[support] IPSec in NEMO BS with static keys
Georgopoulos, Panagiotis
panos at comp.lancs.ac.uk
Thu Aug 20 21:01:09 JST 2009
Hello Romain,
Thanks for your reply! Please see comments inline.
> -----Original Message-----
> From: Romain KUNTZ [mailto:kuntz at lsiit.u-strasbg.fr]
> Sent: 20 August 2009 10:33
> To: Georgopoulos, Panagiotis
> Cc: Support at jules.nautilus6.org
> Subject: Re: [support] IPSec in NEMO BS with static keys
>
> Hi Panos,
>
> I've never used IPsec tunnel mode to protect data from a mobile
> network, but here are some thoughts:
Has anyone on the list tried to use IPSec for a mobile network (basically
using umip+nepl)?
>
> On 2009/08/18, at 17:54, Georgopoulos, Panagiotis wrote:
> > I am experimenting with IPSec using static keys over
> > NEMO BS and I would like to use esp in transport mode for my BU and
> > BA and esp in tunnel mode for all the other traffic generated from
> > my Mobile Router (MR) and any other MN that is connected to its
> > access point.
> >
> > Currently traffic generated from my MR to the HA (and anything
> > beyond the HA) seems to be working fine. However, traffic (e.g.
> > pings from the MNN) reaches the HA and the HA does nothing.
> >
> > My network testbed is very simple, like the following:
> >
> > HA -----Home Network------Access Network------------MR------------MNN
> >
> > The IP address setup is the following :
> > . HA : 2001:db91::2
> > . MR HoA : 2001:db91::2222
> > . Access network prefix : 2001:db94::/64
> > . MR's MNP: 2001:db72::/64
> > . MNN : 2001:db72::2
> >
> > My nemod.conf allows a binding from my mobile router and knows that
> > it is advertising the 2001:db72:: network with the following line :
> > BindingAclPolicy 2001:db91::2222 (2001:db72::/64) NoMCoAReg allow;
>
> So far configuration seems fine, but from the "NoMCoAReg" keyword it
> seems that you use the MCoA implementation on the HA. Do you also use
> it on the MR? The MCoA implementation is quite experimental and has
> never been tested with IPsec. I'm even pretty sure that it breaks the
> IPsec code.
You are right that using MCoA is complicating things more. I will follow
your advice and disable it for now to see if it helps.
>
> > I have added the following lines regarding IPSEC in my nemod.conf in
> > both the HA and the MR :
> >
> > ## IPsec configuration
> > UseMnHaIPsec enabled;
> >
> > ## Key Management Mobility Capability
> > KeyMngMobCapability disabled;
> >
>
> > IPsecPolicySet {
> > HomeAgentAddress 2001:db91::2;
> >
> > #MR4
> > HomeAddress 2001:db91::2222/64;
> >
> > #I want to use esp in tunnel mode for BU and BA
> > IPsecPolicy HomeRegBinding UseESP 10;
> >
> > #I want all traffic (except BUs and BAs) from the MR and all MNs
> > #connected to the MR to be tunnelled using esp
> > #I am not entirely sure if the TunnelPayload option is correct.
> > IPsecPolicy TunnelPayload UseESP 20;
> > }
> >
> > I also imported the following policies using the setkey tool:
> >
> > # MN -> HA transport SA for BU
> > add 2001:db91::2222 2001:db91::2 esp 2000
> >     -u 10
> >     -m transport
> >     -E des-cbc "TAHITEST"
> >     -A hmac-sha1 "this is the test key" ;
> >
> > # HA -> MN transport SA for BA
> > add 2001:db91::2 2001:db91::2222 esp 2001
> >     -u 10
> >     -m transport
> >     -E des-cbc "TAHITEST"
> >     -A hmac-sha1 "this is the test key" ;
> >
> > # Regarding the rules below, do they have to match the source and
> > # destination address of every packet or do they have to be just
> > # the two end points of the tunnel?
> > # If the former is correct, then the following two rules do not
> > # apply to traffic being generated from an MN connected to my MR.
> > # MN -> HA any traffic
> > add 2001:db91::2222 2001:db91::2 esp 2002
> >     -u 20
> >     -m tunnel
> >     -E des-cbc "TAHITEST"
> >     -A hmac-sha1 "this is the test key" ;
> >
> > # HA -> MN any traffic
> > add 2001:db91::2 2001:db91::2222 esp 2003
> >     -u 20
> >     -m tunnel
> >     -E des-cbc "TAHITEST"
> >     -A hmac-sha1 "this is the test key" ;
>
> UMIP takes care of installing the IPsec Security Policies for the MNP
> (in src/ipsec.c, unless you have a too old version of UMIP? Could you
> send what "setkey -PD" and "setkey -D" display on your MR and HA?),
> but I'd guess you still need to install the IPsec SAs for them.
I am using the latest UMIP version (mipv6-daemon-umip-0.4) with the latest
NEPL patch (mipv6-daemon-umip-0.4-nepl-20090624.patch) on a 2.6.30.2 kernel.
The SAs that are installed do correspond to my above rules (find attached
the output of setkey -PD and setkey -D).
I think you are very right that I need to install IPsec SAs for MNNs in an
MNP, and this is what my experiment verifies. However, I do not have a very
clear understanding of what the exact use of an SA is compared to an SP
(relating to the SAD and SPD) and why they are both needed (if needed). The
two above rules (corresponding to the -u 20 identifier), although they seem
generic, should be able to "cover traffic" generated from an MNN but going
through an MR which has the IPsec rules in place using the TunnelPayload
option.
I keep googling SA, SAD and SPD and how to properly use them, but I find
nothing explaining their use. Any references would be highly appreciated, as
even the man pages are not that explanatory :-/
>
> > When I run the code and do a binding from my MR to my HA, the BUs
> > and BAs are fine, being esp'ed in transport mode.
> >
> > In addition when I ping from my MR to the HA I see packets which
> > seem to be esp'ed in tunnel mode (at least from what I can tell as
> > it is difficult to debug that).
> >
> > However, when I am trying to ping from my MNN to my HA I see ping
> > requests going up to the HA (esp'ed) but then the HA just ignores
> > them and does not reply at all. Even if I ping something from the
> > MNN to a machine beyond the HA, I see the request reaching the HA
> > and is apparently decapsulated from the ipsec tunnel but it is never
> > forwarded.
> >
> > So, the basic question is, does the above setup put the appropriate
> > rules in place for a node to act as a MR and enable MN to reach the
> > HA and the outside world or do I have to explicitly define something
> > additional (and what?). Are the above sa and nemod confs files fine?
>
> The above configuration seems fine for MR<->HA data exchange, but
> incomplete to support traffic from MNNs. In particular, I would
> suspect the IPsec SA to lack some conf for the traffic from/to the MNP.
You are right, but the question is: do I install IPsec policies in the SAD or
the SPD, and how? (relating to the above)
>
> Cheers,
> romain
>
Cheers,
Panos
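The SAD/SPD distinction the message above asks about, as an added example that is not part of this thread, the attachment, or UMIP/NEPL's own code. An SA (setkey `add`, the SAD) holds the keys and is identified by its outer endpoints, protocol and SPI; an SP (setkey `spdadd`, the SPD) holds the selectors that decide which packets must use which SA and in which mode. The MR's tunnel-mode SA pair can be shared by MR-originated and MNN traffic, so what the MNP needs is SPD entries whose selectors cover 2001:db72::/64 on both ends. The generator below emits both for the MR and the HA. Assumptions, not taken from the thread: the SA `-u` reqid is matched by the policy level `unique:N`; forwarded packets (MNN traffic on the MR, MNP traffic leaving the HA) are checked against the `fwd` direction on Linux; the tunnel endpoints are the HoA and HA as in the posted SAs, with any move to the current CoA left to the daemon; the keys are constructed placeholders and the algorithms are chosen instead of the thread's des-cbc.

```python
"""Generate setkey(8) input for the thread's NEMO topology.

Example code written for this page, not from the thread or UMIP/NEPL.
SAs (SAD, 'add') carry keys and are keyed by outer endpoints + SPI.
SPs (SPD, 'spdadd') carry selectors: which packets, which direction,
which tunnel endpoints, which reqid. The MNP only appears in the SPD.
"""
from dataclasses import dataclass

HA = "2001:db91::2"          # addresses from the thread
MR_HOA = "2001:db91::2222"
MNP = "2001:db72::/64"
ANY6 = "::/0"

# Constructed placeholder keys (128-bit AES key, 160-bit HMAC key);
# assumption: generate real ones with a CSPRNG before use.
ENC_ALG, ENC_KEY = "rijndael-cbc", "0x00112233445566778899aabbccddeeff"
AUTH_ALG, AUTH_KEY = "hmac-sha1", "0x0123456789abcdef0123456789abcdef01234567"


@dataclass(frozen=True)
class SA:
    """One SAD entry: keys live here, selectors do not."""
    src: str
    dst: str
    spi: int
    reqid: int          # setkey -u; assumed to match 'unique:<reqid>' in SPs
    mode: str           # "transport" or "tunnel"

    def setkey(self) -> str:
        return (f"add {self.src} {self.dst} esp {self.spi} "
                f"-u {self.reqid} -m {self.mode}\n"
                f"    -E {ENC_ALG} {ENC_KEY}\n"
                f"    -A {AUTH_ALG} {AUTH_KEY};")


@dataclass(frozen=True)
class SP:
    """One SPD entry: selectors + direction + tunnel endpoints, no keys."""
    src_sel: str
    dst_sel: str
    direction: str      # "in", "out" or "fwd" (fwd = forwarded packets, assumed)
    tun_src: str
    tun_dst: str
    reqid: int

    def setkey(self) -> str:
        return (f"spdadd {self.src_sel} {self.dst_sel} any -P {self.direction} ipsec\n"
                f"    esp/tunnel/{self.tun_src}-{self.tun_dst}/unique:{self.reqid};")


def tunnel_sas(reqid: int = 20) -> list:
    """The same SA pair the thread installs (SPIs 2002/2003, reqid 20)."""
    return [SA(MR_HOA, HA, 2002, reqid, "tunnel"),
            SA(HA, MR_HOA, 2003, reqid, "tunnel")]


def mnp_policies(role: str, reqid: int = 20) -> list:
    """SPD entries that make MNP traffic use the tunnel SAs above."""
    if role == "mr":
        # MNN -> anywhere leaves the MR through the tunnel; replies come
        # back in it and are forwarded (fwd) or delivered locally (in).
        return [SP(MNP, ANY6, "out", MR_HOA, HA, reqid),
                SP(ANY6, MNP, "in", HA, MR_HOA, reqid),
                SP(ANY6, MNP, "fwd", HA, MR_HOA, reqid)]
    if role == "ha":
        # Mirror image: the HA forwards decapsulated MNP packets to CNs
        # (fwd), answers pings to itself (in) and tunnels replies back (out).
        return [SP(ANY6, MNP, "out", HA, MR_HOA, reqid),
                SP(MNP, ANY6, "in", MR_HOA, HA, reqid),
                SP(MNP, ANY6, "fwd", MR_HOA, HA, reqid)]
    raise ValueError(f"unknown role {role!r}")


def render(role: str) -> str:
    """Full setkey script for one node; no flush, so daemon entries survive."""
    parts = [f"# --- SAD ({role}) ---"] + [sa.setkey() for sa in tunnel_sas()]
    parts += [f"# --- SPD ({role}) ---"] + [sp.setkey() for sp in mnp_policies(role)]
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    # Usage: python3 gen.py > mr.conf && setkey -f mr.conf   (on the MR)
    print(render("mr"))
```

Compare the output against `setkey -PD` on each node: if the daemon already installed MNP policies with the same reqid, the `spdadd` lines collide and only the SA pair is missing; if the `-PD` output has no entry whose selector mentions 2001:db72::/64, the SPD is what was missing.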
-------------- next part --------------
Attachment: setkey_output.txt
Url: http://ml.nautilus6.org/pipermail/support/attachments/20090820/4af918a0/attachment.txt