> -----Original Message-----
> From: Alan Olsen [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 12 February 2001 12:38
> To: Ben Nagy
> Cc: [EMAIL PROTECTED]
> Subject: RE: VPN technology
[...]
> > > Some real good information on PPTP can be found at
> > > http://www.counterpane.com/.
> > >
> > > It explains why you do not want to use it. (Both versions are very
> > > broken in some amazing ways.)
> >
> > Steady on there.
> >
> > Unless I've missed some new work PPTPv2 isn't _very_ broken.
> > [blah blah blah]
>
> My understanding is that you can get PPTP v2 to fall back to PPTP v1. If
> this happens, then you have a problem.

Under certain circumstances. You can configure the server not to accept
PPTPv1. All the stuff about "Oh, that means editing the (gasp) REGISTRY
which is oh so tricky" is just FUD, IMO. Vulnerabilities that are actually
configuration errors don't interest me.
I do agree that M$ should probably patch to make not accepting PPTPv1 the
default, and have a registry hack required to turn it on, though.
[...]
>
> I did not quite say that. I should have added the "as implemented by
> Microsoft" warning label as well. PPTP v2 has supposedly been done right
> by others.

"Standard" PPTP (RFC 2637) doesn't cover any confidentiality or auth issues
- much like L2TP. In other words, it defines all the tunnel stuff but says
encrypting it is Someone Else's Problem. PPTPv2 is pretty much PPTP with
MS-CHAPv2 extensions - so it's unlikely that anyone has done it right.
As I understand it, PPTP has been dropped by the IETF in favour of L2TP -
which still is not a complete VPN solution in and of itself.
[snip me ranting]
>
> My experience with IPSec is that it tends to not work well with other
> implementations. I have heard of too many cases where various
> implementations do not negotiate well with other implementations.
> Hopefully these will get hammered out, but they are still a problem. (This
> was a year or so ago. It may have improved since then.)

Interop issues are the least of my worries. I'm waiting for someone to screw
up the crypto ("Hey, it would save cycles if we just used a timestamp as
this "IV" thingy, wouldn't it?").

> > People may find the Counterpane "PPTP FAQ" floating around - you should
> > be aware (and it's not mentioned in the document) that this FAQ applies
> > ONLY to PPTPv1. PPTPv1 was indeed truly broken in some very spectacular
> > ways.
>
> Actually they examined PPTP v2 as well. They said it was better, but
> there were still problems. (The fall-back problem the worst of the lot.)
>
> http://www.counterpane.com/pptpv2-paper.html for more info on the
> brokenness of PPTP v2.
Yah - I'm just noting that the scathing FAQ remains posted on the site, with
no indication that it refers to an old version of the protocol. That's
likely to mislead some people.
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304