Point-to-Point Protocol (PPP)
The Point-to-Point Protocol (PPP) is the default RAS protocol in Windows and is a data link-layer protocol used to encapsulate higher network-layer protocols to pass over synchronous and asynchronous communication lines. PPP was originally designed as an encapsulation protocol for transporting multiple network layer traffic over point-to-point links. PPP also established other standards, including asynchronous and bit-oriented synchronous encapsulation, network protocol multiplexing, session negotiation, and data-compression negotiation. PPP also supports protocols other than TCP/IP, such as IPX/SPX and DECnet.
For PPP to transmit data over a serial point-to-point link, it uses three components. Each component has its own separate function but requires the use of the other two to complete its tasks. The following list explains the three components and their purposes:
- PPP uses the High-Level Data-Link Control (HDLC) protocol as the basis to encapsulate its data during transmission.
- PPP uses the Link Control Protocol (LCP) to establish, test, and configure the data link connection.
- Various network control protocols (NCPs) are used to configure the different communications protocols. This system enables the use of different protocols, such as TCP/IP and IPX, over the same line simultaneously.
Network Control Protocols
Although multiple network protocols are available, Microsoft products use three main protocols for PPP. Each NCP is specific to a particular network-layer protocol such as IP or IPX/SPX. The following is a list of network control protocols.
- The Internet Protocol Control Protocol (IPCP) is used to configure, enable, and disable the IP protocol modules at each end of the link.
- The Internet Packet Exchange Control Protocol (IPXCP) is used to enable,
configure, and disable IPX protocol modules at each end of the link.
Although multiple versions of this NCP are available, IPXCP is the most common and is overtaking the other IPX NCPs in popularity.
- The NetBIOS Frames Control Protocol (NBFCP) is used to enable, configure, and disable NetBEUI protocol modules at each end of the link.
How PPP Works
PPP uses these three components together to enable it to communicate. It starts by sending LCP frames to test and configure the data link. Next, the authentication protocols are negotiated. Although numerous authentication protocols are available, the most common are the Challenge Handshaking Authentication Protocol (CHAP) and the Password Authentication Protocol (PAP). They determine the type of validation performed for security. The client then sends NCP frames to configure and set up the network-layer protocols to be used during this session. When this step is complete, each network protocol can pass data through this connection. HDLC is used to encapsulate the data stream as it passes through the PPP connection. The link remains active until an LCP or NCP frame closes the link or until an error or external event, such as a user disconnecting the link, occurs.
A control mechanism is included in PPP to enable each protocol to communicate with the others. Finite-state automation (FSA) processes status messages between each layer to coordinate communications. FSA does not actually participate in data flows; it works with the other protocols to keep them in sync and enables them to concentrate on their own jobs.
PPP framing defines the format in which data is encapsulated before it crosses the network. PPP offers a standard framing solution that enables connections to any standard PPP server because all vendors use the same format. PPP uses HDLC as the basis for its encapsulation framing for serial connections. HDLC is widely used in other implementations and has been slightly modified for use with PPP. The modifications were made to facilitate multiplexing NCP layers.
PPP is capable of operating across any data terminal equipment or data circuit terminating equipment (DTE/DCE) device. Many examples of these devices are available, including the most common, those following the EIA/TIA-232 standard, better known as modems. PPP is able to use any DTE/DCE devices as long as they support full-duplex circuits. These can be dedicated or switched and can operate in an asynchronous or synchronous bit-serial mode. In addition, the limit on transmission rates is specified by the interfaces and is not controlled by PPP.
You should remember that the DTE is the terminal or PC used to communicate with other systems, and the DCE is the modem that actually does the communicating.
With PPP, each system could be required to authenticate itself. This can be done using an authentication protocol. The most common authentication protocols are PAP, CHAP, and the Microsoft adaptation of CHAP, MS-CHAP. When a connection is being established, either end node can require the other to authenticate itself, whether it is the remote host or the originator of the call. The LCP can be used to send information to the other node to specify the authentication type. Using the authentication protocols, you enable the capability to offer a level of security by requiring authentication to make a remote connection; you also have control over the level of security used.
PAP works much like a regular network login. The client authenticates itself to a server by passing the username and password to it. The server then compares this information to its password store. Because the password is passed in clear text, this system would not work well in an environment in which security concerns are an issue. The system opens the door for anyone "listening" to the line, such as with a network sniffer.
Alternatively, CHAP uses an encryption algorithm to pass the authentication data to protect it from hackers. The server sends the client a randomly generated challenge request with its hostname. The client then uses the hostname to look up the appropriate secret password and returns a response using a one-way hash with the client's hostname. The host now compares the result and acknowledges the client if it matches. CHAP also sends challenges at regular intervals to verify that the correct client is still using this connection. The challenge values change during each interval. Because CHAP is so much more secure than PAP, it is used widely on the Internet. PAP is usually used only in public FTP sites or other public areas.
MS-CHAP is a Microsoft adaptation of CHAP. It uses the same type of encryption methodology but is slightly more secure. The server sends a challenge to the originating host, which must return the username and an MD-4 hash of the challenge string, the session ID, and the MD-4 hashed password. This system enables the authenticator to store the passwords in an encrypted format instead of plain text. The authentication protocol selections when using PPP as the dial-in protocol for Windows XP. To obtain a list of the supported protocols, go to your dial-in connection properties and select the Security tab. Once on the Security tab, you can select the Advanced security option and then click Settings to view the authentication protocols.