Fw: [pptp-server] Managing multiple authentication domains
mike at bayoffice.net
mike at bayoffice.net
Fri May 5 12:16:02 CDT 2000
On Thu, 4 May 2000, Terrelle Shaw wrote:
>
> Then why don't you create the vpn "ip's" on a network that you use access
> lists or routes to keep them from going where you dont want them too?
>
I don't think I've made the problem clear -
Single | |---10.1.1.0/24
public | poptop|
--------| server|---10.1.2.0/24
ip addr | |
| |---10.1.3.0/34
The poptop server is a router connected to many networks as shown
here. The challenge is that users who connect to the poptop server should
only be assigned 'local' and 'remote' addresses which fall within the
range of their assigned network. Packet filtering and vlan technology
enforces this seperation once packets are leaving the router, but it's
mission critical that clients are given the right addresses in the first
place. So you can see, access lists or routing table entries isn't going
to fix the underlaying problem - the client must be given the right
addresses and cannot be trusted to just get it right on their own. That
trust would amount to having zero access security as all it would take for
someone to access another network thru our router would be simply to
reconfigure their end, and this is unacceptable.
John Van Ostrand had the suggestion to simply run multiple copies
of the pptpd. That's _almost_ a solution (although I hate blowing off
multiple public IP's for this application). The problem however is the
chap-secrets file, which is shared by all invocations of pppd. This means
that any user listed in chap-secrets could connect to any of the running
pptpd's, thus bypassing access controls again.
The binding between credentials and ip assignement needs to be
stong and not dependent on anything the user does or does not do. My take
is that the thinking has been that a poptop server would be serving only
one authentication domain (meaning that certain assumtions are true, such
as uniqueness of DOMAIN\\username and trustworthyness of the users with
respect to their access to ip ranges from the server). Since I'm more
directly affected by this issue, I may want to think about patching
poptop/pppd to accomplish this end.
Some thoughts in the direction would include allowing poptop to
specify the base directory for the options/chap-secrets files to use for
'this' connection. This would enhance the listen-on-multiple-ip-address
idea so that I could give certain clients a different ip address to vpn in
to.
--
Mike Ireton
Senior Systems Engineer
Bay Office Net - http://www.bayoffice.net
Voice (415) 643-8700 "Where do you want to go today?"
Fax (415) 643-8777 With Linux, I'm already there....
More information about the pptp-server
mailing list