IPX Spoofing, PAP/CHAP – Hypertec ISDN 10T Router User Manual


Concepts and Principles of Operation


RIP

Novell IPX also uses Routing Information Protocol (RIP) as a routing protocol. Although it shares its
name with the IP equivalent, it is a different protocol. IPX RIP broadcasts packets to the network
every 60 seconds to inform other IPX routers or servers about its network. Upon receiving an IPX RIP
packet, a router adds one to the hop count of each router advertised and broadcasts a RIP packet to
the other networks it is connected to.

SAP

NetWare servers such as file servers use SAP protocols to advertise their services throughout the
network. A router such as Hypertec ISDN 10T Router listens to the SAP packets from servers to learn
what services are available in the local network. Routers also exchange SAP packets so that each router
can learn what services are available on the remote networks. With that global knowledge, the router is
able to respond to the “find nearest server” request for the remote IPX networks.

IPX Spoofing

A NetWare server regularly sends a “keep alive” message to a logged-in client every 3-5 minutes for
connectivity verification. If a client fails to respond within the allowed limit, the server closes the
client’s connection. The IPX “keep alive” packets tend to keep the dial-up connection on line. To
minimize unnecessary dial-up connection time, Hypertec ISDN 10T Router is equipped with an
IPX spoofing function, which answers the “keep alive” on behalf of the remote NetWare clients for a
pre-configured period. A dial-up call may be triggered by the “keep alive” packets only after the
spoofing timer expires.

PPP

The Point-to-Point Protocol (PPP) is the de facto standard link encapsulation protocol for
Internet access. PPP consists of a suite of protocols including LCP, PAP, CHAP, IPCP and other
related protocols. Link Control Protocol (LCP) is used to negotiate the link parameters, such as what
authentication protocol to use. LCP is specified in RFC 1570. Password Authentication Protocol
(PAP) and Challenge Authentication Protocol (CHAP) are used to inform the remote site (e.g. ISP)
about which router is connecting to it. CHAP and PAP are specified in RFC 1334. IPCP is used to
negotiate IP-specific parameters such as the IP address. IPCP is specified in RFC 1332.

PAP/CHAP

When a CHAP-authenticated connection to the ISP is attempted, the remote router or access server
sends a CHAP packet to HyperRoute. The CHAP packet "challenges" Hypertec Router to respond. The
challenge packet consists of an ID, a random number, and the host name of the remote router. The
required response consists of an encrypted version of the ID, a secret password, and the random
number, together with the local name. When the remote router or access server receives the response, it
verifies the secret password by performing the same encryption operation as indicated in the response
and looking up the required host/user name. Hypertec Router and the remote router must be configured
with identical secret passwords. Because only this response is transmitted, the secret password is never
sent in clear text, which prevents other devices from stealing it and gaining illegal access to the system.
Without the proper response, the remote will reject the PPP connection request.

If PAP authentication is enabled, when attempting to connect to the ISP or remote router, it is
necessary to send an authentication request including the user name and password. If the user name
and password are accepted, the ISP or the remote router sends an authentication acknowledgment to
conclude the authentication process.
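
The CHAP and PAP exchanges described above, as an added example that is not taken from the Hypertec manual or firmware. It assumes the standard CHAP packet layout and MD5 as the "encryption" step (a one-way hash, as standard CHAP uses); the host names and the secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2  # CHAP packet codes
PAP_AUTH_REQUEST = 1                  # PAP packet code

def chap_packet(code, ident, value, name):
    # Layout: Code | Identifier | Length | Value-Size | Value | Name
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_chap(pkt):
    if len(pkt) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or 5 + pkt[4] > length:
        raise ValueError("malformed CHAP packet")
    return code, ident, pkt[5:5 + pkt[4]], pkt[5 + pkt[4]:]

def chap_digest(ident, secret, challenge):
    # One-way hash over the ID, the shared secret and the random number
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_respond(challenge_pkt, local_name, secret):
    code, ident, challenge, _remote_name = parse_chap(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP challenge")
    return chap_packet(CHAP_RESPONSE, ident, chap_digest(ident, secret, challenge), local_name)

def chap_verify(response_pkt, ident, challenge, secrets):
    # Authenticator: look up the secret by name, repeat the hash, compare in constant time
    code, rid, digest, name = parse_chap(response_pkt)
    secret = secrets.get(name)
    if code != CHAP_RESPONSE or rid != ident or secret is None:
        return False
    return hmac.compare_digest(digest, chap_digest(ident, secret, challenge))

def pap_request(ident, user, password):
    # PAP Authenticate-Request: the password itself is a field of the packet
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body

if __name__ == "__main__":
    name, secret, nonce = b"hypertec-10t", b"constructed-secret", os.urandom(16)
    resp = chap_respond(chap_packet(CHAP_CHALLENGE, 7, nonce, b"isp-nas"), name, secret)
    print("CHAP accepted:", chap_verify(resp, 7, nonce, {name: secret}))
    print("secret visible: CHAP", secret in resp, "PAP", secret in pap_request(7, name, secret))
```

Because the digest covers the random number, a captured response fails verification against any later challenge, whereas a captured PAP request contains the reusable password.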

Two sets of authentication protocol and password can be configured: one set for
Internet connections and one set for Intranet connections. Each set consists of two pairs of
authentication configuration. The dial-out authentication-password pair is applied to the PPP
connection initiated by Hypertec ISDN 10T Router. The call-in authentication-password pair is applied
to the PPP connection initiated from the remote end. The dial-out authentication protocol (none, PAP,
CHAP) specifies the authentication protocol that Hypertec ISDN 10T Router will insist on when
initiating a PPP connection. The remote end is supposed to accept the specified authentication protocol
for the PPP negotiation to proceed. The setting of “either” as the call-in authentication protocol allows
