mipagent.conf man page on SunOS


mipagent.conf(4)		 File Formats		      mipagent.conf(4)

NAME
       mipagent.conf - configuration file for Mobile IP mobility agent

SYNOPSIS
       /etc/inet/mipagent.conf

DESCRIPTION
       /etc/inet/mipagent.conf	is  the	 configuration file used to initialize
       the Mobile IP mobility agent described in  mipagent(1M).	 Three	sample
       configuration files are located in the /etc/inet directory:

	    /etc/inet/mipagent.conf-sample

	    /etc/inet/mipagent.conf.ha-sample

	    /etc/inet/mipagent.conf.fa-sample

       Blank  lines  are  ignored. Lines beginning with the hash character (#)
       are treated as comments. Sections are denoted by identifiers in	brack‐
       ets.  Each section can contain multiple attribute-value pairs. The syn‐
       tax of an attribute-value pair is an identifier, followed by  an	 equal
       sign (=), followed by a value.

       The  following sections and the following attribute-value pairs must be
       present in /etc/inet/mipagent.conf:

       [ General ]

	   This section contains the Version attribute.

	   Version

	       Version is required. For the current release of	Mobile	IP  in
	       Solaris,	 Version must be 1. Consequently, the default value is
	       1.

       [ Advertisements interface ]

	   This section identifies the interfaces that serve as Mobile IP
	   mobility agents. interface is the interface name of the advertising
	   interface. If the interface is already configured, the advertising
	   interface name must be specified in the mipagent.conf file. The
	   interface attribute has two components, a device name and a device
	   number; that is, interface=eri0 indicates that the device name is
	   eri and the device number is 0. The device number part of the
	   interface attribute can also be the special symbol *, which
	   indicates support for advertisements on interfaces that are
	   configured after mipagent has started. For example, if eri0 and
	   eri1 are defined specifically in the mipagent.conf file, then
	   advertisement is done based on that configuration. If eri* is
	   present in an Advertisements section, then * represents dynamic
	   interfaces, that is, those interfaces that are not already
	   configured in the mipagent.conf file and are newly created on the
	   system while mipagent is running. One or more of the following
	   attribute-value pairs might be found in this section:

	   AdvLifeTime

	       Lifetime, in seconds, advertised in the ICMP  router  discovery
	       portion	of  an	agent advertisement. See RFC 1256. The default
	       value is 300.

	   RegLifeTime

	       Lifetime, in seconds, advertised in the mobility	 extension  of
	       an agent advertisement. The default value is 300.

	   AdvFrequency

	       The frequency at which agent advertisements are sent and when
	       different entries are aged. This interval must be less than
	       one-third of AdvLifeTime. The recommended value for
	       AdvFrequency is 1 when AdvLimitUnsolicited is set to yes. The
	       default value is 4.

	   AdvInitCount

	       The initial number of unsolicited advertisements which are sent
	       when an interface first starts advertising. If  this  value  is
	       set  to zero, no unsolicited advertisements are sent out on the
	       interface. The default value is 1.

	   AdvLimitUnsolicited

	       Determines whether the interface performs limited or  unlimited
	       unsolicited  agent advertisements. The agent always responds to
	       the agent solicitations in both cases.

	       yes	If the value is set to yes, then  the  interface  per‐
			forms  AdvInitCount  number  of advertisements when it
			comes up and then it stops sending unsolicited	adver‐
			tisements.

	       no	When the value is set to no, the interface performs a
			periodic and unlimited number of unsolicited
			advertisements. The default value for
			AdvLimitUnsolicited is no. When AdvLimitUnsolicited is
			set to the default value, AdvInitCount is also set to
			its default value.

	   HomeAgent

	       Indicates  if  this  agent can act as a home agent. The default
	       value is yes.

	   ForeignAgent

	       Indicates if this agent can act as a foreign agent. The default
	       value is yes.

	   registrationRequired

	       Indicates  whether  or not registration with a foreign agent is
	       required. If set to yes, then registration  is  required,  even
	       when  using a co-located care-of-address. The default value for
	       this label is no, thus the advertisement flag does not set  the
	       "R" bit by default.

	   PrefixFlags

	       Enables the prefix length extension. The default value is yes.

	   NAIExt

	       Enables	the  Network  Access  Identifier  (NAI) extension. The
	       default value is yes.

	   ReverseTunnel

	       Indicates if this interface supports reverse tunneling as spec‐
	       ified in RFC 3024. ReverseTunnel can contain one of the follow‐
	       ing values:

	       no or neither   Indicates  this	interface  does	 not   support
			       reverse tunneling.

	       FA	       Indicates   only	 the  foreign  agent  supports
			       reverse tunneling.

	       HA	       Indicates only the home agent supports  reverse
			       tunneling.

	       yes or both     Indicates  that	both  foreign  and home agents
			       support reverse tunneling as specified  in  RFC
			       3024.

	       The default value for ReverseTunnel is no.

	   ReverseTunnelRequired

	       Indicates  if  this interface will require reverse tunneling as
	       specified in RFC 3024. ReverseTunnelRequired can contain one of
	       the following values:

	       no or neither   Indicates   this	 interface  will  not  require
			       reverse tunneling.

	       FA	       Indicates only the foreign agent will require a
			       reverse tunnel.

	       HA	       Indicates  only	the  home agent will require a
			       reverse tunnel.

	       yes or both     Indicates that both  foreign  and  home	agents
			       will require a reverse tunnel.

	   The default value for ReverseTunnelRequired is no.

       [ GlobalSecurityParameters ]

	   This section defines the global security parameters that will be
	   used to authenticate mobile nodes. MN-HA authentication is always
	   enabled. This section may contain one or more of the following
	   attribute-value pairs:

	   Challenge		   Enables the foreign agent challenge	exten‐
				   sion. The default value is no.

	   HA-FAAuth		   Enables  home agent - foreign agent authen‐
				   tication. The default value is yes.

	   MN-FAAuth		   Enables mobile node - foreign agent authen‐
				   tication. The default value is no.

	   MaxClockSkew		   The maximum allowable difference in clocks,
				   in seconds, that will be tolerated. This is
				   used	 for  replay  protection.  The default
				   value is 300.

	   KeyDistribution	   This attribute defines where keys are
				   found. The default for this version of
				   Solaris Mobile IP software is files.

       [ SPI number ]

	   These sections define multiple Security Parameter  Indices  (SPIs).
	   One section is required for each security context. These SPI values
	   are used in the Address section to define the security used	for  a
	   particular  mobile node or agent. In this section, both the Key and
	   ReplayMethod attributes must be present.

	   Key		   The hexadecimal representation of the key used  for
			   authentication.

	   ReplayMethod	   The	replay	method. Possible values are timestamps
			   or none.

       [ Pool number ]

	   These sections define address pools	for  dynamically  assigned  IP
	   addresses. The Start and Length attributes both must be present.

	   Start	   The beginning range of the IP address from which to
			   allocate an IP address in dotted quad notation.

	   Length	   The length of the IP address range.

       [ Address NAI | IPaddr |node-default ]

	   This section defines the security policy used  for  each  host  for
	   which  an NAI or IP address is specified in the section header. The
	   keyword node-default is used to create a single entry that  can  be
	   used	 by  any  mobile  node that has the correct SPI and associated
	   keying information. This section specifies the SPI, and in the case
	   of mobile nodes, pool numbers for NAI addresses.

	   Type		   Indicates  whether  the  address  entry specifies a
			   mobile node or a mobility agent.

	   SPI		   The SPI used for this Address.

	   Pool		   The Pool used for this NAI address. The  Pool  key‐
			   word may only be present if the Type operand is set
			   to mobile node.

	   The following entries are valid only for Address sections where
	   Type = agent:

	   IPsecRequest		   The IPsec policies to add to the global
				   IPsec policy file so as to be enforced for
				   Registration Requests to and from this
				   mobility agent peer. These are the IPsec
				   properties which foreign agents apply, and
				   which home agents permit.

	   IPsecReply		   The IPsec policies to add to the global
				   IPsec policy file so as to be enforced for
				   Registration Replies to and from this
				   mobility agent peer. These are the IPsec
				   properties which home agents apply, and
				   which foreign agents permit.

	   IPsecTunnel		   The IPsec policies to enforce on all tunnel
				   traffic with this mobility agent peer.
				   These are the IPsec properties which home
				   agents apply, and which foreign agents
				   permit.

	   Mobility agents can function as home agents for some mobile nodes
	   and as foreign agents for others. To allow for different policy
	   configurations as both a home agent for some mobile nodes and a
	   foreign agent for other mobile nodes, all using the same mobility
	   agent peer, apply and permit policies need to be specified for the
	   same entry. This is achieved by using a colon (:) to separate the
	   IPsec policies. For example:

	   IPsecRequest = apply {properties} : permit {properties}

	   This configuration for IPsecRequest could indicate a set of
	   properties that are to be applied when sending registration
	   requests, and a different property to enforce when receiving
	   registration requests in a session with the same mobility agent
	   peer.

EXAMPLES
       Example 1: Configuration for Providing Mobility Services on One	Inter‐
       face

       The following example shows the configuration file for a mobility agent
       that provides mobility services on one interface (eri0). The mobility
       agent acts as both a home agent and a foreign agent on that interface.
       It includes the prefix length in its advertisements. Its home and
       foreign agent functions support reverse tunneling, but only the foreign
       agent requires that a reverse tunnel be configured.

       The mobility agent has IPsec relationships with two mobility agent
       peers: 192.168.10.1, with which it will be a foreign agent peer, and
       192.168.10.2, with which it will be a home agent peer.

       All registration request packets being sent to 192.168.10.1 will use
       md5 as the IPsec authentication algorithm, and all registration replies
       from 192.168.10.1 must be protected using md5 as the IPsec
       authentication algorithm. Should a tunnel be established with this
       mobility agent peer, all tunnel traffic must arrive using md5 as an
       encryption authentication algorithm, and must also be encrypted using
       triple-DES. If a reverse tunnel is configured, all reverse tunnel
       traffic will be sent using md5 as the encryption authentication
       algorithm, and will also be encrypted using triple-DES.

       Identically, all registration request packets being received from
       192.168.10.2 must be protected using md5 as the IPsec authentication
       algorithm, and all registration replies sent to 192.168.10.2 will use
       md5 as the IPsec authentication algorithm. Should a tunnel be
       established with 192.168.10.2, all tunnel traffic sent will be
       protected using md5 as the encryption authentication algorithm, and
       will also be encrypted using triple-DES. Should a reverse tunnel be
       configured as well, tunnel traffic must arrive secured with md5 as the
       encryption authentication algorithm, and must also have been encrypted
       using triple-DES as the encryption algorithm.

       Any registration or tunnel traffic that does not conform to these
       policies will be silently dropped by IPsec. Note that IPsec keys are
       managed through IPsec. See ipsec(7P).

       The mobility agent provides home agent services to three mobile nodes:
       192.168.10.17, 192.168.10.18, and the NAI address
       user@defaultdomain.com. The configuration file also indicates that it
       provides foreign agent service on any PPP interfaces that are
       dynamically created after the mipagent starts.

       With  the first mobile node, the agent uses an SPI of 257 (decimal) and
       a shared secret key that is six bytes long containing  alternate	 bytes
       that  are  0  and 255 (decimal). For the second mobile node, the SPI is
       541 (decimal), the key is 10 bytes, and it contains the decimal	values
       11 through 20 in those bytes. The first mobile node uses no replay pro‐
       tection, and the second uses timestamps. The third mobile node uses NAI
       and gets its address from Pool 1.

       The  mobile node will also need to be configured with the same security
       association that is specified in the home agent's configuration file.

       # start of file
       [ General ]
       Version = 1

       [ Advertisements eri0 ]
       AdvLifeTime = 200
       RegLifetime = 200
       AdvFrequency = 5
       AdvInitCount = 1
       AdvLimitUnsolicited = no
       AdvertiseOnBcast = yes
       HomeAgent = yes
       ForeignAgent = yes
       PrefixFlags = yes
       ReverseTunnel = both
       ReverseTunnelRequired = FA

       [ Advertisements hme1 ]
       ForeignAgent = yes
       HomeAgent = yes
       registrationRequired = yes

       # Advertisements over PPP interfaces that are created
       # while the mipagent is running. Note we are doing limited
       # unsolicited advertisements here.

       [Advertisements sppp*]
       homeagent = no
       foreignagent = yes
       PrefixFlags = 1
       reglifetime = 200
       advlifetime = 200
       advFrequency = 1
       advInitCount = 2
       advLimitUnsolicited = yes
       reverseTunnel = yes
       reverseTunnelReq = no

       [ GlobalSecurityParameters ]
       HA-FAAuth = no
       MN-FAAuth = no
       KeyDistribution = files

       [ SPI 257 ]
       Key = 00ff00ff00ff
       ReplayMethod = none

       [ SPI 541 ]
       Key = 0b0c0d0e0f1011121314
       ReplayMethod = timestamps

       [ Pool 1 ]
       Start = 192.168.167.1
       Length = 250

       [ Address 192.168.10.1 ]
	   Type = agent
	   SPI = 257
	   IPsecRequest = apply {auth_algs md5 sa shared}
	   IPsecReply = permit {auth_algs md5}
	   IPsecTunnel = permit {encr_auth_algs md5 encr_algs 3des}

       [ Address 192.168.10.2 ]
	   Type = agent
	   SPI = 257
	   IPsecRequest = permit {auth_algs md5}
	   IPsecReply = apply {auth_algs md5 sa shared}
	   IPsecTunnel = apply {encr_auth_algs md5 encr_algs 3des}

       [ Address 192.168.10.17 ]
	    Type = node
	    SPI = 257

       [ Address 192.168.10.18 ]
	    Type = node
	    SPI = 541

       [ Address user@defaultdomain.com ]
	    Type = node
	    SPI = 541
	    Pool = 1

       [ Address node-default ]
	    Type = node
	    SPI = 541
	    Pool = 1

       #end of file
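
       The syntax rules in DESCRIPTION and the authentication settings used in
       the example above can be checked mechanically. The following Python
       code is an added example, not part of the Solaris software or of the
       original man page. parse() and audit() are hypothetical names,
       attribute names are compared case-insensitively (an assumption drawn
       from the mixed-case example), and the 16-byte key floor is this
       example's own threshold.

```python
import re

# Constructed sample: a shortened form of the configuration in EXAMPLES.
SAMPLE = """
[ General ]
Version = 1
[ GlobalSecurityParameters ]
HA-FAAuth = no
[ SPI 257 ]
Key = 00ff00ff00ff
ReplayMethod = none
[ SPI 541 ]
Key = 0b0c0d0e0f1011121314
ReplayMethod = timestamps
[ Address 192.168.10.17 ]
SPI = 257
[ Address node-default ]
SPI = 541
"""

def parse(text):
    """Parse per DESCRIPTION: '#' comments, [ Kind ident ] sections, attr = value."""
    sections, cur = {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[\s*([^\s\]]+)\s*(.*?)\s*\]", line)
        if m:  # section kinds and attribute names are lower-cased (assumption)
            cur = sections.setdefault((m.group(1).lower(), m.group(2)), {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            cur[key.strip().lower()] = value.strip()
        else:
            raise ValueError(f"line {n}: expected a section or attribute = value")
    return sections

def audit(sections):
    """Return (section, finding) pairs for authentication-related settings."""
    out = []
    spis = {ident: a for (kind, ident), a in sections.items() if kind == "spi"}
    for (kind, ident), a in sections.items():
        name = f"{kind} {ident}".strip()
        if kind == "globalsecurityparameters" and a.get("ha-faauth", "yes").lower() == "no":
            out.append((name, "HA-FAAuth disabled"))
        elif kind == "spi":
            nbytes = len(bytes.fromhex(a.get("key", "")))
            if nbytes < 16:  # 16-byte floor is this example's assumption, not the page's
                out.append((name, f"key is only {nbytes} bytes"))
        elif kind == "address":
            spi = spis.get(a.get("spi"))  # resolve the SPI this host is bound to
            if spi is None:
                out.append((name, "references an undefined SPI"))
            elif spi.get("replaymethod", "").lower() != "timestamps":
                out.append((name, "SPI has no timestamp replay protection"))
            if ident == "node-default":
                out.append((name, "any mobile node holding this SPI and key is accepted"))
    return out
```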

FILES
       /etc/inet/mipagent.conf		       Configuration file  for	Mobile
					       IP mobility agent

       /etc/inet/mipagent.conf-sample	       Sample  configuration  file for
					       mobility agents.

       /etc/inet/mipagent.conf.ha-sample       Sample configuration  file  for
					       home agent functionality.

       /etc/inet/mipagent.conf.fa-sample       Sample  configuration  file for
					       foreign agent functionality.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │SUNWmipr			   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       mipagent(1M), mipagentconfig(1M), attributes(5), ipsec(7P)

       Deering, S., Editor. RFC 1256, ICMP Router Discovery Messages.  Network
       Working Group. September 1991.

       Montenegro,  G.,	 editor.  RFC  3024,  Reverse Tunneling for Mobile IP,
       revised. The Internet Society. January, 2001.

       Perkins, C., Editor. RFC 2002, IP  Mobility  Support.  Network  Working
       Group. October 1996.

NOTES
       The  base Mobile IP protocol, RFC 2002, does not address the problem of
       scalable key distribution and treats key distribution as an  orthogonal
       issue. The Solaris Mobile IP software utilizes manually configured keys
       only, specified in a configuration file.

       The * symbol for the interface number determines only those  interfaces
       that  are newly configured while mipagent is running. Thus the symbol *
       in the interface excludes any preconfigured interfaces in  the  system.
       Interfaces that are already configured in the system need to be specif‐
       ically mentioned in the mipagent.conf file for advertisement  on	 those
       interfaces.

       The AdvLimitUnsolicited parameter is useful when someone wants to limit
       unsolicited advertisements on the interface. Limited unsolicited agent
       advertisement is required for some wireless mobile IP usage.

       Note  that IPsec protection requires keying information that depends on
       the algorithms being used. IPsec manages its own keys, whether they are
       manually	 configured,  or  managed  with	 some  other mechanism such as
       Internet Key Exchange (IKE). See ipsec(7P).

SunOS 5.10			  18 Feb 2003		      mipagent.conf(4)