* RCSID $Id: DONE,v 1.23 2001/12/15 05:52:45 rgb Exp $
send ICMP on by default
detach, but don't down ipsec virtual device if attached physical
fix tncfg output after attached physical I/F disappears.
010226 add hold machinery to store the last packet sent to the hold eroute
and re-inject it once the hold is deleted. (eroute entry or
auto AH+ESP transport mode oops?
ipcomp: fix i[56]86 ASM code 2.4 makefile issues
kill single-letter options from klips utils manpages.
add --label to klips utils manpages
ah tunnel -- 3 esp packets kills the sg
single spi ungroup fails
elucidate the meaning of 'tdb' in all error message references
change AH replay window option to default to 64: NOT!
explain need for ipfwadm command in the modes.html masq eg.
review command order in modes.html for security/packet loss
better kernel error messages for eroute commands
check for missing 0x, 0t or 0s on the front of keys for spi command
atodata now accepts '0c' along with '0x' and '0s': check calling code
0t key format for esp3des transforms
Check all klips_debug output for \n
spi --ah needs testing
bundled AH+ESP crashes older/slower machines
ReExamine /proc/net/ipsec_* with 'less' (1pg) vs 'cat' (ok).
Default none manual replay bug
spi --add/--del memory leak
Short-circuit udp/500 for pluto to talk unencumbered. ASK LIST
clean up rh5.2 klips compile warnings
'cannot record stats' on packets from valid I/F. (intermittent)
hard-coded hard_header_len
Fixed ping -s 8000 reboots system!!!
"kmalloc called nonatomically from interrupt 0x0000000e"

Features for 1.0: klips kernel
Interop with other IPSEC implementations (verify with others)
OpenBSD ESP-3DES-HMAC-MD5-96
OpenBSD ESP-DES-HMAC-MD5-96
OpenBSD AH-HMAC-MD5-96
OpenBSD AH-HMAC-SHA1-96
Free all memory used for tdb table and eroute tree when unloading
Symbolic proc_net # instead of hardwiring
Fixed Examine /proc/net/ipsec_* for limits. Currently, it corrupts the
system if more than 3k is printed out.
Add /proc/net/ipsec_spinew
Add /proc/net/ipsec_versions/transforms/config
Move code to /usr/src/linux/net/ipsec with symlinks back to
freeswan install directory.
Experimental option in kernel config
Check for IPIP protocol enabled and either complain, or load it if need.
Static link the klips module into the kernel
klips_debug prefix on all printk's
Dropped packet reporting
add protocol to SA selector
add a '--replace' or '--delany' option to eroute (and --quiet?)
Print out protocol in /proc/net/ipsec_* SAs
Short-circuit udp/500 for pluto to talk unencumbered.
Change /proc/net/ipsec_spi* to output 'Decrypt' for inbound SAs
Set kernel config defaults for virgin kernel. see arch/*/defconfig
Switch pointer printing to %p for 64-bit compatibility.
Sort out routing issues (tunnel -->forward/findroute?, missing route?)
Do kernel-based inbound SA detection.

Features for 1.0: klips utils
Separate auth and encryption keys in esp{3,}des-hmacmd5{96,} (option?)
Pluto/kernel.c mods for adding routes and tncfg's (check and add)
Fix manual keying split key bug
spi key size error checking
Install manpages in the right place.
Implement standard gnu command format long option names
Add error checking for valid input (ip's) to utils
Add host/net name lookup and netmask bits to utils
Notify user why insufficient perms for non-root (getenv)
Utils with useful parse errors (rather than spamming large usage txt)
Eliminate invocations of perror()
Let utils get keys from files to avoid ps exposure from command line
Use 0x for hex in command line parsing and provide for other radices
Clear eroute tncfg and spi tables in one command
Open: Protocol driver not attached -- elaborate!
add protocol to SA selector
add a '--replace' or '--delany' option to eroute (and --quiet?)
Check error codes from resolver fns.
Add SA reference to spi usage errors.
--label field to replace the program name on error output.
Enable klips manual utils to use monolithic SA specifier.

Features for 1.0: klips documentation
Html trans/tun, algos, static/insmod/kerneld setup support
Prominently mark obsolete xforms (truth in labelling)
Add xform usage examples
Add FILES and EXAMPLES sections to manpages
intro to rgb_setup.txt
Xform to standards/doc_draft_refs mapping in:
Update Configure.help
mention tcpdump in some prominent place as a check tool. (HS)
modes.html theory comments
Clarify extruded section of modes.html (ie. no masquerading)

Features for 1.0: general
Add function to get ipsec driver and utils version from userland
Provide facility to dump system state (HS)
Split patches into a sub-directory
Define standard notation for SAs (HS)
Utils return values from kernel: real error codes (0 for ok)
Fragment after processing iff(DF && (effective PMTU is too small)) (rfc2401-6.1.2.2)
2.2.xx support, still virtual device based.
Add {start,up,remain}{times,bytes,pkts} to /proc/net/ipsec_spi
Per-SA statistics via /proc/net/ipsec_spi:
in/out-bound packets/bytes/errors
max(cur_rx_seq#-prev_rx_seq#-1,0)
parse extension types:
address_{flow,mask}{src,dst}
x_grpsa (will be obsolete...)
Create user library from common user-space code (pfkey,...)
ipsec_rcv.c: esp/ah len incorrect parameter used
blow hole on udp/500 only when src=local
- UDP/500 packets must only go in the clear if they are being sent
through an interface whose IP address matches the source address.
- disable/delete netlink
/proc/net/ipsec_* documentation in ipsec_*.5 manpages
Passthrough packets must be sent with frag in mind.
update ipsec.8, manual.8, klips/utils/*.[58] for /proc/net/{ipsec_*,pf_key}
pfkey_acquire() oops fixed.
Oops if IPCOMP not config in KLIPS but negotiated by pluto.
Passthrough packets must be sent with frag in mind.
Add magic saids for pass, drop, reject, trap, hold
Investigate PMTU (rfc2401-4.4.2, 6.1.2)
Mark incoming packets as from ipsec0 for accounting and validation
Provide more help in debugging key input errors
Include protocol (esp or ah) in SA selection
ESP-3DES-HMAC-SHA1-96
ESP-NULL-HMAC-SHA1-96
Make IV truly optional for spi command (need kernel cryptorandom source)
/dev/{,u}random|drivers/char/random.c:random_read()
Unify esp and ah routines to one of each, calling cipher and
authentication sub-routines as needed
Have kernel config automatically configure IPIP with IPSEC?

* Revision 1.23 2001/12/15 05:52:45 rgb
* Revision 1.22 2001/06/01 07:25:19 rgb
* Clean up miscellaneous stuff...
* Revision 1.21 2001/02/26 20:11:12 rgb
* Post 1.9 candidate, magic SAs and email purge updates.
* Revision 1.20 2000/11/06 05:09:00 rgb
* Revision 1.19 2000/09/08 19:24:08 rgb
* Bypass frag update.
* Revision 1.18 2000/07/05 17:25:09 rgb
* Update to reflect manpage update and remove noise from DONE.
* Revision 1.17 2000/06/20 22:39:10 rgb
* Revision 1.16 2000/01/26 10:02:17 rgb
* Revision 1.15 1999/11/23 23:09:45 rgb
* Updates since just after 1.1, includes more PFKEY detail.
* Revision 1.14 1999/10/16 04:21:45 rgb
* Long-overdue update including a few pre-1.1 things, but more post-1.1
* stuff that has been waiting to be added.
* Revision 1.13 1999/04/29 15:28:33 rgb
* Updates since 1.00.
* Revision 1.12 1999/04/06 04:54:22 rgb
* Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes