[Swan-dev] Q: mobike on kernel without mobike: load or not load the connection

Paul Wouters paul at nohats.ca
Wed Jun 12 20:32:33 UTC 2019

On Wed, 12 Jun 2019, D. Hugh Redelmeier wrote:

> Often warnings just get lost or ignored.

But often it is the only thing we can do?

> When would one use each of these in a conn:
> 	mobike=no
> 	mobike=auto
> 	mobike=yes
> If one of those would never be used, that should cause one to rethink my
> proposal.

The problem with mobike=auto is that for most static VPN connections,
you do not want to enable mobike. In theory, if one endpoint is briefly
compromised, they can send a mobike message instructing a redirection of
the entire site-to-site deployment. So we cannot default to an automatic
"yes if supported".

But one use of mobike is exactly that, a "failover" kind of scenario, so
we cannot disallow mobike on static conns either.

> If there is no cost to "auto" (no security cost, no payload cost, no
> interop cost) then perhaps the whole mobike feature should just be
> hardwired to auto and the conn option should be removed.

There is a security concern.

So the above no|auto|yes would have to default to no, at which point the
"auto" is really reduced to 'yes if my kernel can', which in my opinion
is exactly what a user would expect from the "yes" value.


More information about the Swan-dev mailing list