Network Working Group                                           K. Leung
Internet-Draft                                                G. Dommety
Expires: April 10, 2008                                    Cisco Systems
                                                            V. Narayanan
                                                          Qualcomm, Inc.
                                                             A. Petrescu
                                                                Motorola
                                                         October 5, 2007


          Network Mobility (NEMO) Extensions for Mobile IPv4
                 draft-ietf-mip4-nemo-v4-base-04.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on  April 10, 2008.

Copyright Notice

   Copyright (C) The Internet Society (2007).

Abstract

   This document describes a protocol for supporting Mobile Networks
   between a Mobile Router and a Home Agent by extending the Mobile IPv4
   protocol.  A Mobile Router is responsible for the mobility of one or
   more network segments or subnets moving together.  The Mobile Router
   hides its mobility from the nodes on the mobile network.  The nodes
   on the Mobile Network may be fixed in relationship to the Mobile
   Router and may not have any mobility function.

   Extensions to Mobile IPv4 are introduced to support Mobile Networks.





Leung, et al.             Expires April 10, 2008               [Page i]


Internet-Draft                Mobile Router                October 2007

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 1
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . . 2
   3.  Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 3
   4.  Mobile Network Extensions  . . . . . . . . . . . . . . . . . . 3
     4.1.  Mobile Network Request Extension . . . . . . . . . . . . . 3
     4.2.  Mobile Network Acknowledgement Extension . . . . . . . . . 4
   5.  Mobile Router Operation  . . . . . . . . . . . . . . . . . . . 6
     5.1.  Error Processing . . . . . . . . . . . . . . . . . . . . . 6
   6.  Home Agent Operation . . . . . . . . . . . . . . . . . . . . . 7
     6.1.  Summary  . . . . . . . . . . . . . . . . . . . . . . . . . 7
     6.2.  Data Structures  . . . . . . . . . . . . . . . . . . . . . 8
       6.2.1.  Registration Table . . . . . . . . . . . . . . . . . . 8
       6.2.2.  Prefix Table . . . . . . . . . . . . . . . . . . . . . 8
     6.3.  Mobile Network Prefix Registration . . . . . . . . . . . . 8
     6.4.  Advertising Mobile Network Reachability  . . . . . . . . .10
     6.5.  Establishment of Bi-directional Tunnel . . . . . . . . . .10
     6.6.  Sending Registration Replies . . . . . . . . . . . . . . .10
     6.7.  Mobile Network Prefix De-registration  . . . . . . . . . .11
   7.  Data Forwarding Operation  . . . . . . . . . . . . . . . . . .11
   8.  Nested Mobile Networks . . . . . . . . . . . . . . . . . . . .11
   9.  Routing Protocol between Mobile Router and Home Agent. . . . .12
   10. Security Considerations  . . . . . . . . . . . . . . . . . . .13
     10.1 Security when Dynamic Routing Protocol is Used. . . . . . .13
   11. IANA Considerations  . . . . . . . . . . . . . . . . . . . . .14
   12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .15
   13. References . . . . . . . . . . . . . . . . . . . . . . . . . .15
     13.1. Normative References . . . . . . . . . . . . . . . . . . .15
     13.2. Informative References . . . . . . . . . . . . . . . . . .15
   13. Changelog  . . . . . . . . . . . . . . . . . . . . . . . . . .16
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .17
   Intellectual Property and Copyright Statements . . . . . . . . . .18

1.  Introduction

   This document describes protocol extensions to Mobile IPv4 as per
   [RFC3344] and its update [2], to enable support for Mobile
   Networks.  This draft addresses mainly the co-located Care-of
   Address mode.  Foreign Agent Care-of Address mode (with 'legacy'
   Foreign Agents, RFC 3344) are supported but without optimization,
   double encapsulation being used.  For an optimization of this mode,
   the gentle reader is directed to [1].

   A Mobile Network is defined as a network segment or subnet that can
   change its point of attachment to the routing infrastructure.  Such
   movement is performed by a Mobile Router, which is the mobility
   entity that provides connectivity and reachability as well as
   session continuity for all the nodes in the Mobile Network.  The
   Mobile Router typically serves as the default gateway for the hosts
   on the Mobile Network.

   Mobility for the Mobile Network is supported by the Mobile Router
   registering the point of attachment to its Home Agent.  This
   signaling sets up the tunnel between the two entities.

Leung, et al.             Expires April 10, 2008               [Page 1]


Internet-Draft                Mobile Router                October 2007

   The Mobile Networks (either implicitly configured on the Home Agent
   or explicitly identified by the Mobile Router) are advertised by
   the Home Agent for route propagation.  Traffic to and from nodes in
   the Mobile Network are tunneled by the Home Agent to the Mobile
   Router, and vice versa.  Though packets from the Mobile Network can
   be forwarded directly without tunneling (if reverse tunneling is
   not used) packets will be dropped if ingress filtering is turned
   on.

   This document specifies an additional tunnel between Mobile
   Router's Home Address and the Home Agent.  This tunnel is
   encapsulated within the normal tunnel between the Care-of Address
   (CoA) and Home Agent.  In Foreign Agent CoA mode, the tunnel
   between the Mobile Router and Home Agent is needed to allow the
   Foreign Agent to direct the decapsulated packet to the proper
   visiting Mobile Router.  However, in Collocated CoA mode, the
   additional tunnel is not essential and could be eliminated because
   the Mobile Router is the recipient of the encapsulated packets for
   the Mobile Network; a proposal for this feature is in [1].

   All traffic between the nodes in the Mobile Network and Correspondent
   Nodes passes through the Home Agent.  This document does not cover
   route optimization of this traffic.

   A similar protocol has been documented in [RFC3963] for supporting
   IPv6 mobile networks with Mobile IPv6 extensions.

   Multihoming for Mobile Routers is outside the scope of this
   document.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Terminology for network mobility support is defined in [RFC3344]
   and its update [2].  In addition, this document defines the
   following terms.

      Mobile Network Prefix

         The network prefix of the subnet delegated to a Mobile Router
         as the Mobile Network.

      Prefix Table

         A list of Mobile Network Prefixes indexed by the Home Address
         of a Mobile Router.  The Home Agent manages and uses Prefix
         Table to determine which Mobile Network Prefixes belong to a
         particular Mobile Router.





Leung, et al.             Expires April 10, 2008               [Page 2]


Internet-Draft                Mobile Router                October 2007

3.  Requirements

   Although Mobile IPv4 stated that Mobile Network can be supported by
   the Mobile Router and Home Agent using static configuration or
   running a routing protocol, there is no solution for explicit
   registration of the Mobile Networks served by the Mobile Router.  A
   solution needs to provide the Home Agent a means to ensure that a
   Mobile Router claiming a certain Mobile Network Prefix is
   authorized to do so.  A solution would also expose the Mobile
   Network Prefixes (and potentially other subnet-relevant
   information) in the exchanged messages, to aid in network
   debugging.

   The following requirements for Mobile Network support are
   enumerated:

   o  A Mobile Router should be able to operate in explicit or implicit
      mode.  A Mobile Router may explicitly inform the Home Agent which
      Mobile Network(s) need to be propagated via routing protocol.  A
      Mobile Router may also function in implicit mode, where the Home
      Agent may learn the mobile networks through other means, such as
      from the AAA server, via pre-configuration or via a dynamic
      routing protocol.

   o  The Mobile Network should be supported using Foreign Agents that
      are compliant to RFC 3344 without any changes ('legacy' Foreign
      Agents).

   o  The mobile network should allow Fixed nodes, Mobile Nodes, or
      Mobile Routers to be on it.

4.  Mobile Network Extensions

4.1.  Mobile Network Request Extension

   For Explicit Mode, the Mobile Router informs the Home Agent about
   the Mobile Network Prefixes during registration.  The Registration
   Request contains zero, one or several Mobile Network Request
   extensions in addition to any other extensions defined by or in the
   context of [RFC3344].  When several Mobile Networks are needed to
   be registered, each is included in a separate Mobile Network
   Request extension, with its own Type, Length, Sub-Type, Prefix
   Length and Prefix fields.  A Mobile Network Request extension is
   encoded in Type-Length-Value (TLV) format and respects the
   following format:











Leung, et al.             Expires April 10, 2008               [Page 3]


Internet-Draft                Mobile Router                October 2007

       0               1               2               3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |   Sub-Type    | Prefix Length |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Prefix                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


      Type:

         Mobile Network Extension (skippable type range to be assigned
         by IANA)

      Length:

         6

      Sub-Type:

         1 (Mobile Network Request)

      Prefix Length:

         8-bit unsigned integer indicating the number of bits covering
         the network part of the address contained in the Prefix field.

      Prefix:

         32-bit unsigned integer in network byte-order containing an
         IPv4 address whose first Prefix Length bits make up the Mobile
         Network Prefix.

4.2.  Mobile Network Acknowledgement Extension

   The Registration Reply contains zero, one or several Mobile Network
   Acknowledgement extensions in addition to any other extensions
   defined by or in the context of [RFC3344] and its update [2].
   For Implicit Mode, the Mobile Network Acknowledgement informs the
   Mobile Router the prefixes for which the Home Agent sets up
   forwarding with respect to this Mobile Router.  Policies such as
   permitting only traffic from these Mobile Networks to be tunneled
   to the Home Agent may be applied by the Mobile Router.  For
   Explicit Mode, when several Mobile Networks are needed to be
   acknowledged explicitly, each is included in a separate Mobile
   Network Acknowledgement extension, with its own Type, Sub-Type,
   Length and Prefix Length fields.  Optionally, all requested Mobile
   Networks could be acknowledged using only one Mobile Network
   Acknowledgement extension with "Prefix Length" and "Prefix" fields
   set to zero.  At least one Mobile Network Acknowledgement extension
   MUST be in a successful Registration Reply to indicate to the
   Mobile Router that the Mobile Network Request extension was
   processed, thereby not skipped by the Home Agent.



Leung, et al.             Expires April 10, 2008               [Page 4]


Internet-Draft                Mobile Router                October 2007

   A Registration Reply may contain any non-zero number of Explicit
   Mode and Implicit Mode Acknowledgements sub-types.  Both sub-types
   can be present in a single Registration Reply.  A Mobile Network
   Acknowledgement extension is encoded in Type-Length-Value (TLV)
   format.  When the registration is denied with code HA_MOBNET_ERROR,
   the Code field in the extension provides the reason for the
   failure.

      0               1               2               3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |    Length     |   Sub-Type    |      Code     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Prefix Length |    Reserved   |            Prefix
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                     |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Type:

         Mobile Network Extension (skippable type range to be assigned
         by IANA)

      Length:

         8

      Sub-Type:

         TBA (Explicit Mode Acknowledgement)

         TBA (Implicit Mode Acknowledgement)

      Code:

         Value indicating success or failure.

            0 Success

            TBA Invalid prefix (MOBNET_INVALID_PREFIX_LEN)

            TBA Mobile Router is not authorized for prefix
               (MOBNET_UNAUTHORIZED)

            TBA Forwarding setup failed (MOBNET_FWDING_SETUP_FAILED)

      Prefix Length:

         8-bit unsigned integer indicating the number of bits covering
         the network part of the address contained in the Prefix field.

      Reserved:

         Sent as zero; ignored on reception.


Leung, et al.             Expires April 10, 2008               [Page 5]


Internet-Draft                Mobile Router                October 2007

      Prefix:

         32-bit unsigned integer in network byte-order containing an
         IPv4 address whose first Prefix Length bits make up the Mobile
         Network Prefix.

5.  Mobile Router Operation

   A Mobile Router's operation is generally derived from the behavior
   of a Mobile Node, as set in [RFC3344] and its update [2].  In
   addition to maintaining mobility bindings for its Home Address, the
   Mobile Router, together with the Home Agent, maintains forwarding
   information for the Mobile Network Prefix(es) assigned to the
   Mobile Router.

   A Mobile Router SHOULD set the 'T' bit to 1 in all Registration
   Request messages it sends to indicate the need for reverse tunnels
   for all traffic.  Without reverse tunnels, all the traffic from the
   mobile network will be subject to ingress filtering in the visited
   networks.  Upon reception of successful registration reply, the
   Mobile Router processes the registration in accordance to RFC 3344.
   In addition, the following steps are taken:

   o  Check for Mobile Network Acknowledgement extension(s) in
      Registration Reply

   o  Create tunnel to the Home Agent if registered in reverse tunneling
      mode

   o  Set up default route via this tunnel or egress interface when
      registered with or without reverse tunneling, respectively

   In accordance with this specification, a Mobile Router may operate in
   one of the following two modes: explicit and implicit.  In explicit
   mode, the Mobile Router includes Mobile Network Prefix information in
   all Registration Requests (as Mobile Network Request extensions),
   while in implicit mode it does not include this information in any
   Registration Request.  In this latter case, the Home Agent obtains
   the Mobile Network Prefixes by other means than Mobile IP.  One
   example of obtention of the Mobile Network Prefix is through static
   configuration on the Home Agent.

   A Mobile Router can obtain a Collocated or Foreign Agent Care-of-
   Address while operating in explicit or implicit modes.

   For de-registration, the Mobile Router sends a registration request
   with lifetime set to zero without any Mobile Network Request
   extensions.

5.1.  Error Processing

   A Mobile Router interprets the values of the Code field in Mobile
   Network Acknowledgement Extension of the Registration Reply in order
   to identify any error related to managing the Mobile Network Prefixes
   by the Home Agent.

Leung, et al.             Expires April 10, 2008               [Page 6]


Internet-Draft                Mobile Router                October 2007

   If the value of the Code field in the Registration Reply is set to
   HA_MOBNET_DISALLOWED, then the Mobile Router MUST stop sending
   Registration Requests with any Mobile Network Prefix extensions to
   that Home Agent.

   If the value of the Code field in the Registration Reply is set to
   HA_MOBNET_ERROR then the Mobile Router MUST stop sending Registration
   Requests that contain any of the Mobile Network Prefixes that are
   defined by the values of the fields Prefix and Prefix Length in the
   Mobile Network Acknowledgement extension.  Note that the registration
   is denied in this case and no forwarding for any Mobile Network
   Prefixes would be set up by the Home Agent for the Mobile Router.

   It is possible that the Mobile Router receives a registration reply
   with no mobile network extensions if the registration was processed
   by a Mobile IPv4 home agent that does not support this specification
   at all.  In that case, the absence of mobile network extensions must
   be interpreted by the Mobile Router as the case where the Home Agent
   does not support mobile networks.

   All the error code values are TBA (To Be Assigned) subject to IANA
   allocation.

6.  Home Agent Operation

6.1.  Summary

   A Home Agent MUST support all the operations specified in [RFC3344]
   and its update [2] for mobile node support.  The Home Agent MUST
   support both implicit and explicit modes of operation for a Mobile
   Router.

   The Home Agent processes the registration in accordance to RFC 3344,
   which includes route set up to the Mobile Router's home address via
   the tunnel to the Care-of Address.  In addition, for a Mobile Router
   registering in explicit mode, the following steps are taken:

   1.  Check that the Mobile Network Prefix information is valid

   2.  Ensure the Mobile Network Prefix(es) is or are authorized to be
       on the Mobile Router

   3.  Create tunnel to the Mobile Router if it does not already exist

   4.  Set up route for the Mobile Network Prefix via this tunnel

   5.  Propagate Mobile Network Prefix routes via routing protocol

   6.  Send the Registration Reply with the Mobile Network
       Acknowledgement extension(s)

   If there are any subnet routes via the tunnel to the Mobile Router
   that are not specified in the Mobile Network extensions, these routes
   are removed.


Leung, et al.             Expires April 10, 2008               [Page 7]


Internet-Draft                Mobile Router                October 2007

   In the case where the Mobile Node is not permitted to act as a Mobile
   Router, the Home Agent sends a registration denied message with error
   code HA_MOBNET_DISALLOWED.

   For a Mobile Router registering in implicit mode, the Home Agent
   performs steps 3-6 above, once the registration request is processed
   successfully.

   For deregistration, the Home Agent removes the tunnel to the Mobile
   Router and all routes using this tunnel.  The Mobile Network
   extensions are ignored.

6.2.  Data Structures

6.2.1.  Registration Table

   The Registration Table in the Home Agent, in accordance with
   [RFC3344] and its update [2], contains binding information for
   every Mobile Node registered with it.  [RFC3344] and its update [2]
   define the format of Registration Table.  In addition to all the
   parameters specified by [RFC3344] and its update [2], the Home
   Agent MUST store the Mobile Network Prefixes associated with the
   Mobile Router in the corresponding registration entry, when the
   corresponding registration was performed in explicit mode.  When
   the Home Agent is advertising reachability to Mobile Network
   Prefixes served by a Mobile Router, this information stored in the
   Registration Table can be used.

6.2.2.  Prefix Table

   The Home Agent must be able to authorize a Mobile Router for use of
   Mobile Network Prefixes when the Mobile Router is operating in
   explicit mode.  Also, when the Mobile Router operates in implicit
   mode, the Home Agent must be able to locate the Mobile Network
   Prefixes associated with that Mobile Router.  The Home Agent may
   store the home address of the Mobile Router along with the mobile
   network prefixes associated with that Mobile Router.  If the Mobile
   Router does not have a home address assigned, this table may store
   the NAI [RFC2794] of the Mobile Router that will be used in dynamic
   home address assignment.

6.3.  Mobile Network Prefix Registration

   The Home Agent must process registration requests coming from
   Mobile Routers in accordance with this section.  The document
   [RFC3344] and its update [2] specify that the home address of a
   mobile node registering with a Home Agent must belong to a prefix
   advertised on the home network.  In accordance with this
   specification, however, the home address must be configured from a
   prefix that is served by the Home Agent, not necessarily the one on
   the home network.

   If the registration request is valid, the Home Agent checks to see
   if there are any Mobile Network Prefix extensions included in the
   Registration Request.

Leung, et al.             Expires April 10, 2008               [Page 8]


Internet-Draft                Mobile Router                October 2007

   If so, the Mobile Network Prefix information is obtained from the
   included extensions, and the Home Address from the Home Address
   field of the UDP header Registration Request.  For every Mobile
   Network Prefix extension included in the registration request, the
   Home Agent MUST perform a check against the Prefix Table.  If the
   Prefix Table does not contain at least one entry pairing that Home
   Address to that Mobile Network Prefix then the check fails,
   otherwise it succeeds.

   Following this check against the Prefix Table, the Home Agent MUST
   construct a Registration Reply containing Mobile Network
   Acknowledgement extensions.  For a Mobile Network Prefix for which
   the check was unsuccessfull the Code field in the corresponding
   Mobile Network Acknowledgement extension should be set to
   MOBNET_UNAUTHORIZED.

   For a Mobile Network Prefix for which the check was successfull the
   Code field in the respective Mobile Network Acknowledgement
   extensions should be set to 0.

   The Home Agent MUST attempt to set up forwarding for each Mobile
   Network Prefix extension for which the Prefix Table check was
   successfull.  If the forwarding setup fails for a particular Mobile
   Network Prefix (for reasons like not enough memory available, or
   not enough devices available, or other similar) the Code field in
   the respective Mobile Network Acknowledgement extension should be
   set to MOBNET_FWDING_SETUP_FAILED.

   If forwarding and setup was successful for at least one Mobile
   Network Prefix then the Code field of the Registration Reply
   message should be set to 0.  Otherwise that Code should be
   HA_MOBNET_ERROR.

   If the registration request is sent in implicit mode, i.e., without
   any Mobile Network Request extension, the Home Agent may use pre-
   configured mobile network prefix information for the Mobile Router to
   set up forwarding.

   If the Home Agent is updating an existing binding entry for the
   Mobile Router, it MUST check all the prefixes in the registration
   table against the prefixes included in the registration request.
   If one or more mobile network prefix is missing from the included
   information in the registration request, it MUST delete those
   prefixes from the registration table.  Also, the Home Agent MUST
   disable forwarding for those prefixes.

   If all checks are successful, the Home Agent either creates a new
   entry for the Mobile Router or updates an existing binding entry
   for it and returns a successful registration reply back to the
   Mobile Router or the Foreign Agent (if the registration request was
   received from a Foreign Agent).

   In accordance with [RFC3344], the Home Agent does proxy ARP for the
   Mobile Router home address, when the Mobile Router home address is
   derived from the home network.

Leung, et al.             Expires April 10, 2008               [Page 9]


Internet-Draft                Mobile Router                October 2007

   If the 'T' bit is set, the Home Agent creates a bi-directional
   tunnel for the corresponding mobile network prefixes or updates the
   existing bi-directional tunnel.  This tunnel is maintained
   independent of the reverse tunnel for the Mobile Router home
   address itself.

6.4.  Advertising Mobile Network Reachability

   If the mobile network prefixes served by the Home Agent are
   aggregated with the home network prefix and if the Home Agent is
   the default router on the home network, the Home Agent does not
   have to advertise the Mobile Network Prefixes.  The routes for the
   Mobile Network Prefix are automatically aggregated into the home
   network prefix (it is assumed that the Mobile Network Prefixes are
   automatically aggregated into the home network prefix).  If the
   Mobile Router updates the mobile network prefix routes via a
   dynamic routing protocol, the Home Agent SHOULD propagate the
   routes on the appropriate networks.

6.5.  Establishment of Bi-directional Tunnel

   The Home Agent creates and maintains a bi-directional tunnel for the
   mobile network prefixes of a Mobile Router registered with it.  A
   home agent supporting IPv4 Mobile Router operation MUST be able to
   forward packets destined to the mobile network prefixes served by the
   mobile router to its care-of-address.  Also, the Home Agent MUST be
   able to accept packets tunneled by the Mobile Router with the source
   address of the outer header is set to the care-of-address of the
   mobile router and that of the inner header is set to the Mobile
   Router's home address or an address from one of the registered mobile
   network prefixes.

6.6.  Sending Registration Replies

   The Home Agents MUST set the status code in the registration reply to
   0 to indicate successful processing of the registration request and
   successful set up of forwarding for all the mobile network prefixes
   served by the Mobile Router.  The registration reply MUST contain at
   least one Mobile Network Acknowledgement extension.

   If the Home Agent is unable to set up forwarding for one of more
   mobile network prefixes served by the Mobile Router, it MUST set the
   Mobile Network Acknowledgement Extension status code in the
   registration reply to MOBNET_FWDING_SETUP_FAILED.  When the prefix
   length is zero or greater than 32, the status code MUST be set to
   MOBNET_INVALID_PREFIX_LEN.

   If the Mobile Router is not authorized to forward packets to one or
   mobile network prefixes included in the request, the Home Agent MUST
   set the code to MOBNET_UNAUTHORIZED_MR.






Leung, et al.             Expires April 10, 2008              [Page 10]


Internet-Draft                Mobile Router                October 2007

6.7.  Mobile Network Prefix De-registration

   If the received registration request is for de-registration of the
   care-of-address, the Home Agent, upon successful processing of it,
   MUST delete the entry(ies) from its registration table.  The home
   agent tears down the bi-directional tunnel and stops forwarding any
   packets to/from the Mobile Router.  The Home Agent MUST ignore any
   included Mobile Network Request extension in a de-registration
   request.

7.  Data Forwarding Operation

   For traffic to the nodes in the Mobile Network, the Home Agent MUST
   perform double tunneling of the packet, if the Mobile Router had
   registered with a Foreign Agent care-of-address.  In this case, the
   Home Agent MUST encapsulate the packet with tunnel header (source IP
   address set to Home Agent and destination IP address set to Mobile
   Router's home address) and then encapsulate one more time with tunnel
   header (source IP address set to Home Agent and destination IP
   address set to CoA).

   For optimization, the Home Agent SHOULD only encapsulate the packet
   with the tunnel header (source IP address set to Home Agent and
   destination IP address set to CoA) for Collocated CoA mode.

   When a Home Agent receives a packet from the mobile network prefix in
   the bi-directional tunnel, it MUST de-encapsulate the packet and
   route it as a normal IP packet.  It MUST verify that the incoming
   packet has the source IP address set to the care-of-address of the
   Mobile Router.  The packet MUST be dropped if the source address is
   not set to the care-of-address of the Mobile Router.

   For traffic from the nodes in the Mobile Network, the Mobile Router
   encapsulates the packet with tunnel header (source IP address set to
   Mobile Router's home address and destination IP address set to Home
   Agent) if reverse tunnel is enabled.  Otherwise, the packet is routed
   directly to the Foreign Agent or access router.

   In Collocated CoA mode, the Mobile Router MAY encapsulate one more
   times with tunnel header (source IP address set to the CoA and
   destination IP address set to Home Agent).

8.  Nested Mobile Networks

   Nested Network Mobility is a scenario where a Mobile Router allows
   another Mobile Router to attach to its Mobile Network.  There could
   be arbitrary levels of nested mobility.  The operation of each Mobile
   Router remains the same whether the Mobile Router attaches to another
   Mobile Router or to a fixed Access Router on the Internet.  The
   solution described here does not place any restriction on the number
   of levels for nested mobility.  But note that this might introduce
   significant overhead on the data packets as each level of nesting
   introduces another tunnel header encapsulation.



Leung, et al.             Expires April 10, 2008              [Page 11]


Internet-Draft                Mobile Router                October 2007

9.  Routing Protocol between Mobile Router and Home Agent

   There are several benefits of running a dynamic routing protocol
   between the Mobile Router and the Home Agent.  If the mobile
   network is relatively large, including several wireless subnets,
   then the topology changes within the moving network can be exposed
   from the Mobile Router to the Home Agent by using a dynamic routing
   protocol.  The purpose of the NEMOv4 protocol extensions to Mobile
   IPv4, as defined in previous sections, is not to inform the Home
   Agent about these topology changes, but to manage the mobility of
   the Mobile Router.

   Similarly, topology changes in the home network can be exposed to
   the Mobile Router by using a dynamic routing protocol.  This may be
   necessary when new fixed networks are added in the home network.
   Here too, the purpose of NEMOv4 extensions is not to inform the
   Mobile Router about topology changes at home.

   Examples of dynamic routing protocol include but are not limited to
   OSPF Version 2 [RFC2328], BGP [RFC4271] and RIP [RFC2453].

   The recommendations are related to how the routing protocol and the
   Mobile IPv4 implementation work in tandem on the Mobile Router and
   on the Home Agent (1) without creating incoherent states in the
   forwarding information bases at home and on the Mobile Router (2)
   without introducing topologically incorrect addressing information
   in the visited domain and (3) efficiently avoid duplication of sent
   data or over-provisioning of security.

   The information exchanged between the Mobile Router and the Home
   Agent is sent over the bi-directional tunnel established by the
   Mobile IPv4 exchange Registration Request - Registration Reply (see
   section 6.5).  If a network address and prefix about a subnet in
   the moving network is sent by the Mobile Router within a routing
   protocol message then they SHOULD NOT be sent in the Mobile IPv4
   Registration Request too, in order to avoid incoherencies in the
   forwarding information bases.  The Mobile Router SHOULD use NEMOv4
   implicit mode in this case (see section 3).

   The Mobile Router SHOULD NOT send routing protocol information
   updates in the foreign network.  The subnet addresses and prefixes
   valid in the moving network are topologically incorrect in the
   visited network.

   If the Mobile Router and the Home Agent use a dynamic routing
   protocol over the tunnel interface, and if that protocol offers
   security mechanisms to protect that protocol's messages, then the
   security recommendations in section 10.1 apply.








Leung, et al.             Expires April 10, 2008              [Page 12]


Internet-Draft                Mobile Router                October 2007

10. Security Considerations

   The Mobile Network extension is protected by the same rules for
   Mobile IP extensions in registration messages.  See the Security
   Considerations section in RFC 3344.

   The Home Agent MUST be able to verify that the Mobile Router is
   authorized to provide mobility service for the Mobile Networks in
   the registration request, before anchoring these Mobile Network
   Prefixes on behalf of the Mobile Router.  Forwarding for prefixes
   MUST NOT be set up without successful authorization of the Mobile
   Router for those prefixes.  A registration failure MUST be notified
   to the mobile router when it cannot be successfully authorized for
   prefixes requested by it.

   All registration requests and replies MUST be authenticated by the
   MN-HA Authentication Extension as specified in [RFC3344] and its
   update [2].  When the registration request is sent in explicit
   mode, i.e., with one or more Mobile Network Prefix extensions, all
   the Mobile Network Prefix extensions MUST be included before the
   MN-HA Authentication extension.  Also, these extensions MUST be
   included in the calculation of the MN-HA authenticator value.

   The Mobile Router should perform ingress filtering on all the packets
   received on the mobile network prior to reverse tunneling them to the
   Home Agent.  The Mobile Router MUST drop any packets that do not have
   a source address belonging to the mobile network.

   The Mobile Router MUST also ensure that the source address of
   packets arriving on the mobile network is not the same as the
   Mobile Router's IP address on any interface.  These checks will
   protect against nodes attempting to launch IP spoofing attacks
   through the bi-directional tunnel.

   The Home Agent, upon receiving packets through the bi-directional
   tunnel, MUST verify that the source addresses of the outer IP header
   of the packets are set to the Mobile Router's care-of-address.  Also,
   it MUST ensure that the source address of the inner IP header is a
   topologically correct address on the mobile network.  This will
   prevent nodes from using the Home Agent to launch attacks inside the
   protected network.

10.1 Security when Dynamic Routing Protocol is Used

   If a dynamic routing protocol is used between the Mobile Router and
   the Home Agent to propagate the mobile network information into the
   home network, the routing updates SHOULD be protected with IPsec ESP
   confidentiality between the Mobile Router and Home Agent, to prevent
   information about home network topology from being visible to
   eavesdroppers.

   A routing protocol message protected with ESP, and sent through the
   Mobile Router - Home Agent bidirectional tunnel, SHOULD NOT contain
   the Mobile IPv4 Mobile-Home Authentication Extension, since ESP
   provides enough security.

Leung, et al.             Expires April 10, 2008              [Page 13]


Internet-Draft                Mobile Router                October 2007

11.  IANA Considerations

   IANA to modify rules for the existing registry "Mobile IPv4 numbers -
   per RFC 3344".  The numbering space for Extensions that may appear in
   Mobile IP control messages (those sent to and from UDP port number
   434) should be modified.

   The new Values and Names for the Type for Extensions appearing in
   Mobile IP control messages are the following:


               Value  Name
                -----  ------------------------------------------
                  TBA  Mobile Network Extension (To Be Assigned by IANA)

   The new Values and Names for the Sub-Type for Mobile Network
   Extension are the following:


               Value  Name
                -----  ------------------------------------------
                  TBA  Mobile Network Request Extension
                  TBA  Explicit Mode Acknowledgement Extension
                  TBA  Implicit Mode Acknowledgement Extension

   The new Code values for Mobile IP Registration Reply messages are
   the following:


      Code Values for Mobile IP Registration Reply messages
      -----------------------------------------------------

      Registration denied by the Home Agent: (To Be Assigned by IANA)

         TBA     Mobile Network Prefix operation error (HA_MOBNET_ERROR)
         TBA     Mobile Router operation is not permitted
                 (HA_MOBNET_DISALLOWED)



   The new Code Values for Mobile IP Registration Reply messages are the
   following:

      Code Values for Mobile Network Acknowledgement Extension
      --------------------------------------------------------

      Registration denied by the Home Agent:

         TBA     Invalid prefix length (MOBNET_INVALID_PREFIX_LEN)
         TBA     Mobile Router is not authorized for prefix
                 (MOBNET_UNAUTHORIZED)
         TBA     Forwarding setup failed (MOBNET_FWDING_SETUP_FAILED)




Leung, et al.             Expires April 10, 2008              [Page 14]


Internet-Draft                Mobile Router                October 2007

   The current non-modified numbering spaces could be consulted at the
   following URL: http://www.iana.org/assignments/mobileip-numbers
   (contents last updated 2007-07-02 and last browsed 2007-10-04,
   October).

12.  Acknowledgements

   The authors would like to thank Christophe Janneteau, George
   Popovich, Ty Bekiares, Ganesh Srinivasan, Alpesh Patel, Ryuji
   Wakikawa, George Tsirtsis, and Henrik Levkowetz for their helpful
   discussions, reviews and comments.  Vijay Devarapalli extensively
   reviewed one of the later versions of the draft.

13.  References

13.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2794]  Calhoun, P. and C. Perkins, "Mobile IP Network Access
              Identifier Extension for IPv4", RFC 2794, March 2000.

   [RFC2453]  Malkin, G., "RIP Version 2", RFC 2453, STD 56, November
              1998.

   [RFC2328]  Moy, J., "OSPF Version 2", RFC 2328, STD 54, April
              1998.

   [RFC3344]  Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
              August 2002.

   [RFC4271]  Rekhter, Y, Ed., Li, T. and S. Hares, "A Border Gateway
              Protocol (BGP-4)", RFC 4271, January 2006.

13.2.  Informative References

   [RFC3963]  Devarapalli, V., Wakikawa, R., Petrescu, A., and P.
              Thubert, "Network Mobility (NEMO) Basic Support Protocol",
              RFC 3963, January 2005.

   [1]        Tsirtsis, G., Park, V., Narayanan, V., and K. Leung, "FA
              extensions to NEMOv4 Base",
              draft-ietf-mip4-nemov4-fa-01.txt, IETF Internet-Draft,
              Work in Progress, March 19, 2007.

   [2]        Perkins, C., Ed., "IP Mobility Support for IPv4,
              revised",  draft-ietf-mip4-rfc3344bis-05.txt, IETF
              Internet-Draft, Work in Progress, July 9, 2007.







Leung, et al.             Expires April 10, 2008              [Page 15]


Internet-Draft                Mobile Router                October 2007

14.  Changelog

   The changes are listed in reverse chronological order, most recent
   changes appearing at the top of the list:

   From draft-ietf-mip4-nemo-v4-base-03.txt to
        draft-ietf-mip4-nemo-v4-base-04.txt
      -more changes in Introduction to say that with FA mode only the
       non-optimized double-encapsulation operation is supported and
       [1] proposes optimization.

   From draft-ietf-mip4-nemo-v4-base-02.txt to
        draft-ietf-mip4-nemo-v4-base-03.txt
      -changed a sentence in the introduction to say that FA mode _is_
       supported but unoptimized, and that a reference [1] optimizes
       that mode.
      -added reference [2] to the rfc3344bis draft.

   From draft-ietf-mip4-nemo-v4-base-01.txt to
        draft-ietf-mip4-nemo-v4-base-02.txt
      -changed title from "IPv4 Network Mobility (NEMO) Protocol" to
       "Network Mobility (NEMO) Extensions for Mobile IPv4"

   From draft-ietf-mip4-nemo-v4-base-00.txt to
        draft-ietf-mip4-nemo-v4-base-01.txt
      -added a section on Routing Protocol between Mobile Router and
       Home Agent.
      -added a security subsection about running simultaneously a
       secure routing protocol with secure Mobile IPv4.
      -added a date tag on the IANA URL for Mobile IP numbering
       spaces.
      -substituted 'Mobile Router' for 'MR' everywhere.
      -updated reference to NEMOv4 FA draft.

   From draft-ietf-nemo-v4-base-01.txt to
        draft-ietf-mip4-nemo-v4-base-00.txt:
      -changed draft name, headers and footers.
      -changed title.
      -a more coherent use of terms 'subnet', 'prefix' and 'mobile
       network'.
      -clarified only co-located CoA mode is supported (not FA CoA).
       for Mobile Routers in this specification.  And added reference
       to the FA NEMO optimizations draft.
      -changed 'devices' to 'hosts'.
      -changed 'moving networks' to 'mobile networks'.
      -clarified what 'reachability' in a certain context is: packets
       may be dropped if ingress filtering is turned on.
      -removed the MR-FA-CoA tunnel overhead optimization.  There is
       still an issue with text at HA doing optimization.

   This document was first presented as an individual contribution to
   the NEMO Working Group, then adopted as a WG item to that group.
   The 01 version in the NEMO WG has been Last Called on the
   INFORMATIONAL track.  The evolution was:


Leung, et al.             Expires April 10, 2008              [Page 16]


Internet-Draft                Mobile Router                October 2007

   From version draft-ietf-nemo-v4-base-00 to
                draft-ietf-nemo-v4-base-01:
      -removed error code HA_MOBNET_UNSUPPORTED.
      -changed all values to be assigned by IANA, from specific
       numbers to "TBA" (To Be Assigned).
      -substituted "egress interface" for "roaming interface".
      -changed HA behaviour upon reception of MNPs.  In 00 the HA
       replied positively only if all MNPs in RegReq were valid, in 01
       a reply is constructed specifying which MNP was valid and which
       not.
      -clarified a 3-line paragraph saying that RegRep may contain
       both implicit and explicit acknowledgements.

Authors' Addresses

   Kent Leung
   Cisco Systems
   170 W. Tasman Drive
   San Jose, CA  95134
   US

   Phone: +1 408-526-5030
   Email: kleung@cisco.com


   Gopal Dommety
   Cisco Systems
   170 W. Tasman Drive
   San Jose, CA  95134
   US

   Phone: +1 408-525-1404
   Email: gdommety@cisco.com


   Vidya Narayanan
   QUALCOMM, Inc.
   5775 Morehouse Dr
   San Diego, CA
   USA

   Phone: +1 858-845-2483
   Email: vidyan@qualcomm.com


   Alexandru Petrescu
   Motorola
   Parc les Algorithmes Saint Aubin
   Gif-sur-Yvette  91193
   France

   Email: Alexandru.Petrescu@motorola.com




Leung, et al.             Expires April 10, 2008              [Page 17]


Internet-Draft                Mobile Router                October 2007

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE IETF TRUST AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The IETF Trust (2007).  This document is subject to
   the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.










Leung, et al.             Expires April 10, 2008              [Page 18]