\input texinfo @c -*-texinfo-*-
-@c $Id: tinc.texi,v 1.8.4.24 2002/03/25 15:01:32 guus Exp $
+@c $Id: tinc.texi,v 1.8.4.28 2002/04/09 11:43:29 guus Exp $
@c %**start of header
@setfilename tinc.info
@settitle tinc Manual
<itimmermans@@bigfoot.com>, Guus Sliepen <guus@@sliepen.warande.net> and
Wessel Dankers <wsl@@nl.linux.org>.
-$Id: tinc.texi,v 1.8.4.24 2002/03/25 15:01:32 guus Exp $
+$Id: tinc.texi,v 1.8.4.28 2002/04/09 11:43:29 guus Exp $
Permission is granted to make and distribute verbatim copies of this
manual provided the copyright notice and this permission notice are
<itimmermans@@bigfoot.com>, Guus Sliepen <guus@@sliepen.warande.net> and
Wessel Dankers <wsl@@nl.linux.org>.
-$Id: tinc.texi,v 1.8.4.24 2002/03/25 15:01:32 guus Exp $
+$Id: tinc.texi,v 1.8.4.28 2002/04/09 11:43:29 guus Exp $
Permission is granted to make and distribute verbatim copies of this
manual provided the copyright notice and this permission notice are
connection with that host.
@cindex Subnet
-@item Subnet = <address[/masklength]>
+@item Subnet = <address[/prefixlength]>
The subnet which this tinc daemon will serve.
tinc tries to look up which other daemon it should send a packet to by searching the appropiate subnet.
If the packet matches a subnet,
Subnets can either be single MAC, IPv4 or IPv6 addresses,
in which case a subnet consisting of only that single address is assumed,
-or they can be a IPv4 or IPv6 network address with a masklength.
+or they can be a IPv4 or IPv6 network address with a prefixlength.
+Shorthand notations are not supported.
For example, IPv4 subnets must be in a form like 192.168.1.0/24,
where 192.168.1.0 is the network address and 24 is the number of bits set in the netmask.
Note that subnets like 192.168.1.1/24 are invalid!
MAC addresses are notated like 0:1a:2b:3c:4d:5e.
@cindex CIDR notation
-masklength is the number of bits set to 1 in the netmask part; for
+prefixlength is the number of bits set to 1 in the netmask part; for
example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
/22. This conforms to standard CIDR notation as described in
@uref{ftp://ftp.isi.edu/in-notes/rfc1519.txt, RFC1519}
If this variable is set to yes, then the packets are tunnelled over a
TCP connection instead of a UDP connection. This is especially useful
for those who want to run a tinc daemon from behind a masquerading
-firewall, or if UDP packet routing is disabled somehow. This is
-experimental code, try this at your own risk. It may not work at all.
+firewall, or if UDP packet routing is disabled somehow.
Setting this options also implicitly sets IndirectData.
@end table
@item Something is not configured right. Packets are being sent out to the
virtual network device, but according to the Subnet directives in your host configuration
file, those packets should go to your own host. Most common mistake is that
-you have a Subnet line in your host configuration file with a netmask which is
-just as large as the netmask of the virtual network interface. The latter should in almost all
+you have a Subnet line in your host configuration file with a prefix length which is
+just as large as the prefix of the virtual network interface. The latter should in almost all
cases be larger. Rethink your configuration.
Note that you will only see this message if you specified a debug
level of 5 or higher!
@item Add the `ifconfig $INTERFACE -arp' to tinc-up.
@end itemize
-@item Network address and subnet mask do not match!
+@item Network address and prefix length do not match!
@itemize
@item The Subnet field must contain a @emph{network} address.
+------------------> name of node on one side of the edge
origin ADD_SUBNET node 192.168.1.0/24
- | | +--> masklength
+ | | +--> prefixlength
| +--------> IPv4 network address
+------------------> owner of this subnet
--------------------------------------------------------------------------
But in order to be ``immune'' to eavesdropping, you'll have to encrypt
your data. Because tinc is a @emph{Secure} VPN (SVPN) daemon, it does
exactly that: encrypt.
-tinc uses blowfish encryption in CBC mode, sequence numbers and message authentication codes
-to make sure eavesdroppers cannot get and cannot change any information at all from the packets they can intercept.
+tinc by default uses blowfish encryption with 128 bit keys in CBC mode, 32 bit
+sequence numbers and 4 byte long message authentication codes to make sure
+eavesdroppers cannot get and cannot change any information at all from the
+packets they can intercept. The encryption algorithm and message authentication
+algorithm can be changed in the configuration. The length of the message
+authentication codes is also adjustable. The length of the key for the
+encryption algorithm is always the default length used by OpenSSL.
@menu
* Authentication protocol::