Commit | Line | Data |
---|---|---|
8dea8d37 SE |
1 | * Planned for the future |
2 | ||
469fd1d9 | 3 | Netlink device that implements an Ethernet bridge. |
8dea8d37 | 4 | |
469fd1d9 SE |
5 | Modular transform code: choice of block ciphers, modes, sequence |
6 | numbers / timestamps, etc. similar to IWJ's udptunnel | |
8dea8d37 | 7 | |
469fd1d9 SE |
8 | * New in versino 0.1.11 |
9 | ||
10 | * New in version 0.1.10 | |
11 | ||
12 | WARNING: THIS VERSION MAKES A CHANGE TO THE CONFIGURATION FILE FORMAT | |
13 | THAT IS NOT BACKWARD COMPATIBLE. However, in most configurations the | |
14 | change only affects the sites.conf file, which is generated by the | |
15 | make-secnet-sites script; after you regenerate your sites.conf using | |
16 | version 0.1.10, everything should continue to work. | |
17 | ||
18 | Netlink devices now interact slightly differently with the 'site' | |
19 | code. When you invoke a netlink closure like 'tun' or 'userv-ipif', | |
20 | you get another closure back. You then invoke this closure (usually | |
21 | in the site definitions) to specify things like routes and options. | |
22 | The result of this invocation should be used as the 'link' option in | |
23 | site configurations. | |
24 | ||
25 | All this really means is that instead of site configurations looking | |
26 | like this: | |
27 | ||
28 | foo { | |
29 | name "foo"; | |
30 | networks "a", "b", "c"; | |
31 | etc. | |
32 | }; | |
33 | ||
34 | ...they look like this: | |
35 | ||
36 | foo { | |
37 | name "foo"; | |
38 | link netlink { routes "a", "b", "c"; }; | |
39 | etc. | |
40 | }; | |
41 | ||
42 | This change was made to enable the 'site' code to be completely free | |
43 | of any knowledge of the contents of the packets it transmits. It | |
44 | should now be possible in the future to tunnel other protocols like | |
45 | IPv6, IPX, raw Ethernet frames, etc. without changing the 'site' code | |
46 | at all. | |
47 | ||
48 | Point-to-point netlink devices work slightly differently; when you | |
49 | apply the 'tun', 'userv-ipif', etc. closure and specify the | |
50 | ptp-address option, you must also specify the 'routes' option. The | |
51 | result of this invocation should be passed directly to the 'link' | |
52 | option of the site configuration. You can do things like this: | |
53 | ||
54 | sites site { | |
55 | name "foo"; | |
56 | link tun { | |
57 | networks "192.168.73.76/32"; | |
58 | local-address "192.168.73.76"; # IP address of interface | |
59 | ptp-address "192.168.73.75"; # IP address of other end of link | |
60 | routes "192.168.73.74/32"; | |
61 | mtu 1400; | |
62 | buffer sysbuffer(); | |
63 | }; | |
64 | etc. | |
65 | }; | |
66 | ||
67 | The route dump obtained by sending SIGUSR1 to secnet now includes | |
68 | packet counts. | |
69 | ||
70 | Point-to-point mode has now been tested. | |
71 | ||
72 | tun-old has now been tested, and the annoying 'untested' message has | |
73 | been removed. Thanks to SGT and JDA. | |
74 | ||
75 | secnet now closes its stdin, stdout and stderr just after | |
76 | backgrounding. | |
77 | ||
78 | Bugfix: specifying network "0.0.0.0/0" (or "default") now works | |
79 | correctly. | |
80 | ||
8dea8d37 SE |
81 | * New in version 0.1.9 |
82 | ||
83 | The netlink code may now generate ICMP responses to ICMP messages that | |
84 | are not errors, eg. ICMP echo-request. This makes Windows NT | |
85 | traceroute output look a little less strange. | |
86 | ||
87 | configure.in and config.h.bot now define uint32_t etc. even on systems | |
88 | without stdint.h and inttypes.h (needed for Solaris 2.5.1) | |
89 | ||
90 | GNU getopt is included for systems that lack it. | |
91 | ||
92 | We check for LOG_AUTHPRIV before trying to use it in log.c (Solaris | |
93 | 2.5.1 doesn't have it.) | |
94 | ||
95 | Portable snprintf.c from http://www.ijs.si/software/snprintf/ is | |
96 | included for systems that lack snprintf/vsnprintf. | |
97 | ||
98 | make-secnet-sites.py renamed to make-secnet-sites and now installed in | |
99 | $prefix/sbin/make-secnet-sites; ipaddr.py library installed in | |
100 | $prefix/share/secnet/ipaddr.py. make-secnet-sites searches | |
101 | /usr/local/share/secnet and /usr/share/secnet for ipaddr.py | |
102 | ||
c6f79b17 SE |
103 | * New in version 0.1.8 |
104 | ||
105 | Netlink devices now support a 'point-to-point' mode. In this mode the | |
106 | netlink device does not require an IP address; instead, the IP address | |
107 | of the other end of the tunnel is specified using the 'ptp-address' | |
108 | option. Precisely one site must be configured to use the netlink | |
8dea8d37 SE |
109 | device. (I haven't had a chance to test this because 0.1.8 turned into |
110 | a 'quick' release to enable secnet to cope with the network problems | |
111 | affecting connections going via LINX on 2001-10-16.) | |
c6f79b17 SE |
112 | |
113 | The tunnel code in site.c now initiates a key setup if the | |
114 | reverse-transform function fails (wrong key, bad MAC, too much skew, | |
115 | etc.) - this should make secnet more reliable on dodgy links, which | |
116 | are much more common than links with active attackers... (an attacker | |
117 | can now force a new key setup by replaying an old packet, but apart | |
118 | from minor denial of service on slow links or machines this won't | |
8dea8d37 | 119 | achieve them much). This should eventually be made configurable. |
c6f79b17 SE |
120 | |
121 | The sequence number skew detection code in transform.c now only | |
122 | complains about 'reverse skew' - replays of packets that are too | |
123 | old. 'Forward skew' (gaps in the sequence numbers of received packets) | |
124 | is now tolerated silently, to cope with large amounts of packet loss. |