
Authentication in the PPP suite is what most people think of as password protection: the user (or the device) must prove its identity, typically with a password, before the PPP link is allowed to carry traffic.

The PPP protocol suite includes three authentication protocols:

• Password Authentication Protocol (PAP)

• Challenge Handshake Authentication Protocol (CHAP)

• Extensible Authentication Protocol (EAP)

For this discussion, the peer that requires authentication is called the authenticator.

The peer that wants to establish a link with the authenticator is called simply the peer. For example, when you connect to the Internet from a home computer, your modem or broadband router is the peer. Your Internet service provider’s router requires a password and is the authenticator.

2 – 16 HP Restricted Rev. 5.21

PAP

PAP (RFC 1334) is the simplest possible authentication scheme. The peer is given a password, and the authenticator holds a copy of it. The peer sends its name and password to the authenticator in an Authenticate-Request; if they match what the authenticator holds, it acknowledges the request and the link is established. Nothing protects the password in transit.

CHAP

Passwords in PAP cross the wire in cleartext. Anyone capable of tapping the wire can read the password. CHAP (RFC 1994) solves this problem by never sending the password at all:

1. The authenticator sends the peer a challenge: a packet carrying an Identifier and a random Challenge Value.

2. The peer concatenates the Identifier, its password (the CHAP secret) and the Challenge Value and runs the result through a one-way hash function (MD5 in standard CHAP). The output is the hash value, not an encryption of the password; the peer returns this value together with its name. The secret itself never crosses the wire.

3. The authenticator knows both the Challenge Value it just sent and the peer's secret, so it performs the same hash calculation and compares its result with the hash value it received from the peer.

4. If the hash values match, the authenticator sends a Success and the two sides proceed with the link. If they do not match, it sends a Failure; the link is normally terminated, although implementations may allow a limited number of further challenges. Because every challenge carries a fresh random value, a captured response cannot be replayed later.

Two caveats follow from this design. The authenticator must store each peer's secret in a form it can use directly (cleartext or reversibly encrypted), so the secrets database itself needs protecting. And although the wiretap no longer sees the password, it does see the challenge and the response, and can test password guesses against that pair offline; weak CHAP secrets are still recoverable.
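The PAP request and the CHAP exchange described above, from both peers' and a wiretap's point of view, as an added example that is not part of the original course module. It follows the PAP Authenticate-Request layout of RFC 1334 and the CHAP response calculation of RFC 1994 (MD5 over Identifier, secret and Challenge Value); the peer name, secret, wordlist and 16-byte challenge size are constructed for illustration.

```python
"""PAP versus CHAP on a PPP link: what each side sends and what a tap can do with it.

Added example, not code from the original course module. Peer name, secret,
wordlist and challenge length are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct


# ---- PAP (RFC 1334): the password itself crosses the wire -------------------

def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Build a PAP Authenticate-Request (Code 1): Code, Identifier, Length,
    Peer-ID-Length, Peer-ID, Passwd-Length, Password. Nothing is hashed."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def pap_password_from_wire(packet: bytes) -> bytes:
    """What a wiretap recovers from a captured PAP Authenticate-Request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a complete PAP Authenticate-Request")
    id_len = packet[4]
    pw_len = packet[5 + id_len]
    return packet[6 + id_len:6 + id_len + pw_len]


# ---- CHAP (RFC 1994): only a one-way hash crosses the wire ------------------

def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The side that requires authentication. It must hold each peer's secret
    in a directly usable form, because it recomputes the hash itself."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)   # peer name -> secret
        self.pending = {}              # identifier -> outstanding Challenge Value

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)         # fresh random value, so old responses cannot be replayed
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # each challenge is usable once
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response_value(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class ChapPeer:
    """The side that wants the link. It never transmits its secret."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response_value(identifier, self.secret, challenge)


def run_chap(authenticator: ChapAuthenticator, peer: ChapPeer, identifier: int = 7):
    """One Challenge/Response round. Returns (accepted, challenge, response);
    the last two are exactly what an eavesdropper on the link captures."""
    challenge = authenticator.challenge(identifier)
    name, response = peer.respond(identifier, challenge)
    return authenticator.verify(identifier, name, response), challenge, response


def chap_offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """What the wiretap can still do: test candidate secrets against one captured
    Challenge/Response pair, offline and without talking to the authenticator."""
    for guess in wordlist:
        if hmac.compare_digest(chap_response_value(identifier, guess, challenge), response):
            return guess
    return None


if __name__ == "__main__":
    wire = pap_authenticate_request(1, b"homeuser", b"hunter2")
    print("PAP password read off the wire:", pap_password_from_wire(wire))

    auth = ChapAuthenticator({b"homeuser": b"hunter2"})
    ok, challenge, response = run_chap(auth, ChapPeer(b"homeuser", b"hunter2"))
    print("CHAP accepted:", ok)
    auth.challenge(8)   # a later challenge; replaying the captured response against it fails
    print("replayed response accepted:", auth.verify(8, b"homeuser", response))
    print("offline guess from captured pair:", chap_offline_guess(7, challenge, response, [b"password", b"hunter2"]))
```

The replay check and the offline guess are the two points the text makes: the random challenge is what stops replay, and the hash is what stops the tap from reading the secret directly, but it does not stop a dictionary attack on a weak secret.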


EAP

CHAP is more secure than PAP, but it is not the most secure authentication protocol available today. EAP makes it possible for PPP to use authentication schemes that are not part of its own protocol suite. For example, the authenticator and the peer might use the authentication scheme defined by a network operating system. In this case, EAP encapsulates the authentication messages of that scheme and transmits them over the PPP link.

Although EAP lets PPP use such schemes, it is not itself an authentication protocol. It is a framework (RFC 3748) that carries the messages of an EAP method, such as EAP-TLS, between the peer and the authenticator; the authenticator often passes them on unchanged to a back-end authentication server, and the security of the exchange is whatever the chosen method provides.

NCP

PPP supports NCPs for many network-layer protocols, including IP, IPX, AppleTalk, and Systems Network Architecture (SNA). Each protocol in the NCP family has a unique set of configuration options. These options specify parameters required by the protocol that NCP is managing.

For example, the IP Control Protocol (IPCP) includes configuration options that communicate important IP addresses, such as the peer's own IP address and the addresses of the primary and secondary Domain Name System (DNS) servers, to the receiving peer before data frames are sent. Most of the other network-layer NCPs include a configuration option that serves a similar purpose.

IPCP also includes an IP-Compression-Protocol configuration option, which requests compression of the IP datagrams carried in the PPP frames (for example, Van Jacobson TCP/IP header compression). Most of the other network-layer NCPs include configuration options that similarly request compression of their respective network-layer packets encapsulated in the PPP frames.

For more information about IPCP and other network-layer protocol configuration options, see http://www.iana.org/assignments/ppp-numbers.


Compression Control Protocol

The PPP suite includes a protocol that enables data compression across the link: Compression Control Protocol (CCP). The CCP configuration options enable you to specify which type of data-compression algorithm is applied to the datagrams.

CCP can support nearly any compression algorithm. The IANA has already assigned option numbers to many compression algorithms (they appear in the PPP numbers registry cited above). Developers of compression algorithms can apply to have the IANA assign a number to their algorithm.

Some developers may not need an IANA-assigned number. Organizations that have purchased an Organizationally Unique Identifier (OUI) from the Institute of Electrical and Electronics Engineers (IEEE) can use their OUIs to identify proprietary algorithms, including compression and encryption algorithms. (An OUI must be purchased by any organization that assigns MAC addresses to hardware; the OUI is the first 24 bits of a MAC address.)

CCP includes the option to identify compression algorithms by an OUI.

Encryption Control Protocol

The PPP suite includes a protocol that enables data encryption across the link: Encryption Control Protocol (ECP). To encrypt data, devices that support ECP apply a mathematical algorithm to the data, turning readable plaintext into ciphertext that looks like nonsense. The algorithm takes a secret parameter known as the key. Only devices holding the appropriate key can decrypt the ciphertext.

The configuration options in ECP enable you to specify which type of encryption algorithm to apply to the datagrams. Like CCP, ECP includes the option to use proprietary encryption methods (identified by their OUIs). The IANA has also assigned values to standard encryption methods, such as the Data Encryption Standard (DES) and the Triple Data Encryption Standard (3DES). (DES and 3DES are described in Module 7: Virtual Private Networks.) Note that DES has been withdrawn and 3DES deprecated by NIST, so a link that negotiates either of them should not be considered confidential by today's standards.
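A decoder for the configuration options discussed in the NCP, CCP and ECP sections above, as an added example that is not code from the original course module. The packet layout (Code, Identifier, Length, then Type/Length/Data options) is that of RFC 1661; the option type numbers are the IANA PPP-numbers assignments for IPCP (RFC 1332, RFC 1877), CCP (RFC 1962, Deflate per RFC 1979) and ECP (RFC 1968, DESE per RFC 1969/2419, 3DESE per RFC 2420). The sample packets, the addresses and the OUI are constructed, not captured traffic.

```python
"""Decoding PPP Configure-Request packets for IPCP, CCP and ECP.

Added example, not code from the original course module. Sample packets,
addresses and the OUI below are constructed for illustration.
"""
import struct
from ipaddress import IPv4Address

CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
         4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
         7: "Code-Reject"}
OPTION_NAMES = {
    "ipcp": {2: "IP-Compression-Protocol", 3: "IP-Address", 129: "Primary-DNS",
             130: "Primary-NBNS", 131: "Secondary-DNS", 132: "Secondary-NBNS"},
    "ccp": {0: "OUI", 17: "Stac-LZS", 18: "Microsoft-PPC", 21: "BSD-Compress",
            26: "Deflate"},
    "ecp": {0: "OUI", 1: "DESE", 2: "3DESE", 3: "DESE-bis"},
}
VJ_COMPRESSED_TCP = 0x002D   # IP-Compression-Protocol value for Van Jacobson TCP/IP


def split_options(data: bytes):
    """Walk a Type/Length/Data option list. Length counts the 2-byte header,
    so a Length below 2 or one that runs past the packet is malformed."""
    options, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header at offset %d" % off)
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len < 2 or off + opt_len > len(data):
            raise ValueError("bad option length %d at offset %d" % (opt_len, off))
        options.append((opt_type, data[off + 2:off + opt_len]))
        off += opt_len
    return options


def decode_value(proto: str, opt_type: int, value: bytes):
    """Interpret the Data field of one option for the given control protocol."""
    if opt_type == 0 and proto in ("ccp", "ecp") and len(value) >= 4:
        # OUI option: 3-byte IEEE OUI, 1-byte vendor subtype, then vendor-defined values
        return {"oui": value[:3].hex(":"), "subtype": value[3], "values": value[4:].hex()}
    if proto == "ipcp":
        if opt_type in (3, 129, 130, 131, 132) and len(value) == 4:
            return str(IPv4Address(value))
        if opt_type == 2 and len(value) >= 2:
            proto_num = struct.unpack("!H", value[:2])[0]
            if proto_num == VJ_COMPRESSED_TCP and len(value) == 4:
                return {"protocol": "VJ-compressed-TCP/IP",
                        "max_slot_id": value[2], "comp_slot_id": value[3]}
            return {"protocol": "0x%04x" % proto_num}
    if proto == "ccp" and opt_type == 26 and len(value) == 2:
        # Deflate: high nibble is window bits minus 8, low nibble is the method (8), then a check byte
        return {"window_bits": (value[0] >> 4) + 8, "method": value[0] & 0x0F, "check": value[1]}
    if proto == "ecp" and opt_type in (1, 2, 3) and len(value) == 8:
        return {"nonce": value.hex()}   # DESE and 3DESE carry an 8-byte Initial-Nonce
    return value.hex()


def parse_packet(proto: str, packet: bytes) -> dict:
    """Parse one control-protocol packet into code, identifier and decoded options."""
    if len(packet) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("Length field %d does not fit the packet" % length)
    names = OPTION_NAMES[proto]
    options = [(names.get(t, "Unknown-%d" % t), decode_value(proto, t, v))
               for t, v in split_options(packet[4:length])]
    return {"code": CODES.get(code, code), "id": ident, "options": options}


def build_packet(code: int, ident: int, options) -> bytes:
    """Inverse of parse_packet; used here only to construct the samples."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def weak_ecp_algorithms(parsed: dict):
    """DES is withdrawn and 3DES deprecated by NIST; flag an ECP proposal that relies on them."""
    return [name for name, _ in parsed["options"] if name in ("DESE", "DESE-bis", "3DESE")]


# Constructed sample packets (not captured traffic)
IPCP_REQUEST = build_packet(1, 0x21, [
    (3, IPv4Address("10.0.0.2").packed),
    (129, IPv4Address("10.0.0.53").packed),
    (131, IPv4Address("10.0.0.54").packed),
    (2, bytes([0x00, 0x2D, 0x0F, 0x01])),   # VJ, Max-Slot-Id 15, Comp-Slot-Id 1
])
CCP_REQUEST = build_packet(1, 0x22, [
    (26, bytes([0x78, 0x00])),                                  # Deflate, 15-bit window
    (0, bytes.fromhex("acde48") + bytes([0x01, 0xAA, 0xBB])),   # vendor option under a constructed OUI
])
ECP_REQUEST = build_packet(1, 0x23, [(2, bytes(range(8)))])     # 3DESE with a constructed nonce

if __name__ == "__main__":
    for proto, pkt in (("ipcp", IPCP_REQUEST), ("ccp", CCP_REQUEST), ("ecp", ECP_REQUEST)):
        print(proto.upper(), parse_packet(proto, pkt))
    print("weak ECP algorithms:", weak_ecp_algorithms(parse_packet("ecp", ECP_REQUEST)))
```

The length checks in split_options and parse_packet are the part worth copying: option lists from a peer are attacker-controlled input, and a Length of 0 or 1, or one that overruns the packet, is exactly the kind of value a naive decoder loops or reads out of bounds on.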
