* RCSID $Id: TODO,v 1.75 2002/03/08 21:30:12 rgb Exp $
by destination, most memory intensive
write FS ICMP/MTU policy
mess around with dst cache MSS
fordhr: enforce 4k msg limit.
fix pfkey_update:new tdb should add to, not replace original: oe lifespan
implement self-documenting kernel code:
http://kernelbook.sourceforge.net/#kdocs
replace IKE bypass machinery with SPD entries.
implement eroute reject ICMP "communication administratively prohibited"
fix lifetime_byte_c len/ilen assignment
pick-next-less-specific-eroute for intermediate tunnel lookup
sparc64:klips/net/ipsec/ipsec_tunnel.c:2106/2912:
only 16B copied, 32 required, see:
arch/sparc64/kernel/ioctl32.c:450/3806:dev_ifname32()
BUGS: order of spigrp options somewhat important. debug before all
leakage on ipsec startup?
2.0.xx problems reported with LFS1.1: MTU/fragmentation, instability.
0/0 - extruded subnets on 2.2
denker and crashing moats, NMI board from denker
timeout SA after configured time of non-use
UML test bench and battery of tests
SHA-256/384/512 hashes

Priorities and resources:
- discussions with OpenBSD and KAME
- research for spd decision, spd decision
- sharing SAs not mandatory, but perhaps desirable?
- include community code
- minidenker - different IP address on ipsec I/F than attached I/F
- inbound eroute/subnet checking for DHR
advanced policy routing from HS

2.3 merge comments from dmiller:
non-US contribution policy big problem

2.3 merge comments from ankuznetsov:
remove deprecated sklist_{insert,remove,destroy}_socket() calls
ditch compiler directives

2.3 merge comments from akleen:
modular not reason for putting in main tree
use the routing table for security policy
do transport mode early in packet creation
handle MTU handling more cleanly
non-US contribution policy big problem
as of 2.3.xx init calls are not necessary
type __init function(){}
type __exit function(){}

Features for 1.0: klips kernel
Most Provide more useful error messages from kernel
Most Sanitize klips headers for use above and below kernel/user I/F.
Part #defines for kernel constants ie. hash function magic numbers, etc.
1.0 Clear all eroutes and spis when last ipsec device is ifconfiged down.
Per-SA statistics via /proc/net/ipsec_spi:

Features for 1.0: klips utils
Errors: what is wrong, where in code, what can't do, what is fix
Use consistent units: ie. hex digits, bytes or bits.
Most Include 'ipsec' prefix in all manual utils calls in test scripts

Features for 1.0: klips documentation
Xform to standards/doc_draft_refs mapping in source header comments
Create HOWTO-debug_IPSEC (troubleshooting guide)

Features for 1.0: general
1.1 Audit for info leaks
1.1 Audit for bugs ?!?
HS? Make 'check' (gnu coding standard, make, make check, make install)
Errors: when,who,to whom,what,what can't do,what is wrong,how to fix
error reporting: (1) programmer's debugging (2) user's debugging

signal userspace process (use select on listening processes) (written, needs testing)
parse extension types:
ident (written, needs testing)
sens (written, needs testing)
prop (written, needs testing)
supported (written, needs testing)
parse message types, in kernel:
get (written, needs testing)
acquire (written, needs testing)
register (written, needs testing)
expire (written, needs testing)
initiate message types, in kernel:
acquire (written, needs testing)
expire (written, needs testing)
Most Expire SA's on soft/hard time/seq/qty and signal user (pfkey) (written, needs testing)
satot() conversion for /proc spi display
xlen, skb->len review for bogus packets, skb->len must be larger than ip->totlen
Port to ipchains/netfilter (with ifdefs to virtual device paradigm)
Kernel interface documentation (this will change on PF_KEY2 and 2.2.xx)
Convert to AES algorithm I/F to be able to add algorithms.
http://www.seven77.demon.co.uk/aes.htm
Check for weak keys and reject (k1==k2, k2==k3) (des_is_weak_key(), des_set_odd_parity())
Add processing for IP options in outgoing and incoming packets
(rfc2402, 3.3.3.1.1.2, appendix A)
Add support for userspace udp/500 blasting at selected port number. (SPD)
Be able to use <uid>, <proto>, <sport> and <dport> in SPD.
pt.fw Force all incoming packets through IPSEC SPD check
Separate in/out/IF SPD/SADs (rfc2401-4.4)
Accept IP ranges (pluto or eroute?)
Config option to accept or reject unauthenticated ICMP traffic (rfc2401-6.)
Config option to copy DF bit to new tunnel (rfc2401-6.1.1, Appendix.B)
Dynamic Assignment of the "inside" tunnel address for the road warrior.
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-01.txt
http://www.ietf.org/internet-drafts/draft-gupta-ipsec-remote-access-01.txt
http://www.ietf.org/internet-drafts/draft-ietf-nat-hnat-00.txt
http://www.sandelman.ottawa.on.ca/SSW/ietf/draft-richardson-ipsec-traversal-cert-01.txt
Standardise for code portability -- standard C (ask HS)

* Revision 1.75 2002/03/08 21:30:12 rgb
* Add note about pfkey update being able to simply change lifetimes of
* Revision 1.74 2002/01/07 20:01:38 rgb
* Revision 1.73 2001/12/15 05:52:46 rgb
* Revision 1.72 2001/11/12 19:30:29 rgb
* Notes from recent meeting.
* Revision 1.71 2001/08/15 08:43:10 rgb
* Revision 1.70 2001/06/01 07:25:19 rgb
* Clean up miscellaneous stuff...
* Revision 1.69 2001/05/19 02:30:00 rgb
* Added a couple of klips utils doc bugs.
* Revision 1.68 2001/04/19 19:03:37 rgb
* Added note to update in update rather than replace.
* Revision 1.67 2001/03/16 07:30:20 rgb
* Add 2.4 ipcomp asm note.
* Revision 1.66 2001/02/26 20:11:12 rgb
* Post 1.9 candidate, magic SAs and email purge updates.
* Revision 1.65 2001/01/29 22:29:46 rgb
* Add dhr suggestion.
* Revision 1.64 2000/11/06 05:09:00 rgb
* Revision 1.63 2000/09/29 19:45:57 rgb
* Post-interop update.
* Revision 1.62 2000/09/08 19:24:08 rgb
* Bypass frag update.
* Revision 1.61 2000/09/08 18:52:04 rgb
* Updated pfkey status.
* Revision 1.60 2000/08/22 18:08:38 rgb
* Revision 1.59 2000/07/28 14:52:23 rgb
* List sparc64 tncfg bug.
* Revision 1.58 2000/07/05 17:25:09 rgb
* Update to reflect manpage update and remove noise from DONE.
* Revision 1.57 2000/06/21 17:07:29 rgb
* Update for current manpage mods.
* Revision 1.56 2000/06/20 22:40:28 rgb
* Updated for 1.4. Re-prioritized/cleaned up.
* Revision 1.55 2000/03/16 06:10:43 rgb
* Ottawa meeting notes.
* 2.3 potential merge notes.
* Revision 1.54 2000/01/26 10:02:17 rgb
* Revision 1.53 1999/11/23 23:09:45 rgb
* Updates since just after 1.1, includes more PFKEY detail.
* Revision 1.52 1999/10/16 04:21:45 rgb
* Long-overdue update including a few pre-1.1 things, but more post-1.1
* stuff that has been waiting to be added.
* Revision 1.51 1999/09/18 11:36:05 rgb
* Clarify 2.2/ipchains/netfilter goals.
* Revision 1.50 1999/08/06 16:02:26 rgb
* Add JSD's tunnel statistics wish list.
* Revision 1.49 1999/08/03 17:38:38 rgb
* Revision 1.48 1999/04/29 15:28:45 rgb
* Updates since 1.00.
* Revision 1.47 1999/04/06 04:54:23 rgb
* Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes