ToDo list for NetSPoC, a Network Security Policy Compiler

- Internally we have a large code base for approving the generated
  code to  real devices and for comparing if the device
  configuration has changed. Open source his code as well.

- Add documentation for objects owner, admin and attribute visible.

- Add more documentation for crypto tunnels with different
  authentication methods (certificate, preshared key).

- Describe syntax of host:id for vpn3k devices. 

- Automatically add an internal rule which allows radius trafic from
  router of type vpn3k to its radius hosts.

- Look if check_any_src/dst_rule works correctly at the endpoint of
  crypto tunnels.

- Don't silently ignore rules for interfaces of vpn3k.

- Crypto: Read pairs of [ address preshared_key ] from a separate file.

- ISAKMP: Add attribute for keepalive (= DPD, Dead Peer Detection)
  and NATT-keepalive.

- When implementing crypto rules with "any" as src or dst there may be a
  problem for path_walk to find the matching tunnel, because some network is
  choosen as representative for the "any" object. Possible workaround:
  restrict tunnel endpoint to managed interface for this situation.

- If a rule is affected by dynamic NAT and service has a defined source port,
  source port must be changed to unrestricted (1..65535).

- Add documentation for dynamic NAT of multiple networks to a single address
  space. Work out code generation for this case. Check that hosts of different
  networks aren't statically translated to the same IP address.

- Add more documentation and examples for global NAT definitions.

- Add documentation for automatically generated deny rules which prevent
  unwanted access to interfaces of managed routers.

- PIX statics: For nat/global it isn't correct to look at the dst-networks
  of a rule. Instead we should use src-networks.
  Current results are only correct, because there are rules for both
  directions most of the time.

- Protect own interfaces: currently with NAT; is that ok?
  Do we need additional protection for the original IP addresses?

- Code which uses internal attributes 'managed_intf' and 'deleted' is ugly.

- Documentation: add examples for network address translation and path
  restriction. 

- We have a HTML interface for NetSPoC including a graphical representation of
  the topology, using the graphviz library (http://www.graphviz.org/). Need to
  publish this as open source.

- Generate NAT code for other devices than PIX.

- Documentation: loops / cyclic graphs.

- Currently there is a small problem if an interface is used as
  destination of a rule and if there is a path restriction at the same
  interface: access to the interface would be denied, because the
  interface is located inside the router behind the restricting
  interface, but routing for this interface would be generated because
  the interface having an IP of it's network, is located before the
  restricting interface.
  Possible solution: Generate only a host route for an interface.

- Refine code generation for 'deny any' rules. Currently, not only the access
  from / to a security domain is restricted, but for all network objects on
  the path to dst / from src.

============================================================================
Done:
============================================================================

- crypto access-group: Are rules stateful for IOS_FW?

- crypto ACLs: Are they always stateless? For PIX? For racoon?
  Do we need to automatically generate crypto ACLs for answer packets?

- crypto_match: Are deny rules from policies are handled correctly?

- crypto: Add support for crypto rules with action = "deny".

- crypto: Add support for crypto rules with "any" object as src or dst.

- crypto: We are using path_walk to distribute crypto rules to crypto tunnels.
  Do we always get correct and determinstic results 
  if there are nested tunnels? Do we detect this situation?

- Bug with 'any' objects und path_walk: for cyclic topologies there are cases
  where not all possible paths are found. This is, because we randomly pick
  some network from the 'any' object and use this as source or destination.

- find_active_routes_and_statics: 
  why use different get_path and get_networks for source and destination
  if later source and destination are swapped anyway?

- Add a check for this situation: If network A is subnet of network B 
  then B must not have hosts inside the address space of A.

- Automatically add a pathrestriction for all interfaces belonging to a single
  {virtual} IP address.

- Add syntax for secondary interface.

- NAT domains should get a name, which is derived from NAT tags.
  This would be more understandable in error messages. Currently we
  use the name of some arbitrary network out of the NAT domain.
  ==> Name of NAT domain isn't used any longer in error messages,
      but only in debug statements. The name of the NAT tag is used instead.

- path_walk: If path starts with a loop, we currently assume, there is at
  least one acyclic part before the next loop starts. Is this always true?
  May two loops be directly adjacent?

- Definition of and code generation for IPSec tunnels. 

- HSRP / VRRP: Implementation is incomplete. We only use 'virtual' interfaces
  to get correct routing. But additionally we have to permit multicast
  packets for HSRP / VRRP like we do for dynamic routing protocols.

- HSRP / VRRP: We got asked if the group ID may be specified at virtual
  interface definitions. If group IDs are managed by NetSPoC, a user
  wouldn't use duplicate group numbers accidently.
  To implement this, we would have to change or extend syntax for virtual
  interfaces. 

- Check for duplicate IP addresses or subnet relation even for
  networks with NAT.

- Security domain with only unnumbered networks: We would try to get the  
  first element of an undefined array in get_path. Fixed.

- For a rule with src outside of a loop and dst inside or behind the
  loop, we get duplicate ACLs at the router, where packets from src
  enter the loop.
  Solved by local optimization.

- Too many duplicate 'any' acls for routers inside a loop.
  Disable optimization for 'any' rules inside of loops more selectivly.
  Solved by local optimization.

- Add support for nested loops and path restrictions.

- Support of virtual IP addresses for HSRP / VRRP

- Extend language to easily denote all managed devices
  (e.g. interface:[managed].[all])

- Extend language to easily denote the interface 'on the right side'
  to src or dst (e.g. interface:router.[auto])

- Make NetSPoC aware of network address translation
  - dynamic with pools
  - static for hosts and networks

- Problem with stateless routers and optimization:
  We use IP > TCP during optimization, but we don't automatically
  allow answer packets for IP rules. This may result in missing 
  ACLs for TCP answer packets after optimization.
  Solution: rules for stateless routers are handled separately internally.

- Separate NetSPoC functionality into a perl module. This would allow
  to build some interesting query tools:
  - policy query: give a description of a data packet and answer if it
    is allowed to pass with the current policy.
  - Which rules are applicable to a network object?
  - What are the managed routers between A and B?

- Allow the network topology to have loops.

- Code generation for IOS routers without firewall feature set

- Currently netspoc dies when generating routing entries for unnumered
  interfaces. Workaround: don't use unnumered interfaces at managed
  routers.

- Restrict access to interfaces of managed routers. Currently, if a
  user is allowed to access a network behind a managed router, she gets
  access to the outgoing interface as well.

- Comments for ACL entries with 'any' as src or dst are sometimes
  wrong / misleading.
