Re: [lwip-users] PPP MPPE "Optional" Support
From: Sylvain Rochet
Subject: Re: [lwip-users] PPP MPPE "Optional" Support
Date: Fri, 12 Aug 2016 00:33:44 +0200
User-agent: Mutt/1.5.23 (2014-03-12)

Hi Patrick,

On Wed, Aug 10, 2016 at 07:49:03PM -0400, Patrick Klos wrote:
>
> It's been a long time since I was a PPP expert,

Well, from here you know more than me about PPP even if I've been
maintaining the lwIP PPP stack for over 4 years now. So don't worry :p

By the way, thank you very much for your ability, better than mine, to
find out what is wrong only from PPP packet traces :-)

> but if I remember correctly, the sequence of PPP negotiations is LCP
> (which negotiates if/which authentication protocol will be used),
> followed by authentication (if any), followed by other negotiations
> (IPCP, CCP, etc). If that's correct, then you won't have to enable
> CCP (and/or MPPE) until after your LCP state machine reaches the
> Opened state, so you'd know by then if MSCHAPv2 was negotiated or not?
>
> I can't say what the implications would be with the LwIP PPP as I
> haven't used it.

The problem here is that MSCHAPv2 has to prepare keys for MPPE since
MPPE keys are derived from MSCHAPv2 challenge hashes, therefore MPPE
must currently be enabled before MSCHAPv2 authentication starts.

We could argue whether we should always prepare keys even if MPPE is not
enabled, which would add useless CPU cycles for users who built MPPE
support but are actually not using it, but anyway, the user is not
supposed to change PPP options once the session is started :-)

> > Or is even that poor practice to change LCP options in the middle of the
> > negotiation?
>
> CCP (where MPPE would be negotiated) is completely independent of LCP.
> None of your LCP options would have to change once you've gotten to
> the LCP Opened state. Once LCP finishes, you'll know if you've
> negotiated MSCHAPv2 and if you even need to enable CCP (and MPPE)
> negotiations.

I can confirm that; LCP options are probably not going to change once
authentication is started. I'm quite sure the protocol does not disallow
renegotiating some options later, but obviously no one does that, and I
can't see any use case for wanting to do that either.

Anyway, I think Greg is just thinking that MPPE is an LCP option, while
obviously it is not, that's all :)

Sylvain
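
The dependency discussed in this message (MPPE keys come from MS-CHAPv2 authentication material), as an added example that is not part of the original message and is not lwIP's code. It follows the 128-bit derivation in RFC 3079 section 3.4; the PasswordHashHash and NT-Response inputs are constructed sample bytes, and the function names are chosen for this example.

```python
import hashlib

# Constants from RFC 3079, section 3.4 (MPPE keys derived from MS-CHAPv2).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """First 16 bytes of SHA1(PasswordHashHash | NT-Response | Magic1)."""
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("need 16-byte PasswordHashHash, 24-byte NT-Response")
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def get_start_key(master_key: bytes, is_send: bool, is_server: bool) -> bytes:
    """128-bit asymmetric start key for one direction of the link."""
    # One peer's send key is the other peer's receive key, so the magic
    # string depends on the direction as seen from the client.
    magic = MAGIC3 if is_send == is_server else MAGIC2
    return hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()[:16]


def derive_mppe_keys(password_hash_hash, nt_response, is_server):
    """Return (send_key, recv_key) for one peer.

    Both inputs exist only while MS-CHAPv2 authentication is running,
    which is why the keys have to be prepared during that phase and
    cannot be produced later when CCP negotiates MPPE.
    """
    mk = get_master_key(password_hash_hash, nt_response)
    return (get_start_key(mk, True, is_server),
            get_start_key(mk, False, is_server))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real session.
    pwd_hash_hash = bytes(range(16))      # MD4(MD4(unicode password))
    nt_resp = bytes(range(100, 124))      # 24-byte NT-Response from the peer
    for role, is_srv in (("client", False), ("server", True)):
        send, recv = derive_mppe_keys(pwd_hash_hash, nt_resp, is_srv)
        print(role, "send", send.hex(), "recv", recv.hex())
```
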