Commit c6f79b17 (SE):

* New in version 0.1.8

Netlink devices now support a 'point-to-point' mode. In this mode the
netlink device does not require an IP address; instead, the IP address
of the other end of the tunnel is specified using the 'ptp-address'
option. Precisely one site must be configured to use the netlink
device.

The tunnel code in site.c now initiates a key setup if the
reverse-transform function fails (wrong key, bad MAC, too much skew,
etc.). This should make secnet more reliable on dodgy links, which
are much more common than links with active attackers. (An attacker
can now force a new key setup by replaying an old packet, but apart
from minor denial of service on slow links or machines this won't
gain them much.)

The sequence number skew detection code in transform.c now only
complains about 'reverse skew': replays of packets that are too
old. 'Forward skew' (gaps in the sequence numbers of received packets)
is now tolerated silently, to cope with large amounts of packet loss.
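As an added illustration of the two rules above (this is not secnet's own code; the window size, the names, and the treatment of duplicates inside the window are assumptions), here is a receiver-side sequence check that reports reverse skew and accepts forward gaps silently, and a receiver that requests a key setup whenever the reverse-transform step fails, as site.c now does.

```python
from dataclasses import dataclass

# Assumed window size: secnet's real limit is not stated on this page.
MAX_REVERSE_SKEW = 64


@dataclass
class SkewChecker:
    """Sliding-window check in the spirit of transform.c.
    'reverse skew' (a packet older than the window) is reported;
    'forward skew' (a gap ahead of the highest seen) is accepted
    silently, since packet loss is expected on poor links."""
    window: int = MAX_REVERSE_SKEW
    highest: int = -1
    seen: int = 0  # bit k set => sequence number (highest - k) already seen

    def check(self, seq: int) -> str:
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; a gap larger than the window clears it.
            self.seen = ((self.seen << shift) | 1) if shift < self.window else 1
            self.seen &= (1 << self.window) - 1
            self.highest = seq
            return "ok"  # forward skew: tolerated without complaint
        offset = self.highest - seq
        if offset >= self.window:
            return "reverse-skew"  # too old: outside the replay window
        if self.seen & (1 << offset):
            return "replay"  # duplicate within the window (assumed to be rejected)
        self.seen |= 1 << offset
        return "ok"


class Receiver:
    """Models the site.c behaviour: any reverse-transform failure
    (bad MAC, too much skew) triggers a new key setup."""
    FAILURES = ("bad-mac", "reverse-skew", "replay")

    def __init__(self, window: int = MAX_REVERSE_SKEW) -> None:
        self.skew = SkewChecker(window)
        self.rekey_requested = False

    def receive(self, seq: int, mac_ok: bool = True) -> str:
        verdict = "bad-mac" if not mac_ok else self.skew.check(seq)
        if verdict in self.FAILURES:
            self.rekey_requested = True  # the cost the NEWS entry accepts
        return verdict
```

Note that a replayed old packet drives the receiver into a rekey, which is exactly the minor denial-of-service trade-off the NEWS entry describes.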