Written by Keiichi SHIMA @ { KAME Project | Internet Initiative Japan }
This document describes step-by-step instructions for using the KAME Mobile IPv6 (KAME/MIP6) features. Since KAME/MIP6 is still under development, this information may be outdated by the time you read this document. In that case, please refer to the latest documentation included in the KAME kit.
KAME/MIP6 is based on three implementations (Ericsson, NEC, Keio Univ.) that had previously been built on the KAME IPv6 protocol stack. When we planned to provide a MIP6 protocol stack with the KAME base distribution, we decided to rebuild the stack so that we could maintain the code easily and effectively. The initial KAME/MIP6 was mainly based on Ericsson's code, with some userland applications contributed by NEC and the notion of a virtual home interface taken from the stack design of Keio Univ. Since then, we have made many enhancements to the KAME/MIP6 code, and we now have a highly interoperable, BSD-like licensed MIP6 stack.
Currently, FreeBSD and NetBSD are proven to work as a home agent, a mobile node, and a correspondent node. Regarding OpenBSD, we have no plan to support the home agent and mobile node functions, because OpenBSD has a completely different IPsec stack, which makes it difficult to port KAME/MIP6 to OpenBSD. A correspondent node function for OpenBSD is planned but not tested yet.
KAME/MIP6 is under development. You should always use the latest KAME snap kit. Get the latest kit from the KAME Project website.
MIP6 features are not enabled by default. You must prepare a new kernel configuration file and build a kernel that is able to speak the MIP6 protocol. Some user-space programs also need to be rebuilt. Follow the instructions below.
To enable a mobile node feature, set the following kernel options in your kernel configuration file and rebuild the kernel.
    options MIP6
    options MIP6_MOBILE_NODE
    pseudo-device hif 1
To enable a home agent feature, set the following kernel options in your kernel configuration file and rebuild the kernel.
    options MIP6
    options MIP6_HOME_AGENT
If you just want a stationary node that has Mobile IPv6 support (route optimization), set the following kernel options in your kernel configuration file and rebuild the kernel.
    options MIP6
There are 4 user-space programs related to MIP6.
Go to the directory of rtadvd (${KAME}/freebsd4/sbin/rtadvd/ for example, if you use FreeBSD) and add the following line to its Makefile:
    CFLAGS+=-DMIP6
Recompile rtadvd and install it.
    $ make clean
    $ make
    $ su                (become the super user)
    # make install
With -DMIP6, rtadvd is compiled with the -m switch which enables MIP6 related features of rtadvd.
had, mip6control, and mip6stat are built automatically when the other user-space programs are built. They are installed to /usr/local/v6/sbin/.
The KAME/MIP6 uses KAME IPsec to protect binding update messages and tunneled home test init/home test messages. You need to set up the security associations and policies properly.
Since the parameters are too complex to write down by hand, there are some utilities to help with this work. You can find mip6makeconfig.sh and mip6seccontrol.sh in the kame/kame/kame/mip6control/ directory.
First of all, you must create a configuration directory that holds the MIP6 related IPsec setup files.
    (become a super user)
    # mkdir /usr/local/v6/etc/mobileip6
Next, create directories for each mobile node. For example,
    # mkdir /usr/local/v6/etc/mobileip6/mobile_node_0
The name of the directory is arbitrary.
Next, create a file named config in the directory. The contents of the file look like the following.
    mobile_node=2001:200:0:0:201:11ff:fe54:4fde
    home_agent=2001:200:0:0:201:11ff:fe54:5ffc
    transport_spi_mn_to_ha=2000
    transport_spi_ha_to_mn=2001
    transport_protocol=esp
    transport_esp_algorithm=blowfish-cbc
    transport_esp_secret='"THIS_IS_ESP_SECRET!!"'
    transport_auth_algorithm=hmac-sha1
    transport_auth_secret='"THIS_IS_AH_SECRET!!!"'
    tunnel_spi_mn_to_ha=2002
    tunnel_spi_ha_to_mn=2003
    tunnel_uid_mn_to_ha=2002
    tunnel_uid_ha_to_mn=2003
    tunnel_esp_algorithm=blowfish-cbc
    tunnel_esp_secret='"THIS_IS_ESP_SECRET!!"'
    tunnel_auth_algorithm=hmac-sha1
    tunnel_auth_secret='"THIS_IS_AH_SECRET!!!"'
mobile_node is an address of a mobile node. home_agent is an address of a home agent.
transport_spi_mn_to_ha is the SPI value of the SA that protects home registration packets sent from the mobile node to the home agent. transport_spi_ha_to_mn is the reverse. transport_protocol is the name of the protocol that protects home registration packets. You can specify either ah or esp.
If you choose esp in transport_protocol, you must specify both an encryption algorithm/key and a hash algorithm/key with transport_esp_algorithm/transport_esp_secret and transport_auth_algorithm/transport_auth_secret.
If you use ah, you can omit the transport encryption parameters from your configuration file.
The lines which start with tunnel_ are the parameters for RR (Return Routability) signaling packets. The protocol is fixed to ESP. You cannot change this. As you have done in the above setting, specify the SPIs and the algorithm and the secret to protect signaling packets. In addition, you must specify tunnel_uid_mn_to_ha and tunnel_uid_ha_to_mn. They are used as unique identifiers to specify SAs for RR signaling.
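The following is an added example, not part of the KAME kit or of the original document: a POSIX sh function that checks a per-node config file against the rules described above before mip6makeconfig.sh is run. The names cfg_get and check_mip6_config are hypothetical, and the SPI-uniqueness, sample-secret and file-permission checks are assumptions added here rather than requirements stated by KAME.

```sh
#!/bin/sh
# Added example (not part of the KAME kit): lint a per-node "config" file
# before mip6makeconfig.sh is run. Function names are hypothetical.
# Usage: check_mip6_config /usr/local/v6/etc/mobileip6/mobile_node_0/config

# Print the value of key $2 in file $1 with its quoting removed.
# The file is parsed, not sourced, so nothing in it is executed.
cfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "'\""
}

# Print one line per problem; return 0 only when none was found.
check_mip6_config() {
    f=$1; bad=0
    err() { echo "$f: $*"; bad=1; }

    # transport_* requirements depend on the protocol, as the text describes.
    auth="transport_auth_algorithm transport_auth_secret"
    case $(cfg_get "$f" transport_protocol) in
    ah)  need=$auth ;;
    esp) need="transport_esp_algorithm transport_esp_secret $auth" ;;
    *)   need=; err "transport_protocol must be ah or esp" ;;
    esac

    for k in mobile_node home_agent $need \
             transport_spi_mn_to_ha transport_spi_ha_to_mn \
             tunnel_spi_mn_to_ha tunnel_spi_ha_to_mn \
             tunnel_uid_mn_to_ha tunnel_uid_ha_to_mn \
             tunnel_esp_algorithm tunnel_esp_secret \
             tunnel_auth_algorithm tunnel_auth_secret; do
        [ -n "$(cfg_get "$f" "$k")" ] || err "missing $k"
    done

    # Conservative: the sample file gives each of the four SAs its own SPI.
    dup=$(for k in transport_spi_mn_to_ha transport_spi_ha_to_mn \
                   tunnel_spi_mn_to_ha tunnel_spi_ha_to_mn; do
              cfg_get "$f" "$k"
          done | sort | uniq -d)
    [ -z "$dup" ] || err "SPI used more than once: $dup"

    # The secrets printed in this document are public.
    if grep -q 'THIS_IS_.*_SECRET' "$f"; then err "sample secret still in use"; fi

    # The file holds key material: group and others need no access.
    case $(ls -ld "$f" | cut -c5-10) in
    ------) ;;
    *) err "accessible to group or others (chmod 600)" ;;
    esac
    return $bad
}
```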
Next, create parameter setting files by using mip6makeconfig.sh. For example,
    # mip6makeconfig.sh mobile_node_0
Here mobile_node_0 is the name of the directory you created in /usr/local/v6/etc/mobileip6. After successful execution of this program, you will find 6 files created in the per-node directory. Each file contains parameters for IPsec (actually, parameters for the setkey program).
mip6seccontrol.sh is a utility program to set/unset IPsec parameters.
You should invoke the program on your mobile node like:
    # mip6seccontrol.sh -m installall
This installs the IPsec parameters for all mobile nodes stored in the /usr/local/v6/etc/mobileip6 directory.
On the home agent, you should invoke the program like:
    # mip6seccontrol.sh -g installall
This installs the IPsec parameters for all mobile nodes stored in the /usr/local/v6/etc/mobileip6 directory.
We provide a startup script for the KAME/MIP6.
If you are using FreeBSD4, you will find rc and rc.mobileip6 in the /kame/freebsd4/etc directory. Copy those files to the /etc directory.
If you are using NetBSD, you will find mobileip6 in the /kame/netbsd/etc/rc.d/ directory. Copy this file to the /etc/rc.d directory.
To start a home agent, add the following lines to your /etc/rc.conf.
    ipv6_mobile_enable="YES"
    ipv6_mobile_config_dir="/usr/local/v6/etc/mobileip6"
    ipv6_mobile_nodetype="home_agent"
    ipv6_mobile_home_prefixes="2001:200:0:0::/64"
    ipv6_mobile_home_link="fxp0"
Do not forget to replace ipv6_mobile_home_prefixes with your home prefix and ipv6_mobile_home_link with the interface name you use for the home network.
Since a home agent is a router, you will need other configuration parameters required for a generic IPv6 router. For example,
    ipv6_gateway_enable="YES"
    ipv6_router_enable="YES"
    ipv6_router="/usr/local/v6/sbin/route6d"
    ipv6_ifconfig_fxp0="2001:200:1:2::1"
To make a node a mobile node, add the following lines to your /etc/rc.conf.
    ipv6_mobile_enable="YES"
    ipv6_mobile_config_dir="/usr/local/v6/etc/mobileip6"
    ipv6_mobile_nodetype="mobile_node"
    ipv6_mobile_home_prefixes="2001:200:1:2::/64"
Replace ipv6_mobile_home_prefixes with your home prefix.
You may need to decrease the interval between unsolicited router advertisements sent by access routers for fast movement detection. This technique is effective to a certain degree.
    fxp0:\
            :maxinterval#6:mininterval#4:
fxp0 is the name of the interface on which your access router sends router advertisement messages.
Create an rtadvd.conf and place it in the proper directory. The directory is /usr/local/v6/etc if you are using KAME, otherwise /etc.
NOTE: Mobile IPv6 relaxes the maxinterval/mininterval values to 0.07/0.03. But you shouldn't expect a significant performance gain from this tuning. It will end up with a heavy CPU load on the node on which rtadvd is running.
Please mail your problems to snap-users@kame.net .