PPPoE Quiz

Explanation: PPPoE stands for Point-to-Point Protocol over Ethernet. It is defined in RFC 2516 and is designed to encapsulate PPP frames inside Ethernet frames. PPPoE combines the authentication and encryption features of PPP with the multi-user support of Ethernet, making it ideal for ISP broadband deployments.

Explanation: PPPoE uses two distinct EtherType values: 0x8863 for the Discovery stage (PADI, PADO, PADR, PADS packets) and 0x8864 for the Session stage (after the session is established). The value 0x0800 is for IPv4, and 0x0806 is for ARP.

Explanation: PADS (PPPoE Active Discovery Session-confirmation) is the final packet of the Discovery stage. When the PPPoE server receives a PADR (Request) packet, it generates a unique Session ID to identify the PPPoE session and sends it back to the client in the PADS packet. This Session ID is used in all subsequent communications during the session.

Explanation: PAP is a two-way handshake protocol that transmits passwords in plaintext over the network. In contrast, CHAP uses a three-way handshake and transmits only a hashed response (using MD5), never sending the actual password. Therefore, CHAP is significantly more secure than PAP.

Explanation: The Discovery stage follows this exact sequence: This four-step process establishes the PPPoE session before moving to the Session stage.

Explanation: The PPPoE Session stage includes three PPP sub-phases:

1. LCP (Link Control Protocol): Establishes and configures the data link connection, negotiating parameters like MRU (Maximum Receive Unit) and authentication protocols.

2. Authentication Phase: Verifies user credentials using PAP or CHAP against a local user table or RADIUS server.

3. NCP (Network Control Protocol): Configures network-layer parameters, primarily using IPCP (IP Control Protocol) to assign IP addresses, DNS servers, and other network settings.

Explanation: The AC-Cookie (Access Concentrator Cookie) is a security mechanism included in PADO packets by the PPPoE server. It contains a unique value that the client must return in the PADR packet. This prevents certain DoS attacks where an attacker might flood the server with spoofed PADR requests, as the server can verify the cookie to ensure the request is legitimate and part of an ongoing discovery process.

Explanation: IPCP (IP Control Protocol) is the specific NCP used for configuring IP-related parameters. During IPCP negotiation, the PPPoE client and server exchange Configure-Request packets to negotiate IP addresses, DNS server addresses, and WINS server addresses. Once both sides send and receive Configure-ACK packets, the PPPoE client can access the network with the assigned IP configuration.

Explanation: The sequence indicates the failure occurs between PADO (received) and PADS (not received). Since PADO was received, the client should send a PADR (PPPoE Active Discovery Request) to the selected server. If PADS is never received, the most likely causes are:

1. The PADR packet is being dropped or not reaching the server (network issues, MAC address filtering)
2. The server is unable to allocate resources for the session

Option B is less likely because server resource exhaustion is rare. Option D is incorrect because LCP negotiation occurs after the Session stage begins (after PADS), not during Discovery. The timing clearly points to a PADR delivery issue.

Explanation: PPPoE and DHCP serve fundamentally different purposes and are not competitors:

PPPoE: Operates at the Data Link Layer (Layer 2), provides user authentication (PAP/CHAP), session management, and creates a point-to-point connection over Ethernet. It is connection-oriented.

DHCP: Operates at the Application Layer (Layer 7) over UDP, provides automatic IP address allocation without authentication. It is connectionless.

In many ISP deployments, they work together: PPPoE authenticates the user and establishes the session, then DHCP may be used within that session for IP allocation, or IPCP may be used instead.

Explanation: CHAP security superiority stems from its mechanism:

Three-way Handshake:
1. Server sends Challenge (random value)
2. Client computes hash = MD5(Packet ID + Password + Challenge) and sends Response (hash + username)
3. Server computes expected hash using stored password and compares

The actual password never traverses the network—only a hash response. Additionally, CHAP uses a unique Challenge for each authentication, preventing replay attacks. PAP simply sends username:password in plaintext, making it vulnerable to eavesdropping.

Explanation: PPPoE is specifically designed for ISP subscriber management:

Per-user Authentication: Each subscriber must provide valid credentials (username/password) via PAP or CHAP, enabling individual access control.

Session Tracking: The unique Session ID assigned during PADS allows the ISP to track individual subscriber sessions, monitor online status, and distinguish traffic between users sharing the same access concentrator.

RADIUS Integration: PPPoE servers (BRAS/BNG) can forward authentication and accounting requests to RADIUS servers, enabling centralized user management, bandwidth control, and detailed usage logging for billing purposes.

Static IP lacks authentication and session management. DHCP lacks built-in authentication and per-session tracking capabilities.