point to-point-protocol
![Page 1: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/1.jpg)
Point-to-Point Protocol (PPP)
Chapter 2 explained how to configure an asynchronous line for a dialup connection. In this chapter, you will learn how to configure that dialup connection to connect to the network using point-to-point protocol (PPP) at the data link layer.
It is based on open standards and includes a variety of essential features, making it the de facto standard for dialup and dedicated WAN connections.
![Page 2: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/2.jpg)
Point-to-Point Protocol (PPP)
In order for any layer 3 protocol to traverse the WAN over a dialup or dedicated link, it must be encapsulated by a data-link layer protocol.
PPP, the Serial Line Internet Protocol (SLIP), and the AppleTalk Remote Access Protocol (ARAP) work at the data-link layer (Layer 2) to encapsulate routed protocols like TCP/IP, Novell IPX and AppleTalk.
![Page 3: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/3.jpg)
Point-to-Point Protocol (PPP)
The rest of this chapter focuses only on encapsulating TCP/IP. Today, there are essentially two data-link layer protocols used to encapsulate TCP/IP:
![Page 4: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/4.jpg)
Point-to-Point Protocol (PPP)
SLIP - SLIP is a standard protocol for point-to-point serial connections, using TCP/IP. SLIP was a predecessor of PPP.
PPP - PPP provides router-to-router and host-to-network connections over synchronous and asynchronous circuits, which can be either dialup or leased lines.
![Page 5: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/5.jpg)
PPP
PPP is a more recent standard than SLIP, and is almost always the preferred data-link layer encapsulation on dialup asynchronous links. On a Cisco router, SLIP is the default encapsulation on an asynchronous dialup interface, so you must manually configure the encapsulation in order to use PPP.
![Page 6: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/6.jpg)
PPP
SLIP is essentially limited to use with IP, whereas PPP can be used for other network-layer protocols such as IPX and AppleTalk. Moreover, PPP supports essential features such as dynamic address allocation, PAP authentication, CHAP authentication, and Multilink PPP. SLIP does not support these features.
![Page 7: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/7.jpg)
PPP Overview
High-Level Data Link Control (HDLC) is the default encapsulation for ISDN and serial interfaces on a Cisco router.
Cisco's HDLC is not necessarily compatible with other vendors' HDLC implementations. PPP implementations follow open standards and are almost always compatible. Thus, PPP is the protocol of choice when configuring serial links in a multivendor environment.
![Page 8: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/8.jpg)
PPP Overview
It is important to note that PPP actually uses HDLC as a basis for encapsulating datagrams. However, PPP is more expansible than HDLC because it adds extensions (features) to the link layer.
![Page 9: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/9.jpg)
PPP Overview
PPP can negotiate link options dynamically and can support multiple Layer 3 protocols (IP, IPX, AppleTalk, etc.). PPP accomplishes these two tasks by encapsulating Layer 3 datagrams with a specialized frame. PPP's frame format is based on the HDLC frame format.
PPP defines the Link Control Protocol (LCP). The job of LCP is to establish, configure, and test the data-link connection.
![Page 10: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/10.jpg)
PPP Overview
When hosts negotiate a PPP connection, they exchange LCP packets. These packets allow link partners to dynamically negotiate link options, including authentication, compression, and MLP.
![Page 11: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/11.jpg)
PPP Overview
Once the LCP establishes the Layer 2 connection, the Network Control Protocol (NCP) takes over. Link partners exchange NCP packets to establish and configure different network-layer protocols including IP, IPX, and AppleTalk. Each Layer 3 protocol has its own NCP. For example, IP's NCP is IPCP, IPX's NCP is IPXCP, and AppleTalk's NCP is ATALKCP.
![Page 12: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/12.jpg)
PPP Overview
The NCP can build up and tear down multiple Layer 3 protocol sessions over a single data link. This capability is called protocol multiplexing. When a host requests that the connection be terminated, the NCP tears down the Layer 3 sessions and then the LCP tears down the data link.
PPP's components operate at Layer 2 of the OSI model.
![Page 13: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/13.jpg)
Configuring PPP
You enable PPP encapsulation on an interface by using the following command:
Router(config-if)#encapsulation ppp
Thus, if you want dial-in hosts on terminal line 2 to use PPP, you would enter the following commands:
RTA(config)#interface async 2
RTA(config-if)#encapsulation ppp
![Page 14: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/14.jpg)
Configuring PPP
Note that the encapsulation command is issued in interface configuration mode, not line configuration mode.
![Page 15: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/15.jpg)
Configuring PPP
When a remote host dials into an access server's asynchronous interface, it can start an EXEC session with the router. This feature allows remote users to log in to the router and issue commands as if they were connected to the console port. No IP addressing or PPP encapsulation is needed for this type of connection. Data is sent as asynchronous characters.
![Page 16: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/16.jpg)
![Page 17: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/17.jpg)
Configuring PPP
Alternately, a remote host can dial in to an access server and send a Layer 3 protocol packet encapsulated by PPP, SLIP, or ARA. This type of connection allows the remote user to access network resources such as file servers and mail servers.
You can also configure the router's asynchronous interface to automatically select between PPP data sessions and EXEC sessions.
![Page 18: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/18.jpg)
Configuring PPP
Generally, you will want to restrict the ability of remote users to start EXEC sessions with your router. Typical end users do not require access to the router's interface. Instead, they need a Layer 3 protocol (IP, etc.) connection to the corporate network or the Internet. In most cases, you should force the asynchronous interface to use PPP and not allow an EXEC connection.
![Page 19: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/19.jpg)
Configuring interactive PPP sessions
With the PPP autoselect feature, you can configure an access server's terminal line to provide either a PPP session or an EXEC session based on input from the remote host.
Essentially, this feature allows the remote host to determine the session type. The access server automatically detects which type of session is being requested, and responds accordingly.
![Page 20: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/20.jpg)
Configuring interactive PPP sessions
Enabling this feature requires two steps. First, you must configure the asynchronous interface(s) with the async mode interactive command in interface configuration mode.
This command configures the router so that it allows the remote host to choose either a PPP session or an EXEC session.
![Page 21: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/21.jpg)
Configuring interactive PPP sessions
The following example shows how to configure interface async 1:
RTA(config)#interface async 1
RTA(config-if)#encapsulation ppp
RTA(config-if)#async mode interactive
Second, you must configure the corresponding terminal line(s) with the autoselect ppp command in line configuration mode.
![Page 22: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/22.jpg)
Configuring interactive PPP sessions
To complete the example configuration, you would enter the following commands:
RTA(config)#line 1
RTA(config-line)#autoselect ppp during-login
![Page 23: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/23.jpg)
Configuring interactive PPP sessions
The autoselect command permits the access server to allow an appropriate process to start automatically when a starting character is received. If the start character is a return character, then the access server starts an EXEC session. So, users who want to begin an EXEC session typically must press the Return key after establishing a dialup connection.
![Page 24: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/24.jpg)
Configuring interactive PPP sessions
On the other hand, if the access server recognizes the start character as PPP, SLIP, or ARAP, it will begin a session for whichever protocol it detects.
So, if an end user is using a program that sends a PPP frame, the access server will automatically start a PPP session.
![Page 25: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/25.jpg)
![Page 26: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/26.jpg)
Configuring interactive PPP sessions
The during-login option of the autoselect command causes the username/password prompt to display in the remote host's terminal window without the user having to press the Return key. This command is not required.
After a host has established an EXEC session, the remote user can switch to a PPP session at any time by issuing the ppp command at the router prompt.
![Page 27: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/27.jpg)
![Page 28: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/28.jpg)
Dedicated PPP Sessions
In most cases, you will want to configure your access server's asynchronous lines in dedicated mode so that users are forced into using PPP. In dedicated mode, an interface is automatically configured for PPP connections. There is no user prompt or EXEC level, and no end-user commands are required to initiate remote-node connections.
![Page 29: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/29.jpg)
Dedicated PPP Sessions
To ensure that the dial-in user must run PPP on the specified line, use the async mode dedicated command:
Router(config-if)#async mode dedicated
To summarize:
Interactive mode places the interface in interactive mode, which allows an EXEC session.
Dedicated mode places the interface into dedicated PPP/SLIP mode.
![Page 30: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/30.jpg)
Configuring the interface addressing method
Most dialup PPP sessions are established for the purpose of sending and receiving TCP/IP packets. Asynchronous PPP connections allow remote users to dial up and access the corporate IP network or the Internet. In order for remote nodes to be able to participate in a TCP/IP network, they must have an IP address. This means that the remote node's link partner, the router's asynchronous interface, must have an IP address as well.
![Page 31: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/31.jpg)
Configuring the interface addressing method
To assign an IP address to an access server's asynchronous interface, use the ip address command (which is the same command used to assign addresses to Ethernet or Serial interfaces).
The following example configures the IP address of interface async 1:
RTA(config)#interface async 1
RTA(config-if)#ip address 10.1.1.1 255.255.255.
![Page 32: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/32.jpg)
Configuring the interface addressing method
Because access servers can have literally hundreds of asynchronous interfaces, and because not all of them are likely to be in use at the same time, you may wish to conserve IP addresses by using the IP unnumbered feature.
Multiple async interfaces on the same router can share the same IP address, including an address assigned by the IP unnumbered feature.
![Page 33: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/33.jpg)
Configuring the interface addressing method
The IP unnumbered feature can only be used with point-to-point configurations. The syntax for the ip unnumbered command is:
Router(config-if)#ip unnumbered type number
![Page 34: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/34.jpg)
Configuring the interface addressing method
With this command, you must specify the type and number of the interface to borrow the IP address from (Ethernet 0, Loopback 0, etc.). A loopback interface is a virtual interface that never goes down and is therefore an ideal line to use as the reference with the ip unnumbered command.
![Page 35: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/35.jpg)
Configuring the interface addressing method
The following commands illustrate how to configure an asynchronous interface for IP unnumbered using a loopback interface:
RTA(config)#interface loopback 0
RTA(config-if)#ip address 10.1.1.1 255.255.255.0
RTA(config-if)#exit
RTA(config)#interface async 1
RTA(config-if)#ip unnumbered loopback 0
![Page 36: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/36.jpg)
Configuring the interface addressing method
Addressing the access server's asynchronous interface is only half of the IP configuration equation. You must also implement a mechanism for assigning IP addresses to remote dial-in users.
![Page 37: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/37.jpg)
Configuring the interface addressing method
PPP allows for the automatic assignment of IP addresses using a specific address, an address from a pool defined on the router, or Dynamic Host Configuration Protocol (DHCP). Alternately, you can configure the access server to allow the remote host to choose its own address.
To assign a default (predefined) IP address to the remote dial-in host, use the peer default ip address command.
![Page 38: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/38.jpg)
Configuring the interface addressing method
Additionally, the pool and dhcp arguments allow address allocation from a local pool of addresses or a DHCP server.
Router(config-if)#peer default ip address {address | pool pool-name | dhcp}
The following example shows how to configure a group of asynchronous interfaces (rotary group) to assign IP addresses from a locally defined pool.
![Page 39: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/39.jpg)
Configuring the interface addressing method
RTA(config)#ip local pool DIAL-IN 10.1.1.2 10.1.1.254
RTA(config)#interface group-async 1
RTA(config-if)#peer default ip address pool DIAL-IN
![Page 40: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/40.jpg)
Configuring the interface addressing method
Note that the pool option to the peer default ip address command requires a global command to create the pool of addresses; for example, ip local pool pool-name starting-address end-address.
![Page 41: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/41.jpg)
Configuring the interface addressing method
If you have configured an asynchronous interface for interactive mode, you have the option to allow the IP address to be assigned dynamically by the caller. After the remote user enters the ppp EXEC command, the access server will prompt the user for an IP address or logical host name.
![Page 42: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/42.jpg)
Configuring the interface addressing method
To enable this dynamic addressing feature, use the async dynamic address command in interface configuration mode, as shown:
Router(config-if)#async dynamic address
![Page 43: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/43.jpg)
PPP LCP Options
PPP offers a rich set of features that are configured by LCP during link establishment. The configuration features negotiated through the LCP are:
Authentication, with PAP or CHAP, is used as a security measure with PPP. Authentication allows the dial-up target to identify that any given dialup client is a valid client with a preassigned username and password.
![Page 44: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/44.jpg)
PPP LCP Options
Callback is a PPP option used to provide call and dialup billing consolidation. PPP callback was first supported in Cisco IOS Release 11.0(3).
![Page 45: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/45.jpg)
PPP LCP Options
Compression reduces the size of data frames to be transmitted over a network link, which reduces the time required to transmit the frame across the network. PPP compression was first supported in Cisco IOS Release 10.3. Cisco routers support Stacker, Predictor, and Microsoft Point to Point Compression (MPPC).
![Page 46: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/46.jpg)
PPP LCP Options
The Multilink PPP (MLP) feature provides load balancing functionality over multiple WAN links, while providing multivendor interoperability, proper sequencing, and load calculation on both inbound and outbound traffic. Datagrams are split, sequenced, transmitted across multiple links, and then recombined at the destination. The multiple links together are called a bundle.
![Page 47: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/47.jpg)
PPP LCP Options
Multilink is especially useful with ISDN BRI configurations, in which both B channels can be used to achieve 128-kbps throughput. MLP also works with modems to provide additional bandwidth. This protocol was first supported in Cisco IOS Release 11.0(3).
![Page 48: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/48.jpg)
PAP and CHAP
Generally, you should always configure asynchronous lines to require authentication. With PPP, you have the option to require that callers authenticate using one of two authentication protocols, PAP or CHAP. If you are using PPP over a point-to-point leased line, authentication is unnecessary, and should not be configured.
![Page 49: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/49.jpg)
PAP and CHAP
PAP is not as good as CHAP.
CHAP is considered a superior authentication protocol and should be used when possible. When is it appropriate to run PAP? You may find that hosts running legacy software may not support CHAP, in which case PAP is your only authentication option.
![Page 50: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/50.jpg)
PAP and CHAP
When using PAP, the remote host is in control of the frequency and timing of login requests. This is undesirable, as the access server must respond to all login requests, even the repeated attempts of a hacker to guess, or "brute force," a username/password combination. PAP also sends passwords as clear text over the media, which means a strategically placed packet sniffer could capture and easily decode the password.
![Page 51: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/51.jpg)
PAP and CHAP
On the other hand, access servers that are configured with CHAP are in control of login attempts.
The server must send a challenge packet. The challenge packet consists of an ID, a random number, and the host name of the local router.
![Page 52: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/52.jpg)
PAP and CHAP
The CHAP protocol also allows servers to request that the remote host re-authenticate at any time, which provides another dimension of security. This feature is not typically used with Cisco routers.
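The difference between the two protocols on the wire, as an added Python example that is not part of the original slides: it builds a PAP Authenticate-Request (RFC 1334) and a CHAP MD5 challenge/response (RFC 1994) and shows what an observer can read from each. The Romeo/Juliet credentials are taken from this chapter's username example; the router name RTA, the packet identifiers and all function names are assumptions.

```python
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1                  # RFC 1334 packet code
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2  # RFC 1994 packet codes


def build_pap_request(ident, username, password):
    """PAP Authenticate-Request: peer-ID and password travel as plain bytes."""
    body = bytes([len(username)]) + username + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def parse_pap_request(packet):
    """What a sniffer on the line recovers from a single PAP request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQUEST or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    ulen = packet[4]
    plen = packet[5 + ulen]
    return packet[5:5 + ulen], packet[6 + ulen:6 + ulen + plen]


def build_chap(code, ident, value, name):
    """Challenge and Response share one layout: value-size, value, name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("CHAP length field does not match packet")
    vsize = packet[4]
    return code, ident, packet[5:5 + vsize], packet[5 + vsize:]


def chap_response_value(ident, secret, challenge):
    """RFC 1994 with MD5: hash of identifier, shared secret, challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def server_verify(challenge_pkt, response_pkt, user_db):
    """Access-server check: recompute the hash from its own copy of the secret."""
    _, c_id, challenge, _ = parse_chap(challenge_pkt)
    code, r_id, value, peer_name = parse_chap(response_pkt)
    if code != CHAP_RESPONSE or r_id != c_id:
        return False
    secret = user_db.get(peer_name)
    if secret is None:
        return False
    expected = chap_response_value(c_id, secret, challenge)
    return hmac.compare_digest(expected, value)


def demo():
    """Constructed exchange: host Romeo dials router RTA, shared secret Juliet."""
    db = {b"Romeo": b"Juliet"}
    pap = build_pap_request(1, b"Romeo", b"Juliet")
    challenge = build_chap(CHAP_CHALLENGE, 7, os.urandom(16), b"RTA")
    _, ident, value, _ = parse_chap(challenge)
    answer = chap_response_value(ident, db[b"Romeo"], value)
    response = build_chap(CHAP_RESPONSE, ident, answer, b"Romeo")
    return {
        "pap_sniffed": parse_pap_request(pap),
        "chap_accepted": server_verify(challenge, response, db),
    }


if __name__ == "__main__":
    print(demo())
```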
![Page 53: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/53.jpg)
Configuring PAP Example
Enable PPP encapsulation and PAP authentication with the following commands:
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication pap
![Page 54: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/54.jpg)
Configuring PAP Example
You must also configure the router with a local username/password database, or point it to a network host that has that information (such as a TACACS+ server). Without access to a username/password database, the router won't know which combinations are authorized and will deny all login attempts. You can configure a local username/password database by using the following command in global configuration mode:
![Page 55: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/55.jpg)
Configuring PAP Example
Router(config)#username username password password
Router(config)#username Romeo password Juliet
![Page 56: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/56.jpg)
Configuring PAP Example
In some cases, you must also configure a router's asynchronous interface to place calls to other access servers. If you want to configure an interface to respond to a peer's request to authenticate with PAP, you must use the ppp pap sent-username command:
Router(config-if)#ppp pap sent-username username password password
![Page 57: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/57.jpg)
![Page 58: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/58.jpg)
Configuring PAP Example
Note that in router RTA's configuration, the ppp pap sent-username command is used to specify what username/password information to send in the event that it dials RTB and is asked to authenticate. Router RTB is also configured to send a username and password for PAP, if challenged.
![Page 59: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/59.jpg)
Configuring PAP Example
The name included with the username and dialer map commands is case sensitive. If the remote host's name is RTA, and you create a username entry for rta instead, authentication will fail.
![Page 60: Point to-point-protocol](https://reader036.vdocument.in/reader036/viewer/2022081422/5561ec89d8b42aa5068b5445/html5/thumbnails/60.jpg)
Configuring PAP Example
To ensure that both systems in the example can communicate properly, their asynchronous interfaces have been configured with the dialer map command that includes the remote router's name. By configuring each router with a dialer map statement, each system knows what to do with authentication issues because the systems have prior knowledge of each other's names.
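A check that pulls together this chapter's recommendations for dial-in interfaces (PPP encapsulation, dedicated mode, CHAP rather than PAP, no caller-chosen addresses), as an added Python example that is not part of the original slides. The sample configuration is constructed, the finding texts and function names are assumptions, and `ppp authentication chap` is the CHAP counterpart of the `ppp authentication pap` command shown earlier.

```python
import re

# Constructed sample, written the way commands are entered in this chapter.
SAMPLE_CONFIG = """\
interface async 1
 encapsulation ppp
 async mode interactive
 ppp authentication pap
interface async 2
 encapsulation ppp
 async mode dedicated
 ppp authentication chap
interface async 3
 ip unnumbered loopback 0
 async mode dedicated
 async dynamic address
line 1
 autoselect ppp during-login
"""

# Section headers this audit cares about: async interfaces and terminal lines.
HEADER = re.compile(r"^(interface\s+(?:group-)?async\s*\d+|line\s+\d+)\s*$", re.I)


def split_blocks(config):
    """Group indented sub-commands under the interface/line header above them."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            continue
        if not line[0].isspace():
            match = HEADER.match(line)
            current = " ".join(match.group(1).lower().split()) if match else None
            if current:
                blocks[current] = []
        elif current:
            blocks[current].append(" ".join(line.lower().split()))
    return blocks


def audit(config):
    """Return (block, finding) pairs for settings this chapter advises against."""
    findings = []
    for name, cmds in split_blocks(config).items():
        if name.startswith("line"):
            if any(c.startswith("autoselect") for c in cmds):
                findings.append((name, "autoselect lets the caller pick EXEC or PPP"))
            continue
        if "encapsulation ppp" not in cmds:
            findings.append((name, "encapsulation ppp not set"))
        if "async mode dedicated" not in cmds:
            findings.append((name, "async mode dedicated not set"))
        auth = [c.split()[2:] for c in cmds if c.startswith("ppp authentication")]
        methods = auth[0] if auth else []
        if not methods:
            findings.append((name, "no ppp authentication"))
        elif "pap" in methods:
            findings.append((name, "PAP accepted; password sent in clear text"))
        if "async dynamic address" in cmds:
            findings.append((name, "caller may choose its own IP address"))
    return findings


if __name__ == "__main__":
    for block, finding in audit(SAMPLE_CONFIG):
        print(f"{block}: {finding}")
```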