Subject: KAME/NetBSD-1.4 is available
To: None <tech-net@netbsd.org>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-net
Date: 05/17/1999 12:02:01

	(please notice Reply-to line)

	Hello, this is Jun-ichiro Hagino of KAME project (which is a project
	doing IPv6/IPsec work on *BSDs).

	We start supporting NetBSD-1.4 with our KAME kits.  snapshot
	is available at ftp://ftp.kame.net/pub/kame/snap/, every Monday.
	Please visit http://www.kame.net/ for details.

itojun



To: snap-users@kame.net
From: itojun@iijlab.net
Date: Mon, 17 May 1999 11:45:16 +0900
Message-ID: <9313.926909116@coconut.itojun.org>
Reply-To: snap-users@kame.net
Subject: (KAME-snap 618) KAME SNAP 19990517
Errors-To: owner-snap-users@kame.net
Sender: owner-snap-users@kame.net

	Sorry to be late, I overslept :-)
	New SNAP kits are ready for you.

	IMPORTANT: ping6 -w is now not interoperable between past SNAP/STABLE
	kits and future KAME kits, due to IANA official icmp6 type number
	assignment. 

	- fixed ICMP6 type value for node information query/response
	  (now follows IANA assignments).  due to this change, ping6 -w
	  is NOT interoperable with past KAME SNAP kits and STABLE kits.
	- KAME/NetBSD-1.4 is now available (highly experimental).
	  KAME/NetBSD-1.3.3 will be obsoleted in a few weeks.
	- IPsec improvements (FreeBSD228 and BSDI): racoon aggressive mode
	  support, pfkey socket stabilizations, memory leak fix in SAD/SPD,
	  expire fix, IPv6 IPsec tunnel mode support, AH DoS attack avoidance
	- default multicast hoplimit can be configured by sysctl MIB
	  net.inet6.ip6.defmcasthlim.
	- explicit bind(2) to IPv6 anycast address is now prohibited, because
	  sending packets to that socket will result in packet with anycast
	  source address.  (behavior needs review and improvement)
	- IPV6_DSTOPT processing
	- ip6fw on FreeBSD3
	- sbcreatecontrol() allocates mbuf cluster if necessary.
	- v6test now works on loopback
	- dual-stack finger/fingerd (FreeBSD228)
	- port upgrade: ssh, zebra, icecast, inn

itojun


---
			CHANGELOG for KAME kit

$Id: CHANGELOG,v 1.1.2.24.2.23.2.154.2.206.2.397 1999/05/16 13:37:05 itojun Exp $

<199905>
Sun May 16 22:33:41 JST 1999  itojun@iijlab.net
	* kit/sbin/ifconfig (NetBSD 1.4): change behavior of "ifconfig
	  interface" to print all the interface address available, not just
	  inet addresses.  The behavior looks more natural to me.

Sun May 16 03:38:03 JST 1999  itojun@iijlab.net
	* sys/netinet6/in6_ifattach.c (NetBSD 1.4):
	  Add link-local address to the ethernet interfaces (and join
	  mandatory multicast groups), when the interface is made IFF_UP.
	  In NetBSD, pcmcia interfaces are not initialized until IFF_UP,
	  so there seems to be no other option.
	  Good thing is that now we do not need to call in6_ifattach() from
	  drivers.  It is of course okay to call in6_ifattach() from drivers,
	  if you are sure that the driver is properly initialized.

	  NOTE: this change may break some of the userland tools, which check
	  IPv6 interface address BEFORE bringing the interface up.

Sun May 16 01:01:24 JST 1999  itojun@iijlab.net
	* kit/pkgsrc/security/ssh, kit/ports/ssh: upgrade to 1.2.27 with
	  latest IPv6 patch.

Sun May 16 00:32:52 JST 1999  itojun@iijlab.net
	* KAME/NetBSD-1.4 is now buildable (both kernel and userland).
	* kit/usr.bin/netstat: add support for "netstat -p tcp6 -P
	  <tcp6cb address>".

Sat May 15 08:20:30 JST 1999  itojun@iijlab.net
	* kit/pkgsrc/net/zebra, kit/ports/zebra: upgrade to 0.65.

Fri May 14 21:18:45 JST 1999  itojun@iijlab.net
	* sys/netkey/key.c (BSDI, FreeBSD228): To transmit SADB_ACQUIRE
	  messages correctly from the kernel, changed the mbuf allocation
	  policy in key_sendup().  Now we allocate non-cluster mbuf chain
	  for most cases.

	  Previously we allocated cluster mbuf for most of the cases, and
	  this caused PF_KEY socket to be considered full and sbappendaddr()
	  to fail.  This is due to wasted space on cluster mbufs
	  (sbspace() checks both actual data size and mbuf area size).

Fri May 14 11:50:15 JST 1999  itojun@iijlab.net
	* sys/netinet6 (BSDI, FreeBSD228): in IPv6 IPsec, tunnel mode now
	  works as well.

	  Note: IPv6 spec suggests the originating node to process HBH option
	  on the packet from the node itself (the originating node is
	  considered as "first hop").  However, we do not do this when
	  you apply IPv6 IPsec tunnel onto the packet, since HBH option is
	  already encrypted when it is to be processed.  This should be
	  fixed, however, IMHO this is very rare case.

Thu May 13 22:56:06 JST 1999  itojun@iijlab.net
	* kit/src/v6test/v6test.c: support interface with DLT_NULL
	  bpf encapsulation (i.e. loopback interfaces).

1999-05-13  JINMEI, Tatuya  <jinmei@isl.rdc.toshiba.co.jp>
	* src/v6test/getconfig.c (make_ah): added to support
	authentication header.
	Also added some new tests in ext.conf.

Thu May 13 21:25:51 JST 1999 sakane@ydc.co.jp
	* kit/src/racoon:
	Aggressive mode was supported, but not tested sufficiently.
	XXX There must be Vendor ID in fixed place of payload.  TO BE MODIFIED.

1999-05-13  JINMEI, Tatuya  <jinmei@isl.rdc.toshiba.co.jp>
	* uipc_socket2.c (sbcreatecontrol): if a given control message
	is larger than MLEN, allocate an mbuf cluster and store the
	message into the cluster.
	Also, implemented more strict length check.
	This fix is only for FreeBSD(2 and 3) and NetBSD. A similar fix
	for BSDI was already done.

Thu May 13 20:18:37 JST 1999  shin@nd.net.fujitsu.co.jp
	* sys/netinet6/ip6_fw.c, sys/i386/conf/GENERIC.v6 (FreeBSD3.1):
	made compilable and bootable with ip6fw enabled.
	not tested well enough.

Thu May 13 20:04:35 JST 1999  itojun@iijlab.net
	* sys/netinet6/ah_core.c: drop IPv6 AH packet with too many
	  extension headers, to avoid DoS attacks.
	  Use net.inet6.ip6.hdrnestlimit to configure the number of extension
	  headers allowed.

1999-05-13  JINMEI, Tatuya  <jinmei@isl.rdc.toshiba.co.jp>
	* src/pim6dd/trace.c (accept_mtrace): added to support the
	response part of mtrace(not tested yet).

1999-05-13  JINMEI, Tatuya  <jinmei@isl.rdc.toshiba.co.jp>
	* ip6_output.c (ip6_setpktoptions): added the IPV6_DSTOPTS case,
	which allowed user to specify destination options headers for an
	outgoing packet.
	(compilable, but not tested yet)

1999-05-12  JINMEI, Tatuya  <jinmei@isl.rdc.toshiba.co.jp>
	* in6_pcb.c (in6_pcbbind): prevented binding a socket to an
	address if it's anycast, notready, detached or deprecated.

1999-05-12  JINMEI, Tatuya  <jinmei@isl.rdc.toshiba.co.jp>
	* netstat/inet6.c: sync icmp6names[] with the latest kernel.

1999-05-12  JINMEI, Tatuya  <jinmei@isl.rdc.toshiba.co.jp>
	* icmp6.h:  changed the size of icmp6stat.icp6s_{in, out}hist from
	ICMP6_MAXTYPE + 1 to 256 since the former made the kernel
	vulnerable.

1999-05-12  JINMEI, Tatuya  <jinmei@isl.rdc.toshiba.co.jp>
	* added a sysctl net.inet6.ip6.defmcasthlim, which gets or
	specifies the default hop limit for an outgoing IPv6 multicast
	packet.
	Note that BSDI users must update both kernel and kit/sbin/sysctl
	to enable the new sysctl.

Wed May 12 14:57:54 JST 1999  itojun@iijlab.net
	* kit/libexec/fingerd, kit/usr.bin/finger (FreeBSD228): finger daemon/
	  client fixed for dualstack support.

Wed May 12 14:12:44 JST 1999  itojun@iijlab.net
	* kit/ports/inn (FreeBSD228/31): IPv6-enabled netnews server,
	  version 2.2.
	  From: Satosi KOBAYASI <kobayasi@north.ad.jp>

Wed May 12 10:33:32 JST 1999  itojun@iijlab.net
	* sys/netinet6/icmp6.h: node information query/response got the
	  official ICMPv6 type, so use the official number.
	  NOTE: need recompilation in userland (ping6), and old KAME and new
	  KAME will not interoperate due to the overlap in number...

Wed May 12 02:29:13 JST 1999 sakane@kame.net
	* sys/netkey/key.c (FreeBSD228/BSDI):
	Fixed to expire SA.  It can't be sent SADB_EXPIRE message due
	to my mistake.
	Added test implement for lifetime by byte counts.
	You must be careful to set its value otherwise it causes many
	SA to be set.
		e.g.	time limit = 22896000(s)
			byte limit = 100(KB)

Tue May 11 18:48:37 JST 1999  sakane@kame.net
	* kit/ports/icecast, kit/pkgsrc/audio/icecast: upgrade to latest
	  IPv6 patch, with song name broadcasting/request hack.

Tue May 11 18:26:06 JST 1999  itojun@ijilab.net
	* sys/netkey (FreeBSD228/BSDI): strictly perform reference count on
	  SPD/SAD.  Now netkey seems to have almost no memory leaks.
	* sys/netkey/key.c, kit/src/setkey/setkey.c (FreeBSD228/BSDI):
	  throw results of SADB_DUMP and SADB_X_SPDDUMP message as separate
	  message to pfkey socket.  This should be more reasonable as each
	  of the result (for single SAD/SPD entry) has sadb_msg header.

Mon May 10 03:16:49 JST 1999  itojun@iijlab.net
	* kit/ports/zebra, kit/pkgsrc/net/zebra: upgrade to zebra 0.64.1.

Sun May  9 16:39:31 JST 1999  itojun@iijlab.net
	* kit/ports/ruby, kit/pkgsrc/lang/ruby: update to use latest IPv6
	  patch.

Sun May  9 03:51:09 JST 1999  itojun@iijlab.net
	* kit/src/racoon: get/set proper source/destination address for IKE
	  packets, using IP_RECVDSTADDR and IPv6 advanced API.
	  this is needed to support hosts with more than 1 IP addresses
	  (i.e. most of IPv6 node needs this).
	  TODO: scoped IPv6 addresses support (link-local and site-local).
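
Added example (not part of the original message or of the KAME source): a user-space model of the 1999-05-12 icmp6.h entry above, showing why a per-type histogram sized ICMP6_MAXTYPE + 1 is unsafe when the ICMPv6 type is an 8-bit wire field, and why 256 slots closes the gap. The EX_ICMP6_MAXTYPE value, the arena layout and the unchecked hist[type]++ input path are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_ICMP6_MAXTYPE 143   /* assumed value; the page does not state it */
#define ARENA_WORDS      320   /* histogram plus the data that follows it */

/* Flat arena: words [0, hist_slots) are the histogram, the rest stands in
 * for whatever the kernel placed after it in memory. */
struct arena {
    uint64_t word[ARENA_WORDS];
    size_t   hist_slots;
};

/* Assumed input path: the 8-bit type from the wire indexes the histogram
 * with no range check, i.e. hist[icmp6_type]++. */
static void count_input(struct arena *a, uint8_t icmp6_type)
{
    a->word[icmp6_type]++;
}

/* Send one packet of every possible type value; return how many words
 * outside the histogram were modified. */
size_t sweep_all_types(size_t hist_slots)
{
    struct arena a;
    size_t damaged = 0;

    memset(&a, 0, sizeof(a));
    a.hist_slots = hist_slots;
    for (unsigned t = 0; t <= UINT8_MAX; t++)
        count_input(&a, (uint8_t)t);
    for (size_t i = a.hist_slots; i < ARENA_WORDS; i++)
        damaged += (a.word[i] != 0);
    return damaged;
}

int main(void)
{
    printf("MAXTYPE+1 slots: %zu neighbouring words overwritten\n",
           sweep_all_types(EX_ICMP6_MAXTYPE + 1));
    printf("256 slots:       %zu neighbouring words overwritten\n",
           sweep_all_types(256));
    return 0;
}
```

Sizing the array to the full range of the index type removes the need for a range check on every packet; the alternative fix is to keep the smaller array and reject or clamp types above the maximum before counting.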
