1. The Point-to-Point Protocol (PPP)
provides a standard method for transporting
multi-protocol datagrams over point-to-point links. See
http://www.rfc-editor.org/rfc/rfc1661.txt . The protocol
stack is:
A layer 3 network layer protocol (IP, IPv6, Appletalk, Novell
IPX, etc.)
A layer “2.5” PPP packet containing the network packet above.
A layer 2 point-to-point link frame (V.90 modem, ISDN, HDLC,
Ethernet,
frame relay, ATM, SONET, etc.) containing the PPP
packet.
2. PPP has three main components:
1. A method for encapsulating datagrams over serial links
(e.g. how to
put an IP datagram inside a PPP packet).
2. A Link Control Protocol (LCP) for establishing,
configuring, and
testing the data-link connection. For
example, LCP allows you to
configure the maximum transfer unit (MTU)
for the link.
3. A family of Network Control Protocols (NCPs) for
establishing and
configuring different network-layer
protocols. For example, the PPP
Internet Protocol Control Protocol (IPCP)
allows you to configure
an IP address.
3. In addition, there is a family of protocols for encapsulating PPP
packets in various link layer frames (V.90 modem, ISDN, HDLC,
Ethernet,
frame relay, ATM, SONET, etc.)
4. PPP Frame Format – PPP frame consists of a 2-byte network, NCP, or LCP
protocol number followed by the network, NCP or LCP packet.
For example,
the following shows an IP packet carried inside a PPP packet
carried
inside an HDLC frame (each line contains one or two bytes).
+-+-+-+-+-+-+-+-+
|0 1 1 1 1 1 1 0|
HDLC Flag
+-+-+-+-+-+-+-+-+
|1 1 1 1 1 1 1 1|
HDLC Address Byte 0xFF
+-+-+-+-+-+-+-+-+
|0 0 0 0 0 0 1 1|
HDLC Control Byte 0x03
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1| PPP
Protocol 0x0021
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service|
Total Length | IP
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... (rest of IP packet)
5. PPP Protocol numbers (0x0001 to 0xFEFF are classified into three types.
(The protocol numbers follow ISO 3309 extension mechanism for
address
fields - all bytes except the last are even and the last byte
is odd).
For a complete list (77 entries at last count), See “PPP DLL
PROTOCOL
NUMBERS” in http://www.rfc-editor.org/rfc/rfc1700.txt
1. Encapsulated Network-layer protocols (network layer data),
0*** to 3***
0021 Internet
Protocol Version 4
0029
Appletalk
002b Novell
IPX
0053
Encrypted datagram
0057 Internet
Protocol Version 6
00fd
Compressed datagram
2. Network Control Protocols (NCPs), 8*** to b***
8021 The PPP
Internet Protocol Control Protocol (IPCP)
(http://www.rfc-editor.org/rfc/rfc1332.txt)
8029 The PPP
AppleTalk Control Protocol (ATCP)
(http://www.rfc-editor.org/rfc/rfc1378.txt)
802b The PPP
Internetwork Packet Exchange Control Protocol (IPXCP)
(http://www.rfc-editor.org/rfc/rfc1552.txt)
8053 The PPP
Encryption Control Protocol (ECP)
(http://www.rfc-editor.org/rfc/rfc1968.txt)
8057 IP
Version 6 over PPP
(http://www.rfc-editor.org/rfc/rfc2472.txt)
80FD The PPP
Compression Control Protocol (CCP)
(http://www.rfc-editor.org/rfc/rfc1962.txt)
3. Link-layer Control Protocols (e.g. LCP), c*** to f***
c021 Link
Control Protocol (this document)
(http://www.rfc-editor.org/rfc/rfc1661.txt)
c023 PPP
Authentication Protocols (obsolete)
(http://www.rfc-editor.org/rfc/rfc1334.txt
c223 PPP
Challenge Handshake Authentication Protocol (CHAP)
(ftp://ftp.rfc-editor.org/in-notes/rfc1994.txt)
C227 PPP
Extensible Authentication Protocol (EAP)
(ftp://ftp.rfc-editor.org/in-notes/rfc2284.txt
6. Link Control Protocol Packet Format (encapsulated in a PPP frame with
PPP protocol c021). Used by most of the PPP Network Control
Protocols
(8*** to b***) and Link-layer Control Protocols (c*** to
f***). Each
LCP packet consists of an 8-bit Code, an 8-bit Identifier, a
16-bit
Length, and zero or more options.
+-+-+-+-+-+-+-+-+
|0 1 1 1 1 1 1 0|
HDLC Flag
+-+-+-+-+-+-+-+-+
|1 1 1 1 1 1 1 1|
HDLC Address Byte 0xFF
+-+-+-+-+-+-+-+-+
|0 0 0 0 0 0 1 1|
HDLC Control Byte 0x03
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PPP protocol 0xc021
|
PPP
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LCP Code | Identifier
| Length
| LCP
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type
| Length | Data ...
option
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type
| Length | Data ...
option
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type
| Length | Data ...
option
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
7. LCP Codes (1 to 13) identify the type of LCP packet. Most Network
Control
Protocols (NCP’s) use the same packet format and also use
codes 1 to 7.
See “PPP LCP AND IPCP CODES” in http://www.rfc-editor.org/rfc/rfc1700.txt.
(* indicates code only used by LCP.)
1. Link Configuration packets used to establish
and configure a Link.
code 1 Configure-Request
(new ID, zero or more options)
2
Configure-Ack (copy of ID, same options)
3
Configure-Nak (copy of ID, Nak’ed options and new values)
4
Configure-Reject (copy of ID, rejected options)
2. Link Termination packets used to terminate a
link.
code 5 Terminate-Request
(new ID, unspecified data)
6
Terminate-Ack (copy of ID, unspecified data)
3. Link Maintenance packets used to manage and
debug a link.
code 7 Code-Reject (new
ID, copy of rejected LCP packet)
8* Protocol-Reject (rejected PPP protocol, rejected packet)
9* Echo-Request (new ID, 4-byte magic number, arbitrary data)
10*
Echo-Reply (copy of ID, magic number, and data)
11*
Discard-Request (new ID, 4-byte magic number, data)
12*
Identification
13*
Time-Remaining
8. Each LCP packet contains zero or more options with the format:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type
| Length | Data ...
option
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The allowable option Types (0x00 through 0xff) depend on the
LPC Code.
For a list of the 21 currently defined option types, see “PPP
LCP
CONFIGURATION OPTION TYPES” in http://www.rfc-editor.org/rfc/rfc1700.txt.
49. The allowable LCP Link Configuration Options (type codes for LCP codes
1 to 4) are:
0 RESERVED
1 Maximum-Receive-Unit -
Default is 1500 bytes
3 Authentication-Protocol
c023 Password Authentication Protocol
c223 Challenge Handshake Authentication Protocol
4 Quality-Protocol
c025 Link Quality Report
5 Magic-Number – random
number to detect loopback
7
Protocol-Field-Compression (1 v.s. 2 bytes for protocol)
8
Address-and-Control-Field-Compression (link headers predictable)
9. Operation
0. Prepare a link to carry PPP packets (e.g. dial a phone
number) using a
link-specific protocol, e.g.
1. PPP in HDLC-like Framing (http://www.rfc-editor.org/rfc/rfc1662.txt
2. A Method for Transmitting PPP Over
Ethernet (PPPoE)
(http://www.rfc-editor.org/rfc/rfc2516.txt)
3. PPP Over Asynchronous Transfer Mode
Adaptation Layer 2 (AAL2)
(http://www.rfc-editor.org/rfc/rfc3336.txt)
4. PPP over SONET/SDH (http://www.rfc-editor.org/rfc/rfc2615.txt)
5. PPP Over AAL5 (http://www.rfc-editor.org/rfc/rfc2364.txt)
6. PPP in Frame Relay (http://www.rfc-editor.org/rfc/rfc1973.txt)
7. PPP over ISDN (http://www.rfc-editor.org/rfc/rfc1618.txt)
1. Send LCP packets to configure the PPP link. Example – LCP
packet to
set the MTU to 1024 (0x400) bytes.
1. Any of several link layer protocol (V.90
modem, HDLC, frame relay
or ATM virtual circuit,
etc.).
2. PPP header
2-byte
protocol field = 0xc021 = Link Control Protocol
3. Link Control Protocol
1-byte code
field = 0x01 = Configure-Request
1-byte ID
field = 0x?? (select two digits, response must match)
2-byte length
field = 0x08
4. LCP Maximum-Receive-Unit option
1-byte option
field = 0x01 = Maximum-Receive Unit
1-byte option
length field = 0x04
2-byte max
MTU field = 0x0400 = 1024 decimal
2. Send NCP packets to configure the encapsulated protocol
(e.g.
Response packet to assign an IP address to
my computer
1. Any of several link layer protocol (V.90
modem, HDLC, frame relay
or ATM virtual circuit,
etc.).
2. PPP header
2-byte
protocol field = 8021 = IP Control Protocol (IPCP)
3. Internet Protocol Control Protocol
1-byte code
field = 0x02 = Configure-Response
1-byte ID
field = 0x?? (must match request ID field)
2-byte length
field = 0x0A = 10 decimal
4. LCP IP Address option
1-byte option
field = 0x03 = IP Address
1-byte option
length field = 0x06
4-byte IP
address
3. Send encapsulated network packets. Example – IP packet.
1. Any of several link layer protocol (V.90
modem, HDLC, frame relay
or ATM virtual circuit,
etc.).
2. PPP header
2-byte
protocol field = 0x0021 = Internet Protocol
3. IP Packet
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|Version| IHL
|Type of Service| Total
Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
10. PPP Encryption Control Protocol
PPP Encryption Control Protocol (ECP) is used to negotiate
any encryption
Protocol to be used on the link. ECP (PPP protocol number
0x8053)
resembles LCP (PPP protocol number 0xc021) including the use
of codes 1
through 7 (Configure-Request, Configure-Ack, Configure-Nak,
Configure-
Reject, Terminate-Request, Terminate-Ack and Code-Reject).
ECP uses the
same option format as LCP (8-bit type, 8-bit length, data
bytes) but the
types specify encryption techniques. Once the encryption
algorithm has
been negotiated, encrypted packets are exchanged using PPP
protocol
number 0x0053 (Encrypted datagram). See the PPP Encryption
Control
Protocol (ECP), http://www.rfc-editor.org/rfc/rfc1968.txt.
ECP allows systems to negotiate a variety of encryption
techniques.
1. The PPP DES Encryption Protocol, Version 2 (DESE-bis)
(http://www.rfc-editor.org/rfc/rfc2419.txt).
The shared secret is
a 56-bit DES key. This protocol is
requested by ECP (PPP protocol
number 0x8053) using configuration type
0x02, length 0x08, and a
6-byte initialization vector (exclusive
or’ed with the first 8-bytes
of data).
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 3 |
Length = 10 | 8-byte initialization vector ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
After initialization, data is exchanged
using PPP protocol 0x00fd
(Compressed datagram). The data consists of
a 16-bit sequence number
(for reordering the data packets) followed
by the encrypted data.
2. The PPP Triple-DES Encryption Protocol (3DESE)
(http://www.rfc-editor.org/rfc/rfc2420.txt).
Similar to DESE-bis
except that the shared secret is three
56-bit DES keys, and type 0x02
is used in the ECP packet.
11. PPP Compression Protocols
PPP Compression Control Protocol (CCP) is used to negotiate
any
compression Protocol to be used on the link. CCP (PPP
protocol number
0x80fd) is just like the PPP Encryption Control Protocol (ECP)
except
that the PPP protocol number is 0x805d (rather than 0x8053)
and
the type fields for Configure-Request, Configure-Ack,
Configure-Nak,
and Configure-Reject packets refer to compression methods.
CCP type field Compression type
CCP type field Compression type
0
OUI (private type)
17 Stac Electronics LZS
1
Predictor type 1
18 Microsoft PPC
2
Predictor type 2
19 Gandalf FZA
3
Puddle Jumper
20 V.42bis compression
4-15
unassigned
21 BSD LZW Compress
16
Hewlett-Packard PPC 255
Reserved
Once the compression algorithm has been negotiated,
compressed packets
are exchanged using PPP protocol 0x00fd (Compressed
datagram). See The
PPP Compression Control Protocol (CCP),
http://www.rfc-editor.org/rfc/rfc1962.txt
12. PPP Authentication Protocols
1. The simplest PPP authentication protocol, Password
Authentication
Protocol (PPP protocol number 0xc023) is
based on a shared secret
password. The client sends a “Peer-Id” (an
account) and a Password
over the link using the LPC packet format.
The codes protocol uses
codes Authenticate-Request, Authenticate-Ack
and Authenticate-Nak.
The Authenticate-Request packet contains
fields for the Peer-Id and
Password. See http://www.rfc-editor.org/rfc/rfc1334.txt
2. The PPP Challenge Handshake Authentication Protocol (CHAP)
is also
based on a shared secret password but the
password itself is never
sent. The server creates a “challenge” that
consists of an arbitrary
stream of bytes. The client concatenates
the 1-byte identifier
(which immediately follows the PPP protocol
number 0xC223), the bytes
of the password, and the bytes of the
challenge and then computes the
MD5 “hash” of the result. The client
returns the 16-byte hash to the
server. The client can authenticate the
server by reversing the
process. See http://www.rfc-editor.org/rfc/rfc1994.txt
3. More recent authentication protocols use the PPP
Extensible
Authentication Protocol (EAP) which is
similar to ECP and CCP
above. EAP uses LCP-style packets with code
fields to specify
Request (1), Response (2), Success (3), and
Failure (4). Type
fields are defined for type values:
1
Identity (to
query the identity of the peer)
2
Notification (display message to user)
3
Nak (Response only) (unacceptable authentication type)
4
MD5-Challenge – (similar to CHAP)
5
One-Time Password (OTP, see RFC 2289)
6
Generic Token Card
13
EAP TLS
See http://www.rfc-editor.org/rfc/rfc2284.txt
4. PPP EAP TLS Authentication Protocol (RFC-2716) describes
the use
of the Transport Layer Security (TLS)
protocol (RFC-2246) with
the PPP Extensible Authentication Protocol
(EAP). See
http://www.rfc-editor.org/rfc/rfc2716.txt
and
http://www.rfc-editor.org/rfc/rfc2246.txt
13. Protocols for encapsulation
1. PPP in HDLC-like Framing (http://www.rfc-editor.org/rfc/rfc1662.txt)
+----------+----------+----------+
| Flag | Address
| Control |
HDLC frame header
| 01111110 | 11111111 | 00000011 |
+----------+----------+----------+
+----------+-------------+---------+
| Protocol | Information
| Padding | PPP
Frame
| 8/16 bits|
* | * |
+----------+-------------+---------+
+----------+----------+-----------------
|
FCS | Flag | Inter-frame Fill
HDLC frame trailer
|16/32
bits| 01111110 | or next Address
+----------+----------+-----------------
2. A Method for Transmitting PPP Over Ethernet (PPPoE)
(http://www.rfc-editor.org/rfc/rfc2516.txt)
During the Discovery stage, a PPoE client finds
and selects a PPoE
server (called an Access Concentrator) by
broadcasting an
initialization packet using the Ethernet
destination address
ff:ff:ff:ff:ff:ff and an Ethertype field of
0x8863. One or more access
concentrators respond with Offer packets. The
host selects one and
sends a Session Request packet, and the selected
Access Concentrator
responds by returning a Conformation packet that
includes a Session ID.
Once the session is established, the host and
Access Concentrator
exchange Ethernet packets using an Ethertype
field of 0x8864. The data
field of the Ethernet packet contains:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VER=1 | TYPE=1| CODE = 0
| SESSION_ID
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
LENGTH |
the PPP payload ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Code is used during the discovery phase to
distinguish Initiation
(0x09), Offer (0x07), Request (0x19),
Session-confirmation (0x65), and
Terminate (0xa7) packets. Since Ethernet has a
maximum payload of 1500
bytes, the PPP payload is limited to 1500 – 8 or
1492 bytes.