mipagent.conf - configuration file for Mobile IP mobility agent
/etc/inet/mipagent.conf
/etc/inet/mipagent.conf is the configuration file used to initialize the Mobile IP mobility agent described in mipagent(1M). Three sample configuration files are located in the /etc/inet directory:
/etc/inet/mipagent.conf-sample
/etc/inet/mipagent.conf.ha-sample
/etc/inet/mipagent.conf.fa-sample
Blank lines are ignored. Lines beginning with the hash character (#) are treated as comments. Sections are denoted by identifiers in brackets. Each section can contain multiple attribute-value pairs. The syntax of an attribute-value pair is an identifier, followed by an equal sign (=), followed by a value.
The following sections and the following attribute-value pairs must be present in /etc/inet/mipagent.conf:
[ General ]
This section contains the Version attribute.
Version
Version is required. For the current release of Mobile IP in Solaris, Version must be 1. Consequently, the default value is 1.
[ Advertisements interface ]
This section identifies the interfaces that serve as Mobile IP mobility agents. interface is the name of the advertising interface. An advertising interface that is already configured on the system must be specified by name in the mipagent.conf file. The interface attribute has two components, a device name and a device number; for example, interface=eri0 indicates that the device name is eri and the device number is 0. The device number part of the interface attribute can also be the special symbol *, which indicates support for advertisements on interfaces that are configured after mipagent has started. For example, if eri0 and eri1 are defined explicitly in the mipagent.conf file, then advertisements on those interfaces follow that configuration. If eri* is present in an Advertisements section, then * represents dynamic interfaces, that is, interfaces that are not already configured in the mipagent.conf file and are newly created on the system while mipagent is running. One or more of the following attribute-value pairs might be found in this section:
AdvLifeTime
Lifetime, in seconds, advertised in the ICMP router discovery portion of an agent advertisement. See RFC 1256. The default value is 300.
RegLifeTime
Lifetime, in seconds, advertised in the mobility extension of an agent advertisement. The default value is 300.
AdvFrequency
The frequency at which agent advertisements are sent and at which the different entries are aged. This interval must be less than one-third of AdvLifeTime. The recommended value for AdvFrequency is 1 when AdvLimitUnsolicited is set to yes. The default value is 4.
AdvInitCount
The initial number of unsolicited advertisements which are sent when an interface first starts advertising. If this value is set to zero, no unsolicited advertisements are sent out on the interface. The default value is 1.
AdvLimitUnsolicited
Determines whether the interface performs limited or unlimited unsolicited agent advertisements. The agent always responds to the agent solicitations in both cases.
yes If the value is set to yes, the interface sends AdvInitCount advertisements when it comes up and then stops sending unsolicited advertisements.
no If the value is set to no, the interface sends periodic, unlimited unsolicited advertisements. The default value for AdvLimitUnsolicited is no. When AdvLimitUnsolicited is set to the default value, AdvInitCount is also set to its default value.
HomeAgent
Indicates if this agent can act as a home agent. The default value is yes.
ForeignAgent
Indicates if this agent can act as a foreign agent. The default value is yes.
registrationRequired
Indicates whether or not registration with a foreign agent is required. If set to yes, registration is required even when a co-located care-of address is used. The default value is no; thus the advertisement does not set the "R" bit by default.
PrefixFlags
Enables the prefix length extension. The default value is yes.
NAIExt
Enables the Network Access Identifier (NAI) extension. The default value is yes.
ReverseTunnel
Indicates if this interface supports reverse tunneling as specified in RFC 3024. ReverseTunnel can contain one of the following values:
no or neither Indicates this interface does not support reverse tunneling.
FA Indicates only the foreign agent supports reverse tunneling.
HA Indicates only the home agent supports reverse tunneling.
yes or both Indicates that both foreign and home agents support reverse tunneling as specified in RFC 3024.
The default value for ReverseTunnel is no.
ReverseTunnelRequired
Indicates if this interface will require reverse tunneling as specified in RFC 3024. ReverseTunnelRequired can contain one of the following values:
no or neither Indicates this interface will not require reverse tunneling.
FA Indicates only the foreign agent will require a reverse tunnel.
HA Indicates only the home agent will require a reverse tunnel.
yes or both Indicates that both foreign and home agents will require a reverse tunnel.
The default value for ReverseTunnelRequired is no.
[ GlobalSecurityParameters ]
This section defines the global security parameters that are used to authenticate mobile nodes. MN-HA authentication is always enabled. This section may contain one or more of the following attribute-value pairs:
Challenge Enables the foreign agent challenge extension. The default value is no.
HA-FAAuth Enables home agent - foreign agent authentication. The default value is yes.
MN-FAAuth Enables mobile node - foreign agent authentication. The default value is no.
MaxClockSkew The maximum allowable difference in clocks, in seconds, that will be tolerated. This is used for replay protection. The default value is 300.
KeyDistribution This attribute defines where keys are found. The default for this version of the Solaris Mobile IP software is files.
[ SPI number ]
These sections define multiple Security Parameter Indices (SPIs). One section is required for each security context. These SPI values are used in the Address section to define the security used for a particular mobile node or agent. In this section, both the Key and ReplayMethod attributes must be present.
Key The hexadecimal representation of the key used for authentication.
ReplayMethod The replay method. Possible values are timestamps or none.
[ Pool number ]
These sections define address pools for dynamically assigned IP addresses. The Start and Length attributes both must be present.
Start The beginning range of the IP address from which to allocate an IP address in dotted quad notation.
Length The length of the IP address range.
[ Address NAI | IPaddr | node-default ]
This section defines the security policy used for each host for which an NAI or IP address is specified in the section header. The keyword node-default is used to create a single entry that can be used by any mobile node that has the correct SPI and associated keying information. This section specifies the SPI, and in the case of mobile nodes, pool numbers for NAI addresses.
Type Indicates whether the address entry specifies a mobile node or a mobility agent.
SPI The SPI used for this Address.
Pool The Pool used for this NAI address. The Pool keyword may only be present if the Type attribute specifies a mobile node.
The following entries are valid only for Address sections where Type = agent:
IPsecRequest The IPsec policies to add to the global IPsec policy file so that they are enforced for Registration Requests to and from this mobility agent peer. These are the IPsec properties which foreign agents apply, and which home agents permit.
IPsecReply The IPsec policies to add to the global IPsec policy file so that they are enforced for Registration Replies to and from this mobility agent peer. These are the IPsec properties which home agents apply, and which foreign agents permit.
IPsecTunnel The IPsec policies to enforce on all tunnel traffic with this mobility agent peer. These are the IPsec properties which home agents apply, and which foreign agents permit.
A mobility agent can function as a home agent for some mobile nodes and as a foreign agent for others. To allow different policy configurations for both roles against the same mobility agent peer, apply and permit policies need to be specified for the same entry. This is achieved by using a colon (:) to separate the IPsec policies. For example:
IPsecRequest apply {properties} : permit {properties}
This configuration for IPsecRequest could indicate a set of properties that are applied when sending registration requests, and a different set of properties that is enforced when receiving registration requests in a session with the same mobility agent peer.
Example 1: Configuration for Providing Mobility Services on One Interface
The following example shows the configuration file for a mobility agent that provides mobility services on one interface (eri0). The mobility agent acts both as a home agent as well as a foreign agent on that interface. It includes the prefix length in its advertisements. Its home and foreign agent functions support reverse tunneling, but only the foreign agent requires that a reverse tunnel be configured.
The mobility agent has IPsec relationships with two mobility agent peers: 192.168.10.1, with which it will be a foreign-agent peer, and 192.168.10.2, with which it will be a home-agent peer.
All registration request packets sent to 192.168.10.1 will use md5 as the IPsec authentication algorithm, and all registration replies from 192.168.10.1 must be protected using md5 as the IPsec authentication algorithm. Should a tunnel be established with this mobility agent peer, all tunnel traffic must arrive using md5 as the encryption authentication algorithm, and must also be encrypted using triple-DES. If a reverse tunnel is configured, all reverse tunnel traffic will be sent using md5 as the encryption authentication algorithm, and will also be encrypted using triple-DES.
Correspondingly, all registration request packets received from 192.168.10.2 must be protected using md5 as the IPsec authentication algorithm, and all registration replies sent to 192.168.10.2 will use md5 as the IPsec authentication algorithm. Should a tunnel be established with 192.168.10.2, all tunnel traffic sent will be protected using md5 as the encryption authentication algorithm, and will also be encrypted using triple-DES. Should a reverse tunnel be configured as well, tunnel traffic must arrive secured with md5 as the encryption authentication algorithm, and must also have been encrypted using triple-DES as the encryption algorithm.
Any registration or tunnel traffic that does not conform to these policies will be silently dropped by IPsec. Note that IPsec keys are managed through IPsec. See ipsec(7P).
The mobility agent provides home agent services to three mobile nodes: 192.168.10.17, 192.168.10.18, and the NAI address [email protected]. The configuration file also indicates that it provides foreign agent service on any PPP interfaces that are dynamically created after mipagent starts.
With the first mobile node, the agent uses an SPI of 257 (decimal) and a shared secret key that is six bytes long containing alternate bytes that are 0 and 255 (decimal). For the second mobile node, the SPI is 541 (decimal), the key is 10 bytes, and it contains the decimal values 11 through 20 in those bytes. The first mobile node uses no replay protection, and the second uses timestamps. The third mobile node uses NAI and gets its address from Pool 1.
The mobile node will also need to be configured with the same security association that is specified in the home agent's configuration file.
# start of file
[ General ]
Version = 1
[ Advertisements eri0 ]
AdvLifeTime = 200
RegLifetime = 200
AdvFrequency = 5
AdvInitCount = 1
AdvLimitUnsolicited = no
AdvertiseOnBcast = yes
HomeAgent = yes
ForeignAgent = yes
PrefixFlags = yes
ReverseTunnel = both
ReverseTunnelRequired = FA
[ Advertisements hme1 ]
ForeignAgent = yes
HomeAgent = yes
registrationRequired = yes
# Advertisements over PPP interfaces that are created
# while the mipagent is running. Note we are doing limited
# unsolicited advertisements here.
[Advertisements sppp*]
homeagent = no
foreignagent = yes
PrefixFlags = 1
reglifetime = 200
advlifetime = 200
advFrequency = 1
advInitCount = 2
advLimitUnsolicited = yes
reverseTunnel = yes
reverseTunnelReq = no
[ GlobalSecurityParameters ]
HA-FAAuth = no
MN-FAAuth = no
KeyDistribution = files
[ SPI 257 ]
Key = 00ff00ff00ff
ReplayMethod = none
[ SPI 541 ]
Key = 0b0c0d0e0f1011121314
ReplayMethod = timestamps
[ Pool 1 ]
Start = 192.168.167.1
Length = 250
[ Address 192.168.10.1 ]
Type = agent
SPI = 257
IPsecRequest = apply {auth_algs md5 sa shared}
IPsecReply = permit {auth_algs md5}
IPsecTunnel = permit {encr_auth_algs md5 encr_algs 3des}
[ Address 192.168.10.2 ]
Type = agent
SPI = 257
IPsecRequest = permit {auth_algs md5}
IPsecReply = apply {auth_algs md5 sa shared}
IPsecTunnel = apply {encr_auth_algs md5 encr_algs 3des}
[ Address 192.168.10.17 ]
Type = node
SPI = 257
[ Address 192.168.10.18 ]
Type = node
SPI = 541
[ Address [email protected] ]
Type = node
SPI = 541
Pool = 1
[ Address node-default ]
Type = node
SPI = 541
Pool = 1
#end of file
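As an added example (not part of the Solaris man page or the mipagent code), the following lint parses a mipagent.conf text using the syntax rules given above and reports violations of the constraints this page documents: Version must be 1, AdvFrequency must be less than one-third of AdvLifeTime, an SPI section needs a hexadecimal Key and a ReplayMethod of timestamps or none, a Pool needs Start and Length, and an Address entry must reference a defined SPI and may carry a Pool only for a mobile node. It assumes attribute names are matched case-insensitively, as the mixed case in the example file suggests; the sample input is constructed and carries two deliberate faults.

```python
import re

def parse_mipagent_conf(text):
    """Return [(header_words, {attr_lower: value})] in file order."""
    sections, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):        # blank lines and comments are ignored
            continue
        m = re.fullmatch(r"\[\s*(.+?)\s*\]", line)  # "[ SPI 257 ]" -> ["SPI", "257"]
        if m:
            cur = (m.group(1).split(), {})
            sections.append(cur)
        elif "=" in line and cur is not None:       # "Attr = value"; name lower-cased (assumption)
            name, _, value = line.partition("=")
            cur[1][name.strip().lower()] = value.strip()
        else:
            raise ValueError("malformed line: %r" % line)
    return sections

def lint(text):
    """Violations of the rules documented on the page; an empty list means clean."""
    sections = parse_mipagent_conf(text)
    spis = {w[1] for w, _ in sections if w[0] == "SPI" and len(w) > 1}
    problems = []
    for words, a in sections:
        kind, name = words[0], " ".join(words)
        if kind == "General" and a.get("version") != "1":
            problems.append(name + ": Version must be 1")
        elif kind == "Advertisements":   # AdvFrequency must be < AdvLifeTime/3 (defaults 4, 300)
            if int(a.get("advfrequency", 4)) * 3 >= int(a.get("advlifetime", 300)):
                problems.append(name + ": AdvFrequency not < AdvLifeTime/3")
        elif kind == "SPI":              # Key is hex bytes; ReplayMethod is timestamps or none
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", a.get("key", "")):
                problems.append(name + ": Key must be an even-length hex string")
            if a.get("replaymethod") not in ("timestamps", "none"):
                problems.append(name + ": ReplayMethod must be timestamps or none")
        elif kind == "Pool" and not all(k in a for k in ("start", "length")):
            problems.append(name + ": Start and Length are both required")
        elif kind == "Address":          # SPI must be defined; Pool only for mobile nodes
            if a.get("spi") not in spis:
                problems.append(name + ": SPI %s has no [ SPI ] section" % a.get("spi"))
            if "pool" in a and a.get("type") != "node":
                problems.append(name + ": Pool is only valid when Type = node")
    return problems

# Constructed sample modelled on the page's example; AdvFrequency is too high and SPI 541 is undefined.
SAMPLE = ("[ General ]\nVersion = 1\n"
          "[ Advertisements eri0 ]\nAdvLifeTime = 200\nAdvFrequency = 70\n"
          "[ SPI 257 ]\nKey = 00ff00ff00ff\nReplayMethod = none\n"
          "[ Address 192.168.10.1 ]\nType = agent\nSPI = 541\n")
```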
/etc/inet/mipagent.conf Configuration file for Mobile IP mobility agent
/etc/inet/mipagent.conf-sample Sample configuration file for mobility agents.
/etc/inet/mipagent.conf.ha-sample Sample configuration file for home agent functionality.
/etc/inet/mipagent.conf.fa-sample Sample configuration file for foreign agent functionality.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE    ATTRIBUTE VALUE
Availability      SUNWmipr
mipagent(1M), mipagentconfig(1M), attributes(5), ipsec(7P)
Deering, S., Editor. RFC 1256, ICMP Router Discovery Messages. Network Working Group. September 1991.
Montenegro, G., Editor. RFC 3024, Reverse Tunneling for Mobile IP, revised. The Internet Society. January 2001.
Perkins, C., Editor. RFC 2002, IP Mobility Support. Network Working Group. October 1996.
The base Mobile IP protocol, RFC 2002, does not address the problem of scalable key distribution and treats key distribution as an orthogonal issue. The Solaris Mobile IP software utilizes manually configured keys only, specified in a configuration file.
The * symbol for the interface number selects only those interfaces that are newly configured while mipagent is running. Thus the symbol * in the interface name excludes any preconfigured interfaces on the system. Interfaces that are already configured on the system must be named explicitly in the mipagent.conf file for advertisements to be sent on them.
The AdvLimitUnsolicited parameter is useful when unsolicited advertisements on the interface need to be limited. Limited unsolicited agent advertisement is required for some wireless Mobile IP usage.
Note that IPsec protection requires keying information that depends on the algorithms being used. IPsec manages its own keys, whether they are manually configured, or managed with some other mechanism such as Internet Key Exchange (IKE). See ipsec(7P).