Why Do Internet Service Providers Use Protocols Such As PPP And Its Derivatives PPPoA Or PPPoE?
Architecture 2: Point-to-Point Protocol Networks
Dial-up access was the first remote-access mechanism, and PPP was extensively enhanced to work in this environment. Because of this long deployment experience, PPP is a very mature solution that includes a rich control plane that lends itself to wholesale services. PPP is a more complex protocol than simple bridging, and this additional cost is incurred both on the client stack and on the router.
The following sections look at the variants of PPP used in broadband networks. PPPoE, by far the most prevalent variant today, involves a very simple bridging CPE. As you will see, the PPP session can be initiated from a PC. PPPoA is less common, and usually (but not always) the session is initiated from a router.
PPP over Ethernet: The CPE as a Bridge
PPPoE is an interesting protocol. As the name implies, it involves a PPP session running over an Ethernet MAC layer. PPPoE is interesting because PPP was created for point-to-point interfaces, so it needed some enhancements to allow it to run on broadcast media. These enhancements included a discovery procedure very like the one in DHCP, which serves to establish a logical point-to-point relationship between a PPPoE client and server. All this can sometimes be confusing until you realize that PPPoE is really a superset protocol of PPP in which there is a supplementary setup protocol that runs before regular PPP starts. Cisco IOS debug output shows this really well.
Although the explanation that follows is DSL based, PPPoE is also a perfectly valid possibility for cable and ETTx networks. Figure 2-14 and the list that follows describe PPPoE operation in more detail.
Figure 2-14 PPPoE Protocol Operation
The PPPoE protocol starts before a PPP session comes up, as follows:
- A host broadcasts an Active Discovery Initiation packet, called a PADI.
- In theory, a number of different servers (called Access Concentrators in the RFC) can now reply with an Active Discovery Offer packet, or PADO. In the case of DSL, all the Ethernet traffic is bridged across a (point-to-point) ATM virtual circuit by the bridged CPE to a single aggregation router, which is, in fact, the PPP Access Concentrator, so it is hard to imagine a host receiving more than a single PADO on an operational network. Nevertheless, it is possible. Depending on the implementation of the PPPoE stack on the client, the client may take only the first PADO returned, or the first PADO returned with the service it wishes to connect to.
- The host sends an Active Discovery Request (PADR) packet to a single Access Concentrator.
- The handshake completes when the Access Concentrator sends an Active Discovery Session-confirmation (PADS) packet, which contains a session ID. In the fairly rare case where the Access Concentrator and host are on a broadcast network, this session ID establishes a logical point-to-point connection. (The combination of the host MAC address and session ID is unique on the server.)
- Standard PPP negotiation starts, with LCP and IPCP, just as for point-to-point serial connections.
- Either side can end the session with an Active Discovery Terminate (PADT) packet. This is equivalent to cutting a wire because no more traffic is passed, not even to close the upper-layer PPP session.
Figure 2-15 shows the Ethernet payload for PPPoE.
Figure 2-15 PPPoE Header (Source: RFC 2516)
Packet flow is very simple. Each subscriber is terminated on the PPP peer using a virtual-access interface. Just as with dial-up operation in Cisco IOS, these interfaces are cloned from virtual templates. All traffic is routed by the aggregation router to and from each subscriber, often referred to as hair-pinning. Host routes are also automatically created for each subscriber. The router treats each virtual access as a directly connected interface, and routing table entries are marked appropriately (with a letter C in a show ip route command). Figure 2-16 shows the packet encapsulations used at different points of a PPPoE network.
Figure 2-16 PPPoE Network Cross Section
PPPoE Configuration
The PPPoE protocol runs over Ethernet frames. The host sends PPP packets in Ethernet frames, which are in turn segmented by the bridge CPE into ATM cells and sent onward over the DSL network. There are two Ethernet type values for PPPoE: 0x8863 for PPPoE discovery and 0x8864 for the actual PPPoE data sessions.
PPPoE is configured in two parts on a Cisco IOS router. The first part involves creating a PPPoE server. The second part is the standard configuration for PPP. Figure 2-17 shows the typical PPPoE architecture.
Figure 2-17 PPPoE Architecture
Example 2-14 demonstrates how you would configure a network such as the one shown in Figure 2-17.
Example 2-14 PPPoE Configuration
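The discovery handshake and the header layout described above can be checked by hand with a small decoder. The following Python is an added example written for this page, not code from the original text or from Cisco: it builds and parses frames with the 0x8863 and 0x8864 EtherTypes, walks the TAG list of a discovery packet, verifies the RFC 2516 rules for each stage (session ID zero until the PADS, exactly one Service-Name in a PADI or PADR, AC-Name in a PADO), and models the two client behaviours mentioned above, answering either the first PADO or the first PADO that advertises the wanted service. The MAC addresses, AC names and service names are constructed for the example.

```python
import struct

ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864

# CODE values from RFC 2516; session-stage frames carry code 0x00
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}
# Discovery TAG_TYPE values from RFC 2516
TAG_NAMES = {0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
             0x0103: "Host-Uniq", 0x0104: "AC-Cookie", 0x0201: "Service-Name-Error"}
TAG_IDS = {name: tid for tid, name in TAG_NAMES.items()}

# Constructed MAC addresses for the sample exchange (not from the text)
BCAST = b"\xff" * 6
HOST = bytes.fromhex("0200aa000001")
AC1 = bytes.fromhex("0200bb000001")
AC2 = bytes.fromhex("0200bb000002")


def build_discovery(dst, src, code, session_id, tags):
    """Ethernet frame (type 0x8863) with one discovery packet; tags is [(name, bytes)]."""
    body = b"".join(struct.pack("!HH", TAG_IDS[n], len(v)) + v for n, v in tags)
    hdr = struct.pack("!BBHH", 0x11, code, session_id, len(body))  # VER=1, TYPE=1
    return dst + src + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY) + hdr + body


def build_session(dst, src, session_id, ppp_payload):
    """Ethernet frame (type 0x8864) carrying a PPP frame for an established session."""
    hdr = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp_payload))
    return dst + src + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + hdr + ppp_payload


def parse_frame(frame):
    """Parse either PPPoE frame type into a dict; raise ValueError on malformed input."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in (ETHERTYPE_PPPOE_DISCOVERY, ETHERTYPE_PPPOE_SESSION):
        raise ValueError("not a PPPoE ethertype: 0x%04x" % ethertype)
    vertype, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if vertype != 0x11:
        raise ValueError("unsupported VER/TYPE 0x%02x" % vertype)
    body = frame[20:20 + length]
    if len(body) != length:  # never trust LENGTH: a short frame must not be read past its end
        raise ValueError("LENGTH %d runs past the end of the frame" % length)
    pkt = {"dst": dst, "src": src, "code": CODES.get(code, "0x%02x" % code),
           "session_id": session_id, "tags": [], "ppp_protocol": None}
    if ethertype == ETHERTYPE_PPPOE_SESSION:
        if code != 0x00 or length < 2:
            raise ValueError("malformed session-stage frame")
        (pkt["ppp_protocol"],) = struct.unpack("!H", body[:2])  # 0xC021 LCP, 0x8021 IPCP, ...
        return pkt
    off = 0  # discovery stage: walk the TAG list up to End-Of-List or LENGTH
    while off + 4 <= length:
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TAG 0x%04x" % ttype)
        off += 4 + tlen
        if ttype == 0x0000:
            break
        pkt["tags"].append((TAG_NAMES.get(ttype, "0x%04x" % ttype), value))
    return pkt


def check_discovery(pkt):
    """RFC 2516 rule violations for a parsed discovery packet (empty list means clean)."""
    code, names, problems = pkt["code"], [n for n, _ in pkt["tags"]], []
    if code in ("PADI", "PADO", "PADR") and pkt["session_id"] != 0:
        problems.append("%s must carry SESSION_ID 0" % code)
    if code in ("PADI", "PADR") and names.count("Service-Name") != 1:
        problems.append("%s must carry exactly one Service-Name TAG" % code)
    if code == "PADI" and pkt["dst"] != BCAST:
        problems.append("PADI must be broadcast")
    if code == "PADO" and ("AC-Name" not in names or "Service-Name" not in names):
        problems.append("PADO must carry AC-Name and Service-Name TAGs")
    if code == "PADS" and pkt["session_id"] == 0 and "Service-Name-Error" not in names:
        problems.append("PADS without Service-Name-Error must carry a non-zero SESSION_ID")
    if code == "PADT" and pkt["session_id"] == 0:
        problems.append("PADT must name the session to terminate")
    return problems


def choose_pado(pados, wanted_service=None):
    """The two client behaviours the text describes: take the first PADO seen,
    or the first PADO that advertises the wanted Service-Name."""
    for pkt in pados:
        if pkt["code"] == "PADO" and (wanted_service is None or
                                      ("Service-Name", wanted_service) in pkt["tags"]):
            return pkt
    return None


def sample_exchange(service=b"VPN"):
    """Figure 2-14 flow with two Access Concentrators answering; returns parsed packets."""
    padi = build_discovery(BCAST, HOST, 0x09, 0, [("Service-Name", b""), ("Host-Uniq", b"\x00\x01")])
    pado1 = build_discovery(HOST, AC1, 0x07, 0, [("AC-Name", b"ac1"), ("Service-Name", b""),
                                                 ("Service-Name", b"Internet"), ("Host-Uniq", b"\x00\x01")])
    pado2 = build_discovery(HOST, AC2, 0x07, 0, [("AC-Name", b"ac2"), ("Service-Name", b""),
                                                 ("Service-Name", b"VPN"), ("Host-Uniq", b"\x00\x01")])
    pados = [parse_frame(pado1), parse_frame(pado2)]
    chosen = choose_pado(pados, service)
    padr = build_discovery(chosen["src"], HOST, 0x19, 0, [("Service-Name", service)])
    pads = build_discovery(HOST, chosen["src"], 0x65, 0x0123, [("Service-Name", service)])
    return [parse_frame(padi)] + pados + [parse_frame(padr), parse_frame(pads)]
```

The parser refuses frames whose LENGTH field points past the end of the buffer rather than silently reading short; an aggregation router's PPPoE stack has to do the same, because that field and the TAG lengths are attacker-controlled input arriving on the subscriber side.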
vpdn enable
!
! configuration for pppoe server
! interfaces for sessions will be cloned from virtual-template 1
vpdn-group 1
 accept dialin
  protocol pppoe
  virtual-template 1
!
! enable pppoe on this subinterface
! subscriber interface
interface ATM0/0/0.132 point-to-point
 no ip directed-broadcast
 pvc 1/32
  encapsulation aal5snap
  protocol pppoe
!
! virtual template for pppoe virtual-access interfaces
! note MTU size adjustment
interface virtual-template 1
 ip unnumbered loopback0
 no ip directed-broadcast
 ip mtu 1492
 peer default ip address pool pppoe-pool
 ppp authentication pap
!
! pool of addresses for pppoe subscribers
ip local pool pppoe-pool 192.168.10.10 192.168.10.100
Example 2-15 shows the PPPoE configuration for the network in Figure 2-16 using Ethernet instead of ATM subscriber interfaces.
Example 2-15 PPPoE Configuration
vpdn-group pppoe
 accept-dialin
  protocol pppoe
  virtual-template 1
!
interface FastEthernet2/0.2
 encapsulation dot1Q 2
 pppoe enable
!
interface FastEthernet2/0.3
 encapsulation dot1Q 3
 pppoe enable
NOTE
Examples 2-14 and 2-15 use vpdn-group commands. In more recent versions of Cisco IOS, this syntax has been changed to use the newer bba-group commands. Chapter 6 shows how to use bba-group, but a lot of networks still run Cisco IOS images that have vpdn-group, which is why those commands are shown here and in Chapter 3, "VPNs in Broadband Networks."
PPPoE Service Selection and Discovery
Another innovation in the PPPoE protocol is the use of PADS messages to advertise services to clients. The premise behind this use is that each host potentially is subscribed to multiple network-based services and needs to choose between them or, alternatively, to discover the list of subscribed or permitted service names. Example services might include a public Internet connection, a private VPN connection, and an extranet managed by a financial institution. To switch between each service, the end customer must have some way of identifying and selecting the service in the first place. Similarly, to subscribe to a brand new service, there has to be some way to inform the customer that it exists.
It is possible to do service selection using PPPoE. To do this, the PPPoE Access Concentrator sends a list of available service names (such as Internet, VPN, SafeShopping) to the PPPoE client. The client then displays the list of services to the user, who can choose whichever one she wants to use.
From an architecture perspective, PPPoE service selection poses an interesting quandary. In the DSL reference model, only ISPs sell services to end users. Yet here is a protocol that only the wholesale providers (the Access Concentrator is a PTT device) can typically use to announce services they do not typically sell to customers they do not typically own.
That said, there is a proposal at the IETF that would allow just the PADS messages to be carried over L2TP. This would permit the ISP's network server to terminate the PPPoE protocol and manage service announcements, which is probably a more logical arrangement from a business perspective. The Cisco implementation is called PPPoE Relay.
PPP over ATM: The CPE as a Router
PPPoA was first standardized at the DSL Forum. It is commonly used, but not as widely as PPPoE. PPPoA is actually simpler than PPPoE because there is no need for any of the extensions, such as discovery.
PPPoA can be run directly from a host with an ATM NIC card. This scenario is fairly rare in operational networks because Ethernet NICs are so much cheaper. Our discussion will focus on a CPE with PPPoA.
To higher-layer protocols, a PPPoA link appears as a routed connection, with remote peer authentication and the possibility of dynamic address assignment.
PPPoA Configuration
PPPoA runs over AAL5 MUX or SNAP encapsulation. The CPE runs IP on its LAN interface and PPP as the link layer protocol on the ATM WAN interface, as shown in Figure 2-18.
Figure 2-18 PPPoA Network Cross Section
As soon as the PPP software detects that the ATM PVC is up, it tries to establish a session in classic PPP fashion. The router sends an LCP request, then changes state to authenticate and remains in this state until either authentication succeeds or it times out. In case of timeout, the process starts over until a session is opened. This behavior can be disabled using atm pppatm passive, but it is on by default on Cisco routers.
PPP Address Assignments
During PPP session negotiation, the client typically requests an address from the router. The router can find an address in one of several places. Either an ip pool is configured on the router, as in our example, or an address (or pool, for that matter) must be downloaded from a RADIUS server. (There is also the option of allowing the remote peer to keep its address, using ip address negotiate on the virtual template.)
The address download options are as follows:
- Download of a single address
- Download of a pool name
- Download of a pool at startup
- Use of On-Demand Address Pools
Download of a Single Address
When downloading a single address from RADIUS (using, for example, the framed-ip-address attribute), preference is given to downloaded attributes over parameters configured from the command line.
Example 2-16 shows how to use this attribute in a subscriber profile.
Example 2-16 Framed-IP-Address RADIUS Profile
jondoe Password = "cisco"
       Service-Type = Framed-User,
       Framed-Protocol = PPP,
       Framed-IP-Address = "192.168.11.1"
There are some special values for framed-ip-address that you should remember. If the AAA server returns a value of 255.255.255.254, that is an instruction to the router to fetch a dynamic IP address for this subscriber. In other words, the AAA server says to the router, "I want you to find a dynamic address for this subscriber." The router will probably do this using DHCP, and Example 2-17 shows the little bit of magic you need to combine DHCP and AAA.
Example 2-17 Pools with DHCP
! global command
ip dhcp-server 1.1.1.1
!
interface virtual-template 1
 peer default ip address pool dhcp
Download of a Pool Name
In this scenario, a pool is already configured on the router and the RADIUS server merely has to tell the router which one to use.
On the router, you would need the configuration in Example 2-18, with a virtual-template that does not have a pool name (or that would override the one coming from the RADIUS server) and a standard ip address pool.
Example 2-18 Downloading Pool Names Router Configuration
! Note no pool name
interface virtual-template 1
 description PPPoE Clients
 ip unnumbered loopback0
 ppp authentication chap pap
!
ip local pool FOO 192.168.10.10 192.168.10.100
The corresponding AAA profile with a pool name would look like Example 2-19.
Example 2-19 Downloading Pool Names RADIUS Profile
janedoe Password = "cisco"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        av-pair = "ip:addr-pool=FOO"
Download of a Pool at Startup
This trick is very similar to using AAA to download IP routes, in which case a Cisco IOS router can be configured to read static routing entries from an AAA server when it starts up. (The configuration is a little esoteric.)
The router is configured with a name that it uses to issue a RADIUS Access-Request at startup. The Access-Accept answer from the server includes one or more pools of IP addresses. These can be referenced in subscriber AAA profiles just as if they had been configured on the router. If a subscriber references an unknown pool, the router tries to download the complete list again. Example 2-20 shows how to activate this behavior in Cisco IOS. The router now sends an Access-Request using the name load-pools.
Example 2-20 Downloading Pools Router Configuration
! add this to the router configuration
aaa configuration config-username load-pools
Now the RADIUS server needs a user profile that uses the same name as the router does, which is the case of the RADIUS profile in Example 2-21.
Example 2-21 Downloading Pools RADIUS Profile
nas1-pools Password = "cisco"
           Service-Type = Outbound-User,
           av-pair = "ip:pool-def#1=BAR 192.168.11.10 192.168.11.100"
You can use these downloaded pools just like you use an IP address pool. Example 2-22 shows an example with a virtual-template configuration with a pool called BAR that was defined in Example 2-21.
Example 2-22 Using Downloaded Pool Definitions
interface virtual-template 2
 description PPPoE Clients
 ip unnumbered loopback0
 peer default ip address pool BAR
 ppp authentication chap pap
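The precedence rules spread over Examples 2-16 to 2-22 (a downloaded Framed-IP-Address beats the template's pool, 255.255.255.254 means "go and find a dynamic address", ip:addr-pool names a pool, and an unknown pool name triggers a fresh download of the ip:pool-def list) are easier to see as one decision procedure. The following Python is an added example written for this page, not Cisco IOS code or the text's own material: PoolStore is a simplified model of the router's pool table, the startup reply stands in for the RADIUS server, and the profiles dynuser and vpnuser are constructed; jondoe, janedoe and the pools FOO and BAR follow the examples above.

```python
import ipaddress

DYNAMIC_ADDRESS = "255.255.255.254"  # Framed-IP-Address meaning "router, fetch a dynamic address"

# Constructed RADIUS profiles shaped like Examples 2-16, 2-19 and 2-21
PROFILES = {
    "jondoe": {"Framed-IP-Address": "192.168.11.1"},
    "janedoe": {"av-pair": ["ip:addr-pool=FOO"]},
    "dynuser": {"Framed-IP-Address": DYNAMIC_ADDRESS},   # hypothetical subscriber
    "vpnuser": {"av-pair": ["ip:addr-pool=BAR"]},        # hypothetical subscriber
}
# Access-Accept for the startup request, as in Example 2-21
STARTUP_REPLY = {"av-pair": ["ip:pool-def#1=BAR 192.168.11.10 192.168.11.100"]}


def av_pairs(profile):
    """Split Cisco av-pair strings ('ip:addr-pool=FOO') into a {key: value} dict."""
    out = {}
    for pair in profile.get("av-pair", []):
        key, _, value = pair.partition("=")
        out[key] = value
    return out


class PoolStore:
    """Simplified model of the router's pool table: 'ip local pool' entries plus
    pool-def entries downloaded at startup (this is an assumption, not IOS internals)."""

    def __init__(self, local_pools, startup_reply):
        self.pools = {}
        self.in_use = set()
        self.downloads = 0
        self._startup_reply = startup_reply  # stands in for the RADIUS server
        for name, (first, last) in local_pools.items():
            self.define(name, first, last)

    def define(self, name, first, last):
        self.pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))

    def download_pool_definitions(self):
        """Model the Access-Request sent under 'aaa configuration config-username'."""
        self.downloads += 1
        for key, value in av_pairs(self._startup_reply).items():
            if key.startswith("ip:pool-def#"):
                name, first, last = value.split()
                self.define(name, first, last)

    def allocate(self, name):
        """Lowest free address of a pool; an unknown pool name triggers a re-download
        of the definitions first, as the text describes."""
        if name not in self.pools:
            self.download_pool_definitions()
        if name not in self.pools:
            return None
        first, last = self.pools[name]
        addr = first
        while addr <= last:
            if addr not in self.in_use:
                self.in_use.add(addr)
                return str(addr)
            addr += 1
        return None  # pool exhausted


def resolve_address(profile, store, template_pool=None):
    """Where the subscriber's address comes from: (source, pool name, address).
    Downloaded attributes win over the pool configured on the virtual-template."""
    framed = profile.get("Framed-IP-Address")
    if framed == DYNAMIC_ADDRESS:
        return ("dhcp", None, None)          # e.g. 'peer default ip address pool dhcp'
    if framed is not None:
        return ("static", None, framed)
    pool = av_pairs(profile).get("ip:addr-pool") or template_pool
    if pool is None:
        return ("none", None, None)          # nothing configured to hand out
    addr = store.allocate(pool)
    return ("pool", pool, addr) if addr else ("error", pool, None)
```

Walking the constructed profiles through resolve_address with a store that only knows FOO locally shows the startup download happening exactly once, when vpnuser first references BAR, and not again for later BAR subscribers.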
Use of On-Demand Address Pools
On-Demand Address Pools (ODAP), which is discussed in more detail in Chapter 6, "Wholesale MPLS-VPN Related Service Features," is a powerful mechanism to allow a router to request IP pools dynamically from a DHCP server as existing ones are used up.
All the techniques just described are well and good, but they let you allocate only a single host address (or a pool from which a single address will be handed out to the host). What about the case of home networks with a broadband router connected to many different home computers? For that, the service provider needs other techniques, such as the following:
- CPE PAT: The CPE uses port address translation (PAT) to map many individual host addresses to the single, public address assigned during PPP session negotiation.
- IPCP subnet mask: The CPE is assigned an IP subnet mask and an address during PPP session negotiation. It takes the first address of this subnet for its WAN interface and uses the rest of the pool to do network address translation (NAT) of host addresses. It is not possible to assign these addresses using DHCP, or else two links would be on the same IP subnet.
As usual, the subnet mask can either be configured on the router or in AAA. To make the IPCP subnet option work, you need to coordinate the aggregator, the CPE, and the AAA server.
Example 2-23 shows the configuration needed on the aggregation router.
Example 2-23 IPCP Subnet Mask Router Configuration
interface Virtual-Template2
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication pap chap
 ppp ipcp mask 255.255.255.240
!
Example 2-24 shows the configuration on the CPE, which needs to ask for the subnet mask when it brings up its PPP session.
Example 2-24 IPCP Subnet Mask CPE Configuration
!
interface Dialer 0
 ppp ipcp mask request
Finally, Example 2-25 shows the RADIUS profile, which has a regular framed-ip-address, but also a subnet mask in the framed-ip-netmask attribute.
Example 2-25 IPCP Subnet Mask RADIUS Profile
CPE Password = "cisco"
    Service-Type = Framed,
    Framed-Protocol = PPP,
    Framed-IP-Address = 192.168.2.1
    Framed-IP-Netmask = 255.255.255.248
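What the CPE does with the Framed-IP-Address and Framed-IP-Netmask pair, and the "two links on the same subnet" failure the text warns about, can be checked before profiles go into production. The following Python is an added example written for this page, not code from the original text or from Cisco: cpe_plan derives the WAN address and the NAT pool from a profile the way the IPCP subnet mask option is described above, and check_assignments flags profiles whose subnets overlap or whose Framed-IP-Address is not the first host of the delivered subnet. Only the profile named CPE follows Example 2-25; CPE2 and CPE3 are constructed, and CPE3 is deliberately given a subnet inside CPE2's.

```python
import ipaddress

# RADIUS profiles shaped like Example 2-25; CPE2 and CPE3 are constructed for the example
PROFILES = {
    "CPE":  {"Framed-IP-Address": "192.168.2.1",  "Framed-IP-Netmask": "255.255.255.248"},
    "CPE2": {"Framed-IP-Address": "192.168.2.9",  "Framed-IP-Netmask": "255.255.255.248"},
    "CPE3": {"Framed-IP-Address": "192.168.2.13", "Framed-IP-Netmask": "255.255.255.252"},
}


def cpe_plan(profile):
    """Model the CPE side of the IPCP subnet mask option: first host address becomes
    the WAN interface address, the remaining hosts form the NAT pool for LAN machines."""
    net = ipaddress.ip_network("%s/%s" % (profile["Framed-IP-Address"],
                                          profile["Framed-IP-Netmask"]), strict=False)
    hosts = list(net.hosts())
    wan = hosts[0]
    return {
        "subnet": net,
        "wan": str(wan),
        "nat_pool": [str(h) for h in hosts[1:]],
        "framed_is_first": ipaddress.ip_address(profile["Framed-IP-Address"]) == wan,
    }


def check_assignments(profiles):
    """Return a list of problems: subscriber subnets that overlap (two PPP links would
    share one IP subnet) and profiles whose address is not the first host of its subnet."""
    plans = {name: cpe_plan(p) for name, p in profiles.items()}
    names = sorted(plans)
    problems = []
    for i, a in enumerate(names):
        if not plans[a]["framed_is_first"]:
            problems.append("%s: Framed-IP-Address is not the first host of %s"
                            % (a, plans[a]["subnet"]))
        for b in names[i + 1:]:
            if plans[a]["subnet"].overlaps(plans[b]["subnet"]):
                problems.append("%s and %s overlap: %s / %s"
                                % (a, b, plans[a]["subnet"], plans[b]["subnet"]))
    return problems
```

Run against the constructed profiles, the check reports the CPE2/CPE3 overlap and nothing else; the same routine can be pointed at an exported RADIUS users file to catch the mistake before two subscribers end up announcing the same subnet to the aggregator.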
PPP Quality of Service
There are two things to understand regarding QoS on PPP links: what type of QoS is supported and how to provision it.
One point needs clarification at the outset: IP QoS on PPP interfaces is not as complete as on other Layer 2 interfaces. Depending on the actual router you are using, you can have classification, marking, and policing but probably not queuing. Of course, PPP runs on top of some other Layer 2 interface, and you can apply the complete range of ATM CoS for DSL subscribers, for example. In each case (i.e., Layer 2 under PPP, or Layer 3 on the interface itself), use the classic Cisco IOS commands that were covered earlier in the chapter.
Provisioning QoS for PPP is a little different. Think first about what layer you are going to use to do the QoS and what type of QoS you need. Is it policing at the ATM layer? Or classification at the IP layer? IP QoS commands, such as the service-policy command in Example 2-2, should go under the virtual-template on the router. ATM QoS parameters go under the PVC block. As with most things in PPP, you can provision QoS at either of these layers in a RADIUS profile.
Dynamic Bandwidth Selection (DBS) is the name of the Cisco IOS feature that lets you set a subscriber's ATM CoS profile using RADIUS. The idea behind the name is that a service provider would define different policies for subscribers: one for basic Internet access, one for VoIP, and so on. If there are different profiles predefined in RADIUS, then all the subscriber needs to do is to connect with a new username to get the new and improved QoS on his circuit. Using DBS means that the service provider operations team doesn't have to configure anything in the network as customers change back and forth between different levels of QoS.
Example 2-26 shows how to enable the DBS feature in Cisco IOS under an individual PVC, followed by Example 2-27, which gives the specific DBS RADIUS attributes.
Example 2-26 DBS Router Configuration
interface atm0/0/0.5 point-to-point
 ip address 192.168.2.1 255.255.255.0
 pvc 1/100
  dbs enable
  encapsulation aal5snap
  protocol ppp virtual-template 1
Example 2-27 DBS av-pairs RADIUS Profile
Cisco-Avpair = "atm:peak-cell-rate=155000"
Cisco-Avpair = "atm:sustainable-cell-rate=155000"
The AAA parameters in Example 2-26 set the peak cell rate, which is mandatory, and a sustainable cell rate. The circuit behaves as UBR if only the PCR is given; otherwise it operates as a VBR-nrt circuit.
There is a similar set of special RADIUS attributes that allow you to download IP policing parameters to the aggregation router.
All in all, PPP is a little blunt when it comes to QoS support. With bridged access, there are very clear ways to map QoS policy between the IP layer and the transport layers, all of which have a good level of native QoS. The extra PPP layer blinds the access network, which cannot look into the PPP packets to know what QoS level to apply to the frames: There is no QoS mark in the PPP header, and the original IP header is too deeply encapsulated to be able to look for the DSCP settings in hardware. In fact, all you are really doing with PPP QoS is prioritizing traffic on the aggregation router itself. None of the devices downstream (i.e., those between the aggregator and the subscriber) can automatically change its CoS settings if a subscriber uses a different DBS profile: This is not end-to-end QoS. Bridged access does offer, or is closer to offering, end-to-end QoS.
The DSL Forum has been particularly active in working on a new model that supports true multiservice traffic throughout the network, not only on the aggregation router. Interested readers should look for WT-59-related documents on the DSL Forum web site at http://www.dslforum.org.
PPP Authentication, Accounting, and Security
PPP has excellent authentication and accounting support. Millions of broadband and dial-up customers around the world use PPP for their Internet connection. The beautiful thing with PPP is that subscriber configuration can be centralized on a RADIUS server, which is a much more scalable way to run a network than to have to configure the devices independently. PPP is very well documented in other books, so the details are not going to be covered here, with the following two exceptions:
- PPP port-based authentication
- PPP security
Port-Based Authentication
Configuring a username in AAA for the CPE might seem easy to do but is in fact very awkward, because it means having a different username configured for each and every CPE. If a subscriber changes CPE, the username would have to be updated on the new device to make sure that the subscriber still gets the correct IP address. Rather than go to the pain of maintaining such a database, wouldn't life be easier if a CPE could be authenticated using the subscriber circuit ID? Happily, this is possible. The syntax on the router is radius-server attribute nas-port format d.
This simple statement makes the router include the circuit ID in the RADIUS NAS-Port field. The format for ATM, which makes this value globally unique, is IP address/module/port/VPI/VCI. A corresponding format exists for Ethernet and VLANs (even QinQ) as well. Obviously, the RADIUS server must support this.
PPP Security
Bridged access security is complex because it involves many subscribers who are all part of the same broadcast domain. Regardless of the actual tricks, DSL, cable, and Ethernet networks have many different bells and whistles to limit the broadcast domain as much as possible, ideally to a single subscriber.
PPP architectures simply don't have this problem, because the subscriber links are actually routed interfaces and the aggregation router knows which address it assigned to whom. This removes a lot of the risk of IP and MAC layer spoofing, especially of the variety that lets one subscriber attack their neighbor because of weaknesses in the aggregator or the broadband architecture itself. It's important to be realistic here: suitably motivated subscribers at the other end of a PPP session can launch DoS and other nasty attacks. However, because the architecture provides a point-to-point link for each and every subscriber, there is inherently more security than on a network in which subscribers share the same Layer 2 segment.
You should remember the basic best practices for securing PPP connections and use CHAP authentication for the actual session itself. Also, protect the aggregation router. A PPP subscriber can still mount an attack against the default gateway. Ironically, PPP isn't as well served as Ethernet (but it doesn't have the same risks of ARP- and broadcast-based attacks), but uRPF and NetFlow are also really good techniques to use in PPP architectures. A PPP-specific attack would be to launch a DoS attack against the RADIUS server by opening a gazillion sessions, or opening and closing them constantly. Cisco IOS can limit the number of sessions per connection or per MAC address, and this is a good feature to turn on. Possibly best of all, RADIUS billing records provide a great way to track unusual usage back to an individual subscriber: even if he spoofs IP addresses and blasts a week's worth of traffic in a couple of hours, his billing record will show the volume of traffic sent over the subscriber line (ATM VC or Ethernet port).
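The two detections this section points at, session churn against the RADIUS server and a subscriber line carrying far more volume than its session time justifies, can be run straight off RADIUS accounting records, keyed by the circuit identifier from the port-based authentication section rather than by a spoofable IP address. The following Python is an added example written for this page, not code from the original text or from Cisco: the accounting records are constructed in the shape of RADIUS Start/Stop records (timestamps, an address/module/port/VPI/VCI style circuit string, session time and byte counters), and the window, session-count and bytes-per-hour thresholds are arbitrary values chosen for the example.

```python
from collections import defaultdict


def _session(circuit, user, sid, start, seconds, in_bytes, out_bytes):
    """One Start/Stop pair in the shape of RADIUS accounting records (constructed)."""
    return [
        {"t": start, "type": "Start", "circuit": circuit, "user": user, "sid": sid},
        {"t": start + seconds, "type": "Stop", "circuit": circuit, "user": user, "sid": sid,
         "session_time": seconds, "in": in_bytes, "out": out_bytes},
    ]


# Constructed accounting feed: times are seconds from an arbitrary epoch, circuits use the
# address/module/port/VPI/VCI style described in the port-based authentication section.
RECORDS = []
RECORDS += _session("10.0.0.1/0/0/1/32", "jondoe", "a1", 0, 7200, 40_000_000, 900_000_000)   # ordinary use
RECORDS += _session("10.0.0.1/0/0/1/33", "mallory", "b1", 0, 7200, 50_000_000, 60_000_000_000)  # a week's traffic in 2 h
for i in range(12):                                                                              # 12 sessions in one minute
    RECORDS += _session("10.0.0.1/0/0/1/40", "churn", "c%d" % i, i * 5, 2, 0, 0)
RECORDS.sort(key=lambda r: r["t"])


def churn_alerts(records, window=60, max_starts=5):
    """Circuits that opened more than max_starts sessions inside any window of seconds:
    the 'open and close sessions constantly' pattern that hammers the RADIUS server.
    Returns {circuit: peak number of starts seen in one window}."""
    starts = defaultdict(list)
    for r in records:
        if r["type"] == "Start":
            starts[r["circuit"]].append(r["t"])
    alerts = {}
    for circuit, times in starts.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted start times
            while t - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count > max_starts:
                alerts[circuit] = max(alerts.get(circuit, 0), count)
    return alerts


def volume_alerts(records, max_bytes_per_hour=5_000_000_000):
    """Stop records whose byte volume per hour of session time exceeds the ceiling.
    Keyed by circuit, so a subscriber who spoofs source addresses is still attributed
    to the line the bytes came in on. Returns {circuit: {user, bytes_per_hour}}."""
    alerts = {}
    for r in records:
        if r["type"] != "Stop" or r.get("session_time", 0) <= 0:
            continue
        rate = (r.get("in", 0) + r.get("out", 0)) * 3600 / r["session_time"]
        if rate > max_bytes_per_hour:
            alerts[r["circuit"]] = {"user": r["user"], "bytes_per_hour": int(rate)}
    return alerts


def report(records):
    """Both checks in one pass, as an operator would run them over a day's accounting log."""
    return {"churn": churn_alerts(records), "volume": volume_alerts(records)}
```

On the constructed feed, report() attributes the churn to circuit 1/40 and the volume spike to circuit 1/33 while the ordinary subscriber on 1/32 stays quiet; in production the thresholds would come from the provider's own baseline per service profile, and the circuit string is what you hand to the operations team to act on.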
Source: https://www.ciscopress.com/articles/article.asp?p=363733&seqNum=2