*
* RCSID $Id: TODO,v 1.47 1999/04/06 04:54:23 rgb Exp $
*

Bugs as of 0.91:
test	spi --add/--del memory leak
	
Features for 1.0: klips kernel
	Dropped packet reporting
1.0		count replay errors
1.0		count bad auth
1.0		count bad padding
1.0		count bad algo
Most	Provide more useful error messages from kernel
Most	Sanitize klips headers for use above and below kernel/user I/F.
Part	#defines for kernel constants, i.e. hash function magic numbers, etc.
1.0	Clear all eroutes and spis when last ipsec device is ifconfiged down.
	Per-bundle debugging.
	Do kernel-based inbound SA detection.

Features for 1.0: klips utils
	Errors: what is wrong, where in code, what can't do, what is the fix
	Implement standard gnu command format long option names: spigrp
	Utils with useful parse errors (not generic usage txt): spigrp
	Use consistent units: i.e. hex digits, bytes or bits.
	Enable klips manual utils to use monolithic SA specifier.
		spigrp
Most	include 'ipsec' prefix in all manual utils calls in test scripts

Features for 1.0: klips documentation
	Xform to standards/doc_draft_refs mapping in source header comments
	Create HOWTO-debug_IPSEC (troubleshooting guide)
	Clarify extruded section of modes.html (i.e. no masquerading)
	mobile-ipsec

Features for 1.0: general
1.1	Audit for info leaks
1.1	Audit for specs
1.1	Audit for bugs ?!?
HS?	Make 'check' (gnu coding standard, make, make check, make install)
	Errors: when, who, to whom, what, what can't do, what is wrong, how to fix
	error reporting: (1) programmer's debugging (2) user's debugging
	GNATS DB -- HS?

Features for 2.0:
	Add PF_KEY2 to send/receive messages to/from kernel (PF_NET?)
	ICMP event to trigger pluto (via PFKEYv2)
HS?	Create user library from common user-space code (pfkey,...)
	Kernel interface documentation (this will change on PF_KEY2 and 2.2.xx)
	Add {start,up,remain}{times,bytes,pkts} to /proc/net/ipsec_spi
	Expire SAs on soft/hard time/seq/qty and signal user (pfkey)(user timeout too)
	Convert to AES algorithm I/F to be able to add algorithms. http://www.seven77.demon.co.uk/aes.htm
	Add xforms
		IPPCP-Deflate
		IPPCP-LZS (proprietary?)
	Update transforms
		AH-MD5-128 (RFC1828?)
		ESP-DES-CBC (RFC1829?)
	Bulletproof /proc/net/ipsec_spinew (use proto+IP to get new spi)
	Check for weak keys and reject (k1==k2, k2==k3) (des_is_weak_key(), des_set_odd_parity())
	Add processing for IP options in outgoing and incoming packets
		(rfc2402, 3.3.3.1.1.2, appendix A)
	Add support for userspace udp/500 blasting at selected port number. (SPD)
	Be able to use <uid>, <proto>, <sport> and <dport> in SPD.
	Force all incoming packets through IPSEC SPD check
	Separate in/out/IF SPD/SADs (rfc2401-4.4)
	Accept IP ranges (pluto or eroute?)
	Investigate PMTU (rfc2401-4.4.2, 6.1.2)
	Fragment after processing iff(DF && (effective PMTU is too small)) (rfc2401-6.1.2.2)
	Config option to accept or reject unauthenticated ICMP traffic (rfc2401-6.)
	Config option to copy DF bit to new tunnel (rfc2401-6.1.1, Appendix.B)
	Convert to new world networking which must solve current routing
		limitations (ipchains and firewalls)
	- Dynamic Assignment of the "inside" tunnel address for the road
		warrior. There's a draft on this 
		http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-01.txt
	http://www.ietf.org/internet-drafts/draft-gupta-ipsec-remote-access-01.txt
	http://www.ietf.org/internet-drafts/draft-ietf-nat-hnat-00.txt
	http://www.sandelman.ottawa.on.ca/SSW/ietf/draft-richardson-ipsec-traversal-cert-01.txt
	Port to 2.2.xx linux kernels (with ifdefs to 2.0.x)
DHR?	Port to DNSSEC
	Standardise for code portability -- standard C (ask HS)
	L2TP?
	LDAP?
	SNMPv3
3.0	Port to IPv6

*
* $Log: TODO,v $
* Revision 1.47  1999/04/06 04:54:23  rgb
* Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
* patch shell fixes.
*
*
