
[Design] Sam's concerns about 2.00

From: D. Hugh Redelmeier <hugh(at)mimosa.com>
Date: Thu Mar 06 2003 - 13:36:51 EST


Here's my understanding of Sam's concerns about 2.00. They are centred on defaulting OE to enabled.

1. If one just installs FreeS/WAN 2.0 on a Security Gateway and does
   nothing else, packets will be blocked in ways that might be
   surprising, confusing, and unwanted.

   1a Packets from the SG to an OE-enabled host will not get through
      because the SG will try to negotiate a connection but the other
      side won't be able to find authenticating material for the SG in
      DNS.

   1b Packets from nodes behind the SG will not get out because
      (i)  we've installed a default route to direct all packets from
           the SG through ipsec0, and
      (ii) there is no eroute for packets from behind the SG.
      The result is that the default policy will apply: %drop.

2. OE-by-default will exacerbate the long-standing problem of
   clashing security policies.

   VPN security assumptions are fundamentally different from OE
   assumptions. We know little about OE connections (they are
   potentially from strangers). One can decide what nodes one is
   willing to have a VPN with, and therefore typically much is known.
   FreeS/WAN as yet has no good (convenient, expressive, effective)
   way of segregating VPN and OE traffic. This makes VPN and OE on
   the same host problematic.

   OE-by-default is not very safe for SGs with VPN connections.

3. OE-by-default, as it is currently implemented, starts up a bunch of
   machinery, even if it is not going to do anything useful. If
   there is no published DNS record to provide authenticating material
   for the SG, OE can never succeed. Yet a new default route is
   installed, packets are erouted, %pass eroutes are installed, etc.

Hugh Redelmeier
hugh@mimosa.com voice: +1 416 482-8253


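The packet-blocking behaviour in point 1 of the message above follows from a simple rule: the default route pushes every packet into ipsec0, KLIPS looks the packet up in the eroute table, and a packet with no matching eroute gets the default policy, %drop. The model below is an added example written for this archive page; it is not FreeS/WAN or KLIPS code. It assumes three policies (%trap, %pass, %drop), a most-specific-match lookup over (source, destination) pairs, constructed sample addresses, and a constructed "DNS" set standing in for published KEY/TXT records. The %pass eroute for the inside subnet at the end is an assumed change to show how 1b would behave, not a recommendation from the message.

```python
"""
Toy model of the eroute lookup described in points 1a and 1b.
Added illustration, not FreeS/WAN code. Addresses, policy names,
the DNS set and the eroute contents are all assumptions.
"""
import ipaddress

# Constructed sample addresses (assumption).
SG_ADDR = ipaddress.ip_address("192.0.2.1")        # the Security Gateway itself
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")   # nodes behind the SG
OE_PEER = ipaddress.ip_address("198.51.100.7")     # an OE-enabled host elsewhere

# Constructed "DNS": which addresses publish authenticating material.
# The SG publishes nothing, which is the situation in point 1a.
DNS_WITH_KEYS = frozenset({OE_PEER})


class ErouteTable:
    """Eroute entries (src_net, dst_net, policy). The entry with the
    most specific (src, dst) pair wins; no match gives the default
    policy, which is %drop as the message states."""

    def __init__(self, default="%drop"):
        self.entries = []
        self.default = default

    def add(self, src, dst, policy):
        self.entries.append((ipaddress.ip_network(src),
                             ipaddress.ip_network(dst), policy))

    def lookup(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        best = None
        for s, d, policy in self.entries:
            if src in s and dst in d:
                specificity = s.prefixlen + d.prefixlen
                if best is None or specificity > best[0]:
                    best = (specificity, policy)
        return best[1] if best else self.default


def oe_negotiate(initiator, responder, dns=DNS_WITH_KEYS):
    """OE only succeeds if both ends can be authenticated via DNS
    (assumed simplification of the real negotiation)."""
    return initiator in dns and responder in dns


def forward(table, src, dst, dns=DNS_WITH_KEYS):
    """Fate of one packet the default route has sent into ipsec0:
    'pass', 'encrypt', 'stalled' (trap, but OE cannot succeed) or 'drop'."""
    policy = table.lookup(src, dst)
    if policy == "%pass":
        return "pass"
    if policy == "%trap":
        ok = oe_negotiate(ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), dns)
        return "encrypt" if ok else "stalled"
    return "drop"


def oe_default_table():
    """Assumed picture of what OE-by-default installs for the SG: a
    %trap eroute for the SG's own traffic and nothing for inside nodes."""
    table = ErouteTable(default="%drop")
    table.add(f"{SG_ADDR}/32", "0.0.0.0/0", "%trap")
    return table


def scenarios():
    """Walk through 1a, 1b, and two assumed changes to each."""
    table = oe_default_table()
    result = {}
    # 1a: SG -> OE host. Trap matches, but nothing in DNS for the SG.
    result["1a_sg_to_oe_host"] = forward(table, str(SG_ADDR), str(OE_PEER))
    # 1a if the SG did publish a record (assumption): negotiation succeeds.
    result["1a_with_sg_key_in_dns"] = forward(
        table, str(SG_ADDR), str(OE_PEER), dns=DNS_WITH_KEYS | {SG_ADDR})
    # 1b: inside node -> anywhere. No eroute at all, so %drop applies.
    result["1b_inside_node_out"] = forward(table, "10.0.0.5", str(OE_PEER))
    # 1b after adding a %pass eroute for the inside subnet (assumed change).
    table.add(str(INSIDE_NET), "0.0.0.0/0", "%pass")
    result["1b_after_pass_eroute"] = forward(table, "10.0.0.5", str(OE_PEER))
    return result


if __name__ == "__main__":
    for name, fate in scenarios().items():
        print(f"{name}: {fate}")
```

Running it shows the two distinct failures the message separates: the SG's own packet is not dropped by policy but stalls on a negotiation that can never complete, while the inside node's packet never reaches negotiation at all and falls through to %drop.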


Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design
Received on Thu Mar 6 15:14:56 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:56 EDT

