Alexey Sopov <suntechnic@gmail.com>

[vpnc.git] / TODO

TODO list

* On opensolaris we need to add -interface in case the route points
  to an interface instead of a next hop, see
  http://www.cwinters.com/blog/2008/02/02/getting_vpnc_to_work_on_opensolaris.html

* Add native ESP support

* Allow PSK without xauth.

* further research into the "packet too short" messages.
  - see http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2005-February/000553.html
    for more information

* pass IPSEC target network to script
  - use it to initialize the tunnel interface and routes

* clean up scripts
  - config-support for vpnc-script
  - customizable handling of routing
  - switch to disable resolv.conf rewriting
  - do $something with split_dns

* beautify packet dump output

* large code cleanup
  - at least one function per packet (instead of one function per phase)
  - factor out a central select-loop, send / receive code, nat-t handling
  - maybe even add some sort of state machine
  - get a rid of remaining (non-const) global variables

* implement phase1 rekeying (with or without xauth-reauthentication)
* implement compression
* try a list of gateways (backup server)
* Generate the manpage command line part directly from vpnc

* optionally use in-kernel-ipsec with pf-key
  - merge patch

* add support for pcap and dump decrypted traffic

* research/bugs:
  - usernames containing "@" unable to login
  - ipsec over tcp
  - nortel support?
  - segfault if > 100 routes/acls (to large packet? read size?)
    (probably "fixed" by increasing the size in r_packet in vpnc.c,
    but why did it crash?)
  - amd64 somehow broken? maybe gcc bugs??
  - some debug prints get the endianess wrong
  - In case the psk in hybrid isn't correct, the server sends annother AM_2
    packet - to port 500 of course, even if we are using nat-t and talked on
    4500 already. We currently don't handle that.

* optional drop root (rekey? reconnect? vpnc-script calls?)
  - Don't drop privileges, ever, but allow to be run suid.
  - If euid != ruid, clear out env on program start.
  - Sanitize variables for vpnc-script (snarf code from
    callscript.c from dhcpclient).
  - If euid != ruid, disable command line options (but not the profile
    parameter).
  - If euid != ruid, treat profiles as filenames only. They must not
    be paths, i.e. contain PATHSEP. Read them relative to /etc/vpnc.
  - Make sure vpnc-disconnect only kills processes owned by same user.

* implement certificate support
* implement dsa certificates in hybrid mode
* Adapt lifetime (when given as time) to certificate lifetime etc
  (rfc2401, 4.4.3)
* implement main mode for phase 1 (needed to *use* certificates in
  many cases)

* factor out crypto stuff (cipher, hmac, dh)
  - http://libtomcrypt.org/features.html
  - http://www.foldr.org/~michaelw/ patch fertig
  - libgcrypt (old too?)
  - autodetect?
  - openssl??
  - relicense to gpl+ssl?

* links to packages, howtos, etc.
  - kvpnc http://home.gna.org/kvpnc/
  - vpnc+Zaurus http://users.ox.ac.uk/~oliver/vpnc.html
  - linux-mipsel (WRT54G) http://openwrt.alphacore.net/vpnc_0.3.2_mipsel.ipk
  - howto-de http://localhost.ruhr.de/~stefan/uni-duisburg.ai/vpnc.shtml

----

* DONE implement hybrid-auth
* DONE implement DPD, RFC 3706 Dead Peer Detection
* DONE --local-address
* DONE implement phase2 rekeying
* DONE support rsa-SecurID token which sometimes needs 2 IDs
* DONE add macosx support
* DONE update "check pfs setting" error message
* DONE make doing xauth optional
* DONE implement udp transport NAT-T
* DONE fix Makefile (install, DESTDIR, CFLAGS, ...)
* DONE implement udp encap via port 10.000
* DONE svn-Repository
* DONE XAUTH Domain: (empty)
* DONE check /dev/net/tun, reject /dev/tun* on linux
* DONE spawn post-connect script
* DONE ask for dns/wins servers, default domain, pfs setting, netmask
* DONE automatic handling of pfs
* DONE send version string
* DONE send lifetime in phase1 and phase2
* DONE accept (== ignore) lifetime update in phase1
* DONE load balancing support (fixes INVALID_EXCHANGE_TYPE in S4.5)
* DONE include OpenBSD support from Nikolay Sturm
* DONE memleak fix from Sebastian Biallas
* DONE fix link at alioth
* DONE include man-page
* DONE post rfcs and drafts
* DONE post link to http://www.liebchen-online.de/vpn-zaurus.html
* DONE passcode == password
* DONE support for new libgcrypt versions
* DONE make /var/run/vpnc as needed
* DONE ignore "metric10 xx"
* DONE ignore attr 32136! (Cisco extension: XAUTH Vendor)
* DONE FreeBSD supported
* DONE NetBSD supported
* DONE fix vpnc-disconnect
* DONE --verbose
* DONE hide user/pass from --debug output
* DONE don't ignore all notifies at ipsec-sa-negotation
* DONE VERSION
* DONE --pid-file
* DONE --non-interactive
* DONE fix delete message
* DONE implement ISAKMP and IPSEC SA negotiate support