[apple/ipsec.git] / ipsec-tools / racoon / Documents / TODO

$KAME: TODO,v 1.36 2001/09/19 09:41:39 sakane Exp $

Please send any questions or bug reports to snap-users@kame.net.

TODO list

URGENT
o The documents for users convenience.
o split log file based on client.  printf-like config directive, i.e.
  "logfile racoon.%s.log", should be useful here.
  -> beware of possible security issue, don't use sprintf() directly!
     make validation before giving a string to sprintf().
o save decrypted IKE packet in tcpdump format
o IPComp SA with wellknown CPI in CPI field.  how to handle it?
o better rekey

MUST
o multiple certificate payload handling.
o To consider the use with certificate infrastructure.  PXIX ???
o kmstat should be improved.
o Informational Exchange processing properly.
o require less configuration.  phase 2 is easier (as kernel presents racoon
  some hints), phase 1 is harder.  for example,
  - grab phase 2 lifetime and algorith configuration from sadb_comb payloads in
    ACQUIRE message.
  - give reasonable default behavior when no configuration file is present.
  - difficult items:
	how to guess a reasonable phase 1 SA lifetime
		(hardcoded default?  guess from phase 2 lifetime?)
	guess what kind of ID payload to use
	guess what kind of authentication to be used
	guess phase 1 DH group (for aggressive mode, we cannot negotiate it)
	guess if we need phase 2 PFS or not (we cannot negotiate it. so
		we may need to pick from "no PFS" or "same as phase 1 DH group")
	guess how we should negotiate lifetime
		(is "strict" a reasonable default?)
	guess which mode to use for phase 1 negotiation (is main mode useful?
		is base mode popular enough?)
o more acceptable check.

SHOULD
o psk.txt should be a database? (psk.db?)  psk_mkdb?
o Dynamically retry to exchange and resend the packet per nodes.
o To make the list of supported algorithm by sadb_supported payload
  in the SADB_REGISTER message which happens asynchronously.
o fix the structure of ph2handle.
  We can handle the below case.

  node A                            node B
    +--------------SA1----------------+
    +--------------SA2----------------+

  at node A:
  kernel
    acquire(A-B) ------> ph2handle(A=B) -----> ph1handle
                              |
                            policy
                             A=B
                             A=B

  But we can not handle the below case because there is no x?handle.

  node A                            node B                           node C
    +--------------SA1----------------+
    +------------------------------------------------SA2---------------+

  at node A:
  kernel
    acquire(A-C) ---+---> x?handle ---+---> ph2handle(A=B) -------> ph1handle
                    |        |        |
    acquire(A-B) ---+      policy     +---> ph2handle(A=C) -------> ph1handle
                            A=B
                            A=C

o consistency of function name.
o deep copy configuration entry to hander.  It's easy to reload configuration.
o don't keep to hold keymat values, do it ?
o local address's field in isakmpsa handler must be kicked out to rmconf.
o responder policy and initiator policy should be separated.
o for lifetime and key length, something like this should be useful.
  - propose N
  - accept between X and Y
o wildcard "accept any proposal" policy should be allowed.
o replay prevention
  - limited total number of session
  - limited session per peer
  - number of proposal
o full support for variable length SPI.  quickhack support for IPComp is done.

MAY
o Effective code.
o interaction between IKE/IPsec and socket layer.
  at this moment, IKE/IPsec failure is modeled as total packet loss to other
  part of network subsystem, including socket layer.  this presents the
  following behaviors:
  - annoyingly long timeouts on tcp connection attempt, and IKE failure;
    need to wait till tcp socket timeouts.
  - blackhole if there's mismatching SAs.
  we may be able to give socket layer some feedback from IKE/IPsec layer.
  still not sure if those make sense or not.
  for example:
  - send PRU_HOSTDEAD to sockets if IKE negotiation failed
    (sys/netkey/key.c:key_acquire2)
    to do this, we need to remember which ACQUIRE was caused by which socket,
    possibly into larval SAs.
  - PRU_QUENCH on "no SA found on output"
  - kick tcp retransmission timer on first SA establishment
o IKE daemon should handle situations where peer does not run IKE daemon
  (UDP port unreach for port 500) better.
  should use connected UDP sockets for sending IKE datagrams.
o rate-limit log messages from kernel IPsec errors, like "no SA found".

TO BE TESTED.
o IKE retransmit behavior
	see, draft-*-ipsec-rekeying*.txt
o Reboot recovery (peer reboot losing it's security associations)
	see, draft-*-ipsec-rekeying*.txt
o Scenarios
	- End-to-End transport long lived security associations
	  (over night, data transfer >1Gb) with frequent dynamic rekey
	- End-to-GW tunnel long lived security associations
	  (over night, data transfer >1Gb) with frequent dynamic rekey
	- Policy change events while under SA load
	- End-to-End SA through IPsec tunnels, initiation both ways
	- Client End-to-End through client-to-GW tunnel SA, initiate from
	  client for tunnel, then initiation both ways for end-to-end
	- Client-to-GW transport SA for secure management
o behavior to receive multiple auth method proposals and AND proposal

and to be written many many.
Commit	Line	Data
52b7d2ce A	1	$KAME: TODO,v 1.36 2001/09/19 09:41:39 sakane Exp $
	2
	3	Please send any questions or bug reports to snap-users@kame.net.
	4
	5	TODO list
	6
	7	URGENT
	8	o The documents for users convenience.
	9	o split log file based on client. printf-like config directive, i.e.
	10	"logfile racoon.%s.log", should be useful here.
	11	-> beware of possible security issue, don't use sprintf() directly!
	12	make validation before giving a string to sprintf().
	13	o save decrypted IKE packet in tcpdump format
	14	o IPComp SA with wellknown CPI in CPI field. how to handle it?
	15	o better rekey
	16
	17	MUST
	18	o multiple certificate payload handling.
	19	o To consider the use with certificate infrastructure. PXIX ???
	20	o kmstat should be improved.
	21	o Informational Exchange processing properly.
	22	o require less configuration. phase 2 is easier (as kernel presents racoon
	23	some hints), phase 1 is harder. for example,
	24	- grab phase 2 lifetime and algorith configuration from sadb_comb payloads in
	25	ACQUIRE message.
	26	- give reasonable default behavior when no configuration file is present.
	27	- difficult items:
	28	how to guess a reasonable phase 1 SA lifetime
	29	(hardcoded default? guess from phase 2 lifetime?)
	30	guess what kind of ID payload to use
	31	guess what kind of authentication to be used
	32	guess phase 1 DH group (for aggressive mode, we cannot negotiate it)
	33	guess if we need phase 2 PFS or not (we cannot negotiate it. so
	34	we may need to pick from "no PFS" or "same as phase 1 DH group")
	35	guess how we should negotiate lifetime
	36	(is "strict" a reasonable default?)
	37	guess which mode to use for phase 1 negotiation (is main mode useful?
	38	is base mode popular enough?)
	39	o more acceptable check.
	40
	41	SHOULD
	42	o psk.txt should be a database? (psk.db?) psk_mkdb?
	43	o Dynamically retry to exchange and resend the packet per nodes.
	44	o To make the list of supported algorithm by sadb_supported payload
	45	in the SADB_REGISTER message which happens asynchronously.
	46	o fix the structure of ph2handle.
	47	We can handle the below case.
	48
	49	node A node B
	50	+--------------SA1----------------+
	51	+--------------SA2----------------+
	52
	53	at node A:
	54	kernel
	55	acquire(A-B) ------> ph2handle(A=B) -----> ph1handle
	56	\|
	57	policy
	58	A=B
	59	A=B
	60
	61	But we can not handle the below case because there is no x?handle.
	62
	63	node A node B node C
	64	+--------------SA1----------------+
65	+------------------------------------------------SA2---------------+
66
67	at node A:
68	kernel
69	acquire(A-C) ---+---> x?handle ---+---> ph2handle(A=B) -------> ph1handle
70	\| \| \|
71	acquire(A-B) ---+ policy +---> ph2handle(A=C) -------> ph1handle
72	A=B
73	A=C
74
75	o consistency of function name.
76	o deep copy configuration entry to hander. It's easy to reload configuration.
77	o don't keep to hold keymat values, do it ?
78	o local address's field in isakmpsa handler must be kicked out to rmconf.
79	o responder policy and initiator policy should be separated.
80	o for lifetime and key length, something like this should be useful.
81	- propose N
82	- accept between X and Y
83	o wildcard "accept any proposal" policy should be allowed.
84	o replay prevention
85	- limited total number of session
86	- limited session per peer
87	- number of proposal
88	o full support for variable length SPI. quickhack support for IPComp is done.
89
90	MAY
91	o Effective code.
92	o interaction between IKE/IPsec and socket layer.
93	at this moment, IKE/IPsec failure is modeled as total packet loss to other
94	part of network subsystem, including socket layer. this presents the
95	following behaviors:
96	- annoyingly long timeouts on tcp connection attempt, and IKE failure;
97	need to wait till tcp socket timeouts.
98	- blackhole if there's mismatching SAs.
99	we may be able to give socket layer some feedback from IKE/IPsec layer.
100	still not sure if those make sense or not.
101	for example:
102	- send PRU_HOSTDEAD to sockets if IKE negotiation failed
103	(sys/netkey/key.c:key_acquire2)
104	to do this, we need to remember which ACQUIRE was caused by which socket,
105	possibly into larval SAs.
106	- PRU_QUENCH on "no SA found on output"
107	- kick tcp retransmission timer on first SA establishment
108	o IKE daemon should handle situations where peer does not run IKE daemon
109	(UDP port unreach for port 500) better.
110	should use connected UDP sockets for sending IKE datagrams.
111	o rate-limit log messages from kernel IPsec errors, like "no SA found".
112
113	TO BE TESTED.
114	o IKE retransmit behavior
115	see, draft--ipsec-rekeying.txt
116	o Reboot recovery (peer reboot losing it's security associations)
117	see, draft--ipsec-rekeying.txt
118	o Scenarios
119	- End-to-End transport long lived security associations
120	(over night, data transfer >1Gb) with frequent dynamic rekey
121	- End-to-GW tunnel long lived security associations
122	(over night, data transfer >1Gb) with frequent dynamic rekey
123	- Policy change events while under SA load
124	- End-to-End SA through IPsec tunnels, initiation both ways
125	- Client End-to-End through client-to-GW tunnel SA, initiate from
126	client for tunnel, then initiation both ways for end-to-end
127	- Client-to-GW transport SA for secure management
128	o behavior to receive multiple auth method proposals and AND proposal
129
130	and to be written many many.
131