X-Git-Url: https://git.distorted.org.uk/~mdw/secnet/blobdiff_plain/3b83c93292fbf6c4e859ce513bdf54ad90733f96..446353cd8ce62c2feecafb91e7a6cbe97aaa8914:/README diff --git a/README b/README index 564b216..3736b89 100644 --- a/README +++ b/README @@ -285,12 +285,14 @@ site: dict argument setup-retries (integer): max number of times to transmit a key negotiation packet [5] setup-timeout (integer): time between retransmissions of key negotiation - packets, in ms [1000] + packets, in ms [2000] wait-time (integer): after failed key setup, wait this long (in ms) before allowing another attempt [20000] renegotiate-time (integer): if we see traffic on the link after this time - then renegotiate another session key immediately [depends on key-lifetime] - keepalive (bool): if True then attempt always to keep a valid session key + then renegotiate another session key immediately (in ms) + [half key-lifetime, or key-lifetime minus 5 mins, whichever is longer]. + keepalive (bool): if True then attempt always to keep a valid session key. + Not actually currently implemented. [false] log-events (string list): types of events to log for this site unexpected: unexpected key setup packets (may be late retransmissions) setup-init: start of attempt to setup a session key @@ -302,7 +304,24 @@ site: dict argument packet-drop: whenever we throw away an outgoing packet dump-packets: every key setup packet we see errors: failure of name resolution, internal errors + peer-addrs: changes to sets of peer addresses (interesting for mobile peers) all: everything (too much!) + mobile (bool): if True then peer is "mobile" ie we assume it may + change its apparent IP address and port number without either it + or us being aware of the change; so, we remember the last several + port/addr pairs we've seen and send packets to all of them + (subject to a timeout). We maintain one set of addresses for key + setup exchanges, and another for data traffic. Two communicating + peers must not each regard the other as mobile, or all the traffic + in each direction will be triplicated (strictly, transmitted + mobile-peers-max times) and anyway two peers whose public contact + address may suddenly change couldn't communicate reliably because + their contact addresses might both change at once. [false] + mobile-peers-max (integer): Maximum number of peer port/addr pairs we + remember and send to. Must be at least 1 and no more than 5. [3] + mobile-peer-expiry (integer): For "mobile" peers only, the length + of time (in seconds) for which we will keep sending to multiple + address/ports from which we have not seen incoming traffic. [120] ** transform @@ -317,8 +336,8 @@ Defines: null-netlink: dict argument name (string): name for netlink device, used in log messages networks (string list): networks on the host side of the netlink device - exclude-remote-networks (string list): networks that may never be claimed - by any remote site using this netlink device + remote-networks (string list): networks that may be claimed + by the remote site using this netlink device local-address (string): IP address of host's tunnel interface secnet-address (string): IP address of this netlink device ptp-address (string): IP address of the other end of a point-to-point link @@ -336,7 +355,7 @@ a netlink closure: options (string list): allow-route: allow packets coming from this tunnel to be routed to other tunnels as well as the host (used for mobile devices like laptops) - soft-route: remove these routes from the host's routing table when + soft: remove these routes from the host's routing table when the tunnel link quality is zero mtu (integer): default MTU over this link; may be updated by tunnel code