INTERNET-DRAFT                                             Thierry Ernst
                                                         Ludovic Bellier
                                                       Alexis  Olivereau
                                                     Castelluccia Claude
                                                           Hong-Yon Lach
                                 Motorola Labs and INRIA Planete, France
                                                            22 June 2001


                 Mobile Networks Support in Mobile IPv6
                     (Prefix Scope Binding Updates)

                 draft-ernst-mobileip-v6-network-02.txt


Status of This Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This draft addresses the problems of routing datagrams to nodes
   located in an IPv6 mobile network. A mobile network is one or more
   IP-subnets attached to a mobile router and mobile as a unit.  The
   mobile router dynamically changes its point of attachment.
   Applications of mobile networks include networks attached to people
   (PANs) and networks of sensors deployed in an aircraft, a boat, or a
   car.

   Mobile IPv6 [4] is a solution that has been developed to support
   mobile nodes, i.e. mobile hosts and mobile routers. We discuss its
   ability to support an entire network attached to a mobile router and



Ernst & Bellier         Expires 22 December 2001                [Page 1]


INTERNET-DRAFT  Mobile Networks Support in Mobile IPv6      22 June 2001


   show, by means of an experiment, that the Home Agent is unable to
   redirect packets to the mobile network, and that optimal routing
   cannot be performed.  Some implementations may interpret the Mobile
   IPv6 specification in a way that would allow the HA to redirect
   packets to the mobile network, but we argue that relying on
   interpretation surely leads to misinterpretation and therefore
   pitfalls.

   We therefore propose to extend Mobile IPv6 with Prefix Scope Binding
   Updates to support mobile networks in the Internet.  Prefix Scope
   Binding Updates allow both clean redirection from the HA to the
   mobile network and optimal routing.  Prefix Scope Binding Updates
   contain a binding between a prefix and a care-of address.  All nodes
   in the mobile network share the same Mobile Network Prefix and the
   care-of address belongs to the Mobile Router.  On receiving a Prefix
   Scope Binding Update, the receiver is able to route all packets
   intended for nodes in the mobile network via the care-of address of
   the Mobile Router.

                                 Contents

Status of This Memo

Abstract

 1. Introduction

 2. Terminology
   2.1. General Terms and Mobile IPv6 terms
   2.2. Mobile Network specific terms
   2.3. Assumptions

 3. Why can't Mobile IPv6 support mobile networks ?
   3.1. Review of Mobile IP and Mobile Networks
   3.2. Experimentation
         3.2.1. Test Bed
         3.2.2. Registration with the Home Agent
         3.2.3. First experiment: Communication between CN and MR
         3.2.4. Second experiment: Communication between CN and SN1
   3.3. Discussion
   3.4. Conclusion

 4. Mobile IPv6 extensions to support mobile networks
   4.1. Packet format of the Binding Update
         4.1.1. New Binding Update Option format
         4.1.2. Mobile Network Prefix Sub-Option
   4.2. Cache Management
         4.2.1. Binding Cache entries
         4.2.2. Searching the Binding Cache entries
   4.3. Extended Mobile IPv6 protocol operation
         4.3.1. Correspondent Node Operation
         4.3.2. Home Agent Operation
         4.3.3. Mobile Router Operation

 5. Security Issues
   5.1. Authentication
   5.2. Authorization
         5.2.1. How to certify that the MR owns the prefix
         5.2.2. Assumptions concerning the Home Agent

 6. Main changes since last draft

 7. Acknowledgements

 8. References

 Author's Addresses

1. Introduction

   Mobile IPv4 [8] and Mobile IPv6 [4] have introduced mobility support
   for IPv4 and IPv6 [3] nodes respectively. The purpose of mobility
   support is to provide continuous Internet connectivity to mobile
   nodes. Mobile IP is a solution to support mobile nodes but does not
   handle mobile networks.

   There are situations where an entire network might move and attach to
   different places in the Internet topology. In this draft, we refer to
   a network as a set of nodes that share the same IP prefix and that
   are attached to the Internet through a single border router. We refer
   to a mobile network as a network whose border router dynamically
   changes its point of attachment to the Internet and thus its
   reachability in the IP topology. A mobile network may be composed of
   one or more IP-subnets.  The internal architecture of a mobile
   network is preserved while it is roaming. As such, nodes in the
   mobile network do not move with respect to one another and should
   not take part in mobility management.

   Applications of mobile networks include networks attached to people
   (Personal Area Networks, or PANs) and networks of sensors deployed in
   aircraft, boats, cars, trains, etc. (see [8] section 4.5).  As an
   example of a mobile network, imagine that an airline provides
   permanent on-board Internet connectivity. This allows all passengers
   to use their laptops to connect to remote hosts, download music or
   video from any provider, or browse the web. The Internet could also
   be used to exchange information between the aircraft and air traffic
   control stations. During the flight, the aircraft changes its point
   of attachment to the Internet and is reachable by distinct IP
   addresses owned by distinct Internet service providers. This scenario
   shows that mobile networks may be large, containing hundreds of hosts
   and several routers, and may attach to very distant parts of the
   Internet topology.

   Although the designers of Mobile IPv4 claim that it could support
   mobile networks as well as mobile nodes ([8] section 4.5, [9] section
   5.12, [7] section 11.2), we argue that this is not true for Mobile
   IPv6.  We have carefully studied the adequacy of Mobile IPv6 for
   supporting mobile networks and have come to the conclusion that some
   modifications are needed to support them.

                  ____
                 |    |
                 | CN |
                 |____|
                ___|____________________
               |                        |
               |                        |
               |       Internet         |
               |                        |
               |________________________|
                  __|_            __|_      ____
                 |    |   Border |    |    |    |
                 | FG |   Router | BR |    | HA |
                 |____|          |____|    |____|
                               _____|________|____ home
                Foreign                    __|_    link
                Gateway                   |    |
                                          | MR | Mobile Router
                                          |____|
                                    _________|_______  internal
                                     __|__     __|__   link
                                    |     |   |     |
                                    | SN1 |   | SN2 | Stationary Nodes
                                    |_____|   |_____|

                 Figure 1: Mobile Network attached to its home link


2. Terminology

 2.1. General terms and Mobile IPv6 terms

      General terms and Mobile IPv6 terms are as defined in the Mobile
      IPv6 specification [4].


 2.2. Mobile Network specific terms

      Mobile Network
         A set of nodes which are mobile, as a unit, with respect to the
         rest of the Internet, i.e. a Mobile Router and all its attached
         nodes.  The Mobile Router is dynamically changing its point of
         attachment to the Internet and thus its reachability in the IP
         topology.  All nodes in the mobile network share the same IP
         prefix: the Mobile Network Prefix.  Note that a Mobile Network
         may be composed of one or more IP-subnets.

      Mobile IP-subnet
         A Mobile Network that is limited to a single IP-subnet.

                  ____
                 |    |
                 | CN |
                 |____|
                ___|____________________
               |                        |
               |                        |
               |       Internet         |
               |                        |
               |________________________|
                  __|_            __|_      ____
                 |    |          |    |    |    | Home
                 | FG |          | BR |    | HA | Agent
                 |____|          |____|    |____|
             _______|__ foreign   __|________|____ home
                  __|_  link                 |     link
                 |    |
                 | MR | Mobile Router
                 |____|
               _____|_________ internal
              __|__     __|__  link
             |     |   |     |
             | SN1 |   | SN2 |
             |_____|   |_____|

                Figure 2: Mobile Network attached to a foreign link

      Mobile Router (MR)

         The border router of the mobile network which attaches the
         mobile network to the rest of the Internet.  The MR has (at
         least) two interfaces. The first interface is attached to the
         home link if the mobile network is at home, or it is attached
         to a foreign link if the mobile network is in a foreign
         network.  Other interfaces are attached to links internal to
         the mobile network and are configured with the Mobile Network
         Prefix (see below).  The Mobile Router maintains the Internet
         connectivity for the mobile network.  It is used to route
         packets between the mobile network and the fixed Internet.

      Stationary Node (SN)
         Any host or router permanently located within the mobile
         network and that is fixed with respect to the MR.

      Visiting Mobile Node (VN)
         A Mobile Node mobile with respect to the mobile network that is
         temporarily visiting the mobile network and whose home network
         is not the mobile network itself.  A VN may visit the mobile
         network and obtain a care-of address from a router within the
         mobile network.

      Local Mobile Node
         A Mobile Node mobile with respect to the mobile network whose
         home network is the mobile network itself.

      Node behind the MR
         A node behind the MR is a Mobile Network Node (MNN).  See
         definition of MNN.

      Mobile Network Node (MNN)
         Any host or router located within the mobile network, either
         permanently or temporarily. (Mobile Router, Stationary Node,
         Visiting mobile Node or a Local mobile Node).  From the fixed
         network, a MNN is seen as a "Node behind the Mobile Router".

      Correspondent Node (CN)
         External nodes corresponding with one or more MNNs of the
         mobile network.

      Foreign Gateways (FGs)
         Subsequent points of attachment of the mobile network

      Mobile Network Prefix

         The network prefix that is common to all IP addresses in the
         Mobile Network when the Mobile Router is attached to the home
         link. For a mobile network containing only one subnet, the
         Mobile Network Prefix is the prefix of this subnet ("home
         subnet prefix" as defined in [4]). Note that the Mobile Network
         Prefix is NOT the home subnet prefix (i.e. the IP subnet prefix
         corresponding to the mobile node's home address, as defined in
         [4]).

         An organization wishing to support larger mobile networks may
         decide to split the SLA field of the IPv6 address in several
         sub-fields (SLA1, SLA2).  In this case, the mobile network may
         be identified by a unique SLA1 field.  If the length of the
         SLA1 field is 8 bits, the length of the Mobile Network Prefix
         is 60 bits and the mobile network could contain up to 2^4
         subnets.

      Figure 1 illustrates a mobile network attached to its home link.
      In figure 2, the mobile network has moved and attaches to a
      foreign link.  Figure 3 illustrates a larger mobile network.

                  ____
                 |    |
                 | CN |
                 |____|
                ___|____________________
               |                        |
               |                        |
               |       Internet         |
               |                        |
               |________________________|
                  __|_            __|_      ____
                 |    |   Border |    |    |    |
                 | FG |   Router | BR |    | HA |
                 |____|          |____|    |____|
                               _____|________|____ home
                Foreign                     _|__   link
                Gateway                 |  |    |
                                _____   |__| MR | Mobile Router
                               |     |__|  |____|
                    Stationary | SN3 |  |   __|_____________ internal
                       Node    |_____|  |   __|__     __|__  link 1
                                _____   |  |     |   |     |
                               |     |__|  | SN1 |   | SN2 | Local Nodes
                    Stationary | SN4 |  |  |_____|   |_____|
                       Node    |_____|  |
                                        | internal
                                          link 2

                   Figure 3: Larger Mobile Network with 2 subnets

 2.3. Assumptions

   In order to keep things as simple as possible, we make the following
   assumptions in our draft:

      o the mobile network attaches to the Internet through only one
      mobile router.

      o the mobile router is not multihomed.

      o all nodes and interfaces in the mobile network are configured
      with a common and unique prefix: the mobile network prefix.

      o nodes behind the Mobile Router (MNNs) are only Stationary Nodes
      (SNs).  We therefore do not consider nodes mobile with respect to
      the mobile network, i.e. neither local nor visiting mobile nodes
      (see section 2.2 for the terminology), as illustrated in
      figure 4.

   Note that the proposal outlined in this draft is not limited to the
   above assumptions.  The purpose of this draft is to allow
   communication between a CN and a SN.  It may also be adapted to the
   particular case of Visiting Mobile Nodes but we have not yet
   investigated the particular issues that may arise in this case. Note
   that Hierarchical Mobile IPv6 Extended Mode [12] proposes to handle
   this case, but may need additional features such as the ones proposed
   in this draft.

                  ____
                 |    |
                 | CN |
                 |____|
                ___|____________________
               |                        |
               |                        |
               |       Internet         |
               |                        |
               |________________________|
                  __|_            __|_      ____
                 |    |   Border |    |    |    |
                 | FG |   Router | BR |    | HA |
                 |____|          |____|    |____|
                               _____|________|____ home
                Foreign           __|_             link
                Gateway          |    |
                                 | MR | Mobile Router
                                 |____|
                           _________|_______  internal
                            __|___     __|___ link
                           |      |   |      |
                           | VMN1 |   | VMN2 | VISITING MOBILE NODES
                           |______|   |______|

 Figure 4:  Visiting Mobile Nodes - not covered by this internet draft


3. Why can't Mobile IPv6 support mobile networks ?

   In this section, we first review how the Mobile IP specifications
   deal with mobile networks. We then show the results of an experiment
   we have conducted to demonstrate Mobile IPv6's inability to support
   mobile networks.  Then we discuss why the existing Mobile IPv6
   specification is unable to support mobile networks if the mobile
   router MR performs Mobile IPv6.

 3.1. Review of Mobile IP and Mobile Networks

      The Mobile IPv4 specification proposes to support mobile networks
      as standard mobile nodes (see [8] section 4.5, [9] section 5.12,
      [7] section 11.2). In this situation, the mobile node is the
      border router MR of the mobile network. It has a permanent home
      address on its home link and gets a new care-of address at each
      subsequent point of attachment.  Like any mobile node, MR sends a
      Binding Update to its home agent HA to instruct it to intercept
      and tunnel packets to its care-of address.  The HA is therefore
      able to intercept packets destined to the home address of MR.

      In order to intercept packets intended for Stationary Nodes on the
      mobile network:

         o either the Home Agent may be configured to have a permanent
         registration for each Stationary Node that indicates the Mobile
         Router's address as the Stationary Node's care-of address,

         o or the mobile router may advertise connectivity to the
         entire mobile network using normal IP routing protocols.

      Mobile IPv6 and Mobile IPv4 with Routing Optimization [11] could
      actually support mobile networks in the same way as Mobile IPv4.
      However, although mobile networks are mentioned in the Mobile IPv4
      specification, the current specifications of Mobile IPv4 with
      Routing Optimization and Mobile IPv6 no longer mention them.

 3.2. Experimentation

      The following sections describe an experiment showing that the
      existing Mobile IPv6 specification does not allow a packet to be
      routed from the fixed Internet to a Stationary Node on the mobile
      network.  This experiment was conducted on our IPv6 test bed
      using Francis Dupont's "INRIA" IPv6 implementation under FreeBSD.

  3.2.1. Test Bed

      As illustrated in figure 5, the Mobile Router MR has two
      interfaces.  The first is attached to the home link
      (3ffe:306:1130:100::/64) and is configured with the home address
      (3ffe:306:1130:100::eui64).  The second interface is on the Mobile
      Network (3ffe:306:1130:200::/64).

      The Mobile Router MR performs Mobile IPv6. The mobile network
      moves and attaches to the foreign link (3ffe:306:5555:7777::/64).
      In a first experiment, a Correspondent Node CN in the fixed
      Internet sends a ping packet to MR.  In a second experiment, the
      CN sends a packet to SN1, a Stationary Node on the mobile network.

  3.2.2.  Registration with the Home Agent

      MR obtains a care-of address on the foreign link and registers its
      primary care-of address with its Home Agent HA.  Once it receives
      a valid Binding Update, HA records in its Binding Cache the
      binding between the home address of the sender and its care-of
      address.  The home address is used as the key for searching the
      Binding Cache ([4] section 4.6). In order to intercept packets, HA
      claims it is the MR.  This is done by means of a "gratuitous"
      Neighbor Advertisement message sent on behalf of the mobile node
      (i.e. MR), as described in section 9.5 of the Mobile IPv6
      specification.

      More precisely, when it receives a home registration from MR, the
      HA:

         o opens a NDP proxy to intercept packets addressed to the home
         address of MR.

         o opens a tug (a virtual interface, i.e. IPv6 in IPv6 tunnel)
         between the care-of address of MR and itself.

         o adds a host-specific route (a route to a host, not to a
         prefix) for the home address of MR via its care-of address
         through the tug.

  3.2.3. First experiment: Communication between CN and MR

      CN sends a ping packet to MR's home address
      (3ffe:306:1130:100::eui64).  When the packet gets to the home
      network, BR sends NDP messages to discover the MAC address of MR.
      HA answers with its address on behalf of MR. The packet gets
      routed to the HA. In the standard IPv6 input function of the HA,
      the packet is routed through the tug, i.e. tunneled to MR's
      care-of address.

  3.2.4. Second experiment: Communication between CN and SN1

      CN sends a ping packet to node SN1's IP address
      (3ffe:306:1130:200::eui64). When the packet gets to the home
      network, BR checks its routing table to reach SN1. BR has a route
      to the mobile network; MR's home address is the next hop towards
      SN1. BR sends NDP messages to discover the MAC address of MR. HA
      answers with its address on behalf of the MR. The HA intercepts
      the packet, but does not have a route to the mobile network. So it
      sends the ping packet to its default route (i.e. the BR) which
      forwards it again to the HA. THE PING PACKET ENTERS A ROUTING LOOP
      UNTIL THE TTL EXPIRES.

         ____
        |    |
        | CN |
        |____|
       ___|____________________
      |                        |
      |                        |
      |       Internet         |
      |                        |
      |________________________|
         __|_            __|_      ____
        |    |          |    |    |    | Home Agent
        | FG |          | BR |    | HA | Binding cache:
        |____|          |____|    |____| 3ffe:306:1130:100::eui64 -> COA
           |               |        |
    _______|_ foreign    __|________|____ home link
           |  link                     |  3ffe:306:1130:100::/64
           |  3ffe:306:5555:7777::/64
         __|_
        |    | Mobile Router
        | MR | home address 3ffe:306:1130:100::eui64
        |____| COA 3ffe:306:5555:7777::eui64
           |
      _____|_________ internal link
       |         |    3ffe:306:1130:200::/64
     __|__     __|__
    |     |   |     |
    | SN1 |   | SN2 | Stationary Node 1
    |_____|   |_____| 3ffe:306:1130:200::eui64

      Figure 5: Packets sent from CN to SN1 are dropped by Home Agent

 3.3. Discussion

      We see that obtaining a care-of address and requesting the HA to
      redirect incoming packets intended for the MR doesn't require
      modifications in the Mobile IPv6 specification as this could be
      done independently for a host or for a router.  As a result,
      packets destined to the MR are correctly intercepted by the HA and
      tunneled to the MR.

      However, although the HA is able to intercept datagrams intended
      for the Stationary Nodes on the mobile network, it is unable to
      encapsulate them to the care-of address of the MR because it does
      not have a route to the mobile network.  The MR registration only
      tells the HA to record a host-specific route in its routing table.
      A network route for the mobile network prefix (prefix of the
      second interface of MR) via the care-of address of MR is missing.

      Some other implementations of the Mobile IPv6 specification
      interpret the behavior of the Home Agent when it receives a
      Mobile Router registration.  In such implementations, the HA may
      have a network route for the mobile network via the care-of
      address of the MR.  We argue that such implementations do not
      strictly follow the Mobile IPv6 specification and probably do
      not comply with it.  Leaving too much room for interpretation
      surely leads to misinterpretation and pitfalls, not to say
      security holes.  This gap should at least be clarified in an
      updated version of the Mobile IPv6 specification.
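
      The routing loop of section 3.2.4 and the missing network route
      discussed above, as an added example (a simplified model, not code
      from the draft or from the INRIA implementation).  The interface
      IDs, table layout and function names are assumptions made for the
      illustration; "hop limit" is the IPv6 field the draft calls TTL.

```python
import ipaddress

# Prefixes are the ones in the draft's test bed. The draft writes interface
# IDs as "eui64"; the ::a and ::1 interface IDs below are constructed.
HOME_LINK = ipaddress.IPv6Network("3ffe:306:1130:100::/64")
MOBILE_NET = ipaddress.IPv6Network("3ffe:306:1130:200::/64")
DEFAULT = ipaddress.IPv6Network("::/0")
MR_HOME = ipaddress.IPv6Address("3ffe:306:1130:100::a")
MR_COA = ipaddress.IPv6Address("3ffe:306:5555:7777::a")
SN1 = ipaddress.IPv6Address("3ffe:306:1130:200::1")

ON_LINK, TUNNEL, VIA_BR = "on-link", "tunnel", "via-BR"

# BR: the home link is directly attached; the mobile network is reached
# through MR's home address.
BR_TABLE = [(HOME_LINK, ON_LINK), (MOBILE_NET, MR_HOME)]
# While MR is away, HA answers Neighbor Discovery for MR's home address.
HOME_LINK_NEIGHBORS = {MR_HOME: "HA"}

# HA after a plain Mobile IPv6 home registration: a host route only.
HA_HOST_ROUTE_ONLY = [
    (ipaddress.IPv6Network(f"{MR_HOME}/128"), TUNNEL),
    (DEFAULT, VIA_BR),
]
# HA with the network route that section 3.3 identifies as missing.
HA_WITH_NETWORK_ROUTE = HA_HOST_ROUTE_ONLY + [(MOBILE_NET, TUNNEL)]


def lookup(table, dst):
    """Longest-prefix match: next hop of the most specific matching route."""
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(dst, ha_table, hop_limit=64):
    """Follow a packet that has just reached BR from the Internet.

    Returns (outcome, path); outcome is "tunneled", "hop-limit-exceeded"
    or "unreachable".
    """
    node, path = "BR", ["BR"]
    while hop_limit > 0:
        hop_limit -= 1
        if node == "BR":
            hop = lookup(BR_TABLE, dst)
            target = dst if hop == ON_LINK else hop
            node = HOME_LINK_NEIGHBORS.get(target)  # who answers NDP
            if node is None:
                return "unreachable", path
        else:  # at HA
            hop = lookup(ha_table, dst)
            if hop == TUNNEL:
                return "tunneled", path + [f"tunnel->{MR_COA}"]
            if hop != VIA_BR:
                return "unreachable", path
            node = "BR"
        path.append(node)
    return "hop-limit-exceeded", path


if __name__ == "__main__":
    cases = (
        ("CN -> MR, host route only", MR_HOME, HA_HOST_ROUTE_ONLY),
        ("CN -> SN1, host route only", SN1, HA_HOST_ROUTE_ONLY),
        ("CN -> SN1, with network route", SN1, HA_WITH_NETWORK_ROUTE),
    )
    for label, dst, table in cases:
        outcome, path = trace(dst, table, hop_limit=8)
        print(f"{label}: {outcome}: {' > '.join(path)}")
```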

 3.4. Conclusion

      Since the HA is unable to redirect packets intended for the
      Stationary Nodes and CNs don't have an entry in their Binding
      Cache to route packets directly to the Stationary Nodes, no
      communication at all is possible between CNs and the Stationary
      Nodes.

      We conclude that the Mobile IPv6 specification needs:

         o to be at least explicitly clarified in order for the HA to
         redirect all packets intended to the mobile network, but
         extensions are more likely needed.

         o to be extended in order to transmit packets from the CN to
         the Stationary Nodes by the most optimal route.

4. Mobile IPv6 extensions to support mobile networks

 4.0. Overview

   According to the observations made in section 3.2.4, we propose to
   extend Mobile IPv6 with "Prefix Scope Binding Updates".  Instead of
   establishing a one-to-one relationship between a home address and a
   care-of address, the binding establishes a many-to-one relationship
   between the set of nodes that share the same mobile network prefix
   and a care-of address.  Prefix Scope Binding Updates are Binding
   Updates that associate a care-of address with the mobile network
   prefix instead of the full 128-bit IPv6 home address.  The mobile
   network prefix is used as a netmask in the Binding Cache.

   The Mobile Router sends Prefix Scope Binding Updates containing both
   its care-of address and the mobile network prefix to all the
   Correspondent Nodes that communicate with itself or any Stationary
   Node on the mobile network it is serving.  The Prefix Scope Binding
   Update instructs its recipients to use the care-of address of the
   Mobile Router for all packets whose destination address corresponds
   to the mobile network prefix.

   As a result, a single Prefix Scope Binding Update allows optimal
   routing between a CN and any Stationary Node on the same mobile
   network.

   The mobile network prefix is carried in a new Sub-Option and requires
   a new flag in the Mobile IPv6 Binding Update Option. The procedure
   for searching the Binding Cache is slightly modified.

 4.1. Packet Format of the Binding Update

      We propose to extend the Mobile IPv6 Binding Update Option with an
      extra flag "Prefix Scope Registration" (P) taken from the
      "Reserved" field.  In addition, the "Mobile Network Prefix" is a
      new sub-option that contains the mobile network prefix.

  4.1.1. New Binding Update Option format

         The Binding Update option is encoded in type-length-value (TLV)
         format as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |  Option Type  | Option Length |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |A|H|R|D|P|Rsrvd| Prefix Length |        Sequence Number        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                            Lifetime                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |   Sub-Options...
       +-+-+-+-+-+-+-+-+-+-+-+-

         Prefix Scope Registration (P)

            When set, it indicates that the sending mobile node attempts
            to register a care-of address for an entire network.  It
            also requests the receiving node to process the Mobile
            Network Prefix Sub-Option and to re-route packets with a
            destination address that corresponds to the Mobile Network
            Prefix.

         Rsrvd

            This field is reduced from a 4-bit field to a 3-bit field to
            account for the addition of the "Prefix Scope Registration"
            bit.  The remaining 3 bits are unused and MUST be
            initialized to zero by the sender and MUST be ignored by the
            receiver.

  4.1.2. Mobile Network Prefix Sub-Option

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |Sub-Option Type| Sub-Option Len| Prefix Length |               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                     Mobile Network Prefix                     +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


         The Mobile Network Prefix is filled by the sending mobile node
         to request the receiving node to record a Prefix Scope entry in
         the Binding Cache (see section 4.2).

         The Prefix Length field is set to the (nonzero) length of the
         mobile network prefix.

         The Mobile Network Prefix field is set to the prefix of the
         mobile network.

 4.2. Cache Management

  4.2.1. Binding Cache entries

         Each Binding Cache entry contains the same fields as defined in
         [4]. A new "Prefix Scope Registration" flag is added:

            - a flag "Prefix Scope Registration" (P) indicating whether
            or not this Binding Cache entry represents a mobile network
            served by a mobile router whose prefix is recorded in the
            "Home Address" field.

            - the value of the "Prefix Length" field received in the
            Binding Update that created or last modified this Binding
            Cache entry.  This field is only valid if the "Prefix Scope
            Registration" flag or the "Home Registration" flag is set on
            this Binding Cache entry.  If the "Prefix Scope
            Registration" flag is set, the "Prefix Length" field
            corresponds to the length of the mobile network prefix;
            otherwise the meaning is as defined in [4].

            - if the "Prefix Scope Registration" (P) flag is set, the
            "home address" field is filled with the mobile network
            prefix.

  4.2.2. Searching the Binding Cache entries

         The Binding Cache is searched for an entry corresponding to the
         destination address of the packet.  The destination address is
         compared with the home address field of entries recorded in the
         Binding Cache.

         If the "Prefix Scope Registration" flag is set in the entry
         under comparison, the first "Prefix Length" bits of the
         destination address are compared with the "home address"
         field.  If the prefix of the destination matches the mobile
         network prefix recorded in the entry, the destination is
         located in a mobile network.

         If the "Prefix Scope Registration" flag is not set, the
         comparison is made on the full 128-bit addresses.  If the
         destination address matches the home address, the destination
         is a mobile node.

         In both cases, the care-of address of the corresponding entry
         is returned.

 4.3.  Extended Mobile IPv6 protocol operation

      The Mobile Node operation is extended to set the (P) bit to 1 and
      to fill the Mobile Network Prefix Sub-Option when it is a Mobile
      Router that serves as the gateway of a mobile network.  It is also
      extended to send Binding Updates to all CNs that communicate with
      any Stationary Node on the mobile network.

      The Correspondent Node and the Home Agent operations are extended
      to process Mobile Network Prefix Sub-Option and to transmit
      packets to the care-of address of the Mobile Router.  The Mobile
      Network Prefix Sub-Option is processed if the (P) bit from the
      Binding Update Option is set.  Packets are transmitted to the
      care-of address of the Mobile Router if the destination address
      matches the Mobile Network Prefix.

      The following sections only describe changes according to sections
      8, 9 and 10 of the Mobile IPv6 specification [4].

  4.3.1. Correspondent Node Operation

         Receiving (Prefix Scope) Binding Updates

            Upon receiving a Binding Update, the CN performs validity
            checks as described in [4] section 8.2.  In addition, if the
            "Prefix Scope Registration" (P) bit in the Binding Update
            Option is set, the CN received a Binding Update from a
            Mobile Router serving a mobile network. The Mobile Network
            Prefix Sub-Option MUST be ignored if the "Prefix Scope
            Registration" (P) bit from the Binding Update Option is not
            set.

            If the Binding Update is valid, the CN creates a new entry
            in its Binding Cache for this mobile node.  This is
            performed as described in [4].

            In addition, if the (P) bit is set, the CN creates a second
            Binding Cache entry similar to the first one and copies into
            it the "Prefix Scope Registration" bit from the Binding
            Update Option and the "Prefix Length" field from the Mobile
            Network Prefix Sub-Option.  The "Home Address" field in the
            Binding Cache is filled from the "Mobile Network Prefix"
            field in the Mobile Network Prefix Sub-Option.

            Figure 6 shows the content of the Binding Cache.

         Sending Packets

            Before sending any packet, the sending node examines its
            Binding Cache for an entry for the destination address to
            which the packet is being sent (see section 4.2.2 "Searching
            the Binding Cache").  If the sending node has a Binding
            Cache entry, the sending node uses a routing header to route
            the packet to the destination node via the returned care-of
            address.
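
         Added example (not the draft's or any implementation's code):
         the Binding Cache handling of sections 4.2.1, 4.2.2 and 4.3.1
         in Python, using the addresses of Figure 6 with constructed
         interface identifiers.  Rejecting an out-of-range Prefix Length
         and preferring the longest matching entry are choices of this
         example, not rules stated in the draft.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    home: ipaddress.IPv6Address   # home address, or the prefix when p_flag is set
    prefix_len: int               # bits compared on lookup (128 for a host entry)
    coa: ipaddress.IPv6Address    # care-of address returned on a match
    p_flag: bool = False          # "Prefix Scope Registration" (P)


class BindingCache:
    def __init__(self):
        self.entries = {}         # keyed by (home, prefix_len, p_flag)

    def _store(self, e):
        self.entries[(e.home, e.prefix_len, e.p_flag)] = e

    def process_binding_update(self, home, coa, p_bit=False,
                               mnp=None, mnp_len=None):
        """Section 4.3.1; call only after the validity checks of [4] passed."""
        home = ipaddress.IPv6Address(home)
        coa = ipaddress.IPv6Address(coa)
        prefix_entry = None
        if p_bit:                 # sub-option fields are ignored unless P is set
            # Example policy: a zero Prefix Length would match every
            # destination, so reject the update before caching anything.
            if mnp is None or mnp_len is None or not 1 <= mnp_len <= 128:
                raise ValueError("P set without a usable prefix")
            net = ipaddress.IPv6Network((mnp, mnp_len), strict=False)
            prefix_entry = Entry(net.network_address, mnp_len, coa, True)
        self._store(Entry(home, 128, coa))        # entry for the MR itself
        if prefix_entry:
            self._store(prefix_entry)             # second entry, P flag set

    def lookup(self, dst):
        """Section 4.2.2: return the care-of address for dst, or None."""
        dst = int(ipaddress.IPv6Address(dst))
        best = None
        for e in self.entries.values():
            # P set: compare the first prefix_len bits; else all 128 bits.
            shift = 128 - e.prefix_len if e.p_flag else 0
            if dst >> shift != int(e.home) >> shift:
                continue
            if best is None or e.prefix_len > best.prefix_len:
                best = e          # example choice: longest match wins
        return best.coa if best else None


def figure6_cache():
    """Binding Cache of the CN in Figure 6 (interface IDs are constructed)."""
    cache = BindingCache()
    cache.process_binding_update(
        home="3ffe:306:1130:100::1", coa="3ffe:306:5555:7777::1",
        p_bit=True, mnp="3ffe:306:1130:200::", mnp_len=64)
    return cache
```

         A node on the home link other than the Mobile Router, or on a
         neighbouring /64, gets no match, so only traffic for the
         registered prefix is redirected to the care-of address.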




  4.3.2. Home Agent Operation

         Primary care-of address registration

            Upon receiving a Binding Update, the HA performs validity
            checks as described in [4] section 9.3.  In addition, if the
            "Prefix Scope Registration" (P) bit in the Binding Update
            Option is set, the HA received a Binding Update from a
            Mobile Router serving a mobile network. The Mobile Network
            Prefix Sub-Option MUST be ignored if the "Prefix Scope
            Registration" (P) bit from the Binding Update Option is not
            set.

            If the Binding Update is valid, the HA creates a new entry
            in its Binding Cache for this mobile node as described in
            [4].

            In addition, if the (P) bit is set, the sending node is a
            Mobile Router and the HA creates a second Binding Cache
            entry similar to the first one and copies into it the
            "Prefix Scope Registration" bit from the Binding Update
            Option and the "Prefix Length" field from the Mobile Network
            Prefix Sub-Option.  The "Home Address" field in the Binding
            Cache is filled from the "Mobile Network Prefix" field in
            the Mobile Network Prefix Sub-Option.

            Figure 6 shows the content of the Binding Cache.

         Intercepting Packets

            Datagrams sent by the CN to the IP address of the Stationary
            Node are routed towards the home link of the mobile router
            where they are intercepted by the HA as specified in [4]
            section 9.5.

         Tunneling Intercepted Packets to a Mobile Node

            For any packet sent to a mobile node or a Stationary Node
            for which the Home Agent is the original sender of the
            packet, the Home Agent is operating as a Correspondent Node
            and the procedures described in section 4.3.2 apply.

            While acting as a Home Agent, the Home Agent intercepts any
            packet on the home link addressed to a mobile node or to a
            Stationary Node. The Home Agent examines its Binding Cache
            for an entry for the destination address to which the packet
            is being sent (see section 4.2.2 "Searching the Binding
            Cache").  If the sending node has a Binding Cache entry, the
            Home Agent tunnels the packet to the care-of address
            recorded in that Binding Cache entry.

  4.3.3. Mobile Router Operation

         Obtaining a care-of address

            Similarly to a standard mobile node as defined in the Mobile
            IPv6 specification [4], the Mobile Router obtains a new
            care-of address at each of its subsequent points of
            attachment using either stateless or stateful DHCPv6 address
            configuration.

         ____
        |    |
        | CN | Binding cache:
        |____| 3ffe:306:1130:100::eui64 -> COA
          |    3ffe:306:1130:200/64 -> COA
       ___|____________________
      |                        |
      |                        |
      |       Internet         |
      |                        |
      |________________________|
         __|_            __|_      ____
        |    |          |    |    |    | Home Agent
        | FG |          | BR |    | HA | Binding cache:
        |____|          |____|    |____| 3ffe:306:1130:100::eui64 -> COA
           |               |        |    3ffe:306:1130:200/64 -> COA
           |               |        |
    _______|__ foreign   __|________|____ home link
           |   link                 |     3ffe:306:1130:100::/64
         __|_
        |    | Mobile Router
        | MR | home address 3ffe:306:1130:100::eui64
        |____| COA 3ffe:306:5555:7777::eui64
           |
      _____|_________ internal link
       |         |    3ffe:306:1130:200::/64
     __|__     __|__
    |     |   |     |
    | SN1 |   | SN2 | Stationary Node 1
    |_____|   |_____| 3ffe:306:1130:200::eui64

    Figure 6 : Mobile Network Prefix is recorded in the Binding Cache

         Receiving encapsulated packets from the Home Agent

            The Mobile Router may receive packets encapsulated to its
            care-of address.  Those packets may indeed be intended for
            the Mobile Router itself or for any MNN served by the Mobile
            Router. The reception of an encapsulated packet tunneled
            from the Mobile Router's Home Agent is an indication that
            the original sender may not have a Binding Cache entry for
            the Mobile Network Prefix. In this case, the Mobile Router
            may deduce that a Prefix Scope Binding Update should be sent
            to the original sender of the packet.

         Sending Prefix Scope Binding Updates

            A Mobile Router serving as a gateway to a mobile network
            sends Prefix Scope Binding Update datagrams to its Home
            Agent, its own CNs, and CNs of the Stationary Nodes it is
            serving.  Prefix Scope Binding Updates are sent as specified
            in [4] section 10.6 and 10.8 and the Binding List is filled
            accordingly.  In addition, the Mobile Router sets the
            "Prefix Scope Registration" bit in the Binding Update Option
            and inserts a Mobile Network Prefix Sub-Option.  The "Prefix
            Length" and the "Mobile Network Prefix" fields are filled
            according to the Mobile Network Prefix owned by the Mobile
            Router.

         Bypassing ingress filtering

            In order to bypass ingress filtering, the Mobile Router may
            encapsulate all outgoing packets to the destination with its
            care-of address as the outer source address.

5. Security Issues

 5.1. Authentication

      The registration of the Mobile Router's care-of address for a set
      of nodes that share the same network prefix (Mobile Network
      Prefix) does not break authentication and does not differ from the
      standard Mobile IPv6 registration for a mobile node.  In Mobile
      IPv6, the Mobile Node is authenticated by the CN based on its home
      address, whatever the content of the Binding Update. Similarly,
      nothing breaks the authentication of the sender of a Prefix Scope
      Binding Update.  The Mobile Router operates as a standard Mobile
      Node and has a home address. Authentication is still based on this
      home address.  Recipients of the prefix scope Binding Updates are
      not misled about the identity of the sender. The mobile router is
      clearly authenticated by its HA and CNs whatever is contained in
      the Binding Update.

 5.2. Authorization

      Recent discussions on the mailing list and at IETF meetings have
      advocated a need to extend Mobile IPv6 with authorization.  In the
      standard Mobile IPv6, the Mobile Node is authenticated by its HA
      and CNs but those have no guarantee that the Mobile Node is
      allowed to send a Binding Update for the home address specified in
      the Binding Update.  Indeed, the Mobile IPv6 policy is to accept
      whatever is being carried in the Binding Update as long as the
      sender is authenticated.

      A Mobile Router willing to send Prefix Scope Binding Updates faces
      the same authorization issue.  In addition, a means is required to
      authorize a Mobile Router to register a binding between the Mobile
      Network Prefix and its care-of address.  In other words, we need a
      means to certify that the Mobile Router actually serves the Mobile
      Network Prefix.

  5.2.1. How to certify that the MR owns the prefix

         Proposals [14,15,16] that require the participation of the Home
         Agent to authorize a Mobile Node are suitable to operate with
         Mobile Routers as well.  We consider only BAKE [16] in the
         following since it appears to be the most advanced submission
         as well as the one that introduces the least computational
         overhead. The very aim of BAKE is to distribute keys between a
         Mobile Node and a Correspondent Node, making the CN aware that
         the MN actually has the right to send a Binding Update for a
         specific Home Address.  Prior to sending the Binding Update,
         three new messages are supposed to be exchanged within that
         proposal:

            o Binding Warning (MN --> CN)

            o Binding Request (CN --> HA & HA --> MN)

            o Binding Key Establishment (MN --> CN)

         This kind of messaging (involving the Home Agent to check
         whether the Mobile Node can be reached at the Home Address it
         provided) can be reused with a Mobile Router.  A few
         modifications are however required to make BAKE support Mobile
         Networks.  Basically, the authorization mechanism should be
         extended so that it supports a Binding Update for a prefix.
         Obviously, we must avoid a situation where any node served by
         the Mobile Router would be able to send a Prefix Scope Binding
         Update instead of the Mobile Router.

         To do so, the easiest way would be to add a flag to the Binding
         Request message, telling the HA that the Binding Warning the CN
         just received was sent by a Mobile Router (at least claiming to
         be one). The HA would then have to check whether this claim is
         true; according to the result of this check, the Binding
         Request would be either silently discarded or would be
         forwarded to the Mobile Router.

  5.2.2. Assumptions concerning the Home Agent

         The HA MUST be aware that the Mobile Router is not a basic host
         but actually a Router.  The HA MUST know the Mobile Network
         Prefix served by the Mobile Router.

         A means MUST be given to the Mobile Router to make it able to
         securely (i.e. being both authenticated and authorized) send a
         Binding Update to its HA, thus updating the HA binding cache
         prior to initiating the BAKE procedure (in case of BAKE
         implementation).

6. Main changes since last draft

   6.2. Changes from draft-v1 to draft-v2

      - Abstract rewritten

      - Extended section about security issues.

      - Clarification between "home subnet prefix" and "Mobile Network
      Prefix" in the terminology.

      - Section 3.3 divided into 3.3 and 3.4

      - Added section "Receiving encapsulated packets from the Home
      Agent"

      - Minor misspelling corrections

   6.1. Changes from draft-v0 to draft-v1

      - Updated definitions of the terminology section 2.2,
      particularly:

         o clarified the distinction between possible kinds of nodes
         located in the mobile network: Fixed Nodes (FN) and Visiting
         mobile Nodes (VN).

         o clarified that the Mobile Router has (at least) two
         interfaces, one on the home link, one on the mobile network

      - New example showing IPv6 addresses

      - Added a description of an experiment showing that the HA is
      unable to tunnel packets to the mobile network if the final
      destination is not the Mobile Router itself.

      - Enhanced section about security concerns


7. Acknowledgements

   We would like to thank Francis Dupont
   (Francis.Dupont@enst-bretagne.fr) for his careful reading and his
   very valuable comments and suggestions.


8. References

   [1] J. Bound and C. Perkins. Dynamic Host Configuration Protocol for
   IPv6 (DHCPv6), February 1999. Work in Progress

   [2] S. Thomson and T. Narten. IPv6 Stateless Address
   Autoconfiguration. RFC 2462, December 1998.

   [3] S. Deering and R. Hinden. Internet Protocol Version 6 (IPv6)
   Specification. RFC 2460, December 1998.

   [4] D. B. Johnson and C. Perkins. Mobility Support in IPv6, April
   2000. Work in progress.

   [5] S. Kent and R. Atkinson. IP Authentication Header. RFC 2402,
   November 1998.

   [6] S. Kent and R. Atkinson. IP Encapsulating Security Payload (ESP).
   RFC 2406, November 1998.

   [7] J. D. Solomon. Mobile IP, The Internet Unplugged. Prentice Hall
   Series in Computer Networking and Distributed Systems. Prentice Hall
   PTR, 1998. ISBN 0-13-856246-6.

   [8] C. Perkins (Editor). IP Mobility Support. RFC 2002, October 1996.

   [9] C. E. Perkins. Mobile IP, Design Principles and Practices.
   Wireless Communications Series. Addison-Wesley, 1998. ISBN 0-201-
   63469-4.

   [10] T. Narten, E. Nordmark, and W. Simpson. Neighbor Discovery for
   IP version 6 (IPv6). RFC 2461, December 1998.

   [11] C. Perkins and D. B. Johnson. Route Optimization in Mobile IP,
   Sun Microsystems and Carnegie Mellon University, February 2000. Work
   in progress.

   [12] Hesham Soliman, Claude Castelluccia, "Hierarchical MIPv6
   mobility management", Internet Draft <draft-ietf-mobileip-hmipv6-
   03.txt>, IETF, February 2001.  Work in progress.

   [13] P. Nikander.  An Address Ownership Problem in IPv6, Internet
   Draft <draft-nikander-ipng-address-ownership-00.txt>, IETF, February
   2001.  Work in progress.

   [14] Franck Le, Stefano M. Faccin, "Dynamic Diffie Hellman based Key
   Distribution for Mobile IPv6", Internet Draft <draft-le-mobileip-dh-
   00.txt>, IETF, April 2001. Work in progress.

   [15] Michael Thomas, Dave Oran, "Home Agent Cookies for Binding
   Updates", Internet Draft <draft-thomas-mobileip-ha-cookies-00.txt>,
   IETF, March 2001. Work in progress.

   [16] Pekka Nikander, Charles Perkins, "Binding Authentication Key
   Establishment Protocol for Mobile IPv6", Internet Draft <draft-
   perkins-bake-00.txt>, IETF, April 2001. Work in progress.


Authors' Addresses

 Please direct questions about this memo to the first author

 Thierry Ernst
 Motorola Labs Paris and INRIA - PLANETE team
 ZIRST-655 avenue de l'Europe
 38330 Montbonnot Saint Martin, France
 http://www.inrialpes.fr/planete/
 Phone: +33 4 76 61 52 69
 Email: Thierry.Ernst@inrialpes.fr

 Ludovic Bellier
 INRIA - PLANETE team
 ZIRST-655 avenue de l'Europe
 38330 Montbonnot Saint Martin, France
 Email: Ludovic.Bellier@inrialpes.fr

 Alexis Olivereau
 Motorola Labs Paris, Networking and Applications Lab (NAL)
 Espace Technologique - Saint Aubin
 91193 Gif-sur-Yvette Cedex, France
 Phone: +33 1 69 35 25 16
 Email: Alexis.Olivereau@crm.mot.com

 Claude Castelluccia
 INRIA - PLANETE team
 ZIRST-655 avenue de l'Europe
 38330 Montbonnot Saint Martin, France
 Phone: +33 4 76 61 52 15
 Email: Claude.Castelluccia@inrialpes.fr

 Hong-Yon Lach
 Motorola Labs Paris, Lab Manager, Networking and Applications Lab (NAL)
 Espace Technologique - Saint Aubin
 91193 Gif-sur-Yvette Cedex, France
 Phone: +33 1 69 35 25 36
 Email: Hong-Yon.Lach@crm.mot.com