kowace dabarar da ta dace (misali, daga Gartner) da kowane ƙididdiga (misali, wanda aka riga aka yi amfani da shi a cikin ƙungiyar don ƙididdige TCO). A bayyane yake cewa don maganin ɓoyayyen hanyar sadarwa, jimlar kuɗin mallakar ya ƙunshi kai tsaye halin kaka na siye ko hayar maganin da kanta, abubuwan more rayuwa don ɗaukar kayan aiki da farashin turawa, gudanarwa da kulawa (ko a cikin gida ko a cikin nau'ikan sabis na ɓangare na uku), da kuma daga kaikaice halin kaka daga lokacin warware matsalar (wanda ya haifar da asarar yawan amfanin mai amfani na ƙarshe). Wataƙila akwai dabara ɗaya kawai. Za'a iya la'akari da tasirin aikin maganin ta hanyoyi daban-daban: ko dai a matsayin farashin kai tsaye wanda ya haifar da asarar yawan aiki, ko kuma a matsayin "na zahiri" farashin kai tsaye na siye / haɓakawa da kiyaye kayan aikin cibiyar sadarwa wanda ke rama asarar aikin cibiyar sadarwa saboda amfani da boye-boye. A kowane hali, kudaden da ke da wuyar ƙididdigewa tare da isasshen daidaito sun fi kyau a bar su daga lissafin: ta wannan hanyar za a sami ƙarin amincewa a ƙimar ƙarshe. Kuma, kamar yadda aka saba, a kowane hali, yana da ma'ana don kwatanta na'urori daban-daban ta TCO don takamaiman yanayin amfani da su - na gaske ko na yau da kullun.

Karfin hali

Kuma siffa ta ƙarshe ita ce dagewar mafita. A mafi yawan lokuta, ana iya kimanta karrewa kawai ta hanyar kwatanta mafita daban-daban. Dole ne mu tuna cewa na'urorin ɓoye ba hanya ce kawai ba, har ma wani abu ne na kariya. Za su iya fuskantar barazana iri-iri. A kan gaba akwai barazanar keta sirri, haifuwa da gyara saƙonni. Ana iya samun waɗannan barazanar ta hanyar lahani na cipher ko yanayin sa na mutum ɗaya, ta hanyar lahani a cikin ƙa'idodin ɓoyewa (ciki har da matakan kafa haɗin gwiwa da haɓakawa / rarraba maɓallai). Amfanin zai kasance don mafita waɗanda ke ba da izinin canza ɓoyayyen algorithm ko canza yanayin cipher (aƙalla ta hanyar sabunta firmware), mafita waɗanda ke ba da cikakkiyar ɓoyayyen ɓoyewa, ɓoyewa daga maharin ba kawai bayanan mai amfani ba, har ma da adireshin da sauran bayanan sabis. , kazalika da hanyoyin fasaha waɗanda ba kawai ɓoyewa ba, har ma suna kare saƙonni daga haifuwa da gyare-gyare. Ga duk algorithms na ɓoye na zamani, sa hannu na lantarki, tsara maɓalli, da dai sauransu, waɗanda aka tsara su a cikin ma'auni, ana iya ɗaukar ƙarfi iri ɗaya ne (in ba haka ba za ku iya ɓacewa kawai a cikin daji na cryptography). Ya kamata waɗannan dole ne su zama GOST algorithms? Komai yana da sauƙi a nan: idan yanayin aikace-aikacen yana buƙatar takardar shaidar FSB don CIPF (kuma a cikin Rasha wannan shine mafi yawan lokuta; don yawancin yanayin ɓoye hanyar sadarwa wannan gaskiya ne), to muna zaɓar kawai tsakanin masu ba da izini. Idan ba haka ba, to babu ma'ana a ware na'urori ba tare da takaddun shaida daga la'akari ba.

Wata barazanar ita ce barazanar shiga ba tare da izini ba, damar shiga na'urori ba tare da izini ba (ciki har da shiga jiki a waje da cikin harka). Ana iya aiwatar da barazanar ta hanyar
rauni a cikin aiwatarwa - a cikin hardware da code. Sabili da haka, mafita tare da ƙaramin "kai hari" ta hanyar hanyar sadarwa, tare da shingen kariya daga samun damar shiga jiki (tare da na'urori masu auna firikwensin kutse, kariyar bincike da sake saita mahimman bayanai ta atomatik lokacin da aka buɗe shinge), da kuma waɗanda ke ba da izinin sabunta firmware za su sami. wani fa'ida a cikin taron cewa rauni a cikin lambar ya zama sananne. Akwai wata hanya kuma: idan duk na'urorin da aka kwatanta suna da takaddun FSB, to, ajin CIPF wanda aka ba da takardar shaidar za a iya la'akari da juriya ga hacking.

A ƙarshe, wani nau'in barazanar shine kurakurai yayin saiti da aiki, abubuwan ɗan adam a cikin mafi kyawun tsari. Wannan yana nuna wata fa'ida ta ƙwararrun masu ɓoye ɓoyayyiyi akan hanyoyin haɗin gwiwa, waɗanda galibi ana nufin ƙwararrun “ƙwararrun hanyoyin sadarwa” kuma suna iya haifar da matsala ga “tallakawa”, ƙwararrun tsaro na bayanai gabaɗaya.

Don takaitawa

A ka'ida, a nan zai yiwu a ba da shawarar wani nau'i mai nuna alama don kwatanta na'urori daban-daban, wani abu kamar

$$ nuni$$K_j=∑p_i r_{ij}$$ nuni$$

inda p shine nauyin mai nuna alama, kuma r shine matsayin na'urar bisa ga wannan alamar, kuma kowane ɗayan halayen da aka lissafa a sama za'a iya raba su zuwa alamun "atomic". Irin wannan dabara na iya zama da amfani, misali, lokacin kwatanta shawarwari masu taushi bisa ga ka'idojin da aka riga aka yi yarjejeniya. Amma zaka iya samun ta tare da tebur mai sauƙi kamar

Характеристика
Na'ura 1
Na'ura 2
...
Na'urar N

Bandwidth
+
+

+++

Yawan wuce gona da iri
+
++

+++

Jinkirtawa
+
+

++

Ƙimar ƙarfi
+++
+

+++

Sassauci
+++
++

+

Haɗin kai
++
+

+

karfinsu
++
++

+++

Sauki da saukakawa
+
+

++

hakuri da laifi
+++
+++

++

kudin
++
+++

+

Karfin hali
++
++

+++

Zan yi farin cikin amsa tambayoyi da suka mai ma'ana.

source: www.habr.com

Add a comment