$OpenBSD: TO-DO,v 1.16 1999/07/18 09:33:06 niklas Exp $ $EOM: TO-DO,v 1.42 1999/07/18 09:12:57 niklas Exp $ This file is pretty lame as it should really contain a lot more given that the program is far from ready in any area. * Add debugging messages, maybe possible to control asynchronously. [done] * Implement the local policy governing logging and notification of exceptional conditions. * A field description mechanism used for things like making packet dumps readable etc. Both Photurisd and Pluto does this. [done] * Fix the cookies. [done] * Garbage collect transports (ref-counting?). [done] * Retransmission/dup packet handling. [done] * Generic payload checks. [mostly done] * For math, speed up multiplication and division functions. * Cleanup of SAs when dropping messages. [done] * Look over message resource tracking. [done] * Retransmission timing & count adaptivity and configurability. [configurability done] * Quick mode exchanges [done] * Aggressive mode exchange. [done] * Finish main mode exchange [done] * Separation of key exchange from the IPSEC DOI, i.e. factor out IKE details. * Setup the IPSEC situation field in the main mode. [done] * Kernel interface for IPSEC parameter passing. [done] * Notify of unsupported situations. * Set/get field macros generated from the field descriptions. [done] * SIGHUP handler with reparsing of config file. [done] * RSA signature authentication. [done] * DSS signature authentication. * RSA encryption authentication. * New group mode. * DELETE payload handling, and generation from ui. [generation done] * Deal well with incoming informational exchanges. [done] * Generate all possible SA attributes in quick mode. [done] * Validate incoming attribute according to policy, main mode. [done] * Validate incoming attribute according to policy, quick mode. [done] * Cleanup reserved SPIs on cleanup of associated SAs. [done] * Validate attribute types (i.e. that what the specs tells should be basic). * Cleanup reserved SPIs in proposals never chosen. [done] * Add time measuring and reporting to the exchange code for catching of bottlenecks. * Rescan interfaces on SIGHUP and on reception of messages on the INADDR_ANY listener socket. * Validate the configuration file. * Do a soft-limit on ISAKMP SA lifetime. [done] * Let the hard-limit on ISAKMP SA lifetime destroy the SA ASAP. [done] * IPsec rekeying. [done] * Store tunnels into SPD, and handle acquire SA events. [pf_encap done] * If an exchange is on-going when a rekey event happens, drop the request. [done] * INITIAL CONTACT notification sending when appropriate. [done] * INITIAL CONTACT notification handling. [done] * IPsec SAs could also do with timers protecting its lifetime, if say, someone changed the lifetime of the IPsec SA in stack under us. [done] * Handle notifications showing the peer did not want to continue this exchange. * Flexible identification. * Remove referring flows when a SPI is removed. * IPCOMP. * Remove log_fatals from policy code, if error in policy file reading fall back to check policy against connections. * Acknowledged notification exchange. * Tiger hash. * El-Gamal public key encryption. * Check of attributes not being changed by the responder in phase 2. * See to the commit bit will never be used in phase 1. Give INVALID-FLAGS if seeing it. * Can we do the X.509 stuff optional for systems without libcrypto? * Base mode. * IKECFG * XAUTH framework. * PKCS#11 * XAUTH hybrid frame work. * Specify extra certificates to send somehow. * Handle CERTs anywhere in an exchange.