Mailinglist Archive: opensuse-security (499 mails)

RE: [suse-security] VPN with pptp
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Fri, 14 Jun 2002 11:19:34 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D1A5700B@xxxxxxxxxxxxxxxxx>
While I agree that IPSec should be favoured over PPTP, I have to make a few
comments about this last post.

> > The simpler it is the better I like it (both from a maintenance as well
> > as a security point of view).
>
> That is an important point I think! But IPSec is straight-forward,
> but of course you need to read half a page about IPSec to
> understand it. Well, there are multiple "modes" for IPSec
> operation and so on, at least here is potential for
> misconfigurations or such.

I don't think that's specific to IPSec, but to all VPN solutions. There
isn't a lot to get wrong configuration-wise that's IPSec-specific and
that'll get the connection sort of running. It's more of it either works or
doesn't at all.

However, IPSec isn't that straightforward... CIPE is definitely a lot
simpler by pure design. Hmm, thinking about that, it probably would be
possible to use IPSec pretty much the same way and keep it almost as simple
(still using ESP instead of UDP, though). FreeS/WAN is also not as clean a
package as many would like. It's good enough, though, to prefer it to PPTP,
IMHO.

> > Complex -> much code -> many bugs.
>
> This rule is definitely wrong. The number (and kind) of bugs
> depend on the quality which itself depends on the software
> creation processes. And many small "hacked-in" things are
> horrible :)

I disagree; the general rule is quite right. Of course there are ways to
reduce the number of bugs even in complex projects, but it is the rule that
more lines of code mean more bugs. Theoretically, of course, the number of
lines per bug can be extended to infinity, which means that there'll be no
bug at all in the associated code, but I think we all agree that this is a
truly entirely theoretical and unrealistic proposition.

> > Also have a look at cipe.
[snip]
> > - It runs on most Microsoft platforms.
>
> Well, for Win it may be ok, and insecure VPN for insecure
> systems :) SCNR.

He's talking about CIPE, not PPTP.

> > - It uses UDP for transport (never use TCP for serious tunnelling).
>
> Hum, why UDP? IPSec uses protocol 50,51 IIRC.

Why not use UDP? What is the advantage of dedicated IP protocols in this
context? Note that I'm not against either one, which you choose to use
depends on design considerations. It is definitely easier and less hassle to
make use of an existing protocol that's in widespread use, such as UDP,
instead of applying for another IP protocol.

> Well, tunneling UDP
> Packets in a TCP tunnel would dramatically increase the reliance
> :)

Not that much, really. If UDP packets get lost between two nodes, TCP
packets will almost certainly share their fate. The difference between TCP
and UDP is that TCP will notice that packets have been lost and keep trying
to retransmit them, while UDP alone won't. If the connection really is bad,
though, TCP doesn't have any higher chances of success than UDP. And quite
frequently, the application using UDP will take care of TCP's job. This is
true for most, if not all, of the applications that use UDP in a
connection-oriented manner.

Having said all that, I don't know if I'd agree that you shouldn't use TCP
to build tunnels. No reasons are given, unfortunately.

> > - It's got one small config file (and even that causes enough problems
> > to those who don't know - their networking basics).
>
> Without knowledge no one should start :)

Amen!

Cheers
Tobias
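The point made above about UDP applications "taking care of TCP's job" is illustrated by the following toy model, which is an added example and not part of this message or the original thread. It runs a fire-and-forget sender and a stop-and-wait ARQ sender (sequence numbers, acknowledgements, retransmission) over the same constructed lossy channel; the channel, the drop pattern and all function names are hypothetical, and nothing touches a real network.

```python
"""Toy model of application-level reliability over an unreliable datagram
channel. Added example; not code from the mailing-list post. All names and
the loss pattern are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LossyChannel:
    """Drops every datagram whose 1-based send index is in `drop_at`.
    A fixed pattern stands in for real-world loss (constructed data)."""
    drop_at: frozenset
    sent: int = 0

    def deliver(self, datagram: Tuple[int, str]) -> Optional[Tuple[int, str]]:
        self.sent += 1
        if self.sent in self.drop_at:
            return None          # lost in transit
        return datagram


def send_fire_and_forget(payloads: List[str], channel: LossyChannel) -> List[str]:
    """Plain UDP-style delivery: whatever the channel drops is simply gone."""
    received: List[str] = []
    for seq, data in enumerate(payloads):
        dg = channel.deliver((seq, data))
        if dg is not None:
            received.append(dg[1])
    return received


def send_stop_and_wait(payloads: List[str], channel: LossyChannel,
                       max_retries: int = 5) -> Tuple[List[str], int]:
    """Application-level ARQ on top of the same unreliable channel.

    The sender numbers each datagram, waits for an ACK carrying that number
    and retransmits if the ACK does not arrive. The receiver re-ACKs data it
    already holds, so a lost ACK produces a duplicate rather than a gap.
    Returns (delivered payloads, datagrams put on the wire) so the cost of
    reliability is visible next to the benefit.
    """
    received: List[str] = []
    expected = 0                 # receiver's next expected sequence number
    wire_count = 0
    for seq, data in enumerate(payloads):
        for _attempt in range(max_retries + 1):
            wire_count += 1
            dg = channel.deliver((seq, data))
            if dg is None:
                continue         # data lost: timeout, retransmit
            # receiver side: accept in-order data, discard duplicates
            if dg[0] == expected:
                received.append(dg[1])
                expected += 1
            # the ACK crosses the same lossy channel
            wire_count += 1
            if channel.deliver((seq, "ACK")) is not None:
                break            # ACK seen by the sender, move on
        else:
            raise RuntimeError(f"gave up on seq {seq} after {max_retries} retries")
    return received, wire_count


def demo() -> Tuple[List[str], List[str], int]:
    """Run both senders over identical loss and return what each delivered."""
    payloads = ["a", "b", "c", "d"]          # constructed sample data
    drops = frozenset({2, 5})                # constructed loss pattern
    plain = send_fire_and_forget(payloads, LossyChannel(drops))
    reliable, on_wire = send_stop_and_wait(payloads, LossyChannel(drops))
    return plain, reliable, on_wire


if __name__ == "__main__":
    plain, reliable, on_wire = demo()
    print("fire-and-forget delivered:", plain)
    print("stop-and-wait delivered:  ", reliable, "using", on_wire, "datagrams")
```

The fire-and-forget run shows the gap UDP alone leaves; the ARQ run closes it but puts almost three times as many datagrams on the wire for four payloads, which is the trade-off any UDP application that implements its own retransmission accepts. In a real deployment the retransmission would be timer-driven and the ACK logic asynchronous; the synchronous loop here only makes the bookkeeping easy to follow.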
