Point-To-Point Tunneling Protocol (PPTP) is a protocol that allows the secure exchange of data from a client to a server by forming a Virtual Private Network (VPN) via a TCP/IP based network. The strong point of PPTP is its ability to provide on demand, multi-protocol support over existing network infrastructure, such as the Internet. This ability would allow a company to use the Internet to establish a virtual private network without the expense of a leased line.
The technology that makes PPTP possible is an extension of the remote access Point-To-Point Protocol (PPP- which is defined and documented by the Internet Engineering Task Force in RFC 1171). PPTP technology encapsulates PPP packets into IP datagrams for transmission over TCP/IP based networks. PPTP is currently a protocol draft awaiting standardization. The companies involved in the PPTP forum are Microsoft, Ascend Communications, 3Com/Primary Access, ECI Telematics, and US Robotics.
PPTP and Virtual Private Networking
A major feature in the use of PPTP is its support for virtual private networking. The best part of this feature is that it supports VPN's over public-switched telephone networks (PSTNs). By using PPTP a company can greatly reduce the cost of deploying a wide area, remote access solution for mobile users because it provides secure and encrypted communications over existing network structures like PSTNs or the Internet.
Standard PPTP Deployment
* a PPTP client
* a Network Access Server
* a PPTP Server
note: the network access server is optional, and if NOT needed for PPTP deployment. In normal deployment however, they are present.
In a typical deployment of PPTP, it begins with a remote or mobile PC that will be the PPTP client. This PPTP client needs access to a private network by using a local Internet Service Provider (ISP). Clients who are running the WindowsNT Server or Workstation operating systems will use Dial-up networking and the Point-To-Point protocol to connect to their ISP. The client will then connect to a network access server which will be located at the ISP (Network Access Servers are also known as Front-End Processors (FEPs) or Point-Of-Presence servers (POPs)). Once connected, the client has the ability to exchange data over the Internet. The Network Access Server uses the TCP/IP protocol for the handling of all traffic.
After the client has made the initial PPP connection to the ISP, a second Dial-Up networking call is made over the existing PPP connection. Data sent using the second connection is in the form of IP datagrams that contain PPP packets, referred to as encapsulated PPP. It is this second call that creates the virtual private network connection to a PPTP server on the private company network. This is called a tunnel.
Tunneling is the process of exchanging data to a computer on a private network by routing them over some other network. The other network routers cannot access the computer that is on the private network. However, tunneling enables the routing network to transmit the packet to an intermediary computer, such as a PPTP server. This PPTP server is connected to both the company private network and the routing network, which is in this case, the Internet. Both the PPTP client and the PPTP server use tunneling to securely transmit packets to a computer on the private network.
When the PPTP server receives a packet from the routing network (Internet), it sends it across the private network to the destination computer. The PPTP server does this by processing the PPTP packet to obtain the private network computer name or address information which is encapsulated in the PPP packet.
quick note: The encapsulated PPP packet can contain multi-protocol data such as TCP/IP, IPX/SPX, or NetBEUI. Because the PPTP server is configured to communicate across the private network by using private network protocols, it is able to understand Multi-Protocols.
PPTP encapsulates the encrypted and compressed PPP packets into IP datagrams for transmission over the Internet. These IP datagrams are routed over the Internet where they reach the PPTP server. The PPTP server disassembles the IP datagram into a PPP packet and then decrypts the packet using the network protocol of the private network. As mentioned earlier, the network protocols that are supported by PPTP are TCP/IP, IPX/SPX and NetBEUI.
PPTP Clients
* By using an ISP's network access server that supports inbound PPP connections.
* By using a physical TCP/IP-enabled LAN connection to connect to a PPTP server.
PPTP clients attempting to use an ISP's network access server must be properly configured with a modem and a VPN device to make the seperate connections to the ISP and the PPTP server. The first connection is dial-up connection utilizing the PPP protocol over the modem to an Internet Service Provider. The second connection is a VPN connection using PPTP, over the modem and through the ISP. The second connection requires the first connection because the tunnel between the VPN devices is established by using the modem and PPP connections to the internet.
The exception to this two connection process is using PPTP to create a virtual private network between computers physically connected to a LAN. In this scenario the client is already connected to a network and only uses Dial-Up networking with a VPN device to create the connection to a PPTP server on the LAN.
PPTP packets from a remote PPTP client and a local LAN PPTP client are processed differently. A PPTP packet from a remote client is placed on the telecommunication device physical media, while the PPTP packet from a LAN PPTP client is placed on the network adapter physical media.
PPTP Architecture
* PPP Protocol
* PPTP Control Connection
* PPTP Data Tunneling
Architecture Overview:
The secure communication that is established using PPTP typically involves three processes, each of which requires successful completion of the previous process. This will now explain these processes and how they work:
PPP Connection and Communication: A PPTP client utilizes PPP to connect to an ISP by using a standard telephone line or ISDN line. This connection uses the PPP protocol to establish the connection and encrypt data packets.
PPTP Control Connection: Using the connection to the Internet established by the PPP protocol, the PPTP protocol creates a control connection from the PPTP client to a PPTP server on the Internet. This connection uses TCP to establish communication and is called a PPTP Tunnel.
PPTP Data Tunneling: The PPTP protocol creates IP datagrams containing encrypted PPP packets which are then sent through the PPTP tunnel to the PPTP server. The PPTP server disassembles the IP datagrams and decrypts the PPP packets, and the routes the decrypted packet to the private network.
PPP Protocol:
Most PPTP sessions are started by a client dialing up an ISP network access server. The PPP protocol is used to create the dial-up connection between the client and network access server and performs the folloing functions:
* Establishes and ends the physical connection. The PPP protocol uses a sequence defined in RFC 1661 to establish and maintain connections between remote computers.
* Authenticates Users. PPTP clients are authenticated by using PPP. Clear text, encrypted or MS CHAP can be used by the PPP protocol.
* Creates PPP datagrams that contain encrypted IPX, NetBEUI, or TCP/IP packets.
PPTP Control Connection:
The PPTP protocol specifies a series of messages that are used for session control. These messages are sent between a PPTP client and a PPTP server. The control messages establish, maintain and end the PPTP tunnel. The following list present the primary control messages used to establish and maintain the PPTP session.
| Message Type | Purpose |
| | |
| PPTP_START_SESSION_REQUEST | Starts Session |
| PPTP_START_SESSION_REPLY | Replies to Start Session Request |
| PPTP_ECHO_REQUEST | Maintains Session |
| PPTP_ECHO_REPLY | Replies to Maintain Session Request |
| PPTP_WAN_ERROR_NOTIFY | Reports an error in the PPP connection |
| PPTP_SET_LINK_INFO | Configures PPTP Client/Server Connection |
| PPTP_STOP_SESSION_REQUEST | Ends Session |
| PPTP_STOP_SESSION_REPLY | Replies to End Session Request |
The control messages are sent inside of control packets in a TCP datagram. One TCP connection is enabled between the PPTP client and Server. This path is used to send and receive control messages. The datagram contains a PPP header, a TCP Header, a PPTP Control message and appropriate trailers. The construction is as follows
| PPP Delivery Header |
| IP Header |
| PPTP Control Message |
| Trailers |
PPTP Data Transmission
After the PPTP Tunnel has been created, user data is transmitted between the client and PPTP server. Data is sent in IP Datagrams containing PPP packets. The IP datagram is created using a modified version of the Generic Routing Encapsulation (GRE) protocol (GRE is defined in RFC 1701 and 1702). The structure of the IP Datagram is as follows:
| PPP Delivery Header |
| IP Header |
| GRE Header |
| PPP Header |
| IP Header |
| TCP Header |
| Data |
By paying attention to the construction of the packet, you can see how it would be able to be transmitted over the Internet as headers are stripped off. The PPP Delivery header provides information necessary for the datagram to traverse the Internet. The GRE header is used to encapsulate the PPP packet within the IP Datagram. The PPP packet is created by RAS. The PPP Packet is encrypted and if intercepted, would be unintelligible.
Understanding PPTP Security
PPTP uses the strict authentication and encryption security available to computers running RAS under WindowsNT Server version 4.0. PPTP can also protect the PPTP server and private network by ignoring all but PPTP traffic. Despite this security, it is easy to configure a firewall to allow PPTP to access the network.
Authentication: Initial dial-in authentication may be required by an ISP network access server. If this Authentication is required, it is strictly to log on to the ISP, it is not related to Windows NT based Authentication. A PPTP server is a gateway to your network, and as such it requires standard WindowsNT based logon. All PPTP clients must provide a user name and password. Therefore, remote access logon using a PC running under NT server or Workstation is as secure as logging on from a PC connected to a LAN (theoretically). Authentication of remote PPTP clients is done by using the same PPP authentication methods used for any RAS client dialing directly into an NT Server. Because of this, it fully supports MS-CHAP (Microsoft Challenge Handshake Authentication Protocol which uses the MD4 hash as well as earlier LAN Manager methods.)
Access Control: After Authentication, all access to the private LAN continues to use existing NT based security structures. Access to resources on NTFS drives or to other network resources require the proper permissions, just as if you were connected directly to the LAN.
Data Encryption: For data encryption, PPTP uses the RAS "shared-secret" encryption process. It is referred to as a shared-secret because both ends of the connection share the encryption key. Under Microsoft's implementation of RAS, the shared secret is the user password (Other methods include public key encryption). PPTP uses the PPP encryption and PPP compression schemes. The CCP (Compression Control Protocol) is used to negotiate the encryption used. The username and password is available to the server and supplied by the client. An encryption key is generated using a hash of the password stored on both the client and server. The RSA RC4 standard is used to create this 40-bit (128-bit inside the US and Canada
PPTP Packet Filtering: Network security from intruders can be enhanced by enabling PPTP filtering on the PPTP server. When PPTP filtering is enabled, the PPTP server on the private network accepts and routes only PPTP packets. This prevents ALL other packet types from entering the network. PPTP traffic uses port 1723.
PPTP and the Registry
This following is a list of Windows NT Registry Keys where user defined PPTP information can be found:
KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASPPTPE\
Parameters\Configuration
Values: AuthenticateIncomingCalls
DataType = REG_WORD
Range = 0 - 1
Default = 0
Set this value to 1 to force PPTP to accept calls only from IP addresses listed in the PeerClientIPAddresses registry value. If AuthenticateIncomingCalls is set to 1 and there are no addresses in PeerClientIPAddresses, the no clients will be able to connect.
PeerClientIPAddresses
DataType = REG_MULTI_SZ
Range = The format is a valid IP address
This parameter is a list of IP addresses the server will accept connections from.
KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<adapter name>\
Parameters\Tcpip
Values: DontAddDefaultGateway
DataType = REG_WORD
Range = 0 - 1
Default = 1
When PPTP is installed, a default route is made for each LAN adapter. This parameter will disable the default route on the corporate LAN adapter.
PPTPFiltering
Key: <adaptername.\Paramters\tcpip
ValueType: REG_WORD
Valid Range: 0 - 1
Default = 0
This parameter controls whether PPTP filtering is enabled or not.
PPTPTcpMaxDataRetransmissions
Key: Tcpip\Parameters
ValueType: REG_WORD - Number of times to retransmit a PPTP packet.
Valid Range: 0 - 0xFFFFFFFF
Default: 9
This setting control how many times PPTP will retransmit a packet.
Special Security Update
SPECIAL REVISION: As a last minute revision to the lecture. A flaw has been discovered in the PPTP architecture. It turns out that if you send a that if you send a pptp start session request with an invalid packet length in the pptp packet header that it will crash an NT box and cause the NT server to do a CoreDump. Fragments of code for a DoS attack package are flying, and the rhino9 team should have a completed DoS Attack program released soon. This program is released, of course, for network administrators wanting to know how the bug works.
