# For any information please contact Tamer Demir, demirt@cmpe.boun.edu.tr
#
#
# Configuration File of the Home Agent in CMPE Domain
# Interfaces to be used for Mobile IP services. Note that you have to configure
# each interface that may receive or send registration messages.
# interface: name of the interface, e.g. eth0
# ha_disc:
#    0 = do not allow dynamic HA discovery
#    1 = allow dynamic HA discovery with broadcast messages
# agentadv:
#    0 = do not send agent advertisements without agent solicitation
#    1 = send agent advertisements regularly
#   -1 = do not send any (even solicited) agent advertisements
# interval: number of seconds to wait between two agentadvs
#           (if allowed for this interface)
# force_IP_addr: local address to be forced for this interface
#		 (can be used to select one of the multiple virtual
#		 addresses); if not entered, the primary address of the
#		 interface is used
INTERFACES_BEGIN
# interface  ha_disc  agentadv  interval  force_IP_addr
# eth0: answers broadcast HA discovery (ha_disc=1), sends unsolicited agent
# advertisements every 10 seconds (agentadv=1), and leaves force_IP_addr
# empty, so the interface's primary address is used (see the field notes
# above).
eth0         1        1         10
INTERFACES_END

# Network Access Identifier (NAI) of this HA
# Unique identifier for this HA. A macro [interface] can be used to get
# the hardware address of an interface in dot-separated format.
# This is needed, if private address space is used in the home network.
# NetworkAccessIdentifier "[eth0]@example.com"

# Surrogate HA IP Address
# This is only needed, if private address space and a surrogate HA are used in
# the home network.
# SHAIPAddress 10.10.10.10

# Private HA Identifier at SHA
# Unique identifier (32-bit number) at SHA for this private HA.
# This is only needed, if private address space and a surrogate HA are used in
# the home network.
# PrivateHAIdentifier 1

# UDP port to listen for registration requests
# The default is 434
# Same as the documented default.
UDPPort 434

# Socket priority for signaling sockets (UDP) can be set with SO_PRIORITY to
# allow easier QoS configuration. If this argument is set, the given value is
# used as a priority for the signaling socket. E.g. CBQ class can be used to
# make sure that signaling is not disturbed by other traffic on a congested
# link.
# This feature is still undocumented and can be left commented.
#
# SocketPriority 1

# MaxBindings can be used to restrict the maximum number of Mobile Nodes
# that are concurrently attached to this Home Agent.
# The default is 20.
# Same as the documented default. This cap also bounds how much binding
# state a burst of registration requests can make the HA hold.
MaxBindings 20

# The default tunnel lifetime is suggested also by the HA.
# The default lifetime is 500.
# Deliberately above the documented default of 500 (seconds).
HADefaultTunnelLifetime 600

# The Registration error reply interval should be restricted to
# avoid system overloading situations when receiving too many
# incorrect Registration Reply messages.
# The default value for RegErrorReplyInterval is 1 second.
# Same as the documented default (seconds).
RegErrorReplyInterval 1

# Triangle tunneling means that packets to MNs are sent via the HA, but
# packets from the MN are routed directly (i.e. the FA uses normal IP routing).
# EnableTriangleTunneling < TRUE | FALSE >
# Triangle tunneling is enabled for this HA.
EnableTriangleTunneling TRUE

# Reverse tunneling means bi-directional tunneling in which packets both
# from and to the MN are sent via the HA.
# EnableReverseTunneling < TRUE | FALSE >
# Reverse tunneling is enabled as well, so MNs may choose either mode.
EnableReverseTunneling TRUE

########################################################################
# The Home Agent needs to know what kind of security parameters each
# authorized Mobile Node uses. That is why there is a table that maps
# (in a many-to-many relationship) SPI numbers, or SPI-number ranges, to
# IP addresses - or IP-address ranges defined by network addresses and
# netmasks. The netmask may be defined in two ways: either in
# "bit offset notation" (the third row in the example) or in the
# "dotted decimal notation" (the fifth row in the example below).
# The list of Mobile Node information is enclosed between two
# keywords: AUTHORIZEDLIST_BEGIN and AUTHORIZEDLIST_END.
#
# < SPI | SPI-range       IP | network/netmask  >
# Example:

AUTHORIZEDLIST_BEGIN
# SPI           IP
# One SPI per Mobile Node, each bound to a single host address (no netmask).
# Keeping SPIs per node means one node's security parameters can be
# revoked in the SECURITY list without touching the others.
1000		193.140.196.16
1001		193.140.196.17
1002		193.140.196.18
1003		193.140.196.19
1004		193.140.196.20
AUTHORIZEDLIST_END

# The Home Agent needs a security association for each authorized Mobile
# Node. The association includes the following information.
#
# SPI (Security Parameter Index): a key for the other fields.
#
# Authentication Algorithm:
#    1: MD5/prefix+suffix (a.k.a. keyed-MD5) [RFC 2002]
#    4: HMAC-MD5 [RFC 2104]
#    5: SHA-1 [FIPS 180-1]
#    6: HMAC-SHA1 [RFC 2104]
# Note! MD5/prefix+suffix has known weaknesses and use of HMAC-MD5 is
# recommended. The MD5/prefix+suffix algorithm is kept for backwards
# compatibility with older versions that do not support the more secure HMAC-MD5.
#
# Replay Protection Method:
#    0: none
#    1: timestamps
#    2: nonces
#
# Timestamp tolerance indicates how many seconds the MN's timestamp can differ
# from the HA's clock. 7 seconds is the recommended default value. This
# tolerance is checked only when timestamps are used for replay protection.
#
# The maximum lifetime for the binding is given in seconds.
# Special case: 65535 (or more) seconds means unlimited time (the binding will
# not expire)
#
# Shared Secret: a secret data known by MN and HA. It can be given as
# a HEX code string, i.e. two characters (0-F) correspond to one octet.
# The shared secret can also be given as a character string (e.g.
# "ABCDE" corresponds to 4142434445).
# Note: RFC 2002 specifies that the default key size is 128 bits (i.e.
# 16 bytes or 32 hex 'characters'). Dynamics supports also other key lengths.
#
# The SPI is the key identifier for the rest of the security parameters
# on the same line. SPI number ranges may be assigned the same security
# parameters.
#
# The list of Mobile Node information is separated between two
# keywords: SECURITY_BEGIN and SECURITY_END.
#
SECURITY_BEGIN
#       auth.   replay  timestamp       max             shared
# SPI   alg.    meth.   tolerance       lifetime        secret
# Review note: all five SPIs use the same literal shared secret "test".
# The notes above recommend a 128-bit key (32 hex characters), and a value
# shared across SPIs lets anyone holding it authenticate under any of these
# entries. Replace with a distinct random secret per SPI before deployment.
# Review note: the timestamp tolerance is 120 seconds here, while 7 seconds
# is given above as the recommended default; a wider tolerance widens the
# window in which a captured registration can be replayed.
# Algorithm 4 is HMAC-MD5; 6 (HMAC-SHA1) is also listed above.
1000	4	1	120		600		"test"
1001	4	1	120		600		"test"
1002	4	1	120		600		"test"
1003	4	1	120		600		"test"
1004	4	1	120		600		"test"
SECURITY_END
#
########################################################################
# Home Agent may have optional security associations with Foreign
# Agents. If the security association exists the session key can be
# encrypted with the help of shared secret and thus man-in-the-middle
# style attacks can be prevented. If no security association is set
# for a certain Foreign Agent - Home Agent pair, public key encryption
# (RSA) is used.
#
# When private address space is used, this list must have a security
# association with the surrogate HA instead of the FAs. Possible security
# associations with the FAs are then configured to the SHA.
#
# The following list contains the shared secrets indexed by SPI (and
# Foreign Agent IP address). The algorithm field specifies the method
# used for authentication and key distribution:
#    1: MD5/prefix+suffix (a.k.a. keyed-MD5) [RFC 2002]
#    4: HMAC-MD5 [RFC 2104]
#    5: SHA-1 [FIPS 180-1]
#    6: HMAC-SHA1 [RFC 2104]
# The format of the shared secret field is identical to the one used with the
# MN-HA security association list above.
#
FA_SECURITY_BEGIN
# SPI		FA IP		Alg.	Shared Secret
# No FA associations are active (both rows are commented out), so per the
# note above every FA-HA session key exchange falls back to RSA public-key
# encryption; that path is then protected only by PublicKeyHashMethod below.
#2001		192.168.0.1	4	0123456789ABCDEF
#2002		192.168.0.2	4	"eslkfj89jr3hduh3R!as"
FA_SECURITY_END
#
# The Highest FA public key can be protected from man-in-the-middle style
# attacks between the HFA and the HA with a hash code. The use of this hash
# is optional, but recommended. The HA can check the hash code in
# different ways.
# Methods:
#    0: skip the hash code completely (not recommended)
#    1: if the hash code is received, check the public key with it
#    2: require the correct hash code for every registration message
#       with a public key (this may prevent the use of some organizations
#       which do not advertise the hash code)
# Method 1 checks the public key only when a hash code accompanies it; a
# registration that omits the hash is still accepted. Method 2 (described
# above) is the stricter choice when every peer organization advertises
# the hash code.
PublicKeyHashMethod 1
#
########################################################################

# The log messages are written through syslog service. The facility to be
# used defaults to LOG_LOCAL0, but it can be set with this parameter
# to any of the possible facilities (LOG_AUTHPRIV, LOG_DAEMON, and so on).
# The processing of log messages is defined in /etc/syslog.conf file.
# Overrides the LOG_LOCAL0 default mentioned above; routing of these
# messages is then governed by the syslog configuration.
SyslogFacility LOG_DAEMON

# Home Agents (and Foreign Agents) use unix domain sockets
# to communicate through their API interfaces.
# The group and owner must be given as names (strings); numeric group IDs or
# user IDs are not allowed. The file permissions are set in octal values like in chmod(1).
# The configuration parameters of the two API sockets are as follows:
# Read socket: 0766 makes the socket file writable by every local user, and
# on Linux write permission is what allows connecting to a unix domain
# socket. Confirm that unprivileged local access to the read API is
# intended; otherwise use the 0700 applied to the admin socket below.
HAAPIReadSocketPath "/var/run/dynamics_ha_read"
HAAPIReadSocketGroup "root"
HAAPIReadSocketOwner "root"
HAAPIReadSocketPermissions 0766
#
# Admin socket: owner-only access (root), which is the appropriate setting
# for a control interface.
HAAPIAdminSocketPath "/var/run/dynamics_ha_admin"
HAAPIAdminSocketGroup "root"
HAAPIAdminSocketOwner "root"
HAAPIAdminSocketPermissions 0700
#
# Every configuration file must end with the keyword 'END'.
# Must remain the last keyword in the file (see the note above).
END