
NAT Theory

1) Introduction

When NAT was first invented, its only purpose was to solve the IP address shortage. At that time nobody thought NAT would have many other uses, and many of its applications to other problems had probably not been discovered yet. Against that background, many people tried to understand the role of NAT and its future benefits. When IPv6 is implemented, it will solve more than the IP shortage. Many experiments have shown that moving entirely to IPv6 is quick and unproblematic, but resolving the issues between IPv6 and IPv4 is difficult. IPv4 may therefore remain the main protocol for the Internet and intranets for longer than hoped.

Before explaining the role of NAT today and in the future, these people wanted to point out the differences in scope of NAT as it was used at the time. The explanation gives an overview; it does not recommend how to use NAT or which type of NAT to choose. What follows is only an introduction and a classification of NAT types. The details are discussed in a later chapter, where a NAT implementation is laid out.

The presentation has two parts:
- The first part, called CLASSIC NAT, covers the NAT techniques of the early period (the early 1990s), described in detail in RFC 1931. They were used mainly to solve the IP shortage on the Internet.
- The second part covers NAT techniques discovered more recently and applied for many other purposes.

2) Classic NAT techniques

NAT comes in two forms, static and dynamic. In the first case the assignment of IPs is fixed; in the second it is not. With static NAT a source IP is always translated to exactly one destination IP at any time. With dynamic NAT that IP changes over time and from one connection to another.

In this section we define:
m: the number of IPs that need to be translated (source IPs)
n: the number of IPs available for translation (NAT IPs, also called destination IPs)

* Static NAT

Requirement: m, n >= 1; m = n (m, n are natural numbers)

With static translation we translate the same number of source and destination IPs. A special case is when both sets contain a single IP, for example with netmask 255.255.255.255. Static NAT is easy to implement because the whole address translation is done by one simple formula:

destination address = new network address OR (source address AND (NOT netmask))

No connection state information is kept. Finding the appropriate destination IP is enough. Connections from outside the system to the inside differ only in the IP, so static NAT is almost completely transparent.
Example of a static NAT rule: translate every IP in network 138.201.148.0 to the network with address 94.64.15.0, with netmask 255.255.255.0 for both networks. Below is the translation of the address 138.201.148.27 to 94.64.15.27; the others are analogous.

    10001010.11001001.10010100.00011011 (host 138.201.148.27)
AND 00000000.00000000.00000000.11111111 (reverse netmask)
OR  01011110.01000000.00001111.00000000 (new net: 94.64.15.0)
=   01011110.01000000.00001111.00011011 (new address)

* Dynamic NAT

Requirement: m >= 1 and m >= n

Dynamic NAT is used when the number of source IPs does not equal the number of destination IPs. The number of hosts that can share is generally limited by the number of destination IPs available. Dynamic NAT is more complex than static NAT because it has to keep connection information and may even have to look at the TCP information in the packet.

As mentioned above, dynamic NAT can also be used like static NAT when m = n. Some people use it instead of static NAT for security reasons: outsiders cannot find out which IP leads to a given host, because at the next moment that host may receive a completely different IP. In special cases there may even be more destination addresses than source addresses (m < n).

Connections from outside are only possible while the host still holds an IP in the dynamic NAT table, where the NAT router keeps the inside IPs (source IPs) associated with NAT-IPs (destination IPs). Take a non-passive FTP session as an example: the server tries to set up the data channel, so when the server sends an IP packet to the FTP client there must be an entry for the client in the NAT table. The client IP must still be bound to the same NAT-IP it had when the client opened the control channel, unless the FTP session has been idle for longer than the timeout.

As an aside, FTP has two modes, passive and non-passive, and always uses two ports (control and data). In passive mode the connecting host receives the data port information from the server; in non-passive mode the connecting host specifies the data port and asks the server to use it for the connection. See RFC 959 for more on the FTP protocol.

Whenever an outsider wants to connect to a particular host inside the network at an arbitrary moment, there are only two cases:
+ The inside host has no entry in the NAT table, in which case the outsider gets "host unreachable", or it has an entry but the NAT-IP is not known.
+ The outsider knows the IP of a connection because the inside host has a connection to the outside. However, that is only the NAT-IP, not the host's real IP, and this information is lost once the entry times out in the NAT router's table.

Example of a dynamic NAT rule: translate every IP in the class B network 138.201.0.0 to an IP in the class C network 178.201.112.0. Each new connection from the inside is bound to an IP from the class C set that is not currently in use.

See also the illustration in the SuSE NAT document.

* Masquerading (NAPT)

Requirement: m >= 1 and n = 1

This is a special case of dynamic NAT. The term masquerading became well known because it was implemented in the Linux world. It was the most widely used kind of NAT at the time. With this mechanism many IP addresses are hidden behind a single address. This is in contrast to dynamic NAT, where a single IP carries only one connection at a time: in masquerading, many connections to the same IP are told apart by TCP port.

A particular problem with masquerading is that some services on a given host only accept connections from privileged ports, to make sure the incoming connection does not come from an ordinary user. Presumably only the superuser can use those ports. Because on DOS or Windows anyone can use them, some programs cannot be used over a masqueraded connection. Masquerading usually uses ports in a high range. On Linux the range starts at 61000 and ends at 61000+4096. This default can be changed by editing /linux/include/net/ip_masq.h. It also shows that the Linux implementation supports only 4096 simultaneous masqueraded connections.

A masqueraded connection needs a lot of connection state. On Linux, for example, every packet with destination IP = local IP and a destination port inside the masquerading port range is treated as one that must be demasqueraded (the translation of a masqueraded packet is reversed). In essence this means changing the destination address and source address in the packet header.

Masquerading clearly works in one direction only. Incoming connections cannot be masqueraded. Even when a host has an entry in the NAT device's masquerading table, the entry is valid only while a connection is active. Even an ICMP reply related to the connection (host/port unreachable) has to be filtered and relayed by the NAT router.

Although incoming connections cannot really be masqueraded, we can add something to allow them; it is just not part of masquerading. For example, we can set up the NAT device to relay all connections from outside to the telnet port of an inside host. However, because only one IP is visible from outside, allowing incoming connections for the same service to different hosts inside the network means listening on a different port, and many services on well-known ports cannot be moved, or moving them is inconvenient, especially on public servers. Examples are 80 for HTTP and 23 for TELNET.
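The masquerading behaviour described above, as an added example that is not part of the original document: a toy translation table using the port range the text gives (61000 to 61000+4096), with entry timeouts, demasquerading of replies, and dropping of unsolicited inbound packets. The class and function names, the outside addresses (documentation ranges) and the check of the remote peer are assumptions of this sketch.

```python
import time
from dataclasses import dataclass

# Port range given in the text: Linux starts at 61000 and holds 4096 ports.
MASQ_PORT_START = 61000
MASQ_PORT_COUNT = 4096

@dataclass
class Entry:
    inside: tuple    # (inside_ip, inside_port)
    remote: tuple    # (remote_ip, remote_port)
    expires: float   # clock value at which the entry is dropped

class MasqTable:
    """Toy masquerading (NAPT) table: many inside hosts share one NAT IP."""

    def __init__(self, nat_ip, timeout=300.0, clock=time.monotonic):
        self.nat_ip, self.timeout, self.clock = nat_ip, timeout, clock
        self.by_port = {}   # masquerading port -> Entry
        self.by_flow = {}   # (inside, remote) -> masquerading port

    def _expire(self):
        now = self.clock()
        for port in [p for p, e in self.by_port.items() if e.expires <= now]:
            e = self.by_port.pop(port)
            del self.by_flow[(e.inside, e.remote)]

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet; returns (nat_ip, masq_port)."""
        self._expire()
        key = ((src_ip, src_port), (dst_ip, dst_port))
        port = self.by_flow.get(key)
        if port is None:
            ports = range(MASQ_PORT_START, MASQ_PORT_START + MASQ_PORT_COUNT)
            port = next((p for p in ports if p not in self.by_port), None)
            if port is None:
                raise RuntimeError("masquerading table full")
            self.by_port[port] = Entry(key[0], key[1], 0.0)
            self.by_flow[key] = port
        self.by_port[port].expires = self.clock() + self.timeout
        return self.nat_ip, port

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Demasquerade a reply; returns (inside_ip, inside_port) or None to drop."""
        self._expire()
        entry = self.by_port.get(dst_port)
        if dst_ip != self.nat_ip or entry is None:
            return None    # no active entry: masquerading is one-way
        if entry.remote != (src_ip, src_port):
            return None    # assumption of this sketch: only the original peer may reply
        entry.expires = self.clock() + self.timeout
        return entry.inside

def demo():
    now = [0.0]    # constructed clock so that the timeout can be stepped by hand
    t = MasqTable("203.0.113.1", timeout=60, clock=lambda: now[0])
    a = t.outbound("138.201.0.5", 1025, "198.51.100.7", 80)
    b = t.outbound("138.201.0.9", 1025, "198.51.100.7", 80)
    reply = t.inbound("198.51.100.7", 80, *a)
    unsolicited = t.inbound("198.51.100.99", 23, "203.0.113.1", 61500)
    now[0] = 61.0  # both entries are now past their timeout
    expired = t.inbound("198.51.100.7", 80, *b)
    return a, b, reply, unsolicited, expired
```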
The only solution is to have more destination IPs as the number of such services grows. One destination IP can still be shared by different services and then remapped to different source IPs inside the network. But that is not masquerading.

Example of a masquerading rule:
- Masquerade the network 138.201.0.0, using NAT to the local IP.
- For every outgoing IP packet the source IP is replaced by the NAT router's IP. The source port is changed to a port in the masquerading range.

See also the illustration in the SuSE NAT document.

The biggest benefit of masquerading is that the whole network can connect directly to the Internet with only one assigned IP, which matters because IP addresses are very expensive. For gateway-level applications we need no additional IP and no NAT of any kind, because one IP is enough; but some protocols, for example all UDP-based services, cannot work at gateway level alone and need a direct IP connection.

See also RFC 1631 (NAT), where this is referred to as Network Address Port Translation (NAPT).

4) Problems that NAT has to solve

For NAT, five pieces of information relate to a connection: protocol, source IP and port, destination IP and port. Because NAT changes the information in a packet, we can roughly divide its journey into three sections:
- section 1: the packet travels from the source to the NAT router
- section 2: the packet travels from the NAT router to the destination
- section 3: what happens inside the NAT router; the NAT router must know about both sections 1 and 2

So only the NAT router knows what really happens to a packet. This also means the NAT device has to keep most of the information about a connection in order to decide the packet's path. The NAT router is somewhat like a firewall, because it does not just relay packets from one place to another but also controls the data flow. The NAT router knows as much about each connection as the network devices know about their own connections. That means it has to keep state information. It can read information from packets, compare it and change it.

* Keeping state information

Except for static NAT, all the other types require us to store and manage dynamic information about the clients that are using the system acting as a router. This information must be discarded after a timeout so that a NAT-IP assigned to one host can be reused. The timeout is also one reason why the TCP header has to be read: the timeout can be short for a TCP connection that has just been closed and long for a TCP connection that is still established. For example, many telnet sessions can hang for a long time without exchanging any packet. In that case, if we have enough NAT-IPs we do not need to cut the connection, but if many new connections are requested and more NAT-IPs are needed, we let the telnet session die in order to reclaim its IP.

Another way is to keep no state information and only look up the assigned IP (NAT-IP). This is simpler to implement and in many cases works well for the situations above. As long as there are always spare NAT-IPs we will not notice the difference between the two approaches, except for a telnet session or related programs such as ssh. Only when NAT-IPs are scarce do we need to keep state information, because then we can recognise immediately that a connection has just been closed and reclaim the allocated IP without waiting for the timeout. Keeping track of the individual connections also serves security purposes if it is used by a firewall; it is not only a NAT matter.

There are some cases where NAT that looks only at the IP is completely ineffective.
Those are virtual server and virtual network applications, because the traffic generated by one IP can no longer be split up. When we ask NAT to look at the TCP/UDP port as well, we can balance load and reduce traffic better by remapping connections to a suitable IP.

See also the illustration in the SuSE NAT document.

* Fragmentation

Closely related to keeping state information about TCP, and possibly UDP, is the problem of IP fragments. It matters once we change not only the IP address but also the TCP/UDP port. A telnet packet may be treated differently from an HTTP packet. For example, a single virtual server or DNS name may be used for all services and mapped to the hosts that really provide them, and many services are even provided by virtual hosts. A firewall that is an application-level gateway can do this, but a gateway is hardly transparent.

The problem is that as soon as a fragmented packet reaches the NAT router, the fragments carry no port information, except for the first fragment, which contains the TCP header. That is why we have to keep state information about every fragment. We have to keep all the information from the first fragment, including its TCP/UDP ports, so that we know which ports the other fragments belong to. Often this method is not enough, because the IP layer does not guarantee that packets arrive in sequence. For example, the third fragment of a fragmented packet may pass through the NAT router before the first fragment has arrived and had its port information stored. In that case we hold back every fragment that is not fragment number 1 until fragment number 1 arrives, so that we know whether the packet has to be changed. See other documents for more on IP fragments.

Changing not only the IP but also the TCP/UDP port is not essential, but it is certainly useful. Take a virtual server as an example. Suppose we want to create a virtual web server, and for some reason the daemons of the real web servers run on different machines and listen on different ports. If we do not rewrite the destination port in the packet sent to the virtual server (port 80 by default), and set the port on which the real web server is listening in the reply packet, we cannot get what we want. All real web servers would then have to listen on the same port on which the virtual server offers the web service (port 80 by default). Note that a TCP connection uses a three-way handshake, so if the reply packet does not carry the correct port of the connection, the connection is not established.

* Protocol specifics

NAT is not always as transparent as stated. It is completely transparent only when IP is the only protocol carrying the IP information of a packet. Some protocols send an IP address as part of the transmitted data. If this IP is changed by the NAT router, things go wrong at the receiver, because the IP that was transmitted is no longer the right one. One solution is to inspect the transmitted data according to the protocol in question in order to find the embedded IP information. This only adds overhead and complexity.

* Some examples of protocols working with NAT

FTP

The FTP command PORT and the response PASV both send an IP and a port to the other end of the connection. For FTP to work over a translated connection, we have to replace the IP inside the message.
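Added example, not from the original document: the rewrite of an FTP PORT command that a NAT router has to perform, including the sequence-number bookkeeping needed because the ASCII-encoded address can change the payload length. The function and class names are assumptions; the addresses 10.1.1.2 and 172.69.68.10 and port 61000 are sample values reused from elsewhere on this page.

```python
import re

MOD = 2**32
# "PORT h1,h2,h3,h4,p1,p2": address and port as ASCII decimal numbers (RFC 959).
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def rewrite_port_command(payload, nat_ip, nat_port):
    """Swap the inside address/port in a PORT command for the NAT ones.

    Returns (new_payload, delta); delta is the change in payload length.
    """
    m = PORT_RE.match(payload)
    if m is None or any(int(f) > 255 for f in m.groups()):
        return payload, 0          # not a well-formed PORT command: leave as is
    fields = nat_ip.split(".") + [str(nat_port >> 8), str(nat_port & 0xFF)]
    new = b"PORT " + ",".join(fields).encode("ascii") + b"\r\n"
    return new, len(new) - len(payload)


def seq_after(a, b):
    """True if sequence number a is later than b, allowing 32-bit wraparound."""
    return 0 < (a - b) % MOD < MOD // 2


class SeqAdjust:
    """Per-connection state needed once a rewrite has changed the stream length."""

    def __init__(self):
        self.pos = None      # client sequence number of the last rewritten segment
        self.before = 0      # offset for data up to that segment
        self.after = 0       # offset for data following it

    def client_segment(self, seq, payload, nat_ip, nat_port):
        """Translate one client-to-server segment; returns (new_seq, new_payload)."""
        new_payload, delta = rewrite_port_command(payload, nat_ip, nat_port)
        later = self.pos is None or seq_after(seq, self.pos)
        new_seq = (seq + (self.after if later else self.before)) % MOD
        if delta and later:  # a retransmission must not be counted twice
            self.pos, self.before, self.after = seq, self.after, self.after + delta
        return new_seq, new_payload

    def server_ack(self, ack):
        """Map an ACK number from the server back into the client's numbering."""
        if self.pos is not None and seq_after((ack - self.before) % MOD, self.pos):
            return (ack - self.after) % MOD
        return (ack - self.before) % MOD
```

A real translator also has to recompute the TCP checksum and handle the PASV response in the other direction, which this sketch leaves out.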
This is quite complicated, because the IP and port are transmitted as ASCII text representing decimal numbers. That is, every single decimal digit takes one byte in the packet. For this reason the IP does not have a fixed length in an FTP packet. If we now replace the current IP with another one that has fewer or more digits, the packet shrinks or grows, and the TCP sequence numbers have to be corrected. We therefore have to keep some information about these connections in order to adjust the sequence numbers in every packet. This is a problem not only for FTP but for many other protocols in which changing the IP changes the packet length.

ICMP

Some ICMP messages, depending on the message type, include the header of a packet, which can cause problems. If that packet had been translated, this header contains the NAT-IP and not the IP of the host that will receive the ICMP message. On this basis, if we now do not replace the local IP but instead put the NAT-IP into the header, this is solved.

DNS

The problem here is easy to see: a name service for an inside IP that is to be offered outside the NAT domain. One solution is to use two DNS services, one answering for the inside IPs and another answering for the IPs outside the network. Naturally, the IPs answered by the second DNS server must not be put into the pool of dynamic IPs for NAT. NAT routers are mostly placed on the boundary between networks, so that internal DNS and external DNS are separated, and this is also widely done for security reasons.

If a more complex approach is wanted, namely rewriting all DNS data relayed by the NAT router, we should use an application-level gateway rather than implement it in NAT, because DNS is better suited to the gateway level and we should touch the kernel only when really necessary (to build NAT).

BOOTP

This protocol has no problem with NAT because it does not cross the boundary of a NAT domain.

Routing protocols (RIP, EGP)

There is no need to explain why routing protocols have many problems with NAT. There are many different routing protocols, and working with them is not easy at all. There are three solutions:
- Do not use these protocols; use static routing only. This is a good choice for most connections from our network to the outside through the NAT router.
- Use an application-level gateway.
- Rewrite the packet information.

NAT ON ROUTER DEVICES

1. Introduction

NAT (Network Address Translation) is a router function that translates one IP address into another IP address. NAT is normally used to translate private IP addresses into public IPs, allowing hosts on the inside network to reach the public network (the Internet). NAT is performed at the point (the router) that connects the two networks.

Private addresses and public addresses

Private addresses are defined in RFC 1918:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Public addresses: all remaining addresses. Public addresses are addresses assigned by the authorised organisations.

2. Static NAT

Introduction

Static NAT is designed to map one IP address to another, normally an internal address to a public address, and the mapping is set up manually: the mapped address and the address it maps to are specified explicitly and correspond one to one. Static NAT is very useful for hosts that need a fixed address in order to be reached from the Internet. Such hosts can be public servers: mail server, web server, and so on.

Configuring static NAT

Commands used to configure static NAT:

Router(config)#ip nat inside source static local_ip global_ip
Router(config-if)#ip nat inside
Router(config-if)#ip nat outside

Meaning of the commands:
- Set up the translation between the inside local address and the address that represents it outside.
Router(config)#ip nat inside source static local-ip global-ip
- Identify the interface connected to the inside network.
Router(config-if)#ip nat inside
- Identify the interface connected to the outside public network.
Router(config-if)#ip nat outside

Example:

Configuration on the router:

Router(config)#ip nat inside source static 10.1.1.2 172.69.68.10
Router(config)#interface Ethernet 0
Router(config-if)#ip nat inside
Router(config-if)#interface serial 0
Router(config-if)#ip nat outside

2. Dynamic NAT

Introduction

Dynamic NAT is designed to map one IP address to another automatically, normally from a private address to a public address. Any IP address in the predefined range of public IP addresses can be assigned to a host inside the (private) network.

Configuring dynamic NAT

- Commands used for dynamic NAT:

Router(config)#ip nat pool name start_ip end_ip { netmask netmask | prefix-length prefix-length }
Router(config)#access-list access-list-number permit source [source-wildcard]
Router(config)#ip nat inside source list access-list-number pool pool-name

The commands are used as follows:
- Define the range of addresses that represent the hosts outside (public): the NAT addresses.
Router(config)# ip nat pool name start-ip end-ip { netmask netmask | prefix-length prefix-length }
- Set up an ACL permitting the inside (private) addresses that may be translated: the addresses to be NATed.
Router(config)# access-list access-list-number permit source [source-wildcard]
- Bind the source addresses defined in the ACL to the range of addresses that represent them outside.
Router(config)# ip nat inside source list access-list-number pool name
- Identify the interface connected to the internal network.
Router(config-if)# ip nat inside
- Identify the interface connected to the outside.
Router(config-if)#ip nat outside

Example:

3. NAT Overload

Introduction

NAT Overload is a form of dynamic NAT. It maps many private addresses to one public address (many to one) by using different port numbers to tell the individual translations apart. NAT Overload is also called PAT (Port Address Translation). PAT uses the source port number together with the inside private IP address to distinguish translations. The port number is encoded in 16 bits, so up to 65536 internal addresses can be translated to one public address.

Configuring NAT Overload

- Form 1: all hosts share a single public IP address.

Router(config)#access-list access-list-number permit source source-wildcard
Router(config)#ip nat inside source list access-list-number interface interface overload

- Form 2: the ISP provides several public IP addresses.

Define the range of inside addresses to be translated (private IP address range):
Router(config)# access-list access-list-number permit source source-wildcard
Define the range of addresses that will represent them outside (public IP address pool):
Router(config)# ip nat pool name start-ip end-ip { netmask netmask | prefix-length prefix-length }
Set up dynamic translation from the inside addresses to the outside addresses:
Router(config)# ip nat inside source list acl-number pool name overload
Identify the inside and outside interfaces.
For the inside interface:
router(config-if)#ip nat inside
For the outside interface:
router(config-if)#ip nat outside

* PAP: R1------------------R2

+ R1:
#conf t
#hostname R1
#username R2 password cisco (this command creates a username/password pair to compare against when R2 sends its credentials for authentication)
#int s0
#ip add.........
#encapsulation PPP
#ppp authentication pap (selects PAP as the authentication type)
#ppp pap sent-username R1 password cisco (this command sends the router's own username/password pair to router R2 for authentication)
#clock rate.......(if it is the DCE)
#no shut

+ R2:
#conf t
#hostname R2
#username R1 pass cisco
#int s0
#ip add
#encapsulation PPP
#PPP authentication pap
#ppp pap sent-username R2 pass cisco
#no shut

Configuring CHAP: the two routers R1 and R2 are directly connected to each other as in the PAP configuration.

+ Configuration of R1:
#conf t
#hostname R1
#username R2 password cisco
#int s0
#ip add < ip address & subnet mask >
#encapsulation ppp
#ppp authentication chap
#ppp chap hostname R1
#ppp chap password cisco
#clockrate 64000
#no shut
Ctrl+z
#copy run start

+ Configuration of R2:
#conf t
#hostname R2
#username R1 password cisco
#int s0
#ip add < ip address & subnet mask >
#encapsulation ppp
#ppp authentication chap
#ppp chap hostname R2
#ppp chap password cisco
#clockrate 64000
#no shut
Ctrl+z
#copy run start

When configuring CHAP: R1----------------------R2

Each end must declare a username and a password. The username on R1 must be the hostname of R2, and the username declared on R2 must be the hostname of R1. The passwords on both sides must be identical. The command "ppp chap hostname" is not needed.

CHAP authentication proceeds as follows:

R1:
hostname R1
username R2 password cisco

R2:
hostname R2
username R1 password cisco
username R3 password cisco1

1. R1 dials into R2. It sends its hostname to R2 and at the same time uses a hashing algorithm to encode the password (here, cisco), but does not send this password.
2. R2 checks its list of usernames (if several usernames are configured) to find the username that matches the hostname of R1 (here, username R1).
3. Once it has found that username, it uses the hashing algorithm to encode the password that belongs to it (here the password is cisco).
4. It sends the encoded password to R1, and R1 compares the password it encoded itself in step 1 with the encoded password it has just received from R2. If the two are identical, authentication succeeds.

Unlike PAP, which transmits the password in clear text, CHAP does not transmit the password in clear text; the password is transmitted only after it has been encoded.

So when does the command "ppp chap hostname" have to be used? It is used when the hostname and the username differ. In the example above, R1 sends its hostname to R2 during authentication, but if we configure "ppp chap hostname test", the username string it sends to R2 is no longer "R1" but "test", and R2 must then have the matching line "username test password cisco". This is needed in large networks that belong to several different organisations: in the network of organisation 1 (DV1) the router hostnames follow that organisation's naming rule, the network of organisation 2 (DV2) names the entries of its username database by its own rule, and neither side wants to change these values. If DV1 then wants to dial into DV2, it needs the command:

"ppp chap hostname <username declared on DV2's side>"

There is also the case where only one-way authentication is wanted. For example, when a subscriber dials from their own router into the ISP's router, only the ISP's router needs to authenticate the subscriber; the subscriber does not need to authenticate the ISP. In that case we use the following command in the subscriber's configuration:

"ppp authentication chap callin"
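Added example, not from the original document: the challenge-response values that CHAP exchanges as specified in RFC 1994, where the response is MD5 over the identifier, the shared secret and the challenge, so the password itself never crosses the link. The class and function names are assumptions; the username table is constructed to mirror the R2 configuration shown above.

```python
import hashlib
import hmac
import os

# Constructed sample data mirroring the configuration of R2 on this page:
#   username R1 password cisco / username R3 password cisco1
R2_USERS = {"R1": b"cisco", "R3": b"cisco1"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues the challenge (R2 when R1 dials in)."""

    def __init__(self, users):
        self.users = users
        self.pending = {}             # identifier -> outstanding challenge

    def challenge(self, identifier: int):
        value = os.urandom(16)        # must be unpredictable and never reused
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # each challenge is single-use
        secret = self.users.get(name)                    # look up the peer's name
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def peer_reply(name: str, secret: bytes, identifier: int, challenge: bytes):
    """What the dialling router sends back: its name and the hash, never the secret."""
    return identifier, name, chap_response(identifier, secret, challenge)


def run_exchange(peer_name: str, peer_secret: bytes) -> bool:
    """One complete exchange against R2's username table."""
    r2 = Authenticator(R2_USERS)
    ident, chal = r2.challenge(identifier=1)
    return r2.verify(*peer_reply(peer_name, peer_secret, ident, chal))
```

A peer that announces itself as "test" fails against this table until R2 has a matching entry, which is the situation the "ppp chap hostname" discussion above describes.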
