with IPsec static keying
Introduction
This section describes the UMIP configuration for a NEMO Basic Support testbed. It explains the small modifications needed to turn your HA into a NEMO HA and your MN into a Mobile Router (MR). The remainder of this document builds on the one describing how to set up a Mobile IPv6 testbed. It is thus preferable that you already have a working Mobile IPv6 testbed before going any further.
Below is a figure of the testbed setup, followed by some comments.
The mobile network is connected to the eth1 interface of the MR (called the ingress interface). The MR advertises a prefix (called the Mobile Network Prefix, MNP) in its mobile network. In our testbed, this MNP is 2001:db8:ffff:ff01::/64. The MR also configures an address on its ingress interface (2001:db8:ffff:ff01::1).
The MNP used by the MR must be routable towards the HA. For that purpose, an address space dedicated to a set of MNP is assigned to the HA: 2001:db8:ffff:ff00::/56. This prefix must be advertised by the HA in the routing infrastructure.
Configuring the NEMO Home Agent
In this subsection, we cover the configuration of the NEMO HA.
UMIP configuration
Here is a modified UMIP Home Agent configuration for NEMO operations. Changes made in the file are marked with NEMO ADDITION. Modify your /usr/local/etc/mip6d.conf file accordingly.
# Sample UMIP configuration file for a NEMO Home Agent
NodeConfig HA;
# Set DebugLevel to 0 if you do not want debug messages
DebugLevel 10;
# Replace eth0 with the interface connected to the home link
Interface "eth0";
# Accept registrations from Mobile Routers
HaAcceptMobRtr enabled; ## NEMO ADDITION ##
HaServedPrefix 2001:db8:ffff:0::/64; ## NEMO ADDITION ##
# Binding information
BindingAclPolicy 2001:db8:ffff:0::1 (2001:db8:ffff:ff01::/64) allow; ## NEMO ADDITION ##
DefaultBindingAclPolicy deny;
# Enable IPsec static keying
UseMnHaIPsec enabled;
KeyMngMobCapability disabled;
# IPsec Security Policies information
IPsecPolicySet {
    HomeAgentAddress 2001:db8:ffff:0::1000;
    HomeAddress 2001:db8:ffff:0::1/64;
    IPsecPolicy Mh UseESP 10;
    IPsecPolicy TunnelPayload UseESP 11;
}
The first thing to do is to allow the HA to accept bindings from Mobile Routers by enabling the HaAcceptMobRtr parameter. The HaServedPrefix option specifies the prefix from which the HoA of your MR is taken. With NEMO Basic Support, it is possible to define an HoA from the MNP allocated to your MR. In our testbed, this is not the case, so we just put the Home Link prefix (2001:db8:ffff:0::/64) for the HaServedPrefix parameter.
The HA needs to declare which MNP is associated with the MR. This is done by listing, in parentheses, the set of prefixes the MR is allowed to request in the BindingAclPolicy parameter.
No changes are needed in the IPsec configuration. All the traffic towards the mobile network will also automatically be protected with IPsec tunnel mode.
IPsec SA configuration
No changes are needed in the IPsec SA configuration. You can keep the same /usr/local/etc/setkey.conf file as the one you created for your Mobile IPv6 Home Agent.
Router Advertisement configuration
A new option is needed in your /etc/radvd.conf file. The AdvMobRtrSupportFlag option must be set to on so that the HA advertises that it supports NEMO registrations.
# NEMO Home Agent radvd configuration file
# Replace eth0 with the interface connected to the home link
interface eth0
{
    AdvSendAdvert on;
    MaxRtrAdvInterval 3;
    MinRtrAdvInterval 1;
    AdvIntervalOpt on;
    AdvHomeAgentFlag on;
    AdvHomeAgentInfo on;
    HomeAgentLifetime 1800;
    HomeAgentPreference 10;
    ## NEMO ADDITION ##
    AdvMobRtrSupportFlag on;
    # Home Agent address
    prefix 2001:db8:ffff:0::1000/64
    {
        AdvRouterAddr on;
        AdvOnLink on;
        AdvAutonomous on;
    };
};
Routing configuration
All the traffic towards the MNP must be routed through your HA. The HA must therefore advertise its set of MNPs over the routing infrastructure. For that purpose, you may choose static routing in your testbed, or you can use a routing protocol such as ripng. The quagga routing software suite provides such a routing protocol. Please refer to the quagga homepage for more information.
Also, when the MR is at home, the HA lacks the routing information towards the MNP. A static route can be installed on the HA to allow routing to the mobile network when the MR is at home. This route will not be used when the MR is in a foreign network (the route installed by UMIP towards the MR-HA tunnel will be chosen instead). To install this static route at startup, you can update the /etc/network/interfaces file with the configuration below:
# Configuration of the home link interface
allow-hotplug eth0
iface eth0 inet6 static
    [...]
    up ip -6 route add 2001:db8:ffff:ff01::/64 via 2001:db8:ffff:0::1
Starting the daemons
The procedure to start the daemons (setkey, mip6d and radvd) is similar to the one for the Mobile IPv6 Home Agent. You can keep the same startup scripts as the ones used for your Mobile IPv6 testbed.
Configuring the Mobile Router
In this subsection, we cover the configuration of the Mobile Router (MR).
UMIP configuration
Here is a modified UMIP Mobile Router configuration. Changes made in the file are marked with NEMO ADDITION. Modify your /usr/local/etc/mip6d.conf file accordingly.
# Sample UMIP configuration file for a Mobile Router
NodeConfig MN;
# Set DebugLevel to 0 if you do not want debug messages
DebugLevel 10;
# Enable the optimistic handovers
OptimisticHandoff enabled;
# Disable RO with other MNs (it is not compatible
# with IPsec Tunnel Payload)
DoRouteOptimizationMN disabled;
# The Binding Lifetime (in sec.)
MnMaxHaBindingLife 60;
# Use NEMO Explicit Mode
MobRtrUseExplicitMode enabled; ## NEMO ADDITION ##
# List here the interfaces that you will use
# on your mobile node. The available one with
# the smallest preference number will be used.
Interface "eth0" {
    MnIfPreference 1;
}
Interface "wlan0" {
    MnIfPreference 2;
}
# Replace eth0 with one of your interface used on
# your mobile node
MnHomeLink "eth0" {
    IsMobRtr enabled; ## NEMO ADDITION ##
    HomeAgentAddress 2001:db8:ffff:0::1000;
    HomeAddress 2001:db8:ffff:0::1/64 (2001:db8:ffff:ff01::/64); ## NEMO ADDITION ##
}
# Enable IPsec static keying
UseMnHaIPsec enabled;
KeyMngMobCapability disabled;
# IPsec Security Policies information
IPsecPolicySet {
    HomeAgentAddress 2001:db8:ffff:0::1000;
    HomeAddress 2001:db8:ffff:0::1/64;
    IPsecPolicy Mh UseESP 10;
    IPsecPolicy TunnelPayload UseESP 11;
}
We enable the NEMO explicit registration mode with the MobRtrUseExplicitMode parameter. Note that this is not mandatory as this is enabled by default.
All the other changes take place in the MnHomeLink block. We allow the MR to act as a router by enabling the IsMobRtr parameter. The prefix that we previously configured on the NEMO HA side has been added to the HomeAddress statement.
No changes are needed in the IPsec configuration. All the traffic from the mobile network will also automatically be protected with IPsec tunnel mode.
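The HA and MR files above only work together if the MR requests exactly what the HA's BindingAclPolicy allows, and a mismatch leaves the binding refused under DefaultBindingAclPolicy deny. The following cross-check is an added example, not part of the original document or of UMIP: the function names and the embedded excerpts are constructed here, and it assumes comma-separated prefix lists and an exact-match comparison against the ACL.

```python
import ipaddress
import re

# Constructed excerpts of the two mip6d.conf files, using the testbed values.
HA_CONF = """
HaAcceptMobRtr enabled; ## NEMO ADDITION ##
HaServedPrefix 2001:db8:ffff:0::/64;
BindingAclPolicy 2001:db8:ffff:0::1 (2001:db8:ffff:ff01::/64) allow;
DefaultBindingAclPolicy deny;
UseMnHaIPsec enabled;
"""
MR_CONF = """
MnHomeLink "eth0" {
    IsMobRtr enabled;
    HomeAgentAddress 2001:db8:ffff:0::1000;
    HomeAddress 2001:db8:ffff:0::1/64 (2001:db8:ffff:ff01::/64);
}
UseMnHaIPsec enabled;
"""
MNP_AGGREGATE = ipaddress.ip_network("2001:db8:ffff:ff00::/56")  # routed to the HA

def has(conf, statement):  # statement like "Keyword value", whitespace-tolerant
    return re.search(r"^\s*" + statement.replace(" ", r"\s+") + r"\s*;", conf, re.M) is not None

def prefixes(text):
    # Assumption: several prefixes in one list are comma-separated.
    return {ipaddress.ip_network(p.strip()) for p in text.split(",") if p.strip()}

def check(ha_conf, mr_conf, aggregate=MNP_AGGREGATE):
    ha, mr = (re.sub(r"#.*", "", c) for c in (ha_conf, mr_conf))  # drop comments
    required = [("HA", ha, "UseMnHaIPsec enabled"), ("MR", mr, "UseMnHaIPsec enabled"),
                ("HA", ha, "DefaultBindingAclPolicy deny"),
                ("HA", ha, "HaAcceptMobRtr enabled"), ("MR", mr, "IsMobRtr enabled")]
    problems = [f"{who}: missing '{s};'" for who, conf, s in required if not has(conf, s)]
    acl = {ipaddress.ip_address(hoa): prefixes(mnps) for hoa, mnps in
           re.findall(r"\bBindingAclPolicy\s+(\S+)\s*\(([^)]*)\)\s*allow\s*;", ha)}
    m = re.search(r"\bHomeAddress\s+([^\s/]+)/\d+\s*\(([^)]*)\)\s*;", mr)
    if not m:
        return problems + ["MR: no HomeAddress statement with an MNP list"]
    hoa, requested = ipaddress.ip_address(m.group(1)), prefixes(m.group(2))
    served = re.search(r"\bHaServedPrefix\s+(\S+?)\s*;", ha)
    if served and hoa not in ipaddress.ip_network(served.group(1)):
        problems.append(f"MR: HoA {hoa} is outside HaServedPrefix")
    # Exact-match comparison against the ACL is this example's choice (strict).
    for mnp in sorted(requested - acl.get(hoa, set())):
        problems.append(f"HA: BindingAclPolicy does not allow {mnp} for {hoa}")
    problems += [f"MNP {mnp} is outside {aggregate}" for mnp in sorted(requested)
                 if not mnp.subnet_of(aggregate)]
    return problems
```

Pass the full contents of both /usr/local/etc/mip6d.conf files to check(); an empty list means the two sides agree.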
IPsec SA configuration
No changes are needed in the IPsec SA configuration. You can keep the same /usr/local/etc/setkey.conf file as the one you created for your Mobile IPv6 Mobile Node.
Router Advertisement configuration
The MR needs to advertise its MNP in the mobile network using Router Advertisements (RA). For that purpose, we use the radvd software with the configuration below. Copy it to /etc/radvd.conf:
# Mobile Router radvd configuration file
# Replace eth1 with your ingress interface name
interface eth1
{
    AdvSendAdvert on;
    MaxRtrAdvInterval 3;
    MinRtrAdvInterval 1;
    AdvIntervalOpt on;
    IgnoreIfMissing on;
    # Mobile Router address on the ingress interface
    prefix 2001:db8:ffff:ff01::1/64
    {
        AdvRouterAddr on;
        AdvOnLink on;
        AdvAutonomous on;
        AdvPreferredLifetime 60;
        AdvValidLifetime 120;
    };
};
Miscellaneous configuration
IPv6 forwarding must be activated on the MR. In order to enable it automatically at startup, you can add (or uncomment) the following line in the /etc/sysctl.conf file:
net.ipv6.conf.all.forwarding=1
You can also do it manually with the following command:
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
You should also statically configure the address of your ingress interface (2001:db8:ffff:ff01::1 on eth1 in our testbed). You can update the /etc/network/interfaces file with the configuration below, so that the address is automatically configured at startup:
# Configuration of the ingress interface
allow-hotplug eth1
iface eth1 inet6 static
    address 2001:db8:ffff:ff01::1
    netmask 64
Starting the daemons
In addition to the mip6d daemon and setkey, the MR must also start the radvd daemon. The procedure is exactly the same as for the Mobile IPv6 Home Agent.
Operations
You can connect any kind of IPv6 device to your mobile network. The devices will keep the same IPv6 address (configured from the advertised MNP) even when the MR moves from one network to another.
Once your HA is running, you can boot the MR. Once it is started, make sure that the MR and the devices in your mobile network are reachable (using ping6 for example) when the MR is in the Home Link. If they are not reachable, you certainly have a configuration or routing problem in your testbed.
If they are reachable, then you can try to move the MR from the Home Link to a foreign network. The MR will then register to the HA and will still be reachable at its Home Address. All the devices in the mobile network will also be reachable at the same address as before.
You can check that the registration to the HA was successful by checking the Binding Update List on the MR and the Binding Cache on the HA, as was done for your Mobile IPv6 testbed.
Changelog
- 2009/11/04: First version of this document.