X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=blobdiff_plain;f=README;h=71a5a44094aede754a76cd593f6827982f4629db;hp=7e40edf2024f109df94f4e9134db21927af82017;hb=fcad4b0b370b9fc232db98895fbfe22177436433;hpb=dba19f848cfefc8af7e6067ca8713c3236610753 diff --git a/README b/README index 7e40edf..71a5a44 100644 --- a/README +++ b/README @@ -6,11 +6,6 @@ secnet is Copyright (C) 1995--2003 Stephen Early It is distributed under the terms of the GNU General Public License, version 2 or later. See the file COPYING for more information. -The portable snprintf implementation in snprintf.c is Copyright (C) -1999 Mark Martinec and is distributed under the -terms of the Frontier Artistic License. You can find the standard -version of snprintf.c at http://www.ijs.si/software/snprintf/ - The IP address handling library in ipaddr.py is Copyright (C) 1996--2000 Cendio Systems AB, and is distributed under the terms of the GPL. @@ -270,7 +265,10 @@ site: dict argument local-name (string): this site's name for itself name (string): the name of the site's peer link (netlink closure) - comm (comm closure) + comm (one or more comm closures): if there is more than one, the + first one will be used for any key setups initiated by us using the + configured address. Others are only used if our peer talks to + them. resolver (resolver closure) random (randomsrc closure) local-key (rsaprivkey closure) @@ -281,16 +279,18 @@ site: dict argument transform (transform closure): how to mangle packets sent between sites dh (dh closure) hash (hash closure) - key-lifetime (integer): max lifetime of a session key, in ms [one hour] + key-lifetime (integer): max lifetime of a session key, in ms + [one hour; mobile: 2 days] setup-retries (integer): max number of times to transmit a key negotiation - packet [5] + packet [5; mobile: 30] setup-timeout (integer): time between retransmissions of key negotiation - packets, in ms [2000] + packets, in ms [2000; mobile: 1000] wait-time (integer): after failed key setup, wait this long (in ms) before - allowing another attempt [20000] + allowing another attempt [20000; mobile: 10000] renegotiate-time (integer): if we see traffic on the link after this time then renegotiate another session key immediately (in ms) - [half key-lifetime, or key-lifetime minus 5 mins, whichever is longer]. + [half key-lifetime, or key-lifetime minus 5 mins (mobile: 12 hours), + whichever is longer]. keepalive (bool): if True then attempt always to keep a valid session key. Not actually currently implemented. [false] log-events (string list): types of events to log for this site @@ -327,9 +327,21 @@ site: dict argument for us have "mobile True" (and if we find a site configuration for ourselves in the config, we insist on this). The effect is to check that there are no links both ends of which are allegedly - mobile (which is not supported, so those links are ignored). [false] + mobile (which is not supported, so those links are ignored) and + to change some of the tuning parameter defaults. [false] + +Links involving mobile peers have some different tuning parameter +default values, which are generally more aggressive about retrying key +setup but more relaxed about using old keys. These are noted with +"mobile:", above, and apply whether the mobile peer is local or +remote. + +** transform-eax + +Defines: + eax-serpent (closure => transform closure) -** transform +** transform-cbcmac Defines: serpent256-cbc (closure => transform closure)