summaryrefslogtreecommitdiff
path: root/sbin/isakmpd/BUGS
blob: 8324d10bf5561f93a7818f04b8027076c8ea367f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
$OpenBSD: BUGS,v 1.5 1999/02/26 03:29:20 niklas Exp $
$EOM: BUGS,v 1.23 1999/02/24 15:48:05 niklas Exp $

Until we have a bug-tracking system setup, we might just add bugs to this
file:
------------------------------------------------------------------------------
* message_drop frees the message, this is sometimes wrong and can cause
  duplicate frees, for example when a proposal does not get chosen. [fixed]

* Notifications should be their own exchanges, otherwise the IV gets
  disturbed. [fixed]

* We need a death timeout on half-ready SAs just like exchanges.  At the
  moment we leak SAs.

* When we establish a phase 2 exchange we seem to get the wrong IV set,
  according to SSH's logs. [fixed]

* If a phase 1 SA negotiation exists with a cause that is to be sent in
  a NOTIFY to the peer, we get multiple free calls on the cleanup of the
  informational exchange.

* IKE mandates that a HASH should be added to informational exchanges in
  phase 2.

* Message_send requires an exchange to exist, and potentially it tries to
  encrypt a message multiple times when retransmitting. [fixed]

* Multiple protocol proposals seems to fail. [fixed]

* The initiator fails to match the responders choice of protocol suite with
  the correct one of its own when several are offered. [fixed]

* Duplicate specified sections is not detected. [fixed]

* Quick mode establishments via UI using -P bind-addr gets "Address already in
  use".

* Not chosen proposals should be deleted from the protos list in the sa
  structure. [fixed]

* Setting SPIs generates "Invalid argument" errors due to one tunnel endpoint
  being INADDR_ANY. [fixed]

* ipsec_proto structs are never allocated. [fixed]

* Remove SPIs of unused proposals. [fixed]

* If the first proposal is turned down, the initiator gets confused.

* Renegotiation after a failed phase 1 fails.

* Phase 1 rekey event removal seems to be done twice. [fixed]

* PF_ENCAP expirations does not find the proper phase 2 SA to remove.

* ISAKMP SA expirations should have a soft/hard timeout just like IPsec ones.
  The soft one should put a watchdog on the SA, and start a renegotiation as
  soon as something used the SA.  Hard ones should just clean it up, no
  renegotiation at all.

* ISAKMP SAs does not get removed after rekeying.

* On-demand PF_ENCAP SAs does not get reestablished.

* Rekeying is now done automatically on expirations, it should not.  The
  SAs should be brought up on-demand just like the first time.