Why KAME/racoon sucks (was: OpenSWAN ANNOUCEMENT)

Michael K. Johnson johnsonm at redhat.com
Tue Jan 6 19:04:04 UTC 2004


On Sun, Jan 04, 2004 at 09:36:45AM +0200, Pekka Savola wrote:
> On Sat, 3 Jan 2004, Dax Kelson wrote:
> > g) XAUTH support (authenticate VPN users/tunnels via PAM)
> 
> This is dangerous, and has been rejected in the IETF for 
> standardization.  Why again should this be done then?  If you want to 
> authenticate users/tunnels via PAM, can't this be done by creating a 
> PAM module interfacing IKE?

It's really required for a lot of setups, and it's one of the key
features that makes me feel that it is probably worth the trouble
if OpenSWAN 2.x is ready in time.

You aren't REQUIRED to use it, but for people who aren't in a
position to dictate to their network peers what protocols to
use, the ability to do XAUTH is still valuable.  Sure, warn
people about the potential attacks, but not everyone is in a
position to dictate whether or not they will use XAUTH.

And it doesn't really matter, frankly, that it was rejected
as an internet standard; it's a de-facto standard right now
and making it possible for people to use it is not going to
hurt Fedora or Linux...

My opinion, anyway.

michaelkjohnson

 "He that composes himself is wiser than he that composes a book."
 Linux Application Development                     -- Ben Franklin
 http://people.redhat.com/johnsonm/lad/
