Fedora Core 4 Test Update: NetworkManager-0.5.1-1.FC4.1

David Woodhouse dwmw2 at infradead.org
Tue Jan 10 05:10:34 UTC 2006


On Mon, 2006-01-09 at 13:23 -0500, Peter Jones wrote:
> We do implement that concept (though not that method) if you consider
> xen, don't we?

I suppose you _could_ do it like that, but it's fairly unlikely. Surely
you're far more like to set it up with different routing for the various
Xen hosts just as you would if they were external network hosts, rather
than playing with per-user stuff?

> > For Windows, perhaps it's different -- one really can consider a Windows
> > box to be a single-user machine, and it might actually make sense to
> > consider network connections to be a per-user thing. Even VPNs might
> > make some sense in the Windows world, but this isn't Windows.
> 
> VPNs make plenty of sense in Linux.  Let's not characterize the entire
> world's usage based on *your* requirements, or those of any single
> individual.

VPNs make sense in Linux in certain cases, of course -- bridging the
public Internet between two or more sets of 'trusted' machines, for
example. Again, where the network is seen as a system-wide resource.

But that's not what I was referring to -- I was referring to the use of
a VPN from NetworkManager, which is usually done to allow a single user
to access services from a remote point on the public network. That's
something you generally find in the Windows world, where machines are
effectively single-user, rather than in Linux where the network is a
shared resource, and where private access can be achieved in other ways
-- even Evolution can handle accessing IMAP servers over arbitrary
commands like SSH instead of having to be able to connect directly by
TCP to its servers. But we digress. 

> > > This is the same situation as 802.1x certificates for authentication. 
> > > You shouldn't use my certificate to authenticate to the access
> > > server.  Same for WEP keys.
> > 
> > It isn't 'my' WEP key. It is the system's WEP key. You are trying to
> > impose a policy which doesn't make any sense in this environment.
> 
> It doesn't make sense, but why not? 

The policy of WEP keys being per-user, which is the policy
NetworkManager is trying to impose, doesn't make any sense in my home
environment because the key is _not_ a per-user thing. In common with
most WEP users, it's a system-wide thing. I don't expect to have to tell
all the other users of my laptop the WEP key in order for them to be
able to use the network.

>  I think it's because our code
> doesn't do it, not because the idea is totally off base.  I think a WEP
> key can conceptually make sense as either per-host or per-user, but our
> network stack doesn't really support but one of those.

Our network stack doesn't support network devices being per-user. There
are some hacks you can do with iptables, but they're just that -- hacks.

However, you _can_ tell yourself that network connections are a per-user
thing _if_ you have a system which only actually has a single user. Of
course, in that case you might as well have made the setting system-wide
anyway, and satisfied all the users out there with _normal_ setups as
well.

> > Network data being stored system wide is by far the more common
> > arrangement
> 
> *That* I'll agree with.

Yet NetworkManager doesn't deal with that case.

While we can contrive a case for per-user keys, they aren't actually the
norm. I'm not arguing that NetworkManager shouldn't support per-user
keys, but rather that it should support system-wide keys, because that's
what people actually _use_ in the real world, in general.

-- 
dwmw2




More information about the fedora-test-list mailing list