PPP (the Point-to-Point Protocol) is one of the most basic protocols in a network, and it is the subject of this article. First, the basic concepts. PPP is a data link layer protocol designed to carry packets between two peers over a point-to-point link. The link is full duplex and delivers frames in order. PPP provides a common solution for simple connections between hosts, bridges, and routers of many kinds.
The PPP protocol consists of three parts:
1. A method for encapsulating datagrams in frames.
2. The Link Control Protocol (LCP): used to negotiate encapsulation-format options, establish and terminate the connection, and detect link errors and configuration errors.
3. A family of Network Control Protocols (NCPs), one per network layer protocol, used to establish and configure that protocol over the link (for IP this is IPCP).
PPP protocol details
1. PPP data frame Encapsulation
The PPP protocol defines an encapsulation method for data transmitted over a serial link, based on the High-Level Data Link Control (HDLC) framing standard. The format of the PPP frame is shown in Figure 1.
A PPP frame starts and ends with the flag byte 01111110 (0x7E). The address field is one byte, always the all-stations address 11111111 (0xFF); the control field is one byte, always 00000011 (0x03). The protocol field is two bytes long and identifies the protocol carried in the data field: for example 0x0021 is IP, 0xC021 is LCP, and 0x8021 is IPCP, the NCP for IP. The data field holds the datagram of the protocol named in the protocol field; its length is 0 to 1500 bytes by default (the Maximum Receive Unit, which LCP can negotiate). The FCS field is a cyclic redundancy check computed over the address, control, protocol and data fields and is used to detect corruption in transit. Because the flag byte can also occur inside the frame, the sender escapes any 0x7E or 0x7D in the body (and, by default, every byte below 0x20) as 0x7D followed by the byte XOR 0x20; the receiver reverses this before checking the FCS.
Even with every header field present, the framing overhead of a PPP frame is only 8 bytes (two flags, address, control, a two-byte protocol field and a two-byte FCS). On low-speed or bandwidth-metered links, LCP can negotiate Address-and-Control-Field Compression (omitting the constant 0xFF 0x03) and Protocol-Field Compression (shortening the protocol field to one byte when its high byte is zero), so that only 2 or 4 bytes precede the data field; this is what is called PPP header compression.
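The framing described above, as an added example (not code from the original article): it builds and parses PPP frames in HDLC-like framing, with the 0x7E flag, 0x7D byte stuffing under the default escape map, the 16-bit FCS of RFC 1662, and the two LCP header compressions. The sample payload and the "constructed" comments mark data invented for the example; the function and constant names are the example's own.

```python
"""Build and parse PPP frames in HDLC-like framing (RFC 1662).

Added example, not code from the original article. Covers the 0x7E flag,
0x7D byte stuffing with the default ACCM, the 16-bit FCS, and the two LCP
header compressions (ACFC drops the FF 03 address/control bytes, PFC
shortens the protocol field to one byte).
"""

FLAG = 0x7E
ESC = 0x7D
ADDRESS, CONTROL = 0xFF, 0x03
PPP_IP, PPP_IPCP, PPP_LCP = 0x0021, 0x8021, 0xC021
GOOD_FCS16 = 0xF0B8  # residue when the FCS is run over body + transmitted FCS

# Constructed payload (not a valid IP datagram): includes bytes that must be escaped
SAMPLE_PAYLOAD = bytes([0x45, 0x00, 0x00, 0x14, 0x7E, 0x7D, 0x11])


def fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """RFC 1662 FCS-16 (CRC-16/X.25, reflected polynomial 0x8408), bitwise form."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def escape(body: bytes, accm: int = 0xFFFFFFFF) -> bytes:
    """Flag, escape, and every control byte selected by the ACCM become 0x7D, byte ^ 0x20."""
    out = bytearray()
    for b in body:
        if b in (FLAG, ESC) or (b < 0x20 and (accm >> b) & 1):
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)


def unescape(data: bytes) -> bytes:
    """Reverse the byte stuffing; a trailing lone 0x7D is a framing error."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        i += 1
        if b == ESC:
            if i == len(data):
                raise ValueError("dangling escape byte")
            b = data[i] ^ 0x20
            i += 1
        out.append(b)
    return bytes(out)


def build_frame(protocol: int, payload: bytes, acfc: bool = False, pfc: bool = False,
                accm: int = 0xFFFFFFFF) -> bytes:
    body = b"" if acfc else bytes([ADDRESS, CONTROL])
    if pfc and protocol <= 0xFF:       # low byte of a protocol number is odd, so one byte suffices
        body += bytes([protocol])
    else:
        body += protocol.to_bytes(2, "big")
    body += payload
    fcs = fcs16(body) ^ 0xFFFF
    body += bytes([fcs & 0xFF, fcs >> 8])   # FCS is sent least-significant byte first
    return bytes([FLAG]) + escape(body, accm) + bytes([FLAG])


def parse_frame(raw: bytes) -> dict:
    """Return protocol and payload; raise ValueError on framing or FCS errors."""
    if len(raw) < 4 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("missing flag")
    body = unescape(raw[1:-1])
    if len(body) < 3:                         # at least a one-byte protocol plus the FCS
        raise ValueError("frame too short")
    if fcs16(body) != GOOD_FCS16:             # check runs over the received FCS as well
        raise ValueError("bad FCS")
    body = body[:-2]
    if body[:2] == bytes([ADDRESS, CONTROL]):  # absent when ACFC was negotiated
        body = body[2:]
    if body[0] & 1:                            # odd first byte: PFC one-byte protocol
        protocol, payload = body[0], body[1:]
    else:
        protocol, payload = int.from_bytes(body[:2], "big"), body[2:]
    return {"protocol": protocol, "payload": payload}


if __name__ == "__main__":
    frame = build_frame(PPP_IP, SAMPLE_PAYLOAD)
    print(frame.hex(" "), parse_frame(frame))
```

The parser relies on two invariants of the protocol numbering: the address byte 0xFF is odd while the high byte of every protocol number is even, so an uncompressed header is unambiguous, and the low byte of every protocol number is odd, so a one-byte (PFC) field can be told apart from a two-byte one by its first byte alone.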
2. Four phases of PPP session
To explain PPP in detail we must understand its four phases. A complete PPP session has four: link establishment, link quality determination (which includes authentication), network layer protocol configuration, and link termination (Figure 2).
(1) Link establishment phase: the two ends exchange LCP Configure packets; once each direction has been acknowledged the link is open. Options that are not explicitly negotiated take their default values, and only options independent of any network layer protocol are negotiated by LCP here. Note that during link establishment any packet received that is not an LCP packet is silently discarded.
(2) Link quality determination phase: some documents call this the authentication phase. LCP may test whether the link quality is good enough to carry network layer protocols; this test is optional in PPP and may be skipped. If an authentication protocol was negotiated, authentication is completed in this phase. PPP supports two: the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP).
(3) Network layer protocol phase: after the first two phases complete, each network layer protocol (IP, IPX, and so on) is configured by its own NCP, and only then can its datagrams be sent over the link.
(4) Link termination phase: LCP closes the link by exchanging Terminate-Request and Terminate-Ack packets. A link may be terminated for many reasons: loss of carrier, authentication failure, link quality failure, expiry of an idle timer, or administrative shutdown.
3. Authentication Mechanism in PPP protocol
Authentication is optional in PPP. Once the link is established, the peer is authenticated before network layer traffic is allowed, so that an unauthorized peer cannot bring up a connection and read or inject traffic. PPP supports two authentication protocols:
(1) Password Authentication Protocol (PAP): the peer sends a username/password pair to the authenticator, repeating it until the authenticator answers with an Authenticate-Ack (accepted) or Authenticate-Nak (rejected).
(2) Challenge Handshake Authentication Protocol (CHAP): CHAP verifies the peer with a three-way handshake and may repeat it periodically. The authenticator sends a Challenge containing an identifier and a random value; the peer computes a response with the agreed one-way hash (MD5 by default, over the identifier, the shared secret and the challenge value) and sends it back; the authenticator computes the same value from its own copy of the secret, compares, and returns Success or Failure. Because the authenticator can issue a fresh Challenge at any time during the session, it can repeatedly confirm that the peer still holds the secret.
Both mechanisms are simple and well suited to low-speed links, but simplicity comes with weaknesses, above all poor security. PAP sends the username and password in cleartext, so anyone who can read the link obtains them directly. PAP also does nothing to slow a peer whose attempt fails: it may keep sending new Authenticate-Requests, so it is exposed to brute-force password guessing.
CHAP's advantage is that the secret itself never crosses the wire, so it cannot simply be read off the link. Because the exchange is driven by the authenticator's challenge, the peer cannot authenticate without first being challenged, which makes online guessing harder. CHAP is still far from a guarantee: a captured challenge/response pair can be attacked offline by guessing the secret and recomputing the MD5, so a weak secret falls quickly; and because the hash input needs the secret itself, the authenticator must store every peer's secret in recoverable (cleartext or reversibly encoded) form, so compromising the authenticator discloses all of them. Storing and distributing these secrets is a real burden in large networks, where a dedicated authentication server is usually used to hold them.
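The CHAP and PAP exchanges just described, as an added example that is not part of the original article: it produces the packets each side sends (RFC 1994 Challenge/Response/Success/Failure and the RFC 1334 Authenticate-Request), verifies a response the way the authenticator does, and then shows the two caveats above in code: the PAP password is a plain field in the packet, and a sniffed CHAP challenge/response pair can be guessed offline. The peer names A and B follow the article's router names; the secret "cisco" (taken from the configuration later on the page), the wordlist, and the class and function names are the example's own assumptions.

```python
"""CHAP (RFC 1994) and PAP (RFC 1334) authentication exchange between two PPP peers.

Added example, not code from the original article. Peer names A and B and the
secret "cisco" follow the article; the wordlist and all names are constructed.
"""
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4
PAP_AUTH_REQUEST = 1


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_packet(code: int, ident: int, value: bytes, name: bytes = b"") -> bytes:
    """Code | Identifier | Length | Value-Size | Value | Name; Success/Failure carry only a Message."""
    if code in (CHAP_CHALLENGE, CHAP_RESPONSE):
        body = bytes([len(value)]) + value + name
    else:
        body = value
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("CHAP length field does not match packet")
    if code in (CHAP_CHALLENGE, CHAP_RESPONSE):
        vsize = pkt[4]
        return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:]
    return code, ident, pkt[4:], b""


class Authenticator:
    """Authenticating end. The secrets must be kept in recoverable form (cleartext here)
    because the MD5 input is the secret itself; this is the storage weakness in the text."""

    def __init__(self, name: bytes, secrets: dict):
        self.name, self.secrets, self.pending = name, secrets, {}

    def challenge(self, ident: int, value: bytes = None) -> bytes:
        value = os.urandom(16) if value is None else value   # fixed value only for tests
        self.pending[ident] = value
        return chap_packet(CHAP_CHALLENGE, ident, value, self.name)

    def check(self, response_pkt: bytes) -> bytes:
        code, ident, value, name = parse_chap(response_pkt)
        challenge = self.pending.pop(ident, None)             # each challenge is usable once
        secret = self.secrets.get(name)
        if (code == CHAP_RESPONSE and challenge is not None and secret is not None
                and hmac.compare_digest(chap_hash(ident, secret, challenge), value)):
            return chap_packet(CHAP_SUCCESS, ident, b"Welcome")
        return chap_packet(CHAP_FAILURE, ident, b"Authentication failure")


def chap_respond(challenge_pkt: bytes, my_name: bytes, secret: bytes) -> bytes:
    """Peer side: hash the challenge with the shared secret and return it with our name."""
    code, ident, value, _peer_name = parse_chap(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    return chap_packet(CHAP_RESPONSE, ident, chap_hash(ident, secret, value), my_name)


def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: Peer-ID-Length | Peer-ID | Passwd-Length | Password, all in the clear."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def crack_chap(ident: int, challenge: bytes, response: bytes, wordlist):
    """Offline guess against a captured Challenge/Response pair; needs no further traffic."""
    for guess in wordlist:
        if chap_hash(ident, guess, challenge) == response:
            return guess
    return None


def run_chap(secret_on_a: bytes, secret_on_b: bytes, ident: int = 1, challenge: bytes = None) -> bool:
    """Router A authenticates router B; True when A answers with CHAP Success."""
    a = Authenticator(b"A", {b"B": secret_on_a})
    pkt1 = a.challenge(ident, challenge)            # A -> B: Challenge
    pkt2 = chap_respond(pkt1, b"B", secret_on_b)    # B -> A: Response
    pkt3 = a.check(pkt2)                            # A -> B: Success or Failure
    return parse_chap(pkt3)[0] == CHAP_SUCCESS


if __name__ == "__main__":
    print("CHAP with matching secrets:", run_chap(b"cisco", b"cisco"))
    print("PAP request bytes:", pap_request(1, b"A", b"cisco"))
```

The Authenticator discards each challenge after one use, so replaying a captured Response fails; what the replay protection does not prevent is the offline guess in crack_chap, which is why the strength of the shared secret is all that CHAP's hashing protects.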
PPP Configuration
PPP configuration is also part of a detailed treatment. PPP is used in many places, typically remote Internet access, and above all on router-to-router serial links.
In the example below, routers A and B are connected by two serial links: one (S1) is authenticated with PAP and the other (S0) with CHAP.
1. Router PPP encapsulation Configuration
In interface configuration mode:
A(config-if)# encapsulation ppp // enable PPP on interfaces S0 and S1 of router A
B(config-if)# encapsulation ppp // enable PPP on interfaces S0 and S1 of router B
2. Configure the user name and password used for PPP authentication
A(config)# username B password cisco // account on A that router B authenticates with
B(config)# username A password cisco // account on B that router A authenticates with
For CHAP the username configured on each router must be the other router's hostname, and the password must be identical on both sides. CHAP needs the cleartext password to compute the MD5 response, so the one-way hashed "username ... secret" form cannot be used for it; "service password-encryption" only applies the reversible type 7 encoding, which does not protect the password from anyone who can read the configuration.
3. Configure PAP Authentication
On the S1 interfaces of routers A and B:
A(config-if)# ppp authentication pap
B(config-if)# ppp authentication pap
From Cisco IOS 11.1 onward, an interface does not send its own PAP credentials unless ppp pap sent-username is configured on it.
One-way authentication: if only B authenticates A, then A needs only the sent-username and B needs only ppp authentication pap:
A(config-if)# ppp pap sent-username A password cisco // A identifies itself as A, matching the username entry on B
Two-way authentication: A and B authenticate each other, so both need ppp authentication pap and a sent-username:
A(config-if)# ppp pap sent-username A password cisco
B(config-if)# ppp pap sent-username B password cisco
4. Configure CHAP authentication
On the S0 interfaces of routers A and B:
A(config-if)# ppp authentication chap
B(config-if)# ppp authentication chap