We have introduced several types of access network protocols. In our general view, the access network also covers wired access, and the protocol most familiar from that setting is PPP. Because the layer-3 tunneling protocols rely heavily on the characteristics of PPP, PPP deserves an in-depth discussion. PPP is designed to establish a point-to-point connection for sending data over a dial-up or leased line: IPX and NetBEUI packets are encapsulated in PPP frames and sent across the point-to-point link. PPP is mainly used to connect dial-up users to a NAS (network access server). A PPP dial-up session can be divided into four phases:
Phase 1: Create a PPP link
PPP uses the Link Control Protocol (LCP) to establish, maintain and terminate the physical connection. Early in the LCP phase the basic communication mode is chosen; at this point only the authentication protocol is selected, while the user authentication itself is carried out in Phase 2. Likewise, the LCP phase determines whether the two peers on the link will negotiate the use of data compression or encryption; the actual choice of compression and encryption algorithms and other details is made in Phase 4.
Phase 2: User authentication
In Phase 2 the client sends the user's credentials to the remote access server. This phase uses a secure authentication method so that a third party cannot steal the data or impersonate the remote client and take over its connection. Most PPP implementations offer only a limited set of authentication methods: the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP) and the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
1. Password Authentication Protocol (PAP)
PAP is a simple plaintext authentication method. The NAS asks the user for a user name and password, and PAP returns them in plaintext. This is clearly a weak method: a third party can easily capture the transmitted user name and password and use them to establish its own connection to the NAS and obtain every resource the NAS provides. Once a user's password has been stolen, PAP offers no protection against such third-party attacks.
2. Challenge Handshake Authentication Protocol (CHAP)
CHAP is an encrypted authentication method that avoids transmitting the real user password when the connection is established. The NAS sends the remote user a challenge consisting of a session ID and an arbitrary challenge string. The remote client must reply with the user name together with an MD5 one-way hash computed over the challenge string, the session ID and the user password. The user name itself is sent unhashed.
CHAP improves on PAP by never sending the plaintext password across the link; instead the password is hashed together with the challenge. Because the server holds the client's plaintext password, it can repeat the computation the client performed and compare its result with the value the client returned. CHAP generates a new challenge string for every authentication, which prevents replay attacks, and it repeats the challenge to the client at intervals throughout the connection so that a third party cannot take over the session by impersonating the remote client.
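The CHAP exchange just described, as an added example that is not part of the original article: the client hashes the secret with the challenge, the NAS repeats the computation from its stored plaintext secret, and each challenge is single-use so a captured response cannot be replayed. It assumes the response layout of RFC 1994 (MD5 over identifier, secret, challenge), with the one-byte identifier playing the role of the session ID mentioned above; the user name and secret are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5 over Identifier || secret || Challenge (RFC 1994 layout).
    Only this digest goes on the wire, never the plaintext secret."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """NAS side. It must keep the plaintext secret so it can repeat the
    client's computation and compare, which is the trade-off noted in the text."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self._secrets = dict(secrets)
        self._identifier = 0
        self._pending: Dict[int, bytes] = {}  # outstanding challenges by identifier

    def challenge(self, length: int = 16) -> Tuple[int, bytes]:
        """Issue a fresh random challenge; a new value per authentication defeats replay."""
        self._identifier = (self._identifier + 1) & 0xFF
        value = os.urandom(length)
        self._pending[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Succeed only if the response matches the one outstanding challenge."""
        challenge = self._pending.pop(identifier, None)  # single use: spent on first check
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def demo() -> Tuple[bool, bool]:
    """Constructed exchange: a genuine login, then the same response replayed."""
    nas = ChapAuthenticator({"alice": b"correct horse battery"})  # constructed secret
    ident, chal = nas.challenge()
    resp = chap_response(ident, b"correct horse battery", chal)
    first = nas.verify(ident, "alice", resp)
    # An eavesdropper who captured `resp` gains nothing: that challenge is spent.
    replayed = nas.verify(ident, "alice", resp)
    return first, replayed


if __name__ == "__main__":
    print(demo())  # (True, False)
```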
3. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
Like CHAP, MS-CHAP is an encrypted authentication mechanism. As with CHAP, the NAS sends the remote client a challenge containing a session ID and an arbitrarily generated challenge string. The remote client must return the user name together with an MD4 hash computed over the challenge string, the session ID and the MD4 hash of the user password. As a result the server stores only the hashed user password rather than the plaintext, which provides additional protection. MS-CHAP also supports extra error codes, including a password-expired code, and additional client-server messages that let users change their own passwords in encrypted form. With MS-CHAP, the client and the NAS each generate an initial key for the subsequent data encryption. MS-CHAP is tied to MPPE-based data encryption, which is why MS-CHAP authentication is required whenever MPPE-based data encryption is enabled.