PAP: Password Authentication Protocol for PPP Links
The Password Authentication Protocol (PAP), a Link Control Protocol in the PPP suite, provides a simple method for the peer to establish its identity using a 2-way handshake. This is done only upon initial link establishment.
After the Link Establishment phase is complete, an Id/Password pair is repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated.
PAP is not a strong authentication method. Passwords are sent over the circuit in clear text, and there is no protection from sniffing, playback or repeated trial-and-error attacks. The peer is in control of the frequency and timing of the attempts. Any implementation that includes a stronger authentication method (such as CHAP) MUST offer to negotiate that method prior to PAP.
This authentication method is most appropriately used where a plaintext password must be available to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host.
Protocol Structure - PAP: Password Authentication Protocol
Configuration Option format for Password Authentication Protocol:

| 8 | 16 | 32bit |
|---|---|---|
| Type | Length | Authentication-Protocol |

- Type - 3
- Length - 4
- Authentication-Protocol - C023 (Hex) for Password Authentication Protocol
Password Authentication Protocol (PAP) packet format:

| 8 | 16 | 32bit | variable |
|---|---|---|---|
| Code | Identifier | Length | Data |

- Code - The Code field is one octet and identifies the type of PAP packet. PAP Codes are assigned as follows:
  - 1 - Authenticate-Request
  - 2 - Authenticate-Ack
  - 3 - Authenticate-Nak
- Identifier - The Identifier field is one octet and aids in matching requests and replies.
- Length - The Length field is two octets and indicates the length of the PAP packet including the Code, Identifier, Length and Data fields. Octets outside the range of the Length field should be treated as Data Link Layer padding and should be ignored on reception.
- Data - The Data field is zero or more octets. The format of the Data field is determined by the Code field.
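
The packet format above, as an added example that is not from the original page: a Python decoder that honours the Length field, ignores trailing padding and rejects malformed length-prefixed fields. The sub-layout of the Data field (Peer-ID-Length, Peer-ID, Passwd-Length, Password for requests; Msg-Length, Message for Ack/Nak) and the code numbers are taken from RFC 1334; `parse_pap`, `build_request` and the sample frame are names and data constructed for this example.

```python
import struct

# Code values as assigned in RFC 1334.
PAP_CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack", 3: "Authenticate-Nak"}

def _lv(buf: bytes):
    """Split one length-prefixed field (1-octet length, then value)."""
    if not buf or buf[0] > len(buf) - 1:
        raise ValueError("length-prefixed field overruns the Data field")
    return buf[1:1 + buf[0]], buf[1 + buf[0]:]

def parse_pap(frame: bytes) -> dict:
    """Decode one PAP packet (PPP information field for protocol 0xC023)."""
    if len(frame) < 4:
        raise ValueError("shorter than the 4-octet PAP header")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code not in PAP_CODES:
        raise ValueError(f"unknown PAP code {code}")
    if length < 4 or length > len(frame):
        raise ValueError("Length field does not fit the received frame")
    data = frame[4:length]  # octets past Length are link-layer padding: ignored
    out = {"code": PAP_CODES[code], "identifier": ident, "length": length,
           "padding": len(frame) - length}
    if code == 1:
        # Request data: Peer-ID-Length, Peer-ID, Passwd-Length, Password.
        peer_id, rest = _lv(data)
        password, _ = _lv(rest)
        out["peer_id"] = peer_id.decode("ascii", "replace")
        # Nothing hides the password on the wire; report only its size here.
        out["cleartext_password_octets"] = len(password)
    else:
        # Ack/Nak data: Msg-Length, Message (the message may be empty).
        out["message"] = _lv(data)[0].decode("ascii", "replace") if data else ""
    return out

def build_request(ident: int, peer_id: bytes, password: bytes, pad: int = 0) -> bytes:
    """Assemble a sample Authenticate-Request, optionally followed by padding."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body + b"\x00" * pad

# Constructed sample frame (not captured traffic): two padding octets appended.
SAMPLE_REQUEST = build_request(7, b"branch-router", b"example-secret", pad=2)
```

A monitoring tool can use the same decoding to flag any link that still negotiates C023 and carries readable credentials.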
Related Protocols
PPP, LCP, NCP, CHAP
Sponsor Source
PAP is defined by IETF (http://www.ietf.org) RFC 1334, which was replaced by RFC 1994.