Mailinglist Archive: opensuse-security (499 mails)

Re: [suse-security] VPN with pptp
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Fri, 14 Jun 2002 10:22:38 +0200
  • Message-id: <20020614102238.C5455@xxxxxxxxx>
* Peter van den Heuvel wrote on Thu, Jun 13, 2002 at 11:55 +0200:
> > the install script does everything for you; patch the kernel,
> > build & install it :-)
> The less kernel patches required, the better I like it.

But the origin of the patches are more important :)

> The simpler it is the better I like it (both from a maintenance as well
> as a security point of view).

That is an important point, I think! IPSec is straightforward,
but of course you need to read half a page about IPSec to
understand it. Well, there are multiple "modes" for IPSec
operation and so on; at least there is potential for
misconfigurations or such.

> Complex -> much code -> many bugs.

This rule is definitely wrong. The number (and kind) of bugs
depends on the quality, which itself depends on the software
creation processes. And many small "hacked-in" things are
horrible :)

> Much configuration -> much time and many mistakes that are hard
> to find.

Yes, this is correct. But you cannot implement a solution which
is easier than the problem, usually ;) Well, VPN is not a
trivial theme, even if M$ and all that stuff suggest so. If you
use simple protocols, maybe they are just so simple because they
are bad by design?

> Also have a look at cipe.
> - It's not a standard (no co-op with Cisco and friends).
> - It's a module without kernel patches.

What is the difference from a kernel patch? A module runs in
kernel space and has access to any resource, and a wild pointer
can happily crash your system.

> - It runs on most Microsoft platforms.

Well, for Win it may be OK, an insecure VPN for insecure
systems :) SCNR.

> - It uses UDP for transport (never use TCP for serious tunnelling).

Hum, why UDP? IPSec uses protocols 50 and 51 IIRC. Well, tunneling UDP
packets in a TCP tunnel would dramatically increase the reliance
:)

> - It's got one small config file (and even that causes enough problems
> to those who don't know - their networking basics).

Without knowledge no one should start :)

oki,

Steffen

--
This message was generated by machine;
it therefore bears neither signature nor seal.
