INSTALLATION INSTRUCTIONS for SECNET
+USE AT YOUR OWN RISK. THIS IS ALPHA QUALITY SOFTWARE. I DO NOT
+GUARANTEE THAT THERE WILL BE PROTOCOL COMPATIBILITY BETWEEN DIFFERENT
+VERSIONS.
+
+* Preparation
+
+** System software support
+
Ensure that you have libgmp2-dev and adns installed (and bison and
flex, and for that matter gcc...).
created the appropriate device files; see
linux/Documentation/networking/tuntap.txt
-If you're using TUN/TAP on a platform other than Linux, see
+If you're using TUN/TAP on a platform other than Linux-2.4, see
http://vtun.sourceforge.net/tun/
-Then, to install secnet do
+Note than TUN comes in two flavours, one (called 'tun' in the secnet
+config file) which has only one device file (usually /dev/net/tun) and
+the other (called 'tun-old') which has many device files
+(/dev/tun*). Linux-2.4 has new-style TUN, Linux-2.2, BSD and Solaris
+have old-style TUN. Currently only new-style TUN has been tested with
+secnet.
+
+** System and network configuration
+
+If you intend to start secnet as root, I suggest you create an userid
+for it to run as once it's ready to drop its privileges. Example (on
+Debian):
+# adduser --system --no-create-home secnet
+
+You will need to allocate two IP addresses for use by secnet. One will
+be for the tunnel interface on your tunnel endpoint machine (i.e. the
+address you see in 'ifconfig' when you look at the tunnel
+interface). The other will be for secnet itself. These addresses could
+possibly be allocated from the range used by your internal network: if
+you do this, you should think about providing appropriate proxy-ARP on
+the machine running secnet for the two addresses. Alternatively the
+addresses could be from some other range - this works well if the
+machine running secnet is the default route out of your network.
+
+http://www.ucam.org/cam-grin/ may be useful.
+
+Advanced users: secnet's IP address does not _have_ to be in the range
+of networks claimed by your end of the tunnel; it could be in the
+range of networks claimed by the other end. Doing this is confusing,
+but works (in the case where you can't get the administrator of the
+other end to allocate an IP address for his copy of secnet [hint hint
+Ian]).
+
+* Installation
+
+To install secnet do
$ ./configure
$ make
(When upgrading, just install the new /usr/local/sbin/secnet; keep
your current configuration file.)
-If you intend to start secnet as root, I suggest you create an userid
-for it to run as once it's ready to drop its privileges. Example:
-# adduser --system --no-create-home secnet
+Generate a site file fragment for your site (see below), and submit it
+for inclusion in the vpn-sites file. Download the vpn-sites file to
+/etc/secnet/sites - MAKE SURE YOU GET AN AUTHENTIC COPY because the
+sites file contains public keys for all the sites in the VPN.
-Generate a site file fragment for your site, and submit it for
-inclusion in the vpn-sites file. Download the vpn-sites file.
+* Configuration
-* Constructing a site file fragment
+Should be reasonably obvious - edit /etc/secnet/secnet.conf as
+prompted by the comments. XXX Fuller documentation of the
+configuration file format should be forthcoming in time. Its syntax is
+described in the README file at the moment.
+
+* Constructing your site file fragment
You need the following information:
networks "172.18.45.0/24";
key rsa-public("35","153279875126380522437827076871354104097683702803616313419670959273217685015951590424876274370401136371563604396779864283483623325238228723798087715987495590765759771552692972297669972616769731553560605291312242789575053620182470998166393580503400960149506261455420521811814445675652857085993458063584337404329");
};
+
+See 'example-sites-file' for more examples.
.DUMMY: all clean realclean dist install
PACKAGE:=secnet
-VERSION:=0.04
+VERSION:=0.05
@SET_MAKE@
--- /dev/null
+XXX under construction. For now, here are the comments that used to be
+at the top of the example configuration file:
+
+# This file defines a dictionary full of configuration information for
+# secnet. Two keys must be defined in this file for secnet to
+# start. One is "system", a dictionary containing systemwide control
+# parameters. The other is "sites", a list of all the sites that you
+# intend to communicate with.
+
+# Other files can be included inline by writing "include filename" at
+# the start of a line.
+
+# The configuration file has a fairly simple syntax:
+# key definition; or key = definition; (the "=" is optional)
+# ...sets 'key' in the current dictionary to 'definition'.
+#
+# "key" is [[:alpha:]_][[:alnum:]\-_]*
+#
+# definition may be one of the following:
+# a string, in quotes
+# a number, in decimal
+# a dictionary, in { }
+# a path to a key that already exists, to reference that definition
+# a "closure", followed by arguments
+#
+# paths are key1/key2/key3... (starting from wherever we find key1, i.e. in
+# the current dictionary or any of its parents)
+# alternatively /key1/key2/key3... (to start from the root)
+#
+# closures are followed by an argument list in ( ), and may return
+# whatever type they like (including other closures)
+#
+# closure { definitions } is short for closure({definitions}).
+#
+# Whenever secnet looks for a key it checks the (lexical) parent dictionaries
+# as well until it finds it or reaches the root. This is useful for setting
+# defaults for large collections of dictionaries (eg. defining sites).
+#
+# It is also permissible to list other dictionaries before a dictionary
+# definition, eg. <defaults,otherdefaults>{definitions}. These will be
+# searched in order for keys, before the lexical parent. (Not yet implemented)
+#
+# secnet predefines some keys in the root dictionary; some useful ones are:
+# yes, true, True, TRUE: the boolean value True
+# no, false, False, FALSE: the boolean value False
+# makelist: turns a dictionary (arg1) into a list (return value)
+# readfile: reads a file (arg1) and returns it as a string
+#
+# secnet modules also predefine keys, eg. "adns", "randomfile", etc.
+# See the module documentation for more information.
+
+# After the configuration file is read, secnet looks for particular keys
+# in configuration space to tell it what to do:
+# system: system-wide parameters (control, logging, etc.)
+# sites: a list of sites with which to communicate
--- /dev/null
+# This is an example /etc/secnet/sites file. It doesn't define any real
+# sites. The diffie-hellman modulus and generator are real and will work,
+# but if you're setting up your own VPN I suggest you choose your own.
+
+example-vpn {
+
+dh diffie-hellman("8db5f2c15ac96d9f3382d1ef4688fba14dc7908ae7dfd71a9cfe7f479a75d506dc53f159aeaf488bde073fe544bc91c099f101fcf60074f30c06e36263c03ca9e07931ce3fc235fe1171dc6d9316fb097bd4362891e2c36e234e7c16b038fd97b1f165c710e90537de66ee4f54001f5712b050d4e07de3fba07607b19b64f6c3","2");
+hash md5;
+
+key-lifetime 3600000; # One hour = 3600000 milliseconds
+
+some-site {
+ # The 'name' here must match the 'local-name' defined in the
+ # site's /etc/secnet/secnet.conf, because it's used in the
+ # key-setup protocol.
+ # The name of this dictionary doesn't have to - it's local
+ # to the configuration system.
+ name "some-site";
+ address "foo.greenend.org.uk";
+ port 5678;
+ networks "192.168.x.x/24", "192.168.x.x/24";
+ key rsa-public("35","131453873229748492184986747327990913828179255774895541667982108408897406369168730551214152673574619385573519088922707364993860644376262000057302119569116289693520981276177337391324943049983046703853106890057346878967444626093102422836819979338760420960495059950787838142162794317002315919126174831103379472833");
+ };
+
+some-other-site {
+ name "some-other-site";
+ address "bar.greenend.org.uk";
+ port 18436;
+ networks "192.168.x.x/24", "192.168.x.x/24";
+ key rsa-public("35","154107175724781677184264293617887954015562225725852111745852699493257053099810379926047345975839848434403852210573185384327420788855664167034282567346429150999373740871227795773749618022407366186555483566435251279808390618987056868368084933125373643004284007109877210578088697520329039753099981203724057693543");
+ };
+
+a-third-site {
+ name "different-for-a-change";
+ address "baz.greenend.org.uk";
+ port 3234;
+ networks "foo";
+ key-lifetime 1800000; # Can be set per-site as well, you see...
+ setup-retries 10; # So can this
+ setup-timeout 2000; # And this. (And 'wait-time' too.)
+ key rsa-public("e","n");
+ };
+
+};
--- /dev/null
+# secnet example configuration file
+
+# Log facility
+log logfile("secnet","local2"); # Not yet implemented, goes to stderr
+
+# Systemwide configuration (all other configuration is per-site):
+# log a log facility for program messages
+# userid who we try to run as after setup
+# pidfile
+system {
+ userid "secnet";
+ pidfile "/var/run/secnet.pid";
+};
+
+# Parameters for each remote site (arguments to the site() closure):
+# things we configure locally
+# buffer buffer for constructing/sending/receiving packets
+# netlink user/kernel netlink device for this tunnel
+# comm UDP communication
+# resolver resolver to use for name lookups
+# log a log destination for this connection
+# log-events string list: which events we log
+# random a source of randomness
+
+# our local configuration visible to the outside world
+# local-name string: how we identify ourselves to them
+# local-key our own private RSA key
+# local-port port number we listen on
+
+# their configuration visible to us
+# name string: how they identify themselves
+# address string: use with resolver to find their IP address
+# networks string list: their networks for us
+# key the remote site's RSA public key
+# port port we send to to contact remote site
+
+# things both ends must agree on
+# transform routine for bulk encryption
+# dh Diffie-Hellman parameters
+# hash secure hash function
+
+# things both ends ought to agree on, but don't have to
+# key-lifetime max session key lifetime, in milliseconds
+# setup-retries max retransmits of a key setup packet
+# setup-timeout wait between retransmits of key setup packets, in ms
+# wait-time wait between unsuccessful key setup attempts, in ms
+
+# Use the universal TUN/TAP driver to get packets to and from the kernel
+netlink tun {
+ name "netlink-tun"; # Printed in log messages from this netlink
+# interface "tun0"; # You may set your own interface name if you wish;
+ # if you don't one will be chosen for you.
+
+ # local networks served by this netlink device
+ # incoming tunneled packets for other networks will be discarded
+ networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24";
+ local-address "192.168.x.x"; # IP address of host's tunnel interface
+ secnet-address "192.168.x.x"; # IP address of this secnet
+
+ # MTU of the tunnel interface. Should be kept under the path-MTU
+ # (by at least 60 bytes) between this secnet and its peers for
+ # optimum performance.
+ mtu 1400;
+
+ # This buffer is used to pass incoming packets onto the 'site'
+ # module. It should be at least as big as the MTU plus 60 bytes.
+ # Buffers can sometimes be shared between netlink devices - see
+ # full documentation for more details. (XXX TODO)
+ buffer sysbuffer(2048);
+};
+
+# Alternatively (or additionally, if you like) use userv-ipif to get
+# packets to and from the kernel.
+#netlink userv-ipif {
+# name "netlink-userv-ipif";
+# # userv-path "/usr/bin/userv";
+# # service-user "root";
+# # service-name "ipif";
+# networks "whatever";
+# local-address "whatever";
+# secnet-address "whatever";
+# mtu 1400;
+# buffer sysbuffer(2048);
+#};
+
+# This defines the port that this instance of secnet will listen on, and
+# originate packets on. It does not _have_ to correspond to the advertised
+# port for your site: you may be doing network address translation, for
+# example. You need to arrange that any UDP packets sent to the advertised
+# host and port for your site end up on this machine at the port you
+# specify here.
+comm udp {
+ port xxxx;
+ buffer sysbuffer(4096);
+};
+
+# The resolver is used to look up IP addresses from the DNS names provided
+# in the sites file. You may specify an alternative resolv.conf for
+# ADNS here if you wish.
+resolver adns {
+# config=readfile("/etc/secnet/adns.conf");
+};
+
+# log is defined earlier - we share it with the system
+log-events "init","up","down"; # XXX not yet used
+
+# A source of random bits for nonces and session keys. The 'no' specifies
+# that it's non-blocking. XXX 'yes' isn't implemented yet.
+random randomfile("/dev/urandom",no);
+
+local-name "your-site-name";
+local-key rsa-private("/etc/secnet/key");
+
+# On dodgy links you may want to specify a higher maximum sequence number skew
+transform serpent256-cbc {
+ max-sequence-skew 10;
+};
+
+include /etc/secnet/sites
+
+# Here you must list all the VPN sites that you wish to communicate with.
+# The /etc/secnet/sites file contains information on all reachable sites;
+# if the site you want to communicate with isn't listed, you should get
+# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it
+# contains public keys for all sites.
+
+sites
+ site(example-vpn/some-site),
+ site(example-vpn/some-other-site),
+ site(example-vpn/a-third-site);
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * $Id: if_tun.h,v 1.5 2000/10/24 05:13:08 maxk Exp $
+ * $Id: if_tun.h,v 1.2 2001/06/01 18:39:47 davem Exp $
*/
#ifndef __IF_TUN_H
#endif
struct tun_struct {
- char name[8];
+ char *name;
unsigned long flags;
+ int attached;
+ uid_t owner;
- struct fasync_struct *fasync;
wait_queue_head_t read_wait;
+ struct sk_buff_head readq;
struct net_device dev;
- struct sk_buff_head txq;
- struct net_device_stats stats;
+ struct net_device_stats stats;
+
+ struct fasync_struct *fasync;
#ifdef TUN_DEBUG
int debug;
#endif /* __KERNEL__ */
-/* Number of devices */
-#define TUN_MAX_DEV 255
-
-/* TX queue size */
-#define TUN_TXQ_SIZE 10
-
-/* Max frame size */
-#define TUN_MAX_FRAME 4096
+/* Read queue size */
+#define TUN_READQ_SIZE 10
/* TUN device flags */
#define TUN_TUN_DEV 0x0001
#define TUN_FASYNC 0x0010
#define TUN_NOCHECKSUM 0x0020
#define TUN_NO_PI 0x0040
-
-#define TUN_IFF_SET 0x1000
+#define TUN_ONE_QUEUE 0x0080
+#define TUN_PERSIST 0x0100
/* Ioctl defines */
-#define TUNSETNOCSUM (('T'<< 8) | 200)
-#define TUNSETDEBUG (('T'<< 8) | 201)
-#define TUNSETIFF (('T'<< 8) | 202)
+#define TUNSETNOCSUM _IOW('T', 200, int)
+#define TUNSETDEBUG _IOW('T', 201, int)
+#define TUNSETIFF _IOW('T', 202, int)
+#define TUNSETPERSIST _IOW('T', 203, int)
+#define TUNSETOWNER _IOW('T', 204, int)
/* TUNSETIFF ifr flags */
#define IFF_TUN 0x0001
#define IFF_TAP 0x0002
#define IFF_NO_PI 0x1000
+#define IFF_ONE_QUEUE 0x2000
struct tun_pi {
- unsigned short flags;
- unsigned short proto;
+ unsigned short flags;
+ unsigned short proto;
};
#define TUN_PKT_STRIP 0x0001
netlink tun {
name "fred"; # Printed in log messages from this netlink
- interface "fred";
- # userv-path "/usr/bin/userv";
- # service-user "root";
- # service-name "ipif";
+# interface "fred";
# local networks served by this netlink device
# incoming tunneled packets for other networks will be discarded