Subject: Re: NetBSD packages for poptop and mppe for testing
To: None <current-users@netbsd.org>
From: Scott Ellis <scotte@warped.com>
List: current-users
Date: 09/30/1999 09:22:41
Speaking of PPTP, has anyone had any success with a PPTP client (either
via ppp + gre, or the 'pptp for linux' software) connecting to an NT Server?

The pptp client (http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP/)
builds and seems to run w/o incident, but I can't actually get it to connect
properly.  It runs pppd, which then just times out. ;-/

    ScottE

----- Original Message -----
From: "Darrin B. Jewell" <jewell@mit.edu>
To: <current-users@netbsd.org>
Cc: "Darrin B. Jewell" <jewell@mit.edu>
Sent: Thursday, September 30, 1999 1:35 AM
Subject: NetBSD packages for poptop and mppe for testing


>
> I have created two netbsd `packages' for the poptop pptp server and
> microsoft encryption extensions to ppp.  The NetBSD package system
> allows for simple installation and management of third party software
> on the NetBSD operating system.
>
> I am making them available at:
>
>  <URL: ftp://sipb.mit.edu/pub/jewell/poptop.netbsd.pkgsrc.19990930.tgz >
>  <URL: ftp://sipb.mit.edu/pub/jewell/ppp-mppe.netbsd.pkgsrc.19990930.tgz >
>
> I am subscribed to current-users@netbsd.org and
> pptp-server@lists.schulte.org.
> It is probably more useful to hold discussion in one of those forums than
> it is to send me personal mail, unless you have something that needs to be
> incorporated into the package.
>
> Please read the notes below.  In particular, note that the MPPE module
> is not ready for production use.
>
> Enjoy,
> Darrin
>
> Darrin B. Jewell <jewell@mit.edu>  1999-09-30T04:30:19-0400
>
> poptop notes:
>  . The poptop package uses the distribution of poptop pretty much out
>    of the box.  The only significant modification was to accept a
>    configure option to allow the use of an alternate pppd than the one
>    shipped with NetBSD.
>  . Setting POPTOP_USE_MPPE=yes in /etc/mk.conf will cause poptop to use
>    the ppp-mppe package to support microsoft point to point encryption.
>  . Your kernel should not be compiled with any gre(4) devices.  Comment
>    out lines like this from your kernel config file:
>     #pseudo-device gre 2 # generic L3 over IP tunnel
>    It might be useful at some point to have pptpd be able to use the built
>    in netbsd gre(4) driver, but at the moment it will just keep them from
>    getting to the pptpd.
>
> ppp-mppe notes:
>  . This is not yet ready for production use, but does work well enough that
>    I could bring up an encrypted connection from an NT client to a NetBSD
>    server.  Still, it is easy to crash.  Feel free to fix.
>  . Provides a replacement pppd and a loadable kernel module (lkm)
>      which provides the mppe encryption.  Alternately, it could be compiled
>      into the kernel if you know what you are doing and don't want to use
>      a lkm.
>  . It is based on the linux mppe ppp patches available from the poptop web
>      site.
>  . It uses ppp-2.3.9 and openssl-0.9.2b
>  . STAC LZS compression is not included.
>  . I test it on a netbsd-1.4.1 server with an NT client, but it should work
>       on -current as well.  I don't really use it myself, which is one
>       reason that I'm making it available even though it isn't really ready.
>  . In order to use 128 bit encryption, you probably need to increase the
>      value of CCP_MAX_OPTION_LENGTH from 32 (64 is a good value, but 35
>      should be minimal) in /sys/net/ppp-comp.h and rebuild
>      your kernel.  Otherwise, there isn't enough room to transfer the keys
>      from the pppd to the kernel module.
>  . Your kernel config file should have at least these:
>      options PPP_FILTER # Active filter support for PPP (requires bpf)
>      pseudo-device ppp 2 # Point-to-Point Protocol
>  . The lkm pretty much misuses the ppp compression/decompression hooks
>      to perform its encryption.  This creates a few bugs, some of which are
>      security related.  Know that MPPE is not particularly secure.
>      (<==notice!)
>  . Doesn't deal correctly with the ppp mtu because MPPE expands the packet
>      size.
>  . Is easy to crash.  It doesn't successfully recover from lost packets
>      or decryption failure.  I can immediately cause it to hang
>      by doing a `ping -s 50000 -c 1 remote-ip'.  Fixes are appreciated,
>      I cannot guarantee that I will address problems myself.
>  . Lacks documentation.  UTSL.
>  . The patches provided in the package are roughly divided into these groups
>      patch-a* -- sync ppp-2.3.9 to netbsd-current
>      patch-b* -- add mppe to ppp-2.3.9
>      patch-c* -- creates a lkm for mppe that works with the ppp already in
>                   the kernel.
>      patch-d* -- misc tweaks to deal with various netbsd kernel versions,
>                   compiling as a package, and a non-function ppp lkm.
>                   (See source for details.)
>  . requires the kernel source to be present to compile.  This is due to
>      the issues discussed in netbsd PR 5377.
>  . Makes a gross assumption about an internal structure in the pcap library
>      to do ppp filtering.  This allows the package to build without the
>      complete netbsd source code tree online.
>
> References:
>   NetBSD:
>    <URL: http://www.netbsd.org >
>
>   The NetBSD package system:
>    <URL: http://www.netbsd.org/Documentation/software/packages.html >
>
>   The PoPToP pptp server:
>    <URL: http://www.moretonbay.com/vpn/pptp.html >
>
>   Microsoft VPN software:
>    <URL: http://www.microsoft.com/technet/network/vpntwk/vpntwk.htm >
>
>   Point to Point Networking standards:
>    <URL: http://www.ietf.org/html.charters/pppext-charter.html >
>
>   Unix PPP implementation:
>    <URL: ftp://cs.anu.edu.au/pub/software/ppp/ >
>