1. Introduction to the Point-to-Point Protocol over Ethernet (PPPoE)
PPPOE, short for Point-to-Point Protocol Over Ethernet, operates at the data link layer of the OSI model. The PPPOE protocol provides a standard for multiple hosts on a broadcast network (such as Ethernet) to connect to a remote access concentrator (today typically a broadband access server).
1. Working Principle of PPPOE
The PPPOE protocol encompasses two stages: the PPPOE Discovery Stage and the PPPOE Session Stage. The key difference between the two lies in the encapsulation of the PPPOE header in front of the PPP data packet.
When a host wants to initiate a PPPOE session, it first searches for an access concentrator on the broadcast network. If multiple access concentrators (ACs) are present, the host selects one based on the services they offer or on pre-configured user preferences. Once the host has selected an access concentrator, a PPPOE session process is initiated, during which the access concentrator assigns a unique session ID to each PPPOE session. Once the session is established and the PPPOE Session Stage is entered, both parties (now in a logical point-to-point relationship, as distinct from PPP's physical one) use the PPP protocol to exchange data packets, completing the usual series of PPP processes and ultimately transmitting network layer packets over this logical point-to-point channel.
2. PPPOE Data Packet Format
Let's briefly introduce the PPPOE data packet format. A PPPOE data packet is encapsulated within the data field of an Ethernet frame. In simple terms, a PPPOE packet can be divided into two major parts: the PPPOE header and the PPPOE payload (data field), whose content changes with the session process. Figure 1 below illustrates the format of a PPPOE packet:
- The PPPOE data packet begins with a 4-bit version field, which the protocol explicitly specifies must contain 0x1.
- Following the version field is a 4-bit type field, which also must contain 0x1 as per the protocol.
- The code field occupies 1 byte, and its content differs across various stages of PPPOE.
- The session ID field uses 2 bytes. If the access concentrator hasn't yet assigned a unique session ID to the user host, the field must be set to 0x0000. Once the host acquires a session ID, all subsequent packets must fill this field with that unique session ID.
- The length field uses 2 bytes to indicate the length of the payload in the PPPOE data packet.
- The data field, sometimes referred to as the payload field, varies significantly in content across different PPPOE stages. During the PPPOE Discovery Stage, this field contains tags; during the Session Stage, it carries PPP packets.
Here we mainly introduce the PPPOE Discovery Stage packet format and its data packets:
1) Tag Format in the PPPOE Data Packet
During the Discovery Stage, the payload of the PPPOE data packet may contain zero or more tags, akin to PPP's configuration options, and subject to negotiation. Unlike PPP, which defines many specific parameters, PPPOE does not, so implementations vary across different vendors' equipment. First, see the tag encapsulation format in the data field of a PPPOE packet, shown in Figure 2:
(Figure 2: Tag Encapsulation Format)
From Figure 2, the tag encapsulation format uses the well-known TLV structure, i.e., Type + Length + Value.
- The type field of the tag is 2 bytes; the table below outlines the meaning of the various tag types:
- The length field of the tag is 2 bytes, indicating the length of the tag data field.
- The data field of the tag contains pertinent data corresponding to different tag types.
2) PPPOE Discovery Stage Data Packets
The PPPOE Discovery Stage is divided into four steps, essentially the exchange of four types of data packets. Upon completing these steps, the user host and access concentrator know each other's MAC address and the unique session ID, and proceed to the next stage (the PPPOE Session Stage). Once both parties know the other's MAC address, a one-to-one correspondence is established on the broadcast network. The session ID field is added to ensure the connection's validity and flexibility in the PPPOE protocol; together, these two conditions confirm a point-to-point relationship between the parties.
Initially, since the access user does not know the MAC address of the access concentrator, a mechanism similar to ARP resolution is used to acquire the access concentrator's MAC address. The user first sends a broadcast packet from their side. If the access concentrator is configured with PPPOE services, it monitors packets on the network, and upon detecting PPPOE packets carried in Ethernet frames (identified by the protocol field), it hands them to the appropriate module for processing. Upon receiving the initial packet, the access concentrator responds to the user with a packet. If many such access concentrators exist on the network and receive the user's initial packet, they will all respond with a confirmation packet. When the user receives these packets, they choose a single access concentrator based on the packet contents or local configuration to proceed with the session. This completes the first two steps; the remaining two steps involve negotiating the service options provided and acquiring the session ID value needed for the PPPOE session.
Note: Throughout this stage, all data packets are carried within the Ethernet data field, with the Ethernet frameās protocol field consistently set to 0x8863.
During the four steps of the PPPOE Discovery Stage, four packet types appear: PADI, PADO, PADR, and PADS. The PADT packet in PPPOE is used to terminate a session.
- PADI (PPPoE Active Discovery Initiation) Packet
The first step of the PPPOE Discovery Stage, initiated by the user side, involves sending this packet. The user host broadcasts this packet, so the destination address field of the corresponding Ethernet frame should be filled with all 1s, and the source address should contain the user host's MAC address. The broadcast packet can be received by multiple access concentrators.
- PADO (PPPoE Active Discovery Offer) Packet
The second step of the PPPOE Discovery Stage is when the access concentrator responds to the user host's PADI packet. The source address field of the corresponding Ethernet frame is filled with the access concentrator's MAC address, while the destination address is the user host's MAC address learned from the PADI.
- PADR (PPPoE Active Discovery Request) Packet
The third step of the PPPOE Discovery Stage occurs when the user host sends a unicast request packet to the access server. Upon receiving PADO packets, the user host selects one access concentrator from among them for the subsequent session. Since the user host has learned the access concentrator's MAC address from the PADO packets, the Ethernet source address of the PADR packet is filled with the user host's MAC address, and the destination address is filled with the access concentrator's MAC address.
- PADS (PPPoE Active Discovery Session-confirmation) Packet
The fourth and final step of the PPPOE Discovery Stage is when the access concentrator is ready to initiate a PPP session upon receiving the PADR packet. At this point, the access concentrator allocates a unique session ID for the session and includes it in the PADS packet sent to the host. If the access concentrator cannot meet the services requested by the user, it sends a PADS packet containing a tag indicating a service name error, with the session ID filled as 0x0000.
- PADT (PPPoE Active Discovery Terminate) Packet
The PADT packet can be sent at any time after the session has begun, and is used to terminate the PPPOE session. It can be sent by either the host or the access concentrator, with the destination address filled with the peer's Ethernet MAC address.
2. Detailed Decoding of PPPOE Discovery
We use the Colasoft Network Analysis System to capture PPPOE packets, as shown in Figure 3:
(Figure 3: Detailed Decoding of PPPOE Discovery)
Upon examining the detailed decoding in the Colasoft Network Analysis System, we recognize it as the first step of the PPPOE Discovery Stage, the PADI packet. Here's a detailed explanation:
- Version: 1, with an explicit protocol stipulation to fill this field with 0x1.
- Type: 1, also prescribed by the protocol to be filled with 0x1.
- Code: 0x09, indicating this packet is a PADI packet from the Discovery Stage.
- Session ID: 0, indicating no session ID is yet assigned.
- Length: 16, specifying the length of the payload in the PPPOE data packet.
- PPP Discovery Tag: Refer to the tag types table we listed earlier.
The above is an introduction to the PPPOE Discovery protocol and its detailed decoding.
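The header and tag layout described above, and the PADI decode from Figure 3, can be checked in code. The following parser is an added example, not part of the original article or of Colasoft's software; the PADI frame it parses is constructed here (the host MAC and Host-Uniq value are made up), and the discovery codes and tag types beyond PADI/0x09 and EtherType 0x8863 are taken from RFC 2516. It also rejects the malformed cases a receiver should not accept: a length field that overruns the frame, a tag that overruns the payload, and a non-zero session ID before a PADS has assigned one.

```python
import struct

ETHERTYPE_DISCOVERY = 0x8863  # Ethernet protocol field for the Discovery Stage
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_TYPES = {0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
             0x0103: "Host-Uniq", 0x0104: "AC-Cookie", 0x0105: "Vendor-Specific",
             0x0110: "Relay-Session-Id", 0x0201: "Service-Name-Error",
             0x0202: "AC-System-Error", 0x0203: "Generic-Error"}


def parse_tags(payload: bytes) -> list:
    """Walk the TLV list in a discovery payload: 2-byte type, 2-byte length, value."""
    tags, off = [], 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated tag header at offset %d" % off)
        ttype, tlen = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + tlen > len(payload):  # a tag must not run past the PPPoE length
            raise ValueError("tag 0x%04x claims %d bytes, only %d left" % (ttype, tlen, len(payload) - off))
        tags.append((TAG_TYPES.get(ttype, "0x%04x" % ttype), payload[off:off + tlen]))
        off += tlen
        if ttype == 0x0000:  # End-Of-List terminates the tag list
            break
    return tags


def parse_pppoe_discovery(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying a PPPoE discovery packet, enforcing the
    field rules from the text: version/type 1, length within the frame, and a
    session ID of 0x0000 in PADI/PADO/PADR (none has been assigned yet)."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame: EtherType 0x%04x" % ethertype)
    vt, code, sid, length = struct.unpack("!BBHH", frame[14:20])  # 6-byte PPPoE header
    version, ptype = vt >> 4, vt & 0x0F
    if version != 1 or ptype != 1:
        raise ValueError("unsupported PPPoE version/type %d/%d" % (version, ptype))
    if code not in CODES:
        raise ValueError("unknown discovery code 0x%02x" % code)
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("length field %d exceeds the %d payload bytes present" % (length, len(frame) - 20))
    if code in (0x09, 0x07, 0x19) and sid != 0:
        raise ValueError("%s must carry session ID 0x0000, got 0x%04x" % (CODES[code], sid))
    return {"dst": dst.hex(":"), "src": src.hex(":"), "version": version, "type": ptype,
            "code": CODES[code], "session_id": sid, "length": length, "tags": parse_tags(payload)}


# Constructed sample: a broadcast PADI carrying an empty Service-Name tag and an
# 8-byte Host-Uniq tag, i.e. 4 + 4 + 8 = 16 payload bytes, matching the decode above.
HOST_MAC = bytes.fromhex("001122334455")  # made-up client MAC
PADI_FRAME = (b"\xff" * 6 + HOST_MAC + struct.pack("!H", ETHERTYPE_DISCOVERY)
              + struct.pack("!BBHH", 0x11, 0x09, 0x0000, 16)
              + struct.pack("!HH", 0x0101, 0) + struct.pack("!HH", 0x0103, 8) + b"\xa5" * 8)

if __name__ == "__main__":
    print(parse_pppoe_discovery(PADI_FRAME))
```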