secnet 0.4.0~beta1

Ian Jackson ijackson at
Sun Oct 26 16:02:07 GMT 2014

I am pleased to announce secnet 0.4.0~beta1.

secnet 0.4 contains support for using IPv6 on the public (outside)

secnet 0.4 has support for dynamic use of possibly multiple local
network interfaces, by mobile sites.  A mobile site which has multiple
connections to the public internet (for example, wifi and 3G) can now
arrange to send all traffic by all available routes, improving
reliability.  This functionality is available even when talking to
earlier versions of secnet, provided that the static peer is running
0.2 or later - although the feature will work best when talking to
another secnet 0.4.

There are also minor bugfixes and logging improvements; but for sites
which do not need IPv6 or polypath support, there is no compelling
reason to upgrade.

(Everyone should be running at least version 0.3.4, as all previous
versions have significant security bugs.)

IPv6 and polypath support are available only if your version of adns
is also IPv6-capable, which means you need adns 1.5.0~rc0 or later.

secnet 0.4.0 needs the modern `' library, provided on
Debian-derived systems in the package python-ipaddr.

When upgrading to 0.4.x, it is necessary to remove the `'
library previously provided with secnet (and any corresponding
`ipaddr.pyc' files).  If you are using a .deb version of secnet this
is done automatically; if you are using `make install' you may need
`make install-force'; and if you are running out of a build tree you will
need to clean out the .pyc (by hand, or with git clean, or some such).

Installing the modern in python-ipaddr will break secnet
versions before 0.3.3~beta1, but you should be running 0.3.4 anyway.
If you're not and you don't want to change both and secnet
at once, for some reason: install secnet 0.3.4 first, and then
python-ipaddr, and then secnet 0.4.0.

Apart from this installation wrinkle, secnet 0.4.0 is
backwards-compatible with previous versions.

0.4.0~beta1 can be found here:
(SHA-256 checksums are listed below).

If you are able to do so conveniently, please test it (especially if
you can test IPv6).

For those on the SGO VPN: chiark is currently running an equivalent
version.  chiark's secnet is listening on IPv6 [2001:ba8:1e3::].  But
you should not set sites file fragments in the SGO VPN which mention
IPv6 addresses for your own sites because that would make the sites
file incompatible with older secnet versions.  You can safely set IPv6
sites file fragments in the `chiark-only' vpn, using the `userv secnet
chiarkvpnsites' facility.

For a summary of the changes in 0.4.0~beta1 see the changelog extract
below.  For full details see the git history.

secnet (0.4.0~beta1) unstable; urgency=low

  New features:
  * Support transport over IPv6.  (We do not yet carry IPv6 in the private
    network.)  IPv6 support depends on IPv6-capable adns (adns 1.5.x).
  * New polypath comm, which can duplicate packets so as to send them via
    multiple routes over the public network, for increased
    reliability/performance (but increased cost).  Currently Linux-only
    but should be fairly easy to port.
  * Support multiple public addresses for peers.
  * Discard previously-received packets (by default).

  Logging improvements:
  * Report (each first) transmission and reception success and failure.
  * Log reason for DNS resolution failure.
  * Log unexpected kinds of death from userv.
  * Log authbind exit status as errno value (if appropriate).

  Configuration adjustments:
  * Adjust default number of mobile peer addresses to store when a peer
    public address is also configured.
  * Make specifying peer public port optional.  This avoids making special
    arrangements to bind to a port for in mobile sites with no public
    stable address.

  * Hackypar children will die if they get a terminating signal.
  * Fix signal dispositions inherited by secnet's child processes.
  * Fix off-by-one error which prevented setting transport-peers-max to 5.

  Test, build and internal improvements:
  * Use conventional IP address handling library
  * Provide a fuzzer for the slip decoder.
  * Build system improvements.
  * Many source code cleanups.

 -- Ian Jackson <ijackson at>  Sun, 26 Oct 2014 15:28:31 +0000

9bce26b5dac63457ffeb11c8d86d486927c6fc09dba964d4f1b872da4cd39b5f  secnet_0.4.0~beta1.dsc
3b244d31c888f1abec1e5d64274598d4f6eb714ea5830cbf74cfb3633e148b27  secnet_0.4.0~beta1_i386.changes
437da9003148b1dd7879b01043379dd89e02ef91521fa2b4ffabde2c7ddf28b3  secnet_0.4.0~beta1_i386.deb
7aa0ee18cf9381d8426d48dc7379d99a003cac67a2f496936c94f025ee9714a1  secnet_0.4.0~beta1.tar.gz


More information about the sgo-software-announce mailing list