Even as SLIP was being documented as a "nonstandard" in RFC 1055, work was underway for a newer protocol to provide full-featured IP transmission over direct links between pairs of devices. The result is the Point-to-Point Protocol (PPP), which defines a complete method for robust data link connectivity between units using serial lines or other physical layers. It includes numerous capabilities and features, including error detection, compression, authentication, encryption and much more. Even though PPP is called a "protocol", and even though it is considered part of TCP/IP depending on whom you ask it is really more a protocol suite than a particular protocol. The operation of PPP is based on procedures defined in many individual protocols, as we will see in this section. Thus, PPP can be considered a "protocol suite within a protocol suite" Alternately, its components can be viewed as "subprotocols" within PPP. In this section I provide a comprehensive look at the operation of the Point-to-Point Protocol, in four subsections. The first describes the fundamentals of PPP, including its history, standards and an overview of its general operation. The second explains the .core. protocols that are responsible for setting up PPP links and basic operation. The third covers the protocols used to implement various special features in PPP, such as compression and encryption. The last subsection provides detailed information on the various frame formats used by PPP protocols. PPP FUNDAMENTALS AND OPERATION The problem with the Serial Line Internet Protocol was that it was too simple and didn't include enough features. As the saying goes, "be careful what you wish for", especially when the complaint is too much simplicity. The Point-to-Point Protocol (PPP) corrects the lack of features in SLIP, but you could figure out, without really trying, what the cost is: significantly more complexity. Where the operation of SLIP can be explained in a few paragraphs, PPP is much more involved, including a number of specific processes that need to be explained. Before discussing the individual protocols that comprise PPP, I want to take a high-level look at the protocol suite. I start with an overview, history and discussion of the benefits of PPP. I provide a high-level breakdown of the main components of the PPP suite, and a general description of how PPP operates. I then describe the steps involved in setting up and configuring a link, and the phases a PPP link passes through during its .lifetime.. Finally, I categorize and list the standards that define different aspects of PPP's functionality. IPPP OVERVIEW, HISTORY AND BENEFITS Albert Einstein is credited with the following quote: "Everything should be made as simple as possible - but no simpler". The Serial Line Internet Protocol (SLIP) is a good example of this maxim. It provides basic layer two framing for IP, but it is just too simple for many uses. Since all it does is frame the end of each datagram, it doesn't provide many of the features that we really need for reliable, secure and high-performance operation over serial links. This is especially true today when most serial connections are not short LAN cables but dial-up WAN connections over relatively long distances. PPP Development and Standardization SLIP was basically a "hack" to fill a specific need: bridging the gap between IP at layer three and a serial link at layer one. It "gets the job done" but doesn't provide any of the features we really want in a robust protocol for direct links between devices. PPP was developed to be a complete protocol suite that would enable fully-functional layer two connectivity to support not just IP but the transmission of other network layer protocols as well. The history of PPP goes back to the late 1980s, when SLIP was the de facto standard for serial IP implementations. The first formal IETF document related to PPP was RFC 1134, published in 1989. This RFC is not the standard itself but a proposal for what would eventually be defined as the first main PPP standard, RFC 1171, in 1990. This early document has been revised several times and several other documents added that define the various protocols that comprise the entire PPP suite. PPP standards are described later in this section. The IETF is always smart about not reinventing the wheel. Rather than try to develop PPP from scratch, the decision was made to base it on the ISO High-Level Data Link Control (HDLC) protocol, which was initially developed by IBM. HDLC is a derivative of the Synchronous Data Link Control (SDLC) protocol. PPP's developers adapted its framing structure and some of its general operation from the HDLC protocol. PPP General Function and Architecture PPP is a connection-oriented protocol that enables layer two links over a variety of different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in half-duplex or full-duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection. As its name implies, it is for point-to-point connections between exactly two devices, and assumes that frames are sent and received in the same order. PPP fits into the Network Interface layer (Link Layer) in the TCP/IP model, as shown in Figure 23. The operation of PPP follows a specific sequence described in the general operation topic, including a multi-step link establishment phase that may include optional authentication.
Figure 23: PPP Location in TCP/IP Architecture PPP acts as the interface between the Internet Protocol and a physical link such as a serial line or dial-up networking connection. This corresponds to layer two in the OSI Reference Model. PPP Advantages and Benefits A list of PPP's strengths reads very much like a list of SLIP's weaknesses, which I explained in detail in the topic on SLIP. Some of the specific benefits of PPP compared to SLIP include: * A more comprehensive framing mechanism, compared to the single END character in SLIP. * Specification of the encapsulated protocol, to allow multiple layer three protocols to be multiplexed on a single link. * Error detection for each transmitted frame through the use of a CRC code in each frame header. * A robust mechanism for negotiating link parameters, including the maximum frame size permitted. * A method for testing links before datagram transmission takes place, and monitoring link quality. * Support for authentication of the connection using multiple authentication protocols. * Support for additional optional features, including compression, encryption and link aggregation (allowing two devices to use multiple physical links as if they were a single, higher-performance link). The proliferation of serial links, especially for dial-up Internet access, has led to widespread use of PPP. It is now one of the most popular layer two WAN technologies in the networking world, and has replaced SLIP as the standard for serial connections on all but legacy implementations. While most often associated with dial-up modem use, PPP can run across any similar type of physical layer link. For example, it is often used to provide layer two functionality on ISDN B channels. Key Concept: PPP is a complete link layer protocol suite for devices using TCP/IP, which provides framing, encapsulation, authentication, quality monitoring and other features to enable robust operation of TCP/IP over a variety of physical layer connections. PPP's Extensibility A key advantage of PPP is that it is an extensible protocol suite. Over the years new protocols have been added to the suite, to provide additional features or capabilities. For example, PPP is designed not to use just a single authentication protocol, but to allow a choice of which protocol is used for this purpose. PPP's success has even led to the development of derivative protocols like PPP over Ethernet (PPPoE) and PPP over ATM (PPPoA). These actually layer PPP over existing data link layer technologies, which shows you how valued PPP's features are - even when a layer two technology is already in use, applying PPP on top provides authentication and management benefits for services like DSL. PPP COMPONENTS AND GENERAL OPERATION Ptands for the Point-to-Point Protocol, but even the standard that defines PPP immediately starts describing protocols that comprise it, which is why I consider it a protocol suite. At the highest level, the functions of PPP can be broken down into several components. Each of these encompasses a general class of PPP functionality, and is represented by either one protocol in the suite or a set of protocols. Main PPP Components The PPP standard itself describes three main components of PPP: * PPP Encapsulation Method: The primary job of PPP is to take higher-layer messages such as IP datagrams and encapsulate them for transmission over the underlying physical layer link. To this end, PPP defines a special frame format for encapsulating data for transmission, based on the framing used in the HDLC protocol. The PPP frame has been specially designed to be small in size and contain only simple fields, to maximize bandwidth efficiency and speed in processing. * Link Control Protocol (LCP): The PPP Link Control Protocol (LCP) is responsible for setting up, maintaining and terminating the link between devices. It is a flexible, extensible protocol that allows many configuration parameters to be exchanged to ensure that both devices agree on how the link will be used. * Network Control Protocols (NCPs): PPP supports the encapsulation of many different layer three datagram types. Some of these require additional setup before the link can be activated. After the general link setup is completed with LCP, control is passed to the PPP Network Control Protocol (NCP) specific to the layer three protocol being carried on the PPP link. For example, when IP is carried over PPP the NCP used is the PPP Internet Protocol Control Protocol (IPCP). Other NCPs are defined for supporting the IPX protocol, the NetBIOS Frames (NBF) protocol, and so forth. The PPP encapsulation method and LCP are defined in the main PPP standard and some support standards; the NCPs are described in separate standard documents, one per NCP. Additional PPP Functional Groups While the three components above do constitute much of the total package of PPP, I would add to the list of components in the standard two additional functional groups. These represent some of the many extra protocols that have been added over time to the suite to support or enhance the basic operation of PPP: * LCP Support Protocols: Several protocols are included in the PPP suite that are used during the link negotiation process, either to manage it or to configure options. Examples include the authentication protocols CHAP and PAP, which are used by LCP during the optional authentication phase. * LCP Optional Feature Protocols: A number of protocols have been added to the basic PPP suite over the years to enhance its operation after a link has been set up and datagrams are being passed between devices. For example, the PPP Compression Control Protocol (CCP) allows compression of PPP data, the PPP Encryption Control Protocol (ECP) enables datagrams to be encrypted for security, and the PPP Multilink Protocol (PPP MP) allows a single PPP link to be operated over multiple physical links. The use of these features often also requires additional setup during link negotiation, so several define extensions (such as extra configuration options) that are negotiated as part of LCP. Each of these additional protocols is generally defined by a different standards document. You can find a list of some of these in the topic on PPP standards. P's success has even led to the development of derivative protocols like PPP over Ethernet (PPPoE) and PPP over ATM (PPPoA). These actually layer PPP over existing data link layer technologies, which shows you how valued PPP's features are.even when a layer two technology is already in use, applying PPP on top provides authentication and management benefits for services like DSL. PPP's success has even led to the development of derivative protocols like PPP over Ethernet (PPPoE) and PPP over ATM (PPPoA). These actually layer PPP over existing data link layer technologies, which shows you how valued PPP's features are.even when a layer two technology is already in use, applying PPP on top provides authentication and management benefits for services like DSL. PPP's success has even led to the development of derivative protocols like PPP over Ethernet (PPPoE) and PPP over ATM (PPPoA). These actually layer PPP over existing data link layer technologies, which shows you how valued PPP's features are.even when a layer two technology is already in use, applying PPP on top provides authentication and management benefits for services like DSL. PPP General Operation The fact that the PPP suite includes literally dozens of protocols often makes it seem like it must be a really complex technology. In fact, the general operation of PPP is really quite straight-forward. The existence of all those PPP protocols allows PPP to be flexible and extensible, supporting many higher layer datagram types and various features. The bottom line, however, is that PPP operation involves just three basic steps. Beginning in a state where there is no PPP link between the devices, these are the operations that occur in PPP (also illustrated in Figure 24): 1. Link Setup and Configuration: Before the two devices can exchange information, they must make contact and set up a link between them. During link setup, all the parameters needed to manage the operation of the link are agreed upon by the two devices. The LCP begins this process, and invokes the help of support protocols as they are needed, for options like authentication. After the link is set up in general terms, the appropriate NCP is called for whatever layer three technology is being carried on the link to complete link setup. 2. Link Operation: The devices on the link use it to send datagrams. Each device transmits by taking layer three datagrams, encapsulating them and sending them down to layer one to be transmitted. Each device receives by taking PPP frames sent up from its own physical layer, stripping off the PPP header and passing the datagram up to layer three. Where appropriate, optional feature protocols are used here, such as CCP for compression. 3. Link Termination: When either device decides it no longer wants to communicate, it terminates the link. The link can of course be re-established if desired.
Figure 24: Overview of PPP Operation In simplest terms, PPP consists of only three basic steps: link setup, link operation and link termination. Link setup is by far the most complicated of these general steps, as it involves several substeps used to negotiate link parameters and options. The next topic describes the steps in link setup, and discusses the phases that a link passes through as it is set up, used, and eventually terminated. PPP LINK SETUP AND PHASES Before data can be exchanged on a PPP connection, a link must be set up between the two devices. As part of this setup task, a configuration process is undertaken whereby the two configure the link and agree on the parameters for how data should be passed between them. Only after this is completed can frames actually pass over the link. The PPP Link Configuration Protocol (LCP) is generally in charge of setting up and maintaining PPP links. LCP may invoke an authentication protocol (PAP or CHAP) when PPP is configured to use authentication. After an LCP link has been opened, PPP invokes one or more Network Control Protocols (NCPs) for the layer three protocol being carried on the link. These perform any network-layer-specific configuration needed before the link can carry that particular network layer protocol. The operation of a PPP link can be described as having a .life. of sort. Just as humans are born, grow, have an adult life span and then die, a PPP link is established, configured, used and eventually terminated. The process of setting up, using and closing a PPP link is described in the PPP standard as a series of phases or states. This is a type of finite state machine (FSM), a tool used to explain the operation of protocols. PPP Link Phases When we talk about a PPP link overall, we are talking about the status of the LCP connection between the two devices; again, LCP governs the overall state of PPP as a whole. Once an LCP link has been opened, each of the NCPs used on the link can be opened or closed independently of the overall PPP (LCP) link. We'll see how this works momentarily. An excellent way of understanding how PPP works is to look at these phases, and the process by which transition is made from one to the next during the lifetime of the link. For purposes of clarity, this description is based on an example where device A is a PC performing a dial-up networking connection to a remote host B (see Figure 25).
Figure 25: PPP Phases The PPP connection between the two devices begins in the Link Dead state and proceeds through three intermediate phases until the link is fully opened, as shown in the flow chart on the left. It remains in the stable Link Open phase until terminated. The purple boxes show the corresponding change in the status of the PPP link as transitions are made between phases. PPP LINK SETUP AND PHASES Link Dead Phase By design, the PPP link always begins and ends in this phase. This phase represents the situation where there is no physical layer link established between the two devices. It remains here until the physical layer link is set up, at which point the link proceeds to the Link Establishment phase. In our example, when A is first turned on, there is no physical layer connection (modem connection) between it and B. Once the connection is made, the link can proceed to phase 2. (Note that in a direct connection, such as a serial cable linking two PCs, the link may only stay in the Link Dead phase for a fraction of a second, until the physical layer connection is detected.) Link Establishment Phase The physical layer is now connected and LCP performs the basic setup of the link. Device A sends an LCP configuration request message to device B over the physical link, specifying the parameters it wishes to use. If Device B agrees, it replies with an acknowledgement. If B doesn't agree, it sends back a negative acknowledgment or rejection, telling device A what it won't accept. Device A can then try a different configuration request with new parameters that device B will hopefully accept. This process is described in more detail in the topic covering LCP. Hopefully, A and B will eventually come to agreement. If so, the status of the link is considered LCP open, and will proceed to the Authentication phase. If they cannot come to an agreement, the physical link is terminated, and we go back to the Link Dead phase. Authentication Phase In many cases, a device may require authentication before it will permit connection of another device. (This is certainly usually the case when PPP is used for dial-up.) Authentication is not considered mandatory in PPP, however. When it is used, the appropriate authentication protocol (CHAP or PAP) is employed. After successful authentication, the link proceeds to the Network-Layer Protocol phase. If authentication is not successful, the link fails and transitions to the Link Termination phase. Network-Layer Protocol Phase Once the basic link has been configured and authentication completed, the general setup of the LCP link is complete. Now, the specific configuration of the appropriate network layer protocol is performed by invoking the appropriate NCP, such as IPCP, IPXCP and so forth. Each particular network layer protocol whose NCP is successfully configured is considered to be open on the LCP link. More than one NCP can be open on a particular PPP link, and each can be closed independently when it is no longer needed. After all necessary NCPs have been invoked, the link proceeds to the Link Open state, even if none were successfully opened. Link Open Phase In this state, the LCP link and one or more NCP links are open and operational. Data can be passed for each NCP that has been successfully set up. The link can be terminated at any time by either device for a variety of reasons. These may include user request (you hit the .disconnect. button when you want to log off your dial-up session); link quality problems (the modem hangs up on you due to line noise); or some other cause (you spend too much time in the bathroom and your ISP's idle timer logs you out J). When any of these occur the LCP link is broken and the link transitions to the Link Termination phase. Link Termination Phase The device terminating the link sends a special LCP termination frame, and the other device acknowledges it. The link then goes back to the Link Dead phase. In the case where the termination was by request and the physical layer connection is still active, the PPP implementation is supposed to specifically signal the physical layer to terminate the layer one connection. Differentiating LCP and NCP Links Remember that the basic link is established by LCP, and NCP links are set up within the LCP link. Closing an NCP link does not cause the LCP link to be closed. Even if all NCPs are closed, the LCP link remains open. (Of course, no data can be passed until an appropriate NCP link is re-established; a device is required to discard frames received containing any layer three protocol that does not have an opened NCP.) To terminate a PPP connection, only the LCP link needs to be terminated in the Link Termination phase; the NCPs do not need to be explicitly closed. PPP Link Setup and Phase Summary A summary of PPP phases can be found in Table 24. In the table, the LCP Link Status and NCP Link Status columns show the status of the link as the phase starts. Table 24: PPP Phases
Phase/ |
Phase Summary |
LCP Link Status Upon Entry To Phase |
NCP Link Status Upon Entry To Phase |
Transition Requirement |
Transition To Phase |
Link Dead |
Default state; physical layer not connected. |
Closed |
Closed |
Successful |
Link Establishment |
Link Establishment |
Physical layer connected, basic configuration of link performed by LCP. |
Closed |
Closed |
Successful |
Authentication |
Unsuccessful negotiation |
Link Dead |
||||
Authentication |
Basic link is now opened, and optional authentication of device is performed. |
Open |
Closed |
Successful authentication or no authentication required |
Network-Layer Protocol |
Unsuccessful authentication |
Link Termination |
||||
Network-Layer Protocol |
One or more NCPs open an NCP link within the LCP link. |
Open |
Closed |
All NCPs opened |
Link Open |
Link Open |
Link is open and operating normally. |
Open |
Open |
Link failure or close request |
Link Termination |
Link Termination |
LCP link is shut down. |
Open |
Open |
|
Link Dead |
PPP CORE PROTOCOLS: LINK CONTROL, NETWORK CONTROL AND AUTHENTICATION The PPP protocol suite consists of several dozen protocols that cover various aspects of its operation. Of these, a few protocols can be considered the most important or .core. of the suite. It's not that the others are not important, mind you. But this small group is responsible for the basic operation of PPP. In particular, they work together to implement the relatively complex link negotiation process, which is a big part of what PPP is all about. In this section I describe the protocols that are responsible for PPP link setup and basic operation. I begin with a description of the key Link Control Protocol (LCP). I then describe the different Network Control Protocols (NCPs) used to configure PPP for different layer three protocols. Finally, I discuss the two PPP authentication protocols, PAP and CHAP, used to provide authentication during link setup. PPP Link Control Protocol (LCP) Of all the different PPP suite protocols, the single most important protocol is the PPP Link Control Protocol (LCP). LCP is the .boss. of PPP; it is responsible for its overall successful operation, and for .supervising. (in a way) the actions of other protocols. PPP is about links, and LCP is about controlling those links. As I discussed in the PPP fundamentals section, the operation of a PPP link can be thought of as proceeding through various .life stages. just as a biological organism does. There are three main stages of .link life. and LCP plays a key role in each one: * Link Configuration: The process of setting up and negotiating the parameters of a link. * Link Maintenance: The process of managing an opened link. * Link Termination: The process of closing an existing link when it is no longer needed (or when the underlying physical layer connection closes). Each of these functions corresponds to one of the .life phases. of a PPP link. Link configuration is performed during the initial Link Establishment phase of a link; link maintenance occurs while the link is open, and of course, link termination happens in the Link Termination phase. Figure 26 represents a summary of the LCP link, showing the different message exchanges performed by LCP during these different life phases of a PPP connection.
Figure 26: PPP Link Control Protocol (LCP) Message Exchanges This diagram provides an overview of many of the message exchanges performed by LCP during different phases of a PPP connection. Link Configuration is here shown as a simple exchange of a Configure-Request and Configure-Ack. After subsequent exchanges using other PPP protocols to authenticate and configure one or more NCPs, the link enters the Link Open phase. In this example, an Echo-Request and Echo-Reply message are first used to test the link, followed by the sending and receiving of data by both devices. One Data message is shown being rejected due to an invalid Code field. Finally, the link is terminated using Terminate-Request and Terminate-Ack messages. LCP Frames Devices use LCP to control the PPP link by sending special LCP messages across the physical link between them. These messages are called both LCP packets and LCP frames; while the standard uses "packet", the term "frame" is preferred because layer two messages are normally called frames. There are eleven different LCP frame types defined in the main PPP document, which are divided into three groups that correspond to the three link .life stages. above. Four LCP frame types are used for link configuration, five for maintenance and two for termination. The frame formats themselves are described in the topic on LCP frames. Below I will discuss each of the three major functions of LCP and how the frames are used in each. Key Concept: The PPP Link Control Protocol (LCP) is the most important protocol in the PPP suite. It is responsible for configuring, maintaining and terminating the overall PPP link. The two devices using PPP employ a set of LCP frames to conduct LCP operations. LCP Link Configuration Link configuration is arguably the most important job that LCP does in PPP. During the Link Establishment phase, LCP frames are exchanged that enable the two physically-connected devices to negotiate the conditions under which the link will operate. Figure 27 shows the entire procedure, which we will now examine in detail. The process starts with the initiating device (let's call it device A, yeah, isn't that original) creating a Configure-Request frame that contains a variable number of configuration options that it wants to see set up on the link. This is basically device A's .wish list. for how it wants the link created.
Figure 27: PPP LCP Link Configuration Process This flowchart shows in more detail the negotiation process undertaken to configure the link by LCP. This process begins when the PPP link enters the Link Establishment phase. After successful configuration, the connection transitions to the Authentication phase. The main PPP document (RFC 1661) defines a number of different configuration options that the initiator can specify in this request. Any one of these can be included and if so, filled in with the value corresponding to what device A wants for that option. If absent, this means device A is neither requesting nor specifying that option. The six options are: * Maximum-Receive-Unit (MRU): Lets device A specify the maximum size datagram it wants the link to be able to carry. * Authentication-Protocol: Device A can indicate the type of authentication protocol it wishes to use (if any). * Quality-Protocol: If device A wants to enable quality monitoring on the link, what protocol to use (though there is only one currently defined: LQR). * Magic-Number: Used to detect looped back links or other anomalies in the connection. * Protocol-Field-Compression: Allows device A to specify that it wants to use .compressed. (8 bit) Protocol fields in PPP data frames instead of the normal 16 bit Protocol field. This provides a small but free savings (one byte) on each PPP frame. Note that this has nothing to do with the compression feature offered by CCP. See the PPP general frame format topic for more on this feature. * Address-and-Control-Field-Compression (ACFC): The same as the option just above but used to compress the Address and Control fields, again for small bandwidth savings. Again, see the PPP general frame format topic for more. Other options may also be added to this list by optional feature protocols. For example, Multilink PPP adds several options that must be negotiated during link setup. The other device (let's call it say. device B J) receives the Configure-Request and processes it. It then has three choices of how to respond: 1. If every option in it is acceptable in every way, device B sends back a Configure-Ack (.acknowledge.). The negotiation is complete. 2. If all the options that device A sent are valid ones that device B recognizes and is capable of negotiating, but it doesn't accept the values device A sent, then device B returns a Configure-Nak (.negative acknowledge.) frame. This message includes a copy of each configuration option that B found unacceptable. 3. If any of the options that A sent were either unrecognized by B, or represent ways of using the link that B considers not only unacceptable but not even subject to negotiation, it returns a Configure-Reject containing each of the objectionable options. The difference between a Configure-Nak and a Configure-Reject is that the former is like device B saying .I don't accept your terms, but I'm willing to haggle., while the latter is device B basically saying .No way Jose.. For example, if device A tries to request PAP as the authentication protocol but device B wants to use CHAP, it will send a Configure-Nak. If device B doesn't support authentication at all, it will send a Configure-Reject LCP Link Maintenance Once the link has been negotiated, LCP passes control to the appropriate authentication and/or NCP protocols as discussed in the PPP Link Setup and Phases topic. Eventually the link setup will complete and go into the open state. LCP messages can then be used by either device to manage or debug the link: * Code-Reject and Protocol-Reject: These frame types are used to provide feedback when one device receives an invalid frame due to either an unrecognized LCP Code (LCP frame type) or a bad Protocol identifier. * Echo-Request, Echo-Reply and Discard-Request: These frames can be used for testing the link. LCP Link Termination Finally, when the link is ready to be shut down, LCP terminates it. The device initiating the shutdown (which may not be the one that initiated the link in the first place) sends a Terminate-Request message. The other device replies back with a Terminate-Ack. A termination request indicates that the device sending it needs to close the link. Like a four-year-old who tells you he .needs to go now, bad!., this is a request that cannot be denied. J Other LCP Messages The standard RFC 1570, PPP LCP Extensions, also defines two new LCP message types. The Identification message is used to allow a device to identify itself to its peer on the link. The Time-Remaining message lets one device tell the other how much time remains in the current session. Relationship Between LCP and Other PPP Protocols Note that many of the other protocols used in PPP are modeled after LCP. They use the same basic techniques for establishing protocol connections, and send and receive a subset of LCP message types. They also exchange configuration options in a similar manner. The next topic shows how the Network Control Protocols (NCPs) are based on LCP. You will see the same thing in looking at feature protocols such as CCP, ECP and others. PPP NETWORK CONTROL PROTOCOLS (IPCP, IPXCP, NBFCP AND OTHERS) One of the reasons why PPP is such a powerful technology is that it is flexible and expandable. Even though it was originally created with the idea of carrying IP datagrams, PPP's designers recognized that it would be short-sighted to think so narrowly. PPP could easily carry data from many types of network layer protocols, and on some networks, it might even be advantageous to let it carry datagrams from different layer three protocols simultaneously. Allowing PPP to support multiple network layer protocols would require it to have knowledge of each one's idiosyncrasies. If we used only LCP for link configuration, it would need to know all the unique requirements of each layer three protocol. This would also require that LCP be constantly updated as new layer three protocols were defined and as new parameters were defined for existing ones. Instead of this inflexible design, PPP takes a .modular. approach to link establishment. LCP performs the basic link setup, and after (optional) authentication, invokes a Network Control Protocol (NCP) that is specific to each layer three protocol that is to be carried over the link. The NCP conducts a negotiation of any parameters that are unique to the particular network layer protocol. More than one NCP can be run for each LCP link Each of the common network layer technologies has a PPP NCP defined for it in a separate RFC. These documents are usually named in this pattern: .The PPPFigure 28: PPP IP Control Protocol (IPCP) Message Exchanges The overall operation of the NCPs, such as IPCP, is very similar to that of LCP. After LCP configuration (including authentication) is complete, IPCP Configure-Request and Configure-Ack messages are used to establish an IPCP link. IP Data can then be sent over the link. If the IPCP connection is no longer needed it may be terminated, after which the LCP link remains open for other types of data to be transmitted. It is not necessary, however, to explicitly terminate the IPCP link before terminating the LCP connection. Key Concept: After the primary PPP link is established using LCP, each network layer protocol to be carried over the link requires the establishment of the appropriate NCP link. The most important of these is the PPP Internet Protocol Control Protocol (IPCP), which allows IP datagrams to be carried over PPP. An Example NCP: The Internet Protocol Control Protocol (IPCP) Let's look at the NCP for IP, IPCP. When PPP is set up to carry IP datagrams, IPCP is invoked in the Network-Layer Protocol phase (one of the PPP phases) to set up an IP NCP link between the two devices. The setup is carried out using the four .Configure-. messages. For IP, there are two configuration options that can be specified in an IPCP Configure-Request: * IP-Compression-Protocol: Allows devices to negotiate the use of something called .Van Jacobson TCP/IP header compression.. This compresses the size of TCP and IP headers to save bandwidth. Thus, this is similar in concept to the Protocol-Field-Compression and Address-and-Control-Field-Compression (ACFC) options in LCP. * IP-Address: Allows the device sending the Configure-Request to either specify an IP address it wants to use for routing IP over the PPP link, or to request that the other device supply it with one. This is most commonly used for dial-up networking links. Again, the receiving device can send back an IPCP Configure-Ack, an IPCP Configure-Nak, or an IPCP Configure-Reject, just as they work in LCP. The other NCPs are similar, but use different configuration options. After configuration is complete, data can be sent for the layer three protocol corresponding to the NCP negotiated. This is indicated by using the appropriate value for the Protocol field in PPP data frames containing that layer three data. PPP AUTHENTICATION PROTOCOLS: PASSWORD AUTHENTICATION PROTOCOL (PAP) AND CHALLENGE HANDSHAKE AUTHENTICATION PROTOCOL (CHAP) PPP was designed to provide layer two connectivity over a variety of serial links and other physical layer technologies, some of which have much more of a concern about security than others. For example, suppose you hook two machines in your computer lab together with a serial cable and want to run PPP between them. When one of these initiates a PPP link with the other, you don't really need to worry about .who's calling.. On the other hand, consider an Internet Service Provider using PPP for remote dial-in users. They generally want to allow only their customers to connect, not just anyone. The PPP protocol suite was designed to include the use of an optional authentication protocol for links where authentication is important. During basic link setup by LCP, devices can negotiate the use of an authentication protocol. If they agree, after the LCP link is set up a series of authentication messages are sent to verify the identity of the device initiating the link. Only if authentication is successful can the link configuration proceed. The PPP suite initially defined two different authentication protocols: the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) Password Authentication Protocol (PAP). PAP is a very straight-forward authentication scheme, consisting of only two basic steps, as shown in Figure 29: 1. Authentication Request: The initiating device sends an Authenticate-Request message that contains a name and a password. 2. Authentication Reply: The responding device looks at the name and password and decides whether to accept the initiating device and continue in setting up the link. If so, it sends back an Authenticate-Ack. Otherwise, it sends an Authenticate-Nak.Control Protocol.. The most common ones are The PPP Internet Protocol Control Protocol (IPCP), The PPP Internetworking Packet Exchange Control Protocol (IPXCP), and The PPP NetBIOS Frames Control Protocol (NBFCP). These are the NCPs for IP, IPX and NBF (also called NetBEUI), respectively. A separate NCP is also defined for IP version 6, the PPP IP Version 6 Control Protocol (IPv6CP). Operation of PPP Network Control Protocols Each NCP operates very much like a .lite. version of LCP, as you can see by examining Figure 28 (and comparing it to Figure 26, which shows the messaging for LCP). Like LCP, each NCP performs functions for link setup, maintenance and termination.only it deals with its particular type of NCP link and not the .overall. LCP link. Each NCP uses a subset of seven of the message types defined in LCP, and uses them in very much the same way as the message type of the same name is used in LCP: * Link Configuration: The process of setting up and negotiating the parameters of the particular NCP link (once an LCP link is established) is accomplished using Configure-Request, Configure-Ack, Configure-Nak and Configure-Reject messages just as described in the LCP topic, except these ones are particular to the NCP. The configuration options are of course different; they are the network layer protocol parameters being negotiated. * Link Maintenance: Code-Reject messages can be sent to indicate invalid code values (NCP frame types). * Link Termination: An NCP link can be terminated using Terminate-Request and Terminate-Ack. (Remember that NCP links are set up within an LCP link; there can be more than one NCP link open, and closing NCP links doesn't terminate the LCP link. Also, NCP links do not need to be closed when an LCP link is terminated.)
Figure 29: PPP Password Authentication Protocol (PAP) Authentication PAP works using a simple exchange of a request containing name and password information, and a reply indicating whether or not authentication was successful. Simple. Now, remember what Einstein said about simplicity? PAP is another example of something that is just too simple for its own good. Chief amongst its flaws is that it transmits the user name and password in clear text across the link. This is a big .no-no. in security protocols, as it means any eavesdropper can get the password and use it in the future. PAP also provides no protection against various security attacks. For example, an unauthorized user could simply try different passwords indefinitely and hope he or she eventually found one that worked. PAP also puts control of the authentication squarely on the shoulders of the initiating device (usually a client machine) which is not considered desirable. Challenge Handshake Authentication Protocol (CHAP) The most important difference between PAP and CHAP is that CHAP doesn't transmit the password across the link. Now you may be wondering.if that's the case, how is the password verified? Well, think of it this way. PAP works by the initiator telling the authenticator .here's the password I know, see if it matches yours.. CHAP does this by having each of the devices use the password to perform a cryptographic computation and then check if they each get the same result. If they do, they know they have the same password. CHAP Authentication Procedure In CHAP, a basic LCP link is set up between the initiator (calling client) and authenticator (generally the server that is deciding whether to grant authentication). The authenticator then takes charge of the authentication process, using a technique called a three-way handshake. This is a fairly common general authentication procedure; the same basic technique is used, for example, in IEEE 802.11 Shared Key Authentication. The three-way handshake steps are as follows (and as illustrated in Figure 30): 1. Challenge: The authenticator generates a frame called a Challenge and sends it to the initiator. This frame contains a simple text message (sometimes called the challenge text). The message has no inherent special meaning so it doesn't matter if anyone intercepts it. The important thing is that after receipt of the Challenge both devices have the same challenge message. 2. Response: The initiator uses its password (or some other shared .secret. that the authenticators also knows) to encrypt the challenge text. It then sends the encrypted challenge text as a Response back to the authenticator. 3. Success or Failure: The authenticator performs the same encryption on the challenge text that the initiator did. If the authenticator gets the same result that the initiator sent it in the Response, the authenticator knows that the initiator had the right password when it did its encryption, so the authenticator sends back a Success message. Otherwise, it sends a Failure message.
Figure 30: PPP Challenge Handshake Authentication Protocol (CHAP) Authentication CHAP uses a three-way handshake beginning with a Challenge from the authenticating device (usually the remote server accessed by a host). This message is encrypted and returned to the authenticating device, which checks to see if the device trying to authenticate used the correct password (or other .shared secret.). Benefits of CHAP You can see the beauty of this: it verifies that the two devices have the same .shared secret. but doesn't require that the secret be sent over the link. The Response is calculated based on the password, but the content of the Response is encrypted and thus, much harder to derive the password from. CHAP also provides protection against replay attacks, where an unauthorized user captures a message and tries to send it again later on. This is done by changing an identifier in each message and varying the challenge text. Also, in CHAP the server controls the authentication process, not the client that is initiating the link. Key Concept: PPP supports two authentication protocols: PAP and CHAP. PAP is a simple request/reply authentication protocol that is widely considered to be inadequate since it sends the user name and password in clear text and provides little protection against many security concerns. CHAP uses a three-way handshake procedure and is preferred over PAP in most implementations. CHAP itself is not perfect, but it's a heck of a lot closer to perfection than PAP is. In fact, the IETF made a rather strong statement in this regard when it revised the original RFC describing PAP and CHAP, and included only CHAP in the new standard. Despite this, PAP is still used in some applications, because it is simple. And well, some folks think they are smarter than Einstein. J Seriously though, PAP can be fine in situations where security is not a big deal, but CHAP is much better and still not really that complicated. PPP LINK QUALITY MONITORING/REPORTING (LQM/LQR) PPP includes optional authentication in recognition of the varying security needs of the many different kinds of links over which PPP may operate. These links also differ greatly in terms of their quality. Just as we don't need to worry about authentication much when two machines are linked with a short cable, we also can feel pretty confident that data sent between them is going to arrive intact. Now, contrast that to a PPP session established over a long-distance telephone call. For that matter, how about PPP over a dial-up call using an analog cellular phone? PPP includes in its basic package a provision for detecting errors in sent frames (a CRC field), and higher-layer protocols like TCP also include methods of providing robustness on noisy lines. These techniques allow a link to tolerate problems, but provide little in the way of useful information about what the status of the link is. In some situations, devices may want to be able to keep track of how well the link is working, and perhaps take action on it. For example, a device experiencing too many errors on a dial-up connection might want to cut off and retry a new call. In some cases a device might want to try an alternate method of attachment if the current physical link is not working well. Recognizing this need, the PPP suite includes a feature that allows devices to analyze the quality of the link between them. This is called PPP Link Quality Monitoring or LQM. PPP is set up generically to allow any number of different monitoring functions to be used, but at present there is only one, called Link Quality Reporting (LQR). LQR works by having a device request that its peer (the other device on the link) keep track of statistics about the link and send them in reports on a regular basis. LQR Setup Before LQR can be used it must be set up, which is done by LCP as part of the negotiation of basic link parameters in the Link Establishment phase. The device opening the link requests link monitoring by including the Quality-Protocol configuration option in its Configure-Request frame. Again, LQR is the only quality protocol presently defined. The configuration option also specifies a reporting period that indicates the longest period of time the requesting device wants to go between receiving reports. LQR Counters Assuming that the negotiation is successful, LQR will be enabled. A number of counters are set up that keep track of various link statistics, and a timer used to regulate the sending of quality reports over the link. Each time the timer expires a special link quality report is generated and sent in a PPP frame over the link. These are sent using the special PPP Protocol field hexadecimal value 0xC025. Each counter holds information about a different statistic regarding the use of the link. Each of these counters is reset to zero when LQR is set up and then incremented each time a transmission is made or an event occurs that is relevant to the counter. The statistics tracked include the following: * The number of frames sent/received. * The number of octets (bytes) in all frames sent/received. * The number of errors that have occurred. * The number of frames that had to be discarded. * The number of link quality reports generated. These counters are only reset at the start of the link, so they contain figures kept cumulatively over the life of the connection. The counters can be used in the absolute sense, meaning that the counter value itself is reported. Alternately, they can be expressed as relative (or delta) values, which represent the change since the last report. This is done when a report is received simply by subtracting the previous report's numbers from those in the current report. Using Link Quality Reports LQR specifies the quality reporting mechanism, but not specific standards for link quality, since these are so implementation-dependent. Based on the numbers in these reports, a device can decide for itself what conclusions to draw about link quality, and in turn what action to take, if any. For example: * Some devices might decide to shut down a link if the absolute number of errors seen in any report reaches a certain threshold. * Some might look at the trend in successive reporting periods and take action if they detect certain trends, such as an increase in the rate of discarded frames. * Some devices might just log the information and take no action at all. Note that LQR aggregates its statistics for all higher-layer protocols transmitted over a particular link. It doesn't keep track of statistics for different higher-layer protocols separately (which makes sense, since the quality of the link shouldn't vary from one higher layer protocol to the next). PPP COMPRESSION CONTROL PROTOCOL (CCP) AND COMPRESSION ALGORITHMS PPP is, of course, primarily used to provide data link layer connectivity to physical serial links. One of the biggest problems with serial links compared to many other types of layer one connections is that they are relatively slow. Consider that while 10 Mbps regular Ethernet is considered sluggish by modern LAN standards, it is actually much faster than most serial lines used for WAN connectivity, which can be 10, 100 or even 1000 times slower. One way to improve performance over serial links is to use compression on the data sent over the line. Depending on the data transferred, this can double the performance compared to uncompressed transmissions, and can in some cases do even better than that. For this reason, many hardware devices include the ability to compress the data stream at the physical layer. The best example of this is probably the set of compression protocols used on analog modems. Some physical links don't provide any compression capabilities, but could still benefit from it. To this end, an optional compression feature was created for PPP. It is implemented using two distinct protocol components: * PPP Compression Control Protocol (CCP): This protocol is responsible for negotiating and managing the use of compression on a PPP link. * PPP Compression Algorithms: A set of compression algorithms that perform the actual compression and decompression of data. Several of these are defined in Internet standards (RFCs). In addition, it is possible for two devices to negotiate the use of a proprietary compression method if they want to use one not defined by a public standard. Key Concept: PPP includes an optional compression feature, which can improve performance over slow physical links. A variety of different compression algorithms are supported. To enable compression, both devices on a PPP link use the PPP Compression Control Protocol (CCP) to negotiate a compression algorithm to use. The compression algorithm is then used to compress and decompress PPP data frames. CCP Operation: Compression Setup When most people talk about compression in PPP they mention CCP, which is considered .the. compression protocol for PPP. However, CCP is actually used only to configure and control the use of compression; it is the algorithms that do the real work of compressing and decompressing. This .separation of powers. provides flexibility, since it allows each implementation to choose what type of compression they wish to use. CCP is analogous to the Network Control Protocols (NCPs) that negotiate parameters specific to a network layer protocol sent on the link. An NCP lets two devices decide how they will carry layer three traffic, such as how IPCP lets the devices determine how to carry IP. CCP lets two devices decide how they will compress data, in the same basic way. Similarly, just as each NCP is like a .lite. version of LCP, CCP is also like a .lite. version of LCP. It is used to set up a compression connection called a CCP link within an LCP link between two devices. Once established, compressed frames can be sent between the two devices. CCP also provides messaging capabilities for managing and eventually terminating a CCP link, again very similar to how each network layer protocol sets up a NCP link within LCP. A CCP link is maintained independently of any NCP links. CCP uses the same subset of seven LCP message types that the NCPs use, and adds two additional ones. The use of these messages for each of the .life stages. of a CCP link is as follows, which should look very familiar if you've already read about how the NCPs and LCP itself work: * Link Configuration: Like the NCPs, compression configuration is done once CCP reaches the Network-Layer Protocol phase. The process of setting up compression and negotiating parameters is accomplished using Configure-Request, Configure-Ack, Configure-Nak and Configure-Reject messages just as described in the LCP topic, except the configuration options are particular to CCP. * Link Maintenance: Code-Reject messages can be sent to indicate invalid code values in CCP frames. The two new message types are Reset-Request and Reset-Ack, which are used to reset the compression (the CCP link) in the event of a detected failure in decompression. * Link Termination: A CCP link can be terminated using Terminate-Request and Terminate-Ack. Again, remember that like the NCP links, the CCP link is set up within an LCP link, and closing it doesn't terminate the LCP link which controls PPP overall. CCP Configuration Options and Compression Algorithms CCP configuration options are used for only one purpose: to negotiate the type of compression to be used by the two devices, and the specifics of how that algorithm is to be employed. The device initiating the negotiation sends a Configure-Request with one option for each of the compression algorithms it supports. The other device compares this list of options to the algorithms it understands. It also checks for any specific details relevant to the option to see if it agrees on how that algorithm should be used. It then sends back the appropriate reply (Ack, Nak or Reject) and a negotiation ensues until the two devices come up with a common algorithm both understand. If so, compression is turned on; otherwise, it is not enabled. The CCP configuration options begin with a Type value that indicates the compression algorithm. When the Type value is 0, this indicates that the option contains information about a special, proprietary compression algorithm not covered by any RFC standards, which can be used if both devices understand it. Several values from 1 to 254 indicate compression algorithms that have been defined for use with CCP. Table 30 shows the most common values of the Type field, including the compression algorithm each corresponds to and the number of the RFC that defines it:Table 30: PPP Compression Control Protocol (CCP) Compression Algorithms
CCP Option Type Value |
Defining RFC |
Compression Algorithm (As Given in RFC Title) |
0 |
|
Proprietary |
1 and 2 |
1978 |
PPP Predictor Compression Protocol |
17 |
1974 |
PPP Stac LZS Compression Protocol |
18 |
2118 |
Microsoft Point-To-Point Compression (MPPC) Protocol |
19 |
1993 |
PPP Gandalf FZA Compression Protocol |
21 |
1977 |
PPP BSD Compression Protocol |
23 |
1967 |
PPP LZS-DCP Compression Protocol (LZS-DCP) |
26 |
1979 |
PPP Deflate Protocol |
Compression Algorithm Operation: Compressing and Decompressing Data Once an algorithm has been successfully negotiated, the compression algorithm is used to compress data before transmission, and to decompress it once received. To compress, the transmitting device takes the data that would normally be put in the Information field of an uncompressed PPP frame and runs it through the compression algorithm. To indicate that a frame has been compressed, the special value 0x00FD (hexadecimal) is placed in the PPP Protocol field. When compression is used with multiple links and the links are compressed independently, a different value is used: 0x00FB. Recall that in a regular uncompressed frame, the Protocol field indicates what layer three protocol the data comes from; since we still need to know this, the original Protocol value is actually prepended to the data before compression. When the data is decompressed, this value is used to restore the original Protocol field, so the receiving device knows what higher layer the data belongs to. For example, if we use IPCP to encapsulate IP data in PPP, the uncompressed frame would have a value of 0x8021 (hex) in the Protocol field. This value (0x8021) would be placed at the start of the data to be compressed. The compressed data would be put in a PPP frame with a Protocol value of 0x00FD. The receiving device would see the value 0x00FD in the Protocol field, recognize the frame as compressed, decompress it and restore the original frame with 0x8021 as the Protocol value. The PPP general frame format topic covers this in more detail. In theory, a compression algorithm can put more than one PPP data frame into a compressed PPP data frame. Despite this, many if not most of the algorithms maintain a one-to-one correspondence, putting each PPP data frame into one compressed frame. Note that LCP frames are not compressed, nor are the control frames used for other protocols. For example, a data frame carrying IP traffic would be compressed, but a control frame for IPCP (the Network Control Protocol for IP) would not be. Compression can be combined with encryption; in this case compression is done before encryption. PPP ENCRYPTION CONTROL PROTOCOL (ECP) AND ENCRYPTION ALGORITHMS The PPP authentication protocols PAP and CHAP can be used to ensure that only authorized devices can establish a PPP connection. Once that is done, PPP normally provides no other security to the data being transmitted. In particular, all data is normally sent .in the clear. (unencrypted), making it easy for someone who intercepts it to read. For important data that must be kept secure, encryption prior to transmission is a good idea. This can be done at higher layers using something like IPSec, but PPP also provides an optional feature that allows data to be encrypted and decrypted at the data link layer itself. PPP data encryption is implemented using two protocol components: * PPP Encryption Control Protocol (ECP): This protocol is responsible for negotiating and managing the use of encryption on a PPP link. * PPP Encryption Algorithms: A family of encryption algorithms that perform the actual encryption and decryption of data. Several of these are defined in Internet standards (RFCs), and two devices can also negotiate a proprietary encryption method if they want to use one not defined by a public standard. ECP is usually the only part mentioned when encryption in PPP is discussed. ECP is in fact used only to configure and control the use of encryption; it is the algorithms that do the real work. This technique allows each implementation to choose what type of encryption they wish to use. The original ECP defined only a single encryption method, and a couple of others have since been added. Key Concept: PPP includes an optional encryption feature, which provides privacy for data transported over PPP. A number of encryption algorithms are supported. To enable encryption, both devices on a PPP link use the PPP Encryption Control Protocol (ECP) to negotiate which algorithm to use. The selected algorithm is then used to encrypt and decrypt PPP data frames. Like CCP, ECP is analogous to the Network Control Protocols (NCPs) that negotiate parameters specific to a network layer protocol sent on the link, but deals with how devices encrypt data rather than how they transport layer three traffic. This also means that like the NCPs, ECP is a "lite" version of LCP and works in the same basic way. Once an ECP link is negotationed, encrypted frames can be sent between devices. When no longer needed, the ECP link can be terminated. ECP uses the same subset of seven LCP message types that the NCPs use, and adds two more. The use of these messages for each of the .life stages. of an ECP link is as follows: * Link Configuration: Like the NCPs (and also like CCP of course), encryption configuration is done once ECP reaches the Network-Layer Protocol phase. The process of setting up encryption and negotiating parameters is accomplished using Configure-Request, Configure-Ack, Configure-Nak and Configure-Reject messages just as described in the LCP topic, except the configuration options are particular to ECP. * Link Maintenance: Code-Reject messages can be sent to indicate invalid code values in ECP frames. The two new message types are Reset-Request and Reset-Ack, which are used to reset the encryption (the ECP link) in the event of a detected failure in decryption. * Link Termination: An ECP link can be terminated using Terminate-Request and Terminate-Ack. Again, remember that like the NCP links, the ECP link is set up within an LCP link, so closing it doesn't terminate the LCP link. ECP Configuration Options and Encryption Algorithms ECP configuration options are used only to negotiate the type of encryption algorithm to be used by the two devices, and the specifics of how that algorithm is to be employed. The device initiating the negotiation sends a Configure-Request with one option for each of the encryption algorithms it supports. The other device compares this list of options to the algorithms it understands. It also checks for any details relevant to the option to see if it agrees on how that algorithm should be used. It then sends back the appropriate reply (Ack, Nak or Reject) and a negotiation ensues until the two devices come up with a common algorithm both understands. If so, encryption is enabled, and otherwise, it is left turned off. The ECP configuration options begin with a Type value that indicates the encryption algorithm. When the Type value is 0, this indicates that the option contains information about a special, proprietary encryption method not covered by any RFC standards, which can be used if both devices understand it. Values in the range from 1 to 254 indicate encryption algorithms that have been defined for use with ECP; at present, only two are defined. Table 31 shows the values of the Type field, including the encryption algorithm each corresponds to and the number of the RFC that defines it:
ECP Option Type Value |
Defining RFC |
Encryption Algorithm (As Given in RFC Title) |
0 |
|
Proprietary |
2 |
2420 |
The PPP Triple-DES Encryption Protocol (3DESE) |
3 |
2419 |
The PPP DES Encryption Protocol, Version 2 (DESE-bis) |
Encryption Algorithm Operation: Encrypting and Decrypting Data After an encryption algorithm has been successfully negotiated, it is used to encrypt data before transmission, and to decrypt data received. To encrypt, the transmitting device takes the data that would normally be put in the Information field of an unencrypted PPP frame and runs it through the encryption algorithm. To indicate that a frame has been encrypted, the special value 0x0053 (hexadecimal) is placed in the PPP Protocol field. When encryption is used with multiple links and the links are encrypted independently, a different value is used: 0x0055. Recall that in a regular unencrypted frame, the Protocol field indicates what layer three protocol the data comes from; since we still need to know this, the original Protocol value is actually prepended to the data before encryption. When the data is decrypted, this value is used to restore the original Protocol field, so the receiving device knows what higher layer the data belongs to. For example, if we use IPCP to encapsulate IP data in PPP, the unencrypted frame would have a value of 0x8021 (hex) in the Protocol field. This value (0x8021) would be placed at the start of the data to be encrypted. The encrypted data would be put in a PPP frame with a Protocol value of 0x0053. The receiving device would see the value 0x0053 in the Protocol field, recognize the frame as encrypted, decrypt it and restore the original frame with 0x8021 as the Protocol value.The discussion of the PPP general frame format covers this more completely. Each encrypted PPP data frame carries exactly one PPP data frame. Note that unlike what we saw in compression, LCP frames and the control frames used for other protocols can be encrypted. Compression can be combined with encryption; in this case compression is done before encryption. PPP MULTILINK PROTOCOL (MP/MLP/MLPPP) Most of the time, there is only a single physical layer link between two devices. There are some situations, however, when there may actually be two layer one connections between the same pair of devices. This may seem strange; why would there be more than one link between any pair of machines? There are in fact a number of situations in which this can occur. One common one is when two links are intentionally placed between a pair of devices. This is often done to increase performance by .widening the pipe. between two devices, without going to a newer, more expensive technology. For example, if two machines are connected to each other using a regular analog modem and it is too slow, a relatively simple solution is to just use two analog modem pairs connecting the machines to double bandwidth. A slightly different situation occurs when multiplexing creates the equivalent of several physical layer .channels. between two devices even if they only have one hardware link between them. Consider ISDN for example. The most common form of ISDN service (ISDN basic rate interface or BRI) creates two 64,000 bps B channels between a pair of devices. These B channels are time division multiplexed and carried along with a D channel on a single pair of copper wire, but to the devices they appear as if there were two physical layer links between devices, each of which carries 64 kbps of data. And the ISDN primary rate interface (PRI) actually creates 23 or even more channels, all between the same pair of hardware devices. In a situation where we have multiple links, we could of course just establish PPP over each connection independently. However, this is far from an ideal solution, because we would then have to manually distribute our traffic over the two (or more) channels or links that connect them. If you wanted to connect to the Internet, you'd have to make separate connections and then choose which to use for each action. Not exactly a recipe for fun, and what's worse is that you could never use all the bandwidth for a single purpose, such as downloading the latest 100 megabyte Microsoft security patch. What we really want is a solution that will let us combine multiple links and use them as if they were one high-performance link. Some hardware devices actually allow this to be done at the hardware level itself; in ISDN this technology is sometimes called bonding when done at layer one. For those hardware units that don't provide this capability, PPP makes it available in the form of the PPP Multilink Protocol (MP). PPP Multilink Protocol Architecture MP is an optional feature of PPP, so it must be designed to integrate seamlessly into regular PPP operation. To accomplish this, MP is implemented as a new architectural .sublayer. within PPP. In essence, an MP sublayer is inserted between the .regular. PPP mechanism and any network layer protocols using PPP, as shown in Figure 31. This allows MP to take all network layer data to be sent over the PPP link and spread it over multiple physical connections, without causing either the normal PPP mechanisms or the network layer protocol interfaces to PPP to .break..
Figure 31: Multilink PPP Architecture The column on the left shows the TCP/IP model architecture with corresponding OSI Reference Model layer numbers. The center column shows the normal PPP layer architecture. When Multilink PPP is used, there are separate PPP implementations running over each of two or more physical links. Multilink PPP sits, architecturally, between these links and any network layer protocols to be transported over those links. (In this diagram only IP is shown, since it is most common, but Multilink PPP can in fact work with multiple network layer protocols, each being sent over each physical link.) Key Concept: The PPP Multilink Protocol (MP) allows PPP to bundle multiple physical links and use them like a single, high-capacity link. It must be enabled during link configuration. Once operational, it works by fragmenting whole PPP frames and sending the fragments over different physical links. PPP Multilink Protocol Setup and Configuration To use MP, both devices must have it implemented as part of their PPP software and must negotiate its use. This is done by LCP as part of the negotiation of basic link parameters in the Link Establishment phase (just like Link Quality Reporting). Three new configuration options are defined to be negotiated to enable MP: * Multilink Maximum Received Reconstructed Unit: Provides the basic indication that the device starting the negotiation supports MP and wants to use it. The option contains a value specifying the maximum size of PPP frame it supports. If the device receiving this option does not support MP it must respond with a Configure-Reject LCP message. * Multilink Short Sequence Number Header Format: Allows devices to negotiate use of a shorter sequence number field for MP frames, for efficiency. (See the topic on MP frames for more.) * Endpoint Discriminator: Uniquely identifies the system; used to allow devices to determine which links go to which other devices. Before MP can be used, a successful negotiation of at least the Multilink Maximum Received Reconstructed Unit option must be performed on each of the links between the two devices. Once this is done and an LCP link exists for each of the physical links, a virtual bundle is made of the LCP links and MP is enabled. PPP Multilink Protocol Operation As mentioned above, MP basically sits between the network layer and the regular PPP links and acts as a .middleman.. Here is what it does for each .direction. of communication: * Transmission: MP accepts datagrams received from any of the network layer protocols configured using appropriate NCPs. It first encapsulates them into a modified version of the regular PPP frame. It then takes that frame and decides how to transmit it over the multiple physical links. Typically, this is done by dividing the frame into fragments that are evenly spread out over the set of links. These are then encapsulated and sent over the physical links. However, an alternate strategy can also be implemented as well, such as alternating full-sized frames between the links. Also, smaller frames are typically not fragmented, nor are control frames such as those used for link configuration. * Reception: MP takes the fragments received from all physical links and reassembles them into the original PPP frame. That frame is then processed like any PPP frame, by looking at its Protocol field and passing it to the appropriate network layer protocol. The fragments used in MP are similar in concept to IP fragments, but of course these are different protocols running at different layers. To PPP or MP, an IP fragment is just an IP datagram like any other. The fragmenting of data in MP introduces a number of complexities that the protocol must handle. For example, since fragments are being sent roughly concurrently, we need to identify them with a sequence number to facilitate reassembly. We also need some control information to identify the first and last fragments. A special frame format is used for MP fragments to carry this extra information, which I describe in the section on PPP frame formats. That topic also contains more information about how fragmenting is accomplished, as well as an illustration that demonstrates how it works.