agent.h revision 7c478bd95313f5f23a4c958a745db2134aa03244
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 1999-2003 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _AGENT_H
#define _AGENT_H
#pragma ident "%Z%%M% %I% %E% SMI"
/*
* This file contains definitions for structures used by
* Mobility Agents (either Home Agents or Foreign Agents)
*/
#ifdef __cplusplus
extern "C" {
#endif
#include <synch.h>
#include <pthread.h>
#include <netinet/if_ether.h>
#include "mip.h"
#include "hash.h"
#include "aaa.h"
/* Hash types */
#define HASH_IT 0
#define MD5_HASH 1
#define MAX_FN_LEN 256
#define VERSION_MAJOR 1
#define VERSION_MINOR 0
/*
* We do not current support simultaneous bindings
* due to the new tunnel driver architecture. This
* is something that we may wish to change in the
* future.
*/
#define MAX_SIMULTANEOUS_BINDINGS 7
#define DEFAULT_MAX_REG_TIME 300
#define DEFAULT_MAX_ADV_TIME 300
#define DEFAULT_MAX_INTERVAL 10
#define DEFAULT_MIN_INTERVAL 1
#define ADV_INIT_COUNT_DEFAULT 1
#define ADV_INIT_COUNT_MIN 0
#define DEFAULT_FRESHNESS_SLACK 300
#define DEFAULT_ADVERTISEMENT_INTERVAL 5
#define MIP_PORT 434
/*
* These are for the IPsec flags in the MobilityAgentEntry.
*/
#define IPSEC_REQUEST 0x01
#define IPSEC_REPLY 0x02
#define IPSEC_TUNNEL 0x04
#define IPSEC_REVERSE_TUNNEL 0x08
#define APPLY(x) (x)
#define PERMIT(x) ((x) << 4)
/*
* We define the other way so we can have indexes into validIPsecAction[],
* and the maIPsec*'s in the MobilityAgentEntry struct, too.
*/
#define FIRST_IPSEC_ACTION 0
#define IPSEC_APPLY 0
#define IPSEC_PERMIT 1
#define LAST_IPSEC_ACTION 2
/*
* The above pair of 6 macros yield the following:
*
* bit 1 -> APPLY(IPSEC_REQUEST) = IPSEC_REQUEST_APPLY
* bit 2 -> APPLY(IPSEC_REPLY) = IPSEC_REPLY_APPLY
* bit 3 -> APPLY(IPSEC_TUNNEL) = IPSEC_TUNNEL_APPLY
* bit 4 -> APPLY(IPSEC_REVERSE_TUNNEL) = IPSEC_REVERSE_TUNNEL_APPLY
* bit 5 -> PERMIT(IPESC_REQUEST) = IPSEC_REQUEST_PERMIT
* bit 6 -> PERMIT(IPSEC_REPLY) = IPSEC_REPLY_PERMIT
* bit 7 -> PERMIT(IPSEC_TUNNEL) = IPSEC_TUNNEL_PERMIT
* bit 8 -> PERMIT(IPSEC_REVERSE_TUNNEL) = IPSEC_REVERSE_TUNNEL_PERMIT
*/
#define IPSEC_REQUEST_APPLY 0x01
#define IPSEC_REPLY_APPLY 0x02
#define IPSEC_TUNNEL_APPLY 0x04
#define IPSEC_REVERSE_TUNNEL_APPLY 0x08
#define IPSEC_REQUEST_PERMIT 0x10
#define IPSEC_REPLY_PERMIT 0x20
#define IPSEC_TUNNEL_PERMIT 0x40
#define IPSEC_REVERSE_TUNNEL_PERMIT 0x80
/*
* Bitmasks for the maIPsecSAFlags[] members of the MobilityAgentEntry struct
* that we pass to mipagentstat. As the HA_PEER we use request-permit,
* reply-apply, tunnel-apply, and reverse-tunnel permit. This means we have to
* mask-in reply and tunnel from maIPsecSAFlags[IPSEC_APPLY], and request and
* reverse tunnel from maIPsecSAFlags[IPSEC_PERMIT]. As an FA_PEER we use
* request-apply, reply-permit, tunnel-permit, and reverse-tunnel-apply. This
* means we have to mask-in request and reverse-tunnel from
* maIPsecSAFlags[IPSEC_APPLY], and reply and tunnel from
* maIsecSAFlags[IPSEC_PERMIT].
*/
/* type: RQRPFTRT */
/* SA : AEAEAEAE */
/* 0x3c, 00111100b */
/* 0xc3, 11000011b */
/* 0xc3, 11000011b */
/* 0x3c, 00111100b */
#define IPSEC_CONF_COMMAND_SIZE 37
#define CONF_FILE_NAME "/etc/inet/mipagent.conf"
/* easy flag to index algorithm (warning: use on flags only!) */
#define ADD_POLICY 0
#define SUB_POLICY 1
#define IPSEC(x) ipsec_policy_action[x]
/*
* Maximum number of visitor entries (accepted + pending) maintained
* at a Foreign Agent. A foreign agent sets the busy bit 'B' in its
* advertisements when number of visitors reaches DEFAULT_HIGH_VISITORS
* and does not reset it till it drops below DEFAULT_LOW_VISITORS.
* A pending entry is kept in the visitor table for at most
* DEFAULT_VISITOR_EXPIRY seconds.
*
* The new solaris Mobile-IP does not have any such restrictions,
* therefore we will set the visitor entry threshold to some ungodly
* large number, which can be overriden by the administrator.
*/
#define DEFAULT_HIGH_VISITORS -1
#define DEFAULT_LOW_VISITORS -5
#define DEFAULT_VISITOR_EXPIRY 30
#ifdef FIREWALL_SUPPORT
/* Max number of address intervals for specifying protected domain */
#define MAX_ADDR_INTERVALS 6
/* Max. number of firewalls */
#define MAX_FIREWALLS 3
#endif /* FIREWALL_SUPPORT */
#define MAX_IFNAME_LEN 8
#define MAX_HWADDR_LEN sizeof (struct ether_addr)
#define MAX_TIME_STRING_SIZE 32
/*
* The following bits are set depending on the value of 'ReverseTunnelAllowed
* and ReverseTunnelRequired' parameter in the mipagent.conf file. By default
* the value for each is RT_NONE. It's a policy set by the configuration file
* to check if Reverse Tunnel bit must be present or NOT in the registration
* request. For example a FA may only accept registration packet with 'T' bit
* on while the HA accepts regReq with or without T bit on. These are for
* reverse tunnel settings. We advertise the T-bit on a per-interface level,
* so discern only on a per-interface, and not a per-agent-per-interface level
* (e.g. advertise the 'T' bit, but only enforce reverse-tunnel-required on
* the HA). These will allow us to do that.
*/
#define RT_NONE 0x0
#define RT_HA 0x1
#define RT_FA 0x2
#define RT_BOTH 0x3
/*
* The following are the minimum and maximum values
* that one can configure for garbage collection. Note
* that this feature is largely undocumented, and can be
* used to alter the frequency that the agent attempts to
* clean up expired data structures.
*/
#define MIN_GARBAGE_COLLECTION_INTERVAL 5
#define MAX_GARBAGE_COLLECTION_INTERVAL 120
#define DEFAULT_GARBAGE_COLLECTION_INTERVAL 15
#define UNSOLICITED_ADV 1
#define SOLICITED_ADV 2
/* One such entry for each mobility-supporting interface */
typedef struct {
/*
* The nodeLock field MUST be the first field present in
* this structure, and is required by the hashing mobule.
*/
int maIfaceIcmpSock; /* ICMP socket bound to ifaceAddr */
int maIfaceUnicastSock; /* UDP socket bound to IfaceAddr */
int maIfaceBcastSock; /* ... bound to subnet bcastAddr */
int maIfaceDirBcastSock; /* ... to directed bcast Addr */
int maIfaceAdvMulticastSock; /* ... bound to mcastAddr */
int maIfaceRegMulticastSock; /* ... bound to mcastAddr */
/* boolean maAdvResponseSolicitationOnly; */
unsigned short maAdvSeqNum;
/* dynamic interface support */
/* maAdvLimitUnsolicited is true */
/*
* Mobile tunnel specific data
*/
typedef struct {
} MipTunlEntry;
/* One entry for each visiting mobile node at a foreign agent. */
typedef struct {
/*
* The nodeLock field MUST be the first field present in
* this structure, and is required by the hashing mobule.
*/
/* which visitor is reachable */
/* reg. request is recvd */
/*
* The Home Agent maintains one such entry for each mobility binding.
* A single mobile node may have multiple bindings.
*/
typedef struct habindingentry {
/*
* The Home Agent maintains one mobile node entry for each supported Mobile
* Node. In addition, the Home Agent keeps a MipSecAssocEntry for
* for every other node with which it shares a mobility security
* association. By using the interface information, the home agent
* can filter out broadcast packets that it picks up from subnets
* other than the mobile node's home subnet.
*/
typedef struct {
/*
* The nodeLock field MUST be the first field present in
* this structure, and is required by the hashing mobule.
*/
/* node's home subnet */
/* protection */
int haMnBindingCnt; /* Number of current bindings */
#ifdef RADIUS_ENABLED
char *haRadiusState; /* maintains radius state info */
#endif /* RADIUS_ENABLED */
/* successful registrations */
/* failed registrations */
/* service time */
/* service was provided */
/* service was denied */
/* code */
/*
* Mobility Agent Authentication Information.
*/
typedef struct {
/*
* The nodeLock field MUST be the first field present in
* this structure, and is required by the hashing mobule.
*/
/*
* The following value is used during garbage collection to check
* if this Mobility Agent has expired.
*/
/*
* How is IPsec securing traffic to this agent-peer? Ultimately, all
* we should need are the ipsec_req_t structs here, but that wont
* happen until either ipsec has an API, or they support multiple
* policies per socket. Until then, we need the char strings to pass
* to ipsecconf(1M). We do use the ipsec_req_t structs for our tunnel
* setup, but not at this time for the registration traffic. Still,
* this is setup at init time, so why not parse everything in
* anticipation of ipsec support. Note, also, until ipsec supports
* multiple policies per socket, we can only support symmetric tunnel
* polices (forward tunnel policy = reverse tunnel policy). IPSEC_ORDER
* here refers to the 'depth' of ipsec protection, that is how many
* different actions do we support. This is done this way for
* expandability.
*/
/*
* The SA flags are arranged like this:
*
* Request Reply Tunnel RTunnel
* | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
* AH ESP AH ESP AH ESP AH ESP
*
* So bits 0, 1 say whether AH or ESP are protecting requests, but
* 2, 3 say whether AH or ESP are protecting replies, etc.
* We need one of these SA flag fields for each of our actions.
* This way we know which are specific for APPLY = outbound, PERMIT =
* inbound, (etc, should there be more someday).
*/
/* these are the chars mentioned above that should go away */
#ifdef FIREWALL_SUPPORT
/* Data structure to store the information regarding protected domain */
typedef struct {
} DomainInfo;
#endif /* FIREWALL_SUPPORT */
/*
* Counters common to all Mobility Agents
*
* Note: We will not be locking this structure before modifying it,
* even though we know that we are multi-threaded. The worst case
* scenario is that we will return incorrect statistics to the snmp
* requestor. The cost of locking and unlocking this structure is
* simply not worth it.
*/
typedef struct {
/*
* Counters maintained by Foreign Agents
*
* Note: We will not be locking this structure before modifying it,
* even though we know that we are multi-threaded. The worst case
* scenario is that we will return incorrect statistics to the snmp
* requestor. The cost of locking and unlocking this structure is
* simply not worth it.
*/
typedef struct {
/*
* Counters maintained by Home Agents
*
* Note: We will not be locking this structure before modifying it,
* even though we know that we are multi-threaded. The worst case
* scenario is that we will return incorrect statistics to the snmp
* requestor. The cost of locking and unlocking this structure is
* simply not worth it.
*/
typedef struct {
/* denied with code 137 */
/*
* Mobile-IP is a simple protocol, with limited extensions. Today
* the number of extensions in a single message cannot exceed 10.
*/
#define MAX_EXPECTED_EXTENSIONS 16
/*
* Mobile IP Packets are relatively small, and cannot really
* exceed 2k in size.
*/
#define MAX_PKT_SIZE 2048
#define MAXDLBUF 8192
typedef struct messagehdr {
enum {
MIP_PKT_FROM_FA = 1,
} pktSource;
enum {
PKT_UDP = 1,
} pktType;
unsigned char pkt[MAX_PKT_SIZE];
unsigned int mnNAILen;
enum {
} ifType;
/*
* The following is some AAA Stuff, and can ONLY be set
* if the packet source is AAA.
*/
unsigned char *faNAI;
#ifdef KEY_DISTRIBUTION
/*
* KEY_DISTRIBUTION MUST ONLY BE COMPILED FOR TESTING!!!
*
* interface. The DIAMETER server generates keying
* material that is sent to the Home Agent. The keys
* sent are both for the Home Agent, and for the Mobile
* Node. The keys for the Mobile Nodes are added to the
* registration reply, and the keys for the Home Agent
* cause the Home Agent to create a local SA.
*
* distribution must still be tested, we have added some
* test code in mipagent. When KEY_DISTRIBUTION is enabled,
* the home agent creates and encrypts session keys for
* the Mobile Node (mimicking DIAMETER), and creates local
* SAs. Further, since the session keys MUST also be sent
* to the Foreign Agent, the session keys are sent in the
* clear to the Foreign Agent through Vendor Specific
* extensions.
*
* Again, this code is for testing purpose only and must not
* be enabled for production code, since it hasn't been
* fully tested.
*/
#endif /* KEY_DISTRIBUTION */
/*
* Ancillary data gleaned from the registration request
*/
struct messagehdr *next;
} MessageHdr;
/*
* This entry holds the dynamic interface type and the common
* information that will be applied to all dynamic interfaces
* of the same type. For example, for an entry of interfacename
* ppp*, there will be one such entry.
*/
typedef struct dynamicIfacetype {
struct dynamicIfacetype *next;
int RegLifetime;
int AdvLifetime;
char dynamicIfcetype[LIFNAMSIZ];
/* DynamicInterface, dynamicIfaceHead variables are set in agentInit.c */
/*
* This data structure keeps track of existing interfaces
* at the time of mipagent startup
*/
typedef struct staticIface {
struct staticIface *next;
/* \
* Support for non-traditional \
* extension header formats \
* \
* Get a pointer to the data and its length \
*/ \
break; \
} \
} \
/* \
* Support for non-traditional \
* extension header formats \
* \
* Get a pointer to the data and its length \
*/ \
break; \
} \
} \
/*
*/
REG_GEN_AUTH_EXT_TYPE) && \
/* \
* Get a pointer to the data and its length \
*/ \
break; \
} \
} \
/*
* Support for vendor specific extensions.
*/
/* \
* Get a pointer to the data and its length \
*/ \
break; \
} \
} \
#define GET_TIME(currentTime) \
{ \
currentTime = 0; \
} else { \
} \
}
#define GENERATE_NET_BROADCAST_ADDR(entry) \
/* Common agent functions used by multiple files */
extern int CreateListOfExistingIntfce(void);
extern int startDynamicInterfaceThread(void);
extern int killDynamicInterfaceThread(void);
extern int InitSockets(MaAdvConfigEntry *);
extern void docleanup(void);
extern void disableService(struct hash_table *);
#ifdef __cplusplus
}
#endif
#endif /* _AGENT_H */