Hello Yves-Alexis,

On 2017-12-04 03:56 PM, Yves-Alexis Perez wrote:
> On Thu, 2017-11-30 at 16:31 +0100, Christian Ehrhardt wrote:
>> Pushed it to the same debian-submission-nov2017 branch as before.
> 85150f06 (kernel-libipsec enable): for reference, this is #739641 and I'm
> still not sure I like it. I might pick it but end up disabling it before
> release

The plugin is configured /not/ to load by default which means the kernel's implementation will be used as normal. Users would need to opt in to use this userspace stack.

> f9e7f9007 (CCN move): NACK, what's the justification?

CCM is apparently more popular in the embedded space so maybe it was a typo for GCM? GCM would make more sense IMHO.

> 8dbf648b7 (libcharon-standard-plugin): I can understand the rationale (plugins
> for common password-based mobile VPN setup), but I don't really like it. I
> don't really like adding a new binary package, and the name is definitely not
> good. Also, as far as I understand it, the plugins are useful when you're
> actually configuring a client/roadwarrior to imitate a mobile client with its
> limitations. I don't think it's a good thing to do, I'd prefer simplifying the
> secure use cases, like pubkeys-based ones.

The rationale for having EAP-MSCHAPv2 and XAUTH easily available is to support users connecting to corporate VPNs configured to be compatible with Windows and macOS. Public keys would be far better indeed but in the enterprises/govs I had to deal with, they were not popular. In the past 6-7 years, I only had one client using public keys for a roadwarrior scenario.

Regards,
Simon