--- gvpe/doc/gvpe.5.pod 2013/07/10 01:51:40 1.10 +++ gvpe/doc/gvpe.5.pod 2016/11/02 06:58:35 1.13 @@ -68,8 +68,8 @@ =item EASY TO SETUP A few lines of config (the config file is shared unmodified between all -hosts) and a single run of C to generate the keys suffices to -make it work. +hosts) and generating an RSA key-pair on each node suffices to make it +work. =item MAC-BASED SECURITY @@ -119,8 +119,8 @@ Minimize the header overhead of VPN packets (the above will result in only 4 bytes of overhead over the raw ethernet frame). This is a insecure -configuration because a HMAC length of 4 makes collision attacks based on -the birthday paradox pretty easy. +configuration because a HMAC length of 4 makes collision attacks almost +trivial. =head2 MINIMIZE CPU TIME REQUIRED @@ -132,11 +132,11 @@ =head2 MAXIMIZE SECURITY - ./configure --enable-hmac-length=16 --enable-rand-length=16 --enable-digest=sha384 + ./configure --enable-hmac-length=16 --enable-rand-length=12 --enable-digest=ripemd610 This uses a 16 byte HMAC checksum to authenticate packets (I guess 8-12 would also be pretty secure ;) and will additionally prefix each packet -with 16 bytes of random data. +with 12 bytes of random data. In general, remember that AES-128 seems to be as secure but faster than AES-192 or AES-256, more randomness helps against sniffing and a longer 
@@ -191,39 +191,43 @@ or other means of pseudo-bridging, or (best) full routing - the choice is yours. -=head2 STEP 2: create the RSA key pairs for all hosts +=head2 STEP 2: create the RSA key pair for each node -Run the following command to generate all key pairs for all nodes (that -might take a while): +Next you have to generate the RSA keys for the nodes. While you can set +up GVPE so you can generate all keys on a single host and centrally +distribute all keys, it is safer to generate the key for each node on the +node, so that the secret/private key does not have to be copied over the +network. - gvpectrl -c /etc/gvpe -g +To do so, run the following command to generate a key pair: -This command will put the public keys into C<< -/etc/gvpe/pubkeys/I >> and the private keys into C<< -/etc/gvpe/hostkeys/I >>. + gvpectrl -c /etc/gvpe -g nodekey -=head2 STEP 3: distribute the config files to all nodes +This will create two files, F and F. The former +should be copied to F<< /etc/gvpe/pubkey/I >> on the host where +your config file is (you will have to create the F directory +first): + + scp nodekey confighost:/etc/gvpe/pubkey/nodename -Now distribute the config files and private keys to the other nodes. This -should be done in two steps, since only the private keys meant for a node -should be distributed (so each node has only it's own private key). +The private key F should be moved to F: -The example uses rsync-over-ssh + mkdir -p /etc/gvpe + mv nodekey.privkey /etc/gvpe/hostkey -First all the config files without the hostkeys should be distributed: +=head2 STEP 3: distribute the config files to all nodes - rsync -avzessh /etc/gvpe first.example.net:/etc/. --exclude hostkeys - rsync -avzessh /etc/gvpe 133.55.82.9:/etc/. --exclude hostkeys - rsync -avzessh /etc/gvpe third.example.net:/etc/. --exclude hostkeys +Now distribute the config files and public keys to the other nodes. 
-Then the hostkeys should be copied: +The example uses rsync-over-ssh to copy the config file and all the public +keys: - rsync -avzessh /etc/gvpe/hostkeys/first first.example.net:/etc/hostkey - rsync -avzessh /etc/gvpe/hostkeys/second 133.55.82.9:/etc/hostkey - rsync -avzessh /etc/gvpe/hostkeys/third third.example.net:/etc/hostkey + rsync -avzessh /etc/gvpe first.example.net:/etc/. --exclude hostkey + rsync -avzessh /etc/gvpe 133.55.82.9:/etc/. --exclude hostkey + rsync -avzessh /etc/gvpe third.example.net:/etc/. --exclude hostkey -You should now check the configuration by issuing the command C on each node and verify it's output. +You should now check the configuration by issuing the command C on each node and verify it's output. =head2 STEP 4: starting gvpe @@ -248,9 +252,28 @@ ... and play around. Sending a -HUP (C) to the daemon will make it try to connect to all other nodes again. If you run it from -inittab, as is recommended, C (or simply C) will -kill the daemon, start it again, making it read it's configuration files -again. +inittab C (or simply C) will kill the daemon, +start it again, making it read it's configuration files again. + +To run the GVPE daemon permanently from your SysV init, you can add it to +your F, e.g.: + + t1:2345:respawn:/bin/sh -c "exec nice -n-20 /path/to/gvpe -D node >/var/log/gvpe.log 2>&1" + +For systems using systemd, you can use a unit file similar to this one: + + [Unit] + Description=gvpe + After=network.target + Before=remote-fs.target + + [Service] + ExecStart=/path/to/gvpe -D node + KillMode=process + Restart=always + + [Install] + WantedBy=multi-user.target =head1 SEE ALSO
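Review bot: the reworded rationale in the `--enable-hmac-length=4` paragraph ("makes collision attacks almost trivial") is vaguer than the line it replaces and still mislabels the risk; a 4-byte tag is 32 bits of authentication strength, so the problem is that forged tags are cheap to produce, not collisions. Suggest stating it directly, e.g. "This is an insecure configuration because a 4-byte HMAC provides only 32 bits of authentication, so forged packets are easy to produce." (also "a insecure" should be "an insecure").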
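Review bot: `--enable-digest=ripemd610` in the MAXIMIZE SECURITY configure line is not a digest name OpenSSL provides; `ripemd160` is presumably what was meant. Separately, swapping SHA-384 for a 160-bit digest and cutting `--enable-rand-length` from 16 to 12 in a section titled MAXIMIZE SECURITY reads as a weakening rather than a maximum; if the intent is a cheaper "secure enough" recommendation, say so in the prose, otherwise keep the stronger values here.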
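Review bot: STEP 2 tells the reader the pubkey directory has to be created first but shows no command for it, while the hostkey side does show `mkdir -p`; add `mkdir -p /etc/gvpe/pubkey` on the config host next to `scp nodekey confighost:/etc/gvpe/pubkey/nodename`. The `mv nodekey.privkey /etc/gvpe/hostkey` step should also restrict the private key's permissions (e.g. `chmod 600 /etc/gvpe/hostkey`), since the whole point of the rewritten STEP 2 is that this file never leaves the node. The added "verify it's output" line also carries the its/it's typo over from the removed one.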
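Review bot: the reworded sentence "If you run it from inittab C (or simply C) will kill the daemon" dropped the comma after "inittab" that the removed line had, and "read it's configuration files" keeps the its/it's typo. In the systemd unit, `KillMode=process` combined with `Restart=always` means only the main gvpe process is killed on stop/restart and any children it spawned are left running; if that is intended it deserves a sentence, otherwise the default `control-group` is the safer choice. The unit is also ordered only `After=network.target`, so on boot it may start before any interface is configured; `After=network-online.target` plus `Wants=network-online.target` would avoid the initial burst of failed connection attempts.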