IETF Mobile IP Working Group                                  D. Johnson
Internet-Draft                                           Rice University
Expires: August 27, 2003                                      C. Perkins
                                                   Nokia Research Center
                                                                J. Arkko
                                                                Ericsson
                                                       February 26, 2003


                        Mobility Support in IPv6
                    draft-ietf-mobileip-ipv6-21.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://
   www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 27, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document specifies the operation of the IPv6 Internet with
   mobile computers.  Each mobile node is always identified by its home
   address, regardless of its current point of attachment to the
   Internet.  While situated away from its home, a mobile node is also
   associated with a care-of address, which provides information about
   the mobile node's current location.  IPv6 packets addressed to a
   mobile node's home address are transparently routed to its care-of
   address.  The protocol enables IPv6 nodes to cache the binding of a



Johnson, Perkins, Arkko      Expires August 27, 2003            [Page 1]


Internet-Draft          Mobility Support in IPv6           February 2003


   mobile node's home address with its care-of address, and to then send
   any packets destined for the mobile node directly to it at this
   care-of address.  To support this operation, Mobile IPv6 defines a
   new IPv6 protocol and a new destination option.  All IPv6 nodes,
   whether mobile or stationary can communicate with mobile nodes.

Table of Contents

   1.     Introduction . . . . . . . . . . . . . . . . . . . . . . .   6
   2.     Comparison with Mobile IP for IPv4 . . . . . . . . . . . .   8
   3.     Terminology  . . . . . . . . . . . . . . . . . . . . . . .   9
          3.1    General Terms  . . . . . . . . . . . . . . . . . . .  9
          3.2    Mobile IPv6 Terms  . . . . . . . . . . . . . . . . . 11
   4.     Overview of Mobile IPv6  . . . . . . . . . . . . . . . . .  15
          4.1    Basic Operation  . . . . . . . . . . . . . . . . . . 15
          4.2    New IPv6 Protocol  . . . . . . . . . . . . . . . . . 17
          4.3    New IPv6 Destination Option  . . . . . . . . . . . . 18
          4.4    New IPv6 ICMP Messages . . . . . . . . . . . . . . . 18
          4.5    Conceptual Data Structure Terminology  . . . . . . . 18
          4.6    Site-Local Addressability  . . . . . . . . . . . . . 19
   5.     Overview of Mobile IPv6 Security . . . . . . . . . . . . .  20
          5.1    Binding Updates to Home Agents . . . . . . . . . . . 20
          5.2    Binding Updates to Correspondent Nodes . . . . . . . 21
                 5.2.1  Node Keys  . . . . . . . . . . . . . . . . .  22
                 5.2.2  Nonces . . . . . . . . . . . . . . . . . . .  22
                 5.2.3  Cookies and Tokens . . . . . . . . . . . . .  23
                 5.2.4  Cryptographic Functions  . . . . . . . . . .  23
                 5.2.5  Return Routability Procedure . . . . . . . .  23
                 5.2.6  Authorizing Binding Management Messages  . .  27
                 5.2.7  Updating Node Keys and Nonces  . . . . . . .  29
                 5.2.8  Preventing Replay Attacks  . . . . . . . . .  31
          5.3    Dynamic Home Agent Address Discovery . . . . . . . . 31
          5.4    Prefix Discovery . . . . . . . . . . . . . . . . . . 31
          5.5    Payload Packets  . . . . . . . . . . . . . . . . . . 31
   6.     New IPv6 Protocol, Message Types, and Destination Option .  33
          6.1    Mobility Header  . . . . . . . . . . . . . . . . . . 33
                 6.1.1  Format . . . . . . . . . . . . . . . . . . .  33
                 6.1.2  Binding Refresh Request Message  . . . . . .  35
                 6.1.3  Home Test Init Message . . . . . . . . . . .  36
                 6.1.4  Care-of Test Init Message  . . . . . . . . .  37
                 6.1.5  Home Test Message  . . . . . . . . . . . . .  38
                 6.1.6  Care-of Test Message . . . . . . . . . . . .  39
                 6.1.7  Binding Update Message . . . . . . . . . . .  40
                 6.1.8  Binding Acknowledgement Message  . . . . . .  42
                 6.1.9  Binding Error Message  . . . . . . . . . . .  45
          6.2    Mobility Options . . . . . . . . . . . . . . . . . . 46
                 6.2.1  Format . . . . . . . . . . . . . . . . . . .  47
                 6.2.2  Pad1 . . . . . . . . . . . . . . . . . . . .  48



Johnson, Perkins, Arkko      Expires August 27, 2003            [Page 2]


Internet-Draft          Mobility Support in IPv6           February 2003


                 6.2.3  PadN . . . . . . . . . . . . . . . . . . . .  48
                 6.2.4  Binding Refresh Advice . . . . . . . . . . .  48
                 6.2.5  Alternate Care-of Address  . . . . . . . . .  49
                 6.2.6  Nonce Indices  . . . . . . . . . . . . . . .  49
                 6.2.7  Binding Authorization Data . . . . . . . . .  50
          6.3    Home Address Option  . . . . . . . . . . . . . . . . 51
          6.4    Type 2 Routing Header  . . . . . . . . . . . . . . . 53
                 6.4.1  Format . . . . . . . . . . . . . . . . . . .  53
          6.5    ICMP Home Agent Address Discovery Request Message  . 55
          6.6    ICMP Home Agent Address Discovery Reply Message  . . 56
          6.7    ICMP Mobile Prefix Solicitation Message Format . . . 57
          6.8    ICMP Mobile Prefix Advertisement Message Format  . . 59
   7.     Modifications to IPv6 Neighbor Discovery . . . . . . . . .  62
          7.1    Modified Router Advertisement Message Format . . . . 62
          7.2    Modified Prefix Information Option Format  . . . . . 62
          7.3    New Advertisement Interval Option Format . . . . . . 64
          7.4    New Home Agent Information Option Format . . . . . . 65
          7.5    Changes to Sending Router Advertisements . . . . . . 66
          7.6    Changes to Duplicate Address Detection . . . . . . . 68
   8.     Requirements for Types of IPv6 Nodes . . . . . . . . . . .  69
          8.1    All IPv6 Nodes . . . . . . . . . . . . . . . . . . . 69
          8.2    IPv6 Nodes with Support for Route Optimization . . . 69
          8.3    All IPv6 Routers . . . . . . . . . . . . . . . . . . 71
          8.4    IPv6 Home Agents . . . . . . . . . . . . . . . . . . 71
          8.5    IPv6 Mobile Nodes  . . . . . . . . . . . . . . . . . 73
   9.     Correspondent Node Operation . . . . . . . . . . . . . . .  75
          9.1    Conceptual Data Structures . . . . . . . . . . . . . 75
          9.2    Processing Mobility Headers  . . . . . . . . . . . . 76
          9.3    Packet Processing  . . . . . . . . . . . . . . . . . 76
                 9.3.1  Receiving Packets with Home Address Option .  76
                 9.3.2  Sending Packets to a Mobile Node . . . . . .  77
                 9.3.3  Sending Binding Error Messages . . . . . . .  79
                 9.3.4  Receiving ICMP Error Messages  . . . . . . .  79
          9.4    Return Routability Procedure . . . . . . . . . . . . 80
                 9.4.1  Receiving Home Test Init Messages  . . . . .  80
                 9.4.2  Receiving Care-of Test Init Messages . . . .  80
                 9.4.3  Sending Home Test Messages . . . . . . . . .  80
                 9.4.4  Sending Care-of Test Messages  . . . . . . .  81
          9.5    Processing Bindings  . . . . . . . . . . . . . . . . 81
                 9.5.1  Receiving Binding Updates  . . . . . . . . .  81
                 9.5.2  Requests to Cache a Binding  . . . . . . . .  83
                 9.5.3  Requests to Delete a Binding . . . . . . . .  84
                 9.5.4  Sending Binding Acknowledgements . . . . . .  84
                 9.5.5  Sending Binding Refresh Requests . . . . . .  85
          9.6    Cache Replacement Policy . . . . . . . . . . . . . . 86
   10.    Home Agent Operation . . . . . . . . . . . . . . . . . . .  88
          10.1   Conceptual Data Structures . . . . . . . . . . . . . 88
          10.2   Processing Mobility Headers  . . . . . . . . . . . . 89



Johnson, Perkins, Arkko      Expires August 27, 2003            [Page 3]


Internet-Draft          Mobility Support in IPv6           February 2003


          10.3   Processing Bindings  . . . . . . . . . . . . . . . . 89
                 10.3.1 Primary Care-of Address Registration . . . .  89
                 10.3.2 Primary Care-of Address De-Registration  . .  93
          10.4   Packet Processing  . . . . . . . . . . . . . . . . . 94
                 10.4.1 Intercepting Packets for a Mobile Node . . .  94
                 10.4.2 Processing Intercepted Packets . . . . . . .  95
                 10.4.3 Multicast Membership Control . . . . . . . .  97
                 10.4.4 Stateful Address Autoconfiguration . . . . .  98
                 10.4.5 Handling Reverse Tunneled Packets  . . . . .  98
                 10.4.6 Protecting Return Routability Packets  . . .  99
          10.5   Dynamic Home Agent Address Discovery . . . . . . . . 99
                 10.5.1 Receiving Router Advertisement Messages  . . 100
          10.6   Sending Prefix Information to the Mobile Node  . . .102
                 10.6.1 Aggregate List of Home Network Prefixes  . . 102
                 10.6.2 Scheduling Prefix Deliveries . . . . . . . . 103
                 10.6.3 Sending Advertisements . . . . . . . . . . . 105
                 10.6.4 Lifetimes for Changed Prefixes . . . . . . . 106
   11.    Mobile Node Operation  . . . . . . . . . . . . . . . . . . 107
          11.1   Conceptual Data Structures . . . . . . . . . . . . .107
          11.2   Processing Mobility Headers  . . . . . . . . . . . .108
          11.3   Packet Processing  . . . . . . . . . . . . . . . . .108
                 11.3.1 Sending Packets While Away from Home . . . . 109
                 11.3.2 Interaction with Outbound IPsec Processing . 111
                 11.3.3 Receiving Packets While Away from Home . . . 113
                 11.3.4 Routing Multicast Packets  . . . . . . . . . 114
                 11.3.5 Receiving ICMP Error Messages  . . . . . . . 116
                 11.3.6 Receiving Binding Error Messages . . . . . . 116
          11.4   Home Agent and Prefix Management . . . . . . . . . .117
                 11.4.1 Dynamic Home Agent Address Discovery . . . . 117
                 11.4.2 Sending Mobile Prefix Solicitations  . . . . 118
                 11.4.3 Receiving Mobile Prefix Advertisements . . . 119
          11.5   Movement . . . . . . . . . . . . . . . . . . . . . .120
                 11.5.1 Movement Detection . . . . . . . . . . . . . 120
                 11.5.2 Forming New Care-of Addresses  . . . . . . . 123
                 11.5.3 Using Multiple Care-of Addresses . . . . . . 123
                 11.5.4 Returning Home . . . . . . . . . . . . . . . 124
          11.6   Return Routability Procedure . . . . . . . . . . . .126
                 11.6.1 Sending Test Init Messages . . . . . . . . . 126
                 11.6.2 Receiving Test Messages  . . . . . . . . . . 127
                 11.6.3 Protecting Return Routability Packets  . . . 128
          11.7   Processing Bindings  . . . . . . . . . . . . . . . .128
                 11.7.1 Sending Binding Updates to the Home Agent  . 128
                 11.7.2 Correspondent Binding Procedure  . . . . . . 131
                 11.7.3 Receiving Binding Acknowledgements . . . . . 134
                 11.7.4 Receiving Binding Refresh Requests . . . . . 136
          11.8   Retransmissions and Rate Limiting  . . . . . . . . .137
   12.    Protocol Constants . . . . . . . . . . . . . . . . . . . . 139
   13.    Protocol Configuration Variables . . . . . . . . . . . . . 140



Johnson, Perkins, Arkko      Expires August 27, 2003            [Page 4]


Internet-Draft          Mobility Support in IPv6           February 2003


   14.    IANA Considerations  . . . . . . . . . . . . . . . . . . . 141
   15.    Security Considerations  . . . . . . . . . . . . . . . . . 143
          15.1   Threats  . . . . . . . . . . . . . . . . . . . . . .143
          15.2   Features . . . . . . . . . . . . . . . . . . . . . .145
          15.3   Binding Updates to Home Agent  . . . . . . . . . . .146
          15.4   Binding Updates to Correspondent Nodes . . . . . . .147
                 15.4.1 Overview . . . . . . . . . . . . . . . . . . 147
                 15.4.2 Achieved Security Properties . . . . . . . . 148
                 15.4.3 Comparison to Regular IPv6 Communications  . 149
                 15.4.4 Replay Attacks . . . . . . . . . . . . . . . 151
                 15.4.5 Denial-of-Service Attacks  . . . . . . . . . 151
                 15.4.6 Key Lengths  . . . . . . . . . . . . . . . . 152
          15.5   Dynamic Home Agent Address Discovery . . . . . . . .153
          15.6   Prefix Discovery . . . . . . . . . . . . . . . . . .153
          15.7   Tunneling via the Home Agent . . . . . . . . . . . .153
          15.8   Home Address Option  . . . . . . . . . . . . . . . .154
          15.9   Type 2 Routing Header  . . . . . . . . . . . . . . .155
   16.    Contributors . . . . . . . . . . . . . . . . . . . . . . . 156
   17.    Acknowledgements . . . . . . . . . . . . . . . . . . . . . 157
          Normative References . . . . . . . . . . . . . . . . . . . 158
          Informative References . . . . . . . . . . . . . . . . . . 160
          Authors' Addresses . . . . . . . . . . . . . . . . . . . . 161
   A.     Changes from Previous Version of the Draft . . . . . . . . 162
   B.     Future Extensions  . . . . . . . . . . . . . . . . . . . . 165
          B.1    Piggybacking . . . . . . . . . . . . . . . . . . . .165
          B.2    Triangular Routing . . . . . . . . . . . . . . . . .165
          B.3    New Authorization Methods  . . . . . . . . . . . . .165
          B.4    Dynamically Generated Home Addresses . . . . . . . .165
          B.5    Remote Home Address Configuration  . . . . . . . . .165
          B.6    Neighbor Discovery Extensions  . . . . . . . . . . .166
          Intellectual Property and Copyright Statements . . . . . . 168




















Johnson, Perkins, Arkko      Expires August 27, 2003            [Page 5]


Internet-Draft          Mobility Support in IPv6           February 2003


1. Introduction

   This document specifies how the IPv6 Internet operates with mobile
   computers.  Without specific support for mobility in IPv6 [11],
   packets destined to a mobile node would not be able to reach it while
   the mobile node is away from its home link.  In order to continue
   communication in spite of its movement, a mobile node could change
   its IP address each time it moves to a new link, but the mobile node
   would then not be able to maintain transport and higher-layer
   connections when it changes location.  Mobility support in IPv6 is
   particularly important, as mobile computers are likely to account for
   a majority or at least a substantial fraction of the population of
   the Internet during the lifetime of IPv6.

   The protocol defined in this document, known as Mobile IPv6, allows a
   mobile node to move from one link to another without changing the
   mobile node's "home address".  Packets may be routed to the mobile
   node using this address regardless of the mobile node's current point
   of attachment to the Internet.  The mobile node may also continue to
   communicate with other nodes (stationary or mobile) after moving to a
   new link.  The movement of a mobile node away from its home link is
   thus transparent to transport and higher-layer protocols and
   applications.

   The Mobile IPv6 protocol is just as suitable for mobility across
   homogeneous media as for mobility across heterogeneous media.  For
   example, Mobile IPv6 facilitates node movement from one Ethernet
   segment to another as well as it facilitates node movement from an
   Ethernet segment to a wireless LAN cell, with the mobile node's IP
   address remaining unchanged in spite of such movement.

   One can think of the Mobile IPv6 protocol as solving the
   network-layer mobility management problem.  Some mobility management
   applications -- for example, handover among wireless transceivers,
   each of which covers only a very small geographic area -- have been
   solved using link-layer techniques.  For example, in many current
   wireless LAN products, link-layer mobility mechanisms allow a
   "handover" of a mobile node from one cell to another, re-establishing
   link-layer connectivity to the node in each new location.

   Mobile IPv6 does not attempt to solve all general problems related to
   the use of mobile computers or wireless networks.  In particular,
   this protocol does not attempt to solve:

   o  Handling links with partial reachability, or unidirectional
      connectivity, such as are often found in wireless networks (but
      see Section 11.5.1).




Johnson, Perkins, Arkko      Expires August 27, 2003            [Page 6]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  Access control on a link being visited by a mobile node.

   o  Local or hierarchical forms of mobility management (similar to
      many current link-layer mobility management solutions).

   o  Assistance for adaptive applications

   o  Mobile routers

   o  Service Discovery

   o  Distinguishing between packets lost due to bit errors vs.  network
      congestion






































Johnson, Perkins, Arkko      Expires August 27, 2003            [Page 7]


Internet-Draft          Mobility Support in IPv6           February 2003


2. Comparison with Mobile IP for IPv4

   The design of Mobile IP support in IPv6 (Mobile IPv6) benefits both
   from the experiences gained from the development of Mobile IP support
   in IPv4 (Mobile IPv4) [22, 23, 24], and from the opportunities
   provided by IPv6.  Mobile IPv6 thus shares many features with Mobile
   IPv4, but is integrated into IPv6 and offers many other improvements.
   This section summarizes the major differences between Mobile IPv4 and
   Mobile IPv6:

   o  There is no need to deploy special routers as "foreign agents", as
      in Mobile IPv4.  Mobile IPv6 operates in any location without any
      special support required from the local router.

   o  Support for route optimization is a fundamental part of the
      protocol, rather than a nonstandard set of extensions.

   o  Mobile IPv6 route optimization can operate securely even without
      pre-arranged security associations.  It is expected that route
      optimization can be deployed on a global scale between all mobile
      nodes and correspondent nodes.

   o  Support is also integrated into Mobile IPv6 for allowing route
      optimization to coexist efficiently with routers that perform
      "ingress filtering" [26].

   o  The movement detection mechanism in Mobile IPv6 provides
      bidirectional confirmation of a mobile node's ability to
      communicate with its default router in its current location.

   o  Most packets sent to a mobile node while away from home in Mobile
      IPv6 are sent using an IPv6 routing header rather than IP
      encapsulation, reducing the amount of resulting overhead compared
      to Mobile IPv4.

   o  Mobile IPv6 is decoupled from any particular link layer, as it
      uses IPv6 Neighbor Discovery [12] instead of ARP.  This also
      improves the robustness of the protocol.

   o  The use of IPv6 encapsulation (and the routing header) removes the
      need in Mobile IPv6 to manage "tunnel soft state".

   o  The dynamic home agent address discovery mechanism in Mobile IPv6
      returns a single reply to the mobile node.  The directed broadcast
      approach used in IPv4 returns separate replies from each home
      agent.





Johnson, Perkins, Arkko      Expires August 27, 2003            [Page 8]


Internet-Draft          Mobility Support in IPv6           February 2003


3. Terminology

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [2].

3.1 General Terms

   IP

      Internet Protocol Version 6 (IPv6).

   node

      A device that implements IP.

   router

      A node that forwards IP packets not explicitly addressed to
      itself.

   unicast routable address

      An identifier for a single interface such that a packet sent to it
      from another IPv6 subnet is delivered to the interface identified
      by that address.  Accordingly, a unicast routable address must
      have either a global or site-local scope (but not link-local).

   host

      Any node that is not a router.

   link

      A communication facility or medium over which nodes can
      communicate at the link layer, such as an Ethernet (simple or
      bridged).  A link is the layer immediately below IP.

   interface

      A node's attachment to a link.

   subnet prefix

      A bit string that consists of some number of initial bits of an IP
      address.





Johnson, Perkins, Arkko      Expires August 27, 2003            [Page 9]


Internet-Draft          Mobility Support in IPv6           February 2003


   interface identifier

      A number used to identify a node's interface on a link.  The
      interface identifier is the remaining low-order bits in the node's
      IP address after the subnet prefix.

   link-layer address

      A link-layer identifier for an interface, such as IEEE 802
      addresses on Ethernet links.

   packet

      An IP header plus payload.

   security association

      An IPsec security association is a simplex "connection" that
      affords security services to the traffic carried by it.  Security
      services are afforded to a security association by the use of the
      AH and ESP protocols.

   security policy database

      A database that specifies what security services are to be offered
      to IP packets and in what fashion.

   destination option

      Destination options are carried by the IPv6 Destination Options
      extension header.  Destination options include optional
      information that need be examined only by the IPv6 node given as
      the destination address in the IPv6 header, not by routers in
      between.  Mobile IPv6 defines one new destination option, the Home
      Address destination option (see Section 6.3).

   routing header

      A routing header may be present as an IPv6 header extension, and
      indicates that the payload has to be delivered to a destination
      IPv6 address in some way that is different from what would be
      carried out by standard Internet routing.  In this document, use
      of the term "routing header" typically refers to use of a type 2
      routing header, as specified in Section 6.4.

   '|' (concatenation)

      Some formulas in this specification use the symbol '|' indicate



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 10]


Internet-Draft          Mobility Support in IPv6           February 2003


      bytewise concatenation, as in A | B.  This concatenation requires
      that all of the bytes of the datum A appear first in the result,
      followed by all of the bytes of the datum B.

   First (size, input)

      Some formulas in this specification use a functional form "First
      (size, input)" to indicate truncation of the "input" data so that
      only the first "size" bits remain to be used.


3.2 Mobile IPv6 Terms

   home address

      A unicast routable address assigned to a mobile node, used as the
      permanent address of the mobile node.  This address is within the
      mobile node's home link.  Standard IP routing mechanisms will
      deliver packets destined for a mobile node's home address to its
      home link.

   home subnet prefix

      The IP subnet prefix corresponding to a mobile node's home
      address.

   home link

      The link on which a mobile node's home subnet prefix is defined.

   mobile node

      A node that can change its point of attachment from one link to
      another, while still being reachable via its home address.

   movement

      A change in a mobile node's point of attachment to the Internet
      such that it is no longer connected to the same link as it was
      previously.  If a mobile node is not currently attached to its
      home link, the mobile node is said to be "away from home".

   correspondent node

      A peer node with which a mobile node is communicating.  The
      correspondent node may be either mobile or stationary.





Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 11]


Internet-Draft          Mobility Support in IPv6           February 2003


   foreign subnet prefix

      Any IP subnet prefix other than the mobile node's home subnet
      prefix.

   foreign link

      Any link other than the mobile node's home link.

   care-of address

      A unicast routable address associated with a mobile node while
      visiting a foreign link; the subnet prefix of this IP address is a
      foreign subnet prefix.  Among the multiple care-of addresses that
      a mobile node may have at any given time (e.g., with different
      subnet prefixes), the one registered with the mobile node's home
      agent is called its "primary" care-of address.

   home agent

      A router on a mobile node's home link with which the mobile node
      has registered its current care-of address.  While the mobile node
      is away from home, the home agent intercepts packets on the home
      link destined to the mobile node's home address, encapsulates
      them, and tunnels them to the mobile node's registered care-of
      address.

   binding

      The association of the home address of a mobile node with a
      care-of address for that mobile node, along with the remaining
      lifetime of that association.

   registration

      The process during which a mobile node sends a Binding Update to
      its home agent or a correspondent node, causing a binding for the
      mobile node to be registered.

   mobility message

      A message containing a Mobility Header (see Section 6.1).

   binding procedure

      A binding procedure is initiated by the mobile node to inform
      either a correspondent node or the mobile node's home agent of the
      current binding of the mobile node.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 12]


Internet-Draft          Mobility Support in IPv6           February 2003


   binding authorization

      Binding procedure needs to be authorized to allow the recipient to
      believe that the sender has the right to specify a new binding.

   return routability procedure

      The return routability procedure authorizes binding procedures by
      the use of a cryptographic token exchange.

   correspondent binding procedure

      A return routability procedure followed by a binding procedure,
      run between the mobile node and a correspondent node.

   home binding procedure

      A binding procedure between the mobile node and its home agent,
      authorized by the use of IPsec.

   nonce

      Nonces are random numbers used internally by the correspondent
      node in the creation of keygen tokens related to the return
      routability procedure.  The nonces are not specific to a mobile
      node, and are kept secret within the correspondent node.

   nonce index

      A nonce index is used to indicate which nonces have been used when
      creating keygen token values, without revealing the nonces
      themselves.

   cookie

      A cookie is a random number used by a mobile nodes to prevent
      spoofing by a bogus correspondent node in the return routability
      procedure.

   care-of init cookie

      A cookie sent to the correspondent node in the Care-of Test Init
      message, to be returned in the Care-of Test message.

   home init cookie

      A cookie sent to the correspondent node in the Home Test Init
      message, to be returned in the Home Test message.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 13]


Internet-Draft          Mobility Support in IPv6           February 2003


   keygen token

      A keygen token is a number supplied by a correspondent node in the
      return routability procedure to enable the mobile node to compute
      the necessary binding management key for authorizing a Binding
      Update.

   care-of keygen token

      A keygen token sent by the correspondent node in the Care-of Test
      message.

   home keygen token

      A keygen token sent by the correspondent node in the Home Test
      message.

   binding management key (Kbm)

      A binding management key (Kbm) is a key used for authorizing a
      binding cache management message (e.g., Binding Update or Binding
      Acknowledgement).  Return routability provides a way to create a
      binding management key.




























Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 14]


Internet-Draft          Mobility Support in IPv6           February 2003


4. Overview of Mobile IPv6

4.1 Basic Operation

   A mobile node is always expected to be addressable at its home
   address, whether it is currently attached to its home link or is away
   from home.  The "home address" is an IP address assigned to the
   mobile node within its home subnet prefix on its home link.  While a
   mobile node is at home, packets addressed to its home address are
   routed to the mobile node's home link, using conventional Internet
   routing mechanisms.

   While a mobile node is attached to some foreign link away from home,
   it is also addressable at one or more care-of addresses.  A care-of
   address is an IP address associated with a mobile node that has the
   subnet prefix of a particular foreign link.  The mobile node can
   acquire its care-of address through conventional IPv6 mechanisms,
   such as stateless or stateful auto-configuration.  As long as the
   mobile node stays in this location, packets addressed to this care-of
   address will be routed to the mobile node.  The mobile node may also
   accept packets from several care-of addresses, such as when it is
   moving but still reachable at the previous link.

   The association between a mobile node's home address and care-of
   address is known as a "binding" for the mobile node.  While away from
   home, a mobile node registers its primary care-of address with a
   router on its home link, requesting this router to function as the
   "home agent" for the mobile node.  The mobile node performs this
   binding registration by sending a "Binding Update" message to the
   home agent.  The home agent replies to the mobile node by returning a
   "Binding Acknowledgement" message.  The operation of the mobile node
   is specified in Section 11, and the operation of the home agent is
   specified in Section 10.

   Any node communicating with a mobile node is referred to in this
   document as a "correspondent node" of the mobile node, and may itself
   be either a stationary node or a mobile node.  Mobile nodes can
   provide information about their current location to correspondent
   nodes.  This happens through the correspondent binding procedure.  As
   a part of this procedure, a return routability test is performed in
   order to authorize the establishment of the binding.  The operation
   of the correspondent node is specified in Section 9.

   There are two possible modes for communications between the mobile
   node and a correspondent node.  The first mode, bidirectional
   tunneling, does not require Mobile IPv6 support from the
   correspondent node and is available even if the mobile node has not
   registered its current binding with the correspondent node.  Packets



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 15]


Internet-Draft          Mobility Support in IPv6           February 2003


   from the correspondent node are routed to the home agent and then
   tunneled to the mobile node.  Packets to the correspondent node are
   tunneled from the mobile node to the home agent ("reverse tunneled")
   and then routed normally from the home network to the correspondent
   node.  In this mode, the home agent uses proxy Neighbor Discovery to
   intercept any IPv6 packets addressed to the mobile node's home
   address (or home addresses) on the home link.  Each intercepted
   packet is tunneled to the mobile node's primary care-of address.
   This tunneling is performed using IPv6 encapsulation [15].

   The second mode, "route optimization", requires the mobile node to
   register its current binding at the correspondent node.  Packets from
   the correspondent node can be routed directly to the care-of address
   of the mobile node.  When sending a packet to any IPv6 destination,
   the correspondent node checks its cached bindings for an entry for
   the packet's destination address.  If a cached binding for this
   destination address is found, the node uses a new type of IPv6
   routing header [11] (see Section 6.4) to route the packet to the
   mobile node by way of the care-of address indicated in this binding.

   Routing packets directly to the mobile node's care-of address allows
   the shortest communications path to be used.  It also eliminates
   congestion at the mobile node's home agent and home link.  In
   addition, the impact of any possible failure of the home agent or
   networks on the path to or from it is reduced.

   When routing packets directly to the mobile node, the correspondent
   node sets the Destination Address in the IPv6 header to the care-of
   address of the mobile node.  A new type of IPv6 routing header (see
   Section 6.4) is also added to the packet to carry the desired home
   address.  Similarly, the mobile node sets the Source Address in the
   packet's IPv6 header to its current care-of addresses.  The mobile
   node adds a new IPv6 "Home Address" destination option (see Section
   6.3) to carry its home address.  The inclusion of home addresses in
   these packets makes the use of the care-of address transparent above
   the network layer (e.g., at the transport layer).

   Mobile IPv6 also provides support for multiple home agents, and the
   reconfiguration of the home network.  In these cases, the mobile node
   may not know the IP address of its own home agent, and even the home
   subnet prefixes may change over time.  A mechanism, known as "dynamic
   home agent address discovery" allows a mobile node to dynamically
   discover the IP address of a home agent on its home link, even when
   the mobile node is away from home.  Mobile nodes can also learn new
   information about home subnet prefixes through the "prefix discovery"
   mechanism.  These mechanisms are described starting from Section 6.5.





Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 16]


Internet-Draft          Mobility Support in IPv6           February 2003


4.2 New IPv6 Protocol

   Mobile IPv6 defines a new IPv6 protocol, using the Mobility Header
   (see Section 6.1).  This Header is used to carry the following
   messages:

   Home Test Init

   Home Test

   Care-of Test Init

   Care-of Test

      These four messages are used to initiate the return routability
      procedure from the mobile node to a correspondent node.  This
      ensures authorization of subsequent Binding Updates, as described
      in Section 5.2.5.

   Binding Update

      A Binding Update is used by a mobile node to notify a
      correspondent node or the mobile node's home agent of its current
      binding.  The Binding Update sent to the mobile node's home agent
      to register its primary care-of address is marked as a "home
      registration".

   Binding Acknowledgement

      A Binding Acknowledgement is used to acknowledge receipt of a
      Binding Update, if an acknowledgement was requested in the Binding
      Update, the binding update was sent to a home agent, or an error
      occurred.

   Binding Refresh Request

      A Binding Refresh Request is used to request a mobile node to
      re-establish its binding with the correspondent node.  This
      message is typically used when the cached binding is in active use
      but the binding's lifetime is close to expiration.  The
      correspondent node may use, for instance, recent traffic and open
      transport layer connections as an indication of active use.

   Binding Error

      The Binding Error is used by the correspondent node to signal an
      error related to mobility, such as an inappropriate attempt to use
      the Home Address destination option without an existing binding.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 17]


Internet-Draft          Mobility Support in IPv6           February 2003


4.3 New IPv6 Destination Option

   Mobile IPv6 defines a new IPv6 destination option, the Home Address
   destination option.  This option is described in detail in Section
   6.3.

4.4 New IPv6 ICMP Messages

   Mobile IPv6 also introduces four new ICMP message types, two for use
   in the dynamic home agent address discovery mechanism, and two for
   renumbering and mobile configuration mechanisms.  As described in
   Section 10.5 and Section 11.4.1, the following two new ICMP message
   types are used for home agent address discovery:

   o  Home Agent Address Discovery Request, described in Section 6.5.

   o  Home Agent Address Discovery Reply, described in Section 6.6.

   The next two message types are used for network renumbering and
   address configuration on the mobile node, as described in Section
   10.6:

   o  Mobile Prefix Solicitation, described in Section 6.7.

   o  Mobile Prefix Advertisement, described in Section 6.8.


4.5 Conceptual Data Structure Terminology

   This document describes the Mobile IPv6 protocol in terms of the
   following conceptual data structures:

   Binding Cache

      A cache of bindings for other nodes.  This cache is maintained by
      home agents and correspondent nodes.  The cache contains both
      "correspondent registration" entries (see Section 9.1) and "home
      registration" entries (see Section 10.1).

   Binding Update List


      This list is maintained by each mobile node.  The list has an item
      for every binding that the mobile node has or is trying to
      establish with a specific other node.  Both correspondent and home
      registrations are included in this list.  Entries from the list
      are deleted as the lifetime of the binding expires.  See Section
      11.1.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 18]


Internet-Draft          Mobility Support in IPv6           February 2003


   Home Agents List


      Home agents need to know which other home agents are on the same
      link.  This information is stored in the Home Agents List, as
      described in more detail in Section 10.1.  The list is used for
      informing mobile nodes during dynamic home agent address
      discovery.


4.6 Site-Local Addressability

   This specification requires that home and care-of addresses MUST be
   unicast routable addresses.  Site-local addresses may be usable on
   networks that are not connected to the Internet, but this
   specification does not define when such usage is safe and when not.
   Mobile nodes may not be aware of which site they are currently on, it
   is hard to prevent accidental attachment to other sites, and
   ambiguity of site-local addresses can cause problems if the home and
   visited networks use the same addresses.  Therefore, site-local
   addresses SHOULD NOT be used as home or care-of addresses.






























Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 19]


Internet-Draft          Mobility Support in IPv6           February 2003


5. Overview of Mobile IPv6 Security

   This specification provides a number of security features.  These
   include the protection of Binding Updates both to home agents and
   correspondent nodes, the protection of prefix discovery, and the
   protection of the mechanisms that Mobile IPv6 uses for transporting
   data packets.

   Binding Updates are protected by the use of IPsec extension headers,
   or by the use of the Binding Authorization Data option.  This option
   employs a binding management key, Kbm, which can be established
   through the return routability procedure.  Prefix discovery is
   protected through the use of IPsec extension headers.  Mechanisms
   related to transporting payload packets - such as the Home Address
   destination option and type 2 routing header - have been specified in
   a manner which restricts their use in attacks.

5.1 Binding Updates to Home Agents

   The mobile node and the home agent MUST use an IPsec security
   association to protect the integrity and authenticity of the Binding
   Updates and Acknowledgements.  Both the mobile nodes and the home
   agents SHOULD use the Encapsulating Security Payload (ESP) [6] header
   in transport mode and MUST use a non-NULL payload authentication
   algorithm to provide data origin authentication, connectionless
   integrity and optional anti-replay protection.  Note that
   Authentication Header (AH) [5] is also possible but for brevity not
   discussed in this specification.

   In order to protect messages exchanged between the mobile node and
   the home agent with IPsec, appropriate security policy database
   entries must be created.  A mobile node must be prevented from using
   its security association to send a Binding Update on behalf of
   another mobile node using the same home agent.  This MUST be achieved
   by having the home agent check that the given home address has been
   used with the right security association.  Such a check is provided
   in the IPsec processing, by having the security policy database
   entries unequivocally identify a single security association for any
   given home address and home agent.  In order to make this possible,
   it is necessary that the home address of the mobile node is visible
   in the Binding Updates and Acknowledgements.  The home address is
   used in these packets as a source or destination, or in the Home
   Address Destination option or the type 2 routing header.

   As with all IPsec security associations in this specification, manual
   configuration of security associations MUST be supported.  The used
   shared secrets MUST be random and unique for different mobile nodes,
   and MUST be distributed off-line to the mobile nodes.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 20]


Internet-Draft          Mobility Support in IPv6           February 2003


   Automatic key management with IKE [9] MAY be supported.  When IKE is
   used, either the security policy database entries or the MIPv6
   processing MUST unequivocally identify the IKE phase 1 credentials
   which can be used to authorize the creation of security associations
   for a particular home address.  How these mappings are maintained is
   outside the scope of this specification, but they may be maintained,
   for instance, as a locally administered table in the home agent.  If
   the phase 1 identity is a FQDN, secure forms of DNS may also be used.

   Section 11.3.2 discusses how IKE connections to the home agent need a
   careful treatment of the addresses used for transporting IKE.  This
   is necessary to ensure that a Binding Update is not needed before the
   IKE exchange which is needed for securing the Binding Update.

   When IKE version 1 is used with preshared secret authentication
   between the mobile node and the home agent, aggressive mode MUST be
   used.  Similarly, the ID_IPV6_ADDR Identity Payload MUST NOT be used
   in IKEv1 phase 1.

   Reference [21] contains a more detailed description and examples on
   using IPsec to protect the communications between the mobile node and
   the home agent.

5.2 Binding Updates to Correspondent Nodes

   The protection of Binding Updates sent to correspondent nodes does
   not require the configuration of security associations or the
   existence of an authentication infrastructure between the mobile
   nodes and correspondent nodes.  Instead, a method called the return
   routability procedure is used to assure that the right mobile node is
   sending the message.  This method does not protect against attackers
   who are on the path between the home network and the correspondent
   node.  However, attackers in such a location are capable of
   performing the same attacks even without Mobile IPv6.  The main
   advantage of the return routability procedure is that it limits the
   potential attackers to those having an access to one specific path in
   the Internet, and avoids forged Binding Updates from anywhere else in
   the Internet.  For a more in depth explanation of the security
   properties of the return routability procedure, see Section 15.

   The integrity and authenticity of the Binding Updates messages to
   correspondent nodes is protected by using a keyed-hash algorithm.
   The binding management key, Kbm, is used to key the hash algorithm
   for this purpose.  Kbm is established using data exchanged during the
   return routability procedure.  The data exchange is accomplished by
   use of node keys, nonces, cookies, tokens, and certain cryptographic
   functions.  Section 5.2.5 outlines the basic return routability
   procedure.  Section 5.2.6 shows how the results of this procedure are



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 21]


Internet-Draft          Mobility Support in IPv6           February 2003


   used to authorize a Binding Update to a correspondent node.

5.2.1 Node Keys

   Each correspondent node has a secret key, Kcn, called the "node key",
   which it uses to produce the keygen tokens sent to the mobile nodes.
   The node key MUST be a random number, 20 octets in length.  The node
   key allows the correspondent node to verify that the keygen tokens
   used by the mobile node in authorizing a Binding Update are indeed
   its own.  This key MUST NOT be shared with any other entity.

   A correspondent node MAY generate a fresh node key at any time; this
   avoids the need for secure persistent key storage.  Procedures for
   optionally updating the node key are discussed later in Section
   5.2.7.

5.2.2 Nonces

   Each correspondent node also generates nonces at regular intervals.
   The nonces should be generated by using a random number generator
   that is known to have good randomness properties [1].  A
   correspondent node may use the same Kcn and nonce with all the
   mobiles it is in communication with.

   Each nonce is identified by a nonce index.  When a new nonce is
   generated, it must be associated with a new nonce index; this may be
   done, for example, by incrementing the value of the previous nonce
   index, if the nonce index is used as an array pointer into a linear
   array of nonces.  However, there is no requirement that nonces be
   stored that way, or that the values of subsequent nonce indices have
   any particular relationship to each other.  The index value is
   communicated in the protocol, so that if a nonce is replaced by new
   nonce during the run of a protocol, the correspondent node can
   distinguish messages that should be checked against the old nonce
   from messages that should be checked against the new nonce.  Strictly
   speaking, indices are not necessary in the authentication, but allow
   the correspondent node to efficiently find the nonce value that it
   used in creating a keygen token.

   Correspondent nodes keep both the current nonce and a small set of
   valid previous nonces whose lifetime has not yet expired.  Expired
   values MUST be discarded, and messages using stale or unknown indices
   will be rejected.

   The specific nonce index values cannot be used by mobile nodes to
   determine the validity of the nonce.  Expected validity times for the
   nonces values and the procedures for updating them are discussed
   later in Section 5.2.7.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 22]


Internet-Draft          Mobility Support in IPv6           February 2003


   A nonce is an octet string of any length.  The recommended length is
   64 bits.

5.2.3 Cookies and Tokens

   The return routability address test procedure uses cookies and keygen
   tokens as opaque values within the test init and test messages,
   respectively.

   o  The "home init cookie" and "care-of init cookie" are 64 bit values
      sent to the correspondent node from the mobile node, and later
      returned to the mobile node.  The home init cookie is sent in the
      Home Test Init message, and returned in the Home Test message.
      The care-of init cookie is sent in the Care-of Test Init message,
      and returned in the Care-of Test message.

   o  The "home keygen token" and "care-of keygen token" are 64-bit
      values sent by the correspondent node to the mobile node via the
      home agent (via the Home Test message) and the care-of address (by
      the Care-of Test message), respectively.

   The mobile node should set the home init or care-of init cookie to a
   newly generated random number in every Home or Care-of Test Init
   message it sends.  The cookies are used to verify that the Home Test
   or Care-of Test message matches the Home Test Init or Care-of Test
   Init message, respectively.  These cookies also serve to ensure that
   parties who have not seen the request cannot spoof responses.

   Home and care-of keygen tokens are produced by the correspondent node
   based on its currently active secret key (Kcn) and nonces, as well as
   the home or care-of address (respectively).  A keygen token is valid
   as long as both the secret key (Kcn) and the nonce used to create it
   are valid.

5.2.4 Cryptographic Functions

   In this specification, the function used to compute hash values is
   SHA1 [20].  Message Authentication Codes (MACs) are computed using
   HMAC_SHA1 [25, 20].  HMAC_SHA1(K,m) denotes such a MAC computed on
   message m with key K.

5.2.5 Return Routability Procedure

   The Return Routability Procedure enables the correspondent node to
   obtain some reasonable assurance that the mobile node is in fact
   addressable at its claimed care-of address as well as at its home
   address.  Only with this assurance is the correspondent node able to
   accept Binding Updates from the mobile node which would then instruct



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 23]


Internet-Draft          Mobility Support in IPv6           February 2003


   the correspondent node to direct that mobile node's data traffic to
   its claimed care-of address.

   This is done by testing whether packets addressed to the two claimed
   addresses are routed to the mobile node.  The mobile node can pass
   the test only if it is able to supply proof that it received certain
   data (the "keygen tokens") which the correspondent node sends to
   those addresses.  These data are combined by the mobile node into a
   binding management key, denoted Kbm.

   The below figure shows the message flow for the return routability
   procedure.

    Mobile node                 Home agent           Correspondent node
         |                                                     |
         |  Home Test Init (HoTI)   |                          |
         |------------------------->|------------------------->|
         |                          |                          |
         |  Care-of Test Init (CoTI)                           |
         |---------------------------------------------------->|
         |                                                     |
         |                          |  Home Test (HoT)         |
         |<-------------------------|<-------------------------|
         |                          |                          |
         |                             Care-of Test (CoT)      |
         |<----------------------------------------------------|
         |                                                     |

   The Home and Care-of Test Init messages are sent at the same time.
   The procedure requires very little processing at the correspondent
   node, and the Home and Care-of Test messages can be returned quickly,
   perhaps nearly simultaneously.  These four messages form the return
   routability procedure.

   Home Test Init


      A mobile node sends a Home Test Init message to the correspondent
      node to acquire the home keygen token.  The contents of the
      message can be summarized as follows:

      *  Source Address = home address

      *  Destination Address = correspondent

      *  Parameters:

         +  home init cookie



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 24]


Internet-Draft          Mobility Support in IPv6           February 2003



      The Home Test Init message conveys the mobile node's home address
      to the correspondent node.  The mobile node also sends along a
      home init cookie that the correspondent node must return later.
      The Home Test Init message is reverse tunneled through the home
      agent.  (The headers and addresses related to  reverse tunneling
      have been omitted from the above discussion of the message
      contents.) The mobile node remembers these cookie values to obtain
      some assurance that its protocol messages are being processed by
      the desired correspondent node.

   Care-of Test Init


      The mobile node sends a Care-of Test Init message to the
      correspondent node to acquire the care-of keygen token.  The
      contents of this message can be summarized as follows:

      *  Source Address = care-of address

      *  Destination Address = correspondent

      *  Parameters:

         +  care-of init cookie


      The Care-of Test Init message conveys the mobile node's care-of
      address to the correspondent node.  The mobile node also sends
      along a care-of init cookie that the correspondent node must
      return later.  The Care-of Test Init message is sent directly to
      the correspondent node.

   Home Test


      The Home Test message is sent in response to a Home Test Init
      message.  The contents of the message are:

      *  Source Address = correspondent

      *  Destination Address = home address

      *  Parameters:

         +  home init cookie

         +  home keygen token



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 25]


Internet-Draft          Mobility Support in IPv6           February 2003


         +  home nonce index


      When the correspondent node receives the Home Test Init message,
      it generates a home keygen token as follows:

       home keygen token :=
            First (64, HMAC_SHA1 (Kcn, (home address | nonce | 0)))

      where | denotes concatenation.  The final "0" inside the HMAC_SHA1
      function is a single zero octet, used to distinguish home and
      care-of cookies from each other.  The home keygen token is formed
      from the first 64 bits of the MAC.  The home keygen token tests
      that the mobile can receive messages sent to its home address.
      Kcn is used in the production of home keygen token in order to
      allow the correspondent node to verify that it generated the home
      and care-of nonces, without forcing the correspondent node to
      remember a list of all tokens it has handed out.  The Home Test
      message is sent to the mobile node via the home network, where it
      is presumed that the home agent will tunnel the message to the
      mobile node.  This means that the mobile node needs to already
      have sent a Binding Update to the home agent, so that the home
      agent will have received and authorized the new care-of address
      for the mobile node before the return routability procedure.  For
      improved security, the data passed between the home agent and the
      mobile node can be made immune to inspection and passive attacks.
      Such protection can be gained by encrypting the home keygen token
      as it is tunneled from the home agent to the mobile node as
      specified in Section 10.4.6.  The security properties of this
      additional security are discussed in Section 15.4.1.  The home
      init cookie from the mobile node is returned in the Home Test
      message, to ensure that the message comes from a node on the route
      between the home agent and the correspondent node.  The home nonce
      index is delivered to the mobile node to later allow the
      correspondent node to efficiently find the nonce value that it
      used in creating the home keygen token.

   Care-of Test


      This message is sent in response to a Care-of Test Init message.
      The contents of the message are:

      *  Source Address = correspondent

      *  Destination Address = care-of address

      *  Parameters:



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 26]


Internet-Draft          Mobility Support in IPv6           February 2003


         +  care-of init cookie

         +  care-of keygen token

         +  care-of nonce index


      When the correspondent node receives the Care-of Test Init
      message, it generates a care-of keygen token as follows:

       care-of keygen token :=
          First (64, HMAC_SHA1 (Kcn, (care-of address | nonce | 1)))

      Here, the final "1" inside the HMAC_SHA1 function is a single
      octet containing the hex value 0x01, and is used to distinguish
      home and care-of cookies from each other.  The keygen token is
      formed from the first 64 bits of the MAC, and sent directly to the
      mobile node at its care-of address.  The care-of init cookie from
      the from Care-of Test Init message is returned to ensure that the
      message comes from a node on the route to the correspondent node.
      The care-of nonce index is provided to identify the nonce used for
      the care-of keygen token.  The home and care-of nonce indices MAY
      be the same, or different, in the Home and Care-of Test messages.

   When the mobile node has received both the Home and Care-of Test
   messages, the return routability procedure is complete.  As a result
   of the procedure, the mobile node has the data it needs to send a
   Binding Update to the correspondent node.  The mobile node hashes the
   tokens together to form a 20 octet binding key Kbm:

       Kbm = SHA1 (home keygen token | care-of keygen token)

   A Binding Update may also be used to delete a previously established
   binding (Section 6.1.7).  In this case, the care-of keygen token is
   not used.  Instead, the binding management key is generated as
   follows:

       Kbm = SHA1(home keygen token)

   Note that the correspondent node does not create any state specific
   to the mobile node, until it receives the Binding Update from that
   mobile node.  The correspondent node does not maintain the value for
   the binding management key Kbm; it creates Kbm when given the nonce
   indices and the mobile node's addresses.

5.2.6 Authorizing Binding Management Messages

   After the mobile node has created the binding management key (Kbm),



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 27]


Internet-Draft          Mobility Support in IPv6           February 2003


   it can supply a verifiable Binding Update to the correspondent node.
   This section provides an overview of this binding procedure.  The
   below figure shows the message flow.

     Mobile node                                Correspondent node
          |                                               |
          |             Binding Update (BU)               |
          |---------------------------------------------->|
          |  (MAC, seq#, nonce indices, care-of address)  |
          |                                               |
          |                                               |
          |    Binding Acknowledgement (BA) (if sent)     |
          |<----------------------------------------------|
          |              (MAC, seq#, status)              |

   Binding Update


      To authorize a Binding Update, the mobile node creates a binding
      management key Kbm from the keygen tokens as described in the
      previous section.  The contents of the Binding Update include the
      following:

      *  Source Address = care-of address

      *  Destination Address = correspondent

      *  Parameters:

         +  home address (within the Home Address destination option if
            different from the Source Address)

         +  sequence number (within the Binding Update message header)

         +  home nonce index (within the Nonce Indices option)

         +  care-of nonce index (within the Nonce Indices option)

         +  HMAC_SHA1 (Kbm, (care-of address | CN address | BU))


      The Binding Update contains a Nonce Indices option, indicating to
      the correspondent node which home and care-of nonces to use to
      recompute Kbm, the binding management key.  The MAC is computed as
      described in Section 6.2.7, using the correspondent node's address
      as the destination address and the Binding Update message itself
      as the Mobility Header Data.  Once the correspondent node has
      verified the MAC, it can create a Binding Cache entry for the



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 28]


Internet-Draft          Mobility Support in IPv6           February 2003


      mobile.

   Binding Acknowledgement


      The Binding Update is in some cases acknowledged by the
      correspondent node.  The contents of the message are as follows:

      *  Source Address = correspondent

      *  Destination Address = care-of address

      *  Parameters:

         +  sequence number (within the Binding Update message header)

         +  HMAC_SHA1 (Kbm, (care-of address | CN address | BA))


      The Binding Acknowledgement contains the same sequence number as
      the Binding Update.  The MAC is computed as described in Section
      6.2.7, using the correspondent node's address as the destination
      address and the message itself as the Mobility Header Data.

   Bindings established with correspondent nodes using keys created by
   way of the return routability procedure MUST NOT exceed
   MAX_RR_BINDING_LIFETIME seconds (see Section 12).

   The value in the Source Address field in the IPv6 header carrying the
   Binding Update is normally also the care-of address which is used in
   the binding.  However, a different care-of address MAY be specified
   by including an Alternate Care-of Address mobility option in the
   Binding Update (see Section 6.2.5).  When such a message is sent to
   the correspondent node and the return routability procedure is used
   as the authorization method, the Care-of Test Init and Care-of Test
   messages MUST have been performed for the address in the Alternate
   Care-of Address option (not the Source Address).  The nonce indices
   and MAC value MUST be based on information gained in this test.

   Binding Updates may also be sent to delete a previously established
   binding.  In this case, generation of the binding management key
   depends exclusively on the home keygen token and the care-of nonce
   index is ignored.

5.2.7 Updating Node Keys and Nonces

   Correspondent nodes generate nonces at regular intervals.  It is
   recommended to keep each nonce (identified by a nonce index)



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 29]


Internet-Draft          Mobility Support in IPv6           February 2003


   acceptable for at least MAX_TOKEN_LIFETIME seconds (see Section 12)
   after it has been first used in constructing a return routability
   message response.  However, the correspondent node MUST NOT accept
   nonces beyond MAX_NONCE_LIFETIME seconds (see Section 12) after the
   first use.  As the difference between these two constants is 30
   seconds, a convenient way to enforce the above lifetimes is to
   generate a new nonce every 30 seconds.  The node can then continue to
   accept tokens that have been based on the last 8 (MAX_NONCE_LIFETIME
   / 30) nonces.  This results in tokens being acceptable
   MAX_TOKEN_LIFETIME to MAX_NONCE_LIFETIME seconds after they have been
   sent to the mobile node, depending on whether the token was sent at
   the beginning or end of the first 30 second period.  Note that the
   correspondent node may also attempt to generate new nonces on demand,
   or only if the old nonces have been used.  This is possible, as long
   as the correspondent node keeps track of how long a time ago the
   nonces were used for the first time, and does not generate new nonces
   on every return routability request.

   Due to resource limitations, rapid deletion of bindings, or reboots
   the correspondent node may not in all cases recognize the nonces that
   the tokens were based on.  If a nonce index is unrecognized, the
   correspondent node replies with an an error code in the Binding
   Acknowledgement (either 136, 137, or 138 as discussed in Section
   6.1.8).  The mobile node can then retry the return routability
   procedure.

   An update of Kcn SHOULD be done at the same time as an update of a
   nonce, so that nonce indices can identify both the nonce and the key.
   Old Kcn values have to be therefore remembered as long as old nonce
   values.

   Given that the tokens are normally expected to be usable for
   MAX_TOKEN_LIFETIME seconds, the mobile node MAY use them beyond a
   single run of the return routability procedure until
   MAX_TOKEN_LIFETIME expires.  After this the mobile node SHOULD NOT
   use the tokens.  A fast moving mobile node MAY reuse a recent home
   keygen token from a correspondent node when moving to a new location,
   and just acquire a new care-of keygen token to show routability in
   the new location.

   While this does not save the number of round-trips due to the
   simultaneous processing of home and care-of return routability tests,
   there are fewer messages being exchanged, and a potentially long
   round-trip through the home agent is avoided.  Consequently, this
   optimization is often useful.  A mobile node that has multiple home
   addresses, MAY also use the same care-of keygen token for Binding
   Updates concerning all of these addresses.




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 30]


Internet-Draft          Mobility Support in IPv6           February 2003


5.2.8 Preventing Replay Attacks

   The return routability procedure also protects the participants
   against replayed Binding Updates through the use of the sequence
   number and a MAC.  Care must be taken when removing bindings at the
   correspondent node, however.  Correspondent nodes must retain
   bindings and the associated sequence number information at least as
   long as the nonces used in the authorization of the binding are still
   valid.  Alternatively, if memory is very constrained, the
   correspondent node MAY invalidate the nonces that were used for the
   binding being deleted (or some larger group of nonces that they
   belong to).  This may, however, impact the ability to accept Binding
   Updates from mobile nodes that have recently received keygen tokens.
   This alternative is therefore recommended only as a last measure.

5.3 Dynamic Home Agent Address Discovery

   No security is required for dynamic home agent address discovery.

5.4 Prefix Discovery

   The mobile node and the home agent SHOULD use an IPsec security
   association to protect the integrity and authenticity of the Mobile
   Prefix Solicitations and Advertisements.  Both the mobile nodes and
   the home agents SHOULD use the Encapsulating Security Payload (ESP)
   header in transport mode with a non-NULL payload authentication
   algorithm to provide data origin authentication, connectionless
   integrity and optional anti-replay protection.

5.5 Payload Packets

   Payload packets exchanged with mobile nodes can be protected in the
   usual manner, in the same way as stationary hosts can protect them.
   However, Mobile IPv6 introduces the Home Address destination option,
   a routing header, and tunneling headers in the payload packets.  In
   the following we define the security measures taken to protect these,
   and to prevent their use in attacks against other parties.

   This specification limits the use of the Home Address destination
   option to the situation where the correspondent node already has a
   Binding Cache entry for the given home address.  This avoids the use
   of the Home Address option in attacks described in Section 15.1.

   Mobile IPv6 uses a Mobile IPv6 specific type of a routing header.
   This type provides the necessary functionality but does not open
   vulnerabilities discussed in Section 15.1.

   Tunnels between the mobile node and the home agent are protected by



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 31]


Internet-Draft          Mobility Support in IPv6           February 2003


   ensuring proper use of source addresses, and optional cryptographic
   protection.  The mobile node verifies that the outer IP address
   corresponds to its home agent.  The home agent verifies that the
   outer IP address corresponds to the current location of the mobile
   node (Binding Updates sent to the home agents are secure).  The home
   agent identifies the mobile node through the source address of the
   inner packet.  (Typically, this is the home address of the mobile
   node, but it can also be a link-local address, as discussed in
   Section 10.4.2.  To recognize the latter type of addresses, the home
   agent requires that the Link-Local Address Compatibility (L) was set
   in the Binding Update.) These measures protect the tunnels against
   vulnerabilities discussed in Section 15.1.

   For traffic tunneled via the home agent, additional IPsec ESP
   encapsulation MAY be supported and used.  If multicast group
   membership control protocols or stateful address autoconfiguration
   protocols are supported, payload data protection MUST be supported.


































Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 32]


Internet-Draft          Mobility Support in IPv6           February 2003


6. New IPv6 Protocol, Message Types, and Destination Option

6.1 Mobility Header

   The Mobility Header is an extension header used by mobile nodes,
   correspondent nodes, and home agents in all messaging related to the
   creation and management of bindings.  The subsections within this
   section describe the message types that may be sent using the
   Mobility Header.

6.1.1 Format

   The Mobility Header is identified by a Next Header value of TBD <To
   be assigned by IANA> in the immediately preceding header, and has the
   following format:

       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       | Payload Proto |  Header Len   |   MH Type     |   Reserved    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |           Checksum            |                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
       |                                                               |
       .                                                               .
       .                       Message Data                            .
       .                                                               .
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Payload Proto

      8-bit selector.  Identifies the type of header immediately
      following the Mobility Header.  Uses the same values as the IPv6
      Next Header field [11].

      This field is intended to be used by a future extension (see
      Appendix B.1).  Implementations conforming to this specification
      SHOULD set the payload protocol type to IPPROTO_NONE (59 decimal).

   Header Len

      8-bit unsigned integer, representing the length of the Mobility
      Header in units of 8 octets, excluding the first 8 octets.

      The length of the Mobility Header MUST be a multiple of 8 octets.

   MH Type

      8-bit selector.  Identifies the particular mobility message in



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 33]


Internet-Draft          Mobility Support in IPv6           February 2003


      question.  Current values are specified in Section 6.1.2 and
      onward.  An unrecognized MH Type field causes an error indication
      to be sent.

   Reserved

      8-bit field reserved for future use.  The value MUST be
      initialized to zero by the sender, and MUST be ignored by the
      receiver.

   Checksum

      16-bit unsigned integer.  This field contains the checksum of the
      Mobility Header.  The checksum is calculated from the octet string
      consisting of a "pseudo-header" followed by the entire Mobility
      Header starting with the Payload Proto field.  The checksum is the
      16-bit one's complement of the one's complement sum of this
      string.

      The pseudo-header contains IPv6 header fields, as specified in
      Section 8.1 of RFC 2460 [11].  The Next Header value used in the
      pseudo-header is TBD <To be assigned by IANA>.  The addresses used
      in the pseudo-header are the addresses that appear in the Source
      and Destination Address fields in the IPv6 packet carrying the
      Mobility Header.  Note that the procedures of calculating upper
      layer checksums while away from home described in Section 11.3.1
      apply even for the Mobility Header.  If a mobility message has a
      Home Address destination option, then the checksum calculation
      uses the home address in this option as the value of the IPv6
      Source Address field.  The type 2 routing header is treated as
      explained in [11].  The Mobility Header is considered as the upper
      layer protocol for the purposes of calculating the pseudo-header.
      The Upper-Layer Packet Length field in the pseudo-header MUST be
      set to the total length of the Mobility Header.  For computing the
      checksum, the checksum field is set to zero.

   Message Data

      A variable length field containing the data specific to the
      indicated Mobility Header type.

   Mobile IPv6 also defines a number of "mobility options" for use
   within these messages; if included, any options MUST appear after the
   fixed portion of the message data specified in this document.  The
   presence of such options will be indicated by the Header Len field
   within the message.  When the Header Len value is greater than the
   length required for the message specified here, the remaining octets
   are interpreted as mobility options.  These options include padding



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 34]


Internet-Draft          Mobility Support in IPv6           February 2003


   options that can be used to ensure that other options are aligned
   properly, and that the total length of the message is divisible by 8.
   The encoding and format of defined options are described in Section
   6.2.

   Alignment requirements for the Mobility Header are the same as for
   any IPv6 protocol Header.  That is, they MUST be aligned on an
   8-octet boundary.

6.1.2 Binding Refresh Request Message

   The Binding Refresh Request (BRR) message requests a mobile node to
   update its mobility binding.  This message is sent by correspondent
   nodes according to the rules in Section 9.5.5.  When a mobile node
   receives a packet containing a Binding Refresh Request message it
   processes the message according to the rules in Section 11.7.4.

   The Binding Refresh Request message uses the MH Type value 0.  When
   this value is indicated in the MH Type field, the format of the
   Message Data field in the Mobility Header is as follows:

                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |          Reserved             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       .                                                               .
       .                        Mobility options                       .
       .                                                               .
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Reserved

      16-bit field reserved for future use.  The value MUST be
      initialized to zero by the sender, and MUST be ignored by the
      receiver.

   Mobility Options

      Variable-length field of such length that the complete Mobility
      Header is an integer multiple of 8 octets long.  This field
      contains zero or more TLV-encoded mobility options.  The encoding
      and format of defined options are described in Section 6.2.  The
      receiver MUST ignore and skip any options which it does not
      understand.

      There MAY be additional information, associated with this Binding
      Refresh Request message that need not be present in all Binding



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 35]


Internet-Draft          Mobility Support in IPv6           February 2003


      Refresh Request messages sent.  Mobility options allow future
      extensions to the format of the Binding Refresh Request message to
      be defined.  This specification does not define any options valid
      for the Binding Refresh Request message.

   If no actual options are present in this message, no padding is
   necessary and the Header Len field will be set to 0.

6.1.3 Home Test Init Message

   A mobile node uses the Home Test Init (HoTI) message to initiate the
   return routability procedure and request a home keygen token from a
   correspondent node (see Section 11.6.1).  The Home Test Init message
   uses the MH Type value 1.  When this value is indicated in the MH
   Type field, the format of the Message Data field in the Mobility
   Header is as follows:

                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |           Reserved            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                       Home Init Cookie                        +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       .                                                               .
       .                       Mobility Options                        .
       .                                                               .
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Reserved

      16-bit field reserved for future use.  This value MUST be
      initialized to zero by the sender, and MUST be ignored by the
      receiver.

   Home Init Cookie

      64-bit field which contains a random value, the home init cookie.

   Mobility Options

      Variable-length field of such length that the complete Mobility
      Header is an integer multiple of 8 octets long.  This field
      contains zero or more TLV-encoded mobility options.  The receiver
      MUST ignore and skip any options which it does not understand.
      This specification does not define any options valid for the Home



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 36]


Internet-Draft          Mobility Support in IPv6           February 2003


      Test Init message.

   If no actual options are present in this message, no padding is
   necessary and the Header Len field will be set to 1.

   This message is tunneled through the home agent when the mobile node
   is away from home.  Such tunneling SHOULD employ IPsec ESP in tunnel
   mode between the home agent and the mobile node.  This protection is
   indicated by the IPsec security policy database.  The protection of
   Home Test Init messages is unrelated to the requirement to protect
   regular payload traffic, which MAY use such tunnels as well.

6.1.4 Care-of Test Init Message

   A mobile node uses the Care-of Test Init (CoTI) message to initiate
   the return routability procedure and request a care-of keygen token
   from a correspondent node (see Section 11.6.1).  The Care-of Test
   Init message uses the MH Type value 2.  When this value is indicated
   in the MH Type field, the format of the Message Data field in the
   Mobility Header is as follows:

                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |           Reserved            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                      Care-of Init Cookie                      +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       .                                                               .
       .                        Mobility Options                       .
       .                                                               .
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Reserved

      16-bit field reserved for future use.  The value MUST be
      initialized to zero by the sender, and MUST be ignored by the
      receiver.

   Care-of Init Cookie

      64-bit field which contains a random value, the care-of init
      cookie.






Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 37]


Internet-Draft          Mobility Support in IPv6           February 2003


   Mobility Options

      Variable-length field of such length that the complete Mobility
      Header is an integer multiple of 8 octets long.  This field
      contains zero or more TLV-encoded mobility options.  The receiver
      MUST ignore and skip any options which it does not understand.
      This specification does not define any options valid for the
      Care-of Test Init message.

   If no actual options are present in this message, no padding is
   necessary and the Header Len field will be set to 1.

6.1.5 Home Test Message

   The Home Test (HoT) message is a response to the Home Test Init
   message, and is sent from the correspondent node to the mobile node
   (see Section 5.2.5).  The Home Test message uses the MH Type value 3.
   When this value is indicated in the MH Type field, the format of the
   Message Data field in the Mobility Header is as follows:

                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |       Home Nonce Index        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                        Home Init Cookie                       +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                       Home Keygen Token                       +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       .                                                               .
       .                        Mobility options                       .
       .                                                               .
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Home Nonce Index

      This field will be echoed back by the mobile node to the
      correspondent node in a subsequent Binding Update.

   Home Init Cookie

      64-bit field which contains the home init cookie.





Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 38]


Internet-Draft          Mobility Support in IPv6           February 2003


   Home Keygen Token

      This field contains the 64 bit home keygen token used in the
      return routability procedure.

   Mobility Options

      Variable-length field of such length that the complete Mobility
      Header is an integer multiple of 8 octets long.  This field
      contains zero or more TLV-encoded mobility options.  The receiver
      MUST ignore and skip any options which it does not understand.
      This specification does not define any options valid for the Home
      Test message.

   If no actual options are present in this message, no padding is
   necessary and the Header Len field will be set to 2.

6.1.6 Care-of Test Message

   The Care-of Test (CoT) message is a response to the Care-of Test Init
   message, and is sent from the correspondent node to the mobile node
   (see Section 11.6.2).  The Care-of Test message uses the MH Type
   value 4.  When this value is indicated in the MH Type field, the
   format of the Message Data field in the Mobility Header is as
   follows:

                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |      Care-of Nonce Index      |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                      Care-of Init Cookie                      +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                     Care-of Keygen Token                      +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       .                                                               .
       .                        Mobility Options                       .
       .                                                               .
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Care-of Nonce Index

      This value will be echoed back by the mobile node to the
      correspondent node in a subsequent Binding Update.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 39]


Internet-Draft          Mobility Support in IPv6           February 2003


   Care-of Init Cookie

      64-bit field which contains the care-of init cookie.

   Care-of Keygen Token

      This field contains the 64 bit care-of keygen token used in the
      return routability procedure.

   Mobility Options

      Variable-length field of such length that the complete Mobility
      Header is an integer multiple of 8 octets long.  This field
      contains zero or more TLV-encoded mobility options.  The receiver
      MUST ignore and skip any options which it does not understand.
      This specification does not define any options valid for the
      Care-of Test message.

   If no actual options are present in this message, no padding is
   necessary and the Header Len field will be set to 2.

6.1.7 Binding Update Message

   The Binding Update (BU) message is used by a mobile node to notify
   other nodes of a new care-of address for itself.  Binding Updates are
   sent as described in Section 11.7.1 and Section 11.7.2.

   The Binding Update uses the MH Type value 5.  When this value is
   indicated in the MH Type field, the format of the Message Data field
   in the Mobility Header is as follows:

                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |          Sequence #           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |A|H|L|K|        Reserved       |           Lifetime            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       .                                                               .
       .                        Mobility options                       .
       .                                                               .
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Acknowledge (A)

      The Acknowledge (A) bit is set by the sending mobile node to
      request a Binding Acknowledgement (Section 6.1.8) be returned upon
      receipt of the Binding Update.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 40]


Internet-Draft          Mobility Support in IPv6           February 2003


   Home Registration (H)

      The Home Registration (H) bit is set by the sending mobile node to
      request that the receiving node should act as this node's home
      agent.  The destination of the packet carrying this message MUST
      be that of a router sharing the same subnet prefix as the home
      address of the mobile node in the binding.

   Link-Local Address Compatibility (L)

      The Link-Local Address Compatibility (L) bit is set when the home
      address reported by the mobile node has the same interface
      identifier as the mobile node's link-local address.

   Key Management Mobility Capability (K)

      If this bit is cleared, the protocol used for establishing the
      IPsec security associations between the mobile node and the home
      agent does not survive movements.  It may then have to be rerun.
      (Note that the IPsec security associations themselves are expected
      to survive movements.) If manual IPsec configuration is used, the
      bit MUST be set to 1.

      This bit is valid only in Binding Updates sent to the home agent,
      and MUST be cleared in other Binding Updates.  Correspondent nodes
      MUST ignore this bit.

   Reserved

      These fields are unused.  They MUST be initialized to zero by the
      sender and MUST be ignored by the receiver.

   Sequence #

      A 16-bit unsigned integer used by the receiving node to sequence
      Binding Updates and by the sending node to match a returned
      Binding Acknowledgement with this Binding Update.

   Lifetime

      16-bit unsigned integer.  The number of time units remaining
      before the binding MUST be considered expired.  A value of zero
      indicates that the Binding Cache entry for the mobile node MUST be
      deleted.  (In this case the specified care-of address MUST also be
      set equal to the home address.) One time unit is 4 seconds.






Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 41]


Internet-Draft          Mobility Support in IPv6           February 2003


   Mobility Options

      Variable-length field of such length that the complete Mobility
      Header is an integer multiple of 8 octets long.  This field
      contains zero or more TLV-encoded mobility options.  The encoding
      and format of defined options are described in Section 6.2.  The
      receiver MUST ignore and skip any options which it does not
      understand.

      The following options are valid in a Binding Update:

      *  Binding Authorization Data option

      *  Nonce Indices option.

      *  Alternate Care-of Address option

   If no options are present in this message, 4 bytes of padding is
   necessary and the Header Len field will be set to 1.

   The care-of address is specified either by the Source Address field
   in the IPv6 header or by the Alternate Care-of Address option, if
   present.  The care-of address MUST be a unicast routable address.
   IPv6 Source Adress MUST be a topologically correct source address.
   Binding Updates for a care-of address which is not a unicast routable
   address MUST be silently discarded.

   The deletion of a binding can be indicated by setting the Lifetime
   field to 0 and by setting the care-of address equal to the home
   address.  In deletion, the generation of the binding management key
   depends exclusively on the home keygen token, as explained in Section
   5.2.5.  (Note that while the senders are required to set both the
   Lifetime field to 0 and the care-of address equal to the home
   address, Section 9.5.1 rules for receivers are more liberal, and
   interprete either condition as a deletion.)

   Correspondent nodes SHOULD NOT expire the Binding Cache entry before
   the lifetime expires, if any application hosted by the correspondent
   node is still likely to require communication with the mobile node.
   A Binding Cache entry that is deallocated prematurely might cause
   subsequent packets to be dropped from the mobile node, if they
   contain the Home Address destination option.  This situation is
   recoverable, since an Binding Error message is sent to the mobile
   node (see Section 6.1.9); however, it causes unnecessary delay in the
   communications.

6.1.8 Binding Acknowledgement Message




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 42]


Internet-Draft          Mobility Support in IPv6           February 2003


   The Binding Acknowledgement is used to acknowledge receipt of a
   Binding Update (Section 6.1.7).  This packet is sent as described in
   Section 9.5.4 and Section 10.3.1.

   The Binding Acknowledgement has the MH Type value 6.  When this value
   is indicated in the MH Type field, the format of the Message Data
   field in the Mobility Header is as follows:

                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |    Status     |K|  Reserved   |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |           Sequence #          |           Lifetime            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       .                                                               .
       .                        Mobility options                       .
       .                                                               .
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Key Management Mobility Capability (K)

      If this bit is cleared, the protocol used by the home agent for
      establishing the IPsec security associations between the mobile
      node and the home agent does not survive movements.  It may then
      have to be rerun.  (Note that the IPsec security associations
      themselves are expected to survive movements.)

      Correspondent nodes MUST set the K bit to 0.

   Reserved

      These fields are unused.  They MUST be initialized to zero by the
      sender and MUST be ignored by the receiver.

   Status

      8-bit unsigned integer indicating the disposition of the Binding
      Update.  Values of the Status field less than 128 indicate that
      the Binding Update was accepted by the receiving node.  Values
      greater than or equal to 128 indicate that the Binding Update was
      rejected by the receiving node.  The following Status values are
      currently defined:

           0 Binding Update accepted






Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 43]


Internet-Draft          Mobility Support in IPv6           February 2003


           1 Accepted but prefix discovery necessary

         128 Reason unspecified

         129 Administratively prohibited

         130 Insufficient resources

         131 Home registration not supported

         132 Not home subnet

         133 Not home agent for this mobile node

         134 Duplicate Address Detection failed

         135 Sequence number out of window

         136 Expired home nonce index

         137 Expired care-of nonce index

         138 Expired nonces


      Up-to-date values of the Status field are to be specified in the
      IANA registry of assigned numbers [19].

   Sequence #

      The Sequence Number in the Binding Acknowledgement is copied from
      the Sequence Number field in the Binding Update.  It is used by
      the mobile node in matching this Binding Acknowledgement with an
      outstanding Binding Update.

   Lifetime

      The granted lifetime, in time units of 4 seconds, for which this
      node SHOULD retain the entry for this mobile node in its Binding
      Cache.

      The value of this field is undefined if the Status field indicates
      that the Binding Update was rejected.

   Mobility Options

      Variable-length field of such length that the complete Mobility
      Header is an integer multiple of 8 octets long.  This field



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 44]


Internet-Draft          Mobility Support in IPv6           February 2003


      contains zero or more TLV-encoded mobility options.  The encoding
      and format of defined options are described in Section 6.2.  The
      receiver MUST ignore and skip any options which it does not
      understand.

      There MAY be additional information, associated with this Binding
      Acknowledgement that need not be present in all Binding
      Acknowledgements sent.  Mobility options allow future extensions
      to the format of the Binding Acknowledgement to be defined.  The
      following options are valid for the Binding Acknowledgement:

      *  Binding Authorization Data option

      *  Binding Refresh Advice option

   If no options are present in this message, 4 bytes of padding is
   necessary and the Header Len field will be set to 1.

6.1.9 Binding Error Message

   The Binding Error (BE) message is used by the correspondent node to
   signal an error related to mobility, such as an inappropriate attempt
   to use the Home Address destination option without an existing
   binding; see Section 9.3.3 for details.

   The Binding Error message uses the MH Type value 7.  When this value
   is indicated in the MH Type field, the format of the Message Data
   field in the Mobility Header is as follows:

                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |     Status    |   Reserved    |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                                                               +
       |                                                               |
       +                          Home Address                         +
       |                                                               |
       +                                                               +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       .                                                               .
       .                        Mobility Options                       .
       .                                                               .
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+






Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 45]


Internet-Draft          Mobility Support in IPv6           February 2003


   Status

      8-bit unsigned integer indicating the reason for this message.
      The following values are currently defined:

           1 Unknown binding for Home Address destination option

           2 Unrecognized MH Type value

   Reserved

      A 8-bit field reserved for future use.  The value MUST be
      initialized to zero by the sender, and MUST be ignored by the
      receiver.

   Home Address

      The home address that was contained in the Home Address
      destination option.  The mobile node uses this information to
      determine which binding does not exist, in cases where the mobile
      node has several home addresses.

   Mobility Options

      Variable-length field of such length that the complete Mobility
      Header is an integer multiple of 8 octets long.  This field
      contains zero or more TLV-encoded mobility options.  The receiver
      MUST ignore and skip any options which it does not understand.

      There MAY be additional information, associated with this Binding
      Error message that need not be present in all Binding Error
      messages sent.  Mobility options allow future extensions to the
      format of the format of the Binding Error message to be defined.
      The encoding and format of defined options are described in
      Section 6.2.  This specification does not define any options valid
      for the Binding Error message.

   If no actual options are present in this message, no padding is
   necessary and the Header Len field will be set to 2.

6.2 Mobility Options

   Mobility messages can include zero or more mobility options.  This
   allows optional fields that may not be needed in every use of a
   particular Mobility Header, as well as future extensions to the
   format of the messages.  Such options are included in the Message
   Data field of the message itself, after the fixed portion of the
   message data specified in the message subsections of Section 6.1.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 46]


Internet-Draft          Mobility Support in IPv6           February 2003


   The presence of such options will be indicated by the Header Len of
   the Mobility Header.  If included, the Binding Authorization Data
   option (Section 6.2.7) MUST be the last option and MUST NOT have
   trailing padding.  Otherwise, options can be placed in any order.

6.2.1 Format

   Mobility options are encoded within the remaining space of the
   Message Data field of a mobility message, using a type-length-value
   (TLV) format as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Option Type  | Option Length |   Option Data...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Option Type

      8-bit identifier of the type of mobility option.  When processing
      a Mobility Header containing an option for which the Option Type
      value is not recognized by the receiver, the receiver MUST quietly
      ignore and skip over the option, correctly handling any remaining
      options in the message.

   Option Length

      8-bit unsigned integer, representing the length in octets of the
      mobility option, not including the Option Type and Option Length
      fields.

   Option Data

      A variable length field that contains data specific to the option.

   The following subsections specify the Option types which are
   currently defined for use in the Mobility Header.

   Implementations MUST silently ignore any mobility options that they
   do not understand.

   Mobility options may have alignment requirements.  Following the
   convention in IPv6, these options are aligned in a packet so that
   multi-octet values within the Option Data field of each option fall
   on natural boundaries (i.e., fields of width n octets are placed at
   an integer multiple of n octets from the start of the header, for n =
   1, 2, 4, or 8) [11].




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 47]


Internet-Draft          Mobility Support in IPv6           February 2003


6.2.2 Pad1

   The Pad1 option does not have any alignment requirements.  Its format
   is as follows:

        0
        0 1 2 3 4 5 6 7
       +-+-+-+-+-+-+-+-+
       |   Type = 0    |
       +-+-+-+-+-+-+-+-+

   NOTE! the format of the Pad1 option is a special case - it has
   neither Option Length nor Option Data fields.

   The Pad1 option is used to insert one octet of padding in the
   Mobility Options area of a Mobility Header.  If more than one octet
   of padding is required, the PadN option, described next, should be
   used rather than multiple Pad1 options.

6.2.3 PadN

   The PadN option does not have any alignment requirements.  Its format
   is as follows:

        0                   1
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
       |   Type = 1    | Option Length | Option Data
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -

   The PadN option is used to insert two or more octets of padding in
   the Mobility Options area of a mobility message.  For N octets of
   padding, the Option Length field contains the value N-2, and the
   Option Data consists of N-2 zero-valued octets.  PadN Option data
   MUST be ignored by the receiver.

6.2.4 Binding Refresh Advice

   The Binding Refresh Advice option has an alignment requirement of 2n.
   Its format is as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |   Type = 2    |   Length = 2  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |       Refresh Interval        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 48]


Internet-Draft          Mobility Support in IPv6           February 2003


   The Binding Refresh Advice option is only valid in the Binding
   Acknowledgement, and only on Binding Acknowledgements sent from the
   mobile node's home agent in reply to a home registration.  The
   Refresh Interval is measured in units of four seconds, and indicates
   how long before the mobile node SHOULD send a new home registration
   to the home agent.  The Refresh Interval MUST be set to indicate a
   smaller time interval than the Lifetime value of the Binding
   Acknowledgement.

6.2.5 Alternate Care-of Address

   The Alternate Care-of Address option has an alignment requirement of
   8n+6.  Its format is as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |   Type = 3    |  Length = 16  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                                                               +
       |                                                               |
       +                   Alternate Care-of Address                   +
       |                                                               |
       +                                                               +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Normally, a Binding Update specifies the desired care-of address in
   the Source Address field of the IPv6 header.  However, this is not
   possible in some cases, such as when the mobile node wishes to
   indicate a care-of address which it can not use as a topologically
   correct source address (Section 6.1.7 and Section 11.7.2) or when the
   used security mechanism does not protect the IPv6 header (Section
   11.7.1).

   The Alternate Care-of Address option is provided for these
   situations.  This option is valid only in Binding Update.  The
   Alternate Care-of Address field contains an address to use as the
   care-of address for the binding, rather than using the Source Address
   of the packet as the care-of address.

6.2.6 Nonce Indices

   The Nonce Indices option has an alignment requirement of 2n.  Its
   format is as follows:





Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 49]


Internet-Draft          Mobility Support in IPv6           February 2003


        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |   Type = 4    |   Length = 4  |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         Home Nonce Index      |     Care-of Nonce Index       |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The Nonce Indices option is valid only in the Binding Update message
   sent to a correspondent node, and only when present together with a
   Binding Authorization Data option.  When the correspondent node
   authorizes the Binding Update, it needs to produce home and care-of
   keygen tokens from its stored random nonce values.

   The Home Nonce Index field tells the correspondent node which nonce
   value to use when producing the home keygen token.

   The Care-of Nonce Index field is ignored in requests to delete a
   binding.  Otherwise, it tells the correspondent node which nonce
   value to use when producing the care-of keygen token.

6.2.7 Binding Authorization Data

   The Binding Authorization Data option does not have alignment
   requirements as such.  However, since this option must be the last
   mobility option, an implicit alignment requirement is 8n + 2.  The
   format of this option is as follows:

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                       |   Type = 5    | Option Length |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                                                               +
       |                         Authenticator                         |
       +                                                               +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The Binding Authorization Data option is valid in the Binding Update
   and Binding Acknowledgement.

   The Option Length field contains the length of the authenticator in
   octets.

   The Authenticator field contains a cryptographic value which can be
   used to determine that the message in question comes from the right



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 50]


Internet-Draft          Mobility Support in IPv6           February 2003


   authority.  Rules for calculating this value depend on the used
   authorization procedure.

   For the return routability procedure, this option can appear in the
   Binding Update and Binding Acknowledgements.  Rules for calculating
   the Authenticator value are the following:

     Mobility Data = care-of address | final dest | Mobility Header Data
     Authenticator = First (96, HMAC_SHA1 (Kbm, Mobility Data))

   Where | denotes concatenation and "final dest" is the IPv6 address of
   the final destination of the packet.  "Mobility Header Data" is the
   content of the Mobility Header, excluding the Authenticator field
   itself.  The Authenticator value is calculated as if the Checksum
   field in the Mobility Header was zero.  The Checksum in the
   transmitted packet is still calculated in the usual manner, with the
   calculated Authenticator being a part of the packet protected by the
   Checksum.  Kbm is the binding management key, which is typically
   created using nonces provided by the correspondent node (see Section
   9.4).

   The first 96 bits from the MAC result are used as the Authenticator
   field.  Note that, if the message is sent to a destination which is
   itself mobile, the "final dest" address may not be the address found
   in the Destination Address field of the IPv6 header; instead the home
   address from the Home Address destination option should be used.

6.3 Home Address Option

   The Home Address option is carried by the Destination Option
   extension header (Next Header value = 60).  It is used in a packet
   sent by a mobile node while away from home, to inform the recipient
   of the mobile node's home address.

   The Home Address option is encoded in type-length-value (TLV) format
   as follows:















Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 51]


Internet-Draft          Mobility Support in IPv6           February 2003


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                      |  Option Type  | Option Length |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      +                                                               +
      |                                                               |
      +                          Home Address                         +
      |                                                               |
      +                                                               +
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Option Type

      201 = 0xC9

   Option Length

      8-bit unsigned integer.  Length of the option, in octets,
      excluding the Option Type and Option Length fields.  This field
      MUST be set to 16.

   Home Address

      The home address of the mobile node sending the packet.  This
      address MUST be a unicast routable address.

   The alignment requirement [11] for the Home Address option is 8n+6.

   The three highest-order bits of the Option Type field are encoded to
   indicate specific processing of the option [11]; for the Home Address
   option, these three bits are set to 110.  This indicates the
   following processing requirements:

   o  Any IPv6 node that does not recognize the Option Type must discard
      the packet.

   o  If the packet's Destination Address was not a multicast address,
      return an ICMP Parameter Problem, Code 2, message to the packet's
      Source Address; otherwise, for multicast addresses, the ICMP
      message MUST NOT be sent.

   o  The data within the option cannot change en-route to the packet's
      final destination.

   The Home Address option MUST be placed as follows:



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 52]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  After the routing header, if that header is present

   o  Before the Fragment Header, if that header is present

   o  Before the AH Header or ESP Header, if either one of those headers
      is present

   For each IPv6 packet header, the Home Address Option MUST NOT appear
   more than once.  However, an encapsulated packet [15] MAY contain a
   separate Home Address option associated with each encapsulating IP
   header.

   The inclusion of a Home Address destination option in a packet
   affects the receiving node's processing of only this single packet.
   No state is created or modified in the receiving node as a result of
   receiving a Home Address option in a packet.  In particular, the
   presence of a Home Address option in a received packet MUST NOT alter
   the contents of the receiver's Binding Cache and MUST NOT cause any
   changes in the routing of subsequent packets sent by this receiving
   node.

6.4 Type 2 Routing Header

   Mobile IPv6 defines a new routing header variant, the type 2 routing
   header, to allow the packet to be routed directly from a
   correspondent to the mobile node's care-of address.  The mobile
   node's care-of address is inserted into the IPv6 Destination Address
   field.  Once the packet arrives at the care-of address, the mobile
   node retrieves its home address from the routing header, and this is
   used as the final destination address for the packet.

   The new routing header uses a different type than defined for
   "regular" IPv6 source routing, enabling firewalls to apply different
   rules to source routed packets than to Mobile IPv6.  This routing
   header type (type 2) is restricted to carry only one IPv6 address.
   All IPv6 nodes which process this routing header MUST verify that the
   address contained within is the node's own home address in order to
   prevent packets from being forwarded outside the node.  The IP
   address contained in the routing header, since it is the mobile
   node's home address, MUST be a unicast routable address.
   Furthermore, if the scope of the home address is smaller than the
   scope of the care-of address, the mobile node MUST discard the packet
   (see Section 4.6).

6.4.1 Format

   The type 2 routing header has the following format:




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 53]


Internet-Draft          Mobility Support in IPv6           February 2003


       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |  Next Header  | Hdr Ext Len=2 | Routing Type=2|Segments Left=1|
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                            Reserved                           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       +                                                               +
       |                                                               |
       +                         Home Address                          +
       |                                                               |
       +                                                               +
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Next Header

      8-bit selector.  Identifies the type of header immediately
      following the routing header.  Uses the same values as the IPv6
      Next Header field [11].

   Hdr Ext Len

      2 (8-bit unsigned integer);  length of the routing header in
      8-octet units, not including the first 8 octets

   Routing Type

      2 (8-bit unsigned integer).

   Segments Left

      1 (8-bit unsigned integer).

   Reserved

      32-bit reserved field.  The value MUST be initialized to zero by
      the sender, and MUST be ignored by the receiver.

   Home Address

      The Home Address of the destination Mobile Node.

   For a type 2 routing header, the Hdr Ext Len MUST be 2.  The Segments
   Left value describes the number of route segments remaining; i.e.,
   number of explicitly listed intermediate nodes still to be visited
   before reaching the final destination.  Segments Left MUST be 1.  The
   ordering rules for extension headers in an IPv6 packet are described
   in Section 4.1 of RFC 2460 [11].  The type 2 routing header defined



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 54]


Internet-Draft          Mobility Support in IPv6           February 2003


   for Mobile IPv6 follows the same ordering as other routing headers.
   If both a type 0 and a type 2 routing header are present, the type 2
   routing header should follow the other routing header.  A packet
   containing such nested encapsulation should be created as if the
   inner (type 2) routing header was constructed first and then treated
   as an original packet by the outer (type 0) routing header
   construction process.

   In addition, the general procedures defined by IPv6 for routing
   headers suggest that a received routing header MAY be automatically
   "reversed" to construct a routing header for use in any response
   packets sent by upper-layer protocols, if the received packet is
   authenticated [6].  This MUST NOT be done automatically for type 2
   routing headers.

6.5 ICMP Home Agent Address Discovery Request Message

   The ICMP Home Agent Address Discovery Request message is used by a
   mobile node to initiate the dynamic home agent address discovery
   mechanism, as described in Section 11.4.1.  The mobile node sends the
   Home Agent Address Discovery Request message to the Mobile IPv6
   Home-Agents anycast address [16] for its own home subnet prefix.
   (Note that the currently defined anycast addresses may not work with
   all prefix lengths other than those defined in RFC 2373 [3, 33].)

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |            Checksum           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Identifier           |            Reserved           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      150 <To Be Assigned by IANA>

   Code

      0

   Checksum

      The ICMP checksum [14].

   Identifier

      An identifier to aid in matching Home Agent Address Discovery



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 55]


Internet-Draft          Mobility Support in IPv6           February 2003


      Reply messages to this Home Agent Address Discovery Request
      message.

   Reserved

      This field is unused.  It MUST be initialized to zero by the
      sender and MUST be ignored by the receiver.

   The Source Address of the Home Agent Address Discovery Request
   message packet is typically one of the mobile node's current care-of
   addresses.  At the time of performing this dynamic home agent address
   discovery procedure, it is likely that the mobile node is not
   registered with any home agent.  Therefore, neither the nature of the
   address nor the identity of the mobile node can be established at
   this time.  The home agent MUST then return the Home Agent Address
   Discovery Reply message directly to the Source Address chosen by the
   mobile node.

6.6 ICMP Home Agent Address Discovery Reply Message

   The ICMP Home Agent Address Discovery Reply message is used by a home
   agent to respond to a mobile node that uses the dynamic home agent
   address discovery mechanism, as described in Section 10.5.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |            Checksum           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           Identifier          |             Reserved          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      +                                                               +
      .                                                               .
      .                      Home Agent Addresses                     .
      .                                                               .
      +                                                               +
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      151 <To Be Assigned by IANA>

   Code

      0




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 56]


Internet-Draft          Mobility Support in IPv6           February 2003


   Checksum

      The ICMP checksum [14].

   Identifier

      The identifier from the invoking Home Agent Address Discovery
      Request message.

   Reserved

      This field is unused.  It MUST be initialized to zero by the
      sender and MUST be ignored by the receiver.

   Home Agent Addresses

      A list of addresses of home agents on the home link for the mobile
      node.  The number of addresses present in the list is indicated by
      the remaining length of the IPv6 packet carrying the Home Agent
      Address Discovery Reply message.


6.7 ICMP Mobile Prefix Solicitation Message Format

   The ICMP Mobile Prefix Solicitation Message is sent by a mobile node
   to its home agent while it is away from home.  The purpose of the
   message is to solicit a Mobile Prefix Advertisement from the home
   agent, which will allow the mobile node to gather prefix information
   about its home network.  This information can be used to configure
   and update home address(es) according to changes in prefix
   information supplied by the home agent.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |          Checksum             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Identifier           |            Reserved           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   IP Fields:

   Source Address

      The mobile node's care-of address.






Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 57]


Internet-Draft          Mobility Support in IPv6           February 2003


   Destination Address

      The address of the mobile node's home agent.  This home agent must
      be on the link which the mobile node wishes to learn prefix
      information about.

   Hop Limit

      Set to an initial hop limit value, similarly to any other unicast
      packet sent by the mobile node.

   Destination Option:



      A Home Address destination option MUST be included.

   ESP header:



      IPsec headers MUST be supported and SHOULD be used as described in
      Section 5.4.

   ICMP Fields:

   Type

      152 <To Be Assigned by IANA>

   Code

      0

   Checksum

      The ICMP checksum [14].

   Identifier

      An identifier to aid in matching a future Mobile Prefix
      Advertisement to this Mobile Prefix Solicitation.

   Reserved

      This field is unused.  It MUST be initialized to zero by the
      sender and MUST be ignored by the receiver.




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 58]


Internet-Draft          Mobility Support in IPv6           February 2003


6.8 ICMP Mobile Prefix Advertisement Message Format

   A home agent will send a Mobile Prefix Advertisement to a mobile node
   to distribute prefix information about the home link while the mobile
   node is traveling away from the home network.  This will occur in
   response to a Mobile Prefix Solicitation with an Advertisement, or by
   an unsolicited Advertisement sent according to the rules in Section
   10.6.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |          Checksum             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Identifier           |M|O|        Reserved           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           Options ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   IP Fields:

   Source Address

      The home agent's address as the mobile node would expect to see it
      (i.e., same network prefix).

   Destination Address

      If this message is a response to a Mobile Prefix Solicitation,
      this field contains the Source Address field from that packet.
      For unsolicited messages, the mobile node's care-of address SHOULD
      be used.  Note that unsolicited messages can only be sent if the
      mobile node is currently registered with the home agent.

   Routing header:



      A type 2 routing header MUST be included.

   ESP header:



      IPsec headers MUST be supported and SHOULD be used as described in
      Section 5.4.

   ICMP Fields:



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 59]


Internet-Draft          Mobility Support in IPv6           February 2003


   Type

      153 <To Be Assigned by IANA>

   Code

      0

   Checksum

      The ICMP checksum [14].

   Identifier

      An identifier to aid in matching this Mobile Prefix Advertisement
      to a previous Mobile Prefix Solicitation.

   M

      1-bit Managed Address Configuration flag.  When set, hosts use the
      administered (stateful) protocol for address autoconfiguration in
      addition to any addresses autoconfigured using stateless address
      autoconfiguration.  The use of this flag is described in [12, 13].

   O

      1-bit Other Stateful Configuration flag.  When set, hosts use the
      administered (stateful) protocol for autoconfiguration of other
      (non-address) information.  The use of this flag is described in
      [12, 13].

   Reserved

      This field is unused.  It MUST be initialized to zero by the
      sender and MUST be ignored by the receiver.

   Options:

   Prefix Information

      Each message contains one or more Prefix Information options.
      Each option carries the prefix(es) that the mobile node should use
      to configure its home address(es).  Section 10.6 describes which
      prefixes should be advertised to the mobile node.

      The Prefix Information option is defined in Section 4.6.2 of RFC
      2461 [12], with modifications defined in Section 7.2 of this
      specification.  The home agent MUST use this modified Prefix



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 60]


Internet-Draft          Mobility Support in IPv6           February 2003


      Information option to send the aggregate list of home network
      prefixes as defined in Section 10.6.1.

   Future versions of this protocol may define new option types.  Mobile
   nodes MUST silently ignore any options they do not recognize and
   continue processing the message.

   If the Advertisement is sent in response to a Mobile Prefix
   Solicitation, the home agent MUST copy the Identifier value from that
   message into the Identifier field of the Advertisement.

   The home agent MUST NOT send more than one Mobile Prefix
   Advertisement message per second to any mobile node.

   The M and O bits MUST be cleared if the Home Agent DHCPv6 support is
   not provided.  If such support is provided then they are set in
   concert with the home network's administrative settings.


































Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 61]


Internet-Draft          Mobility Support in IPv6           February 2003


7. Modifications to IPv6 Neighbor Discovery

7.1 Modified Router Advertisement Message Format

   Mobile IPv6 modifies the format of the Router Advertisement message
   [12] by the addition of a single flag bit to indicate that the router
   sending the Advertisement message is serving as a home agent on this
   link.  The format of the Router Advertisement message is as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Code      |          Checksum             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Cur Hop Limit |M|O|H| Reserved|       Router Lifetime         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Reachable Time                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Retrans Timer                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |   Options ...
      +-+-+-+-+-+-+-+-+-+-+-+-

   This format represents the following changes over that originally
   specified for Neighbor Discovery [12]:

   Home Agent (H)

      The Home Agent (H) bit is set in a Router Advertisement to
      indicate that the router sending this Router Advertisement is also
      functioning as a Mobile IPv6 home agent on this link.

   Reserved

      Reduced from a 6-bit field to a 5-bit field to account for the
      addition of the above bit.


7.2 Modified Prefix Information Option Format

   Mobile IPv6 requires knowledge of a router's global address in
   building a Home Agents List as part of the dynamic home agent address
   discovery mechanism.

   However, Neighbor Discovery [12] only advertises a router's
   link-local address, by requiring this address to be used as the IP
   Source Address of each Router Advertisement.




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 62]


Internet-Draft          Mobility Support in IPv6           February 2003


   Mobile IPv6 extends Neighbor Discovery to allow a router to advertise
   its global address, by the addition of a single flag bit in the
   format of a Prefix Information option for use in Router Advertisement
   messages.  The format of the Prefix Information option is as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     | Prefix Length |L|A|R|Reserved1|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Valid Lifetime                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Preferred Lifetime                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Reserved2                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      +                                                               +
      |                                                               |
      +                            Prefix                             +
      |                                                               |
      +                                                               +
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   This format represents the following changes over that originally
   specified for Neighbor Discovery [12]:

   Router Address (R)

      1-bit router address flag.  When set, indicates that the Prefix
      field contains a complete IP address assigned to the sending
      router.  The indicated prefix is the first Prefix Length bits of
      the Prefix field.  The router IP address has the same scope and
      conforms to the same lifetime values as the advertised prefix.
      This use of the Prefix field is compatible with its use in
      advertising the prefix itself, since Prefix Advertisement uses
      only the leading bits.  Interpretation of this flag bit is thus
      independent of the processing required for the On-Link (L) and
      Autonomous Address-Configuration (A) flag bits.

   Reserved1

      Reduced from a 6-bit field to a 5-bit field to account for the
      addition of the above bit.

   In a Router Advertisement, a home agent MUST, and all other routers
   MAY, include at least one Prefix Information option with the Router



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 63]


Internet-Draft          Mobility Support in IPv6           February 2003


   Address (R) bit set.  Neighbor Discovery specifies that, if including
   all options in a Router Advertisement causes the size of the
   Advertisement to exceed the link MTU, multiple Advertisements can be
   sent, each containing a subset of the options [12].  In this case, at
   least one (not all) of these multiple Advertisements being sent needs
   to satisfy the above requirement.

7.3 New Advertisement Interval Option Format

   Mobile IPv6 defines a new Advertisement Interval option, used in
   Router Advertisement messages to advertise the interval at which the
   sending router sends unsolicited multicast Router Advertisements.
   The format of the Advertisement Interval option is as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |           Reserved            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                     Advertisement Interval                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      7

   Length

      8-bit unsigned integer.  The length of the option (including the
      type and length fields) in units of 8 octets.  The value of this
      field MUST be 1.

   Reserved

      This field is unused.  It MUST be initialized to zero by the
      sender and MUST be ignored by the receiver.

   Advertisement Interval

      32-bit unsigned integer.  The maximum time, in milliseconds,
      between successive unsolicited router Router Advertisement
      messages sent by this router on this network interface.  Using the
      conceptual router configuration variables defined by Neighbor
      Discovery [12], this field MUST be equal to the value
      MaxRtrAdvInterval, expressed in milliseconds.

   Routers MAY include this option in their Router Advertisements.  A
   mobile node receiving a Router Advertisement containing this option



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 64]


Internet-Draft          Mobility Support in IPv6           February 2003


   SHOULD utilize the specified Advertisement Interval for that router
   in its movement detection algorithm, as described in Section 11.5.1.

   This option MUST be silently ignored for other Neighbor Discovery
   messages.

7.4 New Home Agent Information Option Format

   Mobile IPv6 defines a new Home Agent Information option, used in
   Router Advertisements sent by a home agent to advertise information
   specific to this router's functionality as a home agent.  The format
   of the Home Agent Information option is as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |           Reserved            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Home Agent Preference     |      Home Agent Lifetime      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      8

   Length

      8-bit unsigned integer.  The length of the option (including the
      type and length fields) in units of 8 octets.  The value of this
      field MUST be 1.

   Reserved

      This field is unused.  It MUST be initialized to zero by the
      sender and MUST be ignored by the receiver.

   Home Agent Preference

      16-bit unsigned integer.  The preference for the home agent
      sending this Router Advertisement, for use in ordering the
      addresses returned to a mobile node in the Home Agent Addresses
      field of a Home Agent Address Discovery Reply message.  Higher
      values mean more preferable.  If this option is not included in a
      Router Advertisement in which the Home Agent (H) bit is set, the
      preference value for this home agent MUST be considered to be 0.
      Greater values indicate a more preferable home agent than lower
      values.




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 65]


Internet-Draft          Mobility Support in IPv6           February 2003


      The manual configuration of the Home Agent Preference value is
      described in Section 8.4.  In addition, the sending home agent MAY
      dynamically set the Home Agent Preference value, for example
      basing it on the number of mobile nodes it is currently serving or
      on its remaining resources for serving additional mobile nodes;
      such dynamic settings are beyond the scope of this document.  Any
      such dynamic setting of the Home Agent Preference, however, MUST
      set the preference appropriately, relative to the default Home
      Agent Preference value of 0 that may be in use by some home agents
      on this link (i.e., a home agent not including a Home Agent
      Information option in its Router Advertisements will be considered
      to have a Home Agent Preference value of 0).

   Home Agent Lifetime

      16-bit unsigned integer.  The lifetime associated with the home
      agent in units of seconds.  The default value is the same as the
      Router Lifetime, as specified in the main body of the Router
      Advertisement.  The maximum value corresponds to 18.2 hours.  A
      value of 0 MUST NOT be used.  The Home Agent Lifetime applies only
      to this router's usefulness as a home agent; it does not apply to
      information contained in other message fields or options.

   Home agents MAY include this option in their Router Advertisements.
   This option MUST NOT be included in a Router Advertisement in which
   the Home Agent (H) bit (see Section 7.1) is not set.  If this option
   is not included in a Router Advertisement in which the Home Agent (H)
   bit is set, the lifetime for this home agent MUST be considered to be
   the same as the Router Lifetime in the Router Advertisement.  If
   multiple Advertisements are being sent instead of a single larger
   unsolicited multicast Advertisement, all of the multiple
   Advertisements with the Router Address (R) bit set MUST include this
   option with the same contents, otherwise this option MUST be omitted
   from all Advertisements.

   This option MUST be silently ignored for other Neighbor Discovery
   messages.

   If both the Home Agent Preference and Home Agent Lifetime are set to
   their default values specified above, this option SHOULD NOT be
   included in the Router Advertisement messages sent by this home
   agent.

7.5 Changes to Sending Router Advertisements

   The Neighbor Discovery protocol specification [12] limits routers to
   a minimum interval of 3 seconds between sending unsolicited multicast
   Router Advertisement messages from any given network interface



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 66]


Internet-Draft          Mobility Support in IPv6           February 2003


   (limited by MinRtrAdvInterval and MaxRtrAdvInterval), stating that:

      "Routers generate Router Advertisements frequently enough that
      hosts will learn of their presence within a few minutes, but not
      frequently enough to rely on an absence of advertisements to
      detect router failure; a separate Neighbor Unreachability
      Detection algorithm provides failure detection."

   This limitation, however, is not suitable to providing timely
   movement detection for mobile nodes.  Mobile nodes detect their own
   movement by learning the presence of new routers as the mobile node
   moves into wireless transmission range of them (or physically
   connects to a new wired network), and by learning that previous
   routers are no longer reachable.  Mobile nodes MUST be able to
   quickly detect when they move to a link served by a new router, so
   that they can acquire a new care-of address and send Binding Updates
   to register this care-of address with their home agent and to notify
   correspondent nodes as needed.

   One method which can provide for faster movement detection, is to
   increase the rate at which unsolicited Router Advertisements are
   sent.  Mobile IPv6 relaxes this limit such that routers MAY send
   unsolicited multicast Router Advertisements more frequently.  This
   method can be applied where the router is expecting to provide
   service to visiting mobile nodes (e.g., wireless network interfaces),
   or on which it is serving as a home agent to one or more mobile nodes
   (who may return home and need to hear its Advertisements).

   Routers supporting mobility SHOULD be able to be configured with a
   smaller MinRtrAdvInterval value and MaxRtrAdvInterval value to allow
   sending of unsolicited multicast Router Advertisements more often.
   The minimum allowed values are:

   o  MinRtrAdvInterval 0.03 seconds

   o  MaxRtrAdvInterval 0.07 seconds

   In the case where the minimum intervals and delays are used, the mean
   time between unsolicited multicast router advertisements is 50ms.
   Use of these modified limits MUST be configurable (see also the
   configuration variable MinDelayBetweenRas in Section 13 which may
   also have to be modified accordingly).  Systems where these values
   are available MUST NOT default to them, and SHOULD default to values
   specified in RFC 2461.  Knowledge of the type of network interface
   and operating environment SHOULD be taken into account in configuring
   these limits for each network interface.  This is important with some
   wireless links, where increasing the frequency of multicast beacons
   can cause considerable overhead.  Routers SHOULD adhere to the



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 67]


Internet-Draft          Mobility Support in IPv6           February 2003


   intervals specified in RFC 2461 [12], if this overhead is likely to
   cause service degradation.

   Additionally, the possible low values of MaxRtrAdvInterval may cause
   some problems with movement detection in some mobile nodes.  To
   ensure that this is not a problem, Routers SHOULD add 20ms to any
   Advertisement Intervals sent in RAs, which are below 200 ms, in order
   to account for scheduling granularities on both the MN and the
   Router.

   Note that multicast Router Advertisements are not always required in
   certain wireless networks that have limited bandwidth.  Mobility
   detection or link changes in such networks may be done at lower
   layers.  Router advertisements in such networks SHOULD be sent only
   when solicited.  In such networks it SHOULD be possible to disable
   unsolicited multicast Router Advertisements on specific interfaces.
   The MinRtrAdvInterval and MaxRtrAdvInterval in such a case can be set
   to some high values.

   When sending unsolicited multicast Router Advertisements more
   frequently than the limit specified in RFC 2461 [12], the sending
   router need not include all options in each of these Advertisements,
   but it SHOULD include at least one Prefix Information option with the
   Router Address (R) bit set (Section 7.2) in each.

   Home agents MUST include the Source Link-Layer Address option in all
   Router Advertisements they send.  This simplifies the process of
   returning home, as discussed in Section 11.5.4.

7.6 Changes to Duplicate Address Detection

   Upon failing Duplicate Address Detection, [13] requires IPv6 nodes to
   stop using the address and wait for reconfiguration.  In addition, if
   the failed address was a link-local address formed from an interface
   identifier, the interface should be disabled.

   Mobile nodes that wish to avoid this situation MAY use temporary
   link-local addresses as follows.  The mobile node SHOULD generate a
   random interface identifier and use it for assigning itself a
   link-local address.  In order to do this, the mobile node applies to
   the link-local address the procedure described in RFC 3041 [18] for
   global addresses.  At most 5 consecutive attempts SHOULD be performed
   to generate such addresses and test them through Duplicate Address
   Detection.  If after these attempts no unique address was found, the
   mobile node SHOULD log a system error and give up attempting to find
   a link-local address on that interface, until the node moves to a new
   link.




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 68]


Internet-Draft          Mobility Support in IPv6           February 2003


8. Requirements for Types of IPv6 Nodes

   Mobile IPv6 places some special requirements on the functions
   provided by different types of IPv6 nodes.  This section summarizes
   those requirements, identifying the functionality each requirement is
   intended to support.

   The requirements are set for the following groups of nodes:

   o  All IPv6 nodes.

   o  All IPv6 nodes with support for route optimization.

   o  All IPv6 routers.

   o  All Mobile IPv6 home agents.

   o  All Mobile IPv6 mobile nodes.

   It is outside the scope of this specification to specify which of
   these groups are mandatory in IPv6.  We only describe what is
   mandatory for a node that supports, for instance, route optimization.
   Other specifications are expected to define the extent of IPv6.

8.1 All IPv6 Nodes

   Any IPv6 node may at any time be a correspondent node of a mobile
   node, either sending a packet to a mobile node or receiving a packet
   from a mobile node.  There are no Mobile IPv6 specific MUST
   requirements for such nodes, and basic IPv6 techniques are
   sufficient.  If a mobile node attempts to set up route optimization
   with a node with only basic IPv6 support, an ICMP error will signal
   that the node does not support such optimizations (Section 11.3.5),
   and communications will flow through the home agent .

8.2 IPv6 Nodes with Support for Route Optimization

   Nodes that implement route optimization are a subset of all IPv6
   nodes on the Internet.  The ability of a correspondent node to
   participate in route optimization is essential for the efficient
   operation of the IPv6 Internet, for the following reasons:

   o  Avoidance of congestion in the home network, and enabling the use
      of lower-performance home agent equipment even for supporting
      thousands of mobile nodes.

   o  Reduced network load across the entire Internet, as mobile devices
      begin to predominate.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 69]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  Reduction of jitter and latency for the communications.

   o  Greater likelihood of success for QoS signaling as tunneling is
      avoided and, again, fewer sources of congestion.

   o  Improved robustness against network partitions, congestion, and
      other problems, since fewer routing path segments are traversed.

   These effects combine to enable much better performance and
   robustness for communications between mobile nodes and IPv6
   correspondent nodes.  Route optimization introduces a small amount of
   additional state for the peers, some additional messaging, and upto
   1.5 roundtrip delays before it can be turned on.  However, it is
   believed that the benefits far outweight the costs in most cases.
   Section 11.3.1 discusses how mobile nodes may avoid route
   optimization for some of the remaining cases, such as very short-term
   communications.

   The following requirements apply to all correspondent nodes that
   support route optimization:

   o  The node MUST be able validate a Home Address option using an
      existing Binding Cache entry, as described in Section 9.3.1.

   o  The node MUST be able to insert a type 2 routing header into
      packets to be sent to a mobile node, as described in Section
      9.3.2.

   o  Unless the correspondent node is also acting as a mobile node, it
      MUST ignore type 2 routing headers and drop all packets that it
      has received with such headers.

   o  The node SHOULD be able to interpret ICMP messages as described in
      Section 9.3.4.

   o  The node MUST be able to send Binding Error messages as described
      in Section 9.3.3.

   o  The node MUST be able to process Mobility Headers as described in
      Section 9.2.

   o  The node MUST be able to participate in a return routability
      procedure (Section 9.4).

   o  The node MUST be able to process Binding Update messages (Section
      9.5).

   o  The node MUST be able to return a Binding Acknowledgement (Section



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 70]


Internet-Draft          Mobility Support in IPv6           February 2003


      9.5.4).

   o  The node MUST be able to maintain a Binding Cache of the bindings
      received in accepted Binding Updates, as described in Section 9.1
      and Section 9.6.

   o  The node MUST allow route optimization to be administratively
      enabled or disabled.  The default SHOULD be enabled.


8.3 All IPv6 Routers

   All IPv6 routers, even those not serving as a home agent for Mobile
   IPv6, have an effect on how well mobile nodes can communicate:

   o  Every IPv6 router SHOULD be able to send an Advertisement Interval
      option (Section 7.3) in each of its Router Advertisements [12], to
      aid movement detection by mobile nodes (as in Section 11.5.1).
      The use of this option in Router Advertisements SHOULD be
      configurable.

   o  Every IPv6 router SHOULD be able to support sending unsolicited
      multicast Router Advertisements at the faster rate described in
      Section 7.5.  If the router supports a faster rate, the used rate
      MUST be configurable.

   o  Each router SHOULD include at least one prefix with the Router
      Address (R) bit set and with its full IP address in its Router
      Advertisements (as described in Section 7.2).

   o  Routers supporting filtering packets with routing headers SHOULD
      support different rules for type 0 and type 2 routing headers (see
      Section 6.4) so that filtering of source routed packets (type 0)
      will not necessarily limit Mobile IPv6 traffic which is delivered
      via type 2 routing headers.


8.4 IPv6 Home Agents

   In order for a mobile node to operate correctly while away from home,
   at least one IPv6 router on the mobile node's home link must function
   as a home agent for the mobile node.  The following additional
   requirements apply to all IPv6 routers that serve as a home agent:

   o  Every home agent MUST be able to maintain an entry in its Binding
      Cache for each mobile node for which it is serving as the home
      agent (Section 10.1 and Section 10.3.1).




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 71]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  Every home agent MUST be able to intercept packets (using proxy
      Neighbor Discovery [12]) addressed to a mobile node for which it
      is currently serving as the home agent, on that mobile node's home
      link, while the mobile node is away from home (Section 10.4.1).

   o  Every home agent MUST be able to encapsulate [15] such intercepted
      packets in order to tunnel them to the primary care-of address for
      the mobile node indicated in its binding in the home agent's
      Binding Cache (Section 10.4.2).

   o  Every home agent MUST support decapsulating [15] reverse tunneled
      packets sent to it from a mobile node's home address.  Every home
      agent MUST also check that the source address in the tunneled
      packets corresponds to the currently registered location of the
      mobile node (Section 10.4.5).

   o  The node MUST be able to process Mobility Headers as described in
      Section 10.2.

   o  Every home agent MUST be able to return a Binding Acknowledgement
      in response to a Binding Update (Section 10.3.1).

   o  Every home agent MUST maintain a separate Home Agents List for
      each link on which it is serving as a home agent, as described in
      Section 10.1 and Section 10.5.1.

   o  Every home agent MUST be able to accept packets addressed to the
      Mobile IPv6 Home-Agents anycast address [16] for the subnet on
      which it is serving as a home agent, and MUST be able to
      participate in dynamic home agent address discovery (Section
      10.5).

   o  Every home agent SHOULD support a configuration mechanism to allow
      a system administrator to manually set the value to be sent by
      this home agent in the Home Agent Preference field of the Home
      Agent Information Option in Router Advertisements that it sends
      (Section 7.4).

   o  Every home agent SHOULD support sending ICMP Mobile Prefix
      Advertisements (Section 6.8), and SHOULD respond to Mobile Prefix
      Solicitations (Section 6.7).  If supported, this behavior MUST be
      configurable, so that home agents can be configured to avoid
      sending such Prefix Advertisements according to the needs of the
      network administration in the home domain.

   o  Every home agent MUST support IPsec ESP for protection of packets
      belonging to the return routability procedure (Section 10.4.6).




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 72]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  Every home agent SHOULD support the multicast group membership
      control protocols as described in Section 10.4.3.  If this support
      is provided, the home agent MUST be capable of using it to
      determine which multicast data packets to forward via the tunnel
      to the mobile node.

   o  Home agents MAY support stateful address autoconfiguration for
      mobile nodes as described in Section 10.4.4.


8.5 IPv6 Mobile Nodes

   Finally, the following requirements apply to all IPv6 nodes capable
   of functioning as mobile nodes:

   o  The node MUST maintain a Binding Update List (Section 11.1).

   o  The node MUST support sending packets containing a Home Address
      option (Section 11.3.1), and follow the required IPsec interaction
      (Section 11.3.2).

   o  The node MUST be able to perform IPv6 encapsulation and
      decapsulation [15].

   o  The node MUST be able to process type 2 routing header as defined
      in Section 6.4 and Section 11.3.3.

   o  The node MUST support receiving a Binding Error message (Section
      11.3.6).

   o  The node MUST support receiving ICMP errors (Section 11.3.5).

   o  The node MUST support movement detection, care-of address
      formation, and returning home (Section 11.5).

   o  The node MUST be able to process Mobility Headers as described in
      Section 11.2.

   o  The node MUST support the return routability procedure (Section
      11.6).

   o  The node MUST be able to send Binding Updates, as specified in
      Section 11.7.1 and Section 11.7.2.

   o  The node MUST be able to receive and process Binding
      Acknowledgements, as specified in Section 11.7.3.

   o  The node MUST support receiving a Binding Refresh Request (Section



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 73]


Internet-Draft          Mobility Support in IPv6           February 2003


      6.1.2), by responding with a Binding Update.

   o  The node MUST support receiving Mobile Prefix Advertisements
      (Section 11.4.3) and reconfiguring its home address based on the
      prefix information contained therein.

   o  The node SHOULD support use of the dynamic home agent address
      discovery mechanism, as described in Section 11.4.1.

   o  The node MUST allow route optimization to be administratively
      enabled or disabled.  The default SHOULD be enabled.

   o  The node MAY support the multicast address listener part of a
      multicast group membership protocol as described in Section
      11.3.4.  If this support is provided, the mobile node MUST be able
      to receive tunneled multicast packets from the home agent.

   o  The node MAY support stateful address autoconfiguration mechanisms
      such as DHCPv6 [28] on the interface represented by the tunnel to
      the home agent.































Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 74]


Internet-Draft          Mobility Support in IPv6           February 2003


9. Correspondent Node Operation

9.1 Conceptual Data Structures

   IPv6 nodes with route optimization support maintain a Binding Cache
   of bindings for other nodes.  A separate Binding Cache SHOULD be
   maintained by each IPv6 node for each of its unicast routable
   addresses.  The Binding Cache MAY be implemented in any manner
   consistent with the external behavior described in this document, for
   example by being combined with the node's Destination Cache as
   maintained by Neighbor Discovery [12].  When sending a packet, the
   Binding Cache is searched before the Neighbor Discovery conceptual
   Destination Cache [12].  That is, any Binding Cache entry for this
   destination SHOULD take precedence over any Destination Cache entry
   for the same destination.

   Each Binding Cache entry conceptually contains the following fields:

   o  The home address of the mobile node for which this is the Binding
      Cache entry.  This field is used as the key for searching the
      Binding Cache for the destination address of a packet being sent.
      If the destination address of the packet matches the home address
      in the Binding Cache entry, this entry SHOULD be used in routing
      that packet.

   o  The care-of address for the mobile node indicated by the home
      address field in this Binding Cache entry.  If the destination
      address of a packet being routed by a node matches the home
      address in this entry, the packet SHOULD be routed to this care-of
      address.  This is described in Section 9.3.2 for packets
      originated by this node.

   o  A lifetime value, indicating the remaining lifetime for this
      Binding Cache entry.  The lifetime value is initialized from the
      Lifetime field in the Binding Update that created or last modified
      this Binding Cache entry.  Once the lifetime of this entry
      expires, the entry MUST be deleted from the Binding Cache.

   o  A flag indicating whether or not this Binding Cache entry is a
      home registration entry (applicable only on nodes which support
      home agent functionality).

   o  The maximum value of the Sequence Number field received in
      previous Binding Updates for this mobile node home address.  The
      Sequence Number field is 16 bits long.  Sequence Number values
      MUST be compared modulo 2**16 as explained in Section 9.5.1.

   o  Usage information for this Binding Cache entry.  This is needed to



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 75]


Internet-Draft          Mobility Support in IPv6           February 2003


      implement the cache replacement policy in use in the Binding
      Cache.  Recent use of a cache entry also serves as an indication
      that a Binding Refresh Request should be sent when the lifetime of
      this entry nears expiration.

   Binding Cache entries not marked as home registrations MAY be
   replaced at any time by any reasonable local cache replacement policy
   but SHOULD NOT be unnecessarily deleted.  The Binding Cache for any
   one of a node's IPv6 addresses may contain at most one entry for each
   mobile node home address.  The contents of a node's Binding Cache
   MUST NOT be changed in response to a Home Address option in a
   received packet.

9.2 Processing Mobility Headers

   Mobility Header processing MUST observe the following rules:

   o  The checksum must be verified as per Section 6.1.  Otherwise, the
      node MUST silently discard the message.

   o  The MH Type field MUST have a known value (Section 6.1.1).
      Otherwise, the node MUST discard the message and issue a Binding
      Error message as described in Section 9.3.3, with Status field set
      to 2 (unrecognized MH Type value).

   o  The Payload Proto field MUST be IPPROTO_NONE (59 decimal).
      Otherwise, the node MUST discard the message and SHOULD send ICMP
      Parameter Problem [14], Code 0, to the Source Address of the
      packet.

   o  The Header Len field in the Mobility Header MUST NOT be less than
      the length specified for this particular type of message in
      Section 6.1.  Otherwise, the node MUST discard the message and
      SHOULD send ICMP Parameter Problem [14], Code 0, to the Source
      Address of the packet.

   Subsequent checks depend on the particular Mobility Header.

9.3 Packet Processing

   This section describes how the correspondent node sends packets to
   the mobile node, and receives packets from it.

9.3.1 Receiving Packets with Home Address Option

   Packets containing a Home Address option MUST be dropped if the given
   home address is not a unicast routable address.




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 76]


Internet-Draft          Mobility Support in IPv6           February 2003


   Mobile nodes are expected to include a Home Address destination
   option in a packet they believe the correspondent node has a Binding
   Cache entry for the home address of a mobile node.  Packets
   containing a Home Address option MUST be dropped if there is no
   corresponding Binding Cache entry.  A corresponding Binding Cache
   entry MUST have the same home address as appears in the Home Address
   destination option, and the currently registered care-of address MUST
   be equal to the source address of the packet.  These tests MUST NOT
   be done for packets that contain a Home Address option and a Binding
   Update.

   If the packet is dropped due the above tests, the correspondent node
   MUST send the Binding Error message as described in Section 9.3.3.
   The Status field in this message should be set to 1 (unknown binding
   for Home Address destination option).

   The correspondent node MUST process the option in a manner consistent
   with exchanging the Home Address field from the Home Address option
   into the IPv6 header and replacing the original value of the Source
   Address field there.  After all IPv6 options have been processed, it
   MUST be possible for upper layers to process the packet without the
   knowledge that it came originally from a care-of address or that a
   Home Address option was used.

   No additional authentication of the Home Address option is required,
   except that if the IPv6 header of a packet is covered by
   authentication, then that authentication MUST also cover the Home
   Address option; this coverage is achieved automatically by the
   definition of the Option Type code for the Home Address option, since
   it indicates that the data within the option cannot change en-route
   to the packet's final destination, and thus the option is included in
   the authentication computation.  By requiring that any authentication
   of the IPv6 header also cover the Home Address option, the security
   of the Source Address field in the IPv6 header is not compromised by
   the presence of a Home Address option.

   When attempting to verify authentication data in a packet that
   contains a Home Address option, the receiving node MUST calculate the
   authentication data as if the following were true: The Home Address
   option contains the care-of address, and the source IPv6 address
   field of the IPv6 header contains the home address.  This conforms
   with the calculation specified in Section 11.3.2.

9.3.2 Sending Packets to a Mobile Node

   Before sending any packet, the sending node SHOULD examine its
   Binding Cache for an entry for the destination address to which the
   packet is being sent.  If the sending node has a Binding Cache entry



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 77]


Internet-Draft          Mobility Support in IPv6           February 2003


   for this address, the sending node SHOULD use a type 2 routing header
   to route the packet to this mobile node (the destination node) by way
   of its care-of address.  When calculating authentication data in a
   packet that contains a type 2 routing header, the correspondent node
   MUST calculate the authentication data as if the following were true:
   The routing header contains the care-of address, the destination IPv6
   address field of the IPv6 header contains the home address, and the
   Segments Left field is zero.  The IPsec Security Policy Database
   lookup MUST based on the mobile node's home address.

   For instance, assuming there are no additional routing headers in
   this packet beyond those needed by Mobile IPv6, the correspondent
   node could set the fields in the packet's IPv6 header and routing
   header as follows:

   o  The Destination Address in the packet's IPv6 header is set to the
      mobile node's home address (the original destination address to
      which the packet was being sent).

   o  The routing header is initialized to contain a single route
      segment, containing the mobile node's care-of address copied from
      the Binding Cache entry.  The Segments Left field is, however,
      temporarily set to zero.

   The IP layer will insert the routing header before performing any
   necessary IPsec processing.  Once all IPsec processing has been
   performed, the node swaps the IPv6 destination field with the Home
   Address field in the routing header, sets the Segments Left field to
   one, and sends the packet.  This ensures the AH calculation is done
   on the packet in the form it will have on the receiver after
   advancing the routing header.

   Following the definition of a type 2 routing header in Section 6.4,
   this packet will be routed to the mobile node's care-of address,
   where it will be delivered to the mobile node (the mobile node has
   associated the care-of address with its network interface).

   Note that following the above conceptual model in an implementation
   creates some additional requirements for path MTU discovery since the
   layer that decides the packet size (e.g., TCP and applications using
   UDP) needs to be aware of the size of the headers added by the IP
   layer on the sending node.

   If, instead, the sending node has no Binding Cache entry for the
   destination address to which the packet is being sent, the sending
   node simply sends the packet normally, with no routing header.  If
   the destination node is not a mobile node (or is a mobile node that
   is currently at home), the packet will be delivered directly to this



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 78]


Internet-Draft          Mobility Support in IPv6           February 2003


   node and processed normally by it.  If, however, the destination node
   is a mobile node that is currently away from home, the packet will be
   intercepted by the mobile node's home agent and tunneled to the
   mobile node's current primary care-of address.

9.3.3 Sending Binding Error Messages

   Section 9.2 and Section 9.3.1 describe error conditions that lead to
   a need to send a Binding Error message.

   A Binding Error message is sent to the address that appeared in the
   IPv6 Source Address field of the offending packet.  If the Source
   Address field does not contain a unicast address, the Binding Error
   message MUST NOT be sent.

   The Home Address field in the Binding Error message MUST be copied
   from the Home Address field in the Home Address destination option of
   the offending packet, or set to the unspecified address if no such
   option appeared in the packet.

   Binding Error messages SHOULD be subject to rate limiting in the same
   manner as is done for ICMPv6 messages [14].

9.3.4 Receiving ICMP Error Messages

   When the correspondent node has a Binding Cache entry for a mobile
   node, all traffic destined to the mobile node goes directly to the
   current care-of address of the mobile node using a routing header.
   Any ICMP error message caused by packets on their way to the care-of
   address will be returned in the normal manner to the correspondent
   node.

   On the other hand, if the correspondent node has no Binding Cache
   entry for the mobile node, the packet will be routed through the
   mobile node's home link.  Any ICMP error message caused by the packet
   on its way to the mobile node while in the tunnel, will be
   transmitted to the mobile node's home agent.  By the definition of
   IPv6 encapsulation [15], the home agent MUST relay certain ICMP error
   messages back to the original sender of the packet, which in this
   case is the correspondent node.

   Thus, in all cases, any meaningful ICMP error messages caused by
   packets from a correspondent node to a mobile node will be returned
   to the correspondent node.  If the correspondent node receives
   persistent ICMP Destination Unreachable messages after sending
   packets to a mobile node based on an entry in its Binding Cache, the
   correspondent node SHOULD delete this Binding Cache entry.




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 79]


Internet-Draft          Mobility Support in IPv6           February 2003


9.4 Return Routability Procedure

   This subsection specifies actions taken by a correspondent node
   during the return routability procedure.

9.4.1 Receiving Home Test Init Messages

   Upon receiving a Home Test Init message, the correspondent node
   verifies the following:

   o  The packet MUST NOT include a Home Address destination option.

   Any packet carrying a Home Test Init message which fails to satisfy
   all of these tests MUST be silently ignored.

   Otherwise, in preparation for sending the corresponding Home Test
   Message, the correspondent node checks that it has the necessary
   material to engage in a return routability procedure, as specified in
   Section 5.2.  The correspondent node MUST have a secret Kcn and a
   nonce.  If it does not have this material yet, it MUST produce it
   before continuing with the return routability procedure.

   Section 9.4.3 specifies further processing.

9.4.2 Receiving Care-of Test Init Messages

   Upon receiving a Care-of Test Init message, the correspondent node
   verifies the following:

   o  The packet MUST NOT include a Home Address destination option.

   Any packet carrying a Care-of Test Init message which fails to
   satisfy all of these tests MUST be silently ignored.

   Otherwise, in preparation for sending the corresponding Care-of Test
   Message, the correspondent node checks that it has the necessary
   material to engage in a return routability procedure in the manner
   described in Section 9.4.1.

   Section 9.4.4 specifies further processing.

9.4.3 Sending Home Test Messages

   The correspondent node creates a home keygen token and uses the
   current nonce index as the Home Nonce Index.  It then creates a Home
   Test message (Section 6.1.5) and sends it to the mobile node at the
   latter's home address.  Note that the Home Test message is always
   sent to the home address of the mobile node without route



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 80]


Internet-Draft          Mobility Support in IPv6           February 2003


   optimization, even when there is an existing binding for the mobile
   node.

9.4.4 Sending Care-of Test Messages

   The correspondent node creates a care-of nonce and uses the current
   nonce index as the Care-of Nonce Index.  It then creates a Care-of
   Test message (Section 6.1.6) and sends it to the mobile node at the
   latter's care-of address.

9.5 Processing Bindings

   This section explains how the correspondent node processes messages
   related to bindings.  These messages are:

   o  Binding Update

   o  Binding Refresh Request

   o  Binding Acknowledgement

   o  Binding Error


9.5.1 Receiving Binding Updates

   Before accepting a Binding Update, the receiving node MUST validate
   the Binding Update according to the following tests:

   o  The packet MUST contain a unicast routable home address, either in
      the Home Address option or in the Source Address, if the Home
      Address option is not present.

   o  The Sequence Number field in the Binding Update is greater than
      the Sequence Number received in the valid previous Binding Update
      for this home address, if any.

      This Sequence Number comparison MUST be performed modulo 2**16,
      i.e., the number is a free running counter represented modulo
      65536.  A Sequence Number in a received Binding Update is
      considered less than or equal to the last received number if its
      value lies in the range of the last received number and the
      preceding 32767 values, inclusive.  For example, if the last
      received sequence number was 15, then messages with sequence
      numbers 0 through 15, as well as 32784 through 65535, would be
      considered less than or equal.

   When the return routability procedure is used to enable the



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 81]


Internet-Draft          Mobility Support in IPv6           February 2003


   establishment of nonce indices as inputs to the creation of the
   binding key Kbm, the following are also required:

   o  A Nonce Indices mobility option MUST be present, and the Home and
      Care-of Nonce Index values in this option MUST be recent enough to
      be recognized by the correspondent node.  (Care-of Nonce Index
      values are not inspected for requests to delete a binding.)

   o  The correspondent node MUST re-generate the home keygen token and
      the care-of keygen token from the information contained in the
      packet.  It then generates the binding management key Kbm and uses
      it to verify the authenticator field in the Binding Update as
      specified in Section 6.1.7.

   o  The Home Registration (H) bit MUST NOT be set.

   When using Kbm for validating the Binding Update, the following are
   required:

   o  The Binding Authorization Data mobility option MUST be present,
      and its contents MUST satisfy rules presented in Section 5.2.6.
      Note that a care-of address different from the Source Address MAY
      have been specified by including an Alternate Care-of Address
      mobility option in the Binding Update.  When such a message is
      received and the return routability procedure is used as an
      authorization method, the correspondent node MUST verify the
      authenticator by using the address within the Alternate Care-of
      Address in the calculations.

   o  The Binding Authorization Data mobility option MUST be the last
      option and MUST NOT have trailing padding.

   If the mobile node sends a sequence number which is not greater than
   the sequence number from the last successful Binding Update, then the
   receiving node MUST send back a Binding Acknowledgement with status
   code 135, and the last accepted sequence number in the Sequence
   Number field of the Binding Acknowledgement.

   If the receiving node no longer recognizes the Home Nonce Index
   value, Care-of Nonce Index value, or both values from the Binding
   Update, then the receiving node MUST send back a Binding
   Acknowledgement with status code 136, 137, or 138, respectively.

   For packets carrying Binding Updates that fail to satisfy all of
   these tests for any reason other than insufficiency of the Sequence
   Number or expired nonce index values MUST be silently discarded.

   If the Binding Update is valid according to the tests above, then the



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 82]


Internet-Draft          Mobility Support in IPv6           February 2003


   Binding Update is processed further as follows:

   o  If the Lifetime specified in the Binding Update is nonzero and the
      specified care-of address is not equal to the home address for the
      binding, then this is a request to cache a binding for the mobile
      node.  If the Home Registration (H) bit is set in the Binding
      Update, the Binding Update is processed according to the procedure
      specified in Section 10.3.1; otherwise, it is processed according
      to the procedure specified in Section 9.5.2.

   o  If the Lifetime specified in the Binding Update is zero or the
      specified care-of address matches the home address for the
      binding, then this is a request to delete the mobile node's cached
      binding.  In this case, the Binding Update MUST include a valid
      home nonce index, and the care-of nonce index MUST be ignored by
      the correspondent node.  The generation of the binding management
      key depends then exclusively on the home keygen token (Section
      5.2.5).  If the Home Registration (H) bit is set in the Binding
      Update, the Binding Update is processed according to the procedure
      specified in Section 10.3.2; otherwise, it is processed according
      to the procedure specified in Section 9.5.3.

   The specified care-of address MUST be determined as follows:

   o  If the Alternate Care-of Address option is present, the care-of
      address is the address in that option.

   o  Otherwise, the care-of address is the Source Address field in the
      packet's IPv6 header.

   The home address for the binding MUST be determined as follows:

   o  If the Home Address destination option is present, the home
      address is the address in that option.

   o  Otherwise, the home address is the Source Address field in the
      packet's IPv6 header.  This implies that the mobile node is at
      home and is about to perform de-registration.


9.5.2 Requests to Cache a Binding

   This section describes the processing of a valid Binding Update that
   requests a node to cache a mobile node's binding, for which the Home
   Registration (H) bit is not set in the Binding Update.

   In this case, the receiving node SHOULD create a new entry in its
   Binding Cache for this mobile node, or update its existing Binding



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 83]


Internet-Draft          Mobility Support in IPv6           February 2003


   Cache entry for this mobile node, if such an entry already exists.
   The lifetime for the Binding Cache entry is initialized from the
   Lifetime field specified in the Binding Update, although this
   lifetime MAY be reduced by the node caching the binding; the lifetime
   for the Binding Cache entry MUST NOT be greater than the Lifetime
   value specified in the Binding Update.  Any Binding Cache entry MUST
   be deleted after the expiration of its lifetime.

   The Sequence Number value received from a mobile node in a Binding
   Update is stored by a correspondent node in its Binding Cache entry
   for that mobile node.  If the receiving correspondent node has no
   Binding Cache entry for the sending mobile node, it MUST accept any
   Sequence Number value in a received Binding Update from this mobile
   node.

   The correspondent node MAY refuse to accept a new Binding Cache
   entry, if it does not have sufficient resources.  A new entry MAY
   also be refused if the correspondent node believes its resources are
   utilized more efficiently in some other purpose, such as serving
   another mobile node with higher amount of traffic.  In both cases the
   correspondent node SHOULD return a Binding Acknowledgement with
   status value 130.

9.5.3 Requests to Delete a Binding

   This section describes the processing of a valid Binding Update that
   requests a node to delete a mobile node's binding from its Binding
   Cache, for which the Home Registration (H) bit is not set in the
   Binding Update.

   Any existing binding for the mobile node MUST be deleted.  A Binding
   Cache entry for the mobile node MUST NOT be created in response to
   receiving the Binding Update.

   If the Binding Cache entry was created by use of return routability
   nonces, the correspondent node MUST ensure that the same nonces are
   not used again with the particular home and care-of address.  If both
   nonces are still valid, the correspondent node has to remember the
   particular combination of nonce indexes, addresses, and sequence
   number as illegal, until at least one of the nonces has become too
   old.

9.5.4 Sending Binding Acknowledgements

   A Binding Acknowledgement may be sent to indicate receipt of a
   Binding Update as follows:

   o  If the Binding Update was discarded as described in Section 9.2 or



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 84]


Internet-Draft          Mobility Support in IPv6           February 2003


      Section 9.5.1, a Binding Acknowledgement MUST NOT be sent.
      Otherwise the treatment depends on the below rules.

   o  If the Acknowledge (A) bit set is set in the Binding Update, a
      Binding Acknowledgement MUST be sent.  Otherwise, the treatment
      depends on the below rule.

   o  If the node rejects the Binding Update due to an expired nonce
      index, sequence number being out of window (Section 9.5.1), or
      insufficiency of resources (Section 9.5.2), a Binding
      Acknowledgement MUST be sent.  If the node accepts the Binding
      Update, the Binding Acknowledgement SHOULD NOT be sent.

   If the node accepts the Binding Update and creates or updates an
   entry for this binding, the Status field in the Binding
   Acknowledgement MUST be set to a value less than 128.  Otherwise, the
   Status field MUST be set to a value greater than or equal to 128.
   Values for the Status field are described in Section 6.1.8 and in the
   IANA registry of assigned numbers [19].

   If the Status field in the Binding Acknowledgement contains the value
   136 (expired home nonce index), 137 (expired care-of nonce index), or
   138 (expired nonces) then the message MUST NOT include the Binding
   Authorization Data mobility option.  Otherwise, the Binding
   Authorization Data mobility option MUST be included, and MUST meet
   the specific authentication requirements for Binding Acknowledgements
   as defined in Section 5.2.

   If the Source Address field of the IPv6 header that carried the
   Binding Update does not contain a unicast address, the Binding
   Acknowledgement MUST NOT be sent, and the Binding Update packet MUST
   be silently discarded.  Otherwise, the acknowledgement MUST be sent
   to the Source Address.  Unlike the treatment of regular packets, this
   addressing procedure does not use information from the Binding Cache.
   However, a routing header is needed in some cases.  If the Source
   Address is the home address of the mobile node, i.e., the Binding
   Update did not contain a Home Address destination option, then the
   Binding Acknowledgement MUST be sent to that address, and the routing
   header MUST NOT be used.  Otherwise, the Binding Acknowledgement MUST
   be sent using a type 2 routing header which contains the mobile
   node's home address.

   Entries in a node's Binding Cache MUST be deleted when their lifetime
   expires.

9.5.5 Sending Binding Refresh Requests

   If a Binding Cache entry being deleted is still in active use in



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 85]


Internet-Draft          Mobility Support in IPv6           February 2003


   sending packets to a mobile node, the next packet sent to the mobile
   node will be routed normally to the mobile node's home link.
   Communication with the mobile node continues, but the tunneling from
   the home network creates additional overhead and latency in
   delivering packets to the mobile node.

   If the sender knows that the Binding Cache entry is still in active
   use, it MAY send a Binding Refresh Request message to the mobile node
   in an attempt to avoid this overhead and latency due to deleting and
   recreating the Binding Cache entry.  The Binding Refresh Request
   message is sent in the same way as any packet addressed to the mobile
   node (Section 9.3.2).

   The correspondent node MAY retransmit Binding Refresh Request
   messages provided that rate limitation is applied.  The correspondent
   node MUST stop retransmitting when it receives a Binding Update.

9.6 Cache Replacement Policy

   Conceptually, a node maintains a separate timer for each entry in its
   Binding Cache.  When creating or updating a Binding Cache entry in
   response to a received and accepted Binding Update, the node sets the
   timer for this entry to the specified Lifetime period.  Any entry in
   a node's Binding Cache MUST be deleted after the expiration of the
   Lifetime specified in the Binding Update from which the entry was
   created or last updated.

   Each node's Binding Cache will, by necessity, have a finite size.  A
   node MAY use any reasonable local policy for managing the space
   within its Binding Cache, except that any entry marked as a home
   registration (Section 10.3.1) MUST NOT be deleted from the cache
   until the expiration of its lifetime period.  When such home
   registration entries are deleted, the home agent MUST also cease
   intercepting packets on the mobile node's home link addressed to the
   mobile node (Section 10.4.1), just as if the mobile node had
   de-registered its primary care-of address (see Section 10.3.2).

   When attempting to add a new home registration entry in response to a
   Binding Update with the Home Registration (H) bit set, if no
   sufficient space can be found, the home agent MUST reject the Binding
   Update.  Furthermore, the home agent MUST return a Binding
   Acknowledgement to the sending mobile node, in which the Status field
   is set to 130 (insufficient resources).

   A node MAY choose to drop any entry already in its Binding Cache,
   other than home registration entries, in order to make space for a
   new entry.  For example, a "least-recently used" (LRU) strategy for
   cache entry replacement among entries not marked as home



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 86]


Internet-Draft          Mobility Support in IPv6           February 2003


   registrations is likely to work well unless the size of the Binding
   Cache is substantially insufficient.

   If the node sends a packet to a destination for which it has dropped
   the entry from its Binding Cache, the packet will be routed through
   the mobile node's home link.  The mobile node can detect this, and
   establish a new binding if necessary.












































Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 87]


Internet-Draft          Mobility Support in IPv6           February 2003


10. Home Agent Operation

10.1 Conceptual Data Structures

   Each home agent MUST maintain a Binding Cache and Home Agents List.

   The rules for maintaining a Binding Cache are the same for home
   agents and correspondent nodes, and have already been described in
   Section 9.1.

   The Home Agents List is maintained by each home agent, recording
   information about each router on the same link which is acting as a
   home agent; this list is used by the dynamic home agent address
   discovery mechanism.  A router is known to be acting as a home agent,
   if it sends a Router Advertisement in which the Home Agent (H) bit is
   set.  When the lifetime for a list entry (defined below) expires,
   that entry is removed from the Home Agents List.  The Home Agents
   List is thus similar to the Default Router List conceptual data
   structure maintained by each host for Neighbor Discovery [12].  The
   Home Agents List MAY be implemented in any manner consistent with the
   external behavior described in this document.

   Each home agent maintains a separate Home Agents List for each link
   on which it is serving as a home agent.  A new entry is created or an
   existing entry is updated in response to receipt of a valid Router
   Advertisement in which the Home Agent (H) bit is set.  Each Home
   Agents List entry conceptually contains the following fields:

   o  The link-local IP address of a home agent on the link.  This
      address is learned through the Source Address of the Router
      Advertisements [12] received from the router.

   o  One or more global IP addresses for this home agent.  Global
      addresses are learned through Prefix Information options with the
      Router Address (R) bit set, received in Router Advertisements from
      this link-local address.  Global addresses for the router in a
      Home Agents List entry MUST be deleted once the prefix associated
      with that address is no longer valid [12].

   o  The remaining lifetime of this Home Agents List entry.  If a Home
      Agent Information Option is present in a Router Advertisement
      received from a home agent, the lifetime of the Home Agents List
      entry representing that home agent is initialized from the Home
      Agent Lifetime field in the option (if present); otherwise, the
      lifetime is initialized from the Router Lifetime field in the
      received Router Advertisement.  If Home Agents List entry lifetime
      reaches zero, the entry MUST be deleted from the Home Agents List.




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 88]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  The preference for this home agent; higher values indicate a more
      preferable home agent.  The preference value is taken from the
      Home Agent Preference field in the received Router Advertisement,
      if the Router Advertisement contains a Home Agent Information
      Option, and is otherwise set to the default value of 0.  A home
      agent uses this preference in ordering the Home Agents List when
      it sends an ICMP Home Agent Address Discovery message.


10.2 Processing Mobility Headers

   All IPv6 home agents MUST observe the rules described in Section 9.2
   when processing Mobility Headers.

10.3 Processing Bindings

10.3.1 Primary Care-of Address Registration

   When a node receives a Binding Update, it MUST validate it and
   determine the type of Binding Update according to the steps described
   in Section 9.5.1.  Furthermore, it MUST authenticate the Binding
   Update as described in Section 5.1.  An authorization step specific
   for the home agent is also needed to ensure that only the right node
   can control a particular home address.  This is provided through the
   home address unequivocally identifying the security association that
   must be used.

   This section describes the processing of a valid and authorized
   Binding Update, when it requests the registration of the mobile
   node's primary care-of address.

   To begin processing the Binding Update, the home agent MUST perform
   the following sequence of tests:

   o  If the node implements only correspondent node functionality, or
      has not been configured to act as a home agent, then the node MUST
      reject the Binding Update.  The node MUST then also return a
      Binding Acknowledgement to the mobile node, in which the Status
      field is set to 131 (home registration not supported).

   o  Else, if the home address for the binding (the Home Address field
      in the packet's Home Address option) is not an on-link IPv6
      address with respect to the home agent's current Prefix List or if
      the corresponding prefix was not advertised with the Home Agent
      (H) bit set, then the home agent MUST reject the Binding Update
      and SHOULD return a Binding Acknowledgement to the mobile node, in
      which the Status field is set to 132 (not home subnet).




Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 89]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  Else, if the home agent chooses to reject the Binding Update for
      any other reason (e.g., insufficient resources to serve another
      mobile node as a home agent), then the home agent SHOULD return a
      Binding Acknowledgement to the mobile node, in which the Status
      field is set to an appropriate value to indicate the reason for
      the rejection.

   o  A Home Address destination option MUST be present in the message.
      It MUST be validated as described in Section 9.3.1 with the
      following additional rule.  The Binding Cache entry existence test
      MUST NOT be done for IPsec packets when the Home Address option
      contains an address for which the receiving node could act as a
      home agent.

   If home agent accepts the Binding Update, it MUST then create a new
   entry in its Binding Cache for this mobile node, or update its
   existing Binding Cache entry, if such an entry already exists.  The
   Home Address field as received in the Home Address option provides
   the home address of the mobile node.

   The home agent MUST mark this Binding Cache entry as a home
   registration to indicate that the node is serving as a home agent for
   this binding.  Binding Cache entries marked as a home registration
   MUST be excluded from the normal cache replacement policy used for
   the Binding Cache (Section 9.6) and MUST NOT be removed from the
   Binding Cache until the expiration of the Lifetime period.

   Unless this home agent already has a binding for the given home
   address, the home agent MUST perform Duplicate Address Detection [13]
   on the mobile node's home link before returning the Binding
   Acknowledgement.  This ensures that no other node on the home link
   was using the mobile node's home address when the Binding Update
   arrived.  If this Duplicate Address Detection fails for the given
   home address or an associated link local address, then the home agent
   MUST reject the complete Binding Update and MUST return a Binding
   Acknowledgement to the mobile node, in which the Status field is set
   to 134 (Duplicate Address Detection failed).  When the home agent
   sends a successful Binding Acknowledgement to the mobile node, the
   home agent assures to the mobile node that its address(es) will
   continue to be kept unique by the home agent at least as long as the
   lifetime granted for the bindings is not over.

   The specific addresses which are to be tested before accepting the
   Binding Update, and later to be defended by performing Duplicate
   Address Detection, depend on the setting of the Link-Local Address
   Compatibility (L) bit, as follows:

   o  L=0: Defend only the given address.  Do not derive a link-local



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 90]


Internet-Draft          Mobility Support in IPv6           February 2003


      address.

   o  L=1: Defend both the given non link-local unicast (home) address
      and the derived link-local.  The link-local address is derived by
      replacing the subnet prefix in the mobile node's home address with
      the link-local prefix.

   The lifetime of the Binding Cache entry depends on a number of
   factors:

   o  The lifetime for the Binding Cache entry MUST NOT be greater than
      the Lifetime value specified in the Binding Update.

   o  The lifetime for the Binding Cache entry MUST NOT be greater than
      the remaining valid lifetime for the subnet prefix in the mobile
      node's home address specified with the Binding Update.  The
      remaining valid lifetime for this prefix is determined by the home
      agent based on its own Prefix List entry for this prefix [12].

      The remaining preferred lifetime SHOULD NOT have any impact on the
      lifetime for the binding cache entry.  The home agent MUST remove
      a binding when the valid lifetime of the prefix associated with it
      expires.

   o  The home agent MAY further decrease the specified lifetime for the
      binding, for example based on a local policy.  The resulting
      lifetime is stored by the home agent in the Binding Cache entry,
      and this Binding Cache entry MUST be deleted by the home agent
      after the expiration of this lifetime.

   Regardless of the setting of the Acknowledge (A) bit in the Binding
   Update, the home agent MUST return a Binding Acknowledgement to the
   mobile node, constructed as follows:

   o  The Status field MUST be set to a value indicating success.  The
      value 1 (accepted but prefix discovery necessary) MUST be used if
      the subnet prefix of the specified home address is deprecated,
      becomes deprecated during the lifetime of the binding, or becomes
      invalid at the end of the lifetime.  The value 0 MUST be used
      otherwise.  For the purposes of comparing the binding and prefix
      lifetimes, the prefix lifetimes are first converted into units of
      four seconds by ignoring the two least significant bits.

   o  The Key Management Mobility Capability (K) bit is set if the
      following conditions are all fulfilled, and cleared otherwise:

      *  The Key Management Mobility Capability (K) bit was set in the
         Binding Update.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 91]


Internet-Draft          Mobility Support in IPv6           February 2003


      *  The IPsec security associations between the mobile node and the
         home agent have been established dynamically.

      *  The home agent has the capability to update its endpoint in the
         used key management protocol to the new care-of address every
         time it moves


      Depending on the final value of the bit in the Binding
      Acknowledgement, the home agent SHOULD perform the following
      actions:

      K = 0

         Discard key management connections, if any, to the old care-of
         address.  If the mobile node did not have a binding before
         sending this Binding Update, discard the connections to the
         home address.

      K = 1

         Move the peer endpoint of the key management protocol
         connection, if any, to the new care-of address.  For an IKE
         phase 1 connection, this means that any IKE packets sent to the
         peer are sent to this address, and packets from this address
         with the original ISAKMP cookies are accepted.

   o  The Sequence Number field MUST be copied from the Sequence Number
      given in the Binding Update.

   o  The Lifetime field MUST be set to the remaining lifetime for the
      binding as set by the home agent in its home registration Binding
      Cache entry for the mobile node, as described above.

   o  If the home agent stores the Binding Cache entry in nonvolatile
      storage, then the Binding Refresh Advice mobility option MUST be
      omitted.  Otherwise,  the home agent MAY include this option to
      suggest that the mobile node refreshes its binding sooner than the
      actual lifetime of the binding ends.

      If the Binding Refresh Advice mobility option is present, the
      Refresh Interval field in the option MUST be set to a value less
      than the Lifetime value being returned in the Binding
      Acknowledgement.  This indicates that the mobile node SHOULD
      attempt to refresh its home registration at the indicated shorter
      interval.  The home agent MUST still retain the registration for
      the Lifetime period, even if the mobile node does not refresh its
      registration within the Refresh period.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 92]


Internet-Draft          Mobility Support in IPv6           February 2003


   The rules for selecting the Destination IP address (and possibly
   routing header construction) for the Binding Acknowledgement to the
   mobile node are the same as in Section 9.5.4.

   In addition, the home agent MUST follow the procedure defined in
   Section 10.4.1 to intercept packets on the mobile node's home link
   addressed to the mobile node, while the home agent is serving as the
   home agent for this mobile node.  The home agent MUST also be
   prepared to accept reverse tunneled packets from the new care-of
   address of the mobile node, as described in Section 10.4.5.  Finally,
   the home agent MUST also propagate new home network prefixes, as
   described in Section 10.6.

10.3.2 Primary Care-of Address De-Registration

   A binding may need to be de-registered when the mobile node returns
   home, or when the mobile node knows that it will soon not have any
   care-of addresses in the visited network.

   A Binding Update is validated and authorized in the manner described
   in the previous section.  This section describes the processing of a
   valid Binding Update that requests the receiving node to no longer
   serve as its home agent, de-registering its primary care-of address.

   To begin processing the Binding Update, the home agent MUST perform
   the following test:

   o  If the receiving node has no entry marked as a home registration
      in its Binding Cache for this mobile node, then this node MUST
      reject the Binding Update and SHOULD return a Binding
      Acknowledgement to the mobile node, in which the Status field is
      set to 133 (not home agent for this mobile node).

   If the home agent does not reject the Binding Update as described
   above, then it MUST delete any existing entry in its Binding Cache
   for this mobile node.  Then, the home agent MUST return a Binding
   Acknowledgement to the mobile node, constructed as follows:

   o  The Status field MUST be set to a value 0, indicating success.

   o  The Key Management Mobility Capability (K) bit is set or cleared,
      and actions based on its value are performed as described in the
      previous section.  The mobile node's home address is used as its
      new care-of address for the purposes of moving the key management
      connection to a new endpoint.

   o  The Sequence Number field MUST be copied from the Sequence Number
      given in the Binding Update.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 93]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  The Lifetime field MUST be set to zero.

   o  The Binding Refresh Advice mobility option MUST be omitted.

   In addition, the home agent MUST stop intercepting packets on the
   mobile node's home link that are addressed to the mobile node
   (Section 10.4.1).

   The rules for selecting the Destination IP address (and, if required,
   routing header construction) for the Binding Acknowledgement to the
   mobile node are the same as in the previous section.  When the Status
   field in the Binding Acknowledgement is greater than or equal to 128
   and the Source Address of the Binding Update is on the home link, the
   home agent MUST send it to the mobile node's link layer address
   (retrieved either from the Binding Update or through Neighbor
   Solicitation).

10.4 Packet Processing

10.4.1 Intercepting Packets for a Mobile Node

   While a node is serving as the home agent for mobile node it MUST
   attempt to intercept packets on the mobile node's home link that are
   addressed to the mobile node.

   In order to do this, when a node begins serving as the home agent it
   MUST multicast onto the home link a Neighbor Advertisement message
   [12] on behalf of the mobile node.  For the home address specified in
   the Binding Update, the home agent sends a Neighbor Advertisement
   message [12] to the all-nodes multicast address on the home link, to
   advertise the home agent's own link-layer address for this IP address
   on behalf of the mobile node.  If the Link-Layer Address
   Compatibility (L) flag has been specified in the Binding Update, the
   home agent MUST do the same for the link-local address of the mobile
   node.

   All fields in each such Neighbor Advertisement message SHOULD be set
   in the same way they would be set by the mobile node itself if
   sending this Neighbor Advertisement [12] while at home, with the
   following exceptions:

   o  The Target Address in the Neighbor Advertisement MUST be set to
      the specific IP address for the mobile node.

   o  The Advertisement MUST include a Target Link-layer Address option
      specifying the home agent's link-layer address.

   o  The Router (R) bit in the Advertisement MUST be set to zero.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 94]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  The Solicited Flag (S) in the Advertisement MUST NOT be set, since
      it was not solicited by any Neighbor Solicitation.

   o  The Override Flag (O) in the Advertisement MUST be set, indicating
      that the Advertisement SHOULD override any existing Neighbor Cache
      entry at any node receiving it.

   o  The Source Address in the IPv6 header MUST be set to the home
      agent's IP address on the interface used to send the
      advertisement.

   Any node on the home link receiving one of the Neighbor Advertisement
   messages described above will thus update its Neighbor Cache to
   associate the mobile node's address with the home agent's link layer
   address, causing it to transmit any future packets normally destined
   to the mobile node to the mobile node's home agent.  Since
   multicasting on the local link (such as Ethernet) is typically not
   guaranteed to be reliable, the home agent MAY retransmit this
   Neighbor Advertisement message up to MAX_NEIGHBOR_ADVERTISEMENT (see
   [12]) times to increase its reliability.  It is still possible that
   some nodes on the home link will not receive any of these Neighbor
   Advertisements, but these nodes will eventually be able to detect the
   link-layer address change for the mobile node's address, through use
   of Neighbor Unreachability Detection [12].

   While a node is serving as a home agent for some mobile node, the
   home agent uses IPv6 Neighbor Discovery [12] to intercept unicast
   packets on the home link addressed to the mobile node.  In order to
   intercept packets in this way, the home agent MUST act as a proxy for
   this mobile node, and reply to any received Neighbor Solicitations
   for it.  When a home agent receives a Neighbor Solicitation, it MUST
   check if the Target Address specified in the message matches the
   address of any mobile node for which it has a Binding Cache entry
   marked as a home registration.

   If such an entry exists in the home agent's Binding Cache, the home
   agent MUST reply to the Neighbor Solicitation with a Neighbor
   Advertisement, giving the home agent's own link-layer address as the
   link-layer address for the specified Target Address.  In addition,
   the Router (R) bit in the Advertisement MUST be set to zero.  Acting
   as a proxy in this way allows other nodes on the mobile node's home
   link to resolve the mobile node's address, and allows the home agent
   to defend these addresses on the home link for Duplicate Address
   Detection [12].

10.4.2 Processing Intercepted Packets

   For any packet sent to a mobile node from the mobile node's home



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 95]


Internet-Draft          Mobility Support in IPv6           February 2003


   agent (for which the home agent is the original sender of the
   packet), the home agent is operating as a correspondent node of the
   mobile node for this packet and the procedures described in Section
   9.3.2 apply.  The home agent then uses a routing header to route the
   packet to the mobile node by way of the primary care-of address in
   the home agent's Binding Cache.

   While the mobile node is away from home, the home agent intercepts
   any packets on the home link addressed to the mobile node's home
   address, as described in Section 10.4.1.  In order to forward each
   intercepted packet to the mobile node, the home agent MUST tunnel the
   packet to the mobile node using IPv6 encapsulation [15].  When a home
   agent encapsulates an intercepted packet for forwarding to the mobile
   node, the home agent sets the Source Address in the new tunnel IP
   header to the home agent's own IP address, and sets the Destination
   Address in the tunnel IP header to the mobile node's primary care-of
   address.  When received by the mobile node, normal processing of the
   tunnel header [15] will result in decapsulation and processing of the
   original packet by the mobile node.

   However, packets addressed to the mobile node's link-local address
   MUST NOT be tunneled to the mobile node.  Instead, such a packet MUST
   be discarded, and the home agent SHOULD return an ICMP Destination
   Unreachable, Code 3, message to the packet's Source Address (unless
   this Source Address is a multicast address).  Packets addressed to
   the mobile node's site-local address SHOULD NOT be tunneled to the
   mobile node by default.

   Interception and tunneling of the following multicast addressed
   packets on the home network are only done if the home agent supports
   multicast group membership control messages from the mobile node as
   described in the next section.  Tunneling of multicast packets to a
   mobile node follows similar limitations to those defined above for
   unicast packets addressed to the mobile node's link-local and
   site-local addresses.  Multicast packets addressed to a multicast
   address with link-local scope [3], to which the mobile node is
   subscribed, MUST NOT be tunneled to the mobile node; such packets
   SHOULD be silently discarded (after delivering to other local
   multicast recipients).  Multicast packets addressed to a multicast
   address with scope larger than link-local but smaller than global
   (e.g., site-local and organization-local [3]), to which the mobile
   node is subscribed, SHOULD NOT be tunneled to the mobile node.
   Multicast packets addressed with a global scope to which the mobile
   node has successfully subscribed MUST be tunneled to the mobile node.

   Before tunneling a packet to the mobile node, the home agent MUST
   perform any IPsec processing as indicated by the security policy data
   base.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 96]


Internet-Draft          Mobility Support in IPv6           February 2003


10.4.3 Multicast Membership Control

   This section is a prerequisite for the multicast data packet
   forwarding described in the previous section.  If this support is not
   provided, multicast group membership control messages are silently
   ignored.

   In order to forward multicast data packets from the home network to
   all the proper mobile nodes the home agent SHOULD be capable of
   receiving tunneled multicast group membership control information
   from the mobile node in order to determine which groups the mobile
   node has subscribed to.  These multicast group membership messages
   are Listener Report messages specified MLD [17] or in other protocols
   such as [35].

   The messages are issued by the mobile node but sent through the
   reverse tunnel to the home agent.  These messages are issued whenever
   the mobile node decides to enable reception of packets for a
   multicast group or in response to an MLD Query from the home agent.
   The mobile node will also issue multicast group control messages to
   disable reception of multicast packets when it is no longer
   interested in receiving multicasts for a particular group.

   To obtain the mobile node's current multicast group membership the
   home agent must periodically transmit MLD Query messages through the
   tunnel to the mobile node.  These MLD periodic transmissions will
   ensure the home agent has an accurate record of the groups in which
   the mobile node is interested despite packet losses of the mobile
   node's MLD group membership messages.

   All MLD packets are sent directly between the mobile node and the
   home agent.  Since all these packets are destined to a link-scope
   multicast address and have a hop limit of 1, there is no direct
   forwarding of such packets between the home network and the mobile
   node.  The MLD packets between the mobile node and the home agent are
   encapsulated within the same tunnel header used for other packet
   flows between the mobile node and home agent.

   Note that at this time, even though a link-local source is used on
   MLD packets, no functionality depends on these addresses being
   unique, nor do they elicit direct responses.  All MLD messages are
   sent to multicast destinations.  To avoid ambiguity on the home agent
   due to mobile nodes which may choose identical link-local source
   addresses for their MLD function it is necessary for the home agent
   to identify which mobile node was actually the issuer of a particular
   MLD message.  This may be accomplished by noting which tunnel such an
   MLD arrived by, which IPsec SA was used, or by other distinguishing
   means.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 97]


Internet-Draft          Mobility Support in IPv6           February 2003


   This specification puts no requirement on how the functions in this
   section and the multicast forwarding in Section 10.4.2 are to be
   achieved.  At the time of this writing it was thought that a full
   IPv6 multicast router function would be necessary on the home agent,
   but it may be possible to achieve the same effects through a "proxy
   MLD" application coupled with kernel multicast forwarding.  This may
   be the subject of future specifications.

10.4.4 Stateful Address Autoconfiguration

   This section describes how home agents support the use of stateful
   address autoconfiguration mechanisms such as DHCPv6 [28] from the
   mobile nodes.  If this support is not provided, then the M and O bits
   must remain cleared on the Mobile Prefix Advertisement Messages.  Any
   mobile node which issues autoconfiguration queries for servers
   without this support will not receive a response.

   If DHCPv6 is used, packets are sent with link-local source addresses
   either to a link-scope multicast address or a link-local address.
   Mobile nodes desiring to locate a DHCPv6 service may reverse tunnel
   standard DHCPv6 packets to the home agent.  Since these link-scope
   packets can not be forwarded onto the home network it is necessary
   for the home agent to either implement a DHCPv6 relay agent or a
   DHCPv6 server function itself.  The arriving tunnel or IPsec SA of
   DHCPv6 link-scope messages from the mobile node must be noted so that
   DHCPv6 responses may be sent back to the appropriate mobile node.
   DHCPv6 messages sent to the mobile node with a link-local destination
   must be tunneled within the same tunnel header used for other packet
   flows.

10.4.5 Handling Reverse Tunneled Packets

   Unless a binding has been established between the mobile node and a
   correspondent node, traffic from the mobile node to the correspondent
   node goes through a reverse tunnel.  Home agents MUST support reverse
   tunneling as follows:

   o  The tunneled traffic arrives to the home agent's address using
      IPv6 encapsulation [15].

   o  When a home agent decapsulates a tunneled packet from the mobile
      node, the home agent MUST verify that the Source Address in the
      tunnel IP header is the mobile node's primary care-of address.
      Otherwise any node in the Internet could send traffic through the
      home agent and escape ingress filtering limitations.

   Reverse tunneled packets MAY be discarded unless accompanied by a
   valid ESP header, depending on the security policies used by the home



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 98]


Internet-Draft          Mobility Support in IPv6           February 2003


   agent.  The support for authenticated reverse tunneling allows the
   home agent to protect the home network and correspondent nodes from
   malicious nodes masquerading as a mobile node, even if they know the
   current location of the real mobile node.

10.4.6 Protecting Return Routability Packets

   The return routability procedure described in Section 5.2.5 assumes
   that the confidentiality of the Home Test Init and Home Test messages
   is protected as they are tunneled between the home agent to the
   mobile node.  Therefore, the home agent MUST support tunnel mode
   IPsec ESP for the protection of packets belonging to the return
   routability procedure.  Support for a non-null encryption transform
   and authentication algorithm MUST be available.  It isn't necessary
   to distinguish between different kinds of packets within the return
   routability procedure.

   Security associations are needed to provide this protection.  When
   the care-of address for the mobile node changes as a result of an
   accepted Binding Update, special treatment is needed for the next
   packets sent using these security associations.  The home agent MUST
   set the new care-of address as the destination address of these
   packets, as if the destination gateway address in the security
   association had changed [21].

   The above protection SHOULD be used with all mobile nodes.  The use
   is controlled by configuration of the IPsec security policy database
   both at the mobile node and at the home agent.

   As described earlier, the Binding Update and Binding Acknowledgement
   messages require protection between the home agent and the mobile
   node.  The Mobility Header protocol carries both these messages as
   well as the return routability messages.  From the point of view of
   the security policy database these messages are indistinguishable.
   The security policy database entries MUST be defined as if they were
   specifically for the tunnel interface between the mobile node and the
   home agent.  That is, the policy entries are not generally applied on
   all traffic on the physical interface(s) of the nodes, but rather
   only on traffic that enters the tunnel.  This makes use of
   per-interface security policy database entries [4], specific to the
   tunnel interface (the node's attachment to the tunnel [11]).

10.5 Dynamic Home Agent Address Discovery

   This section describes how a home agent can help mobile nodes to
   discover the addresses of the home agents.  The home agent keeps
   track of the other home agents on the same link, and responds to
   queries sent by the mobile node.



Johnson, Perkins, Arkko      Expires August 27, 2003           [Page 99]


Internet-Draft          Mobility Support in IPv6           February 2003


10.5.1 Receiving Router Advertisement Messages

   For each link on which a router provides service as a home agent, the
   router maintains a Home Agents List recording information about all
   other home agents on that link.  This list is used in the dynamic
   home agent address discovery mechanism, described in Section 10.5.
   The information for the list is learned through receipt of the
   periodic unsolicited multicast Router Advertisements, in a manner
   similar to the Default Router List conceptual data structure
   maintained by each host for Neighbor Discovery [12].  In the
   construction of the Home Agents List, the Router Advertisements are
   from each other home agent on the link, and the Home Agent (H) bit is
   set in them.

   On receipt of a valid Router Advertisement, as defined in the
   processing algorithm specified for Neighbor Discovery [12], the home
   agent performs the following steps, in addition to any steps already
   required of it by Neighbor Discovery:

   o  If the Home Agent (H) bit in the Router Advertisement is not set,
      delete the sending node's entry in the current Home Agents List
      (if one exists).  Skip all the following steps.

   o  Otherwise, extract the Source Address from the IP header of the
      Router Advertisement.  This is the link-local IP address on this
      link of the home agent sending this Advertisement [12].

   o  Determine the preference for this home agent.  If the Router
      Advertisement contains a Home Agent Information Option, then the
      preference is taken from the Home Agent Preference field in the
      option; otherwise, the default preference of 0 MUST be used.

   o  Determine the lifetime for this home agent.  If the Router
      Advertisement contains a Home Agent Information Option, then the
      lifetime is taken from the Home Agent Lifetime field in the
      option; otherwise, the lifetime specified by the Router Lifetime
      field in the Router Advertisement SHOULD be used.

   o  If the link-local address of the home agent sending this
      Advertisement is already present in this home agent's Home Agents
      List and the received home agent lifetime value is zero,
      immediately delete this entry in the Home Agents List.

   o  Otherwise, if the link-local address of the home agent sending
      this Advertisement is already present in the receiving home
      agent's Home Agents List, reset its lifetime and preference to the
      values determined above.




Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 100]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  If the link-local address of the home agent sending this
      Advertisement is not already present in the Home Agents List
      maintained by the receiving home agent, and the lifetime for the
      sending home agent is non-zero, create a new entry in the list,
      and initialize its lifetime and preference to the values
      determined above.

   o  If the Home Agents List entry for the link-local address of the
      home agent sending this Advertisement was not deleted as described
      above, determine any global address(es) of the home agent based on
      each Prefix Information option received in this Advertisement in
      which the Router Address (R) bit is set (Section 7.2).  Add all
      such global addresses to the list of global addresses in this Home
      Agents List entry.

   A home agent SHOULD maintain an entry in its Home Agents List for
   each valid home agent address until that entry's lifetime expires,
   after which time the entry MUST be deleted.

   As described in Section 11.4.1, a mobile node attempts dynamic home
   agent address discovery by sending an ICMP Home Agent Address
   Discovery Request message to the Mobile IPv6 Home-Agents anycast
   address [16] for its home IP subnet prefix.  A home agent receiving
   such a Home Agent Address Discovery Request message that is serving
   this subnet SHOULD return an ICMP Home Agent Address Discovery Reply
   message to the mobile node, with the Source Address of the Reply
   packet set to one of the global unicast addresses of the home agent.
   The Home Agent Addresses field in the Reply message is constructed as
   follows:

   o  The Home Agent Addresses field SHOULD contain all global IP
      addresses for each home agent currently listed in this home
      agent's own Home Agents List (Section 10.1).

   o  The IP addresses in the Home Agent Addresses field SHOULD be
      listed in order of decreasing preference values, based either on
      the respective advertised preference from a Home Agent Information
      option or on the default preference of 0 if no preference is
      advertised (or on the configured home agent preference for this
      home agent itself).

   o  Among home agents with equal preference, their IP addresses in the
      Home Agent Addresses field SHOULD be listed in an order randomized
      with respect to other home agents with equal preference, each time
      a Home Agent Address Discovery Reply message is returned by this
      home agent.

   o  If more than one global IP address is associated with a home



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 101]


Internet-Draft          Mobility Support in IPv6           February 2003


      agent, these addresses SHOULD be listed in a randomized order.

   o  The home agent SHOULD reduce the number of home agent IP addresses
      so that the packet fits within the minimum IPv6 MTU [11].  The
      home agent addresses selected for inclusion in the packet SHOULD
      be those from the complete list with the highest preference.  This
      limitation avoids the danger of the Reply message packet being
      fragmented (or rejected by an intermediate router with an ICMP
      Packet Too Big message [14]).


10.6 Sending Prefix Information to the Mobile Node

10.6.1 Aggregate List of Home Network Prefixes

   Mobile IPv6 arranges to propagate relevant prefix information to the
   mobile node when it is away from home, so that it may be used in
   mobile node home address configuration, and in network renumbering.
   In this mechanism, mobile nodes away from home receive Mobile Prefix
   Advertisements messages with Prefix Information Options, which give
   the valid lifetime and preferred lifetime for available prefixes on
   the home link.

   The messages relayed to the mobile node are the ones learned via
   Neighbor Discovery on the home link.  The prefix options are
   processed as defined in [12, 13].

   To support this, the home agent monitors prefixes advertised by
   itself and other home agents routers on the home link, and passes
   this aggregated list of relevant subnet prefixes on to the mobile
   node in Mobile Prefix Advertisements.

   The home agent SHOULD construct the aggregate list of home subnet
   prefixes as follows:

   o  Copy prefix information defined in the home agent's AdvPrefixList
      on the home subnet's interfaces to the aggregate list.  Also apply
      any changes made to the AdvPrefixList on the home agent to the
      aggregate list.

   o  Check valid prefixes received in Router Advertisements from the
      home network for consistency with the home agent's AdvPrefixList,
      as specified in Section 6.2.7 of RFC 2461 [12].  Do not update the
      aggregate list with any information from received prefixes that
      fail this check.

   o  For Router Advertisements which have the Home Agent (H) bit set,
      check valid prefixes that are not yet in the aggregate list.  If a



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 102]


Internet-Draft          Mobility Support in IPv6           February 2003


      Prefix Information option has the autonomous address configuration
      (A) flag set and the prefix length is valid for address
      autoconfiguration on the home subnet, add these advertisements and
      preserve the on-link (L) flag value.  Clear the Router Address (R)
      flag and zero the interface-id portion of the prefix field to
      prevent mobile nodes from treating another router's interface
      address as belonging to the home agent.  Treat the lifetimes of
      these prefixes as decrementing in real time, as defined in Section
      6.2.7 of RFC 2461 [12].

   o  Do not perform consistency checks on valid prefixes received in
      Router Advertisements on the home network that do not exist in the
      home agent's AdvPrefixList.  Instead, if the prefixes already
      exist in the aggregate list, update the prefix lifetime fields in
      the aggregate list according to the rules specified for hosts in
      Section 6.3.4 of RFC 2461 [12] and Section 5.5.3 of RFC 2462 [13],
      unless the update would override existing information from this
      home agent.

   o  If the L flag is set on valid prefixes received in a Router
      Advertisement, and that prefix already exists in the aggregate
      list, set the flag in the aggregate list.  Ignore the flag if it
      is clear or if the setting of the flag was already configured in
      this home agent.

   o  Delete prefixes from the aggregate list when their valid lifetimes
      expire.

   The home agent uses the information in the aggregate list to
   construct Mobile Prefix Advertisements.  It may be possible to
   construct an aggregate list by combining information contained in the
   home agent's AdvPrefixList and its Home Agents List used for Dynamic
   Home Agent Address Discovery (Section 11.4.1).

10.6.2 Scheduling Prefix Deliveries

   A home agent serving a mobile node will schedule the delivery of new
   prefix information to that mobile node when any of the following
   conditions occur:

   MUST:

   o  The valid or preferred lifetime or the state of the flags changes
      for the prefix of the mobile node's registered home address.

   o  The mobile node requests the information with a Mobile Prefix
      Solicitation (see Section 11.4.2).




Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 103]


Internet-Draft          Mobility Support in IPv6           February 2003


   SHOULD:

   o  A new prefix is added to the aggregate list.

   MAY:

   o  The valid or preferred lifetime or the state of the flags changes
      for a prefix which is not used in any Binding Cache entry for this
      mobile node.

   The home agent uses the following algorithm to determine when to send
   prefix information to the mobile node.

   o  If a mobile node sends a solicitation, answer right away.

   o  If no Mobile Prefix Advertisement has been sent to the mobile node
      in the last MaxMobPfxAdvInterval (see Section 13) seconds, then
      ensure that a transmission is scheduled.  The actual transmission
      time is randomized as described below.

   o  If a prefix in the aggregate list that matches the mobile node's
      home registration is added, or if its information changes in any
      way that does not deprecate the mobile node's address, ensure that
      a transmission is scheduled.  The actual transmission time is
      randomized as described below.

   o  If a home registration expires, cancel any scheduled
      advertisements to the mobile node.

   The aggregate list is sent in its entirety in all cases.

   If the home agent already has scheduled the transmission of a Mobile
   Prefix Advertisement to the mobile node, the home agent replaces the
   advertisement with a new one, to be sent at the scheduled time.

   Otherwise, the home agent computes a fresh value for RAND_ADV_DELAY,
   the offset from the current time for the scheduled transmission as
   follows.  First calculate the maximum delay for the scheduled
   Advertisement:


     MaxScheduleDelay = min (MaxMobPfxAdvInterval, Preferred Lifetime),


   where MaxMobPfxAdvInterval is as defined in Section 12.  Then compute
   the final delay for the advertisement:





Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 104]


Internet-Draft          Mobility Support in IPv6           February 2003


     RAND_ADV_DELAY = MinMobPfxAdvInterval +
           (rand() % abs(MaxScheduleDelay - MinMobPfxAdvInterval))

   Here rand() returns a random integer value in the range of 0 to the
   maximum possible integer value.  This computation is expected to
   alleviate bursts of advertisements when prefix information changes.
   In addition, a home agent MAY further reduce the rate of packet
   transmission by further delaying individual advertisements, if needed
   to avoid overwhelming local network resources.  The home agent SHOULD
   periodically continue to retransmit an unsolicited Advertisement to
   the mobile node, until it is acknowledged by the receipt of a Mobile
   Prefix Solicitation from the mobile node.

   The home agent MUST wait PREFIX_ADV_TIMEOUT (see Section 12) before
   the first retransmission, and double the retransmission wait time for
   every succeeding retransmission, up until a maximum of
   PREFIX_ADV_RETRIES attempts (see Section 12).  If the mobile node's
   bindings expire before the matching Binding Update has been received,
   then the home agent MUST NOT attempt any more retransmissions, even
   if not all PREFIX_ADV_RETRIES have been retransmitted.  If the mobile
   node sends another Binding Update without returning home in the
   meantime, the home agent SHOULD again begin transmitting the
   unsolicited Advertisement.

   If some condition as described above occurs on the home link and
   causes another Prefix Advertisement to be sent to the mobile node,
   before the mobile node acknowledges a previous transmission, the home
   agent SHOULD combine any Prefix Information options in the
   unacknowledged Mobile Prefix Advertisement into a new Advertisement.
   The home agent discards the old Advertisement.

10.6.3 Sending Advertisements

   When sending a Mobile Prefix Advertisement to the mobile node, the
   home agent MUST construct the packet as follows:

   o  The Source Address in the packet's IPv6 header MUST be set to the
      home agent's IP address to which the mobile node addressed its
      current home registration, or its default global home agent
      address if no binding exists.

   o  If the advertisement was solicited, it MUST be destined to the
      source address of the solicitation.  If it was triggered by prefix
      changes or renumbering, the advertisement's destination will be
      the mobile node's home address in the binding which triggered the
      rule.

   o  A type 2 routing header MUST be included with the mobile node's



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 105]


Internet-Draft          Mobility Support in IPv6           February 2003


      home address.

   o  IPsec headers MUST be supported and SHOULD be used.

   o  The home agent MUST send the packet as it would any other unicast
      IPv6 packet that it originates.

   o  Set the Managed Address Configuration (M) flag if the
      corresponding flag has been set in any of the Router
      Advertisements from which the prefix information has been learned
      (including the ones sent by this home agent).

   o  Set the Other Stateful Configuration (O) flag if the corresponding
      flag has been set in any of the Router Advertisements from which
      the prefix information has been learned (including the ones sent
      by this home agent).


10.6.4 Lifetimes for Changed Prefixes

   As described in Section 10.3.1, the lifetime returned by the home
   agent in a Binding Acknowledgement MUST be no greater than the
   remaining valid lifetime for the subnet prefix in the mobile node's
   home address.  This limit on the binding lifetime serves to prohibit
   use of a mobile node's home address after it becomes invalid.


























Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 106]


Internet-Draft          Mobility Support in IPv6           February 2003


11. Mobile Node Operation

11.1 Conceptual Data Structures

   Each mobile node MUST maintain a Binding Update List.

   The Binding Update List records information for each Binding Update
   sent by this mobile node, for which the lifetime of the binding not
   yet expired.  The Binding Update List includes all bindings sent by
   the mobile node either to its home agent or correspondent nodes.  It
   also contains Binding Updates which are waiting for the completion of
   the return routability procedure before they can be sent.  However,
   for multiple Binding Updates sent to the same destination address,
   the Binding Update List contains only the most recent Binding Update
   (i.e., with the greatest Sequence Number value) sent to that
   destination.  The Binding Update List MAY be implemented in any
   manner consistent with the external behavior described in this
   document.

   Each Binding Update List entry conceptually contains the following
   fields:

   o  The IP address of the node to which a Binding Update was sent.

   o  The home address for which that Binding Update was sent.

   o  The care-of address sent in that Binding Update.  This value is
      necessary for the mobile node to determine if it has sent a
      Binding Update giving its new care-of address to this destination
      after changing its care-of address.

   o  The initial value of the Lifetime field sent in that Binding
      Update.

   o  The remaining lifetime of that binding.  This lifetime is
      initialized from the Lifetime value sent in the Binding Update and
      is decremented until it reaches zero, at which time this entry
      MUST be deleted from the Binding Update List.

   o  The maximum value of the Sequence Number field sent in previous
      Binding Updates to this destination.  The Sequence Number field is
      16 bits long, and all comparisons between Sequence Number values
      MUST be performed modulo 2**16 (see Section 9.5.1).

   o  The time at which a Binding Update was last sent to this
      destination, as needed to implement the rate limiting restriction
      for sending Binding Updates.




Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 107]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  The state of any retransmissions needed for this Binding Update.
      This state includes the time remaining until the next
      retransmission attempt for the Binding Update, and the current
      state of the exponential back-off mechanism for retransmissions.

   o  A flag specifying whether or not future Binding Updates should be
      sent to this destination.  The mobile node sets this flag in the
      Binding Update List entry when it receives an ICMP Parameter
      Problem, Code 1, error message in response to a return routability
      message or Binding Update sent to that destination, as described
      in Section 11.3.5.

   The Binding Update list also conceptually contains the following data
   related to running the return routability procedure.  This data is
   relevant only for Binding Updates sent to correspondent nodes.

   o  The time at which a Home Test Init or Care-of Test Init message
      was last sent to this destination, as needed to implement the rate
      limiting restriction for the return routability procedure.

   o  The state of any retransmissions needed for this return
      routability procedure.  This state includes the time remaining
      until the next retransmission attempt and the current state of the
      exponential back-off mechanism for retransmissions.

   o  Cookie values used in the Home Test Init and Care-of Test Init
      messages.

   o  Home and care-of keygen tokens received from the correspondent
      node.

   o  Home and care-of nonce indices received from the correspondent
      node.

   o  The time at which each of the tokens and nonces was received from
      this correspondent node, as needed to implement reuse while
      moving.


11.2 Processing Mobility Headers

   All IPv6 mobile nodes MUST observe the rules described in Section 9.2
   when processing Mobility Headers.

11.3 Packet Processing






Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 108]


Internet-Draft          Mobility Support in IPv6           February 2003


11.3.1 Sending Packets While Away from Home

   While a mobile node is away from home, it continues to use its home
   address, as well as also using one or more care-of addresses.  When
   sending a packet while away from home, a mobile node MAY choose among
   these in selecting the address that it will use as the source of the
   packet, as follows:

   o  Protocols layered over IP will generally treat the mobile node's
      home address as its IP address for most packets.  For packets sent
      that are part of transport-level connections established while the
      mobile node was at home, the mobile node MUST use its home
      address.  Likewise, for packets sent that are part of
      transport-level connections that the mobile node may still be
      using after moving to a new location, the mobile node SHOULD use
      its home address in this way.  If a binding exists, the mobile
      node SHOULD send the packets directly to the correspondent node.
      Otherwise, if a binding does not exist, the mobile node MUST use
      reverse tunneling.  Detailed operation for both of these cases is
      described later in this section and also discussed in [29].

   o  The mobile node MAY choose to directly use one of its care-of
      addresses as the source of the packet, not requiring the use of a
      Home Address option in the packet.  This is particularly useful
      for short-term communication that may easily be retried if it
      fails.  Using the mobile node's care-of address as the source for
      such queries will generally have a lower overhead than using the
      mobile node's home address, since no extra options need be used in
      either the query or its reply.  Such packets can be routed
      normally, directly between their source and destination without
      relying on Mobile IPv6.  If application running on the mobile node
      has no particular knowledge that the communication being sent fits
      within this general type of communication, however, the mobile
      node should not use its care-of address as the source of the
      packet in this way.

      The choice of the most efficient communications method is
      application specific, and outside the scope of this specification.
      The APIs necessary for controlling the choice are also out of
      scope.

   o  While not at its home link, the mobile node MUST NOT use the home
      address destination option when communicating with link-local or
      site-local peers, if the scope of the home address is larger than
      the scope of the peer's address.

   For packets sent by a mobile node while it is at home, no special
   Mobile IPv6 processing is required.  Likewise, if the mobile node



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 109]


Internet-Draft          Mobility Support in IPv6           February 2003


   uses any address other than any of its home addresses as the source
   of a packet sent while away from home no special Mobile IPv6
   processing is required.  In either case, the packet is simply
   addressed and transmitted in the same way as any normal IPv6 packet.

   For packets sent by the mobile node sent while away from home using
   the mobile node's home address as the source, special Mobile IPv6
   processing of the packet is required.  This can be done in the
   following two ways:

   Route Optimization

      This manner of delivering packets does not require going through
      the home network, and typically will enable faster and more
      reliable transmission.

      The mobile node may send packets to the correspondent node in this
      manner only if the mobile node is aware that the correspondent
      node already has a Binding Cache entry for the mobile node's home
      address.  Section 9.3.1 specifies the rules for Home Address
      Destination Option Processing at a correspondent node.  The mobile
      node needs to ensure that there exists a Binding Cache entry for
      its home address so that the correspondent node can process the
      packet.  A mobile node SHOULD arrange to supply the home address
      in a Home Address option, and allowing the IPv6 header's Source
      Address field to be set to one of the mobile node's care-of
      addresses; the correspondent node will then use the address
      supplied in the Home Address option to serve the function
      traditionally done by the Source IP address in the IPv6 header.
      The mobile node's home address is then supplied to higher protocol
      layers and applications.  Specifically:

      *  Construct the packet using the mobile node's home address as
         the packet's Source Address, in the same way as if the mobile
         node were at home.  This includes the calculation of upper
         layer checksums using the home address as the value of the
         source.

      *  Insert a Home Address option into the packet, with the Home
         Address field copied from the original value of the Source
         Address field in the packet.

      *  Change the Source Address field in the packet's IPv6 header to
         one of the mobile node's care-of addresses.  This will
         typically be the mobile node's current primary care-of address,
         but MUST be an address assigned to the interface on the link
         being used.




Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 110]


      By using the care-of address as the Source Address in the IPv6
      header, with the mobile node's home address instead in the Home
      Address option, the packet will be able to safely pass through any
      router implementing ingress filtering [26].

   Reverse Tunneling


      This is the mechanism which tunnels the packets via the home
      agent.  It isn't as efficient as the above mechanism, but is
      needed if there is no binding yet with the correspondent node.
      This mechanism is used for packets that have the mobile node's
      home address as the Source Address in the IPv6 header, or with
      multicast control protocol packets as described in Section 11.3.4.
      Specifically:

      *  The packet is sent to the home agent using IPv6 encapsulation
         [15].

      *  The Source Address in the tunnel packet is the primary care-of
         address as registered with the home agent.

      *  The Destination Address in the tunnel packet is the home
         agent's address.


      Then, the home agent will pass the encapsulated packet to the
      correspondent node.


11.3.2 Interaction with Outbound IPsec Processing

   This section sketches the interaction between outbound Mobile IPv6
   processing and outbound IP Security (IPsec) processing for packets
   sent by a mobile node while away from home.  Any specific
   implementation MAY use algorithms and data structures other than
   those suggested here, but its processing MUST be consistent with the
   effect of the operation described here and with the relevant IPsec
   specifications.  In the steps described below, it is assumed that
   IPsec is being used in transport mode [4] and that the mobile node is
   using its home address as the source for the packet (from the point
   of view of higher protocol layers or applications, as described in
   Section 11.3.1):

   o  The packet is created by higher layer protocols and applications
      (e.g., by TCP) as if the mobile node were at home and Mobile IPv6
      were not being used.

   o  As part of outbound packet processing in IP, the packet is
      compared against the IPsec security policy database to determine



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 111]


Internet-Draft          Mobility Support in IPv6           February 2003


      what processing is required for the packet [4].

   o  If IPsec processing is required, the packet is either mapped to an
      existing Security Association (or SA bundle), or a new SA (or SA
      bundle) is created for the packet, according to the procedures
      defined for IPsec.

   o  Since the mobile node is away from home, the mobile is either
      using reverse tunneling or route optimization to reach the
      correspondent node.

      If reverse tunneling is used, the packet is constructed in the
      normal manner and then tunneled through the home agent.  If route
      optimization is in use, the mobile node inserts a Home Address
      destination option into the packet, replacing the Source Address
      in the packet's IP header with a care-of address suitable for the
      link on which the packet is being sent, as described in Section
      11.3.1.  The Destination Options header in which the Home Address
      destination option is inserted MUST appear in the packet after the
      routing header, if present, and before the IPsec (AH [5] or ESP
      [6]) header, so that the Home Address destination option is
      processed by the destination node before the IPsec header is
      processed.  Finally, once the packet is fully assembled, the
      necessary IPsec authentication (and encryption, if required)
      processing is performed on the packet, initializing the
      Authentication Data in the IPsec header.  RFC 2402 treatment of
      destination options is extended as follows.  The AH authentication
      data MUST be calculated as if the following were true:

      *  the IPv6 source address in the IPv6 header contains the mobile
         node's home address,

      *  the Home Address field of the Home Address destination option
         (Section 6.3) contains the new care-of address.

   o  This allows, but does not require, the receiver of the packet
      containing a Home Address destination option to exchange the two
      fields of the incoming packet to reach the above situation,
      simplifying processing for all subsequent packet headers.
      However, such an exchange is not required, as long as the result
      of the authentication calculation remains the same.

   When an automated key management protocol is used to create new
   security associations for a peer, it is important to ensure that the
   peer can send the key management protocol packets to the mobile node.
   This may not be possible if the peer is the home agent of the mobile
   node, and the purpose of the security associations would be to send a
   Binding Update to the home agent.  Packets addressed to the home



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 112]


Internet-Draft          Mobility Support in IPv6           February 2003


   address of the mobile node cannot be used before the Binding Update
   has been processed.  For the default case of using IKE [9] as the
   automated key management protocol, such problems can be avoided by
   the following requirements when communicating with its home agent:

   o  When the mobile node is away from home, it MUST use its care-of
      address as the Source Address of all packets it sends as part of
      the key management protocol (without use of Mobile IPv6 for these
      packets, as suggested in Section 11.3.1).

   o  In addition, for all security associations bound to the mobile
      node's home address established by IKE, the mobile node MUST
      include an ISAKMP Identification Payload [8] in the IKE exchange,
      giving the mobile node's home address as the initiator of the
      Security Association [7].

   The Key Management Mobility Capability (K) bit in Binding Updates and
   Acknowledgements can be used avoid the need to rerun IKE upon
   movements.

11.3.3 Receiving Packets While Away from Home

   While away from home, a mobile node will receive packets addressed to
   its home address, by one of three methods:

   o  Packets sent by a correspondent node that does not have a Binding
      Cache entry for the mobile node, will be sent to the home address,
      captured by the home agent and tunneled to the mobile node

   o  Packets sent by a correspondent node that has a Binding Cache
      entry for the mobile node that contains the mobile node's current
      care-of address, will be sent by the correspondent node using a
      type 2 routing header.  The packet will be addressed to the mobile
      node's care-of address, with the final hop in the routing header
      directing the packet to the mobile node's home address; the
      processing of this last hop of the routing header is entirely
      internal to the mobile node, since the care-of address and home
      address are both addresses within the mobile node.

   For packets received by the first of these methods, the mobile node
   MUST check that the IPv6 source address of the tunneled packet is the
   IP address of its home agent.  In this method the mobile node may
   also send a Binding Update to the original sender of the packet, as
   described in Section 11.7.2, subject to the rate limiting defined in
   Section 11.8.  The mobile node MUST also process the received packet
   in the manner defined for IPv6 encapsulation [15], which will result
   in the encapsulated (inner) packet being processed normally by
   upper-layer protocols within the mobile node, as if it had been



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 113]


Internet-Draft          Mobility Support in IPv6           February 2003


   addressed (only) to the mobile node's home address.

   For packets received by the second method, the following rules will
   result in the packet being processed normally by upper-layer
   protocols within the mobile node, as if it had been addressed to the
   mobile node's home address.

   A node receiving a packet addressed to itself (i.e., one of the
   node's addresses is in the IPv6 destination field) follows the next
   header chain of headers and processes them.  When it encounters a
   type 2 routing header during this processing it performs the
   following checks.  If any of these checks fail the node MUST silently
   discard the packet.

   o  The length field in the routing header is exactly 2.

   o  The segments left field in the routing header is 1 on the wire.
      (But implementations may process the routing header so that the
      value may become 0 after the routing header has been processed,
      but before the rest of the packet is processed.)

   o  The Home Address field in the routing header is one of the node's
      home addresses, if the segments left field was 1.  Thus, in
      particular the address field is required to be a unicast routable
      address.

   Once the above checks have been performed, the node swaps the IPv6
   destination field with the Home Address field in the routing header,
   decrements segments left by one from the value it had on the wire,
   and resubmits the packet to IP for processing the next header.
   Conceptually this follows the same model as in RFC 2460.  However, in
   the case of type 2 routing header this can be simplified since it is
   known that the packet will not be forwarded to a different node.

   The definition of AH requires the sender to calculate the AH
   integrity check value of a routing header in a way as it appears in
   the receiver after it has processed the header.  Since IPsec headers
   follow the routing header, any IPsec processing will operate on the
   packet with the home address in the IP destination field and segments
   left being zero.  Thus, the AH calculations at the sender and
   receiver will have an identical view of the packet.

11.3.4 Routing Multicast Packets

   A mobile node that is connected to its home link functions in the
   same way as any other (stationary) node.  Thus, when it is at home, a
   mobile node functions identically to other multicast senders and
   receivers.  This section therefore describes the behavior of a mobile



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 114]


Internet-Draft          Mobility Support in IPv6           February 2003


   node that is not on its home link.

   In order to receive packets sent to some multicast group, a mobile
   node must join that multicast group.  One method by which a mobile
   node MAY join the group is via a (local) multicast router on the
   foreign link being visited.  In this case, the mobile node MUST use
   its care-of address and MUST NOT use the Home Address destination
   option when sending MLD packets [17].

   Alternatively, a mobile node MAY join multicast groups via a
   bi-directional tunnel to its home agent.  The mobile node tunnels its
   multicast group membership control packets (such as those defined in
   [17] or in [35]) to its home agent, and the home agent forwards
   multicast packets down the tunnel to the mobile node.  A mobile node
   MUST NOT tunnel multicast group membership control packets until (1)
   the mobile node has a binding in place at the home agent, and (2) the
   latter sends at least one such multicast group membership control
   packet via the tunnel.  Once this condition is true, the mobile node
   SHOULD assume it does not change as long as the binding does not
   expire.

   A mobile node that wishes to send packets to a multicast group also
   has two options:

   1.  Send directly on the foreign link being visited.

       The application is aware of the care-of address and uses it for
       multicast traffic just like any other stationary address.  The
       mobile node MUST NOT use Home Address destination option in such
       traffic.

   2.  Send via a tunnel to its home agent.

       Because multicast routing in general depends upon the Source
       Address used in the IPv6 header of the multicast packet, a mobile
       node that tunnels a multicast packet to its home agent MUST use
       its home address as the IPv6 Source Address of the inner
       multicast packet.

   Note that direct sending from the foreign link is only applicable
   while the mobile node is at that foreign link.  This is because the
   associated multicast tree is specific to that source location and any
   change of location and source address will invalidate the source
   specific tree or branch and the application context of the other
   multicast group members.

   This specification does not provide mechanisms to enable such local
   multicast session to survive hand-off, and to seamlessly continue



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 115]


Internet-Draft          Mobility Support in IPv6           February 2003


   from a new care-of address on each new foreign link.  Any such
   mechanism, developed as an extension to this specification, needs to
   take into account the impact of fast moving mobile nodes on the
   Internet multicast routing protocols and their ability to maintain
   the integrity of source specific multicast trees and branches.

   While the use of reverse tunneling can ensure that multicast trees
   are independent of the mobile nodes movement, in some case such
   tunneling can have adverse affects.  The latency of specific types of
   multicast applications such as multicast based discovery protocols
   will be affected when the round-trip time between the foreign subnet
   and the home agent is significant compared to that of the topology to
   be discovered.  In addition, the delivery tree from the home agent in
   such circumstances relies on unicast encapsulation from the agent to
   the mobile node and is therefore bandwidth inefficient compared to
   the native multicast forwarding in the foreign multicast system.

11.3.5 Receiving ICMP Error Messages

   Any node that doesn't recognize the Mobility header will return an
   ICMP Parameter Problem, Code 1, message to the sender of the packet.
   If the mobile node receives such an ICMP error message in response to
   a return routability procedure or Binding Update, it SHOULD record in
   its Binding Update List that future Binding Updates SHOULD NOT be
   sent to this destination.

   New Binding Update List entries MUST NOT be created as a result of
   receiving ICMP error messages.

   Correspondent nodes that have participated in the return routability
   procedure MUST implement the ability to correctly process received
   packets containing a Home Address destination option.  Therefore,
   correctly implemented correspondent nodes should always be able to
   recognize Home Address options.  If a mobile node receives an ICMP
   Parameter Problem, Code 2, message from some node indicating that it
   does not support the Home Address option, the mobile node SHOULD log
   the error and then discard the ICMP message.

11.3.6 Receiving Binding Error Messages

   When a mobile node receives a packet containing a Binding Error
   message, it should first check if the mobile node has a Binding
   Update List entry for the source of the Binding Error message.  If
   the mobile node does not have such an entry, it MUST ignore the
   message.  This is necessary to prevent a waste of resources on e.g.
   return routability procedure due to spoofed Binding Error messages.

   Otherwise, if the message Status field was 1 (unknown binding for



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 116]


Internet-Draft          Mobility Support in IPv6           February 2003


   Home Address destination option), the mobile node should perform one
   of the following two actions:

   o  If the mobile node has recent upper layer progress information
      that indicates communications with the correspondent node are
      progressing, it MAY ignore the message.  This can be done in order
      to limit the damage that spoofed Binding Error messages can cause
      to ongoing communications.

   o  If the mobile node has no upper layer progress information, it
      MUST remove the entry and route further communications through the
      home agent.  It MAY also optionally start a return routability
      procedure (see Section 5.2).

   If the message Status field was 2 (unrecognized MH Type value), the
   mobile node should perform one of the following two actions:

   o  If the mobile node is not expecting an acknowledgement or response
      from the correspondent node, the mobile node SHOULD ignore this
      message.

   o  Otherwise, the mobile node SHOULD cease the use of any extensions
      to this specification.  If no extensions had been used, the mobile
      node should cease the attempt to use route optimization.


11.4 Home Agent and Prefix Management

11.4.1 Dynamic Home Agent Address Discovery

   Sometimes, when the mobile node needs to send a Binding Update to its
   home agent to register its new primary care-of address, as described
   in Section 11.7.1, the mobile node may not know the address of any
   router on its home link that can serve as a home agent for it.  For
   example, some nodes on its home link may have been reconfigured while
   the mobile node has been away from home, such that the router that
   was operating as the mobile node's home agent has been replaced by a
   different router serving this role.

   In this case, the mobile node MAY attempt to discover the address of
   a suitable home agent on its home link.  To do so, the mobile node
   sends an ICMP Home Agent Address Discovery Request message to the
   Mobile IPv6 Home-Agents anycast address [16] for its home subnet
   prefix.  As described in Section 10.5, the home agent on its home
   link that receives this Request message will return an ICMP Home
   Agent Address Discovery Reply message.  This message gives the
   addresses for the home agents operating on the home link.




Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 117]


Internet-Draft          Mobility Support in IPv6           February 2003


   The mobile node, upon receiving this Home Agent Address Discovery
   Reply message, MAY then send its home registration Binding Update to
   any of the unicast IP addresses listed in the Home Agent Addresses
   field in the Reply.  For example, the mobile node MAY attempt its
   home registration to each of these addresses, in turn, until its
   registration is accepted.  The mobile node sends a Binding Update to
   an address and waits for the matching Binding Acknowledgement, moving
   on to the next address if there is no response.  The mobile node
   MUST, however, wait at least InitialBindackTimeoutFirstReg seconds
   (see Section 13) before sending a Binding Update to the next home
   agent.  In trying each of the returned home agent addresses, the
   mobile node SHOULD try each in the order listed in the Home Agent
   Addresses field in the received Home Agent Address Discovery Reply
   message.

   If the mobile node has a current registration with some home agent
   (the Lifetime for that registration has not yet expired), then the
   mobile node MUST attempt any new registration first with that home
   agent.  If that registration attempt fails (e.g., times out or is
   rejected), the mobile node SHOULD then reattempt this registration
   with another home agent.  If the mobile node knows of no other
   suitable home agent, then it MAY attempt the dynamic home agent
   address discovery mechanism described above.

   If, after a mobile node transmits a Home Agent Address Discovery
   Request message to the Home Agents Anycast address, it does not
   receive a corresponding Home Agent Address Discovery Reply message
   within INITIAL_DHAAD_TIMEOUT (see Section 12) seconds, the mobile
   node MAY retransmit the same Request message to the same anycast
   address.  This retransmission MAY be repeated up to a maximum of
   DHAAD_RETRIES (see Section 12) attempts.  Each retransmission MUST be
   delayed by twice the time interval of the previous retransmission.

11.4.2 Sending Mobile Prefix Solicitations

   When a mobile node has a home address that is about to become
   invalid, it SHOULD send a Mobile Prefix Solicitation to its home
   agent in an attempt to acquire fresh routing prefix information.  The
   new information also enables the mobile node to participate in
   renumbering operations affecting the home network, as described in
   Section 10.6.

   The mobile node MUST use the Home Address destination option to carry
   its home address.  The mobile node MUST support and SHOULD use IPsec
   to protect the solicitation.  The mobile node MUST set the Identifier
   field in the ICMP header to a random value.

   As described in Section 11.7.2, Binding Updates sent by the mobile



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 118]


Internet-Draft          Mobility Support in IPv6           February 2003


   node to other nodes MUST use a lifetime no greater than the remaining
   lifetime of its home registration of its primary care-of address.
   The mobile node SHOULD further limit the lifetimes that it sends on
   any Binding Updates to be within the remaining valid lifetime (see
   Section 10.6.2) for the prefix in its home address.

   When the lifetime for a changed prefix decreases, and the change
   would cause cached bindings at correspondent nodes in the Binding
   Update List to be stored past the newly shortened lifetime, the
   mobile node MUST issue a Binding Update to all such correspondent
   nodes.

   These limits on the binding lifetime serve to prohibit use of a
   mobile node's home address after it becomes invalid.

11.4.3 Receiving Mobile Prefix Advertisements

   Section 10.6 describes the operation of a home agent to support boot
   time configuration and renumbering a mobile node's home subnet while
   the mobile node is away from home.  The home agent sends Mobile
   Prefix Advertisements to the mobile node while away from home, giving
   "important" Prefix Information options that describe changes in the
   prefixes in use on the mobile node's home link.

   The Mobile Prefix Solicitation is similar to the Router Solicitation
   used in Neighbor Discovery [12], except it is routed from the mobile
   node on the visited network to the home agent on the home network by
   usual unicast routing rules.

   When a mobile node receives a Mobile Prefix Advertisement, it MUST
   validate it according to the following test:

   o  The Source Address of the IP packet carrying the Mobile Prefix
      Advertisement is the same as the home agent address to which the
      mobile node last sent an accepted home registration Binding Update
      to register its primary care-of address.  Otherwise, if no such
      registrations have been made, it SHOULD be the mobile node's
      stored home agent address, if one exists.  Otherwise, if the
      mobile node has not yet discovered its home agent's address, it
      MUST NOT accept Mobile Prefix Advertisements.

   o  The packet MUST have a type 2 routing header and SHOULD be
      protected by an IPsec header as described in Section 5.4 and
      Section 6.8.

   o  If a solicitation has been sent recently, the ICMP Identifier
      value MUST be the same as in the solicitation.




Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 119]


Internet-Draft          Mobility Support in IPv6           February 2003


   Any received Mobile Prefix Advertisement not meeting these tests MUST
   be silently discarded.

   If the advertisement was unsolicited, the mobile node SHOULD send a
   Mobile Prefix Solicitation.

   For an accepted Mobile Prefix Advertisement, the mobile node MUST
   process Managed Address Configuration (M), Other Stateful
   Configuration (O), and the Prefix Information Options as if they
   arrived in a Router Advertisement [12] on the mobile node's home
   link.  (This specification does not, however, describe how to acquire
   home addresses through stateful protocols.) Such processing may
   result in the mobile node configuring a new home address, although
   due to separation between preferred lifetime and valid lifetime, such
   changes should not affect most communications by the mobile node, in
   the same way as for nodes that are at home.

   This specification assumes that any security associations and
   security policy entries that may be needed for new prefixes have been
   pre-configured in the mobile node.  Note that while dynamic key
   management avoids the need to create new security associations, it is
   still necessary to add policy entries to protect the communications
   involving the home address(es).  Mechanisms for automatic set-up of
   these entries are outside the scope of this specification.

11.5 Movement

11.5.1 Movement Detection

   The primary movement detection mechanism for Mobile IPv6 defined in
   this section uses the facilities of IPv6 Neighbor Discovery,
   including Router Discovery and Neighbor Unreachability Detection.
   The mobile node SHOULD supplement this mechanism with other
   information whenever it is available to the mobile node (e.g., from
   lower protocol layers).  The description here is based on the
   conceptual model of the organization and data structures defined by
   Neighbor Discovery [12].

   Mobile nodes SHOULD use Router Discovery to discover new routers and
   on-link subnet prefixes; a mobile node MAY send Router Solicitations,
   or MAY wait for unsolicited (periodic) multicast Router
   Advertisements, as specified for Router Discovery [12].  Based on
   received Router Advertisements, a mobile node maintains an entry in
   its Default Router List for each router, and an entry in its Prefix
   List for each subnet prefix that it currently considers to be
   on-link.  Each entry in these lists has an associated invalidation
   timer value.  While away from home, a mobile node typically selects
   one default router and one subnet prefix to use as the subnet prefix



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 120]


Internet-Draft          Mobility Support in IPv6           February 2003


   in its primary care-of address.  A mobile node MAY also have
   associated additional care-of addresses, using other subnet prefixes
   from its Prefix List.  The method by which a mobile node selects and
   forms a care-of address from the available subnet prefixes is
   described in Section 11.5.2.  The mobile node registers its primary
   care-of address with its home agent, as described in Section 11.7.1.

   While a mobile node is away from home, it is important for the mobile
   node to quickly detect when its default router becomes unreachable.
   When this happens, the mobile node SHOULD switch to a new default
   router and potentially to a new primary care-of address.  If, on the
   other hand, the mobile node becomes unreachable from its default
   router, it should attempt to become reachable through some other
   router.  To detect when its default router becomes unreachable, a
   mobile node SHOULD use Neighbor Unreachability Detection.

   For a mobile node to detect when it has become unreachable from its
   default router, the mobile node cannot efficiently rely on Neighbor
   Unreachability Detection alone, since the network overhead would be
   prohibitively high in many cases.  Instead, when a mobile node
   receives any IPv6 packets from its current default router at all,
   irrespective of the source IPv6 address, it SHOULD use that as an
   indication that it is still reachable from the router.

   Since the router sends periodic unsolicited multicast Router
   Advertisements, the mobile node will have an opportunity to check if
   it is still reachable from its default router, even in the absence of
   other packets to it from the router.  If Router Advertisements that
   the mobile node receives include an Advertisement Interval option,
   the mobile node MAY use its Advertisement Interval field as an
   indication of the frequency with which it SHOULD expect to continue
   to receive future Advertisements from that router.  This field
   specifies the minimum rate (the maximum amount of time between
   successive Advertisements) that the mobile node SHOULD expect.  If
   this amount of time elapses without the mobile node receiving any
   Advertisement from this router, the mobile node can be sure that at
   least one Advertisement sent by the router has been lost.  It is thus
   possible for the mobile node to implement its own policy for
   determining the number of Advertisements from its current default
   router it is willing to tolerate losing before deciding to switch to
   a different router from which it may currently be correctly receiving
   Advertisements.

   On some types of network interfaces, the mobile node MAY also
   supplement this monitoring of Router Advertisements, by setting its
   network interface into "promiscuous" receive mode, so that it is able
   to receive all packets on the link, including those not addressed to
   it at the link layer (i.e., disabling link-level address filtering).



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 121]


Internet-Draft          Mobility Support in IPv6           February 2003


   The mobile node will then be able to detect any packets sent by the
   router, in order to detect reachability from the router.  This use of
   promiscuous mode may be useful on very low bandwidth (e.g., wireless)
   links.  If this mode is supported, its use MUST be configurable,
   since it is likely to consume additional energy resources.

   If the above means do not provide indication that the mobile node is
   still reachable from its current default router (for instance, the
   mobile node receives no packets from the router for a period of
   time), then the mobile node SHOULD attempt to actively probe the
   router with Neighbor Solicitations, even if it is not otherwise
   actively sending packets to the router.  If it receives a solicited
   Neighbor Advertisement in response from the router, then the mobile
   node can deduce that it is still reachable.  It is expected that the
   mobile node will in most cases be able to determine its reachability
   from the router by listening for packets from the router as described
   above, and thus, such extra Neighbor Solicitation probes should
   rarely be necessary.

   With some types of networks, indications about link-layer mobility
   might be obtained from lower-layer protocol or device driver software
   within the mobile node.  However, all link-layer mobility indications
   from lower layers do not necessarily indicate a movement of the
   mobile node to a new link, such that the mobile node would need to
   switch to a new default router and primary care-of address.  For
   example, movement of a mobile node from one cell to another in many
   wireless LANs can be made transparent to the IP level through use of
   a link-layer "roaming" protocol, as long as the different wireless
   LAN cells all operate as part of the same IP link with the same
   subnet prefix.  Upon lower-layer indication of link-layer mobility,
   the mobile node SHOULD send Router Solicitations to determine if
   additional on-link subnet prefixes are available on its new link.
   The mobile node SHOULD also mark its link-local address as tentative,
   and follow standard Duplicate Address Detection procedures [13].

   Such lower-layer information might also be useful to a mobile node in
   deciding to switch its primary care-of address to one of the other
   care-of addresses it has formed from the on-link subnet prefixes
   currently available through different routers from which the mobile
   node is reachable.  For example, a mobile node MAY use signal
   strength or signal quality information (with suitable hysteresis) for
   its link with the available routers to decide when to switch to a new
   primary care-of address using that router rather than its current
   default router (and current primary care-of address).  Even though
   the mobile node's current default router may still be reachable in
   terms of Neighbor Unreachability Detection, the mobile node MAY use
   such lower-layer information to determine that switching to a new
   default router would provide a better connection.



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 122]


Internet-Draft          Mobility Support in IPv6           February 2003


11.5.2 Forming New Care-of Addresses

   After detecting that it has moved from one link to another (i.e., its
   current default router has become unreachable and it has discovered a
   new default router), a mobile node SHOULD generate a new primary
   care-of address using normal IPv6 mechanisms.  A mobile node MAY form
   a new primary care-of address at any time, but a mobile node MUST NOT
   send a Binding Update about a new care-of address to its home agent
   more than MAX_UPDATE_RATE times within a second.

   In addition, a mobile node MAY form new non-primary care-of addresses
   even when it has not switched to a new default router.  A mobile node
   can have only one primary care-of address at a time (which is
   registered with its home agent), but it MAY have an additional
   care-of address for any or all of the prefixes on its current link.
   Furthermore, since a wireless network interface may actually allow a
   mobile node to be reachable on more than one link at a time (i.e.,
   within wireless transmitter range of routers on more than one
   separate link), a mobile node MAY have care-of addresses on more than
   one link at a time.  The use of more than one care-of address at a
   time is described in Section 11.5.3.

   As described in Section 4, in order to form a new care-of address, a
   mobile node MAY use either stateless [13] or stateful (e.g., DHCPv6
   [28]) Address Autoconfiguration.  If a mobile node needs to use a
   source address (other than the unspecified address) in packets sent
   as a part of address autoconfiguration, it MUST use an IPv6
   link-local address rather than its own IPv6 home address.

   RFC 2462 [13] specifies that in normal processing for Duplicate
   Address Detection, the node SHOULD delay sending the initial Neighbor
   Solicitation message by a random delay between 0 and
   MAX_RTR_SOLICITATION_DELAY.  Since delaying DAD can result in
   significant delays in configuring a new care-of address when the
   Mobile Node moves to a new link, the Mobile Node preferably SHOULD
   NOT delay DAD when configuring a new care-of address.  The Mobile
   Node SHOULD delay according to the mechanisms specified in RFC 2462
   unless the implementation has a behavior that desynchronizes the
   steps that happen before the DAD in the case that multiple nodes
   experience handover at the same time.  Such desynchronizing behaviors
   might be due to random delays in the L2 protocols or device drivers,
   or due to the movement detection mechanism that is used.

11.5.3 Using Multiple Care-of Addresses

   As described in Section 11.5.2, a mobile node MAY use more than one
   care-of address at a time.  Particularly in the case of many wireless
   networks, a mobile node effectively might be reachable through



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 123]


Internet-Draft          Mobility Support in IPv6           February 2003


   multiple links at the same time (e.g., with overlapping wireless
   cells), on which different on-link subnet prefixes may exist.  The
   mobile node MUST ensure that its primary care-of address always has a
   prefix that is considered on-link by its current default router,
   i.e., advertised by its current default router in a solicited Router
   Advertisement.  After selecting a new primary care-of address, the
   mobile node MUST send a Binding Update containing that care-of
   address to its home agent.  The Binding Update MUST have the Home
   Registration (H) and Acknowledge (A) bits set its home agent, as
   described on Section 11.7.1.

   To assist with smooth handovers, a mobile node SHOULD retain its
   previous primary care-of address as a (non-primary) care-of address,
   and SHOULD still accept packets at this address, even after
   registering its new primary care-of address with its home agent.
   This is reasonable, since the mobile node could only receive packets
   at its previous primary care-of address if it were indeed still
   connected to that link.  If the previous primary care-of address was
   allocated using stateful Address Autoconfiguration [28], the mobile
   node may not wish to release the address immediately upon switching
   to a new primary care-of address.

   Whenever a mobile node determines that it is no longer reachable
   through a given link, it SHOULD invalidate all care-of addresses
   associated with address prefixes that it discovered from routers on
   the unreachable link which are not in the current set of address
   prefixes advertised by the (possibly new) current default router.

11.5.4 Returning Home

   A mobile node detects that it has returned to its home link through
   the movement detection algorithm in use (Section 11.5.1), when the
   mobile node detects that its home subnet prefix is again on-link.
   The mobile node SHOULD then send a Binding Update to its home agent,
   to instruct its home agent to no longer intercept or tunnel packets
   for it.  In this home registration, the mobile node MUST set the
   Acknowledge (A) and Home Registration (H) bits, set the Lifetime
   field to zero, and set the care-of address for the binding to the
   mobile node's own home address.  The mobile node MUST use its home
   address as the source address in the Binding Update.

   When sending this Binding Update to its home agent, the mobile node
   must be careful in how it uses Neighbor Solicitation [12] (if needed)
   to learn the home agent's link-layer address, since the home agent
   will be currently configured to intercept packets to the mobile
   node's home address using Duplicate Address Detection (DAD).  In
   particular, the mobile node is unable to use its home address as the
   Source Address in the Neighbor Solicitation until the home agent



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 124]


Internet-Draft          Mobility Support in IPv6           February 2003


   stops defending the home address.

   Neighbor Solicitation by the mobile node for the home agent's address
   will normally not be necessary, since the mobile node has already
   learned the home agent's link-layer address from a Source Link-Layer
   Address option in a Router Advertisement.  However, if there are
   multiple home agents it may still be necessary to send a
   solicitation.  In this special case of the mobile node returning
   home, the mobile node MUST multicast the packet, and in addition set
   the Source Address of this Neighbor Solicitation to the unspecified
   address (0:0:0:0:0:0:0:0).  The target of the Neighbor Solicitation
   MUST be set to the mobile node's home address.  The destination IP
   address MUST be set to the Solicited-Node multicast address [3].  The
   home agent will send a multicast Neighbor Advertisement back to the
   mobile node with the Solicited flag (S) set to zero.  In any case,
   the mobile node SHOULD record the information from the Source
   Link-Layer Address option or from the advertisement, and set the
   state of the Neighbor Cache entry for the home agent to REACHABLE.

   The mobile node then sends its Binding Update to the home agent's
   link-layer address, instructing its home agent to no longer serve as
   a home agent for it.  By processing this Binding Update, the home
   agent will cease defending the mobile node's home address for
   Duplicate Address Detection and will no longer respond to Neighbor
   Solicitations for the mobile node's home address.  The mobile node is
   then the only node on the link receiving packets at the mobile node's
   home address.  In addition, when returning home prior to the
   expiration of a current binding for its home address, and configuring
   its home address on its network interface on its home link, the
   mobile node MUST NOT perform Duplicate Address Detection on its own
   home address, in order to avoid confusion or conflict with its home
   agent's use of the same address.  If the mobile node returns home
   after the bindings for all of its care-of addresses have expired,
   then it SHOULD perform DAD.

   After the Mobile Node sends the Binding Update, it MUST be prepared
   to reply to Neighbor Solicitations from its home agent.  The replies
   MUST be sent using a unicast Neighbor Advertisement to the home
   agent's link-layer address.

   After receiving the Binding Acknowledgement for its Binding Update to
   its home agent, the mobile node MUST multicast onto the home link (to
   the all-nodes multicast address) a Neighbor Advertisement [12], to
   advertise the mobile node's own link-layer address for its own home
   address.  The Target Address in this Neighbor Advertisement MUST be
   set to the mobile node's home address, and the Advertisement MUST
   include a Target Link-layer Address option specifying the mobile
   node's link-layer address.  The mobile node MUST multicast such a



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 125]


Internet-Draft          Mobility Support in IPv6           February 2003


   Neighbor Advertisement for each of its home addresses, as defined by
   the current on-link prefixes, including its link-local address and
   site-local address.  The Solicited Flag (S) in these Advertisements
   MUST NOT be set, since they were not solicited by any Neighbor
   Solicitation.  The Override Flag (O) in these Advertisements MUST be
   set, indicating that the Advertisements SHOULD override any existing
   Neighbor Cache entries at any node receiving them.

   Since multicasting on the local link (such as Ethernet) is typically
   not guaranteed to be reliable, the mobile node MAY retransmit these
   Neighbor Advertisements [12] up to MAX_NEIGHBOR_ADVERTISEMENT times
   to increase their reliability.  It is still possible that some nodes
   on the home link will not receive any of these Neighbor
   Advertisements, but these nodes will eventually be able to recover
   through use of Neighbor Unreachability Detection [12].

11.6 Return Routability Procedure

   This section defines the rules that the mobile node must follow when
   performing the return routability procedure.  Section 11.7.2
   describes the rules when the return routability procedure needs to be
   initiated.

11.6.1 Sending Test Init Messages

   A mobile node that initiates a return routability procedure MUST send
   (in parallel) a Home Test Init message and a Care-of Test Init
   messages.  However, if the mobile node has recently received (see
   Section 5.2.7) one or both home or care-of keygen tokens, and
   associated nonce indices for the desired addresses, it MAY reuse
   them.  Therefore, the return routability procedure may in some cases
   be completed with only one message pair.  It may even be completed
   without any messages at all, if the mobile node has a recent home
   keygen token and and has previously visited the same care-of address
   so that it also has a recent care-of keygen token.  If the mobile
   node intends to send a Binding Update with the Lifetime set to zero
   and the care-of address equal to its home address - such as when
   returning home - sending a Home Test Init message is sufficient.  In
   this case, generation of the binding management key depends
   exclusively on the home keygen token (Section 5.2.5).

   A Home Test Init message MUST be created as described in Section
   6.1.3.  A Care-of Test Init message MUST be created as described in
   Section 6.1.4.  When sending a Home Test Init or Care-of Test Init
   message the mobile node MUST record in its Binding Update List the
   following fields from the messages:

   o  The IP address of the node to which the message was sent.



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 126]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  The home address of the mobile node.  This value will appear in
      the Source Address field of the Home Test Init message.  When
      sending the Care-of Test Init message, this address does not
      appear in the message, but represents the home address for which
      the binding is desired.

   o  The time at which each of these messages was sent.

   o  The cookies used in the messages.

   Note that a single Care-of Test Init message may be sufficient even
   when there are multiple home addresses.  In this case the mobile node
   MAY record the same information in multiple Binding List entries.

11.6.2 Receiving Test Messages

   Upon receiving a packet carrying a Home Test message, a mobile node
   MUST validate the packet according to the following tests:

   o  The Source Address of the packet belongs to a correspondent node
      for which the mobile node has a Binding Update List entry with a
      state indicating that return routability procedure is in progress.
      Note that there may be multiple such entries.

   o  The Binding Update List indicates that no home keygen token has
      been received yet.

   o  The Destination Address of the packet has the home address of the
      mobile node, and the packet has been received in a tunnel from the
      home agent.

   o  The Home Init Cookie field in the message matches the value stored
      in the Binding Update List.

   Any Home Test message not satisfying all of these tests MUST be
   silently ignored.  Otherwise, the mobile node MUST record the Home
   Nonce Index and home keygen token in the Binding Update List.  If the
   Binding Update List entry does not have a care-of keygen token, the
   mobile node SHOULD continue waiting for additional messages.

   Upon receiving a packet carrying a Care-of Test message, a mobile
   node MUST validate the packet according to the following tests:

   o  The Source Address of the packet belongs to a correspondent node
      for which the mobile node has a Binding Update List entry with a
      state indicating that return routability procedure is in progress.
      Note that there may be multiple such entries.




Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 127]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  The Binding Update List indicates that no care-of keygen token has
      been received yet.

   o  The Destination Address of the packet is the current care-of
      address of the mobile node.

   o  The Care-of Init Cookie field in the message matches the value
      stored in the Binding Update List.

   Any Care-of Test message not satisfying all of these tests MUST be
   silently ignored.  Otherwise, the mobile node MUST record the Care-of
   Nonce Index and care-of keygen token in the Binding Update List.  If
   the Binding Update List entry does not have a home keygen token, the
   mobile node SHOULD continue waiting for additional messages.

   If after receiving either the Home Test or the Care-of Test message
   and performing the above actions, the Binding Update List entry has
   both the home and the care-of keygen tokens, the return routability
   procedure is complete.  The mobile node SHOULD then proceed with
   sending a Binding Update as described in Section 11.7.2.

   Correspondent nodes from the time before this specification was
   published may not support the Mobility Header protocol.  These nodes
   will respond to Home Test Init and Care-of Test Init messages with an
   ICMP Parameter Problem code 1.  The mobile node SHOULD take such
   messages as an indication that the correspondent node cannot provide
   route optimization, and revert back to the use of bidirectional
   tunneling.

11.6.3 Protecting Return Routability Packets

   The mobile node MUST support the protection of Home Test and Home
   Test Init messages as described in Section 10.4.6.

   When IPsec is used to protect return routability signaling or payload
   packets, the mobile node MUST set the source address it uses for the
   outgoing tunnel packets to the current primary care-of address.  The
   mobile node starts to use a new primary care-of address immediately
   after sending a Binding Update to the home agent to register this new
   address.

11.7 Processing Bindings

11.7.1 Sending Binding Updates to the Home Agent

   After deciding to change its primary care-of address as described in
   Section 11.5.1 and Section 11.5.2, a mobile node MUST register this
   care-of address with its home agent in order to make this its primary



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 128]


Internet-Draft          Mobility Support in IPv6           February 2003


   care-of address.

   Also, if the mobile node wants the services of the home agent beyond
   the current registration period, the mobile node should send a new
   Binding Update to it well before the expiration of this period, even
   if it is not changing its primary care-of address.  However, if the
   home agent returned a Binding Acknowledgement for the current
   registration with Status field set to 1 (accepted but prefix
   discovery necessary), the mobile node should not try to register
   again before it has learned the validity of its home prefixes through
   prefix discovery.  This is typically necessary every time this Status
   value is received, because information learned through prefix
   discovery on an earlier registration may have changed.

   To register a care-of address or to extend the lifetime of an
   existing registration, the mobile node sends a packet to its home
   agent containing a Binding Update, with the packet constructed as
   follows:

   o  The Home Registration (H) bit MUST be set in the Binding Update.

   o  The Acknowledge (A) bit MUST be set in the Binding Update.

   o  The packet MUST contain a Home Address destination option, giving
      the mobile node's home address for the binding.

   o  The care-of address for the binding MUST be used as the Source
      Address in the packet's IPv6 header, unless an Alternate Care-of
      Address mobility option is included in the Binding Update.  This
      option MUST be included in all home registrations, as the ESP
      protocol will not be able to protect care-of addresses in the IPv6
      header.  (Mobile IPv6 implementations that know they are using
      IPsec AH to protect a particular message might avoid this option.
      For brevity the usage of AH is not discussed in this document.)

   o  If the mobile node's link-local address has the same interface
      identifier as the home address for which it is supplying a new
      care-of address, then the mobile node SHOULD set the Link-Local
      Address Compatibility (L) bit.

   o  If the home address was generated using RFC 3041 [18], then the
      link local address is unlikely to have a compatible interface
      identifier.  In this case, the mobile node MUST clear the
      Link-Local Address Compatibility (L) bit.

   o  If the IPsec security associations between the mobile node and the
      home agent have been established dynamically, and the mobile node
      has the capability to update its endpoint in the used key



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 129]


Internet-Draft          Mobility Support in IPv6           February 2003


      management protocol to the new care-of address every time it
      moves, the mobile node SHOULD set the Key Management Mobility
      Capability (K) bit in the Binding Update.  Otherwise, the mobile
      node MUST clear the bit.

   o  The value specified in the Lifetime field SHOULD be less than or
      equal to the remaining valid lifetime of the home address and the
      care-of address specified for the binding.

      Mobile nodes that use dynamic home agent address discovery should
      be careful with long lifetimes.  If the mobile node loses the
      knowledge of its binding with a specific home agent, registering a
      new binding with another home agent may be impossible as the
      previous home agent is still defending the existing binding.
      Therefore, mobile nodes that use home agent address discovery
      SHOULD ensure information about their bindings is not lost,
      de-register before losing this information, or use small
      lifetimes.

   The Acknowledge (A) bit in the Binding Update requests the home agent
   to return a Binding Acknowledgement in response to this Binding
   Update.  As described in Section 6.1.8, the mobile node SHOULD
   retransmit this Binding Update to its home agent until it receives a
   matching Binding Acknowledgement.  Once reaching a retransmission
   timeout period of MAX_BINDACK_TIMEOUT, the mobile node SHOULD restart
   the process of delivering the Binding Update, but trying instead the
   next home agent returned during dynamic home agent address discovery
   (see Section 11.4.1).  If there was only one home agent, the mobile
   node instead SHOULD continue to periodically retransmit the Binding
   Update at this rate until acknowledged (or until it begins attempting
   to register a different primary care-of address).  See Section 11.8
   for information about retransmitting Binding Updates.

   With the Binding Update, the mobile node requests the home agent to
   serve as the home agent for the given home address.  Until the
   lifetime of this registration expires, the home agent considers
   itself the home agent for this home address.

   Each Binding Update MUST be authenticated as coming from the right
   mobile node, as defined in Section 5.1.  The mobile node MUST use its
   home address - either in the Home Address destination option or in
   the Source Address field of the IPv6 header - in Binding Updates sent
   to the home agent.  This is necessary in order to allow the IPsec
   policies to be matched with the right home address.

   When sending a Binding Update to its home agent, the mobile node MUST
   also create or update the corresponding Binding Update List entry, as
   specified in Section 11.7.2.



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 130]


Internet-Draft          Mobility Support in IPv6           February 2003


   The last Sequence Number value sent to the home agent in a Binding
   Update is stored by the mobile node.  If the sending mobile node has
   no knowledge of the right Sequence Number value, it may start at any
   value.  If the home agent rejects the value, it sends back a Binding
   Acknowledgement with status code 135, and the last accepted sequence
   number in the Sequence Number field of the Binding Acknowledgement.
   The mobile node MUST store this information and use the next Sequence
   Number value for the next Binding Update it sends.

   If the mobile node has additional home addresses using a different
   interface identifier, then the mobile node SHOULD send an additional
   packet containing a Binding Update to its home agent to register the
   care-of address for each such other home address (or set of home
   addresses sharing an interface identifier).

   The home agent will only perform DAD for the mobile node's home
   address when the mobile node has supplied a valid binding between its
   home address and a care-of address.  If some time elapses during
   which the mobile node has no binding at the home agent, it might be
   possible for another node to autoconfigure the mobile node's home
   address.  Therefore, the mobile node MUST treat creation of a new
   binding with the home agent using an existing home address the same
   as creation of a new home address.  In the unlikely event that the
   mobile node's home address is autoconfigured as the IPv6 address of
   another network node on the home network, the home agent will reply
   to the mobile node's subsequent Binding Update with a Binding
   Acknowledgement containing a Status of 134 (Duplicate Address
   Detection failed).  In this case, the mobile node MUST NOT attempt to
   re-use the same home address.  It SHOULD continue to register care-of
   addresses for its other home addresses, if any.  The mobile node MAY
   also attempt to acquire a new home address to replace the one for
   which Status 134 was received, for instance by using the techniques
   described in Appendix B.5.

11.7.2 Correspondent Binding Procedure

   When the mobile node is assured that its home address is valid, it
   can initiate a correspondent binding procedure with the purpose of
   allowing the correspondent node to cache the mobile node's current
   care-of address.  This procedure consists of the return routability
   procedure followed by a binding procedure.

   This section defines when to initiate the correspondent binding
   procedure, and rules to follow when performing it.

   After the mobile node has sent a Binding Update to its home agent to
   register a new primary care-of address (as described in Section
   11.7.1), the mobile node SHOULD initiate a correspondent binding



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 131]


Internet-Draft          Mobility Support in IPv6           February 2003


   procedure for each node that already appears in the mobile node's
   Binding Update List.  This is necessary in order to ensure that
   correspondent nodes do not have invalid information about the current
   location of the mobile node.  The initiated procedures can be used to
   either update or delete binding information in the correspondent
   node.

   For nodes that do not appear in the mobile node's Binding Update
   List, the mobile node MAY initiate a correspondent binding procedure
   at any time after sending the Binding Update to its home agent.
   Considerations regarding when (and if) to initiate the procedure
   depend on the specific movement and traffic patterns of the mobile
   node and are outside the scope of this document.

   In addition, when a mobile node receives a packet for which the
   mobile node can deduce that the original sender of the packet has a
   stale Binding Cache entry for the mobile node, the mobile node SHOULD
   initiate a correspondent binding procedure.  In addition, the mobile
   node MAY initiate the procedure in response to receiving a packet
   that meets all of the following tests:

   o  The packet was tunneled using IPv6 encapsulation.

   o  The Destination Address in the tunnel (outer) IPv6 header is equal
      to any of the mobile node's care-of addresses.

   o  The Destination Address in the original (inner) IPv6 header is
      equal to one of the mobile node's home addresses.

   o  The Source Address in the tunnel (outer) IPv6 header differs from
      the Source Address in the original (inner) IPv6 header.

   o  The packet does not contain a Care-of Test Init message.

   If a mobile node has multiple home addresses, it becomes important to
   select the right home address to use in the correspondent binding
   procedure.  The used home address MUST be the Destination Address of
   the original (inner) packet.

   The peer address used in the procedure MUST be determined as follows:

   o  If a Home Address destination option is present in the original
      (inner) packet, the address from this option is used.

   o  Otherwise, the Source Address in the original (inner) IPv6 header
      of the packet is used.

   Note that the validity of the original packet is checked before



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 132]


Internet-Draft          Mobility Support in IPv6           February 2003


   attempting to initiate a correspondent binding procedure.  For
   instance, if a Home Address destination option appeared in the
   original packet, then rules in Section 9.3.1 are followed.

   A mobile node MAY also choose to keep its location private from
   certain correspondent nodes, and thus need not initiate the
   correspondent binding procedure.

   Upon successfully completing the return routability procedure, and
   after receiving a successful Binding Acknowledgement from the Home
   Agent, a Binding Update MAY be sent to the correspondent node.

   In any Binding Update sent by a mobile node, the care-of address
   (either the Source Address in the packet's IPv6 header or the Care-of
   Address in the Alternate Care-of Address mobility option of the
   Binding Update) MUST be set to one of the care-of addresses currently
   in use by the mobile node or to the mobile node's home address.  A
   mobile node MAY set the care-of address differently for sending
   Binding Updates to different correspondent nodes.

   A mobile node MAY also send a Binding Update to such a correspondent
   node to instruct it to delete any existing binding for the mobile
   node from its Binding Cache, as described in Section 6.1.7.  Even in
   this case a successful completion of the return routability procedure
   is required first.

   If set to one of the mobile node's current care-of addresses, the
   Binding Update requests the correspondent node to create or update an
   entry for the mobile node in the correspondent node's Binding Cache
   in order to record this care-of address for use in sending future
   packets to the mobile node.  In this case, the value specified in the
   Lifetime field sent in the Binding Update SHOULD be less than or
   equal to the remaining lifetime of the home registration and the
   care-of address specified for the binding.  The care-of address given
   in the Binding Update MAY differ from the mobile node's primary
   care-of address.

   If the Binding Update is sent to request the correspondent node to
   delete any existing Binding Cache entry that it has for the mobile
   node, the care-of address is set to the mobile node's home address
   and the Lifetime field set to zero.  In this case, generation of the
   binding management key depends exclusively on the home keygen token
   (Section 5.2.5).  The care-of nonce index SHOULD be set to zero in
   this case.  In keeping with the Binding Update creation rules below,
   the care-of address MUST be set to the home address if the mobile
   node is at home, or to the current care-of address if it is away from
   home.




Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 133]


Internet-Draft          Mobility Support in IPv6           February 2003


   If the mobile node wants to ensure that its new care-of address has
   been entered into a correspondent node's Binding Cache, the mobile
   node MAY request an acknowledgement by setting the Acknowledge (A)
   bit in the Binding Update.  In this case, however, the mobile node
   SHOULD NOT continue to retransmit the Binding Update once the
   retransmission timeout period has reached MAX_BINDACK_TIMEOUT.

   A Binding Update is created as follows:

   o  The Source Address of the IPv6 header MUST contain the current
      care-of address of the mobile node.

   o  The Destination Address of the IPv6 header MUST contain the
      address of the correspondent node.

   o  The Mobility Header is constructed according to rules in Section
      6.1.7 and Section 5.2.6, including the Binding Authorization Data
      (calculated as defined in Section 6.2.7) and possibly the Nonce
      Indices mobility options.

   o  The home address of the mobile node MUST be added to the packet in
      a Home Address destination option, unless the Source Address is
      the home address.

   Each Binding Update MUST have a Sequence Number greater than the
   Sequence Number value sent in the previous Binding Update to the same
   destination address (if any).  The sequence numbers are compared
   modulo 2**16, as described in Section 9.5.1.  There is no
   requirement, however, that the Sequence Number value strictly
   increase by 1 with each new Binding Update sent or received, as long
   as the value stays within the window.  The last Sequence Number value
   sent to a destination in a Binding Update is stored by the mobile
   node in its Binding Update List entry for that destination.  If the
   sending mobile node has no Binding Update List entry, the Sequence
   Number SHOULD start at a random value.  The mobile node MUST NOT use
   the same Sequence Number in two different Binding Updates to the same
   correspondent node, even if the Binding Updates provide different
   care-of addresses.

   The mobile node is responsible for the completion of the
   correspondent binding procedure, as well as any retransmissions that
   may be needed (subject to the rate limiting defined in Section 11.8).

11.7.3 Receiving Binding Acknowledgements

   Upon receiving a packet carrying a Binding Acknowledgement, a mobile
   node MUST validate the packet according to the following tests:




Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 134]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  The packet meets the authentication requirements for Binding
      Acknowledgements, defined in Section 6.1.8 and Section 5.  That
      is, if the Binding Update was sent to the home agent, underlying
      IPsec protection is used.  If the Binding Update was sent to the
      correspondent node, the Binding Authorization Data mobility option
      MUST be present and have a valid value.

   o  The Binding Authorization Data mobility option, if present, MUST
      be the last option and MUST not have trailing padding.

   o  The Sequence Number field matches the Sequence Number sent by the
      mobile node to this destination address in an outstanding Binding
      Update.

   Any Binding Acknowledgement not satisfying all of these tests MUST be
   silently ignored.

   When a mobile node receives a packet carrying a valid Binding
   Acknowledgement, the mobile node MUST examine the Status field as
   follows:

   o  If the Status field indicates that the Binding Update was accepted
      (the Status field is less than 128), then the mobile node MUST
      update the corresponding entry in its Binding Update List to
      indicate that the Binding Update has been acknowledged; the mobile
      node MUST then stop retransmitting the Binding Update.  In
      addition, if the value specified in the Lifetime field in the
      Binding Acknowledgement is less than the Lifetime value sent in
      the Binding Update being acknowledged, then the mobile node MUST
      subtract the difference between these two Lifetime values from the
      remaining lifetime for the binding as maintained in the
      corresponding Binding Update List entry (with a minimum value for
      the Binding Update List entry lifetime of 0).  That is, if the
      Lifetime value sent in the Binding Update was L_update, the
      Lifetime value received in the Binding Acknowledgement was L_ack,
      and the current remaining lifetime of the Binding Update List
      entry is L_remain, then the new value for the remaining lifetime
      of the Binding Update List entry should be

         max((L_remain - (L_update - L_ack)), 0)


      where max(X, Y) is the maximum of X and Y.  The effect of this
      step is to correctly manage the mobile node's view of the
      binding's remaining lifetime (as maintained in the corresponding
      Binding Update List entry) so that it correctly counts down from
      the Lifetime value given in the Binding Acknowledgement, but with
      the timer countdown beginning at the time that the Binding Update



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 135]


Internet-Draft          Mobility Support in IPv6           February 2003


      was sent.  Mobile nodes SHOULD send a new Binding Update well
      before the expiration of this period in order to extend the
      lifetime.  This helps to avoid disruptions in communications,
      which might otherwise be caused by network delays or clock drift.

   o  Additionally, if the Status field value is 1 (Accepted but prefix
      discovery necessary), the mobile node SHOULD send a Mobile Prefix
      Solitation message to update its information about the available
      prefixes.

   o  If the Status field indicates that the Binding Update was rejected
      (the Status field is greater than or equal to 128), then the
      mobile node SHOULD record in its Binding Update List that future
      Binding Updates SHOULD NOT be sent to this destination.

      Optionally, the mobile node MAY then take steps to correct the
      cause of the error and retransmit the Binding Update (with a new
      Sequence Number value), subject to the rate limiting restriction
      specified in Section 11.8.

   The treatment of a Binding Refresh Advice mobility option within the
   Binding Acknowledgement depends on the where the acknowledgement came
   from.  This option MUST be ignored if the acknowledgement came from a
   correspondent node.  If it came from the home agent, the mobile node
   uses Refresh Interval field in the option as a suggestion that it
   SHOULD attempt to refresh its home registration at the indicated
   shorter interval.

   If the acknowledgement came from the home agent, the mobile node
   examines the value of the Key Management Mobility Capability (K) bit.
   If this bit is not set, the mobile node SHOULD discard key management
   protocol connections, if any, to the home agent.  The mobile node MAY
   also initiate a new key management connection.

   If this bit is set, the mobile node SHOULD move its own endpoint in
   the key management protocol connections to the home agent, if any.
   The mobile node's new endpoint should be the new care-of address.
   For an IKE phase 1 connection, this means packets sent to this
   address with the original ISAKMP cookies are accepted.

11.7.4 Receiving Binding Refresh Requests

   When a mobile node receives a packet containing a Binding Refresh
   Request message, the mobile node has a Binding Update List entry for
   the source of the Binding Refresh Request, and the mobile node wants
   to retain its binding cache entry at the correspondent node, then the
   mobile node should start a return routability procedure.  If the
   mobile node wants to have its binding cache entry removed it can



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 136]


Internet-Draft          Mobility Support in IPv6           February 2003


   either ignore the Binding Refresh Request and wait for the binding to
   time out, or it can at any time delete its binding from a
   correspondent node with an explicit binding update with zero lifetime
   and the care-of address set to the home address.  If the mobile node
   does not know if it needs the binding cache entry, it can make the
   decision in an implementation dependent manner, such as based on
   available resources.

   Note that the mobile node should be careful to not respond to Binding
   Refresh Requests for addresses not in the Binding Update List to
   avoid being subjected to a denial of service attack.

   If the return routability procedure completes successfully, a Binding
   Update message SHOULD be sent as described in Section 11.7.2.  The
   Lifetime field in this Binding Update SHOULD be set to a new
   lifetime, extending any current lifetime remaining from a previous
   Binding Update sent to this node (as indicated in any existing
   Binding Update List entry for this node), and lifetime SHOULD again
   be less than or equal to the remaining lifetime of the home
   registration and the care-of address specified for the binding.  When
   sending this Binding Update, the mobile node MUST update its Binding
   Update List in the same way as for any other Binding Update sent by
   the mobile node.

11.8 Retransmissions and Rate Limiting

   The mobile node is responsible for retransmissions and rate limiting
   in the return routability and binding procedures and for solicited
   prefix discovery.

   When the mobile node sends a Mobile Prefix Solicitation, Home Test
   Init, Care-of Test Init or Binding Update for which it expects a
   response, the mobile node has to determine a value for the initial
   retransmission timer:

   o  If the mobile node is sending a Mobile Prefix Solicitation, it
      SHOULD use an initial retransmission interval of
      INITIAL_SOLICIT_TIMER (see Section 12).

   o  If the mobile node is sending a Binding Update and it does not
      have an existing binding at the home agent, it SHOULD use
      InitialBindackTimeoutFirstReg (see Section 13) as a value for the
      initial retransmission timer.  This long retransmission interval
      will allow the home agent to complete the Duplicate Address
      Detection procedure which is mandated in this case, as detailed in
      Section 11.7.1.

   o  Otherwise, the mobile node should use the specified value of



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 137]


Internet-Draft          Mobility Support in IPv6           February 2003


      INITIAL_BINDACK_TIMEOUT for the initial retransmission timer.

   If the mobile node fails to receive a valid, matching response within
   the selected initial retransmission interval, the mobile node SHOULD
   retransmit the message, until a response is received.

   The retransmissions by the mobile node MUST use an exponential
   back-off process, in which the timeout period is doubled upon each
   retransmission until either the node receives a response or the
   timeout period reaches the value MAX_BINDACK_TIMEOUT.  The mobile
   node MAY continue to send these messages at this slower rate
   indefinitely.

   The mobile node SHOULD start a separate back-off process for
   different message types, different home addresses and different
   care-of addresses.  However, in addition an overall rate limitation
   applies for messages sent to a particular correspondent node.  This
   ensures that the correspondent node has sufficient amount of time to
   answer when bindings for multiple home addresses are registered, for
   instance.  The mobile node MUST NOT send Mobility Header messages of
   a particular type to a particular correspondent node more than
   MAX_UPDATE_RATE times within a second.

   Retransmitted Binding Updates MUST use a Sequence Number value
   greater than that used for the previous transmission of this Binding
   Update.  Retransmitted Home Test Init and Care-of Test Init messages
   MUST use new cookie values.
























Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 138]


Internet-Draft          Mobility Support in IPv6           February 2003


12. Protocol Constants

    DHAAD_RETRIES                   4 retransmissions
    INITIAL_BINDACK_TIMEOUT         1 second
    INITIAL_DHAAD_TIMEOUT           3 seconds
    INITIAL_SOLICIT_TIMER           3 seconds
    MAX_BINDACK_TIMEOUT             32 seconds
    MAX_NONCE_LIFETIME              240 seconds
    MAX_TOKEN_LIFETIME              210 seconds
    MAX_RR_BINDING_LIFETIME         420 seconds
    MAX_UPDATE_RATE                 3 times
    PREFIX_ADV_RETRIES              3 retransmissions
    PREFIX_ADV_TIMEOUT              3 seconds






































Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 139]


Internet-Draft          Mobility Support in IPv6           February 2003


13. Protocol Configuration Variables

    MaxMobPfxAdvInterval            Default: 86,400 seconds
    MinDelayBetweenRAs              Default: 3 seconds,
                                    Min: 0.03 seconds
    MinMobPfxAdvInterval            Default: 600 seconds
    InitialBindackTimeoutFirstReg   Default: 1.5 seconds

   Home agents MUST allow the first three variables to be configured by
   system management, and mobile nodes MUST allow the last variable to
   be configured by system management.

   The default value for InitialBindackTimeoutFirstReg has been
   calculated as 1.5 times the default value of RetransTimer [12] times
   the default value of DupAddrDetectTransmits [13].

   The value MinDelayBetweenRAs overrides the value of the protocol
   constant MIN_DELAY_BETWEEN_RAS, as specified in RFC 2461 [12].  This
   variable SHOULD be set to MinRtrAdvInterval, if MinRtrAdvInterval is
   less than 3 seconds.































Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 140]


Internet-Draft          Mobility Support in IPv6           February 2003


14. IANA Considerations

   This document defines a new IPv6 protocol, the Mobility Header,
   described in Section 6.1.  This protocol must be assigned a protocol
   number.

   This document also creates a new name space "Mobility Header Type",
   for the MH Type field in the Mobility Header.  The current message
   types are described starting from Section 6.1.2, and are the
   following:

      0  Binding Refresh Request

      1  Home Test Init

      2  Care-of Test Init

      3  Home Test

      4  Care-of Test

      5  Binding Update

      6  Binding Acknowledgement

      7  Binding Error

   Future values of the MH Type can be allocated using standards action
   [10].

   Furthermore, each mobility message may contain mobility options as
   described in Section 6.2.  This document defines a new name space
   "Mobility Option" to identify these options.  The current mobility
   options are defined starting from Section 6.2.2 and are the
   following:

      0  Pad1

      1  PadN

      2  Binding Refresh Advice

      3  Alternate Care-of Address

      4  Nonce Indices






Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 141]


Internet-Draft          Mobility Support in IPv6           February 2003


      5  Authorization Data

   Future values of the Option Type can be allocated using standards
   action [10].

   This document also defines a new IPv6 destination option, the Home
   Address option, described in Section 6.3.  This option has already
   been assigned the Option Type value 0xC9.

   This document also defines a new IPv6 type 2 routing header,
   described in Section 6.4.  The value 2 is to be allocated by IANA
   when this specification becomes an RFC.

   In addition, this document defines four ICMP message types, two used
   as part of the dynamic home agent address discovery mechanism and two
   used in lieu of Router Solicitations and Advertisements when the
   mobile node is away from the home link.  These messages must be
   assigned ICMPv6 type numbers from the informational message range:

   o  The Home Agent Address Discovery Request message, described in
      Section 6.5;

   o  The Home Agent Address Discovery Reply message, described in
      Section 6.6;

   o  The Mobile Prefix Solicitation, described in Section 6.7; and

   o  The Mobile Prefix Advertisement, described in Section 6.8.

   This document also defines two new Neighbor Discovery [12] options,
   which must be assigned Option Type values within the option numbering
   space for Neighbor Discovery messages:

   o  The Advertisement Interval option, described in Section 7.3; and

   o  The Home Agent Information option, described in Section 7.4.















Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 142]


Internet-Draft          Mobility Support in IPv6           February 2003


15. Security Considerations

15.1 Threats

   Any mobility solution must protect itself against misuses of the
   mobility features and mechanisms.  In Mobile IPv6, most of the
   potential threats are concerned with false Bindings, usually
   resulting in Denial-of-Service attacks.  Some of the threats also
   pose potential for Man-in-the-Middle, Hijacking, Confidentiality, and
   Impersonation attacks.  The main threats this protocol protects
   against are the following:

   o  Threats involving Binding Updates sent to home agents and
      correspondent nodes.  For instance, an attacker might claim that a
      certain mobile node is currently at a different location than it
      really is.  If a home agent accepts such spoofed information sent
      to it, the mobile node might not get traffic destined to it.
      Similarly, a malicious (mobile) node might use the home address of
      a victim node in a forged Binding Update sent to a correspondent
      node.

      These pose threats against confidentiality, integrity, and
      availability.  That is, an attacker might learn the contents of
      packets destined to another node by redirecting the traffic to
      itself.  Furthermore, an attacker might use the redirected packets
      in an attempt to set itself as a Man-in-the-Middle between a
      mobile and a correspondent node.  This would allow the attacker to
      impersonate the mobile node, leading to integrity and availability
      problems.  A malicious (mobile) node might also send Binding
      Updates in which the care-of address is set to the address of a
      victim node.  If such Binding Updates were accepted, the malicious
      node could lure the correspondent node into sending potentially
      large amounts of data to the victim; the correspondent node's
      replies to messages sent by the malicious mobile node will be sent
      to the victim host or network.  This could be used to cause a
      Distributed Denial-of-Service attack.  For example, the
      correspondent node might be a site that will send a high-bandwidth
      stream of video to anyone who asks for it.  Note that the use of
      flow-control protocols such as TCP does not necessarily defend
      against this type of attack, because the attacker can fake the
      acknowledgements.  Even keeping TCP initial sequence numbers
      secret doesn't help, because the attacker can receive the first
      few segments (including the ISN) at its own address, and only then
      redirect the stream to the victim's address.  These types of
      attacks may also be directed to networks instead of nodes.
      Further variations of this threat are described elsewhere
      [27, 32].  An attacker might also attempt to disrupt a mobile
      node's communications by replaying a Binding Update that the node



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 143]


Internet-Draft          Mobility Support in IPv6           February 2003


      had sent earlier.  If the old Binding Update was accepted, packets
      destined for the mobile node would be sent to its old location and
      not its current location.  In conclusion, there are
      Denial-of-Service, Man-in-the-Middle, Confidentiality, and
      Impersonation threats against the parties involved in sending
      legitimate Binding Updates, and Denial-of-Service threats against
      any other party.

   o  Threats associated with payload packets: Payload packets exchanged
      with mobile nodes are exposed to similar threats as regular IPv6
      traffic is.  However, Mobile IPv6 introduces the Home Address
      destination option, a new routing header type (type 2), and uses
      tunneling headers in the payload packets.  The protocol must
      protect against potential new threats involving the use of these
      mechanisms.

      Third parties become exposed to a reflection threat via the Home
      Address destination option, unless appropriate security
      precautions are followed.  The Home Address destination option
      could be used to direct response traffic toward a node whose IP
      address appears in the option.  In this case, ingress filtering
      would not catch the forged "return address" [34, 30].  A similar
      threat exists with the tunnels between the mobile node and the
      home agent.  An attacker might forge tunnel packets between the
      mobile node and the home agent, making it appear that the traffic
      is coming from the mobile node when it is not.  Note that an
      attacker who is able to forge tunnel packets would typically be
      able forge also packets that appear to come directly from the
      mobile node.  This is not a new threat as such.  However, it may
      make it easier for attackers to escape detection by avoiding
      ingress filtering and packet tracing mechanisms.  Furthermore,
      spoofed tunnel packets might be used to gain access to the home
      network.  Finally, a routing header could also be used in
      reflection attacks, and in attacks designed to bypass firewalls.
      The generality of the regular routing header would allow
      circumvention of IP-address based rules in firewalls.  It would
      also allow reflection of traffic to other nodes.  These threats
      exist with routing headers in general, even if the usage that
      Mobile IPv6 requires is safe.

   o  Threats associated with dynamic home agent and prefix discovery.

   o  Threats against the Mobile IPv6 security mechanisms themselves: An
      attacker might, for instance, lure the participants into executing
      expensive cryptographic operations or allocating memory for the
      purpose of keeping state.  The victim node would have no resources
      left to handle other tasks.




Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 144]


Internet-Draft          Mobility Support in IPv6           February 2003


   As a fundamental service in an IPv6 stack, Mobile IPv6 is expected to
   be deployed in most nodes of the IPv6 Internet.  The above threats
   should therefore be considered in the light of being applicable to
   the whole Internet.

   It should also be noted that some additional threats result from
   movements as such, even without the involvement of mobility
   protocols.  Mobile nodes must be capable to defend themselves in the
   networks that they visit, as typical perimeter defenses applied in
   the home network no longer protect them.

15.2 Features

   This specification provides a series of features designed to mitigate
   the risk introduced by the threats listed above.  The main security
   features are the following:

   o  Reverse Tunneling as a mandatory feature.

   o  Protection of Binding Updates sent to home agents.

   o  Protection of Binding Updates sent to correspondent nodes.

   o  Protection against reflection attacks that use the Home Address
      destination option.

   o  Protection of tunnels between the mobile node and the home agent.

   o  Closing routing header vulnerabilities.

   o  Mitigating Denial-of-Service threats to the Mobile IPv6 security
      mechanisms themselves.

   The support for encrypted reverse tunneling (see Section 11.3.1)
   allows mobile nodes to defeat certain kinds of traffic analysis.

   Protecting those Binding Updates that are sent to home agents and
   those that are sent to arbitrary correspondent nodes requires very
   different security solutions due to the different situations.  Mobile
   nodes and home agents are expected to be naturally subject to the
   network administration of the home domain.

   Thus, they can and are supposed to have a security association that
   can be used to reliably authenticate the exchanged messages.  See
   Section 5.1 for the description of the protocol mechanisms, and
   Section 15.3 below for a discussion of the resulting level of
   security.




Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 145]


Internet-Draft          Mobility Support in IPv6           February 2003


   It is expected that Mobile IPv6 route optimization will be used on a
   global basis between nodes belonging to different administrative
   domains.  It would be a very demanding task to build an
   authentication infrastructure on this scale.  Furthermore, a
   traditional authentication infrastructure cannot be easily used to
   authenticate IP addresses, because IP addresses can change often.  It
   is not sufficient to just authenticate the mobile nodes.
   Authorization to claim the right to use an address is needed as well.
   Thus, an "infrastructureless" approach is necessary.  The chosen
   infrastructureless method is described in Section 5.2 and Section
   15.4 discusses the resulting security level and the design rationale
   of this approach.

   Specific rules guide the use of the Home Address destination option,
   the routing header, and the tunneling headers in the payload packets.
   These rules are necessary to remove the vulnerabilities associated
   with their unrestricted use.  The effect of the rules is discussed in
   Section 15.7, Section 15.8, and Section 15.9.

   Denial-of-Service threats against Mobile IPv6 security mechanisms
   themselves concern mainly the Binding Update procedures with
   correspondent nodes.  The protocol has been designed to limit the
   effects of such attacks, as will be described in Section 15.4.5.

15.3 Binding Updates to Home Agent

   Signaling between the mobile node and the home agent requires message
   integrity, correct ordering and replay protection.  This is necessary
   to assure the home agent that a Binding Update is from a legitimate
   mobile node.

   IPsec ESP protects the integrity of the Binding Updates and Binding
   Acknowledgements, by securing mobility messages between the mobile
   node and the home agent.

   However, IPsec can easily provide replay protection only if dynamic
   security association establishment is used.  IPsec also does not
   guarantee correct ordering of packets, only that they have not been
   replayed.  Because of this, sequence numbers with the Mobile IPv6
   messages ensure correct ordering (see Section 5.1).  However, if a
   home agent reboots and loses its state regarding the sequence
   numbers, replay attacks become possible.  The use of a key management
   mechanism together with IPsec can be used to prevent such replay
   attacks.

   A sliding window scheme is used for the sequence numbers.  The
   protection against replays and reordering attacks without a key
   management mechanism works when the attacker remembers up to a



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 146]


Internet-Draft          Mobility Support in IPv6           February 2003


   maximum of 2**15 Binding Updates.

   The above mechanisms do not show that the care-of address given in
   the Binding Update is correct.  This opens the possibility for
   Denial-of-Service attacks against third parties.  However, since the
   mobile node and home agent have a security association, the home
   agent can always identify an ill-behaving mobile node.  This allows
   the home agent operator to discontinue the mobile node's service, and
   possibly take further actions based on the business relationship with
   the mobile node's owner.

   Note that the use of a single pair of manually keyed security
   associations conflicts with the generation of a new home addresses
   [18] for the mobile node, or with the adoption of a new home subnet
   prefix.  This is because IPsec security associations are bound to the
   used addresses.  While certificate-based automatic keying alleviates
   this problem to an extent, it is still necessary to ensure that a
   given mobile node cannot send Binding Updates for the address of
   another mobile node.  In general, this leads to the inclusion of home
   addresses in certificates in the Subject AltName field.  This again
   limits the introduction of new addresses without either manual or
   automatic procedures to establish new certificates.  Therefore, this
   specification restricts the generation of new home addresses (for any
   reason) to those situations where there already exists a security
   association or certificate for the new address.  (Appendix B.4 lists
   the improvement of security for new addresses as one of the future
   developments for Mobile IPv6.)

15.4 Binding Updates to Correspondent Nodes

15.4.1 Overview

   The motivation for designing the return routability procedure was to
   have sufficient support for Mobile IPv6, without creating significant
   new security problems.  The goal for this procedure was not to
   protect against attacks that were already possible before the
   introduction of Mobile IPv6.

   The chosen infrastructureless method verifies that the mobile node is
   "live" (that is, it responds to probes) at its home and care-of
   addresses.  Section 5.2 describes the return routability procedure in
   detail.  The procedure uses the following principles:

   o  A message exchange verifies that the mobile node is reachable at
      its addresses i.e.  is at least able to transmit and receive
      traffic at both the home and care-of addresses.

   o  The eventual Binding Update is cryptographically bound to the



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 147]


Internet-Draft          Mobility Support in IPv6           February 2003


      tokens supplied in the exchanged messages.

   o  Symmetric exchanges are employed to avoid the use of this protocol
      in reflection attacks.  In a symmetric exchange, the responses are
      always sent to the same address as the request was sent from.

   o  The correspondent node operates in a stateless manner until it
      receives a fully authorized Binding Update.

   o  Some additional protection is provided by encrypting the tunnels
      between the mobile node and home agent with IPsec ESP.  As the
      tunnel transports also the nonce exchanges, this limits the
      ability of attackers to see these nonces.  For instance, this
      prevents attacks launched from the mobile node's current foreign
      link where no link-layer confidentiality is available.

      The resulting level of security is in theory the same even without
      this additional protection: the return routability tokens are
      still exposed only to one path within the whole Internet.
      However, the mobile nodes are often found on an insecure link,
      such as a public access Wireless LAN.  Thus this addition makes a
      practical difference in many cases.

   For further information about the design rationale of the return
   routability procedure, see [27, 32, 31, 30].  The used mechanisms
   have been adopted from these documents.

15.4.2 Achieved Security Properties

   The return routability procedure protects Binding Updates against all
   attackers who are unable to monitor the path between the home agent
   and the correspondent node.  The procedure does not defend against
   attackers who can monitor this path.  Note that such attackers are in
   any case able to mount an active attack against the mobile node when
   it is at its home location.  The possibility of such attacks is not
   an impediment to the deployment of Mobile IPv6, because these attacks
   are possible regardless of whether Mobile IPv6 is in use.

   This procedure also protects against Denial-of-Service attacks in
   which the attacker pretends to be a mobile, but uses the victim's
   address as the care-of address.  This would cause the correspondent
   node to send the victim some unexpected traffic.  The procedure
   defends against these attacks by requiring at least passive presence
   of the attacker at the care-of address or on the path from the
   correspondent to the care-of address.  Normally, this will be the
   mobile node.





Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 148]


Internet-Draft          Mobility Support in IPv6           February 2003


15.4.3 Comparison to Regular IPv6 Communications

   This section discusses the protection offered by the return
   routability method by comparing it to the security of regular IPv6
   communications.  We will divide vulnerabilities in three classes: (1)
   those related to attackers on the local network of the mobile node,
   home agent, or the correspondent node, (2) those related to attackers
   on the path between the home network and the correspondent node, and
   (3) off-path attackers, i.e.  the rest of the Internet.

   We will now discuss the vulnerabilities of regular IPv6
   communications.  The on-link vulnerabilities of IPv6 communications
   include Denial-of-Service, Masquerading, Man-in-the-Middle,
   Eavesdropping, and other attacks.  These attacks can be launched
   through spoofing Router Discovery, Neighbor Discovery and other IPv6
   mechanisms.  Some of these attacks can be prevented with the use of
   cryptographic protection in the packets.

   A similar situation exists with on-path attackers.  That is, without
   cryptographic protection the traffic is completely vulnerable.

   Assuming that attackers have not penetrated the security of the
   Internet routing protocols, attacks are much harder to launch from
   off-path locations.  Attacks that can be launched from these
   locations are mainly Denial-of-Service attacks, such as flooding and/
   or reflection attacks.  It is not possible for an off-path attacker
   to become a Man-in-the-Middle.

   Next, we will consider the vulnerabilities that exist when IPv6 is
   used together with Mobile IPv6 and the return routability procedure.
   On the local link the vulnerabilities are same as those as in IPv6,
   but Masquerade and Man-in-the-Middle attacks can now be launched also
   against future communications, and not just against current
   communications.  If a Binding Update was sent while the attacker was
   present on the link, its effects stay during the lifetime of the
   binding.  This happens even if the attacker moves away from the link.
   In contrast, an attacker who uses only plain IPv6 generally has to be
   stay on the link in order to continue the attack.  Note that in order
   to launch these new attacks, the IP address of the victim must be
   known.  This makes this attack feasible mainly in the context of
   well-known interface IDs, such as those already appearing in the
   traffic on the link or registered in the DNS.

   On-path attackers can exploit similar vulnerabilities as in regular
   IPv6.  There are some minor differences, however.  Masquerade,
   Man-in-the-Middle, and Denial-of-Service attacks can be launched with
   just the interception of a few packets, whereas in regular IPv6 it is
   necessary to intercept every packet.  The effect of the attacks is



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 149]


Internet-Draft          Mobility Support in IPv6           February 2003


   the same regardless of the method, however.  In any case, the most
   difficult task attacker faces in these attacks is getting on the
   right path.

   The vulnerabilities for off-path attackers are the same as in regular
   IPv6.  Those nodes that are not on the path between the home agent
   and the correspondent node will not be able to receive the home
   address probe messages.

   In conclusion, we can state the following main results from this
   comparison:

   o  Return routability procedure prevents any off-path attacks beyond
      those that are already possible in regular IPv6.  This is the most
      important result, and prevents attackers from the Internet from
      exploiting any vulnerabilities.

   o  Vulnerabilities to attackers on the home agent link, the
      correspondent node link, and the path between them are roughly the
      same as in regular IPv6.

   o  However, one difference is that in basic IPv6 an on-path attacker
      must be constantly present on the link or the path, whereas with
      Mobile IPv6 an attacker can leave a binding behind after moving
      away.

      For this reason, this specification limits the creation of
      bindings to at most MAX_TOKEN_LIFETIME seconds after the last
      routability check has been performed, and limits the duration of a
      binding to at most MAX_RR_BINDING_LIFETIME seconds.  With these
      limitation, attackers cannot take practical advantages of this
      vulnerability.  This limited vulnerability can also be compared to
      similar vulnerabilities in IPv6 Neighbor Discovery, with Neighbor
      Cache entries having a limited lifetime.

   o  There are some other minor differences, such as an effect to the
      Denial-of-Service vulnerabilities.  These can be considered to be
      insignificant.

   o  The path between the home agent and a correspondent node is
      typically easiest to attack on the links at either end, in
      particular if these links are publicly accessible wireless LANs.
      Attacks against the routers or switches on the path are typically
      harder to accomplish.  The security on layer 2 of the links plays
      then a major role in the resulting overall network security.
      Similarly, security of IPv6 Neighbor and Router Discovery on these
      links has a large impact.  If these were secured using some new
      technology in the future, this could change the situation



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 150]


Internet-Draft          Mobility Support in IPv6           February 2003


      regarding the easiest point of attack.

   For a more in-depth discussion of these issues, see [30].

15.4.4 Replay Attacks

   The return routability procedure also protects the participants
   against replayed Binding Updates.  The attacker is unable replay the
   same message due to the sequence number which is a part of the
   Binding Update.  It is also unable to modify the Binding Update since
   the MAC verification would fail after such a modification.

   Care must be taken when removing bindings at the correspondent node,
   however.  If a binding is removed while the nonce used in its
   creation is still valid, an attacker could replay the old Binding
   Update.  Rules outlined in Section 5.2.8 ensure that this cannot
   happen.

15.4.5 Denial-of-Service Attacks

   The return routability procedure has protection against resource
   exhaustion Denial-of-Service attacks.  The correspondent nodes do not
   retain any state about individual mobile nodes until an authentic
   Binding Update arrives.  This is achieved through the construct of
   keygen tokens from the nonces and node keys that are not specific to
   individual mobile nodes.  The keygen tokens can be reconstructed by
   the correspondent node, based on the home and care-of address
   information that arrives with the Binding Update.  This means that
   the correspondent nodes are safe against memory exhaustion attacks
   except where on-path attackers are concerned.  Due to the use of
   symmetric cryptography, the correspondent nodes are relatively safe
   against CPU resource exhaustion attacks as well.

   Nevertheless, as [27] describes, there are situations in which it is
   impossible for the mobile and correspondent nodes to determine if
   they actually need a binding or whether they just have been fooled
   into believing so by an attacker.  Therefore, it is necessary to
   consider situations where such attacks are being made.

   Even if route optimization is a very important optimization, it is
   still only an optimization.  A mobile node can communicate with a
   correspondent node even if the correspondent refuses to accept any
   Binding Updates.  However, performance will suffer because packets
   from the correspondent node to the mobile node will be routed via the
   mobile's home agent rather than a more direct route.  A correspondent
   node can protect itself against some of these resource exhaustion
   attacks as follows.  If the correspondent node is flooded with a
   large number of Binding Updates that fail the cryptographic integrity



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 151]


Internet-Draft          Mobility Support in IPv6           February 2003


   checks, it can stop processing Binding Updates.  If a correspondent
   node finds that it is spending more resources on checking bogus
   Binding Updates than it is likely to save by accepting genuine
   Binding Updates, then it may silently discard some or all Binding
   Updates without performing any cryptographic operations.

   Layers above IP can usually provide additional information to decide
   if there is a need to establish a binding with a specific peer.  For
   example, TCP knows if the node has a queue of data that it is trying
   to send to a peer.  An implementation of this specification is not
   required to make use of information from higher protocol layers, but
   some implementations are likely to be able to manage resources more
   effectively by making use of such information.

   We also require that all implementations be capable of
   administratively disabling route optimization.

15.4.6 Key Lengths

   While the return routability procedure is in progress, 64 bit cookies
   are used to protect spoofed responses.  This is believed to be
   sufficient, given that to blindly spoof a response a very large
   number of messages would have to be sent before success would be
   probable.

   The tokens used in the return routability procedure provide together
   128 bits of information.  This information is used internally as an
   input to a hash function to produce a 160 bit quantity suitable for
   producing the keyed hash in the Binding Update using the HMAC_SHA1
   algorithm.  The final keyed hash length is 96 bits.  The limiting
   factors in this case are the input token lengths and the final keyed
   hash length.  The internal hash function application does not reduce
   the entropy.

   The 96 bit final keyed hash is of typical size and believed to be
   secure.  The 128 bit input from the tokens is broken in two pieces,
   the home keygen token and the care-of keygen token.  An attacker can
   try to guess the right cookie value, but again this would require a
   large number of messages, in the average 2**63 messages for one or
   2**127 for two.  Furthermore, given that the cookies are valid only
   for a short period of time, the attack has to keep a high constant
   message rate to achieve a lasting effect.  This does not appear
   practical.

   When the mobile node is returning home, it is allowed to use just the
   home keygen token of 64 bits.  This is less than 128 bits, but
   attacking it blindly would still require a large number of messages
   to be sent.  If the attacker is on the path and capable of seeing the



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 152]


Internet-Draft          Mobility Support in IPv6           February 2003


   Binding Update, it could conceivably break the keyed hash with brute
   force.  However, in this case the attacker has to be on path, which
   appears to offer easier ways for denial-of-service than preventing
   route optimization.

15.5 Dynamic Home Agent Address Discovery

   The dynamic home agent address discovery function could be used to
   learn the addresses of home agents in the home network.

   The ability to learn addresses of nodes may be useful to attackers,
   because brute-force scanning of the address space is not practical
   with IPv6.  Thus, they could benefit from any means which make
   mapping the networks easier.  For example, if a security threat
   targeted at routers or even home agents is discovered, having a
   simple ICMP mechanism to find out possible targets easily may prove
   to be an additional (though minor) security risk.

   Apart from discovering the address(es) of home agents, attackers will
   not be able to learn much from this information, however, and mobile
   nodes cannot be tricked into using wrong home agents as all other
   communication with the home agents is secure.

15.6 Prefix Discovery

   The prefix discovery function may leak interesting information about
   network topology and prefix lifetimes to eavesdroppers, and for this
   reason requests for this information have to be authenticated.
   Responses and unsolicited prefix information needs to be
   authenticated to prevent the mobile nodes from being tricked into
   believing false information about the prefixes, and possibly
   preventing communications with the existing addresses.  Optionally,
   encryption may be applied to prevent leakage of the prefix
   information.

15.7 Tunneling via the Home Agent

   Tunnels between the mobile node and the home agent can be protected
   by ensuring proper use of source addresses, and optional
   cryptographic protection.  These procedures are discussed in Section
   5.5.

   Binding Updates to the home agents are secure.  When receiving
   tunneled traffic the home agent verifies the outer IP address
   corresponds to the current location of the mobile node.  This
   prevents attacks where the attacker is controlled by ingress
   filtering.  It also prevents attacks when the attacker does not know
   the current care-of address of the mobile node.  Attackers who know



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 153]


Internet-Draft          Mobility Support in IPv6           February 2003


   the care-of address and are not controlled by ingress filtering could
   still send traffic through the home agent.  This includes attackers
   on the same local link as the mobile node is currently on.  But such
   attackers could also send spoofed packets without using a tunnel.

   Home agents and mobile nodes may use IPsec ESP to protect payload
   packets tunneled between themselves.  This is useful to protect
   communications against attackers on the path of the tunnel.

   When site local home address are used, reverse tunneling can be used
   to send site local traffic from another location.  Administrators
   should be aware of this when allowing such home addresses.  In
   particular, the outer IP address check described above is not
   sufficient against all attackers.  The use of encrypted tunnels is
   particularly useful for this kind of home addresses.

15.8 Home Address Option

   When the mobile node sends packets directly to the correspondent
   node, the Source Address field of the packet's IPv6 header is the
   care-of address.  Ingress filtering [26] works therefore in the usual
   manner even for mobile nodes, as the Source Address is topologically
   correct.  The Home Address option is used to inform the correspondent
   node of the mobile node's home address.

   However, the care-of address in the Source Address field does not
   survive in replies sent by the correspondent node unless it has a
   binding for this mobile node.  Also, not all attacker tracing
   mechanisms work when packets are being reflected through
   correspondent nodes using the Home Address option.  For these
   reasons, this specification restricts the use of the Home Address
   option.  It may only used when a binding has already been established
   with the participation of the node at the home address, as described
   in Section 5.5 and Section 6.3.  This prevents reflection attacks
   through the use of the Home Address option.  It also ensures that the
   correspondent nodes reply to the same address as the mobile node
   sends traffic from.

   No special authentication of the Home Address option is required
   beyond the above, except that if the IPv6 header of a packet is
   covered by authentication, then that authentication MUST also cover
   the Home Address option; this coverage is achieved automatically by
   the definition of the Option Type code for the Home Address option
   (Section 6.3), since it indicates that the option is included in the
   authentication computation.  Thus, even when authentication is used
   in the IPv6 header, the security of the Source Address field in the
   IPv6 header is not compromised by the presence of a Home Address
   option.  Without authentication of the packet, then any field in the



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 154]


Internet-Draft          Mobility Support in IPv6           February 2003


   IPv6 header, including the Source Address field, and any other parts
   of the packet, including the Home Address option, can be forged or
   modified in transit.  In this case, the contents of the Home Address
   option is no more suspect than any other part of the packet.

15.9 Type 2 Routing Header

   The definition of the type 2 routing header is described in Section
   6.4.  This definition and the associated processing rules have been
   chosen so that the header cannot be used for what is traditionally
   viewed as source routing.  In particular, the Home Address in the
   routing header will always have to be assigned to the home address of
   the receiving node.  Otherwise the packet will be dropped.

   Generally, source routing has a number of security concerns.  These
   include the automatic reversal of unauthenticated source routes
   (which is an issue for IPv4, but not for IPv6).  Another concern is
   the ability to use source routing to "jump" between nodes inside, as
   well as outside a firewall.  These security concerns are not issues
   in Mobile IPv6, due to the rules mentioned above.

   In essence the semantics of the type 2 routing header is the same as
   a special form of IP-in-IP tunneling where the inner and outer source
   addresses are the same.

   This implies that a device which implements filtering of packets
   should be able to distinguish between a type 2 routing header and
   other routing headers, as required in Section 8.3.  This is necessary
   in order to allow Mobile IPv6 traffic while still having the option
   to filter out other uses of routing headers.





















Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 155]


Internet-Draft          Mobility Support in IPv6           February 2003


16. Contributors

   Tuomas Aura, Mike Roe, Greg O'Shea, Pekka Nikander, Erik Nordmark,
   and Michael Thomas worked on the return routability protocols which
   eventually led to the procedures used in this protocol.  The
   procedures described in [32] were adopted in the protocol.

   Significant contributions were made by members of the Mobile IPv6
   Security Design Team, including (in alphabetical order) Gabriel
   Montenegro, Erik Nordmark and Pekka Nikander, who have contributed
   volumes of text to this specification.








































Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 156]


Internet-Draft          Mobility Support in IPv6           February 2003


17. Acknowledgements

   We would like to thank the members of the Mobile IP and IPng Working
   Groups for their comments and suggestions on this work.  We would
   particularly like to thank (in alphabetical order) Fred Baker, Josh
   Broch, Samita Chakrabarti, Robert Chalmers, Noel Chiappa, Greg Daley,
   Vijay Devarapalli, Rich Draves, Francis Dupont, Thomas Eklund,
   Jun-Ichiro Itojun Hagino, Brian Haley, Marc Hasson, John Ioannidis,
   James Kempf, Rajeev Koodli, Krishna Kumar, T.J.  Kniveton, Joe Lau,
   Jiwoong Lee, Aime Le Rouzic, Vesa-Matti Mantyla, Kevin Miles, Glenn
   Morrow, Thomas Narten, Karen Nielsen, Simon Nybroe, David Oran, Brett
   Pentland, Lars Henrik Petander, Basavaraj Patil, Mohan Parthasarathy,
   Alexandru Petrescu, Mattias Petterson, Ken Powell, Phil Roberts, Ed
   Remmell, Patrice Romand, Jeff Schiller, Pekka Savola, Arvind
   Sevalkar, Keiichi Shima, Tom Soderlund, Hesham Soliman, Jim Solomon,
   Tapio Suihko, Dave Thaler, Benny Van Houdt, Jon-Olov Vatn, Carl E.
   Williams, Vladislav Yasevich, Alper Yegin, and Xinhua Zhao, for their
   detailed reviews of earlier versions of this document.  Their
   suggestions have helped to improve both the design and presentation
   of the protocol.

   We would also like to thank the participants in the Mobile IPv6
   testing event held at Nancy, France, September 15-17, 1999, for their
   valuable feedback as a result of interoperability testing of four
   Mobile IPv6 implementations.  Further, we would like to thank the
   feedback from the implementors who participated in the Mobile IPv6
   interoperability testing at Connectathons 2000, 2001, and 2002 in San
   Jose, California.  Similarly, we would like to thank the participants
   at the ETSI interoperability testing at ETSI, in Sophia Antipolis,
   France, during October 2-6, 2000.





















Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 157]


Internet-Draft          Mobility Support in IPv6           February 2003


Normative References

   [1]   Eastlake, D., Crocker, S. and J. Schiller, "Randomness
         Recommendations for Security", RFC 1750, December 1994.

   [2]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March 1997.

   [3]   Hinden, R. and S. Deering, "IP Version 6 Addressing
         Architecture", RFC 2373, July 1998.

   [4]   Kent, S. and R. Atkinson, "Security Architecture for the
         Internet Protocol", RFC 2401, November 1998.

   [5]   Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402,
         November 1998.

   [6]   Kent, S. and R. Atkinson, "IP Encapsulating Security Payload
         (ESP)", RFC 2406, November 1998.

   [7]   Piper, D., "The Internet IP Security Domain of Interpretation
         for ISAKMP", RFC 2407, November 1998.

   [8]   Maughan, D., Schertler, M., Schneider, M. and J. Turner,
         "Internet Security Association and Key Management Protocol
         (ISAKMP)", RFC 2408, November 1998.

   [9]   Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
         RFC 2409, November 1998.

   [10]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
         Considerations Section in RFCs", BCP 26, RFC 2434, October
         1998.

   [11]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
         Specification", RFC 2460, December 1998.

   [12]  Narten, T., Nordmark, E. and W. Simpson, "Neighbor Discovery
         for IP Version 6 (IPv6)", RFC 2461, December 1998.

   [13]  Thomson, S. and T. Narten, "IPv6 Stateless Address
         Autoconfiguration", RFC 2462, December 1998.

   [14]  Conta, A. and S. Deering, "Internet Control Message Protocol
         (ICMPv6) for the Internet Protocol Version 6 (IPv6)
         Specification", RFC 2463, December 1998.

   [15]  Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 158]


Internet-Draft          Mobility Support in IPv6           February 2003


         Specification", RFC 2473, December 1998.

   [16]  Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast
         Addresses", RFC 2526, March 1999.

   [17]  Deering, S., Fenner, W. and B. Haberman, "Multicast Listener
         Discovery (MLD) for IPv6", RFC 2710, October 1999.

   [18]  Narten, T. and R. Draves, "Privacy Extensions for Stateless
         Address Autoconfiguration in IPv6", RFC 3041, January 2001.

   [19]  Reynolds, J., "Assigned Numbers: RFC 1700 is Replaced by an
         On-line Database", RFC 3232, January 2002.

   [20]  National Institute of Standards and Technology, "Secure Hash
         Standard", FIPS PUB 180-1, April 1995, <http://
         www.itl.nist.gov/fipspubs/fip180-1.htm>.

   [21]  Arkko, J., Devarapalli, V. and F. Dupont, "Using IPsec to
         Protect Mobile IPv6 Signaling betweenMobile Nodes and  Home
         Agents", draft-ietf-mobileip-mipv6-ha-ipsec-03 (work in
         progress), February 2003.





























Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 159]


Internet-Draft          Mobility Support in IPv6           February 2003


Informative References

   [22]  Perkins, C., "IP Mobility Support", RFC 2002, October 1996.

   [23]  Perkins, C., "IP Encapsulation within IP", RFC 2003, October
         1996.

   [24]  Perkins, C., "Minimal Encapsulation within IP", RFC 2004,
         October 1996.

   [25]  Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing
         for Message Authentication", RFC 2104, February 1997.

   [26]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
         Defeating Denial of Service Attacks which employ IP Source
         Address Spoofing", RFC 2267, January 1998.

   [27]  Aura, T. and J. Arkko, "MIPv6 BU Attacks and Defenses",
         draft-aura-mipv6-bu-attacks-01 (work in progress), March 2002.

   [28]  Droms, R., "Dynamic Host Configuration Protocol for IPv6
         (DHCPv6)", draft-ietf-dhc-dhcpv6-28 (work in progress),
         November 2002.

   [29]  Draves, R., "Default Address Selection for IPv6",
         draft-ietf-ipv6-default-addr-select-09 (work in progress),
         August 2002.

   [30]  Nikander, P., Nordmark, E., Montenegro, G. and J. Arkko,
         "Mobile IPv6 Security Design Rationale",
         draft-nikander-mipv6-design-rationale-00.txt (work in
         progress), February 2003.

   [31]  Nordmark, E., "Securing MIPv6 BUs using return routability
         (BU3WAY)", draft-nordmark-mobileip-bu3way-00 (work in
         progress), November 2001.

   [32]  Roe, M., Aura, T., O'Shea, G. and J. Arkko, "Authentication of
         Mobile IPv6 Binding Updates and Acknowledgments",
         draft-roe-mobileip-updateauth-02 (work in progress), March
         2002.

   [33]  Savola, P., "Use of /127 Prefix Length Between Routers
         Considered Harmful", draft-savola-ipv6-127-prefixlen-04 (work
         in progress), June 2002.

   [34]  Savola, P., "Security of IPv6 Routing Header and Home Address
         Options", draft-savola-ipv6-rh-ha-security-03 (work in



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 160]


Internet-Draft          Mobility Support in IPv6           February 2003


         progress), December 2002.

   [35]  Vida, R. and L. Costa, "Multicast Listener Discovery Version 2
         (MLDv2) for IPv6", draft-vida-mld-v2-06 (work in progress),
         December 2002.


Authors' Addresses

   David B. Johnson
   Rice University
   Dept. of Computer Science, MS 132
   6100 Main Street
   Houston  TX 77005-1892
   USA

   EMail: dbj@cs.rice.edu


   Charles E. Perkins
   Nokia Research Center
   313 Fairchild Drive
   Mountain View  CA 94043
   USA

   EMail: charliep@iprg.nokia.com


   Jari Arkko
   Ericsson
   Jorvas  02420
   Finland

   EMail: jari.arkko@ericsson.com

















Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 161]


Internet-Draft          Mobility Support in IPv6           February 2003


Appendix A. Changes from Previous Version of the Draft

   This appendix briefly lists some of the major changes in this draft
   relative to the previous version of this same draft,
   draft-ietf-mobileip-ipv6-20.txt:

   o  The lifetime of a binding on a correspondent is now limited to the
      lifetime of the home registration, not the lifetime of the home
      address (tracked issue 261).

   o  This specification no longer requires site-local forwarding to be
      configurable (tracked issue 258).

   o  Infinite binding lifetimes have been removed (tracked issue 256).

   o  This specification now disallows the use of the Binding
      Authorization Data option in a home registration, and requires
      Binding Updates the home agent with such options to be dropped
      (tracked issue 255).

   o  The verification of Home Address Options without an existing
      Binding Cache entry has been clarified.  IPsec is now sufficient
      for this verification only in the case of the home agent and a
      home address which the home agent is willing to serve (tracked
      issue 253).

   o  Appendix B.6 now describes some potential Neighbor Discovery
      enhancements that may be relevant for Mobile IPv6 in the future
      (tracked issue 252).

   o  The Home Address Option rule has been clarified in Section 11.7.2.
      This rule deals with starting route optimization when a tunneled
      packet has been received (tracked issue 251).

   o  Binding Cache entries can now be created from non-error ICMP
      messages.  This allows Mobile IPv6 to be tested with ping, which
      uses ICMP echo messages (tracked issue 250).

   o  The support for protecting prefix discovery with IPsec has been
      made mandatory, but use is still a SHOULD (tracked issue 249).

   o  It is now required that L=0 registrations do not allow the home
      agent to derive any other address from the home address (tracked
      issue 248).

   o  Prefix fetching interval constants have now been defined (tracked
      issue 245).




Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 162]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  It is now required that mobile nodes must set both lifetime to
      zero and care-of address to the home address when de-registering
      (tracked issue 244).

   o  Requirements for security association and policy configuration for
      new home addresses received through prefix discovery have been
      specified (tracked issue 243).

   o  New Status code 1 has been added to Binding Acknowledgement
      (tracked issue 243).

   o  Mobile nodes are now required to initiate prefix discovery upon
      receiving Status code 1 in a Binding Acknowledgement (tracked
      issue 243).

   o  The set of addresses for which the home agent intercepts packets
      has been clarified (tracked issue 241).

   o  Both pros and cons of route optimization have been discussed in
      Section 8.2 (tracked issue 241).

   o  Checksum validation is now the first check performed for Mobility
      Header messages (tracked issue 241).

   o  Section 6.1 now correctly indicates that for some Mobility Header
      messages the number of options is zero or more, not one or more
      (tracked issue 241).

   o  The security implications of dynamic home agent address discovery
      have been updated (tracked issue 239).

   o  The specification no longer uses RFC 2119 keywords for describing
      when route optimization should be started, continued, or stopped
      (tracked issue 237).

   o  The requirements for configuration mechanisms for various Mobile
      IPv6 parts have been changed (tracked issue 236).

   o  A warning has been included about the use of Dynamic Home Agent
      Address Discovery with extremely long prefix lengths (tracked
      issue 235).

   o  The usage of the Alternate Care-of Address option has been
      clarified in Section 6.2.5 (tracked issue 234).

   o  The security considerations section now contains an analysis of
      the sufficiency of the length of the various cryptographic
      entities (tracked issue 233).



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 163]


Internet-Draft          Mobility Support in IPv6           February 2003


   o  The Home Agent (H) bit is now required to be set in some
      advertisement of a prefix before home addresses based on this
      prefix can be registered (tracked issues 231 and 246).

   o  The conditions for delaying Duplicate Address Detection have been
      rewritten (tracked issue 230).

   o  Text relating to keygen token handling in de-registrations has
      been clarified (tracked issue 229).

   o  IPsec protocol and mode requirements have now been stated as
      minimal requirements and no longer prevent the use of other
      protocols (AH) and modes (tracked issue 228).

   o  Processing rules for Binding Refresh Requests have been rewritten
      (tracked issue 227).

   o  Binding Error processing is now a MUST requirement (tracked issues
      190 and 225).

   o  The source address in proxy Neighbor Advertisements sent by the
      home agent has now been specified (tracked issue 223).

   o  RFC 2119 keywords are now used for describing the reuse of tokens
      in the return routability procedure (tracked issue 221).

   o  The alignment of the Binding Authorization Data option has changed
      (tracked issue 220).

   o  An editorial correction in the processing order of type 0 and type
      2 routing headers has changed the semantics (tracked issue 217).

   o  When returning home, the mobile node no longer targets the home
      agent's address in a Neighbor Solicitation that tries to find the
      link-layer address of the home agent.  Instead, it target's the
      mobile node's own address which the home agent is defending
      (tracked issue 218).

   o  A number of editorial modifications have been performed (tracked
      issues 234, 241, 242, 249, 261, 262, 264, and 266).











Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 164]


Internet-Draft          Mobility Support in IPv6           February 2003


Appendix B. Future Extensions

B.1 Piggybacking

   This document does not specify how to piggyback payload packets on
   the binding related messages.  However, it is envisioned that this
   can be specified in a separate document when currently discussed
   issues such as the interaction between piggybacking and IPsec are
   fully resolved (see also Appendix B.3).  The return routability
   messages can indicate support for piggybacking with a new mobility
   option.

B.2 Triangular Routing

   Due to the concerns about opening reflection attacks with the Home
   Address destination option, this specification requires that this
   option must be verified against the Binding Cache, i.e., there must
   be a Binding Cache entry for the Home Address and Care-of Address.

   Future extensions may be specified that allow the use of unverified
   Home Address destination options in ways that do not introduce
   security issues.

B.3 New Authorization Methods

   While the return routability procedure provides a good level of
   security, there exists methods that have even higher levels of
   security.  Secondly, as discussed in Section 15.4, future
   enhancements of IPv6 security may cause a need to improve also the
   security of the return routability procedure.  Using IPsec as the
   sole method for authorizing Binding Updates to correspondent nodes is
   also possible.  The protection of the Mobility Header for this
   purpose is easy, though one must ensure that the IPsec SA was created
   with appropriate authorization to use the home address referenced in
   the Binding Update.  For instance, a certificate used by IKE to
   create the security association might contain the home address.  A
   future specification may specify how this is done.

B.4 Dynamically Generated Home Addresses

   A future version of this specification may include functionality that
   allows the generation of new home addresses without requiring
   pre-arranged security associations or certificates even for the new
   addresses.

B.5 Remote Home Address Configuration

   The method for initializing a mobile node's home addresses on



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 165]


Internet-Draft          Mobility Support in IPv6           February 2003


   power-up or after an extended period of being disconnected from the
   network is beyond the scope of this specification.  Whatever
   procedure is used should result in the mobile node having the same
   stateless or stateful (e.g., DHCPv6) home address autoconfiguration
   information it would have if it were attached to the home network.
   Due to the possibility that the home network could be renumbered
   while the mobile node is disconnected, a robust mobile node would not
   rely solely on storing these addresses locally.

   Such a mobile node could initialize by using the following procedure:

   1.  Generate a care-of address.

   2.  Query DNS for an anycast address associated with the FQDN of the
       home agent(s).

   3.  Perform home agent address discovery, and select a home agent.

   4.  Configure one home address based on the selected home agent's
       subnet prefix and the interface identifier of the mobile node.

   5.  Create security associations and security policy database entries
       for protecting the traffic between the selected home address and
       home agent.

   6.  Perform a home registration to the selected home agent.

   7.  Perform prefix discovery.

   8.  Make a decision if further home addresses need to be configured.

   This procedure is restricted to those situations where the home
   prefix is 64 bits and the mobile node knows its own interface
   identifier of also 64 bits.

B.6 Neighbor Discovery Extensions

   Future specifications may improve the efficiency of Neighbor
   Discovery tasks, which could be helpful for fast movements.  One
   factor which is currently being looked at is the delays caused by the
   Duplicate Address Detection mechanism.  Currently, Duplicate Address
   Detection needs to be performed for every new care-of address as the
   mobile node moves, and for the mobile node's link-local address on
   every new link.  In particular, the need and the tradeoffs of
   re-performing Duplicate Address Detection for the link-local address
   every time when the mobile node moves on to new links will need to be
   examined.  Improvements in this area are, however, generally
   applicable and progressed independently from Mobile IPv6



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 166]


Internet-Draft          Mobility Support in IPv6           February 2003


   specification.

   Future functional improvements may also be relevant for Mobile IPv6
   and other applications.  For instance, mechanisms that would allow
   recovery from a Duplicate Address Detection collision would be useful
   for link-local, care-of, and home addresses.













































Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 167]


Internet-Draft          Mobility Support in IPv6           February 2003


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.


Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION



Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 168]


Internet-Draft          Mobility Support in IPv6           February 2003


   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.











































Johnson, Perkins, Arkko      Expires August 27, 2003          [Page 169]