summaryrefslogtreecommitdiff
path: root/sbin/isakmpd/TO-DO
blob: f6929ab31535889ca3bef2e17a6cc3eab9b25b6c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
$OpenBSD: TO-DO,v 1.23 2001/07/01 20:43:39 niklas Exp $
$EOM: TO-DO,v 1.45 2000/04/07 22:47:38 niklas Exp $

This file mixes small nitpicks with large projects to be done.

* Add debugging messages, maybe possible to control asynchronously. [done]

* Implement the local policy governing logging and notification of exceptional
  conditions.

* A field description mechanism used for things like making packet dumps
  readable etc.  Both Photurisd and Pluto does this. [done]

* Fix the cookies. <Niels> [done]

* Garbage collect transports (ref-counting?). [done]

* Retransmission/dup packet handling. [done]

* Generic payload checks. [mostly done]

* For math, speed up multiplication and division functions.

* Cleanup of SAs when dropping messages. [done]

* Look over message resource tracking. [done]

* Retransmission timing & count adaptivity and configurability.
  [configurability done]

* Quick mode exchanges [done]

* Aggressive mode exchange. [done]

* Finish main mode exchange [done]

* Separation of key exchange from the IPsec DOI, i.e. factor out IKE details.

* Setup the IPsec situation field in the main mode. [done]

* Kernel interface for IPsec parameter passing. [done]

* Notify of unsupported situations.

* Set/get field macros generated from the field descriptions. [done]

* SIGHUP handler with reparsing of config file. [done]

* RSA signature authentication. <Niels> [done]

* DSS signature authentication.

* RSA encryption authentication.

* New group mode.

* DELETE payload handling, and generation from ui. [generation done]

* Deal well with incoming informational exchanges. [done]

* Generate all possible SA attributes in quick mode. [done]

* Validate incoming attribute according to policy, main mode. [done]

* Validate incoming attribute according to policy, quick mode. [done]

* Cleanup reserved SPIs on cleanup of associated SAs. [done]

* Validate attribute types (i.e. that what the specs tells should be
  basic).

* Cleanup reserved SPIs in proposals never chosen. [done]

* Add time measuring and reporting to the exchange code for catching of
  bottlenecks.

* Rescan interfaces on SIGHUP and on reception of messages on the INADDR_ANY
  listener socket.

* Validate the configuration file.

* Do a soft-limit on ISAKMP SA lifetime. [done]

* Let the hard-limit on ISAKMP SA lifetime destroy the SA ASAP. [done]

* IPsec rekeying. [done]

* Store tunnels into SPD, and handle acquire SA events. [pf_encap done]

* If an exchange is on-going when a rekey event happens, drop the request.
  [done]

* INITIAL CONTACT notification sending when appropriate. [done]

* INITIAL CONTACT notification handling. [done]

* IPsec SAs could also do with timers protecting its lifetime, if say,
  someone changed the lifetime of the IPsec SA in stack under us. [done]

* Handle notifications showing the peer did not want to continue this exchange.

* Flexible identification.

* Remove referring flows when a SPI is removed.

* IPCOMP.

* Acknowledged notification exchange.

* Tiger hash.

* El-Gamal public key encryption.

* Check of attributes not being changed by the responder in phase 2.

* See to the commit bit will never be used in phase 1.  Give INVALID-FLAGS
  if seeing it.

* Base mode.

* IKECFG [protocol done, configuration controls remain]

* XAUTH framework.

* PKCS#11

* XAUTH hybrid frame work.

* Specify extra certificates to send somehow.

* Handle CERTs anywhere in an exchange.

* Add a way to do multiple configuration commands via ui.

* Replace ui's fifo with a slightly more versatile interface.

* Report current configuration. [done]

* IPv6 [done]

* AES in phase 1

* x509_certreq_validate needs implementing.

* Smartcard support.