Home agent
From DIT-CDC
Revision as of 08:35, 28 Feb 2007; Gabi
# $Id: dynhad.conf,v 1.37 2001/07/13 13:41:36 jm Exp $
# Home Agent configuration file
#
# Dynamic hierarchical IP tunnel
# Copyright (C) 1998-2001, Dynamics group
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation. See README and COPYING for
# more details.
#
#######################################################################
#
# NOTE!
# This is an example configuration file designed to give
# perspective to the system configuration AND to provide
# a basis for a working simple test environment.
# The values of some of the parameters may not be the
# same as the daemon's defaults, so don't get confused.
#
#######################################################################
#
# Interfaces to be used for Mobile IP services
# interface: name of the interface, e.g. eth0
# ha_disc:
#   0 = do not allow dynamic HA discovery
#   1 = allow dynamic HA discovery with broadcast messages
# agentadv:
#   0 = do not send agent advertisements without agent solicitation
#   1 = send agent advertisements regularly
# interval: number of seconds to wait between two agentadvs
#           (if allowed for this interface)
# force_IP_addr: local address to be forced for this interface
#                (can be used to select one of the multiple virtual
#                addresses); if not entered, the primary address of the
#                interface is used
INTERFACES_BEGIN
# interface  ha_disc  agentadv  interval  force_IP_addr
eth0         1        1         1
INTERFACES_END

# Network Access Identifier (NAI) of this HA
# Unique identifier for this HA. A macro [interface] can be used to get
# the hardware address of an interface in dot-separated format.
# This is needed if private address space is used in the home network.
# NetworkAccessIdentifier "[eth0]@example.com"
NetworkAccessIdentifier "cancun_ha"

# Surrogate HA IP Address
# This is only needed if private address space and a surrogate HA are used in
# the home network.
# SHAIPAddress 10.10.10.10

# Private HA Identifier at SHA
# Unique identifier (32-bit number) at SHA for this private HA.
# This is only needed if private address space and a surrogate HA are used in
# the home network.
# PrivateHAIdentifier 1

# UDP port to listen for registration requests
# The default is 434. Don't modify this field, for compatibility with other
# RFC 2002 compliant implementations.
UDPPort 434

# Socket priority for signaling sockets (UDP) can be set with SO_PRIORITY to
# allow easier QoS configuration. If this argument is set, the given value is
# used as a priority for the signaling socket. E.g. a CBQ class can be used to
# make sure that signaling is not disturbed by other traffic on a congested
# link.
# This feature is still undocumented and can be left commented.
#
# SocketPriority 1

# MaxBindings can be used to restrict the maximum number of Mobile Nodes
# that are concurrently attached to this Home Agent.
# The default is 20.
MaxBindings 20

# The default tunnel lifetime is suggested also by the HA.
# The default lifetime is 500.
HADefaultTunnelLifetime 600

# The Registration error reply interval should be restricted to
# avoid system overloading situations when receiving too many
# incorrect Registration Reply messages.
# The default value for RegErrorReplyInterval is 1 second.
RegErrorReplyInterval 1

# Triangle tunnel means that the packets to MNs are sent via the HA, but
# packets from the MN are routed directly (i.e. the FA uses normal IP routing).
# EnableTriangleTunneling < TRUE | FALSE >
EnableTriangleTunneling TRUE

# Reverse tunnel means bi-directional tunneling in which both the packets
# from and to the MN are sent via the HA.
# EnableReverseTunneling < TRUE | FALSE >
EnableReverseTunneling TRUE

########################################################################
# The Home Agent needs to know what kind of security parameters each
# authorized Mobile Node uses. That is why there is a table that maps
# (in a many-to-many relationship) SPI numbers, or SPI-number ranges, to
# IP addresses - or IP-address ranges defined by network addresses and
# netmasks. The netmask may be defined in two ways: either in
# "bit offset notation" (the third row in the example) or in the
# "dotted decimal notation" (the fifth row in the example below).
# The list of Mobile Node information is enclosed between two
# keywords: AUTHORIZEDLIST_BEGIN and AUTHORIZEDLIST_END.
#
# < SPI | SPI-range    IP | network/netmask >
# Example:
AUTHORIZEDLIST_BEGIN
# SPI          IP
#1000          192.168.240.2
#1001          192.168.240.3
#1002          0.0.0.0/0
#11000-11999   192.168.241.4
#12000         192.168.250.0/255.255.255.0
#13000-14000   192.168.251.0/28
998            193.146.185.44
999            193.146.185.43
AUTHORIZEDLIST_END

# The Home Agent needs a security association for each authorized Mobile
# Node. The association includes the following information.
#
# SPI (Security Parameter Index): a key for the other fields.
#
# Authentication Algorithm:
#   1: MD5/prefix+suffix (a.k.a. keyed-MD5) [RFC 2002]
#   4: HMAC-MD5 [RFC 2104]
#   5: SHA-1 [FIPS 180-1]
#   6: HMAC-SHA1 [RFC 2104]
# Note! MD5/prefix+suffix has known weaknesses and use of HMAC-MD5 is
# recommended. The MD5/prefix+suffix algorithm is for backwards compatibility
# with older versions that do not support the more secure HMAC-MD5.
#
# Replay Protection Method:
#   0: none
#   1: timestamps
#   2: nonces
#
# Timestamp tolerance indicates how many seconds the MN's timestamp can differ
# from the HA's clock. 7 seconds is the recommended default value. This
# tolerance is checked only when timestamps are used for replay protection.
#
# The maximum lifetime for the binding is given in seconds.
# Special case: 65535 (or more) seconds means unlimited time (the binding will
# not expire).
#
# Shared Secret: secret data known by the MN and the HA. It can be given as
# a HEX code string, i.e. two characters (0-F) correspond to one octet.
# The shared secret can also be given as a character string (e.g.
# "ABCDE" corresponds to 4142434445).
# Note: RFC 2002 specifies that the default key size is 128 bits (i.e.
# 16 bytes or 32 hex 'characters'). Dynamics also supports other key lengths.
#
# The SPI is the key identifier for the rest of the security parameters
# on the same line. SPI number ranges may be assigned the same security
# parameters.
#
# The list of Mobile Node information is enclosed between two
# keywords: SECURITY_BEGIN and SECURITY_END.
#
SECURITY_BEGIN
#        auth.  replay  timestamp  max       shared
# SPI    alg.   meth.   tolerance  lifetime  secret
998      4      0       120        600       "clav16caracteres"
999      4      0       120        600       "clav16caracteres"
1000     4      1       120        600       "test"
#1002    4      2       60         120       01020304050607
#10000   4      1       60         300       016A352B2F235E
#10001   4      1       120        180       0EF42BD234ECCAA2
SECURITY_END
#
########################################################################
# The Home Agent may have optional security associations with Foreign
# Agents. If the security association exists, the session key can be
# encrypted with the help of the shared secret and thus man-in-the-middle
# style attacks can be prevented. If no security association is set
# for a certain Foreign Agent - Home Agent pair, public key encryption
# (RSA) is used.
#
# When private address space is used, this list must have a security
# association with the surrogate HA instead of the FAs. Possible security
# associations with the FAs are then configured on the SHA.
#
# The following list contains the shared secrets indexed by SPI (and
# Foreign Agent IP address). The algorithm field specifies the method
# used for authentication and key distribution:
#   1: MD5/prefix+suffix (a.k.a. keyed-MD5) [RFC 2002]
#   4: HMAC-MD5 [RFC 2104]
#   5: SHA-1 [FIPS 180-1]
#   6: HMAC-SHA1 [RFC 2104]
# The format of the shared secret field is identical to the one used with the
# MN-HA security association list above.
#
FA_SECURITY_BEGIN
# SPI    FA IP          Alg.  Shared Secret
#2001    192.168.0.1    4     0123456789ABCDEF
#2002    192.168.0.2    4     "eslkfj89jr3hduh3R!as"
FA_SECURITY_END
#
# The Highest FA public key can be protected from man-in-the-middle style
# attacks between the HFA and the HA with a hash code. The use of this hash
# is optional, but recommended. The HA can have different ways of checking
# the hash code.
# Methods:
#   0: skip the hash code completely (not recommended)
#   1: if the hash code is received, check the public key with it
#   2: require the correct hash code for every registration message
#      with a public key (this may prevent the use of some organizations
#      which do not advertise the hash code)
PublicKeyHashMethod 0
#PublicKeyHashMethod 1
#
########################################################################
# The log messages are written through the syslog service. The facility to be
# used defaults to LOG_LOCAL0, but it can be set with this parameter
# to any of the possible facilities (LOG_AUTHPRIV, LOG_DAEMON, and so on).
# The processing of log messages is defined in the /etc/syslog.conf file.
SyslogFacility LOG_DAEMON

# Home Agents (and Foreign Agents) use unix domain sockets
# to communicate through their API interfaces.
# The group and owner must be names as strings; no groupIDs or userIDs are
# allowed. The file permissions are set in octal values like in chmod(1).
# The configuration parameters of the two API sockets are as follows:
HAAPIReadSocketPath "/var/run/dynamics_ha_read"
HAAPIReadSocketGroup "root"
HAAPIReadSocketOwner "root"
HAAPIReadSocketPermissions 0766
#
HAAPIAdminSocketPath "/var/run/dynamics_ha_admin"
HAAPIAdminSocketGroup "root"
HAAPIAdminSocketOwner "root"
HAAPIAdminSocketPermissions 0700
#
# Every configuration file must end with the keyword 'END'.
END
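As an added example (not part of the Dynamics distribution or of this page), a small Python reader for the AUTHORIZEDLIST and SECURITY lists described above: it works on a constructed sample in the same layout, resolves SPI ranges, accepts both netmask notations and both shared-secret encodings, and flags the settings the file's own comments warn against (keyed-MD5, no replay protection, a key shorter than the 128-bit default). The sample values and the threshold of 16 bytes are assumptions for the demonstration.

```python
import ipaddress

# Constructed sample in the layout of the dynhad.conf lists above (assumed; not the page's file verbatim).
SAMPLE = """\
AUTHORIZEDLIST_BEGIN
998          193.146.185.44
11000-11999  192.168.241.4
12000        192.168.250.0/255.255.255.0
AUTHORIZEDLIST_END
SECURITY_BEGIN
998    4  0  120  600  "clav16caracteres"
1000   1  1  120  600  "test"
12000  4  2   60  120  01020304050607
SECURITY_END
"""

def rows(text, name):
    """Fields of each non-comment line between NAME_BEGIN and NAME_END."""
    inside, out = False, []
    for line in (ln.strip() for ln in text.splitlines()):
        if line in (name + "_BEGIN", name + "_END"):
            inside = line.endswith("_BEGIN")
        elif inside and line and not line.startswith("#"):
            out.append(line.split())
    return out

def parse_spi(field):
    lo, _, hi = field.partition("-")      # "11000-11999" -> (11000, 11999); "998" -> (998, 998)
    return int(lo), int(hi or lo)

def parse_secret(field):
    if len(field) >= 2 and field[0] == field[-1] == '"':
        return field[1:-1].encode()       # quoted string: "ABCDE" is the octets 41 42 43 44 45
    return bytes.fromhex(field)           # otherwise hex, two characters per octet

def parse_authorized(text):
    """(spi_lo, spi_hi) -> network; bare address, /prefix and dotted netmask are all accepted."""
    return {parse_spi(s): ipaddress.ip_network(a, strict=False) for s, a, *_ in rows(text, "AUTHORIZEDLIST")}

def parse_security(text):
    """(spi_lo, spi_hi) -> association fields, with the secret normalised to bytes."""
    return {parse_spi(s): dict(alg=int(a), replay=int(r), tolerance=int(t), lifetime=int(lt),
                               secret=parse_secret(k)) for s, a, r, t, lt, k, *_ in rows(text, "SECURITY")}

def weak_associations(text):
    """Flag what the file's own comments warn against: keyed-MD5, no replay protection, short key."""
    checks = [(lambda sa: sa["alg"] == 1, "keyed-MD5 (alg 1); HMAC-MD5 (4) or HMAC-SHA1 (6) recommended"),
              (lambda sa: sa["replay"] == 0, "replay protection disabled (method 0)"),
              (lambda sa: len(sa["secret"]) < 16, "shared secret shorter than the 128-bit default")]
    return [(rng, why) for rng, sa in parse_security(text).items() for ok, why in checks if ok(sa)]
```

Running weak_associations(SAMPLE) reports the 998 entry for replay method 0, the 1000 entry for both keyed-MD5 and its 4-byte secret, and the 12000 entry for its 7-byte hex secret.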