X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=README;h=200da3742ba9ef91d7b4c81273c22184e02883ca;hb=4d9d6e20e19c1aaa0d138e70897d136b36d673c0;hp=424f756ecf682d114c4e9fed8051cccaae2c3166;hpb=5dfe538bae53c5dc90151043c7da782bd54cb44c;p=secnet.git diff --git a/README b/README index 424f756..200da37 100644 --- a/README +++ b/README @@ -18,7 +18,7 @@ secnet is Copyright 1995-2003 Peter Benie Copyright 2011 Richard Kettlewell Copyright 2012 Matthew Vernon - Copyright 2013 Mark Wooding + Copyright 2013-2019 Mark Wooding Copyright 1995-2013 Simon Tatham secnet is distributed under the terms of the GNU General Public @@ -193,6 +193,17 @@ Usage: secnet [OPTION]... --help display this help and exit --version output version information and exit +* base91s + +secnet defines a variant of the base91 encoding `basE91', from + http://base91.sourceforge.net/ + +base91s is the same as baseE91 except that: + - in the encoded charset, `"' is replaced with `-' + - spaces, newlines etc. and other characters outside the charset + are not permitted (although in some places they may be ignored, + this is not guaranteed). + * secnet builtin modules ** resolver @@ -236,14 +247,18 @@ polypath: dict argument buffer (buffer closure): buffer for incoming packets authbind (string): optional, path to authbind-helper program max-interfaces (number): optional, max number of different interfaces to - use (also, maximum steady-state amount of packet multiplication) + use (also, maximum steady-state amount of packet multiplication); + interfaces marked with `@' do not count. interfaces (string list): which interfaces to process; each entry is - optionally `!' or `+' followed by a glob pattern (which is applied to a - prospective interface using fnmatch with no flags). If no list is - specified, or the list ends with a `!' entry, a default list is - used/appended: "!tun*","!tap*","!sl*","!userv*","!lo","*". Patterns - which do not start with `*' or an alphanumeric need to be preceded - by `!' or `+'. + optionally `!' or `+' or `@' followed by a glob pattern (which is + applied to a prospective interface using fnmatch with no flags). + `+' or nothing means to process normally. `!' means to ignore; + `@' means to use only in conjunction with dedicated-interface-addr. + If no list is specified, or the list ends with a `!' entry, a + default list is used/appended: + "!tun*","!tap*","!sl*","!userv*","!lo","@hippo*","*". + Patterns which do not start with `*' or an alphanumeric need to be + preceded by `!' or `+' or `@'. monitor-command (string list): Program to use to monitor appearance and disappearance of addresses on local network interfaces. Should produce lines of the form `+|- 4|6 ' where is @@ -272,6 +287,14 @@ parameter set to `true'. When the local site site is not marked mobile the address selection machinery might fixate on an unsuitable address. +polypath takes site-specific informtion as passed to the `comm-info' +site closure parameter. The entries understood in the dictionary +are: + dedicated-interface-addr (string): IPv4 or IPv6 address + literal. Interfaces specified with `@' in `interfaces' will be + used for the corresponding site iff the interface local address + is this address. + For an interface to work with polypath, it must either have a suitable default route, or be a point-to-point interface. In the general case this might mean that the host would have to have multiple default @@ -303,7 +326,8 @@ Defines: syslog (closure => log closure) logfile: dict argument - filename (string): where to log to + filename (string): where to log to; default is stderr + prefix (string): added to messages [""] class (string list): what type of messages to log { "debug-config", M_DEBUG_CONFIG }, { "debug-phase", M_DEBUG_PHASE }, @@ -368,23 +392,26 @@ site: dict argument them. resolver (resolver closure) random (randomsrc closure) - local-key (rsaprivkey closure) + key-cache (privcache closure) + local-key (sigprivkey closure): Deprecated; use key-cache instead. address (string list): optional, DNS name(s) used to find our peer; address literals are supported too if enclosed in `[' `]'. port (integer): mandatory if 'address' is specified: the port used to contact our peer - key (rsapubkey closure): our peer's public key + peer-keys (string): path (prefix) for peer public key set file(s); + see README.make-secnet-sites re `pub' etc. and NOTES.peer-keys. + key (sigpubkey closure): our peer's public key (obsolete) transform (transform closure): how to mangle packets sent between sites dh (dh closure) - hash (hash closure) key-lifetime (integer): max lifetime of a session key, in ms [one hour; mobile: 2 days] setup-retries (integer): max number of times to transmit a key negotiation packet [5; mobile: 30] setup-timeout (integer): time between retransmissions of key negotiation packets, in ms [2000; mobile: 1000] - wait-time (integer): after failed key setup, wait this long (in ms) before - allowing another attempt [20000; mobile: 10000] + wait-time (integer): after failed key setup, wait roughly this long + (in ms) before allowing another attempt [20000; mobile: 10000] + Actual wait time is randomly chosen between ~0.5x and ~1.5x this. renegotiate-time (integer): if we see traffic on the link after this time then renegotiate another session key immediately (in ms) [half key-lifetime, or key-lifetime minus 5 mins (mobile: 12 hours), @@ -446,7 +473,7 @@ site: dict argument to 0, the default is to use the local private link mtu. comm-info (dict): Information for the comm, used when this site wants to transmit. If the comm does not support this, it is - ignored. (Currently nothing uses this.) + ignored. Links involving mobile peers have some different tuning parameter default values, which are generally more aggressive about retrying key @@ -532,11 +559,42 @@ tun: dict argument I recommend you don't specify the 'interface' option unless you're doing something that requires the interface name to be constant. +** privcache + +Cache of dynamically loaded private keys. + +Defines: + priv-cache (closure => privcache closure) + +priv-cache: dict argument + privkeys (string): path prefix for private keys. Each key is + looked for at this path prefix followed by the 10-character + hex key id. + privcache-size (integer): optional, maximum number of private + keys to retain at once. [5] + privkey-max (integer): optional, maximum size of private key + file in bytes. [4095] + +** pubkeys + +Defines: + make-public (closure => sigpubkey closure) + +make-public: ( + arg1: sigscheme name + arg2: base91s encoded public key data, according to algorithm + ** rsa Defines: - rsa-private (closure => rsaprivkey closure) - rsa-public (closure => rsapubkey closure) + sigscheme algorithm 00 "rsa1" + rsa-private (closure => sigprivkey closure) + rsa-public (closure => sigpubkey closure) + +rsa1 sigscheme algorithm: + private key: SSH private key file, version 1, no password + public key: SSH public key file, version 1 + (length, restrictions, email, etc., ignored) rsa-private: string[,bool] arg1: filename of SSH private key file (version 1, no password) @@ -546,6 +604,11 @@ rsa-public: string,string arg1: encryption key (decimal) arg2: modulus (decimal) +The sigscheme is hardcoded to use sha1. Both rsa-private and +rsa-public look for the following config key in their context: + hash (hash closure): hash function [sha1] + + ** dh Defines: