> -----Original Message-----
> From: Alan Olsen [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 12 February 2001 11:43 
> To: Mark Jones
> Cc: [EMAIL PROTECTED]
> Subject: Re: VPN technology
> 
> 
> On Mon, 12 Feb 2001, Mark Jones wrote:
> 
> > I am trying to find some information on the following
> > PPTP
> 
> Some real good information on PPTP can be found at
> http://www.counterpane.com/.
> 
> It explains why you do not want to use it. (Both versions are
> very broken in some amazing ways.)

Steady on there.

Unless I've missed some new work PPTPv2 isn't _very_ broken. With the high
encryption pack the only real crypto problem was that the shared-key relied
on the user password, making it vulnerable to a password guessing attack.
That's hardly 'broken'. Kerberos, for example, is in widespread use and it's
vulnerable to password guessing as well. It's just a risk one needs to
understand. 

Yes, I would rather see the protocol _not_ derive session keys from the
passwords, but I think that saying "the MPPE keys are as weak as the user
passwords" is a much better way of assessing the protocol than saying "It's
broken, it's eeeevil, it will give you cancer".

I still recommend IPSec over PPTP, but I don't rate PPTP as unusable. With
strong user passwords and for low threat sites I have recommended it a few
times. PPTP has some good points. It's NATable, for one.

Note that IPSec is hardly the VPN Messiah - I'm just waiting for the first
boneheaded implementation error to surface. It's a very complex protocol
with a few useless bits and pieces - someone _will_ screw it up.

People may find the Counterpane "PPTP FAQ" floating around - you should
be aware (and it's not mentioned in the document) that this FAQ applies ONLY
to PPTPv1. PPTPv1 was indeed truly broken in some very spectacular ways.

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304