\input texinfo @c -*-texinfo-*- @setfilename ppp.info @settitle PPP @iftex @finalout @end iftex @ifinfo @format START-INFO-DIR-ENTRY * PPP: (ppp). Point-to-Point Protocol. END-INFO-DIR-ENTRY @end format @titlepage @title PPP-2.x Users' Guide @author by Paul Mackerras @end titlepage @node Top, Introduction, (dir), (dir) @ifinfo This file documents how to use the ppp-2.x package to set up network links over serial lines with the Point-to-Point Protocol. @end ifinfo @menu * Introduction:: Basic concepts of the Point-to-Point Protocol and the ppp-2.x package. * Installation:: How to compile and install the software. * Configuration:: How to set up your system for establishing a link to another system. * Security:: Avoid creating security holes. * Compression:: Using compression of various kinds to improve throughput. @end menu @node Introduction, Installation, Top, Top @chapter Introduction The Point-to-Point Protocol (PPP) is the protocol of choice for establishing network links over serial lines. This package (ppp-2.x) provides an implementation of PPP which supports the Internet Protocols (TCP/IP, UDP/IP, etc.) and which runs on a range of Unix workstations. The protocols in the PPP family are produced by the Point-to-Point Working Group of the Internet Engineering Task Force, and are specified in RFC (Request for Comments) documents, available by anonymous FTP from several sites. A typical use of PPP is to provide a network connection, via a pair of modems and a telephone connection, from one system to a second system which has a permanent link to the Internet. When this network connection is established, the first system is then also connected to the Internet. It can establish connections with any other Internet host. Users can then use a wide range of network-based applications on the first system, such as telnet, ftp, rlogin, email, WWW browsers, sup, or X clients and servers. Features of PPP include: @itemize @bullet @item Multi-protocol support. The PPP packet encapsulation includes a protocol field, allowing packets from many different protocols to be multiplexed across a single link. @item Negotiation of link characteristics. During link establishment, the two systems negotiate about the link configuration parameters, such as the IP addresses of each end of the link. @item Authentication. Optionally, each system can be configured to require the other system to authenticate itself. In this way, access can be restricted to authorized systems. @item Transparency. On asynchronous serial lines, PPP can be configured to transmit certain characters as a two-character escape sequence. @item Compression. PPP includes support for various kinds of compression to be applied to the packets before they are transmitted. @end itemize The ppp-2.x software consists of two parts: @itemize @bullet @item Kernel code, which establishes a network interface and passes packets between the serial port, the kernel networking code and the PPP daemon (@file{pppd}). This code is implemented using STREAMS modules on Solaris 2, SunOS 4.x, AIX 4.1 and OSF/1, and as a tty line discipline under Ultrix, NextStep, NetBSD, FreeBSD, and Linux. @item The PPP daemon (@file{pppd}), which negotiates with the peer to establish the link and sets up the ppp network interface. Pppd includes support for authentication. It can authenticate itself to the other system and/or require the other system to authenticate itself, so that you can control which other systems may make a PPP connection and what IP addresses they may use. @end itemize @menu * PPP Concepts:: Basic concepts and terms used with PPP. * PPP packet format:: How data is packaged up for transmission. * LCP negotiation:: The parameters which are negotiated using the Link Control Protocol. * IPCP negotiation:: The parameters which are negotiated using the IP Control Protocol. @end menu @node PPP Concepts, PPP packet format, Introduction, Introduction @section PPP Concepts To use PPP to provide a network connection between two machines, there must be some way that a stream of bytes, or characters, can be passed from one to the other, in both directions independently. We refer to this as the ``serial link''. Very often the serial link involves asynchronous communications ports and modems, but other kinds of serial link are possible. The serial link must transmit (at least) 8 bits per character; PPP cannot work over a serial link which transmits only 7 bits per character. However, it need not transmit all byte values transparently. PPP has a mechanism to avoid sending certain characters if it is known that the some element of the serial link interprets them specially. For example, the DC1 and DC3 ASCII characters (control-Q and control-S) may be trapped by a modem if it is set for ``software'' flow control. PPP can send these characters as a two-character ``escape'' sequence. The set of characters which are to be transmitted as an escape sequence is represented in an ``async control character map'' (ACCM). The ``async'' part refers to the fact that this facility is used for asynchronous serial links. For synchronous serial connections, the HDLC bit-stuffing procedure is used instead. The two systems connected by the serial link are called ``peers''. When we are talking from the point of view of one of the systems, the other is often referred to as ``the peer''. Sometimes we may refer to one system as a ``client'' and the other as a ``server''. This distinction refers mainly to the way the serial link is set up; usually the client is the peer that initiates the connection, for example by dialling the server with its modem. During the lifetime of a PPP connection, it proceeds through several phases: @enumerate @item Serial link establishment. In this phase, the serial link is set up and PPP protocol software is attached to each end of the serial link. The precise steps involved in doing this vary greatly, depending on the nature of the serial link. For the common case of modems connected through the telephone network, this involves first sending commands to the modem to cause it to dial the remote system. When the remote system answers, the local system usually has to supply a username and password, and then issue a command to invoke PPP software on the remote system. The ``chat'' program supplied with ppp-2.x provides a way to automate a dialog with the modem and the remote system. This phase is not standardized; it is outside the scope of the PPP protocol specifications. @item Link Control Protocol (LCP) negotiation. In this phase, the peers send LCP packets to each other to negotiate various parameters of the connection, such as the ACCM to be used in each direction, whether authentication is required, and whether or not to use various forms of compression. When the peers reach agreement on these parameters, LCP is said to be ``up''. @item Authentication. If one (or both) of the peers requires the other peer to authenticate itself, that occurs next. If one of the peers cannot successfully authenticate itself, the other peer terminates the link. @item Network Control Protocol (NCP) negotiation. PPP can potentially support several different network protocols, although IP is the only network protocol (NP) supported by the ppp-2.x package. Each NP has an associated NCP defined for it, which is used to negotiate the specific parameters which affect that NP. For example, the IP Control Protocol (IPCP) is used to negotiate the IP addresses for each end of the link, and whether the TCP header compression method described by Van Jacobsen in RFC 1144 (``VJ compression'') is to be used. @item Network communication. When each NCP has successfully negotiated the parameters for its NP, that NCP is said to be ``up''. At that point, the PPP link is made available for data traffic from that NP. For example, when IPCP comes up, the PPP link is then available for carrying IP packets (which of course includes packets from those protocols which are layered above IP, such as TCP, UDP, etc.) @item Termination. When the link is no longer required, it is terminated. Usually this involves an exchange of LCP packets so that one peer can notify the other that it is shutting down the link, enabling both peers to shut down in an orderly manner. But of course there are occasions when the link terminates because the serial link is interrupted, for example, when a modem loses carrier and hangs up. @end enumerate PPP is defined in several RFC (Request For Comments) documents, in particular RFCs 1661, 1662, and 1334. IPCP is defined in RFC 1332. Other RFCs describe the control protocols for other network protocols (e.g., DECnet, OSI, Appletalk). RFCs are available by anonymous FTP from several sites including nic.ddn.mil, nnsc.nsf.net, nic.nordu.net, ftp.nisc.sri.com, and munnari.oz.au. @node PPP packet format, LCP negotiation, PPP Concepts, Introduction @section PPP packet format PPP transmits packets over the serial link using a simple encapsulation scheme. First, a two-byte PPP Protocol field is inserted before the data to be sent. The value in this field identifies which higher-level protocol (either a network protocol such as IP or a PPP control protocol such as LCP) should receive the data in the packet. By default, a one-byte Address field with the value 0xFF, and a one-byte Control field with the value 0x03, are inserted before the PPP Protocol field (apparently this is supposed to provide compatibility with HDLC, in case there is a synchronous to asynchronous converter in the serial link). On slow serial links, these fields can be compressed down to one byte in most cases. The PPP Address and Control fields are compressed by simply omitting them (``address/control compression''). The PPP Protocol field values are chosen so that bit 0 (the least-significant bit) of the first (most significant) byte is always 0, and bit 0 of the second byte is always 1. The PPP Protocol field can be compressed by omitting the first byte, provided that it is 0 (``protocol compression''). The values for this field are assigned so that the first byte is zero for all of the commonly-used network protocols. For example, the PPP Protocol field value for IP is 0x21. For asynchronous serial links, which do not provide any packet framing or transparency, a further encapsulation is used as follows. First a 16-bit Frame Check Sequence (FCS) is computed over the packet to be sent, and appended as two bytes to the end of the packet. Then each byte of the packet is examined, and if it contains one of the characters which are to be escaped, it is replaced by a two byte sequence: the 0x7d character '}', followed by the character with bit 5 inverted. For example, the control-C character (0x03) could be replaced by the two-byte sequence 0x7d, 0x23 ('}#'). The 0x7d and 0x7e ('~') characters are always escaped, and the 0x5e ('^') character may not be escaped. Finally, a ``flag'' character (0x7e, '~') is inserted at the beginning and end of the packet to mark the packet boundaries. The initial flag may be omitted if this packet immediately follows another packet, as the ending flag for the previous packet can serve as the beginning flag of this packet. @node LCP negotiation, IPCP negotiation, PPP packet format, Introduction @section LCP negotiation The LCP negotiation process actually involves two sets of negotiations, one for each direction of the PPP connection. Thus A will send B packets (``Configure-Requests'') describing what characteristics A would like to have apply to the B -> A direction of the link, that is, to the packets that A will receive. Similarly B will send A packets describing the characteristics it would like to have apply to the packets it will be receiving. These characteristics need not necessarily be the same in both directions. The parameters which are negotiated for each direction of the connection using LCP are: @itemize @bullet @item Maximum Receive Unit (MRU): indicates the maximum packet size which we are prepared to receive (specifically the maximum size of the data portion of the packet). The default value is 1500, but on slow serial links, smaller values give better response. The choice of MRU is discussed below (see xxx). @item Async Control Character Map (ACCM): indicates the set of control characters (characters with ASCII values in the range 0 - 31) which we wish to receive in escaped form. The default is that the sender should escape all characters in the range 0 - 31. @item Authentication Protocol: indicates which protocol we would like the peer to use to authenticate itself. Common choices are the Password Authentication Protocol (PAP) and the Cryptographic Handshake Authentication Protocol (CHAP). @item Quality Protocol: indicates which protocol which we would like the peer to use to send us link quality reports. The ppp-2.x package does not currently support link quality reports. @item Magic Number: a randomly-chosen number, different from the peer's magic number. If we persistently receive our own magic number in the peer's configure-request packets, then we can conclude that the serial link is looped back. @item Protocol Field Compression: indicates that we wish the peer to compress the PPP Protocol field to one byte, where possible, in the packets it sends. @item Address/Control Field Compression: indicates that we wish the peer to compress the PPP Address/Control fields (by simply omitting them) in the packets it sends. @end itemize @node IPCP negotiation, , LCP negotiation, Introduction @section IPCP negotiation The IPCP negotiation process is very similar to the LCP negotiation process, except that of course different parameters are negotiated. The parameters which are negotiated using IPCP are: @itemize @bullet @item IP Address: the IP address (32-bit host IP number) which we plan to use as the local address for our end of the link. @item TCP header compression: indicates (a) that we wish the peer to compress the TCP/IP headers of TCP/IP packets that it sends, using the Van Jacobson algorithm as described in RFC1144; (b) the maximum slot ID that we wish the peer to use, and (c) whether we are prepared to accept packets with the slot ID field compressed (omitted). With Van Jacobson (VJ) compression, the receiver and transmitter (for one direction of the connection) both keep a table, with a certain number of ``slots'', where each slot holds the TCP/IP header of the most recently transmitted packet for one TCP connection. If a packet is to be transmitted for a TCP connection which does not have a slot currently allocated, the VJ scheme will allocate one of the slots and send the entire TCP/IP header, together with the slot number. For many packets, there will be a slot already allocated for the TCP connection, and the VJ scheme will then often be able to replace the entire TCP/IP header with a much smaller compressed header (typically only 3 - 7 bytes) describing which fields of the TCP/IP header have changed, and by how much. If there are many more active connections than slots, the efficiency of the VJ scheme will drop, because it will not be able to send compressed headers as often. Usually the compressed header includes a one-byte slot index, indicating which TCP connection the packet is for. It is possible to reduce the header size by omitting the slot index when the packet has the same slot index as the previous packet. However, this introduces a danger if the lower levels of the PPP software can sometimes drop damaged packets without informing the VJ decompressor, as it may then assume the wrong slot index for packets which have the slot index field omitted. With the ppp-2.x software, however, the probability of this happening is generally very small (see xxx). @end itemize @node Installation, Configuration, Introduction, Top @chapter Installation Because ppp-2.x includes code which must be incorporated into the kernel, its installation process is necessarily quite heavily system-dependent. In addition, you will require super-user privileges (root access) to install the code. Some systems provide a ``modload'' facility, which allows you to load new code into a running kernel without relinking the kernel or rebooting. Under Solaris 2, SunOS 4.x, Linux, AIX 4.1, OSF/1 and NextStep, this is the recommended (or only) way to install the kernel portion of the ppp-2.x package. Under the remaining supported operating systems (NetBSD, FreeBSD, Ultrix), it is necessary to go through the process of creating a new kernel image and reboot. (Note that NetBSD and FreeBSD have a modload facility, but ppp-2.x is currently not configured to take advantage of it.) Detailed installation instructions for each operating system are contained in the README files in the ppp-2.x distribution. In general, the process involves executing the commands @samp{./configure}, @samp{make} and (as root) @samp{make install} in the ppp-2.x distribution directory. (The Linux port requires the installation of some header files before compiling; see README.linux for details.) @node Configuration, Security, Installation, Top @chapter Configuration Once the ppp-2.x software is installed, you need to configure your system for the particular PPP connections you wish to allow. Typically, the elements you need to configure are: @itemize @bullet @item How the serial link is established and how pppd gets invoked. @item Setting up syslog to log messages from pppd to the console and/or system log files. @item Pppd options to be used. @item Authentication secrets to use in authenticating us to the peer and/or the peer to us. @item The IP addresses for each end of the link. @end itemize In most cases, the system you are configuring will either be a @dfn{client} system, actively initiating a PPP connection on user request, or it will be a @dfn{server} system, passively waiting for connections from client systems. Other arrangements are possible, but the instructions in this system assume that you are configuring either a client or a server. These instructions also assume that the serial link involves a serial communications port (that is, a tty device), since pppd requires a serial port. @menu * Client machines:: * Server machines:: * Setting up syslog:: * Pppd options:: * Authentication secrets files:: * IP Addresses:: @end menu @node Client machines, Server machines, Configuration, Configuration @section Client machines On a client machine, the way that the user requests that a connection be established is by running pppd, either directly or through a shell script. Pppd should be given the name of the serial port to use as an option. In this mode, pppd will fork and detach itself from its controlling terminal, so that the shell will return to its prompt. (If this behaviour is not desired, use the -detach option.) Usually, the connect option should also be used. The connect option takes an argument which is a command to run to establish the serial link and invoke PPP software on the remote machine. This command is run with its standard input and standard output connected to the serial port. Giving the connect option to pppd also has the side-effect of causing pppd to open the serial port without waiting for the modem carrier detect signal. The process of establishing the serial link often involves a dialog. If the serial port is connected to a modem, we first need to send some commands to the modem to configure it and dial the remote system. Often there is then a dialog with the remote system to supply a username and password. The @file{chat} program supplied with the ppp-2.x package is useful for automating such dialogs. Chat uses a @dfn{script} consisting of alternately strings to expect to receive on the serial port, and strings to send on the serial port. The script can also specify strings which indicate an error and abort the dialog. @node Server machines, , Client machines, Configuration @section Server machines There are generally three ways in which a server machine can be set up to allow client machines to establish a PPP link: @enumerate @item Client machines log in as regular users (often via a serial port connected to a modem, but possibly through a telnet or rlogin session) and then run pppd as a shell command. @item Client machines log in using a username whose login shell is pppd or a script which runs pppd. @item Client machines connect to a serial port which has a pppd running permanently on it (instead of a "getty" or other program providing a login service). @end enumerate Method 1 is very simple to set up, and is useful where existing users of a system have remote machines (for example at home) from which they want to establish a PPP connection from time to time. Methods 2 and 3 possibly have a security advantage in that they do not allow PPP client systems access to a shell. Method 2 allows regular logins and PPP connections on the same port, while with method 3, would-be crackers may well be frustrated (unless they speak fluent PPP). With any of these methods, I strongly recommend that you configure PPP to require authentication from the client, by including the `auth' option in the /etc/ppp/options file. @node Setting up syslog, , Server machines, Configuration @section Setting up syslog Pppd uses the @file{syslog} facility to report information about the state of the connection, as does @file{chat}. It is useful to set up syslog to print some of these messages on the console, and to record most of them to a file. The messages from pppd are logged with facility @samp{daemon} and one of three levels: @itemize @bullet @item @samp{notice} for messages about important events such as the connection becoming available for IP traffic and the local and remote IP addresses in use. @item @samp{info} for messages about less important events, such as detecting a modem hangup. @item @samp{debug} for messages which are of use in working out why the connection is not working properly. @end itemize The messages from chat are logged with facility @samp{local2} and level @samp{debug}. Syslog is controlled by the syslog configuration file @file{/etc/syslog.conf}. Generally the standard configuration will log facility @samp{daemon} messages with level @samp{notice} and above to a system log file such as @file{/var/log/syslog} (the name may vary on different systems). I find it useful to have the notice level messages from pppd displayed on the console, and all messages from pppd and chat logged to a file such as @file{/etc/ppp/log}. To achieve this, find the line in /etc/syslog.conf which has /dev/console on the right-hand side, and add `daemon.notice' on the left. This line should end up something like this: @example *.err;kern.debug;auth.notice;mail.crit;daemon.notice /dev/console @end example And add a line like this: @example daemon,local2.debug /etc/ppp/log @end example The space between the left and right hand sides is one or more tabs, not spaces, and there are no tabs or spaces at the beginning of the line. You will need to create an empty @file{/etc/ppp/log} file; syslogd will not create it. Once you have modified @file{/etc/syslog.conf}, you need to either reboot or notify syslogd to re-read the file. On most systems, you notify syslogd by sending it a SIGHUP signal. Syslogd's process ID is usually stored in a file such as @file{/etc/syslogd.pid} or @file{/var/run/syslog.pid}. Thus you can notify syslogd to re-read the file by executing a command such as: @example kill -HUP `cat /etc/syslogd.pid` @end example @node Pppd options, , Setting up syslog, Configuration @section Pppd options @node Authentication secrets files, , Pppd options, Configuration @section Authentication secrets files @node IP Addresses, , Authentication secrets files, Configuration @section IP Addresses @node Security, Compression, Configuration, Top @chapter Security @node Compression, , Security, Top @chapter Compression @bye