what messages are allowed to pass between those subnets
By default (in the absence of a config file) only hosts on the same subnet are allowed to connect, and all messages are allowed to pass between them
There is an MD5-signed handshake at connect time which asks
"would you mind signing this random string catenated with our private passphrase that we both know of course don't we and could you tell me the result please"
The private passphrase is held in a restricted access file on each host
All security violation attempts cause an alert (syslog)
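
The connect-time handshake described above, sketched as an added example (not code from the original page or the project). The byte order of random string followed by passphrase, the hex encoding, the function names and the sample passphrase are assumptions; the logger stands in for the syslog alert, and sign_hmac shows the same exchange with HMAC-SHA256 in place of bare MD5.

```python
import hashlib
import hmac
import logging
import secrets

log = logging.getLogger("handshake")  # assumption: stand-in for the syslog alert


def make_challenge(nbytes: int = 16) -> bytes:
    """Server side: a fresh random string for every connection attempt."""
    return secrets.token_bytes(nbytes)


def sign_md5(challenge: bytes, passphrase: bytes) -> str:
    """Client side, as the page describes: MD5 over challenge + passphrase."""
    return hashlib.md5(challenge + passphrase).hexdigest()


def sign_hmac(challenge: bytes, passphrase: bytes) -> str:
    """Same exchange using a keyed MAC (HMAC-SHA256) instead of bare MD5."""
    return hmac.new(passphrase, challenge, hashlib.sha256).hexdigest()


def verify(challenge, response, passphrase, peer, sign=sign_md5) -> bool:
    """Server side: recompute the digest and compare in constant time."""
    expected = sign(challenge, passphrase)
    ok = hmac.compare_digest(expected, response)
    if not ok:
        log.warning("handshake failed for peer %s", peer)  # security alert
    return ok


def demo() -> dict:
    secret = b"constructed-passphrase"  # constructed sample value
    c1 = make_challenge()
    good = verify(c1, sign_md5(c1, secret), secret, "10.0.0.5")
    wrong = verify(c1, sign_md5(c1, b"guess"), secret, "10.0.0.9")
    # A response recorded for c1 does not verify against a fresh challenge c2.
    c2 = make_challenge()
    replay = verify(c2, sign_md5(c1, secret), secret, "10.0.0.9")
    strong = verify(c2, sign_hmac(c2, secret), secret, "10.0.0.5", sign_hmac)
    return {"good": good, "wrong": wrong, "replay": replay, "strong": strong}


if __name__ == "__main__":
    print(demo())
```

The passphrase never crosses the wire; only the random string and the digest do, which is why the server must issue a new random string per connection.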