Point-Point Protocol (PPP) by William F. Widulski - PowerPoint PPT Presentation

Slides: 25
Provided by: bertl3
1
Point-Point Protocol (PPP) by William F. Widulski
2
PPP Overview
  • Layer 2 WAN Protocol
  • In the late 1980s, Serial Line Internet Protocol
    (SLIP) hindered growth, so PPP (its successor)
    helped solve remote Internet connectivity
    problems.
  • Was needed to dynamically assign IP addresses and
    to allow multiple protocols to ride on top.

3
PPP Overview (cont)
  • Provides router-to-router and host-to-network
    connections over both synchronous and
    asynchronous circuits
  • Most widely used and most popular WAN protocol

4
PPP features
  • Control of data link setup
  • Assignment and management of IP addresses
  • Network protocol multiplexing
  • Link configuration and link quality testing
  • Error detection

5
PPP features (cont)
  • Optional negotiation for capabilities such as
    network-layer address negotiation and data
    compression negotiation

6
PPP Components
  • Three (3) Main Components
  • Method for encapsulating datagrams over serial
    links, High-level Data Link Control (HDLC)
  • An LCP (Link Control Protocol) to establish,
    configure, and test the data-link connection
  • A family of NCP for establishing and configuring
    different network-layer protocols. Today, PPP
    supports IP, IPX, Appletalk and DECnet.

7
PPP Layer Functions
  • PPP uses a layered architecture
  • Lower-level functions
  • Synchronous physical media, like those of ISDN
  • Asynchronous physical media, like those used in
    basic telephone services for modem dialup
    connections

8
PPP Layer Functions (cont)
  • Higher-level functions, carry packets from
    several network-layer protocols in NCPs
  • BCP (Bridge Control Protocol)
  • IPCP (Internet Protocol Control Protocol)
  • IPXCP (Internetwork Packet Exchange Control
    Protocol)

9
PPP Frame Formats
10
PPP Frame Formats (cont)
  • Flag: indicates the beginning or end of a frame
    and consists of the binary sequence 01111110.
  • Address: consists of the standard broadcast
    address, which is the binary sequence 11111111.
    (Doesn't assign individual station addresses.)
  • Control: 1 byte that consists of the binary
    sequence 00000011, which calls for transmission
    of user data in an unsequenced frame. A
    connectionless link service similar to LLC type 1
    is provided.

11
PPP Frame Formats (cont)
  • Protocol: 2 bytes that identify the protocol
    encapsulated in the data field of the frame.
  • Data: 0 or more bytes that contain the datagram
    for the specified protocol. The end of the data
    field is found by locating the closing flag
    sequence and allowing 2 bytes for the FCS. The
    maximum length of the data is 1,500 bytes.
  • FCS: normally 2 bytes. Added for error control
    purposes.

12
PPP Session Establishment
  • Four (4) distinct phases
  • Link establishment and configuration negotiation
  • Link-quality determination
  • Network-layer protocol configuration negotiation
  • Link termination

13
Three classes of LCP frames
  • Link establishment frames to establish and
    configure a link.
  • Link termination frames to terminate a link.
  • Link maintenance frames to manage and debug a
    link.
  • Used to do the work of the 4 LCP phases

14
Phase 1
  • Each PPP device sends LCP packets to configure
    and test the data link.
  • Open the connection
  • Negotiate the configuration parameters (If there
    is no config. option use default.)
  • This phase ends when a configuration
    acknowledgment frame has been sent and received

15
Phase 2
  • Optional link-quality determination.
  • Tests the link to see if it is good.
  • After the authentication protocol has been
    decided on (phase 1) authentication can be
    done.
  • LCP can delay transmission of phase 3 until this
    phase is complete.

16
Phase 3
  • Once Phase 2 is done, network-layer protocol can
    be configured by the appropriate NCP (can be put
    up and taken down at any time.)
  • Sends NCP packets to choose the network-layer
    protocol
  • Datagrams are then sent over the link
  • If LCP closes the link, it informs the
    network-layer protocol
  • Show interfaces - checks LCP and NCP states

17
Phase 4
  • LCP can terminate the link at any time.
  • Usually done at the request of the user
  • Could also be caused by a physical event like
    loss of a carrier or a timeout.

18
PPP Authentication
  • Optional
  • Requires the calling side to enter authentication
    info to ensure the user has permission to make
    the call.
  • Routers exchange authentication messages.
  • Select PAP or CHAP (preferred)

19
PAP
  • Two-way handshake, username/password is
    repeatedly sent until authentication is
    acknowledged or connection is terminated.
  • Not strong. (verifies only once)
  • Passwords are sent in plain text.
  • No protection from playback or trial-and-error
    attacks.
  • Remote host is in control of the number and
    timing of login attempts.

20
CHAP
  • Three-way handshake.
  • Done upon initial link establishment and can be
    repeated any time after.
  • Offers periodic verification to improve security.
    (more effective than PAP)
  • Doesn't allow the caller to attempt
    authentication without a challenge.

21
CHAP (cont)
  • Host sends a challenge message to the remote
    node.
  • Remote node responds with a value.
  • Host checks it against its own value; if it
    matches, authentication is acknowledged.
    Otherwise, the connection is terminated.
  • Protects against playback attacks by using a
    variable challenge value that is unique and
    unpredictable.
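
The challenge/response exchange described on the two CHAP slides, as an added example that is not part of the original presentation. It assumes the response calculation from RFC 1994 (MD5 over identifier, shared secret and challenge), which the slides do not spell out; the class, function and peer names are hypothetical and the secret is constructed.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """Value the remote node returns: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class ChapAuthenticator:
    """Host side: issues challenges and checks responses against stored secrets."""

    def __init__(self, secrets_by_name):
        self.secrets = secrets_by_name
        self.pending = {}          # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        """Issue a fresh, unpredictable challenge with a new identifier."""
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)
        self.pending[ident] = value
        return ident, value

    def verify(self, ident, name, response):
        """Accept only a response to an outstanding challenge; each is used once."""
        value = self.pending.pop(ident, None)
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False           # no challenge was issued, or unknown peer
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)

def demo():
    """Return (first login accepted, captured response accepted on replay)."""
    secret = b"constructed-shared-secret"          # constructed sample value
    host = ChapAuthenticator({"branch-router": secret})
    ident, value = host.challenge()
    captured = chap_response(ident, secret, value)  # what crosses the link
    first = host.verify(ident, "branch-router", captured)
    ident2, _ = host.challenge()                    # later re-authentication
    replay = host.verify(ident2, "branch-router", captured)
    return first, replay

if __name__ == "__main__":
    print(demo())
```

The replayed value fails because the host computes its expected value from the new challenge, which is the property the slide attributes to a unique and unpredictable challenge.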

22
Configuring PPP Authentication
  • On each router, define the username and password
    to expect from the remote router
  • Router(config)# username <name> password
    <password>
  • Enter interface configuration mode for the
    desired interface.
  • Configure the interface for PPP encapsulation
  • Router(config-if)# encapsulation ppp

23
Configuring PPP Authentication (cont)
  • Configure PPP authentication
  • Router(config-if)# ppp authentication {chap |
    chap pap | pap chap | pap}
  • If CHAP and PAP are enabled, the first is the one
    requested during link negotiation, the second is
    used if the peer suggests using the second or
    refuses the first.
  • In Cisco IOS Release 11.1 or later, you must
    enable PAP on the interface
  • Router(config-if)# ppp pap sent-username
    <username> password <password>

24
Configuring CHAP
  • Can use the same host name on multiple routers.
    Configuring the same host name on each router
    makes remote users think they are connecting to
    the same router when authenticating.
  • Router(config-if)# ppp chap hostname <hostname>
  • Can use a password to authenticate an unknown
    host.  This is to limit the number of
    username/password entries in the router.  To use
    this, configure a password that will be sent to
    hosts that want to authenticate the router
  • Router(config-if)# ppp chap password <secret>
  • This password is not used when the router
    authenticates a remote device.