Firewall Wizards mailing list archives

PPTP viability (was RE: Gauntlet & NTLM)


From: Philip Cox <pcc () llnl gov>
Date: Tue, 14 Oct 1997 18:45:20 -0700

At 08:50 AM 10/14/97 -0400, Marcus J. Ranum wrote:
Ah! That's an interesting situation. Does anyone actually *implement*
the PPP RFCs for security? I know that there are all kinds of useful
things in the RFC but I don't think, for example, that my W95 PPP
stack supports encryption.

It is my understanding that when you add the PPTP patch to W95, then PPP
encryption (along with other things) becomes "supported".

An aside. I have a situation in which I am seriously considering using PPTP
because it is available today*. This would be in a sensitive and possibly
classified environment. The desire is to have mutual authentication of
client and server, along with traffic encryption. I have an off the shelf
app which is a client-server model, and I don't (can't) modify the app for
say SSL support. I would be interested in any current WORKING
implementations of network layer (host network layer that is, not
encrypting routers) or transport layer (no app mods needed) secure
communications. I have been trying to think of some, but am drawing a
blank, except PPTP.
 
I would like comments on two specific points:

1. Is PPTP a viable option for sensitive or possibly classified level
encryption?

2. If PPTP is not, what are the other options? (I can think of 2,
encrypting routers, or code mods to support SSL)


Phil

* As opposed to L2TP or IPSEC for out of the box support

[A general class of security problems occurs when one layer rests
on another and the lower layer's security properties have not yet
been implemented or contain flaws. I can imagine an un-funny
situation in which PPTP doesn't do encryption and authentication
because that's PPP's problem, and PPP doesn't do encryption
because that's IPSEC's problem, and IPSEC isn't available.]

mjr.

--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr





