1 * Planned for the future
3 Please note that the 0.1 series of secnet releases is now 'maintenance
4 only'; further development continues in secnet-0.2.
6 Debconf support - if you are using the Debian packaged version and
7 your secnet configuration is autogenerated using debconf then the
8 upgrade to version 0.2.0 should just involve installing the package;
9 an appropriate 0.2-style configuration file will be generated
12 * New in version 0.1.17
14 autoconf updates for cross-compilation / more modern autoconf from
15 Ross Younger <ross@crazyscot.com>
17 MacOS X support from Richard Kettlewell <richard@sfere.greenend.org.uk>
19 Makefile fix: Update bison pattern rule to indicate that both the
20 .tab.c and .tab.h files are generated by the same command.
22 i386 ip_csum implementation updated to work with modern gcc
24 Rename global 'log' to 'slilog' to avoid conflict with gcc built-in
27 * New in version 0.1.16
29 XXX XXX PROTOCOL COMPATIBILITY IS BROKEN BETWEEN VERSION 0.1.16 AND
30 XXX XXX ALL PREVIOUS VERSIONS.
32 Bugfix: rsa.c private-key now works properly when you choose not to
35 Bugfix: serpent key setup was only using the first 8 bytes of the key
36 material. (Oops!) Ian Jackson contributed a fix so the full 32 bytes
37 are used, in big-endian mode.
39 Debatable-bugfix: RSA operations now use PKCS1 v1.5-style padding
41 "Hacky parallelism" contributed by Ian Jackson; this permits
42 public-key operations to be performed in a subprocess during key
43 exchange, to make secnet more usable on very slow machines. This is
44 not compiled in by default; if you find you need it (because key
45 exchanges are taking more than a second or two) then add
46 -DHACKY_PARALLEL to FLAGS in the Makefile.in and recompile.
48 udp module updates from Peter Benie:
49 1) Handle the case where authbind-helper terminates with a signal
50 2) Cope with signals being delivered during waitpid
51 3) Add 'address' (optional) to the udp settings. This is an IP address
52 that the socket will be bound to.
53 4) Change the endianess of the arguments to authbind-helper.
54 sprintf("%04X") already translates from machine repesentation to most
55 significant octet first so htons reversed it again.
57 All uses of alloca() expunged by Peter Benie.
59 make-secnet-sites now supports configurations where each tunnel gets
60 its own interface on the host, and the IP router code in secnet is
61 disabled. make-secnet-sites has been rewritten for clarity. For
62 information on how to configure secnet for one-interface-per-tunnel,
63 see the example.conf file.
65 * New in version 0.1.15
67 Now terminates with an error when an "include" filename is not
68 specified in the configuration file (thanks to RJK).
70 RSA private key operations optimised using CRT. Thanks to SGT.
72 Now compiles cleanly with -Wwrite-strings turned on in gcc.
74 Anything sent to stderr once secnet has started running in the
75 background is now redirected to the system/log facility.
77 * New in version 0.1.14
79 The --help and --version options now send their output to stdout.
81 Bugfix: TUN flavour "BSD" no longer implies a BSD-style ifconfig and
82 route command invocation. Instead "ioctl"-style is used, which should
83 work on both BSD and linux-2.2 systems.
85 If no "networks" parameter is specified for a netlink device then it
86 is assumed to be 0.0.0.0/0 rather than the empty set. So, by default
87 there is a default route from each netlink device to the host machine.
88 The "networks" parameter can be used to implement a primitive
89 firewall, restricting the destination addresses of packets received
90 through tunnels; if a more complex firewall is required then implement
93 * New in version 0.1.13
95 site.c code cleaned up; no externally visible changes
97 secnet now calls setsid() after becoming a daemon.
99 secnet now supports TUN on Solaris 2.5 and above (and possibly other
100 STREAMS-based systems as well).
102 The TUN code now tries to auto-detect the type of "TUN" in use
103 (BSD-style, Linux-style or STREAMS-style). If your configuration file
104 specifies "tun-old" then it defaults to BSD-style; however, since
105 "tun-old" will be removed in a future release, you should change your
106 configuration file to specify "tun" and if there's a problem also
107 specify the flavour in use.
113 should be rewritten as
119 The flavours currently defined are "bsd", "linux" and "streams".
121 The TUN code can now be configured to configure interfaces and
122 add/delete routes using one of several methods: invoking a
123 "linux"-style ifconfig/route command, a "bsd"-style ifconfig/route
124 command, "solaris-2.5"-style ifconfig/route command or calling ioctl()
125 directly. These methods can be selected using the "ifconfig-type" and
126 "route-type" options.
130 ifconfig-type "ioctl";
135 The ioctl-based method is now the default for Linux systems.
137 Magic numbers used within secnet are now collected in the header file
140 netlink now uses ICMP type=0 code=13 for 'administratively prohibited'
141 instead of code 9. See RFC1812 section 5.2.7.1.
143 The UDP comm module now supports a proxy server, "udpforward". This
144 runs on a machine which is directly accessible by secnet and which can
145 send packets to appropriate destinations. It's useful when the proxy
146 machine doesn't support source- and destination-NAT. The proxy server
147 is specified using the "proxy" key in the UDP module configuration;
148 parameters are IP address (string) and port number.
150 Bugfix: ipset_to_subnet_list() in ipaddr.c now believed to work in all
151 cases, including 0.0.0.0/0
153 * New in version 0.1.12
155 IMPORTANT: fix calculation of 'now' in secnet.c; necessary for correct
158 (Only interesting for people building and modifying secnet by hand:
159 the Makefile now works out most dependencies automatically.)
161 The netlink code no longer produces an internal routing table sorted
162 by netmask length. Instead, netlink instances have a 'priority'; the
163 table of routes is sorted by priority. Devices like laptops that have
164 tunnels that must sometimes 'mask' parts of other tunnels should be
165 given higher priorities. If a priority is not specified it is assumed
171 route "192.168.73.74/31";
176 * New in version 0.1.11
178 Lists of IP addresses in the configuration file can now include
179 exclusions as well as inclusions. For example, you can specify all
180 the hosts on a subnet except one as follows:
182 networks "192.168.73.0/24","!192.168.73.70";
184 (If you were only allowed inclusions, you'd have to specify that like
186 networks "192.168.73.71/32","192.168.73.68/31","192.168.73.64/30",
187 "192.168.73.72/29","192.168.73.80/28","192.168.73.96/27",
188 "192.168.73.0/26","192.168.73.128/25";
191 secnet now ensures that it invokes userv-ipif with a non-overlapping
194 There is a new command-line option, --sites-key or -s, that enables
195 the configuration file key that's checked to determine the list of
196 active sites (default "sites") to be changed. This enables a single
197 configuration file to contain multiple cofigurations conveniently.
199 NAKs are now sent when packets arrive that are not understood. The
200 tunnel code initiates a key setup if it sees a NAK. Future
201 developments should include configuration options that control this.
203 The tunnel code notifies its peer when secnet is terminating, so the
204 peer can close the session.
206 The netlink "exclude-remote-networks" option has now been replaced by
207 a "remote-networks" option; instead of specifying networks that no
208 site may access, you specify the set of networks that remote sites are
209 allowed to access. A sensible example: "192.168.0.0/16",
210 "172.16.0.0/12", "10.0.0.0/8", "!your-local-network"
212 * New in version 0.1.10
214 WARNING: THIS VERSION MAKES A CHANGE TO THE CONFIGURATION FILE FORMAT
215 THAT IS NOT BACKWARD COMPATIBLE. However, in most configurations the
216 change only affects the sites.conf file, which is generated by the
217 make-secnet-sites script; after you regenerate your sites.conf using
218 version 0.1.10, everything should continue to work.
220 Netlink devices now interact slightly differently with the 'site'
221 code. When you invoke a netlink closure like 'tun' or 'userv-ipif',
222 you get another closure back. You then invoke this closure (usually
223 in the site definitions) to specify things like routes and options.
224 The result of this invocation should be used as the 'link' option in
227 All this really means is that instead of site configurations looking
232 networks "a", "b", "c";
236 ...they look like this:
240 link netlink { routes "a", "b", "c"; };
244 This change was made to enable the 'site' code to be completely free
245 of any knowledge of the contents of the packets it transmits. It
246 should now be possible in the future to tunnel other protocols like
247 IPv6, IPX, raw Ethernet frames, etc. without changing the 'site' code
250 Point-to-point netlink devices work slightly differently; when you
251 apply the 'tun', 'userv-ipif', etc. closure and specify the
252 ptp-address option, you must also specify the 'routes' option. The
253 result of this invocation should be passed directly to the 'link'
254 option of the site configuration. You can do things like this:
259 networks "192.168.73.76/32";
260 local-address "192.168.73.76"; # IP address of interface
261 ptp-address "192.168.73.75"; # IP address of other end of link
262 routes "192.168.73.74/32";
269 The route dump obtained by sending SIGUSR1 to secnet now includes
272 Point-to-point mode has now been tested.
274 tun-old has now been tested, and the annoying 'untested' message has
275 been removed. Thanks to SGT and JDA.
277 secnet now closes its stdin, stdout and stderr just after
280 Bugfix: specifying network "0.0.0.0/0" (or "default") now works
283 * New in version 0.1.9
285 The netlink code may now generate ICMP responses to ICMP messages that
286 are not errors, eg. ICMP echo-request. This makes Windows NT
287 traceroute output look a little less strange.
289 configure.in and config.h.bot now define uint32_t etc. even on systems
290 without stdint.h and inttypes.h (needed for Solaris 2.5.1)
292 GNU getopt is included for systems that lack it.
294 We check for LOG_AUTHPRIV before trying to use it in log.c (Solaris
295 2.5.1 doesn't have it.)
297 Portable snprintf.c from http://www.ijs.si/software/snprintf/ is
298 included for systems that lack snprintf/vsnprintf.
300 make-secnet-sites.py renamed to make-secnet-sites and now installed in
301 $prefix/sbin/make-secnet-sites; ipaddr.py library installed in
302 $prefix/share/secnet/ipaddr.py. make-secnet-sites searches
303 /usr/local/share/secnet and /usr/share/secnet for ipaddr.py
305 * New in version 0.1.8
307 Netlink devices now support a 'point-to-point' mode. In this mode the
308 netlink device does not require an IP address; instead, the IP address
309 of the other end of the tunnel is specified using the 'ptp-address'
310 option. Precisely one site must be configured to use the netlink
311 device. (I haven't had a chance to test this because 0.1.8 turned into
312 a 'quick' release to enable secnet to cope with the network problems
313 affecting connections going via LINX on 2001-10-16.)
315 The tunnel code in site.c now initiates a key setup if the
316 reverse-transform function fails (wrong key, bad MAC, too much skew,
317 etc.) - this should make secnet more reliable on dodgy links, which
318 are much more common than links with active attackers... (an attacker
319 can now force a new key setup by replaying an old packet, but apart
320 from minor denial of service on slow links or machines this won't
321 achieve them much). This should eventually be made configurable.
323 The sequence number skew detection code in transform.c now only
324 complains about 'reverse skew' - replays of packets that are too
325 old. 'Forward skew' (gaps in the sequence numbers of received packets)
326 is now tolerated silently, to cope with large amounts of packet loss.