* Planned for the future Please note that the 0.1 series of secnet releases is now 'maintenance only'; further development continues in secnet-0.2. Debconf support - if you are using the Debian packaged version and your secnet configuration is autogenerated using debconf then the upgrade to version 0.2.0 should just involve installing the package; an appropriate 0.2-style configuration file will be generated automatically. * New in version 0.1.18 ipaddr.py now declares its character encoding; required by recent versions of Python * New in version 0.1.17 autoconf updates for cross-compilation / more modern autoconf from Ross Younger MacOS X support from Richard Kettlewell Makefile fix: Update bison pattern rule to indicate that both the .tab.c and .tab.h files are generated by the same command. i386 ip_csum implementation updated to work with modern gcc Rename global 'log' to 'slilog' to avoid conflict with gcc built-in log() function. * New in version 0.1.16 XXX XXX PROTOCOL COMPATIBILITY IS BROKEN BETWEEN VERSION 0.1.16 AND XXX XXX ALL PREVIOUS VERSIONS. Bugfix: rsa.c private-key now works properly when you choose not to verify it. Bugfix: serpent key setup was only using the first 8 bytes of the key material. (Oops!) Ian Jackson contributed a fix so the full 32 bytes are used, in big-endian mode. Debatable-bugfix: RSA operations now use PKCS1 v1.5-style padding "Hacky parallelism" contributed by Ian Jackson; this permits public-key operations to be performed in a subprocess during key exchange, to make secnet more usable on very slow machines. This is not compiled in by default; if you find you need it (because key exchanges are taking more than a second or two) then add -DHACKY_PARALLEL to FLAGS in the Makefile.in and recompile. udp module updates from Peter Benie: 1) Handle the case where authbind-helper terminates with a signal 2) Cope with signals being delivered during waitpid 3) Add 'address' (optional) to the udp settings. This is an IP address that the socket will be bound to. 4) Change the endianess of the arguments to authbind-helper. sprintf("%04X") already translates from machine repesentation to most significant octet first so htons reversed it again. All uses of alloca() expunged by Peter Benie. make-secnet-sites now supports configurations where each tunnel gets its own interface on the host, and the IP router code in secnet is disabled. make-secnet-sites has been rewritten for clarity. For information on how to configure secnet for one-interface-per-tunnel, see the example.conf file. * New in version 0.1.15 Now terminates with an error when an "include" filename is not specified in the configuration file (thanks to RJK). RSA private key operations optimised using CRT. Thanks to SGT. Now compiles cleanly with -Wwrite-strings turned on in gcc. Anything sent to stderr once secnet has started running in the background is now redirected to the system/log facility. * New in version 0.1.14 The --help and --version options now send their output to stdout. Bugfix: TUN flavour "BSD" no longer implies a BSD-style ifconfig and route command invocation. Instead "ioctl"-style is used, which should work on both BSD and linux-2.2 systems. If no "networks" parameter is specified for a netlink device then it is assumed to be 0.0.0.0/0 rather than the empty set. So, by default there is a default route from each netlink device to the host machine. The "networks" parameter can be used to implement a primitive firewall, restricting the destination addresses of packets received through tunnels; if a more complex firewall is required then implement it on the host. * New in version 0.1.13 site.c code cleaned up; no externally visible changes secnet now calls setsid() after becoming a daemon. secnet now supports TUN on Solaris 2.5 and above (and possibly other STREAMS-based systems as well). The TUN code now tries to auto-detect the type of "TUN" in use (BSD-style, Linux-style or STREAMS-style). If your configuration file specifies "tun-old" then it defaults to BSD-style; however, since "tun-old" will be removed in a future release, you should change your configuration file to specify "tun" and if there's a problem also specify the flavour in use. Example: netlink tun-old { ... }; should be rewritten as netlink tun { flavour "bsd"; ... }; The flavours currently defined are "bsd", "linux" and "streams". The TUN code can now be configured to configure interfaces and add/delete routes using one of several methods: invoking a "linux"-style ifconfig/route command, a "bsd"-style ifconfig/route command, "solaris-2.5"-style ifconfig/route command or calling ioctl() directly. These methods can be selected using the "ifconfig-type" and "route-type" options. Example: netlink tun { ifconfig-type "ioctl"; route-type "ioctl"; ... }; The ioctl-based method is now the default for Linux systems. Magic numbers used within secnet are now collected in the header file "magic.h". netlink now uses ICMP type=0 code=13 for 'administratively prohibited' instead of code 9. See RFC1812 section 5.2.7.1. The UDP comm module now supports a proxy server, "udpforward". This runs on a machine which is directly accessible by secnet and which can send packets to appropriate destinations. It's useful when the proxy machine doesn't support source- and destination-NAT. The proxy server is specified using the "proxy" key in the UDP module configuration; parameters are IP address (string) and port number. Bugfix: ipset_to_subnet_list() in ipaddr.c now believed to work in all cases, including 0.0.0.0/0 * New in version 0.1.12 IMPORTANT: fix calculation of 'now' in secnet.c; necessary for correct operation. (Only interesting for people building and modifying secnet by hand: the Makefile now works out most dependencies automatically.) The netlink code no longer produces an internal routing table sorted by netmask length. Instead, netlink instances have a 'priority'; the table of routes is sorted by priority. Devices like laptops that have tunnels that must sometimes 'mask' parts of other tunnels should be given higher priorities. If a priority is not specified it is assumed to be zero. Example usage: site laptop { ... link netlink { route "192.168.73.74/31"; priority 10; }; }; * New in version 0.1.11 Lists of IP addresses in the configuration file can now include exclusions as well as inclusions. For example, you can specify all the hosts on a subnet except one as follows: networks "192.168.73.0/24","!192.168.73.70"; (If you were only allowed inclusions, you'd have to specify that like this: networks "192.168.73.71/32","192.168.73.68/31","192.168.73.64/30", "192.168.73.72/29","192.168.73.80/28","192.168.73.96/27", "192.168.73.0/26","192.168.73.128/25"; ) secnet now ensures that it invokes userv-ipif with a non-overlapping list of subnets. There is a new command-line option, --sites-key or -s, that enables the configuration file key that's checked to determine the list of active sites (default "sites") to be changed. This enables a single configuration file to contain multiple cofigurations conveniently. NAKs are now sent when packets arrive that are not understood. The tunnel code initiates a key setup if it sees a NAK. Future developments should include configuration options that control this. The tunnel code notifies its peer when secnet is terminating, so the peer can close the session. The netlink "exclude-remote-networks" option has now been replaced by a "remote-networks" option; instead of specifying networks that no site may access, you specify the set of networks that remote sites are allowed to access. A sensible example: "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "!your-local-network" * New in version 0.1.10 WARNING: THIS VERSION MAKES A CHANGE TO THE CONFIGURATION FILE FORMAT THAT IS NOT BACKWARD COMPATIBLE. However, in most configurations the change only affects the sites.conf file, which is generated by the make-secnet-sites script; after you regenerate your sites.conf using version 0.1.10, everything should continue to work. Netlink devices now interact slightly differently with the 'site' code. When you invoke a netlink closure like 'tun' or 'userv-ipif', you get another closure back. You then invoke this closure (usually in the site definitions) to specify things like routes and options. The result of this invocation should be used as the 'link' option in site configurations. All this really means is that instead of site configurations looking like this: foo { name "foo"; networks "a", "b", "c"; etc. }; ...they look like this: foo { name "foo"; link netlink { routes "a", "b", "c"; }; etc. }; This change was made to enable the 'site' code to be completely free of any knowledge of the contents of the packets it transmits. It should now be possible in the future to tunnel other protocols like IPv6, IPX, raw Ethernet frames, etc. without changing the 'site' code at all. Point-to-point netlink devices work slightly differently; when you apply the 'tun', 'userv-ipif', etc. closure and specify the ptp-address option, you must also specify the 'routes' option. The result of this invocation should be passed directly to the 'link' option of the site configuration. You can do things like this: sites site { name "foo"; link tun { networks "192.168.73.76/32"; local-address "192.168.73.76"; # IP address of interface ptp-address "192.168.73.75"; # IP address of other end of link routes "192.168.73.74/32"; mtu 1400; buffer sysbuffer(); }; etc. }; The route dump obtained by sending SIGUSR1 to secnet now includes packet counts. Point-to-point mode has now been tested. tun-old has now been tested, and the annoying 'untested' message has been removed. Thanks to SGT and JDA. secnet now closes its stdin, stdout and stderr just after backgrounding. Bugfix: specifying network "0.0.0.0/0" (or "default") now works correctly. * New in version 0.1.9 The netlink code may now generate ICMP responses to ICMP messages that are not errors, eg. ICMP echo-request. This makes Windows NT traceroute output look a little less strange. configure.in and config.h.bot now define uint32_t etc. even on systems without stdint.h and inttypes.h (needed for Solaris 2.5.1) GNU getopt is included for systems that lack it. We check for LOG_AUTHPRIV before trying to use it in log.c (Solaris 2.5.1 doesn't have it.) Portable snprintf.c from http://www.ijs.si/software/snprintf/ is included for systems that lack snprintf/vsnprintf. make-secnet-sites.py renamed to make-secnet-sites and now installed in $prefix/sbin/make-secnet-sites; ipaddr.py library installed in $prefix/share/secnet/ipaddr.py. make-secnet-sites searches /usr/local/share/secnet and /usr/share/secnet for ipaddr.py * New in version 0.1.8 Netlink devices now support a 'point-to-point' mode. In this mode the netlink device does not require an IP address; instead, the IP address of the other end of the tunnel is specified using the 'ptp-address' option. Precisely one site must be configured to use the netlink device. (I haven't had a chance to test this because 0.1.8 turned into a 'quick' release to enable secnet to cope with the network problems affecting connections going via LINX on 2001-10-16.) The tunnel code in site.c now initiates a key setup if the reverse-transform function fails (wrong key, bad MAC, too much skew, etc.) - this should make secnet more reliable on dodgy links, which are much more common than links with active attackers... (an attacker can now force a new key setup by replaying an old packet, but apart from minor denial of service on slow links or machines this won't achieve them much). This should eventually be made configurable. The sequence number skew detection code in transform.c now only complains about 'reverse skew' - replays of packets that are too old. 'Forward skew' (gaps in the sequence numbers of received packets) is now tolerated silently, to cope with large amounts of packet loss.