libopenikev2 ChangeLog
----------------------

Version 0.6 - 2011/01/19
-------------------------
    o Support for several EAP methods, for both client and server.
    
    o Lots of bugfixes.
    
    o Solved building issues for new GCC versions.

Version 0.5 - 2008/02/19
-------------------------
    o New authentication infrastructure, allowing extensibility.
    
    o Improved the configuration subsystem. Now, each peer configuration is
      selected based on the peer IP address, not on the peer ID, and it is
      maintained for the whole IKE_SA lifetime.
      
    o Improved reliability.
    
    o Lots of bugfixes.

Version 0.4 - 2007/07/27
-------------------------
    o Huge code refactoring, including:
        · Intensive use of the RAII programming idiom (autopointers, autolocks,
          autovectors...), avoiding explicit use of "delete".
        · Use of references where nothing more was needed.
        · Class name changes, avoiding the "_" as much as possible.
        · Code factorization, reusing the code for the CHILD_SA negotiation from
          the IKE_AUTH and CREATE_CHILD_SA exchanges. Also the code for
          the IKE_SA negotiation from the IKE_SA_INIT and CREATE_CHILD_SA
          exchanges has been factorized into some methods.

    o BTNS support added (that is, no authentication at all at the IKEv2
      level).

    o Lots of bug fixes.
        
Version 0.3 - 2006/08/25
-------------------------
    o All classes are now in the "openikev2" namespace to avoid name collisions
      with other libraries.
    
    o KEY_LENGTH transform attribute fixed: now it is expressed in bits, not in
      bytes.
      
    o New threading subsystem. Now there is a pool of CommandExecuter threads
      that execute IKE_SA_Controller commands. This removes the limit on
      simultaneously established IKE_SAs (previously bounded by the maximum
      number of concurrent threads supported by the OS).
      
    o Improved the IKE_SA and CHILD_SA state machines. New states have been added
      in order to detect special conditions such as exchange collisions or
      redundant SAs.
      
    o All exchange collisions that appear in the IKEv2 clarifications document
      have been covered.
      
    o Enhanced the Log subsystem. Now it has clearer and more precise output.

    o MessageController has been removed and its functionality has been
      distributed among NetworkController, ThreadController and CryptoController.
       
    o IKE and IPsec configurations are stored in the IKE_SA_Controller class
      when it is created.
      
    o Reduced the use of exceptions. They are now used only where mandatory.
    
    o Improved COOKIE mechanism: now no IKE_SA needs to be created when replying
      with a cookie notify.

    o Lots of bug fixes and optimizations.

Version 0.2 - 2006/05/25
-------------------------
    o All the address configuration methods (used in the road warrior scenario)
      are now abstract. The concrete implementations must define all the
      CONF payload related behaviour.
      
    o All the address configuration related attributes have been removed from
      the IKE_Configuration class. Now, concrete implementations must use the
      AttributeMap to define their own custom attributes.
    
    o Some bugs fixed.
    
        
Version 0.1 - 2006/05/15
-------------------------
    o Now there is a separate package for libopenikev2.
    
    o The changes listed here are against the libopenikev2 part of
      openikev2-0.9.

    o Improved the NotifyController interface in order to allow including
      notifies in the response messages even when the initiator doesn't request
      them (e.g. the reauthentication notification in the IKE_AUTH response).

    o Improved Traffic Selector creation, in order to allow better specification
      of ICMP type and code.
      
    o Improved Policy creation methods:
        
        · Better specification of ICMP type and code.
        
        · Improved the parameter order to make it more "human understandable".
        
    o Now the header files are installed in $prefix/libopenikev2.
    
    o Implemented the VENDOR payload. Now vendor information is sent and
      processed using this payload.
    
    o EAP_Controller has been split into EAP_Client_Controller and
      EAP_Server_Controller and their API has been improved.
      
    o Bugs fixed and some memory leaks removed.




OpenIKEv2 ChangeLog
-------------------
      
Version 0.9 - 2006/05/02
-------------------------
    * libopenikev2:
        o Certificate support. 
    
        o Now it's possible to indicate a different authentication method for 
          us and for the peer. In addition, we can indicate different PSK keys 
          for each peer.
         
        o A warning message appears when the 1500-byte IKE message limit is
          exceeded. If a received message exceeds 3000 bytes, the message
          is discarded.
          
        o Improved the authentication mechanism to support more authentication
          methods such as PSK, CERT, RSA, ...
          
        o Some improvements in the thread subsystem in order to make it easier
          to use.
        
        o Policies:
                · Now it is possible to indicate the policy priority at creation.
                · Now we can flush the security policy database (SPD) and the
                  SA database (SAD).
        
        o Replaced the simple "extra" attribute with a more powerful attribute
          storage mechanism (AttributeMap).
          
        o Some bugs fixed.
    
    * openikev2:
    
        o X509 certificate support and implemented the "HASH & URL" mechanism.
        
        o Some library version incompatibility problems solved.
          
        o Use of the http_fetcher library to download the certificates in the
          HASH & URL mechanism.

        o Now policies can be configured in the configuration file. This avoids
          having to use "setkey" or "ip xfrm" to set the policies.
          The policies needed to allow IKE traffic on IPv4 and IPv6 are
          installed automatically, so there is no need to indicate them in the
          configuration file. Some kinds of ICMPv6 traffic, for neighbour
          advertisements and solicitations, are also allowed.


Version 0.81 - 2006/03/30
-------------------------
    * libopenikev2:
    
        o Bug fixed in the message-to-event translation when an error notify is
          received in the EAP_INIT state.
    
    * openikev2:
    
        o Bug fixed in the main function. In background mode there was an error
          dealing with threads and mutexes.
          
        o Now openikev2 creates a file in the /var/run directory called
          openikev2.pid to avoid having multiple instances running at the same
          time on the same machine.

          
Version 0.8 - 2006/03/27
------------------------
    * libopenikev2:
        
        o Included EAP transport support. Note that all the EAP functionality
          is out of this library's scope. Concrete implementations should
          inherit from the EAP_Controller abstract class and implement the
          desired authentication method. We provide an EAP_Controller example
          using the MD5-Challenge authentication method (see openikev2).
          
        o Now the GeneralConfiguration class also has the "extra" attribute,
          which allows new general configuration attributes to be defined
          dynamically.
        
        o Some bugs fixed.
        
    * openikev2:
        
        o EAP_Controller_OpenIKE implemented. This is a very experimental EAP
          controller class using the MD5-Challenge authentication method. It
          shouldn't be used in real scenarios, since it provides no
          man-in-the-middle protection and uses a cleartext password file.
          
        o When Ctrl-C is pressed twice, openikev2 is forced to close. Sometimes,
          when Ctrl-C is pressed, openikev2 may wait a long time for an IKE_SA
          to close. If you don't want to wait for that, you can press Ctrl-C
          again in order to exit immediately.
        
        o Now the rfc822 identification type is allowed in the configuration file.
        
        o Some bugs fixed.

Version 0.74 - 2006/03/17
-------------------------
    * libopenikev2:
        
        o Adapted exchange collisions management to be compliant with the IKEv2 
          clarifications document version #07.
          
        o New notify payload management subsystem. Now it is possible to
          dynamically add new notification types and to define their processing
          behaviour from the libopenikev2 client applications (without
          recompiling libopenikev2). This may be used, for example, to extend
          openikev2 to support MOBIKE.
          
        o Added processing of notify payloads in INFORMATIONAL exchanges.
          
        o Improved INVALID_KE_PAYLOAD management in IKE_SA and CREATE_CHILD_SA
          rekeying.
          
        o Improved the dynamic address assignment subsystem. Added DHCP support
          for address assignment.
        
        o Now IKE_Configuration and IPSEC_Configuration include a hash table
          that allows new configuration attributes to be defined dynamically.
          This lets custom configuration attributes be used in the custom
          notify payload management. See the UNAME example in openikev2 for
          usage.
        
        o Log output improvements. Better legibility of the log messages.
          
        o Some bugs fixed and code cleanups.
        
    * openikev2:
        
        o NetworkControllerImpl_OpenIKE now supports obtaining an IPv4 address
          to assign from a DHCP server. In addition, when fixed addresses are
          used, it keeps a list of assigned addresses in order to avoid
          duplicate address assignments.
        
        o Now IPAddress_OpenIKE supports resolving names that represent IPv6
          addresses.
          
        o Included a new test NotifyController, called NotifyController_UNAME,
          that shows how the new notify payload management subsystem and the
          extensible configuration attributes work. It uses notification
          type 17000 and is used to send "uname" information.
        
        o Now the initial thread pool size can be specified on the command line
          using the -p option.
          
        o Some bugs fixed and code cleanups.
    
    * test:

        o Some bugs fixed and code cleanups.
    

Version 0.7 - 2006/01/18
------------------------
    * libopenikev2:
    
        o When the initiator requests a CHILD_SA rekey and the responder has
          already rekeyed or deleted that CHILD_SA, the responder sends a
          NO_ADDITIONAL_SAS notify to avoid the exchange. If the responder
          doesn't control that CHILD_SA, it sends an INVALID_SPI notification
          (Reference: "IKEv2: invalid SPI in DELETE payload", Dec 2005, IETF
          IPsec mailing list).
          
        o All needed bus events (at the moment) are now sent through the Event
          Bus. They allow receiving IKE and CHILD SA notifications using the API.
        
        o Now all the CHILD SA SPI values are represented as hexadecimal values.
        
        o Now the IKE_SA_Controller::close() method is properly implemented,
          so DELETE notifies are sent for all the CHILD SAs before closing the
          IKE_SA.
        
        o When an IKE_SA is closed without using the close() method, all
          remaining CHILD_SAs are physically deleted before deleting the IKE_SA.

        o Some bugs fixed related to address configuration code and multi-thread
          issues.
    
    * openikev2:
    
        o Now openikev2 shows its md5 checksum in the log output, in order to
          make it possible to know which version is being run.
          
        o IPSEC_Controller_PFKEYv2 has been heavily recoded. Now it can create
          and delete policies and its code is clearer.
           
        o Now the log mask can be specified in the configuration file.
        
        o An address configuration section has been added to the configuration
          file.
        
        o Now the log implementation can be specified with the "-l" option, the
          log output file with the "-o" option and the IPsec implementation with
          the "-i" option.
    
    * tests:
    
        o The test_API example has been completed. It shows how to use the
          libopenikev2 API to create and control an IKE_SA.

Version 0.62 - 2005/12/28
-------------------------
    * libopenikev2:
    
        o Fixed some race conditions when a peer requests the creation of a
          CHILD_SA and the other peer requests an IKE_SA rekey at the same time.
          We use the NO_ADDITIONAL_SAS notification (Reference: "Problem with
          exchanges collisions", Dec 2005, IETF IPsec mailing list).
          
        o When redundant IKE_SAs are created, none of them is started until
          we know which one is the winner. That one is the only one that
          inherits the CHILD_SAs.
          
        o Some other bugs fixed.
        
    * tests:
    
        o Fixed some compilation problems with test_direction.cpp
          (reported by Väisänen Teemu).

Version 0.6 - 2005/12/12
------------------------
    * libopenikev2:
    
        o Retransmission time is increased after each retransmission by a
          configurable factor.
          
        o IPSEC_Controller allows creating and deleting IPsec policies.
        
        o Better libopenikev2 and openikev2 decoupling.
        
        o Support and use of INVALID_IKE_SPI notifies.
        
        o IKE_SA_Controller has an Alarm to notify when it has been "half open"
          for too long.
          
        o Several bugs and memory leaks have been fixed.
        
        o Detection and deletion of redundant IKE_SAs.
        
    * openikev2:
    
        o Now it uses the EventBus to determine when the program must exit,
          using the ALL_SAS_CLOSED event.
          
    * tests:

        o New test_API test that shows how to use the libopenikev2 API
          inside any program to perform IKEv2 exchanges. Still not complete.

Version 0.52 - 2005/11/17
-------------------------
    * libopenikev2:
    
        o SA bundles removed to simplify the code. IKEv2 actually doesn't
          support them.
          
        o Support for Perfect Forward Secrecy in CHILD_SA creation.
                  
        o A new configuration subsystem has been included in libopenikev2. It
          allows dynamic configuration updates for the API client applications.
        
        o A new event bus subsystem is included in libopenikev2. It allows the
          API client applications to receive system events (new IKE_SA, delete
          IKE_SA, IKE_SA creation success, IKE_SA creation failure, new
          CHILD_SA...).

    * openikev2:
    
        o Finally, libconfig++ has been removed from the project. Now
          libconfuse is used to read and parse a more complex configuration file
          in openikev2.

Version 0.5 - 2005/11/15
------------------------
    * libspike:
    
        o Name changed to libopenikev2. Now the library is implementation
          independent. All concrete implementations must be kept out of the
          library.
          
        o SA bundles support.
        
        o Cookie mechanism support.
        
        o INFORMATIONAL exchange finished. Now we can delete SAs.
        
        o IKE_SA and CHILD_SA rekey support.
        
        o Detection and deletion of redundant CHILD_SAs.
        
        o Remote address configuration support (road warrior scenario).
        
        o Now all the SA lifetimes are jittered in order to avoid simultaneous
          rekeyings.

    * spike:
    
        o Name changed to openikev2. Now all the concrete implementations must
          be here (PF_KEY, POSIX Threads...).
          
        o Now IPSEC_Controller_PFKEY is independent of the libipsec library.
          
        o New IPsec concrete implementation using XFRM. This implementation
          allows narrowing but can only be used in Linux environments.
          
        o Removed the ECC support due to IPR issues.
          
        o Removed the extended MODP groups support due to IPR issues.
        
        o Now the libconfig++ library is added to the project, so there is no
          need to install it separately.

Version 0.42 - 2005/08/06
-------------------------
    * libspike:
    
        o Support of ECC groups using the borzoi library.
        
        o Support of extended MODP groups.

Version 0.4 - 2005/07/28
-------------------------
    * spike:
        
        o Now we have a simple configuration file. Use of libconfig++ to read
          and parse it.
         
        o CREATE_CHILD_SA exchange finished. Now we can add new CHILD_SAs to
          an existing IKE_SA.

Version 0.32 - 2005/07/11
-------------------------
    * libspike:
    
        o Support of transport mode.
     
Version 0.3 - 2005/05/05
------------------------
    * libspike:
    
        o First IKE_SA_INIT + IKE_AUTH exchange success. Only tunnel mode.
        
        o IPv6 support added and tested.

Version 0.22 - 2005/04/25
-------------------------
    * libspike:
        
        o IKE_SA_INIT exchange finished.
        
        o Designed a configuration subsystem.
        
Version 0.2 - 2005/03/03
-------------------------
    * spike:
    
        o Translated to English.
        
        o Split into libspike (all classes), spike (main program) and test.
        
        o Implemented a lot of classes.
        
        o Still without functionality.
        
Version 0.1 - 2005/01/31
------------------------
    * spike:
    
        o Project begins.
        
        
