Point-to-Point Protocol (PPP)

Functions of PPP
It creates the header and trailer for passing data frames over the link.

It supports synchronous as well as asynchronous links.

It allows more than one Layer 3 protocol to pass over the same link by defining a protocol Type field in the header.

It provides authentication using the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP).

It defines control protocols that help the higher-layer protocols passing over a PPP link to function properly.

PPP Frame





PPP defines a protocol type field. This field describes the type of packet the frame contains. It allows packets from multiple different Layer 3 protocols to pass over the same link.



PPP consists of two control protocols: 

1) Link Control Protocol (LCP): This protocol performs the task of forming, maintaining and ending the point-to-point connection. It provides authentication as well. LCP focuses only on Layer 2 protocols over the PPP link.

2) Network Control Protocol (NCP): NCP focuses on Layer 3 protocols for transport across the PPP link. It supports the simultaneous use of multiple network layer protocols.

PPP Authentication
PPP consists of two authentication protocols: PAP and CHAP.



PAP Authentication Process
In PAP, the device that wants to be authenticated by the other device starts by sending a message to prove its identity. This message contains a secret password in clear text, as shown in the figure below:




In the above figure, R1 is the device that wants to be authenticated by R2. R1 starts the authentication process by sending a message that contains its password in clear text. R2 is already configured with R1's password, so when R2 receives the message from R1, it checks its database and, if the password is correct, confirms that R1 is the correct device. It then sends an acknowledgment message to R1.
CHAP Authentication Process
CHAP is more secure than PAP. The messages are different and the password is hidden. The authenticating device starts the process with a challenge message, which asks the other device for a response. The device that needs to be authenticated replies to this challenge message. The reply hides the password by sending a hash value of that password instead of the password itself. The authenticating device is preconfigured with the other device's username and password, so it can confirm that the hash value sent by the other device is correct. If the password is correct, the authenticating device sends back a third message to confirm the successful authentication.






Let's walk through an example of the CHAP process. In the above figure, R1 is the authenticating device and R2 is the device that needs to be authenticated by R1.

First, R1 sends a challenge message to R2, asking it to prove its identity. R2 then sends the hashed value of its password. When R1 receives that hash value, it checks whether the hash value is correct. If it is, R1 sends an acknowledgment message confirming that the password is accepted. Note that R2 does not send its password; it sends the hash value of the password instead. This is how the CHAP process protects the password.

CHAP uses a one-way hash algorithm called Message Digest 5 (MD5). The password is the input to the hash algorithm. The CHAP process uses each hash value only one time, so a copy of the hash value cannot be used again.
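
The exchange described above, as an added Python example (not part of the original page). It follows RFC 1994, where the MD5 input is the Identifier, the password (shared secret) and the challenge value, which is why a captured response is rejected against the next challenge. The class name, the username "R2" and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value per RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """R1 in the page's example: issues challenges and checks responses."""

    def __init__(self, secrets_db: dict):
        self.secrets_db = secrets_db   # username -> shared secret
        self.next_id = 0
        self.pending = {}              # identifier -> outstanding challenge

    def challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256   # Identifier is one octet
        value = os.urandom(16)         # fresh, unpredictable for every attempt
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        # pop(): each challenge is accepted at most once
        value = self.pending.pop(identifier, None)
        secret = self.secrets_db.get(username)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)

def demo():
    secret = b"constructed-shared-secret"        # constructed sample value
    r1 = Authenticator({"R2": secret})
    ident, chal = r1.challenge()                 # message 1: Challenge
    resp = chap_response(ident, secret, chal)    # message 2: computed on R2
    first = r1.verify(ident, "R2", resp)         # message 3: Success
    same_again = r1.verify(ident, "R2", resp)    # challenge already consumed
    ident2, _ = r1.challenge()
    replayed = r1.verify(ident2, "R2", resp)     # old hash, new challenge
    return first, same_again, replayed

if __name__ == "__main__":
    print(demo())
```

The password never crosses the link in this exchange, but both ends must hold it in a form that can be fed into the hash.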