update readme and --help

2024-06-20 14:09:19 +00:00 · 2018-06-22 13:36:09 -05:00 · 2018-06-22 13:36:09 -05:00 · 65943053ff
commit 65943053ff
parent 52a911b109
3 changed files with 7 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -33,7 +33,7 @@ In FakeTCP header mode,udp2raw simulates 3-way handshake while establishing a co

 ### Encrpytion, Anti-Replay
 * Encrypt your traffic with AES-128-CBC.
-* Protect data integrity by MD5 or CRC32.
+* Protect data integrity by HMAC-SHA1 (or weaker MD5/CRC32).
 * Defense replay attack with an anti-replay window, smiliar to IPSec and OpenVPN. 

 ### Failure Dectection & Stablization (Connection Recovery)
@ -100,7 +100,7 @@ common options,these options must be same on both side:
    --raw-mode            <string>        avaliable values:faketcp(default),udp,icmp
    -k,--key              <string>        password to gen symetric key,default:"secret key"
    --cipher-mode         <string>        avaliable values:aes128cbc(default),xor,none
-    --auth-mode           <string>        avaliable values:md5(default),crc32,simple,none
+    --auth-mode           <string>        avaliable values:hmac_sha1,md5(default),crc32,simple,none
    -a,--auto-rule                        auto add (and delete) iptables rule
    -g,--gen-rule                         generate iptables rule then exit,so that you can copy and
                                          add it manually.overrides -a
@ -143,7 +143,7 @@ other options:
 This program sends packets via raw socket. In FakeTCP mode, Linux kernel TCP packet processing has to be blocked by a iptables rule on both sides, otherwise the kernel will automatically send RST for an unrecongized TCP packet and you will sustain from stability / peformance problems. You can use `-a` option to let the program automatically add / delete iptables rule on start / exit. You can also use the `-g` option to generate iptables rule and add it manually.

 ### `--cipher-mode` and `--auth-mode` 
-It is suggested to use `aes128cbc` + `md5` to obtain maximum security. If you want to run the program on a router, you can try `xor` + `simple`, which can fool packet inspection by firewalls the most of time, but it cannot protect you from serious attacks. Mode none is only for debugging purpose. It is not recommended to set the cipher-mode or auth-mode to none.
+It is suggested to use `aes128cbc` + `hmac_sha1` to obtain maximum security. If you want to run the program on a router, you can try `xor` + `simple`, which can fool packet inspection by firewalls the most of time, but it cannot protect you from serious attacks. Mode none is only for debugging purpose. It is not recommended to set the cipher-mode or auth-mode to none.

 ### `--seq-mode`
 The FakeTCP mode does not behave 100% like a real tcp connection. ISPs may be able to distinguish the simulated tcp traffic from the real TCP traffic (though it's costly). seq-mode can help you change the seq increase behavior slightly. If you experience connection problems, try to change the value. 
--- a/doc/README.zh-cn.md
+++ b/doc/README.zh-cn.md
@ -49,7 +49,7 @@ Client能用单倍的超时时间检测到单向链路的失效，不管是上
 对于有大量client的情况，对于不同client,server发送的心跳是错开时间发送的，不会因为短时间发送大量的心跳而造成拥塞和延迟抖动。

 ### 加密 防重放攻击
-用aes128cbc加密，md5/crc32做数据完整校验。用类似ipsec/openvpn的 replay window机制来防止重放攻击。
+用aes128cbc加密，hmac-sha1/md5/crc32做数据完整校验。用类似ipsec/openvpn的replay window机制来防止重放攻击。

 设计目标是，即使攻击者可以监听到tunnel的所有包，可以选择性丢弃tunnel的任意包，可以重放任意包；攻击者也没办法获得tunnel承载的任何数据，也没办法向tunnel的数据流中通过包构造/包重放插入任何数据。

@ -124,7 +124,7 @@ common options,these options must be same on both side:
    --raw-mode            <string>        avaliable values:faketcp(default),udp,icmp
    -k,--key              <string>        password to gen symetric key,default:"secret key"
    --cipher-mode         <string>        avaliable values:aes128cbc(default),xor,none
-    --auth-mode           <string>        avaliable values:md5(default),crc32,simple,none
+    --auth-mode           <string>        avaliable values:hmac_sha1,md5(default),crc32,simple,none
    -a,--auto-rule                        auto add (and delete) iptables rule
    -g,--gen-rule                         generate iptables rule then exit,so that you can copy and
                                          add it manually.overrides -a
@ -168,7 +168,7 @@ other options:

 用raw收发udp包也类似，只是内核回复的是icmp unreachable。而用raw 收发icmp，内核会自动回复icmp echo。都需要相应的iptables规则。
 ### `--cipher-mode` 和 `--auth-mode` 
-如果要最大的安全性建议用aes128cbc+md5。如果要运行在路由器上，建议用xor+simple，可以节省CPU。但是注意xor+simple只能骗过防火墙的包检测，不能防止真正的攻击者。
+如果要最大的安全性建议用aes128cbc+hmac_sha1。如果要运行在路由器上，建议用xor+simple，可以节省CPU。但是注意xor+simple只能骗过防火墙的包检测，不能防止真正的攻击者。

 ### `--seq-mode`
 facktcp模式并没有模拟tcp的全部。所以理论上有办法把faketcp和真正的tcp流量区分开来（虽然大部分ISP不太可能做这种程度的包检测）。seq-mode可以改变一些seq ack的行为。如果遇到了连接问题，可以尝试更改。在我这边的移动线路用3种模式都没问题。
--- a/misc.cpp
+++ b/misc.cpp
@ -129,7 +129,7 @@ void print_help()
 	printf("    --raw-mode            <string>        avaliable values:faketcp(default),udp,icmp\n");
 	printf("    -k,--key              <string>        password to gen symetric key,default:\"secret key\"\n");
 	printf("    --cipher-mode         <string>        avaliable values:aes128cbc(default),xor,none\n");
-	printf("    --auth-mode           <string>        avaliable values:md5(default),crc32,simple,none\n");
+	printf("    --auth-mode           <string>        avaliable values:hmac_sha1,md5(default),crc32,simple,none\n");
 	printf("    -a,--auto-rule                        auto add (and delete) iptables rule\n");
 	printf("    -g,--gen-rule                         generate iptables rule then exit,so that you can copy and\n");
 	printf("                                          add it manually.overrides -a\n");