more VPN thoughts
Let's take a concrete laptop-road-warrior-VPN usage scenario.  Me :)

At work, I have a wired network, which gives me access to the entire
network, with the most crucial bits being the Kerberos server, CVS
server, and IMAP/SMTP server.  There are also wireless networks at work,
but let's ignore those for now.

While roaming, I generally only use wireless networks.  Outside of the
corporate network, the only access is Cisco-style XAUTH VPN, or ssh
tunneling to a bastion host.

I think the right question to ask is, "Do I have access to the corporate
network", not "Am I on the VPN?" or "Am I at work?".

So how do we answer that?  One approach might be to define it as
"ability to reach internal server X".  This is going to inherently be
site-specific, since at my workplace e.g. the Kerberos server is behind
a firewall, but at other sites it may not be (and in fact you may use
Kerberos *as* your VPN).  Some sites may want to define it as the LDAP
server, or as the fileserver, or the router.

Let's say, then, that when NM starts, it activates
org.freedesktop.NetworkManagerVPN, if available.  When a network
interface becomes active, NM tells the VPN to start polling.  This
polling is entirely defined by the VPN service, although it could make
use of some builtin NM functions for, e.g., doing an ARP request for a MAC
address.  That'd be useful for figuring out if you're truly on the
corporate LAN.

However, for doing e.g. a Kerberos request, you really want to do this
from the user session.  So I'm thinking that there'd be an
org.freedesktop.NetworkManagerVPNInfo daemon that would be launched on
request, and could do the Kerberos/LDAP polling itself.

Another major question here is what the UI is in the user session.
Should there be any at all?  Ideally, e.g., Evolution would show a
"disconnected" icon for your corporate IMAP server.  Still, though, for
developers who use ssh/cvs, etc., having UI notification would be useful.

Thoughts?

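One way to make the "do I have access to the corporate network?" question concrete, as an added example that is not part of the original post and not NetworkManager code: a site-specific probe policy.  The hostnames, ports, gateway address and gateway MAC below are hypothetical placeholders; each site would substitute its own Kerberos/IMAP/CVS servers.  The reachability probe (a TCP connect) and the "am I on the wired LAN?" check (the default gateway's MAC, read from the kernel ARP table on Linux) are kept separate from the decision logic so the decision can be exercised offline.

```python
"""Site-specific "do I have access to the corporate network?" probe.

Added illustration, not code from the original post or from NetworkManager.
Every host, port, IP and MAC below is a hypothetical placeholder.
"""
import re
import socket
from typing import Callable, Dict, Optional, Tuple

# Hypothetical site policy: "access" means at least one of these
# internal servers answers.  A real site lists its own servers here.
PROBES: Dict[str, Tuple[str, int]] = {
    "kerberos": ("kdc.corp.example", 88),
    "imap": ("imap.corp.example", 993),
    "cvs": ("cvs.corp.example", 2401),
}

# Hypothetical MAC address of the wired corporate default gateway.
CORP_GATEWAY_MAC = "00:11:22:33:44:55"


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout.

    This only proves that *something* answers on that port; it does not
    prove the peer is the real server (a captive portal or rogue AP can
    answer too).  An authenticated check such as a Kerberos request from
    the user session is what proves identity.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Columns of /proc/net/arp: IP, HW type, Flags, HW address, Mask, Device
_ARP_LINE = re.compile(r"^(\S+)\s+0x\S+\s+0x(\S+)\s+(\S+)\s+\S+\s+(\S+)")


def parse_proc_net_arp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse /proc/net/arp text into {ip: (mac, iface)}, keeping only
    complete entries (ATF_COM flag 0x2 set)."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines()[1:]:  # skip the header row
        m = _ARP_LINE.match(line)
        if not m:
            continue
        ip, flags, mac, iface = m.groups()
        if int(flags, 16) & 0x2:
            table[ip] = (mac.lower(), iface)
    return table


def gateway_mac(arp_table: Dict[str, Tuple[str, str]], gw_ip: str) -> Optional[str]:
    entry = arp_table.get(gw_ip)
    return entry[0] if entry else None


def classify(results: Dict[str, bool], gw_mac: Optional[str]) -> str:
    """Fold probe results and the gateway MAC into one of:
    'lan'    - internal servers reachable and the wired corporate gateway
               is our next hop
    'remote' - internal servers reachable, but via VPN/ssh tunnel
    'none'   - no access to the corporate network
    """
    if not any(results.values()):
        return "none"
    if gw_mac is not None and gw_mac.lower() == CORP_GATEWAY_MAC:
        return "lan"
    return "remote"


def corporate_access(
    probe: Callable[[str, int], bool] = tcp_reachable,
    arp_text: Optional[str] = None,
    gw_ip: Optional[str] = None,
) -> Tuple[str, Dict[str, bool]]:
    """Run every probe in PROBES and classify.  `probe` is injectable so
    the policy can be tested without a network."""
    results = {name: probe(host, port) for name, (host, port) in PROBES.items()}
    mac = None
    if arp_text is not None and gw_ip is not None:
        mac = gateway_mac(parse_proc_net_arp(arp_text), gw_ip)
    return classify(results, mac), results


if __name__ == "__main__":
    # Real run on Linux: read the kernel ARP table; gateway IP is assumed.
    try:
        with open("/proc/net/arp") as f:
            arp = f.read()
    except OSError:
        arp = None
    state, detail = corporate_access(arp_text=arp, gw_ip="10.1.0.1")
    print(state, detail)
```

The decision is deliberately conservative: reachability alone only distinguishes "none" from "some access", and the gateway MAC is what upgrades "remote" to "lan".  Neither signal is hard to spoof from a hostile wireless segment, which is why the post's idea of doing the Kerberos/LDAP request from the user session matters: a Kerberos exchange that verifies the KDC's reply is an authenticated probe, whereas a TCP connect is not.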