Point-Point Protocol (PPP)

dingdongboom, Networks and Communications

27 Oct 2013

Point-Point Protocol (PPP)

by William F. Widulski

PPP Overview

Layer 2 WAN Protocol

In the late 1980s the Serial Line Internet Protocol (SLIP) hindered growth, so PPP (its successor) helped solve remote Internet connectivity problems.

PPP was needed to dynamically assign IP addresses and to allow multiple protocols to ride on top.

PPP Overview (con’t)

Provides router-to-router and host-to-network connections over both synchronous and asynchronous circuits


Most widely used and most popular
WAN protocol

PPP features

Control of data link setup

Assignment and management of IP
addresses

Network protocol multiplexing

Link configuration and link quality
testing

Error detection

PPP features (con’t)

Optional negotiation for capabilities such as network-layer address negotiation and data compression negotiation

PPP Components

Three (3) Main Components

1. Method for encapsulating datagrams over serial links, High-level Data Link Control (HDLC)

2. An LCP (Link Control Protocol) to establish, configure, and test the data-link connection

3. A family of NCPs (Network Control Protocols) for establishing and configuring different network-layer protocols. Today, PPP supports IP, IPX, AppleTalk and DECnet.

PPP Layer Functions

PPP uses a layered architecture

Lower-level functions

1. Synchronous physical media, like those of ISDN

2. Asynchronous physical media, like those used in basic telephone services for modem dialup connections

PPP Layer Functions (con’t)

Higher-level functions carry packets from several network-layer protocols in NCPs

1. BCP (Bridge Control Protocol)

2. IPCP (Internet Protocol Control Protocol)

3. IPXCP (Internetwork Packet Exchange Control Protocol)

PPP Frame Formats

PPP Frame Formats (con’t)

Flag - indicates the beginning or end of a frame and consists of the binary sequence 01111110.

Address - consists of the standard broadcast address, which is the binary sequence 11111111. (PPP doesn’t assign individual station addresses.)

Control - 1 byte that consists of the binary sequence 00000011, which calls for transmission of user data in an unsequenced frame. A connectionless link service similar to LLC type 1 is provided.

PPP Frame Formats (con’t)

Protocol - 2 bytes that identify the protocol encapsulated in the data field of the frame.

Data - 0 or more bytes that contain the datagram for the specified protocol. The end of the data field is found by locating the closing flag sequence and allowing 2 bytes for the FCS. The maximum length of the data is 1,500 bytes.

FCS - normally 2 bytes. Added for error control purposes.
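Added example (not from the slides): building and checking a frame with the six fields above, with the FCS computed as RFC 1662 specifies. The protocol numbers in the name table are the standard assignments for IP, IPCP, LCP, PAP and CHAP; the payload bytes are constructed.

```python
FLAG, ADDRESS, CONTROL = 0x7E, 0xFF, 0x03     # 01111110, 11111111, 00000011
FCS_INIT, FCS_GOOD = 0xFFFF, 0xF0B8           # RFC 1662 start value and good residue
MAX_DATA = 1500                               # maximum length of the Data field
PROTO_NAMES = {0x0021: "IP", 0x8021: "IPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}

def fcs16(data: bytes, fcs: int = FCS_INIT) -> int:
    """Bitwise CRC-16 (reflected polynomial 0x8408) as in RFC 1662, appendix C."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def build_frame(protocol: int, data: bytes) -> bytes:
    """Flag | Address | Control | Protocol (2) | Data | FCS (2) | Flag."""
    if len(data) > MAX_DATA:
        raise ValueError("Data exceeds 1,500 bytes")
    body = bytes([ADDRESS, CONTROL]) + protocol.to_bytes(2, "big") + data
    fcs = fcs16(body) ^ 0xFFFF                # complemented, transmitted LSB first
    return bytes([FLAG]) + body + bytes([fcs & 0xFF, fcs >> 8, FLAG])

def parse_frame(frame: bytes) -> dict:
    """Return the fields of a well-formed frame; raise on framing or FCS errors."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing opening or closing flag")
    body = frame[1:-1]                        # Address .. FCS
    if fcs16(body) != FCS_GOOD:               # CRC run over the FCS itself must give F0B8
        raise ValueError("FCS mismatch: frame corrupted or altered in transit")
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected Address or Control byte")
    proto = int.from_bytes(body[2:4], "big")
    # Data ends where the closing flag begins, minus the 2 FCS bytes
    return {"protocol": proto, "name": PROTO_NAMES.get(proto, "unknown"),
            "data": body[4:-2], "fcs": int.from_bytes(body[-2:], "little")}

def frame_is_valid(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    sample = build_frame(0xC021, bytes.fromhex("01010004"))   # constructed LCP-like payload
    print(sample.hex(), parse_frame(sample))
    damaged = bytearray(sample)
    damaged[6] ^= 0x01                                         # one flipped bit in Data
    print("damaged frame accepted?", frame_is_valid(bytes(damaged)))
```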

PPP Session Establishment

Four (4) distinct phases

1. Link establishment and configuration negotiation

2. Link-quality determination

3. Network-layer protocol configuration negotiation

4. Link termination

Three classes of LCP frames*

1. Link establishment frames - to establish and configure a link.

2. Link termination frames - to terminate a link.

3. Link maintenance frames - to manage and debug a link.

* Used to do the work of the 4 LCP phases

Phase 1

Each PPP device sends LCP packets to configure and test the data link.

Open the connection

Negotiate the configuration parameters (if a configuration option is not negotiated, its default is used.)

This phase ends when a configuration acknowledgment frame has been sent and received

Phase 2

Optional link-quality determination.

Tests the link to see if it is good.

After the authentication protocol has been decided on (phase 1), authentication can be done.

LCP can delay transmission of phase 3 until this phase is complete.

Phase 3

Once Phase 2 is done, the network-layer protocol can be configured by the appropriate NCP (it can be brought up and taken down at any time.)

Sends NCP packets to choose the network-layer protocol

Datagrams are then sent over the link

If LCP closes the link, it informs the network-layer protocol

show interfaces - checks LCP and NCP states

Phase 4

LCP can terminate the link at any time.

Usually done by the user

Could be a physical event, like loss of a carrier or a timeout.

PPP Authentication

Optional

Requires the calling side to enter authentication info to ensure the user has permission to make the call.

Routers exchange authentication messages.

Select PAP or CHAP (preferred)

PAP

Two-way handshake; the username/password is repeatedly sent until authentication is acknowledged or the connection is terminated.

Not strong. (verifies only once)

Passwords are sent in plain text.

No protection from playback or trial-and-error attacks.

Remote host is in control of the number and timing of login attempts.

CHAP

Three-way handshake.

Done upon initial link establishment and can be repeated any time after.

Offers periodic verification to improve security. (more effective than PAP)

Doesn’t allow the caller to attempt authentication without a challenge.

CHAP (con’t)

Host sends a challenge message to the remote node.

Remote node responds with a value.

Host checks it against its own value; if it matches, authentication is acknowledged. Otherwise, the connection is terminated.

Protects against playback attacks by using a variable challenge value that is unique and unpredictable.
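The three-way handshake above, worked through as an added example (not part of the slides) using the MD5 response computation from RFC 1994. The router names R1 and R2 and the shared secret are constructed; the secret table on R1 stands in for its `username <name> password <password>` entries.

```python
import hashlib
import hmac
import os

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # CHAP packet codes (RFC 1994)
# Constructed scenario: R1 authenticates R2. This table plays the role of the
# `username <name> password <password>` entries configured on R1.
SECRETS_ON_R1 = {"R2": b"constructed-shared-secret"}

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """The host side: issues challenges and checks responses."""
    def __init__(self, name: str, secrets: dict):
        self.name, self.secrets, self.ident, self.pending = name, secrets, 0, None

    def challenge(self):
        """Step 1: a fresh random value and a new Identifier for every challenge."""
        self.ident = (self.ident + 1) & 0xFF
        self.pending = (self.ident, os.urandom(16))
        return (CHALLENGE, self.ident, self.pending[1], self.name.encode())

    def verify(self, code, ident, value, peer_name):
        """Step 3: recompute from the stored secret; Success or Failure."""
        if code != RESPONSE or self.pending is None or ident != self.pending[0]:
            return FAILURE                 # no outstanding challenge with that Identifier
        secret = self.secrets.get(peer_name.decode())
        if secret is None:
            return FAILURE                 # unknown remote node
        expected = chap_response(ident, secret, self.pending[1])
        self.pending = None                # a challenge can be answered only once
        return SUCCESS if hmac.compare_digest(expected, value) else FAILURE

def peer_respond(name: str, secret: bytes, challenge_pkt):
    """Step 2: the remote node proves knowledge of the secret without sending it."""
    _, ident, value, _ = challenge_pkt
    return (RESPONSE, ident, chap_response(ident, secret, value), name.encode())

def run_chap(peer_secret: bytes) -> int:
    r1 = Authenticator("R1", SECRETS_ON_R1)
    return r1.verify(*peer_respond("R2", peer_secret, r1.challenge()))

def replay_is_rejected() -> bool:
    """A response recorded from one session is useless against the next challenge."""
    r1 = Authenticator("R1", SECRETS_ON_R1)
    recorded = peer_respond("R2", SECRETS_ON_R1["R2"], r1.challenge())
    first = r1.verify(*recorded)
    r1.challenge()                         # new, unpredictable challenge value
    return first == SUCCESS and r1.verify(*recorded) == FAILURE
```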

Configuring PPP Authentication

1. On each router, define the username and password to expect from the remote router (global configuration mode):

Router(config)# username <name> password <password>

2. Enter interface configuration mode for the desired interface.

3. Configure the interface for PPP encapsulation:

Router(config-if)# encapsulation ppp

Configuring PPP Authentication (con’t)

4. Configure PPP authentication:

Router(config-if)# ppp authentication {chap | chap pap | pap chap | pap}

5. If CHAP and PAP are both enabled, the first is the one requested during link negotiation; the second is used if the peer suggests or refuses the first.

6. In Cisco IOS Release 11.1 or later, you must enable PAP on the interface:

Router(config-if)# ppp pap sent-username <username> password <password>
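Added example (not from the slides) tying Step 5 back to Phase 1: a simulated LCP negotiation in which the authenticator's policy list mirrors the argument to `ppp authentication`. LCP codes and the Authentication-Protocol option values are the RFC 1661 assignments; the two endpoints and their capabilities are constructed.

```python
CONF_REQ, CONF_ACK, CONF_NAK = 1, 2, 3      # LCP packet codes (RFC 1661)
OPT_AUTH = 3                                # LCP option: Authentication-Protocol
PAP, CHAP = 0xC023, 0xC223                  # values carried in that option

class Authenticator:
    """Side requiring authentication. `order` mirrors the argument to
    `ppp authentication`: [CHAP] is strict, [CHAP, PAP] falls back to PAP
    only if the peer refuses CHAP (Step 5 above)."""
    def __init__(self, order):
        self.order, self.idx = list(order), 0
        self.sent_ack = self.got_ack = False
    def configure_request(self):
        return CONF_REQ, {OPT_AUTH: self.order[self.idx]}
    def on_request(self, opts):
        self.sent_ack = True               # peer requested no options: defaults apply
        return CONF_ACK, opts
    def on_reply(self, code, payload):
        """False once the peer has refused every protocol the policy allows."""
        if code == CONF_ACK:
            self.got_ack = True
        elif code == CONF_NAK and OPT_AUTH in payload:
            self.idx += 1                  # move to the next protocol in the policy
        return self.idx < len(self.order)

class Peer:
    """Side being authenticated; `supports` is what it is able to answer."""
    def __init__(self, supports):
        self.supports, self.sent_ack, self.got_ack = set(supports), False, False
    def configure_request(self):
        return CONF_REQ, {}                # no options: accept the defaults
    def on_request(self, opts):
        if opts.get(OPT_AUTH) not in self.supports:
            return CONF_NAK, {OPT_AUTH: min(self.supports)}   # counter-propose
        self.sent_ack = True
        return CONF_ACK, opts
    def on_reply(self, code, payload):
        self.got_ack = code == CONF_ACK
        return True

def negotiate(auth, peer, rounds=4):
    """Phase 1 ends when both sides have sent and received a Configure-Ack;
    returns the agreed authentication protocol, or None if LCP never opens."""
    for _ in range(rounds):
        for a, b in ((auth, peer), (peer, auth)):
            if not a.got_ack and not a.on_reply(*b.on_request(a.configure_request()[1])):
                return None                # policy exhausted: the link stays closed
        if auth.sent_ack and auth.got_ack and peer.sent_ack and peer.got_ack:
            return auth.order[auth.idx]
    return None
```

With a strict `[CHAP]` policy a PAP-only peer never brings the link up, while `[CHAP, PAP]` settles on PAP after the peer's Configure-Nak.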

Configuring CHAP

Can use the same host name on multiple routers - to make remote users think they are connecting to the same router when authenticating, configure the same host name on each router:

Router(config-if)# ppp chap hostname <hostname>

Can use a password to authenticate an unknown host. This is to limit the number of username/password entries in the router.

To use this, configure a password that will be sent to hosts that want to authenticate the router:

Router(config-if)# ppp chap password <secret>

This password is not used when the router authenticates a remote device.