$OpenBSD: BUGS,v 1.5 1999/02/26 03:29:20 niklas Exp $ $EOM: BUGS,v 1.23 1999/02/24 15:48:05 niklas Exp $ Until we have a bug-tracking system setup, we might just add bugs to this file: ------------------------------------------------------------------------------ * message_drop frees the message, this is sometimes wrong and can cause duplicate frees, for example when a proposal does not get chosen. [fixed] * Notifications should be their own exchanges, otherwise the IV gets disturbed. [fixed] * We need a death timeout on half-ready SAs just like exchanges. At the moment we leak SAs. * When we establish a phase 2 exchange we seem to get the wrong IV set, according to SSH's logs. [fixed] * If a phase 1 SA negotiation exists with a cause that is to be sent in a NOTIFY to the peer, we get multiple free calls on the cleanup of the informational exchange. * IKE mandates that a HASH should be added to informational exchanges in phase 2. * Message_send requires an exchange to exist, and potentially it tries to encrypt a message multiple times when retransmitting. [fixed] * Multiple protocol proposals seems to fail. [fixed] * The initiator fails to match the responders choice of protocol suite with the correct one of its own when several are offered. [fixed] * Duplicate specified sections is not detected. [fixed] * Quick mode establishments via UI using -P bind-addr gets "Address already in use". * Not chosen proposals should be deleted from the protos list in the sa structure. [fixed] * Setting SPIs generates "Invalid argument" errors due to one tunnel endpoint being INADDR_ANY. [fixed] * ipsec_proto structs are never allocated. [fixed] * Remove SPIs of unused proposals. [fixed] * If the first proposal is turned down, the initiator gets confused. * Renegotiation after a failed phase 1 fails. * Phase 1 rekey event removal seems to be done twice. [fixed] * PF_ENCAP expirations does not find the proper phase 2 SA to remove. * ISAKMP SA expirations should have a soft/hard timeout just like IPsec ones. The soft one should put a watchdog on the SA, and start a renegotiation as soon as something used the SA. Hard ones should just clean it up, no renegotiation at all. * ISAKMP SAs does not get removed after rekeying. * On-demand PF_ENCAP SAs does not get reestablished. * Rekeying is now done automatically on expirations, it should not. The SAs should be brought up on-demand just like the first time.