Internet Engineering Task Force C. Perkins, editor
INTERNET DRAFT IBM
21 March 1995
IP Mobility Support
draft-ietf-mobileip-protocol-09.txt
Status of This Memo
This document is a submission by the Mobile-IP Working Group of the
Internet Engineering Task Force (IETF). Comments should be submitted
to the mobile-ip@sunroof.eng.sun.com mailing list.
Distribution of this memo is unlimited.
This document is an Internet-Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months, and may be updated, replaced, or obsoleted by other documents
at any time. It is not appropriate to use Internet Drafts as
reference material, or to cite them other than as a ``working draft''
or ``work in progress.''
To learn the current status of any Internet-Draft, please check
the ``1id-abstracts.txt'' listing contained in the internet-drafts
Shadow Directories on ds.internic.net (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim).
Abstract
This document specifies protocol enhancements that allow transparent
routing of IP datagrams to mobile nodes in the Internet. Each
mobile node is always identified by its home address, regardless of
its current point of attachment to the Internet. While situated
away from its home, a mobile node is also associated with a
care-of address, which provides information about its current point
of attachment to the Internet. The protocol provides for registering
the care-of address with a home agent. The home agent sends traffic
destined for the mobile node through a tunnel to the care-of address.
Perkins, editor Expires 21 September 1995 [Page i]
Internet Draft IP Mobility Support 21 March 1995
Contents
Status of This Memo i
Abstract i
1. Introduction 1
1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . 2
1.2. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 3
1.4. Specification Language . . . . . . . . . . . . . . . . . 3
1.5. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Agent Discovery 6
2.1. Agent Solicitation . . . . . . . . . . . . . . . . . . . 6
2.2. Agent Advertisement . . . . . . . . . . . . . . . . . . . 7
3. Registration 9
3.1. Authentication . . . . . . . . . . . . . . . . . . . . . 9
3.2. Registration Request . . . . . . . . . . . . . . . . . . 10
3.3. Registration Reply . . . . . . . . . . . . . . . . . . . 12
4. Mobility Message Extensions 14
4.1. Mobility Extension . . . . . . . . . . . . . . . . . . . 15
4.2. Key Identifier Extension . . . . . . . . . . . . . . . . 16
4.3. Mobile-Home Authentication Extension . . . . . . . . . . 17
4.4. Mobile-Foreign Authentication Extension . . . . . . . . . 17
4.5. Foreign-Home Authentication Extension . . . . . . . . . . 18
4.6. Minimal Encapsulation Extension . . . . . . . . . . . . . 18
4.7. GRE Encapsulation Extension . . . . . . . . . . . . . . . 19
5. Forwarding Datagrams to the Mobile Node 20
5.1. IP in IP Encapsulation . . . . . . . . . . . . . . . . . 20
5.2. Minimal Encapsulation . . . . . . . . . . . . . . . . . . 20
6. Mobile Node Considerations 23
6.1. Configuration and Registration Tables . . . . . . . . . . 23
6.2. Registration When Away From Home . . . . . . . . . . . . 23
6.3. Registration with a dynamically assigned care-of address 24
6.4. De-registration When At Home . . . . . . . . . . . . . . 25
6.5. Registration Replies . . . . . . . . . . . . . . . . . . 25
6.6. Registration Retransmission . . . . . . . . . . . . . . . 25
6.7. Simultaneous mobility bindings . . . . . . . . . . . . . 26
6.8. Mobile Routers . . . . . . . . . . . . . . . . . . . . . 26
Perkins, editor Expires 21 September 1995 [Page ii]
Internet Draft IP Mobility Support 21 March 1995
7. Foreign Agent Considerations 28
7.1. Configuration and Registration Tables . . . . . . . . . . 28
7.2. Receiving Registration Requests . . . . . . . . . . . . . 29
7.3. Receiving Registration Replies . . . . . . . . . . . . . 29
7.4. Decapsulation . . . . . . . . . . . . . . . . . . . . . . 29
8. Home Agent Considerations 30
8.1. Configuration and Registration Tables . . . . . . . . . . 30
8.2. Receiving Registration Requests . . . . . . . . . . . . . 30
8.3. Simultaneous mobility bindings . . . . . . . . . . . . . 31
8.4. Registration Expiration . . . . . . . . . . . . . . . . . 31
8.5. Encapsulation . . . . . . . . . . . . . . . . . . . . . . 32
8.6. Broadcast and Multicast . . . . . . . . . . . . . . . . . 32
9. Security Considerations 33
9.1. Message Authentication Codes . . . . . . . . . . . . . . 33
9.2. Tunneling to Care-of Addresses . . . . . . . . . . . . . 33
9.3. Key management . . . . . . . . . . . . . . . . . . . . . 33
9.4. Picking good random numbers . . . . . . . . . . . . . . . 34
9.5. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 34
9.6. Replay Protection for Registration Requests . . . . . . . 34
9.6.1. Replay Protection using Nonces . . . . . . . . . 35
9.6.2. Replay Protection using Timestamps . . . . . . . 36
10. Acknowledgements 36
A. Gratuitous and Proxy ARP 37
B. Link-Layer considerations 38
B.1. Point-to-Point Link-Layers . . . . . . . . . . . . . . . 38
B.2. Multi-Point Link-Layers . . . . . . . . . . . . . . . . . 39
C. TCP Considerations 39
C.1. TCP Timers . . . . . . . . . . . . . . . . . . . . . . . 39
C.2. TCP Congestion Management . . . . . . . . . . . . . . . . 39
D. Tunnel Management 40
Chair's Address 43
Editor's Address 43
Perkins, editor Expires 21 September 1995 [Page iii]
Internet Draft IP Mobility Support 21 March 1995
1. Introduction
Current versions of the Internet Protocol make an implicit assumption
that a node's point of attachment remains fixed, and that its IP
address identifies the network to which it is attached. Datagrams
are sent to a node based on the location information contained in the
node's IP address.
If a node moves while keeping its IP address unchanged, its network
number will not reflect its new point of attachment. Existing
routing protocols will be unable to route datagrams to it correctly.
This document defines new functions that allow a node to roam on the
Internet, without changing its IP address.
The following entities are defined:
Mobile Node
A host or router that changes its point of attachment from one
network or subnetwork to another.
Home Agent
A router that maintains a registry of the current mobility
bindings for that mobile node, and encapsulates datagrams for
delivery to the mobile node while it is away from home.
Foreign Agent
A router that assists a locally reachable mobile node that is
away from its home network.
Care-of Address
The care-of address terminates the end of a tunnel toward a
mobile node. Depending on the network configuration, the
care-of address may be either dynamically assigned to the
mobile node or associated with a foreign agent.
The following support services are defined:
Agent Discovery
Home agents and foreign agents advertise their availability
on each link for which they provide service. A newly arrived
mobile node can send a solicitation on the link to learn if any
prospective agents are present.
Perkins, editor Expires 21 September 1995 [Page 1]
Internet Draft IP Mobility Support 21 March 1995
Registration
When the mobile node is away from home, it registers its
care-of address with its home agent. Depending on its method
of attachment, the mobile node will register either directly
with its home agent, or through a foreign agent which forwards
the registration to the home agent.
Encapsulation
Once a mobile node has registered a care-of address with its
home agent, that home agent intercepts datagrams destined for
the mobile node, builds another datagram with the intercepted
datagram enclosed within, and forwards the resulting datagram
to the entity at the care-of address. This process is also
known as "tunneling".
Decapsulation
At the care-of address, the enclosed datagram is extracted.
When the mobile node receives packets sent to its own
care-of address, it decapsulates its own datagrams. When the
care-of address is associated with a foreign agent, the foreign
agent decapsulates the datagrams. If the datagram is addressed
to a mobile node which the foreign agent is currently serving,
it will deliver the datagram to the mobile node.
1.1. Requirements
A mobile node using its home address shall be able to communicate
with other nodes after having been disconnected from the Internet,
and then reconnected at a different point of attachment.
Implementation of the protocol described in this document shall not
adversely affect a mobile node's capability to communicate with other
nodes that do not implement these mobility functions. No protocol
enhancements are required in hosts or routers that are not serving
any of the mobility functions.
A mobile node shall provide authentication in its registration
messages, ad described in subsection 3.1.
1.2. Goals
The mobile node's directly attached link is likely to be bandwidth
limited. Only a few administrative messages should be sent between a
Perkins, editor Expires 21 September 1995 [Page 2]
Internet Draft IP Mobility Support 21 March 1995
mobile node and an agent. The size of these messages should be kept
as short as possible.
As few messages as possible which duplicate functionality are sent
on mobile links. This is particularly important on wireless and
congested links.
1.3. Assumptions
The protocols defined in this document place no additional
constraints on assignment of IP addresses. That is, a mobile node
can be assigned an IP address by the organization that owns the
machine, and will be able to use that IP address regardless of the
current point of attachment.
It is assumed that mobile nodes will not change their point of
attachment to the Internet more frequently than once per second.
It is assumed that IP unicast datagrams are routed based on the
destination address in the datagram header; routing is not based on
the datagram's source address.
1.4. Specification Language
In this document, several words are used to signify the requirements
of the specification. These words are often capitalized.
MUST This word, or the adjective "required", means
that the definition is an absolute requirement
of the specification.
MUST NOT This phrase means that the definition is an
absolute prohibition of the specification.
SHOULD This word, or the adjective "recommended",
means that there may exist valid reasons in
particular circumstances to ignore this item,
but the full implications must be understood
and carefully weighed before choosing a
different course.
MAY This word, or the adjective "optional", means
that this item is one of an allowed set of
alternatives. An implementation which does
not include this option MUST be prepared to
Perkins, editor Expires 21 September 1995 [Page 3]
Internet Draft IP Mobility Support 21 March 1995
interoperate with another implementation which
does include the option.
silently discard The implementation discards the packet without
further processing, and without indicating an
error to the sender. The implementation SHOULD
provide the capability of logging the error,
including the contents of the discarded packet,
and SHOULD record the event in a statistics
counter.
1.5. Terminology
This document frequently uses the following terms:
Agent Advertisement
A periodic advertisement constructed by attaching a special
extension to a router advertisement [5] message.
Correspondent
A peer with which a mobile node is communicating. The
correspondent may be either mobile or stationary.
Home Address
A long-term IP address that is assigned to a mobile node. It
remains unchanged regardless of where the node is attached
to the Internet. Datagrams addressed to the home address
are intercepted by the home agent while the mobile node is
registered with that home agent.
Link
A communication facility or medium over which nodes can
communicate at the link layer; a link underlies the network
layer.
Mobility Agent
Either a home agent or a foreign agent.
Mobility Binding
The association of a home address with a care-of address, and
the remaining lifetime of the association.
Perkins, editor Expires 21 September 1995 [Page 4]
Internet Draft IP Mobility Support 21 March 1995
Mobility Security Association
The mobility security association between a pair of nodes
identifies the security context to be applied to Mobile IP
protocol messages which they exchange. This relationship
includes the authentication type (i.e., algorithm and algorithm
mode), the secret (such as a shared key, or appropriate
public/private key pair), and information about the style
of replay protection in use. Note that a single algorithm
(such as DES) might have several modes (for example, CBC and
ECB)(see [16], [11]).
Source Address
An IP address belonging to the interface on which this message
is sent.
Perkins, editor Expires 21 September 1995 [Page 5]
Internet Draft IP Mobility Support 21 March 1995
2. Agent Discovery
To communicate with a foreign or home agent, a mobile node must
learn either the IP address or the link address of that agent. It
is assumed that a link-layer connection has been established between
the agent and the mobile node. The method used to establish such
a link-layer connection is not specified in this document. After
establishing a link-layer connection, the mobile node learns whether
there are any agents available. If the address of any agent matches
the mobile node's stored address for its home agent, the mobile node
is at home.
An agent which is not indicated by a link-layer protocol MUST
implement ICMP Router Discovery [5]. The router advertisements
indicate whether the router is also a home agent or a foreign agent.
When multiple methods of agent identification are in use, the
mobile node SHOULD first attempt registration with routers sending
router advertisements in preference to those sending link-layer
advertisements. This ordering maximizes the likelihood that the
registration will be recognized, thereby minimizing the number of
registration attempts.
An administrative domain MAY require a visiting mobile node to
register via a foreign agent. This facility (see subsection 4.1) is
envisioned for service providers with packet filtering fire-walls,
or visiting policies (such as accounting) which require exchanges of
authorization.
No authentication is required for the advertisement and solicitation
process. These messages MAY be authenticated using the IP
Authentication Header [14], which is external to the messages
described here. Further specification of authentication of
advertisement and solicitation is outside of the scope of this
document.
Whenever an externally authenticated message fails authentication,
the message is silently discarded.
2.1. Agent Solicitation
Every mobile node MUST implement ICMP Router Solicitation (RFC
1256 [5]) if it needs to obtain a care-of address in an agent
advertisement. However, the solicitation is only sent when no
care-of address has been determined through a link-layer protocol
or prior router advertisement. Any mobility agent which is not
Perkins, editor Expires 21 September 1995 [Page 6]
Internet Draft IP Mobility Support 21 March 1995
identified by a link-layer protocol MUST respond to ICMP Router
Solicitation.
The same procedures, defaults, and constants are used as described
in RFC 1256, except that the mobile node may solicit more often
than once every three seconds and MAX_SOLICITATIONS does not
apply for mobile nodes that are currently unconnected to any
foreign agent. A mobile node MAY send a solicitation once each
MOBILE_SOLICITATION_INTERVAL (1 second?) until the solicitation is
answered by a mobility agent, and the mobile node can finally issue a
registration request.
2.2. Agent Advertisement
Mobile nodes must process ICMP router advertisements[5]. Any
mobility agent which is not indicated by a link-layer protocol MUST
send ICMP Router Advertisements. An agent which is indicated by a
link-layer protocol SHOULD also implement router advertisements.
However, the advertisements need not be sent, except when the site
policy requires registration with the agent, or as a response to a
specific solicitation.
The same procedures, defaults, and constants are used as described in
RFC 1256 [5], except as specified herein; a foreign agent MUST NOT
send router advertisements more often than once per second.
ICMP router advertisements that carry extensions can be identified
by examining the number of advertised addresses. When the IP total
length indicates that the ICMP message is longer than needed for the
number of addresses present, the remaining data is interpreted as
extensions. The extensions are described in section 4.
The Mobility Extension (subsection 4.1) is required, and indicates
that the router is a mobility agent. Other extensions indicate
optionally supported features (see, e.g., subsection 5.2).
Perkins, editor Expires 21 September 1995 [Page 7]
Internet Draft IP Mobility Support 21 March 1995
The Code field of the ICMP router advertisement is interpreted as
follows:
0 If the Mobility Extension is present, the router supports
mobility registration. The router also handles common
traffic -- that is, IP data packets not necessarily related
to mobile nodes.
16 A home or foreign agent which supports registration, but is
not routing common traffic.
A foreign agent's router advertisement MUST contain at least one
router address.
Upon receipt of an agent advertisement, a mobile node compares the
router address to that of the home agent(s) in its list. If there
is an exact match, the mobile node is at home. Otherwise, the
care-of address may be chosen from among advertising agents in the
same fashion as the mobile node would choose a first hop router.
The highest preference router address, which falls within a subnet
that the mobile node has configured on (one of) its interface(s), is
used for the care-of address. It is very likely that no advertised
routing prefix matches when the mobile node is not at home. In this
case, the highest preference non-matching router address is used for
the care-of address.
A home agent which does not provide foreign agent services will have
preference values less than the highest foreign agent preference.
DISCUSSION: What is this value?
Perkins, editor Expires 21 September 1995 [Page 8]
Internet Draft IP Mobility Support 21 March 1995
3. Registration
The registration function exchanges information between a mobile
node and its home agent. Registration creates a mobility binding,
associating the mobile node's home address with a care-of address
which can be used to reach the mobile node.
When it has been dynamically assigned a care-of address, a mobile
node can act without a foreign agent, and register or de-register
directly with a home agent by the exchange of only 2 messages:
a) The mobile node sends a registration request to a home agent,
asking that home agent to provide the requested service.
b) The home agent sends a registration reply to the mobile node,
granting or denying service.
An administrative domain MAY require registration through a foreign
agent (see the description of the "R" bit, in subsection 4.1).
When the care-of address is associated with a foreign agent, the
foreign agent acts as a relay between the mobile node and home
agent. This extended registration process involves the exchange of 4
messages:
a) The mobile node sends a registration request to the prospective
foreign agent to begin the registration process.
b) The foreign agent relays the request to the home agent, asking
that home agent to provide the requested service.
c) The home agent sends a registration reply to the foreign agent to
grant or deny service.
d) The foreign agent relays the registration reply to the mobile
node to inform it of the disposition of its request.
The registration messages defined in this section(3.2, 3.3) use the
User Datagram Protocol header [18]. A nonzero UDP checksum SHOULD be
included in the header, and checked by each recipient.
3.1. Authentication
Each mobile node, foreign agent, and home agent MUST support
the maintenance of an internal table holding a list of security
associations for mobile entities, indexed by their IP address. See
section 9.1 for support requirements for authentication algorithms.
Perkins, editor Expires 21 September 1995 [Page 9]
Internet Draft IP Mobility Support 21 March 1995
Only one mobility security association at a time is in effect between
any given pair of participating nodes. Whenever a mobility security
association exists between a pair of nodes, all registration messages
between these nodes MUST be authenticated.
In particular, registration messages between mobile node and
home agent are required to be authenticated with the Mobile-Home
Authentication Extension (see subsection 4.3). This extension
immediately follows all non-authentication extensions, except those
foreign agent specific extensions which may be added to the packet
after the mobile node computes the authentication.
3.2. Registration Request
A mobile node sends a registration request message so that its home
agent can create a new mobility binding for that mobile node (with a
new lifetime). The request may be relayed to the home agent by the
foreign agent from which the mobile node is accepting service, or it
may be sent directly in case the mobile node has received a temporary
care-of address by some other means (e.g, DHCP [6]).
IP fields:
Source An IP address belonging to the interface on which
this message is sent.
A mobile node MUST use the transient care-of address
when assigned; otherwise, the home address is used.
DISCUSSION: Why?!
Destination The IP address of the agent, when known.
When the IP address is unknown (the agent was
discovered via a link-layer protocol), the "All
Mobility Agents" multicast address (224.0.0.11) is
used. The link-layer unicast address is used to
deliver the datagram to the correct agent.
Perkins, editor Expires 21 September 1995 [Page 10]
Internet Draft IP Mobility Support 21 March 1995
UDP fields:
Source Port variable
Destination Port 434
The UDP Header is followed by the Mobile-IP fields shown below:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Agent |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Care-of Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Identification +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extensions ...
+-+-+-+-+-+-+-+-
Type 1
Code Optional capabilities:
0 remove prior mobility bindings
1 retain prior mobility bindings
Lifetime The number of seconds remaining before the
registration is considered expired. A value of
zero indicates a request for deregistration. A
value of all ones indicates infinity.
Home Address The IP address of the mobile node.
Home Agent The IP address of a home agent.
Care-of Address The IP address for the decapsulation end of a
tunnel.
Identification A 64-bit number, constructed by the mobile
node, used to assist in matching requests with
Perkins, editor Expires 21 September 1995 [Page 11]
Internet Draft IP Mobility Support 21 March 1995
replies, and in protecting against replay
attacks (see subsections 9.4, 9.6).
3.3. Registration Reply
The registration reply message is returned by a home agent to a
mobile node which has sent a registration request (subsection 3.2)
message. If the mobile node is accepting service from a foreign
agent, that foreign agent will receive the reply from the home
agent and subsequently relay it to the mobile node. The reply
message contains the necessary codes to inform the mobile node about
the status of its request, along with the lifetime granted by the
home agent, which MAY be smaller than the original request. See
subsection 8.2 for details regarding the selection of the reply
identification. When the lifetime of the reply is greater than
the original request, the excess time SHOULD be ignored. When the
lifetime of the reply is smaller than the original request, another
registration SHOULD occur before the lifetime expires.
IP fields:
The source and destination IP addresses of the request message
are swapped for the reply message.
UDP fields:
The source port and destination port of the request message are
swapped for the reply message.
A foreign agent that has received a registration request message must
save the IP source address and the UDP source port from that message
so that it will be able to send the subsequent registration reply
message to the correct UDP port on the mobile node.
The UDP Header is followed by the Mobile-IP fields shown below:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Identification +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extensions ...
+-+-+-+-+-+-+-+-
Perkins, editor Expires 21 September 1995 [Page 12]
Internet Draft IP Mobility Support 21 March 1995
Code One of the following codes:
0 service will be provided.
1 service will be provided; simultaneous
mobility bindings unsupported.
Service denied by the foreign agent:
16 reason unspecified.
17 administratively prohibited.
18 insufficient resources.
19 mobile node failed authentication.
20 home agent failed authentication.
21 requested lifetime too long.
22 home agent unreachable (ICMP error)
Service denied by the home agent:
32 reason unspecified.
33 administratively prohibited.
34 insufficient resources.
35 mobile node failed authentication.
36 foreign agent failed authentication.
37 identification mismatch.
Up-to-date values of the Code field are specified
in the most recent "Assigned Numbers" [20].
Lifetime The seconds remaining before the registration is
considered expired. A value of zero confirms a
request for deregistration. A value of all ones
indicates infinity.
Identification The registration identification is derived from
the request message, for use by the mobile
node in matching its reply with an outstanding
request.
Perkins, editor Expires 21 September 1995 [Page 13]
Internet Draft IP Mobility Support 21 March 1995
4. Mobility Message Extensions
Each message begins with a short fixed part, followed by one or more
mobility message extensions in type-length-value format. These
extensions may apply to agent advertisement messages (subsection 2.2)
and registration messages (section 3).
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Extension | Length | Data ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Extension
Current values are assigned as follows:
16 Mobility
18 Key Identifier
32 Mobile-Home Authentication
33 Mobile-Foreign Authentication
34 Foreign-Home Authentication
64 Minimal Encapsulation
65 GRE Encapsulation
Up-to-date values are specified in the most recent "Assigned
Numbers" [20].
Length
Indicates the length (in bytes) of the data field. The length
does not include the Extension and Length bytes.
Data
This field is zero or more bytes in length and contains the
value(s) for this extension. The format and length of the data
field is determined by the extension and length fields.
Extensions allow variable amounts of information to be carried within
each datagram. The end of the list of extensions is indicated by the
total length of the IP datagram.
When an extension is encountered which is not recognized, it is
ignored. The length field of the extension is used to skip the data
field in searching for the next extension.
Perkins, editor Expires 21 September 1995 [Page 14]
Internet Draft IP Mobility Support 21 March 1995
4.1. Mobility Extension
The Mobility Extension is used to indicate that a router
advertisement message is actually an agent advertisement being sent
by a mobility agent (see subsection 2.2). When foreign agents cannot
accept new requests for service from mobile clients, they will set
the Busy bit; if the Busy bit is turned off, the agent may attract
new mobile clients. An agent which wishes to serve as a foreign
agent, sets the 'F' bit in the mobility extension; likewise an
agent which wishes to serve as a home agent sets the 'H' bit in the
mobility extension. Any home agent must always be prepared to serve
its mobile clients; it is an error to have the 'B' bit set without
also having the 'F' bit set.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extension | Length | Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime |R|B|H|F| reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| zero or more Care-of Addresses |
| ... |
Extension 16
Length (6 + 4*N), where N is the number of
care-of addresses advertised.
Sequence Number Contains a count of advertisement messages sent
since the agent was initialized, equal to 256
more than the absolute number of advertisements,
as described below.
Lifetime The longest lifetime (measured in seconds)
that the agent is willing to accept in any
registration request. A value of all ones
indicates infinity.
R Foreign agent registration required bit. When
this bit is set to 1, the mobile node SHOULD
register through the foreign agent, even
when the mobile node has acquired a transient
care-of address.
B Busy bit. The foreign agent is not willing to
accept any more registrations, even though it
Perkins, editor Expires 21 September 1995 [Page 15]
Internet Draft IP Mobility Support 21 March 1995
continues to send advertisements with a positive
preference.
H Agent is offering service as a home agent.
F Agent is offering service as a foreign agent.
reserved Sent as zero; ignored on reception.
Care of Addresses If the agent is a foreign agent, the
care-of addresses it offers are listed here.
The sequence number begins with 256 and wraps to zero (0). When
the sequence number decreases to a number outside the range
0-255, the mobile node MUST assume that any current registration
has been lost. This field cannot roll over in less than
MIN_ADVERTISEMENT_INTERVAL*(2**16) seconds (more than 18 hours),
and rollover is unambiguously indicated by the presence of sequence
numbers in the range between 0 and 255. When the mobile node detects
a sequence number in the range 0-255, it may assume that the sequence
number field has rolled over through 0, thus possibly avoiding an
extraneous registration request.
4.2. Key Identifier Extension
The key identifier extension is found in registration requests
(see subsection 3.2). This extension informs the home agent that
authentication is performed using a cryptographic key or algorithm
different than the home agent would use by default. If a home
agent receives a registration request which does not contain
this extension, the home agent assumes that the mobile node used
the default Message Authentication Code (see subsection 9.1) to
authenticate the registration.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extension | Length | Key Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Extension 18
Length 2
reserved Sent as zero; ignored on reception.
Key Identifier
Perkins, editor Expires 21 September 1995 [Page 16]
Internet Draft IP Mobility Support 21 March 1995
The key identifier may be chosen from a list which is privately
configured between the home agent and the mobile node. In this case,
the identifier is completely opaque; the cryptographic algorithm to
be used cannot be determined from the value of the key identifier.
4.3. Mobile-Home Authentication Extension
This extension must be present in all registration requests and
replies, and is intended to eliminate problems([2]) which result from
the uncontrolled propagation of remote redirects in the Internet.
See subsection 9.1 for information about support requirements for
message authentication codes, etc.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extension | Length | Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Extension 32
Length The number of data bytes in the extension.
Authenticator (variable length) A hash value taken over a
stream of bytes including the shared secret, the
source and destination port numbers from the UDP
header, all UDP data (that is, the registration
request or reply data), all prior extensions in
their entirety, and the type and length of this
extension, but not including the Authenticator
field itself.
4.4. Mobile-Foreign Authentication Extension
This extension may be found in registration requests replies where
a security association exists between the mobile node and a foreign
agent. See subsection 9.1 for information about support requirements
for message authentication codes, etc.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extension | Length | Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Extension 33
Perkins, editor Expires 21 September 1995 [Page 17]
Internet Draft IP Mobility Support 21 March 1995
Length The number of data bytes in the extension.
Authenticator (variable length) A hash value taken over a
stream of bytes including the shared secret, the
source and destination port numbers from the UDP
header, all UDP data (that is, the registration
request or reply data), all prior extensions in
their entirety, and the type and length of this
extension, but not including the Authenticator
field itself.
4.5. Foreign-Home Authentication Extension
This extension may be found in registration requests and replies
where a security association exists between the foreign agent and
a home agent. See subsection 9.1 for information about support
requirements for message authentication codes, etc.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extension | Length | Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Extension 34
Length The number of data bytes in the extension.
Authenticator (variable length) A hash value taken over a
stream of bytes including the shared secret, the
source and destination port numbers from the UDP
header, all UDP data (that is, the registration
request or reply data), all prior extensions in
their entirety, and the type and length of this
extension, but not including the Authenticator
field itself.
4.6. Minimal Encapsulation Extension
The Minimal Encapsulation Extension is found in agent advertisements
(subsection 2.2) and registration requests (subsection 3.2). In
both cases, it specifies that the foreign agent or mobile node may
Perkins, editor Expires 21 September 1995 [Page 18]
Internet Draft IP Mobility Support 21 March 1995
receive data encapsulated with the Minimal Encapsulation protocol
(subsection 5.2).
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extension | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Extension 64
Length 0
4.7. GRE Encapsulation Extension
The GRE Encapsulation Extension is found in agent advertisements
(subsection 2.2) and registration requests (subsection 3.2). In
either case, it specifies that the foreign agent or mobile node
may receive data encapsulated with the GRE Encapsulation protocol
(see [9]).
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extension | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Extension 65
Length 0
Perkins, editor Expires 21 September 1995 [Page 19]
Internet Draft IP Mobility Support 21 March 1995
5. Forwarding Datagrams to the Mobile Node
5.1. IP in IP Encapsulation
Support for IP in IP encapsulated datagrams is required in home
agents and foreign agents, and any mobile node which has been
dynamically assigned its own care-of address. When a datagram is
already fragmented prior to encapsulating, IP in IP is used.
An outer, full-sized IP fragmentation header is inserted before the
datagram's IP header:
+---------------------------+
| Outer IP Header |
+---------------------------+ +---------------------------+
| IP Header | | IP Header |
+---------------------------+ ====> +---------------------------+
| | | |
| IP Payload | | IP Payload |
| | | |
+---------------------------+ +---------------------------+
The format of the IP header is described in RFC 791[19]. The outer
IP header source and destination addresses identify the "endpoints"
of the tunnel. The inner IP header source and destination addresses
identify the sender and recipient of the datagram.
The protocol field in the outer IP header is set to protocol number 4
for the encapsulation protocol. The destination field in the outer
IP header is set to the care-of address of the mobile node. The
source field in the outer IP header is set to the IP address of the
encapsulating agent.
When the datagram is encapsulated, the Time To Live (TTL) field in
the outer IP header is set to be the same as the original datagram.
When decapsulating, the outer TTL minus one is inserted into the
inner IP TTL. Thus, hops are counted, but the actual routers interior
to the tunnel are not identified.
5.2. Minimal Encapsulation
A minimal forwarding header is defined for datagrams which are not
fragmented prior to encapsulating. Use of this encapsulating method
is optional. Minimal encapsulation must not be used when an original
datagram is already fragmented.
Perkins, editor Expires 21 September 1995 [Page 20]
Internet Draft IP Mobility Support 21 March 1995
A foreign agent which is capable of decapsulating the minimal header
must include the Minimal Encapsulation Extension (subsection 4.6)
in its agent advertisements. A mobile node, after receiving such
an extension in an agent advertisement, indicates the capability of
decapsulating the minimal header at the care-of address by including
the Minimal Encapsulation Extension in its registration request. A
mobile node MUST NOT include the Minimal Encapsulation Extension
unless its foreign agent has advertised that the foreign agent
supports it.
The Minimal Encapsulation Extension is not included in the
registration reply. The use of the minimal header is entirely at the
discretion of the home agent.
The minimal encapsulation process produces a datagram structured as
shown below; the IP header of the original datagram is modified, then
followed by the minimal forwarding header, followed by the unmodified
IP payload of the original datagram.
+---------------------------+ +---------------------------+
| IP Header | | Modified IP Header |
+---------------------------+ ====> +---------------------------+
| | | Minimal Forwarding Header |
| IP Payload | +---------------------------+
| | | |
+---------------------------+ | IP Payload |
| |
+---------------------------+
The protocol field in the IP header is replaced by protocol number 55
for the minimal encapsulation protocol. The destination field in the
IP header is replaced by the care-of address of the mobile node. If
the encapsulating agent is not the original source of the datagram,
the source field in the IP header is replaced by the IP address of
the encapsulating agent.
When decapsulating a datagram, the fields in the forwarding header
are restored to the IP header, and the forwarding header is removed
from the datagram.
Perkins, editor Expires 21 September 1995 [Page 21]
Internet Draft IP Mobility Support 21 March 1995
The format of the minimal forwarding header is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol |S| reserved | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: Correspondent Source Address :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Protocol
Copied from the protocol field in the original IP header.
S
Source field present bit, which indicates that the
Correspondent Source Address field is present.
0 not present.
1 present.
reserved
Sent as zero; ignored on reception.
Header Checksum
The 16-bit one's complement of the one's complement sum of the
encapsulation header. For computing the checksum, the checksum
field is set to 0.
Home Address
Copied from the destination field in the original IP header.
Correspondent Source Address
Copied from the source field in the original IP header.
Present only if the S-bit is set.
Perkins, editor Expires 21 September 1995 [Page 22]
Internet Draft IP Mobility Support 21 March 1995
6. Mobile Node Considerations
A mobile node listens for agent advertisements at all times that it
has a link connection. In this manner, it can learn that its foreign
agent has changed, or that it has arrived home.
Whenever a mobile node detects a change in its point of attachment,
it MUST initiate the registration process. When it is away from
home, the mobile node's registration request allows its home agent to
create a mobility binding, (see subsections 3.2, 2.2). When it is at
home, the mobile node's registration request allows its home agent
to erase any previous mobility binding (subsection 6.4). A mobile
node operates without the support of mobility functions when it is at
home.
Appendix B discusses the interaction of this mobility specification
with some link layer implementations for media which may be used with
mobile nodes.
A mobile node SHOULD NOT register with a new foreign agent simply
because it has received an ICMP Redirect from the foreign agent that
is currently providing service to it.
6.1. Configuration and Registration Tables
A mobile node must be configured with:
- home address
- one or more home agents
- mobility security association for each home agent
For each pending registration:
- MAC address of foreign agent, if applicable
- care-of address
- registration identification
- lifetime
6.2. Registration When Away From Home
In the absence of link-layer indications of changes in point of
attachment, agent advertisements from new agents do not necessarily
affect a current registration. In the absence of link-layer
indications, a mobile node MUST NOT attempt to register more
often than once per second. A mobile node may register with a
different agent when transport-layer protocols indicate excessive
Perkins, editor Expires 21 September 1995 [Page 23]
Internet Draft IP Mobility Support 21 March 1995
retransmissions. The mobile node should not register with a new
agent simply because a higher preference agent has appeared, or the
preference values change for the agent with which it is currently
registered. Within these constraints, the mobile node MAY register
again at any time.
If a mobile node detects a reduction in the sequence number of
an agent advertisement from a foreign agent through which it has
registered, the mobile node MUST register again. Such a reduction
does not include the wrap of the sequence number to a number in the
range from 0 to 255.
A mobile node SHOULD NOT request a lifetime for its registration that
exceeds the lifetime learned in an agent advertisement. When the
method by which the care-of address is learned does not include a
lifetime, the default router advertisement lifetime (1800 seconds)
may be used. The lifetime MAY be modified by the home agent in its
reply. A mobile node SHOULD register again before the lifetime of
its registration expires. A mobile node MAY ask a home agent to
terminate forwarding service to a particular care-of address, by
sending a registration with a lifetime of zero (see subsection 8.2).
The mobile node SHOULD construct its registration identification by
concatenating another value of its own choice to the most recent
nonce received from its home agent. This value in the trailing bits
of the identification can be another nonce, or a duplicate of the
nonce received from the home agent (see subsection 9.6.1).
6.3. Registration with a dynamically assigned care-of address
In cases where a mobile node away from home is able to dynamically
acquire a transient IP address (e.g, via DHCP [6]), the mobile node
can serve without a foreign agent, using the transient address as
the care-of address. Then all communication between the mobile
node and its home agent can proceed without the intervention of
foreign agents. This eliminates the need to deploy foreign agents as
separate entities. This feature MUST NOT be used unless the mobile
node has mechanisms to detect changes in its link-layer connectivity,
and can initiate acquisition of a new transient address each time
such a change occurs. The lifetime of such a registration is chosen
by the mobile node.
When the mobile node is away from home and detects an agent
advertisement that has the "R" bit (registration required) set in
the Mobility Extension (see subsection 2.2), the mobile node SHOULD
register through an appropriate foreign agent, even when it has
obtained a dynamically assigned care-of address.
Perkins, editor Expires 21 September 1995 [Page 24]
Internet Draft IP Mobility Support 21 March 1995
6.4. De-registration When At Home
When a mobile node is attached to its home link, it will no longer
need any forwarding service from its home agent. A deregistration
procedure MUST be used between the mobile node and its home agent.
The deregistration process involves the exchange of only two
messages:
a) The mobile node sends a registration request directly to its home
agent, with the lifetime set to zero, and the Code field set to
0, to indicate that the home agent remove all related entries.
The care-of address is set to the home address.
b) The home agent sends a registration reply to the mobile node to
indicate the success or failure of the mobile node's attempted
deregistration.
A mobile node need not register again with a home agent when a change
of sequence number occurs, or the advertisement lifetime expires,
since it isn't seeking service from the home agent.
6.5. Registration Replies
To be accepted, the reply must match the registration identification
of its most recent registration request to the sender; otherwise, the
message is silently discarded. If nonces are in use, the mobile node
records the first 32 bits for use in its next registration request;
otherwise, if timestamps are in use, the entire 64 bit field may be
used for identification (see subsection 9.6).
When a reply is received which has a code indicating rejection by
the foreign agent, the Mobile-Home Authenticator will be missing or
invalid. If a later authenticated reply is received, that reply
supersedes the unauthenticated reply. Otherwise, when a reply is
received with an invalid authenticator, the message is silently
discarded. The mobile node is not required to issue any message in
response to a registration reply.
6.6. Registration Retransmission
When no reply has been received within a reasonable time, a
new registration request is transmitted. A new registration
identification is chosen for each retransmission; thus it counts as a
new registration.
Perkins, editor Expires 21 September 1995 [Page 25]
Internet Draft IP Mobility Support 21 March 1995
The maximum time until a new registration request is sent SHOULD be
no greater than the requested lifetime of the registration request.
The minimum value SHOULD be large enough to account for the size
of the packets, twice the round trip time for transmission at the
link speed, and at least an additional 100 milliseconds to allow
for processing the packets before responding. Some circuits add
another 200 milliseconds of satellite delay. The minimum time
between registration requests MUST NOT be less than 1 second. Each
successive wait SHOULD be at least twice the previous wait, as long
as that is less than the maximum.
6.7. Simultaneous mobility bindings
Multiple simultaneous mobility bindings are likely to be useful when
a mobile node moves within range of multiple cellular systems. IP
explicitly allows duplication of datagrams. When the home agent
allows simultaneous bindings, it will encapsulate a separate copy of
each arriving datagram to each care-of address, and the mobile node
will receive multiple copies of its datagrams.
In order to request this optional capability, the mobile node sends
the registration request with the Code set to 1. The return code
in the registration reply is the same. No error occurs if the home
agent is unable to fulfill the request. When the need for multiple
mobility bindings has passed, the mobile node SHOULD register again
with the Code set to 0, to remove the other bindings.
6.8. Mobile Routers
A mobile node can be a router, which is responsible for the mobility
of one or more entire networks moving together, perhaps on an
airplane, a ship, a train, an automobile, a bicycle, or a kayak.
The nodes connected to a network served by the mobile router may
themselves be fixed nodes or mobile nodes or routers. In this
subsection, such networks are called "mobile networks".
A mobile router may provide a care-of address to mobile nodes
connected to the mobile network. In this case, when a correspondent
host sends a packet to the mobile node, the following actions should
occur.
Normal routing procedures will route the packet addressed to the
mobile node from the correspondent host to the mobile node's home
agent. This home agent's binding for the mobile node causes it to
tunnel the packet to the mobile router. Normal routing procedures
will route the packet from this home agent to the mobile router's
Perkins, editor Expires 21 September 1995 [Page 26]
Internet Draft IP Mobility Support 21 March 1995
home agent. That home agent's binding for the mobile router causes
the packet to be doubly tunneled to the mobile router's care-of
address. For the sake of discussion, assume there is a foreign agent
available at that care-of address.
The mobile router's foreign agent will then detunnel the packet
and use its visitor list entry to deliver the packet to the mobile
router. The mobile router will then detunnel the packet and use its
visitor list entry to deliver the packet finally to the mobile node.
If a fixed node is connected to a mobile network then either of two
methods may be used to cause packets from correspondent hosts to be
routed to the fixed node.
A home agent may be configured that has a permanent registration for
the fixed node that indicates the mobile router's address as the
fixed host's care-of address. The mobile router's home agent will
usually be used for this purpose. The home agent is then responsible
for advertising connectivity using normal routing protocols to
the fixed node. Any packets sent to the fixed node will thus use
recursive tunneling as described above.
Alternatively, the mobile router may advertise connectivity to the
fixed node using normal routing protocols through its own home agent.
This method avoids the need for recursive tunneling of packets.
Perkins, editor Expires 21 September 1995 [Page 27]
Internet Draft IP Mobility Support 21 March 1995
7. Foreign Agent Considerations
The foreign agent is passive and has a minimal role; it relays
registration requests between the home agent and the mobile node, and
decapsulates datagrams for delivery to the mobile node.
The foreign agent MUST NOT originate a request or reply that has not
been prompted by the mobile node. No request or reply is generated
to indicate that the service lifetime has expired. A foreign agent
MUST NOT originate a message that asks for deregistration of a mobile
node; however, it MUST relay valid deregistration requests originated
by the mobile node.
The foreign agent MUST NOT advertise the presence of a mobile node
which is a router to other routers in its routing domain, nor any
other mobile node.
The preference in the agent advertisements is used to regulate the
number of mobile nodes which register with the foreign agent. When
the foreign agent would otherwise need to reject new registrations
because of insufficient resources, the foreign agent SHOULD reduce
its preference values until resources become available.
7.1. Configuration and Registration Tables
Each foreign agent will need a care-of address. In addition, for
each pending or current registration, the foreign agent will need a
visitor list entry containing:
- Media address of mobile node
- home address
- home agent
- lifetime
For each pending registration, a foreign agent must also store the
registration identification. As with any host on the internet, a
foreign agent may also maintain a security association for each
pending or current registrant, and use it to authenticate the
registration requests and replies of the mobile node or its home
agent (subsections 4.4, 4.5). The foreign agent may use an available
security association with the home agent to create an authentication
for the foreign-home authentication extension. Even if a foreign
agent implements authentication, it might not use authentication with
each registration, because of the key management difficulties.
Perkins, editor Expires 21 September 1995 [Page 28]
Internet Draft IP Mobility Support 21 March 1995
7.2. Receiving Registration Requests
If the foreign agent is able to satisfy an incoming registration
request, then it forwards the request to the home agent. Otherwise,
it denies the request by sending a registration reply to the mobile
node with an appropriate code. If the request is being denied
because the requested lifetime is too long, the foreign agent puts
in an acceptable value for the lifetime in the registration reply
containing the rejection code. The foreign agent must maintain a
list of pending requests, which includes the IP source address and
UDP source port, in order that a correctly addressed reply can be
returned to the mobile node.
7.3. Receiving Registration Replies
A registration reply which is unrelated to any pending request must
be silently discarded. If the registration reply is sent from the
home agent with a status code indicating a successful registration,
then the foreign agent updates its visitor list accordingly. If the
foreign agent receives an ICMP error instead of a registration reply
in response to the registration request, then it returns the "Home
Agent Unreachable" failure code to the mobile node.
7.4. Decapsulation
Every foreign agent which receives an encapsulated packet sent to
its advertised care-of address MUST compare the inner destination
address to those entries in its visitor list. When the destination
does not match any node currently in the visitor list, the foreign
agent MUST NOT forward the datagram without modifications to the
original IP header, because otherwise a routing loop is likely to
result. The datagram SHOULD be silently discarded. ICMP Destination
Unreachable MUST NOT be sent when a foreign agent is unable to
forward a datagram. A foreign agent that doesn't support minimal
encapsulation SHOULD silently discard any received datagram addressed
to itself that makes use of the minimal encapsulation.
Perkins, editor Expires 21 September 1995 [Page 29]
Internet Draft IP Mobility Support 21 March 1995
8. Home Agent Considerations
The home agent has primary responsibility for processing and
coordinating mobility services.
The home agent for a given mobile node SHOULD be located on the link
identified by the home address, if the home network is not merely a
virtual network.
The home agent SHOULD advertise the presence of the mobile node which
is a router to other routers in its routing domain.
8.1. Configuration and Registration Tables
Each home agent will need an IP address, and the prefix size for the
home network, if there is one. For each authorized mobile node, the
home agent will need:
- home address
- mobility security association
- prefix size(s) for the mobile network(s), if any
For each registered mobile node, the home agent will need a
forwarding list entry containing:
- care-of address
- registration identification
- lifetime
8.2. Receiving Registration Requests
Upon receipt of a registration request (subsection 3.2), the
home agent grants or denies the service requested, by sending a
registration reply (subsection 3.2) to the sender of the request with
the appropriate code set. If service permission is granted, the home
agent will update its forwarding list with the care-of address of the
tunnel. The home agent MAY impose a shorter lifetime than was asked
for in the Registration Request message.
The request is validated by checking that the registration
identification is not the same as a preceding request, and the
Mobile-Home Authentication Extension (subsection 4.3) is correct.
Other authentication extensions are also validated when present.
When the registration request is valid, the home agent may select
a new nonce for use by the mobile node upon its next registration
request, and include it in the first 32 bits of the identification
Perkins, editor Expires 21 September 1995 [Page 30]
Internet Draft IP Mobility Support 21 March 1995
field of the registration reply. The trailing 32 bits of that field
remain as is for use by the mobile node in matching the registration
reply with one of its outstanding registration requests.
When a registration request is invalid, a registration reply is
sent with the appropriate error code. This reply will be used by
a foreign agent to clear its pending request list, if a foreign
agent was involved in relaying the registration request. If the
request was invalid because of the use of an unexpected value in the
identification field of the registration request, the home agent
SHOULD use the high-order bits of the current identification to
provide a new identification value for the mobile node. In this
case, the home agent MAY report an authentication exception to its
network management support software. The registration reply status
code in this case is 37. If the registration request was invalid
because of an invalid authenticator value, the home agent MUST issue
an authentication exception. The registration reply status code is
then 35.
A mobile node requests termination of service by indicating a
lifetime of zero. If the Code field set to 1, the home agent removes
the mobility binding for that care-of address from its forwarding
list. Otherwise, if the Code field is set to 0, the home agent
removes the mobility bindings for all foreign agents associated
with that mobile node from its forwarding list. On termination, no
special reply is sent to additional associated foreign agents. The
entries in their visitor lists are allowed to expire naturally.
8.3. Simultaneous mobility bindings
When a home agent supports the optional capability of multiple
simultaneous mobility bindings, any datagrams forwarded are simply
duplicated, and a copy is sent to each care-of address. If the
home agent is unable to fulfill requests for simultaneous bindings,
it returns the appropriate status in the registration reply
(subsection 3.3) to the mobile node. When the mobile node makes
future registration requests, it will then be able to determine
whether it can expect simultaneous service at two care-of addresses.
DISCUSSION: Do we limit the number of simultaneous bindings?
8.4. Registration Expiration
If the lifetime for a given mobility binding expires before the home
agent has received another registration request, then that binding is
erased from the forwarding list. No special registration reply is
Perkins, editor Expires 21 September 1995 [Page 31]
Internet Draft IP Mobility Support 21 March 1995
sent to the foreign agents. The entries in the visitor lists will
expire naturally, and probably at the same time. When a mobility
binding's lifetime expires, the HA drops it regardless of whether or
not simultaneous bindings are supported.
8.5. Encapsulation
Every home agent must examine the IP header of all arriving
traffic to see if it contains a destination address equal to the
home address of any of its mobile nodes. Packets with matching
destination addresses are encapsulated and delivered to the indicated
care-of address found in the associated mobility binding. If the
mobile node is at home, the home agent will simply forward the
datagram directly to it; however, in this case, it is expected
that the datagram will never be received by the home agent. When
previously encapsulated datagrams arrive that are associated with the
mobile node, the home agent simply alters the outer destination to
the care-of address, unless that care-of address is the same as the
origination point of the encapsulated datagram. If the home agent
receives a datagram whose destination address matches an entry in
its forwarding list, the home agent MUST discard the packet if its
IP source address is identical to the care-of address contained in
the forwarding list. This avoids recursive encapsulation. Other
previously encapsulated datagrams are recursively encapsulated.
8.6. Broadcast and Multicast
When a home agent receives a broadcast packet, it MUST NOT transmit
the packet to the mobile nodes on its forwarding list. If it is
determined that some broadcasts should be forwarded to mobile nodes
by the home agent, those broadcasts will be specifically mentioned as
exceptions.
Similarly, multicast packets to the home agent are not expected to
be forwarded to mobile hosts. However, the issues surrounding the
maintenance of multicast routing trees containing mobile nodes have
not been worked out at the time of this draft.
Perkins, editor Expires 21 September 1995 [Page 32]
Internet Draft IP Mobility Support 21 March 1995
9. Security Considerations
The mobile computing environment is potentially very different from
the ordinary computing environment. In many cases, mobile computers
will be connected to the network via wireless links. Such links
are particularly vulnerable to passive eavesdropping, active replay
attacks, and other active attacks.
9.1. Message Authentication Codes
Home agents and mobile nodes MUST be able to perform authentication.
The default algorithm is keyed MD5 [21], with a key size of 128
bits. The default mode of operation is to both precede and follow
the data to be hashed, by the 128-bit key; that is, MD5 is to be
used in suffix+prefix mode. The foreign agent SHOULD also support
authentication using keyed MD5 and key sizes of 128 bits or greater,
with manual key distribution. More authentication algorithms,
algorithm modes, key distribution methods, and key sizes MAY also be
supported.
9.2. Tunneling to Care-of Addresses
The registration protocol described in this document will result
in a mobile node's traffic being tunneled to its care-of address.
This tunneling feature could be a significant vulnerability if the
registration were not authentic. Such remote redirection, for
instance as performed by the mobile registration protocol, is widely
understood to be a security problem in the current Internet([2]).
Moreover, the Address Resolution Protocol (ARP) is not authenticated,
and can potentially be used to steal another host's traffic. The use
of "Gratuitous ARP" (see Appendix A) brings with it all of the risks
associated with the use of ARP.
9.3. Key management
This specification requires a strong authentication mechanism
(keyed MD5) which precludes many potential attacks based on the
Mobile IP registration protocol. However, because key distribution
is difficult in the absence of a network key management protocol,
messages with the foreign agent are not all required to be
authenticated. In a commercial environment it might be important
to authenticate all messages between the foreign agent and the home
agent, so that billing is possible, and service providers don't
provide service to users that are not legitimate customers of that
service provider.
Perkins, editor Expires 21 September 1995 [Page 33]
Internet Draft IP Mobility Support 21 March 1995
9.4. Picking good random numbers
The strength of any authentication mechanism is dependent on
several factors, including the innate strength of the authentication
algorithm, the secrecy of the key used, the strength of the key used,
and the quality of the particular implementation. This specification
requires implementation of keyed MD5 for authentication, but does not
preclude the use of other authentication algorithms and modes. For
keyed MD5 authentication to be useful, the 128-bit key must be both
secret (that is, known only to authorized parties) and pseudo-random.
If nonces are used in connection with replay protection, they must
also be selected carefully. Eastlake, et.al. ([7]) provides more
information on generating pseudo-random numbers.
9.5. Privacy
Users who have sensitive data that they do not wish others to see
should use mechanisms outside the scope of this document (such as
encryption) to provide appropriate protection. Users concerned about
traffic analysis should consider appropriate use of link encryption.
If absolute location privacy is desired, the Mobile Node can create a
tunnel to its Home Agent. Then, packets destined for correspondent
hosts will appear to emanate from the Home Network, and it may be
more difficult to pinpoint the location of the mobile node.
9.6. Replay Protection for Registration Requests
The Identification field is used to let the home agent verify that a
registration message has been freshly generated by the mobile node,
not replayed by an attacker from some previous registration. The
exact method of using the field depends upon the mobile security
association defined between the mobile node and home agent. Two
methods are described here: using random "nonce" values (preferred),
and another method using timestamps.
Whatever method is used, the low order 32 bits of the identification
MUST be copied unchanged from the registration request to the reply.
The foreign agent uses those bits to match registration requests with
corresponding replies. The mobile node MUST verify that the low
order 32 bits of any registration reply are identical to the bits it
sent in the registration request.
The Identification MUST NOT be the same as in an immediately
preceding request, and SHOULD NOT repeat during the lifetime of the
mobility security association between the mobile node and the home
agent.
Perkins, editor Expires 21 September 1995 [Page 34]
Internet Draft IP Mobility Support 21 March 1995
There is no provision for the Foreign Agent to generate
identification values, but it can use the values supplied by the
mobile node and the home agent.
9.6.1. Replay Protection using Nonces
The basic principle of nonce replay protection is that Node A
includes a new random number in every message to node B, and checks
that Node B returns that same number in its next message to node
A. Both messages use a cryptographic checksum to protect against
alteration by an attacker. At the same time Node B can send its own
nonces in all messages to Node A (to be echoed by node A), so that it
too can verify that it is receiving fresh messages.
The home agent may be expected to have resources for computing
pseudo-random numbers useful as nonces[7]. It inserts a new
nonce as the high-order 32 bits of the identification field of
every registration reply. The home agent copies the low-order
(trailing) 32 bits of the Identification from the registration
request message. When the mobile node receives an authenticated
registration reply from the home agent, it saves the high order 32
bits of the identification for use as the high-order 32 bits of its
next registration request.
The mobile node is responsible for generating the low order 32
bits of the Identification in each registration request. Ideally
it should generate its own random nonces. However it may use any
expedient method, including duplication of the random value sent by
the home agent. The method chosen is of concern only to the mobile
node, because it is the node that checks for valid values in the
registration reply. The high-order and low-order 32 bits of the
identification chosen SHOULD both differ from their previous values.
The home agent needs a new high order value; both foreign agent and
mobile node need a new low order value.
If a registration message is rejected because of an invalid nonce,
the reply always provides the mobile node with a new nonce to
be used in the next registration. Thus the nonce protocol is
self-synchronizing.
DISCUSSION: The use of nonces for replay protection may
depend partially on the resolution of a patent issue. A
mobile node and its home agent must agree on the use of
replay protection, because if a home agent expects only a
nonce, it is unlikely to accept the mobile node's time value.
Perkins, editor Expires 21 September 1995 [Page 35]
Internet Draft IP Mobility Support 21 March 1995
9.6.2. Replay Protection using Timestamps
The basic principle of timestamp replay protection is that the node
generating a message inserts the current time of day, and the node
receiving the message checks that this timestamp is sufficiently
close to its own time of day. Obviously the two nodes must have
adequately synchronized time of day clocks. As usual all messages
are protected against tampering by a cryptographic checksum.
If timestamps are used, the mobile node sets the Identification
field to a 64-bit value formated as specified by the Network Time
Protocol [15]. The low-order 32 bits of the NTP format represent
fractional seconds, and those bits which are not available from a
time source SHOULD be generated from a good source of randomness.
If the timestamp in an authenticated registration request is close
enough to the home agent's time of day, the home agent copies the
entire Identification into the registration reply. If the timestamp
is unacceptable, the home agent copies only the low order 32 bits
into the registration reply, and supplies the high order 32 bits
from its own time of day. The error code in the registration reply
indicates an identification mismatch. The mobile node MUST verify
that the low order 32 bits of the identification in the registration
reply are identical to those in the rejected registration attempt,
before using the high order bits for clock resynchronization. Time
tolerances and resynchronization details are specific to a particular
mobile security association.
10. Acknowledgements
Special thanks to Steve Deering (Xerox PARC), along with Dan Duchamp
and John Ioannidis (Columbia), for forming the working group,
chairing it, and putting so much effort into its early development.
Thanks also to Greg Minshall for his contributions to the group while
performing the duties of chairperson.
Perkins, editor Expires 21 September 1995 [Page 36]
Internet Draft IP Mobility Support 21 March 1995
Thanks to the active members of the Mobile-IP working group,
particularly those who contributed text, including (in alphabetical
order)
- Ran Atkinson (Naval Research Lab),
- Dave Johnson (Carnegie Mellon University),
- Andrew Myles (Macquarie University),
- John Penners (US West),
- Al Quirt (Bell Northern Research),
- Yakov Rekhter (IBM), and
- Fumio Teraoka (Sony).
Thanks to Charlie Kunzinger, the editor who produced the first drafts
for the Working Group, and to Bill Simpson, who has produced a lot
of the text of this draft, reflecting the discussions of the Working
Group.
Thanks to Greg Minshall (Novell) and Phil Karn (Qualcomm) for their
generous support in hosting interim Working Group meetings.
A. Gratuitous and Proxy ARP
Many people will use their computers for extended periods of time
on a single link, whether or not it is at their home network. When
doing so, they will expect the same level of service from their
infrastructure as they receive today on the home network.
Mobile nodes do not need a separate "virtual" IP address block; this
would require a small network to have an extra router between the
mobile and non-mobile nodes, which is an unacceptable expense.
This section details the special care to be taken when using ARP [17]
with nodes on the same link as a mobile node.
A problem can arise if a mobile node which has previously answered an
ARP Request moves away from the link, leaving behind a stale entry in
another node's ARP cache. For example, if a router which forwards
datagrams into the home network has a stale ARP cache entry for the
mobile node, any datagrams arriving through that router for the
mobile node will be lost. Thus, it is important that ARP caches of
nodes populating the link be updated as soon as possible.
A gratuitous ARP is an ARP Reply that is broadcast to all nodes
on a link, but not in response to any ARP Request. When an ARP
Reply is broadcast, all hosts are required to update their local
ARP caches, whether or not the ARP Reply was in response to an ARP
Request they had issued. With gratuitous ARP, the source IP address
Perkins, editor Expires 21 September 1995 [Page 37]
Internet Draft IP Mobility Support 21 March 1995
is the home address of the mobile node, the MAC address is the source
link-layer address for the interface used, the target IP address is
the all-systems multicast address, and the target link-layer address
is the general broadcast address.
When there is a physical link which corresponds to the home network,
a gratuitous ARP is issued by the home agent on behalf of a mobile
node whenever the home agent receives a valid registration. That
should cause the remaining nodes to associate the home address of the
mobile node with the link-layer address of the home agent which is
now serving the mobile node.
While the mobile node is away from its home network, the home agent
performs proxy ARP Replies for the mobile node. When a mobile node
returns to its home network, it SHOULD issue a gratuitous ARP on its
own behalf, immediately before sending its deregistration request to
the home agent.
Although the gratuitous ARP can be lost, this is not different from
the usual ARP Reply problems, which are outside the scope of this
document. A home agent may repeat the gratuitous ARP a small number
of times.
B. Link-Layer considerations
The mobile node primarily uses link-layer mechanisms to decide that
its point of attachment has changed. Such indications include
the Down/Testing/Up interface status [12], and changes in cell or
administration. The mechanisms will be specific to the particular
link-layer technology, and are outside the scope of this document.
B.1. Point-to-Point Link-Layers
The Point-to-Point-Protocol (PPP) [22] and its Internet Protocol
Control Protocol (IPCP) [13], negotiates the use of IP addresses.
The mobile node SHOULD first attempt to specify its home address.
This allows an unrouted link to function correctly.
When the home address is not accepted by the peer, but a transient
IP address is dynamically assigned, that address MAY be used as the
care-of address for registration. When the peer specifies its own IP
address, that address MUST NOT be assumed to be the care-of address
of a foreign agent or the IP address of a home agent.
Perkins, editor Expires 21 September 1995 [Page 38]
Internet Draft IP Mobility Support 21 March 1995
When router advertisements are received which contain the Mobility
Extension, registration with the agent SHOULD take place as usual.
If the link is bandwidth limited, this method is preferred over use
of the transient care-of address. The encapsulation will be removed
by the peer, allowing header compression techniques to function
correctly [10].
B.2. Multi-Point Link-Layers
Another link establishment protocol, IEEE 802.11 [1], might yield the
link address of an agent. This link-layer address SHOULD be used to
attempt registration.
The receipt of an agent's address via a router advertisement
supersedes that obtained via IEEE 802.11.
C. TCP Considerations
C.1. TCP Timers
Most hosts and routers which implement TCP/IP do not permit easy
configuration of the TCP timer values. When high-delay (e.g.
SATCOM) or low-bandwidth (e.g. High-Frequency Radio) links are
in use, the default TCP timer values in many systems may cause
retransmissions or timeouts, even when the link and network is
actually operating properly with greater than usual delays because
of the medium in use. This can cause an inability to create or
maintain connections over such links, and can also cause unneeded
retransmissions which consume already scarce bandwidth. Vendors are
encouraged to make TCP timers more configurable. Vendors of systems
designed for the mobile computing markets should pick default timer
values more suited to low-bandwidth, high-delay links. Users of
mobile nodes should be sensitive to the possibility of timer-related
difficulties.
C.2. TCP Congestion Management
Mobility nodes are likely to use media which have low bandwidth and
are more likely to introduce errors, effectively causing more packets
to be dropped. This introduces a conflict with the mechanisms for
congestion management found in modern versions of TCP. Now, when
a packet is dropped, the correspondent's TCP implementation is
likely to react as if there were a source of network congestion,
and initiate the slow-start mechanisms [4] designed for controlling
that problem. However, those mechanisms are inappropriate for
Perkins, editor Expires 21 September 1995 [Page 39]
Internet Draft IP Mobility Support 21 March 1995
overcoming errors introduced by the links themselves, and have the
effect of magnifying the discontinuity introduced by the dropped
packet. This problem has been analyzed by Caceres, et. al.([3]);
there is no easy solution available, and certainly no solution likely
to be installed soon on all correspondents. While this problem has
nothing to do with any of the specifications in this document, it
does illustrate that providing performance transparency to mobile
nodes involves understanding mechanisms outside the network layer.
It also indicates the need to avoid designs which systematically drop
packets; such designs might otherwise be considered favorably when
making engineering tradeoffs.
D. Tunnel Management
It is possible that one of the routers along the tunnel interior
might encounter an error while processing the datagram, causing it
to return an IP ICMP error message to the source end of the tunnel.
ICMP errors that can occur in this circumstance are:
- Datagram Too Big
- Time Exceeded
- Destination Unreachable
Unfortunately, ICMP only requires IP routers to return 8 bytes (64
bits) of the datagram beyond the IP header. This is not enough to
include the encapsulated header, so it is not generally possible
for the home agent to immediately reflect the ICMP message from the
interior of a tunnel back to the source host.
However, by carefully maintaining "soft state" about its tunnels,
the encapsulating router can return accurate ICMP messages in most
cases. The router SHOULD maintain at least the following soft state
information about each tunnel:
- MTU of the tunnel
- TTL (path length) of the tunnel
- Reachability of the end of the tunnel
The router uses the ICMP messages it receives from the interior of a
tunnel to update the soft state information for that tunnel. When
subsequent datagrams arrive that would transit the tunnel, the router
checks the soft state for the tunnel. If the datagram would violate
the state of the tunnel (such as, the TTL is less than the tunnel
TTL) the router sends an ICMP error message back to the source, but
also forwards the datagram into the tunnel.
Perkins, editor Expires 21 September 1995 [Page 40]
Internet Draft IP Mobility Support 21 March 1995
Using this technique, the ICMP error messages sent by encapsulating
routers will not always match up one-to-one with errors encountered
within the tunnel, but they will accurately reflect the state of the
network.
The Don't Fragment bit is always set within the tunnel. This enables
the proper MTU of the tunnel to be determined. Fragmentation which
occurs because of the size of the encapsulation header is done before
encapsulation, preventing more than one layer of fragmentation in a
single datagram.
DISCUSSION: Would anyone like to provide more explanation?
Or, should we just delete most of it
and be satisfied with a reference in the
section about Home Agent Considerations?
Tunnel soft state was originally developed for the IP address
encapsulation (IPAE) specification [8].
References
[1] Wireless LAN Medium Access Control (MAC) and Physical Layer
(PHY) Specifications. IEEE Document P802.11/D1, Dec 1994.
[2] S.M. Bellovin. Security Problems in the TCP/IP Protocol Suite.
ACM Computer Communications Review, 19(2), March 1989.
[3] Ramon Caceres and Liviu Iftode. The Effects of Mobility on
Reliable Transport Protocols. In Proceedings of the 14th
International Conference on Distributed Computing Systems, June
1994.
[4] Douglas E. Comer. Internetworking with TCP/IP, volume 1.
Prentice Hall, 1991.
[5] S. Deering. Router Discovery. RFC 1256, September 1991.
[6] R. Droms. Dynamic Host Configuration Protocol. RFC 1541,
October 1993.
[7] D.E. Eastlake, S.D. Crocker, and J.I. Schiller. Randomness
Requirements for Security. RFC 1750, December 1994.
[8] R. Gilligan, E. Nordmark, and B. Hinden. IPAE: The SIPP
Interoperability and Transition Mechanism. Internet Draft --
work in progress, March 1994.
Perkins, editor Expires 21 September 1995 [Page 41]
Internet Draft IP Mobility Support 21 March 1995
[9] S. Hanks, T. Li, D. Farinacci, and P. Traina. Generic routing
encapsulation (gre). draft-hanks-gre-00.txt -- work in
progress, October 1994.
[10] V. Jacobson. Compressing TCP/IP Headers for Low-Speed Serial
Links. RFC 1144, February 1990.
[11] J. Kohl and C. Newman. The Kerberos Network Authentication
Service (V5). RFC 1510, September 1993.
[12] K. McCloghrie and F. Kastenholz. Evolution of the Interfaces
Group MIP-II. RFC 1573, January 1994.
[13] G. McGregor. The PPP Internet Procotol Control Protocol (IPCP).
RFC 1332, May 1992.
[14] P. Metzger and B. Simpson. Authentication Header (AH).
draft-metzger-ah-01.txt -- work in progress, March 1995.
[15] D. Mills. Network Time Protocol (Version 3). RFC 1305, March
1992.
[16] National Bureau of Standards. Data Encryption Standard.
Federal Information Processing Standards, 1977.
[17] D. Plummer. An Ethernet Address Resolution Protocol. RFC 826,
November 1982.
[18] J. Postel. User Datagram Protocol. RFC 768, August 1980.
[19] J. Postel. Internet Protocol. RFC 791, September 1981.
[20] J. Reynolds and J. Postel. Assigned Numbers. RFC 1700, October
1994.
[21] R. Rivest. The MD5 Message-Digest Algorithm. RFC 1321, April
1992.
[22] W. Simpson (Editor). The Point-to-Point Protocol (PPP). RFC
1661, July 1994.
Perkins, editor Expires 21 September 1995 [Page 42]
Internet Draft IP Mobility Support 21 March 1995
Chair's Addresses
The working group can be contacted via the current chairs:
Jim Solomon Tony Li
Motorola, Inc. 170 W. Tasman Dr.
San Jose CA 95134
Work: +1-708-576-2753 Work: +1-408-526-8186
E-mail: solomon@comm.mot.com E-mail: tli@cisco.com
Editor's Address
Questions about this memo can also be directed to:
Charles Perkins
Room J1-A25
T. J. Watson Research Center
IBM Corporation
30 Saw Mill River Rd.
Hawthorne, NY 10532
Work: +1 914 7847350
Fax: +1 914 7847007
E-mail: perk@watson.ibm.com
Perkins, editor Expires 21 September 1995 [Page 43]
