Ftp Web Hosting - J2Ee Hosting Sun Java Developing Blog

faultroute option.49 The default route simplifies your routing by causing any IP datagram destined to a nonlocal host to be sent to c3po; this makes sense since it is the only way they can be reached. There are a number of different routing schemes pppd supports, which we will cover in detail later in this chapter. Using Options Files Before pppd parses its command-line arguments, it scans several files for default options. These files may contain any valid command-line arguments spread out across an arbitrary number of lines. Hash signs introduce comments. The first options file is /etc/ppp/options, which is always scanned when pppd starts up. Using it to set some global defaults is a good idea, because it allows you to keep your users from doing several things that may compromise security. For instance, to make pppd require some kind of authentication (either PAP or CHAP) from the peer, you add the auth option to this file. This option cannot be overridden by the user, so it becomes impossible to establish a PPP connection with any system that is not in your authentication databases. Note, however, that some options can be overridden; the connect string is a good example. The other options file, which is read after /etc/ppp/options, is .ppprc in the user’s home directory. It allows each user to specify her own set of default options. A sample /etc/ppp/options file might look like this: # Global options for pppd running on vlager.vbrew.com lock # use UUCP-style device locking auth # require authentication usehostname # use local hostname for CHAP domain vbrew.com # our domain name The lock keyword makes pppd comply to the standard UUCP method of device locking. With this convention, each process that accesses a serial device, say /dev/ttyS3, creates a lock file with a name like LCK..ttyS3 in a special lock-file directory to signal that the device is in use. This is necessary to prevent signal other programs, such as minicomor uucico, from opening the serial device while it is used by PPP. The next three options relate to authentication and, therefore, to system security. The authentication options are best placed in the global configuration file because they are “privileged” and cannot be overridden by users’ ~/.ppprc options files. Using chat to Automate Dialing One of the things that may have struck you as inconvenient in the previous example is that you had to establish the connection manually before you could fire up pppd. Unlike dip, pppd does not have its own scripting language for dialing the remote system and logging in, but relies on an external program or shell script to do this. The command to be executed can be given to pppd with the connect command-line option. pppd will redirect the command’s standard input and output to the serial line. The pppd software package is supplied with a very simple program called chat, which is capable of being used in this way to automate simple login sequences. We’ll talk about this command in some detail. If your login sequence is complex, you will need something more powerful than chat. One useful alternative you might consider is expect, written by Don Libes. It has a very powerful language based on Tcl, and was designed exactly for this sort of application. Those of you whose login sequence requires, for example, challenge/ response authentication involving calculator-like key generators will find expect powerful enough to handle the task. Since there are so many possible variations on this theme, we won’t describe how to develop an appropriate expect script in this book. Suffice it to say, you’d call your expect script by specifying its name using the pppdconnect option. It’s also important to note that when the script is running, the standard input and output will be attached to the modem, not to the terminal that invoked pppd. If you require user interaction, you should manage it by opening a spare virtual terminal, or arrange some other means. The default network route is installed only if none is already present.

Like SLIP, PPP is implemented by a special line discipline. To use a serial line as a PPP link, you first establish the connection over your modem as usual, and subsequently convert the line to PPP mode. In this mode, all incoming data is passed to the PPP driver, which checks the incoming HDLC frames for validity (each HDLC frame carries a 16-bit checksum), and unwraps and dispatches them. Currently, PPP is able to transport both the IP protocol, optionally using Van Jacobson header compression, and the IPX protocol. pppd aids the kernel driver, performing the initialization and authentication phase that is necessary before actual network traffic can be sent across the link. pppd’s behavior may be fine-tuned using a number of options. As PPP is rather complex, it is impossible to explain all of them in a single chapter. This book therefore cannot cover all aspects of pppd, but only gives you an introduction. For more information, consult Using & Managing PPP or the pppd manual pages, and READMEs in the pppd source distribution, which should help you sort out most questions this chapter fails to discuss. The PPP-HOWTO might also be of use. Probably the greatest help you will find in configuring PPP will come from other users of the same Linux distribution. PPP configuration questions are very common, so try your local usergroup mailing list or the IRC Linux channel. If your problems persist even after reading the documentation, you could try the comp.protocols.ppp newsgroup. This is the place where you can find most of the people involved in pppd development. Running pppd When you want to connect to the Internet through a PPP link, you have to set up basic networking capabilities, such as the loopback device and the resolver. Both have been covered in Chapter 5, Configuring TCP/IP Networking, and Chapter 6, Name Service and Resolver Configuration. You can simply configure the name server of your Internet Service Provider in the /etc/resolv.conf file, but this will mean that every DNS request is sent across your serial link. This situation is not optimal; the closer (network-wise) you are to your name server, the faster the name lookups will be. An alternative solution is to configure a caching-only name server at a host on your network. This means that the first time you make a DNS query for a particular host, your request will be sent across your serial link, but every subsequent request will be answered directly by your local name server, and will be much faster. This configuration is described in Chapter 6, in “Caching-only named Configuration”. As an introductory example of how to establish a PPP connection with pppd, assume you are at vlager again. First, dial in to the PPP server c3po and log in to the ppp account. c3po will execute its PPP driver. After exiting the communications program you used for dialing, execute the following command, substituting the name of the serial device you used for the ttyS3 shown here: # pppd /dev/ttyS3 38400 crtscts defaultroute This command flips the serial line ttyS3 to the PPP line discipline and negotiates an IP link with c3po. The transfer speed used on the serial port will be 38,400 bps. The crtscts option turns on hardware handshake on the port, which is an absolute must at speeds above 9,600 bps. The first thing pppd does after starting up is negotiate several link characteristics with the remote end using LCP. Usually, the default set of options pppd tries to negotiate will work, so we won’t go into this here. Expect to say that part of this negotiation involves requesting or assigning the IP addresses at each end of the link. For the time being, we also assume that c3po doesn’t require any authentication from us, so the configuration phase is completed successfully. pppd will then negotiate the IP parameters with its peer using IPCP, the IP control protocol. Since we didn’t specify any particular IP address to pppd earlier, it will try to use the address obtained by having the resolver look up the local hostname. Both will then announce their addresses to each other. Usually, there’s nothing wrong with these defaults. Even if your machine is on an Ethernet, you can use the same IP address for both the Ethernet and the PPP interface. Nevertheless, pppd allows you to use a different address, or even to ask your peer to use some specific address. These options are discussed later in the “IP Configuration Options” section. After going through the IPCP setup phase, pppd will prepare your host’s networking layer to use the PPP link. It first configures the PPP network interface as a point-to-point link, using ppp0 for the first PPP link that is active, ppp1 for the second, and so on. Next, it sets up a routing table entry that points to the host at the other end of the link. In the previous example, pppd made the default network route point to c3po, because we gave it the de

Chapter 8 - The Point-to-Point Protocol Like SLIP, PPP is a protocol used to send datagrams across a serial connection; however, it addresses a couple of the deficiencies of SLIP. First, it can carry a large number of protocols and is thus not limited to the IP protocol. It provides error detection on the link itself, while SLIP accepts and forwards corrupted datagrams as long as the corruption does not occur in the header. Equally important, it lets the communicating sides negotiate options, such as the IP address and the maximum datagram size at startup time, and provides client authorization. This built-in negotiation allows reliable automation of the connection establishment, while the authentication removes the need for the clumsy user login accounts that SLIP requires. For each of these capabilities, PPP has a separate protocol. In this chapter, we briefly cover these basic building blocks of PPP. This discussion of PPP is far from complete; if you want to know more about PPP, we urge you to read its RFC specification and the dozen or so companion RFCs.45 There is also a comprehensive O’Reilly book on the topic of Using & Managing PPP, by Andrew Sun. At the very bottom of PPP is the High-Level Data Link Control (HDLC) protocol, which defines the boundaries around the individual PPP frames and provides a 16-bit checksum.46 As opposed to the more primitive SLIP encapsulation, a PPP frame is capable of holding packets from protocols other than IP, such as Novell’s IPX or Appletalk. PPP achieves this by adding a protocol field to the basic HDLC frame that identifies the type of packet carried by the frame. The Link Control Protocol, (LCP) is used on top of HDLC to negotiate options pertaining to the data link. For instance, the Maximum Receive Unit (MRU), states the maximum datagram size that one side of the link agrees to receive. An important step at the configuration stage of a PPP link is client authorization. Although it is not mandatory, it is really a must for dialup lines in order to keep out intruders. Usually the called host (the server) asks the client to authorize itself by proving it knows some secret key. If the caller fails to produce the correct secret, the connection is terminated. With PPP, authorization works both ways; the caller may also ask the server to authenticate itself. These authentication procedures are totally independent of each other. There are two protocols for different types of authorization, which we will discuss further in this chapter: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Each network protocol that is routed across the data link (like IP and AppleTalk) is configured dynamically using a corresponding Network Control Protocol (NCP). To send IP datagrams across the link, both sides running PPP must first negotiate which IP address each of them uses. The control protocol used for this negotiation is the Internet Protocol Control Protocol (IPCP). Besides sending standard IP datagrams across the link, PPP also supports Van Jacobson header compression of IP datagrams. This technique shrinks the headers of TCP packets to as little as three bytes. It is also used in CSLIP, and is more colloquially referred to as VJ header compression. The use of compression may be negotiated at startup time through IPCP, as well. PPP on Linux On Linux, PPP functionality is split into two parts: a kernel component that handles the low-level protocols (HDLC, IPCP, IPXCP, etc.) and the user space pppd daemon that handles the various higher-level protocols, such as PAP and CHAP. The current release of the PPP software for Linux contains the PPP daemon pppd and a program named chat that automates the dialing of the remote system. The PPP kernel driver was written by Michael Callahan and reworked by Paul Mackerras. pppd was derived from a free PPP implementation47 for Sun and 386BSD machines that was written by Drew Perkins and others, and is maintained by Paul Mackerras. It was ported to Linux by Al Longyear. chat was written by Karl Fox.48 45 Relevant RFCs are listed in the Bibiliography at the end of this book. 46 In fact, HDLC is a much more general protocol devised by the International Standards Organization (ISO) and is also an essential component of the X.25 specification. 47 If you have any general questions about PPP, ask the people on the Linux-net mailing list at vger.rutgers.edu. 48 Karl can be reached at karl@morningstar.com.

After a successful login, diplogin proceeds by flipping the serial line to CSLIP or SLIP mode, and sets up the interface and route. This connection remains established until the user disconnects and the modem drops the line. diplogin then returns the line to normal line discipline and exits. diplogin requires superuser privilege. If you don’t have dip running setuid root, you should make dip- login a separate copy of dip instead of a simple link. diplogin can then safely be made setuid without affecting the status of dip itself.

When our SLIP user dent logs in, dip starts up as a server. To find out if he is indeed permitted to use SLIP, it looks up the username in /etc/diphosts. This file details the access rights and connection parameter for each SLIP user. The general format for an /etc/diphosts entry looks like: # /etc/diphosts user:password:rem-addr:loc-addr:netmask:comments:protocol,MTU# Each of the fields is described in Table 7.2. Table 7.2: /etc/diphosts Field Description Field Description user The username of the user invoking dip that this entry will apply to. password Field 2 of the /etc/diphosts file is used to add an extra layer of password-based security on the connection. You can place a password in encrypted form here (just as in /etc/passwd) and diplogin will prompt for the user to enter the password before allowing SLIP access. Note that this password is used in addition to the normal login-based password the user will enter. rem-addr The address that will be assigned to the remote machine. This address may be specified either as a hostname that will be resolved or an IP address in dotted quad notation. loc-addr The IP address that will be used for this end of the SLIP link. This may also be specified as a resolvable hostname or in dotted quad format. netmask The netmask that will be used for routing purposes. Many people are confused by this entry. The netmask doesn’t apply to the SLIP link itself, but is used in combination with the rem-addr field to produce a route to the remote site. The netmask should be that used by the network supported by that of the remote host. comments This field is free-form text that you may use to help document the /etc/diphosts file. It serves no other purpose. protocol This field is where you specify what protocol or line discipline you want applied to this connection. Valid entries here are the same as those valid for the -p argument to the slattach command. MTU The maximum transmission unit that this link will carry. This field describes the largest datagram that will be transmitted across the link. Any datagram routed to the SLIP device that is larger than the MTU will be fragmented into datagrams no larger than this value. Usually, the MTU is configured identically at both ends of the link. A sample entry for dent could look like this: dent::dent.beta.com:vbrew.com:255.255.255.0:Arthur Dent:CSLIP,296 Our example gives our user dent access to SLIP with no additional password required. He will be assigned the IP address associated with dent.beta.com with a netmask of 255.255.255.0. His default route should be directed to the IP address of vbrew.com, and he will use the CSLIP protocol with an MTU of 296 bytes. When dent logs in, diplogin extracts the information on him from the diphosts file. If the second field contains a value, diplogin will prompt for an “external security password.” The string entered by the user is encrypted and compared to the password from diphosts. If they do not match, the login attempt is rejected. If the password field contains the string s/key, and dip was compiled with S/Key support, S/Key authentication will take place. S/Key authentication is described in the documentation that comes in the dip source package.

The if and goto commands The if command is a conditional branch, rather than a full-featured programming if statement. Its syntax is: if var op number goto label The expression must be a simple comparison between one of the variables $errlvl, $locip, and $rmtip. var must be an integer number; the operator op may be one of ==, !=, <, >, <=, and >=. The goto command makes the execution of the script continue at the line following that bearing the label. A label must be the first word on the line and must be followed immediately by a colon. send, wait, and sleep These commands help implement simple chat scripts in dip. The send command outputs its arguments to the serial line. It does not support variables, but understands all C-style backslash character sequences, such as \n for newline and \b for backspace. The tilde character (~) can be used as an abbreviation for carriage return/newline. The wait command takes a word as an argument and will read all input on the serial line until it detects a sequence of characters that match this word. The word itself may not contain any blanks. Optionally, you may give wait a timeout value as a second argument; if the expected word is not received within that many seconds, the command will return with an $errlvl value of 1. This command is used to detect login and other prompts. The sleep command may be used to wait for a certain amount of time; for instance, to patiently wait for any login sequence to complete. Again, the interval is specified in seconds. mode and default These commands are used to flip the serial line to SLIP mode and configure the interface. The mode command is the last command executed by dip before going into daemon mode. Unless an error occurs, the command does not return. mode takes a protocol name as argument. dip currently recognizes SLIP, CSLIP, SLIP6, CSLIP6, PPP, and TERM as valid names. The current version of dip does not understand adaptive SLIP, however. After enabling SLIP mode on the serial line, dip executes ifconfig to configure the interface as a point-topoint link, and invokes route to set the route to the remote host. If, in addition, the script executes the default command before mode, dip creates a default route that points to the SLIP link. Running in Server Mode Setting up your SLIP client was the hard part. Configuring your host to act as a SLIP server is much easier. There are two ways of configuring a SLIP server. Both ways require that you set up one login account per SLIP client. Assume you provide SLIP service to Arthur Dent at dent.beta.com. You might create an account named dent by adding the following line to your passwd file: dent:*:501:60:Arthur Dent’s SLIP account:/tmp:/usr/sbin/diplogin Afterwards, you would set dent’s password using the passwd utility. The dip command can be used in server mode by invoking it as diplogin. Usually diplogin is a link to dip. Its main configuration file is /etc/diphosts, which is where you specify what IP address a SLIP user will be assigned when he or she dials in. Alternatively, you can also use the sliplogin command, a BSD-derived tool featuring a more flexible configuration scheme that lets you execute shell scripts whenever a host connects and disconnects.

The init command selects an initialization string to be passed to the modem before dialing. The default for Hayes modems is “ATE0 Q0 V1 X1″, which turns on echoing of commands and long result codes, and selects blind dialing (no checking of dial tone). Modern modems have a good factory default configuration, so this is a little unnecessary, though it does no harm. The dial command sends the initialization string to the modem and dials up the remote system. The default dial command for Hayes modems is ATD. The echo command The echo command serves as a debugging aid. Calling echo on makes dip echo to the console everything it sends to the serial device. This can be turned off again by calling echo off. dip also allows you to leave script mode temporarily and enter terminal mode. In this mode, you can use dip just like any ordinary terminal program, writing the characters you type to the serial line, reading data from the serial line, and displaying the characters. To leave this mode, enter Ctrl-]. The get command The get command is dip’s way of setting a variable. The simplest form is to set a variable to a constant, as we did in cowslip.dip. You may, however, also prompt the user for input by specifying the keyword ask instead of a value: DIP> get $local ask Enter the value for $local: _ A third method is to obtain the value from the remote host. Bizarre as it seems at first, this is very useful in some cases. Some SLIP servers will not allow you to use your own IP address on the SLIP link, but will rather assign you one from a pool of addresses whenever you dial in, printing some message that informs you about the address you have been assigned. If the message looks something like “Your address: 192.168.5.74″, the following piece of dip code would let you pick up the address: # finish login wait address: 10 get $locip remote The print command This is the command used to echo text to the console from which dip was started. Any of dip’s variables may be used in print commands. Here’s an example: DIP> print Using port $port at speed $speed Using port ttyS3 at speed 38400 Variable names dip understands only a predefined set of variables. A variable name always begins with a dollar symbol and must be written in lowercase letters. The $local and $locip variables contain the local host’s name and IP address. When you store the canonical host- name in $local, dip will automatically attempt to resolve the hostname to an IP address and to store it in the $locip variable. A similar but backward process occurs when you assign an IP address to the $locip variable; dip will attempt to perform a reverse lookup to identify the name of the host and store it in the $local variable. The $remote and $rmtip variables operate in the same way for the remote host’s name and address. $mtu contains the MTU value for the connection. These five variables are the only ones that may be assigned values directly using the get command. A number of other variables are set as a result of the configuration commands bearing the same name, but may be used in print statements; these variables are $modem, $port, and $speed. $errlvl is the variable through which you can access the result of the last command executed. An error level of 0 indicates success, while a nonzero value denotes an error.

In dip’s scripting language, keywords prefixed with a dollar symbol denote variable names. dip has a predefined set of variables, which will be listed below. $remote and $local, for instance, contain the hostnames of the remote and local hosts involved in the SLIP link. The first two statements in the sample script are get commands, which is dip’s way to set a variable. Here, the local and remote hostnames are set to vlager and cowslip, respectively. The next five statements set up the terminal line and the modem. reset sends a reset string to the modem. The next statement flushes out the modem response so that the login chat in the next few lines works properly. This chat is pretty straightforward: it simply dials 41988, the phone number of cowslip, and logs in to the account Svlager using the password knockknock. The wait command makes dip wait for the string given as its first argument; the number given as its second argument makes the wait time out after that many seconds if no such string is received. The if commands interspersed in the login procedure check that no error occurred while executing the command. The final commands executed after logging in are default, which makes the SLIP link the default route to all hosts, and mode, which enables SLIP mode on the line and configures the interface and routing table for you. A dip Reference In this section, we will give a reference for most of dip’s commands. You can get an overview of all the commands it provides by invoking dip in test mode and entering the help command. To learn about the syntax of a command, you may enter it without any arguments. Remember that this does not work with commands that take no arguments. The following example illustrates the help command: # dip -t DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96) Written by Fred N. van Kempen, MicroWalt Corporation. Debian version 3.3.7p-2 (debian). DIP> help DIP knows about the following commands: beep bootp break chatkey config databits dec default dial echo flush get goto help if inc init mode modem netmask onexit parity password proxyarp print psend port quit reset securidfixed securid send shell skey sleep speed stopbits term timeout wait DIP> echo Usage: echo on|off DIP> Throughout the following section, examples that display the DIP> prompt show how to enter a command in test mode and what output it produces. Examples lacking this prompt should be taken as script excerpts. The modem commands dip provides a number of commands that configure your serial line and modem. Some of these are obvious, such as port, which selects a serial port, and speed, databits, stopbits, and parity, which set the common line parameters. The modem command selects a modem type. Currently, the only type supported is HAYES (capitalization required). You have to provide dip with a modem type, or else it will refuse to execute the dial and reset commands. The reset command sends a reset string to the modem; the string used depends on the modem type selected. For Hayes-compatible modems, this string is ATZ. The flush code can be used to flush out all responses the modem has sent so far. Otherwise, a chat script following reset might be confused because it reads the OK responses from earlier commands.

ous attacks on your network. If you want to allow your users to fire up a SLIP connection, write small wrapper programs for each prospective SLIP server and have these wrappers invoke dip with the specific script that establishes the connection. Carefully written wrapper programs can then safely be made setuid to root.44 An alternative, more flexible approach is to give trusted users root access to dip using a program like sudo. A Sample Script Assume that the host to which we make our SLIP connection is cowslip, and that we have written a script for dip to run called cowslip.dip that makes our connection. We invoke dip with the script name as argument: # dip cowslip.dip DIP: Dialup IP Protocol Driver version 3.3.7 (12/13/93) Written by Fred N. van Kempen, MicroWalt Corporation. connected to cowslip.moo.com with addr 192.168.5.74 # The script itself is shown in Example 7.1. Example 7.1: A Sample dip Script # Sample dip script for dialing up cowslip # Set local and remote name and address get $local vlager-slip get $remote cowslip port ttyS3 # choose a serial port speed 38400 # set speed to max modem HAYES # set modem type reset # reset modem and tty flush # flush out modem response # Prepare for dialing. send ATQ0V1E1X1\r wait OK 2 if $errlvl != 0 goto error dial 41988 if $errlvl != 0 goto error wait CONNECT 60 if $errlvl != 0 goto error # Okay, we’re connected now sleep 3 send \r\n\r\n wait ogin: 10 if $errlvl != 0 goto error send Svlager\n wait ssword: 5 if $errlvl != 0 goto error send knockknock\n wait running 30 if $errlvl != 0 goto error # We have logged in, and the remote side is firing up SLIP. print Connected to $remote with address $rmtip default # Make this link our default route mode SLIP # We go to SLIP mode, too # fall through in case of error error: print SLIP to $remote failed. After connecting to cowslip and enabling SLIP, dip will detach from the terminal and go to the background. You can then start using the normal networking services on the SLIP link. To terminate the connection, simply invoke dip with the -k option. This sends a hangup signal to dip, using the process ID dip records in /etc/dip.pid: # dip -k 44 diplogin must be run as setuid to root, too. See the section at the end of this chapter.

For the remainder of this chapter we will always use vlager-slip to refer to the address of the local SLIP interface. When taking down the SLIP link, you should first remove all routes through cowslip using route with the del option, then take the interface down, and send slattach the hangup signal. The you must hang up the modem using your terminal program again: # route del default # route del cowslip # ifconfig sl0 down # kill -HUP 516 Note that the 516 should be replaced with the process id (as shown in the output of ps ax) of the slattach command controlling the slip device you wish to take down. Dealing with Private IP Networks You will remember from Chapter 5, Configuring TCP/IP Networking, that the Virtual Brewery has an Ethernet- based IP network using unregistered network numbers that are reserved for internal use only. Packets to or from one of these networks are not routed on the Internet; if we were to have vlager dial into cowslip and act as a router for the Virtual Brewery network, hosts within the Brewery’s network could not talk to real Internet hosts directly because their packets would be dropped silently by the first major router. To work around this dilemma, we will configure vlager to act as a kind of launch pad for accessing Internet services. To the outside world, it will present itself as a normal SLIP-connected Internet host with a registered IP address (probably assigned by the network provider running cowslip). Anyone logged in to vlager can use text- based programs like ftp, telnet, or even lynx to make use of the Internet. Anyone on the Virtual Brewery LAN can therefore telnet and log in to vlager and use the programs there. For some applications, there may be solutions that avoid logging in to vlager. For WWW users, for example, we could run a so-called proxy server on vlager, which would relay all requests from your users to their respective servers. Having to log in to vlager to make use of the Internet is a little clumsy. But apart from eliminating the paperwork (and cost) of registering an IP network, it has the added benefit of going along well with a firewall setup. Fire- walls are dedicated hosts used to provide limited Internet access to users on your local network without exposing the internal hosts to network attacks from the outside world. Simple firewall configuration is covered in more detail in Chapter 9, TCP/IP Firewall. In Chapter 11, IP Masquerade and Network Address Translation, we’ll discuss a Linux feature called “IP masquerade” that provides a powerful alternative to proxy servers. Assume that the Brewery has been assigned the IP address 192.168.5.74 for SLIP access. All you have to do to realize that the setup discussed above is to enter this address into your /etc/hosts file, naming it vlager-slip. The procedure for bringing up the SLIP link itself remains unchanged. Using dip Now that was rather simple. Nevertheless, you might want to automate the steps previously described. It would be much better to have a simple command that performs all the steps necessary to open the serial device, cause the modem to dial the provider, log in, enable the SLIP line discipline, and configure the network interface. This is what the dip command is for. dip means Dialup IP. It was written by Fred van Kempen and has been patched very heavily by a number of people. Today there is one strain that is used by almost everyone: Version dip337p-uri, which is included with most modern Linux distributions, or is available from the metalab.unc.edu FTP archive. dip provides an interpreter for a simple scripting language that can handle the modem for you, convert the line to SLIP mode, and configure the interfaces. The script language is powerful enough to suit most configurations. To be able to configure the SLIP interface, dip requires root privilege. It would now be tempting to make dip setuid to root so that all users can dial up some SLIP server without having to give them root access. This is very dangerous, though, because setting up bogus interfaces and default routes with dip may disrupt routing on your network. Even worse, this action would give your users power to connect to any SLIP server and launch danger