www/67.html - diff

Return to 67.html CVS log

Up to [local] / www

Diff for /www/67.html between version 1.38 and 1.39

-version 1.38, 2020/05/07 08:26:40
+version 1.39, 2020/05/07 10:50:18
 Line 724
 Line 724
 Line 724
      <li>Added point-to-point <a
          href="https://man.openbsd.org/ospf6d">ospf6d(8)</a> support for
          broadcast interfaces.
- <!-- iked -->
+ <!-- other daemons -->
-     <li>Added <a href="https://man.openbsd.org/iked">iked(8)</a>
-         support for switching rdomain on <a
-         href="https://man.openbsd.org/ipsec">ipsec(4)</a>
-         encryption/decryption, configurable per policy with the new 'rdomain'
-         option in <a
-         href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>.
-     <li>Added support for automatically moving traffic between
-         rdomains on <a href="https://man.openbsd.org/ipsec">ipsec(4)</a>
-         encryption or decryption, reducing the attack surface for network
-         sidechannel attacks.
-     <li>Modified <a href="https://man.openbsd.org/iked">iked(8)</a> to
-         always prefer generic signature authentication.
-     <li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a>
-         pubkey leak in the CA process for ASN-DN IDs.
      <li>Reduced temporary address valid lifetime to 2 days in <a
          href="https://man.openbsd.org/slaacd">slaacd(8)</a>.
-     <li>Fixed user database corruption resulting from use of the <a
-         href="https://man.openbsd.org/ikectl">ikectl(8)</a> reload command.
-     <li>Added the <a
-         href="https://man.openbsd.org/ikectl">ikectl(8)</a> "show sa" command
-         to print information about the state of negotiated IKE SAs, their
-         Child SAs and the resulting IPsec flows.
-     <li>Added an <a
-         href="https://man.openbsd.org/ikectl">ikectl(8)</a> "reset id" command
-         to reset all SAs from policies with matching destination IDs.
-     <li>Corrected <a href="https://man.openbsd.org/iked">iked(8)</a>
-         calculation of IPv6 address leases from small address pools.
-     <li>Added a policy relookup to <a
-         href="https://man.openbsd.org/iked">iked(8)</a> to replace the default
-         policy based on a received cryptographic parameter proposal.
-     <li>Added transport mode for child SAs to <a
-         href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>.
-     <li>Extended the <a
-         href="https://man.openbsd.org/ipsecctl">ipsecctl(8)</a> parser to set
-         the udpencap flag and port number of an SA.
-     <li>Added a -p command line option to <a
-         href="https://man.openbsd.org/iked">iked(8)</a> allowing configuration
-         of the UDP encapsulation port.
-     <li>Removed IPsec flow blocking unencrypted IPv6 traffic in <a
-         href="https://man.openbsd.org/iked">iked(8)</a>.
-     <li>Fixed <a href="https://man.openbsd.org/isakmpd">isakmpd(8)</a>
-         IKE pcap file creation.
-     <li>Enabled ESP UDP-encapsulation with the <a
-         href="https://man.openbsd.org/iked">iked(8)</a> -t flag.
- <!-- other daemons -->
      <li>Validated authentication lengths in <a
          href="https://man.openbsd.org/ripd">ripd(8)</a> before use to prevent
          crashes.
-Line 929
+Line 886
 Line 929
 Line 886
          asynchronous resolver directly with DHCP-provided nameservers.
          Switched to the ASR resolver rather than DHCP when behind a captive
          portal.
+   </ul>
+ <li><a href="https://man.openbsd.org/ipsec">ipsec(4)</a> improvements and
+     bugfixes:
+   <ul>
+     <li>Added support for automatically moving traffic between
+         rdomains on <a href="https://man.openbsd.org/ipsec">ipsec(4)</a>
+         encryption or decryption, reducing the attack surface for network
+         sidechannel attacks.
+     <li>Added <a href="https://man.openbsd.org/iked">iked(8)</a>
+         support for switching rdomain on <a
+         href="https://man.openbsd.org/ipsec">ipsec(4)</a>
+         encryption/decryption, configurable per policy with the new
+         'rdomain' option in <a
+         href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>.
+     <li>Changed the default ipsec level set by <a
+         href="https://man.openbsd.org/iked">iked(8)</a> and <a
+         href="https://man.openbsd.org/isakmpd">isakmpd(8)</a> to
+         IPSEC_LEVEL_REQUIRE. Unencrypted packets matching incoming
+         ipsec flows are no longer accepted by default.
+     <li>Added curve25519, ecp256, ecp384, ecp521, modp3072 and modp4096 to
+         the default Diffie-Hellman group configuration for IKE SAs in
+         <a href="https://man.openbsd.org/iked">iked(8)</a>.
+     <li>Removed support for the insecure EC2N Diffie-Hellman groups in <a
+         href="https://man.openbsd.org/iked">iked(8)</a>.
+     <li>Changed the default authentication method in <a
+         href="https://man.openbsd.org/iked">iked(8)</a> to
+         generic signature authentication (RFC 7427).
+     <li>Added ESN configuration options for ikesa in <a
+         href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>.
+     <li>Added transport mode for child SAs to <a
+         href="https://man.openbsd.org/iked">iked(8)</a>.
+     <li>Added active probing for lost connection in <a
+         href="https://man.openbsd.org/iked">iked(8)</a> resulting in a
+         faster connection reset.
+     <li>Added a -p command line option to <a
+         href="https://man.openbsd.org/iked">iked(8)</a> allow configuration
+         of a non-standard UDP encapsulation port.
+     <li>Added support for multiple x509 extensions and multiple
+         subjectAltName fields in certificates used with <a
+         href="https://man.openbsd.org/iked">iked(8)</a>.
+     <li>Added support for certificates with uppercase subjectAltNames
+         in <a href="https://man.openbsd.org/iked">iked(8)</a>.
+     <li>Removed automatically installed <a
+         href="https://man.openbsd.org/ipsec">ipsec(4)</a> flow blocking
+         unencrypted IPv6 traffic in <a
+         href="https://man.openbsd.org/iked">iked(8)</a>.
+     <li>Reduced size of IKE_AUTH message by eliminating duplicate traffic
+         selectors in <a href="https://man.openbsd.org/iked">iked(8)</a>.
+     <li>Added an <a
+         href="https://man.openbsd.org/ikectl">ikectl(8)</a> "show sa"
+         command to print information about the state of negotiated IKE SAs,
+         their child SAs and the resulting IPsec flows.
+     <li>Added an <a
+         href="https://man.openbsd.org/ikectl">ikectl(8)</a> "reset id"
+         command to reset all SAs from policies with matching destination IDs.
+     <li>Added support for UDP encapsulation in manual SAs set up with <a
+         href="https://man.openbsd.org/ipsec.conf">ipsec.conf(5)</a>.
+     <li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a>
+         bug that lead to connection loss after simultaneous rekeying.
+     <li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a>
+         public key leak in the CA process for ASN-DN IDs.
+     <li>Fixed  a bug that lead to a lost EAP ID after rekeying in <a
+         href="https://man.openbsd.org/iked">iked(8)</a>.
+     <li>Fixed EAP user database corruption resulting from use of the <a
+         href="https://man.openbsd.org/ikectl">ikectl(8)</a> reload command.
+     <li>Corrected <a href="https://man.openbsd.org/iked">iked(8)</a>
+         calculation of IPv6 address leases from small address pools.
+     <li>Fixed several bugs that could lead to <a
+         href="https://man.openbsd.org/iked">iked(8)</a> selecting a false policy
+         for incoming requests, resulting in a failed handshake.
+     <li>Fixed a bug that broke PSK authentication against Strongswan.
+     <li>Enabled UDP-encapsulation in Child SAs if <a
+         href="https://man.openbsd.org/iked">iked(8)</a> was started with -t.
+     <li>Fixed <a href="https://man.openbsd.org/isakmpd">isakmpd(8)</a>
+         IKE pcap file creation.
    </ul>
  <li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes: