When you're deploying remote access
solutions, several encapsulation choices are available. The two most
common encapsulations are PPP and HDLC. ISDN interfaces default to HDLC. However, PPP is much
more robust than HDLC because it provides a mechanism for
authenticating the peer and for negotiating a compatible link and protocol
configuration; HDLC offers neither. Another encapsulation available for end-to-end ISDN is
LAPB (Link Access Procedure, Balanced).
An ISDN interface is configured with a single
encapsulation type, which applies to every call it places or answers. Once an ISDN call has been established, the router
can use the ISDN cloud to carry any of the network-layer protocols
required, such as IP, to multiple destinations.
Most networking designs use PPP for
encapsulation. PPP is a powerful and modular peer-to-peer mechanism
used to establish data links, provide security, and encapsulate data
traffic. Once a PPP connection is negotiated between two devices, it
can then be used by network protocols such as IP and IPX to establish network connectivity.
PPP is an open standard specified by
RFC 1661. PPP was designed with several features that make it
particularly useful in remote access applications. PPP uses the Link
Control Protocol (LCP) to initially establish the link and agree on
configuration. Authentication is built into the protocol: the
Password Authentication Protocol (PAP) and the Challenge Handshake
Authentication Protocol (CHAP) let you verify the identity of the peer
before any network-layer traffic is carried. Of the two, only CHAP keeps
the shared secret off the link; PAP sends the username and password in
clear text. CHAP is a popular authentication protocol for call screening.
PPP consists of several components:
- PPP framing -- RFC 1662 discusses the
implementation of PPP in HDLC-like framing. There are differences
in the way PPP is implemented on asynchronous and synchronous
links.
When one end of the link uses
synchronous PPP (such as an ISDN router) and the other uses
asynchronous PPP (such as an ISDN TA connected to a PC serial
port), two techniques are available to provide framing
compatibility. The preferable method is to enable
synchronous-to-asynchronous PPP frame conversion in the ISDN TA.
- LCP -- PPP LCP (Link Control Protocol) provides a method of
establishing, configuring, maintaining, and terminating a
point-to-point connection. Before any network-layer datagrams (for
example, IP) can be exchanged, LCP must first open the connection
and negotiate configuration parameters. This phase is complete
when a configuration acknowledgment frame has been both sent and
received.
- PPP authentication -- PPP
authentication is used to provide primary security on ISDN and
other PPP encapsulated links. The PPP authentication protocols
(PAP and CHAP) are defined in RFC 1334, with CHAP later revised in
RFC 1994 (and you can find more information about them in Chapter
10, "PPP"). After LCP has established the PPP connection, an
optional authentication phase runs before the Network Control
Protocols (NCPs) negotiate and establish network-layer service. If
authentication is needed, it must be negotiated as the
Authentication-Protocol option during the LCP establishment phase;
the side that requires authentication proposes the protocol in its
Configure-Request. Authentication can be bidirectional (each side
authenticates the other, which is the default for CHAP on Cisco
routers) or unidirectional (one side, typically the called side,
authenticates the other, as is usual with PAP).
PPP authentication is enabled with the ppp
authentication interface configuration
command (for example, ppp authentication chap, or ppp authentication
chap pap to accept either protocol). PAP and CHAP can be used to
authenticate the remote connection. CHAP is considered the superior
authentication protocol because it uses a three-way handshake
(Challenge, Response, then Success or Failure) in which the peer returns
an MD5 hash of the challenge and the shared secret, so the secret is never
sent in clear text on the PPP link. Two caveats remain: both routers must
store the secret in recoverable form so they can compute the hash, and a
captured challenge/response pair can be attacked offline by guessing, so
CHAP secrets must be long and random rather than dictionary words. PAP,
by contrast, sends both the username and the password in the clear in its
Authenticate-Request, so anyone able to capture the link learns the
credentials directly.
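The following is an added example, not code from the book or from any router vendor. It walks through the LCP Authentication-Protocol negotiation described above, then a complete CHAP three-way handshake with both the peer's and the authenticator's computations, a PAP Authenticate-Request for contrast, and the offline-guessing caveat. The packet layouts follow RFC 1661, RFC 1334 and RFC 1994; the hostnames, secret and fixed challenge value are constructed sample data and the policy in answer_conf_req (refuse PAP, ask for CHAP/MD5) is an assumption chosen for the demonstration.

```python
"""Added example: LCP auth-option negotiation, CHAP handshake, PAP contrast.
Hostnames, secrets and the fixed challenge are constructed sample values."""
import hashlib
import hmac
import struct

CONF_REQ, CONF_ACK, CONF_NAK = 1, 2, 3          # LCP codes (RFC 1661)
OPT_AUTH_PROTO = 3                              # LCP option: Authentication-Protocol
PROTO_PAP, PROTO_CHAP = 0xC023, 0xC223          # PPP protocol numbers
CHAP_MD5 = 5                                    # CHAP algorithm field: MD5
WANT_CHAP = struct.pack("!HB", PROTO_CHAP, CHAP_MD5)


def lcp_packet(code, ident, options):
    """Code | Identifier | Length | options encoded as Type/Length/Data."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_lcp(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length > len(pkt):
        raise ValueError("LCP length exceeds packet")
    opts, i = [], 4
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed LCP option")
        opts.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, opts


def answer_conf_req(pkt):
    """Assumed peer policy: the authenticator's Configure-Request names the
    protocol the peer must use; a PAP demand is Nak'ed with CHAP/MD5."""
    code, ident, opts = parse_lcp(pkt)
    if code != CONF_REQ:
        raise ValueError("expected Configure-Request")
    naks = [(t, WANT_CHAP) for t, v in opts if t == OPT_AUTH_PROTO and v != WANT_CHAP]
    return lcp_packet(CONF_NAK if naks else CONF_ACK, ident, naks or opts)


def chap_packet(code, ident, payload):      # codes: 1 Challenge, 2 Response, 3 Success, 4 Failure
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def chap_challenge(ident, authenticator_name, challenge):
    """Authenticator -> peer: Value-Size | Value | Name (a real router draws
    the challenge from a CSPRNG; a fixed one is used here for repeatability)."""
    return chap_packet(1, ident, bytes([len(challenge)]) + challenge + authenticator_name)


def chap_response(chal_pkt, peer_name, secret):
    """Peer -> authenticator: MD5(Identifier || secret || challenge) plus the
    peer's name. The secret itself never appears on the link."""
    ident, vsize = chal_pkt[1], chal_pkt[4]
    challenge = chal_pkt[5:5 + vsize]
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return chap_packet(2, ident, bytes([len(digest)]) + digest + peer_name)


def chap_verify(resp_pkt, challenge, secrets):
    """Authenticator: recompute the digest from the stored secret for the
    claimed name (stored in recoverable form) and answer Success or Failure."""
    ident, vsize = resp_pkt[1], resp_pkt[4]
    digest, name = resp_pkt[5:5 + vsize], resp_pkt[5 + vsize:]
    secret = secrets.get(name)
    if secret is not None:
        expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
        if hmac.compare_digest(digest, expected):
            return chap_packet(3, ident, b"")
    return chap_packet(4, ident, b"")


def pap_request(ident, peer_id, password):
    """PAP Authenticate-Request: Peer-ID and Password are sent in the clear."""
    payload = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(payload)) + payload


def crack_chap(chal_pkt, resp_pkt, wordlist):
    """Caveat: a captured challenge/response pair lets an attacker guess the
    secret offline, so CHAP secrets must not be dictionary words."""
    ident, vsize = chal_pkt[1], chal_pkt[4]
    challenge, digest = chal_pkt[5:5 + vsize], resp_pkt[5:5 + resp_pkt[4]]
    for guess in wordlist:
        if hashlib.md5(bytes([ident]) + guess + challenge).digest() == digest:
            return guess
    return None


def run_demo():
    """Constructed hq-router (authenticator) / branch-ta (peer) exchange."""
    secrets = {b"branch-ta": b"c0rrect-h0rse"}       # authenticator's username table
    pap_demand = lcp_packet(CONF_REQ, 1, [(OPT_AUTH_PROTO, struct.pack("!H", PROTO_PAP))])
    nak = answer_conf_req(pap_demand)                  # peer refuses cleartext PAP
    ack = answer_conf_req(lcp_packet(CONF_REQ, 2, [(OPT_AUTH_PROTO, WANT_CHAP)]))
    challenge = bytes(range(16))
    chal = chap_challenge(7, b"hq-router", challenge)
    resp = chap_response(chal, b"branch-ta", secrets[b"branch-ta"])
    good = chap_verify(resp, challenge, secrets)
    bad = chap_verify(chap_response(chal, b"branch-ta", b"wrong"), challenge, secrets)
    pap = pap_request(1, b"branch-ta", b"c0rrect-h0rse")
    return {"lcp_nak": nak[0], "lcp_ack": ack[0], "chap_good": good[0], "chap_bad": bad[0],
            "pap_leaks_secret": b"c0rrect-h0rse" in pap,
            "chap_leaks_secret": b"c0rrect-h0rse" in resp,
            "cracked": crack_chap(chal, resp, [b"password", b"c0rrect-h0rse"])}


if __name__ == "__main__":
    print(run_demo())
```

The demonstration returns the LCP Nak (code 3) for the PAP demand and the Ack (code 2) once CHAP/MD5 is proposed, CHAP Success (3) for the right secret and Failure (4) for the wrong one, and shows that the secret is a readable substring of the PAP frame but not of the CHAP response, while crack_chap still recovers it from the wordlist.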