[vpn] Thoughts on VPN

Neale Banks neale at lowendale.com.au
Tue Oct 30 21:35:10 EST 2001


On Thu, 25 Oct 2001, Thierry Blanchard wrote:

> After reading some articles, I want to make sure that what I think is right.
> 
> #1: VPN is based on different protocols.
> #2: Using a layer 2 protocol, main protocols are either PPTP (comes from MS)
> or L2TP.
> #3: Because of security holes in PPTP, L2TP is better.
> #4: Using a layer 3 protocol, the main protocol is IPSec.
> 
> Knowing that we can't compare L2TP and IPSec (because they reside on
> different layer), how more secure is IPSec ?

See http://www.ietf.org/internet-drafts/draft-ietf-l2tpext-security-08.txt
it has some interesting discussion on these issues in section 2

Seeing as:

* it says that PPP authentication (which is what PPTP uses) isn't up to
the task
* L2TP is the successor to PPTP (and L2F)
* Microsoft is strongly represented in the authors (2 of 5)

It may be possbile to infer some admission of shortcomings of MSCHAP(-V2)
and/or MPPE (both used by MS for PPP).  OTOH, there's no specific
finger-pointing at these particular implementations.

Interestingly, AFAIK Win2k defaults to requiring L2TP/IPSec (registry
tweak needed to get around this).  IOW if that's a significant cause of
interoperability issues.

Regards,
Neale.


VPN is sponsored by SecurityFocus.com





More information about the VPN mailing list