From df1b18fc6f4d422268eff0ed1d8f04ae0b11b82f Mon Sep 17 00:00:00 2001 From: Stephen Early Date: Sun, 23 Sep 2001 18:30:00 +0100 Subject: [PATCH] Import release 0.05 --- INSTALL | 66 ++++++++++++++++++++--- Makefile.in | 2 +- README | 55 +++++++++++++++++++ example-sites-file | 44 +++++++++++++++ example.conf | 130 +++++++++++++++++++++++++++++++++++++++++++++ foo.pid | 1 - linux/if_tun.h | 40 +++++++------- testconfig | 5 +- 8 files changed, 309 insertions(+), 34 deletions(-) create mode 100644 README create mode 100644 example-sites-file create mode 100644 example.conf delete mode 100644 foo.pid diff --git a/INSTALL b/INSTALL index 42584ae..bfb9afd 100644 --- a/INSTALL +++ b/INSTALL @@ -1,5 +1,13 @@ INSTALLATION INSTRUCTIONS for SECNET +USE AT YOUR OWN RISK. THIS IS ALPHA QUALITY SOFTWARE. I DO NOT +GUARANTEE THAT THERE WILL BE PROTOCOL COMPATIBILITY BETWEEN DIFFERENT +VERSIONS. + +* Preparation + +** System software support + Ensure that you have libgmp2-dev and adns installed (and bison and flex, and for that matter gcc...). @@ -14,10 +22,45 @@ kernel (it's under "network device support" in Linux) and that you've created the appropriate device files; see linux/Documentation/networking/tuntap.txt -If you're using TUN/TAP on a platform other than Linux, see +If you're using TUN/TAP on a platform other than Linux-2.4, see http://vtun.sourceforge.net/tun/ -Then, to install secnet do +Note than TUN comes in two flavours, one (called 'tun' in the secnet +config file) which has only one device file (usually /dev/net/tun) and +the other (called 'tun-old') which has many device files +(/dev/tun*). Linux-2.4 has new-style TUN, Linux-2.2, BSD and Solaris +have old-style TUN. Currently only new-style TUN has been tested with +secnet. + +** System and network configuration + +If you intend to start secnet as root, I suggest you create an userid +for it to run as once it's ready to drop its privileges. Example (on +Debian): +# adduser --system --no-create-home secnet + +You will need to allocate two IP addresses for use by secnet. One will +be for the tunnel interface on your tunnel endpoint machine (i.e. the +address you see in 'ifconfig' when you look at the tunnel +interface). The other will be for secnet itself. These addresses could +possibly be allocated from the range used by your internal network: if +you do this, you should think about providing appropriate proxy-ARP on +the machine running secnet for the two addresses. Alternatively the +addresses could be from some other range - this works well if the +machine running secnet is the default route out of your network. + +http://www.ucam.org/cam-grin/ may be useful. + +Advanced users: secnet's IP address does not _have_ to be in the range +of networks claimed by your end of the tunnel; it could be in the +range of networks claimed by the other end. Doing this is confusing, +but works (in the case where you can't get the administrator of the +other end to allocate an IP address for his copy of secnet [hint hint +Ian]). + +* Installation + +To install secnet do $ ./configure $ make @@ -30,14 +73,19 @@ $ make (When upgrading, just install the new /usr/local/sbin/secnet; keep your current configuration file.) -If you intend to start secnet as root, I suggest you create an userid -for it to run as once it's ready to drop its privileges. Example: -# adduser --system --no-create-home secnet +Generate a site file fragment for your site (see below), and submit it +for inclusion in the vpn-sites file. Download the vpn-sites file to +/etc/secnet/sites - MAKE SURE YOU GET AN AUTHENTIC COPY because the +sites file contains public keys for all the sites in the VPN. -Generate a site file fragment for your site, and submit it for -inclusion in the vpn-sites file. Download the vpn-sites file. +* Configuration -* Constructing a site file fragment +Should be reasonably obvious - edit /etc/secnet/secnet.conf as +prompted by the comments. XXX Fuller documentation of the +configuration file format should be forthcoming in time. Its syntax is +described in the README file at the moment. + +* Constructing your site file fragment You need the following information: @@ -83,3 +131,5 @@ shortname { networks "172.18.45.0/24"; key rsa-public("35","153279875126380522437827076871354104097683702803616313419670959273217685015951590424876274370401136371563604396779864283483623325238228723798087715987495590765759771552692972297669972616769731553560605291312242789575053620182470998166393580503400960149506261455420521811814445675652857085993458063584337404329"); }; + +See 'example-sites-file' for more examples. diff --git a/Makefile.in b/Makefile.in index 8ec05ce..1094ef4 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,7 +1,7 @@ .DUMMY: all clean realclean dist install PACKAGE:=secnet -VERSION:=0.04 +VERSION:=0.05 @SET_MAKE@ diff --git a/README b/README new file mode 100644 index 0000000..b6e8e55 --- /dev/null +++ b/README @@ -0,0 +1,55 @@ +XXX under construction. For now, here are the comments that used to be +at the top of the example configuration file: + +# This file defines a dictionary full of configuration information for +# secnet. Two keys must be defined in this file for secnet to +# start. One is "system", a dictionary containing systemwide control +# parameters. The other is "sites", a list of all the sites that you +# intend to communicate with. + +# Other files can be included inline by writing "include filename" at +# the start of a line. + +# The configuration file has a fairly simple syntax: +# key definition; or key = definition; (the "=" is optional) +# ...sets 'key' in the current dictionary to 'definition'. +# +# "key" is [[:alpha:]_][[:alnum:]\-_]* +# +# definition may be one of the following: +# a string, in quotes +# a number, in decimal +# a dictionary, in { } +# a path to a key that already exists, to reference that definition +# a "closure", followed by arguments +# +# paths are key1/key2/key3... (starting from wherever we find key1, i.e. in +# the current dictionary or any of its parents) +# alternatively /key1/key2/key3... (to start from the root) +# +# closures are followed by an argument list in ( ), and may return +# whatever type they like (including other closures) +# +# closure { definitions } is short for closure({definitions}). +# +# Whenever secnet looks for a key it checks the (lexical) parent dictionaries +# as well until it finds it or reaches the root. This is useful for setting +# defaults for large collections of dictionaries (eg. defining sites). +# +# It is also permissible to list other dictionaries before a dictionary +# definition, eg. {definitions}. These will be +# searched in order for keys, before the lexical parent. (Not yet implemented) +# +# secnet predefines some keys in the root dictionary; some useful ones are: +# yes, true, True, TRUE: the boolean value True +# no, false, False, FALSE: the boolean value False +# makelist: turns a dictionary (arg1) into a list (return value) +# readfile: reads a file (arg1) and returns it as a string +# +# secnet modules also predefine keys, eg. "adns", "randomfile", etc. +# See the module documentation for more information. + +# After the configuration file is read, secnet looks for particular keys +# in configuration space to tell it what to do: +# system: system-wide parameters (control, logging, etc.) +# sites: a list of sites with which to communicate diff --git a/example-sites-file b/example-sites-file new file mode 100644 index 0000000..1249dd1 --- /dev/null +++ b/example-sites-file @@ -0,0 +1,44 @@ +# This is an example /etc/secnet/sites file. It doesn't define any real +# sites. The diffie-hellman modulus and generator are real and will work, +# but if you're setting up your own VPN I suggest you choose your own. + +example-vpn { + +dh diffie-hellman("8db5f2c15ac96d9f3382d1ef4688fba14dc7908ae7dfd71a9cfe7f479a75d506dc53f159aeaf488bde073fe544bc91c099f101fcf60074f30c06e36263c03ca9e07931ce3fc235fe1171dc6d9316fb097bd4362891e2c36e234e7c16b038fd97b1f165c710e90537de66ee4f54001f5712b050d4e07de3fba07607b19b64f6c3","2"); +hash md5; + +key-lifetime 3600000; # One hour = 3600000 milliseconds + +some-site { + # The 'name' here must match the 'local-name' defined in the + # site's /etc/secnet/secnet.conf, because it's used in the + # key-setup protocol. + # The name of this dictionary doesn't have to - it's local + # to the configuration system. + name "some-site"; + address "foo.greenend.org.uk"; + port 5678; + networks "192.168.x.x/24", "192.168.x.x/24"; + key rsa-public("35","131453873229748492184986747327990913828179255774895541667982108408897406369168730551214152673574619385573519088922707364993860644376262000057302119569116289693520981276177337391324943049983046703853106890057346878967444626093102422836819979338760420960495059950787838142162794317002315919126174831103379472833"); + }; + +some-other-site { + name "some-other-site"; + address "bar.greenend.org.uk"; + port 18436; + networks "192.168.x.x/24", "192.168.x.x/24"; + key rsa-public("35","154107175724781677184264293617887954015562225725852111745852699493257053099810379926047345975839848434403852210573185384327420788855664167034282567346429150999373740871227795773749618022407366186555483566435251279808390618987056868368084933125373643004284007109877210578088697520329039753099981203724057693543"); + }; + +a-third-site { + name "different-for-a-change"; + address "baz.greenend.org.uk"; + port 3234; + networks "foo"; + key-lifetime 1800000; # Can be set per-site as well, you see... + setup-retries 10; # So can this + setup-timeout 2000; # And this. (And 'wait-time' too.) + key rsa-public("e","n"); + }; + +}; diff --git a/example.conf b/example.conf new file mode 100644 index 0000000..cfaa847 --- /dev/null +++ b/example.conf @@ -0,0 +1,130 @@ +# secnet example configuration file + +# Log facility +log logfile("secnet","local2"); # Not yet implemented, goes to stderr + +# Systemwide configuration (all other configuration is per-site): +# log a log facility for program messages +# userid who we try to run as after setup +# pidfile +system { + userid "secnet"; + pidfile "/var/run/secnet.pid"; +}; + +# Parameters for each remote site (arguments to the site() closure): +# things we configure locally +# buffer buffer for constructing/sending/receiving packets +# netlink user/kernel netlink device for this tunnel +# comm UDP communication +# resolver resolver to use for name lookups +# log a log destination for this connection +# log-events string list: which events we log +# random a source of randomness + +# our local configuration visible to the outside world +# local-name string: how we identify ourselves to them +# local-key our own private RSA key +# local-port port number we listen on + +# their configuration visible to us +# name string: how they identify themselves +# address string: use with resolver to find their IP address +# networks string list: their networks for us +# key the remote site's RSA public key +# port port we send to to contact remote site + +# things both ends must agree on +# transform routine for bulk encryption +# dh Diffie-Hellman parameters +# hash secure hash function + +# things both ends ought to agree on, but don't have to +# key-lifetime max session key lifetime, in milliseconds +# setup-retries max retransmits of a key setup packet +# setup-timeout wait between retransmits of key setup packets, in ms +# wait-time wait between unsuccessful key setup attempts, in ms + +# Use the universal TUN/TAP driver to get packets to and from the kernel +netlink tun { + name "netlink-tun"; # Printed in log messages from this netlink +# interface "tun0"; # You may set your own interface name if you wish; + # if you don't one will be chosen for you. + + # local networks served by this netlink device + # incoming tunneled packets for other networks will be discarded + networks "192.168.x.x/24", "192.168.x.x/24", "172.x.x.x/24"; + local-address "192.168.x.x"; # IP address of host's tunnel interface + secnet-address "192.168.x.x"; # IP address of this secnet + + # MTU of the tunnel interface. Should be kept under the path-MTU + # (by at least 60 bytes) between this secnet and its peers for + # optimum performance. + mtu 1400; + + # This buffer is used to pass incoming packets onto the 'site' + # module. It should be at least as big as the MTU plus 60 bytes. + # Buffers can sometimes be shared between netlink devices - see + # full documentation for more details. (XXX TODO) + buffer sysbuffer(2048); +}; + +# Alternatively (or additionally, if you like) use userv-ipif to get +# packets to and from the kernel. +#netlink userv-ipif { +# name "netlink-userv-ipif"; +# # userv-path "/usr/bin/userv"; +# # service-user "root"; +# # service-name "ipif"; +# networks "whatever"; +# local-address "whatever"; +# secnet-address "whatever"; +# mtu 1400; +# buffer sysbuffer(2048); +#}; + +# This defines the port that this instance of secnet will listen on, and +# originate packets on. It does not _have_ to correspond to the advertised +# port for your site: you may be doing network address translation, for +# example. You need to arrange that any UDP packets sent to the advertised +# host and port for your site end up on this machine at the port you +# specify here. +comm udp { + port xxxx; + buffer sysbuffer(4096); +}; + +# The resolver is used to look up IP addresses from the DNS names provided +# in the sites file. You may specify an alternative resolv.conf for +# ADNS here if you wish. +resolver adns { +# config=readfile("/etc/secnet/adns.conf"); +}; + +# log is defined earlier - we share it with the system +log-events "init","up","down"; # XXX not yet used + +# A source of random bits for nonces and session keys. The 'no' specifies +# that it's non-blocking. XXX 'yes' isn't implemented yet. +random randomfile("/dev/urandom",no); + +local-name "your-site-name"; +local-key rsa-private("/etc/secnet/key"); + +# On dodgy links you may want to specify a higher maximum sequence number skew +transform serpent256-cbc { + max-sequence-skew 10; +}; + +include /etc/secnet/sites + +# Here you must list all the VPN sites that you wish to communicate with. +# The /etc/secnet/sites file contains information on all reachable sites; +# if the site you want to communicate with isn't listed, you should get +# a newer version. MAKE SURE YOU GET AN AUTHENTIC COPY OF THE FILE - it +# contains public keys for all sites. + +sites + site(example-vpn/some-site), + site(example-vpn/some-other-site), + site(example-vpn/a-third-site); diff --git a/foo.pid b/foo.pid deleted file mode 100644 index cf16ce1..0000000 --- a/foo.pid +++ /dev/null @@ -1 +0,0 @@ -12157 diff --git a/linux/if_tun.h b/linux/if_tun.h index fd610f3..0cfd692 100644 --- a/linux/if_tun.h +++ b/linux/if_tun.h @@ -12,7 +12,7 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * $Id: if_tun.h,v 1.5 2000/10/24 05:13:08 maxk Exp $ + * $Id: if_tun.h,v 1.2 2001/06/01 18:39:47 davem Exp $ */ #ifndef __IF_TUN_H @@ -32,15 +32,18 @@ #endif struct tun_struct { - char name[8]; + char *name; unsigned long flags; + int attached; + uid_t owner; - struct fasync_struct *fasync; wait_queue_head_t read_wait; + struct sk_buff_head readq; struct net_device dev; - struct sk_buff_head txq; - struct net_device_stats stats; + struct net_device_stats stats; + + struct fasync_struct *fasync; #ifdef TUN_DEBUG int debug; @@ -53,14 +56,8 @@ struct tun_struct { #endif /* __KERNEL__ */ -/* Number of devices */ -#define TUN_MAX_DEV 255 - -/* TX queue size */ -#define TUN_TXQ_SIZE 10 - -/* Max frame size */ -#define TUN_MAX_FRAME 4096 +/* Read queue size */ +#define TUN_READQ_SIZE 10 /* TUN device flags */ #define TUN_TUN_DEV 0x0001 @@ -70,22 +67,25 @@ struct tun_struct { #define TUN_FASYNC 0x0010 #define TUN_NOCHECKSUM 0x0020 #define TUN_NO_PI 0x0040 - -#define TUN_IFF_SET 0x1000 +#define TUN_ONE_QUEUE 0x0080 +#define TUN_PERSIST 0x0100 /* Ioctl defines */ -#define TUNSETNOCSUM (('T'<< 8) | 200) -#define TUNSETDEBUG (('T'<< 8) | 201) -#define TUNSETIFF (('T'<< 8) | 202) +#define TUNSETNOCSUM _IOW('T', 200, int) +#define TUNSETDEBUG _IOW('T', 201, int) +#define TUNSETIFF _IOW('T', 202, int) +#define TUNSETPERSIST _IOW('T', 203, int) +#define TUNSETOWNER _IOW('T', 204, int) /* TUNSETIFF ifr flags */ #define IFF_TUN 0x0001 #define IFF_TAP 0x0002 #define IFF_NO_PI 0x1000 +#define IFF_ONE_QUEUE 0x2000 struct tun_pi { - unsigned short flags; - unsigned short proto; + unsigned short flags; + unsigned short proto; }; #define TUN_PKT_STRIP 0x0001 diff --git a/testconfig b/testconfig index 35b3776..9a84119 100644 --- a/testconfig +++ b/testconfig @@ -101,10 +101,7 @@ system { netlink tun { name "fred"; # Printed in log messages from this netlink - interface "fred"; - # userv-path "/usr/bin/userv"; - # service-user "root"; - # service-name "ipif"; +# interface "fred"; # local networks served by this netlink device # incoming tunneled packets for other networks will be discarded -- 2.30.2