File: [local] / src / sbin / isakmpd / TO-DO

Revision 1.26, Thu Aug 28 14:43:35 2003 UTC (20 years, 9 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3, OPENBSD_6_2_BASE, OPENBSD_6_2, OPENBSD_6_1_BASE, OPENBSD_6_1, OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9, OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7, OPENBSD_5_6_BASE, OPENBSD_5_6, OPENBSD_5_5_BASE, OPENBSD_5_5, OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3, OPENBSD_5_2_BASE, OPENBSD_5_2, OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0, OPENBSD_4_9_BASE, OPENBSD_4_9, OPENBSD_4_8_BASE, OPENBSD_4_8, OPENBSD_4_7_BASE, OPENBSD_4_7, OPENBSD_4_6_BASE, OPENBSD_4_6, OPENBSD_4_5_BASE, OPENBSD_4_5, OPENBSD_4_4_BASE, OPENBSD_4_4, OPENBSD_4_3_BASE, OPENBSD_4_3, OPENBSD_4_2_BASE, OPENBSD_4_2, OPENBSD_4_1_BASE, OPENBSD_4_1, OPENBSD_4_0_BASE, OPENBSD_4_0, OPENBSD_3_9_BASE, OPENBSD_3_9, OPENBSD_3_8_BASE, OPENBSD_3_8, OPENBSD_3_7_BASE, OPENBSD_3_7, OPENBSD_3_6_BASE, OPENBSD_3_6, OPENBSD_3_5_BASE, OPENBSD_3_5, OPENBSD_3_4_BASE, OPENBSD_3_4, HEAD
Changes since 1.25: +2 -2 lines

support AES in phase 1, too. switch to OpenSSL EVP interface;
with Hans-Joerg.Hoexer at yerbouti.franken.de; ok ho@

$OpenBSD: TO-DO,v 1.26 2003/08/28 14:43:35 markus Exp $
$EOM: TO-DO,v 1.45 2000/04/07 22:47:38 niklas Exp $

This file mixes small nitpicks with large projects to be done.

* Add debugging messages, maybe possible to control asynchronously. [done]

* Implement the local policy governing logging and notification of exceptional
  conditions.

* A field description mechanism used for things like making packet dumps
  readable etc.  Both Photurisd and Pluto do this. [done]

* Fix the cookies. <Niels> [done]

* Garbage collect transports (ref-counting?). [done]

* Retransmission/dup packet handling. [done]

* Generic payload checks. [mostly done]

* For math, speed up multiplication and division functions.

* Cleanup of SAs when dropping messages. [done]

* Look over message resource tracking. [done]

* Retransmission timing & count adaptivity and configurability.
  [configurability done]

* Quick mode exchanges [done]

* Aggressive mode exchange. [done]

* Finish main mode exchange [done]

* Separation of key exchange from the IPsec DOI, i.e. factor out IKE details.

* Setup the IPsec situation field in the main mode. [done]

* Kernel interface for IPsec parameter passing. [done]

* Notify of unsupported situations.

* Set/get field macros generated from the field descriptions. [done]

* SIGHUP handler with reparsing of config file. [done]

* RSA signature authentication. <Niels> [done]

* DSS signature authentication.

* RSA encryption authentication.

* New group mode.

* DELETE payload handling, and generation from ui. [generation done]

* Deal well with incoming informational exchanges. [done]

* Generate all possible SA attributes in quick mode. [done]

* Validate incoming attribute according to policy, main mode. [done]

* Validate incoming attribute according to policy, quick mode. [done]

* Cleanup reserved SPIs on cleanup of associated SAs. [done]

* Validate attribute types (i.e. that what the specs say should be
  basic is basic).

* Cleanup reserved SPIs in proposals never chosen. [done]

* Add time measuring and reporting to the exchange code to catch
  bottlenecks.

* Rescan interfaces on SIGHUP and on reception of messages on the INADDR_ANY
  listener socket. [done]

* Validate the configuration file.

* Do a soft-limit on ISAKMP SA lifetime. [done]

* Let the hard-limit on ISAKMP SA lifetime destroy the SA ASAP. [done]

* IPsec rekeying. [done]

* Store tunnels into SPD, and handle acquire SA events. [done]

* If an exchange is on-going when a rekey event happens, drop the request.
  [done]

* INITIAL CONTACT notification sending when appropriate. [done]

* INITIAL CONTACT notification handling. [done]

* IPsec SAs could also do with timers protecting their lifetime, if, say,
  someone changed the lifetime of the IPsec SA in the stack under us. [done]

* Handle notifications showing the peer did not want to continue this exchange.

* Flexible identification.

* Remove referring flows when a SPI is removed. [done]

* IPCOMP.

* Acknowledged notification exchange.

* Tiger hash.

* El-Gamal public key encryption.

* Check of attributes not being changed by the responder in phase 2.

* See to it that the commit bit is never used in phase 1.  Give INVALID-FLAGS
  if seeing it.

* Base mode.

* IKECFG [protocol done, configuration controls remain]

* XAUTH framework.

* PKCS#11

* XAUTH hybrid framework.

* Specify extra certificates to send somehow.

* Handle CERTs anywhere in an exchange.

* Add a way to do multiple configuration commands via ui.

* Replace ui's fifo with a slightly more versatile interface.

* Report current configuration. [done]

* IPv6 [done]

* AES in phase 1 [done]

* x509_certreq_validate needs implementing.

* Smartcard support.