ITEM: CK3507L

PPP demand interfaces for static IP addresses on AIX 4.2


env:
        AIX 4.2.0.0
        7012-32H

description:
                You are having difficulties limiting PPP access to
                certain ttys. You were using Morningstar software at
                AIX 3.2.5, which accomplished that. You are trying to
                find a way around the dynamic IP addressing for
                clients that call in. You are at a university and
                fear becoming a free ISP for the community,
                so you need to restrict access.

Peter just upgraded from 3.2.5 to 4.2.0, and at 3.2.5 he had
Morningstar PPP for AIX, which gave him the ability to associate
a certain IP address with a particular tty: you log in to tty##
and start PPP, and the PPP server assigns you the static IP
that the server associates with that tty. This way he could have a
pool of modems and restrict it so that callers could only start
up PPP on certain ttys. Is there any way to accomplish this under AIX
4.2's PPP?

ACT:

1) You can't restrict PPP from being started on a certain tty.  Suggest
   writing a script that checks the output of the `tty` command and
   only starts pppattachd server if you are on a certain tty.

2) To assign out a static IP address to a PPP caller, use demand
   interfaces to assign it a static IP.

We began by installing the latest PPP maintenance: bos.net.ppp at the
4.2.0.8 level.

To set up an AIX machine as a PPP demand server I did the
following:

smit ppp
  Link control
    Add link control
      0 client
      0 server
      1 demand       (my system only has one modem on it)
     
  PPP interfaces
    Add a demand interface
      Local IP:            My server IP for the connection
      Starting remote IP:  The IP address I want to assign out
                           for THIS demand interface
                           
  stop and then restart PPP.
  
  Now netstat -in will show that the ppp interface created above (pp0
  in my case) has an IP address, and if I do an ifconfig pp0 I see
  that, in addition, it has the remote IP address it's going to
  assign out.


  I created a user called "ppp" and then in that user's .profile
  I put the following:
  
  export PPP_DEMAND_NET=0
  exec /usr/sbin/pppattachd demand
  
  So, when someone calls up my system and logs in as "ppp" they
  will always be given the same IP address. The client is assigned
  the IP address corresponding to the pp# interface, where #
  is the value in PPP_DEMAND_NET.  As another example, if I set
  PPP_DEMAND_NET=5 then the caller would be assigned the IP address
  seen in ifconfig pp5.
  

        Wrote a small sample script to restrict which tty's PPP could
        be started from:

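#!/bin/ksh

# Start PPP only from the permitted tty (## is a placeholder).
if [ "`tty`" = "/dev/tty##" ]
then
   # Must be exported so that pppattachd sees it in its environment.
   export PPP_DEMAND_NET=##
   exec /usr/sbin/pppattachd demand
else
   echo "You can't run PPP from `tty` "
fi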


Instead of putting the above into .profile you created a script
called "ppplogin" which users run to start PPP.  Your script was
something like this:

#!/bin/ksh
PPP_DEMAND_NET=0
exec /usr/sbin/pppattachd demand

We did a kill -30 on the PID of pppcontrold to put PPP into detailed
debugging mode. With debugging on, the server writes this to syslog
when someone dials in and runs the script above:

Feb 11 13:27:40 /usr/sbin/pppcontrold[11484]: 0838-301 DEBUG TURNED ON
Feb 11 13:29:04 pppattachd[10770]: 0838-005 Invalid arguments specified

Suspected that this may have something to do with starting a new
shell - you're execing pppattachd, but not from the lowest level
(login) shell.

After much testing this version of ppplogin script fails:

PPP_DEMAND_NET=0
exec /usr/sbin/pppattachd demand

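This works flawlessly (export places PPP_DEMAND_NET in the environment
that the exec'd pppattachd inherits; without it the variable stays
local to the shell):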

export PPP_DEMAND_NET=0
exec /usr/sbin/pppattachd demand
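
An added example, not part of the original item: a ppplogin wrapper that combines the tty check with the exported PPP_DEMAND_NET, using a table that maps each permitted tty to its demand interface and refusing (and logging to syslog) any other line. The tty names, interface numbers and function names are constructed assumptions.

```shell
#!/bin/ksh
# Added example: per-tty allowlist wrapper around pppattachd.
# Each pair is "tty-device demand-interface-number" (constructed values):
# /dev/tty0 gets the address configured on pp0, /dev/tty1 the one on pp1.
PPP_TTY_MAP='
/dev/tty0 0
/dev/tty1 1
'

# Print the demand interface number for tty $1.
# Returns 1 (fail closed) when the tty is not in the table.
demand_net_for_tty() {
    set -- "$1" $PPP_TTY_MAP      # $1 = wanted tty, then the table pairs
    want=$1
    shift
    while [ $# -ge 2 ]; do
        if [ "$1" = "$want" ]; then
            case $2 in
                ''|*[!0-9]*) return 1 ;;   # reject a malformed table entry
            esac
            echo "$2"
            return 0
        fi
        shift 2
    done
    return 1
}

ppplogin_main() {
    line=$(tty) || line="(no tty)"
    if net=$(demand_net_for_tty "$line"); then
        PPP_DEMAND_NET=$net
        export PPP_DEMAND_NET     # unexported, pppattachd fails with 0838-005
        exec /usr/sbin/pppattachd demand
    fi
    # Refused: leave a syslog record of who tried and from which line.
    logger -p auth.notice "ppplogin: PPP refused for $(id -un) on $line"
    echo "You can't run PPP from $line"
    return 1
}

# Act only when installed under the name "ppplogin".
case ${0##*/} in
    ppplogin) ppplogin_main ;;
esac
```

Each tty listed in the table needs a matching demand interface defined through smit ppp.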

Now the PC dialing in using Trumpet Winsock can ping the RS/6000 and
vice versa.  Since you have the PPP IP addresses on a separate subnet
(good!) there is no need to do pseudo proxy ARP to get the RS/6000 to
pick up packets destined for the PC's IP.  We just added a route to
your router's routing table making the RS/6000's ethernet interface the
gateway to the PPP subnet.

Now in order to get AIX to forward packets between its IP interfaces
(the pp# and en# interfaces in this case):

        no -o ipforwarding=1

        and added routes to your router so that it knew to forward
        packets to the RS/6000's ethernet interface as the gateway
        to the PPP subnet.   To make this change take effect on each
        reboot, you can add the above no command to /etc/rc.net

Though you have done this correctly by putting the PPP IPs on a
separate subnet, just as an FYI: if the PPP interfaces and the en0
interface had IP addresses on the same subnet, you could get the
RS/6000's ethernet interface to pick up packets destined for the PPP
client's IP address with:

        arp -s ether  \  \  perm



Dated: February 1997 Category: N/A
This HTML file was generated 99/06/24~13:30:17