How to setup a Mobile IPv6 testbed (with IPsec sta... http://www.umip.org/docs/umip-mip6.html

How to setup a Mobile IPv6 testbed
with IPsec static keying


Introduction
This section describes the UMIP configuration for a Mobile IPv6 testbed. The first part of this section
covers the Home Agent (HA) configuration, the second one the Mobile Node (MN) configuration.
Configuration for IPsec static keying is also considered. The changes required to configure a NEMO Basic
Support testbed are covered in another article available here.

To avoid spending hours debugging trivial issues, you should definitely get familiar with the UMIP
configuration in general (reading the man pages, setting up a simple configuration of UMIP without static
keying).

Below is a figure of the testbed setup, followed by some comments.


The main elements we consider are the HA and its MN:

- HA: the egress interface, connected to the Internet (possibly through other routers of the site) is
  eth1. The interface eth0 is the one connected to the home link of the MN. The address configured
  on eth0 is 2001:db8:ffff:0::1000/64.
- MN: it has two interfaces (802.11 and ethernet), the ethernet being the preferred one. The MN is
  presented in its Home network (bottom), then after a handover to a foreign network where it is
  connected using its ethernet interface (middle) and then in a second foreign network, which
  provides only a wifi access. The Home Address (HoA) of the MN is 2001:db8:ffff:0::1/64.

When it is not connected to its Home Link, the traffic exchanged between the MN and its HA is IPsec
protected (tunnel mode). In all cases, its signaling traffic is protected using transport mode. These sets of
Security Associations are depicted by the red arrows.


Configuring the Home Agent

In this subsection, we cover the configuration of the HA.

UMIP configuration

The UMIP Home Agent configuration file will be stored in /usr/local/etc/mip6d.conf. Here is a sample
file for our test network.

# Sample UMIP configuration file for a MIPv6 Home Agent
NodeConfig HA;

# Set DebugLevel to 0 if you do not want debug messages
DebugLevel 10;

# Replace eth0 with the interface connected to the home link
Interface "eth0";

# Binding information
BindingAclPolicy 2001:db8:ffff:0::1 allow;
DefaultBindingAclPolicy deny;

# Enable IPsec static keying
UseMnHaIPsec enabled;
KeyMngMobCapability disabled;

# IPsec Security Policies information
IPsecPolicySet {
HomeAgentAddress 2001:db8:ffff:0::1000;
HomeAddress 2001:db8:ffff:0::1/64;

IPsecPolicy Mh UseESP 10;
IPsecPolicy TunnelPayload UseESP 11;
}

The value of the NodeConfig parameter should not be a surprise. The Interface parameter is set to
"eth0" to declare the interface of the HA that is connected to the home link.

We define a specific binding ACL for every MN. This is the purpose of the BindingAclPolicy
2001:db8:ffff:0::1 allow; entry, which references the HoA of the MN and allows binding for it. The
DefaultBindingAclPolicy is set to deny to prevent binding of peers that are not explicitly allowed.

The parameter UseMnHaIPsec indicates that MIPv6 signaling between the HA and its MN must be
protected by IPsec. The next configuration block (IPsecPolicySet) is of particular interest. It deals with
the IPsec protection of the traffic between the HA and the MN (data and signaling). The addresses of the
Home Agent (HomeAgentAddress) and the Home Address of the MN (HomeAddress) are provided,
followed by some very simple IPsec policy descriptions (IPsecPolicy items). Here, we simply ask for
IPsec protection using ESP for:

- Signaling traffic between the MN and the HA, i.e. traffic using Mobility Header (IPsecPolicy Mh
  UseESP 10;),
- Data traffic tunneled between the MN and the HA (IPsecPolicy TunnelPayload UseESP 11;).

These rules cover all traffic (data and MIPv6 signaling) between the MN and the HA. UMIP will use this
information to set up a set of specific IPsec Security Policies for the two rules, which will require IPsec
Security Associations (SA) to be present in order for the associated traffic to flow. We present below how
to install such SAs.

Note: if you want to split your mip6d.conf file into multiple configuration files (for example if you want to
have one file per MN in which you can store the BindingAclPolicy and IPsecPolicySet specific to each of
them), it is possible to use an include statement in the mip6d.conf file. Wildcards are accepted, so you
can use it for example with:

include "/etc/mip6d.conf.d/*.conf"

Please refer to the mip6d.conf manpage for further details on its use.

IPsec SA configuration

Now that the UMIP configuration has been performed, the HA still lacks the Security Associations (SAs) to
protect the flows referenced by the Security Policies we have required. The IPsecPolicySet we configured
above uses the IPsec SAs below. Copy them in /usr/local/etc/setkey.conf:

# IPsec Security Associations
# HA address: 2001:db8:ffff:0::1000;
# MN HoA: 2001:db8:ffff:0::1/64;

# Flush the SAD and SPD
flush;
spdflush;

# MN1 -> HA transport SA for BU
add 2001:db8:ffff:0::1 2001:db8:ffff:0::1000 esp 1000
-u 10
-m transport
-E 3des-cbc "MIP6-010--12345678901234"
-A hmac-sha1 "MIP6-010--1234567890" ;

# HA -> MN1 transport SA for BA
add 2001:db8:ffff:0::1000 2001:db8:ffff:0::1 esp 1001
-u 10
-m transport
-E 3des-cbc "MIP6-010--12345678901234"
-A hmac-sha1 "MIP6-010--1234567890" ;

# MN1 -> HA any traffic
add 2001:db8:ffff:0::1 2001:db8:ffff:0::1000 esp 1002
-u 11
-m tunnel
-E 3des-cbc "MIP6-011--12345678901234"
-A hmac-sha1 "MIP6-011--1234567890" ;

# HA -> MN1 any traffic
add 2001:db8:ffff:0::1000 2001:db8:ffff:0::1 esp 1003
-u 11
-m tunnel
-E 3des-cbc "MIP6-011--12345678901234"
-A hmac-sha1 "MIP6-011--1234567890" ;
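The IPsecPolicySet only creates Security Policies; traffic flows only once setkey.conf holds an SA for each policy's reqid, in each direction, in the right mode. The Python script below is an added example, not part of the UMIP documentation: it parses constructed fragments shaped like the two files above (the sa() helper, check() and the sample strings are all assumptions) and lists mismatches such as a missing direction, a transport SA where the TunnelPayload policy needs tunnel mode, or a key of the wrong length for 3des-cbc or hmac-sha1.

```python
import re

# Added example (not from the UMIP docs): cross-check that the SAs in setkey.conf
# satisfy the IPsecPolicySet of mip6d.conf. All inputs are constructed samples.
# setkey entry: add SRC DST esp SPI -u REQID -m MODE -E ALG "KEY" -A ALG "KEY" ;
SA_RE = re.compile(r'add\s+(\S+)\s+(\S+)\s+esp\s+(\d+)\s+-u\s+(\d+)\s+-m\s+(\w+)\s+'
                   r'-E\s+(\S+)\s+"([^"]*)"\s+-A\s+(\S+)\s+"([^"]*)"\s*;')
POLICY_RE = re.compile(r'IPsecPolicy\s+(\w+)\s+UseESP\s+(\d+)\s*;')
POLICY_MODE = {"Mh": "transport", "TunnelPayload": "tunnel"}  # as in the article's SAs
KEY_BYTES = {"3des-cbc": 24, "hmac-sha1": 20}  # exact key sizes setkey enforces

def addr(conf, key):
    """Read 'key <addr>[/len];' from the IPsecPolicySet block, dropping the prefix length."""
    m = re.search(r'\b' + key + r'\s+([0-9a-fA-F:]+)(?:/\d+)?\s*;', conf)
    return m.group(1).lower() if m else None

def check(mip6d_conf, setkey_conf):
    """Return the list of mismatches; an empty list means every policy has its two SAs."""
    ha, hoa = addr(mip6d_conf, "HomeAgentAddress"), addr(mip6d_conf, "HomeAddress")
    if not ha or not hoa:
        return ["IPsecPolicySet lacks HomeAgentAddress or HomeAddress"]
    problems, sas = [], {}  # sas: (src, dst, reqid) -> (mode, spi)
    for src, dst, spi, reqid, mode, enc, ekey, auth, akey in SA_RE.findall(setkey_conf):
        for alg, key in ((enc, ekey), (auth, akey)):
            want = KEY_BYTES.get(alg)
            if want is not None and len(key) != want:
                problems.append(f"SPI {spi}: {alg} key is {len(key)} bytes, needs {want}")
        sas[(src.lower(), dst.lower(), reqid)] = (mode, spi)
    for ptype, reqid in POLICY_RE.findall(mip6d_conf):
        # UMIP installs one policy per direction, so each reqid needs an SA each way
        for src, dst in ((hoa, ha), (ha, hoa)):
            sa_entry = sas.get((src, dst, reqid))
            if sa_entry is None:
                problems.append(f"{ptype}: no SA {src} -> {dst} with reqid {reqid}")
            elif sa_entry[0] != POLICY_MODE.get(ptype, sa_entry[0]):
                problems.append(f"{ptype}: SPI {sa_entry[1]} is {sa_entry[0]}, policy needs {POLICY_MODE[ptype]}")
    return problems

def sa(src, dst, spi, reqid, mode, tag):
    """Constructed setkey 'add' entry in the article's layout (sample data, not real keys)."""
    return (f'add {src} {dst} esp {spi} -u {reqid} -m {mode}\n'
            f'-E 3des-cbc "MIP6-{tag}--12345678901234"\n-A hmac-sha1 "MIP6-{tag}--1234567890" ;\n')

HA, HOA = "2001:db8:ffff:0::1000", "2001:db8:ffff:0::1"
MIP6D_CONF = (f"IPsecPolicySet {{\nHomeAgentAddress {HA};\nHomeAddress {HOA}/64;\n"
              "IPsecPolicy Mh UseESP 10;\nIPsecPolicy TunnelPayload UseESP 11;\n}")
SETKEY_CONF = (sa(HOA, HA, 1000, 10, "transport", "010") + sa(HA, HOA, 1001, 10, "transport", "010")
               + sa(HOA, HA, 1002, 11, "tunnel", "011") + sa(HA, HOA, 1003, 11, "tunnel", "011"))

if __name__ == "__main__":
    print(check(MIP6D_CONF, SETKEY_CONF) or "setkey.conf matches the IPsecPolicySet")
```

To run it against real files, read /usr/local/etc/mip6d.conf and /usr/local/etc/setkey.conf into the two strings instead of the constructed samples.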

Router Advertisement configuration

The Home Agent also needs to advertise the Home Link prefix in its Home Link using Router
Advertisements. For that purpose, we use the radvd software with the below configuration. Copy it in
/etc/radvd.conf:

# Home Agent radvd configuration file
# Replace eth0 with the interface connected to the home link
interface eth0
{
AdvSendAdvert on;
MaxRtrAdvInterval 3;
MinRtrAdvInterval 1;
AdvIntervalOpt on;
AdvHomeAgentFlag on;
AdvHomeAgentInfo on;
HomeAgentLifetime 1800;
HomeAgentPreference 10;

# Home Agent address
prefix 2001:db8:ffff:0::1000/64
{
AdvRouterAddr on;
AdvOnLink on;
AdvAutonomous on;
};
};

Note: even if you do not plan to use the Home Link (e.g. in a Virtual Home Link configuration), you
still have to send Router Advertisements with the home link prefix: mip6d needs them to configure its
Home Agent list. In that case, you can use a dummy interface and advertise the Home Link prefix on it.
Here is the procedure. You need the dummy kernel module:

# modprobe dummy

This will create a dummy0 interface. Bring it up and configure it with the Home Agent address:

# ifconfig dummy0 up
# ifconfig dummy0 inet6 add 2001:db8:ffff:0::1000/64

You can now use the dummy0 interface as the home link interface. You must thus use dummy0 instead of
eth0 in all the Home Agent configuration files (mip6d.conf and radvd.conf). In the radvd.conf file, you
should also use the UnicastOnly on; parameter.

We will also explain in the next section how to set up a dummy interface automatically at startup.

Misc. configuration


IPv6 forwarding must be activated on the Home Agent. In order to enable it automatically at startup, you
can add (or uncomment) the following line in the /etc/sysctl.conf file:

net.ipv6.conf.all.forwarding=1

You can also do it manually with the following command:

# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

You should also statically configure the address of your Home Agent on its Home Link interface. You can
update the /etc/network/interfaces file with the configuration below. The address will thus be
automatically configured at startup:

# Configuration of the home link interface
allow-hotplug eth0
iface eth0 inet6 static
address 2001:db8:ffff:0::1000
netmask 64

If you prefer to use a dummy interface on your Home Agent as explained in the previous section, you can
add the following in the configuration of the interface connected to the Internet (e.g. eth1):

allow-hotplug eth1
iface eth1 inet6 static
[...]
up modprobe dummy
up ifconfig dummy0 up
up ifconfig dummy0 inet6 add 2001:db8:ffff:0::1000/64

Also, do not forget to advertise your Home Link prefix in the routing infrastructure of your testbed. For
that purpose, you may choose static routing in your testbed, or you can use a routing protocol such as
ripng. The quagga routing software suite provides such a routing protocol. Please refer to the quagga
homepage for more information.

Starting the daemons

Now that everything is ready, let's start the Home Agent operations. For that purpose, you need to install
the IPsec SAs first, then start the mobility and radvd daemons as explained below.

In order to install the IPsec SAs automatically at boot, you can copy this S19setkey script into your
/etc/rc2.d directory. This script requires the setkey command, which is provided by the ipsec-tools
package. If you want to install the IPsec SAs manually, you can do so by using the setkey command
directly, as follows:

# setkey -f /usr/local/etc/setkey.conf

In order to start the mobility daemon automatically at boot, you can copy this S20mip6d script into
your /etc/rc2.d directory. This script will also log all the mobility daemon operations in
/var/log/mip6d.log. If you want to start the mobility daemon manually, you can use the following command:

# mip6d -c /usr/local/etc/mip6d.conf

The radvd daemon is supposed to start automatically on startup when it finds a suitable radvd.conf file in
the /etc directory. You can also start it manually with the following command:

# radvd -C /etc/radvd.conf


Configuring the Mobile Node


In this subsection, we cover the configuration of the Mobile Node (MN).

UMIP configuration

The UMIP Mobile Node configuration file will be stored in /usr/local/etc/mip6d.conf. Here is a sample
file for our test network:

# Sample UMIP configuration file for a MIPv6 Mobile Node
NodeConfig MN;

# Set DebugLevel to 0 if you do not want debug messages
DebugLevel 10;

# Enable the optimistic handovers
OptimisticHandoff enabled;

# Disable RO with other MNs (it is not compatible
# with IPsec Tunnel Payload)
DoRouteOptimizationMN disabled;

# The Binding Lifetime (in sec.)
MnMaxHaBindingLife 60;

# List here the interfaces that you will use
# on your mobile node. The available one with
# the smallest preference number will be used.
Interface "eth0" {
MnIfPreference 1;
}
Interface "wlan0" {
MnIfPreference 2;
}

# Replace eth0 with one of your interface used on
# your mobile node
MnHomeLink "eth0" {
HomeAgentAddress 2001:db8:ffff:0::1000;
HomeAddress 2001:db8:ffff:0::1/64;
}

# Enable IPsec static keying
UseMnHaIPsec enabled;
KeyMngMobCapability disabled;

# IPsec Security Policies information
IPsecPolicySet {
HomeAgentAddress 2001:db8:ffff:0::1000;
HomeAddress 2001:db8:ffff:0::1/64;

IPsecPolicy Mh UseESP 10;
IPsecPolicy TunnelPayload UseESP 11;
}

Quite obviously, the NodeConfig parameter is set to MN. The OptimisticHandoff parameter enables
the use of tunnels as soon as the Binding Update message is sent (i.e. without waiting for a Binding Ack).
Enabling it reduces the handover time.

As we do not want our MN to initiate Route Optimization with Correspondent Nodes (which would imply
losing IPsec protection for traffic leaving/entering the foreign network), it is disabled using the
DoRouteOptimizationMN parameter. The MnMaxHaBindingLife can be used to set the binding lifetime
(in sec.).

Then comes the configuration of the interfaces on our MN, which is pretty easy to understand: we
preferentially use our ethernet interface eth0 (better throughput and lower latency) if the link is available
and if UMIP manages to configure on it an IPv6 address usable as a Care-of Address (CoA). If this is not the
case, then the Wifi interface wlan0 is used. If you plan to use an interface that is in fact a tunnel interface,
you should probably use the Tunnel enabled; option. Please refer to this documentation or to the
mip6d.conf manpage for more information on its use.

The parameter UseMnHaIPsec indicates that MIPv6 signaling between the MN and its HA must be
protected by IPsec. The IPsecPolicySet block is identical to the block specific to this MN that we
previously described in the HA section.

IPsec SA configuration

The IPsec SAs needed on the MN are the same as those installed on the HA for that MN. You can thus
use the same IPsec SAs as those we described in the HA section, and copy them on the MN in the
/usr/local/etc/setkey.conf file.

Misc. configuration

UMIP will take care of configuring the Home Address automatically on the correct interface.

Besides, UMIP will use IPv6 autoconfiguration to configure a CoA on its interfaces. Make sure that the
interfaces that connect to the network (eth0 and wlan0 in our testbed) will be up at startup (especially
that your wireless interface is correctly configured to connect to the desired access point). Also, make sure
that you receive Router Advertisements from the foreign networks.

Starting the daemons

The MN needs to install the IPsec SAs and start the mip6d daemon. You can do that in the same way as
explained for the HA. In particular, you can use the same startup scripts as those linked from the HA
section.


Operations
Once your HA is running, you can boot the MN. Once it is started, make sure that the MN is reachable
(using ping6 for example) when it is in the Home Link. If it is not reachable, you certainly have a
configuration or routing problem in your testbed.

If your MN is reachable, then you can try to move it from the Home Link to a foreign network. The MN
will then register to the HA and will still be reachable at its Home Address.

You can check that the registration to the HA was successful by checking the Binding Update List on the
MN and the Binding Cache on the HA. For that purpose, we can use the Virtual Terminal of UMIP on the
MN:

# telnet localhost 7777
mip6d> verbose yes
yes
mip6d> bul
== BUL_ENTRY ==
Home address 2001:db8:ffff:0::1
Care-of address 2001:db8:ffff:f300:feed:beef:feed:beef
CN address 2001:db8:ffff:0::1000
lifetime = 8, delay = 7000
flags: IP6_MH_BU_HOME IP6_MH_BU_ACK
ack ready
dev eth0 last_coa 2001:db8:ffff:f300:feed:beef:feed:beef
lifetime 4 / 8 seq 51006 resend 0 delay 7(after 3s) expires 4
mps 2332741 / 2332798

We can see that the Care-of Address 2001:db8:ffff:f300:feed:beef:feed:beef which is bound to the Home
Address 2001:db8:ffff:0::1 is registered to the Correspondent Node (here, the Home Agent) whose address
is 2001:db8:ffff:0::1000. On the Home Agent, you can get similar information with the bc command of the
Virtual Terminal, which displays all the Binding Cache entries.

You can also display some statistics about your HA or MN with the stats command:

# telnet localhost 7777
mip6d> stats
Input Statistics:
11 Mobility Headers
0 HoTI messages
[...]


Changelog
2010/10/04: Added some note on the radvd UnicastOnly option when using dummy interfaces;
some note on the nested configuration (include statement) and Tunnel option of mip6d.conf; some
note on the statistics feature of the virtual terminal.
2009/11/02: First version of this document.
