[strongSwan-dev] ANNOUNCE: strongswan-4.5.2rc1 released

Yaron Sheffer yaronf.ietf at gmail.com
Tue May 10 12:47:01 CEST 2011


Hi Martin,

I understand what it's for, but it's not scalable. You have to actually 
count that all your intended peers have already connected once.

A simple way of getting the same behavior but without the hassle is to  
indicate a point in time after which you don't allow any new certs.

Thanks,
     Yaron

On 9.5.2011 21:39, Martin Willi wrote:
> Hi Yaron,
>
>> looking at the Coupling plug-in, I'm wondering at the feature
>> definition - or maybe I'm misunderstanding it.
> The plugin was primarily defined for coupling two devices. Let's assume
> you have two (embedded) devices talking exclusively with each other.
> After coupling them (by the manufacturer?), they don't accept any other
> certificate. Even if the CA is compromised, the devices are limited to
> the coupled peer certificate.
>
> Having more than one coupled device is just an extension. You could
> think of 5 devices doing a full mesh. Once the mesh is up, no other
> device could ever join the mesh.
>
>> Suppose GW1 has 10 peers, I would naturally set the Max value to 10.
>> But if only 8 peers ever show up,
> That's not the intention. It is meant for setups where you know how many
> peers will connect, and you'll have to make sure they actually do.
>
>> I believe this feature would be much more useful if the coupling were
>> per-DN. And then I can envision it being extended in the future
>> towards all sorts of opportunistic encryption scenarios.
> This would be a different use case. The coupling plugin does not add
> trust to unknown certificates, it limits acceptable peers/certificates
> to ones already seen.
>
> Regards
> Martin
>
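To make the two policies discussed in this exchange concrete, here is an added model (not strongSwan's coupling plugin code) that pins first-seen certificates and closes the store either by a count cap, as the plugin's Max does, or by a point in time, as Yaron suggests; it shows why a cap with peers that never show up leaves slots open. Certificate bytes and clock values are constructed.

```python
import hashlib

class PinStore:
    """Model of the behaviour discussed above: certificates seen while the store
    is 'open' are pinned; afterwards only pinned ones are accepted. The store
    closes by count cap (max_peers) or by cutoff time; either may be None."""
    def __init__(self, max_peers=None, cutoff=None):
        self.max_peers, self.cutoff, self.pinned = max_peers, cutoff, set()

    def is_open(self, now):
        if self.max_peers is not None and len(self.pinned) >= self.max_peers:
            return False
        if self.cutoff is not None and now >= self.cutoff:
            return False
        return True

    def accept(self, cert_der, now=0):
        # Identify a certificate by its SHA-256 digest, as a pinning store would.
        fp = hashlib.sha256(cert_der).hexdigest()
        if fp in self.pinned:
            return True            # already coupled peer
        if self.is_open(now):
            self.pinned.add(fp)    # first sight while open: pin it
            return True
        return False               # closed and unknown: refused, trusted CA or not

# Constructed stand-ins for the DER certificates of the 10 intended peers,
# plus one device that was never meant to join the mesh.
PEER_CERTS = [f"peer{i}-cert".encode() for i in range(10)]
STRANGER = b"uncoupled-device-cert"

def count_cap_with_missing_peers():
    # Max set to 10 but only 8 peers have connected: two slots stay open, so the
    # stranger is pinned, and it then occupies a slot an intended peer needed.
    store = PinStore(max_peers=10)
    for cert in PEER_CERTS[:8]:
        store.accept(cert)
    stranger_ok = store.accept(STRANGER)
    for cert in PEER_CERTS[8:]:
        last_peer_ok = store.accept(cert)
    return stranger_ok, last_peer_ok        # (True, False)

def cutoff_with_missing_peers():
    # Same 8 peers enrol before the cutoff (clock values are constructed); after
    # it the stranger is refused while an already-coupled peer still connects.
    store = PinStore(cutoff=1000)
    for cert in PEER_CERTS[:8]:
        store.accept(cert, now=500)
    return store.accept(STRANGER, now=1500), store.accept(PEER_CERTS[0], now=1500)
```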