mip6d.conf(5) Mobile IPv6 and NEMO Daemon Configuration mip6d.conf(5)

NAME

mip6d.conf - MIPL Mobile IPv6 and NEMO Configuration file

SYNOPSIS

/etc/mip6d.conf

DESCRIPTION

MIPL Mobile IPv6 and NEMO daemon's configuration file

Below is a list of currently supported configuration options. All configuration lines are terminated with a semicolon. Sub-sections are enclosed in '{' and '}'. Strings are quoted with double quotes.

COMMON OPTIONS

The file contains the following common definitions:

Includes content from other files based on the provided pattern. Usual shell wildcards are supported ('?', '*', '['). See glob(7) for details. The number of included files is virtually unlimited, but only five levels of recursion are authorized to prevent loops. Note that if the given pattern does not match any file, a simple warning is issued but parsing continues. Unlike most configuration statements, no ';' is expected after the pattern.

Example: include "/etc/mip6d.conf.d/*.conf"

Indicates if the daemon should run in Correspondent Node, Home Agent or Mobile Node mode.

Default: CN

Indicates the debug level of the daemon. If the value is greater than zero, the daemon will not detach from tty (i.e. debug messages will be printed on the controlling tty).

Default: 0

Indicates if a node should participate in route optimization with a Mobile Node.

Default: enabled

This option is currently ignored. Binding cache is always stored in volatile memory, and is not retained between shutdown and startup.

OPTIONS COMMON TO HOME AGENT AND MOBILE NODE

Interface name {
	MnIfPreference number;
	IfType CN | HA | MN;
	Tunnel boolean;
}

Specifies an interface and options associated with it. If no options are present, Interface can be terminated with a semicolon. This is used by the home agent to specify which interfaces are used for HA operation. For the home agent to function properly, a Router Advertisement daemon (e.g. radvd) must broadcast advertisements with the Home Agent bit and Home Agent Information Option set on these interfaces. This option is also used by multihomed Mobile Nodes to define which interfaces they use. For MN and CN, it is possible to provide interfaces that are not already available when the daemon is started. Those will be used when available.

MnIfPreference sets the interface preference value for an interface in a multi-homed Mobile Node. The most preferred interfaces have preference 1, the second most preferred have 2, etc. Values between 0 and 10 are allowed. A preference of zero means the interface will not be used.

The interface preference has a direct impact on the metric of default routes configured by the daemon from RA information. Note that if two interfaces with associated default routes have the same preference value, the routes will end up having the same metric, except if different default router preference (RFC 4191) values are provided in RA. In a sense, the MnIfPreference value is the primary selector for interface and default route selection, and the default router preference value provided in RA can then be used to break a tie.

Default: 10

IfType overrides the default node behavior for this interface. If a MN doesn't wish to use this interface for mobility, or a node doesn't act as HA on this interface, the interface type should be set to CN.

Default: same as NodeConfig

Tunnel

When enabled, this flag explicitly marks the interface as a tunnel interface and modifies the behavior of UMIP regarding the router discovery, address configuration and route addition steps for the interface. Those are expected to be done externally (manually or by another automatic process, for instance when using a Teredo interface). Note that routing via the interface is still partly handled by UMIP, which leaves some latitude to the user or the automatic process that sets up the interface. UMIP looks for default routes in the main table that use the interface as output device and replaces them with a default route with a proper preference. If a gateway was present for the route (there is one for 6to4, but none when miredo is used), it is kept in the new route. Other routes that are defined for the device (including other default routes in other tables) are left untouched.

Limitations and details:

1) Tunnel interfaces are only allowed for MN and CN (not HA).

2) They are never considered as home link (i.e. you will never be at home on a tunnel).

3) Unlike for physical interfaces, link detection is not reliable for tunnel interfaces. If the tunnel interface state is directly dependent on some physical interface link status, that status must be monitored externally (i.e. not by UMIP) and reflected by setting the interface down/up or by removing/adding the address, so that UMIP detects the change in interface configuration.

4) An address must be configured on the interface for it to be selected. If no address is available, UMIP will simply not consider the interface at all (even if it provides a default route).

5) Routes that include specific sources are not considered by UMIP.

Example:

When using a teredo interface, the default route through the teredo device is found and its preference changed. Link local routes are kept unchanged. Address configuration is kept unmodified.

When using a 6to4 tunnel interface, a default route through the 6to4 device exists. It uses the 6to4 relay address (::192.88.99.1 anycast address or another specific one) as gateway. UMIP finds this default route and installs a new default one with the same gateway but an updated metric.

Default: disabled

Indicates if the MN-HA MIPv6 signalling should be protected with IPsec.

Default: enabled

If dynamic keying with MIPv6-aware IKE is used, this option should be enabled. It turns on the K-bit for binding updates and binding acknowledgements.

Default: disabled

IPsecPolicySet {
	HomeAgentAddress address;
	HomeAddress address/length;
	IPsecPolicy ...
	...
}

IPsecPolicySet is a set of policies to apply for matching packets. A policy set can contain multiple HomeAddress options, but only one HomeAgentAddress option. On a home agent, the home agent address field contains its own address, and the home address fields may list any number of mobile nodes to which the same policy applies.

IPsecPolicy has the following format:

Field type can be one of HomeRegBinding, Mh, MobPfxDisc, ICMP, any, TunnelMh, TunnelHomeTesting, or TunnelPayload. The any option protects all transport mode communication between the MN and HA. Currently only the ESP IPsec protocol is supported, but in the future AH and IPComp might also be available. The two remaining numeric fields are the IPsec reqid values, the first one used for MN - HA, the second one for HA - MN communication. If just one value is defined, the same reqid will be used in both directions. If no reqid is given, reqid will not be used.

If more than one IPsec transport mode or tunnel mode policy is defined between the MN and HA in each direction, reqid can be used to provide an unambiguous one-to-one mapping between IPsec policies and SAs. Otherwise the policies will just share a common SA.

HOME AGENT SPECIFIC OPTIONS

The following definitions are ignored unless the node is configured as a HA:

Limits the maximum lifetime (in seconds) for Mobile Node home registrations.

Default: 262140

Controls whether the home agent sends Mobile Prefix Advertisements to mobile nodes in foreign networks.

Controls whether the home agent sends unsolicited Mobile Prefix Advertisements to mobile nodes in foreign networks.

Sets a minimum interval (in seconds) for Mobile Prefix Advertisements.

Default: 600

Sets a maximum interval (in seconds) for Mobile Prefix Advertisements.

Default: 86400

Indicates if the HA accepts Mobile Router bindings.

Default: disabled

Prefix is an IPv6 prefix and length is the prefix length. Defines the whole aggregated or extended prefix the HA serves. This option is only used for MR bindings and is only needed if the MRs derive their Home Addresses from their Mobile Network Prefixes, instead of one of the home link prefixes.

Defines if a MN is allowed to register with the HA or not. The home address of the MN is given in the address field. The mobile network prefixes belonging to a NEMO Mobile Router are listed in the MNP list. The list can either be an empty string or a comma separated list of network prefixes enclosed in braces, for example: (3ffe:2620:6:3::/64, 3ffe:2620:6:4::/64)

Defines the default policy if no matching BindingAclPolicy entry is found for a MN.

Default: allow

MOBILE NODE SPECIFIC OPTIONS

The following definitions are ignored unless the node is configured as a MN:

Limits the maximum lifetime (in seconds) for Mobile Node home registrations.

Default: 262140

Limits the maximum lifetime (in seconds) for Mobile Node Correspondent Node registrations.

Default: 420

Toggles if the Mobile Node should discard ICMPv6 Parameter Problem messages from its Home Agent. As the ICMPv6 error messages won't normally be protected by IPsec, a malicious third party can quite easily impersonate the HA to the MN. Having the MN accept these messages therefore leaves it open to Denial of Service attacks, even though its home registration signalling is protected by IPsec.

Default: disabled

Controls whether the mobile node sends Mobile Prefix Solicitations to the home network.

Indicates if the Mobile Node should initialize route optimization with Correspondent Nodes.

Default: enabled

Indicates if all interfaces should be used for mobility. The preference of these interfaces is always 1. Unless you use dynamically created and named network interfaces you should normally disable this option and use Interface options to explicitly list the used interfaces.

Default: disabled

Toggles between explicit or implicit mode home registrations in the MR.

Default: enabled

Indicates if the Acknowledge bit should be set in Binding Updates sent to Correspondent Nodes.

Default: disabled

Indicates how many times the MN should send Neighbor Unreachability Detection (NUD) probes to its old router after receiving a Router Advertisement (RA) from a new one. If the option is set to zero or the new router advertises a strictly higher default preference value than the old one (as defined in RFC 4191), the MN will move to the new router straight away.

Default: 0

Indicates how long (in seconds) the MN should wait for a reply during an access router Neighbor Unreachability Detection probe. If set, it overrides any default Neighbor Solicitation Retransmit Timer value greater than MnRouterProbeTimeout. For example, if the interface Retransmit Timer is 1 second, but MnRouterProbeTimeout is just 0.2 seconds, the MN will only wait 0.2 seconds for a Neighbor Advertisement before proceeding with the handoff.

Default: 0

When a Mobile Node sends a Binding Update to the Home Agent, no Route Optimized or reverse tunneled traffic is sent until a Binding Acknowledgement is received. When enabled, this option allows the Mobile Node to assume that the binding was successful right after the BU has been sent, and does not wait for a positive acknowledgement before using RO or reverse tunneling.

Default: disabled

MnHomeLink name {
	HomeAddress address/length MNP list;
	HomeAgentAddress address;
	MnRoPolicy ...
	...
}

Each MnHomeLink definition has a name. This is the name (enclosed in double quotes) of the interface used for connecting to the physical home link. To set up multiple Home Addresses on the Mobile Node, you need to define multiple MnHomeLink structures. The interface names don't have to be unique in these definitions. All the home link specific definitions are detailed below:

Address is an IPv6 address, and length the prefix length of the address, usually 64. The MNP list contains the mobile network prefixes belonging to that particular NEMO Mobile Router. The MNP list is of the same format as in BindingAclPolicy. This option must be included in a home link definition.

Address is the IPv6 address of the Mobile Node's Home Agent. DHAAD is used if it is the unspecified address ::.

Default: ::

Defines if the MN is a NEMO MR.

Default: disabled

Any number of these policies may be defined. If no policies are defined, the default behavior depends on the DoRouteOptimizationMN option.

The fields for a route optimization policy entry are as follows: address defines the Correspondent Node this policy applies to; if left undefined, the unspecified address is used as a wildcard value. boolean sets route optimization either enabled or disabled for packets matching this entry.

EXAMPLES

NodeConfig HA;
Interface "eth0";
HaAcceptMobRtr enabled;
HaServedPrefix 3ffe:2620:6::/48;
DefaultBindingAclPolicy deny;
BindingAclPolicy 3ffe:2620:6:1::1234 (3ffe:2620:6:2::/64, 3ffe:2620:6:3::/64) allow;
BindingAclPolicy 3ffe:2620:6:1::1235 allow;
UseMnHaIPsec disabled;

NodeConfig MN;
DoRouteOptimizationCN disabled;
DoRouteOptimizationMN disabled;
Interface "eth0";
MnRouterProbes 1;
MobRtrUseExplicitMode enabled;
MnHomeLink "eth0" {
	IsMobRtr enabled;
	HomeAgentAddress 3ffe:2620:6:1::1;
	HomeAddress 3ffe:2620:6:1::1234/64 (3ffe:2620:6:2::/64, 3ffe:2620:6:3::/64);
}
UseMnHaIPsec disabled;

NodeConfig CN;
DoRouteOptimizationCN enabled;

NodeConfig HA;
Interface "eth0";
Interface "eth1";
UseMnHaIPsec enabled;
IPsecPolicySet {
	HomeAgentAddress 3ffe:2620:6:1::1;
	HomeAddress 3ffe:2620:6:1::1234/64;
	HomeAddress 3ffe:2620:6:1::1235/64;
	IPsecPolicy HomeRegBinding UseESP;
	IPsecPolicy TunnelMh UseESP;
}

NodeConfig MN;
DoRouteOptimizationCN enabled;
DoRouteOptimizationMN enabled;
UseCnBuAck enabled;
MnHomeLink "eth0" {
	HomeAgentAddress 3ffe:2620:6:1::1;
	HomeAddress 3ffe:2620:6:1::1234/64;
	# address opt.
	#MnRoPolicy 3ffe:2060:6:1::3 enabled;
	#MnRoPolicy disabled;
}
UseMnHaIPsec enabled;
IPsecPolicySet {
	HomeAgentAddress 3ffe:2620:6:1::1;
	HomeAddress 3ffe:2620:6:1::1234/64;
	IPsecPolicy HomeRegBinding UseESP;
	IPsecPolicy TunnelMh UseESP;
}
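
The following is an added example, not part of the original manual page or of the MIPL/UMIP sources: a Python check that parses the syntax described above (';'-terminated statements, '{ }' sub-sections, '#' comments, include without ';') and reports settings that weaken registration or MN-HA signalling protection. It assumes the defaults stated on this page, mapped to the option names used in EXAMPLES (NodeConfig CN, UseMnHaIPsec enabled, DefaultBindingAclPolicy allow); the function names parse and audit and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample (not from a real host): an HA config with no ACL default set.
SAMPLE = '''
NodeConfig HA;
Interface "eth0";
BindingAclPolicy 3ffe:2620:6:1::1235 allow;
UseMnHaIPsec disabled;   # signalling left unprotected
'''

def parse(text):
    """Return statements as (keyword, args, sub_statements_or_None) tuples."""
    toks = re.findall(r'"[^"]*"|\([^)]*\)|[{};]|[^\s{};]+', re.sub(r'#.*', '', text))
    it = iter(toks)                       # shared by nested calls to body()
    def body(closing):
        stmts, cur = [], []
        for t in it:
            if t == closing:
                break
            if t == '{' and cur:          # sub-section: recurse until '}'
                stmts.append((cur[0], cur[1:], body('}'))); cur = []
            elif t == ';':
                if cur:
                    stmts.append((cur[0], cur[1:], None))
                cur = []
            elif t != '{':
                cur.append(t)
                if cur[0] == 'include' and len(cur) == 2:   # include takes no ';'
                    stmts.append(('include', cur[1:], None)); cur = []
        return stmts
    return body(None)

def audit(text):
    """Return (option, message) findings, applying the defaults this page states."""
    top = {}
    for kw, args, blk in parse(text):
        top.setdefault(kw, []).append((args, blk))
    value = lambda kw, default: top[kw][-1][0][0] if kw in top else default
    mode, ipsec = value('NodeConfig', 'CN'), value('UseMnHaIPsec', 'enabled')
    out = []
    if mode in ('HA', 'MN') and ipsec == 'disabled':
        out.append(('UseMnHaIPsec', 'MN-HA signalling is not protected by IPsec'))
    if mode in ('HA', 'MN') and ipsec == 'enabled' and not any(
            k == 'IPsecPolicy' for _, blk in top.get('IPsecPolicySet', []) for k, *_ in blk or []):
        out.append(('IPsecPolicySet', 'IPsec enabled but no IPsecPolicy entry found'))
    if mode == 'HA' and value('DefaultBindingAclPolicy', 'allow') == 'allow':
        out.append(('DefaultBindingAclPolicy', 'MNs without a BindingAclPolicy entry may register'))
    return out
```

Calling audit(SAMPLE) reports the disabled IPsec protection and the implicit allow default; included files are recorded by parse but not followed.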

SEE ALSO

mip6d(1), mipv6(7),

RFC3775: Mobility Support in IPv6,

RFC3776: Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents

January 31, 2006