PPP Extensible Authentication Protocol (EAP)

We now turn to EAP, mentioned several times in previous sections, but will now be discussed in some detail.

The Point-to-Point Protocol (PPP)^{[29 ]} provides a standard method for transporting multiprotocol datagrams over point-to-point links. PPP also defines an extensible Link Control Protocol (LCP) that enables the negotiation of a protocol for authenticating its peer before letting Network Layer protocols transmit over the link. RFC 2284^[30] defines the PPP EAP.

In order to establish communication over a point-to-point link, each end of the PPP link must first send LCP packets to configure the data link during the link establishment phase. After the link has been established, PPP provides for an optional authentication phase before proceeding to the Network Layer Protocol phase. By default, authentication is not mandatory. If authentication of the link is desired, an implementation must specify the authentication-protocol configuration option during the link establishment phase.

These authentication protocols are intended for use primarily by hosts and routers that connect to a PPP network server via switched circuits or dial-up lines, but might be applied to dedicated links as well. The server can use the identification of the connecting host or router in the selection of options for Network layer negotiations.

This section defines the PPP EAP. The link establishment and authentication phases, as well as the authentication-protocol configuration option, are defined in PPP.^{[29 ][31]}

The RFC frequently uses the following terms:

• Authenticator The end of the link requiring the authentication. The authenticator specifies the authentication protocol to be used in the configure-request during the link establishment phase.

• Peer The other end of the point-to-point link- the end that is being authenticated by the authenticator.

• Silently discard This means the implementation discards the packet without further processing. The implementation should provide the capability of logging the error, including the contents of the silently discarded packet, and should record the event in a statistics counter.

• Displayable message This is interpreted to be a human-readable string of characters and must not affect the operation of the protocol.

The message encoding must follow the UTF-8 transformation format.^[32]

The PPP EAP is a general protocol for PPP authentication that supports multiple authentication mechanisms. EAP does not select a specific authentication mechanism at the link control phase, but rather postpones this until the authentication phase. This allows the authenticator to request more information before determining the specific authentication mechanism. This also permits the use of a backend server that actually implements the various mechanisms while the PPP authenticator merely passes through the authentication exchange. The authentication consists of the following steps:

1. After the link establishment phase is complete, the authenticator sends one or more requests to authenticate the peer. The request has a type field to indicate what is being requested. Examples of request types include identity, MD5-challenge, one-time passwords, and generic token card. The MD5-challenge type corresponds closely to the Challenge Handshake Authentication Protocol (CHAP).

   Typically, the authenticator will send an initial identity request followed by one or more requests for authentication information.

   However, an initial identity request is not required and may be bypassed in cases where the identity is presumed (leased lines, dedicated dial-ups, and so on).

2. The peer sends a response packet in reply to each request. As with the request packet, the response packet contains a type field that corresponds to the type field of the request.

3. The authenticator ends the authentication phase with a success or failure packet.

Advantages

EAP can support multiple authentication mechanisms without having to prenegotiate a particular one during the LCP phase. Certain devices (such as a network access server [NAS]) do not necessarily have to understand each request type and may be able to simply act as a passthrough agent for a backend server on a host. The device only needs to look for the success/failure code to terminate the authentication phase.

Disadvantages

EAP does require the addition of a new authentication type to LCP and thus PPP implementations will need to be modified to use it. It also strays from the previous PPP authentication model of negotiating a specific authentication mechanism during LCP.

Configuration Option Format

A summary of the authentication-protocol configuration option format for negotiating EAP appears in Figure 4-11. Fields are transmitted from left to right.

Figure 4-11: Authentication- protocol configuration option format

Type 3

Length 4

Authentication Protocol C227 (Hex) for PPP EAP

Packet Format

Exactly one PPP EAP packet is encapsulated in the Information field of a PPP Data Link layer frame where the protocol field indicates type hex C227 (PPP EAP). A summary of the EAP packet format is shown in Figure 4-12. The fields are transmitted from left to right.

Figure 4-12: EAP packet format

• Code The Code field is one octet and identifies the type of EAP packet. EAP codes are assigned as follows:

  1 Request

  2 Response

  3 Success

  4 Failure

• Identifier The Identifier field is one octet and aids in matching responses with requests.

• Length The Length field is two octets and indicates the length of the EAP packet including the Code, Identifier, Length, and Data fields. Octets outside the range of the Length field should be treated as Data Link layer padding and should be ignored on reception.

• Data The Data field is zero or more octets. The Code field determines the format of the Data field.

Request and Response

• Description The request packet is sent by the authenticator to the peer. Each request has a Type field that serves to indicate what is being requested. The authenticator must transmit an EAP packet with the Code field set to 1 (request). Additional request packets must be sent until a valid response packet is received, or an optional retry counter expires. Retransmitted requests must be sent with the same identifier value in order to distinguish them from new requests. The contents of the Data field depend on the request type. The peer must send a response packet in reply to a request packet. Responses must only be sent in reply to a received request and never be retransmitted on a timer. The Identifier field of the response must match that of the request.

• Implementation note Because the authentication process will often involve user input, some care must be taken when deciding upon retransmission strategies and authentication timeouts. It is suggested that a retransmission timer of 6 seconds with a maximum of 10 retransmissions be used as default. One may wish to make these timeouts longer in certain cases (when token cards are involved). Additionally, the peer must be prepared to silently discard received retransmissions while waiting for user input.

See a summary of the request and response packet format in Figure 4-13. Fields are transmitted from left to right.

Figure 4-13: Request and response packet format

• Code 1 for request; 2 for response.

• Identifier The Identifier field is one octet. The Identifier field must be the same if a request packet is retransmitted due to a timeout while waiting for a response. Any new (nonretransmission) requests must modify the Identifier field. If a peer receives a duplicate request for which it has already sent a response, it must resend its response. If a peer receives a duplicate request before it has sent a response to the initial request (it is waiting for user input), it must silently discard the duplicate request.

• Length The Length field is two octets and indicates the length of the EAP packet including the Code, Identifier, Length, Type, and Type-Data fields. Octets outside the range of the Length field should be treated as Data Link layer padding and should be ignored on reception.

• Type The Type field is one octet. This field indicates the type of request or response. Only one type must be specified per EAP request or response. Normally, the Type field of the response will be the same as the type of the request. However, there is also a Nak response type for indicating that a request type is unacceptable to the peer. When sending a Nak in response to a request, the peer may indicate an alternative desired authentication type that it supports.

• Type-Data The Type-Data field varies with the type of request and the associated response.

Success and Failure

• Description The success packet is sent by the authenticator to the peer to acknowledge successful authentication. The authenticator must transmit an EAP packet with the Code field set to 3 (success).

  If the authenticator cannot authenticate the peer (unacceptable responses to one or more requests), then the implementation must transmit an EAP packet with the Code field set to 4 (failure). An authenticator may wish to issue multiple requests before sending a failure response in order to allow for human typing mistakes.

• Implementation note Because the success and failure packets are not acknowledged, they may be potentially lost. A peer must allow for this circumstance. The peer can use a Network Protocol packet as an alternative indication of success. Likewise, the receipt of a LCP Terminate-Request can be taken as a failure.

A summary of the success and failure packet format is shown in Figure 4-14. The fields are transmitted from left to right.

Figure 4-14: Success and failure packet format

• Code 3 for success; 4 for failure.

• Identifier The Identifier field is one octet and aids in matching replies to responses. The Identifier field must match the Identifier field of the response packet that it is sent in response to.

• Length 4.

Initial EAP Request/Response Types

Let's define an initial set of EAP types used in request/response exchanges. Additional types may be defined at a future point in follow-on documents issued by the IETF. The Type field is one octet and identifies the structure of an EAP request or response packet. The first three types are considered special case types. The remaining types define authentication exchanges.

The Nak type is valid only for response packets; it must not be sent in a request. The Nak type must only be sent in response to a request that uses an authentication type code. All EAP implementations must support types 1 through 4. These types, as well as types 5 and 6, are defined:

1 Identity 2 Notification 3 Nak (response only) 4 MD5-challenge 5 One-time password (OTP) (RFC 1938) 6 Generic token card

Identity

• Description The Identity type is used to query the identity of the peer. Generally, the authenticator will issue this as the initial request.

  An optional, displayable message may be included to prompt the peer in the case of interaction with a user. A response must be sent to this request with a type of 1 (identity).

• Implementation note The peer may obtain the identity via user input. It is suggested that the authenticator retry the identity request in the case of an invalid identity or authentication failure to allow for potential typos on the part of the user. It is suggested that the identity request be retried a minimum of three times before terminating the authentication phase with a failure reply. The notification request may be used to indicate an invalid authentication attempt prior to transmitting a new identity request (optionally, the failure may be indicated within the message of the new identity request itself).

• Type 1

• Type-Data This field may contain a displayable message in the request. The response uses this field to return the identity. If the identity is unknown, this field should be zero bytes in length. The field must not be null terminated. The length of this field is derived from the Length field of the request/response packet and hence a null is not required.

Notification

• Description The Notification type is optionally used to convey a displayable message from the authenticator to the peer. The peer should display this message to the user or log it if it cannot be displayed. It is intended to provide an acknowledged notification of some imperative nature. Examples include a password with an expiration time that is about to expire, an OTP sequence integer that is nearing zero, an authentication failure warning, and so on. In most circumstances, notification should not be required.

• Type 2

• Type-Data The Type-Data field in the request contains a displayable message greater than zero octets in length. The length of the message is determined by the Length field of the request packet. The message must not be null terminated. A response must be sent in reply to the request with a Type field of 2 (notification). The Type-Data field of the response is zero octets in length. The response should be sent immediately (independent of how the message is displayed or logged).

Nak

• Description The Nak type is valid only in response messages. It is sent in reply to a request when the desired authentication type is unacceptable. Authentication types are numbered 4 and above. The response contains the authentication type desired by the peer.

• Type 3

• Type-Data This field must contain a single octet indicating the desired authentication type.

MD5-Challenge

• Description The MD5-challenge type is analogous to the PPP CHAP protocol^[33] (with MD5 as the specified algorithm). The PPP CHAP RFC^{[ ]}should be referred to for further implementation specifics. The request contains a 'challenge' message to the peer. A response must be sent in reply to the request. The response may be either of Type 4 (MD5- challenge) or Type 3 (Nak). The Nak reply indicates the peer's desired authentication mechanism type. All EAP implementations must support the MD5-challenge mechanism.

• Type 4

• Type-Data The contents of the Type-Data field are summarized in Figure 4-15. For reference on the use of this field, see the PPP CHAP.^[33]

  
  Figure 4-15: Contents of the Type- Data field

One-Time Password (OTP)

• Description The OTP system is defined in RFC 1938, 'A One-Time Password System.'^[34] The request contains a displayable message containing an OTP challenge. A response must be sent in reply to the request. The response must be of Type 5 (OTP) or Type 3 (Nak). The Nak reply indicates the peer's desired authentication mechanism Type.

• Type 5

• Type-Data The Type-Data field contains the OTP challenge as a displayable message in the request. In the response, this field is used for the six words from the OTP dictionary.^[34] The messages must not be null terminated. The length of the field is derived from the Length field of the request/reply packet.

Generic Token Card

• Description The generic token card type is defined for use with various token card implementations requiring user input. The request contains an ASCII text message and the reply contains the token card information necessary for authentication. Typically, this would be information read by a user from the token card device and entered as ASCII text.

• Type 6

• Type-Data The Type-Data field in the request contains a displayable message greater than zero octets in length. The length of the message is determined by the Length field of the request packet. The message must not be null terminated. A response must be sent in reply to the request with a Type field of six (generic token card). The response contains data from the token card required for authentication. The length of the data is determined by the Length field of the response packet.

Security Considerations for PPP

Security issues are the primary topic of RFC 2284. The interactions of the authentication protocols within PPP are highly implementation dependent. For example, upon failure of authentication, some implementations do not terminate the link. Instead, the implementation limits the kind of traffic in the Network Layer protocols to a filtered subset, which in turn gives the user the opportunity to update secrets or send mail to the network administrator, indicating a problem.

There is no provision for retries of failed authentication. However, the LCP state machine can renegotiate the authentication protocol at any time, thus allowing a new attempt. It is recommended that any counters used for authentication failure not be reset until after successful authentication, or subsequent termination of the failed link.

There is no requirement that authentication be full duplex or that the same protocol be used in both directions. It is perfectly acceptable for different protocols to be used in each direction. This will, of course, depend on the specific protocols negotiated.

In practice, within or associated with each PPP server, it is not anticipated that a particular named user would be authenticated by multiple methods. This would make the user vulnerable to attacks that negotiate the least secure method from among a set (such as the Password Authentication Protocol [PAP] rather than EAP). Instead, for each named user, there should be an indication of exactly one method used to authenticate that user name. If a user needs to make use of different authentication methods under different circumstances, then distinct identities should be employed, each of which identifies exactly one authentication method.^[35]

^{[29 ]} www.mtghouse.com.

^[30]W. Simpson, ' STD 51, RFC 1661: The Point-to-Point Protocol (PPP).' July 1994.

^{[29 ]} www.mtghouse.com.

^[31]L. Blunk and J. Vollbrecht, 'Request for Comments: 2284, PPP Extensible Authentication Protocol (EAP).' March 1998.

^[32]The rest of this section taken from Blunk and Vollbrecht's 'Request for Comments: 2284, PPP Extensible Authentication Protocol (EAP),' March 1998.

^[33]F. Yergeau, 'RFC 2044: UTF-8, a transformation format of Unicode and ISO 10646.' October 1996.

^{[ ]} W. Simpson, 'RFC 1994: PPP Challenge Handshake Authentication Protocol (CHAP).' RFC 1994, August 1996.

^[33]F. Yergeau, 'RFC 2044: UTF-8, a transformation format of Unicode and ISO 10646.' October 1996.

^[34]N. Haller and C. Metz, 'A One-Time Password System.' RFC 1938, May 1996.

^[34]N. Haller and C. Metz, 'A One-Time Password System.' RFC 1938, May 1996.

^[35]RFC 2284 is Copyright © The Internet Society (1998). This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.