On Wed, 12 Jun 2019, D. Hugh Redelmeier wrote:
> Often warnings just get lost or ignored.
But often it is the only thing we can do?
> When would one use each of these in a conn:
>
>     mobike=no
>     mobike=auto
>     mobike=yes
>
> If one of those would never be used, that should cause one to rethink my
> proposal.
The problem with mobike=auto is that for most static VPN connections,
you do not want to enable mobike. In theory, if one endpoint is briefly
compromised, they can send a mobike message instructing a redirection of
the entire site-to-site deployment. So we cannot default to an automatic
"yes if supported".
But one use of mobike is exactly that, a "failover" kind of scenario, so
we cannot disallow mobike on static conns either.
> If there is no cost to "auto" (no security cost, no payload cost, no
> interop cost) then perhaps the whole mobike feature should just be
> hardwired to auto and the conn option should be removed.
There is a security concern.
So the above no|auto|yes would have to default to no, at which point the
"auto" is really reduced to 'yes if my kernel can', which in my opinion
is exactly what a user would expect from the "yes" value.
Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
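The policy Paul argues above (mobike is expected on road-warrior conns, but must be a deliberate choice on a conn whose both ends are fixed addresses, because either endpoint can then move the whole tunnel with a MOBIKE address update) can be turned into a config audit. The script below is an added example, not libreswan code and not anything proposed in the thread. It parses only the `conn <name>` / indented `key=value` subset of ipsec.conf (no `also=`, no `include=`; that restriction is the example's own), treats a conn as static when both `left=` and `right=` are literal IP addresses, and reports conns that set `mobike=yes` on such a static pair. The sample config is constructed for the example.

```python
"""Audit a libreswan-style ipsec.conf for mobike=yes on static site-to-site conns.

Added example, not part of libreswan. Only the "conn <name>" / indented
"key=value" subset of ipsec.conf is parsed; also=/include= are not followed.
"""
import ipaddress
import re

# Constructed sample config for this example (not from the mailing list thread).
SAMPLE_CONF = """\
config setup
    logfile=/var/log/pluto.log

conn site-to-site
    left=192.0.2.10
    right=198.51.100.20
    authby=rsasig
    mobike=yes        # both ends fixed: a compromised peer could move the tunnel

conn roadwarriors
    left=192.0.2.10
    right=%any
    authby=rsasig
    mobike=yes        # expected: the peer's address is unknown and may change

conn backup-link
    left=192.0.2.10
    right=198.51.100.21
    mobike=no
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # strip trailing comments
        if not line.strip():
            continue
        header = re.match(r'^(conn|config)\s+(\S+)\s*$', line)
        if header:
            # 'config setup' is skipped; only 'conn' sections are collected.
            current = conns.setdefault(header.group(2), {}) if header.group(1) == 'conn' else None
            continue
        if current is None or not line[0].isspace():
            continue                                # not inside a conn section
        key, sep, value = line.strip().partition('=')
        if sep:
            current[key.strip()] = value.strip()
    return conns


def is_fixed_address(value):
    """True for a literal IPv4/IPv6 address; False for %any, %defaultroute, hostnames."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_static_conn(conn):
    """A conn whose both ends are literal addresses (site-to-site style)."""
    return all(is_fixed_address(conn.get(side, '')) for side in ('left', 'right'))


def find_risky_mobike(conns):
    """Names of conns that enable mobike although both endpoints are fixed.

    libreswan's default for mobike= is 'no', so a conn that omits it is
    treated as disabled.
    """
    return sorted(name for name, conn in conns.items()
                  if conn.get('mobike', 'no').lower() == 'yes' and is_static_conn(conn))


if __name__ == '__main__':
    for name in find_risky_mobike(parse_conns(SAMPLE_CONF)):
        print(f"{name}: mobike=yes on a static conn; confirm this is intended failover")
```

A conn using `left=%defaultroute` or a hostname is not classed as static here, so it is never flagged; that is a conservative choice, and an environment where such conns are in fact site-to-site should extend `is_static_conn` accordingly.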