[VPN] PPTP as a VPN solution

Martin Peikert lists at nolog.org
Thu Jul 31 04:21:25 EDT 2003


Hello,

Ryan Malayter wrote:
> From: Martin Peikert [mailto:lists at nolog.org]
>> I cannot agree to "Microsoft deprecates PPTP"
> ...
>> Maybe I am wrong here, but from that I can only conclude: They do
>> *not* deprecate the "industry standard" PPTP.
> 
> I think you're wrong.

Can you finally give a *proof* of that?

> If MS really thought PPTP was great and the way of the future, they 
> would not have implemented IPsec in Windows 2000 at all!

That's a really interesting point of view. Can you give a proof?

> Of course I wrote something concerning that... I stated that while it
> was correct - MS-CHAPv2 is still broken - it didn't matter, because 
> better alternatives are available.

Whether it matters or not, I don't care. Venicio Vilas-Bôas asked
if the problems found in this FAQ relative to PPTP are solved. My answer
was: No, they are not.

> That *is* an answer. Not a simple yes/no answer, of course - it has 
> qualifications - nor apparently is it the one you want to hear. But
> it is an answer to the question. For the record, my answer is this:
> "Yes, the authentication portion of PPTP is still broke, but so what,
> there is a much better alternative built into the more recent
> versions of windows."

Your answer to what question? If you had answered Venicio's mail, I
could see the relation to the question, but you quoted my answer without
giving any argument against my statement. You just said: Use L2TP/IPSec
instead, but that had no relation to my mail.

Is there a reason why you quoted me?

> What do the authentication methods used on an internal network have
> to do with this discussion anyway?

That was an example of "tunneled crap is still crap".

> What I'm saying is that PPTP uses the NT password for authentication,
> whereas IPsec requires a (presumably long) shared secret or a 
> high-entropy certificate.

Not true. You _can_ use really short shared secrets. Doesn't make sense,
but you can.

GTi


