X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/1a19f86595b5c07ebf7ca7193093c54a75a15310..b5c45da15703d85b506a1ea1eb38c318c3418ed3:/doc/tripe.8 diff --git a/doc/tripe.8 b/doc/tripe.8 index caacbe79..929f0191 100644 --- a/doc/tripe.8 +++ b/doc/tripe.8 @@ -37,12 +37,20 @@ tripe \- a simple VPN daemon .RB [ \-D ] .RB [ \-d .IR dir ] +.RB [ \-b +.IR addr ] .RB [ \-p .IR port ] +.br + .RB [ \-U .IR user ] .RB [ \-G .IR group ] +.RB [ \-a +.IR socket ] +.RB [ \-T +.IR trace-opts ] .br .RB [ \-k @@ -51,12 +59,6 @@ tripe \- a simple VPN daemon .IR pub-keyring ] .RB [ \-t .IR key-tag ] -.br - -.RB [ \-a -.IR socket ] -.RB [ \-T -.IR trace-opts ] .SH "DESCRIPTION" The .B tripe @@ -166,6 +168,14 @@ Give a current directory of .B . if you don't want it to change directory at all. .TP +.BI "\-b, \-\-bind-address="addr +Bind the UDP socket to IP address +.I addr +rather than the default of +.BR INADDR_ANY . +This is useful if your main globally-routable IP address is one you want +to tunnel through the VPN. +.TP .BI "\-p, \-\-port=" port Use the specified UDP port for all communications with peers, rather than an arbitarary kernel-assigned port. 
@@ -399,6 +409,69 @@ server to talk to .hP 7. Congratulations. The two servers will exchange keys and begin sending packets almost immediately. You've set up a virtual private network. +.SS "Using elliptic curve keys" +The +.B tripe +server can use elliptic curve Diffie-Hellman for key exchange, rather +than traditional integer Diffie-Hellman. Given current public +knowledge, elliptic curves can provide similar or better security to +systems based on integer discrete log problems, faster, and with less +transmitted data. It's a matter of controversy whether this will +continue to be the case. The author uses elliptic curves. +.PP +The server works out which it +should be doing based on the key type, which is either +.B tripe\-dh +for standard Diffie-Hellman, or +.B tripe\-ec +for elliptic curves. To create elliptic curve keys, say something like +.VS +key add \-aec\-param \-Cnist-p192 \-eforever \e + \-tparam tripe\-ec\-param +.VE +to construct a parameters key, using your preferred elliptic curve in +the +.B \-C +option (see +.BR key (1) +for details); and create the private keys by +.VS +key add \-aec \-pparam \-talice \e + \-e"now + 1 year" tripe\-ec +.VE +Now start +.B tripe +with the +.B \-ttripe\-ec +option, and all should be well. +.SS "Using other symmetric algorithms" +The default symmetric algorithms +.B tripe +uses are Blowfish (by Schneier) for symmetric encryption, and RIPEMD-160 +(by Dobbertin, Bosselaers and Preneel) for hashing and as a MAC (in HMAC +mode, designed by Bellare, Canetti and Krawczyk). These can all be +overridden by setting attributes on your private key, as follows. +.TP +.B cipher +Names the symmetric encryption scheme to use. The default is +.BR blowfish\-cbc . +.TP +.B hash +Names the hash function to use. The default is +.BR rmd160 . +.TP +.B mac +Names the message authentication code to use. The name of the MAC may +be followed by a +.RB ` / ' +and the desired tag length in bits. 
The default is +.IB hash \-hmac +at half the underlying hash function's output length. +.TP +.B mgf +A `mask-generation function', used in the key-exchange. The default is +.IB hash \-mgf +and there's no good reason to change it. .SS "About the name" The program's name is .BR tripe ,
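Review bot: in the first synopsis hunk (@@ -37,12) the added `+.br` is immediately followed by an added empty line; an empty input line already forces a break in troff and additionally emits blank vertical space, so the `.br` is redundant with it. The pair is only moved from its old position (the @@ -51,12 hunk removes the same `.br` plus empty line before the old `-a`/`-T` entries), so rendered output is unchanged, but if the intent is just to wrap the synopsis onto a new line, drop the empty line and keep `.br`. Listing `-b addr` before `-p port` in the synopsis does match the order the two options get in the OPTIONS section, which is good.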
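Review bot: the new `-b, --bind-address=addr` entry (@@ -166,6) does not say what form `addr` takes, whether a numeric address only or a host name that gets resolved, nor whether anything but IPv4 is accepted; the reference to `INADDR_ANY` hints at IPv4, so one sentence stating whichever is the case would remove the ambiguity. It would also help to spell out the second effect of binding, namely that the daemon then only accepts peer datagrams addressed to that address, which is usually exactly what an operator wants when the host has one public address that should carry the tunnel and others that should not. While here, the context line `than an arbitarary kernel-assigned port` has a typo (`arbitrary`).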
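Review bot: the worked `key add` example in the new `Using elliptic curve keys` subsection (@@ -399,6) uses `-Cnist-p192`, a 192-bit curve giving roughly 96 bits of security, which is below what the surrounding text promises ("similar or better security to systems based on integer discrete log problems"); either pick a larger curve from the key(1) catalogue for the example or add a sentence saying that the curve size sets the security level and that p192 is the small end. In the `Using other symmetric algorithms` subsection, the `mac` entry introduces the `/bits` tag-length suffix without saying what the lower bound is or that shortening the tag lowers forgery resistance (each bit removed doubles the chance that a random forgery is accepted); the default, half of RIPEMD-160's 160-bit output, is 80 bits, and stating that number together with a minimum would let readers judge non-default values. Finally, none of the `cipher`, `hash` and `mac` entries say where the accepted names come from; a pointer to the list of supported algorithms would avoid guessing.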