RE: PPTP versus L2TP and possible attacks

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 02/16/04

  • Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #176" 
    To: "'Zachary Mutrux'" <zmutrux@compumentor.org>, <focus-ms@securityfocus.com>
Date: Mon, 16 Feb 2004 11:17:23 -0500

    Microsoft's implementation of L2TP does not *require* the use of
    certificates. The default policy does, but technically, one does not have to
    use certificate-based IPSec for L2TP. With that said, it's a better idea to
    do so.

    Laura
    > -----Original Message-----
    > From: Zachary Mutrux [mailto:zmutrux@compumentor.org]
    > Sent: Friday, February 13, 2004 12:31 PM
    > To: focus-ms@securityfocus.com
    > Subject: RE: PPTP versus L2TP and possible attacks
    >
    > As a point of amplification, both L2TP and PPTP are tunneling
    > protocols without any inherent encryption built in.
    >
    > In Microsoft's Windows 2K/2K3 implementation, L2TP uses IPSec
    > for encryption, and PPTP uses MPPE. IIRC, Microsoft's L2TP
    > requires the use of certificates for authentication and
    > encryption, which means if you choose that route you must set
    > up a public key infrastructure. That means a little more
    > work, but also better security.
    >
    > You might be interested in this paper by Bruce Schneier and
    > Mudge, which discusses some of the continuing problems with
    > MS-CHAPv2 in conjunction with MPPE.
    > http://www.schneier.com/paper-pptpv2.html
    >
    > Microsoft offers other methods of authentication now in place
    > of MS-CHAPv2, so I'm not sure if the weaknesses Schneier and
    > Mudge discuss are still as much of an issue. But there is no
    > question that IPSec based VPN are more secure than those that
    > use MPPE.
    >
    > zm
    >

    ---------------------------------------------------------------------------
    Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

    Protect your network with the comprehensive security solution that
    integrates six applications for ease of use and lower TCO.

    Firewall - Virus protection - Spam protection - URL blocking - VPN
    - Wireless security.

    Download 30-day evaluation at:
    http://www.astaro.com/php/contact/securityfocus.php
    ---------------------------------------------------------------------------

  • Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #176"

    Relevant Pages

    • RE: PPTP versus L2TP and possible attacks - what next?
      ... PPTP versus L2TP and possible attacks ... Watch the security week webcast with Jesper Johannson ... www.microsoft.com/webcasts and he talks about the truth/hype of PPtP. ... Astaro Security Linux -- firewall with Spam/Virus Protection ...
      (Focus-Microsoft)
    • Re: XP SP2 VPN and Home Edition
      ... L2TP VPNs need TCP/UDP ... a L2TP security policy when it stated up. ... If I turn on a policy at the RRAS server, ...
      (microsoft.public.windowsxp.work_remotely)
    • Re: PPTP versus L2TP and possible attacks
      ... Which is the better tunnelling protocol in terms of security and ... > functionality, L2TP or PPTP, and why? ... L2TP is superior simply because there have been a few papers written ...
      (Focus-Microsoft)
    • L2TP problem although IPSec is working using certifiactes
      ... I managed to create VPN connection between two w2k machines using PPTP. ... When I try to use L2TP I got this message on VPN client machine (this ... 789 "The L2TP connection attempt failed because the security layer ... The point is I have installed proper certificates and I ...
      (microsoft.public.win2000.ras_routing)
    • Re: Has anyone got Win2K RRAS <-> XP Pre-Shared Keys to work through VPN?
      ... is not hard to set up a Certificate Authority to issue computer certificates ... of setting up a CA to issue ipsec certificates for l2tp. ... Other considerations are that l2tp will not work if NAT is used in the VPN ... be opened on firewalls in the path to the VPN server. ...
      (microsoft.public.win2000.ras_routing)