5 \h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c
32 .TH tripe 8 "10 February 2001" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
34 tripe \- a simple VPN daemon
67 program is a server which can provide strong IP-level encryption and
68 authentication between co-operating hosts. The program and its protocol
69 are deliberately very simple, to make analysing them easy and to help
70 build trust rapidly in the system.
74 server manages a number of secure connections to other `peer' hosts.
75 Each daemon is given a private key of its own, and a file of public keys
76 for the peers with which it is meant to communicate. It is responsible
77 for negotiating sets of symmetric keys with its peers, and for
78 encrypting, encapsulating and sending IP packets to its peers, and
79 decrypting, checking and de-encapsulating packets it receives from
82 When the server starts, it creates a Unix-domain socket on which it
83 listens for administration commands. It also logs warnings and
84 diagnostic information to the programs connected to its admin socket.
85 Clients connected to the socket can add new peers, and remove or find
86 out about existing peers. The textual protocol used to give the
88 server admin commands is described in
92 is provided to allow commands to be sent to the server either
93 interactively or by simple scripts.
94 .SS "Command-line arguments"
95 If not given any command-line arguments,
97 will initialize by following these steps:
99 It sets the directory named by the
101 environment variable (or
103 if the variable is unset) as the current directory.
105 It acquires a UDP socket with an arbitrary kernel-selected port number.
106 It will use this socket to send and receive all communications with its
107 peer servers. The port chosen may be discovered by means of the
110 .BR tripe\-admin (5)).
112 It loads the private key with the tag or type name
114 from the Catacomb-format file
118 ready for extracting the public keys of peers as they're introduced.
119 (The format of these files is described in
121 They are maintained using the program
123 provided with the Catacomb distribution.)
125 It creates and listens to the Unix-domain socket
128 Following this, the server enters its main loop, accepting admin
129 connections and obeying any administrative commands, and communicating
130 with peers. It also treats its standard input and standard output
131 streams as an admin connection, reading commands from standard input and
132 writing responses and diagnostics messages to standard output. Finally,
133 it will reload keys from its keyring files if it notices that they've
134 changed (it checks inode number and modification time) \- there's no
135 need to send a signal.
137 Much of this behaviour may be altered by giving
139 suitable command-line options:
142 Writes a brief description of the command-line options available to
143 standard output and exits with status 0.
145 .B "\-v, \-\-version"
148 version number to standard output and exits with status 0.
151 Writes a brief usage summary to standard output and exits with status 0.
154 Writes to standard output a list of the configured tunnel drivers, one
155 per line, and exits with status 0. This is intended for the use of the
156 start-up script, so that it can check that it will actually work.
159 Dissociates from its terminal and starts running in the background after
160 completing the initialization procedure described above. If running as
163 will not read commands from standard input or write diagnostics to
164 standard output. A better way to start
166 in the background is with
169 .BI "\-d, \-\-directory=" dir
172 the current directory, instead of
174 Give a current directory of
176 if you don't want it to change directory at all.
178 .BI "\-b, \-\-bind-address="addr
179 Bind the UDP socket to IP address
181 rather than the default of
183 This is useful if your main globally-routable IP address is one you want
184 to tunnel through the VPN.
186 .BI "\-p, \-\-port=" port
187 Use the specified UDP port for all communications with peers, rather
188 than an arbitarary kernel-assigned port.
190 .BI "\-n, \-\-tunnel=" tunnel
191 Use the specified tunnel driver for new peers by default.
193 .BI "\-U, \-\-setuid=" user
196 (either a user name or integer uid) after initialization. Also set gid
199 primary group, unless overridden by a
203 .BI "\-G, \-\-setgid=" group
206 (either a group name or integer gid) after initialization.
208 .BI "\-k, \-\-priv\-keyring=" file
209 Reads the private key from
211 rather than the default
214 .BI "\-K, \-\-pub\-keyring=" file
215 Reads public keys from
217 rather than the default
219 This can be the same as the private keyring, but that's not recommended.
221 .BI "\-t, \-\-tag=" tag
222 Uses the private key whose tag or type is
224 rather than the default
227 .BI "\-a, \-\-admin\-socket=" socket
228 Accept admin connections to a Unix-domain socket named
230 rather than the default
233 .BI "\-T, \-\-trace=" trace-opts
234 Allows the enabling or disabling of various internal diagnostics. See
235 below for the list of options.
236 .SS "Setting up a VPN with tripe"
239 server identifies peers by name. While it's
241 for each host to maintain its own naming system for its peers, this is
242 likely to lead to confusion, and it's more sensible to organize a naming
243 system that works everywhere. How you manage this naming is up to you.
244 The only restriction on the format of names is that they must be valid
245 Catacomb key tags, since this is how
247 identifies which public key to use for a particular peer: they may not
248 contain whitespace characters, or a colon
253 Allocating IP addresses for VPNs can get quite complicated. I'll
254 attempt to illustrate with a relatively simple example. Our objective
255 will be to set up a virtual private network between two sites of
257 The two sites are using distinct IP address ranges from the private
258 address space described in RFC1918: site A is using addresses from
259 10.0.1.0/24 and site B is using 10.0.2.0/24. Each site has a gateway
260 host set up with both an address on the site's private network, and an
261 externally-routable address from the public IP address space. Site A's
264 has the addresses 10.0.1.1 and 200.0.1.1; site B's gateway is
266 and has addresses 10.0.2.1 and 200.0.2.1.
268 This isn't quite complicated enough. Each of
272 needs an extra IP address which we'll use when setting up the
273 point-to-point link. These addresses need to be routable, at least
274 within the virtual private network: unfortunately, you can't just use
275 the same pair everywhere. We'll assign
277 the point-to-point address 192.168.0.1, and
279 the address 192.168.0.2.
283 on both of the gateway hosts. Create the directory
290 the current directory and generate a Diffie-Hellman group:
293 key add \-adh\-param \-LS \-b2048 \-B256 \e
294 \-eforever \-tparam tripe\-dh\-param
298 from the Catacomb distribution for details about the
300 command.) Also generate a private key for
303 key add \-adh \-pparam \-talice \e
304 \-e"now + 1 year" tripe\-dh
306 Extract the group parameters and
310 files, and put the public key in
313 key extract param param
314 key extract \-f\-secret alice.pub alice
315 key \-kkeyring.pub merge alice.pub
323 in some secure way (e.g., in PGP-signed email, or by using SSH), so that
324 you can be sure they've not been altered in transit.
331 the current directory, and import the key material from
336 key \-kkeyring.pub merge alice.pub
338 Generate a private key for
340 and extract the public half, as before:
342 key add \-adh \-pparam \-tbob \e
343 \-e"now + 1 year" tripe\-dh
344 key extract \-f\-secret bob.pub bob
345 key \-kkeyring.pub merge bob.pub
351 using some secure method.
358 key into the public keyring. Now, on each host, run
361 key \-kkeyring.pub fingerprint
363 and check that the hashes match. If the two sites have separate
364 administrators, they should read the hashes to each other over the
365 telephone (assuming that they can recognize each other's voices).
373 tripectl \-slD \-S\-P23169
381 forces the server to use UDP port 23169: use some other number if 23169
382 is inappropriate for your requirements. I chose it by reducing the
384 .RB ` tripe\-port\-number\e0 '
385 modulo 2\*(ss16\*(se.)
392 run this shell script (or one like it):
397 tripectl add bob 200.0.2.1 23169
398 ifname=`tripectl ifname bob`
401 pointopoint 192.168.0.2
403 10.0.2.0 netmask 255.255.255.0 \e
410 to find out about your system's variants of these commands. The
411 versions shown above assume a Linux system.
412 Run a similar script on
420 Congratulations. The two servers will exchange keys and begin sending
421 packets almost immediately. You've set up a virtual private network.
422 .SS "Using elliptic curve keys"
425 server can use elliptic curve Diffie-Hellman for key exchange, rather
426 than traditional integer Diffie-Hellman. Given current public
427 knowledge, elliptic curves can provide similar or better security to
428 systems based on integer discrete log problems, faster, and with less
429 transmitted data. It's a matter of controversy whether this will
430 continue to be the case. The author uses elliptic curves.
432 The server works out which it
433 should be doing based on the key type, which is either
435 for standard Diffie-Hellman, or
437 for elliptic curves. To create elliptic curve keys, say something like
439 key add \-aec\-param \-Cnist-p192 \-eforever \e
440 \-tparam tripe\-ec\-param
442 to construct a parameters key, using your preferred elliptic curve in
447 for details); and create the private keys by
449 key add \-aec \-pparam \-talice \e
450 \-e"now + 1 year" tripe\-ec
456 option, and all should be well.
457 .SS "Using other symmetric algorithms"
458 The default symmetric algorithms
460 uses are Blowfish (by Schneier) for symmetric encryption, and RIPEMD-160
461 (by Dobbertin, Bosselaers and Preneel) for hashing and as a MAC (in HMAC
462 mode, designed by Bellare, Canetti and Krawczyk). These can all be
463 overridden by setting attributes on your private key, as follows.
466 Names the symmetric encryption scheme to use. The default is
470 Names the hash function to use. The default is
474 Names the message authentication code to use. The name of the MAC may
477 and the desired tag length in bits. The default is
479 at half the underlying hash function's output length.
482 A `mask-generation function', used in the key-exchange. The default is
484 and there's no good reason to change it.
485 .SS "Using SLIP interfaces"
486 Though not for the faint of heart, it is possible to get
488 to read and write network packets to a pair of file descriptors using
489 SLIP encapsulation. No fancy header compression of any kind is
492 Two usage modes are supported: a preallocation system, whereby SLIP
493 interfaces are created and passed to the
495 server at startup; and a dynamic system, where the server runs a script
496 to allocate a new SLIP interface when it needs one. It is possible to
497 use a mixture of these two modes, starting
499 with a few preallocated interfaces and having it allocate more
500 dynamically as it needs them.
504 SLIP driver is controlled by the
506 environment variable. The server will fail to start if this variable is
507 not defined. The variable's value is a colon-delimited list of
508 preallocated interfaces, followed optionally by the filename of a script
509 to run to dynamically allocate more interfaces.
511 A static allocation entry has the form
519 is omitted, the same file descriptor is used for input and output.
521 The dynamic allocation script must be named by an absolute or relative
522 pathname, beginning with
526 The server will pass the script an argument, which is the name of the
527 peer for which the interface is being created. The script should
528 allocate a new SLIP interface (presumably by creating a pty pair),
529 configure it appropriately, and write the interface's name to its
530 standard output, followed by a newline. It should then read and write
531 SLIP packets on its stdin and stdout. The script's stdin will be closed
532 when the interface is no longer needed, and the server will attempt to
535 signal (though this may fail if the script runs with higher privileges
538 The output file descriptor should not block unless it really needs to:
541 daemon assumes that it won't, and will get wait for it to accept output.
543 The program's name is
545 all in lower-case. The name of the protocol it uses is `TrIPE', with
546 four capital letters and one lower-case. The name stands for `Trivial
549 The code hasn't been audited. It may contain security bugs. If you
550 find one, please inform the author
555 .BR tripe\-admin (5).
557 .IR "The Trivial IP Encryption Protocol" ,
558 .IR "The Wrestlers Protocol" .
560 Mark Wooding, <mdw@distorted.org.uk>