What is this?

Brooke

> On Dec 5, 2017, at 8:55 AM, kids live safe <si...@sdeziel.info> wrote:
> 
> public safety risk alert
> 
> 
>    
> 
>   
> 
>   
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> On 2017-12-05 04:12 AM, Yves-Alexis Perez wrote: > On Tue, 2017-12-05 at 
> 08:31 +0100, Christian Ehrhardt wrote: >> On Mon, Dec 4, 2017 at 9:56 PM, 
> Yves-Alexis Perez wr= ote: >>> On Thu, 2017-11-30 at 16:31 +0100, Christian 
> Ehrhardt wrote: >>>> Pushed it to the same debian-submission-nov2017 branch 
> as before. >>> >>> Thanks, >>> >>> I don't really have good news though. I 
> took a look and first, it seems >>> that >>> the git commit entries aren't 
> really good. git log --format=3Doneline i= s >>> barely >>> readable, for 
> example. >> >> Yeah the format was meant for another tool which made 
> debian/changelog >> entries out of it. >> I could rewrite them the next time 
> we talk about this topic in >> probably 6 months :-) >=20 > Ok :) >> >>> For 
> the commit contents: >>> >>> 1aa409a5 (mass plugin enable): NACK again; I 
> won't enable that many stu= ff >>> (and >>> especially not in one go) >> >> I 
> can understand, this all is just a suggestion. >> Things came up (way before 
> my time) due to user requests and if I did >> history research correctly at 
> that point it was decided to enable a >> few more to not get requests for 
> extra plugins all the time. >> You are not taking all - that is fine, if you 
> take a few that is good >> enough. >=20 > It might help to do one commit per 
> feature (maybe one commit for consiste= nt > groups) too so I can cherry-pick 
> commits. >=20 >> Since I wasn't part of that old enabling activity I wanted 
> to sync >> with you here and even considered dropping a bunch of them next 
> (post >> LTS) cycle. >> Nobody remembers the particular reasons for some of 
> them, so for all >> that make no sense to you in a hard enough way to not 
> even enable them >> for "-extra-plugins I'd consider triggering bug reports 
> in Ubuntu if >> somebody really used them. >=20 > Yes, that could make sense. 
> If no one asks for them, I prefer to keep the= m > disabled in order to 
> reduce attack surface, because strongSwan is really = a > beast. Even if 
> there's the plugin architecture, plugins are default-enabl= ed > and that 
> means a lot of exposed stuff. >=20 > For stuff like algorithms, there's also 
> the security tradeoffs of default > config. I don't want to endorse stuff 
> that's too young for my test (like = the > various PQ bits) or too exotic. 
> That's one reason why it would be great to have AES-GCM available like 
> ChaCha20/Poly1305. Those are the 2 most reputable AEAD ciphers available 
> today. >> I'm fine either way - all I request is that we look and discuss 
> about >> things every half year or so. >> So far we benefitted both each time 
> we did, so it isn't wasted time. >=20 > Indeed :) >> >>> d83c243b (duplicheck 
> disable): one good reason for the NACK just above: >>> it's >>> not enabled 
> in Debian, you just enabled it in 1aa409a5 :) >> >> That is a bummer, at the 
> time I saw it the first time I thought it was >> enabled in Debian and since 
> then carried on. >> /me feels ashamed and obviously drops that part :-) >=20 
> > No problem :) >> >>> 766d4f0d (ha disable): not really sure; it's way 
> easier to have a custo= m >>> kernel than a custom strongSwan >> >> Ok, so 
> you had real cases where you or a Debian user used that? >> Very interesting 
> POV, I think neither is easier than the other but I >> see your point. >=20 > 
> I didn't, but I know for sure that building and using a custom kernel is = 
> way > easier than using a custom strongSwan package. >> >>> 85150f06 
> (kernel-libipsec enable): for reference, this is #739641 and I= 'm >>> still 
> not sure I like it. I might pick it but end up disabling it befor= e >>> 
> release >> >> It is disabled by default as Simon already outlined for the 
> reason to >> be an opt-in. >=20 > Yes, by =E2=80=9Cdisabling=E2=80=9D I meant 
> more disabling at build time. >> >>> a587dc11 (TNC move): I might pick this 
> one because TNC is pretty >>> standalone >>> per-se and it might make sense 
> to split it, but really that's a lot of = new >>> binary packages. >> >> I 
> understand the new-queue fight, but it really came handy for users >> who 
> wanted it standalone. >=20 > Do you have pointers on people asking for it? I 
> would appreciate not having the TNC bits pulled unless I really need them. I 
> never had to deal with TNC so I don't know if a standalone package 
> (cb55e029b7) make sense. On the other hand, I routinely need EAP-MSCHAPv2 and 
> XAUTH and in such cases we don't want the TNC bits that comes from 
> libcharon-extra-plugins. I think that Christian's proposal of having 
> libcharon-standard-plugins (0ef9c2ad736) providing EAP-MSCHAPv2 and XAUTH is 
> a good compromise and I wouldn't mind if the TNC stuff remained in 
> libcharon-extra-plugins. >>> 8dbf648b7 (libcharon-standard-plugin): I can 
> understand the rationale >>> (plugins >>> for common password-based mobile 
> VPN setup), but I don't really like it= . I >>> don't really like adding a 
> new binary package, and the name is definite= ly >>> not >>> good. Also, as 
> far as I understand it, the plugins are useful when you'= re >>> actually 
> configuring a client/roadwarrior to imitate a mobile client wi= th >>> its 
> >>> limitations. I don't think it's a good thing to do, I'd prefer simplify= 
> ing >>> the >>> secure uses cases, like pubkeys-based ones. >> >> >=20 > See 
> my answer above about good practice. Recent iOS can use pubkeys/certs > based 
> setups, not sure about Android (but they can use the strongSwan > 
> application), so there's really no reason to not use them. Every OS I know of 
> support using X.509 certs so it's not a feature support problem but more a 
> lazy sysadmin problem. Certificates are unfortunately very rarely used in the 
> wild for large deployment because they are perceived as hard/cumbersome to 
> deploy. I just did a quick survey of the commercial offering for IPsec VPN 
> providers and all of them required EAP-MSCHAPv2 when using IKEv2: 
> https://www.personalvpn.com/support/setting-up-and-using-your-vpn/android/i= 
> kev2/ https://strongvpn.com/setup-windows-10-ikev2.html 
> https://support.purevpn.com/ikev2-configuration-guide-for-os-x-el-capitan-b= 
> y-purevpn 
> https://nanorep.nordvpn.com/Connectivity/Windows/1047410092/IKEv2-IPSec-for= 
> -Windows-10.htm 
> https://www.acevpn.com/knowledge-base/how-to-setup-ikev2-vpn-android/ The 
> justification for XAUTH is mostly for built-in Android and older iOS/macOS 
> clients where the best you can get is IKEv1+XAUTH using either PSK or X.509. 
> I provided all my arguments so I'll stop barking at this tree ;) and want to 
> thank you both for the excellent work you've been doing! Regards, Simon

Reply via email to