Re: NM and IETF MIF working group

From: "David Woodhouse" <dwmw2 infradead org>
To: "Wet"Dan Williams"" <dcbw redhat com>
Cc: Leonardo Jelenkovic <leonardo jelenkovic fer hr>, David Woodhouse <dwmw2 infradead org>, networkmanager-list gnome org, "Dejan Škvorc" <dejan skvorc fer hr>
Subject: Re: NM and IETF MIF working group
Date: Thu, 1 Oct 2015 16:58:41 -0000

On Mon, 2015-09-28 at 22:29 +0200, Stjepan Groš wrote:

On 28.09.2015 11:48, David Woodhouse wrote:

On Mon, 2015-09-07 at 12:05 +0200, Stjepan Groš wrote:

Two colleagues of mine and I started to work on MIF implementation on
Fedora. In case someone doesn't know, IETF MIF working group (
https://datatracker.ietf.org/wg/mif/charter/) tries to solve the
problems of a single node having multiple parallel connections to
different destinations (Internet, VPN, some private networks, etc.).

Please ensure you take proxies into account.

If my local DHCP server handed me a proxy PAC file, and if I connect

to

a split-tunnel VPN which *also* provides a proxy PAC file, I expect
that requests I make to to the company VPN (within its domain names

and

IP ranges) to use one proxy configuration, while requests to the
Internet at large should use my local proxy.


If I understand it correctly, PAC information received from DHCP is send
by NM via DBus, but otherwise not used in any way? So, it is necessary
to use some tool like proxydriver
(https://github.com/jimlawton/proxydriver) that will modify system
settings based on this info?


Yes, NM gets the information from DHCP and exposes it on D-Bus but does
not make any further use of it.  That's up to whatever proxy
implementation you have that wants to process PAC files, at least at
this point.  I think that's the point of libproxy/pacrunner though,
where apps need to say "how must I access http://it.foobar.com"; and the
proxy library consults the list of methods to get there, and returns an
answer like "you must use this proxy" or "just go there directly".  Apps
do need to be smarter here.


Right. The plan  (which is mostly in my head for now) is that NM and
PacRunner cooperate so that apps can just query PacRunner "what proxy for
this URL" and get the right answer for VPN, non-VPN resources.

Once they'll actually be getting the *right* answer, then we can push (and
introduce distribution packaging guidelines) to fix the apps. They can
query PacRunner directly or use libproxy.

-- 
dwmw2

References:
- Re: NM and IETF MIF working group
  - From: Dan Williams

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]