[VPN] PPTP as a VPN solution

Ryan Malayter rmalayter at bai.org
Tue Jul 29 14:13:24 EDT 2003


From: Martin Peikert [mailto:lists at nolog.org] 
>I cannot agree to "Microsoft deprecates PPTP"
...
>Maybe I am wrong here, but from that I can only 
>conclude: They do *not* deprecate the "industry 
>standard" PPTP.

I think you're wrong. Microsoft continues to *support* PPTP, but L2TP
over IPsec is their current technology, is receiving continuing
development (like  NAT traversal), and is recommended going into the
future. At least according to the MS guys who presented IPsec
presentations at TechEd 2003, and every article about VPN's in Windows &
.NET magazine I've ever seen, and a lot of other sources. Of course PPTP
has advantages over IPsec, and the paper points those out. IPsec also
has advantages over PPTP, and the paper points those out as well. The
paper you cite as evidence does not state either way which is the
Microsoft preferred technology, only that both are supported. 

If MS really thought PPTP was great and the way of the future, they
would not have implemented IPsec in Windows 2000 at all!

>That was what I wrote and I can see no argument against 
>that - you didn't write anything even concerning that.

Of course I wrote something concerning that... I stated that while it
was correct - MS-CHAPv2 is still broken - it didn't matter, because
better alternatives are available. 

>You are not answering a question - you just said: 
>Hey, PPTP is deprecated - they use L2TP over IPSec instead.

That *is* an answer. Not a simple yes/no answer, of course - it has
qualifications -  nor apparently is it the one you want to hear. But it
is an answer to the question. For the record, my answer is this: "Yes,
the authentication portion of PPTP is still broke, but so what, there is
a much better alternative built into the more recent versions of
windows."

>An example: In tunneling mode a telnet session is 
>encrypted between the tunneling endpoints (VPN gw 
><-> VPN gw or roadwarrior <-> VPN gw), but not 
>necessarily between the endpoints of the communication. 
>That's why I say: Tunneled crap is still crap. 
>And NOT secure authentication.

You're certainly a master of the obvious. Essentially you state, "If you
use plain text passwords on an unencrypted part of the network, it's not
secure". Gee, I never would have thought of that.

What you state has nothing to do with PPTP or IPsec or anything else
related to VPNs. If you don't trust the network beyond your VPN
termination, you should not be terminating your VPN at that point. The
weak MS-CHAPv2 is only used for the setup of a VPN tunnel with PPTP. It
isn't used for authenticating to machines beyond the termination point
of a PPTP gateway, it is only used for authentication on the gateway
itself. The same is true for IPsec - IKE is only used for authentication
to the VPN gateway, not to machines beyond that gateway. With both
Microsoft VPN technologies, KERBEROS is used by default on Windows 2000
and newer to mutually authenticate users and workstations to servers,
and these Kerberos packets are still a secure form of authentication
even after they leave the VPN tunnel.

What do the authentication methods used on an internal network have to
do with this discussion anyway?

Finally, I want to state this: using long, very random password moves
the PPTP attacks from the realm of the practical back into the
theoretical. TO be sure, PPTP is 65,000 times easier to crack because of
a flaw in the authentication protocol. But if you use 12-character (out
of 95 "type-able" ASCII characters) randomly-generated passwords, you
get about 2^79 possible combinations. Even with the 2^16 advantage the
flaw in PPTP provides, it is still impractical for anyone to break the
tunnel without tens of millions of dollars in investment. The NSA or
distributed.net could break it in a few months, but that's about the
only adversaries you'd need to worry about. 

What I'm saying is that PPTP uses the NT password for authentication,
whereas IPsec requires a (presumably long) shared secret or a
high-entropy certificate. If you give PPTP the same type of entropy as
IPsec, it becomes *practically* secure. It's about 2^16 times less
secure than IPsec using the same shared secret, but still secure enough
to be usable in some environments.

	-Ryan-



More information about the VPN mailing list