[secnet] / NOTES

* Design of new, multi-subnet secnet protocol

Like the first (1995/6) version, we're tunnelling IP packets inside
UDP packets. To defeat various restrictions which may be imposed on us
by network providers (like the prohibition of incoming TCP
connections) we're sticking with UDP for everything this time,
including key setup. This means we have to handle retries, etc.

Other new features include being able to deal with subnets hidden
behind changing 'real' IP addresses, and the ability to choose
algorithms and keys per pair of communicating sites.

** Configuration and structure

[The original plan]

The network is made up from a number of 'sites'. These are collections
of machines with private IP addresses. The new secnet code runs on
machines which have interfaces on the private site network and some
way of accessing the 'real' internet.

Each end of a tunnel is identified by a name. Often it will be
convenient for every gateway machine to use the same name for each
tunnel endpoint, but this is not vital. Individual tunnels are
identified by their two endpoint names.

[The new plan]

It appears that people want to be able to use secnet on mobile
machines like laptops as well as to interconnect sites. In particular,
they want to be able to use their laptop in three situations:

1) connected to their internal LAN by a cable; no tunnel involved
2) connected via wireless, using a tunnel to protect traffic
3) connected to some other network, using a tunnel to access the
internal LAN.

They want the laptop to keep the same IP address all the time.

Case (1) is simple.

Case (2) requires that the laptop run a copy of secnet, and have a
tunnel configured between it and the main internal LAN default
gateway. secnet must support the concept of a 'soft' tunnel where it
adds a route and causes the gateway to do proxy-ARP when the tunnel is
up, and removes the route again when the tunnel is down.

The usual prohibition of packets coming in from one tunnel and going
out another must be relaxed in this case (in particular, the
destination address of packets from these 'mobile station' tunnels may
be another tunnel as well as the host).

(Quick sanity check: if chiark's secnet address was in
192.168.73.0/24, would this work properly? Yes, because there will be
an explicit route to it, and proxy ARP will be done for it. Do we want
packets from the chiark tunnel to be able to go out along other
routes? No. So, spotting a 'local' address in a remote site's list of
networks isn't sufficient to switch on routing for a site. We need an
explicit option. NB packets may be routed if the source OR the
destination is marked as allowing routing [otherwise packets couldn't
get back from eg. chiark to a laptop at greenend]).

[the even newer plan]

secnet sites are configured to grant access to particular IP address
ranges to the holder of a particular public key.  The key can certify
other keys, which will then be permitted to use a subrange of the IP
address range of the certifying key.

This means that secnet won't know in advance (i.e. at configuration
time) how many tunnels it might be required to support, so we have to
be able to create them (and routes, and so on) on the fly.

** VPN-level configuration

At a high level we just want to be able to indicate which groups of
users can claim ownership of which ranges of IP addresses. Assuming
these users (or their representatives) all have accounts on a single
machine, we can automate the submission of keys and other information
to make up a 'sites' file for the entire VPN.

The distributed 'sites' file should be in a more restricted format
than the secnet configuration file, to prevent attackers who manage to
distribute bogus sites files from taking over their victim's machines.

The distributed 'sites' file is read one line at a time. Each line
consists of a keyword followed by other information. It defines a
number of VPNs; within each VPN it defines a number of locations;
within each location it defines a number of sites. These VPNs,
locations and sites are turned into a secnet.conf file fragment using
a script.

Some keywords are valid at any 'level' of the distributed 'sites'
file, indicating defaults.

The keywords are:

vpn n: we are now declaring information to do with VPN 'n'. Must come first.

location n: we are now declaring information for location 'n'.

site n: we are now declaring information for site 'n'.
endsite: we're finished declaring information for the current site

restrict-nets a b c ...: restrict the allowable 'networks' for the current
  level to those in this list.
end-definitions: prevent definition of further vpns and locations, and
  modification of defaults at VPN level

dh x y: the current VPN uses the specified group; x=modulus, y=generator

hash x: which hash function to use. Valid options are 'md5' and 'sha1'.

admin n: administrator email address for current level

key-lifetime n
setup-retries n
setup-timeout n
wait-time n
renegotiate-time n

address a b: a=dnsname, b=port
networks a b c ...
pubkey x y z: x=keylen, y=encryption key, z=modulus
mobile: declare this to be a 'mobile' site

** Logging etc.

There are several possible ways of running secnet:

'reporting' only: --version, --help, etc. command line options and the
--just-check-config mode.

'normal' run: perform setup in the foreground, and then background.

'failed' run: setup in the foreground, and terminate with an error
before going to background.

'reporting' modes should never output anything except to stdout/stderr.
'normal' and 'failed' runs output to stdout/stderr before
backgrounding, then thereafter output only to log destinations.

** Protocols

*** Protocol environment:

Each gateway machine serves a particular, well-known set of private IP
addresses (i.e. the agreement over which addresses it serves is
outside the scope of this discussion). Each gateway machine has an IP
address on the interconnecting network (usually the Internet), which
may be dynamically allocated and may change at any point.

Each gateway knows the RSA public keys of the other gateways with
which it wishes to communicate. The mechanism by which this happens is
outside the scope of this discussion. There exists a means by which
each gateway can look up the probable IP address of any other.

*** Protocol goals:

The ultimate goal of the protocol is for the originating gateway
machine to be able to forward packets from its section of the private
network to the appropriate gateway machine for the destination
machine, in such a way that it can be sure that the packets are being
sent to the correct destination machine, the destination machine can
be sure that the source of the packets is the originating gateway
machine, and the contents of the packets cannot be understood other
than by the two communicating gateways.

XXX not sure about the address-change stuff; leave it out of the first
version of the protocol. From experience, IP addresses seem to be
quite stable so the feature doesn't gain us much.

**** Protocol sub-goal 1: establish a shared key

Definitions:

A is the originating gateway machine name
B is the destination gateway machine name
A+ and B+ are the names with optional additional data, see below
PK_A is the public RSA key of A
PK_B is the public RSA key of B
PK_A^-1 is the private RSA key of A
PK_B^-1 is the private RSA key of B
x is the fresh private DH key of A
y is the fresh private DH key of B
k is g^xy mod m
g and m are generator and modulus for Diffie-Hellman
nA is a nonce generated by A
nB is a nonce generated by B
iA is an index generated by A, to be used in packets sent from B to A
iB is an index generated by B, to be used in packets sent from A to B
i? is appropriate index for receiver

Note that 'i' may be re-used from one session to the next, whereas 'n'
is always fresh.

The optional additional data after the sender's name consists of some
initial subset of the following list of items:
 * A 32-bit integer with a set of capability flags, representing the
   abilities of the sender.
 * In MSG3/MSG4: a 16-bit integer being the sender's MTU, or zero.
   (In other messages: nothing.)  See below.
 * More data which is yet to be defined and which must be ignored
   by receivers.
The optional additional data after the receiver's name is not
currently used.  If any is seen, it must be ignored.

Capability flag bits must be in one the following two categories:

1. Early capability flags must be advertised in MSG1 or MSG2, as
   applicable.  If MSG3 or MSG4 advertise any "early" capability bits,
   MSG1 or MSG3 (as applicable) must have advertised them too.  Sadly,
   advertising an early capability flag will produce MSG1s which are
   not understood by versions of secnet which predate the capability
   mechanism.

2. Late capability flags are advertised in MSG2 or MSG3, as
   applicable.  They may also appear in MSG1, but this is not
   guaranteed.  MSG4 must advertise the same set as MSG2.

Currently, the low 16 bits are allocated for negotiating bulk-crypto
transforms.  Bits 8 to 15 are used by Secnet as default capability
numbers for the various kinds of transform closures: bit 8 is for the
original CBCMAC-based transform, and bit 9 for the new EAX transform;
bits 10 to 15 are reserved for future expansion.  The the low eight bits
are reserved for local use, e.g., to allow migration from one set of
parameters for a particular transform to a different, incompatible set
of parameters for the same transform.  The high 16 bits have not yet
been assigned a purpose.

No early capability bits are currently defined.


MTU handling

In older versions of secnet, secnet was not capable of fragmentation
or sending ICMP Frag Needed.  Administrators were expected to configure
consistent MTUs across the network.

It is still the case in the current version that the MTUs need to be
configured reasonably coherently across the network: the allocated
buffer sizes must be sufficient to cope with packets from all other
peers.

However, provided the buffers are sufficient, all packets will be
processed properly: a secnet receiving a packet larger than the
applicable MTU for its delivery will either fragment it, or reject it
with ICMP Frag Needed.

The MTU additional data field allows secnet to advertise an MTU to the
peer.  This allows the sending end to handle overlarge packets, before
they are transmitted across the underlying public network.  This can
therefore be used to work around underlying network braindamage
affecting large packets.

If the MTU additional data field is zero or not present, then the peer
should use locally-configured MTU information (normally, its local
netlink MTU) instead.

If it is nonzero, the peer may send packets up to the advertised size
(and if that size is bigger than the peer's administratively
configured size, the advertiser promises that its buffers can handle
such a large packet).

A secnet instance should not assume that just because it has
advertised an mtu which is lower than usual for the vpn, the peer will
honour it, unless the administrator knows that the peers are
sufficiently modern to understand the mtu advertisement option.  So
secnet will still accept packets which exceed the link MTU (whether
negotiated or assumed).


Messages:

1) A->B: *,iA,msg1,A+,B+,nA

i* must be encoded as 0.  (However, it is permitted for a site to use
zero as its "index" for another site.)

2) B->A: iA,iB,msg2,B+,A+,nB,nA

(The order of B and A reverses in alternate messages so that the same
code can be used to construct them...)

3) A->B: {iB,iA,msg3,A+,B+,[chosen-transform],nA,nB,g^x mod m}_PK_A^-1

If message 1 was a replay then A will not generate message 3, because
it doesn't recognise nA.

If message 2 was from an attacker then B will not generate message 4,
because it doesn't recognise nB.

4) B->A: {iA,iB,msg4,B+,A+,nB,nA,g^y mod m}_PK_B^-1

At this point, A and B share a key, k. B must keep retransmitting
message 4 until it receives a packet encrypted using key k.

5) A: iB,iA,msg5,(ping/msg5)_k

6) B: iA,iB,msg6,(pong/msg6)_k

(Note that these are encrypted using the same transform that's used
for normal traffic, so they include sequence number, MAC, etc.)

The ping and pong messages can be used by either end of the tunnel at
any time, but using msg0 as the unencrypted message type indicator.

**** Protocol sub-goal 2: end the use of a shared key

7) i?,i?,msg0,(end-session/msg7,A,B)_k

This message can be sent by either party. Once sent, k can be
forgotten. Once received and checked, k can be forgotten. No need to
retransmit or confirm reception. It is suggested that this message be
sent when a key times out, or the tunnel is forcibly terminated for
some reason.

**** Protocol sub-goal 3: send a packet

8) i?,i?,msg0,(send-packet/msg9,packet)_k

**** Other messages

9) i?,i?,NAK (NAK is encoded as zero)

If the link-layer can't work out what to do with a packet (session has
gone away, etc.) it can transmit a NAK back to the sender.

This can alert the sender to the situation where the sender has a key
but the receiver doesn't (eg because it has been restarted).  The
sender, on receiving the NAK, will try to initiate a key exchange.

Forged (or overly delayed) NAKs can cause wasted resources due to
spurious key exchange initiation, but there is a limit on this because
of the key exchange retry timeout.

10) i?,i?,msg8,A,B,nA,nB,msg?

This is an obsolete form of NAK packet which is not sent by any even
vaguely recent version of secnet.  (In fact, there is no evidence in
the git history of it ever being sent.)

This message number is reserved.

11) *,*,PROD,A,B

Sent in response to a NAK from B to A.  Requests that B initiates a
key exchange with A, if B is willing and lacks a transport key for A.
(If B doesn't have A's address configured, implicitly supplies A's
public address.)

This is necessary because if one end of a link (B) is restarted while
a key exchange is in progress, the following bad state can persist:
the non-restarted end (A) thinks that the key is still valid and keeps
sending packets, but B either doesn't realise that a key exchange with
A is necessary or (if A is a mobile site) doesn't know A's public IP
address.

Normally in these circumstances B would send NAKs to A, causing A to
initiate a key exchange.  However if A and B were already in the
middle of a key exchange then A will not want to try another one until
the first one has timed out ("setup-time" x "setup-retries") and then
the key exchange retry timeout ("wait-time") has elapsed.

However if B's setup has timed out, B would be willing to participate
in a key exchange initiated by A, if A could be induced to do so.
This is the purpose of the PROD packet.

We send no more PRODs than we would want to send data packets, to
avoid a traffic amplification attack.  We also send them only in state
WAIT, as in other states we wouldn't respond favourably.  And we only
honour them if we don't already have a key.

With PROD, the period of broken communication due to a key exchange
interrupted by a restart is limited to the key exchange total
retransmission timeout, rather than also including the key exchange
retry timeout.
Commit	Line	Data
974d0468	1	* Design of new, multi-subnet secnet protocol
2fe58dfd	2
974d0468 SE	3	Like the first (1995/6) version, we're tunnelling IP packets inside
	4	UDP packets. To defeat various restrictions which may be imposed on us
	5	by network providers (like the prohibition of incoming TCP
	6	connections) we're sticking with UDP for everything this time,
3454dce4	7	including key setup. This means we have to handle retries, etc.
2fe58dfd SE	8
	9	Other new features include being able to deal with subnets hidden
	10	behind changing 'real' IP addresses, and the ability to choose
	11	algorithms and keys per pair of communicating sites.
	12
	13	** Configuration and structure
	14
3454dce4 SE	15	[The original plan]
3454dce4 SE	16
2fe58dfd SE	17	The network is made up from a number of 'sites'. These are collections
	18	of machines with private IP addresses. The new secnet code runs on
	19	machines which have interfaces on the private site network and some
	20	way of accessing the 'real' internet.
	21
	22	Each end of a tunnel is identified by a name. Often it will be
	23	convenient for every gateway machine to use the same name for each
	24	tunnel endpoint, but this is not vital. Individual tunnels are
	25	identified by their two endpoint names.
	26
3454dce4 SE	27	[The new plan]
	28
	29	It appears that people want to be able to use secnet on mobile
	30	machines like laptops as well as to interconnect sites. In particular,
	31	they want to be able to use their laptop in three situations:
	32
	33	1) connected to their internal LAN by a cable; no tunnel involved
	34	2) connected via wireless, using a tunnel to protect traffic
	35	3) connected to some other network, using a tunnel to access the
	36	internal LAN.
	37
	38	They want the laptop to keep the same IP address all the time.
	39
	40	Case (1) is simple.
	41
	42	Case (2) requires that the laptop run a copy of secnet, and have a
	43	tunnel configured between it and the main internal LAN default
	44	gateway. secnet must support the concept of a 'soft' tunnel where it
	45	adds a route and causes the gateway to do proxy-ARP when the tunnel is
	46	up, and removes the route again when the tunnel is down.
	47
	48	The usual prohibition of packets coming in from one tunnel and going
	49	out another must be relaxed in this case (in particular, the
	50	destination address of packets from these 'mobile station' tunnels may
	51	be another tunnel as well as the host).
	52
	53	(Quick sanity check: if chiark's secnet address was in
	54	192.168.73.0/24, would this work properly? Yes, because there will be
	55	an explicit route to it, and proxy ARP will be done for it. Do we want
	56	packets from the chiark tunnel to be able to go out along other
	57	routes? No. So, spotting a 'local' address in a remote site's list of
	58	networks isn't sufficient to switch on routing for a site. We need an
	59	explicit option. NB packets may be routed if the source OR the
	60	destination is marked as allowing routing [otherwise packets couldn't
	61	get back from eg. chiark to a laptop at greenend]).
	62
4f5e39ec SE	63	[the even newer plan]
	64
	65	secnet sites are configured to grant access to particular IP address
	66	ranges to the holder of a particular public key. The key can certify
	67	other keys, which will then be permitted to use a subrange of the IP
	68	address range of the certifying key.
	69
	70	This means that secnet won't know in advance (i.e. at configuration
	71	time) how many tunnels it might be required to support, so we have to
	72	be able to create them (and routes, and so on) on the fly.
	73
3454dce4 SE	74	** VPN-level configuration
	75
	76	At a high level we just want to be able to indicate which groups of
	77	users can claim ownership of which ranges of IP addresses. Assuming
	78	these users (or their representatives) all have accounts on a single
	79	machine, we can automate the submission of keys and other information
	80	to make up a 'sites' file for the entire VPN.
	81
	82	The distributed 'sites' file should be in a more restricted format
	83	than the secnet configuration file, to prevent attackers who manage to
	84	distribute bogus sites files from taking over their victim's machines.
	85
	86	The distributed 'sites' file is read one line at a time. Each line
	87	consists of a keyword followed by other information. It defines a
	88	number of VPNs; within each VPN it defines a number of locations;
	89	within each location it defines a number of sites. These VPNs,
	90	locations and sites are turned into a secnet.conf file fragment using
	91	a script.
	92
	93	Some keywords are valid at any 'level' of the distributed 'sites'
	94	file, indicating defaults.
	95
	96	The keywords are:
	97
	98	vpn n: we are now declaring information to do with VPN 'n'. Must come first.
	99
	100	location n: we are now declaring information for location 'n'.
	101
	102	site n: we are now declaring information for site 'n'.
	103	endsite: we're finished declaring information for the current site
	104
	105	restrict-nets a b c ...: restrict the allowable 'networks' for the current
	106	level to those in this list.
	107	end-definitions: prevent definition of further vpns and locations, and
	108	modification of defaults at VPN level
	109
	110	dh x y: the current VPN uses the specified group; x=modulus, y=generator
	111
	112	hash x: which hash function to use. Valid options are 'md5' and 'sha1'.
	113
	114	admin n: administrator email address for current level
	115
	116	key-lifetime n
	117	setup-retries n
	118	setup-timeout n
	119	wait-time n
	120	renegotiate-time n
	121
	122	address a b: a=dnsname, b=port
	123	networks a b c ...
	124	pubkey x y z: x=keylen, y=encryption key, z=modulus
	125	mobile: declare this to be a 'mobile' site
	126
b2a56f7c SE	127	** Logging etc.
	128
	129	There are several possible ways of running secnet:
	130
	131	'reporting' only: --version, --help, etc. command line options and the
	132	--just-check-config mode.
	133
	134	'normal' run: perform setup in the foreground, and then background.
	135
	136	'failed' run: setup in the foreground, and terminate with an error
	137	before going to background.
	138
	139	'reporting' modes should never output anything except to stdout/stderr.
	140	'normal' and 'failed' runs output to stdout/stderr before
	141	backgrounding, then thereafter output only to log destinations.
	142
2fe58dfd SE	143	** Protocols
	144
	145	*** Protocol environment:
	146
	147	Each gateway machine serves a particular, well-known set of private IP
	148	addresses (i.e. the agreement over which addresses it serves is
	149	outside the scope of this discussion). Each gateway machine has an IP
	150	address on the interconnecting network (usually the Internet), which
	151	may be dynamically allocated and may change at any point.
	152
	153	Each gateway knows the RSA public keys of the other gateways with
	154	which it wishes to communicate. The mechanism by which this happens is
	155	outside the scope of this discussion. There exists a means by which
	156	each gateway can look up the probable IP address of any other.
	157
	158	*** Protocol goals:
	159
	160	The ultimate goal of the protocol is for the originating gateway
	161	machine to be able to forward packets from its section of the private
	162	network to the appropriate gateway machine for the destination
	163	machine, in such a way that it can be sure that the packets are being
	164	sent to the correct destination machine, the destination machine can
	165	be sure that the source of the packets is the originating gateway
	166	machine, and the contents of the packets cannot be understood other
	167	than by the two communicating gateways.
	168
	169	XXX not sure about the address-change stuff; leave it out of the first
	170	version of the protocol. From experience, IP addresses seem to be
	171	quite stable so the feature doesn't gain us much.
	172
	173	**** Protocol sub-goal 1: establish a shared key
	174
	175	Definitions:
	176
1737eeef IJ	177	A is the originating gateway machine name
1737eeef IJ	178	B is the destination gateway machine name
09a385fb	179	A+ and B+ are the names with optional additional data, see below
2fe58dfd SE	180	PK_A is the public RSA key of A
	181	PK_B is the public RSA key of B
	182	PK_A^-1 is the private RSA key of A
	183	PK_B^-1 is the private RSA key of B
	184	x is the fresh private DH key of A
	185	y is the fresh private DH key of B
	186	k is g^xy mod m
	187	g and m are generator and modulus for Diffie-Hellman
	188	nA is a nonce generated by A
	189	nB is a nonce generated by B
	190	iA is an index generated by A, to be used in packets sent from B to A
	191	iB is an index generated by B, to be used in packets sent from A to B
	192	i? is appropriate index for receiver
	193
	194	Note that 'i' may be re-used from one session to the next, whereas 'n'
	195	is always fresh.
	196
09a385fb IJ	197	The optional additional data after the sender's name consists of some
	198	initial subset of the following list of items:
	199	* A 32-bit integer with a set of capability flags, representing the
	200	abilities of the sender.
3ed1846a IJ	201	* In MSG3/MSG4: a 16-bit integer being the sender's MTU, or zero.
3ed1846a IJ	202	(In other messages: nothing.) See below.
09a385fb IJ	203	* More data which is yet to be defined and which must be ignored
	204	by receivers.
	205	The optional additional data after the receiver's name is not
	206	currently used. If any is seen, it must be ignored.
	207
	208	Capability flag bits must be in one the following two categories:
	209
	210	1. Early capability flags must be advertised in MSG1 or MSG2, as
	211	applicable. If MSG3 or MSG4 advertise any "early" capability bits,
	212	MSG1 or MSG3 (as applicable) must have advertised them too. Sadly,
	213	advertising an early capability flag will produce MSG1s which are
	214	not understood by versions of secnet which predate the capability
	215	mechanism.
	216
	217	2. Late capability flags are advertised in MSG2 or MSG3, as
	218	applicable. They may also appear in MSG1, but this is not
	219	guaranteed. MSG4 must advertise the same set as MSG2.
	220
0b5df556 MW	221	Currently, the low 16 bits are allocated for negotiating bulk-crypto
	222	transforms. Bits 8 to 15 are used by Secnet as default capability
	223	numbers for the various kinds of transform closures: bit 8 is for the
	224	original CBCMAC-based transform, and bit 9 for the new EAX transform;
	225	bits 10 to 15 are reserved for future expansion. The the low eight bits
	226	are reserved for local use, e.g., to allow migration from one set of
	227	parameters for a particular transform to a different, incompatible set
	228	of parameters for the same transform. The high 16 bits have not yet
	229	been assigned a purpose.
	230
	231	No early capability bits are currently defined.
09a385fb	232
ff05a229	233
3ed1846a IJ	234	MTU handling
	235
	236	In older versions of secnet, secnet was not capable of fragmentation
	237	or sending ICMP Frag Needed. Administrators were expected to configure
	238	consistent MTUs across the network.
	239
	240	It is still the case in the current version that the MTUs need to be
	241	configured reasonably coherently across the network: the allocated
	242	buffer sizes must be sufficient to cope with packets from all other
	243	peers.
	244
	245	However, provided the buffers are sufficient, all packets will be
	246	processed properly: a secnet receiving a packet larger than the
	247	applicable MTU for its delivery will either fragment it, or reject it
	248	with ICMP Frag Needed.
	249
	250	The MTU additional data field allows secnet to advertise an MTU to the
	251	peer. This allows the sending end to handle overlarge packets, before
	252	they are transmitted across the underlying public network. This can
	253	therefore be used to work around underlying network braindamage
	254	affecting large packets.
	255
	256	If the MTU additional data field is zero or not present, then the peer
	257	should use locally-configured MTU information (normally, its local
	258	netlink MTU) instead.
	259
	260	If it is nonzero, the peer may send packets up to the advertised size
	261	(and if that size is bigger than the peer's administratively
	262	configured size, the advertiser promises that its buffers can handle
	263	such a large packet).
	264
	265	A secnet instance should not assume that just because it has
	266	advertised an mtu which is lower than usual for the vpn, the peer will
	267	honour it, unless the administrator knows that the peers are
	268	sufficiently modern to understand the mtu advertisement option. So
	269	secnet will still accept packets which exceed the link MTU (whether
	270	negotiated or assumed).
	271
	272
2fe58dfd SE	273	Messages:
2fe58dfd SE	274
7e29719e IJ	275	1) A->B: *,iA,msg1,A+,B+,nA
	276
	277	i* must be encoded as 0. (However, it is permitted for a site to use
	278	zero as its "index" for another site.)
2fe58dfd	279
1737eeef	280	2) B->A: iA,iB,msg2,B+,A+,nB,nA
2fe58dfd SE	281
	282	(The order of B and A reverses in alternate messages so that the same
	283	code can be used to construct them...)
	284
5b5f297f	285	3) A->B: {iB,iA,msg3,A+,B+,[chosen-transform],nA,nB,g^x mod m}_PK_A^-1
2fe58dfd SE	286
	287	If message 1 was a replay then A will not generate message 3, because
	288	it doesn't recognise nA.
	289
	290	If message 2 was from an attacker then B will not generate message 4,
	291	because it doesn't recognise nB.
	292
1737eeef	293	4) B->A: {iA,iB,msg4,B+,A+,nB,nA,g^y mod m}_PK_B^-1
2fe58dfd SE	294
	295	At this point, A and B share a key, k. B must keep retransmitting
	296	message 4 until it receives a packet encrypted using key k.
	297
	298	5) A: iB,iA,msg5,(ping/msg5)_k
	299
	300	6) B: iA,iB,msg6,(pong/msg6)_k
	301
	302	(Note that these are encrypted using the same transform that's used
	303	for normal traffic, so they include sequence number, MAC, etc.)
	304
	305	The ping and pong messages can be used by either end of the tunnel at
	306	any time, but using msg0 as the unencrypted message type indicator.
	307
	308	**** Protocol sub-goal 2: end the use of a shared key
	309
	310	7) i?,i?,msg0,(end-session/msg7,A,B)_k
	311
	312	This message can be sent by either party. Once sent, k can be
	313	forgotten. Once received and checked, k can be forgotten. No need to
	314	retransmit or confirm reception. It is suggested that this message be
	315	sent when a key times out, or the tunnel is forcibly terminated for
	316	some reason.
	317
1e80c220	318	**** Protocol sub-goal 3: send a packet
2fe58dfd	319
1e80c220	320	8) i?,i?,msg0,(send-packet/msg9,packet)_k
2fe58dfd	321
1e80c220	322	**** Other messages
974d0468	323
1e80c220	324	9) i?,i?,NAK (NAK is encoded as zero)
2fe58dfd	325
1e80c220 IJ	326	If the link-layer can't work out what to do with a packet (session has
1e80c220 IJ	327	gone away, etc.) it can transmit a NAK back to the sender.
2fe58dfd	328
1e80c220 IJ	329	This can alert the sender to the situation where the sender has a key
	330	but the receiver doesn't (eg because it has been restarted). The
	331	sender, on receiving the NAK, will try to initiate a key exchange.
4f5e39ec	332
1e80c220 IJ	333	Forged (or overly delayed) NAKs can cause wasted resources due to
	334	spurious key exchange initiation, but there is a limit on this because
	335	of the key exchange retry timeout.
4f5e39ec SE	336
4f5e39ec SE	337	10) i?,i?,msg8,A,B,nA,nB,msg?
1e80c220 IJ	338
	339	This is an obsolete form of NAK packet which is not sent by any even
	340	vaguely recent version of secnet. (In fact, there is no evidence in
	341	the git history of it ever being sent.)
	342
	343	This message number is reserved.
dd9209d1 IJ	344
	345	11) ,,PROD,A,B
	346
	347	Sent in response to a NAK from B to A. Requests that B initiates a
	348	key exchange with A, if B is willing and lacks a transport key for A.
	349	(If B doesn't have A's address configured, implicitly supplies A's
	350	public address.)
	351
	352	This is necessary because if one end of a link (B) is restarted while
	353	a key exchange is in progress, the following bad state can persist:
	354	the non-restarted end (A) thinks that the key is still valid and keeps
	355	sending packets, but B either doesn't realise that a key exchange with
	356	A is necessary or (if A is a mobile site) doesn't know A's public IP
	357	address.
	358
	359	Normally in these circumstances B would send NAKs to A, causing A to
	360	initiate a key exchange. However if A and B were already in the
	361	middle of a key exchange then A will not want to try another one until
	362	the first one has timed out ("setup-time" x "setup-retries") and then
	363	the key exchange retry timeout ("wait-time") has elapsed.
	364
	365	However if B's setup has timed out, B would be willing to participate
	366	in a key exchange initiated by A, if A could be induced to do so.
	367	This is the purpose of the PROD packet.
	368
	369	We send no more PRODs than we would want to send data packets, to
	370	avoid a traffic amplification attack. We also send them only in state
	371	WAIT, as in other states we wouldn't respond favourably. And we only
	372	honour them if we don't already have a key.
	373
	374	With PROD, the period of broken communication due to a key exchange
	375	interrupted by a restart is limited to the key exchange total
	376	retransmission timeout, rather than also including the key exchange
	377	retry timeout.