About LCP negotiation

Source: Internet
Author: User

During LCP negotiation, each party sends a Configure-Request to the other and answers the peer's request with a Configure-Ack. Either side may send the request, and either side may answer it.

PAP verification process:
PAP is a two-way handshake. Once the link can carry data in both directions, the party being authenticated sends its local user name and password to the authenticator. The authenticator checks them against its local user table (or a RADIUS server): if they are correct, it sends an ACK packet to the peer; otherwise it sends a NAK packet. A single failure does not bring the link down; the link is closed only when the number of failed attempts reaches a set limit.

CHAP verification process:
CHAP is a three-way handshake that sends only user names over the network, never passwords. First, the authenticator sends a random Challenge packet to the peer, attaching its own local host name. On receiving the packet, the peer looks up the password for that host name in its user table, feeds the Message ID, that password and the random challenge through the MD5 algorithm to produce a Response, and returns the Response together with its own host name. The authenticator then takes the Message ID, the password (key) it holds for that peer and the random challenge it sent, computes the same MD5 result, compares it with the peer's Response, and returns the outcome.

The biggest difference between PAP and CHAP is that PAP starts with the authenticated party sending its user name and password to the authenticator, whereas CHAP is initiated by the authenticator. The main security difference is that PAP transmits the password in plaintext, while CHAP never transmits the password over the link.

MP multi-link bundling
MP (Multilink PPP) is a PPP extension. Two links can be bundled only when their Endpoint Discriminator and authentication information are exactly the same, which means MP negotiation can finish only after authentication has completed. MP never causes a link to be torn down: if two links are configured for MP but do not meet the bundling conditions, a new MP bundle is created for the second link, so MP also allows a bundle consisting of a single link. Bundling is done per user; only links belonging to the same user are bundled. If one end is configured for MP and the other end does not support it or is not configured for it, the link established is an ordinary non-MP link.

PPP protocol Introduction
The Point-to-Point Protocol (PPP) is a data link layer protocol, the second layer of the TCP/IP protocol stack, that encapsulates packets on a point-to-point link; it is designed to carry data between two points over a full-duplex link, including asynchronous links. PPP consists of three protocol families: the Link Control Protocol (LCP) family, the Network Control Protocol (NCP) family and the PPP extension protocol family. LCP establishes, tears down and monitors the PPP data link; the NCP family negotiates the format and type of the packets carried on that link; the extension family adds further PPP functions. PPP also provides the authentication protocols PAP and CHAP for network security.
Characteristics of PPP protocol
Unlike other link layer protocols, PPP supports both synchronous and asynchronous links, whereas X.25, Frame Relay and other data link layer protocols support only synchronous links. PPP has a range of NCP protocols such as IPCP and IPXCP, so it supports network layer protocols well; it has the authentication protocols CHAP and PAP, so it better protects network security; and it is easy to extend.
PPP negotiation process
Before a link is established, PPP goes through a series of negotiations. First, PPP performs LCP negotiation, covering the MTU (maximum transmission unit), the magic number, the authentication method, asynchronous character mapping and other options (see RFC 1661 for details). After LCP negotiation succeeds, the link enters the Establish (link establishment) phase; if CHAP or PAP authentication is configured, it then enters the CHAP or PAP authentication phase. After authentication passes, it enters network-layer negotiation (NCP), such as IPCP, IPXCP and BCP negotiation. Failure at any phase tears the link down.

The magic number is mainly used to detect link loopback. PPP sends Echo-Request and Echo-Reply packets to detect loopback and to maintain link state: if the magic number in a received Echo-Request is the same as the magic number PPP last sent, and this repeats more than the maximum number of consecutive times allowed, the link is judged to be looped back and must be reset. LCP can also detect a loop when it sends a Configure-Request; once LCP has seen the loop for a certain number of packets, the link is reset. If the Echo-Request packets PPP sends are lost, the link is reset after the maximum allowed number of consecutive losses is exceeded, to avoid sending excessive useless data. Asynchronous character mapping is used for the character conversion needed on asynchronous links.
PAP verification process
PAP is a two-way handshake protocol that authenticates a user by user name and password. The PAP process is as follows: once the link can carry data in both directions, the party being authenticated sends its local user name and password to the authenticator, which checks whether the user exists and the password is correct. If the password is correct, an ACK message is sent to the peer, telling it that it may proceed to the next negotiation phase; otherwise a NAK message is sent. If peer authentication fails, the link is not closed immediately; it is closed only when the number of authentication attempts reaches a set limit, which avoids unnecessary LCP renegotiation caused by transmission errors or network interference. PAP's characteristic is that user names and passwords cross the network in plain text, where they can be intercepted in transit and pose a serious threat to network security, so it suits environments with relatively low security requirements.
CHAP verification process
CHAP is a three-way handshake protocol. It transmits only user names over the network, never user passwords, so its security is higher than PAP's. The CHAP process is as follows: first, the authenticator sends a random Challenge packet to the peer, attaching its local host name. When the peer receives the Challenge, it looks in its local user table for the password belonging to the authenticator's host name; if it finds a user whose host name matches the authenticator's, it uses the Message ID, that user's key and the random message to generate a Response with the MD5 algorithm, then returns the Response together with its own host name. When the authenticator receives the Response, it uses the Message ID, the password (key) it holds locally and the random message to compute the MD5 result, compares it with the peer's Response, and returns the corresponding result.
Comparison
PAP begins with the party being authenticated sending its user name and password to the authenticator, whereas CHAP is initiated by the authenticator. The main difference is that PAP transmits the password in plaintext, while CHAP does not transmit the password over the link at all. This is why the password cannot be seen when packets are captured with a protocol analyser: the authentication uses CHAP, so the password is never sent in plaintext over the link.
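The CHAP exchange described above, next to the PAP request it is contrasted with, as an added Python example (not code from the original page). The user table, the host name "router-b" and the secret are constructed values; the digest is computed as MD5(Identifier || secret || Challenge), the construction RFC 1994 specifies, so the test can confirm that the secret appears in the PAP bytes but never in the CHAP bytes.

```python
import hashlib
import hmac
import os

# Constructed, hypothetical authenticator user table: peer host name -> secret.
USER_TABLE = {"router-b": b"s3cret-pass"}


def pap_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request payload (RFC 1334): both fields go in the clear."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_challenge(length: int = 16) -> bytes:
    """Authenticator: a fresh random Challenge value for each round."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer: Response = MD5(Identifier || secret || Challenge), per RFC 1994."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, peer_name: str, challenge: bytes, response: bytes) -> bool:
    """Authenticator: recompute the digest from its own copy of the secret."""
    secret = USER_TABLE.get(peer_name)
    if secret is None:
        return False  # host name not in the user table -> Failure
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time compare


def chap_exchange(peer_name: str, peer_secret: bytes, identifier: int = 1,
                  challenge: bytes = None):
    """Run the three-way handshake in-process; return (success, bytes seen on the wire)."""
    challenge = challenge or chap_challenge()
    response = chap_response(identifier, peer_secret, challenge)
    ok = chap_verify(identifier, peer_name, challenge, response)
    on_wire = challenge + response + peer_name.encode()  # what a capture would show
    return ok, on_wire


if __name__ == "__main__":
    print("PAP wire bytes:", pap_request(b"router-b", b"s3cret-pass"))
    print("CHAP result:", chap_exchange("router-b", b"s3cret-pass"))
```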
