[Swan] Wildcarding rightid

Paul Wouters paul at nohats.ca
Mon Apr 8 10:48:46 UTC 2019

On Mon, 8 Apr 2019, Nick Howitt wrote:

> I may have missed something, but what happens if you do right=%any? At that point the rightid becomes irrelevant, doesn't it? Nick

It will then default to ID_IP, and so if you are coming from behind
NAT, you will present the "wrong" ID.

Most right=%any are limited by the authby= method. When using
authby=secret, we do ignore the ID_IP just because too many
clients behind NAT send such a nonsense ID. When using authby=rsasig,
like when using certificates, the ID is still checked to be a
valid SAN entry on the certificate.

The ID is also often used to detect a reconnect from the same client
versus a connect from a different client, so we can more quickly
purge old replaced client connections. So while there might not be a
security purpose when used with a single PSK client, it still serves
other purposes.
