PPP Protocol: Point-to-Point Protocol
Shenzhen Polytechnic (深圳职业技术学院), School of Telecommunications, Network Technology Program

Objectives
1. PPP Components
2. PPP Session Establishment
3. PPP Authentication
4. Configuring CHAP and PAP
5. Verifying the PPP configuration
WAN Connection Types: Layer 1 (figure)
Leased line: synchronous serial
Circuit-switched: asynchronous serial, ISDN Layer 1 (via the telephone company)
Packet-switched: synchronous serial (via the service provider)

Serial Point-to-Point Connections (figure)
Router and end-user device (DTE) to CSU/DSU (DCE) to service provider
Serial standards: EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA-530
Purpose: This section describes the various serial standards that support leased-line connections.
Emphasize: The same 60-pin end that attaches to a Cisco device supports all the standards illustrated.
Note: Data switching equipment (DSE) is an additional term sometimes used to describe the switch components that appear inside the cloud. The DSE adds and removes channels assigned inside the WAN, and connects traffic from various sources to their final destinations through other switches.
Transition: The next layer in the stack is Layer 2, the data link layer.

Typical WAN Encapsulation Protocols: Layer 2 (figure)
Leased line: HDLC, PPP, SLIP
Packet-switched (service provider): X.25, Frame Relay, ATM
Circuit-switched (telephone company): PPP, SLIP, HDLC
WAN Physical Connections (figure)

HDLC Frame Format
Flag: marks the start or end of a frame; the bit pattern 01111110
Address: 1 to 2 bytes; in practice all ones
Control: indicates the frame type, such as information frame or supervisory frame
Proprietary: a field added by Cisco that marks the frame as Cisco's proprietary HDLC
Data: the encapsulated data
FCS: frame check sequence

Packet Capture (figure)

HDLC Command
Router(config-if)#encapsulation hdlc
HDLC is the default encapsulation on synchronous serial interfaces

What happens to the frame as data travels from PC1 to PC2? (figure)
PC1 -- F0/0 R1 s0/0 -- s0/0 R2 F0/0 -- PC2

Frame Changes
PC1 sends an Ethernet frame whose source MAC is PC1's MAC and whose destination MAC is the MAC of R1's f0/0.
After R1 looks up its routing table and forwards out s0/0, the frame is an HDLC frame, which has no notion of MAC addresses.
After R2 looks up its routing table and forwards out f0/0, the frame is again an Ethernet frame: its source MAC is the MAC of R2's f0/0 and its destination MAC is PC2's MAC.
PPP Components
1. HDLC: PPP uses HDLC as the basis for encapsulating datagrams over point-to-point links.
2. LCP: establishing, configuring, and testing the data-link connection.
3. NCP: establishing and configuring different network-layer protocols.

PPP Components (figure)
Multiple protocol encapsulations using NCPs in PPP: the PPP encapsulation carries TCP/IP, Novell IPX and AppleTalk
Link setup and control using LCP in PPP
PPP can carry packets from several protocol suites using Network Control Protocols (NCPs).
PPP controls the setup of several link options using LCP.
Purpose: This figure presents an overview of PPP.
Emphasize: The figure illustrates the multiple protocols NCP supports. The two arrows pointing to the router interfaces show where PPP encapsulation occurs. The first bullet summarizes the role of NCP. The second bullet summarizes the role of the LCP options that the administrator can use to set up and control the data link. Several RFCs specify aspects of PPP; RFC 1548 is the major specification for the PPP NCP and LCP operations.

Layering PPP Elements (figure)
Layer 3 protocols: IP, IPX, many others
Network layer: Network Control Protocol (NCP), e.g. IPCP, IPXCP
Data link layer: PPP with the Link Control Protocol (LCP), which negotiates authentication and other options
Physical layer: physical media, synchronous or asynchronous

PPP Session Establishment
1. Link establishment and configuration negotiation
2. Link-quality determination
3. Network-layer protocol configuration negotiation
4. Link termination

PPP Frame Format
Flag: marks the start or end of a frame
Address field: the hexadecimal value FF; PPP does not assign addresses to individual stations, so this is the standard broadcast (all-stations) address
Control field: the hexadecimal value 03
Protocol field: identifies the protocol of the data carried in the data field
Data field: the encapsulated data
FCS: frame check sequence, used for error detection
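As an added illustration that is not part of the original slides, the following Python builds a PPP frame with exactly the fields listed above (flag, FF, 03, protocol, data, FCS) and parses it back, verifying the FCS with the FCS-16 algorithm from RFC 1662. The protocol numbers (0x0021 IPv4, 0xC021 LCP, 0xC023 PAP, 0xC223 CHAP) are the registered PPP values; the sample payload is constructed, and the 0x7D byte stuffing used on asynchronous links is left out by assumption (a synchronous link is assumed).

```python
import struct

# PPP framing constants (RFC 1661 / RFC 1662)
FLAG = 0x7E              # frame delimiter
PPP_ADDRESS = 0xFF       # "all stations": PPP does not address individual peers
PPP_CONTROL = 0x03       # Unnumbered Information
PPP_GOOD_FCS16 = 0xF0B8  # CRC residue left by a frame whose FCS is intact

# Protocol field values (registered PPP protocol numbers)
PROTO_IPV4 = 0x0021
PROTO_LCP = 0xC021
PROTO_PAP = 0xC023
PROTO_CHAP = 0xC223


def fcs16_raw(data: bytes) -> int:
    """Running FCS-16 (CRC-16/X-25) as in RFC 1662, before the final complement."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def fcs16(data: bytes) -> int:
    """The FCS value actually transmitted: the one's complement of the running CRC."""
    return fcs16_raw(data) ^ 0xFFFF


def build_ppp_frame(protocol: int, payload: bytes) -> bytes:
    """Assemble flag | FF | 03 | protocol | payload | FCS (least significant byte first) | flag.

    Assumption: synchronous link, so no 0x7D byte stuffing is applied.
    """
    body = bytes([PPP_ADDRESS, PPP_CONTROL]) + struct.pack(">H", protocol) + payload
    return bytes([FLAG]) + body + struct.pack("<H", fcs16(body)) + bytes([FLAG])


def parse_ppp_frame(frame: bytes) -> dict:
    """Split a frame into its fields and verify the FCS over address..payload plus FCS."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("not a complete PPP frame (missing flag bytes)")
    body = frame[1:-1]
    address, control = body[0], body[1]
    (protocol,) = struct.unpack(">H", body[2:4])
    payload = body[4:-2]
    (fcs,) = struct.unpack("<H", body[-2:])
    return {
        "address": address,
        "control": control,
        "protocol": protocol,
        "payload": payload,
        "fcs": fcs,
        # Running the CRC over the data *including* the received FCS leaves the
        # fixed residue 0xF0B8 when no bit was corrupted in transit.
        "fcs_ok": fcs16_raw(body) == PPP_GOOD_FCS16,
    }


def corrupt(frame: bytes, index: int) -> bytes:
    """Flip one bit of a frame to show that the FCS detects it (demo helper)."""
    buf = bytearray(frame)
    buf[index] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample payload: the first four bytes of an IPv4 header
    frame = build_ppp_frame(PROTO_IPV4, bytes.fromhex("45000054"))
    print("frame:", frame.hex())
    fields = parse_ppp_frame(frame)
    print("protocol 0x%04x, fcs_ok=%s" % (fields["protocol"], fields["fcs_ok"]))
    print("after corrupting one bit: fcs_ok=%s" % parse_ppp_frame(corrupt(frame, 5))["fcs_ok"])
```

The FCS only detects transmission errors; it is not an integrity protection against a peer that deliberately rewrites a frame, which is one reason the slides later treat authentication separately from framing.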
Features PPP Has Beyond HDLC
Authentication
Multiple network-layer protocols
Compression and encryption
Multilink
Callback
...

PPP Authentication Protocol: PAP
PAP: Password Authentication Protocol, a 2-way handshake (figure)
Remote router (SantaCruz) to central-site router (HQ): "santacruz, boardwalk"
Central-site router to remote router: Accept/Reject
Remote router: hostname santacruz, password boardwalk; central-site router: username santacruz password boardwalk
Passwords are sent in clear text.
The peer is in control of the attempts.

PPP Authentication Protocol: CHAP
CHAP: Challenge Handshake Authentication Protocol, a 3-way handshake (figure)
Central-site router (HQ) to remote router (SantaCruz): Challenge
Remote router to central-site router: Response
Central-site router to remote router: Accept/Reject
Remote router: hostname santacruz, password boardwalk; central-site router: username santacruz password boardwalk
The password is passed in hashed form, using a "secret" known only to the authenticator and the peer.
This avoids playback (replay) and repeated trial-and-error attacks.
Configuring PPP
Router(config-if)#encapsulation ppp
Enables PPP encapsulation (entered in interface configuration mode)

Configuring PPP Authentication
Router(config)#hostname name
Assigns a host name to your router
Router(config)#username name password password
Identifies the username and password of the authenticating router

Configuring PPP Authentication
Router(config-if)#ppp authentication {chap | chap pap | pap chap | pap}
Enables PAP and/or CHAP authentication
Configuring PAP, Example 1 (figure: Left router and Right router connected over PSTN/ISDN)
Left router:
hostname left
!
int serial 0/0
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 ppp pap sent-username left password cisco
Right router:
hostname right
username left password cisco
!
int serial 0/0
 ip address 10.0.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap
Note: the username is the peer's; the passwords must be identical and are case-sensitive.

Configuring PAP, Example 2 (figure: Left router and Right router connected over PSTN/ISDN)
Left router:
hostname left
username right password abcde
!
int serial 0/0
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username left password 12345
Right router:
hostname right
username left password 12345
!
int serial 0/0
 ip address 10.0.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username right password abcde
Note: the username is the peer's; the passwords must be identical and are case-sensitive.

Configuring CHAP, Example (figure: Left router and Right router connected over PSTN/ISDN)
Left router:
hostname left
username right password sameone
!
int serial 0/0
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication CHAP
Right router:
hostname right
username left password sameone
!
int serial 0/0
 ip address 10.0.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication CHAP
Note: the username is the peer's; the passwords must be identical and are case-sensitive.
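To make the difference between the PAP 2-way handshake and the CHAP 3-way handshake concrete, here is an added Python model (not from the slides, and not Cisco's implementation) of both exchanges, using the CHAP example above as its setting: router "left" authenticates router "right", each holds a username entry for the other, and the shared secret is "sameone". The CHAP response is computed as MD5(Identifier || secret || Challenge) as specified in RFC 1994 and the PAP Authenticate-Request layout follows RFC 1334; the class and function names (`ChapAuthenticator`, `ChapPeer`, `chap_exchange`) are hypothetical names chosen for this example.

```python
import hashlib
import hmac
import os
import struct

# PPP protocol numbers of the two authentication protocols
PROTO_PAP = 0xC023
PROTO_CHAP = 0xC223


def pap_authenticate_request(peer_id: str, password: str, identifier: int = 1) -> bytes:
    """PAP Authenticate-Request (RFC 1334): code 1, id, length, peer-id, password.
    The password is carried as-is, which is why the slide says 'clear text'."""
    pid, pw = peer_id.encode(), password.encode()
    length = 4 + 1 + len(pid) + 1 + len(pw)
    return (struct.pack(">BBH", 1, identifier, length)
            + bytes([len(pid)]) + pid + bytes([len(pw)]) + pw)


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The side that sends CHALLENGE and judges the RESPONSE (router 'left' above)."""

    def __init__(self, name: str, secrets_by_peer: dict):
        self.name = name
        self.secrets = secrets_by_peer   # like 'username right password sameone'
        self.next_id = 0
        self.outstanding = {}            # identifier -> challenge value still awaiting a response

    def challenge(self):
        self.next_id = (self.next_id + 1) & 0xFF
        value = os.urandom(16)           # fresh, unpredictable value per attempt
        self.outstanding[self.next_id] = value
        return self.next_id, value, self.name

    def verify(self, identifier: int, response: bytes, peer_name: str) -> bool:
        challenge = self.outstanding.pop(identifier, None)
        if challenge is None:            # unknown identifier, or one already answered (replay)
            return False
        secret = self.secrets.get(peer_name)
        if secret is None:               # no 'username <peer>' entry for this name
            return False
        expected = chap_response_value(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """The side that answers a CHALLENGE (router 'right' above)."""

    def __init__(self, name: str, secrets_by_peer: dict):
        self.name = name
        self.secrets = secrets_by_peer   # like 'username left password sameone'

    def respond(self, identifier: int, challenge: bytes, authenticator_name: str):
        secret = self.secrets[authenticator_name]
        return chap_response_value(identifier, secret, challenge), self.name


def chap_exchange(left_secret: bytes = b"sameone", right_secret: bytes = b"sameone"):
    """Run one 3-way handshake; return (accepted, replay_accepted)."""
    left = ChapAuthenticator("left", {"right": left_secret})
    right = ChapPeer("right", {"left": right_secret})
    ident, chal, auth_name = left.challenge()                        # 1. CHALLENGE
    response, peer_name = right.respond(ident, chal, auth_name)      # 2. RESPONSE
    accepted = left.verify(ident, response, peer_name)               # 3. SUCCESS / FAILURE
    # Re-sending a captured RESPONSE later is useless: that challenge was consumed
    replayed = left.verify(ident, response, peer_name)
    return accepted, replayed


if __name__ == "__main__":
    pkt = pap_authenticate_request("santacruz", "boardwalk")
    print("PAP request contains the password in clear:", b"boardwalk" in pkt)
    print("CHAP, matching secrets (accepted, replay accepted):", chap_exchange())
    print("CHAP, case mismatch 'Sameone':", chap_exchange(b"sameone", b"Sameone"))
```

The case-mismatch call reproduces the note on the slides: a password that differs only in case yields a different MD5 and is rejected. The secret never appears on the wire in CHAP, but the authenticator still has to store it in a recoverable form to compute the expected response, which is a property worth remembering when deciding where `username ... password ...` lines live.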
Verifying PPP Authentication (figure: Left router, Service Provider, Right router)
debug ppp authentication: successful CHAP output
4d20h: %LINK-3-UPDOWN: Interface Serial0, changed state to up
4d20h: Se0 PPP: Treating connection as a dedicated line
4d20h: Se0 PPP: Phase is AUTHENTICATING, by both
4d20h: Se0 CHAP: O CHALLENGE id 2 len 28 from "left"
4d20h: Se0 CHAP: I CHALLENGE id 3 len 28 from "right"
4d20h: Se0 CHAP: O RESPONSE id 3 len 28 from "left"
4d20h: Se0 CHAP: I RESPONSE id 2 len 28 from "right"
4d20h: Se0 CHAP: O SUCCESS id 2 len 4
4d20h: Se0 CHAP: I SUCCESS id 3 len 4
4d20h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
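Reading the output above by hand, the identifier ties the three messages of each handshake together: "O CHALLENGE id 2" is answered by "I RESPONSE id 2" and closed by "O SUCCESS id 2" (left authenticates right), while id 3 runs in the other direction. The following added Python (not from the slides) automates that pairing over `debug ppp authentication` lines so that failed or incomplete handshakes stand out. The Se0 lines are the slide's own output; the Se1 lines with a FAILURE are constructed for this example, and the function names are hypothetical.

```python
import re

# Constructed sample: the Se0 lines reproduce the slide's successful exchange,
# the Se1 lines are an invented failed attempt (the FAILURE text is constructed).
SAMPLE_LOG = """\
4d20h: %LINK-3-UPDOWN: Interface Serial0, changed state to up
4d20h: Se0 PPP: Treating connection as a dedicated line
4d20h: Se0 PPP: Phase is AUTHENTICATING, by both
4d20h: Se0 CHAP: O CHALLENGE id 2 len 28 from "left"
4d20h: Se0 CHAP: I CHALLENGE id 3 len 28 from "right"
4d20h: Se0 CHAP: O RESPONSE id 3 len 28 from "left"
4d20h: Se0 CHAP: I RESPONSE id 2 len 28 from "right"
4d20h: Se0 CHAP: O SUCCESS id 2 len 4
4d20h: Se0 CHAP: I SUCCESS id 3 len 4
4d20h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
4d21h: Se1 CHAP: O CHALLENGE id 7 len 28 from "left"
4d21h: Se1 CHAP: I RESPONSE id 7 len 28 from "right"
4d21h: Se1 CHAP: O FAILURE id 7 len 25 msg is "Authentication failure"
"""

# One CHAP debug line: timestamp, interface, direction (I/O), packet type, id, optional peer name
LINE_RE = re.compile(
    r'^(?P<ts>\S+): (?P<intf>\S+) CHAP: (?P<dir>[IO]) '
    r'(?P<kind>CHALLENGE|RESPONSE|SUCCESS|FAILURE) id (?P<id>\d+) len \d+'
    r'(?: from "(?P<name>[^"]+)")?'
)


def parse_chap_events(log: str) -> list:
    """Return the CHAP lines as dicts; non-CHAP debug lines are ignored."""
    events = []
    for line in log.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            event = match.groupdict()
            event["id"] = int(event["id"])
            events.append(event)
    return events


def summarize(log: str) -> dict:
    """Group events into handshakes keyed by interface and then identifier."""
    handshakes = {}
    for ev in parse_chap_events(log):
        hs = handshakes.setdefault(ev["intf"], {}).setdefault(ev["id"], {
            "role": None, "challenge_from": None, "response_from": None, "result": None,
        })
        if ev["kind"] == "CHALLENGE":
            # We sent (O) the challenge, so for this id we are the authenticator;
            # a received (I) challenge means the peer is authenticating us.
            hs["role"] = "authenticator" if ev["dir"] == "O" else "peer"
            hs["challenge_from"] = ev["name"]
        elif ev["kind"] == "RESPONSE":
            hs["response_from"] = ev["name"]
        else:                               # SUCCESS or FAILURE closes the handshake
            hs["result"] = ev["kind"]
    return handshakes


def find_problems(handshakes: dict) -> list:
    """(interface, id, peer, result) for every handshake that failed or never completed."""
    problems = []
    for intf, by_id in handshakes.items():
        for ident, hs in sorted(by_id.items()):
            if hs["result"] != "SUCCESS":
                problems.append((intf, ident, hs["response_from"], hs["result"]))
    return problems


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for intf, by_id in summary.items():
        for ident, hs in sorted(by_id.items()):
            print(intf, ident, hs)
    print("problems:", find_problems(summary))
```

A handshake whose result stays `None` (challenge sent, no response or verdict) is reported too, since on a real link that usually means a mismatched username entry or a timeout rather than a bad password.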
Questions
What is PPP? What three parts make up PPP?
What are PPP's two authentication methods, and what are the characteristics of each?
How many handshakes does PAP use? How many does CHAP use?