KAME Mobile IPv6 How To

Written by Keiichi SHIMA @ { KAME Project | Internet Initiative Japan }

Attention

This document is obsolete. Please look for a newer version of the How To document.

Abstract

This document describes, step by step, how to use the KAME Mobile IPv6 (KAME/MIP6) features. Since KAME/MIP6 is still under development, this information may be outdated by the time you read this document. In that case, please refer to the latest documentation included in the KAME kit.

Supported Platforms

Currently, FreeBSD and NetBSD are proven to work as a home agent, a mobile node, and a correspondent node. Other BSDs (OpenBSD and BSD/OS) have not been tested yet.

Get the source code

KAME/MIP6 is under development. You should always use the latest KAME snap kit. Get the latest kit from the KAME Project website.

Rebuilding with the MIP6 extension

MIP6 features are not enabled by default. You must prepare a new kernel configuration file and rebuild your kernel so that it can speak the MIP6 protocol. Some user-space programs also need to be rebuilt. Follow the instructions below.

Rebuild your kernel

To enable MIP6 features, set the following kernel options in your kernel configuration file and rebuild the kernel.

options MIP6
options MIP6_DEBUG
pseudo-device hif 1
        

If you specify MIP6_DEBUG, the kernel will print many debugging messages. Though it may be too noisy in some cases, it is very useful when you encounter problems.

Build user-space programs

There are 4 user-space programs related to MIP6.

rtadvd
The router advertisement daemon.
had
The dynamic home agent discovery protocol daemon.
mip6control
A control program of the KAME/MIP6 functions.
mip6stat
A program which displays statistics of packets related to MIP6.

Rebuild rtadvd

Go to the rtadvd directory (${KAME}/freebsd4/sbin/rtadvd/ for FreeBSD) and add the following line to its Makefile:

CFLAGS+=-DMIP6
          

Recompile rtadvd and install it.

$ make clean
$ make
$ su (become the super user)
# make install
          

-DMIP6 enables the -m switch which supports MIP6 related features of rtadvd.

Build had, mip6control, mip6stat

had, mip6control and mip6stat are built automatically when the other user-space programs are built. They are installed in /usr/local/v6/sbin/.

Create IPsec configuration files

The KAME/MIP6 uses KAME IPsec to protect binding update messages and tunneled home test init/home test messages. You need to set up the security associations and policies properly.

Since the parameters are too complex to write down by hand, there are some utilities to help with this work. You can find mip6makeconfig.sh and mip6seccontrol.sh in the kame/kame/kame/mip6control/ directory.

First of all, you must create a configuration directory that holds the MIP6-related IPsec setup files.

(become the super user)
# mkdir /usr/local/v6/etc/mobileip6
      

Next, create directories for each mobile node. For example,

# mkdir /usr/local/v6/etc/mobileip6/mobile_node_0
      

The name of the directory is arbitrary.

Next, create a file named config in the directory. The contents of the file look like the following.

mobile_node=2001:200:0:0:201:11ff:fe54:4fde
home_agent=2001:200:0:0:201:11ff:fe54:5ffc
transport_spi_mn_to_ha=2000
transport_spi_ha_to_mn=2001
transport_protocol=esp
transport_algorithm=blowfish-cbc
transport_secret="THIS_IS_MY_SECRET!!!"
tunnel_spi_mn_to_ha=2002
tunnel_spi_ha_to_mn=2003
tunnel_uid_mn_to_ha=2002
tunnel_uid_ha_to_mn=2003
tunnel_algorithm=blowfish-cbc
tunnel_secret="THIS_IS_MY_SECRET!!!"
      

mobile_node is an address of a mobile node. home_agent is an address of a home agent.

transport_spi_mn_to_ha is the SPI value of the SA that protects home registration packets from the mobile node to the home agent. transport_spi_ha_to_mn is the reverse. transport_protocol is the name of the protocol used to protect home registration packets. You can specify either ah or esp. transport_algorithm is the name of the algorithm used to protect home registration. transport_secret is the key for the algorithm specified by the transport_algorithm parameter.

The lines that start with tunnel_ are the parameters for RR (Return Routability) signaling packets. The protocol is fixed to ESP. You cannot change this. As in the settings above, specify the SPIs, the algorithm and the secret used to protect signaling packets. In addition, you must specify tunnel_uid_mn_to_ha and tunnel_uid_ha_to_mn. They are used as unique identifiers to specify SAs for RR signaling.
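An added example, not part of the KAME kit: a Python check for the per-node config file described above, which holds the SA keys in clear text. It assumes decimal SPI values as in the sample and relies on setkey(8) documenting SPI values 0 to 255 as reserved; the function names are this example's own.

```python
import ipaddress
import os
import stat

REQUIRED = """mobile_node home_agent transport_spi_mn_to_ha transport_spi_ha_to_mn
transport_protocol transport_algorithm transport_secret tunnel_spi_mn_to_ha
tunnel_spi_ha_to_mn tunnel_uid_mn_to_ha tunnel_uid_ha_to_mn tunnel_algorithm
tunnel_secret""".split()
SAMPLE_SECRET = "THIS_IS_MY_SECRET!!!"  # placeholder key printed in this How To

def parse_config(text):
    """Parse key=value lines (the file is shell-style); strip optional quotes."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def check_config(text):
    """Return a list of findings for one config file's text (empty = clean)."""
    cfg = parse_config(text)
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        return ["missing parameter: " + k for k in missing]
    findings = []
    for k in ("mobile_node", "home_agent"):
        try:
            ipaddress.IPv6Address(cfg[k])
        except ValueError:
            findings.append(k + " is not an IPv6 address")
    for k in (k for k in REQUIRED if "_spi_" in k):
        # setkey(8) documents SPI values 0-255 as reserved; decimal assumed here
        if not cfg[k].isdigit() or int(cfg[k]) <= 255:
            findings.append(k + " must be a decimal number above 255")
    if cfg["transport_protocol"] not in ("ah", "esp"):
        findings.append("transport_protocol must be ah or esp")
    for k in ("transport_secret", "tunnel_secret"):
        if cfg[k] == SAMPLE_SECRET:
            findings.append(k + " is the sample key from the documentation")
    return findings

def check_file(path):
    """check_config() plus a permission check: the file holds SA keys."""
    with open(path) as fh:
        findings = check_config(fh.read())
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("file is accessible to group or other")
    return findings
```

Run check_file() on each /usr/local/v6/etc/mobileip6/*/config before calling mip6makeconfig.sh; an empty list means no finding.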

Next, create parameter setting files by using mip6makeconfig.sh. For example,

# mip6makeconfig.sh mobile_node_0
      

Here mobile_node_0 is the name of the directory you created in /usr/local/v6/etc/mobileip6. After the program runs successfully, you will find 6 files created in the per-node directory. Each file contains parameters for IPsec (actually, parameters for the setkey program).

mip6seccontrol.sh is a utility program to set/unset IPsec parameters.

On your mobile node, invoke the program like this:

# mip6seccontrol.sh -m installall
      

This installs the IPsec parameters for all mobile nodes stored in the /usr/local/v6/etc/mobileip6 directory.

On the home agent, invoke the program like this:

# mip6seccontrol.sh -g installall
      

This installs the IPsec parameters for all mobile nodes stored in the /usr/local/v6/etc/mobileip6 directory.

Set up a home agent

To become a home agent, follow the instructions below.

Prepare rtadvd.conf for your home

fxp0:\
        :maxinterval#60:mininterval#40:
        

fxp0 is the name of the interface which is your home network. If you want quick movement detection by receiving router advertisement messages, you may require a shorter interval than usual.

Create an rtadvd.conf file and place it in the proper directory. Usually, the directory is /usr/local/v6/etc.

Assign a home agent subnet anycast address

Assigning a home agent subnet anycast address makes it possible to do DHAAD (Dynamic Home Agent Address Discovery). The anycast address is calculated as follows.

If you have a 64-bit prefix (usually you do), the home agent subnet anycast address is the concatenation of your prefix and 0xfdfffffffffffffe. If your prefix is not 64 bits long, fill the host part by carving the required bits from the value 0xfffffffffffffffffffffffffffffffe. For example, if your prefix is 2001:200:1:2::/64, the home agent subnet anycast address is 2001:200:1:2:fdff:ffff:ffff:fffe.

If you are using FreeBSD, a static address configuration is usually done by editing /etc/rc.conf. For example,

ipv6_ifconfig_fxp0_alias0="2001:200:1:2:fdff:ffff:ffff:fffe prefixlen 64 anycast"
        

will assign 2001:200:1:2:fdff:ffff:ffff:fffe as a home agent subnet anycast address to the fxp0 interface at boot time.

If you are using NetBSD, you need to create a file named /etc/ifconfig.fxp0. The file should contain the following line.

inet6 2001:200:1:2:fdff:ffff:ffff:fffe prefixlen 64 anycast alias
        

This will assign 2001:200:1:2:fdff:ffff:ffff:fffe as a home agent subnet anycast address to the fxp0 interface at boot time.
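The calculation and the two boot-time settings above, as an added Python example that is not part of the KAME kit. It goes beyond the /64 case by carving the low-order host bits for other prefix lengths (the layout RFC 2526 defines); the function names and the minimum of 8 host bits are assumptions of this example.

```python
import ipaddress

# Both constants are the values given in the text above.
IID_FOR_64 = 0xFDFFFFFFFFFFFFFE
CARVE_FROM = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE

def home_agent_anycast(prefix):
    """Return the home agent subnet anycast address for an IPv6 prefix."""
    # strict=True rejects input such as 2001:200:1:2::1/64 (host bits set)
    net = ipaddress.IPv6Network(prefix, strict=True)
    host_bits = 128 - net.prefixlen
    if host_bits < 8:
        # Assumption of this example: keep room for the trailing 0xfe byte
        raise ValueError("prefix too long for a subnet anycast address")
    if net.prefixlen == 64:
        host_part = IID_FOR_64
    else:
        # Carve the low-order host_bits bits out of ff..fe
        host_part = CARVE_FROM & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(net.network_address) | host_part)

def rc_lines(prefix, ifname):
    """Render the FreeBSD rc.conf line and the NetBSD /etc/ifconfig.<if> line."""
    addr = home_agent_anycast(prefix)
    plen = ipaddress.IPv6Network(prefix).prefixlen
    return {
        "freebsd": 'ipv6_ifconfig_%s_alias0="%s prefixlen %d anycast"'
                   % (ifname, addr, plen),
        "netbsd": "inet6 %s prefixlen %d anycast alias" % (addr, plen),
    }

if __name__ == "__main__":
    # The prefix and interface used throughout this How To
    for platform, line in rc_lines("2001:200:1:2::/64", "fxp0").items():
        print(platform + ": " + line)
```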

Starting MIP6

We provide a startup script for the KAME/MIP6.

If you are using FreeBSD4, you will find rc and rc.mobileip6 in the /kame/freebsd4/etc directory. Copy those files to the /etc directory.

If you are using NetBSD, you can use rc.net6 in the /kame/kame/kame/etc directory. Take a look at this file and copy the MIP6-related part of the script into your /etc/rc.local script.

Starting a home agent

To start a home agent, add the following lines to your /etc/rc.conf.

ipv6_mobile_enable="YES"
ipv6_mobile_config_dir="/usr/local/v6/etc/mobileip6"
ipv6_mobile_nodetype="home_agent"
ipv6_mobile_home_link="fxp0"
        

fxp0 is the interface name of your home network.

Starting a mobile node

To make a node a mobile node, add the following lines to your /etc/rc.conf.

ipv6_mobile_enable="YES"
ipv6_mobile_config_dir="/usr/local/v6/etc/mobileip6"
ipv6_mobile_nodetype="mobile_node"
ipv6_mobile_home_prefixes="2001:200:1:2::/64"
        

Replace '2001:200:1:2::' with your home prefix.

Doesn't work?

Please mail your problems to snap-users@kame.net.