* Planned for the future

Please note that the 0.1 series of secnet releases is now 'maintenance
only'; further development continues in secnet-0.2.

Debconf support - if you are using the Debian packaged version and
your secnet configuration is autogenerated using debconf then the
upgrade to version 0.2.0 should just involve installing the package;
an appropriate 0.2-style configuration file will be generated
automatically.

* New in version 0.1.18

ipaddr.py now declares its character encoding; required by recent
versions of Python

* New in version 0.1.17

autoconf updates for cross-compilation / more modern autoconf from
Ross Younger <ross@crazyscot.com>

MacOS X support from Richard Kettlewell <richard@sfere.greenend.org.uk>

Makefile fix: Update bison pattern rule to indicate that both the
.tab.c and .tab.h files are generated by the same command.

i386 ip_csum implementation updated to work with modern gcc

Rename global 'log' to 'slilog' to avoid conflict with gcc built-in
log() function.

* New in version 0.1.16

XXX XXX PROTOCOL COMPATIBILITY IS BROKEN BETWEEN VERSION 0.1.16 AND
XXX XXX ALL PREVIOUS VERSIONS.

Bugfix: rsa.c private-key now works properly when you choose not to
verify it.

Bugfix: serpent key setup was only using the first 8 bytes of the key
material. (Oops!) Ian Jackson contributed a fix so the full 32 bytes
are used, in big-endian mode.

Debatable-bugfix: RSA operations now use PKCS1 v1.5-style padding

"Hacky parallelism" contributed by Ian Jackson; this permits
public-key operations to be performed in a subprocess during key
exchange, to make secnet more usable on very slow machines. This is
not compiled in by default; if you find you need it (because key
exchanges are taking more than a second or two) then add
-DHACKY_PARALLEL to FLAGS in the Makefile.in and recompile.

udp module updates from Peter Benie:
1) Handle the case where authbind-helper terminates with a signal
2) Cope with signals being delivered during waitpid
3) Add 'address' (optional) to the udp settings. This is an IP address
   that the socket will be bound to.
4) Change the endianness of the arguments to authbind-helper.
   sprintf("%04X") already translates from machine representation to most
   significant octet first so htons reversed it again.

All uses of alloca() expunged by Peter Benie.

make-secnet-sites now supports configurations where each tunnel gets
its own interface on the host, and the IP router code in secnet is
disabled. make-secnet-sites has been rewritten for clarity. For
information on how to configure secnet for one-interface-per-tunnel,
see the example.conf file.

* New in version 0.1.15

Now terminates with an error when an "include" filename is not
specified in the configuration file (thanks to RJK).

RSA private key operations optimised using CRT. Thanks to SGT.

Now compiles cleanly with -Wwrite-strings turned on in gcc.

Anything sent to stderr once secnet has started running in the
background is now redirected to the system/log facility.

* New in version 0.1.14

The --help and --version options now send their output to stdout.

Bugfix: TUN flavour "BSD" no longer implies a BSD-style ifconfig and
route command invocation. Instead "ioctl"-style is used, which should
work on both BSD and linux-2.2 systems.

If no "networks" parameter is specified for a netlink device then it
is assumed to be 0.0.0.0/0 rather than the empty set. So, by default
there is a default route from each netlink device to the host machine.
The "networks" parameter can be used to implement a primitive
firewall, restricting the destination addresses of packets received
through tunnels; if a more complex firewall is required then implement
it on the host.

* New in version 0.1.13

site.c code cleaned up; no externally visible changes

secnet now calls setsid() after becoming a daemon.

secnet now supports TUN on Solaris 2.5 and above (and possibly other
STREAMS-based systems as well).

The TUN code now tries to auto-detect the type of "TUN" in use
(BSD-style, Linux-style or STREAMS-style). If your configuration file
specifies "tun-old" then it defaults to BSD-style; however, since
"tun-old" will be removed in a future release, you should change your
configuration file to specify "tun" and if there's a problem also
specify the flavour in use.

Example:
  netlink tun-old {
    ...
  };
should be rewritten as
  netlink tun {
    flavour "bsd";
    ...
  };

The flavours currently defined are "bsd", "linux" and "streams".

The TUN code can now be configured to configure interfaces and
add/delete routes using one of several methods: invoking a
"linux"-style ifconfig/route command, a "bsd"-style ifconfig/route
command, "solaris-2.5"-style ifconfig/route command or calling ioctl()
directly. These methods can be selected using the "ifconfig-type" and
"route-type" options.

Example:
  netlink tun {
    ifconfig-type "ioctl";
    route-type "ioctl";
    ...
  };

The ioctl-based method is now the default for Linux systems.

Magic numbers used within secnet are now collected in the header file
"magic.h".

netlink now uses ICMP type=0 code=13 for 'administratively prohibited'
instead of code 9. See RFC1812 section 5.2.7.1.

The UDP comm module now supports a proxy server, "udpforward". This
runs on a machine which is directly accessible by secnet and which can
send packets to appropriate destinations. It's useful when the proxy
machine doesn't support source- and destination-NAT. The proxy server
is specified using the "proxy" key in the UDP module configuration;
parameters are IP address (string) and port number.

Bugfix: ipset_to_subnet_list() in ipaddr.c now believed to work in all
cases, including 0.0.0.0/0

* New in version 0.1.12

IMPORTANT: fix calculation of 'now' in secnet.c; necessary for correct
operation.

(Only interesting for people building and modifying secnet by hand:
the Makefile now works out most dependencies automatically.)

The netlink code no longer produces an internal routing table sorted
by netmask length. Instead, netlink instances have a 'priority'; the
table of routes is sorted by priority. Devices like laptops that have
tunnels that must sometimes 'mask' parts of other tunnels should be
given higher priorities. If a priority is not specified it is assumed
to be zero.

Example usage:
  site laptop { ...
    link netlink {
      route "192.168.73.74/31";
      priority 10;
    };
  };

* New in version 0.1.11

Lists of IP addresses in the configuration file can now include
exclusions as well as inclusions. For example, you can specify all
the hosts on a subnet except one as follows:

  networks "192.168.73.0/24","!192.168.73.70";

(If you were only allowed inclusions, you'd have to specify that like
this:
  networks "192.168.73.71/32","192.168.73.68/31","192.168.73.64/30",
    "192.168.73.72/29","192.168.73.80/28","192.168.73.96/27",
    "192.168.73.0/26","192.168.73.128/25";
)

secnet now ensures that it invokes userv-ipif with a non-overlapping
list of subnets.

There is a new command-line option, --sites-key or -s, that enables
the configuration file key that's checked to determine the list of
active sites (default "sites") to be changed. This enables a single
configuration file to contain multiple configurations conveniently.

NAKs are now sent when packets arrive that are not understood. The
tunnel code initiates a key setup if it sees a NAK. Future
developments should include configuration options that control this.

The tunnel code notifies its peer when secnet is terminating, so the
peer can close the session.

The netlink "exclude-remote-networks" option has now been replaced by
a "remote-networks" option; instead of specifying networks that no
site may access, you specify the set of networks that remote sites are
allowed to access. A sensible example: "192.168.0.0/16",
"172.16.0.0/12", "10.0.0.0/8", "!your-local-network"
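
As an added worked example (not secnet's own ipaddr code or make-secnet-sites), the following Python turns a list of inclusions and exclusions into the non-overlapping subnet list that the inclusion-only "networks" form above spells out by hand, and the same routine serves the "remote-networks" list; it uses only the standard ipaddress module, and the 192.168.73.0/24 it excludes in the second call is a constructed stand-in for "your-local-network".

```python
import ipaddress

def parse_net(item):
    """Parse one entry in the list syntax: "a.b.c.d/n", a bare address
    (taken as /32) or "default" (0.0.0.0/0); a leading '!' marks an exclusion."""
    exclude = item.startswith("!")
    text = item[1:] if exclude else item
    if text == "default":
        text = "0.0.0.0/0"
    return exclude, ipaddress.ip_network(text)

def ipset_to_subnets(spec):
    """Apply inclusions and exclusions in list order and return the minimal
    non-overlapping list of subnets covering the resulting address set
    (the shape secnet needs before handing subnets to userv-ipif)."""
    nets = []
    for item in spec:
        exclude, net = parse_net(item)
        if not exclude:
            nets.append(net)
            continue
        kept = []
        for n in nets:
            if n.subnet_of(net):
                continue                              # wholly excluded: drop it
            elif net.subnet_of(n):
                kept.extend(n.address_exclude(net))   # carve the hole out of n
            else:
                kept.append(n)                        # disjoint: unaffected
        nets = kept
    # collapse_addresses merges overlapping and adjacent networks, so the
    # result contains no overlaps and no mergeable sibling pairs
    return sorted(ipaddress.collapse_addresses(nets))

def as_config(keyword, nets):
    """Render a subnet list as a configuration line, e.g. for "networks"."""
    return '%s %s;' % (keyword, ",".join('"%s"' % n for n in nets))

if __name__ == "__main__":
    # The 0.1.11 example: a /24 with a single host excluded
    print(as_config("networks", ipset_to_subnets(["192.168.73.0/24", "!192.168.73.70"])))
    # The suggested remote-networks list; 192.168.73.0/24 is a constructed
    # stand-in for "your-local-network"
    print(as_config("remote-networks", ipset_to_subnets(
        ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "!192.168.73.0/24"])))
```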

* New in version 0.1.10

WARNING: THIS VERSION MAKES A CHANGE TO THE CONFIGURATION FILE FORMAT
THAT IS NOT BACKWARD COMPATIBLE. However, in most configurations the
change only affects the sites.conf file, which is generated by the
make-secnet-sites script; after you regenerate your sites.conf using
version 0.1.10, everything should continue to work.

Netlink devices now interact slightly differently with the 'site'
code. When you invoke a netlink closure like 'tun' or 'userv-ipif',
you get another closure back. You then invoke this closure (usually
in the site definitions) to specify things like routes and options.
The result of this invocation should be used as the 'link' option in
site configurations.

All this really means is that instead of site configurations looking
like this:

  foo {
    name "foo";
    networks "a", "b", "c";
    etc.
  };

...they look like this:

  foo {
    name "foo";
    link netlink { routes "a", "b", "c"; };
    etc.
  };

This change was made to enable the 'site' code to be completely free
of any knowledge of the contents of the packets it transmits. It
should now be possible in the future to tunnel other protocols like
IPv6, IPX, raw Ethernet frames, etc. without changing the 'site' code
at all.

Point-to-point netlink devices work slightly differently; when you
apply the 'tun', 'userv-ipif', etc. closure and specify the
ptp-address option, you must also specify the 'routes' option. The
result of this invocation should be passed directly to the 'link'
option of the site configuration. You can do things like this:

  sites site {
    name "foo";
    link tun {
      networks "192.168.73.76/32";
      local-address "192.168.73.76"; # IP address of interface
      ptp-address "192.168.73.75"; # IP address of other end of link
      routes "192.168.73.74/32";
      mtu 1400;
      buffer sysbuffer();
    };
    etc.
  };

The route dump obtained by sending SIGUSR1 to secnet now includes
packet counts.

Point-to-point mode has now been tested.

tun-old has now been tested, and the annoying 'untested' message has
been removed. Thanks to SGT and JDA.

secnet now closes its stdin, stdout and stderr just after
backgrounding.

Bugfix: specifying network "0.0.0.0/0" (or "default") now works
correctly.

* New in version 0.1.9

The netlink code may now generate ICMP responses to ICMP messages that
are not errors, e.g. ICMP echo-request. This makes Windows NT
traceroute output look a little less strange.

configure.in and config.h.bot now define uint32_t etc. even on systems
without stdint.h and inttypes.h (needed for Solaris 2.5.1)

GNU getopt is included for systems that lack it.

We check for LOG_AUTHPRIV before trying to use it in log.c (Solaris
2.5.1 doesn't have it.)

Portable snprintf.c from http://www.ijs.si/software/snprintf/ is
included for systems that lack snprintf/vsnprintf.

make-secnet-sites.py renamed to make-secnet-sites and now installed in
$prefix/sbin/make-secnet-sites; ipaddr.py library installed in
$prefix/share/secnet/ipaddr.py. make-secnet-sites searches
/usr/local/share/secnet and /usr/share/secnet for ipaddr.py

* New in version 0.1.8

Netlink devices now support a 'point-to-point' mode. In this mode the
netlink device does not require an IP address; instead, the IP address
of the other end of the tunnel is specified using the 'ptp-address'
option. Precisely one site must be configured to use the netlink
device. (I haven't had a chance to test this because 0.1.8 turned into
a 'quick' release to enable secnet to cope with the network problems
affecting connections going via LINX on 2001-10-16.)

The tunnel code in site.c now initiates a key setup if the
reverse-transform function fails (wrong key, bad MAC, too much skew,
etc.) - this should make secnet more reliable on dodgy links, which
are much more common than links with active attackers... (an attacker
can now force a new key setup by replaying an old packet, but apart
from minor denial of service on slow links or machines this won't
achieve them much). This should eventually be made configurable.

The sequence number skew detection code in transform.c now only
complains about 'reverse skew' - replays of packets that are too
old. 'Forward skew' (gaps in the sequence numbers of received packets)
is now tolerated silently, to cope with large amounts of packet loss.