Commit | Line | Data |
---|---|---|
d6623498 | 1 | .\" -*-nroff-*- |
060ca767 | 2 | .\" |
3 | .ie t \{\ | |
4 | . if \n(.g \{\ | |
5 | . fam P | |
6 | . \} | |
7 | .\} | |
13a55605 | 8 | . |
9 | .de SP | |
10 | .TP | |
11 | .. | |
d6623498 | 12 | .TH tripe-admin 5 "18 February 2001" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption" |
13 | .SH NAME | |
14 | tripe-admin \- administrator commands for TrIPE | |
15 | .SH DESCRIPTION | |
16 | This manual page describes the administration interface provided by the | |
17 | .BR tripe (8) | |
18 | daemon. | |
19 | .PP | |
20 | The | |
21 | .BR tripectl (8) | |
22 | program can be used either interactively or in scripts to communicate | |
23 | with the server using this interface. Alternatively, simple custom | |
24 | clients can be written in scripting languages such as Perl, Python or | |
25 | Tcl, or more advanced clients such as GUI monitors can be written in C | |
26 | with little difficulty. | |
27 | .PP | |
28 | By default, the server listens for admin connections on the Unix-domain | |
29 | socket | |
30 | .BR /var/lib/tripe/tripesock . | |
37941236 | 31 | Administration commands use a textual protocol. Each client command or |
32 | server response consists of a line of ASCII text terminated by a single | |
33 | linefeed character. No command may be longer than 255 characters. | |
d6623498 | 34 | .SS "General structure" |
35 | Each command or response line consists of a sequence of | |
36 | whitespace-separated words. The number and nature of whitespace | |
37 | characters separating two words in a client command is not significant; | |
38 | the server always uses a single space character. The first word in a | |
39 | line is a | |
40 | .I keyword | |
41 | identifying the type of command or response contained. Keywords in | |
42 | client commands are not case-sensitive; the server always uses uppercase | |
43 | for its keywords. | |
de014da6 | 44 | .SS "Simple commands" |
45 | For a simple client command, the server responds with zero or more | |
d6623498 | 46 | .B INFO |
47 | lines, followed by either an | |
48 | .B OK | |
49 | line or a | |
50 | .B FAIL | |
51 | line. Each | |
52 | .B INFO | |
53 | provides information requested in the command. An | |
54 | .B OK | |
55 | response contains no further data. A | |
56 | .B FAIL | |
3cdc3f3a | 57 | code is followed by a machine-readable explanation of why the command |
d6623498 | 58 | failed. |
59 | .PP | |
de014da6 | 60 | Simple command processing is strictly synchronous: the server reads a |
61 | command, processes it, and responds, before reading the next command. | |
62 | All commands can be run as simple commands. Long-running commands | |
63 | (e.g., | |
64 | .B ADD | |
65 | and | |
66 | .BR PING ) | |
67 | block the client until they finish, but the rest of the server continues | |
68 | running. | |
69 | .SS "Asynchronous messages" | |
70 | There are three types of asynchronous messages which | |
71 | aren't associated with any particular command. | |
72 | .PP | |
73 | The | |
d6623498 | 74 | .B WARN |
3cdc3f3a | 75 | message contains a machine-readable message warning of an error |
d6623498 | 76 | encountered while processing a command, unexpected or unusual behaviour |
77 | by a peer, or a possible attack by an adversary. Under normal | |
de014da6 | 78 | conditions, the server shouldn't emit any warnings. |
79 | .PP | |
80 | The | |
d6623498 | 81 | .B TRACE |
3cdc3f3a | 82 | message contains a human-readable tracing message containing diagnostic |
d6623498 | 83 | information. Trace messages are controlled using the |
84 | .B \-T | |
85 | command-line option to the server, or the | |
86 | .B TRACE | |
87 | administration command (see below). Support for tracing can be disabled | |
88 | when the package is being configured, and may not be available in your | |
de014da6 | 89 | version. |
90 | .PP | |
91 | Finally, the | |
3cdc3f3a | 92 | .B NOTE |
93 | message is a machine-readable notification about some routine but | |
94 | interesting event such as creation or destruction of peers. | |
95 | .PP | |
96 | The presence of asynchronous messages can be controlled using the | |
97 | .B WATCH | |
98 | command. | |
de014da6 | 99 | .SS "Background commands" |
100 | Some commands (e.g., | |
101 | .B ADD | |
102 | and | |
103 | .BR PING ) | |
104 | take a long time to complete. To prevent these long-running commands | |
105 | from tying up a server connection, they can be run in the background. | |
106 | Not all commands can be run like this: the ones that can provide a | |
107 | .B \-background | |
108 | option, which must be supplied with a | |
109 | .IR tag . | |
110 | .PP | |
111 | A command may fail before it starts running in the background. In this | |
112 | case, the server emits a | |
113 | .B FAIL | |
114 | response, as usual. To indicate that a command has started running in | |
115 | the background, the server emits a response of the form | |
116 | .BI "BGDETACH " tag \fR, | |
117 | where | |
118 | .I tag | |
119 | is the value passed to the | |
120 | .B \-background | |
121 | option. From this point on, the server is ready to process more | |
122 | commands and reply to them. | |
123 | .PP | |
124 | Responses to background commands are indicated by a line beginning with | |
125 | one of the tokens | |
126 | .BR BGOK , | |
127 | .BR BGFAIL , | |
128 | or | |
129 | .BR BGINFO , | |
130 | followed by the command tag. These correspond to the | |
131 | .BR OK , | |
132 | .BR FAIL , | |
133 | and | |
134 | .B INFO | |
135 | responses for simple commands: | |
136 | .B BGINFO | |
137 | indicates information from a background command which has not completed | |
138 | yet; and | |
139 | .B BGOK | |
140 | and | |
141 | .B BGFAIL | |
142 | indicate that a background command succeeded or failed, respectively. | |
143 | .PP | |
144 | A background command will never issue an | |
145 | .B OK | |
060ca767 | 146 | or |
147 | .B INFO | |
148 | response: it will always detach and then issue any | |
149 | .B BGINFO | |
150 | lines followed by a | |
de014da6 | 151 | .B BGOK |
152 | response. | |
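The framing rules above (one line per command, simple replies, tagged background replies, untagged asynchronous messages) can be handled on the client side as in the following added example. It is not code from the tripe project: `build_command`, `Demux`, `SAMPLE` and `run_sample` are hypothetical names, the transcript is constructed, and the 255-character limit is assumed to exclude the linefeed.

```python
"""Added example: client-side framing for the admin protocol described above."""

MAX_COMMAND = 255                       # page: no command longer than 255 characters
ASYNC_KEYWORDS = {"WARN", "TRACE", "NOTE"}


def build_command(keyword, *args):
    """Return one command line as bytes, refusing words that would break framing."""
    words = [keyword, *args]
    for word in words:
        # One line is one command, so a linefeed or space hidden in a peer
        # name or tag would smuggle in extra words or a second command.
        if (not word or not word.isascii() or not word.isprintable()
                or any(ch.isspace() for ch in word)):
            raise ValueError(f"unsafe word in command: {word!r}")
    line = " ".join(words)
    if len(line) > MAX_COMMAND:         # assumption: the limit excludes the linefeed
        raise ValueError("command longer than 255 characters")
    return line.encode("ascii") + b"\n"


class Demux:
    """Sorts server lines into simple results, background jobs and async messages."""

    def __init__(self):
        self.pending_info = []    # INFO lines of the simple command in progress
        self.results = []         # finished simple commands: (ok, info, fail_words)
        self.jobs = {}            # tag -> {"info": [...], "ok": None/True/False, "error": [...]}
        self.async_messages = []  # (keyword, words) for WARN, TRACE and NOTE

    def _job(self, keyword, rest):
        # Background replies always carry the tag as their first word.
        if not rest:
            raise ValueError(f"{keyword} without a tag")
        if rest[0] not in self.jobs:
            raise ValueError(f"{keyword} for a tag that never detached: {rest[0]!r}")
        return self.jobs[rest[0]], rest[1:]

    def feed(self, line):
        """Consume one server line (with or without its trailing linefeed)."""
        words = line.split()
        if not words:
            raise ValueError("empty line from server")
        keyword, rest = words[0], words[1:]
        if keyword in ASYNC_KEYWORDS:
            self.async_messages.append((keyword, rest))
        elif keyword == "INFO":
            self.pending_info.append(rest)
        elif keyword in ("OK", "FAIL"):
            # OK carries no data; FAIL carries the machine-readable reason.
            self.results.append((keyword == "OK", self.pending_info, rest))
            self.pending_info = []
        elif keyword == "BGDETACH":
            running = rest and self.jobs.get(rest[0], {"ok": True})["ok"] is None
            if len(rest) != 1 or running:
                raise ValueError(f"bad or duplicate BGDETACH: {rest!r}")
            self.jobs[rest[0]] = {"info": [], "ok": None, "error": []}
        elif keyword == "BGINFO":
            job, data = self._job(keyword, rest)
            job["info"].append(data)
        elif keyword in ("BGOK", "BGFAIL"):
            job, data = self._job(keyword, rest)
            job["ok"] = keyword == "BGOK"
            job["error"] = data
        else:
            raise ValueError(f"unexpected keyword: {keyword!r}")


# Constructed transcript: a backgrounded PING, then LIST, then ADDR for an unknown peer.
SAMPLE = [
    "BGDETACH p1",               # reply to: PING -background p1 alice
    "INFO alice",                # reply to: LIST
    "NOTE KXSTART alice",        # asynchronous, arrives between other replies
    "INFO bob",
    "OK",
    "BGINFO p1 ping-ok 42",
    "BGOK p1",
    "FAIL unknown-peer carol",   # reply to: ADDR carol
]


def run_sample():
    demux = Demux()
    for line in SAMPLE:
        demux.feed(line)
    return demux


if __name__ == "__main__":
    d = run_sample()
    print(d.results, d.jobs, d.async_messages, sep="\n")
```
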
3cdc3f3a | 153 | .SS "Network addresses" |
154 | A network address is a sequence of words. The first is a token | |
155 | identifying the network address family. The length of an address and | |
156 | the meanings of the subsequent words depend on the address family. | |
157 | Address family tokens are not case-sensitive on input; on output, they | |
158 | are always in upper-case. | |
159 | .PP | |
160 | At present, only one address family is understood. | |
161 | .TP | |
162 | .BI "INET " address " " port | |
163 | An Internet socket, naming an IPv4 address and UDP port. On output, the | |
164 | address is always in numeric dotted-quad form, and the port is given as | |
165 | a plain number. On input, DNS hostnames and symbolic port names are | |
166 | permitted. Name resolution does not block the main server, but will | |
2acd7cd6 | 167 | block the requesting client, unless the command is run in the background. |
3cdc3f3a | 168 | .PP |
169 | If, on input, no recognised address family token is found, the following | |
170 | words are assumed to represent an | |
171 | .B INET | |
2acd7cd6 | 172 | address. Addresses output by the server always have an address family |
173 | token. | |
060ca767 | 174 | .SS "Key-value output" |
175 | Some commands (e.g., | |
176 | .B STATS | |
177 | and | |
178 | .BR SERVINFO ) | |
179 | produce output in the form of | |
180 | .IB key = value | |
181 | pairs, one per word. Neither the | |
182 | .I key | |
183 | nor the | |
184 | .I value | |
185 | contains spaces. | |
186 | .SS "Trace lists" | |
187 | Commands which enable or disable kinds of output (e.g., | |
188 | .B TRACE | |
189 | and | |
190 | .BR WATCH ) | |
191 | work in similar ways. They take a single optional argument, which | |
192 | consists of a string of letters selecting message types, optionally | |
193 | interspersed with | |
194 | .RB ` + ' | |
195 | to enable, or | |
196 | .RB ` \- ' | |
197 | to disable, the subsequently listed types. | |
198 | .PP | |
199 | If the argument is omitted, the available message types are displayed, | |
200 | one to an | |
201 | .B INFO | |
202 | line, in a fixed-column format. Column zero contains the key letter for | |
203 | selecting that message type; column one contains either a space or a | |
204 | .RB ` + ' | |
205 | sign, if the message type is disabled or enabled respectively; and a | |
206 | textual description of the message type begins at column 3 and continues | |
207 | to the end of the line. | |
208 | .PP | |
209 | Lowercase key letters control individual message types. Uppercase key | |
210 | letters control collections of message types. | |
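The fixed-column listing described above can be checked automatically before a server is left running with tracing on. This added example (not part of the tripe distribution) parses the output of a bare `TRACE` command and flags the option letters that the command reference describes as exposing packet contents or key material; the function names, the sample listing and the choice to treat `p` as sensitive alongside `c` are assumptions made here.

```python
"""Added example: audit the listing printed by a bare TRACE command."""

# Trace types whose output should not reach shared logs.
SENSITIVE = {
    "c": "plaintext and key material",   # page: "Use with caution"
    "p": "packet contents",              # assumption: treated as sensitive here
}
# Detail-only types and the base types they annotate (TRACE command reference).
NEEDS = {"p": "rt", "c": "slxm"}


def parse_listing(lines):
    """Map key letter -> (enabled, description) from the server's INFO lines."""
    state = {}
    for line in lines:
        if not line.startswith("INFO "):
            continue                      # the closing OK line carries no data
        text = line[len("INFO "):].rstrip("\n")
        # Column 0: key letter; column 1: ' ' or '+'; description from column 3.
        if len(text) < 2 or text[1] not in " +":
            raise ValueError(f"not a trace-list line: {line!r}")
        state[text[0]] = (text[1] == "+", text[3:].strip())
    return state


def audit(state):
    """Return (kind, key) findings for risky or pointless trace selections."""
    enabled = {key for key, (on, _) in state.items() if on}
    findings = [("sensitive", key) for key in sorted(enabled & set(SENSITIVE))]
    for key, bases in NEEDS.items():
        # p and c only add detail to other outputs, so alone they do nothing.
        if key in enabled and not enabled & set(bases):
            findings.append(("ineffective", key))
    return findings


def disable_selector(findings):
    """Build a TRACE argument that switches the sensitive types off."""
    keys = sorted({key for kind, key in findings if kind == "sensitive"})
    return "-" + "".join(keys) if keys else ""


# Constructed listing; the descriptions are placeholders, not the server's text.
SAMPLE_LISTING = [
    "INFO t  tunnel events",
    "INFO r  peer management events",
    "INFO s+ symmetric keysets",
    "INFO p+ packet contents",
    "INFO c+ cryptographic operations",
    "OK",
]

if __name__ == "__main__":
    found = audit(parse_listing(SAMPLE_LISTING))
    print(found, disable_selector(found))
```
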
3cdc3f3a | 211 | .SH "COMMAND REFERENCE" |
13a55605 | 212 | .\"* 10 Commands |
d6623498 | 213 | The commands provided are: |
13a55605 | 214 | .SP |
42da2a58 | 215 | .BI "ADD " peer " \fR[" options "\fR] " address "\fR..." |
3cdc3f3a | 216 | Adds a new peer. The peer is given the name |
217 | .IR peer ; | |
218 | the peer's public key is assumed to be in the file | |
219 | .B keyring.pub | |
220 | (or whatever alternative file was specified in the | |
221 | .B \-K | |
222 | option on the command line). The | |
223 | .I address | |
224 | is the network address (see above for the format) at which the peer can | |
42da2a58 | 225 | be contacted. The following options are recognised. |
226 | .RS | |
13a55605 | 227 | .\"+opts |
42da2a58 | 228 | .TP |
de014da6 | 229 | .BI "\-background " tag |
230 | Run the command in the background, using the given | |
231 | .IR tag . | |
232 | .TP | |
0ba8de86 | 233 | .BI "\-keepalive " time |
234 | Send a no-op packet if we've not sent a packet to the peer in the last | |
235 | .I time | |
236 | interval. This is useful for persuading port-translating firewalls to | |
237 | believe that the `connection' is still active. The | |
238 | .I time | |
239 | is expressed as a nonnegative integer followed optionally by | |
240 | .BR d , | |
241 | .BR h , | |
242 | .BR m , | |
243 | or | |
244 | .BR s | |
245 | for days, hours, minutes, or seconds respectively; if no suffix is | |
246 | given, seconds are assumed. | |
247 | .TP | |
248 | .BI "\-tunnel " tunnel | |
42da2a58 | 249 | Use the named tunnel driver, rather than the default. |
13a55605 | 250 | .\"-opts |
42da2a58 | 251 | .RE |
13a55605 | 252 | .SP |
3cdc3f3a | 253 | .BI "ADDR " peer |
254 | Emits an | |
255 | .B INFO | |
256 | line reporting the IP address and port number stored for | |
257 | .IR peer . | |
13a55605 | 258 | .SP |
37941236 | 259 | .BI "CHECKCHAL " challenge |
260 | Verifies a challenge as being one earlier issued by | |
261 | .B GETCHAL | |
262 | and not previously either passed to | |
263 | .B CHECKCHAL | |
264 | or in a greeting message. | |
13a55605 | 265 | .SP |
3cdc3f3a | 266 | .B "DAEMON" |
267 | Causes the server to disassociate itself from its terminal and become a | |
268 | background task. This only works once. A warning is issued. | |
2acd7cd6 | 269 | .SP |
0ba8de86 | 270 | .BI "EPING \fR[" options "\fR] " peer |
271 | Sends an encrypted ping to the peer, and expects an encrypted response. | |
272 | This checks that the peer is running (and not being impersonated), and | |
273 | that it can encrypt and decrypt packets correctly. Options and | |
274 | responses are the same as for the | |
275 | .B PING | |
276 | command. | |
13a55605 | 277 | .SP |
de014da6 | 278 | .BI "FORCEKX " peer |
279 | Requests the server to begin a new key exchange with | |
280 | .I peer | |
281 | immediately. | |
13a55605 | 282 | .SP |
37941236 | 283 | .B "GETCHAL" |
284 | Requests a challenge. The challenge is returned in an | |
285 | .B INFO | |
286 | line, as a base64-encoded string. See | |
287 | .BR CHECKCHAL . | |
13a55605 | 288 | .SP |
37941236 | 289 | .BI "GREET " peer " " challenge |
290 | Sends a greeting packet containing the | |
291 | .I challenge | |
292 | (base-64 encoded) to the named | |
293 | .IR peer . | |
294 | The expectation is that this will cause the peer to recognize us and | |
295 | begin a key-exchange. | |
13a55605 | 296 | .SP |
d6623498 | 297 | .B "HELP" |
298 | Causes the server to emit an | |
299 | .B INFO | |
300 | line for each command it supports. Each line lists the command name, | |
301 | followed by the names of the arguments. This may be helpful as a memory | |
302 | aid for interactive use, or for program clients probing for features. | |
13a55605 | 303 | .SP |
3cdc3f3a | 304 | .BI "IFNAME " peer |
305 | Emits an | |
306 | .B INFO | |
307 | line containing the name of the network interface used to collect IP | |
308 | packets which are to be encrypted and sent to | |
309 | .IR peer . | |
310 | Used by configuration scripts so that they can set up routing tables | |
311 | appropriately after adding new peers. | |
13a55605 | 312 | .SP |
3cdc3f3a | 313 | .BI "KILL " peer |
314 | Causes the server to forget all about | |
315 | .IR peer . | |
316 | All keys are destroyed, and no more packets are sent. No notification | |
317 | is sent to the peer: if it's important that the peer be notified, you | |
318 | must think of a way to do that yourself. | |
13a55605 | 319 | .SP |
3cdc3f3a | 320 | .B "LIST" |
321 | For each currently-known peer, an | |
322 | .B INFO | |
323 | line is written containing the peer's name, as given to | |
324 | .BR ADD . | |
13a55605 | 325 | .SP |
bd58d532 | 326 | .BI "NOTIFY " tokens\fR... |
327 | Issues a | |
328 | .B USER | |
329 | notification to all interested administration clients. | |
13a55605 | 330 | .SP |
060ca767 | 331 | .BI "PEERINFO " peer |
332 | Returns information about a peer, in key-value form. The following keys | |
333 | are returned. | |
334 | .RS | |
335 | .TP | |
336 | .B tunnel | |
337 | The tunnel driver used for this peer. | |
338 | .TP | |
339 | .B keepalive | |
340 | The keepalive interval, in seconds, or zero if no keepalives are to be | |
341 | sent. | |
342 | .RE | |
13a55605 | 343 | .SP |
0ba8de86 | 344 | .BI "PING \fR[" options "\fR] " peer |
345 | Send a transport-level ping to the peer. The ping and its response are | |
346 | not encrypted or authenticated. This command, possibly in conjunction | |
347 | with tracing, is useful for ensuring that UDP packets are actually | |
348 | flowing in both directions. See also the | |
349 | .B EPING | |
350 | command. | |
351 | .IP | |
352 | An | |
353 | .B INFO | |
354 | line is printed describing the outcome: | |
355 | .RS | |
356 | .TP | |
357 | .BI "ping-ok " millis | |
358 | A response was received | |
359 | .I millis | |
360 | after the ping was sent. | |
361 | .TP | |
362 | .BI "ping-timeout" | |
363 | No response was received within the time allowed. | |
364 | .TP | |
365 | .BI "ping-peer-died" | |
366 | The peer was killed (probably by another admin connection) before a | |
367 | response was received. | |
368 | .RE | |
369 | .IP | |
370 | Options recognized for this command are: | |
371 | .RS | |
13a55605 | 372 | .\"+opts |
0ba8de86 | 373 | .TP |
de014da6 | 374 | .BI "\-background " tag |
375 | Run the command in the background, using the given | |
376 | .IR tag . | |
377 | .TP | |
0ba8de86 | 378 | .BI "\-timeout " time |
379 | Wait for | |
380 | .I time | |
2acd7cd6 | 381 | seconds before giving up on a response. The default is 5 seconds. The |
382 | .I time | |
383 | is expressed as a nonnegative integer followed optionally by | |
384 | .BR d , | |
385 | .BR h , | |
386 | .BR m , | |
387 | or | |
388 | .BR s | |
389 | for days, hours, minutes, or seconds respectively; if no suffix is | |
390 | given, seconds are assumed. | |
13a55605 | 391 | .\"-opts |
0ba8de86 | 392 | .RE |
13a55605 | 393 | .SP |
3cdc3f3a | 394 | .B "PORT" |
395 | Emits an | |
396 | .B INFO | |
397 | line containing just the number of the UDP port used by the | |
398 | .B tripe | |
399 | server. If you've allowed your server to allocate a port dynamically, | |
400 | this is how to find out which one it chose. | |
13a55605 | 401 | .SP |
de014da6 | 402 | .B "RELOAD" |
403 | Instructs the server to recheck its keyring files. The server checks | |
404 | these periodically anyway but it may be necessary to force a recheck, | |
405 | for example after adding a new peer key. | |
13a55605 | 406 | .SP |
3cdc3f3a | 407 | .B "QUIT" |
408 | Instructs the server to exit immediately. A warning is sent. | |
13a55605 | 409 | .SP |
060ca767 | 410 | .B "SERVINFO" |
411 | Returns information about the server, in the form of key-value pairs. | |
412 | The following keys are used. | |
413 | .RS | |
414 | .TP | |
415 | .B implementation | |
416 | A keyword naming the implementation of the | |
417 | .BR tripe (8) | |
418 | server. The current implementation is called | |
419 | .BR edgeware-tripe . | |
420 | .TP | |
421 | .B version | |
422 | The server's version number, as reported by | |
423 | .BR VERSION . | |
424 | .TP | |
425 | .B daemon | |
426 | Either | |
427 | .B t | |
428 | or | |
429 | .BR nil , | |
430 | if the server has or hasn't (respectively) become a daemon. | |
431 | .RE | |
13a55605 | 432 | .SP |
64cf2223 | 433 | .BI "SETIFNAME " peer " " new-name |
434 | Informs the server that the | |
435 | .IR peer 's | |
436 | tunnel-interface name has been changed to | |
437 | .IR new-name . | |
438 | This is useful if firewalling decisions are made based on interface | |
439 | names: a setup script for a particular peer can change the name, and | |
440 | then update the server's records so that they're accurate. | |
441 | .SP | |
3cdc3f3a | 442 | .BI "STATS " peer |
443 | Emits a number of | |
444 | .B INFO | |
445 | lines, each containing one or more statistics in the form | |
446 | .IB name = value \fR. | |
447 | The statistics-gathering is experimental and subject to change. | |
13a55605 | 448 | .SP |
d6623498 | 449 | .BR "TRACE " [\fIoptions\fP] |
060ca767 | 450 | Selects trace outputs: see |
451 | .B "Trace lists" | |
452 | above. Message types provided are: | |
d6623498 | 453 | .RS |
2d752320 | 454 | .PP |
d6623498 | 455 | Currently, the following tracing options are supported: |
456 | .TP | |
457 | .B t | |
458 | Tunnel events: reception of packets to be encrypted, and injection of | |
459 | successfully-decrypted packets. | |
460 | .TP | |
461 | .B r | |
462 | Peer management events: creation and destruction of peer attachments, | |
463 | and arrival of messages. | |
464 | .TP | |
465 | .B a | |
466 | Administration interface: acceptance of new connections, and handling of | |
467 | the background name-resolution required by the | |
468 | .B ADD | |
469 | command. | |
470 | .TP | |
d6623498 | 471 | .B s |
472 | Handling of symmetric keysets: creation and expiry of keysets, and | |
473 | encryption and decryption of messages. | |
474 | .TP | |
475 | .B x | |
476 | Key exchange: reception, parsing and emission of key exchange messages. | |
477 | .TP | |
478 | .B m | |
479 | Key management: loading keys and checking for file modifications. | |
37941236 | 480 | .TP |
481 | .B l | |
482 | Display information about challenge issuing and verification. | |
483 | .TP | |
484 | .B p | |
485 | Display contents of packets sent and received by the tunnel and/or peer | |
486 | modules. | |
487 | .TP | |
488 | .B c | |
489 | Display inputs, outputs and intermediate results of cryptographic | |
490 | operations. This includes plaintext and key material. Use with | |
491 | caution. | |
492 | .TP | |
493 | .B A | |
494 | All of the above. | |
d6623498 | 495 | .PP |
496 | Note that the | |
497 | .B p | |
498 | (packet contents) | |
499 | and | |
500 | .B c | |
501 | (crypto details) | |
502 | outputs provide extra detail for other outputs. Specifying | |
503 | .B p | |
504 | without | |
37941236 | 505 | .BR r |
d6623498 | 506 | or |
507 | .B t | |
508 | isn't useful; neither is specifying | |
509 | .B c | |
510 | without one of | |
511 | .BR s , | |
37941236 | 512 | .BR l , |
d6623498 | 513 | .B x |
514 | or | |
515 | .BR m . | |
516 | .RE | |
13a55605 | 517 | .SP |
060ca767 | 518 | .B "TUNNELS" |
519 | For each available tunnel driver, an | |
520 | .B INFO | |
521 | line is printed giving its name. | |
13a55605 | 522 | .SP |
060ca767 | 523 | .B "VERSION" |
524 | Causes the server to emit an | |
525 | .B INFO | |
526 | line stating its software version, as two words: the server name, and | |
527 | its version string. The server name | |
528 | .B tripe | |
529 | is reserved to the Straylight/Edgeware implementation. | |
13a55605 | 530 | .SP |
3cdc3f3a | 531 | .BR "WATCH " [\fIoptions\fP] |
532 | Enables or disables asynchronous messages | |
533 | .IR "for the current connection only" . | |
060ca767 | 534 | See |
535 | .B "Trace lists" | |
3cdc3f3a | 536 | above. The default watch state for the connection the server opens |
537 | automatically on stdin/stdout is to show warnings and trace messages; | |
538 | other connections show no asynchronous messages. (This is done in order | |
539 | to guarantee that a program reading the server's stdout does not miss | |
540 | any warnings.) | |
541 | .RS | |
542 | .PP | |
060ca767 | 543 | Message types provided are: |
3cdc3f3a | 544 | .TP |
545 | .B t | |
546 | .B TRACE | |
547 | messages. | |
548 | .TP | |
549 | .B n | |
550 | .B NOTE | |
551 | messages. | |
552 | .TP | |
553 | .B w | |
554 | .B WARN | |
555 | messages. | |
556 | .TP | |
37941236 | 557 | .B A |
3cdc3f3a | 558 | All of the above. |
559 | .RE | |
13a55605 | 560 | .SP |
bd58d532 | 561 | .BI "WARN " tokens\fR... |
562 | Issues a | |
563 | .B USER | |
564 | warning to all interested administration clients. | |
3cdc3f3a | 565 | .SH "ERROR MESSAGES" |
13a55605 | 566 | .\"* 20 Error messages (FAIL codes) |
3cdc3f3a | 567 | The following |
568 | .B FAIL | |
de014da6 | 569 | (or |
570 | .BR BGFAIL ) | |
3cdc3f3a | 571 | messages are sent to clients as a result of errors during command |
572 | processing. | |
13a55605 | 573 | .SP |
3cdc3f3a | 574 | .BI "already-daemon" |
575 | (For | |
576 | .BR DAEMON .) | |
577 | The | |
578 | .B tripe | |
579 | server is already running as a daemon. | |
13a55605 | 580 | .SP |
f43df819 | 581 | .BI "bad-addr-syntax " message |
37941236 | 582 | (For commands accepting socket addresses.) The address couldn't be |
583 | understood. | |
13a55605 | 584 | .SP |
f43df819 | 585 | .BI "bad-syntax " cmd " " message |
3cdc3f3a | 586 | (For any command.) The command couldn't be understood: e.g., the number |
587 | of arguments was wrong. | |
13a55605 | 588 | .SP |
0ba8de86 | 589 | .BI "bad-time-spec " word |
590 | The | |
591 | .I word | |
592 | is not a valid time interval specification. Acceptable time | |
593 | specifications are nonnegative integers followed optionally by | |
594 | .BR d , | |
595 | .BR h , | |
596 | .BR m , | |
597 | or | |
598 | .BR s , | |
599 | for days, hours, minutes, or seconds, respectively. | |
13a55605 | 600 | .SP |
3cdc3f3a | 601 | .BI "bad-trace-option " char |
602 | (For | |
603 | .BR TRACE .) | |
604 | An unknown trace option was requested. | |
13a55605 | 605 | .SP |
3cdc3f3a | 606 | .BI "bad-watch-option " char |
607 | (For | |
608 | .BR WATCH .) | |
609 | An unknown watch option was requested. | |
13a55605 | 610 | .SP |
f43df819 | 611 | .BI "daemon-error " ecode " " message |
3cdc3f3a | 612 | (For |
613 | .BR DAEMON .) | |
614 | An error occurred during the attempt to become a daemon, as reported by | |
615 | .IR message . | |
13a55605 | 616 | .SP |
3cdc3f3a | 617 | .BI "invalid-port " number |
618 | (For | |
619 | .BR ADD .) | |
620 | The given port number is out of range. | |
13a55605 | 621 | .SP |
3cdc3f3a | 622 | .BI "peer-create-fail " peer |
623 | (For | |
624 | .BR ADD .) | |
625 | Adding | |
626 | .I peer | |
627 | failed for some reason. A warning should have been emitted explaining | |
628 | why. | |
13a55605 | 629 | .SP |
3cdc3f3a | 630 | .BI "peer-exists " peer |
631 | (For | |
632 | .BR ADD .) | |
633 | There is already a peer named | |
d6623498 | 634 | .IR peer . |
13a55605 | 635 | .SP |
0ba8de86 | 636 | .B "ping-send-failed" |
637 | The attempt to send a ping packet failed, probably due to lack of | |
638 | encryption keys. | |
13a55605 | 639 | .SP |
3cdc3f3a | 640 | .BI "resolve-error " hostname |
641 | (For | |
642 | .BR ADD .) | |
643 | The DNS name | |
644 | .I hostname | |
645 | could not be resolved. | |
13a55605 | 646 | .SP |
3cdc3f3a | 647 | .BI "resolver-timeout " hostname |
648 | (For | |
649 | .BR ADD .) | |
650 | The DNS name | |
651 | .I hostname | |
652 | took too long to resolve. | |
13a55605 | 653 | .SP |
3cdc3f3a | 654 | .BI "unknown-command " token |
655 | The command | |
656 | .B token | |
657 | was not recognised. | |
13a55605 | 658 | .SP |
3cdc3f3a | 659 | .BI "unknown-peer " name |
660 | (For | |
661 | .BR ADDR , | |
662 | .BR IFNAME , | |
663 | .BR KILL , | |
64cf2223 | 664 | .BR SETIFNAME , |
3cdc3f3a | 665 | and |
666 | .BR STATS .) | |
667 | There is no peer called | |
668 | .IR name . | |
13a55605 | 669 | .SP |
3cdc3f3a | 670 | .BI "unknown-service " service |
671 | (For | |
672 | .BR ADD .) | |
673 | The service name | |
674 | .I service | |
675 | couldn't be found in | |
676 | .BR /etc/services . | |
677 | .SH "NOTIFICATIONS" | |
13a55605 | 678 | .\"* 30 Notification broadcasts (NOTE codes) |
3cdc3f3a | 679 | The following notifications are sent to clients who request them. |
13a55605 | 680 | .SP |
42da2a58 | 681 | .BI "ADD " peer " " ifname " " address \fR... |
3cdc3f3a | 682 | A new peer has been added. The peer's name is |
42da2a58 | 683 | .IR peer , |
684 | its tunnel is network interface | |
685 | .IR ifname , | |
3cdc3f3a | 686 | and its network address is |
687 | .IR address . | |
13a55605 | 688 | .SP |
3cdc3f3a | 689 | .BI "DAEMON" |
690 | The server has forked off into the sunset and become a daemon. | |
13a55605 | 691 | .SP |
37941236 | 692 | .BI "GREET " challenge " " address \fR... |
693 | A valid greeting was received, with the given challenge (exactly as it | |
694 | was returned by | |
695 | .B GETCHAL | |
696 | earlier). | |
13a55605 | 697 | .SP |
d6623498 | 698 | .BI "KILL " peer |
3cdc3f3a | 699 | The peer |
700 | .I peer | |
701 | has been killed. | |
13a55605 | 702 | .SP |
3cdc3f3a | 703 | .BI "KXDONE " peer |
704 | Key exchange with | |
705 | .I peer | |
706 | finished successfully. | |
13a55605 | 707 | .SP |
3cdc3f3a | 708 | .BI "KXSTART " peer |
709 | Key exchange with | |
710 | .I peer | |
711 | has begun or restarted. If key exchange keeps failing, this message | |
712 | will be repeated periodically. | |
13a55605 | 713 | .SP |
64cf2223 | 714 | .BI "NEWIFNAME " peer " " old-name " " new-name |
715 | The given | |
716 | .IR peer 's | |
717 | tunnel interface name has been changed from | |
718 | .I old-name | |
719 | to | |
720 | .IR new-name , | |
721 | as a result of a | |
722 | .B SETIFNAME | |
723 | command. | |
724 | .SP | |
bd58d532 | 725 | .BI "USER " tokens\fR... |
726 | An administration client issued a notification using the | |
727 | .B NOTIFY | |
728 | command. | |
3cdc3f3a | 729 | .SH "WARNINGS" |
13a55605 | 730 | .\"* 40 Warning broadcasts (WARN codes) |
731 | .\"+sep | |
3cdc3f3a | 732 | There are many possible warnings. They are categorized according to |
733 | their first tokens. | |
f43df819 | 734 | .PP |
735 | Many of these warnings report system errors. These are reported as a | |
736 | pair of tokens, described below as | |
737 | .I ecode | |
738 | and | |
739 | .IR message . | |
740 | The | |
741 | .I ecode | |
742 | is a string of the form | |
743 | .BI E number | |
744 | giving the | |
745 | .BR errno (3) | |
746 | value of the error; the | |
747 | .I message | |
748 | is the `human-readable' form of the message, as reported by | |
749 | .BR strerror (3). | |
3cdc3f3a | 750 | .SS "ABORT warnings" |
751 | These all indicate that the | |
d6623498 | 752 | .B tripe |
3cdc3f3a | 753 | server has become unable to continue. If enabled, the server will dump |
754 | core in its configuration directory. | |
13a55605 | 755 | .SP |
3cdc3f3a | 756 | .BI "ABORT repeated-select-errors" |
757 | The main event loop is repeatedly failing. If the server doesn't quit, | |
758 | it will probably waste all available CPU doing nothing. | |
759 | .SS "ADMIN warnings" | |
760 | These indicate a problem with the administration socket interface. | |
13a55605 | 761 | .SP |
f43df819 | 762 | .BI "ADMIN accept-error " ecode " " message |
3cdc3f3a | 763 | There was an error while attempting to accept a connection from a new |
764 | client. | |
13a55605 | 765 | .SP |
f43df819 | 766 | .BI "ADMIN client-write-error " ecode " " message |
3cdc3f3a | 767 | There was an error sending data to a client. The connection to the |
768 | client has been closed. | |
37941236 | 769 | .SS "CHAL warnings" |
770 | These indicate errors in challenges, either in the | |
771 | .B CHECKCHAL | |
772 | command or in greeting packets. | |
13a55605 | 773 | .SP |
37941236 | 774 | .B "CHAL impossible-challenge" |
775 | The server hasn't issued any challenges yet. Quite how anyone else | |
776 | thought he could make one up is hard to imagine. | |
13a55605 | 777 | .SP |
37941236 | 778 | .B "CHAL incorrect-tag" |
779 | Challenge received contained the wrong authentication data. It might be | |
780 | very stale, or a forgery. | |
13a55605 | 781 | .SP |
37941236 | 782 | .B "CHAL invalid-challenge" |
783 | Challenge received was the wrong length. We might have changed MAC | |
784 | algorithms since the challenge was issued, or it might just be rubbish. | |
13a55605 | 785 | .SP |
37941236 | 786 | .B "CHAL replay duplicated-sequence" |
787 | Challenge received was a definite replay of an old challenge. Someone's | |
788 | up to something! | |
13a55605 | 789 | .SP |
37941236 | 790 | .B "CHAL replay old-sequence" |
791 | Challenge received was old, but maybe not actually a replay. Try again. | |
3cdc3f3a | 792 | .SS "KEYMGMT warnings" |
793 | These indicate a problem with the keyring files, or the keys stored in | |
794 | them. | |
13a55605 | 795 | .SP |
f43df819 | 796 | .BI "KEYMGMT bad-private-key " message |
3cdc3f3a | 797 | The private key could not be read, or failed a consistency check. If |
798 | there was a problem with the file, usually there will have been | |
799 | .B key-file-error | |
800 | warnings before this. | |
13a55605 | 801 | .SP |
f43df819 | 802 | .BI "KEYMGMT bad-public-keyring " message |
3cdc3f3a | 803 | The public keyring couldn't be read. Usually, there will have been |
804 | .B key-file-error | |
805 | warnings before this. | |
13a55605 | 806 | .SP |
f43df819 | 807 | .BI "KEYMGMT key-file-error " file ":" line " " message |
3cdc3f3a | 808 | Reports a specific error with the named keyring file. This probably |
809 | indicates a bug in | |
810 | .BR key (1). | |
13a55605 | 811 | .SP |
3cdc3f3a | 812 | .BI "KEYMGMT public-key " tag " " tokens\fR... |
813 | These messages all indicate a problem with the public key named | |
814 | .IR tag . | |
13a55605 | 815 | .SP |
3cdc3f3a | 816 | .BI "KEYMGMT public-key " tag " algorithm-mismatch" |
817 | The algorithms specified on the public key don't match the ones for our | |
818 | private key. All the peers in a network have to use the same | |
819 | algorithms. | |
13a55605 | 820 | .SP |
f43df819 | 821 | .BI "KEYMGMT public-key " tag " bad " message |
3cdc3f3a | 822 | The public key couldn't be read, or is invalid. |
13a55605 | 823 | .SP |
3cdc3f3a | 824 | .BI "KEYMGMT public-key " tag " bad-public-group-element" |
825 | The public key is invalid. This may indicate a malicious attempt to | |
826 | introduce a bogus key. | |
13a55605 | 827 | .SP |
3cdc3f3a | 828 | .BI "KEYMGMT public-key " tag " bad-algorithm-selection" |
829 | The algorithms listed on the public key couldn't be understood. The | |
830 | algorithm selection attributes are probably malformed and need fixing. | |
13a55605 | 831 | .SP |
3cdc3f3a | 832 | .BI "KEYMGMT public-key " tag " incorrect-group" |
833 | The public key doesn't use the same group as our private key. All the | |
834 | peers in a network have to use the same group. | |
13a55605 | 835 | .SP |
3cdc3f3a | 836 | .BI "KEYMGMT public-key " tag " not-found" |
837 | The public key for peer | |
838 | .I tag | |
839 | wasn't in the public keyring. | |
13a55605 | 840 | .SP |
3cdc3f3a | 841 | .BI "KEYMGMT public-key " tag " unknown-type" |
842 | The type of the public key isn't understood. Maybe you need to upgrade | |
843 | your copy of | |
844 | .BR tripe . | |
845 | (Even if you do, you'll have to regenerate your keys.) | |
846 | .SS "KX warnings" | |
847 | These indicate problems during key-exchange. Many indicate either a bug | |
848 | in the server (either yours or the remote one), or some kind of attack | |
849 | in progress. All name a | |
850 | .I peer | |
851 | as the second token: this is the peer the packet is apparently from, | |
852 | though it may have been sent by an attacker instead. | |
853 | .PP | |
854 | In the descriptions below, | |
855 | .I msgtoken | |
856 | is one of the tokens | |
857 | .BR pre-challenge , | |
858 | .BR cookie , | |
859 | .BR challenge , | |
860 | .BR reply , | |
861 | .BR switch-rq , | |
862 | or | |
863 | .BR switch-ok . | |
13a55605 | 864 | .SP |
3cdc3f3a | 865 | .BI "KX " peer " bad-expected-reply-log" |
866 | The challenges | |
867 | .B tripe | |
868 | uses in its protocol contain a check value which proves that the | |
869 | challenge is honest. This message indicates that the check value | |
870 | supplied is wrong: someone is attempting to use bogus challenges to | |
871 | persuade your | |
872 | .B tripe | |
873 | server to leak private key information. No chance! | |
13a55605 | 874 | .SP |
bd58d532 | 875 | .BI "KX " peer " decrypt-failed reply\fR|\fBswitch-ok" |
3cdc3f3a | 876 | A symmetrically-encrypted portion of a key-exchange message failed to |
877 | decrypt. | |
13a55605 | 878 | .SP |
3cdc3f3a | 879 | .BI "KX " peer " invalid " msgtoken |
880 | A key-exchange message was malformed. This almost certainly indicates a | |
881 | bug somewhere. | |
13a55605 | 882 | .SP |
bd58d532 | 883 | .BI "KX " peer " incorrect cookie\fR|\fBswitch-rq\fR|\fBswitch-ok" |
3cdc3f3a | 884 | A message didn't contain the right magic data. This may be a replay of |
885 | some old exchange, or random packets being sent in an attempt to waste | |
886 | CPU. | |
13a55605 | 887 | .SP |
3cdc3f3a | 888 | .BI "KX " peer " public-key-expired" |
889 | The peer's public key has expired. Its maintainer should have given |
890 | you a replacement before now. | |
13a55605 | 891 | .SP |
3cdc3f3a | 892 | .BI "KX " peer " sending-cookie" |
893 | We've received too many bogus pre-challenge messages. Someone is trying | |
894 | to flood us with key-exchange messages and make us waste CPU on doing | |
895 | hard asymmetric crypto sums. | |
13a55605 | 896 | .SP |
3cdc3f3a | 897 | .BI "KX " peer " unexpected " msgtoken |
898 | The message received wasn't appropriate for this stage of the key | |
899 | exchange process. This may mean that one of our previous packets got | |
900 | lost. For | |
901 | .BR pre-challenge , | |
902 | it may simply mean that the peer has recently restarted. | |
13a55605 | 903 | .SP |
3cdc3f3a | 904 | .BI "KX " peer " unknown-challenge" |
905 | The peer is asking for an answer to a challenge which we don't know | |
906 | about. This may mean that we've been inundated with challenges from | |
907 | some malicious source | |
908 | .I who can read our messages | |
909 | and discarded the valid one. | |
13a55605 | 910 | .SP |
3cdc3f3a | 911 | .BI "KX " peer " unknown-message 0x" nn |
912 | An unknown key-exchange message arrived. | |
913 | .SS "PEER warnings" | |
914 | These are largely concerned with management of peers and the low-level | |
915 | details of the network protocol. The second word is usually the name of | |
916 | a peer, or | |
917 | .RB ` \- ' | |
918 | if none is relevant. | |
13a55605 | 919 | .SP |
3cdc3f3a | 920 | .BI "PEER " peer " bad-packet no-type" |
921 | An empty packet arrived. This is very strange. | |
13a55605 | 922 | .SP |
3cdc3f3a | 923 | .BI "PEER " peer " bad-packet unknown-category 0x" nn |
924 | The message category | |
925 | .I nn | |
926 | (in hex) isn't understood. Probably a strange random packet from | |
927 | somewhere; could be an unlikely bug. | |
13a55605 | 928 | .SP |
3cdc3f3a | 929 | .BI "PEER " peer " bad-packet unknown-type 0x" nn |
930 | The message type | |
931 | .I nn | |
932 | (in hex) isn't understood. Probably a strange random packet from | |
933 | somewhere; could be an unlikely bug. | |
13a55605 | 934 | .SP |
0ba8de86 | 935 | .BI "PEER " peer " corrupt-encrypted-ping" |
936 | The peer sent a ping response which matches an outstanding ping, but its | |
937 | payload is wrong. There's definitely a bug somewhere. | |
13a55605 | 938 | .SP |
0ba8de86 | 939 | .BI "PEER " peer " corrupt-transport-ping" |
940 | The peer (apparently) sent a ping response which matches an outstanding | |
941 | ping, but its payload is wrong. Either there's a bug, or the bad guys | |
942 | are playing tricks on you. | |
13a55605 | 943 | .SP |
3cdc3f3a | 944 | .BI "PEER " peer " decrypt-failed" |
945 | An encrypted IP packet failed to decrypt. It may have been mangled in | |
946 | transit, or may be a very old packet from an expired previous session | |
947 | key. There is usually a considerable overlap in the validity periods of | |
948 | successive session keys, so this shouldn't occur unless the key exchange | |
949 | takes ages or fails. | |
13a55605 | 950 | .SP |
0ba8de86 | 951 | .BI "PEER " peer " malformed-encrypted-ping" |
952 | The peer sent a ping response which is hopelessly invalid. There's | |
953 | definitely a bug somewhere. | |
13a55605 | 954 | .SP |
0ba8de86 | 955 | .BI "PEER " peer " malformed-transport-ping" |
956 | The peer (apparently) sent a ping response which is hopelessly invalid. | |
957 | Either there's a bug, or the bad guys are playing tricks on you. | |
13a55605 | 958 | .SP |
3cdc3f3a | 959 | .BI "PEER " peer " packet-build-failed" |
960 | There wasn't enough space in our buffer to put the packet we wanted to | |
961 | send. Shouldn't happen. | |
13a55605 | 962 | .SP |
f43df819 | 963 | .BI "PEER \- socket-read-error " ecode " " message |
3cdc3f3a | 964 | An error occurred trying to read an incoming packet. |
13a55605 | 965 | .SP |
f43df819 | 966 | .BI "PEER " peer " socket-write-error " ecode " " message |
3cdc3f3a | 967 | An error occurred attempting to send a network packet. We lost that |
968 | one. | |
13a55605 | 969 | .SP |
0ba8de86 | 970 | .BI "PEER " peer " unexpected-encrypted-ping 0x" id |
971 | The peer sent an encrypted ping response whose id doesn't match any | |
972 | outstanding ping. Maybe it was delayed for longer than the server was | |
973 | willing to wait, or maybe the peer has gone mad. | |
13a55605 | 974 | .SP |
0ba8de86 | 975 | .BI "PEER \- unexpected-source " address\fR... |
976 | A packet arrived from | |
977 | .I address | |
978 | (a network address \(en see above), but no peer is known at that | |
979 | address. This may indicate a misconfiguration, or simply be a result of | |
980 | one end of a connection being set up before the other. | |
13a55605 | 981 | .SP |
0ba8de86 | 982 | .BI "PEER " peer " unexpected-transport-ping 0x" id |
983 | The peer (apparently) sent a transport ping response whose id doesn't | |
984 | match any outstanding ping. Maybe it was delayed for longer than the | |
985 | server was willing to wait, or maybe the peer has gone mad; or maybe | |
986 | there are bad people trying to confuse you. | |
3cdc3f3a | 987 | .SS "SERVER warnings" |
988 | These indicate problems concerning the server process as a whole. | |
13a55605 | 989 | .SP |
3cdc3f3a | 990 | .BI "SERVER ignore signal " name |
991 | A signal arrived, but the server ignored it. Currently this happens for | |
992 | .B SIGHUP | |
993 | because that's a popular way of telling daemons to re-read their | |
994 | configuration files. Since | |
995 | .B tripe | |
996 | re-reads its keyrings automatically and has no other configuration | |
997 | files, it's not relevant, but it seemed better to ignore the signal than | |
998 | let the server die. | |
13a55605 | 999 | .SP |
3cdc3f3a | 1000 | .BI "SERVER quit signal " \fR[\fInn\fR|\fIname\fR] |
1001 | A signal arrived and | |
1002 | .B tripe | |
1003 | is going to quit. | |
13a55605 | 1004 | .SP |
3cdc3f3a | 1005 | .BI "SERVER quit admin-request" |
1006 | A client of the administration interface issued a | |
1007 | .B QUIT | |
1008 | command. | |
13a55605 | 1009 | .SP |
f43df819 | 1010 | .BI "SERVER select-error " ecode " " message |
3cdc3f3a | 1011 | An error occurred in the server's main event loop. This is bad: if it |
1012 | happens too many times, the server will abort. | |
1013 | .SS "SYMM warnings" | |
1014 | These are concerned with the symmetric encryption and decryption | |
1015 | process. | |
13a55605 | 1016 | .SP |
3cdc3f3a | 1017 | .BI "SYMM replay old-sequence" |
1018 | A packet was received with an old sequence number. It may just have | |
1019 | been delayed or duplicated, or it may have been an attempt at a replay | |
1020 | attack. | |
13a55605 | 1021 | .SP |
3cdc3f3a | 1022 | .BI "SYMM replay duplicated-sequence" |
1023 | A packet was received with a sequence number we've definitely seen | |
1024 | before. It may be an accidental duplication because the 'net is like | |
1025 | that, or a deliberate attempt at a replay. | |
1026 | .SS "TUN warnings" | |
1027 | These concern the workings of the system-specific tunnel driver. The | |
1028 | second word is the name of the tunnel interface in question, or | |
1029 | .RB ` \- ' | |
1030 | if none. | |
13a55605 | 1031 | .SP |
3cdc3f3a | 1032 | .BI "TUN \- bsd no-tunnel-devices" |
1033 | The driver couldn't find an available tunnel device. Maybe if you | |
1034 | create some more | |
1035 | .BI /dev/tun nn | |
1036 | files, it will work. | |
13a55605 | 1037 | .SP |
f43df819 | 1038 | .BI "TUN \- " tun-name " open-error " device " " ecode " " message |
3cdc3f3a | 1039 | An attempt to open the tunnel device file |
1040 | .I device | |
1041 | failed. | |
13a55605 | 1042 | .SP |
f43df819 | 1043 | .BI "TUN \- linux config-error " ecode " " message |
3cdc3f3a | 1044 | Configuring the Linux TUN/TAP interface failed. |
13a55605 | 1045 | .SP |
f43df819 | 1046 | .BI "TUN " ifname " " tun-name " read-error " ecode " " message |
42da2a58 | 1047 | Reading from the tunnel device failed. |
13a55605 | 1048 | .SP |
42da2a58 | 1049 | .BI "TUN " ifname " slip bad-escape" |
1050 | The SLIP driver encountered an escaped byte it wasn't expecting to see. |
1051 | The erroneous packet will be ignored. | |
13a55605 | 1052 | .SP |
b9066fbb | 1053 | .BI "TUN " ifname " slip eof" |
1054 | The SLIP driver encountered end-of-file on its input descriptor. | |
1055 | Pending data is discarded, and no attempt is made to read any more data | |
1056 | from that interface ever. | |
13a55605 | 1057 | .SP |
b9066fbb | 1058 | .BI "TUN " ifname " slip escape-end" |
1059 | The SLIP driver encountered an escaped `end' marker. This probably | |
1060 | means that someone's been sending it junk. The erroneous packet is | |
1061 | discarded, and we hope that we've rediscovered synchronization. | |
13a55605 | 1062 | .SP |
f43df819 | 1063 | .BI "TUN \- slip fork-error " ecode " " message |
42da2a58 | 1064 | The SLIP driver encountered an error forking a child process while |
1065 | allocating a new dynamic interface. | |
13a55605 | 1066 | .SP |
42da2a58 | 1067 | .BI "TUN \- slip no-slip-interfaces" |
1068 | The driver ran out of static SLIP interfaces. Either preallocate more, | |
1069 | or use dynamic SLIP interface allocation. | |
13a55605 | 1070 | .SP |
b9066fbb | 1071 | .BI "TUN " ifname " slip overflow" |
1072 | The SLIP driver gave up reading a packet because it got too large. | |
13a55605 | 1073 | .SP |
f43df819 | 1074 | .BI "TUN \- slip pipe-error " ecode " " message |
42da2a58 | 1075 | The SLIP driver encountered an error creating pipes while allocating a |
1076 | new dynamic interface. | |
13a55605 | 1077 | .SP |
f43df819 | 1078 | .BI "TUN \- slip read-ifname-failed " ecode " " message |
42da2a58 | 1079 | The SLIP driver encountered an error reading the name of a dynamically |
1080 | allocated interface. Maybe the allocation script is broken. | |
13a55605 | 1081 | .SP |
f43df819 | 1082 | .BI "TUN \- unet config-error " ecode " " message |
42da2a58 | 1083 | Configuring the Linux Unet interface failed. Unet is obsolete and |
1084 | shouldn't be used any more. | |
13a55605 | 1085 | .SP |
f43df819 | 1086 | .BI "TUN \- unet getinfo-error " ecode " " message |
42da2a58 | 1087 | Reading information about the Unet interface failed. Unet is obsolete |
1088 | and shouldn't be used any more. | |
13a55605 | 1089 | .SP |
f43df819 | 1090 | .BI "TUN \- unet ifname-too-long" |
42da2a58 | 1091 | The Unet interface's name overflowed, so we couldn't read it properly. |
1092 | Unet is obsolete and shouldn't be used any more. | |
bd58d532 | 1093 | .SS "USER warnings" |
1094 | These are issued by administration clients using the | |
1095 | .B WARN | |
1096 | command. | |
13a55605 | 1097 | .SP |
bd58d532 | 1098 | .BI "USER " tokens\fR... |
1099 | An administration client issued a warning. | |
13a55605 MW |
1100 | .\"-sep |
1101 | .SH "SUMMARY" | |
1102 | .SS "Command responses" | |
1103 | .nf | |
2acd7cd6 | 1104 | .BI "BGDETACH " tag |
13a55605 MW |
1105 | .BI "BGFAIL " tag " " tokens \fR... |
1106 | .BI "BGINFO " tag " " tokens \fR... | |
1107 | .BI "BGOK " tag | |
1108 | .BI "FAIL " tokens \fR... | |
1109 | .BI "INFO " tokens \fR... | |
1110 | .B OK | |
1111 | .fi | |
1112 | .\"= summary | |
d6623498 | 1113 | .SH "SEE ALSO" |
1114 | .BR tripectl (1), | |
1115 | .BR tripe (8). | |
1116 | .PP | |
3cdc3f3a | 1117 | .IR "The Trivial IP Encryption Protocol" . |
d6623498 | 1118 | .SH "AUTHOR" |
d36eda2a | 1119 | Mark Wooding, <mdw@distorted.org.uk> |
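
Added example (not part of the TrIPE sources): a triage pass over the KX, PEER, SYMM and KEYMGMT warnings listed above, separating those the descriptions tie to an attack from those that point to bugs or lost packets. It assumes warnings reach an admin client as lines beginning with `WARN` followed by the documented tokens; the labels `attack`, `suspicious` and `operational` and the sample lines are this example's own.

```python
from collections import Counter

# (category, tokens after the category, label); None matches any one token.
# Labels are this example's reading of the warning descriptions above.
RULES = [
    ("KX", (None, "bad-expected-reply-log"), "attack"),
    ("KX", (None, "sending-cookie"), "attack"),
    ("KEYMGMT", ("public-key", None, "bad-public-group-element"), "attack"),
    ("KX", (None, "incorrect"), "suspicious"),
    ("KX", (None, "unknown-challenge"), "suspicious"),
    ("SYMM", ("replay",), "suspicious"),
    ("PEER", (None, "corrupt-transport-ping"), "suspicious"),
    ("PEER", (None, "malformed-transport-ping"), "suspicious"),
    ("PEER", (None, "unexpected-transport-ping"), "suspicious"),
]

def classify(line):
    """Return (label, category, peer) for a WARN line, else None."""
    words = line.split()
    if len(words) < 2 or words[0] != "WARN":
        return None
    cat, rest = words[1], words[2:]
    # KX/PEER name the apparent peer first; an attacker may have forged it.
    peer = rest[0] if cat in ("KX", "PEER") and rest else "-"
    for rcat, pat, label in RULES:
        if cat == rcat and len(rest) >= len(pat) and all(
                p is None or p == w for p, w in zip(pat, rest)):
            return label, cat, peer
    return "operational", cat, peer

def triage(lines):
    """Count warnings per (peer, label); non-WARN lines are skipped."""
    hits = (classify(line) for line in lines)
    return Counter((h[2], h[0]) for h in hits if h)

# Constructed sample lines, not captured from a real server.
SAMPLE = [
    "WARN KX alice sending-cookie",
    "WARN KX alice bad-expected-reply-log",
    "WARN KX bob unexpected pre-challenge",
    "WARN SYMM replay duplicated-sequence",
    "WARN PEER bob unexpected-transport-ping 0x1f",
    "WARN KEYMGMT public-key carol bad-public-group-element",
    "OK",
    "WARN USER disk nearly full",
]

if __name__ == "__main__":
    for (peer, label), n in sorted(triage(SAMPLE).items()):
        print(f"{peer:6} {label:12} {n}")
```

A rising `attack` or `suspicious` count for one peer name is worth alerting on; a burst of `operational` KX warnings after a restart is expected.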