Archive for category Protocol

Inside the PPP stack

Direct from

Establishing A PPP Link:

PPP begins with LCP (Link Control Protocol). The first step, after a
communications channel becomes active, is for each side to send a
Configure-Request packet. This is a standard type of LCP packet that means
the sender is requesting configuration information. Assuming all goes well,
each side should respond in turn with a Configure-ACK packet. As soon as both
sides have sent a Configure-ACK packet, the link is considered established,
and the exchange moves on to the authentication phase. (If one side does not
accept the other side's Configure-Request packet, it will respond with a
Configure-Reject or a Configure-NAK packet.)

Authentication is actually optional; However, virtually all PPP servers will
implement it, since otherwise anybody could log in and start using the system
without authorization to do so. If authentication is used, the type of
authentication required will actually have already been specified; It is part
of the Configure-Request packets that were exchanged earlier. The
Configure-Request packet must explicitly describe if (for example) PAP or
CHAP authentication is desired. Thus, both systems already know what kind of
authentication to use once the authentication phase is reached.

Once the authentication phase is complete, LCP has done its job, and the NCPs
(Network Control Protocols) which the client wishes to use may begin. For
most dial-up Internet access situations, the main NCP used would be IPCP (IP
Control Protocol).

So what exactly goes into an LCP packet? A very basic LCP Configure-Request
packet is this:

01 01 00 04

This is the shortest possible Configure-Request packet. The first byte of an
LCP packet indicates what type of message it contains. The code for
Configure-Request is 1, so the first byte of a Configure-Request packet must
always be 1. The next byte is an identifier. This must be unique for each
separate LCP packet sent over the connection, and can be arbitrarily set to
anything. In this case, we're using 1 (a logical choice for the first
packet). The next two bytes indicate the size of the entire LCP packet, in
bytes. In this case, the whole packet is 4 bytes (the smallest possible LCP
packet). Thus, 0004 is used, and we are left with a complete LCP packet.

Unfortunately, you cannot just dial in to your ISP and send a raw LCP packet,
because they must be encapsulated in PPP format, which is considerably more
complicated. The standard for dial-up ISPs is to use "PPP in HDLC-like
framing", defined in RFC 1662. Under this system, each byte of actual data to
be sent is to be preceded by a 7Dh character (called a "control escape"
character), and the actual bytes are to be XORed with 20h before sending. (I
know, who's the genius who came up with THAT arrangement? It seems ludicrous,
but that's how PPP works.) So, our original LCP byte pattern, under this
system, becomes this:

7D 21 7D 21 7D 20 7D 24

This is almost a complete PPP frame, except for two additions: The beginning
and the end. A PPP LCP frame is supposed to begin with the following six
bytes: 7E FF 7D 23 C0 21. Also, each frame is to be ended with a 7E
character. Adding these to the previous byte string, we now have:

7E FF 7D 23 C0 21 7D 21 7D 21 7D 20 7D 24 7E

This is a complete PPP frame, which you can transmit to a dial-up ISP as soon
as the modem has connected, which will be a valid Configure-Request LCP
packet to it. Sending this to the ISP will probably make it begin
transmitting Configure-Request packets back to you (if it doesn't
automatically do so upon modem connect), and assuming you send it a
Configure-ACK, and it sends you a Configure-ACK as well, an LCP link has been

Now, of course, you've got to understand what the ISP sends you back. To
demonstrate, here's a fairly typical Configure-Request packet that you'll see
from a typical ISP. Slight variations are common, but this shows most of the
configuration options you'll see out there:

7E FF 7D 23 C0 21 7D 21 0F 7D xx xx 7D 22 7D 26 7D xx 7D xx 7D xx 7D xx
7D 23 7D 24 C0 23 7D 25 7D 26 xx xx xx xx 7D 27 7D 22 7D 28 7D 22
(If PPP Multilink Protocol (MP) is used): 7D 31 7D 24 7D xx xx
(If endpoint discriminator option is used): 7D 33 7D xx 7D 21 blah
(Final 3 bytes, consisting of FCS and closing 7E): xx xx 7E

The first six bytes are, again, a signal of the beginning of a PPP LCP frame.
Next, we have 7D 21, which is an LCP byte 1, meaning this is a
Configure-Request message. Immediately after the 21 is a byte 0F, which is
used for the identifier. (Different ISPs may choose different identifier
numbers, but it doesn't matter, it's just an arbitrary number for reference.)
Although technically, according to the RFC, the identifier number *should* be
preceded by another 7D character and XORed with 20, it seems to be in fashion
for ISPs to do neither. Thus, the identifier comes right after the 21, and is
transmitted in its true form, not XORed with 20.

After that comes two more LCP bytes; These are for the size of the entire LCP
packet, in bytes. The actual numbers are simply shown as xx here, since they
will vary. Although technically, you're supposed to use a 7D character for
each new character, it seems to be common practice among ISPs to transmit
both size bytes at once, so instead of 7D xx 7D xx, you might just see it
without the second 7D, to wit: 7D xx xx.

The first three standard LCP fields (packet code, packet identifier, and
packet length) have now been transmitted, and everything following are the
configuration options. You can tell which configuration option is being
configured by the first byte of it. In this case, the next byte after the
size bytes is an LCP byte 2, which is the code for an Async Control Character
Map (ACCM). Next is a 6, indicating that this whole option is 6 bytes long.
The 2 for the code and the 6 for the length count as part of that, meaning
the rest of the code is 4 bytes long. Following that are 4 LCP bytes, which
collectively form the actual ACCM. (Don't worry too much about what the ACCM
itself means right now.)

Next we have an LCP byte 3, which is the code for indicating authentication
protocol. After that is a 4, indicating this field is 4 bytes. The final 2
bytes come immediately without being 7D'd, and they are C0 23, which is the
code for PAP (Password Authentication Protocol). If CHAP were desired, C2 23
would have been used instead. (PAP and CHAP were originally documented in RFC
1334, "PPP Authentication Protocols". The CHAP specification was later
updated in RFC 1994.)

Next is an LCP byte 5, which is the code for a magic number. After that is a
6, meaning this field is 6 bytes long (including these actual code and length
bytes). Right after the 6 come four bytes which together make up the actual
magic number itself. (Does it seem odd that the ACCM had each byte preceded
by a 7D, while the magic number is transmitted directly and without
modification? It's rather silly, but that's how this stuff is implemented.)

Next comes LCP 7 and 2. These two bytes, together, are an indication that the
ISP is letting you know it wants to use Protocol Field Compression (PFC).
After that is an 8 and a 2, which lets you know it also wants to use Address
and Control Field Compression (ACFC).

There are other things which most ISPs nowadays include in the frame as well,
most of which are documented in RFC 1990, "The PPP Multilink Protocol (MP)".
Most common among these are the MRRU (Maximum Received Reconstructed Unit)
option and the endpoint discriminator option. The MRRU begins with an LCP
byte 11, which indicates the MRRU LCP option. (RFC 1990 states that it's a
17, but it's talking decimal, and we're talking hexadecimal here. 17 decimal
equals 11 hexadecimal.) After that is an LCP byte indicating the size of this
option, which is always 4. After that, two bytes in succession (which are not
separated by a 7D, although the first one is preceded by a 7D) which indicate
the actual MRRU size. If the system actually sends the MRRU option, this
indicates that the system sending it implements the PPP Multilink Protocol.
If not rejected, the system will continue to use the PPP MP.

The other PPP MP option commonly configured at this stage is the endpoint
discriminator option. This starts with an LCP byte 13. (Again, RFC 1990 says
this should be a 19, but it's talking decimal. 19 decimal equals 13
hexadecimal.) After that is an LCP byte stating the size of this option,
which is always 3 plus the length of the actual address specified in this
option (we'll get to the address in a moment). The next LCP byte is usually a
1, indicating a locally-assigned address. Immediately following the 1 is a
succession of bytes which are the actual address of the system specified in
this option. (These bytes are represented as "blah" in the sample PPP frame

The PPP frame closes with two bytes which you can safely ignore for now
(they're the FCS (Frame Check Sequence)). The final byte is 7E, which always
closes the PPP frame, just as it opens a new one. So, now you have seen a
fairly realistic PPP frame from an ISP, and you know what to expect in the
real world (pretty much). So how do we acknowledge this to the ISP? With a
Configure-ACK packet. Making a Configure-ACK packet is actually quite simple,
because all we need to do is mirror the options that were sent to us. In
fact, the complete packet would look almost exactly the same as the
Configure-Request packet it is acknowledging, except that instead of
beginning with an LCP byte 1, it begins with an LCP byte 2. The identifier
byte must be the same, the length will be the same, and all the options must
be transmitted back the same way, so the other side of the connection
understands that we are acknowledging all of them. Our complete PPP frame
that we transmit back, then, would look like this:

7E FF 7D 23 C0 21 7D 22 0F 7D xx xx 7D 22 7D 26 7D xx 7D xx 7D xx 7D xx
7D 23 7D 24 C0 23 7D 25 7D 26 xx xx xx xx 7D 27 7D 22 7D 28 7D 22
(If PPP Multilink Protocol (MP) is used): 7D 31 7D 24 7D xx xx
(If endpoint discriminator option is used): 7D 33 7D xx 7D 21 blah
xx xx 7E

Note that the only difference is, the eighth byte has been made 22 instead of
21, making it an LCP byte 2 instead of a 1. As soon as Configure-ACK packets
like this have been sent by each side, the LCP link is open and can continue
to authentication with PAP or CHAP, or to networking with an NCP if no
authentication was specified in the Configure packets.


Hamlton Vera