What Is PPPoE? What Problems Does PPPoE Solve?
PPPoE (Point-to-Point Protocol over Ethernet) is a link-layer protocol that runs PPP over Ethernet. It sets up PPP sessions on the Ethernet and encapsulates PPP frames into PPPoE frames. PPPoE connects users to a remote access device, providing cost-effective user access and excellent user access control.
PPPoE supports remote access to multiple user hosts over an Ethernet and provides accounting data (such as the number of incoming and outgoing packets, number of bytes, start time, and end time of a connection) for transmission. This helps resolve issues such as Internet access charging. PPPoE is widely applied for carrier network access.
What Problems Does PPPoE Solve?
PPP stands for Point-to-Point Protocol. With PPP, one node can access only one other specified node. PPP is located at the second layer in the Open Systems Interconnection (OSI) reference model and at the data link layer in the TCP/IP model. It is mainly used for point-to-point data transmission over full-duplex asynchronous links. Identity authentication is an important function of PPP. However, with PPP, the identity authentication protocol packets of the communicating parties do not provide address information. Because Ethernet is a broadcast multi-access network, PPP cannot be directly applied to Ethernet links.
Ethernet is easy to use and cost-effective, but on an Ethernet broadcast network the two communicating parties cannot authenticate each other's identities. As such, the communication is not secure.
PPPoE solves these problems while ensuring low-cost network operations based on the existing network structure. It authenticates the identities of the two communicating parties like PPP, but with the benefits of Ethernet. Using the PPP networking structure, PPP packets are encapsulated into PPPoE packets to implement point-to-point communication on an Ethernet. In this way, clients on the Ethernet can connect to the remote broadband access device.
PPPoE Characteristics
- PPPoE integrates the advantages of PPP and implements functions such as identity authentication and encryption unsupported by traditional Ethernet.
- PPPoE uses unique session IDs to ensure user security.
PPPoE has the following practical characteristics:
- PPPoE dial-up is the most common method of enabling terminals to connect to the Internet service provider (ISP) network for broadband access.
- PPPoE can be used on Ethernet cables, such as cable modems and digital subscriber lines (DSLs), to provide access services for users through Ethernet protocols.
Simply put, PPPoE combines the cost-effectiveness of Ethernet with the manageability and controllability of PPP to provide Internet access. For carriers, it can fully utilize the current architecture of telecommunication access networks and current dial-up network resources, without any major changes in operations and management. For users, it provides a similar experience to dial-up Internet access.
How Is a PPPoE Connection Established?
This section describes the PPPoE packet structure and the stages of PPPoE connection establishment.
PPPoE Packets
Field | Description |
---|---|
Ver | Indicates a PPPoE version number. This field is 4 bits long and must be set to 0x01. |
Type | Indicates a PPPoE type. This field is 4 bits long and must be set to 0x01. |
Code | Indicates a PPPoE packet type. This field is 8 bits long. The value can be: |
Session_ID | Indicates a PPP session ID. This field is 16 bits long. The value is fixed for a given PPP session and defines a PPP session along with the Ethernet source and destination addresses. A value of 0xffff is reserved for future use and cannot be used. |
Length | Indicates the length of the PPPoE payload. This field is 16 bits long. The value excludes the length of the Ethernet and PPPoE headers. |
Stages of PPPoE Connection Establishment
To understand the stages of PPPoE connection establishment, you need to understand the roles involved in the PPPoE network architecture.
PPPoE uses the client/server model. On the network shown in the following figure, the basic roles in PPPoE networking are the PPPoE client, PPPoE server (usually the BRAS), and RADIUS device.
Networking diagram of PPPoE access
The process in which a PPPoE user goes online has two stages: the discovery stage and the PPP session stage. In the discovery stage, a PPPoE server is selected, and the ID of the session to be established is determined. The PPP session stage is the standard PPP process, spanning LCP negotiation, CHAP/PAP authentication, and NCP negotiation.
Working process of PPPoE
The following figure shows the time sequence of the PPPoE discovery and PPP session stages.
Time sequence of the PPPoE discovery and PPP session stages
Discovery stage
In the discovery stage, the device allocates a session ID to the user. The session ID identifies a PPPoE virtual link between the user and the device.
- The PPPoE client broadcasts a PADI packet with the type of service being requested.
- After receiving the PADI packet, all PPPoE servers on the Ethernet compare the requested service in the packet with the services they can provide. The PPPoE server that can provide the requested service responds with a PADO packet.
- The PPPoE client can receive PADO packets from multiple PPPoE servers. The PPPoE client selects a qualified PPPoE server from those that return PADO packets based on certain conditions. The client then sends a PADR packet (non-broadcast) back to the selected server. The PADR packet carries information about the requested service.
- After receiving the PADR packet, the selected PPPoE server generates a unique session ID to identify the PPPoE session between the PPPoE server and PPPoE client. The PPPoE server replies to the PPPoE client with a PADS packet carrying the unique session ID. If there are no errors, the PPPoE server enters the PPP session stage. The PPPoE client also enters the PPP session stage after it receives the PADS packet if there are no errors.
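The header fields in the packet table and the four discovery steps above can be checked together in code. The following is an added example, not part of the original page: it parses PPPoE headers, enforces the Ver/Type, reserved Session_ID and Length rules, and confirms that a PADI/PADO/PADR/PADS exchange involves one client and one chosen server. The Code values, EtherTypes and Service-Name tag come from RFC 2516; the MAC addresses, session ID and function names are constructed for illustration.

```python
import struct

# Code values and EtherTypes are from RFC 2516; they are not listed on this page.
CODES = {0x00: "SESSION", 0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
ETH_DISCOVERY, ETH_SESSION, BROADCAST = 0x8863, 0x8864, b"\xff" * 6


def parse_pppoe(frame: bytes) -> dict:
    """Parse one Ethernet frame and enforce the PPPoE header rules from the table."""
    if len(frame) < 20:
        raise ValueError("shorter than Ethernet + PPPoE headers")
    ethertype, vertype, code, sid, length = struct.unpack("!HBBHH", frame[12:20])
    name = CODES.get(code)
    if name is None or ethertype != (ETH_SESSION if name == "SESSION" else ETH_DISCOVERY):
        raise ValueError("Code and EtherType do not describe a PPPoE frame")
    if vertype != 0x11:
        raise ValueError("Ver and Type must both be 1")
    if sid == 0xFFFF:
        raise ValueError("Session_ID 0xffff is reserved")
    if name in ("PADI", "PADO", "PADR") and sid != 0:
        raise ValueError(name + " must carry Session_ID 0")
    if length > len(frame) - 20:  # Length counts the payload only, not the headers
        raise ValueError("Length exceeds the bytes present")
    return {"dst": frame[0:6], "src": frame[6:12], "code": name,
            "session_id": sid, "payload": frame[20:20 + length]}


def build(dst: bytes, src: bytes, code: int, sid: int, payload: bytes = b"") -> bytes:
    """Construct a discovery frame (sample data for this example only)."""
    return dst + src + struct.pack("!HBBHH", ETH_DISCOVERY, 0x11, code, sid, len(payload)) + payload


def discovery_session_id(frames: list) -> int:
    """Check a PADI/PADO/PADR/PADS exchange and return the session ID assigned in PADS."""
    padi, pado, padr, pads = [parse_pppoe(f) for f in frames]
    if [p["code"] for p in (padi, pado, padr, pads)] != ["PADI", "PADO", "PADR", "PADS"]:
        raise ValueError("unexpected discovery order")
    client, server = padi["src"], pado["src"]
    if (padi["dst"], pado["dst"], padr["src"], padr["dst"], pads["src"], pads["dst"]) != (
            BROADCAST, client, client, server, server, client):
        raise ValueError("addresses do not describe one client and its chosen server")
    if pads["session_id"] == 0:
        raise ValueError("server did not assign a session ID")
    return pads["session_id"]

CLIENT, SERVER = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
SERVICE_TAG = struct.pack("!HH", 0x0101, 0)  # empty Service-Name tag
EXCHANGE = [build(BROADCAST, CLIENT, 0x09, 0, SERVICE_TAG), build(CLIENT, SERVER, 0x07, 0, SERVICE_TAG),
            build(SERVER, CLIENT, 0x19, 0, SERVICE_TAG), build(CLIENT, SERVER, 0x65, 0x0011, SERVICE_TAG)]
```

Because Length is checked against the bytes actually received and the payload is sliced by Length, Ethernet padding after a short discovery packet is ignored rather than parsed as tags.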
PPP session stage
The PPP session stage includes LCP negotiation, PAP/CHAP authentication, and NCP negotiation.
- LCP negotiation
LCP negotiation starts during the PPP session stage. The LCP negotiation process is as follows:
- The PPPoE client and PPPoE server send LCP Configure-Request packets to each other.
- After receiving the Configure-Request packet, the client and server respond based on the negotiation options in the packet. (For details, see the following table.) If both ends reply with a Configure-ACK packet, the LCP link is successfully established. Before this occurs, both ends continually send LCP Configure-Request packets.
- If both ends reply with a Configure-ACK packet within the specified LCP negotiation interval and before the timer for LCP negotiation expires, the LCP link is successfully established.
- If no Configure-ACK packet is received before the timer for LCP negotiation expires, LCP negotiation is terminated.
- After the LCP link is established, the PPPoE server periodically sends LCP Echo-Request packets to the PPPoE client and receives Echo-Reply packets from the PPPoE client to check whether the LCP link is normal.
Table 1-2 List of response packet types

Response Packet Type | Description |
---|---|
Configure-ACK | If the LCP options received in a Configure-Request packet are all supported, the receive end replies with a Configure-ACK packet that carries the same LCP options as those in the Configure-Request packet. |
Configure-NAK | If the negotiation options received in a Configure-Request packet are supported but some values are not acceptable, the receive end replies with a Configure-NAK packet that carries the expected values of the local device. For example, if the Configure-Request packet carries an MRU value of 1500 but the local end expects an MRU value of 1492, the receive end fills the MRU value 1492 in the Configure-NAK packet. |
Configure-Reject | If negotiation options received in a Configure-Request packet are not supported, the receive end replies with a Configure-Reject packet that has the unsupported options. |
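The response rules in Table 1-2 and the resend-until-ACK behaviour described above can be expressed as a small decision function plus a negotiation loop. This is an added example, not code from the original page: option numbers and protocol values are from RFC 1661, RFC 1570, RFC 1334 and RFC 1994, while the local policy (MRU of at most 1492, CHAP only) and the function names are assumptions. A retry budget stands in for the LCP negotiation timer, and the Authentication-Protocol option is simplified to its 16-bit protocol number.

```python
# Option numbers and protocol values are from the PPP RFCs; the policy is constructed.
MRU, AUTH_PROTOCOL, CALLBACK = 1, 3, 13
PAP, CHAP = 0xC023, 0xC223

# Local policy: option -> (test for an acceptable value, value to propose in a NAK).
POLICY = {
    MRU: (lambda v: v <= 1492, 1492),
    AUTH_PROTOCOL: (lambda v: v == CHAP, CHAP),  # refuse cleartext PAP
}


def lcp_response(request: dict, policy: dict = POLICY) -> tuple:
    """Pick the reply to one Configure-Request, following Table 1-2."""
    unsupported = {opt: val for opt, val in request.items() if opt not in policy}
    if unsupported:  # Reject lists only the options that are not supported
        return "Configure-Reject", unsupported
    wanted = {opt: policy[opt][1] for opt, val in request.items() if not policy[opt][0](val)}
    if wanted:  # NAK carries the values the local end expects
        return "Configure-NAK", wanted
    return "Configure-ACK", dict(request)  # ACK echoes the request unchanged


def negotiate(request: dict, policy: dict = POLICY, max_requests: int = 5) -> tuple:
    """Resend Configure-Request until ACK; max_requests stands in for the LCP timer."""
    request, sent = dict(request), []
    for _ in range(max_requests):
        kind, options = lcp_response(request, policy)
        sent.append(kind)
        if kind == "Configure-ACK":
            return options, sent
        if kind == "Configure-NAK":
            request.update(options)  # adopt the values the peer proposed
        else:
            for opt in options:  # stop asking for rejected options
                del request[opt]
    return None, sent  # budget exhausted: negotiation is terminated
```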
- PAP/CHAP authentication
The authentication stage starts when LCP negotiation is complete. The two supported authentication methods are PAP and CHAP.
PAP authentication
PAP is a two-way handshake protocol that authenticates users based on usernames and passwords. The usernames and passwords are transmitted in cleartext. The PPPoE server (or RADIUS server) checks usernames and passwords against the local user table. This method is used when network security requirements are low.
CHAP authentication
CHAP is a three-way handshake protocol. It can be used by the PPPoE server (or RADIUS server) to check usernames and passwords against the local user table. In CHAP authentication mode, only the username (and not the password) is transmitted over the network. As such, CHAP authentication is more secure than PAP authentication.
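To make the difference between the two methods concrete, the following added example (not part of the original page) builds what each one sends. The PAP layout follows RFC 1334 and the CHAP response follows the MD5 method of RFC 1994; the user table, credentials and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

USER_TABLE = {"alice": "correct horse"}  # constructed local user table on the server


def pap_request(username: str, password: str) -> bytes:
    """Data field of a PAP Authenticate-Request (RFC 1334): both values in cleartext."""
    user, pwd = username.encode(), password.encode()
    return bytes([len(user)]) + user + bytes([len(pwd)]) + pwd


def chap_challenge() -> tuple:
    """Handshake step 1: the server picks an identifier and a fresh random challenge."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Step 2: the client answers with MD5(identifier || secret || challenge) (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Step 3: the server recomputes the value from its user table; True means Success."""
    secret = USER_TABLE.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def login(username: str, password: str) -> bool:
    """Run one complete CHAP exchange for the given credentials."""
    ident, challenge = chap_challenge()
    return chap_verify(username, ident, challenge, chap_response(ident, password, challenge))
```

Because the response depends on the challenge, a value recorded from one exchange does not verify against a different challenge, which is why the server must generate a new one for every authentication.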
- NCP negotiation
NCP negotiation mainly deals with network-layer parameters, such as IPCP and IPv6CP, in PPP packets. A PPPoE client mainly uses IPCP to obtain the IP address or IP address segment for network access.
The NCP negotiation process is similar to the LCP negotiation process. When NCP negotiation is successful, the PPPoE client can access the network normally.
The PPPoE client automatically goes online upon successful NCP negotiation. In this case, the PPPoE server (usually a BRAS) sends an accounting request packet to the RADIUS server, which performs accounting for the PPPoE client.
What Are the Differences Between PPPoE and IPoE?
PPPoE and Internet Protocol over Ethernet (IPoE) are the two most common user access methods. This section describes the differences between them.
IPoE is a user access method in which IP packets are directly encapsulated and transmitted over an Ethernet. IPoE uses DHCP (which does not provide functions such as link establishment, user authentication, or link monitoring) to provide IP addresses. IPoE combines DHCP and Extensible Authentication Protocol (EAP), such as web or 802.1X, to provide the same functions as PPPoE. For comparison details, see the following figure.
Comparison of PPPoE and IPoE
PPPoE authentication is easy to manage and provides strong security. However, it has a limited scope of network application and multicast service development. As such, PPPoE is widely applied in high-speed Internet (HSI) services and fiber broadband dial-up Internet access services to provide fast and convenient broadband access for campus, enterprise, and home users. IPoE supports self-management of the validity period of IP addresses and can be easily configured on a LAN, without client software. However, it needs to work with other protocols to perform authentication. IPoE is widely applied in Internet Protocol television (IPTV) and Voice over Internet Protocol (VoIP) services.
For security, IPoE requires the collaboration of the home gateway, network access device, and broadband network gateway. The security policies include anti-address spoofing, restriction of the number of terminals, anti-DoS attack, service isolation, suppression of unauthorized multicast sources, and port isolation. The multicast replication function can be implemented for devices close to users in IPoE multicast service scenarios. As such, IPoE is widely applied in IPTV and VoIP services.
- Author: Zhou Xiaoguang, Huang Huixian
- Updated on: 2024-12-17