Hello, Friends of the community.
This time, I'd like to learn something about PPPoE with you.
What is PPPoE (Point-to-Point Protocol over Ethernet)?
PPPoE is short for Point-to-Point Protocol over Ethernet. It enables Ethernet hosts to connect to a remote access concentrator through a simple bridge device. Through PPPoE, the remote access device can control and charge each access user. The dial-up Internet access we use so often is a typical example: it is PPPoE. PPPoE is implemented on top of the PPP protocol.
The PPPoE server is a function provided by some enterprise-level routers. Within the LAN, it can provide a service similar to the ADSL service offered by telecom operators.
At present, the most popular broadband access mode, ADSL, uses the PPPoE protocol. As low-cost broadband technology has become widespread, DSL (Digital Subscriber Line) lets many computers connect to the Internet, but it has also raised network security concerns among DSL service providers. Most computers that access the Internet through ADSL do so through an Ethernet card, using the common TCP/IP model with no new protocols added, and plain Ethernet and IP offer no user authentication of their own. Modem dial-up access, on the other hand, uses PPP (the Point-to-Point Protocol), which provides user authentication and IP address notification.
PPP over Ethernet (PPPoE) encapsulates PPP frames inside Ethernet frames so that PPP's authentication and address assignment can be used over an Ethernet connection. It is especially applicable to ADSL.
PPPoE Packet
A PPPoE packet is carried inside an Ethernet frame: it is preceded by an Ethernet header so that it can reach a remote access device through a simple bridge device.

PPPoE Session Establishment Process
The PPPoE session establishment process consists of three phases: discovery, session, and session termination.
PPPoED: PPPoE Discovery
PADI(PPPoE Active Discovery Initiation)
The host broadcasts a PADI packet. The destination address is the Ethernet broadcast address 0xffffffffffff, the CODE field is 0x09 (PADI code), and the SESSION-ID field is 0x0000. A PADI packet must contain at least one tag of type Service-Name (tag type 0x0101) to present the requested service to the access concentrator.
PADO (PPPoE Active Discovery Offer)
An access concentrator that receives a PADI packet and can serve the requested service sends a PPPoE Active Discovery Offer (PADO) packet in response. The CODE field is 0x07 (PADO code), and SESSION-ID is still 0x0000. The PADO packet must contain a tag of type AC-Name (tag type 0x0102) and one or more Service-Name tags indicating the services that can be provided to the host. The Host-Uniq tag values of PADO and PADI are the same.
PADR (PPPoE Active Discovery Request)
The host selects one of the PADO packets it may have received and sends a PPPoE Active Discovery Request (PADR) packet to the chosen access concentrator. The CODE field is 0x19 (PADR code), and the SESSION-ID field is still 0x0000. The PADR packet must contain a Service-Name tag identifying the service requested from the access concentrator. If the host does not receive a PADO packet within the specified time, it retransmits its PADI packet and doubles the wait time; this is repeated as many times as desired.
PADS (PPPoE Active Discovery Session-confirmation)
After receiving the PADR packet, the access concentrator prepares to start a PPP session and sends a PPPoE Active Discovery Session-confirmation (PADS) packet. The CODE field is 0x65 (PADS code), and the SESSION-ID field is a unique PPPoE session ID generated by the access concentrator. The PADS packet must also contain a tag of type AC-Name to confirm the service provided to the host. When the host receives the PADS packet, both parties enter the PPP session phase. The Host-Uniq tag values of PADS and PADR are the same.
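To make the four discovery packets concrete, here is an added example in Python (not code from the original post): it builds and parses Ethernet frames carrying PPPoE discovery packets with the CODE, SESSION-ID and tag values described above, and shows the host-side check that a PADO actually answers our own PADI (same Host-Uniq) before it is accepted. The MAC addresses, Host-Uniq value and AC name are constructed; the discovery EtherType 0x8863 is from RFC 2516.

```python
import struct

ETHERTYPE_DISCOVERY = 0x8863               # PPPoE discovery stage EtherType (RFC 2516)
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = b"\xff" * 6

def build_discovery(dst, src, code, session_id, tags):
    """Ethernet frame carrying one PPPoE discovery packet.
    tags: list of (tag_type, value_bytes); VER=1, TYPE=1 packs to 0x11."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETHERTYPE_DISCOVERY) + header + payload

def parse_discovery(frame):
    """Decode a discovery frame; raises ValueError on anything malformed."""
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, sid, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or len(frame) < 20 + length:
        raise ValueError("bad VER/TYPE or truncated payload")
    body, off, tags = frame[20:20 + length], 0, []
    while off + 4 <= len(body):                # walk the TAG_TYPE/TAG_LENGTH/VALUE list
        t, l = struct.unpack("!HH", body[off:off + 4])
        if off + 4 + l > len(body):
            raise ValueError("tag length runs past payload")
        tags.append((t, body[off + 4:off + 4 + l]))
        off += 4 + l
    return {"dst": frame[:6], "src": frame[6:12], "code": code,
            "session_id": sid, "tags": tags}

def offer_is_for_us(padi, pado):
    """Host-side check on a PADO: it must echo our Host-Uniq, carry an AC-Name
    and keep SESSION-ID at 0x0000; any other offer is ignored."""
    ours, got = dict(padi["tags"]), dict(pado["tags"])
    return (pado["code"] == PADO and pado["session_id"] == 0
            and TAG_AC_NAME in got and got.get(TAG_HOST_UNIQ) == ours.get(TAG_HOST_UNIQ))

# Constructed sample exchange: host MAC 02:..:01, access concentrator MAC 02:..:02
HOST, AC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
UNIQ = b"\x00\x00\x12\x34"                 # constructed Host-Uniq value
padi = build_discovery(BROADCAST, HOST, PADI, 0,
                       [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, UNIQ)])
pado = build_discovery(HOST, AC, PADO, 0,
                       [(TAG_AC_NAME, b"AC-1"), (TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, UNIQ)])
stale = build_discovery(HOST, AC, PADO, 0,    # answers some other host's PADI
                        [(TAG_AC_NAME, b"AC-1"), (TAG_HOST_UNIQ, b"\xde\xad")])
pads = build_discovery(HOST, AC, PADS, 0x0001,
                       [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, UNIQ)])
```

The PADS is the first packet in the exchange whose SESSION-ID is non-zero; that value is what the session stage frames must carry afterwards.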

PPPoES: PPPoE Session
To establish a PPP session, the devices at both ends need to send LCP packets to configure and test the data communication link.
The user host and the access concentrator establish a PPP session according to the parameters negotiated in the discovery phase. Once the PPPoE session starts, PPP data is sent as it would be in any other PPP encapsulation. All Ethernet frames are unicast. The SESSION-ID of the PPPoE session cannot be changed and must be the value assigned during the discovery phase.
LCP: Link Control Protocol
Both the host and the access concentrator (AC) send LCP Configure-Request messages to each other. During LCP negotiation, the MTU, whether authentication is performed, and the authentication type are negotiated.
Classification of LCP packets
Link configuration packets: used to establish and configure a link, including Configure-Request, Configure-Ack, Configure-Nak, and Configure-Reject packets.
Link maintenance packets: used to manage and debug links, including Code-Reject, Protocol-Reject, Echo-Request, Echo-Reply, and Discard-Request packets.
Link termination packets: used to terminate a link, including Terminate-Request and Terminate-Reply packets.
LCP negotiation process
The negotiating parties each send an LCP Configure-Request message to the other; each side examines the negotiation options in the Configure-Request it receives and responds according to whether it supports and accepts them. If both ends respond with a Configure-Ack message, the LCP link is successfully established. Otherwise, LCP continues to send Configure-Request messages until the peer end responds with an Ack.
PPP Authentication: PAP/CHAP
Authentication is performed after link negotiation is complete. The two sides of the session are authenticated using the method negotiated by LCP; if authentication succeeds, negotiation at the network layer can proceed.
PAP (Password Authentication Protocol)
PAP is a two-way handshake protocol that authenticates users by user name and password. The PAP authentication process is as follows:
Once data can be transmitted between the two ends, the authenticated party sends its local user name and password to the authenticating party. The authenticating party checks, against its local user table or a RADIUS server, whether the user name exists and the password is correct. If so, it sends an Authenticate-Ack packet to notify the peer end that it is allowed to enter the next phase of negotiation; otherwise it sends a Nak packet to notify the peer of the authentication failure. In that case the link is not shut down immediately; it is shut down only when the number of authentication failures reaches a configured value (10 by default).
PAP transmits user names and passwords in plain text on the network; if they are intercepted in transit, they pose a serious threat to network security. PAP is therefore suitable only for environments with relatively low security requirements.
CHAP (Challenge Handshake Authentication Protocol)
CHAP is a three-way handshake protocol. Only user names are transmitted over the network, never user passwords, so it is more secure than PAP. The CHAP authentication process is as follows: the authenticator generates a random challenge and sends it, together with its local hostname, to the authenticated party. When the authenticated party receives the Challenge, it looks up the user password using the authenticator's hostname carried in the packet and its local user table (that is, it finds the user table entry whose name matches the authenticator's hostname). It then uses the packet ID, the user's key and the random challenge to compute a response with the MD5 algorithm, and sends the response together with its own hostname to the authenticator. After receiving the response, the authenticator computes its own MD5 result from the same message ID, the password (key) it holds for that user, and the random challenge it sent, compares it with the received response, and returns the corresponding result (ACK or NAK).
(1) The authenticator sends a Challenge packet.
(2) The authenticated party (the one requesting authentication) sends a Response packet.
(3) The authenticator replies with an acceptance (or rejection) packet.
After the preceding three packet exchanges, CHAP authentication is complete.
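To make the contrast between PAP and CHAP from the two sections above concrete, here is an added example in Python (not code from the original post): the PAP Authenticate-Request payload that carries the password in the clear, beside a CHAP exchange in which only the MD5(ID || secret || challenge) response from RFC 1994 crosses the wire, so a response captured for one challenge is useless against another. The user table, user name and secret are constructed.

```python
import hashlib
import hmac
import os

# Constructed local user table on the authenticator: user name -> secret (key).
USER_TABLE = {"alice": b"s3cret-key"}

def pap_request_payload(username, password):
    """What PAP puts on the wire (RFC 1334 Authenticate-Request):
    ID length, ID, password length, password, all in plain text."""
    u = username.encode()
    return bytes([len(u)]) + u + bytes([len(password)]) + password

def chap_challenge():
    """Step 1 (authenticator): pick a packet ID and a fresh random challenge."""
    return os.urandom(1)[0], os.urandom(16)

def chap_response(ident, challenge, username, secret):
    """Step 2 (authenticated party): MD5(ID || secret || challenge), sent with
    the user name. The secret itself never leaves this host."""
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return ident, digest, username

def chap_verify(ident, challenge, resp_ident, resp_digest, username):
    """Step 3 (authenticator): recompute from the stored secret and the challenge
    it sent, compare in constant time, and answer ACK (Success) or NAK (Failure)."""
    secret = USER_TABLE.get(username)
    if secret is None or resp_ident != ident:
        return "NAK"
    expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return "ACK" if hmac.compare_digest(expected, resp_digest) else "NAK"

def run_chap(username, secret):
    """Full three-way exchange with a fresh challenge each time."""
    ident, challenge = chap_challenge()
    return chap_verify(ident, challenge, *chap_response(ident, challenge, username, secret))
```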
NCP: Network Control Protocol
There are many types of NCP, such as IPCP, BCP, and IPv6CP. The most common NCP is the Internet Protocol Control Protocol (IPCP). The main function of the NCP is to negotiate the network layer parameters of PPP packets, such as the IP address, DNS server IP address and WINS server IP address. PPPoE users obtain IP addresses or IP address segments for accessing the network through IPCP.
The NCP process is similar to the LCP process. After a user and AC send an NCP Config-Request packet to each other and respond with an NCP Config-Ack packet, the NCP negotiation is complete, the user goes online successfully, and the user can access the network normally.
The IPCP negotiation process is based on the PPP state machine. During negotiation, configuration information is exchanged through Configure-Request, Configure-Ack and Configure-Nak packets, and the state changes from Initial (or Closed) to Opened. IPCP reaches the Opened state only when both the sender and the receiver have sent and received acknowledgment packets.
During IPCP negotiation, a negotiation packet may contain multiple options, that is, parameters. The rejection or denial of a single option does not prevent IPCP from reaching the Up state; IPCP can come up with some options rejected. Options include IP Address, Gateway, and Mask. IP Address is the most important option: some vendors require it to be confirmed, while most vendors allow it to be empty.
The user and the access device negotiate several requirements for the IP service phase to determine a contract that both parties can accept.
For example, an IP compression protocol may be used in the IP service phase. Protocol negotiation between the two parties is based on the options carried in the packet; each option is a separate negotiation item.
Finally, both parties must reply with a Configure-Ack packet.
Session Keep-alive
The device periodically sends LCP Echo-Request messages as a PPPoE keepalive (heartbeat). If it receives no response from the server three times in a row, it releases the IP address. The magic number in the LCP Echo-Request message must be the same as the magic number used in the Configure-Request message.
Some devices or terminals cannot actively send Echo-Request packets and can only reply with Echo-Reply packets.
Session Termination
PPPoE also has a PPPoE Active Discovery Terminate (PADT) packet. A PADT can be sent at any time after a session is established to terminate the PPPoE session, that is, to release it. It may be sent by either the host or the access concentrator, with the destination address set to the Ethernet MAC address of the peer.
When the peer receives a PADT packet, it must no longer use this session to send PPP traffic. The PADT packet needs no tags. Its CODE field is 0xa7 (PADT code), and its SESSION-ID field is the session ID of the PPP session to be terminated. After a PADT has been sent or received, even a normal PPP termination packet need not be sent. Normally the PPP peer should use the PPP protocol itself to terminate the PPPoE session; PADT is used when PPP is unavailable.
Function
The PPPoE server can manage the network usage of intranet users by allocating accounts to them. Combined with the online behavior management and bandwidth management functions provided by some routers, it can also manage users' online behavior, for example by prohibiting IM and P2P software; limiting games, downloads, web page submissions, proxy services, and users' uplink and downlink bandwidth; and applying flexible bandwidth management and control of all online behavior by time segment and address segment.
Thanks for your reading! That's the end of this post. Hope it can help you.
For more information about PPPoE, please click HCIA - Access | 36 PPPoE.
