A VPN tunnel necessarily has encryption.

Data encryption (MPPE) is only possible if MS-CHAP v1, MS-CHAP v2, or EAP-TLS (an EAP protocol) is used.

There are compulsory and voluntary tunnels.

Columns of the original table: Tunnel Protocol | Important Facts | Microsoft RRAS Available Authentication Schemes (I do not believe these are specific to tunneling) | Available Encryption Schemes

Tunnel Protocol: PPTP

Important facts:
  - OSI Layer 2 protocol using PPP, so PPTP is an extension of PPP.
  - A PPTP packet is a PPP packet with a GRE (Generic Routing Encapsulation) header.
  - By default configured for five ports.
  - No header compression. (2151 Mod. 5 p. 21 says Yes)
  - No header authentication.
  - Single tunnel.
  - CAN work through NAT.
  - Supports NetBEUI, IPX, and IP LAN protocols.
  - Tunnel must be IP based.
  - CAN provide address assignments.

Microsoft RRAS authentication schemes:
  - None
  - PAP (Password Authentication Protocol), clear text
  - SPAP (Shiva)
  - CHAP (non-Microsoft)
  - MS-CHAP
  - MS-CHAP v.2 (for Win2000)
  - EAP-TLS (Extensible Authentication Protocol; required for smart card usage)
  - (No Kerberos)

Encryption schemes:
  - MPPE (Microsoft Point-to-Point Encryption), which is based on RSA's RC4, a symmetric-key method:
      MPPE 40 bit
      MPPE 56 bit
      MPPE 128 bit
  - For MPPE to be used, either MS-CHAP, MS-CHAP v.2, or EAP-TLS must be used.

Tunnel Protocol: IPSec

Important facts:
  - Used between networks; implemented by routers and by RRAS in Win2K.
  - IPSec can use ESP (Encapsulating Security Payload) to encrypt the IP headers.
  - Operates at a layer below the TCP/IP stack.
  - Does not require L2TP.
  - Cannot provide address assignments.
  - Can't pass through NAT. (Sure?)
  - No user-based authentication.
  - Controlled by a Security Policy.
  - Where do Oakley and ISAKMP fit in?

Microsoft RRAS authentication schemes:
  - Kerberos v.5
  - Certificates
  - Pre-shared keys, mutually agreed upon.
  - Supported authentication (integrity hash) modes:
      SHA, 160 bit
      MD5, 128 bit
  - See also my IPSec Policy anatomy document.

Encryption schemes (IPSec modes):
  - Transport Mode: the default IPSec mode.
  - Tunnel Mode: aka IP-over-IP tunnel mode; an encrypted IP packet contained within a plain IP header.

Tunnel Protocol: L2TP

Important facts:
  - A feature combination of IPSec and L2F.
  - Supports header authentication.
  - Supports header compression.
  - Uses PPP for authentication and compression, but IPSec for encryption.
  - Intermediate routers need only support IP.
  - L2TP + IPSec with ESP CANNOT go through a NAT box.
  - Uses IPSec, which uses machine-based certificates.
  - Supports multiple tunnels.
  - Supports NetBEUI, IPX, and IP LAN protocols.
  - Supports more types of internetworks than PPTP, which supports IP only.

Encryption schemes:
  - Uses IPSec encryption:
      40 bit DES (for France)
      56 bit DES, for apps like e-mail
      3DES (three 56-bit keys, 168 bits total)
  - Can use IPSec ESP.

Tunnel Protocol: RADIUS (Remote Authentication Dial-In User Service)

Important facts:
  - Provides the ability for remote authentication using non-Win2000 methods.
  - RADIUS centralizes the management of client authentication and accounting for remote access servers.
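The PPTP row above says a PPTP packet is a PPP packet with a GRE header. The following added example (not from this page or from any Microsoft code) parses that enhanced GRE header as laid out in RFC 2637 and then checks whether the PPP frame inside is an MPPE "compressed datagram", i.e. whether the tunnel actually carries ciphertext or, as the notes warn happens without MS-CHAP/EAP-TLS, cleartext. The packet bytes, call ID and sequence number are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

GRE_PROTO_PPP = 0x880B   # GRE protocol type for PPP: marks PPTP data packets (RFC 2637)
PPP_COMPRESSED = 0x00FD  # PPP protocol number of MPPE/MPPC "compressed datagram" frames

@dataclass
class PptpGre:
    version: int
    call_id: int
    seq: Optional[int]
    ack: Optional[int]
    ppp: bytes

def parse_pptp_gre(data: bytes) -> PptpGre:
    """Split a PPTP data packet into its enhanced GRE header and the PPP frame inside.
    Header: flags/version (2 bytes), protocol type 0x880B (2), payload length (2),
    call ID (2), then a 4-byte sequence number if S is set and a 4-byte ack if A is set."""
    if len(data) < 8:
        raise ValueError("too short for a PPTP GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", data[:8])
    if proto != GRE_PROTO_PPP:
        raise ValueError(f"not PPTP: GRE protocol type 0x{proto:04x}")
    if not flags & 0x2000:   # K bit: key field carries payload length + call ID
        raise ValueError("K bit clear: not an enhanced GRE (PPTP) header")
    off, seq, ack = 8, None, None
    if flags & 0x1000:       # S bit: 4-byte sequence number follows
        seq = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if flags & 0x0080:       # A bit: 4-byte acknowledgment number follows
        ack = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    ppp = data[off:off + payload_len]
    if len(ppp) != payload_len:
        raise ValueError("truncated PPP payload")
    return PptpGre(flags & 0x0007, call_id, seq, ack, ppp)

def is_mppe_protected(ppp: bytes) -> bool:
    """True when the PPP frame is an MPPE/MPPC compressed datagram (0x00FD), i.e. ciphertext;
    any other protocol (e.g. 0x0021, plain IP) means cleartext. Assumes no protocol-field compression."""
    if ppp[:2] == b"\xff\x03":   # skip the optional HDLC address/control bytes
        ppp = ppp[2:]
    return len(ppp) >= 2 and struct.unpack("!H", ppp[:2])[0] == PPP_COMPRESSED

# Constructed sample: K and S bits set, version 1, call ID 0x1234, sequence 7,
# carrying an MPPE-protected PPP frame with a 4-byte dummy body.
SAMPLE_PPP = b"\xff\x03\x00\xfd" + b"\x00\x01\x02\x03"
SAMPLE_PKT = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(SAMPLE_PPP), 0x1234, 7) + SAMPLE_PPP
```

Run over the GRE payloads of a capture, a PPTP tunnel whose frames are never 0x00FD is one carrying unencrypted PPP.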


PPTP Forum members are: Microsoft, Ascend Communications, 3COM, ECI Telematics, and US Robotics (now 3COM).