Point-to-Point Protocol (PPP) by William F. Widulski. PPP Overview. Layer 2 WAN protocol. In the late 1980s the Serial Line Internet Protocol (SLIP) hindered growth, so PPP (its successor) helped solve remote Internet connectivity problems.
PPP Overview • Layer 2 WAN protocol • In the late 1980s the Serial Line Internet Protocol (SLIP) hindered growth, so PPP (its successor) helped solve remote Internet connectivity problems. • It was needed to assign IP addresses dynamically and to let multiple network-layer protocols ride on top.
PPP Overview (con’t) • Provides router-to-router and host-to-network connections over both synchronous and asynchronous circuits • The most widely used WAN protocol
PPP features • Control of data link setup • Assignment and management of IP addresses • Network protocol multiplexing • Link configuration and link quality testing • Error detection
PPP features (con’t) • Optional negotiation for capabilities such as network-layer address negotiation and data compression negotiation
PPP Components Three (3) Main Components • A method for encapsulating datagrams over serial links, based on High-level Data Link Control (HDLC) • An LCP (Link Control Protocol) to establish, configure, and test the data-link connection • A family of NCPs (Network Control Protocols) for establishing and configuring different network-layer protocols. Today, PPP supports IP, IPX, AppleTalk and DECnet.
PPP Layer Functions PPP uses a layered architecture • Lower-level functions • Synchronous physical media, like those of ISDN • Asynchronous physical media, like those used in basic telephone services for modem dialup connections
PPP Layer Functions (con’t) • Higher-level functions, carry packets from several network-layer protocols in NCPs • BCP (Bridge Control Protocol) • IPCP (Internet Protocol Control Protocol) • IPXCP (Internetwork Packet Exchange Control Protocol)
PPP Frame Formats (con’t) • Flag – indicates the beginning or end of a frame and consists of the binary sequence 01111110. • Address – consists of the standard broadcast address, which is the binary sequence 11111111. (PPP does not assign individual station addresses.) • Control – 1 byte that consists of the binary sequence 00000011, which calls for transmission of user data in an unsequenced frame. A connectionless link service similar to LLC type 1 is provided.
PPP Frame Formats (con’t) • Protocol – 2 bytes that identify the protocol encapsulated in the data field of the frame. • Data – 0 or more bytes that contain the datagram for the specified protocol. The end of the data field is found by locating the closing flag sequence and allowing 2 bytes for the FCS. The maximum length of the data field is 1,500 bytes. • FCS – normally 2 bytes. Added for error control purposes.
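The frame layout on the two slides above, as an added example that is not part of the original deck: a small Python encoder and parser for a PPP frame in HDLC-like framing. The flag, address, control, protocol, data and FCS fields follow the slides; the FCS-16 algorithm, the 0x7D control-escape byte used on asynchronous links and the protocol numbers in the table (0x0021 IPv4, 0x8021 IPCP, 0xC021 LCP, 0xC023 PAP, 0xC223 CHAP) are taken from RFC 1661/1662 and the PPP number registry rather than from the deck, and the sample payload is constructed.

```python
import struct

# Field values from the slides
FLAG = 0x7E       # 01111110, opens and closes every frame
ADDRESS = 0xFF    # 11111111, all-stations address (PPP assigns no station addresses)
CONTROL = 0x03    # 00000011, Unnumbered Information (unsequenced frame)

# From RFC 1662, not on the slides: control-escape byte and the FCS-16 residue
ESCAPE = 0x7D
GOOD_FCS16 = 0xF0B8   # value of fcs16() over a valid frame that includes its own FCS

# Protocol-field values from the PPP number registry (assumed, not on the slides)
PROTOCOLS = {0x0021: "IPv4", 0x8021: "IPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}


def fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """RFC 1662 FCS-16: CRC-16 with reflected polynomial 0x8408, initial value 0xFFFF."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def build_frame(protocol: int, payload: bytes) -> bytes:
    """Address + Control + Protocol + Data + FCS, byte-stuffed and wrapped in flags."""
    body = bytes([ADDRESS, CONTROL]) + struct.pack(">H", protocol) + payload
    # The FCS covers everything between the flags except the FCS itself; it is sent
    # as the one's complement, least-significant byte first.
    body += struct.pack("<H", fcs16(body) ^ 0xFFFF)
    stuffed = bytearray()
    for byte in body:
        if byte in (FLAG, ESCAPE) or byte < 0x20:   # default async control-character map
            stuffed += bytes([ESCAPE, byte ^ 0x20])
        else:
            stuffed.append(byte)
    return bytes([FLAG]) + bytes(stuffed) + bytes([FLAG])


def parse_frame(frame: bytes) -> dict:
    """Strip the flags, undo byte stuffing, check the FCS and split out the fields."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing opening or closing flag")
    raw = bytearray()
    octets = iter(frame[1:-1])
    for byte in octets:
        if byte == ESCAPE:
            try:
                byte = next(octets) ^ 0x20
            except StopIteration:
                raise ValueError("escape byte at end of frame") from None
        raw.append(byte)
    if len(raw) < 6:      # address, control, protocol (2), FCS (2)
        raise ValueError("frame too short")
    (protocol,) = struct.unpack(">H", bytes(raw[2:4]))
    return {
        "address": raw[0],
        "control": raw[1],
        "header_ok": raw[0] == ADDRESS and raw[1] == CONTROL,
        "protocol": protocol,
        "protocol_name": PROTOCOLS.get(protocol, "unknown"),
        "data": bytes(raw[4:-2]),
        "fcs": struct.unpack("<H", bytes(raw[-2:]))[0],
        # A good frame leaves the well-known residue when its FCS is fed back in.
        "fcs_ok": fcs16(bytes(raw)) == GOOD_FCS16,
    }


if __name__ == "__main__":
    # Constructed sample: an IPv4 payload that happens to contain the flag and escape bytes
    frame = build_frame(0x0021, b"\x45\x00\x7e\x7d\x03")
    print(frame.hex())
    print(parse_frame(frame))
```

The constant address and control bytes give a receiver nothing to authenticate, so `header_ok` only tells you the peer is speaking PPP; corruption on the line is caught by `fcs_ok`, and a receiver should drop any frame where it is false rather than hand the data field to the network layer.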
PPP Session Establishment Four (4) distinct phases • Link establishment and configuration negotiation • Link-quality determination • Network-layer protocol configuration negotiation • Link termination
Three classes of LCP frames* • Link establishment frames – to establish and configure a link. • Link termination frames – to terminate a link. • Link maintenance frames – to manage and debug a link. * Used to do the work of the 4 LCP phases
Phase 1 • Each PPP device sends LCP packets to configure and test the data link. • Open the connection • Negotiate the configuration parameters (if a configuration option is not negotiated, its default is used) • This phase ends when a configuration acknowledgment frame has been sent and received
Phase 2 • Optional link-quality determination. • Tests the link to see if it is good. • Once the authentication protocol has been agreed on in phase 1, authentication can be done. • LCP can delay transmission of phase 3 until this phase is complete.
Phase 3 • Once Phase 2 is done, the network-layer protocol can be configured by the appropriate NCP (it can be put up and taken down at any time). • Sends NCP packets to choose the network-layer protocol • Datagrams are then sent over the link • If LCP closes the link, it informs the network-layer protocol • show interfaces checks the LCP and NCP states
Phase 4 • LCP can terminate the link at any time. • Usually at the request of the user • Could be a physical event, like loss of carrier or a timeout.
PPP Authentication • Optional • Requires the calling side to enter authentication info to ensure the user has permission to make the call. • Routers exchange authentication messages. • Select PAP or CHAP (preferred)
PAP • Two-way handshake: the username/password pair is sent repeatedly until authentication is acknowledged or the connection is terminated. • Not strong (verifies only once). • Passwords are sent in plain text. • No protection from playback or trial-and-error attacks. • The remote host is in control of the number and timing of login attempts.
CHAP • Three-way handshake. • Done upon initial link establishment and can be repeated any time after. • Offers periodic verification to improve security. (more effective than PAP) • Doesn’t allow the caller to attempt authentication without a challenge.
CHAP (con’t) • Host sends a challenge message to the remote node. • Remote node responds with a value. • Host checks the response against its own value; if it matches, authentication is acknowledged. Otherwise, the connection is terminated. • Protects against playback attacks by using a variable challenge value that is unique and unpredictable.
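The three-way handshake on the two CHAP slides, with the PAP slide's plaintext exchange for contrast, as an added example that is not part of the original deck. The deck does not name the hash; the response here is the CHAP-MD5 of RFC 1994 (MD5 over identifier, shared secret and challenge), the PAP packet layout follows RFC 1334, and the router names and the shared secret are constructed values. The `Authenticator` and `Peer` classes are this example's own, not a library API.

```python
import hashlib
import secrets
import struct

# CHAP responses use the MD5 algorithm of RFC 1994 (the deck does not name the hash):
#     response = MD5(identifier || shared secret || challenge)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The host side of the three-way handshake: issues challenges, verifies responses."""

    def __init__(self, secrets_by_peer: dict):
        self._secrets = secrets_by_peer   # peer name -> shared secret (constructed table)
        self._pending = {}                # identifier -> challenge still awaiting a response
        self._next_id = 0

    def challenge(self) -> tuple:
        """Step 1: send a fresh, unpredictable challenge tagged with an identifier."""
        ident = self._next_id & 0xFF
        self._next_id += 1
        chal = secrets.token_bytes(16)
        self._pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, peer_name: str, response: bytes) -> bool:
        """Step 3: recompute the expected value and compare in constant time."""
        chal = self._pending.pop(ident, None)   # each challenge answers exactly once
        secret = self._secrets.get(peer_name)
        if chal is None or secret is None:
            return False
        return secrets.compare_digest(chap_response(ident, secret, chal), response)


class Peer:
    """The remote node: answers a challenge with its name and the hashed value."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> tuple:
        """Step 2: the secret itself never crosses the link, only the hash."""
        return self.name, chap_response(ident, self.secret, challenge)


def run_handshake(auth: Authenticator, peer: Peer) -> bool:
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)


def replayed_response_is_rejected(auth: Authenticator, peer: Peer) -> bool:
    """A response recorded from one handshake does not satisfy a later challenge."""
    ident1, chal1 = auth.challenge()
    name, recorded = peer.respond(ident1, chal1)
    if not auth.verify(ident1, name, recorded):
        return False                    # the genuine exchange must succeed first
    ident2, _ = auth.challenge()        # new identifier and new random challenge
    return not auth.verify(ident2, name, recorded)


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """For contrast, a PAP Authenticate-Request (RFC 1334, code 1): the password is visible."""
    fields = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack(">BBH", 1, ident, 4 + len(fields)) + fields


if __name__ == "__main__":
    auth = Authenticator({"R2": b"PPPsecret1"})
    print("CHAP ok:", run_handshake(auth, Peer("R2", b"PPPsecret1")))
    print("wrong secret:", run_handshake(auth, Peer("R2", b"wrong")))
    print("replay rejected:", replayed_response_is_rejected(auth, Peer("R2", b"PPPsecret1")))
    print("PAP bytes:", pap_authenticate_request(1, b"R2", b"PPPsecret1").hex())
```

Two properties from the slides show up directly in the code: the authenticator, not the caller, decides when a challenge is issued (`challenge()` precedes any `verify()`), and because the challenge is random and consumed once, a recorded response is worthless against the next one. The PAP request, by comparison, carries the password bytes as sent.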
Configuring PPP Authentication • On each router, define the username and password to expect from the remote router (in global configuration mode): Router(config)# username <name> password <password> • Enter interface configuration mode for the desired interface. • Configure the interface for PPP encapsulation: Router(config-if)# encapsulation ppp
Configuring PPP Authentication (con’t) • Configure PPP authentication: Router(config-if)# ppp authentication {chap | chap pap | pap chap | pap} • If both CHAP and PAP are enabled, the first method listed is the one requested during link negotiation; the second is used if the peer suggests it or refuses the first. • In Cisco IOS Release 11.1 or later, you must explicitly enable PAP on the interface: Router(config-if)# ppp pap sent-username <username> password <password>
Configuring CHAP • The same host name can be used on multiple routers, so that remote users think they are connecting to the same router when authenticating; configure the same host name on each router: Router(config-if)# ppp chap hostname <hostname> • A password can be used to authenticate an unknown host. This limits the number of username/password entries in the router. To use this, configure a password that will be sent to hosts that want to authenticate the router: Router(config-if)# ppp chap password <secret> • This password is not used when the router authenticates a remote device.
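A complete two-router CHAP configuration assembled from the commands on the three configuration slides above, as an added example that is not part of the original deck. The hostnames R1 and R2, the Serial0/0 interface, the addresses and the shared secret are constructed values. CHAP looks up the shared secret by the peer's hostname, so each router's username entry names the other router and both carry the same password.

```cisco
! R1 (constructed example; hostnames, interface, addresses and secret are assumptions)
hostname R1
! Global configuration: the username is the peer's CHAP hostname and the
! password is the shared secret, so it must be identical on both routers.
username R2 password 0 PPPsecret1
!
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 no shutdown
!
! R2 (mirror image: expects R1, same shared secret)
hostname R2
username R1 password 0 PPPsecret1
!
interface Serial0/0
 ip address 10.0.0.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 no shutdown
```

With `ppp authentication chap` on both sides each router challenges the other, so a mismatched secret on either end leaves the line protocol down. Once the link is up, `show interfaces serial0/0` on either router should report LCP Open and Open: IPCP, which is the LCP/NCP state check mentioned on the Phase 3 slide.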