1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
$OpenBSD: BUGS,v 1.5 1999/02/26 03:29:20 niklas Exp $
$EOM: BUGS,v 1.23 1999/02/24 15:48:05 niklas Exp $
Until we have a bug-tracking system setup, we might just add bugs to this
file:
------------------------------------------------------------------------------
* message_drop frees the message, this is sometimes wrong and can cause
duplicate frees, for example when a proposal does not get chosen. [fixed]
* Notifications should be their own exchanges, otherwise the IV gets
disturbed. [fixed]
* We need a death timeout on half-ready SAs just like exchanges. At the
moment we leak SAs.
* When we establish a phase 2 exchange we seem to get the wrong IV set,
according to SSH's logs. [fixed]
* If a phase 1 SA negotiation exists with a cause that is to be sent in
a NOTIFY to the peer, we get multiple free calls on the cleanup of the
informational exchange.
* IKE mandates that a HASH should be added to informational exchanges in
phase 2.
* Message_send requires an exchange to exist, and potentially it tries to
encrypt a message multiple times when retransmitting. [fixed]
* Multiple protocol proposals seems to fail. [fixed]
* The initiator fails to match the responders choice of protocol suite with
the correct one of its own when several are offered. [fixed]
* Duplicate specified sections is not detected. [fixed]
* Quick mode establishments via UI using -P bind-addr gets "Address already in
use".
* Not chosen proposals should be deleted from the protos list in the sa
structure. [fixed]
* Setting SPIs generates "Invalid argument" errors due to one tunnel endpoint
being INADDR_ANY. [fixed]
* ipsec_proto structs are never allocated. [fixed]
* Remove SPIs of unused proposals. [fixed]
* If the first proposal is turned down, the initiator gets confused.
* Renegotiation after a failed phase 1 fails.
* Phase 1 rekey event removal seems to be done twice. [fixed]
* PF_ENCAP expirations does not find the proper phase 2 SA to remove.
* ISAKMP SA expirations should have a soft/hard timeout just like IPsec ones.
The soft one should put a watchdog on the SA, and start a renegotiation as
soon as something used the SA. Hard ones should just clean it up, no
renegotiation at all.
* ISAKMP SAs does not get removed after rekeying.
* On-demand PF_ENCAP SAs does not get reestablished.
* Rekeying is now done automatically on expirations, it should not. The
SAs should be brought up on-demand just like the first time.
|