Version: 1.1
Date: May 22nd, 2009
Author: Sebastien Decugis, Nautilus6 project
Support mailing-list: support@ml.nautilus6.org
Latest version always available at http://www.nautilus6.org/doc/dk-howto/Howto_dynamic_keying.html
2009.05.22 (1.1):
* Fix a bug in racoon2 configuration files (missing quote).
2007.09.26 (1.0):
* New gutsy repository.
* Patches are now online at http://www.nautilus6.org/~sdecugis/dynamic_keying/
* Updated build process.
* New script for managing the X509 certificates creation.
2007.08.13 (draft-1):
* Initial release.
Mobile IPv6 is a protocol that allows a node (called the Mobile Node, MN) to move its point of attachment to the IPv6 network (and therefore change its IPv6 address, called the Care-of Address, CoA) while remaining reachable at a constant IPv6 address (called its Home Address, HoA). The Home Address belongs to a network on which the router serving the prefix of the HoA plays a special role in the Mobile IPv6 protocol; that router is called the Home Agent (HA). Basically, when a packet reaches the Home Link while the mobile is in a foreign network (with a Care-of Address registered at the Home Agent), the Home Agent tunnels the packet to the Mobile Node. RFC3775 standardizes the Mobile IPv6 protocol.
The Mobile IPv6 protocol mandates the use of IPsec to protect some of the packet exchanges between the MN and the HA, and optionally protects other exchanges. RFC4877 explains how the IKEv2 protocol can be used to negotiate the Security Associations between the MN and the HA that protect Mobile IPv6 traffic.
The Internet draft draft-sugimoto-mip6-pfkey-migrate-03 gives more detail on how the Mobile IPv6 daemon and the IKEv2 daemon can exchange information. The solution described in this HowTo uses the MIGRATE and SADB_X_EXT_PACKET extensions as described in this draft.
The following components are involved:
$ pwd
/home/dk
$ git clone git://git.linux-ipv6.org/gitroot/nakam/linux-2.6-mip6
Initialized empty Git repository in /home/dk/linux-2.6-mip6/.git/
(...)
Since the repository is quite big, that operation will take a while.
$ cd linux-2.6-mip6
$ git checkout 91e704f7727
HEAD is now at 91e704f... [PATCH 2/3] [IPV6]: Do not send RH0 anymore.
At that point, we have the linux-2.6.22 source tree with the Mobile IPv6 patches applied.
$ wget http://www.nautilus6.org/~sdecugis/dynamic_keying/kernel/SADB_X_EXT_PACKET-linux-2.6-mip6-branch2.6.22.patch
We also need a workaround to avoid a kernel panic in some cases:
$ wget http://www.nautilus6.org/~sdecugis/dynamic_keying/kernel/kernel_panic_tunnel_payload_workaround.patch
Now, apply these patches on the tree:
$ cat *.patch | patch -p1
The next step is to configure this kernel. Here are a few configuration directives that you should make sure are set properly.
(in general)
CONFIG_LOCALVERSION="-mip6dk"
(in networking)
CONFIG_XFRM
CONFIG_XFRM_USER
CONFIG_XFRM_SUB_POLICY
CONFIG_XFRM_MIGRATE
CONFIG_NET_KEY
CONFIG_NET_KEY_MIGRATE
CONFIG_SADB_X_EXT_PACKET
CONFIG_IPV6
CONFIG_INET6_AH
CONFIG_INET6_ESP
CONFIG_IPV6_MIP6
CONFIG_INET6_XFRM_MODE_TRANSPORT
CONFIG_INET6_XFRM_MODE_TUNNEL
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION
CONFIG_IPV6_TUNNEL
CONFIG_IPV6_MULTIPLE_TABLES
CONFIG_IPV6_SUBTREES
(in Cryptographic API)
CONFIG_CRYPTO_HMAC
CONFIG_CRYPTO_XCBC
CONFIG_CRYPTO_NULL
CONFIG_CRYPTO_MD5
CONFIG_CRYPTO_SHA1
CONFIG_CRYPTO_SHA256
CONFIG_CRYPTO_SHA512
CONFIG_CRYPTO_ECB
CONFIG_CRYPTO_CBC
CONFIG_CRYPTO_DES
CONFIG_CRYPTO_AES
CONFIG_CRYPTO_AES_586
Then, make and install your kernel. On Ubuntu this can be done with:
$ make oldconfig
$ make
$ make modules
$ sudo make modules_install
$ sudo make install
$ sudo update-initramfs -c -k 2.6.22-mip6dk
Don't forget to edit your /boot/grub/menu.lst file to add an entry for your new kernel (or use the update-grub utility). Then reboot your machine into the new kernel.
$ cvs -d :pserver:anoncvs:anoncvs@anoncvs.racoon2.wide.ad.jp:/anoncvs/racoon2 co racoon2
$ cd racoon2
You will also need the set of patches implementing mobility support in racoon2. The patches were submitted to the racoon2-users mailing list in this post: http://www.racoon2.wide.ad.jp/ml/racoon2-users/200708/msg248.html. You can find a short explanation of each part of the patch there.
You can download the patches directly from the following URLs:
$ wget http://www.nautilus6.org/~sdecugis/dynamic_keying/racoon2/01_fix_transmit_response_addresses.patch
$ wget http://www.nautilus6.org/~sdecugis/dynamic_keying/racoon2/02_support_altcoa_in_ext-packet.patch
$ wget http://www.nautilus6.org/~sdecugis/dynamic_keying/racoon2/03_support_asymetrical_TS_for_MH.patch
$ wget http://www.nautilus6.org/~sdecugis/dynamic_keying/racoon2/04_support_external_spd_entries.patch
$ wget http://www.nautilus6.org/~sdecugis/dynamic_keying/racoon2/05_support_dynamic_conf_reload-lite.patch
$ wget http://www.nautilus6.org/~sdecugis/dynamic_keying/racoon2/06_fix_make_install.patch
Then patch your racoon2 source tree:
$ cat *.patch | patch -p1
Now you are ready to configure and compile racoon2.
$ ./configure --with-kernel-build-dir=/home/dk/linux-2.6-mip6 --enable-updateifaddr --prefix=/usr --sysconfdir=/etc/racoon2
$ make
$ sudo make install
Note that a sample configuration file is created in the /etc/racoon2/ directory. You will need to edit this file later.
$ wget ftp://ftp.linux-ipv6.org/pub/usagi/patch/mipv6/umip-0.4/daemon/tarball/mipv6-daemon-umip-0.4.tar.gz
Patches are not needed for the mip6d daemon. We provide some convenient features in the Nautilus6 package, such as the ability to split the configuration file (one part per mobile node, for example). You can retrieve our patches by using apt-get source.
$ tar zxf mipv6-daemon-umip-0.4.tar.gz
$ cd mipv6-daemon-umip-0.4
$ autoreconf -i
$ CPPFLAGS=-I/home/dk/linux-2.6-mip6/include ./configure --enable-vt --prefix=/usr --sysconfdir=/etc
$ make
$ sudo make install
The configuration file for this daemon is /etc/mip6d.conf. We will see in the next section how it must be configured.
CoA3 and CoA4 are the other possible points of attachment when the mobile node is not on the home link.
------------------------------------------------------------ uplink (to the Internet) prefix: 2001:DB8:0:1::/64
        |                     |                     |
        | 2001:DB8:0:1::3     | 2001:DB8:0:1::4     | 2001:DB8:0:1::1
       R3                    R4                    HA
        | 2001:DB8:0:3::/64   | 2001:DB8:0:4::/64   | 2001:DB8:0:2::1/64
      (CoA3)                (CoA4)                (HoA)
# mkdir /etc/openssl-ca
# cd /etc/openssl-ca
# wget http://www.nautilus6.org/~sdecugis/dynamic_keying/pki/Makefile
# wget http://www.nautilus6.org/~sdecugis/dynamic_keying/pki/openssl.cnf
You can get some help on the script by typing "make". We will now initialize our lite CA:
# make init CA_CN=dk-ha.mydomain.com CA_mail=ha-admin@mydomain.com
You can of course set the values as you want. This command creates a basic CA structure. We will use the CA certificate for the HA (for simplicity, but this should never be the case in real life), and now we generate another certificate for the MN:
# make newcsr name=mn.mydomain.com email=mn-user@mydomain.com
# make cert name=mn.mydomain.com
Now, you need to copy the MN's private key (/etc/openssl-ca/clients/privkeys/mn.mydomain.com.key.pem), its certificate (/etc/openssl-ca/clients/certs/mn.mydomain.com.cert), and the HA certificate (/etc/openssl-ca/public-www/cacert.pem) to the /etc/racoon2/certs folder on the MN.
# cd /etc/racoon2
# cp default.conf.sample default.conf
Create a new file racoon2.conf. Here is the (minimal) content:
interface {
ike { MY_IP; };
spmd { unix "/var/run/racoon2/spmif"; };
spmd_password "/etc/racoon2/spmd.pwd";
};
resolver {
resolver off;
};
include "/etc/racoon2/default.conf";
include "/etc/racoon2/ha.conf";
Then edit the default.conf file. Check that the default { remote { } } directive contains acceptable_kmp with at least ikev2. You can adjust the values for SA lifetimes, algorithms, and so on in this file if you need to.
Finally, create the file ha.conf. Here is a sample:
# Home Agent address: 2001:DB8:0:2::1
# MN Home address : 2001:DB8:0:2::2
remote MobileNode {
ikev2 {
my_id x509_subject "/etc/openssl-ca/public-www/cacert.pem";
peers_id x509_subject "/etc/openssl-ca/clients/certs/mn.mydomain.com.cert";
kmp_auth_method { rsasig; };
my_public_key x509pem
"/etc/openssl-ca/public-www/cacert.pem"
"/etc/openssl-ca/private/cakey.pem";
peers_public_key x509pem
"/etc/openssl-ca/clients/certs/mn.mydomain.com.cert"
"";
};
};
# Policy and selector for protecting the BU/BA messages for Home Registration.
policy HomeRegBinding {
remote_index MobileNode;
ipsec_mode transport;
action auto_ipsec;
ipsec_index { ipsec_esp; };
ipsec_level require;
peers_sa_ipaddr 2001:DB8:0:2::2;
my_sa_ipaddr 2001:DB8:0:2::1;
install off;
};
selector HomeRegBinding_out {
direction outbound;
dst 2001:DB8:0:2::2;
src 2001:DB8:0:2::1;
policy_index HomeRegBinding;
upper_layer_protocol 135 6 5;
reqid 201; # Note: you may choose whatever value you want but must be in sync with mip6d.conf and unique.
};
# Policy and selector for protecting the MPS/MPA messages for Mobile Prefix Discovery.
policy MobPfxDisc {
remote_index MobileNode;
ipsec_mode transport;
action auto_ipsec;
ipsec_index { ipsec_esp; };
ipsec_level require;
peers_sa_ipaddr 2001:DB8:0:2::2;
my_sa_ipaddr 2001:DB8:0:2::1;
install off;
};
selector MobPfxDisc_out {
direction outbound;
dst 2001:DB8:0:2::2;
src 2001:DB8:0:2::1;
policy_index MobPfxDisc;
upper_layer_protocol 135 93 92;
reqid 203;
};
# Tunnel all traffic between MN and HA when the MN is not at home.
policy TunnelPayload {
remote_index MobileNode;
ipsec_mode tunnel;
action auto_ipsec;
ipsec_index { ipsec_esp; };
ipsec_level require;
peers_sa_ipaddr 2001:DB8:0:2::2;
my_sa_ipaddr 2001:DB8:0:2::1;
install off;
};
selector TunnelPayload_out {
direction outbound;
dst 2001:DB8:0:2::2;
src 2001:DB8:0:2::1;
policy_index TunnelPayload;
reqid 205;
};
This is just an example configuration file showing how you can define different SAs for protecting different messages. You could define different IPsec parameters for each of these policies. In any case, don't forget to set the "reqid" to a value consistent with the mip6d.conf file, and to set the "install off;" flag in the policies that are meant to be used with mip6d. You don't need to define the "inbound" selectors because they will not be used (the SPD entries are installed by mip6d, not by racoon2).
If you later want racoon2 to be started automatically at system boot, some initialization scripts are provided in the /etc/racoon2/init.d directory. This is not documented in this HowTo.
You must create the /etc/mip6d.conf file (see man mip6d.conf for more information on the contents of this file). Here is an example of content for the Home Agent:
NodeConfig HA;
Interface eth0; # the interface that serves the Home Link
UseMnHaIPsec enabled;
KeyMngMobCapability enabled; # currently has no effect, but should be set.
IPsecPolicySet {
HomeAgentAddress 2001:DB8:0:2::1;
HomeAddress 2001:DB8:0:2::2/64;
IPsecPolicy HomeRegBinding UseESP 201; # the value must match reqid from racoon2 conf
IPsecPolicy MobPfxDisc UseESP 203;
IPsecPolicy TunnelPayload UseESP 205;
}
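The rule that each policy's "reqid" must match the mip6d.conf IPsecPolicy line, be unique, and carry "install off;" is easy to get wrong when editing two files by hand. The following checker is an added example written for this HowTo (it is not part of racoon2, mip6d or the Nautilus6 tools); the function names and the embedded config excerpts are constructed here, with one deliberate mistake so that the check fires. To verify real files, pass the contents of ha.conf and /etc/mip6d.conf to check().

```python
import re
# Constructed excerpts modelled on the ha.conf/mip6d.conf samples above: TunnelPayload is
# deliberately out of sync (reqid 205 vs 206) and its policy lacks "install off;".
RACOON2_CONF = """policy HomeRegBinding { ipsec_index { ipsec_esp; }; install off; };
selector HomeRegBinding_out { policy_index HomeRegBinding; reqid 201; };
policy TunnelPayload { ipsec_index { ipsec_esp; }; };
selector TunnelPayload_out { policy_index TunnelPayload; reqid 205; };
"""
MIP6D_CONF = """IPsecPolicySet {
    IPsecPolicy HomeRegBinding UseESP 201; # must match reqid from racoon2 conf
    IPsecPolicy TunnelPayload UseESP 206;
}
"""

def blocks(text):
    """Yield (kind, name, body) per policy/selector block, matching braces by depth."""
    text = re.sub(r"#.*", "", text)  # strip comments so a commented '{' cannot confuse us
    for m in re.finditer(r"\b(policy|selector)\s+(\w+)\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):  # nested 'ipsec_index { ... };' keeps depth > 0
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1]

def parse_racoon2(text):
    """Return ({policy: has 'install off'}, {policy: reqid of its selector})."""
    install_off, reqids = {}, {}
    for kind, name, body in blocks(text):
        if kind == "policy":
            install_off[name] = re.search(r"\binstall\s+off\s*;", body) is not None
        elif (m := re.search(r"\bpolicy_index\s+(\w+)\s*;.*?\breqid\s+(\d+)\s*;", body, re.S)):
            reqids[m[1]] = int(m[2])
    return install_off, reqids

def parse_mip6d(text):
    """Return {policy: reqid} from 'IPsecPolicy <name> UseESP <reqid>;' lines."""
    text = re.sub(r"#.*", "", text)
    return {m[1]: int(m[2]) for m in re.finditer(r"\bIPsecPolicy\s+(\w+)\s+\w+\s+(\d+)\s*;", text)}

def check(racoon2_text, mip6d_text):
    """List reqid mismatches, reused reqids and policies missing 'install off;'."""
    install_off, reqids = parse_racoon2(racoon2_text)
    mip6d, problems = parse_mip6d(mip6d_text), []
    for name, rid in reqids.items():
        if mip6d.get(name) != rid:
            problems.append(f"{name}: reqid {rid} in racoon2 but {mip6d.get(name)} in mip6d.conf")
        if not install_off.get(name, False):
            problems.append(f"{name}: policy lacks 'install off;'")
    dups = sorted({r for r in reqids.values() if list(reqids.values()).count(r) > 1})
    return problems + [f"reqid {r} is used by more than one selector" for r in dups]
```

Run the same check against the MN side as well, since the MN uses its own set of reqids (200, 202, 204 in the samples) which must match its own mip6d.conf.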
As for the Home Agent, you may want to adjust the values here. Note that the MN is the initiator of the IKEv2 exchanges, at least as far as transport-mode SAs are concerned, so the SA lifetime should be set carefully, since the MN should be the node that initiates the rekeying requests.
# Home Agent address: 2001:DB8:0:2::1
# MN Home address : 2001:DB8:0:2::2
remote HomeAgent {
ikev2 {
my_id x509_subject "/etc/racoon2/certs/mn.mydomain.com.cert";
peers_id x509_subject "/etc/racoon2/certs/cacert.pem";
kmp_auth_method { rsasig; };
my_public_key x509pem
"/etc/racoon2/certs/mn.mydomain.com.cert"
"/etc/racoon2/certs/mn.mydomain.com.key.pem";
peers_public_key x509pem
"/etc/racoon2/certs/cacert.pem"
"";
};
};
# Policy and selector for protecting the BU/BA messages for Home Registration.
policy HomeRegBinding {
remote_index HomeAgent;
ipsec_mode transport;
action auto_ipsec;
ipsec_index { ipsec_esp; };
ipsec_level require;
peers_sa_ipaddr 2001:DB8:0:2::1;
my_sa_ipaddr 2001:DB8:0:2::2;
install off;
};
selector HomeRegBinding_out {
direction outbound;
dst 2001:DB8:0:2::1;
src 2001:DB8:0:2::2;
policy_index HomeRegBinding;
upper_layer_protocol 135 5 6;
reqid 200; # Note: you may choose whatever value you want but must be in sync with mip6d.conf and unique.
};
# Policy and selector for protecting the MPS/MPA messages for Mobile Prefix Discovery.
policy MobPfxDisc {
remote_index HomeAgent;
ipsec_mode transport;
action auto_ipsec;
ipsec_index { ipsec_esp; };
ipsec_level require;
peers_sa_ipaddr 2001:DB8:0:2::1;
my_sa_ipaddr 2001:DB8:0:2::2;
install off;
};
selector MobPfxDisc_out {
direction outbound;
dst 2001:DB8:0:2::1;
src 2001:DB8:0:2::2;
policy_index MobPfxDisc;
upper_layer_protocol 135 92 93;
reqid 202;
};
# Tunnel all traffic between MN and HA when the MN is not at home.
policy TunnelPayload {
remote_index HomeAgent;
ipsec_mode tunnel;
action auto_ipsec;
ipsec_index { ipsec_esp; };
ipsec_level require;
peers_sa_ipaddr 2001:DB8:0:2::1;
my_sa_ipaddr 2001:DB8:0:2::2;
install off;
};
selector TunnelPayload_out {
direction outbound;
dst 2001:DB8:0:2::1;
src 2001:DB8:0:2::2;
policy_index TunnelPayload;
reqid 204;
};
NodeConfig MN;
DoRouteOptimizationMN disabled; # In case you want to use the TunnelPayload policy. Otherwise you must protect the HoTi/CoTi exchanges instead.
UseCnBuAck enabled;
MnDiscardHaParamProb enabled;
MnRouterProbes 1;
Interface "eth0";
MnHomeLink "eth0" {
HomeAddress 2001:DB8:0:2::2/64;
HomeAgentAddress 2001:DB8:0:2::1;
}
UseMnHaIPsec enabled;
KeyMngMobCapability enabled;
IPsecPolicySet {
HomeAddress 2001:DB8:0:2::2/64;
HomeAgentAddress 2001:DB8:0:2::1;
IPsecPolicy HomeRegBinding UseESP 200;
IPsecPolicy MobPfxDisc UseESP 202;
IPsecPolicy TunnelPayload UseESP 204;
}
# /usr/sbin/spmd -Fddd
# /usr/sbin/iked -Fddd
# /usr/sbin/mip6d -d 10
When you start your Mobile Node in a foreign network and capture packets on its interface, here is the exchange that you should see:
MN -> HA: IKE_SA_INIT
MN <- HA: IKE_SA_INIT
MN -> HA: IKE_AUTH
MN <- HA: IKE_AUTH
MN -> HA: ESP (spi#1, contains the BU message)
MN <- HA: ESP (spi#2, contains the BA)
MN -> HA: CREATE_CHILD_SA
MN <- HA: CREATE_CHILD_SA
MN -> HA: ESP (spi#3, contains MPS)
MN <- HA: ESP (spi#4, contains MPA)
Then, when an exchange is started between the MN and a correspondent, a new CREATE_CHILD_SA exchange is started, either by the MN (if the MN is initiating the exchange) or by the HA (if the correspondent is initiating the exchange), and the negotiated SA is used to protect all traffic between the MN and the HA.