> I still recommend IPSec over PPTP, but I don't rate PPTP as unusable. With
> strong user passwords and for low threat sites I have recommended it a few
> times. PPTP has some good points. It's NATable, for one.

A slight correction.  IPSec is also NATable if you are not using the
Authentication Header (AH).  Use of AH or AH/ESP mode through NAT breaks
because NAT packet mangling makes HMAC checksums calculate to an incorrect
value.  (See RFC 2709)

This is a personal site I put together so I could keep my head on straight
with some of the implementation issues.
http://comsec.millennium-computing.com/useful_docs.html

If you are going to understand IPSec I suggest first finding documents
relating to the overall architecture.  With reference to IPSec you should
understand ESP and AH and their uses in the architecture before you try to
comprehend the specific algorithms used to implement IPSec.  Search for
articles/RFCs written by Stephen Kent.  This is a good source for
foundational documents on IPSec.
http://www.networksorcery.com/enp/authors/KentStephen.htm

With reference to PPTPv2 I cannot offer any technical advice.  However, I
have noticed that history has a tendency to repeat itself.

Regards,

-Sam

>
> Note that IPSec is hardly the VPN Messiah - I'm just waiting for the first
> boneheaded implementation error to surface. It's a very complex protocol
> with a few useless bits and pieces - someone _will_ screw it up.
>
> People may find the Counterpane "PPTP FAQ" floating around - you should
> be aware (and it's not mentioned in the document) that this FAQ applies ONLY
> to PPTPv1. PPTPv1 was indeed truly broken in some very spectacular ways.
>
> Cheers,
>
> --
> Ben Nagy
> Network Security Specialist
> Marconi Services Australia Pty Ltd
> Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
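
Added example (not part of the original messages): a simplified Python model of the AH-through-NAT point made in the reply above. The key, addresses and payload are constructed, and the ICV is HMAC-SHA1 truncated to 96 bits over a bare IPv4 header plus payload, leaving out the AH/ESP header fields themselves.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-sa-key"          # constructed shared key for the example
PAYLOAD = b"constructed payload"     # constructed upper-layer data

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(header, payload):
    """AH-style ICV: covers the IP header with its mutable fields zeroed
    (TOS, flags/fragment offset, TTL, checksum) plus the payload.
    Source and destination addresses stay in the authenticated data."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha1).digest()[:12]

def esp_icv(header, payload):
    """ESP-style ICV: the outer IP header is not an input at all."""
    return hmac.new(KEY, payload, hashlib.sha1).digest()[:12]

def nat_rewrite(header, new_src):
    """What a source NAT does to the header: replace the source address."""
    h = bytearray(header)
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

def survives_nat(mode):
    """Sender computes the ICV, NAT rewrites the source, receiver verifies."""
    icv = ah_icv if mode == "ah" else esp_icv
    proto = 51 if mode == "ah" else 50          # IP protocol numbers for AH / ESP
    sent_hdr = ipv4_header("10.0.0.5", "198.51.100.7", proto, len(PAYLOAD))
    sent_icv = icv(sent_hdr, PAYLOAD)
    recv_hdr = nat_rewrite(sent_hdr, "203.0.113.1")
    return hmac.compare_digest(sent_icv, icv(recv_hdr, PAYLOAD))

if __name__ == "__main__":
    for mode in ("ah", "esp"):
        print(mode, "verifies after NAT:", survives_nat(mode))
```
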
