Toronto 2014 meetup: Difference between revisions
Revision as of 00:54, 22 July 2014
This meetup will be held immediately after IETF-90 in Toronto.
It will be hosted by Paul Wouters.
Scheduled to attend: Antony Antony, D. Hugh Redelmeier, Matt Rogers, Tuomo Soini, Kim Heino and Paul Wouters.
Agenda items (raw)
- uncrustify discussion
- state machine revisited
- refactoring to reduce crypto boundary
- clang / coverity (add comments about false positives)
- uniqueid handling
- modp group restrictions
- OE IPsec, AUTH_NONE, left/rightauthby=, adns lookups
- CREATE_CHILD_SA
- logging function sanity
- hostpair documentation / teachings in code (and/or wiki)
- SADB userland documentation / teachings
- relations between state and connection, switching, instantiation - teaching
- CP payload (modeconfig for ikev2)
- EAP (auth for IKEv2)
- NSS and some userland IKE algo support (AES_GCM, AES_CCM, AES_CTR)
- Default proposal list (decouple v1/v2, update v2 ?)
- ike/esp parser
- parser and generic restrictions (conflicting conns loading, etc)
- CA chains
- UNH certification
- FIPS certification
- audit support and statsd
- dynamic interfacing and whack --listen / NM etc
- ADNS -> unbound
- false "can not start crypto helper: failed to find any available worker" and load (also force_busy)
- decloning code
- Resolving "warning comments", XXX TODO ???
- Fix known missing code and/or file finding missing code as a bug in the tracker
- clean up bug tracker
- retransmit timers, creating options, creating keywords, fuzzing sender/receiver, subsecond timers, retransmit fail parent state linger, 60s max?
- fix retransmit=no, fix impair-retransmit and environment variable
- when to release whack on failure (now after 20 minutes :)
- multicast ipsec - rgb has interest
- what features can be dropped or simplified?
- ipsec failover (WIP at IETF)
- NSS CRL/OCSP, phasing out /etc/ipsec.d/cacerts/
- fips failure should install %hold then fail
- "ipsec eroute" / ip xfrm xxxx replacement requirements for enduser/admin
- ipsec status "brief" command for enduser/admin
- make rpm / deb daily packages
- modularity of source files - directories
- Makefile fixes for lib/ so "make programs" updates it properly
- Makefile fixes for "make programs" when whack.c is updated
- Makefile fixes for not updating man pages when xml files did not change (put all xml in one dir?)
- kvmplutotest vs containertest
- KLIPS: what to do? namespace support? what minimal kernel version ? (note OCF)
- netkey uses pf_key, herbert wants us to stop that
- machine parsable properties for test suite description
- changing/updating testsuite for new requirements (fuzzing, nfs/9p, convert from beaker?)
- IKEv1 / IKEv2 cleanup / separation ?