Version 4.2.9

  • Flexible configuration of the logging subsystem, allowing logging to
    multiple syslog facilities or to files using fine-grained log levels for
    each target.
  • Load testing plugin to do stress testing of the IKEv2 daemon against itself
    or another host. Found and fixed issues during tests in the multi-threaded
    use of the OpenSSL plugin.
  • Added profiling code to synchronization primitives to find bottlenecks when
    running on multiple cores. Found and fixed an issue where parts of the
    Diffie-Hellman calculation acquired an exclusive lock. This greatly improves
    parallelization across multiple cores.
  • updown script invocation has been separated into a plugin of its own to
    further slim down the daemon core.
  • Separated IKE_SA/CHILD_SA key derivation process into a closed system,
    allowing future implementations to use a secured environment in e.g. kernel
    memory or hardware.
  • The kernel interface of charon has been modularized. XFRM NETLINK (default)
    and PFKEY (--enable-kernel-pfkey) interface plugins for the native IPsec
    stack of the Linux 2.6 kernel as well as a PFKEY interface for the KLIPS
    IPsec stack (--enable-kernel-klips) are provided.
  • Basic Mobile IPv6 support has been introduced, securing Binding Update
    messages as well as tunneled traffic between Mobile Node and Home Agent.
    The installpolicy=no option allows peaceful cooperation with a dominant
    mip6d daemon and the new type=transport_proxy implements the special MIPv6
    IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address
    but the IPsec SA is set up for the Home Address.
  • Implemented migration of Mobile IPv6 connections using the KMADDRESS
    field contained in XFRM_MSG_MIGRATE messages sent by the mip6d daemon
    via the Linux 2.6.28 (or appropriately patched) kernel.
