For network access, the access network protocols define how a remote user reaches the network. This section looks at the relevant access network protocol, PPP. Because the Layer 3 tunneling protocols rely heavily on the characteristics of PPP, it is necessary to discuss PPP in some depth. PPP is designed to establish a point-to-point connection and send data over a dial-up or leased line. PPP encapsulates IP, IPX, and NetBEUI packets in PPP frames and sends them over the point-to-point link. PPP is mainly used to connect dial-up users to a NAS (network access server). A PPP dial-up session can be divided into four distinct phases, as follows:
Phase 1: Create the PPP link
PPP uses the Link Control Protocol (LCP) to create, maintain, or terminate the physical connection. Early in the LCP phase, the basic communication mode is selected. Note that during link creation only the authentication protocol is selected; the user is actually authenticated in Phase 2. Similarly, the LCP phase determines whether the two peers on the link need to negotiate the use of data compression or encryption; the actual selection of compression/encryption algorithms and other details is carried out in Phase 2.
Phase 2: User authentication
In Phase 2, the client sends the user's identity to the remote access server. This phase uses a secure authentication method to prevent a third party from stealing data or from impersonating the remote client and taking over the client's connection. Most PPP implementations provide only a limited set of authentication methods: the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP), and the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
1. Password Authentication Protocol (PAP)
PAP is a simple plaintext authentication method. The NAS asks the user for a user name and password, and PAP returns this user information in plaintext. Obviously, this authentication method is weak: a third party can easily capture the transmitted user name and password and use them to connect to the NAS and obtain all the resources the NAS provides. Once a user's password has been stolen, PAP offers no protection against a third party using it.
2. Challenge Handshake Authentication Protocol (CHAP)
CHAP is a challenge-response authentication method that avoids transmitting the user's real password when the connection is established. The NAS sends a Challenge to the remote user containing a session ID and an arbitrary challenge string. The remote client must apply the MD5 one-way hashing algorithm to the session ID, the challenge string, and the user's password, and return the resulting hash together with the user name. The user name itself is sent unhashed.
CHAP improves on PAP by never sending the plaintext password over the link; instead it sends a hash of the password combined with the challenge. Because the server holds the client's plaintext password, it can repeat the computation the client performed and compare its result with the value the client returned. CHAP generates a new challenge string for every authentication, which prevents replay attacks. Throughout the life of the connection, CHAP periodically sends fresh challenges to the client to prevent a third party from impersonating the remote client.
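The PAP and CHAP exchanges described above, as an added example that is not part of the original page: it builds a PAP Authenticate-Request (RFC 1334) to show that the password can be read straight out of the frame, and then runs a CHAP exchange in the RFC 1994 packet format, where the response value is MD5 over the identifier, the secret and the challenge value. The user name, secret and the NAS name `nas` are constructed sample values; `ChapServer` is a hypothetical minimal verifier written for this example, and it keeps each outstanding challenge so that a replayed response is rejected.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample credentials (not from the page).
USERNAME = b"alice"
SECRET = b"correct horse battery staple"


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Build a PAP Authenticate-Request (code 1): the password travels in the clear."""
    payload = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(payload)) + payload


def pap_password_from_request(packet: bytes) -> bytes:
    """What an eavesdropper on the link sees: the password is recoverable by parsing."""
    peer_len = packet[4]
    pw_len = packet[5 + peer_len]
    return packet[6 + peer_len:6 + peer_len + pw_len]


def parse_chap(packet: bytes):
    """Split a CHAP packet into (code, identifier, value, name)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    vsize = packet[4]
    value = packet[5:5 + vsize]
    name = packet[5 + vsize:length]
    return code, identifier, value, name


def chap_challenge(identifier: int, name: bytes, size: int = 16) -> bytes:
    """Build a CHAP Challenge (code 1) carrying a fresh random challenge value."""
    value = os.urandom(size)
    payload = bytes([size]) + value + name
    return struct.pack("!BBH", 1, identifier, 4 + len(payload)) + payload


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 4.1: MD5 over identifier || secret || challenge value, in that order."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(challenge_packet: bytes, name: bytes, secret: bytes) -> bytes:
    """Client side: answer a Challenge with a Response (code 2); the secret never leaves the host."""
    _, identifier, challenge, _ = parse_chap(challenge_packet)
    value = chap_response_value(identifier, secret, challenge)
    payload = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 2, identifier, 4 + len(payload)) + payload


class ChapServer:
    """Hypothetical minimal NAS-side verifier; CHAP requires the plaintext secret on the server."""

    def __init__(self, credentials: dict):
        self.credentials = credentials      # name -> plaintext secret
        self.outstanding = {}               # identifier -> challenge value awaiting a response
        self.next_id = 0

    def challenge(self) -> bytes:
        identifier = self.next_id & 0xFF
        self.next_id += 1
        packet = chap_challenge(identifier, b"nas")
        self.outstanding[identifier] = parse_chap(packet)[2]
        return packet

    def verify(self, response_packet: bytes) -> bool:
        code, identifier, value, name = parse_chap(response_packet)
        # Each challenge is consumed once, so a captured response cannot be replayed.
        challenge = self.outstanding.pop(identifier, None)
        secret = self.credentials.get(name)
        if code != 2 or challenge is None or secret is None:
            return False
        expected = chap_response_value(identifier, secret, challenge)
        return hmac.compare_digest(expected, value)


def run_chap_session() -> tuple:
    """Return (first attempt accepted, replay accepted, wrong-secret attempt accepted)."""
    server = ChapServer({USERNAME: SECRET})
    response = chap_response(server.challenge(), USERNAME, SECRET)
    first = server.verify(response)
    replayed = server.verify(response)
    bad = server.verify(chap_response(server.challenge(), USERNAME, b"wrong"))
    return first, replayed, bad


if __name__ == "__main__":
    print("PAP leaks:", pap_password_from_request(pap_authenticate_request(1, USERNAME, SECRET)))
    print("CHAP (accepted, replayed, wrong secret):", run_chap_session())
```

The replay check works because the server discards each challenge value after one use; even when the 8-bit identifier wraps around, a later challenge carries a different random value, so an old response no longer matches.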
3. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
Like CHAP, MS-CHAP is a challenge-response authentication mechanism. As with CHAP, the NAS sends the remote client a Challenge containing a session ID and an arbitrarily generated challenge string. The remote client must return the user name together with a response computed with the MD4 hash algorithm over the challenge string, the session ID, and the MD4 hash of the user's password. In this way the server stores only the hashed form of the user's password rather than the plaintext password, which provides further protection. In addition, MS-CHAP supports extra error codes, including a password-expired code, and encrypted client-server messages that allow users to change their own passwords. With MS-CHAP, the client and the NAS each generate a start key for subsequent data encryption. MS-CHAP works with MPPE-based data encryption, which is why MS-CHAP authentication is required when MPPE-based data encryption is enabled.