Date: Wed, 30 Jul 2003 08:50:08 +0200
From: Christophe Prevotaux <c.prevotaux@hexanet.fr>
To: Brett Glass <brett@lariat.org>
Cc: net@freebsd.org
Subject: Re: NAT and PPTP
Message-ID: <20030730085008.341c4393.c.prevotaux@hexanet.fr>
In-Reply-To: <4.3.2.7.2.20030729175603.0395da70@localhost>
References: <4.3.2.7.2.20030724225832.02bd6bc0@localhost> <4.3.2.7.2.20030723233055.02ceaa30@localhost> <4.3.2.7.2.20030724225832.02bd6bc0@localhost> <4.3.2.7.2.20030729175603.0395da70@localhost>
Thanks for answering my email; even though I am not a programmer, I can surely test things out to the best of my abilities.

It would be nice to be able to have something like a pptpd integrated into the FreeBSD tree (STABLE and CURRENT). It would be nice, of course, to be able to set up PPTP tunnels dynamically and not only statically, as is the case right now in mpd (AFAIK).

My own purpose for using this is securing 802.11(whatever) a bit more in a large WISP setup.

One of my questions is how many PPTP or PPPoE sessions can be handled by one FreeBSD box, knowing that each PPTP or PPPoE session has to be traffic-shaped symmetrically or asymmetrically.

So having the ability to shape inbound bandwidth and outbound bandwidth directly inside the pptpd and pppoed through RADIUS, and directly (for some cases) through ppp.conf, would be really nice (it would require having a special dictionary for RADIUS, I think).

I don't know if this is achievable without too much hassle in the current PPP (PPPoE) code, and if it is at all possible in a PPTP environment?

On Tue, 29 Jul 2003 18:17:33 -0600, Brett Glass <brett@lariat.org> wrote:

> Christophe:
>
> Nothing was decided in private e-mail. I'd really like to go for this,
> but will likely need some help analyzing the existing code, abstracting
> the right parts from pppoed and mpd, and gluing everything together.
> That's why I was hoping to ask Archie and Brian for help. The code for
> both is tricky and not well documented.
>
> I do agree that a BSD-licensed pptpd that's made to work with FreeBSD's
> (and NetBSD's, and OpenBSD's) userland PPP is needed. PoPToP is a Linux-
> oriented, GPLed project and cannot be trusted to maintain compatibility
> with the BSDs. (The version in the FreeBSD Ports Collection has serious
> bugs, too, and is far behind the developers' latest version.) What's more,
> professional programmers, or ones who work on BSD-licensed projects, can't
> safely look at the code because it's GPLed and license contamination is
> a serious legal threat.
>
> PPTP is really very close to PPPoE, except that it runs over TCP (for call
> setup and control) and GRE (for the PPP session) rather than raw MAC-layer
> Ethernet. The call control mechanism has no real security, and I've
> always thought it wouldn't be too hard to hijack. PPP over SSH would
> probably be more secure, but Windows doesn't support that and most of us
> need to support Windows clients.
>
> In any event, the most difficult part of PPTP to implement seems to be that
> call control mechanism, which has far more features than necessary. This is
> what would be good to extract from mpd, since I'll bet Archie spent a LOT
> of time figuring out how to do it.
>
> By the way, one thing that surprised me, when I researched it, was that even
> though it's supposedly a secure "tunneling" protocol, there's no requirement
> that a PPTP session actually use encryption. (In fact, several models of
> Linksys routers have a PPTP implementation that does no encryption. This is
> likely to mislead consumers, who will assume that if they're using PPTP they
> have encryption.) On the other hand, PPPoE can be just as secure as PPTP,
> since either can use MPPE to wedge encryption in where PPP normally has
> compression.
>
> By the way, is there BSD-licensed code for the enhanced version of MPPE
> that does both encryption AND compression (I believe it's called MPPC)?
> I understand that Microsoft Windows has it built in, and that it's available
> for Linux as well.
>
> --Brett
>
> At 03:12 AM 7/29/2003, Christophe Prevotaux wrote:
>
> >Hello,
> >
> >Any hopes for anything like a pptpd (like the pppoed)
> >any time soon? Discussion stopped in the thread,
> >so maybe you guys discussed this further privately
> >and decided something?
> >
> >pptpd is a much needed feature nowadays.
> >
> >On Thu, 24 Jul 2003 23:00:45 -0600
> >Brett Glass <brett@lariat.org> wrote:
> >
> >> At 08:50 PM 7/24/2003, Archie Cobbs wrote:
> >>
> >> >I don't have time to do any real work.. however, the PPTP control
> >> >layer can be used pretty much as is.. i.e., the files pptp_ctrl.[ch].
> >> >It has a fairly clean API that any PPP daemon could use, and all they
> >> >require is some kind of event support.
> >>
> >> We wouldn't be doing it quite that way; we'd be using it just to
> >> steer the call through PPP (which wouldn't know that it was PPTP;
> >> it would just think the call was PPP with MPPE on the CCP layer).
> >> So, the PPP implementation wouldn't need to know about PPTP call
> >> control.
> >>
> >> --Brett

-- 
=======================================================================
Christophe Prevotaux          Email:  c.prevotaux@hexanet.fr
HEXANET SARL                  URL:    http://www.hexanet.fr/
Z.A.C Les Charmilles          Tel:    +33 (0)3 26 79 30 05
3 Allée Thierry Sabine        Direct: +33 (0)3 26 61 77 72
BP202                         Fax:    +33 (0)3 26 79 30 06
51686 Reims Cedex 2
FRANCE                        HEXANET Network Operation Center
=======================================================================
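Brett's point above, that nothing in PPTP obliges a session to actually run MPPE, is something a network operator can verify on the wire rather than assume. The Python below is an added example, not code from this thread, from mpd, pppoed or PoPToP: it parses the enhanced GRE header PPTP uses (RFC 2637) and classifies each tunneled PPP frame as MPPE-protected (PPP protocol 0x00FD), negotiation traffic (LCP/CCP/auth, which is in the clear by design), or network-layer data carried without encryption. The packets and call IDs are constructed for the example.

```python
"""Added example: classify GRE-encapsulated PPTP frames by whether the PPP
payload is MPPE-protected or carried in the clear. Sample packets are constructed."""
import struct

GRE_PROTO_PPP = 0x880B   # enhanced GRE protocol type carried by PPTP (RFC 2637)
PPP_MPPE = 0x00FD        # compressed/encrypted datagram: how MPPE-protected data appears

def parse_pptp_gre(pkt: bytes) -> dict:
    """Parse an RFC 2637 enhanced-GRE header and the PPP protocol field after it."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    flags0, flags1, proto, length, call_id = struct.unpack("!BBHHH", pkt[:8])
    # PPTP requires version 1, the K (key) bit set and protocol type 0x880B
    if proto != GRE_PROTO_PPP or (flags1 & 0x07) != 1 or not flags0 & 0x20:
        raise ValueError("not a PPTP enhanced GRE packet")
    off, seq, ack = 8, None, None
    if flags0 & 0x10:            # S bit: sequence number present
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if flags1 & 0x80:            # A bit: acknowledgement number present
        ack, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    payload = pkt[off:off + length]
    if len(payload) != length:
        raise ValueError("payload length mismatch")
    if payload[:2] == b"\xff\x03":   # optional HDLC address/control bytes
        payload = payload[2:]
    if not payload:
        raise ValueError("empty PPP frame")
    # PPP protocol field is one byte when compressed (PFC, low bit set), else two
    if payload[0] & 0x01:
        ppp_proto, body = payload[0], payload[1:]
    else:
        ppp_proto, body = struct.unpack("!H", payload[:2])[0], payload[2:]
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp_proto": ppp_proto, "body": body}

def classify_proto(ppp_proto: int) -> str:
    """'encrypted' for MPPE data, 'control' for negotiation (LCP/CCP/auth, always
    cleartext by design), 'cleartext' for network-layer data sent without MPPE."""
    if ppp_proto == PPP_MPPE:
        return "encrypted"
    if ppp_proto >= 0x8000:      # 0x8xxx NCPs and 0xCxxx LCP/auth: negotiation, not user data
        return "control"
    return "cleartext"

def calls_without_mppe(packets) -> set:
    """Call IDs of tunnels seen carrying user data in the clear: the PPTP-without-
    encryption case the thread warns about, worth alerting on."""
    return {p["call_id"] for p in map(parse_pptp_gre, packets)
            if classify_proto(p["ppp_proto"]) == "cleartext"}

def build_gre(call_id: int, seq: int, ppp_proto: int, body: bytes) -> bytes:
    """Constructed sample packet: K and S bits set, version 1, no ack number."""
    payload = struct.pack("!H", ppp_proto) + body
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, len(payload), call_id, seq) + payload

# Constructed: call 1, HDLC bytes present, PFC-compressed IPv4 protocol field (0x21)
SAMPLE_PFC_CLEARTEXT = bytes.fromhex("3001880b0004000100000000ff032145")
```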