Focus on Microsoft
certificates. The default policy does, but technically, one does not have to
use certificate-based IPSec for L2TP. With that said, it's a better idea to
do so.
Laura
> -----Original Message-----
> From: Zachary Mutrux [mailto:zmutrux (at) compumentor (dot) org]
> Sent: Friday, February 13, 2004 12:31 PM
> To: focus-ms (at) securityfocus (dot) com
> Subject: RE: PPTP versus L2TP and possible attacks
>
> As a point of amplification, both L2TP and PPTP are tunneling
> protocols without any inherent encryption built in.
>
> In Microsoft's Windows 2K/2K3 implementation, L2TP uses IPSec
> for encryption, and PPTP uses MPPE. IIRC, Microsoft's L2TP
> requires the use of certificates for authentication and
> encryption, which means if you choose that route you must set
> up a public key infrastructure. That means a little more
> work, but also better security.
>
> You might be interested in this paper by Bruce Schneier and
> Mudge, which discusses some of the continuing problems with
> MS-CHAPv2 in conjunction with MPPE.
> http://www.schneier.com/paper-pptpv2.html
>
> Microsoft offers other methods of authentication now in place
> of MS-CHAPv2, so I'm not sure if the weaknesses Schneier and
> Mudge discuss are still as much of an issue. But there is no
> question that IPSec-based VPNs are more secure than those that
> use MPPE.
>
> zm
>