sexta-feira, 18 de dezembro de 2015

PPTP vs L2TP/IPSec vs OpenVPN

 PPTPL2TP/IPSecOpenVPN
Background A very basic VPN protocol based on PPP. The PPTP specification does not actually describe encryption or authentication features and relies on the PPP protocol being tunneled to implement security functionality. An advanced protocol formally standardized in IETF RFC 3193 and now the recommended replacement for PPTP on Microsoft platforms where secure data encryption is required. An advanced open source VPN solution backed by 'OpenVPN technologies' and which is now the de-facto standard in the open source networking space. Uses the proven SSL/TLS encryption protocol.
Data Encryption The PPP payload is encrypted using Microsoft's Point-to-Point Encryption protocol (MPPE). MPPE implements the RSA RC4 encryption algorithm with a maximum of 128 bit session keys. The L2TP payload is encrypted using the standardized IPSec protocol. RFC 4835 specifies either the 3DES or AES encryption algorithm for confidentiality. IVPN uses the AES algorithm with 256 bit keys. (AES-256 is the first publicly accessible and open cipher approved by the NSA for top secret information). OpenVPN uses the OpenSSL library to provide encryption. OpenSSL supports a number of different cryptographic algorithms such as 3DES, AES, RC5, Blowfish. As with IPSec, IVPN implements the extremely secure AES algorithm with 256 bit keys.
Security weaknesses The Microsoft implementation of PPTP has serious security vulnerabilities. MSCHAP-v2 is vulnerable to dictionary attack and the RC4 algorithm is subject to a bit-flipping attack. Microsoft strongly recommends upgrading to IPSec where confidentiality is a concern. IPSec has no known major vulnerabilities and is generally considered secure when used with a secure encryption algorithm such as AES. However Leaked NSA presentations indicate that IKE is being exploited in an unknown manner to decrypt IPSec traffic. It should also be noted that when IPSec is configured to use pre-shared keys that are made public (common with public VPN services) it is vulnerable to an active MITM attack. This is not a vulnerability of the IPSec protocol but in the way it is implemented. OpenVPN has no major vulnerabilities and is considered extremely secure when used with a secure encryption algorithm such as AES.
Speed With RC4 and 128 bit keys, the encryption overhead is least of all three protocols making PPTP the fastest. L2TP/IPSEC has a slightly higher overhead than its rivals due to double encapsulation. Comparable to OpenVPN under most conditions. When used in its default UDP mode on a reliable network OpenVPN should perform better than L2TP/IPSec.
Ports PPTP uses TCP port 1723 and GRE (Protocol 47). PPTP can be easily blocked by restricting the GRE protocol. L2TP/IPSEC uses UDP 500 for the the initial key exchange, protocol 50 for the IPSEC encrypted data (ESP), UDP 1701 for the initial L2TP configuration and UDP 4500 for NAT traversal. L2TP/IPSec is easier to block than OpenVPN due to its reliance on fixed protocols and ports. OpenVPN can be easily configured to run on any port using either UDP or TCP. To bypass restrictive firewalls, OpenVPN can be configured to use TCP on port 443.
Setup / Configuration All versions of Windows and most other operating systems (including mobile) have native support for PPTP. PPTP only requires a username, password and server address making it incredibly simple to setup and configure. All versions of Windows since 2000/XP and Mac OSX 10.3+ and most mobile operating systems have native support for L2TP/IPSec. OpenVPN is not included in any operating system release and requires the installation of client software. The software installers are very user friendly and installation typically takes less than 5 minutes.
Stability / Compatibility PPTP is not as realiable, nor does it recover as quickly as OpenVPN over unstable network connections. Minor compatibility issues with the GRE protocol and some routers. L2TP/IPSec is more complex than OpenVPN and can be more difficult to configure to work reliably between devices behind NAT routers. However as long as both the server and client support NAT traversal, there should be few issues. In practice L2TP/IPSec has shown itself it be as reliable and stable as OpenVPN for IVPN customers. Very stable and fast over wireless, cellular and other non reliable networks where packet loss and congestion is common. OpenVPN has a TCP mode for highly unreliable connections but this mode sacrifices some speed due to the ineffeciency of encapsulating TCP within TCP.
Client compatibility
  • Windows
  • Mac OSX
  • Linux
  • Apple iOS
  • Android
  • DD-WRT
  • Windows
  • Mac OSX
  • Linux
  • iOS
  • Android
  • Windows
  • Mac OSX
  • Linux
  • Android
  • IOS
  • DD-WRT (with the correct build)
Conclusion Due to the major security flaws, there is no good reason to choose PPTP other than device compatibility. If you have a device on which neither L2TP/IPsec or OpenVPN is supported then it may be a reasonable choice. If quick setup and easy configuration are a concern then L2TP/IPsec should be considered. L2TP/IPSec is an excellent choice but due to recent leaks its security may be compromised (See security section above). If you are using a mobile device running iOS (iPhone) or Android then it is the fastest to setup and configure as it is supported natively. However L2TP/IPSec should not be used with pre-shared keys where security is important. OpenVPN is the best choice for all platforms. It is extremely fast, secure and reliable. Additionally, the IVPN multihop network is only available when connecting via OpenVPN. The only minor downside is the requirement to install the software client but on most platforms this only takes a few minutes.
Rating 1 out of 5 stars 4 out of 5 stars 5 out of 5 stars

0 comentários: