Hi Yaron,

> looking at the Coupling plug-in, I'm wondering at the feature
> definition - or maybe I'm misunderstanding it.

The plugin was primarily defined for coupling two devices. Let's assume you have two (embedded) devices talking exclusively with each other. After coupling them (by the manufacturer?), they don't accept any other certificate. Even if the CA is compromised, the devices are limited to the coupled peer certificate.

Having more than one coupled device is just an extension. You could think of 5 devices doing a full mesh. Once the mesh is up, no other device could ever join the mesh.

> Suppose GW1 has 10 peers, I would naturally set the Max value to 10.
> But if only 8 peers ever show up,

That's not the intention. It is meant for setups where you know how many peers will connect, and you'll have to make sure they actually do.

> I believe this feature would be much more useful if the coupling were
> per-DN. And then I can envision it being extended in the future
> towards all sorts of opportunistic encryption scenarios.

This would be a different use case. The coupling plugin does not add trust to unknown certificates, it limits acceptable peers/certificates to ones already seen.

Regards
Martin

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
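The acceptance rule Martin describes, as an added illustration that is not part of the thread and not strongSwan's own code: ordinary chain validation runs first (coupling never adds trust), then the peer certificate's hash is looked up in a persisted list; a hash already on the list is accepted, a new hash is accepted and recorded only while fewer than `max` peers have been coupled, and anything else is rejected, which is why a slot left unfilled stays open. The store file format, the `CouplingStore`/`simulate_mesh` names and the byte strings standing in for DER certificates are assumptions made for this example.

```python
# Added example (not strongSwan code): a model of the acceptance rule that the
# coupling plugin applies on top of ordinary certificate validation.
import hashlib
import os
import tempfile


class CouplingStore:
    """Remembers peer certificate fingerprints; accepts only those already
    seen, or new ones while fewer than `max_peers` have been coupled."""

    def __init__(self, path, max_peers=1, hash_alg="sha256"):
        self.path = path
        self.max_peers = max_peers
        self.hash_alg = hash_alg
        self.seen = set()
        if os.path.exists(path):
            # One "<hexdigest> <subject>" line per coupled peer (assumed format).
            with open(path) as f:
                self.seen = {line.split()[0] for line in f if line.strip()}

    def fingerprint(self, cert_der):
        return hashlib.new(self.hash_alg, cert_der).hexdigest()

    def accept(self, cert_der, subject, chain_valid):
        # Coupling never adds trust: a certificate that fails normal chain
        # validation is rejected before the coupling list is consulted.
        if not chain_valid:
            return "reject: chain validation failed"
        fp = self.fingerprint(cert_der)
        if fp in self.seen:
            return "accept: coupled peer"
        if len(self.seen) < self.max_peers:
            # A free slot remains: couple this peer and persist the decision.
            self.seen.add(fp)
            with open(self.path, "a") as f:
                f.write(f"{fp} {subject}\n")
            return "accept: newly coupled"
        # Even a certificate that chains to a (possibly compromised) CA is
        # refused once the configured number of peers has been coupled.
        return "reject: not coupled, limit reached"


def simulate_mesh(max_peers=2):
    """Run a constructed scenario and return the list of decisions."""
    # Constructed stand-ins for DER-encoded certificates; the coupling check
    # only hashes them, so opaque bytes are enough here.
    peer_a = b"DER:CN=gw-a,issuer=CA"
    peer_b = b"DER:CN=gw-b,issuer=CA"
    peer_c = b"DER:CN=gw-c,issuer=CA"
    rogue = b"DER:CN=gw-evil,issuer=CA"      # validly issued, never coupled
    untrusted = b"DER:CN=gw-x,issuer=Other"  # fails chain validation

    path = os.path.join(tempfile.mkdtemp(), "coupling.list")
    store = CouplingStore(path, max_peers=max_peers)
    decisions = [
        store.accept(peer_a, "gw-a", chain_valid=True),
        store.accept(peer_b, "gw-b", chain_valid=True),
        store.accept(peer_c, "gw-c", chain_valid=True),
    ]

    # Reload from the file, as a daemon would after a restart: the coupled
    # peers survive, and the limit still applies to everyone else.
    store = CouplingStore(path, max_peers=max_peers)
    decisions += [
        store.accept(peer_a, "gw-a", chain_valid=True),
        store.accept(rogue, "gw-evil", chain_valid=True),
        store.accept(untrusted, "gw-x", chain_valid=False),
    ]
    return decisions


if __name__ == "__main__":
    for line in simulate_mesh():
        print(line)
```

With `max_peers=2` the third peer is refused and the rogue certificate is refused despite validating against the CA; with `max_peers=3` the third slot stays open and `gw-c` is coupled on its first appearance, which is the "if only 8 peers ever show up" situation from the question.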
