Introduction to the PPP Protocol

Source: Internet
Author: User

 

The Point-to-Point Protocol (PPP) was developed on the basis of SLIP. Because SLIP supports only asynchronous transmission and has no negotiation process, it has gradually been replaced by PPP. As a data link layer protocol that encapsulates and transmits data packets on a point-to-point link, PPP sits at the second layer of the OSI reference model and is mainly used to support point-to-point transmission on full-duplex asynchronous links.

PPP is widely used in both synchronous and asynchronous modes because it provides verification and is easy to extend.

Features of the PPP protocol:

It is a data link layer protocol;

It supports point-to-point connections (different from X.25, frame relay, and other data link layer protocols);

The physical layer can be a synchronous or asynchronous circuit (such as frame relay and other data link layer protocols);

It provides various NCP protocols, such as IPCP and IPXCP, to better support network layer protocols;

It has the verification protocols PAP and CHAP to better ensure network security.

PPP Components

PPP consists of two types of protocols: the Link Control Protocol (LCP) and the Network Control Protocol family (NCP).

The Link Control Protocol is used to establish, remove, and monitor PPP data links. The Network Control Protocol family is used to negotiate the format and type of data packets transmitted on the data link. PPP also provides a family of verification protocols (PAP and CHAP) for network security.

Link Control Protocol (LCP): establishes, configures, and tests PPP data link connections;

Network Control Protocol family (NCPs): negotiates the format and type of data packets transmitted on the link, and establishes and configures different network layer protocols;

PPP extension protocol family: provides further support for PPP functions.

PPP protocol stack

PPP has a layered structure. At the bottom layer, it can use synchronous media (such as ISDN or synchronous DDN leased lines) as well as asynchronous media (such as modem-based dial-up over the PSTN).

At the data link layer, PPP provides a wide range of services for link establishment, which are offered in the form of LCP negotiation options.

At the upper layer, PPP supports multiple network layer protocols through NCPs. PPP has an encapsulation format for each network layer protocol to distinguish their packets.

 

PPP negotiation is divided into several stages: dead, establish, authenticate, network, and terminate. Different protocols are negotiated at different stages. Only after the preceding negotiation has produced a result can the link proceed to the next stage and negotiate the next protocol.

1) When the physical layer is unavailable, the PPP link is in the dead stage; every link starts and ends in this stage. When the physical layer becomes available, PPP performs LCP negotiation before establishing a link. The negotiation content includes SP or MP, the verification method, and the maximum transmission unit.

2) After negotiation, LCP enters the establish stage. The LCP status is opened, indicating that the link has been established.

3) If authentication (local or remote verification) is configured, the link enters the authenticate stage and begins CHAP or PAP verification.

4) If the verification fails, the link enters the terminate stage, the link is removed, and the LCP status changes to down. If the verification succeeds, the network negotiation stage (NCP) begins; the LCP status remains opened and the IPCP status changes from initial to request.

5) NCP negotiation supports IPCP negotiation, which mainly covers the IP addresses of both parties. A network layer protocol is selected and configured through NCP negotiation. After the selected network layer protocol has been configured successfully, it can send packets over this link.

6) The PPP link stays up until an explicit LCP or NCP frame closes the link or some external event occurs (for example, user intervention).

PAP and CHAP Verification

PAP verification is a two-way handshake verification. The password is sent in plain text. The process of PAP verification is as follows:

The party being verified sends the user name and password to the verifying party. The verifying party checks, based on its user configuration, whether the user exists and whether the password is correct, and then returns the corresponding response (acknowledge or not acknowledge).

If it is correct, an ACK message is sent to the peer, notifying it that it may proceed to the next negotiation phase; otherwise, a NAK message is sent, notifying the peer that verification failed. In this case the link is not closed immediately. The link is closed only when the number of verification failures reaches a certain value (4 by default), which prevents unnecessary LCP renegotiation caused by transmission errors or network interference.

PAP passes user names and passwords over the network in plain text. If they are intercepted during transmission, this may pose a great threat to network security. PAP is therefore suitable only for environments with relatively low network security requirements.

 

CHAP verification is a three-way handshake verification, and the password is a ciphertext (key). The CHAP verification process is as follows:

The authenticator sends a randomly generated packet (the challenge) to the party being verified, together with its own local host name;

When the party being verified receives the challenge from the peer, it looks up the user password in its own user table based on the authenticator's host name carried in the message. If the user table contains a user with the same host name as the authenticator, it uses the MD5 algorithm on the received random packet and that user's key to generate a response, and then sends the response back together with its own host name;

After receiving this response, the authenticator uses the peer's user name to look up the password (key) it holds for that user in its local user table, applies the MD5 algorithm to that password and the random packet to obtain a result, compares the result with the response from the party being verified, and returns the corresponding result (ACK or NAK) based on the comparison.

CHAP transmits only user names over the network, not user passwords. Therefore, it is more secure than PAP.
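The CHAP exchange described above, next to the PAP request it is compared with, as an added example that is not part of the original article. The packet layouts and the hash input (Identifier, then secret, then challenge) follow RFC 1994 and RFC 1334; the host names, the shared key and all function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

# Constructed sample data (assumptions, not from the original article).
AUTH_NAME, PEER_NAME, SECRET = b"hq-router", b"branch-router", b"s3cret-shared-key"
AUTH_USERS, PEER_USERS = {PEER_NAME: SECRET}, {AUTH_NAME: SECRET}  # local user tables

def pap_request(ident, user, password):
    """PAP Authenticate-Request (RFC 1334): user name and password sent in clear."""
    data = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data

def chap_packet(code, ident, value, name):
    """CHAP Challenge (code 1) or Response (code 2) as laid out in RFC 1994."""
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def chap_parse(pkt):
    code, ident, length, vlen = struct.unpack("!BBHB", pkt[:5])
    return code, ident, pkt[5:5 + vlen], pkt[5 + vlen:length]

def chap_hash(ident, secret, challenge):
    # RFC 1994: MD5 over Identifier || secret || Challenge Value.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def peer_respond(challenge_pkt):
    """Verified party: find the key by the authenticator's name, hash, reply."""
    _, ident, challenge, auth_name = chap_parse(challenge_pkt)
    value = chap_hash(ident, PEER_USERS[auth_name], challenge)
    return chap_packet(2, ident, value, PEER_NAME)

def authenticator_verify(response_pkt, ident, challenge):
    """Authenticator: recompute from its own table, compare in constant time."""
    code, rid, value, name = chap_parse(response_pkt)
    secret = AUTH_USERS.get(name)
    if code != 2 or rid != ident or secret is None:
        return False   # would be answered with a failure (the article's NAK)
    return hmac.compare_digest(value, chap_hash(ident, secret, challenge))

def demo():
    ident, challenge = 1, os.urandom(16)   # fresh random challenge per attempt
    chal_pkt = chap_packet(1, ident, challenge, AUTH_NAME)
    resp_pkt = peer_respond(chal_pkt)
    return {
        "chap_ok": authenticator_verify(resp_pkt, ident, challenge),
        # The same recorded response checked against a new challenge is rejected.
        "replay_ok": authenticator_verify(resp_pkt, ident, os.urandom(16)),
        "secret_in_pap": SECRET in pap_request(1, PEER_NAME, SECRET),
        "secret_in_chap": SECRET in chal_pkt + resp_pkt,
    }
```

Calling `demo()` returns the outcome of one exchange: the CHAP response verifies, a recorded response fails against a new challenge, and the key is visible in the PAP request bytes but in neither CHAP packet.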
