Changes to Pluto
================

Changes since 1.4 release by D. Hugh Redelmeier <hugh@mimosa.com>

- reorganized how messages are logged.  More of the serious messages
  are distinguished with the code RC_LOG_SERIOUS and hence should
  make it through ipsec auto's filter.

- Reserve Message IDs only within their ISAKMP SA.  This eliminates
  the unbounded memory requirement when reserving them per peer.

- Pluto's retransmission logic has been improved:
  + the initial retransmission occurs after 10 seconds of silence,
    down from 30 seconds.  The theory is that this will ungum a
    lost-packet situation more quickly.
  + the delay after each retransmission is twice the delay before
    it -- exponential backoff.
  + In the special case of the first message initiating Main Mode,
    when --keyingtries is 0 (meaning unlimited retries), Pluto
    will attempt more retransmissions at the same rate (no
    exponential backoff).  This cuts down on the pointless
    busywork while a peer isn't responding.
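The schedule those three points describe, worked through in C as an added illustration (this is not Pluto's source; the names RETRANSMIT_INITIAL_SECS, constant_rate_applies and retransmit_delay are assumptions made for the example, and the unlimited Main Mode case is modelled as a constant delay):

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not Pluto code.  Times are in seconds. */
#define RETRANSMIT_INITIAL_SECS 10u   /* first retry after 10 s, down from 30 */

/* The special case from the entry above: the first message initiating
 * Main Mode, sent with --keyingtries 0 (unlimited), is retried at a
 * constant rate instead of backing off. */
int constant_rate_applies(int first_main_mode_msg, unsigned keyingtries)
{
    return first_main_mode_msg && keyingtries == 0;
}

/* Delay before retransmission number `attempt` (0 = the first retry).
 * Normal case: exponential backoff, each delay twice the previous one.
 * The shift is capped so the arithmetic cannot overflow 32 bits. */
unsigned retransmit_delay(size_t attempt, int constant_rate)
{
    if (constant_rate)
        return RETRANSMIT_INITIAL_SECS;
    if (attempt > 28)
        attempt = 28;
    return RETRANSMIT_INITIAL_SECS << attempt;
}

/* Total silence tolerated before giving up after `retries` retransmissions;
 * shows how much longer backoff waits than the constant-rate schedule. */
unsigned total_wait(size_t retries, int constant_rate)
{
    unsigned sum = 0;
    for (size_t i = 0; i < retries; i++)
        sum += retransmit_delay(i, constant_rate);
    return sum;
}

int main(void)
{
    for (int cr = 0; cr <= 1; cr++) {
        printf("%s:", cr ? "main mode, unlimited tries" : "backoff");
        for (size_t i = 0; i < 5; i++)
            printf(" %u", retransmit_delay(i, cr));
        printf("  (total %u s)\n", total_wait(5, cr));
    }
    return 0;
}
```

Five retries under backoff wait 10, 20, 40, 80 and 160 seconds (310 s in total); the constant-rate case spends 50 s over the same five retries, which is the "busywork" trade-off the entry refers to.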

- Pluto will no longer generate SPIs in the range 0x100-0xFFF.
  This has the effect of reserving this range for manual keying.
  Of course Pluto will still allow its peer to use this range.
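An added example (not Pluto's own SPI code) of what that reservation means in practice: our own SPI choice rejects the 0x100-0xFFF range and draws again, while a peer's proposed SPI is only checked for what the protocol itself forbids.  The `ipsec_spi_t` name is the one used elsewhere in these notes; the random source is a constructed, scripted sequence so the example is deterministic, and treating SPI 0 as unusable is an assumption made here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint32_t ipsec_spi_t;

/* Range this release leaves for manual keying. */
#define MANUAL_SPI_MIN 0x100u
#define MANUAL_SPI_MAX 0xFFFu

int spi_reserved_for_manual(ipsec_spi_t spi)
{
    return spi >= MANUAL_SPI_MIN && spi <= MANUAL_SPI_MAX;
}

/* Choose an SPI for our own inbound SA: draw from `rng` until a value
 * outside the manual range (and non-zero; assumption) appears.
 * Returns 0 if `max_tries` draws all fail. */
ipsec_spi_t pick_local_spi(ipsec_spi_t (*rng)(void *), void *ctx, unsigned max_tries)
{
    for (unsigned i = 0; i < max_tries; i++) {
        ipsec_spi_t spi = rng(ctx);
        if (spi != 0 && !spi_reserved_for_manual(spi))
            return spi;
    }
    return 0;
}

/* The peer may use the manual range; only 0 is refused (assumption). */
int peer_spi_acceptable(ipsec_spi_t spi)
{
    return spi != 0;
}

/* Constructed stand-in for the random generator: two draws land in the
 * reserved range, one is zero, the fourth is usable. */
static const ipsec_spi_t scripted[] = { 0x0000, 0x0200, 0x0FFF, 0x12345678 };

ipsec_spi_t scripted_rng(void *ctx)
{
    size_t *idx = ctx;
    ipsec_spi_t v = scripted[*idx % 4];
    (*idx)++;
    return v;
}

int main(void)
{
    size_t idx = 0;
    printf("local SPI chosen: 0x%08x after %zu draws\n",
           pick_local_spi(scripted_rng, &idx, 10), idx);
    printf("peer SPI 0x200 acceptable: %d\n", peer_spi_acceptable(0x200));
    return 0;
}
```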

- Fixed another bug in Road Warrior support.  In responding to Phase 2
  / Quick Mode, once the client subnets (if any) are known, Pluto must
  reselect which connection to use.  If it didn't happen to be using
  the right one already, and no ID was explicitly specified for the
  peer, and the right one is a Road Warrior connection, the right one
  would not be found.


Changes since 1.3 release by D. Hugh Redelmeier <hugh@mimosa.com>

- Pluto can now acquire a public key from DNS.  It must be told
  to do so.  Hint: --pubkeyrsa is optional when specifying keyid.

- On the Responder, if a connection is to be routed, and the peer has
  a client that is a fixed subnet, and that subnet is already routed
  for other connections, and that route conflicts, Pluto will unorient
  the old connections (deleting the SAs that depend on the old route)
  on the theory that they have been superseded.  Too bad we can't
  otherwise tell when a connection is outdated.

- Support for netlink has been removed.  We always use PFKEYV2.
  Pluto no longer #includes any kernel headers!

- Added a TODO file

- Road Warrior support is unconditionally included.  No more need to
  define ROAD_WARRIOR_FUDGE.

- Fixed bug preventing Road Warrior connections being instantiated
  during the connection reselection prompted by receipt of Phase 1 ID
  Payload [Kai Martius <kai@secunet.de>].  Fixed bug that caused Phase
  1 ID to be ignored by connection reselection prompted by receipt of
  Phase 2 client IDs.


Changes since 1.2 release by D. Hugh Redelmeier <hugh@mimosa.com>

- fixed deficiencies in id handling

- changed to use updown script for routing (and firewalling)

- In quick Mode, when Responder, avoid selecting same SPIs as
  initiator.  This prevents KEYMAT being the same in both directions.
  See Ferguson and Schneier: "A Cryptographic Evaluation of IPsec",
  http://www.counterpane.com/ipsec.pdf, 5.6 #2.

- In Quick Mode, when Responder, install inbound IPsec SA one
  message earlier.  This eliminates the chance of a message being
  sent before the SA is established.

- slight complication to RSA private key lookup rules to allow
  match to an entry with multiple identities for the host.

- support per-connection debugging flags

- more use of PFKEY (RGB+DHR)

- inbound SAs are now spigrped and an inbound IPIP SA is created
  if tunneling is used.  This is more symmetric with outbound processing
  and it allows KLIPS to check that the correct SAs are all applied.

- The way SA lifetime limits are proposed and accepted is better
  documented.  whack now complains when a specified value exceeds the
  limit.


Changes since 1.1 release by D. Hugh Redelmeier <hugh@mimosa.com>

- Updated constants to track newer IETF drafts

- added support for RSA Signature authentication
  + augmented demux.c to support packet syntax differences
    due to authentication technique.
  + preshared.c now can record RSA private keys
  + whack --keyid --pubkeyrsa records RSA public keys
  + whack --unlisten to allow a sequence of whack operations to be atomic
    with respect to IKE traffic (eg. loading public keys)
  + ipsec_doi.c will now do RSA Signature authentication
  + new policy bits are added to select authentication method (--rsasig, --psk)

- started towards more general ids (@FQDN and user@FQDN,
  in addition to IP addresses).
  + Note: there is *no* meaning attached to the id used beyond
    being an identifier.  Almost no syntax checking is done.
  + these forms of id work in:
    o ipsec.secrets indices
    o whack's --keyid for defining public keys
    o id payloads (generated and accepted)
    o --id option for each side in a connection description
  + the Id may be an IP address that isn't that of one end
    (but it must authenticate)
  + once an ID payload is received, Pluto will reconsider which
    potential connection should be used.  It makes sure that any
    authentication already done would apply to the new connection
    too.  This should make RSASIG + Road Warrior useful.

- [RGB, Peter Onion, and DHR] start of PFKEY2 support


Changes since 1.00 release by D. Hugh Redelmeier <hugh@mimosa.com>

- revamped rekeying:
  + added --rekeyfuzz; defaults to 100% so lifetime must now be
    more than twice rekeymargin
  + added rekeying for responders (but rigged to favour initiators)
  + [BUGFIX] responder of an exchange will not reinitiate
    the exchange if it does not complete
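The --rekeymargin / --rekeyfuzz arithmetic behind "lifetime must now be more than twice rekeymargin", as an added example rather than Pluto's own rekeying code.  It assumes the documented meaning of the options (the margin is randomly increased by up to rekeyfuzz percent) and uses a caller-supplied fraction in place of the random draw so the result is reproducible; the struct and function names are invented for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not Pluto source.  All times in seconds. */
typedef struct {
    unsigned lifetime;       /* negotiated SA lifetime */
    unsigned rekeymargin;    /* start replacing this long before expiry */
    unsigned rekeyfuzz_pct;  /* margin may be enlarged by up to this much */
} rekey_params;

/* With 100% fuzz the margin can double, and even the largest possible
 * margin must still fit inside the lifetime: lifetime > 2 * rekeymargin. */
int rekey_params_valid(const rekey_params *p)
{
    uint64_t max_margin =
        (uint64_t)p->rekeymargin * (100 + p->rekeyfuzz_pct) / 100;
    return p->rekeymargin > 0 && max_margin < p->lifetime;
}

/* Seconds after establishment at which an initiator starts replacing the
 * SA.  `fuzz_fraction` in [0,1] stands in for the random draw.  Returns 0
 * for parameters that fail the rule above, rather than wrapping around. */
unsigned rekey_at(const rekey_params *p, double fuzz_fraction)
{
    if (!rekey_params_valid(p))
        return 0;
    double extra = p->rekeymargin * (p->rekeyfuzz_pct / 100.0) * fuzz_fraction;
    return p->lifetime - p->rekeymargin - (unsigned)extra;
}

int main(void)
{
    /* constructed settings: one hour lifetime, nine minute margin */
    rekey_params ok = { 3600, 540, 100 };
    rekey_params bad = { 1000, 540, 100 };   /* lifetime < 2 * margin */

    printf("valid=%d earliest=%u latest=%u\n", rekey_params_valid(&ok),
           rekey_at(&ok, 1.0), rekey_at(&ok, 0.0));
    printf("valid=%d (rekey_at -> %u)\n", rekey_params_valid(&bad),
           rekey_at(&bad, 0.5));
    return 0;
}
```

With a 3600 s lifetime and 540 s margin the replacement starts somewhere between 2520 s and 3060 s after establishment; spreading it across that window is what keeps many connections from all rekeying at the same instant.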

- Renamed --rekeywindow to --rekeymargin to match ipsec.conf.
  The old name will be accepted for a while.

- improved error and debugging messages

- updated list of notification messages (but we still don't support
  them).

- In ID payload, support range representation, but only for a subnet.
  This may improve interoperability.

- scatter asterisks in debugging code to support EMACS outline mode.

- many internal changes were made to improve the code.  This should
  make it easier to add new states.  There should be few behaviour
  changes.

- whack --status now shows the SPIs for established SAs.

- [BUGFIX] DH values are now represented with the length specified by
  the group description, not the length actually needed.  About one
  time in 256, this will make a difference.  In those cases, the new
  Pluto won't interoperate with old Plutos.  It looks as if this
  change brings us in line with other IKE daemons.  Added a fudge
  (select with DODGE_DH_MISSING_ZERO_BUG) so that when a problem
  arises, a new replacement exchange is initiated (idea from John
  Gilmore).
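The two encodings that entry contrasts, side by side, as an added example (not Pluto's code; the function names are invented here).  A DH public value is a big-endian integer; the old code sent only the bytes the value needed, the new code sends exactly the group's length with zero padding on the left.  The two differ exactly when the top byte is zero, which for uniformly random values is about one time in 256.  The sample values at the bottom are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Skip leading zero bytes of a big-endian magnitude; returns the new length. */
static size_t strip_leading_zeros(const uint8_t **mag, size_t maglen)
{
    while (maglen > 0 && **mag == 0) { (*mag)++; maglen--; }
    return maglen;
}

/* New behaviour: exactly group_len bytes, zero-padded on the left.
 * Returns 0 if the value does not fit in the group's size. */
int dh_encode_fixed(const uint8_t *mag, size_t maglen, uint8_t *out, size_t group_len)
{
    maglen = strip_leading_zeros(&mag, maglen);
    if (maglen > group_len)
        return 0;
    memset(out, 0, group_len - maglen);
    memcpy(out + (group_len - maglen), mag, maglen);
    return 1;
}

/* Old behaviour: only the bytes actually needed.  Returns bytes written. */
size_t dh_encode_minimal(const uint8_t *mag, size_t maglen, uint8_t *out)
{
    maglen = strip_leading_zeros(&mag, maglen);
    memcpy(out, mag, maglen);
    return maglen;
}

/* Given n fixed-width values laid out back to back, count how many the
 * old encoding would have sent shorter (top byte zero).  That is the
 * fraction of exchanges where old and new Plutos disagree. */
size_t count_short_encodings(const uint8_t *values, size_t n, size_t group_len)
{
    size_t short_count = 0;
    for (size_t i = 0; i < n; i++)
        if (values[i * group_len] == 0)
            short_count++;
    return short_count;
}

int main(void)
{
    /* constructed 3-byte magnitude whose top byte is zero, in a 4-byte group */
    const uint8_t mag[] = { 0x00, 0x12, 0x34 };
    uint8_t out[4];

    size_t n = dh_encode_minimal(mag, sizeof mag, out);
    printf("minimal (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", out[i]);
    printf("\n");

    dh_encode_fixed(mag, sizeof mag, out, sizeof out);
    printf("fixed   (%zu bytes):", sizeof out);
    for (size_t i = 0; i < sizeof out; i++) printf(" %02x", out[i]);
    printf("\n");
    return 0;
}
```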

- [BUGFIX] whack no longer assumes that UNIX domain sockets preserve
  record boundaries (they don't).  This faulty assumption caused
  whack's exit status to be unreliable.

- [BUGFIX] pluto now correctly defaults the client subnet in a
  connection created for a Road Warrior exchange.

- [BUGFIX] Road Warrior code now supports multiple connections
  terminating in a particular Road Warrior node (allowing all
  appropriate combinations of host and subnets to be simultaneously
  connected).

- [BUGFIX] fix various peculiar Road Warrior crashes.

- [BUGFIX] fix spurious deletion of control socket when lock could
  not be acquired (Thomas Bellman <bellman@cendio.se>)

- [BUGFIX] interface discovery properly ignores non-AF_INET interfaces


Changes since .92 release by D. Hugh Redelmeier <hugh@mimosa.com>

- Communication between whack and pluto is now done using UNIX domain
  sockets.  This channel can be secured!

- liberalized ISAKMP SA acceptance.  Now anything up to and including
  16 bytes long is accepted.  How silly.

- All ISAKMP messages in UDP packets generated by pluto are now
  explicitly padded to be a multiple of 4 octets long.  This was wrong
  if certain big numbers (eg. nonces) happened to have leading zero
  octets.

- set socket option SO_REUSEADDR on pluto's whack socket.  This allows
  Pluto to quickly restart.

- Use new, consistent notation for topology:
	client===host---nexthop...nexthop---host===client

- prefix every line of status output with connection name.  This
  allows selection of output using grep.

- Replaced system's assert with passert.  This sends the diagnostic
  to syslog.

- Changed secrets file name processing to support sh-like "globbing"
  for file names.

- Where appropriate, log messages are prefixed by their connection
  name and state object serial numbers.  Connection names are quoted
  with double quotes and serial numbers are prefixed with the number
  sign (#).  Otherwise, where appropriate, log messages are prefixed
  by the IP address and port number from which the current message
  was sent.

- some attempt at making the messages more helpful
  + warnings when authentication (preshared secrets) failure is
    likely cause of the observed symptom
  + status message now highlights which SAs are the most recent
    (those are the ones that are subject to rekeying) and which are
    erouted.
  + state names are slightly improved
  + status message prints the "meaning" of a state after its name.

- the policy options of a connection (--pfs, --authenticate, --encrypt,
  but not --tunnel) now apply to negotiations being responded to.
  They continue to apply to negotiations initiated by Pluto.

- The Oakley group used for PFS in Phase 2 is dictated by the initiator.
  We used to dictate one of our choice.  To increase the chances for
  success, we now dictate the same group as was used in Phase 1.

- First, some context.  The "negotiated" lifetime of an SA is actually
  dictated by the initiator.  If the responder doesn't like this
  lifetime, it can tell the initiator in a NOTIFY message.  Pluto
  doesn't do this.  Instead, it will just expire the lifetime sooner
  than negotiated.  In the past, Pluto only initiated rekeying if it
  was the initiator.  Now, a responder Pluto will initiate rekeying if
  it is going to expire the SA earlier than negotiated.  To prevent an
  explosion of SAs, rekeying will only be done if the SA is the newest
  one for its connection.  Rekeying of IPsec SA will respect the
  security properties of the old SA at the level of policy options
  (i.e.  --pfs, --authenticate, --encrypt, --tunnel).

- Replaced --rekeytries with --keyingtries.  This option now applies
  to initial keying as well as rekeying, hence the name change.  Even
  though initial keying will now try more than once, whack logging
  will be stopped after the first attempt.  The value 0 is taken to
  mean, effectively, infinity: don't give up.


Changes since .91 release by D. Hugh Redelmeier <hugh@mimosa.com>

- A hack has been added to support mobile or anonymous initiators.

- The isakmp-secrets file has been renamed ipsec.secrets and the
  format spruced up to aid scalability.  Entries now can be shared
  between relevant machines verbatim.  An include facility was added.
  The file is now only read upon --listen commands.

- If --firewall appears on our end of a connection, Pluto will
  add a firewall rule to enable appropriate forwarding, without
  masquerading for any route it adds.  It will delete the rule
  when it deletes the route.

- When Pluto thinks whack's message is malformed, it now says so
  to whack, not just syslog.

- In addition to the messages traditionally sent back to whack,
  non-debugging messages sent to the log that relate to whack's
  current activity are copied to whack.  Whack's exit status now
  reflects the last message (if any) returned by Pluto.  This should
  allow a script to tell, for example, if an SA was established.

- top-level payload parsing has been centralized.  This should make
  it easier to add new features.  Payload ordering constraints are
  now just those required by RFC2409 (IKE).  In most cases,
  Pluto will now ignore duplicated packets.  It should recover better
  from the reception of a corrupt packet.

- Interface discovery is more clever.  It notes each configured
  interface with a name ipsec[0-9] as a virtual public interface and
  considers any interface with a different kind of name and the same
  IP address to be the corresponding real public interface.  This is
  only done when Pluto starts, so any interfaces of interest must be
  configured before then.  This feature allows Pluto to support multiple
  public networks.

- Pluto now exploits the fact that eroutes only conflict if their
  local clients AND peer clients are the same.  So we can now support
  multiple subnets behind our security gateway all talking to clients
  behind another security gateway.

- Switched to using ipsec_spi_t to represent SPIs.  In the process
  fixed a related bug found by Peter Onion.


Changes since .9 release by D. Hugh Redelmeier <hugh@mimosa.com>
[incomplete]

- Message IDs are now random, rather than counting up from 1.  This
  should help keep messages in different but simultaneous Phase 2
  exchanges from being mixed up.
- syslogged informative (i.e. debugging) messages are now prefixed
  with "| " to make them easier to ignore.
- forbid zero cookies.  Among other things, this prevents feedback
  confusing Pluto.
- Use serial numbers to cause most recent of available ISAKMP SAs
  to be chosen.  Also useful in debugging output.
- Pluto will now only listen to Whack on the loopback interface
  (important security limitation).
- implement rekeying, based on time, for ISAKMP and IPsec SAs
- Whack now talks to Pluto using TCP.  This allows status information
  to be returned to Whack.  For now, not much interesting is sent back.
  The TCP port is the *same* as the IKE port -- no longer 1 greater.
  Pluto closes the socket once the "goal" is established or the
  state object is freed.  All this will evolve.
- For SAs that were initiated by Pluto, Pluto will try to replace
  the SA before it expires.  There is a 10 minute window
  (SA_REPLACEMENT_WINDOW) in which this can occur.
- Support --peer_nexthop for initiator of ISAKMP SA.
- Support --optionsfrom <file>
- be more specific about error conditions: for each STF_FAIL,
  designate which notification message most applies.
- use these results in reporting to whack
- make whack back-talk look like FTP messages
- add and use notion of (potential) connection database.  All scripts change!
- fix handling of the variable form of attribute
- don't allow --initiate before --listen
- use new number for ESP_NULL
- demand each transform include an ENCAPSULATION_MODE attribute
- demand each AH transform include an appropriate AUTH_ALGORITHM attribute
- add not-yet-standardized OAKLEY_GROUP 5 (MODP 1536)
- since KLIPS only allows one IPsec SA to be routed to a particular
  subnet (for a peer's client), detect when a subnet is engaged.
  If we are replacing that SA, OK.  Otherwise, balk.
- [experimental] exploit the new UDP 500 hole to support host mode.
- add --route and --unroute: hysteresis in routing should prevent
  packets flowing in the clear during IPsec SA transitions.
- add --status to display the internal state of Pluto.
- deleted misleading README; other resources fulfill its role
- eliminated EVENT_CLEANUP: using EVENT_RETRANSMIT seemed more correct
- gave special meaning to combination of delete and add
- improved and documented combinations of whack command types
- improved logging
- added and used LEAK_DETECTIVE.  Fixed some leaks.


Changes between .85 and .9 release by D. Hugh Redelmeier <hugh@mimosa.com>
[incomplete]

- change pluto and whack's argument processing to use getopt_long:
  the syntax and expressive power is quite different.
- allow selection of debugging output.  Change pluto to accept
  arguments for specifying this.  Change whack and pluto to allow
  settings to change during a run.
- make most controls for debugging run-time rather than compile-time.
  This required the addition of many command line arguments (see README)
- support 3DES encryption of Oakley messages (OAKLEY_3DES_CBC)
- accept modestly long attribute values (32 bits) for
  OAKLEY_LIFE_DURATION and SA_LIFE_DURATION.


Changes between .7alpha and .85 (highlights) by D. Hugh Redelmeier <hugh@mimosa.com>

- support RH5.0 (glibc): avoid clash between
  <netinet/in.h> and <asm/byteorder.h>
- Lessons from porting to Solaris: endianness, careful typing, alignment,
  correct fd_set bugs in call_server(), correct rnd.c to use sig_atomic_t
- Makefile: add distlist target to put out names of files in distribution
- Makefile: when installing binaries, move old ones to .OLD
- add and exploit pb_stream mechanism for systematically decoding and
  encoding packets
- More flexible security policy, but still hard-wired.
- support new Oakley group (2 -- modp 1024)
- make returned IPsec proposal for acceptance a copy of winning proposal
  (as per spec)
- add and use generic interface to hash functions
- add many comments referencing the draft standards
- change all uses of stdout to use stderr instead (choice between stdout
  and stderr was haphazard)
- fix SPI stuff: Oakley and IPSEC SPIs are different beasts
- generate initial IPSEC SPI as a random number (avoid clashes)
- fix layout bug for struct isakmp_transform
- fix several dangerous memory allocation and buffer overflow errors;
  eliminate all inline uses of calloc (use a wrapper)
- avoid memory leak due to uncleared mpz variables
- general tidying and restructuring; get rid of many "magic" numbers
- de-lint everywhere (add -Wall -Wmissing-prototypes to Makefile)
- switch from BSD b* functions to ANSI mem* functions
- get rid of bitfields
- generate the correct amount of keying material (PRF feedback, if needed)
- improve get_preshared_key (new format too)
- improve handling of informational exchanges.  Still poor.
- improve tracing output
- print version information (whack and pluto)
- wherever an enum-like value is printed, print the name of the value
- make duplicate_state() duplicate the st_myidentity_type field.
- make kernel interface do required route commands
- open and close /dev/ipsec more carefully
- support separate keys for esp encryption and esp authentication
