src/crypto/dist/ipsec-tools/src/racoon/TODO - view

Return to TODO CVS log

Up to [cvs.NetBSD.org] / src / crypto / dist / ipsec-tools / src / racoon

File: [cvs.NetBSD.org] / src / crypto / dist / ipsec-tools / src / racoon / TODO (download)

Revision 1.1.1.1 (vendor branch), Sat Feb 12 11:11:37 2005 UTC (19 years, 2 months ago) by manu
Branch: MAIN, IPSEC_TOOLS
CVS Tags: yamt-pf42-baseX, yamt-pf42-base4, yamt-pf42-base3, yamt-pf42-base2, yamt-pf42-base, yamt-pf42, yamt-pagecache-tag8, yamt-pagecache-base9, yamt-pagecache-base8, yamt-pagecache-base7, yamt-pagecache-base6, yamt-pagecache-base5, yamt-pagecache-base4, yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, yamt-pagecache, wrstuden-revivesa-base-3, wrstuden-revivesa-base-2, wrstuden-revivesa-base-1, wrstuden-revivesa-base, wrstuden-revivesa, wrstuden-fixsa-newbase, wrstuden-fixsa-base-1, wrstuden-fixsa-base, wrstuden-fixsa, tls-maxphys-base, tls-maxphys, tls-earlyentropy-base, tls-earlyentropy, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3, riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2, prg-localcount2-base3, prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, prg-localcount2, phil-wifi-base, phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, phil-wifi-20191119, phil-wifi-20190609, pgoyette-localcount-base, pgoyette-localcount-20170426, pgoyette-localcount-20170320, pgoyette-localcount-20170107, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, pgoyette-localcount, pgoyette-compat-merge-20190127, pgoyette-compat-base, pgoyette-compat-20190127, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521, pgoyette-compat-0502, pgoyette-compat-0422, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315, pgoyette-compat, perseant-stdc-iso10646-base, perseant-stdc-iso10646, netbsd-9-base, netbsd-9-3-RELEASE, netbsd-9-2-RELEASE, netbsd-9-1-RELEASE, netbsd-9-0-RELEASE, netbsd-9-0-RC2, netbsd-9-0-RC1, netbsd-9, netbsd-8-base, netbsd-8-2-RELEASE, netbsd-8-1-RELEASE, netbsd-8-1-RC1, netbsd-8-0-RELEASE, netbsd-8-0-RC2, netbsd-8-0-RC1, netbsd-8, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-2-RELEASE, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-1, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE, netbsd-7-0, netbsd-7, netbsd-6-base, netbsd-6-1-RELEASE, netbsd-6-1-RC4, netbsd-6-1-RC3, netbsd-6-1-RC2, netbsd-6-1-RC1, netbsd-6-1-5-RELEASE, netbsd-6-1-4-RELEASE, netbsd-6-1-3-RELEASE, netbsd-6-1-2-RELEASE, netbsd-6-1-1-RELEASE, netbsd-6-1, netbsd-6-0-RELEASE, netbsd-6-0-RC2, netbsd-6-0-RC1, netbsd-6-0-6-RELEASE, netbsd-6-0-5-RELEASE, netbsd-6-0-4-RELEASE, netbsd-6-0-3-RELEASE, netbsd-6-0-2-RELEASE, netbsd-6-0-1-RELEASE, netbsd-6-0, netbsd-6, netbsd-5-base, netbsd-5-2-RELEASE, netbsd-5-2-RC1, netbsd-5-2-3-RELEASE, netbsd-5-2-2-RELEASE, netbsd-5-2-1-RELEASE, netbsd-5-2, netbsd-5-1-RELEASE, netbsd-5-1-RC4, netbsd-5-1-RC3, netbsd-5-1-RC2, netbsd-5-1-RC1, netbsd-5-1-5-RELEASE, netbsd-5-1-4-RELEASE, netbsd-5-1-3-RELEASE, netbsd-5-1-2-RELEASE, netbsd-5-1-1-RELEASE, netbsd-5-1, netbsd-5-0-RELEASE, netbsd-5-0-RC4, netbsd-5-0-RC3, netbsd-5-0-RC2, netbsd-5-0-RC1, netbsd-5-0-2-RELEASE, netbsd-5-0-1-RELEASE, netbsd-5-0, netbsd-5, netbsd-4-base, netbsd-4-0-RELEASE, netbsd-4-0-RC5, netbsd-4-0-RC4, netbsd-4-0-RC3, netbsd-4-0-RC2, netbsd-4-0-RC1, netbsd-4-0-1-RELEASE, netbsd-4-0, netbsd-4, netbsd-3-base, netbsd-3-1-RELEASE, netbsd-3-1-RC4, netbsd-3-1-RC3, netbsd-3-1-RC2, netbsd-3-1-RC1, netbsd-3-1-1-RELEASE, netbsd-3-1, netbsd-3-0-RELEASE, netbsd-3-0-RC6, netbsd-3-0-RC5, netbsd-3-0-RC4, netbsd-3-0-RC3, netbsd-3-0-RC2, netbsd-3-0-RC1, netbsd-3-0-3-RELEASE, netbsd-3-0-2-RELEASE, netbsd-3-0-1-RELEASE, netbsd-3-0, netbsd-3, netbsd-10-base, netbsd-10-0-RELEASE, netbsd-10-0-RC6, netbsd-10-0-RC5, netbsd-10-0-RC4, netbsd-10-0-RC3, netbsd-10-0-RC2, netbsd-10-0-RC1, netbsd-10, mjf-devfs2-base, mjf-devfs2, matt-premerge-20091211, matt-nb8-mediatek-base, matt-nb8-mediatek, matt-nb6-plus-nbase, matt-nb6-plus-base, matt-nb6-plus, matt-nb5-pq3-base, matt-nb5-pq3, matt-nb5-mips64-u2-k2-k4-k7-k8-k9, matt-nb5-mips64-u1-k1-k5, matt-nb5-mips64-premerge-20101231, matt-nb5-mips64-premerge-20091211, matt-nb5-mips64-k15, matt-nb5-mips64, matt-nb4-mips64-k7-u2a-k9b, matt-mips64-premerge-20101231, matt-mips64-base2, matt-mips64-base, matt-mips64, matt-armv6-prevmlocking, matt-armv6-nbase, matt-armv6-base, matt-armv6, localcount-20160914, khorben-n900, keiichi-mipv6-base, keiichi-mipv6, jym-xensuspend-nbase, jym-xensuspend-base, jym-xensuspend, is-mlppp-base, is-mlppp, ipsec-tools-base, ipsec-tools-0_8_2, ipsec-tools-0_8_1, ipsec-tools-0_8_0, ipsec-tools-0_8-branch, ipsec-tools-0_7_3, ipsec-tools-0_7_2, ipsec-tools-0_7_1, ipsec-tools-0_7-rc1, ipsec-tools-0_7-branch, ipsec-tools-0_7-beta3, ipsec-tools-0_7-beta2, ipsec-tools-0_7-beta1, ipsec-tools-0_7-base, ipsec-tools-0_7-RC1, ipsec-tools-0_7, ipsec-tools-0_6_3, ipsec-tools-0_6_2, ipsec-tools-0_6_1-rc1, ipsec-tools-0_6_1, ipsec-tools-0_6-base, ipsec-tools-0_6-20050317, ipsec-tools-0_6-20050314, ipsec-tools-0_6-20050224, ipsec-tools-0_6-20050223, hpcarm-cleanup-nbase, hpcarm-cleanup-base, hpcarm-cleanup, cube-autoconf-base, cube-autoconf, cjep_sun2x-base1, cjep_sun2x-base, cjep_sun2x, cjep_staticlib_x-base1, cjep_staticlib_x-base, cjep_staticlib_x, cherry-xenmp-base, cherry-xenmp, bouyer-socketcan-base1, bouyer-socketcan-base, bouyer-socketcan, bouyer-quota2-nbase, bouyer-quota2-base, bouyer-quota2, agc-symver-base, agc-symver, abandoned-netbsd-4-base, abandoned-netbsd-4, HEAD
Branch point for: phil-wifi
Changes since 1.1: +0 -0 lines

Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS)
ipsec-tools is a fork from KAME racoon/libipsec/setkey, with many
enhancements.

$KAME: TODO,v 1.36 2001/09/19 09:41:39 sakane Exp $

Please send any questions or bug reports to snap-users@kame.net.

TODO list

URGENT
o The documents for users convenience.
o split log file based on client.  printf-like config directive, i.e.
  "logfile racoon.%s.log", should be useful here.
  -> beware of possible security issue, don't use sprintf() directly!
     make validation before giving a string to sprintf().
o save decrypted IKE packet in tcpdump format
o IPComp SA with wellknown CPI in CPI field.  how to handle it?
o better rekey

MUST
o multiple certificate payload handling.
o To consider the use with certificate infrastructure.  PXIX ???
o kmstat should be improved.
o Informational Exchange processing properly.
o require less configuration.  phase 2 is easier (as kernel presents racoon
  some hints), phase 1 is harder.  for example,
  - grab phase 2 lifetime and algorith configuration from sadb_comb payloads in
    ACQUIRE message.
  - give reasonable default behavior when no configuration file is present.
  - difficult items:
	how to guess a reasonable phase 1 SA lifetime
		(hardcoded default?  guess from phase 2 lifetime?)
	guess what kind of ID payload to use
	guess what kind of authentication to be used
	guess phase 1 DH group (for aggressive mode, we cannot negotiate it)
	guess if we need phase 2 PFS or not (we cannot negotiate it. so
		we may need to pick from "no PFS" or "same as phase 1 DH group")
	guess how we should negotiate lifetime
		(is "strict" a reasonable default?)
	guess which mode to use for phase 1 negotiation (is main mode useful?
		is base mode popular enough?)
o more acceptable check.

SHOULD
o psk.txt should be a database? (psk.db?)  psk_mkdb?
o Dynamically retry to exchange and resend the packet per nodes.
o To make the list of supported algorithm by sadb_supported payload
  in the SADB_REGISTER message which happens asynchronously.
o fix the structure of ph2handle.
  We can handle the below case.

  node A                            node B
    +--------------SA1----------------+
    +--------------SA2----------------+

  at node A:
  kernel
    acquire(A-B) ------> ph2handle(A=B) -----> ph1handle
                              |
                            policy
                             A=B
                             A=B

  But we can not handle the below case because there is no x?handle.

  node A                            node B                           node C
    +--------------SA1----------------+
    +------------------------------------------------SA2---------------+

  at node A:
  kernel
    acquire(A-C) ---+---> x?handle ---+---> ph2handle(A=B) -------> ph1handle
                    |        |        |
    acquire(A-B) ---+      policy     +---> ph2handle(A=C) -------> ph1handle
                            A=B
                            A=C

o consistency of function name.
o deep copy configuration entry to hander.  It's easy to reload configuration.
o don't keep to hold keymat values, do it ?
o local address's field in isakmpsa handler must be kicked out to rmconf.
o responder policy and initiator policy should be separated.
o for lifetime and key length, something like this should be useful.
  - propose N
  - accept between X and Y
o wildcard "accept any proposal" policy should be allowed.
o replay prevention
  - limited total number of session
  - limited session per peer
  - number of proposal
o full support for variable length SPI.  quickhack support for IPComp is done.

MAY
o Effective code.
o interaction between IKE/IPsec and socket layer.
  at this moment, IKE/IPsec failure is modeled as total packet loss to other
  part of network subsystem, including socket layer.  this presents the
  following behaviors:
  - annoyingly long timeouts on tcp connection attempt, and IKE failure;
    need to wait till tcp socket timeouts.
  - blackhole if there's mismatching SAs.
  we may be able to give socket layer some feedback from IKE/IPsec layer.
  still not sure if those make sense or not.
  for example:
  - send PRU_HOSTDEAD to sockets if IKE negotiation failed
    (sys/netkey/key.c:key_acquire2)
    to do this, we need to remember which ACQUIRE was caused by which socket,
    possibly into larval SAs.
  - PRU_QUENCH on "no SA found on output"
  - kick tcp retransmission timer on first SA establishment
o IKE daemon should handle situations where peer does not run IKE daemon
  (UDP port unreach for port 500) better.
  should use connected UDP sockets for sending IKE datagrams.
o rate-limit log messages from kernel IPsec errors, like "no SA found".

TO BE TESTED.
o IKE retransmit behavior
	see, draft-*-ipsec-rekeying*.txt
o Reboot recovery (peer reboot losing it's security associations)
	see, draft-*-ipsec-rekeying*.txt
o Scenarios
	- End-to-End transport long lived security associations
	  (over night, data transfer >1Gb) with frequent dynamic rekey
	- End-to-GW tunnel long lived security associations
	  (over night, data transfer >1Gb) with frequent dynamic rekey
	- Policy change events while under SA load
	- End-to-End SA through IPsec tunnels, initiation both ways
	- Client End-to-End through client-to-GW tunnel SA, initiate from
	  client for tunnel, then initiation both ways for end-to-end
	- Client-to-GW transport SA for secure management
o behavior to receive multiple auth method proposals and AND proposal

and to be written many many.