Strongswan 4.2.9

Voor het beveiligen van verbindingen over openbare netwerken kunnen verschillende protocollen worden gebruikt, zoals het veel toegepaste ipsec. Strongswan is een ipsec-implementatie voor Linux-systemen, waarvan de 4.2-vleugel zich richt op de huidige 2.6-Linux-kernel. Ondersteuning voor ikev1, ikev2 en ipv6 is aanwezig zoals op deze pagina na te lezen is. De ontwikkelaars hebben Strongswan 4.2.9 uitgebracht en van de volgende lijst van aanpassingen voorzien:

Version 4.2.9:

• Flexible configuration of logging subsystem allowing to log to multiple syslog facilities or to files using fine-grained log levels for each target.
• Load testing plugin to do stress testing of the IKEv2 daemon against self or another host. Found and fixed issues during tests in the multi-threaded use of the OpenSSL plugin.
• Added profiling code to synchronization primitives to find bottlenecks if running on multiple cores. Found and fixed an issue where parts of the Diffie-Hellman calculation acquired an exclusive lock. This greatly improves parallelization to multiple cores.
• updown script invocation has been separated into a plugin of its own to further slim down the daemon core.
• Separated IKE_SA/CHILD_SA key derivation process into a closed system, allowing future implementations to use a secured environment in e.g. kernel memory or hardware.
• The kernel interface of charon has been modularized. XFRM NETLINK (default) and PFKEY (--enable-kernel-pfkey) interface plugins for the native IPsec stack of the Linux 2.6 kernel as well as a PFKEY interface for the KLIPS IPsec stack (--enable-kernel-klips) are provided.
• Basic Mobile IPv6 support has been introduced, securing Binding Update messages as well as tunneled traffic between Mobile Node and Home Agent. The installpolicy=no option allows peaceful cooperation with a dominant mip6d daemon and the new type=transport_proxy implements the special MIPv6 IPsec transport proxy mode where the IKEv2 daemon uses the Care-of-Address but the IPsec SA is set up for the Home Adress.
• Implemented migration of Mobile IPv6 connections using the KMADDRESS field contained in XFRM_MSG_MIGRATE messages sent by the mip6d daemon via the Linux 2.6.28 (or appropriately patched) kernel.