Everything You Need to Know About Point-to-Point Protocol Over Ethernet (PPPOE): Workings, Data Packet Format, and Stages

1. Introduction to the Point-to-Point Protocol over Ethernet (PPPoE)

PPPOE, short for Point-to-Point Protocol Over Ethernet, operates on the data link layer of the OSI model. The PPPOE protocol provides a standard for multiple hosts on a broadcast network (like Ethernet) to connect to a remote access concentrator (nowadays notably a broadband access server).

1. Working Principle of PPPOE

The PPPOE protocol encompasses two stages: the PPPOE Discovery Stage and the PPPOE Session Stage. The key difference between the two lies in the encapsulation of the PPPOE header in front of the PPP data packet.

When a host desires to initiate a PPPOE session, it first searches for an access concentrator on the broadcast network. If multiple access concentrators (AC) are present, the host will select one based on the services they offer or pre-configured user preferences. Once the host selects an access concentrator, a PPPOE session process is initiated. During this process, the access concentrator assigns a unique session ID for each PPPOE session. Once the session is established, entering the PPPOE Session Stage, both parties (in a logical point-to-point relationship distinct from PPP) use the PPP protocol to exchange data packets, thereby completing a series of PPP processes and ultimately transmitting network layer data packets over this logical point-to-point channel.

2. PPPOE Data Packet Format

Let's briefly introduce the PPPOE data packet format. A PPPOE data packet is encapsulated within the data field of an Ethernet frame. In simple terms, a PPPOE packet can be divided into two major parts: the PPPOE header and the PPPOE payload (data field), which changes with the session process. Figure 1 below illustrates the format of a PPPOE packet:

The PPPOE data packet begins with 4 bits for the version field, with the protocol explicitly specifying that this field should contain 0x1.

  • Following the version field is a 4-bit type field, which also must contain 0x1 as per the protocol.
  • The code field occupies 1 byte, and its content differs across various stages of PPPOE.
  • The session ID field uses 2 bytes. If the access concentrator hasn't assigned a unique session ID to the user host, the field must be set to 0x0000. Once the host acquires a session ID, all subsequent packets must fill this field with that unique session ID.
  • The length field uses 2 bytes to indicate the length of the payload in the PPPOE data packet.
  • The data field, sometimes referred to as the payload field, varies significantly in content across different PPPOE stages. During the PPPOE Discovery Stage, this field contains tags; during the Session Stage, it carries PPP packets.

Here we mainly introduce the PPPOE Discovery Stage packet format and its data packets:

1) Tag Format in the PPPOE Data Packet

During the Discovery Stage, the payload of a PPPOE data packet may contain zero or more tags, akin to PPP's configuration options, subject to negotiation. Unlike PPP, which defines many specific parameters, PPPOE does not, leaving implementation to vary across different vendors' equipment. First, see the tag encapsulation format in the data field of a PPPOE packet, shown in Figure 2:

(Figure 2 Tag Encapsulation Format)

From Figure 2, the tag encapsulation format uses the well-known TLV structure, i.e., (Type+Length+Value). The type field of the tag is 2 bytes, as shown in the table below, outlining the meaning of various tag types:

  • The length field of the tag is 2 bytes, indicating the length of the tag data field.
  • The data field of the tag contains pertinent data corresponding to different tag types.

2) PPPOE Discovery Stage Data Packets

The PPPOE Discovery Stage is divided into four steps, essentially the exchange of four types of data packets. Upon completing these steps, the user host and access concentrator learn each other's MAC address and unique session ID, proceeding to the next stage (PPPOE Session Stage). Once both parties learn the other's MAC address, a one-to-one correspondence is established on the broadcast network. The session ID field is added to ensure the connection's validity and flexibility in the PPPOE protocol; together, these two conditions (peer MAC address and session ID) confirm a point-to-point relationship between the parties.

Initially, since the access user does not know the MAC address of the access concentrator, a mechanism similar to ARP resolution is used to acquire the access concentrator's MAC address. The user first sends a broadcast packet from their side. If the access concentrator is configured with PPPOE services, it monitors packets on the network, and upon detecting PPPOE packets carried in Ethernet frames (identified by the protocol field), it hands them to the appropriate module for processing. Upon receiving the initial packet, the access concentrator responds to the user with a packet. If many such access concentrators exist on the network and receive the user's initial packet, they will all respond with a confirmation packet. When the user receives these packets, they choose a single access concentrator based on the packet contents or local configurations to proceed with the session. This completes the first two steps, and the remaining two steps involve negotiating the service options provided and acquiring the necessary session ID value for the PPPOE session.

Note: Throughout this stage, all data packets are carried within the Ethernet data field, with the Ethernet frame's protocol field consistently set to 0x8863.

During the four steps of the PPPOE Discovery Stage, four packet types appear: PADI, PADO, PADR, and PADS. The PADT packet in PPPOE is used to terminate a session.

  • PADI (PPPoE Active Discovery Initiation) Packet

The first step of the PPPOE Discovery Stage, initiated by the user side, involves sending this packet. The user host broadcasts this packet, so the destination address field of the corresponding Ethernet frame should be filled with all 1s, and the source address should contain the user host's MAC address. The broadcast packet can be received by multiple access concentrators.

  • PADO (PPPoE Active Discovery Offer) Packet

The second step of the PPPOE Discovery Stage is when the access concentrator responds to the user host's PADI packet. The source address field of the corresponding Ethernet frame is filled with the access concentrator's MAC address, while the destination address is derived from the user host's MAC address obtained from the PADI.

  • PADR (PPPoE Active Discovery Request) Packet

The third step of the PPPOE Discovery Stage occurs when the user host sends a unicast request packet to the access server. Upon receiving the PADO packet, the user host selects an access concentrator from these packets for subsequent sessions. Since the user host learns the access concentrator's MAC address from the PADO packets, the Ethernet source address of the PADR packet is filled with the user host's MAC address, and the destination address is filled with the access concentrator's MAC address.

  • PADS (PPPoE Active Discovery Session-confirmation) Packet

The fourth and final step of the PPPOE Discovery Stage is when the access concentrator is ready to initiate a PPP session upon receiving the PADR packet. At this point, the access concentrator allocates a unique session ID for the session and includes it in the PADS packet sent to the host. If the access concentrator cannot meet the services requested by the user, it sends a PADS packet containing a tag indicating a service name error, with the session ID filled as 0x0000.

  • PADT (PPPoE Active Discovery Terminate) Packet

The PADT packet can be sent at any time after the session has begun, primarily to terminate the PPPOE session. It can be sent by either the host or the access concentrator, with the destination address filled with the peer's Ethernet MAC address.

2. Detailed Decoding of PPPOE Discovery

We use the Colasoft Network Analysis System to capture PPPOE packets, as shown in Figure 3.

(Figure 3 Detailed Decoding of PPPOE Discovery)

Upon examining the detailed decoding in the Colasoft Network Analysis System, we recognize it as the first step of the PPPOE Discovery Stage, the PADI packet. Here's a detailed explanation:

  • Version: 1, with an explicit protocol stipulation to fill this field with 0x1.
  • Type: 1, also prescribed by the protocol to be filled with 0x1.
  • Code: 0x09, indicating this packet is a PADI packet from the Discovery Stage.
  • Session ID: 0, indicating no session ID is yet assigned.
  • Length: 16, specifying the length of the payload in the PPPOE data packet.
  • PPP Discovery Tag: Refer to the tag types table we listed earlier.
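The header fields and TLV tags decoded above can also be parsed and validated by hand. The following is an added example, not code from the original article or from Colasoft: a bounds-checked decoder that also enforces the Discovery Stage rules stated earlier (EtherType 0x8863, version and type 0x1, session ID 0x0000 before PADS, broadcast destination for PADI). The tag type numbers and the code values other than PADI's 0x09 are taken from RFC 2516, since the page's tag table is not reproduced; the sample frame and its MAC address are constructed.

```python
import struct

ETH_P_PPPOE_DISC = 0x8863   # Discovery Stage EtherType (from the page)
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
# Tag type numbers per RFC 2516 (assumption: the page's own table is not available).
TAGS = {0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
        0x0103: "Host-Uniq", 0x0104: "AC-Cookie", 0x0201: "Service-Name-Error"}
BROADCAST = b"\xff" * 6

def parse_discovery(frame: bytes) -> dict:
    """Decode one Ethernet frame carrying a PPPoE Discovery packet, or raise ValueError."""
    if len(frame) < 20:                       # 14-byte Ethernet + 6-byte PPPoE header
        raise ValueError("frame too short")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE Discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:                      # version nibble 0x1, type nibble 0x1
        raise ValueError("version and type must both be 0x1")
    if code not in CODES:
        raise ValueError(f"unknown code 0x{code:02x}")
    payload = frame[20:20 + length]           # ignores Ethernet padding after the payload
    if len(payload) != length:                # length field claims more than is present
        raise ValueError("length field exceeds frame")
    name = CODES[code]
    if name in ("PADI", "PADO", "PADR") and session_id != 0:
        raise ValueError(f"{name} must carry session ID 0x0000")
    if name == "PADI" and dst != BROADCAST:
        raise ValueError("PADI must be sent to the broadcast address")
    tags, off = [], 0
    while off < length:                       # walk the TLV list with bounds checks
        if length - off < 4:
            raise ValueError("truncated tag header")
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if off + 4 + tlen > length:
            raise ValueError("tag value overruns payload")
        tags.append((TAGS.get(ttype, f"0x{ttype:04x}"), payload[off + 4:off + 4 + tlen]))
        off += 4 + tlen
    return {"code": name, "session_id": session_id, "length": length,
            "src": src.hex(":"), "dst": dst.hex(":"), "tags": tags}

# Constructed sample: a PADI with a 16-byte payload, matching the Length value decoded above.
SAMPLE_PADI = (BROADCAST + bytes.fromhex("020000000001") + b"\x88\x63"
               + bytes.fromhex("110900000010")                       # ver/type, code, SID, length
               + bytes.fromhex("01010000")                           # Service-Name, empty
               + bytes.fromhex("01030008") + b"\x00" * 7 + b"\x01")  # Host-Uniq, 8 bytes

if __name__ == "__main__":
    print(parse_discovery(SAMPLE_PADI))
```

A tag whose length field points past the PPPoE payload is rejected rather than read, which is the check a hand-written TLV decoder most often lacks.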

The above is an introduction to the PPPOE Discovery protocol and its detailed decoding.