~mdw / secnet / blame
| Commit | Line | Data |
|---|---|---|
| c6f79b17 SE |
1 | * New in version 0.1.8 |
| 2 | ||
| 3 | Netlink devices now support a 'point-to-point' mode. In this mode the | |
| 4 | netlink device does not require an IP address; instead, the IP address | |
| 5 | of the other end of the tunnel is specified using the 'ptp-address' | |
| 6 | option. Precisely one site must be configured to use the netlink | |
| 7 | device. | |
| 8 | ||
| 9 | The tunnel code in site.c now initiates a key setup if the | |
| 10 | reverse-transform function fails (wrong key, bad MAC, too much skew, | |
| 11 | etc.) - this should make secnet more reliable on dodgy links, which | |
| 12 | are much more common than links with active attackers... (an attacker | |
| 13 | can now force a new key setup by replaying an old packet, but apart | |
| 14 | from minor denial of service on slow links or machines this won't | |
| 15 | achieve them much). | |
| 16 | ||
| 17 | The sequence number skew detection code in transform.c now only | |
| 18 | complains about 'reverse skew' - replays of packets that are too | |
| 19 | old. 'Forward skew' (gaps in the sequence numbers of received packets) | |
| 20 | is now tolerated silently, to cope with large amounts of packet loss. |