2002-03-11-22:22:45 Kee Hinckley:
> At 4:39 PM -0500 3/8/02, Bennett Todd wrote:
> >Unless there's been some recent development I haven't heard of,
> >incorporating user authentication (like e.g. SecurID) into IPSec
> >remains an open research problem. Any solution that's in use today
> >is a special one-off ad-hoc hack. Such a hack is easy to make.
>
> I wouldn't call it "open research". I was connecting to a Cisco
> server just today using IPSec and SecurID.
I call Cisco's solution a "special one-off ad-hoc hack". As I said,
they're easy to make; but IPSec (as opposed to such hacks) is a
standard, interoperable protocol. There are any number of one-off hack
VPN solutions, and some of 'em are far nicer designs than IPSec ---
IPSec's design target of solving every problem anyone could fantasize
having anything to do with encrypting IP ended up making it pretty
wickedly complex. And, sadly, teaching it to support user
authentication won't make it simpler :-).

> However I agree that there doesn't seem to be a widely supported
> solution. I've never been able to find an arbitrary VPN client
> that could use SecurID to a server from a different vendor.

I believe that would be because any such solution is one vendor's
one-off hack, not IPSec.

As I said, there are any number of simpler, cleaner designs. Pick any
common subset of the problem space that IPSec solves, and you can
probably find a cleaner solution. The only excuse for IPSec in my book
is that it's interoperable. Lose that --- e.g. by depending on a
vendor-proprietary extension for user auth --- and all of a sudden
you're using the worst of both worlds, an over-complex protocol and no
interop, locked into a single vendor.

If I wanted to set up a SecurID-authenticating Road Warrior solution,
I'd create a simple SSL-secured web page that can be used to
temporarily enable a particular cert for normal road-warrior IPSec;
that way, even though my server-side implementation would be tied to a
particular implementation, it could at least in principle be
re-implemented for others, and any client with a web browser and an
IPSec implementation could log in.

-Bennett
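The design sketched at the end of the message above (authenticate the user out of band on an SSL web page, then temporarily enable that user's certificate for ordinary road-warrior IPsec, so the IPsec side stays plain interoperable cert auth) can be made concrete. What follows is an added example written for this page; it is not code from the thread, from Cisco, or from any IPsec implementation. It assumes an RFC 4226 HOTP counter-based code as a stand-in for a SecurID token, a hypothetical `RoadWarriorGate` class that stands in for both the web login page and the gateway's per-certificate policy hook, and constructed user records and certificate fingerprints.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits.
    Used here as a stand-in for a SecurID-style one-time code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class RoadWarriorGate:
    """Hypothetical server side of the design in the message above.

    login()        is what the SSL-secured web page does after checking the
                   one-time code: it enables the user's certificate
                   fingerprint for a limited time.
    cert_enabled() is the hook the IPsec gateway consults when a client
                   presents that certificate during IKE. Everything the
                   gateway sees is ordinary certificate auth; the one-time
                   code never touches the IPsec protocol itself.
    """

    def __init__(self, users, ttl_seconds=8 * 3600, look_ahead=3):
        self.users = users            # name -> {"secret", "counter", "cert_fp"}
        self.ttl = ttl_seconds
        self.look_ahead = look_ahead  # tolerated counter drift (RFC 4226 s.7.4)
        self._enabled = {}            # cert fingerprint -> expiry (epoch seconds)

    def login(self, username, code, now=None):
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return False
        # Accept the code at the stored counter or a few steps ahead, then
        # move the counter past the match so the same code cannot be replayed.
        for step in range(self.look_ahead):
            candidate = user["counter"] + step
            if hmac.compare_digest(hotp(user["secret"], candidate), code):
                user["counter"] = candidate + 1
                self._enabled[user["cert_fp"]] = now + self.ttl
                return True
        return False

    def cert_enabled(self, cert_fp, now=None):
        now = time.time() if now is None else now
        expiry = self._enabled.get(cert_fp)
        if expiry is None:
            return False
        if now >= expiry:
            del self._enabled[cert_fp]  # lazy expiry: the user must log in again
            return False
        return True

    def logout(self, cert_fp):
        self._enabled.pop(cert_fp, None)


# Constructed sample data: the RFC 4226 test-vector secret and a made-up
# certificate fingerprint (hash of a placeholder, not a real certificate).
ALICE_SECRET = b"12345678901234567890"
ALICE_FP = "SHA256:" + hashlib.sha256(b"constructed DER for alice's cert").hexdigest()
SAMPLE_USERS = {
    "alice": {"secret": ALICE_SECRET, "counter": 0, "cert_fp": ALICE_FP},
}


def make_gate(ttl_seconds=60):
    """Fresh gate over a copy of the sample records (counters are mutable)."""
    return RoadWarriorGate({n: dict(r) for n, r in SAMPLE_USERS.items()},
                           ttl_seconds=ttl_seconds)


def demo():
    """Walk through a login, an IPsec connect, a replay attempt and expiry.
    Returns a dict of check-name -> bool so it can be asserted on."""
    gate = make_gate(ttl_seconds=60)
    t0 = 1_000_000
    first_code = hotp(ALICE_SECRET, 0)
    return {
        "bad_code_rejected": not gate.login("alice", "000000", now=t0),
        "cert_blocked_before_login": not gate.cert_enabled(ALICE_FP, now=t0),
        "login_ok": gate.login("alice", first_code, now=t0),
        "cert_enabled_after_login": gate.cert_enabled(ALICE_FP, now=t0 + 30),
        "replay_rejected": not gate.login("alice", first_code, now=t0 + 30),
        "cert_disabled_after_ttl": not gate.cert_enabled(ALICE_FP, now=t0 + 60),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The point of the split is the one the message makes: the gateway only ever evaluates "is this certificate currently enabled", which any IPsec implementation can be made to do with its existing per-peer policy, while all the vendor-specific work (token validation, the web form, the TTL) lives in the web page and can be re-implemented independently. In a real deployment the `_enabled` table would be pushed into the gateway's peer configuration and the counter state persisted; the look-ahead window and lazy expiry are the two edge cases a practitioner would want handled before trusting it.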