PPP…
PPP, the Point-to-Point Protocol, is an open standard (defined by the IETF in RFC 1661) for multi-protocol transport over point-to-point serial links. It was designed as an open alternative to Cisco’s proprietary HDLC encapsulation, to address that protocol’s limitations, and to provide a broad base protocol that can be extended and updated to keep pace with new network-layer protocols. Because PPP is an open standard, it is implemented on almost every manufacturer’s platform, unlike Cisco HDLC, which is only available on Cisco equipment. This makes PPP the more widely deployed protocol: although Cisco is a market leader in internetworking, it is far from the only vendor on the market.
PPP has many features that set it above HDLC as the data-link serial protocol of choice for the growing internet. It is more correctly described as a protocol suite, like TCP/IP, because it contains a number of sub-protocols that provide its functionality. This modular design makes PPP highly extensible, particularly in its encapsulation support for many different network-layer protocols. The same modular design provides for link authentication; the two standard methods described here are PAP and CHAP. Amongst its sub-protocols, the most well-known and notable are LCP (Link Control Protocol), the NCPs (Network Control Protocols), PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). Below is a description of these protocols:
- LCP: LCP, or the Link Control Protocol, is PPP’s signalling protocol. It negotiates, establishes, maintains, tests and tears down the link. LCP frames carry configuration options (for example the maximum receive unit and which authentication protocol, if any, will be used), echo requests for testing the link, and termination requests.
- NCP: The NCPs, or Network Control Protocols, are almost a protocol suite in their own right. They are the open, modular basis on which PPP’s extensibility rests. For every supported network-layer protocol there is a corresponding NCP (IPCP for IP, for example) that negotiates and configures that protocol’s parameters, such as the IP address to use, before its packets may be carried over the link. Since each protocol has its own NCP, new NCPs can be written and added without rewriting PPP’s whole structure.
- PAP: PAP, or Password Authentication Protocol, is the older and weaker of PPP’s two authentication routines. It takes place at link establishment, immediately after LCP finishes negotiating the link. The caller sends its user name and password to the authenticator in a PPP frame, as clear text, and repeats the request until the authenticator acknowledges or rejects it; there is no challenge. Because the password is never encrypted or hashed, anyone who can observe the link reads it directly, and the fixed, predictable sequence makes PAP susceptible to playback¹ and man-in-the-middle² attacks. This method is called a two-way handshake, since the process involves one packet from each end.
- CHAP: CHAP, or Challenge Handshake Authentication Protocol, is the newer and more secure of PPP’s two authentication protocols. At the start of the authentication phase, and optionally at intervals throughout the call, the authenticator sends the caller a Challenge frame containing an identifier and a randomly generated challenge value. Both ends compute a one-way hash, normally MD5, over the identifier, the shared secret (the password) and the challenge value; the caller returns its result in a Response frame. If the authenticator’s own calculation matches, it replies with a Success frame; otherwise it sends Failure and terminates the link. The password itself never crosses the link, and because each challenge value is fresh, a captured Response is useless for a later replay: it only matches the challenge it answered. This does not make an intercepted exchange harmless, though. MD5 is not reversible, but the response is a deterministic function of the secret, so an attacker holding one challenge/response pair can test candidate passwords offline at high speed, and a weak or dictionary-derived secret will fall. CHAP also requires both ends to store the secret in plaintext (or reversibly encrypted) form so that the hash can be recomputed. The re-challenge interval is controlled by the authenticator (LCP negotiates only which authentication protocol and hash algorithm are used); periodic re-challenging limits how long an intruder who has hijacked an established link can keep using it.
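The two exchanges described above, as an added example that is not part of the original post. The packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP); the user names, the secret and the wordlist are constructed sample data. The block shows the three points a practitioner cares about: a PAP frame gives the password away to any eavesdropper, a captured CHAP response fails against a fresh challenge, and the same captured CHAP pair still lets an attacker test password guesses offline.

```python
"""PAP and CHAP authentication over PPP (added example, not from the post).
Packet layouts follow RFC 1334 and RFC 1994; names, secret and wordlist are
constructed sample data."""
import hashlib
import hmac
import os
import struct

# PAP (RFC 1334): the peer sends Authenticate-Request until the authenticator
# answers Authenticate-Ack or Authenticate-Nak. Two messages, no challenge.
PAP_AUTH_REQ, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3
# CHAP (RFC 1994): Challenge, Response, then Success or Failure.
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def pap_authenticate_request(ident, peer_id, password):
    """Code, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Passwd."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQ, ident, 4 + len(body)) + body


def pap_password_from_capture(frame):
    """What a passive eavesdropper gets from a captured PAP request: the password."""
    code, _ident, length = struct.unpack("!BBH", frame[:4])
    if code != PAP_AUTH_REQ or length != len(frame):
        raise ValueError("not a PAP Authenticate-Request")
    id_len = frame[4]
    pw_len = frame[5 + id_len]
    return frame[6 + id_len:6 + id_len + pw_len]


def chap_md5(ident, secret, challenge):
    """CHAP response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_challenge(ident, challenge, name):
    """Authenticator -> peer: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(challenge)]) + challenge + name
    return struct.pack("!BBH", CHAP_CHALLENGE, ident, 4 + len(body)) + body


def _value_of(pkt):
    """Return (Identifier, Value) from a Challenge or Response packet."""
    ident, vsize = pkt[1], pkt[4]
    return ident, pkt[5:5 + vsize]


def chap_response(challenge_pkt, secret, name):
    """Peer -> authenticator: hash the challenge with the shared secret."""
    ident, challenge = _value_of(challenge_pkt)
    value = chap_md5(ident, secret, challenge)
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


def chap_verify(challenge_pkt, response_pkt, secret):
    """Authenticator side: recompute the hash from the stored secret (which it
    must therefore hold in plaintext) and return the code it would send back."""
    c_ident, challenge = _value_of(challenge_pkt)
    r_ident, got = _value_of(response_pkt)
    if response_pkt[0] != CHAP_RESPONSE or r_ident != c_ident:
        return CHAP_FAILURE
    expected = chap_md5(c_ident, secret, challenge)
    # constant-time compare so response timing does not help an online guesser
    return CHAP_SUCCESS if hmac.compare_digest(got, expected) else CHAP_FAILURE


def chap_offline_guess(challenge_pkt, response_pkt, wordlist):
    """Eavesdropper side: MD5 is not reversible, but the response is a
    deterministic function of a guessable secret, so one captured pair is
    enough to test candidate passwords offline. Returns the secret or None."""
    ident, challenge = _value_of(challenge_pkt)
    _, target = _value_of(response_pkt)
    for guess in wordlist:
        if chap_md5(ident, guess, challenge) == target:
            return guess
    return None


def demo(secret=b"winter2006"):
    """Run both exchanges on constructed sample data and return the outcomes."""
    # PAP: the password is readable straight out of the frame.
    leaked = pap_password_from_capture(pap_authenticate_request(1, b"alice", secret))
    # CHAP: an honest exchange succeeds.
    chal = chap_challenge(7, os.urandom(16), b"nas01")
    resp = chap_response(chal, secret, b"alice")
    honest = chap_verify(chal, resp, secret)
    # CHAP: replaying the captured Response against a fresh Challenge fails,
    # because the fresh challenge carries a new Identifier and Value.
    replayed = chap_verify(chap_challenge(8, os.urandom(16), b"nas01"), resp, secret)
    # CHAP: but the captured pair still lets an attacker test guesses offline.
    cracked = chap_offline_guess(chal, resp, [b"password", b"summer2005", secret])
    return leaked, honest, replayed, cracked
```

Running `demo()` returns the leaked PAP password, `CHAP_SUCCESS` for the honest exchange, `CHAP_FAILURE` for the replay, and the recovered secret from the offline guess. The last result is the caveat CHAP deployments live with: the protocol only holds up when the shared secret is long and random enough that a wordlist never reaches it.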
PPP’s framing, which prepares data for transmission across the serial link, is derived from HDLC, making the two protocols similar on the wire, although Cisco HDLC’s proprietary type field prevents true interoperability. PPP, unlike HDLC, also supports both synchronous³ and asynchronous⁴ serial links, using byte stuffing on asynchronous links so that the flag byte can always be recognised. Like any framing protocol, PPP places its fields in a set order with set lengths (apart from the variable-length data field), so each frame can be decapsulated at the receiving end and interpreted unambiguously. Below is the PPP frame layout in order of transmission:
- Start Flag: This 1-byte field marks the beginning of the PPP frame. It always holds the binary value 01111110 (0x7E).
- Address: This 1-byte field always contains the all-stations (broadcast) address 11111111 (0xFF). PPP does not assign addresses to hosts because it is designed purely for point-to-point links, where there will only ever be two hosts.
- Control: This 1-byte field holds the binary sequence 00000011 (0x03), the standard HDLC code for Unnumbered Information, representing the transmission of unsequenced user data: a connectionless service not unlike LLC Type 1.
- Protocol: The 2-byte Protocol field indicates which protocol’s packet is carried in the data field. Network-layer protocols have their own values, for example 0x0021 for IP, 0x002B for IPX and 0x0029 for AppleTalk, and so do PPP’s own control protocols: 0xC021 for LCP, 0x8021 for IPCP (the NCP for IP), 0xC023 for PAP and 0xC223 for CHAP. The receiver uses this field to hand the payload to the right protocol handler.
- Data: The data field of the PPP frame can vary between 0 and 1500 bytes in length by default (the Maximum Receive Unit, which LCP can negotiate), and contains one complete packet of the protocol indicated in the Protocol field. Because this field is variable in length, the receiver finds the end of the frame by locating the End Flag, which holds the same 01111110 value as the Start Flag; the two bytes immediately before that flag are the FCS, and everything between the Protocol field and the FCS is data.
- FCS: The FCS, or Frame Check Sequence, is a 2-byte cyclic redundancy check (the CRC-16 specified in RFC 1662; a 32-bit FCS can be negotiated) computed over the Address, Control, Protocol and Data fields. It is an error-detection mechanism: the receiver recomputes the CRC and, if it does not match the transmitted value, the frame was corrupted in transit and is dropped. A CRC detects accidental corruption only; anyone who can modify the frame can also recompute the FCS, so it offers no protection against deliberate tampering.
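The frame layout described above, with the byte stuffing used on asynchronous links (see footnote 4), as an added example that is not part of the original post. The field order and the FCS-16 algorithm follow RFC 1662; the protocol numbers are the standard assignments; the payloads are constructed. The receiver side shows the check a practitioner wants to see: a single flipped byte in transit fails the FCS and the frame is dropped.

```python
"""PPP HDLC-like framing with FCS-16 and async byte stuffing (added example,
not from the post). Layout and CRC follow RFC 1662; payloads are constructed."""
import struct

FLAG, ESC = 0x7E, 0x7D              # frame delimiter and the async escape byte
ADDRESS, CONTROL = 0xFF, 0x03       # all-stations address, Unnumbered Information
PROTO_IP, PROTO_IPCP, PROTO_LCP = 0x0021, 0x8021, 0xC021
DEFAULT_MRU = 1500                  # default Maximum Receive Unit for the data field


def fcs16(data):
    """PPP FCS-16 (RFC 1662, Appendix C): CRC-16 with the reflected 0x1021
    polynomial, initial value 0xFFFF, result inverted."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF


def build_frame(protocol, payload):
    """Flag, Address, Control, Protocol, Data, FCS, Flag, byte-stuffed for an
    asynchronous link: with the default control-character map, flag, escape
    and bytes below 0x20 are sent as ESC followed by the byte XOR 0x20."""
    if len(payload) > DEFAULT_MRU:
        raise ValueError("payload exceeds the MRU")
    body = bytes([ADDRESS, CONTROL]) + struct.pack("!H", protocol) + payload
    body += struct.pack("<H", fcs16(body))       # FCS goes least significant byte first
    out = bytearray([FLAG])
    for byte in body:
        if byte in (FLAG, ESC) or byte < 0x20:
            out += bytes([ESC, byte ^ 0x20])
        else:
            out.append(byte)
    out.append(FLAG)
    return bytes(out)


def parse_frame(wire):
    """Receiver side: take the bytes between two flags, undo the stuffing,
    check the FCS and return (protocol, data). Raises ValueError where a real
    receiver would silently drop the frame."""
    start = wire.index(FLAG)
    end = wire.index(FLAG, start + 1)
    raw = bytearray()
    escaped = False
    for byte in wire[start + 1:end]:
        if escaped:
            raw.append(byte ^ 0x20)
            escaped = False
        elif byte == ESC:
            escaped = True
        else:
            raw.append(byte)
    if escaped or len(raw) < 6:
        raise ValueError("truncated frame")
    body, sent_fcs = bytes(raw[:-2]), struct.unpack("<H", raw[-2:])[0]
    if fcs16(body) != sent_fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected Address/Control")
    return struct.unpack("!H", body[2:4])[0], body[4:]


def frame_is_valid(wire):
    """True if parse_frame accepts the frame, False if it would be dropped."""
    try:
        parse_frame(wire)
        return True
    except ValueError:
        return False


def demo():
    """Round-trip a frame whose data contains every kind of byte that needs
    escaping, then corrupt one byte in transit and show the FCS catches it."""
    data = b"\x7e\x7d\x01 IP packet would go here"
    frame = build_frame(PROTO_IP, data)
    protocol, recovered = parse_frame(frame)
    damaged = bytearray(frame)
    damaged[frame.index(b"IP")] ^= 0x01  # flip one bit in the data ('I' -> 'H')
    return protocol, recovered, frame.count(FLAG), frame_is_valid(bytes(damaged))
```

`demo()` returns the protocol number, the recovered data (identical to what was sent, flag and escape bytes included), a flag count of exactly two, and `False` for the damaged copy. The FCS catches the flipped bit, but note what it does not do: a man-in-the-middle who rewrites the data and recomputes the two FCS bytes produces a frame the receiver accepts without complaint.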
In summary, PPP is a serial point-to-point link transmission and control protocol suite that supports both synchronous and asynchronous links and multiple network-layer protocol encapsulations, offers a choice of authentication methods (of which CHAP resists eavesdropping and replay far better than PAP, provided the shared secret is strong), and is a non-proprietary open standard that can be implemented across many varied hardware platforms, allowing equipment from different manufacturers to interoperate. It is quickly replacing HDLC as the protocol of choice for point-to-point serial WAN links.
1: Playback Attack: A playback (or replay) attack is an intrusion method in which the attacker records a legitimate transmission, identifies the frame that carries the credential (for PAP, the clear-text password itself) and stores it, to be ‘played back’ at the target machine at a later date in an attempt to imitate a legitimate user.
2: Man-in-the-middle Attack: A man-in-the-middle attack involves the attacker, instead of intruding into either system directly, intercepting the communication between two end-points and relaying or modifying it, so that each side believes it is talking to the other while the attacker reads or alters what passes between them, in an attempt to get the systems to divulge sensitive data to what they believe to be a legitimate destination.
3: Synchronous Transmission: In data communications a synchronous link is one on which both end-points transmit against a single shared clock, either recovered from the line signal itself or carried on a separate clock lead, so the receiver knows exactly when each bit begins and ends and both ends stay in sync. Typical examples are digital leased lines such as a 56 kbit/s DDS circuit or a T1, where the carrier supplies the clock. Shared clocking is also what makes TDM (Time-Division Multiplexing) possible, allowing multiple connections to share one communications link: each connection is allotted a fixed time slot in a repeating cycle, and because the receiver knows the cycle it can reassemble each connection’s data from its slots.
4: Asynchronous Transmission: Unlike a synchronous link, an asynchronous link has no shared clock. Both ends are configured for the same nominal bit rate, but each character is sent on its own, framed by a start bit and one or more stop bits, and the receiver resynchronises at the start of every character; the line can sit idle between characters. Connection negotiation can place an upper limit on the rate if, for example, the receiving host can only accept data more slowly than the transmitter can send it. Because frames can be of variable length, depending on the size of the data field, the transmission relies on set delimiters to mark where a frame begins and ends; on an asynchronous PPP link this is the 0x7E flag byte, with any flag or escape byte occurring inside the frame escaped (‘byte-stuffed’) so it cannot be mistaken for a delimiter. A link protocol may instead use fixed-length frames, splitting larger packets to make them fit. The best-known example is ATM (Asynchronous Transfer Mode), which uses fixed-length ‘cells’ of 53 bytes, although the ‘asynchronous’ in its name refers to cells being sent whenever there is data to send rather than in fixed time slots, not to asynchronous character transmission.
February 10th, 2006 at 7:09 am
you should really get some examples with pppd debug and describe how to perform the attack d00d
March 1st, 2006 at 2:30 pm
Ummm… no, I shouldn’t. Because, you see, I’m not going to provide every wanna-be script kiddy out there with step-by-step instructions on how to attack a PPP connection. That’s not how I work, sorry.
August 22nd, 2007 at 3:27 pm
Please tell me more about the playback attack. I’m searching for it.
September 5th, 2007 at 8:12 pm
For more information on what a playback attack is, Wikipedia holds your answers.