Cabletron Systems CSX200 manual Point-to-Point Protocol PPP, PAP and CHAP Security

Models: CSX200


CSX200 Firmware Support

The ANSI standard defines a mechanism for the network to signal the existence of congestion, called Explicit Congestion Notification (ECN) bits. Frame Relay uses FECN (Forward ECN) and BECN (Backward ECN) bits to notify end user devices about network congestion. Although the Frame Relay Protocol does not respond to congestion, some higher layer protocols for end-user devices may respond to ECNs by recognizing that delays have increased, or that frames have been dropped.

Point-to-Point Protocol (PPP)

PPP is a data link layer industry standard WAN protocol for transferring multi-protocol data traffic over point-to-point connections. With this protocol, options such as security, data compression, and network protocols can be negotiated over the connection. Data compression allows Frame Relay to negotiate compression over Frame Relay permanent virtual circuits (PVCs). Frame Relay is a packet-switching data communications protocol that statistically multiplexes many data conversations over a single transmission link.

The CSX200 supports synchronous PPP over an ISDN WAN port (WPIM-S/T). In Single Link Mode, PPP uses one ISDN B channel for data transmission. PPP runs over each ISDN B channel for two separate conversations (split B channel). In Multi-Link Protocol mode, PPP simultaneously sends and receives data over two ISDN B channels on the same connection to optimize bandwidth usage. The STAC Electronics Stacker LZS Compression Protocol is supported over PPP, providing up to 4:1 data compression.

PAP and CHAP Security

The CSX200 supports the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) under PPP.

PAP provides verification of passwords between devices using a two-way handshake. One device (peer) sends the system name and password to the other device (authenticator). Then the authenticator checks the peer’s password against the configured remote peer’s password and returns acknowledgment.

CHAP is more secure than PAP because unencrypted passwords are not sent across the network. CHAP uses a 3-way handshake and supports full or half-duplex operation. In half-duplex operation, the authenticator device challenges the peer device by generating a CHAP challenge. The challenge contains an MD5 algorithm with a random number that is used with your encrypted password and system name. The peer device then applies a one-way hash algorithm to the random number and returns this encrypted information along with the system name in the CHAP response. The authenticator then runs the same algorithm and compares the result with the expected value. This authentication method depends upon a password or secret known only to the two ends of the link, each holding it locally.
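The half-duplex exchange described above, as an added example that is not taken from the CSX200 manual or firmware: it builds and parses CHAP Challenge and Response packets using the RFC 1994 layout and shows that a captured response fails against a fresh challenge. The system names and the secret are constructed sample values.

```python
import hashlib, hmac, os, struct

CHALLENGE, RESPONSE = 1, 2  # CHAP packet codes from RFC 1994

def build_packet(code, ident, value, name):
    """Code | Identifier | Length | Value-Size | Value | Name (RFC 1994, section 4.1)."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad CHAP length")
    size = pkt[4]
    if 5 + size > length:
        raise ValueError("value overruns packet")
    return code, ident, pkt[5:5 + size], pkt[5 + size:]

def chap_md5(ident, secret, challenge):
    # Response value is MD5(Identifier || secret || challenge); the secret never leaves the device.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def make_challenge(ident, auth_name):
    # Authenticator side: a fresh random number for every challenge.
    return build_packet(CHALLENGE, ident, os.urandom(16), auth_name)

def peer_respond(challenge_pkt, peer_name, secret):
    code, ident, challenge, _auth_name = parse_packet(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("not a challenge")
    return build_packet(RESPONSE, ident, chap_md5(ident, secret, challenge), peer_name)

def authenticator_verify(challenge_pkt, response_pkt, secrets):
    _, ident, challenge, _ = parse_packet(challenge_pkt)
    code, r_ident, value, peer_name = parse_packet(response_pkt)
    secret = secrets.get(peer_name)  # secret configured locally for this peer name
    if code != RESPONSE or r_ident != ident or secret is None:
        return False
    # Recompute the hash and compare in constant time.
    return hmac.compare_digest(value, chap_md5(ident, secret, challenge))

if __name__ == "__main__":
    secrets = {b"branch-csx": b"constructed-secret"}  # constructed sample values
    c1 = make_challenge(1, b"hq-router")
    r1 = peer_respond(c1, b"branch-csx", secrets[b"branch-csx"])
    print("fresh response accepted:", authenticator_verify(c1, r1, secrets))
    c2 = make_challenge(2, b"hq-router")
    print("replayed response accepted:", authenticator_verify(c2, r1, secrets))
```

With PAP the same configured password would appear verbatim in the request, which is why a capture of a PAP exchange is enough to authenticate later while a capture of this exchange is not.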

CSX200 Installation Guide
