Subject: Re: NetBSD packages for poptop and mppe for testing
To: None <current-users@netbsd.org>
From: Scott Ellis <scotte@warped.com>
List: current-users
Date: 09/30/1999 09:22:41
Speaking of PPTP, has anyone had any success with a PPTP client (either
via ppp + gre, or the 'pptp for linux' software) connecting to an NT Server?
The pptp client (http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP/)
builds and seems to run w/o incident, but I can't actually get it to connect
properly. It runs pppd, which then just times out. ;-/
ScottE
----- Original Message -----
From: "Darrin B. Jewell" <jewell@mit.edu>
To: <current-users@netbsd.org>
Cc: "Darrin B. Jewell" <jewell@mit.edu>
Sent: Thursday, September 30, 1999 1:35 AM
Subject: NetBSD packages for poptop and mppe for testing
>
> I have created two netbsd `packages' for the poptop pptp server and
> microsoft encryption extensions to ppp. The NetBSD package system
> allows for simple installation and management of third party software
> on the NetBSD operating system.
>
> I am making them available at:
>
> <URL: ftp://sipb.mit.edu/pub/jewell/poptop.netbsd.pkgsrc.19990930.tgz >
> <URL: ftp://sipb.mit.edu/pub/jewell/ppp-mppe.netbsd.pkgsrc.19990930.tgz >
>
> I am subscribed to current-users@netbsd.org and pptp-server@lists.schulte.org.
> It is probably more useful to hold discussion in one of those forums than
> it is to send me personal mail, unless you have something that needs to be
> incorporated into the package.
>
> Please read the notes below. In particular, note that the MPPE module
> is not ready for production use.
>
> Enjoy,
> Darrin
>
> Darrin B. Jewell <jewell@mit.edu> 1999-09-30T04:30:19-0400
>
> poptop notes:
> . The poptop package uses the distribution of poptop pretty much out
> of the box. The only significant modification was to accept a
> configure option to allow the use of an alternate pppd than the one
> shipped with NetBSD.
> . Setting POPTOP_USE_MPPE=yes in /etc/mk.conf will cause poptop to use
> the ppp-mppe package to support microsoft point to point encryption.
> . Your kernel should not be compiled with any gre(4) devices. Comment
> out lines like this from your kernel config file:
> #pseudo-device gre 2 # generic L3 over IP tunnel
> It might be useful at some point to have pptpd be able to use the built
> in netbsd gre(4) driver, but at the moment it will just keep them from
> getting to the pptpd.
>
> ppp-mppe notes:
> . This is not yet ready for production use, but does work well enough that
> I could bring up an encrypted connection from an NT client to a NetBSD server.
> Still, it is easy to crash. Feel free to fix.
> . Provides a replacement pppd and a loadable kernel module (lkm)
> which provides the mppe encryption. Alternately, it could be compiled
> into the kernel if you know what you are doing and don't want to use a lkm.
> . It is based on the linux mppe ppp patches available from the poptop web site.
> . It uses ppp-2.3.9 and openssl-0.9.2b
> . STAC LZS compression is not included.
> . I test it on a netbsd-1.4.1 server with an NT client, but it should work
> on -current as well. I don't really use it myself, which is one
> reason that I'm making it available even though it isn't really ready.
> . In order to use 128 bit encryption, you probably need to increase the
> value of CCP_MAX_OPTION_LENGTH from 32 (64 is a good value, but 35
> should be minimal) in /sys/net/ppp-comp.h and rebuild
> your kernel. Otherwise, there isn't enough room to transfer the keys
> from the pppd to the kernel module.
> . Your kernel config file should have at least these:
> options PPP_FILTER # Active filter support for PPP (requires bpf)
> pseudo-device ppp 2 # Point-to-Point Protocol
> . The lkm pretty much misuses the ppp compression/decompression hooks
> to perform its encryption. This creates a few bugs, some of which are
> security related. Know that MPPE is not particularly secure. (<==notice!)
> . Doesn't deal correctly with the ppp mtu because MPPE expands the packet size.
> . Is easy to crash. It doesn't successfully recover from lost packets
> or decryption failure. I can immediately cause it to hang
> by doing a `ping -s 50000 -c 1 remote-ip'. Fixes are appreciated,
> I cannot guarantee that I will address problems myself.
> . Lacks documentation. UTSL.
> . The patches provided in the package are roughly divided into these groups
> patch-a* -- sync ppp-2.3.9 to netbsd-current
> patch-b* -- add mppe to ppp-2.3.9
> patch-c* -- creates a lkm for mppe that works with the ppp already in
> the kernel.
> patch-d* -- misc tweaks to deal with various netbsd kernel versions,
> compiling as a package, and a non-functional ppp lkm.
> (See source for details.)
> . requires the kernel source to be present to compile. This is due to
> the issues discussed in netbsd PR 5377.
> . Makes a gross assumption about an internal structure in the pcap library
> to do ppp filtering. This allows the package to build without the
> complete netbsd source code tree online.
>
> References:
> NetBSD:
> <URL: http://www.netbsd.org >
>
> The NetBSD package system:
> <URL: http://www.netbsd.org/Documentation/software/packages.html >
>
> The PoPToP pptp server:
> <URL: http://www.moretonbay.com/vpn/pptp.html >
>
> Microsoft VPN software:
> <URL: http://www.microsoft.com/technet/network/vpntwk/vpntwk.htm >
>
> Point to Point Networking standards:
> <URL: http://www.ietf.org/html.charters/pppext-charter.html >
>
> Unix PPP implementation:
> <URL: ftp://cs.anu.edu.au/pub/software/ppp/ >
>
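The ppp-mppe notes above list three things to check before the lkm can be expected to load and pass 128-bit keys: no active gre(4) pseudo-device, `options PPP_FILTER` plus `pseudo-device ppp` in the kernel config, and CCP_MAX_OPTION_LENGTH raised from 32 to at least 35 in /sys/net/ppp-comp.h. The POSIX shell script below is an added example, written for this thread rather than taken from either mail or from the poptop / ppp-mppe packages. It audits a kernel config file and a copy of ppp-comp.h against those notes. The sample config fragments and header stubs it writes into a temporary directory are constructed for the demonstration; the line patterns it matches follow the config syntax quoted in the notes.

```shell
#!/bin/sh
# Added example (not from the original mails or the poptop / ppp-mppe packages):
# checks a NetBSD kernel config and ppp-comp.h against the ppp-mppe notes.
# All file contents below are constructed samples, not real system files.

# Succeeds when no active (uncommented) "pseudo-device gre" line is present.
check_no_gre() {
    ! sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*pseudo-device[[:space:]]+gre([[:space:]]|$)'
}

# Succeeds when both "options PPP_FILTER" and "pseudo-device ppp" are active.
check_ppp_lines() {
    stripped=$(sed 's/#.*//' "$1")
    printf '%s\n' "$stripped" |
        grep -Eq '^[[:space:]]*options[[:space:]]+PPP_FILTER([[:space:]]|$)' &&
    printf '%s\n' "$stripped" |
        grep -Eq '^[[:space:]]*pseudo-device[[:space:]]+ppp([[:space:]]|$)'
}

# Prints the numeric value of CCP_MAX_OPTION_LENGTH defined in the header $1.
ccp_max_option_length() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}CCP_MAX_OPTION_LENGTH[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" |
        head -n 1
}

# Succeeds when the header leaves room for the 128-bit keys (at least 35 bytes).
check_ccp_len() {
    n=$(ccp_max_option_length "$1")
    [ -n "$n" ] && [ "$n" -ge 35 ]
}

# Runs the three checks on kernel config $1 and header $2, printing one verdict
# line per check; returns the number of failed checks.
audit() {
    conf=$1; hdr=$2; failed=0
    if check_no_gre "$conf"; then echo "ok   no active gre(4) device in $conf"
    else echo "FAIL active pseudo-device gre in $conf (comment it out)"; failed=$((failed+1)); fi
    if check_ppp_lines "$conf"; then echo "ok   PPP_FILTER and pseudo-device ppp present"
    else echo "FAIL need 'options PPP_FILTER' and 'pseudo-device ppp' in $conf"; failed=$((failed+1)); fi
    if check_ccp_len "$hdr"; then echo "ok   CCP_MAX_OPTION_LENGTH=$(ccp_max_option_length "$hdr") in $hdr"
    else echo "FAIL CCP_MAX_OPTION_LENGTH in $hdr is below 35 (64 recommended)"; failed=$((failed+1)); fi
    return $failed
}

SAMPLE_DIR=$(mktemp -d)

# Constructed config fragment that follows the notes (gre commented out).
cat > "$SAMPLE_DIR/GOOD" <<'EOF'
options PPP_FILTER # Active filter support for PPP (requires bpf)
pseudo-device ppp 2 # Point-to-Point Protocol
#pseudo-device gre 2 # generic L3 over IP tunnel
EOF

# Constructed fragment that still has gre active and lacks PPP_FILTER.
cat > "$SAMPLE_DIR/BAD" <<'EOF'
pseudo-device ppp 2 # Point-to-Point Protocol
pseudo-device gre 2 # generic L3 over IP tunnel
EOF

# Constructed header stubs: the stock value 32 and the raised value 64.
printf '#define CCP_MAX_OPTION_LENGTH 32\n' > "$SAMPLE_DIR/ppp-comp-stock.h"
printf '#define CCP_MAX_OPTION_LENGTH 64\n' > "$SAMPLE_DIR/ppp-comp-raised.h"

audit "$SAMPLE_DIR/GOOD" "$SAMPLE_DIR/ppp-comp-raised.h"
audit "$SAMPLE_DIR/BAD" "$SAMPLE_DIR/ppp-comp-stock.h" ||
    echo "ppp-mppe prerequisites not met: $? check(s) failed"
```

On a real machine the two arguments to `audit` would be the kernel config under /sys/arch/<arch>/conf and /sys/net/ppp-comp.h; the script only reads them, so it is safe to run before rebuilding the kernel.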