-
Notifications
You must be signed in to change notification settings - Fork 2
/
README.IPsec
259 lines (199 loc) · 8.63 KB
/
README.IPsec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
IPsec README for MIPL 2.0
Contents
========
1. Introduction
2. Limitation/Requirements
3. How to Make IPsec Configuration
3.1 HomeRegBinding
3.2 MobPfxDisc
3.3 TunnelHomeTesting
3.4 TunnelMh
3.5 TunnelPayload
4. Manual Operation
4.1. HA Operation
4.2. MN Operation
5. Automated Operation
1. Introduction
===============
Mobile IPv6 uses IPsec to protect mobility signaling messages that are
exchanged between MN and HA.
In MIPL 2.0, mip6d manages the Security Policy (SP) entries required
for Mobile IPv6 operation by itself, while the Security Association
(SA) entries have to be provided by either (a) manual operation or (b)
automated operation (i.e., IKE). By automated operation, resiliency
against replay attack becomes stronger.
Following is a summary of IPsec usage in MIPv6 operation specified in
RFC 3775. In MIPL 2.0, configuration of IPsec is specified in
configuration file of mip6d.
+-------------------------------------------------+
| Type | IPsec protocol/mode | Requirements |
|=================================================|
| BU/BA | ESP/Transport | Mandatory |
|----------+---------------------+----------------|
| MPS/MPA | ESP/Transport | Recommended |
|----------+---------------------+----------------|
| HoTI/HoT | ESP/Tunnel | Recommended |
|----------+---------------------+----------------|
| Payload | ESP/Tunnel | Optional |
+-------------------------------------------------+
A tunnel mode IPsec SA established between the MN and HA should hold
the end-point addresses of the tunnel, namely the care-of address
(CoA) of the MN and the HA's address as shown in the figure below.
HA's
+----+ CoA address +----+
| MN |=========(IPsec tunnel)=========| HA |
+----+ +----+
When the MN is at a foreign link and successfully makes the home
registration to its HA, the IPsec tunnel end-point address should be
set as the MN's CoA. On the other hand, when the MN is at home, the
end-point address (MN side) should be initialized with its home
address (HoA).
2. Limitation/Requirements
==========================
The following are limitations of MIPL 2.0 when IPsec is enabled.
Request ID (reqid) setting -- When there are several IPsec
transport/tunnel mode SPs configured between the MN and HA, (e.g. SP
entries for BU/BA and MPS/MPA) you need to add an identifier called
reqid to both the policies and SAs to make sure that the IPsec stack
can properly maintain association between SP and SA entries.
IPsec tunnel mode and Route Optimization -- When the SP is set in a
way that any payload packet (protocol unspecified) is to be protected
by an IPsec tunnel, route optimization cannot be performed between the
MN and its peer.
3. How to Make the IPsec Configuration
======================================
First of all, in order to activate IPsec the following line should be
included in the configuration file.
UseMnHaIPsec enabled;
Next, IPsecPolicySet clause needs to be properly configured. The
following is an example of IPsecPolicySet. Note that you need to
specify IP addresses according to your home network configuration.
Each IPsecPolicy option enables protection of particular Mobility
Header (MH) messages. The following is the list of options for
IPsecPolicy:
HomeRegBinding
MobPfxDisc
TunnelHomeTesting
TunnelMh
TunnelPayload
Note that in order to enable IPsec tunnel for protecting MH messages,
any one of TunnelHomeTesting, TunnelMh, and TunnelPayload must be
specified.
Each IPsecPolicySet clause can be defined if several HA addresses are
used.
IPsecPolicySet {
HomeAgentAddress 3ffe:501:ffff:100::feed;
HomeAddress 3ffe:501:ffff:100::beef/64;
IPsecPolicy HomeRegBinding UseESP 1 2; # BU/BA
IPsecPolicy MobPfxDisc UseESP 3 4; # MPS/MPA
IPsecPolicy TunnelHomeTesting UseESP 5 6; # HoTI/HoT
}
3.1 HomeRegBinding
==================
This option enables protection of BU and BA messages in ESP transport
mode. When this option is specified along with MobPfxDisc option, a
pair of unique reqid should be specified ("1" and "2" in the example
below).
IPsecPolicy HomeRegBinding UseESP 1 2; # BU/BA
3.2 MobPfxDisc
==============
This option enables protection of MPS and MPA messages in ESP
transport mode. When this option is specified along with
HomeRegBinding option, a pair of unique reqid should be specified ("3"
and "4" in the example below).
IPsecPolicy MobPfxDisc UseESP 3 4; # MPS/MPA
3.3 TunnelHomeTesting
=====================
This options enables protection of HoTI and HoT messages in ESP tunnel
mode. Note that this configuration conforms to RFC 4877 in the sense
that MH type is specified in the traffic selector of SP entries. It
is recommended to enable this option for protecting HoTI and HoT
messages. When this option is specified along with the HomeRegBinding
option and/or the MobPfxDisc option, a pair of unique reqid should be
specified ("5" and "6" in the example below).
IPsecPolicy TunnelHomeTesting UseESP 5 6; # HoTI/HoT
3.4 TunnelMh
============
This option is EXPERIMENTAL. This option enables protection of HoTI
and HoT messages in ESP tunnel mode as similar to TunnelHomeTesting.
The difference is that MH type is not specified in the traffic
selector of SP entries. It should be noted that with this option, the
MN may fail to receive some MH messages sent from its peer to the home
address. More specifically, the MN would not be able to receive MH
messages that are sent in a route optimized manner. When this option
is specified along with the HomeRegBinding option and/or the
MobPfxDisc option, a pair of unique reqid should be specified ("5" and
"6" in the example below).
IPsecPolicy TunnelMh UseESP 5 6;
3.5 TunnelPayload
=================
This option is EXPERIMENTAL. This option enables protection of all
the user traffic including MH messages. It should be noted that the
MN may fail to receive some MH messages sent from its peer to the home
address. There are also some other potential issues. When this
option is specified along with the HomeRegBinding option and/or the
MobPfxDisc option, a pair of unique reqid should be specified ("5" and
"6" in the example below).
IPsecPolicy TunnelPayload UseESP 5 6;
4. Manual Operation
===================
After you make the IPsec configuration of the MIPL 2.0 daemon, you
should prepare scripts to manually configure the SAs on both the MN
and HA. Below is an example of an input file for setkey to manually
configure the SAs. The input file can be passed to setkey by "setkey
-f sa.conf" with super-user privileges. For detailed information of
SA configuration, see the ipsec-tools documentation.
sa.conf example:
----------------
# 3ffe:501:ffff:100::beef is home address of MN
# and 3ffe:501:ffff:100::feed is address of HA
# MN -> HA transport SA for BU
add 3ffe:501:ffff:100::beef 3ffe:501:ffff:100::feed esp 2000
-u 1
-m transport
-E des-cbc "TAHITEST"
-A hmac-sha1 "this is the test key" ;
# HA -> MN transport SA for BA
add 3ffe:501:ffff:100::feed 3ffe:501:ffff:100::beef esp 2001
-u 2
-m transport
-E des-cbc "TAHITEST"
-A hmac-sha1 "this is the test key" ;
# MN -> HA transport SA for MPS
add 3ffe:501:ffff:100::beef 3ffe:501:ffff:100::feed esp 2002
-u 3
-m transport
-E des-cbc "TAHITEST"
-A hmac-sha1 "this is the test key" ;
# HA -> MN transport SA for MPA
add 3ffe:501:ffff:100::feed 3ffe:501:ffff:100::beef esp 2003
-u 3
-m transport
-E des-cbc "TAHITEST"
-A hmac-sha1 "this is the test key" ;
# MN -> HA tunnel SA for HoTI
add 3ffe:501:ffff:100::beef 3ffe:501:ffff:100::feed esp 2004
-m tunnel
-E des-cbc "TAHITEST"
-A hmac-sha1 "this is the test key" ;
# HA -> MN tunnel SA for HoT
add 3ffe:501:ffff:100::feed 3ffe:501:ffff:100::beef esp 2005
-m tunnel
-E des-cbc "TAHITEST"
-A hmac-sha1 "this is the test key" ;
4.1. HA Operation
=================
(1) make sure that you made the IPsec configuration in mip6d.conf properly
(2) manually configure SA with setkey
(3) run mip6d
4.2. MN Operation
=================
(1) make sure that you made the IPsec configuration in mip6d.conf properly
(2) manually configure SA with setkey
(3) run mip6d
5. Automated Operation
======================
In automated operation, SAs are automatically managed by an Internet Key
Exchange (IKE) daemon. With regard to the mip6d operation, there is
nothing special to be done in automated operation.
However, there is no MIPv6-aware-IKE daemon publicly available yet.