author | Niklas Hallqvist <niklas@cvs.openbsd.org> | 1999-06-02 06:32:36 +0000 |
---|---|---|
committer | Niklas Hallqvist <niklas@cvs.openbsd.org> | 1999-06-02 06:32:36 +0000 |
commit | 81340676fd11f514f2ee69e011240e9bb45d1980 (patch) | |
tree | 1b12dd57394bf33df5698e98564821442473afdb | |
parent | 53a335c95846fa5c69305acde6936607359e736b (diff) |
Merge with EOM 1.44
author: niklas
Double dots squashed
author: ho
Updated. Minor typos.
-rw-r--r-- | sbin/isakmpd/DESIGN-NOTES | 28 |
1 files changed, 19 insertions, 9 deletions
diff --git a/sbin/isakmpd/DESIGN-NOTES b/sbin/isakmpd/DESIGN-NOTES index 62dcf4264d5..32b45698c2c 100644 --- a/sbin/isakmpd/DESIGN-NOTES +++ b/sbin/isakmpd/DESIGN-NOTES @@ -1,5 +1,5 @@ -$OpenBSD: DESIGN-NOTES,v 1.10 1999/05/01 20:43:41 niklas Exp $ -$EOM: DESIGN-NOTES,v 1.42 1999/05/01 20:21:04 niklas Exp $ +$OpenBSD: DESIGN-NOTES,v 1.11 1999/06/02 06:32:35 niklas Exp $ +$EOM: DESIGN-NOTES,v 1.44 1999/05/25 07:51:18 niklas Exp $ General coding conventions -------------------------- @@ -36,7 +36,7 @@ cert.c Dispatching certificate related functions to the according module based on the encoding. conf.c Interface to isakmpd configuration. connection.c Handle the high-level connection concept. -constants.c Value to name map of constants.. +constants.c Value to name map of constants. cookie.c Cookie generation. crypto.c Generic cryptography. dh.c Diffie-Hellman exchange logic. @@ -53,7 +53,7 @@ hash.c Generic hash handling. if.c Network interface details. ike_auth.c IKE authentication method abstraction. ike_aggressive.c - IKE's main mode exchange logic. + IKE's aggressive mode exchange logic. ike_main_mode.c IKE's main mode exchange logic. ike_phase_1.c Common parts IKE's main & aggressive modes' exchange logic. ike_quick_mode.c @@ -134,7 +134,7 @@ Phase 2 exchange Cookie pair + message ID. Generic SA Cookie pair + message ID + SPI. However it would be really nice to have a name of any SA that is natural -to use for human beings, for things like deleteing SAs manually. The simplest +to use for human beings, for things like deleting SAs manually. The simplest ID would be the struct sa address. Another idea would be some kind of sequence number, either global or per-destination. Right now I have introduced a name for SAs, non-unique, that binds together SAs and their configuration 
@@ -207,11 +207,11 @@ User control In order to control the daemon you send commands through a FIFO called isakmpd.fifo. The commands are one-letter codes followed by arguments. -For now, only three commands are planned: +For now, only five such commands are implemented: c connect Establish a connection with a peer d delete Delete an SA given cookies and message-IDs -D debug Toggle some debug flag +D debug Change logging level for a debug class r report Report status information of the daemon t teardown Teardown a connection @@ -231,6 +231,16 @@ and security associations. I am thinking about adding a "q" command for quit. +In addition to giving commands over the FIFO, you may send signals to the +daemon. Currently two such signals are implemented: + +SIGHUP Re-initialize isakmpd (not fully implemented yet) +SIGUSR1 Generate a report, much as the "r" FIFO command. + +For example, to generate a report, you do: + +unix# kill -USR1 <PID of isakmpd process> + The constant descriptions ------------------------- @@ -293,7 +303,7 @@ Identification ISAKMP supports a lot of identity types, and we should too of course. -* Main mode +* Phase 1, Main mode or Aggressive mode Today when we connect we do it based on the peer's IP address. That does not automatically mean we should do policy decision based on IPs, rather we should @@ -317,7 +327,7 @@ Accept= yes Which means niklas.hallqvist.se is allowed to negotiate SAs with us, but noone else. -* Quick mode +* Phase 2, Quick mode In quick mode the identities are implicitly the IP addresses of the peers, which must mean the IP addresses actually used for the ISAKMP tunnel. |
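Review bot: in the "User control" hunk, the rewritten "D debug" line ("Change logging level for a debug class") and the count change from three planned to five implemented commands are consistent with the list, but the list still never states the argument syntax that the sentence above it promises ("one-letter codes followed by arguments"): "d delete" needs cookies and message-IDs, and the new "D" wording implies a class and a level. Suggest spelling out the arguments per command, for example extending the "D" line to something like "D <class> <level>" (exact form to match the parser).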
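Review bot: in the signals hunk, "SIGHUP Re-initialize isakmpd (not fully implemented yet)" should say which state is actually re-read on SIGHUP today and which is not, because an operator who sends SIGHUP expecting a configuration reload cannot otherwise tell an unimplemented path from a silent failure. The same section should also state the expected ownership and permissions of isakmpd.fifo, since the FIFO commands described here can delete SAs and tear down connections, and it is worth saying where the SIGUSR1 report is written relative to the "r" command's output so the two are clearly the same report.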
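Review bot: in the "Identification" hunk the heading becomes "Phase 1, Main mode or Aggressive mode", but the body text underneath is unchanged and still only describes connecting based on the peer's IP address. If identity handling is meant to be the same for both modes, say so explicitly under the new heading; otherwise add the aggressive mode differences there, as the renamed heading now promises both.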