This is a good paper. It covered almost all of the failures of MS PPTP. However, I think it missed a big one. It is possible to recover all the clear text from a PPTP session, even if most of the traffic is going in one direction only. The failure is in MPPE. When MPPE gets a sequenceing error, it resets the key. This causes the cipher stream to be reset. It is partially covered in section 5.4 . Since RC4 is a stream cipher, it generates the same cipher stream for a given key. This cipher stream is XORed with the clear text. To recover the clear text, an attacker just needs to force a resyncronization by sending a packet that has a bogus coherency count. If the attacker captures the original stream and the resynchronized stream a simple XOR of the two streams results in an XOR of the cleartext. While compression does make it harder to determine what the cleartext is, It is likely that a determined attacker can decrypt and decompress the XORed result. Brad Brad Kemp Indus River Networks, Inc. BradKemp@indusriver.com 31 Nagog Park 978-266-8122 Acton, MA 01720 fax 978-266-8111