PPTP / L2TP with Kerberos -- what specs does it follow?

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Sat Nov 29 16:15:17 EST 2014


> > implemented/supported/documented.  It would require the KDC to be out
> > in the open (to get the ticket used for the VPN auth) and most folks
> > aren't going to do that.
>
> ... can you say more about *why* most folks aren't going to do that?

Caveat: I'm not at all involved with security decisions here at USDA, but I can observe a few things.

Our KDC is integrated with Active Directory. Active Directory (actually, all desktop/workstation oriented technology) is perceived as an intranet technology. "Internet technology" is perceived to be both public facing and web-based. Our SAML IdP has been mandated for use outside the firewall. This, of course, falls apart for those cases where perception is different from reality (i.e., using desktops/workstations for external collaboration).

The CIO has responsibility for issuing and maintaining tens of thousands of predominantly office machines, which are mandated to always be on the intranet, either physically or via VPN. External collaboration is an exception to the rule, the end-to-end responsibility for which rests on the end user. End users would rather not learn Kerberos at all, much less manage a KDC for themselves and all comers. The professionals concern themselves only with internal use.

At least, these are the obstacles I have encountered in my attempts to externally collaborate with desktop technology.

Bryce




This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.



More information about the Kerberos mailing list