ijackson at chiark.greenend.org.uk
Sun Oct 26 16:02:07 GMT 2014
-----BEGIN PGP SIGNED MESSAGE-----
I am pleased to announce secnet 0.4.0~beta1.

secnet 0.4 contains support for using IPv6 on the public (outside)

secnet 0.4 has support for dynamic use of possibly multiple local
network interfaces, by mobile sites. A mobile site which has multiple
connections to the public internet (for example, wifi and 3G) can now
arrange to send all traffic by all available routes, improving
reliability. This functionality is available even when talking to
earlier versions of secnet, provided that the static peer is running
0.2 or later - although the feature will work best when talking to
another secnet 0.4.

There are also minor bugfixes and logging improvements; but for sites
which do not need IPv6 or polypath support, there is no compelling
reason to upgrade.

(Everyone should be running at least version 0.3.4, as all previous
versions have significant security bugs.)

IPv6 and polypath support are available only if your version of adns
is also IPv6-capable, which means you need adns 1.5.0~rc0 or later.

secnet 0.4.0 needs the modern `ipaddr.py' library, provided on
Debian-derived systems in the package python-ipaddr.

When upgrading to 0.4.x, it is necessary to remove the `ipaddr.py'
library previously provided with secnet (and any corresponding
`ipaddr.pyc' files). If you are using a .deb version of secnet this
is done automatically; if you are using `make install' you may need
`make install-force'; and if you are running out of a build tree you will
need to clean out the .pyc (by hand, or with git clean, or some such).

Installing the modern ipaddr.py in python-ipaddr will break secnet
versions before 0.3.3~beta1, but you should be running 0.3.4 anyway.
If you're not and you don't want to change both ipaddr.py and secnet
at once, for some reason: install secnet 0.3.4 first, and then
python-ipaddr, and then secnet 0.4.0.

Apart from this installation wrinkle, secnet 0.4.0 is
backwards-compatible with previous versions.

0.4.0~beta1 can be found here:
(SHA-256 checksums are listed below).

If you are able to do so conveniently, please test it (especially if
you can test IPv6).

For those on the SGO VPN: chiark is currently running an equivalent
version. chiark's secnet is listening on IPv6 [2001:ba8:1e3::]. But
you should not set sites file fragments in the SGO VPN which mention
IPv6 addresses for your own sites because that would make the sites
file incompatible with older secnet versions. You can safely set IPv6
sites file fragments in the `chiark-only' vpn, using the `userv secnet

For a summary of the changes in 0.4.0~beta1 see the changelog extract
below. For full details see the git history.

secnet (0.4.0~beta1) unstable; urgency=low

  * Support transport over IPv6.  (We do not yet carry IPv6 in the private
    network.)  IPv6 support depends on IPv6-capable adns (adns 1.5.x).
  * New polypath comm, which can duplicate packets so as to send them via
    multiple routes over the public network, for increased
    reliability/performance (but increased cost).  Currently Linux-only
    but should be fairly easy to port.
  * Support multiple public addresses for peers.
  * Discard previously-received packets (by default).
  * Report (each first) transmission and reception success and failure.
  * Log reason for DNS resolution failure.
  * Log unexpected kinds of death from userv.
  * Log authbind exit status as errno value (if appropriate).
  * Adjust default number of mobile peer addresses to store when a peer
    public address is also configured.
  * Make specifying peer public port optional.  This avoids making special
    arrangements to bind to a port for in mobile sites with no public
  * Hackypar children will die if they get a terminating signal.
  * Fix signal dispositions inherited by secnet's child processes.
  * Fix off-by-one error which prevented setting transport-peers-max to 5.

  Test, build and internal improvements:
  * Use conventional IP address handling library ipaddr.py.
  * Provide a fuzzer for the slip decoder.
  * Build system improvements.
  * Many source code cleanups.

 -- Ian Jackson <ijackson at chiark.greenend.org.uk>  Sun, 26 Oct 2014 15:28:31 +0000

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----