$OpenBSD: TO-DO,v 1.14 1999/07/07 22:14:56 niklas Exp $
$EOM: TO-DO,v 1.40 1999/06/15 11:33:36 niklas Exp $
This file is pretty lame as it should really contain a lot more given that
the program is far from ready in any area.
* Add debugging messages, maybe possible to control asynchronously. [done]
* Implement the local policy governing logging and notification of exceptional
conditions.
* A field description mechanism used for things like making packet dumps
readable etc. Both Photurisd and Pluto do this. [done]
* Fix the cookies. <Niels> [done]
* Garbage collect transports (ref-counting?). [done]
* Retransmission/dup packet handling. [done]
* Generic payload checks. [mostly done]
* For math, speed up multiplication and division functions.
* Cleanup of SAs when dropping messages. [done]
* Look over message resource tracking. [done]
* Retransmission timing & count adaptivity and configurability.
[configurability done]
* Quick mode exchanges [done]
* Aggressive mode exchange. [done]
* Finish main mode exchange [done]
* Separation of key exchange from the IPSEC DOI, i.e. factor out IKE details.
* Setup the IPSEC situation field in the main mode. [done]
* Kernel interface for IPSEC parameter passing. [done]
* Notify of unsupported situations.
* Set/get field macros generated from the field descriptions. [done]
* SIGHUP handler with reparsing of config file. [done]
* RSA signature authentication. <Niels> [done]
* DSS signature authentication.
* RSA encryption authentication.
* New group mode.
* DELETE payload handling, and generation from ui. [generation done]
* Deal well with incoming informational exchanges. [done]
* Generate all possible SA attributes in quick mode. [done]
* Validate incoming attribute according to policy, main mode. [done]
* Validate incoming attribute according to policy, quick mode. [done]
* Cleanup reserved SPIs on cleanup of associated SAs. [done]
* Validate attribute types (i.e. that what the specs say should be basic
is basic).
* Cleanup reserved SPIs in proposals never chosen. [done]
* Add time measuring and reporting to the exchange code to catch
bottlenecks.
* Rescan interfaces on SIGHUP and on reception of messages on the INADDR_ANY
listener socket.
* Validate the configuration file.
* Do a soft-limit on ISAKMP SA lifetime. [done]
* Let the hard-limit on ISAKMP SA lifetime destroy the SA ASAP. [done]
* IPsec rekeying. [done]
* Store tunnels into SPD, and handle acquire SA events. [pf_encap done]
* If an exchange is on-going when a rekey event happens, drop the request.
[done]
* INITIAL CONTACT notification sending when appropriate. [done]
* INITIAL CONTACT notification handling. [done]
* IPsec SAs could also do with timers protecting their lifetimes, if, say,
someone changed the lifetime of the IPsec SA in the stack under us. [done]
* Handle notifications showing the peer did not want to continue this exchange.
* Flexible identification.
* Remove referring flows when a SPI is removed.
* IPCOMP.
* Remove log_fatals from policy code; on an error reading the policy file,
fall back to checking policy against connections.