[secnet] / NEWS

* Planned for the future

Netlink device that implements an Ethernet bridge.

Modular transform code: choice of block ciphers, modes, sequence
numbers / timestamps, etc. similar to IWJ's udptunnel

* New in versino 0.1.11

* New in version 0.1.10

WARNING: THIS VERSION MAKES A CHANGE TO THE CONFIGURATION FILE FORMAT
THAT IS NOT BACKWARD COMPATIBLE.  However, in most configurations the
change only affects the sites.conf file, which is generated by the
make-secnet-sites script; after you regenerate your sites.conf using
version 0.1.10, everything should continue to work.

Netlink devices now interact slightly differently with the 'site'
code.  When you invoke a netlink closure like 'tun' or 'userv-ipif',
you get another closure back.  You then invoke this closure (usually
in the site definitions) to specify things like routes and options.
The result of this invocation should be used as the 'link' option in
site configurations.

All this really means is that instead of site configurations looking
like this:

foo {
	name "foo";
	networks "a", "b", "c";
	etc.
};

...they look like this:

foo {
	name "foo";
	link netlink { routes "a", "b", "c"; };
	etc.
};

This change was made to enable the 'site' code to be completely free
of any knowledge of the contents of the packets it transmits.  It
should now be possible in the future to tunnel other protocols like
IPv6, IPX, raw Ethernet frames, etc. without changing the 'site' code
at all.

Point-to-point netlink devices work slightly differently; when you
apply the 'tun', 'userv-ipif', etc. closure and specify the
ptp-address option, you must also specify the 'routes' option.  The
result of this invocation should be passed directly to the 'link'
option of the site configuration.  You can do things like this:

sites site {
	name "foo";
	link tun {
		networks "192.168.73.76/32";
		local-address "192.168.73.76"; # IP address of interface
		ptp-address "192.168.73.75"; # IP address of other end of link
		routes "192.168.73.74/32";
		mtu 1400;
		buffer sysbuffer();
	};
	etc.
};

The route dump obtained by sending SIGUSR1 to secnet now includes
packet counts.

Point-to-point mode has now been tested.

tun-old has now been tested, and the annoying 'untested' message has
been removed.  Thanks to SGT and JDA.

secnet now closes its stdin, stdout and stderr just after
backgrounding.

Bugfix: specifying network "0.0.0.0/0" (or "default") now works
correctly.
		
* New in version 0.1.9

The netlink code may now generate ICMP responses to ICMP messages that
are not errors, eg. ICMP echo-request.  This makes Windows NT
traceroute output look a little less strange.

configure.in and config.h.bot now define uint32_t etc. even on systems
without stdint.h and inttypes.h (needed for Solaris 2.5.1)

GNU getopt is included for systems that lack it.

We check for LOG_AUTHPRIV before trying to use it in log.c (Solaris
2.5.1 doesn't have it.)

Portable snprintf.c from http://www.ijs.si/software/snprintf/ is
included for systems that lack snprintf/vsnprintf.

make-secnet-sites.py renamed to make-secnet-sites and now installed in
$prefix/sbin/make-secnet-sites; ipaddr.py library installed in
$prefix/share/secnet/ipaddr.py.  make-secnet-sites searches
/usr/local/share/secnet and /usr/share/secnet for ipaddr.py

* New in version 0.1.8

Netlink devices now support a 'point-to-point' mode.  In this mode the
netlink device does not require an IP address; instead, the IP address
of the other end of the tunnel is specified using the 'ptp-address'
option.  Precisely one site must be configured to use the netlink
device. (I haven't had a chance to test this because 0.1.8 turned into
a 'quick' release to enable secnet to cope with the network problems
affecting connections going via LINX on 2001-10-16.)

The tunnel code in site.c now initiates a key setup if the
reverse-transform function fails (wrong key, bad MAC, too much skew,
etc.) - this should make secnet more reliable on dodgy links, which
are much more common than links with active attackers...  (an attacker
can now force a new key setup by replaying an old packet, but apart
from minor denial of service on slow links or machines this won't
achieve them much).  This should eventually be made configurable.

The sequence number skew detection code in transform.c now only
complains about 'reverse skew' - replays of packets that are too
old. 'Forward skew' (gaps in the sequence numbers of received packets)
is now tolerated silently, to cope with large amounts of packet loss.
Commit	Line	Data
8dea8d37 SE	1	* Planned for the future
8dea8d37 SE	2
469fd1d9	3	Netlink device that implements an Ethernet bridge.
8dea8d37	4
469fd1d9 SE	5	Modular transform code: choice of block ciphers, modes, sequence
469fd1d9 SE	6	numbers / timestamps, etc. similar to IWJ's udptunnel
8dea8d37	7
469fd1d9 SE	8	* New in versino 0.1.11
	9
	10	* New in version 0.1.10
	11
	12	WARNING: THIS VERSION MAKES A CHANGE TO THE CONFIGURATION FILE FORMAT
	13	THAT IS NOT BACKWARD COMPATIBLE. However, in most configurations the
	14	change only affects the sites.conf file, which is generated by the
	15	make-secnet-sites script; after you regenerate your sites.conf using
	16	version 0.1.10, everything should continue to work.
	17
	18	Netlink devices now interact slightly differently with the 'site'
	19	code. When you invoke a netlink closure like 'tun' or 'userv-ipif',
	20	you get another closure back. You then invoke this closure (usually
	21	in the site definitions) to specify things like routes and options.
	22	The result of this invocation should be used as the 'link' option in
	23	site configurations.
	24
	25	All this really means is that instead of site configurations looking
	26	like this:
	27
	28	foo {
	29	name "foo";
	30	networks "a", "b", "c";
	31	etc.
	32	};
	33
	34	...they look like this:
	35
	36	foo {
	37	name "foo";
	38	link netlink { routes "a", "b", "c"; };
	39	etc.
	40	};
	41
	42	This change was made to enable the 'site' code to be completely free
	43	of any knowledge of the contents of the packets it transmits. It
	44	should now be possible in the future to tunnel other protocols like
	45	IPv6, IPX, raw Ethernet frames, etc. without changing the 'site' code
	46	at all.
	47
	48	Point-to-point netlink devices work slightly differently; when you
	49	apply the 'tun', 'userv-ipif', etc. closure and specify the
	50	ptp-address option, you must also specify the 'routes' option. The
	51	result of this invocation should be passed directly to the 'link'
	52	option of the site configuration. You can do things like this:
	53
	54	sites site {
	55	name "foo";
	56	link tun {
	57	networks "192.168.73.76/32";
	58	local-address "192.168.73.76"; # IP address of interface
	59	ptp-address "192.168.73.75"; # IP address of other end of link
	60	routes "192.168.73.74/32";
	61	mtu 1400;
	62	buffer sysbuffer();
	63	};
	64	etc.
	65	};
	66
	67	The route dump obtained by sending SIGUSR1 to secnet now includes
	68	packet counts.
	69
	70	Point-to-point mode has now been tested.
	71
72	tun-old has now been tested, and the annoying 'untested' message has
73	been removed. Thanks to SGT and JDA.
74
75	secnet now closes its stdin, stdout and stderr just after
76	backgrounding.
77
78	Bugfix: specifying network "0.0.0.0/0" (or "default") now works
79	correctly.
80
8dea8d37 SE	81	* New in version 0.1.9
	82
	83	The netlink code may now generate ICMP responses to ICMP messages that
	84	are not errors, eg. ICMP echo-request. This makes Windows NT
	85	traceroute output look a little less strange.
	86
	87	configure.in and config.h.bot now define uint32_t etc. even on systems
	88	without stdint.h and inttypes.h (needed for Solaris 2.5.1)
	89
	90	GNU getopt is included for systems that lack it.
	91
	92	We check for LOG_AUTHPRIV before trying to use it in log.c (Solaris
	93	2.5.1 doesn't have it.)
	94
	95	Portable snprintf.c from http://www.ijs.si/software/snprintf/ is
	96	included for systems that lack snprintf/vsnprintf.
	97
	98	make-secnet-sites.py renamed to make-secnet-sites and now installed in
	99	$prefix/sbin/make-secnet-sites; ipaddr.py library installed in
	100	$prefix/share/secnet/ipaddr.py. make-secnet-sites searches
	101	/usr/local/share/secnet and /usr/share/secnet for ipaddr.py
	102
c6f79b17 SE	103	* New in version 0.1.8
	104
	105	Netlink devices now support a 'point-to-point' mode. In this mode the
	106	netlink device does not require an IP address; instead, the IP address
	107	of the other end of the tunnel is specified using the 'ptp-address'
	108	option. Precisely one site must be configured to use the netlink
8dea8d37 SE	109	device. (I haven't had a chance to test this because 0.1.8 turned into
	110	a 'quick' release to enable secnet to cope with the network problems
	111	affecting connections going via LINX on 2001-10-16.)
c6f79b17 SE	112
	113	The tunnel code in site.c now initiates a key setup if the
	114	reverse-transform function fails (wrong key, bad MAC, too much skew,
	115	etc.) - this should make secnet more reliable on dodgy links, which
	116	are much more common than links with active attackers... (an attacker
	117	can now force a new key setup by replaying an old packet, but apart
	118	from minor denial of service on slow links or machines this won't
8dea8d37	119	achieve them much). This should eventually be made configurable.
c6f79b17 SE	120
	121	The sequence number skew detection code in transform.c now only
	122	complains about 'reverse skew' - replays of packets that are too
	123	old. 'Forward skew' (gaps in the sequence numbers of received packets)
	124	is now tolerated silently, to cope with large amounts of packet loss.