PPTP: Point-to-Point Tunneling Protocol
Written by: Paulo Silva
Software Engineering, McMaster University
March 2001
The purpose of this paper is to give an overview of the Point-to-Point Tunneling Protocol (PPTP). The paper includes the following topics:
Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks. PPTP supports on-demand, multi-protocol, virtual private networking over public networks such as the Internet. It was developed by the PPTP Forum, which consists of the following organizations: Ascend Communications, Microsoft Corporation, 3Com/Primary Access, ECI Telematics, and U.S. Robotics.
The networking technology of PPTP is an extension of the remote access Point-to-Point Protocol (PPP). It encapsulates PPP packets into IP datagrams for transmission over the Internet or another public TCP/IP-based network, or it can be used in private LAN-to-LAN networking.
The PPTP protocol is designed to perform the following tasks:
An important feature in the use of PPTP is its support for VPNs over public switched telephone networks (PSTNs). This simplifies and reduces the cost of deploying an enterprise-wide remote access solution for remote or mobile users, because it provides secure and encrypted communications over the public telephone lines and the Internet.
Generally there are three computers involved in a PPTP deployment: a PPTP client, a network access server and a PPTP server. In the case of a LAN, the network access server is not required because the client is already on the same network. The secure communication created using the PPTP protocol typically involves three processes, each of which requires successful completion of the previous one. They are: PPP connection and communication, PPTP control connection, and PPTP data tunnelling.
In the first step, the client needs a connection to the Internet, made by connecting to a Network Access Server (NAS) via a local Internet Service Provider (ISP). A PPTP client uses PPP to establish this connection. The connection request by a client consists of access credentials (username, password and domain) and an authentication protocol, which allow the PPTP server to authenticate the client. Once connected, the client can send and receive packets over the Internet.
Once the client has made the initial PPP connection to the ISP, a second dial-up networking call is made over the existing PPP connection. This creates the VPN connection (control connection) to a PPTP server on the private enterprise LAN and acts as a tunnel through which network packets flow. A set of eight control messages will establish, maintain and end the PPTP tunnel.
After the PPTP tunnel is established, data is transmitted between the client and the PPTP server. Data is sent in the form of IP datagrams that contain PPP packets, usually referred to as encapsulated PPP packets. The IP datagrams contain encrypted IPX, NetBEUI, or TCP/IP packets and have the following format:
PPP Delivery Header | IP Header | GRE Header | PPP Header | IP Header | TCP Header | Data
Figure 1: IP datagram containing encrypted PPP packets as created by PPTP
The IP delivery header provides the information necessary for the datagram to traverse the Internet. The GRE header is used to encapsulate the PPP packet within the IP datagram. The shaded area represents the encrypted data. The following figure shows the process of connecting a PPTP client to the private network.
Figure 2: Connection between PPTP client and private network
After the VPN connection is established, the remote user (client) can perform any operation that a locally connected user can.
One of the reasons why this protocol is so popular is the security features available. There are three areas of PPTP security that make it very appealing. They are: authentication, data encryption and PPTP packet filtering.
Authentication of a remote PPTP client is done using the same PPP authentication methods used for any other RAS client. The user accounts of remote users are set up so that only they are granted specific access to the network through a trusted domain. The use of secure passwords is one of the keys to a successful deployment of PPTP.
Data sent back and forth through the PPTP tunnel is encrypted. The network packets are encrypted at the source (client or server), travel inside the tunnel and are decrypted at the destination. Also, since the entire network traffic in a PPTP connection flows inside the tunnel, the data is invisible to the outside world. The packet encryption inside the tunnel provides an additional level of security.
PPTP packet filtering is an option that can significantly improve the performance and reliability of network security if it is enabled on the PPTP server. When enabled, the server accepts and routes only PPTP packets from authorized users. This prevents all other packets from entering the PPTP server and the private network.
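To make the datagram layout of Figure 1 and the packet filtering idea above concrete, here is an added example (not from the original paper) that walks an IPv4 delivery header, the GRE header and the PPP header of a PPTP data packet and returns what it found; `is_pptp_data` then acts as a filter predicate that accepts only well-formed PPTP data packets. The GRE field layout (version 1, key field carrying payload length and call ID, optional sequence and acknowledgment numbers, protocol type 0x880B) is taken from RFC 2637 and is not described on the page; the packet bytes are constructed, not captured.

```python
import struct

IPPROTO_GRE = 47         # IP protocol number that marks a GRE header after the IP delivery header
PPTP_GRE_PROTO = 0x880B  # GRE protocol type RFC 2637 assigns to PPTP (assumed; not stated on the page)

def parse_pptp_datagram(pkt: bytes) -> dict:
    """Walk Figure 1: IP delivery header -> GRE header -> PPP header -> payload; ValueError if not PPTP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError(f"IP protocol {pkt[9]} is not GRE")
    src, dst = (".".join(str(b) for b in pkt[a:a + 4]) for a in (12, 16))
    gre = pkt[ihl:]
    flags, gre_proto = struct.unpack("!HH", gre[:4])
    if gre_proto != PPTP_GRE_PROTO:
        raise ValueError(f"GRE protocol type 0x{gre_proto:04X} is not PPTP")
    has_key, has_seq, has_ack = flags & 0x2000, flags & 0x1000, flags & 0x0080
    if not has_key or (flags & 0x0007) != 1:
        raise ValueError("PPTP uses GRE version 1 with the key (length/call-id) field present")
    payload_len, call_id = struct.unpack("!HH", gre[4:8])  # key field: 16-bit length, 16-bit call id
    off = 8
    seq = ack = None
    if has_seq:                       # sequence number is present only when the S bit is set
        (seq,) = struct.unpack("!I", gre[off:off + 4]); off += 4
    if has_ack:                       # acknowledgment number is present only when the A bit is set
        (ack,) = struct.unpack("!I", gre[off:off + 4]); off += 4
    ppp = gre[off:off + payload_len]
    if len(ppp) < payload_len:
        raise ValueError("declared payload length exceeds the datagram (truncated)")
    if ppp[:2] == b"\xff\x03":        # PPP address/control bytes may be omitted (ACFC)
        ppp = ppp[2:]
    (ppp_proto,) = struct.unpack("!H", ppp[:2])
    return {"src": src, "dst": dst, "call_id": call_id, "seq": seq, "ack": ack,
            "ppp_protocol": ppp_proto, "inner": ppp[2:]}

def is_pptp_data(pkt: bytes) -> bool:
    """Filter predicate: accept only well-formed PPTP data packets, reject everything else."""
    try:
        parse_pptp_datagram(pkt)
        return True
    except (ValueError, struct.error):
        return False

# Constructed sample (not a real capture): 10.0.0.1 -> 192.168.1.10, GRE K+S bits set, call id 0x1234,
# seq 7, PPP protocol 0x00FD (MPPE compressed/encrypted datagram) followed by four opaque payload bytes.
SAMPLE = bytes.fromhex(
    "45000028 00010000 402f0000 0a000001 c0a8010a"   # IPv4 delivery header, protocol 47 (GRE)
    "3001880b 00081234 00000007"                      # PPTP GRE header: flags, 0x880B, len, call id, seq
    "ff0300fd deadbeef"                               # PPP header + encrypted payload
)
```

Anything that is not GRE, not version-1 PPTP GRE, or shorter than its declared payload length is rejected by `is_pptp_data`, which is the behaviour a PPTP-only filter in front of the server needs.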
Current technologies such as the Internet can be used to enhance and facilitate access to private networks, which makes powerful resources available for very little cost.
This approach has two benefits. First, a VPN lets mobile users avoid long-distance telephone charges (assuming access to a local ISP is available) and minimize costs. Second, the service provider is responsible for maintaining, updating and troubleshooting your WAN’s infrastructure. If every company, institution or organization had to build its own WAN, it would be almost impossible because of the cost involved.
Also, the security provided by PPTP and the simplicity of using this protocol make it a good package that is worthwhile to implement.