Some Background.  PPTP - Point-to-Point Tunneling Protocol is a tunneling protocol that operates at layer 2 of the OSI model.  It is likely the most prevalent tunneling protocol presently in use.

Personally, I think it would be much better if they called it PPEP for Point-to-Point Encapsulation Protocol.  Common usage says that tunneling is achieved by encapsulation and encryption/decryption.  It is my sincere opinion that the word tunneling is inappropriate in a number of ways.

  • it helps lead users and even somewhat less informed people to believe they are actually using a tunnel which has a number of properties
    • can't really be seen at all in the traffic around it
    • builds some sort of end-to-end tunnel where packets move/exchange directly

Unfortunately, I have seen many "informed" decision makers talk about tunneling using the bullets above!

Encapsulating a packet in another packet can serve a number of purposes

  • encrypting either/both the encapsulated packet and the encapsulating packet to enhance security of the original contents
  • traverse across networks operating on different protocols
    • to switch from Ethernet to ATM a packet is usually encapsulated in aa ATM compatible packet for the duration of its journey across the ATM portion of its journey
      • ATM protocols can neither read nor understand TCP/IP packets and something must be done to make them capable of traversing ATM segments

Microsoft's Impact.  Microsoft led a consortium of companies to extend PPP - Point-to-Point Protocol to enable VPNs.  This consortium is what developed PPTP to enable much greater security when connecting via networks.  PPTP can also be used to enable VPNs across the PSTN - Public Switched Telephone Network.

For most PPTP implementations there are three computers involved.

  • a PPTP client
  • the NAS - Network Access Server (often at an ISP)
  • a PPTP server

This is illustrated in the following diagram.



The PPTP/VPN is established in stages.
  1. the client establishes a PPP connection to the NAS, usually at an ISP
  2. once this is established, a second connection is made over the PPP connection to a PPTP server
  3. once this second connection is established it can work via encryption to give the user an illusion of a tunnel

To establish these connections, TCP uses port 1723.  So in order for PPTP connections to be established, port 1723 must remain open across the firewalls involved.

PPTP allows the use of any PPP authentication approach.  CHAP is used when encryption is specified.  Microsoft chose the RSA/RCA cipher for encryption.  Either a 40 bit or 128 bit session key can be used.  The length of the key is determined by the operating system.  Other sources say that MPPE - Microsoft Point-to-Point Encryption is used to encrypt data.  As is almost always the case, authorities differ.

  • PPTP encrypts the data being transmitted
  • PPTP does not encrypt the data exchanged during the initial negotiation
  • PPTP will only work over IP networks
  • PPTP cannot make use of the added benefits of IPSec

More will be added.