X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=secnet.git;a=blobdiff_plain;f=README;h=84bb3921b2bca567b929aafe0fc9c579e27fdaf0;hp=3736b89bbf5dfe1b8f81574d098e456709058e4e;hb=b4a26b17a38c3dd1cc6e086a17649b94b0ab8e37;hpb=446353cd8ce62c2feecafb91e7a6cbe97aaa8914 diff --git a/README b/README index 3736b89..84bb392 100644 --- a/README +++ b/README @@ -6,11 +6,6 @@ secnet is Copyright (C) 1995--2003 Stephen Early It is distributed under the terms of the GNU General Public License, version 2 or later. See the file COPYING for more information. -The portable snprintf implementation in snprintf.c is Copyright (C) -1999 Mark Martinec and is distributed under the -terms of the Frontier Artistic License. You can find the standard -version of snprintf.c at http://www.ijs.si/software/snprintf/ - The IP address handling library in ipaddr.py is Copyright (C) 1996--2000 Cendio Systems AB, and is distributed under the terms of the GPL. @@ -270,7 +265,10 @@ site: dict argument local-name (string): this site's name for itself name (string): the name of the site's peer link (netlink closure) - comm (comm closure) + comm (one or more comm closures): if there is more than one, the + first one will be used for any key setups initiated by us using the + configured address. Others are only used if our peer talks to + them. resolver (resolver closure) random (randomsrc closure) local-key (rsaprivkey closure) @@ -281,16 +279,18 @@ site: dict argument transform (transform closure): how to mangle packets sent between sites dh (dh closure) hash (hash closure) - key-lifetime (integer): max lifetime of a session key, in ms [one hour] + key-lifetime (integer): max lifetime of a session key, in ms + [one hour; mobile: 2 days] setup-retries (integer): max number of times to transmit a key negotiation - packet [5] + packet [5; mobile: 30] setup-timeout (integer): time between retransmissions of key negotiation - packets, in ms [2000] + packets, in ms [2000; mobile: 1000] wait-time (integer): after failed key setup, wait this long (in ms) before - allowing another attempt [20000] + allowing another attempt [20000; mobile: 10000] renegotiate-time (integer): if we see traffic on the link after this time then renegotiate another session key immediately (in ms) - [half key-lifetime, or key-lifetime minus 5 mins, whichever is longer]. + [half key-lifetime, or key-lifetime minus 5 mins (mobile: 12 hours), + whichever is longer]. keepalive (bool): if True then attempt always to keep a valid session key. Not actually currently implemented. [false] log-events (string list): types of events to log for this site @@ -322,6 +322,19 @@ site: dict argument mobile-peer-expiry (integer): For "mobile" peers only, the length of time (in seconds) for which we will keep sending to multiple address/ports from which we have not seen incoming traffic. [120] + local-mobile (bool): if True then other peers have been told we are + "mobile". This should be True iff the peers' site configurations + for us have "mobile True" (and if we find a site configuration for + ourselves in the config, we insist on this). The effect is to + check that there are no links both ends of which are allegedly + mobile (which is not supported, so those links are ignored) and + to change some of the tuning parameter defaults. [false] + +Links involving mobile peers have some different tuning parameter +default values, which are generally more aggressive about retrying key +setup but more relaxed about using old keys. These are noted with +"mobile:", above, and apply whether the mobile peer is local or +remote. ** transform