Network Working Group                                           J. Arkko
Internet-Draft                              Ericsson Research NomadicLab
Expires: June 15, 2007                                           C. Vogt
                                             Universitaet Karlsruhe (TH)
                                                               W. Haddad
                                                       Ericsson Research
                                                       December 12, 2006


              Enhanced Route Optimization for Mobile IPv6
                   draft-ietf-mipshop-cga-cba-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 15, 2007.

Copyright Notice

   Copyright (C) The IETF Trust (2006).

Abstract

   This document specifies an enhanced version of Mobile IPv6 route
   optimization, providing lower handoff delays, increased security, and
   reduced signaling overhead.





Arkko, et al.             Expires June 15, 2007                 [Page 1]


Internet-Draft         Enhanced Route Optimization         December 2006


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Objectives . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     2.1.  Handoff Latency  . . . . . . . . . . . . . . . . . . . . .  6
     2.2.  Security . . . . . . . . . . . . . . . . . . . . . . . . .  6
     2.3.  Signaling Overhead . . . . . . . . . . . . . . . . . . . .  8
   3.  Protocol Design  . . . . . . . . . . . . . . . . . . . . . . .  8
     3.1.  Cryptographically Generated Home Addresses . . . . . . . .  9
     3.2.  Non-Cryptographic Care-of Addresses  . . . . . . . . . . .  9
     3.3.  Semi-Permanent Security Associations . . . . . . . . . . .  9
     3.4.  Initial Home Address Tests . . . . . . . . . . . . . . . . 10
     3.5.  Concurrent Care-of Address Tests . . . . . . . . . . . . . 10
     3.6.  Credit-Based Authorization . . . . . . . . . . . . . . . . 10
     3.7.  Parallel home and correspondent registrations  . . . . . . 11
   4.  Protocol Operation . . . . . . . . . . . . . . . . . . . . . . 12
     4.1.  Sending Binding Update Messages  . . . . . . . . . . . . . 12
     4.2.  Receiving Binding Update Messages  . . . . . . . . . . . . 20
     4.3.  Sending Binding Acknowledgment Messages  . . . . . . . . . 24
     4.4.  Receiving Binding Acknowledgment Messages  . . . . . . . . 25
     4.5.  Sending CGA Parameters . . . . . . . . . . . . . . . . . . 27
     4.6.  Receiving CGA Parameters . . . . . . . . . . . . . . . . . 28
     4.7.  Sending Permanent Home Keygen Tokens . . . . . . . . . . . 29
     4.8.  Receiving Permanent Home Keygen Tokens . . . . . . . . . . 30
     4.9.  Renewing Permanent Home Keygen Tokens  . . . . . . . . . . 30
     4.10. Handling Payload Packets . . . . . . . . . . . . . . . . . 30
     4.11. Credit Aging . . . . . . . . . . . . . . . . . . . . . . . 33
     4.12. Simultaneous Movements . . . . . . . . . . . . . . . . . . 34
   5.  Option Formats and Status Codes  . . . . . . . . . . . . . . . 34
     5.1.  CGA Parameters Option  . . . . . . . . . . . . . . . . . . 34
     5.2.  Signature Option . . . . . . . . . . . . . . . . . . . . . 35
     5.3.  Permanent Home Keygen Token Option . . . . . . . . . . . . 36
     5.4.  Care-of Test Init Option . . . . . . . . . . . . . . . . . 37
     5.5.  Care-of Test Option  . . . . . . . . . . . . . . . . . . . 37
     5.6.  CGA Parameters Request Option  . . . . . . . . . . . . . . 38
     5.7.  Status Codes . . . . . . . . . . . . . . . . . . . . . . . 39
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 40
     6.1.  Home Address Ownership . . . . . . . . . . . . . . . . . . 41
     6.2.  Care-of Address Ownership  . . . . . . . . . . . . . . . . 44
     6.3.  Credit-Based Authorization . . . . . . . . . . . . . . . . 45
     6.4.  Time Shifting Attacks  . . . . . . . . . . . . . . . . . . 48
     6.5.  Replay Attacks . . . . . . . . . . . . . . . . . . . . . . 49
     6.6.  Resource Exhaustion  . . . . . . . . . . . . . . . . . . . 49
     6.7.  IP Address Ownership of Correspondent Node . . . . . . . . 50
   7.  Protocol Constants and Configuration Variables . . . . . . . . 51
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 52
   9.  Acknowledgment . . . . . . . . . . . . . . . . . . . . . . . . 52
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 54



Arkko, et al.             Expires June 15, 2007                 [Page 2]


Internet-Draft         Enhanced Route Optimization         December 2006


     10.1. Normative References . . . . . . . . . . . . . . . . . . . 54
     10.2. Informative References . . . . . . . . . . . . . . . . . . 54
   Appendix A.  Change Log  . . . . . . . . . . . . . . . . . . . . . 55
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 59
   Intellectual Property and Copyright Statements . . . . . . . . . . 60














































Arkko, et al.             Expires June 15, 2007                 [Page 3]


Internet-Draft         Enhanced Route Optimization         December 2006


1.  Introduction

   Mobile IPv6 route optimization [1] enables mobile and correspondent
   nodes to communicate via a direct routing path despite changes in IP
   connectivity on the mobile node side.  Both end nodes use a stable
   "home address" in identifying the mobile node at stack layers above
   IP, while payload packets are sent or received via a "care-of
   address" that routes to the mobile node's current network attachment.
   Mobile IPv6 swaps the home and care-of addresses when a payload
   packet traverses the IP layer.  The association between a mobile
   node's home address and care-of address is called a "binding" for the
   mobile node.  It is the responsibility of the mobile node to update
   its binding at the correspondent node through a "correspondent
   registration" when it changes IP connectivity.  A correspondent
   registration further involves the mobile node's home agent, which
   proxies the mobile node at the home address and mainly serves as a
   relay for payload packets exchanged with correspondent nodes that do
   not support route optimization.  The mobile node keeps the home agent
   up to date about its current care-of address by means of "home
   registrations".

   From a security perspective, the establishment of a binding during a
   correspondent registration requires the correspondent node to verify
   the mobile node's ownership of both the home address and the care-of
   address.  Unprecedented impersonation and flooding threats [4] would
   arise if correspondent nodes took liberties with respect to these
   obligations.  A correspondent registration hence incorporates a "home
   address test" and a "care-of address test", collectively called the
   "return routability procedure".  These tests allow the correspondent
   node to probe the mobile node's reachability at the home and care-of
   addresses in an ad-hoc, non-cryptographic manner.  Successful
   reachability verification at both IP addresses indicates (though it
   does not guarantee) the mobile node's ownership of the IP addresses,
   and hence that a binding between the home address and the care-of
   address is legitimate.

   The advantage of the return routability procedure is that it is
   lightweight and does not depend on a public-key infrastructure or on
   a preexisting relationship between the mobile node and the
   correspondent node.  This facilitates a broad deployment.  On the
   other hand, the procedure has an adverse impact on handoff delays
   since both the home address test and the care-of address test consist
   of an end-to-end message exchange between the mobile node and the
   correspondent node.  The latency of the home address test may be
   particularly high because it routes through the home agent.  The
   return routability procedure is also vulnerable to attackers that are
   in a position where they can interpose in the home or care-of address
   test.  The value of interposing is limited in that the return



Arkko, et al.             Expires June 15, 2007                 [Page 4]


Internet-Draft         Enhanced Route Optimization         December 2006


   routability procedure must be repeated in intervals of at most 7
   minutes, even in the absence of changes in IP connectivity on the
   mobile node side.  But this comes at the cost of an increased
   signaling overhead.  Much effort has therefore gone into improvements
   for Mobile IPv6 route optimization [5] that mitigate these
   disadvantages.

   This document specifies Enhanced Route Optimization, an amendment to
   route optimization in base Mobile IPv6.  Enhanced Route Optimization
   secures a mobile node's home address against impersonation through an
   interface identifier that is cryptographically and verifiably bound
   [6] to the public component of the mobile node's public/private-key
   pair.  The mobile node proves ownership of the home address by
   providing evidence that it knows the corresponding private key.  An
   initial home address test validates the home address prefix;
   subsequent home address tests are unnecessary.  Enhanced Route
   Optimization further allows mobile and correspondent nodes to resume
   bidirectional communications in parallel with pursuing a care-of
   address test.  The latency of the home and care-of address tests are
   therefore eliminated in most cases.  The use of cryptographically
   generated home addresses also mitigates the threat of impersonators
   that can interpose on the home address test and thereby facilitate
   longer binding lifetimes.  This leads to increased security and a
   reduction in signaling overhead.  Cryptographically generated home
   addresses and concurrent care-of address test are preferably applied
   together, but a mobile node may choose to use only one of these
   enhancements.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [2].




2.  Objectives

   The design of route optimization in base Mobile IPv6 is in many ways
   conservative, leaving room to optimize handoff delay, security, and
   signaling overhead.  Enhanced Route Optimization tackles these issues
   and thus constitutes a more progressive variant of Mobile IPv6.

   Despite any Mobile IPv6 optimizations, it is important to take into
   account that mobility-related activities elsewhere in the protocol
   stack may have their own impact.  For example, attachment procedures,
   access control, and authentication at the link layer contribute their
   own handoff delays.  So do IP layer tasks such as router discovery,
   neighbor discovery, movement detection, and IP address configuration.



Arkko, et al.             Expires June 15, 2007                 [Page 5]


Internet-Draft         Enhanced Route Optimization         December 2006


   The handoff delays and signaling overhead of Mobile IPv6 are
   typically small compared to the total delay and overhead.  The
   improvements of Enhanced Route Optimization hence ought to be seen in
   view of the entire protocol stack.


2.1.  Handoff Latency

   The typical handoff delay in base Mobile IPv6 route optimization is
   one round-trip time between the mobile node and the home agent for
   the home registration, one round-trip time between the mobile node
   and the home agent plus one round-trip time between the home agent
   and the correspondent node for the return routability procedure, and
   one one-way time from the mobile node to the correspondent node for
   the propagation of the Binding Update message.  (The assumption here
   is that the latency of the return routability procedure is dominated
   by the home address test.)  The first payload packet sent to the new
   care-of address requires one additional one-way time to propagate
   from the correspondent node to the mobile node.  The mobile node can
   resume transmissions right after it has dispatched the Binding Update
   message.  But if it requests a Binding Acknowledgment message from
   the correspondent node, communications are usually delayed until this
   is received.

   Handoff delays in base Mobile IPv6 route optimization are additive to
   other delays at IP layer or link layer.  They can cause perceptible
   quality degradations for interactive and real-time applications.  TCP
   bulk-data transfers are likewise affected since long handoff
   latencies may lead to successive retransmission timeouts and degraded
   throughput [7].  An objective of Enhanced Route Optimization is hence
   a reduction of the handoff latency.


2.2.  Security

   The return routability procedure was designed with the objective to
   provide a level of security which compares to that of today's non-
   mobile Internet [4].  As such, it protects against impersonation,
   denial-of-service, and flooding threats which do not exist in the
   non-mobile Internet, but which the introduction of mobility would
   introduce in the absence of appropriate countermeasures.  In
   particular, the return routability procedure satisfies the following
   requirements:

   o  An attacker off the path from a correspondent node to a victim
      should not be able to trick a correspondent node into redirecting
      packets, which should normally be delivered to a victim, to itself
      or to a third IP address.  The attacker could otherwise



Arkko, et al.             Expires June 15, 2007                 [Page 6]


Internet-Draft         Enhanced Route Optimization         December 2006


      impersonate the victim to the correspondent node or cause denial
      of service against the victim.  The attacker may launch these
      attacks from an arbitrary position, which would not necessarily
      have to be on the path between the victim and the correspondent
      node.

   o  An attacker off the path from a correspondent node to a victim
      should not be able to trick the correspondent node into
      redirecting packets, which should normally be delivered to the
      attacker itself, to the victim.  The attacker could otherwise
      flood the victim with unrequested packets.  Such "redirection-
      based flooding" may be appealing to the attacker because the
      burden of generating the flooding packets and sending them to the
      victim would be on correspondent node rather than on the attacker.
      The attacker could spoof multiple correspondent nodes into
      flooding the same victim.  This would enable the attacker to
      impact the victim much stronger than with a direct flooding
      attack, where the attacker itself would generate and send the
      flooding packets.  Comparable amplification is today only possible
      through an army of compromised nodes [8].

      One way to cause redirection-based flooding is this: The attacker
      could accomplish the initial TCP handshake for a voluminous file
      download through its own IP address, and subsequently bind the
      victim's IP address (as a care-of address) to the attacker's own
      IP address (or home address).  The correspondent node thereby
      redirects the download to the victim.  The attacker could spoof
      acknowledgments on behalf of the victim based on the sequence
      numbers it learned during the initial handshake in order to
      maintain or accelerate the download.  The acknowledgments would be
      smaller and typically less than the full-sized segments that the
      correspondent node generates, hence facilitating the
      amplification.

   o  Attackers should not be able to cause denial of service against
      mobile and correspondent nodes through exploiting expensive
      computations involved in the mobility protocol.

   The return routability procedure precludes impersonation, denial of
   service, and redirection-based flooding by attackers that are not on
   the path from a correspondent node to a victim, and it is
   sufficiently lightweight not to expose expensive operations.  But the
   return routability procedure fails to protect against attackers that
   are located on the path from the correspondent node to the victim.
   Applications that require a higher security level are generally
   advised to use end-to-end protection such as IPsec or TLS.  But even
   then are they vulnerable to denial of service or flooding.
   Furthermore, end-to-end security mechanisms generally require mobile



Arkko, et al.             Expires June 15, 2007                 [Page 7]


Internet-Draft         Enhanced Route Optimization         December 2006


   and correspondent nodes to be preconfigured with authentication
   credentials, or they depend on a public-key infrastructure.  Both
   would hinder a wide deployment of Mobile IPv6 route optimization if
   it was a prerequisite for the protocol.  An objective of Enhanced
   Route Optimization is hence to securely authenticate mobile nodes
   without preconfigured credentials or a public-key infrastructure,
   even in the presence of attackers on the path from the correspondent
   node to the victim.


2.3.  Signaling Overhead

   A complete correspondent registration involves 6 message
   transmissions at the mobile node, totaling about 376 bytes [9].  This
   signaling overhead may be acceptable if movements are infrequent.
   For example, a mobile node that moves once every 30 minutes generates
   an average of 1.7 bits/s of signaling traffic.  Higher mobility
   causes more substantial overhead, however.  A cell size of 100 meters
   and a speed of 120 km/h yields a change in IP connectivity every 3 s
   and about 1,000 bits/s of signaling traffic.  This is significant
   compared to a highly compressed voice stream with a typical data rate
   of 10,000 to 30,000 bits/s.

   Furthermore, base Mobile IPv6 requires mobile nodes to renew a
   correspondent registration at least every 7 minutes.  The signaling
   overhead amounts to 7.16 bits/s if the mobile node communicates with
   a stationary node [9].  It doubles if both peers are mobile.  This
   overhead may be negligible when the nodes communicate, but it can be
   an issue for mobile nodes that are inactive and stay at the same
   location for a while.  These nodes typically prefer to go to standby
   mode to conserve battery power.  Also, the periodic refreshments
   consume a fraction of the wireless bandwidth that one could use more
   efficiently.  These observations lead to the objective of Enhanced
   Route Optimization to reduce the signaling overhead of a base Mobile
   IPv6 correspondent registrations as much as possible, in particular
   when the mobile node does not move for a while.




3.  Protocol Design

   Enhanced Route Optimization consists of a set of optimizations which
   collectively afford the achievement of the objectives discussed in
   Section 2.  These optimizations are summarized in the following.






Arkko, et al.             Expires June 15, 2007                 [Page 8]


Internet-Draft         Enhanced Route Optimization         December 2006


3.1.  Cryptographically Generated Home Addresses

   A Mobile IPv6 binding is conceptually a packet redirection from a
   home address to a care-of address.  The home address is the source of
   the redirection and the care-of address is the destination.  The
   packets to be redirected can hence be identified based on the home
   address.  This motivates a cryptographic ownership proof for the home
   address.  Enhanced Route Optimization applies cryptographically
   generated home addresses for this purpose [10][11].  In general, a
   CGA provides a strong binding between its interface identifier and
   the CGA owner's public key.  This enables other nodes to securely
   authenticate the CGA owner as such, modulo the correctness of the
   CGA's subnet prefix.  Cryptographically generated home addresses can
   supersede home address tests with the exception of an initial test
   for validating the home address prefix.  This facilitates lower
   handoff delays and longer binding lifetimes, as well as reduced
   signaling overhead for mobile nodes which temporarily do not move.
   Enhanced Route Optimization also optionally enables the correspondent
   node to prove ownership of its IP address.


3.2.  Non-Cryptographic Care-of Addresses

   In contrast to a home address, a care-of address does not have
   identifying functionality.  There is hence little benefit in a
   cryptographic ownership proof of a care-of address.  Given that the
   care-of address is the destination of a packet redirection, it is
   rather the mobile node's reachability at the care-of address which
   matters.  Enhanced Route Optimization uses care-of address tests for
   this purpose, but allows correspondent nodes to send packets to a new
   care-of address already before the mobile node is found to be
   reachable there.


3.3.  Semi-Permanent Security Associations

   CGA-based authentication involves public-key cryptography and is
   hence computationally much less efficient than authentication through
   a shared secret key.  The technique further requires a substantial
   amount of supplementary CGA parameters to be piggybacked onto
   protected messages.  Enhanced Route Optimization mitigates these
   disadvantages in that it utilizes an initial CGA-based authentication
   to securely exchange a secret permanent home keygen token between a
   mobile node and a correspondent node.  The permanent home keygen
   token is used to authenticate the mobile node more efficiently in
   subsequent correspondent registrations.  Mobile and correspondent
   nodes renew the permanent home keygen token on an infrequent basis.
   The token is therefore neither constant nor short-lived, which is why



Arkko, et al.             Expires June 15, 2007                 [Page 9]


Internet-Draft         Enhanced Route Optimization         December 2006


   the security association between the mobile node and the
   correspondent node is called "semi-permanent".


3.4.  Initial Home Address Tests

   An initial home address test is necessary despite a cryptographic
   proof of home address ownership to protect against spoofed subnet
   prefixes in home addresses.  In the complete absence of home address
   tests, a malicious node could cryptographically generate a home
   address with the subnet prefix of a victim network, and request a
   correspondent node to register a binding between this spoofed home
   address and the attacker's own care-of address.  The attacker then
   tricks the correspondent node into sending a stream of packets to the
   care-of address and subsequently deregisters the binding or lets it
   expire.  The consequence is that the correspondent node redirects the
   packet stream "back" to the home address, causing the victim network
   to be flooded with unrequested packets.  To preclude such misuse, an
   initial home address test is required for the mobile node and the
   correspondent node to establish a semi-permanent security
   association.  The home address test is, if possible, executed in
   proactive manner so as to save a potentially costly message exchange
   via the home agent during the critical handoff period.  The home
   address test does not need to be repeated upon subsequent movements.


3.5.  Concurrent Care-of Address Tests

   Enhanced Route Optimization allows a correspondent node to send
   payload packets to a mobile node's new care-of address already before
   the mobile node has been found to be reachable at the care-of
   address.  When the mobile node changes IP connectivity, it first
   updates its binding at the correspondent node to the new care-of
   address without providing a proof of reachability.  The correspondent
   node registers the new care-of address on a tentative basis and sets
   it to UNVERIFIED state.  Payload packets can then be exchanged
   bidirectionally via the new care-of address, while the mobile node's
   reachability at the new care-of address is verified concurrently.
   The correspondent node moves the care-of address to VERIFIED state
   once reachability verification completes.


3.6.  Credit-Based Authorization

   Concurrent care-of address tests without additional protection would
   enable an attacker to trick a correspondent node into temporarily
   redirecting payload packets, which would otherwise be addressed to
   the attacker itself, to the IP address of a victim.  Such



Arkko, et al.             Expires June 15, 2007                [Page 10]


Internet-Draft         Enhanced Route Optimization         December 2006


   "redirection-based flooding" [4] may be appealing to the attacker
   because not the attacker, but the correspondent node generates the
   flooding packets and sends them to the victim.  This enables the
   attacker to amplify the strength of the attack to a significant
   degree compared to a direct flooding attack where the attacker itself
   would generate the flooding packets.

   Enhanced Route Optimization protects against redirection-based
   flooding attacks through the use of Credit-Based Authorization.
   Credit-Based Authorization manages the effort that a correspondent
   node expends in sending payload packets to a care-of address in
   UNVERIFIED state so as to ensure that a redirection-based flooding
   attack cannot be more effective than direct flooding.  The ability to
   send unrequested packets is an inherent property of packet-oriented
   networks, and direct flooding is a threat that results from this.
   Since direct flooding exists with and without mobility support, and
   redirection-based flooding attacks cannot be any more efficient than
   this, Credit-Based Authorization increases the security level
   provided by Enhanced Route Optimization with respect to flooding to
   that of the non-mobile Internet.  Enhanced Route Optimization
   therefore satisfies the objective to provide a security level
   comparable to that of the non-mobile Internet.

   The measuring and limiting of effort is technically realized through
   the concept of "credit", which a correspondent node maintains to put
   its own effort in relation to the effort that a mobile node expends
   during regular communications with the correspondent node.  The
   correspondent node increases the credit for payload packets it
   receives from a care-of address of the mobile node in VERIFIED state,
   and it reduces the credit in proportion to its own effort for sending
   payload packets to a care-of address of the mobile node in UNVERIFIED
   state.


3.7.  Parallel home and correspondent registrations

   Enhanced Route Optimization enables mobile nodes to pursue a
   correspondent registration in parallel with the respective home
   registration.  This reduces handoff delays compared to base Mobile
   IPv6, which requires mobile nodes to wait for a Binding
   Acknowledgment message indicating a successful home registration
   before they initiate a correspondent registration.









Arkko, et al.             Expires June 15, 2007                [Page 11]


Internet-Draft         Enhanced Route Optimization         December 2006


4.  Protocol Operation

   Enhanced Route Optimization allows a mobile node to securely
   authenticate to a correspondent node based on the CGA property of its
   home address, and to request a concurrent care-of address test for
   increased handoff efficiency.  Depending on whether the mobile node
   wishes to take advantage of either or both of these enhancements, the
   messages exchanged during a correspondent registration are different.
   This is described in the following.


4.1.  Sending Binding Update Messages

   A mobile node may initiate a correspondent registration for any of
   the following reasons:

   o  To establish a new binding at a correspondent node while away from
      its home link so that subsequent packets will be route-optimized
      and no longer be routed through the mobile node's home agent.

   o  To update an existing binding at the correspondent node while
      moving from one point of IP attachment to another.

   o  To follow up an early Binding Update message with a complete
      Binding Update message after receiving a Binding Acknowledgment
      message with a Care-of Test option.

   o  To refresh an existing binding at the correspondent node without
      changing the current point of IP attachment.

   o  To request the correspondent node to renew an existing permanent
      home keygen token shared between the mobile node and the
      correspondent node (see Section 4.5).

   o  To request the correspondent node to deregister an existing
      binding.















Arkko, et al.             Expires June 15, 2007                [Page 12]


Internet-Draft         Enhanced Route Optimization         December 2006


     Mobile node               Home agent           Correspondent node
         |                         |                         |
         |                         |                         |
         ~ Handoff                 |                         |
         |                         |                         |
         |-Binding Update--------->|                         |
         |-early Binding Update + Care-of Test Init option-->|
         |                         |                         |
         |                         |                         |
         |<------------Binding Ack-|                         |
         |<----------early Binding Ack + Care-of Test option-|
         |                         |                         |
         |                         |                         |
         |-Binding Update----------------------------------->|
         |                         |                         |
         |                         |                         |
         |<--------------------------------------Binding Ack-|
         |                         |                         |

    Figure 1: Correspondent registration with authentication by a proof
     of the mobile node's knowledge of a permanent home keygen token;
                      concurrent care-of address test


   In any of these cases, the mobile node sends a Binding Update message
   to the correspondent node.  The Binding Update message is
   authenticated by one of the following three authentication methods:

   o  If the mobile node's home address is a CGA, but the mobile node
      does not have a permanent home keygen token in its Binding Update
      List entry for the correspondent node, the mobile node SHOULD
      authenticate the Binding Update message based on the CGA property
      of its home address.  This requires the mobile node to send its
      CGA parameters and signature to the correspondent node and to pass
      a check of reachability at the home address.

   o  If the mobile node's home address is a CGA, and the mobile node
      has a permanent home keygen token in its Binding Update List entry
      for the correspondent node, the mobile node MUST authenticate the
      Binding Update message by a proof of its knowledge of the
      permanent home keygen token.

   o  If the mobile node's home address is not a CGA, the mobile node
      MUST authenticate the Binding Update message through a proof of
      reachability at its home address.

   The lifetime requested by the mobile node in the Lifetime field of
   the Binding Update message MUST NOT exceed MAX_CGA_BINDING_LIFETIME



Arkko, et al.             Expires June 15, 2007                [Page 13]


Internet-Draft         Enhanced Route Optimization         December 2006


   (see Section 7) if the Binding Update message is to be authenticated
   based on the CGA property of the mobile node's home address or by a
   proof of the mobile node's knowledge of a permanent home keygen
   token.  If the selected authentication method is a proof of the
   mobile node's reachability at the home address, the lifetime MUST NOT
   exceed MAX_RR_BINDING_LIFETIME [1].  It is RECOMMENDED in all cases
   that the mobile node requests the maximum permitted lifetime in order
   to avoid unnecessary binding refreshes and thus reduce signaling
   overhead.  The Lifetime field of a Binding Update message that
   requests the deletion of an existing binding at the correspondent
   node MUST be set to zero.

   If the selected authentication method is by way of the CGA property
   of the mobile node's home address, the mobile node includes its CGA
   parameters and signature in the Binding Update message by adding one
   or more CGA Parameters options (see Section 5.1) directly followed by
   a Signature option (see Section 5.2).  This is described in
   Section 4.5.  Once a permanent home keygen token has been obtained
   from the correspondent node, the mobile node MUST authenticate all
   subsequent Binding Update messages by a proof of its knowledge of
   this permanent home keygen token until either the binding lifetime
   expires, the permanent home keygen token is renewed, or the mobile
   node explicitly deregisters the binding at the correspondent node.
   This ensures that an attacker on the path from the correspondent node
   to the mobile node's home address cannot downgrade the mobile node's
   chosen authentication method to a proof of reachability at the home
   address.  The mobile node MAY choose to ignore the CGA property of
   its home address and authenticate Binding Update messages through a
   proof of reachability at the home address.  However, this behavior
   increases the vulnerability to on-path attackers and is therefore NOT
   RECOMMENDED.




















Arkko, et al.             Expires June 15, 2007                [Page 14]


Internet-Draft         Enhanced Route Optimization         December 2006


     Mobile node              Home agent          Correspondent node
         |                         |                         |
         |                         |                         |
         |-Home Test Init--------->|------------------------>|
         |                         |                         |
         |<------------------------|<--------------Home Test-|
         |                         |                         |
         |                         |                         |
         ~ Handoff                 |                         |
         |                         |                         |
         |-Binding Update--------->|                         |
         |-early Binding Update + Care-of Test Init option-->|
         |                         |                         |
         |                         |                         |
         |<------------Binding Ack-|                         |
         |<----------early Binding Ack + Care-of Test option-|
         |                         |                         |
         |                         |                         |
         |-Binding Update----------------------------------->|
         |                         |                         |
         |                         |                         |
         |<--------------------------------------Binding Ack-|
         |                         |                         |

     Figure 2: Correspondent registration with authentication based on
     reachability verification at the home address; concurrent care-of
                               address test


   The mobile node also includes its CGA parameters in the Binding
   Update message when it intends to renew an existing permanent home
   keygen token shared with the correspondent node.  This is
   accomplished, as before, by adding to the message one or more CGA
   Parameters options and a Signature option.

   The authenticator for the Binding Update message is calculated based
   on a permanent or temporary home keygen token.  Which type of home
   keygen token the mobile node uses in calculating the authenticator
   depends on the authentication method:

   o  If the Binding Update message is to be authenticated based on the
      CGA property of the mobile node's home address, the mobile node
      MUST use a temporary home keygen token from the correspondent
      node.  The mobile node may already have a valid temporary home
      keygen token in its Binding Update List entry for the
      correspondent node, or it may retrieve one through the exchange of
      a Home Test Init message and a Home Test message.




Arkko, et al.             Expires June 15, 2007                [Page 15]


Internet-Draft         Enhanced Route Optimization         December 2006


   o  If the Binding Update message is to be authenticated by a proof of
      the mobile node's knowledge of a permanent home keygen token, the
      mobile node MUST use the permanent home keygen token that is has
      in its Binding Update List entry for the correspondent node.

   o  If the Binding Update message is to be authenticated through a
      proof of reachability at the home address, the mobile node MUST
      use a temporary home keygen token from the correspondent node.  As
      before, the mobile node may already have a valid temporary home
      keygen token in its Binding Update List entry for the
      correspondent node, or it may retrieve one through the exchange of
      a Home Test Init message and a Home Test message.

   Unless the purpose of the Binding Update message is to delete an
   existing binding at the correspondent node, the authenticator is also
   calculated based on a care-of keygen token.  The mobile node selects
   this as follows:

   o  If the mobile node has a valid care-of keygen token for the to-be-
      registered care-of address in its Binding Update List entry for
      the correspondent node, the mobile node MUST use this in
      calculating the authenticator for the Binding Update message.  The
      Binding Update message is in this case "complete".

   o  If the mobile node does not have a valid care-of keygen token in
      its Binding Update List entry for the correspondent node, the
      mobile node SHOULD define the care-of keygen token to be zero and
      use this in calculating the authenticator for the Binding Update
      message.  The Binding Update message is in this case "early".

   o  If the mobile node does not have a valid care-of keygen token in
      its Binding Update List entry for the correspondent node, the
      mobile node MAY choose to retrieve a care-of keygen token through
      the exchange of a Care-of Test Init message and a Care-of Test
      message, as defined in [1], without sending an early Binding
      Update message.  In this case, the mobile node waits for receipt
      of the Care-of Test message and uses the care-of keygen token
      contained therein in calculating the authenticator for a complete
      Binding Update message.  This approach increases the handoff
      latency, however, and is therefore NOT RECOMMENDED.

   For reduced handoff delays, the mobile node SHOULD simultaneously
   initiate home and correspondent registrations for a particular
   care-of address.  The mobile node SHOULD also pursue home and
   correspondent deregistrations in parallel if it wishes to discontinue
   Mobile IPv6 service while away from its home link.  However, when the
   mobile node commits home and correspondent deregistrations after
   returning back to the home link after a period of roaming, the mobile



Arkko, et al.             Expires June 15, 2007                [Page 16]


Internet-Draft         Enhanced Route Optimization         December 2006


   node MUST initiate the home deregistration first, and it MUST wait
   for a Binding Acknowledgment message indicating a successful home
   deregistration before it initiates the correspondent deregistration.
   This behavior ensures that the home agent does not proxy the mobile
   node's home address while the mobile node is on the home link, hence
   preventing interference between the mobile node and the home agent
   during Duplicate Address Detection.  Since a home deregistration
   consumes only a link-local round-trip time when the mobile node
   pursues it from the home link, the cost of not parallelizing it with
   a correspondent deregistration, in terms of increased handoff delay,
   is typically negligible.

   Moreover, when the Binding Update message for the correspondent
   registration is to be authenticated based on the CGA property of the
   mobile node's home address or through a proof of reachability at the
   home address, the mobile node SHOULD initiate the exchange of Home
   Test Init and Home Test messages prior to handoff in order to
   proactively elicit a fresh home keygen token from the correspondent
   node.  This reduces handoff delays further.  A Home Test Init message
   may be sent periodically whenever the home keygen token previously
   acquired from the correspondent node is about to expire.  Tokens are
   valid for 3.5 minutes [1], so the interval between successive Home
   Test Init messages should be a little less.  Alternatively, the
   mobile node may be able to send the Home Test Init message right in
   time if its link layer provides a trigger announcing imminent
   handoff.  Proactive home address tests are technically feasible
   because a home address does not change across handoffs.

   If the mobile node initiates the home address test from the home
   link, it MUST address the Home Test Init message directly to the
   correspondent node.  The Home Test message will then be received
   directly from the correspondent node.  If the home address test is
   initiated from a visited link, the mobile node MUST tunnel the Home
   Test Init message to the home agent.  The Home Test message will then
   be tunneled back to the mobile node by the home agent.  A home
   address test SHOULD NOT overlap with a home registration or home
   deregistration since this could result in the loss of the Home Test
   Init or Home Test message.

   If the Binding Update message is early, the mobile node MUST add a
   Care-of Test Init option (see Section 5.4) to the message, requesting
   the correspondent node to return a new care-of keygen token.  The
   Care-of Test Init option MUST follow the CGA Parameters and Signature
   options, if those exist in the Binding Update message.  Once a
   responding Binding Acknowledgment message with a Care-of Test option
   (see Section 5.5) is received, the mobile node MUST use the care-of
   keygen token contained therein in calculating the authenticator for a
   complete Binding Update message and send this message to the



Arkko, et al.             Expires June 15, 2007                [Page 17]


Internet-Draft         Enhanced Route Optimization         December 2006


   correspondent node.

   If the Binding Update message is authenticated based on the CGA
   property of the mobile node's home address, the mobile node MAY add a
   CGA Parameters Request option (see Section 5.6) to the Binding Update
   message so as to request the correspondent node to prove ownership of
   its IP address within the Binding Acknowledgment message.  This
   ownership proof enables the mobile node to verify that the permanent
   home keygen token returned in the Binding Acknowledgment message was
   generated by the right correspondent node.

   The mobile node includes the nonce indices associated with the
   selected home and care-of keygen tokens in the Binding Update message
   using a Nonce Indices option [1].  The home nonce index is thereby
   determined as follows:

   o  If the Binding Update message is to be authenticated based on the
      CGA property of the mobile node's home address, the mobile node
      uses a temporary home keygen token to calculate the authenticator
      for the Binding Update message, and the associated home nonce
      index MUST be taken from the Home Test message with which the home
      keygen token was obtained.

   o  If the Binding Update message is to be authenticated by a proof of
      the mobile node's knowledge of a permanent home keygen token, the
      home nonce index MUST be set to zero.

   o  If the Binding Update message is to be authenticated through a
      proof of the mobile node's reachability at the home address, the
      mobile node uses a temporary home keygen token to calculate the
      authenticator for the Binding Update message, and the associated
      home nonce index MUST be taken from the Home Test message with
      which the home keygen token was obtained.

   The care-of nonce index is determined according to the following
   rules:

   o  If the Binding Update message is complete, the care-of nonce index
      is taken from the Care-of Test option or Care-of Test message with
      which the care-of keygen token used to calculate the authenticator
      for the Binding Update message was obtained.

   o  If the Binding Update message is early, the care-of nonce index
      MUST be set to zero.

   o  If the purpose of the Binding Update message is to delete a
      binding at the correspondent node, the care-of nonce index MUST be
      set zero.



Arkko, et al.             Expires June 15, 2007                [Page 18]


Internet-Draft         Enhanced Route Optimization         December 2006


   The Nonce Indices option follows the CGA Parameters, Signature,
   Care-of Test Init, and CGA Parameters Request options if those are
   included in the Binding Update message as well.

   The mobile node finally calculates an authenticator for the Binding
   Update message based on the selected home and care-of keygen tokens,
   following the rules described in Section 5.2 and Section 6.2.7 of
   [1].  For a Binding Update message that requests the deletion of an
   existing binding at the correspondent node, the authenticator is
   calculated based on only a home keygen token, and it does not
   incorporate a care-of keygen token.  The authenticator is placed into
   the Authenticator field of a Binding Authorization Data option [1],
   which the mobile node adds to the Binding Update message as the last
   option.

     Mobile node               Home agent           Correspondent node
         |                         |                         |
         |                         |                         |
         ~ Handoff                 |                         |
         |                         |                         |
         |-Binding Update--------->|                         |
         |-Care-of Test Init-------------------------------->|
         |                         |                         |
         |                         |                         |
         |<------------Binding Ack-|                         |
         |<-------------------------------------Care-of Test-|
         |                         |                         |
         |                         |                         |
         |-Binding Update----------------------------------->|
         |                         |                         |
         |                         |                         |
         |<--------------------------------------Binding Ack-|
         |                         |                         |

    Figure 3: Correspondent registration with authentication by a proof
     of the mobile node's knowledge of a permanent home keygen token;
                       explicit care-of address test


   The time-sequence diagrams in Figure 1 through Figure 3 illustrate
   the operation of Enhanced Route Optimization based on a few selected
   message exchanges.  Figure 1 shows the messages exchanged for a
   correspondent registration where an early Binding Update message is
   authenticated by a proof of the mobile node's knowledge of a
   permanent home keygen token.  A Care-of Test Init option in the early
   Binding Update message requests the correspondent node to add to the
   Binding Acknowledgment message a fresh care-of keygen token in a
   Care-of Test option.  The mobile node finally concludes the



Arkko, et al.             Expires June 15, 2007                [Page 19]


Internet-Draft         Enhanced Route Optimization         December 2006


   correspondent registration with a complete Binding Update message.
   Figure 2 shows the procedure of a correspondent registration where
   the Binding Update message is authenticated with a proof of
   reachability at the home address.  The home address test is
   proactively performed prior to handoff, permitting the mobile node to
   issue a Binding Update message directly after the handoff.  The
   Binding Update message is again early, and a care-of keygen token is
   delivered to the mobile node along with the Binding Acknowledgment
   message.  Figure 3 depicts a correspondent registration where the
   mobile node initially obtains a fresh care-of keygen token through
   the dedicated exchange of Care-of Test Init and Care-of Test
   messages.  It subsequently issues a complete Binding Update message
   that is authenticated with the CGA property of the home address.


4.2.  Receiving Binding Update Messages

   When the correspondent node receives a Binding Update message, it
   must first verify whether the sending mobile node is the legitimate
   owner of the home address specified in the message.  The
   correspondent node selects the authentication method based on the
   home nonce index given in the Nonce Indices option of the Binding
   Update message, and on the existence of CGA Parameters and Signature
   options in the Binding Update message:

   o  If the home nonce index is set to a non-null value and the Binding
      Update message includes one or more CGA Parameters options
      followed by a Signature option, the correspondent node MUST
      authenticate the Binding Update message based on the CGA property
      of the mobile node's home address.

   o  If the home nonce index is zero and the Binding Update message
      does not include one or more CGA Parameters options followed by a
      Signature option, the correspondent node MUST authenticate the
      Binding Update message by a proof of the mobile node's knowledge
      of a permanent home keygen token.

   o  If the home nonce index is set to a non-null value and the Binding
      Update message does not include one or more CGA Parameters options
      followed by a Signature option, the correspondent node MUST
      authenticate the Binding Update message through a proof of the
      mobile node's reachability at the home address.

   In addition to the validation procedure for Binding Update messages
   specified in [1], the correspondent node must take the following
   additional steps to reject Binding Update messages that are
   inappropriately authenticated:




Arkko, et al.             Expires June 15, 2007                [Page 20]


Internet-Draft         Enhanced Route Optimization         December 2006


   o  If the Binding Update message includes one or more CGA Parameters
      options followed by a Signature option and the home nonce index is
      zero, the correspondent node MUST send a Binding Acknowledgment
      message with status code TBD ("Non-null home nonce index
      expected").  This ensures that a Binding Update message that is
      authenticated based on the CGA property of the mobile node's home
      address must also provide a proof of the mobile node's
      reachability at the home address.

   o  If the Binding Update message is to be authenticated by a proof of
      the mobile node's knowledge of a permanent home keygen token, the
      correspondent node MUST verify that it has a Binding Cache entry
      for the mobile node that includes a permanent home keygen token.
      In case the correspondent node does not have a Binding Cache entry
      for the mobile node, or if the existing Binding Cache entry for
      the mobile node does not include a permanent home keygen token,
      the correspondent node MUST reject the Binding Update message by
      sending a Binding Acknowledgment message with status code TBD
      ("Permanent home keygen token unavailable").

   o  If the Binding Update message is to be authenticated through a
      proof of the mobile node's reachability at the home address, the
      correspondent node MUST verify that it does not have a permanent
      home keygen token in its Binding Cache entry for the mobile node.
      If the correspondent node has a permanent home keygen token in its
      Binding Cache entry for the mobile node, it MUST reject the
      Binding Update message by sending a Binding Acknowledgment message
      with status code TBD ("Permanent home keygen token exists").  This
      ensures that an attacker cannot downgrade the authentication
      method to hijack the binding of a legitimate mobile node.

   The authenticator for the Binding Update message is calculated based
   on a permanent or temporary home keygen token.  Which type of home
   keygen token the correspondent node uses in validating the
   authenticator, and how it retrieves or recomputes the home keygen
   token, depends on the authentication method:

   o  If the Binding Update message is to be authenticated based on the
      CGA property of the mobile node's home address, the correspondent
      node MUST recompute the temporary home keygen token defined by the
      (non-null) home nonce index in the Nonce Indices option of the
      Binding Update message, and it MUST use this recomputed token in
      validating the authenticator of the message.

   o  If the Binding Update message is to be authenticated by a proof of
      the mobile node's knowledge of a permanent home keygen token, the
      correspondent node MUST use the permanent home keygen token that
      it has in its Binding Cache entry for the mobile node in



Arkko, et al.             Expires June 15, 2007                [Page 21]


Internet-Draft         Enhanced Route Optimization         December 2006


      validating the authenticator of the Binding Update message.

   o  If the Binding Update message is to be authenticated through
      verification of the mobile node's reachability at the home
      address, the correspondent node MUST recompute the temporary home
      keygen token defined by the (non-null) home nonce index in the
      Nonce Indices option of the Binding Update message, and it MUST
      use this recomputed token in validating the authenticator of the
      message.

   Unless the purpose of the Binding Update message is to delete an
   existing binding at the correspondent node, the authenticator is also
   calculated based on a care-of keygen token.  Which care-of keygen
   token the correspondent node uses in validating the authenticator
   depends on whether the Binding Update message is complete or early:

   o  If the care-of nonce index in the Nonce Indices option of the
      Binding Update message is set to a non-null value, the Binding
      Update message is complete.  In this case, the correspondent node
      MUST recompute the care-of keygen token that is identified by the
      care-of nonce index, and it MUST use this recomputed token in
      validating the authenticator of the message.

   o  If the care-of nonce index in the Nonce Indices option of the
      Binding Update message is zero, the Binding Update message is
      early.  The care-of keygen token to be used by the correspondent
      node in validating the authenticator of the Binding Update message
      is zero in this case.

   The correspondent node finally validates the authenticator in the
   Binding Update message based on the selected home and care-of keygen
   tokens, following the algorithm described in Section 9.5.1 of [1].

   If the validation fails, the correspondent node MUST discard the
   Binding Update message.  The correspondent node may have to send a
   Binding Acknowledgment message with a status code indicating the
   failure, as described in [1].

   Provided that the validation of the authenticator in the Binding
   Update message succeeds, the correspondent node registers the mobile
   node's new care-of address, either updating an existing Binding Cache
   entry, if one exists, or creating a new Binding Cache entry.  The
   lifetime granted for the binding depends on the lifetime requested by
   the mobile node in the Lifetime field of the Binding Update message
   and the method by which the Binding Update message is authenticated.
   If the Binding Update message is authenticated based on the CGA
   property of the mobile node's home address or by a proof of the
   mobile node's knowledge of a permanent home keygen token, the



Arkko, et al.             Expires June 15, 2007                [Page 22]


Internet-Draft         Enhanced Route Optimization         December 2006


   lifetime for the binding SHOULD be set to the maximum of
   MAX_CGA_BINDING_LIFETIME and the value specified in the Lifetime
   field of the Binding Update message.  If the Binding Update message
   is authenticated through a proof of the mobile node's reachability at
   the home address, then the lifetime for the binding SHOULD be set to
   the maximum of MAX_RR_BINDING_LIFETIME [1] and the value specified in
   the Lifetime field of the Binding Update message.  The correspondent
   node may in either case grant a further reduced lifetime, but it MUST
   NOT accept a higher lifetime.

   The state of the new care-of address depends on whether the Binding
   Update message is complete or early:

   o  If the Binding Update message is complete, the new care-of address
      is set to VERIFIED state.  The correspondent node may then
      immediately send packets to the new care-of address without
      restrictions.

   o  If the Binding Update message is early, the new care-of address is
      set to UNVERIFIED state.  The correspondent node MUST then follow
      the rules defined in Section 4.10 for sending packets to this
      care-of address until the care-of address is set in VERIFIED
      state.

   If the Binding Update message contains one or multiple CGA Parameters
   options, the mobile node is requesting the correspondent node to
   accept the included CGA parameters either for establishing a new, or
   for renewing an existing permanent home keygen token shared between
   the mobile node and the correspondent node.  The correspondent node
   MUST in this case check if the CGA Parameters options are directly
   followed by a Signature option and, if so, validate the CGA
   parameters and signature as described in Section 4.6.

   If the CGA Parameters option is not directly followed by a Signature
   option, or the validation of the included CGA parameters and
   signature fails, the correspondent node MUST discard the Binding
   Update message and send a Binding Acknowledgment message with status
   code TBD ("CGA and signature verification failed") to the mobile
   node.

   Provided that the signature included in the Signature option is
   correct, the correspondent node generates a permanent home keygen
   token to be shared with the mobile node and stores it in its Binding
   Cache entry for the mobile node.  The permanent home keygen token is
   sent to the mobile node within a Binding Acknowledgment message as
   described in Section 4.3.





Arkko, et al.             Expires June 15, 2007                [Page 23]


Internet-Draft         Enhanced Route Optimization         December 2006


4.3.  Sending Binding Acknowledgment Messages

   Upon receipt of a valid Binding Update message, the correspondent
   node returns to the mobile node a Binding Acknowledgment message in
   any of the following cases:

   o  The Acknowledge flag in the Binding Update message is set.

   o  The Binding Update message contains one or multiple CGA Parameters
      options directly followed by a Signature option, and the signature
      included in the latter was determined to be correct.

   o  The Binding Update message is early and includes a Care-of Test
      Init option.

   If the Binding Update message further contains a CGA Parameters
   Request option and the correspondent node's IP address is a CGA, the
   correspondent node MUST include its CGA parameters and signature in
   the Binding Acknowledgment message by adding one or more CGA
   Parameters options directly followed by a Signature option.  The
   correspondent node's CGA parameters and signature enable the mobile
   node to verify that the permanent home keygen token received in the
   Binding Acknowledgment message was generated by the right
   correspondent node.  If the Binding Update message contains a CGA
   Parameters Request option, but the correspondent node's IP address is
   not a CGA, the correspondent node ignores the CGA Parameters Request
   option and processes the Binding Update message further as described
   below.

   If the Binding Update message contains one or multiple CGA Parameters
   options directly followed by a Signature option, and the signature
   included in the latter was determined to be correct, the
   correspondent node MUST add a Permanent Home Keygen Token option (see
   Section 5.3) with a new permanent home keygen token to the Binding
   Acknowledgment message.  The correspondent node also stores this
   permanent home keygen token in its Binding Cache entry for the mobile
   node.

   If the Binding Update message includes a Care-of Test Init option,
   the correspondent node MUST append to the Binding Acknowledgment
   message a Care-of Test option with a pseudo-random value in the
   Care-of Keygen Token field.  The Care-of Test Init option MUST appear
   after the Permanent Home Keygen Token option in case both options are
   present in the Binding Acknowledgment message.

   A Binding Authorization Data option must be added to the Binding
   Acknowledgment message as a last option, as described in Section 5.2
   and Section 6.2.7 of [1].



Arkko, et al.             Expires June 15, 2007                [Page 24]


Internet-Draft         Enhanced Route Optimization         December 2006


4.4.  Receiving Binding Acknowledgment Messages

   A mobile node first verifies a received Binding Acknowledgment
   message according to the rules specified in [1].  Provided that the
   Binding Acknowledgment message is not rejected based on these rules,
   the mobile node takes the following additional steps.

   If the mobile node included a CGA Parameters Request option in the
   Binding Update message and the Binding Acknowledgment message
   contains a Permanent Home Keygen Token option, the mobile node first
   processes any CGA Parameters and Signature options in the Binding
   Acknowledgment message in the following manner.  If the Binding
   Acknowledgment message contains one or more CGA Parameters options
   that are directly followed by a Signature option, the mobile node
   MUST check the ownership of the correspondent node's IP address by
   verifying the included CGA parameters and signature as described in
   Section 4.6.  If the validation of the CGA parameters and signature
   fails, the mobile node MUST silently discard the Binding
   Acknowledgment message.  The mobile node MUST also silently discard
   the Binding Acknowledgment message if the message includes one or
   more CGA Parameters options that are not directly followed by a
   Signature option, or if the Binding Acknowledgment message lacks any
   CGA Parameters options in the presence of a Signature option.

   If the mobile node did not include a CGA Parameters Request option in
   the Binding Update message or the Binding Acknowledgment message does
   not contain a Permanent Home Keygen Token option, the mobile node
   ignores any CGA Parameters and Signature options that the Binding
   Acknowledgment message may contain.  Careful use of the CGA
   Parameters Request option in Binding Update messages enables the
   mobile node to control the processing resources it spends on the
   verification of a correspondent node's CGA as well as to disable such
   verification in the case of persistent verification failures, which
   may be due to misconfigured or outdated CGA software [12] on the
   correspondent node side or at the mobile node itself.  Specifically,
   if the mobile node repeatedly fails to receive a Binding
   Acknowledgment message including valid CGA Parameters and Signature
   options in response to sending a Binding Update message with a CGA
   Parameters Request option, the mobile node SHOULD refrain from
   including a CGA Parameters Request option in future Binding Update
   messages for the same correspondent node.

   If the mobile node included a CGA Parameters Request option in the
   Binding Update message, but the Binding Acknowledgment message does
   not contain any CGA Parameters or Signature options, the mobile node
   cannot be sure if the correspondent node's IP address is simply not a
   CGA, or if the Binding Acknowledgment message originates from an
   attacker on the path from the mobile node to the correspondent node.



Arkko, et al.             Expires June 15, 2007                [Page 25]


Internet-Draft         Enhanced Route Optimization         December 2006


   To avoid accepting a permanent home keygen token from an on-path
   attacker, the mobile node MUST give precedence to Binding
   Acknowledgment messages that include valid CGA Parameters and
   Signature options over Binding Acknowledgment messages without such
   options.  One possible algorithm for the mobile node to follow in
   this regard is to always accept the Binding Acknowledgment message
   received first, and if this message does not contain valid CGA
   Parameters or Signature options and another Binding Acknowledgment
   message including such options is received later on, to revert any
   state changes involved in accepting the first Binding Acknowledgment
   in favor of this subsequent Binding Acknowledgment message.  Giving
   precedence to Binding Acknowledgment messages with valid CGA
   Parameters and Signature options over Binding Acknowledgment messages
   without such options enables the mobile node to communicate with
   correspondent nodes which do not use a CGA, and at the same time
   protects against most on-path attackers.  The strategy does not
   protect against an attacker that can intercept Binding Acknowledgment
   messages from the correspondent node, but such an attacker could
   preclude mobility management between the mobile node and the
   correspondent node anyway.  When the mobile node has permanently
   accepted a Binding Acknowledgment message without valid CGA
   Parameters and Signature options, the mobile node SHOULD refrain from
   including a CGA Parameters Request option in future Binding Update
   messages for the same correspondent node.

   If the Binding Acknowledgment message contains a Permanent Home
   Keygen Token option, the mobile node extracts the permanent home
   keygen token included in this option and stores it in its Binding
   Update List entry for the correspondent node.  Future Binding Update
   messages will then be authenticated based on the CGA property of the
   mobile node's home address.

   If the Binding Acknowledgment message contains a Care-of Test option,
   the mobile node extracts the care-of keygen token included in this
   option, stores the token in its Binding Update List entry for the
   correspondent node, and sends the correspondent node a complete
   Binding Update message as defined in Section 4.1.  Note that the
   complete Binding Update message will be authenticated based on the
   CGA property of the mobile node's home address if the Binding
   Acknowledgment message also includes a Permanent Home Keygen Token
   option.  This is independent of the authentication method that was
   used for the corresponding early Binding Update message.

   A mobile node MUST ensure that, while it has a binding for a certain
   home address at a correspondent node, it also has a valid binding at
   its home agent for the same home address.  This may at times require
   the mobile node to extend the binding lifetime at the home agent,
   request a correspondent node to use a binding lifetime less than the



Arkko, et al.             Expires June 15, 2007                [Page 26]


Internet-Draft         Enhanced Route Optimization         December 2006


   permitted maximum, or explicitly deregister an existing binding at a
   correspondent node.

   If the mobile node authenticates Binding Update messages for a
   particular correspondent node by proving its knowledge of a permanent
   home keygen token, but registrations at this correspondent node
   persistently fail, the mobile node SHOULD renew the permanent home
   keygen token by sending a Binding Update message that is
   authenticated based on the CGA property of its home address.  This
   Binding Update message includes the mobile node's CGA parameters and
   signature, and it requests the correspondent node to generate a new
   permanent home keygen token and send this to the mobile node within a
   Binding Acknowledgment message.

   If the mobile node persistently receives Binding Acknowledgment
   messages with status code TBD ("CGA and signature verification
   failed") from a correspondent node, the mobile node SHOULD
   authenticate future Binding Update messages for the same
   correspondent nodes through a proof of its reachability at the home
   address.  This enables the mobile node to recover from misconfigured
   or outdated CGA software [12] on the correspondent node side or at
   the mobile node itself.


4.5.  Sending CGA Parameters

   A mobile node includes its CGA parameters and signature in a Binding
   Update message for a correspondent node in any of the following
   situations:

   o  To acquire a permanent home keygen token if the mobile node's home
      address is a CGA, and the mobile node does not yet have a
      permanent home keygen token from the correspondent node.

   o  To extent the lifetime of an existing binding if the mobile node
      already has a permanent home keygen token from the correspondent
      node, and the lifetime of the binding at the correspondent node is
      about to expire.

   o  To renew an existing permanent home keygen token to prevent replay
      attacks in the imminent event of a sequence number rollover, or
      for improved protection against cryptanalysis.

   A correspondent node whose IP address is a CGA includes its CGA
   parameters and signature in a Binding Acknowledgment message for the
   mobile node when it receives a Binding Update message with a CGA
   Parameters Request option.




Arkko, et al.             Expires June 15, 2007                [Page 27]


Internet-Draft         Enhanced Route Optimization         December 2006


   CGA parameters are transmitted in the format of the CGA Parameters
   data structure defined in [6].  The CGA Parameters data structure is
   split over one or more CGA Parameters options as described in
   Section 5.1.  The last CGA Parameters option MUST be directly
   followed by a Signature option.

   The value for the Signature field in the Signature option is
   calculated according to the signature generation algorithm defined in
   Section 6 of [6].  The value is calculated with the mobile or
   correspondent node's private key over the following sequence of
   octets:

      mobility data =
         care-of address | correspondent node IP address | MH data

   where "|" denotes concatenation.  "Care-of address" is the mobile
   node's care-of address, and "correspondent node IP address" is the IP
   address of the correspondent node that is visible to protocol layers
   above IP.  In case the correspondent node is mobile, "correspondent
   node IP address" refers to the correspondent node's home address.
   "MH data" is the content of the Binding Update or Binding
   Acknowledgment message including the mobility header and all options
   up to the last CGA Parameters option.  That is, "MH data" excludes
   the IPv6 header and any IPv6 extension headers other than the
   mobility header itself.  The "mobility data" constitutes what is
   referred to as the "message" in Section 6 of [6].

   The value for the Signature field is calculated as if the Checksum
   field in the mobility header was zero.  The Checksum field in the
   transmitted packet is still calculated in the usual manner, with the
   calculated value in the Signature field being a part of the packet
   protected by the checksum.


4.6.  Receiving CGA Parameters

   Mobile and correspondent nodes that receive a Binding Update or
   Binding Acknowledgment message including one or more CGA Parameters
   options directly followed by a Signature option first process the
   message as described in [1].  This includes a verification of the
   authenticator in the Authenticator field of the Binding Authorization
   Data option.  If the Binding Update or Binding Acknowledgment message
   is rejected due to an incorrect authenticator or for any other
   reason, the message is not processed further.

   Otherwise, if the validation of the Binding Update or Binding
   Acknowledgment message succeeds, the mobile or correspondent node
   reassembles the CGA Parameters data structure from the CGA Parameters



Arkko, et al.             Expires June 15, 2007                [Page 28]


Internet-Draft         Enhanced Route Optimization         December 2006


   options included in the message as described in Section 5.1, and
   executes the CGA verification algorithm defined in Section 5 of [6].
   The CGA verification algorithm takes the to-be-verified CGA and the
   reassembled CGA Parameters data structure as input.  The to-be-
   verified CGA is the mobile node's home address when the CGA
   verification algorithm is executed by the correspondent node.  When
   the mobile node executes the CGA verification algorithm, the to-be-
   verified CGA is the correspondent node's IP address that is visible
   to protocol layers above IP.  This is the correspondent node's home
   address in case the correspondent node is mobile.  The following
   steps are skipped if the CGA verification fails.

   If the CGA verification succeeds, the mobile or correspondent node
   performs a more time-consuming check of the signature.  It extracts
   the signature from the Signature field in the Signature option and
   executes the signature verification algorithm defined in Section 6 of
   [6].  The signature verification algorithm takes as input the to-be-
   verified CGA as defined above, the reassembled CGA Parameters data
   structure, the MH data as defined in Section 4.5, the CGA Message
   Type tag of Enhanced Route Optimization as defined in Section 7, and
   the signature itself.


4.7.  Sending Permanent Home Keygen Tokens

   A correspondent node assigns a mobile node a new permanent home
   keygen token after it has received from the mobile node a Binding
   Update message with included CGA Parameters and Signature options,
   and these options have been successfully validated as described in
   Section 4.6.  The permanent home keygen token is a 64-bit value
   randomly generated by the correspondent node.  The correspondent node
   stores the permanent home keygen token in the binding cache entry
   that it maintains for the mobile node.

   The correspondent node sends the permanent home keygen token to the
   mobile node in encrypted form within a Permanent Home Keygen Token
   option in a Binding Acknowledgment message.  It sends this message
   even if the Acknowledge flag in the corresponding Binding Update
   message was clear.  The correspondent node encrypts the permanent
   home keygen token with the mobile node's public key using the RSAES-
   PKCS1-v1_5 format [3], and places the ciphertext into the Permanent
   Home Keygen Token field of the Permanent Home Keygen Token option.

   The Binding Authorization Data option MUST be the last option in the
   Binding Acknowledgment message.  That is, the authenticator in the
   Binding Authorization Data option covers the Permanent Home Keygen
   Token option.




Arkko, et al.             Expires June 15, 2007                [Page 29]


Internet-Draft         Enhanced Route Optimization         December 2006


4.8.  Receiving Permanent Home Keygen Tokens

   A mobile node that receives a Binding Acknowledgment message first
   processes the message as described in [1], independent of whether the
   message includes a Permanent Home Keygen Token option.  This includes
   a verification of the authenticator in the Authenticator field of the
   Binding Authorization Data option.  If the Binding Acknowledgment
   message is rejected due to an incorrect authenticator or for any
   other reason, the mobile node does not process the message further.

   Otherwise, if the mobile node accepts the Binding Acknowledgment
   message and the message includes a Permanent Home Keygen Token
   option, the mobile node extracts the ciphertext from the Permanent
   Home Keygen Token field in this option and decrypts it with its
   private key using the RSAES-PKCS1-v1_5 format [3].  The result of the
   encryption is the permanent home keygen token to be used in further
   registrations with the correspondent node.  The mobile node stores
   the permanent home keygen token in the Binding Update List entry that
   it maintains for the correspondent node.


4.9.  Renewing Permanent Home Keygen Tokens

   A mobile node that shares a permanent home keygen token with a
   correspondent node MUST NOT use the same sequence number twice with
   this permanent home keygen token in order to protect against replay
   attacks.  The mobile node MUST renew the permanent home keygen token
   by including its CGA parameters and signature in a Binding Update
   message for the correspondent node when a sequence number rollover is
   imminent.  In addition, the mobile node MAY renew its permanent home
   keygen token at any time.  Periodic renewal of the permanent home
   keygen token provides increased protection against cryptanalysis.
   Finally, the mobile node may in most cases want to renew the
   permanent home keygen token when the lifetime of its binding at the
   correspondent node expires.


4.10.  Handling Payload Packets

   The immediate exchange of an early Binding Update message after a
   handoff on the mobile node side enables mobile and correspondent
   nodes to quickly reestablish route-optimized communications via the
   mobile node's new care-of address.  The mobile node may send payload
   packets to the correspondent node from the new care-of address as
   soon as it has dispatched the early Binding Update message.  The
   correspondent node redirects outgoing payload packets for the mobile
   node to the new care-of address once it has received the early
   Binding Update message and registered the new care-of address.  Here,



Arkko, et al.             Expires June 15, 2007                [Page 30]


Internet-Draft         Enhanced Route Optimization         December 2006


   a "payload packet" is defined as a packet that originates at a
   protocol layer above IP.

           Inbound
        payload packet
              |
              |
              V
      _________________                           _____________________
     /                 \                         |                     |
    /  Care-of address  \     Yes                |   Increase credit   |
   |         in          |---------------------> |     counter by      |
    \  VERIFIED state?  /                        | payload packet size |
     \_________________/                         |_____________________|
              |                                             |
              |                                             |
              | No                                          |
              |                                             V
              |                                   _____________________
              |                                  |                     |
              |                                  |   Deliver payload   |
              +--------------------------------> |   packet to upper-  |
                                                 |    layer protocol   |
                                                 |_____________________|

                Figure 5: Handling outbound payload packets


   A new care-of address that was registered with an early Binding
   Update message is maintained in UNVERIFIED state by the correspondent
   node until the correspondent node receives a complete Binding Update
   message from the mobile node.  The correspondent node then sets the
   care-of address to VERIFIED state.  The state of the care-of address
   determines the maximum amount of data which the correspondent node is
   allowed to send to the care-of address, as is necessary to prevent
   amplified, redirection-based flooding attacks.  For this purpose, the
   correspondent node maintains a "credit counter" for each mobile node
   with an entry in its Binding Cache.  Whenever a payload packet
   arrives from a mobile node with a care-of address in VERIFIED state,
   the correspondent node SHOULD increase the mobile node's credit
   counter by the size of the received payload packet.  The
   correspondent node MAY be restricted by policy to increase the credit
   counter by a lower value or to not increase the credit at all.  The
   credit counter does not change when an inbound payload packet is
   received from a care-of address in UNVERIFIED state.  Figure 5 shows
   a flow chart of this procedure.





Arkko, et al.             Expires June 15, 2007                [Page 31]


Internet-Draft         Enhanced Route Optimization         December 2006


           Outbound
        payload packet
              |
              |
              V
      _________________                           _____________________
     /                 \                         |                     |
    /  Care-of address  \     Yes                |    Send payload     |
   |         in          |---------------------> |      packet to      |
    \  VERIFIED state?  /                        |   care-of address   |
     \_________________/                         |_____________________|
              |
              |                                   _____________________
              | No                               |                     |
              |                                  |   Discard payload   |
              |                      +---------> |        packet       |
              |                      |           |     immediately     |
              V                      |           |_____________________|
      _________________              |            _____________________
     /                 \             |           |                     |
    /  Credit counter   \   Yes     / \          |    Send payload     |
   |  less than payload  |-------> |   |-------> |      packet to      |
    \   packet size?    /           \ /          |    home address     |
     \_________________/             |           |_____________________|
              |                      |            _____________________
              |                      |           |                     |
              | No                   |           |   Buffer payload    |
              |                      +---------> |     packet for      |
              |                                  | later transmission  |
              |                                  |_____________________|
              V
    _____________________                         _____________________
   |                     |                       |                     |
   |    Reduce credit    |                       |    Send payload     |
   |     counter by      |---------------------> |      packet to      |
   | payload packet size |                       |   care-of address   |
   |_____________________|                       |_____________________|

                Figure 6: Handling outbound payload packets


   When the correspondent node has a payload packet to send to the
   mobile node, further treatment of the payload packet depends on the
   state of the mobile node's care-of address and the current value of
   the mobile node's credit counter, as illustrated in Figure 6: The
   correspondent node MUST send the payload packet to the mobile node's
   care-of address if the care-of address is in VERIFIED state.  If the
   care-of address is in UNVERIFIED state and the value of the credit



Arkko, et al.             Expires June 15, 2007                [Page 32]


Internet-Draft         Enhanced Route Optimization         December 2006


   counter is higher than or equal to the size of the payload packet,
   the correspondent node MUST reduce the mobile node's credit counter
   by the size of the payload packet and send the payload packet to the
   care-of address as well.  However, if the care-of address is in
   UNVERIFIED state and the credit counter is less than the size of the
   payload packet, the payload packet MUST NOT be sent to the mobile
   node's care-of address.  The correspondent node SHOULD then discard
   the payload packet, although it MAY alternatively buffer the payload
   packet until the care-of address moves to VERIFIED state, or send the
   payload packet to the mobile node's home address.  The credit counter
   of the mobile node does not change when the correspondent node sends
   a payload packet to the mobile node's care-of address while the
   care-of address is in VERIFIED state.

   The amount of data that the mobile node may send to the correspondent
   node is never restricted due to the state of the mobile node's
   care-of address.  The care-of address state also does not change the
   addressing and routing of payload packets in either traffic
   direction: All payload packets that originate from the mobile node
   have the care-of address in the Source Address field of the IPv6
   header and the home address in the Home Address option of the IPv6
   Destination Options extension header.  Vice versa, all payload
   packets from the correspondent node have the care-of address in the
   Destination Address field of the IPv6 header and the home address in
   the IPv6 Routing extension header.


4.11.  Credit Aging

   A correspondent node ensures that all credit counters that it
   maintains gradually decrease over time.  Each credit counter is
   multiplied with a factor, CreditAgingFactor, of less than one in
   fixed time intervals of CreditAgingInterval length.  Such "credit
   aging" limits the total credit that a mobile node can earn, provided
   that the replenishing rate for the credit is constant or nearly
   constant.  It thereby enforces an upper bound on the rate at which
   the correspondent node can durably sent to the mobile node's care-of
   address while the care-of address is in UNVERIFIED state.  In the
   absence of credit aging, a malicious node with poor up-link capacity
   could adopt the role of a mobile node, build up credit at a very slow
   speed and over a long period, and spend this credit during a much
   shorter period on redirecting a burst of payload packets to the IP
   address of a victim.

   Choosing appropriate values for CreditAgingFactor and
   CreditAgingInterval is important to facilitate applications where the
   correspondent node sends at a higher rate than the mobile node.  If
   CreditAgingFactor or CreditAgingInterval are too small, the credit



Arkko, et al.             Expires June 15, 2007                [Page 33]


Internet-Draft         Enhanced Route Optimization         December 2006


   counter might persistently prevent the transmission of payload
   packets to a care-of address in UNVERIFIED state.  The values given
   in Section 7 are RECOMMENDED as they work well when the correspondent
   node transfers a file to the mobile node via a TCP connection and the
   end-to-end round-trip time does not exceed 500 milliseconds.


4.12.  Simultaneous Movements

   As specified in [1], Binding Update messages are sent to a mobile
   correspondent node's home address.  This makes it possible for two
   mobile nodes to continue communications even if both of them change
   IP connectivity at the same time.




5.  Option Formats and Status Codes

   Enhanced Route Optimization uses a set of new mobility options and
   status codes in addition to the mobility options and status codes
   defined in [1].  These are described below.


5.1.  CGA Parameters Option

   The CGA Parameters option is used in Binding Update and Binding
   Acknowledgment messages.  It contains part of the mobile or
   correspondent node's CGA parameters. [1] limits mobility header
   options to a maximum length of 255 bytes, excluding the Option Type
   and Option Length fields.  Since the CGA parameters are likely to
   exceed this limit, multiple CGA Parameters options may have to be
   concatenated to carry all CGA parameters.

   The format of the CGA Parameters option is as follows:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                     |  Option Type  | Option Length |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     :                                                               :
     :                          CGA Parameters                       :
     :                                                               :
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+




Arkko, et al.             Expires June 15, 2007                [Page 34]


Internet-Draft         Enhanced Route Optimization         December 2006


   Option Type

      8-bit identifier of the type of this mobility option.  Its value
      is <To Be Assigned By IANA>.

   Option Length

      8-bit unsigned integer representing the length of the CGA
      Parameters field in octets.

   CGA Parameters

      This field contains up to 255 bytes of the CGA Parameters data
      structure defined in [6].  The concatenation of all CGA Parameters
      options in the order they appear in the Binding Update message
      MUST result in the original CGA Parameters data structure.  All
      CGA Parameters options in the Binding Update message except the
      last one MUST contain exactly 255 bytes in the CGA Parameters
      field, and the Option Length field MUST be set to 255 accordingly.
      All CGA Parameters options MUST appear directly one after another,
      that is, a mobility option of a different type MUST NOT be placed
      in between two CGA Parameters options.


5.2.  Signature Option

   The Signature option is used in Binding and Binding Acknowledgment
   Update messages.  It contains a signature that the mobile or
   correspondent node generates with its private key over one or more
   preceding CGA Parameters options.

   The format of the Signature option is as follows:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                     |  Option Type  | Option Length |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     :                                                               :
     :                            Signature                          :
     :                                                               :
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+







Arkko, et al.             Expires June 15, 2007                [Page 35]


Internet-Draft         Enhanced Route Optimization         December 2006


   Option Type

      8-bit identifier of the type of this mobility option.  Its value
      is <To Be Assigned By IANA>.

   Option Length

      8-bit unsigned integer representing the length of the Signature
      field in octets.

   Signature

      This field contains the mobile or correspondent node's signature,
      generated with the mobile or correspondent node's private key as
      specified in Section 4.5.


5.3.  Permanent Home Keygen Token Option

   The Permanent Home Keygen Token option is used in Binding
   Acknowledgment messages.  It contains a permanent home keygen token,
   which the correspondent node sends to the mobile node after it has
   received a Binding Update message containing one or more CGA
   Parameters options directly followed by a Signature option from the
   mobile node.

   The format of the Permanent Home Keygen Token option is as follows:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                     |  Option Type  | Option Length |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     :                                                               :
     :                  Permanent Home Keygen Token                  :
     :                                                               :
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Option Type

      8-bit identifier of the type of this mobility option.  Its value
      is <To Be Assigned By IANA>.







Arkko, et al.             Expires June 15, 2007                [Page 36]


Internet-Draft         Enhanced Route Optimization         December 2006


   Option Length

      8-bit unsigned integer representing the length of the Permanent
      Home Keygen Token field in octets.

   Permanent Home Keygen Token

      This field contains the permanent home keygen token generated by
      the correspondent node.  The content of this field MUST be
      encrypted with the mobile node's public key as defined in
      Section 4.7.  The length of the permanent home keygen token is 8
      octets before encryption, though the ciphertext [3] and, hence,
      the Permanent Home Keygen Token field may be longer.


5.4.  Care-of Test Init Option

   The Care-of Test Init option is included in Binding Update messages.
   It requests a correspondent node to return a Care-of Test option with
   a fresh care-of keygen token in the Binding Acknowledgment message.

   The format of the Care-of Test Init option is as follows:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                     |  Option Type  | Option Length |
                                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Option Type

      8-bit identifier of the type of this mobility option.  Its value
      is <To Be Assigned By IANA>.

   Option Length

      This field MUST be set to zero.


5.5.  Care-of Test Option

   The Care-of Test option is used in Binding Acknowledgment messages.
   It contains a fresh care-of keygen token, which the correspondent
   node sends to the mobile node after it has received a Care-of Test
   Init option in a Binding Update message.

   The format of the Care-of Test option is as follows:




Arkko, et al.             Expires June 15, 2007                [Page 37]


Internet-Draft         Enhanced Route Optimization         December 2006


      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                     |  Option Type  | Option Length |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     +                     Care-of Keygen Token                      +
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Option Type

      8-bit identifier of the type of this mobility option.  Its value
      is <To Be Assigned By IANA>.

   Option Length

      This field MUST be set to 8.  It represents the length of the
      Care-of Keygen Token field in octets.

   Care-of Keygen Token

      This field contains the care-of keygen token generated by the
      correspondent node, as specified in Section 4.3.



5.6.  CGA Parameters Request Option

   The CGA Parameters Request option is included in Binding Update
   messages that are authenticated based on the CGA property of the
   mobile node's home address.  It requests a correspondent node to
   return its CGA parameters and signature in the Binding Acknowledgment
   message, enabling the mobile node to verify that the permanent home
   keygen token returned in the Binding Acknowledgment message was
   generated by the right correspondent node.

   The format of the CGA Parameters Request option is as follows:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                     |  Option Type  | Option Length |
                                     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+







Arkko, et al.             Expires June 15, 2007                [Page 38]


Internet-Draft         Enhanced Route Optimization         December 2006


   Option Type

      8-bit identifier of the type of this mobility option.  Its value
      is <To Be Assigned By IANA>.

   Option Length

      This field MUST be set to zero.


5.7.  Status Codes

   Enhanced Route Optimization uses the following three new status codes
   for Binding Acknowledgment messages in addition to the status codes
   defined in [1]:

   Permanent home keygen token unavailable (<To Be Allocated By IANA>)

      A correspondent node returns a Binding Acknowledgment message with
      status code TBD to a mobile node if it has received from the
      mobile node a Binding Update message that was authenticated
      through the CGA property of the mobile node's home address, but
      the correspondent node either does not have a Binding Cache entry
      for the mobile node, or the existing Binding Cache entry for the
      mobile node does not contain a permanent home keygen token.  A
      Binding Acknowledgment message with status code TBD indicates to
      the mobile node that it should request a new permanent home keygen
      token from the correspondent node by sending the correspondent
      node a Binding Update message including its CGA parameters and
      signature.  This in particular enables the mobile node to quickly
      recover from state loss at the correspondent node.

      [1] does not allow a correspondent node to send a Binding
      Acknowledgment message with a status code indicating failure when
      the authenticator of a received Binding Update message turns out
      to be incorrect.  This causes additional handoff latency with high
      probability because the mobile node can detect the problem only
      after the expiration of a retransmission timer.  The mobile node
      is furthermore likely to assume packet loss and resend the
      incorrectly authenticated Binding Update message additional times.
      A Binding Acknowledgment message with status code TBD helps the
      mobile node to identify the underlying problem more efficiently
      when the correspondent node could not verify the CGA property of
      the mobile node's home address.







Arkko, et al.             Expires June 15, 2007                [Page 39]


Internet-Draft         Enhanced Route Optimization         December 2006


   CGA and signature verification failed (<To Be Allocated By IANA>)

      A correspondent node returns a Binding Acknowledgment message with
      status code TBD to a mobile node if it has received from the
      mobile node a Binding Update message that includes one or more CGA
      Parameters options directly followed by a Signature option, but
      either the CGA property of the home address cannot be verified
      based on the contents of the CGA Parameters options, or the
      verification of the signature in the Signature option has failed.

   Permanent home keygen token exists (<To Be Allocated By IANA>)

      A correspondent node returns a Binding Acknowledgment message with
      status code TBD to a mobile node if it has received from the
      mobile node a Binding Update message that was authenticated
      through verification of the mobile node's reachability at the home
      address and does not include one or more CGA Parameters options
      directly followed by a Signature option, but the correspondent
      node has a permanent home keygen token in its Binding Cache entry
      for the mobile node.  The Binding Update message is processed
      further if it includes one or more CGA Parameters options directly
      followed by a Signature option.  This enables a mobile node to
      obtain a new permanent home keygen token from the correspondent
      node in case it has lost the existing one, for instance, due to a
      reboot.  Whether the correspondent node accepts the Binding Update
      message in this case depends on the verification of the CGA
      parameters and the signature provided in the Binding Update
      message.

   Non-null home nonce index expected (<To Be Allocated By IANA>)

      A correspondent node returns a Binding Acknowledgment message with
      status code TBD to a mobile node if it has received from the
      mobile node a Binding Update message that includes one or more CGA
      Parameters options directly followed by a Signature option, but
      the home nonce index specified in the Nonce Indices option is
      zero.  This behavior ensures that a Binding Update message that is
      authenticated based on the CGA property of the mobile node's home
      address must also provide a proof of the mobile node's
      reachability at the home address.




6.  Security Considerations

   Enhanced Route Optimization differs from base Mobile IPv6 in that it
   applies a set of optimizations for increased handoff performance,



Arkko, et al.             Expires June 15, 2007                [Page 40]


Internet-Draft         Enhanced Route Optimization         December 2006


   stronger security, and reduced signaling overhead.  These
   optimizations entail the following conceptual changes to the security
   model of base Mobile IPv6 [1]:

   o  Base Mobile IPv6 conducts periodic tests of a mobile node's
      reachability at the home address as a proof of home address
      ownership.  Enhanced Route Optimization applies an initial
      cryptographic home address ownership proof in combination with a
      verification of the mobile node's reachability at the home address
      in order to securely exchange a secret permanent home keygen
      token.  The permanent home keygen token is used for cryptographic
      authentication of the mobile node during subsequent correspondent
      registrations, so that these later correspondent registrations can
      be securely bound to the initial home address ownership proof.  No
      further, periodic reachability verification at the home address
      tests is performed.

   o  Base Mobile IPv6 requires a mobile node to prove its reachability
      at a new care-of address during a correspondent registration.
      This implies that the mobile node and the correspondent node must
      exchange Care-of Test Init and Care-of Test messages before the
      mobile node can initiate the binding update.  Enhanced Route
      Optimization allows the mobile node to initiate the binding update
      first and follow up with a proof of reachability at the care-of
      address.  Mobile and correspondent nodes can so resume
      communications early on after a handoff, while reachability
      verification proceeds concurrently.  The amount of data that the
      correspondent node is permitted to send to the care-of address
      until reachability verification completes is governed by Credit-
      Based Authorization.

   o  The maximum binding lifetime for correspondent registrations is 7
      minutes in base Mobile IPv6.  A mobile node must hence
      periodically refresh a correspondent registration in cases where
      it does not change IP connectivity for a while.  This protocol
      increases the maximum binding lifetime to 24 hours, reducing the
      need for periodic refreshes to a negligible degree.

   The ensuing discussion addresses the implications that these
   conceptual changes of the Mobile IPv6 security model have.  The
   discussion ought to be seen in context with the security
   considerations of [1], [6], and [4].


6.1.  Home Address Ownership

   Enhanced Route Optimization requires a mobile node to deliver a
   strong cryptographic proof [6] that it is the legitimate owner of the



Arkko, et al.             Expires June 15, 2007                [Page 41]


Internet-Draft         Enhanced Route Optimization         December 2006


   home address it wishes to use.  The proof is based on the true home
   address owner's knowledge of the private component in a public/
   private-key pair with the following two properties:

   o  As an input to an irreversible CGA generation function along with
      a set of auxiliary CGA parameters, the public key results in the
      mobile node's home address.

   o  Amongst the CGA parameters that are fed into the CGA generation
      function is a modifier which, as an input to an irreversable hash
      extension function along with the public key, results in a string
      with a certain minimum number of leading zeroes.  Three reserved
      bits in the home address encode this minimum number.

   The first property cryptographically binds the home address to the
   mobile node's public key and, by virtue of public-key cryptography,
   to the private key.  It allows the mobile node to claim ownership of
   the home address by proving its knowledge of the private key.  The
   second property increases the cost of searching in brute-force manner
   for a public/private-key pair which suffices the first property.
   This increases the security of a cryptographically generated home
   address despite its limitation to 59 bits with cryptographic
   significance.  Solely enforcing the first property would otherwise
   allow an attacker to find a suitable public/private-key pair in
   O(2^59) steps.  By addition of the second property, the complexity of
   a brute-force search can be increased to O(2^(59+N)) steps, where N
   is the minimum number of leading zeroes that the result of the hash
   extension function is required to have.

   In practice, for a legitimate mobile node to cryptographically
   generate a home address, the mobile node must first accomplish a
   brute-force search for a suitable modifier, and then use this
   modifier to execute the CGA generation function.  An attacker who is
   willing to spoof the mobile node's home address, so-called "IP
   address stealing" [4], then has two options: It could either generate
   its own public/private-key pair and perform a brute-force search for
   a modifier which, in combination with the generated public key,
   suffices the initially described two properties; or it could integer-
   factor the mobile node's public key, deduce the corresponding private
   key, and copy the mobile node's modifier without a brute-force
   search.  The cost of the attack can be determined by the mobile node
   in either case: Integer-factoring a public key becomes increasingly
   complex as the length of the public key grows, and the key length is
   at the discretion of the mobile node.  The cost of a brute-force
   search for a suitable modifier increases with the number of leading
   zeroes which the result of the hash extension function is required to
   have.  This number, too, is a parameter that the mobile node can
   choose.  Downgrading attacks, where the attacker reduces the cost of



Arkko, et al.             Expires June 15, 2007                [Page 42]


Internet-Draft         Enhanced Route Optimization         December 2006


   spoofing a cryptographically generated home address by choosing a set
   of CGA parameters that are less secure than the CGA parameters the
   mobile node has used to generate the home address, are hence
   impossible.

   The CGA specification [6] requires the use of RSA public and private
   keys, and it stipulates a minimum key length of 384 bit.  This
   requirement that was tailored to Secure Neighbor Discovery for IPv6
   [13], the original CGA application.  Enhanced Route Optimization does
   not increase the minimum key length because, in the absence of
   downgrading attacks as explained before, the ability to use short
   keys does not compromise the security of home addresses that were
   cryptographically generated using longer keys.  Moreover, extensions
   to [6] may eventually permit the use of public/private key classes
   other than RSA.  Such extensions are compatible with the CGA
   application of Enhanced Route Optimization.  Care must be taken in
   selecting an appropriate key class and length, however.  Home
   addresses are typically rather stable in nature, so the chosen
   parameters must be secure for a potentially long home address
   lifetime.  Where RSA keys are used, a minimum key length of 1024 bit
   is therefore RECOMMENDED.

   While the CGA generation function cryptographically ties the
   interface identifier of a home address to the subnet prefix of the
   home address, the function accepts any subnet prefix and hence does
   not prevent a node from cryptographically generating a home address
   with a spoofed subnet prefix.  As a consequence, the CGA property of
   a home address does not guarantee the owner's reachability at the
   home address.  This could be misused for a "return-to-home flooding
   attack" [4], where the attacker uses its own public key to
   cryptographically generate a home address with a subnet prefix from a
   victim network, requests a correspondent node to bind this to the
   attacker's current care-of address, initiates the download of a large
   file via the care-of address, and finally deregisters the binding or
   lets it expire. the correspondent node would then redirect the
   packets being downloaded to the victim network identified by the
   subnet prefix of the attacker's spoofed home address.  The protocol
   defined in this document performs a reachability test for the home
   address at the time the home address is first registered with the
   correspondent node.  This precludes return-to-home flooding.

   The verification of the CGA property of a mobile node's home address
   involves asymmetric public-key cryptography, which is relatively
   complex compared to symmetric cryptography.  Enhanced Route
   Optimization mitigates this disadvantage through the use of symmetric
   cryptography after an initial public-key-based verification of the
   mobile node's home address has been performed.  Specifically, the
   correspondent node assigns the mobile node a permanent home keygen



Arkko, et al.             Expires June 15, 2007                [Page 43]


Internet-Draft         Enhanced Route Optimization         December 2006


   token during the initial correspondent registration based on which
   the mobile node can authenticate to the correspondent node during
   subsequent correspondent registrations.  Such authentication enables
   the correspondent node to bind a subsequent correspondent
   registration back to the initial public-key-based verification of the
   mobile node's home address.  The permanent home keygen token is never
   sent in plain text; it is encrypted with the mobile node's public key
   when initially assigned, and irreversibly hashed during subsequent
   correspondent registrations.


6.2.  Care-of Address Ownership

   A secure proof of home address ownership can mitigate the threat of
   IP address stealing, but an attacker may still bind a correct home
   address to a false care-of address and thereby trick a correspondent
   node into redirecting packets, which would otherwise be delivered to
   the attacker itself, to a third party.  Neglection to verify a mobile
   node's reachability at its claimed care-of address could therefore
   cause one or multiple correspondent nodes to unknowingly contribute
   to a redirection-based flooding attack against a victim chosen by the
   attacker.

   Redirection-based flooding attacks may target a single node, a link,
   or a router or other critical network device upstream an entire
   network.  Accordingly, the attacker's spoofed care-of address may be
   the IP address of a node, a random IP address from a subnet prefix of
   a particular link, or the IP address of a router or other network
   device.  An attack against a network potentially impacts a larger
   number of nodes than an attack against a specific node, although
   neighbors of a victim node on a broadcast link typically suffer the
   same damage as the victim itself.

   Requiring mobile nodes to cryptographically generate care-of
   addresses in the same way as they generate home addresses would
   mitigate the threat of redirection-based flooding only marginally.
   While it would prevent an attacker from registering as its care-of
   address the IP address of a specific victim node, the attacker could
   still generate a different CGA-based care-of address with the same
   subnet prefix as that of the victim's IP address.  Flooding packets
   redirected towards this care-of address would then not have to be
   received and processed by any specific node, but they would impact an
   entire link or network and thus cause comparable damage.  CGA-based
   care-of addresses are therefore little effective with respect to
   flooding protection.  On the other hand, they would require a
   computationally expensive, public-key-based ownership proof whenever
   the care-of address changes.  Enhanced Route Optimization uses
   regular IPv6 care-of addresses for these reasons.



Arkko, et al.             Expires June 15, 2007                [Page 44]


Internet-Draft         Enhanced Route Optimization         December 2006


   A common misconception is that a strong proof of home address
   ownership would mitigate the threat of redirection-based flooding and
   consequently eliminate the need to verify a mobile node's
   reachability at a new care-of address.  This notion may originate
   from the specification of a base Mobile IPv6 home registration in
   [1], which calls for the authentication of a mobile node based on an
   IPsec security association, but does not require this to be
   supplemented by a verification of the mobile nodes reachability at
   the care-of address.  However, the reason not to mandate reachability
   verification for a home registration is in this case the existence of
   an administrative relationship between the home agent and the mobile
   node, rather than the fact that the home agent can securely verify
   the mobile node's home address ownership, or that the home
   registration is IPsec-protected.  The administrative relationship
   with the mobile node allows the home agent, first, to trust in the
   correctness of a mobile node's care-of address and, second, to
   quickly identify the mobile node should it still start behaving
   maliciously, for example, due to infection by malware.  Section 15.3
   in [1] and Section 1.3.2 in [4] explain these prerequisites.

   Assuming trust and an administrative relationship between the mobile
   node and its home agent is viable given that the home agent is an
   integral part of the mobility services which a mobile user typically
   subscribes to, sets up her- or himself, or receives based on a
   business relationship.  A Mobile IPv6 extension [14] that leverages a
   shared authentication key, pre-configured on the mobile node and the
   correspondent node, preassumes the same relationship between the
   mobile node and a correspondent node.  While this assumption limits
   the applicability of the protocol (Section 2 of [14] acknowledges
   this), it permits omission of care-of address reachability
   verification as in the case of the home registration.  Enhanced
   Router Optimization does not make assumptions on the relationship
   between mobile and correspondent nodes.  This renders the protocol
   applicable to arbitrary scenarios, but necessitates that
   correspondent nodes must verify a mobile node's reachability at every
   new care-of address.


6.3.  Credit-Based Authorization

   Enhanced Route Optimization enables mobile and correspondent nodes to
   resume bidirectional communications after a handoff on the mobile-
   node side already before the mobile node's reachability at the new
   care-of address has been verified by the correspondent node.  Such
   concurrency would in the absence of appropriate protection
   reintroduce the threat of redirection-based flooding, which
   reachability verification was originally designed to eliminate: Given
   that the correspondent node is in general unaware of the round-trip



Arkko, et al.             Expires June 15, 2007                [Page 45]


Internet-Draft         Enhanced Route Optimization         December 2006


   time to the mobile node, and since reachability verification may fail
   due to packet loss, the correspondent node must accept a sufficiently
   long concurrency period for reachability verification to complete.
   An attacker could misuse this to temporarily trick the correspondent
   node into redirecting packets to the IP address of a victim.  The
   attacker may also successively postpone reachability verification in
   that it registers with the correspondent node anew, possibly with a
   different spoofed care-of address, shortly before the correspondent
   node's maximum permitted concurrency period elapses and the
   correspondent node switches to waiting for the completion of
   reachability verification without sending further packets.  This
   behavior cannot necessarily be considered malicious on the
   correspondent node side since even a legitimate mobile node's
   reachability may fail to become verified before the mobile node's
   care-of address changes again.  This may be due to high mobility on
   the mobile node side, or to persistent packet loss on the path
   between the mobile node and the correspondent node.  It is generally
   non-trivial to decide on the correspondent node side whether the
   party at the other end behaves legitimately under adverse conditions
   or maliciously.

   Enhanced Route Optimization eliminates the threat of redirection-
   based flooding despite concurrent reachability verification through
   the use of Credit-Based Authorization.  Credit-Based Authorization
   manages the effort that a correspondent node expends in sending
   payload packets to a care-of address in UNVERIFIED state.  This is
   accomplished based on the following three hypotheses:

   1.  A flooding attacker typically seeks to shift the burden of
       assembling and sending flooding packets to a third party.
       Bandwidth is an ample resource for many attractive victims, so
       the effort for sending the high rate of flooding packets required
       to impair the victim's ability to communicate may exceed the
       attacker's own capacities.

   2.  The attacker can always flood a victim directly by generating
       bogus packets itself and sending those to the victim.  Such an
       attack is not amplified, so the attacker must be provisioned
       enough to generate a packet flood sufficient to bring the victim
       down.

   3.  Consequently, the additional effort required to set up and
       coordinate a redirection-based flooding attack pays off for the
       attacker only if the correspondent node can be tricked into
       contributing to and amplifying the attack.

   Non-amplified redirection-based flooding is hence, from an attacker's
   perspective, no more attractive than pure direct flooding, where the



Arkko, et al.             Expires June 15, 2007                [Page 46]


Internet-Draft         Enhanced Route Optimization         December 2006


   attacker itself sends bogus packets to the victim.  It is actually
   less attractive given that the attacker needs to maintain a context
   for mobility management in order to coordinate the redirection.  On
   this basis, Credit-Based Authorization extinguishes the motivation
   for redirection-based flooding by preventing the amplification that
   could be reached through it, rather than eliminating malicious packet
   redirection in the first place.  The ability to send unrequested
   packets is an inherent property of packet-oriented networks, and
   direct flooding is a threat that results from this.  Since direct
   flooding exists with and without mobility support, it constitutes a
   reasonable measure in comparing the security provided by Enhanced
   Route Optimization to the security of the non-mobile Internet.
   Through the use of Credit-Based Authorization, Enhanced Route
   Optimization satisfies the objective to provide a security level
   comparable to that of the non-mobile Internet.

   Since the perpetrator of a redirection-based flooding attack would
   take on the role of a mobile node, Credit-Based Authorization must be
   enforced on the correspondent node side.  The correspondent node
   continuously monitors the effort that the mobile node spends in
   communicating with the correspondent node.  The mobile node's effort
   is then taken as a limit on the effort that the correspondent node
   may spend in sending payload packets when the mobile node's care-of
   address is in UNVERIFIED state.  The permission for the correspondent
   node to send a limited amount of payload packets to a care-of address
   in UNVERIFIED state enables immediate resumption of bidirectional
   communications once the mobile node has registered a new IP address
   with the correspondent node after a handoff.

   If what appears to be a mobile node is in fact an attacker who tricks
   the correspondent node into redirecting payload packets to the IP
   address of a victim, Credit-Based Authorization ensures that the
   stream of flooding packets ceases before the effort that the
   correspondent node spends on generating the stream exceeds the effort
   that the attacker has recently spent itself.  The flooding attack is
   therefore at most as effective as a direct flooding attack, and
   consequently fails to produce any amplification.

   Another property of Credit-Based Authorization is that it does not
   assign a mobile node credit while its care-of addresses is in
   UNVERIFIED state.  This deserves justification since it would
   technically be feasibly to assign credit independent of the state of
   the mobile node's care-of address.  However, the assignment of credit
   for packets received from a care-of address in UNVERIFIED state would
   introduce a vulnerability to sustained reflection attacks.
   Specifically, an attacker could cause a correspondent node to
   redirect packets for the attacker to the IP address of a victim, and
   sustain the packet flow towards the victim in that it continuously



Arkko, et al.             Expires June 15, 2007                [Page 47]


Internet-Draft         Enhanced Route Optimization         December 2006


   replenishes its credit by sending packets to the correspondent node.
   Although such a redirection-based reflection attack would fail to
   produce any amplification, it may still be appealing to an attacker
   who wishes to pursue an initial transport protocol handshake with the
   correspondent node---which typically requires the attacker to receive
   some unguessable data---, and redirect the download to the victim's
   IP address afterwards.  Credit-Based Authorization ensures that the
   attacker in this case cannot acquire additional credit once the
   download has been redirected, and thereby forces the attack to end
   quickly.


6.4.  Time Shifting Attacks

   Base Mobile IPv6 limits the lifetime of a correspondent registration
   to 7 minutes and so arranges that a mobile node's reachability at its
   home and care-of addresses is reverified periodically.  This ensures
   that the return routability procedure's vulnerability to
   eavesdropping cannot be exploited by an attacker that is only
   temporarily on the path between the correspondent node and the
   spoofed home or care-of address.  Such "time shifting attacks" [4]
   could otherwise be misused for off-path IP address stealing, return-
   to-home flooding, or flooding against care-of addresses.

   Enhanced Route Optimization neither repeats the initial home address
   test nor any care-of address test in order to decrease handoff delays
   and signaling overhead.  This does not limit the protocol's
   robustness to IP address stealing attacks because the required CGA-
   based ownership proof for home addresses already eliminates such
   attacks.  Reachability verification does not add further protection
   in this regard.  On the other hand, the restriction to an initial
   reachability verification facilitates time-shifted, off-path flooding
   attacks---either against home addresses with incorrect prefixes, or
   against spoofed care-of addresses---, if the perpetrator can
   interpose in the exchange before it moves to a different location.

   The design choice against repeated home and care-of address tests was
   made based on the observation that time shifting attacks are already
   an existing threat in the non-mobile Internet of today.
   Specifically, an attacker can temporarily move onto the path between
   a victim and a correspondent node, request a stream of packets from
   the correspondent node on behalf of the victim, and then move to a
   different location.  Most transport protocols do not verify an
   initiator's reachability at the claimed IP address after an initial
   verification during connection establishment.  It enables an attacker
   to participate only in connection establishment and then move to an
   off-path position, from where it can spoof acknowledgments to feign
   continued presence at the victim's IP address.  The threat of time



Arkko, et al.             Expires June 15, 2007                [Page 48]


Internet-Draft         Enhanced Route Optimization         December 2006


   shifting hence already applies to the non-mobile Internet.

   It should still be acknowledged that the time at which Enhanced Route
   Optimization verifies a mobile node's reachability at a home or
   care-of address may well antecede the establishment of any transport
   layer connection.  This gives an attacker more time to move away from
   the path between the correspondent node and the victim and so makes a
   time shifting attack more practicable.  If the lack of periodic
   reachability verification is considered too risky, a correspondent
   node may enforce reruns of home or care-of address tests by limiting
   the registration lifetime, or by sending Binding Refresh Request
   messages to a mobile node.


6.5.  Replay Attacks

   The protocol specified in this document relies on 16-bit base Mobile
   IPv6 sequence numbers and periodic rekeying to avoid replay attacks.
   Rekeying allows mobile and correspondent nodes to reuse sequence
   numbers without exposing themselves to replay attacks.  It must be
   pursued at least once every 24 hours due to the maximum permitted
   binding lifetime for correspondent registrations.  Mobile and
   correspondent nodes also rekey whenever a rollover in sequence number
   space becomes imminent.  This is unlikely to happen frequently,
   however, given that available sequence numbers are sufficient for up
   to 32768 correspondent registrations, each consisting of an early and
   a complete Binding Update message.  The sequence number space thus
   permits an average rate of 22 correspondent registrations per minute
   without exposing a need to rekey throughout the 24-hour binding
   lifetime.


6.6.  Resource Exhaustion

   While a CGA-based home address ownership proof provides protection
   against unauthenticated Binding Update messages, it can expose a
   correspondent node to denial-of-service attacks since it requires
   computationally expensive public-key cryptography.  Enhanced Route
   Optimization limits the use of public-key cryptography to only the
   first correspondent registration and if/when rekeying is needed.  It
   is RECOMMENDED that correspondent nodes in addition track the amount
   of processing resources they spend on CGA-based home address
   ownership verification, and that they reject new correspondent
   registrations that involve public-key cryptography when these
   resources exceed a predefined limit. [6] discusses the feasibility of
   CGA-based resource exhaustion attacks in depth.





Arkko, et al.             Expires June 15, 2007                [Page 49]


Internet-Draft         Enhanced Route Optimization         December 2006


6.7.  IP Address Ownership of Correspondent Node

   Enhanced Route Optimization enables mobile nodes to authenticate a
   received Binding Acknowledgment message based on a CGA property of
   the correspondent node's IP address, provided that the correspondent
   node has a CGA.  The mobile node requests this authentication by
   including a CGA Parameters Request option in the Binding Update
   message that it sends to the correspondent node, and the
   correspondent node responds by adding its CGA parameters and
   signature to the Binding Acknowledgment message within CGA Parameters
   and Signature options.  Proving ownership of the correspondent node's
   IP address protects the mobile node from accepting a spoofed Binding
   Acknowledgment message and from storing the included permanent home
   keygen token for use during future correspondent registrations.  Such
   an attack would result in denial of service against the mobile node
   because it would prevent the mobile node to transact any binding
   updates with the obtained permanent home keygen token.  Enhanced
   Route Optimization recommends renewal of a permanent home keygen
   token in case of persistent correspondent registration failures,
   allowing mobile nodes to recover from denial-of-service attacks that
   involve spoofed permanent home keygen tokens.

   The threat of the described denial-of-service attack is to some
   extent mitigated by requirements on the attacker's location: A
   Binding Update message that requests a correspondent node to provide
   a permanent home keygen token is authenticated based on the CGA
   property of the mobile node's home address.  This authentication
   method involves a home address test, providing the mobile node with a
   home keygen token based on which it can calculate the authenticator
   of the Binding Update message.  Since the mobile node expects the
   authenticator of the returning Binding Acknowledgment message to be
   calculated with the same home keygen token, an attacker that is
   willing to spoof a Binding Acknowledgment message that includes a
   permanent home keygen token must eavesdrop on the home address test.
   The attacker must hence be present on the path from the correspondent
   node to the mobile node's home agent while the home address test
   proceeds.  Moreover, if the Binding Update message requesting the
   permanent home keygen token is complete, its authenticator is further
   calculated based on a care-of keygen token.  The attacker must then
   also know this care-of keygen token to generate the authenticator of
   the Binding Acknowledgment message.  This requires the attacker to be
   on the path from the correspondent node to the mobile node's current
   IP attachment at the time the correspondent node sends the care-of
   keygen token to the mobile node within a Care-of Test message or the
   Care-of Test option of a Binding Acknowledgment message.

   Since a mobile node in general does not know whether a particular
   correspondent node's IP address is a CGA, the mobile node must be



Arkko, et al.             Expires June 15, 2007                [Page 50]


Internet-Draft         Enhanced Route Optimization         December 2006


   prepared to receive a Binding Acknowledgment message without CGA
   Parameters and Signature options in response to sending a Binding
   Update message with an included CGA Parameters Request option.  Per
   se, this mandatory behavior may enable downgrading attacks where the
   attacker would send, on the correspondent node's behalf, a Binding
   Acknowledgment message without CGA Parameters and Signature options,
   claiming that the correspondent node's IP address is not a CGA.
   Enhanced Route Optimization mitigates this threat in that it calls
   for mobile nodes to prioritize Binding Acknowledgment messages with
   valid CGA Parameters and Signature options over Binding
   Acknowledgment messages without such options.  This protects against
   downgrading attacks unless the attacker can intercept Binding
   Acknowledgment messages from the correspondent node.  Given that the
   attacker must be on the path from the correspondent node to the
   mobile node's home agent at roughly the same time as explained above,
   the attacker may not be able to intercept the correspondent node's
   Binding Acknowledgment messages.  On the other hand, an attacker that
   can intercept Binding Acknowledgment messages from the correspondent
   node is anyway in a position where it can pursue denial of service
   against the mobile node and the correspondent node.  This is a threat
   that already exists in the non-mobile Internet, and it is not
   specific to Enhanced Route Optimization.

   External mechanisms may enable the mobile node to obtain certainty
   about whether a particular correspondent node's IP address is a CGA.
   The mobile node may then insist on an IP address ownership proof from
   the correspondent node, in which case it would discard any received
   Binding Acknowledgment messages that do not contain valid CGA
   Parameters and Signature options.  One conceivable means for mobile
   nodes to distinguish between standard IPv6 addresses and CGAs might
   be an extension to the Domain Name System.




7.  Protocol Constants and Configuration Variables

   [6] defines a CGA Message Type name space from which CGA applications
   draw CGA Message Type tags to be used in signature calculations.
   Enhanced Route Optimization uses the following constant, randomly
   generated CGA Message Type tag:

      0x5F27 0586 8D6C 4C56 A246 9EBB 9B2A 2E13

   [1] bounds the lifetime for bindings that were established with
   correspondent nodes by way of the return routability procedure to
   MAX_RR_BINDING_LIFETIME.  Enhanced Route Optimization adopts this
   limit for bindings that are authenticated through a proof of the



Arkko, et al.             Expires June 15, 2007                [Page 51]


Internet-Draft         Enhanced Route Optimization         December 2006


   mobile node's reachability at the home address.  However, the binding
   lifetime is limited to the more generous constant value of
   MAX_CGA_BINDING_LIFETIME when the binding is authenticated through
   the CGA property of the mobile node's home address:

      MAX_CGA_BINDING_LIFETIME   86400 seconds

   Credit aging incorporates two configuration variables to gradually
   decrease a mobile node's credit counter over time.  It is RECOMMENDED
   that a correspondent node uses the following values:

      CreditAgingFactor          7/8
      CreditAgingInterval        5 seconds




8.  IANA Considerations

   This document defines a set of new mobility options, which must be
   assigned type values within the mobility option numbering space of
   [1].

   This document allocates four new status codes---"Permanent home
   keygen token unavailable", "CGA and signature verification failed",
   "Permanent home keygen token exists", and "Non-null home nonce index
   expected"---for Binding Acknowledgment messages.  The values to be
   assigned for these status codes must all be greater than or equal to
   128, indicating that the respective Binding Update message was
   rejected by the receiving correspondent node.

   This document also defines a new 128-bit value under the CGA Message
   Type name space [6].




9.  Acknowledgment

   The authors would like to thank Tuomas Aura, Gabriel Montenegro,
   Pekka Nikander, Mike Roe, Greg O'Shea, Vesa Torvinen (in alphabetical
   order) for interesting discussions around cryptographically generated
   addresses.

   The authors would also like to thank Marcelo Bagnulo, Roland Bless,
   Zhen Cao, Samita Chakrabarti, Greg Daley, Mark Doll, Lakshminath
   Dondeti, Francis Dupont, Manhee Jo, James Kempf, Suresh Krishnan,
   Tobias Kuefner, Lila Madour, Vidya Narayanan, and Mohan Parthasarathy



Arkko, et al.             Expires June 15, 2007                [Page 52]


Internet-Draft         Enhanced Route Optimization         December 2006


   for their reviews of and comments on this document and the
   predecessors of this document.

   Finally, the authors would also like to emphasize that [15] pioneered
   the use of cryptographically generated addresses in the context of
   Mobile IPv6 route optimization, and that this document consists
   largely of material from [16], [17], and [18] and the contributions
   of their authors.











































Arkko, et al.             Expires June 15, 2007                [Page 53]


Internet-Draft         Enhanced Route Optimization         December 2006


10.  References

10.1.  Normative References

   [1]   Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in
         IPv6", IETF Request for Comments 3775, June 2004.

   [2]   Bradner, S., "Key Words for Use in RFCs to Indicate Requirement
         Levels", IETF Request for Comments 2119, Best Current Practice
         14, March 1997.

   [3]   Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards
         (PKCS) #1: RSA Cryptography Specifications Version 2.1",
         IETF Request for Comments 3447, February 2003.

10.2.  Informative References

   [4]   Nikander, P., Arkko, J., Aura, T., Montenegro, G., and E.
         Nordmark, "Mobile IP Version 6 Route Optimization Security
         Design Background", IETF Request for Comments 4225,
         December 2005.

   [5]   Vogt, C. and J. Arkko, "Taxonomy and Analysis of Enhancements
         to Mobile IPv6 Route Optimization", IETF Internet Draft
         draft-irtf-mobopts-ro-enhancements-08.txt (work in progress),
         May 2006.

   [6]   Aura, T., "Cryptographically Generated Addresses (CGA)",
         IETF Request for Comments 3972, March 2005.

   [7]   Vogt, C. and M. Doll, "Efficient End-to-End Mobility Support in
         IPv6", Proceedings of the IEEE Wireless Communications and
         Networking Conference, IEEE, April 2006.

   [8]   Mirkovic, J. and P. Reiher, "A Taxonomy of DDoS Attack and DDoS
         Defense Mechanisms", ACM SIGCOMM Computer Communication Review,
         Vol. 34, No. 2, ACM Press, April 2004.

   [9]   Arkko, J. and C. Vogt, "Credit-Based Authorization for Binding
         Lifetime Extension", IETF Internet Draft
         draft-arkko-mipv6-binding-lifetime-extension-00.txt (work in
         progress), May 2004.

   [10]  O'Shea, G. and M. Roe, "Child-Proof Authentication for MIPv6
         (CAM)", ACM SIGCOMM Computer Communication Review, ACM Press,
         Vol. 31, No. 2, April 2001.

   [11]  Nikander, P., "Denial-of-Service, Address Ownership, and Early



Arkko, et al.             Expires June 15, 2007                [Page 54]


Internet-Draft         Enhanced Route Optimization         December 2006


         Authentication in the IPv6 World", Revised papers from the
         International Workshop on Security Protocols, Springer-Verlag,
         April 2002.

   [12]  Bagnulo, M. and J. Arkko, "Support for Multiple Hash Algorithms
         in Cryptographically Generated  Addresses (CGAs)",
         IETF Internet Draft draft-bagnulo-multiple-hash-cga-01.txt
         (work in progress), October 2006.

   [13]  Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
         Neighbor Discovery (SEND)", IETF Request for Comments 3971,
         March 2005.

   [14]  Perkins, C., "Securing Mobile IPv6 Route Optimization Using a
         Static Shared Key", IETF Request for Comments 4449, June 2006.

   [15]  Roe, M., Aura, T., O'Shea, G., and J. Arkko, "Authentication of
         Mobile IPv6 Binding Updates and Acknowledgments", IETF Internet
         Draft draft-roe-mobileip-updateauth-02.txt (work in progress),
         March 2002.

   [16]  Haddad, W., Madour, L., Arkko, J., and F. Dupont, "Applying
         Cryptographically Generated Addresses to Optimize MIPv6  (CGA-
         OMIPv6)", IETF Internet Draft
         draft-haddad-mip6-cga-omipv6-04.txt (work in progress),
         May 2005.

   [17]  Vogt, C., Bless, R., Doll, M., and T. Kuefner, "Early Binding
         Updates for Mobile IPv6", IETF Internet Draft
         draft-vogt-mip6-early-binding-updates-00.txt (work in
         progress), February 2004.

   [18]  Vogt, C., Arkko, J., Bless, R., Doll, M., and T. Kuefner,
         "Credit-Based Authorization for Mobile IPv6 Early Binding
         Updates", IETF Internet Draft
         draft-vogt-mipv6-credit-based-authorization-00.txt (work in
         progress), May 2004.




Appendix A.  Change Log

   The following is a list of technical changes that were made from
   version 01 to version 02 of this document.  Editorial revisions are
   not explicitly mentioned.





Arkko, et al.             Expires June 15, 2007                [Page 55]


Internet-Draft         Enhanced Route Optimization         December 2006


   o  Section 4.1: Included directions for the mobile node to choose the
      binding lifetime to be requested in a Binding Update message.

   o  Clarified ordering of Mobility Header message options in
      Section 4.1.

   o  Section 4.1 now explicitly permits parallel home and correspondent
      registrations (RFC 3775 recommends that they be sequential) and
      also recommends a proactive home address test.

   o  Added figures (and an associated explanation of the figures) to
      Section 4.1 to illustrate the correspondent registration process.
      This was suggested by James Kempf.

   o  Section 4.2: Specified error handling when a received Binding
      Update message includes the mobile node's CGA parameters and
      signature, but the message is authenticated by a permanent home
      keygen token and hence does not provide a proof of the mobile
      node's reachability at the home address.

   o  Section 4.2: Included directions for the correspondent node to
      decide which lifetime to grant in the event of a received Binding
      Update message.

   o  Section 4.3 and Section 4.4: A correspondent node MUST include a
      Permanent Home Keygen Token option in a Binding Acknowledgment
      message before a Care-of Test option, and the options MUST also be
      processed by the mobile node in this order.  This enables the
      mobile node to already use the permanent home keygen token when a
      complete Binding Update message is sent as part of processing the
      subsequent Care-of Test option.

   o  Section 4.3: Correspondent nodes now send their CGA parameters and
      signature within a Binding Acknowledgment message if they receive
      a Binding Update message including a CGA Parameters Request
      option.  This allows mobile nodes to verify that a received
      permanent home keygen token originates with the right
      correspondent node.  Without such a CN-side IP address ownership
      proof, the MN may be tricked into accepting an attacker's
      permanent home keygen token.  This was discussed before; it was
      also brought up on the mailing list by Manhee Jo.

   o  Added requirement in Section 4.4 for mobile nodes to ensure the
      existence of a home registration for a particular home address
      while there is at least one correspondent registration for the
      same home address.





Arkko, et al.             Expires June 15, 2007                [Page 56]


Internet-Draft         Enhanced Route Optimization         December 2006


   o  Revised Section 4.10 and Section 4.11 to clarify the operation of
      Credit-Based Authorization.

   o  Added discussion about public/private key class and length to
      Section 6.1.  This was suggested by Zhen Cao.

   o  Added explanation of Credit-Based Authorization in Section 6.3.

   o  Rewrote discussion on IP Address ownership of correspondent nodes
      in Section 6.7.

   o  The performance benefits of Enhanced Route Optimization are
      already described in Section 2 and Section 3.  Section
      "Performance Considerations" (formerly Section 7) was therefore
      removed.

   o  Moved protocol configuration variables to Section 7.

   o  Added new CGA Parameters Request option to Section 5.

   o  Added new status codes "CGA and signature verification failed" and
      "Non-null home nonce index expected" to Section 5 and Section 8.

   o  Removed CGA and CBA overview appendices.  CBA is now described in
      Section 3.6.  An overview of CGAs is not necessary given that this
      document already refers to the CGA specification.  Some details of
      CGAs are likely to change in the near future anyway [12], so it
      may be better to refer to external documents rather than including
      a separate description in this document.

   o  Updated references.

   The following is a list of technical changes that were made from
   version 00 to version 01 of this document.  Editorial revisions are
   not explicitly mentioned.

   o  Revised Section 1 to reflect the comments from Vidya and
      Lakshminath.  The text now makes it much clearer that there are
      two individual optimizations for home and care-of address
      verification.

   o  Added Section 4.5 describing when the mobile node sends CGA
      parameters to the correspondent node and how the CGA Parameters
      and Signature options are used to accomplish this.

   o  Added Section 4.6 describing the correspondent node's operation
      upon receiving a Binding Update message with included CGA
      Parameters and Signature options.



Arkko, et al.             Expires June 15, 2007                [Page 57]


Internet-Draft         Enhanced Route Optimization         December 2006


   o  Added Section 4.7 describing how a correspondent node generates
      and encrypts a permanent home keygen token and sends the token in
      a Permanent Home Keygen Token option within a Binding
      Acknowledgment message to the mobile node.

   o  Added Section 4.8 describing how a mobile node decrypts a
      permanent home keygen token received in a Binding Acknowledgment
      message with a Permanent Home Keygen Token option.

   o  Removed Section "Renewing a Permanent Home Keygen Token" (formerly
      Section 4.7).  The section described when the mobile node should
      renew an existing permanent home keygen token.  This is now
      explained in Section 4.5.

   o  Section 4.10 now also describes when mobile and correspondent
      nodes resume route-optimized payload transmission after handoff on
      the mobile node side.

   o  Removed Section "Cryptographic Calculations" (formerly Section
      4.10).  The section described how the signature in a Signature
      option and the contents of the former SKey option are calculated.
      The signature calculation is now described in Section 4.5.  The
      SKey option was replaced by the Permanent Home Keygen Token
      option, and the contents of this are now described in Section 4.7.

   o  Cleaned up section Section 5.

   o  Replaced status code "Lost Kbmperm State" in Section 5.7 with a
      new status code, "Permanent Home Keygen Token Unavailable".  Added
      a second status code "Permanent home keygen token exists".
      Section 4 ("Protocol Operation") and Section 8 ("IANA
      Considerations") were modified accordingly.

   o  Revised Section 6 so that it now addresses the comments made by
      Vidya and Lakshminath.  In particular, the text now explains why a
      care-of address test is required in spite of the more secure, CGA-
      based home address verification.  The section also starts with an
      overview of the conceptual changes that the proposed protocol
      applies to RFC 3775.

   o  Added Section 7 defining the CGA Message Type tag to be allocated
      for this protocol.









Arkko, et al.             Expires June 15, 2007                [Page 58]


Internet-Draft         Enhanced Route Optimization         December 2006


Authors' Addresses

   Jari Arkko
   Ericsson Research NomadicLab
   FI-02420 Jorvas
   Finland

   Email: jari.arkko@ericsson.com


   Christian Vogt
   Institute of Telematics
   Universitaet Karlsruhe (TH)
   P.O. Box 6980
   76128 Karlsruhe
   Germany

   Email: chvogt@tm.uka.de


   Wassim Haddad
   Ericsson Research
   8400, Decarie Blvd
   Town of Mount Royal
   Quebec H4P 2N2, Canada

   Email: wassim.haddad@ericsson.com
























Arkko, et al.             Expires June 15, 2007                [Page 59]


Internet-Draft         Enhanced Route Optimization         December 2006


Full Copyright Statement

   Copyright (C) The IETF Trust (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).





Arkko, et al.             Expires June 15, 2007                [Page 60]