| 1 | .\" -*-nroff-*- |
| 2 | .\". |
| 3 | .de hP |
| 4 | .IP |
| 5 | \h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c |
| 6 | .. |
| 7 | .de VS |
| 8 | .sp 1 |
| 9 | .RS |
| 10 | .nf |
| 11 | .ft B |
| 12 | .. |
| 13 | .de VE |
| 14 | .ft R |
| 15 | .fi |
| 16 | .RE |
| 17 | .sp 1 |
| 18 | .. |
| 19 | .ie t \{\ |
| 20 | . ds o \(bu |
| 21 | . ds ss \s8\u |
| 22 | . ds se \d\s0 |
| 23 | . if \n(.g \{\ |
| 24 | . fam P |
| 25 | . \} |
| 26 | .\} |
| 27 | .el \{\ |
| 28 | . ds o o |
| 29 | . ds ss ^ |
| 30 | . ds se |
| 31 | .\} |
| 32 | .TH tripe 8 "10 February 2001" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption" |
| 33 | .SH "NAME" |
| 34 | tripe \- a simple VPN daemon |
| 35 | .SH "SYNOPSIS" |
| 36 | .B tripe |
| 37 | .RB [ \-D ] |
| 38 | .RB [ \-d |
| 39 | .IR dir ] |
| 40 | .RB [ \-b |
| 41 | .IR addr ] |
| 42 | .RB [ \-p |
| 43 | .IR port ] |
| 44 | .br |
| 45 | |
| 46 | .RB [ \-U |
| 47 | .IR user ] |
| 48 | .RB [ \-G |
| 49 | .IR group ] |
| 50 | .RB [ \-a |
| 51 | .IR socket ] |
| 52 | .RB [ \-T |
| 53 | .IR trace-opts ] |
| 54 | .br |
| 55 | |
| 56 | .RB [ \-k |
| 57 | .IR priv-keyring ] |
| 58 | .RB [ \-K |
| 59 | .IR pub-keyring ] |
| 60 | .RB [ \-t |
| 61 | .IR key-tag ] |
| 62 | .SH "DESCRIPTION" |
| 63 | The |
| 64 | .B tripe |
| 65 | program is a server which can provide strong IP-level encryption and |
| 66 | authentication between co-operating hosts. The program and its protocol |
| 67 | are deliberately very simple, to make analysing them easy and to help |
| 68 | build trust rapidly in the system. |
| 69 | .SS "Overview" |
| 70 | The |
| 71 | .B tripe |
| 72 | server manages a number of secure connections to other `peer' hosts. |
| 73 | Each daemon is given a private key of its own, and a file of public keys |
| 74 | for the peers with which it is meant to communicate. It is responsible |
| 75 | for negotiating sets of symmetric keys with its peers, and for |
| 76 | encrypting, encapsulating and sending IP packets to its peers, and |
| 77 | decrypting, checking and de-encapsulating packets it receives from |
| 78 | them. |
| 79 | .PP |
| 80 | When the server starts, it creates a Unix-domain socket on which it |
| 81 | listens for administration commands. It also logs warnings and |
| 82 | diagnostic information to the programs connected to its admin socket. |
| 83 | Clients connected to the socket can add new peers, and remove or find |
| 84 | out about existing peers. The textual protocol used to give the |
| 85 | .B tripe |
| 86 | server admin commands is described in |
| 87 | .BR tripe\-admin (5). |
| 88 | A client program |
| 89 | .BR tripectl (1) |
| 90 | is provided to allow commands to be sent to the server either |
| 91 | interactively or by simple scripts. |
| 92 | .SS "Command-line arguments" |
| 93 | If not given any command-line arguments, |
| 94 | .B tripe |
| 95 | will initialize by following these steps: |
| 96 | .hP 1. |
| 97 | It sets the directory named by the |
| 98 | .B TRIPEDIR |
| 99 | environment variable (or |
| 100 | .B /var/lib/tripe |
| 101 | if the variable is unset) as the current directory. |
| 102 | .hP 2. |
| 103 | It acquires a UDP socket with an arbitrary kernel-selected port number. |
| 104 | It will use this socket to send and receive all communications with its |
| 105 | peer servers. The port chosen may be discovered by means of the |
| 106 | .B PORT |
| 107 | admin command (see |
| 108 | .BR tripe\-admin (5)). |
| 109 | .hP 3. |
| 110 | It loads the private key with the tag or type name |
| 111 | .B tripe\-dh |
| 112 | from the Catacomb-format file |
| 113 | .BR keyring , |
| 114 | and loads the file |
| 115 | .B keyring.pub |
| 116 | ready for extracting the public keys of peers as they're introduced. |
| 117 | (The format of these files is described in |
| 118 | .BR keyring (5). |
| 119 | They are maintained using the program |
| 120 | .BR key (1) |
| 121 | provided with the Catacomb distribution.) |
| 122 | .hP 4. |
| 123 | It creates and listens to the Unix-domain socket |
| 124 | .BR tripesock . |
| 125 | .PP |
| 126 | Following this, the server enters its main loop, accepting admin |
| 127 | connections and obeying any administrative commands, and communicating |
| 128 | with peers. It also treats its standard input and standard output |
| 129 | streams as an admin connection, reading commands from standard input and |
| 130 | writing responses and diagnostics messages to standard output. Finally, |
| 131 | it will reload keys from its keyring files if it notices that they've |
| 132 | changed (it checks inode number and modification time) \- there's no |
| 133 | need to send a signal. |
| 134 | .PP |
| 135 | Much of this behaviour may be altered by giving |
| 136 | .B tripe |
| 137 | suitable command-line options: |
| 138 | .TP |
| 139 | .B "\-h, \-\-help" |
| 140 | Writes a brief description of the command-line options available to |
| 141 | standard output and exits with status 0. |
| 142 | .TP |
| 143 | .B "\-v, \-\-version" |
| 144 | Writes |
| 145 | .BR tripe 's |
| 146 | version number to standard output and exits with status 0. |
| 147 | .TP |
| 148 | .B "\-u, \-\-usage" |
| 149 | Writes a brief usage summary to standard output and exits with status 0. |
| 150 | .TP |
| 151 | .B "\-\-tunnel" |
| 152 | Writes a string to standard output describing the configured tunnelling |
| 153 | method and exits with status 0. This is intended for the use of the |
| 154 | start-up script, so that it can check that it will actually work. |
| 155 | .TP |
| 156 | .B "\-D, \-\-daemon" |
| 157 | Dissociates from its terminal and starts running in the background after |
| 158 | completing the initialization procedure described above. If running as |
| 159 | a daemon, |
| 160 | .B tripe |
| 161 | will not read commands from standard input or write diagnostics to |
| 162 | standard output. A better way to start |
| 163 | .B tripe |
| 164 | in the background is with |
| 165 | .BR tripectl (1). |
| 166 | .TP |
| 167 | .BI "\-d, \-\-directory=" dir |
| 168 | Makes |
| 169 | .I dir |
| 170 | the current directory, instead of |
| 171 | .BR /var/lib/tripe . |
| 172 | Give a current directory of |
| 173 | .B . |
| 174 | if you don't want it to change directory at all. |
| 175 | .TP |
| 176 | .BI "\-b, \-\-bind-address="addr |
| 177 | Bind the UDP socket to IP address |
| 178 | .I addr |
| 179 | rather than the default of |
| 180 | .BR INADDR_ANY . |
| 181 | This is useful if your main globally-routable IP address is one you want |
| 182 | to tunnel through the VPN. |
| 183 | .TP |
| 184 | .BI "\-p, \-\-port=" port |
| 185 | Use the specified UDP port for all communications with peers, rather |
| 186 | than an arbitarary kernel-assigned port. |
| 187 | .TP |
| 188 | .BI "\-U, \-\-setuid=" user |
| 189 | Set uid to that of |
| 190 | .I user |
| 191 | (either a user name or integer uid) after initialization. Also set gid |
| 192 | to |
| 193 | .IR user 's |
| 194 | primary group, unless overridden by a |
| 195 | .B \-G |
| 196 | option. |
| 197 | .TP |
| 198 | .BI "\-G, \-\-setgid=" group |
| 199 | Set gid to that of |
| 200 | .I group |
| 201 | (either a group name or integer gid) after initialization. |
| 202 | .TP |
| 203 | .BI "\-k, \-\-priv\-keyring=" file |
| 204 | Reads the private key from |
| 205 | .I file |
| 206 | rather than the default |
| 207 | .BR keyring . |
| 208 | .TP |
| 209 | .BI "\-K, \-\-pub\-keyring=" file |
| 210 | Reads public keys from |
| 211 | .I file |
| 212 | rather than the default |
| 213 | .BR keyring.pub . |
| 214 | This can be the same as the private keyring, but that's not recommended. |
| 215 | .TP |
| 216 | .BI "\-t, \-\-tag=" tag |
| 217 | Uses the private key whose tag or type is |
| 218 | .I tag |
| 219 | rather than the default |
| 220 | .BR tripe\-dh . |
| 221 | .TP |
| 222 | .BI "\-a, \-\-admin\-socket=" socket |
| 223 | Accept admin connections to a Unix-domain socket named |
| 224 | .I socket |
| 225 | rather than the default |
| 226 | .BR tripesock . |
| 227 | .TP |
| 228 | .BI "\-T, \-\-trace=" trace-opts |
| 229 | Allows the enabling or disabling of various internal diagnostics. See |
| 230 | below for the list of options. |
| 231 | .SS "Setting up a VPN with tripe" |
| 232 | The |
| 233 | .B tripe |
| 234 | server identifies peers by name. While it's |
| 235 | .I possible |
| 236 | for each host to maintain its own naming system for its peers, this is |
| 237 | likely to lead to confusion, and it's more sensible to organize a naming |
| 238 | system that works everywhere. How you manage this naming is up to you. |
| 239 | The only restriction on the format of names is that they must be valid |
| 240 | Catacomb key tags, since this is how |
| 241 | .B tripe |
| 242 | identifies which public key to use for a particular peer: they may not |
| 243 | contain whitespace characters, or a colon |
| 244 | .RB ` : ' |
| 245 | or dot |
| 246 | .RB ` . ', |
| 247 | .PP |
| 248 | Allocating IP addresses for VPNs can get quite complicated. I'll |
| 249 | attempt to illustrate with a relatively simple example. Our objective |
| 250 | will be to set up a virtual private network between two sites of |
| 251 | .BR example.com . |
| 252 | The two sites are using distinct IP address ranges from the private |
| 253 | address space described in RFC1918: site A is using addresses from |
| 254 | 10.0.1.0/24 and site B is using 10.0.2.0/24. Each site has a gateway |
| 255 | host set up with both an address on the site's private network, and an |
| 256 | externally-routable address from the public IP address space. Site A's |
| 257 | gateway machine, |
| 258 | .BR alice , |
| 259 | has the addresses 10.0.1.1 and 200.0.1.1; site B's gateway is |
| 260 | .B bob |
| 261 | and has addresses 10.0.2.1 and 200.0.2.1. |
| 262 | .PP |
| 263 | This isn't quite complicated enough. Each of |
| 264 | .B alice |
| 265 | and |
| 266 | .B bob |
| 267 | needs an extra IP address which we'll use when setting up the |
| 268 | point-to-point link. These addresses need to be routable, at least |
| 269 | within the virtual private network: unfortunately, you can't just use |
| 270 | the same pair everywhere. We'll assign |
| 271 | .B alice |
| 272 | the point-to-point address 192.168.0.1, and |
| 273 | .B bob |
| 274 | the address 192.168.0.2. |
| 275 | .hP 1. |
| 276 | Install |
| 277 | .B tripe |
| 278 | on both of the gateway hosts. Create the directory |
| 279 | .BR /var/lib/tripe . |
| 280 | .hP 2. |
| 281 | On |
| 282 | .BR alice , |
| 283 | make |
| 284 | .B /var/lib/tripe |
| 285 | the current directory and generate a Diffie-Hellman group: |
| 286 | .RS |
| 287 | .VS |
| 288 | key add \-adh\-param \-LS \-b2048 \-B256 \e |
| 289 | \-eforever \-tparam tripe\-dh\-param |
| 290 | .VE |
| 291 | (See |
| 292 | .BR key (1) |
| 293 | from the Catacomb distribution for details about the |
| 294 | .B key |
| 295 | command.) Also generate a private key for |
| 296 | .BR alice : |
| 297 | .VS |
| 298 | key add \-adh \-pparam \-talice \e |
| 299 | \-e"now + 1 year" tripe\-dh |
| 300 | .VE |
| 301 | Extract the group parameters and |
| 302 | .BR alice 's |
| 303 | public key to |
| 304 | .I separate |
| 305 | files, and put the public key in |
| 306 | .BR keyring.pub : |
| 307 | .VS |
| 308 | key extract param param |
| 309 | key extract \-f\-secret alice.pub alice |
| 310 | key \-kkeyring.pub merge alice.pub |
| 311 | .VE |
| 312 | Send the files |
| 313 | .B param |
| 314 | and |
| 315 | .B alice.pub |
| 316 | to |
| 317 | .B bob |
| 318 | in some secure way (e.g., in PGP-signed email, or by using SSH), so that |
| 319 | you can be sure they've not been altered in transit. |
| 320 | .RE |
| 321 | .hP 3. |
| 322 | On |
| 323 | .B bob |
| 324 | now, make |
| 325 | .B /var/lib/tripe |
| 326 | the current directory, and import the key material from |
| 327 | .BR alice : |
| 328 | .RS |
| 329 | .VS |
| 330 | key merge param |
| 331 | key \-kkeyring.pub merge alice.pub |
| 332 | .VE |
| 333 | Generate a private key for |
| 334 | .B bob |
| 335 | and extract the public half, as before: |
| 336 | .VS |
| 337 | key add \-adh \-pparam \-tbob \e |
| 338 | \-e"now + 1 year" tripe\-dh |
| 339 | key extract \-f\-secret bob.pub bob |
| 340 | key \-kkeyring.pub merge bob.pub |
| 341 | .VE |
| 342 | and send |
| 343 | .B bob.pub |
| 344 | back to |
| 345 | .B alice |
| 346 | using some secure method. |
| 347 | .RE |
| 348 | .hP 4 |
| 349 | On |
| 350 | .BR alice , |
| 351 | merge |
| 352 | .B bob 's |
| 353 | key into the public keyring. Now, on each host, run |
| 354 | .RS |
| 355 | .VS |
| 356 | key \-kkeyring.pub fingerprint |
| 357 | .VE |
| 358 | and check that the hashes match. If the two sites have separate |
| 359 | administrators, they should read the hashes to each other over the |
| 360 | telephone (assuming that they can recognize each other's voices). |
| 361 | .RE |
| 362 | .hP 5. |
| 363 | Start the |
| 364 | .B tripe |
| 365 | servers up. Run |
| 366 | .RS |
| 367 | .VS |
| 368 | tripectl \-slD \-S\-P23169 |
| 369 | .VE |
| 370 | on each of |
| 371 | .B alice |
| 372 | and |
| 373 | .BR bob . |
| 374 | (The |
| 375 | .RB ` \-P23169 ' |
| 376 | forces the server to use UDP port 23169: use some other number if 23169 |
| 377 | is inappropriate for your requirements. I chose it by reducing the |
| 378 | RIPEMD160 hash of |
| 379 | .RB ` tripe\-port\-number\e0 ' |
| 380 | modulo 2\*(ss16\*(se.) |
| 381 | .RE |
| 382 | .hP 6. |
| 383 | To get |
| 384 | .B alice |
| 385 | talking to |
| 386 | .BR bob , |
| 387 | run this shell script (or one like it): |
| 388 | .RS |
| 389 | .VS |
| 390 | #! /bin/sh |
| 391 | |
| 392 | tripectl add bob 200.0.2.1 23169 |
| 393 | ifname=`tripectl ifname bob` |
| 394 | ifconfig $ifname \e |
| 395 | 192.168.0.1 \e |
| 396 | pointopoint 192.168.0.2 |
| 397 | route add -net \e |
| 398 | 10.0.2.0 netmask 255.255.255.0 \e |
| 399 | gw 192.168.0.2 |
| 400 | .VE |
| 401 | Read |
| 402 | .BR ifconfig (8) |
| 403 | and |
| 404 | .BR route (8) |
| 405 | to find out about your system's variants of these commands. The |
| 406 | versions shown above assume a Linux system. |
| 407 | Run a similar script on |
| 408 | .BR bob , |
| 409 | to tell its |
| 410 | .B tripe |
| 411 | server to talk to |
| 412 | .BR alice . |
| 413 | .RE |
| 414 | .hP 7. |
| 415 | Congratulations. The two servers will exchange keys and begin sending |
| 416 | packets almost immediately. You've set up a virtual private network. |
| 417 | .SS "Using elliptic curve keys" |
| 418 | The |
| 419 | .B tripe |
| 420 | server can use elliptic curve Diffie-Hellman for key exchange, rather |
| 421 | than traditional integer Diffie-Hellman. Given current public |
| 422 | knowledge, elliptic curves can provide similar or better security to |
| 423 | systems based on integer discrete log problems, faster, and with less |
| 424 | transmitted data. It's a matter of controversy whether this will |
| 425 | continue to be the case. The author uses elliptic curves. |
| 426 | .PP |
| 427 | The server works out which it |
| 428 | should be doing based on the key type, which is either |
| 429 | .B tripe\-dh |
| 430 | for standard Diffie-Hellman, or |
| 431 | .B tripe\-ec |
| 432 | for elliptic curves. To create elliptic curve keys, say something like |
| 433 | .VS |
| 434 | key add \-aec\-param \-Cnist-p192 \-eforever \e |
| 435 | \-tparam tripe\-ec\-param |
| 436 | .VE |
| 437 | to construct a parameters key, using your preferred elliptic curve in |
| 438 | the |
| 439 | .B \-C |
| 440 | option (see |
| 441 | .BR key (1) |
| 442 | for details); and create the private keys by |
| 443 | .VS |
| 444 | key add \-aec \-pparam \-talice \e |
| 445 | \-e"now + 1 year" tripe\-ec |
| 446 | .VE |
| 447 | Now start |
| 448 | .B tripe |
| 449 | with the |
| 450 | .B \-ttripe\-ec |
| 451 | option, and all should be well. |
| 452 | .SS "Using other symmetric algorithms" |
| 453 | The default symmetric algorithms |
| 454 | .B tripe |
| 455 | uses are Blowfish (by Schneier) for symmetric encryption, and RIPEMD-160 |
| 456 | (by Dobbertin, Bosselaers and Preneel) for hashing and as a MAC (in HMAC |
| 457 | mode, designed by Bellare, Canetti and Krawczyk). These can all be |
| 458 | overridden by setting attributes on your private key, as follows. |
| 459 | .TP |
| 460 | .B cipher |
| 461 | Names the symmetric encryption scheme to use. The default is |
| 462 | .BR blowfish\-cbc . |
| 463 | .TP |
| 464 | .B hash |
| 465 | Names the hash function to use. The default is |
| 466 | .BR rmd160 . |
| 467 | .TP |
| 468 | .B mac |
| 469 | Names the message authentication code to use. The name of the MAC may |
| 470 | be followed by a |
| 471 | .RB ` / ' |
| 472 | and the desired tag length in bits. The default is |
| 473 | .IB hash \-hmac |
| 474 | at half the underlying hash function's output length. |
| 475 | .TP |
| 476 | .B mgf |
| 477 | A `mask-generation function', used in the key-exchange. The default is |
| 478 | .IB hash \-mgf |
| 479 | and there's no good reason to change it. |
| 480 | .SS "About the name" |
| 481 | The program's name is |
| 482 | .BR tripe , |
| 483 | all in lower-case. The name of the protocol it uses is `TrIPE', with |
| 484 | four capital letters and one lower-case. The name stands for `Trivial |
| 485 | IP Encryption'. |
| 486 | .SH "BUGS" |
| 487 | The code hasn't been audited. It may contain security bugs. If you |
| 488 | find one, please inform the author |
| 489 | .IR immediately . |
| 490 | .SH "SEE ALSO" |
| 491 | .BR key (1), |
| 492 | .BR tripectl (1), |
| 493 | .BR tripe\-admin (5). |
| 494 | .PP |
| 495 | .IR "The Trivial IP Encryption Protocol" , |
| 496 | .IR "The Wrestlers Protocol" . |
| 497 | .SH "AUTHOR" |
| 498 | Mark Wooding, <mdw@nsict.org> |