RE: PPTP versus L2TP and possible attacks

From: Zachary Mutrux (zmutrux_at_compumentor.org)
Date: 02/13/04

  • Next message: James D. Stallard: "RE: PPTP versus L2TP and possible attacks - what next?"
    To: <focus-ms@securityfocus.com>
    Date: Fri, 13 Feb 2004 09:30:40 -0800
    
    
    

    As a point of amplification, both L2TP and PPTP are tunneling protocols
    without any inherent encryption built in.

    In Microsoft's Windows 2K/2K3 implementation, L2TP uses IPSec for
    encryption, and PPTP uses MPPE. IIRC, Microsoft's L2TP requires the use of
    certificates for authentication and encryption, which means if you choose
    that route you must set up a public key infrastructure. That means a little
    more work, but also better security.

    You might be interested in this paper by Bruce Schneier and Mudge, which
    discusses some of the continuing problems with MS-CHAPv2 in conjunction with
    MPPE.
    http://www.schneier.com/paper-pptpv2.html

    Microsoft offers other methods of authentication now in place of MS-CHAPv2,
    so I'm not sure if the weaknesses Schneier and Mudge discuss are still as
    much of an issue. But there is no question that IPSec based VPN are more
    secure than those that use MPPE.

    zm

    
    



  • Next message: James D. Stallard: "RE: PPTP versus L2TP and possible attacks - what next?"

    Relevant Pages

    • Re: VPN server
      ... You have to choose either/both PPTP or L2TP (which uses IPSec) for the ... (Dial-in tab even though this is VPN) ...
      (microsoft.public.windows.server.active_directory)
    • Re: L2TP/PPTP
      ... Though pptp can be very secure if configured correctly and a complex password is used ... l2tp is more secure for a number of reasons. ... the biggest advantages is it requires certificate machine authentication in addition ... > PPTP is encrypted with Microsoft Encryption. ...
      (microsoft.public.cert.exam.mcse)
    • Re: VPN protocols
      ... Go for PPTP or L2TP ... Must: IPSec or SSL ...
      (Security-Basics)
    • Re: L2TP and encryption strangth
      ... The right answer is: L2TP doesn't feature encryption. ... In Windows VPN, L2TP traffic is secured using IPsec. ...
      (microsoft.public.windows.server.security)
    • Re: VPN aus Netz nach extern
      ... >Abhängig, ob PPTP oder L2TP erlaubt werden soll, sind die ... >Bei PPTP ist es der Port upd/1723 und das Protokoll! ... da L2TP IPSec als Verschlüsselung nutzt ... kann IPSec over NAT Traversal benutzt ...
      (microsoft.public.de.german.isaserver)