Initial understanding of PPPoE Protocol

We all know that PPPoE is a point-to-point transmission protocol in Ethernet. In this article, we will carefully summarize some of the working principles, characteristics, and application content of this protocol, hoping to help you learn it.

I. PPPOE Protocol Introduction

PPPOE, short for Point-to-Point Protocol Over Ethernet, works at the OSI data link layer. PPPOE Provides broadcast-type networks such as Ethernet) multiple hosts are connected to the Remote Access Concentrator. We use a broadband access server as the device that can currently complete the above functions.

1. How PPPOE works

PPPOE protocol consists of two phases: PPPOE Discovery phase PPPOE Discovery Stage) and PPPOE Session Stage ). The main difference between the two is that the PPPOE packet header is encapsulated before the PPP data packets.

When a host wants to start a PPPOE session, it first looks for an Access Concentrator on a broadcast network. Of course, Multiple Access Concentrator may exist on the network, for the host, the selection is based on the services provided by the Access Concentrator AC and Access Concentration or the user's pre-configuration. After the host selects the required Access Concentrator, it starts to establish a PPPOE session process with the Access Concentrator. In this process, the Access Concentrator allocates a unique process ID for each PPPOE session. After the session is established, the PPPOE session phase starts, in this phase, the point-to-point structure of the two sides of the point-to-point connection is different from that of the PPP. It is a logical point-to-point relationship.) The PPP protocol is used to exchange data packets, to complete a series of PPP processes, the network layer datagram is finally transmitted on this point-to-point logical channel.

2. PPPOE data packet format

We will briefly introduce the data packet format of PPPOE. PPPOE data packets are encapsulated in the data domain of the Ethernet frame. To put it simply, we may divide the PPPOE packet into two parts: one is the data header of PPPOE, and the other is the net load data domain of PPPOE ), the content in the data domain of the PPPOE packet will change as the session process progresses.

◆ The first 4 bits of PPPOE data packets are version domains. The Protocol clearly stipulates that the content of this domain is filled with 0x1.

◆ The four digits following the versionfield are type fields. The protocol also stipulates that the content of this field is filled with 0x1.

◆ The code domain occupies 1 byte, And the content in this domain is different for different stages of PPPOE.

◆ The session ID point uses two bytes. If the Access Concentrator has not assigned a unique session ID to the user host, the content in the domain must be filled with 0x0000, once the host obtains the session ID, the unique session ID value must be filled in the domain in all subsequent messages.

◆ The length field is two bytes to indicate the length of the net load in the PPPOE datagram.

◆ The data domain, also known as the Net Load domain, varies greatly in different stages of PPPOE. In the PPPOE discovery phase, some Tag tags will be filled in the domain). In the PPPOE session phase, the domain carries PPP packets.

Here we will mainly introduce the Message format and its packets in the PPPOE discovery phase:

1) Tag in PPPOE datagram) Format

For PPPOE data packets in the discovery phase, its net load may contain zero or multiple Tag tags. In fact, these tags are very similar to PPP Configuration Parameter options, it also needs to be negotiated. The PPPOE protocol does not have much details defined as the PPP Configuration Parameter options, but is just a preliminary definition, therefore, the actual implementation of this process will vary according to the devices of different manufacturers. The type fields of the tag are two bytes. The following table lists the meanings of the tag types:

Description of tag type

0x0000 indicates the end of a string of tags in the data domain of the PPPOE message. It is retained to ensure version compatibility and is applied in some packets.

0x0101 service name, mainly used to indicate some services that the network side can provide to users.

0x0102 Access Concentrator name. When the user side receives the PADO message from the AC response, the user can obtain the name of the Access Concentrator from the flag carried, you can also select the Access Concentrator accordingly.

0x0103 unique host ID, similar to the ID domain in PPP data packets, is mainly used to match the sending and receiving ends, because many PPPOE data packets exist in the broadcast network at the same time.

0x0104 AC-Cookies are mainly used to prevent malicious DOS attacks.

0x0105 the identifier of the seller.

0x0110 relay session ID. For PPPOE data packets, they can also be interrupted to end on another AC like DHCP packets. This field is used to maintain another connection.

0x0201 service name error. When the requested service name is not accepted by the peer end, this flag is carried in the Response Message.

0x0202 Error accessing concentrator name.

0x0203 general error.

◆ The length field is two bytes, which indicates the length of the data field.

◆ The marked data domains are used to place the data corresponding to different types of tags.

2) data packets in the PPPOE discovery phase

The discovery phase of PPPOE can be divided into four steps. In fact, this process is also a process of exchanging the four types of data packets of PPPOE. After completing these four steps, both the host and the Access Concentrator will be able to obtain the MAC address and unique session ID of the other party, so as to enter the next phase of PPPOE session ). In fact, after the two sides know each other's MAC address, they have determined a one-to-one correspondence relationship on the broadcast network. To ensure the validity of this connection, at the same time, the PPPOE protocol can be used more flexibly. Therefore, the session ID field is added to determine the point-to-point relationship between the two parties through these two conditions.

At the beginning of this phase, because the access user does not know the MAC address of the Access Concentrator, a mechanism similar to the ARP parsing process is used to obtain the MAC address of the Access Concentrator. First, an initialized broadcast packet is initiated by the access user. When the Access Concentrator is configured with PPPOE, it will detect packets on the network, when it is found that the Ethernet data frame carries the PPPOE packet, it is differentiated by the Protocol domain content), it will be handed over to the corresponding module for processing. After receiving the initialization packet, the Access Concentrator will respond to the user with a message. If there are many such Access Concentrator on the network and all of them receive the Initialization Packet sent by the user side, they will also send a confirmation packet to the user side, if the user receives the message, a unique Access Concentrator is selected based on the content carried in the message or some local configurations. By now, the first two steps have been completed. The remaining two steps are to negotiate some provided service options and obtain the session ID value required for the PPPOE session phase.

Note: At this stage, all data packets are carried in the Ethernet data domain, and the protocol domain of the Ethernet data frame is always 0x8863.

During the four steps of PPPOE discovery, PPPOE may encounter four types of packets: PADI, PADO, PADR, and PADS. The PADT packet in PPPOE is used to terminate a session.

◆ PADIPPPOE Active Discovery Initiation) Message

The first step in the PPPOE discovery phase is that the user side first sends such a message. The user host sends this message in broadcast mode. Therefore, the destination address domain of the Ethernet frame corresponding to the message should be 1, and the source address domain should be filled with the MAC address of the user host. The broadcast package may be received by Multiple Access Concentrator.

◆ PADOPPPOE Active Discovery Offer) Message

The second step in the PPPOE discovery phase is that the Access Concentrator responds to the PADI packets sent by each user host. At this time, the source address of the Ethernet frame corresponding to the packet is filled with the MAC address of the Access Concentrator, the target address is the MAC address of the user host obtained from PADI.

◆ PADRPPPOE Active Discovery Request) Message

The third step in the PPPOE discovery phase is that the user host sends unicast request packets to the access server. When the user host receives the PADO packet, it selects an Access Concentrator from these packets as the object for subsequent sessions. The user host receives the MAC address of the Access Concentrator after receiving the PADO packet. Therefore, the source address of the Ethernet frame of the PADR packet is filled with the MAC address of the user host, the destination address of Ethernet is the MAC address of the Access Concentrator.

◆ PADSPPPOE Active Discovery Session-confirmation) Message

The fourth step in the PPPOE discovery phase is the last step. When the Access Concentrator receives a PADR message, it is ready to start a PPP session, at this time, the Access Concentrator allocates a unique session process ID for this session and carries this session ID in the PADS message sent to the host. Of course, if the Access Concentrator does not meet the service applied by the user, a PADS message will be sent to the user, with a service name error mark, in this case, the session ID in the PADS packet is filled with 0x0000.

◆ PADTPPPOE Active Discovery Terminate) Message

The PADT message may be sent at any time after the start of the session, mainly used to terminate a PPPOE session. It can be sent by the host or Access Concentrator, And the destination address is filled with the MAC address of the Peer Ethernet.

Ii. Detailed Decoding of PPPOE Discovery

Capture the PPPOE packet. We can see that this is the first PADI packet in the PPPOE discovery phase. Let's describe it in detail:

◆ Version: 1. The Protocol clearly stipulates that the content of this field is filled with 0x1.

◆ Type: the 1 Protocol also provides clear provisions. Here the function is also filled with 0x1

◆ Code: 0x09, indicating that the message is a PADI packet in the detection phase

◆ Session ID: 0, indicating that there is no session ID

◆ Length: 16, indicating the length of the net load in the PPPOE Datagram

◆ PPP discovery Tag: The tag type table listed on the page can be seen.