Seguridad y Redes: PPP

a las 16:01

HDLC (High-Level Data Link Control, control de enlace síncrono de datos) es un protocolo de comunicaciones de propósito general punto a punto y multipunto, que opera a nivel de enlace de datos. Se basa en ISO 3309 e ISO 4335. Surge como una evolución del anterior SDLC. Proporciona recuperación de errores en caso de pérdida de paquetes de datos, fallos de secuencia y otros, por lo que ofrece una comunicación confiable entre el transmisor y el receptor. De este protocolo derivan otros como LAPB, LAPF, LLC y PPP.

Configuración de HDLC

R1#configure terminal
R1(config)#interface Serial0/0
R1(config-if)#encapsulation hdlc
R1(config-if)#ip address 192.168.12.1 255.255.255.252
R1(config-if)#no shutdown

R2#configure terminal
R2(config)#interface Serial0/0
R2(config-if)#encapsulation hdlc
R2(config-if)#ip address 192.168.12.2 255.255.255.252
R2(config-if)#no shutdown

R1#show interface Serial0/0
Serial0/0 is up, line protocol is up
Hardware is GT96K Serial
Internet address is 192.168.12.1/30
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
CRC checking enabled
Last input 00:00:01, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:34:44
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
     239 packets input, 16566 bytes, 0 no buffer
     Received 234 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     249 packets output, 17471 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up

R2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/35/72 ms

Point-to-Point Protocol

Point-to-point Protocol (Protocolo punto a punto), también conocido por su acrónimo PPP, es un protocolo de nivel de enlace estandarizado en el documento RFC 1661. Por tanto, se trata de un protocolo asociado a la pila TCP/IP de uso en Internet.

R1#configure terminal
R1(config)#interface Serial0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ip address 192.168.12.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#

R2#configure terminal
R2(config)#interface Serial0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ip address 192.168.12.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#

R2#show interface Serial0/0
Serial0/0 is up, line protocol is up
Hardware is GT96K Serial
Internet address is 192.168.12.2/30
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, loopback not set
Keepalive set (10 sec)
CRC checking enabled
Last input 00:00:16, output 00:00:08, output hang never
Last clearing of "show interface" counters 00:06:03
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
     83 packets input, 3580 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     83 packets output, 3580 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up

R2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/46/68 ms

Comandos debug de PPP

debug ppp authentication
debug ppp negotiation
debug ppp packet
debug ppp error
debug ppp chap

a las 20:54

Configuración de PPP y CHAP

En este post veremos como configurar PPP (Point-to-Point Protocol) y CHAP (Challenge Handshake Authentication Protocol), en primer lugar debemos de comprender que tipo de conexión estamos haciendo. Un diagrama de red nos podría ayudar, tal como se muestra en la siguiente imagen donde se muestra una conexión básica de PPP y CHAP.

Configuración de PPP y CHAP en el Router2

Router#configure terminal
Router(config)#hostname Router1
Router1(config)#username Router2 password cisco
Router1(config)#interface serial1/0
Router1(config-if)#clockrate 64000
Router1(config-if)#ip address 192.168.1.130 255.255.255.252
Router1(config-if)#encapsulation ppp
Router1(config-if)#ppp authentication chap
Router1(config-if)#no shut
Router1(config-if)#end
Router1#ping 192.168.1.129

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/72/156 ms

Configuración de PPP y CHAP en el Router2

Router#configure terminal
Router(config)#hostname Router2
Router2(config)#username Router1 password cisco
Router2(config)#interface serial1/0
Router2(config-if)#ip address 192.168.1.129 255.255.255.252
Router2(config-if)#encapsulation ppp
Router2(config-if)#ppp authentication chap
Router2(config-if)#no shut
Router2(config-if)#end
Router2#ping 192.168.1.130

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.130, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/46/92 ms

Troubleshooting PPP y CHAP

Ahora que tenemos configurado PPP + CHAP, verificaremos la configuración de PPP en las interfaces configurada con el comando show interface, como se muestra a continuación.

Verificacion de la interface serial1/0 en el Router1

Router1#show interface serial1/0
Serial1/0 is up, line protocol is up
Hardware is M4T
Internet address is 192.168.1.130/30
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, crc 16, loopback not set
Keepalive set (10 sec)
Restart-Delay is 0 secs
Last input 00:00:25, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:04:19
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations  0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
31 packets input, 1988 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
33 packets output, 1419 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
1 carrier transitions     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Verificación de la interface serial1/0 en el Router2

Router2#show interface serial1/0
Serial1/0 is up, line protocol is up
Hardware is M4T
Internet address is 192.168.1.129/30
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: IPCP, CDPCP, crc 16, loopback not set
Keepalive set (10 sec)
Restart-Delay is 0 secs
Last input 00:00:07, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:03:09
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations  0/1/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 1158 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
34 packets input, 1727 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
35 packets output, 2052 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
1 carrier transitions     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Comandos debug de PPP

Estos comandos nos puedes ser utilices para mostrar el proceso de PPP en las interfaces. También sirven de gran ayuda para administrar la red y así resolver problemas de enlace. Los comandos mas útiles son los siguientes.

Debugging PPP Authentication

El comando debug ppp authentication nos mostrara el proceso de autenticación de CHAP. Si la encapsulacion PPP y la autención estan configurados correctamente en los routers, asi como los nombres de usuario con sus respectivas contraseñas, se mostrara en la salida algo similar a lo siguiente.

Router1#debug ppp authentication
PPP authentication debugging is on
Router1#
*Mar  1 00:16:42.699: Se1/0 PPP: Authorization required
*Mar  1 00:16:42.707: Se1/0 CHAP: O CHALLENGE id 3 len 28 from "Router1"
*Mar  1 00:16:42.707: Se1/0 CHAP: I CHALLENGE id 3 len 28 from "Router2"
*Mar  1 00:16:42.711: Se1/0 CHAP: I RESPONSE id 3 len 28 from "Router2"
*Mar  1 00:16:42.723: Se1/0 PPP: Sent CHAP LOGIN Request
*Mar  1 00:16:42.723: Se1/0 CHAP: Using hostname from unknown source
*Mar  1 00:16:42.727: Se1/0 CHAP: Using password from AAA
*Mar  1 00:16:42.727: Se1/0 CHAP: O RESPONSE id 3 len 28 from "Router1"
*Mar  1 00:16:42.731: Se1/0 PPP: Received LOGIN Response PASS
*Mar  1 00:16:42.735: Se1/0 PPP: Sent LCP AUTHOR Request
*Mar  1 00:16:42.739: Se1/0 PPP: Sent IPCP AUTHOR Request
*Mar  1 00:16:42.743: Se1/0 LCP: Received AAA AUTHOR Response PASS
*Mar  1 00:16:42.747: Se1/0 IPCP: Received AAA AUTHOR Response PASS
*Mar  1 00:16:42.747: Se1/0 CHAP: O SUCCESS id 3 len 4
*Mar  1 00:16:42.935: Se1/0 CHAP: I SUCCESS id 3 len 4
*Mar  1 00:16:42.939: Se1/0 PPP: Sent CDPCP AUTHOR Request
*Mar  1 00:16:42.943: Se1/0 PPP: Sent IPCP AUTHOR Request
*Mar  1 00:16:42.955: Se1/0 CDPCP: Received AAA AUTHOR Response PASS
Router1#

Debug PPP Negotiation

Este comando nos muestra los procesos de negociacion de PPP, aqui un ejemplo.

Router1#debug ppp negotiation
PPP protocol negotiation debugging is on
Router1#
*Mar  1 00:20:47.199: Se1/0 LCP: I CONFREQ [Open] id 5 len 15
*Mar  1 00:20:47.199: Se1/0 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 00:20:47.199: Se1/0 LCP:    MagicNumber 0x011C567B (0x0506011C567B)
*Mar  1 00:20:47.203: Se1/0 CDPCP: State is Closed
*Mar  1 00:20:47.203: Se1/0 IPCP: State is Closed
*Mar  1 00:20:47.207: Se1/0 PPP: Phase is TERMINATING
*Mar  1 00:20:47.211: Se1/0 PPP: Phase is ESTABLISHING
*Mar  1 00:20:47.211: Se1/0 LCP: O CONFREQ [Open] id 8 len 15
*Mar  1 00:20:47.211: Se1/0 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 00:20:47.215: Se1/0 LCP:    MagicNumber 0x001D100F (0x0506001D100F)
*Mar  1 00:20:47.215: Se1/0 LCP: O CONFACK [Open] id 5 len 15
*Mar  1 00:20:47.215: Se1/0 LCP:    AuthProto CHAP (0x0305C22305)
*Mar  1 00:20:47.215: Se1/0 LCP:    MagicNumber 0x011C567B (0x0506011C567B)
*Mar  1 00:20:47.219: Se1/0 IPCP: Remove route to 192.168.1.129
*Mar  1 00:20:47.223: Se1/0 LCP: I CONFACK [ACKsent] id 8 len 15
*Mar  1 00:20:47.227: Se1/0 LCP: AuthProto CHAP (0x0305C22305)
*Mar  1 00:20:47.227: Se1/0 LCP:  MagicNumber 0x001D100F (0x0506001D100F)
*Mar  1 00:20:47.227: Se1/0 LCP: State is Open
*Mar  1 00:20:47.227: Se1/0 PPP: Phase is AUTHENTICATING, by both
*Mar  1 00:20:47.231: Se1/0 CHAP: O CHALLENGE id 5 len 28 from "Router1"
*Mar  1 00:20:47.231: Se1/0 CHAP: I CHALLENGE id 5 len 28 from "Router2"
*Mar  1 00:20:47.235: Se1/0 CHAP: I RESPONSE id 5 len 28 from "Router2"
*Mar  1 00:20:47.235: Se1/0 PPP: Phase is FORWARDING, Attempting Forward
*Mar  1 00:20:47.243: Se1/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar  1 00:20:47.247: Se1/0 CHAP: Using hostname from unknown source
*Mar  1 00:20:47.247: Se1/0 CHAP: Using password from AAA
*Mar  1 00:20:47.247: Se1/0 CHAP: O RESPONSE id 5 len 28 from "Router1"
*Mar  1 00:20:47.251: Se1/0 PPP: Phase is FORWARDING, Attempting Forward
*Mar  1 00:20:47.255: Se1/0 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar  1 00:20:47.263: Se1/0 CHAP: O SUCCESS id 5 len 4
*Mar  1 00:20:47.455: Se1/0 CHAP: I SUCCESS id 5 len 4
*Mar  1 00:20:47.459: Se1/0 PPP: Phase is UP
*Mar  1 00:20:47.459: Se1/0 IPCP: O CONFREQ [Closed] id 1 len 10
*Mar  1 00:20:47.459: Se1/0 IPCP:    Address 192.168.1.130 (0x0306C0A80182)
*Mar  1 00:20:47.463: Se1/0 PPP: Process pending ncp packets
*Mar  1 00:20:47.463: Se1/0 IPCP: I CONFREQ [REQsent] id 1 len 10
*Mar  1 00:20:47.467: Se1/0 IPCP:    Address 192.168.1.129 (0x0306C0A80181)
*Mar  1 00:20:47.467: Se1/0 AAA/AUTHOR/IPCP: Start.  Her address 192.168.1.129, we want 0.0.0.0
*Mar  1 00:20:47.471: Se1/0 CDPCP: I CONFREQ [Closed] id 1 len 4
*Mar  1 00:20:47.479: Se1/0 AAA/AUTHOR/IPCP: Reject 192.168.1.129, using 0.0.0.0
*Mar  1 00:20:47.479: Se1/0 AAA/AUTHOR/IPCP: Done.  Her address 192.168.1.129, we want 0.0.0.0
*Mar  1 00:20:47.483: Se1/0 IPCP: O CONFACK [REQsent] id 1 len 10
*Mar  1 00:20:47.483: Se1/0 IPCP:    Address 192.168.1.129 (0x0306C0A80181)
*Mar  1 00:20:47.483: Se1/0 IPCP: I CONFACK [ACKsent] id 1 len 10
*Mar  1 00:20:47.483: Se1/0 IPCP:    Address 192.168.1.130 (0x0306C0A80182)
*Mar  1 00:20:47.487: Se1/0 IPCP: State is Open
*Mar  1 00:20:47.487: Se1/0 CDPCP: O CONFREQ [Closed] id 1 len 4
*Mar  1 00:20:47.499: Se1/0 IPCP: Install route to 192.168.1.129
*Mar  1 00:20:47.547: Se1/0 CDPCP: I CONFACK [REQsent] id 1 len 4
*Mar  1 00:20:49.463: Se1/0 CDPCP: Timeout: State ACKrcvd
*Mar  1 00:20:49.463: Se1/0 CDPCP: O CONFREQ [ACKrcvd] id 2 len 4
*Mar  1 00:20:49.503: Se1/0 CDPCP: I CONFACK [REQsent] id 2 len 4
*Mar  1 00:20:49.527: Se1/0 CDPCP: I CONFREQ [ACKrcvd] id 2 len 4
*Mar  1 00:20:49.527: Se1/0 CDPCP: O CONFACK [ACKrcvd] id 2 len 4
*Mar  1 00:20:49.527: Se1/0 CDPCP: State is Open

Los otros comandos utiles son los siguientes:

debug ppp packet
debug ppp error
debug ppp chap

Seguridad y Redes

Configuración de PPP y CHAP

Labels

Popular Posts