Configuring Dynamically Allocated PPP Links

A dial-in server with a dynamic point-to-point link gives your site all the advantages of point-to-point communications. Chapter 7, "Understanding PPP," introduces this configuration type. It consists of remote hosts communicating with at least one dial-in server that dynamically allocates point-to-point links on an as-needed basis. The sample configuration shown in Figure 11-1 on page 166 will be used throughout this section.

Figure 11-1

Each remote host communicates with the dial-in server using a standard point-to-point link. However, unlike the multipoint dial-in server in Figure 9-1 on page 134, dial-in servers mojave and nubian connect to a calling host over a dynamic point-to-point link. One of the servers allocates an available link whenever a remote host attempts to establish a connection.

You use the same generic procedures for configuring dynamic links as you do for the remote host-to-multipoint dial-in server link, as described in "Overview of the Configuration Process" on page 131. However, the dynamic point-to-point link has its own set of issues and requires slightly different modifications to the files involved in configuration.

Addressing Issues for Dynamically Allocated Links

You must add host information to the /etc/inet/hosts file for each machine that will use the dynamically allocated PPP link. The IP addresses for the PPP endpoints should follow these conventions:

• For the dial-in servers, you must use the IP address of the server's primary network interface (for example le0 or smc0) as the address of the dynamic link.
• For a remote host, you can use the IP address of the host's primary network interface as the address of its point-to-point link, or you can designate a PPP-specific IP address for its point-to-point link.

Updating the hosts Database for Dynamic Links

You must update the hosts database on all machines involved in the dynamic-link configuration.

· How to Update a Remote Host

When configuring the hosts databases on the remote machines, do the following:

1. Add to the /etc/inet/hosts file the IP address and host name of the primary network interface for each dial-in server on the other end of the link.

   For example, in Figure 11-1 on page 166, nomada will have in its /etc/inet/hosts file the IP addresses of the primary network interfaces of dial-in servers nubian and mojave. The /etc/inet/hosts files for nomadb and nomadc would contain the same information about the dial-in servers.

The /etc/inet/hosts file on nomadc might look like:

# Internet host table # 127.0.0.1 localhost loghost 192.41.43.3 nomadc 192.41.40.45 nubian 192.41.40.55 mojave

2. Add to the /etc/inet/hosts file the IP addresses of any machines on the dial-in server's physical network that the remote host can remotely log in to.

3. Update the databases on any name server on the physical network with the host names and IP addresses of the remote hosts.

· How to Update the Dial-in Server

You do not have to add any PPP-specific address to the hosts database for the dial-in server. The dynamically allocated link must use the server's primary network interface. Therefore, when configuring the hosts database for the dial-in server, do the following:

1. Add entries to the server's /etc/inet/hosts files for each remote host served.

2. Add to the /etc/inet/hosts files of every machine on the physical network entries for any remote hosts they are permitted to communicate with.

Considerations for Other Files

The next steps in the configuration process involve editing the /etc/passwd file and the /etc/shadow file. Edit these files for the dynamic-link configurations just as you would for the remote host-to-multipoint dial-in server configuration. Refer to "Modifying the /etc/passwd File" on page 138 for information regarding the /etc/passwd and /etc/shadow files.

Editing asppp.cf for Dynamic Link

The asppp.cf configuration file for a dynamic-link configuration must contain information about remote hosts and the interfaces to use for the PPP link. After the dial-in server boots, its link manager uses this information to establish communications whenever the server is called by a remote endpoint.

---

Note - Each remote host sets up the point-to-point link described in "Parts of Basic Configuration File" on page 140.

---

Dial-in Server With Dynamic Link

When the dial-in server receives an incoming packet, the link manager reads the path sections of its configuration file to identify the remote endpoint and determine the interface to use. The configuration file shown in Code Example 11-1 does not contain an interface keyword. Instead, the link manager uses interface information established in the defaults section.

The asppp.cf configuration file for a dial-in server with dynamically allocated links might resemble Code Example 11-1 on page 170:

Code Example 11-1 Configuration File for Server With Dynamically Allocated Link

ifconfig ipdptp0 plumb mojave down ifconfig ipdptp1 plumb mojave down ifconfig ipdptp2 plumb mojave down # This means grab whatever interface is available (not in use) defaults interface ipdptp* # Each path specifies a machine that might dial up / log # in to this server path peer_system_name tamerlane # nomada uses the login name # tamerlane peer_ip_address nomada path peer_system_name lawrence # nomadb uses the name lawrence # for login peer_ip_address nomadb path peer_system_name nomadc peer_ip_address azziz

ifconfig Section for Server With Dynamic Links The ifconfig section for a dial-in server with a dynamically allocated link has the syntax:

ifconfig ipdptpn plumb server-name down

Code Example 11-1 contains three ifconfig lines, each initializing a point-to-point interface.

ifconfig ipdptp0 plumb mojave down ifconfig ipdptp1 plumb mojave down ifconfig ipdptp2 plumb mojave down

Each interface has a corresponding modem attached to the dial-in server mojave, as shown in Figure 11-1 on page 166. This enables mojave to have up to three point-to-point links active at one time. Note that since PPP interfaces are virtual (not associated with any hardware), you could just as easily configure three ipdptp interfaces on a server with only one modem, as shown on nubian.

defaults Section for Server With Dynamic Links When you configure a dynamically allocated link, you may want to include a defaults section in the asppp.cf file. This section sets the defaults for the value replacing keyword, wherever keyword subsequently appears in the asppp.cf file. The syntax for the defaults section is:

default

keyword

Code Example 11-1 on page 170 uses the keyword interface to define the interface as ipdptp*, indicating a dynamic link. The asterisk wildcard tells the link manager to use any available ipdptp interface defined in the ifconfig section. Thus the link manager on server mojave will use either ipdptp0, ipdptp1, or ipdptp2--whichever is the first interface configured "down" that it finds.

path Section for Server With Dynamic Links The configuration file for the server with dynamic links must contain path sections for every remote host permitted to establish connections with the server. The path section has the following syntax:

path
       peer_system_name endpoint-username
       peer_ip_address endpoint-hostname

Note that there is no interface keyword defined in the path section because this value is defined in the defaults section.

The peer_system_name and peer_ip_address keywords have the same meaning here as they do in the configuration file for the multipoint server. See "path Section for Multipoint Dial-in Server" on page 144 for more information.

Additional Keywords You can supply other keywords in the asppp.cf file to define how endpoint machines should communicate, including the use of security keywords as explained in "Configuration Keywords" on page 180.

Configuring a Virtual Network

Virtual networks consist of a group of standalone computers, each in an isolated location, that can connect to each other through PPP multipoint links. "Virtual Networks" on page 110 introduces virtual network concepts. This section explains how to configure a virtual network.

Figure 11-2

The network shown in Figure 11-2 consists of three isolated computers. Each member of the network connects to the other members of the network through a multipoint PPP link. Therefore, to create such a network, you (and perhaps other network administrators at the remote location) have to configure a multipoint PPP link on each participating host.

You use the same generic process for configuring multipoint links as you do for configuring a multipoint dial-in server link, as described in "Overview of the Configuration Process" on page 131. However, the virtual network has its own set of issues and requires you to configure each host in the network accordingly.

Addressing Issues for Virtual Networks

You must add host information to the /etc/hosts file for each machine in the virtual network. When typing the IP addresses used for the PPP endpoints,

• Designate a PPP-specific IP address for its point-to-point link. Note that if the machine was not previously configured in a physical network, you will have to create an IP address for the PPP link. This address becomes the host's primary network interface.
• Create a network number for the virtual network. See "Assigning a Network Number to the PPP Link" on page 126 for more information.

Updating hosts and networks Databases

The first step in the configuration process involves updating the hosts and networks databases with information about your virtual network.

/etc/inet/hosts File for the Virtual Network

The /etc/inet/hosts file on each machine must contain the addressing information for every member of the network that this host has permission to access. For example, each host in the network in Figure 11-2 on page 172 would have this information:

# Internet host table # 127.0.0.1 localhost loghost 192.41.47.15 nomada 192.41.47.20 nomadb 192.41.47.12 nomadc

/etc/inet/networks File for the Virtual Network

Since the virtual network requires a unique IP address, you will have to type this address in the networks database. For example, the network shown in Figure 11-2 has the number 192.41.47. Moreover, if the hosts on the network need to communicate with other networks, you should register the network with the InterNIC addressing authority. See Chapter 4, "Configuring TCP/IP on the Network," for information on editing the networks database.

Each host on the virtual network must have an entry with the network's address in the /etc/inet/networks file. For example, each host on network 192.41.47 might have the following in /etc/inet/networks:

# Internet networks # # arpanet 10 arpa # ucb-ether 46 ucbether # # local networks loopback 127 ppp 192.41.47 #remote sales offices

Considerations for Other Files

The next steps in the configuration process involve editing the UUCP databases, the /etc/passwd file, and the /etc/shadow file. You edit these files for the machines in the virtual network just as you would for the multipoint dial-in server configuration. Refer to "Editing UUCP Databases" on page 136 for UUCP-related information and "Modifying the /etc/passwd File" on page 138 for information regarding the passwd file.

asppp.cf Configuration File for a Virtual Network

The configuration file for a local machine on a virtual network must contain information about all remote hosts on the network that the local host can access. Moreover, each machine on the virtual network must be configured for both dial-in and dial-out functions. After the local machine boots, its link manager reads the asppp.cf file to establish communications.

Code Example 11-2 shows a configuration file such as you would set up for nomada on a virtual network 192.41.47.

Code Example 11-2 Configuration File for nomada

# /etc/asppp.cf for hosta ifconfig ipd0 plumb nomada netmask + up defaults interface ipd0 path peer_ip_address nomadb peer_system_name lawrence # name machine logs in with path peer_ip_address nomadc peer_system_name azziz

Code Example 11-3 shows a configuration file such as you would set up for nomadb on virtual network 192.41.47.

Code Example 11-3 Configuration File for nomadb

# /etc/asppp.cf for nomadb ifconfig ipd0 plumb nomadb netmask + up defaults interface ipd0 path peer_ip_address nomada peer_system_name tamerlane # name the machine logs in with path peer_ip_address nomadc peer_system_name azziz

Editing asppp.cf for PAP/CHAP Security

You can edit the asppp.cf file to establish security and to specify whether parts of the link will respond to Password Authentication Protocol (PAP), or Challenge-Handshake Authentication Protocol (CHAP) as described in "PPP Security" on page 116. The asppp.cf file is edited by adding a series of keywords. In this section authenticator is the system starting the link or challenge, and is frequently the server. Peer is the other end of the link, and is often the client.

The keywords to be added are require_authentication and will_do_authentication. The authenticator or server will generally require authentication and the peer or client will generally do authentication.

Table 11-1

require_authentication pap	require_authentication chap
pap_peer_id	chap_peer_secret
pap_peer_password	chap_peer_name

Table 11-2

will_do__authentication pap	will_do_authentication chap
pap_id	chap_secret
pap_password	chap_name

· How to Install PAP/CHAP

1. On the server, become superuser and prepare to edit the /etc/asppp.cf file.

2. Add the require_authentication keyword for each machine on the link to use either CHAP or PAP security.

   a. For each pap keyword add an associated pap_peer_id and pap_peer_password string.

b. For each chap keyword add an associated chap_peer_secret and chap_peer_name string.

You can state the keywords explicitly, or if you prefer, you can use the default for the path. Refer to Table 11-3 on page 178 to see what each keyword specifies. Examples can be found on page 179.

3. On each remote host on the link to use either PAP or CHAP security, add an entry in the remote host's /etc/asppp.cf file with the will_do_authentication keyword.

   a. For each pap keyword entry add an associated pap_id and pap_password string.

   b. For each chap keyword entry add an associated chap_secret and chap_name string.

   You can state the keywords explicitly, or if you prefer, you can use the default for the path. Refer to Table 11-3 on page 178 to see what each keyword specifies. Examples can be found on starting on page 179.

Rules for PAP/CHAP Keywords

• Either server or client can require authentication or offer to do authentication.
• If PAP and CHAP are both present, the authenticator will first try CHAP. If that fails it will try PAP. If both fail, the link is terminated.
• The default value for PAP and CHAP authentication keywords is off. The syntax for keywords is:

  require_authentication           off|pap[chap]|chap[pap]
  will_do_authentication           off | pap [chap] | chap [pap]

• If you fail to specify pap_id and pap_password or pap_peer_id and pap_peer_password keywords and values for the associated path, the corresponding values are set to the NULL string.
• You must specify chap_name,chap_secret,chap_peer_secret and chap_peer_name keywords and values for that path.

Table 11-3

Keywords	Value Definition
require_authentication 1 keywords	Specifies whether the peer must authenticate itself. If either pap or chap is present, the peer must participate in authentication or end the connection. The default value is off.
2 pap_peer_id peername	Specifies the name of the peer to be authenticated for the current path. peername string is one or more octets4. To indicate a zero-length string, do not include the keyword.
3 pap_peer_password string	Specifies password for peer in one or more octets. To indicate a zero-length string, do not include the keyword.
chap_peer_secret string	Specifies the secret used with the challenge value to generate the response sent by the peer. The format is one or more octets, preferably at least 16.
chap_peer_name peername	Specifies the identity of the peer transmitting the packet. The name should not be NULL or terminated with CR/LF. The name is received from the peer in a response packet and consists of one or more octets.
will_do_authentication keywords	Specifies whether the system is willing to participate as the authenticated peer in the specified authentication process. If both pap and chap are present, then the system is willing to participate in either authentication protocol. The default value is off.
pap_id peername	Specifies the name of the system to be sent to the authenticator in the response packet. To indicate a zero-length string, do not include the keyword.
pap_password string	Specifies the password for the system to be sent to the authenticator in the response packet. To indicate a zero-length string, do not include the keyword.
chap_secret string	Contains the secret that is used with the received challenge value to generate the response sent to the authenticator. The format is one or more octets, preferably at least 16
chap_name peername	Specifies the identity of the system. The name should not end with a NULL or CR/LF. The name is sent to the authenticator in a response packet.

1. Keyword alternatives are: off|pap[chap] | chap[pap]

2. peername is the name of the system at the other end of the point-to-point link from the authenticator. It takes the form of a string with the syntax specified in footnote 3.

3. string is a single token without embedded white space. The standard ANSI C \ escape sequence may be used to embed special characters. Use \s for the space character. Any pound sign at the beginning of the string must be escaped (\#) to avoid interpretation as a comment. A NULL (\0) will truncate the string.

4. Octet is the more accurate definition of byte.

PAP/CHAP Examples

This code example shows the asppp.cf file for the server mojave with PAP and CHAP authentication required. The peers are tamerlane (PAP) and lawrence (CHAP).

Code Example 11-4 Code Example for Server mojave

ifconfig ipdptp0 plumb mojave down ifconfig ipdptp1 plumb mojave down defaults interface ipdptp* path peer_system_name tamerlane require_authentication pap #tells tamerlane that mojave #requires pap authentication pap_peer_id desert pap_peer_password oasis path peer_system_name lawrence require_authentication chap #tells lawrence that mojave #requires chap authentication chap_peer_name another\sdesert chap_peer_secret secret\soasis\swith\007bell

The next code sample shows mojave's remote host tamerlane offering to do both PAP and CHAP authentication.

Code Example 11-5 Code Example for Remote Host tamerlane

ifconfig ipdptp0 plumb tamerlane mojave up path interface ipdptp0 peer_system_name mojave will_do_authentication chap pap #tamerlane tells mojave #that it will do chap and #pap authentication pap_id desert pap_password oasis chap_name desert\srain chap_secret %$#@7&*(+|'P'12

Code Example 11-6 Code Example for Remote Host lawrence

ifconfig ipdptp0 plumb lawrence mojave private up path interface ipdptp0 peer_system_name mojave will_do_authentication chap #lawrence tells mojave that it #will do chap authentication chap_name another\sdesert chap_secret secret\soasis\swith\007bell

The code sample above shows mojave's remote host lawrence offering to do CHAP authentication.

Ideally, both CHAP and PAP are included in the configuration file, with the server requiring authentication and the remote host willing to do authentication. However this is reversible so that either side can require authentication. CHAP secrets need to be delivered by secure means. This generally involves handing them over in person.

Configuration Keywords

This section describes the configuration keywords available for the asppp.cf configuration file and the values you must define for them. Most of these keywords are optional. The required ones are indicated. For further explanations of the keywords, refer to RFCs 1331, 1332, 1333, and 1334.

Table 11-4 lists required keywords that must appear in all asppp.cf configuration files.

Table 11-4 asppp.cf

Keywords	Value Definitions
ifconfig parameters	Tells the link manager to run the ifconfig command with the values supplied by parameters. See "ifconfig Section of the asppp.cf File" on page 140, "ifconfig Section for Multipoint Dial-in Server" on page 143, and the ifconfig (1M) man page for more information.
path	Specifies the beginning of the token sequences that are grouped together as attributes of this (current) path. The collection of attributes comprising the current path are terminated by the occurrence of a subsequent path keyword, defaults keyword, or by the end-of-file charachter.
interface (ipdptpn, ipdptp*, or ipdn)	Specifies either an ipdptp (static point-to-point), ipdptp* (dynamic point-to-point), or ipd (multipoint) device for each interface in your network. For ipdptpn and ipdn, this keyword associates the specific interface defined by n with the current path. n must be a nonnegative integer. It matches the interface defined in the path section with the interface stated in the ifconfig section. For the ipdptp* interface, the * indicates that the interface will match any point-to- point interface that is configured as "down."
peer_system_name hostname peer_system_name username	On dial-out machines, specifies the hostname of the remote endpoint that the local machine wants to call. This is the same as the system name in the /etc/uucp/Systems file. Associates the remote system name with the current path. This name is used to look up modem- and peer-specific information for outbound connections in the /etc/uucp/Systems file. On dial-in machines, this specifies the username that remote machines will use when logging in to the dial-in machine. The appropriate path is determined by matching username with the login name that was used to obtain the connection.
peer_ip_address hostname peer_ip_address ip-address	Specifies the destination host address. It is required only for multipoint links. This address is associated with the current path. The value is ignored if the path specifies a point-to-point interface. The address format may be dotted decimal, hexadecimal, or symbolic.

Table 11-5 contains optional keywords for asppp.cf that you can use to further define your PPP configuration.

Table 11-5 asppp.cf

Keywords	Value Definitions
debug_level 0-9	The integer between 0-9 defines how much debugging information should be written to the log file. The higher the number, the more output is generated.
defaults	Indicates that all following token sequences up to the next path keyword, or the end-of-file character, set default attributes that affect subsequently defined paths.
default_route	Tells the link manager to add the path's peer IP address to the route table as the default destination when the IP layer corresponding to the current path is fully operational. The route is removed when the IP layer is brought down.
inactivity_timeout seconds	Specifies the maximum number of seconds that the connection for the current path can remain idle before it is terminated. A zero may be specified to indicate no timeout. The default is 120 seconds.
ipcp_async_map hex-number	Specifies the asynchronous control-character map for the current path. hex-number indicates the natural (big-endian) form of the four octets that comprise the map. The default value is 0x FFFFFFFF.
ipcp_compression (vj or off)	Specifies whether IP compression is enabled. The Van Jacobson compression algorithm (vj) is the default.
lcp_compression (on or off)	Specifies whether PPP address, control, and protocol field compression is enabled. The default is on.
lcp_mru number	Specifies the value of the desired maximum receive unit packet size. The number is the size in octets. The default is 1500.
negotiate_address (on or off)	Indicates whether local IP address assignment is obtained through negotiation and assigned dynamically or not. If enabled, the local address will be obtained from the remote end of the PPP link. If so obtained, any local address other than 0.0.0.0 can be used to initially configure the interface. The default is not to negotiate (off).
peer_ip_address hostname peer_ip_address ip-address	Specifies the destination host address. This keyword is optional for point-to-point links only. address is associated with the current path. The address format may be dotted decimal, hexadecimal, or symbolic.
version n	Specifies that the contents of the configuration file correspond to format version n. If this keyword is present, it must be the first keyword in the file. If absent, the version is assumed to be 1. This book contains the definition of the version 1 format for the configuration file.