Copyright 1995-2003 Peter Benie
Copyright 2011 Richard Kettlewell
Copyright 2012 Matthew Vernon
- Copyright 2013 Mark Wooding
+ Copyright 2013-2019 Mark Wooding
Copyright 1995-2013 Simon Tatham
secnet is distributed under the terms of the GNU General Public
--help display this help and exit
--version output version information and exit
+* base91s
+
+secnet defines a variant of the base91 encoding `basE91', from
+ http://base91.sourceforge.net/
+
+base91s is the same as baseE91 except that:
+ - in the encoded charset, `"' is replaced with `-'
+ - spaces, newlines etc. and other characters outside the charset
+ are not permitted (although in some places they may be ignored,
+ this is not guaranteed).
+
* secnet builtin modules
** resolver
buffer (buffer closure): buffer for incoming packets
authbind (string): optional, path to authbind-helper program
max-interfaces (number): optional, max number of different interfaces to
- use (also, maximum steady-state amount of packet multiplication)
+ use (also, maximum steady-state amount of packet multiplication);
+ interfaces marked with `@' do not count.
interfaces (string list): which interfaces to process; each entry is
- optionally `!' or `+' followed by a glob pattern (which is applied to a
- prospective interface using fnmatch with no flags). If no list is
- specified, or the list ends with a `!' entry, a default list is
- used/appended: "!tun*","!tap*","!sl*","!userv*","!lo","*". Patterns
- which do not start with `*' or an alphanumeric need to be preceded
- by `!' or `+'.
+ optionally `!' or `+' or `@' followed by a glob pattern (which is
+ applied to a prospective interface using fnmatch with no flags).
+ `+' or nothing means to process normally. `!' means to ignore;
+ `@' means to use only in conjunction with dedicated-interface-addr.
+ If no list is specified, or the list ends with a `!' entry, a
+ default list is used/appended:
+ "!tun*","!tap*","!sl*","!userv*","!lo","@hippo*","*".
+ Patterns which do not start with `*' or an alphanumeric need to be
+ preceded by `!' or `+' or `@'.
monitor-command (string list): Program to use to monitor appearance
and disappearance of addresses on local network interfaces. Should
produce lines of the form `+|-<ifname> 4|6 <addr>' where <addr> is
mobile the address selection machinery might fixate on an unsuitable
address.
+polypath takes site-specific informtion as passed to the `comm-info'
+site closure parameter. The entries understood in the dictionary
+are:
+ dedicated-interface-addr (string): IPv4 or IPv6 address
+ literal. Interfaces specified with `@' in `interfaces' will be
+ used for the corresponding site iff the interface local address
+ is this address.
+
For an interface to work with polypath, it must either have a suitable
default route, or be a point-to-point interface. In the general case
this might mean that the host would have to have multiple default
syslog (closure => log closure)
logfile: dict argument
- filename (string): where to log to
+ filename (string): where to log to; default is stderr
+ prefix (string): added to messages [""]
class (string list): what type of messages to log
{ "debug-config", M_DEBUG_CONFIG },
{ "debug-phase", M_DEBUG_PHASE },
them.
resolver (resolver closure)
random (randomsrc closure)
- local-key (rsaprivkey closure)
+ key-cache (privcache closure)
+ local-key (sigprivkey closure): Deprecated; use key-cache instead.
address (string list): optional, DNS name(s) used to find our peer;
address literals are supported too if enclosed in `[' `]'.
port (integer): mandatory if 'address' is specified: the port used
to contact our peer
- key (rsapubkey closure): our peer's public key
+ peer-keys (string): path (prefix) for peer public key set file(s);
+ see README.make-secnet-sites re `pub' etc. and NOTES.peer-keys.
+ key (sigpubkey closure): our peer's public key (obsolete)
transform (transform closure): how to mangle packets sent between sites
dh (dh closure)
- hash (hash closure)
+ hash (hash closure): used for keys whose algorithm (or public
+ or private key file) does not imply the hash function
key-lifetime (integer): max lifetime of a session key, in ms
[one hour; mobile: 2 days]
setup-retries (integer): max number of times to transmit a key negotiation
packet [5; mobile: 30]
setup-timeout (integer): time between retransmissions of key negotiation
packets, in ms [2000; mobile: 1000]
- wait-time (integer): after failed key setup, wait this long (in ms) before
- allowing another attempt [20000; mobile: 10000]
+ wait-time (integer): after failed key setup, wait roughly this long
+ (in ms) before allowing another attempt [20000; mobile: 10000]
+ Actual wait time is randomly chosen between ~0.5x and ~1.5x this.
renegotiate-time (integer): if we see traffic on the link after this time
then renegotiate another session key immediately (in ms)
[half key-lifetime, or key-lifetime minus 5 mins (mobile: 12 hours),
should be reflected in the local private interface MTU, ie the mtu
parameter to netlink). If this parameter is not set, or is set
to 0, the default is to use the local private link mtu.
+ comm-info (dict): Information for the comm, used when this site
+ wants to transmit. If the comm does not support this, it is
+ ignored.
Links involving mobile peers have some different tuning parameter
default values, which are generally more aggressive about retrying key
I recommend you don't specify the 'interface' option unless you're
doing something that requires the interface name to be constant.
+** privcache
+
+Cache of dynamically loaded private keys.
+
+Defines:
+ priv-cache (closure => privcache closure)
+
+priv-cache: dict argument
+ privkeys (string): path prefix for private keys. Each key is
+ looked for at this path prefix followed by the 10-character
+ hex key id.
+ privcache-size (integer): optional, maximum number of private
+ keys to retain at once. [5]
+ privkey-max (integer): optional, maximum size of private key
+ file in bytes. [4095]
+
** rsa
Defines:
- rsa-private (closure => rsaprivkey closure)
- rsa-public (closure => rsapubkey closure)
+ sigscheme algorithm 00 "rsa1"
+ rsa-private (closure => sigprivkey closure)
+ rsa-public (closure => sigpubkey closure)
+
+rsa1 sigscheme algorithm:
+ private key: SSH private key file, version 1, no password
+ public key: SSH public key file, version 1
+ (length, restrictions, email, etc., ignored)
rsa-private: string[,bool]
arg1: filename of SSH private key file (version 1, no password)
~ianmdlvl / secnet.git / blobdiff