Hypertec ISDN 10T Router RIP, SAP, PPP, PAP/CHAP, IPX Spoofing

Concepts and Principles of Operation

Novel IPX also uses Routing Information Protocol (RIP) as a routing protocol. Although it is similarly named to the IP equivalent, it uses a different protocol. IPX RIP broadcasts packets to the network every 60 seconds to inform other IPX routers or servers about its network. Upon receiving an IPX RIP packet, a router adds one to the hop count of each router advertised and broadcasts a RIP packet to other networks it is connected to.

Netware Servers such as file servers use SAP protocols to advertise their service throughout the network. A router such as Hypertec ISDN 10T Router listens to the SAP packets from servers to learn what services are available in the local network. Routers also exchange SAP packets so that the router can learn what services are available at the remote networks. With that global knowledge, the router is able to respond the “find nearest server” request for the remote IPX networks.

A Netware server regularly send a “keep alive” message to a logged -in client every 3-5 minutes for connectivity verification. If a client fails to respond within the allowed limit, the server closes the client’s connection. The IPX “keep alive” packets tend to keep the dial-up connection on line. To minimize the un-necessary dial-up connection time, Hypertec ISDN 10T Router is equipped with an IPX spoofing function which will return the “keep alive” on behalf of the remote Netware clients for a pre-configured period. A dial-up call may be triggered by the “keep alive” packets only after the spoofing timer expires.

The Point-to-Point Protocol (PPP) is the de-facto standard as the link encapsulation protocol for Internet Access. PPP consists of a suite of protocols including LCP, PAP, CHAP, IPCP and other related protocols. Link Control Protocol (LCP) is used to negotiate the link parameters, such as what authentication protocol to use. LCP is specified in RFC 1570. Password Authentication Protocol (PAP), and Challenge Authentication Protocol (CHAP) are used to inform the remote site (eg. ISP) about which router is connecting to it. CHAP and PAP are specified in RFC 1334. IPCP is used to negotiate IP specific parameters such IP address. IPCP is specified in RFC 1332.

When a CHAP authentication connection to the ISP is attempted, the remote router or access server sends a CHAP packet to HyperRoute. The CHAP packet "challenges" Hypertec Router to respond. The challenge packet consists of an ID, a random number, and the host name of the remote router. The required response consists of an encrypted version of the ID, a secret password, and the random number of the local name. When the remote router or access server receives the response, it verifies the secret password by performing the same encryption operation as indicated in the response and looking up the required host/user name. Hypertec Router and the remote router must agree on the identical secret passwords. By transmitting this response, the secret password is never transmitted in clear text, preventing other devices from stealing it and gaining illegal access to the system. Without the proper response, the remote will reject the PPP connection request.

If PAP authentication is enabled, when attempting to connect to the ISP or remote router, it is necessary to send an authentication request including the user name and password. If the user name and password are accepted, the ISP or the remote router sends an authentication acknowledgment to conclude the authentication process.

There is a configuration choice of two sets of authentication protocol and password. One set for Internet connection and one set for Intranet connections. Each set consists of two pairs of authentication configuration. The Dial-out authentication password pair is applied to the PPP connection initiated by Hypertec ISDN 10T Router. The call-in authentication-password pair is applied to the PPP connection initiated from the remote end. The dial-out authentication protocol (none, PAP, CHAP) specifies the authentication protocol that Hypertec ISDN 10T Router will insist on when initiating a PPP connection. The remote end is supposed to accept the specified authentication protocol for the PPP negotiation to proceed. The setting of “either” as the call-in authentication protocol allows

12