X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=doc%2Ftinc.texi;h=fdcbf45cf2c75c2cba7884d74ce9e60c9cb97a96;hp=7d865053060513f9a2c395339fe32c59fce86d80;hb=7e817fcf0fdd25aae58259930006c61048b017cd;hpb=d0ea9c8ff287e879e531af9f1b52529421c0512f diff --git a/doc/tinc.texi b/doc/tinc.texi index 7d865053..fdcbf45c 100644 --- a/doc/tinc.texi +++ b/doc/tinc.texi @@ -12,7 +12,7 @@ This is the info manual for tinc, a Virtual Private Network daemon. -Copyright 1998 Ivo Timmermans +Copyright 1998,199,2000 Ivo Timmermans Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and @@ -34,7 +34,7 @@ Copyright 1998 Ivo Timmermans @page @vskip 0pt plus 1filll -Copyright @copyright{} 1998 Ivo Timmermans +Copyright @copyright{} 1998,1999,2000 Ivo Timmermans Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and @@ -328,12 +328,12 @@ to this daemon. The effect of this is that the daemon will set its configuration ``root'' to /etc/tinc/nn/, where nn is your argument to the -n -option. You'll notice that it appears in syslog as ``tincd.nn''. +option. You'll notice that it appears in syslog as ``tinc.nn''. However, it is not strictly necessary that you call tinc with the -n option. In this case, the network name would just be empty, and it will be used as such. tinc now looks for files in /etc/tinc/, instead of -/etc/tinc/nn/; the configuration file should be /etc/tinc/tincd.conf, +/etc/tinc/nn/; the configuration file should be /etc/tinc/tinc.conf, and the passphrases are now expected to be in /etc/tinc/passphrases/. But it is highly recommended that you use this feature of tinc, because 
@@ -357,7 +357,7 @@ will try to connect to it, on the given port. If this fails, tinc exits. @section Configuration file The actual configuration of the daemon is done in the file -@file{/etc/tinc/nn/tincd.conf}. +@file{/etc/tinc/nn/tinc.conf}. This file consists of comments (lines started with a #) or assignments in the form of @@ -481,7 +481,7 @@ ifconfig tap0 10.1.54.1 netmask 255.0.0.0 ifconfig eth0 10.1.54.1 netmask 255.255.0.0 broadcast 10.1.255.255 @end example -and in /etc/tinc/tincd.conf: +and in /etc/tinc/tinc.conf: @example TapDevice = /dev/tap0 @@ -496,7 +496,7 @@ ifconfig tap0 10.2.1.12 netmask 255.0.0.0 ifconfig eth0 10.2.43.8 netmask 255.255.0.0 broadcast 10.2.255.255 @end example -and in /etc/tinc/tincd.conf: +and in /etc/tinc/tinc.conf: @example TapDevice = /dev/tap0 @@ -517,7 +517,7 @@ ifconfig tap0 10.3.69.254 netmask 255.0.0.0 ifconfig eth0 10.3.69.254 netmask 255.255.0.0 broadcast 10.3.255.255 @end example -and in /etc/tinc/A/tincd.conf: +and in /etc/tinc/A/tinc.conf: @example MyVirtualIP = 10.3.69.254/16 @@ -537,7 +537,7 @@ ifconfig tap0 10.4.3.32 netmask 255.0.0.0 ifconfig tap0 10.4.3.32 netmask 255.255.0.0 broadcast 10.4.255.255 @end example -and in /etc/tinc/tincd.conf: +and in /etc/tinc/tinc.conf: @example MyVirtualIP = 10.4.3.32/16 @@ -645,7 +645,7 @@ generated automatically, so may be more up-to-date. @table @asis @item -c, --config=FILE Read configuration options from FILE. The default is -@file{/etc/tinc/nn/tincd.conf}. +@file{/etc/tinc/nn/tinc.conf}. @item -d Increase debug level. The higher it gets, the more gets @@ -660,7 +660,7 @@ packets themselves. @item -k, --kill Attempt to kill a running tincd and exit. A TERM signal (15) gets sent -to the daemon that his its PID in /var/run/tincd.nn.pid. +to the daemon that his its PID in /var/run/tinc.nn.pid. Because it kills only one tincd, you should use -n here if you use it normally. 
@@ -691,7 +691,6 @@ Output version information and exit. @menu * The Connection:: * Security:: -* The Protocol:: @end menu @node The Connection, Security, Technical information, Technical information @@ -766,9 +765,16 @@ have two connections, we also have two protocols. The protocol used for the UDP data is the ``data-protocol,'' the other one is the ``meta-protocol.'' +The reason we don't use TCP for both protocols is that UDP is much +better for encapsulation, even while it is less reliable. The real +problem is that when TCP would be used to encapsulate a TCP stream +that's on the private network, for every packet sent there would be +three ACK's sent instead of just one. Furthermore, if there would be +a timeout, both TCP streams would sense the timeout, and both would +start resending packets. @c ================================================================== -@node Security, The Protocol, The Connection, Technical information +@node Security, , The Connection, Technical information @section About tinc's encryption and other security-related issues. @cindex tinc 
@@ -862,266 +868,6 @@ Now we have securely hidden our data. But a malicious cracker may still bother you by randomly altering the encrypted data he intercepts. -@c ================================================================== -@node The Protocol, , Security, Technical information -@section Detailed protocol specifications - - - -@menu -* Data protocol:: -* Meta protocol:: -@end menu - -@c ================================================================== -@node Data protocol, Meta protocol, The Protocol, The Protocol -@subsection The data protocol - -The data that is sent through the UDP connection is formatted as follows: - -@example - - bytes | Contents ----------------------- - 0-1 | The length of this packet, including all leading fields - 2-5 | The destination IP address - 6-... | The encrypted data - -@end example - -The method that was used to encrypt the data should be made known via -the meta-protocol, during early identification stages. - - -@c ================================================================== -@node Meta protocol, , Data protocol, The Protocol -@subsection The Meta protocol - -This protocol consists of separate packets of information, that are -generally formatted thusly: - -@example - - bytes | Contents ----------------------- - 0 | The request ID - 1-... | (Optional: arguments) - -@end example - -What follows is a listing of possible request IDs. - -@table @samp -@item ACK -Acknowledge. This generally means that the authentication has been -accepted by the remote computer. Takes no arguments. - -@example - - bytes | Contents ----------------------- - 0 | `1' - -@end example - -@item AUTH_S_INIT -@itemx AUTH_C_INIT -Obsolete. Use @samp{BASIC_INFO}. - -@item AUTH_S_SPP -@itemx AUTH_C_SPP -Obsolete. Use @samp{PASSPHRASE}. - -@item AUTH_S_SKEY -@itemx AUTH_C_SKEY -Obsolete. Use @samp{PUBLIC_KEY}, @samp{REQ_KEY} and @samp{ANS_KEY}. - -@item AUTH_S_SACK -@itemx AUTH_C_RACK -Obsolete. Use @samp{ACK}. 
- -@item TERMREQ -A request to terminate this connection, for whatever reason. - -@example - - bytes | Contents ----------------------- - 0 | `30' - 1-4 | The VPN IP address of the host that has exited - -@end example - - -@item PINGTIMEOUT -Terminate connection, but the reason must be a ping timeout. - -@example - - bytes | Contents ----------------------- - 0 | `31' - 1-4 | The VPN IP address of the host that has exited - -@end example - - -@item PING -Send probe to the other end, if he hasn't returned a @samp{PONG} within -10 seconds, the connection is considered to be dead and will be -terminated, we should try to notify the other by sending a -@samp{PINGTIMEOUT} packet. - -@example - - bytes | Contents ----------------------- - 0 | `40' - -@end example - - -@item PONG -See explanation for @samp{PING} - -@example - - bytes | Contents ----------------------- - 0 | `41' - -@end example - - -@item ADD_HOST -Send an @samp{ADD_HOST} packet if you want to propagate all your current -connections to a new computer on a network. If we get this request, we -must forward it to everyone that hasn't got it yet. - -@example - - bytes | Contents ----------------------- - 0 | `60' - 1-4 | The real IP address of the new host - 5-8 | The VPN IP address of the new host - 9-12 | The VPN netmask - 13-14 | The port number that the new host listens on - -@end example - - -@item BASIC_INFO -This packet will contain all necessary basic information about -ourselves, such as the port we listen on and our desired VPN IP address. - -@example - - bytes | Contents ----------------------- - 0 | `61' - 1 | The protocol version. - | This chapter describes version 4. - 2-3 | The port number that the new host listens on - 4-7 | The VPN IP address of the new host - 8-11 | The VPN netmask - -@end example - - -@item PASSPHRASE -Send an encrypted passphrase. Should be encrypted with our -@strong{public} key, and it must reach us before a @samp{PUBLIC_KEY} -request. 
- -@example - - bytes | Contents ----------------------- - 0 | `62' - 1-2 | The length of the encrypted passphrase - 3-... | The encrypted passphrase - -@end example - - -@item PUBLIC_KEY -This is only used during authentication of a new connection, later on we -may use @samp{REQ_KEY} and @samp{ANS_KEY}. - -@example - - bytes | Contents ----------------------- - 0 | `63' - 1-2 | The length of the key - 3-... | The public key, given in base-36 - -@end example - - -@item HOLD -@itemx RESUME -Unused. - -@item CALCULATE -@itemx CALC_RES -@itemx ALMOST_KEY -Never been in use. - -@item REQ_KEY -Request a public key from someone and return it to the sender of this -request using a @samp{ANS_KEY} packet. If we get such request, we must -forward it to the connection that leads to the destination. - -@example - - bytes | Contents ----------------------- - 0 | `160' - 1-4 | The source VPN IP address - 5-8 | The destination VPN IP address - 9-14 | `0' - -@end example - - -@item ANS_KEY -Answer to a @samp{REQ_KEY} request, forward it to the destination if it -is not meant for us. - -@example - - bytes | Contents ----------------------- - 0 | `161' - 1-4 | The source VPN IP address - 5-8 | The destination VPN IP address - 9-12 | The expiration date/time in seconds - 13-14 | The key length - 15-... | The public key in base-36 - -@end example - - -@item KEY_CHANGED -The source computer wants to tell that it has regenerated its private -and public keys, so anything going there must be encrypted with a new -shared key. - -@example - - bytes | Contents ----------------------- - 0 | `162' - 1-4 | The source VPN IP address - -@end example - - -@end table - - @c ================================================================== @node About us, Concept Index, Technical information, Top @chapter About us
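Review bot: The first hunk (@@ -12,7) introduces a typo in the new copyright line, `+Copyright 1998,199,2000 Ivo Timmermans`; `199` is missing a digit and should be `1999`, matching the `+Copyright @copyright{} 1998,1999,2000 Ivo Timmermans` line added in the second hunk (@@ -34,7).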
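Review bot: The hunks from @@ -328,12 through @@ -645,7 rename `tincd.conf` to `tinc.conf` and `tincd.nn` to `tinc.nn` throughout the manual, but nowhere does the text warn existing users that the default configuration path, the syslog identifier and the PID file name have changed. Suggest adding one sentence at the @@ -328 hunk (where the `/etc/tinc/nn/` root is explained) telling upgraders to rename `/etc/tinc/nn/tincd.conf` to `/etc/tinc/nn/tinc.conf`, since a daemon started from the old file name will otherwise not be found by the `-k, --kill` option documented at @@ -660, which looks for `/var/run/tinc.nn.pid`.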
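Review bot: The hunk at @@ -660,7 rewrites the line `+to the daemon that his its PID in /var/run/tinc.nn.pid.` but keeps the pre-existing typo `his`; since the line is being changed anyway, make it `to the daemon that has its PID in /var/run/tinc.nn.pid.`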
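Review bot: The paragraph added at @@ -766,9 (`+The reason we don't use TCP for both protocols ...`) states an unexplained figure and has some grammar slips. The claim that `for every packet sent there would be three ACK's sent instead of just one` is not derived from anything in the text; either explain where the count comes from or phrase it as acknowledgements being generated at both the inner and the outer TCP layer. Also `ACK's` should be `ACKs`, and `when TCP would be used to encapsulate a TCP stream` reads better as `if TCP were used to encapsulate a TCP stream`. The second point, that a timeout is sensed by both TCP streams and both start retransmitting, is the stronger argument and could lead the paragraph.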
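Review bot: The hunk at @@ -862,266 deletes the entire `Detailed protocol specifications` section (data protocol byte layout and the whole meta protocol request table: ACK, TERMREQ, PINGTIMEOUT, PING/PONG, ADD_HOST, BASIC_INFO, PASSPHRASE, PUBLIC_KEY, REQ_KEY, ANS_KEY, KEY_CHANGED) without a replacement or a pointer to where the wire format is now described. That text was the manual's only description of security-relevant behaviour such as the passphrase having to be encrypted with the recipient's public key and arriving before a `PUBLIC_KEY` request, the 10-second `PONG` timeout that terminates a connection, and the `KEY_CHANGED` notification. If the section is removed because it documents an obsolete protocol version (the removed `BASIC_INFO` entry says `This chapter describes version 4`), say so in the commit message and add one sentence in the Security section pointing to the current protocol description; otherwise keep the section and mark it as describing version 4. The matching menu removal at @@ -691,7 (`-* The Protocol::`) and the `+@node Security, , The Connection, Technical information` change at @@ -766 are consistent with the deletion, so no dangling node references remain.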