ViewVC Help
View File | Revision Log | Show Annotations | Download File
/cvs/gvpe/doc/gvpe.protocol.7
(Generate patch)

Comparing gvpe/doc/gvpe.protocol.7 (file contents):
Revision 1.9 by pcg, Mon Aug 11 16:02:16 2008 UTC vs.
Revision 1.13 by root, Fri Sep 20 11:57:03 2013 UTC

1.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.20)
2.\" 2.\"
3.\" Standard preamble: 3.\" Standard preamble:
4.\" ======================================================================== 4.\" ========================================================================
5.de Sh \" Subsection heading
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
13.de Sp \" Vertical space (when we can't use .PP) 5.de Sp \" Vertical space (when we can't use .PP)
14.if t .sp .5v 6.if t .sp .5v
15.if n .sp 7.if n .sp
16.. 8..
17.de Vb \" Begin verbatim text 9.de Vb \" Begin verbatim text
46. ds PI \(*p 38. ds PI \(*p
47. ds L" `` 39. ds L" ``
48. ds R" '' 40. ds R" ''
49'br\} 41'br\}
50.\" 42.\"
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
51.\" If the F register is turned on, we'll generate index entries on stderr for 47.\" If the F register is turned on, we'll generate index entries on stderr for
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
53.\" entries marked with X<> in POD. Of course, you'll have to process the 49.\" entries marked with X<> in POD. Of course, you'll have to process the
54.\" output yourself in some meaningful fashion. 50.\" output yourself in some meaningful fashion.
55.if \nF \{\ 51.ie \nF \{\
56. de IX 52. de IX
57. tm Index:\\$1\t\\n%\t"\\$2" 53. tm Index:\\$1\t\\n%\t"\\$2"
58.. 54..
59. nr % 0 55. nr % 0
60. rr F 56. rr F
61.\} 57.\}
62.\" 58.el \{\
63.\" For nroff, turn off justification. Always turn off hyphenation; it makes 59. de IX
64.\" way too many mistakes in technical documents. 60..
65.hy 0 61.\}
66.if n .na
67.\" 62.\"
68.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). 63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
69.\" Fear. Run. Save yourself. No user-serviceable parts. 64.\" Fear. Run. Save yourself. No user-serviceable parts.
70. \" fudge factors for nroff and troff 65. \" fudge factors for nroff and troff
71.if n \{\ 66.if n \{\
127.\} 122.\}
128.rm #[ #] #H #V #F C 123.rm #[ #] #H #V #F C
129.\" ======================================================================== 124.\" ========================================================================
130.\" 125.\"
131.IX Title "GVPE.PROTOCOL 7" 126.IX Title "GVPE.PROTOCOL 7"
132.TH GVPE.PROTOCOL 7 "2008-08-10" "2.2" "GNU Virtual Private Ethernet" 127.TH GVPE.PROTOCOL 7 "2013-07-19" "2.25" "GNU Virtual Private Ethernet"
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
133.SH "The GNU-VPE Protocols" 132.SH "The GNU-VPE Protocols"
134.IX Header "The GNU-VPE Protocols" 133.IX Header "The GNU-VPE Protocols"
135.SH "Overview" 134.SH "Overview"
136.IX Header "Overview" 135.IX Header "Overview"
137\&\s-1GVPE\s0 can make use of a number of protocols. One of them is the \s-1GNU\s0 \s-1VPE\s0 136\&\s-1GVPE\s0 can make use of a number of protocols. One of them is the \s-1GNU\s0 \s-1VPE\s0
148reliability, and robustness. 147reliability, and robustness.
149.PP 148.PP
150The following sections describe each transport protocol in more 149The following sections describe each transport protocol in more
151detail. They are sorted by overhead/efficiency, the most efficient 150detail. They are sorted by overhead/efficiency, the most efficient
152transport is listed first: 151transport is listed first:
153.Sh "\s-1RAW\s0 \s-1IP\s0" 152.SS "\s-1RAW\s0 \s-1IP\s0"
154.IX Subsection "RAW IP" 153.IX Subsection "RAW IP"
155This protocol is the best choice, performance\-wise, as the minimum 154This protocol is the best choice, performance-wise, as the minimum
156overhead per packet is only 38 bytes. 155overhead per packet is only 38 bytes.
157.PP 156.PP
158It works by sending the \s-1VPN\s0 payload using raw ip frames (using the 157It works by sending the \s-1VPN\s0 payload using raw \s-1IP\s0 frames (using the
159protocol set by \f(CW\*(C`ip\-proto\*(C'\fR). 158protocol set by \f(CW\*(C`ip\-proto\*(C'\fR).
160.PP 159.PP
161Using raw ip frames has the drawback that many firewalls block \*(L"unknown\*(R" 160Using raw \s-1IP\s0 frames has the drawback that many firewalls block \*(L"unknown\*(R"
162protocols, so this transport only works if you have full \s-1IP\s0 connectivity 161protocols, so this transport only works if you have full \s-1IP\s0 connectivity
163between nodes. 162between nodes.
164.Sh "\s-1ICMP\s0" 163.SS "\s-1ICMP\s0"
165.IX Subsection "ICMP" 164.IX Subsection "ICMP"
166This protocol offers very low overhead (minimum 42 bytes), and can 165This protocol offers very low overhead (minimum 42 bytes), and can
167sometimes tunnel through firewalls when other protocols can not. 166sometimes tunnel through firewalls when other protocols can not.
168.PP 167.PP
169It works by prepending an \s-1ICMP\s0 header with type \f(CW\*(C`icmp\-type\*(C'\fR and a code 168It works by prepending an \s-1ICMP\s0 header with type \f(CW\*(C`icmp\-type\*(C'\fR and a code
170of \f(CW255\fR. The default \f(CW\*(C`icmp\-type\*(C'\fR is \f(CW\*(C`echo\-reply\*(C'\fR, so the resulting 169of \f(CW255\fR. The default \f(CW\*(C`icmp\-type\*(C'\fR is \f(CW\*(C`echo\-reply\*(C'\fR, so the resulting
171packets look like echo replies, which looks rather strange to network 170packets look like echo replies, which looks rather strange to network
172admins. 171administrators.
173.PP 172.PP
174This transport should only be used if other transports (i.e. raw ip) are 173This transport should only be used if other transports (i.e. raw \s-1IP\s0) are
175not available or undesirable (due to their overhead). 174not available or undesirable (due to their overhead).
176.Sh "\s-1UDP\s0" 175.SS "\s-1UDP\s0"
177.IX Subsection "UDP" 176.IX Subsection "UDP"
178This is a good general choice for the transport protocol as \s-1UDP\s0 packets 177This is a good general choice for the transport protocol as \s-1UDP\s0 packets
179tunnel well through most firewalls and routers, and the overhead per 178tunnel well through most firewalls and routers, and the overhead per
180packet is moderate (minimum 58 bytes). 179packet is moderate (minimum 58 bytes).
181.PP 180.PP
182It should be used if \s-1RAW\s0 \s-1IP\s0 is not available. 181It should be used if \s-1RAW\s0 \s-1IP\s0 is not available.
183.Sh "\s-1TCP\s0" 182.SS "\s-1TCP\s0"
184.IX Subsection "TCP" 183.IX Subsection "TCP"
185This protocol is a very bad choice, as it not only has high overhead (more 184This protocol is a very bad choice, as it not only has high overhead (more
186than 60 bytes), but the transport also retries on it's own, which leads 185than 60 bytes), but the transport also retries on it's own, which leads
187to congestion when the link has moderate packet loss (as both the \s-1TCP\s0 186to congestion when the link has moderate packet loss (as both the \s-1TCP\s0
188transport and the tunneled traffic will retry, increasing congestion more 187transport and the tunneled traffic will retry, increasing congestion more
197It is an abuse of the usage a proxy was designed for, so make sure you are 196It is an abuse of the usage a proxy was designed for, so make sure you are
198allowed to use it for \s-1GVPE\s0. 197allowed to use it for \s-1GVPE\s0.
199.PP 198.PP
200This protocol also has server and client sides. If the \f(CW\*(C`tcp\-port\*(C'\fR is 199This protocol also has server and client sides. If the \f(CW\*(C`tcp\-port\*(C'\fR is
201set to zero, other nodes cannot connect to this node directly. If the 200set to zero, other nodes cannot connect to this node directly. If the
202\&\f(CW\*(C`tcp\-port\*(C'\fR is non\-zero, the node can act both as a client as well as a 201\&\f(CW\*(C`tcp\-port\*(C'\fR is non-zero, the node can act both as a client as well as a
203server. 202server.
204.Sh "\s-1DNS\s0" 203.SS "\s-1DNS\s0"
205.IX Subsection "DNS" 204.IX Subsection "DNS"
206\&\fB\s-1WARNING:\s0\fR Parsing and generating \s-1DNS\s0 packets is rather tricky. The code 205\&\fB\s-1WARNING:\s0\fR Parsing and generating \s-1DNS\s0 packets is rather tricky. The code
207almost certainly contains buffer overflows and other, likely exploitable, 206almost certainly contains buffer overflows and other, likely exploitable,
208bugs. You have been warned. 207bugs. You have been warned.
209.PP 208.PP
215traffic even if it doesn't need to transport packets. 214traffic even if it doesn't need to transport packets.
216.PP 215.PP
217In addition, the same problems as the \s-1TCP\s0 transport also plague this 216In addition, the same problems as the \s-1TCP\s0 transport also plague this
218protocol. 217protocol.
219.PP 218.PP
220It's only use is to tunnel through firewalls that do not allow direct 219Its only use is to tunnel through firewalls that do not allow direct
221internet access. Similar to using a \s-1HTTP\s0 proxy (as the \s-1TCP\s0 transport 220internet access. Similar to using a \s-1HTTP\s0 proxy (as the \s-1TCP\s0 transport
222does), it uses a local \s-1DNS\s0 server/forwarder (given by the \f(CW\*(C`dns\-forw\-host\*(C'\fR 221does), it uses a local \s-1DNS\s0 server/forwarder (given by the \f(CW\*(C`dns\-forw\-host\*(C'\fR
223configuration value) as a proxy to send and receive data as a client, 222configuration value) as a proxy to send and receive data as a client,
224and an \f(CW\*(C`NS\*(C'\fR record pointing to the \s-1GVPE\s0 server (as given by the 223and an \f(CW\*(C`NS\*(C'\fR record pointing to the \s-1GVPE\s0 server (as given by the
225\&\f(CW\*(C`dns\-hostname\*(C'\fR directive). 224\&\f(CW\*(C`dns\-hostname\*(C'\fR directive).
226.PP 225.PP
227The only good side of this protocol is that it can tunnel through most 226The only good side of this protocol is that it can tunnel through most
228firewalls mostly undetected, iff the local \s-1DNS\s0 server/forwarder is sane 227firewalls mostly undetected, iff the local \s-1DNS\s0 server/forwarder is sane
229(which is true for most routers, \s-1WLAN\s0 gateways and nameservers). 228(which is true for most routers, wireless \s-1LAN\s0 gateways and nameservers).
230.PP 229.PP
231Finetuning needs to be done by editing \f(CW\*(C`src/vpn_dns.C\*(C'\fR directly. 230Fine-tuning needs to be done by editing \f(CW\*(C`src/vpn_dns.C\*(C'\fR directly.
232.SH "PART 2: The GNU VPE protocol" 231.SH "PART 2: The GNU VPE protocol"
233.IX Header "PART 2: The GNU VPE protocol" 232.IX Header "PART 2: The GNU VPE protocol"
234This section, unfortunately, is not yet finished, although the protocol 233This section, unfortunately, is not yet finished, although the protocol
235is stable (until bugs in the cryptography are found, which will likely 234is stable (until bugs in the cryptography are found, which will likely
236completely change the following description). Nevertheless, it should give 235completely change the following description). Nevertheless, it should give
237you some overview over the protocol. 236you some overview over the protocol.
238.Sh "Anatomy of a \s-1VPN\s0 packet" 237.SS "Anatomy of a \s-1VPN\s0 packet"
239.IX Subsection "Anatomy of a VPN packet" 238.IX Subsection "Anatomy of a VPN packet"
240The exact layout and field lengths of a \s-1VPN\s0 packet is determined at 239The exact layout and field lengths of a \s-1VPN\s0 packet is determined at
241compiletime and doesn't change. The same structure is used for all 240compile time and doesn't change. The same structure is used for all
242transort protocols, be it \s-1RAWIP\s0 or \s-1TCP\s0. 241transport protocols, be it \s-1RAWIP\s0 or \s-1TCP\s0.
243.PP 242.PP
244.Vb 3 243.Vb 3
245\& +\-\-\-\-\-\-+\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-+ 244\& +\-\-\-\-\-\-+\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-+
246\& | HMAC | TYPE | SRCDST | DATA | 245\& | HMAC | TYPE | SRCDST | DATA |
247\& +\-\-\-\-\-\-+\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-+ 246\& +\-\-\-\-\-\-+\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-+
270.PP 269.PP
271\&\s-1RAND\s0 is a sequence of fully random bytes, used to increase the entropy of 270\&\s-1RAND\s0 is a sequence of fully random bytes, used to increase the entropy of
272the data for encryption purposes. 271the data for encryption purposes.
273.PP 272.PP
274\&\s-1SEQNO\s0 is a 32\-bit sequence number. It is negotiated at every connection 273\&\s-1SEQNO\s0 is a 32\-bit sequence number. It is negotiated at every connection
275initialization and starts at some random 31 bit value. \s-1VPE\s0 currently uses 274initialization and starts at some random 31 bit value. \s-1GVPE\s0 currently uses
276a sliding window of 512 packets/sequence numbers to detect reordering, 275a sliding window of 512 packets/sequence numbers to detect reordering,
277duplication and replay attacks. 276duplication and replay attacks.
277.PP
278The encryption is done on \s-1RAND+SEQNO+DATA\s0 in \s-1CBC\s0 mode with zero \s-1IV\s0 (or,
279equivalently, the \s-1IV\s0 is \s-1RAND+SEQNO\s0, encrypted with the block cipher,
280unless \s-1RAND\s0 size is decreased or increased over the default value).
281.PP
282The random prefix itself is generated by using \s-1AES\s0 in \s-1CTR\s0 mode with a
283random key and starting value, which should make them unpredictable even
284before encrypting them again. The sequence number additionally ensures
285that the \s-1IV\s0 is unique.
278.Sh "The authentication protocol" 286.SS "The authentication/key exchange protocol"
279.IX Subsection "The authentication protocol" 287.IX Subsection "The authentication/key exchange protocol"
280Before hosts can exchange packets, they need to establish authenticity of 288Before nodes can exchange packets, they need to establish authenticity of
281the other side and a key. Every host has a private \s-1RSA\s0 key and the public 289the other side and a key. Every node has a private \s-1RSA\s0 key and the public
282\&\s-1RSA\s0 keys of all other hosts. 290\&\s-1RSA\s0 keys of all other nodes.
283.PP 291.PP
284A host establishes a simplex connection by sending the other host an 292When a node wants to establish a connection to another node, it sends an
285\&\s-1RSA\s0 encrypted challenge containing a random challenge (consisting of 293RSA-OEAP-encrypted challenge and an \s-1ECDH\s0 key. The other node replies with
286the encryption key to use when sending packets, more random data and 294it's own \s-1ECDH\s0 key and a \s-1HKDF\s0 of the challange and both \s-1ECDH\s0 keys to proof
287\&\s-1PKCS1_OAEP\s0 padding) and a random 16 byte \*(L"challenge\-id\*(R" (used to detect 295it's identity.
288duplicate auth packets). The destination host will respond by replying
289with an (unencrypted) \s-1RIPEMD160\s0 hash of the decrypted challenge, which
290will authenticate that host. The destination host will also set the
291outgoing encryption parameters as given in the packet.
292.PP 296.PP
293When the source host receives a correct auth reply (by verifying the 297The remote node enganges in exactly the same protocol. When both nodes
294hash and the id, which will expire after 120 seconds), it will start to 298have exchanged their challenge and verified the response, they calculate a
295accept data packets from the destination host. 299cipher key and a \s-1HMAC\s0 key and start exchanging data packets.
296.PP 300.PP
297This means that a host can only initate a simplex connection, telling the 301In detail, the challenge consist of:
298other side the key it has to use when it sends packets. The challenge
299reply is only used to set the current \s-1IP\s0 address of the other side and
300protocol parameters.
301.PP 302.PP
302This protocol is completely symmetric, so to be able to send packets the 303.Vb 1
303destination host must send a challenge in the exact same way as already 304\& RSA\-OAEP (SEQNO MAC CIPHER SALT EXTRA\-AUTH) ECDH1
304described (so, in essence, two simplex connections are created per host 305.Ve
305pair). 306.PP
307That is, it encrypts (with the public key of the remote node) an initial
308sequence number for data packets, key material for the \s-1HMAC\s0 key, key
309material for the cipher key, a salt used by the \s-1HKDF\s0 (as shown later) and
310some extra random bytes that are unused except for authentication. It also
311sends the public key of a curve25519 exchange.
312.PP
313The remote node decrypts the \s-1RSA\s0 data, generates it's own \s-1ECDH\s0 key (\s-1ECDH2\s0), and
314replies with:
315.PP
316.Vb 1
317\& HKDF\-Expand (HKDF\-Extract (ECDH2, RSA), ECDH1, AUTH_DIGEST_SIZE) ECDH2
318.Ve
319.PP
320That is, it extracts from the decrypted \s-1RSA\s0 challenge, using it's \s-1ECDH\s0
321key as salt, and then expands using the requesting node's \s-1ECDH1\s0 key. The
322resulting has is returned as a proof that the node could decrypt the \s-1RSA\s0
323challenge data, together with the \s-1ECDH\s0 key.
324.PP
325After both nodes have done this to each other, they calculate the shared
326\&\s-1ECDH\s0 secrets, cipher and \s-1HMAC\s0 keys for the session (each
327node generates two cipher and \s-1HMAC\s0 keys, one for sending and one for
328receiving).
329.PP
330The \s-1HMAC\s0 key for sending is generated as follow:
331.PP
332.Vb 1
333\& HMAC_KEY = HKDF\-Expand (HKDF\-Extract (REMOTE_SALT, MAC ECDH_SECRET), info, HMAC_MD_SIZE)
334.Ve
335.PP
336It extracts from \s-1MAC\s0 and \s-1ECDH_SECRET\s0 using the \fIremote\fR \s-1SALT\s0, then
337expands using a static info string.
338.PP
339The cipher key is generated in the same way, except using the \s-1CIPHER\s0 part
340of the original challenge.
341.PP
342The result of this process is to authenticate each node to the other
343node, while exchanging keys using both \s-1RSA\s0 and \s-1ECDH\s0, the latter providing
344perfect forward secrecy.
345.PP
346The protocol has been overdesigned where this was possible without
347increasing implementation complexity, in an attempt to protect against
348implementation or protocol failures. For example, if the \s-1ECDH\s0 challenge
349was found to be flawed, perfect forward secrecy would be lost, but
350the data would still be protected. Likewise, standard algorithms and
351implementations are used where possible.
306.Sh "Retrying" 352.SS "Retrying"
307.IX Subsection "Retrying" 353.IX Subsection "Retrying"
308When there is no response to an auth request, the host will send auth 354When there is no response to an auth request, the node will send auth
309requests in bursts with an exponential backoff. After some time it will 355requests in bursts with an exponential back-off. After some time it will
310resort to \s-1PING\s0 packets, which are very small (8 bytes + protocol header) 356resort to \s-1PING\s0 packets, which are very small (8 bytes + protocol header)
311and lightweight (no \s-1RSA\s0 operations required). A host that receives ping 357and lightweight (no \s-1RSA\s0 operations required). A node that receives ping
312requests from an unconnected peer will respond by trying to create a 358requests from an unconnected peer will respond by trying to create a
313connection. 359connection.
314.PP 360.PP
315In addition to the exponential backoff, there is a global rate-limit on 361In addition to the exponential back-off, there is a global rate-limit on
316a per-IP base. It allows long bursts but will limit total packet rate to 362a per-IP base. It allows long bursts but will limit total packet rate to
317something like one control packet every ten seconds, to avoid accidental 363something like one control packet every ten seconds, to avoid accidental
318floods due to protocol problems (like a \s-1RSA\s0 key file mismatch between two 364floods due to protocol problems (like a \s-1RSA\s0 key file mismatch between two
319hosts). 365nodes).
320.PP 366.PP
321The intervals between retries are limited by the \f(CW\*(C`max\-retry\*(C'\fR 367The intervals between retries are limited by the \f(CW\*(C`max\-retry\*(C'\fR
322configuration value. A node with \f(CW\*(C`connect\*(C'\fR = \f(CW\*(C`always\*(C'\fR will always retry, 368configuration value. A node with \f(CW\*(C`connect\*(C'\fR = \f(CW\*(C`always\*(C'\fR will always retry,
323a node with \f(CW\*(C`connect\*(C'\fR = \f(CW\*(C`ondemand\*(C'\fR will only try (and re\-try) to connect 369a node with \f(CW\*(C`connect\*(C'\fR = \f(CW\*(C`ondemand\*(C'\fR will only try (and re-try) to connect
324as long as there are packets in the queue, usually this limits the retry 370as long as there are packets in the queue, usually this limits the retry
325period to \f(CW\*(C`max\-ttl\*(C'\fR seconds. 371period to \f(CW\*(C`max\-ttl\*(C'\fR seconds.
326.PP 372.PP
327Sending packets over the \s-1VPN\s0 will reset the retry intervals as well, which 373Sending packets over the \s-1VPN\s0 will reset the retry intervals as well, which
328means as long as somebody is trying to send packets to a given node, \s-1GVPE\s0 374means as long as somebody is trying to send packets to a given node, \s-1GVPE\s0
329will try to connect every few seconds. 375will try to connect every few seconds.
330.Sh "Routing and Protocol translation" 376.SS "Routing and Protocol translation"
331.IX Subsection "Routing and Protocol translation" 377.IX Subsection "Routing and Protocol translation"
332The \s-1GVPE\s0 routing algorithm is easy: there isn't much routing to speak 378The \s-1GVPE\s0 routing algorithm is easy: there isn't much routing to speak
333of: When routing packets to another node, \s-1GVPE\s0 trues the following 379of: When routing packets to another node, \s-1GVPE\s0 tries the following
334options, in order: 380options, in order:
335.IP "If the two hosts should be able to reach each other directly (common protocol, port known), then \s-1GVPE\s0 will send the packet directly to the other node." 4 381.IP "If the two nodes should be able to reach each other directly (common protocol, port known), then \s-1GVPE\s0 will send the packet directly to the other node." 4
336.IX Item "If the two hosts should be able to reach each other directly (common protocol, port known), then GVPE will send the packet directly to the other node." 382.IX Item "If the two nodes should be able to reach each other directly (common protocol, port known), then GVPE will send the packet directly to the other node."
337.PD 0 383.PD 0
338.ie n .IP "If this isn't possible (e.g. because the node doesn't have a \*(C`hostname\*(C' or known port), but the nodes speak a common protocol and a router is available, then \s-1GVPE\s0 will ask a router to ""mediate"" between both nodes (see below)." 4 384.ie n .IP "If this isn't possible (e.g. because the node doesn't have a \*(C`hostname\*(C' or known port), but the nodes speak a common protocol and a router is available, then \s-1GVPE\s0 will ask a router to ""mediate"" between both nodes (see below)." 4
339.el .IP "If this isn't possible (e.g. because the node doesn't have a \f(CW\*(C`hostname\*(C'\fR or known port), but the nodes speak a common protocol and a router is available, then \s-1GVPE\s0 will ask a router to ``mediate'' between both nodes (see below)." 4 385.el .IP "If this isn't possible (e.g. because the node doesn't have a \f(CW\*(C`hostname\*(C'\fR or known port), but the nodes speak a common protocol and a router is available, then \s-1GVPE\s0 will ask a router to ``mediate'' between both nodes (see below)." 4
340.IX Item "If this isn't possible (e.g. because the node doesn't have a hostname or known port), but the nodes speak a common protocol and a router is available, then GVPE will ask a router to mediate between both nodes (see below)." 386.IX Item "If this isn't possible (e.g. because the node doesn't have a hostname or known port), but the nodes speak a common protocol and a router is available, then GVPE will ask a router to mediate between both nodes (see below)."
341.ie n .IP "If a direct connection isn't possible (no common protocols) or forbidden (\*(C`deny\-direct\*(C'\fR) and there are any routers, then \s-1GVPE\s0 will try to send packets to the router with the highest priority that is connected already \fIand is able (as specified by the config file) to connect directly to the target node." 4 387.ie n .IP "If a direct connection isn't possible (no common protocols) or forbidden (\*(C`deny\-direct\*(C') and there are any routers, then \s-1GVPE\s0 will try to send packets to the router with the highest priority that is connected already \fIand\fR is able (as specified by the config file) to connect directly to the target node." 4
342.el .IP "If a direct connection isn't possible (no common protocols) or forbidden (\f(CW\*(C`deny\-direct\*(C'\fR) and there are any routers, then \s-1GVPE\s0 will try to send packets to the router with the highest priority that is connected already \fIand\fR is able (as specified by the config file) to connect directly to the target node." 4 388.el .IP "If a direct connection isn't possible (no common protocols) or forbidden (\f(CW\*(C`deny\-direct\*(C'\fR) and there are any routers, then \s-1GVPE\s0 will try to send packets to the router with the highest priority that is connected already \fIand\fR is able (as specified by the config file) to connect directly to the target node." 4
343.IX Item "If a direct connection isn't possible (no common protocols) or forbidden (deny-direct) and there are any routers, then GVPE will try to send packets to the router with the highest priority that is connected already and is able (as specified by the config file) to connect directly to the target node." 389.IX Item "If a direct connection isn't possible (no common protocols) or forbidden (deny-direct) and there are any routers, then GVPE will try to send packets to the router with the highest priority that is connected already and is able (as specified by the config file) to connect directly to the target node."
344.IP "If no such router exists, then \s-1GVPE\s0 will simply send the packet to the node with the highest priority available." 4 390.IP "If no such router exists, then \s-1GVPE\s0 will simply send the packet to the node with the highest priority available." 4
345.IX Item "If no such router exists, then GVPE will simply send the packet to the node with the highest priority available." 391.IX Item "If no such router exists, then GVPE will simply send the packet to the node with the highest priority available."
346.IP "Failing all that, the packet will be dropped." 4 392.IP "Failing all that, the packet will be dropped." 4
351port number(s) to zero. It can declare other hosts as unreachable by using 397port number(s) to zero. It can declare other hosts as unreachable by using
352a config-file that disables all protocols for these other hosts. Another 398a config-file that disables all protocols for these other hosts. Another
353option is to disable all protocols on that host in the other config files. 399option is to disable all protocols on that host in the other config files.
354.PP 400.PP
355If two hosts cannot connect to each other because their \s-1IP\s0 address(es) 401If two hosts cannot connect to each other because their \s-1IP\s0 address(es)
356are not known (such as dialup hosts), one side will send a \fImediated\fR 402are not known (such as dial-up hosts), one side will send a \fImediated\fR
357connection request to a router (routers must be configured to act as 403connection request to a router (routers must be configured to act as
358routers!), which will send both the originating and the destination host 404routers!), which will send both the originating and the destination host
359a connection info request with protocol information and \s-1IP\s0 address of the 405a connection info request with protocol information and \s-1IP\s0 address of the
360other host (if known). Both hosts will then try to establish a direct 406other host (if known). Both hosts will then try to establish a direct
361connection to the other peer, which is usually possible even when both 407connection to the other peer, which is usually possible even when both

Diff Legend

Removed lines
+ Added lines
< Changed lines
> Changed lines