Point-to-Point Protocol: Cisco Networking Academy Semester 4

Upload: chad-darren-garrison

Post on 12-Jan-2016



Page 2:

• WAN connections are controlled by protocols that perform the same basic functions as Layer 2 LAN protocols.

• In a LAN, moving data between any two nodes or routers requires that a data path be established and that flow-control procedures be in place to ensure delivery of the data.

• The same is true in the WAN environment, where these functions are provided by WAN protocols such as PPP.

Page 4:

The Point-to-Point Protocol (PPP) is generally viewed as the successor to the Serial Line IP (SLIP) protocol.

SLIP (FYI)

• SLIP (RFC 1055) only delimits IP packets on the serial line with an END byte (0xC0) and an ESC byte for stuffing; it has no HDLC-style header, no address or control fields, and no frame check sequence.

• SLIP can only transport IP packets (no protocol field).

• The user must manually configure the MTU (Maximum Transmission Unit) and MRU (Maximum Receive Unit); SLIP has no negotiation of any kind.

Page 5:

PPP provides:

• router-to-router connections

• host-to-network connections

• over both asynchronous (dialup) and synchronous circuits (T1, T3, ISDN).

Page 6:

• PPP emerged in the late 1980s in response to a lack of encapsulation protocols for the Internet that was blocking growth of serial-line access.

• PPP was basically created to solve remote Internet connectivity problems.

• PPP supports a number of network layer protocols, including Novell IPX, TCP/IP and AppleTalk.

Page 8:

PPP uses a layered architecture.

Physical Layer

With its lower-level functions, PPP can use:

• Synchronous physical media, like those that connect ISDN.

• Asynchronous physical media, like those that use basic telephone service for modem dialup connections.

Page 9:

Data Link Layer

• PPP offers a rich set of services that control setting up a data link.

• These services are LCP options; LCP frames negotiate and verify the point-to-point controls that an administrator specifies for the call.

Page 10:

Data Link and Network Layer

• With its higher-level functions, PPP carries packets from several network-layer protocols, each brought up and configured by its own NCP.

• The Protocol field of every frame carries a standardized code that indicates which network-layer protocol PPP is encapsulating (for example 0x0021 for IP).

Page 12:

PPP Components

PPP datagram transmission employs three key components to provide effective data transmission:

1. Encapsulation

2. Link Control Protocol (LCP)

3. Network Control Protocols (NCPs)

Page 13:

PPP connections are established in stages:

– An originating PPP node first sends LCP frames to configure and test the data link.

– Next, the link is established, and facilities are negotiated.

– The originating PPP node then sends NCP frames to choose and configure network layer protocols.

– The chosen network layer protocols, such as TCP/IP, Novell IPX and AppleTalk, are configured, and packets from each network layer protocol are sent.

Page 14:

PPP datagram transmission employs three key components

• Encapsulation - PPP uses HDLC-like framing (RFC 1662) to delimit and encapsulate datagrams; the frame carries a Protocol field so that several network-layer protocols can share one link.

• Link Control Protocol (LCP) - An extensible LCP is used to establish, configure, and test the data link connection.

• Network Control Protocols (NCPs) - a family of NCPs are used to establish and configure different network layer protocols.

Page 16:

• Flag - Indicates the beginning or end of a frame and consists of the binary sequence 01111110.

• Address - Consists of the standard broadcast address, binary sequence 11111111. PPP does not assign individual station addresses.

Page 17:

• Control - 1 byte that consists of the binary sequence 00000011, which calls for transmission of user data in an unsequenced frame. A connectionless link service similar to that of Logical Link Control (LLC) Type 1 is provided.

• Protocol - 2 bytes that identify the protocol encapsulated in the data (Information) field of the frame (for example 0x0021 IP, 0x8021 IPCP, 0xC021 LCP, 0xC023 PAP, 0xC223 CHAP). The current values are maintained in the IANA "PPP Numbers" registry, which replaced the Assigned Numbers RFCs this slide refers to.

Page 18:

• Data - Zero or more bytes that contain the datagram for the protocol specified in the Protocol field. The end of the Information field is found by locating the closing flag sequence and allowing 2 bytes for the FCS field. The default maximum length of the data (Information) field is 1,500 bytes. By prior agreement, consenting PPP implementations can use other values for the maximum Information field length.

Page 19:

• Frame Check Sequence (FCS) - Normally 16 bits (2 bytes). It is a CRC (the RFC 1662 FCS-16, polynomial x^16 + x^12 + x^5 + 1) computed over the Address, Control, Protocol and Information fields, not a simple checksum. By prior agreement, consenting PPP implementations can use a 32-bit (4-byte) FCS for improved error detection. The FCS detects transmission errors only: it is linear and keyless, so it gives no protection against deliberate modification of a frame.

• Note - The PPP Link Control Protocol (LCP) can negotiate modifications to the standard PPP frame structure. However, modified frames will be clearly distinguishable from standard frames.
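The frame layout above, worked through as an added example in Python (editor-supplied code, not material from the Cisco deck). build_frame() assembles Flag, Address, Control, Protocol, Information and the RFC 1662 FCS-16, then byte-stuffs the result for an asynchronous link; parse_frame() reverses this and refuses any frame whose FCS does not verify. The payload in the usage section is a constructed placeholder, not a real IP datagram; the protocol numbers are the standard IANA assignments.

```python
import struct

# Standard field values (RFC 1662) and IANA PPP protocol numbers
FLAG, ESC = 0x7E, 0x7D
ADDR_ALLSTATIONS, CTRL_UI = 0xFF, 0x03
PROTO_IP, PROTO_IPCP, PROTO_LCP, PROTO_PAP, PROTO_CHAP = 0x0021, 0x8021, 0xC021, 0xC023, 0xC223
FCS16_INIT, FCS16_GOOD = 0xFFFF, 0xF0B8


def _fcs16_table():
    # CRC-16 with the reflected polynomial 0x8408 (x^16 + x^12 + x^5 + 1)
    table = []
    for byte in range(256):
        v = byte
        for _ in range(8):
            v = (v >> 1) ^ 0x8408 if v & 1 else v >> 1
        table.append(v)
    return table


_FCS16 = _fcs16_table()


def fcs16_residue(data: bytes) -> int:
    """Running FCS over data; a correct frame including its FCS bytes leaves 0xF0B8."""
    fcs = FCS16_INIT
    for byte in data:
        fcs = (fcs >> 8) ^ _FCS16[(fcs ^ byte) & 0xFF]
    return fcs


def ppp_fcs16(data: bytes) -> int:
    """Value placed in the FCS field: the one's complement of the residue."""
    return fcs16_residue(data) ^ 0xFFFF


def build_frame(protocol: int, info: bytes, accm: int = 0xFFFFFFFF) -> bytes:
    """Flag | 0xFF | 0x03 | Protocol | Information | FCS | Flag, byte-stuffed for an
    asynchronous link. accm is the set of control characters (0x00-0x1F) that must be
    escaped; pass 0 for a synchronous link, where only 0x7E and 0x7D are escaped."""
    body = bytes([ADDR_ALLSTATIONS, CTRL_UI]) + struct.pack(">H", protocol) + info
    body += struct.pack("<H", ppp_fcs16(body))      # FCS goes out least-significant octet first
    out = bytearray([FLAG])
    for byte in body:
        if byte in (FLAG, ESC) or (byte < 0x20 and accm & (1 << byte)):
            out += bytes([ESC, byte ^ 0x20])
        else:
            out.append(byte)
    out.append(FLAG)
    return bytes(out)


def parse_frame(raw: bytes) -> dict:
    """Unstuff, verify the FCS and split the frame; raises ValueError on any damage."""
    if len(raw) < 2 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("missing opening or closing flag")
    body, i = bytearray(), 1
    while i < len(raw) - 1:
        byte = raw[i]
        if byte == ESC:
            i += 1
            if i >= len(raw) - 1:
                raise ValueError("escape before closing flag (aborted frame)")
            byte = raw[i] ^ 0x20
        body.append(byte)
        i += 1
    if len(body) < 6:                            # address, control, protocol, FCS at minimum
        raise ValueError("frame too short")
    if fcs16_residue(bytes(body)) != FCS16_GOOD:
        raise ValueError("FCS mismatch: frame damaged or truncated")
    if body[0] != ADDR_ALLSTATIONS or body[1] != CTRL_UI:
        raise ValueError("unexpected address/control field")
    protocol = struct.unpack(">H", body[2:4])[0]
    return {"protocol": protocol, "info": bytes(body[4:-2]),
            "fcs": struct.unpack("<H", body[-2:])[0]}


if __name__ == "__main__":
    # Constructed sample payload standing in for an IP datagram
    frame = build_frame(PROTO_IP, b"\x45\x00\x00\x14 sample ip datagram")
    print(frame.hex())
    print(parse_frame(frame))
```

With the default asynchronous ACCM the Control field 0x03 itself is escaped on the wire; run with accm=0 to see the synchronous form. The FCS catches line noise and truncation, but an attacker who can alter bits can simply recompute it, so integrity against tampering has to come from a higher layer.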

Page 21:

Authentication options require that the calling side of the link enter information to help ensure the caller has the network administrator's permission to make the call.

Peer routers exchange authentication messages.

Two alternatives are:

• Password Authentication Protocol (PAP)

• Challenge Handshake Authentication Protocol (CHAP)

Page 22:

Compression options increase the effective throughput on PPP connections by reducing the amount of data in the frame that must travel across the link.

The protocol decompresses the frame at its destination.

Two compression protocols available in Cisco routers are:

• Stacker

• Predictor

Page 23:

Error-detection mechanisms with PPP enable a process to identify fault conditions.

Page 24:

Multilink PPP provides load balancing over the router interfaces that PPP uses.

• Packet fragmentation and sequencing, as specified in RFC 1717 (since superseded by RFC 1990), splits the load for PPP and sends fragments over parallel circuits.

• Multilink works over asynchronous serial interfaces, BRIs, and PRIs.

• In some cases, this "bundle" of multilink PPP pipes functions as a single logical link, improving throughput and reducing latency between peer routers.

Page 27:

The PPP Link Control Protocol (LCP) provides a method of establishing, configuring, maintaining, and terminating the point-to-point connection.

LCP goes through four distinct phases:

1. Link establishment and configuration negotiation (then authentication)

2. Link-quality determination

3. Network layer protocol configuration negotiation (NCP)

4. Link termination

Page 28:

1. Link Establishment and Configuration Negotiation

• Before any network layer datagrams (for example, IP) can be exchanged, LCP must first open the connection and negotiate the configuration parameters.

• This phase is complete when a configuration acknowledgment frame has been sent and received.

Page 29:

Link establishment phase

• In this phase, each PPP device sends LCP packets to configure and test the data link.

• LCP packets contain a Configuration Option field that allows devices to negotiate on the use of options such as the maximum receive unit, compression of certain PPP fields, and the link authentication protocol.

• This is the Layer 2 configuration.

• If a Configuration Option is not included in an LCP packet, the default value for that Configuration Option is assumed.
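An added example (editor-supplied, not from the deck) of the negotiation described above: parse_lcp() decodes an LCP Configure-Request with its Type/Length/Data options, respond_to_configure_request() applies the RFC 1661 rules to produce a Configure-Reject, Configure-Nak or Configure-Ack, and negotiated_parameters() fills in the defaults for every option the peer left out. The local policy (refuse to authenticate ourselves with PAP and suggest CHAP/MD5 instead, insist on an MRU of at least 576) and the sample request are assumptions made for the demonstration.

```python
import struct

# LCP codes and option types (RFC 1661); authentication protocol numbers (RFC 1334/1994)
CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
OPT_MRU, OPT_ACCM, OPT_AUTH, OPT_MAGIC, OPT_PFC, OPT_ACFC = 1, 2, 3, 5, 7, 8
PROTO_PAP, PROTO_CHAP, CHAP_MD5 = 0xC023, 0xC223, 0x05
OPTION_DATA_LEN = {OPT_MRU: 2, OPT_ACCM: 4, OPT_MAGIC: 4, OPT_PFC: 0, OPT_ACFC: 0}
# Defaults assumed for any option the peer leaves out of its Configure-Request
DEFAULTS = {"mru": 1500, "accm": 0xFFFFFFFF, "auth": None, "magic": None, "pfc": False, "acfc": False}


def parse_lcp(pkt: bytes):
    """Split Code | Identifier | Length | options into (code, ident, [(type, data), ...])."""
    if len(pkt) < 4:
        raise ValueError("truncated LCP header")
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad LCP length")
    options, i = [], 4
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("bad option length")
        options.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, options


def encode_lcp(code: int, ident: int, options) -> bytes:
    body = b"".join(bytes([typ, 2 + len(data)]) + data for typ, data in options)
    return struct.pack(">BBH", code, ident, 4 + len(body)) + body


def _recognised(typ: int, data: bytes) -> bool:
    # Authentication-Protocol carries a 2-byte protocol plus optional algorithm data
    if typ == OPT_AUTH:
        return len(data) >= 2
    return typ in OPTION_DATA_LEN and len(data) == OPTION_DATA_LEN[typ]


def respond_to_configure_request(pkt: bytes, refuse_pap: bool = True, min_mru: int = 576) -> bytes:
    """RFC 1661 rules in order: Reject unknown or malformed options; otherwise Nak options
    whose values this side will not accept, suggesting ones it would; otherwise Ack."""
    code, ident, options = parse_lcp(pkt)
    if code != CONF_REQ:
        raise ValueError("expected a Configure-Request")
    rejected = [(t, d) for t, d in options if not _recognised(t, d)]
    if rejected:
        return encode_lcp(CONF_REJ, ident, rejected)
    naks = []
    for typ, data in options:
        if typ == OPT_MRU and struct.unpack(">H", data)[0] < min_mru:
            naks.append((OPT_MRU, struct.pack(">H", min_mru)))
        elif typ == OPT_AUTH and refuse_pap and data[:2] == struct.pack(">H", PROTO_PAP):
            # Assumed local policy: never send our password in the clear; offer CHAP/MD5 instead
            naks.append((OPT_AUTH, struct.pack(">HB", PROTO_CHAP, CHAP_MD5)))
    if naks:
        return encode_lcp(CONF_NAK, ident, naks)
    return encode_lcp(CONF_ACK, ident, options)


def negotiated_parameters(options) -> dict:
    """Parameters in force once the options are Acked; anything absent keeps its default."""
    params = dict(DEFAULTS)
    for typ, data in options:
        if typ == OPT_MRU:
            params["mru"] = struct.unpack(">H", data)[0]
        elif typ == OPT_ACCM:
            params["accm"] = struct.unpack(">I", data)[0]
        elif typ == OPT_AUTH:
            params["auth"] = struct.unpack(">H", data[:2])[0]
        elif typ == OPT_MAGIC:
            params["magic"] = struct.unpack(">I", data)[0]
        elif typ == OPT_PFC:
            params["pfc"] = True
        elif typ == OPT_ACFC:
            params["acfc"] = True
    return params


# Constructed sample: the peer asks for MRU 1500, PAP authentication and a magic number
PEER_REQUEST = encode_lcp(CONF_REQ, 0x01, [
    (OPT_MRU, struct.pack(">H", 1500)),
    (OPT_AUTH, struct.pack(">H", PROTO_PAP)),
    (OPT_MAGIC, bytes.fromhex("0a1b2c3d")),
])

if __name__ == "__main__":
    print(parse_lcp(respond_to_configure_request(PEER_REQUEST)))   # Configure-Nak with CHAP/MD5
    print(negotiated_parameters(parse_lcp(PEER_REQUEST)[2]))
```

Because a Nak only suggests, the peer must send a fresh Configure-Request carrying the suggested value before anything is in force; both sides run this logic on each other's requests, which is what "peer to peer" on the next slide means in practice.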

Page 30:

• PPP is not like a client/server model

• All connections are peer to peer

• So, when there is a caller and receiver, both ends have to agree on the parameters and protocols

Page 31:

2. Link-Quality Determination (PPP Authentication)

• LCP allows an optional link-quality determination phase following the link establishment and configuration negotiation phase.

• In the link-quality determination phase, the link is tested to determine whether the link quality is sufficient to bring up network layer protocols.

• LCP can delay transmission of network layer protocol information until this phase is completed.

Page 32:

Authentication (optional) takes place here.

Authentication phase (optional)

• After the link has been established, and the authentication protocol decided on, the peer may be authenticated.

• Authentication, if used, takes place before entering the network-layer protocol phase.

• PPP supports two authentication protocols: PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). (Later IOS releases also added MS-CHAP and EAP, which this course does not cover.)

Page 33:

3. Network Layer Protocol Configuration Negotiation

• When LCP finishes the link-quality determination phase, network layer protocols can be separately configured by the appropriate NCP and can be brought up and taken down at any time.

• If LCP closes the link, it informs the network layer protocols so that they can take appropriate action.

Page 34:

Network-layer protocol phase (cont’d)

• In this phase, the PPP devices send NCP packets to choose and configure one or more network-layer protocols (such as IP, which is configured by IPCP).

• Layer 3 configuration

• Once each of the chosen network-layer protocols has been configured, datagrams from each network-layer protocol can be sent over the link.

Page 35:

4. Link Termination

LCP can terminate the link at any time. This will usually be done:

• at the request of a user

• because of a physical event such as the loss of carrier

• on the expiration of an idle-period timer.

Page 37:

When configuring PPP authentication, you can select:

• PAP or CHAP.

• In general, CHAP is the preferred protocol, because with CHAP the shared secret itself never crosses the link.

Page 38:

PAP (Password Authentication Protocol)

• PAP provides a simple method for a remote node to establish its identity using a two-way handshake.

• PAP is done only upon initial link establishment.

After the PPP link establishment phase is complete:

• A username/password pair is repeatedly sent by the remote node to the router until authentication is acknowledged, or the connection is terminated.

Page 39:

PAP (cont)

PAP is not a strong authentication protocol.

• Passwords are sent across the link in cleartext

• There is no protection from playback or repeated trial-and-error attacks.

• The remote node is in control of the frequency and timing of the login attempts.
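The two-way handshake and its weaknesses as an added example in Python (editor-supplied, not from the deck): encode_pap_request() produces the RFC 1334 Authenticate-Request, decode_pap_request() shows what the authenticator, and equally any device tapping the line, recovers from it, and PapAuthenticator answers with Authenticate-Ack or Authenticate-Nak and signals that the link should be dropped after a configurable number of failures, since the protocol itself leaves the retry rate to the remote node. The router names, password and failure limit are constructed for the example.

```python
import hmac
import struct

AUTH_REQ, AUTH_ACK, AUTH_NAK = 1, 2, 3   # PAP codes (RFC 1334)


def encode_pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """Authenticate-Request: Code | Identifier | Length | Peer-ID-Length | Peer-ID |
    Passwd-Length | Password. Nothing in it is hashed or encrypted."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack(">BBH", AUTH_REQ, ident, 4 + len(body)) + body


def decode_pap_request(pkt: bytes):
    """What the authenticator reads from the packet; a sniffer reads exactly the same."""
    if len(pkt) < 6:
        raise ValueError("truncated PAP packet")
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if code != AUTH_REQ or length > len(pkt) or length < 6:
        raise ValueError("not a PAP Authenticate-Request")
    n = pkt[4]
    peer_id, i = pkt[5:5 + n], 5 + n
    if i >= length:
        raise ValueError("truncated peer-id")
    n = pkt[i]
    password = pkt[i + 1:i + 1 + n]
    if i + 1 + n != length:
        raise ValueError("length field does not match contents")
    return ident, peer_id, password


def encode_pap_response(code: int, ident: int, message: bytes = b"") -> bytes:
    """Authenticate-Ack / Authenticate-Nak: Code | Identifier | Length | Msg-Length | Message."""
    return struct.pack(">BBH", code, ident, 5 + len(message)) + bytes([len(message)]) + message


class PapAuthenticator:
    """The receiving router. Because the cleartext password arrives on every attempt, a PAP
    authenticator could store only a one-way hash of it (unlike CHAP); this example keeps
    the table simple and stores the password itself."""

    def __init__(self, userdb: dict, max_failures: int = 3):
        self.userdb = userdb
        self.max_failures = max_failures
        self.failures = 0

    def handle(self, pkt: bytes):
        """Return an Ack or Nak packet, or None meaning 'terminate the link': the peer
        controls the timing of its retries, so the authenticator has to cap them."""
        ident, peer_id, password = decode_pap_request(pkt)
        expected = self.userdb.get(peer_id)
        if expected is not None and hmac.compare_digest(expected, password):
            self.failures = 0
            return encode_pap_response(AUTH_ACK, ident)
        self.failures += 1
        if self.failures >= self.max_failures:
            return None
        return encode_pap_response(AUTH_NAK, ident, b"authentication failed")


if __name__ == "__main__":
    # Constructed sample, borrowing the router names used later in the deck's PAP configuration
    on_the_wire = encode_pap_request(1, b"Mkting", b"secret")
    print(on_the_wire.hex())                  # the password is right there as ASCII bytes
    print(decode_pap_request(on_the_wire))    # what a passive observer recovers
    print(PapAuthenticator({b"Mkting": b"secret"}).handle(on_the_wire).hex())
```

The failure cap is not part of PAP; it is the kind of local control an authenticator has to add because the protocol offers none, and even then it does nothing about the password being readable by anyone on the path.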

Page 40:

Figure: Gateway --- S0 (.1) --- 172.25.3.0/24 --- S0 (.2) --- Mkting

Mkting's running-config

username Gateway password secret
!
interface Serial0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Mkting password secret

Gateway's running-config

username Mkting password secret
!
interface Serial0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username Gateway password secret

Page 41:

Passwords

Rtr(config)# username remote-host password secret

Rtr(config-if)# ppp pap sent-username this-host password secret

The password (secret) that this router stores for remote-host must be the same one that remote-host sends with its ppp pap sent-username command, and vice versa.

It does not need to be the same as the enable secret password.

In the example above both routers use the same secret, so the PAP passwords are the same on both ends.

Page 42:

Option:

Rtr(config)# username remote-host password {0 | 7 | LINE} secret

Nosmo(config)# username remote-host password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password

Type 7 (the form service password-encryption writes) is a reversible obfuscation, not encryption: anyone who can read the configuration can recover the cleartext with a widely available decoder. It only defeats shoulder-surfing, so the configuration itself (backups, TFTP copies, show running-config output) must be protected as if it held the cleartext. Note also that CHAP needs the cleartext shared secret on both routers to compute its hash, so these PPP secrets cannot be stored as one-way hashes.

Page 44:

CHAP (Challenge Handshake Authentication Protocol)

CHAP is used:

• at startup of a link, and

• periodically, to verify the identity of the remote node using a three-way handshake.

CHAP is done upon initial link establishment and can be repeated any time after the link has been established.

Page 45:

CHAP (cont.)

Operation

– After the PPP link establishment phase is complete, the local router sends a "challenge" message (a random challenge value plus a CHAP identifier, labelled with its own name) to the remote node.

– The remote node responds with a value: the MD5 hash of the identifier, its shared secret and the challenge (RFC 1994), together with its name.

– The local router looks up the secret for that name and checks the response against its own calculation of the expected hash value.

– If the values match, the authentication is acknowledged (Success). Otherwise, the connection is terminated immediately (Failure).

Page 46:

CHAP (cont.)

Advantages

– CHAP provides protection against playback attack through the use of a variable challenge value that is unique and unpredictable.

– The use of repeated challenges is intended to limit the time of exposure to any single attack.

– The local router is in control of the frequency and timing of the challenges.

Caveats: the secret never crosses the link, but anyone who captures a challenge/response pair can run an offline dictionary attack against the MD5 hash, so the shared secret must be long and random and the challenge must come from a cryptographically strong random source. CHAP also authenticates only the handshake, not the data that follows, which PPP carries unencrypted unless a separate mechanism is layered on top.
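The three-way handshake, the replay protection and the caveat above as an added example (editor-supplied, not from the deck): ChapAuthenticator issues a Challenge with a random value, chap_respond() computes the RFC 1994 response MD5(Identifier || secret || Challenge) on the remote side, verify() checks it against the authenticator's own calculation and answers Success or Failure, refusing any response whose identifier no longer matches an outstanding challenge. crack_capture() shows why the secret must still be strong: a captured pair can be tested offline against a wordlist. Router names, secret and wordlist are constructed.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # CHAP codes (RFC 1994)


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier || secret || Challenge Value: the only thing that crosses the link."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def encode_chap(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response: Code | Identifier | Length | Value-Size | Value | Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack(">BBH", code, ident, 4 + len(body)) + body


def encode_chap_result(code: int, ident: int, message: bytes = b"") -> bytes:
    """Success/Failure: Code | Identifier | Length | Message."""
    return struct.pack(">BBH", code, ident, 4 + len(message)) + message


def decode_chap(pkt: bytes):
    """Return (code, ident, value, name_or_message); value is None for Success/Failure."""
    if len(pkt) < 4:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad CHAP length")
    if code in (SUCCESS, FAILURE):
        return code, ident, None, pkt[4:length]
    if length < 5 or 5 + pkt[4] > length:
        raise ValueError("bad value size")
    return code, ident, pkt[5:5 + pkt[4]], pkt[5 + pkt[4]:length]


class ChapAuthenticator:
    """The local router: issues challenges and checks the responses."""

    def __init__(self, local_name: bytes, userdb: dict, rng=os.urandom):
        self.local_name, self.userdb, self.rng = local_name, userdb, rng
        self.outstanding = {}       # identifier -> challenge value, removed once answered
        self.ident = 0

    def challenge(self) -> bytes:
        self.ident = (self.ident + 1) & 0xFF
        value = self.rng(16)        # fresh, unpredictable value is what defeats replay
        self.outstanding[self.ident] = value
        return encode_chap(CHALLENGE, self.ident, value, self.local_name)

    def verify(self, pkt: bytes) -> bytes:
        code, ident, value, name = decode_chap(pkt)
        if code != RESPONSE:
            raise ValueError("expected a CHAP Response")
        challenge = self.outstanding.pop(ident, None)    # a replayed response finds none
        secret = self.userdb.get(name)
        ok = (challenge is not None and secret is not None
              and hmac.compare_digest(value, chap_hash(ident, secret, challenge)))
        return encode_chap_result(SUCCESS if ok else FAILURE, ident)


def chap_respond(challenge_pkt: bytes, my_name: bytes, secret: bytes) -> bytes:
    """The remote node's side: hash the challenge with its secret and label it with its name."""
    code, ident, value, _peer_name = decode_chap(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    return encode_chap(RESPONSE, ident, chap_hash(ident, secret, value), my_name)


def crack_capture(ident: int, challenge: bytes, response: bytes, wordlist):
    """Offline dictionary attack on a captured challenge/response pair (the caveat above)."""
    for guess in wordlist:
        if chap_hash(ident, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    admin = ChapAuthenticator(b"Admin", {b"Engin": b"secret"})   # constructed names and secret
    chal = admin.challenge()
    resp = chap_respond(chal, b"Engin", b"secret")
    print(decode_chap(admin.verify(resp)))   # code 3: Success
    print(decode_chap(admin.verify(resp)))   # same response again, code 4: Failure
```

The three calls map onto the debug ppp authentication output shown a few slides on: challenge() is "Send CHAP challenge id=N", chap_respond() produces the "CHAP response id=N received" line, and verify() decides between "Send CHAP success" and a failure.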

Page 47:

CHAP (cont.)

Use the debug ppp authentication command to display the exchange sequence as it occurs.

An example of a CHAP exchange follows:

Page 48:

debug ppp authentication

PPP Serial1: Send CHAP challenge id=34 to remote

PPP Serial1: CHAP challenge from P1R2

PPP Serial1: CHAP response received from P1R2

PPP Serial1: CHAP response id=34 received from P1R2

PPP Serial1: Send CHAP success id=34 to remote

PPP Serial1: remote passed CHAP authentication.

PPP Serial1: Passed CHAP authentication with remote

Page 49:

Figure: Admin --- S0 (.1) --- 172.25.7.0/24 --- S0 (.2) --- Engin

Engin's running-config

username Admin password secret
!
interface Serial0
 encapsulation ppp
 ppp authentication chap

Admin's running-config

username Engin password secret
!
interface Serial0
 encapsulation ppp
 ppp authentication chap

Page 50:

Passwords

Rtr(config)# username remote-host password secret

It does not need to be the same as the enable secret password.

With CHAP the secret must be the same on both ends: each router answers the other's challenge with the password in its username entry for the peer, and the peer verifies it with the password in its own username entry for this router.

Page 52:

To configure PPP authentication, do the following:

Step 1 On each router, define the username and password to expect from the remote router.

Router(config)#username name password secret

– name - This is the host name of the remote router. Note that it is case sensitive.

– secret - On Cisco routers, the secret password must be the same for both routers.

Page 53:

• Username entry

– Add a username entry for each remote system that the local router communicates with and requires authentication from.

– The remote device must also have a username entry for the local router.

• Note: To enable the local router to respond to remote CHAP challenges, the username entry must match the name the remote router sends in its challenge, that is, the host name already assigned to the other router (or its ppp chap hostname, if one is configured). Likewise, the name this router presents must exist as a username entry on the remote.

Page 54:

Step 2 Enter interface configuration mode for the desired interface.

Step 3 Configure the interface for PPP encapsulation.

Router(config-if)#encapsulation ppp

Page 56:

Step 4 Configure PPP authentication.

Router(config-if)#ppp authentication {chap | chap pap | pap chap | pap}

Page 57:

Step 5

• If both methods are enabled, then the first method specified will be requested during link negotiation.

• If the peer suggests using the second method or simply refuses the first method, then the second method will be tried.

Page 58:

Step 6 (PAP or CHAP)

In Cisco IOS Release 11.1 or later, if you choose PAP, and are configuring the router that will send the PAP information (in other words, the router responding to a PAP request), you must enable PAP on the interface.

Page 59:

PAP is disabled by default

To enable PAP, enter:

Router(config-if)#ppp pap sent-username username password password

Page 60:

CHAP

The following commands can be used to simplify CHAP configuration tasks on the router:

Using the same host name on multiple routers:

• When you want remote users to think they are connecting to the same router when authenticating, configure the same host name on each router:

Router(config-if)#ppp chap hostname hostname

Page 61:

Use a password to authenticate to an unknown host

• To limit the number of username/password entries in the router, configure a password that will be sent to hosts that want to authenticate the router:

Router(config-if)#ppp chap password secret

• This password is not used when the router authenticates a remote device.

• Because every peer that authenticates this router must hold the same password, any one compromised peer can impersonate this router to all the others; prefer per-peer username entries where the number of peers allows it.

Page 62:

• When PPP is configured, you can check its LCP and NCP states using the show interfaces command: a working link reports "LCP Open" and, for IP, "Open: IPCP". A link stuck in LCP with authentication configured usually means the username entries or secrets do not match; confirm with debug ppp authentication.
