What is PPP
PPP is a data link layer protocol based on ISO HDLC and is the most familiar protocol used on WAN links. Because it offers a rich set of options such as authentication and compression, it is used for dial-up, leased lines, DSL, FTTH, and so on.
PPP is used for point-to-point connections.
PPP also supports multiprotocol environments. Multi-protocol environments are supported by using IPCP when IP is used at the network layer, IPXCP when IPX is used, and ATALKCP (AppleTalk Control Protocol) when AppleTalk is used.
PPP has layers called "LCP" and "NCP".
LCP is responsible for establishing, tearing down, and maintaining links.
Also, in the LCP option,
NCP negotiates network layer protocols. By using IPCP, IPXCP, and ATALKCP, it supports a multi-protocol environment.
(1) Link establishment phase
- Sends LCP frames to set up and test the data link.
- Negotiates MTU, compression, link authentication, etc.
(2) Authentication phase
- When authentication is used, it takes place before the network layer protocol phase.
- Authentication is optional; it is not necessary to use the authentication function.
(3) Network layer protocol phase
- Sends NCP packets to select and configure network layer protocols.
After establishing the physical link, PPP sends a username and password for authentication before the connection is allowed.
You can select PAP or CHAP as the authentication method, and you can omit the authentication settings altogether if authentication is not required. The characteristics of the two authentication methods are shown in the table below.
| Method | Characteristics |
|---|---|
| PAP | Exchanges passwords in clear text. Authenticates only once, when the connection is made. |
| CHAP | Exchanges encrypted passwords rather than the clear-text password. Re-authenticates periodically, using a different character string each time. |
Here, we will explain PAP.
PAP stands for Password Authentication Protocol; the username and password are sent in clear text. Because they travel over the line unencrypted, there is a risk that a third party can easily intercept them.
That said, it does not follow that CHAP has been the main choice because PAP is undesirable from a security standpoint. PAP has in fact been used a great deal when connecting to a provider from home.
This is because the segment over which the password travels in clear text is the telephone line, which is relatively safer than the exposed Internet.
The authentication flow is a two-way handshake as shown in the diagram below.
CHAP stands for Challenge Handshake Authentication Protocol. A challenge-response method is used to ensure that the password itself is not transmitted over the line.
As explained in "PPP (PAP)" above, PAP sends the username and password in clear text over the wire. Select CHAP if you want stronger authentication. CHAP authenticates by performing encryption processing based on the username and password, so it can authenticate with higher security than PAP.
The authentication flow is a 3-way handshake as shown in the diagram below.
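The two handshakes described above, written out as an added example that is not from the original page: the PAP side shows the credentials crossing the wire as-is, while the CHAP side computes the response the way RFC 1994 specifies it, MD5 over the identifier, the shared secret and the challenge. The username, the secret and the 16-byte challenge are constructed demo values.

```python
import hashlib
import os

# Constructed demo values: one account shared by both peers out of band.
USERNAME = "alice"
SECRET = b"example-secret"
USER_DB = {USERNAME: SECRET}


# --- PAP: two-way handshake (Authenticate-Request, then Ack or Nak) ---
def pap_request(username: str, password: bytes) -> bytes:
    """Payload the peer sends; the credentials cross the wire as-is."""
    return username.encode() + b":" + password


def pap_verify(payload: bytes, db: dict) -> bool:
    """Authenticator side: compare the received clear-text credentials."""
    user, _, password = payload.partition(b":")
    return db.get(user.decode()) == password


# --- CHAP: three-way handshake (Challenge, Response, Success or Failure) ---
def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_exchange(db: dict, username: str, peer_secret: bytes):
    """Run one exchange; return (success, bytes that appeared on the wire)."""
    ident = 1
    challenge = os.urandom(16)                               # authenticator -> peer
    response = chap_response(ident, peer_secret, challenge)  # peer -> authenticator
    expected = chap_response(ident, db[username], challenge)
    success = response == expected                           # Success/Failure frame
    wire = challenge + username.encode() + response          # the secret never appears
    return success, wire


def chap_replay_rejected(db: dict, username: str, secret: bytes) -> bool:
    """A response recorded from one exchange fails against a fresh challenge."""
    ident = 1
    recorded = chap_response(ident, secret, os.urandom(16))
    fresh_challenge = os.urandom(16)
    return recorded != chap_response(ident, db[username], fresh_challenge)


if __name__ == "__main__":
    pap_wire = pap_request(USERNAME, SECRET)
    print("PAP ok:", pap_verify(pap_wire, USER_DB), "secret on wire:", SECRET in pap_wire)
    ok, chap_wire = chap_exchange(USER_DB, USERNAME, SECRET)
    print("CHAP ok:", ok, "secret on wire:", SECRET in chap_wire)
```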