Colin Walls, in
Embedded Software (Second Edition), 2012 PPP (Point-to-Point Protocol) provides a standard method for transporting multiprotocol datagrams over point-to-point
links. In the context of a network application, PPP allows IP datagrams to be exchanged with a node at the other end of a point-to-point link. Typically, a client will initiate a PPP connection by using a modem to dial into a foreign server through the public telephone system. However, PPP is also used in environments where the physical medium is not always point-to-point. One such example is Ethernet. The PPPoE and L2TP protocols enable support for transmission of PPP packets over Ethernet. A PPP implementation may include support for a PPP client and a PPP server, perhaps even being utilized as both at the same time. Applications only have to be aware that PPP is being used as the underlying link-layer driver when establishing and breaking the physical link—that is, during dial-up and hang up. In all other respects, the application is not aware that PPP is the low-level driver being used. Because PPP is now being adapted for use over various types of physical mediums, including ATM and broadcast mediums such as Ethernet, it is necessary to recognize PPP as providing for communications over logical point-to-point links as well as physical point-to-point links. To provide for flexibility in supporting multiple link layers, the interface to the link layer is commonly
abstracted. The interface to each link layer is thus a self-contained module. Serial (HDLC) and Ethernet (PPPoE, L2TP) link layers are examples. This modularization of PPP results in greater system flexibility, efficient code reuse, and hardware transparency for easier application development. It also makes it straightforward for users to plug in support for new link layers; for example, PPPoA (PPP over ATM). PPP originated as a protocol for sending datagrams over serial point-to-point links. These links were usually dial-up links. Today this is still by far the primary use for PPP. As a result, PPP usually includes support for HDLC framing, as well as basic support for driving a Hayes-compatible modem. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780124158221000088 Network Communications Protocols and Built-in SecurityTimothy Stapko, in Practical Embedded Security, 2008 Point to Point Protocol (PPP)PPP is a relatively old communications protocol, described in 1994 in RFC 1661,1 and was designed to provide connectivity over serial hardware channels. PPP was originally developed to allow higher-level protocols to utilize these serial channels in a consistent manner. This protocol, though losing out to newer, faster technologies, is still used widely for embedded systems due to the fact that simple serial hardware is much less expensive than the hardware that some of the newer standards require. PPP consists of a few protocols designed to establish the serial link, encapsulate the higher-level data, and to control each of the high level protocols that can be used. Many different high-level protocols are compatible with PPP, but since we are discussing Internet security, it is reasonable to restrict our discussion to cover only the Internet Protocol, or IP. We will see in a minute how IP and PPP work together, but first we will look at the link establishment and discuss what it means for our embedded applications. PPP, as with many low-level protocols, is designed to be the connection between the network hardware and the application. Link establishment in PPP is controlled by the Link Control Protocol, or LCP. The LCP divides the link establishment procedure into 4 distinct steps: 1.Establish the serial link using the hardware. 2.Optionally, test the quality of the link to determine if the hardware can handle the communication level desired. 3.Negotiate and configure the higher-level protocol for transmission. 4.Terminate the link and release the hardware. To illustrate how we can adapt the protocol for our needs, let's look at the steps of the LCP. Obviously, we have to have a hardware connection in order to communicate with the remote device. However, the link quality test is an optional step; leaving it out may result in subpar communications, but it will definitely save on code size, and the link can be established faster. If we were trying to use PPP on an 8-bit CPU with only 64KB of program and data space (combined), this is a place where we can definitely cut corners to save on precious space. The tradeoff here is that while we obviously gain more space for our program and a small performance advantage, we lose some guarantee of robustness, and therefore, security. Imagine that an attacker could interfere with your communications by generating a high amount of electronic noise near the wire used for communications. Without the link quality test, you will not be able to determine if the link can handle the connection you need. The attacker then can hinder your application without having to cut a wire or hack into the system. This is the type of tradeoff that we will focus on in developing secure applications that need to fit onto our resource-constrained devices. On one hand, we have the strict size requirement, on the other a potential security risk. Depending on the requirements of the application, it may be more desirable to remove the optional step and save precious space. We will look at some of these requirements so you can understand how to look for these types of options when dissecting security and communications protocols. For now, let's continue looking at PPP and see what we can do with the communication protocol itself. PPP is an inherently configurable protocol, allowing for many implementation options. For each network-layer protocol, there is a corresponding Network Control Protocol (NCP) that allows the protocol to utilize PPP as the link-layer transport mechanism. Each NCP is designed to provide the correct functionality to allow PPP to transport the higher-level packets. This functionality includes any security protocols inherent to the higher level protocols, such as IPSEC (security for IP). The selection of NCP's to support is another option we have to conserve code space. If we know that our application will only need to support one higher-level protocol (such as IP), then we only have to implement the functionality specific for the NCP for that particular protocol. We can tailor the implementation to fit the protocol, and since we do not have to support the other NCP's, we can simply reject any protocols that we do not support. We need to be sure that the rejection mechanism is robust, however, since if the mechanism is not well behaved, it could set up a situation where a denial-of-service or buffer overflow might be possible. For example, if the LCP on the remote end (asking for a link to the device) sends a protocol request mechanism that is very large, it can overflow local buffers, allowing a user on the remote end to crash the device or run arbitrary code (depending on the local implementation). If the rejection mechanism is slow, or if the implementation allows multiple connections from a single remote device with no limit between retransmissions, a remote device could send a flurry of connection requests, effectively preventing the device from serving legitimate requests. This is an example of where robust design and programming can make the device more secure.
 Figure 3. PPP Structure PPP has its own security mechanisms that we can use to authenticate connection requests, allowing the implementation to protect the device from unauthorized use. The security mechanisms supported by PPP are password authentication and a challenge-handshake. Again, we can choose to support either of these mechanisms. The password mechanism will have a simpler implementation, since the challenge-handshake will require additional states in the PPP state machine to handle the additional messages. However, we may also choose not to support any PPP security, instead relying on the higher-level protocols to provide security for the application. Depending on the application, the no-security option may be more desirable. If the network is not secure, sending a password would allow anyone eavesdropping on the network to read the password. The challenge-handshake protocol, though more complex, is also more secure than the password protocol. The common challenge-handshake protocol for PPP is defined in RFC 1994 (written in 1996), and is referred to as the Challenge Handshake Authentication Protocol, or CHAP. CHAP provides decent security for devices with a previously defined trusted relationship, but since it requires shared secret keys (cryptographic keys stored on each end), it is not practical for general-purpose security (connecting to arbitrary remote systems). Without an established relationship, the secret for the challenge mechanism must be sent plaintext over the network—which is obviously not secure at all. Whether or not such a relationship can be established should be a factor in deciding whether or not to support the authentication protocol. As was mentioned previously, PPP is an older technology, but is still popular on smaller embedded devices because of its ability to use inexpensive networking hardware. However, current technology is moving toward newer, more complex low-level protocols, and these new technologies have more security options, but also more security challenges. Your application requirements will determine whether PPP or one of these other technologies should be used. Next we will look at another applicable technology that has gained widespread popularity and is practically the only technology used for Local Area Networks (LANs). This technology is practically a household word—Ethernet. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780750682152500033 Exploring the Foundations of BluetoothIn Bluetooth Application Developer's Guide, 2002 PPPThe Point-to-Point Protocol (PPP) is the existing method used when transferring Transmission Control Protocol/Internet Protocol (TCP/IP) data over modem connections. The Bluetooth specification reuses this protocol in the local area network (LAN) Access Profile to route network data over an RFCOMM port. Work is already underway on a TCP/IP layer that will sit directly above L2CAP, bypassing and removing the overhead of PPP and RFCOMM. This work is hinted at in some areas of the specification, but in v1.1 PPP, is all that's available. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781928994428500057 Configuring PPP and CHAPDale Liu, ... Luigi DiGrande, in Cisco CCNA/CCENT Exam 640-802, 640-822, 640-816 Preparation Kit, 2009 Exam Objectives Fast TrackUnderstanding PPP and CHAP■ PPP is a point-to-point WAN protocol that works at the data link layer of the OSI model. PPP is more stable than SLIP and includes error-checking features. ■PPP can operate on a variety of DTE/DCE physical interfaces, including asynchronous serial, synchronous serial, HSSI, and ISDN. ■When PPP is used on a link, it will negotiate with the other side of the link. PPP negotiation consists of three phases: LCP, Authentication, and NCP. ■PPP uses LCP to set up, configure, and test a data link connection. ■PPP uses NCP to establish and configure different network layer protocols. PPP is designed to allow the simultaneous use of multiple network layer protocols, including IPv4 and v6, IPX, and AppleTalk. ■PPP operates using different network layer protocols (e.g., IPX and AppleTalk), whereas SLIP uses only TCP/IP-based IP. PPP and SLIP will encapsulate a datagram and other network layer protocol information over point-to-point links. These are called NCPs. ■The phases of PPP are Link Dead, Link Establishment, Authentication, Network Layer Protocol, and Link Termination, at which point the Link Dead phase is initiated again. ■PPP uses HDLC as a basis for encapsulating datagrams over point-to-point links. ■PAP is the older of the two PPP authentication protocols. It has major security flaws, including the sending of passwords in clear text and allowing a client to choose when it sends a password. ■When CHAP is used over a WAN connection, the router receiving the connection sends a challenge which includes a random number that can be input into an MD5 hash algorithm. MD5 hashing and server control is a function of CHAP. ■CHAP uses a three-way handshake comprising the local host requesting authentication, the remote host sending an encrypted response, and the local host comparing the received information and then accepting or rejecting the connection. PAP only uses a two-way handshake and is much less secure. ■MS-CHAP is nearly identical to CHAP in terms of how it operates. The main difference between the two is that MS-CHAP is Microsoft's proprietary version of CHAP and is not an open standard. You will not be tested on MS-CHAP on the CCNA exam directly, but you should know about its use and its proprietary nature. ■CHAP and PAP are open standards-based protocols. Configuring and Implementing PPP and CHAP on Cisco Routers■ You use the show interface command to verify the current state of PPP LCP negotiations. ■You use the debug ppp negotiations command to troubleshoot and resolve issues with LCP communications between peers. This command will display PPP packets transmitted during PPP startup where PPP options are first negotiated. ■You use the debug ppp packet command to display the PPP packets that are being sent and received, and when this occurs. This command also displays low-level packet dumps. ■You use the debug ppp errors command to display output relating to protocol errors that occur while in the connection negotiation and operation phases. Protocol errors are shown in detail. ■You use the debug ppp chap command to display CHAP and PAP packet exchanges between peers. This is helpful in determining whether your peers have a misconfiguration. ■You use the debug ppp authentication command to troubleshoot and resolve issues with authentication attempts using protocols such as CHAP and PAP. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597493062000208 Network Link TechnologiesWalter Goralski, in The Illustrated Network (Second Edition), 2017 PPP and DSLWhy is PPP used with DSL (and SONET)? The core of the issue is that ISPs needed some kind of tunneling protocol. Tunneling occurs when the normal message-packet-frame encapsulation sequence of the layers of a networking protocol suite are violated. When a message is placed inside a packet, then inside a frame, and this frame is placed inside another type of frame (or even another frame-packet-frame sequence), this is a tunneling situation. Although many tunneling methods have been standardized at several different TCP/IP layers, tunneling works as long as the tunnel endpoints understand the correct sequence of headers and content (which can also be encrypted for secure tunnels). In DSL, the tunneling protocol had to carry the point-to-point “circuits” from the central networking location to the customer’s premises and across the shared media LAN to the end user device (host). There are many ways to do this, such as using IP-in-IP tunneling, a virtual private network (VPN), or lower level tunneling. ISPs chose PPP as the solution for this role in DSL. Using PPP made perfect sense. For years, ISPs had used PPP to manage their WAN dial-in users. PPP could easily assign and manage the ISP’s IP address space, compartmentalize users for billing purposes, and so on. As a LAN technology, Ethernet had none of those features. PPP also allowed user authentication methods such as RADIUS to be used, methods completely absent on most LAN technologies (if you’re on the LAN, it’s assumed you belong there). Of course, keeping PPP meant putting the PPP frame inside the Ethernet frame, a scheme called Point-to-Point Protocol over Ethernet (PPPoE), described in RFC 2516. Since tunneling is just another form of encapsulation, all was well. PPP is not the only data link layer framing and negotiation procedure (PPP is not a full data link layer specification) from the IETF. Before PPP became popular, the Serial Line Internet Protocol (SLIP) and a closely related protocol using compression (CSLIP, or Compressed SLIP) were used to link individual PCs and workstations not connected by a LAN, but still running TCP/IP, to the Internet over a dial-up, asynchronous analog telephone line with modems. SLIP/CSLIP was also once used to link routers on widely separated TCP/IP networks over asynchronous analog leased telephone lines, again using modems. SLIP/CSLIP is specified in RFC 1055/STD 47. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780128110270000035 MCSA/MCSE 70-291: Configuring the Windows 2003 Routing and Remote Access Service LAN Routing, Dial-up Services, and Routing ProtocolsDeborah Littlejohn Shinder, ... Laura Hunter, in MCSA/MCSE (Exam 70-291) Study Guide, 2003 PPP Multilink ProtocolPPP has, by Internet standards, a long history with the Internet Engineering Task Force (IETF). The basic documented history of PPP dates back to 1989 when “A Proposal for Multi-Protocol Transmission of Datagrams Over Point-to-Point Links” was specified in Request For Comments (RFC) 1134. The official implementation, as used by Microsoft, comes from RFP 1990. Capabilities were added and subsequent modifications to the standard were made leading up to PPP as it exists today. In 1994, a documented standard was proposed for “The PPP Multilink Protocol” in RFC 1717. At the time, other proposals existed to combine streams of data at the bit level (basically a hardware solution). This proposal described a software-based solution for the need to combine multiple streams of data into one. This solution was well-suited to the twin bearer channels of ISDN (2B+D). The PPP Multilink Protocol must be enabled on both the remote access client and the remote access server. PPP Multilink is enabled on the remote access server via remote access policy, using the Routing and Remote Access Service management console or the Internet Authentication Service (IAS). The nature of multilink requires dialing to multiple devices or endpoints. To enable Multilink on a remote access client, you must enable multiple device dialing on the client system through the Network and Dial-up Connections folder. Again, if unlimited connectivity is not available, the nature of Multilink presents cost prohibitive problems due to the lack of provisions to link and unlink extra physical connections on an as-needed basis.
|
| Phase | Description |
|---|---|
| Link Dead | The link necessarily begins and ends with this phase. When an external event (such as carrier detection or network administrator configuration) indicates that the physical layer is ready to be used. PPP proceeds to the Link Establishment phase. During this phase, the LCP automaton (described later in this chapter) will be in the Initial or Starting states. The transition to the Link Establishment phase signals an Up event (discussed later in this chapter; to the LCP automaton. |
| Establish Link | The link control protocol (LCP) is used to establish the connection through an exchange of configuration packets. An establish link phase is entered once a Confiure-Ack packet (described later in this chapter) has been both sent and received. |
| Authentication | Authentication is an optional PPP mechanism. If it does take place, it typically does so soon after the establish link phase. |
| Phase | Description |
| Network Layer Protocol | Ono: PPP has completed the establish or authentication phases, each network-layer protocol (such as IP. IPX. orAppleTalk) MUST he separately configured by the appropriate network control protocol <NCP). |
| Link Termination | PPP can terminate the link at any time, after which PPP should proceed to the Link Dead phase. |
How these phases interact to configure, maintain, and terminate a point-to-point link is shown in Figure 4.25.
Figure 4.25. PPP Phases8
As defined by PPP layer 1 (i.e., RFC1662), data are encapsulated within the PPP frame, an example of which is shown in Figure 4.26.
Figure 4.26. PPP HDLC-like Frame8
The flag bytes mark the beginning and end of a frame, and are each set to 0x7E. The address byte is a high-level data-link control (HDLC) broadcast address and is always set to 0xFF, since PPP does not assign individual device addresses. The control byte is an HDLC command for UI (unnumbered information) and is set to 0x03. The protocol field defines the protocol of the data within the information field (i.e., 0x0021 means the information field contains IP datagram, 0xC021 means the information field contains link control data, 0x8021 means the information field contains network control data – see Table 4.2). Finally, the information field contains the data for higher-level protocols, and the FCS (frame check sequence) field contains the frame's checksum value.
Table 4.2. Protocol Information8
| Value (in hex) | Protocol Name |
|---|---|
| 0001 | Padding Protocol |
| 0003 to 001 f | Reserved (transparency inefficient) |
| 007d | Reserved (Control Escape) |
| 00cf | Reserved (PPP NLPID) |
| 00ff | Reserved (compression inefficient) |
| 8001 to 801 f | Unused |
| 807d | Unused |
| 80cf | Unused |
| 80ff | Unused |
| c021 | Link Control Protocol |
| c023 | Password Authentication Protocol |
| c025 | Link Quality Report |
| c223 | Challenge Handshake Authentication Protocol |
The data-link protocol may also define a frame format. An LCP frame, for example, is as shown in Figure 4.27.
Figure 4.27. LCP Frame8
The data field contains the data intended for higher networking layers, and is made up of information (type, length, and data). The length field specifies the size of the entire LCP frame. The identifier is used to match client and server requests and responses. Finally, the code field specifies the type of LCP packet (indicating the kind of action being taken); the possible codes are summarized in Table 4.3. Frames with codes 1–4 are called link configuration frames, 5 and 6 are link termination frames, and the rest are link management packets.
Table 4.3. LCP Codes8
| Code | Definition |
|---|---|
| I | Configure-Request |
| 2 | Configure-Ack |
| 3 | Configure-Nak |
| 4 | Configure-Reject |
| 5 | Terminate-Request |
| 6 | Terminate-Ack |
| 7 | Code-Reject |
| 8 | Protocol-Reject |
| 9 | Echo-Request |
| 10 | Echo-Reply |
| 11 | Discard-Request |
| 12 | Link Quality Report |
The LCP code of an incoming LCP datagram determines how the datagram is processed, as shown in the pseudocode example below.
In order for two devices to be able to establish a PPP link, each must transmit a data-link protocol frame, such as LCP frames, to configure and test the data-link connection. As mentioned, LCP is one possible protocol that can be implemented for PPP, to handle PPP handshaking. After the LCP frames have been exchanged (and thereby a PPP link established), authentication can then occur. It is at this point where authentication protocols, such as PPP Authentication Protocol or PAP, can be used to manage security, through password authentication and so forth. Finally, Network Control Protocols (NCP) such as IPCP (Internet Protocol Control Protocol) establish and configure upper-layer protocols in the network layer protocol settings, such as IP and IPX.
At any given time, a PPP connection on a device is in a particular state, as shown in Figure 4.28; the PPP states are outlined in Table 4.4.
Figure 4.28. PPP Connection States and Events8
Table 4.4. PPP States8
| States | Definition |
|---|---|
| Initial | PPP link is in the Initial state, the lower layer is unavailable (Down), and no Open event has occurred. The Restart timer is not running in the Initial state. |
| Starting | The Starting state is the Open counterpart to the Initial state. An administrative Open has been initiated, but the lower layer is still unavailable (Down). The Restart timer is not running in the Starting state. When the lower layer becomes available (Up), a Configure-Request is sent. |
| Stopped | The Stopped state is the Open counterpart to the Closed state. It is entered when the automaton is waiting for a Down event after the This-Layer-Finished action, or after sending a Terminate-Ack. The Restart timer is not running in the Stopped state. |
| Closed | ln the Closed state, the link is available (Up), but no Open has occurred. The Restart timer is not running in the Closed state. Upon reception of Configure-Request packets, a Terminate-Ack is sent. Terminate-Acks are silently discarded to avoid creating a loop. |
| Stopping | The Stopping state is the Open counterpart to the Closing state. A Terminate-Request has been sent and the Restart timer is running, but a Terminate-Ack has not yet been received. |
| Closing | In the Closing state, an attempt is made to terminate the connection. A Terminate-Request has been sent and the Restart timer is running, but a Terminate-Ack has not yet been received. Upon reception of a Terminate-Ack, the Closed state is entered. Upon the expiration of the Restart timer, a new Terminate-Request is transmitted, and the Restart timer is restarted. After the Restart timer has expired Max-Terminate times, the Closed state is entered. |
| Request-Sent | In the Request-Sent state an attempt is made to Configure the connection. A Configure-Request has been sent and the Restart timer is running, but a Configure-Ack has not yet been received nor has one been sent. |
| Ack-Sent | In the Ack-Received state, a Configure-Request has been sent and a Configure-Ack has been received. The Restart timer is still running, since a Configure-Ack has not yet been sent. |
| Opened | In the Opened state, a Configure-Ack has been both sent and received. The Restart timer is not running. When entering the Opened state, the implementation SHOULD signal the upper layers that it is now Up. Conversely, when leaving the Opened state, the implementation SHOULD signal the upper layers that it is now Down. |
Events (also shown in Figure 4.28) are what cause a PPP connection to transition from state to state. The LCP codes (from the RFC1661 spec) in Table 4.5 define the types of events that cause a PPP state transition.
Table 4.5. PPP Events8
| Event Label | Event | Description |
|---|---|---|
| Up | lower layer is Up | This event occurs when a lower layer indicates that it is ready to carry packets. |
| Down | lower layer is Down | This event occurs when a lower layer indicates that it is no longer ready to carry packets. |
| Open | administrative open | This event indicates that the link is administratively available for traffic; that is, the network administrator (human or program) has indicated that the link is allowed to be Opened. When this event occurs, and the link is not in the Opened state, the automaton attempts to send configuration packets to the peer. |
| Close | administrative close | This event indicates that the link is not available for traffic; that is, the network administrator (human or program) has indicated that the link is not allowed to be Opened. When this event occurs, and the link is not in the Closed state, the automaton attempts to terminate the connection. Further attempts to re-configure the link are denied until a new Open event occurs. |
| TO+ | timeout with counter > 0 | This event indicates the expiration of the Restart timer.The Restart timer is used to time responses to Configure-Request and Termimate-Request packets. The TO+ event indicates that the Restart counter continues to be greater than zero, which triggers the corresponding Configure-Request or Terminate-Request packet to be retransmitted. The TO− event indicates that the Restart counter is not greater than zero, and no more packets need to be retransmitted. |
| TO− | timeout with counter expired | |
| RCR+ | receive configure request good | An implementation wishing to open a connection MUST transmit a Configure-Request. The Options field is filled with any desired changes to the link defaults.Configuration Options SHOULD NOT be included with default values. |
| RCR− | receive configure request bad | |
| RCA | receive configure ack | This event occurs when a valid Configure-Ack packet is received from the peer. The Configure-Ack packet is a positive response to a Configure-Request packet. An out of sequence or otherwise invalid packet is silently discarded. If every Configuration Option received in a Configure-Request is recognizable and all values are acceptable, then the implementation MUST transmit a Configure-Ack. The acknowledged Configuration Options MUST NOT be reordered or modified in any way. On reception of a Configure-Ack, the Identifier field MUST match that of the last transmitted Configure-Request. Additionally, the Configuration Options in a Configure-Ack MUST exactly match those of the last transmitted Configure-Request. Invalid packets are silently discarded. |
| RCN | receive configure nak/rej | This event occurs when a valid Configure-Nak or Configure-Reject packet is received from the peer. The Configure-Nak and Configure-Reject packets are negative responses to a Configure-Request packet. An out of sequence or otherwise invalid packet is silently discarded. |
| RTR | receive terminate request | This event occurs when a Terminate-Request packet is received. The Terminate-Request packet indicates the desire of the peer to close the connection. |
| RTA | receive terminate ack | This event occurs when a Terminate-Ack packet is received from the peer. The Terminate-Ack packet is usually a response to a Terminate-Request packet. The Terminate-Ack packet may also indicate that the peer is in Closed or Stopped states, and serves to re-synchronize the link configuration. |
| RUC | receive unknown code | This event occurs when an uninterpretable packet is received from the peer. A Code-Reject packet is sent in response. |
| RXJ+ | receive code reject permitted or receive protocol reject | This event occurs when a Code-Reject or a Protocol-Reject packet is received from the peer. The RXJ+ event arises when the rejected value is acceptable, such as a Code-Reject of an extended code, or a Protocol-Reject of an NCR. These are within the scope of normal operation. The implementation MUST stop sending the offending packet type. The RXJ− event arises when the rejected value is catastrophic, such as a Code-Reject of Configure-Request, or a Protocol-Reject of LCP! This event communicates an unrecoverable error that terminates the connection. |
| RXJ− | receive code reject catastrophic or receive protocol reject | |
| RXR | receive echo request, receive echo reply, or receive discard request | This event occurs when an Echo-Request, Echo-Reply or Discard-Request packet is received from the peer. The Echo-Reply packet is a response to an Echo-Request packet. There is no reply to an Echo-Reply or Discard-Request packet. |
As PPP connections transition from state to state, certain actions are taken stemming from these events, such as the transmission of packets and/or the starting or stopping of the Restart timer, as outlined in Table 4.6.
Table 4.6. PPP Actions8
| Action Label | Action | Definition |
|---|---|---|
| tlu | this layer up | This action indicates to the upper layers that the automaton is entering the Opened state. Typically, this action is used by the LCP to signal the Up event to an NCP, Authentication Protocol, or Link Quality Protocol, or MAY be used by an NCP to indicate that the link is available for its network layer traffic. |
| tld | this layer down | This action indicates to the upper layers that the automaton is leaving the Opened state. Typically, this action is used by the LCP to signal the Down event to an NCP, Authentication Protocol, or Link Quality Protocol, or MAY be used by an NCP to indicate that the link is no longer available for its network layer traflic. |
| tls | this layer started | This action indicates to the lower layers that the automaton is entering the Starting state, and the lower layer is needed for the link. The lower layer SHOULD respond with an Up event when the lower layer is available. The results of this action are highly implementation dependent. |
| tlf | this layer finished | This action indicates to the lower layers that the automaton is entering the Initial, Closed or Stopped states, and the lower layer is no longer needed for the link. The lower layer SHOULD respond with a Down event when the lower layer has terminated. Typically, this action MAY be used by the LCP to advance to the Link Dead phase, or MAY be used by an NCP to indicate to the LCP that the link may terminate when there are no other NCPs open. This results of this action are highly implementation dependent. |
| irc | initialize restart count | This action sets the Restart counter to the appropriate value (Max-Terminate or Max-Configure). The counter is decremented for each transmission, including the first. |
| zrc | zero restart count | This action sets the Restart counter to zero. |
| scr | send configure request | Configure-Request packet is transmitted. This indicates the desire to open a connection with a specified set of Configuration Options. The Restart timer is started when the Configure-Request packet is transmitted, to guard against packet loss. The Restart counter is decremented each time a Configure-Request is sent. |
| sca | send configure ack | A Configure-Ack packet is transmitted. This acknowledges the reception of a Configure-Request packet with an acceptable set of Configuration Options. |
| scn | send configure nak/rej | A Configure-Nak or Configure-Reject packet is transmitted, as appropriate. This negative response reports the reception of a Configure-Request packet with an unacceptable set of Configuration Options, Configure-Nak packets are used to refuse a Configuration Option value, and to suggest a new, acceptable value, Configure-Reject packets are used to refuse all negotiation about a Configuration Option, typically because it is not recognized or implemented. The use of Configure-Nak versus Configure-Reject is more fully described in the chapter on LCP Packet Formats. |
| str | send terminate request | A Terminate-Request packet is transmitted. This indicates the desire to close a connection. The Restart timer is started when the Terminate-Request pocket is transmitted, to guard against packet loss. The Restart counter is decremented each time a Terminate-Request is sent. |
| sta | send terminate ack | A Terminate-Ack packet is transmitted. This acknowledges the reception of a Terminate-Request packet or otherwise serves to synchronize the automatons. |
| scj | send code reject | A Code-Reject packet is transmitted. This indicates the reception of an unknown type of packet. |
| ser | send echo reply | An Echo-Reply packet is transmitted. This acknowledges the reception of an Echo-Request packet. |
PPP states, actions, and events are usually created and configured by the platform-specific code at boot-time, some of which is shown in pseudocode form on the next several pages. A PPP connection is in an initial state upon creation; thus, among other things, the ‘initial’ state routine is executed. This code can be called later at runtime to create and configure PPP, as well as respond to PPP runtime events (i.e., as frames are coming in from lower layers for processing). For example, after PPP software demuxes a PPP frame coming in from a lower layer, and the checksum routine determines the frame is valid, the appropriate field of the frame can then be used to determine what state a PPP connection is in and thus what associated software state, event, and/or action function needs to be executed. If the frame is to be passed to a higher layer protocol, then some mechanism is used to indicate to the higher layer protocol that there are data to receive (IPReceive for IP, for example).
Figure 4.29. Initial LCP State
Read full chapter
URL: https://www.sciencedirect.com/science/article/pii/B9780750684552000042
The SSH Server Basics
In Next Generation SSH2 Implementation, 2009
PPP over SSH
The point-to-point-protocol describes the connection and the following communication steps between two virtual network interfaces. Through a simple configuration, it is possible to tunnel communications through ssh.
As you can see, ssh represents a plus, which allows most services to add the security concept in the transmission and authentication without turning to compromises other than that of the time required for the initial setup of the environment. We can protect any type of service by differentiating which communications are protected from ssh and which are not. The use of ssh is therefore recommended for all services that do not natively offer the protection and check for the integrity of the media.
Read full chapter
URL: https://www.sciencedirect.com/science/article/pii/B9781597492836000076
Domain 4
Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP® (Third Edition), 2017
VPN
Virtual private networks (VPNs secure data sent via insecure networks like the Internet. The goal is to virtually provide the privacy afforded by a circuit, such as a T1. The basic construction of VPNs involves secure authentication, cryptographic hashes such as SHA-1 to provide integrity, and ciphers such as AES to provide confidentiality.
PPP
PPP (point-to-point protocol) is a layer 2 protocol that provides confidentiality, integrity, and authentication via point-to-point links. PPP supports synchronous links, such as T1s, in addition to asynchronous links, such as modems.
IPsec
IPv4 has no built-in confidentiality; higher-layer protocols like TLS provide security. To address this lack of security at layer 3, IPsec (Internet protocol security) was designed to provide confidentiality, integrity, and authentication via encryption for IPv6. IPsec is ported to IPv4. IPsec is a suite of protocols; the major two are encapsulating security protocol (ESP) and authentication header (AH). Each has an IP protocol number; ESP is protocol 50 and AH is protocol 51.
SSL and TLS
Secure sockets layer (SSL) protects HTTP data: HTTPS uses TCP port 443. TLS is the latest version of SSL, equivalent to SSL version 3.1. The current version of TLS is 1.2.
Though initially focused on the web, SSL or TLS may be used to encrypt many types of data and can be used to tunnel other IP protocols to form VPN connections. SSL VPNs can be simpler than their IPsec equivalents: IPsec makes fundamental changes to IP networking, so installation of IPsec software changes the operating system, which requires super-user privileges. SSL client software does not require altering the operating system. Also, IPsec is difficult to firewall, while SSL is much simpler.
Read full chapter
URL: https://www.sciencedirect.com/science/article/pii/B9780128112489000048
MCSA/MCSE 70-291: Configuring the Windows Server 2003 Routing and Remote Access Service VPN Services
Deborah Littlejohn Shinder, ... Laura Hunter, in MCSA/MCSE (Exam 70-291) Study Guide, 2003
L2TP/IPSec
L2TP, first introduced with Windows 2000, combines the benefits of PPTP with Cisco System’s Layer Two Forwarding (L2F) protocol. Generally, a layer-two connection is used to connect a remote client with a remote access server, and consequently the PPP connection also terminates at the same endpoints as the layer two connections.
L2TP extends PPP to allow the PPP and layer-two endpoints to reside on different devices. Whereas PPTP connects systems over an IP network only, L2TP allows for connectivity over IP, X.25, Frame Relay, or Asynchronous Transfer Mode (ATM). When IP is used as a transport mechanism, L2TP uses UDP packets and special L2TP messages to handle tunnel management. L2TP also carries the tunneled data in UDP encapsulated PPP flames. Remember that Microsoft’s PPTP provides encryption via MPPE as well as compression via Microsoft Point-to-Point Compression (MPPC). L2TP has provisions for encrypted and compressed PPP encapsulated payloads; however, the Microsoft implementation of L2TP does not provide for these features directly. To encrypt the encapsulated PPP payload, Microsoft’s implementation of L2TP must be used with IPSec’s Encapsulating Security Payload (ESP) protocol.
Note
L2TP can be used only if both the VPN server and VPN client support it. Windows 2000 and Windows XP clients and Windows 2000 and Windows Server 2003 servers include built-in L2TP/IPSec support. Windows 9x and Windows NT clients do not include L2TP support, but you can download an L2TP/IPSec client for Windows 98, Windows ME, and Windows NT Workstation 4.0 from Microsoft’s Web site at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/12tpclient.asp.
L2TP is described in IETF RFC 2661. The combination of L2TP with IPSec is described in IETF RFC 3193.
Head of the Class…
NAT Traversal
Using IPSec encrypts not only the data payload, but also the UDP header. This presents a problem if the data needs to be tunneled behind a NAT server or router. The UDP header specifies the UDP port number for packet forwarding to a specific service. Encryption of the UDP header means encryption of the UDP port number information, and consequently no forwarding of L2TP/IPSec traffic.
The solution to this problem is a technology called NAT traversal (NAT-T), which was developed by a consortium of technology companies, including Cisco Systems and Microsoft NAT-T uses UDP encapsulation, placing the IPSec packet inside a UCP/IP header. This way, NAT devices can change the IP address or port number without changing the IPSec packet. NAT traversal communications are transmitted through UDP port 500 (which is normally open for IKE when IPSec is used).
If the VPN client and server both support NAT-T, the client and/or server may be placed behind a NAT server or router. Windows Server 2003, unlike Windows 2000 Server, provides special NAT-T capabilities. Microsoft offers a new VPN client that supports client-side NAT-T for Windows NT 4.0, Windows 98, and Windows ME clients, to be used when connecting to a Windows Server 2003 server.
Both L2TP/IPSec and PPTP/MPPE exhibit certain advantages and disadvantages. Table 7.2 compares L2TP/IPSec with PPTP/MPPE.
Table 7.2. Comparison of L2TP/IPSec and PPTP/MPPE
| Factor | PPTP Advantages and Constraints | L2TP/IPSec Advantages and Constraints |
|---|---|---|
| Client operating systems supported | Supported on clients running Windows 2000, Windows XP, Windows Server 2003, Windows NT Workstation 4.0, Windows ME, or Windows 98 | Built-in support on clients running Windows 2000, Windows XP, or Windows Server 2003. MIs2tp.exe must be installed for support on clients running Windows 98, Windows Me, or Windows NT Workstation 4.0. |
| Certificate support | PPTP requires a certificate infrastructure for EAP-TLS infrastructure for EAO-TLS authenticating server and user certificates to all VPN clients or to issue smart cards to all user, | L2TP/IPSec requires a certificate infrastructure or a preshared key(PSK) to issue computer certificates to the VPN server and all VPN clients |
| Security | Captured packets cannot be interpreted without the encryption key—confidentiality, Does not provide proof that the data was not modified in transit—data integrity. Does not provide proof that the data was sent by the authorized user—data origin authentication. Use MS-CHAP v2 as the authentication with strong passwords to increase security. | Provides data confidentiality, data integrity, data origin authentication, and replay protection. Offers the highest level of security. |
| Performance | A VPN server is capable of supporting more PPTP connections than L2TP/IPSec connections. | IPSec encryption is processing-intensive. A VPN server supports fewer L2TP connections than PPTP connections because of additional processing overhead. To support additional L2TP connections, increase CPU processing power or network adapters designed for encrypted traffic. |
| NAT support | PPTP-based VPN clients can be located behind a NAT if the NAT includes an editor that can translate PPTR | If you locate L2TP/IPSec-based clients or servers behind a NAT, both client and server must support IPSec NAT traversal (NAT-T). |
Exam Warning
L2TP is still the latest and greatest for VPN security. Ensure that you understand the similarities and differences between L2TP and PPTP. Although L2TP/IPSec tends to provide a more secure VPN solution, PPTP still has its advantages as well. Make sure you understand the advantages and disadvantages of each.
Now that you understand the basic concepts and terminology associated with Windows Server 2003 VPNs, we will move on to practice some hands-on configurations and you’ll learn how to put the concepts to work. The following preconfiguration checklist will simplify the configuration settings outlined in the next section:
1.Review the basic VPN concepts. Determine the type of VPN you wish to configure: router-to-router or client-server.
2.Ensure hardware is compatible and install necessary hardware.
3.Install and enable the Routing and Remote Access service as outlined in Exercise 7.01.
Read full chapter
URL: https://www.sciencedirect.com/science/article/pii/B9781931836920500135
