rfc3078.txt
来自「RFC 的详细文档!」· 文本 代码 · 共 676 行 · 第 1/2 页
TXT
676 行
Network Working Group G. Pall
Request for Comments: 3078 Microsoft Corporation
Category: Informational G. Zorn
Updates: 2118 cisco Systems
March 2001
Microsoft Point-To-Point Encryption (MPPE) Protocol
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
The Point-to-Point Protocol (PPP) provides a standard method for
transporting multi-protocol datagrams over point-to-point links.
The PPP Compression Control Protocol provides a method to negotiate
and utilize compression protocols over PPP encapsulated links.
This document describes the use of the Microsoft Point to Point
Encryption (MPPE) to enhance the confidentiality of PPP-encapsulated
packets.
Specification of Requirements
In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
"recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as
described in [5].
1. Introduction
The Microsoft Point to Point Encryption scheme is a means of
representing Point to Point Protocol (PPP) packets in an encrypted
form.
MPPE uses the RSA RC4 [3] algorithm to provide data confidentiality.
The length of the session key to be used for initializing encryption
tables can be negotiated. MPPE currently supports 40-bit and 128-bit
session keys.
Pall & Zorn Informational [Page 1]
RFC 3078 MPPE Protocol March 2001
MPPE session keys are changed frequently; the exact frequency depends
upon the options negotiated, but may be every packet.
MPPE is negotiated within option 18 [4] in the Compression Control
Protocol.
2. Configuration Option Format
Description
The CCP Configuration Option negotiates the use of MPPE on the
link. By default (i.e., if the negotiation of MPPE is not
attempted), no encryption is used. If, however, MPPE negotiation
is attempted and fails, the link SHOULD be terminated.
A summary of the CCP Configuration Option format is shown below. The
fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Supported Bits |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Supported Bits |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
18
Length
6
Supported Bits
This field is 4 octets, most significant octet first.
3 2 1
1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |H| |M|S|L|D| |C|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Pall & Zorn Informational [Page 2]
RFC 3078 MPPE Protocol March 2001
The 'C' bit is used by MPPC [4] and is not discussed further in this
memo. The 'D' bit is obsolete; although some older peers may attempt
to negotiate this option, it SHOULD NOT be accepted. If the 'L' bit
is set (corresponding to a value of 0x20 in the least significant
octet), this indicates the desire of the sender to negotiate the use
of 40-bit session keys. If the 'S' bit is set (corresponding to a
value of 0x40 in the least significant octet), this indicates the
desire of the sender to negotiate the use of 128-bit session keys.
If the 'M' bit is set (corresponding to a value of 0x80 in the least
significant octet), this indicates the desire of the sender to
negotiate the use of 56-bit session keys. If the 'H' bit is set
(corresponding to a value of 0x01 in the most significant octet),
this indicates that the sender wishes to negotiate the use of
stateless mode, in which the session key is changed after the
transmission of each packet (see section 10, below). In the
following discussion, the 'S', 'M' and 'L' bits are sometimes
referred to collectively as "encryption options".
All other bits are reserved and MUST be set to 0.
2.1. Option Negotiation
MPPE options are negotiated as described in [2]. In particular, the
negotiation initiator SHOULD request all of the options it supports.
The responder SHOULD NAK with a single encryption option (note that
stateless mode may always be negotiated, independent of and in
addition to an encryption option). If the responder supports more
than one encryption option in the set requested by the initiator, the
option selected SHOULD be the "strongest" option offered.
Informally, the strength of the MPPE encryption options may be
characterized as follows:
STRONGEST
128-bit encryption ('S' bit set)
56-bit encryption ('M' bit set)
40-bit encryption ('L' bit set)
WEAKEST
This characterization takes into account the generally accepted
strength of the cipher.
The initiator SHOULD then either send another request containing the
same option(s) as the responder's NAK or cancel the negotiation,
dropping the connection.
Pall & Zorn Informational [Page 3]
RFC 3078 MPPE Protocol March 2001
3. MPPE Packets
Before any MPPE packets are transmitted, PPP MUST reach the Network-
Layer Protocol phase and the CCP Control Protocol MUST reach the
Opened state.
Exactly one MPPE datagram is encapsulated in the PPP Information
field. The PPP Protocol field indicates type 0x00FD for all
encrypted datagrams.
The maximum length of the MPPE datagram transmitted over a PPP link
is the same as the maximum length of the Information field of a PPP
encapsulated packet.
Only packets with PPP Protocol numbers in the range 0x0021 to 0x00FA
are encrypted. Other packets are not passed thru the MPPE processor
and are sent with their original PPP Protocol numbers.
Padding
It is recommended that padding not be used with MPPE. If the
sender uses padding it MUST negotiate the Self-Describing-
Padding Configuration option [10] during LCP phase and use
self-describing pads.
Reliability and Sequencing
The MPPE scheme does not require a reliable link. Instead, it
relies on a 12-bit coherency count in each packet to keep the
encryption tables synchronized. If stateless mode has not been
negotiated and the coherency count in the received packet does
not match the expected count, the receiver MUST send a CCP
Reset-Request packet to cause the resynchronization of the RC4
tables.
MPPE expects packets to be delivered in sequence.
MPPE MAY be used over a reliable link, as described in "PPP
Reliable Transmission" [6], but this typically just adds
unnecessary overhead since only the coherency count is
required.
Data Expansion
The MPPE scheme does not expand or compress data. The number
of octets input to and output from the MPPE processor are the
same.
Pall & Zorn Informational [Page 4]
RFC 3078 MPPE Protocol March 2001
3.1. Packet Format
A summary of the MPPE packet format is shown below. The fields are
transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PPP Protocol |A|B|C|D| Coherency Count |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Encrypted Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
PPP Protocol
The PPP Protocol field is described in the Point-to-Point
Protocol Encapsulation [1].
When MPPE is successfully negotiated by the PPP Compression
Control Protocol, the value of this field is 0x00FD. This
value MAY be compressed when Protocol-Field-Compression is
negotiated.
Bit A
This bit indicates that the encryption tables were initialized
before this packet was generated. The receiver MUST re-
initialize its tables with the current session key before
decrypting this packet. This bit is referred to as the FLUSHED
bit in this document. If the stateless option has been
negotiated, this bit MUST be set on every encrypted packet.
Note that MPPC and MPPE both recognize the FLUSHED bit;
therefore, if the stateless option is negotiated, it applies to
both MPPC and MPPE.
Bit B
This bit does not have any significance in MPPE.
Bit C
This bit does not have any significance in MPPE.
Bit D
This bit set to 1 indicates that the packet is encrypted. This
bit set to 0 means that this packet is not encrypted.
Pall & Zorn Informational [Page 5]
RFC 3078 MPPE Protocol March 2001
Coherency Count
The coherency count is used to assure that the packets are sent
in proper order and that no packet has been dropped. It is a
monotonically increasing counter which incremented by 1 for
each packet sent. When the counter reaches 4095 (0x0FFF), it
is reset to 0.
Encrypted Data
The encrypted data begins with the protocol field. For
example, in case of an IP packet (0x0021 followed by an IP
header), the MPPE processor will first encrypt the protocol
field and then encrypt the IP header.
If the packet contains header compression, the MPPE processor
is applied AFTER header compression is performed and MUST be
applied to the compressed header as well. For example, if a
packet contained the protocol type 0x002D (for a compressed
TCP/IP header), the MPPE processor would first encrypt 0x002D
and then it would encrypt the compressed Van-Jacobsen TCP/IP
header.
Implementation Note
If both MPPE and MPPC are negotiated on the same link, the MPPE
processor MUST be invoked after the MPPC processor by the
sender and the MPPE processor MUST be invoked before the MPPC
processor by the receiver.
4. Initial Session Keys
In the current implementation, initial session keys are derived from
peer credentials; however, other derivation methods are possible.
For example, some authentication methods (such as Kerberos [8] and
TLS [9]) produce session keys as side effects of authentication;
these keys may be used by MPPE in the future. For this reason, the
techniques used to derive initial MPPE session keys are described in
separate documents.
5. Initializing RC4 Using a Session Key
Once an initial session key has been derived, the RC4 context is
initialized as follows:
rc4_key(RC4Key, Length_Of_Key, Initial_Session_Key)
Pall & Zorn Informational [Page 6]
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?