I. The origin of PPP: SLIP
SLIP (Serial Line Internet Protocol) is a simple protocol for encapsulating IP datagrams over serial links. Its encapsulation format is so minimal that it cannot negotiate parameters such as IP addresses, and it carries no error checking. PPP (Point-to-Point Protocol) was proposed as its successor; PPP is a data-link-layer (Layer 2) protocol that runs over point-to-point links.
II. Advantages of PPP
Supports synchronous and asynchronous serial links; supports multiple network-layer protocols, error detection, network-layer address negotiation and user authentication; and allows data compression.
III. Classic PAP and CHAP authentication cases for PPP
1. HDLC
Cisco devices encapsulate serial interfaces with HDLC by default. HDLC's strength is its simplicity, which is also why it supports no authentication and offers no link security.
R1#show int s1/0 #shows that interface S1/0 is encapsulated with HDLC by default
R1(config-if)#encapsulation hdlc #encapsulate as HDLC (Cisco's default encapsulation)
If one end of the link is encapsulated with HDLC and the other with PPP, negotiation fails and the two ends cannot communicate.
2. PPP encapsulation process
1) First LCP (Link Control Protocol) is established; it handles negotiation and establishment of the link, callback, authentication, data compression and multilink bundling.
Step1:R1(config)#int s1/0 R2(config)#int s1/0
Step2:R1(config-if)#encapsulation ppp R2(config-if)#encapsulation ppp #encapsulate as PPP
Step3:R1(config-if)#no shutdown R2(config-if)#no shutdown
2) Then the NCPs (Network Control Protocols) are established; each network-layer protocol gets its own NCP (IPCP for IP, IPXCP for IPX, and so on).
Step1:R1(config-if)#ip add 12.0.0.1 255.0.0.0 R2(config-if)#ip add 12.0.0.2 255.0.0.0
Step2:R1(config-if)#clock rate 64000 R2(config-if)#clock rate 64000 #configure the clock rate (on a back-to-back serial cable only the DCE end actually needs it)
3) View the PPP negotiation on R1 and R2; after verifying, remember to turn debugging off on R1/R2: R1#no debug ppp negotiation
Step1:R1#debug ppp negotiation R2#debug ppp negotiation
Step2:R1(config-if)#shutdown R2(config-if)#shutdown #bring the link down; the debug shows the teardown of the session that had already negotiated successfully
*Aug 22 09:58:15.479: Se1/0 PPP: Sending Acct Event[Down] id[2]
*Aug 22 09:58:15.479: Se1/0 IPCP: State is Closed
*Aug 22 09:58:15.479: Se1/0 CDPCP: State is Closed
*Aug 22 09:58:15.483: Se1/0 IPCP: Remove link info for cef entry 12.0.0.2
*Aug 22 09:58:15.483: Se1/0 PPP: Phase is TERMINATING
*Aug 22 09:58:15.483: Se1/0 LCP: State is Closed
*Aug 22 09:58:15.483: Se1/0 PPP: Phase is DOWN
*Aug 22 09:58:15.483: Se1/0 IPCP: Remove route to 12.0.0.2
R1(config-if)#no shutdown R2(config-if)#no shutdown #bring the link back up; the debug shows a successful negotiation
*Aug 22 09:58:21.875: Se1/0 LCP: State is Open
Se1/0 IPCP: State is Open
*Aug 22 09:58:23.891: Se1/0 CDPCP: State is Open
3. PPP PAP (Password Authentication Protocol)
PAP is a two-way handshake: the peer being authenticated first sends its username/password to the authenticator in clear text, and the authenticator replies with success or failure. Because the credentials cross the link in clear text, PAP is not secure: anyone who can capture traffic on the link reads the password directly.
1) Configure bidirectional PAP between R1 and R2
Step1:R1#show running-config int s1/0 R2#show running-config int s1/0 #first confirm the link is a PPP link
Step2:R1(config)#username R2 password R2 R2(config)#username R1 password R1 #create the account and password the other side will authenticate with
Step3:R1(config-if)#ppp authentication pap R2(config-if)#ppp authentication pap #enable PAP authentication on interface s1/0
Step4:R1(config-if)#ppp pap sent-username R1 password R1 #the username/password this router sends to the peer; it must match the username entry on the other side
R2(config-if)#ppp pap sent-username R2 password R2
Step5:R1#debug ppp authentication #observe the authentication process
R1#debug ppp negotiation
2) Configure one-way PAP between R1 and R2 (R2 authenticates to R1)
Step1:R1#show running-config int s1/0
R2#show running-config int s1/0 #first make sure the R1/R2 link is a PPP link and IP addresses are configured
Step2:R1(config)#username R2 password R2 #create the account and password R2 will authenticate with
Step3:R1(config-if)#ppp authentication pap #enable PAP authentication on interface s1/0
Step4:R2(config-if)#ppp pap sent-username R2 password R2 #R2 sends its username and password to the authenticator for verification
4. PPP CHAP (Challenge Handshake Authentication Protocol)
CHAP is a three-way handshake. First, when the peer wants to bring up the link, the authenticator sends it a Challenge containing a random value and the authenticator's own hostname. Second, the peer uses that hostname to look up the matching password in its local database, computes an MD5 hash over the packet identifier, the password and the random value, and returns the hash in a Response together with its own hostname. Third, the authenticator looks up the password stored for the peer's hostname, computes the same hash itself and compares it with the one received: equal means success, different means failure. The password itself never crosses the link. Two caveats: MD5 here is a hash, not encryption, and both routers must hold the secret in recoverable form (username ... password, not username ... secret, since the router has to feed the clear-text secret into the hash); and a captured Challenge/Response pair can still be attacked offline with a password dictionary, so the shared secret must be strong.
1) Configure bidirectional CHAP between R1 and R3
Step1:R1(config)#username R3 password cisco
R3(config)#username R1 password cisco #the username is the other router's hostname, and the passwords must be identical on both sides.
Step2:R1(config)#int s1/1 R3(config)#int s1/1
R1(config-if)#clock rate 64000 R3(config-if)#clock rate 64000
R1(config-if)#ip add 13.0.0.1 255.0.0.0 R3(config-if)#ip add 13.0.0.3 255.0.0.0
R1(config-if)#no shutdown R3(config-if)#no shutdown
Step3: R1(config-if)#encapsulation ppp R3(config-if)#encapsulation ppp
Step4: R1(config-if)#ppp authentication chap R3(config-if)#ppp authentication chap
Step5:R1#debug ppp authentication #verify the authentication exchange
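The two exchanges described in sections 3 and 4, as an added example that is not part of the original page or of Cisco IOS: it builds PAP Authenticate-Request and CHAP Challenge/Response/Success packets byte-for-byte as RFC 1334 and RFC 1994 define them, shows that a passive listener recovers the PAP password directly from the bytes, runs a CHAP round between two routers that each hold the peer's secret the way username R3 password cisco does, and finally runs a dictionary search against a captured CHAP pair to show why the shared secret must be strong. The router names, secrets and wordlist are constructed sample data. A cross-check against the debug output above: a CHAP packet is 4 header bytes + 1 value-size byte + a 16-byte value + the sender's name, so "len 23" is exactly a 16-byte challenge or MD5 digest plus the two-byte name "R1" or "R3", and "SUCCESS ... len 4" is a bare header with no message.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

# ---- PAP (RFC 1334): the secret itself crosses the link ------------------------

def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Build a PAP Authenticate-Request (Code 1) exactly as it goes on the wire."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body

def pap_sniff(packet: bytes) -> Tuple[bytes, bytes]:
    """What a passive listener on the serial link recovers: peer-id and password, in clear."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    pos = 4
    peer_len = packet[pos]; pos += 1
    peer_id = packet[pos:pos + peer_len]; pos += peer_len
    pw_len = packet[pos]; pos += 1
    return peer_id, packet[pos:pos + pw_len]

# ---- CHAP (RFC 1994): only a hash of the secret crosses the link ---------------

def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || secret || Challenge): the 16-byte Value carried in a CHAP Response."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Build a CHAP Challenge (1), Response (2), Success (3) or Failure (4) packet."""
    if code in (1, 2):
        body = bytes([len(value)]) + value + name   # Value-Size, Value, Name
    else:
        body = value                                 # Success/Failure: optional Message only
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def chap_parse(packet: bytes) -> Dict[str, object]:
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("CHAP length mismatch")
    if code in (1, 2):
        vsize = packet[4]
        return {"code": code, "id": identifier,
                "value": packet[5:5 + vsize], "name": packet[5 + vsize:]}
    return {"code": code, "id": identifier, "message": packet[4:]}

# A "router" is a hostname plus a username database, like IOS `username <peer> password <secret>`.
def chap_exchange(authenticator: dict, peer: dict, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> Tuple[bool, bytes, bytes, bytes]:
    """Run one CHAP round; returns (success, challenge_pkt, response_pkt, result_pkt)."""
    if challenge is None:
        challenge = os.urandom(16)   # IOS also uses a 16-byte random challenge
    # Authenticator -> peer: the Challenge carries the authenticator's own hostname.
    chal_pkt = chap_packet(1, identifier, challenge, authenticator["hostname"])
    chal = chap_parse(chal_pkt)
    # Peer picks the secret stored for that hostname (on R3: username R1 password cisco).
    peer_secret = peer["users"].get(chal["name"])
    if peer_secret is None:
        return False, chal_pkt, b"", chap_packet(4, identifier, b"no secret for peer", b"")
    resp_pkt = chap_packet(2, chal["id"],
                           chap_response_value(chal["id"], peer_secret, chal["value"]),
                           peer["hostname"])
    resp = chap_parse(resp_pkt)
    # Authenticator recomputes with the secret stored for the responding name and compares.
    expected_secret = authenticator["users"].get(resp["name"])
    ok = (expected_secret is not None
          and resp["id"] == identifier
          and hmac.compare_digest(resp["value"],
                                  chap_response_value(identifier, expected_secret, challenge)))
    result_pkt = chap_packet(3 if ok else 4, identifier, b"", b"")
    return ok, chal_pkt, resp_pkt, result_pkt

def chap_offline_guess(chal_pkt: bytes, resp_pkt: bytes, wordlist) -> Optional[bytes]:
    """Failure mode: a captured Challenge/Response pair is tested offline against a wordlist."""
    chal, resp = chap_parse(chal_pkt), chap_parse(resp_pkt)
    for candidate in wordlist:
        if chap_response_value(resp["id"], candidate, chal["value"]) == resp["value"]:
            return candidate
    return None

if __name__ == "__main__":
    # Constructed sample: the R1/R3 pair from the configuration above.
    r1 = {"hostname": b"R1", "users": {b"R3": b"cisco"}}
    r3 = {"hostname": b"R3", "users": {b"R1": b"cisco"}}
    print("PAP on the wire:", pap_sniff(pap_authenticate_request(1, b"R2", b"R2")))
    ok, chal, resp, result = chap_exchange(r1, r3, identifier=1)
    print("CHAP:", ok, "challenge len", len(chal), "response len", len(resp), "result len", len(result))
    print("Dictionary hit:", chap_offline_guess(chal, resp, [b"password", b"cisco"]))
```

The verifier compares digests with hmac.compare_digest rather than == to avoid a timing side channel; the wordlist function uses == deliberately, since it plays the attacker. Swapping the 16 random bytes for a fixed value would turn CHAP into a replayable password equivalent, which is why the challenge has to be fresh for every round.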
*Aug 22 13:16:51.983: Se1/1 PPP: Authorization required
*Aug 22 13:16:52.043: Se1/1 CHAP: O CHALLENGE id 1 len 23 from "R1"
*Aug 22 13:16:52.043: Se1/1 CHAP: I CHALLENGE id 1 len 23 from "R3"
*Aug 22 13:16:52.047: Se1/1 CHAP: Using hostname from unknown source
*Aug 22 13:16:52.051: Se1/1 CHAP: Using password from AAA
*Aug 22 13:16:52.051: Se1/1 CHAP: O RESPONSE id 1 len 23 from "R1"
*Aug 22 13:16:52.083: Se1/1 CHAP: I RESPONSE id 1 len 23 from "R3"
*Aug 22 13:16:52.083: Se1/1 PPP: Sent CHAP LOGIN Request
*Aug 22 13:16:52.087: Se1/1 PPP: Received LOGIN Response PASS
*Aug 22 13:16:52.087: Se1/1 PPP: Sent LCP AUTHOR Request
*Aug 22 13:16:52.091: Se1/1 PPP: Sent IPCP AUTHOR Request
*Aug 22 13:16:52.091: Se1/1 CHAP: I SUCCESS id 1 len 4
*Aug 22 13:16:52.095: Se1/1 LCP: Received AAA AUTHOR Response PASS
*Aug 22 13:16:52.095: Se1/1 IPCP: Received AAA AUTHOR Response PASS
*Aug 22 13:16:52.095: Se1/1 CHAP: O SUCCESS id 1 len 4
*Aug 22 13:16:52.099: Se1/1 PPP: Sent CDPCP AUTHOR Request
*Aug 22 13:16:52.099: Se1/1 CDPCP: Received AAA AUTHOR Response PASS
*Aug 22 13:16:52.143: Se1/1 PPP: Sent IPCP AUTHOR Request
2) Configure one-way CHAP between R1 and R3 (R3 authenticates to R1)
Step1:R1(config)#username R3 password cisco #create the username and password for the peer being authenticated.
Step2:R1(config)#int s1/1 R3(config)#int s1/1
R1(config-if)#clock rate 64000 R3(config-if)#clock rate 64000
R1(config-if)#ip add 13.0.0.1 255.0.0.0 R3(config-if)#ip add 13.0.0.3 255.0.0.0
R1(config-if)#no shutdown R3(config-if)#no shutdown
Step3: R1(config-if)#encapsulation ppp R3(config-if)#encapsulation ppp
Step4: R1(config-if)#ppp authentication chap
Step5:R3(config-if)#ppp chap hostname R3 #the username R3 presents to R1 for authentication
R3(config-if)#ppp chap password cisco #the password R3 uses when answering R1's challenge (must match the username R3 entry on R1)
Step6: R1#debug ppp authentication #verify the exchange
*Aug 22 14:18:03.274: Se1/1 PPP: Authorization required
*Aug 22 14:18:03.334: Se1/1 CHAP: O CHALLENGE id 13 len 23 from "R1"
*Aug 22 14:18:03.478: Se1/1 CHAP: I RESPONSE id 13 len 23 from "R3"
*Aug 22 14:18:03.478: Se1/1 PPP: Sent CHAP LOGIN Request
*Aug 22 14:18:03.482: Se1/1 PPP: Received LOGIN Response PASS
*Aug 22 14:18:03.486: Se1/1 PPP: Sent LCP AUTHOR Request
*Aug 22 14:18:03.486: Se1/1 PPP: Sent IPCP AUTHOR Request
*Aug 22 14:18:03.490: Se1/1 LCP: Received AAA AUTHOR Response PASS
*Aug 22 14:18:03.490: Se1/1 IPCP: Received AAA AUTHOR Response PASS
*Aug 22 14:18:03.490: Se1/1 CHAP: O SUCCESS id 13 len 4
*Aug 22 14:18:03.494: Se1/1 PPP: Sent CDPCP AUTHOR Request
*Aug 22 14:18:03.494: Se1/1 CDPCP: Received AAA AUTHOR Response PASS
*Aug 22 14:18:03.586: Se1/1 PPP: Sent IPCP AUTHOR Request
R3(config-if)#do debug ppp authentication
*Aug 22 14:18:03.318: Se1/1 PPP: Using default call direction
*Aug 22 14:18:03.318: Se1/1 PPP: Treating connection as a dedicated line
*Aug 22 14:18:03.318: Se1/1 PPP: Session handle[DC00000C] Session id[13]
*Aug 22 14:18:03.322: Se1/1 PPP: Authorization required
*Aug 22 14:18:03.430: Se1/1 PPP: No authorization without authentication
*Aug 22 14:18:03.506: Se1/1 CHAP: I CHALLENGE id 13 len 23 from "R1"
*Aug 22 14:18:03.510: Se1/1 CHAP: Using hostname from interface CHAP
*Aug 22 14:18:03.510: Se1/1 CHAP: Using password from interface CHAP
*Aug 22 14:18:03.510: Se1/1 CHAP: O RESPONSE id 13 len 23 from "R3"
*Aug 22 14:18:03.614: Se1/1 CHAP: I SUCCESS id 13 len 4