* New in version 0.1.8

Netlink devices now support a 'point-to-point' mode. In this mode the
netlink device does not require an IP address; instead, the IP address
of the other end of the tunnel is specified using the 'ptp-address'
option. Precisely one site must be configured to use the netlink
device.

The tunnel code in site.c now initiates a key setup if the
reverse-transform function fails (wrong key, bad MAC, too much skew,
etc.) - this should make secnet more reliable on dodgy links, which
are much more common than links with active attackers... (an attacker
can now force a new key setup by replaying an old packet, but apart
from minor denial of service on slow links or machines this won't
gain them much).

The sequence number skew detection code in transform.c now only
complains about 'reverse skew' - replays of packets that are too
old. 'Forward skew' (gaps in the sequence numbers of received packets)
is now tolerated silently, to cope with large amounts of packet loss.
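To illustrate the receive-side behaviour described above (reject reverse skew and duplicates, accept forward gaps silently), here is an added sliding-window sequence check. It is example code, not secnet's transform.c; the window size, the `seq_state` structure and the verdict names are assumptions, and 32-bit sequence wraparound is ignored.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical anti-replay window; not taken from secnet. */
#define SEQ_WINDOW 64u   /* assumed width: how far back a packet may lag */

struct seq_state {
    uint32_t highest;    /* highest sequence number accepted so far */
    uint64_t seen;       /* bit i set => (highest - i) already accepted */
    bool     started;    /* false until the first packet is accepted */
};

enum seq_verdict {
    SEQ_ACCEPT,              /* new packet, in window or ahead of it */
    SEQ_REJECT_REPLAY,       /* duplicate inside the window */
    SEQ_REJECT_REVERSE_SKEW  /* older than the window: reverse skew */
};

void seq_init(struct seq_state *s) { memset(s, 0, sizeof *s); }

enum seq_verdict seq_check(struct seq_state *s, uint32_t seq) {
    if (!s->started) {
        s->started = true; s->highest = seq; s->seen = 1;
        return SEQ_ACCEPT;
    }
    if (seq > s->highest) {
        /* Forward skew: packets were lost. Accept silently and slide
         * the window forward; a gap >= SEQ_WINDOW clears all history
         * (shifting a uint64_t by 64 or more would be undefined). */
        uint32_t gap = seq - s->highest;
        s->seen = (gap >= SEQ_WINDOW) ? 0 : (s->seen << gap);
        s->seen |= 1;
        s->highest = seq;
        return SEQ_ACCEPT;
    }
    uint32_t age = s->highest - seq;
    if (age >= SEQ_WINDOW)                     /* too old: reverse skew */
        return SEQ_REJECT_REVERSE_SKEW;
    if (s->seen & ((uint64_t)1 << age))        /* already accepted once */
        return SEQ_REJECT_REPLAY;
    s->seen |= (uint64_t)1 << age;             /* late but genuine */
    return SEQ_ACCEPT;
}
```

A rejected packet is where the tunnel code would log the skew; a large forward jump simply advances the window without complaint.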