|
|
© 1996 The Santa Cruz Operation, Inc. © 1991-1996 Morning Star Technologies, Inc. All rights reserved.
No part of this publication may be reproduced, transmitted, stored in a retrieval system, nor translated into any human or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without the prior written permission of the copyright owner, The Santa Cruz Operation, Inc., 400 Encinal Street, Santa Cruz, California, 95060, USA. Copyright infringement is a serious matter under the United States and foreign Copyright Laws.
Information in this document is subject to change without notice and does not represent a commitment on the part of The Santa Cruz Operation, Inc.
SCO, the SCO logo, The Santa Cruz Operation, ODT, ODT, Panner, SCO Global Access, SCO MultiView, SCO Visual Tcl, Skunkware, VP/ix, SCO OpenServer, UnixWare, SCO OK, and the SCO OK logo are trademarks or registered trademarks of The Santa Cruz Operation, Inc. in the United States and other countries. Windows Friendly and Wintif are trademarks of IXI Limited. Visionware is a registered trademark of Visionware Limited. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Limited. All other brand or product names are or may be trademarks of, and are used to identify products or services of, their respective owners.
The software that accompanies this publication is commercial computer software and, together with any related documentation, is subject to the restrictions on US Government use as set forth below. If this procurement is for a DOD agency, the following DFAR Restricted Rights Legend applies:
RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of Rights in Technical Data and Computer Software Clause at DFARS 252.227-7013. Contractor/Manufacturer is The Santa Cruz Operation, Inc., 400 Encinal Street, Santa Cruz, CA 95060.
If this procurement is for a civilian government agency, this FAR Restricted Rights Legend applies:
RESTRICTED RIGHTS LEGEND: This computer software is submitted with restricted rights under Government Contract No. _________ (and Subcontract No. ________, if appropriate). It may not be used, reproduced, or disclosed by the Government except as provided in paragraph (g)(3)(i) of FAR Clause 52.227-14 alt III or as otherwise expressly stated in the contract. Contractor/Manufacturer is The Santa Cruz Operation, Inc., 400 Encinal Street, Santa Cruz, CA 95060.
The copyrighted software that accompanies this publication is licensed to the End User only for use in strict accordance with the End User License Agreement, which should be read carefully before commencing use of the software.
Document Version: 1.1
11 October 1996
This section on serial connections includes information about types of transmission, proper cabling between serial ports, and modem configuration. The information is general and the MST PPP manual is not a substitute for specific instructions that were provided with your system and/or the modem you plan to use for dialup communications. The system and modem manuals should take precedence if you have any questions about configuration and equipment.
However, where possible, we have supplied advice derived from our testing of
MST PPP on many types of equipment and operating systems.
Synchronous transmission requires two perfectly matched external clocks. Each end of the connection times the transmission elements by its own clock. For example, each end agrees that a new message will contain a certain number of elements that will begin at a prearranged interval. Therefore, if the ends agree that new messages will begin every five seconds, the receiving end knows that each element it receives at five, ten, fifteen, and twenty seconds will be the start of a new message. The drawback to synchronous transmission is the necessity to keep the clocks at each end in sync with each other.
Asynchronous transmission does utilize timing, so it is not
unsynchronous, but the timing is continuously reset using elements of
the data transmitted. Through negotiations, each end agrees that a particular
message will signal the start of a transmission. As in synchronous
transmission, each message that is not a "start" message contains a
certain number of elements, delivered at a prearranged interval. The difference
is that a "start" message controls the timing, not two clocks which
must be kept in sync. Timing begins when a "start" message is
received. This prevents the decay of local and remote synchronization over time.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The table below shows typical null-modem pin connections between two DB-25 ports. Please read the system-specific information under Configuring Serial Ports if you have a system which provides a MiniDIN-8 serial port connector. More information about null-modem connections for MiniDIN-8 connectors appears there.
|
Pin |
Pin |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
See "Supported modems" in Chapter 7 of SCO Internet FastStart for a list of supported modems.
This section discusses, generally, a few features of modem performance and configuration. Beyond speed of transmission, these features include error correction, data compression, flow control, command mode, and S registers.
/usr/include/sys/termio.h.
This allows you to receive the maximum advantage of the modem's data compression capability.
Run the serial port at its maximum speed to gain the most benefit from in-modem data compression. Usually this is 115200 BPS. Some modem's data compression adds significant latency to data throughput, adversely affecting interactive responsiveness between local and remote users. Experiment with your modem and the type of data you transmit to find the best configuration.
MST PPP supports several other kinds of compression that work at different
layers of the communications stack. For more information on the following types
of compression supported by MST PPP, see the MST_PPP manual pages.
Error correction verifies data that has traveled across the communications connection. Noisy lines destroy data in transmission, especially when the transmission is high speed. Depending on the protocol, bits, bytes or packets are subjected to some form cyclical redundancy check to ensure the integrity of the received data. The connection's receiving end informs the transmitting end when the data has been damaged. The protocol used determines whether just the corrupted data, or all data sent since the error was discovered, is transmitted again. MNP 4 and later protocols can also respond to poor transmission quality by causing the data to be shipped in smaller packets, increasing the number of checks and decreasing the amount of data corrupted by line bursts.
Flow control can be provided by system software or modem hardware. Although the MST PPP daemon's default status is no flow control, you should use one of the two types if your system supports flow control. Given the option, choose hardware flow control.
Hardware flow control is managed by the Request To Send (RTS) and Clear To Send (CTS) signals. If you use hardware control, make sure a connecting cable carries both signals. Indicate to MST PPP that you wish to use hardware flow control by adding the option rtscts to the pppd command line. Some operating systems require using a special tty device to enable hardware flow control. Use the option xonxoff to choose software flow control. Another method for choosing flow control is to specify rtscts or xonxoff in the Devices file.
If you configure for software control, make sure both ends of the PPP connection have the 0x000A0000 bits turned on in their Async Control Character Maps. This is the default for MST PPP. A computer and modem using software flow control can talk to a computer and modem using hardware flow control, but both ends must have the asyncmap set to accommodate software flow control.
Commands |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
There are 256 possible S registers, although some are reserved and many are not used at all. Each manufacturer has a proprietary license to use S registers as it likes, but some registers are fairly consistent. Some are shown in the table below, although there is no guarantee they will match your modem's settings. The best advice is to review your system or modem documentation to determine the meanings and values of your modem's S registers.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Since your modems will likely be used for purposes besides PPP (such as UUCP or interactive users), it's best to set their default parameters to accommodate dial-in applications and have outgoing UUCP or PPP dialers change them if necessary. The PPP-specific register settings in Dialers or Dialers.local ensure that an otherwise general-purpose modem will work as well as possible with MST PPP, for the duration of the PPP session.
In the next section, you will find some suggestions for Telebit modem settings which have worked well during Morning Star's testing procedures. The examples here show the complete register settings for a Telebit T1600 and a description of what the settings accomplish. Following this information are some command strings which will provide the proper register settings for Telebit's T1600, Qblazer, and T3000 modems. Most modems should provide equivalent settings. Check your user guide for help in composing the command string for similar settings.
T1600: at &f s0=1s7=120s48=1s51=6s58=2s59=15s61=0s63=2tq2x12&c1&d3&s1 &w
The commands produced the following list of settings for the Telebit T1600. The list is the output from the command AT&V.
T3000: at &f9 s0=1s7=120s48=1s51=6s58=2s59=15s61=0s63=1tq2x12&c1&d3&s1 &w
Qblazer: at &f s0=1s7=120s48=1s51=6s58=2s59=15s61=0s63=2tq0x4&c1&d3&s1 &w
S000:1 S001=0 S002=43 S003=13 S004=10 S005=8 S006=2 S007:120
at&v
The table below shows the features and S register values set by the T1600
commands. Many of these settings, particularly the S registers, only apply to
Telebit modems. However, your own modem will likely respond to a different
command or register value in the same way the T1600 does to these. Use your
modem's command set and register semantics to set features like RTS/CTS
hardware flow control. Refer to
Dialers
for descriptions of several more modem configurations.
T1600 - Version LA1.00 -Active Configuration
B1 E1 L0 M0 Q2 T V1 X12 Y0
&C1 &D3 &G0 &J0 &L0 &Q0 &R3 &S1 &T4 &X0
S008=2 S009=6 S010=14 S011=70 S012=50 S018=0 S025=5 S026=1
S038=0 S041=0 S045=0 S046=0 S047=4 S048:1 S050=0 S051:6
S056=17 S057=19 S058:2 S059:15 S060=0 S061:0 S062=15 S063:2
S064=0 S068=255 S069=0 S090=0 S093=8 S094=1 S100=0 S102=0
S104=0 S105=1 S111=255 S112=1 S180=2 S181=1 S183=25 S190=1
S253=10 S254=255 S255=255 OK
or setting |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Possible link protocol suffixes: nothing, REL, or LAPM Possible compression suffixes: nothing or COMP |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
RFC 1144 "VJ" TCP header compression reduces the packet header size by transmitting only the header segments that change from one packet to the next. TCP and IP header overhead is reduced from over 40 octets to as few as 4. TCP header compression has a dramatic effect on interactive responsiveness over low-speed links, because it reduces a typical single-character telnet or rlogin packet from over 40 octets to 5 or 6 octets. It has a much smaller effect on batch data throughput, like X bitmap displays, or FTP or rcp file transfers. That sort of data flows in much larger packets. Reducing frame size from 1500 to 1460 octets produces a much smaller percentage improvement than a reduction from 45 to 5 octets.
The option vjslots followed by a numerical value between 3 and 256 sets the number of compression slots for Van Jacobson compression. The default is 16 slots.
TCP header compression is enabled by default on async PPP and SLIP links, and disabled by default on synchronous PPP links.
If you use MST PPP over an interface like MSTs SnapLink, connecting in synchronous mode at T1 speeds to another host or router using port 0 and emulating SCSI disk device 2 on its own SnapLink, use a /usr/lib/mstppp/Systems entry like this:
hostname Any;5 rsd2a/0 1536000
The Devices entry looks like this:
Direct rsd2a/0 1536000
If there is a fatal disconnect, through LQM failures or loss of the Carrier Detect signal, pppd closes the device and consults the Systems file to find another entry matching the peer's name on the pppd command line. If no additional entries exist, then pppd waits for the call retry delay to pass and tries the original connection again. Normally, no getty or login process is run on a dedicated line device and both ends of the circuit actively try to connect to their peer. Each machine's Autostart script should contain aline like:
pppd local:remote auto dedicated
The Systems file should specify a device name like tty1a in the "device" field. "ACU" (for Any Call Unit) should not be used. For example:
remote Any tty1A 38400 0
The Devices file should contain a line like:
Direct tty1a 38400 rtscts
The Dialers file is not consulted when "Direct" is found in the "dialer" field of the Devices file.. See the discussion below regarding line failovers and using an auto-dial modem as a backup link.
remote Any ACU 19200 5551212 in:--in: pppback word: password
You also need an entry in the Devices file that accesses a device
the modem is attached to. Instead of using "Direct" in the "dialer" field,
substitute a dialer entry for your modem. For example:
USR-SPORTSTER tty1A 19200 rtscts
In this example, the Dialers file would have a "USR-SPORTSTER" dialer entry to use to dial out. The modem would be attached to a serial port which is accessed through device "tty1A" with a DTE speed of 19200.
MST PPP has been tested successfully with several other PPP implementations, routers and terminal servers, including those shown in the alphabetical list below. MST PPP also runs successfully in SLIP mode with SLIP implementations in several types of terminal servers, PCs, LAN probes, Macintoshes, and other workstations
Following the list is configuration information which may be useful if your users connect to systems using some of these applications or hardware. The first section on configuration deals exclusively with Telebit( NetBlazer hubs, the second with PPP implementations, and the third with routers.
Telebit's NetBlazer software, version 1.41x11, has been successfully tested with MST PPP. Try this adjustment if your NetBlazer runs an earlier release: put novjcomp on the pppd command line.
This extensive information about Telebit NetBlazer software provides insight into workstation and hub configurations for inbound and outbound connections between UNIX stations and NetBlazer hubs.
This configuration can occur when several remote workstations dial into a NetBlazer serving as a hub for a LAN, or when connecting a remote workstation or LAN to the Internet through an IP connectivity vendor's NetBlazer point of presence (POP). The NetBlazer may be set up as if the UNIX machine were just another remote "dynamic-interface" NetBlazer, using the PPP encapsulation protocol in "packet mode".
This arrangement works if a hub NetBlazer needs to connect to several remote workstations on demand.
#For a UNIX system running Morning Star Technologies PPP
#no crypto challenge/response, longer timeouts, short
#expect strings login shell script must 'echo Packet mode
#enabled' before 'exec pppd'
:unix
e1,20,30,2,in:
u2,5,100,3 s3,5,100,4,\r
e4,10,30,5,word:
o99,Packet mode enabled
p5,5,100,6
s6,5,100,7,\r
e7,20,30,99,Packet mode enabled
o32,in:
s30,5,100,31,\r\r
e31,20,100,32,in:
u32,5,100,33 s33,5,100,34,\r
e34,10,100,35,word:
o99,Packet mode enabled
p35,5,100,36
s36,5,100,37,\r
e37,20,100,99,Packet mode enabled
o100,in:
r99,0
r100,1
#
The following changes must be made to a UNIX system running MST PPP to accommodate inbound calls from a NetBlazer:
Se1A:234:respawn:/etc/getty tty1A -t60 6
#!/bin/sh
PATH=/usr/lib/mstppp:/usr/bin:/etc:/bin
mesg n
stty -tostop
echo Packet mode enabled
exec pppd 'hostname': idle 130 rtscts
# chmod 755 /usr/lib/mstppp/Login-netblazer
If the NetBlazer hangs up, it might be receiving too much text from the UNIX system before it sees the 'Packet Mode Enabled' welcome message. Keep that 'user' from seeing the /etc/motd by entering the command shown below where netblazer-login is the name of the NetBlazer's entry in the UNIX system's passwd database:
# touch ˜netblazer-login/.hushlogin
Several PPP implementations for UNIX systems are freely available, though not in the public domain. Many are based on work by Drew Perkins, Greg Clements, Karl Fox, Greg Christy, and other maintainers and contributors. They seem to share a common bug, as discussed in the section on Link Quality Monitoring above:
This section includes information about preparing a UNIX system for an inbound DOS PC and vice versa.
FTP Software's PC/TCP PPP (PC-227) versions 2.10 and 2.11 interoperate with MST PPP with some adjustments.
FTP Software's PC/TCP PPP version 2.05 requires these adjustments to interoperate with MST PPP:
Configure the PC as described in FTP Software's manual. No special arrangements are required to talk to a UNIX system running Morning Star PPP.
The Hewlett-Packard( HP( 4995A LanProbe II/Ethernet SLIP implementation interoperates with MST PPP running the SLIP option if you make this adjustment:
KA9Q NOS PPP for MS-DOS( interoperates with MST PPP with this adjustment:
The PPP implementation included with SCO( TCP/IP version 1.2, which is also part of SCO Open Desktop( 2.0, interoperates with MST PPP with this adjustment:
SCO Open Desktop 3.0 with TCP/IP 1.2.1 solves the above problem. However, different adjustments must still be made:
MST PPP interoperates with the Livingston Portmaster 2e terminal serverdial-up router. Use no special measures for the UNIX system to dial into the Portmaster. Portmaster's Login script for dialing into the UNIX system should resemble this:
#!/bin/sh
PATH=/usr/bin:/usr/etc:/usr/ucb:/usr/bsd:/etc:/bin
mesg n
stty -tostop
echo PPP
exec pppd 'hostname': idle 300 rtscts
MST PPP interoperates with Network Application Technology's LANB-820 router.
MST PPP Interoperates with version 4.1 of Novell's Lan WorkPlace for DOS.
MST PPP interoperates with the Proteon cnx500 router, if the cnx500 is running software load 'V12.0c [PPP fix]', 12.1, or release 13.
MST PPP interoperates with the Xylogics Annex-3 communications server running v7.0.10beta of the Annex firmware.
MST PPP interoperates with Xyplex terminal servers running PPP.
The MST PPP daemon has nine sets of configuration options for fine-tuning PPP communications. The sets include over eighty different selections that affect daemon management, communications, link management, Internet Protocol, authentication, encryption, compression, logging and signaling. pppd running on most links is basic, defined by a handful of options, but the number of ways configuration can be tweaked means each daemon can be remarkably different, or merely personalized by a minor change of options.
This section addresses some of the more common, yet useful, options and reasons you might add them to the pppd command line. Most, like the active, passive, and idle timer options, control some aspect of link management. One important pppd option, filter, is discussed at length in the section on security later in the manual. Beyond this discussion of options for link management are short sections on synchronous PPP connections, MST PPP-supported compression options, and IP address assignment.
This is an example of the pppd command line for outbound passive connections:
pppd hostname:peer
auto passive
#!/bin/sh
PATH=/usr/lib/mstppp:/usr/bin:/etc:/bin
PPPHOME=/usr/lib/mstppp
export PPPHOME PATH
mesg n
stty -tostop
exec pppd 'hostname': idle 130 rtscts exec $PPPHOME/Exec
#!/bin/sh
case "$1" in
up) echo link is up at 'date' > /dev/console ;
/usr/lib/sendmail -q < /dev/null ;;
down) echo link is down at 'date' > /dev/console ;;
esac
However, SLIP provides few of the PPP protocol's advanced facilities. Pppd invoked with the SLIP option cannot provide the following:
Unlike PPP, SLIP cannot perform IPCP negotiations. Therefore, a SLIP connection cannot be assigned an address by a peer at connection time. PPP can use tilde (~) in the pppd command line for this purpose. To obtain a similar "feature" a remote side SLIP connection must provide the IP address during the connection process and a new local address must be obtained using the /usr/lib/mstppp/Systems file "\A" chat script feature.
The /usr/bin/mstppp/Login script can tell the peer its address textually, just before invoking pppd, if you include something like this in the script:
#!/bin/sh
localaddr=`calculate`
peeraddr=`calculate`
echo my address is $localaddr and your address is $peeraddr
exec pppd $localaddr:$peeraddr slip idle 120 rtscts...
The incoming peer is responsible for parsing the "my address is" line, and doing something sensible with the addresses it finds there.
koko
When LQM is invoked, pppd requests that the other end of the connection send Link Quality Report (LQR) packets back to the pppd . If the link goes down or is degraded, many, or all, of the LQR packets will be lost. This also indicates that data packets have been lost and the connection is too bad to warrant continued traffic. pppd counts the arriving LQRs, and if too many have been lost, pppd closes the connection. Link Quality Monitoring packets do not count against an idle line disconnection timer, since they are part of the Point-to-Point Protocol rather than user data.
lqrinterval 5 lqthreshold 1/12
Or, you can demand that no more than one LQR be lost each minute by specifying:
lqrinterval 5 lqthreshold 11/12
pppd
will discover line failures more quickly if you decrease the lqrinterval because LQR's will arrive more frequentl. However, sending more LQR's, increases monitoring traffic, slowing down the transfer of user data. So you should remember to also consider raising the lqthreshold. If the lqthreshold is
lqthreshold 5/6', no more than one LQR can be dropped per minute. If two LQRs in a row are dropped, pppd shuts down the line.
5/7-13:45:27-1514 LQM: Pkt: 1/1 Oct: 53/53 LQRs: 5/5
This means that, during the last testing interval, this system transmitted one packet and received one packet. 53 octets crossed the link in each direction. And this system has received responses to all five of the most recent five Link Quality Report s it sent. The LQR packet is 36 octets long, and the default lqrinterval of ten seconds will cause the additional traffic to be unnoticed on most connections. However, if the application is very sensitive to speed and requires absolutely every bit of available line bandwidth, use the nolqm argument to disable Link Quality Monitoring.
The examples below describe how to establish static routes when the machines boot. This is cumbersome, because any topology change requires that all machines even remotely involved must be reconfigured by editing their boot-time shell scripts. An alternative to static routes would be to use some automated system for updating all the hosts routing tables. This is usually implemented as a daemon running on all the hosts involved. Many networks use the RIP protocol and run in.routed on their UNIX systems. If you use in.routed to propagate routing information, you'll need to create a file called /etc/gateways (as described in routed(8)) on the system running pppd, and specify the PPP link as leading to a passive gateway.
Some sites prefer other routing protocols, and they use the Gate Daemon instead. If you use gated , you should invoke pppd with the netmask argument set to the same value as used on the LAN, if that subnet mask is different from the default for the class of your network.
Designate subnet 6 for remote machines. Assign nomad the IP address 134.19.6.17. The MST PPP daemon on nomad would be started in the PPPHOME/Autostart script.
pppd 134.19.6.17:134.19.5.22 auto idle 180
or, if all the names can be found in the local /etc/hosts (or resolved via NIS/YP, NetInfo, the Domain Name Service, or some other mechanism without first needing to bring up the PPP link), it could look like
pppd nomad:alpha auto idle 180
The next line in nomad's $PPPHOME/Autostart would set up an IP route through the dial-in gateway:
route add net 134.19.0.0 134.19.5.22 1
Alternatively, and necessarily if the LAN were also connected to the Internet:
route add default alpha 1
Similarly, the PPP daemon on alpha would be started as:
pppd alpha:nomad auto idle 180
bravo's /etc/rc2.d/P88USRDEFINE would contain a line like:
route add net 134.19.6.0 alpha 1
#Proxy ARP table for proxyarpd
#Service provided for hosts on 134.19.5.0 that do not understand
#internet subnetting.
#
#Fields are:
#1)interface to service (same as on command line)
#2)net to tell attached hosts that we "are"
#3)host on net 1) to send traffic to (gateway)
#
le0 134.19.6.0 134.19.5.22
Assign nomad the IP address 134.19.5.114. The MST PPP daemon on nomad would be started in the $PPPHOME/Autostart script.
pppd 134.19.5.114:134.19.5.22 auto idle 180
or, if all the names can be found in the local /etc/hosts:
pppd nomad:alpha auto idle 180
The next line in nomad's $PPPHOME/Autostart would set up an IP route through the dial-in gateway:
route add net 134.19.0.0 134.19.5.22 1
Alternatively, and necessarily if the LAN were also connected to the Internet:
route add default alpha
Similarly, the PPP daemon on alpha would be started as:
pppd alpha:nomad auto idle 180
Alpha's /etc/rc2.d/S89mstppp would contain a line like:
arp -s nomad `ifconfig le0 | sed -n "/ether/s/ether//gp"` pub
(If your system's Ethernet interface is named something other than `le0', use that name instead.) This would add a permanent entry to alpha's ARP table, and cause it to be provided to other systems on the local Ethernet. Any time a host on that LAN tries to find the Ethernet address corresponding to nomad's IP address, the request will be answered with instructions to forward the packets to alpha. Since nomad appears to be directly connected to the LAN, no hosts on the LAN, nor on any other IP-connected network, would require routing table modifications.
gate-b's PPP daemon should be started as:
pppd gate-b:gate-a auto idle 130
and gate-b should have a route like:
route add net 192.9.200.0 gate-a
ws-b should have a route like:
route add net 192.9.200.0 gate-b
Similarly, gate-a's PPP daemon should be started as:
pppd gate-a:gate-b auto idle 130
and gate-a should have a route like:
route add net 134.19.14.0 gate-b
or, depending upon the structure of LAN b, maybe:
route add net 134.19.0.0 gate-b
ws-a should have a route like:
route add net 134.19.14.0 gate-a
or, again depending upon the structure of LAN b, perhaps:
route add net 134.19.0.0 gate-a
pppd hotel:pop.foo.net auto idle 240
and would arrange a route as:
route add default pop.foo.net 1
Any hosts on the LAN `behind' hotel would set a route like:
route add default hotel 1
A machine's default route should point to the next machine along its path "outward " to the Internet. If hotel were a remote machine dialing into one machine in a complex corporate intranet, its default route should point to that hub machine, expecting that the hub will deal with the issues of routing hotel's packets to their destination, whether on the LAN or elsewhere on the corporate intranet or onto the Internet.
Autostart starts pppd's for on-demand outbound calls. Login is used for inbound ppp calls. The following files are used for outbound ppp calls:
Before opening the business, the owner assesses the company's communication needs. Obviously, its telecommunications system must support on-demand communications and inbound and outbound calling. The list of communications needs includes:
|
|
|
|
Could also need a dedicated line for security alarm |
Could also handle a dedicated, or Direct connection
|
|
|
|
|
|
|
|
|
|
Of course, the contemporary business could have many other communications needs, such as voice mail, fax machines, Internet service, etc. But those listed in the table are, at least, supportive of outbound, dialed connections. Hopefully they help illustrate the way the Systems, Devices, and Dialers files support on-demand, outbound PPP connections.
If you follow the steps outlined below, substituting names and addresses for your own local and remote machines, you will be able to test a simple PPP connection. These procedures are not comprehensive and contain minimal instructions about such things as setting up a packet filter for security. This, and configuration of other important PPP options, such as Link Management, Data Compression and Authentication, are explained elsewhere, and the manual pages in the appendix contain details on incorporating those features, and more, in your PPP configuration.
1. Autostart starts the daeomn for an on-demand connection from robin to lark.
2. If IP traffic is initiatied to lark, pppd will dial out to lark as follows:
3.
pppd searches the lines of the Systems file looking for an entry in the name field which matches lark's hostname or IP address.
4. When the match of a hostname or IP address is made, the Systems speed field provides an index to an entry in the Devices file with a matching speed.
5. The dialer field in Devices provides an index to an entry in the Dialers file.
6. Lark's phone number is dialed.
7. Robin's chat script (in the Systems file), sends robin's login name and password to lark.
8. Lark verifies robin's password by comparing it to the entry in the /etc/passwd file.
9. If the login is successful, /usr/lib/mstppp/Login-robin is run.
10. /usr/lib/mstppp/Login-robin will start pppd on lark, which
will comunicate with pppd on robin to negotiate and establish a
PPP connection.
When robin is booted a PPP daemon will be started for the outbond link to lark. There is no example /usr/lib/mstppp/Autostart file; you must create it. It contains the one line necessary to start pppd. In our example, here's what we would put in Autostart:
pppd robin:lark auto idle 150
The pppd started here has this connection configuration:
Add this line to robin's /usr/lib/mstppp/Systems file:
199.199.199.2 Any ACU 38400 5551212 "" \r\d in:--in: \dprobin word: \qpassword
This provides the following configuration for robin's connection to lark:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
T1600 tty1A 38400 rtscts
This line provides this configuration for robin's connection to lark:
T1600 ABORT NO\sCARRIER ABORT NO\sDIALTONE ABORT BUSY \
ABORT RRING\r\n\r\nRRING\r\n\r\nRRING ABORT ERROR \
TIMEOUT 5 "" AT OK-AT-OK ATS111=0DT\T TIMEOUT 60 CONNECT
This elaborate dialer string will cause pppd to abort the connection attempt if any of several things go wrong with the telephone call, then will disable UUCP spoofing in the modem before dialing the destination telephone number. Look through the Dialers file for modem entries for your type of modem. If none are defined, use the dialer entry "GENERIC".
Probin::105:42:Robin's PPP login:/usr/lib/mstppp:/usr/lib/mstppp/Login-robin
# passwd Probin
New password: some password
Retype new password: some password
#
The '105' in the password entry is a unique user ID (uid) for this PPP login. The '42' is the group ID (gid) associated with the 'ppp' group in lark's /etc/group file.
Robin's PPP user's login shell script can be located anywhere and named whatever you choose. For purposes of this illustration, the login script will be /usr/lib/mstppp/Login-robin. Look carefully at the last line in the sample script shown below before you create the file and manually add the lines. Notice that the word 'hostname' is surrounded by backquotes, not regular quotes or apostrophes. `hostname`, with the backquotes, tells the system to insert the output of the command hostname in this space in the pppd command line. We recommend that you make sure backquotes are used by copying this script from /usr/lib/mstppp/Examples/Login.ex, rather than inserting them manually.
#!/bin/sh
# PPP login shell example for SystemV Unix
PATH=/usr/bin:/usr/lib/mstppp:/etc:/bin
PPPHOME=/usr/lib/mstppp
export PATH PPPHOME
mesg n
stty -tostop
exec pppd `hostname`:robin idle 150 rtscts
hostname will return lark, the current machine and robin is the peer. The idle timer is set to 150 seconds and pppd will use hardware flow control.
Following the creation of the shell script, make sure the script is executable with the following command:
# chmod 755 /usr/lib/mstppp/Login-robin
Lark's PPP daemon should be mode 4750, meaning it is suid root and executable by members of its group, but not by general users. Perform this test to find out if this is true:
# ls -l /usr/lib/mstppp/pppd
The results should look something like this:
-rwsr-x--- 1 root ppp 338527 Oct 2 07:37 /usr/lib/mstppp/pppd
If not, use chmod and chown to change mode and ownership as follows:
# chmod 4750 /usr/lib/mstppp/pppd
# chown root:ppp /usr/lib/mstppp/pppd
The PPP configuration is now complete. Follow these steps to test the outbound connection from robin to lark.
# more /usr/adm/pppd.log
8/4-14:14:43-14902 Morning Star Technologies PPP
8/4-14:14:43-14902 Version 2.0
8/4-14:14:43-14902 du0: pppd robin:lark auto idle 150
# telnet lark
Trying lark...
Pause
Connected to lark.
Escape character is '^]'.
(Operating system) (lark) (ttyp3)
lark login: ^Dconnection closed by foreign host.
The log file will be appended to and will show how the link was initiated:
8/4-14:14:53-14902 tcp 137.175.2.11/1204-> 131.187.1.131 \
telnet 40 syn bringup
8/4-14:14:54-14902 Dialing lark (cua 38400 5551212 T1600)
8/4-14:15:23-14902 PPP connected to 131.187.1.131
This log file snippet shows that the telnet session to lark caused the link to be initiated.
MST PPP is installed, configured, running and connected on both ends of our links. When the link is up, users should be able to access each peer machine using any TCP/IP application such as telnet, ftp, etc.
If either machine is connected to a local area network, you can set up IP routing on the two networks so that hosts on either network can communicate with hosts on the other, using machines on the ends of the PPP links as routers. Routing is discussed in later sections.
In most cases, all inbound PPP logins can use the same generic Login script. But if you want a host to start pppd with a special option like "require authentication", make that login account use a specific login shell tailored to that host. Call it /usr/lib/mstppp/Login-host, for example, and change the pppd line to reflect whatever options you wish to have:
exec pppd `hostname`:robin idle 130 rtscts requireauth
Note: A filter file is not necessary for pppd operation. It is only discussed here as an example on how you might use the Filter file.
The MST PPP Filter file specifies the ways in which static packet filtering handles outbound and inbound TCP packets. Though the filtering can be very complex if desired, a simple filter will suffice for demonstration purposes between robin and lark.
An example other than the one shown below is in /usr/lib/mstppp/Examples/Filter.ex and a lengthy explanation of static packet filtering is included in this manual.
Here is the Filter file to use for testing the robin-lark link:
default bringup !ntp !3/icmp !who
keepup !send !ntp !3/icmp !who
pass !route
log !nntp tcp/syn /recv
This filter says to:
Network Time Protocol packets ICMP Network Unreachable messages packets from the in.rwhod daemon |
(!3/icmp) (!who) |
and those that will not bringup the connection |
(!ntp) (!3/icmp) (!who) |
|
|
except for NNTP connections |
(!nntp) |
In both Systems and Devices, pppd selects the first line that matches its search criteria. If the connection attempt fails while using the method described by that line, pppd will search for the next matching line. Pppd will report a failure only when all the criteria-matching lines have been tried and exhausted.
For example, suppose two lines in Systems differed only by the values in the telephone number field like this:
lark Any;50 ACU 38400 5551212 in:--in: Probin word: mypasswd
lark Any;50 ACU 38400 5551223 in:--in: Probin word: mypasswd
Pppd would first try to connect by dialing 5551212. If pppd received a BUSY from the modem, it would dial the second number, 5551223.
Similarly, suppose a host has two different modems attached which can be used for outbound calls. The Devices entries might look like this:
T3000 tty1A 38400 rtscts
USRv32bis tty1B 38400 rtscts
Pppd would try to call out through /dev/tty1A. But suppose it's busy because an incoming UUCP connection is on /dev/tty1B. pppd will try /dev/tty1B instead.
If an IP address is input on the pppd command line, the address is offered during IPCP negotiations. However, at connection time, some terminal servers and other peers wish to assign an address for the host running MST PPP to use for the duration of the connection. Instruct MST PPP to allow assignment of an address that's different from the one on the pppd command line, by including a line like the following:
pppd `hostname`:192.0.2.5 auto idle 300
Because SLIP does not perform any IPCP negotiations, the tilde option will not function. See Common pppd Options for more information.
When an answering pppd is invoked in Login, it is told a pair of IP addresses on the command line. In the Login script, use any means to decide what IP addresses are put on the command line. Have them looked up in a file or a database, calculated algorithmically based on the incoming connection's username or other distinguishing feature, or invoke a program to ask a BOOTP server. The pppd command line arguments provide the mechanism; your Login script provides the policy.
#!/bin/sh
TTY=`tty`
case $TTY in
/dev/tty1)
IP=192.0.2.1
;;
/dev/tty2)
IP=192.0.2.2
;;
esac
exec pppd `hostname`:$IP idle 300 rtscts
#!/bin/sh
TTY=`/bin/basename \`/bin/tty\``
exec pppd `hostname`:$TTY idle 300 rtscts
It's impractical to impose thorough security policies on each internal host of the networks linked by an MST PPP connection. But MST PPP's strong security features support a variety of techniques that strengthen your network's ability to prevent loss.
In most cases, a single connection can be supported by more than one of MST PPP's security features. For example, a connection might use the following:
Morning Star Technologies' flexible filter-writing mechanism will also support your policy as you create your filter. Our philosophy is to provide a mechanism that won't force policy changes for the sake of writing acceptable rules.
The first strategy permits a few specific services and blocks everything else. If you follow this philosophy, a service will be unavailable if you commit an error of omission. This is a fail-safe, or closed, policy.
The second strategy blocks only specific services and permits everything else. If you begin from this premise, an error of omission may leave you unintentionally vulnerable when a fragile service is not blocked.
If you need aid in developing security policies, or would like more general information about network security and packet filtering, we recommend you begin by reading two books, "Firewalls and Internet Security " by Bill Cheswick and Steve Bellovin and "Building Internet Firewalls" by Brent Chapman and Elizabeth Zwicky.
A filter file contains rulesets for filtering packets. Each ruleset begins with one of the following:
Rulesets are designed on a per-connecting-host basis rather than a per-interface basis. This provides support for devices acting as PPP or SLIP routing hubs. A hub workstation allows multiple hosts to establish IP connections and may support multiple hosts establishing connections at different times on the same interface.
If a hub supports different classes of users, MST PPP filters allow you to define different access policies for each group. A single hub workstation may support all of the following PPP/SLIP connections, each defined by a different ruleset:
Default rulesets are permitted. They simplify configuration when a single machine supports similar multiple hosts/connections which can be controlled by the same security policy.
The order in which rulesets appear is important. Default rulesets should appear early in the file because, after they are parsed, the parser continues searching for more matching rulesets. However, when addresses or hostnames in packets and rulesets match, the packet is processed and the parser stops its search.
When a match is found and the `non-default' ruleset is processed, its individual filters replace any default filters "remembered" from earlier in the file. This means that packet filtering may behave differently if thedefault' rule appears early or late in the file.
A ruleset is made up of one to four filters which regulate the response to a packet. The filter's actions are defined by its initial keyword. Each type of filter may be used one time per connection. This table explains the keywords, the types of packets affected by the filters, and the filter's actions:
|
|
|
|
|
|
|
dialup |
|
|
|
|
|
|
|
Filters defined in a ruleset replace any previous default definition for that filter. Defined filters are not additive with a default filter. If one of the keyword filters does not appear in a ruleset, that filter is defined by its the most recently parsed default ruleset. If there is no previous default ruleset, the implicit default is `all', except for the log filter, which defaults to ` !all'.
Each filter is composed of a filter name followed by one or more stanzas (i.e., rules). Each packet passing through the interface is compared to the rules in the stanzas until a match is found, completing the filter operation. The ordering of the stanzas is therefore extremely important. Packets may match on many types of values, including:
A stanza optionally begins with the negation operator, the exclamation mark (!). The mark is followed by one or more values and keywords, each separated by a slash (/). These value and keyword combinations create a specification for a packet.
An exclamation mark is a powerful specification in any filter rule. If an exclamation mark is placed at the beginning of a rule, it negates the action of the stanza's keyword. For example, compare the defaults for the Pass and Log filters:
Pass
all
Log
!all
The specification for Pass, and the lack of an exclamation mark, indicates the default is to pass all packets. On the other hand, the `!all' default designation for Log means no packets are logged.
MST does not provide a filter keyword for matching the version,
IHL, TOS, length, ID, TTL or checksum header fields.
In general, it is not a good idea to block all inbound or outbound ICMP messages because ICMP messages are an important way that status information is conveyed over an IP network. For instance, blocking ICMP Source Quench messages (Type 4), used to tell a packet source to slow down, can cause problems for other users and sites.
It is true that you should probably not permit ICMP Redirect messages (Type 5) to pass through your router since the routing on an internal node should not be changed by an external site.
If you want to block ping from being used for host discovery, then you should block inbound ICMP Echo packets (Type 8).
MST does not provide a method for filtering on TCP options, the presence of URG/EOM bits in the TCP options, or other TCP header fields.
Establishing a TCP connection requires synchronization. Each side must send it's own initial sequence nu