[VPN] PPTP as a VPN solution
Martin Peikert
lists at nolog.org
Thu Jul 31 04:21:25 EDT 2003
Hello,
Ryan Malayter wrote:
> From: Martin Peikert [mailto:lists at nolog.org]
>> I cannot agree to "Microsoft deprecates PPTP"
> ...
>> Maybe I am wrong here, but from that I can only conclude: They do
>> *not* deprecate the "industry standard" PPTP.
>
> I think you're wrong.
Can you finally give a *proof* of that?
> If MS really thought PPTP was great and the way of the future, they
> would not have implemented IPsec in Windows 2000 at all!
That's a really interesting point of view. Can you give a proof?
> Of course I wrote something concerning that... I stated that while it
> was correct - MS-CHAPv2 is still broken - it didn't matter, because
> better alternatives are available.
Whether it matters or not, I don't care. Venicio Vilas-Bôas asked
if the problems found in this FAQ relative to PPTP are solved. My answer
was: No, they are not.
> That *is* an answer. Not a simple yes/no answer, of course - it has
> qualifications - nor apparently is it the one you want to hear. But
> it is an answer to the question. For the record, my answer is this:
> "Yes, the authentication portion of PPTP is still broke, but so what,
> there is a much better alternative built into the more recent
> versions of Windows."
Your answer to what question? If you had answered Venicio's mail, I
could see the relation to the question, but you quoted my answer without
giving any argument against my statement. You just said: Use L2TP/IPSec
instead, but that had no relation to my mail.
Is there a reason why you quoted me?
> What do the authentication methods used on an internal network have
> to do with this discussion anyway?
That was an example of "tunneled crap is still crap".
> What I'm saying is that PPTP uses the NT password for authentication,
> whereas IPsec requires a (presumably long) shared secret or a
> high-entropy certificate.
Not true. You _can_ use really short shared secrets. Doesn't make sense,
but you can.
GTi