Compared with traditional access methods, PPPoE offers a better performance-to-price ratio and is widely used in applications such as residential community network construction; ADSL, the most popular broadband access mode today, uses the PPPoE protocol. As low-cost broadband technology spreads, DSL (Digital Subscriber Line) is bringing many computers onto the Internet, but it also adds to the concerns of DSL service providers about network security. Most computers that reach the Internet through ADSL are connected to it through an Ethernet card. They use ordinary TCP/IP, with no additional protocol attached. Modem dial-up access, on the other hand, uses the PPP protocol (Point-to-Point Protocol), which provides user authentication and IP address assignment. The PPP over Ethernet (PPPoE) protocol is a technique for carrying PPP frames over an Ethernet network, and is used above all for ADSL.
Introduction to the PPP protocol

PPP (Point-to-Point Protocol) is a link-layer protocol that provides point-to-point communication between two users. PPP offers a set of solutions for link establishment, maintenance and teardown, upper-layer protocol negotiation, and authentication. Specifically, it consists of the following parts: the Link Control Protocol (LCP), the Network Control Protocols (NCP), and the authentication protocols, the most commonly used of which are the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP).
The frame format is similar to HDLC; the difference is that PPP is character-oriented while HDLC is bit-oriented. The PPP frame format is as follows (figure not reproduced):
The frame has 8 fixed bytes in total: the first and last bytes are the start and end flags, A is the address field, and C is the control field. The two-byte Protocol field indicates which protocol's data is carried in the Information field that follows it:
0x0021  Information field is an IP datagram
0xc021  Information field is link control data (LCP)
0x8021  Information field is network control data (NCP)
0xc023  Information field is PAP authentication data
0xc025  Information field is LQR (Link Quality Report) data
0xc223  Information field is CHAP authentication data
Working process of the PPP protocol

PPP communication takes place between two endpoints. Each end must first send LCP packets to set up and test the data link. Once the link is established, the peer may be authenticated; after authentication completes, NCP packets are sent to select the network-layer protocol, and subsequent communication can then be carried out at the network layer.
The specific process is as follows:
1. Link Dead phase: The link must begin and end in this phase. When an external event (such as carrier detection or a network administrator's configuration) indicates that the physical layer is ready, PPP enters the Link Establishment phase. In this phase the LCP automaton is in the Initial state; the transition to the Link Establishment phase signals an Up event to the LCP automaton.
2. Link Establishment phase: LCP is used to exchange Configure packets to establish the connection. Once a Configure-Ack packet has been both sent and received, the exchange is complete and LCP is Opened. All configuration options are assumed to take their default values unless changed by the configuration exchange. Note that only configuration options that do not depend on a particular network-layer protocol are configured by LCP; in the Network-Layer Protocol phase, the configuration of each individual network-layer protocol is handled by its own Network Control Protocol (NCP). Any non-LCP packets received in this phase must be silently discarded. Receiving an LCP Configure-Request returns the link from the Network-Layer Protocol phase or the Authentication phase to the Link Establishment phase.
3. Authentication phase: On some links, one end may require the peer to authenticate itself before network-layer protocol packets are exchanged. Authentication is not mandatory. If an implementation expects the peer to authenticate with a specific authentication protocol, it must request that protocol during the Link Establishment phase. Authentication should take place as soon as possible after the link is established; link quality checks may occur at the same time. Advancing from the Authentication phase to the Network-Layer Protocol phase is forbidden until authentication is complete. If authentication fails, the authenticator should proceed to the Link Termination phase. In this phase only LCP packets, authentication-protocol packets and link-quality-monitoring packets are allowed; any other packets received in this phase must be silently discarded.
4. Network-Layer Protocol phase: Once PPP has completed the previous phases, each network-layer protocol (for example IP, IPX or AppleTalk) must be configured separately by the appropriate Network Control Protocol (NCP). For example, the NCP can assign a temporary IP address to a newly connected PC so that the PC becomes a host on the Internet. Each NCP can be opened and closed at any time. When an NCP is in the Opened state, PPP carries the corresponding network-layer protocol packets; when the corresponding NCP is not in the Opened state, any received packets of a supported network-layer protocol are silently discarded.
5. Link Termination phase: PPP can terminate the link at any time. There are many reasons for termination: loss of carrier, authentication failure, link quality failure, expiry of the idle-period timer, or an administrator closing the link. LCP terminates the link by exchanging Terminate packets. When the link is being closed, PPP notifies the network-layer protocols so that they can take the appropriate action. After the exchange of Terminate packets, the implementation should tell the physical layer to disconnect so that the link is forced to terminate, especially if authentication failed. The sender of a Terminate-Request should disconnect after receiving a Terminate-Ack or after the Restart counter expires. The receiver of a Terminate-Request should wait for the peer to disconnect, and should not disconnect until at least one Restart time has passed after the Terminate-Request was received. PPP then proceeds to the Link Dead phase. Any non-LCP packets received in this phase must be silently discarded.
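An added example (not from the article) that models the five phases above as a small state machine in Python and enforces, per phase, which Protocol values are delivered and which are silently discarded. The event names and the ncp_open() helper are assumptions chosen for the example; the protocol numbers are the ones listed in the frame-format section.

```python
# Added example, not from the original article: PPP phase automaton applying
# the "deliver or silently discard" rule of each phase described above.
from enum import Enum

LCP, NCP_IPCP, PAP, LQR, CHAP, IP = 0xC021, 0x8021, 0xC023, 0xC025, 0xC223, 0x0021
Phase = Enum("Phase", "DEAD ESTABLISH AUTHENTICATE NETWORK TERMINATE")

class PPPLink:
    def __init__(self, require_auth=True):
        self.phase, self.require_auth = Phase.DEAD, require_auth
        self.open_ncps = set()   # network-layer protocols whose NCP is in the Opened state

    def event(self, name):
        """Drive the phase transitions; event names are assumptions for this example."""
        p = self.phase
        if name == "up" and p is Phase.DEAD:                   # physical layer ready
            self.phase = Phase.ESTABLISH
        elif name == "lcp_opened" and p is Phase.ESTABLISH:    # Configure-Ack sent and received
            self.phase = Phase.AUTHENTICATE if self.require_auth else Phase.NETWORK
        elif name == "auth_ok" and p is Phase.AUTHENTICATE:
            self.phase = Phase.NETWORK
        elif name == "auth_fail" and p is Phase.AUTHENTICATE:  # authenticator tears the link down
            self.phase = Phase.TERMINATE
        elif name == "lcp_configure_request" and p in (Phase.AUTHENTICATE, Phase.NETWORK):
            self.phase, self.open_ncps = Phase.ESTABLISH, set()   # renegotiation restarts the link
        elif name == "terminate" and p is not Phase.DEAD:      # carrier loss, idle timer, admin close
            self.phase, self.open_ncps = Phase.TERMINATE, set()
        elif name == "down" and p is Phase.TERMINATE:          # Terminate-Ack seen or Restart counter expired
            self.phase = Phase.DEAD
        else:
            raise ValueError(f"event {name!r} is not valid in phase {p.name}")

    def ncp_open(self, network_protocol):
        """Record that the NCP of a network-layer protocol (e.g. IPCP for IP) reached Opened."""
        if self.phase is not Phase.NETWORK:
            raise ValueError("NCPs can only be opened in the Network-Layer Protocol phase")
        self.open_ncps.add(network_protocol)

    def receive(self, protocol):
        """Return 'deliver' or 'discard' for an incoming frame's Protocol field."""
        if self.phase in (Phase.ESTABLISH, Phase.TERMINATE):
            allowed = {LCP}
        elif self.phase is Phase.AUTHENTICATE:
            allowed = {LCP, PAP, CHAP, LQR}
        elif self.phase is Phase.NETWORK:
            allowed = {LCP, LQR, NCP_IPCP} | self.open_ncps   # IP only once IPCP is Opened
        else:
            allowed = set()                                    # Link Dead: nothing is accepted
        return "deliver" if protocol in allowed else "discard"
```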
PPPoE protocol and its working process

PPPoE (PPP over Ethernet) is a variant protocol often used on DSL links (RFC 2516); PPPoA (PPP over ATM) is sometimes used as well. PPPoE is typically deployed in DSL access networks, as shown in the figure (not reproduced). A PPPoE message is a PPP message with an Ethernet header added in front, which allows PPPoE to reach the remote access device through simple bridging equipment. Note, however, that the PPP content inside a PPPoE message is not identical to the original PPP frame. The complete PPPoE message, including the Ethernet frame, has the layout shown in the figure (not reproduced); its key fields are explained below.
The meaning of the key fields in the PPPoE message is as follows.

ETHER_TYPE:
0x8863  Discovery stage
0x8864  PPP Session stage

CODE:
0x00  PPP Session stage
0x09  PPPoE Active Discovery Initiation (PADI) packet
0x07  PPPoE Active Discovery Offer (PADO) packet
0x19  PPPoE Active Discovery Request (PADR) packet
0x65  PPPoE Active Discovery Session-confirmation (PADS) packet
0xa7  PPPoE Active Discovery Terminate (PADT) packet

TAG_TYPE (negotiation parameters in the Discovery stage):
0x0000  End-Of-List
0x0101  Service-Name
0x0102  AC-Name
0x0103  Host-Uniq
0x0104  AC-Cookie
0x0105  Vendor-Specific
0x0110  Relay-Session-Id
0x0201  Service-Name-Error
0x0202  AC-System-Error
0x0203  Generic-Error
The working process of PPPoE is divided into two stages: the Discovery stage and the PPP Session stage.
The specific process of the Discovery stage is as follows:
1. The user host broadcasts a PADI (PPPoE Active Discovery Initiation) packet in order to find all the access devices it is connected to (that is, to learn their MAC addresses).
2. On receiving the PADI, each access device returns a PADO (PPPoE Active Discovery Offer) packet as its response.
3. The user host selects a suitable access device from the PADO packets it has received, according to the access concentrator name or service name they carry, and then sends a PADR (PPPoE Active Discovery Request) packet. If the host receives no PADO within the specified time after sending the PADI, it re-sends the PADI.
4. On receiving the PADR packet, the access device returns a PADS (PPPoE Active Discovery Session-confirmation) packet containing a unique session ID, and both sides enter the PPP Session stage.
The PPP Session stage is the communication stage after the session has been established. In addition, either the user host or the access device can send a PADT packet at any time to terminate the session.
The complete process of communicating with PPPoE is shown in the figure (not reproduced).
The implementation of PPPoE on the BAS
PPPoE dial-up software is already mature in its applications (Windows XP and later ship with it); the following focuses on how PPPoE is implemented in the broadband access server (BAS).
3.1 Efficiency of PPPoE
As can be seen from the PPPoE protocol model, the BAS aggregates all the users' data streams and must take each PPPoE packet apart and check it. This largely inherits the traditional PPP processing: it offers good security, but once there are many users and the packet volume is large, unpacking takes a lot of time, and the heavy checking of every user packet in the BAS becomes an access "bottleneck".
Therefore, the hardware of the BAS can be designed around a distributed network processor (NP) and ASIC chips. A network processor is a dedicated processor developed for telecommunication network equipment; it has a special instruction set for processing telecom network protocols and services and can greatly improve the processing capacity of the equipment. At the same time, ASIC chips forward packets at close to hardware forwarding performance, far beyond what CPU-based software forwarding can match. In this way PPPoE data-stream processing and forwarding are separated, and efficiency improves greatly. In addition, the software architecture should be combined with other techniques to bring out the performance of PPPoE more fully.
3.2 Combination of PPPoE and VLAN
A VLAN (virtual local area network) is a technique that realizes virtual workgroups by logically dividing the devices in a LAN into different network segments. VLANs are partitioned for two purposes: one is to improve network security, since data in different VLANs cannot communicate freely and must pass a layer-3 check; the other is to isolate broadcast traffic, since partitioning VLANs narrows the broadcast domain, improves network performance, and confines a broadcast storm within one VLAN.
PPPoE is a client/server protocol in which the client must send a PADI packet to find the BAS, so the client must be in the same layer-2 broadcast network as the BAS; combining PPPoE with VLANs is a good solution to this security risk. In addition, by assigning users of different service types to different VLANs for processing, services can be handled flexibly and processing is accelerated; of course, VLAN planning must be coordinated between the layer-2 devices and the BAS.
When the BAS receives an upstream PPPoE packet, it first identifies the category of the VLAN ID. If the packet comes from an ordinary dial-up user, the BAS determines whether it is a Discovery-stage or Session-stage packet and processes it strictly according to the PPPoE protocol. In the Session stage, the user is assigned an IP address from different address pools according to the user type; the address pools are configured by the upper-level network management system. If the packet comes from a user who has already been authenticated, it is handled according to that user's service type; for example, if it is a locally authenticated dial-up user and the other party requests the same function, it is forwarded directly locally.
If the packet comes from a leased-line user, the complex PPPoE authentication process is not needed: the user's VLAN ID alone is enough to enter the leased-line processing flow, and access speed is greatly improved. In addition, unified network management requires communication between the BAS and other devices; these are internal packets and can also be distinguished by VLAN ID.
For downstream data, because the BAS is responsible for assigning and resolving users' IP addresses and acts as the gateway, the destination IP of the packets it receives is the user's, so looking up the user's information by IP is more convenient than looking it up by MAC address; this differs from an ordinary switch. The rest of the process is similar to upstream processing.
3.3 PPPoE support for multi-service selection
Multi-service selection means that a user, over one PPP connection to the BAS, can autonomously choose among the various services provided by the backend network operators. Support for multi-service selection is needed for two reasons. On the one hand, the technical focus of each service's implementation is different and the network performance requirements differ, so the previous approach of fixed allocation is very inconvenient. On the other hand, from the viewpoint of network application development, the separation of Internet content providers (ICPs) from Internet access providers (ISPs) is an inevitable trend, and on the access aggregation side the ISP must strictly ensure that the service flow a user has selected is delivered to the corresponding ICP.
At present the method is that the user first selects the corresponding service in the PPPoE dialing software, the service authorization is then confirmed for the user, and finally the corresponding processing module inside the BAS is activated. With this approach, however, users only know the names of the services and cannot gain an intuitive and comprehensive understanding of the various services the BAS provides; this is especially difficult when new services are being developed, so the approach has great limitations.
Therefore, the BAS can be combined with a backend service selection gateway and a RADIUS server so that the user is authenticated first and selects a service afterwards. The specific operation is as follows:
(1) The host sends a PADI to search for the BAS. The PADI contains a Service-Name tag whose value is NULL, indicating that the user accepts any type of service.
(2) On receiving the packet, the BAS replies with a PADO. The PADO contains tags for all the available services, and also contains a Service-Name tag named General.
(3) The host sends a PADR. The user chooses a known service name, or may select the General service.
(4) The BAS receives the PADR packet, allocates resources to the user, and begins the PPP negotiation process. During PPP negotiation, the BAS sends information such as the account and password entered by the user to the RADIUS server for authentication.
(5) Authenticated users enjoy the service provided by the BAS, but a user who chose General is forced to the service selection gateway directly connected to the BAS. The service selection gateway in the background is a server with web-server functionality; through its interactive web interface the user obtains information about the optional services (including cost, bandwidth, etc.), displayed according to the user's account.
(6) The user selects the corresponding service; the service selection gateway defines the service scope and operating rights of the various users.
(7) The service selection gateway activates the corresponding service module in the access server to implement the service. The above method follows the PPPoE protocol strictly and is fully compatible with the currently popular dial-up software; a user who is not interested in other services and is already familiar with the service already subscribed to is unaffected in their habits.
From the perspective of the BAS, the operation flow of PPPoE has not changed much; only a service type has been added. If the carrier does not currently have a service selection gateway, it can be configured through network management so that the General service is not included in the response to the PADI packet.
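As an added example (not code from the article or from any vendor's BAS), the following Python walks the Discovery stage described earlier in the service-selection form of steps (1) to (4): a PADI with an empty Service-Name, a PADO listing the offered services plus General, a PADR choosing one, and a PADS carrying the session ID, together with the Host-Uniq and AC-Cookie echo checks each side should apply before answering. The MAC addresses, AC name, cookie and Host-Uniq are constructed sample values; the header layout and tag codes are those of RFC 2516 listed above, and the event of "General" being chosen when the wanted service is not offered is an assumption of the example.

```python
# Added example, not from the original article: PPPoE Discovery-stage frames
# (RFC 2516 header + TLV tags) built and parsed for a PADI/PADO/PADR/PADS exchange.
import struct

ETH_DISCOVERY = 0x8863   # ETHER_TYPE of the Discovery stage; 0x8864 is the PPP Session stage
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
END_OF_LIST, SERVICE_NAME, AC_NAME, HOST_UNIQ, AC_COOKIE = 0x0000, 0x0101, 0x0102, 0x0103, 0x0104

def build(dst, src, code, session, tags):
    """Ethernet header + PPPoE header (VER=1, TYPE=1, CODE, SESSION_ID, LENGTH) + TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return dst + src + struct.pack("!HBBHH", ETH_DISCOVERY, 0x11, code, session, len(payload)) + payload

def parse(frame):
    """Strict parser for a Discovery-stage frame; malformed fields raise ValueError
    (struct.error if the frame is shorter than the two headers)."""
    etype, vt, code, session, length = struct.unpack("!HBBHH", frame[12:20])
    if etype != ETH_DISCOVERY or vt != 0x11 or code not in CODES:
        raise ValueError("not a well-formed PPPoE discovery frame")
    body = frame[20:20 + length]
    if len(body) != length:
        raise ValueError("LENGTH field exceeds the frame")
    tags, i = [], 0
    while i + 4 <= length:
        t, l = struct.unpack("!HH", body[i:i + 4])
        if i + 4 + l > length:
            raise ValueError("tag length overruns payload")   # the TLV bound check never to skip
        tags.append((t, body[i + 4:i + 4 + l]))
        i += 4 + l
        if t == END_OF_LIST:
            break
    return {"src": frame[6:12], "code": CODES[code], "session": session, "tags": tags}

def values(tags, tag_type): return [v for t, v in tags if t == tag_type]

def discovery(host_mac, ac_mac, ac_services, wanted):
    """PADI -> PADO -> PADR -> PADS, with the checks each side should make before answering."""
    host_uniq, cookie = b"\x01\x02\x03\x04", b"\xaa\xbb"   # constructed sample values
    padi = parse(build(b"\xff" * 6, host_mac, 0x09, 0, [(SERVICE_NAME, b""), (HOST_UNIQ, host_uniq)]))
    pado_tags = ([(AC_NAME, b"BAS-1")] + [(SERVICE_NAME, s) for s in ac_services]    # empty name = any
                 + [(AC_COOKIE, cookie), (HOST_UNIQ, values(padi["tags"], HOST_UNIQ)[0])])
    pado = parse(build(host_mac, ac_mac, 0x07, 0, pado_tags))
    if values(pado["tags"], HOST_UNIQ) != [host_uniq]:       # host ignores offers not echoing its Host-Uniq
        raise ValueError("PADO does not answer our PADI")
    choice = wanted if wanted in values(pado["tags"], SERVICE_NAME) else b"General"
    padr_tags = [(SERVICE_NAME, choice)] + [(AC_COOKIE, c) for c in values(pado["tags"], AC_COOKIE)]
    padr = parse(build(pado["src"], host_mac, 0x19, 0, padr_tags))
    if values(padr["tags"], AC_COOKIE) != [cookie]:          # AC allocates a session only to a valid cookie
        raise ValueError("PADR without a valid AC-Cookie")
    pads = parse(build(host_mac, ac_mac, 0x65, 0x0001, [(SERVICE_NAME, choice)]))
    return pads["session"], choice.decode()
```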