[An e-mail circa 1995. Much has improved, but PPTP and especially Microsoft's awful implementation of it have not.]

Mike --

Seeing that PPTP is Al Rudoph's hot issue, I thought you might want a summary of my research. Free from me to you, to do with as you please.

PPTP is a draft standard, proposed by Ascend, Microsoft, 3Com, and U.S. Robotics to the Internet Engineering Task Force (IETF). The draft can be viewed at http://src.doc.ic.ac.uk/computing/internet/internet-drafts/draft-ietf-pppext-pptp-00.txt.Z

PPTP is a new vehicle for carrying PPP traffic, with a server that offers access to a network on one end, and some dial-up client offering that machine and (potentially) others access to the server's network. As such, it provides one (but only one) "tunnel" for IP and any other network packets desired to be transported between the end-points. The session starts with a handshake exchange of encrypted username/password information, with the client opening TCP port 1723 on the server, and using IP protocol 47.

Encryption and authentication techniques are not addressed by the standard, but are commonly implemented (e.g., in NT 4.0) using weak encryption (specifically, 40-bit RC-4 or DES), with the same key used for authentication also used to encrypt the subsequent session data. Authentication reliability and protection against eavesdropping are (at best) no better than the encryption protocol's strength. Integrity, the third security concern, is addressed at other protocol levels. However....

Aside from encryption strength, the PPTP protocol as described in the draft is vulnerable to playback attacks and substitution (man in the middle attacks). Therefore, it's considered not especially secure even if you were to substitute strong encryption.

That brings us to the NT 4.0 implementation: In Microsoft's words, it provides "limited support" for PPTP. It cannot bridge two LANs, but does just host-to-LAN. Nor can it do multiple connections (forget about San Mateo/Singapore/Hong Kong). Basically, it's a remote-access client-PC protocol with half-baked crypto -- with NetBEUI and IPX/SPX carried along for the ride (but why?).

Here's a damning security analysis of Microsoft's PPTP implementation, from Bruce Schneier of Counterpane Labs and L0pht Heavy Industries: http://www.schneier.com/pptp.html

Contrary to what you'll see widely claimed on the Net, NT 4.0 does not have the only client implementation of PPTP: For Win95, one can add it by installing Microsoft Dial Up Networking v. 1.2. A freeware (and very solid) client with source code is out for Linux, too. See http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP/

At the minimum, Ascend, 3Com, and U.S. Robotics routers include PPTP starting 1997. I have a feeling that everyone does, and without NT 4.0's functionality restrictions. (However, I haven't researched that.)

Alternatives: L2TP, L2F (Cisco's Layer Two Forwarding). SSH is zero-cost, high-security, does not tunnel other protocols. It would be my clear choice for VPN, at the moment. (What's not to like?)

IPv.6 will include "secure" tunnelling (with IPsec), is already in Linux; is a true comprehensive solution (but the Internet isn't yet based on it -- it uses good ol' IPv.4).
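
[Added example, not part of the original e-mail: a classifier for raw IPv4 packets that flags the two flows the message describes, the control connection on TCP port 1723 and the tunnel on IP protocol 47, so that remaining PPTP use on a network can be found and retired. The GRE version and protocol-type check is an assumption taken from RFC 2637, not from the e-mail; the addresses and sample packets are constructed.]

```python
import struct

PPTP_CONTROL_PORT = 1723          # TCP port named in the e-mail
IPPROTO_TCP, IPPROTO_GRE = 6, 47  # 47 is the IP protocol named in the e-mail
GRE_PROTO_PPP = 0x880B            # assumption: enhanced-GRE protocol type (RFC 2637)

def classify_ipv4(packet: bytes) -> str:
    """Label a raw IPv4 packet: pptp-control, pptp-data, gre-other or other."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "other"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "other"            # later fragment: no transport header to inspect
    proto, payload = packet[9], packet[ihl:]
    if len(payload) < 4:
        return "other"            # too short to carry ports or a GRE header
    first, second = struct.unpack("!HH", payload[:4])
    if proto == IPPROTO_TCP:      # first/second are source and destination port
        return "pptp-control" if PPTP_CONTROL_PORT in (first, second) else "other"
    if proto == IPPROTO_GRE:      # first is flags+version, second is protocol type
        is_pptp = (first & 0x0007) == 1 and second == GRE_PROTO_PPP
        return "pptp-data" if is_pptp else "gre-other"
    return "other"

def build_ipv4(proto: int, payload: bytes, frag: int = 0) -> bytes:
    """Wrap payload in a constructed IPv4 header (checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag,
                         64, proto, 0, bytes([192, 0, 2, 10]),
                         bytes([198, 51, 100, 20]))
    return header + payload

def tcp_syn(sport: int, dport: int) -> bytes:
    """Constructed 20-byte TCP SYN header with no options."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, 0x5002, 8192, 0, 0)

# Constructed sample packets, one per case the classifier distinguishes.
SAMPLES = {
    "control": build_ipv4(IPPROTO_TCP, tcp_syn(49152, 1723)),
    "tunnel": build_ipv4(IPPROTO_GRE, struct.pack("!HHHHI", 0x3001, 0x880B, 0, 7, 1)),
    "plain-gre": build_ipv4(IPPROTO_GRE, struct.pack("!HH", 0x0000, 0x0800)),
    "https": build_ipv4(IPPROTO_TCP, tcp_syn(49153, 443)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} {classify_ipv4(pkt)}")
```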