Focus on Microsoft
PPTP versus L2TP and possible attacks Feb 11 2004 07:19PM James D. Stallard (james leafgrove com) (2 replies)
Re: PPTP versus L2TP and possible attacks Feb 12 2004 07:55PM Patrick Power (ppower registrypro pro) (2 replies)
Re: PPTP versus L2TP and possible attacks Feb 12 2004 09:00PM Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net) (2 replies)
RE: PPTP versus L2TP and possible attacks - what next? Feb 14 2004 09:52PM James D. Stallard (james leafgrove com)
Re: PPTP versus L2TP and possible attacks Feb 12 2004 09:30PM Patrick Power (ppower registrypro pro) (1 replies)
RE: PPTP versus L2TP and possible attacks Feb 13 2004 11:46PM Zachary Mutrux (zmutrux compumentor org)
Re: PPTP versus L2TP and possible attacks Feb 12 2004 03:16PM Chris Gianelloni (wolf31o2 charter net)
without any inherent encryption built in.
In Microsoft's Windows 2K/2K3 implementation, L2TP uses IPSec for
encryption, and PPTP uses MPPE. IIRC, Microsoft's L2TP requires the use of
certificates for authentication and encryption, which means if you choose
that route you must set up a public key infrastructure. That means a little
more work, but also better security.
You might be interested in this paper by Bruce Schneier and Mudge, which
discusses some of the continuing problems with MS-CHAPv2 in conjunction with
MPPE.
http://www.schneier.com/paper-pptpv2.html
Microsoft offers other methods of authentication now in place of MS-CHAPv2,
so I'm not sure if the weaknesses Schneier and Mudge discuss are still as
much of an issue. But there is no question that IPSec-based VPNs are more
secure than those that use MPPE.
zm