X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=NEWS;fp=NEWS;h=d605fe5c5f0baf5951dc852ad9e6086d45af4a37;hb=c6f79b178fe27ee315055dccb371b63ca1a6183a;hp=0000000000000000000000000000000000000000;hpb=042a8da9053c205ea74ec1785c93ca4bcf4ea5e0;p=secnet.git diff --git a/NEWS b/NEWS new file mode 100644 index 0000000..d605fe5 --- /dev/null +++ b/NEWS @@ -0,0 +1,20 @@ +* New in version 0.1.8 + +Netlink devices now support a 'point-to-point' mode. In this mode the +netlink device does not require an IP address; instead, the IP address +of the other end of the tunnel is specified using the 'ptp-address' +option. Precisely one site must be configured to use the netlink +device. + +The tunnel code in site.c now initiates a key setup if the +reverse-transform function fails (wrong key, bad MAC, too much skew, +etc.) - this should make secnet more reliable on dodgy links, which +are much more common than links with active attackers... (an attacker +can now force a new key setup by replaying an old packet, but apart +from minor denial of service on slow links or machines this won't +achieve them much). + +The sequence number skew detection code in transform.c now only +complains about 'reverse skew' - replays of packets that are too +old. 'Forward skew' (gaps in the sequence numbers of received packets) +is now tolerated silently, to cope with large amounts of packet loss.
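Review bot: the paragraph on site.c should state whether the key setup triggered by a failed reverse-transform is rate-limited, since as written a single replayed old packet can start a new key setup each time it is resent, and the entry only describes the cost as "minor denial of service on slow links or machines" without saying what bounds it; a sentence such as "a key setup is not re-initiated while one is already in progress" (if that is the behaviour) would let operators judge the exposure. In the transform.c paragraph, "tolerated silently" should say whether forward skew is still counted or logged at a lower level, because a gap in received sequence numbers is the one signal an operator has for distinguishing ordinary packet loss from a path that is dropping traffic; suggest "is now tolerated without a warning" if it is still visible in debug output, or an explicit note that it is no longer recorded. Minor: the point-to-point paragraph's "Precisely one site must be configured to use the netlink device" reads as a constraint on the whole netlink device rather than on 'point-to-point' mode, which is the intended scope; consider "a point-to-point netlink device must be used by exactly one site".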