[tripe] / doc / tripe.8

.\" -*-nroff-*-
.\".
.de hP
.IP
\h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c
..
.de VS
.sp 1
.RS
.nf
.ft B
..
.de VE
.ft R
.fi
.RE
.sp 1
..
.ie t \{\
.  ds o \(bu
.  ds ss \s8\u
.  ds se \d\s0
.  if \n(.g \{\
.    fam P
.  \}
.\}
.el \{\
.  ds o o
.  ds ss ^
.  ds se
.\}
.TH tripe 8 "10 February 2001" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
.SH "NAME"
tripe \- a simple VPN daemon
.SH "SYNOPSIS"
.B tripe
.RB [ \-D ]
.RB [ \-d
.IR dir ]
.RB [ \-p
.IR port ]
.RB [ \-U
.IR user ]
.RB [ \-G
.IR group ]
.br
	
.RB [ \-k
.IR priv-keyring ]
.RB [ \-K
.IR pub-keyring ]
.RB [ \-t
.IR key-tag ]
.br
	
.RB [ \-a
.IR socket ]
.RB [ \-T
.IR trace-opts ]
.SH "DESCRIPTION"
The
.B tripe
program is a server which can provide strong IP-level encryption and
authentication between two co-operating hosts.  The program and its
protocol are deliberately very simple, to make analysing them easy and
to help build trust rapidly in the system.
.SS "Overview"
The
.B tripe
server manages a number of secure connections to other `peer' hosts.
Each daemon is given a private key of its own, and a file of public keys
for the peers with which it is meant to communicate.  It is responsible
for negotiating sets of symmetric keys with its peers, and for
encrypting, encapsulating and sending IP packets to its peers, and
decrypting, checking and de-encapsulating packets it receives from
them.
.PP
When the server starts, it creates a Unix-domain socket on which it
listens for administration commands.  It also logs warnings and
diagnostic information to the programs connected to its admin socket.
Clients connected to the socket can add new peers, and remove or find
out about existing peers.  The textual protocol used to give the
.B tripe
server admin commands is described in
.BR tripe\-admin (5).
A client program
.BR tripectl (1)
is provided to allow commands to be sent to the server either
interactively or by simple scripts.
.SS "Command-line arguments"
If not given any command-line arguments,
.B tripe
will initialize by following these steps:
.hP \*o
It changes directory to
.BR /var/lib/tripe .
.hP \*o
It acquires a UDP socket with an arbitrary kernel-selected port number.
It will use this socket to send and receive all communications with its
peer servers.  The port chosen may be discovered by means of the
.B PORT
admin command (see
.BR tripe\-admin (5)).
.hP \*o
It loads the private key with the tag or type name
.B tripe\-dh
from the Catacomb-format file
.BR keyring ,
and loads the file
.B keyring.pub
ready for extracting the public keys of peers as they're introduced.
(The format of these files is described in
.BR keyring (5).
They are maintained using the program
.BR key (1)
provided with the Catacomb distribution.)
.hP \*o
It creates and listens to the Unix-domain socket
.BR tripesock .
.PP
Following this, the server enters its main loop, accepting admin
connections and obeying any administrative commands, and communicating
with peers.  It also treats its standard input and standard output
streams as an admin connection, reading commands from standard input and
writing responses and diagnostics messages to standard output.  Finally,
it will reload keys from its keyring files if it notices that they've
changed (it checks inode number and modification time) \- there's no
need to send a signal.
.PP
Much of this behaviour may be altered by giving
.B tripe
suitable command-line options:
.TP
.B "\-h, \-\-help"
Writes a brief description of the command-line options available to
standard output and exits with status 0.
.TP
.B "\-v, \-\-version"
Writes
.BR tripe 's
version number to standard output and exits with status 0.
.TP
.B "\-u, \-\-usage"
Writes a brief usage summary to standard output and exits with status 0.
.TP
.B "\-D, \-\-daemon"
Dissociates from its terminal and starts running in the background after
completing the initialization procedure described above.  If running as
a daemon,
.B tripe
will not read commands from standard input or write diagnostics to
standard output.  A better way to start
.B tripe
in the background is with
.BR tripectl (1).
.TP
.BI "\-d, \-\-directory=" dir
Makes
.I dir
the current directory, instead of
.BR /var/lib/tripe .
Give a current directory of
.B .
if you don't want it to change directory at all.
.TP
.BI "\-p, \-\-port=" port
Use the specified UDP port for all communications with peers, rather
than an arbitarary kernel-assigned port.
.TP
.BI "\-U, \-\-setuid=" user
Set uid to that of
.I user
(either a user name or integer uid) after initialization.  Also set gid
to
.IR user 's
primary group, unless overridden by a
.B \-G
option.
.TP
.BI "\-G, \-\-setgid=" group
Set gid to that of
.I group
(either a group name or integer gid) after initialization.
.TP
.BI "\-k, \-\-priv\-keyring=" file
Reads the private key from
.I file
rather than the default
.BR keyring .
.TP
.BI "\-K, \-\-pub\-keyring=" file
Reads public keys from
.I file
rather than the default
.BR keyring.pub .
This can be the same as the private keyring, but that's not recommended.
.TP
.BI "\-t, \-\-tag=" tag
Uses the private key whose tag or type is
.I tag
rather than the default
.BR tripe\-dh .
.TP
.BI "\-a, \-\-admin\-socket=" socket
Accept admin connections to a Unix-domain socket named
.I socket
rather than the default
.BR tripesock .
.TP
.BI "\-T, \-\-trace=" trace-opts
Allows the enabling or disabling of various internal diagnostics.  See
below for the list of options.
.SS "Setting up a VPN with tripe"
The
.B tripe
server identifies peers by name.  While it's
.I possible
for each host to maintain its own naming system for its peers, this is
likely to lead to confusion, and it's more sensible to organize a naming
system that works everywhere.  How you manage this naming is up to you.
The only restriction on the format of names is that they must be valid
Catacomb key tags, since this is how
.B tripe
identifies which public key to use for a particular peer: they may not
contain whitespace characters, or a colon
.RB ` : '
or dot
.RB ` . ',
.PP
Allocating IP addresses for VPNs can get quite complicated.  I'll
attempt to illustrate with a relatively simple example.  Our objective
will be to set up a virtual private network between two sites of
.BR example.com .
The two sites are using distinct IP address ranges from the private
address space described in RFC1918: site A is using addresses from
10.0.1.0/24 and site B is using 10.0.2.0/24.  Each site has a gateway
host set up with both an address on the site's private network, and an
externally-routable address from the public IP address space.  Site A's
gateway machine,
.BR alice ,
has the addresses 10.0.1.1 and 200.0.1.1; site B's gateway is
.B bob
and has addresses 10.0.2.1 and 200.0.2.1.
.PP
This isn't quite complicated enough.  Each of
.B alice
and
.B bob
needs an extra IP address which we'll use when setting up the
point-to-point link.  These addresses need to be routable, at least
within the virtual private network: unfortunately, you can't just use
the same pair everywhere.  We'll assign
.B alice
the point-to-point address 192.168.0.1, and
.B bob
the address 192.168.0.2.
.hP 1.
Install
.B tripe
on both of the gateway hosts.  Create the directory
.BR /var/lib/tripe .
.hP 2.
On
.BR alice ,
make
.B /var/lib/tripe
the current directory and generate a Diffie-Hellman group:
.RS
.VS
key add \-adh\-param \-LS \-b2048 \-B256 \e
	\-eforever \-tparam tripe\-dh\-param
.VE
(See
.BR key (1)
from the Catacomb distribution for details about the
.B key
command.)  Also generate a private key for
.BR alice :
.VS
key add \-adh \-pparam \-talice \e
	\-e"now + 1 year" tripe\-dh
.VE
Extract the group parameters and
.BR alice 's
public key to
.I separate
files, and put the public key in
.BR keyring.pub :
.VS
key extract param param
key extract \-f\-secret alice.pub alice
key \-kkeyring.pub merge alice.pub
.VE
Send the files
.B param
and
.B alice.pub
to
.B bob
in some secure way (e.g., in PGP-signed email, or by using SSH), so that
you can be sure they've not been altered in transit.
.RE
.hP 3.
On
.B bob
now, make
.B /var/lib/tripe
the current directory, and import the key material from
.BR alice :
.RS
.VS
key merge param
key \-kkeyring.pub merge alice.pub
.VE
Generate a private key for
.B bob
and extract the public half, as before:
.VS
key add \-adh \-pparam \-tbob \e
	\-e"now + 1 year" tripe\-dh
key extract \-f\-secret bob.pub bob
key \-kkeyring.pub merge bob.pub
.VE
and send
.B bob.pub
back to
.B alice
using some secure method.
.RE
.hP 4
On
.BR alice ,
merge
.B bob 's
key into the public keyring.  Now, on each host, run
.RS
.VS
key \-kkeyring.pub fingerprint
.VE
and check that the hashes match.  If the two sites have separate
administrators, they should read the hashes to each other over the
telephone (assuming that they can recognize each other's voices).
.RE
.hP 5.
Start the
.B tripe
servers up.  Run
.RS
.VS
tripectl \-slD \-S\-P23169
.VE
on each of
.B alice
and
.BR bob .
(The
.RB ` \-P23169 '
forces the server to use UDP port 23169: use some other number if 23169
is inappropriate for your requirements.  I chose it by reducing the
RIPEMD160 hash of
.RB ` tripe\-port\-number\e0 '
modulo 2\*(ss16\*(se.)
.RE
.hP 6.
To get
.B alice
talking to
.BR bob ,
run this shell script (or one like it):
.RS
.VS
#! /bin/sh

tripectl add bob 200.0.2.1 23169
ifname=`tripectl ifname bob`
ifconfig $ifname \e
	192.168.0.1 \e
	pointopoint 192.168.0.2
route add -net \e
	10.0.2.0 netmask 255.255.255.0 \e
	gw 192.168.0.2
.VE
Read
.BR ifconfig (8)
and
.BR route (8)
to find out about your system's variants of these commands.  The
versions shown above assume a Linux system.
Run a similar script on
.BR bob ,
to tell its
.B tripe
server to talk to
.BR alice .
.RE
.hP 7.
Congratulations.  The two servers will exchange keys and begin sending
packets almost immediately.  You've set up a virtual private network.
.SS "About the name"
The program's name is
.BR tripe ,
all in lower-case.  The name of the protocol it uses is `TrIPE', with
four capital letters and one lower-case.  The name stands for `Trivial
IP Encryption'.
.SH "BUGS"
The code hasn't been audited.  It may contain security bugs.  If you
find one, please inform the author
.IR immediately .
.SH "SEE ALSO"
.BR key (1),
.BR tripectl (1),
.BR tripe\-admin (5).
.PP
.IR "The Trivial IP Encryption Protocol" ,
.IR "The Wrestlers Protocol" .
.SH "AUTHOR"
Mark Wooding, <mdw@nsict.org>
Commit	Line	Data
74eb47db	1	.\" --nroff--
	2	.\".
	3	.de hP
	4	.IP
	5	\h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c
	6	..
	7	.de VS
	8	.sp 1
	9	.RS
	10	.nf
	11	.ft B
	12	..
	13	.de VE
	14	.ft R
	15	.fi
	16	.RE
	17	.sp 1
	18	..
	19	.ie t \{\
	20	. ds o \(bu
	21	. ds ss \s8\u
	22	. ds se \d\s0
	23	. if \n(.g \{\
	24	. fam P
	25	. \}
	26	.\}
	27	.el \{\
	28	. ds o o
	29	. ds ss ^
d6623498	30	. ds se
74eb47db	31	.\}
	32	.TH tripe 8 "10 February 2001" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
	33	.SH "NAME"
	34	tripe \- a simple VPN daemon
	35	.SH "SYNOPSIS"
	36	.B tripe
	37	.RB [ \-D ]
74eb47db	38	.RB [ \-d
74eb47db	39	.IR dir ]
33ced0d3	40	.RB [ \-p
	41	.IR port ]
	42	.RB [ \-U
	43	.IR user ]
	44	.RB [ \-G
	45	.IR group ]
74eb47db	46	.br
	47
	48	.RB [ \-k
	49	.IR priv-keyring ]
	50	.RB [ \-K
	51	.IR pub-keyring ]
	52	.RB [ \-t
	53	.IR key-tag ]
33ced0d3	54	.br
	55
	56	.RB [ \-a
	57	.IR socket ]
	58	.RB [ \-T
	59	.IR trace-opts ]
74eb47db	60	.SH "DESCRIPTION"
	61	The
	62	.B tripe
	63	program is a server which can provide strong IP-level encryption and
	64	authentication between two co-operating hosts. The program and its
	65	protocol are deliberately very simple, to make analysing them easy and
	66	to help build trust rapidly in the system.
	67	.SS "Overview"
	68	The
	69	.B tripe
	70	server manages a number of secure connections to other `peer' hosts.
	71	Each daemon is given a private key of its own, and a file of public keys
	72	for the peers with which it is meant to communicate. It is responsible
	73	for negotiating sets of symmetric keys with its peers, and for
	74	encrypting, encapsulating and sending IP packets to its peers, and
	75	decrypting, checking and de-encapsulating packets it receives from
	76	them.
	77	.PP
	78	When the server starts, it creates a Unix-domain socket on which it
	79	listens for administration commands. It also logs warnings and
	80	diagnostic information to the programs connected to its admin socket.
	81	Clients connected to the socket can add new peers, and remove or find
	82	out about existing peers. The textual protocol used to give the
	83	.B tripe
	84	server admin commands is described in
	85	.BR tripe\-admin (5).
	86	A client program
	87	.BR tripectl (1)
	88	is provided to allow commands to be sent to the server either
	89	interactively or by simple scripts.
	90	.SS "Command-line arguments"
	91	If not given any command-line arguments,
	92	.B tripe
	93	will initialize by following these steps:
	94	.hP \*o
	95	It changes directory to
	96	.BR /var/lib/tripe .
	97	.hP \*o
	98	It acquires a UDP socket with an arbitrary kernel-selected port number.
	99	It will use this socket to send and receive all communications with its
	100	peer servers. The port chosen may be discovered by means of the
	101	.B PORT
	102	admin command (see
	103	.BR tripe\-admin (5)).
	104	.hP \*o
	105	It loads the private key with the tag or type name
	106	.B tripe\-dh
	107	from the Catacomb-format file
	108	.BR keyring ,
	109	and loads the file
	110	.B keyring.pub
	111	ready for extracting the public keys of peers as they're introduced.
	112	(The format of these files is described in
	113	.BR keyring (5).
	114	They are maintained using the program
	115	.BR key (1)
	116	provided with the Catacomb distribution.)
	117	.hP \*o
	118	It creates and listens to the Unix-domain socket
	119	.BR tripesock .
	120	.PP
	121	Following this, the server enters its main loop, accepting admin
	122	connections and obeying any administrative commands, and communicating
	123	with peers. It also treats its standard input and standard output
124	streams as an admin connection, reading commands from standard input and
33ced0d3	125	writing responses and diagnostics messages to standard output. Finally,
	126	it will reload keys from its keyring files if it notices that they've
	127	changed (it checks inode number and modification time) \- there's no
	128	need to send a signal.
74eb47db	129	.PP
	130	Much of this behaviour may be altered by giving
	131	.B tripe
	132	suitable command-line options:
	133	.TP
	134	.B "\-h, \-\-help"
	135	Writes a brief description of the command-line options available to
	136	standard output and exits with status 0.
	137	.TP
	138	.B "\-v, \-\-version"
	139	Writes
	140	.BR tripe 's
	141	version number to standard output and exits with status 0.
	142	.TP
	143	.B "\-u, \-\-usage"
	144	Writes a brief usage summary to standard output and exits with status 0.
	145	.TP
	146	.B "\-D, \-\-daemon"
	147	Dissociates from its terminal and starts running in the background after
	148	completing the initialization procedure described above. If running as
	149	a daemon,
	150	.B tripe
	151	will not read commands from standard input or write diagnostics to
	152	standard output. A better way to start
	153	.B tripe
	154	in the background is with
	155	.BR tripectl (1).
	156	.TP
	157	.BI "\-d, \-\-directory=" dir
	158	Makes
	159	.I dir
	160	the current directory, instead of
	161	.BR /var/lib/tripe .
	162	Give a current directory of
	163	.B .
	164	if you don't want it to change directory at all.
	165	.TP
	166	.BI "\-p, \-\-port=" port
	167	Use the specified UDP port for all communications with peers, rather
	168	than an arbitarary kernel-assigned port.
	169	.TP
33ced0d3	170	.BI "\-U, \-\-setuid=" user
	171	Set uid to that of
	172	.I user
	173	(either a user name or integer uid) after initialization. Also set gid
	174	to
	175	.IR user 's
	176	primary group, unless overridden by a
	177	.B \-G
	178	option.
	179	.TP
	180	.BI "\-G, \-\-setgid=" group
	181	Set gid to that of
	182	.I group
	183	(either a group name or integer gid) after initialization.
	184	.TP
74eb47db	185	.BI "\-k, \-\-priv\-keyring=" file
	186	Reads the private key from
	187	.I file
	188	rather than the default
	189	.BR keyring .
	190	.TP
	191	.BI "\-K, \-\-pub\-keyring=" file
	192	Reads public keys from
	193	.I file
	194	rather than the default
	195	.BR keyring.pub .
	196	This can be the same as the private keyring, but that's not recommended.
	197	.TP
	198	.BI "\-t, \-\-tag=" tag
	199	Uses the private key whose tag or type is
	200	.I tag
	201	rather than the default
	202	.BR tripe\-dh .
	203	.TP
	204	.BI "\-a, \-\-admin\-socket=" socket
	205	Accept admin connections to a Unix-domain socket named
	206	.I socket
	207	rather than the default
	208	.BR tripesock .
	209	.TP
	210	.BI "\-T, \-\-trace=" trace-opts
	211	Allows the enabling or disabling of various internal diagnostics. See
	212	below for the list of options.
d6623498	213	.SS "Setting up a VPN with tripe"
	214	The
	215	.B tripe
	216	server identifies peers by name. While it's
	217	.I possible
	218	for each host to maintain its own naming system for its peers, this is
	219	likely to lead to confusion, and it's more sensible to organize a naming
	220	system that works everywhere. How you manage this naming is up to you.
	221	The only restriction on the format of names is that they must be valid
	222	Catacomb key tags, since this is how
	223	.B tripe
	224	identifies which public key to use for a particular peer: they may not
	225	contain whitespace characters, or a colon
	226	.RB ` : '
	227	or dot
	228	.RB ` . ',
	229	.PP
	230	Allocating IP addresses for VPNs can get quite complicated. I'll
	231	attempt to illustrate with a relatively simple example. Our objective
	232	will be to set up a virtual private network between two sites of
	233	.BR example.com .
	234	The two sites are using distinct IP address ranges from the private
	235	address space described in RFC1918: site A is using addresses from
	236	10.0.1.0/24 and site B is using 10.0.2.0/24. Each site has a gateway
	237	host set up with both an address on the site's private network, and an
	238	externally-routable address from the public IP address space. Site A's
	239	gateway machine,
	240	.BR alice ,
	241	has the addresses 10.0.1.1 and 200.0.1.1; site B's gateway is
	242	.B bob
	243	and has addresses 10.0.2.1 and 200.0.2.1.
	244	.PP
	245	This isn't quite complicated enough. Each of
	246	.B alice
	247	and
	248	.B bob
	249	needs an extra IP address which we'll use when setting up the
	250	point-to-point link. These addresses need to be routable, at least
	251	within the virtual private network: unfortunately, you can't just use
	252	the same pair everywhere. We'll assign
	253	.B alice
	254	the point-to-point address 192.168.0.1, and
	255	.B bob
	256	the address 192.168.0.2.
	257	.hP 1.
	258	Install
	259	.B tripe
	260	on both of the gateway hosts. Create the directory
	261	.BR /var/lib/tripe .
	262	.hP 2.
	263	On
	264	.BR alice ,
	265	make
	266	.B /var/lib/tripe
	267	the current directory and generate a Diffie-Hellman group:
	268	.RS
74eb47db	269	.VS
	270	key add \-adh\-param \-LS \-b2048 \-B256 \e
	271	\-eforever \-tparam tripe\-dh\-param
	272	.VE
d6623498	273	(See
	274	.BR key (1)
	275	from the Catacomb distribution for details about the
	276	.B key
	277	command.) Also generate a private key for
	278	.BR alice :
	279	.VS
	280	key add \-adh \-pparam \-talice \e
	281	\-e"now + 1 year" tripe\-dh
	282	.VE
	283	Extract the group parameters and
	284	.BR alice 's
	285	public key to
	286	.I separate
	287	files, and put the public key in
	288	.BR keyring.pub :
74eb47db	289	.VS
74eb47db	290	key extract param param
37075862	291	key extract \-f\-secret alice.pub alice
d6623498	292	key \-kkeyring.pub merge alice.pub
74eb47db	293	.VE
d6623498	294	Send the files
	295	.B param
	296	and
	297	.B alice.pub
	298	to
	299	.B bob
	300	in some secure way (e.g., in PGP-signed email, or by using SSH), so that
	301	you can be sure they've not been altered in transit.
	302	.RE
	303	.hP 3.
	304	On
	305	.B bob
	306	now, make
	307	.B /var/lib/tripe
	308	the current directory, and import the key material from
	309	.BR alice :
	310	.RS
74eb47db	311	.VS
74eb47db	312	key merge param
d6623498	313	key \-kkeyring.pub merge alice.pub
74eb47db	314	.VE
d6623498	315	Generate a private key for
	316	.B bob
	317	and extract the public half, as before:
74eb47db	318	.VS
d6623498	319	key add \-adh \-pparam \-tbob \e
d6623498	320	\-e"now + 1 year" tripe\-dh
383f2a0b	321	key extract \-f\-secret bob.pub bob
d6623498	322	key \-kkeyring.pub merge bob.pub
74eb47db	323	.VE
d6623498	324	and send
	325	.B bob.pub
	326	back to
	327	.B alice
	328	using some secure method.
	329	.RE
	330	.hP 4
	331	On
	332	.BR alice ,
	333	merge
	334	.B bob 's
	335	key into the public keyring. Now, on each host, run
	336	.RS
	337	.VS
	338	key \-kkeyring.pub fingerprint
	339	.VE
	340	and check that the hashes match. If the two sites have separate
	341	administrators, they should read the hashes to each other over the
	342	telephone (assuming that they can recognize each other's voices).
	343	.RE
	344	.hP 5.
	345	Start the
	346	.B tripe
	347	servers up. Run
	348	.RS
	349	.VS
	350	tripectl \-slD \-S\-P23169
	351	.VE
	352	on each of
	353	.B alice
	354	and
	355	.BR bob .
	356	(The
	357	.RB ` \-P23169 '
	358	forces the server to use UDP port 23169: use some other number if 23169
	359	is inappropriate for your requirements. I chose it by reducing the
	360	RIPEMD160 hash of
	361	.RB ` tripe\-port\-number\e0 '
	362	modulo 2\(ss16\(se.)
	363	.RE
	364	.hP 6.
	365	To get
	366	.B alice
	367	talking to
	368	.BR bob ,
	369	run this shell script (or one like it):
	370	.RS
	371	.VS
	372	#! /bin/sh
74eb47db	373
d6623498	374	tripectl add bob 200.0.2.1 23169
	375	ifname=`tripectl ifname bob`
	376	ifconfig $ifname \e
	377	192.168.0.1 \e
	378	pointopoint 192.168.0.2
	379	route add -net \e
	380	10.0.2.0 netmask 255.255.255.0 \e
	381	gw 192.168.0.2
	382	.VE
	383	Read
	384	.BR ifconfig (8)
	385	and
	386	.BR route (8)
	387	to find out about your system's variants of these commands. The
	388	versions shown above assume a Linux system.
	389	Run a similar script on
	390	.BR bob ,
	391	to tell its
	392	.B tripe
	393	server to talk to
	394	.BR alice .
	395	.RE
	396	.hP 7.
	397	Congratulations. The two servers will exchange keys and begin sending
	398	packets almost immediately. You've set up a virtual private network.
74eb47db	399	.SS "About the name"
	400	The program's name is
	401	.BR tripe ,
	402	all in lower-case. The name of the protocol it uses is `TrIPE', with
	403	four capital letters and one lower-case. The name stands for `Trivial
	404	IP Encryption'.
	405	.SH "BUGS"
74eb47db	406	The code hasn't been audited. It may contain security bugs. If you
	407	find one, please inform the author
	408	.IR immediately .
	409	.SH "SEE ALSO"
	410	.BR key (1),
	411	.BR tripectl (1),
	412	.BR tripe\-admin (5).
	413	.PP
	414	.IR "The Trivial IP Encryption Protocol" ,
	415	.IR "The Wrestlers Protocol" .
	416	.SH "AUTHOR"
	417	Mark Wooding, <mdw@nsict.org>