[strongSwan-dev] ANNOUNCE: strongswan-4.5.2rc1 released

Martin Willi martin at strongswan.org
Mon May 9 20:39:39 CEST 2011


Hi Yaron,

> looking at the Coupling plug-in, I'm wondering at the feature
> definition - or maybe I'm misunderstanding it.

The plugin was primarily defined for coupling two devices. Let's assume
you have two (embedded) devices talking exclusively with each other.
After coupling them (by the manufacturer?), they don't accept any other
certificate. Even if the CA is compromised, the devices are limited to
the coupled peer certificate.

Having more than one coupled device is just an extension. You could
think of 5 devices doing a full mesh. Once the mesh is up, no other
device could ever join the mesh.

> Suppose GW1 has 10 peers, I would naturally set the Max value to 10.
> But if only 8 peers ever show up,

That's not the intention. It is meant for setups where you know how many
peers will connect, and you'll have to make sure they actually do.

> I believe this feature would be much more useful if the coupling were
> per-DN. And then I can envision it being extended in the future
> towards all sorts of opportunistic encryption scenarios.

This would be a different use case. The coupling plugin does not add
trust to unknown certificates, it limits acceptable peers/certificates
to ones already seen.

Regards
Martin
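To make the semantics Martin describes concrete, here is an added, self-contained model of the coupling policy. It is illustrative code written for this page, not the strongSwan coupling plugin's own implementation; the class and function names (`CouplingPolicy`, `simulate_mesh`, and so on) and the byte strings standing in for DER certificates are all constructed for the example. Two points from the thread are exercised: the policy never adds trust (a certificate that fails normal CA validation is rejected regardless of coupling, and a validly signed but never-seen certificate is rejected once the peer set is full, which is what limits the damage of a compromised CA), and the "only 8 of 10 peers ever show up" case leaves the set open, so an unexpected ninth certificate would still be accepted.

```python
import hashlib


class CouplingPolicy:
    """Model of the 'coupling' idea from the thread (illustrative, not the plugin's code).

    Trust in a certificate is established elsewhere (ordinary CA validation).
    This class only restricts which already-valid peer certificates are accepted:
    while fewer than `max_peers` fingerprints are recorded, every valid certificate
    is recorded and accepted; once the limit is reached, only recorded ones pass.
    """

    def __init__(self, max_peers: int, seen=None):
        if max_peers < 1:
            raise ValueError("max_peers must be at least 1")
        self.max_peers = max_peers
        # Fingerprints of already-coupled certificates, e.g. loaded from a file.
        self.seen = set(seen or ())

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # SHA-256 over the DER-encoded certificate; the hash choice is an
        # assumption of this example, not a statement about the plugin.
        return hashlib.sha256(cert_der).hexdigest()

    def is_closed(self) -> bool:
        """True once all expected peers have been coupled."""
        return len(self.seen) >= self.max_peers

    def accept(self, cert_der: bytes, ca_valid: bool) -> bool:
        # Coupling never adds trust: an invalid certificate stays invalid.
        if not ca_valid:
            return False
        fp = self.fingerprint(cert_der)
        if fp in self.seen:
            return True
        if not self.is_closed():
            self.seen.add(fp)
            return True
        # Set is full: a validly signed but never-seen certificate is refused,
        # which is what contains a CA compromise after coupling has finished.
        return False

    def dump_seen(self) -> str:
        """Serialise the coupled fingerprints, one hex digest per line."""
        return "\n".join(sorted(self.seen)) + "\n"

    @classmethod
    def load_seen(cls, max_peers: int, text: str) -> "CouplingPolicy":
        """Rebuild a policy from the output of dump_seen()."""
        return cls(max_peers, (line.strip() for line in text.splitlines() if line.strip()))


# Constructed stand-ins for DER certificates (not real X.509 data).
CERT_A = b"constructed-cert-A"
CERT_B = b"constructed-cert-B"
CERT_INTRUDER = b"constructed-cert-signed-by-compromised-CA"


def simulate_mesh(expected_peers: int, peers_that_show_up: int) -> dict:
    """Couple `peers_that_show_up` distinct peers against a policy sized for
    `expected_peers`, then see whether a validly signed intruder certificate
    and a bogus (CA-invalid) certificate get through."""
    policy = CouplingPolicy(expected_peers)
    members = [b"constructed-cert-%d" % i for i in range(peers_that_show_up)]
    for cert in members:
        assert policy.accept(cert, ca_valid=True)
    # Round-trip the coupled set through its serialised form, as a restart would.
    policy = CouplingPolicy.load_seen(expected_peers, policy.dump_seen())
    return {
        "closed": policy.is_closed(),
        "intruder_accepted": policy.accept(CERT_INTRUDER, ca_valid=True),
        "invalid_accepted": policy.accept(CERT_INTRUDER, ca_valid=False),
        "member_still_accepted": policy.accept(members[0], ca_valid=True),
    }


if __name__ == "__main__":
    print("10 of 10 coupled:", simulate_mesh(10, 10))
    print("8 of 10 coupled: ", simulate_mesh(10, 8))
```

Running it shows the closed mesh refusing the intruder even though its certificate passed CA validation, while the mesh with only 8 of 10 expected peers coupled still accepts it, which is exactly why the expected peer count has to match the peers that actually connect.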
