site: dynamically create and destroy transform instances

[secnet.git] / README

diff --git a/README b/README
index 7e40edf2024f109df94f4e9134db21927af82017..71a5a44094aede754a76cd593f6827982f4629db 100644 (file)
--- a/README
+++ b/README
@@ -6,11 +6,6 @@ secnet is Copyright (C) 1995--2003 Stephen Early <steve@greenend.org.uk>
 It is distributed under the terms of the GNU General Public License,
 version 2 or later.  See the file COPYING for more information.
 
 It is distributed under the terms of the GNU General Public License,
 version 2 or later.  See the file COPYING for more information.
 

-The portable snprintf implementation in snprintf.c is Copyright (C)
-1999 Mark Martinec <mark.martinec@ijs.si> and is distributed under the
-terms of the Frontier Artistic License.  You can find the standard
-version of snprintf.c at http://www.ijs.si/software/snprintf/
-

 The IP address handling library in ipaddr.py is Copyright (C)
 1996--2000 Cendio Systems AB, and is distributed under the terms of
 the GPL.
 The IP address handling library in ipaddr.py is Copyright (C)
 1996--2000 Cendio Systems AB, and is distributed under the terms of
 the GPL.


@@ -270,7 +265,10 @@ site: dict argument
   local-name (string): this site's name for itself
   name (string): the name of the site's peer
   link (netlink closure)
   local-name (string): this site's name for itself
   name (string): the name of the site's peer
   link (netlink closure)

-  comm (comm closure)
+  comm (one or more comm closures): if there is more than one, the
+   first one will be used for any key setups initiated by us using the
+   configured address.  Others are only used if our peer talks to
+   them.

   resolver (resolver closure)
   random (randomsrc closure)
   local-key (rsaprivkey closure)
   resolver (resolver closure)
   random (randomsrc closure)
   local-key (rsaprivkey closure)


@@ -281,16 +279,18 @@ site: dict argument
   transform (transform closure): how to mangle packets sent between sites
   dh (dh closure)
   hash (hash closure)
   transform (transform closure): how to mangle packets sent between sites
   dh (dh closure)
   hash (hash closure)

-  key-lifetime (integer): max lifetime of a session key, in ms [one hour]
+  key-lifetime (integer): max lifetime of a session key, in ms
+    [one hour; mobile: 2 days]

   setup-retries (integer): max number of times to transmit a key negotiation
   setup-retries (integer): max number of times to transmit a key negotiation

-    packet [5]
+    packet [5; mobile: 30]

   setup-timeout (integer): time between retransmissions of key negotiation
   setup-timeout (integer): time between retransmissions of key negotiation

-    packets, in ms [2000]
+    packets, in ms [2000; mobile: 1000]

   wait-time (integer): after failed key setup, wait this long (in ms) before
   wait-time (integer): after failed key setup, wait this long (in ms) before

-    allowing another attempt [20000]
+    allowing another attempt [20000; mobile: 10000]

   renegotiate-time (integer): if we see traffic on the link after this time
     then renegotiate another session key immediately (in ms)
   renegotiate-time (integer): if we see traffic on the link after this time
     then renegotiate another session key immediately (in ms)

-    [half key-lifetime, or key-lifetime minus 5 mins, whichever is longer].
+    [half key-lifetime, or key-lifetime minus 5 mins (mobile: 12 hours),
+     whichever is longer].

   keepalive (bool): if True then attempt always to keep a valid session key.
     Not actually currently implemented. [false]
   log-events (string list): types of events to log for this site
   keepalive (bool): if True then attempt always to keep a valid session key.
     Not actually currently implemented. [false]
   log-events (string list): types of events to log for this site


@@ -327,9 +327,21 @@ site: dict argument
     for us have "mobile True" (and if we find a site configuration for
     ourselves in the config, we insist on this).  The effect is to
     check that there are no links both ends of which are allegedly
     for us have "mobile True" (and if we find a site configuration for
     ourselves in the config, we insist on this).  The effect is to
     check that there are no links both ends of which are allegedly

-    mobile (which is not supported, so those links are ignored). [false]
+    mobile (which is not supported, so those links are ignored) and
+    to change some of the tuning parameter defaults. [false]
+
+Links involving mobile peers have some different tuning parameter
+default values, which are generally more aggressive about retrying key
+setup but more relaxed about using old keys.  These are noted with
+"mobile:", above, and apply whether the mobile peer is local or
+remote.
+
+** transform-eax
+
+Defines:
+   eax-serpent (closure => transform closure)

 
 

-** transform
+** transform-cbcmac

 
 Defines:
   serpent256-cbc (closure => transform closure)
 
 Defines:
   serpent256-cbc (closure => transform closure)