[secnet] / INSTALL

INSTALLATION INSTRUCTIONS for SECNET

USE AT YOUR OWN RISK.  THIS IS ALPHA TEST SOFTWARE.  I DO NOT
GUARANTEE THAT THERE WILL BE PROTOCOL COMPATIBILITY BETWEEN DIFFERENT
VERSIONS.

PROTOCOL COMPATIBILITY WAS BROKEN BETWEEN secnet-0.06, secnet-0.07 AND
secnet-0.08 FOR ENDIANNESS FIXES.

THERE WILL BE ANOTHER CHANGE IN PROTOCOL IN THE secnet-0.1.x SERIES

* Preparation

** System software support

Ensure that you have libgmp2-dev and adns installed (and bison and
flex, and for that matter gcc...).

[On BSD install /usr/ports/devel/bison]

If you intend to configure secnet to obtain packets from the kernel
through userv-ipif, install and configure userv-ipif.  It is part of
userv-utils, available from ftp.chiark.greenend.org.uk in
/users/ian/userv

If you intend to configure secnet to obtain packets from the kernel
using the universal TUN/TAP driver, make sure it's configured in your
kernel (it's under "network device support" in Linux-2.4) and that
you've created the appropriate device files; see
linux/Documentation/networking/tuntap.txt

If you're using TUN/TAP on a platform other than Linux-2.4, see
http://vtun.sourceforge.net/tun/

Note than TUN comes in two flavours, one (called 'tun' in the secnet
config file) which has only one device file (usually /dev/net/tun) and
the other (called 'tun-old') which has many device files (/dev/tun*).
Linux-2.4 has new-style TUN, Linux-2.2, BSD and Solaris have old-style
TUN.

** System and network configuration

If you intend to start secnet as root, I suggest you create a userid
for it to run as once it's ready to drop its privileges.  Example (on
Debian):
# adduser --system --no-create-home secnet

If you're using the 'soft routes' feature (for some classes of mobile
device) you'll have to run as root all the time, to enable secnet to
add and remove routes from your kernel's routing table.  (This
restriction may be relaxed later if someone writes a userv service to
modify the routing table.)

If you are joining an existing VPN, read that VPN's documentation now.
It may supersede the next paragraph.

You will need to allocate two IP addresses for use by secnet.  One
will be for the tunnel interface on your tunnel endpoint machine (i.e.
the address you see in 'ifconfig' when you look at the tunnel
interface).  The other will be for secnet itself.  These addresses
should probably be allocated from the range used by your internal
network: if you do this, you should provide appropriate proxy-ARP on
the internal network interface of the machine running secnet (eg. add
an entry net/ipv4/conf/eth_whatever/proxy_arp = 1 to /etc/sysctl.conf
on Debian systems and run sysctl -p).  Alternatively the addresses
could be from some other range - this works well if the machine
running secnet is the default route out of your network - but this
requires more thought.

http://www.ucam.org/cam-grin/ may be useful.

* Installation

If you installed the Debian package of secnet, skip to "If installing
for the first time", below, and note that example.conf can be found in
/usr/share/doc/secnet/examples.

To install secnet do

$ ./configure
$ make
# make install
# mkdir /etc/secnet

(Note: you may see the following warning while compiling
conffile.tab.c; I believe this is a bison bug:
/usr/share/bison/bison.simple: In function `yyparse':
/usr/share/bison/bison.simple:285: warning: `yyval' might be used
 uninitialized in this function
)

Any other warnings or errors should be reported to
steve@greenend.org.uk.

If installing for the first time, do

# cp example.conf /etc/secnet/secnet.conf
# cd /etc/secnet
# ssh-keygen -f key -N ""

[On BSD use
$ LDFLAGS="-L/usr/local/lib" ./configure
$ gmake CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
XXX this should eventually be worked out automatically by 'configure'.]

Generate a site file fragment for your site (see below), and submit it
for inclusion in your VPN's 'sites' file.  Download the vpn-sites file
to /etc/secnet/sites - MAKE SURE YOU GET AN AUTHENTIC COPY because the
sites file contains public keys for all the sites in the VPN.  Use the
make-secnet-sites program provided with the secnet distribution to
convert the distributed sites file into one that can be included in a
secnet configuration file:

# make-secnet-sites sites sites.conf

* Configuration

Should be reasonably obvious - edit /etc/secnet/secnet.conf as
prompted by the comments.  XXX Fuller documentation of the
configuration file format should be forthcoming in time.  Its syntax
is described in the README file at the moment.

* Constructing your site file fragment

You need the following information:

1. the name of your VPN.

2. the name of your location(s).

3. a short name for your site, eg. "sinister".  This is used to
identify your site in the vpn-sites file, and should probably be the
same as its hostname.

4. the DNS name of the machine that will be the "front-end" for your
secnet installation.  This will typically be the name of the gateway
machine for your network, eg. sinister.dynamic.greenend.org.uk

secnet does not actually have to run on this machine, as long as the
machine can be configured to forward UDP packets to the machine that
is running secnet.

5. the port number used to contact secnet at your site.  This is the
port number on the front-end machine, and does not necessarily have to
match the port number on the machine running secnet.  If you want to
use a privileged port number we suggest 410.  An appropriate
unprivileged port number is 51396.  (These numbers were picked at
random.)

6. the list of networks accessible at your site over the VPN.

7. the public part of the RSA key you generated during installation
(in /etc/secnet/key.pub if you followed the installation
instructions).  This file contains three numbers and a comment on one
line.

If you are running secnet on a particularly slow machine, you may like
to specify a larger value for the key setup retry timeout than the
default, to prevent unnecessary retransmissions of key setup packets.
See the notes in the example configuration file for more on this.

The site file fragment should look something like this:

vpn sgo
location greenend
contact steve@greenend.org.uk
site sinister
  networks 192.168.73.0/24 192.168.1.0/24 172.19.71.0/24
  address sinister.dynamic.greenend.org.uk 51396
  pubkey 1024 35 142982503......[lots more].....0611 steve@sinister
Commit	Line	Data
2fe58dfd SE	1	INSTALLATION INSTRUCTIONS for SECNET
2fe58dfd SE	2
974d0468	3	USE AT YOUR OWN RISK. THIS IS ALPHA TEST SOFTWARE. I DO NOT
df1b18fc SE	4	GUARANTEE THAT THERE WILL BE PROTOCOL COMPATIBILITY BETWEEN DIFFERENT
	5	VERSIONS.
	6
8689b3a9 SE	7	PROTOCOL COMPATIBILITY WAS BROKEN BETWEEN secnet-0.06, secnet-0.07 AND
8689b3a9 SE	8	secnet-0.08 FOR ENDIANNESS FIXES.
59635212	9
baa06aeb SE	10	THERE WILL BE ANOTHER CHANGE IN PROTOCOL IN THE secnet-0.1.x SERIES
baa06aeb SE	11
df1b18fc SE	12	* Preparation
	13
	14	** System software support
	15
2fe58dfd SE	16	Ensure that you have libgmp2-dev and adns installed (and bison and
	17	flex, and for that matter gcc...).
	18
8dea8d37	19	[On BSD install /usr/ports/devel/bison]
59635212	20
2fe58dfd	21	If you intend to configure secnet to obtain packets from the kernel
974d0468	22	through userv-ipif, install and configure userv-ipif. It is part of
2fe58dfd SE	23	userv-utils, available from ftp.chiark.greenend.org.uk in
	24	/users/ian/userv
	25
4efd681a SE	26	If you intend to configure secnet to obtain packets from the kernel
4efd681a SE	27	using the universal TUN/TAP driver, make sure it's configured in your
974d0468 SE	28	kernel (it's under "network device support" in Linux-2.4) and that
974d0468 SE	29	you've created the appropriate device files; see
4efd681a SE	30	linux/Documentation/networking/tuntap.txt
4efd681a SE	31
df1b18fc	32	If you're using TUN/TAP on a platform other than Linux-2.4, see
4efd681a SE	33	http://vtun.sourceforge.net/tun/
4efd681a SE	34
df1b18fc SE	35	Note than TUN comes in two flavours, one (called 'tun' in the secnet
df1b18fc SE	36	config file) which has only one device file (usually /dev/net/tun) and
974d0468 SE	37	the other (called 'tun-old') which has many device files (/dev/tun*).
974d0468 SE	38	Linux-2.4 has new-style TUN, Linux-2.2, BSD and Solaris have old-style
8689b3a9	39	TUN.
df1b18fc SE	40
	41	** System and network configuration
	42
974d0468 SE	43	If you intend to start secnet as root, I suggest you create a userid
974d0468 SE	44	for it to run as once it's ready to drop its privileges. Example (on
df1b18fc SE	45	Debian):
	46	# adduser --system --no-create-home secnet
	47
b2a56f7c SE	48	If you're using the 'soft routes' feature (for some classes of mobile
	49	device) you'll have to run as root all the time, to enable secnet to
	50	add and remove routes from your kernel's routing table. (This
	51	restriction may be relaxed later if someone writes a userv service to
	52	modify the routing table.)
	53
	54	If you are joining an existing VPN, read that VPN's documentation now.
	55	It may supersede the next paragraph.
	56
974d0468 SE	57	You will need to allocate two IP addresses for use by secnet. One
	58	will be for the tunnel interface on your tunnel endpoint machine (i.e.
	59	the address you see in 'ifconfig' when you look at the tunnel
	60	interface). The other will be for secnet itself. These addresses
b2a56f7c SE	61	should probably be allocated from the range used by your internal
	62	network: if you do this, you should provide appropriate proxy-ARP on
	63	the internal network interface of the machine running secnet (eg. add
	64	an entry net/ipv4/conf/eth_whatever/proxy_arp = 1 to /etc/sysctl.conf
	65	on Debian systems and run sysctl -p). Alternatively the addresses
	66	could be from some other range - this works well if the machine
	67	running secnet is the default route out of your network - but this
	68	requires more thought.
df1b18fc SE	69
	70	http://www.ucam.org/cam-grin/ may be useful.
	71
df1b18fc SE	72	* Installation
df1b18fc SE	73
9d3a4132 SE	74	If you installed the Debian package of secnet, skip to "If installing
	75	for the first time", below, and note that example.conf can be found in
	76	/usr/share/doc/secnet/examples.
	77
df1b18fc	78	To install secnet do
2fe58dfd SE	79
	80	$ ./configure
	81	$ make
974d0468	82	# make install
9d3a4132	83	# mkdir /etc/secnet
8689b3a9	84
558fa3fb SE	85	(Note: you may see the following warning while compiling
	86	conffile.tab.c; I believe this is a bison bug:
	87	/usr/share/bison/bison.simple: In function `yyparse':
	88	/usr/share/bison/bison.simple:285: warning: `yyval' might be used
	89	uninitialized in this function
	90	)
	91
	92	Any other warnings or errors should be reported to
	93	steve@greenend.org.uk.
	94
8689b3a9 SE	95	If installing for the first time, do
8689b3a9 SE	96
2fe58dfd SE	97	# cp example.conf /etc/secnet/secnet.conf
	98	# cd /etc/secnet
	99	# ssh-keygen -f key -N ""
	100
8689b3a9 SE	101	[On BSD use
	102	$ LDFLAGS="-L/usr/local/lib" ./configure
	103	$ gmake CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib"
	104	XXX this should eventually be worked out automatically by 'configure'.]
2fe58dfd	105
df1b18fc	106	Generate a site file fragment for your site (see below), and submit it
558fa3fb SE	107	for inclusion in your VPN's 'sites' file. Download the vpn-sites file
558fa3fb SE	108	to /etc/secnet/sites - MAKE SURE YOU GET AN AUTHENTIC COPY because the
b2a56f7c	109	sites file contains public keys for all the sites in the VPN. Use the
8dea8d37	110	make-secnet-sites program provided with the secnet distribution to
b2a56f7c SE	111	convert the distributed sites file into one that can be included in a
	112	secnet configuration file:
	113
8dea8d37	114	# make-secnet-sites sites sites.conf
2fe58dfd	115
df1b18fc	116	* Configuration
2fe58dfd	117
df1b18fc	118	Should be reasonably obvious - edit /etc/secnet/secnet.conf as
974d0468 SE	119	prompted by the comments. XXX Fuller documentation of the
	120	configuration file format should be forthcoming in time. Its syntax
	121	is described in the README file at the moment.
df1b18fc SE	122
df1b18fc SE	123	* Constructing your site file fragment
2fe58dfd SE	124
	125	You need the following information:
	126
b2a56f7c	127	1. the name of your VPN.
2fe58dfd	128
b2a56f7c	129	2. the name of your location(s).
2fe58dfd	130
b2a56f7c SE	131	3. a short name for your site, eg. "sinister". This is used to
	132	identify your site in the vpn-sites file, and should probably be the
	133	same as its hostname.
	134
	135	4. the DNS name of the machine that will be the "front-end" for your
974d0468	136	secnet installation. This will typically be the name of the gateway
9d3a4132	137	machine for your network, eg. sinister.dynamic.greenend.org.uk
2fe58dfd SE	138
	139	secnet does not actually have to run on this machine, as long as the
	140	machine can be configured to forward UDP packets to the machine that
	141	is running secnet.
	142
b2a56f7c	143	5. the port number used to contact secnet at your site. This is the
2fe58dfd	144	port number on the front-end machine, and does not necessarily have to
b2a56f7c SE	145	match the port number on the machine running secnet. If you want to
	146	use a privileged port number we suggest 410. An appropriate
	147	unprivileged port number is 51396. (These numbers were picked at
	148	random.)
2fe58dfd	149
b2a56f7c	150	6. the list of networks accessible at your site over the VPN.
2fe58dfd	151
b2a56f7c	152	7. the public part of the RSA key you generated during installation
2fe58dfd	153	(in /etc/secnet/key.pub if you followed the installation
974d0468	154	instructions). This file contains three numbers and a comment on one
b2a56f7c	155	line.
2fe58dfd SE	156
	157	If you are running secnet on a particularly slow machine, you may like
	158	to specify a larger value for the key setup retry timeout than the
974d0468 SE	159	default, to prevent unnecessary retransmissions of key setup packets.
974d0468 SE	160	See the notes in the example configuration file for more on this.
2fe58dfd SE	161
	162	The site file fragment should look something like this:
	163
b2a56f7c SE	164	vpn sgo
	165	location greenend
	166	contact steve@greenend.org.uk
	167	site sinister
	168	networks 192.168.73.0/24 192.168.1.0/24 172.19.71.0/24
	169	address sinister.dynamic.greenend.org.uk 51396
	170	pubkey 1024 35 142982503......[lots more].....0611 steve@sinister