| 1 | * Planned for the future |
| 2 | |
| 3 | Please note that the 0.1 series of secnet releases is now 'maintenance |
| 4 | only'; further development continues in secnet-0.2. |
| 5 | |
| 6 | Debconf support - if you are using the Debian packaged version and |
| 7 | your secnet configuration is autogenerated using debconf then the |
| 8 | upgrade to version 0.2.0 should just involve installing the package; |
| 9 | an appropriate 0.2-style configuration file will be generated |
| 10 | automatically. |
| 11 | |
| 12 | * New in version 0.1.18 |
| 13 | |
| 14 | ipaddr.py now declares its character encoding; required by recent |
| 15 | versions of Python |
| 16 | |
| 17 | * New in version 0.1.17 |
| 18 | |
| 19 | autoconf updates for cross-compilation / more modern autoconf from |
| 20 | Ross Younger <ross@crazyscot.com> |
| 21 | |
| 22 | MacOS X support from Richard Kettlewell <richard@sfere.greenend.org.uk> |
| 23 | |
| 24 | Makefile fix: Update bison pattern rule to indicate that both the |
| 25 | .tab.c and .tab.h files are generated by the same command. |
| 26 | |
| 27 | i386 ip_csum implementation updated to work with modern gcc |
| 28 | |
| 29 | Rename global 'log' to 'slilog' to avoid conflict with gcc built-in |
| 30 | log() function. |
| 31 | |
| 32 | * New in version 0.1.16 |
| 33 | |
| 34 | XXX XXX PROTOCOL COMPATIBILITY IS BROKEN BETWEEN VERSION 0.1.16 AND |
| 35 | XXX XXX ALL PREVIOUS VERSIONS. |
| 36 | |
| 37 | Bugfix: rsa.c private-key now works properly when you choose not to |
| 38 | verify it. |
| 39 | |
| 40 | Bugfix: serpent key setup was only using the first 8 bytes of the key |
| 41 | material. (Oops!) Ian Jackson contributed a fix so the full 32 bytes |
| 42 | are used, in big-endian mode. |
| 43 | |
| 44 | Debatable-bugfix: RSA operations now use PKCS1 v1.5-style padding |
| 45 | |
| 46 | "Hacky parallelism" contributed by Ian Jackson; this permits |
| 47 | public-key operations to be performed in a subprocess during key |
| 48 | exchange, to make secnet more usable on very slow machines. This is |
| 49 | not compiled in by default; if you find you need it (because key |
| 50 | exchanges are taking more than a second or two) then add |
| 51 | -DHACKY_PARALLEL to FLAGS in the Makefile.in and recompile. |
| 52 | |
| 53 | udp module updates from Peter Benie: |
| 54 | 1) Handle the case where authbind-helper terminates with a signal |
| 55 | 2) Cope with signals being delivered during waitpid |
| 56 | 3) Add 'address' (optional) to the udp settings. This is an IP address |
| 57 | that the socket will be bound to. |
| 58 | 4) Change the endianess of the arguments to authbind-helper. |
| 59 | sprintf("%04X") already translates from machine repesentation to most |
| 60 | significant octet first so htons reversed it again. |
| 61 | |
| 62 | All uses of alloca() expunged by Peter Benie. |
| 63 | |
| 64 | make-secnet-sites now supports configurations where each tunnel gets |
| 65 | its own interface on the host, and the IP router code in secnet is |
| 66 | disabled. make-secnet-sites has been rewritten for clarity. For |
| 67 | information on how to configure secnet for one-interface-per-tunnel, |
| 68 | see the example.conf file. |
| 69 | |
| 70 | * New in version 0.1.15 |
| 71 | |
| 72 | Now terminates with an error when an "include" filename is not |
| 73 | specified in the configuration file (thanks to RJK). |
| 74 | |
| 75 | RSA private key operations optimised using CRT. Thanks to SGT. |
| 76 | |
| 77 | Now compiles cleanly with -Wwrite-strings turned on in gcc. |
| 78 | |
| 79 | Anything sent to stderr once secnet has started running in the |
| 80 | background is now redirected to the system/log facility. |
| 81 | |
| 82 | * New in version 0.1.14 |
| 83 | |
| 84 | The --help and --version options now send their output to stdout. |
| 85 | |
| 86 | Bugfix: TUN flavour "BSD" no longer implies a BSD-style ifconfig and |
| 87 | route command invocation. Instead "ioctl"-style is used, which should |
| 88 | work on both BSD and linux-2.2 systems. |
| 89 | |
| 90 | If no "networks" parameter is specified for a netlink device then it |
| 91 | is assumed to be 0.0.0.0/0 rather than the empty set. So, by default |
| 92 | there is a default route from each netlink device to the host machine. |
| 93 | The "networks" parameter can be used to implement a primitive |
| 94 | firewall, restricting the destination addresses of packets received |
| 95 | through tunnels; if a more complex firewall is required then implement |
| 96 | it on the host. |
| 97 | |
| 98 | * New in version 0.1.13 |
| 99 | |
| 100 | site.c code cleaned up; no externally visible changes |
| 101 | |
| 102 | secnet now calls setsid() after becoming a daemon. |
| 103 | |
| 104 | secnet now supports TUN on Solaris 2.5 and above (and possibly other |
| 105 | STREAMS-based systems as well). |
| 106 | |
| 107 | The TUN code now tries to auto-detect the type of "TUN" in use |
| 108 | (BSD-style, Linux-style or STREAMS-style). If your configuration file |
| 109 | specifies "tun-old" then it defaults to BSD-style; however, since |
| 110 | "tun-old" will be removed in a future release, you should change your |
| 111 | configuration file to specify "tun" and if there's a problem also |
| 112 | specify the flavour in use. |
| 113 | |
| 114 | Example: |
| 115 | netlink tun-old { |
| 116 | ... |
| 117 | }; |
| 118 | should be rewritten as |
| 119 | netlink tun { |
| 120 | flavour "bsd"; |
| 121 | ... |
| 122 | }; |
| 123 | |
| 124 | The flavours currently defined are "bsd", "linux" and "streams". |
| 125 | |
| 126 | The TUN code can now be configured to configure interfaces and |
| 127 | add/delete routes using one of several methods: invoking a |
| 128 | "linux"-style ifconfig/route command, a "bsd"-style ifconfig/route |
| 129 | command, "solaris-2.5"-style ifconfig/route command or calling ioctl() |
| 130 | directly. These methods can be selected using the "ifconfig-type" and |
| 131 | "route-type" options. |
| 132 | |
| 133 | Example: |
| 134 | netlink tun { |
| 135 | ifconfig-type "ioctl"; |
| 136 | route-type "ioctl"; |
| 137 | ... |
| 138 | }; |
| 139 | |
| 140 | The ioctl-based method is now the default for Linux systems. |
| 141 | |
| 142 | Magic numbers used within secnet are now collected in the header file |
| 143 | "magic.h". |
| 144 | |
| 145 | netlink now uses ICMP type=0 code=13 for 'administratively prohibited' |
| 146 | instead of code 9. See RFC1812 section 5.2.7.1. |
| 147 | |
| 148 | The UDP comm module now supports a proxy server, "udpforward". This |
| 149 | runs on a machine which is directly accessible by secnet and which can |
| 150 | send packets to appropriate destinations. It's useful when the proxy |
| 151 | machine doesn't support source- and destination-NAT. The proxy server |
| 152 | is specified using the "proxy" key in the UDP module configuration; |
| 153 | parameters are IP address (string) and port number. |
| 154 | |
| 155 | Bugfix: ipset_to_subnet_list() in ipaddr.c now believed to work in all |
| 156 | cases, including 0.0.0.0/0 |
| 157 | |
| 158 | * New in version 0.1.12 |
| 159 | |
| 160 | IMPORTANT: fix calculation of 'now' in secnet.c; necessary for correct |
| 161 | operation. |
| 162 | |
| 163 | (Only interesting for people building and modifying secnet by hand: |
| 164 | the Makefile now works out most dependencies automatically.) |
| 165 | |
| 166 | The netlink code no longer produces an internal routing table sorted |
| 167 | by netmask length. Instead, netlink instances have a 'priority'; the |
| 168 | table of routes is sorted by priority. Devices like laptops that have |
| 169 | tunnels that must sometimes 'mask' parts of other tunnels should be |
| 170 | given higher priorities. If a priority is not specified it is assumed |
| 171 | to be zero. |
| 172 | |
| 173 | Example usage: |
| 174 | site laptop { ... |
| 175 | link netlink { |
| 176 | route "192.168.73.74/31"; |
| 177 | priority 10; |
| 178 | }; |
| 179 | }; |
| 180 | |
| 181 | * New in version 0.1.11 |
| 182 | |
| 183 | Lists of IP addresses in the configuration file can now include |
| 184 | exclusions as well as inclusions. For example, you can specify all |
| 185 | the hosts on a subnet except one as follows: |
| 186 | |
| 187 | networks "192.168.73.0/24","!192.168.73.70"; |
| 188 | |
| 189 | (If you were only allowed inclusions, you'd have to specify that like |
| 190 | this: |
| 191 | networks "192.168.73.71/32","192.168.73.68/31","192.168.73.64/30", |
| 192 | "192.168.73.72/29","192.168.73.80/28","192.168.73.96/27", |
| 193 | "192.168.73.0/26","192.168.73.128/25"; |
| 194 | ) |
| 195 | |
| 196 | secnet now ensures that it invokes userv-ipif with a non-overlapping |
| 197 | list of subnets. |
| 198 | |
| 199 | There is a new command-line option, --sites-key or -s, that enables |
| 200 | the configuration file key that's checked to determine the list of |
| 201 | active sites (default "sites") to be changed. This enables a single |
| 202 | configuration file to contain multiple cofigurations conveniently. |
| 203 | |
| 204 | NAKs are now sent when packets arrive that are not understood. The |
| 205 | tunnel code initiates a key setup if it sees a NAK. Future |
| 206 | developments should include configuration options that control this. |
| 207 | |
| 208 | The tunnel code notifies its peer when secnet is terminating, so the |
| 209 | peer can close the session. |
| 210 | |
| 211 | The netlink "exclude-remote-networks" option has now been replaced by |
| 212 | a "remote-networks" option; instead of specifying networks that no |
| 213 | site may access, you specify the set of networks that remote sites are |
| 214 | allowed to access. A sensible example: "192.168.0.0/16", |
| 215 | "172.16.0.0/12", "10.0.0.0/8", "!your-local-network" |
| 216 | |
| 217 | * New in version 0.1.10 |
| 218 | |
| 219 | WARNING: THIS VERSION MAKES A CHANGE TO THE CONFIGURATION FILE FORMAT |
| 220 | THAT IS NOT BACKWARD COMPATIBLE. However, in most configurations the |
| 221 | change only affects the sites.conf file, which is generated by the |
| 222 | make-secnet-sites script; after you regenerate your sites.conf using |
| 223 | version 0.1.10, everything should continue to work. |
| 224 | |
| 225 | Netlink devices now interact slightly differently with the 'site' |
| 226 | code. When you invoke a netlink closure like 'tun' or 'userv-ipif', |
| 227 | you get another closure back. You then invoke this closure (usually |
| 228 | in the site definitions) to specify things like routes and options. |
| 229 | The result of this invocation should be used as the 'link' option in |
| 230 | site configurations. |
| 231 | |
| 232 | All this really means is that instead of site configurations looking |
| 233 | like this: |
| 234 | |
| 235 | foo { |
| 236 | name "foo"; |
| 237 | networks "a", "b", "c"; |
| 238 | etc. |
| 239 | }; |
| 240 | |
| 241 | ...they look like this: |
| 242 | |
| 243 | foo { |
| 244 | name "foo"; |
| 245 | link netlink { routes "a", "b", "c"; }; |
| 246 | etc. |
| 247 | }; |
| 248 | |
| 249 | This change was made to enable the 'site' code to be completely free |
| 250 | of any knowledge of the contents of the packets it transmits. It |
| 251 | should now be possible in the future to tunnel other protocols like |
| 252 | IPv6, IPX, raw Ethernet frames, etc. without changing the 'site' code |
| 253 | at all. |
| 254 | |
| 255 | Point-to-point netlink devices work slightly differently; when you |
| 256 | apply the 'tun', 'userv-ipif', etc. closure and specify the |
| 257 | ptp-address option, you must also specify the 'routes' option. The |
| 258 | result of this invocation should be passed directly to the 'link' |
| 259 | option of the site configuration. You can do things like this: |
| 260 | |
| 261 | sites site { |
| 262 | name "foo"; |
| 263 | link tun { |
| 264 | networks "192.168.73.76/32"; |
| 265 | local-address "192.168.73.76"; # IP address of interface |
| 266 | ptp-address "192.168.73.75"; # IP address of other end of link |
| 267 | routes "192.168.73.74/32"; |
| 268 | mtu 1400; |
| 269 | buffer sysbuffer(); |
| 270 | }; |
| 271 | etc. |
| 272 | }; |
| 273 | |
| 274 | The route dump obtained by sending SIGUSR1 to secnet now includes |
| 275 | packet counts. |
| 276 | |
| 277 | Point-to-point mode has now been tested. |
| 278 | |
| 279 | tun-old has now been tested, and the annoying 'untested' message has |
| 280 | been removed. Thanks to SGT and JDA. |
| 281 | |
| 282 | secnet now closes its stdin, stdout and stderr just after |
| 283 | backgrounding. |
| 284 | |
| 285 | Bugfix: specifying network "0.0.0.0/0" (or "default") now works |
| 286 | correctly. |
| 287 | |
| 288 | * New in version 0.1.9 |
| 289 | |
| 290 | The netlink code may now generate ICMP responses to ICMP messages that |
| 291 | are not errors, eg. ICMP echo-request. This makes Windows NT |
| 292 | traceroute output look a little less strange. |
| 293 | |
| 294 | configure.in and config.h.bot now define uint32_t etc. even on systems |
| 295 | without stdint.h and inttypes.h (needed for Solaris 2.5.1) |
| 296 | |
| 297 | GNU getopt is included for systems that lack it. |
| 298 | |
| 299 | We check for LOG_AUTHPRIV before trying to use it in log.c (Solaris |
| 300 | 2.5.1 doesn't have it.) |
| 301 | |
| 302 | Portable snprintf.c from http://www.ijs.si/software/snprintf/ is |
| 303 | included for systems that lack snprintf/vsnprintf. |
| 304 | |
| 305 | make-secnet-sites.py renamed to make-secnet-sites and now installed in |
| 306 | $prefix/sbin/make-secnet-sites; ipaddr.py library installed in |
| 307 | $prefix/share/secnet/ipaddr.py. make-secnet-sites searches |
| 308 | /usr/local/share/secnet and /usr/share/secnet for ipaddr.py |
| 309 | |
| 310 | * New in version 0.1.8 |
| 311 | |
| 312 | Netlink devices now support a 'point-to-point' mode. In this mode the |
| 313 | netlink device does not require an IP address; instead, the IP address |
| 314 | of the other end of the tunnel is specified using the 'ptp-address' |
| 315 | option. Precisely one site must be configured to use the netlink |
| 316 | device. (I haven't had a chance to test this because 0.1.8 turned into |
| 317 | a 'quick' release to enable secnet to cope with the network problems |
| 318 | affecting connections going via LINX on 2001-10-16.) |
| 319 | |
| 320 | The tunnel code in site.c now initiates a key setup if the |
| 321 | reverse-transform function fails (wrong key, bad MAC, too much skew, |
| 322 | etc.) - this should make secnet more reliable on dodgy links, which |
| 323 | are much more common than links with active attackers... (an attacker |
| 324 | can now force a new key setup by replaying an old packet, but apart |
| 325 | from minor denial of service on slow links or machines this won't |
| 326 | achieve them much). This should eventually be made configurable. |
| 327 | |
| 328 | The sequence number skew detection code in transform.c now only |
| 329 | complains about 'reverse skew' - replays of packets that are too |
| 330 | old. 'Forward skew' (gaps in the sequence numbers of received packets) |
| 331 | is now tolerated silently, to cope with large amounts of packet loss. |