[Mip4] Mobile IP Implementation

Hi Friends,
               I am trying to implement Mobile IP on Linux PCs, CentOS
for the HA and FA, Ubuntu for the MN. I have configured the nodes, but when
the MN moves to the FA it cannot register with the FA. I am using Dynamics
Mobile IP as the client. Could you advise me on the issue? I am attaching
the configuration files to this email. I have configured a DHCP server on
the FA and sub-interfaces on the MN, but I am unable to understand what IP
address I should assign to the sub-interfaces. I can see the agents sending
advertisements but the MN cannot receive them.. :-((

Any help on this is greatly appreciated.

-- 
There is no key to happiness, the door is always open...!! ;-)
# $Id: dynhad.conf,v 1.39 2001/10/20 13:36:07 jm Exp $
# Home Agent configuration file
#
# Dynamic hierarchical IP tunnel
# Copyright (C) 1998-2001, Dynamics group
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation. See README and COPYING for
# more details.
#
#######################################################################
#
# NOTE! 
#	This is an example configuration file designed to give
#	perspective to the system configuration AND to provide
#	a basis for a working simple test environment.
#	The values of some of the parameters may not be the
#	same as the daemon's defaults, so don't get confused.
#
#
#######################################################################
#

# Interfaces to be used for Mobile IP services. Note that you have to configure
# each interface that may receive or send registration messages.
# interface: name of the interface, e.g. eth0
# ha_disc:
#    0 = do not allow dynamic HA discovery
#    1 = allow dynamic HA discovery with broadcast messages
# agentadv:
#    0 = do not send agent advertisements without agent solicitation
#    1 = send agent advertisements regularly
#   -1 = do not send any (even solicited) agent advertisements
# interval: number of seconds to wait between two agentadvs
#           (if allowed for this interface)
# force_IP_addr: local address to be forced for this interface
#		 (can be used to select one of the multiple virtual
#		 addresses); if not entered, the primary address of the
#		 interface is used
INTERFACES_BEGIN
# interface  ha_disc  agentadv  interval  force_IP_addr
eth0         1        1         10
#eth1        1        1         20        192.168.240.2
INTERFACES_END

# Network Access Identifier (NAI) of this HA
# Unique identifier for this HA. A macro [interface] can be used to get
# the hardware address of an interface in dot-separated format.
# This is needed, if private address space is used in the home network.
# NetworkAccessIdentifier "[eth0] at example.com"

# Surrogate HA IP Address
# This is only needed, if private address space and a surrogate HA are used in
# the home network.
# SHAIPAddress 10.10.10.10

# Private HA Identifier at SHA
# Unique identifier (32-bit number) at SHA for this private HA.
# This is only needed, if private address space and a surrogate HA are used in
# the home network.
# PrivateHAIdentifier 1

# UDP port to listen for registration requests
# The default is 434
UDPPort 434

# Socket priority for signaling sockets (UDP) can be set with SO_PRIORITY to
# allow easier QoS configuration. If this argument is set, the given value is
# used as a priority for the signaling socket. E.g. CBQ class can be used to
# make sure that signaling is not disturbed by other traffic on a congested
# link.
# This feature is still undocumented and can be left commented.
#
# SocketPriority 1

# MaxBindings can be used to restrict the maximum number of Mobile Nodes
# that are concurrently attached to this Home Agent.
# The default is 20.
MaxBindings 20

# The default tunnel lifetime is suggested also by the HA.
# The default lifetime is 500.
HADefaultTunnelLifetime 600

# The Registration error reply interval should be restricted to
# avoid system overloading situations when receiving too much
# incorrect Registration Reply messages.
# The default value for RegErrorReplyInterval is 1 second.
RegErrorReplyInterval 1

# Triangle tunnel means that the packets to MNs are sent via the HA, but
# packets from the MN are routed directly (i.e. the FA uses normal IP routing).
# EnableTriangleTunneling < TRUE | FALSE >
EnableTriangleTunneling TRUE

# Reverse tunnel means bi-directional tunneling in which both the packets
# from and to the MN are sent via the HA
# EnableReverseTunneling < TRUE | FALSE >
EnableReverseTunneling TRUE

########################################################################
# The Home Agent needs to know what kind of security parameters each
# authorized Mobile Node uses. That is why there is a table that maps
# (in a many-to-many relationship) SPI numbers, or SPI-number ranges, to
# IP addresses - or IP-address ranges defined by network addresses and
# netmasks. The netmask may be defined in two ways: either in
# "bit offset notation" (the third row in the example) or in the
# "dotted decimal notation" (the fifth row in the example below).
# The list of Mobile Node information is enclosed between two
# keywords: AUTHORIZEDLIST_BEGIN and AUTHORIZEDLIST_END.
#
# < SPI | SPI-range       IP | network/netmask  >
# Example:

AUTHORIZEDLIST_BEGIN
# SPI           IP
#1000            192.168.240.2
#1001            192.168.240.3
#1002            0.0.0.0/0
#11000-11999     192.168.241.4
#12000           192.168.250.0/255.255.255.0
#13000-14000     192.168.251.0/28
#1000		192.168.242.2
AUTHORIZEDLIST_END

# The Home Agent needs a security association for each authorized Mobile
# Node. The association includes the following information.
#
# SPI (Security Parameter Index): a key for the other fields.
#
# Authentication Algorithm:
#    1: MD5/prefix+suffix (a.k.a. keyed-MD5) [RFC 2002]
#    4: HMAC-MD5 [RFC 2104]
#    5: SHA-1 [FIPS 180-1]
#    6: HMAC-SHA1 [RFC 2104]
# Note! MD5/prefix+suffix has known weaknesses and use of HMAC-MD5 is
# recommended. The MD5/prefix+suffix algorithm is kept for backwards
# compatibility with older versions that do not support the more secure HMAC-MD5.
#
# Replay Protection Method:
#    0: none
#    1: timestamps
#    2: nonces
#
# Timestamp tolerance indicates how many seconds the MN's timestamp can differ
# from the HA's clock. 7 seconds is the recommended default value. This
# tolerance is checked only when timestamps are used for replay protection.
#
# The maximum lifetime for the binding is given in seconds.
# Special case: 65535 (or more) seconds means unlimited time (the binding will
# not expire)
#
# Shared Secret: a secret data known by MN and HA. It can be given as
# a HEX code string, i.e. two characters (0-F) correspond to one octet.
# The shared secret can also be given as a character string (e.g.
# "ABCDE" corresponds to 4142434445).
# Note: RFC 2002 specifies that the default key size is 128 bits (i.e.
# 16 bytes or 32 hex 'characters'). Dynamics supports also other key lengths.
#
# The SPI is the key identifier for the rest of the security parameters
# on the same line. SPI number ranges may be assigned the same security
# parameters.
#
# The list of Mobile Node information is separated between two
# keywords: SECURITY_BEGIN and SECURITY_END.
#
SECURITY_BEGIN
#       auth.   replay  timestamp       max             shared
# SPI   alg.    meth.   tolerance       lifetime        secret
1000	4	1	120		600		"test"
#1002    4       2       60              120             01020304050607
#10000   4       1       60              300             016A352B2F235E
#10001   4       1       120             180             0EF42BD234ECCAA2
SECURITY_END
#
########################################################################
# Home Agent may have optional security associations with Foreign
# Agents. If the security association exists the session key can be
# encrypted with the help of shared secret and thus man-in-the-middle
# style attacks can be prevented. If no security association is set
# for a certain Foreign Agent - Home Agent pair, public key encryption
# (RSA) is used.
#
# When private address space is used, this list must have a security
# association with the surrogate HA instead of the FAs. Possible security
# associations with the FAs are then configured to the SHA.
#
# The following list contains the shared secrets indexed by SPI (and
# Foreign Agent IP address). The algorithm field specifies the method
# used for authentication and key distribution:
#    1: MD5/prefix+suffix (a.k.a. keyed-MD5) [RFC 2002]
#    4: HMAC-MD5 [RFC 2104]
#    5: SHA-1 [FIPS 180-1]
#    6: HMAC-SHA1 [RFC 2104]
# The format of the shared secret field is identical to the one used with the
# MN-HA security association list above.
#
FA_SECURITY_BEGIN
# SPI		FA IP		Alg.	Shared Secret
#2001		192.168.0.1	4	0123456789ABCDEF
#2002		192.168.0.2	4	"eslkfj89jr3hduh3R!as"
FA_SECURITY_END
#
# The Highest FA public key can be protected from man-in-the-middle style
# attacks between the HFA and the HA with a hash code. The use of this hash
# is optional, but recommended. The HA can have different ways of checking
# the hash code.
# Methods:
#    0: skip the hash code completely (not recommended)
#    1: if the hash code is received, check the public key with it
#    2: require the correct hash code for every registration message
#       with a public key (this may prevent the use of some organizations
#       which do not advertise the hash code)
PublicKeyHashMethod 1
#
########################################################################

# The log messages are written through syslog service. The facility to be
# used defaults to LOG_LOCAL0, but it can be set with this parameter
# to any of the possible facilities (LOG_AUTHPRIV, LOG_DAEMON, and so on).
# The processing of log messages is defined in /etc/syslog.conf file.
SyslogFacility LOG_DAEMON

# Home Agents (and Foreign Agents) use unix domain sockets
# to communicate through their API interfaces.
# The group and owner must be given as names (strings); numeric groupIDs or userIDs are not
# allowed. The file permissions are set in octal values like in chmod(1).
# The configuration parameters of the two API sockets are as follows:
HAAPIReadSocketPath "/var/run/dynamics_ha_read"
HAAPIReadSocketGroup "root"
HAAPIReadSocketOwner "root"
HAAPIReadSocketPermissions 0766
#
HAAPIAdminSocketPath "/var/run/dynamics_ha_admin"
HAAPIAdminSocketGroup "root"
HAAPIAdminSocketOwner "root"
HAAPIAdminSocketPermissions 0700
#
# Every configuration file must end with the keyword 'END'.
END
# $Id: dynfad.conf,v 1.64 2001/10/20 13:36:07 jm Exp $
# Foreign Agent configuration file
#
# Dynamic hierarchical IP tunnel
# Copyright (C) 1998-2001, Dynamics group
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation. See README and COPYING for
# more details.
#
#######################################################################
#
# NOTE! 
#	This is an example configuration file designed to give
#	perspective to the system configuration AND to provide
#	a basis for a working simple test environment.
#	The values of some of the parameters may not be the
#	same as the daemon's defaults, so do not get confused.
#
########################################################################
#
# Interfaces to be used for Mobile IP services
# interface: name of the interface, e.g. eth0
# type:
#    1 = both upper and lower direction
#    2 = only upper direction (to upper FA / HA)
#    3 = only lower direction (to lower FA / MN)
#    Note: Only one interface can be used for upper direction, but
#    multiple interfaces can be used for lower direction.
# agentadv:
#    0 = do not send agent advertisements without agent solicitation
#    1 = send agent advertisements regularly
#   -1 = do not send any (even solicited) agent advertisements
# interval: number of seconds to wait between two agentadvs
#           (if allowed for this interface)
# force_IP_addr: local address to be forced for this interface
#		 (can be used to select one of the multiple virtual
#		 addresses); if not entered, the primary address of the
#		 interface is used
#
# In the example below, interface "eth0" can be used for both upper and lower
# directions, Agent Advertisements are sent regularly with the interval
# of 30 s, and the primary address of the eth0 interface is used. 
# Correspondingly, interface "eth1" would allow only lower direction
# connections (connections with MNs or lower FAs) with periodical 
# Agent Advertisements with an interval of 20 s, and a specific IP address
# would be forced to the interface "eth1".
#
# The last entry that is of type upper (or both upper and lower) is
# used to send messages in the upper direction.
#  
INTERFACES_BEGIN
# interface  type  agentadv  interval  force_IP_addr
eth0         1	   1         30
#eth1        3     1         20	       192.168.240.2
INTERFACES_END
########################################################################

# Network Access Identifier (NAI) of this FA
# Unique identifier for this FA. A macro [interface] can be used to get
# the hardware address of an interface in dot-separated format.
NetworkAccessIdentifier "[eth0] at example.com"

# Address of the highest FA
# This address is used in the communication with the HA and it is advertised
# in agent advertisement messages. This should be from the "public side"
# interface of the FA (i.e., the interface that is toward HA or the default
# gateway).
# If this FA is the highest FA for some organization, use its address here.
# In this case, the address would most probably be from the interface that
# is configured for upper direction (type 1 or 2 in the interface list above).
HighestFAIPAddress 40.1.1.4

# Highest FA public key extension hash
# This hash code is used to protect the public key from active
# man-in-the-middle style attacks. Its use is optional, but recommended. If
# this hash is configured, the FA broadcasts it in the agent advertisements
# and the MNs send it in their registration requests to the HA (protected with
# MN-HA authentication extension).
# The hash code is printed by the rsakeygen utility and if used, it must be
# the hash of this organization's highest FA.
# HighestFAPubKeyHash 78439F9EA1FE32EDD8CE2028062DC96A

# Address of the upper FA
# This is the address of the FA to which the requests are forwarded
# on their way to the Home Agent.
# If this is the same as the FA's own IP address,
# then this FA is really the highest FA and the requests are forwarded
# directly to the Home Agent.
UpperFAIPAddress 40.1.1.4

# HighestFA < TRUE | FALSE >
# Whether this FA is the highest FA (i.e. it does not have any upper FAs and
# it communicates directly with the Home Agents).
HighestFA TRUE

# UDP Port that this FA listens to for signaling messages
UDPPort 434
# The port to be used in signaling with the upper FA
UpperFAUDPPort 434
# The port to be used in signaling with the HA
HAUDPPort 434

# RFC 2344 style tunnel hijacking protection requires that the MN uses TTL
# value 255 on all registration request messages and the FAs check this.
# Since RFC 2002 compliant MN implementations do not necessarily set the TTL
# to 255, this may limit the access of those MNs. This option can be used to
# change the checking of the TTL field in the IP header.
# 0 = no TTL checking (i.e. accept any value)
# 1 = check the TTL only in registration requests that ask for reverse
#     tunneling (i.e. the MN should be RFC 2344 compliant and use the TTL 255)
# 2 = check the TTL on every registration requests (this might deny the access
#     of some MN implementations)
RegistrationTTLCheck 1

# Socket priority for signaling sockets (UDP) can be set with SO_PRIORITY to
# allow easier QoS configuration. If this argument is set, the given value is
# used as a priority for the signaling socket. E.g. CBQ class can be used to
# make sure that signaling is not disturbed by other traffic on a congested
# link.
# This feature is still undocumented and can be left commented.
#
# SocketPriority 1

# Tunnel interface name (FA will use names like TUNL0, TUNL1, ...)
TunnelDevice "TUNL"

# The start of the range of routing tables that this FA can use.
# Linux kernel 2.2.X has 256 routing tables (0 .. 255), but 0, 253, 254, and
# 255 are reserved.
RoutingTableStart 1
# The end of the range of routing tables that this FA can use. Defaults to 252.
RoutingTableEnd 252
# Available routing table range defaults to 1-252.

###############################################################################
# FA must keep track of the authorized network addresses.
# This list can be used to limit the allowed IP addresses from which the
# registration requests can be sent (lower FAs or MNs).
#
# To allow classless subnetting, also the netmask is included in the list.
# AUTHORIZEDNETWORKS is a list that has a pair
# [ networkaddress ]/[ netmask ]
# on each row separated by the line breaks.
# Here is an example: 
#
#AUTHORIZEDNETWORKS_BEGIN
# [ networkaddress ]/[ netmask ]
#192.168.240.0/255.255.255.0
#192.168.240.0/24
#AUTHORIZEDNETWORKS_END
#
# This does not limit the connections by IP address
AUTHORIZEDNETWORKS_BEGIN
# [ networkaddress ]/[ netmask ]
0.0.0.0/0.0.0.0
AUTHORIZEDNETWORKS_END
#
# Whether or not this FA allows MNs to be connected directly (i.e. whether it
# can be the lowest FA)
AllowMobileNodes TRUE
#
###############################################################################
# A Foreign Agent may have optional security associations with other nodes
# (FA, HA, MN).
#
# If the security association exists the session key can be
# encrypted with the help of shared secret and thus man-in-the-middle
# style attacks can be prevented. If no security association is set
# for a certain Foreign Agent - Foreign Agent pair, public key encryption
# (RSA) is used.
#
# The following list contains the shared secrets indexed by SPI (and
# IP address of the other node).
#
# The node field specifies the type of the node. It is used to select the
# appropriate authentication extension type.
#    1 = FA
#    2 = HA
#    3 = MN
# The algorithm field specifies the method used for authentication and
# key distribution:
#    1: MD5/prefix+suffix (a.k.a. keyed-MD5) [RFC 2002]
#    4: HMAC-MD5 [RFC 2104]
#    5: SHA-1 [FIPS 180-1]
#    6: HMAC-SHA1 [RFC 2104]
# Note! MD5/prefix+suffix has known weaknesses and use of HMAC-MD5 is
# recommended. The MD5/prefix+suffix algorithm is kept for backwards
# compatibility with older versions that do not support the more secure HMAC-MD5.
#
# Shared secret can be given as a HEX code string, i.e. two characters (0-F)
# correspond to one octet. The shared secret can also be given as a character
# string (e.g. "ABCDE" corresponds to 4142434445).
# Note: RFC 2002 specifies that the default key size is 128 bits (i.e.
# 16 bytes or 32 hex 'characters'). Dynamics supports also other key lengths.
#
FA_SECURITY_BEGIN
# SPI		Node IP		Node	Alg.	Shared Secret
#2001		192.168.0.1	1	4	0123456789ABCDEF
#2002		192.168.0.2	2	4	"eslkfj89jr3hduh3R!as"
FA_SECURITY_END
#
# RSA key file
FAKeyFile "/etc/dynfad.key"


# Mobile IPv4 Challenge/Response (RFC 3012)

# Dynamics supports Mobile IPv4 Challenge/Response protocol as an optional
# addition to the Mobile IP registration. This is not used in a default setup
# because the extensions used for challenges will prevent MNs that do not
# support this addition from using the FA at all.
EnableChallengeResponse FALSE

# Number of last advertised challenges that will be accepted (default value
# given in RFC 3012: 2).
ChallengeWindow 2

# Length of the challenge to be used (in bytes; 0 .. 255)
ChallengeLength 4

# Whether the FA requires the challenge to be present in every registration
# request (if not present, request will be denied with MISSING_CHALLENGE
# error). If 'EnableChallengeResponse' is TRUE, the challenge is required from
# MNs which do not have a security association with the FA. With
# 'RequireChallenge' TRUE, the challenge is required also from the MNs that
# have the security association.
RequireChallenge FALSE

# Whether the FA adds new challenge to all the registration replies.
ChallengeInRegReply TRUE


# AAA Keys for Mobile IP (draft-ietf-mobile-aaa-key-07.txt)

# The FA can be configured to deny registration replies that do not have
# an Unsolicited MN-FA Key Material From AAA extension for an MN that does
# not have a security association with the FA.
RequireMNFASecAssoc FALSE

###############################################################################

# The maximum number of tunnels (confirmed bindings) going through this FA
# The default value for MaxBindings is 20.
# If more than MaxBindings Mobile Nodes try to register, the new registrations
# are refused.
MaxBindings 100

# The maximum number of pending registration requests (unconfirmed bindings)
# the FA is willing to maintain (typically 5 according to rfc2002-bis draft).
# Additional registrations will be rejected until at least one of the pending
# registrations has been completed or has timed out.
# Zero means no limit on pending registration requests.
MaxPending 5

# The number of seconds after which pending registration requests MAY be
# deleted. Zero means do not force pending registration request deletion
# before their requested lifetime has expired.
DeletePendingAfter 7

# EnableFADecapsulation < TRUE | FALSE >
EnableFADecapsulation TRUE

# Triangle tunnel means that the packets to MNs are sent via the HA, but
# packets from the MN are routed directly (i.e. the FA uses normal IP routing).
# EnableTriangleTunneling < TRUE | FALSE >
EnableTriangleTunneling TRUE

# Reverse tunnel means bi-directional tunneling in which both the packets
# from and to the MN are sent via the HA
# EnableReverseTunneling < TRUE | FALSE >
EnableReverseTunneling TRUE

# Force FA to use reverse tunneling even if triangle tunneling is requested.
ForceReverseTunneling FALSE

# FA may require registration even from those MNs which have acquired a
# co-located care-of address. This option selects whether the agent
# advertisements messages have 'Registration required' flag or not
RegistrationRequired TRUE

# DefaultTunnelLifetime is the maximum lifetime advertised for this FA.
# This should not be greater than any of the maximum lifetimes configured
# for upper FAs (i.e. best to use the same maximum for whole FA organization).
# The lifetime is defined in seconds, default value is 400.
# The request timer will be limited with this value.
# Special case: 65535 (or more) seconds mean unlimited time (the binding will
# not expire)
FADefaultTunnelLifetime 600

# FA uses a packet socket for raw L2 header access. When sending registration
# messages, this is only used between the lowest FA and the MN. Current code
# does not implement fragmentation and packets larger than the used MTU are
# thus probably dropped. FA can be configured to not use packet socket when
# sending frames, but this may require broadcast ARP for MN's home address
# in the foreign network. This is against RFC 2002, so it should be used only
# if the packet socket does not work.
# Possible values for PacketSocketMode:
#    0 = use packet socket when sending registration replies to MN (default)
#    1 = do not use packet socket at all for sending registration messages
PacketSocketMode 0

# The log messages are written through syslog service. The facility to be
# used defaults to LOG_LOCAL0, but it can be set with this parameter
# to any of the possible facilities (LOG_AUTHPRIV, LOG_DAEMON, and so on).
# The processing of log messages is defined in /etc/syslog.conf file.
SyslogFacility LOG_DAEMON

# Foreign Agents use unix domain sockets to communicate through their API
# interfaces.
# The group and owner must be given as names (strings); numeric groupIDs or userIDs are not
# allowed. The file permissions are set in octal values like in chmod(1).
# The configuration parameters of the two API sockets are as follows:
FAAPIReadSocketPath "/var/run/dynamics_fa_read"
FAAPIReadSocketGroup "root"
FAAPIReadSocketOwner "root"
FAAPIReadSocketPermissions 0766
#
FAAPIAdminSocketPath "/var/run/dynamics_fa_admin"
FAAPIAdminSocketGroup "root"
FAAPIAdminSocketOwner "root"
FAAPIAdminSocketPermissions 0700
#
# Every configuration file must end with the keyword 'END'.
END
# $Id: dynmnd.conf,v 1.56 2001/10/20 13:36:07 jm Exp $
# Mobile Node configuration file
#
# Dynamic hierarchical IP tunnel
# Copyright (C) 1998-2001, Dynamics group
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation. See README and COPYING for
# more details.
#
#######################################################################
#
# NOTE! 
#	This is an example configuration file designed to give
#	perspective to the system configuration AND to provide
#	a basis for a working simple test environment.
#	The values of some of the parameters may not be the
#	same as the daemon's defaults, so don't get confused.
#
#	To get a minimal test working, you will need to check the
#	following items:
#	  * MNHomeIPAddress
#	  * HAIPAddress
#	  * EnableFADecapsulation
#	  * HomeNetPrefix (if using FA decapsulation or
#	    dynamics HA address resolution)
#	  * SPI and SharedSecret
#	The rest of the items should work with their preset values in
#	most cases and they can be used to fine tune the operations
#	after the basic operation has been tested successfully.
#
#######################################################################
#
# The Mobile Node's IP address in the Home Network.
# If using AAA (see UseAAA below), home address can be set to 0.0.0.0 in order
# to request a home address from the AAA infrastructure. This requires that
# also MN NAI is configured.
MNHomeIPAddress 20.1.1.4

# The Mobile Node's Network Access Identifier (NAI) [RFC2794]
# If configured, this NAI is used in registration requests to identify the
# mobile user for AAA services.
#
# MNNetworkAccessIdentifier "user at example.com"

# UseAAA < TRUE | FALSE >. TRUE enables AAA extensions (key requests using
# material from AAA, HA and home address discovery using AAA, etc.). This
# requires that MN NAI and AAA related items below are configured.
# FALSE disables these extensions.
UseAAA FALSE

# The IP address of Mobile Node's Home Agent. In case of a private HA address
# this is the address of the surrogate HA. If the HA address is unknown, set
# this to 0.0.0.0 and make sure that HomeNetPrefix is correct for dynamic
# HA address resolution or use AAA to discover HA address. If the HA has
# multiple interfaces, this should be the address of the "public" interface,
# i.e., the one toward default gateway (it has to be reachable from the foreign
# networks).
HAIPAddress 20.1.1.3

# If the HA has more than one interface, HAIPAddress should be configured to
# be the one reachable from the Internet (i.e., from the foreign networks the
# MN may visit). To allow the MN to detect the other HA interfaces, their IP
# addresses may be configured here. MN will use this list in addition to
# HAIPAddress when determining whether an agent advertisement is from its own
# HA (i.e., when MN is at home). Multiple lines containing different addresses
# may be used to configure more than one alternative HA address.
# AlternativeHAIPAddress 10.1.2.3
# AlternativeHAIPAddress 10.2.3.4

# AllowHomeAddrFromForeignNet < TRUE | FALSE >. TRUE allows AAA to assign
# a home agent and home address from the foreign network (assuming they are
# set to 0.0.0.0 above). FALSE means that both the home agent and the home
# address must be from the home domain.
AllowHomeAddrFromForeignNet FALSE

# The following configuration options PrivateHAIPAddress, PrivateHAIdentifier,
# and HANetworkAccessIdentifier are only used with home networks that use
# private IP addresses and a surrogate HA. In other cases they should be left
# commented.

# The private IP address of Mobile Node's Home Agent.
# Needed only, if surrogate HA is used.
# PrivateHAIPAddress 192.168.200.200

# The identifier for the private HA in SHA (unique 32-bit number)
# PrivateHAIdentifier 1

# Home Agent Network Access Identifier (NAI)
# If configured, this NAI is used to match the HA agent advertisements when
# a MN is determining whether it is at home or not. This is mainly used with
# private HA address that may not be globally unique.
#
# HANetworkAccessIdentifier "ha at example.com"

# EnableFADecapsulation < TRUE | FALSE >. TRUE enables a mode where
# the FA decapsulates the IP-within-IP encapsulated IP packets.
# FALSE disables this mode and sets the default mode where the 
# MN decapsulates the IP-within-IP encapsulated IP packets.
# With FA decapsulation the MN uses its home address in the interface even in
# the foreign network and with MN decapsulation MN needs to acquire a
# co-located care-of address from the visited network (this needs an external
# program; see man pages for more information).
# The two modes cannot be used simultaneously.
EnableFADecapsulation TRUE

# Network address of home network (CIDR format: a.b.c.d/prefix_length)
# This is used with FA decapsulation and dynamics HA address resolution. If
# commented, the routing entry is not removed nor added. The home net entry
# may optionally be used with MN decapsulation - see MNDecapsRouteHandling
# option below.
#
# Example: 192.168.242.0/24
HomeNetPrefix 20.1.1.0/24

# Home net default gateway
# This entry can be used to force a gateway that the MN uses when it is
# at home. If this is left commented, the MN tries to use the default route
# that was in use when the program was started.
#
# HomeNetGateway 192.168.242.254

#############################################################################
# An SPI (Security Parameter Index) must be defined for every MN.
# It is used for indexing the security association at the Home Agent.
SPI 1000
#
# The SharedSecret is provided as a HEX number string. The shared secret can
# also be given as a character string 
# (e.g. character string "ABCDE" corresponds to HEX number string 4142434445).
# Note: RFC 2002 specifies that the default key size is 128 bits (i.e.
# 16 bytes or 32 hex 'characters'). Dynamics supports also other key lengths.
# This shared secret is used with the HA. This must be commented out when using
# AAA infrastructure for key generation. In this case, the AAA related items
# below must be configured.
# SharedSecret < shared secret >
# SharedSecret 016A352B2F235E
SharedSecret "test"
#
# Authentication algorithm
#    1: MD5/prefix+suffix (a.k.a. keyed-MD5) [RFC 2002]
#    4: HMAC-MD5 [RFC 2104]
#    5: SHA-1 [FIPS 180-1]
#    6: HMAC-SHA1 [RFC 2104]
# Note! MD5/prefix+suffix has known weaknesses and use of HMAC-MD5 is
# recommended. The MD5/prefix+suffix algorithm is kept for backwards
# compatibility with older versions that do not support the more secure HMAC-MD5.
AuthenticationAlgorithm 4
#
# Replay prevention method:
#   0: none
#   1: time stamps
#   2: nonces
ReplayMethod 1
#
# Mobile Node may have optional security associations with Foreign
# Agents. If the security association exists an additional Mobile Node -
# Foreign Agent Authentication Extension is added to the registration requests.
#
# The following list contains the shared secrets indexed by SPI (and
# Foreign Agent IP address). The algorithm field specifies the method
# used for key distribution (see the list above). The format of the shared
# secret field is identical to the one used with the MN-HA security
# association list above.
#
FA_SECURITY_BEGIN
# SPI		FA IP		Alg.	Shared Secret
#2001		192.168.0.1	4	0123456789ABCDEF
#2002		192.168.0.2	4	"eslkfj89jr3hduh3R!as"
FA_SECURITY_END


# MN-AAA Authentication and Challenge/Response [RFC3012]

# If the MN does not have a security association with an FA, it may use AAA
# infrastructure for authentication. If this is used, also MN NAI
# ('MNNetworkAccessIdentifier' above) should be configured.

# SPI to be used in MN-AAA authentication.
# Reserved SPI values:
#   2 = CHAP_SPI, CHAP style authentication using MD5 [RFC 3012]
#   3 = MD5/prefix+suffix [draft-ietf-mobileip-aaa-key-03.txt]
#   4 = HMAC MD5 [draft-ietf-mobileip-aaa-key-03.txt]
# MN-AAA-SPI 12345

# Shared secret for MN-AAA authentication (see 'SharedSecret' above for format
# instructions)
# MN-AAA-SharedSecret "test"

# Algorithms to be used for MN-AAA authentication and key generation
#   1 = MD5/prefix+suffix (RFC 2002)
#   2 = RADIUS authentication (Sec. 8 of RFC 3012)
#   3 = MD5/prefix+suffix (RFC 2002)  (alias for 1 above)
#   4 = HMAC-MD5 (Sec. 6 of RFC 3012; RFC 2104)
#   5 = SHA-1 (FIPS 180-1)
#   6 = HMAC-SHA1 (RFC 2104)
# Note: with algorithm 2, 'MN-AAA-SPI' should be set to reserved number
# CHAP_SPI (default: 2).
# MN-AAA-AuthenticationAlgorithm 4
# MN-AAA-KeyGenerationAlgorithm 4


#############################################################################
# TunnelingMode < 1 | 2 | 3 | 4 >
# The packets between the MN and a Correspondent Node (CN) can be routed using
# different routes. This option selects which mode is used.
# Possible values:
# 1 = automatic, prefer reverse tunnel (i.e. bi-directional tunnel)
# 2 = automatic, prefer triangle tunnel (i.e. tunnel only in CN->MN direction)
# 3 = accept only reverse tunnel
# 4 = accept only triangle tunnel
TunnelingMode 1

# When MN can get its own co-located care-of address and use reverse tunneling,
# the normal method is to set the default route to the tunnel. This means that
# all the packets destined to other networks than the current subnet in the
# visited network are sent via the HA. If the co-located COA is public, it can
# be used for sessions that do not need constant IP address (e.g. most of the
# web browsing). The following configuration option specifies the routing
# operation that is used with the co-located COA.
# Possible values:
#   0 = set default route to the tunnel
#   1 = set only the home net route to the tunnel (the above HomeNetPrefix
#       options must be set)
#   2 = do not change the routing entries (i.e. some external means must be
#       used to direct traffic to the tunnel, e.g. manually adding host route
#       to a specific host)
MNDecapsRouteHandling 0

# DefaultTunnelLifetime is the lifetime suggested in registration
# The lifetime is defined in seconds, default value is 300.
# The request timer will be set according to this value. If the FA's agent
# advertisement has a smaller time, it is used instead.
# Special case: 65535 (or more) seconds means unlimited time (the binding will
# not expire)
# MNDefaultTunnelLifetime [ seconds ]
MNDefaultTunnelLifetime 300

# UDP port to be used for sending registration requests
# Port 434 is allocated for Mobile IP signaling and this should not be changed
# unless the network is known to use some other port (i.e. all the FAs and HAs
# must have the same port configured).
UDPPort 434

# Socket priority for signaling sockets (UDP) can be set with SO_PRIORITY to
# allow easier QoS configuration. If this argument is set, the given value is
# used as a priority for the signaling socket. E.g. CBQ class can be used to
# make sure that signaling is not disturbed by other traffic on a congested
# link.
# This feature is still undocumented and can be left commented.
#
# SocketPriority 1

# The log messages are written through syslog service. The facility to be
# used defaults to LOG_LOCAL0, but it can be set with this parameter
# to any of the possible facilities (LOG_AUTHPRIV, LOG_DAEMON, and so on).
# The processing of log messages is defined in /etc/syslog.conf file.
SyslogFacility LOG_DAEMON

# Ignore these interfaces. No agent advertisements are received nor
# agent solicitations sent for these interfaces.
IGNORE_INTERFACES_BEGIN
lo
dummy0
tunl0 
gre0
IGNORE_INTERFACES_END

# Other programs may set routing entries so that the data connection may
# fail. The MN can try to enforce the routes that it believes should be used.
# This operation should currently be used only with FA decapsulation. If the
# route enforcement is activated the MN daemon prevents certain route changes.
EnforceRoutes FALSE

# MN can be instructed to poll for current AP address when using a wireless
# LAN driver that supports wireless extensions. This can be used to speed up
# handoffs when using managed mode (BSS).
# Polling interval is configured in microseconds
# (i.e., 1000000 equals 1 second)
# -1 = AP polling disabled
APPollingInterval -1

# MN can be instructed to send periodic agent solicitations to find new FAs.
# Normally, MN uses agent solicitations when it does not have a valid agent
# advertisement. Periodic solicitation occurs even if the connection seems to
# be up. This will cause more broadcast messages and is thus disabled in the
# default configuration, but it can speed up handoffs in some environments.
# Solicitation interval is configured in microseconds (usec)
# (i.e., 1000000 usec equals 1 second). A random time between 0 and 0.5
# second will be added to solicitation intervals to prevent unwanted
# synchronization of broadcast messages. In addition, solicitations will not be
# sent more often than once per second, so this interval should not be
# configured to be less than 1000000 usec.
# -1 = Periodic agent solicitation disabled
SolicitationInterval -1

#############################################################################
# Mobile Nodes use unix domain sockets to communicate through their API
# interfaces.
# The group and owner must be names as strings, no groupIDs or userIDs are
# allowed. The file permissions are set in octal values like in chmod(1).
# The configuration parameters of the two API sockets are as follows:
MNAPIReadSocketPath "/var/run/dynamics_mn_read"
MNAPIReadSocketGroup "root"
MNAPIReadSocketOwner "root"
MNAPIReadSocketPermissions 0666
#
MNAPIAdminSocketPath "/var/run/dynamics_mn_admin"
MNAPIAdminSocketGroup "root"
MNAPIAdminSocketOwner "root"
MNAPIAdminSocketPermissions 0700
#
# Every configuration file must end with the keyword 'END'.
END
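The API socket section above is the part of this file a reviewer should look at twice: the admin socket is mode 0700, while the read socket is 0666, so any local user can open it. As an added example, not part of Dynamics and not from the mail's author, here is a small Python parser for the `Key value` lines of this configuration plus an audit of the two socket definitions. The rules it applies (admin socket owner-only, read socket not world-writable, owner and group given as names) are this example's own choices; the sample configuration text is constructed from the values shown in this file.

```python
def parse_mn_config(text):
    """Parse 'Key value' lines of a Dynamics MN config into a dict.
    Comment lines, the *_BEGIN/*_END list blocks and the final END are skipped;
    quoted values lose their quotes; *Permissions values are parsed as octal."""
    conf = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("_BEGIN"):
            in_block = True
        elif line.endswith("_END"):
            in_block = False
        elif not in_block and line != "END":
            parts = line.split(None, 1)
            key = parts[0]
            value = parts[1].strip() if len(parts) > 1 else ""
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            elif key.endswith("Permissions"):
                value = int(value, 8)
            conf[key] = value
    return conf


def audit_api_sockets(conf):
    """(parameter, finding) pairs for the two unix-domain API sockets.
    Rules are this example's, not the daemon's: the admin socket is reachable
    by its owner only, the read socket is not world-writable, and owner/group
    are names rather than numeric ids, as the config file itself requires."""
    findings = []
    for sock, allowed in (("MNAPIAdminSocket", 0o700), ("MNAPIReadSocket", 0o664)):
        mode = conf.get(sock + "Permissions")
        if mode is None:
            findings.append((sock + "Permissions", "not configured"))
        else:
            extra = mode & ~allowed & 0o777
            if extra:
                findings.append((sock + "Permissions",
                                 "mode %04o grants %04o beyond the allowed %04o"
                                 % (mode, extra, allowed)))
        for field in ("Owner", "Group"):
            ident = conf.get(sock + field, "")
            if not ident or ident.isdigit():
                findings.append((sock + field, "must be a user or group name"))
    return findings


# Constructed excerpt using the values shown in this configuration file.
SAMPLE_CONF = """\
SPI 1000
SharedSecret "test"
AuthenticationAlgorithm 4
FA_SECURITY_BEGIN
#2001		192.168.0.1	4	0123456789ABCDEF
FA_SECURITY_END
UDPPort 434
SyslogFacility LOG_DAEMON
IGNORE_INTERFACES_BEGIN
lo
tunl0
IGNORE_INTERFACES_END
MNAPIReadSocketPath "/var/run/dynamics_mn_read"
MNAPIReadSocketGroup "root"
MNAPIReadSocketOwner "root"
MNAPIReadSocketPermissions 0666
MNAPIAdminSocketPath "/var/run/dynamics_mn_admin"
MNAPIAdminSocketGroup "root"
MNAPIAdminSocketOwner "root"
MNAPIAdminSocketPermissions 0700
END
"""

if __name__ == "__main__":
    for param, msg in audit_api_sockets(parse_mn_config(SAMPLE_CONF)):
        print("%s: %s" % (param, msg))
```

Run against the values in this file, the audit reports only the world-writable read socket; the admin socket at 0700 passes. Whether 0666 on the read socket is acceptable depends on what that API exposes on the host, which this file does not say, so treat the finding as a prompt to check, not a verdict.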
--
Mip4 mailing list: Mip4 at ietf.org
    Web interface: https://www.ietf.org/mailman/listinfo/mip4
     Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.