Commit | Line | Data |
---|---|---|
8dea8d37 SE |
1 | * Planned for the future |
2 | ||
3 | New configuration syntax for netlinks: basic 'netlink' closure yields | |
4 | a pure closure that can be applied in each site() to generate a | |
5 | netlink for that site (with routes, options, etc.). Works well for | |
6 | point-to-point: that netlink can be used directly by just one site. | |
7 | Much cleaner separation between site() and netlink code this way. | |
8 | ||
9 | (Backward compatibility will be kept for a while.) | |
10 | ||
11 | * New in version 0.1.9 | |
12 | ||
13 | The netlink code may now generate ICMP responses to ICMP messages that | |
14 | are not errors, e.g. ICMP echo-request. This makes Windows NT | |
15 | traceroute output look a little less strange. | |
16 | ||
17 | configure.in and config.h.bot now define uint32_t etc. even on systems | |
18 | without stdint.h and inttypes.h (needed for Solaris 2.5.1) | |
19 | ||
20 | GNU getopt is included for systems that lack it. | |
21 | ||
22 | We check for LOG_AUTHPRIV before trying to use it in log.c (Solaris | |
23 | 2.5.1 doesn't have it.) | |
24 | ||
25 | Portable snprintf.c from http://www.ijs.si/software/snprintf/ is | |
26 | included for systems that lack snprintf/vsnprintf. | |
27 | ||
28 | make-secnet-sites.py renamed to make-secnet-sites and now installed in | |
29 | $prefix/sbin/make-secnet-sites; ipaddr.py library installed in | |
30 | $prefix/share/secnet/ipaddr.py. make-secnet-sites searches | |
31 | /usr/local/share/secnet and /usr/share/secnet for ipaddr.py | |
32 | ||
c6f79b17 SE |
33 | * New in version 0.1.8 |
34 | ||
35 | Netlink devices now support a 'point-to-point' mode. In this mode the | |
36 | netlink device does not require an IP address; instead, the IP address | |
37 | of the other end of the tunnel is specified using the 'ptp-address' | |
38 | option. Precisely one site must be configured to use the netlink | |
8dea8d37 SE |
39 | device. (I haven't had a chance to test this because 0.1.8 turned into |
40 | a 'quick' release to enable secnet to cope with the network problems | |
41 | affecting connections going via LINX on 2001-10-16.) | |
c6f79b17 SE |
42 | |
43 | The tunnel code in site.c now initiates a key setup if the | |
44 | reverse-transform function fails (wrong key, bad MAC, too much skew, | |
45 | etc.) - this should make secnet more reliable on dodgy links, which | |
46 | are much more common than links with active attackers... (an attacker | |
47 | can now force a new key setup by replaying an old packet, but apart | |
48 | from minor denial of service on slow links or machines this won't | |
8dea8d37 SE |
49 | achieve them much). This should eventually be made configurable. |
c6f79b17 SE |
50 | |
51 | The sequence number skew detection code in transform.c now only | |
52 | complains about 'reverse skew' - replays of packets that are too | |
53 | old. 'Forward skew' (gaps in the sequence numbers of received packets) | |
54 | is now tolerated silently, to cope with large amounts of packet loss. |
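
The 0.1.8 entries on skew detection and on key setup after a failed reverse transform can be sketched together as follows. This is an added example, not code from transform.c or site.c; every name in it (`rx_state`, `check_seq`, `receive`, `max_skew`) and the 32-bit wrapping sequence number are assumptions, and MAC verification is assumed to have passed before `check_seq` runs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; illustrative sketch, not secnet's code. */
enum rx_result { RX_OK, RX_REVERSE_SKEW };

struct rx_state {
    uint32_t last_seq;   /* highest sequence number accepted so far */
    uint32_t max_skew;   /* how far behind last_seq a packet may arrive */
    unsigned key_setups; /* key setups this receiver has initiated */
};

/* Classify the sequence number of an already-authenticated packet.
 * Unsigned subtraction keeps the comparison valid across 32-bit wrap.
 * The sketch keeps no per-packet record, so it does not reject a
 * duplicate that still falls inside the max_skew window. */
enum rx_result check_seq(struct rx_state *st, uint32_t seq)
{
    uint32_t ahead = seq - st->last_seq;
    if (ahead < 0x80000000u) {
        st->last_seq = seq;      /* forward skew: loss gaps pass silently */
        return RX_OK;
    }
    if (st->last_seq - seq <= st->max_skew)
        return RX_OK;            /* slightly late, reordered packet */
    return RX_REVERSE_SKEW;      /* too old: treated as a replay */
}

/* Site-level handling: a failed reverse check starts a new key setup,
 * which is why a replayed old packet costs the receiver one key exchange. */
bool receive(struct rx_state *st, uint32_t seq)
{
    if (check_seq(st, seq) == RX_OK)
        return true;
    st->key_setups++;
    return false;
}

int main(void)
{
    /* Constructed input: in-order, large loss gap, late packet, old replay. */
    struct rx_state st = { 100, 10, 0 };
    const uint32_t seqs[] = { 101, 500, 495, 101 };
    for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
        printf("seq %u: %s\n", (unsigned)seqs[i],
               receive(&st, seqs[i]) ? "accepted" : "rejected, key setup");
    printf("key setups initiated: %u\n", st.key_setups);
    return 0;
}
```

Counting `key_setups` per peer is one way to watch for the replay-triggered rekeying the entry describes.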