[tripe] / doc / tripe.8

.\" -*-nroff-*-
.\".
.de hP
.IP
\h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c
..
.de VS
.sp 1
.RS
.nf
.ft B
..
.de VE
.ft R
.fi
.RE
.sp 1
..
.ie t \{\
.  ds o \(bu
.  ds ss \s8\u
.  ds se \d\s0
.  if \n(.g \{\
.    fam P
.  \}
.\}
.el \{\
.  ds o o
.  ds ss ^
.  ds se
.\}
.TH tripe 8 "10 February 2001" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
.SH "NAME"
tripe \- a simple VPN daemon
.SH "SYNOPSIS"
.B tripe
.RB [ \-D ]
.RB [ \-d
.IR dir ]
.RB [ \-p
.IR port ]
.RB [ \-U
.IR user ]
.RB [ \-G
.IR group ]
.br
	
.RB [ \-k
.IR priv-keyring ]
.RB [ \-K
.IR pub-keyring ]
.RB [ \-t
.IR key-tag ]
.br
	
.RB [ \-a
.IR socket ]
.RB [ \-T
.IR trace-opts ]
.SH "DESCRIPTION"
The
.B tripe
program is a server which can provide strong IP-level encryption and
authentication between co-operating hosts.  The program and its protocol
are deliberately very simple, to make analysing them easy and to help
build trust rapidly in the system.
.SS "Overview"
The
.B tripe
server manages a number of secure connections to other `peer' hosts.
Each daemon is given a private key of its own, and a file of public keys
for the peers with which it is meant to communicate.  It is responsible
for negotiating sets of symmetric keys with its peers, and for
encrypting, encapsulating and sending IP packets to its peers, and
decrypting, checking and de-encapsulating packets it receives from
them.
.PP
When the server starts, it creates a Unix-domain socket on which it
listens for administration commands.  It also logs warnings and
diagnostic information to the programs connected to its admin socket.
Clients connected to the socket can add new peers, and remove or find
out about existing peers.  The textual protocol used to give the
.B tripe
server admin commands is described in
.BR tripe\-admin (5).
A client program
.BR tripectl (1)
is provided to allow commands to be sent to the server either
interactively or by simple scripts.
.SS "Command-line arguments"
If not given any command-line arguments,
.B tripe
will initialize by following these steps:
.hP 1.
It sets the directory named by the
.B TRIPEDIR
environment variable (or
.B /var/lib/tripe
if the variable is unset) as the current directory.
.hP 2.
It acquires a UDP socket with an arbitrary kernel-selected port number.
It will use this socket to send and receive all communications with its
peer servers.  The port chosen may be discovered by means of the
.B PORT
admin command (see
.BR tripe\-admin (5)).
.hP 3.
It loads the private key with the tag or type name
.B tripe\-dh
from the Catacomb-format file
.BR keyring ,
and loads the file
.B keyring.pub
ready for extracting the public keys of peers as they're introduced.
(The format of these files is described in
.BR keyring (5).
They are maintained using the program
.BR key (1)
provided with the Catacomb distribution.)
.hP 4.
It creates and listens to the Unix-domain socket
.BR tripesock .
.PP
Following this, the server enters its main loop, accepting admin
connections and obeying any administrative commands, and communicating
with peers.  It also treats its standard input and standard output
streams as an admin connection, reading commands from standard input and
writing responses and diagnostics messages to standard output.  Finally,
it will reload keys from its keyring files if it notices that they've
changed (it checks inode number and modification time) \- there's no
need to send a signal.
.PP
Much of this behaviour may be altered by giving
.B tripe
suitable command-line options:
.TP
.B "\-h, \-\-help"
Writes a brief description of the command-line options available to
standard output and exits with status 0.
.TP
.B "\-v, \-\-version"
Writes
.BR tripe 's
version number to standard output and exits with status 0.
.TP
.B "\-u, \-\-usage"
Writes a brief usage summary to standard output and exits with status 0.
.TP
.B "\-D, \-\-daemon"
Dissociates from its terminal and starts running in the background after
completing the initialization procedure described above.  If running as
a daemon,
.B tripe
will not read commands from standard input or write diagnostics to
standard output.  A better way to start
.B tripe
in the background is with
.BR tripectl (1).
.TP
.BI "\-d, \-\-directory=" dir
Makes
.I dir
the current directory, instead of
.BR /var/lib/tripe .
Give a current directory of
.B .
if you don't want it to change directory at all.
.TP
.BI "\-p, \-\-port=" port
Use the specified UDP port for all communications with peers, rather
than an arbitarary kernel-assigned port.
.TP
.BI "\-U, \-\-setuid=" user
Set uid to that of
.I user
(either a user name or integer uid) after initialization.  Also set gid
to
.IR user 's
primary group, unless overridden by a
.B \-G
option.
.TP
.BI "\-G, \-\-setgid=" group
Set gid to that of
.I group
(either a group name or integer gid) after initialization.
.TP
.BI "\-k, \-\-priv\-keyring=" file
Reads the private key from
.I file
rather than the default
.BR keyring .
.TP
.BI "\-K, \-\-pub\-keyring=" file
Reads public keys from
.I file
rather than the default
.BR keyring.pub .
This can be the same as the private keyring, but that's not recommended.
.TP
.BI "\-t, \-\-tag=" tag
Uses the private key whose tag or type is
.I tag
rather than the default
.BR tripe\-dh .
.TP
.BI "\-a, \-\-admin\-socket=" socket
Accept admin connections to a Unix-domain socket named
.I socket
rather than the default
.BR tripesock .
.TP
.BI "\-T, \-\-trace=" trace-opts
Allows the enabling or disabling of various internal diagnostics.  See
below for the list of options.
.SS "Setting up a VPN with tripe"
The
.B tripe
server identifies peers by name.  While it's
.I possible
for each host to maintain its own naming system for its peers, this is
likely to lead to confusion, and it's more sensible to organize a naming
system that works everywhere.  How you manage this naming is up to you.
The only restriction on the format of names is that they must be valid
Catacomb key tags, since this is how
.B tripe
identifies which public key to use for a particular peer: they may not
contain whitespace characters, or a colon
.RB ` : '
or dot
.RB ` . ',
.PP
Allocating IP addresses for VPNs can get quite complicated.  I'll
attempt to illustrate with a relatively simple example.  Our objective
will be to set up a virtual private network between two sites of
.BR example.com .
The two sites are using distinct IP address ranges from the private
address space described in RFC1918: site A is using addresses from
10.0.1.0/24 and site B is using 10.0.2.0/24.  Each site has a gateway
host set up with both an address on the site's private network, and an
externally-routable address from the public IP address space.  Site A's
gateway machine,
.BR alice ,
has the addresses 10.0.1.1 and 200.0.1.1; site B's gateway is
.B bob
and has addresses 10.0.2.1 and 200.0.2.1.
.PP
This isn't quite complicated enough.  Each of
.B alice
and
.B bob
needs an extra IP address which we'll use when setting up the
point-to-point link.  These addresses need to be routable, at least
within the virtual private network: unfortunately, you can't just use
the same pair everywhere.  We'll assign
.B alice
the point-to-point address 192.168.0.1, and
.B bob
the address 192.168.0.2.
.hP 1.
Install
.B tripe
on both of the gateway hosts.  Create the directory
.BR /var/lib/tripe .
.hP 2.
On
.BR alice ,
make
.B /var/lib/tripe
the current directory and generate a Diffie-Hellman group:
.RS
.VS
key add \-adh\-param \-LS \-b2048 \-B256 \e
	\-eforever \-tparam tripe\-dh\-param
.VE
(See
.BR key (1)
from the Catacomb distribution for details about the
.B key
command.)  Also generate a private key for
.BR alice :
.VS
key add \-adh \-pparam \-talice \e
	\-e"now + 1 year" tripe\-dh
.VE
Extract the group parameters and
.BR alice 's
public key to
.I separate
files, and put the public key in
.BR keyring.pub :
.VS
key extract param param
key extract \-f\-secret alice.pub alice
key \-kkeyring.pub merge alice.pub
.VE
Send the files
.B param
and
.B alice.pub
to
.B bob
in some secure way (e.g., in PGP-signed email, or by using SSH), so that
you can be sure they've not been altered in transit.
.RE
.hP 3.
On
.B bob
now, make
.B /var/lib/tripe
the current directory, and import the key material from
.BR alice :
.RS
.VS
key merge param
key \-kkeyring.pub merge alice.pub
.VE
Generate a private key for
.B bob
and extract the public half, as before:
.VS
key add \-adh \-pparam \-tbob \e
	\-e"now + 1 year" tripe\-dh
key extract \-f\-secret bob.pub bob
key \-kkeyring.pub merge bob.pub
.VE
and send
.B bob.pub
back to
.B alice
using some secure method.
.RE
.hP 4
On
.BR alice ,
merge
.B bob 's
key into the public keyring.  Now, on each host, run
.RS
.VS
key \-kkeyring.pub fingerprint
.VE
and check that the hashes match.  If the two sites have separate
administrators, they should read the hashes to each other over the
telephone (assuming that they can recognize each other's voices).
.RE
.hP 5.
Start the
.B tripe
servers up.  Run
.RS
.VS
tripectl \-slD \-S\-P23169
.VE
on each of
.B alice
and
.BR bob .
(The
.RB ` \-P23169 '
forces the server to use UDP port 23169: use some other number if 23169
is inappropriate for your requirements.  I chose it by reducing the
RIPEMD160 hash of
.RB ` tripe\-port\-number\e0 '
modulo 2\*(ss16\*(se.)
.RE
.hP 6.
To get
.B alice
talking to
.BR bob ,
run this shell script (or one like it):
.RS
.VS
#! /bin/sh

tripectl add bob 200.0.2.1 23169
ifname=`tripectl ifname bob`
ifconfig $ifname \e
	192.168.0.1 \e
	pointopoint 192.168.0.2
route add -net \e
	10.0.2.0 netmask 255.255.255.0 \e
	gw 192.168.0.2
.VE
Read
.BR ifconfig (8)
and
.BR route (8)
to find out about your system's variants of these commands.  The
versions shown above assume a Linux system.
Run a similar script on
.BR bob ,
to tell its
.B tripe
server to talk to
.BR alice .
.RE
.hP 7.
Congratulations.  The two servers will exchange keys and begin sending
packets almost immediately.  You've set up a virtual private network.
.SS "About the name"
The program's name is
.BR tripe ,
all in lower-case.  The name of the protocol it uses is `TrIPE', with
four capital letters and one lower-case.  The name stands for `Trivial
IP Encryption'.
.SH "BUGS"
The code hasn't been audited.  It may contain security bugs.  If you
find one, please inform the author
.IR immediately .
.SH "SEE ALSO"
.BR key (1),
.BR tripectl (1),
.BR tripe\-admin (5).
.PP
.IR "The Trivial IP Encryption Protocol" ,
.IR "The Wrestlers Protocol" .
.SH "AUTHOR"
Mark Wooding, <mdw@nsict.org>
Commit	Line	Data
74eb47db	1	.\" --nroff--
	2	.\".
	3	.de hP
	4	.IP
	5	\h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c
	6	..
	7	.de VS
	8	.sp 1
	9	.RS
	10	.nf
	11	.ft B
	12	..
	13	.de VE
	14	.ft R
	15	.fi
	16	.RE
	17	.sp 1
	18	..
	19	.ie t \{\
	20	. ds o \(bu
	21	. ds ss \s8\u
	22	. ds se \d\s0
	23	. if \n(.g \{\
	24	. fam P
	25	. \}
	26	.\}
	27	.el \{\
	28	. ds o o
	29	. ds ss ^
d6623498	30	. ds se
74eb47db	31	.\}
	32	.TH tripe 8 "10 February 2001" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
	33	.SH "NAME"
	34	tripe \- a simple VPN daemon
	35	.SH "SYNOPSIS"
	36	.B tripe
	37	.RB [ \-D ]
74eb47db	38	.RB [ \-d
74eb47db	39	.IR dir ]
33ced0d3	40	.RB [ \-p
	41	.IR port ]
	42	.RB [ \-U
	43	.IR user ]
	44	.RB [ \-G
	45	.IR group ]
74eb47db	46	.br
	47
	48	.RB [ \-k
	49	.IR priv-keyring ]
	50	.RB [ \-K
	51	.IR pub-keyring ]
	52	.RB [ \-t
	53	.IR key-tag ]
33ced0d3	54	.br
	55
	56	.RB [ \-a
	57	.IR socket ]
	58	.RB [ \-T
	59	.IR trace-opts ]
74eb47db	60	.SH "DESCRIPTION"
	61	The
	62	.B tripe
	63	program is a server which can provide strong IP-level encryption and
1a19f865	64	authentication between co-operating hosts. The program and its protocol
	65	are deliberately very simple, to make analysing them easy and to help
	66	build trust rapidly in the system.
74eb47db	67	.SS "Overview"
	68	The
	69	.B tripe
	70	server manages a number of secure connections to other `peer' hosts.
	71	Each daemon is given a private key of its own, and a file of public keys
	72	for the peers with which it is meant to communicate. It is responsible
	73	for negotiating sets of symmetric keys with its peers, and for
	74	encrypting, encapsulating and sending IP packets to its peers, and
	75	decrypting, checking and de-encapsulating packets it receives from
	76	them.
	77	.PP
	78	When the server starts, it creates a Unix-domain socket on which it
	79	listens for administration commands. It also logs warnings and
	80	diagnostic information to the programs connected to its admin socket.
	81	Clients connected to the socket can add new peers, and remove or find
	82	out about existing peers. The textual protocol used to give the
	83	.B tripe
	84	server admin commands is described in
	85	.BR tripe\-admin (5).
	86	A client program
	87	.BR tripectl (1)
	88	is provided to allow commands to be sent to the server either
	89	interactively or by simple scripts.
	90	.SS "Command-line arguments"
	91	If not given any command-line arguments,
	92	.B tripe
	93	will initialize by following these steps:
1a19f865	94	.hP 1.
	95	It sets the directory named by the
	96	.B TRIPEDIR
	97	environment variable (or
	98	.B /var/lib/tripe
	99	if the variable is unset) as the current directory.
	100	.hP 2.
74eb47db	101	It acquires a UDP socket with an arbitrary kernel-selected port number.
	102	It will use this socket to send and receive all communications with its
	103	peer servers. The port chosen may be discovered by means of the
	104	.B PORT
	105	admin command (see
	106	.BR tripe\-admin (5)).
1a19f865	107	.hP 3.
74eb47db	108	It loads the private key with the tag or type name
	109	.B tripe\-dh
	110	from the Catacomb-format file
	111	.BR keyring ,
	112	and loads the file
	113	.B keyring.pub
	114	ready for extracting the public keys of peers as they're introduced.
	115	(The format of these files is described in
	116	.BR keyring (5).
	117	They are maintained using the program
	118	.BR key (1)
	119	provided with the Catacomb distribution.)
1a19f865	120	.hP 4.
74eb47db	121	It creates and listens to the Unix-domain socket
	122	.BR tripesock .
	123	.PP
	124	Following this, the server enters its main loop, accepting admin
	125	connections and obeying any administrative commands, and communicating
	126	with peers. It also treats its standard input and standard output
	127	streams as an admin connection, reading commands from standard input and
33ced0d3	128	writing responses and diagnostics messages to standard output. Finally,
	129	it will reload keys from its keyring files if it notices that they've
	130	changed (it checks inode number and modification time) \- there's no
	131	need to send a signal.
74eb47db	132	.PP
	133	Much of this behaviour may be altered by giving
	134	.B tripe
	135	suitable command-line options:
	136	.TP
	137	.B "\-h, \-\-help"
	138	Writes a brief description of the command-line options available to
	139	standard output and exits with status 0.
	140	.TP
	141	.B "\-v, \-\-version"
	142	Writes
	143	.BR tripe 's
	144	version number to standard output and exits with status 0.
	145	.TP
	146	.B "\-u, \-\-usage"
	147	Writes a brief usage summary to standard output and exits with status 0.
	148	.TP
	149	.B "\-D, \-\-daemon"
	150	Dissociates from its terminal and starts running in the background after
	151	completing the initialization procedure described above. If running as
	152	a daemon,
	153	.B tripe
	154	will not read commands from standard input or write diagnostics to
	155	standard output. A better way to start
	156	.B tripe
	157	in the background is with
	158	.BR tripectl (1).
	159	.TP
	160	.BI "\-d, \-\-directory=" dir
	161	Makes
	162	.I dir
	163	the current directory, instead of
	164	.BR /var/lib/tripe .
	165	Give a current directory of
	166	.B .
	167	if you don't want it to change directory at all.
	168	.TP
	169	.BI "\-p, \-\-port=" port
	170	Use the specified UDP port for all communications with peers, rather
	171	than an arbitarary kernel-assigned port.
	172	.TP
33ced0d3	173	.BI "\-U, \-\-setuid=" user
	174	Set uid to that of
	175	.I user
	176	(either a user name or integer uid) after initialization. Also set gid
	177	to
	178	.IR user 's
	179	primary group, unless overridden by a
	180	.B \-G
	181	option.
	182	.TP
	183	.BI "\-G, \-\-setgid=" group
	184	Set gid to that of
	185	.I group
	186	(either a group name or integer gid) after initialization.
	187	.TP
74eb47db	188	.BI "\-k, \-\-priv\-keyring=" file
	189	Reads the private key from
	190	.I file
	191	rather than the default
	192	.BR keyring .
	193	.TP
	194	.BI "\-K, \-\-pub\-keyring=" file
	195	Reads public keys from
	196	.I file
	197	rather than the default
	198	.BR keyring.pub .
	199	This can be the same as the private keyring, but that's not recommended.
	200	.TP
	201	.BI "\-t, \-\-tag=" tag
	202	Uses the private key whose tag or type is
	203	.I tag
	204	rather than the default
	205	.BR tripe\-dh .
	206	.TP
	207	.BI "\-a, \-\-admin\-socket=" socket
	208	Accept admin connections to a Unix-domain socket named
	209	.I socket
	210	rather than the default
	211	.BR tripesock .
	212	.TP
	213	.BI "\-T, \-\-trace=" trace-opts
	214	Allows the enabling or disabling of various internal diagnostics. See
	215	below for the list of options.
d6623498	216	.SS "Setting up a VPN with tripe"
	217	The
	218	.B tripe
	219	server identifies peers by name. While it's
	220	.I possible
	221	for each host to maintain its own naming system for its peers, this is
	222	likely to lead to confusion, and it's more sensible to organize a naming
	223	system that works everywhere. How you manage this naming is up to you.
	224	The only restriction on the format of names is that they must be valid
	225	Catacomb key tags, since this is how
	226	.B tripe
	227	identifies which public key to use for a particular peer: they may not
	228	contain whitespace characters, or a colon
	229	.RB ` : '
	230	or dot
	231	.RB ` . ',
	232	.PP
	233	Allocating IP addresses for VPNs can get quite complicated. I'll
	234	attempt to illustrate with a relatively simple example. Our objective
	235	will be to set up a virtual private network between two sites of
	236	.BR example.com .
	237	The two sites are using distinct IP address ranges from the private
	238	address space described in RFC1918: site A is using addresses from
	239	10.0.1.0/24 and site B is using 10.0.2.0/24. Each site has a gateway
	240	host set up with both an address on the site's private network, and an
	241	externally-routable address from the public IP address space. Site A's
	242	gateway machine,
	243	.BR alice ,
	244	has the addresses 10.0.1.1 and 200.0.1.1; site B's gateway is
	245	.B bob
	246	and has addresses 10.0.2.1 and 200.0.2.1.
	247	.PP
	248	This isn't quite complicated enough. Each of
	249	.B alice
	250	and
	251	.B bob
	252	needs an extra IP address which we'll use when setting up the
	253	point-to-point link. These addresses need to be routable, at least
	254	within the virtual private network: unfortunately, you can't just use
	255	the same pair everywhere. We'll assign
	256	.B alice
	257	the point-to-point address 192.168.0.1, and
	258	.B bob
	259	the address 192.168.0.2.
	260	.hP 1.
	261	Install
	262	.B tripe
	263	on both of the gateway hosts. Create the directory
	264	.BR /var/lib/tripe .
	265	.hP 2.
	266	On
	267	.BR alice ,
	268	make
	269	.B /var/lib/tripe
	270	the current directory and generate a Diffie-Hellman group:
	271	.RS
74eb47db	272	.VS
	273	key add \-adh\-param \-LS \-b2048 \-B256 \e
	274	\-eforever \-tparam tripe\-dh\-param
	275	.VE
d6623498	276	(See
	277	.BR key (1)
	278	from the Catacomb distribution for details about the
	279	.B key
	280	command.) Also generate a private key for
	281	.BR alice :
	282	.VS
	283	key add \-adh \-pparam \-talice \e
	284	\-e"now + 1 year" tripe\-dh
	285	.VE
	286	Extract the group parameters and
	287	.BR alice 's
	288	public key to
	289	.I separate
	290	files, and put the public key in
	291	.BR keyring.pub :
74eb47db	292	.VS
74eb47db	293	key extract param param
37075862	294	key extract \-f\-secret alice.pub alice
d6623498	295	key \-kkeyring.pub merge alice.pub
74eb47db	296	.VE
d6623498	297	Send the files
	298	.B param
	299	and
	300	.B alice.pub
	301	to
	302	.B bob
	303	in some secure way (e.g., in PGP-signed email, or by using SSH), so that
	304	you can be sure they've not been altered in transit.
	305	.RE
	306	.hP 3.
	307	On
	308	.B bob
	309	now, make
	310	.B /var/lib/tripe
	311	the current directory, and import the key material from
	312	.BR alice :
	313	.RS
74eb47db	314	.VS
74eb47db	315	key merge param
d6623498	316	key \-kkeyring.pub merge alice.pub
74eb47db	317	.VE
d6623498	318	Generate a private key for
	319	.B bob
	320	and extract the public half, as before:
74eb47db	321	.VS
d6623498	322	key add \-adh \-pparam \-tbob \e
d6623498	323	\-e"now + 1 year" tripe\-dh
383f2a0b	324	key extract \-f\-secret bob.pub bob
d6623498	325	key \-kkeyring.pub merge bob.pub
74eb47db	326	.VE
d6623498	327	and send
	328	.B bob.pub
	329	back to
	330	.B alice
	331	using some secure method.
	332	.RE
	333	.hP 4
	334	On
	335	.BR alice ,
	336	merge
	337	.B bob 's
	338	key into the public keyring. Now, on each host, run
	339	.RS
	340	.VS
	341	key \-kkeyring.pub fingerprint
	342	.VE
	343	and check that the hashes match. If the two sites have separate
	344	administrators, they should read the hashes to each other over the
	345	telephone (assuming that they can recognize each other's voices).
	346	.RE
	347	.hP 5.
	348	Start the
	349	.B tripe
	350	servers up. Run
	351	.RS
	352	.VS
	353	tripectl \-slD \-S\-P23169
	354	.VE
	355	on each of
	356	.B alice
	357	and
	358	.BR bob .
	359	(The
	360	.RB ` \-P23169 '
	361	forces the server to use UDP port 23169: use some other number if 23169
	362	is inappropriate for your requirements. I chose it by reducing the
	363	RIPEMD160 hash of
	364	.RB ` tripe\-port\-number\e0 '
	365	modulo 2\(ss16\(se.)
	366	.RE
	367	.hP 6.
	368	To get
	369	.B alice
	370	talking to
	371	.BR bob ,
	372	run this shell script (or one like it):
	373	.RS
	374	.VS
	375	#! /bin/sh
74eb47db	376
d6623498	377	tripectl add bob 200.0.2.1 23169
	378	ifname=`tripectl ifname bob`
	379	ifconfig $ifname \e
	380	192.168.0.1 \e
	381	pointopoint 192.168.0.2
	382	route add -net \e
	383	10.0.2.0 netmask 255.255.255.0 \e
	384	gw 192.168.0.2
	385	.VE
	386	Read
	387	.BR ifconfig (8)
	388	and
	389	.BR route (8)
	390	to find out about your system's variants of these commands. The
	391	versions shown above assume a Linux system.
	392	Run a similar script on
	393	.BR bob ,
	394	to tell its
	395	.B tripe
	396	server to talk to
	397	.BR alice .
	398	.RE
	399	.hP 7.
	400	Congratulations. The two servers will exchange keys and begin sending
	401	packets almost immediately. You've set up a virtual private network.
74eb47db	402	.SS "About the name"
	403	The program's name is
	404	.BR tripe ,
	405	all in lower-case. The name of the protocol it uses is `TrIPE', with
	406	four capital letters and one lower-case. The name stands for `Trivial
	407	IP Encryption'.
	408	.SH "BUGS"
74eb47db	409	The code hasn't been audited. It may contain security bugs. If you
	410	find one, please inform the author
	411	.IR immediately .
	412	.SH "SEE ALSO"
	413	.BR key (1),
	414	.BR tripectl (1),
	415	.BR tripe\-admin (5).
	416	.PP
	417	.IR "The Trivial IP Encryption Protocol" ,
	418	.IR "The Wrestlers Protocol" .
	419	.SH "AUTHOR"
	420	Mark Wooding, <mdw@nsict.org>