PPP server

Overview

The Point-to-Point Protocol (PPP) is a data link protocol commonly used to establish a direct connection between two networking nodes. It provides a standard method for transporting multi-protocol datagrams over point-to-point links. Virtual Service Router supports the PPPoE protocol.

Multiple PPP server instances can be hosted in Virtual Service Router. Using different VRs allows complete separation of those instances.

Supported services & features

  • Multi-VRF support

  • RADIUS support

  • User authentication

  • Multi-session support

  • IPv6 Autoconfiguration

  • IPv6 Prefix Delegation

  • IPv4 and IPv6 routing context

  • Hierarchical QoS

RADIUS support

Virtual Service Router supports interacting with a RADIUS server in order to assure authentication, authorization and accounting (AAA) functions. It also supports dynamic-request change of authorization (CoA) as well as disconnect operations.

Authentication and Authorization:

Besides local authentication, Virtual Service Router offers remote authentication, where user information, including username, password and other attributes, is configured on a remote RADIUS server. Virtual Service Router sends an Access-Request carrying NAS-Identifier, NAS-IP-Address and the user information to the RADIUS server. If the RADIUS server is unable to perform the requested authentication and does not return a response within the configured time, the request is re-sent, up to the configured number of retries. If this server still does not respond, Virtual Service Router sends the Access-Request to the backup RADIUS servers, if any are configured. If no response is received from any server, the session fails.

If the RADIUS server successfully authenticates the user, it will reply with an Access-Accept. The authorization is defined by the set of attributes contained in this reply which determines the actual capabilities and restrictions applied to that subscriber.
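The exchange described above, as an added worked example in Python (not code from Virtual Service Router or 6WIND): the PPP server builds an Access-Request with the attributes this page lists for a CHAP user, the RADIUS server recomputes the CHAP hash from the stored password, and the PPP server accepts the Access-Accept only after validating its Response Authenticator with the shared secret. The username and password, NAS address and identifier, and Framed-IP-Address are taken from the configuration examples later on this page; the shared secret, challenge and Request Authenticator are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # RADIUS codes (RFC 2865)
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 3, 4, 6        # attribute numbers
FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, NAS_IDENTIFIER, CHAP_CHALLENGE = 7, 8, 32, 60
SERVICE_FRAMED_USER, FRAMED_PROTOCOL_PPP = 2, 1   # values for "Framed-User" and "PPP"

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value   # Type, Length, Value

def parse_attrs(data: bytes) -> dict:
    """Decode TLV attributes into {type: value}; bad lengths are rejected, not skipped."""
    attrs, pos = {}, 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response as the PPP client computes it: MD5(id || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def build_access_request(pkt_id, req_auth, username, chap_id, response, challenge,
                         nas_ip, nas_identifier):
    """Access-Request the PPP server (NAS) sends for a CHAP-authenticated user."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(CHAP_PASSWORD, bytes([chap_id]) + response)
             + attr(CHAP_CHALLENGE, challenge)
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_IDENTIFIER, nas_identifier.encode())
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED_USER))
             + attr(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)))
    return struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + req_auth + attrs

def server_verify_chap(packet: bytes, user_db: dict) -> bool:
    """RADIUS-server side: recompute the CHAP hash from the user's stored password."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username = attrs[USER_NAME].decode()
    chap_id, response = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
    # RFC 2865 5.40: if CHAP-Challenge is absent, the Request Authenticator is the challenge
    challenge = attrs.get(CHAP_CHALLENGE, req_auth)
    if username not in user_db:
        return False
    expected = chap_response(chap_id, user_db[username].encode(), challenge)
    return hmac.compare_digest(expected, response)

def build_reply(code: int, pkt_id: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Reply whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, pkt_id, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def nas_verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: trust an Access-Accept only if its Response Authenticator checks out."""
    _, _, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def run_exchange(tamper: bool = False) -> tuple:
    """Full round trip on constructed data; returns (chap_ok, reply_ok, framed_ip)."""
    secret = b"constructed-shared-secret"                    # constructed, not from the page
    user_db = {"john.doe": "test123*"}                        # user from Example 1 on this page
    req_auth, challenge, chap_id = bytes(range(16)), b"\xaa" * 16, 7   # fixed for the demo
    response = chap_response(chap_id, b"test123*", challenge)           # sent by the PPP client
    req = build_access_request(1, req_auth, "john.doe", chap_id, response, challenge,
                               "10.100.0.2", "vsr")
    chap_ok = server_verify_chap(req, user_db)
    accept_attrs = attr(FRAMED_IP_ADDRESS, bytes([10, 4, 128, 1]))
    reply = build_reply(ACCESS_ACCEPT, 1, req_auth, accept_attrs, secret)
    if tamper:  # reply altered in transit, or forged by someone without the secret
        reply = reply[:20] + attr(FRAMED_IP_ADDRESS, bytes([10, 4, 128, 2]))
    reply_ok = nas_verify_reply(reply, req_auth, secret)
    framed_ip = ".".join(str(b) for b in parse_attrs(reply[20:])[FRAMED_IP_ADDRESS])
    return chap_ok, reply_ok, framed_ip
```

The tampered run shows why the shared secret matters: a reply with the right packet identifier but a modified Framed-IP-Address fails the authenticator check and must not be applied to the session.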

Accounting:

Virtual Service Router supports sending user accounting information showing how much time, packets, bytes, and other resources were consumed during the session to a RADIUS accounting server.

Change of Authorization

Virtual Service Router supports the change of authorization for online users through CoA packets. This means that Virtual Service Router can dynamically update user authorization information for specific RADIUS attributes. The supported attributes can be found in the section 6WIND vendor-specific RADIUS attributes.

The following tables list the supported RADIUS attributes. A more detailed explanation for each attribute can be found in the sections below.

RADIUS standard-attributes support:

  Number  Attribute name         AAA packet presence
  1       User-Name              Access-Request, Access-Accept
  2       User-Password          Access-Request
  3       CHAP-Password          Access-Request
  4       NAS-IP-Address         Access-Request
  6       Service-Type           Access-Request, Access-Accept
  7       Framed-Protocol        Access-Request, Access-Accept
  8       Framed-IP-Address      Access-Accept
  22      Framed-Route           Access-Accept
  27      Session-Timeout        Access-Accept
  28      Idle-Timeout           Access-Accept
  30      Called-Station-Id      Access-Request
  31      Calling-Station-Id     Access-Request
  32      NAS-Identifier         Access-Request
  44      Acct-Session-Id        Access-Request, Accounting-Request
  61      NAS-Port-Type          Access-Request
  60      CHAP-Challenge         Access-Request
  85      Acct-Interim-Interval  Access-Accept
  87      NAS-Port-Id            Access-Request, Accounting-Request
  96      Framed-Interface-Id    Access-Accept
  97      Framed-IPv6-Prefix     Access-Accept
  99      Framed-IPv6-Route      Access-Accept

6WIND vendor-specific RADIUS attributes:

  Number  Attribute name           AAA packet presence
  7       6WIND-limit              Access-Accept, COA
  23      6WIND-iface-rpf          Access-Accept, COA
  24      6WIND-qos-template-name  Access-Accept, COA

Microsoft vendor-specific RADIUS attributes:

  Number  Attribute name         AAA packet presence
  28      MS-Primary-DNS-Server  Access-Accept
  1       MS-CHAP-Response       Access-Request
  11      MS-CHAP-Challenge      Access-Request
  25      MS-CHAP2-Response      Access-Request
  26      MS-CHAP2-Success       Access-Accept

RADIUS standard-attributes support

User-Name

The user to be authenticated in the Access-Request. It may be sent in an Access-Accept packet, in which case Virtual Service Router will use this User-Name in all Accounting-Request packets for this session.

RFC 2865#section-5.1

User-Password

This attribute is sent in Access-Request packets when the peer authentication mode is PAP and the PPP client is configured accordingly.

RFC 2865#section-5.2

CHAP-Password

This attribute is sent in Access-Request packets when Challenge-Handshake Authentication Protocol (CHAP) is enabled as the peer authentication mode and the PPP client is configured accordingly.

RFC 2865#section-5.3

CHAP-Challenge

This attribute contains the CHAP Challenge sent by Virtual Service Router to a PPP Challenge-Handshake Authentication Protocol (CHAP) user. It is sent in the Access-Request packets.

RFC 2865#section-5.40

NAS-IP-Address

This attribute indicates the identifying IP Address of Virtual Service Router. It is sent in Access-Request and Accounting-Request packets.

RFC 2865#section-5.4

Service-Type

The type of service the PPPoE user has requested, or the type of service to be provided for the PPPoE user. Included as “Service-Type = Framed-User” in the Access-Request as a hint to the RADIUS server that this user is looking for PPP.

RFC 2865#section-5.6

Framed-Protocol

This attribute indicates the framing to be used for framed access. Virtual Service Router includes it as “Framed-Protocol = PPP” in the Access-Request as a hint to the RADIUS server that this user is looking for PPP.

RFC 2865#section-5.7

Framed-IP-Address

An IPv4 address provided by the RADIUS server to assign to the user’s PPP interface.

RFC 2865#section-5.8

Framed-Route

A static IPv4 route provided by the RADIUS server to install in the Virtual Service Router routing table for the PPP user.

RFC 2865#section-5.22

Session-Timeout

This attribute sets the maximum number of seconds of service to be provided to the PPP user before the Virtual Service Router terminates the session.

RFC 2865#section-5.27

Idle-Timeout

This attribute defines the maximum number of consecutive seconds a user can remain connected without activity before the Virtual Service Router terminates the session.

RFC 2865#section-5.28

Called-Station-Id

This attribute is included in the Access-Request and is set to the MAC address of the PPP server interface that received the PPP client’s access request.

RFC 2865#section-5.30

Calling-Station-Id

This attribute is included in the Access-Request and is set to the MAC address of the PPP client.

RFC 2865#section-5.31

NAS-Identifier

This attribute contains a configured string identifying the Virtual Service Router. It is sent in Access-Request and Accounting-Request packets.

RFC 2865#section-5.32

Acct-Session-Id

This attribute is a unique Accounting ID. It is included by the Virtual Service Router in the Access-Request and in all the accounting packets.

RFC 2866#section-5.5

NAS-Port-Type

This attribute indicates the type of the physical port of the NAS which is authenticating the user. It is only used in Access-Request packets.

RFC 2865#section-5.41

NAS-Port-Id

This attribute contains a text string that identifies the port of the NAS authenticating the user. It is included in Access-Request and Accounting-Request packets. In Accounting-Request packets the attribute appears twice: the second instance contains the name of the NAS PPP interface.

RFC 2869#section-5.17

Acct-Interim-Interval

This attribute indicates the number of seconds between interim accounting updates for the session.

RFC 2869#section-5.16

Framed-Interface-Id

An IPv6 interface identifier to be configured on the user’s PPP interface.

RFC 3162#section-3.2

Framed-IPv6-Prefix

An IPv6 prefix to be configured for the user. The prefix should have a 64 bit mask. For example 2001:db8:0:100::/64.

RFC 3162#section-2.3

Framed-IPv6-Route

IPv6 routing information provided by RADIUS to be configured for the user in the Virtual Service Router routing table. It is described as follows: “PREFIX/MASK USER-IPv6-ADDRESS METRICS”.

For example: 2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1.

  • PREFIX/MASK is the destination prefix optionally followed by a mask.

  • USER-IPv6-ADDRESS is the gateway address. This parameter can be omitted. For instance, the following format is also accepted: 2000:0:0:106::/64 :: 1.

RFC 3162#section-2.5

Delegated-IPv6-Prefix-Pool

The IPv6 prefix delegation pool name to use for the user.

RFC 6911#section-2.4

Delegated-IPv6-Prefix

The IPv6 prefix to give to the user through DHCPv6 IPv6 prefix delegation. For example 2001:db8:0:100::/64.

RFC 4818

6WIND vendor-specific RADIUS attributes

The following section defines the 6WIND proprietary RADIUS attributes. A RADIUS attribute dictionary is provided with Virtual Service Router; it includes the attribute number, attribute name and attribute type as well as the 6WIND vendor ID, so it can be loaded into RADIUS servers.

6WIND-limit

Type: string

Description: This is the Traffic Limiting IPv4 attribute. The PPP server supports a basic rate-limiting QoS policy: if the rate-limit parameters are exceeded, the traffic is dropped. The attribute is a string with the following format: “type=cir cbs eir ebs unit”.

  • type: can take either “in” for ingress or “out” for egress.

  • cir: Committed Information Rate.

  • cbs: Committed Burst Size.

  • eir: Excess Information Rate.

  • ebs: Excess Burst Size.

  • unit: in pps or bps. The unit could also be set in kilo (kbps/kpps), in mega (mpps/mbps) or in giga (gpps/gbps).

This attribute may be present in Access-Accept or CoA packets.
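As an added example (not part of the Virtual Service Router code or documentation), the following Python parses and validates the two string-valued attributes this page defines, 6WIND-limit above and Framed-IPv6-Route earlier, so that a malformed value received from RADIUS is rejected before it reaches the data path. The field layout and the k/m/g unit prefixes come from the page; treating a gateway of "::" as "no gateway" follows the accepted form shown under Framed-IPv6-Route, and rejecting a prefix with host bits set is this example's choice.

```python
import ipaddress
import re

_LIMIT_RE = re.compile(r"(in|out)=(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")
_UNIT_RE = re.compile(r"([kmg]?)(pps|bps)")   # pps/bps with optional kilo/mega/giga prefix
_SCALE = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}

def parse_6wind_limit(value: str) -> dict:
    """Parse "type=cir cbs eir ebs unit" into absolute values (e.g. "10 Kpps" -> 10000 pps)."""
    m = _LIMIT_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"6WIND-limit: expected 'in|out=cir cbs eir ebs unit', got {value!r}")
    direction, cir, cbs, eir, ebs, unit = m.groups()
    u = _UNIT_RE.fullmatch(unit.lower())   # the FreeRADIUS example writes "Kpps": case-insensitive
    if not u:
        raise ValueError(f"6WIND-limit: unknown unit {unit!r}")
    scale = _SCALE[u.group(1)]
    return {"type": direction, "unit": u.group(2),
            "cir": int(cir) * scale, "cbs": int(cbs) * scale,
            "eir": int(eir) * scale, "ebs": int(ebs) * scale}

def parse_framed_ipv6_route(value: str) -> dict:
    """Parse "PREFIX/MASK USER-IPv6-ADDRESS METRICS".

    A missing mask means a host route (/128); a gateway of "::" means "no gateway".
    Prefixes with host bits set are rejected rather than silently truncated.
    """
    parts = value.split()
    if len(parts) != 3:
        raise ValueError(f"Framed-IPv6-Route: expected 3 fields, got {value!r}")
    prefix = ipaddress.IPv6Network(parts[0], strict=True)
    gateway = ipaddress.IPv6Address(parts[1])
    if not parts[2].isdigit():
        raise ValueError(f"Framed-IPv6-Route: bad metric {parts[2]!r}")
    return {"prefix": prefix,
            "gateway": None if gateway == ipaddress.IPv6Address("::") else gateway,
            "metric": int(parts[2])}

def is_valid(parser, value: str) -> bool:
    """True if the parser accepts the value; a pre-check before applying an attribute."""
    try:
        parser(value)
    except ValueError:
        return False
    return True
```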

6WIND-iface-rpf

Type: integer

Description: This is the Reverse Path Filtering attribute. The value “0” disables Reverse Path Filtering. This attribute may be present in Access-Accept or CoA packets.

6WIND-qos-template-name

Type: string

Description: This attribute contains the name of a hierarchical QoS template to be applied to the user. The template has to be configured on the Virtual Service Router, otherwise the default template is applied. This attribute may be present in Access-Accept packets.

Microsoft vendor-specific RADIUS attributes

The following Microsoft vendor-specific attributes are supported by the Virtual Service Router.

MS-Primary-DNS-Server

Used to supply the IPv4 address of a DNS server to the PPP client. It may be included in the Access-Accept packet.

RFC 2548#section-2.7.6

MS-CHAP-Response

This attribute contains the response value provided by a PPP user when Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) is configured for the PPP peer authentication mode. It is only used in Access-Request packet.

RFC 2548#section-2.1.3

MS-CHAP-Challenge

This attribute contains the challenge sent by Virtual Service Router when Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) is configured as the PPP peer authentication mode. It is included in the Access-Request packet.

RFC 2548#section-2.1.2

MS-CHAP2-Response

This attribute contains the response value provided by an MS-CHAP-V2 peer in response to the challenge. It is used when MS-CHAP-V2 is enabled for PPP peer authentication mode. It is only used in Access-Request packets.

RFC 2548#section-2.3.2

MS-CHAP2-Success

This attribute is used when MS-CHAP-V2 is configured for PPP peer authentication mode. The string contained in this attribute is included in the Success Message sent from Virtual Service Router to the PPP client. It is only used in Access-Accept packets.

RFC 2548#section-2.3.3

A FreeRADIUS configuration example

Here is a configuration file example for FreeRADIUS.

client_1 Cleartext-Password := "test123"
        Acct-Interim-Interval = 15,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.4.128.1,
        Framed-Route = 15.200.0.0/24,
        Session-Timeout = 1200,
        6WIND-limit += "in=10 10 10 10 Kpps",
        6WIND-limit += "out=5 5 5 5 Kpps"

Note

It’s necessary to include the 6WIND vendor-specific dictionary in the FreeRADIUS dictionary list for this example to work.

Here is the client state on the Virtual Service Router:

dut-vm> show state vrf main ppp-server instance ppp-server-1 session-state
session-state ppp0
    username client_1
    peer-ip 10.4.128.1
    local-ip 192.168.0.1
    type pppoe
    state active
    uptime 00:02:10
    rx-bytes 272
    tx-bytes 1238

IPv6 Autoconfiguration Support

Currently the PPP server supports IPv6 stateless autoconfiguration. Stateless means that no database is used to keep track of which addresses have been assigned and which are still available. The PPP server sends a router advertisement message (as described in RFC 4861) with an IPv6 prefix and a non-zero router lifetime to the user, so that it can create a global unicast IPv6 address through stateless autoconfiguration. DNS information such as RDNS and the DNS search list can also be included in the message.

Note

An IPv6 prefix configured locally in the PPPoE configuration section of a PPP server has a higher priority over an IPv6 prefix specified by the attribute Framed-IPv6-Prefix of a RADIUS Access-Accept message.

IPv6 Prefix Delegation Support

The PPP server supports IPv6 prefix delegation. When a PPP session is established, the PPP server listens for DHCPv6 packets in order to send the IPv6 prefix to use on the LAN side.

Configuration examples

By default, the PPP server is disabled. Through the CLI you can enable a PPP server over an Ethernet connection.

First, configure the Ethernet interface:

dut-vm running config# vrf main interface
dut-vm running interface# physical eth1
dut-vm running physical eth1#! port pci-b0s5
dut-vm running physical eth1# enabled true
dut-vm running physical eth1# commit
Configuration committed.

Then, enable a PPP server over an Ethernet connection using the interface eth1:

dut-vm running config# vrf main ppp-server instance ppp-server-1
dut-vm running instance ppp-server-1# pppoe interface eth1
dut-vm running interface eth1# commit
Configuration committed.

Example 1: Without a RADIUS server

Here are some feature configuration examples that do not use RADIUS.

Choosing an authentication method & adding a user’s authentication information:

dut-vm running instance ppp-server-1#  auth peer-auth-mode chap
dut-vm running instance ppp-server-1#  auth peer-secrets secrets john.doe password test123*

Enabling IPCP and configuring peer IPv4 address pools:

dut-vm running instance ppp-server-1# ppp ipcp allow
dut-vm running instance ppp-server-1# ip-pool default-local-ip 192.164.0.2
dut-vm running instance ppp-server-1#! ip-pool pool pool1 peer-pool 192.164.0.2/32
dut-vm running instance ppp-server-1# pppoe ip-pool pool1

Enabling IP6CP and IPv6 autoconfiguration:

dut-vm running instance ppp-server-1# ppp ipv6cp allow
dut-vm running instance ppp-server-1# ipv6-neighbor-discovery enabled true
dut-vm running instance ppp-server-1# ipv6-pool pool pool2 prefix 2001:db8:22:33::/48 prefix-len 64
dut-vm running instance ppp-server-1# pppoe ipv6-pool pool2

Adding DNS information:

dut-vm running instance ppp-server-1# dns server 8.8.8.8
dut-vm running instance ppp-server-1# dns server 2001:4860:4860::8888
dut-vm running instance ppp-server-1# dns dns-search-list google.com dns-search-list 6wind.com

Example 2: With a RADIUS server

Here is another configuration example where a RADIUS server will be used for authentication, accounting and change of authorization.

First, configure the interface to use for RADIUS communication:

dut-vm running config# vrf main
dut-vm running vrf main# interface
dut-vm running interface# physical ntfp2
dut-vm running physical ntfp2#! port pci-b0s4
dut-vm running physical ntfp2# enabled true
dut-vm running physical ntfp2# ipv4
dut-vm running ipv4# address 10.100.0.2/24

Then, add RADIUS information:

dut-vm running config# vrf main ppp-server instance ppp-server-1
dut-vm running instance ppp-server-1# auth radius enabled true
dut-vm running instance ppp-server-1#! auth radius nas ip-address 10.100.0.2 identifier vsr
dut-vm running instance ppp-server-1#! auth radius server address 10.100.0.1 auth-port 1812 acct-port 1813 secret 'test#%&123*123*'
dut-vm running instance ppp-server-1# auth radius backup-server address 10.100.1.1 auth-port 1814 acct-port 1815 secret 'test#456*123*'
dut-vm running instance ppp-server-1# auth radius default-local-ip 19.168.100.1
dut-vm running instance ppp-server-1# auth radius change-of-authorization-server secret testing123
dut-vm running instance ppp-server-1# auth radius accounting session-id-in-authentication true interim-interval 5

Quality of Service Support

Virtual Service Router provides support for multi-level hierarchical quality of service for PPPoE sessions. This feature allows latency and throughput optimization and ensures that each subscriber gets the appropriate network resources. This is achieved through classifying, policing and scheduling the traffic.

The QoS is configured in the CLI, triggered by RADIUS and dynamically applied by the PPP server for each subscriber session.

The deployment of QoS involves two main components, an HTB-based scheduler and a PPP server QoS template:

  • The HTB scheduler:

    All subscriber queues will be organized in a tree structure scheduler that determines how available bandwidth is distributed among them.

    The user should first create the root queue as well as the default queue of this HTB scheduler in the global QoS context and associate it with the PPP server interface, as described in the chapter scheduling.

    The user can also add inner static queues to suit the desired bandwidth redistribution and the different subscriber plans. This part of the scheduler is static and is called the base-scheduler; it is referenced by the scheduler-interface configuration node.

    When a PPPoE session is established, all its queues will be appended dynamically as child queues to the base-scheduler according to PPP server QoS template.

  • PPP server QoS template:

    The PPP server QoS template is a profile that provides queue models for BNG subscribers. A queue model allows the user to configure minimum guaranteed bandwidth, maximum authorized bandwidth, priority, traffic mark and other related QoS parameters.

    Once the subscriber authenticates to the network and its session is established, QoS queues will be dynamically created according to the queue models configured in its template. The template name must be received in the RADIUS Access-Accept packet via the 6WIND attribute 6WIND-qos-template-name. Please refer to 6WIND attributes section for more details.

Traffic classification:

Each queue can be associated with a different form of traffic like video, data, VOIP and so on. This traffic classification into the queues is achieved through the mark of the queue template. When a packet mark matches a queue mark, the packet is classified into the matching queue.

Restrictions:

  • Users can configure up to 255 queue marks.

  • Only egress is supported.

  • The sum of the CIR bandwidth of all existing dynamic queues must not exceed the CIR bandwidth of the parent queue.

  • Unlike the queue configuration in the global QoS context, it’s not possible to add a policer for a queue in the PPP server QoS template.

  • Static inner queues can’t be assigned QoS classes.

  • To reach good performance, the NIC must support RSS on PPPoE protocol.

Let’s consider the following example, where the service provider offers two subscriber plans, premium and non-premium. Each plan provides its users with a specific guaranteed bandwidth for VoIP and data traffic.

[Figure bng_qos.svg: QoS hierarchy for the premium and non-premium subscriber plans]

Step 1: Configure the fast path limits

Set the maximum number of QoS policies to the number of subscribers, and the maximum number of QoS classes to the number of subscribers times the maximum number of QoS queues per subscriber.

For instance, with 10K subscribers and 3 queues per subscriber, use the following fast path limits:

vsr running config# / system fast-path limits
vsr running limits# qos-max-classes 31500
vsr running limits# qos-max-policies 10500

Step 2: Configure the static base-scheduler

vsr running config# / qos
vsr running qos# scheduler scheduler-1
vsr running scheduler scheduler-1#! htb
vsr running htb# queue 1
vsr running queue 1#! bandwidth 40G
vsr running queue 1# ceiling 40G
vsr running queue 1# ceiling-priority 1
vsr running queue 1# child-queue 2
vsr running queue 1#! child-queue 3
vsr running queue 1#! child-queue 4
vsr running queue 1#! ..
vsr running htb#! queue 2
vsr running queue 2#! description "This is the static parent queue for premium subscribers queues"
vsr running queue 2#! bandwidth 30G
vsr running queue 2#! ceiling 40G
vsr running queue 2#! ceiling-priority 1
vsr running queue 2#! ..
vsr running htb#! queue 3
vsr running queue 3#! description "This is the static parent queue for non-premium subscribers queues"
vsr running queue 3#! bandwidth 10G
vsr running queue 3#! ceiling 40G
vsr running queue 3#! ceiling-priority 2
vsr running queue 3#! ..
vsr running htb#! queue 4
vsr running queue 4#! description "This is the default queue"
vsr running queue 4#! bandwidth 10K
vsr running queue 4# ceiling 40G
vsr running queue 4# ceiling-priority 9
vsr running queue 4# ..
vsr running htb# default-queue 4

Step 3: Add the base-scheduler to the PPP server interface

vsr running config# vrf main interface physical eth1 qos egress scheduler scheduler-1

Step 4: Configure the templates

The base-scheduler is referenced by the interface on which it is set as an egress scheduler, as done in previous step. Here, it is eth1. The static-parent node references queue indexes in this base-scheduler.

vsr running config# / vrf main ppp-server instance ppp-server-1 qos
vsr running qos# template premium-subscribers scheduler-interface eth1
vsr running qos#! template premium-subscribers queue prem static-parent 2
vsr running qos#! template premium-subscribers queue prem bandwidth 7M
vsr running qos# template premium-subscribers queue prem ceiling 2G
vsr running qos# template premium-subscribers queue prem-voip dynamic-parent prem
vsr running qos#! template premium-subscribers queue prem-voip bandwidth 5M
vsr running qos# template premium-subscribers queue prem-voip ceiling 2G
vsr running qos# template premium-subscribers queue prem-voip mark 0x1
vsr running qos# template premium-subscribers queue prem-data dynamic-parent prem
vsr running qos#! template premium-subscribers queue prem-data bandwidth 2M
vsr running qos# template premium-subscribers queue prem-data ceiling 2G
vsr running qos# template premium-subscribers queue prem-data mark 0x0

vsr running qos# template non-premium-subscribers scheduler-interface eth1
vsr running qos#! template non-premium-subscribers queue non-prem static-parent 3
vsr running qos#! template non-premium-subscribers queue non-prem bandwidth 4M
vsr running qos# template non-premium-subscribers queue non-prem ceiling 1G
vsr running qos# template non-premium-subscribers queue non-prem-voip dynamic-parent non-prem
vsr running qos#! template non-premium-subscribers queue non-prem-voip bandwidth 3M
vsr running qos# template non-premium-subscribers queue non-prem-voip ceiling 1G
vsr running qos# template non-premium-subscribers queue non-prem-voip mark 0x1
vsr running qos# template non-premium-subscribers queue non-prem-data dynamic-parent non-prem
vsr running qos#! template non-premium-subscribers queue non-prem-data bandwidth 1M
vsr running qos# template non-premium-subscribers queue non-prem-data ceiling 1G
vsr running qos# template non-premium-subscribers queue non-prem-data mark 0x0

vsr running qos# default-template non-premium-subscribers

Once the configuration is in place, the RADIUS setup of a user should include its QoS template name; for instance, for a premium user the attribute is 6WIND-qos-template-name = premium-subscribers.

If no such attribute can be retrieved from the RADIUS server, the default template is used (non-premium-subscribers).

Step 5: Configure the flow marking

In this example, the VOIP traffic has to be marked with 0x1. The other traffic has the mark 0x0 (equivalent to no mark).

The marking can be done using the IP packet filtering context.
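As an added example (not 6WIND code), the following Python models the base-scheduler of Step 2 and the two templates of Step 4 and checks them against the restrictions listed above and the fast path limits of Step 1: the sum-of-CIR rule, ceiling not below CIR, one static-parent queue per template, and how many sessions of each template the static parent's CIR can admit. The K/M/G rate suffixes are assumed to be decimal bit/s and the 0..255 mark range is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

_SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}   # CLI suffixes, assumed decimal bit/s

def parse_rate(text: str) -> int:
    """'40G' -> 40_000_000_000, '7M' -> 7_000_000, '10K' -> 10_000."""
    text = text.strip().upper()
    suffix = text[-1] if text and text[-1] in _SCALE else ""
    digits = text[:-1] if suffix else text
    if not digits.isdigit():
        raise ValueError(f"bad rate {text!r}")
    return int(digits) * _SCALE[suffix]

@dataclass
class Queue:
    bandwidth: int                 # CIR (guaranteed rate)
    ceiling: int                   # maximum rate
    parent: Optional[str] = None   # base-scheduler queue index, or template queue name
    mark: Optional[int] = None     # traffic mark used for classification

# Static base-scheduler from Step 2: queue 1 is the root, queue 4 the default queue.
BASE_SCHEDULER = {
    "1": Queue(parse_rate("40G"), parse_rate("40G")),
    "2": Queue(parse_rate("30G"), parse_rate("40G"), "1"),
    "3": Queue(parse_rate("10G"), parse_rate("40G"), "1"),
    "4": Queue(parse_rate("10K"), parse_rate("40G"), "1"),
}

# QoS templates from Step 4; the static-parent queue of each one points into BASE_SCHEDULER.
TEMPLATES = {
    "premium-subscribers": {
        "prem": Queue(parse_rate("7M"), parse_rate("2G"), "2"),
        "prem-voip": Queue(parse_rate("5M"), parse_rate("2G"), "prem", 0x1),
        "prem-data": Queue(parse_rate("2M"), parse_rate("2G"), "prem", 0x0),
    },
    "non-premium-subscribers": {
        "non-prem": Queue(parse_rate("4M"), parse_rate("1G"), "3"),
        "non-prem-voip": Queue(parse_rate("3M"), parse_rate("1G"), "non-prem", 0x1),
        "non-prem-data": Queue(parse_rate("1M"), parse_rate("1G"), "non-prem", 0x0),
    },
}

def check_template(name: str, template: dict) -> list:
    """Return the restrictions this template violates (an empty list means it is consistent)."""
    errors = []
    roots = [q for q in template.values() if q.parent in BASE_SCHEDULER]
    if len(roots) != 1:
        errors.append(f"{name}: expected one static-parent queue, found {len(roots)}")
    for qname, q in template.items():
        if q.parent not in BASE_SCHEDULER and q.parent not in template:
            errors.append(f"{name}/{qname}: unknown parent {q.parent!r}")
        if q.ceiling < q.bandwidth:
            errors.append(f"{name}/{qname}: ceiling below CIR")
        if q.mark is not None and not 0 <= q.mark <= 255:   # assumed: marks are 8-bit values
            errors.append(f"{name}/{qname}: mark {q.mark} out of range")
        child_cir = sum(c.bandwidth for c in template.values() if c.parent == qname)
        if child_cir > q.bandwidth:   # the sum-of-CIR restriction listed above
            errors.append(f"{name}/{qname}: children CIR {child_cir} exceeds parent CIR {q.bandwidth}")
    return errors

def max_sessions(template: dict) -> int:
    """Sessions of this template whose root CIRs fit in the static parent's CIR."""
    root = next(q for q in template.values() if q.parent in BASE_SCHEDULER)
    return BASE_SCHEDULER[root.parent].bandwidth // root.bandwidth

def fast_path_limits_ok(subscribers: int, qos_max_classes: int, qos_max_policies: int) -> bool:
    """Step 1 rule: one policy per subscriber, one class per subscriber queue."""
    queues_per_sub = max(len(t) for t in TEMPLATES.values())
    return subscribers <= qos_max_policies and subscribers * queues_per_sub <= qos_max_classes
```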

PPP server state and KPIs

In order to display a PPP server state use the following command:

dut-vm running vrf main# show state vrf main ppp-server instance ppp-server-1
    instance ppp-server-1
        enabled true
        single-session disable
        max-sessions 0
        max-starting 0
        log-level debug
        ppp
            verbose false
            min-mtu 100
            ipcp allow
            ipv6cp deny
            lcp
                echo-interval 0
                echo-failure 0
                ..
            ..
        pppoe
            enabled true
            verbose true
            padi-limit 0
            interface ntfp2
                padi-limit 5
                ..
            ip-pool pool1
            ip-pool pool2

The CLI also provides KPIs support via the command show ppp-server statistics:

dut-vm> show ppp-server statistics vrf main instance ppp-server-1
    Sessions counters
    active    : 2
    starting  : 0
    finishing : 0

    PPPoE counters
    active        : 2
    starting      : 0
    PADI received : 2
    PADI dropped  : 0
    PADO sent     : 2
    PADR received : 2
    PADS sent     : 2

    Radius counters
    Radius server 1
    IP address               : 10.100.0.1
    state                    : active
    auth sent                : 88
    acct-start-stop sent     : 2
    acct-interim-update sent : 344

See also

Please refer to PPP server command reference for the complete list of supported options.