Point-Point Protocol (PPP) by William F. Widulski
PPP Overview Layer 2 WAN Protocol In late 1980’s Serial Line Internet Protocol (SLIP) hindered growth, so PPP (it’s successor) helped solve remote Internet connectivity problems. Was needed to dynamically assign IP addresses and to allow multiple protocols to ride on top.
PPP Overview (con’t) Provides router-to-router and host-to- network connections over both synchronous and asynchronous circuits Most widely used and most popular WAN protocol
PPP features Control of data link setup Assignment and management of IP addresses Network protocol multiplexing Link configuration and link quality testing Error detection
PPP features (con’t) Optional negotiation for capabilities such as network-layer address negotiation and data compression negotiation
PPP Components Three (3) Main Components 1. Method for encapsulating datagrams over serial links, High-level Data Link Control (HDLC) 2. An LCP (Link Control Protocol) to establish, configure, and test the data-link connection 3. A family of NCP for establishing and configuring different network-layer protocols. Today, PPP supports IP, IPX, Appletalk and DECnet.
PPP Layer Functions PPP uses a layered architecture Lower-level functions 1. Synchronous physical media, like those of ISDN 2. Asynchronous physical media, like those used in basic telephone services for modem dialup connections
PPP Layer Functions (con’t) Higher-level functions, carry packets from several network-layer protocols in NCPs 1. BCP (Bridge Control Protocol) 2. IPCP (Internet Protocol Control Protocol) 3. IPXCP (Internetwork Packet Exchange Control Protocol)
PPP Frame Formats
PPP Frame Formats (cont’) Flag – indicates the beginning or end of a frame and consists of the binary sequence Address – consists of the standard broadcast address, which is the binary sequence (Doesn’t assign individual station addresses.) Control – 1 byte that consists of the binary sequence , which calls for transmission of user data in an unsequence frame. A connectionless link service similar to LLC type 1 is provided.
PPP Frame Formats (cont’) Protocol – 2 bytes that identify the protocol encapsulated in the data field of the frame. Data – 0 or more bytes that contain the datagram for the specified protocol. The end is closing flag sequence and allowing 2 bytes for FCS. The maximum length of the data is 1,500 bytes. FCS – normally 2 bytes. Added for error control purposes.
PPP Session Establishment Four (4) distinct phases 1. Link establishment and configuration negotiation 2. Link-quality determination 3. Network-layer protocol configuration negotiation 4. Link termination
Three classes of LCP frames* 1. Link establishment frames – to establish and configure a link. 2. Link termination frames – to terminate a link. 3. Link maintenance frames – to manage and debug a link. * Used to do the work of the 4 LCP phases
Phase 1 Each PPP device sends LCP packets to configure and test the data link. Open the connection Negotiate the configuration parameters (If there is no config. option use default.) This phase ends when a configuration acknowledgment frame has been sent and received
Phase 2 Optional link-quality determination. Tests the link to see if it is good. After the authentication protocol has been decided on (phase 1) – authentication can be done. LCP can delay transmission of phase 3 until this phase is complete.
Phase 3 Once Phase 2 is done, network-layer protocol can be configured by the appropriate NCP (can be put up and taken down at any time.) Sends NCP packets to choose the network- layer protocol Datagrams are then sent over the link If LCP closes the link, it informs the network- layer protocol Show interfaces - checks LCP and NCP states
Phase 4 LCP can terminate the link at any time. Usually the user Could be a physical event – like loss of a carrier or a timeout.
PPP Authentication Optional Requires the calling side to enter authentication info to ensure the user has premission to make the call. Router exchange authentication messages. Select PAP or CHAP (preferred)
PAP Two-way handshake, username/password is repeatedly sent until authentication is acknowledged or connection is terminated. Not strong. (verifies only once) Passwords are sent in plain text. No protection from playback or tria-and-error attacks. Remote host is in control of the number and timing of login attempts.
CHAP Three-way handshake. Done upon initial link establishment and can be repeated any time after. Offers periodic verification to improve security. (more effective than PAP) Doesn’t allow the caller to attempt authentication without a challenge.
CHAP (con’t) Host sends a challenge message to the remote node. Remote node responds with a value. Host checks it against its value if it matches, authentication is acknowledged. Otherwise, the connection is terminated. Protects against playback attacks by using a variable challenge value that is unique and unpredictable.
Configuring PPP Authentication 1. On each router, define the username and password to expect from the remote router: Router(config-if)# username password 2. Enter interface configuration mode for the desired interface. 3. Configure the interface for PPP encapsulation: Router(config-if)# encapsulation ppp
Configuring PPP Authentication (con’t) 4. Configure PPP authentication: Router(config-if)# ppp authentication {chap | chap pap | pap pap | pap} 5. If CHAP and PAP are enabled, the first is the one requested during link negotiation, the second is used if the peer suggests or refuses the first. 6. In Cisco IOS Release 11.1 or later, you must enable PAP on the interface: Router(config-if)# ppp pap sent-username password
Configuring CHAP Can use the same host name on multiple routers-can make remote users to think they are connecting to the same router when authenticating, by configuring the same host name on each router: Router(config-if)# ppp chap hostname Can use a password to authenticate an unknown host. This is to limit the number of username/password entries in the router. To use this, configure a password that will be sent to hosts that want to authenticate the router: Router(config-if)# ppp chap password This password is not used when the router authenticates a remote device.