How to setup a Mobile IPv6 testbed
with IPsec static keying


Introduction

This section describes the UMIP configuration for a Mobile IPv6 testbed. The first part of this section covers the Home Agent (HA) configuration, the second one the Mobile Node (MN) configuration. Configuration for IPsec static keying is also considered. The changes required to configure a NEMO Basic Support testbed are covered in another article available here.

To avoid spending hours debugging trivial issues, you should first get familiar with UMIP configuration in general (read the man pages and set up a simple UMIP configuration without static keying).

Below is a figure of the testbed setup, followed by some comments.

Figure of HA and MN

The main elements we consider are the HA and its MN.

When the MN is not connected to its Home Link, the data traffic exchanged between the MN and its HA is IPsec protected in tunnel mode. In all cases, the signaling traffic between them is protected in transport mode. This set of Security Associations is depicted by the red arrows.


Configuring the Home Agent

In this subsection, we cover the configuration of the HA.

Figure of HA

UMIP configuration

The UMIP Home Agent configuration file will be stored in /usr/local/etc/mip6d.conf. Here is a sample file for our test network.

# Sample UMIP configuration file for a MIPv6 Home Agent
NodeConfig HA;

# Set DebugLevel to 0 if you do not want debug messages
DebugLevel 10;

# Replace eth0 with the interface connected to the home link
Interface "eth0";

# Binding information
BindingAclPolicy 2001:db8:ffff:0::1 allow;
DefaultBindingAclPolicy deny;

# Enable IPsec static keying
UseMnHaIPsec enabled;
KeyMngMobCapability disabled;

# IPsec Security Policies information
IPsecPolicySet {
    HomeAgentAddress 2001:db8:ffff:0::1000;
    HomeAddress 2001:db8:ffff:0::1/64;
 
    # All MH packets (BU/BA/BERR)
    IPsecPolicy Mh UseESP 11 12;
    # All tunneled packets (HoTI/HoT, payload)
    IPsecPolicy TunnelPayload UseESP 13 14;
    # All ICMP packets (MPS/MPA, ICMPv6)
    IPsecPolicy ICMP UseESP 15 16;
}

The value of the NodeConfig parameter should not be a surprise. The Interface parameter is set to "eth0" to declare the interface of the HA that is connected to the home link.

We define a specific binding ACL for every MN. This is the purpose of the BindingAclPolicy 2001:db8:ffff:0::1 allow; entry, which references the HoA of the MN and allows binding for it. The DefaultBindingAclPolicy is set to deny to prevent binding of peers that are not explicitly allowed.

The parameter UseMnHaIPsec indicates that MIPv6 signaling between the HA and its MN must be protected by IPsec. The next configuration block (IPsecPolicySet) is of particular interest. It deals with the IPsec protection of the traffic between the HA and the MN (data and signaling). The addresses of the Home Agent (HomeAgentAddress) and the Home Address of the MN (HomeAddress) are provided, followed by IPsec policy descriptions (IPsecPolicy items). Here, we ask for IPsec protection using ESP for:

- all Mobility Header packets (BU/BA/BERR), in transport mode (policy Mh);
- all tunneled packets (HoTI/HoT and payload traffic), in tunnel mode (policy TunnelPayload);
- all ICMPv6 packets (MPS/MPA, ICMPv6), in transport mode (policy ICMP).

These rules cover all traffic (data and MIPv6 signaling) between the MN and the HA. UMIP will use this information to set up a set of specific IPsec Security Policies for the three rules, which will require IPsec Security Associations (SAs) to be present in order for the associated traffic to flow. We present below how to install such SAs.

Note: if you want to split your mip6d.conf file into multiple configuration files (for example if you want to have one file per MN in which you can store the BindingAclPolicy and IPsecPolicySet specific to each of them), it is possible to use an include statement in the mip6d.conf file. Wildcards are accepted, so you can use it for example with:

include "/etc/mip6d.conf.d/*.conf"

It is also possible to create these files while UMIP is running and send a SIGHUP signal to UMIP in order to ask UMIP to reload the configuration. Please refer to the mip6d.conf manpage for further details on the include statement and the configuration reload.


IPsec SA configuration

Now that the UMIP configuration has been performed, the HA still lacks the Security Associations (SAs) to protect the flows referenced by the Security Policies we have required. The IPsecPolicySet we configured above uses the IPsec SAs below. Copy them in /usr/local/etc/setkey.conf:

# IPsec Security Associations
# HA address: 2001:db8:ffff:0::1000;
# MN HoA:     2001:db8:ffff:0::1/64;

# Flush the SAD and SPD
flush;
spdflush;

# MN1 -> HA transport SA for BU
add 2001:db8:ffff:0::1 2001:db8:ffff:0::1000 esp 0x11
    -u 11
    -m transport
    -E 3des-cbc "MIP6-011--12345678901234"
    -A hmac-sha1 "MIP6-011--1234567890" ;

# HA -> MN1 transport SA for BA
add 2001:db8:ffff:0::1000 2001:db8:ffff:0::1 esp 0x12
    -u 12
    -m transport
    -E 3des-cbc "MIP6-012--12345678901234"
    -A hmac-sha1 "MIP6-012--1234567890" ;

# MN1 -> HA tunnel SA for any traffic
add 2001:db8:ffff:0::1 2001:db8:ffff:0::1000 esp 0x13
    -u 13
    -m tunnel
    -E 3des-cbc "MIP6-013--12345678901234"
    -A hmac-sha1 "MIP6-013--1234567890" ;

# HA -> MN1 tunnel SA for any traffic
add 2001:db8:ffff:0::1000 2001:db8:ffff:0::1 esp 0x14
    -u 14
    -m tunnel
    -E 3des-cbc "MIP6-014--12345678901234"
    -A hmac-sha1 "MIP6-014--1234567890" ;

# MN1 -> HA transport SA for ICMP (including MPS/MPA)
add 2001:db8:ffff:0::1 2001:db8:ffff:0::1000 esp 0x15
    -u 15
    -m transport
    -E 3des-cbc "MIP6-015--12345678901234"
    -A hmac-sha1 "MIP6-015--1234567890" ;

# HA -> MN1 transport SA for ICMP (including MPS/MPA)
add 2001:db8:ffff:0::1000 2001:db8:ffff:0::1 esp 0x16
    -u 16
    -m transport
    -E 3des-cbc "MIP6-016--12345678901234"
    -A hmac-sha1 "MIP6-016--1234567890" ;
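
A mismatch between the IPsecPolicySet and the setkey SAs (a swapped reqid pair, a transport-mode SA for the tunnel policy, a key of the wrong size) is the kind of trivial issue that costs hours, so here is an added consistency check (example code, not part of the original article or of UMIP). It parses an IPsecPolicySet block and a setkey.conf, and for each IPsecPolicy requires an SA with the first reqid in the MN to HA direction and one with the second reqid in the HA to MN direction, transport mode for Mh and ICMP, tunnel mode for TunnelPayload, and 24-byte 3des-cbc and 20-byte hmac-sha1 keys. The pairing of the first reqid with the MN to HA SA is assumed from the page's own sample files, and the embedded configuration excerpts are constructed.

```python
import re

# Constructed excerpts in the page's format: odd reqids are MN -> HA, even HA -> MN, 13/14 the tunnel pair.
HA, MN = "2001:db8:ffff:0::1000", "2001:db8:ffff:0::1"
MIP6D_CONF = f"""IPsecPolicySet {{ HomeAgentAddress {HA}; HomeAddress {MN}/64;
  IPsecPolicy Mh UseESP 11 12; IPsecPolicy TunnelPayload UseESP 13 14; IPsecPolicy ICMP UseESP 15 16; }}"""
SETKEY_CONF = "flush;\nspdflush;\n" + "\n".join(
    f'add {MN if r % 2 else HA} {HA if r % 2 else MN} esp 0x{r} -u {r} -m {"tunnel" if r in (13, 14) else "transport"}'
    f' -E 3des-cbc "MIP6-0{r}--12345678901234" -A hmac-sha1 "MIP6-0{r}--1234567890" ;' for r in range(11, 17))

EXPECTED_MODE = {"Mh": "transport", "ICMP": "transport", "TunnelPayload": "tunnel"}
KEY_LEN = {"3des-cbc": 24, "hmac-sha1": 20}  # fixed key sizes, in bytes

def parse_policies(conf):
    """Return (HA address, HoA, {policy type: (reqid MN->HA, reqid HA->MN)}) from an IPsecPolicySet."""
    ha = re.search(r"HomeAgentAddress\s+([^\s;]+)", conf)[1]
    hoa = re.search(r"HomeAddress\s+([^\s/;]+)", conf)[1]
    pols = {m[1]: (int(m[2]), int(m[3])) for m in re.finditer(r"IPsecPolicy\s+(\w+)\s+UseESP\s+(\d+)\s+(\d+)", conf)}
    return ha, hoa, pols

def parse_sas(conf):
    """Yield one dict per setkey 'add' statement: endpoints, -u reqid, -m mode, (algorithm, key bytes) for -E/-A."""
    for stmt in re.findall(r"^add\s+(.*?);", conf, re.S | re.M):
        f = stmt.split()
        sa = {"src": f[0], "dst": f[1]}
        for i, tok in enumerate(f):
            if tok in ("-u", "-m"):
                sa[tok] = f[i + 1]
            elif tok in ("-E", "-A"):  # key is either "ascii" (1 byte per char) or 0x hex (2 chars per byte)
                sa[tok] = (f[i + 1], (len(f[i + 2]) - 2) // 2 if f[i + 2].startswith("0x") else len(f[i + 2].strip('"')))
        yield sa

def check(mip6d_conf, setkey_conf):
    """Cross-check the IPsecPolicySet against the SAs; an empty list means they are consistent."""
    ha, hoa, pols = parse_policies(mip6d_conf)
    by_reqid = {int(sa["-u"]): sa for sa in parse_sas(setkey_conf) if "-u" in sa}
    findings = []
    for ptype, reqids in pols.items():
        for reqid, (src, dst) in zip(reqids, ((hoa, ha), (ha, hoa))):
            sa = by_reqid.get(reqid)
            if sa is None:
                findings.append(f"{ptype}: no SA with reqid {reqid}")
                continue
            if (sa["src"], sa["dst"], sa.get("-m")) != (src, dst, EXPECTED_MODE.get(ptype)):
                findings.append(f"{ptype}: reqid {reqid} is {sa['src']} -> {sa['dst']} {sa.get('-m')}, "
                                f"expected {src} -> {dst} {EXPECTED_MODE.get(ptype)}")
            for flag in ("-E", "-A"):
                alg, klen = sa.get(flag, (None, 0))
                if alg in KEY_LEN and klen != KEY_LEN[alg]:
                    findings.append(f"{ptype}: reqid {reqid} {alg} key is {klen} bytes, expected {KEY_LEN[alg]}")
    return findings
```

Run check() on the contents of your own mip6d.conf and setkey.conf before starting the daemons; the same files are installed on the MN, so one pass covers both ends.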

Router Advertisement configuration

The Home Agent also needs to advertise the Home Link prefix on its Home Link using Router Advertisements. For that purpose, we use the radvd software with the configuration below. Copy it in /etc/radvd.conf:

# Home Agent radvd configuration file
# Replace eth0 with the interface connected to the home link
interface eth0
{
    AdvSendAdvert on;
    MaxRtrAdvInterval 3;
    MinRtrAdvInterval 1;
    AdvIntervalOpt on;
    AdvHomeAgentFlag on;
    AdvHomeAgentInfo on;
    HomeAgentLifetime 1800;
    HomeAgentPreference 10;

    # Home Agent address
    prefix 2001:db8:ffff:0::1000/64
    {
        AdvRouterAddr on;
        AdvOnLink on;
        AdvAutonomous on;
    };
};

The radvd daemon should start automatically at boot when it finds a suitable radvd.conf file in the /etc directory. If needed, you can also start it manually with the following command:

# radvd -C /etc/radvd.conf

Note: even if you do not plan to use the Home Link (e.g. in a Virtual Home Link configuration), you still have to send Router Advertisements carrying the home link prefix: mip6d needs them to configure its Home Agent list. In that case, you can use a dummy interface and advertise the Home Link prefix on it. Here is the procedure. You need the dummy kernel module:

# modprobe dummy

This will create a dummy0 interface. Bring it up and configure it with the Home Agent address:

# ifconfig dummy0 up
# ifconfig dummy0 multicast
# ifconfig dummy0 inet6 add 2001:db8:ffff:0::1000/64

You can now use the dummy0 interface as the home link interface. You must thus use dummy0 instead of eth0 in all the Home Agent configuration files (mip6d.conf and radvd.conf).

We will also explain in the next section how to set up a dummy interface automatically at startup.


Misc. configuration

IPv6 forwarding must be activated on the Home Agent. In order to enable it automatically at startup, you can add (or uncomment) the following line in the /etc/sysctl.conf file:

net.ipv6.conf.all.forwarding=1

You can also do it manually with the following command:

# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

You should also statically configure the address of your Home Agent on its Home Link interface. You can update the /etc/network/interfaces file with the configuration below; the address will then be configured automatically at startup:

# Configuration of the home link interface
allow-hotplug eth0
iface eth0 inet6 static
    address 2001:db8:ffff:0::1000
    netmask 64

If you prefer to use a dummy interface on your Home Agent as explained in the previous section, you can add the following configuration:

auto dummy0
iface dummy0 inet6 static
        pre-up modprobe dummy
        up ip link set dev dummy0 up
        up ip link set dummy0 multicast on
        address 2001:db8:ffff:0::1000/64

Also, do not forget to advertise your Home Link prefix in the routing infrastructure of your testbed. For that purpose, you may choose static routing in your testbed, or you can use a routing protocol such as RIPng. The quagga routing software suite provides such a routing protocol. Please refer to the quagga homepage for more information.


Configuring the Mobile Node

In this subsection, we cover the configuration of the Mobile Node (MN).

Figure of MN

UMIP configuration

The UMIP Mobile Node configuration file will be stored in /usr/local/etc/mip6d.conf. Here is a sample file for our test network:

# Sample UMIP configuration file for a MIPv6 Mobile Node
NodeConfig MN;

# Set DebugLevel to 0 if you do not want debug messages
DebugLevel 10;

# Enable the optimistic handovers
OptimisticHandoff enabled;

# Disable RO with other MNs (it is not compatible 
# with IPsec Tunnel Payload)
DoRouteOptimizationMN disabled;
 
# The Binding Lifetime (in sec.)
MnMaxHaBindingLife 60;

# List here the interfaces that you will use 
# on your mobile node. The available one with 
# the smallest preference number will be used.
Interface "eth0" {
    MnIfPreference 1;
}
Interface "wlan0" {
    MnIfPreference 2;
}

# Replace eth0 with one of your interface used on
# your mobile node
MnHomeLink "eth0" {
    HomeAgentAddress 2001:db8:ffff:0::1000;
    HomeAddress 2001:db8:ffff:0::1/64;
}

# Enable IPsec static keying
UseMnHaIPsec enabled;
KeyMngMobCapability disabled;

# IPsec Security Policies information
IPsecPolicySet {
    HomeAgentAddress 2001:db8:ffff:0::1000;
    HomeAddress 2001:db8:ffff:0::1/64;
 
    # All MH packets (BU/BA/BERR)
    IPsecPolicy Mh UseESP 11 12;
    # All tunneled packets (HoTI/HoT, payload)
    IPsecPolicy TunnelPayload UseESP 13 14;
    # All ICMP packets (MPS/MPA, ICMPv6)
    IPsecPolicy ICMP UseESP 15 16;
}

Quite obviously, the NodeConfig parameter is set to MN. The OptimisticHandoff parameter enables the use of tunnels as soon as the Binding Update message is sent (i.e. without waiting for a Binding Ack). Enabling it reduces the handover time.

As we do not want our MN to initiate Route Optimization with Correspondent Nodes (which would imply losing IPsec protection for traffic leaving/entering the foreign network), it is disabled using the DoRouteOptimizationMN parameter. The MnMaxHaBindingLife can be used to set the binding lifetime (in sec.).

Then comes the configuration of the interfaces on our MN, which is easy to understand: we preferentially use our Ethernet interface eth0 (better throughput and lower latency) if the link is available and if UMIP manages to configure an IPv6 address usable as a Care-of Address (CoA) on it. Otherwise, the Wi-Fi interface wlan0 is used. If you plan to use an interface that is in fact a tunnel interface, you should probably use the Tunnel enabled; option. Please refer to this documentation or to the mip6d.conf manpage for more information on its use.

The parameter UseMnHaIPsec indicates that MIPv6 signaling between the MN and its HA must be protected by IPsec. The IPsecPolicySet block is identical to the one we previously described on the HA for this particular MN.


IPsec SA configuration

The IPsec SAs needed on the MN are the same as those installed on the HA for that MN. You can therefore reuse the IPsec SAs we described in the HA section, and copy them on the MN in the /usr/local/etc/setkey.conf file.


Misc. configuration

UMIP will take care of configuring the Home Address automatically on the correct interface.

Besides, UMIP will use IPv6 autoconfiguration to configure a CoA on its interfaces. Make sure that the interfaces that connect to the network (eth0 and wlan0 in our testbed) are up at startup (in particular, that your wireless interface is correctly configured to connect to the desired access point). Also, make sure that you receive Router Advertisements from the foreign networks.


Operations


Starting the daemons

Now that all the configuration is ready, let's start the Home Agent and then the Mobile Node. For that purpose, we just need to execute the operations below on each entity: we first install the IPsec SAs, then start the mobility daemon.

In order to install the IPsec SAs automatically at boot, we can use the setkey init.d script provided by the ipsec-tools package (install it if needed: it is required for IPsec). You can simply set the path to your setkey configuration file in /etc/default/setkey and the IPsec SAs will be installed at boot:

SETKEY_CONF=/usr/local/etc/setkey.conf

If you prefer to install the IPsec SAs manually, you can do so by using the setkey command directly, as follows:

# setkey -f /usr/local/etc/setkey.conf

In order to automatically start the mobility daemon at boot, you can copy this mip6d init.d script into your /etc/init.d directory and execute:

# chmod +x /etc/init.d/mip6d
# update-rc.d mip6d defaults

You can indicate your configuration file location and other items by creating the /etc/default/mip6d file and setting:

RUN="yes"
MIP6D=/usr/local/sbin/mip6d
MIP6D_CONF=/usr/local/etc/mip6d.conf
MIP6D_DEBUG_LOG=/var/log/mip6d.log

mip6d will start as a daemon at boot, and all its operations will be logged in /var/log/mip6d.log. If you prefer to start the mobility daemon manually, you can use the following command:

# mip6d -c /usr/local/etc/mip6d.conf

Monitoring

After booting the HA, and then the MN, you can test whether your MN is reachable from the HA (using ping6 for example) while it is on the Home Link. If it is not reachable, you most likely have a configuration or routing problem in your testbed.

If your MN is reachable, then you can try to move it from the Home Link to a foreign network. The MN will then register to the HA and will still be reachable at its Home Address.

You can check that the registration to the HA was successful by checking the Binding Update List on the MN and the Binding Cache on the HA. For that purpose, we can use the Virtual Terminal of UMIP on the MN:

# telnet localhost 7777
mip6d> verbose yes
yes
mip6d> bul
== BUL_ENTRY ==
Home address    2001:db8:ffff:0::1
Care-of address 2001:db8:ffff:f300:feed:beef:feed:beef
CN address      2001:db8:ffff:0::1000
 lifetime = 8,  delay = 7000
 flags: IP6_MH_BU_HOME IP6_MH_BU_ACK 
 ack ready
 dev eth0 last_coa 2001:db8:ffff:f300:feed:beef:feed:beef
 lifetime 4 / 8 seq 51006 resend 0 delay 7(after 3s) expires 4
 mps 2332741 / 2332798

We can see that the Care-of Address 2001:db8:ffff:f300:feed:beef:feed:beef which is bound to the Home Address 2001:db8:ffff:0::1 is registered to the Correspondent Node (here, the Home Agent) whose address is 2001:db8:ffff:0::1000. On the Home Agent, you can get similar information with the bc command of the Virtual Terminal, which displays all the Binding Cache entries.

You can also display some statistics about your HA or MN with the stats command:

# telnet localhost 7777
mip6d> stats
Input Statistics:
     11 Mobility Headers
     0 HoTI messages
     [...]

Changelog