Point-to-point tunneling protocol

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP does not itself provide confidentiality or encryption; it relies on the protocol being tunneled (PPP) to provide privacy. Layer 2 Tunneling Protocol (L2TP) and IPsec may one day obsolete PPTP; however, it currently remains quite popular.

PPTP specification

A specification for PPTP was published as RFC 2637. PPTP has not been proposed or ratified as a standard by the IETF.

PPTP works by sending a regular PPP session to the peer using the Generic Routing Encapsulation (GRE) protocol. A second session on TCP port 1723 is used to initiate and manage the GRE session. PPTP is difficult to forward past a network firewall because it requires these two network sessions: a firewall that does not pass both the TCP control connection and the GRE traffic prevents the tunnel from connecting.

PPTP connections are authenticated with Microsoft MSCHAP-v2 or EAP-TLS. VPN traffic is optionally protected by Microsoft Point-to-Point Encryption (MPPE), which is described by RFC 3078.

PPTP lets multi-protocol traffic be encrypted and encapsulated in an IP header and then sent across an IP network, or a public IP network such as the Internet. You can use PPTP for remote access and site-to-site VPN connections. When using the Internet as the VPN public network, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a second interface on the intranet.

Encapsulation: PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses a TCP connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. Payloads of the encapsulated PPP frames can be encrypted, compressed, or both.
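The two sessions described above (the TCP port 1723 control connection and the GRE-encapsulated PPP data) are what a firewall must pass and what a network monitor sees. The following added example, which is not part of the original article, parses the PPTP control message header and the enhanced GRE header defined in RFC 2637 and classifies captured records so a defender can confirm both halves of a PPTP session are visible (or spot that only one half made it through a firewall). The packet bytes, addresses and record layout are constructed for the example.

```python
import struct

# Constants from RFC 2637. The sample traffic further down is constructed, not captured.
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_CONTROL_PORT = 1723          # TCP port of the control connection
IP_PROTO_GRE = 47                 # IP protocol number carrying the data tunnel
GRE_PPP_PROTOCOL_TYPE = 0x880B    # protocol type of PPP inside enhanced GRE

CONTROL_MESSAGE_NAMES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "Set-Link-Info",
}


def parse_pptp_control_header(payload):
    """Parse the 12-byte header shared by all PPTP control messages.

    Layout: Length(2) | PPTP Message Type(2) | Magic Cookie(4) |
            Control Message Type(2) | Reserved0(2).
    Returns a dict, or None when the bytes are not a PPTP control message.
    """
    if len(payload) < 12:
        return None
    length, msg_type, cookie, ctrl_type, _reserved = struct.unpack("!HHIHH", payload[:12])
    if cookie != PPTP_MAGIC_COOKIE or msg_type != 1:   # type 1 = control message
        return None
    if length < 12 or length > len(payload):
        return None  # truncated or inconsistent length field
    return {"length": length, "control_type": ctrl_type,
            "name": CONTROL_MESSAGE_NAMES.get(ctrl_type, "Unknown")}


def parse_enhanced_gre_header(packet):
    """Parse the enhanced GRE header that carries the tunneled PPP frames.

    Byte 0: C R K S s Recur(3)   Byte 1: A Flags(4) Ver(3)
    Then Protocol Type(2), Payload Length(2), Call ID(2),
    optional Sequence Number(4) if S is set, optional Ack Number(4) if A is set.
    """
    if len(packet) < 8:
        return None
    flags, ver_byte, proto, payload_len, call_id = struct.unpack("!BBHHH", packet[:8])
    key_present, seq_present = bool(flags & 0x20), bool(flags & 0x10)
    ack_present, version = bool(ver_byte & 0x80), ver_byte & 0x07
    # PPTP requires the Key field, GRE version 1 and PPP as the carried protocol.
    if proto != GRE_PPP_PROTOCOL_TYPE or version != 1 or not key_present:
        return None
    offset, seq, ack = 8, None, None
    if seq_present:
        if len(packet) < offset + 4:
            return None
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if ack_present:
        if len(packet) < offset + 4:
            return None
        ack = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    ppp = packet[offset:offset + payload_len]
    if len(ppp) != payload_len:
        return None  # payload shorter than the header claims
    return {"call_id": call_id, "payload_length": payload_len, "seq": seq, "ack": ack, "ppp": ppp}


def classify_record(record):
    """Label one record as 'pptp-control', 'pptp-data' or None.

    record = (src, dst, ip_proto, dst_port, payload); ip_proto 6 = TCP, 47 = GRE.
    """
    _src, _dst, ip_proto, dst_port, payload = record
    if ip_proto == 6 and dst_port == PPTP_CONTROL_PORT and parse_pptp_control_header(payload):
        return "pptp-control"
    if ip_proto == IP_PROTO_GRE and parse_enhanced_gre_header(payload):
        return "pptp-data"
    return None


def summarize(records):
    """Report which of the two PPTP sessions were observed, so a firewall or
    monitoring gap (control seen but no GRE, or the reverse) stands out."""
    report = {"control_messages": [], "data_call_ids": set(), "other": 0}
    for rec in records:
        kind = classify_record(rec)
        if kind == "pptp-control":
            report["control_messages"].append(parse_pptp_control_header(rec[4])["name"])
        elif kind == "pptp-data":
            report["data_call_ids"].add(parse_enhanced_gre_header(rec[4])["call_id"])
        else:
            report["other"] += 1
    report["both_sessions_seen"] = bool(report["control_messages"]) and bool(report["data_call_ids"])
    return report


# --- Constructed sample traffic (hypothetical addresses, not a real capture) ---
# Start-Control-Connection-Request: 12-byte header + 144-byte body = 156 bytes.
SCCRQ = (struct.pack("!HHIHH", 156, 1, PPTP_MAGIC_COOKIE, 1, 0)
         + struct.pack("!HHIIHH", 0x0100, 0, 1, 1, 1, 0)   # version 1.0, caps, channels, fw rev
         + b"client-host".ljust(64, b"\0") + b"example-vendor".ljust(64, b"\0"))
# Echo-Request: header + 4-byte identifier = 16 bytes.
ECHO_REQ = struct.pack("!HHIHH", 16, 1, PPTP_MAGIC_COOKIE, 5, 0) + struct.pack("!I", 0x1234)
# Enhanced GRE (K,S,A set) carrying a constructed 8-byte PPP LCP frame: call ID 1, seq 1, ack 0.
PPP_FRAME = b"\xff\x03\xc0\x21\x01\x01\x00\x04"
GRE_DATA = struct.pack("!BBHHHII", 0x30, 0x81, GRE_PPP_PROTOCOL_TYPE, len(PPP_FRAME), 1, 1, 0) + PPP_FRAME

SAMPLE_RECORDS = [
    ("10.0.0.5", "203.0.113.10", 6, 1723, SCCRQ),
    ("10.0.0.5", "203.0.113.10", 6, 1723, ECHO_REQ),
    ("10.0.0.5", "203.0.113.10", 47, None, GRE_DATA),
    ("10.0.0.5", "203.0.113.10", 6, 443, b"\x16\x03\x01\x00\x05hello"),  # unrelated TLS bytes
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```

A capture in which `control_messages` is populated but `data_call_ids` stays empty is the symptom the paragraph above describes: the TCP 1723 session got through, the GRE session did not, and the client cannot connect. The magic cookie and message type checks keep unrelated traffic on port 1723 from being mislabelled.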

Encryption: The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) using encryption keys generated from the MS-CHAPv2 or EAP-TLS authentication process. VPN clients must use the MS-CHAPv2 or EAP-TLS authentication protocol so that the payloads of PPP frames can be encrypted. PPTP takes advantage of the underlying PPP encryption and encapsulates a previously encrypted PPP frame.

The protocol was developed by a vendor consortium formed by Microsoft, Ascend Communications (today part of Alcatel-Lucent), 3COM, and others, as described by the RFC document.[1]

MSCHAP-v2 can be compromised if users choose weak passwords. The certificate-based EAP-TLS provides a superior security option for PPTP.

PPTP implementations

PPTP is popular because it is easy to configure and it was the first VPN protocol that was supported by Microsoft Dial-up Networking. All releases of Microsoft Windows since Windows 95 OSR2 are bundled with a PPTP client, although they are limited to only 2 concurrent outbound connections. The Routing And Remote Access Service for Microsoft Windows contains a PPTP server.

Until recently, Linux distributions lacked full PPTP support because MPPE was believed to be patent encumbered. Full MPPE support was added to the Linux 2.6.13 branch that is maintained by Andrew Morton. SuSE Linux 10 was the first Linux distribution to provide a complete working PPTP client. Official support for PPTP was added to the official kernel release in version 2.6.14 on October 28, 2005.

Mac OS X (including the version loaded on the iPhone) is bundled with a PPTP client. Cisco and Efficient Networks sell PPTP clients for older Mac OS releases. Palm PDA devices with Wi-Fi are bundled with the Mergic PPTP client.[citation needed]

Microsoft Windows Mobile 2003 and higher also support the PPTP protocol.

Windows Vista and later support the use of PEAP with PPTP. The authentication mechanisms supported are PEAPv0/EAP-MSCHAPv2 (passwords) and PEAP-TLS (smartcards and certificates).

PPTP security concerns

"Security concerns have dogged PPTP since its inception. It is the author’s opinion that PPTP is inherently insecure because there are too many unauthenticated control packets that are readily spoofed."[2]

A typical upgrade path for PPTP is L2TP/IPsec. The adoption of improved VPN technologies has been slow because PPTP is convenient and easy to configure, whereas L2TP/IPsec requires a shared key or machine certificates. Another reason is that the IOS image on Cisco routers may need to be changed to a crypto version, which may require upgrading the hardware.

Copyright: This article is licensed under the Creative Commons Attribution/Share-Alike License. It uses material from the Wikipedia article "Point-to-point tunneling protocol".