That paper (great work!) tells about the Microsoft PPTP problems. But what about the Linux GRE tunnel documented in the HOWTO? Does it have the same implementation problems? - Greg -----Original Message----- From: Michael T. Babcock [mailto:mbabcock@fibrespeed.net] Sent: Wednesday, January 09, 2002 11:58 AM To: Greg Scott Cc: LARTC List Subject: Re: [LARTC] Gre Tunneling Problem On Wed, Jan 09, 2002 at 12:01:09PM -0600, Greg Scott wrote: > What I don't understand is, how does the security work? I think the > two tunnel endpoints are supposed to authenticate eachother with the > TCP port 1723 packets, but what do the Linux systems use for a shared > secret? I would use this all over the place if I felt good about its > security. If you want the gory details on the (in)security of it, go to Google and search for "pptp mudge counterpane". The first link you get should be a security audit of PPtP at counterpane.com done by Mudge of L0pht.com fame and Bruce Schneier, author of Applied Cryptography and Secrets and Lies (as well as both having general Internet recognition in security). The paper deals mostly with MS-CHAP2 which is the authentication protocol Microsoft uses in its PPTP stuff. For those who don't like PDFs, the HTML version can be seen (as rendered by Google) at (one line): http://www.google.com/search?q=cache:fKZC3BSAczQC:www.counterpane.com/pptp.p df+pptp+mudge+counterpane+pdf&hl=en -- Michael T. Babcock CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc) http://www.fibrespeed.net/~mbabcock/ _______________________________________________ LARTC mailing list / LARTC@mailman.ds9a.nl http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/
