Home Explore Help
Sign In
OWEALs
/
tinc
mirror of https://tinc-vpn.org/git/tinc
2
0
Fork 0
Files Issues 0 Wiki
Tree: 0714ac6c59
Branches Tags
tinc
/
doc
/
PROTOCOL

PROTOCOL 6.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151 
  1. This is the protocol documentation for tinc, a Virtual Private Network daemon.
    2. 

  2. 

  3.    Copyright 2000-2006 Guus Sliepen <guus@tinc-vpn.org>,
    4. 

  4.              2000-2005 Ivo Timmmermans
    5. 

  5. 

  6.    Permission is granted to make and distribute verbatim copies of
    7. 

  7.    this documentation provided the copyright notice and this
    8. 

  8.    permission notice are preserved on all copies.
    9. 

  9. 

  10.    Permission is granted to copy and distribute modified versions of
    11. 

  11.    this documentation under the conditions for verbatim copying,
    12. 

  12.    provided that the entire resulting derived work is distributed
    13. 

  13.    under the terms of a permission notice identical to this one.
    14. 

  14. 

  15.    $Id$
    16. 

  16. 

  17. 

  18. 1.  Protocols used in tinc
    19. 

  19. -------------------------
    20. 

  20. 

  21. tinc uses several protocols to function correctly.  To enter the
    22. 

  22. network of tinc daemons that make up the virtual private network, tinc
    23. 

  23. makes TCP connections to other tinc daemons.  It uses the "meta
    24. 

  24. protocol" for these connections.  To exchange packets on the virtual
    25. 

  25. network, UDP connections are made and the "packet protocol" is used.
    26. 

  26. Tinc also needs to exchange network packets with the kernel.  This is
    27. 

  27. done using the ethertap device or the universal TUN/TAP device that
    28. 

  28. can be found in various UNIX flavours.
    29. 

  29. 

  30. 2.  Packet protocol
    31. 

  31. ------------------
    32. 

  32. 

  33. Normal packets are sent without any state information, so the layout
    34. 

  34. is pretty basic.
    35. 

  35. 

  36. A data packet can only be sent if the encryption key, cipher and digest are
    37. 

  37. known to both parties, and the connection is activated. If the encryption key
    38. 

  38. is not known, a request is sent to the destination using the meta connection to
    39. 

  39. retreive it.
    40. 

  40. 

  41. 0   1   2   3   4   5   6   7   ...   97  98  99  100
    42. 

  42. |     seqno     |         data        |     MAC       |
    43. 

  43. \____________________________________/\_______________/
    44. 

  44.                  |                           |
    45. 

  45.   encrypted using symmetric cipher         digest
    46. 

  46. 

  47. The sequence number prevents replay attacks, the message authentication code
    48. 

  48. prevents altered packets from being accepted.
    49. 

  49. 

  50. 3.  Meta protocol
    51. 

  51. ----------------
    52. 

  52. 

  53. The meta protocol is used to tie all tinc daemons together, and
    54. 

  54. exchange information about which tinc daemon serves which virtual
    55. 

  55. subnet.
    56. 

  56. 

  57. The meta protocol consists of requests that can be sent to the other
    58. 

  58. side.  Each request has a unique number and several parameters.  All
    59. 

  59. requests are represented in the standard ASCII character set.  It is
    60. 

  60. possible to use tools such as telnet or netcat to connect to a tinc
    61. 

  61. daemon and to read and write requests by hand, provided that one
    62. 

  62. understands the numeric codes sent.
    63. 

  63. 

  64. The authentication scheme is described in the SECURITY2 file. After a
    65. 

  65. succesful authentication, the server and the client will exchange all the
    66. 

  66. information about other tinc daemons and subnets they know of, so that both
    67. 

  67. sides (and all the other tinc daemons behind them) have their information
    68. 

  68. synchronised.
    69. 

  69. 

  70. daemon	message
    71. 

  71. --------------------------------------------------------------------------
    72. 

  72. origin	ADD_EDGE node1 node2 21.32.43.54 655 222 0
    73. 

  73.                    |     |        |       |   |  +-> options
    74. 

  74.                    |     |        |       |   +----> weight
    75. 

  75. 		           |     |        |       +--------> UDP port of node2
    76. 

  76. 		           |     |        +----------------> real address of node2
    77. 

  77. 		           |     +-------------------------> name of destination node
    78. 

  78.                    +-------------------------------> name of source node
    79. 

  79. 

  80. origin	ADD_SUBNET node 192.168.1.0/24
    81. 

  81.                      |         |     +--> prefixlength
    82. 

  82.                      |         +--------> network address
    83. 

  83.                      +------------------> owner of this subnet
    84. 

  84. --------------------------------------------------------------------------
    85. 

  85. 

  86. The ADD_EDGE messages are to inform other tinc daemons that a connection between
    87. 

  87. two nodes exist. The address of the destination node is available so that
    88. 

  88. VPN packets can be sent directly to that node.
    89. 

  89. 

  90. The ADD_SUBNET messages inform other tinc daemons that certain subnets belong
    91. 

  91. to certain nodes. tinc will use it to determine to which node a VPN packet has
    92. 

  92. to be sent.
    93. 

  93. 

  94. message
    95. 

  95. ------------------------------------------------------------------
    96. 

  96. DEL_EDGE node1 node2
    97. 

  97. 		   |     +----> name of destination node
    98. 

  98.            +----------> name of source node
    99. 

  99. 

  100. DEL_SUBNET node 192.168.1.0/24
    101. 

  101.              |         |     +--> prefixlength
    102. 

  102.              |         +--------> network address
    103. 

  103.              +------------------> owner of this subnet
    104. 

  104. ------------------------------------------------------------------
    105. 

  105. 

  106. In case a connection between two daemons is closed or broken, DEL_EDGE messages
    107. 

  107. are sent to inform the other daemons of that fact. Each daemon will calculate a
    108. 

  108. new route to the the daemons, or mark them unreachable if there isn't any.
    109. 

  109. 

  110. message
    111. 

  111. ------------------------------------------------------------------
    112. 

  112. REQ_KEY origin destination
    113. 

  113.            |       +--> name of the tinc daemon it wants the key from
    114. 

  114.            +----------> name of the daemon that wants the key      
    115. 

  115. 

  116. ANS_KEY origin destination 4ae0b0a82d6e0078 91 64 4
    117. 

  117.            |       |       \______________/ |  |  +--> MAC length
    118. 

  118.            |       |               |        |  +-----> digest algorithm
    119. 

  119.            |       |               |        +--------> cipher algorithm
    120. 

  120.            |       |               +--> 128 bits key
    121. 

  121.            |       +--> name of the daemon that wants the key
    122. 

  122.            +----------> name of the daemon that uses this key
    123. 

  123. 

  124. KEY_CHANGED origin
    125. 

  125.               +--> daemon that has changed it's packet key
    126. 

  126. --------------------------------------------------------------------------
    127. 

  127. 

  128. The keys used to encrypt VPN packets are not sent out directly. This is
    129. 

  129. because it would generate a lot of traffic on VPNs with many daemons, and
    130. 

  130. chances are that not every tinc daemon will ever send a packet to every
    131. 

  131. other daemon. Instead, if a daemon needs a key it sends a request for it
    132. 

  132. via the meta connection of the nearest hop in the direction of the
    133. 

  133. destination. If any hop on the way has already learned the key, it will
    134. 

  134. act as a proxy and forward its copy back to the requestor.
    135. 

  135. 

  136. daemon	message
    137. 

  137. --------------------------------------------------------------------------
    138. 

  138. origin	PING
    139. 

  139. dest.	PONG
    140. 

  140. --------------------------------------------------------------------------
    141. 

  141. 

  142. There is also a mechanism to check if hosts are still alive. Since network
    143. 

  143. failures or a crash can cause a daemon to be killed without properly
    144. 

  144. shutting down the TCP connection, this is necessary to keep an up to date
    145. 

  145. connection list. Pings are sent at regular intervals, except when there
    146. 

  146. is also some other traffic. A little bit of salt (random data) is added
    147. 

  147. with each PING and PONG message, to make sure that long sequences of PING/PONG
    148. 

  148. messages without any other traffic won't result in known plaintext.
    149. 

  149. 

  150. This basically covers everything that is sent over the meta connection by
    151. 

  151. tinc.
    152.