IPPPD(8)                  Linux System Administration                 IPPPD(8)

NAME

       ipppd - (ISDN) Point to Point Protocol daemon

SYNOPSIS

       /usr/sbin/ipppd [ options ] [ device ]

DESCRIPTION

       The Point-to-Point Protocol (PPP) provides a method for transmitting
       datagrams over serial point-to-point links.  PPP is composed of three
       parts: a method for encapsulating datagrams over serial links, an
       extensible Link Control Protocol (LCP), and a family of Network Control
       Protocols (NCP) for establishing and configuring different
       network-layer protocols.

       The encapsulation scheme is provided by driver code in the kernel.
       ipppd provides the basic LCP, authentication support, and an NCP for
       establishing and configuring the Internet Protocol (IP) (called the IP
       Control Protocol, IPCP).

NOTES for (ISDN) IPPPD

       This special (ISDN) PPP daemon is a modified version of pppd and
       provides synchronous PPP for ISDN connections.

       If you need asynchronous PPP over ISDN lines, use pppd instead with
       the ISDN character devices, see ttyI(4).

       The ipppd can handle multiple devices.  This is necessary to link
       several connections together into one bundle.  ipppd should be
       started once.  It opens the devices and waits for connections.  If a
       connection is closed, ipppd reopens the device automatically (the
       device, that's it ... not the link to the remote).  So you shouldn't
       kill the ipppd to close a link.  Instead, trigger a hangup on the
       netdevice layer with 'isdnctrl hangup <device>'.

       The facility to configure the daemon via the file
       /etc/ppp/ioptions.<devname> is disabled.  The 'file' option or the
       command line may be used for individual configuration.

       Do not set the permissions of the program to 'setuid to root on
       execution'.  Call the daemon as root instead.  No common user should
       have the need to call the daemon!

OPTIONS

       <device>
              Communicate over the named device.  The string "/dev/" is
              prepended if necessary.  If no device name is given, or if the
              name of the controlling terminal is given, ipppd will use the
              controlling terminal, and will not fork to put itself in the
              background.

       <local_IP_address>:<remote_IP_address>
              Set the local and/or remote interface IP addresses.  Either one
              may be omitted.  The IP addresses can be specified with a host
              name or in decimal dot notation (e.g. 150.234.56.78).  The
              default local address is the (first) IP address of the system
              (unless the noipdefault option is given).  The remote address
              will be obtained from the peer if not specified in any option.
              Thus, in simple cases, this option is not required.  If a local
              and/or remote IP address is specified with this option, ipppd
              will not accept a different value from the peer in the IPCP
              negotiation, unless the ipcp-accept-local and/or
              ipcp-accept-remote options are given, respectively.

       active-filter filter-expression
              Specifies a packet filter to be applied to data packets to
              determine which packets are to be regarded as link activity,
              and therefore reset the idle timer, or cause the link to be
              brought up in demand-dialling mode.  This option is useful in
              conjunction with the idle option if there are packets being
              sent or received regularly over the link (for example, routing
              information packets) which would otherwise prevent the link
              from ever appearing to be idle.  The filter-expression syntax
              is as described for tcpdump(1), except that qualifiers which
              are inappropriate for a PPP link, such as ether and arp, are
              not permitted.  Generally the filter expression should be
              enclosed in single quotes to prevent whitespace in the
              expression from being interpreted by the shell.  This option is
              currently only available if both the kernel and ipppd were
              compiled with IPPP_FILTER defined.

       -ac    Disable Address/Control compression negotiation (use default,
              i.e. address/control field compression disabled).

       -all   Don't request or allow negotiation of any options for LCP and
              IPCP (use default values).

       auth   Require the peer to authenticate itself before allowing network
              packets to be sent or received.

       bsdcomp nr,nt
              Request that the peer compress packets that it sends, using the
              BSD-Compress scheme, with a maximum code size of nr bits, and
              agree to compress packets sent to the peer with a maximum code
              size of nt bits.  If nt is not specified, it defaults to the
              value given for nr.  Values in the range 9 to 15 may be used
              for nr and nt; larger values give better compression but
              consume more kernel memory for compression dictionaries.
              Alternatively, a value of 0 for nr or nt disables compression
              in the corresponding direction.

       -bsdcomp
              Disables compression; ipppd will not request or agree to
              compress packets using the BSD-Compress scheme.

       callback <string>
              Request the peer to call back at the location given in
              <string>.  Usually this is a phone number, but it may be
              interpreted differently (or ignored) depending on the
              callback-type option.  If <string> is the empty string, ipppd
              automatically tries to negotiate a callback type that does not
              need a location to be specified.

       callback-delay <n>
              Callback delay for CBCP in seconds.  If callback is negotiated
              using CBCP, request that the peer waits at least <n> seconds
              before calling back.  Ignored if callback is negotiated as
              specified in RFC 1570.  Legal range is 0..255, default is 5.

       callback-cbcp
              Enable callback negotiation via CBCP (default).

       -callback-cbcp
              Disable callback negotiation via CBCP.

       no-callback-cbcp
              Disable callback negotiation via CBCP.

       callback-cbcp-preferred
              If both CBCP and RFC 1570 style callback negotiation are
              enabled, CBCP is preferred (default).

       callback-rfc1570-preferred
              If both CBCP and RFC 1570 style callback negotiation are
              enabled, RFC 1570 style is preferred.

       callback-rfc1570
              Enable RFC 1570 style callback negotiation (default).

       -callback-rfc1570
              Disable RFC 1570 style callback negotiation.

       no-callback-rfc1570
              Disable RFC 1570 style callback negotiation (default).

       callback-type <n>
              Specifies how to interpret the location identifier given as
              parameter of the callback option.  Legal values are 0..4.  A
              value of 0 means that only callback types should be negotiated
              that need no extra location id.  No location id is sent to the
              peer in this case.  For RFC 1570 style callback negotiation,
              the values 1..4 indicate how the peer should interpret the
              location identifier: 1 - id is a system specific dial string,
              2 - id is used for database lookup by the peer, 3 - id is a
              phone number, and 4 - id is a name.  For CBCP callback
              negotiation, the location id is always interpreted as a phone
              number.

       -ccp   Necessary for a few netblazers on the remote side.

       noccp  Same as -ccp.

       +chap  Require the peer to authenticate itself using CHAP [Challenge
              Handshake Authentication Protocol] authentication.

       -chap  Don't agree to authenticate using CHAP.

       chap-interval <n>
              If this option is given, ipppd will rechallenge the peer every
              <n> seconds.

       chap-max-challenge <n>
              Set the maximum number of CHAP challenge transmissions to <n>
              (default 10).

       chap-restart <n>
              Set the CHAP restart interval (retransmission timeout for
              challenges) to <n> seconds (default 3).

       debug  Increase debugging level (same as -d).  If this option is
              given, ipppd will log the contents of all control packets sent
              or received in a readable form.  The packets are logged through
              syslog with facility daemon and level debug.  This information
              can be directed to a file by setting up /etc/syslog.conf
              appropriately (see syslog.conf(5)).

       -d     Increase debugging level (same as the debug option).

       defaultroute
              Add a default route to the system routing tables, using the
              peer as the gateway, when IPCP negotiation is successfully
              completed.  This entry is removed when the PPP connection is
              broken.

       -defaultroute
              Disable the defaultroute option.  The system administrator who
              wishes to prevent users from creating default routes with ipppd
              can do so by placing this option in the /etc/ppp/ioptions file.

       deldefaultroute
              Replace the default route if it already exists.  Together with
              the option defaultroute, this will replace any existing default
              route by a new one through this ipppd's interface when it comes
              up.

       -detach
              Don't fork to become a background process (otherwise ipppd will
              do so if a serial device other than its controlling terminal is
              specified).

       domain <d>
              Append the domain name <d> to the local host name for
              authentication purposes.  For example, if gethostname() returns
              the name porsche, but the fully qualified domain name is
              porsche.Quotron.COM, you would use the domain option to set the
              domain name to Quotron.COM.

       file <f>
              Read options from file <f> (the format is described below).

       -ip    Disable IP address negotiation.  If this option is used, the
              remote IP address must be specified with an option on the
              command line or in an options file.

       +ip-protocol
              Enable the IPCP and IP protocols.  This is the default
              condition.  This option is only needed if the default setting
              is -ip-protocol.

       -ip-protocol
              Disable the IPCP and IP protocols.  This should only be used if
              you know that you are using a client which only understands IPX
              and you don't want to confuse the client with the IPCP
              protocol.

       +ipx-protocol
              Enable the IPXCP and IPX protocols.  This is the default
              condition if your kernel supports IPX.  This option is only
              needed if the default setting is -ipx-protocol.  If your kernel
              does not support IPX then this option will have no effect.

       -ipx-protocol
              Disable the IPXCP and IPX protocols.  This should only be used
              if you know that you are using a client which only understands
              IP and you don't want to confuse the client with the IPXCP
              protocol.

       ipcp-accept-local
              With this option, ipppd will accept the peer's idea of our
              local IP address, even if the local IP address was specified in
              an option.

       ipcp-accept-remote
              With this option, ipppd will accept the peer's idea of its
              (remote) IP address, even if the remote IP address was
              specified in an option.

       ipcp-max-configure <n>
              Set the maximum number of IPCP configure-request transmissions
              to <n> (default 10).

       ipcp-max-failure <n>
              Set the maximum number of IPCP configure-NAKs returned before
              starting to send configure-Rejects instead to <n> (default 10).

       ipcp-max-terminate <n>
              Set the maximum number of IPCP terminate-request transmissions
              to <n> (default 3).

       ipcp-restart <n>
              Set the IPCP restart interval (retransmission timeout) to <n>
              seconds (default 3).

       ipparam string
              Provides an extra parameter to the ip-up and ip-down scripts.
              If this option is given, the string supplied is given as the
              6th parameter to those scripts.

       ipx-network <n>
              Set the IPX network number in the IPXCP configure request frame
              to <n>.  There is no valid default.  If this option is not
              specified then the network number is obtained from the peer.
              If the peer does not have the network number, the IPX protocol
              will not be started.  This is a hexadecimal number and is
              entered without any leading sequence such as 0x.  It is related
              to the ipxcp-accept-network option.

       ipx-node <n>:<m>
              Set the IPX node numbers.  The two node numbers are separated
              from each other with a colon character.  The first number <n>
              is the local node number.  The second number <m> is the peer's
              node number.  Each node number is a hexadecimal number, to the
              maximum of ten significant digits.  The node numbers on the
              ipx-network must be unique.  There is no valid default.  If
              this option is not specified then the node number is obtained
              from the peer.  This option is related to the
              ipxcp-accept-local and ipxcp-accept-remote options.

       ipx-router-name <string>
              Set the name of the router.  This is a string and is sent to
              the peer as information data.

       ipx-routing <n>
              Set the routing protocol(s) to be received.  Use a
              comma-separated list if you want to specify more than one
              protocol.  The 'none' option (0) may be specified as the only
              instance of ipx-routing.  The values may be 0 for NONE, 2 for
              RIP/SAP, and 4 for NLSP.

       ipxcp-accept-local
              Accept the peer's NAK for the node number specified in the
              ipx-node option.  If a node number was specified, and non-zero,
              the default is to insist that the value be used.  If you
              include this option then you will permit the peer to override
              the entry of the node number.

       ipxcp-accept-network
              Accept the peer's NAK for the network number specified in the
              ipx-network option.  If a network number was specified, and
              non-zero, the default is to insist that the value be used.  If
              you include this option then you will permit the peer to
              override the entry of the network number.

       ipxcp-accept-remote
              Use the peer's network number specified in the configure
              request frame.  If a node number was specified for the peer and
              this option was not specified, the peer will be forced to use
              the value which you have specified.

       ipxcp-max-configure <n>
              Set the maximum number of IPXCP configure request frames which
              the system will send to <n>.  The default is 10.

       ipxcp-max-failure <n>
              Set the maximum number of IPXCP NAK frames which the local
              system will send before it rejects the options.  The default
              value is 3.

       ipxcp-max-terminate <n>
              Set the maximum number of IPXCP terminate request frames before
              the local system considers that the peer is not listening to
              them.  The default value is 3.

       kdebug n
              Enable debugging code in the kernel-level PPP driver.  The
              argument n is a number which is the sum of the following
              values: 1 to enable general debug messages, 2 to request that
              the contents of received packets be printed, and 4 to request
              that the contents of transmitted packets be printed.

       lcp-echo-failure <n>
              If this option is given, ipppd will presume the peer to be dead
              if n LCP echo-requests are sent without receiving a valid LCP
              echo-reply.  If this happens, ipppd will terminate the
              connection.  Use of this option requires a non-zero value for
              the lcp-echo-interval parameter.  This option can be used to
              enable ipppd to terminate after the physical connection has
              been broken (e.g., the line hung up) in situations where no
              hardware modem control lines are available.

       lcp-echo-interval <n>
              If this option is given, ipppd will send an LCP echo-request
              frame to the peer every n seconds.  With Linux, the
              echo-request is sent when no packets have been received from
              the peer for n seconds.  Normally the peer should respond to
              the echo-request by sending an echo-reply.  This option can be
              used with the lcp-echo-failure option to detect that the peer
              is no longer connected.

       lcp-max-configure <n>
              Set the maximum number of LCP configure-request transmissions
              to <n> (default 10).

       lcp-max-failure <n>
              Set the maximum number of LCP configure-NAKs returned before
              starting to send configure-Rejects instead to <n> (default 10).

       lcp-max-terminate <n>
              Set the maximum number of LCP terminate-request transmissions
              to <n> (default 3).

       lcp-restart <n>
              Set the LCP restart interval (retransmission timeout) to <n>
              seconds (default 3).

       lock   Specifies that ipppd should create a UUCP-style lock file for
              the serial device to ensure exclusive access to the device.

       login  Use the system password database for authenticating the peer
              using PAP, and record the user in the system wtmp file.

       -mn    Disable magic number negotiation.  With this option, ipppd
              cannot detect a looped-back line.

       +mp    Enable MPPP negotiation.

       mru <n>
              Set the MRU [Maximum Receive Unit] value to <n> for
              negotiation.  ipppd will ask the peer to send packets of no
              more than <n> bytes.  The minimum MRU value is 128.  The
              default MRU value is 1500.  A value of 296 is recommended for
              slow links (40 bytes for TCP/IP header + 256 bytes of data).

       -mru   Disable MRU [Maximum Receive Unit] negotiation.  With this
              option, ipppd will use the default MRU value of 1500 bytes.

       ms-dns <n>
              This option sets the IP address or addresses for the Domain
              Name Server.  It is used by Microsoft Windows clients.  The
              primary DNS address is specified by the first instance of the
              ms-dns option.  The secondary is specified by the second
              instance.

       ms-get-dns
              Implements the client side of RFC1877.  If ipppd is acting as a
              client to a server that implements RFC1877, such as one
              intended to be used with Microsoft Windows clients, this option
              allows ipppd to obtain one or two DNS (Domain Name Server)
              addresses from the server.  It does not do anything with these
              addresses except put them in the environment (MS_DNS1, MS_DNS2)
              that is passed to scripts.  For compatibility with the async
              pppd, the DNS1 and DNS2 environment variables are also set.  A
              sample resolv.conf is created in /etc/ppp/resolv.conf.  The
              /etc/ppp/ip-up script should use this information to perform
              whatever adjustment is necessary.  Note: RFC1877 is a horrible
              protocol layering violation; the correct approach would be to
              use DHCP after the IPCP phase.

       ms-get-wins
              As ms-get-dns but for WINS (Windows Internet Name Services)
              server addresses.  Environment variables are MS_WINS1 and
              MS_WINS2.

       mtu <n>
              Set the MTU [Maximum Transmit Unit] value to <n>.  Unless the
              peer requests a smaller value via MRU negotiation, ipppd will
              request that the kernel networking code send data packets of
              no more than n bytes through the PPP network interface.

       name <n>
              Set the name of the local system for authentication purposes
              to <n>.

       netmask <n>
              Set the interface netmask to <n>, a 32 bit netmask in "decimal
              dot" notation (e.g. 255.255.255.0).  If this option is given,
              the value specified is ORed with the default netmask.  The
              default netmask is chosen based on the negotiated remote IP
              address; it is the appropriate network mask for the class of
              the remote IP address, ORed with the netmasks for any non
              point-to-point network interfaces in the system which are on
              the same network.

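              The default-netmask rule above, worked through in Python as an
              added illustration (not ipppd's own code) over a constructed
              interface table.  The class A/B/C boundaries are the standard
              ones; treating any other first octet as class C is an
              assumption of this example.

```python
"""Added example (not ipppd's own code): the default netmask rule given for
the netmask option, worked through on a constructed interface table."""
import ipaddress
from typing import Iterable, Tuple

Interface = Tuple[str, str, bool]   # (address, netmask, is_point_to_point)


def _ip(s: str) -> int:
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))


def classful_mask(addr: str) -> str:
    """Network mask for the address class (A, B or C) of a dotted quad.
    First octets outside classes A-C are treated as class C (assumption)."""
    first = _ip(addr) >> 24
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def default_netmask(remote: str, interfaces: Iterable[Interface],
                    explicit: str = "0.0.0.0") -> str:
    """Mask = classful mask of the remote address
              | masks of non point-to-point interfaces on the same network
              | the value of the netmask option (0.0.0.0 when not given)."""
    rem = _ip(remote)
    mask = _ip(classful_mask(remote))
    for addr, nmask, ptp in interfaces:
        if ptp:
            continue                       # point-to-point links are skipped
        m = _ip(nmask)
        if (_ip(addr) & m) == (rem & m):   # interface is on the remote's network
            mask |= m
    mask |= _ip(explicit)
    return str(ipaddress.IPv4Address(mask))


# Constructed interface table: two Ethernet interfaces and one PPP link.
INTERFACES = [
    ("192.0.2.17", "255.255.255.240", False),
    ("10.1.2.3", "255.255.0.0", False),
    ("10.9.9.1", "255.255.255.255", True),
]

if __name__ == "__main__":
    print(default_netmask("192.0.2.20", INTERFACES))   # 255.255.255.240
    print(default_netmask("10.1.200.5", INTERFACES))   # 255.255.0.0
    print(default_netmask("203.0.113.7", INTERFACES,
                          "255.255.255.252"))          # 255.255.255.252
```
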
       noipdefault
              Disables the default behaviour when no local IP address is
              specified, which is to determine (if possible) the local IP
              address from the hostname.  With this option, the peer will
              have to supply the local IP address during IPCP negotiation
              (unless it is specified explicitly on the command line or in an
              options file).

       passive
              Enables the "passive" option in the LCP.  With this option,
              ipppd will attempt to initiate a connection; if no reply is
              received from the peer, ipppd will then just wait passively for
              a valid LCP packet from the peer (instead of exiting, as it
              does without this option).

       -p     Same as the passive option.

       +pap   Require the peer to authenticate itself using PAP.

       -pap   Don't agree to authenticate using PAP.

       papcrypt
              Indicates that all secrets in the /etc/ppp/pap-secrets file
              which are used for checking the identity of the peer are
              encrypted, and thus ipppd should not accept a password which
              (before encryption) is identical to the secret from the
              /etc/ppp/pap-secrets file.

       pap-max-authreq <n>
              Set the maximum number of PAP authenticate-request
              transmissions to <n> (default 10).

       pap-restart <n>
              Set the PAP restart interval (retransmission timeout) to <n>
              seconds (default 3).

       pap-timeout <n>
              Set the maximum time that ipppd will wait for the peer to
              authenticate itself with PAP to <n> seconds (0 means no limit).

       pass-filter filter-expression
              Specifies a packet filter to be applied to data packets being
              sent or received to determine which packets should be allowed
              to pass.  Packets which are rejected by the filter are silently
              discarded.  This option can be used to prevent specific network
              daemons (such as routed) using up link bandwidth, or to provide
              a basic firewall capability.  The filter-expression syntax is
              as described for tcpdump(1), except that qualifiers which are
              inappropriate for a PPP link, such as ether and arp, are not
              permitted.  Generally the filter expression should be enclosed
              in single quotes to prevent whitespace in the expression from
              being interpreted by the shell.  Note that it is possible to
              apply different constraints to incoming and outgoing packets
              using the inbound and outbound qualifiers.  This option is
              currently only available if both the kernel and ipppd were
              compiled with IPPP_FILTER defined.

       -pc    Disable protocol field compression negotiation (use default,
              i.e. protocol field compression disabled).

       pidfile <filename>
              Use <filename> instead of /var/run/ipppd.pid.

       pred1comp
              Attempt to request that the peer send the local system frames
              which have been compressed by the Predictor-1 compression.  The
              compression protocols must be loaded or this option will be
              ignored.

       -pred1comp
              Do not accept Predictor-1 compression, even if the peer wants
              to send this type of compression and support has been defined
              in the kernel.

       proxyarp
              Add an entry to this system's ARP [Address Resolution Protocol]
              table with the IP address of the peer and the Ethernet address
              of this system.

       -proxyarp
              Disable the proxyarp option.  The system administrator who
              wishes to prevent users from creating proxy ARP entries with
              ipppd can do so by placing this option in the
              /etc/ppp/ioptions file.

       remotename <n>
              Set the assumed name of the remote system for authentication
              purposes to <n>.

       set_userip
              You may define valid IPs in /etc/ppp/useriptab.

       silent With this option, ipppd will not transmit LCP packets to
              initiate a connection until a valid LCP packet is received from
              the peer (as for the `passive' option with ancient versions of
              ipppd).

       +ua <p>
              Agree to authenticate using PAP [Password Authentication
              Protocol] if requested by the peer, and use the data in file
              <p> for the user and password to send to the peer.  The file
              contains the remote user name, followed by a newline, followed
              by the remote password, followed by a newline.  This option is
              obsolescent.

       usefirstip
              Gets the remote address from the first entry in the auth file
              (if there is an IP address entry).  This address should be a
              full IP address, not an address from a masked area.  Ipppd
              calls 'gethostbyname()' and negotiates the result.  The IP from
              the auth file will overwrite the remote address gotten from the
              interface.  'usefirstip' is UNTESTED!

       usehostname
              Enforce the use of the hostname as the name of the local system
              for authentication purposes (overrides the name option).

       usepeerdns
              Same as ms-get-dns, for compatibility with async pppd.

       user <u>
              Set the user name to use for authenticating this machine with
              the peer using PAP to <u>.

       useifip
              Get the IP address for the negotiation from the attached
              network interface (if it is not set to 0.0.0.0).  ipppd will
              also try to negotiate the interface's 'pointopoint' address as
              the remote IP: interface address -> local IP, pointopoint
              address -> remote IP.

       -vj    Disable negotiation of Van Jacobson style TCP/IP header
              compression (use default, i.e. no compression).

       -vjccomp
              Disable the connection-ID compression option in Van Jacobson
              style TCP/IP header compression.  With this option, ipppd will
              not omit the connection-ID byte from Van Jacobson compressed
              TCP/IP headers, nor ask the peer to do so.

       vj-max-slots n
              Sets the number of connection slots to be used by the Van
              Jacobson TCP/IP header compression and decompression code to n,
              which must be between 2 and 16 (inclusive).

OPTIONS FILES

       Options can be taken from files as well as the command line.  ipppd
       reads options from the file /etc/ppp/ioptions before looking at the
       command line.  An options file is parsed into a series of words,
       delimited by whitespace.  Whitespace can be included in a word by
       enclosing the word in quotes (").  A backslash (\) quotes the
       following character.  A hash (#) starts a comment, which continues
       until the end of the line.

AUTHENTICATION

       ipppd provides system administrators with sufficient access control
       that PPP access to a server machine can be provided to legitimate
       users without fear of compromising the security of the server or the
       network it's on.  In part this is provided by the /etc/ppp/ioptions
       file, where the administrator can place options to require
       authentication whenever ipppd is run, and in part by the PAP and CHAP
       secrets files, where the administrator can restrict the set of IP
       addresses which individual users may use.

       The default behaviour of ipppd is to agree to authenticate if
       requested, and to not require authentication from the peer.  However,
       ipppd will not agree to authenticate itself with a particular protocol
       if it has no secrets which could be used to do so.

       Authentication is based on secrets, which are selected from secrets
       files (/etc/ppp/pap-secrets for PAP, /etc/ppp/chap-secrets for CHAP).
       Both secrets files have the same format, and both can store secrets
       for several combinations of server (authenticating peer) and client
       (peer being authenticated).  Note that ipppd can be both a server and
       client, and that different protocols can be used in the two
       directions if desired.

       A secrets file is parsed into words as for an options file.  A secret
       is specified by a line containing at least 3 words, in the order
       client name, server name, secret.  Any following words on the same
       line are taken to be a list of acceptable IP addresses for that
       client.  If there are only 3 words on the line, it is assumed that any
       IP address is OK; to disallow all IP addresses, use "-".  If the
       secret starts with an `@', what follows is assumed to be the name of a
       file from which to read the secret.  A "*" as the client or server
       name matches any name.  When selecting a secret, ipppd takes the best
       match, i.e. the match with the fewest wildcards.

637       Thus a secrets file contains both secrets  for  use  in  authenticating
638       other  hosts, plus secrets which we use for authenticating ourselves to
639       others.  Which secret to use is chosen based on the names of  the  host
640       (the `local name') and its peer (the `remote name').  The local name is
641       set as follows:
642
643       if the usehostname option is given,
644          then the local name is the hostname of this machine (with the domain
645          appended, if given)
646
647       else if the name option is given,
648          then use the argument of the first name option seen
649
650       else if the local IP address is specified with a hostname,
651          then use that name
652
653       else  use  the  hostname  of this machine (with the domain appended, if
654       given)
655
656       When authenticating ourselves using PAP, there  is  also  a  `username'
657       which is the local name by default, but can be set with the user option
658       or the +ua option.
659
660       The remote name is set as follows:
661
662       if the remotename option is given,
663          then use the argument of the last remotename option seen
664
665       else if the remote IP address is specified with a hostname,
666          then use that host name
667
668       else the remote name is the null string "".
669
       Secrets are selected from the PAP secrets file as follows:

       * For authenticating the peer, look for a secret with client ==
         username specified in the PAP authenticate-request, and server ==
         local name.

       * For authenticating ourselves to the peer, look for a secret with
         client == our username, server == remote name.

       When authenticating the peer with PAP, a secret of "" matches any
       password supplied by the peer.  If the password doesn't match the
       secret, the password is encrypted using crypt() and checked against
       the secret again; thus secrets for authenticating the peer can be
       stored in encrypted form.  If the papcrypt option is given, the first
       (unencrypted) comparison is omitted, for better security.

       If the login option was specified, the username and password are also
       checked against the system password database.  Thus, the system
       administrator can set up the pap-secrets file to allow PPP access only
       to certain users, and to restrict the set of IP addresses that each
       user can use.  Typically, when using the login option, the secret in
       /etc/ppp/pap-secrets would be "", to avoid the need to have the same
       secret in two places.

       Secrets are selected from the CHAP secrets file as follows:

       * For authenticating the peer, look for a secret with client == name
         specified in the CHAP-Response message, and server == local name.

       * For authenticating ourselves to the peer, look for a secret with
         client == local name, and server == name specified in the
         CHAP-Challenge message.

       Authentication must be satisfactorily completed before IPCP (or any
       other Network Control Protocol) can be started.  If authentication
       fails, ipppd will terminate the link (by closing LCP).  If IPCP
       negotiates an unacceptable IP address for the remote host, IPCP will
       be closed.  IP packets can only be sent or received when IPCP is open.

       In some cases it is desirable to allow some hosts which can't
       authenticate themselves to connect and use one of a restricted set of
       IP addresses, even when the local host generally requires
       authentication.  If the peer refuses to authenticate itself when
       requested, ipppd takes that as equivalent to authenticating with PAP
       using the empty string for the username and password.  Thus, by
       adding a line to the pap-secrets file which specifies the empty string
       for the client and password, it is possible to allow restricted access
       to hosts which refuse to authenticate themselves.

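The word-splitting rules of the OPTIONS FILES section, the secrets-file format with its best-match selection, and the PAP checks described above (plaintext compare, then crypt(), the papcrypt option, and the empty-string rule for peers that refuse to authenticate), worked through as an added Python example that is not part of isdn4k-utils. The pap-secrets sample is constructed, demo_crypt is a labelled stand-in for the C library crypt(3), and the `@file' indirection and the login check are left out.

```python
import hashlib
import shlex

def split_words(line):
    """Words by the ipppd options-file rules: whitespace-delimited, "..."
    keeps whitespace inside a word, \\ quotes the next char, # comments."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.quotes = '"'          # only double quotes, as the man page says
    lex.commenters = "#"
    return list(lex)          # posix mode keeps "" as an empty word

def parse_secrets(text):
    """(client, server, secret, addrs): addrs None = any IP, ["-"] = none."""
    rows = [split_words(l) for l in text.splitlines()]
    return [(w[0], w[1], w[2], w[3:] or None) for w in rows if len(w) >= 3]

def select_secret(entries, client, server):
    """Best match: "*" matches any name; the fewest wildcards wins."""
    best = None
    for c, s, secret, addrs in entries:
        if c in (client, "*") and s in (server, "*"):
            wild = (c == "*") + (s == "*")
            if best is None or wild < best[0]:
                best = (wild, secret, addrs)
    return best and best[1:]

def demo_crypt(password, setting):
    """Stand-in for the C library crypt(3) so this runs on any Python: the
    stored form "$salt$hex" carries its own salt.  Constructed, not real."""
    salt = setting.split("$")[1] if setting.count("$") >= 2 else setting[:2]
    return "$%s$%s" % (salt, hashlib.sha256((salt + password).encode()).hexdigest())

def check_pap(entries, local_name, username, password, papcrypt=False):
    """Peer check: client == username, server == local name.  "" matches any
    password; else plaintext compare (skipped with papcrypt), then crypt()."""
    found = select_secret(entries, username, local_name)
    if found is None:
        return False, None
    secret, addrs = found
    ok = (secret == "" or (not papcrypt and password == secret)
          or demo_crypt(password, secret) == secret)
    return ok, addrs          # caller then checks the peer's IP against addrs

def ip_allowed(addrs, ip):
    """Words after the secret: none given = any IP, "-" = no IP at all."""
    return addrs is None or (addrs != ["-"] and ip in addrs)

SAMPLE_PAP_SECRETS = (  # constructed /etc/ppp/pap-secrets, not a real one
    '# client  server  secret          acceptable IPs ("-" = none)\n'
    'alice     gw      "open sesame"   192.0.2.10\n'
    'bob       gw      ' + demo_crypt("s3cret", "$xy$") + '  192.0.2.11\n'
    '*         gw      wild\\ card       -\n'
    '""        gw      ""              192.0.2.200   # peers refusing to auth\n'
)
```

A peer that refuses PAP is checked as check_pap(entries, local, "", ""), which here lands on the last sample line and is confined to 192.0.2.200.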

ROUTING

       When IPCP negotiation is completed successfully, ipppd will inform the
       kernel of the local and remote IP addresses for the ppp interface.
       This is sufficient to create a host route to the remote end of the
       link, which will enable the peers to exchange IP packets.
       Communication with other machines generally requires further
       modification to routing tables and/or ARP (Address Resolution
       Protocol) tables.  In some cases this will be done automatically
       through the actions of the routed or gated daemons, but in most cases
       some further intervention is required.

       Sometimes it is desirable to add a default route through the remote
       host, as in the case of a machine whose only connection to the
       Internet is through the ppp interface.  The defaultroute option causes
       ipppd to create such a default route when IPCP comes up, and delete it
       when the link is terminated.

       In some cases it is desirable to use proxy ARP, for example on a
       server machine connected to a LAN, in order to allow other hosts to
       communicate with the remote host.  The proxyarp option causes ipppd to
       look for a network interface on the same subnet as the remote host (an
       interface supporting broadcast and ARP, which is up and not a
       point-to-point or loopback interface).  If found, ipppd creates a
       permanent, published ARP entry with the IP address of the remote host
       and the hardware address of the network interface found.


DIAGNOSTICS

       Messages are sent to the syslog daemon using facility LOG_DAEMON.
       (This can be overridden by recompiling ipppd with the macro LOG_PPP
       defined as the desired facility.)  In order to see the error and debug
       messages, you will need to edit your /etc/syslog.conf file to direct
       the messages to the desired output device or file.

       The debug option causes the contents of all control packets sent or
       received to be logged, that is, all LCP, PAP, CHAP or IPCP packets.
       This can be useful if the PPP negotiation does not succeed.  If
       debugging is enabled at compile time, the debug option also causes
       other debugging messages to be logged.

       Debugging can also be enabled or disabled by sending a SIGUSR1 to the
       ipppd process.  This signal acts as a toggle.


FILES

       /var/run/ipppd.pid
              Process-ID for ipppd process on ppp interface unit n.

       /etc/ppp/ip-up
              A program or script which is executed when the link is
              available for sending and receiving IP packets (that is, IPCP
              has come up).  It is executed with the parameters

              interface-name tty-device speed local-IP-address
              remote-IP-address

              and with its standard input, output and error streams
              redirected to /dev/null.

              This program or script is executed with the same real and
              effective user-ID as ipppd, that is, at least the effective
              user-ID and possibly the real user-ID will be root.  This is so
              that it can be used to manipulate routes, run privileged
              daemons (e.g. sendmail), etc.  Be careful that the contents of
              the /etc/ppp/ip-up and /etc/ppp/ip-down scripts do not
              compromise your system's security.

       /etc/ppp/ip-down
              A program or script which is executed when the link is no
              longer available for sending and receiving IP packets.  This
              script can be used for undoing the effects of the
              /etc/ppp/ip-up script.  It is invoked with the same parameters
              as the ip-up script, and the same security considerations
              apply, since it is executed with the same effective and real
              user-IDs as ipppd.

       /etc/ppp/ipx-up
              A program or script which is executed when the link is
              available for sending and receiving IPX packets (that is, IPXCP
              has come up).  It is executed with the parameters

              interface-name tty-device speed network-number
              local-IPX-node-address remote-IPX-node-address
              local-IPX-routing-protocol remote-IPX-routing-protocol
              local-IPX-router-name remote-IPX-router-name ipparam ipppd-pid

              and with its standard input, output and error streams
              redirected to /dev/null.

              The local-IPX-routing-protocol and remote-IPX-routing-protocol
              fields may be one of the following:

              NONE      to indicate that there is no routing protocol
              RIP       to indicate that RIP/SAP should be used
              NLSP      to indicate that Novell NLSP should be used
              RIP NLSP  to indicate that both RIP/SAP and NLSP should be used

              This program or script is executed with the same real and
              effective user-ID as ipppd, that is, at least the effective
              user-ID and possibly the real user-ID will be root.  This is so
              that it can be used to manipulate routes, run privileged
              daemons (e.g. ripd), etc.  Be careful that the contents of the
              /etc/ppp/ipx-up and /etc/ppp/ipx-down scripts do not compromise
              your system's security.

       /etc/ppp/ipx-down
              A program or script which is executed when the link is no
              longer available for sending and receiving IPX packets.  This
              script can be used for undoing the effects of the
              /etc/ppp/ipx-up script.  It is invoked with the same parameters
              as the ipx-up script, and the same security considerations
              apply, since it is executed with the same effective and real
              user-IDs as ipppd.

       /etc/ppp/auth-up
              This program or script is executed after successful
              authentication with the following parameters: interface name,
              authentication user name, username of ipppd, devicename, speed,
              remote number

       /etc/ppp/auth-down
              This program or script is executed after a disconnection with
              the following parameters: interface name, authentication user
              name, username of ipppd, devicename, speed, remote number

       /etc/ppp/auth-fail
              This program or script is executed after an authentication
              failure with the following parameters: interface name,
              authentication user name, username of ipppd, devicename, speed,
              remote number, failure reason.  Valid reasons are:

               1 = Timeout during pap auth
               2 = pap protocol rejected
               3 = pap secrets invalid
               9 = Timeout during chap auth
              10 = chap protocol rejected
              11 = chap secrets invalid

       /etc/ppp/pap-secrets
              Usernames, passwords and IP addresses for PAP authentication.

       /etc/ppp/chap-secrets
              Names, secrets and IP addresses for CHAP authentication.

       /etc/ppp/ioptions
              System default options for ipppd, read before user default
              options or command-line options.


SEE ALSO

       ttyI(4), isdnctrl(8), ipppstats(8)

       RFC1144
              Jacobson, V.  Compressing TCP/IP headers for low-speed serial
              links.  1990 February.

       RFC1321
              Rivest, R.  The MD5 Message-Digest Algorithm.  1992 April.

       RFC1332
              McGregor, G.  PPP Internet Protocol Control Protocol (IPCP).
              1992 May.

       RFC1334
              Lloyd, B.; Simpson, W.A.  PPP authentication protocols.  1992
              October.

       RFC1548
              Simpson, W.A.  The Point-to-Point Protocol (PPP).  1993
              December.

       RFC1549
              Simpson, W.A.  PPP in HDLC Framing.  1993 December.


NOTES

       The following signals have the specified effect when sent to the ipppd
       process.

       SIGINT, SIGTERM
              These signals cause ipppd to terminate the link (by closing
              LCP), restore the serial device settings, and exit.

       SIGHUP This signal causes ipppd to terminate the link, restore the
              serial device settings, and close the serial device.  If the
              persist option has been specified, ipppd will try to reopen the
              serial device and start another connection.  Otherwise ipppd
              will exit.

       SIGUSR2
              This signal causes ipppd to renegotiate compression.  This can
              be useful to re-enable compression after it has been disabled
              as a result of a fatal decompression error.  With the BSD
              Compress scheme, fatal decompression errors generally indicate
              a bug in one or other implementation.


AUTHORS

       Originally written by Drew Perkins, Brad Clements, Karl Fox, Greg
       Christy, Brad Parker, Paul Mackerras <paulus@cs.anu.edu.au> for
       (original) pppd.

       Changes for ipppd by Klaus Franken <kfr@suse.de> and Michael Hipp
       <Michael.Hipp@student.uni-tuebingen.de>.

       Removal of pppd specific options and polish by Frank Elsner
       <Elsner@zrz.TU-Berlin.DE>.



isdn4k-utils-3.13                 2003/07/01                          IPPPD(8)