The VxWorks implementation of the PPP (Point-to-Point Protocol) is comprised of several different protocols that work together with the PPP network interface driver. Although PPP can, in theory, support a variety of protocols, the VxWorks implementation supports only the TCP/IP stack. The VxWorks PPP implementation is comprised of three main components:

• A method for encapsulating multi-protocol datagrams.

• A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.

• A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols.

PPP is one method by which VxWorks can communicate with other operating systems over a serial line connection. PPP supports Internet Protocol (IP) layer networking software over point-to-point configurations, such as long-distance telephone lines or RS-232 serial connections between machines. If either end of a PPP connection has other network interfaces (such as Ethernet) and is able to forward packets to other machines, a PPP connection can serve as a gateway between networks.

The basic functionality provided by PPP is similar to that of the Serial Line Internet Protocol (SLIP), with the advantage that PPP is extensible and offers various configurable options.

PPP provides a standard method for transporting multi-protocol datagrams over point-to-point links. It is designed for simple links which transport packets between two peers. These links provide full-duplex, simultaneous operation and are assumed to deliver packets in the order in which they are sent. It is intended that PPP provide a common solution for easy connectivity among a variety of hosts, bridges, and routers.

The following is a list of relevant Requests for Comments (RFCs) associated with the VxWorks PPP implementation:

RFC 1332: The PPP Internet Protocol Control Protocol (IPCP)

RFC 1334: PPP Authentication Protocols

RFC 1548: The Point-to-Point Protocol (PPP)

The USENET news group, comp.protocols.ppp, is dedicated to the discussion of PPP-related issues. Information presented in this forum is often of a general nature (such as equipment, setup, or troubleshooting), but technical details concerning specific PPP implementations are discussed as well.

PPP supports the following features:

• PPP client and server connection support (either active or passive mode). In active mode (default), the PPP software attempts to initiate a PPP link with the peer. In passive mode, the PPP software waits for a peer to try to open a link.

• Multiple unit support. Up to 16 PPP interfaces can be active at any one time.

• Asynchronous character mapping. Users can specify control characters that should be escaped by the peer upon transmission to avoid misinterpretation by the serial driver library or by lower-level modem software.

• Van Jacobsen (VJ) compression. This feature reduces the regular 40-byte TCP/IP header to 3 or 8 bytes, thereby saving valuable link bandwidth.

• Address, control, and protocol field compression. These types of compression allow the PPP network interface driver to reduce the transmission of extraneous PPP header information, thereby saving valuable link bandwidth.

• Link state and link statistics querying. Internal PPP counters and protocol state information may be obtained through query routines. This enables applications to monitor and manage the PPP link.

• IP address negotiation. Using IP address negotiation, one peer may assign the other peer an IP address once the PPP link is established.

• Echo request and reply. One peer may request that the other peer respond to link-layer echoes. This allows for an automatic monitoring of the link's physical status.

• Connect and disconnect hooks. Use of connect and disconnect hooks allows applications to implement routines supporting modem control, dialing software, connection scripting, etc.

• Challenge-Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP). These authentication protocols ensure that the remote peer is authorized to establish a PPP link and that the correct IP address is used.

• Proxy ARP routing. Use of this feature allows hosts on the proxy-server peer's connected network to access the proxy-client peer without manually adding routing entries.

For many years, transferring Internet Protocol (IP) packets over serial lines was handled almost exclusively by the Serial Line Internet Protocol (SLIP). SLIP is a simple link-layer driver that is installed between IP stack code and a serial driver. While SLIP uses less object code than PPP and processes packets more efficiently (using compressed headers in CSLIP), it can carry only IP packets and it is not extensible. Furthermore, SLIP has several different protocol implementations that do not always communicate smoothly with each other. Nevertheless, its general ease of use and large installed base has made it the de facto standard for using IP over point-to-point serial lines.

The Point-to-Point Protocol (PPP) was developed to address the shortcomings of SLIP. Unlike SLIP, PPP is being defined and tracked by the Internet Engineering Task Force (IETF), and the protocol specifications have been published in multiple Request For Comments (RFC) documents. Although SLIP is still an attractive choice for systems that only require basic IP-packet transfers, the advantages of PPP are prompting the rapid growth of its installed base.

PPP supports several features that make it more suitable than SLIP for certain applications:

• Multi-Protocol Support. PPP packet framing includes a protocol field in the header. This allows for the transfer of packets among different network-layer protocols over a link. At present, the only protocols supported by this PPP implementation are IP and the basic PPP protocols (LCP, IPCP, PAP, and CHAP).

• Extensibility. The protocol field in the frame header makes PPP able to accommodate new protocols (both public and proprietary). The Internet Assigned Numbers Authority (IANA) tracks the allocation of protocol field values.

• Error Detection. PPP framing also includes a Frame Check Sequence (FCS). This field automatically ensures the data integrity of every packet received by the PPP network interface driver. If an error is detected, the received packet is dropped and an input error is recorded.

• Link Management. The entire structure of PPP is based around the concept of a point-to-point link which is established between peers (the local and remote systems on either end of the serial connection). The link has several phases and states associated with its life and is managed by its own separate protocol, the Link Control Protocol (LCP). This concept of a link creates an environment that can support features like option negotiation, link-layer user authentication, link quality management, and loopback detection.

• Option Negotiation. PPP allows for the dynamic negotiation of options between peers. To some extent, this allows one end of the link to configure the peer. This is especially useful in heterogeneous environments where a PPP server may need to assign certain properties to the peer, such as the Maximum Receive Unit (MRU).

• Authentication. PPP supports link-layer authentication through two widely used authentication protocols: PAP and CHAP. Both of these protocols check that the peer is authorized to establish a link with the local host by sending and/or receiving password information.

• IP Address Negotiation. Built into the PPP control protocol for IP is the ability to assign an IP address to a peer. This feature allows one peer to act as a PPP server and assign addresses as clients dial in. The IP address can be re-used when the PPP link is terminated.

While many applications do not require any of the features above, they may need to interact with other systems that are using PPP and not SLIP. These two protocols can not communicate with each other; this is perhaps the most compelling reason for using PPP.

PPP provides for the encapsulation of data in frames. It also supports the following protocols:

• Link Control Protocol (LCP)

• Internet Protocol Control Protocol (IPCP)

• Password Authentication Protocol (PAP)

• Challenge-Handshake Authentication Protocol (CHAP)

PPP encapsulation provides for simultaneous multiplexing of different network-layer protocols over the same link. The PPP encapsulation has been carefully designed to retain compatibility with most commonly used supporting hardware. The frame format of a standard PPP frame structure is shown in Figure 3-1.

Figure 3-1:  Format of Standard PPP Frame Structure

In order to promote versatility and be portable to a wide variety of environments, PPP provides a Link Control Protocol (LCP). LCP is used when establishing links and negotiating a variety of configuration options. It is also used to create automatic agreement on encapsulation format options, to handle variable size limits placed on packets, to detect looped-back links and other common configuration errors, and to terminate links.

Other optional facilities provided by LCP include: authentication of the peer on the link by using authentication protocols such as PAP or CHAP, and determination when a link is functioning properly and when it is failing. After the link is established, PPP also allows an optional authentication. For more information, see RFC 1548.

The IP Control Protocol (IPCP) is the Network Control Protocol (NCP) for IP. IPCP is responsible for configuring, enabling, and disabling the IP protocol modules on both ends of the point-to-point link. It uses the same packet exchange mechanism as LCP. IPCP packets are not exchanged until PPP has established a link. IPCP is also responsible for IP address negotiation between peers. For more information, see RFC 1332.

The Password Authentication Protocol (PAP) provides a simple method by which the peer establishes its identity using a two-way handshake. This is done only upon the initial link creation. Once a link is established, an ID/password pair is sent repeatedly by the peer to the authenticator until authentication is acknowledged or the connection is terminated.

PAP is not a robust authentication protocol. Passwords are sent over the circuit "in the clear," without protection from playback or repeated trial-and-error attacks. The peer is in control of the frequency and timing of the attempts. This authentication method is most appropriately used when a plain-text password must be available to simulate a login at a remote host. For information about using PAP, see Using PAP, or refer to RFC 1334.

Challenge-Handshake Authentication Protocol (CHAP) is a more robust authentication protocol offering better security than PAP. CHAP periodically verifies the identity of a peer using a three-way handshake. This is done after an initial link is established, and can be repeated later at any time.

After a link is established, the authenticator sends a "challenge" message to the peer. The peer responds with a value calculated by a one-way hash function. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection is terminated.

CHAP provides protection against playback attack by issuing ever-changing challenges at specified time intervals. The use of repeated challenges is intended to limit the time of exposure to any single attack. The authenticator is in control of the frequency and timing of the challenges.

CHAP authentication for any particular link relies on the use of a "secret" known only to the authenticator and the peer. The secret is not sent over the link; therefore the server and its peer must both have access to it. In Tornado, this is achieved using various methods explained in Using CHAP. For further technical details, refer to RFC 1334.

Configuring your environment for PPP requires both host and target software installation and configuration. See your host's operating system manual for information on installing and configuring PPP on your host.¹

To include the default PPP configuration, configure VxWorks with PPP support. The relevant configuration macro is INCLUDE_PPP.

	CAUTION: A VxWorks image that includes PPP sometimes fails to load. This failure is due to the static maximum size of the VxWorks image allowed by the loader. This problem can be fixed by either reducing the size of the VxWorks image (by removing unneeded options), or by burning new boot ROMs. If you receive a warning from vxsize when building VxWorks, or if the size of your image becomes greater than that supported by the current setting of RAM_HIGH_ADRS, see Creating Bootable Applications in the Tornado User's Guide: Cross-Development for information on how to resolve the problem.

You can include the optional DES cryptographic package for use with the Password Authentication Protocol (PAP). The relevant configuration macro is INCLUDE_PPP_CRYPT. It is not included in the standard Tornado Release; contact your WRS Sales Representative to inquire about the availability of this optional package. The DES package allows user passwords to be stored in encrypted form on the VxWorks target. If the package is installed, then it is useful only when the VxWorks target is acting as a PAP server, that is, when VxWorks is authenticating the PPP peer. Its absence does not preclude the use of PAP. For detailed information about using the DES package with PAP, see Using PAP).

This PPP implementation includes many optional features (approximately 50 in all) that can be configured in to enable the PPP capabilities listed in 3.4.2 PPP Features. There are three methods of configuration:

• At compile-time, by reconfiguring VxWorks as described in the Tornado User's Guide: Projects. Use this method with usrPPPInit( ). (See Initializing a PPP Link.)

• At run-time, by filling in a PPP options structure. Use this method with pppInit( ). (See Initializing a PPP Link.)

• At run-time, by setting options in a PPP options file. This method is used with either usrPPPInit( ) or pppInit( ), and can be used to change the selection of PPP options previously configured by one of the other two configuration methods, provided that the PPP options file can be read without using the PPP link (for example, an options file located on a target's local disk).

Each of these methods is described in a section that follows. For brief descriptions of the various PPP options, see Table 3-3.

The various configuration options offered by this PPP implementation can be initialized at compile-time by defining a number of configuration options.

	NOTE: See the Tornado User's Guide: Projects for information on how to set some configuration options through a graphical user interface, without directly editing config.h.

First, make sure the PPP_OPTIONS_STRUCT constant is defined in config.h (it is defined by default). Unless PPP_OPTIONS_STRUCT is defined, configuration options in config.h cannot be enabled.

Then, specify the default serial interface that will be used by usrPPPInit( ) by defining the PPP_TTY constant. Configuration options can be selected using configuration constants only when usrPPPInit( ) is invoked to initialize PPP. Specify the number of seconds usrPPPInit( ) will wait for a PPP link to be established between a target and peer by defining the PPP_CONNECT_DELAY constant. Table 3-1 lists the principal configuration constants used with PPP.

Table 3-1:  PPP Configuration Constants

Constant		Purpose
INCLUDE_PPP		Include PPP. 1
INCLUDE_PPP_CRYPT		Include DES cryptographic package.
PPP_OPTIONS_STRUCT		Enable configuration options set in config.h.
PPP_TTY		Define default serial interface.
PPP_CONNECT_DELAY		Define time-out delay for link establishment.
1:  If you want to use VxSim for Solaris with PPP as the backend, you must configure VxWorks with BSD 4.3 compatability off. The relevant configuration macro is BSD43_COMPATIBLE. Otherwise, you get an exception in the WDB task when the target server tries to connect to the WDB agent.

Table 3-2 shows the two basic formats used for configuration options in config.h. The full list of options available with PPP appears in column 1 of Table 3-3. By default, all of these options are disabled. To enable any PPP_OPT_option setting, define its value to be 1 (these option constants are boolean values). To set any PPP_STR_optionstring entry, define it by representing the desired value as a string. For example, to set PPP_STR_MTU to 1000, enter:

#define   PPP_STR_MTU   "1000"

Table 3-2:  PPP Configuration Options in config.h

Configuration Option		Option Included
PPP_OPT_option		Specify a PPP configuration option.
PPP_STR_optionstring		Specify a PPP configuration option string.

Setting PPP_OPTIONS_STRUCT, PPP_TTY, and PPP_CONNECT_DELAY in config.h, as well as any configuration options, constitutes a modification to the configuration file. These changes do not actually take effect until after you have recompiled VxWorks and initialized PPP. To initialize PPP, call usrPPPInit( ). You can make this call manually from a target shell (see Initializing a PPP Link) or can include it in the boot code (see Booting over the Network).

PPP options may be set at run-time by filling in a PPP options structure and passing the structure location to the pppInit( ) routine. This routine is the standard entry point for initializing a PPP link (see Initializing a PPP Link).

The PPP options structure is typedefed to PPP_OPTIONS, and its definition is located in h/netinet/ppp/options.h, which is included through h/pppLib.h.

The first field of the structure is an integer, flags, which is a bit field that holds the ORed value of the OPT_option macros displayed in column 2 of Table 3-3. Definitions for OPT_option are located in h/netinet/ppp/options.h. The remaining structure fields in column 2 are character pointers to the various PPP options specified by a string.

The following code fragment is one way to set configuration options using the PPP options structure. It initializes a PPP interface that uses the target's second serial port (/tyCo/1). The local IP address is 90.0.0.1; the IP address of the remote peer is 90.0.0.10. The baud rate is the default rate for the tty device. The VJ compression and authentication options have been disabled, and LCP (Link Control Protocol) echo requests have been enabled.

PPP_OPTIONS pppOpt;   /* PPP configuration options */ 
 
void routine () 
    { 
    pppOpt.flags = OPT_PASSIVE_MODE | OPT_NO_PAP | OPT_NO_CHAP | 
                    OPT_NO_VJ; 
    pppOpt.lcp_echo_interval = "30"; 
    pppOpt.lcp_echo_failure = "10"; 
 
    pppInit (0, "/tyCo/1", "90.0.0.1", "90.0.0.10", 0, &pppOpt, NULL); 
    }

PPP options are most conveniently set using an options file. There is one restriction: the options file must be readable by the target without there being an active PPP link. Therefore the target must either have a local disk or RAM disk or an additional network connection. For more information about using file systems, see VxWorks Programmer's Guide: Local File Systems.

This configuration method can be used with either usrPPPInit( ) or pppInit( ). It also can be used to modify the selection of PPP options previously configured using configuration constants in config.h or the option structure PPP_OPTION.

When using usrPPPInit( ) to initialize PPP, define the configuration constant PPP_OPTIONS_FILE to be the absolute path name of the options file (NULL by default). When using pppInit( ), pass in a character string that specifies the absolute path name of the options file.

The options file format is one option per line; comment lines begin with #. For a description of option syntax, see the manual entry for pppInit( ).

The following code fragment generates the same results as the code example in Selecting PPP Options Using an Options Structure. The difference is that the configuration options are obtained from a file rather than a structure.

pppFile = "mars:/tmp/ppp_options"; /* PPP config. options file */ 
 
void routine () 
    { 
    pppInit (0, "/tyCo/1", "90.0.0.1", "90.0.0.10", 0, NULL, pppFile); 
    }

In this example, mars:/tmp/ppp_options is a file that contains the following:

passive 
no_pap 
no_chap 
no_vj 
lcp_echo_interval 30 
lcp_echo_failure 10

After it is configured and initialized, PPP attaches itself into the VxWorks TCP/IP stack at the driver (link) layer. After a PPP link has been established with the remote peer, all normal VxWorks IP networking facilities are available; the PPP connection is transparent to the user.

A PPP link is initialized by calls to either usrPPPInit( ) or pppInit( ). When either of these routines is invoked, the remote peer should be initialized. When a peer is running in passive mode, it must be initialized first (see PPP Options.)

The usrPPPInit( )routine is in config/all/bootConfig.c and src/config/usrNetwork.c. There are four ways it can be called:

If the boot device is set to ppp, usrPPPInit( ) is called as follows:

• From( )bootConfig.c when booting from boot ROMs.

• From usrNetwork.c when booting from VxWorks boot code.

The PPP interface can also be initialized by calling usrPPPInit( ):

• From the VxWorks shell.

• By user application code.

Use either syntax when calling usrPPPInit( ):

usrPPPInit ("bootDevice", unitNum, "localIPAddress", "remoteIPAddress")  
usrPPPInit ("bootDevice", unitNum, "localHostName", "remoteHostName")

You can use host names in usrPPPInit( ) provided the hosts have been previously added to the host database. For example, you can call usrPPPInit( ) in the following way:

usrPPPInit ("ppp=/tyCo/1,38400", 1, "147.11.90.1", "147.11.90.199") 

The usrPPPInit( ) routine calls pppInit( ), which initializes PPP with the configuration options that were specified at compile-time (see Selecting PPP Options By Configuring VxWorks). The pppInit( ) routine can be called multiple times to initialize multiple channels.² The connection timeout is specified by PPP_CONNECT_DELAY. The return value of this routine indicates whether the link has been successfully established--if the return value is OK, the network connection should be fully operational.

The pppInit( ) routine is the standard entry point for initializing a PPP link. All available PPP options can be set using parameters specified for this routine (see Selecting PPP Options Using an Options Structure). Unlike usrPPPInit( ), the return value of pppInit( ) does not indicate the status of the PPP link; it merely reports whether the link could be initialized. To check whether the link is actually established, call pppInfoGet( ) and make sure that the state of IPCP is OPENED. The following code fragment demonstrates use of this mechanism for PPP unit 2:

PPP_INFO    pppInfo; 
 
if ((pppInfoGet (2, &pppInfo) == OK) && 
    (pppInfo.ipcp_fsm.state == OPENED)) 
    return (OK);                           /* link established */ 
else 
    return (ERROR);                        /* link down */

There are two ways to delete a PPP link:

• When a terminate request packet is received from the peer.

• By calling pppDelete( ) to terminate the link.

Merely deleting the VxWorks tasks that control PPP or rebooting the target severs the link only at the TCP/IP stack, but does not delete the link on the remote peer end.

The return value of pppDelete( ) does not indicate the status of the PPP link. To check whether the link is actually terminated, call pppInfoGet( ) and make sure the return value is ERROR. The following code fragment demonstrates the usage of this mechanism for PPP unit 4:

PPP_INFO    pppInfo; 
 
if (pppInfoGet (4, &pppInfo) == ERROR) 
    return (OK);                          /* link terminated */ 
else 
    return (ERROR);                       /* link still up */

Table 3-3 lists all the configuration options supported by PPP. Each option is shown in its three forms, corresponding to the configuration methods explained in the following sections:

Column 1: Selecting PPP Options By Configuring VxWorks

Column 2: Selecting PPP Options Using an Options Structure

Column 3: Setting PPP Options Using an Options File.

A brief description of each option follows the three formats. Configuration options specified in the options file PPP_OPTIONS_FILE take precedence over any previously set in config.h or set by passing the structure PPP_OPTIONS to pppInit( ). For example:

• If VxWorks is configured with the use of PAP negated, a subsequent setting of require_pap in PPP_OPTIONS_FILE overrides the earlier setting enabling PAP authentication. The relevant configuration macro is PPP_OPT_NO_PAP.

• If char * netmask has been passed in the options structure PPP_OPTIONS to pppInit( ) with a value of FFFF0000, and netmask FFFFFF00 is passed in PPP_OPTIONS_FILE to usrPPPInit( ), the network mask value is set to FFFFFF00. 

  Table 3-3:  PPP Configuration Options 

  Options				Description
  Set in config.h		Set using options structure		Set using options file
  PPP_OPT_DEBUG		OPT_DEBUG		debug		Enable PPP daemon debug mode.
  PPP_OPT_DEFAULT_ROUTE		OPT_DEFAULT_ROUTE		default_route		After IPCP negotiation is successfully completed, add a default route to the system routing tables. Use the peer as the gateway. This entry is removed when the PPP connection is broken.
  PPP_OPT_DRIVER_DEBUG		OPT_DRIVER_DEBUG		driver_debug		Enable PPP driver debug mode.
  PPP_OPT_IPCP_ACCEPT_LOCAL		OPT_IPCP_ACCEPT_LOCAL		ipcp_accept_local		Set PPP to accept the remote peer's idea of the target's local IP address, even if the local IP address was specified.
  PPP_OPT_IPCP_ACCEPT_REMOTE		OPT_IPCP_ACCEPT_REMOTE		ipcp_accept_remote		Set PPP to accept the remote peer's idea of its (remote) IP address, even if the remote IP address was specified.
  PPP_OPT_LOGIN		OPT_LOGIN		login		Use the login password database for PAP authentication of peer.
  PPP_OPT_NO_ACC		OPT_NO_ACC		no_acc		Disable address/control compression.
  PPP_OPT_NO_ALL		OPT_NO_ALL		no_all		Do not request/allow any options.
  PPP_OPT_NO_CHAP		OPT_NO_CHAP		no_chap		Do not allow CHAP authentication with peer.
  PPP_OPT_NO_IP		OPT_NO_IP		no_ip		Disable IP address negotiation in IPCP.
  PPP_OPT_NO_MN		OPT_NO_MN		no_mn		Disable magic number negotiation.
  PPP_OPT_NO_MRU		OPT_NO_MRU		no_mru		Disable MRU (Maximum Receive Unit) negotiation.
  PPP_OPT_NO_PAP		OPT_NO_PAP		no_pap		Do not allow PAP authentication with peer.
  PPP_OPT_NO_PC		OPT_NO_PC		no_pc		Disable protocol field compression.
  PPP_OPT_NO_VJ		OPT_NO_VJ		no_vj		Disable VJ (Van Jacobson) compression.
  PPP_OPT_NO_VJCCOM		OPT_NO_ASYNCMAP		no_asyncmap		Disable async map negotiation.
  PPP_OPT_NO_VJCCOMP		OPT_NO_VJCCOMP		no_vjccomp		Disable VJ (Van Jacobson) connection ID compression.
  PPP_OPT_PASSIVE_MODE		OPT_PASSIVE_MODE		passive_mode		Set PPP in passive mode so it waits for the peer to connect, after an initial attempt to connect.
  PPP_OPT_PROXYARP		OPT_PROXY_ARP		proxy_arp		Add an entry to this system's ARP (Address Resolution Protocol) table with the IP address of the peer and the Ethernet address of this system.
  PPP_OPT_REQUIRE_CHAP		OPT_REQUIRE_CHAP		require_chap		Require CHAP authentication with peer.
  PPP_OPT_REQUIRE_PAP		OPT_REQUIRE_PAP		require_pap		Require PAP authentication with peer.
  PPP_OPT_SILENT_MODE		OPT_SILENT_MODE		silent_mode		Set PPP in silent mode. PPP does not transmit LCP packets to initiate a connection until a valid LCP packet is received from the peer.
  PPP_STR_ASYNCMAP		char * asyncmap		asyncmap value		Set the desired async map to the specified value.
  PPP_STR_CHAP_FILE		char * chap_file		chap_file file		Get CHAP secrets from the specified file. This option is necessary if either peer requires CHAP authentication.
  PPP_STR_CHAP_INTERVAL		char * chap_interval		chap_interval value		Set the interval in seconds for CHAP rechallenge to the specified value.
  PPP_STR_CHAP_RESTART		char * chap_restart		chap_restart value		Set the timeout in seconds for the CHAP negotiation to the specified value.
  PPP_STR_ESACAPE_CHARS		char * escape_chars		escape_chars value		Set the characters to escape on transmission to the specified values.
  PPP_STR_IPCP_MAX_CONFIGURE		char * ipcp_max_configure		ipcp_max_configure value		Set the maximum number of transmissions for IPCP configuration requests to the specified value.
  PPP_STR_IPCP_MAX_FAILURE		char * ipcp_max_failure		ipcp_max_failure value		Set the maximum number of IPCP configuration NAKs to the specified value.
  PPP_STR_IPCP_MAX_TERMINATE		char * ipcp_max_terminate		ipcp_max_terminate value		Set the maximum number of transmissions for IPCP termination requests to the specified value.
  PPP_STR_IPCP_RESTART		char * ipcp_restart		ipcp_restart value		Set the timeout in seconds for the IPCP negotiation to the specified value.
  PPP_STR_LCP_ECHO_FAILURE		char * lcp_echo_failure		lcp_echo_failure value		Set the maximum consecutive LCP echo failures to the specified value.
  PPP_STR_LCP_ECHO_INTERVAL		char * lcp_echo_interval		lcp_echo_interval value		Set the interval in seconds for the LCP negotiation to the specified value.
  PPP_STR_LCP_MAX_CONFIGURE		char * lcp_max_configure		lcp_max_configure value		Set the maximum number of transmissions for LCP configuration requests to the specified value.
  PPP_STR_LCP_MAX_FAILURE		char * lcp_max_failure		lcp_max_failure value		Set the maximum number of LCP configuration NAKs to the specified value.
  PPP_STR_LCP_MAX_TERMINATE		char * lcp_max_terminate		lcp_max_terminate value		Set the maximum number of transmissions for LCP termination requests to the specified value.
  PPP_STR_LCP_RESTART		char * lcp_restart		lcp_restart value		Set the timeout in seconds for the LCP negotiation to the specified value.
  PPP_STR_LOCAL_AUTH_NAME		char * local_auth_name		local_auth_name name		Set the local name for authentication to the specified name.
  PPP_STR_MAX_CHALLENGE		char * max_challenge		max_challenge value		Set the maximum number of transmissions for CHAP challenge requests to the specified value.
  PPP_STR_MRU		char * mru		mru value		Set MRU (Maximum Receive Unit) for negotiation to the specified value.
  PPP_STR_MTU		char * mtu		mtu value		Set MTU (Maximum Transmission Unit) for negotiation to the specified value.
  PPP_STR_NETMASK		char * netmask		netmask value		Set the network mask value for negotiation to the specified value.
  PPP_STR_PAP_FILE		char * pap_file		pap_file file		Get PAP secrets from the specified file. This option is necessary if either peer requires PAP authentication.
  PPP_STR_PAP_MAX_AUTHREQ		char * pap_max_authreq		pap_max_authreq value		Set the maximum number of transmissions for PAP authentication requests to the specified value.
  PPP_STR_PAP_PASSWD		char * pap_passwd		pap_passwd passwd		Set the password for PAP authentication with the peer to the specified password.
  PPP_STR_PAP_RESTART		char * pap_restart		pap_restart value		Set the timeout in seconds for the PAP negotiation to the specified value.
  PPP_STR_PAP_USER_NAME		char * pap_user_name		pap_user_name name		Set the user name for PAP authentication with the peer to the specified name.
  PPP_STR_REMOTE_AUTH_NAME		char * remote_auth_name		remote_auth_name name		Set the remote name for authentication to the specified name.
  PPP_STR_VJ_MAX_SLOTS		char * vj_max_slots		vj_max_slots value		Set the maximum number of VJ compression header slots to the specified value.

PPP provides security through two authentication protocols: PAP (see Password Authentication Protocol (PAP)) and CHAP (see Challenge-Handshake Authentication Protocol (CHAP)). This section introduces the use of PPP link-layer authentication (introduced in Link Control Protocol (LCP)), and describes the format of the secrets files.

In VxWorks, the default behavior of PPP is to provide authentication when requested by a peer but not to require authentication from a peer. If additional security is required, choose PAP or CHAP by enabling the corresponding option. PPP in VxWorks can act as a client (the peer authenticating itself) or a server (the authenticator).

Authentication for both PAP and CHAP is based on secrets, selected from a secrets file or from the secrets database built by the user (which can hold both PAP and CHAP secrets). A secret is represented by a record, which itself is composed of fields. The secrets file and the secrets database contain secrets that authenticate other clients, as well as secrets used to authenticate the VxWorks client to its peer. In the case that a VxWorks target cannot access the secrets file through the file system, use pppSecretAdd( ) to build a secrets database.

Secrets files for PAP and CHAP use identical formats. A secrets record is specified in a file by a line containing at least three words that specify the contents of the fields client, server, and secret, in that order. For PAP, secret is a password which must match the password entered by the client seeking PAP authentication. For CHAP, both client and server must have identical secrets records in their secrets files; the secret consists of a string of one or more words (for example, "an unguessable secret").

Table 3-4 is an example of a secrets file. It could be either a PAP or CHAP secrets file, since their formats are identical.

Table 3-4:  Secrets File Format

client		server		secret		IP address
vxTarget		mars		"vxTargetSECRET"
venus		vxTarget		"venusSECRET"		147.11.44.5
*		mars		"an unguessable secret"
venus		vxTarget		"venusSECRET"		-
vxTarget		mars		@host:/etc/passwd

At the time of authentication, for a given record, PPP interprets any words following client, server, and secret as acceptable IP addresses for the client and secret specified. If there are only three words on the line, it is assumed that any IP address is acceptable; to disallow all IP addresses, use a dash (-). If the secret starts with an @, what follows is assumed to be the name of a file from which to read a secret. An asterisk (*) as the client or server name matches any name. When authentication is initiated, a best-match algorithm is used to find a match to the secret, meaning that, given a client and server name, the secret returned is for the closest match found.

On receiving an authentication request, PPP checks for the existence of secrets either in an internal secrets database or in a secrets file. If PPP does not find the secrets information, the connection is terminated.

The secrets file contains secrets records used to authenticate the peer, and those used to authenticate the VxWorks client to the peer. Selection of a record is based on the local and remote names. By default, the local name is the host name of the VxWorks target, unless otherwise set to a different name by the option local_auth_name in the options file. The remote name is set to a NULL string by default, unless otherwise set to a name specified by the option remote_auth_name in the options file. (Both local_auth_name and remote_auth_name can be specified in two other forms, as can other configuration options listed in Table 3-3.)

Using PAP

The default behavior of PPP is to authenticate itself if requested by a peer but not to require authentication from a peer. For PPP to authenticate itself in response to a server's PAP authentication request, it only requires access to the secrets. For PPP to act as an authenticator, you must turn on the PAP configuration option.

Secrets can be declared in a file or built into a database. The secrets file for PAP can be specified in one of the following ways:

• By reconfiguring VxWorks with the PSP file specified. The relevant configuration macro is PPP_STR_PAP_FILE.

• By setting the pap_file member of the PPP_OPTIONS structure passed to pppInit( ).

• By adding the following line entry in the PPP options file specified in your configuration:

pap_file  /xxx/papSecrets 

If the VxWorks target is unable to access the secrets file, call pppSecretAdd( )to build a secrets database.

If PPP requires the peer to authenticate itself using PAP, the necessary configuration option can be set in one of the following ways:

1. By reconfiguring VxWorks with PAP required. The relevant configuration macro is PPP_OPT_REQUIRE_PAP.

1. By setting the flag OPT_REQUIRE_PAP in the flags bit field of the PPP_OPTIONS structure passed to pppInit( );

1. By adding the following line entry in the options file.

require_pap

Secrets records are first searched in the secrets database; if none are found there, then the PAP secrets file is searched. The search proceeds as follows:

VxWorks as an authenticator:.  

PPP looks for a secrets record with a client field that matches the user name specified in the PAP authentication request packet and a server field matching the local name. If the password does not match the secrets record supplied by the secrets file or the secrets database, it is encrypted, provided the optional DES cryptographic package is installed. Then it is checked against the secrets record again. Secrets records for authenticating the peer can be stored in encrypted form if the optional DES package is used. If the login option was specified, the user name and the password specified in the PAP packet sent by the peer are checked against the system password database. This enables restricted access to certain users.

VxWorks as a client:.  

When authenticating the VxWorks target to the peer, PPP looks for the secrets record with a client field that matches the user name (the local name unless otherwise set by the PAP user name option in the options file) and a server field matching the remote name.

Using CHAP

The default behavior of PPP is to authenticate itself if requested by a peer but not to require authentication from a peer. For PPP to authenticate itself in response to a server's CHAP authentication request, it only requires access to the secrets. For PPP to act as an authenticator, you must turn on the CHAP configuration option.

CHAP authentication is instigated when the authenticator sends a challenge request packet to the peer which responds with a challenge response. Upon receipt of the challenge response from the peer, the authenticator compares it with the expected response and thereby authenticates the peer by sending the required acknowledgment. CHAP uses the MD5 algorithm for evaluation of secrets.

The secrets file for CHAP can be specified in any of the following ways:

• By reconfiguring VxWorks with the CHAP file specified. The relevant configuration macro is PPP_STR_CHAP_FILE.

• By setting the chap_file member of the PPP_OPTIONS structure passed to pppInit( ).

• By adding the following line entry in the options file:

chap_file  /xxx/chapSecrets

If PPP requires the peer to authenticate itself using CHAP, the necessary configuration option can be set in one of the following ways:

• By reconfiguring VxWorks with CHAP required. The relevant configuration macro is PPP_OPT_REQUIRE_CHAP.

• By setting the flag OPT_REQUIRE_CHAP in the flags bit field of the PPP_OPTIONS structure passed to pppInit( ).

• By adding the following line entry in the options file:

require_chap 

Secrets are first searched in the secrets database; if none are found there, then the CHAP secrets file is searched. The search proceeds as follows:

VxWorks as an authenticator:.  

When authenticating the peer, PPP looks for a secrets record with a client field that matches the name specified in the CHAP response packet and a server field matching the local name.

VxWorks as a client:.  

When authenticating the VxWorks target to the peer, PPP looks for the secrets record with a client field that matches the local name and a server field that matches the remote name.

PPP provides connect and disconnect hooks for use with user-specific software. Use the pppHookAdd( ) routine to add a connect hook that executes software before initializing and establishing the PPP connection or a disconnect hook that executes software after the PPP connection has been terminated. The pppHookDelete( ) routine deletes connect and disconnect hooks.

The routine pppHookAdd( ) takes three arguments: the unit number, a pointer to the hook routine, and the hook type (PPP_HOOK_CONNECT or PPP_HOOK_DISCONNECT). The routine pppHookDelete( ) takes two arguments: the unit number and the hook type. The hook type distinguishes between the connect hook and disconnect hook routines.

Two arguments are used to call the connect and disconnect hooks: unit, which is the unit number of the PPP connection, and fd, the file descriptor associated with the PPP channel. If the user hook routines return ERROR, then the link is gracefully terminated and an error message is logged.

The code in Example 3-1 demonstrates how to hook the example routines, connectRoutine( ) and disconnectRoutine( ), into the PPP connection establishment mechanism and termination mechanism, respectively.

Example 3-1:  Using Connect and Disconnect Hooks

#include <vxWorks.h> 
#include <pppLib.h> 
 
/* type declarations */ 
 
void             attachRoutine (void); 
STATIC int   connectRoutine(int unit, int fd); 
STATIC int   disconnectRoutine(int unit, int fd); 
 
void attachRoutine (void) 
    { 
    /* add connect hook to unit 0 */ 
    pppHookAdd (0, connectRoutine, PPP_CONNECT_HOOK); 
 
    /* add disconnect hook to unit 0 */ 
    pppHookAdd (0 , disconnectRoutine, PPP_DISCONNECT_HOOK); 
    } 
 
STATIC int connectRoutine 
    ( 
    int     unit, 
    int     fd 
    ) 
 
    { 
    BOOL        connectOk  = FALSE; 
 
    /* user specfic connection code */ 
        { 
        .......... 
        connectOk = TRUE; 
        } 
    if (connectOk) 
        return (OK); 
    else  
        return (ERROR); 
    }

 
STATIC int disconnectRoutine 
    ( 
    int     unit, 
    int     fd 
    ) 
    { 
    BOOL disconnectOk = FALSE; 
    /* user specific code */ 
        { 
        .......... 
        disconnectOk = TRUE; 
        } 
    if (disconnectOk) 
        return (OK); 
    else 
        return (ERROR); 
    }

PPP can be used in two ways in the Tornado environment. The PPP link can serve as an additional network interface apart from the existing default network interface, or it can be the default network interface on the target, causing PPP to serve as a network back end for the target server on the host.

1. To use this option, rebuild the VxWorks image with PPP included. For more information on how to include PPP, see 3.4.5 PPP Configuration.

1. Boot the image from the regular Tornado boot ROM.

1. Start the Tornado target server and launch Tornado.

1. Start the Tornado shell, and invoke usrPPPInit( ) from the shell. You can also use pppInit( ) from an application to configure the PPP link. For more information on these routines, see Initializing a PPP Link.

1. Configure VxWorks with PPP capability. The relevant configuration macro is INCLUDE_PPP. Make new boot ROMs for the target with this configuration. For more information, see 3.4.5 PPP Configuration.

1. Rebuild a new VxWorks image for the target.

1. Configure and start the pppd daemon on the host. For example, on a Sun host using SunOS, the following command can be run to start the daemon:

% pppd passive /dev/ttyb 38400

1. Change the boot configuration parameters to use the PPP link. For example:

[VxWorks Boot}: c 
boot device          : ppp,38400 
processor number     : 0 
host name            : host 
file name            : /usr/wind/target/config/mv177/vxWorks 
inet on ethernet (e) : 90.0.0.165:ffffff00 
host inet (h)        : 90.0.0.5 
gateway inet (g)     : 90.0.0.5 
user (u)             : thardy 
flags (f)            : 0x4 
target name (tn)     : luna 

1. After booting you should see messages similar to the following:

Attaching network interface ppp0... 
ppp0: ppp 2.1.2 started by  
ppp0: Connect: ppp0 <--> /tyCo/1 
ppp0: local  IP address 90.0.0.165 
ppp0: remote IP address 90.0.0.5 
done. 
Attaching network interface lo0... done. 
Loading... 361620 + 70448 + 34350 
Starting at 0x1000...

 
Attaching network interface ppp0... 
ppp0: ppp 2.1.2 started by  
ppp0: Connect: ppp0 <--> /tyCo/1 
ppp0: local  IP address 90.0.0.165 
ppp0: remote IP address 90.0.0.5 
done. 
Attaching network interface lo0... done. 
NFS client support not included. 

 
                 VxWorks  
Copyright 1984-1995  Wind River Systems, Inc. 
            CPU: Motorola MVME177 
        VxWorks: 5.3 
    BSP version: 1.1/0 
  Creation date: Jan 26 1996 
            WDB: Ready. 

You are now ready to start the target server and run Tornado. For more information on starting Tornado refer to the Tornado User's Guide.

The PPP connection is a network back end established on a serial link. When using the PPP link to communicate with the target, all the Tornado tools work in the same way as any other network back end. (See the Tornado User's Guide.)

	CAUTION: System-level debugging is not available when using the PPP link. To perform system-level debugging, use the regular serial back end described in the Tornado User's Guide.

Because of the complex nature of PPP, you may encounter problems using it in conjunction with VxWorks. Give yourself the opportunity to get familiar with running VxWorks configured with PPP by starting out using a default configuration. Additional options for the local peer should be disabled. (These can always be added later.)

Problems with PPP generally occur in either of two areas: when establishing links and when using authentication. The following sections offer checklists for troubleshooting errors that have occurred during these processes. If, however, difficulties using PPP with VxWorks persist, contact the Wind River Systems technical support organization.

The link is the basic operating element of PPP; a proper connection ensures the smooth functioning of PPP, as well as VxWorks. The following steps should help resolve simple problems encountered when establishing a link.

1. Make sure that the serial port is connected properly to the peer. A null modem may be required.

1. Make sure that the serial driver is correctly configured for the default baud rate of 9600, no parity, 8 DATA bits, and 1 STOP bit.

1. Make sure that there are no problems with the serial driver. PPP may not work if there is a hang up in the serial driver.

1. Start the PPP daemon on the peer in the passive mode.

1. Boot the VxWorks target and start the PPP daemon by typing:

% usrPPPInit

If no arguments are supplied, the target configures the default settings. If a timeout error occurs, reconfigure VxWorks with a larger connect delay time. The relevant configuration macro is PPP_CONNECT_DELAY. By default, the delay is set to 15 seconds, which may not be sufficient in some environments.

1. Once the connection is established, add and test additional options.

Authentication is one of the more robust features of PPP for VxWorks. The following steps may help you troubleshoot basic authentication problems.

1. Turn on the debug option for PPP. The relevant configuration macro is PPP_OPT_DEBUG. You can also use the alternative options in Table 3-3. By turning on the debug option, you can witness various stages of authentication.

1. If the VxWorks target has no access to a file system, use pppSecretAdd( )to build the secrets database.

1. Make sure the secrets file is accessible and readable.

1. Make sure the format of the secrets file is correct.

1. PPP uses the MD5 algorithm for CHAP authentication of secrets. If the peer tries to use a different algorithm for CHAP, then the CHAP option should be turned off.

1. Turn off the VJ compression. It can be turned on after you get authentication working.

1:  If your host operating system does not provide PPP facilities, you can use a publicly available implementation. One popular implementation for SunOS 4.1.x (and several other hosts) is the PPP version 2.1.2 implementation provided in the unsupported/ppp-2.1.2 directory. This code is publicly available and is included only as a convenience. This code is not supported by Wind River Systems.

2:  The usrPPPInit( ) routine can specify the unit number as a parameter. If this number is omitted, PPP defaults to 0.