 aryoba Premium,MVM join:2002-08-22
[Info] Why is PPP necessary for "dedicated connection"?
I notice some ISPs employ PPP for their dedicated connection (e.g. DSL and T1) customers, and other ISPs don't (just a static IP without entering a username and password). I wonder:
(1) Why the differences?
(2) How necessary is PPP to dedicated connection service?
(3) Are services without PPP employment less secure than ones with? Does PPP employment increase security in some sense?
(4) In services without PPP, how do ISPs know that people using their service connect with a valid account?
Thanks for any comments! ...
  Covenant Premium,MVM join:2003-07-01 England
Not to sound facetious, but as you pointed out *several* times to various problem posters that the best info to find as regards technologies or a Cisco product is the cisco website, please allow me to nudge you in the same way that you nudged them:
Have a look at this link:
»www.cisco.com/en/US/tech/tk713/t···ies.html
I believe this is more information than you normally give out.
Read up on PPP and HDLC initially. I would also read up on the PPP protocols which are needed regardless of the layer 3 protocol sent across the link such as LCP and ones that are specific to a layer 3 protocol (IP/IPX) such as IPCP.
I would pay particular attention to the PPP LCP features such as error detection and authentication to name a couple.
I do apologise if I am not handing out the answers to you on a plate but, like yourself, I am a firm believer in helping someone to help themselves. I may waive the rules for Cisco noobs but for a Cisco veteran such as yourself, I would have expected better.
  rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs:
Host: Linksys AT&T Midwest
reply to aryoba
PPP is not necessary for a dedicated connection. But some kind of layer 2 protocol is. Are you referring to PPPoE or just plain old PPP? Of course, every ISP builds their networks differently. But, typically, you can't compare DSL service with T-1 service. They are each terminated in a different fashion to the ISP's router and use different layer 2 protocols because of that. PPP itself is not a secure protocol, but it provides access to authentication methods such as CHAP.
On a point to point T-1 circuit you have to run either PPP, HDLC, Frame-Relay, X.25 or some other kind of layer 2 encapsulation to get your data to and from the other end. You usually have dedicated ports on either end to support these circuits as well. Authentication is mutually exclusive of these protocols but can be facilitated by the protocol, in the case of PPP. When you have dedicated hardware to support the circuit at each end, there is no need for authentication. However, you can still use PPP as your layer 2 protocol, just configured to not force the authentication.
DSL is usually backhauled to the ISP's router over an ATM circuit coming out of the telco DSLAM. This comes into a shared interface on the ISP's router that all or a portion of the ISP's DSL connections will terminate on. If you don't control access to this interface with some kind of authentication, then you have no way of accounting for who is connected to which virtual circuit and/or assigning the correct static routes for those customers with blocks of static IP addresses. So even though DSL is a dedicated connection it uses a shared head-end infrastructure which needs to be controlled with authentication.
-- Remember what they say: "There are 10 types of people in the world.. those who understand binary, and those who don't."
 aryoba Premium,MVM join:2002-08-22
reply to Covenant
For clarification
said by Covenant : Not to sound facetious, but as you pointed out *several* times to various problem posters that the best info to find as regards technologies or a Cisco product is the cisco website, please allow me to nudge you in the same way that you nudged them.
Covenant,
No need to apologize. You can nudge me anytime you like! .... 
Yes, I do like to be nudged by anybody. Sometimes I need a big slap behind my head for silly mistakes! ... 
But the issue is not whether I understand PPP or not. The issue is that there are some ISPs that employ PPP for dedicated connection services and some others that do not, and I'd like to know why the differences. Moreover, I am trying to put together a new FAQ concerning this.
Now rolande had sent the closest response so far.
said by rolande :
Even though DSL is a dedicated connection it uses a shared head-end infrastructure which needs to be controlled with authentication.
So for the best (e.g. more secure) service, PPP is needed in DSL connection?
Do ISPs that do not employ PPP for DSL or T1 connections offer less security to the customer than ISPs that do?
  Covenant Premium,MVM join:2003-07-01 England
2 edits, reply to aryoba
Re: [Info] Why is PPP necessary for "dedicated connection"?
The only significant difference between HDLC and PPP encapsulation is the HDLC in the Cisco router is Cisco proprietary, while PPP was included to be multi-vendor friendly. Cisco HDLC reserves some frames for proprietary data, which may or may not be ignored by another router. So, Cisco to Cisco, HDLC is fine, Cisco to non-Cisco, run PPP.
Some background:
High-Level Data Link Control
HDLC (High-level Data Link Control) is a Cisco encapsulation and the default setting for Cisco routers on serial interfaces. It is simple but reliable. It is used whenever you are going to connect a serial circuit with Cisco routers across the entire network. It allows you to work with all routing protocols and simple features (pings, telnet, loopback, among others).
If both ends of a leased-line connection are routers or access servers running Cisco IOS software, HDLC encapsulation is typically used. HDLC is a bit-oriented, data link layer protocol derived from the Synchronous Data Link Control (SDLC) encapsulation protocol. HDLC provides an encapsulation method for synchronous serial links with a 32-bit checksum.
The serial interface on the access server does not require special configuration because HDLC encapsulation is configured as the default.
Point-to-Point Protocol
PPP (Point to Point Protocol) is a standard encapsulation. It is a little more complex than HDLC.
The really important point is that with this encapsulation you can configure more features, i.e. authentication, multilink, compression, callback.
PPP encapsulation provides connectivity between devices running Cisco IOS software and devices that are not running Cisco IOS software over leased WAN lines. PPP uses a more complex model than HDLC to ensure interoperability between networking vendors. This interoperability involves several additional protocols, including Link Control Protocol for negotiating basic line interoperability and a family of network control protocols for negotiating individual Layer 3 protocols and their options (such as IPCP for IP and options such as compression).
When the PPP link is negotiated, a link control protocol is negotiated to establish the link and then additional network control protocols are negotiated.
If IP, AppleTalk, or IPX are configured on the serial line, IP control protocol (IPCP), AppleTalk control protocol (ATCP), or IPX control protocol (IPXCP), respectively, is negotiated to conform to the protocol's requirements.
said by aryoba : I notice some ISPs employ PPP for their dedicated connection (e.g. DSL and T1) customers, and other ISPs don't (just a static IP without entering a username and password). I wonder:
(1) Why the differences?
HDLC is the default encapsulation of a serial interface; if the router is connected to another Cisco device, then we don't need to change the encapsulation.
said by aryoba :
(2) How necessary is PPP to dedicated connection service?
You can use PPP or HDLC; it depends on the standards of each ISP.
said by aryoba :
(3) Are services without PPP employment less secure than ones with? Does PPP employment increase security in some sense?
PPP has the option to add authentication to the link. It means that before the T1 line comes up both routers will negotiate some parameters including authentication; both routers exchange usernames and passwords before the line can be used. PPP allows security at the link layer only (OSI L2).
said by aryoba :
(4) In services without PPP, how do ISPs know that people using their service connect with a valid account?
In connections without PPP the authentication is relayed to higher layer protocols.
said by aryoba :
Do ISPs that do not employ PPP for DSL or T1 connections offer less security to the customer than ISPs that do?
In some way connections not using PPP are less secure because the routers don't exchange usernames and passwords before the link comes up.
Here is a good link about PPP that you may find helpful.
Understanding debug ppp negotiation output:
»www.cisco.com/en/US/tech/tk713/t···45.shtml
said by aryoba :
But the issue is not whether I understand PPP or not.
Well if you understood PPP or any of the other data link protocols, you would know the advantages and disadvantages of each protocol and know when to apply it or not, as the case may be. You would also have been able to answer at least 2 of the questions you originally posted.
It's not a problem though, that is what we are here for.
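Rolande's point above that PPP "provides access to authentication methods such as CHAP", and Covenant's description of the two routers exchanging credentials before the line can be used, can be seen in a small simulation. This is an added example written for this thread, not code from any poster or from Cisco; the peer names and secrets are invented, and the CHAP arithmetic follows RFC 1994 (MD5 over identifier, secret and challenge). It also models the PPP phase order Covenant describes: LCP first, then authentication, and IPCP only if authentication passes.

```python
import hashlib
import hmac
import os

# Constructed example data: CHAP secrets keyed by peer Name, as each router
# would hold for its neighbour. Names and secrets are hypothetical.
SECRETS = {
    "isp-router": b"isp-side-secret",
    "customer-router": b"cpe-side-secret",
}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP (MD5): Response = MD5(Identifier || Secret || Challenge).
    The secret itself never appears on the wire, only this digest."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The end that issues Challenge packets and checks the peer's Response."""

    def __init__(self, expected_peer):
        self.expected_peer = expected_peer
        self.identifier = 0
        self.challenge = None

    def new_challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = os.urandom(16)  # fresh random value per challenge
        return self.identifier, self.challenge

    def verify(self, identifier, peer_name, response):
        if self.challenge is None or identifier != self.identifier:
            return False
        outstanding, self.challenge = self.challenge, None  # single use
        if peer_name != self.expected_peer:
            return False
        expected = chap_response(identifier, SECRETS[peer_name], outstanding)
        return hmac.compare_digest(expected, response)


def chap_exchange(authenticator, peer_name, peer_secret):
    """One Challenge / Response / Success-or-Failure round. The peer answers
    with whatever secret it holds (peer_secret); the authenticator decides."""
    ident, challenge = authenticator.new_challenge()
    response = chap_response(ident, peer_secret, challenge)
    return authenticator.verify(ident, peer_name, response)


def replay_attempt():
    """A Response captured from a genuine round is useless against the next
    challenge, because the challenge value is fresh each time."""
    isp = ChapAuthenticator("customer-router")
    ident, challenge = isp.new_challenge()
    captured = chap_response(ident, SECRETS["customer-router"], challenge)
    if not isp.verify(ident, "customer-router", captured):
        raise RuntimeError("genuine round should succeed")
    ident2, _ = isp.new_challenge()
    return isp.verify(ident2, "customer-router", captured)  # replayed digest


def bring_up_link(customer_secret, isp_secret, mutual=True):
    """PPP phases on a leased line: LCP, then CHAP, then IPCP (an NCP).
    If authentication fails the link never reaches the network phase."""
    phases = ["LCP"]
    isp_side = ChapAuthenticator("customer-router")  # ISP challenges CPE
    cpe_side = ChapAuthenticator("isp-router")       # CPE challenges ISP
    ok = chap_exchange(isp_side, "customer-router", customer_secret)
    if mutual:  # two-way authentication of both end-points
        ok = chap_exchange(cpe_side, "isp-router", isp_secret) and ok
    phases.append("CHAP-OK" if ok else "CHAP-FAIL")
    if ok:
        phases.append("IPCP")
    return {"link_up": ok, "phases": phases}


if __name__ == "__main__":
    print(bring_up_link(SECRETS["customer-router"], SECRETS["isp-router"]))
    print(bring_up_link(b"wrong-secret", SECRETS["isp-router"]))
    print("replay accepted:", replay_attempt())
```

The two things worth noticing are that the shared secret is never sent, only a digest bound to a one-time challenge, and that a captured response does not survive to the next challenge; that is what CHAP adds over a plain username/password exchange on the link. It still only authenticates the link endpoints, which is Covenant's "L2 only" caveat: nothing here encrypts the traffic that follows.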
 gleirvik
join:2002-06-28 Norway
reply to aryoba
Re: For clarification
said by rolande :
Even though DSL is a dedicated connection it uses a shared head-end infrastructure which needs to be controlled with authentication.
So for the best (e.g. more secure) service, PPP is needed in DSL connection?
Do ISPs that do not employ PPP for DSL or T1 connections offer less security to the customer than ISPs that do?
There are various implementations of DSL networks. Depending on how the network is architected you will or will not need further authentication.
In some cases the SP will have a dedicated end to end PVC (rare if at all seen for consumer services). It also depends how the SP handles IP addressing. For the benefit of the forum I will try to keep this short, while providing a quick review of the options, the motivations for doing them and some issues.
RFC1483/2684 Multi Protocol over ATM - routed encapsulation
Used typically for business class services providing static IP addressing by direct configuration of routers (most often). Minimal overhead, but still requires a lot of hands-on work to set up and provision. Requires a router/router functionality as CPE.
RFC1483/2684 Multiprotocol over ATM - bridged encapsulation
The first deployments of DSL were often solved in this way by simply creating a huge flat network with DHCP assigned addressing. As with most other attempts to create big flat networks it failed and needed re-design, since these networks always, at least initially, used modems that could do bridging and that alone. A patch for this has been to provide routers with Routing with Bridged Encapsulation (RBE) or Integrated Routing and Bridging (IRB). This has solved the multiuser issue but has not solved the basic architectural issues.
PPPoE Point to Point Protocol over Ethernet
This is the patch as provided by some aggregation platform vendors, most significantly Redback. By avoiding replacing the DSL modems already purchased and deployed, this allowed re-use of the RFC1483/2684 infrastructure by adding an overhead layer. Authentication is one benefit, but also the ability to handle users leveraging the existing dial infrastructure, as the ISP can re-use the complete concept from the dial-in modem era. Also, the PPPoE client on the PC meant that the links would not be up at all times and could be centrally managed in such a way that the ISPs could save IP address space, and the Access Service could also hand off to equal access ISPs using PPP mechanisms like L2TP, allowing them to deal with addressing in an effective manner. This is the protocol with the most overhead and requires management of MTU sizes or mechanisms for handling the TCP streams to avoid attempts to overfill an ethernet frame payload with a maximum size PPP frame.
Routers typically do that job better than the PC as PC clients are nightmarish especially as the load could prevent certain business applications to work right. Also routers with embedded modems can leverage a larger MTU possible on the ADSL/ATM network to avoid the overhead of fragmenting the data further. Authentication is generally always used between the PPPoE client (on PC or in router) to ensure some control over users and address management.
In Germany the Telco, Deutsche Telekom (yes, that is the correct spelling), even yanks the connection every few hours to conserve addresses.
PPPoA Point to Point Protocol over ATM
A more direct approach; enables linking QoS from IP more directly to ATM CoS and QoS. Used mostly for professional services for businesses. Has the same benefits as PPPoE, but does not allow for simple modems; it does however have less overhead and no issues with MTU sizes and fragmentation. This approach also requires redesign from the initial RFC 1483 designs but provides a more "correct" and scalable approach IMHO. Still, the operations overhead is just as small as with PPPoE, and support-wise it is better with respect to not having to deal with PC client support and MTU issues. (With a PC PPPoE client MTU is usually no issue, but that has other issues.) This approach also allows for running multilink PPP between multiple DSL connections/interfaces. Also allows for L2TP handoff as with PPPoE.
For T1/E1/FR connection you will almost always have a point to point architecture delivering a fixed PVC end-to-end or as with T1 and E1 and non-switched path from end-to-end.
You can run PPP encapsulation over all these connections and it has benefits particularly with address negotiation, parameter exchange as well as authentication.
Authentication can also be enabled for these connections for two-way authentication of the end-points, and certainly has anti-eavesdropping benefits. These connections are however much more expensive and most likely fewer than DSL connections, as well as having been deployed over more years. As such they did not have the same requirements on link security and trimmed operational expense as broadband connections. For added security, signatures and encrypted tunnels can be enabled over all these links to optimize the security.
Rgds Geir
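Gleirvik's remarks on PPPoE overhead and MTU management, as an added example that is not from the poster: it builds the PPPoE session-stage frame described in RFC 2516 to show where the extra bytes go, why the IP MTU drops to 1492 on PPPoE, and when a router has to clamp TCP MSS to avoid the fragmentation he mentions. The IP_MTU values for PPPoA and RFC 1483 routed encapsulation are assumptions for the comparison (the usual 1500-byte configuration); session ids and packet contents are constructed.

```python
import struct

ETHERNET_MAX_PAYLOAD = 1500   # standard Ethernet II payload
PPPOE_HEADER_LEN = 6          # ver/type, code, session id, length (RFC 2516)
PPP_PROTOCOL_LEN = 2          # PPP protocol field; 0x0021 = IPv4
PPP_IPV4 = 0x0021

# Largest IP packet each encapsulation can carry without fragmentation.
# PPPoE spends 8 bytes of the Ethernet payload on its own headers; PPPoA and
# RFC 1483 routed encapsulation ride AAL5 directly and keep the usual
# 1500-byte IP MTU (assumed here as the common configuration).
IP_MTU = {
    "pppoe": ETHERNET_MAX_PAYLOAD - PPPOE_HEADER_LEN - PPP_PROTOCOL_LEN,
    "pppoa": 1500,
    "rfc1483-routed": 1500,
}


def pppoe_session_frame(session_id, ip_packet):
    """Ethernet payload of one PPPoE session-stage frame: PPPoE header
    (VER=1, TYPE=1, CODE=0x00), PPP protocol field, then the IP packet."""
    ppp_payload = struct.pack("!H", PPP_IPV4) + ip_packet
    header = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp_payload))
    return header + ppp_payload


def parse_pppoe_session_frame(frame):
    """Validate the header and return (session_id, ppp_protocol, ip_packet)."""
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("not a PPPoE v1 session-stage frame")
    payload = frame[6:6 + length]
    if len(payload) != length:
        raise ValueError("truncated PPPoE frame")
    (proto,) = struct.unpack("!H", payload[:2])
    return session_id, proto, payload[2:]


def fits_in_ethernet(frame):
    """Would this payload fit in a standard (non-jumbo) Ethernet frame?"""
    return len(frame) <= ETHERNET_MAX_PAYLOAD


def tcp_mss_for(ip_mtu):
    """TCP MSS that avoids fragmentation: MTU minus IPv4 and TCP headers (20 each)."""
    return ip_mtu - 40


def mss_clamp_needed(encap, advertised_mss):
    """True when a host's advertised MSS would produce packets too large for
    the access encapsulation; a router 'clamps' the SYN's MSS option to fix it."""
    return advertised_mss > tcp_mss_for(IP_MTU[encap])


if __name__ == "__main__":
    full_size = pppoe_session_frame(0x1234, bytes(1500))  # a 1500-byte IP packet
    print("1500-byte IP packet fits over PPPoE:", fits_in_ethernet(full_size))
    for encap in IP_MTU:
        print(encap, "IP MTU", IP_MTU[encap], "safe TCP MSS", tcp_mss_for(IP_MTU[encap]))
```

A PC with a plain Ethernet MTU of 1500 advertises an MSS of 1460; over PPPoE that yields 1500-byte IP packets that no longer fit once the PPPoE and PPP headers are prepended, which is the overfill Gleirvik describes. Clamping the MSS at the router to 1452 (or lowering the client MTU to 1492) removes the problem, while PPPoA and routed RFC 1483 keep the full 1500 and need neither.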
 gleirvik
join:2002-06-28 Norway
reply to Covenant
Re: [Info] Why is PPP necessary for "dedicated connection"?
Very good response, Covenant, looks like we were writing in parallel.
Hope my posting can add to your excellent overview.
Geir
  Covenant Premium,MVM join:2003-07-01 England
Thanks for the compliment gleirvik, your posting is excellent as it adds another level onto my comments.
Let's hope aryoba is satisfied with the posts.
 aryoba Premium,MVM join:2002-08-22
reply to Covenant
The authentication
said by Covenant : Well if you understood PPP or any of the other data link protocols, you would know the advantages and disadvantages of each protocol and know when to apply it or not, as the case may be. You would also have been able to answer at least 2 of the questions you originally posted.
Maybe my questions weren't clear enough to open up the issues I'm sending. Let me see if I can rephrase the questions. OK, here it goes.
Let's say that there is an ISP that doesn't employ PPP for their DSL connection service. They only give their customers a static IP address, gateway, subnet, and DNS. Using these settings, customer A successfully connects to the Internet.
Let's say there is a customer B who "borrows" customer A's settings to connect to the Internet. Without PPP employment (the authentication), how can the ISP find out that customer B is using customer A's settings instead of his own?
  Covenant Premium,MVM join:2003-07-01 England
In this case a DSL connection works like a dedicated line. If customer B "borrows" customer A's settings to connect to the Internet, customer B needs to connect his router to customer A's line. So there is no way for customer B to use the same settings as customer A unless customer B connects his router at customer A's site.
 aryoba Premium,MVM join:2002-08-22
Let's say A is down
said by Covenant : If customer B "borrows" customer A's settings to connect to the Internet, customer B needs to connect his router to customer A's line. So there is no way for customer B to use the same settings as customer A unless customer B connects his router at customer A's site.
What if A is not using his account, and B borrows it at this time; would B be able to connect using A's account from B's location?
If yes, how would the ISP find out that B was using A's instead of his own?
  rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs:
Host: Linksys AT&T Midwest
If there is no authentication occurring then there is no dynamic configuration occurring. All of the user's configuration is hard coded on the ISP's side in this case, so it is impossible for user B to steal user A's configuration. The ISP's router will not route user B's traffic because it is not configured for user A's settings on user B's interface.
-- Remember what they say: "There are 10 types of people in the world.. those who understand binary, and those who don't."
 aryoba Premium,MVM join:2002-08-22
"Hard coded"
said by rolande : If there is no authentication occurring then there is no dynamic configuration occurring. All of the user's configuration is hard coded on the ISP's side in this case.
When you said "hard coded", did it mean that the ISP always checks all customers' MAC addresses before routing their traffic?
Or maybe there is another checking method?
  rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs:
Host: Linksys AT&T Midwest
They use static routing to the physical interface. The only way you could reuse user A's configuration is if you were physically connected to the same circuit. The ISP controls what traffic routes to where by the routes they add to their network. As a customer, you do not have control of these routes just by adding another user's configuration to your own network.
In a dynamic config scenario, the user authenticates either via PPP or PPPoE or something similar and all of the settings are passed to the client via a control protocol. The ISP's upstream router then dynamically inserts the new route into its routing tables and announces it to the rest of the ISP network using the local routing protocol. In that case, if you knew user A's username and password you could potentially steal their configuration and reuse it on another physical circuit and interface, since it is dynamically configured as a part of authentication.
-- Remember what they say: "There are 10 types of people in the world.. those who understand binary, and those who don't."
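Rolande's two models, static routing pinned to a physical interface versus a route installed dynamically after PPP/PPPoE authentication, can be modelled with a toy routing table. This is an added example, not the ISP's or any poster's configuration; the customer accounts, prefixes (from the 203.0.113.0/24 documentation range) and interface names are constructed. It goes slightly beyond the posts by adding a reverse-path ingress check of the kind an ISP edge router can enable, to show that in the static model B's borrowed settings fail on ingress as well as on the return path.

```python
import ipaddress

# Constructed example: two DSL customers on separate PVCs that terminate on
# one shared interface of the ISP's router. Hypothetical accounts and
# interface names; addresses from the 203.0.113.0/24 documentation range.
CUSTOMERS = {
    "userA": {"password": "secretA", "prefix": "203.0.113.8/29"},
    "userB": {"password": "secretB", "prefix": "203.0.113.16/29"},
}


class IspRouter:
    def __init__(self):
        self.routes = {}  # ip_network -> interface (PVC) the prefix lives on

    def add_static_route(self, prefix, interface):
        """Static model: the customer's block is provisioned by hand onto the
        physical interface/PVC that his line terminates on."""
        self.routes[ipaddress.ip_network(prefix)] = interface

    def lookup(self, ip):
        """Longest-prefix match; returns the egress interface or None."""
        addr = ipaddress.ip_address(ip)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def accept_ingress(self, interface, src_ip):
        """Reverse-path check: a packet claiming src_ip is accepted only on the
        interface the router would use to reach src_ip. Even without this
        check, replies to src_ip leave via the routed interface, not the
        sender's, so a borrowed address gets no return traffic."""
        return self.lookup(src_ip) == interface

    def authenticate(self, interface, username, password):
        """Dynamic model (PPP/PPPoE): a successful login installs the user's
        prefix on whichever interface the session arrived on."""
        account = CUSTOMERS.get(username)
        if account is None or account["password"] != password:
            return False
        net = ipaddress.ip_network(account["prefix"])
        # withdraw any previous route for this prefix, then point it here
        self.routes = {n: i for n, i in self.routes.items() if n != net}
        self.routes[net] = interface
        return True


def static_scenario():
    """Customer B sends packets with A's static settings from B's own line."""
    r = IspRouter()
    r.add_static_route(CUSTOMERS["userA"]["prefix"], "atm0/0.101")  # A's PVC
    r.add_static_route(CUSTOMERS["userB"]["prefix"], "atm0/0.102")  # B's PVC
    return {
        "replies_to_A_go_to": r.lookup("203.0.113.9"),
        "B_spoofing_A_accepted": r.accept_ingress("atm0/0.102", "203.0.113.9"),
    }


def dynamic_scenario(username, password):
    """A logs in on his own line; a second login with the given credentials
    arrives on B's line. The route follows a successful login."""
    r = IspRouter()
    r.authenticate("atm0/0.101", "userA", "secretA")
    second_login = r.authenticate("atm0/0.102", username, password)
    return {"login_ok": second_login, "A_prefix_now_on": r.lookup("203.0.113.9")}


if __name__ == "__main__":
    print("static:", static_scenario())
    print("dynamic, wrong password:", dynamic_scenario("userA", "wrong"))
    print("dynamic, A's credentials:", dynamic_scenario("userA", "secretA"))
```

In the static model the address block is bound to the circuit, so nothing B configures on his own line changes where the ISP routes A's traffic; the credential is effectively the physical loop. In the dynamic model the credential is the binding, which is why the ISP's accounting records and the route change visible in the last scenario are what an operator would watch for, and why the PPP secret needs the same protection as any other account password.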
 aryoba Premium,MVM join:2002-08-22
With both PPP and static routing
said by rolande : They use static routing to the physical interface. The only way you could reuse user A's configuration is if you were physically connected to the same circuit. The ISP controls what traffic routes to where by the routes they add to their network. As a customer, you do not have control of these routes just by adding another user's configuration to your own network.
In a dynamic config scenario, the user authenticates either via PPP or PPPoE or something similar and all of the settings are passed to the client via a control protocol. The ISP's upstream router then dynamically inserts the new route into its routing tables and announces it to the rest of the ISP network using the local routing protocol. In that case, if you knew user A's username and password you could potentially steal their configuration and reuse it on another physical circuit and interface, since it is dynamically configured as a part of authentication.
Some ISPs give out PPP settings to all their static IP customers. Does it mean the ISP router uses static routing to the physical interface AND authentication?
  julez_atf Bleep Bleep Premium join:2001-03-01 Montreal, QC clubs:
reply to aryoba
Re: [Info] Why is PPP necessary for "dedicated con
For DSL w/o PPP, wouldn't the authentication be done via MAC address?
In this case, if the customer changes modems, then he would no longer be able to access the ISP's services until he registers his new MAC with them.
Please correct me if I am wrong.
-- I'll be your lover... I'll be forever... I'll be tomorrow... I am anything when I am high...
  Covenant Premium,MVM join:2003-07-01 England
reply to aryoba
Re: Let's say A is down
I will assume this is a typical xDSL environment, so all users connect to a DSLAM. The DSLAM contains linecards that have modem ports, not like dialup modems, but modems nonetheless. This means that there is a dedicated connection or one-to-one ratio of clients to modems. The linecard usually has LEDs that indicate various status conditions on the ports. If you are doing PPP, they can verify your username and IP address as well at the datalink layer.
Now I have one question for you aryoba:
Why the interest in authentication and line security????
  Covenant Premium,MVM join:2003-07-01 England
reply to julez_atf
Re: [Info] Why is PPP necessary for "dedicated con
said by julez_atf : For DSL w/o PPP, wouldn't the authentication be done via MAC address?
In this case, if the customer changes modems, then he would no longer be able to access the ISP's services until he registers his new MAC with them.
Please correct me if I am wrong.
julez_atf, you are quite correct. Authentication by MAC is normally done by cable ISPs and not xDSL ISPs. Well, in the UK at least!
  Covenant Premium,MVM join:2003-07-01 England
reply to aryoba
Re: [Info] Why is PPP necessary for "dedicated connection"?
aryoba, I am sure that you are up to speed with xDSL technology but I hope you won't mind if I post some links which might not only shed some light on xDSL for you, but also for our colleagues within this forum:
»www.adslguide.org.uk/howitworks/default.asp
»www.adslguide.org.uk/howitworks/exchange.asp
»www.adslguide.org.uk/howitworks/dslam.asp
»www.adslguide.org.uk/howitworks/atm1.asp
Hope it helps.
  dpocoroba Premium join:2000-11-14 224.0.0.5
reply to aryoba
Just started to read this thread. Very good topic and stuff in here, guys. A very interesting and useful read; sheds some light on some of those how-stuff-works things that come across your mind at times.
-- "Knowledge is contagious, infect"