  Covenant Premium,MVM join:2003-07-01 England
reply to aryoba Re: [Info] Why is PPP necessary for "dedicated connection"?
The only significant difference between HDLC and PPP encapsulation is that the HDLC on a Cisco router is Cisco proprietary, while PPP was designed to be multi-vendor friendly. Cisco HDLC reserves some frames for proprietary data, which may or may not be ignored by another router. So, Cisco to Cisco, HDLC is fine; Cisco to non-Cisco, run PPP.
Some background:
High-Level Data Link Control
HDLC (High-level Data Link Control) is a Cisco encapsulation and the default setting for serial interfaces on Cisco routers. It is simple but reliable. It is used whenever you connect a serial circuit between Cisco routers across the entire network. It allows you to work with all routing protocols and simple features (pings, telnet, loopback, among others).
If both ends of a leased-line connection are routers or access servers running Cisco IOS software, HDLC encapsulation is typically used. HDLC is a bit-oriented, data link layer protocol derived from the Synchronous Data Link Control (SDLC) encapsulation protocol. HDLC provides an encapsulation method for synchronous serial links with a 32-bit checksum.
The serial interface on the access server does not require special configuration because HDLC encapsulation is configured as the default.
Point-to-Point Protocol
PPP (Point-to-Point Protocol) is a standard encapsulation. It is a little more complex than HDLC.
The really important point is that with this encapsulation you can configure more features, e.g. authentication, multilink, compression, callback.
PPP encapsulation gives devices running Cisco IOS software connectivity over leased WAN lines to devices that are not running Cisco IOS software. PPP uses a more complex model than HDLC to ensure interoperability between networking vendors. This interoperability involves several additional protocols, including Link Control Protocol for negotiating basic line interoperability and a family of network control protocols for negotiating individual Layer 3 protocols and their options (such as IPCP for IP and options such as compression).
When the PPP link is negotiated, a link control protocol is negotiated to establish the link and then additional network control protocols are negotiated.
If IP, AppleTalk, or IPX are configured on the serial line, IP control protocol (IPCP), AppleTalk control protocol (ATCP), or IPX control protocol (IPXCP), respectively, is negotiated to conform to the protocol's requirements.
said by aryoba : I notice some ISPs employ PPP for their dedicated-connection (e.g. DSL and T1) customers, and other ISPs don't (just a static IP without entering a username and password). I wonder,
(1) Why the differences?
HDLC is the default encapsulation on a serial interface; if the router is connected to another Cisco device, we don't need to change the encapsulation.
said by aryoba :
(2) How necessary is PPP for dedicated connection service?
You can use PPP or HDLC, it depends on the standards of each ISP.
said by aryoba :
(3) Are services without PPP employment less secure than ones with? Does PPP employment increase security in some sense?
PPP has the option to add authentication to the link. This means that before the T1 line comes up, both routers negotiate some parameters, including authentication: both routers exchange usernames and passwords before the line can be used. PPP allows security at the link layer only (OSI L2).
said by aryoba :
(4) In services without PPP, how do ISPs know that people using their service are connecting with a valid account?
In connections without PPP, authentication is delegated to higher-layer protocols.
said by aryoba :
Do ISPs that do not employ PPP for DSL or T1 connections offer less security to the customer than ISPs that do?
In a way, connections not using PPP are less secure because the routers don't exchange usernames and passwords before the link comes up.
Here is a good link about ppp that you may find helpful.
Understanding debug ppp negotiation output:
»www.cisco.com/en/US/tech/tk713/t···45.shtml
said by aryoba :
But the issue is not whether I don't understand PPP or not.
Well, if you understood PPP or any of the other data link protocols, you would know the advantages and disadvantages of each protocol and know when to apply it or not, as the case may be. You would also have been able to answer at least 2 of the questions you originally posted.
It's not a problem though; that is what we are here for.
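The authentication phase Covenant describes (LCP agrees on an authentication protocol, the peers prove their identity, and only then are the NCPs such as IPCP negotiated) is most often done with CHAP on Cisco-to-ISP links. The following is an added example, not code from the post or from Cisco: a stand-alone simulation of both sides of a CHAP (RFC 1994) exchange, where the response is MD5(Identifier || secret || Challenge), so the secret itself never crosses the line, and a captured response cannot be replayed against a fresh challenge. The peer name `customerA`, the secret, and the IPCP address are constructed for the example.

```python
"""PPP CHAP (RFC 1994) challenge/response, both sides, as a stand-alone simulation.

Added example (not from the original post). Names, secrets and addresses below
are constructed; in a real ISP the authenticator would look the secret up in
RADIUS instead of a dict.
"""
import hashlib
import hmac
import os

# Constructed ISP-side credential store: peer name -> CHAP secret.
AUTHENTICATOR_SECRETS = {
    "customerA": b"s3cretA",
}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier | secret | Challenge Value)."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """ISP side: issues a fresh random challenge, verifies the peer's response once."""

    def __init__(self, secrets):
        self._secrets = secrets
        self._identifier = 0
        self._outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self, challenge_len: int = 16):
        self._identifier = (self._identifier + 1) & 0xFF
        value = os.urandom(challenge_len)
        self._outstanding[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Each challenge is consumed on first use, so a replayed response fails.
        challenge = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False  # unknown/stale identifier or unknown peer name
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """Customer side: holds the secret and answers challenges; never sends the secret."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self._secret, challenge)


def run_chap(auth: Authenticator, peer: Peer) -> bool:
    """One Challenge -> Response -> Success/Failure round."""
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)


def replay_attempt(auth: Authenticator, peer: Peer):
    """An eavesdropper who captured one valid (identifier, response) pair tries to
    reuse it. Returns (legit_ok, replay_with_same_id, replay_with_new_id)."""
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    legit_ok = auth.verify(ident, name, resp)
    replay_same_id = auth.verify(ident, name, resp)      # challenge already consumed
    new_ident, _ = auth.challenge()
    replay_new_id = auth.verify(new_ident, name, resp)   # response bound to the old challenge
    return legit_ok, replay_same_id, replay_new_id


def ppp_bring_up(auth: Authenticator, peer: Peer, ipcp_addr: str = "203.0.113.10"):
    """Phase order on the link: LCP, then CHAP, and IPCP only if CHAP succeeded.
    Returns the phases reached, whether the link came up, and the negotiated address."""
    phases = ["LCP: Configure-Ack (Authentication-Protocol = CHAP/MD5)"]
    if not run_chap(auth, peer):
        phases.append("CHAP: Failure -> LCP Terminate-Request, link stays down")
        return {"up": False, "phases": phases, "address": None}
    phases.append("CHAP: Success")
    phases.append(f"IPCP: Configure-Ack (IP-Address = {ipcp_addr})")
    return {"up": True, "phases": phases, "address": ipcp_addr}


if __name__ == "__main__":
    isp = Authenticator(AUTHENTICATOR_SECRETS)
    for step in ppp_bring_up(isp, Peer("customerA", b"s3cretA"))["phases"]:
        print(step)
    print("wrong secret brings link up:", ppp_bring_up(isp, Peer("customerA", b"wrong"))["up"])
    print("replay results (legit, same id, new id):", replay_attempt(isp, Peer("customerA", b"s3cretA")))
```

The point to take from it is the ordering: no Layer 3 protocol is negotiated, and therefore no traffic is routed, until the link-layer authentication completes; and because each challenge is random and single-use, a captured response is useless to a third party.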
gleirvik join:2002-06-28 Norway
Very good response, Covenant, looks like we were writing in parallel.
Hope my posting can add to your excellent overview.
Geir
  Covenant Premium,MVM join:2003-07-01 England
Thanks for the compliment, gleirvik; your posting is excellent as it adds another level to my comments.
Let's hope aryoba is satisfied with the posts.
 aryoba Premium,MVM join:2002-08-22
reply to Covenant The authentication
said by Covenant : Well, if you understood PPP or any of the other data link protocols, you would know the advantages and disadvantages of each protocol and know when to apply it or not, as the case may be. You would also have been able to answer at least 2 of the questions you originally posted.
Maybe my questions weren't clear enough to open up the issues I'm raising. Let me see if I can rephrase the questions. OK, here it goes.
Let's say that there is an ISP that doesn't employ PPP for their DSL connection service. They only give their customers a static IP address, gateway, subnet, and DNS. Using these settings, customer A successfully connects to the Internet.
Let's say a customer B "borrows" customer A's settings to connect to the Internet. Without PPP employment (the authentication), how can the ISP find out that customer B is using customer A's settings instead of his own?
  Covenant Premium,MVM join:2003-07-01 England
In this case a DSL connection works like a dedicated line. If customer B "borrows" customer A's settings to connect to the Internet, customer B needs to connect his router to customer A's line. So there is no way for customer B to use the same settings as customer A unless customer B connects his router at customer A's site.
 aryoba Premium,MVM join:2002-08-22
Let's say A is down
said by Covenant : If customer B "borrows" customer A's settings to connect to the Internet, customer B needs to connect his router to customer A's line. So there is no way for customer B to use the same settings as customer A unless customer B connects his router at customer A's site.
What if A is not using his account, and B borrows it at that time; would B be able to connect using A's account from B's location?
If yes, how would the ISP find out that B was using A's instead of his own?
rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH
If there is no authentication occurring then there is no dynamic configuration occurring. All of the user's configuration is hard coded on the ISP's side in this case, so it is impossible for user B to steal user A's configuration. The ISP's router will not route user B's traffic because it is not configured for user A's settings on user B's interface. -- Remember what they say: "There are 10 types of people in the world.. those who understand binary, and those who don't."
 aryoba Premium,MVM join:2002-08-22
"Hard coded"
said by rolande : If there is no authentication occurring then there is no dynamic configuration occurring. All of the user's configuration is hard coded on the ISP's side in this case.
When you said "hard coded", does it mean that the ISP always checks every customer's MAC address before routing their traffic?
Or maybe there is another checking method?
rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH
They use static routing to the physical interface. The only way you could reuse user A's configuration is if you were physically connected to the same circuit. The ISP controls what traffic routes to where by the routes they add to their network. As a customer, you do not have control of these routes just by adding another user's configuration to your own network.
In a dynamic config scenario, the user authenticates either via PPP or PPPoE or something similar, and all of the settings are passed to the client via a control protocol. The ISP's upstream router then dynamically inserts the new route into its routing tables and announces it to the rest of the ISP network using the local routing protocol. In that case, if you knew user A's username and password you could potentially steal their configuration and reuse it on another physical circuit and interface, since it is dynamically configured as a part of authentication.
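To make rolande's two cases concrete, here is an added example (not code from the thread, and a deliberately simplified model of an ISP aggregation router): a routing table keyed by prefix, a longest-prefix lookup, and a session check that asks whether the reply to a customer's address is sent back down the same circuit the customer is on. In the static case customer A's /32 is pinned to A's circuit, so B sourcing A's address from another circuit never sees the replies; in the dynamic case the route is installed towards whichever circuit authenticated, so A's credentials on B's circuit do work (and cut A off). The interface names, prefixes, credentials and the `198.51.100.1` server address are constructed for the example.

```python
"""Static route to a physical circuit vs. route installed after authentication.

Added example, not from the original thread. Interface names, prefixes and
credentials are constructed; forwarding is reduced to a longest-prefix lookup.
"""
import ipaddress

INTERNET_HOST = "198.51.100.1"   # constructed: some server the customer talks to


class IspEdgeRouter:
    """Minimal model of the ISP router: prefix -> egress interface, plus a
    credential store used only in the dynamic (PPP/PPPoE) case."""

    def __init__(self):
        self.routes = {}        # IPv4Network -> egress interface name
        self.credentials = {}   # username -> (password, customer prefix)
        self.add_route("0.0.0.0/0", "upstream")

    def add_route(self, prefix: str, interface: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = interface

    def lookup(self, dst: str):
        """Longest-prefix match; returns the egress interface or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def authenticate_and_provision(self, interface: str, username: str, password: str):
        """Dynamic case: after a successful login the customer's prefix is routed
        towards whichever circuit authenticated. Returns the prefix, or None."""
        entry = self.credentials.get(username)
        if entry is None or entry[0] != password:
            return None
        _, prefix = entry
        self.add_route(prefix, interface)
        return str(ipaddress.ip_network(prefix))


def session_works(router: IspEdgeRouter, customer_iface: str, customer_addr: str) -> bool:
    """A customer on `customer_iface` sources packets from `customer_addr`.
    Outbound goes via the default route; the reply is only useful if the
    router hands it back down the same circuit."""
    outbound = router.lookup(INTERNET_HOST)
    reply_iface = router.lookup(customer_addr)
    return outbound == "upstream" and reply_iface == customer_iface


def build_static_isp() -> IspEdgeRouter:
    """ISP without PPP: customer A's address is hard coded to A's circuit."""
    r = IspEdgeRouter()
    r.add_route("203.0.113.10/32", "atm0/1/1.100")   # customer A's DSL circuit
    return r


def build_dynamic_isp() -> IspEdgeRouter:
    """ISP with PPP authentication: nothing is routed until someone logs in."""
    r = IspEdgeRouter()
    r.credentials["customerA"] = ("s3cretA", "203.0.113.10/32")
    return r


if __name__ == "__main__":
    static = build_static_isp()
    print("static, A on own circuit:", session_works(static, "atm0/1/1.100", "203.0.113.10"))
    print("static, B using A's IP:  ", session_works(static, "atm0/1/1.200", "203.0.113.10"))

    dynamic = build_dynamic_isp()
    print("dynamic, B with wrong password:", dynamic.authenticate_and_provision("atm0/1/1.200", "customerA", "wrong"))
    print("dynamic, B with A's password:  ", dynamic.authenticate_and_provision("atm0/1/1.200", "customerA", "s3cretA"))
    print("dynamic, B now gets A's replies:", session_works(dynamic, "atm0/1/1.200", "203.0.113.10"))
    print("dynamic, A cut off:             ", session_works(dynamic, "atm0/1/1.100", "203.0.113.10"))
```

The model deliberately leaves out what the ISP could add on top, such as ingress source-address filtering on each circuit; even without that, the static case fails for B simply because return traffic follows the ISP's table, which B cannot change from his own premises.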
 aryoba Premium,MVM join:2002-08-22
With both PPP and static routing
said by rolande : They use static routing to the physical interface. The only way you could reuse user A's configuration is if you were physically connected to the same circuit. The ISP controls what traffic routes to where by the routes they add to their network. As a customer, you do not have control of these routes just by adding another user's configuration to your own network.
In a dynamic config scenario, the user authenticates either via PPP or PPPoE or something similar, and all of the settings are passed to the client via a control protocol. The ISP's upstream router then dynamically inserts the new route into its routing tables and announces it to the rest of the ISP network using the local routing protocol. In that case, if you knew user A's username and password you could potentially steal their configuration and reuse it on another physical circuit and interface, since it is dynamically configured as a part of authentication.
Some ISPs give out PPP settings to all their static IP customers. Does it mean the ISP router uses static routing to the physical interface AND authentication?
  Covenant Premium,MVM join:2003-07-01 England
reply to aryoba Re: Let's say A is down
I will assume this is a typical xDSL environment, so all users connect to a DSLAM. The DSLAM contains linecards that have modem ports, not like dialup modems, but modems nonetheless. This means that there is a dedicated connection, or a one-to-one ratio of clients to modems. The linecard usually has LEDs that indicate various status conditions on the ports. If you are doing PPP, they can verify your username and IP address as well at the data link layer.
Now I have one question for you aryoba :
Why the interest in authentication and line security?