[secnet] / NEWS

* Planned for the future

New configuration syntax for netlinks: basic 'netlink' closure yields
a pure closure that can be applied in each site() to generate a
netlink for that site (with routes, options, etc.).  Works well for
point-to-point: that netlink can be used directly by just one site.
Much cleaner separation between site() and netlink code this way.

(Backward compatibility will be kept for a while.)

* New in version 0.1.9

The netlink code may now generate ICMP responses to ICMP messages that
are not errors, eg. ICMP echo-request.  This makes Windows NT
traceroute output look a little less strange.

configure.in and config.h.bot now define uint32_t etc. even on systems
without stdint.h and inttypes.h (needed for Solaris 2.5.1)

GNU getopt is included for systems that lack it.

We check for LOG_AUTHPRIV before trying to use it in log.c (Solaris
2.5.1 doesn't have it.)

Portable snprintf.c from http://www.ijs.si/software/snprintf/ is
included for systems that lack snprintf/vsnprintf.

make-secnet-sites.py renamed to make-secnet-sites and now installed in
$prefix/sbin/make-secnet-sites; ipaddr.py library installed in
$prefix/share/secnet/ipaddr.py.  make-secnet-sites searches
/usr/local/share/secnet and /usr/share/secnet for ipaddr.py

* New in version 0.1.8

Netlink devices now support a 'point-to-point' mode.  In this mode the
netlink device does not require an IP address; instead, the IP address
of the other end of the tunnel is specified using the 'ptp-address'
option.  Precisely one site must be configured to use the netlink
device. (I haven't had a chance to test this because 0.1.8 turned into
a 'quick' release to enable secnet to cope with the network problems
affecting connections going via LINX on 2001-10-16.)

The tunnel code in site.c now initiates a key setup if the
reverse-transform function fails (wrong key, bad MAC, too much skew,
etc.) - this should make secnet more reliable on dodgy links, which
are much more common than links with active attackers...  (an attacker
can now force a new key setup by replaying an old packet, but apart
from minor denial of service on slow links or machines this won't
achieve them much).  This should eventually be made configurable.

The sequence number skew detection code in transform.c now only
complains about 'reverse skew' - replays of packets that are too
old. 'Forward skew' (gaps in the sequence numbers of received packets)
is now tolerated silently, to cope with large amounts of packet loss.
Commit	Line	Data
8dea8d37 SE	1	* Planned for the future
	2
	3	New configuration syntax for netlinks: basic 'netlink' closure yields
	4	a pure closure that can be applied in each site() to generate a
	5	netlink for that site (with routes, options, etc.). Works well for
	6	point-to-point: that netlink can be used directly by just one site.
	7	Much cleaner separation between site() and netlink code this way.
	8
	9	(Backward compatibility will be kept for a while.)
	10
	11	* New in version 0.1.9
	12
	13	The netlink code may now generate ICMP responses to ICMP messages that
	14	are not errors, eg. ICMP echo-request. This makes Windows NT
	15	traceroute output look a little less strange.
	16
	17	configure.in and config.h.bot now define uint32_t etc. even on systems
	18	without stdint.h and inttypes.h (needed for Solaris 2.5.1)
	19
	20	GNU getopt is included for systems that lack it.
	21
	22	We check for LOG_AUTHPRIV before trying to use it in log.c (Solaris
	23	2.5.1 doesn't have it.)
	24
	25	Portable snprintf.c from http://www.ijs.si/software/snprintf/ is
	26	included for systems that lack snprintf/vsnprintf.
	27
	28	make-secnet-sites.py renamed to make-secnet-sites and now installed in
	29	$prefix/sbin/make-secnet-sites; ipaddr.py library installed in
	30	$prefix/share/secnet/ipaddr.py. make-secnet-sites searches
	31	/usr/local/share/secnet and /usr/share/secnet for ipaddr.py
	32
c6f79b17 SE	33	* New in version 0.1.8
	34
	35	Netlink devices now support a 'point-to-point' mode. In this mode the
	36	netlink device does not require an IP address; instead, the IP address
	37	of the other end of the tunnel is specified using the 'ptp-address'
	38	option. Precisely one site must be configured to use the netlink
8dea8d37 SE	39	device. (I haven't had a chance to test this because 0.1.8 turned into
	40	a 'quick' release to enable secnet to cope with the network problems
	41	affecting connections going via LINX on 2001-10-16.)
c6f79b17 SE	42
	43	The tunnel code in site.c now initiates a key setup if the
	44	reverse-transform function fails (wrong key, bad MAC, too much skew,
	45	etc.) - this should make secnet more reliable on dodgy links, which
	46	are much more common than links with active attackers... (an attacker
	47	can now force a new key setup by replaying an old packet, but apart
	48	from minor denial of service on slow links or machines this won't
8dea8d37	49	achieve them much). This should eventually be made configurable.
c6f79b17 SE	50
	51	The sequence number skew detection code in transform.c now only
	52	complains about 'reverse skew' - replays of packets that are too
	53	old. 'Forward skew' (gaps in the sequence numbers of received packets)
	54	is now tolerated silently, to cope with large amounts of packet loss.