Subject: NetBSD packages for poptop and mppe for testing
To: None <current-users@netbsd.org>
From: Darrin B. Jewell <jewell@mit.edu>
List: current-users
Date: 09/30/1999 04:35:58
I have created two netbsd `packages' for the poptop pptp server and
microsoft encryption extensions to ppp. The NetBSD package system
allows for simple installation and management of third party software
on the NetBSD operating system.
I am making them available at:
<URL: ftp://sipb.mit.edu/pub/jewell/poptop.netbsd.pkgsrc.19990930.tgz >
<URL: ftp://sipb.mit.edu/pub/jewell/ppp-mppe.netbsd.pkgsrc.19990930.tgz >
I am subscribed to current-users@netbsd.org and pptp-server@lists.schulte.org.
It is probably more useful to hold discussion in one of those forums than
it is to send me personal mail, unless you have something that needs to be
incorporated into the package.
Please read the notes below. In particular, note that the MPPE module
is not ready for production use.
Enjoy,
Darrin
Darrin B. Jewell <jewell@mit.edu> 1999-09-30T04:30:19-0400
poptop notes:
. The poptop package uses the distribution of poptop pretty much out
of the box. The only significant modification was to accept a
configure option to allow the use of an alternate pppd than the one
shipped with NetBSD.
. Setting POPTOP_USE_MPPE=yes in /etc/mk.conf will cause poptop to use
the ppp-mppe package to support microsoft point to point encryption.
. Your kernel should not be compiled with any gre(4) devices. Comment
out lines like this from your kernel config file:
#pseudo-device gre 2 # generic L3 over IP tunnel
It might be useful at some point to have pptpd be able to use the built-in
netbsd gre(4) driver, but at the moment it will just keep them from
getting to the pptpd.
ppp-mppe notes:
. This is not yet ready for production use, but does work well enough that
I could bring up an encrypted connection from an NT client to a NetBSD server.
Still, it is easy to crash. Feel free to fix.
. Provides a replacement pppd and a loadable kernel module (lkm)
which provides the mppe encryption. Alternately, it could be compiled
into the kernel if you know what you are doing and don't want to use an lkm.
. It is based on the linux mppe ppp patches available from the poptop web site.
. It uses ppp-2.3.9 and openssl-0.9.2b
. STAC LZS compression is not included.
. I test it on a netbsd-1.4.1 server with an NT client, but it should work
on -current as well. I don't really use it myself, which is one
reason that I'm making it available even though it isn't really ready.
. In order to use 128 bit encryption, you probably need to increase the
value of CCP_MAX_OPTION_LENGTH from 32 (64 is a good value, but 35
should be minimal) in /sys/net/ppp-comp.h and rebuild
your kernel. Otherwise, there isn't enough room to transfer the keys
from the pppd to the kernel module.
. Your kernel config file should have at least these:
options PPP_FILTER # Active filter support for PPP (requires bpf)
pseudo-device ppp 2 # Point-to-Point Protocol
. The lkm pretty much misuses the ppp compression/decompression hooks
to perform its encryption. This creates a few bugs, some of which are
security related. Know that MPPE is not particularly secure. (<==notice!)
. Doesn't deal correctly with the ppp mtu because MPPE expands the packet size.
. Is easy to crash. It doesn't successfully recover from lost packets
or decryption failure. I can immediately cause it to hang
by doing a `ping -s 50000 -c 1 remote-ip'. Fixes are appreciated;
I cannot guarantee that I will address problems myself.
. Lacks documentation. UTSL.
. The patches provided in the package are roughly divided into these groups:
patch-a* -- sync ppp-2.3.9 to netbsd-current
patch-b* -- add mppe to ppp-2.3.9
patch-c* -- creates a lkm for mppe that works with the ppp already in
the kernel.
patch-d* -- misc tweaks to deal with various netbsd kernel versions,
compiling as a package, and a non-functional ppp lkm.
(See source for details.)
. Requires the kernel source to be present to compile. This is due to
the issues discussed in netbsd PR 5377.
. Makes a gross assumption about an internal structure in the pcap library
to do ppp filtering. This allows the package to build without the
complete netbsd source code tree online.
References:
NetBSD:
<URL: http://www.netbsd.org >
The NetBSD package system:
<URL: http://www.netbsd.org/Documentation/software/packages.html >
The PoPToP pptp server:
<URL: http://www.moretonbay.com/vpn/pptp.html >
Microsoft VPN software:
<URL: http://www.microsoft.com/technet/network/vpntwk/vpntwk.htm >
Point to Point Networking standards:
<URL: http://www.ietf.org/html.charters/pppext-charter.html >
Unix PPP implementation:
<URL: ftp://cs.anu.edu.au/pub/software/ppp/ >
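An added example, not part of the original post or of either package: a small
POSIX shell script that checks a kernel config file and /sys/net/ppp-comp.h
against the prerequisites the notes above list (no active gre(4) pseudo-device,
options PPP_FILTER, pseudo-device ppp, and CCP_MAX_OPTION_LENGTH of at least
35, preferably 64). The sample config and header files it writes are
constructed for the demonstration; point the functions at your own kernel
config file and ppp-comp.h instead.

```shell
#!/bin/sh
# Added example (not from the original post or the poptop/ppp-mppe packages):
# check a kernel config file and ppp-comp.h against the prerequisites in the
# notes above. The sample files written below are constructed for demonstration.

# check_kernel_config CONFIG
# Prints one line per requirement; returns the number of failed checks (0 = all ok).
check_kernel_config() {
    conf="$1"
    fails=0
    # A leading '#' comments a line out, so only uncommented gre entries match.
    if grep -Eq '^[[:space:]]*pseudo-device[[:space:]]+gre' "$conf"; then
        echo "FAIL: active gre(4) pseudo-device; comment it out so GRE reaches pptpd"
        fails=$((fails + 1))
    else
        echo "ok:   no active gre(4) pseudo-device"
    fi
    if grep -Eq '^[[:space:]]*options[[:space:]]+PPP_FILTER' "$conf"; then
        echo "ok:   options PPP_FILTER present"
    else
        echo "FAIL: options PPP_FILTER missing"
        fails=$((fails + 1))
    fi
    if grep -Eq '^[[:space:]]*pseudo-device[[:space:]]+ppp([[:space:]]|$)' "$conf"; then
        echo "ok:   pseudo-device ppp present"
    else
        echo "FAIL: pseudo-device ppp missing"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# ccp_max_option_length HEADER
# Prints the value of CCP_MAX_OPTION_LENGTH defined in HEADER (nothing if absent).
ccp_max_option_length() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]][[:space:]]*CCP_MAX_OPTION_LENGTH[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# check_ccp_option_length HEADER
# 128-bit MPPE keys need at least 35; the notes recommend 64. Returns 1 on failure.
check_ccp_option_length() {
    len=$(ccp_max_option_length "$1")
    if [ -z "$len" ]; then
        echo "FAIL: CCP_MAX_OPTION_LENGTH not defined in $1"
        return 1
    elif [ "$len" -lt 35 ]; then
        echo "FAIL: CCP_MAX_OPTION_LENGTH is $len; 128-bit MPPE needs at least 35 (64 recommended)"
        return 1
    elif [ "$len" -lt 64 ]; then
        echo "warn: CCP_MAX_OPTION_LENGTH is $len; enough for MPPE, but 64 is recommended"
    else
        echo "ok:   CCP_MAX_OPTION_LENGTH is $len"
    fi
    return 0
}

# verify_pptp_prereqs CONFIG HEADER -- returns 0 only if every check passes.
verify_pptp_prereqs() {
    rc=0
    check_kernel_config "$1" || rc=1
    check_ccp_option_length "$2" || rc=1
    return "$rc"
}

# Constructed sample inputs (not real NetBSD files).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/STOCK" <<'EOF'
pseudo-device   gre     2       # generic L3 over IP tunnel
pseudo-device   bpfilter 8      # Berkeley packet filter
EOF
cat > "$SAMPLE_DIR/PPTPD" <<'EOF'
#pseudo-device  gre     2       # generic L3 over IP tunnel
options         PPP_FILTER      # Active filter support for PPP (requires bpf)
pseudo-device   ppp     2       # Point-to-Point Protocol
pseudo-device   bpfilter 8      # Berkeley packet filter
EOF
printf '#define CCP_MAX_OPTION_LENGTH\t32\n' > "$SAMPLE_DIR/ppp-comp-stock.h"
printf '#define CCP_MAX_OPTION_LENGTH\t64\n' > "$SAMPLE_DIR/ppp-comp-mppe.h"

echo "== stock kernel =="
verify_pptp_prereqs "$SAMPLE_DIR/STOCK" "$SAMPLE_DIR/ppp-comp-stock.h" || echo "not ready for poptop with MPPE"
echo "== edited kernel =="
verify_pptp_prereqs "$SAMPLE_DIR/PPTPD" "$SAMPLE_DIR/ppp-comp-mppe.h" && echo "ready to rebuild the kernel"
```

Run it with no arguments to see both the stock-style sample fail and the
edited sample pass; to check a real system, call verify_pptp_prereqs with your
kernel config file and /sys/net/ppp-comp.h as the two arguments.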