4. Point-to-Point Protocol

Point-to-Point Protocol
Cisco Networking Academy
Semester 4
• WAN connections are controlled by protocols that perform the same basic functions as layer 2 LAN protocols.
• In a LAN environment, in order to move data between any two nodes or routers, a data path must be established and flow-control procedures must be in place to assure delivery of data.
• This is also true in the WAN environment and is accomplished by using WAN protocols.
The Point-to-Point Protocol (PPP) is generally viewed as the successor to the Serial Line IP (SLIP) protocol.
SLIP (FYI)
• The SLIP protocol stack encapsulated IP packets into HDLC (High-Level Data Link Control) frames.
• SLIP can only transport IP packets (it has no protocol field).
• The user must manually configure the MTU (Maximum Transmission Unit) and MRU (Maximum Receive Unit).
PPP provides:
• router-to-router connections
• host-to-network connections
• over both asynchronous (dialup) and synchronous circuits (T1, T3, ISDN).
• PPP emerged in the late 1980s in response to a lack of encapsulation protocols for the Internet that was blocking growth of serial-line access.
• PPP was basically created to solve remote Internet connectivity problems.
• PPP supports a number of network layer protocols, including Novell IPX, TCP/IP and AppleTalk.
PPP uses a layered architecture.
Physical Layer
With its lower-level functions, PPP can use:
• Synchronous physical media like those that connect ISDN.
• Asynchronous physical media like those that use basic telephone service for modem dialup connections.
Data Link Layer
• PPP offers a rich set of services that control setting up a data link.
• These services are options in LCP and are primarily negotiation and checking frames to implement the point-to-point controls an administrator specifies for the call.
Data Link and Network Layer
• With its higher-level functions, PPP carries packets from several network-layer protocols in NCPs.
• These are functional fields containing standardized codes to indicate the network-layer protocol type that PPP encapsulates.
PPP Components
PPP datagram transmission employs three key components to provide effective data transmission:
1. Encapsulation
2. Link Control Protocol (LCP)
3. Network Control Protocols (NCPs)
PPP connections are established in stages:
– An originating PPP node first sends LCP frames to configure and test the data link.
– Next, the link is established, and facilities are negotiated.
– The originating PPP node then sends NCP frames to choose and configure network layer protocols.
– The chosen network layer protocols, such as TCP/IP, Novell IPX and AppleTalk, are configured, and packets from each network layer protocol are sent.
PPP datagram transmission employs three key components:
• Encapsulation - PPP supports the High-Level Data Link Control (HDLC) protocol to provide encapsulation.
• Link Control Protocol (LCP) - An extensible LCP is used to establish, configure, and test the data link connection.
• Network Control Protocols (NCPs) - A family of NCPs is used to establish and configure different network layer protocols.
• Flag - Indicates the beginning or end of a frame and consists of the binary sequence 01111110.
• Address - Consists of the standard broadcast address, binary sequence 11111111. PPP does not assign individual station addresses.
• Control - 1 byte that consists of the binary sequence 00000011, which calls for transmission of user data in an unsequenced frame. A connectionless link service similar to that of Logical Link Control (LLC) Type 1 is provided.
• Protocol - 2 bytes that identify the protocol encapsulated in the data (Information) field of the frame. The most up-to-date values of the Protocol field are specified in the most recent Assigned Numbers Request For Comments (RFC).
• Data - Zero or more bytes that contain the datagram for the protocol specified in the Protocol field. The end of the Information field is found by locating the closing flag sequence and allowing 2 bytes for the FCS field. The default maximum length of the data (Information) field is 1,500 bytes. By prior agreement, consenting PPP implementations can use other values for the maximum Information field length.
• Frame Check Sequence (FCS) - Normally 16 bits (2 bytes), a 16-bit checksum. By prior agreement, consenting PPP implementations can use a 32-bit (4-byte) FCS for improved error detection.
• Note - The PPP Link Control Protocol (LCP) can negotiate modifications to the standard PPP frame structure. However, modified frames will be clearly distinguishable from standard frames.
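The frame layout described above, as an added worked example that is not part of the Cisco slides: a small Python implementation of the RFC 1662 HDLC-like framing that assembles a frame with the 0x7E flag, 0xFF address, 0x03 control, 2-byte protocol field and 16-bit FCS, and checks the FCS on receipt. The IPv4 protocol number, the FCS polynomial and the 0xF0B8 check residue are the standard values; the function names and the sample IP header are constructed for this example.

```python
# Added example, not from the slides: build and check a PPP frame in the
# HDLC-like framing of RFC 1662 (flag 0x7E, address 0xFF, control 0x03,
# 2-byte protocol, information, 16-bit FCS).  Function names and the sample
# payload are this example's own; the constants are the standard values.
FLAG = 0x7E
ESC = 0x7D
ADDRESS = 0xFF       # all-stations address: PPP assigns no station addresses
CONTROL = 0x03       # unnumbered information (UI) frame
PROTO_IPV4 = 0x0021  # assigned PPP protocol number for IPv4
FCS_GOOD = 0xF0B8    # residue an intact frame leaves when the FCS runs over data + FCS


def fcs16_raw(data: bytes, fcs: int = 0xFFFF) -> int:
    """Bitwise FCS-16 (CRC-16/X.25, reflected polynomial 0x8408) without the
    final one's complement, as in RFC 1662 Appendix C."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def fcs16(data: bytes) -> int:
    """FCS value as transmitted (one's complement of the register)."""
    return fcs16_raw(data) ^ 0xFFFF


def stuff(raw: bytes) -> bytes:
    """Async byte stuffing: escape the flag, the escape byte and (default ACCM) control bytes."""
    out = bytearray()
    for b in raw:
        if b in (FLAG, ESC) or b < 0x20:
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)


def unstuff(stuffed: bytes) -> bytes:
    out = bytearray()
    i = 0
    while i < len(stuffed):
        b = stuffed[i]
        if b == ESC:
            i += 1
            if i >= len(stuffed):
                raise ValueError("escape byte at end of frame")
            b = stuffed[i] ^ 0x20
        out.append(b)
        i += 1
    return bytes(out)


def build_frame(protocol: int, info: bytes) -> bytes:
    """Flag | FF | 03 | protocol (2) | information | FCS (2, low byte first) | Flag."""
    body = bytes([ADDRESS, CONTROL]) + protocol.to_bytes(2, "big") + info
    fcs = fcs16(body)
    body += bytes([fcs & 0xFF, fcs >> 8])
    return bytes([FLAG]) + stuff(body) + bytes([FLAG])


def parse_frame(frame: bytes):
    """Return (protocol, information) or raise ValueError on a damaged frame."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing opening/closing flag")
    body = unstuff(frame[1:-1])
    if len(body) < 6:  # address, control, protocol and FCS at minimum
        raise ValueError("frame too short")
    if fcs16_raw(body) != FCS_GOOD:
        raise ValueError("FCS mismatch: frame corrupted")
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected address/control field")
    protocol = int.from_bytes(body[2:4], "big")
    return protocol, body[4:-2]  # information ends 2 bytes before the closing flag


def frame_is_valid(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


# Constructed sample: a 20-byte IPv4 header (header checksum not computed).
SAMPLE_IP = bytes.fromhex("4500001c00010000401100000a0000010a000002")

if __name__ == "__main__":
    f = build_frame(PROTO_IPV4, SAMPLE_IP)
    print(f.hex())
    print(parse_frame(f))
```

Running the file prints the frame in hex and the parsed (protocol, information) pair. Flipping any bit of a received frame changes the FCS residue, so parse_frame raises ValueError; that is the error-detection behaviour the FCS field provides, and the 0x00 byte of the IPv4 protocol number shows the control-character escaping an asynchronous link applies.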
Authentication options require that the calling side of the link enter information to help ensure the caller has the network administrator’s permission to make the call.
Peer routers exchange authentication messages.
Two alternatives are:
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
Compression options increase the effective throughput on PPP connections by reducing the amount of data in the frame that must travel across the link.
The protocol decompresses the frame at its destination.
Two compression protocols available in Cisco routers are:
• Stacker
• Predictor
Error-detection mechanisms with PPP enable a process to identify fault conditions.
Multilink PPP provides load balancing over the router interfaces that PPP uses.
• Packet fragmentation and sequencing, as specified in RFC 1717, splits the load for PPP and sends fragments over parallel circuits.
• Multilink works over asynchronous serial interfaces, BRIs, and PRIs.
• In some cases, this “bundle” of multilink PPP pipes functions as a single logical link, improving throughput and reducing latency between peer routers.
The PPP Link Control Protocol (LCP) provides a method of establishing, configuring, maintaining, and terminating the point-to-point connection.
LCP goes through four distinct phases:
1. Link establishment and configuration negotiation (then authentication)
2. Link-quality determination
3. Network layer protocol configuration negotiation (NCP)
4. Link termination
1. Link Establishment and Configuration Negotiation
• Before any network layer datagrams (for example, IP) can be exchanged, LCP must first open the connection and negotiate the configuration parameters.
• This phase is complete when a configuration acknowledgment frame has been sent and received.
Link establishment phase
• In this phase, each PPP device sends LCP packets to configure and test the data link.
• LCP packets contain a Configuration Option field that allows devices to negotiate on the use of options such as the maximum receive unit, compression of certain PPP fields, and the link authentication protocol.
• Layer 2 configuration
• If a Configuration Option is not included in an LCP packet, the default value for that Configuration Option is assumed.
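The option negotiation just described, as an added example in Python that is not part of the slides: an encoder and decoder for the LCP Configuration Option list (type, length, data) and a Configure-Request handler that answers with Configure-Ack, Configure-Nak (carrying the values it would accept instead) or Configure-Reject (for options it will not negotiate), and that assumes the default MRU when the option is absent. The code numbers, option types and the PAP/CHAP protocol numbers are the standard assigned values from RFC 1661 and RFC 1994; the policy dictionary and the function names are this example's own.

```python
# Added example, not from the slides: LCP Configuration Option encoding and a
# Configure-Request handler deciding Ack, Nak or Reject.  Standard code and
# option numbers from RFC 1661/1994; policy format and names are this example's.
CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
OPT_MRU, OPT_AUTH, OPT_MAGIC = 1, 3, 5
AUTH_PAP, AUTH_CHAP = 0xC023, 0xC223
CHAP_MD5 = 0x05
DEFAULT_MRU = 1500  # assumed when no MRU option is negotiated


def build_options(options):
    """options: list of (type, data) -> option list; length includes the 2-byte header."""
    out = bytearray()
    for typ, data in options:
        out += bytes([typ, 2 + len(data)]) + data
    return bytes(out)


def parse_options(blob):
    opts, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated option header")
        typ, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad option length")
        opts.append((typ, bytes(blob[i + 2:i + length])))
        i += length
    return opts


def build_packet(code, ident, options):
    """LCP packet: Code (1) | Identifier (1) | Length (2) | options."""
    body = build_options(options)
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_packet(pkt):
    if len(pkt) < 4:
        raise ValueError("LCP packet too short")
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length < 4 or length > len(pkt):
        raise ValueError("bad LCP length")
    return code, ident, parse_options(pkt[4:length])


def mru_option(mru):
    return (OPT_MRU, mru.to_bytes(2, "big"))


def auth_option(proto, algorithm=None):
    data = proto.to_bytes(2, "big")
    if algorithm is not None:      # CHAP carries the hash algorithm as a 3rd byte
        data += bytes([algorithm])
    return (OPT_AUTH, data)


def handle_configure_request(pkt, policy):
    """policy = {"min_mru": int, "auth_allowed": set of protocols we are willing
    to authenticate ourselves with}.  Returns the reply packet bytes."""
    code, ident, opts = parse_packet(pkt)
    if code != CONF_REQ:
        raise ValueError("not a Configure-Request")
    rejected, naked = [], []
    for typ, data in opts:
        if typ == OPT_MRU and len(data) == 2:
            if int.from_bytes(data, "big") < policy.get("min_mru", 0):
                naked.append(mru_option(policy["min_mru"]))   # suggest a larger MRU
        elif typ == OPT_AUTH and len(data) >= 2:
            proto = int.from_bytes(data[:2], "big")
            allowed = policy.get("auth_allowed", set())
            if proto in allowed and (proto != AUTH_CHAP or data[2:] == bytes([CHAP_MD5])):
                continue                                       # acceptable as offered
            if AUTH_CHAP in allowed:
                naked.append(auth_option(AUTH_CHAP, CHAP_MD5))  # counter-propose CHAP
            elif AUTH_PAP in allowed:
                naked.append(auth_option(AUTH_PAP))
            else:
                rejected.append((typ, data))                   # refuse to authenticate
        elif typ == OPT_MAGIC and len(data) == 4:
            continue
        else:
            rejected.append((typ, data))                       # unknown or malformed
    if rejected:   # Reject takes precedence over Nak, Nak over Ack
        return build_packet(CONF_REJ, ident, rejected)
    if naked:
        return build_packet(CONF_NAK, ident, naked)
    return build_packet(CONF_ACK, ident, opts)


def negotiated_mru(acked_options):
    """MRU from the acknowledged options, or the default if the option was omitted."""
    for typ, data in acked_options:
        if typ == OPT_MRU:
            return int.from_bytes(data, "big")
    return DEFAULT_MRU
```

With a policy that only allows CHAP, a peer's request naming PAP is answered with a Configure-Nak that carries the CHAP/MD5 option, which is how "the second method will be tried" plays out on the wire in the authentication steps later in these slides; a request omitting the MRU option is acknowledged and the link runs at the 1500-byte default.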
• PPP is not a client/server model.
• All connections are peer to peer.
• So, when there is a caller and a receiver, both ends have to agree on the parameters and protocols.
2. Link-Quality Determination (PPP Authentication)
• LCP allows an optional link-quality determination phase following the link establishment and configuration negotiation phase.
• In the link-quality determination phase, the link is tested to determine whether the link quality is sufficient to bring up network layer protocols.
• LCP can delay transmission of network layer protocol information until this phase is completed.
Authentication (optional) takes place here.
PPP supports two authentication protocols:
• PAP (Password Authentication Protocol)
• CHAP (Challenge Handshake Authentication Protocol)
Authentication phase (optional)
• After the link has been established and the authentication protocol decided on, the peer may be authenticated.
• Authentication, if used, takes place before entering the network-layer protocol phase.
• PPP supports two authentication protocols: PAP and CHAP.
3. Network Layer Protocol Configuration Negotiation
• When LCP finishes the link-quality determination phase, network layer protocols can be separately configured by the appropriate NCP and can be brought up and taken down at any time.
• If LCP closes the link, it informs the network layer protocols so that they can take appropriate action.
Network-layer protocol phase (cont’d)
• In this phase, the PPP devices send NCP packets to choose and configure one or more network-layer protocols (such as IP).
• Layer 3 configuration
• Once each of the chosen network-layer protocols has been configured, datagrams from each network-layer protocol can be sent over the link.
4. Link Termination
LCP can terminate the link at any time.
This will usually be done:
• at the request of a user
• because of a physical event such as the loss of carrier
• on the expiration of an idle-period timer.
When configuring PPP authentication, you can select:
• PAP or CHAP.
• In general, CHAP is the preferred protocol.
PAP (Password Authentication Protocol)
• PAP provides a simple method for a remote node to establish its identity using a two-way handshake.
• PAP is done only upon initial link establishment.
After the PPP link establishment phase is complete:
• A username/password pair is repeatedly sent by the remote node to the router until authentication is acknowledged or the connection is terminated.
PAP (cont.)
PAP is not a strong authentication protocol.
• Passwords are sent across the link in cleartext.
• There is no protection from playback or repeated trial-and-error attacks.
• The remote node is in control of the frequency and timing of the login attempts.
Topology: Mkting and Gateway are connected by a serial link on 172.25.3.0/24 (interfaces .2/S0 and .1/S0).

Mkting’s running-config:
username Gateway password secret
interface Serial0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Mkting password secret

Gateway’s running-config:
username Mkting password secret
interface Serial0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Gateway password secret
Passwords
Rtr(config)# username remote-host password secret
Rtr(config-if)# ppp pap sent-username this-host password secret
The password secret must be the same in the two commands.
It does not need to be the same as the enable-secret password.
The secret passwords must be the same on both ends.
Option:
Rtr(config)# username remote-host password 0|7|line secret
Nosmo(config)#username remote-host password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password
CHAP (Challenge Handshake Authentication Protocol)
CHAP is used:
• at startup of a link, and
• periodically, to verify the identity of the remote node using a three-way handshake.
– CHAP is done upon initial link establishment and can be repeated any time after the link has been established.
CHAP (cont.)
Operation
– After the PPP link establishment phase is complete, the local router sends a “challenge” message to the remote node.
– The remote node responds with a value.
– The local router checks the response against its own calculation of the expected hash value.
– If the values match, the authentication is acknowledged. Otherwise, the connection is terminated immediately.
CHAP (cont.)
Advantages
– CHAP provides protection against playback attack through the use of a variable challenge value that is unique and unpredictable.
– The use of repeated challenges is intended to limit the time of exposure to any single attack.
– The local router is in control of the frequency and timing of the challenges.
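The three-way handshake in the Operation slide and the playback protection in the Advantages slide, as an added example in Python that is not part of the Cisco slides: the authenticator issues an unpredictable, single-use challenge; the peer answers with the RFC 1994 MD5 response, MD5(Identifier || secret || Challenge); and the authenticator compares that answer with its own calculation. The router names Admin and Engin and the password secret come from the CHAP configuration later in these slides; the class and function names are this example's own, and MD5 is assumed here because the slides only say "hash value".

```python
# Added example, not from the slides: a CHAP three-way handshake using the
# MD5 response of RFC 1994, response = MD5(Identifier || secret || Challenge).
# Class and function names are this example's own; MD5 is assumed (the slides
# only say "hash value").
import hashlib
import hmac
import secrets


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """The value the remote node sends back: a one-way hash over the
    1-byte identifier, the shared secret and the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The local router: it controls when challenges are sent and checks
    each response against its own calculation."""

    def __init__(self, name: str, peer_secrets: dict):
        self.name = name
        self.peer_secrets = peer_secrets  # like 'username <peer> password <secret>'
        self.ident = 0
        self.pending = {}                 # identifier -> outstanding challenge

    def challenge(self):
        """Step 1: send a unique, unpredictable challenge (usable once)."""
        self.ident = (self.ident + 1) & 0xFF
        chal = secrets.token_bytes(16)
        self.pending[self.ident] = chal
        return self.ident, chal, self.name

    def verify(self, ident: int, response: bytes, peer_name: str) -> bool:
        """Step 3: recompute the expected hash and compare in constant time.
        The challenge is consumed, so a captured response cannot be replayed."""
        chal = self.pending.pop(ident, None)
        secret = self.peer_secrets.get(peer_name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(ident, secret, chal))


class Peer:
    """The remote node being authenticated."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes):
        """Step 2: answer the challenge; the secret itself never crosses the link."""
        return ident, chap_response(ident, self.secret, challenge), self.name


def run_exchange(auth: Authenticator, peer: Peer):
    """One challenge/response/verify round; returns (success, captured response)."""
    ident, chal, _ = auth.challenge()
    ident, resp, name = peer.respond(ident, chal)
    return auth.verify(ident, resp, name), (ident, resp, name)


def replay_is_rejected(auth: Authenticator, peer: Peer) -> bool:
    """A response recorded from one exchange must fail against any later challenge."""
    ok, (old_ident, old_resp, name) = run_exchange(auth, peer)
    new_ident, _, _ = auth.challenge()
    replayed = auth.verify(new_ident, old_resp, name) or auth.verify(old_ident, old_resp, name)
    return ok and not replayed


if __name__ == "__main__":
    admin = Authenticator("Admin", {"Engin": b"secret"})          # names from the slides
    print(run_exchange(admin, Peer("Engin", b"secret"))[0])         # True
    print(run_exchange(admin, Peer("Engin", b"wrong"))[0])          # False
    print(replay_is_rejected(admin, Peer("Engin", b"secret")))      # True
```

Two details carry the security claims of the slides: the challenge is drawn from a cryptographic random source and deleted once answered, so a recorded response is useless against the next challenge, and only the authenticator decides when a challenge is issued. Contrast this with PAP, where the cleartext username/password pair itself crosses the link and the remote node controls the timing of attempts.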
CHAP (cont.)
Use the debug ppp authentication command to display the exchange sequence as it occurs.
An example of a CHAP exchange follows:
debug ppp authentication
PPP Serial1: Send CHAP challenge id=34 to remote
PPP Serial1: CHAP challenge from P1R2
PPP Serial1: CHAP response received from P1R2
PPP Serial1: CHAP response id=34 received from P1R2
PPP Serial1: Send CHAP success id=34 to remote
PPP Serial1: remote passed CHAP authentication.
PPP Serial1: Passed CHAP authentication with remote
Topology: Engin and Admin are connected by a serial link on 172.25.7.0/24 (interfaces .1/S0 and .2/S0).

Engin’s running-config:
username Admin password secret
interface Serial0
 encapsulation ppp
 ppp authentication chap

Admin’s running-config:
username Engin password secret
interface Serial0
 encapsulation ppp
 ppp authentication chap
Passwords
Rtr(config)# username remote-host password secret
It does not need to be the same as the enable-secret password.
The secret passwords must be the same on both ends.
To configure PPP authentication, do the following:
Step 1 On each router, define the username and password to expect from the remote router.
• Router(config)#username name password secret
– name - This is the host name of the remote router. Note that it is case sensitive.
– secret - On Cisco routers, the secret password must be the same for both routers.
• Username entry
– Add a username entry for each remote system that the local router communicates with and requires authentication from.
– The remote device must also have a username entry for the local router.
• Note: To enable the local router to respond to remote CHAP challenges, the name in one username entry must be the same as the host name that has already been assigned to your device.
Step 2 Enter interface configuration mode for the desired interface.
Step 3 Configure the interface for PPP encapsulation.
Router(config-if)#encapsulation ppp
Step 4 Configure PPP authentication.
Router(config-if)#ppp authentication {chap | chap pap | pap chap | pap}
Step 5
• If both methods are enabled, then the first method specified will be requested during link negotiation.
• If the peer suggests using the second method or simply refuses the first method, then the second method will be tried.
Step 6 (PAP or CHAP)
In Cisco IOS Release 11.1 or later, if you choose PAP and are configuring the router that will send the PAP information (in other words, the router responding to a PAP request), you must enable PAP on the interface.
PAP is disabled by default.
To enable PAP, enter:
Router(config-if)#ppp pap sent-username username password password
CHAP
The following commands can be used to simplify CHAP configuration tasks on the router:
Using the same host name on multiple routers:
• When you want remote users to think they are connecting to the same router when authenticating, configure the same host name on each router:
Router(config-if)#ppp chap hostname hostname
Use a password to authenticate to an unknown host
• To limit the number of username/password entries in the router, configure a password that will be sent to hosts that want to authenticate the router:
Router(config-if)#ppp chap password secret
• This password is not used when the router authenticates a remote device.
• When PPP is configured, you can check its LCP and NCP states using the show interfaces command.