How to set up a NEMO Basic Support testbed
with IPsec static keying

Intro   HA   MR   Operations   Changelog

Introduction

This section describes the UMIP configuration for a NEMO Basic Support testbed. It explains the small modifications needed to turn your HA into a NEMO HA and your MN into a Mobile Router (MR). The remainder of this document builds on the one describing how to set up a Mobile IPv6 testbed, so it is preferable that you already have a working Mobile IPv6 testbed before going any further.

Below is a figure of the testbed setup, followed by some comments.

Figure of HA and MR

The mobile network is connected to the eth1 interface of the MR (called the ingress interface). The MR advertises a prefix (called the Mobile Network Prefix, MNP) into its mobile network. In our testbed, this MNP is 2001:db8:ffff:ff01::/64. The MR also configures an address on its ingress interface (2001:db8:ffff:ff01::1).

The MNP used by the MR must be routable towards the HA. For that purpose, an address space dedicated to a set of MNPs is assigned to the HA: 2001:db8:ffff:ff00::/56. This prefix must be advertised by the HA in the routing infrastructure.

Configuring the NEMO Home Agent

In this subsection, we cover the configuration of the NEMO HA.

Figure of NEMO HA

UMIP configuration

Here is a modified UMIP Home Agent configuration for NEMO operations. Changes made in the file are marked with NEMO ADDITION. Modify your /usr/local/etc/mip6d.conf file accordingly.

# Sample UMIP configuration file for a NEMO Home Agent
NodeConfig HA;

# Set DebugLevel to 0 if you do not want debug messages
DebugLevel 10;

# Replace eth0 with the interface connected to the home link
Interface "eth0";

# Accept registrations from Mobile Routers
HaAcceptMobRtr enabled;                     ## NEMO ADDITION ##
HaServedPrefix 2001:db8:ffff:0::/64;        ## NEMO ADDITION ##

# Binding information
BindingAclPolicy 2001:db8:ffff:0::1 (2001:db8:ffff:ff01::/64) allow;  ## NEMO ADDITION ##
DefaultBindingAclPolicy deny;

# Enable IPsec static keying
UseMnHaIPsec enabled;
KeyMngMobCapability disabled;

# IPsec Security Policies information
IPsecPolicySet {
    HomeAgentAddress 2001:db8:ffff:0::1000;
    HomeAddress 2001:db8:ffff:0::1/64;
 
    # All MH packets (BU/BA/BERR)
    IPsecPolicy Mh UseESP 11 12;
    # All tunneled packets (HoTI/HoT, payload)
    IPsecPolicy TunnelPayload UseESP 13 14;
    # All ICMP packets (MPS/MPA, ICMPv6)
    IPsecPolicy ICMP UseESP 15 16;
}

The first thing to do is to allow the HA to accept bindings from Mobile Routers by enabling the HaAcceptMobRtr parameter. The HaServedPrefix option defines the prefix from which the HoA of your MR is taken. With NEMO Basic Support, it is possible to take the HoA from the MNP allocated to your MR. In our testbed, this is not the case, so we simply put the Home Link prefix (2001:db8:ffff:0::/64) in the HaServedPrefix parameter.

The HA needs to declare which MNP is associated with the MR. This is done by listing, in parentheses, the set of prefixes the MR is allowed to request in the BindingAclPolicy parameter.

No changes are needed in the IPsec configuration. All the traffic towards the mobile network will also automatically be protected with IPsec tunnel mode.


IPsec SA configuration

No changes are needed in the IPsec SA configuration. You can keep the same /usr/local/etc/setkey.conf file as the one you created for your Mobile IPv6 Home Agent.


Router Advertisement configuration

A new option is needed in your /etc/radvd.conf file. The AdvMobRtrSupportFlag option must be set to on so that the HA advertises that it supports NEMO registrations.

# NEMO Home Agent radvd configuration file
# Replace eth0 with the interface connected to the home link
interface eth0
{
    AdvSendAdvert on;
    MaxRtrAdvInterval 3;
    MinRtrAdvInterval 1;
    AdvIntervalOpt on;
    AdvHomeAgentFlag on;
    AdvHomeAgentInfo on;
    HomeAgentLifetime 1800;
    HomeAgentPreference 10;
    
    ## NEMO ADDITION ##
    AdvMobRtrSupportFlag on;

    # Home Agent address
    prefix 2001:db8:ffff:0::1000/64
    {
        AdvRouterAddr on;
        AdvOnLink on;
        AdvAutonomous on;
    };
};

Routing configuration

All the traffic towards the MNP must be routed through your HA, which must thus advertise its set of MNPs over the routing infrastructure. For that purpose, you may choose static routing in your testbed, or you can use a routing protocol such as RIPng. The quagga routing software suite provides such a routing protocol. Please refer to the quagga homepage for more information.

Also, when the MR is at home, the HA lacks the routing information towards the MNP. A static route can be installed on the HA to allow routing to the mobile network while the MR is at home. Such a route will not be used when the MR is in a foreign network (the route installed by UMIP towards the MR-HA tunnel will be chosen instead). To install such a static route at startup, you can update the /etc/network/interfaces file with the configuration below:

# Configuration of the home link interface
allow-hotplug eth0
iface eth0 inet6 static
    [...]
    up ip -6 route add 2001:db8:ffff:ff01::/64 via 2001:db8:ffff:0::1

Configuring the Mobile Router

In this subsection, we cover the configuration of the Mobile Router (MR).

Figure of MR

UMIP configuration

Here is a modified UMIP Mobile Router configuration. Changes made in the file are marked with NEMO ADDITION. Modify your /usr/local/etc/mip6d.conf file accordingly.

# Sample UMIP configuration file for a Mobile Router
NodeConfig MN;

# Set DebugLevel to 0 if you do not want debug messages
DebugLevel 10;

# Enable the optimistic handovers
OptimisticHandoff enabled;

# Disable RO with other MNs (it is not compatible 
# with IPsec Tunnel Payload)
DoRouteOptimizationMN disabled;
 
# The Binding Lifetime (in sec.)
MnMaxHaBindingLife 60;

# Use NEMO Explicit Mode
MobRtrUseExplicitMode enabled;      ## NEMO ADDITION ##

# List here the interfaces that you will use 
# on your mobile node. The available one with 
# the smallest preference number will be used.
Interface "eth0" {
    MnIfPreference 1;
}
Interface "wlan0" {
    MnIfPreference 2;
}

# Replace eth0 with one of your interface used on
# your mobile node
MnHomeLink "eth0" {
    IsMobRtr enabled;               ## NEMO ADDITION ##
    HomeAgentAddress 2001:db8:ffff:0::1000;
    HomeAddress 2001:db8:ffff:0::1/64 (2001:db8:ffff:ff01::/64);  ## NEMO ADDITION ##
}

# Enable IPsec static keying
UseMnHaIPsec enabled;
KeyMngMobCapability disabled;

# IPsec Security Policies information
IPsecPolicySet {
    HomeAgentAddress 2001:db8:ffff:0::1000;
    HomeAddress 2001:db8:ffff:0::1/64;
 
    # All MH packets (BU/BA/BERR)
    IPsecPolicy Mh UseESP 11 12;
    # All tunneled packets (HoTI/HoT, payload)
    IPsecPolicy TunnelPayload UseESP 13 14;
    # All ICMP packets (MPS/MPA, ICMPv6)
    IPsecPolicy ICMP UseESP 15 16;
}

We enable the NEMO explicit registration mode with the MobRtrUseExplicitMode parameter. Note that this is not mandatory, as it is enabled by default.

All the other changes take place in the MnHomeLink block. We allow the MR to act as a router by enabling the IsMobRtr parameter. The MNP that we previously declared on the NEMO HA side is added, in parentheses, to the HomeAddress statement.

No changes are needed in the IPsec configuration. All the traffic from the mobile network will also automatically be protected with IPsec tunnel mode.
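The HA-side settings (HaAcceptMobRtr, HaServedPrefix, BindingAclPolicy) and the MR-side MnHomeLink block (IsMobRtr, HomeAddress with its MNP) must agree, or the HA will refuse the registration. As an added example, not part of this page or of UMIP, the following Python script checks that consistency and also verifies that the MNP falls inside the /56 delegated to the HA in the Introduction; the two configuration excerpts are constructed from the files shown above, and the function and constant names are assumptions.

```python
import ipaddress
import re

# Aggregate MNP space routed towards the HA (from the Introduction).
HA_MNP_SPACE = ipaddress.ip_network("2001:db8:ffff:ff00::/56")

# Constructed excerpts of the HA and MR mip6d.conf files shown on this page.
HA_CONF = """
HaAcceptMobRtr enabled;
HaServedPrefix 2001:db8:ffff:0::/64;
BindingAclPolicy 2001:db8:ffff:0::1 (2001:db8:ffff:ff01::/64) allow;
DefaultBindingAclPolicy deny;
"""
MR_CONF = """
MnHomeLink "eth0" {
    IsMobRtr enabled;
    HomeAgentAddress 2001:db8:ffff:0::1000;
    HomeAddress 2001:db8:ffff:0::1/64 (2001:db8:ffff:ff01::/64);
}
"""

def _prefixes(text):
    """Parse a comma/space separated prefix list into a set of networks."""
    return {ipaddress.ip_network(p) for p in re.split(r"[,\s]+", text.strip()) if p}

def check_nemo_config(ha_conf, mr_conf):
    """Return a list of mismatches; an empty list means the HA will admit this MR."""
    problems = []
    if not re.search(r"^\s*HaAcceptMobRtr\s+enabled;", ha_conf, re.M):
        problems.append("HA: HaAcceptMobRtr is not enabled")
    if not re.search(r"^\s*IsMobRtr\s+enabled;", mr_conf, re.M):
        problems.append("MR: IsMobRtr is not enabled in MnHomeLink")
    served = ipaddress.ip_network(re.search(r"HaServedPrefix\s+(\S+);", ha_conf).group(1))
    # The MR's HomeAddress line carries the HoA and, in parentheses, the requested MNP(s).
    hoa_str, mnp_str = re.search(r"HomeAddress\s+(\S+?)/\d+\s*\(([^)]*)\);", mr_conf).groups()
    hoa, mr_mnps = ipaddress.ip_address(hoa_str), _prefixes(mnp_str)
    if hoa not in served:
        problems.append(f"MR HoA {hoa} is outside HaServedPrefix {served}")
    # Collect the prefixes the HA allows for this HoA (the default policy is deny).
    allowed = set()
    for m in re.finditer(r"BindingAclPolicy\s+(\S+)\s*\(([^)]*)\)\s+allow;", ha_conf):
        if ipaddress.ip_address(m.group(1)) == hoa:
            allowed |= _prefixes(m.group(2))
    if mr_mnps != allowed:
        problems.append(f"MNP mismatch: MR requests {sorted(map(str, mr_mnps))}, HA allows {sorted(map(str, allowed))}")
    for mnp in mr_mnps:
        if not mnp.subnet_of(HA_MNP_SPACE):
            problems.append(f"MNP {mnp} is outside the HA aggregate {HA_MNP_SPACE}")
    return problems
```

Run check_nemo_config() on the contents of both real files before starting mip6d; each reported mismatch names the side (HA or MR) and the parameter to correct.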


IPsec SA configuration

No changes are needed in the IPsec SA configuration. You can keep the same /usr/local/etc/setkey.conf file as the one you created for your Mobile IPv6 Mobile Node.


Router Advertisement configuration

The MR needs to advertise its MNP in the mobile network using Router Advertisements (RA). For that purpose, we use the radvd software with the configuration below. Copy it to /etc/radvd.conf:

# Mobile Router radvd configuration file
# Replace eth1 with your ingress interface name
interface eth1
{
    AdvSendAdvert on;
    MaxRtrAdvInterval 3;
    MinRtrAdvInterval 1;
    AdvIntervalOpt on;
    IgnoreIfMissing on;
    
    # Mobile Router address on the ingress interface
    prefix 2001:db8:ffff:ff01::1/64
    {
        AdvRouterAddr on;
        AdvOnLink on;
        AdvAutonomous on;
        AdvPreferredLifetime 60;
        AdvValidLifetime 120;
        AdvLinkMTU 1280;
    };
};

The radvd daemon should start automatically at boot when it finds a suitable radvd.conf file in the /etc directory. If needed, you can also start it manually with the following command:

# radvd -C /etc/radvd.conf

Miscellaneous configuration

IPv6 forwarding must be activated on the MR. In order to enable it automatically at startup, you can add (or uncomment) the following line in the /etc/sysctl.conf file:

net.ipv6.conf.all.forwarding=1

You can also do it manually with the following command:

# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

You should also statically configure the address of your ingress interface (2001:db8:ffff:ff01::1 on eth1 in our testbed). You can update the /etc/network/interfaces file with the configuration below so that the address is automatically configured at startup:

# Configuration of the ingress interface (mobile network)
allow-hotplug eth1
iface eth1 inet6 static
    address 2001:db8:ffff:ff01::1
    netmask 64

Operations


Starting the daemons

The procedure to start the daemons (setkey, mip6d and radvd) is similar to the one explained in the Mobile IPv6 testbed documentation. You can keep the same startup scripts as those used for your Mobile IPv6 testbed. The only difference is that the MR must also run radvd on the interface connected to its mobile network.


Monitoring

You can connect any kind of IPv6 device to your mobile network. They will keep the same IPv6 address (configured from the advertised MNP) even when the MR moves from one network to another.

After booting the HA and then the MR, you can test whether your MR and the devices connected to the mobile network are reachable from the HA (using ping6, for example) while the MR is on the Home Link. If they are not reachable, you most likely have a configuration or routing problem in your testbed.

If they are reachable, you can then try to move the MR from the Home Link to a foreign network. The MR will then register with the HA and will still be reachable at its Home Address. All the devices in the mobile network will also be reachable at the same addresses as before.

You can check that the registration with the HA was successful by inspecting the Binding Update List on the MR and the Binding Cache on the HA through the virtual terminal, as was done for your Mobile IPv6 testbed.

Changelog