[pptp-server] PPTP masquerade && MS non-compliance

Charlie Brady charlieb at e-smith.com
Fri Jun 22 13:38:29 CDT 2001


On Fri, 22 Jun 2001, Jamin Collins wrote:

> First, what are good reasons to have multiple connections to the same
> destination?  Second, each connection has overhead associated with it, on
> both ends.  Thus, two client machines routed through a single VPN connection
> to a remote network have a better throughput-to-overhead ratio than both
> clients making their own connections.  As such it is better for the users to
> stick with the current capabilities and look into routing these two systems
> through a single connection.

This discussion started with questions about PPTP masquerade.  In a
masqueraded situation, multiple masqueraded clients can independently
attempt to contact a remote server without any knowledge of each other.
The masquerading server does not have the authentication information to
create a server to remote server route, nor should it create such a route
for all its masqueraded clients, as multiple clients probably don't have
authorization to send or receive packets from that remote server.

It seems reasonable to me for the masquerading server to step back out of
the way and allow each client to individually negotiate authentication and
authorization with the remote server - as long as it can be done reliably
and (moderately) securely. Sure, this is inefficient, and there are other
ways to VPN site to site, but that is not the model that we are
considering here.

-- 

  Charlie Brady                         charlieb at e-smith.com
  http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
  Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
  e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada




