+strongswan-4.1.1
+----------------
+
+- Server side cookie support. If to may IKE_SAs are in CONNECTING state,
+ cookies are enabled and protect against DoS attacks with faked source
+ addresses. Number of IKE_SAs in CONNECTING state is also limited per
+ peer address to avoid resource exhaustion. IKE_SA_INIT messages are
+ compared to properly detect retransmissions and incoming retransmits are
+ detected even if the IKE_SA is blocked (e.g. doing OCSP fetches).
+
strongswan-4.1.0
----------------
!
Apr ! - PRF in CHILD_SA rekeying
! - configuration managament refactoring
- ! - interface in charon for the new SMP management interface
+ ! - credentials backend redesign
+ ! - interface in charon for the XML based SMP management interface
! - reimplement IKEv2 p2p NATT support
!
- May ! - XML configuration interface
+ May ! - SMP configuration client
!
Jun ! - start with IKEv1 migration strategy
!
- configure flag which allows to ommit vendor id in pluto
- reduce printf handlers count to 10, as uClibc does not support more
-Denail of service
------------------
-- Cookie support on server
-- thread exhaustion (multiple messages to a single IKE_SA)
-
Certificate support
-------------------
- New trustchain mechanism?
----
- PFS support for creating/rekeying CHILD_SAs
- Address pool/backend for virtual IP assignement
+- fix iterator->insert_before/after