With accelerating economic globalization and digital transformation, enterprises are growing in scale and establishing more and more branches in different geographical areas. The network of each branch office is a Local Area Network (LAN), and communication between headquarters and the branch offices has to span a considerable geographical distance. Enterprises therefore connect these dispersed branch offices through a Wide Area Network (WAN) to support their business.

The development of WAN technology has gone hand in hand with continuous increases in bandwidth. The early WAN protocol X.25 provided only 64 kbit/s; the subsequent Digital Data Network (DDN), Frame Relay (FR) and Asynchronous Transfer Mode (ATM) pushed bandwidth up to the 10 Gbit/s range; and today's IP-based WANs offer 10 Gbit/s or more.

A LAN (Ethernet) uses the CSMA/CD protocol, whereas WAN links use a variety of data link layer protocols, such as High-Level Data Link Control (HDLC), Point-to-Point Protocol (PPP), X.25 and Frame Relay. PPP is the typical protocol for point-to-point WAN links and is the protocol routers use to connect to a WAN.

CSMA/CD does not support authentication of access devices. PPP supports authentication of the devices that access the network and can assign IP addresses to them. To authenticate the users behind an Ethernet switch and assign IP addresses to their devices, PPP is carried over Ethernet using the PPPoE (PPP over Ethernet) protocol. A router can act as a PPPoE server or a PPPoE client, and a Windows system can also act as a PPPoE client that sets up a dial-up connection to the PPPoE server.

14.1 Overview of WAN

WAN normally covers a large geographical distance, ranging from a few kilometers to several thousands of kilometers. Meanwhile, it can provide long-distance communication, connect multiple cities or countries, or even span several continents to form an international long-distance network. A LAN is usually connected to the WAN as an end-user of the WAN. As shown in Fig. 14.1, a company has three LANs in Beijing, Shanghai and Shenzhen, which are interconnected through the network of a telecom carrier that provides WAN connection for the enterprise.

Fig. 14.1

LAN and WAN illustration

LANs are usually set up, managed and maintained by enterprises themselves, which purchase network equipment such as routers and switches. A WAN, on the other hand, is typically set up, managed and maintained by a telecom operator, which provides paid communication services to the public and records and bills the traffic. Home users accessing the Internet by dial-up or over optical fiber is one application of a WAN.

As shown in Fig. 14.2, LAN1 (Ethernet) and LAN2 (Ethernet2) are connected through WAN links. In the figure, the interface on the router that connects to the WAN is the Serial interface. There are several standards of Serial interfaces, and the figure shows two kinds of interfaces, “asynchronous interface and synchronous interfaces” and “non-channelized E1/T1 WAN interface”.

Fig. 14.2

WAN illustration

As shown in Fig. 14.2, WAN links can have different protocols. The serial link between routers AR1 and AR2 uses the high-level data link control protocol, that between AR2 and AR3 uses the point to point protocol, and AR3 and AR4 that are connected by the frame relay switch use the frame relay protocol.

As can be seen in Fig. 14.2, different links can use different data link layer protocols. Each data link layer protocol defines its own encapsulation (frame format), so a packet is re-encapsulated into a different frame each time it crosses a different kind of link. The diagram shows the whole path of a packet from PC1 to PC2: it is encapsulated in an Ethernet frame on Ethernet1, in an HDLC frame on the link between AR1 and AR2, in a PPP frame on the link between AR2 and AR3, in a Frame Relay frame on the link between AR3 and AR4, and in an Ethernet frame again when AR4 sends it to PC2.

This chapter focuses on two protocols, PPP and PPPoE, and analyzes the process of PPP link establishment.

14.2 Principles and Configuration of PPP

14.2.1 Overview of PPP

PPP is a common WAN data link layer protocol, mainly used for point to point data transmission over a full-duplex link. The predecessors of PPP are Serial Line Internet Protocol (SLIP) and CSLIP (Compressed SLIP), which are basically out of use now. However, since its introduction in the 1990s, PPP has been widely used and is now the most universally used data link layer protocol for Internet access.

PPP provides the Link Control Protocol (LCP) for negotiating link layer parameters such as the maximum receive unit (MRU), the authentication mode and the magic number, and it provides the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP) for authenticating the peer. It also provides a family of Network Control Protocols (NCPs), such as the IP Control Protocol (IPCP), for negotiating network layer parameters so that the network layer protocols are properly supported.

PPP can be combined with ADSL, Cable Modem, LAN and other technologies to enable various types of broadband access. PPP has good scalability. For example, it can be extended to PPPoE when it is needed to carry PPP on Ethernet links. The most commonly used broadband access method in homes is PPPoE. This is a technology that uses Ethernet resources and runs PPP on Ethernet to authenticate users when they access networks. PPP is responsible for establishing a communication link between the user and the carrier’s access server.

The CSMA/CD protocol works on Ethernet interfaces and Ethernet links, while PPP works on serial interfaces and serial links. There are various types of serial interfaces, such as the EIA RS-232-C, EIA RS-422, EIA RS-423 and ITU-T V.35 interfaces. These common serial interfaces all support PPP; in fact, any serial interface capable of full-duplex communication supports PPP. PPP imposes no particular rule on the transmission rate of the serial interface, but only requires that the interfaces at both ends of the serial link run at the same rate. This chapter collectively refers to the serial interfaces that support and run PPP as PPP interfaces.

14.2.2 PPP Frame Format

The frame encapsulation format of PPP is shown in Fig. 14.3. The header is five bytes: a one-byte Flag field that is the start-of-frame delimiter (0x7E), a one-byte Address field, a one-byte Control field, and a two-byte Protocol field indicating which protocol the information part carries. The footer is three bytes: a two-byte frame check sequence (FCS) followed by the one-byte end-of-frame delimiter (0x7E). The information part does not exceed 1500 bytes by default.

Fig. 14.3

PPP frame format

The encapsulation of PPP is largely based on the HDLC protocol specification, and PPP uses the Flag field and the frame check sequence (FCS) field exactly as defined for HDLC. In addition, many fields in PPP frames have fixed values. Since PPP is purely a point-to-point protocol, in which a message sent by either party is received and processed only by the designated other party, an address field is no longer necessary, so the PPP Address field is fixed at all 1s (0xFF), the all-stations address. Finally, the PPP Control field is likewise fixed at 0x03.

There are also some differences between the encapsulation of PPP and HDLC protocols, for example, PPP adds a protocol field to the encapsulation field.
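As an added example (not code from this book), the following Python builds and parses a PPP frame with the fields described above. The byte-stuffing rule and the 16-bit FCS algorithm follow RFC 1662, which this chapter does not cover; the Protocol values in PROTOCOL_NAMES come from RFC 1661 and RFC 1332. The parser verifies the FCS before trusting any other field, so a corrupted frame is rejected rather than decoded.

```python
"""Build and parse PPP frames with the HDLC-like framing of RFC 1662."""
import struct

FLAG, ESCAPE = 0x7E, 0x7D
ADDRESS, CONTROL = 0xFF, 0x03          # fixed values in PPP (Sect. 14.2.2)

# Values of the 2-byte Protocol field used in this chapter
PROTOCOL_NAMES = {
    0x0021: "IPv4", 0x8021: "IPCP",
    0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP",
}


def fcs16(data: bytes) -> int:
    """16-bit FCS of RFC 1662 (CRC-16/X.25, reflected polynomial 0x8408)."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF


def build_frame(protocol: int, info: bytes) -> bytes:
    """Flag | Address | Control | Protocol | Information | FCS | Flag."""
    body = bytes([ADDRESS, CONTROL]) + struct.pack(">H", protocol) + info
    body += struct.pack("<H", fcs16(body))     # FCS is sent low byte first
    stuffed = bytearray()
    for byte in body:
        # Byte stuffing: flag, escape and (with the default ACCM) all
        # control characters are sent as 0x7D followed by byte XOR 0x20
        if byte in (FLAG, ESCAPE) or byte < 0x20:
            stuffed += bytes([ESCAPE, byte ^ 0x20])
        else:
            stuffed.append(byte)
    return bytes([FLAG]) + bytes(stuffed) + bytes([FLAG])


def parse_frame(raw: bytes) -> dict:
    """Undo stuffing, verify the FCS and split the frame into its fields."""
    if len(raw) < 2 or raw[0] != FLAG or raw[-1] != FLAG:
        raise ValueError("missing flag delimiters")
    body = bytearray()
    i = 1
    while i < len(raw) - 1:
        byte = raw[i]
        if byte == ESCAPE:
            i += 1
            byte = raw[i] ^ 0x20
        body.append(byte)
        i += 1
    if len(body) < 6:                       # addr+ctrl+proto+fcs at minimum
        raise ValueError("frame too short")
    received_fcs = struct.unpack("<H", body[-2:])[0]
    if fcs16(bytes(body[:-2])) != received_fcs:
        raise ValueError("FCS mismatch, frame corrupted")
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected address/control field")
    protocol = struct.unpack(">H", body[2:4])[0]
    return {
        "protocol": protocol,
        "protocol_name": PROTOCOL_NAMES.get(protocol, "unknown"),
        "info": bytes(body[4:-2]),
    }


def frame_is_valid(raw: bytes) -> bool:
    """True if the frame is well formed and its FCS checks out."""
    try:
        parse_frame(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed example: an LCP Configure-Request carrying only MRU 1500
    lcp = bytes.fromhex("01010008010405dc")
    frame = build_frame(0xC021, lcp)
    print(frame.hex())
    print(parse_frame(frame))
```

The information part here is a constructed LCP message, not a capture. Note that the FCS is an error-detection code only: it catches line noise, but an attacker on the link can recompute it, so it provides no integrity protection against tampering.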

14.2.3 Three Stages of PPP Negotiation

A link using PPP needs to go through a three-stage negotiation process before it can communicate: link layer negotiation, authentication negotiation (optional) and network layer negotiation.

  1. Link layer negotiation. Link parameters are negotiated through Link Control Protocol (LCP) messages to establish the link layer connection. Parameters such as the maximum receive unit, the authentication mode and the magic number can be negotiated; parameters that are not negotiated take their default values.

  2. Authentication negotiation (optional). Authentication is performed using the mode negotiated at the link layer. If one party requires authentication, the other party must present its account and password. The most common authentication protocols are the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Both are used on PPP links, but they differ sharply in security: PAP sends the password in plain text, whereas CHAP sends only a digest computed over a random challenge, so the password itself never crosses the link.

  3. Network layer negotiation. The configuration parameters of network layer protocols are negotiated through NCP. NCP is not one specific protocol but a series of protocols in PPP, each controlling a different network layer protocol: IPv4 corresponds to IPCP, IPv6 to IPv6CP, IPX to IPXCP, AppleTalk to ATCP, and so on. Taking IPCP as an example, the parameters to be negotiated include whether the PPP and IP headers are compressed, which compression algorithm is used, and the IPv4 address of the PPP interface.

14.2.4 PPP Working Process

The basic PPP working process consists of five phases: Link Dead, Link Establishment, Authentication, Network Layer Protocol, and Link Termination.

  1. Before communication, the link is in the Dead phase. When the two devices set up a PPP link, they first enter the link establishment phase.

  2. Link layer negotiation is performed in the link establishment phase. Parameters such as the maximum receive unit of both parties, the authentication mode and the magic number are negotiated. After successful negotiation, LCP enters the Opened state, indicating that the lower-layer link has been established.

  3. If authentication is configured, the two devices enter the authentication phase; otherwise they go directly to the network layer protocol phase.

  4. In the authentication phase, the link is authenticated using the mode negotiated in the link establishment phase, PAP or CHAP. If authentication succeeds, the devices enter the network layer protocol phase; otherwise they enter the link termination phase, the link is torn down and LCP goes Down.

  5. In the network layer protocol phase, the PPP link performs NCP negotiation, which selects and configures a network layer protocol and negotiates its parameters.

  6. In the link termination phase, the two devices release all resources and return to the Dead phase. The connection may be interrupted at any time while PPP is running, for example when the physical link is disconnected, PPP authentication fails, a negotiation timer expires, or the administrator shuts the connection down through configuration; after the interruption, the link enters the link termination phase.

The following is a detailed description of the three phases of PPP working process: link establishment phase, authentication phase and network layer protocol phase.

  1. Link establishment phase

    The first phase of the basic PPP working process is the link dead phase. In this phase, the physical layer function of the PPP interface has not yet entered the normal state. Only when the physical layer functions of both the local interface and the peer interface enter the normal state, PPP can enter the next working phase, i.e., the link establishment phase. In this phase, the local interface and the peer interface will send PPP frames carrying LCP messages to each other.

    The LCP message format is shown in Fig. 14.4.

    The Protocol field is used to indicate the protocol message type encapsulated by PPP. 0xC021 represents LCP messages, 0xC023 represents PAP messages, and 0xC223 represents CHAP messages. When the Protocol field is 0xC021, there is a Code field to identify the different types of LCP messages.

    The information part contains the contents of the specified protocol in the Protocol field, and the maximum length of this field is called Maximum Receive Unit (MRU), whose default value is 1500. When the Protocol field is 0xC021, the structure of the information part is as follows.

    • The Identifier field is used to match and respond to the request and it takes up one byte.

    • The value of the Length field is the total number of bytes of the LCP message.

    • The Data field carries the configuration parameters in TLV (Type, Length, Value) format.

      Some common configuration parameters carried by LCP messages are MRU, authentication protocol and magic number.

    • On the Versatile Routing Platform (VRP), the MRU parameter is expressed using the maximum transmission unit (MTU) value configured on the interface.

    • The common PPP authentication protocols are PAP and CHAP. Different authentication modes can be used at the two ends of a PPP link to authenticate the peer, but the authenticatee must support the authentication protocol required by the authenticator and properly configure the authentication information such as username and password.

    • LCP uses magic numbers to detect looped-back links and other anomalies. A magic number is randomly generated, and the generation mechanism must make it practically impossible for both ends to pick the same value; if a Configure-Request arrives carrying the receiver's own magic number, the link is suspected to be looped back.

      As shown in Fig. 14.5, RA and RB are connected using a serial link and running PPP. After the physical layer link becomes available, RA and RB use LCP to negotiate link parameters. The following steps describe the process of link parameter negotiation between RA and RB.

      • RA first sends a Configure-Request message that contains the link layer parameters configured on RA.

      • After receiving this Configure-Request, RB responds with a Configure-Ack if it recognizes and accepts all the parameters in it. In this example, RB cannot accept the MRU value, so it sends RA a Configure-Nak message listing the parameters it cannot accept together with the values (or value ranges) it can accept; here the Configure-Nak carries the MRU parameter with the acceptable value 1500.

      • After receiving the Configure-Nak, RA adjusts its local parameters to the values suggested in the message and sends a new Configure-Request.

      • After receiving the Configure-Request message, RB responds with a Configure-Ack message to RA if it can identify and receive all parameters in this message.

      • Similarly, RB needs to send a Configure-Request message to RA, carrying its interface parameters.

      • RA checks whether RB's parameters are acceptable. If they all are, it sends a Configure-Ack.

        If RA does not receive the Configure-Ack message or Configure-Nak message, it will resend the Configure-Request message every 3 s. If it sends the Configure-Request message 10 times in a row but does not receive the Configure-Ack message, it will consider RB unavailable and stops sending Configure-Request messages.

  2. Authentication phase

    After the link is successfully established, the authentication negotiation (optional) will be carried out. There are two modes of authentication negotiation: PAP and CHAP. In this example, RA requires the authentication mode to be PAP in the LCP negotiation parameters, so RA is the authenticator and RB is the authenticatee. The PAP authentication protocol is a two-way handshake protocol, and its password will be transmitted in plain text on the link, as shown in Fig. 14.6.

    • The authenticatee sends the configured username and password to the authenticator in plain text by the Authenticate-Request message.

    • After receiving the username and password, the authenticator checks them against its local user database. If they match, it responds with an Authenticate-Ack message, indicating successful authentication; otherwise it responds with an Authenticate-Nak message, indicating that authentication failed.

      In this example, after LCP negotiation completes, RB requires RA to use CHAP for authentication. CHAP is a three-way handshake, and the password is never placed on the link; only a one-way hash computed over a random challenge is transmitted. The process is shown in Fig. 14.7.

    • The authenticator RA initiates the authentication request and sends the authenticatee RB a Challenge message, which contains a random number (Random) and ID (the sequence number of this authentication).

    • After receiving the Challenge message, the authenticatee RB computes MD5 over the concatenation of the ID, its password and the random number (in that order, as specified by RFC 1994), obtaining a 16-byte digest. It places the digest together with the CHAP username configured on the interface in a Response message and sends it back to the authenticator RA.

    • After receiving the Response, the authenticator RA looks up the password for the username it contains, computes the same hash, and compares the result with the digest in the Response. If they are the same, authentication succeeds; otherwise it fails.

      With CHAP, the authenticatee's password is never transmitted, only a digest that is different for every challenge, which significantly improves security compared with PAP. Note, however, that an eavesdropper who captures the challenge and the digest can still test password guesses offline, so the password must be strong.

      MD5 is a weak hash function (for digital signatures and password protection it is no longer considered secure) and carries security risks. Within the range of algorithms a protocol supports, it is recommended to use stronger algorithms, such as AES, RSA with 2048-bit or longer keys, SHA-2 or HMAC-SHA2.

  3. Network layer protocol phase

    After the PPP authentication, both parties enter the network layer protocol phase to negotiate the format and type of packets to be transmitted over the data link, and establish and configure different network layer protocols. Take the common IPCP protocol as an example. IPCP protocol is divided into static IP address negotiation and dynamic IP address negotiation.

    Static IP address negotiation requires manual configuration of IP addresses on both ends of the link. The process of static IP address negotiation is shown in Fig. 14.8.

    • Each end sends a Configure-Request message, which contains the locally configured IP address.

    • After receiving the other end's Configure-Request, each end checks the IP address in it. If the address is a legitimate unicast address and differs from its own (no address conflict), it accepts the peer's use of that address and sends a Configure-Ack.

      Dynamic IP address negotiation allows one end of the PPP link to assign an IP address to the other end. The process is shown in Fig. 14.9.

    • RA sends RB a Configure-Request message, which contains an IP address 0.0.0.0, indicating that it requests an IP address from the peer.

    • After receiving the above Configure-Request message, RB considers that the IP address 0.0.0.0 in the message is illegitimate and responds with a new IP address 10.1.1.1 using Configure-Nak.

    • After receiving this Configure-Nak message, RA updates the local IP address and resends a Configure-Request message with the new IP address 10.1.1.1.

    • After receiving the Configure-Request message, RB considers the IP address in the message to be legitimate and responds with a Configure-Ack message.

    • In the meantime, RB also sends a Configure-Request message to RA to request the use of address 10.1.1.12.

    • If RA considers this address legitimate, it responds with a Configure-Ack message.
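The CHAP exchange of Fig. 14.7 and the offline-guessing caveat above, as an added example that is not code from this book. The digest is computed in the RFC 1994 order (Identifier, then secret, then challenge); the user Buser with password huawei@123 is the one configured in Sect. 14.2.6, and the wordlist in the usage is constructed for illustration.

```python
"""CHAP (RFC 1994) challenge/response as run between authenticator RA and
authenticatee RB, plus an offline dictionary check on a captured exchange."""
import hashlib
import hmac
import os

CHAP_SUCCESS, CHAP_FAILURE = 3, 4          # CHAP Code values of RFC 1994


def chap_digest(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier || secret || Challenge Value (RFC 1994 Sect. 2.2)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """RA: holds the local user database and issues challenges."""

    def __init__(self, users: dict):
        self.users = users                  # {username: password bytes}
        self.pending = {}                   # Identifier -> outstanding challenge
        self.next_ident = 0

    def challenge(self) -> tuple:
        self.next_ident = (self.next_ident + 1) & 0xFF
        value = os.urandom(16)              # unpredictable per-attempt random
        self.pending[self.next_ident] = value
        return self.next_ident, value

    def verify(self, ident: int, name: str, digest: bytes) -> int:
        # Each challenge is consumed on first use, so a captured Response
        # cannot be replayed against the same challenge later
        challenge = self.pending.pop(ident, None)
        secret = self.users.get(name)
        if challenge is None or secret is None:
            return CHAP_FAILURE
        expected = chap_digest(ident, secret, challenge)
        ok = hmac.compare_digest(expected, digest)   # constant-time compare
        return CHAP_SUCCESS if ok else CHAP_FAILURE


class Authenticatee:
    """RB: answers a challenge with its configured CHAP user and password."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> tuple:
        # Only the username and the digest go on the wire, never the secret
        return self.name, chap_digest(ident, self.secret, challenge)


def run_chap(auth: Authenticator, peer: Authenticatee) -> int:
    """The three-way handshake: Challenge -> Response -> Success/Failure."""
    ident, challenge = auth.challenge()
    name, digest = peer.respond(ident, challenge)
    return auth.verify(ident, name, digest)


def crack_offline(ident: int, challenge: bytes, digest: bytes, wordlist):
    """What an eavesdropper can do with a captured Challenge/Response pair:
    the secret is not on the wire, but MD5 is fast enough to test guesses."""
    for guess in wordlist:
        if chap_digest(ident, guess, challenge) == digest:
            return guess
    return None


if __name__ == "__main__":
    ra = Authenticator({"Buser": b"huawei@123"})    # user from Sect. 14.2.6
    rb = Authenticatee("Buser", b"huawei@123")
    print("CHAP result:", run_chap(ra, rb))          # 3 = Success
    ident, chal = ra.challenge()
    name, digest = rb.respond(ident, chal)
    # constructed wordlist standing in for an attacker's dictionary
    print("offline guess:", crack_offline(ident, chal, digest,
                                          [b"123456", b"huawei@123"]))
```

The one-time use of each challenge is what makes CHAP resistant to replay; the offline check shows why it is not resistant to dictionary attack, which is the practical reason behind the recommendation to avoid MD5-based schemes and weak passwords.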

Fig. 14.4

LCP message format

Fig. 14.5

LCP negotiation process

Fig. 14.6

PAP authentication

Fig. 14.7

CHAP authentication

Fig. 14.8

Static IP address negotiation

Fig. 14.9

Dynamic IP address negotiation
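The Configure-Request / Configure-Nak / Configure-Ack exchanges of Fig. 14.5 (LCP, MRU too large) and Fig. 14.9 (IPCP, address 0.0.0.0) follow the same rule set, so the following added example (not code from this book) models that rule set once and applies it to both. Configure-Reject, the retry limit of 10 and the precedence of Reject over Nak over Ack come from RFC 1661 and the retry count given above; RB_MAGIC and RB_ADDRESS are assumed values for RB.

```python
"""Configure-Request / Configure-Nak / Configure-Ack negotiation as in
Figs. 14.5 (LCP, MRU) and 14.9 (IPCP, dynamic address), modelled generically."""
import random

CONFIGURE_REQUEST = "Configure-Request"
CONFIGURE_ACK = "Configure-Ack"
CONFIGURE_NAK = "Configure-Nak"
CONFIGURE_REJECT = "Configure-Reject"      # RFC 1661: option not recognised
MAX_CONFIGURE = 10                         # retry limit quoted in Sect. 14.2.4


def respond(request: dict, policy) -> tuple:
    """The responder's answer to one Configure-Request.

    policy(option, value) returns ("ack", None), ("nak", preferred_value) or
    ("rej", None). Reject takes precedence over Nak, Nak over Ack (RFC 1661)."""
    nak, rej = {}, {}
    for option, value in request.items():
        verdict, preferred = policy(option, value)
        if verdict == "nak":
            nak[option] = preferred
        elif verdict == "rej":
            rej[option] = value
    if rej:
        return CONFIGURE_REJECT, rej
    if nak:
        return CONFIGURE_NAK, nak
    return CONFIGURE_ACK, dict(request)


def negotiate(initial: dict, policy) -> tuple:
    """Run the requester side until Ack, or give up after MAX_CONFIGURE tries.
    Returns (agreed options or None, transcript of messages)."""
    request = dict(initial)
    transcript = []
    for _ in range(MAX_CONFIGURE):
        transcript.append((CONFIGURE_REQUEST, dict(request)))
        code, options = respond(request, policy)
        transcript.append((code, options))
        if code == CONFIGURE_ACK:
            return request, transcript
        if code == CONFIGURE_NAK:
            request.update(options)         # adopt the values the peer accepts
        else:
            for option in options:          # drop options the peer rejects
                request.pop(option, None)
    return None, transcript                 # peer considered unavailable


RB_MAGIC = 0x1A2B3C4D                       # RB's own magic number (assumed)
RB_ADDRESS = "10.1.1.2"                     # RB's own interface address (assumed)


def rb_lcp_policy(option, value):
    """RB accepts an MRU up to 1500, PAP or CHAP, and any magic number that
    does not collide with its own (a collision suggests a looped-back link)."""
    if option == "Maximum-Receive-Unit":
        return ("ack", None) if value <= 1500 else ("nak", 1500)
    if option == "Authentication-Protocol":
        return ("ack", None) if value in ("PAP", "CHAP") else ("nak", "CHAP")
    if option == "Magic-Number":
        if value == RB_MAGIC:
            return "nak", random.getrandbits(32)   # ask the peer to pick anew
        return "ack", None
    return "rej", None


def rb_ipcp_policy(option, value):
    """RB hands out 10.1.1.1 to a peer that asks with 0.0.0.0 or that
    requests the address RB itself uses."""
    if option == "IP-Address":
        if value in ("0.0.0.0", RB_ADDRESS):
            return "nak", "10.1.1.1"
        return "ack", None
    return "rej", None


if __name__ == "__main__":
    lcp_request = {"Maximum-Receive-Unit": 1600,
                   "Authentication-Protocol": "PAP",
                   "Magic-Number": 0x328C2356}
    for message in negotiate(lcp_request, rb_lcp_policy)[1]:
        print("LCP ", message)
    for message in negotiate({"IP-Address": "0.0.0.0"}, rb_ipcp_policy)[1]:
        print("IPCP", message)
```

Each transcript is four messages long, exactly as in the figures: Request, Nak, Request, Ack. A policy that keeps Nak-ing different values makes the requester give up after ten attempts, which is the "peer unavailable" outcome described above.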

14.2.5 Configure PPP: PAP Mode for Authentication

Configure routers AR1 and AR2 in the network according to Fig. 14.10 for the following functions.

  • Configure PPP as the data link layer protocol on the link between AR1 and AR2.

  • Create a user and password on AR1 for PPP authentication.

  • Configure the PPP authentication mode as PAP on interface Serial 2/0/0 of AR1.

  • Configure the account and password presented to router AR1 on interface Serial 2/0/1 of AR2.

From the figure, you can see that interface Serial 2/0/0 of router AR1 is configured to use PPP for the data link layer, and the Huawei router serial interface also uses PPP by default. By the following operation, you can check the data link layer protocols supported by the serial interface, and the same interface can be specified to use different data link layer protocols.

[AR1]interface Serial 2/0/0
[AR1-Serial2/0/0]link-protocol ?                --View data link layer protocols supported by the serial interface
  fr    Select FR as line protocol
  hdlc  Enable HDLC protocol
  lapb  LAPB (X.25 level 2 protocol)
  ppp   Point-to-Point protocol
  sdlc  SDLC (Synchronous Data Link Control) protocol
  x25   X.25 protocol
[AR1-Serial2/0/0]link-protocol ppp              --Specify PPP as the data link layer protocol

Fig. 14.10

Configure PPP: PAP mode for authentication

Check the state of interface Serial 2/0/0 of router AR1. The returned message shows the physical layer state is UP, indicating that the interfaces at both ends are properly connected, and the data link layer state is UP, indicating that the protocols at both ends are consistent.

<AR1>display interface Serial 2/0/0
Serial2/0/0 current state : UP                --Physical layer state is UP
Line protocol current state : UP              --Data link layer state is UP
Description:HUAWEI, AR Series, Serial2/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 192.168.1.1/24
Link layer protocol is PPP                    --Data link layer protocol is PPP
LCP reqsent
……

Create a user for PPP authentication on AR1.

[AR1]aaa
[AR1-aaa]local-user Auser password cipher Huawei123    --Create user Auser with the password Huawei123
[AR1-aaa]local-user Auser service-type ppp             --Specify Auser for PPP authentication
[AR1-aaa]quit

Configure the interface Serial 2/0/0 of AR1; PPP requires authentication to connect, and the authentication mode is PAP.

[AR1]interface Serial 2/0/0
[AR1-Serial2/0/0]ppp authentication-mode ?      --View PPP authentication modes
  chap  Enable CHAP authentication              --Password never sent; only a challenge digest is transmitted
  pap   Enable PAP authentication               --Password transmitted in plain text
[AR1-Serial2/0/0]ppp authentication-mode pap    --PAP authentication is required

If you want to remove the PPP authentication of this interface, the following commands shall be executed.

[AR1-Serial2/0/0]undo ppp authentication-mode pap

Configure interface Serial 2/0/1 of router AR2 to use PPP at the data link layer, and specify the account and password to present to AR1.

[AR2]interface Serial 2/0/1
[AR2-Serial2/0/1]link-protocol ppp
[AR2-Serial2/0/1]ppp pap local-user Auser password cipher Huawei123

Note

The “[AR2-Serial2/0/1] ppp authentication-mode pap” is not executed on interface Serial 2/0/1 of AR2, and AR1 does not need to present the account and password when connecting to AR2 using PPP.

14.2.6 Configure PPP: CHAP Mode for Authentication

The previous configuration only lets AR1 authenticate AR2; now AR2 must be configured to authenticate AR1 as well. Create user Buser on AR2 with password huawei@123, configure interface Serial 2/0/1 of AR2 to use PPP and require CHAP authentication, and configure interface Serial 2/0/0 of AR1 to present the account and password, as shown in Fig. 14.11.

Fig. 14.11

Configure PPP: CHAP mode for authentication

Create a user for PPP authentication on AR2. Configure interface Serial 2/0/1 and PPP requires authentication for connection.

[AR2]aaa
[AR2-aaa]local-user Buser password cipher huawei@123
[AR2-aaa]local-user Buser service-type ppp
[AR2-aaa]quit
[AR2]interface Serial 2/0/1
[AR2-Serial2/0/1]ppp authentication-mode chap         --Authentication is required for connection
[AR2-Serial2/0/1]quit

The configuration on AR1 is as follows. First specify the account to be used for PPP authentication and then the password.

[AR1]interface Serial 2/0/0
[AR1-Serial2/0/0]ppp chap user Buser                    --Account
[AR1-Serial2/0/0]ppp chap password cipher huawei@123    --Password
[AR1-Serial2/0/0]quit

14.2.7 Packet Capture Analysis for PPP Link Establishment Process

After completing the configuration in Sect. 14.2.5, the PPP frames of the point to point link can be captured, as shown in Fig. 14.12. It can be seen from the figure that frames 1 to 5 are sent in the link establishment phase using PPP LCP, frames 6 to 7 are sent in the authentication phase using PPP PAP, and frames 8 to 11 are sent in the network layer protocol phase using PPP IPCP. After three phases of establishing the PPP link, IP packets can be sent. Frames 12 to 18 in Fig. 14.12 are encapsulated IP packets.

Fig. 14.12

Three phases of PPP link establishment

The process of PPP link establishment is analyzed below by observing the captured frames PPP uses to establish the connection. The numbers describing the frames below are based on the sequence numbers of the frames captured in Fig. 14.12.

As shown in Fig. 14.13, Frame 2 is a configuration request frame sent by router AR1 during the link establishment phase, with Link Control Protocol as the Protocol and Configuration Request as the Code. The three interface parameters are as follows: the maximum receive unit is 1500, the Authentication Protocol is Password Authentication Protocol, and the magic number is 0x328c2356, which is randomly generated by AR1.

Fig. 14.13

Link establishment phase: AR1 interface parameter negotiation

After receiving the configuration request frame from AR1, AR2 first identifies and accepts these three parameters, and then sends a configuration acknowledgment frame (Frame 3) to AR1. Note that the magic number of Frame 3 is the same as that of Frame 2, so that Frame 3 is ensured to be the configuration acknowledgement frame of Frame 2. We can also see that the configuration acknowledgement frame contains all the parameters of the configuration request frame.

As shown in Fig. 14.14, Frame 4 is the configuration request frame sent by AR2 to AR1, which has only two parameters to negotiate with AR1: the maximum receive unit and the magic number. Frame 5 is the configuration acknowledgement frame sent by AR1 to AR2, indicating that it recognizes and accepts both parameters. Note that the magic numbers in Frames 4 and 5 are also identical.

Fig. 14.14

Link establishment phase: AR2 interface parameter negotiation

After the link establishment phase, in which AR1 requested PAP authentication, the link enters the authentication phase. As shown in Fig. 14.15, Frame 6 is the authentication request sent by AR2 to AR1. The Protocol is Password Authentication Protocol, and the Data part contains the username Auser and the password Huawei123. The figure shows that both are transmitted in plain text, so anyone who can capture traffic on the link can read the credentials. After receiving the authentication request, AR1 verifies the username and password and, if they pass, sends an authentication acknowledgment frame (Frame 7).

Fig. 14.15

Authentication phase: AR1 authenticates AR2
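The Frame 2 and Frame 6 payloads described in Figs. 14.13 and 14.15, decoded the way a packet analyser does, as an added example that is not code from this book. The LCP and PAP packet layouts and option codes are those of RFC 1661 and RFC 1334; the two byte strings are constructed to match the figures' descriptions (MRU 1500, PAP, magic 0x328c2356; user Auser, password Huawei123), not copied from a real capture.

```python
"""Decode the PPP payloads of Figs. 14.13 and 14.15: an LCP Configure-Request
with its TLV options and a PAP Authenticate-Request (credentials in the clear)."""
import struct

LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
             9: "Echo-Request", 10: "Echo-Reply"}
LCP_OPTIONS = {1: "Maximum-Receive-Unit", 3: "Authentication-Protocol",
               5: "Magic-Number"}
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP"}
PAP_CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack",
             3: "Authenticate-Nak"}


def _header(payload: bytes) -> tuple:
    """Code(1) Identifier(1) Length(2): shared by LCP, PAP and the NCPs."""
    if len(payload) < 4:
        raise ValueError("truncated header")
    code, ident, length = struct.unpack(">BBH", payload[:4])
    if length < 4 or length > len(payload):
        raise ValueError("bad Length field")
    return code, ident, length


def parse_lcp(payload: bytes) -> dict:
    code, ident, length = _header(payload)
    options, pos = {}, 4
    while pos < length:                     # walk the TLV list
        if pos + 2 > length:
            raise ValueError("truncated option")
        opt_type, opt_len = payload[pos], payload[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("bad option length")
        value = payload[pos + 2:pos + opt_len]
        name = LCP_OPTIONS.get(opt_type, "Option-%d" % opt_type)
        if opt_type == 1 and len(value) == 2:
            options[name] = struct.unpack(">H", value)[0]
        elif opt_type == 3 and len(value) >= 2:
            proto = struct.unpack(">H", value[:2])[0]
            options[name] = AUTH_PROTOCOLS.get(proto, "0x%04X" % proto)
        elif opt_type == 5 and len(value) == 4:
            options[name] = struct.unpack(">I", value)[0]
        else:
            options[name] = value.hex()
        pos += opt_len
    return {"code": LCP_CODES.get(code, code), "identifier": ident,
            "options": options}


def parse_pap(payload: bytes) -> dict:
    code, ident, length = _header(payload)
    result = {"code": PAP_CODES.get(code, code), "identifier": ident}
    if code == 1:                           # Peer-ID and Password, both clear text
        id_len = payload[4]
        if 5 + id_len >= length:
            raise ValueError("truncated Peer-ID")
        peer_id = payload[5:5 + id_len]
        pw_len = payload[5 + id_len]
        if 6 + id_len + pw_len > length:
            raise ValueError("truncated Password")
        password = payload[6 + id_len:6 + id_len + pw_len]
        result["peer_id"] = peer_id.decode("ascii", "replace")
        result["password"] = password.decode("ascii", "replace")
    return result


def dissect(protocol: int, payload: bytes) -> dict:
    """Dispatch on the PPP Protocol field the way a packet analyser does."""
    if protocol == 0xC021:
        return {"protocol": "LCP", **parse_lcp(payload)}
    if protocol == 0xC023:
        return {"protocol": "PAP", **parse_pap(payload)}
    return {"protocol": "0x%04X" % protocol, "raw": payload.hex()}


def is_well_formed(protocol: int, payload: bytes) -> bool:
    try:
        dissect(protocol, payload)
        return True
    except ValueError:
        return False


# Constructed bytes matching what the figures describe (not a real capture)
FRAME2_LCP = bytes.fromhex("01010012" "010405dc" "0304c023" "0506328c2356")
FRAME6_PAP = bytes.fromhex("01010014") + b"\x05Auser" + b"\x09Huawei123"

if __name__ == "__main__":
    print(dissect(0xC021, FRAME2_LCP))
    print(dissect(0xC023, FRAME6_PAP))
```

The PAP decoder is deliberately the whole story: there is nothing to crack, the credentials are simply two length-prefixed strings, which is why a capture like Fig. 14.15 is equivalent to a credential leak.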

What follows the authentication phase is the network layer protocol phase. As shown in Fig. 14.16, Frame 8 is the configuration request frame sent by AR1. Note that the Protocol is Internet Protocol Control Protocol (IPCP) and the Options include the IP address of interface Serial 2/0/0 of AR1. Frame 9 is the configuration request frame sent by AR2; its Protocol is likewise IPCP and its Options include the IP address of interface Serial 2/0/1 of AR2.

Fig. 14.16

Network protocol phase: send configuration request

After receiving the configuration request sent in the network layer protocol phase, each router checks whether the IP address presented by the other side is a legitimate unicast address that does not conflict with its own. If so, it sends a configuration acknowledgment, as shown in Fig. 14.17: Frame 10 is the acknowledgment sent by AR2 to AR1, and Frame 11 is the acknowledgment sent by AR1 to AR2.

Fig. 14.17

Network protocol phase: send configuration acknowledgement

14.3 PPPoE

14.3.1 Overview of PPPoE

Now let's first look at a typical networking scenario for home users accessing the Internet. As shown in Fig. 14.18, a PC and a Home Gateway (HG) form a home network, in which the PC is typically connected to the HG over an ordinary Ethernet or Fast Ethernet link. HG1 is the egress gateway for Home Network 1. To reuse the already installed telephone line, HG1 uses Asymmetric Digital Subscriber Line (ADSL) technology to modulate the outbound Ethernet frames into a physical signal suited to the telephone line before sending them. The carrier's IP-DSLAM (IP Digital Subscriber Line Access Multiplexer) receives the ADSL signals from the different HGs, demodulates the Ethernet frames they carry, and forwards these frames over a GE (Gigabit Ethernet) link to a device called the AC (Access Concentrator). From the data link layer's perspective, an IP-DSLAM is an ordinary Layer 2 Ethernet aggregation switch.

Fig. 14.18

A networking scenario for home users to access the Internet.

The network carrier is responsible for charging home users for Internet access and other access controls. However, the Ethernet data frame forwarded by the IP-DSLAM to the AC is unable to indicate whether it is sent from gateway HG-1 or HG-2. Furthermore, there is no field in the frame structure carrying information such as the “user name” and “password”. If the carrier cannot distinguish the data traffic from different home users, it cannot perform management and control actions such as billing. Therefore, in Fig. 14.18, the AC device must identify the home users corresponding to these frames based on the Ethernet data frames received, and authenticate the different home users by usernames and passwords. This makes it possible for the carrier to perform management and control actions such as billing for the home user’s Internet activity.

PPP itself is capable of authentication in the form of username and password. However, PPP is only applicable to the point-to-point network. In Fig. 14.18, the Ethernet formed by different HGs and ACs is a Multi-Access Network, and PPP cannot be directly applied to such a network. In order to apply PPP to Ethernet (Multi-Access Network), a protocol called PPPoE (PPP over Ethernet) has been created.

PPPoE is essentially a protocol that allows the creation of point-to-point tunnels between two Ethernet interfaces in an Ethernet broadcast domain (all interfaces that a broadcast frame can reach form a Layer 2 broadcast domain; usually, a network formed by a switch is a broadcast domain, and each VLAN is its own broadcast domain if VLANs are created). It describes how to encapsulate PPP frames in Ethernet data frames. From the perspective of PPPoE, the access network in Fig. 14.18 can be simplified to the network shown in Fig. 14.19.

Fig. 14.19 View the access network from the perspective of PPPoE

By using the PPPoE protocol, each home user’s HG can establish a virtual PPP link (a PPP link in the logical sense) with the AC, that is, the HG and the AC are able to interact with PPP frames. However, these PPP frames are not passed on the real physical PPP link, but are encapsulated in the Ethernet data frames that are exchanged between the HG and the AC and pass along with these Ethernet data frames on the Ethernet link.

Figure 14.19 shows the basic architecture of the PPPoE protocol. The PPPoE protocol uses the Client/Server model. In the standard terminology of the PPPoE protocol, the device running the PPPoE Client program is called Host, and the device running the PPPoE Server program is called AC. The home gateway’s router HG in Fig. 14.19 is the Host, and the carrier’s router is the AC.

14.3.2 PPPoE Message Format

PPP does not support the Ethernet environment, so an Ethernet network adapter (network interface card) can only encapsulate data into the Ethernet data frame format, not into the PPP frame format. The solution is therefore to encapsulate the PPP frame inside an Ethernet data frame, and then send this Ethernet data frame carrying the PPP frame over the Ethernet. When the carrier’s device receives the Ethernet data frame, it first decapsulates it to obtain the PPP frame inside, and then processes that frame according to the protocol encapsulated inside the PPP frame.

Figure 14.20 shows the format of a PPPoE message. If the value of the Type field of the Ethernet data frame is 0x8863 or 0x8864, the payload data of this Ethernet data frame is a PPPoE message.

Fig. 14.20 PPPoE message format

The PPPoE message is divided into two parts, PPPoE header and PPPoE payload. In the PPPoE header, the value of VER field (Version field) is always 0x1, the value of Type field is always 0x1, the Code field can be used to represent different types of PPPoE messages, the Session-ID field can be used to distinguish different PPPoE sessions, and the Length field can be used to indicate the length of the whole PPPoE message. The PPP frame is in the PPPoE Payload.

14.3.3 Working Process of PPPoE

The working process of PPPoE is divided into two different phases: Discovery phase and PPP Session phase.

  1. Discovery phase

    As shown in Fig. 14.21, during the Discovery phase of PPPoE, four different types of PPPoE messages are exchanged between the Host and the AC: the PADI (PPPoE Active Discovery Initiation) message (the value of the Code field in the PPPoE header is 0x09), the PADO (PPPoE Active Discovery Offer) message (the value of the Code field in the PPPoE header is 0x07), the PADR (PPPoE Active Discovery Request) message (the value of the Code field in the PPPoE header is 0x19), and the PADS (PPPoE Active Discovery Session-confirmation) message (the value of the Code field in the PPPoE header is 0x65).

    First, the Host sends a PADI message as a broadcast message (see Fig. 14.22), aiming to find an AC in the network and telling the AC the information about the type of services it wishes to obtain. The Payload of the PADI message contains several Tag fields in the form of Type-Length-Value, which represent the various types of service information that the Host wants to obtain. Note that the value of the Session-ID field in the PADI message is 0.

    After receiving a PADI message, AC compares the service requested in the PADI message with the services it can provide. If the AC is able to provide the service requested by the Host, it replies with a unicast PADO message; if not, it does not respond at all.

    If there are multiple ACs in the network, the Host may receive PADO messages from different ACs in response. Normally, Host will select the AC corresponding to the first received PADO message as its own PPPoE Server and send a unicast PADR message to this AC. The value of the Session-ID field in the PADR message is still 0.

    After receiving the PADR message, the AC determines a PPPoE Session-ID and includes it in the unicast PADS message sent to the Host. The value of the Session-ID field in the PADS message is 0xXXXX, which is the PPPoE Session-ID.

    The Host receives the PADS message and is informed of the PPPoE Session-ID, marking the successful establishment of a PPPoE Session between the Host and the AC. Next, the Host and the AC can enter the PPP Session phase.

  2. PPP Session phase

    In the PPP Session phase, the interaction between the Host and the AC is still conducted by Ethernet data frames, but these Ethernet data frames now carry PPP frames. Figure 14.23 shows the contents of the Ethernet data frames exchanged between the Host and the AC during the PPP Session phase. The value of the Type field of the Ethernet data frame is 0x8864 (note: in the Discovery phase, the value of the Type field of the Ethernet data frame is always 0x8863), indicating that the payload data of the Ethernet data frame is a PPPoE message. The value of the Code field in the PPPoE message is 0x00, and the Session-ID field keeps the value determined in the Discovery phase. Now we can finally see that the Payload of the PPPoE message at this point is a PPP frame! However, it is important to note that the Payload of the PPPoE message is not a complete PPP frame as we previously knew it, but only the Protocol and Information fields of the PPP frame. This is because the other fields of the PPP frame are no longer necessary on this virtual PPP link.

    We can see that, through the intermediary of the PPPoE protocol, PPP frames can be exchanged between the Host and the AC in the PPP Session phase. Through this exchange of PPP frames, the Host and the AC can go through the Link Establishment phase, the Authentication phase and the Network Layer Protocol phase of PPP, and finally realize the PPP function.
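To make the Discovery and PPP Session phases concrete, the following Python script (an added example, not code from the book) builds and decodes the Ethernet frames described above: PADI/PADO/PADR/PADS with Type 0x8863 and Session-ID 0 until the PADS, then a session frame with Type 0x8864, Code 0x00 and a payload that holds only the PPP Protocol and Information fields. The MAC addresses are the RemMAC/LocMAC values from the display output later in this section; the service name "internet" and Session-ID 1 are constructed assumptions, and the decoder rejects frames whose Length field does not match the bytes actually present.

```python
"""Added example (not from the book): PPPoE Discovery and Session frames."""
import struct

ETH_DISCOVERY, ETH_SESSION = 0x8863, 0x8864                          # Ethernet Type values
PADI, PADO, PADR, PADS, SESSION_DATA = 0x09, 0x07, 0x19, 0x65, 0x00  # PPPoE Code values
TAG_SERVICE_NAME = 0x0101                                            # Type of the Service-Name tag
BROADCAST = b"\xff" * 6
# RemMAC / LocMAC from the "display pppoe-server session all" output in this section
HOST_MAC = bytes.fromhex("000c2920c578")
AC_MAC = bytes.fromhex("00e0fc4d3146")


def pppoe_frame(dst, src, eth_type, code, session_id, payload):
    """Ethernet header + PPPoE header (VER=1 and Type=1 share the byte 0x11) + payload.
    Length counts the payload bytes (RFC 2516)."""
    hdr = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", eth_type) + hdr + payload


def parse_pppoe(frame):
    """Decode a frame and refuse anything that is not well-formed PPPoE."""
    dst, src, eth_type = frame[:6], frame[6:12], struct.unpack_from("!H", frame, 12)[0]
    if eth_type not in (ETH_DISCOVERY, ETH_SESSION):
        raise ValueError("Ethernet Type is neither 0x8863 nor 0x8864")
    ver_type, code, sid, length = struct.unpack_from("!BBHH", frame, 14)
    if ver_type != 0x11 or len(frame) < 20 + length:
        raise ValueError("bad VER/Type byte or Length field exceeds the frame")
    return dict(dst=dst, src=src, eth_type=eth_type, code=code,
                session_id=sid, payload=frame[20:20 + length])


def tag(tag_type, value):
    """One Type-Length-Value tag for the PPPoE Discovery payload."""
    return struct.pack("!HH", tag_type, len(value)) + value


def run_discovery(host_mac, ac_mac, service, ac_services, session_id=1):
    """Simulate the four-message exchange; return the agreed Session-ID, or None."""
    padi = pppoe_frame(BROADCAST, host_mac, ETH_DISCOVERY, PADI, 0, tag(TAG_SERVICE_NAME, service))
    req = parse_pppoe(padi)
    if req["dst"] != BROADCAST or req["session_id"] != 0:
        raise ValueError("PADI must be broadcast with Session-ID 0")
    if service not in ac_services:        # AC cannot provide the service: no PADO at all
        return None
    pado = pppoe_frame(host_mac, ac_mac, ETH_DISCOVERY, PADO, 0, tag(TAG_SERVICE_NAME, service))
    chosen_ac = parse_pppoe(pado)["src"]  # Host picks the AC of the first PADO received
    padr = pppoe_frame(chosen_ac, host_mac, ETH_DISCOVERY, PADR, 0, tag(TAG_SERVICE_NAME, service))
    if parse_pppoe(padr)["session_id"] != 0:
        raise ValueError("PADR still carries Session-ID 0")
    pads = pppoe_frame(host_mac, ac_mac, ETH_DISCOVERY, PADS, session_id, tag(TAG_SERVICE_NAME, service))
    return parse_pppoe(pads)["session_id"]


def session_frame(host_mac, ac_mac, session_id, ppp_protocol, info):
    """PPP Session phase: Type 0x8864, Code 0x00, payload = PPP Protocol + Information only."""
    payload = struct.pack("!H", ppp_protocol) + info
    return pppoe_frame(ac_mac, host_mac, ETH_SESSION, SESSION_DATA, session_id, payload)


def decode_session(frame):
    """Return (session_id, ppp_protocol, information) from a PPP Session phase frame."""
    f = parse_pppoe(frame)
    if f["eth_type"] != ETH_SESSION or f["code"] != SESSION_DATA:
        raise ValueError("not a PPP Session phase frame")
    return f["session_id"], struct.unpack_from("!H", f["payload"])[0], f["payload"][2:]


if __name__ == "__main__":
    sid = run_discovery(HOST_MAC, AC_MAC, b"internet", {b"internet"})
    # 0xC021 is LCP; the 4 bytes are a minimal Configure-Request (code 1, id 1, length 4)
    print(decode_session(session_frame(HOST_MAC, AC_MAC, sid, 0xC021, b"\x01\x01\x00\x04")))
```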

Fig. 14.21 Discovery phase of PPPoE

Fig. 14.22 PADI message format

Fig. 14.23 Ethernet data frame carrying a PPP frame

14.3.4 Configure Windows PPPoE Dial-Up Access

As shown in Fig. 14.24, PC1 and PC2 are two computers in an enterprise intranet, which are connected to router AR1 through switch LSW1, and then to the Internet through AR1. For security reasons, computers in the enterprise intranet must verify the user’s identity before being allowed to access the Internet. The experiment below configures router AR1 as a PPPoE Server and creates a dial-up account and password for each user in the enterprise. As the PPPoE Clients, PC1 and PC2 need to establish a PPPoE dial-up connection, and users obtain a legal address to access the Internet only after their identity is verified.

Fig. 14.24 PPPoE experimental network topology

First configure router AR1 as the PPPoE server, and create accounts and passwords for PC1 and PC2 for PPP dial-up.

[AR1]aaa
[AR1-aaa]local-user hanligang password cipher huawei@123
[AR1-aaa]local-user lishengchun password cipher Huawei123
[AR1-aaa]local-user hanligang service-type ppp
[AR1-aaa]local-user lishengchun service-type ppp
[AR1-aaa]quit

Create an address pool. When a PPPoE dial-up succeeds, the computer that dialed in is assigned an IP address from this pool.

[AR1]ip pool PPPoE1
[AR1-ip-pool-PPPoE1]network 192.168.10.0 mask 24
[AR1-ip-pool-PPPoE1]quit

Create a virtual interface template, which can be bound to multiple physical interfaces.

[AR1]interface Virtual-Template ?
  <0-1023>  Virtual template interface number
[AR1]interface Virtual-Template 1
[AR1-Virtual-Template1]remote address pool PPPoE1    --The address pool from which this virtual interface assigns addresses to PPPoE Clients
[AR1-Virtual-Template1]ip address 192.168.10.100 24    --The IP address of this virtual interface itself
[AR1-Virtual-Template1]ppp ipcp dns 8.8.8.8 114.114.114.114    --Assign primary and secondary DNS servers to PPPoE Clients
[AR1-Virtual-Template1]quit

Bind the virtual interface template to interface GigabitEthernet 0/0/0 which does not require an IP address.

[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]undo ip address    --Remove the configured IP address
[AR1-GigabitEthernet0/0/0]pppoe-server bind virtual-template 1    --Bind the virtual interface template to this interface
[AR1-GigabitEthernet0/0/0]quit

A virtual interface template can be bound to multiple physical interfaces of the PPPoE Server.

As shown in Fig. 14.25, router AR1 has two Ethernet interfaces connected to two Ethernet networks. Computers in both Ethernet networks need PPPoE dial-up Internet access, and the addresses assigned to them all belong to network segment 192.168.10.0/24, so the same virtual interface template can be bound to both physical interfaces.

Fig. 14.25 Topology for binding a virtual interface template to a physical interface

To set up Windows PPPoE dial-up Internet access, you need to configure your Windows computer as a PPPoE client, that is, to create a PPPoE dial-up connection on your Windows operating system.

  1. Log in to Windows 10, open “Network and Sharing Center”, and click “Set up a new connection or network”.

  2. In the “Choose a connection option” dialog box that appears, tick the “Connect to the Internet” option, and then click “Next”.

  3. In the “How you want to connect” dialog box that appears, click “Broadband (PPPoE)”.

  4. In the “Type the information from your Internet Service Provider (ISP)” dialog box that appears, type the username, password, and connection name, and then click “Connect”, as shown in Fig. 14.26.

  5. After dialing in, type “ipconfig /all” at the command prompt to view the IP address and DNS obtained from the dial-up.

    C:\Users\win10>ipconfig /all

    Windows IP Configuration

       Host name  . . . . . . . . . . . . : win10-PC
       Primary DNS Suffix . . . . . . . . :
       Node Type  . . . . . . . . . . . . : Hybrid
       IP Routing Enabled . . . . . . . . : No
       WINS Proxy enabled . . . . . . . . : No

    PPP adaptor to Internet:    --IP address and DNS obtained by PPPoE dial-up

       Connection-specific DNS Suffix . . :
       Description. . . . . . . . . . . . : toInternet
       Physical Address. . . . . . . . . . :
       DHCP Enabled . . . . . . . . . . . : No
       Autoconfiguration Enabled. . . . . : Yes
       IPv4 address . . . . . . . . . . . : 192.168.10.254(Preferred)
       Subnet Mask  . . . . . . . . . . . : 255.255.255.255    --Subnet mask obtained by PPPoE dial-up is 255.255.255.255
       Default Gateway. . . . . . . . . . : 0.0.0.0
       DNS Server  . . . . . . . . . . . . : 8.8.8.8
                                             114.114.114.114
       NetBIOS over TCPIP  . . . . . . . . : Disabled

    On router AR1, you can see which PPPoE clients are dialing in, as well as the MAC address of the PPPoE client, that is, the RemMAC.

    <AR1>display pppoe-server session all
    SID  Intf                 State  OIntf    RemMAC          LocMAC
    1    Virtual-Template1:0  UP     GE0/0/0  000c.2920.c578  00e0.fc4d.3146

    After establishing a PPPoE dial-up connection, packet capture analysis can be used to study the frame format of PPPoE packets. Run the packet capture tool on Windows 10 to start capturing packets and ping 24.12.8.1. As shown in Fig. 14.27, observe the 411th packet. The PPP frame is carried in the PPPoE Payload, preceded by the PPPoE header, and the whole is encapsulated in an Ethernet data frame whose Type field is 0x8864. In the PPPoE header it can be seen that the Session-ID is 0x0001.

Fig. 14.26 Enter the PPPoE dial-up user name and password

Fig. 14.27 View the frame format of PPPoE packet

14.4 Exercises

  1. (Multi-selection) Which of the following operations are necessary when configuring the PPP authentication mode as PAP? ( )

     A. Add the username and password of the authenticatee to the local user list of the authenticator

     B. Configure the encapsulation type of the interface connected to the peer device as PPP

     C. Set the authentication mode of PPP to CHAP

     D. Configure the username and password sent by the authenticatee to the authenticator

  2. When configuring encapsulation PPP on the serial interface of Huawei router, the command you need to enter in the interface view is ( ).

     A. link-protocol ppp

     B. encapsulation ppp

     C. enable ppp

     D. address ppp

  3. Two routers are connected via serial interface and the data link layer protocol is PPP. If you want to improve security by configuring PPP authentication on both routers, which of the following PPP authentications is more secure? ( )

     A. CHAP

     B. PAP

     C. MD5

     D. SSH

  4. In a multipoint access network like Ethernet, the PPPoE server can establish a PPP connection to many PPPoE clients through a single Ethernet interface, so the PPPoE server must establish a unique session identifier for each PPP session to distinguish between the different connections. What parameter does PPPoE use to establish the session identifier? ( )

     A. MAC address

     B. IP address and MAC address

     C. MAC address and PPP-ID

     D. MAC address and Session-ID

  5. What does the ip address ppp-negotiate command do? ( )

     A. To enable the function of requesting the peer for IP addresses

     B. To enable the function of receiving IP address request from the remote end

     C. To enable the static IP address assignment

     D. All of the above options are incorrect

  6. (Multi-selection) Which of the following descriptions of PPP is correct ( ).

     A. PPP supports bundling multiple physical links into one logical link to increase the bandwidth

     B. PPP supports plain text and cipher text authentication

     C. PPP has poor scalability and cannot be deployed on Ethernet links

     D. For physical layers, PPP supports asynchronous and synchronous links

     E. PPP supports various network layer protocols, such as IPCP and IPXCP

  7. The PPPoE client sends PADI messages to the Server, and the Server responds with PADO messages. What is the frame of the PADO message? ( )

     A. Multicast

     B. Broadcast

     C. Unicast

     D. Anycast

  8. (Multi-selection) Which of the following protocols is PPP composed of? ( )

     A. Authentication protocol

     B. NCP

     C. LCP

     D. PPPoE

  9. If the authenticatee sends the wrong username and password to the authenticator during the PPP authentication process, which type of the message will the authenticator send to the authenticatee? ( )

     A. Authenticate-Reject

     B. Authenticate-Ack

     C. Authenticate-Nak

     D. Authenticate-Reply

  10. Which level of the encapsulation format in the OSI reference model is defined by PPP? ( )

     A. Network layer

     B. Data link layer

     C. Presentation layer

     D. Application layer

  11. Which of the following statements about PPP configuration and deployment is correct ( ).

     A. PPP does not support two-way authentication

     B. PPP cannot modify the keepalive time

     C. PPP cannot be used to assign IP addresses

     D. PPP supports both CHAP and PAP authentication modes

  12. (Multi-selection) Which of the following advantages does PPP have? ( )

     A. PPP supports the negotiation of link layer parameters

     B. PPP supports the negotiation of network layer parameters

     C. PPP supports both synchronous and asynchronous transmission

     D. PPP supports authentication