version 1.38, 2020/05/07 08:26:40 |
version 1.39, 2020/05/07 10:50:18 |
|
|
<li>Added point-to-point <a |
<li>Added point-to-point <a |
href="https://man.openbsd.org/ospf6d">ospf6d(8)</a> support for |
href="https://man.openbsd.org/ospf6d">ospf6d(8)</a> support for |
broadcast interfaces. |
broadcast interfaces. |
<!-- iked --> |
<!-- other daemons --> |
<li>Added <a href="https://man.openbsd.org/iked">iked(8)</a> |
|
support for switching rdomain on <a |
|
href="https://man.openbsd.org/ipsec">ipsec(4)</a> |
|
encryption/decryption, configurable per policy with the new 'rdomain' |
|
option in <a |
|
href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>. |
|
<li>Added support for automatically moving traffic between |
|
rdomains on <a href="https://man.openbsd.org/ipsec">ipsec(4)</a> |
|
encryption or decryption, reducing the attack surface for network |
|
sidechannel attacks. |
|
<li>Modified <a href="https://man.openbsd.org/iked">iked(8)</a> to |
|
always prefer generic signature authentication. |
|
<li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a> |
|
pubkey leak in the CA process for ASN-DN IDs. |
|
<li>Reduced temporary address valid lifetime to 2 days in <a |
<li>Reduced temporary address valid lifetime to 2 days in <a |
href="https://man.openbsd.org/slaacd">slaacd(8)</a>. |
href="https://man.openbsd.org/slaacd">slaacd(8)</a>. |
<li>Fixed user database corruption resulting from use of the <a |
|
href="https://man.openbsd.org/ikectl">ikectl(8)</a> reload command. |
|
<li>Added the <a |
|
href="https://man.openbsd.org/ikectl">ikectl(8)</a> "show sa" command |
|
to print information about the state of negotiated IKE SAs, their |
|
Child SAs and the resulting IPsec flows. |
|
<li>Added an <a |
|
href="https://man.openbsd.org/ikectl">ikectl(8)</a> "reset id" command |
|
to reset all SAs from policies with matching destination IDs. |
|
<li>Corrected <a href="https://man.openbsd.org/iked">iked(8)</a> |
|
calculation of IPv6 address leases from small address pools. |
|
<li>Added a policy relookup to <a |
|
href="https://man.openbsd.org/iked">iked(8)</a> to replace the default |
|
policy based on a received cryptographic parameter proposal. |
|
<li>Added transport mode for child SAs to <a |
|
href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>. |
|
<li>Extended the <a |
|
href="https://man.openbsd.org/ipsecctl">ipsecctl(8)</a> parser to set |
|
the udpencap flag and port number of an SA. |
|
<li>Added a -p command line option to <a |
|
href="https://man.openbsd.org/iked">iked(8)</a> allowing configuration |
|
of the UDP encapsulation port. |
|
<li>Removed IPsec flow blocking unencrypted IPv6 traffic in <a |
|
href="https://man.openbsd.org/iked">iked(8)</a>. |
|
<li>Fixed <a href="https://man.openbsd.org/isakmpd">isakmpd(8)</a> |
|
IKE pcap file creation. |
|
<li>Enabled ESP UDP-encapsulation with the <a |
|
href="https://man.openbsd.org/iked">iked(8)</a> -t flag. |
|
<!-- other daemons --> |
|
<li>Validated authentication lengths in <a |
<li>Validated authentication lengths in <a |
href="https://man.openbsd.org/ripd">ripd(8)</a> before use to prevent |
href="https://man.openbsd.org/ripd">ripd(8)</a> before use to prevent |
crashes. |
crashes. |
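Review bot: the iked(8), ikectl(8), isakmpd(8) and ipsecctl(8) entries removed in this hunk each reappear, sometimes reworded, in the new ipsec(4) list added further down, so this is a lossless move rather than a deletion; the only residue to check is the comment markers: `<!-- iked -->` becomes `<!-- other daemons -->` at the top of the hunk and the original `<!-- other daemons -->` line just before the ripd(8) entry goes away, which leaves the surviving slaacd(8) temporary-address entry and the ripd(8) entry under the "other daemons" marker, as intended.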
|
|
asynchronous resolver directly with DHCP-provided nameservers. |
asynchronous resolver directly with DHCP-provided nameservers. |
Switched to the ASR resolver rather than DHCP when behind a captive |
Switched to the ASR resolver rather than DHCP when behind a captive |
portal. |
portal. |
|
</ul> |
|
|
|
<li><a href="https://man.openbsd.org/ipsec">ipsec(4)</a> improvements and |
|
bugfixes: |
|
<ul> |
|
<li>Added support for automatically moving traffic between |
|
rdomains on <a href="https://man.openbsd.org/ipsec">ipsec(4)</a> |
|
encryption or decryption, reducing the attack surface for network |
|
sidechannel attacks. |
|
<li>Added <a href="https://man.openbsd.org/iked">iked(8)</a> |
|
support for switching rdomain on <a |
|
href="https://man.openbsd.org/ipsec">ipsec(4)</a> |
|
encryption/decryption, configurable per policy with the new |
|
'rdomain' option in <a |
|
href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>. |
|
<li>Changed the default ipsec level set by <a |
|
href="https://man.openbsd.org/iked">iked(8)</a> and <a |
|
href="https://man.openbsd.org/isakmpd">isakmpd(8)</a> to |
|
IPSEC_LEVEL_REQUIRE. Unencrypted packets matching incoming |
|
ipsec flows are no longer accepted by default. |
|
<li>Added curve25519, ecp256, ecp384, ecp521, modp3072 and modp4096 to |
|
the default Diffie-Hellman group configuration for IKE SAs in |
|
<a href="https://man.openbsd.org/iked">iked(8)</a>. |
|
<li>Removed support for the insecure EC2N Diffie-Hellman groups in <a |
|
href="https://man.openbsd.org/iked">iked(8)</a>. |
|
<li>Changed the default authentication method in <a |
|
href="https://man.openbsd.org/iked">iked(8)</a> to |
|
generic signature authentication (RFC 7427). |
|
<li>Added ESN configuration options for ikesa in <a |
|
href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>. |
|
<li>Added transport mode for child SAs to <a |
|
href="https://man.openbsd.org/iked">iked(8)</a>. |
|
<li>Added active probing for lost connection in <a |
|
href="https://man.openbsd.org/iked">iked(8)</a> resulting in a |
|
faster connection reset. |
|
<li>Added a -p command line option to <a |
|
href="https://man.openbsd.org/iked">iked(8)</a> allow configuration |
|
of a non-standard UDP encapsulation port. |
|
<li>Added support for multiple x509 extensions and multiple |
|
subjectAltName fields in certificates used with <a |
|
href="https://man.openbsd.org/iked">iked(8)</a>. |
|
<li>Added support for certificates with uppercase subjectAltNames |
|
in <a href="https://man.openbsd.org/iked">iked(8)</a>. |
|
<li>Removed automatically installed <a |
|
href="https://man.openbsd.org/ipsec">ipsec(4)</a> flow blocking |
|
unencrypted IPv6 traffic in <a |
|
href="https://man.openbsd.org/iked">iked(8)</a>. |
|
<li>Reduced size of IKE_AUTH message by eliminating duplicate traffic |
|
selectors in <a href="https://man.openbsd.org/iked">iked(8)</a>. |
|
<li>Added an <a |
|
href="https://man.openbsd.org/ikectl">ikectl(8)</a> "show sa" |
|
command to print information about the state of negotiated IKE SAs, |
|
their child SAs and the resulting IPsec flows. |
|
<li>Added an <a |
|
href="https://man.openbsd.org/ikectl">ikectl(8)</a> "reset id" |
|
command to reset all SAs from policies with matching destination IDs. |
|
<li>Added support for UDP encapsulation in manual SAs set up with <a |
|
href="https://man.openbsd.org/ipsec.conf">ipsec.conf(5)</a>. |
|
<li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a> |
|
bug that lead to connection loss after simultaneous rekeying. |
|
<li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a> |
|
public key leak in the CA process for ASN-DN IDs. |
|
<li>Fixed a bug that lead to a lost EAP ID after rekeying in <a |
|
href="https://man.openbsd.org/iked">iked(8)</a>. |
|
<li>Fixed EAP user database corruption resulting from use of the <a |
|
href="https://man.openbsd.org/ikectl">ikectl(8)</a> reload command. |
|
<li>Corrected <a href="https://man.openbsd.org/iked">iked(8)</a> |
|
calculation of IPv6 address leases from small address pools. |
|
<li>Fixed several bugs that could lead to <a |
|
href="https://man.openbsd.org/iked">iked(8)</a> selecting a false policy |
|
for incoming requests, resulting in a failed handshake. |
|
<li>Fixed a bug that broke PSK authentication against Strongswan. |
|
<li>Enabled UDP-encapsulation in Child SAs if <a |
|
href="https://man.openbsd.org/iked">iked(8)</a> was started with -t. |
|
<li>Fixed <a href="https://man.openbsd.org/isakmpd">isakmpd(8)</a> |
|
IKE pcap file creation. |
</ul> |
</ul> |
|
|
<li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes: |
<li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes: |
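Review bot: three wording slips in the new ipsec(4) list: the -p entry now reads "allow configuration" where the entry it replaces read "allowing configuration"; the simultaneous-rekeying and lost-EAP-ID entries use "lead to" for "led to"; and "sidechannel", carried over from the old list, should be "side-channel". Two smaller consistency points: "child SAs" is capitalised differently in the "show sa" entry and the -t entry, and "Strongswan" is written strongSwan by that project. Of the items in this list, the IPSEC_LEVEL_REQUIRE entry is the one that changes behaviour on upgrade, since unencrypted packets matching incoming flows are no longer accepted by default; it is rightly placed near the top, but the entry could say explicitly that configurations relying on the old level need a matching ipsec.conf(5) or iked.conf(5) adjustment.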