Version 4.2.9¶
- Flexible configuration of logging subsystem allowing to log to multiple
syslog facilities or to files using fine-grained log levels for each target.
- Load testing plugin to do stress testing of the IKEv2 daemon against self
or another host. Found and fixed issues during tests in the multi-threaded
use of the OpenSSL plugin.
- Added profiling code to synchronization primitives to find bottlenecks if
running on multiple cores. Found and fixed an issue where parts of the
Diffie-Hellman calculation acquired an exclusive lock. This greatly improves
parallelization to multiple cores.
- updown script invocation has been separated into a plugin of its own to
further slim down the daemon core.
- Separated IKE_SA/CHILD_SA key derivation process into a closed system,
allowing future implementations to use a secured environment in e.g. kernel
memory or hardware.
- The kernel interface of charon has been modularized. XFRM NETLINK (default)
and PFKEY (--enable-kernel-pfkey) interface plugins for the native IPsec
stack of the Linux 2.6 kernel as well as a PFKEY interface for the KLIPS
IPsec stack (--enable-kernel-klips) are provided.
- Basic Mobile IPv6 support has been introduced, securing Binding Update
messages as well as tunneled traffic between Mobile Node and Home Agent.
The installpolicy=no option allows peaceful cooperation with a dominant
mip6d daemon and the new type=transport_proxy implements the special MIPv6
IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address
but the IPsec SA is set up for the Home Adress.
- Implemented migration of Mobile IPv6 connections using the KMADDRESS
field contained in XFRM_MSG_MIGRATE messages sent by the mip6d daemon
via the Linux 2.6.28 (or appropriately patched) kernel.