===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/67.html,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- www/67.html 2020/05/07 08:26:40 1.38
+++ www/67.html 2020/05/07 10:50:18 1.39
@@ -724,52 +724,9 @@
Added point-to-point ospf6d(8) support for
broadcast interfaces.
-
- Added iked(8)
- support for switching rdomain on ipsec(4)
- encryption/decryption, configurable per policy with the new 'rdomain'
- option in iked.conf(5).
- Added support for automatically moving traffic between
- rdomains on ipsec(4)
- encryption or decryption, reducing the attack surface for network
- sidechannel attacks.
- Modified iked(8) to
- always prefer generic signature authentication.
- Fixed an iked(8)
- pubkey leak in the CA process for ASN-DN IDs.
+
Reduced temporary address valid lifetime to 2 days in slaacd(8).
- Fixed user database corruption resulting from use of the ikectl(8) reload command.
- Added the ikectl(8) "show sa" command
- to print information about the state of negotiated IKE SAs, their
- Child SAs and the resulting IPsec flows.
- Added an ikectl(8) "reset id" command
- to reset all SAs from policies with matching destination IDs.
- Corrected iked(8)
- calculation of IPv6 address leases from small address pools.
- Added a policy relookup to iked(8) to replace the default
- policy based on a received cryptographic parameter proposal.
- Added transport mode for child SAs to iked.conf(5).
- Extended the ipsecctl(8) parser to set
- the udpencap flag and port number of an SA.
- Added a -p command line option to iked(8) allowing configuration
- of the UDP encapsulation port.
- Removed IPsec flow blocking unencrypted IPv6 traffic in iked(8).
- Fixed isakmpd(8)
- IKE pcap file creation.
- Enabled ESP UDP-encapsulation with the iked(8) -t flag.
-
Validated authentication lengths in ripd(8) before use to prevent
crashes.
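Review bot: the "Added a policy relookup to iked(8) to replace the default policy based on a received cryptographic parameter proposal" entry deleted in this hunk has no counterpart in the ipsec(4) section added by the following hunk; the nearest item there, "Fixed several bugs that could lead to iked(8) selecting a false policy for incoming requests", describes a bug fix rather than the new relookup behaviour, so either carry the relookup entry over or confirm it is meant to be folded into that fix. The rest of the deleted iked(8), ikectl(8), ipsecctl(8) and isakmpd(8) entries do reappear in the new section, so the move itself looks complete otherwise.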
@@ -929,6 +886,82 @@
asynchronous resolver directly with DHCP-provided nameservers.
Switched to the ASR resolver rather than DHCP when behind a captive
portal.
+
+
+ipsec(4) improvements and
+ bugfixes:
+
+ - Added support for automatically moving traffic between
+ rdomains on ipsec(4)
+ encryption or decryption, reducing the attack surface for network
+ sidechannel attacks.
+
- Added iked(8)
+ support for switching rdomain on ipsec(4)
+ encryption/decryption, configurable per policy with the new
+ 'rdomain' option in iked.conf(5).
+
- Changed the default ipsec level set by iked(8) and isakmpd(8) to
+ IPSEC_LEVEL_REQUIRE. Unencrypted packets matching incoming
+ ipsec flows are no longer accepted by default.
+
- Added curve25519, ecp256, ecp384, ecp521, modp3072 and modp4096 to
+ the default Diffie-Hellman group configuration for IKE SAs in
+ iked(8).
+
- Removed support for the insecure EC2N Diffie-Hellman groups in iked(8).
+
- Changed the default authentication method in iked(8) to
+ generic signature authentication (RFC 7427).
+
- Added ESN configuration options for ikesa in iked.conf(5).
+
- Added transport mode for child SAs to iked(8).
+
- Added active probing for lost connection in iked(8) resulting in a
+ faster connection reset.
+
- Added a -p command line option to iked(8) allow configuration
+ of a non-standard UDP encapsulation port.
+
- Added support for multiple x509 extensions and multiple
+ subjectAltName fields in certificates used with iked(8).
+
- Added support for certificates with uppercase subjectAltNames
+ in iked(8).
+
- Removed automatically installed ipsec(4) flow blocking
+ unencrypted IPv6 traffic in iked(8).
+
- Reduced size of IKE_AUTH message by eliminating duplicate traffic
+ selectors in iked(8).
+
- Added an ikectl(8) "show sa"
+ command to print information about the state of negotiated IKE SAs,
+ their child SAs and the resulting IPsec flows.
+
- Added an ikectl(8) "reset id"
+ command to reset all SAs from policies with matching destination IDs.
+
- Added support for UDP encapsulation in manual SAs set up with ipsec.conf(5).
+
- Fixed an iked(8)
+ bug that lead to connection loss after simultaneous rekeying.
+
- Fixed an iked(8)
+ public key leak in the CA process for ASN-DN IDs.
+
- Fixed a bug that lead to a lost EAP ID after rekeying in iked(8).
+
- Fixed EAP user database corruption resulting from use of the ikectl(8) reload command.
+
- Corrected iked(8)
+ calculation of IPv6 address leases from small address pools.
+
- Fixed several bugs that could lead to iked(8) selecting a false policy
+ for incoming requests, resulting in a failed handshake.
+
- Fixed a bug that broke PSK authentication against Strongswan.
+
- Enabled UDP-encapsulation in Child SAs if iked(8) was started with -t.
+
- Fixed isakmpd(8)
+ IKE pcap file creation.
tmux(1) improvements and bug fixes:
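Review bot: several relocated entries need wording fixes before this lands: "allow configuration of a non-standard UDP encapsulation port" should read "allowing configuration" (the deleted version had it right), "bug that lead to connection loss" and "bug that lead to a lost EAP ID" should be "led to", and "sidechannel" should be "side-channel". The transport-mode entry now cites iked(8) where the deleted entry cited iked.conf(5); since transport mode is set per policy in the configuration file, keep the iked.conf(5) reference. On substance, the switch of the default ipsec level to IPSEC_LEVEL_REQUIRE is the security-relevant item in this list and belongs at the top, and "Removed automatically installed ipsec(4) flow blocking unencrypted IPv6 traffic" reads as a loss of protection when taken on its own; if the IPSEC_LEVEL_REQUIRE default is what makes that flow redundant, say so in the entry or place the two items next to each other so a reader does not mistake it for a regression.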