74eb47db |
1 | .\" -*-nroff-*- |
2 | .\". |
3 | .de hP |
4 | .IP |
5 | \h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c |
6 | .. |
7 | .de VS |
8 | .sp 1 |
9 | .RS |
10 | .nf |
11 | .ft B |
12 | .. |
13 | .de VE |
14 | .ft R |
15 | .fi |
16 | .RE |
17 | .sp 1 |
18 | .. |
19 | .ie t \{\ |
20 | . ds o \(bu |
21 | . ds ss \s8\u |
22 | . ds se \d\s0 |
23 | . if \n(.g \{\ |
24 | . fam P |
25 | . \} |
26 | .\} |
27 | .el \{\ |
28 | . ds o o |
29 | . ds ss ^ |
d6623498 |
30 | . ds se |
74eb47db |
31 | .\} |
32 | .TH tripe 8 "10 February 2001" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption" |
33 | .SH "NAME" |
34 | tripe \- a simple VPN daemon |
35 | .SH "SYNOPSIS" |
36 | .B tripe |
37 | .RB [ \-D ] |
74eb47db |
38 | .RB [ \-d |
39 | .IR dir ] |
d13e5724 |
40 | .RB [ \-b |
41 | .IR addr ] |
33ced0d3 |
42 | .RB [ \-p |
43 | .IR port ] |
42da2a58 |
44 | .RB [ \-n |
45 | .IR tunnel ] |
d13e5724 |
46 | .br |
47 | |
33ced0d3 |
48 | .RB [ \-U |
49 | .IR user ] |
50 | .RB [ \-G |
51 | .IR group ] |
d13e5724 |
52 | .RB [ \-a |
53 | .IR socket ] |
54 | .RB [ \-T |
55 | .IR trace-opts ] |
74eb47db |
56 | .br |
57 | |
58 | .RB [ \-k |
59 | .IR priv-keyring ] |
60 | .RB [ \-K |
61 | .IR pub-keyring ] |
62 | .RB [ \-t |
63 | .IR key-tag ] |
64 | .SH "DESCRIPTION" |
65 | The |
66 | .B tripe |
67 | program is a server which can provide strong IP-level encryption and |
1a19f865 |
68 | authentication between co-operating hosts. The program and its protocol |
69 | are deliberately very simple, to make analysing them easy and to help |
70 | build trust rapidly in the system. |
74eb47db |
71 | .SS "Overview" |
72 | The |
73 | .B tripe |
74 | server manages a number of secure connections to other `peer' hosts. |
75 | Each daemon is given a private key of its own, and a file of public keys |
76 | for the peers with which it is meant to communicate. It is responsible |
77 | for negotiating sets of symmetric keys with its peers, and for |
78 | encrypting, encapsulating and sending IP packets to its peers, and |
79 | decrypting, checking and de-encapsulating packets it receives from |
80 | them. |
81 | .PP |
82 | When the server starts, it creates a Unix-domain socket on which it |
83 | listens for administration commands. It also logs warnings and |
84 | diagnostic information to the programs connected to its admin socket. |
85 | Clients connected to the socket can add new peers, and remove or find |
86 | out about existing peers. The textual protocol used to give the |
87 | .B tripe |
88 | server admin commands is described in |
89 | .BR tripe\-admin (5). |
90 | A client program |
91 | .BR tripectl (1) |
92 | is provided to allow commands to be sent to the server either |
93 | interactively or by simple scripts. |
94 | .SS "Command-line arguments" |
95 | If not given any command-line arguments, |
96 | .B tripe |
97 | will initialize by following these steps: |
1a19f865 |
98 | .hP 1. |
99 | It sets the directory named by the |
100 | .B TRIPEDIR |
101 | environment variable (or |
102 | .B /var/lib/tripe |
103 | if the variable is unset) as the current directory. |
104 | .hP 2. |
74eb47db |
105 | It acquires a UDP socket with an arbitrary kernel-selected port number. |
106 | It will use this socket to send and receive all communications with its |
107 | peer servers. The port chosen may be discovered by means of the |
108 | .B PORT |
109 | admin command (see |
110 | .BR tripe\-admin (5)). |
1a19f865 |
111 | .hP 3. |
74eb47db |
112 | It loads the private key with the tag or type name |
113 | .B tripe\-dh |
114 | from the Catacomb-format file |
115 | .BR keyring , |
116 | and loads the file |
117 | .B keyring.pub |
118 | ready for extracting the public keys of peers as they're introduced. |
119 | (The format of these files is described in |
120 | .BR keyring (5). |
121 | They are maintained using the program |
122 | .BR key (1) |
123 | provided with the Catacomb distribution.) |
1a19f865 |
124 | .hP 4. |
74eb47db |
125 | It creates and listens to the Unix-domain socket |
126 | .BR tripesock . |
127 | .PP |
128 | Following this, the server enters its main loop, accepting admin |
129 | connections and obeying any administrative commands, and communicating |
130 | with peers. It also treats its standard input and standard output |
131 | streams as an admin connection, reading commands from standard input and |
33ced0d3 |
132 | writing responses and diagnostics messages to standard output. Finally, |
133 | it will reload keys from its keyring files if it notices that they've |
134 | changed (it checks inode number and modification time) \- there's no |
135 | need to send a signal. |
74eb47db |
136 | .PP |
137 | Much of this behaviour may be altered by giving |
138 | .B tripe |
139 | suitable command-line options: |
140 | .TP |
141 | .B "\-h, \-\-help" |
142 | Writes a brief description of the command-line options available to |
143 | standard output and exits with status 0. |
144 | .TP |
145 | .B "\-v, \-\-version" |
146 | Writes |
147 | .BR tripe 's |
148 | version number to standard output and exits with status 0. |
149 | .TP |
150 | .B "\-u, \-\-usage" |
151 | Writes a brief usage summary to standard output and exits with status 0. |
152 | .TP |
42da2a58 |
153 | .B "\-\-tunnels" |
154 | Writes to standard output a list of the configured tunnel drivers, one |
155 | per line, and exits with status 0. This is intended for the use of the |
3cdc3f3a |
156 | start-up script, so that it can check that it will actually work. |
157 | .TP |
74eb47db |
158 | .B "\-D, \-\-daemon" |
159 | Dissociates from its terminal and starts running in the background after |
160 | completing the initialization procedure described above. If running as |
161 | a daemon, |
162 | .B tripe |
163 | will not read commands from standard input or write diagnostics to |
164 | standard output. A better way to start |
165 | .B tripe |
166 | in the background is with |
167 | .BR tripectl (1). |
168 | .TP |
169 | .BI "\-d, \-\-directory=" dir |
170 | Makes |
171 | .I dir |
172 | the current directory, instead of |
173 | .BR /var/lib/tripe . |
174 | Give a current directory of |
175 | .B . |
176 | if you don't want it to change directory at all. |
177 | .TP |
d13e5724 |
178 | .BI "\-b, \-\-bind-address="addr |
179 | Bind the UDP socket to IP address |
180 | .I addr |
181 | rather than the default of |
182 | .BR INADDR_ANY . |
183 | This is useful if your main globally-routable IP address is one you want |
184 | to tunnel through the VPN. |
185 | .TP |
74eb47db |
186 | .BI "\-p, \-\-port=" port |
187 | Use the specified UDP port for all communications with peers, rather |
188 | than an arbitarary kernel-assigned port. |
189 | .TP |
42da2a58 |
190 | .BI "\-n, \-\-tunnel=" tunnel |
191 | Use the specified tunnel driver for new peers by default. |
192 | .TP |
33ced0d3 |
193 | .BI "\-U, \-\-setuid=" user |
194 | Set uid to that of |
195 | .I user |
196 | (either a user name or integer uid) after initialization. Also set gid |
197 | to |
198 | .IR user 's |
199 | primary group, unless overridden by a |
200 | .B \-G |
201 | option. |
202 | .TP |
203 | .BI "\-G, \-\-setgid=" group |
204 | Set gid to that of |
205 | .I group |
206 | (either a group name or integer gid) after initialization. |
207 | .TP |
74eb47db |
208 | .BI "\-k, \-\-priv\-keyring=" file |
209 | Reads the private key from |
210 | .I file |
211 | rather than the default |
212 | .BR keyring . |
213 | .TP |
214 | .BI "\-K, \-\-pub\-keyring=" file |
215 | Reads public keys from |
216 | .I file |
217 | rather than the default |
218 | .BR keyring.pub . |
219 | This can be the same as the private keyring, but that's not recommended. |
220 | .TP |
221 | .BI "\-t, \-\-tag=" tag |
222 | Uses the private key whose tag or type is |
223 | .I tag |
224 | rather than the default |
225 | .BR tripe\-dh . |
226 | .TP |
227 | .BI "\-a, \-\-admin\-socket=" socket |
228 | Accept admin connections to a Unix-domain socket named |
229 | .I socket |
230 | rather than the default |
231 | .BR tripesock . |
232 | .TP |
233 | .BI "\-T, \-\-trace=" trace-opts |
234 | Allows the enabling or disabling of various internal diagnostics. See |
235 | below for the list of options. |
d6623498 |
236 | .SS "Setting up a VPN with tripe" |
237 | The |
238 | .B tripe |
239 | server identifies peers by name. While it's |
240 | .I possible |
241 | for each host to maintain its own naming system for its peers, this is |
242 | likely to lead to confusion, and it's more sensible to organize a naming |
243 | system that works everywhere. How you manage this naming is up to you. |
244 | The only restriction on the format of names is that they must be valid |
245 | Catacomb key tags, since this is how |
246 | .B tripe |
247 | identifies which public key to use for a particular peer: they may not |
248 | contain whitespace characters, or a colon |
249 | .RB ` : ' |
250 | or dot |
251 | .RB ` . ', |
252 | .PP |
253 | Allocating IP addresses for VPNs can get quite complicated. I'll |
254 | attempt to illustrate with a relatively simple example. Our objective |
255 | will be to set up a virtual private network between two sites of |
256 | .BR example.com . |
257 | The two sites are using distinct IP address ranges from the private |
258 | address space described in RFC1918: site A is using addresses from |
259 | 10.0.1.0/24 and site B is using 10.0.2.0/24. Each site has a gateway |
260 | host set up with both an address on the site's private network, and an |
261 | externally-routable address from the public IP address space. Site A's |
262 | gateway machine, |
263 | .BR alice , |
264 | has the addresses 10.0.1.1 and 200.0.1.1; site B's gateway is |
265 | .B bob |
266 | and has addresses 10.0.2.1 and 200.0.2.1. |
267 | .PP |
268 | This isn't quite complicated enough. Each of |
269 | .B alice |
270 | and |
271 | .B bob |
272 | needs an extra IP address which we'll use when setting up the |
273 | point-to-point link. These addresses need to be routable, at least |
274 | within the virtual private network: unfortunately, you can't just use |
275 | the same pair everywhere. We'll assign |
276 | .B alice |
277 | the point-to-point address 192.168.0.1, and |
278 | .B bob |
279 | the address 192.168.0.2. |
280 | .hP 1. |
281 | Install |
282 | .B tripe |
283 | on both of the gateway hosts. Create the directory |
284 | .BR /var/lib/tripe . |
285 | .hP 2. |
286 | On |
287 | .BR alice , |
288 | make |
289 | .B /var/lib/tripe |
290 | the current directory and generate a Diffie-Hellman group: |
291 | .RS |
74eb47db |
292 | .VS |
293 | key add \-adh\-param \-LS \-b2048 \-B256 \e |
294 | \-eforever \-tparam tripe\-dh\-param |
295 | .VE |
d6623498 |
296 | (See |
297 | .BR key (1) |
298 | from the Catacomb distribution for details about the |
299 | .B key |
300 | command.) Also generate a private key for |
301 | .BR alice : |
302 | .VS |
303 | key add \-adh \-pparam \-talice \e |
304 | \-e"now + 1 year" tripe\-dh |
305 | .VE |
306 | Extract the group parameters and |
307 | .BR alice 's |
308 | public key to |
309 | .I separate |
310 | files, and put the public key in |
311 | .BR keyring.pub : |
74eb47db |
312 | .VS |
313 | key extract param param |
37075862 |
314 | key extract \-f\-secret alice.pub alice |
d6623498 |
315 | key \-kkeyring.pub merge alice.pub |
74eb47db |
316 | .VE |
d6623498 |
317 | Send the files |
318 | .B param |
319 | and |
320 | .B alice.pub |
321 | to |
322 | .B bob |
323 | in some secure way (e.g., in PGP-signed email, or by using SSH), so that |
324 | you can be sure they've not been altered in transit. |
325 | .RE |
326 | .hP 3. |
327 | On |
328 | .B bob |
329 | now, make |
330 | .B /var/lib/tripe |
331 | the current directory, and import the key material from |
332 | .BR alice : |
333 | .RS |
74eb47db |
334 | .VS |
335 | key merge param |
d6623498 |
336 | key \-kkeyring.pub merge alice.pub |
74eb47db |
337 | .VE |
d6623498 |
338 | Generate a private key for |
339 | .B bob |
340 | and extract the public half, as before: |
74eb47db |
341 | .VS |
d6623498 |
342 | key add \-adh \-pparam \-tbob \e |
343 | \-e"now + 1 year" tripe\-dh |
383f2a0b |
344 | key extract \-f\-secret bob.pub bob |
d6623498 |
345 | key \-kkeyring.pub merge bob.pub |
74eb47db |
346 | .VE |
d6623498 |
347 | and send |
348 | .B bob.pub |
349 | back to |
350 | .B alice |
351 | using some secure method. |
352 | .RE |
353 | .hP 4 |
354 | On |
355 | .BR alice , |
356 | merge |
357 | .B bob 's |
358 | key into the public keyring. Now, on each host, run |
359 | .RS |
360 | .VS |
361 | key \-kkeyring.pub fingerprint |
362 | .VE |
363 | and check that the hashes match. If the two sites have separate |
364 | administrators, they should read the hashes to each other over the |
365 | telephone (assuming that they can recognize each other's voices). |
366 | .RE |
367 | .hP 5. |
368 | Start the |
369 | .B tripe |
370 | servers up. Run |
371 | .RS |
372 | .VS |
373 | tripectl \-slD \-S\-P23169 |
374 | .VE |
375 | on each of |
376 | .B alice |
377 | and |
378 | .BR bob . |
379 | (The |
380 | .RB ` \-P23169 ' |
381 | forces the server to use UDP port 23169: use some other number if 23169 |
382 | is inappropriate for your requirements. I chose it by reducing the |
383 | RIPEMD160 hash of |
384 | .RB ` tripe\-port\-number\e0 ' |
385 | modulo 2\*(ss16\*(se.) |
386 | .RE |
387 | .hP 6. |
388 | To get |
389 | .B alice |
390 | talking to |
391 | .BR bob , |
392 | run this shell script (or one like it): |
393 | .RS |
394 | .VS |
395 | #! /bin/sh |
74eb47db |
396 | |
d6623498 |
397 | tripectl add bob 200.0.2.1 23169 |
398 | ifname=`tripectl ifname bob` |
399 | ifconfig $ifname \e |
400 | 192.168.0.1 \e |
401 | pointopoint 192.168.0.2 |
402 | route add -net \e |
403 | 10.0.2.0 netmask 255.255.255.0 \e |
404 | gw 192.168.0.2 |
405 | .VE |
406 | Read |
407 | .BR ifconfig (8) |
408 | and |
409 | .BR route (8) |
410 | to find out about your system's variants of these commands. The |
411 | versions shown above assume a Linux system. |
412 | Run a similar script on |
413 | .BR bob , |
414 | to tell its |
415 | .B tripe |
416 | server to talk to |
417 | .BR alice . |
418 | .RE |
419 | .hP 7. |
420 | Congratulations. The two servers will exchange keys and begin sending |
421 | packets almost immediately. You've set up a virtual private network. |
52c03a2a |
422 | .SS "Using elliptic curve keys" |
423 | The |
424 | .B tripe |
425 | server can use elliptic curve Diffie-Hellman for key exchange, rather |
426 | than traditional integer Diffie-Hellman. Given current public |
427 | knowledge, elliptic curves can provide similar or better security to |
428 | systems based on integer discrete log problems, faster, and with less |
429 | transmitted data. It's a matter of controversy whether this will |
430 | continue to be the case. The author uses elliptic curves. |
431 | .PP |
432 | The server works out which it |
433 | should be doing based on the key type, which is either |
434 | .B tripe\-dh |
435 | for standard Diffie-Hellman, or |
436 | .B tripe\-ec |
437 | for elliptic curves. To create elliptic curve keys, say something like |
438 | .VS |
439 | key add \-aec\-param \-Cnist-p192 \-eforever \e |
440 | \-tparam tripe\-ec\-param |
441 | .VE |
442 | to construct a parameters key, using your preferred elliptic curve in |
443 | the |
444 | .B \-C |
445 | option (see |
446 | .BR key (1) |
447 | for details); and create the private keys by |
448 | .VS |
449 | key add \-aec \-pparam \-talice \e |
450 | \-e"now + 1 year" tripe\-ec |
451 | .VE |
452 | Now start |
453 | .B tripe |
454 | with the |
455 | .B \-ttripe\-ec |
456 | option, and all should be well. |
b5c45da1 |
457 | .SS "Using other symmetric algorithms" |
458 | The default symmetric algorithms |
459 | .B tripe |
460 | uses are Blowfish (by Schneier) for symmetric encryption, and RIPEMD-160 |
461 | (by Dobbertin, Bosselaers and Preneel) for hashing and as a MAC (in HMAC |
462 | mode, designed by Bellare, Canetti and Krawczyk). These can all be |
463 | overridden by setting attributes on your private key, as follows. |
464 | .TP |
465 | .B cipher |
466 | Names the symmetric encryption scheme to use. The default is |
467 | .BR blowfish\-cbc . |
468 | .TP |
469 | .B hash |
470 | Names the hash function to use. The default is |
471 | .BR rmd160 . |
472 | .TP |
473 | .B mac |
474 | Names the message authentication code to use. The name of the MAC may |
475 | be followed by a |
476 | .RB ` / ' |
477 | and the desired tag length in bits. The default is |
478 | .IB hash \-hmac |
479 | at half the underlying hash function's output length. |
480 | .TP |
481 | .B mgf |
482 | A `mask-generation function', used in the key-exchange. The default is |
483 | .IB hash \-mgf |
484 | and there's no good reason to change it. |
b9066fbb |
485 | .SS "Using SLIP interfaces" |
486 | Though not for the faint of heart, it is possible to get |
487 | .B tripe |
488 | to read and write network packets to a pair of file descriptors using |
489 | SLIP encapsulation. No fancy header compression of any kind is |
98fdb08d |
490 | supported. |
491 | .PP |
492 | Two usage modes are supported: a preallocation system, whereby SLIP |
493 | interfaces are created and passed to the |
494 | .B tripe |
495 | server at startup; and a dynamic system, where the server runs a script |
496 | to allocate a new SLIP interface when it needs one. It is possible to |
497 | use a mixture of these two modes, starting |
b9066fbb |
498 | .B tripe |
98fdb08d |
499 | with a few preallocated interfaces and having it allocate more |
500 | dynamically as it needs them. |
501 | .PP |
502 | The behaviour of |
503 | .BR tripe 's |
504 | SLIP driver is controlled by the |
505 | .B TRIPE_SLIPIF |
506 | environment variable. The server will fail to start if this variable is |
507 | not defined. The variable's value is a colon-delimited list of |
508 | preallocated interfaces, followed optionally by the filename of a script |
509 | to run to dynamically allocate more interfaces. |
b9066fbb |
510 | .PP |
98fdb08d |
511 | A static allocation entry has the form |
b9066fbb |
512 | .IR infd [ \c |
513 | .BI , outfd \c |
514 | .RB ] \c |
515 | .BI = \c |
98fdb08d |
516 | .IR ifname , |
b9066fbb |
517 | If the |
518 | .I outfd |
519 | is omitted, the same file descriptor is used for input and output. |
520 | .PP |
98fdb08d |
521 | The dynamic allocation script must be named by an absolute or relative |
522 | pathname, beginning with |
523 | .RB ` / ' |
524 | or |
525 | .RB ` . '. |
526 | The server will pass the script an argument, which is the name of the |
527 | peer for which the interface is being created. The script should |
528 | allocate a new SLIP interface (presumably by creating a pty pair), |
529 | configure it appropriately, and write the interface's name to its |
530 | standard output, followed by a newline. It should then read and write |
531 | SLIP packets on its stdin and stdout. The script's stdin will be closed |
532 | when the interface is no longer needed, and the server will attempt to |
533 | send it a |
534 | .B SIGTERM |
535 | signal (though this may fail if the script runs with higher privileges |
536 | than the server). |
537 | .PP |
b9066fbb |
538 | The output file descriptor should not block unless it really needs to: |
539 | the |
540 | .B tripe |
541 | daemon assumes that it won't, and will get wait for it to accept output. |
74eb47db |
542 | .SS "About the name" |
543 | The program's name is |
544 | .BR tripe , |
545 | all in lower-case. The name of the protocol it uses is `TrIPE', with |
546 | four capital letters and one lower-case. The name stands for `Trivial |
547 | IP Encryption'. |
548 | .SH "BUGS" |
74eb47db |
549 | The code hasn't been audited. It may contain security bugs. If you |
550 | find one, please inform the author |
551 | .IR immediately . |
552 | .SH "SEE ALSO" |
553 | .BR key (1), |
554 | .BR tripectl (1), |
555 | .BR tripe\-admin (5). |
556 | .PP |
557 | .IR "The Trivial IP Encryption Protocol" , |
558 | .IR "The Wrestlers Protocol" . |
559 | .SH "AUTHOR" |
d36eda2a |
560 | Mark Wooding, <mdw@distorted.org.uk> |