(usagi-users 04018) [patch] mip6d daemon: set the (K) bit according to KeyMngMobCapability option
- To: usagi-users@xxxxxxxxxxxxxx
- Subject: (usagi-users 04018) [patch] mip6d daemon: set the (K) bit according to KeyMngMobCapability option
- From: Sebastien Decugis <sdecugis@xxxxxxxxxxxxxxxx>
- Date: Mon, 21 Jan 2008 18:15:42 +0900
- Reply-to: usagi-users@xxxxxxxxxxxxxx
- Resent-date: Tue, 22 Jan 2008 09:41:49 +0900
- Resent-from: nakam@xxxxxxxxxxxxxx
- Resent-message-id: <200801220941.FMLAAB12603.usagi-users@linux-ipv6.org>
- Resent-to: usagi-users@xxxxxxxxxxxxxx (moderated)
- User-agent: Thunderbird 2.0.0.9 (Windows/20071031)
Hi,
This small patch for umip 0.4 aims to properly set the (K) bit in BU and
BA messages according to the KeyMngMobCapability option. If a
misconfiguration is detected, a message is generated. The information is
saved in the bule (MN) or bce (HA) data, and can be used later to check
if movement must be signaled to an IKE daemon.
Thanks,
Sebastien.
--
Sebastien Decugis
http://www.nautilus6.org
Support of the (K) flag in BU/BA messages
This patch adds lite support for the (K) flag (IKE session survival) in
the BU and BA exchanges, conforming to the KeyMngMobCapability option.
--- a/src/mn.c
+++ b/src/mn.c
@@ -675,6 +675,8 @@
int err = 0;
bule->type = BUL_ENTRY;
bule->flags = IP6_MH_BU_HOME | IP6_MH_BU_ACK | hai->lladdr_comp;
+ if (conf.UseMnHaIPsec && conf.KeyMngMobCapability)
+ bule->flags |= IP6_MH_BU_KEYM;
bule->coa_changed = -1;
bule->coa = hai->primary_coa.addr;
bule->if_coa = hai->primary_coa.iif;
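Review bot: the added test before `bule->flags |= IP6_MH_BU_KEYM;` reads conf.KeyMngMobCapability directly, while ha.c in this same patch takes the decision through conf.pmgr.use_keymgm(). If the policy hook is meant to be the single decision point for the (K) bit, call it here as well so that a replaced policy function affects both roles; if the MN is meant to bypass the hook, a one-line comment saying so would avoid the question.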
@@ -1113,8 +1115,18 @@
if (bule->flags & IP6_MH_BU_KEYM) {
if (ba->ip6mhba_flags & IP6_MH_BA_KEYM) {
/* Inform IKE to send readdress msg */
+
} else {
/* Inform IKE to renegotiate SAs */
+
+ /* Remove the flag from this bule */
+ bule->flags &= ~IP6_MH_BU_KEYM;
+
+ /* Issue a warning */
+ syslog(LOG_ERR,
+ "HA does not support IKE session surviving, "
+ "traffic may be interrupted after movements.\n"
+ );
}
}
bra = mh_opt(&ba->ip6mhba_hdr, &mh_opts, IP6_MHOPT_BREFRESH);
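Review bot: the new syslog() call in the else branch logs at LOG_ERR although the comment above it says "Issue a warning" and the code only clears the flag and carries on; LOG_WARNING matches the intent better, and the trailing "\n" is not needed in a syslog message. The two added blank lines under the "Inform IKE ..." comments leave both branches without any IKE notification, so a TODO marker there would make it explicit that the signalling is still missing.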
--- a/src/ha.c
+++ b/src/ha.c
@@ -836,9 +836,28 @@
if (!tsisset(lft))
bcache_delete(out.src, out.dst);
- if ((bu_flags & IP6_MH_BU_KEYM) &&
- conf.pmgr.use_keymgm(out.dst, out.src))
- ba_flags |= IP6_MH_BA_KEYM;
+ if (conf.pmgr.use_keymgm(out.dst, out.src))
+ {
+ if (bu_flags & IP6_MH_BU_KEYM) {
+ ba_flags |= IP6_MH_BA_KEYM;
+ } else {
+ /* The remote MN does not support session mvt,
+ so we remove from the bce. */
+ bce->flags &= ~IP6_MH_BU_KEYM;
+ cdbg(
+ "MN (%x:%x:%x:%x:%x:%x:%x:%x) does not support IKE session movement.\n",
+ NIP6ADDR(out.src));
+ }
+ } else {
+ if (bu_flags & IP6_MH_BU_KEYM) {
+ /* Local policy does not allow using IKE movement */
+ bce->flags &= ~IP6_MH_BU_KEYM;
+ cdbg(
+ "MN (%x:%x:%x:%x:%x:%x:%x:%x) would support IKE session movement,"
+ " but local policy denies it.\n",
+ NIP6ADDR(out.src));
+ }
+ }
if (ba_flags & IP6_MH_BA_KEYM) {
/* FUTURE */
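Review bot: both new branches that clear the flag write to `bce->flags` immediately after `if (!tsisset(lft)) bcache_delete(out.src, out.dst);`, so when lft is not set bce may refer to an entry that has just been deleted. Guard the two writes (only touch bce when the entry is kept and bce is non-NULL), or move the flag update to the place where the entry is created or updated. Minor style point: the opening brace on its own line after `if (conf.pmgr.use_keymgm(out.dst, out.src))` differs from the brace placement used in the rest of the hunk.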
--- a/src/policy.c
+++ b/src/policy.c
@@ -168,7 +168,7 @@
int default_use_keymgm(const struct in6_addr *remote_addr,
const struct in6_addr *local_addr)
{
- return 0;
+ return conf.KeyMngMobCapability;
}
/**
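Review bot: default_use_keymgm() now returns the global conf.KeyMngMobCapability and still ignores remote_addr and local_addr, whereas the MN side in mn.c also requires conf.UseMnHaIPsec before setting the bit. If the HA should not acknowledge (K) when IPsec between MN and HA is not in use, return `conf.UseMnHaIPsec && conf.KeyMngMobCapability` here; otherwise please state in the function's comment that the default policy is global and not per peer.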