> On Nov 21, 2018, at 23:40, D. Hugh Redelmeier <h...@mimosa.com> wrote:
> 
> VPN providers should not provide software to their clients.  That's a
> bug and should not be encouraged by the committee.

And you can see the security nightmare it causes in the Android Play Store with 
zillions of (un?)modified OpenVPN code that no one knows what it exactly does.

Whereas with Apple, the VPN apps provide a custom UI to the user but it is all 
using the system's IKE/IPsec stack and the standard VPN information tools of 
the OS can be used to see what the VPN configuration is (currently not for the 
DNS settings but a bug report has been verbally submitted for this a while ago 
:)


> The point of a standard is that any IPSec implementation should be
> able to connect with any other IPsec implementation.  The default
> provider of VPN software ought to be the provider of the OS for the
> client's machine.

+1

>  The client should be able to choose any conformant 
> implementation.

For open source based solutions, sure. For proprietary devices I would hope they 
just ship with only one implementation.

> I admit that we have failed to make interop easy
> and normal, but that's where we should be heading.

It is getting much better compared to what we had for IKEv1 (with PFS and rekey 
issues being the main thing I see going wrong).

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
