
Re: Secure legacy authentication for IKEv2



On Fri, 2002-12-20 at 12:02, Valery Smyslov wrote:
> > Er, do you really think that the client and server haven't agreed out
> > of band which legacy auth mechanism they will do? In the real world,
> > companies tell their users which auth mechanism they will use, and
> > the information needed to do it.
> 
> I've been thinking of situation when company upgrades its legacy auth
> from one type to another (i.e. from passwords to SecurID). This will
> not happen overnight, so a transition period will take place. During such
> period both types will be in use.

There are other situations where pre-agreement is inconvenient as well.  I run IPsec in a service provider environment in which we connect N remote users to M target networks.  Any N can connect to any M, and each M network is free to specify its preferred auth type, including in particular SecurID and username/password.  Out-of-band agreement can be done (and we're running custom/inconvenient/dubiously secure, I fear, code to do it), but it would be much more convenient for my implementation if it were part of the protocol.

[BTW, since I've never posted here before] I'm the CTO of a VPN-based remote access service provider.  We hook remote workers to corporate networks via our hardware, and we add a few value-added services to the mix.  We've been in {beta|production} operation for about 18 months.  The challenges of this architecture inspired me to join this mail list a while ago to keep tabs on progress... perhaps I can make some contribution from the perspective of an operator as well.

 -sd
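The in-band selection of a legacy auth type that the message above asks for is what IKEv2 eventually standardised by carrying EAP inside the IKE_AUTH exchange (RFC 4306, later RFC 7296 section 2.16); within EAP, the server proposes a method type and a client that does not support it answers with a Nak listing the types it does support (RFC 3748 section 5.3), so the gateway can pick per target network without any out-of-band agreement. The Python below is an added example written for this page, not code from the post or from any IPsec implementation. The network names, the per-network policy table and the negotiate() function are constructed for illustration; the EAP codes and type numbers are the ones assigned in RFC 3748, and the model deliberately ignores the IKE SA the EAP messages would ride inside.

```python
# Added example (not from the original post): a minimal model of EAP method
# negotiation as carried in IKEv2's EAP exchange. A gateway serving several
# target networks selects the auth type per network in-band; a client that
# does not support the proposed type replies with an EAP Nak (RFC 3748 5.3)
# listing what it does support, and the server re-proposes or fails.
# Codes and types follow RFC 3748; the network names and policy table below
# are constructed for illustration.
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE, TYPE_OTP, TYPE_GTC = 1, 3, 4, 5, 6


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Serialize an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Parse an EAP packet, checking the Length field against the bytes given."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    eap_type = pkt[4] if length > 4 else None
    return code, identifier, eap_type, pkt[5:]


# Constructed per-target-network policy: acceptable EAP types in preference order.
NETWORK_POLICY = {
    "corp-a": [TYPE_OTP, TYPE_GTC],      # token (SecurID-style) first, GTC as fallback
    "corp-b": [TYPE_MD5_CHALLENGE],      # password only, no alternative
}


def negotiate(network, client_types):
    """Run the proposal/Nak exchange for one client connecting to `network`.

    The server proposes the network's preferred type; the client either answers
    the Request (agreement) or sends a Nak carrying every type it supports. The
    server then picks the first policy-allowed type from the Nak or gives up.
    Returns (agreed_type or None, transcript of (direction, wire bytes)).
    """
    policy = NETWORK_POLICY[network]
    transcript = []
    ident = 1
    proposed = policy[0]
    while True:
        req = build_eap(EAP_REQUEST, ident, proposed)
        transcript.append(("S->C", req))
        _, rid, rtype, _ = parse_eap(req)
        if rtype in client_types:
            # Client supports it: a real implementation would now run the method.
            transcript.append(("C->S", build_eap(EAP_RESPONSE, rid, rtype)))
            return rtype, transcript
        # Legacy Nak: Type-Data lists desired types, or a single 0 for "none".
        nak = build_eap(EAP_RESPONSE, rid, TYPE_NAK, bytes(client_types) or b"\x00")
        transcript.append(("C->S", nak))
        _, _, _, ndata = parse_eap(nak)
        # Server honours the Nak only for types this network's policy allows.
        acceptable = [t for t in policy if t in ndata and t != proposed]
        if not acceptable:
            transcript.append(("S->C", build_eap(EAP_FAILURE, ident + 1)))
            return None, transcript
        proposed = acceptable[0]
        ident += 1


if __name__ == "__main__":
    for net, supported in (("corp-a", [TYPE_GTC]), ("corp-b", [TYPE_OTP])):
        agreed, log = negotiate(net, supported)
        print(net, "agreed type:", agreed)
        for direction, pkt in log:
            print("  ", direction, pkt.hex())
```

Note that the server intersects the client's Nak with its own policy rather than simply accepting whatever the client asks for; a client must never be able to downgrade a token-only network to a password method just by naming it in the Nak.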