rfc2341.txt

来自「<VC++网络游戏建摸与实现>源代码」· 文本 代码 · 共 1,585 行 · 第 1/5 页

Valencia, et. al.               Historic                       [Page 17]

RFC 2341                       Cisco L2F                        May 1998


4.4 L2F management message types

   When an L2F packet's Proto field specifies L2F management, the body
   of the packet is encoded as zero or more options.  An option is a
   single octet "message type", followed by zero or more sub-options.
   Each sub-option is a single byte sub-option value, and further bytes
   as appropriate for the sub-option.

   Options in L2F are:


   Hex Value       Abbreviation       Description
   --------        ------------       -----------
    0x00            Invalid           Invalid message
    0x01            L2F_CONF          Request configuration
    0x02            L2F_CONF_NAME     Name of peer sending L2F_CONF
    0x03            L2F_CONF_CHAL     Random number peer challenges with
    0x04            L2F_CONF_CLID     Assigned_CLID for peer to use
    0x02            L2F_OPEN          Accept configuration
    0x01            L2F_OPEN_NAME     Name received from client
    0x02            L2F_OPEN_CHAL     Challenge client received
    0x03            L2F_OPEN_RESP     Challenge response from client
    0x04            L2F_ACK_LCP1      LCP CONFACK accepted from client
    0x05            L2F_ACK_LCP2      LCP CONFACK sent to client
    0x06            L2F_OPEN_TYPE     Type of authentication used
    0x07            L2F_OPEN_ID       ID associated with authentication
    0x08            L2F_REQ_LCP0      First LCP CONFREQ from client
    0x03            L2F_CLOSE         Request disconnect
    0x01            L2F_CLOSE_WHY     Reason code for close
    0x02            L2F_CLOSE_STR     ASCII string description
    0x04            L2F_ECHO          Verify presence of peer
    0x05            L2F_ECHO_RESP     Respond to L2F_ECHO

4.4.1 L2F message type: Invalid

   If a message is received with this value, or any value higher than
   the last recognized option value, or if an illegal packet as defined
   by other parts of this specification is received, the packet is
   considered invalid.  The packet MUST be discarded, and an L2F_CLOSE
   of the entire tunnel MUST be requested.  Upon receipt of an
   L2F_CLOSE, the tunnel itself may be closed.  All other received
   message MUST be discarded.  An implementation MAY close the tunnel
   after an interval of time appropriate to the characteristics of the
   tunnel.







Valencia, et. al.               Historic                       [Page 18]

RFC 2341                       Cisco L2F                        May 1998


   Note that packets with an invalid Key are discarded, but disconnect
   is not initiated.  This prevents denial-of-service attacks.  Invalid
   option types within a message MUST be treated as if the entire
   message type was invalid.

4.4.2 L2F_CONF

   The L2F message type is used to establish the tunnel between the NAS
   and the Home Gateway.  MID is always set to 0.  The body of such a
   message starts with the octet 0x01 (L2F_CONF), followed by all three
   of the sub-options below.

   The L2F_CONF_NAME sub-option MUST be present.  It is encoded as the
   octet value 0x02, followed by an octet specifying a non-zero length,
   followed by the indicated number of bytes, which are interpreted as
   the sender's ASCII name.

   The L2F_CONF_CHAL sub-option MUST be present.  It is encoded as the
   octet value 0x03, followed by a non-zero octet, followed by a number
   of bytes specified by this non-zero octet.

   The challenge value should be generated using whatever techniques
   provide the highest quality of random numbers available to a given
   implementation.

   The L2F_CONF_CLID sub-option MUST be present.  It is encoded as the
   octet 0x04, followed by four bytes of Assigned_CLID value.  The
   Assigned_CLID value is generated as a non-zero 16-bit integer value
   unique across all tunnels which exist on the sending system.  The
   least significant two octets of Assigned_CLID are set to this value,
   and the most significant two octets MUST be set to 0.

   The CLID field is sent as 0 in the initial L2F_CONF packet from NAS
   to Home Gateway, and otherwise MUST be sent containing the value
   specified in the Assigned_CLID field of the last L2F_CONF message
   received.

   Key MUST be set to 0 in all L2F_CONF packets, and no key field is
   included in the packet.

   When sent from a NAS to a Home Gateway, the L2F_CONF is the initial
   packet in the conversation.

   When sent from the Home Gateway to the NAS, an L2F_CONF indicates the
   Home Gateway's recognition of the tunnel creation request.  The Home
   Gateway MUST provide its name and its own challenge in the message
   body.




Valencia, et. al.               Historic                       [Page 19]

RFC 2341                       Cisco L2F                        May 1998


   In all packets following the L2F_CONF, the Key MUST be set to the
   CHAP-style hash of the received challenge bytes.  The CHAP-style hash
   is done over the concatenation of the low 8 bits of the assigned
   CLID, the secret, and the challenge value.  Generation of the 32-bit
   key value is discussed in section 4.2.11.

4.4.3 L2F_OPEN, tunnel establishment

   The L2F_OPEN message is used to provide tunnel setup closure (for a
   MID of 0) or to establish a client connection within a tunnel
   previously established by L2F_CONF and L2F_OPEN messages (MID not
   equal to 0).  This section describes tunnel establishment; section
   4.4.4 following describes clients established within the tunnel.

   An L2F_OPEN for tunnel establishment MUST contain only the sub-option
   0x03, L2F_OPEN_RESP.  This option MUST be followed by the octet 0x10,
   specifying the size of the 128-bit MD5 digest resulting from
   encrypting the challenge value in the L2F_CONF, along with the low
   byte of the Assigned_CLID.  After this byte MUST be the sixteen bytes
   of the generated MD5 digest.

   If during tunnel establishment an L2F_OPEN is received with an
   incorrect L2F_OPEN_RESP, the packet MUST be silently discarded.  It
   is recommended that such an event generate a log event as well.

4.4.4 L2F_OPEN, client establishment

   An L2F_OPEN (with non-zero MID) sent from the NAS to the Home Gateway
   indicates the presence of a new dial-in client.  When sent back from
   the Home Gateway to the NAS, it indicates acceptance of the client.
   This message starts with the octet 0x02.  When sent from the NAS, it
   may contain further sub-options.  When sent from the Home Gateway, it
   may not contain any sub-options.  All further discussion of sub-
   options in this section apply only to the NAS to Home Gateway
   direction.

   The L2F_OPEN_TYPE sub-option MUST be present.  It is encoded as the
   octet 0x06, followed by a single byte describing the type of
   authentication the NAS exchanged with the client in detecting the
   client's claimed identification.  Implicit in the authentication type
   is the encapsulation to be carried over the life of the session.  The
   authentication types are:

      0x01 Textual username/password exchange for SLIP
      0x02 PPP CHAP
      0x03 PPP PAP
      0x04 PPP no authentication
      0x05 SLIP no authentication



Valencia, et. al.               Historic                       [Page 20]

RFC 2341                       Cisco L2F                        May 1998


   The L2F_OPEN_NAME sub-option is encoded as the octet 0x01, followed
   by an octet specifying the length of the name, followed by the
   indicated number of bytes of the name.  This field MUST be present
   for any authentication type except 0x04 (None).  It MUST contain the
   name specified in the client's authentication response.

   The L2F_OPEN_CHAL sub-option is encoded as the octet 0x02, followed
   by an octet specifying the length of the challenge sent, followed by
   the challenge itself.  This field is only present for CHAP, and MUST
   contain the challenge value sent to the client by the NAS.

   The L2F_OPEN_RESP sub-option is encoded as the octet 0x03, followed
   by an octet specifying the length of the response received, followed
   by the client's response to the challenge.  For CHAP, this field
   contains the response value received by the NAS.  For PAP or textual
   authentication, it contains the clear text password received from the
   client by the NAS.  This field is absent for authentication 0x04
   "None".

   The L2F_ACK_LCP1 and L2F_ACK_LCP2 sub-options are encoded as the
   octets 0x04 and 0x05 respectively, followed in either case by two
   octets in network byte order specifying the length of the LCP CONFACK
   last received from or sent to the client.  Following these octets is
   an exact copy of the CONFACK packet.  L2F_ACK_LCP1 specifies a copy
   of the closing CONFACK received from the client, and L2F_ACK_LCP2
   specifies a copy of the closing CONFACK sent to the client by the
   NAS.

   The L2F_REQ_LCP0 sub-option is encoded as the octet 0x08, followed by
   two octets in network byte order specifying the length of the LCP
   CONFREQ initially received from the client.  This may be used by the
   Home Gateway to detect capabilities of the client which were
   negotiated away while starting LCP with the NAS.  Detection of such
   options may be used by the Home Gateway to decide to renegotiate LCP.

   The L2F_OPEN_ID sub-option is encoded as the octet 0x06, followed by
   a single octet.  This sub-option is only present for CHAP; the single
   octet contains the CHAP Identifier value sent to the client during
   the CHAP challenge.

   The Home Gateway may choose to ignore any sub-option of the L2F_OPEN,
   and accept the connection anyway.  The Home Gateway would then have
   to undertake its own LCP negotiations and authentication.  To
   maximize the transparency of the L2F tunnel, it is recommended that
   extra negotiations and authentication be avoided if possible.






Valencia, et. al.               Historic                       [Page 21]

RFC 2341                       Cisco L2F                        May 1998


4.4.5 L2F_CLOSE

   This message is encoded as the byte 0x03.  An L2F_CLOSE may be sent
   by either side of the tunnel at any time.  When sent with MID of 0,
   it indicates the desire to terminate the entire tunnel and all
   clients within the tunnel.  When sent from the Home Gateway in
   response to an L2F_OPEN, it indicates that the Home Gateway has
   declined the connection.  When sent with a non-zero MID, it indicates
   the termination of that client within the tunnel.

   The L2F_CLOSE_WHY sub-option is encoded as the byte 0x01 followed
   four bytes in network byte order specifying a bit mask of reasons for
   the disconnection.  The bits are encoded as:

      0x00000001 Authentication failed
      0x00000002 Out of resources
      0x00000004 Administrative intervention
      0x00000008 User quota exceeded
      0x00000010 Protocol error
      0x00000020 Unknown user
      0x00000040 Incorrect password
      0x00000080 PPP configuration incompatible
      0x00000100 Wrong multilink PPP destination

   Bits in the mask 0xFF000000 are reserved for per-vendor
   interpretation.

   An implementation can choose to not provide status bits even if it
   detects a condition described by one of these bits.  For instance, an
   implementation may choose to not use 0x00000020 due to security
   considerations, as it can be used to probe user name space.

   The L2F_CLOSE_STR sub-option is encoded as the byte 0x02, followed by
   a two-byte length in network byte order, followed by the indicated
   number of bytes, which are interpreted as descriptive ASCII text
   associated with the disconnection.  This string may be ignored, but
   could be recorded in a log to provide detailed or auxiliary
   information associated with the L2F_CLOSE.

4.4.6 L2F_ECHO

   Transmission of L2F_ECHO messages is optional.  If an implementation
   transmits L2F_ECHO messages, it MUST not transmit more than one such
   request each second.  The payload size MUST be 64 bytes or less in
   length.  It is recommended that at least 5 L2F_ECHO messages be sent
   without response before an implementation assumes that its peer has
   terminated.




Valencia, et. al.               Historic                       [Page 22]

RFC 2341                       Cisco L2F                        May 1998


   The L2F_ECHO message is encoded as the single byte 0x04.  It may be
   sent by either side once the tunnel is established.  MID MUST be 0.
   An L2F_ECHO_RESP (documented below) MUST be sent back in response.

4.4.7 L2F_ECHO_RESP

   All implementations MUST respond to L2F_ECHO, using L2F_ECHO_RESP.
   The received packet MUST be sent back verbatim, except that the CLID,
   sequence number, and checksum (if any) MUST be updated, and the
   L2F_ECHO message type changed to an L2F_ECHO_RESP.  Payload data
   following the 0x04 octet, if any, MUST be preserved in the response.

   When an L2F_ECHO_RESP is received, the payload data may be used to
   associate this response with a previously sent L2F_ECHO, or the
   packet may be silently discarded.

4.5 L2F Message Delivery

   L2F is designed to operate over point-to-point unreliable links.  It
   is not designed to provide flow control of the data traffic, nor does
   it provide reliable delivery of this traffic; each protocol tunnel
   carried via L2F is expected to manage flow control and retry itself.
   Thus, it is only L2F control messages which must be retransmitted;
   this process is described in this section.

4.5.1 Sequenced delivery

   All L2F control messages (i.e., those L2F packets with a protocol
   type of 0x01) are transmitted with a sequence number.  The sequence
   number is a per-L2F tunnel free running counter which is incremented