Making HIP responder act as access point

Asked by Santeri Siltala

I am trying to make a test where the HIP Responder acts as an access point. The idea is that traffic between the Initiator and the Responder is protected with ESP. I have been able to change the IPsec mode from BEET to tunnel. The problem is that all traffic from the Initiator should be directed to the tunnel. Is it even possible to increase the tunnel address space from the default /28 to a larger one, or will it break the whole system? I've been doing some tests without success.

The reason why I am trying to use HIP instead of existing IPsec solutions to do this is that I have modified HIP to provide some non-repudiation properties for the traffic. So the idea is to bind all traffic which comes from the initiator and goes through the responder to the initiator's identity.

Question information
Language: English
Status: Answered
For: HIPL
Assignee: No assignee
Miika Komu (miika-iki) said:
#1

If you want to change the prefix, check how prefixes are managed in lib/tool/xfrmapi.c and the following defines:

lib/core/protodefs.h:#define HIP_HIT_PREFIX HIP_HIT_TYPE_MASK_100
lib/core/protodefs.h:#define HIP_LSI_PREFIX HIP_LSI_TYPE_MASK_1
lib/core/protodefs.h:#define HIP_HIT_PREFIX_LEN 28 /* bits */
lib/core/protodefs.h:#define HIP_LSI_PREFIX_LEN 24 /* bits */
lib/core/protodefs.h:#define HIP_HIT_PREFIX_STR "/28"
lib/core/protodefs.h:#define HIP_LSI_FULL_PREFIX_STR "/24"

You'll also need to adjust routes in hipd/netdev.c and set /proc/sys/net/ipv6/conf/all/forwarding to 1.

We used to have client-side proxy support in an earlier code version, but it was dropped due to lack of use. The idea was that the client was not using HIP and we had a proxy (router) that converted non-HIP traffic to HIP traffic to the HIP-capable server.

I wonder whether anyone has tried to combine an existing NAT64 translator to translate to the HIT prefix? Perhaps that could eliminate the need for tunnel mode (?).

Santeri Siltala (santeri-siltala) said:
#2

I have changed HIP_HIT_PREFIX_LEN to 0 and also modified the xfrm_fill_selector() function to use ::0 as sel->daddr. The HIP BEX between the initiator and the responder goes through. "ip -s xfrm policy" shows that for outgoing traffic src is the initiator HIT and dst is ::0/0, and the tmpl source and destination are the correct addresses. "ip -s xfrm state" shows sel src is the initiator HIT and dst is ::0/0, which is correct I believe. Still, the initiator's traffic won't go through the tunnel, even when the destination is the responder. Do I still need to do some more modifications somewhere?

Miika Komu (miika-iki) said:
#3

I think "won't go through the tunnel" suggests a routing problem. Have you played with "ip route get DESTIP"?
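The thread above touches two separate lookups a packet has to pass before it is ESP-encapsulated: the routing table (what "ip route get" consults, installed by hipd/netdev.c) and the outbound xfrm policy selector (what "ip xfrm policy" shows, and what changing HIP_HIT_PREFIX_LEN and sel->daddr alters). The following Python is an added example written for this page, not HIPL code and not the kernel's actual xfrm or FIB implementation; it models both lookups with longest-prefix routing and a src/dst selector match, so one can see which packets a /28 HIT selector catches versus a ::/0 one. It assumes that HIP_HIT_TYPE_MASK_100 with HIP_HIT_PREFIX_LEN 28 corresponds to the ORCHID prefix 2001:10::/28; the HITs, locators, routes and the dummy0/eth0 device names are constructed sample data.

```python
"""Toy model of route lookup plus outbound xfrm policy selection for HIP traffic.

Added example for this thread; not HIPL code and not the kernel's algorithm.
All addresses, routes and device names below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Assumption: HIPL's HIT prefix (HIP_HIT_PREFIX_LEN 28) is the ORCHID prefix.
HIT_PREFIX_DEFAULT = IPv6Network("2001:10::/28")
# What HIP_HIT_PREFIX_LEN 0 with sel->daddr = ::0 amounts to: match any dst.
HIT_PREFIX_ANY = IPv6Network("::/0")


@dataclass(frozen=True)
class Policy:
    """One outbound xfrm policy: selector (src, dst) and the tunnel template."""
    src: IPv6Network
    dst: IPv6Network
    direction: str  # "out" or "in"
    tmpl: str       # tunnel endpoints, as `ip xfrm policy` prints them

    def matches(self, src: IPv6Address, dst: IPv6Address, direction: str) -> bool:
        return direction == self.direction and src in self.src and dst in self.dst


@dataclass(frozen=True)
class Route:
    prefix: IPv6Network
    dev: str


def route_get(routes, dst: IPv6Address):
    """Longest-prefix match: the decision `ip route get DST` would report."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def classify(src: IPv6Address, dst: IPv6Address, routes, policies):
    """Return (egress device, matching outbound policy or None).

    A packet only enters the tunnel when a route exists for dst AND an
    outbound policy selector matches the (src, dst) pair.
    """
    route = route_get(routes, dst)
    if route is None:
        return None, None
    for p in policies:
        if p.matches(src, dst, "out"):
            return route.dev, p
    return route.dev, None


# Constructed sample identities and locators (2001:db8::/32 is documentation space).
INITIATOR_HIT = IPv6Address("2001:15:1111:2222:3333:4444:5555:6666")
RESPONDER_HIT = IPv6Address("2001:1a:aaaa:bbbb:cccc:dddd:eeee:ffff")
INITIATOR_LOCATOR = IPv6Address("2001:db8:0:1::1")
RESPONDER_LOCATOR = IPv6Address("2001:db8:0:1::2")
OTHER_HOST = IPv6Address("2001:db8:ffff::1")

# Constructed routing table: HIT prefix via a dummy interface, the rest via eth0.
ROUTES = [
    Route(IPv6Network("2001:10::/28"), "dummy0"),
    Route(IPv6Network("2001:db8:0:1::/64"), "eth0"),
    Route(IPv6Network("::/0"), "eth0"),
]

TMPL = f"{INITIATOR_LOCATOR} -> {RESPONDER_LOCATOR}"


def policies(hit_prefix: IPv6Network):
    """Outbound policy as described in the thread: src = initiator HIT, dst = prefix."""
    return [Policy(IPv6Network(f"{INITIATOR_HIT}/128"), hit_prefix, "out", TMPL)]


PACKETS = {
    "hit_to_hit": (INITIATOR_HIT, RESPONDER_HIT),
    "locator_to_locator": (INITIATOR_LOCATOR, RESPONDER_LOCATOR),
    "hit_to_locator": (INITIATOR_HIT, RESPONDER_LOCATOR),
    "hit_to_other": (INITIATOR_HIT, OTHER_HOST),
}


def run(hit_prefix: IPv6Network):
    """Map packet name -> (egress device, True if an outbound policy caught it)."""
    result = {}
    for name, (src, dst) in PACKETS.items():
        dev, pol = classify(src, dst, ROUTES, policies(hit_prefix))
        result[name] = (dev, pol is not None)
    return result


if __name__ == "__main__":
    for label, prefix in (("dst /28 (default)", HIT_PREFIX_DEFAULT), ("dst ::/0", HIT_PREFIX_ANY)):
        print(label)
        for name, (dev, tunneled) in run(prefix).items():
            print(f"  {name:20s} dev={dev:7s} tunneled={tunneled}")
```

Two things the model makes visible: widening dst to ::/0 only helps packets whose source address is the initiator's HIT, since the selector's src side is still the HIT; a packet sent from the initiator's locator matches neither policy. And the route lookup is independent of the policy, so "ip route get" on the destination answers a different question from "ip xfrm policy"; both have to succeed for the tunnel to be used.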
