added a roadmap of the strongSwan project (TODO)
added some NEWS
parent 532f2347dc
commit 2b4405a3e7
NEWS: 10 lines changed

@ -1,3 +1,13 @@
strongswan-4.0.6
----------------

- IKEv2: Support for reauthentication when rekeying

- fixed most (all?) bugs related to byte order

- a lot of bugfixes


strongswan-4.0.5
----------------

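Review bot: the entry "fixed most (all?) bugs related to byte order" hedges where a release note should be definite; byte-order defects in an IKE daemon are message-parsing and interoperability bugs, so an administrator deciding whether to move off 4.0.5 needs to know which ones were closed. Either name the affected parts or drop the "(all?)", and give "a lot of bugfixes" at least a pointer to the actual list of fixes in the same way the reauthentication entry names its feature.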
@ -0,0 +1,84 @@
-------------------------
strongSwan - Roadmap
-------------------------

These notes mostly belong to charon, the new IKEv2 daemon. The plan is to
migrate IKEv1 into charon. It's hard to say how much effort is needed to
do that, and how much code we can reuse from pluto. But a port IS necessary to
gain hassle-free confiugration, version negotiation and maintainability.

Roadmap for 2007
================

Jan ¦ - first stable release of the strongSwan 4.x branch, 4.1.0?
¦
Feb ¦ - refactoring of exchange handling for better code sharing,
¦ we need to separate specific tasks to reuse them in multiple
¦ exchanges
¦ - merge of EAP authentication code / plugin loader
¦ - merge of the virtual IP support currently in the pipeline
¦ - merge of the experimental "mediated double-NAT" support
¦ - write an IETF draft for this feature
¦
Mar ¦ - interface in charon for the new SMP management interface
¦ - full certificate support
¦ - Cookie support, other fixes to mature against DoS
¦
Apr ¦ - start porting efforts of IKEv1 into charon
¦ - support of IKEv1 messages and payloads in charon
¦
May ¦ - migration of plutos state machine into charon
¦
Jun ¦ - get a useable IKEv1 implementation for simple cases
¦
Jul ¦ - first release of charon supporting IKEv2 and IKEv1, 4.9.0?
¦ - holidays :-)
¦
Aug ¦ - get IKEv1 support to the level of pluto
¦
Sep ¦
¦
Oct ¦
¦
Nov ¦
¦
Dec ¦ - feature complete release, 5.0.0!
¦ - world domination


TODO-List
=========

A set of TODOs. This is only a list of things I write down to not forget them.
Watch out for TODOs in the code.

Build system
------------
- configure flag which allows to ommit vendor id in pluto
- reduce printf handlers count to 10, as uClibc does not support more

Denail of service
-----------------
- Cookie support
- thread exhaustion (multiple messages to a single IKE_SA)

Certificate support
-------------------
- New trustchain mechanism?
- proper CERTREQ support
- proper handling of multiple certificate payloads (import order)
- synchronized CRL fetcher
- OCSP support
- Smartcard interface
- Attribute certificates

Stroke interface
----------------
- add a Rekey-Counter for SAs in "statusall"
- ipsec statusall bytecount
- detach console after first keyingtry
- proper handling of CTRL+C console detach (SIG_PIPE)

Misc
----
- retry transaction on failure while keyingtries > 1
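Review bot: three spelling slips in the new file, one of them in a heading: "confiugration" (configuration) in the intro paragraph, "ommit" (omit) under Build system, and "Denail of service" (Denial of service) as the section title. In that same section, "thread exhaustion (multiple messages to a single IKE_SA)" drops the condition the old charon list spelled out, "when a blocked IKE_SA receives a lot of messages"; keep that wording, since it is the blocked-SA case that makes the item a DoS problem rather than a general throughput note.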
@ -1,84 +0,0 @@
Todo-List for charon
--------------------

+ = done, / = partial, - = todo, ordered by priority


+ private key loading: der, without passphrase
+ load all private keys from ipsec.d/private/ in stroke.c
+ handle leftcert and rightcert in starterstroke.c/stroke.c
+ load specified certs in stroke.c
+ extract public keys from certs
+ public key authentication
+ release for Andreas

+ stroke loglevels
+ stroke up
+ ike_sa_manager checkout_by_hosts
+ stroke down
+ stroke output redirection
+ stroke status

+ libx509
+ new charon build - libstrong?
+ transforms
+ utils (plus host)
+ logger_manager instance in lib
+ leak detective usable for charon and pluto and anything else
+ integrate asn1 parser/oid (asn1/oid)
+ integrate basic PEM loading
+ port x509 stuff

+ doxygen cleanup (charon/lib)
+ new build environment (autotools?)

+ useable certificate support
+ more id types (use atodn from pluto)
+ rewrite certificate storage the clean way
+ further subjectAltName support
+ certificate validation/chaining
+ certificate exchange

+ Apply -W's from Makefile.program to charon
+ do ipsec status via starter

+ stroke status should show configured connections
+ stroke loglevel update
+ stroke argument parsing via getopts/gperf?

+ ipsec.secrets parsing

+ trapping
+ proper delete messages
+ notifys on connection setup failure
+ create child sa message/rekeying
+ IKE_SA rekeying
+ handle all simultaneous rekeying/delete/create cases

+ replace state machine with something more transaction oriented
+ find existing IKE_SA on CHILD_SA initiation

+ use dpdaction/dpddelay parameters from ipsec.conf
+ add firewall script support
+ do not link unneeded libraries in bins
+ include only a minimum of NATD payloads
+ implement 3DES to load encrypted pem files
+ implement a "event bus" mechanism
+ add more output to to up/down, somehow...
- detach console after first keyingtry
- proper handling of CTRL+C console detach (SIG_PIPE)
- configure flag which allows to ommit vendor id in pluto
- ikelifetime should optionally enforce reauthentication
- cookies/DDoS prevention
- implement a mechanism against thread exhaustion
when a blocked IKE_SA receives a lot of messages
- add a crl fetch mechanism which synchronizes equal fetches
- add support for CERTREQs
- proper handling of multiple certificate payloads (import order)
- add a Rekey-Counter for SAs in "statusall"
- ipsec status:
+ on one line: ip, id, spi
+ no key age, rekey for IKE
- byte count
- retry transaction on failure while keyingtries > 1
- reduce printf handlers count to 10, as uClibc does not support more
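Review bot: "- ikelifetime should optionally enforce reauthentication" is the only open ("-") item in this deleted list that does not reappear in the new TODO-List; every other one maps onto a new entry (cookies/DDoS prevention to Cookie support, the crl fetch mechanism to synchronized CRL fetcher, CERTREQs to proper CERTREQ support, byte count to ipsec statusall bytecount). If the NEWS line "Support for reauthentication when rekeying" is what closes it, say so in the commit message; otherwise carry it over, because reauthentication is what bounds how long an IKE_SA keeps running on credentials that were checked only once at setup.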