[support] How to prevent routing header option from being used
Millar, Brian H.
brian.millar at ngc.com
Fri Oct 10 07:37:37 JST 2008
Romain,
I tried the suggestions you had below, but they resulted in the MR
complaining that the HA is unable to handle the binding.
I've tried a couple of different combinations of the code snippets below
and they all resulted in similar errors.
Also, I am running with the MCoA patches in, and did notice that some of
the code changes you suggested did include MCoA references.
I created the following patch, and tried to change both things you
suggested and also tried just your first suggestion.
Thanks
Brian
diff -Naur mipv6-daemon-umip-0.4/src/xfrm.c
mipv6-daemon-umip-0.4-ForceRevTun/src/xfrm.c
--- mipv6-daemon-umip-0.4/src/xfrm.c 2008-09-25 12:14:44.000000000
-0400
+++ mipv6-daemon-umip-0.4-ForceRevTun/src/xfrm.c 2008-10-08
08:29:21.000000000 -0400
@@ -1513,11 +1513,18 @@
struct xfrm_selector sel;
/* MN - CN case data out & in */
- create_rh_tmpl(&tmpl);
+/* ForceRevTun patch 10/8/2009
+* create_rh_tmpl(&tmpl);
+* set_selector(peer_addr, our_addr, 0, 0, 0, 0, &sel);
+* if (xfrm_mip_policy_add(&sel, replace, XFRM_POLICY_OUT,
XFRM_POLICY_ALLOW,
+* MIP6_PRIO_RO_BCE_DATA, &tmpl, 1))
+* return -1;
+ */
set_selector(peer_addr, our_addr, 0, 0, 0, 0, &sel);
if (xfrm_mip_policy_add(&sel, replace, XFRM_POLICY_OUT,
XFRM_POLICY_ALLOW,
- MIP6_PRIO_RO_BCE_DATA, &tmpl, 1))
+ MIP6_PRIO_RO_BCE_DATA, NULL, 1))
return -1;
+/* end ForceRevTun patch */
create_dstopt_tmpl(&tmpl, our_addr, peer_addr);
set_selector(our_addr, peer_addr, 0, 0, 0, 0, &sel);
return xfrm_mip_policy_add(&sel, replace, XFRM_POLICY_IN,
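Review bot: the replacement xfrm_mip_policy_add() call for the XFRM_POLICY_OUT rule passes "NULL, 1", a NULL template pointer together with a template count of 1, whereas the change suggested in the quoted reply and the second hunk of this same patch both pass "NULL, 0". Make the last two arguments "NULL, 0" so the count matches the absent template. The comment is also dated 10/8/2009 while the file timestamps and the other hunk say 2008, and the commented-out copy of the old code can simply be deleted, since the diff already records it.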
@@ -1994,17 +2001,21 @@
* for traffic from the MN/MR to the HA. Tunnel packets
* instead.
*/
- if(bule->home->reg_mcoa) {
- ret = xfrm_mip_policy_add(&sel, 1, XFRM_POLICY_OUT,
- XFRM_POLICY_ALLOW, prio,
- NULL, 0);
- } else {
- create_dstopt_tmpl(&tmpls[0], &bule->peer_addr,
&bule->hoa);
- ret = xfrm_mip_policy_add(&sel, 1, XFRM_POLICY_OUT,
- XFRM_POLICY_ALLOW, prio,
- tmpls, 1);
- }
-
+/* ForceRevTun patch 10/8/2008 */
+ ret = xfrm_mip_policy_add(&sel, 1, XFRM_POLICY_OUT,
+ XFRM_POLICY_ALLOW, prio,
+ NULL, 0);
+/* if(bule->home->reg_mcoa) {
+* ret = xfrm_mip_policy_add(&sel, 1, XFRM_POLICY_OUT,
+* XFRM_POLICY_ALLOW, prio,
+* NULL, 0);
+* } else {
+* create_dstopt_tmpl(&tmpls[0], &bule->peer_addr,
&bule->hoa);
+* ret = xfrm_mip_policy_add(&sel, 1, XFRM_POLICY_OUT,
+* XFRM_POLICY_ALLOW, prio,
+* tmpls, 1);
+* }
+* end ForceRevTun patch */
if (ret)
XDBG("failed to insert outbound policy\n");
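Review bot: the old if/else on bule->home->reg_mcoa is kept as a commented-out block under the new call; delete it instead of commenting it out, and keep the blank line before "if (ret)" that this hunk drops. With the else branch gone, create_dstopt_tmpl() is never called here, so the outbound policy is installed without a template for non-MCoA registrations too. If that is meant to stay, gate it on a configuration option rather than hard-coding it, and update the comment above the call to say the template is omitted in all cases.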
-----Original Message-----
From: support-bounces at ml.nautilus6.org
[mailto:support-bounces at ml.nautilus6.org] On Behalf Of Romain KUNTZ
Sent: Monday, September 29, 2008 5:26 AM
To: Support ML
Subject: Re: [support] How to prevent routing header option from being
used
Hi Brian,
On 2008/09/27, at 6:18, Millar, Brian H. wrote:
> Is it possible to configure the NEMOv6 (with MCoA) to always use
> reverse tunnels and never use the routing header on traffic from the
> HA to the MR?
>
> The situation we have is that if traffic is originated from the MR,
> its source IP is its Home Address, the return packets from the HA
> then, do not get put into the reverse tunnel.
>
> Instead, they get a packet with a routing header destined to the CoA
> of the MR, with the MR's Home Address as the option. (I think I have
> my terms correct)
>
Yes, when the MR/MN communicates with the HA, the specification allows
the use of home address options / routing header type 2, instead of
using the tunnel.
> Any ideas on how to prevent this from occurring?
>
> We've tried to figure out how to get all the IP packets from the MR to
> not be sourced from its Home Address, and use its local Mobile network
> address, but don't know how to force source IP address in the routes
> using the NEMO code.
>
At the moment there are no options to prevent this from occurring.
You'll have to modify the code but it's quite easy to do. The HoA option
and RHT2 are inserted via the XFRM framework. 2 XFRM rules are taking
care of that, you just need to remove them. I did it for the MCoA
implementation; to remove the HoA option just replace the following code
in xfrm.c/xfrm_post_ba_mod_bule():
- create_dstopt_tmpl(&tmpls[0], &bule->peer_addr, &bule->hoa);
- ret = xfrm_mip_policy_add(&sel, 1, XFRM_POLICY_OUT,
- XFRM_POLICY_ALLOW, prio, tmpls, 1);
+ ret = xfrm_mip_policy_add(&sel, 1, XFRM_POLICY_OUT,
+ XFRM_POLICY_ALLOW, prio,
+ NULL, 0);
You may also need to do the same for the RHT2 option, but it seems I did
not do it for MCoA (I don't remember the reason). I think you'll have to
modify xfrm.c/_xfrm_add_bce() as follows (not 100% sure for this one
though):
- create_rh_tmpl(&tmpl);
- set_selector(peer_addr, our_addr, 0, 0, 0, 0, &sel);
- if (xfrm_mip_policy_add(&sel, replace, XFRM_POLICY_OUT,
XFRM_POLICY_ALLOW,
- MIP6_PRIO_RO_BCE_DATA, &tmpl, 1))
- return -1;
+ set_selector(peer_addr, our_addr, 0, 0, 0, 0, &sel);
+ if (xfrm_mip_policy_add(&sel, replace, XFRM_POLICY_OUT,
XFRM_POLICY_ALLOW,
+ MIP6_PRIO_RO_BCE_DATA, NULL, 0))
+ return -1;
This should remove all HoA and RHT2 options for all data packets. You
may change the selector a bit in order to match only packets destined
to/originated from the HA.
Regards,
--
Romain KUNTZ
kuntz at lsiit.u-strasbg.fr
LSIIT - Networks and Protocols Team
http://clarinet.u-strasbg.fr/~kuntz/