PPP multilink authentication and configuration

When multiple PPP links exist between the same two routers – parallel links – the routers must then determine how to use those links.  With HDLC links, and with PPP links using the simplest configuration, the routers must use Layer 3 load balancing.  This means that the routers have multiple routes for the same destination subnets.

Using Layer 3 logic, the router may choose to send one packet over one link, and the next packet over another.  However, because the packets might be of different sizes, the router may not balance the traffic equally over each link.  In some cases, particularly when most packets are sent to just a few destination hosts, the numbers of packets sent over each link might not even be balanced which may overload one of the links and leave another link idle.

Multilink PPP load-balances the traffic equally over the links while allowing the Layer 3 logic in each router to treat the parallel links as a single link.  When encapsulating a packet, PPP fragments the packet into smaller frames, sending one fragment over each link.  With two links, the router would create two frames for each Layer 3 packet, with each frame holding half the original packet.  Then, PPP sends one fragment of each original packet over each of the two links.  By sending about half of each packet over each link, multilink PPP can more evenly load-balance the traffic.  As an added benefit, multilink PPP allows the Layer 3 routing tables to use a single route that refers to the combined links, keeping the routing table smaller.  A group of interfaces would be called a multilink group.

PPP Authentication

The term authentication refers to a set of security functions that help one device confirm that the other device should be allowed to communicate and is not an impostor.  Authentication provides a way to prove one’s identity.

WAN authentication is most often needed when dial lines are used.  However, the configuration of the authentication features remains the same whether a leased line or dial line is used.

PAP and CHAP authenticate the endpoints on either end of a point-to-point serial link.  CHAP is the preferred method today because the identification process uses values hidden with a Message Digest 5 (MD5) one-way hash, which is more secure than the clear-text passwords sent by PAP.

Both PAP and CHAP require the exchange of messages between devices.  When a dialed line is used, the dialed-to router expects to receive a username and password from the dialing router with both PAP and CHAP.  Whether leased line or dial, with PAP, the username and password are sent in the first message.  With CHAP, the protocol begins with a message called a challenge, which asks the other router to send its username and password.

PAP flows are much less secure than CHAP because PAP sends the hostname and password in clear text in the message.  CHAP instead uses a one-way hash algorithm, with input to the algorithm being a password that never crosses the link, plus a shared random number.  The CHAP challenge states the random number; both routers are preconfigured with the password.  The challenged router runs the hash algorithm using the just-learned random number and the secret password and sends the results back to the router that sent the challenge.  The router that sent the challenge runs the same algorithm using the random number and the password.  If the results match, the passwords must match.

The most interesting part of the CHAP process is that at no time does the password itself ever cross the link.  With the random number, the hash value is different every time.  So even if someone sees the calculated hash value using a trace tool, the value is meaningless as a way to break in next time.  CHAP authentication is difficult to break, even with a tracing tool on the WAN link.