[Pkg-swan-devel] Bug#848890: Bug#848890: polished remaining delta for re-review

Simon Deziel simon at sdeziel.info
Mon Dec 4 21:44:46 UTC 2017


Hello Yves-Alexis,

On 2017-12-04 03:56 PM, Yves-Alexis Perez wrote:
> On Thu, 2017-11-30 at 16:31 +0100, Christian Ehrhardt wrote:
>> Pushed it to the same debian-submission-nov2017 branch as before.
> 85150f06 (kernel-libipsec enable): for reference, this is #739641 and I'm
> still not sure I like it. I might pick it but end up disabling it before
> release

The plugin is configured /not/ to load by default which means the
kernel's implementation will be used as normal. Users would need to
opt-in to use this userspace stack.

> f9e7f9007 (CCN move): NACK, what's the justification?

CCM is apparently more popular in the embedded space so maybe it was a
typo for GCM? GCM would make more sense IMHO.

> 8dbf648b7 (libcharon-standard-plugin): I can understand the rationale (plugins
> for common password-based mobile VPN setup), but I don't really like it. I
> don't really like adding a new binary package, and the name is definitely not
> good. Also, as far as I understand it, the plugins are useful when you're
> actually configuring a client/roadwarrior to imitate a mobile client with its
> limitations. I don't think it's a good thing to do, I'd prefer simplifying the
> secure use cases, like pubkeys-based ones.

The rationale for having EAP-MSCHAPv2 and XAUTH easily available is to
support users connecting to corporate VPNs configured to be compatible
with Windows and macOS.

Public keys would be far better indeed but in the enterprises/govs I had
to deal with, they were not popular. In the past 6-7 years, I only had
one client using public keys for a roadwarrior scenario.

Regards,
Simon

