PPP
The Point-to-Point Protocol (PPP) is a Data Link layer protocol that can be
used over asynchronous serial (dial-up) and synchronous serial
(ISDN) media and uses the LCP (Link Control Protocol) to build and
maintain data-link connections. The basic purpose of PPP is to
transport layer-3 packets over a Data Link layer point-to-point
link. PPP consists of two main components: LCP (Link Control
Protocol, used to establish, configure, test, maintain, and
terminate the point-to-point connection) and a family of NCPs
(Network Control Protocols) for establishing and configuring
different Network layer protocols. PPP is designed to allow the
simultaneous use of multiple Network layer protocols.
The PPP Model (top to bottom):
- Higher-Layer Protocols
- Network Control Protocol (NCP), specific to each Network-layer protocol.
  Examples are:
  IPCP - Internet Protocol Control Protocol
  IPXCP - Internetwork Packet Exchange Control Protocol
  BCP - Bridge Control Protocol
- Link Control Protocol (LCP)
- High Level Data Link Control (HDLC)
- Physical Layer (such as EIA/TIA-232, V.24, V.35)
- Network Control Protocol (NCP)---A PPP protocol for
negotiating OSI Layer 3 (the network layer) parameters.
- Link Control Protocol (LCP)---A protocol that
establishes, configures, and tests data link connections used by
the PPP.
- High Level Data Link Control (HDLC)---A method for
encapsulating datagrams over serial links.
- Physical layer ---PPP is capable of operating across
any DTE/DCE interface. Examples include EIA/TIA-232-C,
EIA/TIA-422, EIA/TIA-423, and ITU-T V.35. The only
absolute requirement imposed by PPP is the provision of a duplex
circuit, either dedicated or switched, that can operate in
either an asynchronous or synchronous bit-serial mode,
transparent to PPP link-layer frames. PPP doesn't impose
any restrictions regarding transmission rate other than those
imposed by the particular DTE/DCE interface in use.
PPP Link-Control Protocol
The PPP LCP provides a method of establishing, configuring,
maintaining, and terminating the point-to-point connection.
LCP goes through four distinct phases.
- First, link establishment and configuration
negotiation occurs. Before any Network layer datagrams
(e.g. IP) can be exchanged, LCP first must open the connection
and negotiate configuration parameters. This phase is
complete when a configuration-acknowledgment frame has been both
sent and received.
- This is followed by an optional link-quality determination
phase. In this phase, the link is tested to determine
whether the link quality is sufficient to bring up Network layer
protocols. LCP can delay
transmission of Network layer protocol information until this
phase is complete.
- At this point, Network layer protocol configuration
negotiation occurs. After LCP has finished the
link-quality determination phase, Network layer protocols can be
configured separately by the appropriate NCP and can be brought
up and taken down at any time. If LCP closes the link, it
informs the Network layer protocols so they can take appropriate
action.
- Finally, link termination occurs. LCP can
terminate the link at any time. This usually will be done
at the request of a user, but can happen because of a physical
event, such as the loss of carrier or the expiration of an
idle-period timer.
Three classes of LCP frames exist.
- Link-establishment frames are used to establish and
configure a link.
- Link-termination frames are used to terminate a link.
- Link maintenance frames are used to manage and debug
a link.
LCP can negotiate several options for the PPP link,
including the following:
- Authentication ---Authentication options include PAP
and CHAP.
- Compression ---Data compression increases the
throughput on a network link by reducing the amount of data
that must be transmitted.
- Error Detection ---The Quality option monitors frames dropped
on the link, and the Magic Number lets each end detect a
looped-back link.
- Multilink ---Supported in IOS 11.1 and later,
multilink is supported on PPP links between Cisco routers. This
splits the load for PPP over two or more parallel circuits and
is called a bundle.
LCP Configuration Options

Option           Function                              Protocol      Command
Authentication   Requires a password                   PAP           ppp authentication pap
                 Performs a challenge handshake        CHAP          ppp authentication chap
Compression      Compresses data at the source and     Stacker       ppp compress stacker
                 reproduces it at the destination      Predictor     ppp compress predictor
Error Detection  Monitors the data dropped on the      Quality       ppp quality <number 1-100>
                 link; avoids frame looping            Magic Number
Multilink        Performs load balancing across        MP            ppp multilink
                 multiple links
PPP Session Establishment
- Link-establishment phase ---LCP packets are sent by
each PPP device to configure and test the link. LCP
packets contain a Configuration Option field that allows devices
to negotiate on the use of options such as:
- Maximum Receive Unit (MRU).
- Compression of certain PPP fields.
- Link authentication protocol.
If a value for a Configuration Option isn't set, the default is
used.
- Authentication phase (optional) ---The peer may be
authenticated after the link has been established, using the
authentication protocol decided on (CHAP or PAP). If
authentication is used, it must take place prior to starting the
Network layer phase.
- Network layer protocol phase --- In this phase, the
PPP devices send NCP packets to choose and configure one or more
network layer protocols (such as IP, IPX, or AppleTalk).
Once each of the chosen Network layer protocols has been
configured, datagrams from each Network layer protocol can be
sent over the PPP link.
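The LCP packets exchanged during the link-establishment phase, and the three frame classes listed earlier, are easiest to see in a parser. The following Python is an added example written for this page, not code from the original article or from Cisco: it decodes HDLC-framed LCP packets (layouts per RFC 1661), reports the Configuration Options requested and the class of each frame, and applies the Magic-Number loopback check that LCP performs. The sample frames and the magic number 0xDEADBEEF are constructed for the example.

```python
import struct

# Added example, not from the original page: parse HDLC-framed PPP/LCP packets,
# classify the LCP code, decode Configuration Options and test for a looped
# line. Layouts follow RFC 1661; the sample frames below are constructed.

PPP_LCP, PPP_PAP, PPP_CHAP = 0xC021, 0xC023, 0xC223

LCP_CODES = {
    1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
    4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
    7: "Code-Reject", 8: "Protocol-Reject", 9: "Echo-Request",
    10: "Echo-Reply", 11: "Discard-Request",
}


def lcp_class(code):
    """Map an LCP code to link-establishment, link-termination or link-maintenance."""
    if 1 <= code <= 4:
        return "link-establishment"
    if code in (5, 6):
        return "link-termination"
    if 7 <= code <= 11:
        return "link-maintenance"
    return "unknown"


def parse_lcp_options(data):
    """Decode the Type/Length/Data option list carried by Configure-* packets."""
    opts, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated option header at offset %d" % off)
        typ, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad option length %d at offset %d" % (length, off))
        body = data[off + 2:off + length]
        if typ == 1:                      # Maximum-Receive-Unit
            opts.append(("MRU", struct.unpack("!H", body)[0]))
        elif typ == 3:                    # Authentication-Protocol
            proto = struct.unpack("!H", body[:2])[0]
            if proto == PPP_CHAP:         # one extra byte: algorithm, 5 = MD5
                opts.append(("Auth", "CHAP", body[2]))
            elif proto == PPP_PAP:
                opts.append(("Auth", "PAP"))
            else:
                opts.append(("Auth", "0x%04x" % proto))
        elif typ == 5:                    # Magic-Number
            opts.append(("Magic", struct.unpack("!I", body)[0]))
        elif typ == 7:                    # Protocol-Field-Compression
            opts.append(("PFC",))
        elif typ == 8:                    # Address-and-Control-Field-Compression
            opts.append(("ACFC",))
        else:
            opts.append(("Unknown", typ, body))
        off += length
    return opts


def parse_ppp_frame(frame):
    """Parse an uncompressed HDLC-framed PPP packet: FF 03 <protocol> <information>."""
    if len(frame) < 4 or frame[0] != 0xFF or frame[1] != 0x03:
        raise ValueError("not an uncompressed PPP/HDLC frame")
    proto = struct.unpack("!H", frame[2:4])[0]
    info = frame[4:]
    if proto != PPP_LCP:
        return {"protocol": proto, "payload": info}
    if len(info) < 4:
        raise ValueError("LCP header truncated")
    code, ident, length = struct.unpack("!BBH", info[:4])
    if length < 4 or length > len(info):
        raise ValueError("LCP length field inconsistent with frame")
    pkt = {"protocol": proto, "code": LCP_CODES.get(code, code),
           "class": lcp_class(code), "id": ident}
    if 1 <= code <= 4:
        pkt["options"] = parse_lcp_options(info[4:length])
    else:
        pkt["data"] = info[4:length]
    return pkt


def looped_back(pkt, our_magic):
    """RFC 1661 loopback test: a peer Configure-Request carrying OUR magic number
    means the line is looped and we are negotiating with ourselves."""
    return (pkt.get("code") == "Configure-Request" and
            any(o[0] == "Magic" and o[1] == our_magic for o in pkt.get("options", [])))


# Constructed sample: Configure-Request id 7 asking for MRU 1500, CHAP/MD5
# authentication, magic number 0xDEADBEEF, and both field compressions.
SAMPLE_CONFIGURE_REQUEST = bytes.fromhex(
    "ff03c021" "01" "07" "0017" "010405dc" "0305c22305" "0506deadbeef" "0702" "0802")
# Constructed sample: Echo-Request id 1 carrying the sender's magic number.
SAMPLE_ECHO_REQUEST = bytes.fromhex("ff03c021" "09" "01" "0008" "deadbeef")


if __name__ == "__main__":
    for f in (SAMPLE_CONFIGURE_REQUEST, SAMPLE_ECHO_REQUEST):
        print(parse_ppp_frame(f))
    print("looped:", looped_back(parse_ppp_frame(SAMPLE_CONFIGURE_REQUEST), 0xDEADBEEF))
```

The length checks matter: an option whose Length field runs past the packet, or an LCP Length larger than the frame, is rejected rather than read out of bounds, which is the same discipline a real PPP implementation needs on an untrusted line.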
PPP Authentication Methods
- Password Authentication Protocol (PAP)
PAP provides a simple method for a remote node to
establish its identity using a two-way handshake. This is
done only upon initial link establishment. After the PPP
link establishment phase is complete, a username/password pair
is repeatedly sent by the remote node until authentication is
acknowledged or the connection is terminated.
Passwords are sent across the link in plain text, and there is
no protection against playback or trial-and-error attacks.
The remote node is in control of the frequency and timing of the
login attempts. If the local host rejects the username and
password, the connection is terminated.
- Challenge Handshake Authentication Protocol (CHAP)
CHAP is used to periodically verify the identity
of the remote node using a 3-way handshake. This is done
upon initial link establishment and can be repeated any time
after the link has been established. After the PPP link
establishment phase is complete, the host sends a challenge
message to the remote node. The remote node responds with
a value calculated using a one-way hash function (typically
MD5) over the packet identifier, the shared secret, and the
challenge. The host checks the response against its own
calculation of the expected hash value. If the values
match, the authentication is acknowledged. Otherwise, the
connection is terminated.
CHAP provides protection against playback attack through the
use of a variable challenge value that is unique and
unpredictable. The use of repeated challenges is intended
to limit the time of exposure to any single attack. The
host is in control of the frequency and timing of the
challenges. Two caveats apply: the shared secret must be
available in cleartext (or a reversible form) on both ends so
that each can compute the same hash, and an eavesdropper who
captures a challenge/response pair can test candidate secrets
offline, so the secret should be long and random.
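Both exchanges described above, with the host and remote node sides written out, follow as an added Python example that is not code from the original article or from any PPP implementation. It builds the PAP request (password in the clear), computes the RFC 1994 CHAP response MD5(Identifier || secret || Challenge), verifies it on the host side, shows that a captured response fails against a fresh challenge, and shows the offline dictionary attack that a sniffed challenge/response pair still permits. Router names and the secret 12pass34 are taken from the configuration examples on this page; the wordlist is constructed.

```python
import hashlib
import hmac
import os

# Added example, not from the original page: both sides of a PAP and a CHAP
# exchange (RFC 1334 / RFC 1994), a replay check and an offline dictionary
# attack against a captured CHAP challenge/response pair. Names and secrets
# are invented for the example.


def pap_authenticate_request(peer_id, password):
    """PAP Authenticate-Request: the peer simply sends its name and password.
    Anyone sniffing the serial line sees both fields in cleartext."""
    return {"peer_id": peer_id, "password": password}


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The host side of CHAP: issues challenges and verifies responses."""

    def __init__(self, name, secrets):
        self.name = name
        # CHAP needs the shared secret in recoverable form: the authenticator
        # must compute the same MD5 the peer did, so a one-way hash of the
        # password cannot be used here.
        self.secrets = secrets
        self.ident = 0
        self.current = None

    def challenge(self):
        """Send a Challenge packet: new identifier and a fresh random value."""
        self.ident = (self.ident + 1) & 0xFF
        self.current = os.urandom(16)
        return self.ident, self.current, self.name

    def verify(self, ident, response, peer_name):
        """Check a Response packet against the outstanding challenge."""
        secret = self.secrets.get(peer_name)
        if secret is None or ident != self.ident or self.current is None:
            return False
        expected = chap_response(ident, secret, self.current)
        return hmac.compare_digest(expected, response)


def chap_peer_reply(ident, challenge, my_name, secret):
    """The remote node's Response packet for a received Challenge."""
    return ident, chap_response(ident, secret, challenge), my_name


def run_chap(peer_secret):
    """One complete challenge/response round; True if the peer is accepted."""
    auth = ChapAuthenticator("Router3", {"Router_2": b"12pass34"})
    ident, chal, _ = auth.challenge()
    return auth.verify(*chap_peer_reply(ident, chal, "Router_2", peer_secret))


def replay_captured_response():
    """An attacker replays a sniffed Response after the host re-challenges."""
    auth = ChapAuthenticator("Router3", {"Router_2": b"12pass34"})
    ident, chal, _ = auth.challenge()
    captured = chap_peer_reply(ident, chal, "Router_2", b"12pass34")
    first = auth.verify(*captured)          # genuine reply is accepted
    auth.challenge()                        # periodic re-challenge: new id and value
    replayed = auth.verify(*captured)       # old response no longer matches
    return first, replayed


def dictionary_attack(ident, challenge, response, wordlist):
    """Offline guessing from one sniffed Challenge/Response pair."""
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    print("PAP on the wire:", pap_authenticate_request("Router_2", "12pass34"))
    print("CHAP good secret:", run_chap(b"12pass34"))
    print("CHAP bad secret:", run_chap(b"wrong"))
    print("CHAP genuine/replayed:", replay_captured_response())
    auth = ChapAuthenticator("Router3", {"Router_2": b"12pass34"})
    ident, chal, _ = auth.challenge()
    _, resp, _ = chap_peer_reply(ident, chal, "Router_2", b"12pass34")
    print("recovered secret:", dictionary_attack(ident, chal, resp, [b"cisco", b"12pass34"]))
```

The replay fails because the host rejects any identifier other than the one it last issued and because the new random challenge changes the expected hash; the dictionary attack succeeds because nothing in CHAP slows down an offline guess, which is why the secret, not the protocol, carries the security.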
Configuring PPP on a Cisco Router
Follow these commands to configure PPP on a Cisco router.
Router3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#int s0
Router3(config-if)#encapsulation ppp
Router3(config-if)#exit
Router3(config)#username Router2 password 12pass34
After you set the encapsulation to PPP, you have to exit to
global configuration mode and set the username and password. The
username is the hostname of the remote host connecting via PPP on
the serial line; the password and encapsulation type must be the
same on both routers. Note that this entry keeps the password in
the running configuration; service password-encryption only
obscures it with the reversible type 7 encoding, because CHAP
needs the actual secret to compute its hash.
Setting PPP Authentication
Using authentication with PPP is optional, therefore you must
specifically configure PPP authentication on each PPP host in order
for the host to authenticate its peer.
PAP and CHAP were both originally specified in RFC 1334; CHAP is now
defined by RFC 1994. These protocols are
supported on synchronous and asynchronous serial interfaces.
When using CHAP or PAP authentication, each router identifies itself
by a name. This identification process prevents a router from
placing another call to a router to which it is already connected,
and also prevents unauthorized access. Access control using
CHAP or PAP is available on all serial interfaces that use PPP
encapsulation. The authentication feature reduces the risk of
security violations on your router. You can configure either
CHAP or PAP for the interface. Note, to use CHAP or PAP, you
must be running PPP encapsulation. Follow these commands to
configure PPP authentication on a Cisco router.
Command Syntax:
ppp authentication {chap | chap pap | pap chap | pap}
Configure Identification
Add a username entry for each remote system from which the local
router requires authentication. To specify the password to be
used in CHAP or PAP caller identification, perform the following
task in global configuration mode:
Command Syntax:
username name password secret
Example:
Router3(config)#interface serial0
Router3(config-if)#ppp authentication chap pap
Router3(config-if)#exit
Router3(config)#username Router_2 password 123pass321
This tells the router to request CHAP first and to fall back to PAP
only if the peer refuses CHAP (a single method is used on a given
link), and allows it to set up a
connection to Router_2. The syntax for this command came from the
Cisco documentation CD.
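Once several routers carry these commands, the settings worth reviewing are whether every PPP interface demands authentication, whether PAP is still permitted, and how the username passwords are stored. The following Python is an added example for this page, not code from the original article or from Cisco: it reads a running-config excerpt and reports those findings, using only the commands shown above (encapsulation ppp, ppp authentication, username ... password). The configuration text, router names, passwords and the type 7 string are constructed for the example.

```python
import re

# Added example, not from the original page: audit an IOS running-config for
# weak PPP authentication settings. The config below is constructed; the
# hostnames, passwords and the type 7 string are invented placeholders.

SAMPLE_CONFIG = """\
hostname Router3
!
username Router_2 password 0 123pass321
username Router_4 password 7 0123456789ABCD
!
interface Serial0
 ip address 192.168.1.10 255.255.255.0
 encapsulation ppp
 ppp authentication chap pap
!
interface Serial1
 encapsulation ppp
 ppp authentication pap
!
interface Serial2
 encapsulation ppp
!
interface Serial3
 encapsulation hdlc
!
"""


def parse_interfaces(config):
    """Group each interface's indented sub-commands under its 'interface' line."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current:
            ifaces[current].append(line.strip())
        else:
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            if current:
                ifaces[current] = []
    return ifaces


def audit_config(config):
    """Return (where, severity, message) findings for weak PPP authentication."""
    findings = []
    # 'username NAME password [TYPE] STRING': type 0 (or omitted) is cleartext,
    # type 7 is the reversible encoding produced by service password-encryption.
    for line in config.splitlines():
        m = re.match(r"username (\S+) password (?:(\d+) )?(\S+)$", line)
        if not m:
            continue
        name, ptype = m.group(1), m.group(2) or "0"
        if ptype == "0":
            findings.append(("username " + name, "high",
                             "password stored in cleartext (type 0) in the config"))
        elif ptype == "7":
            findings.append(("username " + name, "medium",
                             "type 7 encoding is reversible; treat the config as sensitive"))
    for name, lines in parse_interfaces(config).items():
        if "encapsulation ppp" not in lines:
            continue
        auth = [l for l in lines if l.startswith("ppp authentication")]
        if not auth:
            findings.append((name, "high", "PPP encapsulation without ppp authentication"))
            continue
        methods = auth[0].split()[2:]
        if "pap" in methods:
            findings.append((name, "medium",
                             "PAP permitted (%s): password crosses the link in cleartext if negotiated"
                             % " ".join(methods)))
    return findings


if __name__ == "__main__":
    for where, sev, msg in audit_config(SAMPLE_CONFIG):
        print("%-18s %-6s %s" % (where, sev, msg))
```

Run against the sample, the script flags Serial2 (PPP without authentication), Serial0 and Serial1 (PAP permitted, including the chap pap fallback) and both username entries; Serial3 is ignored because it does not use PPP encapsulation.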
Verifying PPP encapsulation
Use the show interface [type number] command to view the interface
encapsulation type.
Router3#show interface serial0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 192.168.1.10/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Listen: IPXCP
Open: IPCP, CDPCP
Last input 00:00:09, output 00:00:12, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1921 packets input, 136287 bytes, 0 no buffer
Received 1301 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2165 packets output, 100238 bytes, 0 underruns
0 output errors, 0 collisions, 220 interface resets
0 output buffer failures, 0 output buffers swapped out
279 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Monitoring PPP
You can monitor PPP activity with the show interface
(shown above) and debug ppp chap commands. The debug
ppp chap command displays the CHAP packet exchanges and PAP
exchanges. Use no debug all to turn off debugging.
debug ppp
Use the debug ppp EXEC command to display information on
traffic and exchanges in an internetwork implementing the
Point-to-Point Protocol (PPP). The no form of this command disables
debugging output.
debug ppp {packet | negotiation | error | chap}
no debug ppp {packet | negotiation | error | chap}
debug ppp Syntax Description:
- packet: Causes the debug ppp command to display PPP packets
  being sent and received. (This command displays low-level
  packet dumps.)
- negotiation: Causes the debug ppp command to display PPP packets
  transmitted during PPP startup, where PPP options are
  negotiated.
- error: Causes the debug ppp command to display protocol errors
  and error statistics associated with PPP connection
  negotiation and operation.
- chap: Causes the debug ppp command to display Challenge
  Handshake Authentication Protocol (CHAP) packet exchanges.