
(usagi-users 04018) [patch] mip6d daemon: set the (K) bit according to KeyMngMobCapability option



Hi,

This small patch for umip 0.4 aims to properly set the (K) bit in BU and BA messages according to the KeyMngMobCapability option. If a misconfiguration is detected, a message is generated. The information is saved in the bule (MN) or bce (HA) data, and can be used later to check if movement must be signaled to an IKE daemon.

Thanks,
Sebastien.

--
Sebastien Decugis
http://www.nautilus6.org
Support of the (K) flag in BU/BA messages

This patch adds minimal support for the (K) flag (IKE session survival) in
the BU and BA exchanges, in accordance with the KeyMngMobCapability option.

--- a/src/mn.c
+++ b/src/mn.c
@@ -675,6 +675,8 @@
 	int err = 0;
 	bule->type = BUL_ENTRY;
 	bule->flags = IP6_MH_BU_HOME | IP6_MH_BU_ACK | hai->lladdr_comp;
+	if (conf.UseMnHaIPsec && conf.KeyMngMobCapability)
+		bule->flags |= IP6_MH_BU_KEYM;
 	bule->coa_changed = -1;
 	bule->coa = hai->primary_coa.addr;
 	bule->if_coa = hai->primary_coa.iif;
@@ -1113,8 +1115,18 @@
 		if (bule->flags & IP6_MH_BU_KEYM) {
 			if (ba->ip6mhba_flags & IP6_MH_BA_KEYM) {
 				/* Inform IKE  to send readdress msg */
+
 			} else {
 				/* Inform IKE to renegotiate SAs */
+
+				/* Remove the flag from this bule */
+				bule->flags &= ~IP6_MH_BU_KEYM;
+
+				/* Issue a warning */
+				syslog(LOG_ERR,
+			         "HA does not support IKE session surviving, "
+			         "traffic may be interrupted after movements.\n"
+				 );
 			}
 		}
 		bra = mh_opt(&ba->ip6mhba_hdr, &mh_opts, IP6_MHOPT_BREFRESH);
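Review bot: The added syslog() call in the else branch logs at LOG_ERR although the comment above it says "Issue a warning", and the message ends in a "\n" that syslog does not need; `syslog(LOG_WARNING, "HA does not support IKE session surviving, traffic may be interrupted after movements.");` would match the stated intent. The message also does not identify which home agent answered without (K), which makes it hard to act on when there are several home registrations. Because `bule->flags &= ~IP6_MH_BU_KEYM` persists on the entry, a single BA without the bit turns (K) off for later BUs from this bule. A comment should state that this relies on the BA having been authenticated, presumably by the MN-HA IPsec SA, which is not visible here. The enclosing function starts and ends outside the hunk.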
--- a/src/ha.c
+++ b/src/ha.c
@@ -836,9 +836,28 @@
 	if (!tsisset(lft))
 		bcache_delete(out.src, out.dst);
 
-	if ((bu_flags & IP6_MH_BU_KEYM) && 
-	    conf.pmgr.use_keymgm(out.dst, out.src))
-		ba_flags |= IP6_MH_BA_KEYM;
+	if (conf.pmgr.use_keymgm(out.dst, out.src))
+	{
+		if (bu_flags & IP6_MH_BU_KEYM) {
+			ba_flags |= IP6_MH_BA_KEYM;
+		} else {
+			/* The remote MN does not support session mvt,
+			   so we remove from the bce. */
+			bce->flags &= ~IP6_MH_BU_KEYM;
+			cdbg(
+			 "MN (%x:%x:%x:%x:%x:%x:%x:%x) does not support IKE session movement.\n",
+			 NIP6ADDR(out.src));
+		}
+	} else {
+		if (bu_flags & IP6_MH_BU_KEYM) {
+			/* Local policy does not allow using IKE movement */
+			bce->flags &= ~IP6_MH_BU_KEYM;
+			cdbg(
+			 "MN (%x:%x:%x:%x:%x:%x:%x:%x) would support IKE session movement,"
+			 " but local policy denies it.\n",
+			 NIP6ADDR(out.src));
+		}
+	}
 
 	if (ba_flags & IP6_MH_BA_KEYM) {
 		/* FUTURE */
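Review bot: Both new branches write `bce->flags` right after `if (!tsisset(lft)) bcache_delete(out.src, out.dst);`, so on a de-registration the entry `bce` refers to may already be deleted and the pointer could be stale or NULL. Neither the declaration of `bce` nor its lookup is in the hunk, so this needs checking against the rest of the function. If it holds, guard the writes, e.g. `if (tsisset(lft) && bce != NULL) bce->flags &= ~IP6_MH_BU_KEYM;`. In the first else branch the BU arrived without (K), so clearing the bit there is probably a no-op if bce->flags was copied from bu_flags; a comment saying why it is still cleared would help.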
--- a/src/policy.c
+++ b/src/policy.c
@@ -168,7 +168,7 @@
 int default_use_keymgm(const struct in6_addr *remote_addr,
 		       const struct in6_addr *local_addr)
 {
-	return 0;
+	return conf.KeyMngMobCapability;
 }
 
 /**
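Review bot: `default_use_keymgm()` now returns `conf.KeyMngMobCapability` alone, while the mobile-node side in src/mn.c sets (K) only when `conf.UseMnHaIPsec && conf.KeyMngMobCapability`. Unless configuration validation (not shown) rejects the combination, a home agent with KeyMngMobCapability enabled but no MN-HA IPsec would acknowledge (K) in the BA. `return conf.UseMnHaIPsec && conf.KeyMngMobCapability;` would keep both ends consistent. The `remote_addr` and `local_addr` parameters stay unused, so the policy is global rather than per peer; a one-line comment on the function saying so would avoid surprises.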