Tell a little bit more about security.

[tinc] / NEWS

version 1.0pre5              Feb  9 2002

* Security enhancements:

  * Added sequence number and optional message authentication code to
    the packets.

  * Configurable encryption cipher and digest algorithms.

* More robust handling of dis- and reconnects.

* Added a "switch" and a "hub" mode to allow bridging setups.

* Preliminary support for routing of IPv6 packets.

* Supports Linux, FreeBSD, OpenBSD and Solaris.


It looks like this might be the last release before 1.0.


version 1.0pre4              Jan 17 2001

* Updated documentation; the documentation now reflects the
  configuration as it is.

* Some internal changes to make tinc scale better for large
  networks, such as using AVL trees instead of linked lists for the
  connection list.  

* RSA keys can be stored in separate files if needed.  See the
  documentation for more information.

* tinc has now been reported to run on Linux PowerPC and FreeBSD x86.



version 1.0pre3              Oct 31 2000

* The protocol has been redesigned, and although some details are
  still under discussion, this is secure.  Care has been taken to
  resist most, if not all, attacks.
  
* Unfortunately this protocol is not compatible with earlier versions,
  nor are earlier versions compatible with this version.  Because the
  older protocol has huge security flaws, we feel that not
  implementing backwards compatibility is justified.

* Some data about the protocol:

  * It uses public/private RSA keys for authentication (this is the
    actual fix for the security hole).

  * All cryptographic functions have been taken out of tinc, instead
    it uses the OpenSSL library functions.

  * Offers support for multiple subnets per tinc daemon.

* New is also the support for the universal tun/tap device.  This
  means better portability to FreeBSD and Solaris.

* tinc is tested to compile on Solaris, Linux x86, Linux alpha.

* tinc now uses the OpenSSL library for cryptographic operations.
  More information on getting and installing OpenSSL is in the manual.
  This also means that the GMP library is no longer required.

* Further, thanks to Enrique Zanardi, we have Spanish messages; Matias
  Carrasco provided us with a Spanish translation of the manual.


What still needs to be done before 1.0:

* Documentation.  Especially since the protocol has changed, and a lot
  of configuration directives have been added.




version 1.0pre2              May 31 2000

* This version has been internationalized; and a Dutch translation has          
  been included.                                                                
                                                                                
* Two configuration variables have been added:                                  
  * VpnMask - the IP network mask for the entire VPN, not just our              
    subnet (as given by MyVirtualIP).  The Redhat and Debian packages           
    use this variable in their system startup scripts, but it is                
    ignored by tinc.                                                            
  * Hostnames - if set to `yes', look up the names of IP addresses              
    trying to connect to us.  Default set to `no', to prevent lockups           
    during lookups.                                                             
                                                                                
* The system startup scripts for Debian and Redhat use                          
  /etc/tinc/nets.boot to find out which networks need to be started             
  during system boot.                                                           
                                                                                
* Fixes to prevent denial of service attacks by sending random data             
  after connecting (and even when the connection has been established),         
  either random garbage or just nonsensical protocol fields.                    
                                                                                
* tinc will retry to connect upon startup, does not quit if it doesn't          
  work the first time.                                                          
                                                                                
* Hosts that are disconnected implicitly if we lose a connection get            
  deleted from the internal list, to prevent hogging eachother with             
  add and delete requests when the connection is restored.                      
                                                                                
                                                                                
What still needs to be done before 1.0:                                         
                                                                                
* Documentation.                                                                
* Failover ConnectTo lines, try another one if the first doesn't work.          




version 1.0pre1              May 12 2000
 * New meta-protocol
 * Various other bugfixes
 * Documentation updates

version 0.3.3                Feb  9 2000
 * Fixed bug that made tinc stop working with latest kernels (Guus
   Sliepen)
 * Updated the manual

version 0.3.2                Nov 12 1999
 * no more `Invalid filedescriptor' when working with multiple
   connections
 * forward unknown packets to uplink

version 0.3.1                Oct 20 1999
 * fixed a bug where tinc would exit without a trace

version 0.3                  Aug 20 1999
 * pings now work immediately
 * all packet sizes get transmitted correctly

version 0.2.26               Aug 15 1999
 * fixed some remaining bugs
 * --sysconfdir works with configure
 * last version before 0.3

version 0.2.25               Aug  8 1999
 * improved stability, going towards 0.3 now.

version 0.2.24               Aug  7 1999
 * added key aging, there's a new config variable, KeyExpire.
 * updated man and info pages

version 0.2.23               Aug  5 1999
 * all known bugs fixed, this is a candidate for 0.3

version 0.2.22               Apr 11 1999
 * multiconnection thing is now working nearly perfect :)

version 0.2.21               Apr 10 1999
 * You shouldn't notice a thing, but a lot has changed wrt key
management - except that it refuses to talk to versions < 0.2.20

version 0.2.20

version 0.2.19               Apr  3 1999
 * don't install a libcipher.so

version 0.2.18               Apr  3 1999
 * blowfish library dynamically loaded upon execution
 * included Eric Young's IDEA library

version 0.2.17               Apr  1 1999
 * tincd now re-executes itself in case of a segmentation fault.

version 0.2.16               Apr  1 1999
 * wrote tincd.conf(5) man page, which still needs a lot of work.
 * config file now accepts and tolerates spaces, and any integer base
for integer variables, and better error reporting. See
doc/tincd.conf.sample for an example.

version 0.2.15               Mar 29 1999
 * fixed bugs

version 0.2.14               Feb 10 1999
 * added --timeout flag and PingTimeout configuration
 * did some first syslog cleanup work

version 0.2.13               Jan 23 1999
 * bugfixes

version 0.2.12               Jan 23 1999
 * fixed nauseating bug so that it would crash whenever a connection
got lost

version 0.2.11               Jan 22 1999
 * framework for multiple connections has been done
 * simple manpage for tincd

version 0.2.10               Jan 18 1999
 * passphrase support added

version 0.2.9                Jan 13 1999
 * bugs fixed.

version 0.2.8                Jan 11 1999
 * a reworked protocol version
 * a ping/pong system
 * more reliable networking code
 * automatic reconnection
 * still does not work with more than one connection :)
 * strips MAC addresses before sending, so there's less overhead, and
less redundancy

version 0.2.7                Jan  3 1999
 * several updates to make extending more easy.

version 0.2.6                Dec 20 1998
 * Point-to-Point connections have been established, including
blowfish encryption and a secret key-exchange.

version 0.2.5                Dec 16 1998
 * Project renamed to tinc, in honour of TINC.

version 0.2.4                Dec 16 1998
 * now it really does ;)

version 0.2.3                Nov 24 1998
 * it sort of works now

version 0.2.2                Nov 20 1998
 * uses GNU gmp.

version 0.2.1                Nov 14 1998

 * Bare version.