
ADSL & PPPoE & RADIUS

Seminar paper from Miao,yi WS04/05 11.2004

Content

1, Introduction
2, Overview
3, ADSL
3.1 The principle of the signal transmission
3.2 The physical issues of signal transmission
3.3 Proposed modulation formats for ADSL
3.3.1 The modulation technique
3.3.1.1 Frequency modulation
3.3.1.2 Amplitude modulation
3.3.1.3 Phase modulation
3.3.2 Three different modulation of ADSL
3.3.2.1 QAM Quadrature Amplitude modulation
3.3.2.2 CAP Carrierless Amplitude phase
3.3.2.3 DMT Discrete multi tone (multi carrier modulation)
3.4 The xDSL
4, PPPoE
4.1 Introduction
4.2 Two phases of PPPoE
4.2.1 PPPoE Discovery
4.2.2 PPPoE session
4.3 PPPoE Security Considerations
4.4 The data flow
4.5 The Experiment of the PPPoE
5, RADIUS
5.1 Introduce
5.2 Operations
5.3 RADIUS Security Considerations
Reference

1, Introduction
Asymmetric Digital Subscriber Line (ADSL) is used to deliver high-rate digital data over existing ordinary phone lines. This gives everyone who connects to the Internet through a phone line and a modem a cheap and fast solution, and it keeps the familiar operating interface. There are some conflicting goals for an Internet connection via modem: not only to connect multiple remote user hosts through one connection device, but also to provide functions such as connection control and fee calculation while reducing the configuration needed on the user side. The PPPoE protocol and the RADIUS protocol address these issues. PPPoE (PPP over Ethernet) is a point-to-point protocol on Ethernet which was created after 1998. Connection control and fee calculation are provided by the Remote Authentication Dial In User Service (RADIUS). In this paper I will describe the relationships among the three parts, the principle of each part and how they operate, in detail. I will show an implementation based on the Point-to-Point Protocol over Ethernet under Linux, and some examples of connecting to the Internet via ADSL.

2, Overview
Why do we use ADSL today? The most cost-effective method to connect multiple hosts to the customer premise access device is via Ethernet. It is important to require little or no configuration on the end user side while keeping the cost of this device as low as possible. By combining two standards, Ethernet and PPP, into PPP over Ethernet (PPPoE), the end user is only required to set up standard dial-up Internet access. The PPPoE solution uses existing PC hardware and software, existing Ethernet NICs, and existing ADSL/DSL modems. It requires no special configuration or additions to the customer premise modem or ADSL/DSL access network, and no special wiring for the high-speed networks and services. ADSL fits into the existing equipment and operating system with little disruption to ongoing subscriber services.

A user places a telephone call to establish physical layer connectivity. The voice signal and the data signal are separated by the splitter. The splitter will modulate the signal from the ADSL modem to a high-frequency signal. In this way, ADSL and ISDN can be used together with the phone at the same time. Using Dial-Up Networking in Windows, the user makes a connection to the ISP via an ADSL/DSL access device (modem).

ISPs are accustomed to providing consumer Internet access through PPP sessions. PPP can be easily adapted to broadband services with no changes to the existing protocol. When the ISPs began to prepare their networks for the introduction of ADSL Internet access services, they preserved the existing dial-up ISP model for user authentication, provisioning, and accounting, typically based on the combination of Point-to-Point Protocol (PPP) sessions and RADIUS AAA servers.

Figure 1: The overview of ADSL&PPPoE&RADIUS

Figure 1 shows the overview of ADSL. An example of an ADSL connection helps to understand the three parts of my paper. On the PC, the user clicks the browser or starts the PPPoE client software, and the data packets are transmitted to the ADSL modem via Ethernet. There these packets are parsed and transmitted to the splitter. Then the data goes to the DSLAM (Digital Subscriber Line Access Multiplexer, a big splitter) via the phone line. The voice signal continues on to the telephone agency, and the data signal is transmitted to the B-RAS (Broadband Remote Access Server) via ATM. The B-RAS sends a packet back via the same line. When the PPPoE client on the PC at home receives the packet, it sends back a feedback packet. After the B-RAS receives that feedback packet from the user's PPPoE client, it sends a packet with accounting information to the RADIUS server, where the account is authorized and validated. Then the related data and a status of OK are sent back to the correct IP address in the same session. The PPPoE client starts to configure the PPP interface of the PC, then sets the current B-RAS IP address as the default route in the routing table and stores it in the system. This means that from now on all data packets are sent to the B-RAS via the PPP interface (the B-RAS is treated as an Internet gateway), which continues the routing. At this point, the user is connected to the service provider (and the Internet).

3, ADSL

Figure 2: The ADSL in the OSI seven layer model

The Open Systems Interconnection Reference Model (OSI Model or OSI Reference Model for short) is a layered abstract description for communications and computer network protocols. It is also called the OSI seven layer model. ADSL/DSL sits in the first layer of the OSI seven layer model, the physical layer. Because the physical layer concerns itself with the transmission of bits, I will introduce the physical aspects of signal transmission in the next part.

3.1 The principle of the signal transmission

If the sender wants to send information, it modulates the information into signals and transmits them to the receiver via the physical medium. The receiver demodulates the signals back into the original information, which can then be used. The transformation is done by a device called a modem.

3.2 The physical issues of signal transmission

When a signal travels through the medium, it is attenuated because of the characteristics of the medium. Once we know these issues, we can try our best to reduce the attenuation of signals in advance.

a) Attenuation of signal: with the continuous attenuation and weakening of the signals during transmission, it is possible that the signals cannot reach the receiver.

b) Disturbance of signal: because there might be some disturbance during transmission, such as signals from other signal sources, what the receiver receives would no longer be the original signals.

3.3 Proposed modulation formats for ADSL

Modulation is a technique that converts the digital signal (binary 0 and 1) to an analog signal (such as a sine curve). The modulated signal consists of a whole RF carrier. Modulation is the process of varying the amplitude, frequency, or phase of an RF carrier wave, the process whereby some characteristic of one wave is varied in accordance with some characteristic of another wave. The basic types of modulation are angle modulation, including the special cases of frequency modulation, amplitude modulation and phase modulation. The next part introduces the different modulation techniques that are used in ADSL.

3.3.1 The modulation technique

3.3.1.1 Frequency modulation

Frequency modulation is the simplest modulation. Frequency is defined as the number of times an electromagnetic signal repeats an identical cycle (sine curve) in a unit of time, usually one second. The unit of frequency is Hz: one Hertz (Hz) is one cycle per second. A simple example: on a simple 300 baud modem, 1070 Hz stands for binary value 0 and 1270 Hz stands for binary 1. We can then transmit the binary values 0 and 1 by using these two frequencies. Of course, we can use more frequencies to transmit more signals. We can use four frequencies A, B, C, D to stand for the four different signals 00, 01, 10, 11, which makes the transmission faster. And we can transmit 3 bits of information at the same time when we use 8 different frequencies.

3.3.1.2 Amplitude modulation

Once we know the principle of frequency modulation, it is easier to understand amplitude and phase modulation. In amplitude modulation we distinguish the different information by changing the amplitude, which is the height of the wave. The principle is the same as for frequency modulation.

3.3.1.3 Phase modulation

To change the phase of a cycle (sine curve) in a specific period, the sender stops sending the old sine curve and sends a new one. The new sine curve has the same frequency and amplitude as the old sine curve. If we stop the old sine curve and start the new one at the same time, there will be no difference between the new signal and the old one. But if we delay the sending of the new curve, the phase of the sine curve is changed. The unit of this change is the degree: for a sine curve, 360 degrees is one period. By using different degree values in different periods, we have more symbols to stand for more bits.

3.3.2 Three different modulation of ADSL

If a modulation technique uses only one carrier, it belongs to single carrier modulation; otherwise it is multi carrier modulation. I will only introduce the three modulations related to ADSL that are used frequently: QAM, CAP and DMT.

3.3.2.1 QAM Quadrature Amplitude modulation (single carrier modulation)

QAM is the combination of the phase modulation and amplitude modulation techniques. First it distinguishes the different types by the phase of the base frequency, then it changes the amplitude. This technique can represent 4 bits and can be used on modems with speeds of 14.4K, 28.8K and 33.6K. It is no longer used on the 56K modem, except that it is still used there to transmit the signals from the PC to the phone line. See the diagram below, which is a sample of 16QAM. It uses 12 different phases and four different amplitudes.

Figure 3: Example of the QAM modulation

3.3.2.2 CAP Carrierless Amplitude phase (single carrier modulation)

CAP is the first modulation technique that was used on ADSL and has been replaced by DMT. CAP is also a technique that combines carrier amplitude with phase modulation. The efficiency of single carrier modulation is low because the carrier is not only treated as the medium but also needs to transmit signals. Next comes multi carrier modulation.

3.3.2.3 DMT Discrete multi tone (multi carrier modulation)

Multi carrier modulation uses multiple carriers, which we call subcarriers. On each subcarrier we can use a different single carrier modulation.

Figure 4: ADSL Frequency Spectra

Now most ADSL and VDSL systems use DMT. The basic idea of DMT is to split the available bandwidth into a large number of subcarriers. DMT is able to allocate data so that the throughput of every single subcarrier is maximized. If some subcarrier cannot carry any data, it can be turned off, and the use of the available bandwidth is optimised. First an equal number of bits per tone is transmitted to measure the characteristics of the line. The processing of the signal takes place in the ATU-R, and the optimised bit distribution information is delivered to the ATU-C over the same phone line at a secure low speed. In ADSL DMT systems the downstream carriers are divided into 256 4-kHz-wide tones. The upstream channels are divided into 32 subcarriers.

3.4 The xDSL

ADSL is the most popular form of xDSL technology. xDSL (Digital Subscriber Line) is a technology backed by telephone companies to provide next generation high bandwidth services to the home and business using the existing telephone cabling infrastructure. There are different forms of xDSL, each designed for specific goals and the needs of the marketplace. According to the modulation technique used, xDSL can be divided into several forms. The most frequently used are ADSL, HDSL, SDSL and VDSL.

ADSL: Asymmetric DSL, with a larger portion of the capacity downstream, less upstream.

POTS (Plain Old Telephone Service): this is the existing telecom service. The frequencies it can use range from 300Hz to 3.4 KHz, so the ADSL technique has enough room to transmit signals. When signals are transmitted to the home via the phone line, the splitter separates out the low frequency signals. The signals with frequencies lower than 4 KHz are telephone signals, and the splitter passes them to the telephone device. The signals at high frequencies are passed to the modem, which converts them into the binary values that can be used by the computer. The diagram below shows the working principle of ADSL. In the diagram, the upload speed is from 16 to 768kbps and the download speed is from 1.5 to 9Mbps. Because most users receive their emails and read the news when they use the Internet, the download speed is higher than the upload speed. Because of the different upload and download speeds, it is called Asymmetric DSL. The ADSL cable line must be shorter than 6km.

Figure 5: Detailed ADSL Configuration

ADSL that uses the CAP modulation technique uses 25-160 kHz as the upload channel and 240kHz-200kHz as the download channel. ADSL that uses the DMT modulation technique uses 25 kHz to 200 kHz as the upload channel and 240 kHz to 1.1 MHz as the download channel.

HDSL: High-bit-rate DSL, a technology for the business market. This technique uses two wire pairs. It was invented in the 1980s and developed first for voice broadcasting; later it was used for data transmission. The length of the cable should be 3-4 km. The limitation of the cable length is determined by the physical characteristics of the signal transmission. HDSL is symmetric, which means the upload speed and the download speed are the same. If a single wire is used, the speed is 1.544 Mbit per second. If both wires are used, the speed is 2 Mbit per second. Because of the equal speeds and the dual wires it is more expensive than ADSL and mostly used in companies. HDSL uses the 300 -3.4Hz range in the phone line, so it doesn't provide the POTS service like ADSL.

SDSL: Symmetric DSL is a variation of HDSL using only one wire pair. The name has become more generic over time to refer to symmetric service at a variety of rates over a single loop.

VDSL: Very high-bit-rate DSL, which provides speeds up to 52 Mbps, but only for rather short distances; it has the highest data rate of all. The medium of this technique is a line that consists of fiber. The cable length is limited to between 300m and 1.5km. The upload speed is 1.5 to 6.4 Mbit per second and the download speed is 13 to 52 Mbit per second. In fact it uses the frequencies above the voice frequency like ADSL, so it also uses POTS.

The different DSL forms above work in the physical layer of OSI. Now we come to the network layer. In this layer, ADSL uses the PPP protocol to transmit the information packets.

4, PPPoE

PPP is a communications protocol for transmitting information over standard telephone lines. It is a member of the TCP/IP suite of network protocols. TCP/IP by itself cannot be transmitted over a serial link, so we use PPP to transmit TCP/IP packets over a serial link. Since PPP was designed to do things that are not done with Ethernet, there may be some confusion about why to use PPP over Ethernet. PPP over Ethernet (PPPoE) is the solution that lets PPP (designed for serial communications) be adapted to an Ethernet network.

4.1 Introduction

By combining the most economical LAN technique with the extensibility and manageable control of the Point-to-Point Protocol over Ethernet, network service providers and telecom agencies can use reliable and familiar techniques to speed up the deployment of high-speed Internet service. It makes it easier for service providers to support multi-user broadband connection services when they use ADSL, cable modem or wireless connections. It also simplifies the configuration for end users when they choose these services.

PPPoE, defined in RFC 2516 (A Method for Transmitting PPP over Ethernet (PPPoE)), allows PPP transmission over Ethernet. This gives the provider both the advantages of the well-known Ethernet media and the advantages of a dial-up connection, in an always-on access network. PPPoE provides the ability to connect a network of hosts over a simple bridging access device to a remote Access Concentrator (AC). With this model, each host utilizes its own PPP stack and the user is presented with a familiar user interface. PPPoE is easy to use: users accustomed to traditional dial-up will already be familiar with the PPPoE connection model. The figure below shows the detailed position of the PPPoE protocol in the data flow:

Figure 6: Detailed position of the PPPoE protocol in the data flow

4.2 Two phases of PPPoE

There are two phases in creating a session based on the Point-to-Point Protocol over Ethernet: PPPoE discovery and PPPoE session. But when a user creates a connection using PPPoE, it is difficult to distinguish these phases, because the PPPoE discovery phase is the phase in which the user connection is validated and contact is established, while the PPPoE session phase is a normal PPP phase after the connection is built.

4.2.1 PPPoE Discovery

In this phase, a user host finds a suitable server and then builds the connection. The process consists of the four steps below:

1. At the beginning, the user host broadcasts PPPoE PADI (PPPoE Active Discovery Initiation) packets to find all the servers that it could possibly connect to, until it gets the PADO (PPPoE Active Discovery Offer) packets sent by one or more servers (mostly one B-RAS). The Ethernet destination address of the user host's packet is the broadcast address, which is 0xfffffff; the CODE field is 0x09 and SESSION_ID is 0x0000. The PADI packet should contain one service name tag (the tag type field is 0x0101) naming the service that is requested from the server. A whole PADI (including the PPPoE header) cannot exceed 1484 bytes, to leave enough room for agent devices to add the Relay-Session-Id tag.

2. When a server receives a PADI packet within its service range, it sends a PADO packet in response to the request. The PADO packet must contain one tag (AC-Name) naming the connecting device (the AC-Name tag type is 0x0102) and one or more service name tags which indicate the service types that can be provided to the user host. The CODE field is 0x07 and SESSION_ID is still 0x0000.

3. The user host can choose one of the connection devices after it has received the PADO packets. The choice is made according to the service name tags and the content of the tags. The user host chooses the one on whose server its account is used. Then the user host sends a PPPoE PADR (PPPoE Discovery Request) packet to the selected server to build a connection with it. The CODE is 0x19 and SESSION_ID is still 0x0000. The PADR packet must include one service name tag to confirm the service type that is requested from the connection device. When the user host doesn't receive a PADO within a specific time, it sends the PADI again and waits twice as long. This process can be repeated several times if necessary.

4. The server starts the PPP session when it receives the PADR packet. After that it sends a PPPoE PADS packet. The CODE field is 0x65 and SESSION_ID is a unique session identity generated by the server. The ID is associated with the MAC address of the server. 0xffff is reserved and cannot be used as SESSION_ID. The PADS packet must contain a service name tag to confirm the services provided to the user host. When the user host receives the confirmation packet, both of them go into the session phase. If the server cannot recognize the service name tag in the PADR, it responds with a PADS packet which contains a service name error. In that case the SESSION_ID is still 0x0000. If the user host doesn't receive the PADS within a specific time, it will do the same as not receiving the PADS packet.

There is another packet named PPPoE PADT. Once the session has been created, it can be sent at any time by either the server or the user host to indicate that the session is terminated. The PADT packet doesn't need any tags; the code field is 0xA7 and the SESSION_ID is the session id of the PPP session that needs to be terminated. If you open software such as Ethereal or Packet Sniffer while using ADSL, you can capture the packets of the 4 steps of PPPoE Discovery.

What should be noted for the configuration in the PPPoE Discovery phase is the value of the MTU (Maximum Transfer Unit). The maximum size of an Ethernet packet is 1500 bytes, but the PPPoE header needs 8 bytes. That is to say: when setting the value of the MTU, we have to subtract the 8 bytes of the PPPoE header. So the maximum value of the MTU should be 1492 bytes and not 1500 bytes.
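The four discovery steps above can be checked mechanically on captured frames. The following is an added example, not code from the paper or from any PPPoE implementation: it parses Discovery frames (EtherType 0x8863) and applies the CODE, SESSION_ID, tag and length rules listed above. The sample frames, MAC addresses and the AC name are constructed, and the Service-Name-Error tag type 0x0201 is taken from RFC 2516.

```python
import struct

ETH_P_PPPOE_DISC = 0x8863   # EtherType of the PPPoE Discovery stage (RFC 2516)
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_SERVICE_NAME_ERROR = 0x0000, 0x0101, 0x0102, 0x0201
BROADCAST = b"\xff" * 6     # Ethernet broadcast address ff:ff:ff:ff:ff:ff
MAX_PADI = 1484             # PPPoE header + tags, leaves room for a Relay-Session-Id tag


def build(dst, src, code, session_id, tags):
    """Assemble a Discovery frame from (tag_type, value) pairs; used for the samples."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + header + payload


def parse(frame):
    """Split an Ethernet frame into PPPoE Discovery fields and a list of tags."""
    if len(frame) < 20:
        raise ValueError("too short for Ethernet + PPPoE headers")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ethertype != ETH_P_PPPOE_DISC or ver_type != 0x11:
        raise ValueError("not a PPPoE Discovery frame")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("LENGTH field runs past the end of the frame")
    tags, off = [], 0
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("tag value runs past the payload")
        if tag_type == TAG_END:
            break
        tags.append((tag_type, value))
        off += 4 + tag_len
    return {"dst": dst, "src": src, "code": code, "name": CODES.get(code, "unknown"),
            "session_id": session_id, "pppoe_len": 6 + length, "tags": tags}


def check(pkt):
    """Return the list of rule violations for one parsed Discovery packet."""
    name, sid = pkt["name"], pkt["session_id"]
    types = [t for t, _ in pkt["tags"]]
    names = types.count(TAG_SERVICE_NAME)
    if name == "unknown":
        return ["unknown CODE 0x%02x" % pkt["code"]]
    problems = []
    if name in ("PADI", "PADO", "PADR") and sid != 0:
        problems.append("SESSION_ID must be 0x0000")
    if name == "PADI" and pkt["dst"] != BROADCAST:
        problems.append("PADI must go to the broadcast address")
    if name == "PADI" and pkt["pppoe_len"] > MAX_PADI:
        problems.append("PADI longer than 1484 bytes")
    if name in ("PADI", "PADR") and names != 1:
        problems.append("exactly one Service-Name tag required")
    if name == "PADO" and TAG_AC_NAME not in types:
        problems.append("PADO needs an AC-Name tag")
    if name == "PADO" and names < 1:
        problems.append("PADO needs at least one Service-Name tag")
    if name == "PADS":
        if TAG_SERVICE_NAME_ERROR in types:
            if sid != 0:
                problems.append("error PADS must keep SESSION_ID 0x0000")
        elif names != 1 or sid in (0x0000, 0xFFFF):
            problems.append("PADS needs one Service-Name tag and a usable SESSION_ID")
    if name == "PADT" and sid == 0:
        problems.append("PADT must name the session it terminates")
    return problems


# Constructed sample frames (locally administered MAC addresses, not captured traffic).
HOST, AC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLES = [
    build(BROADCAST, HOST, 0x09, 0x0000, [(TAG_SERVICE_NAME, b"")]),
    build(HOST, AC, 0x07, 0x0000, [(TAG_AC_NAME, b"bras1"), (TAG_SERVICE_NAME, b"")]),
    build(AC, HOST, 0x19, 0x0000, [(TAG_SERVICE_NAME, b"")]),
    build(HOST, AC, 0x65, 0x0001, [(TAG_SERVICE_NAME, b"")]),
    build(HOST, AC, 0x65, 0xFFFF, [(TAG_SERVICE_NAME, b"")]),   # reserved SESSION_ID
    build(AC, HOST, 0x09, 0x0000, []),                          # unicast PADI without tag
]


def audit(frames):
    """Parse and check every frame; returns (packet name, problems) pairs."""
    return [(p["name"], check(p)) for p in map(parse, frames)]


if __name__ == "__main__":
    for name, problems in audit(SAMPLES):
        print(name, problems or "ok")
```

The first four samples form a clean PADI, PADO, PADR, PADS exchange; the last two are deliberately malformed to show what the checks report.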

4.2.2 PPPoE session

Once each side knows the other's Ethernet address and the session number, the PPP session can begin. This PPP session is just like the normal PPP protocol. This is also the phase in which the ADSL user performs the login at the ISP and prepares for the later data transfer. In the PPP phase, LCP (Link Control Protocol) is used to negotiate the appropriate protocol for authentication. LCP is also used to handle some other properties of the point-to-point connection.

Figure 7: PPPoE Session Packets

In order to establish such a connection, both sides of the communication send an LCP packet to each other, which contains all possible options of the connection. An LCP Acknowledge packet is sent back if both sides agree with these options. Otherwise, an LCP Nak (Not Acknowledge) packet is sent back if some options are not accepted, and the sender keeps waiting for the new Request packet. When the connection finally breaks, both sides should know the broken status. So we can see the importance of a sniffer program for error control, because without a sniffer there is no other way to know why and where the connection is broken.

There are two different ways to validate a username and the corresponding password over a PPP connection:

A) PAP Password Authentication Protocol
B) CHAP Challenge Handshake Authentication Protocol

PAP simply sends the username and password as plaintext in the packet, without encryption. Obviously, this is dangerous: anyone along the data link can easily capture such critical information. So the second way, CHAP, is more secure for such sensitive information. With CHAP, sensitive information such as the password is not sent directly over the connection. Instead, the server sends the client a Challenge including a session ID and an arbitrary challenge string; the client receives the Challenge, uses a one-way hash or MD5 algorithm to encrypt its sensitive information together with the received Challenge, and sends the encrypted data back. Because the server knows all usernames and their corresponding passwords, it can encrypt the challenge itself and compare the result with the received data. In this way, CHAP ensures security over the peer-to-peer connection. In ADSL, the authentication of the user login information is done by the RADIUS server via the B-RAS.

4.3 PPPoE Security Considerations

To prevent DoS (Denial of Service) attacks, the access device should be able to generate a unique value according to the source address of the PADR, which can ensure the reachability of PADI and limit the count of concurrent connections of this address. Although AC-Cookie is very useful and efficient, it cannot prevent all attacks of DoS.
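One way an access concentrator can derive such a value from the source address, as an added example that is not from the paper or from any PPPoE server: the cookie is an HMAC over the host MAC address, the construction RFC 2516 suggests for the AC-Cookie tag. The class, the key handling, the 16-byte truncation and the per-address limit are assumptions made for illustration.

```python
import hashlib
import hmac
import os

TAG_AC_COOKIE = 0x0104        # AC-Cookie tag type in RFC 2516
MAX_SESSIONS_PER_MAC = 2      # assumed policy value


class AccessConcentrator:
    """Discovery-stage bookkeeping of an AC; only the DoS-related part is modelled."""

    def __init__(self, key=None):
        self.key = key or os.urandom(32)   # secret known only to this AC
        self.sessions = {}                 # source MAC -> number of open sessions

    def cookie_for(self, src_mac):
        # The cookie is recomputed from the source address, so nothing is stored
        # per PADI and a flood of PADIs does not grow any table on the AC.
        return hmac.new(self.key, src_mac, hashlib.sha256).digest()[:16]

    def on_padi(self, src_mac):
        """Value to place in the AC-Cookie tag of the PADO sent to src_mac."""
        return self.cookie_for(src_mac)

    def on_padr(self, src_mac, cookie):
        """Decide what to do with a PADR carrying the given AC-Cookie (or None)."""
        if cookie is None or not hmac.compare_digest(cookie, self.cookie_for(src_mac)):
            return "drop"      # sender never received our PADO at this address
        if self.sessions.get(src_mac, 0) >= MAX_SESSIONS_PER_MAC:
            return "limit"     # this address already holds its share of sessions
        self.sessions[src_mac] = self.sessions.get(src_mac, 0) + 1
        return "accept"        # a real AC would now allocate a SESSION_ID and send PADS


def demo():
    """Run a constructed sequence of PADRs and return the decisions in order."""
    ac = AccessConcentrator(key=b"\x01" * 32)       # fixed key so the run is repeatable
    host = bytes.fromhex("020000000001")            # constructed MAC addresses
    other = bytes.fromhex("020000000099")
    cookie = ac.on_padi(host)
    return [
        ac.on_padr(host, cookie),    # genuine host, first session
        ac.on_padr(other, cookie),   # cookie replayed from a different source address
        ac.on_padr(host, None),      # PADR without any cookie
        ac.on_padr(host, cookie),    # second session, still within the limit
        ac.on_padr(host, cookie),    # third session exceeds the limit
    ]


if __name__ == "__main__":
    print(demo())
```

Session state is created only after the cookie has been verified, which is what keeps unanswered or spoofed requests from consuming resources on the access device.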
Some other techniques and methods can be used against DoS on the access device.

4.4 The data flow

The following sample explains the process of data transfer over a PPP connection. Whenever a user wants to browse a normal webpage, he enters the right URL in a web browser like Firefox and presses return. The web browser encapsulates all necessary information into a request packet according to the HTTP protocol and sends it. These data would normally be transferred directly via the TCP/IP stack and then the physical layer. Now, with PPPoE, the system knows that the network is connected through the AC and the PPP interface. Instead of being sent to the Ethernet interface, these data are sent to a virtual PPP interface according to the PPP protocol format. The purpose of PPPoE is to simulate a virtual PPP interface, to encapsulate all data received in PPP packet format from the virtual interface into Ethernet packet format, and then to send out all these encapsulated Ethernet data packets via the real Ethernet network device.

Figure 8: Pseudo PPP TTY via PPPoE

4.5 The Experiment of the PPPoE

To see how the PPP protocol can work over Ethernet, and to analyze all the PPPoE packets, I did the following experiment with PPPoE at the university.

Experimental environment: the university intranet PCs
Operating system: SUSE 9.1

Because SUSE 9.1 has the PPPD, PPPoE and PPPoE Server packages, I did not have to install them again. If we use another Linux OS, we may have to install these packages first.

At first I chose a PC as the PPPoE server. There are many options for the PPPoE server; I selected the basic options.

>pppoe-server -I eth0 -F -N 10 noauth

Then I chose a PC to connect to that PPPoE server:

>pppd pty 'pppoe -I eth0' noauth

At the same time I turned on Ethereal, and I could catch all the PPPoE packets in Ethereal. If there are many PPPoE servers in the intranet, we can use a useful option, the server name of the PPPoE server:

>pppoe-server -I eth0 -N 10 -S servername noauth
>pppd pty 'pppoe -I eth0 -S servername' noauth

The authentication of the PPPoE connection is just like in a normal PPP connection.

Figure 9: PPPoE packets in Ethereal

5, RADIUS

PPP can authenticate the user name and password, but many telecom companies have more than one AC (Access Concentrator) or B-RAS, and they also provide several different services. So it is necessary to maintain a corresponding login record for each user at each ISP. RADIUS is a solution for that. Whereas the PPP protocol works in the network layer of the OSI model, the RADIUS protocol works in the application layer.

5.1 Introduce

RADIUS (Remote Authentication Dial-In User Service) implements centralized authentication, authorization, and accounting for remote dial-up users in client/server mode. A RADIUS client is typically a Network Access Server (NAS), and it passes user information to the RADIUS server. The RADIUS server authenticates and authorizes the request from the RADIUS client and sends back the configuration information of the user. To ensure the security of data transmission, all data between client and server are encrypted by MD5. There are two different types of communication: Access Request and Accounting Request. RADIUS is based on UDP, and all RADIUS messages are sent and received as UDP packets. The authentication service listens on port 1812 and the accounting service listens on port 1813. A RADIUS message consists of the data fields Code, ID, Length, Authenticator and Attributes.

The login record of a user contains the username and password. Furthermore, some other user information such as surfing time and fee also has to be stored somewhere. Keeping all of these different kinds of information in databases makes management a real challenge. A good solution is to use a central DBMS, which is why RADIUS is widely used in ADSL systems. RADIUS has two different kinds of databases: one is for authentication, with username and password information; the other is used to store other information such as time and fee. In this way, the RADIUS system accesses the second database for the user's corresponding data after the authentication has passed.

The client is the B-RAS. When a PPP connection is established, the task of authentication is passed to the RADIUS server instead of the previously used local database. The RADIUS server performs authentication by checking whether the given password matches the stored password or not. The B-RAS then takes over and carries out the later actions according to the result of the authentication.

5.2 Operations

The type of packet is specified by the first byte of the packet.

1) Access-Request: This request is sent by a RADIUS client to the server when requesting authentication and authorization for a network access connection attempt. The request consists of username, password, NAS_Port and so on. The server checks for the corresponding record. When the given data match the stored data, an Access-Accept response packet is returned, otherwise an Access-Reject.

2) Access-Accept: As mentioned, the server returns the Access-Accept response to the client when the given data are all right, which means that the connection attempt is authenticated and authorized. Some configuration parameters are returned in the same response packet.

3) Access-Reject: Opposite to Access-Accept, Access-Reject is sent by the server to the client as the response to failed authentication and authorization, which means that the connection attempt is rejected.

4) Accounting-Request: This request is sent by the RADIUS client to specify accounting information for an accepted connection. There are two situations. One is to inform the server to begin accounting when the connection has passed authentication and authorization successfully. The other is to inform the server to stop accounting when the connection is broken. All of this information is stored for future use.

5) Accounting-Response: This response is sent by the RADIUS server in response to the Accounting-Request message and informs the RADIUS client of the successful receipt and processing of the Accounting-Request message.

5.3 RADIUS Security Considerations

RADIUS does not actually send the password itself over the Internet. Instead, it generates a 128-bit random number (termed the "Request Authenticator"), appends the "shared secret" (the RADIUS password) to the number, and runs a one-way hash function or MD5 over it. It then takes this number, XORs the entered password against it, and puts the result in the "Password" attribute of an "Access-Request" packet. Because RADIUS clients put the random number into the packet, as the "Authenticator" field of the RADIUS packet, an intruder who already knows the password that the NAS is trying to clear with the RADIUS server, and who can intercept the Access-Request packet sent by the NAS to the RADIUS server, has enough information to launch a dictionary attack against the RADIUS shared secret.

The other kind of attack is that a remote user can flood a NAS with PPP requests that contain an invalid password, causing the NAS to turn around and send an Access-Request to the RADIUS server. While the flooding attack is in progress, it is reported that the RADIUS server will lock up. When the attack stops, the server reportedly will resume normal operation.
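The password hiding and the Access-Request handling described above, as an added example that is not code from the paper or from any RADIUS product. It follows the layout of RFC 2865, where each 16-byte block of the padded password is XORed with MD5(shared secret + Request Authenticator, or + the previous hidden block); the shared secret, user table and function names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS Code values
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # attribute types


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """NAS side: hide the password as in the User-Password attribute."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block            # the next block is chained to this hidden block
    return out


def unhide_password(hidden, secret, authenticator):
    """Server side: reverse hide_password with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, authenticator=None):
    """Code, ID, Length, Authenticator, then User-Name and User-Password attributes."""
    authenticator = authenticator or os.urandom(16)   # 128-bit Request Authenticator
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, user),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attrs), authenticator) + attrs


def parse_packet(data):
    """Return (code, id, authenticator, {attribute type: value})."""
    if len(data) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length, authenticator = struct.unpack("!BBH16s", data[:20])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[off], data[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[off + 2:off + attr_len]
        off += attr_len
    return code, ident, authenticator, attrs


def server_decide(data, secret, users):
    """Return the Code of the reply: Access-Accept or Access-Reject."""
    code, _ident, authenticator, attrs = parse_packet(data)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    hidden = attrs.get(ATTR_USER_PASSWORD, b"")
    if not hidden or len(hidden) % 16:
        return ACCESS_REJECT
    given = unhide_password(hidden, secret, authenticator)
    stored = users.get(attrs.get(ATTR_USER_NAME, b""))
    ok = stored is not None and hmac.compare_digest(given, stored)
    return ACCESS_ACCEPT if ok else ACCESS_REJECT


# Constructed values for the demonstration.
SECRET = b"example-shared-secret"
USERS = {b"alice": b"correct horse battery"}

if __name__ == "__main__":
    request = build_access_request(7, b"alice", b"correct horse battery", SECRET)
    print(server_decide(request, SECRET, USERS))   # 2 = Access-Accept
```

The hidden value is a function of the shared secret, the Request Authenticator sent in the packet and the password only, so the protection of the password on the wire rests on the shared secret being long and random.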


Reference

R. Stevens, TCP/IP Illustrated Vol. 1
[RFC-2516] PPP over Ethernet (PPPoE)
[RFC-1661] The Point-to-Point-Protocol (PPP)
[RFC-1334] Password Authentication Protocol (PAP)
[RFC-1994] Challenge Handshake Authentication Protocol (CHAP)
[RFC-2139] RADIUS Accounting
[RFC-2865] Remote Authentication Dial In User Service (RADIUS)
http://www.adslguide.org.uk/howitworks/authentication.asp
http://homepage.interaccess.com/~jkristof/xdsl-faq.txt
http://www.ks.uni-freiburg.de/download/inetworkSS04/pdf/inetwork04-11.pdf
http://www.webopedia.com/TERM/R/RADIUS.html
http://www.riverstonenet.com/solutions/802.1x.shtml
