RE: PPTP versus L2TP and possible attacks

From: Zachary Mutrux (zmutrux_at_compumentor.org)
Date: 02/13/04

  • Next message: James D. Stallard: "RE: PPTP versus L2TP and possible attacks - what next?"
    To: <focus-ms@securityfocus.com>
    Date: Fri, 13 Feb 2004 09:30:40 -0800
    
    
    

    As a point of amplification, both L2TP and PPTP are tunneling protocols
    without any inherent encryption built in.

    In Microsoft's Windows 2K/2K3 implementation, L2TP uses IPSec for
    encryption, and PPTP uses MPPE. IIRC, Microsoft's L2TP requires the use of
    certificates for authentication and encryption, which means if you choose
    that route you must set up a public key infrastructure. That means a little
    more work, but also better security.

    You might be interested in this paper by Bruce Schneier and Mudge, which
    discusses some of the continuing problems with MS-CHAPv2 in conjunction with
    MPPE.
    http://www.schneier.com/paper-pptpv2.html

    Microsoft offers other methods of authentication now in place of MS-CHAPv2,
    so I'm not sure if the weaknesses Schneier and Mudge discuss are still as
    much of an issue. But there is no question that IPSec based VPN are more
    secure than those that use MPPE.

    zm

    
    



  • Next message: James D. Stallard: "RE: PPTP versus L2TP and possible attacks - what next?"