System Management Guide: Communications and Networks
Mobile IPv6
Mobile IPv6 provides mobility support for IPv6. It allows you to keep
the same internet address all over the world, and allows applications using
that address to maintain transport and upper-layer connections when
you change locations. It allows mobility across homogeneous and heterogeneous
media. For example, Mobile IPv6 facilitates node movement from an Ethernet
segment to a wireless LAN cell, with the mobile node's IP address remaining
unchanged.
In Mobile IPv6, each mobile node is identified by two IP addresses: its
home address and its care-of address. The home address is a permanent
IP address that identifies the mobile node regardless of its location. The
care-of address changes at each new point of attachment and provides
information about the mobile node's current situation. When a mobile node
arrives at a visited network, it must acquire a care-of address, which
will be used while the mobile node is at this location in
the visited network. It may use the methods of IPv6 Neighbor Discovery
to get the care-of address (see Neighbor Discovery/Stateless Address Autoconfiguration). Both stateless
and stateful autoconfiguration are possible. The care-of address can
also be manually configured. How the care-of address is acquired is
irrelevant to Mobile IPv6.
There must be at least one home agent configured on the home network, and
the mobile node must be configured to know the IP address of its home agent.
The mobile node sends a packet containing a binding update destination option
to the home agent. The home agent gets the packet and makes an association
between the home address of the mobile node and the care-of address it received.
The home agent responds with a packet containing a binding acknowledgment
destination option.
The home agent keeps a binding cache containing associations between the
home addresses and the care-of addresses for the mobile nodes it serves.
The home agent will intercept any packets destined for the home address and
forward them to the mobile nodes. A mobile node will then send a binding update
to the correspondent node informing it of its care-of address, and the
correspondent node will create a binding cache entry so that it can send future
traffic directly to the mobile node at its care-of address.
Mobility support in AIX provides the following basic functions:
As a Home Agent node:
- Maintain an entry in its binding cache for each mobile node that
it is serving.
- Intercept packets addressed to a mobile node for which it is currently
serving as the home agent, on that mobile node's home link, while the mobile
node is away from home.
- Encapsulate such intercepted packets in order to tunnel them to the primary
care-of address for the mobile node indicated in its binding in the
home agent's binding cache.
- Return a binding acknowledgment option in response to a binding update
option received with the acknowledge bit set.
As a Stationary Correspondent Node:
- Process a home address option received in any IPv6 packet
- Process a binding update option received in a packet and return a binding
acknowledgment option if the acknowledge (A) bit is set in the received binding
update
- Maintain a binding cache of the bindings received in accepted binding
updates
- Send packets using a routing header when there is a binding cache entry
for a mobile node that contains the mobile node's current care-of address
As a Router Node in a Network visited by the mobile node:
- Send an advertisement interval option in its router advertisements to
aid movement detection by mobile nodes. It is configurable by the -m parameter in the ndpd-router daemon.
- Support sending unsolicited multicast router advertisements at the faster
rate described in RFC 2461. It is configurable by the -m parameter in the ndpd-router daemon.
IP Security
- Tunnels must be statically predefined using the home addresses between
the home agent and the mobile node or between the correspondent and the mobile
node
- Only AH-ESP in transport mode is supported
- When filtering on protocol 60, only packets with the destination options
BU, BA and BR are secured
- When filtering on all the traffic, all Mobility Packets (BU, BA signaling
and other packets that also contain data) are secured
- IP Security filtering on protocol 60 should always be used when mobility
is in use. Some mobile nodes may not accept BA and BU packets unless IP Security
is used, and accepting these packets when IP Security was not used can be
a serious security problem.
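The protocol 60 rule above can be checked on captured traffic. The following is an added example, not part of the AIX documentation: it walks the IPv6 extension header chain and flags packets that carry a visible destination options header with no AH header. The function names, addresses and sample packets are constructed for illustration.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60

def walk_chain(packet: bytes) -> list:
    """Return the Next Header values of an IPv6 packet in order of appearance."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40
    chain = [nxt]
    # Stop at ESP (the rest is encrypted) or at any upper-layer protocol.
    while nxt in (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS):
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nxt == AH:
            hdr_len = (packet[off + 1] + 2) * 4   # AH length: 4-octet units minus 2
        elif nxt == FRAGMENT:
            hdr_len = 8                           # fragment header has a fixed size
        else:
            hdr_len = (packet[off + 1] + 1) * 8   # 8-octet units, first 8 not counted
        if off + hdr_len > len(packet):
            raise ValueError("truncated extension header")
        nxt, off = packet[off], off + hdr_len
        chain.append(nxt)
    return chain

def unprotected_dest_opts(packet: bytes) -> bool:
    """True when protocol 60 is present but no AH header authenticates the packet."""
    chain = walk_chain(packet)
    return DEST_OPTS in chain and AH not in chain

# --- constructed sample packets (2001:db8::/32 documentation prefix) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

def dest_opts(next_header: int) -> bytes:
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])   # one PadN option as filler

def ah(next_header: int) -> bytes:
    # 24-byte AH: SPI 0x100, sequence 1, 12-byte placeholder ICV (not a real MAC)
    return bytes([next_header, 4, 0, 0]) + struct.pack("!II", 0x100, 1) + bytes(12)

BARE = ipv6(DEST_OPTS, dest_opts(NO_NEXT))               # protocol 60, no AH
WITH_AH = ipv6(AH, ah(DEST_OPTS) + dest_opts(NO_NEXT))   # AH, then protocol 60

if __name__ == "__main__":
    for name, pkt in (("BARE", BARE), ("WITH_AH", WITH_AH)):
        print(name, walk_chain(pkt), "FLAG" if unprotected_dest_opts(pkt) else "ok")
```

The check only confirms that an AH header is present; verifying the integrity check value requires the security association keys and is left to the IP Security stack.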
IP Security with IKE
- IKE acts as responder on the home agent or the correspondent
- Only aggressive mode is supported
Configure Mobile IPv6
Start Mobile IPv6 with IP Security
Home Agent
- Define IKE tunnels (phase 1 and phase 2) as responder and for the AH protocol
in the database between the home agent IP address and the home address of
each mobile node that the home agent may communicate with. See
IP Security in the AIX Security Guide for details.
- Define the AH IP Security Association between the home agent IP address
and each mobile home address the correspondent may communicate
with.
- Run the following command:
/etc/rc.mobip6 start -H -S
Correspondent
- Define IKE tunnels (phase 1 and phase 2) as responder and for the AH protocol
in the database between the home agent IP address and the home address of
each mobile node that the home agent may communicate with. See
IP Security in the AIX Security Guide for details.
- Define the AH IP Security Association between the home agent IP address
and each mobile home address the correspondent may communicate
with.
- Run the following command:
/etc/rc.mobip6 start -S
Router
Run the following to facilitate movement detection:
ndpd-router -m
Start Mobile IPv6 without IP Security
Although Mobile IPv6 can be started without IP Security, this is not recommended.
IP Security protects the binding packets (the filtering on protocol 60). Using
Mobile IPv6 without IP Security leaves a security hole.
Home Agent
Run the following command:
/etc/rc.mobip6 start -H
Correspondent
Run the following command:
/etc/rc.mobip6 start
Router
Run the following to facilitate movement detection:
ndpd-router -m
Stopping Mobile IPv6
To stop Mobile IPv6 and leave the system functioning as an IPv6 gateway,
run the following command:
/etc/rc.mobip6 stop
To stop Mobile IPv6 and disable IPv6 gateway functionality, run the following
command:
/etc/rc.mobip6 stop -N -F
Troubleshooting Mobile IPv6
- Get the binding states by running the following:
mobip6ctrl -b
- See TCP/IP Problem Determination for information on using the TCP/IP troubleshooting
utilities.