Mobile IP Administration Guide

Configuration File Sections and Labels

The Mobile IP configuration file contains the following sections:

     General
     Advertisements
     GlobalSecurityParameters
     Pool
     SPI
     Address

The General and GlobalSecurityParameters sections contain information relevant to the operation of the Mobile IP agent and can appear only once in the configuration file.

General Section

The General section contains only one label: the version number of the configuration file. The General section has the following syntax:


[General]
     Version = 1.0

Advertisements Section

The Advertisements section contains the HomeAgent and ForeignAgent labels, as well as other labels. You must include a different Advertisements section for each interface on the local host that provides Mobile IP services. The Advertisements section has the following syntax:


[Advertisements Interface-name]
     HomeAgent = <yes/no>
     ForeignAgent = <yes/no>
     .
     .

Typically, your system has a single interface (le0, hme0, and so on) and supports both home agent and foreign agent operations. If this is the case, say for hme0, then the yes value is assigned to both the HomeAgent and ForeignAgent labels as follows:


[Advertisements hme0]
     HomeAgent = yes
     ForeignAgent = yes
     .
     .

The following table describes the labels and values that you can use in the Advertisements section.

Table 2-1 Advertisements Section Labels and Values

Label          Value       Description
HomeAgent      yes or no   Determines if mipagent provides home agent functionality.
ForeignAgent   yes or no   Determines if mipagent provides foreign agent functionality.
PrefixFlags    yes or no   Specifies if advertisements include the optional prefix length extension.
RegLifetime    n           The maximum lifetime value accepted in registration requests, in seconds.
AdvLifetime    n           The maximum length of time that the advertisement is considered valid in the absence of further advertisements, in seconds.
AdvFrequency   n           Time between two consecutive advertisements, in seconds.

GlobalSecurityParameters Section

The GlobalSecurityParameters section contains the MaxClockSkew, HA-FAauth, MN-FAauth, Challenge, and KeyDistribution labels. This section defines the security parameters. The GlobalSecurityParameters section has the following syntax:


[GlobalSecurityParameters]
     MaxClockSkew = n
     HA-FAauth = <yes/no>
     MN-FAauth = <yes/no>
     Challenge = <yes/no>
     KeyDistribution = files

The Mobile IP protocol provides message replay protection by allowing timestamps to be present in the messages. If the clocks of the home agent and the mobile node differ by more than the permitted skew, the home agent returns an error to the mobile node that contains the current time, and the mobile node can re-register using that time. You use the MaxClockSkew label to configure the maximum number of seconds by which the home agent's clock and the mobile node's clock may differ. The default value is 300 seconds.

The HA-FAauth and MN-FAauth labels enable or disable the requirement for home-foreign and mobile-foreign authentication, respectively. The default value is disabled. You use the Challenge label so that the foreign agent issues challenges to the mobile node in its advertisements. The label is used for replay protection. The default value is also disabled.
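The following simulation is an added example, not code from this guide or from mipagent. It shows the timestamp exchange the text describes: the home agent accepts a registration request only when the request's timestamp lies within MaxClockSkew seconds of the agent's own clock; otherwise it answers with an error that carries its current time, and the mobile node re-registers using that time. The message layout (plain dictionaries with a timestamp in seconds) and the function names are assumptions made for the demonstration; the 300-second default is the guide's.

```python
"""Simulation of the MaxClockSkew check described in the guide (added example;
message shapes and names are assumptions, not mipagent's wire format)."""

DEFAULT_MAX_CLOCK_SKEW = 300  # seconds; the guide's default for MaxClockSkew


def home_agent_check(request, agent_now, max_skew=DEFAULT_MAX_CLOCK_SKEW):
    """Return the home agent's reply to a registration request.

    request:   {"node": str, "timestamp": int}, timestamp in seconds
    agent_now: the home agent's own clock reading, in the same units
    """
    skew = abs(request["timestamp"] - agent_now)
    if skew > max_skew:
        # Reject, and report the agent's time so the node can re-register with it.
        return {"status": "error", "reason": "clock skew", "agent_time": agent_now}
    return {"status": "ok"}


def mobile_node_register(node, node_clock, agent_now, max_skew=DEFAULT_MAX_CLOCK_SKEW):
    """Register with the home agent, re-registering once with the agent's time
    if the first attempt is rejected for clock skew.

    Returns (final_reply, attempts) so the exchange can be inspected.
    """
    request = {"node": node, "timestamp": node_clock}
    reply = home_agent_check(request, agent_now, max_skew)
    attempts = 1
    if reply["status"] == "error" and reply["reason"] == "clock skew":
        # Second attempt: use the time the home agent reported.
        request = {"node": node, "timestamp": reply["agent_time"]}
        reply = home_agent_check(request, agent_now, max_skew)
        attempts = 2
    return reply, attempts


if __name__ == "__main__":
    # Constructed clocks: the node is 400 s behind the agent, beyond the 300 s default.
    print(mobile_node_register("mn1", node_clock=1000, agent_now=1400))
    # Within the window: accepted on the first attempt.
    print(mobile_node_register("mn1", node_clock=1000, agent_now=1200))
```

Lowering MaxClockSkew narrows the window in which a captured registration request stays usable, at the cost of more re-registrations on hosts whose clocks drift; the SPI section's ReplayMethod label (described later in this chapter) selects whether timestamps are used for a given security context at all.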

The following table describes the labels and values that you can use in the GlobalSecurityParameters section.

Table 2-2 GlobalSecurityParameters Section Labels and Values

Label             Value       Description
MaxClockSkew      n           The number of seconds that mipagent accepts as a difference between its own local time and the time found in registration requests.
HA-FAauth         yes or no   Specifies if HA-FA authentication extensions must be present in registration requests and replies.
MN-FAauth         yes or no   Specifies if MN-FA authentication extensions must be present in registration requests and replies.
Challenge         yes or no   Specifies if the foreign agent includes challenges in its mobility advertisements.
KeyDistribution   files       Must be set to files.

Pool Section

Mobile nodes can be assigned dynamic addresses by the home agent. The dynamic address assignment is done within the mipagent independently of DHCP. You can create an address pool that can be used by mobile nodes requesting a home address. Address pools are configured through the Pool section in the configuration file.

The Pool section contains the BaseAddress and Size labels. The Pool section has the following syntax:


[Pool Pool-identifier]
     BaseAddress = IP-address
     Size = size

Note -

If you use a Pool identifier, then it must also exist in the mobile node's Address section.


You use the Pool section to define address pools that can be assigned to the mobile nodes. You use the BaseAddress label to set the first IP address in the pool. You use the Size label to specify the number of addresses available in the pool.

For example, if IP addresses 192.168.1.1 through 192.168.1.100 are reserved in pool 10, the Pool section has the following entry:


[Pool 10]
     BaseAddress = 192.168.1.1
     Size = 100

Note -

Address ranges should not encompass the broadcast address. For example, you should not assign BaseAddress = 192.168.1.200 and Size = 60, because this range encompasses the broadcast address 192.168.1.255.


The following table describes the labels and values used in the Pool section.

Table 2-3 Pool Section Labels and Values

Label         Value     Description
BaseAddress   n.n.n.n   First address in the address pool.
Size          n         Number of addresses in the pool.

SPI Section

Because the Mobile IP protocol requires message authentication, you must identify the security context using a Security Parameter Index (SPI). You define the security context in the SPI section. You must include a different SPI section for each security context defined. A numerical ID identifies the security context. The Mobile IP protocol reserves the first 256 SPIs. Therefore, you should use only SPI values greater than 256. The SPI section contains security-related information, such as shared secrets and replay protection.

The SPI section also contains the ReplayMethod and Key labels. This section defines the security contexts. The SPI section has the following syntax:


[SPI SPI-identifier]
     ReplayMethod = <none/timestamps>
     Key = key

Two communicating peers must share the same SPI identifier. You must configure them with the same key and replay method. You specify the key as a string of hex digits. The maximum length is 16 bytes. For example, if the key is 16 bytes long, and contains the hex values 0 through f, the key string might look like:


Key = 0102030405060708090a0b0c0d0e0f10

Keys must have an even number of digits (corresponding to the two digits per byte representation).

The following table describes the labels and values that you can use in the SPI section.

Table 2-4 SPI Section Labels and Values

Label          Value                Description
ReplayMethod   none or timestamps   Specifies the type of replay authentication used for the SPI.
Key            x                    Authentication key in hexadecimal.

Address Section

The Solaris implementation of Mobile IP enables you to configure mobile nodes using one of three methods. Each method is configured in the Address section. The first method follows the traditional Mobile IP protocol, and requires that each mobile node have a home address. The second method enables a mobile node to be identified through its Network Access Identifier (NAI). The last method enables you to configure a default mobile node, which can be used by any mobile node that has the proper SPI value and related keying material.

Mobile Node With a Home Address

The Address section for a mobile node with a home address contains the Type and SPI labels that define the address type and SPI identifier. The Address section has the following syntax:


[Address address]
     Type = <agent/node>
     SPI = SPI-identifier

You must include an Address section in a home agent's configuration file for each mobile node supported. Mobile nodes have the Type label set to node.

If Mobile IP message authentication is required between the foreign and home agent, you must include an Address section for each peer with which an agent needs to communicate. Mobility agents have the Type label set to agent.

The SPI value that you configure must represent an SPI section that is present in the configuration file.

The following table describes the labels and values that you can use in the Address section for a mobile node with a home address.

Table 2-5 Address Section Labels and Values--Mobile Node With a Home Address

Label   Value           Description
Type    node or agent   Specifies that the entry is for a mobile node or a mobility agent.
SPI     n               Specifies the SPI value for the associated entry.

Mobile Node Identified by its NAI

The Address section for a mobile node identified by its NAI contains the Type, SPI, and Pool labels. The NAI parameter enables you to identify mobile nodes through their NAI. The Address section, using the NAI parameter, has the following syntax:


[Address NAI]
     Type = Node
     SPI = SPI-identifier
     Pool = Pool-identifier

In order to make use of pools, you identify mobile nodes through their NAI. The Address section permits you to configure an NAI, as opposed to a home address. An NAI uses the user@domain format. You use the Pool label to specify which address pool to use in order to allocate the home address to the mobile node.

The following table describes the labels and values that you can use in the Address section for a mobile node identified by its NAI.

Table 2-6 Address Section Labels and Values--Mobile Node Identified by its NAI

Label   Value   Description
Type    node    Specifies entry for a mobile node.
SPI     n       Specifies SPI value for the associated entry.
Pool    n       Allocates the pool from which an address is assigned to a mobile node.

You must have corresponding SPI and Pool sections for the SPI and Pool labels defined in an Address section with a mobile node identified by its NAI, as shown in the following illustration.

Figure 2-1 Corresponding SPI and Pool Sections for Address Section With Mobile Node Identified by its NAI

Default Mobile Node

The Address section for a default mobile node contains the Type, SPI, and Pool labels. The Default-Node parameter enables you to permit all mobile nodes to get service if they have the correct SPI (defined in this section). The Address section, using the Default-Node parameter, has the following syntax:


[Address Default-Node]
     Type = Node
     SPI = SPI-identifier
     Pool = Pool-identifier

The Default-Node enables you to reduce the size of the configuration file; otherwise, each mobile node requires its own section. However, the Default-Node does pose a security risk. Because every mobile node served by the Default-Node shares the same SPI and keying material, if a mobile node is no longer trusted for any reason, you need to update the security information on all trusted mobile nodes. This task can be very tedious. However, you can use the Default-Node in networks that consider security risks unimportant.

The following table describes the labels and values that you can use in the Address section for a default mobile node.

Table 2-7 Address Section Labels and Values--Default Mobile Node

Label   Value   Description
Type    node    Specifies entry for a mobile node.
SPI     n       Specifies SPI value for the associated entry.
Pool    n       Allocates the pool from which an address is assigned to a mobile node.

You must have corresponding SPI and Pool sections for the SPI and Pool labels defined in the Address section with a default mobile node, as shown in the following illustration.

Figure 2-2 Corresponding SPI and Pool Sections for Address Section With a Default Mobile Node
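The checker below is an added example, not code from this guide or from Solaris mipagent. It parses the [Section identifier] / Label = value layout described in this chapter and reports violations of the rules the chapter states for the Pool, SPI, and Address sections: General and GlobalSecurityParameters may appear only once, KeyDistribution must be files, SPI identifiers must be numeric and greater than 256, a Key must be an even number of hex digits of at most 16 bytes, a Pool must not include the broadcast address, and the SPI and Pool labels of an Address section must name sections that exist. Two things are assumptions: pools are checked against a /24 network (the guide's own broadcast example), and the Type value is compared case-insensitively because the chapter writes both Node and node. The two sample configurations are constructed for the demonstration; the NAI user@example.com is illustrative.

```python
"""Checker for the mipagent.conf layout in this chapter (added example, not
Solaris code). Rules checked: General and GlobalSecurityParameters at most once,
KeyDistribution = files, SPI identifiers numeric and greater than 256, Key an
even number of hex digits of at most 16 bytes, Pool not covering the broadcast
address (a /24 network is assumed), Address SPI/Pool labels naming real sections."""
import ipaddress
import re

SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]$")  # [Name] or [Name identifier]


def parse(text):
    """Return [(section, identifier_or_None, {label: value}), ...] in file order."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {}
            sections.append((m.group(1), m.group(2), current))
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {line!r}")
        else:
            label, _, value = line.partition("=")
            current[label.strip()] = value.strip()
    return sections


def validate(text, prefixlen=24):
    """Return a list of problem strings; an empty list means every check passed."""
    sections, problems = parse(text), []
    for name in ("General", "GlobalSecurityParameters"):
        n = sum(1 for s, _, _ in sections if s == name)
        if n > 1:
            problems.append(f"{name} section appears {n} times; it may appear only once")
    spis = {ident for s, ident, _ in sections if s == "SPI"}
    pools = {ident for s, ident, _ in sections if s == "Pool"}
    for name, ident, labels in sections:
        if name == "GlobalSecurityParameters":
            if labels.get("KeyDistribution") != "files":
                problems.append("KeyDistribution must be set to files")
        elif name == "SPI":
            if not (ident or "").isdigit():
                problems.append(f"SPI identifier {ident!r} is not numeric")
            elif int(ident) <= 256:  # the protocol reserves the first 256 SPIs
                problems.append(f"SPI {ident} is reserved; use a value greater than 256")
            key = labels.get("Key", "")
            if not key or len(key) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", key):
                problems.append(f"SPI {ident}: Key must be an even number of hex digits")
            elif len(key) // 2 > 16:
                problems.append(f"SPI {ident}: Key is longer than 16 bytes")
        elif name == "Pool":
            try:
                base = ipaddress.IPv4Address(labels["BaseAddress"])
                size = int(labels["Size"])
            except (KeyError, ValueError):
                problems.append(f"Pool {ident}: BaseAddress and a numeric Size are required")
                continue
            last = base + (size - 1)
            # Broadcast address of the enclosing network; the prefix length is an assumption.
            bcast = ipaddress.IPv4Network((str(base), prefixlen), strict=False).broadcast_address
            if base <= bcast <= last:
                problems.append(f"Pool {ident}: {base}-{last} includes broadcast address {bcast}")
        elif name == "Address":
            if labels.get("Type", "").lower() not in ("node", "agent"):
                problems.append(f"Address {ident}: Type must be node or agent")
            if labels.get("SPI") not in spis:
                problems.append(f"Address {ident}: SPI {labels.get('SPI')} has no SPI section")
            if "Pool" in labels and labels["Pool"] not in pools:
                problems.append(f"Address {ident}: Pool {labels['Pool']} has no Pool section")
    return problems


# Constructed samples: GOOD_CONF follows the chapter's rules, BAD_CONF breaks several.
GOOD_CONF = """[General]
     Version = 1.0
[GlobalSecurityParameters]
     KeyDistribution = files
[Pool 10]
     BaseAddress = 192.168.1.1
     Size = 100
[SPI 257]
     ReplayMethod = timestamps
     Key = 0102030405060708090a0b0c0d0e0f10
[Address user@example.com]
     Type = node
     SPI = 257
     Pool = 10
"""
BAD_CONF = """[GlobalSecurityParameters]
     MaxClockSkew = 300
[Pool 11]
     BaseAddress = 192.168.1.200
     Size = 60
[SPI 100]
     ReplayMethod = timestamps
     Key = 0102030
[Address 192.168.1.5]
     Type = node
     SPI = 999
"""

if __name__ == "__main__":
    print("good:", validate(GOOD_CONF) or "no problems")
    print("bad:", *validate(BAD_CONF), sep="\n  ")
```

Run against BAD_CONF, the checker reports the missing KeyDistribution, the pool that spills over 192.168.1.255 (the guide's own counter-example), the reserved SPI, the odd-length key, and the Address entry whose SPI has no section; GOOD_CONF produces an empty list. The parser ignores the continuation dots the guide uses in its syntax templates, so paste real sections, not the templates.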