[pptp-server] Linux NAT support PPTP packet editor/filter?

Chuck Flink cwf at infosecana.com
Thu Nov 18 17:01:48 CST 1999


Thanks, Emir.

You remind us all of one of the arguments justifying PPTP and
L2TP.  The point is that IPsec deals with a security domain
defined strongly by IP addresses.  NAT is philosophically
aimed at what is central to IPsec security.  PPTP (and some
forms of L2TP) has PPP as the "tunneled" protocol.  It is
only because PPP can carry IP that PPTP tunnels IP at all.
This has the advantage of moving the endpoints of the security
domain to the PPTP gateway machines.  The NAT is no
longer a key component in the security analysis of the
"tunneled" address space, though it still protects the home
LAN on which the tunnel end point (PCa) is located.

Of course, as a side effect of using PPP as the tunneled protocol,
PPTP/L2TP can also carry NetBEUI, IPX and theoretically
any protocol which PPP can carry.

I guess I was too quick to say I'd rather use IPsec than PPTP.

Certainly the IPsec standard is FAR more analyzed and
understood than PPTP, but the security perimeter it supports
in the case in question ends up opening the work domain to
greater risk by exposing it to all PCs on the LAN, not just
the one that I want accessing the work domain.

Interesting business, isn't it?

-Chuck

----- Original Message -----
From: "Toktar, Emir" <EMIR.TOKTAR at bra.xerox.com>
To: "'geoff nordli'" <geoff at gnaa.net>; "'tmk'" <tmk at netmagic.net>; "'Chuck Flink'" <cwf at att.net>; <pptp-server at lists.schulte.org>
Sent: Thursday, November 18, 1999 8:00 AM
Subject: RE: [pptp-server] Linux NAT support PPTP packet editor/filter?


> Be careful!!
>
> > If you want to do IPSEC with NAT you have to include the IPSEC
> > MASQ
>
> Refs: A Comprehensive Guide to Virtual Private Networks, IBM.
> Virtual Private Networking: An Overview White Paper - DRAFT, 3/18/98
> Microsoft.
> "...
> The weakness of NAT in context to VPNs is that by definition the NAT-enabled
> machine will change some or all of the address information in an IP packet.
>
> When end-to-end IPSec authentication is used, a packet whose address has
> been changed will always fail its integrity check under the AH protocol,
> since any change to any bit in the datagram will invalidate the integrity
> check value that was generated by the source.
> Within the IETF, there is a working group that is looking at the deployment
> issues surrounding NAT. This group has been advised by the Internet
> Engineering Steering Group (IESG) that the IETF will not endorse any
> deployment of NAT that would lead to weaker security than can be obtained
> when NAT is not used. Since NAT makes it impossible to authenticate a packet
> using IPSec's AH protocol, NAT should be considered as a temporary measure
> at best, but should NOT BE pursued as a long term solution to the addressing
> problem when dealing with secure VPNs.
> IPSec protocols offer some solutions to the addressing issues that were
> previously handled with NAT.
> ..."
>
>
>
> Refs:  ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
> "...
> VPN Masquerade is the part of IP Masquerade which enables you to use
> IPsec-based and PPTP-based Virtual Private Network clients from behind a
> shared-access firewall.
>
> This is primarily used for masquerading IPsec and PPTP VPN clients:
> IPsec
> Client -.
>         |   Linux                                  IPsec
> PPTP   -+-> Masq and --> Internet --> Firewall --> or PPTP
> Client  |   Firewall                               Server
>         |
> Others -+
>         |
> No other software is needed to masquerade VPN clients.
> It can also be used to provide access to a Private Network IPsec or PPTP
> server behind a Linux firewall...
> IPsec                    Linux        Private-IP
> or PPTP --> Internet --> Firewall --> PPTP or IPsec
> Client                                Server
> ...
> But,...
> The IPsec AH protocol (51/ip) incorporates a cryptographic checksum
> including the IP addresses in the IP header. Since masquerading changes
> those IP addresses and since the cryptographic checksum cannot be
> recalculated by the masquerading firewall, the masqueraded packets will fail
> the checksum test and will be discarded by the remote IPsec gateway.
> Therefore, IPsec implementations that use the AH protocol cannot be
> successfully masqueraded. Sorry.
> ..."
>
>
>
> Regards
>
>
> Emir Toktar
>
> +55 (**41) 340-7157
> emir.toktar at bra.xerox.com
> toktar at per.com.br
> toktar at ppgia.pucpr.br
>
> -----Original Message-----
> From: geoff nordli [mailto:geoff at gnaa.net]
> Sent: Wednesday, November 17, 1999 11:47 PM
> To: 'tmk'; 'Chuck Flink'; pptp-server at lists.schulte.org
> Subject: RE: [pptp-server] Linux NAT support PPTP packet editor/filter?
>
>
> If you want to do IPSEC with NAT you have to include the IPSEC
> MASQ
>
> ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
>
> There is a section in there where it talks about masq and IPSEC.
>
> Geoff Nordli
>
> > Desired:  Linux configuration on PCb with similar functionality.
>
> linux masq + pptp masq module will do exactly this.
>
> > I believe IPsec / L2TP cannot be filtered / edited to pass through
> > NAT gateways like PPTP can.... correct me if I'm wrong.  I'd
> > prefer to use the more open IPsec standard if it could be made
> > to be as transparent as PPTP.
>
> i believe ipsec encrypts everything (that is useful to NAT) but the dest
> address, so masq won't do ipsec to my knowledge.
>
> Kevin
>
>
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulte.org!
>

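Added example, not from any message in this thread: a small Python model of the IPsec AH (IP protocol 51) integrity check from RFC 2402/2404, showing why a router hop that decrements TTL still verifies while a masquerading gateway's source-address rewrite does not. The key, addresses, SPI and payload are constructed for the demonstration.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed demo key (not a real SA key); HMAC-SHA1-96 per RFC 2404.
KEY = b"constructed-demo-key-not-real"
AH_LEN = 24  # AH header: 12 bytes fixed fields + 12-byte ICV

def build_ipv4_header(src, dst, total_len, ttl=64, proto=51):
    # Version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def immutable_ipv4_header(hdr):
    # RFC 2402 Appendix A: TOS, flags, fragment offset, TTL and header
    # checksum are mutable in transit and are zeroed before ICV computation.
    # Source and destination addresses are NOT zeroed: they are covered.
    b = bytearray(hdr)
    b[1] = 0                 # TOS
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)

def ah_icv(hdr, ah_fixed, payload):
    # ICV = HMAC-SHA1 truncated to 96 bits over: immutable IP header ||
    # AH header with ICV field zeroed || payload
    data = immutable_ipv4_header(hdr) + ah_fixed + b"\x00" * 12 + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def build_ah_packet(src, dst, payload, spi=0x100, seq=1):
    hdr = build_ipv4_header(src, dst, 20 + AH_LEN + len(payload))
    # Next header 17 (UDP), Payload Len = AH_LEN/4 - 2 = 4, reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", 17, 4, 0, spi, seq)
    return hdr + ah_fixed + ah_icv(hdr, ah_fixed, payload) + payload

def verify_ah(pkt):
    hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, ah_icv(hdr, ah_fixed, payload))

def router_hop(pkt):
    # An ordinary router decrements TTL, a mutable field: still verifies.
    b = bytearray(pkt); b[8] -= 1; return bytes(b)

def nat_rewrite_source(pkt, new_src):
    # A NAT/masquerading gateway rewrites the source address, which the
    # ICV covers, so the remote gateway will discard the packet.
    b = bytearray(pkt); b[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(b)
```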