Background
==========

- Priority scale: High, Medium and Low

- Complexity scale: C1, C2, C4 and C8.  The complexity scale is exponential,
  with complexity 1 being the lowest complexity.  Complexity is a function
  of both task 'complexity' and task 'scope'.

  The general rule of thumb is that a complexity 1 task should take 1-2 weeks
  for a person very familiar with the codebase.  Higher complexity tasks
  require more time and have higher uncertainty.

  Higher complexity tasks should be refined into several lower complexity tasks
  once the task is better understood.


mac80211_hwsim
==============

- Add support for HWSIM_CMD_SET_RADIO command

  To allow modifying an existing radio, add the HWSIM_CMD_SET_RADIO command.
  The first possible feature should be to emulate the hardware RFKILL switch.

  It might be required to add a HWSIM_ATTR_RADIO_HW_RFKILL attribute flag
  to the HWSIM_CMD_NEW_RADIO to enable virtual radios with a hardware
  level RFKILL switch.

  Priority: Medium
  Complexity: C1

- Allow configuration of MAC address or list of MAC addresses

  The radios auto-generate a fake MAC address.  It would be useful
  to allow specifying a MAC address to be used.  In certain cases it might
  also be useful to provide a list of MAC addresses so that, for example,
  these can be used with secondary interfaces.

  Priority: Low
  Complexity: C2

- Move mac80211_hwsim.h header file to UAPI includes

  The mac80211_hwsim.h header is the public API description of this netlink
  interface and thus it should be provided via UAPI includes.

  For this work the mac80211_hwsim.h header needs to be modified
  so that it also compiles from userspace.  At the moment it throws
  errors.  And it needs to become part of the UAPI headers of the
  Linux kernel.

  In addition it should provide HWSIM_GENL_NAME that provides the
  generic netlink "MAC80211_HWSIM" family string.

  Priority: Low
  Complexity: C1

- Provide kernel option to allow defining the number of initial radios

  The mac80211_hwsim module creates 2 radios by default unless this
  is overridden with the radios=x module parameter.

  To allow loading the mac80211_hwsim by default and even with accidental
  loading of the module, it would be good to provide a kernel configuration
  option that allows changing the default value here.

  For our testing we want to load mac80211_hwsim without any radios. Maybe
  this should be the default for the new kernel option.

  If the default of initial radios can be changed to zero, then it is also
  possible to add MODULE_ALIAS_GENL_FAMILY to support auto-loading of
  the mac80211_hwsim kernel module.

  Priority: Low
  Complexity: C1

- New configuration options for radios

  At the moment the radios created are all equal and feature rich.  However
  for testing we want to create radios with different emulated hardware
  capabilities.  Provide new attributes or flags that allow enabling or
  disabling certain mac80211 features.

  For example AP mode, P2P mode, number of interface combinations, TDLS
  support, number of Scan SSIDs, supported ciphers and so on.

  Priority: Low
  Complexity: C2


cfg80211 / nl80211
==================

- Disconnect from network / station when client crashes

  When associating or connecting to a network, it should be possible to
  bind this transaction to a specific netlink client, so that if this
  client terminates, any connection is terminated as well.

  This should affect NL80211_CMD_ASSOCIATE and NL80211_CMD_CONNECT.  It
  seems that this is not needed for NL80211_CMD_AUTHENTICATE since that
  command will eventually time out, but it might be a good idea to even
  support it there.

  Maybe a new attribute similar to NL80211_ATTR_IFACE_SOCKET_OWNER should
  be used for this behavior.

  Priority: High
  Complexity: C4


Wireless monitor
================

- Add support for PACKET_RECV_OUTPUT socket option of AF_PACKET

  Instead of having to switch every interface manually into promiscuous
  mode, it would be useful to set PACKET_RECV_OUTPUT to also receive
  the traffic that leaves the system.

  This would make tracing PAE / EAPoL traffic easy and provides better
  sniffing capabilities.

  Unfortunately, PACKET_RECV_OUTPUT logic is not implemented at all in
  the kernel. So, first implement it in the kernel, and then use it in
  nlmon.c as a set_sockopt option.

  Priority: Low
  Complexity: C8

- Subscribe to all nl80211 multicast groups at startup

  It seems the nlmon packets are limited to the multicast groups that are
  actually subscribed.  To get a complete picture of all the nl80211
  commands and events, it is required that iwmon adds membership to all
  multicast groups that the nl80211 family lists.

  This means that the netlink socket used for resolving nl80211 family
  name needs to be kept open and actively processed since it will also
  receive these multicast events.  However the event itself can be dropped
  since the one from nlmon with the proper kernel level timestamps should
  be taken into account.

  An alternative is to fix the netlink_deliver_tap() function in the
  kernel netlink layer to not be affected by the broadcast filtering.

  Priority: Medium
  Complexity: C1

- Add support for writing PCAP files

  The new -w <file> option should allow for writing PCAP files with the
  Linux SLL link type.

  When creating PCAP files using tcpdump, a lot of extra information from
  all netlink sockets is written.  This write support should only write
  the information related to nl80211.  However parts from the generic
  netlink control channel from resolving the nl80211 family name must
  be included as well.

  It might also be beneficial to include RTNL messages related to the
  wireless network interfaces.  Currently these are all filtered out.

  Priority: Medium
  Complexity: C2

- Print the 'group' of the decoded message

  Whenever an event / message is received, iwmon should print the genl
  group of the message (e.g. mlme, scan, config, regulatory).  This will
  make it easier to add handling of such events / commands inside iwd.

  Priority: Medium
  Complexity: C1


Wireless simulator
==================

- Add support for builtin wireless access point emulator

  When creating a pair of mac80211_hwsim radios, allow one to operate as
  an access point.  The hwsim utility will emulate the access point on the
  second interface for as long as it is running.  This means that from
  the first interface it is possible to scan and connect to this access
  point using standard wireless tools (including iwd and iwctl).

  Code for the AP mode can be shared with the iwd feature for access point
  operation once that has been implemented.

  Priority: Medium
  Complexity: C8


Wireless daemon
===============

- Add support for EAP based authentication and key generation

  Provide full EAP support for enterprise wireless.  However it should be
  possible to build the wireless daemon without EAP support.

  It is also intended that this EAP code can be utilized as a shared library
  and be beneficial for systemd-networkd for wired authentication.

  Priority: Medium
  Complexity: C8

- Add support for EAP retransmissions

  The EAP protocol supports the concept of retransmissions, since a packet
  might be lost or not properly processed by the peer.  If the peer sends us
  a duplicate request, then our current behavior is to simply drop it on the
  floor.

  The previously generated request will need to be cached somewhere, either by
  the method or by the overall EAP state machine.  Duplicate requests can then
  be served from the cache.

  Priority: High
  Complexity: C4
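
The duplicate handling described in the retransmissions item above, as an added C example that is not iwd code: the reply generated for the last Request is cached and keyed by the EAP Identifier, so a repeated Identifier is answered from the cache without running the method again.  The eap_retx structure, method_process() and eap_rx_request() are hypothetical names, and the packets are constructed.

```c
#include <stdint.h>
#include <string.h>
enum { EAP_REQUEST = 1, EAP_RESPONSE = 2, EAP_HDR_LEN = 5 };

/* Hypothetical per-session state, not iwd's own structure. */
struct eap_retx {
	int valid;                /* a Response has been cached */
	uint8_t last_id;          /* Identifier of the answered Request */
	uint8_t resp[1500];       /* Response generated for last_id */
	size_t resp_len;
	unsigned int method_runs; /* times the method processed a Request */
};

/* Stand-in for an EAP method: empty Response of the same Type. */
static size_t method_process(struct eap_retx *s, const uint8_t *req)
{
	const uint8_t resp[] = { EAP_RESPONSE, req[1], 0, EAP_HDR_LEN, req[4] };
	s->method_runs++;
	memcpy(s->resp, resp, sizeof(resp));
	return sizeof(resp);
}

/* Returns the Response to (re)transmit, or NULL if the packet is dropped. */
const uint8_t *eap_rx_request(struct eap_retx *s, const uint8_t *req,
				size_t len, size_t *resp_len)
{
	size_t pkt_len;
	if (len < EAP_HDR_LEN || req[0] != EAP_REQUEST)
		return NULL;
	pkt_len = ((size_t) req[2] << 8) | req[3];
	if (pkt_len < EAP_HDR_LEN || pkt_len > len)
		return NULL;      /* Length field disagrees with the frame */
	if (!s->valid || req[1] != s->last_id) {  /* new Identifier */
		s->resp_len = method_process(s, req);
		s->last_id = req[1];
		s->valid = 1;
	}
	*resp_len = s->resp_len;  /* duplicates are served from the cache */
	return s->resp;
}

int main(void)
{
	const uint8_t req[] = { EAP_REQUEST, 7, 0, 5, 1 }; /* constructed */
	struct eap_retx s = { 0 };
	size_t n;
	eap_rx_request(&s, req, sizeof(req), &n);
	eap_rx_request(&s, req, sizeof(req), &n);          /* duplicate */
	return s.method_runs == 1 ? 0 : 1;
}
```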

- Let EAP methods configure timeouts

  Different EAP methods might have different recommendations for various
  timeouts.  E.g. retransmit timeout, overall timeout, etc.  The EAP framework
  should be updated to enable EAP methods to configure these timeouts
  accordingly.  A sane default should also be provided.

  Priority: High
  Complexity: C2

- EAPoL should take EAP timeouts into consideration

  The EAPoL state machine currently uses its own (very short) timeout for the
  4-Way handshake / session key generation.  This timeout does not take into
  account the fact that EAP authentication might need to be performed first.

  Priority: High
  Complexity: C1

- Add unit test data with 2nd RSNE in Authenticator 3/4 message

  The specification allows the AP to send a second RSN element in its 4-way
  handshake message 3/4.  Find some test data for this case and create a unit
  test case.

  Priority: Low
  Complexity: C1

- Handle "Use group cipher suite" option for pairwise ciphers

  If the AP specifies "Use group cipher suite" as its only pairwise suite, then
  handle this appropriately inside EAPoL handshaking code.  The install_gtk
  callback might need to be modified to handle this case.

  Priority: Low
  Complexity: C1

- Handle "Group addressed traffic not allowed" option for group ciphers

  If the AP specifies "Group addressed traffic not allowed" as its group cipher
  suite, then make sure that install_gtk callback is not used.

  Priority: Low
  Complexity: C1

- Add support for PMK Caching from 802.11-2007.  This is sometimes referred to
  as "fast, secure roam back".  Essentially the client caches PMKIDs generated
  when connecting to various APs.  If the client roams back to an AP that has
  already been connected to, and the PMK is cached by both, then the 802.1X
  exchange can be skipped.

  Priority: Low
  Complexity: C4

- Add support for Pre-authentication from 802.11-2007.  This allows the client
  to pre-authenticate to a target AP.  The 802.1X exchange is done through the
  currently connected AP, but with the target AP as the 'authenticator'.  The
  process creates a new PMK which is cached by both the target AP and the
  client.  The client can then roam onto the target AP using a process similar
  to PMK caching outlined above.

  Priority: Low
  Complexity: C4

- Add support for Opportunistic Key Caching (OKC).  This is not defined by
  any 802.11 standards, but is made available by major vendors such as Cisco
  and Microsoft.

  Priority: Low
  Complexity: C4

- Add support for Direct Link Setup from 802.11e.

  Priority: Low
  Complexity: C8

- Add support for Automatic Power Save Delivery (APSD).  This includes
  scheduled (s-APSD) and unscheduled (u-APSD).  This will require rudimentary
  support of WMM protocol.  This feature was introduced in 802.11e.

  Priority: Low
  Complexity: C4

- Add support for Radio Resource Management from 802.11k.  If supported by the
  AP, this allows the client to optimize its scanning strategy by obtaining
  the channels of nearby APs that are part of the same ESS as the currently
  connected AP.  This requires the client to enable the 'RM Enabled
  Capabilities' element (section 8.4.2.47) appropriately, and send
  appropriately formatted Action frames to request relevant reports from the
  AP.  The reports from the AP will be received via Management frames and
  contain multiple Neighbor Report elements (8.4.2.39).  Also examine how the
  AP Channel Report element (8.4.2.38) is used.

  Priority: Medium
  Complexity: C4

- Add support for Fast BSS Transition (FT) from 802.11r.  FT supports a couple
  of modes: 'FT over DS' and 'FT over air'.  In FT over DS, action frames can
  be used to perform a 4-way handshake to the target AP while still connected
  to the current AP.  FT over air folds 4-way handshake messages into
  authenticate/authenticate response and reassociate/reassociate response
  messages.

  In theory, it is possible to use FT with PSK networks.

  Priority: Medium
  Complexity: C8

- Add support for 802.11u.  This is required for Passpoint 2.0 support.

  Priority: Low
  Complexity: C8

- Add support for Wireless Network Management (WNM) from 802.11v.  Parts of
  this are needed for Passpoint support.

  Priority: Low
  Complexity: C8

- Add support for Protected Management Frames (PMF) from 802.11w.  This allows
  the management frames to be encrypted and thus secured.  In particular, this
  is extremely important for 802.11r (FT) and 802.11k (RRM) support.

  Priority: High
  Complexity: C4

- Add support for Tunneled Direct Link Setup (TDLS) from 802.11z.

  Priority: Medium
  Complexity: C8


Client
======

- Implement dbus-based command-line client for iwd using ell supporting at least
  the following: Scanning, Connect, Disconnect and agent functionality

  Priority: High
  Complexity: C2