diff options
Diffstat (limited to 'src/pluto/TODO')
-rw-r--r-- | src/pluto/TODO | 129 |
1 files changed, 129 insertions, 0 deletions
diff --git a/src/pluto/TODO b/src/pluto/TODO new file mode 100644 index 000000000..7db4a9ebc --- /dev/null +++ b/src/pluto/TODO @@ -0,0 +1,129 @@ +Pluto TODO list +=============== +RCSID $Id: TODO,v 1.1 2004/03/15 20:35:28 as Exp $ + +- should all log entries that are for errors say ERROR? + +- Add a "plug-in" facility so that others can add features without + changing the mainline code. This is how X509/LDAP/biometric stuff + might be added. + +- (internal change only) routines for outputting payloads should plug + "np" into the previous payload so that a payload generating routine + need not know what the next payload will be. This may be more bother + than it is worth. + +- notifications, in and out + + delete + + first contact + + last contact? (not part of drafts, but would be nice) + +- Make DNS usage for asynchronous (non-blocking) + + looking up KEY and TXT records during negotiation + + perhaps not for whack command arguments and ipsec.secrets since the + library code uses gethostbyname + +- check that ipsec auto and whack to agree on what is worth reporting + +- Should Pluto (rather than ipsec manual) install %passthrough conns? + That way Pluto would know of them. + +- For responding to Road Warriors, how can we decide if the RW has + gone away? The rekeying event is perhaps too imprecise. Even if + rekeying event is good enough, how do we know if the route should be + torn down? Perhaps limiting a Phase 1 ID to one IP address would + help (limiting a client subnet to one peer already helps). Perhaps + (in some rate-limited way) we can take an ICMP host unreachable + as a hint to do some authenticated and reliable probe. + +- it is annoying that Pluto and auto have different models for public keys. + + auto specifies one per connection + + Pluto allows one to be specified per id + Two connections with the same id are going to use the same key: + the one of the last conn to be added! + + I think auto ought to be fixed. It is hard for Pluto to warn when + there is a conflict since the deletion of a connection doesn't + prompt auto to tell pluto to delete the public key. + +- different connections with the same host IP addresses are randomly + interchangeable until the ID payload is received. At least for the + Responder case (and eventually for the opportunistic Initiator). + Worse, all Road Warriors must be considered to have the + indistinguishable IP addresses. This affects ISAKMP SA negotiation. + Currently, there is little flexibility in this negotiation, so the + problem is limited to the specification of acceptable authentication + method(s). Correct, but more work than seems worthwhile, would be + to select the conn based on what is proposed. + + Warning about such confusion at connection definition time isn't great + because there is no confusion when explicitly initiated (a particular + conn is specified). Warning for a Road Warrior conn is possible + since it cannot be initiated (and has been implemented). + +- characterize and ameliorate DOS attacks. Lots of rate limiting. + +- look at John Denker's wish list: http://www.quintillion.com/moat/wish.list + +- use of random numbers needs to be audited. + +- unknown (not just unimplemented) transforms cause a negotiation to + fail. Only the transform should be rejected. + +- we need better policy control. Our present flags need to be + modulated (forbid, allow, offer, require) + +- HS will specify how --copyright and --version should behave + +- HS will initiate project-wide terminology replacing ISAKMP SA, IPSEC + SA, Protection Suite, Phase 1, Main Mode, Phase 2, Quick Mode, ... + Simplicity and clarity will be a goal. + +- interface discovery ought to match what is specified in ipsec.conf. + This probably means grokking /proc/net/ipsec_tncfg. Documented in + ipsec_tncfg(5). This won't do for Hugh's debugging setup. + + +Protocol Issues +=============== + +Notification and delete payloads seem to be "escape hatches" for the +protocols. As such, anything implemented using them seems to be +kludged without being well designed or well situated or well +constrained in the protocols. Often the precise meaning (if any) or +usage is under specified. An implementation is allowed to ignore +them, so they cannot really matter (but they too often do). Their +specification ought to be scrutinized by a protocol guru. + +Any extra payload in last main mode message is not protected (not +authenticated by hash). + +Should notification payloads be interpreted before or after the normal +payloads (i.e. understood in the context of, executed in the context of). + +What is the precise result of an INITIAL_CONNECTION? What is a +"system" (eg. does Phase 1 Identity count)? What is "earlier" or +"before" (simultaneous negotiation is possible, with time being only a +partial order)? Could it be used for FINAL_CONTACT (needed too)? + +Blasting out a pile of UDP messages, especially to a particular +destination, is likely to provoke message loss. The exchanges are +just that, so they individually are self-throttling. But what about +multiple exchanges simultaneously? What about notifications (example: +when shutting down, a flurry of delete notifications are likely). +Should the RFCs be designed to protect against this problem? + +draft-jenkins-ipsec-rekeying-03.txt rekeying is way too complicated. +Our solution looks sound and simple (we have the Responder install the +incoming IPSEC SA before sending its first reply). In "2.2.1.4 +Responder Pre-Set-up Security Hole", the draft claims that setting up +the IPSEC SA early leaves the Responder open to replay attacks. I +think that this is wrong: the Message Id, since it must not be reused, +serves to prove that this isn't a replay. + +The details for notification messages suggested by +draft-ietf-ipsec-notifymsg-02.txt are over-complicated, just to make +them machine-comprehensible. I think this is over-engineering, +justified only if another level of negotiation is contemplated (ugh!). +Plain text is probably sufficient for informing humans (I admit that +there is a problem with I18N). |