About LCP negotiation

Source: Internet
Author: User

Copyright Notice: when reprinting, please use hyperlinks to indicate the original source and author of the article and this statement.

Http://tianyunxing.blogbus.com/logs/61114327.html

 

During LCP negotiation, each party sends a Configure-Request to the other, and the other party responds with a Configure-Ack.

PAP verification process:
A two-way handshake. Once the link can carry data in both directions, the authenticated party sends its local user name and password to the authenticator. If they are correct, the authenticator returns an ACK packet; otherwise it returns a NAK packet. A verification failure does not close the link directly; the link is closed only when the number of failed verifications reaches a configured limit.

CHAP verification process:
A three-way handshake protocol that only ever sends the user name over the network, never the user password. First, the authenticator sends a random challenge packet to the authenticated party, with the authenticator's local host name attached. On receiving it, the authenticated party looks up the password in its user table by the host name carried in the message. Having found it, it uses the message ID, the user's key and the random challenge to generate a response with the MD5 algorithm, then sends the response together with its own host name back to the authenticator. On receiving the response, the authenticator uses the message ID, the password (key) it holds locally and the random challenge it retained to compute a result with MD5, compares it with the authenticated party's response, and returns a result according to the comparison.

The biggest difference between PAP and CHAP:
In PAP the authenticated party first sends its user name and password to the authenticator, whereas in CHAP the authenticator initiates the verification process. The main difference is that PAP transfers the password in plaintext, while in CHAP verification the password is never transmitted on the line.

MP multi-link bundling
MP is a PPP function extension protocol. Two links can be bundled only when their endpoint discriminators and authentication modes are completely consistent, which means that MP negotiation can be completed only after authentication has completed, and MP will not cause the link
If MP is configured but the two links do not meet the MP conditions, a new MP channel is created, which also shows that MP is allowed with a single link. MP binding is based on the user: only links belonging to the same user can be bound. For example, if one end has MP configured but the other end does not support MP or does not have MP configured, the established link is a non-MP link.

PPP protocol introduction

PPP (Point-to-Point Protocol) is a data link layer protocol for encapsulating and transmitting network layer packets over a point-to-point link. It sits at the second layer of the TCP/IP protocol stack and is mainly designed to support full-duplex data transmission between two points over a synchronous or asynchronous link.
PPP consists of three protocol families: the Link Control Protocol family (LCP), the Network Control Protocol family (NCP) and the PPP extension protocol family. The Link Control Protocol is mainly used to establish, tear down and monitor PPP data links; the Network Control Protocol family is mainly used to negotiate the format and type of the packets carried on the data link; and the extension protocol family mainly provides further support for PPP functions. PPP also provides authentication protocols (PAP and CHAP) for network security.
PPP protocol features

- Unlike other link layer protocols, PPP supports both synchronous and asynchronous links, whereas data link layer protocols such as X.25 and Frame Relay support only synchronous links;
- It has various NCP protocols, such as IPCP and IPXCP, and so supports network layer protocols better;
- The CHAP and PAP protocols better ensure network security;
- It is easy to extend.
PPP negotiation process

PPP requires a series of negotiations before the link is established. The process is as follows. PPP first performs LCP negotiation, covering the MTU (maximum transmission unit), magic number, authentication method, asynchronous character mapping and other options (for details see RFC 1661). After LCP negotiation succeeds, the link enters the Establish (link establishment) phase. If CHAP or PAP authentication is configured, it then enters the CHAP or PAP authentication phase; after authentication passes, it enters the network layer negotiation phase (NCP), such as IPCP, IPXCP and BCP negotiation. Failure in any phase leads to the link being torn down.
The magic number is mainly used to detect loopback on the link. PPP sends Echo-Request and Echo-Reply packets to detect loopback and to maintain the link. If the magic number in a received Echo-Request is the same as the magic number sent last time, and this happens more consecutive times than the maximum number of loopbacks allowed, the link is judged to be looped back, and measures should be taken to reset it. LCP can also detect loopback while sending Configure-Request; once LCP finds a loopback, it resets the link after sending a certain number of packets. If the Echo-Request packets PPP sends are lost, the link is reset once the maximum allowed number of consecutive losses is reached, to avoid transmitting excessive invalid data. Asynchronous character mapping is used for synchronous/asynchronous conversion.
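The loopback and echo-loss checks described above, as an added example (not code from the original post): Echo-Request/Echo-Reply packets are framed as in RFC 1661 (Code 9/10, Identifier, Length, Magic-Number), and a small monitor counts consecutive Echo-Requests that carry the local magic number and consecutive Echo-Requests that get no reply. The thresholds, magic numbers and peer behaviours are constructed for the example.

```python
import struct

LCP_ECHO_REQUEST, LCP_ECHO_REPLY = 9, 10    # LCP codes from RFC 1661

def lcp_echo(code, ident, magic, data=b""):
    """Encode Code(1) | Identifier(1) | Length(2) | Magic-Number(4) | Data."""
    return struct.pack("!BBHI", code, ident, 8 + len(data), magic) + data

def lcp_echo_unpack(pkt):
    code, ident, length, magic = struct.unpack("!BBHI", pkt[:8])
    if length != len(pkt) or code not in (LCP_ECHO_REQUEST, LCP_ECHO_REPLY):
        raise ValueError("not an LCP echo packet")
    return code, ident, magic

class LinkMonitor:
    """Counts loopbacks (our magic coming back) and unanswered requests; thresholds are constructed."""
    def __init__(self, local_magic, max_loopbacks=3, max_lost=5):
        self.local_magic, self.max_loopbacks, self.max_lost = local_magic, max_loopbacks, max_lost
        self.loopbacks = self.lost = 0
        self.pending = self.reset_reason = None   # awaited request id; why the link must reset
    def send_echo_request(self, ident):
        if self.pending is not None:             # last request never answered: count a loss
            self.lost += 1
            if self.lost >= self.max_lost:
                self.reset_reason = "echo loss"
        self.pending = ident
        return lcp_echo(LCP_ECHO_REQUEST, ident, self.local_magic)
    def receive(self, pkt):
        code, ident, magic = lcp_echo_unpack(pkt)
        if code == LCP_ECHO_REPLY and ident == self.pending:
            self.pending, self.lost = None, 0    # reply arrived: link alive, clear losses
        elif code == LCP_ECHO_REQUEST:           # a peer's request carries OUR magic only if looped back
            self.loopbacks = self.loopbacks + 1 if magic == self.local_magic else 0
            if self.loopbacks >= self.max_loopbacks:
                self.reset_reason = "loopback"
        return self.reset_reason

def simulate(peer, rounds=6, magic=0x1234ABCD):
    """peer: 'reply' (healthy), 'loop' (wire returns our frames), 'silent' (dead line)."""
    mon = LinkMonitor(magic)
    for i in range(rounds):
        frame = mon.send_echo_request(i)
        if peer == "reply":
            mon.receive(lcp_echo(LCP_ECHO_REPLY, i, 0x0BADF00D))   # peer's own magic
        elif peer == "loop":
            mon.receive(frame)
        if mon.reset_reason:
            break
    return mon.reset_reason
```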

PAP verification process

PAP is a two-way handshake protocol that verifies a user by user name and password. The PAP verification process is as follows: once the link can carry data in both directions, the authenticated party sends its local user name and password to the authenticator, and the authenticator checks against its local user table or a RADIUS server whether the user exists and the password is correct, as shown in the figure. If it is correct, an ACK message is sent to the peer, telling it that it may enter the next phase of negotiation. Otherwise a NAK message is sent, telling the peer that verification failed; at this point the link is not closed directly. The link is closed only when the number of failed verifications reaches a certain value, so as to avoid unnecessary LCP re-negotiation caused by mis-transmission or network interference. PAP is characterised by sending the user name and password in plaintext over the network; if they are intercepted this can pose a great threat to network security, so PAP is suitable for environments with relatively low security requirements.
CHAP verification process

CHAP is a three-way handshake protocol. It transmits only the user name over the network, never the user password, so it is more secure than PAP. The CHAP verification process is as follows. First, the authenticator sends a random challenge packet to the authenticated party, with its local host name attached. The authenticated party receives the challenge request from the peer and looks up the user password in its user table by the host name in the message. If it finds a user with that host name, it uses the message ID, the user's key and the random packet to generate a response with the MD5 algorithm, then sends the response back together with its own host name. On receiving the response, the authenticator uses the message ID, the password (key) it holds locally and the random packet to compute a result with MD5, compares it with the respondent's response, and returns the corresponding result.
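The CHAP exchange described in both CHAP sections above, as an added example (not code from the original post): Challenge and Response packets are framed as in RFC 1994 (Code, Identifier, Length, Value-Size, Value, Name) and the response value is MD5(Identifier || secret || challenge). Host names, the shared secret and the user tables are constructed for the example; each side looks the secret up by the peer's host name, as the text describes.

```python
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2        # CHAP codes from RFC 1994

# Constructed sample configuration: each side maps the peer's host name to the shared secret.
AUTHENTICATOR_NAME, PEER_NAME, SECRET = b"RouterA", b"RouterB", b"constructed-secret"
AUTHENTICATOR_TABLE = {PEER_NAME: SECRET}   # authenticator's user table
PEER_TABLE = {AUTHENTICATOR_NAME: SECRET}   # authenticated party's user table

def chap_pack(code, ident, value, name):
    """Encode Code(1) | Identifier(1) | Length(2) | Value-Size(1) | Value | Name."""
    return struct.pack("!BBHB", code, ident, 5 + len(value) + len(name), len(value)) + value + name

def chap_unpack(pkt):
    """Decode a Challenge/Response packet into (code, ident, value, name)."""
    code, ident, length, vsize = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + vsize > length:
        raise ValueError("malformed CHAP packet")
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:]

def chap_hash(ident, secret, challenge):
    """Response value defined by RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def peer_respond(challenge_pkt, local_name, user_table):
    """Authenticated party: find the secret by the authenticator's host name carried in the
    Challenge, hash it with the message ID and challenge, and reply with its own host name."""
    code, ident, challenge, auth_name = chap_unpack(challenge_pkt)
    if code != CHAP_CHALLENGE or auth_name not in user_table:
        return None                       # unknown authenticator: nothing to answer
    return chap_pack(CHAP_RESPONSE, ident, chap_hash(ident, user_table[auth_name], challenge), local_name)

def authenticator_verify(response_pkt, ident, challenge, user_table):
    """Authenticator: recompute from its own copy of the secret and the challenge it retained;
    the constant-time compare avoids leaking how many bytes of the digest matched."""
    code, rid, value, name = chap_unpack(response_pkt)
    if code != CHAP_RESPONSE or rid != ident or name not in user_table:
        return False
    return hmac.compare_digest(value, chap_hash(ident, user_table[name], challenge))

def run_exchange(peer_table=PEER_TABLE):
    """Full three-way exchange; returns (authenticated, secret_visible_on_wire)."""
    ident, challenge = 0x2A, os.urandom(16)           # fresh random challenge every attempt
    c_pkt = chap_pack(CHAP_CHALLENGE, ident, challenge, AUTHENTICATOR_NAME)
    r_pkt = peer_respond(c_pkt, PEER_NAME, peer_table) or b""
    ok = bool(r_pkt) and authenticator_verify(r_pkt, ident, challenge, AUTHENTICATOR_TABLE)
    return ok, SECRET in (c_pkt + r_pkt)
```

The second element of the returned tuple is what a packet capture would show: the secret never appears in either packet, which is the point the comparison section makes.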
Comparison

In PAP the authenticated party first sends its user name and password to the authenticator, whereas in CHAP the authenticator initiates the verification process. The main difference is that PAP transfers the password in plaintext, while in CHAP verification the password is never transmitted on the line.

So the reason we cannot see the password when capturing packets with protocol analysis software is that the authentication method is CHAP, and the password is not transmitted in plaintext on the line.

Http://www.bbfish.net/vpn/vpn_7551.html
