Mobile IPv6 for Linux Guide (with USAGI patch)

Introduction

This article provides a tutorial on setting up Mobile IPv6(MIPv6) on Linux.

Basic kernel configuration, IPv6 networking operation, configuration experience and basic MIPv6 knowledge are needed. If you use IPsec, basic IPsec knowledge and IPv6 tunnel gateway configuration experience is also required.

See Known issues at first.

Old information is moved to umip-0.3 or umip-0.1 page.

Configuration

After mip6d is installed, you can see mip6d.conf(5) which has useful information about configuration.

HA specific configuration

router: HA should be configured as an IPv6 router like forwarding=1.
proxy ND: HA should be enabled proxy ND like proxy_ndp=1 (required to support returning-home).
IPsec: See IPsec configuration.
mip6d: See mip6d.conf(5). An example is mip6d-ha.conf.
RD: Send RA with HA related options like "HA flag", HA address as network prefix and "router address flag" on prefix information. See also radvd.conf(5) for the detail if you use radvd. An example is radvd.conf.
(optional): It is recommended smaller router advertisement interval. This also can be said to router on foreign link to where MN moves.

MN specific configuration

IPsec: See IPsec configuration.
mip6d: See mip6d.conf(5). An example is mip6d-mn.conf.

CN specific configuration

See mip6d.conf(5) for mip6d. An example is mip6d-cn.conf.

IPsec configuration

[HA,MN]See README.IPsec included by mip6d source tree. An example is setkey.conf.

Boot sequence

HA boot sequence

Before starting mip6d, the following conditions should be satisfied:
- Be ready as a router
- Be ready for proxying ND (when using returning-home)
- Assigned a global unicast address on home link interface, as HA address
- Configured IPsec SA (when using IPsec with static keying)
Run mip6d
After started mip6d:
- Start RD

An easy example boot script to do the above is mipv6-ha.sh.

MN boot sequence

Before starting mip6d, the following conditions should be satisfied:
- The interface is brought up before you run mip6d.
- IPsec SA configuration (while using IPsec with static keying).
After you made sure these conditions, you can run mip6d.

An easy example boot script is mipv6-mn.sh.

CN boot sequence

Run mip6d

An easy example boot script is mipv6-cn.sh.

Another examples

experimental mip6d init script using LSB (for Debian Distribution)
- Copy init_d-mip6d to /etc/init.d/mip6d
- Copy default-mip6d to /etc/default/mip6d and edit it

Verification

Running

mip6d writes start or stop message to syslog and you can check it.
[HA] Try virtual terminal to see mip6d information like below:
$ telnet localhost 7777 Trying ::1... Trying 127.0.0.1... Connected to ip6-localhost. Escape character is '^]'. mip6d> pl eth1 3ffe:501:ffff:100:200:ff:fe00:a0a0/64 valid 2591997 / 2592000 preferred 604800 flags OAR mip6d>
If you could get home prefix valid lifetime with positive value there, the HA is ready to serve. Otherwise, you should check the RA configuration.

Binding cache

Try virtual terminal to see mip6d information like below:
$ telnet localhost 7777 Trying ::1... Trying 127.0.0.1... Connected to ip6-localhost. Escape character is '^]'. mip6d> bc hoa 3ffe:501:ffff:100::1 status registered coa 3ffe:501:ffff:102::1 flags AH-- local 3ffe:501:ffff:100:200:ff:fe00:a0a0 lifetime 998 / 1000 seq 58722 unreach 0 mpa - / 0 retry 0 mip6d>
If the node has binding cache correctly, you will get entries there with registered [HA], cached [CN] at "status" for each MN HoA respectively.

Binding update list

[MN]Try virtual terminal to see mip6d information like below:
$ telnet localhost 7777 Trying ::1... Connected to localhost. Escape character is '^]'. mip6d> bul == BUL_ENTRY == Home address 3ffe:501:ffff:100::1 Care-of address 3ffe:501:ffff:102::1 CN address 3ffe:501:ffff:100:200:ff:fe00:a0a0 lifetime = 262140, delay = 249033000 flags: IP6_MH_BU_HOME IP6_MH_BU_ACK ack ready lifetime 262124 / 262140 seq 26633 resend 0 delay 249033(after 249017s) mps 214747931 / 214747947 mip6d>
If the MN sent BUs, you can find entries there for HA/CN respectively. To confirm home registration is completed, check the HA entry whose "ack" value is ready

Route optimization

We don't have an easy and good route optimization test for both-direction (other than using TAHI test or dumping packet). On the other hand, with ping6 command from USAGI git iputils-mip6 tree, you can check whether inbound echo reply is route-optimized or not.

Prepare ping6 from iputils-mip6 git tree.
Try ping6 with "-H" option to see extension headers carried by echo reply.

Examples:

[HA,CN] Receiving a route-optimized echo reply from MN
$ ping6 -H -I HACN_ADDR MN_ADDR ... 64 bytes from MN_ADDR[HAO]: icmp_seq=1 ttl=61 time=1.04 ms
[MN] Receiving a route-optimized echo reply from HA,CN
$ ping6 -H HACN_ADDR ... 64 bytes from HACN_ADDR[RT2]: icmp_seq=1 ttl=61 time=1.04 ms

Known issues

Kernel support status

Here is the mainline kernel support status (as of 2.6.23).

node	basic	IPsec
node	basic	transport	tunnel
HA	OK*1	OK*1	OK*3
MN	OK*2	OK*4	OK4,3
CN	OK*1	-5,1	-

*1:2.6.19 or later
*2:2.6.22 or later (Support combination action between source address specific rule and source address selection)
*3:2.6.21 or later (PFKEY_MIGRATE support)
*4:2.6.22 or later (Fix IPsec combination; Restrict upper layer information by bundle)
*5:It works about RO over transport mode IPsec.

Known issues

[MN] MN incorrectly sends bidirectional RO before both BCEs are ready on Inter-MN RO: This issue is proceeded at the following steps:
(1) Two MNs are on (each) foreign link and the both MNs bind each other i.e. bidirectional RO (IPv6-RH2-HAO) communication has been successful.
(2) One MN(a) goes to another foreign link.
(3) The other MN(b) sends unidirectional RO (IPv6-IPv6-HAO) echo request before MN(a) completes binding to MN(b).
(4) MN(a) receives the echo request and sends echo reply back over bidirectional RO incorrectly.
[HA,MN,CN] TCP over RO issue (fixed with USAGI kernel patch or 2.6.24): If the node starts TCP connection without RO, the node incorrectly continues the connection without RO even after RO is ready on kernel. This issue is occurred for TCP over IPsec, too.
[HA] HA sends wrong Redirect for IPsec tunneled packet (fixed with USAGI kernel patch or 2.6.24): IPsec tunnel gateway incorrectly sends redirect to router or sender when network device the IPsec tunneled packet is arrived is the same as the one the de-capsulated packet is sent.
[MN] IPsec tunnel configuration "TunnelMh" and "TunnelPayload" do not work: This is because the daemon has not supported yet to deal with kernel change to use XFRM selector without specified if-index.
[MN] MN sends RO packet to default router's MAC address (fixed with USAGI git (linux-2.6.24-mip6 branch or later) or scheduled for 2.6.26): When MN are on the link where CN is placed, the MN sends RO packet to the CN with not the CN's but default router's MAC address of the link without sending any NS. (The packet may be forwarded to the CN by the router.)
[MN] MN does not learn from Redirect targeted for CN: When MN and CN are on the same link and the MN created a BCE on the CN, the MN does not make neighbor cache for the CN even when the MN is received Redirect targeted the CN from a router on the link.
[MN] MN internally blocks to send BU to HA for the first boot time: (The detailed condition is not determined but) this is occurred when IPsec is disabled or IPsec is enabled with "HomeRegBinding" and "MobPfxDisc". This can be fixed if the daemon restarts.

Mobile IPv6 for Linux Guide (with USAGI patch)

Introduction

Software

For all nodes (HA, MN and CN)

For HA

For HA and MN

Building kernel and mip6d

Configuration

HA specific configuration

MN specific configuration

CN specific configuration

IPsec configuration

Boot sequence

HA boot sequence

MN boot sequence

CN boot sequence

Another examples

Verification

Running

Binding cache

Binding update list

Route optimization

Known issues

Kernel support status

Known issues

Links