History log of /openbsd/sbin/iked/iked.conf.5 (Results 76 – 96 of 96)
Revision Date Author Comments
# fcebd35d 08-Jan-2013 reyk <reyk@openbsd.org>

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".


# 3fbc3006 18-Sep-2012 reyk <reyk@openbsd.org>

update email addresses to match reality.
sure jsg@ mikeb@


# 5f649d51 30-Jun-2012 naddy <naddy@openbsd.org>

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@


# 32c5d67e 23-May-2012 mikeb <mikeb@openbsd.org>

fixup from/to specification


# 242e3f46 24-Apr-2012 jmc <jmc@openbsd.org>

take a stab at documenting when arguments need quoted, and valid macro
characters;

prompted by a diff from robert peichaer org

thanks gilles and henning for feedback
ok deraadt zinke


# e94a48af 18-Apr-2012 jmc <jmc@openbsd.org>

undo an error introduced by myself in previous;
spotted by Sebastian Rother


# e324319b 03-Sep-2011 jmc <jmc@openbsd.org>

make -column lists pretty again;

specifically, rewrite them to permit some markup in the column headers,
and use "Ta" instead of literal tabs; mandoc does not currently match groff
100%, but a mandoc fix may be some time off, and we've gone enough releases
with poorly formatting column lists.

in some cases i have rewritten the lists as -tag, where -column made
little sense.


# fb8186cf 19-Aug-2011 jmc <jmc@openbsd.org>

as with other list types, column lists generally do not need a Pp/-compact
construct;

this also sidesteps what seems to be a problem with mandoc, in that
"-column -compact" seems to mess up the formatting. thus these pages should
now have their lists formatted nicely (i.e. correctly aligned and with indent
applied);

as a side note, the fact that headers are not properly marked up is another
issue which will be addressed separately (a mandoc fix is needed, i think).
i have fudged a few of these to mark up properly, since the workaround does
make sense for some pages.

as another side note, i haven't fixed man7, as i need to prepare a separate
diff for kristaps and ingo.


# 1cce5391 21-Jan-2011 jmc <jmc@openbsd.org>

tweak previous;


# e2015428 21-Jan-2011 reyk <reyk@openbsd.org>

Reimplement the iked(8) policy evaluation for incoming connections to
use the last matching semantics of PF. The previous rbtree-based
implementation was broken and tried to do a longest prefix match. But
instead of prefix match and using radix-trees to fix it I decided with
mikeb@ to implement it as last matching policy evaluation. The last
matching policy wins; the "quick" keyword can enforce first matching;
additional keywords like "skip" are specific to iked(8). See
iked.conf(5) for more details.

The implementation also uses skip steps based on PF's code. It
significantly speeds up the evaluation of many policies but also adds
a little delay when loading them (only noticeable with thousands of
policies). This allows iked(8) to scale well with thousands of
configured policies but I also liked the fact to have skip steps in
another piece of code.

ok dhartmei@ for using his skip step code under the ISC license in policy.c
ok mikeb@, jmc@


# 8e9fd55a 22-Dec-2010 reyk <reyk@openbsd.org>

Tweak the grammar a little bit by requiring a "bytes" keyword before the
bytes value ("lifetime 123 bytes 456" instead of "lifetime 123 456").


# b0eeedd0 22-Dec-2010 mikeb <mikeb@openbsd.org>

child sa rekeying revamp plus numerous bugfixes;
with suggestions and OK from reyk


# 3fa77592 23-Sep-2010 mikeb <mikeb@openbsd.org>

support for aes-gcm

OK reyk


# dd7958f8 01-Jul-2010 reyk <reyk@openbsd.org>

Add support for the tap extension (ikev2 ... tap "enc1") that will
tell the kernel to send all IPsec traffic for derived SAs to the
specified enc(4) interface instead of enc0.


# 435ab53f 26-Jun-2010 reyk <reyk@openbsd.org>

Include the Id type in the generated SA tag that is passed to the
kernel, just like isakmpd does it. In difference to isakmpd, the Id
type is printed in capital letters, eg. FQDN/foo.example.com, because
it is using the existing print_map() API. For consistency, rename a
few Id types in grammar and code from the RFC-names to the
OpenBSD-style names; including RFC822_ADDR to UFQDN, IPV4_ADDR to just
IPV4, DER_ASN1_DN to ASN1_DN etc.


# 369beec1 23-Jun-2010 reyk <reyk@openbsd.org>

rename the ec groups to either ec2n or ecp (eg. ec155 -> ec2n155 or
ec521 -> ecp521). this matches the common naming for ec groups better.


# 4cb2715b 10-Jun-2010 reyk <reyk@openbsd.org>

don't print keywords as underlined arguments.


# fc20f985 10-Jun-2010 reyk <reyk@openbsd.org>

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.


# d2352e15 07-Jun-2010 jmc <jmc@openbsd.org>

various tweaks; ok reyk


# 180f0bec 03-Jun-2010 reyk <reyk@openbsd.org>

manpage tweaks


# 45ae9d61 03-Jun-2010 reyk <reyk@openbsd.org>

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

