Background |
A very basic VPN protocol based on PPP. The PPTP
specification does not actually describe encryption or authentication
features and relies on the PPP protocol being tunneled to implement
security functionality. |
An advanced protocol formally standardized in IETF RFC 3193 and now the recommended replacement for PPTP on Microsoft platforms where secure data encryption is required. |
An advanced open source VPN solution backed by 'OpenVPN
technologies' and which is now the de-facto standard in the open source
networking space. Uses the proven SSL/TLS encryption protocol. |
Data Encryption |
The PPP payload is encrypted using Microsoft's Point-to-Point Encryption protocol (MPPE). MPPE implements the RSA RC4 encryption algorithm with a maximum of 128 bit session keys. |
The L2TP payload is encrypted using the standardized IPSec protocol. RFC 4835
specifies either the 3DES or AES encryption algorithm for
confidentiality. IVPN uses the AES algorithm with 256 bit keys. (AES-256
is the first publicly accessible and open cipher approved by the NSA
for top secret information). |
OpenVPN uses the OpenSSL
library to provide encryption. OpenSSL supports a number of different
cryptographic algorithms such as 3DES, AES, RC5, Blowfish. As with
IPSec, IVPN implements the extremely secure AES algorithm with 256 bit
keys. |
Security weaknesses |
The Microsoft implementation of PPTP has serious security vulnerabilities.
MSCHAP-v2 is vulnerable to dictionary attack and the RC4 algorithm is
subject to a bit-flipping attack. Microsoft strongly recommends
upgrading to IPSec where confidentiality is a concern. |
IPSec has no known major vulnerabilities and is generally
considered secure when used with a secure encryption algorithm such as
AES. However Leaked NSA presentations indicate that IKE is being exploited in an unknown manner to decrypt IPSec traffic. It should also be noted
that when IPSec is configured to use pre-shared keys that are made
public (common with public VPN services) it is vulnerable to an active
MITM attack. This is not a vulnerability of the IPSec protocol but in
the way it is implemented. |
OpenVPN has no major vulnerabilities and is considered
extremely secure when used with a secure encryption algorithm such as
AES. |
Speed |
With RC4 and 128 bit keys, the encryption overhead is least of all three protocols making PPTP the fastest. |
L2TP/IPSEC has a slightly higher overhead than its rivals
due to double encapsulation. Comparable to OpenVPN under most
conditions. |
When used in its default UDP mode on a reliable network OpenVPN should perform better than L2TP/IPSec. |
Ports |
PPTP uses TCP port 1723 and GRE (Protocol 47). PPTP can be easily blocked by restricting the GRE protocol. |
L2TP/IPSEC uses UDP 500 for the the initial key exchange,
protocol 50 for the IPSEC encrypted data (ESP), UDP 1701 for the
initial L2TP configuration and UDP 4500 for NAT traversal. L2TP/IPSec is
easier to block than OpenVPN due to its reliance on fixed protocols and
ports. |
OpenVPN can be easily configured to run on any port using
either UDP or TCP. To bypass restrictive firewalls, OpenVPN can be
configured to use TCP on port 443. |
Setup / Configuration |
All versions of Windows and most other operating systems
(including mobile) have native support for PPTP. PPTP only requires a
username, password and server address making it incredibly simple to
setup and configure. |
All versions of Windows since 2000/XP and Mac OSX 10.3+ and most mobile operating systems have native support for L2TP/IPSec. |
OpenVPN is not included in any operating system release
and requires the installation of client software. The software
installers are very user friendly and installation typically takes less
than 5 minutes. |
Stability / Compatibility |
PPTP is not as realiable, nor does it recover as quickly
as OpenVPN over unstable network connections. Minor compatibility issues
with the GRE protocol and some routers. |
L2TP/IPSec is more complex than OpenVPN and can be more
difficult to configure to work reliably between devices behind NAT
routers. However as long as both the server and client support NAT
traversal, there should be few issues. In practice L2TP/IPSec has shown
itself it be as reliable and stable as OpenVPN for IVPN customers. |
Very stable and fast over wireless, cellular and other
non reliable networks where packet loss and congestion is common.
OpenVPN has a TCP mode for highly unreliable connections but this mode
sacrifices some speed due to the ineffeciency of encapsulating TCP
within TCP. |
Client compatibility |
- Windows
- Mac OSX
- Linux
- Apple iOS
- Android
- DD-WRT
|
- Windows
- Mac OSX
- Linux
- iOS
- Android
|
- Windows
- Mac OSX
- Linux
- Android
- IOS
- DD-WRT (with the correct build)
|
Conclusion |
Due to the major security flaws, there is no good reason
to choose PPTP other than device compatibility. If you have a device on
which neither L2TP/IPsec or OpenVPN is supported then it may be a
reasonable choice. If quick setup and easy configuration are a concern
then L2TP/IPsec should be considered. |
L2TP/IPSec is an excellent choice but due to recent leaks
its security may be compromised (See security section above). If you
are using a mobile device running iOS (iPhone) or Android then it is the
fastest to setup and configure as it is supported natively. However
L2TP/IPSec should not be used with pre-shared keys where security is
important. |
OpenVPN is the best choice for all platforms. It is
extremely fast, secure and reliable. Additionally, the IVPN multihop
network is only available when connecting via OpenVPN. The only minor
downside is the requirement to install the software client but on most
platforms this only takes a few minutes. |
Rating |
|
|
|
0 comentários:
Postar um comentário