mipv6-daemon-1.0-1.fc18.i686.rpm

IPsec README for MIPL 2.0

Contents
========

	1. Introduction
	2. Limitation/Requirements
	3. How to Make IPsec Configuration
		3.1 HomeRegBinding
		3.2 MobPfxDisc
		3.3 TunnelHomeTesting
		3.4 TunnelMh
		3.5 TunnelPayload
	4. Manual Operation
		4.1. HA Operation
		4.2. MN Operation
	5. Automated Operation


1. Introduction
===============

Mobile IPv6 uses IPsec to protect the mobility signaling messages that
are exchanged between a mobile node (MN) and its home agent (HA).

In MIPL 2.0, mip6d manages the Security Policy (SP) entries required
for Mobile IPv6 operation by itself, while the Security Association
(SA) entries have to be provided by either (a) manual operation or (b)
automated operation (i.e., IKE).  Automated operation gives stronger
resiliency against replay attacks: manually keyed SAs are never
rekeyed and cannot safely use ESP anti-replay sequence numbers (the
counter cannot be resynchronised between the peers, e.g. after a
reboot), whereas IKE-managed SAs are rekeyed and replay-protected.
Manual keying is therefore only suitable for test beds.

The following is a summary of IPsec usage in MIPv6 operation as
specified in RFC 3775.  In MIPL 2.0, the IPsec configuration is given
in the configuration file of mip6d.

	+----------+---------------------+----------------+
	| Type     | IPsec protocol/mode | Requirement    |
	+==========+=====================+================+
	| BU/BA    | ESP/Transport       | Mandatory      |
	+----------+---------------------+----------------+
	| MPS/MPA  | ESP/Transport       | Recommended    |
	+----------+---------------------+----------------+
	| HoTI/HoT | ESP/Tunnel          | Recommended    |
	+----------+---------------------+----------------+
	| Payload  | ESP/Tunnel          | Optional       |
	+----------+---------------------+----------------+

A tunnel mode IPsec SA established between the MN and HA should hold
the end-point addresses of the tunnel, namely the care-of address
(CoA) of the MN and the HA's address as shown in the figure below.

                                          HA's
            +----+ CoA                    address +----+
            | MN |=========(IPsec tunnel)=========| HA |
            +----+                                +----+

When the MN is at a foreign link and has successfully completed the
home registration with its HA, the MN-side end-point address of the
IPsec tunnel is set to the MN's CoA.  When the MN is at home, the
MN-side end-point address is initialised with its home address (HoA).
mip6d performs this update of the tunnel SA end-points itself.


2. Limitation/Requirements
==========================

The following are limitations of MIPL 2.0 when IPsec is enabled.

Request ID (reqid) setting -- When several IPsec transport/tunnel mode
SPs are configured between the MN and HA (e.g. SP entries for BU/BA
and MPS/MPA), you need to add an identifier called reqid to both the
policies and the SAs so that the IPsec stack can maintain the correct
association between SP and SA entries.  Without distinct reqids the
stack may pick the wrong SA for a policy, and traffic is then dropped
or protected with the wrong keys.

IPsec tunnel mode and Route Optimization -- When an SP is set up so
that any payload packet (protocol unspecified) is to be protected by
an IPsec tunnel, route optimization cannot be performed between the MN
and its peer.


3. How to Make the IPsec Configuration
======================================

First of all, in order to activate IPsec the following line must be
included in the mip6d configuration file (mip6d.conf).

	UseMnHaIPsec enabled;

Next, an IPsecPolicySet clause needs to be configured.  An example of
IPsecPolicySet is given below.  Note that you need to specify the IP
addresses according to your home network configuration.  Each
IPsecPolicy option enables protection of a particular class of
Mobility Header (MH) messages.  The following is the list of options
for IPsecPolicy:

	HomeRegBinding
	MobPfxDisc
	TunnelHomeTesting
	TunnelMh
	TunnelPayload

Note that in order to enable IPsec tunnel for protecting MH messages,
any one of TunnelHomeTesting, TunnelMh, and TunnelPayload must be
specified.

One IPsecPolicySet clause can be defined per HA address when several
HA addresses are used.

	IPsecPolicySet {
		HomeAgentAddress 3ffe:501:ffff:100::feed;
		HomeAddress 3ffe:501:ffff:100::beef/64;

		IPsecPolicy HomeRegBinding UseESP 1 2;	  # BU/BA
		IPsecPolicy MobPfxDisc UseESP 3 4;	  # MPS/MPA
		IPsecPolicy TunnelHomeTesting UseESP 5 6; # HoTI/HoT
	}


3.1 HomeRegBinding
==================

This option enables protection of BU and BA messages in ESP transport
mode.  When this option is specified together with the MobPfxDisc
option (or a tunnel option), each policy needs its own pair of reqids,
one per direction ("1" for MN -> HA and "2" for HA -> MN in the
example below).

	IPsecPolicy HomeRegBinding UseESP 1 2;	  # BU/BA

3.2 MobPfxDisc
==============

This option enables protection of MPS and MPA messages in ESP
transport mode.  When this option is specified together with the
HomeRegBinding option, each policy needs its own pair of reqids, one
per direction ("3" for MN -> HA and "4" for HA -> MN in the example
below).

	IPsecPolicy MobPfxDisc UseESP 3 4;	  # MPS/MPA

3.3 TunnelHomeTesting
=====================

This option enables protection of HoTI and HoT messages in ESP tunnel
mode.  This configuration conforms to RFC 4877 in the sense that the
MH type is specified in the traffic selector of the SP entries, so
only HoTI/HoT are forced through the tunnel.  It is recommended to
enable this option for protecting HoTI and HoT messages.  When this
option is specified together with the HomeRegBinding option and/or the
MobPfxDisc option, each policy needs its own pair of reqids, one per
direction ("5" for MN -> HA and "6" for HA -> MN in the example
below).

	IPsecPolicy TunnelHomeTesting UseESP 5 6; # HoTI/HoT

3.4 TunnelMh
============

This option is EXPERIMENTAL.  Like TunnelHomeTesting it protects HoTI
and HoT messages in ESP tunnel mode, but the MH type is not specified
in the traffic selector of the SP entries, so the tunnel policy
matches every MH message exchanged via the home address.  As a
consequence the MN may fail to receive some MH messages sent from its
peer to the home address: MH messages that are sent in a route
optimized manner arrive directly at the CoA rather than through the
IPsec tunnel that the inbound policy requires, and are therefore
dropped.  When this option is specified together with the
HomeRegBinding option and/or the MobPfxDisc option, each policy needs
its own pair of reqids ("5" and "6" in the example below).

	IPsecPolicy TunnelMh UseESP 5 6;

3.5 TunnelPayload
=================

This option is EXPERIMENTAL.  It enables protection of all user
traffic, including MH messages, in ESP tunnel mode.  As with TunnelMh,
the MN may fail to receive some MH messages sent from its peer to the
home address, and, because every payload packet is forced through the
tunnel, route optimization cannot be used at all (see section 2).
When this option is specified together with the HomeRegBinding option
and/or the MobPfxDisc option, each policy needs its own pair of reqids
("5" and "6" in the example below).

	IPsecPolicy TunnelPayload UseESP 5 6;


4. Manual Operation
===================

After you have made the IPsec configuration of the MIPL 2.0 daemon,
you should prepare scripts to manually configure the SAs on both the
MN and the HA.  Below is an example of an input file for setkey that
manually configures the SAs.  The input file is loaded with "setkey -f
sa.conf", run with super-user privileges, and the same SAs (same SPIs,
reqids and keys) must be installed on both nodes.  For detailed
information on SA configuration, see the ipsec-tools documentation.

sa.conf example:
----------------
# 3ffe:501:ffff:100::beef is the home address (HoA) of the MN
# and 3ffe:501:ffff:100::feed is the address of the HA.
#
# The reqid (-u) of each SA must match the reqid given to the
# corresponding IPsecPolicy in mip6d.conf (UseESP 1 2, 3 4 and 5 6 in
# the example of section 3); the tunnel SAs need reqids too.  The keys
# below are placeholders for a test bed only: for any real deployment
# generate random keys of the required length (16 bytes for aes-cbc,
# 20 bytes for hmac-sha1) and use a different key for every SA.

# MN -> HA transport SA for BU
add 3ffe:501:ffff:100::beef 3ffe:501:ffff:100::feed esp 2000
	-u 1
	-m transport
	-E aes-cbc "TAHITEST_AES_KEY"
	-A hmac-sha1 "this is the test key" ;

# HA -> MN transport SA for BA
add 3ffe:501:ffff:100::feed 3ffe:501:ffff:100::beef esp 2001
	-u 2
	-m transport
	-E aes-cbc "TAHITEST_AES_KEY"
	-A hmac-sha1 "this is the test key" ;

# MN -> HA transport SA for MPS
add 3ffe:501:ffff:100::beef 3ffe:501:ffff:100::feed esp 2002
	-u 3
	-m transport
	-E aes-cbc "TAHITEST_AES_KEY"
	-A hmac-sha1 "this is the test key" ;

# HA -> MN transport SA for MPA
add 3ffe:501:ffff:100::feed 3ffe:501:ffff:100::beef esp 2003
	-u 4
	-m transport
	-E aes-cbc "TAHITEST_AES_KEY"
	-A hmac-sha1 "this is the test key" ;

# MN -> HA tunnel SA for HoTI (mip6d moves the MN-side end-point from
# the HoA to the CoA after home registration, see section 1)
add 3ffe:501:ffff:100::beef 3ffe:501:ffff:100::feed esp 2004
	-u 5
	-m tunnel
	-E aes-cbc "TAHITEST_AES_KEY"
	-A hmac-sha1 "this is the test key" ;

# HA -> MN tunnel SA for HoT
add 3ffe:501:ffff:100::feed 3ffe:501:ffff:100::beef esp 2005
	-u 6
	-m tunnel
	-E aes-cbc "TAHITEST_AES_KEY"
	-A hmac-sha1 "this is the test key" ;

4.1. HA Operation
=================

(1) make sure that you made the IPsec configuration in mip6d.conf properly
(2) manually configure SA with setkey
(3) run mip6d

4.2. MN Operation
=================

(1) make sure that you made the IPsec configuration in mip6d.conf properly
(2) manually configure SA with setkey
(3) run mip6d
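The following POSIX shell script is an added example; it is not part of
the MIPL 2.0 distribution or of this README.  It generates an sa.conf
for the six SAs of section 4 with fresh random keys (reqids matching the
IPsecPolicySet example of section 3), and it checks an sa.conf for the
mistakes section 2 warns about: an SA without a reqid, two SAs sharing
a reqid, duplicate SPIs, obsolete des-cbc, and keys of the wrong
length.  The addresses, SPIs and reqids are the README's example
values; the function names and the "generate" argument are this
example's own.

```shell
#!/bin/sh
# Added example (not MIPL code): generate and sanity-check a setkey
# input file for the MN/HA SA set described in this README.
set -eu

HOA="3ffe:501:ffff:100::beef"   # MN home address (README example value)
HA="3ffe:501:ffff:100::feed"    # HA address (README example value)

# hexkey BYTES: a random key as the 0x-prefixed hex string setkey accepts
hexkey() {
    printf '0x%s' "$(od -An -N "$1" -tx1 /dev/urandom | tr -d ' \n')"
}

# emit_sa SRC DST SPI REQID MODE: one SA entry with its own fresh keys
# (aes-cbc wants a 16-byte key, hmac-sha1 a 20-byte key)
emit_sa() {
    printf 'add %s %s esp %s\n\t-u %s\n\t-m %s\n\t-E aes-cbc %s\n\t-A hmac-sha1 %s ;\n\n' \
        "$1" "$2" "$3" "$4" "$5" "$(hexkey 16)" "$(hexkey 20)"
}

# gen_sa_conf: the whole SA set; reqids follow "UseESP 1 2", "3 4", "5 6"
gen_sa_conf() {
    emit_sa "$HOA" "$HA" 2000 1 transport   # MN -> HA  BU
    emit_sa "$HA" "$HOA" 2001 2 transport   # HA -> MN  BA
    emit_sa "$HOA" "$HA" 2002 3 transport   # MN -> HA  MPS
    emit_sa "$HA" "$HOA" 2003 4 transport   # HA -> MN  MPA
    emit_sa "$HOA" "$HA" 2004 5 tunnel      # MN -> HA  HoTI
    emit_sa "$HA" "$HOA" 2005 6 tunnel      # HA -> MN  HoT
}

# check_sa_conf FILE: exit 0 when every SA has a unique reqid and SPI,
# no SA uses des-cbc, and hex keys have the right length; otherwise
# print each problem and exit 1
check_sa_conf() {
    awk '
        BEGIN { bad = 0; nsa = 0; nu = 0 }
        /^add / {
            nsa++
            if ($5 in spi) { print "duplicate SPI " $5; bad = 1 }
            spi[$5] = 1
        }
        /^[ \t]*-u / {
            nu++
            if ($2 in reqid) { print "duplicate reqid " $2; bad = 1 }
            reqid[$2] = 1
        }
        /^[ \t]*-E des-cbc/ { print "des-cbc is obsolete, use aes-cbc"; bad = 1 }
        /^[ \t]*-E aes-cbc 0x/ {
            if (length($3) != 2 + 32) { print "aes-cbc key is not 16 bytes: " $3; bad = 1 }
        }
        /^[ \t]*-A hmac-sha1 0x/ {
            if (length($3) != 2 + 40) { print "hmac-sha1 key is not 20 bytes: " $3; bad = 1 }
        }
        END {
            if (nsa == 0) { print "no SA entries"; bad = 1 }
            if (nu != nsa) { print "reqid lines (" nu ") do not match SA entries (" nsa ")"; bad = 1 }
            exit bad
        }' "$1"
}

# Usage (as root, on both MN and HA, with the same generated file):
#   sh sa-gen.sh generate > sa.conf && sh sa-gen.sh check sa.conf && setkey -f sa.conf
case "${1:-}" in
    generate) gen_sa_conf ;;
    check)    check_sa_conf "$2" ;;
esac
```

Run the generator once and copy the resulting file to both nodes: the
SAs are symmetric, so the MN and HA must load identical SPIs, reqids
and keys.  The checker is deliberately strict about one reqid per SA,
which is what the doc's section 2 requires once more than one policy is
configured.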


5. Automated Operation
======================

In automated operation, SAs are automatically negotiated, rekeyed and
replaced by an Internet Key Exchange (IKE) daemon.  With regard to the
mip6d operation, there is nothing special to be done in automated
operation: mip6d still installs the SP entries and updates the tunnel
end-points, and the IKE daemon supplies the matching SAs.

However, at the time of writing there is no MIPv6-aware IKE daemon
publicly available.