X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=README;h=c27375ab7bf563702272c62870e4d51222518331;hb=1b8af2f7f86131a5364f2270865895ea597c591e;hp=424f756ecf682d114c4e9fed8051cccaae2c3166;hpb=5dfe538bae53c5dc90151043c7da782bd54cb44c;p=secnet.git diff --git a/README b/README index 424f756..c27375a 100644 --- a/README +++ b/README @@ -18,7 +18,7 @@ secnet is Copyright 1995-2003 Peter Benie Copyright 2011 Richard Kettlewell Copyright 2012 Matthew Vernon - Copyright 2013 Mark Wooding + Copyright 2013-2019 Mark Wooding Copyright 1995-2013 Simon Tatham secnet is distributed under the terms of the GNU General Public @@ -236,14 +236,18 @@ polypath: dict argument buffer (buffer closure): buffer for incoming packets authbind (string): optional, path to authbind-helper program max-interfaces (number): optional, max number of different interfaces to - use (also, maximum steady-state amount of packet multiplication) + use (also, maximum steady-state amount of packet multiplication); + interfaces marked with `@' do not count. interfaces (string list): which interfaces to process; each entry is - optionally `!' or `+' followed by a glob pattern (which is applied to a - prospective interface using fnmatch with no flags). If no list is - specified, or the list ends with a `!' entry, a default list is - used/appended: "!tun*","!tap*","!sl*","!userv*","!lo","*". Patterns - which do not start with `*' or an alphanumeric need to be preceded - by `!' or `+'. + optionally `!' or `+' or `@' followed by a glob pattern (which is + applied to a prospective interface using fnmatch with no flags). + `+' or nothing means to process normally. `!' means to ignore; + `@' means to use only in conjunction with dedicated-interface-addr. + If no list is specified, or the list ends with a `!' entry, a + default list is used/appended: + "!tun*","!tap*","!sl*","!userv*","!lo","@hippo*","*". + Patterns which do not start with `*' or an alphanumeric need to be + preceded by `!' or `+' or `@'. monitor-command (string list): Program to use to monitor appearance and disappearance of addresses on local network interfaces. Should produce lines of the form `+|- 4|6 ' where is @@ -272,6 +276,14 @@ parameter set to `true'. When the local site site is not marked mobile the address selection machinery might fixate on an unsuitable address. +polypath takes site-specific informtion as passed to the `comm-info' +site closure parameter. The entries understood in the dictionary +are: + dedicated-interface-addr (string): IPv4 or IPv6 address + literal. Interfaces specified with `@' in `interfaces' will be + used for the corresponding site iff the interface local address + is this address. + For an interface to work with polypath, it must either have a suitable default route, or be a point-to-point interface. In the general case this might mean that the host would have to have multiple default @@ -303,7 +315,8 @@ Defines: syslog (closure => log closure) logfile: dict argument - filename (string): where to log to + filename (string): where to log to; default is stderr + prefix (string): added to messages [""] class (string list): what type of messages to log { "debug-config", M_DEBUG_CONFIG }, { "debug-phase", M_DEBUG_PHASE }, @@ -383,8 +396,9 @@ site: dict argument packet [5; mobile: 30] setup-timeout (integer): time between retransmissions of key negotiation packets, in ms [2000; mobile: 1000] - wait-time (integer): after failed key setup, wait this long (in ms) before - allowing another attempt [20000; mobile: 10000] + wait-time (integer): after failed key setup, wait roughly this long + (in ms) before allowing another attempt [20000; mobile: 10000] + Actual wait time is randomly chosen between ~0.5x and ~1.5x this. renegotiate-time (integer): if we see traffic on the link after this time then renegotiate another session key immediately (in ms) [half key-lifetime, or key-lifetime minus 5 mins (mobile: 12 hours), @@ -446,7 +460,7 @@ site: dict argument to 0, the default is to use the local private link mtu. comm-info (dict): Information for the comm, used when this site wants to transmit. If the comm does not support this, it is - ignored. (Currently nothing uses this.) + ignored. Links involving mobile peers have some different tuning parameter default values, which are generally more aggressive about retrying key @@ -532,6 +546,22 @@ tun: dict argument I recommend you don't specify the 'interface' option unless you're doing something that requires the interface name to be constant. +** privcache + +Cache of dynamically loaded private keys. + +Defines: + priv-cache (closure => privcache closure) + +priv-cache: dict argument + privkeys (string): path prefix for private keys. Each key is + looked for at this path prefix followed by the 10-character + hex key id. + privcache-size (integer): optional, maximum number of private + keys to retain at once. [5] + privkey-max (integer): optional, maximum size of private key + file in bytes. [4095] + ** rsa Defines: