Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

"Theodore Y. Ts'o" <tytso@mit.edu> Wed, 21 November 2018 20:55 UTC

Return-Path: <tytso@thunk.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92BE6130DC5; Wed, 21 Nov 2018 12:55:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.435
X-Spam-Level: *
X-Spam-Status: No, score=1.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_SBL_CSS=3.335, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thunk.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0zDYNwo_prYF; Wed, 21 Nov 2018 12:55:32 -0800 (PST)
Received: from imap.thunk.org (imap.thunk.org [IPv6:2600:3c02::f03c:91ff:fe96:be03]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56A2C12F295; Wed, 21 Nov 2018 12:55:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=In-Reply-To:Content-Transfer-Encoding:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=rCTr7QYQw73tQED8o5983ldZgcWn714Z/PFWiQ9drIQ=; b=iXGWZZGbFfJBNdfzPzzyshkPRF 1mknDmiRKnhR4HmQHADYdUmXhKO/F3rm5Peiu3rO7W07bjWAGQ4ZeNDga3QbTOXUdDkY1hGjKoJSc Tb6in7QW5VCd301GZ4wLPxxbQBOx5fnTjf8/KveRtTt11bWh9TpvaiYgj97ETN1nXgcA=;
Received: from root (helo=callcc.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.89) (envelope-from <tytso@thunk.org>) id 1gPZWz-0000vk-SS; Wed, 21 Nov 2018 20:55:29 +0000
Received: by callcc.thunk.org (Postfix, from userid 15806) id DB2257A2EA3; Wed, 21 Nov 2018 15:55:28 -0500 (EST)
Date: Wed, 21 Nov 2018 15:55:28 -0500
From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Paul Wouters <paul@nohats.ca>, ipsec@ietf.org, Warren Kumari <warren@kumari.net>, The IESG <iesg@ietf.org>
Message-ID: <20181121205528.GI26006@thunk.org>
References: <154275299932.29937.5149382512933072864.idtracker@ietfa.amsl.com> <25704.1542816043@localhost> <3A9700FB-EF0B-415B-9338-72070DE8A335@nohats.ca> <31884.1542824729@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <31884.1542824729@localhost>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: tytso@thunk.org
X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Gyi4bC8jx5owImvC6b6-pi69sgk>
Subject: Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 20:55:34 -0000

On Wed, Nov 21, 2018 at 01:25:29PM -0500, Michael Richardson wrote:
> 
>     > Almost all VPN providers for apple (OSX and iOS) use IKEv2 with
>     > CP. Based on numbers of concurrent users I have seen from some vendors
>     > using libreswan, we are talking in the orders of 100’s of thousands of
>     > users.
> 
> That's awesome news to learn!!!
> I haven't seen this in the wild myself, and it's not the case in Android as
> you point out.

FWIW, I use Private Interent Access (privateinternetaccess.com), and
while it's "user friendly Linux install is effectively "curl | sudo
/bin/sh" it did have a manual install procedure, and all the manual
install procedure did was install the package
network-manager-openvpn-gnome and then make configuration changes to
Network Manager so it new where to find the PIA servers.

So yes, no VPN software was downloaded, and while you could argue that
if most users are trusting a "curl .... | sudo /bin/sh" install, there
are plenty of ways for a VPN provider to completely take over your
machine (never mind your DNS!), at least a security expert can audit
the script, and someone who is sufficiently paranoid can run the
commands and/or edit the config files by hand.

Cheers,

						- Ted