strongswan.git
7 years agoImplement bus_t.listen() directly in controller_t (the only user).
Tobias Brunner [Wed, 21 Dec 2011 16:15:33 +0000 (17:15 +0100)]
Implement bus_t.listen() directly in controller_t (the only user).

This will hopefully allow us to later simplify bus_t.

7 years agoAdd plugin features support to stroke plugin
Martin Willi [Thu, 1 Mar 2012 16:07:08 +0000 (17:07 +0100)]
Add plugin features support to stroke plugin

7 years agoCertificate decoding soft-depends on public key decoding of specific types
Martin Willi [Wed, 29 Feb 2012 15:09:11 +0000 (16:09 +0100)]
Certificate decoding soft-depends on public key decoding of specific types

7 years agoPEM loading plugin features depend on the same feature, they are helpers only
Martin Willi [Wed, 29 Feb 2012 15:08:07 +0000 (16:08 +0100)]
PEM loading plugin features depend on the same feature, they are helpers only

7 years agoDon't depend on a feature that has a dependency to the same feauture during unload
Martin Willi [Wed, 29 Feb 2012 15:07:16 +0000 (16:07 +0100)]
Don't depend on a feature that has a dependency to the same feauture during unload

7 years agoMerge branch 'ikev1'
Martin Willi [Wed, 2 May 2012 09:12:31 +0000 (11:12 +0200)]
Merge branch 'ikev1'

Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c

7 years agoAdded a dedicated sender flush method, delay sender destruction until users gone
Martin Willi [Wed, 2 May 2012 07:03:23 +0000 (09:03 +0200)]
Added a dedicated sender flush method, delay sender destruction until users gone

7 years agoDocumented strongswan.conf options for radattr plugin.
Tobias Brunner [Tue, 1 May 2012 11:32:43 +0000 (13:32 +0200)]
Documented strongswan.conf options for radattr plugin.

7 years agoadd AUTH_RULE_SUBJECT_CERT for raw public keys 4.6.3
Andreas Steffen [Mon, 30 Apr 2012 11:40:48 +0000 (13:40 +0200)]
add AUTH_RULE_SUBJECT_CERT for raw public keys

7 years agoadded missing whitespace
Andreas Steffen [Mon, 30 Apr 2012 09:42:09 +0000 (11:42 +0200)]
added missing whitespace

7 years agoProperly initialize optional subject in PEM builder.
Tobias Brunner [Mon, 30 Apr 2012 08:48:57 +0000 (10:48 +0200)]
Properly initialize optional subject in PEM builder.

7 years agoTypo fixed.
Tobias Brunner [Mon, 30 Apr 2012 08:47:42 +0000 (10:47 +0200)]
Typo fixed.

7 years agoversion bump to 4.6.3
Andreas Steffen [Mon, 30 Apr 2012 07:48:21 +0000 (09:48 +0200)]
version bump to 4.6.3

7 years agooutput validity of raw public key if available
Andreas Steffen [Mon, 30 Apr 2012 07:47:34 +0000 (09:47 +0200)]
output validity of raw public key if available

7 years agoikev2/net2net-pubkey scenario does not need dnskey plugin
Andreas Steffen [Mon, 30 Apr 2012 05:02:08 +0000 (07:02 +0200)]
ikev2/net2net-pubkey scenario does not need dnskey plugin

7 years agoadded ikev2/net2net-pubkey scenario
Andreas Steffen [Sun, 29 Apr 2012 22:33:18 +0000 (00:33 +0200)]
added ikev2/net2net-pubkey scenario

7 years agoadded ikev2/net2net-rsa scenario
Andreas Steffen [Sun, 29 Apr 2012 22:32:58 +0000 (00:32 +0200)]
added ikev2/net2net-rsa scenario

7 years agoadded support for raw RSA public keys to stroke
Andreas Steffen [Sun, 29 Apr 2012 22:31:42 +0000 (00:31 +0200)]
added support for raw RSA public keys to stroke

7 years agoadded ikev2/rw-eap-md5-id-prompt scenario
Andreas Steffen [Sun, 29 Apr 2012 17:10:25 +0000 (19:10 +0200)]
added ikev2/rw-eap-md5-id-prompt scenario

7 years agoFixed Android null terminated password fixup in xauth-eap
Martin Willi [Thu, 26 Apr 2012 12:35:27 +0000 (14:35 +0200)]
Fixed Android null terminated password fixup in xauth-eap

7 years agoFixed null-pointer dereference in smp plugin.
Tobias Brunner [Thu, 26 Apr 2012 06:50:39 +0000 (08:50 +0200)]
Fixed null-pointer dereference in smp plugin.

7 years agoCERT_TRUSTED_PUBKEY stores notBefore, notAfter and subject information
Andreas Steffen [Wed, 25 Apr 2012 18:53:08 +0000 (20:53 +0200)]
CERT_TRUSTED_PUBKEY stores notBefore, notAfter and subject information

7 years agopluto: Fix for null-terminated XAuth secrets (as sent by Android 4).
Tobias Brunner [Tue, 24 Apr 2012 07:25:38 +0000 (09:25 +0200)]
pluto: Fix for null-terminated XAuth secrets (as sent by Android 4).

7 years agoactivated cmac plugin in UML test suites
Andreas Steffen [Sun, 22 Apr 2012 20:22:25 +0000 (22:22 +0200)]
activated cmac plugin in UML test suites

7 years agoisolate a TNC client if an error occurs
Andreas Steffen [Sun, 22 Apr 2012 18:24:59 +0000 (20:24 +0200)]
isolate a TNC client if an error occurs

7 years agoversion bump to 4.6.3rc2
Andreas Steffen [Sun, 22 Apr 2012 15:41:20 +0000 (17:41 +0200)]
version bump to 4.6.3rc2

7 years agoexit if TBOOT dummy measurements are not defined
Andreas Steffen [Sun, 22 Apr 2012 15:40:59 +0000 (17:40 +0200)]
exit if TBOOT dummy measurements are not defined

7 years agoOption added to set identifier for syslog(3) logging.
Tobias Brunner [Fri, 20 Apr 2012 07:21:03 +0000 (09:21 +0200)]
Option added to set identifier for syslog(3) logging.

This identifier is added to each log message by syslog.

7 years agoRemoved auth_cfg_t.replace_value() and replaced usages with add().
Tobias Brunner [Tue, 17 Apr 2012 15:44:10 +0000 (17:44 +0200)]
Removed auth_cfg_t.replace_value() and replaced usages with add().

replace_value() was used to replace identities. Since for these the latest is
now returned by get(), adding the new identity with add() is sufficient.

7 years agoChanged the order and semantics of rules we expect only once in auth_cfg_t.
Tobias Brunner [Tue, 17 Apr 2012 15:37:30 +0000 (17:37 +0200)]
Changed the order and semantics of rules we expect only once in auth_cfg_t.

These rules are now inserted at the front of the internal list, this
allows to retrieve the rule added last with get(). For other rules the
order in which they are added is maintained (this allows to properly
enumerate them).

7 years agoStore password with remote ID to tie it stronger to a specific connection.
Tobias Brunner [Tue, 17 Apr 2012 11:58:18 +0000 (13:58 +0200)]
Store password with remote ID to tie it stronger to a specific connection.

7 years agoAdded stroke user-creds command, to set username/password for a connection.
Tobias Brunner [Tue, 17 Apr 2012 09:18:37 +0000 (11:18 +0200)]
Added stroke user-creds command, to set username/password for a connection.

7 years agoAdded method to add additional shared secrets to stroke_cred_t.
Tobias Brunner [Tue, 17 Apr 2012 09:14:38 +0000 (11:14 +0200)]
Added method to add additional shared secrets to stroke_cred_t.

7 years agoAdditional prompt keyword added to stroke.
Tobias Brunner [Tue, 17 Apr 2012 09:13:44 +0000 (11:13 +0200)]
Additional prompt keyword added to stroke.

7 years agoTypo fixed.
Tobias Brunner [Tue, 17 Apr 2012 09:11:24 +0000 (11:11 +0200)]
Typo fixed.

7 years agoKeep COOKIEs enabled once threshold is hit, until we see no COOKIEs for a few secs
Martin Willi [Tue, 17 Apr 2012 07:36:39 +0000 (09:36 +0200)]
Keep COOKIEs enabled once threshold is hit, until we see no COOKIEs for a few secs

Toggling COOKIEs on/off is problematic: After doing a COOKIE exchange as
initiator, we can't know if the completing IKE_SA_INIT message is to our first
request or the one with the COOKIE. If the responder just enabled/disabled
COOKIEs and packets get retransmitted, both might be true. Avoiding COOKIE
behavior toggling improves the situation, but does not solve the problem during
the initial COOKIE activation.

7 years agoAdded a note about DH/keymat lifecycle for custom implementations
Martin Willi [Mon, 16 Apr 2012 14:57:18 +0000 (16:57 +0200)]
Added a note about DH/keymat lifecycle for custom implementations

7 years agoReuse existing DH value when retrying IKE_SA_INIT with a COOKIE
Martin Willi [Mon, 16 Apr 2012 14:55:14 +0000 (16:55 +0200)]
Reuse existing DH value when retrying IKE_SA_INIT with a COOKIE

7 years agoFix iteration through half-open IKE_SA table
Martin Willi [Mon, 16 Apr 2012 14:47:17 +0000 (16:47 +0200)]
Fix iteration through half-open IKE_SA table

7 years agoUse IP address as ID as responder if not configured or no IDr received.
Tobias Brunner [Mon, 16 Apr 2012 09:55:07 +0000 (11:55 +0200)]
Use IP address as ID as responder if not configured or no IDr received.

7 years agoFall back on IP address as IDi if none is configured at all.
Tobias Brunner [Mon, 16 Apr 2012 09:53:06 +0000 (11:53 +0200)]
Fall back on IP address as IDi if none is configured at all.

7 years agoUse auth_cfg_t.replace_value where appropriate.
Tobias Brunner [Fri, 13 Apr 2012 13:47:25 +0000 (15:47 +0200)]
Use auth_cfg_t.replace_value where appropriate.

7 years agoAdded a simple method to replace the value of a rule in auth_cfg_t.
Tobias Brunner [Fri, 13 Apr 2012 13:46:23 +0000 (15:46 +0200)]
Added a simple method to replace the value of a rule in auth_cfg_t.

7 years agoFixed IDi in case neither left nor leftid is configured.
Tobias Brunner [Wed, 4 Apr 2012 09:46:59 +0000 (11:46 +0200)]
Fixed IDi in case neither left nor leftid is configured.

7 years agofixed parsing of port ranges in Scanner IMV
Andreas Steffen [Sun, 15 Apr 2012 21:39:27 +0000 (23:39 +0200)]
fixed parsing of port ranges in Scanner IMV

7 years agoTypo fixed in NEWS.
Tobias Brunner [Sat, 14 Apr 2012 06:40:27 +0000 (08:40 +0200)]
Typo fixed in NEWS.

7 years agoDon't invoke child_updown hook twice as responder
Martin Willi [Wed, 11 Apr 2012 15:43:30 +0000 (17:43 +0200)]
Don't invoke child_updown hook twice as responder

7 years agoAccept zero-length certificate request payloads
Martin Willi [Tue, 3 Apr 2012 06:35:25 +0000 (08:35 +0200)]
Accept zero-length certificate request payloads

8 years agoProperly initialize src in ike_sa_t.is_any_path_valid().
Tobias Brunner [Fri, 6 Apr 2012 08:53:47 +0000 (10:53 +0200)]
Properly initialize src in ike_sa_t.is_any_path_valid().

8 years agochecksum need a libradius_init() symbol
Andreas Steffen [Thu, 5 Apr 2012 14:52:37 +0000 (16:52 +0200)]
checksum need a libradius_init() symbol

8 years agoversion bump to 4.6.3rc1
Andreas Steffen [Thu, 5 Apr 2012 07:11:47 +0000 (09:11 +0200)]
version bump to 4.6.3rc1

8 years agoremove leading zero in ASN.1 encoded serial numbers
Andreas Steffen [Thu, 5 Apr 2012 07:04:11 +0000 (09:04 +0200)]
remove leading zero in ASN.1 encoded serial numbers

8 years agoASN.1 two's complement encoding prevents overflow in CRL serial number
Andreas Steffen [Wed, 4 Apr 2012 09:29:00 +0000 (11:29 +0200)]
ASN.1 two's complement encoding prevents overflow in CRL serial number

8 years agoMake AES-CMAC actually usable for IKEv2.
Tobias Brunner [Wed, 4 Apr 2012 08:51:46 +0000 (10:51 +0200)]
Make AES-CMAC actually usable for IKEv2.

8 years agoAdded another bunch of commonly used IKEv1 NATT vendor IDs
Martin Willi [Wed, 4 Apr 2012 08:31:57 +0000 (10:31 +0200)]
Added another bunch of commonly used IKEv1 NATT vendor IDs

8 years agorepresent 0 as a single byte
Andreas Steffen [Tue, 3 Apr 2012 12:19:37 +0000 (14:19 +0200)]
represent 0 as a single byte

8 years agomoved chunk_skip_zero to chunk.h
Andreas Steffen [Tue, 3 Apr 2012 12:12:50 +0000 (14:12 +0200)]
moved chunk_skip_zero to chunk.h

8 years agoadded IKEv2 Generic Secure Password Authentication Method
Andreas Steffen [Tue, 3 Apr 2012 10:49:05 +0000 (12:49 +0200)]
added IKEv2 Generic Secure Password Authentication Method

8 years agoadded IKEv2 Generic Secure Password Authentication Method
Andreas Steffen [Tue, 3 Apr 2012 10:48:48 +0000 (12:48 +0200)]
added IKEv2 Generic Secure Password Authentication Method

8 years agoadded GSPM IKEv2 payload
Andreas Steffen [Tue, 3 Apr 2012 10:21:39 +0000 (12:21 +0200)]
added GSPM IKEv2 payload

8 years agofixed typo
Andreas Steffen [Tue, 3 Apr 2012 10:07:13 +0000 (12:07 +0200)]
fixed typo

8 years agoDoxygen fixes.
Tobias Brunner [Tue, 3 Apr 2012 08:56:47 +0000 (10:56 +0200)]
Doxygen fixes.

8 years agoAdded NEWS about cmac plugin.
Tobias Brunner [Tue, 3 Apr 2012 08:48:03 +0000 (10:48 +0200)]
Added NEWS about cmac plugin.

8 years agoAdded test vectors for AES-CMAC.
Tobias Brunner [Tue, 3 Apr 2012 08:45:09 +0000 (10:45 +0200)]
Added test vectors for AES-CMAC.

8 years agoImplemented AES-CMAC based PRF and signer.
Tobias Brunner [Tue, 3 Apr 2012 08:40:47 +0000 (10:40 +0200)]
Implemented AES-CMAC based PRF and signer.

The cmac plugin implements AES-CMAC as defined in RFC 4493 and the
signer and PRF based on it as defined in RFC 4494 and RFC 4615,
respectively.

8 years agoFixed GNU license header in hmac and xcbc plugins.
Tobias Brunner [Tue, 3 Apr 2012 08:33:59 +0000 (10:33 +0200)]
Fixed GNU license header in hmac and xcbc plugins.

8 years agoMore detailed NEWS about RADIUS extensions
Martin Willi [Mon, 2 Apr 2012 11:58:21 +0000 (13:58 +0200)]
More detailed NEWS about RADIUS extensions

8 years agoupdated supported EAP methods
Andreas Steffen [Fri, 30 Mar 2012 09:15:10 +0000 (11:15 +0200)]
updated supported EAP methods

8 years agoAdd support for dnQualifier in DNs.
Tobias Brunner [Thu, 29 Mar 2012 08:01:55 +0000 (10:01 +0200)]
Add support for dnQualifier in DNs.

8 years agoremove leading zeros in ASN.1 encoded serial numbers
Andreas Steffen [Tue, 27 Mar 2012 13:05:36 +0000 (15:05 +0200)]
remove leading zeros in ASN.1 encoded serial numbers

8 years agoAdded NEWS about resolvconf support.
Tobias Brunner [Tue, 27 Mar 2012 07:47:38 +0000 (09:47 +0200)]
Added NEWS about resolvconf support.

8 years agoMake resolvconf interface prefix configurable.
Tobias Brunner [Mon, 26 Mar 2012 13:09:21 +0000 (15:09 +0200)]
Make resolvconf interface prefix configurable.

8 years agoAdded support for the resolvconf framework in resolve plugin.
Tobias Brunner [Mon, 26 Mar 2012 13:00:14 +0000 (15:00 +0200)]
Added support for the resolvconf framework in resolve plugin.

If /sbin/resolvconf is found nameservers are not written directly to
/etc/resolv.conf but instead resolvconf is invoked.

8 years agoUse single DBG2 statements in kernel_netlink plugin (i.e. ignore mark.value).
Tobias Brunner [Tue, 27 Mar 2012 08:37:56 +0000 (10:37 +0200)]
Use single DBG2 statements in kernel_netlink plugin (i.e. ignore mark.value).

8 years agoDon't cast second argument of mem_printf_hook (%b) to size_t.
Tobias Brunner [Thu, 22 Mar 2012 15:13:15 +0000 (16:13 +0100)]
Don't cast second argument of mem_printf_hook (%b) to size_t.

Also treat the given number as unsigned int.

Due to the printf hook registration the second argument of
mem_printf_hook (if called via printf etc.) is always of type int*.
Casting this to a size_t pointer and then dereferencing that as int does
not work on big endian machines if int is smaller than size_t (e.g. on ppc64).

In order to make this change work if the argument is of a type larger
than int, size_t for instance, the second argument for %b has to be casted
to (u_)int.

8 years agosmp: Use proper signed type to get return value of read(2).
Tobias Brunner [Thu, 22 Mar 2012 15:11:39 +0000 (16:11 +0100)]
smp: Use proper signed type to get return value of read(2).

8 years agopluto: Use time_monotonic() instead of a custom implementation.
Tobias Brunner [Thu, 22 Mar 2012 13:10:59 +0000 (14:10 +0100)]
pluto: Use time_monotonic() instead of a custom implementation.

8 years agoDon't include individual glib headers in nm plugin.
Tobias Brunner [Mon, 26 Mar 2012 13:23:17 +0000 (15:23 +0200)]
Don't include individual glib headers in nm plugin.

Expections are glib/gi18n.h, glib/gi18n-lib.h, glib/gprintf.h and
glib/gstdio.h.

8 years agoFix null-terminated XAuth passwords, as sent by Android 4
Martin Willi [Thu, 22 Mar 2012 14:01:35 +0000 (15:01 +0100)]
Fix null-terminated XAuth passwords, as sent by Android 4

8 years agoStore authentication info of a XAUTH round on IKE_SA
Martin Willi [Wed, 21 Mar 2012 15:57:06 +0000 (16:57 +0100)]
Store authentication info of a XAUTH round on IKE_SA

8 years agoAdded a getter for CHILD_SA marks
Martin Willi [Wed, 21 Mar 2012 15:54:24 +0000 (16:54 +0100)]
Added a getter for CHILD_SA marks

8 years agoDefine a special XFRM mark_t.value that dynamically uses the CHILD_SA reqid
Martin Willi [Wed, 21 Mar 2012 14:41:45 +0000 (15:41 +0100)]
Define a special XFRM mark_t.value that dynamically uses the CHILD_SA reqid

8 years agofixed parsing of IF-MAP SOAP responses
Andreas Steffen [Wed, 21 Mar 2012 13:25:19 +0000 (14:25 +0100)]
fixed parsing of IF-MAP SOAP responses

8 years agoReply with received configuration payload identifier in Mode Config
Martin Willi [Tue, 20 Mar 2012 17:06:29 +0000 (18:06 +0100)]
Reply with received configuration payload identifier in Mode Config

8 years agoMerge branch 'ikev1-clean' into ikev1-master
Martin Willi [Tue, 20 Mar 2012 16:56:18 +0000 (17:56 +0100)]
Merge branch 'ikev1-clean' into ikev1-master

Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h

Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.

8 years agoProperly handle retransmitted initial IKE messages.
Tobias Brunner [Thu, 8 Mar 2012 14:23:20 +0000 (15:23 +0100)]
Properly handle retransmitted initial IKE messages.

This change allows to properly handle retransmits of initial IKE
messages when we've already processed them (i.e. our response is now resent
immediately).

8 years agoImplemented table of init hashes without linked_list_t.
Tobias Brunner [Thu, 1 Mar 2012 16:37:38 +0000 (17:37 +0100)]
Implemented table of init hashes without linked_list_t.

8 years agoImplemented table of connected peers without linked_list_t.
Tobias Brunner [Thu, 1 Mar 2012 16:24:44 +0000 (17:24 +0100)]
Implemented table of connected peers without linked_list_t.

8 years agoImplemented table of half open IKE_SAs without linked_list_t.
Tobias Brunner [Thu, 1 Mar 2012 15:34:45 +0000 (16:34 +0100)]
Implemented table of half open IKE_SAs without linked_list_t.

8 years agoDon't use linked_list_t for buckets in main IKE_SA hash table.
Tobias Brunner [Thu, 1 Mar 2012 11:51:34 +0000 (12:51 +0100)]
Don't use linked_list_t for buckets in main IKE_SA hash table.

8 years agoFixed deadlock if checkin_and_destroy is called during shutdown.
Tobias Brunner [Thu, 1 Mar 2012 11:52:17 +0000 (12:52 +0100)]
Fixed deadlock if checkin_and_destroy is called during shutdown.

8 years agoDo not clone hashes of initial IKE messages when storing them in the hash table.
Tobias Brunner [Thu, 1 Mar 2012 17:07:48 +0000 (18:07 +0100)]
Do not clone hashes of initial IKE messages when storing them in the hash table.

8 years agoStore IKEv2 IKE_SAs by local SPI in the IKE_SA manager hash table.
Tobias Brunner [Wed, 29 Feb 2012 17:17:50 +0000 (18:17 +0100)]
Store IKEv2 IKE_SAs by local SPI in the IKE_SA manager hash table.

For IKEv1 the previous behavior of always using the initiator's SPI as
key is maintained.

8 years agoAdded separate hashtable for hashes of initial IKE messages.
Tobias Brunner [Wed, 29 Feb 2012 17:15:42 +0000 (18:15 +0100)]
Added separate hashtable for hashes of initial IKE messages.

This does not require us to do a lookup for an SA by SPI first.

8 years agochunk_equals_ptr added to compare chunks given as pointers.
Tobias Brunner [Wed, 29 Feb 2012 17:06:49 +0000 (18:06 +0100)]
chunk_equals_ptr added to compare chunks given as pointers.

8 years agoStore the major IKE version on ike_sa_id_t.
Tobias Brunner [Wed, 29 Feb 2012 13:47:09 +0000 (14:47 +0100)]
Store the major IKE version on ike_sa_id_t.

8 years agoImplemented handling of UNITY_LOAD_BALANCE as reauthentication.
Tobias Brunner [Fri, 2 Mar 2012 18:17:13 +0000 (19:17 +0100)]
Implemented handling of UNITY_LOAD_BALANCE as reauthentication.

8 years agoCheck if we actually have a packet before retransmitting it
Martin Willi [Tue, 21 Feb 2012 09:23:20 +0000 (10:23 +0100)]
Check if we actually have a packet before retransmitting it

8 years agoUse a single set of FDs for all random plugin RNG instances
Martin Willi [Tue, 21 Feb 2012 09:22:48 +0000 (10:22 +0100)]
Use a single set of FDs for all random plugin RNG instances

8 years agoParse IKEv1 Cisco Load Balancing notify (can't act on it yet).
Tobias Brunner [Fri, 3 Feb 2012 11:58:11 +0000 (12:58 +0100)]
Parse IKEv1 Cisco Load Balancing notify (can't act on it yet).