Date: Mon, 28 Dec 1998 03:10:39 -0500
From: Matt White
To: freebsd-current@FreeBSD.ORG
Subject: Re: PPTP and FreeBSD
Message-ID: <4281573128.914814639@DEIMOS.REM.CMU.EDU>
In-Reply-To: <199812272119.QAA13600@o2.cs.rpi.edu>

L2TP is much the same way. The reason for this is that these protocols are not really designed for what we are using them for. Both PPTP and L2TP are ways of tunneling traffic received from a client by an ISP's remote access device back to a corporate network. There is only one control connection per corporate network endpoint. This has the advantage that the end user doesn't have to set anything up on their computer to take advantage of the tunneling...it is done automatically by the RAS. The difficulty is, of course, that arrangements for these tunnels must be made at all possible access points, so I wonder how much L2TP is actually ever going to be used as intended.

As far as the amount of work required to implement L2TP or PPTP, I'm not sure about how bad it would be.
Keep in mind that a good portion of both of these protocols is implemented elsewhere. It might be more of an issue of sewing the right modules together. Not that I'm going to spend the time to do it. My personal feeling is that VPNs are evil and yet another excuse to not properly secure one's systems (firewalls being the last excuse).

-Matt

--On Sunday, December 27, 1998, 4:19 PM -0500 "David E. Cross" wrote:

>> Regardless, we would like a PPTP server running under
>> FreeBSD/Linux/Solaris at this site because we subscribe to a number of
>> services that do security by IP address. Our desire would be more to be
>> able to assign IPs from our address space to roaming users.
>
> I had looked into this in the past, and read the relevant RFCs and MS
> documentation on it. It is a bad joke, all the way around. First it
> uses a modified version of the GRE protocol (that is why I asked about
> GRE support in the kernel way back when), as an encapsulation around the
> PPP packets. It also must have a TCP connection between the client and
> the server to act as a control connection. If that control connection
> is lost for whatever reason, the tunnel is closed. Oh yes, one last
> thing, the GRE portion of the tunnel, where the data actually goes, has an
> ack/nak, sliding window and retransmit system (again, outlined in the MS
> documentation). While I think this would be a good thing to have, just
> to be compatible, and ideally as a part of a larger 'iptunnel' package;
> it is *a lot* of work.
>
> --
> David Cross
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-current" in the body of the message
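The "modified GRE" data channel David describes above (sequence and acknowledgment numbers riding on GRE next to the TCP control connection) is what PPTP calls enhanced GRE, defined in RFC 2637. The parser below is an added example, not code from this thread or from any FreeBSD project; the sample packets are constructed, not captured, and the `is_pptp_gre` helper is a hypothetical name for a filter or IDS-style check.

```python
import struct

PPTP_GRE_PROTO = 0x880B   # protocol type PPTP puts in the GRE header (RFC 2637)

def parse_pptp_gre(pkt: bytes) -> dict:
    """Parse PPTP's enhanced GRE header; returns its fields and the PPP payload."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    hdr = {
        "has_key": bool(b0 & 0x20),   # K: Key field = payload length + call ID
        "has_seq": bool(b0 & 0x10),   # S: sequence number follows (data packet)
        "has_ack": bool(b1 & 0x80),   # A: acknowledgment number follows
        "version": b1 & 0x07,         # enhanced GRE is version 1
        "proto": proto,
        "payload_len": payload_len,
        "call_id": call_id,
    }
    # Plain RFC 1701 GRE (version 0, no key, e.g. proto 0x0800) is not PPTP.
    if hdr["version"] != 1 or not hdr["has_key"] or proto != PPTP_GRE_PROTO:
        raise ValueError("not a PPTP enhanced GRE packet")
    off = 8
    if hdr["has_seq"]:
        hdr["seq"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if hdr["has_ack"]:
        hdr["ack"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    ppp = pkt[off:]
    if len(ppp) < payload_len:
        raise ValueError("declared payload length exceeds packet")
    hdr["ppp"] = ppp[:payload_len]
    return hdr

def is_pptp_gre(pkt: bytes) -> bool:
    """Hypothetical filter check: True if pkt parses as PPTP enhanced GRE."""
    try:
        parse_pptp_gre(pkt)
        return True
    except ValueError:
        return False

# Constructed sample: data packet, call ID 0x1234, seq 5 acking the peer's 3,
# carrying a 5-byte PPP frame (protocol 0x0021 = IP). Not a real capture.
SAMPLE_DATA = bytes.fromhex("3081880b00051234" "00000005" "00000003" "0021616263")
# Constructed sample: ack-only packet (S clear, A set, zero payload length).
SAMPLE_ACK = bytes.fromhex("2081880b00001234" "00000007")
# Constructed sample: plain GRE (version 0, no key) wrapping an IPv4 header.
SAMPLE_PLAIN_GRE = bytes.fromhex("00000800" "45000014")
```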