As first introduced in Chapter 2, “Wide Area Network (WAN) Technologies,” PPP is a standard for using point-to-point network links that provides the following: ■ A Data Link Layer encapsulation method that supports multiple protocols simultaneously on the same link. ■ A protocol for negotiating the Data Link Layer characteristics of the point-to-point connection named the Link Control Protocol (LCP). ■ A series of protocols for negotiating the Network Layer properties of Network Layer protocols over the point-to-point connection named Network Control Protocols (NCPs). For example, RFCs 1332 and 1877 describe the Internet Protocol Control Protocol (IPCP), the NCP for IP. IPCP is used to negotiate an IP address, the addresses of name servers, and the use of the Van Jacobsen TCP compression protocol. PPP Connection Process There are four phases to a PPP connection, all of which must be completed before data can be sent on the connection. The four phases are the following 1. PPP configuration using LCP 2. Authentication using a PPP authentication protocol (optional 3. Callback 4. Protocol configuration using NCPs Phase 1: PPP Configuration Using LCP In the first phase of the PPP connection process, PPP connection parameters are configured using LCP. With LCP, the PPP peers negotiate a common set of parameters that are used for all subsequent phases of the PPP connection and for sending data. Some of the communication parameters that are negotiated are the following: ■ The maximum receive unit (MRU), the largest PPP frame that can be sent on the connection ■ Whether the Address and Control fields in the PPP header are used (for links that use the High-Level Data Link Control [HDLC] encapsulation that is described in RFC 1662) ■ Whether the Protocol field in the PPP header can be compressed from 2 bytes to 1 byte ■ The PPP authentication protocol to be used during the authentication phase ■ Whether Multilink PPP (MP) is used For more information, see the section titled “Link Control Protocol,” later in this chapter. Phase 2: Authentication After LCP negotiation, the authentication process using the PPP authentication protocol nego tiated during phase 1 is performed. This process is specific to the PPP authentication protocol used. For more information, see the section titled “PPP Authentication Protocols” later in this chapter Phase 3: Callback If the authentication process succeeds and callback behavior is configured, the answering PPP peer terminates the connection and initiates a connection to the original calling PPP peer, a feature of PPP implementations known as callback. The PPP implementation in Windows Server 2008 and Windows Vista uses the Callback Control Protocol (CBCP) to complete the callback phase. For more information, see the section titled “Callback and the Callback Control Protocol,” later in this chapter. Phase 4: Protocol Configuration Using NCPs After PPP is configured, the original initiating PPP peer is authenticated, and callback is done (optional and only if configured), individual data protocols and ancillary PPP services such as encryption and compression are configured using NCPs. For more information, see the section titled “Network Control Protocols,” later in this chapter. PPP Connection Termination After a PPP connection is established, it can be terminated at any time by either the connection-initiating or connection-receiving PPP peer. PPP connections can be terminated by user action, connection policy action (such as terminating the connection after a specific amount of idle time), or link failure. When the PPP connection terminates, PPP informs the data protocols that were operating over it that the point-topoint interface is no longer available. Link Control Protocol LCP, described in RFC 1661, is a simple protocol to configure a common set of PPP connection parameters (for phase 1 of the PPP connection). It is also used by NCPs to configure specific data protocol configuration parameters (for phase 2 of the PPP connection). LCP uses the PPP Protocol ID 0xC0-21. Figure 4-1 shows an LCP f ■ Code A 1-byte field that identifies the type of LCP message ■ Identifier A 1-byte field that identifies a specific pair of LCP messages: the request and ■ Length A 2-byte length field that indicates the size of the LCP message in bytes ■ Data A variable-sized field that contains the LCP frame typespecific data LCP Options The data portion of an LCP message consists of one or more LCP options for the ConfigureRequest, Configure-Ack, Configure-Nak, and ConfigureReject LCP frames. An LCP option is formatted in type-length-value (TLV) format. A 1-byte Type field indicates the option type, a 1-byte Length field indicates the length in bytes of the entire option, and the Option Data field contains the data of the option. Figure 4-2 shows an LCP message that contains LCP options. LCP Negotiation Process LCP is used to negotiate the parameters of PPP when sending data in a single direction on the PPP connection. Different PPP parameters could be negotiated in the two different directions of data travel on a PPP connection. Therefore, each PPP peer must perform a separate LCP negotiation. An LCP negotiation is used by a PPP peer to establish how the other PPP peer should send data to it. Each LCP negotiation is a series of LCP frames to negotiate the use of a common set of parameters for data sent by the PPP peer on the other side of the PPP connection from the LCP negotiation initiator. For two PPP peers, Peer A and Peer B, Peer A initiates an LCP negotiation for the data to be sent by Peer B and Peer B initiates a separate LCP negotiation for the data to be sent by Peer A. An individual LCP negotiation consists of an initial set of LCP options using the LCP Configure-Request message. The specific set of LCP options is negotiated using Configure-Nak and Configure-Reject messages and finally confirmed with a Configure-Ack message. Both negotiations occur simultaneously, making it more difficult to read the captures of PPP connection establishments. PPP Authentication Protocols After LCP negotiation is complete, the authentication protocol agreed on during LCP negotia tion using LCP option 3 is used to establish the identity and credentials of the PPP peer that is requesting the PPP connection, typically a remote access client (for remote access dial-up or vir tual private network [VPN] connections) or a calling router (for router-torouter dial-up or VPN connections). The authentication process is phase 2 of the PPP connection establishment. Windows Server 2008 and Windows Vista support the following PPP authentication protocols: ■ Password Authentication Protocol (PAP) ■ Challenge Handshake Authentication Protocol (CHAP) ■ Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAP v2) ■ Extensible Authentication Protocol (EAP) PAP PAP is a very simple, plain-text authentication protocol described in RFC 1334. The entire PAP negotiation consists of the following messages: 1. The connection-initiating PPP peer (the calling peer) sends a PAP Authenticate-Request message to the authenticating PPP peer (the answering peer), which contains the calling peer’s user name and password in plain-text. 2. The answering peer validates the user name and password. If the user name and password are correct, the answering peer sends a PAP Authenticate-Ack message. If not, the answering peer sends a PAP Authenticate-Nak message. Obviously, PAP is not a secure authentication protocol. A malicious user that can capture the PAP frames sent between the calling peer and answering peer can view the contents of the PAP Authenticate-Request message to determine the user name and password of a valid user account. The use of PAP is highly discouraged and is only included in Windows Server 2008 and Windows Vista for troubleshooting and compatibility with PPP peers that do not support more secure authentication protocols. CHAP CHAP is a more secure authentication protocol, described in RFC 1994, which uses a challenge–response exchange of messages to validate that the calling peer has knowledge of the user’s password. The password itself is never sent. Although more secure than PAP, CHAP does not provide mutual authentication. The calling peer authenticates to the answering peer but the answering peer does not authenticate to the calling peer. Without mutual authentication, a calling peer is unable to determine whether it is calling a valid answering peer. MS-CHAP v2 MS-CHAP v2 is a CHAP-based authentication protocol described in RFC 2759 that, unlike CHAP, provides mutual authentication. With MS-CHAP v2, the answering peer receives confirmation that the calling peer has knowledge of the user account’s password and the calling peer receives confirmation that the answering peer has knowledge of the user account’s password. To provide for this mutual authentication, both peers issue a challenge and must receive a valid response or the connection is terminated EAP EAP was designed as an extension to PPP to allow for more extensibility and flexibility in the implementation of authentication methods for PPP connections. For PAP, CHAP, and MS CHAP v2, the authentication process is a fixed exchange of messages. With EAP, the authenti cation process can consist of an open-ended conversation, in which messages are sent by either PPP peer on an as-needed basis. In addition, unlike the PPP authentication protocols discussed so far in this chapter, EAP does not select a specific authentication method during phase 1 of the connection. Rather, the selection of a specific EAP authentication method, known as an EAP type, is done during phase 3 of the connection. EAP is described in RFC 3748. Callback and the Callback Control Protocol After the authentication phase of the PPP connection process, CBCP negotiates the use of callback. If callback is negotiated, the answering PPP peer terminates the PPP connection, and then calls the original calling PPP peer at a specified phone number. CBCP messages use the PPP Protocol ID 0xC0-29 and have the same structure as LCP messages. However, only the first seven LCP message types are used, corresponding to LCP Codes 1 through 3. For the Callback-Request (Code set to 1), Callback-Response (Code set to 2), and Callback-Ack (Code set to 3) messages, the data portion of the CBCP message contains one or more CBCP options. Network Control Protocols After the callback phase of the PPP connection process, individual NCPs are used to negotiate the configuration of networking protocols, such as TCP/IP, and the additional PPP facilities of compression and encryption. IPCP PCP is used to automatically configure TCP/IP configuration for a calling PPP peer. IPCP as used by Windows-based PPP peers is described in RFCs 1332 and 1877. RFC 1332 defines the original set of IPCP options and RFC 1877 defines an additional set of options to automatically configure the IP address of name servers such as Domain Name System (DNS) and Windows Internet Name Service (WINS) servers. Compression Control Protocol Compression Control Protocol (CCP), described in RFC 1962, allows PPP peers to negotiate the use of a data compression algorithm. CCP messages use the PPP Protocol 0x80-FD and have the same structure as LCP messages. However, only the first seven LCP message types are used, corresponding to LCP Codes 1 through 7. For the Configure-Request (Code set to 1), Configure-Ack (Code set to 2), Configure-Nak (Code set to 3), and Configure-Reject (Code set to 4) CCP messages, the data portion of the CCP message contains one or more CCP options. Table 4-6 lists these CCP options. Encryption Control Protocol Encryption Control Protocol (ECP), described in RFC 1968, allows PPP peers to negotiate the use of a data encryption algorithm. ECP messages use the PPP Protocol IDs 0x80-53 or 0x8055 and have the same structure as LCP messages. However, because Windows-based PPP peers only support the use of MPPE for encryption of PPP payloads, ECP is not supported or used. For more information, see RFC 1968. Network Monitor Example The following summary of Capture 04-01 in the \Captures folder on the companion CD-ROM is an example of a successful PPP connection using the MSCHAP v2 authentication protocol In this example, the following frames show the four phases of the PPP connection: ■ Frames 1 through 8 and frames 10 and 11 are for phase 1, the LCP negotiation. ■ Frames 9, 12, and 13 are for phase 2, authentication. ■ Frames 14 through 16 are for phase 3, callback. ■ Frames 16, 19, 20, and 23 are for CCP negotiation (in phase 4). ■ Frames 18, 21, 22, and 24 through 28 are for IPCP negotiation (in phase 4). PPP over Ethernet PPP over Ethernet (PPPoE) is a method of encapsulating PPP frames so that they can be sent over an Ethernet network. PPPoE was created so that Internet service providers (ISPs) that deploy a broadband Internet access technology in a bridged Ethernet topology, such as cable modems or Digital Subscriber Line (DSL), can use the peruser authentication and connection identification facilities of PPP to identify individual customer connections for accounting and billing purposes. PPPoE is described in RFC 2516. PPPoE Discovery Stage The PPPoE discovery process consists of the following four PPPoE frames 1. The PPPoE Active Discovery Initiation (PADI) frame is sent by the PPPoE client to the Ethernet broadcast address (0xFF-FF-FF-FF-FF-FF). Within the Ethernet payload, the Code field is set to 9, the Session ID is set to 0, and there is a single Service-Name PPPoE tag, as well as other tags as needed. If the network connection in the Network Connections folder corresponding to the broadband Internet adapter has been configured with a service name, that service name is sent. Otherwise, the PADI frame is sent with a null service name. 2. The PPPoE Active Discovery Offer (PADO) frame is sent by the AC to the unicast MAC address of the PPPoE client. Within the Ethernet payload, the Code field is set to 7, the Session ID is set to 0, there are the AC-Name and Service-Name tags, and other tags as needed. If the network connection in the Network Connections folder corresponding to the broadband Internet adapter has not been configured with a service name, it is automatically set to the value of the Service-Name tag in the PADO frame. 3. The PPPoE Active Discovery Request (PADR) frame is sent by the PPPoE client to the unicast MAC address of the AC. Within the Ethernet payload, the Code field is set to 25, the Session ID is set to 0, and there is a Service-Name tag and other tags as needed. 4. The PPPoE Active Discovery Session-confirmation (PADS) frame is sent by the AC to the unicast MAC address of the PPPoE client. Within the Ethernet payload, the Code field is set to 101, the Session ID field is set to the session ID for the PPP session of the PPPoE client, and there is a Service-Name tag, as well as other tags as needed. PPPoE Session Stage Summary PPP is used for encapsulation, link negotiation, and network protocol negotiation for network protocol packets that are sent over a point-to-point link. The PPP connection process has four phases: link negotiation, authentication, callback negotiation, and network protocol negotiation. During link negotiation, each PPP peer determines how it will send PPP frames. During authentication, PPP authentication protocols such as MS-CHAP v2 or EAP-TLS are used to verify the credentials of the calling or answering PPP peer. During callback negotiation, the calling and answering PPP peers determine whether the answering PPP peer will call the calling peer back and at which phone number. During network protocol negotiation, NCPs such as IPCP, CCP, and ECP are used to determine the use and configuration of TCP/IP, compression, and encryption. PPPoE is a method of encapsulating PPP frames so that they can be sent over an Ethernet link. A PPPoE connection consists of two phases: a PPPoE discovery phase and a PPPoE session phase. After a PPPoE connection is negotiated during the discovery phase, PPP is used to negotiate a connection and send network protocol frames during the PPPoE session phase.