Chapter 5. Networking Configuration (205)
Prev   Next

Chapter 5. Networking Configuration (205)

Revision: $Revision: 955 $ ($Date: 2012-08-01 14:10:42 +0200 (Wed, 01 Aug 2012) $)

This objective has a weight of 13 points and contains the following objectives:

Objective 205.1; Basic Networking Configuration

Candidates should be able to configure a network device to be able to connect to a local, wired or wireless, and a wide-area network. This objective includes being able to communicate between various subnets within a single network.

Objective 205.2; Advanced Network Configuration and Troubleshooting

The candidate should be able to configure a network device to implement various network-authentication schemes. This objective includes configuring a multi-homed network device, configuring a virtual private network and resolving networking and communication problems.

Objective 205.3; Troubleshooting network issues

Candidates should be able to identify and correct common network setup issues to include knowledge of locations for basic configuration files and commands.

Objective 205.4; Notifying users on system-related issues

Candidates should be able to notify the users about current issues related to the system.

Basic Networking Configuration (205.1)

Candidates should be able to configure a network device to be able to connect to a local, wired or wireless, and a wide-area network. This objective includes being able to communicate between various subnets within a single network.

This objective has a weight of 3 points

Key Knowledge Areas:

  • Utilities to configure and manipulate ethernet network interfaces
  • Configuring wireless networks

The following is a partial list of used files, terms, and utilities:

  • /sbin/route
  • /sbin/ifconfig
  • /sbin/ip
  • /usr/sbin/arp
  • /sbin/iwconfig
  • /sbin/iwlist

Resources: Dawson00, Drake00.

Configuring the network interface

After setting up your hardware, you have to make the devices known to the kernel networking software. A couple of commands are used to configure the network interfaces and initialize the routing table. These tasks are usually performed from the network-initialization script each time you boot the system. The basic tools for this process are called ifconfig (where if stands for interface) and route.

ifconfig is used to make an interface accessible to the kernel networking layer. This involves the assignment of an IP address and other parameters, and activation of the interface, also known as bringing up the interface. Being active here means that the kernel will send and receive IP datagrams through the interface. The simplest way to invoke it is with: 

# ifconfig interface ip-address

This command assigns ip-address to interface and activates it. All other parameters are set to default values. For instance, the default network mask is derived from the network class of the IP address, such as 255.255.0.0 for a class B address.

route allows you to add or remove routes from the kernel routing table. It can be invoked as: 

# route {add|del} [-net|-host] target [if]

The add and del arguments determine whether to add or delete the route to target. The -net and -host arguments tell the route command whether the target is a network or a host (a host is assumed if you don't specify). The if argument specifies the interface and is optional, and allows you to specify to which network interface the route should be directed -- the Linux kernel makes a sensible guess if you don't supply this information.

The Loopback Interface

The very first interface to be activated is the loopback interface: 

# ifconfig lo 127.0.0.1

Occasionally, you will see the dummy hostname localhost being used instead of the IP address. ifconfig will look up the name in the hosts file, where an entry should declare it as the hostname for 127.0.0.1: 

# Sample /etc/hosts entry for localhost
127.0.0.1 localhost

To view the configuration of an interface, you invoke ifconfig, giving it only the interface name as argument: 

$ ifconfig lo
lo        Link encap:Local Loopback inet addr:127.0.0.1
          Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:3924 Metric:1 RX packets:0
          errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0
          overruns:0 carrier:0 Collisions:0

As you can see, the loopback interface has been assigned a netmask of 255.0.0.0, since 127.0.0.1 is a class A address.

These steps are enough to use networking applications on a stand-alone host. After adding these lines to your network initialization script[2] and making sure it will be executed at boot time, you may reboot your machine and try out various applications. For instance, telnet localhost should establish a telnet connection to your host, giving you a login: prompt.

The loopback interface is useful not only as an example in networking books or as a test bed during development, but is actually used by some applications during normal operation.[3] Therefore, you always have to configure it, regardless of whether your machine is attached to a network or not.

Ethernet Interfaces

Configuring an Ethernet interface is pretty much the same as the loopback interface - it just requires a few more parameters when you are using subnetting.

Suppose we have subnetted the IP network, which was originally a class B network, into class C subnetworks. To make the interface recognize this, the ifconfig invocation would look like this: 

# ifconfig eth0 172.16.1.2 netmask 255.255.255.0

This command assigns the eth0 interface an IP address of 172.16.1.2. If we had omitted the netmask, ifconfig would deduce the netmask from the IP network class, which would result in an incorrect netmask of 255.255.0.0. Now a quick check shows: 

# ifconfig eth0
eth0      Link encap 10Mps Ethernet HWaddr
          00:00:C0:90:B3:42 inet addr 172.16.1.2 Bcast 172.16.1.255 Mask
          255.255.255.0 UP BROADCAST RUNNING MTU 1500 Metric 1 RX packets 0
          errors 0 dropped 0 overrun 0 TX packets 0 errors 0 dropped 0 overrun 0

You can see that ifconfig automatically sets the broadcast address (the Bcast field) to the usual value, which is the host's network number with all the host bits set. Also, the maximum transmission unit (the maximum size of IP datagrams the kernel will generate for this interface) has been set to the maximum size of Ethernet packets: 1,500 bytes. The defaults are usually what you will use, but all these values can be overridden if required.

If you are using a 2.0.x or earlier kernel, you now have to install a routing entry that informs the kernel about the network that can be reached through eth0. For example: 

# route add -net 172.16.1.0

At first this looks a bit like magic because it's not really clear how route detects which interface to route through. However, the trick is rather simple: the kernel checks all interfaces that have been configured so far and compares the destination address (172.16.1.0 in this case) to the network part of the interface address (that is, the bitwise AND of the interface address and the netmask). The only interface that matches is eth0.

Now, what's that -net option for? This is used because route can handle both routes to networks and routes to single hosts. We have to tell route explicitly that it denotes a network, so we give it the -net flag.

Routing Through a Gateway

In the previous section, we only covered the case of a host on a single Ethernet. Quite frequently, however, one encounters networks connected to one another by gateways. These gateways may simply link two or more Ethernets, but may also provide a link to the outside world, such as the Internet. In order to use a gateway, you have to provide additional routing information to the networking layer.

Imagine two ethernets linked through such a gateway, the host romeo. Assuming that romeo has already been configured, we just have to add an entry to our routing table telling the kernel all hosts on the other network can be reached through romeo. The appropriate invocation of route is shown below; the gw keyword tells it that the next argument denotes a gateway: 

# route add -net 172.16.0.0 netmask 255.255.255.0 gw romeo

Of course, any host on the other network you wish to communicate with must have a routing entry for our network. Otherwise you would only be able to send data to the other network, but the hosts on the other network would be unable to reply.

This example only describes a gateway that switches packets between two isolated ethernets. Now assume that romeo also has a connection to the Internet (say, through an additional PPP link). In this case, we would want datagrams to any destination network to be handed to romeo. This action can be accomplished by making it the default gateway: 

# route add default gw romeo

The network name default is a shorthand for 0.0.0.0, which denotes the default route. The default route matches every destination and will be used if a more specific route is not available.

The ip command

The /sbin/ip command is used to show or manipulate routing, devices and policy routing and tunnels. It can be used next to more accepted commands like ifconfig and route. For instance: 

# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: p8p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:90:f5:b6:91:d1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.181/24 brd 192.168.123.255 scope global p8p1
    inet6 fe80::290:f5ff:feb6:91d1/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 88:53:2e:02:df:14 brd ff:ff:ff:ff:ff:ff
4: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff

in contrast to ifconfig 

# ifconfig -a
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:48 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4304 (4.2 KiB)  TX bytes:4304 (4.2 KiB)

p8p1      Link encap:Ethernet  HWaddr 00:90:F5:B6:91:D1  
          inet addr:192.168.123.181  Bcast:192.168.123.255  Mask:255.255.255.0
          inet6 addr: fe80::290:f5ff:feb6:91d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6653 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7609 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3843849 (3.6 MiB)  TX bytes:938833 (916.8 KiB)
          Interrupt:53 

vboxnet0  Link encap:Ethernet  HWaddr 0A:00:27:00:00:00  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

wlan0     Link encap:Ethernet  HWaddr 88:53:2E:02:DF:14  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:330 (330.0 b)  TX bytes:1962 (1.9 KiB)

Or as counterpart of the route command: 

# ip route show
192.168.123.0/24 dev p8p1  proto kernel  scope link  src 192.168.123.181  metric 1 
default via 192.168.123.254 dev p8p1  proto static

where the output of the route command is: 

# route
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.123.0   *               255.255.255.0   U     1      0        0 p8p1
default         192.168.123.254 0.0.0.0         UG    0      0        0 p8p1

Besides the showing of data the ip command can also be used to manipulate or control network routing or devices. For more information please read the manual pages of ip.

ARP, Address Resolution Protocol

The Internet Protocol is a layer 3 protocol and the NIC is a layer 2 device. In a local network devices know each other by the MAC (Media Access Control) address.

Due to these properties IP communication requires a protocol to map between layer 2 and layer 3. The protocol for this job is the Address Resolution Protocol (ARP). ARP creates a mapping between an IP address and the MAC address where the IP address is configured.

When IP enabled devices in a network want to communicate, the kernel of the originating device hands the IP packet to the network interface and requests to deliver the IP packet to the recipient. In order to find the recipient the network interface on the origination side will send a broadcast, the network interface on the destination side will respond with its MAC address. Now the originating network interface is able to send the IP packet to the recipient.

Besides the protocol arp is also a command which shows the ARP cache. 

# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
10.9.8.126               ether   00:19:bb:2e:df:73   C                     wlan0

See the man pages for more information on the arp command.

Wireless networking

iwconfig

iwconfig is similar to ifconfig, but is dedicated to the wireless interfaces. It is used to set the parameters of the network interface which are specific to the wireless operation (for example : the frequency). Iwconfig may also be used to display those parameters, and the wireless statistics.

All these parameters and statistics are device dependent. Each driver will provide only some of them depending on hardware support, and the range of values may change. Please refer to the man page of each device for details.

Syntax:

# iwconfig [interface]
# iwconfig interface [options]

Some common options:

essid

Set the ESSID (or Network Name - in some products it may also be called Domain ID). With some cards, you may disable the ESSID checking (ESSID promiscuous) with off or any (and on to reenable it). If the ESSID of your network is one of the special keywords (off, on or any), you should use -- to escape it.

mode

Set the operating mode of the device, which depends on the network topology. The mode can be Ad-Hoc (the network is composed of one cell only and is without an Access Point), Managed (the node connects to a network composed of multiple Access Points, with roaming), Master (the node is the synchronisation master or acts as an Access Point), Repeater (the node forwards packets between other wireless nodes), Secondary (the node acts as a backup master/repeater), Monitor (the node is not associated with any cell and passively monitors all packets on the frequency) or Auto.

Examples:

# iwconfig eth0 essid any
# iwconfig eth0 essid "Access Point"
# iwconfig eth0 essid -- "any"
# iwconfig eth0 mode Ad-Hoc

iwlist

iwlist is used to scan for available wireless networks and display additional information about them. The syntax is as follows: 

# iwlist [interface] command

iwlist can display ESSID's, frequency/channel information, bit-rates, encryption type, power management information of other wireless nodes in range. Which information is displayed is hardware dependent.

Some useful options are:

scan[ning]

Returns a list of ad-hoc networks and access points. Depending on the type of card, more information is shown, i.e. ESSID, signal strength, frequency. Scanning can only be done by root. When a non-root users issues the scan command, results from the last scan are returned, if available. This can also be achieved by adding the option last. Furthermore, the option essid can be used to scan for a specific ESSID. Depending on the driver, more options may be available.

keys/enc[ryption]

List the encryption key sizes supported and list all the encryption keys set in the device.

PPP

This section is no longer part of the LPI2 objectives. It is still included in this chapter for historical reasons.

On Linux, PPP functionality is split into two parts: a kernel component that handles the low-level protocols (HDLC, IPCP, IPXCP, etc.) and the user space pppd daemon that handles the various higher-level protocols, such as PAP and CHAP. The current release of the PPP software for Linux contains the PPP daemon pppd and a program called chat that automates the dialing of the remote system.

Like SLIP, PPP is implemented by a special line discipline. To use a serial line as a PPP link, you first establish the connection over your modem as usual, and subsequently convert the line to PPP mode. In this mode, all incoming data is passed to the PPP driver, which checks the incoming HDLC frames for validity (each HDLC frame carries a 16-bit checksum), and unwraps and dispatches them. Currently, PPP is able to transport both the IP protocol, optionally using Van Jacobson header compression, and the IPX protocol.

pppd aids the kernel driver, performing the initialization and authentication phase that is necessary before actual network traffic can be sent across the link. pppd's behaviour may be fine-tuned using a number of options.

PPP is strictly a peer to peer protocol; there is (technically) no difference between the machine that dials in and the machine that is dialed into. However, for clarity's sake, it is useful to think in terms of servers and clients.

When you dial into a machine to establish a PPP connection, you are a client. The machine to which you connect is the server. When you are setting up a Linux box to receive and handle dial-in PPP connections, you are setting up a PPP server.

As PPP is rather complex, it is impossible to explain all of it in a single chapter. This book therefore cannot cover all aspects of pppd, but only gives you an introduction. For more information, consult Using & Managing PPP or the pppd manual pages, and README files in the pppd source distribution, which should help you sort out most questions not covered in this chapter. The PPP-HOWTO might also be of use.

Probably the greatest help you will find in configuring PPP will come from other users of the same Linux distribution. PPP configuration questions are very common, so try your local usergroup mailing list or the IRC Linux channel. If your problems persist even after reading the documentation, you could try the comp.protocols.ppp newsgroup. This is the place where you will find most of the people involved in pppd development.

Running pppd

In this introductory example of how to establish a PPP connection with pppd, we will assume you are at romeo. First, dial in to the PPP server william and log in to the ppp account and william will execute its PPP driver.

PPP Client

After exiting the communications program you used for dialing, execute the following command, substituting the name of the serial device you used for the ttyS3 shown here: 

# pppd /dev/ttyS3 38400 crtscts defaultroute

This command flips the serial line ttyS3 to the PPP line discipline and negotiates an IP link with william. The transfer speed used on the serial port will be 38,400 bps. The crtscts option turns on hardware handshake on the port, which is an absolute must at speeds above 9,600 bps.

The first thing pppd does after starting up is negotiate several link characteristics with the remote end using LCP. Usually, the default set of options pppd tries to negotiate will work, so we won't go into this here, except to say that part of this negotiation involves requesting or assigning the IP addresses at each end of the link.

For the time being, we also assume that william doesn't require any authentication from us, so the configuration phase is completed successfully.

pppd will then negotiate the IP parameters with its peer using IPCP, the IP control protocol. Since we didn't specify any particular IP address to pppd earlier, it will try to use the address obtained by having the resolver look up the local hostname. Both will then announce their addresses to each other.

Usually, there's nothing wrong with these defaults. Even if your machine is on an Ethernet, you can use the same IP address for both the Ethernet and the PPP interface. Nevertheless, pppd allows you to use a different address, or even to ask your peer to use some specific address. These options are discussed later.

After going through the IPCP setup phase, pppd will prepare your host's networking layer to use the PPP link. It first configures the PPP network interface as a point-to-point link, using ppp0 for the first PPP link that is active, ppp1 for the second, and so on. Next, it sets up a routing table entry that points to the host at the other end of the link. In the previous example, pppd made the default network route point to william, because we gave it the defaultroute option. The default route simplifies your routing by causing any IP datagram destined for a nonlocal host to be sent to william; this makes sense since it is the only way it can be reached. There are a number of different routing schemes pppd supports, some of which we will cover later in this chapter.

Of course, the dialing can be automated using the chat(1) command. For more information see the manual page.

PPP Server

Running pppd as a server is just a matter of configuring a serial tty device to invoke pppd with appropriate options when an incoming data call has been received. One way to do this is to create a special account, say ppp, and give it a script or program as a login shell that invokes pppd with these options. Alternatively, if you intend to support PAP or CHAP authentication, you can use the mgetty program to support your modem and exploit its /AutoPPP/ feature.

To build a server using the login method, you add a line similar to the following to your /etc/passwd file: 

ppp:x:500:200:Public PPP Account:/tmp:/etc/ppp/ppplogin

If your system supports shadow passwords, you also need to add an entry to the /etc/shadow file: 

ppp:!:10913:0:99999:7:::

Of course, the UID and GID you use depends on which user should own the connection, and how you've created it. You also have to set the password for this account using the passwd command.

The ppplogin script might look like this: 

#!/bin/sh
# ppplogin - script to fire up pppd on login
mesg n
stty -echo
exec pppd -detach silent modem crtscts

The mesg command disables other users from writing to the tty by using, for example, the write command. The stty command turns off character echoing. This command is necessary; otherwise, everything the peer sends would be echoed back to it. The most important pppd option given is -detach because it prevents pppd from detaching from the controlling tty. If we didn't specify this option, it would go to the background, making the shell script exit. This in turn would cause the serial line to hang up and the connection to be dropped. The silent option causes pppd to wait until it receives a packet from the calling system before it starts sending. This option prevents transmit timeouts from occurring when the calling system is slow in firing up its PPP client. The modem option makes pppd drive the modem control lines of the serial port. You should always turn this option on when using pppd with a modem. The crtscts option turns on hardware handshake.

Besides these options, you might want to force some sort of authentication, for example, by specifying auth on pppd's command line or in the global options file. The manual page also discusses more specific options for turning individual authentication protocols on and off.

If you wish to use mgetty, all you need to do is configure mgetty to support the serial device your modem is connected to, by adding a line similar to the following to /etc/inittab: 

T0:23:respawn:/sbin/mgetty ttyS0

Configure pppd for either PAP or CHAP authentication with the appropriate options in its options file, and finally, add a section similar to the following to your /etc/mgetty/login.config file: 

# Configure mgetty to automatically detect incoming PPP calls and invoke
# the pppd daemon to handle the connection.
#
/AutoPPP/ -     ppp   /usr/sbin/pppd auth -chap +pap login

The first field is a special piece of magic used to detect that an incoming call is a PPP one. You must not change the case of this string; it is case sensitive. The third column (ppp) is the user name which appears in who listings when someone has logged in. The rest of the line is the command to invoke. In our example, we've ensured that PAP authentication is required, disabled CHAP, and specified that the system passwd file should be used for authenticating users. This is probably similar to what you'll want. You can specify the options in the options file (see below), or on the command line if you prefer.

Here is a small checklist of tasks to perform, as well as the sequence in which they should be performed in order to have PPP dial-in working on your machine. Make sure each step works before moving on to the next:

  1. Configure the modem for auto-answer mode. On Hayes-compatible modems, this is performed with a command like ATS0=3. If you're going to be using the mgetty daemon, this isn't necessary.

  2. Configure the serial device with a getty type of command to answer incoming calls. A commonly used getty variant is mgetty.

  3. Consider authentication. Will your callers authenticate using PAP, CHAP or system login?

  4. Configure pppd as server as described in this section.

  5. Consider routing. Will you need to provide a network route to callers? Routing can be performed using the ip-up script.

PPP Configuration Files

Using Options Files

Before pppd parses its command-line arguments, it scans several files for default options. These files may contain any valid command-line arguments spread out across an arbitrary number of lines. Hash signs introduce comments.

The first options file is /etc/ppp/options, which is always scanned when pppd starts up. Using it to set some global defaults is a good idea, because it allows you to keep your users from doing several things that may compromise security. For instance, to make pppd require some kind of authentication (either PAP or CHAP) from the peer, you add the auth option to this file. This option cannot be overridden by the user, so it becomes impossible to establish a PPP connection with any system that is not in your authentication databases. Note, however, that some options can be overridden; the connect string is a good example.

The other options file, which is read after /etc/ppp/options, is .ppprc in the user's home directory. It allows each user to specify her own set of default options.

A sample /etc/ppp/options file might look like this: 

# Global options for pppd running on romeo
lock                 # use UUCP-style device locking
auth                 # require authentication
usehostname          # use local hostname for CHAP
domain example.com   # our domain name

The lock keyword makes pppd comply to the standard UUCP method of device locking. With this convention, each process that accesses a serial device, say /dev/ttyS3, creates a lock file with a name like LCK..ttyS3 in a special lock-file directory to signal that the device is in use. This is necessary to prevent other programs, such as minicom or uucico, from opening the serial device while it is used by PPP.

The next three options relate to authentication and, therefore, to system security. The authentication options are best placed in the global configuration file because they are privileged and cannot be overridden by users' ~/.ppprc options files.

IP Configuration Options

IPCP is used to negotiate a number of IP parameters at link configuration time. Usually, each peer sends an IPCP Configuration Request packet, indicating which values it wants to change from the defaults and the new value. Upon receipt, the remote end inspects each option in turn and either acknowledges or rejects it.

pppd gives you a lot of control over which IPCP options it will try to negotiate. You can tune it through various command-line options that we will discuss in this section.

Choosing IP Addresses

All IP interfaces require IP addresses assigned to them; a PPP device always has an IP address. The PPP suite of protocols provides a mechanism that allows the automatic assignment of IP addresses to PPP interfaces. It is possible for the PPP program at one end of a point-to-point link to assign an IP address for the remote end to use or each may use its own.

Some PPP servers that handle a lot of client sites assign addresses dynamically; addresses are assigned to systems only when calling in and are reclaimed after they have logged off. This allows the number of IP addresses required to be limited to the number of dialup lines. While limitation is convenient for managers of the PPP dialup server, it is often less convenient for users who are dialing in. In order for people to connect to your host, they must know your IP address or the hostname associated with it. If you are a user of a PPP service that assigns you an IP address dynamically, this knowledge is difficult without providing some means of allowing the DNS database to be updated after you are assigned an IP address. Here we'll cover a more preferable approach, which involves you being able to use the same IP address each time you establish your network connection.

In the previous example, we had pppd on romeo dial up william and establish an IP link. No provisions were made to choose a particular IP address on either end of the link. Instead, we let pppd take its default action. It attempts to resolve the local hostname (romeo in our example) to an IP address, which it uses for the local end, while letting the remote machine (william) provide its own. PPP supports several alternatives to this arrangement.

To ask for particular addresses, you generally provide pppd with the following option: 

local_addr:remote_addr

local_addr and remote_addr may be specified either in dotted quad notation or as hostnames[4]. This option makes pppd attempt to use the first address supplied as its own IP address, and the second as the peer's. If the peer rejects either of the addresses during IPCP negotiation, no IP link will be established[5].

If you are dialing in to a server and expect it to assign you an IP address, you should ensure that pppd does not attempt to negotiate one for itself. To do this, use the noipdefault option and leave the local_addr blank. The noipdefault option will stop pppd from trying to use the IP address associated with the hostname as the local address.

If you want to set only the local address but accept any address the peer uses, simply leave out the remote_addr part. To make romeo use the IP address 130.83.4.27 instead of its own, give it 130.83.4.27: on the command line. Similarly, to set the remote address only, leave the local_addr field blank. By default, pppd will then use the address associated with your hostname.

Routing Through a PPP Link

After setting up the network interface, pppd will usually set up a host route to its peer only. If the remote host is on a LAN, you certainly want to be able to connect to hosts behind your peer as well; in that case, a network route must be set up.

We have already seen that pppd can be asked to set the default route using the defaultroute option. This option is very useful if the PPP server you dialed-up acts as your Internet gateway.

The reverse case, in which our system acts as a gateway for a single host, is also relatively easy to accomplish. For example, let us assume a home machine is dialing in to our system (which is configured as a dialin PPP server). If we've configured our system to dynamically assign an IP address that belongs to our subnet, then we can use the proxyarp option with pppd, which will install a proxy ARP entry for oneshot. This automatically makes the home machine accessible from all hosts at our network.

However, things aren't always that simple. Linking two local area networks usually requires adding a specific network route because these networks may have their own default routes. Besides, having both peers use the PPP link as the default route would generate a loop through which packets to unknown destinations would ping-pong between the peers until their time-to-live expired.

Suppose you want to connect a subsidiary network with your machine romeo. The subsidiary runs an Ethernet of its own using the IP network number 172.16.3.0. The subsidiary wants to connect to your network via PPP to update customer databases. The machine romeo acts as the gateway and will support the PPP link; its peer at the new branch is called juliet and has an IP address of 172.16.3.1.

When juliet connects to romeo, it makes the default route point to romeo. On romeo, however, we will have only the point-to-point route to juliet and will have to specially configure a network route for subnet 3 that uses juliet as its gateway. We could do this manually using the route command after the PPP link is established, but this is not a very practical solution. Fortunately, we can configure the route automatically by using a feature of pppd that we haven't discussed yet; the ip-up command. This command is a shell script or program located in /etc/ppp that is executed by pppd after the PPP interface has been configured. When present, it is invoked with the following parameters: 

ip-up iface device speed local_addr remote_addr

The following table summarizes the meaning of each of the arguments (in the first column, we show the number used by the shell script to refer to each argument):

ArgumentNamePurpose
$1ifaceThe network interface used, e.g., ppp0
$2deviceThe pathname of the serial device file used (?/dev/tty, if stdin/stdout are used)
$3speedThe speed of the serial device in bits per second
$4local_addrThe IP address of the remote end of the link in dotted quad notation
$5remote_addrThe IP address of the remote end of the link in dotted quad notation

In our case, the ip-up script may contain the following code fragment: 

#!/bin/sh
case $5 in
172.16.3.1)            # this is juliet
        route add -net 172.16.3.0 gw 172.16.3.1
        ;;
...
esac
exit 0

Similarly, /etc/ppp/ip-down can be used to undo any actions of ip-up after the PPP link has been taken down again. So in our /etc/ppp/ip-down script we would have a route command that removed the route we created in the /etc/ppp/ip-up script.

However, the routing scheme is not yet complete. We have set up routing table entries on both PPP hosts, but, so far, neither of the hosts on either network knows anything about the PPP link. This is not a big problem if all hosts at the subsidiary have their default route pointing at juliet, and all our hosts route to romeo by default. However, if this is not the case, your only option is to use a routing daemon like gated. After creating the network route on romeo, the routing daemon broadcasts the new route to all hosts on the attached subnets.

Authentication with PPP

With PPP, each system may require its peer to authenticate itself using one of two authentication protocols: the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP). When a connection is established, each end can request the other to authenticate itself, regardless of whether it is the caller or the called. In the description that follows, we will use the phrases client and server when we want to distinguish between the system sending authentication requests and the system responding to them. A PPP daemon on the client can ask its peer on the server for authentication by sending yet another LCP configuration request identifying the desired authentication protocol.

PAP Versus CHAP

PAP, which is offered by many Internet Service Providers, works basically the same way as the normal login procedure. The client authenticates itself by sending a username and a (optionally encrypted) password to the server, which the server compares to its secrets database[6]. This technique is vulnerable to eavesdroppers, who may try to obtain the password by listening in on the serial line, and to repeated trial and error attacks.

CHAP does not have these deficiencies. With CHAP, the server sends a randomly generated challenge string to the client, along with its hostname. The client uses the hostname to look up the appropriate secret, combines it with the challenge and encrypts the string using a one-way hashing function. The result is returned to the server along with the client's hostname. The server now performs the same computation and acknowledges the client if it arrives at the same result.

CHAP also doesn't require the client to authenticate itself only at startup time, but sends challenges at regular intervals to make sure the client hasn't been replaced by an intruder - for instance, by switching phone lines or because of a modem configuration error that causes the PPP daemon not to notice that the original phone call has dropped out and someone else has dialed in.

pppd keeps the secret keys for PAP and CHAP in two separate files called /etc/ppp/pap-secrets and /etc/ppp/chap-secrets. By entering a remote host in one or the other file, you have fine control over whether PAP or CHAP is used to authenticate yourself with your peer, and vice versa.

By default, pppd doesn't require authentication from the remote host, but it will agree to authenticate itself when requested by the remote host. Since CHAP is so much stronger than PAP, pppd tries to use the former whenever possible. If the peer does not support it, or if pppd can't find a CHAP secret for the remote system in its chap-secrets file, it reverts to PAP. If it doesn't have a PAP secret for its peer either, it refuses to authenticate altogether. As a consequence, the connection is shut down.

You can modify this behaviour in several ways. When given the auth keyword, pppd requires the peer to authenticate itself. pppd agrees to use either CHAP or PAP as long as it has a secret for the peer in its CHAP or PAP database. There are other options to turn a particular authentication protocol on or off, but I won't describe them here.

If all systems you talk to with PPP agree to authenticate themselves with you, you should put the auth option in the global /etc/ppp/options file and define passwords for each system in the chap-secrets file. If a system doesn't support CHAP, add an entry for it to the pap-secrets file. That way, you can make sure no unauthenticated system connects to your host.

The next two sections discuss the two PPP secrets files, pap-secrets and chap-secrets. They are located in /etc/ppp and contain triplets of clients, servers and passwords, optionally followed by a list of IP addresses. The interpretation of the client and server fields is different for CHAP and PAP, and it also depends on whether we authenticate ourselves with the peer, or whether we require the server to authenticate itself with us.

The CHAP Secrets File

When it has to authenticate itself with a server using CHAP, pppd searches the chap-secrets file for an entry with the client field equal to the local hostname and the server field equal to the remote hostname sent in the CHAP challenge. When requiring the peer to authenticate itself, the roles are simply reversed: pppd then looks for an entry with the client field equal to the remote hostname (sent in the client's CHAP response), and the server field equal to the local hostname.

The following is a sample chap-secrets file for romeo[7]: 

# CHAP secrets for romeo.example.com
#
# client                server                  secret           addrs
#---------------------------------------------------------------------
romeo.example.com       william.shakespeare.com "Where art thou" romeo.example.com
william.shakespeare.com romeo.example.com       "To be"          william.shakespeare.com
*                       romeo.example.com       "Capulet"        pub.example.com

When romeo establishes a PPP connection with william, william asks romeo to authenticate itself by sending a CHAP challenge. pppd on romeo then scans chap-secrets for an entry with the client field equal to romeo.example.com and the server field equal to william.shakespeare.com, and finds the first line shown in the example[8]. It then produces the CHAP response from the challenge string and the secret (Use The Source Luke), and sends it off to william.

pppd also composes a CHAP challenge for william containing a unique challenge string and its fully qualified hostname (romeo.example.com). A CHAP response in the way we discussed, is formatted by william and returned to romeo. pppd then extracts the client hostname (william.shakespeare.com) from the response and searches the chap-secrets file for a line matching william as a client and romeo as the server. The second line does this, so pppd combines the CHAP challenge and the secret To be, encrypts them, and compares the result to william's CHAP response.

The optional fourth field lists the IP addresses that are acceptable for the client named in the first field. The addresses can be given in dotted quad notation or as hostnames that are looked up with the resolver. For instance, if william asks to use an IP address during IPCP negotiation that is not in this list, the request is rejected, and IPCP is shut down. In the sample file shown above, william is therefore limited to using its own IP address. If the address field is empty, any addresses are allowed; a value of - prevents the use of IP with that client altogether.

The third line of the sample chap-secrets file allows any host to establish a PPP link with romeo because a client or server field of * is a wildcard matching any hostname. The only requirements are that the connecting host must know the secret and that it must use the IP address associated with pub.example.com. Entries with wildcard hostnames may appear anywhere in the secrets file, since pppd will always use the best match it can find for the server/client pair.

pppd may need some help forming hostnames. As explained before, the remote hostname is always provided by the peer in the CHAP challenge or response packet. The local hostname is obtained by calling the gethostname function by default. If you have set the system name to your unqualified hostname, you also have to provide pppd with the domain name using the domain option: 

# pppd ? domain vbrew.com

This provision appends our domain name to romeo for all authentication-related activities. Other options that modify pppd's idea of the local hostname are usehostname and name. When you give the local IP address on the command line using local:remote and local is a name instead of a dotted quad, pppd uses this as the local hostname.

The PAP Secrets File

The PAP secrets file is very similar to CHAP one. The first two fields always contain a username and a hostname; the third holds the PAP secret. When the remote host sends its authentication information, pppd uses the entry that has a server field equal to the local hostname and a user field equal to the username sent in the request. When it is necessary for us to send our credentials to the peer, pppd uses the secret that has a user field equal to the local username and the server field equal to the remote hostname.

A sample PAP secrets file might look like this: 

# /etc/ppp/pap-secrets
#
# user          server          secret          addrs
romeo-pap       william         cresspahl       romeo.example.com
william         romeo           DonaldGNUth     william.shakespeare.com

The first line is used to authenticate ourselves when talking to william. The second line describes how a user named william has to authenticate itself with us.

The name romeo-pap in the first column is the username we send to william. By default, pppd picks the local hostname as the username, but you can also specify a different name by giving the user option followed by that name.

When picking an entry from the pap-secrets file to identify us to a remote host, pppd must know the remote host's name. As it has no way of finding that out, you must specify it on the command line using the remotename keyword followed by the peer's hostname. To use the above entry for authentication with william, for example, we must add the following option to pppd's command line: 

# pppd ... remotename william user romeo-pap

In the fourth field of the PAP secrets file (and all following fields), you can specify what IP addresses are allowed for that particular host, just as in the CHAP secrets file. The peer will be allowed to request only addresses from that list. In the sample file, the entry that william will use when it dials in (the line where william is the client) allows it to use its real IP address and no other.


[2] This is usually included with your distribution.

[3] For example, all applications based on RPC use the loopback interface to register themselves with the portmapper daemon at startup. These applications include NIS and NFS.

[4] Using hostnames in this option has consequences for CHAP authentication. Please refer to the section called “The CHAP Secrets File” elsewhere in this chapter.

[5] The ipcp-accept-local and ipcp-accept-remote options instruct your pppd to accept the local and remote IP addresses being offered by the remote PPP, even if you've supplied some in your configuration. If these options are not configured, your pppd will reject any attempt to negotiate the IP addresses used.

[6] Secret is just the PPP name for passwords. PPP secrets don't have the same length limitation as Linux login passwords.

[7] The double quotes are not part of the secret; they merely serve to protect the whitespace within it.

[8] This hostname is taken from the CHAP challenge.

Copyright Snow B.V. The Netherlands
Prev   Next
Questions and answers Home Advanced Network Configuration and Troubleshooting (205.2)