[Swan-dev] Q: mobike on kernel without mobike: load or not load the connection
Paul Wouters
paul at nohats.ca
Wed Jun 12 20:32:33 UTC 2019
On Wed, 12 Jun 2019, D. Hugh Redelmeier wrote:
> Often warnings just get lost or ignored.
But often it is the only thing we can do?
> When would one use each of these in a conn:
> mobike=no
> mobike=auto
> mobike=yes
>
> If one of those would never be used, that should cause one to rethink my
> proposal.
The problem with mobike=auto is that for most static VPN connections,
you do not want to enable mobike. In theory, if one endpoint is briefly
compromised, they can send a mobike message instructing a redirection of
the entire site-to-site deployment. So we cannot default to an automatic
"yes if supported".
But one use of mobike is exactly that, a "failover" kind of scenario, so
we cannot disallow mobike on static conns either.
> If there is no cost to "auto" (no security cost, no payload cost, no
> interop cost) then perhaps the whole mobike feature should just be
> hardwired to auto and the conn option should be removed.
There is a security concern.
So the above no|auto|yes would have to default to no, at which point the
"auto" is really reduced to 'yes if my kernel can', which in my opinion
is exactly what a user would expect from the "yes" value.
Paul