Toronto 2014 meetup: Difference between revisions

From Libreswan
Line 33: changed agenda items in this revision (unchanged context items are omitted here; the full list is in the revision shown below)

  • was: ADNS -> unbound
    now: ADNS helpers,eventloop -> libunbound,libevent
  • was: Resolving "warning comments", XXX TODO ???
    now: Resolving "warning comments", markers like "paul ZZZ XXX TODO ???"
  • added: cleanup/explain/delete/justify #if 0
  • was: Fix known missing code and/or file finding missing code as a bug in the tracker
    now: Fix known missing code and/or file finding missing code as a bug in the tracker. link comments and bug#
  • was: cleanup tbug tracker
    now: cleanup bug tracker
  • was: retransmit timers, creating options, creating keywords, fuzzing sender/receivier, subsecond timers, retransmit fail parent state linger, 60s max?
    now: retransmit timers, creating options, creating keywords, fuzzing sender/receiver, subsecond timers, retransmit fail parent state linger, 60s max?
  • was: fix retransitmit=no, fix impair-retransmit and environment variable
    now: fix retransmit=no, fix impair-retransmit and environment variable
  • added: re-inventory of rekey margin/timing/fuzz/counter parameters (and others). Which should be removed from user config?
  • removed: what features can be dropped or simplified?
  • was: NSS CRL/OCSP, phasing out /etc/ipsec.d/cacerts/
    now: NSS CRL/OCSP, phasing out /etc/ipsec.d/cacerts/ (for matt)
  • removed: "ipsec eroute" / ip xfrm xxxx replacement requirements for enduser/admin
  • removed: ipsec status "brief" command for enduser/admin

Revision as of 03:11, 26 July 2014

This meetup will be held immediately after IETF-90 in Toronto.

It will be hosted by Paul Wouters

Scheduled to attend: Antony Antony, D. Hugh Redelmeier, Matt Rogers, Tuomo Soini, Kim Heino and Paul Wouters

Agenda items (raw)

  • uncrustify discussion
  • state machine revisited
  • Simplifying the IKEv2 by expanding the state machine
  • refactoring to reduce crypto boundary
  • clang / coverity (add comments about false positives)
  • uniqueid handling
  • modp group restrictions
  • OE IPsec, AUTH_NONE, left/rightauthby=, adns lookups
  • CREATE_CHILD_SA
  • logging function sanity
  • hostpair documentation / teachings in code (and/or wiki)
  • relations between state and connection, switching, instantiation - teaching
  • CP payload (modeconfig for ikev2)
  • EAP (auth for IKEv2)
  • NSS and some userland IKE algo support (AES_GCM, AES_CCM, AES_CTR)
  • Default proposal list (decouple v1/v2, update v2 ?)
  • SADB userland documentation / teachings
  • ike=/esp= parser
  • parser and generic restrictions (conflicting conns loading, etc)
  • CA chains
  • UNH certification
  • FIPS certification
  • TAHI tests
  • audit support and statsd
  • dynamic interfacing and whack --listen / NM / libevent select loop replacement
  • ADNS helpers, eventloop -> libunbound, libevent
  • false "can not start crypto helper: failed to find any available worker" and load (also force_busy)
  • decloning code
  • Resolving "warning comments", markers like "paul ZZZ XXX TODO ???"
  • cleanup/explain/delete/justify #if 0
  • Fix known missing code and/or file finding missing code as a bug in the tracker. link comments and bug#
  • cleanup bug tracker
  • retransmit timers, creating options, creating keywords, fuzzing sender/receiver, subsecond timers, retransmit fail parent state linger, 60s max?
  • fix retransmit=no, fix impair-retransmit and environment variable
  • re-inventory of rekey margin/timing/fuzz/counter parameters (and others). Which should be removed from user config?
  • when to release whack on failure (now after 20 minutes :)
  • multicast ipsec - rgb has interest
  • ipsec failover (WIP at IETF)
  • NSS CRL/OCSP, phasing out /etc/ipsec.d/cacerts/ (for matt)
  • fips failure should install %hold then fail
  • make rpm / deb daily packages
  • modularity of source files - directories
  • Makefile fixes for lib/ so "make programs" updates it properly
  • Makefile fixes for "make programs" when whack.c is updated
  • Makefile fixes for not updating man pages when xml files did not change (put all xml in one dir?)
  • kvmplutotest vs containertest
  • KLIPS: what to do? namespace support? what minimal kernel version? (note OCF)
  • netkey uses pf_key, herbert wants us to stop that
  • machine parsable properties for test suite description
  • changing/updating testsuite for new requirements (fuzzing, nfs/9p, convert from beaker?)
  • IKEv1 / IKEv2 cleanup / separation ?
  • NS and ipsec.secrets :RSA entries (obsolete, remove?)