blob: b096faa8268ecc03365086f2eb0548fc1f34a432 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
Todo-List for charon
--------------------
+ = done, / = partial, - = todo, ordered by priority
+ private key loading: der, without passphrase
+ load all private keys from ipsec.d/private/ in stroke.c
+ handle leftcert and rightcert in starterstroke.c/stroke.c
+ load specified certs in stroke.c
+ extract public keys from certs
+ public key authentication
+ release for Andreas
+ stroke loglevels
+ stroke up
+ ike_sa_manager checkout_by_hosts
+ stroke down
+ stroke output redirection
+ stroke status
+ libx509
+ new charon build - libstrong?
+ transforms
+ utils (plus host)
+ logger_manager instance in lib
+ leak detective usable for charon and pluto and anything else
+ integrate asn1 parser/oid (asn1/oid)
+ integrate basic PEM loading
+ port x509 stuff
+ doxygen cleanup (charon/lib)
+ new build environment (autotools?)
+ useable certificate support
+ more id types (use atodn from pluto)
+ rewrite certificate storage the clean way
+ further subjectAltName support
+ certificate validation/chaining
+ certificate exchange
+ Apply -W's from Makefile.program to charon
+ do ipsec status via starter
+ stroke status should show configured connections
+ stroke loglevel update
+ stroke argument parsing via getopts/gperf?
+ ipsec.secrets parsing
+ trapping
+ proper delete messages
+ notifys on connection setup failure
+ create child sa message/rekeying
+ IKE_SA rekeying
+ handle all simultaneous rekeying/delete/create cases
+ replace state machine with something more transaction oriented
+ find existing IKE_SA on CHILD_SA initiation
+ use dpdaction/dpddelay parameters from ipsec.conf
/ add firewall script support
+ do not link unneeded libraries in bins
+ include only a minimum of NATD payloads
+ implement 3DES to load encrypted pem files
+ implement a "event bus" mechanism
/ add more output to to up/down, somehow...
- detach console after first keyingtry
- proper handling of CTRL+C console detach (SIG_PIPE)
- configure flag which allows to ommit vendor id in pluto
- ikelifetime should optionally enforce reauthentication
- cookies/DDoS prevention
- implement a mechanism against thread exhaustion
when a blocked IKE_SA receives a lot of messages
- add a crl fetch mechanism which synchronizes equal fetches
- add support for CERTREQs
- proper handling of multiple certificate payloads (import order)
- add a Rekey-Counter for SAs in "statusall"
- ipsec status:
+ on one line: ip, id, spi
- no key age, rekey for IKE
- byte count
- retry transaction on failure while keyingtries > 1
|
