Re: Generic IPSEC vpn plugin



On Fri, 2009-04-24 at 16:16 -0400, Paul Wouters wrote:
> On Fri, 24 Apr 2009, Dan Williams wrote:
> 
> >> people want to get notifications in userland on tunnels failing, they
> >> should configure the ipsec tunnel to use Dead Peer Detection (RFC3706)
> >
> > Ok, how does that actually show up in userspace?  What can we make the
> > NM vpn plugin daemon listen for?
> 
> You tell me. What infrastructure is there for NM? I know there is dbus,
> but I don't think that channel can be secured at all. Would unauthenticated
> announcements be okay? Does NM have any other listening or polling methods?

D-Bus can certainly be secured.  D-Bus security is based on a few
different mechanisms; one of which is user-based authentication.  So you
can make sure that only the root user can access the D-Bus interface, or
only a certain group, or only users determined to be "at console" (ie,
physically present and not via SSH or remote X).

Beyond that, finer-grained access control is accomplished with stuff
like PolicyKit, but you probably don't need that.

Otherwise, socket-based mechanisms (that use peer credentials to
authenticate the remote UID, which is what D-Bus uses too) would be fine
too, as long as that socket-based API was sane.  I guess I would have
assumed something like this would be available already via whack, but
perhaps I misunderstand how the stack fits together.

Dan

> > Yeah there's support for this.  Basically, you have two classes of
> > connections: system and user.  Just like OS X actually.  User
> > connections credentials and details are stored in the user session and
> > do not survive fast-user-switch.  System connections are stored outside
> > of the user session, and thus are available before login and survive a
> > fast user switch.  So if you don't want your VPN to be available to
> > everyone, you keep it as a user connection.  If you don't care, you make
> > it a system connection and "available to all users" as the UI
> > checkbutton puts it.
> 
> That's good.
> 
> Paul

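To illustrate the peer-credential authentication Dan refers to (the same mechanism D-Bus uses on its Unix socket), here is an added example that is not part of the thread and not code from NetworkManager or Openswan. It assumes Linux (SO_PEERCRED on an AF_UNIX socket), and the notification text, the allow-list of UIDs/GIDs, and the function names are all constructed for the demonstration: a receiver reads the sending process's UID/GID from the kernel before it trusts a "tunnel down" message, and drops anything from a UID or GID outside its allow-list, which is the socket-level equivalent of a D-Bus policy that only admits root or a chosen group.

```python
import os
import socket
import struct

# Layout of struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid;
_UCRED = struct.Struct("3i")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the far end of a Unix socket.

    The kernel fills these in; the peer cannot forge them, which is what makes
    them usable for authentication (D-Bus relies on the same data).
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def is_authorized(uid, gid, allowed_uids=(0,), allowed_gids=()):
    """Allow-list check: root by default, or any extra UID/GID the caller names
    (the analogue of a D-Bus policy granting a user or a group)."""
    return uid in allowed_uids or gid in allowed_gids


def handle_notification(conn, allowed_uids=(0,), allowed_gids=()):
    """Read one tunnel-state notification, but only from an authorized peer.

    Returns the message text, or None when the sender is not authorized.
    """
    _pid, uid, gid = peer_credentials(conn)
    if not is_authorized(uid, gid, allowed_uids, allowed_gids):
        # Unauthenticated announcements are exactly what we do not want to act on.
        return None
    return conn.recv(4096).decode()


# Constructed sample notification in the spirit of a DPD (RFC 3706) timeout;
# the field names are hypothetical, not an Openswan or NM format.
SAMPLE_NOTIFICATION = b"tunnel=office-vpn state=down reason=dpd-timeout"


def demo():
    """Run the check once with the peer allow-listed and once without."""
    me = os.getuid()

    # Case 1: our own UID is on the allow-list, so the message is accepted.
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    client.sendall(SAMPLE_NOTIFICATION)
    accepted = handle_notification(server, allowed_uids=(me,))
    server.close()
    client.close()

    # Case 2: allow-list names some other UID and no group, so it is rejected
    # before a single byte of the message is read.
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    client.sendall(SAMPLE_NOTIFICATION)
    rejected = handle_notification(server, allowed_uids=(me + 1,))
    server.close()
    client.close()

    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

A real daemon would replace the socketpair with a listening AF_UNIX socket in a root-owned directory and would still apply this check per connection; peer credentials tell you who connected, not whether the message content is sane, so the payload should be parsed defensively on top of this.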

