HTTP/1.1 200 OK Date: Tue, 09 Apr 2002 05:29:07 GMT Server: Apache/1.3.20 (Unix) Last-Modified: Tue, 30 May 1995 22:00:00 GMT ETag: "3049ab-1921c-2fcb9560" Accept-Ranges: bytes Content-Length: 102940 Connection: close Content-Type: text/plain Internet Engineering Task Force C. Perkins, editor INTERNET DRAFT IBM 27 May 1995 IP Mobility Support draft-ietf-mobileip-protocol-10.txt Status of This Memo This document is a submission by the Mobile-IP Working Group of the Internet Engineering Task Force (IETF). Comments should be submitted to the mobile-ip@tadpole.com mailing list. Distribution of this memo is unlimited. This document is an Internet-Draft. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months, and may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as reference material, or to cite them other than as a ``working draft'' or ``work in progress.'' To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the internet-drafts Shadow Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). Abstract This document specifies protocol enhancements that allow transparent routing of IP datagrams to mobile nodes in the Internet. Each mobile node is always identified by its home address, regardless of its current point of attachment to the Internet. While situated away from its home, a mobile node is also associated with a care-of address, which provides information about its current point of attachment to the Internet. The protocol provides for registering the care-of address with a home agent. The home agent sends traffic destined for the mobile node through a tunnel to the care-of address. Perkins, editor Expires 27 November 1995 [Page i] Internet Draft IP Mobility Support 27 May 1995 Contents Status of This Memo i Abstract i 1. Introduction 1 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . 2 1.2. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 3 1.4. Specification Language . . . . . . . . . . . . . . . . . 3 1.5. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 2. Agent Discovery 6 2.1. Agent Solicitation . . . . . . . . . . . . . . . . . . . 6 2.2. Agent Advertisement . . . . . . . . . . . . . . . . . . . 7 3. Registration 8 3.1. Authentication . . . . . . . . . . . . . . . . . . . . . 9 3.2. Registration Request . . . . . . . . . . . . . . . . . . 9 3.3. Registration Reply . . . . . . . . . . . . . . . . . . . 11 4. Mobility Message Extensions 14 4.1. Mobility Extension . . . . . . . . . . . . . . . . . . . 15 4.2. Key Identifier Extension . . . . . . . . . . . . . . . . 16 4.3. Mobile-Home Authentication Extension . . . . . . . . . . 16 4.4. Mobile-Foreign Authentication Extension . . . . . . . . . 17 4.5. Foreign-Home Authentication Extension . . . . . . . . . . 18 5. Forwarding Datagrams to the Mobile Node 19 5.1. IP in IP Encapsulation . . . . . . . . . . . . . . . . . 19 5.2. Minimal Encapsulation . . . . . . . . . . . . . . . . . . 19 6. Mobile Node Considerations 22 6.1. Configuration and Registration Tables . . . . . . . . . . 22 6.2. Registration When Away From Home . . . . . . . . . . . . 22 6.3. Registration with a dynamically assigned care-of address 23 6.4. Deregistration When At Home . . . . . . . . . . . . . . . 24 6.5. Registration Replies . . . . . . . . . . . . . . . . . . 24 6.6. Registration Retransmission . . . . . . . . . . . . . . . 25 6.7. Simultaneous mobility bindings . . . . . . . . . . . . . 25 6.8. Mobile Routers . . . . . . . . . . . . . . . . . . . . . 25 7. Foreign Agent Considerations 27 Perkins, editor Expires 27 November 1995 [Page ii] Internet Draft IP Mobility Support 27 May 1995 7.1. Configuration and Registration Tables . . . . . . . . . . 27 7.2. Receiving Registration Requests . . . . . . . . . . . . . 28 7.3. Receiving Registration Replies . . . . . . . . . . . . . 28 7.4. Decapsulation . . . . . . . . . . . . . . . . . . . . . . 28 8. Home Agent Considerations 29 8.1. Configuration and Registration Tables . . . . . . . . . . 29 8.2. Receiving Registration Requests . . . . . . . . . . . . . 29 8.3. Simultaneous mobility bindings . . . . . . . . . . . . . 31 8.4. Registration Expiration . . . . . . . . . . . . . . . . . 31 8.5. Encapsulation . . . . . . . . . . . . . . . . . . . . . . 31 8.6. Broadcast packets . . . . . . . . . . . . . . . . . . . . 32 8.7. Multicast packets . . . . . . . . . . . . . . . . . . . . 32 9. Security Considerations 33 9.1. Message Authentication Codes . . . . . . . . . . . . . . 33 9.2. Tunneling to Care-of Addresses . . . . . . . . . . . . . 33 9.3. Key management . . . . . . . . . . . . . . . . . . . . . 33 9.4. Picking good random numbers . . . . . . . . . . . . . . . 34 9.5. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 34 9.6. Replay Protection for Registration Requests . . . . . . . 34 9.6.1. Replay Protection using Nonces . . . . . . . . . 35 9.6.2. Replay Protection using Timestamps . . . . . . . 36 10. Acknowledgements 36 A. Gratuitous and Proxy ARP 37 B. Link-Layer considerations 38 B.1. Point-to-Point Link-Layers . . . . . . . . . . . . . . . 38 B.2. Multi-Point Link-Layers . . . . . . . . . . . . . . . . . 39 C. TCP Considerations 39 C.1. TCP Timers . . . . . . . . . . . . . . . . . . . . . . . 39 C.2. TCP Congestion Management . . . . . . . . . . . . . . . . 39 D. Tunnel Management 40 Chair's Address 43 Editor's Address 43 Perkins, editor Expires 27 November 1995 [Page iii] Internet Draft IP Mobility Support 27 May 1995 1. Introduction Current versions of the Internet Protocol make an implicit assumption that a node's point of attachment remains fixed, and that its IP address identifies the network to which it is attached. Datagrams are sent to a node based on the location information contained in the node's IP address. If a node moves while keeping its IP address unchanged, its network number will not reflect its new point of attachment. Existing routing protocols will be unable to route datagrams to it correctly. This document defines new functions that allow a node to roam on the Internet, without changing its IP address. The following entities are defined: Mobile Node A host or router that changes its point of attachment from one network or subnetwork to another. Home Agent A router that maintains a registry of the current mobility bindings for that mobile node, and encapsulates datagrams for delivery to the mobile node while it is away from home. Foreign Agent A router that assists a locally reachable mobile node that is away from its home network. Care-of Address The care-of address terminates the end of a tunnel toward a mobile node. Depending on the network configuration, the care-of address may be either dynamically assigned to the mobile node or associated with a foreign agent. The following support services are defined: Agent Discovery Home agents and foreign agents advertise their availability on each link for which they provide service. A newly arrived mobile node can send a solicitation on the link to learn if any prospective agents are present. Perkins, editor Expires 27 November 1995 [Page 1] Internet Draft IP Mobility Support 27 May 1995 Registration When the mobile node is away from home, it registers its care-of address with its home agent. Depending on its method of attachment, the mobile node will register either directly with its home agent, or through a foreign agent which forwards the registration to the home agent. Encapsulation Encapsulation, as used in this draft, means the process of enclosing the data within an IP datagram inside another IP header. This process is also known as "tunneling", since it can be used to hide the original IP header information during delivery to the new IP destination specified in the encapsulated datagram. The enclosing IP header can (and usually will) contain a IP destination address, and/or IP source address, and/or different protocol field which differs from the original IP header. Decapsulation Decapsulation is the inverse process to encapsulation. At the destination, the enclosed datagram is extracted by removing the encapsulating IP header, and possibly creating a new IP header based on the information available in the encapsulating IP header and the data that had been encapsulated. Typically, after decapsulating the resulting datagram may be delivered to another destination. 1.1. Requirements A mobile node using its home address shall be able to communicate with other nodes after having been disconnected from the Internet, and then reconnected at a different point of attachment. Implementation of the protocol described in this document shall not adversely affect a mobile node's capability to communicate with other nodes that do not implement these mobility functions. No protocol enhancements are required in hosts or routers that are not serving any of the mobility functions. A mobile node shall provide authentication in its registration messages, ad described in subsection 3.1. Perkins, editor Expires 27 November 1995 [Page 2] Internet Draft IP Mobility Support 27 May 1995 1.2. Goals The mobile node's directly attached link is likely to be bandwidth limited. Only a few administrative messages should be sent between a mobile node and an agent. The size of these messages should be kept as short as possible. As few messages as possible which duplicate functionality are sent on mobile links. This is particularly important on wireless and congested links. 1.3. Assumptions The protocols defined in this document place no additional constraints on assignment of IP addresses. That is, a mobile node can be assigned an IP address by the organization that owns the machine, and will be able to use that IP address regardless of the current point of attachment. It is assumed that mobile nodes will not change their point of attachment to the Internet more frequently than once per second. It is assumed that IP unicast datagrams are routed based on the destination address in the datagram header. 1.4. Specification Language In this document, several words are used to signify the requirements of the specification. These words are often capitalized. MUST This word, or the adjective "required", means that the definition is an absolute requirement of the specification. MUST NOT This phrase means that the definition is an absolute prohibition of the specification. SHOULD This word, or the adjective "recommended", means that there may exist valid reasons in particular circumstances to ignore this item, but the full implications must be understood and carefully weighed before choosing a different course. MAY This word, or the adjective "optional", means that this item is one of an allowed set of Perkins, editor Expires 27 November 1995 [Page 3] Internet Draft IP Mobility Support 27 May 1995 alternatives. An implementation which does not include this option MUST be prepared to interoperate with another implementation which does include the option. silently discard The implementation discards the packet without further processing, and without indicating an error to the sender. The implementation SHOULD provide the capability of logging the error, including the contents of the discarded packet, and SHOULD record the event in a statistics counter. 1.5. Terminology This document frequently uses the following terms: Agent Advertisement A periodic advertisement constructed by attaching a special extension to a router advertisement [5] message. Correspondent A peer with which a mobile node is communicating. The correspondent may be either mobile or stationary. Home Address A long-term IP address that is assigned to a mobile node. It remains unchanged regardless of where the node is attached to the Internet. Datagrams addressed to the home address are intercepted by the home agent while the mobile node is registered with that home agent. Link A communication facility or medium over which nodes can communicate at the link layer; a link underlies the network layer. Link-Layer Address The address used to identify the endpoints of the communication over a physical link. Also commonly known as a MAC address. Perkins, editor Expires 27 November 1995 [Page 4] Internet Draft IP Mobility Support 27 May 1995 Mobility Agent Either a home agent or a foreign agent. Mobility Binding The association of a home address with a care-of address, and the remaining lifetime of the association. Mobility Security Association The mobility security association between a pair of nodes identifies the security context to be applied to Mobile IP protocol messages which they exchange. This relationship includes the authentication type (i.e., algorithm and algorithm mode), the secret (such as a shared key, or appropriate public/private key pair), and information about the style of replay protection in use. Note that a single algorithm (such as DES) might have several modes (for example, CBC and ECB)(see [16], [11]). Perkins, editor Expires 27 November 1995 [Page 5] Internet Draft IP Mobility Support 27 May 1995 2. Agent Discovery To communicate with a foreign or home agent, a mobile node must learn either the IP address or the link address of that agent. It is assumed that a link-layer connection has been established between the agent and the mobile node. The method used to establish such a link-layer connection is not specified in this document. After establishing a link-layer connection, the mobile node learns whether there are any agents available. If the address of any agent matches the mobile node's stored address for its home agent, the mobile node is at home. An agent which is not indicated by a link-layer protocol MUST implement ICMP Router Discovery [5]. The router advertisements indicate whether the router is also a home agent or a foreign agent. When multiple methods of agent identification are in use, the mobile node SHOULD first attempt registration with routers sending router advertisements in preference to those sending link-layer advertisements. This ordering maximizes the likelihood that the registration will be recognized, thereby minimizing the number of registration attempts. No authentication is required for the advertisement and solicitation process. These messages MAY be authenticated using the IP Authentication Header [14], which is external to the messages described here. Further specification of authentication of advertisement and solicitation is outside of the scope of this document. 2.1. Agent Solicitation Every mobile node MUST implement ICMP Router Solicitation (RFC 1256 [5]) if it needs to obtain a care-of address in an agent advertisement. However, the solicitation is only sent when no care-of address has been determined through a link-layer protocol or prior router advertisement. Any mobility agent which is not identified by a link-layer protocol MUST respond to ICMP Router Solicitation. Mobility agents SHOULD respond to ICMP Router Solicitation. The same procedures, defaults, and constants are used as described in RFC 1256, except that the mobile node may solicit more often than once every three seconds and MAX_SOLICITATIONS does not apply for mobile nodes that are currently unconnected to any foreign agent. A mobile node MAY send a solicitation once each MOBILE_SOLICITATION_INTERVAL (1 second) until the solicitation is Perkins, editor Expires 27 November 1995 [Page 6] Internet Draft IP Mobility Support 27 May 1995 answered by a mobility agent, and the mobile node can finally issue a registration request. 2.2. Agent Advertisement Mobile nodes must process ICMP router advertisements[5]. Any mobility agent which is not indicated by a link-layer protocol MUST send ICMP Router Advertisements. An agent which is indicated by a link-layer protocol SHOULD also implement router advertisements. However, the advertisements need not be sent, except when the site policy requires registration with the agent, or as a response to a specific solicitation. ICMP router advertisements that carry the required Mobility Extension (subsection 4.1) are called agent advertisements in this document, and can be identified by examining the number of advertised addresses. When the IP total length indicates that the ICMP message is longer than needed for the number of addresses present, the remaining data is interpreted as extensions. The extensions are described in section 4. Other extensions may indicate optionally supported features. The same procedures, defaults, and constants are used as described in RFC 1256 [5], except as specified herein; a foreign agent MUST NOT send agent advertisements more often than once per second. The sequence number in agent advertisements ranges from 0 to 0xffff. After booting, an agent shall use the number 0 for its first advertisement. Each subsequent advertisement shall use the sequence number one greater, with the exception that the sequence number 0xffff shall be followed by sequence number 256. In this way, mobile clients can distinguish reductions in sequence numbers that result from reboots, from reductions that result in rollover of the sequence number after it attains the value 0xffff. The Code field of the ICMP router advertisement is interpreted as follows: 0 The router handles common traffic -- that is, IP data packets not necessarily related to mobile nodes. 16 A home or foreign agent which supports registration, but is not routing common traffic. Perkins, editor Expires 27 November 1995 [Page 7] Internet Draft IP Mobility Support 27 May 1995 3. Registration The registration function exchanges information between a mobile node and its home agent. Registration creates a mobility binding, associating the mobile node's home address with a care-of address which can be used to reach the mobile node. When it has been dynamically assigned a care-of address, a mobile node can act without a foreign agent, and register or deregister directly with a home agent by the exchange of only 2 messages: a) The mobile node sends a registration request to a home agent, asking it to provide service. b) The home agent sends a registration reply to the mobile node, granting or denying service. When the care-of address is associated with a foreign agent, the foreign agent acts as a relay between the mobile node and home agent. This extended registration process involves the exchange of 4 messages: a) The mobile node sends a registration request to the prospective foreign agent to begin the registration process. b) The foreign agent relays the request to the home agent, asking it to provide service to the mobile node. c) The home agent sends a registration reply to the foreign agent to grant or deny service. d) The foreign agent relays the registration reply to the mobile node to inform it of the disposition of its request. The registration messages defined in this section(3.2, 3.3) use the User Datagram Protocol header [18]. A nonzero UDP checksum SHOULD be included in the header, and checked by each recipient. An administrative domain MAY require a visiting mobile node to register via a foreign agent (see the description of the "R" bit, in subsection 4.1). This facility is envisioned for service providers with packet filtering fire-walls, or visiting policies (such as accounting) which require exchanges of authorization. Perkins, editor Expires 27 November 1995 [Page 8] Internet Draft IP Mobility Support 27 May 1995 3.1. Authentication Each mobile node, foreign agent, and home agent MUST support the maintenance of an internal table holding a list of security associations for mobile entities, indexed by their IP address. See section 9.1 for support requirements for authentication algorithms. Only one mobility security association at a time is in effect between any given pair of participating nodes. Whenever a mobility security association exists between a pair of nodes, all registration messages between these nodes MUST be authenticated. In particular, registration messages between mobile node and home agent are required to be authenticated with the Mobile-Home Authentication Extension (subsection 4.3). This extension immediately follows all non-authentication extensions, except those foreign agent specific extensions which may be added to the packet after the mobile node computes the authentication. 3.2. Registration Request A mobile node sends a registration request message so that its home agent can create a new mobility binding for that mobile node (with a new lifetime). The request may be relayed to the home agent by the foreign agent from which the mobile node is accepting service, or it may be sent directly in case the mobile node has received a temporary care-of address by some other means (e.g, DHCP [6]). IP fields: Source For registering with a foreign agent whose IP address is known, the source address of Registration Request from the mobile node to the foreign agent is the IP address of the interface from which the packet is sent. For registering without a foreign agent, the source address on the registration request MUST be the temporary address that has been acquired by the mobile node for its care-of address. Destination When the IP address is unknown (the agent was discovered via a link-layer protocol), the "All Mobility Agents" multicast address (224.0.0.11) is used. The link-layer unicast address is used to deliver the datagram to the correct agent. For registering with a foreign agent, the Registration Request from the mobile node to the foreign agent should have the destination address of Perkins, editor Expires 27 November 1995 [Page 9] Internet Draft IP Mobility Support 27 May 1995 the foreign agent, copied from the source address of the Agent Advertisement in which the mobile node learned of that foreign agent. The foreign agent then sends the Registration Request to the home agent, using the destination address copied from the Home Agent field of the Registration Request For registering without a foreign agent, the destination address should be the address that the mobile node uses for its home agent. UDP fields: Source Port variable Destination Port 434 The UDP header is followed by the Mobile-IP fields shown below: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type |S|B|F|M|G|rsvd | Lifetime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Home Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Home Agent | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Care-of Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extensions ... +-+-+-+-+-+-+-+- Type 1, for version 1 of this protocol S If the 'S' bit is set, the mobile client is requesting that the home agent retain its prior mobility bindings. In this way, the mobile client can be registered at multiple care-of addresses. B If the 'B' bit is set, the mobile client requests that the home agent send to it, all broadcasts on the home network. See subsection 8.6 for a full discussion. Perkins, editor Expires 27 November 1995 [Page 10] Internet Draft IP Mobility Support 27 May 1995 F If the 'F' bit is set, the mobile client is registering with a dynamically assigned care-of address it has obtained. This typically implies that the mobile host will decapsulate datagrams which are sent to the care-of address. M If the 'M' bit is set, the mobile node requests home agent to encapsulate using minimal encapsulation (section 5.2) G If the 'G' bit is set, the mobile node requests home agent to encapsulate using GRE encapsulation ([9]). Lifetime The number of seconds remaining before the registration is considered expired. A value of zero indicates a request for deregistration. A value of all ones indicates infinity. Home Address The IP address of the mobile node. Home Agent The IP address of a home agent. Care-of Address The IP address for the decapsulation end of a tunnel. Identification A 64-bit number, constructed by the mobile node, used to assist in matching requests with replies, and in protecting against replay attacks (see subsections 9.4, 9.6). 3.3. Registration Reply The registration reply message is returned by a home agent to a mobile node which has sent a registration request (subsection 3.2) message. If the mobile node is accepting service from a foreign agent, that foreign agent will receive the reply from the home agent and subsequently relay it to the mobile node. The reply message contains the necessary codes to inform the mobile node about the status of its request, along with the lifetime granted by the home agent, which MAY be smaller than the original request. See subsection 8.2 for details regarding the selection of the reply identification. When the lifetime of the reply is greater than the original request, the excess time MUST be ignored. When the lifetime of the reply is smaller than the original request, another registration SHOULD occur before the lifetime expires. Perkins, editor Expires 27 November 1995 [Page 11] Internet Draft IP Mobility Support 27 May 1995 IP fields: Source copied from the destination address of the Registration Request to which the agent is replying Destination copied from the source address of the Registration Request to which the agent is replying UDP fields: Source Port variable Destination Port variable, depending upon the source port of the request A foreign agent that has received a registration request message must save the IP source address and the UDP source port from that message so that it will be able to send the subsequent registration reply message to the correct UDP port on the mobile node. The UDP header is followed by the Mobile-IP fields shown below: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Code | Lifetime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Home Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Home Agent | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extensions ... +-+-+-+-+-+-+-+- Type 3 Code One of the following codes: 0 service will be provided 1 service will be provided; simultaneous mobility bindings unsupported Perkins, editor Expires 27 November 1995 [Page 12] Internet Draft IP Mobility Support 27 May 1995 Service denied by the foreign agent: 16 reason unspecified 17 administratively prohibited 18 insufficient resources 19 mobile node failed authentication 20 home agent failed authentication 21 requested lifetime too long 22 home agent unreachable (ICMP error) 23 poorly formed request 24 poorly formed reply Service denied by the home agent: 32 reason unspecified 33 administratively prohibited 34 insufficient resources 35 mobile node failed authentication 36 foreign agent failed authentication 37 identification mismatch 38 poorly formed request 39 too many simultaneous mobility bindings Up-to-date values of the Code field are specified in the most recent "Assigned Numbers" [20]. Lifetime The seconds remaining before the registration is considered expired. A value of zero confirms a request for deregistration. A value of all ones indicates infinity. Home Address The IP address of the mobile node. Home Agent The IP address of a home agent. Identification The registration identification is derived from the request message, for use by the mobile node in matching its reply with an outstanding request. Perkins, editor Expires 27 November 1995 [Page 13] Internet Draft IP Mobility Support 27 May 1995 4. Mobility Message Extensions Each message begins with a short fixed part, followed by one or more mobility message extensions in type-length-value format. These extensions may apply to agent advertisement messages (subsection 2.2) and registration messages (section 3). 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Extension | Length | Data ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Extension Current values are assigned as follows: 16 Mobility 18 Key Identifier 32 Mobile-Home Authentication 33 Mobile-Foreign Authentication 34 Foreign-Home Authentication Up-to-date values are specified in the most recent "Assigned Numbers" [20]. Length Indicates the length (in bytes) of the data field. The length does not include the Extension and Length bytes. Data This field is zero or more bytes in length and contains the value(s) for this extension. The format and length of the data field is determined by the extension and length fields. Extensions allow variable amounts of information to be carried within each datagram. The end of the list of extensions is indicated by the total length of the IP datagram. When an extension numbered in the range 0-127 is encountered but not recognized, the packet containing the extension must be dropped. When an extension numbered in the range 128-255 is encountered which is not recognized, that particular extension is ignored, but the rest of the packet data can still be processed. The length field of the extension is used to skip the data field in searching for the next extension. Perkins, editor Expires 27 November 1995 [Page 14] Internet Draft IP Mobility Support 27 May 1995 4.1. Mobility Extension The Mobility Extension is used to indicate that a router advertisement message is actually an agent advertisement being sent by a mobility agent (see subsection 2.2). When foreign agents cannot accept new requests for service from mobile clients, they will set the Busy bit; if the Busy bit is turned off, the agent may attract new mobile clients. An agent which wishes to serve as a foreign agent, sets the 'F' bit in the mobility extension; likewise an agent which wishes to serve as a home agent sets the 'H' bit in the mobility extension. Any home agent must always be prepared to serve its mobile clients; it is an error to have the 'B' bit set without also having the 'F' bit set. When the 'R' bit is set to 1, the mobile node SHOULD register through the foreign agent, even when the mobile node has acquired a transient care-of address. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extension | Length | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Lifetime |R|B|H|F|M|G| reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | zero or more Care-of Addresses | | ... | Extension 16 Length (6 + 4*N), where N is the number of care-of addresses advertised. Sequence number The count of advertisement messages sent since the agent was initialized (see section 2.2). Lifetime The longest lifetime (measured in seconds) that the agent is willing to accept in any registration request. A value of all ones indicates infinity. R Foreign agent registration required bit. B Busy bit. The foreign agent is not willing to accept any more registrations. H Agent offers service as a home agent. F Agent offers service as a foreign agent. Perkins, editor Expires 27 November 1995 [Page 15] Internet Draft IP Mobility Support 27 May 1995 M Agent offers minimal encapsulation (section 5.2) G Agent offers GRE encapsulation (see [9]). reserved Sent as zero; ignored on reception. Care of Address a foreign agent's care-of addresses DISCUSSION: Should the agent advertisement include the subnet prefix(es) of the medium to which the mobile client is attached? 4.2. Key Identifier Extension The key identifier extension is found in registration requests (see subsection 3.2). This extension informs the home agent that authentication is performed using a cryptographic key or algorithm different than the home agent would use by default. If a home agent receives a registration request which does not contain this extension, the home agent must assume that the mobile node used the default Message Authentication Code (see subsection 9.1) to authenticate the registration. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extension | Length | Key Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Extension 18 Length 2 reserved Sent as zero; ignored on reception. Key Identifier The key identifier may be chosen from a list which is privately configured between the home agent and the mobile node. In this case, the identifier is completely opaque; the cryptographic algorithm to be used cannot be determined from the value of the key identifier. 4.3. Mobile-Home Authentication Extension This extension must be present in all registration requests and replies, and is intended to eliminate problems([2]) which result from Perkins, editor Expires 27 November 1995 [Page 16] Internet Draft IP Mobility Support 27 May 1995 the uncontrolled propagation of remote redirects in the Internet. See subsection 9.1 for information about support requirements for message authentication codes, etc. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extension | Length | Authenticator ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Extension 32 Length The number of data bytes in the extension. Authenticator (variable length) A value computed from a stream of bytes including the shared secret, the destination port number from the UDP header, the UDP payload (that is, the registration request or reply data), all prior extensions in their entirety, and the type and length of this extension, but not including the Authenticator field itself. 4.4. Mobile-Foreign Authentication Extension This extension may be found in registration requests and replies where a security association exists between the mobile node and a foreign agent. See subsection 9.1 for information about support requirements for message authentication codes, etc. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extension | Length | Authenticator ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Extension 33 Length The number of data bytes in the extension. Authenticator (variable length) A value computed from a stream of bytes including the shared secret, the destination port number from the UDP header, the UDP payload (that is, the registration request or reply data), all prior extensions in their entirety, and the type and length of this Perkins, editor Expires 27 November 1995 [Page 17] Internet Draft IP Mobility Support 27 May 1995 extension, but not including the Authenticator field itself. DISCUSSION: How can the Key Identifier extension be used? 4.5. Foreign-Home Authentication Extension This extension may be found in registration requests and replies where a security association exists between the foreign agent and a home agent. See subsection 9.1 for information about support requirements for message authentication codes, etc. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extension | Length | Authenticator ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Extension 34 Length The number of data bytes in the extension. Authenticator (variable length) A value computed from a stream of bytes including the shared secret, the destination port number from the UDP header, the UDP payload (that is, the registration request or reply data), all prior extensions in their entirety, and the type and length of this extension, but not including the Authenticator field itself. DISCUSSION: How can the Key Identifier extension be used? Perkins, editor Expires 27 November 1995 [Page 18] Internet Draft IP Mobility Support 27 May 1995 5. Forwarding Datagrams to the Mobile Node 5.1. IP in IP Encapsulation Support for IP in IP encapsulated datagrams is required in home agents and foreign agents, and any mobile node which has been dynamically assigned its own care-of address. When a datagram is already fragmented prior to encapsulating, IP in IP is used. An outer IP header is inserted before the datagram's IP header: +---------------------------+ | Outer IP Header | +---------------------------+ +---------------------------+ | IP Header | | IP Header | +---------------------------+ ====> +---------------------------+ | | | | | IP Payload | | IP Payload | | | | | +---------------------------+ +---------------------------+ The format of the IP header is described in RFC 791[19]. The outer IP header source and destination addresses identify the "endpoints" of the tunnel. The inner IP header source and destination addresses identify the sender and recipient of the datagram. The protocol field in the outer IP header is set to protocol number 4 for the encapsulation protocol. The destination field in the outer IP header is set to the care-of address of the mobile node. The source field in the outer IP header is set to the IP address of the encapsulating agent. When the datagram is encapsulated, the Time To Live (TTL) field in the outer IP header is set to be the same as the original datagram. When decapsulating, the outer TTL minus one is inserted into the inner IP TTL. Thus, hops are counted, but the actual routers interior to the tunnel are not identified. This provides loop protection. 5.2. Minimal Encapsulation A minimal forwarding header is defined for datagrams which are not fragmented prior to encapsulating. Use of this encapsulating method is optional. Minimal encapsulation must not be used when an original datagram is already fragmented. A foreign agent which is capable of decapsulating the minimal header includes the 'M' bit (subsection 4.1) in its agent advertisements. Perkins, editor Expires 27 November 1995 [Page 19] Internet Draft IP Mobility Support 27 May 1995 A mobile node, after receiving this indication in an agent advertisement, indicates the capability of decapsulating the minimal header at the care-of address by setting the 'M' bit (subsection 3.2) in its registration request. A mobile node MUST NOT set this bit unless its foreign agent has advertised support for it. The use of the minimal header is entirely at the discretion of the home agent. Similar considerations hold for use of GRE encapsulation and setting the 'G' bit (subsections 4.1, 3.2) The minimal encapsulation process produces a datagram structured as shown below; the IP header of the original datagram is modified, then followed by the minimal forwarding header, followed by the unmodified IP payload of the original datagram. +---------------------------+ +---------------------------+ | IP Header | | Modified IP Header | +---------------------------+ ====> +---------------------------+ | | | Minimal Forwarding Header | | IP Payload | +---------------------------+ | | | | +---------------------------+ | IP Payload | | | +---------------------------+ Encapsulation is performed as follows. The protocol field in the IP header is replaced by protocol number 55 for the minimal encapsulation protocol. The destination field in the IP header is replaced by the care-of address of the mobile node. If the encapsulating agent is not the original source of the datagram, the source field in the IP header is replaced by the IP address of the encapsulating agent. When decapsulating a datagram, the fields in the forwarding header are restored to the IP header, and the forwarding header is removed from the datagram. The format of the minimal forwarding header is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol |S| reserved | Header Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Home Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ : Correspondent Source Address : +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Perkins, editor Expires 27 November 1995 [Page 20] Internet Draft IP Mobility Support 27 May 1995 Protocol Copied from the protocol field in the original IP header. S Source field present bit, which indicates that the Correspondent Source Address field is present. 0 not present. 1 present. reserved Sent as zero; ignored on reception. Header Checksum The 16-bit one's complement of the one's complement sum of the encapsulation header. For computing the checksum, the checksum field is set to 0. Home Address Copied from the destination field in the original IP header. Correspondent Source Address Copied from the source field in the original IP header. Present only if the S-bit is set. Perkins, editor Expires 27 November 1995 [Page 21] Internet Draft IP Mobility Support 27 May 1995 6. Mobile Node Considerations A mobile node listens for agent advertisements at all times that it has a link connection. In this manner, it can learn that its foreign agent has changed, or that it has arrived home. Whenever a mobile node detects such a change in its network connectivity, it should initiate the registration process. When it is away from home, the mobile node's (de)registration request allows its home agent to create a mobility binding, (see subsections 3.2, 2.2). When it is at home, the mobile node's registration request allows its home agent to erase any previous mobility binding (subsection 6.4). A mobile node operates without the support of mobility functions when it is at home. Appendix B discusses the interaction of this mobility specification with some link layer implementations for media which may be used with mobile nodes. A mobile node MUST NOT register with a new foreign agent because it has received an ICMP Redirect from the foreign agent that is currently providing service to it. 6.1. Configuration and Registration Tables A mobile node must be configured with: - home address - mobility security association for each home agent In addition, a mobile node may be configured with the address of one or more of its home agents. For each pending registration: - link-layer address of foreign agent, if applicable - care-of address - registration identification - lifetime 6.2. Registration When Away From Home In the absence of link-layer indications of changes in point of attachment, agent advertisements from new agents do not necessarily affect a current registration. In the absence of link-layer indications, a mobile node MUST NOT attempt to register more often than once per second. A mobile node may register with a different agent when transport-layer protocols indicate excessive Perkins, editor Expires 27 November 1995 [Page 22] Internet Draft IP Mobility Support 27 May 1995 retransmissions. Within these constraints, the mobile node MAY register again at any time. If a mobile node detects two successive values of the sequence number in the agent advertisement, the second of which is less than the first and inside the range 0 to 255, the mobile node MUST register again. If the second value is less than the first, but greater than or equal to 256, the mobile node may assume that the sequence number has rolled over past its maximum value (0xffff), and that there is no need to re-register (see subsection 2.2). If the mobile node does not know the address of any of its home agents, it may send a registration request is sent to the directed broadcast address of the home network. In this case, any registration reply that is returned to the mobile node will contain a valid address for a home agent, so that the mobile node can re-issue the registration request with the correct home agent address if necessary. A mobile node SHOULD NOT request a lifetime for its registration that exceeds the lifetime learned in an agent advertisement. When the method by which the care-of address is learned does not include a lifetime, the default router advertisement lifetime (1800 seconds) may be used. The lifetime MAY be modified by the home agent in its reply. A mobile node SHOULD register again before the lifetime of its registration expires. A mobile node MAY ask a home agent to terminate forwarding service to a particular care-of address, by sending a registration with a lifetime of zero (see subsection 8.2). The mobile node SHOULD construct its registration identification by concatenating another value of its own choice to the most recent nonce received from its home agent. This value in the low order 32 bits of the identification can be another nonce, or a duplicate of the nonce received from the home agent (see subsection 9.6.1). 6.3. Registration with a dynamically assigned care-of address In cases where a mobile node away from home is able to dynamically acquire a transient IP address (e.g, via DHCP [6]), the mobile node can serve without a foreign agent, using the transient address as the care-of address. Then all communication between the mobile node and its home agent can proceed without the intervention of foreign agents. This eliminates the need to deploy foreign agents as separate entities. This feature MUST NOT be used unless the mobile node has mechanisms to detect changes in its link-layer connectivity, and can initiate acquisition of a new transient address each time Perkins, editor Expires 27 November 1995 [Page 23] Internet Draft IP Mobility Support 27 May 1995 such a change occurs. The lifetime of such a registration is chosen by the mobile node. When the mobile node is away from home and detects a foreign agent advertisement that has the "R" bit (registration required) set in the Mobility Extension (see subsection 2.2), the mobile node SHOULD register through an appropriate foreign agent, even when it has obtained a dynamically assigned care-of address. 6.4. Deregistration When At Home When a mobile node is attached to its home link, it will no longer need any forwarding service from its home agent. A deregistration procedure SHOULD be used between the mobile node and its home agent. The deregistration process involves the exchange of only two messages: a) The mobile node sends a registration request directly to its home agent, with the lifetime set to zero, and the Code field set to 0, to indicate that the home agent remove all related entries. The care-of address is set to the home address. b) The home agent sends a registration reply to the mobile node to indicate the success or failure of the mobile node's attempted deregistration. A mobile node on its home network need not register again with a home agent when a change of sequence number occurs, or the advertisement lifetime expires, or even when the home agent crashes, since it isn't seeking service from the home agent. 6.5. Registration Replies To be accepted, the reply must match the registration identification of its most recent registration request to the sender; otherwise, the message is silently discarded. If nonces are in use, the mobile node records the first 32 bits for use in its next registration request; otherwise, if timestamps are in use, the entire 64 bit field may be used for identification (see subsection 9.6). When a reply is received which has a code indicating rejection by the foreign agent, the Mobile-Home Authenticator will be missing or invalid. If a later authenticated reply is received, and if the previous registration is remembered, that later reply supersedes the unauthenticated reply. Otherwise, when a reply is received with an invalid authenticator, the message is silently discarded. The Perkins, editor Expires 27 November 1995 [Page 24] Internet Draft IP Mobility Support 27 May 1995 mobile node is not required to issue any message in response to a registration reply. 6.6. Registration Retransmission When no reply has been received within a reasonable time, another registration request is transmitted. When timestamps are used, a new registration identification is chosen for each retransmission; thus it counts as a new registration. When nonces are used, the unanswered request is retransmitted unchanged. (See subsection 9.6) The maximum time until a new registration request is sent SHOULD be no greater than the requested lifetime of the registration request. The minimum value SHOULD be large enough to account for the size of the packets, twice the round trip time for transmission at the link speed, and at least an additional 100 milliseconds to allow for processing the packets before responding. Some circuits add another 200 milliseconds of satellite delay. The minimum time between registration requests MUST NOT be less than 1 second. Each successive wait SHOULD be at least twice the previous wait, as long as that is less than the maximum. 6.7. Simultaneous mobility bindings Multiple simultaneous mobility bindings are likely to be useful when a mobile node moves within range of multiple cellular systems. IP explicitly allows duplication of datagrams. When the home agent allows simultaneous bindings, it will encapsulate a separate copy of each arriving datagram to each care-of address, and the mobile node will receive multiple copies of its datagrams. In order to request this optional capability, the mobile node sends the registration request with the Code set to 1. The return code in the registration reply is the same. No error occurs if the home agent is unable to fulfill the request. When the need for multiple mobility bindings has passed, the mobile node SHOULD register again with the Code set to 0, to remove the other bindings. 6.8. Mobile Routers A mobile node can be a router, which is responsible for the mobility of one or more entire networks moving together, perhaps on an airplane, a ship, a train, an automobile, a bicycle, or a kayak. The nodes connected to a network served by the mobile router may Perkins, editor Expires 27 November 1995 [Page 25] Internet Draft IP Mobility Support 27 May 1995 themselves be fixed nodes or mobile nodes or routers. In this subsection, such networks are called "mobile networks". A mobile router may provide a care-of address to mobile nodes connected to the mobile network. In this case, when a correspondent host sends a packet to the mobile node, the following actions should occur. Normal routing procedures will route the packet addressed to the mobile node from the correspondent host to the mobile node's home agent. This home agent's binding for the mobile node causes it to tunnel the packet to the mobile router. Normal routing procedures will route the packet from this home agent to the mobile router's home agent. That home agent's binding for the mobile router causes the packet to be doubly tunneled to the mobile router's care-of address. For the sake of discussion, assume there is a foreign agent available at that care-of address. The mobile router's foreign agent will then detunnel the packet and use its visitor list entry to deliver the packet to the mobile router. The mobile router will then detunnel the packet and use its visitor list entry to deliver the packet finally to the mobile node. If a fixed node is connected to a mobile network then either of two methods may be used to cause packets from correspondent hosts to be routed to the fixed node. A home agent may be configured that has a permanent registration for the fixed node that indicates the mobile router's address as the fixed host's care-of address. The mobile router's home agent will usually be used for this purpose. The home agent is then responsible for advertising connectivity using normal routing protocols to the fixed node. Any packets sent to the fixed node will thus use recursive tunneling as described above. Alternatively, the mobile router may advertise connectivity to the fixed node using normal routing protocols through its own home agent. This method avoids the need for recursive tunneling of packets. Perkins, editor Expires 27 November 1995 [Page 26] Internet Draft IP Mobility Support 27 May 1995 7. Foreign Agent Considerations The foreign agent is passive and has a minimal role; it relays registration requests between the home agent and the mobile node, and decapsulates datagrams for delivery to the mobile node. It may advertise its services to prospective mobile clients as described in sections 2.2, 4.1. The foreign agent MUST NOT originate a request or reply that has not been prompted by the mobile node. No request or reply is generated to indicate that the service lifetime has expired. A foreign agent MUST NOT originate a message that asks for deregistration of a mobile node; however, it MUST relay valid deregistration requests originated by the mobile node. The foreign agent MUST NOT advertise to other routers in its routing domain, nor to any other mobile node, the presence of a mobile router. 7.1. Configuration and Registration Tables Each foreign agent will need a care-of address. In addition, for each pending or current registration, the foreign agent will need a visitor list entry containing: - Media address of mobile node - home address - home agent - lifetime For each pending registration, a foreign agent must also store the low-order 32 bits of the registration identification, as sent by the mobile node. (The high-order 32 bits may differ in the registration reply. See subsection 9.6). In addition, the foreign agent must store the source port from which the mobile node's registration request was sent, so that the foreign agent can properly return the eventual registration reply. As with any host on the internet, a foreign agent may also maintain a security association for each pending or current registrant, and use it to authenticate the registration requests and replies of the mobile node or its home agent (subsections 4.4, 4.5). The foreign agent may use an available security association with the home agent to create an authentication for the foreign-home authentication extension. Even if a foreign agent implements authentication, it might not use authentication with each registration, because of the key management difficulties. Perkins, editor Expires 27 November 1995 [Page 27] Internet Draft IP Mobility Support 27 May 1995 7.2. Receiving Registration Requests If the foreign agent is able to satisfy an incoming registration request, then it relays the request to the home agent. Otherwise, it denies the request by sending a registration reply to the mobile node with an appropriate code. If the request is being denied because the requested lifetime is too long, the foreign agent puts in an acceptable value for the lifetime in the registration reply containing the rejection code. The foreign agent must maintain a list of pending requests, which includes the IP source address and UDP source port, in order that a correctly addressed reply can be returned to the mobile node. 7.3. Receiving Registration Replies A registration reply which does not match the identification of to any pending registration request must be silently discarded. If the registration reply is sent from the home agent with a status code indicating a successful registration, then the foreign agent updates its visitor list accordingly. If the foreign agent receives an ICMP error instead of a registration reply in response to the registration request, then it returns the "Home Agent Unreachable" failure code to the mobile node. 7.4. Decapsulation Every foreign agent which receives an encapsulated packet sent to its advertised care-of address MUST compare the inner destination address to those entries in its visitor list. When the destination does not match any node currently in the visitor list, the foreign agent MUST NOT forward the datagram without modifications to the original IP header, because otherwise a routing loop is likely to result. The datagram SHOULD be silently discarded. ICMP Destination Unreachable MUST NOT be sent when a foreign agent is unable to forward an incoming tunneled datagram. Perkins, editor Expires 27 November 1995 [Page 28] Internet Draft IP Mobility Support 27 May 1995 8. Home Agent Considerations The home agent has primary responsibility for processing and coordinating mobility services. Packets destined for mobile clients will arrive at a home agents that advertises connectivity to the home network containing the addresses of those mobile clients. The home agent will then encapsulate the packet and deliver it to the care-of address most recently reported by the mobile client. Often, the home agent will advertise connectivity to a home network which does not correspond to any particular physical medium (e.g, extent of Ethernet cabling). This is described by saying that the mobile clients have addresses on a virtual home network. The home agent for a given mobile node SHOULD be located on the link identified by the home address, if the home network is not merely a virtual network. In this case, the home agent MUST send out agent advertisements with the 'H' bit (see subsection 4.1) set, so that mobile nodes on their home network will be able to determine that they are indeed at home. 8.1. Configuration and Registration Tables Each home agent will need an IP address, and the prefix size for the home network, if the home network is not a virtual network. For each authorized mobile node, the home agent will need: - home address - mobility security association - prefix size(s) for the mobile network(s), if any For each registered mobile node, the home agent will need a mobility binding list entry containing: - care-of address - registration identification - lifetime 8.2. Receiving Registration Requests Upon receipt of a registration request (subsection 3.2), the home agent grants or denies the service requested, by sending a registration reply (subsection 3.2) to the sender of the request with the appropriate code set. The home agent sends the registration reply back to the same UDP port from which it was sent. If service permission is granted, the home agent will update its mobility Perkins, editor Expires 27 November 1995 [Page 29] Internet Draft IP Mobility Support 27 May 1995 binding list with the care-of address of the tunnel. The home agent MAY impose a shorter lifetime than was requested for in the Registration Request message. If the Registration Request duplicates an accepted current Registration Request, the new lifetime MUST NOT extend beyond the lifetime originally granted. The request is validated by checking the registration identification (see subsection 9.6), and the Mobile-Home Authentication Extension (subsection 4.3) according to the mobility security association. Other authentication extensions are also validated when present. When the registration request is valid, the home agent may select a new nonce for use by the mobile node upon its next registration request, and include it in the first 32 bits of the identification field of the registration reply. The low order 32 bits of that field remain unmodified for use by the mobile node in matching the registration reply with one of its outstanding registration requests. When a registration request is invalid, a registration reply is sent with the appropriate error code. This reply will be used by a foreign agent to delete its pending request list entry, if a foreign agent was involved in relaying the registration request. If the request was invalid because of the use of an unexpected value in the identification field of the registration request, the home agent SHOULD use the high-order bits of the current identification to provide a new identification value for the mobile node. In this case, the home agent MAY report an authentication exception to its network management support software. The registration reply status code in this case is 37. If the registration request was invalid because of an invalid authenticator value, the home agent MUST issue an authentication exception. The registration reply status code is then 35. If the registration request is sent to the directed broadcast address of the home network, the home agent may deny the registration request. In this case, the registration reply will contain the home agent's address, so that the mobile node can re-issue the registration request with the correct home agent address. A mobile node requests termination of service by indicating a lifetime of zero. If the Code field set to 1, the home agent removes the mobility binding for that care-of address from its forwarding list. Otherwise, if the Code field is set to 0, the home agent removes the mobility bindings for all foreign agents associated with that mobile node from its mobility binding list. On termination, no reply is sent to additional associated foreign agents. The entries in their visitor lists are allowed to expire naturally. Perkins, editor Expires 27 November 1995 [Page 30] Internet Draft IP Mobility Support 27 May 1995 8.3. Simultaneous mobility bindings When a home agent supports the optional capability of multiple simultaneous mobility bindings, any datagrams forwarded are simply duplicated, and a copy is sent to each care-of address. If the home agent is unable to fulfill requests for simultaneous bindings, it returns the appropriate status in the registration reply (subsection 3.3) to the mobile node. When the mobile node makes future registration requests, it will then be able to determine whether it can expect simultaneous service at multiple care-of addresses. If the home agent has a limit on the number of simultaneous registrations that it can support for a mobile client, then it can just reject any registrations that would cause that limit to be exceeded. 8.4. Registration Expiration If the lifetime for a given mobility binding expires before the home agent has received another registration request, then that binding is erased from the mobility binding list. No special registration reply is sent to the foreign agents. The entries in the visitor lists will expire naturally, and probably at the same time. When a mobility binding's lifetime expires, the home agent drops it regardless of whether or not simultaneous bindings are supported. 8.5. Encapsulation Every home agent must examine the IP header of all arriving traffic to see if it contains a destination address equal to the home address of any of its mobile nodes. Packets with matching destination addresses are encapsulated and delivered to the indicated care-of address found in the associated mobility binding. If the mobile node is at home, the home agent will simply forward the datagram directly to it; however, in this case, it is expected that the datagram will never be received by the home agent. Suppose an encapsulated datagram arrives at the home agent, that is to be delivered to one of its mobile clients. If the destination of the inner header is also the mobile client, the home agent may simply alter the outer destination to the care-of address, unless the care-of address is the same as the origination point of the encapsulated datagram. Otherwise, if the home agent receives a datagram for one of its mobile clients, and the packet's IP source address is identical to the care-of address contained in the mobility binding list, the home agent MUST discard that packet. If the packet were forwarded back to the care-of address, a loop might result. Perkins, editor Expires 27 November 1995 [Page 31] Internet Draft IP Mobility Support 27 May 1995 The mechanism just described is intended to avoid recursive encapsulation. Other encapsulated datagrams arriving at the home agent may be recursively encapsulated. 8.6. Broadcast packets Mobile nodes may request to receive broadcast packets by setting the 'B' bit in their Registration Request packets (subsection 3.2). The method used to forward each depends on whether the mobile node is using its own dynamically-assigned care-of address or is registered using a care-of address associated with a foreign agent (indicated by the 'D' bit in the Registration Request packet). When using a dynamically-assigned care-of address, the home agent simply tunnels each received broadcast IP datagram to this care-of address. When registered through a foreign agent, an extra level of encapsulation is required to indicate to the foreign agent which mobile node to deliver the tunneled datagram to when it is received by the foreign agent. The home agent first encapsulated the broadcast datagram in a unicast datagram addressed to the mobile node's home address, and then tunnels this encapsulated datagram to the foreign agent. When received by the foreign agent, the the unicast encapsulated datagram is detunneled and delivered to the mobile node in the same way as any other datagram. The mobile node must decapsulate this datagram to receive the original broadcast datagram. The extra level of encapsulation is necessary, since otherwise, the mobile node's home address would not appear anywhere in the tunneled datagram received by the foreign agent. Similar extra encapsulation is not required when using a dynamically-assigned care-of address, since the tunnel then terminates with the mobile node rather than with a foreign agent. When a home agent receives a broadcast packet, it transmits the packet to only those mobile nodes on its mobility binding list that have requested broadcast service. If it is determined that some broadcasts should be forwarded to mobile nodes by the home agent, those broadcasts will be specifically mentioned as exceptions. 8.7. Multicast packets The rules regarding multicast packets to mobile clients are much the same as those relevant to multicast to other clients. Perkins, editor Expires 27 November 1995 [Page 32] Internet Draft IP Mobility Support 27 May 1995 9. Security Considerations The mobile computing environment is potentially very different from the ordinary computing environment. In many cases, mobile computers will be connected to the network via wireless links. Such links are particularly vulnerable to passive eavesdropping, active replay attacks, and other active attacks. 9.1. Message Authentication Codes Home agents and mobile nodes MUST be able to perform authentication. The default algorithm is keyed MD5 [21], with a key size of 128 bits. The default mode of operation is to both precede and follow the data to be hashed, by the 128-bit key; that is, MD5 is to be used in suffix+prefix mode. The foreign agent SHOULD also support authentication using keyed MD5 and key sizes of 128 bits or greater, with manual key distribution. More authentication algorithms, algorithm modes, key distribution methods, and key sizes MAY also be supported. 9.2. Tunneling to Care-of Addresses The registration protocol described in this document will result in a mobile node's traffic being tunneled to its care-of address. This tunneling feature could be a significant vulnerability if the registration were not authentic. Such remote redirection, for instance as performed by the mobile registration protocol, is widely understood to be a security problem in the current Internet([2]). Moreover, the Address Resolution Protocol (ARP) is not authenticated, and can potentially be used to steal another host's traffic. The use of "Gratuitous ARP" (see Appendix A) brings with it all of the risks associated with the use of ARP. 9.3. Key management This specification requires a strong authentication mechanism (keyed MD5) which precludes many potential attacks based on the Mobile IP registration protocol. However, because key distribution is difficult in the absence of a network key management protocol, messages with the foreign agent are not all required to be authenticated. In a commercial environment it might be important to authenticate all messages between the foreign agent and the home agent, so that billing is possible, and service providers don't provide service to users that are not legitimate customers of that service provider. Perkins, editor Expires 27 November 1995 [Page 33] Internet Draft IP Mobility Support 27 May 1995 9.4. Picking good random numbers The strength of any authentication mechanism is dependent on several factors, including the innate strength of the authentication algorithm, the secrecy of the key used, the strength of the key used, and the quality of the particular implementation. This specification requires implementation of keyed MD5 for authentication, but does not preclude the use of other authentication algorithms and modes. For keyed MD5 authentication to be useful, the 128-bit key must be both secret (that is, known only to authorized parties) and pseudo-random. If nonces are used in connection with replay protection, they must also be selected carefully. Eastlake, et.al. ([7]) provides more information on generating pseudo-random numbers. 9.5. Privacy Users who have sensitive data that they do not wish others to see should use mechanisms outside the scope of this document (such as encryption) to provide appropriate protection. Users concerned about traffic analysis should consider appropriate use of link encryption. If absolute location privacy is desired, the Mobile Node can create a tunnel to its Home Agent. Then, packets destined for correspondent hosts will appear to emanate from the Home Network, and it may be more difficult to pinpoint the location of the mobile node. 9.6. Replay Protection for Registration Requests The Identification field is used to let the home agent verify that a registration message has been freshly generated by the mobile node, not replayed by an attacker from some previous registration. The exact method of using the field depends upon the mobile security association defined between the mobile node and home agent. Two methods are described here: using random "nonce" values (preferred), and another method using timestamps. A mobile node and its home agent must agree on the use of replay protection, because if a home agent expects only a nonce, it is unlikely to accept the mobile node's time value. Whatever method is used, the low order 32 bits of the identification MUST be copied unchanged from the registration request to the reply. The foreign agent uses those bits to match registration requests with corresponding replies. The mobile node MUST verify that the low order 32 bits of any registration reply are identical to the bits it sent in the registration request. Perkins, editor Expires 27 November 1995 [Page 34] Internet Draft IP Mobility Support 27 May 1995 The Identification in a new registration request MUST NOT be the same as in an immediately preceding request, and SHOULD NOT repeat during the lifetime of the mobility security association between the mobile node and the home agent. Retransmission as in subsection 6.6 is allowed. 9.6.1. Replay Protection using Nonces The basic principle of nonce replay protection is that Node A includes a new random number in every message to node B, and checks that Node B returns that same number in its next message to node A. Both messages use a cryptographic checksum to protect against alteration by an attacker. At the same time Node B can send its own nonces in all messages to Node A (to be echoed by node A), so that it too can verify that it is receiving fresh messages. The home agent may be expected to have resources for computing pseudo-random numbers useful as nonces[7]. It inserts a new nonce as the high-order 32 bits of the identification field of every registration reply. The home agent copies the low-order 32 bits of the Identification from the registration request message. When the mobile node receives an authenticated registration reply from the home agent, it saves the high order 32 bits of the identification for use as the high-order 32 bits of its next registration request. The mobile node is responsible for generating the low order 32 bits of the Identification in each registration request. Ideally it should generate its own random nonces. However it may use any expedient method, including duplication of the random value sent by the home agent. The method chosen is of concern only to the mobile node, because it is the node that checks for valid values in the registration reply. The high-order and low-order 32 bits of the identification chosen SHOULD both differ from their previous values. The home agent needs a new high order value and the mobile node needs a new low-order value for replay protection. The foreign agent needs a new low-order value to correctly match registration replies with pending requests (see subsection 7.1). If a registration message is rejected because of an invalid nonce, the reply always provides the mobile node with a new nonce to be used in the next registration. Thus the nonce protocol is self-synchronizing. Perkins, editor Expires 27 November 1995 [Page 35] Internet Draft IP Mobility Support 27 May 1995 9.6.2. Replay Protection using Timestamps The basic principle of timestamp replay protection is that the node generating a message inserts the current time of day, and the node receiving the message checks that this timestamp is sufficiently close to its own time of day. Obviously the two nodes must have adequately synchronized time of day clocks. As usual all messages are protected against tampering by a cryptographic checksum. If timestamps are used, the mobile node sets the Identification field to a 64-bit value formated as specified by the Network Time Protocol [15]. The low-order 32 bits of the NTP format represent fractional seconds, and those bits which are not available from a time source SHOULD be generated from a good source of randomness. If the timestamp in a registration request that has passed authentication is close enough to the home agent's time of day, the home agent copies the entire Identification into the registration reply. If the timestamp is unacceptable, the home agent copies only the low order 32 bits into the registration reply, and supplies the high order 32 bits from its own time of day. The error code in the registration reply indicates an identification mismatch. The mobile node MUST verify that the low order 32 bits of the identification in the registration reply are identical to those in the rejected registration attempt, before using the high order bits for clock resynchronization. Time tolerances and resynchronization details are specific to a particular mobile security association. 10. Acknowledgements Special thanks to Steve Deering (Xerox PARC), along with Dan Duchamp and John Ioannidis (Columbia), for forming the working group, chairing it, and putting so much effort into its early development. Thanks also to Kannan Alaggapan and Greg Minshall for their contributions to the group while performing the duties of chairperson. Perkins, editor Expires 27 November 1995 [Page 36] Internet Draft IP Mobility Support 27 May 1995 Thanks to the active members of the Mobile-IP working group, particularly those who contributed text, including (in alphabetical order) - Ran Atkinson (Naval Research Lab), - Dave Johnson (Carnegie Mellon University), - Andrew Myles (Macquarie University), - John Penners (US West), - Al Quirt (Bell Northern Research), - Yakov Rekhter (IBM), and - Fumio Teraoka (Sony). Thanks to Charlie Kunzinger, the editor who produced the first drafts for the Working Group, and to Bill Simpson, who has produced a lot of the text of this draft, reflecting the discussions of the Working Group. Thanks to Greg Minshall (Novell) and Phil Karn (Qualcomm) for their generous support in hosting interim Working Group meetings. A. Gratuitous and Proxy ARP Many people will use their computers for extended periods of time on a single link, whether or not it is at their home network. When doing so, they will expect the same level of service from their infrastructure as they receive today on the home network. Mobile nodes do not need a separate "virtual" IP address block; this would require a small network to have an extra router between the mobile and non-mobile nodes, which is an unacceptable expense. This section details the special care to be taken when using ARP [17] with nodes on the same link as a mobile node. A problem can arise if a mobile node which has previously answered an ARP Request moves away from the link, leaving behind a stale entry in another node's ARP cache. For example, if a router which forwards datagrams into the home network has a stale ARP cache entry for the mobile node, any datagrams arriving through that router for the mobile node will be lost. Thus, it is important that ARP caches of nodes populating the link be updated as soon as possible. A gratuitous ARP is an ARP Reply that is broadcast to all nodes on a link, but not in response to any ARP Request. When an ARP Reply is broadcast, all hosts are required to update their local ARP caches, whether or not the ARP Reply was in response to an ARP Request they had issued. With gratuitous ARP, the source IP address is the home Perkins, editor Expires 27 November 1995 [Page 37] Internet Draft IP Mobility Support 27 May 1995 address of the mobile node, the link-layer address is the source link-layer address for the interface used, the target IP address is the all-systems multicast address, and the target link-layer address is the general broadcast address. When there is a physical link which corresponds to the home network, a gratuitous ARP is issued by the home agent on behalf of a mobile node whenever the home agent receives a valid registration. That should cause the remaining nodes to associate the home address of the mobile node with the link-layer address of the home agent which is now serving the mobile node. While the mobile node is away from its home network, the home agent performs proxy ARP Replies for the mobile node. When a mobile node returns to its home network, it SHOULD issue a gratuitous ARP on its own behalf, immediately before sending its deregistration request to the home agent. Although the gratuitous ARP can be lost, this is not different from the usual ARP Reply problems, which are outside the scope of this document. A home agent may repeat the gratuitous ARP a small number of times. B. Link-Layer considerations The mobile node primarily uses link-layer mechanisms to decide that its point of attachment has changed. Such indications include the Down/Testing/Up interface status [12], and changes in cell or administration. The mechanisms will be specific to the particular link-layer technology, and are outside the scope of this document. B.1. Point-to-Point Link-Layers The Point-to-Point-Protocol (PPP) [22] and its Internet Protocol Control Protocol (IPCP) [13], negotiates the use of IP addresses. The mobile node SHOULD first attempt to specify its home address. This allows an unrouted link to function correctly. When the home address is not accepted by the peer, but a transient IP address is dynamically assigned, that address MAY be used as the care-of address for registration. When the peer specifies its own IP address, that address MUST NOT be assumed to be the care-of address of a foreign agent or the IP address of a home agent. Perkins, editor Expires 27 November 1995 [Page 38] Internet Draft IP Mobility Support 27 May 1995 When router advertisements are received which contain the Mobility Extension, registration with the agent SHOULD take place as usual. If the link is bandwidth limited, this method is preferred over use of the transient care-of address. The encapsulation will be removed by the peer, allowing header compression techniques to function correctly [10]. B.2. Multi-Point Link-Layers Another link establishment protocol, IEEE 802.11 [1], might yield the link address of an agent. This link-layer address SHOULD be used to attempt registration. The receipt of an agent's address via a router advertisement supersedes that obtained via IEEE 802.11. C. TCP Considerations C.1. TCP Timers Most hosts and routers which implement TCP/IP do not permit easy configuration of the TCP timer values. When high-delay (e.g. SATCOM) or low-bandwidth (e.g. High-Frequency Radio) links are in use, the default TCP timer values in many systems may cause retransmissions or timeouts, even when the link and network is actually operating properly with greater than usual delays because of the medium in use. This can cause an inability to create or maintain connections over such links, and can also cause unneeded retransmissions which consume already scarce bandwidth. Vendors are encouraged to make TCP timers more configurable. Vendors of systems designed for the mobile computing markets should pick default timer values more suited to low-bandwidth, high-delay links. Users of mobile nodes should be sensitive to the possibility of timer-related difficulties. C.2. TCP Congestion Management Mobility nodes are likely to use media which have low bandwidth and are more likely to introduce errors, effectively causing more packets to be dropped. This introduces a conflict with the mechanisms for congestion management found in modern versions of TCP. Now, when a packet is dropped, the correspondent's TCP implementation is likely to react as if there were a source of network congestion, and initiate the slow-start mechanisms [4] designed for controlling that problem. However, those mechanisms are inappropriate for Perkins, editor Expires 27 November 1995 [Page 39] Internet Draft IP Mobility Support 27 May 1995 overcoming errors introduced by the links themselves, and have the effect of magnifying the discontinuity introduced by the dropped packet. This problem has been analyzed by Caceres, et. al.([3]); there is no easy solution available, and certainly no solution likely to be installed soon on all correspondents. While this problem has nothing to do with any of the specifications in this document, it does illustrate that providing performance transparency to mobile nodes involves understanding mechanisms outside the network layer. It also indicates the need to avoid designs which systematically drop packets; such designs might otherwise be considered favorably when making engineering tradeoffs. D. Tunnel Management It is possible that one of the routers along the tunnel interior might encounter an error while processing the datagram, causing it to return an IP ICMP error message to the source end of the tunnel. ICMP errors that can occur in this circumstance are: - Datagram Too Big - Time Exceeded - Destination Unreachable Unfortunately, ICMP only requires IP routers to return 8 bytes (64 bits) of the datagram beyond the IP header. This is not enough to include the encapsulated header, so it is not generally possible for the home agent to immediately reflect the ICMP message from the interior of a tunnel back to the source host. However, by carefully maintaining "soft state" about its tunnels, the encapsulating router can return accurate ICMP messages in most cases. The router SHOULD maintain at least the following soft state information about each tunnel: - MTU of the tunnel - TTL (path length) of the tunnel - Reachability of the end of the tunnel The router uses the ICMP messages it receives from the interior of a tunnel to update the soft state information for that tunnel. When subsequent datagrams arrive that would transit the tunnel, the router checks the soft state for the tunnel. If the datagram would violate the state of the tunnel (such as, the TTL is less than the tunnel TTL) the router sends an ICMP error message back to the source, but also forwards the datagram into the tunnel. Perkins, editor Expires 27 November 1995 [Page 40] Internet Draft IP Mobility Support 27 May 1995 Using this technique, the ICMP error messages sent by encapsulating routers will not always match up one-to-one with errors encountered within the tunnel, but they will accurately reflect the state of the network. The Don't Fragment bit is always set within the tunnel. This enables the proper MTU of the tunnel to be determined. Fragmentation which occurs because of the size of the encapsulation header is done before encapsulation, preventing more than one layer of fragmentation in a single datagram. Tunnel soft state was originally developed for the IP address encapsulation (IPAE) specification [8]. References [1] Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Document P802.11/D1, Dec 1994. [2] S.M. Bellovin. Security Problems in the TCP/IP Protocol Suite. ACM Computer Communications Review, 19(2), March 1989. [3] Ramon Caceres and Liviu Iftode. The Effects of Mobility on Reliable Transport Protocols. In Proceedings of the 14th International Conference on Distributed Computing Systems, June 1994. [4] Douglas E. Comer. Internetworking with TCP/IP, volume 1. Prentice Hall, 1991. [5] S. Deering. Router Discovery. RFC 1256, September 1991. [6] R. Droms. Dynamic Host Configuration Protocol. RFC 1541, October 1993. [7] D.E. Eastlake, S.D. Crocker, and J.I. Schiller. Randomness Requirements for Security. RFC 1750, December 1994. [8] R. Gilligan, E. Nordmark, and B. Hinden. IPAE: The SIPP Interoperability and Transition Mechanism. Internet Draft -- work in progress, March 1994. [9] S. Hanks, T. Li, D. Farinacci, and P. Traina. Generic routing encapsulation (gre). RFC 1701, October 1994. [10] V. Jacobson. Compressing TCP/IP Headers for Low-Speed Serial Links. RFC 1144, February 1990. Perkins, editor Expires 27 November 1995 [Page 41] Internet Draft IP Mobility Support 27 May 1995 [11] J. Kohl and C. Newman. The Kerberos Network Authentication Service (V5). RFC 1510, September 1993. [12] K. McCloghrie and F. Kastenholz. Evolution of the Interfaces Group MIP-II. RFC 1573, January 1994. [13] G. McGregor. The PPP Internet Procotol Control Protocol (IPCP). RFC 1332, May 1992. [14] P. Metzger and B. Simpson. Authentication Header (AH). draft-metzger-ah-01.txt -- work in progress, March 1995. [15] D. Mills. Network Time Protocol (Version 3). RFC 1305, March 1992. [16] National Bureau of Standards. Data Encryption Standard. Federal Information Processing Standards, 1977. [17] D. Plummer. An Ethernet Address Resolution Protocol. RFC 826, November 1982. [18] J. Postel. User Datagram Protocol. RFC 768, August 1980. [19] J. Postel. Internet Protocol. RFC 791, September 1981. [20] J. Reynolds and J. Postel. Assigned Numbers. RFC 1700, October 1994. [21] R. Rivest. The MD5 Message-Digest Algorithm. RFC 1321, April 1992. [22] W. Simpson (Editor). The Point-to-Point Protocol (PPP). RFC 1661, July 1994. Perkins, editor Expires 27 November 1995 [Page 42] Internet Draft IP Mobility Support 27 May 1995 Chair's Addresses The working group can be contacted via the current chairs: Jim Solomon Tony Li Motorola, Inc. cisco systems 1301 E. Algonquin Rd. 170 W. Tasman Dr. Schaumburg, IL 60196 San Jose, CA 95134 Work: +1-708-576-2753 Work: +1-408-526-8186 E-mail: solomon@comm.mot.com E-mail: tli@cisco.com Editor's Address Questions about this memo can also be directed to: Charles Perkins Room J1-A25 T. J. Watson Research Center IBM Corporation 30 Saw Mill River Rd. Hawthorne, NY 10532 Work: +1-914-784-7350 Fax: +1-914-784-7007 E-mail: perk@watson.ibm.com Perkins, editor Expires 27 November 1995 [Page 43]