mipagent.conf(4)
NAME
mipagent.conf - configuration file for Mobile IP mobility
agent
SYNOPSIS
/etc/inet/mipagent.conf
DESCRIPTION
/etc/inet/mipagent.conf is the configuration file used to
initialize the Mobile IP mobility agent described in
mipagent(1M). Three sample configuration files are located
in the /etc/inet directory:
o /etc/inet/mipagent.conf-sample
o /etc/inet/mipagent.conf.ha-sample
o /etc/inet/mipagent.conf.fa-sample
Blank lines are ignored. Lines beginning with the hash char-
acter (#) are treated as comments. Sections are denoted by
identifiers in brackets. Each section can contain multiple
attribute-value pairs. The syntax of an attribute-value pair
is an identifier, followed by an equal sign (=), followed by
a value.
The following sections and attribute-value pairs must be
present in /etc/inet/mipagent.conf:
[ General ]
This section contains the Version attribute.
Version
Version is required. For the current release of
Mobile IP in Solaris, Version must be 1. Conse-
quently, the default value is 1.
[ Advertisements interface ]
This section identifies the interfaces that will
serve as Mobile IP mobility agents. interface is the
name of the advertising interface. An interface that
is already configured on the system must be named
explicitly in mipagent.conf for mipagent to advertise
on it. The interface name has two components, a
device name and a device number; for example,
interface=le0 names device le, number 0. The device
number may also be the special symbol *, which
requests advertisement on interfaces of that device
type that are configured after mipagent has started.
For example, if le0 and le1 are named explicitly in
mipagent.conf, advertisements on those interfaces
follow their own sections. If an Advertisements le*
section is also present, the * matches only dynamic
interfaces, that is, le interfaces that are not
already configured in mipagent.conf and are newly
created on the system while mipagent is running. One
or more of the following attribute-value pairs may be
found in this section:
AdvLifeTime
Lifetime (in seconds) advertised in the ICMP
router discovery portion of an agent advertise-
ment. See RFC 1256. The default value is 300.
RegLifeTime
Lifetime (in seconds) advertised in the mobility
extension of an agent advertisement. The default
value is 300.
AdvFrequency
The interval (in seconds) at which agent adver-
tisements are sent and at which entries are aged.
This interval must be less than one-third of
AdvLifeTime. The recommended value for AdvFre-
quency is 1 when AdvLimitUnsolicited is set to
yes. The default value is 4.
AdvInitCount
The initial number of unsolicited advertisements
which are sent when an interface first starts
advertising. If this value is set to zero, no
unsolicited advertisements are sent out on the
interface. The default value is 1.
AdvLimitUnsolicited
Determines whether the interface performs lim-
ited or unlimited unsolicited agent advertise-
ments. The agent always responds to the agent
solicitations in both cases.
yes If the value is set to yes, then the
interface performs AdvInitCount number of
advertisements when it comes up and then
it stops sending unsolicited advertise-
ments.
no When the value is set to no, the interface
sends periodic, unlimited unsolicited adver-
tisements. The default value for AdvLimitUn-
solicited is no. When AdvLimitUnsolicited is
left at its default value, AdvInitCount also
keeps its default value.
HomeAgent
Indicates if this agent can act as a home agent.
The default value is yes.
ForeignAgent
Indicates if this agent can act as a foreign
agent. The default value is yes.
PrefixFlags
Enables the prefix length extension. The default
value is yes.
NAIExt
Enables the Network Access Identifier (NAI)
extension. The default value is yes.
ReverseTunnel
Indicates if this interface supports reverse
tunneling as specified in RFC 2344. ReverseTun-
nel can contain one of the following values:
no or neither
Indicates this interface does not support
reverse tunneling.
FA Indicates only the foreign agent supports
reverse tunneling.
HA Indicates only the home agent supports
reverse tunneling.
yes or both
Indicates that both foreign and home
agents support reverse tunneling as speci-
fied in RFC 2344.
The default value for ReverseTunnel is no.
ReverseTunnelRequired
Indicates if this interface will require reverse
tunneling as specified in RFC 2344. ReverseTun-
nelRequired can contain one of the following
values:
no or neither
Indicates this interface will not require
reverse tunneling.
FA Indicates only the foreign agent will
require a reverse tunnel.
HA Indicates only the home agent will require
a reverse tunnel.
yes or both
Indicates that both foreign and home
agents will require a reverse tunnel.
The default value for ReverseTunnelRequired is no.
[ GlobalSecurityParameters ]
This section defines the global security parameters
that will be used to authenticate mobile nodes. MN-HA
authentication is always enabled. This section may
contain one or more of the following attribute-value
pairs:
Challenge
Enables the foreign agent challenge extension.
The default value is no.
HA-FAAuth
Enables home agent - foreign agent authentica-
tion. The default value is yes.
MN-FAAuth
Enables mobile node - foreign agent authentica-
tion. The default value is no.
MaxClockSkew
The maximum allowable difference in clocks, in
seconds, that will be tolerated. This is used
for replay protection. The default value is 300.
KeyDistribution
This attribute defines where keys are found. The
default for this Version of Solaris Mobile IP
software is files.
[ SPI number ]
These sections define multiple Security Parameter
Indices (SPIs). One section is required for each secu-
rity context. These SPI values are used in the Address
section to define the security used for a particular
mobile node or agent. In this section, both the Key
and ReplayMethod attributes must be present.
Key The hexadecimal representation of the key used
for authentication.
ReplayMethod
The replay method. Possible values are times-
tamps or none.
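To show what the Key of an [SPI number] section, its ReplayMethod and the MaxClockSkew value are used for on the home-agent side, here is an added example in Python; it is not Solaris or mipagent code. The authenticator follows the default algorithm of RFC 2002, keyed MD5 in prefix+suffix mode over the registration message, all prior extensions, and the type, length and SPI of the authentication extension; this page does not itself name the algorithm, so that part is taken from the RFC. SPI_TABLE is constructed to mirror the two SPIs in the EXAMPLES section, registration_request builds a constructed RFC 2002 request for input, and ReplayState applies the MaxClockSkew window the page describes. The additional rule that each accepted Identification must exceed the previously accepted one for the same mobile node is a safeguard chosen for this example, not something the page states.

```python
import hashlib
import hmac
import struct
from typing import Dict

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
AUTH_EXT_TYPE = 32              # Mobile-Home Authentication Extension (RFC 2002)
AUTH_EXT_LEN = 20               # SPI (4 bytes) + keyed-MD5 authenticator (16 bytes)
MAX_CLOCK_SKEW = 300            # [GlobalSecurityParameters] MaxClockSkew default

# Security contexts as loaded from [SPI number] sections; constructed here
# to mirror the two SPIs in the EXAMPLES section of this page.
SPI_TABLE = {
    257: {"key": bytes.fromhex("00ff00ff00ff"), "replay": "none"},
    541: {"key": bytes.fromhex("0b0c0d0e0f1011121314"), "replay": "timestamps"},
}


def registration_request(home: str, ha: str, coa: str, identification: int,
                         lifetime: int = 200) -> bytes:
    """Constructed RFC 2002 Registration Request fixed part (type 1, flags 0)."""
    addrs = b"".join(bytes(map(int, a.split("."))) for a in (home, ha, coa))
    return struct.pack("!BBH", 1, 0, lifetime) + addrs + struct.pack("!Q", identification)


def keyed_md5(key: bytes, data: bytes) -> bytes:
    """RFC 2002 default authenticator: MD5 in prefix+suffix mode."""
    return hashlib.md5(key + data + key).digest()


def auth_extension(spi: int, message: bytes) -> bytes:
    """Build the MN-HA authentication extension for `message` under `spi`.

    `message` is the registration request or reply plus all prior extensions;
    the extension's own type, length and SPI are also covered by the digest.
    """
    header = struct.pack("!BBI", AUTH_EXT_TYPE, AUTH_EXT_LEN, spi)
    return header + keyed_md5(SPI_TABLE[spi]["key"], message + header)


def verify(message: bytes, ext: bytes) -> bool:
    """Return True if `ext` authenticates `message` under a configured SPI."""
    if len(ext) != 2 + AUTH_EXT_LEN:
        return False
    ext_type, ext_len, spi = struct.unpack("!BBI", ext[:6])
    ctx = SPI_TABLE.get(spi)
    if ext_type != AUTH_EXT_TYPE or ext_len != AUTH_EXT_LEN or ctx is None:
        return False
    expected = keyed_md5(ctx["key"], message + ext[:6])
    return hmac.compare_digest(expected, ext[6:])   # constant-time comparison


def ntp_seconds(unix_time: float) -> int:
    """Seconds since 1900, as carried in the high 32 bits of Identification."""
    return int(unix_time) + NTP_EPOCH_OFFSET


class ReplayState:
    """Home-agent side replay check driven by ReplayMethod and MaxClockSkew."""

    def __init__(self, skew: int = MAX_CLOCK_SKEW):
        self.skew = skew
        self.last: Dict[str, int] = {}   # mobile node -> last accepted Identification

    def accept(self, mn: str, spi: int, identification: int, now: float) -> bool:
        """Apply the SPI's ReplayMethod to a registration's 64-bit Identification."""
        if SPI_TABLE[spi]["replay"] == "none":
            return True                              # no replay protection configured
        ts = identification >> 32                    # high-order 32 bits: NTP seconds
        if abs(ts - ntp_seconds(now)) > self.skew:
            return False                             # outside the MaxClockSkew window
        if identification <= self.last.get(mn, -1):
            return False                             # replayed or out of order within window
        self.last[mn] = identification
        return True
```

A registration whose timestamp falls outside the MaxClockSkew window is rejected even when its authenticator is valid, which is why the page calls MaxClockSkew a replay-protection parameter; with ReplayMethod = none, as in the SPI 257 example, nothing stops a captured registration from being resubmitted.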
[ Pool number ]
These sections define address pools for dynamically
assigned IP addresses. The Start and Length attributes
both must be present.
Start The beginning range of the IP address from which
to allocate an IP address in dotted quad nota-
tion.
Length
The length of the IP address range.
[ Address NAI | IPaddr |node-default ]
This section defines the security policy used for each
host for which an NAI or IP address is specified in
the section header. The keyword node-default is used
to create a single entry that can be used by any
mobile node that has the correct SPI and associated
keying information. This section specifies the SPI,
and in the case of mobile nodes, pool numbers for NAI
addresses.
Type Indicates whether the address entry specifies a
mobile node or a mobility agent.
SPI The SPI used for this Address.
Pool The Pool used for this NAI address. The Pool
keyword may only be present if the Type operand
is set to mobile node.
The following entries are valid only for Address sections
where Type = agent:
IPsecRequest
The IPsec policies to add to the global IPsec
policy file so that they are enforced for Regis-
tration Requests to and from this mobility agent
peer. These are the IPsec properties which
foreign agents apply, and which home agents
permit.
IPsecReply
The IPsec policies to add to the global IPsec
policy file so that they are enforced for Regis-
tration Replies to and from this mobility agent
peer. These are the IPsec properties which home
agents apply, and which foreign agents permit.
IPsecTunnel
The IPsec policies to enforce on all tunnel
traffic with this mobility agent peer. These are
the IPsec properties which home agents apply,
and which foreign agents permit.
Mobility agents can function as home agents for some
mobile nodes and as foreign agents for others. To allow
different policy configurations as a home agent for some
mobile nodes and as a foreign agent for other mobile
nodes, all using the same mobility agent peer, apply and
permit policies need to be specified for the same entry.
This is achieved by using a colon (:) to separate the
IPsec policies. For example:
IPsecRequest = apply {properties} : permit {properties}
This configuration for IPsecRequest could indicate a
set of properties to apply when sending registration
requests, and a different set to enforce when
receiving registration requests, in a session with
the same mobility agent peer.
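The following parser and checker is an added example and is not part of the Solaris software or of this man page. It reads the file syntax described above (blank lines ignored, # comments, bracketed section headers, attribute = value pairs, with attribute names treated case-insensitively as the lower-case names in the EXAMPLES section suggest), splits apply {...} : permit {...} IPsec policies on the colon, and reports violations of the constraints stated in this DESCRIPTION: Version must be 1, AdvFrequency must be below one-third of AdvLifeTime, every [SPI] needs a hexadecimal Key and a ReplayMethod of timestamps or none, every [Pool] needs Start and Length, Pool is only valid for Type = node, and IPsec attributes only for Type = agent. The SAMPLE text embedded in it is constructed for the example and is not one of the shipped sample files.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

HEADER = re.compile(r"^\[\s*(\S+)(?:\s+(.+?))?\s*\]$")   # [ Name argument ]
POLICY = re.compile(r"(apply|permit)\s*\{([^}]*)\}")      # apply {properties}

# Constructed sample input for this example; not one of the shipped sample files.
SAMPLE = """\
[ General ]
Version = 1
[ Advertisements le0 ]
AdvLifeTime = 200
AdvFrequency = 5
[ SPI 257 ]
Key = 00ff00ff00ff
ReplayMethod = none
[ Pool 1 ]
Start = 192.168.167.1
Length = 250
[ Address 192.168.10.1 ]
Type = agent
SPI = 257
IPsecRequest = apply {auth_algs md5 sa shared} : permit {auth_algs md5}
[ Address user@example.com ]
Type = node
SPI = 257
Pool = 1
"""


def parse(text: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Return (name, argument, attributes) per section; attribute names lower-cased."""
    sections: List[Tuple[str, str, Dict[str, str]]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        m = HEADER.match(line)
        if m:
            sections.append((m.group(1), m.group(2) or "", {}))
            continue
        if "=" not in line or not sections:
            raise ValueError(f"line {lineno}: expected '[section]' or 'attr = value'")
        attr, _, value = line.partition("=")
        sections[-1][2][attr.strip().lower()] = value.strip()
    return sections


def parse_ipsec_policy(value: str) -> Dict[str, str]:
    """Split 'apply {...} : permit {...}' into {'apply': ..., 'permit': ...}."""
    policy: Dict[str, str] = {}
    for part in value.split(":"):
        m = POLICY.fullmatch(part.strip())
        if not m:
            raise ValueError(f"bad IPsec policy: {value!r}")
        policy[m.group(1)] = m.group(2).strip()
    return policy


def check(sections: List[Tuple[str, str, Dict[str, str]]]) -> List[str]:
    """Return the DESCRIPTION's constraints that the file violates (empty = OK)."""
    problems: List[str] = []
    by_name: Dict[str, list] = {}
    for name, arg, attrs in sections:
        by_name.setdefault(name.lower(), []).append((arg, attrs))
    general = by_name.get("general", [])
    if not general or general[0][1].get("version") != "1":
        problems.append("[General] Version must be present and equal 1")
    for arg, attrs in by_name.get("advertisements", []):
        life, freq = int(attrs.get("advlifetime", 300)), int(attrs.get("advfrequency", 4))
        if freq * 3 >= life:   # AdvFrequency must be less than one-third of AdvLifeTime
            problems.append(f"[Advertisements {arg}] AdvFrequency {freq} not below AdvLifeTime/3")
    spis = {arg for arg, _ in by_name.get("spi", [])}
    pools = {arg for arg, _ in by_name.get("pool", [])}
    for arg, attrs in by_name.get("spi", []):
        key = attrs.get("key", "")
        if not key or len(key) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", key):
            problems.append(f"[SPI {arg}] Key must be an even-length hex string")
        if attrs.get("replaymethod") not in ("timestamps", "none"):
            problems.append(f"[SPI {arg}] ReplayMethod must be timestamps or none")
    for arg, attrs in by_name.get("pool", []):
        try:
            ipaddress.IPv4Address(attrs["start"]), int(attrs["length"])
        except (KeyError, ValueError):
            problems.append(f"[Pool {arg}] needs Start (dotted quad) and Length")
    for arg, attrs in by_name.get("address", []):
        typ = attrs.get("type")
        if attrs.get("spi") not in spis:
            problems.append(f"[Address {arg}] SPI {attrs.get('spi')} has no [SPI] section")
        if "pool" in attrs and (typ != "node" or attrs["pool"] not in pools):
            problems.append(f"[Address {arg}] Pool needs Type = node and a matching [Pool] section")
        for ipsec in [k for k in attrs if k.startswith("ipsec")]:
            if typ != "agent":
                problems.append(f"[Address {arg}] {ipsec} is only valid when Type = agent")
            try:
                parse_ipsec_policy(attrs[ipsec])
            except ValueError as e:
                problems.append(f"[Address {arg}] {e}")
    return problems
```

Running check(parse(open("/etc/inet/mipagent.conf").read())) before restarting mipagent catches the mistakes that otherwise surface only as a silently ignored section or an agent that never advertises; an Address whose SPI has no [SPI] section is the one most worth catching, since it leaves that node or peer without a usable security context.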
EXAMPLES
Example 1: Configuration for Providing Mobility Services on
One Interface
The following example shows the configuration file for a
mobility agent that provides mobility services on one inter-
face (le0). The mobility agent acts both as a home agent as
well as a foreign agent on that interface. It includes the
prefix length in its advertisements. Its home and foreign
agent functions support reverse tunneling, but only the
foreign agent requires that a reverse tunnel be configured.
The mobility agent has IPsec relationships with two mobility
agent peers: 192.168.10.1, with which it will be a foreign-
agent peer, and 192.168.10.2, with which it will be a
home-agent peer.
All registration request packets being sent to 192.168.10.1
will use md5 as the IPsec authentication algorithm, and all
registration replies from 192.168.10.1 must be protected
using md5 as the IPsec authentication algorithm. Should a
tunnel be established with this mobility agent peer, all
tunnel traffic must arrive using md5 as an encryption
authentication algorithm, and must also be encrypted using
triple-DES. If a reverse tunnel is configured, all reverse
tunnel traffic will be sent using md5 as the encryption
authentication algorithm, and will also be encrypted using
triple-DES.
Identically, all registration request packets being
received from 192.168.10.2 must be protected using md5 as
the IPsec authentication algorithm, and all registration
replies sent to 192.168.10.2 will use md5 as the IPsec
authentication algorithm. Should a tunnel be established
with 192.168.10.2, all tunnel traffic sent will be protected
using md5 as the encryption authentication algorithm, and
will also be encrypted using triple-DES. Should a reverse
tunnel be configured as well, tunnel traffic must arrive
secured with md5 as the encryption authentication algorithm,
and must also have been encrypted using triple-DES as the
encryption algorithm.
Any registration or tunnel traffic that does not conform to
these policies will be silently dropped by IPsec. Because
this example sets HA-FAAuth = no, registration messages
exchanged with the two agent peers carry no Mobile IP HA-FA
authentication extension and are protected only by these
IPsec policies; MN-HA authentication remains in force for
the mobile nodes. Note that IPsec keys are managed by IPsec,
not in this file. See ipsec(7P).
The mobility agent provides home agent services to three
mobile nodes: 192.168.10.17, 192.168.10.18, and the NAI
address user@defaultdomain.com. The configuration file also
indicates that it provides foreign agent service on any PPP
interfaces that are dynamically created after the mipagent
starts.
With the first mobile node, the agent uses an SPI of 257
(decimal) and a shared secret key that is six bytes long
containing alternate bytes that are 0 and 255 (decimal). For
the second mobile node, the SPI is 541 (decimal), the key is
10 bytes, and it contains the decimal values 11 through 20
in those bytes. The first mobile node uses no replay protec-
tion, and the second uses timestamps. The third mobile node
uses NAI and gets its address from Pool 1.
The mobile node will also need to be configured with the
same security association that is specified in the home
agent's configuration file.
# start of file
[ General ]
Version = 1
[ Advertisements le0 ]
AdvLifeTime = 200
RegLifetime = 200
AdvFrequency = 5
AdvInitCount = 1
AdvLimitUnsolicited = no
AdvertiseOnBcast = yes
HomeAgent = yes
ForeignAgent = yes
PrefixFlags = yes
ReverseTunnel = both
ReverseTunnelRequired = FA
# Advertisements over PPP interfaces that are created
# while the mipagent is running. Note we are doing limited
# unsolicited advertisements here.
[Advertisements ppp*]
homeagent = no
foreignagent = yes
PrefixFlags = 1
reglifetime = 200
advlifetime = 200
advFrequency = 1
advInitCount = 2
advLimitUnsolicited = yes
reverseTunnel = yes
reverseTunnelRequired = no
[ GlobalSecurityParameters ]
HA-FAAuth = no
MN-FAAuth = no
KeyDistribution = files
[ SPI 257 ]
Key = 00ff00ff00ff
ReplayMethod = none
[ SPI 541 ]
Key = 0b0c0d0e0f1011121314
ReplayMethod = timestamps
[ Pool 1 ]
Start = 192.168.167.1
Length = 250
[ Address 192.168.10.1 ]
Type = agent
SPI = 257
IPsecRequest = apply {auth_algs md5 sa shared}
IPsecReply = permit {auth_algs md5}
IPsecTunnel = permit {encr_auth_algs md5 encr_algs 3des}
[ Address 192.168.10.2 ]
Type = agent
SPI = 257
IPsecRequest = permit {auth_algs md5}
IPsecReply = apply {auth_algs md5 sa shared}
IPsecTunnel = apply {encr_auth_algs md5 encr_algs 3des}
[ Address 192.168.10.17 ]
Type = node
SPI = 257
[ Address 192.168.10.18 ]
Type = node
SPI = 541
[ Address user@defaultdomain.com ]
Type = node
SPI = 541
Pool = 1
[ Address node-default ]
Type = node
SPI = 541
Pool = 1
#end of file
FILES
/etc/inet/mipagent.conf
Configuration file for Mobile IP mobility agent
/etc/inet/mipagent.conf-sample
Sample configuration file for mobility agents.
/etc/inet/mipagent.conf.ha-sample
Sample configuration file for home agent functional-
ity.
/etc/inet/mipagent.conf.fa-sample
Sample configuration file for foreign agent func-
tionality.
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWmipr |
|_____________________________|_____________________________|
SEE ALSO
mipagent(1M), mipagentconfig(1M), attributes(5), ipsec(7P)
Deering, S., Editor. RFC 1256, ICMP Router Discovery Mes-
sages. Network Working Group. September 1991.
Montenegro, G., Editor. RFC 2344, Reverse Tunneling For
Mobile IP. Network Working Group. May 1998.
Perkins, C., Editor. RFC 2002, IP Mobility Support. Network
Working Group. October 1996.
NOTES
The base Mobile IP protocol, RFC 2002, does not address the
problem of scalable key distribution and treats key distri-
bution as an orthogonal issue. The Solaris Mobile IP
software utilizes manually configured keys only, specified
in a configuration file.
The * symbol for the interface number matches only those
interfaces that are newly configured while mipagent is run-
ning. Thus the symbol * in the interface name excludes any
preconfigured interfaces on the system. Interfaces that are
already configured on the system must be named specifically
in the mipagent.conf file for advertisements to be sent on
those interfaces.
The AdvLimitUnsolicited parameter is useful when unsolicited
advertisements on an interface need to be limited. Limited
unsolicited agent advertisement is required for some
wireless Mobile IP usage.
Note that IPsec protection requires keying information that
depends on the algorithms being used. IPsec manages its own
keys, whether they are manually configured, or managed with
some other mechanism such as Internet Key Exchange (IKE).
See ipsec(7P).