To: pptp-server@lists.schulte.org
Subject: NetBSD packages for poptop and mppe for testing
From: Darrin B. Jewell
Cc: Darrin B. Jewell

I have created two NetBSD `packages' for the poptop pptp server and Microsoft encryption extensions to ppp. The NetBSD package system allows for simple installation and management of third party software on the NetBSD operating system.

I am making them available at:

I am subscribed to current-users@netbsd.org and pptp-server@lists.schulte.org. It is probably more useful to hold discussion in one of those forums than it is to send me personal mail, unless you have something that needs to be incorporated into the package.

Please read the notes below. In particular, note that the MPPE module is not ready for production use.

Enjoy,
Darrin

Darrin B. Jewell
1999-09-30T04:30:19-0400

poptop notes:

. The poptop package uses the distribution of poptop pretty much out of the box. The only significant modification was to accept a configure option to allow the use of an alternate pppd than the one shipped with NetBSD.

. Setting POPTOP_USE_MPPE=yes in /etc/mk.conf will cause poptop to use the ppp-mppe package to support Microsoft point to point encryption.

. Your kernel should not be compiled with any gre(4) devices. Comment out lines like this from your kernel config file:

    #pseudo-device gre 2 # generic L3 over IP tunnel

  It might be useful at some point to have pptpd be able to use the built in NetBSD gre(4) driver, but at the moment it will just keep them from getting to the pptpd.

ppp-mppe notes:

. This is not yet ready for production use, but does work well enough that I could bring up an encrypted connection from an NT client to a NetBSD server. Still, it is easy to crash. Feel free to fix.

. Provides a replacement pppd and a loadable kernel module (lkm) which provides the mppe encryption. Alternately, it could be compiled into the kernel if you know what you are doing and don't want to use a lkm.

. It is based on the Linux mppe ppp patches available from the poptop web site.

. It uses ppp-2.3.9 and openssl-0.9.2b.

. STAC LZS compression is not included.

. I test it on a netbsd-1.4.1 server with an NT client, but it should work on -current as well. I don't really use it myself, which is one reason that I'm making it available even though it isn't really ready.

. In order to use 128 bit encryption, you probably need to increase the value of CCP_MAX_OPTION_LENGTH from 32 (64 is a good value, but 35 should be minimal) in /sys/net/ppp-comp.h and rebuild your kernel. Otherwise, there isn't enough room to transfer the keys from the pppd to the kernel module.

. Your kernel config file should have at least these:

    options PPP_FILTER # Active filter support for PPP (requires bpf)
    pseudo-device ppp 2 # Point-to-Point Protocol

. The lkm pretty much misuses the ppp compression/decompression hooks to perform its encryption. This creates a few bugs, some of which are security related. Know that MPPE is not particularly secure. (<==notice!)

. Doesn't deal correctly with the ppp mtu because MPPE expands the packet size.

. Is easy to crash. It doesn't successfully recover from lost packets or decryption failure. I can immediately cause it to hang by doing a `ping -s 50000 -c 1 remote-ip'. Fixes are appreciated; I cannot guarantee that I will address problems myself.

. Lacks documentation. UTSL.

. The patches provided in the package are roughly divided into these groups:

    patch-a* -- sync ppp-2.3.9 to netbsd-current
    patch-b* -- add mppe to ppp-2.3.9
    patch-c* -- creates a lkm for mppe that works with the ppp already in the kernel.
    patch-d* -- misc tweaks to deal with various netbsd kernel versions, compiling as a package, and a non-functional ppp lkm. (See source for details.)

. Requires the kernel source to be present to compile. This is due to the issues discussed in NetBSD PR 5377.

. Makes a gross assumption about an internal structure in the pcap library to do ppp filtering. This allows the package to build without the complete NetBSD source code tree online.

References:

NetBSD:
The NetBSD package system:
The PoPToP pptp server:
Microsoft VPN software:
Point to Point Networking standards:
Unix PPP implementation:
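The notes above ask for three things to be checked by hand before building the kernel: no active gre(4) pseudo-device, the PPP_FILTER option and a ppp pseudo-device present, and CCP_MAX_OPTION_LENGTH raised to at least 35 in /sys/net/ppp-comp.h. The script below is an added pre-flight check for those conditions; it is not part of the original mail or of the poptop or ppp-mppe packages. The kernel config and ppp-comp.h snippets it reads are constructed samples written to a temporary directory, so it runs without a NetBSD source tree; on a real system you would point the functions at your kernel config file and at /sys/net/ppp-comp.h instead.

```shell
#!/bin/sh
# Pre-flight check for the poptop / ppp-mppe notes: gre(4) disabled,
# PPP_FILTER and ppp pseudo-device present, CCP_MAX_OPTION_LENGTH >= 35.
# Added example, not the package's own code. Sample inputs are constructed.

# check_kernel_config FILE
#   Returns 0 when FILE has no active (uncommented) gre pseudo-device and
#   contains both "options PPP_FILTER" and a "pseudo-device ppp" line.
check_kernel_config() {
    cfg="$1"
    rc=0
    # An active gre(4) device takes the GRE packets before pptpd sees them.
    if grep -E '^[[:space:]]*pseudo-device[[:space:]]+gre' "$cfg" >/dev/null; then
        echo "WARN: $cfg enables a gre(4) pseudo-device; comment it out for pptpd"
        rc=1
    fi
    if ! grep -E '^[[:space:]]*options[[:space:]]+PPP_FILTER' "$cfg" >/dev/null; then
        echo "WARN: $cfg lacks 'options PPP_FILTER'"
        rc=1
    fi
    if ! grep -E '^[[:space:]]*pseudo-device[[:space:]]+ppp' "$cfg" >/dev/null; then
        echo "WARN: $cfg lacks 'pseudo-device ppp'"
        rc=1
    fi
    return $rc
}

# ccp_max_option_length FILE
#   Prints the numeric value of CCP_MAX_OPTION_LENGTH defined in FILE.
ccp_max_option_length() {
    sed -n 's/^#define[[:space:]]*CCP_MAX_OPTION_LENGTH[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# check_ccp_option_length FILE
#   Returns 0 when the value is at least 35 (the minimum the notes give for
#   transferring 128-bit MPPE keys to the kernel module), 1 otherwise.
check_ccp_option_length() {
    v=$(ccp_max_option_length "$1")
    if [ -z "$v" ] || [ "$v" -lt 35 ]; then
        echo "WARN: CCP_MAX_OPTION_LENGTH is '${v:-unset}' in $1; need >= 35 (64 suggested)"
        return 1
    fi
    return 0
}

# Constructed sample inputs (not real NetBSD files), written to a temp dir.
TMPD="${TMPDIR:-/tmp}/mppe-preflight.$$"
mkdir -p "$TMPD"
cat > "$TMPD/KERNEL.bad" <<'EOF'
options PPP_FILTER # Active filter support for PPP (requires bpf)
pseudo-device ppp 2 # Point-to-Point Protocol
pseudo-device gre 2 # generic L3 over IP tunnel
EOF
cat > "$TMPD/KERNEL.good" <<'EOF'
options PPP_FILTER # Active filter support for PPP (requires bpf)
pseudo-device ppp 2 # Point-to-Point Protocol
#pseudo-device gre 2 # generic L3 over IP tunnel
EOF
cat > "$TMPD/ppp-comp.h.stock" <<'EOF'
#define CCP_MAX_OPTION_LENGTH 32
EOF
cat > "$TMPD/ppp-comp.h.fixed" <<'EOF'
#define CCP_MAX_OPTION_LENGTH 64
EOF

# Demo run over the constructed samples; real use: pass your own paths.
for f in "$TMPD/KERNEL.bad" "$TMPD/KERNEL.good"; do
    if check_kernel_config "$f"; then echo "OK: $f"; fi
done
for h in "$TMPD/ppp-comp.h.stock" "$TMPD/ppp-comp.h.fixed"; do
    if check_ccp_option_length "$h"; then echo "OK: $h"; fi
done
```

The gre check deliberately matches only uncommented `pseudo-device gre` lines, so the commented-out form the notes recommend passes; the header check parses the `#define` rather than trusting a string match, so a value of 32 or a missing definition both fail.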