129 lines
5.8 KiB
Text
129 lines
5.8 KiB
Text
This is the protocol documentation for tinc, a Virtual Private Network daemon.
|
|
|
|
Copyright 2000-2002 Guus Sliepen <guus@sliepen.warande.net>,
|
|
2000-2002 Ivo Timmmermans <itimmermans@bigfoot.com>
|
|
|
|
Permission is granted to make and distribute verbatim copies of
|
|
this documentation provided the copyright notice and this
|
|
permission notice are preserved on all copies.
|
|
|
|
Permission is granted to copy and distribute modified versions of
|
|
this documentation under the conditions for verbatim copying,
|
|
provided that the entire resulting derived work is distributed
|
|
under the terms of a permission notice identical to this one.
|
|
|
|
$Id: PROTOCOL,v 1.1.2.5 2002/02/10 21:57:51 guus Exp $
|
|
|
|
|
|
1. Protocols used in tinc
|
|
-------------------------
|
|
|
|
tinc uses several protocols to function correctly. To enter the
|
|
network of tinc daemons that make up the virtual private network, tinc
|
|
makes TCP connections to other tinc daemons. It uses the "meta
|
|
protocol" for these connections. To exchange packets on the virtual
|
|
network, UDP connections are made and the "packet protocol" is used.
|
|
Tinc also needs to exchange network packets with the kernel. This is
|
|
done using the ethertap device or the universal TUN/TAP device that
|
|
can be found in various UNIX flavours.
|
|
|
|
2. Packet protocol
|
|
------------------
|
|
|
|
Normal packets are sent without any state information, so the layout
|
|
is pretty basic.
|
|
|
|
A data packet can only be sent if the encryption key, cipher and digest are
|
|
known to both parties, and the connection is activated. If the encryption key
|
|
is not known, a request is sent to the destination using the meta connection to
|
|
retreive it.
|
|
|
|
0 1 2 3 4 5 6 7 ... 97 98 99 100
|
|
| seqno | data | MAC |
|
|
\____________________________________/\_______________/
|
|
| |
|
|
encrypted using symmetric cipher digest
|
|
|
|
The sequence number prevents replay attacks, the message authentication code
|
|
prevents altered packets from being accepted.
|
|
|
|
3. Meta protocol
|
|
----------------
|
|
|
|
The meta protocol is used to tie all tinc daemons together, and
|
|
exchange information about which tinc daemon serves which virtual
|
|
subnet.
|
|
|
|
The meta protocol consists of requests that can be sent to the other
|
|
side. Each request has a unique number and several parameters. All
|
|
requests are represented in the standard ASCII character set. It is
|
|
possible to use tools such as telnet or netcat to connect to a tinc
|
|
daemon and to read and write requests by hand, provided that one
|
|
understands the numeric codes sent.
|
|
|
|
The authentication scheme is described in the SECURITY2 file. After a
|
|
succesful authentication, the server and the client will exchange all the
|
|
information about other tinc daemons and subnets they know of, so that both
|
|
sides (and all the other tinc daemons behind them) have their information
|
|
synchronised.
|
|
|
|
daemon message
|
|
--------------------------------------------------------------------------
|
|
origin ADD_EDGE node1 12.23.34.45 655 node2 21.32.43.54 655 222 0
|
|
| | | \___________________/ | +-> options
|
|
| | | | +----> weight
|
|
| | | +----------------> see below
|
|
| | +--> UDP port
|
|
| +----------> real address
|
|
+------------------> name of node on one side of the edge
|
|
|
|
origin ADD_SUBNET node 192.168.1.0/24
|
|
| | +--> masklength
|
|
| +--------> IPv4 network address
|
|
+------------------> owner of this subnet
|
|
--------------------------------------------------------------------------
|
|
|
|
In case a connection between two daemons is closed or broken, DEL_EDGE messages
|
|
are sent to inform the other daemons of that fact. Each daemon will calculate a
|
|
new route to the the daemons, or mark them unreachable if there isn't any.
|
|
|
|
The keys used to encrypt VPN packets are not sent out directly. This is
|
|
because it would generate a lot of traffic on VPNs with many daemons, and
|
|
chances are that not every tinc daemon will ever send a packet to every
|
|
other daemon. Instead, if a daemon needs a key it sends a request for it
|
|
via the meta connection of the nearest hop in the direction of the
|
|
destination. If any hop on the way has already learned the key, it will
|
|
act as a proxy and forward its copy back to the requestor.
|
|
|
|
daemon message
|
|
--------------------------------------------------------------------------
|
|
daemon REQ_KEY origin destination
|
|
| +--> name of the tinc daemon it wants the key from
|
|
+----------> name of the daemon that wants the key
|
|
|
|
daemon ANS_KEY origin destination 4ae0b0a82d6e0078 91 64 4
|
|
| | \______________/ | | +--> MAC length
|
|
| | | | +-----> digest algorithm
|
|
| | | +--------> cipher algorithm
|
|
| | +--> 128 bits key
|
|
| +--> name of the daemon that wants the key
|
|
+----------> name of the daemon that uses this key
|
|
|
|
daemon KEY_CHANGED origin
|
|
+--> daemon that has changed it's packet key
|
|
--------------------------------------------------------------------------
|
|
|
|
There is also a mechanism to check if hosts are still alive. Since network
|
|
failures or a crash can cause a daemon to be killed without properly
|
|
shutting down the TCP connection, this is necessary to keep an up to date
|
|
connection list. Pings are sent at regular intervals, except when there
|
|
is also some other traffic.
|
|
|
|
daemon message
|
|
--------------------------------------------------------------------------
|
|
origin PING
|
|
dest. PONG
|
|
--------------------------------------------------------------------------
|
|
|
|
This basically covers everything that is sent over the meta connection by
|
|
tinc.
|