KAME Mobile IPv6 How To

Keiichi SHIMA @ {KAME Project | Internet Initiative Japan}

Abstract

This document gives step-by-step instructions for using the KAME Mobile IPv6 (KAME/MIP6) features. Since KAME/MIP6 is still under development, this information may be outdated by the time you read this document (this document targets kame-20020128-*-snap.tgz). In that case, please refer to the latest documentation included in the KAME kit.

(NOTE: there is a bug in authentication data processing in kame-20020128-*-snap.tgz. If you are using the 20020128 snap and plan to use the authentication data sub-option feature, you should get the latest source from the CVS repository.)

History of the KAME/MIP6

Some of you may know that KAME had MIP6 code contributed by Ericsson. At the same time, we also had two different MIP6 code bases: one from NEC and the other from SFC. We thought we should provide one common MIP6 stack for KAME/MIP6 users. Since each code base had its own advantages, we decided to try to merge them into one KAME/MIP6 code base. Now, some parts, code and ideas of the current KAME/MIP6 are from Ericsson, some from NEC and some from SFC. We are developing the MIP6 code to support the latest MIP6 specification and trying to provide a stable, full-featured MIP6 for KAME users.

Supported Platforms

Currently, FreeBSD and NetBSD have been checked to work as a home agent, a mobile node and a correspondent node. Other BSDs (OpenBSD and BSD/OS) have not been tested yet.

Preparation

KAME/MIP6 is under development, so you should use the latest KAME snap kit; the latest is always the best to use. Get the latest snap kit from the KAME Project web site.

Compile with MIP6 extension

MIP6 is not enabled by default. You should prepare a new kernel configuration file and rebuild your kernel so that it can speak the MIP6 protocol. Also, some user-space commands need recompilation. Follow the instructions below.

recompile your kernel

To enable MIP6 features, specify the following kernel options in your kernel configuration file and recompile the kernel.

options MIP6
options MIP6_DEBUG
options MIP6_ALLOW_COA_FALLBACK
# options MIP6_DRAFT13
pseudo-device hif 1
    

If you specify MIP6_DEBUG, the kernel will print many debugging messages. Though they may be annoying, they are very useful when you encounter problems. These debug messages can be enabled or disabled at run time using the mip6control program.

MIP6_ALLOW_COA_FALLBACK enables the CoA fallback feature. The MIP6 specification states that all IPv6 nodes must support the home address destination option, but not many implementations support the option. If the peer doesn't recognize the home address destination option, the mobile node can't communicate with that node. If you specify MIP6_ALLOW_COA_FALLBACK, the kernel will try to use its home address as the source address WITHOUT the home address destination option. If this approach fails, the kernel will use the CoA as its source address the next time it connects to the same peer. Yes, I know that the former violates the MIP6 specification and the latter prevents the mobile node from moving from one network to another; still, it is very useful in a transition period in which not all implementations support the home address destination option.

If you want to use MIP6 that is compliant with draft-ietf-mobileip-ipv6-13, MIP6_DRAFT13 enables this. Note that we usually focus on the latest draft; backward compatibility is not promised to be available forever. The rest of this document is for users who are using draft-ietf-mobileip-ipv6-15, not 13.

Build user space commands

There are three user-space commands related to MIP6: rtadvd, mip6control and had. If you want to run a home agent, you must rebuild rtadvd with the MIP6 option and build had. mip6control is the control command for KAME/MIP6 functions; all users need to build mip6control to use KAME/MIP6.

recompile rtadvd

Go to the rtadvd directory (${KAME}/freebsd4/sbin/rtadvd/ for FreeBSD) and add the following line to the Makefile:

CFLAGS+=-DMIP6
    
Recompile rtadvd and install it.
$ make clean
$ make
$ su (become the super user)
# make install
    

build had

Currently, had is not automatically built/installed. Go to ${KAME}/kame/kame/had/ and make it.

$ make
$ su (become the super user)
# make install
    

build mip6control

If you are using an operating system other than FreeBSD, go to ${KAME}/kame/kame/mip6control/ and just make.

$ make
$ su (become the super user)
# make install
    

The latest KAME/FreeBSD4 will automatically compile mip6control and install it to the proper directory.

Set up a home agent

To become a home agent, complete the following settings.

Assign home agent subnet anycast address

Assigning a home agent subnet anycast address makes it possible to do DHAAD (Dynamic Home Agent Address Discovery). The anycast address is calculated as follows.

If you have a 64-bit prefix, the home agent subnet anycast address is your prefix concatenated with 0xfdfffffffffffffe. If your prefix is not 64 bits long, fill the host part by carving the proper bits from the value 0xfffffffffffffffffffffffffffffffe. For example, if your prefix is 2001:200:1:2::/64, the home agent subnet anycast address is 2001:200:1:2:fdff:ffff:ffff:fffe.

# ifconfig fxp0 inet6 2001:200:1:2:fdff:ffff:ffff:fffe anycast alias
    

This address must be configured before had is invoked.
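
The calculation above, as an added Python example (not part of the KAME kit or of the original how-to): it builds the home agent subnet anycast address for a /64 and for other prefix lengths, following the two rules stated above. The function names and the 2001:db8:: sample prefixes are assumptions made for illustration.

```python
import ipaddress

# Values from the how-to. The trailing ...fe carries the 7-bit anycast ID 0x7e,
# which RFC 2526 reserves for Mobile IPv6 home agents.
IID_FOR_64 = 0xFDFFFFFFFFFFFFFE
ALL_ONES_FE = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE


def home_agent_anycast(prefix):
    """Return the home agent subnet anycast address for an IPv6 prefix."""
    # strict=True rejects input with host bits set (e.g. 2001:200:1:2::1/64),
    # which usually means a typo in the prefix or its length.
    net = ipaddress.IPv6Network(prefix, strict=True)
    host_bits = 128 - net.prefixlen
    if host_bits < 7:
        raise ValueError("host part too short for the 7-bit anycast ID")
    if net.prefixlen == 64:
        host_part = IID_FOR_64
    else:
        # Carve the low-order host_bits bits out of ff...fe.
        host_part = ALL_ONES_FE & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(net.network_address) | host_part)


def ifconfig_line(interface, prefix):
    """Format the ifconfig command in the how-to's form for a given interface."""
    return f"ifconfig {interface} inet6 {home_agent_anycast(prefix)} anycast alias"


if __name__ == "__main__":
    # The first prefix is the how-to's own example; the others are constructed.
    for p in ("2001:200:1:2::/64", "2001:db8:1::/48", "2001:db8::100/120"):
        print(ifconfig_line("fxp0", p))
```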

Prepare rtadvd.conf for a home agent

Here is an example rtadvd.conf.

fxp0:\
        :maxinterval#60:mininterval#40:
    

When rtadvd is invoked with the -m switch, it automatically generates the proper router advertisements for mobile use. Basically, you do not need to prepare rtadvd.conf. The above example is for users who want to change the advertising interval from the default value.

Invoke rtadvd

Invoke rtadvd with the -m option, which enables the MIP6 feature of rtadvd. For example, if you have an fxp0 interface,

# /usr/local/v6/sbin/rtadvd -m fxp0
    

Invoke had

Invoke had with the name of the interface on which you want to enable DHAAD. Without had, the DHAAD feature will not work.

# /usr/local/v6/sbin/had fxp0
    

Starting MIP6

Starting a home agent

To start a home agent, invoke the following command. Of course, you must have finished setting up the anycast address and the daemons described above.

# mip6control -g
    

That's all.

Starting a mobile node

To make a node a mobile node, you must specify your home network prefix. To do this, invoke the following command.

# mip6control -H2001:200:1:1:: -P64 
    

Replace '2001:200:1:1::' with your home prefix. After the prefix has been set, enable the mobile function using the -m option.

# mip6control -m
    

To detect movement, a mobile node needs to receive Router Advertisement packets. The easy way is to invoke the rtsol command. You may want to run rtsold with the -a -m options to make the node detect its location quickly.

Setting up the security features

KAME/MIP6 can protect the binding update and binding ack using a security mechanism. By default, KAME/MIP6 uses the authentication sub-option defined in draft-ietf-mobileip-ipv6-15 to protect them. To protect them, you must set up security associations between the nodes. Currently KAME/MIP6 re-uses the security association database of the KAME IPsec stack, so you need to use the setkey program to set up the security associations.

For example, if you want to protect the binding update/ack between the mobile node whose address is A and the home agent whose address is B, set up the security associations described below:

add A B ah 1500 -m transport -A hmac-sha1 "AH SA configuration!";
add B A ah 1600 -m transport -A hmac-sha1 "AH SA configuration!";
    

Also, you must set up the security policy as follows:

spdadd ::/0[any] ::/0[any] ipv6-opts -P out ipsec ah/transport//require;
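
An added example (not from the original how-to or the KAME kit) that generates the setkey input shown above with a separate random 160-bit key per direction instead of a shared text string; setkey accepts a key written as hexadecimal digits preceded by 0x. The function names and the 2001:db8:: addresses standing in for A and B are constructed for illustration.

```python
import ipaddress
import secrets

HMAC_SHA1_KEY_BYTES = 20  # 160 bits; the how-to's sample string is also 20 bytes
# Security policy line exactly as given in the how-to.
POLICY = "spdadd ::/0[any] ::/0[any] ipv6-opts -P out ipsec ah/transport//require;"


def sa_line(src, dst, spi):
    """One 'add' line in the how-to's form, keyed with fresh random bytes."""
    for addr in (src, dst):
        ipaddress.IPv6Address(addr)  # raises ValueError on a malformed address
    if not 256 <= spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI {spi} not in 256..2^32-1 (0-255 are reserved)")
    key = secrets.token_bytes(HMAC_SHA1_KEY_BYTES)
    return f"add {src} {dst} ah {spi} -m transport -A hmac-sha1 0x{key.hex()};"


def setkey_config(mobile_node, home_agent, spi_mn_to_ha=1500, spi_ha_to_mn=1600):
    """Both directions plus the policy, ready to feed to setkey."""
    return "\n".join([
        sa_line(mobile_node, home_agent, spi_mn_to_ha),
        sa_line(home_agent, mobile_node, spi_ha_to_mn),
        POLICY,
    ]) + "\n"


if __name__ == "__main__":
    # Constructed documentation addresses standing in for A and B.
    print(setkey_config("2001:db8:1::10", "2001:db8:2::1"), end="")
```

Load the same generated output with setkey on both nodes, and keep the file readable by root only, since it contains the keys.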
    

If you don't want to protect them, you can disable this feature using the mip6control program. To disable the authentication data protection, type the following:

# mip6control -T 0
    

To Do

There are many things to do. The following are some of them. The detailed items are described in TODO.mobile-ip6 at the top of the KAME directory.


Keiichi SHIMA
Last modified: Thu Jan 31 18:55:08 JST 2002