NE40E V800R010C00 Feature Description - WAN Access 01

PPP Link Establishment Process

A PPP link is set up through a series of negotiations, as shown in Figure 4-3.

Figure 4-3  PPP link establishment process

The PPP link establishment process is as follows:

  1. Two devices enter the Establish phase if one of them sends a PPP connection request to the other.

  2. In the Establish phase, the two devices perform an LCP negotiation to negotiate the working mode, maximum receive unit (MRU), authentication mode, and magic number. The working mode can be either Single-Link PPP (SP) or Multilink PPP (MP). If the LCP negotiation succeeds, LCP enters the Opened state, which indicates that a lower-layer link has been established.

  3. If authentication is configured, the two devices enter the Authentication phase and perform Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) authentication. If no authentication is configured, the two devices enter the Network phase.

  4. In the Authentication phase, if PAP or CHAP authentication fails, the two devices enter the Termination phase. The link is torn down and LCP enters the Down state. If PAP or CHAP authentication succeeds, the two devices enter the Network phase, and LCP remains in the Opened state.

  5. In the Network phase, the two devices perform an NCP negotiation to select a network-layer protocol and to negotiate network-layer parameters. After the two devices succeed in negotiating a network-layer protocol, packets can be sent over this PPP link using the network-layer protocol.

    Various control protocols, such as IP Control Protocol (IPCP) and Multiprotocol Label Switching Control Protocol (MPLSCP), can be used in NCP negotiation. IPCP mainly negotiates the IP addresses of the two devices.

  6. If the PPP connection is interrupted during PPP operation, for example, if the physical link is disconnected, the authentication fails, the negotiation timer expires, or the connection is torn down by the network administrator, the two devices enter the Termination phase.

  7. In the Termination phase, the two devices release all resources and enter the Dead phase. The two devices remain in the Dead phase until a new PPP connection is established between them.

Dead Phase

The physical layer is unavailable during the Dead phase. A PPP link begins and ends with this phase.

When two devices detect that the physical link between them has been activated, for example, when carrier signals are detected on the physical link, the two devices move from the Dead phase to the Establish phase.

After the PPP link is terminated, the two devices enter the Dead phase.

Establish Phase

In the Establish phase, the two devices perform an LCP negotiation to negotiate the working mode (SP or MP), MRU, authentication mode, and magic number. After the LCP negotiation is complete, the two devices enter the next phase.

In the Establish phase, the LCP status changes as follows:

  • If the link is unavailable (in the Dead phase), LCP is in the Initial or Starting state. When the physical layer detects that the link is available, the physical layer sends an Up event to the link layer. Upon receipt, the link layer changes the LCP status to Request-Sent. Then, the devices at both ends send Configure-Request packets to each other to configure a data link.

  • If the local device first receives a Configure-Ack packet from the peer, the LCP status changes from Request-Sent to Ack-Received. After the local device sends a Configure-Ack packet to the peer, the LCP status changes from Ack-Received to Open.

  • If the local device first sends a Configure-Ack packet to the peer, the LCP status changes from Request-Sent to Ack-Sent. After the local device receives a Configure-Ack packet from the peer, the LCP status changes from Ack-Sent to Open.

  • After LCP enters the Open state, the next phase starts.

The next phase is the Authentication or Network phase, depending on whether authentication is required.

Authentication Phase

The Authentication phase is optional. By default, PPP does not perform authentication during PPP link establishment. If authentication is required, the authentication protocol must be specified in the Establish phase.

PPP provides two password authentication modes: PAP authentication and CHAP authentication.

NOTE:

Two authentication methods are available: unidirectional authentication and bidirectional authentication. In unidirectional authentication, the device on one end functions as the authenticating device, and the device on the other end functions as the authenticated device. In bidirectional authentication, each device functions as both the authenticating and authenticated device. In practice, only unidirectional authentication is used.

PAP Authentication Process

PAP is a two-way handshake authentication protocol that transmits passwords in plaintext.

Figure 4-4 shows the PAP authentication process.

Figure 4-4  PAP authentication process

  1. The authenticated device sends the local user name and password to the authenticating device.

  2. The authenticating device checks whether the received user name is in the local user list.
    • If the received user name is in the local user list, the authenticating device checks whether the received password is correct.
      • If the password is correct, the authentication succeeds.
      • If the password is incorrect, the authentication fails.
    • If the received user name is not in the local user list, the authentication fails.

PAP Packet Format

A PAP packet is encapsulated into the Information field of a PPP packet with the Protocol field value 0xC023. Figure 4-5 shows the PAP packet format.
Figure 4-5  PAP packet format

Table 4-4 describes the fields in a PAP packet.
Table 4-4  PAP packet fields

| Field | Length in Bytes | Description |
|---|---|---|
| Code | 1 | Type of a PAP packet: 0x01 for Authenticate-Request packets; 0x02 for Authenticate-Ack packets; 0x03 for Authenticate-Nak packets. |
| Identifier | 1 | Identifier used to match requests with replies. |
| Length | 2 | Length of a PAP packet, including the lengths of the Code, Identifier, Length, and Data fields. Bytes outside the range of the Length field are treated as padding and are discarded. |
| Data | 0 or more | Data contents that are determined by the Code field. |

CHAP Authentication Process

CHAP is a three-way handshake authentication protocol. CHAP transmits only user names but not passwords, so it is more secure than PAP.

Figure 4-6 shows the CHAP authentication process.

Figure 4-6  CHAP authentication process

Unidirectional CHAP authentication applies to the following scenarios:

  • The authenticating device is configured with a user name (this scenario is recommended). In this scenario:

    1. The authenticating device initiates an authentication request by sending a randomly generated Challenge packet that carries the local user name to the authenticated device.

    2. After the authenticated device receives the Challenge packet at an interface, the authenticated device checks whether a CHAP password is configured on the interface.
      • If the password is configured, the authenticated device uses the Message Digest 5 (MD5) algorithm to compute a hash value from the Challenge packet, the packet ID, and the password. Then the authenticated device sends a Response packet carrying the generated hash value and local user name to the authenticating device.
      • If the password is not configured, the authenticated device searches the local user table for the password matching the user name of the authenticating device in the received Challenge packet, and uses the MD5 algorithm to compute a hash value from the Challenge packet, the packet ID, and the user password. Then the authenticated device sends a Response packet carrying the generated hash value and local user name to the authenticating device.
    3. The authenticating device uses the MD5 algorithm to compute a hash value from the Challenge packet and the saved password of the authenticated device. Then the authenticating device compares the generated hash value with that carried in the received Response packet and returns a response based on the result of the check. If the two values are the same, the authentication succeeds. If the two values are different, the authentication fails.

  • The authenticating device is not configured with a user name. In this scenario:

    1. The authenticating device initiates an authentication request by sending a randomly generated Challenge packet.

    2. After the authenticated device receives the Challenge packet, the authenticated device uses the MD5 algorithm to compute a hash value from the Challenge packet, the packet ID, and the password configured by the ppp chap password command. Then the authenticated device sends a Response packet carrying the generated hash value and local user name to the authenticating device.

    3. The authenticating device uses the MD5 algorithm to compute a hash value from the Challenge packet and the saved password of the authenticated device. Then the authenticating device compares the generated hash value with that carried in the received Response packet and returns a response based on the result of the check. If the two values are the same, the authentication succeeds. If the two values are different, the authentication fails.
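The challenge/response calculation used in both scenarios above, shown as an added Python example (not part of the original document or of any vendor implementation). It follows the RFC 1994 definition of the Response value, MD5 over Identifier, secret and Challenge value; the `Authenticator` class, the user name `peer-a` and the password are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value per RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Authenticating device: issues challenges and checks responses."""

    def __init__(self, users: dict):
        self.users = users      # user name -> shared password
        self.pending = {}       # packet ID -> outstanding challenge
        self.next_id = 0

    def new_challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # ID is a 1-byte field
        self.pending[ident] = os.urandom(16)      # fresh random challenge
        return ident, self.pending[ident]

    def verify(self, ident: int, name: str, value: bytes) -> bool:
        # pop() makes each challenge single-use, so a replayed Response fails
        challenge = self.pending.pop(ident, None)
        secret = self.users.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, value)   # constant-time compare

def demo():
    """Constructed exchange; returns (valid, replayed, stale, wrong_password)."""
    password = b"constructed-secret"              # sample value, not from the page
    auth = Authenticator({"peer-a": password})
    ident, challenge = auth.new_challenge()
    response = chap_response(ident, password, challenge)
    valid = auth.verify(ident, "peer-a", response)
    replayed = auth.verify(ident, "peer-a", response)
    ident2, _ = auth.new_challenge()
    stale = auth.verify(ident2, "peer-a", response)   # old hash, new challenge
    ident3, challenge3 = auth.new_challenge()
    wrong = auth.verify(ident3, "peer-a", chap_response(ident3, b"guess", challenge3))
    return valid, replayed, stale, wrong

if __name__ == "__main__":
    print(demo())
```

The password never crosses the link, but both ends must hold it in recoverable form, and the protection against replay depends on every challenge being fresh and unpredictable.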

CHAP Packet Format

A CHAP packet is encapsulated into the Information field of a PPP packet with the Protocol field value 0xC023. Figure 4-7 shows the CHAP packet format.
Figure 4-7  CHAP packet format

Table 4-5 describes the fields in a CHAP packet.
Table 4-5  Fields in a CHAP packet

| Field | Length in Bytes | Description |
|---|---|---|
| Code | 1 | Type of a CHAP packet: 0x01 for Challenge packets; 0x02 for Response packets; 0x03 for Success packets; 0x04 for Failure packets. |
| Identifier | 1 | Identifier used to match Challenge packets with Response packets. |
| Length | 2 | Length of a CHAP packet, including the lengths of the Code, Identifier, Length, and Data fields. Bytes outside the range of the Length field are treated as padding and are discarded. |
| Data | 0 or more | Data contents that are determined by the Code field. |
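PAP and CHAP packets share the Code/Identifier/Length/Data layout in Tables 4-4 and 4-5, so one parser covers both. The following is an added Python example, not code from the original document: it validates the Length field, drops padding, and for a PAP Authenticate-Request reports that a readable password is present. The function names and the sample packet are constructed, and the Authenticate-Request Data layout is taken from RFC 1334, not from this page.

```python
import struct

PAP_CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack", 3: "Authenticate-Nak"}
CHAP_CODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def parse_auth_packet(buf: bytes, codes: dict) -> dict:
    """Split a PAP or CHAP packet into Code, Identifier, Length and Data."""
    if len(buf) < 4:
        raise ValueError("shorter than the 4-byte Code/Identifier/Length header")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if code not in codes:
        raise ValueError(f"unknown Code 0x{code:02x}")
    # Length counts the header itself and must fit in what was received.
    if length < 4 or length > len(buf):
        raise ValueError(f"Length {length} inconsistent with {len(buf)} bytes")
    return {"type": codes[code], "id": ident,
            "data": buf[4:length],           # Data ends where Length says
            "padding": len(buf) - length}    # trailing bytes are discarded

def pap_request_summary(data: bytes) -> dict:
    """Summarise Authenticate-Request Data (layout from RFC 1334, not the page):
    1-byte Peer-ID length, Peer-ID, 1-byte password length, password."""
    if len(data) < 2 or 2 + data[0] > len(data):
        raise ValueError("truncated Peer-ID")
    id_len = data[0]
    pw_len = data[1 + id_len]
    if 2 + id_len + pw_len > len(data):
        raise ValueError("truncated password")
    # Report that a readable password is present without echoing it.
    return {"peer_id": data[1:1 + id_len].decode("ascii", "replace"),
            "cleartext_password_bytes": pw_len}

# Constructed sample: PAP Authenticate-Request, ID 7, plus 2 padding bytes.
SAMPLE_PAP = (bytes([0x01, 0x07, 0x00, 0x17, 7]) + b"branch1"
              + bytes([10]) + b"example-pw" + b"\x00\x00")

if __name__ == "__main__":
    pkt = parse_auth_packet(SAMPLE_PAP, PAP_CODES)
    print(pkt["type"], pkt["id"], pkt["padding"], pap_request_summary(pkt["data"]))
```

Any Authenticate-Request seen in a capture means the credentials crossed that link in readable form, which is a useful check when auditing which PPP links still negotiate PAP.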

NOTE:
The differences between PAP and CHAP authentication are as follows:
  • In PAP authentication, passwords are sent over links in plaintext. After a PPP link is established, the authenticated device repeatedly sends the user name and password until authentication finishes. PAP authentication is used on networks that do not require high security.

  • CHAP is a three-way handshake authentication protocol. In CHAP authentication, the authenticated device sends only a user name to the authenticating device. Compared with PAP, CHAP features higher security because passwords are not transmitted. CHAP authentication is used on networks that require high security.

Network Phase

In the Network phase, NCP negotiation is performed to select a network-layer protocol and to negotiate network-layer parameters. An NCP can enter the Open or Closed state at any time. After an NCP enters the Open state, network-layer data can be transmitted over the PPP link.

Termination Phase

PPP can terminate a link at any time. A link can be terminated manually by an administrator or be terminated due to carrier loss, an authentication failure, or other causes.

Updated: 2018-07-04

Document ID: EDOC1100027168
