[Design] Raw doc in the policy group files

-----BEGIN PGP SIGNED MESSAGE-----   FYI here are some comments on the doc and operations of the current 2.00 snapshots:

  Is there any reason to put a default "private-or-clear"? The way it is now if someone messes with it 'bad' things can happen. I would suggest putting it in a comment with some supporting text.

  Obviously I am assuming that if this file is not there (and a comments only is supposed to be the same as not there at all) we get the default of 0.0.0.0/0.

  The per-file header doc shoud mention which one of the policies is "OE", "iOE" and "pOE" and (quickly) explain the terms.

  On to the policygroups.html documentation file.

  The first paragraph in there is this:
"""

   Policy groups are a new feature that we're getting ready for 2.0.    Testing is appreciated, as is feedback via design@lists.freeswan.org.
"""

  Obviously it needs a _slight_ rewrite at this point in the process.

  Say what?:
"""

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

   Our Base Policy Groups rely on Opportunistic Encryption (OE) to do    this.
"""

  OE only does three out of the 5, but the sentence as written is just fluf, remove it or get more serious in explaining how OE make it possible to have very few basic policy's cover most situations.

  This page is reading like a group of scattered notes, just sentences with out plan, scatter shot onto paper. It need to be sat down with and the whole thing explained in the first four or five paragraphs.

  Lets continue with minutia for a bit:

  No, this should be all more along the lines of VPN or OE or nothing:
"""

   private (OE-based VPN)

          Attempt to negotiate opportunistically. On failure, block.
"""

  where VPN is done by a more specific policy or conn and if there is none then we try OE and if _that_ fails we block/drop.

  The link in this paragraph:
"""

   All Policy Groups are bidirectional. This chart shows some technical    details. FreeS/WAN does not support one-way encryption, since it can    give users a false sense of security.
"""

  does not take me to a chart but to a table of contents.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

  As above, I hope that this is not quite true:
"""

   Base Policy Groups rely on OE. To use the following examples, you must    first become OE-capable, as described here.
"""

  Rather I would say it's as easy making a shopping list or two. Then going into a bit more detail:
"""

   This is as easy as putting names, IPs or IP ranges in    /etc/ipsec.d/policies/[groupname].
"""

  Right, here is the part that says to comment out the 0.0.0.0/0 to turn OE off. In the case of random file corruption (say sysadmins had one too many bheers...) lets have it fail to secure (OE) rather then fail to clear. We want the built in default to be OE and you have to EXPRESSLY turn OE off, not just corrupt the private-or-clear file.

  Thats enough for now, I hope you get the idea of what I am looking for, both in documentation and in secure robustness.

		||ugh Daniel
		Testing Fool
		hugh@freeswan.org

-----BEGIN PGP SIGNATURE-----

Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.

iQCVAwUBPk+oLVZpdJR7FBQRAQGyBgP/a+/zGYRXfop14NgOe7QQvJ81JbC5MMvJ 1BMLIJKaEvr2q/q88ZE7P7jH7bCLcbTtngs3S2PzDR3ZFcFnW0fmqy2FDxuX4WNs 3oynGWc/oKw2gYW+cpE17KVpKUhthZEJh41sTkx2NsrdQs8syjNr8PFysN3zZLZd vzpbnExheLA=
=3CIA
-----END PGP SIGNATURE-----

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek