
RE: Bridging non-IP traffic over IPSec



> Please be aware that this FAQ does not go nearly far enough
> in condemning PPTP.  MS-PPTP is just one particularly weak
> version of challenge-hashed-response authentication for
> passwords (CHRAP), in which, according to the FAQ:
>
> 	"Passwords are protected by hash functions
> 	 so badly that most can be easily recovered."
>
> What the FAQ neglects to say, however, is that even a "good"
> implementation of PPTP, like all similar methods based on
> purely symmetric ciphers or hash functions, necessarily
> exposes *lots* of user passwords to brute-force network attack.
> In my view, this is completely unacceptable.

I agree that any PAP- or CHAP-like authentication scheme is weak.  But PAP
and CHAP are PPP protocols and not PPTP.  PPP's EAP, through the use of auth
schemes other than PAP/CHAP, provides for stronger authentication.

Sumit

>
> Given the *many* stronger alternatives today, with IPSEC as
> merely one example, there is just no good excuse to use PPTP
> or any similar CHRAP over an otherwise insecure network.
>
> -------------------------
> David P. Jablon
> Integrity Sciences, Inc.
> dpj@world.std.com
> <http://world.std.com/~dpj/>
>
>


