Re: [suse-security] VPN with pptp
  • From: Mark Wassermann <mwassermann@xxxxxxxxx>
  • Date: Fri, 14 Jun 2002 11:10:21 +0200
  • Message-id: <3D09B2FD.7040404@xxxxxxxxx>
hi all

to add another view to this
what if you have a provider that does not route type 50 packets?
you have to use cipe!
I myself use it - and it's ok


Steffen Dettmer wrote:

* Peter van den Heuvel wrote on Thu, Jun 13, 2002 at 11:55 +0200:

the install script does everything for you; patch the kernel,
build & install it :-)

The less kernel patches required, the better I like it.

But the origin of the patches is more important :)

The simpler it is the better I like it (both from a maintenance as well
as a security point of view).

That is an important point I think! But IPSec is straight-forward,
but of course you need to read half a page about IPSec to
understand it. Well, there are multiple "modes" for IPSec
operation and so on, at least here is potential for
misconfigurations or such.

Complex -> much code -> many bugs.

This rule is definitely wrong. The number (and kind) of bugs
depends on the quality, which itself depends on the software
creation processes. And many small "hacked-in" things are
horrible :)

Much configuration -> much time and many mistakes that are hard
to find.

Yes, this is correct. But you cannot implement a solution which
is easier than the problem, usually ;) Well, VPN is not a
trivial theme, even if M$ and all that stuff suggest so. If you
use simple protocols, maybe they are just so simple since they
are bad by design?

Also have a look at cipe.
- It's not a standard (no co-op with Cisco and friends).
- It's a module without kernel patches.

What is the difference from a kernel patch? A module runs in
kernel space and has access to any resource, and a wild pointer
can happily crash your system.

- It runs on most Microsoft platforms.

Well, for Win it may be ok, and insecure VPN for insecure
systems :) SCNR.

- It uses UDP for transport (never use TCP for serious tunnelling).

Hum, why UDP? IPSec uses protocol 50,51 IIRC. Well, tunneling UDP
packets in a TCP tunnel would dramatically increase the reliance

- It's got one small config file (and even that causes enough problems
to those who don't know - their networking basics).

Without knowledge no one should start :)
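The thread's practical point is that a provider which drops IP protocol 50/51 silently breaks IPsec (ESP/AH), while a UDP-carried tunnel such as cipe still passes. The following is an added example, not code from this thread or from the cipe project: it parses minimal IPv4 headers and classifies each packet by tunnel transport, so a defender can see from a capture which kind of traffic is leaving the host. All packets, addresses and port numbers are constructed test data, not cipe defaults.

```python
import struct

# IP protocol numbers named in the thread: UDP (cipe's transport),
# ESP (50) and AH (51), the two IPsec protocols a provider may filter.
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51


def build_ipv4(proto: int, payload: bytes, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Construct a minimal IPv4 packet (20-byte header, no options, zero checksum).
    Used only to build test input; addresses are constructed placeholders."""
    def ip2b(a):
        return bytes(int(x) for x in a.split("."))
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      ip2b(src), ip2b(dst))
    return hdr + payload


def udp_header(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct an 8-byte UDP header (zero checksum) in front of a payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet: bytes) -> str:
    """Classify an IPv4 packet by the tunnel transport it carries.
    ESP/AH packets are what an upstream that filters protocol 50/51 will drop;
    UDP-carried tunnels survive such filtering."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4        # header length in bytes
    proto = packet[9]                   # IPv4 protocol field
    if proto == PROTO_ESP:
        return "ipsec-esp"
    if proto == PROTO_AH:
        return "ipsec-ah"
    if proto == PROTO_UDP:
        if len(packet) < ihl + 8:
            return "truncated-udp"
        _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return f"udp-tunnel-port-{dport}"
    return f"other-proto-{proto}"


def count_by_transport(packets) -> dict:
    """Summarise a capture: how many packets use each transport."""
    counts = {}
    for p in packets:
        kind = classify(p)
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

If a capture taken on the provider side of the link shows ESP packets leaving but nothing returning, while the same count run on UDP tunnel traffic shows both directions, the thread's "provider does not route type 50" diagnosis is confirmed.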