Installing and Administering PPP Edition 1 B2355-90137 HP 9000 Networking E0497 Printed in: United States © Copyright 1997, Hewlett-Packard Company.
Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Warranty.
©copyright 1980, 1984, 1986 Novell, Inc. ©copyright 1986-1992 Sun Microsystems, Inc. ©copyright 1985-86, 1988 Massachusetts Institute of Technology. ©copyright 1989-93 The Open Software Foundation, Inc. ©copyright 1986 Digital Equipment Corporation. ©copyright 1990 Motorola, Inc. ©copyright 1990, 1991, 1992 Cornell University ©copyright 1989-1991 The University of Maryland ©copyright 1988 Carnegie Mellon University ©copyright 1997 Progressive Systems, Inc.
Contents
1. Introduction
Product Overview 17
Dialing In to an HP 9000 17
Dialing Out from an HP 9000 18
Direct Connections 18
HP-UX PPP Features
Creating a Simple Filter File 40
Note on Systems and Devices Entries 41
IP Addresses on the pppd Command Line 42
3. SLIP to PPP Migration
SLIP and PPP Configuration Files 47
Migration Examples
Link Quality Monitoring 72
Guides for Evaluation of Link Quality 72
Adjusting LQM Behavior 72
Weighing the Costs of LQM 73
LQM Response to Link Failures
Filter Stanzas 92
Packets Overview
Internet Protocol (IP) Level
Internet Control Message Protocol (ICMP) Level
Transmission Control Protocol (TCP) Level
Open Policy Default Rulesets 116
A Note on Using the 'log rejected' Filter 116
Closed Policy Default Rulesets 116
Block All Packets 117
Block All Packets Except Electronic Mail
HP Modem Cables 148
Null-Modem Cables 149
Dial Up Modems
Speed
Data Compression
Printing History The manual printing date and part number indicate its current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The manual part number will change when extensive changes are made. Manual updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, you should subscribe to the appropriate product support service.
Preface PPP is a Hewlett-Packard networking product that allows data transfer using either the Internet-standard Point-to-Point Protocol (PPP) or the non-standard, but widely-used Serial Line Internet Protocol (SLIP). The Installing and Administering PPP manual provides information about configuring and using the PPP product. The manual also describes how to migrate SLIP connections from earlier HP-UX releases to the SLIP mode of the PPP product.
1 Introduction
PPP is a networking product that allows data transfer using both the Internet standard point-to-point protocol (PPP) and the non-standard but widely-used serial line internet protocol (SLIP). PPP is supplied with HP's LAN/9000 product. This chapter describes the PPP product.

Product Overview
Terrain, distance, and property rights often limit LAN cabling. Where coax is restricted, network connections can be made by serial lines. Serial lines are relatively inexpensive and easy to install. However, you need special software, such as PPP, to run TCP/IP applications over a serial line.

For a connection without a login, the user simply dials in to a preset HP 9000 serial line where the serial protocol is already running on the line.

Dialing Out from an HP 9000
HP 9000 users can establish dial-out IP connections with or without login. This may be to any remote host that runs a supported serial IP protocol. For a login connection, the user simply invokes pppd at the HP-UX shell prompt. pppd establishes a modem link to the specified host and logs in.

• Minimizes transmission overhead. PPP compresses the HDLC address, control and protocol fields, as well as TCP headers. This improves both throughput and interactive response on typical modem connections. The PPP interface to HP-UX TCP/IP implements Van Jacobson's TCP "fast queue" scheme, whereby interactive packets have priority for transmission on a congested link. PPP does not support traffic encryption.

PPP and SLIP
If you must link with a peer host that cannot use the point-to-point protocol, you can use PPP's SLIP option. SLIP, a non-standard but popular protocol, is really only a framing convention for arranging IP packets on a link. Many other PPP options are available when running the SLIP option. Automatic dialing, idle line hangup, packet filtering, the exec option, and most other management facilities can be invoked in conjunction with SLIP.

Installation
You do not need to manually install the PPP software if:
• the LAN/9000 networking product was pre-installed on your system (instant ignition).
• you used the HP-UX swinstall program to install the Core Networking Bundle. The PPP-RUN fileset is part of this software bundle.

• sample configuration files for communicating to PPP (for example, /etc/ppp/Devices.ex, /etc/ppp/Dialers.ex, and /etc/ppp/Systems.ex)
• example configuration files for communicating to other PPP implementations (for example, /etc/ppp/Examples/Exec-Portmaster.
2 Setting Up PPP Connections This chapter describes how to configure PPP for inbound and outbound connections.
Configuration Overview
A pppd process on a local system negotiates with the pppd process on a remote or peer system to establish the PPP connection. The following files are used for PPP connections:
• /etc/ppp/Autostart starts pppd for on-demand outbound calls.
• /etc/ppp/Systems contains the hostname or IP address of peers and how to connect with peers.
• /etc/ppp/Devices associates dialer types with physical devices and speeds.

After PPP connections are configured on both systems and robin is re-booted, the Autostart file on robin starts pppd for an on-demand connection from robin to lark. If IP traffic is initiated to lark, the following occurs, as shown in Figure 2-2:

Figure 2-2 PPP Connection Example (continued) [figure: IP traffic from robin to "lark"; step 1 consults the Systems file (name, speed, chat script); step 2 consults the Devices file (dialer, speed)]

3. When a match of the speed is found in the Devices file, the dialer field in the matching entry is noted. The Dialers file is then searched for an entry that matches the dialer field in the Devices file entry.
4. The phone number for lark is dialed.
5. The chat script specified for "lark" in the Systems file sends robin's login name and password to lark.
6. lark verifies robin's password by comparing it to the entry in its /etc/passwd file.
7.

Outbound, Step 4: Create entry in /etc/ppp/Devices. Optionally, add entries to /etc/ppp/Dialers or Dialers.local. See "Configuring Outbound Connections."
Inbound, Step 4: Add user accounts to /etc/passwd to allow incoming connections. See "Configuring Inbound Connections."
Outbound, Step 5: Define dial-out connection in /etc/ppp/Systems. See "Configuring Outbound Connections."
Inbound, Step 5: Create Login shell script. See "Configuring Inbound Connections."

Creating Device Files for Serial Ports
You need to create device files in the /dev directory for serial ports. Each serial port used for pppd may require one to four device files. Depending on the hardware attached, you may need files for dial-in, dial-out, or direct connection. Use the System Administration Manager (SAM) to create device files. Creating the device files with appropriate minor numbers is important.

PP  Two hexadecimal digits (8 bits) to indicate the port number of this device on the serial interface. On a Series 700 serial port, this will always be 0.
H   One hexadecimal digit (4 bits) to control diagnostic access and hardware flow control (HP J2094A only). Bit 0 controls RTS/CTS hardware flow control.

Increasing the Number of IP Tunnels
pppd uses IP tunnels to pass packets between the serial port and the IP layer. During bootup, /sbin/init.d/ppp creates 16 IP tunnels (the default value is defined in /etc/ppp/tunconf), which will support 16 concurrent pppd processes. Each IP tunnel creates three device files. Each pppd process facilitates a PPP connection. The kernel can support a maximum of 64 IP tunnels.

Configuring Your Modem
The following are general recommendations for configuring modems to use with PPP:
• Choose the highest asynchronous serial speed both modem and computer can support.
• Enable error correction. If possible, choose CCITT V.42 for compatibility with CCITT V.42bis data compression.
• Enable data compression. HP recommends CCITT V.42bis for higher maximum compression ratios and handling of precompressed data streams.
• Enable flow control.
• Set the modem to disconnect the call and restore its saved values when the computer deasserts the Data Terminal Ready (DTR) signal.

HP recommends that you verify that your modem connection is working correctly before configuring a PPP connection. This will detect any hardware, software, or modem configuration problems that are not related to the protocol.

Configuring Outbound Connections
The following files are used for outbound calls:
• /etc/ppp/Devices associates dialer types with physical devices and speeds. pppd examines the file when it places a call. If no suitable speed is found or if all devices associated with that speed are busy, pppd tries again later.
• /etc/ppp/Dialers describes how to dial each type of modem attached to the HP-UX system that is to be made available for outbound calls.

Refer to the ppp.Dialers(4) man page for more information. In our example, the Dialers file is already installed on robin.

Using what device: ACU (any call unit that matches the speed listed in the next field).
At what DTE speed: 19200 (19200 bps).
At what telephone #: 5551212.
Expect what string: in: (a substring of login:). If it arrives, send the next field. If it does not, send the string between the dashes followed by a carriage return and expect in: again. This can be used to elicit a response from the peer.
Send what string: Probin (followed by an implicit carriage return).
Idle timer value: 150 (shut down the link if 150 seconds pass without receiving or transmitting a packet).
Configuring Inbound Connections
On machines that only accept incoming calls, pppd does not need to be started at boot time, since pppd is started when a PPP login occurs. Machines that both initiate and receive calls must start pppd at boot time, and must also prepare accounts for incoming connections. User accounts must be created in the /etc/passwd file for the system to be able to accept incoming calls.

Look carefully at the last line in the sample script shown below. Notice that the word hostname is surrounded by backquotes, not regular quotes or apostrophes. `hostname`, with the backquotes, tells the system to insert the output of the command hostname(1) at this point in the pppd command line. We recommend that you make sure backquotes are used by copying this script from /etc/ppp/Login.ex, rather than inserting them manually.
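The backquote mistake is easy to make and hard to see, so the following POSIX shell script, an added example that is not part of the HP manual or the PPP product, checks a Login script for it before the account goes live. It looks for an exec'd pppd line, for `hostname` in backquotes, for the same word wrongly placed in apostrophes, and for the mesg n and stty -tostop lines of the manual's sample script; the two sample scripts it writes are constructed test data, and the path /etc/ppp/Login is assumed.

```sh
#!/bin/sh
# Added example, not from the HP manual. Checks an inbound PPP Login script
# for the backquote mistake the manual warns about: the last line must be
#   exec pppd `hostname`: ...
# with backquotes (command substitution), not 'hostname' in apostrophes.
# The two sample scripts below are constructed test data.

# write_sample_good <file>  : a Login script in the manual's style
write_sample_good() {
    cat > "$1" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/usr/etc:/etc:/bin
mesg n
stty -tostop
exec pppd `hostname`: idle 180
EOF
}

# write_sample_bad <file>   : the same script typed by hand with apostrophes
write_sample_bad() {
    cat > "$1" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/usr/etc:/etc:/bin
mesg n
stty -tostop
exec pppd 'hostname': idle 180
EOF
}

# check_login_script <file>
# Prints one line per problem found and returns 1 if there were any.
check_login_script() {
    f=$1
    status=0
    if ! grep -q '^exec[[:space:]]*pppd' "$f"; then
        echo "$f: pppd is not started with exec"
        status=1
    fi
    if grep -q "'hostname'" "$f"; then
        echo "$f: hostname is in apostrophes; the literal word hostname would be passed to pppd"
        status=1
    fi
    if ! grep -q '`hostname`' "$f"; then
        echo "$f: no backquoted hostname command substitution found"
        status=1
    fi
    # The manual's sample script also runs 'mesg n' and 'stty -tostop'; flag their absence.
    grep -q '^mesg n' "$f" || { echo "$f: missing 'mesg n'"; status=1; }
    grep -q '^stty -tostop' "$f" || { echo "$f: missing 'stty -tostop'"; status=1; }
    return $status
}

# Stand-alone run: check the two samples, then the live script if installed.
g=/tmp/ppp_login_good.$$
b=/tmp/ppp_login_bad.$$
write_sample_good "$g"
write_sample_bad "$b"
check_login_script "$g" && echo "$g: ok"
check_login_script "$b" || echo "$b: needs fixing"
rm -f "$g" "$b"
if [ -f /etc/ppp/Login ]; then
    check_login_script /etc/ppp/Login || echo "/etc/ppp/Login: needs fixing"
fi
```

Run it after copying /etc/ppp/Login.ex into place, and again whenever a host-specific Login script is edited by hand; a non-zero exit status means the script should not be assigned as a login shell yet.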
Testing the Connection
When PPP is installed, configured, running and connected on both ends of the link, users should be able to access each peer machine using any TCP/IP application such as telnet, ftp, etc. Once you have configured the PPP connection on both the local and remote systems, follow these steps to test the outbound connection.
1. Either reboot your machine or run /etc/ppp/Autostart to start pppd.
2.

Additional Information
This section discusses some additional information that may be useful when configuring PPP connections.

Non-Generic Login Scripts
In most cases, all inbound PPP logins can use the same generic Login script. But if you want a host to start pppd with a special option like 'require authentication', make that login account use a specific login shell that is tailored to that host.

Bring up the connection for any traffic other than Network Time Protocol (NTP) packets, ICMP Network Unreachable messages, and packets from the in.rwhod daemon.
(!send) (!ntp) (!3/icmp) (!who): Keep up the link for all packets except those sent by robin and those that will not bring up the connection.
(!route): Pass all packets except for RIP routing messages between routed daemons.

IP Addresses on the pppd Command Line
Soft Addresses
If an IP address is given on the pppd command line, the address is offered during IPCP negotiations. However, at connection time, some terminal servers and other peers wish to assign an address for the host running PPP to use for the duration of the connection.

    IP=192.0.2.2
    ;;
esac
exec pppd `hostname`:$IP idle 300

Address Calculated From tty Name
This script also uses the tty name to guarantee uniqueness of the addresses it assigns. You must define ttyN in your /etc/hosts file, NIS hosts map, NetInfo hosts map, or DNS database, according to the system used. This works better in a larger installation with many ports and a configuration that tends to change often.
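The fragment above shows only the tail of such a script. As an added example that is not part of the HP manual, the following POSIX shell code fills in both variants the text describes: a case statement keyed on the port the caller arrived on, and a lookup of the port's name (ttyN) in a hosts file. The port names, the hosts file contents and the 192.0.2.0/24 addresses other than 192.0.2.2 are constructed sample values; a port that is not listed gets no address and pppd is not started.

```sh
#!/bin/sh
# Added example, not from the HP manual. A Login script that assigns the
# dial-in peer a "soft" address chosen by the serial port it arrived on, so
# two concurrent logins can never be handed the same address. The port names
# and the 192.0.2.0/24 addresses are constructed sample values; only
# 192.0.2.2 appears in the manual's fragment.

# addr_for_tty <tty device>
# Prints the address reserved for that port; fails for any port not listed.
addr_for_tty() {
    case $1 in
        /dev/tty1p0) echo 192.0.2.2 ;;
        /dev/tty1p1) echo 192.0.2.3 ;;
        /dev/tty1p2) echo 192.0.2.4 ;;
        *) echo "no address reserved for port $1" >&2; return 1 ;;
    esac
}

# write_sample_hosts <file>
# Constructed stand-in for /etc/hosts with one ttyN name per port.
write_sample_hosts() {
    cat > "$1" <<'EOF'
# constructed sample hosts file (not a real /etc/hosts)
192.0.2.2   tty1p0
192.0.2.3   tty1p1
EOF
}

# addr_from_hosts <tty device> <hosts file>
# The manual's alternative: name each port ttyN in the hosts database and
# look the address up by the port's basename. Fails when the name is absent.
addr_from_hosts() {
    name=$(basename "$1")
    awk -v n="$name" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$2" | grep .
}

# login_main: what a Login script built on addr_for_tty would run for the
# dial-in user. Any failure exits the login shell instead of starting pppd.
login_main() {
    PATH=/usr/bin:/usr/etc:/etc:/bin
    mesg n
    stty -tostop
    port=$(tty) || exit 1
    IP=$(addr_for_tty "$port") || exit 1
    exec pppd `hostname`:$IP idle 300
}

# Stand-alone run: show both mappings rather than starting pppd.
h=/tmp/ppp_hosts_sample.$$
write_sample_hosts "$h"
for p in /dev/tty1p0 /dev/tty1p1 /dev/tty1p9; do
    if ip=$(addr_for_tty "$p" 2>/dev/null); then
        echo "case: $p gets $ip"
    else
        echo "case: $p refused"
    fi
    if ip=$(addr_from_hosts "$p" "$h"); then
        echo "hosts: $p gets $ip"
    else
        echo "hosts: $p refused"
    fi
done
rm -f "$h"
```

To use the hosts-file variant in a real Login script, replace the addr_for_tty call in login_main with addr_from_hosts "$port" /etc/hosts (or a lookup against the NIS or DNS name ttyN); either way the refusal on an unknown port is what keeps an unexpected line from receiving an address.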
3 SLIP to PPP Migration
This chapter describes how to migrate pre-HP-UX 10.30 SLIP connections to PPP SLIP mode connections. If you did not run SLIP on a previous version of HP-UX, skip this chapter.

The purpose of this chapter is to describe how SLIP configurations may be migrated to PPP using SLIP mode on HP-UX 10.30. The SLIP-RUN fileset is replaced with a PPP-RUN fileset. The configuration requirements for PPP are similar to the SLIP configuration requirements, but the configuration files have different names and different formats.

SLIP and PPP Configuration Files
There are four main files used to set up SLIP connections with the SLIP product:
• /etc/ppl/ppl.remotes
• /etc/uucp/Systems
• /etc/uucp/Devices
• /etc/uucp/Dialers
Table 3-1 shows how the configuration information in the files and fields used with SLIP relates to the files and fields used with PPP.

Table 3-1 Relationship of SLIP and PPP Configuration Information
Columns: SLIP Files, SLIP Fields, PPP Files, PPP Fields
/etc/ppl/ppl.

during the swinstall process. If there is a need to move any entries from the /etc/ppp/Dialers.ex file to the /etc/ppp/Dialers file, it would be up to you, the system administrator, to do this. It is also possible for you to create a /etc/ppp/Dialers.local file for system-specific dialers. For more information about PPP configuration files, refer to the following: ppp.Dialers(4), ppp.Devices(4), and ppp.Systems(4).

Migration Examples
The sections below discuss how to set up the PPP configuration files from SLIP configuration files. Three types of SLIP configurations are used as examples.

Case 1: Dialout SLIP Connection without UUCP System Name
This type of connection is represented by an entry in /etc/ppl/ppl.remotes where type=DIALOUT, modem_control=YES and there is no uucp_system name.

login: test password: blue   # log in info
"" ppl\s-i\s ewok            # command name
/etc/uucp/Devices. The dialout SLIP connection is defined in /etc/uucp/Devices by:
ACU cul1b1 - 9600 hayes
Command Line. The command line for the dialout SLIP connection is:
ppl -o keywest
PPP Configuration
/etc/ppp/Systems. Information in the /etc/ppp/Systems file corresponds to the following information from the /etc/ppl/ppl.remotes file:
/etc/ppp/Systems /etc/ppl/ppl.

Each /etc/ppp/Devices field and the /etc/uucp/Devices field it is taken from:
dialer  dialer_token (hayes)
device  device_file (cul1b1)
speed   speed (9600)
After migration, the dialout PPP connection is defined in /etc/ppp/Devices by:
hayes cul1b1 9600
/etc/ppp/Autostart. The /etc/ppp/Autostart entry for the dialout PPP connection is:
pppd ewok:keywest auto idle 350

Case 2: Direct SLIP Connection without UUCP System Name
This type of connection is represented by an entry in /etc/ppl/ppl.

NONE     # line parity [EVEN] [ODD] [NONE]
57600    # line speed
tty1p0   # serial line
         # phone number
NO       # modem control available [YES][NO]
         # log in info
         # command name
/etc/uucp/Devices. The direct SLIP connection is defined in /etc/uucp/Devices by:
Direct tty1p0 - 57600 direct
Command Line. The command line for the direct SLIP connection is:
ppl -o keywest
PPP Configuration
/etc/ppp/Systems.

Each /etc/ppp/Devices field and the /etc/uucp/Devices field it is taken from:
dialer  set to Direct
device  device_file (tty1p0)
speed   speed (57600)
After migration, the direct PPP connection is defined by:
Direct tty1p0 57600
/etc/ppp/Autostart. The /etc/ppp/Autostart entry for the direct PPP connection is:
pppd ewok:keywest auto

Case 3: Dialout SLIP Connection with UUCP System Name
This type of connection is represented by an entry in /etc/ppl/ppl.

         # line speed
         # serial line
         # phone number
YES      # modem control available [YES][NO]
         # log in info
         # command name
/etc/uucp/Systems. The dialout SLIP connection is defined in /etc/uucp/Systems by:
kqu ANY;1 ACU 9600 89659 login: test password: blueSky
/etc/uucp/Devices. The dialout SLIP connection is defined in /etc/uucp/Devices by:
kqu cul1b1 - 9600 hayes
Command Line.

* A numerical value for retry in /etc/uucp/Systems must be converted to seconds.
After migration, the dialout PPP connection is defined in /etc/ppp/Systems by:
keywest Any;1 ACU 9600 89659 login: test password: blueSky
/etc/ppp/Devices. An entry in /etc/ppp/Devices will be created by searching the /etc/uucp/Devices file for an entry with device_type=ACU and speed=speed from /etc/uucp/Systems.
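The migrated Systems entry above carries the same fields that "Configuring Outbound Connections" in Chapter 2 describes one by one (name, time, device, speed, telephone number, then the expect/send chat script), and the chat script contains the login password in clear text. The following POSIX shell script, an added example that is not from the HP manual or the PPP product, pulls those fields out of an entry and checks that the file holding them is readable by its owner only. The field order is assumed from the manual's description; the sample entry is the Case 3 entry, used here as constructed test data.

```sh
#!/bin/sh
# Added example, not from the HP manual or the PPP product. Assumes the
# /etc/ppp/Systems field order described in the manual:
#   name  time  device  speed  phone  chat-script...
# The sample entry is the migrated Case 3 entry (constructed test data).

SAMPLE_ENTRY='keywest Any;1 ACU 9600 89659 login: test password: blueSky'

# systems_field "<entry>" <name|time|device|speed|phone|chat>
# Prints the requested field; the chat script is everything after the phone number.
systems_field() {
    entry=$1
    want=$2
    set -- $entry            # split the entry on whitespace into $1..$n
    case $want in
        name)   echo "$1" ;;
        time)   echo "$2" ;;
        device) echo "$3" ;;
        speed)  echo "$4" ;;
        phone)  echo "$5" ;;
        chat)   shift 5; echo "$*" ;;
        *)      echo "unknown field: $want" >&2; return 1 ;;
    esac
}

# systems_is_private <file>
# Succeeds only when neither group nor others can read the file. The chat
# scripts hold the login passwords sent to peers, so mode 600 is the target.
systems_is_private() {
    f=$1
    [ -f "$f" ] || return 2
    perms=$(ls -ld "$f" | cut -c5-10)    # group and other permission bits
    case $perms in
        *r*) return 1 ;;                 # somebody besides the owner can read it
        *)   return 0 ;;
    esac
}

# Stand-alone run: show the parsed sample and, if present, audit the real file.
for field in name time device speed phone chat; do
    printf '%-7s %s\n' "$field:" "$(systems_field "$SAMPLE_ENTRY" "$field")"
done
if [ -f /etc/ppp/Systems ]; then
    if systems_is_private /etc/ppp/Systems; then
        echo "/etc/ppp/Systems: readable by owner only"
    else
        echo "/etc/ppp/Systems: WARNING readable by group or others; chmod 600 it"
    fi
fi
```

The same check applies to any /etc/uucp/Systems file left behind after migration, since it held the same passwords for the SLIP connection.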
Setting up Outbound PPP Connections
All outbound PPP connections are started through the user-generated /etc/ppp/Autostart file. The start-up script for PPP, /sbin/init.d/ppp, looks for this file and sources it if it exists. /sbin/init.d/ppp is shipped in PPP-RUN. The SLIP product does not have a start-up script.

Setting up Inbound PPP Connections
On machines that only accept incoming calls, pppd does not need to be started at boot time, since pppd is started when a PPP login occurs. Machines that both initiate and receive calls must start pppd at boot time, and must also prepare accounts for incoming connections. User accounts must be created in the /etc/passwd file for the system to be able to accept incoming calls.

Accounting and Logging
In SLIP, there is an option to create a status file which can be displayed by the command pplstat. There is also the ability to record connection information by creating a billing file. Similar functionality is available in PPP by using the acct and/or log options on the pppd command line. See pppd(1) for command line options.

ppl.users and ppl.ipool
In SLIP, ppl.users maps each user name to a single remote host. This allows a dial-in user to invoke ppl without identifying the remote host that is calling. It allows a dial-out user to invoke ppl without specifying the remote host that is being called. PPP does not provide such functionality. The ppl.ipool in SLIP specifies a pool of local Internet addresses to be used for modem connections. PPP does not provide such functionality.

SLIP and PPP Interoperability
The command_name option in the ppl.remotes file for SLIP allows the execution of a ppl command on the called host. For an HP-UX system running SLIP to communicate seamlessly with an HP-UX 10.30 system running PPP in SLIP mode, either the command_name option must be changed to execute pppd or the 10.30 system must recognize a ppl command and be able to convert that to a corresponding pppd command.

Flow Control
HP ppl requires the Xon/Xoff modem setting to be turned off because SLIP and CSLIP do not allow Xon/Xoff. PPP supports the Xon/Xoff modem setting for a PPP connection. However, if pppd is run in SLIP mode, the Xon/Xoff modem setting should be turned off.
4 Common pppd Options
The PPP daemon has several sets of configuration options for fine-tuning PPP communications.

signaling. pppd running on most links is basic and defined by a handful of options, but each daemon can be remarkably different with a minor change of options. This section presents some of the more common and useful pppd command line options. Most, like the active, passive and idle timer options, control some aspect of link management. One important pppd option, filter, is discussed at length in the section on security in Chapter 5.

Link Management
Link management options define how PPP establishes, maintains and monitors a communications link. These factors, and the condition of the link, help PPP decide when to bring a link up and down in situations other than on-demand dialups.
Active vs. Passive PPP Negotiations
HP-UX PPP, like most PPP implementations, expects to actively initiate the negotiation process.

Idle Timer Link Control
The idle option allows you to limit the number of seconds that can pass without receiving or transmitting the type of packets specified in the filter file's keepup field. The timer shuts down the link when the specified number of seconds elapse. The idle option works on both the calling and the answering pppd. If both have the idle option set, the end that specifies the shorter interval shuts down the line first.

number. On the other hand, if it provides its services via a 976 or 900 number scheme, you may not want to specify any timeout interval since each unit of connection time increases the answering system's revenue.

The exec Option
The exec option invokes a command or shell script when a link is brought up or taken down. Exec can be used on the link's calling or answering end, and the command or shell script is executed immediately when the link changes state. The first argument of the command or shell script invoked by exec is either "up" or "down". The second argument is the peer's IP address. Exec's third and subsequent arguments are those with which pppd was invoked.

Variable and description:
PPP_ORIG_NETMASK  Original netmask.
PPP_INTERFACE  Name of PPP interface (DUX).
PPP_DEVICE  Name of device being used for serial stream.
PPP_LOGFILE  Name of the log file.
PPP_ACCTFILE  Name of the accounting file.
PPP_AUTHNAME  Peer name if CHAP/PAP is used; else the "name" parameter from the command line, if given; else the user name of the user that started pppd.
PPP_PID  pppd user process PID.
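A script run through exec is the natural place to keep an audit trail of which peer held which address and when. The following POSIX shell script, an added example that is not from the HP manual or the PPP product, is written for the calling convention described above (first argument up or down, second the peer's IP address, the rest pppd's own arguments) and the PPP_* variables in the table. The log path and the interface, device and peer values used in its stand-alone run are constructed; note that PPP_AUTHNAME is only an authenticated identity when CHAP or PAP actually ran.

```sh
#!/bin/sh
# Added example, not from the HP manual. A script for pppd's exec option
# that appends one audit line per link state change. pppd calls it as
#   script up|down <peer IP> <pppd arguments...>
# and exports the PPP_* variables listed in the manual; the log path and the
# sample values used in the stand-alone run below are constructed.

LINKLOG=${LINKLOG:-/tmp/ppp-link.log}

# format_link_event <up|down> <peer IP>
# Builds the audit line from the arguments and the PPP_* environment.
# Fails on any state other than up or down so a bad invocation is noticed.
format_link_event() {
    state=$1
    peer=$2
    case $state in
        up|down) ;;
        *) echo "unexpected link state '$state'" >&2; return 1 ;;
    esac
    [ -n "$peer" ] || { echo "missing peer address" >&2; return 1; }
    # PPP_AUTHNAME is the CHAP/PAP peer name only when authentication ran;
    # otherwise it is the name option or the invoking user, so read it with care.
    printf 'link=%s peer=%s auth=%s iface=%s dev=%s pid=%s\n' \
        "$state" "$peer" "${PPP_AUTHNAME:-?}" "${PPP_INTERFACE:-?}" \
        "${PPP_DEVICE:-?}" "${PPP_PID:-?}"
}

# log_link_event <up|down> <peer IP> [pppd args...]
# Appends the timestamped line and the full pppd command line to LINKLOG.
log_link_event() {
    line=$(format_link_event "$1" "$2") || return 1
    shift 2
    printf '%s %s args=[%s]\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$line" "$*" >> "$LINKLOG"
}

# When run by pppd, $1 is up or down; when run by hand with no arguments,
# show what a link-up event from a constructed peer would look like.
if [ $# -ge 2 ]; then
    log_link_event "$@"
else
    (
        PPP_INTERFACE=du0 PPP_DEVICE=/dev/cul1b1 PPP_AUTHNAME=robin PPP_PID=1234
        export PPP_INTERFACE PPP_DEVICE PPP_AUTHNAME PPP_PID
        format_link_event up 192.0.2.2
    )
fi
```

Install the script with a path in pppd's exec option on either end of the link; keeping the log under the same ownership and mode discipline as the acct file makes the address-to-peer history usable later when a filter log line has to be tied back to a connection.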
SLIP Framing Option
Unlike PPP, SLIP cannot perform Internet Protocol Control Protocol (IPCP) negotiations. Therefore a SLIP connection cannot be assigned an address by a peer at connection time. Normally, PPP can use the tilde (~) on the pppd command line for this purpose.

script. The daemon passes the assigned address to the UNIX end of the point-to-point networking interface. See Systems.ex for an example use of this facility.

Link Quality Monitoring
The Link Quality Monitoring (LQM) option is defined in the PPP protocol specification. When the PPP implementation supports LQM, PPP can make policy decisions based on the quality of the link between peers. When LQM is invoked, pppd requests that the other end of the connection send Link Quality Report (LQR) packets back to pppd. If the link goes down or is degraded, many or all of the LQR packets will be lost.

Weighing the Costs of LQM
pppd discovers line failures more quickly if you decrease the lqrinterval, because LQRs arrive more frequently. However, sending more LQRs increases monitoring traffic, slowing down the transfer of user data. So you should also consider raising the lqthreshold. With 'lqthreshold 5/6', no more than one LQR can be dropped per minute. If two LQRs in a row are dropped, pppd shuts down the line.

Peer Refusal to Comply with LQM Request
If, during LCP option negotiation, the peer refuses to send Link Quality Reports, pppd instead begins sending LCP Echo-Request messages at the requested lqrinterval and uses the arriving LCP Echo-Response messages to make the link quality decision.

Compression
In addition to in-modem data compression, PPP supports compression at several different layers of the communications stack.
HDLC Frame Compression
The PPP frame format is based on the established HDLC format. Synchronous PPP links almost always use the full PPP/HDLC frame because the link hardware supports it. But lower-speed asynchronous links typically handle framing in software, and several of the fields carry the same contents in each message.

Van Jacobson TCP Header Compression
Each layer a TCP/IP datagram passes through adds a header to the user data. For example, many streams can potentially pass between two hosts. Therefore, in addition to its source and destination addresses, each packet contains a tag to identify which stream it belongs to. These headers are very large, and a comparison between successive packets reveals strong similarities.

• The modem or CSU/DSU communication device does not support data compression.
PPP link compression over modems that support V.42bis compression may provide no performance advantage, except in cases where the link's bandwidth is limited by slow serial interfaces.
Predictor-1
Predictor-1 compresses typical binary data 1.5:1, absorbs relatively little of the host's CPU, and adds very little latency to interactive traffic.

Unique PPP Implementations
Although most implementations of PPP run over asynchronous dial-up connections, PPP can be used for synchronous transmission over high speed serial interfaces. It can also be used on dedicated lines and constantly open telephone lines. The latter is a dial-up connection, but it is not on-demand.
Synchronous PPP
PPP can run in synchronous mode using a high speed serial interface at line speeds up to T1 (1.544 Mb/s).

The Dialers file is ignored when "Direct" is found in the dialer field of the Devices file entry. See the discussion below regarding line failovers and using an auto-dial modem as a backup link.
Automatic Failover
The Automatic Failover option is a dial-up backup that maintains connectivity so that IP traffic can continue when a synchronous or dedicated asynchronous connection is dropped.

reconnect using the next entry in Systems, or, if no additional entries exist, pppd wraps around to the first entry in the file, which is the dedicated connection.
Constantly-Open Telephone Calls
Some PPP connections are always up. The system does not use pppd's on-demand dialing to reestablish a link for new traffic.

IP Routing Tips
The UNIX host's IP implementation sees PPP as a point-to-point network connection between two known addresses. If neither end-point resides on an IP-based local area network (LAN), packets simply flow in both directions as soon as the PPP connection is established.
Figure 4-1
#!/bin/sh
PATH=/usr/bin:/usr/etc:/etc:/bin
mesg n
stty -tostop
exec pppd `hostname`: idle 180

Designate subnet 6 for remote machines. Assign nomad the IP address 134.19.6.17. The PPP daemon on nomad would be started in the Autostart script as:
pppd 134.19.6.17:134.19.5.

ARP Table Manipulation. If a separate subnet number is unavailable for use by remote-access machines, it is possible to assign the remote machines addresses on the same subnet number as the departmental LAN. As above, suppose the organization's class B network number is 134.19, and they are subnetting with a class C-sized network mask of 0xffffff00. The departmental LAN is subnet 134.19.5.0, populated by hosts alpha (134.19.5.22) and bravo (134.19.5.41).

arp -s nomad 8:0:9:30:dc:91 pub
(The hexadecimal sequence 8:0:9:30:dc:91 is the MAC address of the Ethernet card in alpha. Substitute the MAC address of your machine's Ethernet card in the command above.) This would add a permanent entry to alpha's ARP table, and cause it to be provided to other systems on the local Ethernet.

route add net 134.19.0.0 gate-b 1
ws-a should have a route like
route add net 134.19.14.0 gate-a 1
or, again depending upon the structure of LAN b, perhaps
route add net 134.19.0.0 gate-a 1

Connecting a Host or LAN to the Internet
If your LAN is connected to the Internet, or if you have arranged an account at a Point Of Presence (POP) of a PPP or SLIP-talking Internet connectivity vendor (say foo.
5 Security Techniques
It is impractical to impose thorough security policies on each internal host of the networks linked by a PPP connection. But PPP’s strong security features support a variety of techniques that strengthen your network’s ability to prevent loss.
Security Techniques In most cases, a single connection can be supported by more than one of PPP's security features.
Static Packet Filtering
We recommend that you establish a security policy before you write a packet filter. A security policy is a statement based on thorough analysis of access needs, vulnerabilities, and real or perceived threats to your assets. You must identify the types of network traffic associated with these issues before you can create a packet filter that supports your security policy.
• the special keyword, ‘default’.
You may write a specific ruleset for each connecting host, or a default ruleset will be used. The pppd parser searches for a ruleset that matches the IP address or hostname of the remote PPP/SLIP host, called the peer. This usually corresponds to the IP address placed on the right-hand side of the colon on the pppd command line.
Ruleset Design
Rulesets are designed on a per-connecting-host basis rather than a per-interface basis.
Filters
A ruleset is made up of one to four filters that regulate the response to a packet. The filter’s actions are defined by its initial keyword. Each type of filter may be used one time per connection. The following table explains the keywords, the types of packets affected by the filters, and the filter’s actions:
Keyword   Packet Type       Action
bringup   outgoing dialup   Defines packets that cause a connection to be established.
Filter Stanzas
Each filter is composed of a filter name followed by one or more stanzas (rules). Each packet passing through the interface is compared to the rules in the stanzas until a match is found, completing the filter operation; the first stanza that matches decides the packet’s fate. The ordering of the stanzas is therefore extremely important.
Packets Overview
Each stanza represents a template used to find matching packets. The features you can place in your stanzas correspond to the fields in network messages. This allows you to filter at the IP level or the TCP/UDP/ICMP level.
Internet Protocol (IP) Level
Figure 5-1 (*RFC-791 [IP])
The fields available at the IP level include the protocol (e.g., 1 [ICMP], 2 [IGMP], 6 [TCP], 8 [EGP], 17 [UDP], etc.), an address (i.e.
Internet Control Message Protocol (ICMP) Level
Figure 5-2 (*RFC-792 [ICMP])
ICMP messages may be filtered on the type and code fields. In general, it is not a good idea to block all inbound or outbound ICMP messages, because ICMP is an important way that status information is conveyed over an IP network. For instance, blocking ICMP Source Quench messages (Type 4), used to tell a packet source to slow down, can cause problems for other users and sites. (Source Quench has since been deprecated by RFC 6633 and current hosts ignore it, but the point stands: block ICMP selectively, by type and code, rather than wholesale.)
Transmission Control Protocol (TCP) Level
Figure 5-3 (*RFC-793 [TCP])
The TCP header fields available for matching include the source and destination port numbers, the presence of the SYN bit without ACK, and the ACK, FIN and RST bits. PPP does not provide a method for filtering on TCP options, the presence of URG/EOM bits in the TCP options, or other TCP header fields. Establishing a TCP connection requires synchronization.
Packets 2 and 3 are normally combined into a single "SYN ACK" packet. This is called a three-way handshake. The SYN bit is set, with no ACK bit set, to show a TCP connection request. By blocking packets with the SYN bit set in a single direction, you may permit TCP connections in a single direction only. Note that this blocks only connection establishment: packets carrying ACK still pass in both directions, so a peer can still probe for live hosts and open ports with ACK-only packets, and a filter that relies on ‘syn’ alone should be read with that limit in mind.
User Datagram Protocol (UDP) Level
Figure 5-4 (*RFC-768 [UDP])
The UDP header fields available are the source and destination port numbers.
Building a Stanza - General
Some general concepts to remember when writing a stanza are listed here:
• Each stanza includes one or more numbers, addresses, or keywords, separated by slashes (/).
• Each number, address, or keyword adds an additional qualifier to the stanza.
• Each qualifier or pattern must match for the rule to be applied to the packet.
• A stanza can be used to either permit or deny a matching packet.
Building a Stanza - Specifics
The section below explains how different features of a stanza should be written and the ways you include them in a stanza to affect the operations of the filter. The features are described in subsections which include a general explanation, an example, and a comment on the action caused by the example. The comments are shown on the same line as the example and begin with a ‘#’ character.
IP Addresses
An IP address may be represented in hexadecimal (for example, 0xc0000201) or dotted-quad (for example, 192.0.2.1) notation and may represent either a host address or a network address. Network addresses are simply used to represent contiguous ranges of hosts and therefore do not necessarily correspond to actual networks. A network address uses all zeros for the host portion of the address.
Example:
    !192.168.199.1 # block packets to/from host 192.
    25/tcp # permit SMTP mail
You may specify a range of ports using a hyphen-separated pair of numbers.
Example:
    !0-1023/udp # block privileged UDP ports
Port Numbers and Services
Many systems provide a list of well-known UDP and TCP port numbers in a services file, or they supply the contents of the file through a database service such as NIS or NetInfo. Filter stanzas may use the symbolic names for these port numbers. A symbolic name is only as trustworthy as the service that resolves it, however: a change to the services map (local or via NIS) silently changes what the stanza matches, whereas a numeric port does not.
Example:
    !3/0/icmp # block ICMP Unreachable "bad net" messages
Keywords with Origins and Destinations
Frequently, a host acts as a router between two end points, so packets may not originate or terminate at that host. Use the ‘src’ keyword to specify the point of origin or source and the ‘dst’ keyword to specify the endpoint or destination. The source or destination can be either an IP address or a service or port.
Keywords Based on TCP Packet Header Bits
Only one TCP field can be specified in a rule; specifying more in the same rule is a syntax error. Some qualifiers (keywords) may only be used in combination with other qualifiers. For example, ‘syn’, ‘fin’, ‘rst’, ‘ack’ and ‘estab’ are options or fields in TCP packet headers and may only be used when the qualifier ‘tcp’ is directly stated in the rule or implied by a TCP protocol service.
Keywords Based on IP Options
The ‘ip-opt=’ keyword can be used to select packets based on whether they bear various IP options, including those described in the table below:
OPTION     DESCRIPTION
rr         Record Route is used to trace the route an internet datagram takes.
ts         Time Stamp.
security   Security is used to carry Security, Compartmentation, User Group (TCC), and Handling Restriction Codes compatible with DOD requirements.
all Keyword
The special keyword ‘all’ matches any packet. It typically appears at the end of a filter to either permit or block all unspecified packets. The software implicitly adds ‘!all’ at the end of a stanza list if the last stanza is not negated, and ‘all’ at the end of a stanza list if the last stanza is negated. While not strictly necessary, it is a good idea to explicitly state your preference: in particular, a filter whose last explicit stanza is negated ends with an implicit ‘all’ and therefore permits every packet it did not name, which is the opposite of a closed policy.
The ‘unreach=’ keyword causes an ICMP Destination Unreachable message to be sent to the packet's source address, bearing the indicated code field. The ICMP code may be specified numerically or mnemonically. A list of the messages appears on the following page. See the footnotes below for information on related RFCs. Answering with an unreachable is friendlier to legitimate senders, but it also tells a prober exactly which packets you filter; a stanza without ‘unreach=’ drops the packet silently.
#    Name           Description
9    (see Note 2)   Communication with the destination network is administratively prohibited. This code was intended for use by end-to-end encryption devices used by U.S. military agencies. Routers should use the newly defined Code 13 (Communication Administratively Prohibited) if they administratively filter packets.
10   (see Note 2)   Communication with the destination host is administratively prohibited.
Example 2:
    tcp/syn/send/log # pass and log all outbound TCP connection requests
There are two ways to invoke the ‘log’ keyword. The log filter allows you to define, in one location, all the packets you wish to log. Or you can add the log keyword to the individual rules in the ‘pass’ filter, as shown in the above examples.
Writing a Stanza - A Complex UDP Example
The following section describes the writing of a rather complex packet filter involving the Domain Name System (DNS). It provides a good example of why you need to understand the applications in use when writing packet filters. It also shows the difficulty of writing static packet filters for UDP packets without permitting inbound network access in order to permit outbound service.
The packet exchange looks similar to those shown below, where the entries mean the following:
• ‘dns’ is the IP address of the domain name server
• ‘domain’ is UDP port 53
• ‘any’ is any IP address on the inside or outside network (as appropriate)
• arrows represent the direction of travel
    dns.domain -> any.domain
    dns.domain <- any.
a)  udp/srcaddr=192.168.199.11/srcport=domain/send/dstport=domain
    udp/dstaddr=192.168.199.11/dstport=domain/recv/srcport=domain
Alternatively, group (a) can be combined and simplified into a single rule similar to:
2)  udp/192.168.199.11/dstport=domain/srcport=domain
Both the outbound request and the inbound response match this template, and no packets to UDP ports other than domain (53) are permitted by the rule.
In this situation, if you combined the original rules as in example (2), it can be modified to permit the inbound request by removing the restriction on ‘srcport’. However, the revised rule (2) still blocks the outbound response, causing the query to fail. To permit the outbound packet, you must add another rule following rule (2). Call it rule (3).
(2) udp/192.168.199.11/dstport=domain
(3) udp/srcaddr=192.168.199.
domain port, does not have a source address of the domain name server. After making the change to accommodate the differences, by removing the restriction on direction (‘send’) and relaxing the restriction on address, you have replaced rule (3) with the edited rule resembling (4).
(2) udp/192.168.199.11/dstport=domain
(4) udp/192.168.199.
The condensed version of the rules also requires that rule (4) be modified to permit proper operation. The modification is required because the outbound packet has a destination port ‘domain’, but it is not to or from the IP address of the domain name server (192.168.199.11).
Writing a Stanza - TCP Examples
To open a TCP data stream, the initiator sends a packet to the intended recipient. The SYN bit (with no ACK bit) is set in the TCP header to show a TCP connection request. The special keyword ‘syn’ matches packets that have the SYN bit set, but no ACK bit set. This allows you to filter or log packets that start connections. The TCP protocol requires more than a single SYN packet for a TCP connection to work.
We recommend that you use an IP address, but if you use a hostname, it is important that the system can resolve the hostname locally. If the link must be up to resolve the name, the hostname matching fails and the interface is forced to use the default ruleset. This changes the meaning of your filter file and causes long delays because the connection times out while waiting for name resolution.
Working with Default Rulesets
The default ruleset is:
    default
        bringup all
        pass all
        keepup all
        log !all
This is probably an unacceptable default if you are trying to filter packets. Your default should be the same as your most restrictive ruleset because it keeps your site secure if connection-specific filtering fails due to a misconfigured IP address or hostname. The following sections deal with two approaches to writing default rulesets.
Block All Packets
If your security policy changes and you must block packets from a formerly acceptable site, you might change the default filter to the following:
    default
        bringup !all
        pass !all
        keepup !all
        log rejected !all
Block All Packets Except Electronic Mail
Most sites are willing to permit electronic mail through the workstation or system.
However, nothing is perfectly reliable. Being explicit can cause other problems if you change the address of the server. The reliability of using an IP address instead of a hostname, or vice versa, may only be decided on a site-by-site basis. Still, we strongly favor using IP addresses over using hostnames. One benefit is that specifying the explicit IP address prevents people from changing the meaning of your rulesets by DNS spoofing.
Closed Policy Filter Example
The following is an example static filter configuration, appropriate for a system using pppd to create a PPP/SLIP link between the system 192.168.199.1 and a peer, 10.0.0.1, that is acting as the gateway to the Internet. The complete filter, minus the comments, follows this section. The filter design reflects a fail-safe, or closed, policy.
Do not allow any incoming packets with the Source Route option set in the IP header. Respond with an ICMP Destination Unreachable message with the Source Route Failed code value.
    !192.168.199.0/recv/src/unreach=net # Block IP spoofing attacks
    !192.168.199.0/send/dst/unreach=net # Block IP spoofing attacks
Block any incoming packets that claim to be from your net, and block any outgoing packets that claim to be destined for your net.
Allow incoming electronic mail connection requests to reach your SMTP server, allow no other incoming SMTP connection requests, and allow yourself unlimited outbound SMTP access.
    www/syn/recv/192.168.199.13/dst
    !www/syn/recv/unreach=host
    www # (80/tcp)
Allow incoming World Wide Web connection requests to reach your WWW server. Allow no other incoming WWW connection requests. And allow yourself unlimited outbound WWW access.
The traceroute tool probes high-numbered UDP ports and is so useful that you should let it through.
    !5/icmp
    8/icmp/192.168.199.1
    8/icmp/192.168.199.10
    8/icmp/192.168.199.11
    8/icmp/192.168.199.12
    8/icmp/192.168.199.13
    8/icmp/192.168.199.
Complete Filter Example
    default
        pass !all # block all other packets
        log rejected # packets rejected by packet filter
    10.0.0.1
        bringup
            !3/icmp # ICMP unreachable messages
            !5/icmp # ICMP redirect messages
            !11/icmp # ICMP time exceeded messages
            !who # WHO service (513/udp)
            !route # routed/gated RIP service (520/udp)
            !ntp # Network Time service (123/udp)
            all # all other packets
        pass
            !recv/ip-opt=srcrt/unreach=srcfail # block SRCRT attacks
            !192.168.199.
            8/icmp/192.168.199.11
            8/icmp/192.168.199.12
            8/icmp/192.168.199.13
            8/icmp/192.168.199.
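The stanza semantics set out above (qualifiers joined by ‘/’, a leading ‘!’ to block, the first matching stanza decides, an implicit trailing ‘!all’ or ‘all’), the DNS example’s rule (2), and the anti-spoofing and WWW stanzas of this closed policy example can be exercised against constructed packets. What follows is an added example written for this page, not HP-UX pppd code: a small Python model of the filter syntax. It covers only the subset used in this chapter (addresses, ports and service names, src/dst, send/recv, srcaddr=/dstaddr=/srcport=/dstport=, syn, unreach=), does not model ICMP type/code, ‘ip-opt=’ or log output, and reads an address with trailing zero octets as a network, which is an assumption. The service table and every packet are constructed for the example, and the extra ‘send’ rule in the DNS part is my own, not the manual’s truncated rule (3).

```python
# Toy evaluator for the pppd filter-stanza syntax described in this chapter (added illustration,
# not HP-UX pppd's parser). ICMP type/code, ip-opt= and log output are not modeled.
from dataclasses import dataclass
import ipaddress

# Constructed service table: port and the protocol each name implies, for names this chapter uses.
SERVICES = {"smtp": (25, "tcp"), "www": (80, "tcp"), "domain": (53, "udp"),
            "who": (513, "udp"), "route": (520, "udp"), "ntp": (123, "udp")}
KEYED = {"tcp": "proto", "udp": "proto", "icmp": "proto", "send": "dir", "recv": "dir",
         "src": "side", "dst": "side"}

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str                  # "send" (outbound) or "recv" (inbound)
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"syn"} or {"syn", "ack"}

def _net(text):
    # 'a.b.c.d;N' is an explicit prefix; otherwise trailing zero octets are the host part (assumption).
    if ";" in text:
        return ipaddress.ip_network(text.replace(";", "/"), strict=False)
    octets, host = text.split("."), 0
    while host < 4 and octets[3 - host] == "0":
        host += 1
    return ipaddress.ip_network(f"{text}/{32 - 8 * host}", strict=False)

def _ports(spec, r):
    # '25', '0-1023' or a service name -> (lo, hi); a name also records the protocol it implies.
    if spec in SERVICES:
        r["implied"] = r.get("implied") or SERVICES[spec][1]
        return (SERVICES[spec][0],) * 2
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def _in(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def parse_stanza(text):
    r = {"text": text, "deny": text.startswith("!")}
    for q in text.lstrip("!").split("/"):
        if q in KEYED:
            r[KEYED[q]] = q
        elif q in ("all", "syn", "log"):
            r[q] = True
        elif "=" in q:                      # srcaddr=, dstaddr=, srcport=, dstport=, unreach=
            key, val = q.split("=", 1)
            r[key] = _net(val) if key.endswith("addr") else _ports(val, r) if key.endswith("port") else val
        elif "." in q:
            r["addr"] = _net(q)             # bare address: either end unless src/dst is named
        else:
            r["port"] = _ports(q, r)        # bare port or service: either end unless src/dst is named
    r["proto"] = r.get("proto") or r.get("implied")   # explicit tcp/udp beats what a name implies
    return r

def matches(r, p):
    if r.get("all"):
        return True
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    net, side = r.get("addr"), r.get("side")
    a = {"src": net is None or src in net, "dst": net is None or dst in net}
    pt = {"src": _in(r.get("port"), p.sport), "dst": _in(r.get("port"), p.dport)}
    return (r["proto"] in (None, p.proto) and r.get("dir") in (None, p.direction)
            and (not r.get("syn") or ("syn" in p.flags and "ack" not in p.flags))  # SYN without ACK
            and (not r.get("srcaddr") or src in r["srcaddr"])
            and (not r.get("dstaddr") or dst in r["dstaddr"])
            and _in(r.get("srcport"), p.sport) and _in(r.get("dstport"), p.dport)
            and (a[side] and pt[side] if side else (a["src"] or a["dst"]) and (pt["src"] or pt["dst"])))

def evaluate(stanzas, p):
    # First match decides; '!all' is implied after a non-negated last stanza, 'all' after a negated one.
    rules = [parse_stanza(s) for s in stanzas]
    rules.append(parse_stanza("all" if rules and rules[-1]["deny"] else "!all"))
    r = next(r for r in rules if matches(r, p))        # the implicit rule guarantees a match
    return ("block" if r["deny"] else "pass", r["text"], r.get("unreach"))

def demo():
    # (a) Rule (2) alone admits an outside query to the name server but blocks the server's reply;
    #     a 'send' rule for its own port-53 traffic (my construction, after the manual's rule 3) fixes that.
    dns = "192.168.199.11"
    query = Packet("udp", "10.0.0.5", dns, "recv", 3456, 53)
    reply = Packet("udp", dns, "10.0.0.5", "send", 53, 3456)
    only2 = ["udp/192.168.199.11/dstport=domain"]
    with3 = only2 + ["udp/srcaddr=192.168.199.11/srcport=domain/send"]
    out = {"query_only2": evaluate(only2, query)[0], "reply_only2": evaluate(only2, reply)[0],
           "reply_with3": evaluate(with3, reply)[0]}
    # (b) Closed-policy stanzas: anti-spoofing, inbound SYNs only to the web server, other inbound
    #     SYNs rejected with unreach=host, any other port-80 traffic (replies, outbound requests) passed.
    rules = ["!192.168.199.0/recv/src/unreach=net", "www/syn/recv/192.168.199.13/dst",
             "!www/syn/recv/unreach=host", "www"]
    syn, synack = frozenset({"syn"}), frozenset({"syn", "ack"})
    pk = {"to_server": Packet("tcp", "10.0.0.5", "192.168.199.13", "recv", 40000, 80, syn),
          "to_other": Packet("tcp", "10.0.0.5", "192.168.199.10", "recv", 40000, 80, syn),
          "reply_in": Packet("tcp", "10.0.0.5", "192.168.199.10", "recv", 80, 40001, synack),
          "spoof": Packet("tcp", "192.168.199.7", "192.168.199.13", "recv", 40000, 80, syn)}
    out.update({name: evaluate(rules, p) for name, p in pk.items()})
    return out
```

Calling demo() shows rule (2) alone passing the inbound query but blocking the reply (the implicit ‘!all’ catches it), and the closed-policy stanzas admitting a SYN to 192.168.199.13, rejecting one to 192.168.199.10 with unreach=host, passing the SYN ACK that answers an outbound connection, and blocking a packet that arrives from outside with an inside source address, with unreach=net. The same evaluate() also shows the trap noted under the ‘all’ keyword: a list whose last stanza is negated ends in an implicit ‘all’ and passes whatever it did not name.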
Open Policy Filter Example
This example of a filter is the product of an open policy. It was developed for the same system configuration as was used in the previous example demonstrating a filter developed for a closed policy. The system uses pppd to create a PPP/SLIP link between the system, 192.168.201.1, and a peer, 10.0.0.1, that is acting as the gateway to the Internet.
Block any incoming packets that claim to be from your net, and block any outgoing packets that claim to be destined for your net. Respond with an ICMP Destination Unreachable message that has the Bad Net code value.
    !127.0.0.0;8 # block IP spoofing attacks
Silently block all packets that claim to be either to or from the loopback network.
    all # permit all other packets
Permit all traffic except that which you have explicitly specified as blocked through the firewall.
queries, but TCP for zone transfers. If you try to block inbound requests for a zone transfer, you must remember to add the ‘tcp’ qualifier to the service name ‘domain’ to prevent a syntax error.
Attempting to Send Hostnames Requiring Resolution over Down Network Links
You can easily (but mistakenly) use a hostname that needs to be resolved, because it is not defined locally or because it requires DNS, over a network link that is down. This causes failures and/or delays.
    !127.0.0.
Time-To-Call Restrictions
The second field on each line in the Systems file specifies the times pppd is allowed to attempt to establish connections. Two benefits of time restrictions are:
• Assurance that there will be personnel on each end of the link to monitor connection attempts.
• Assurance that connections take place when the most favorable telephone calling rates apply.
See ppp.Systems(4) for details. The when field is very flexible.
Dial-Back
PPP supports the ability to maintain a connection when calling a modem that has a dial-back security feature. The Systems file chat script option \M allows this by disabling delivery of SIGHUP to pppd. This signal usually results from loss of Carrier Detect and tells pppd to abruptly disconnect from the active session. While \M is in effect a genuine loss of carrier also goes unnoticed, so keep that window as short as the dial-back requires and restore normal handling with \m as soon as the callback has connected.
Dial-Back Process
Typically, an answering modem with dial-back capability responds to a call by taking the following steps:
1.
Reversing Instructions with \m Option
After the disconnection period, through the ‘send’ phase option \m, pppd tells the system’s serial drivers to reverse the first instruction and respect the modem’s full variety of control. For example, to dial into a system protected by a dial-back modem, the Systems chat script might be written like this:
    #
    # This connects to a system protected by a Telebit T3000 callback
    # modem with S46=2.
Link Peer Authentication
PPP implements both the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). If pppd is invoked with any of the authentication options, it demands that the peer (either calling or called) authenticate itself. The ppp.Auth(4) file contains pairs of either names and secrets for CHAP negotiation, or usernames and passwords for PAP negotiation. PAP sends the password over the link in the clear, so anyone who can tap the line can capture and replay it; CHAP never transmits the secret and uses a fresh challenge each time, so prefer it wherever the peer supports it. Because ppp.Auth holds these secrets in plain text, it should be readable by root only.
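The CHAP side of this can be made concrete. The following is an added example, not HP-UX pppd code: the MD5 CHAP exchange as RFC 1994 defines it, with a constructed name/secret table standing in for what ppp.Auth holds on the authenticator side, and a check that a captured Response is useless against the next Challenge. The constant-time comparison and the one-use bookkeeping of outstanding challenges are my own choices, not something the manual specifies.

```python
# CHAP (RFC 1994, MD5) between the authenticating pppd and its peer. Added example, not HP-UX
# pppd code; AUTH_TABLE is a constructed stand-in for the name/secret pairs kept in ppp.Auth.
import hashlib
import hmac
import os

AUTH_TABLE = {"nomad": b"s3cr3t-for-nomad", "alpha": b"another-secret"}   # constructed

def chap_response(identifier, secret, challenge):
    """Response Value = MD5(Identifier || secret || Challenge Value), as RFC 1994 specifies."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """The side that demands authentication (pppd started with an authentication option)."""
    def __init__(self, table):
        self.table, self.outstanding, self.next_id = table, {}, 0

    def challenge(self):
        """Challenge packet: a one-octet Identifier and a fresh, unpredictable Value."""
        ident, self.next_id = self.next_id, (self.next_id + 1) & 0xFF
        self.outstanding[ident] = os.urandom(16)
        return ident, self.outstanding[ident]

    def verify(self, ident, name, response):
        """Success only if the Response answers a still-outstanding challenge for a known name."""
        challenge, secret = self.outstanding.pop(ident, None), self.table.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(ident, secret, challenge))

class Peer:
    """The side being authenticated; the secret itself never goes onto the link."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, ident, challenge):
        return ident, self.name, chap_response(ident, self.secret, challenge)

def run_exchange(auth, peer):
    ident, value = auth.challenge()                   # Challenge  ->
    return auth.verify(*peer.respond(ident, value))   # <- Response, then Success or Failure

def replay_fails(auth, peer):
    """A captured Response is useless later: the next Challenge carries a different Value and
    Identifier, and the challenge it answered has already been consumed."""
    ident, value = auth.challenge()
    captured = peer.respond(ident, value)             # what a line tap would see
    first_ok = auth.verify(*captured)
    ident2, _ = auth.challenge()
    return (first_ok and not auth.verify(ident2, captured[1], captured[2])
            and not auth.verify(*captured))
```

With PAP the equivalent exchange would carry the password itself, so the same tap would yield a credential that works indefinitely; with CHAP the tap yields one MD5 digest that is only ever valid for the challenge that produced it.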
Replacing getty with pppd
Incoming calls most often invoke the getty program because it enables login on a serial port. However, in some cases, pppd can be invoked in place of getty. Invoking pppd offers additional security because people find the beginning of LCP option negotiations much more difficult to circumvent than a simple ‘login:’ prompt. This is obscurity rather than authentication, however: a pppd started in place of getty should still be given an authentication option so that the caller must pass PAP or CHAP before the link carries traffic.
6 Troubleshooting pppd This troubleshooting chapter describes solutions to common problems.
Scenario: pppd dials, the modems connect, the modem data lights flash briefly, and then the log file shows ’Hangup’ or ’SIGHUP.’
Solution: Increase pppd’s debug level to 2 (chat script processing) to see if any error messages are printed by the peer at startup. ’Login incorrect’ indicates that the login and/or password in the calling machine’s Systems file don’t match those in the answering machine’s passwd file.
Restart pppd with the novjcomp option. If this fixes the problem, then the peer may be using a buggy IPCP option negotiation algorithm. Try running pppd with the rfc1172-vj or the rfc1172-typo-vj option. If these options do not work, go back to novjcomp and complain to the vendor of the peer’s implementation of PPP.
Scenario: PPP connects and everything works, but it is slow and erratic.
Solution: Check if your Telebit modem is using the PEP protocol.
Solution: Some routers implement a security feature that causes them to not believe the second IP address that is claimed to be associated with a particular Ethernet address. If your remote workstation can exchange packets with all the hosts on your LAN but not with any that are reachable only through a particular router, then that router is probably skeptical of your ARP entry. This router security feature is usually configurable.
An LQM failure one minute after connection startup, particularly during successful user data transfers, indicates that the peer neither properly Configure-Rejected LQM during LCP negotiation nor properly Protocol-Rejected HP-UX PPP’s first LQR.
Scenario: When the modem abruptly gets hung up, pppd does not notice.
Solution: Make sure that the modem drops the Carrier Detect (CD), also called Data Carrier Detect (DCD), signal when the carrier is lost. On a Telebit T1600, set ’&C1.
Scenario: When you telnet to test whether the answering PPP account is set up correctly, you are greeted with what looks like line noise. This is the PPP Link Control Protocol Configure-Request packet, but it takes a long time for pppd to give up and go away.
Solution: The easy way to instruct the answering pppd to exit and close the connection is to type the four-character sequence of a tilde (~) followed by three control-Cs.
Scenario: With the debugging verbosity level set to 2 or more, messages appear in the log file like ‘Bad FCS received,’ ‘Bad protocol (even), flushing frame,’ ‘Short frame received (3 bytes),’ ‘Frame too long, flushing frame,’ ‘Missed ALLSTATIONS, flushing frame,’ or ‘Missed UI, flushing frame.’
Solution: Some of the incoming messages are getting damaged in transit.
Run a local name server that is either Start of Authority (SOA) or an authoritative secondary Name Server (NS) for your name space (forward mapping) and your address space (reverse mapping). An authoritative secondary NS is one that is listed in the SOA’s Resource Record (RR) for that domain.
Scenario: Using PPP on a system or network where Frame (a WYSIWYG document production system) is installed, pppd dials the modem hourly even though no users are actively using it. The pppd.
A Modem Connections This appendix includes some basic information about types of transmissions, proper cabling between serial ports, and modem configuration.
Modem Connections HP-UX system and modem documentation. The system and modem manuals should take precedence if you have any questions about configuration and equipment.
RS-232 Interface
The types of signals carried by the RS-232 interface are listed below:
Signal               Description
Signal Ground (SG)   Common electrical ground path for all interface circuits.
Transmit Data (TD)   Command codes or data sent from DTE to DCE; not sent unless RTS, CTS, DSR and DTR are on.
Receive Data (RD)    DCE responses to DTE commands, or data received from a remote DCE.
The RS-232 standard utilizes nine pins for signaling, although many serial interfaces provide 25. The other 16 pins can be used for testing or secondary signaling. Smaller 9-pin connectors support the standard signals and save space.
Pin   Signal                      Direction
1     Carrier Detect (CD)         from DCE
2     Receive Data (RD)           from DCE
3     Transmit Data (TD)          from DTE
4     Data Terminal Ready (DTR)   from DTE
5     Signal Ground               both
6     Data Set Ready (DSR)        from DCE
7     Request To Send (RTS)       from DTE
8     Clear To Send (CTS)         from DCE
9     Ring Indicator (RI)         from DCE
DB-9 to DB-25 Conversion
This wiring diagram shows the standard conversion from DB-9 to DB-25:
Pin (signal)          DB-9 Pin   DB-25 Pin
Carrier Detect (CD)
HP Modem Cables
Most HP systems do not use straight-through modem cables to connect the modem to the system. Make sure you are using the correct cable for your system.
HP Modem Cable (Series 700)
The HP 9000/700 series workstation provides a DB-9 port for connection to asynchronous serial devices. Hewlett-Packard recommends that you use cable part number 24542M to connect a 9000/700 system to a DB-25 asynchronous modem.
CPU signal   CPU pin   Direction    Modem pin   Modem signal
Gnd          1         both         1           Gnd
TD           2         from Modem   3           RD
RD           3         from DTE     2           TD
RTS          4         from Modem   8           DCD
DSR          6         from DTE     20          DTR
GND          7         both         7           GND
DCD          8         from DTE     4           RTS
             9         from Modem   22          RI
DTR          20        from Modem   6           DSR
RI           22        from Modem   5           CTS
Null-Modem Cables
You can directly connect the serial ports of two systems with a null-modem cable. Null-modem cables connect pins of one machine to their symmetric counterparts on another machine.
DB-25 to DB-25 Null-Modem Connections
DTE Signal                                   DTE Pin   DCE Pin   DCE Signal
Protective Ground                            1         1         Protective Ground
Ground                                       7         7         Ground
Transmit Data (TD)                           2         3         Receive Data (RD)
Receive Data (RD)                            3         2         Transmit Data (TD)
Data Set Ready (DSR) & Carrier Detect (CD)   6+8       20        Data Terminal Ready (DTR)
Data Terminal Ready (DTR)                    20        6+8       Data Set Ready (DSR) & Carrier Detect (CD)
Request To Send (RTS)                        4         5         Clear To Send (CTS)
Clear To Send (CTS)                          5         4         Req
Dial Up Modems
PPP works well with any number of brand-name, non-proprietary, dial-up modems. Modems for dial-up protocols like PPP should conform to non-proprietary standards because the local user will probably have little knowledge of the equipment at the remote end of the connection. A non-proprietary modem's ability to match carrier speed will make a usable connection with whatever type of modem is operating at the other end of a connection.
data transmitted, and MNP 7 offers 3:1 compression. CCITT-sanctioned V.42bis can compress data 4 to 1 under the best conditions. If your modem offers a choice between an MNP protocol and V.42bis, choose the latter. In addition to having a better compression algorithm, it works better with precompressed data streams. Run the serial port at its maximum speed (usually 38400 bps) to gain the most benefit from in-modem data compression.
damaged. The protocol used determines whether just the corrupted data, or all data sent since the error was discovered, is transmitted again. MNP 4 and later protocols can also respond to poor transmission quality by causing the data to be shipped in smaller packets, increasing the number of checks and decreasing the amount of data corrupted by line bursts.
Flow Control
Flow control provides the modem with a buffer for storing received data from the system.
If you configure for software flow control, make sure both ends of the PPP connection have the 0x000A0000 bits turned on in their asynchronous control character map (asyncmap); these are the bits for XON (0x11) and XOFF (0x13), and a set bit makes PPP escape that character so it cannot be mistaken for a flow-control command in transit. This is the default for PPP. A computer and modem using software flow control can talk to a computer and modem using hardware flow control, but both ends must have the asyncmap set to accommodate software flow control.
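The asyncmap just described, and the ‘Bad FCS received’ messages in the troubleshooting chapter, both come from the asynchronous HDLC-like framing of RFC 1662. The following is an added example, not HP-UX pppd code, that implements that framing in Python: the ACCM bit for each control character (so 0x000A0000 is exactly XON and XOFF), the 0x7d octet stuffing a sender applies to the flag, the escape octet and the ACCM-selected characters, and the FCS-16 check that fails when a frame is damaged in transit. The payload bytes are constructed for the example.

```python
# Asynchronous PPP framing per RFC 1662: the ACCM (asyncmap) bit for each control character,
# 0x7d octet stuffing, and the FCS-16 whose failure pppd logs as 'Bad FCS received'.
# Added example, not HP-UX pppd code.

FLAG, ESC, XON, XOFF = 0x7E, 0x7D, 0x11, 0x13

def asyncmap_for(chars):
    """ACCM: bit n set means control character n (0x00..0x1f) must be escaped on the link."""
    accm = 0
    for c in chars:
        if not 0 <= c < 32:
            raise ValueError("the asyncmap covers only 0x00-0x1f")
        accm |= 1 << c
    return accm

def chars_in_asyncmap(accm):
    return [c for c in range(32) if accm >> c & 1]

def stuff(payload, accm):
    """Escape the flag and escape octets and every ACCM-selected control character
    as 0x7d followed by the octet XOR 0x20."""
    out = bytearray()
    for b in payload:
        if b in (FLAG, ESC) or (b < 32 and accm >> b & 1):
            out += bytes((ESC, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)

def unstuff(data):
    out, pending = bytearray(), False
    for b in data:
        if pending:
            out.append(b ^ 0x20)
            pending = False
        elif b == ESC:
            pending = True
        else:
            out.append(b)
    return bytes(out)

def fcs16(data, fcs=0xFFFF):
    """HDLC/PPP FCS-16: bit-reflected CRC-16-CCITT, polynomial 0x8408, initial value 0xffff."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def frame(payload, accm):
    """Append the ones-complemented FCS (low octet first), stuff, and delimit with flag octets."""
    crc = fcs16(payload) ^ 0xFFFF
    return bytes([FLAG]) + stuff(payload + bytes((crc & 0xFF, crc >> 8)), accm) + bytes([FLAG])

def unframe(wire):
    """Strip flags and stuffing; return the payload, or None when the FCS does not check out
    (the frame pppd would report as 'Bad FCS received'). A good frame always checks to 0xf0b8."""
    body = unstuff(wire.strip(bytes([FLAG])))
    return body[:-2] if len(body) >= 2 and fcs16(body) == 0xF0B8 else None

def demo():
    """Frame a constructed LCP-like payload with the manual's default asyncmap, then show that
    a single flipped bit on the wire is caught by the FCS."""
    accm = asyncmap_for([XON, XOFF])                        # the manual's 0x000A0000
    payload = bytes([0xFF, 0x03, 0xC0, 0x21, XON, FLAG, 0x41])  # constructed: XON and a flag inside
    wire = frame(payload, accm)
    damaged = wire[:3] + bytes([wire[3] ^ 0x01]) + wire[4:]
    return accm, wire, unframe(wire), unframe(damaged)
```

The XON inside the payload leaves the link as 7d 31 and the flag as 7d 5e, which is why both ends must agree on the asyncmap: a receiver that does not know XON was escaped will hand the upper layers 0x31 rather than 0x11, and a modem doing software flow control that sees a raw 0x13 will stop sending. The damaged frame is rejected rather than delivered, which is the behaviour behind the ‘Bad FCS received’ log line.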
Modem Connections Dial Up Modems Common Commands Description &Wn Save current modem settings as n. \Nn Select error control mode. \Qn Select serial port flow control. S Registers S registers are settings stored in the modem's memory. The S register format is Sr=n where r is the register's number and n is the register's value. For example, S0=1 indicates the modem should answer an incoming call after the first ring.
Modem Connections Dial Up Modems Common Modem Configurations In the next section you will find some suggestions for Telebit modem settings which have worked well during testing. The examples here show the complete register settings for a Telebit T1600 and a description of the settings. Following this information are some command strings that will provide the proper register settings for Telebit's T1600, Qblazer and T3000 modems. Most modems should provide equivalent settings.
Modem Connections Dial Up Modems Command or setting Result &f Load factory default settings. s0=1 Answer after one ring. s7=120 Wait 120 seconds for a valid carrier tone to be sent from the remote modem. s48=1 Compare all eight bits when checking for control characters. s51=6 Latch the DTE interface at 38400 bps. s58=2 Use full-duplex RTS/CTS flow control so the modem sends data to the DTE when RTS is on and will not send data to the DTE when RTS is off.
Modem Connections Dial Up Modems Command or setting Result &c1 Turn ON the DCD signal when a remote modem carrier is detected and turn DCD OFF when the carrier is dropped. &d3 Recall the current user configuration parameters from nonvolatile memory and enter command mode when the DTR signal is switched from ON to OFF. &s1 Turn DSR ON after the answer tone is detected and leave it ON throughout the connection. &w Save the current configuration settings to nonvolatile RAM.
Modem Connections Dial Up Modems &E6 means Xon/Xoff not passed through &E8 means Enq/Ack pacing off &E10 means Normal Mode flow control off &E13 means Pacing on &E15 means data compression enabled $MB9600 selects 9600 bps on-line $SB9600 selects 9600 bps at serial port $BA0 means Baud Adjust is off, speed conversion is on &W1 causes modem to store its current parameters into non-volatile RAM, and modem will load these for future sessions instead of reading factory ROM and DIP switch defaults Enabling Hardw
Modem Connections Dial Up Modems Outbound devices begin with the string "cu" and inbound devices begin with the string "tty." 3. Type the following, substituting device names you wrote down in step 2 for the italicized device names in this example: ls -l /dev/cul0p1 /dev/ttyd0p1 Output similar to the following appears. crw-rw-rwcrw-rw-rw- 1 bin 1 bin bin bin 1 0x000001 Jul 8 13:51 cul0p1 1 0x000002 Jul 8 13:51 ttyd0p1 The output contains important device configuration information.
Modem Connections Dial Up Modems Setting Hardware Flow Control The output in step 3 of “Adding the Devices” shows that neither device has hardware flow control set. This is indicated by the zero (0) in the next to last place of the minor device number in each line. This example shows how to turn on hardware flow control by creating new devices with the proper minor mode bits set to one (1). 1.
done with the modem command AT&R1. Unfortunately, hardware flow control will no longer work reliably on this port. If you encounter problems, you should consider using software flow control instead.
Glossary

Active-Open: an event internal to the PPP configuration finite state machine that causes PPP to start sending Configure-Request messages to the peer.
bps: bits per second.
Challenge Handshake Authentication Protocol (CHAP): a challenge-response LCP authentication protocol resistant to playback attacks. CHAP runs after LCP negotiation is complete but before any NCPs are started.
CHAP: see Challenge Handshake Authentication Protocol.
DNS: see Domain Name System.
International Standards Organization (ISO): organization that publishes a broad range of international standards for industry, including a large number that are identical or nearly identical to CCITT standards.
Internet Protocol (IP): the layer of the Internet family of protocols that is responsible for packet routing and datagram fragmentation and reassembly.
Internet Protocol Control Protocol (IPCP): the Network Control Protocol for the Internet Protocol.
IP: see Internet Protocol.
Maximum Receive Unit (MRU): the size of the data field in the largest PPP message a PPP implementation can receive.
Maximum Transmission Unit (MTU): the size of the largest IP datagram an IP interface can send.
MRU: see Maximum Receive Unit.
MTU: see Maximum Transmission Unit.
NCP: see Network Control Protocol.
Network Control Protocol (NCP): any of a group of protocols that run after LCP has successfully connected and whose purpose is to establish and configure a network-layer protocol.
SCSI: see Small Computer System Interface.
Serial Line Internet Protocol (SLIP): a simple protocol for carrying IP datagrams over serial links. No error detection or configuration negotiation is included.
modems that carries asynchronous data using the LAPM protocol over a synchronous connection.
V.42bis: a data compression method used by many V.32 and V.32bis modems. V.42bis can only be used over V.42.
SLIP: see Serial Line Internet Protocol.
Index

Symbols
/etc/passwd, 24, 37
/etc/ppl/ppl.remotes, 61
/etc/ppp/Autostart, 24, 33, 35
/etc/ppp/Devices, 24, 33, 41
/etc/ppp/Dialers, 24, 33
/etc/ppp/Login, 24
/etc/ppp/ppl.
L
LAN connections via PPP, 81
LAN/9000, 16
Link management, 65
Link peer authentication, 133
Link Quality Monitoring. See LQM.
origin and destination keywords, 101
port numbers, 99
port numbers and services, 100
syntax, 107
TCP examples, 114
TCP packet header keywords, 102
time-based keywords, 104
trace keyword, 106
UDP example, 108
unreach keyword, 104
writing, 97, 98
Steps in configuring connections, 26
System Administration Manager. See SAM.