
mipagent.conf(4)                 File Formats                 mipagent.conf(4)



NAME
       mipagent.conf - configuration file for Mobile IP mobility agent

SYNOPSIS
       /etc/inet/mipagent.conf

DESCRIPTION
       /etc/inet/mipagent.conf  is  the  configuration file used to initialize
       the Mobile IP mobility agent described in  mipagent(1M).  Three  sample
       configuration files are located in the /etc/inet directory:

            /etc/inet/mipagent.conf-sample

            /etc/inet/mipagent.conf.ha-sample

            /etc/inet/mipagent.conf.fa-sample


       Blank  lines  are  ignored. Lines beginning with the hash character (#)
       are treated as comments. Sections are denoted by identifiers in  brack-
       ets.  Each section can contain multiple attribute-value pairs. The syn-
       tax of an attribute-value pair is an identifier, followed by  an  equal
       sign (=), followed by a value.

       The  following sections and the following attribute-value pairs must be
       present in /etc/inet/mipagent.conf:

       [ General ]

           This section contains the Version attribute.

           Version

               Version is required. For the current release of  Mobile  IP  in
               Solaris,  Version must be 1. Consequently, the default value is
               1.





       [ Advertisements interface ]

           This section identifies the interfaces that serve as Mobile IP
           mobility agents. interface is the name of the advertising
           interface. An interface that is already configured when mipagent
           starts must be named explicitly in mipagent.conf for mipagent to
           advertise on it. The interface attribute has two components, a
           device name and a device number: interface=eri0 names device eri,
           device number 0. The device number can also be the special symbol
           *, which enables advertisements on interfaces that are configured
           after mipagent has started. For example, if eri0 and eri1 are
           named explicitly in mipagent.conf, advertisements on them follow
           that configuration; if eri* is present in an Advertisements
           section, * stands for the dynamic interfaces, that is, interfaces
           not already configured in mipagent.conf that are newly created on
           the system while mipagent is running. One or more of the following
           attribute-value pairs might be found in this section:


           AdvLifeTime

               Lifetime, in seconds, advertised in the ICMP  router  discovery
               portion  of  an  agent advertisement. See RFC 1256. The default
               value is 300.




           RegLifeTime

               Lifetime, in seconds, advertised in the mobility  extension  of
               an agent advertisement. The default value is 300.



           AdvFrequency

               The frequency at which agent advertisements are sent and at
               which entries are aged. This interval must be less than
               one-third of AdvLifeTime. The recommended value for
               AdvFrequency is 1 when AdvLimitUnsolicited is set to yes. The
               default value is 4.



           AdvInitCount

               The initial number of unsolicited advertisements which are sent
               when an interface first starts advertising. If  this  value  is
               set  to zero, no unsolicited advertisements are sent out on the
               interface. The default value is 1.



           AdvLimitUnsolicited

               Determines whether the interface performs limited or  unlimited
               unsolicited  agent advertisements. The agent always responds to
               the agent solicitations in both cases.


               yes      If the value is set to yes, then  the  interface  per-
                        forms  AdvInitCount  number  of advertisements when it
                        comes up and then it stops sending unsolicited  adver-
                        tisements.




               no       When the value is set to no, the interface performs
                        periodic and unlimited unsolicited advertisements.
                        The default value for AdvLimitUnsolicited is no.
                        When AdvLimitUnsolicited is set to the default value,
                        AdvInitCount is also set to its default value.



           HomeAgent

               Indicates  if  this  agent can act as a home agent. The default
               value is yes.



           ForeignAgent

               Indicates if this agent can act as a foreign agent. The default
               value is yes.



           registrationRequired

               Indicates whether or not registration with a foreign agent is
               required. If set to yes, then registration is required, even
               when using a co-located care-of address. The default value for
               this attribute is no, thus the advertisement does not set the
               "R" bit by default.



           PrefixFlags

               Enables the prefix length extension. The default value is yes.



           NAIExt

               Enables  the  Network  Access  Identifier  (NAI) extension. The
               default value is yes.



           ReverseTunnel

               Indicates if this interface supports reverse tunneling as spec-
               ified in RFC 3024. ReverseTunnel can contain one of the follow-
               ing values:


               no or neither   Indicates  this  interface  does  not   support
                               reverse tunneling.




               FA              Indicates   only  the  foreign  agent  supports
                               reverse tunneling.



               HA              Indicates only the home agent supports  reverse
                               tunneling.



               yes or both     Indicates  that  both  foreign  and home agents
                               support reverse tunneling as specified  in  RFC
                               3024.


               The default value for ReverseTunnel is no.


           ReverseTunnelRequired

               Indicates  if  this interface will require reverse tunneling as
               specified in RFC 3024. ReverseTunnelRequired can contain one of
               the following values:


               no or neither   Indicates   this  interface  will  not  require
                               reverse tunneling.




               FA              Indicates only the foreign agent will require a
                               reverse tunnel.



               HA              Indicates  only  the  home agent will require a
                               reverse tunnel.



               yes or both     Indicates that both  foreign  and  home  agents
                               will require a reverse tunnel.


           The default value for ReverseTunnelRequired is no.


       [ GlobalSecurityParameters ]

           This section defines the global security parameters that will be
           used to authenticate mobile nodes. MN-HA authentication is always
           enabled. This section may contain one or more of the following
           attribute-value pairs:


           Challenge               Enables the foreign agent challenge  exten-
                                   sion. The default value is no.




           HA-FAAuth               Enables  home agent - foreign agent authen-
                                   tication. The default value is yes.



           MN-FAAuth               Enables mobile node - foreign agent authen-
                                   tication. The default value is no.



           MaxClockSkew            The maximum allowable difference in clocks,
                                   in seconds, that will be tolerated. This is
                                   used  for  replay  protection.  The default
                                   value is 300.



           KeyDistribution         This  attribute  defines  where  keys   are
                                   found.  The  default  for  this  Version of
                                   Solaris Mobile IP software is files.



       [ SPI number ]

           These sections define multiple Security Parameter  Indices  (SPIs).
           One section is required for each security context. These SPI values
           are used in the Address section to define the security used  for  a
           particular  mobile node or agent. In this section, both the Key and
           ReplayMethod attributes must be present.


           Key             The hexadecimal representation of the key used  for
                           authentication.




           ReplayMethod    The  replay  method. Possible values are timestamps
                           or none.



       [ Pool number ]

           These sections define address pools  for  dynamically  assigned  IP
           addresses. The Start and Length attributes both must be present.


           Start           The beginning range of the IP address from which to
                           allocate an IP address in dotted quad notation.




           Length          The length of the IP address range.



       [ Address NAI | IPaddr | node-default ]

           This section defines the security policy used  for  each  host  for
           which  an NAI or IP address is specified in the section header. The
           keyword node-default is used to create a single entry that  can  be
           used  by  any  mobile  node that has the correct SPI and associated
           keying information. This section specifies the SPI, and in the case
           of mobile nodes, pool numbers for NAI addresses.


           Type            Indicates  whether  the  address  entry specifies a
                           mobile node or a mobility agent.




           SPI             The SPI used for this Address.



           Pool            The Pool used for this NAI address. The  Pool  key-
                           word may only be present if the Type operand is set
                           to mobile node.


           The following entries are valid only for Address sections where
           Type = agent:


           IPsecRequest            The IPsec policies to add to the global
                                   IPsec policy file so as to be enforced for
                                   Registration Requests to and from this
                                   mobility agent peer. These are the IPsec
                                   properties which foreign agents apply, and
                                   which home agents permit.



           IPsecReply              The IPsec policies to add to the global
                                   IPsec policy file so as to be enforced for
                                   Registration Replies to and from this
                                   mobility agent peer. These are the IPsec
                                   properties which home agents apply, and
                                   which foreign agents permit.



           IPsecTunnel             The IPsec policies to enforce on all tunnel
                                   traffic with this mobility agent peer.
                                   These are the IPsec properties which home
                                   agents apply, and which foreign agents
                                   permit.


           Mobility agents can be functioning as home agents for some mobile
           nodes, and as foreign agents for others. To allow for different
           policy configurations as both a home agent for some mobile nodes,
           and as a foreign agent for other mobile nodes all using the same
           mobility agent peer, apply and permit policies need to be specified
           for the same entry. This is achieved by using a colon (:) to
           separate the IPsec policies. For example:


           IPsecRequest apply {properties} : permit {properties}

           This configuration for IPsecRequest could indicate a set of
           properties that are to be applied when sending registration
           requests, and a different property to enforce when receiving
           registration requests in a session with the same mobility agent
           peer.
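       As an added example (not part of the Solaris manual or the mipagent
       software), the following Python parser and linter checks a
       mipagent.conf against the rules stated in DESCRIPTION: the section and
       attribute-value syntax, Version = 1, AdvFrequency below one-third of
       AdvLifeTime, Key and ReplayMethod in every SPI section, SPI references
       and the Type/Pool and Type/IPsec coupling in Address sections, and the
       apply : permit split. It also flags ReplayMethod = none and
       HA-FAAuth = no, which leave a security context without replay
       protection or the agents without mutual authentication. Function
       names, messages and the file argument are assumptions.

```python
import re

SECTION_RE = re.compile(r"^\[\s*(\S+)(?:\s+(.*?))?\s*\]$")   # [ Name argument ]
HEX_KEY_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")             # key as whole bytes in hex
IPSEC_RE = re.compile(r"^(apply|permit)\s*\{[^{}]*\}$")       # one IPsec policy clause

def parse_mipagent_conf(text):
    """Parse mipagent.conf text into [(section, argument, {attr: value}), ...]."""
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):          # blank lines and comments are ignored
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2) or "", {})
            sections.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected '[ Section ]' or 'attr = value'")
        else:  # attribute names are lower-cased: the manual's own example mixes HomeAgent/homeagent
            attr, _, value = line.partition("=")
            current[2][attr.strip().lower()] = value.strip()
    return sections

def lint_mipagent_conf(text):
    """Return findings: rules the manual states, plus settings that weaken authentication."""
    sections = parse_mipagent_conf(text)
    spis = {arg for name, arg, _ in sections if name == "SPI"}
    out = []
    for name, arg, attrs in sections:
        where = f"[{name} {arg}]" if arg else f"[{name}]"
        if name == "General" and attrs.get("version") != "1":
            out.append(f"{where}: Version must be 1")
        elif name == "Advertisements":
            freq, life = int(attrs.get("advfrequency", 4)), int(attrs.get("advlifetime", 300))
            if 3 * freq >= life:
                out.append(f"{where}: AdvFrequency must be less than one-third of AdvLifeTime")
        elif name == "GlobalSecurityParameters" and attrs.get("ha-faauth", "yes") == "no":
            out.append(f"{where}: HA-FAAuth = no disables home agent - foreign agent authentication")
        elif name == "SPI":
            if not HEX_KEY_RE.match(attrs.get("key", "")):
                out.append(f"{where}: Key must be whole bytes in hexadecimal")
            if attrs.get("replaymethod") not in ("timestamps", "none"):
                out.append(f"{where}: ReplayMethod must be timestamps or none")
            elif attrs["replaymethod"] == "none":
                out.append(f"{where}: ReplayMethod = none leaves this SPI without replay protection")
        elif name == "Address":
            kind = attrs.get("type")
            if attrs.get("spi") not in spis:
                out.append(f"{where}: SPI {attrs.get('spi')} has no [ SPI ] section")
            if "pool" in attrs and kind != "node":
                out.append(f"{where}: Pool is only valid when Type = node")
            for key in (k for k in ("ipsecrequest", "ipsecreply", "ipsectunnel") if k in attrs):
                if kind != "agent":
                    out.append(f"{where}: {key} is only valid when Type = agent")
                # 'apply {...} : permit {...}' gives one clause per agent role; check each half
                elif not all(IPSEC_RE.match(p.strip()) for p in attrs[key].split(":")):
                    out.append(f"{where}: {key} needs 'apply {{...}}' and/or 'permit {{...}}' joined by ':'")
    return out

if __name__ == "__main__":            # usage: python mipagent_lint.py /etc/inet/mipagent.conf
    import sys
    with open(sys.argv[1]) as fh:
        print("\n".join(lint_mipagent_conf(fh.read())) or "no findings")
```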


EXAMPLES
       Example 1: Configuration for Providing Mobility Services on One  Inter-
       face

       The following example shows the configuration file for a mobility agent
       that provides mobility services on one interface (eri0).  The  mobility
       agent  acts  both  as  a  home agent as well as a foreign agent on that
       interface. It includes the prefix length  in  its  advertisements.  Its
       home  and  foreign  agent functions support reverse tunneling, but only
       the foreign agent requires that a reverse tunnel be configured.

       The mobility agent has IPsec relationships with two mobility agent
       peers: 192.168.10.1, with which it will be a foreign agent peer, and
       192.168.10.2, with which it will be a home agent peer.

       All registration request packets being sent to 192.168.10.1 will use
       md5 as the IPsec authentication algorithm, and all registration replies
       from 192.168.10.1 must be protected using md5 as the IPsec
       authentication algorithm. Should a tunnel be established with this
       mobility agent peer, all tunnel traffic must arrive using md5 as the
       encryption authentication algorithm, and must also be encrypted using
       triple-DES. If a reverse tunnel is configured, all reverse tunnel
       traffic will be sent using md5 as the encryption authentication
       algorithm, and will also be encrypted using triple-DES.

       Identically, all registration request packets being received from
       192.168.10.2 must be protected using md5 as the IPsec authentication
       algorithm, and all registration replies sent to 192.168.10.2 will use
       md5 as the IPsec authentication algorithm. Should a tunnel be
       established with 192.168.10.2, all tunnel traffic sent will be
       protected using md5 as the encryption authentication algorithm, and
       will also be encrypted using triple-DES. Should a reverse tunnel be
       configured as well, tunnel traffic must arrive secured with md5 as the
       encryption authentication algorithm, and must also have been encrypted
       using triple-DES as the encryption algorithm.

       Any registration or tunnel traffic that does not conform to these
       policies will be silently dropped by IPsec. Note that IPsec keys are
       managed through IPsec. See ipsec(7P).

       The mobility agent provides home agent services to three mobile nodes:
       192.168.10.17, 192.168.10.18, and the NAI address
       user@defaultdomain.com. The configuration file also indicates that it
       provides foreign agent service on any PPP interfaces that are
       dynamically created after the mipagent starts.

       With  the first mobile node, the agent uses an SPI of 257 (decimal) and
       a shared secret key that is six bytes long containing  alternate  bytes
       that  are  0  and 255 (decimal). For the second mobile node, the SPI is
       541 (decimal), the key is 10 bytes, and it contains the decimal  values
       11 through 20 in those bytes. The first mobile node uses no replay pro-
       tection, and the second uses timestamps. The third mobile node uses NAI
       and gets its address from Pool 1.

       The  mobile node will also need to be configured with the same security
       association that is specified in the home agent's configuration file.

       # start of file
       [ General ]
       Version = 1

       [ Advertisements eri0 ]
       AdvLifeTime = 200
       RegLifetime = 200
       AdvFrequency = 5
       AdvInitCount = 1
       AdvLimitUnsolicited = no
       AdvertiseOnBcast = yes
       HomeAgent = yes
       ForeignAgent = yes
       PrefixFlags = yes
       ReverseTunnel = both
       ReverseTunnelRequired = FA

       [ Advertisements hme1 ]
       ForeignAgent = yes
       HomeAgent = yes
       registrationRequired = yes

       # Advertisements over PPP interfaces that are created
       # while the mipagent is running. Note we are doing limited
       # unsolicited advertisements here.

       [Advertisements sppp*]
       homeagent = no
       foreignagent = yes
       PrefixFlags = 1
       reglifetime = 200
       advlifetime = 200
       advFrequency = 1
       advInitCount = 2
       advLimitUnsolicited = yes
       reverseTunnel = yes
       reverseTunnelReq = no

       [ GlobalSecurityParameters ]
       HA-FAAuth = no
       MN-FAAuth = no
       KeyDistribution = files

       [ SPI 257 ]
       Key = 00ff00ff00ff
       ReplayMethod = none

       [ SPI 541 ]
       Key = 0b0c0d0e0f1011121314
       ReplayMethod = timestamps

       [ Pool 1 ]
       Start = 192.168.167.1
       Length = 250


       [ Address 192.168.10.1 ]
           Type = agent
           SPI = 257
           IPsecRequest = apply {auth_algs md5 sa shared}
           IPsecReply = permit {auth_algs md5}
           IPsecTunnel = permit {encr_auth_algs md5 encr_algs 3des}

       [ Address 192.168.10.2 ]
           Type = agent
           SPI = 257
           IPsecRequest = permit {auth_algs md5}
           IPsecReply = apply {auth_algs md5 sa shared}
           IPsecTunnel = apply {encr_auth_algs md5 encr_algs 3des}

       [ Address 192.168.10.17 ]
            Type = node
            SPI = 257

       [ Address 192.168.10.18 ]
            Type = node
            SPI = 541


       [ Address user@defaultdomain.com ]
            Type = node
            SPI = 541
            Pool = 1


       [ Address node-default ]
            Type = node
            SPI = 541
            Pool = 1

       #end of file


FILES
       /etc/inet/mipagent.conf                 Configuration file  for  Mobile
                                               IP mobility agent



       /etc/inet/mipagent.conf-sample          Sample  configuration  file for
                                               mobility agents.



       /etc/inet/mipagent.conf.ha-sample       Sample configuration  file  for
                                               home agent functionality.



       /etc/inet/mipagent.conf.fa-sample       Sample  configuration  file for
                                               foreign agent functionality.



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       ATTRIBUTE TYPE                  ATTRIBUTE VALUE
       Availability                    SUNWmipr


SEE ALSO
       mipagent(1M), mipagentconfig(1M), attributes(5), ipsec(7P)

       Deering,  S., Editor. RFC 1256, ICMP Router Discovery Messages. Network
       Working Group. September 1991.

       Montenegro, G., editor. RFC 3024,  Reverse  Tunneling  for  Mobile  IP,
       revised. The Internet Society. January, 2001.

       Perkins,  C.,  Editor.  RFC  2002, IP Mobility Support. Network Working
       Group. October 1996.

NOTES
       The base Mobile IP protocol, RFC 2002, does not address the problem  of
       scalable  key distribution and treats key distribution as an orthogonal
       issue. The Solaris Mobile IP software utilizes manually configured keys
       only, specified in a configuration file.

       The  * symbol for the interface number determines only those interfaces
       that are newly configured while mipagent is running. Thus the symbol  *
       in  the  interface excludes any preconfigured interfaces in the system.
       Interfaces that are already configured in the system need to be specif-
       ically  mentioned  in the mipagent.conf file for advertisement on those
       interfaces.

       The AdvLimitUnsolicited parameter is useful when someone wants to limit
       unsolicited advertisements on the interface. Limited unsolicited agent
       advertisement is required for some wireless mobile IP usage.

       Note that IPsec protection requires keying information that depends  on
       the algorithms being used. IPsec manages its own keys, whether they are
       manually configured, or managed  with  some  other  mechanism  such  as
       Internet Key Exchange (IKE). See ipsec(7P).



SunOS 5.10                        18 Feb 2003                 mipagent.conf(4)