Internet Engineering Task Force C. Perkins, editor
INTERNET DRAFT IBM
11 August 1995
IP Mobility Support
draft-ietf-mobileip-protocol-12.txt
Status of This Memo
This document is a submission by the Mobile-IP Working Group of the
Internet Engineering Task Force (IETF). Comments should be submitted
to the mobile-ip@tadpole.com mailing list.
Distribution of this memo is unlimited.
This document is an Internet-Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months, and may be updated, replaced, or obsoleted by other documents
at any time. It is not appropriate to use Internet Drafts as
reference material, or to cite them other than as a ``working draft''
or ``work in progress.''
To learn the current status of any Internet-Draft, please check
the ``1id-abstracts.txt'' listing contained in the internet-drafts
Shadow Directories on ds.internic.net (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim).
Abstract
This document specifies protocol enhancements that allow transparent
routing of IP datagrams to mobile nodes in the Internet. Each
mobile node is always identified by its home address, regardless of
its current point of attachment to the Internet. While situated
away from its home, a mobile node is also associated with a
care-of address, which provides information about its current point
of attachment to the Internet. The protocol provides for registering
the care-of address with a home agent. The home agent sends packets
destined for the mobile node through a tunnel to the care-of address.
After arriving at the end of the tunnel, the packets are then
delivered to the mobile node.
Perkins, editor Expires 11 February 1996 [Page i]
Internet Draft IP Mobility Support 11 August 1995
Contents
Status of This Memo i
Abstract i
1. Introduction 1
1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . 2
1.2. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 2
1.4. Specification Language . . . . . . . . . . . . . . . . . 3
1.5. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.6. Overview of Protocol Events . . . . . . . . . . . . . . . 5
2. Agent Discovery 6
2.1. Agent Solicitation . . . . . . . . . . . . . . . . . . . 6
2.2. Agent Advertisement . . . . . . . . . . . . . . . . . . . 7
2.3. Sequence Numbers, and Rollover Handling . . . . . . . . . 7
3. Registration 9
3.1. Authentication . . . . . . . . . . . . . . . . . . . . . 10
3.2. Registration Request . . . . . . . . . . . . . . . . . . 10
3.3. Registration Reply . . . . . . . . . . . . . . . . . . . 12
4. Mobility Message Extensions 15
4.1. Mobile Service Extension . . . . . . . . . . . . . . . . 16
4.2. Mobile-Home Authentication Extension . . . . . . . . . . 17
4.3. Mobile-Foreign Authentication Extension . . . . . . . . . 17
4.4. Foreign-Home Authentication Extension . . . . . . . . . . 18
4.5. Prefix Length Extension . . . . . . . . . . . . . . . . . 19
5. Encapsulation techniques 20
6. Mobile Node Considerations 21
6.1. Configuration and Registration Tables . . . . . . . . . . 21
6.2. Registration When Away From Home . . . . . . . . . . . . 21
6.3. Registration with a dynamically assigned care-of address 22
6.4. Deregistration When At Home . . . . . . . . . . . . . . . 23
6.5. Registration Replies . . . . . . . . . . . . . . . . . . 23
6.6. Registration Retransmission . . . . . . . . . . . . . . . 24
6.7. Simultaneous mobility bindings . . . . . . . . . . . . . 24
6.8. Mobile Routers . . . . . . . . . . . . . . . . . . . . . 24
7. Foreign Agent Considerations 26
Perkins, editor Expires 11 February 1996 [Page ii]
Internet Draft IP Mobility Support 11 August 1995
7.1. Configuration and Registration Tables . . . . . . . . . . 26
7.2. Receiving Registration Requests . . . . . . . . . . . . . 27
7.3. Receiving Registration Replies . . . . . . . . . . . . . 27
7.4. Decapsulation . . . . . . . . . . . . . . . . . . . . . . 27
8. Home Agent Considerations 28
8.1. Configuration and Registration Tables . . . . . . . . . . 28
8.2. Receiving Registration Requests . . . . . . . . . . . . . 28
8.3. Simultaneous mobility bindings . . . . . . . . . . . . . 30
8.4. Registration Expiration . . . . . . . . . . . . . . . . . 30
8.5. Encapsulation . . . . . . . . . . . . . . . . . . . . . . 30
8.6. Broadcast packets . . . . . . . . . . . . . . . . . . . . 31
8.7. Multicast packets . . . . . . . . . . . . . . . . . . . . 31
9. Security Considerations 32
9.1. Message Authentication Codes . . . . . . . . . . . . . . 32
9.2. Areas of security concern in this protocol . . . . . . . 32
9.3. Key management . . . . . . . . . . . . . . . . . . . . . 32
9.4. Picking good random numbers . . . . . . . . . . . . . . . 33
9.5. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 33
9.6. Replay Protection for Registration Requests . . . . . . . 33
9.6.1. Replay Protection using Nonces . . . . . . . . . 34
9.6.2. Replay Protection using Timestamps . . . . . . . 34
10. Acknowledgements 35
A. Gratuitous and Proxy ARP 36
B. Link-Layer considerations 37
B.1. Point-to-Point Link-Layers . . . . . . . . . . . . . . . 38
B.2. Multi-Point Link-Layers . . . . . . . . . . . . . . . . . 38
C. TCP Considerations 38
C.1. TCP Timers . . . . . . . . . . . . . . . . . . . . . . . 38
C.2. TCP Congestion Management . . . . . . . . . . . . . . . . 39
Chair's Address 41
Editor's Address 41
Perkins, editor Expires 11 February 1996 [Page iii]
Internet Draft IP Mobility Support 11 August 1995
1. Introduction
IPv4 and earlier versions of the Internet Protocol make two implicit
assumptions:
- that a node's point of attachment remains fixed, and
- that a node's IP address identifies the network to which it is
attached.
Datagrams are sent to a node based on the network number portion of
the node's IP address.
If a node moves while keeping its IP address unchanged, its network
number will not reflect its new point of attachment. Existing
routing protocols will be unable to route datagrams to it correctly.
This document defines new functions that allow a node to roam on the
Internet, without changing its IP address.
The following entities are defined:
Mobile Node
A host or router that changes its point of attachment from one
network or subnetwork to another.
Home Agent
A router that maintains a registry of the current mobility
bindings for that mobile node, and encapsulates datagrams for
delivery to the mobile node while it is away from home.
Foreign Agent
A router that assists a locally reachable mobile node that is
away from its home network.
Care-of Address
The care-of address is the IP address of the decapsulation
(termination) end of a tunnel toward a mobile node. Depending
on the network configuration, the care-of address may be either
dynamically assigned to the mobile node or associated with a
foreign agent.
Perkins, editor Expires 11 February 1996 [Page 1]
Internet Draft IP Mobility Support 11 August 1995
The following support services are defined:
Agent Discovery
Home agents and foreign agents advertise their availability
on each link for which they provide service. A newly arrived
mobile node can send a solicitation on the link to learn if any
prospective agents are present.
Registration
When the mobile node is away from home, it registers its
care-of address with its home agent. Depending on its method
of attachment, the mobile node will register either directly
with its home agent, or through a foreign agent which forwards
the registration to the home agent.
1.1. Requirements
A mobile node using its home address shall be able to communicate
with other nodes despite changing its point of physical attachment.
Implementation of the protocol described in this document shall not
cause a mobile node to be unable to communicate with other nodes that
do not implement these mobility functions. No protocol enhancements
are required in hosts or routers that are not providing any of the
mobility functions.
A mobile node shall provide authentication in its registration
messages, as described in subsection 3.1.
1.2. Goals
The link by which the mobile node is directly attached to the
Internet is likely to be bandwidth limited, and experience a higher
rate of errors than traditional wired networks. Moreover, mobile
nodes are more likely to be battery powered, and minimizing power
consumption is important. Therefore, only a few administrative
messages should be sent between a mobile node and an agent, and the
size of these messages should be kept as short as possible.
1.3. Assumptions
The protocols defined in this document place no additional
constraints on assignment of IP addresses. That is, a mobile node
Perkins, editor Expires 11 February 1996 [Page 2]
Internet Draft IP Mobility Support 11 August 1995
can be assigned an IP address by the organization that owns the
machine, and will be able to use that IP address regardless of the
current point of attachment.
It is assumed that mobile nodes will not change their point of
attachment to the Internet more frequently than once per second.
It is assumed that IP unicast datagrams are routed based on the
destination address in the datagram header.
1.4. Specification Language
In this document, several words are used to signify the requirements
of the specification. These words are often capitalized.
MUST This word, or the adjective "required", means
that the definition is an absolute requirement
of the specification.
MUST NOT This phrase means that the definition is an
absolute prohibition of the specification.
SHOULD This word, or the adjective "recommended",
means that there may exist valid reasons in
particular circumstances to ignore this item,
but the full implications must be understood
and carefully weighed before choosing a
different course.
MAY This word, or the adjective "optional", means
that this item is one of an allowed set of
alternatives. An implementation which does
not include this option MUST be prepared to
interoperate with another implementation which
does include the option.
silently discard The implementation discards the packet without
further processing, and without indicating an
error to the sender. The implementation SHOULD
provide the capability of logging the error,
including the contents of the discarded packet,
and SHOULD record the event in a statistics
counter.
Perkins, editor Expires 11 February 1996 [Page 3]
Internet Draft IP Mobility Support 11 August 1995
1.5. Terminology
This document frequently uses the following terms:
Agent Advertisement
A periodic advertisement constructed by attaching a special
extension to a router advertisement [6] message.
Correspondent
A peer with which a mobile node is communicating. The
correspondent may be either mobile or stationary.
Home Address
An IP address that is assigned for an extended period of time
to a mobile node. It remains unchanged regardless of where the
node is attached to the Internet. Datagrams addressed to the
home address are intercepted by the home agent while the mobile
node is registered with that home agent.
Link
A facility or medium over which nodes can communicate at the
link layer. A link underlies the network layer.
Link-Layer Address
The address used to identify the endpoints of the communication
over a physical link. Also commonly known as a MAC address.
Mobility Agent
Either a home agent or a foreign agent.
Mobility Binding
The association of a home address with a care-of address, along
with the remaining lifetime of that association.
Mobility Security Association
The mobility security association between a pair of nodes is
a collection of security contexts which may be applied to
Mobile IP protocol messages exchanged by them. Each context
includes the MAC type (subsection 9.1), the secret (a shared
Perkins, editor Expires 11 February 1996 [Page 4]
Internet Draft IP Mobility Support 11 August 1995
key, or appropriate public/private key pair), and the style of
replay protection in use (subsection 9.6).
Nonce
A random value, different from previous choices, inserted in a
packet to protect against replays.
Security Parameter Index (SPI)
The SPI[2] indicates the security context between a pair
of nodes among those available in the Mobility Security
Association.
Tunnel
The path followed by a packet while it is encapsulated. The
model is that, while it is encapsulated, a packet is routed to
a knowledgeable decapsulating agent, which decapsulates the
packet and then correctly delivers it.
Visitor List
The list of mobile nodes visiting a foreign agent.
1.6. Overview of Protocol Events
The following is a rough outline of the mobile-IP protocol:
- Mobility agents advertise their presence via Agent Advertisements
(see section 2).
- A mobile node receives these advertisements and determines
whether it is on its home subnet or a foreign subnet.
- The mobile node, when it detects that it has moved to a foreign
subnet, obtains a care-of address on the foreign subnet. The
care-of address can either be obtained from the advertisements,
or by some assignment mechanism (for example, DHCP [7]).
- The mobile node then registers its new care-of address with its
home agent, possibly via a foreign agent (see section 3).
- Packets sent to the mobile node's Home Address are received by
the home agent and delivered (possibly through a foreign agent)
to the mobile node via encapsulation, using the care-of address
as the new destination (see subsection 8.5).
Perkins, editor Expires 11 February 1996 [Page 5]
Internet Draft IP Mobility Support 11 August 1995
2. Agent Discovery
To communicate with a foreign or home agent, a mobile node must
learn either the IP address or the link address of that agent. It
is assumed that a link-layer connection has been established between
the agent and the mobile node. The method used to establish such
a link-layer connection is not specified in this document. After
establishing a link-layer connection, the mobile node learns whether
there are any agents available. If the address of any home agent
matches the mobile node's stored address for its home agent, the
mobile node is at home.
An agent which is not indicated by a link-layer protocol MUST
implement agent advertisements. The agent advertisements indicate
whether the mobility agent is a home agent or a foreign agent; mobile
nodes MUST process these agent advertisements.
When multiple methods of agent identification are in use, the mobile
node SHOULD first attempt registration with agents including Mobile
Service extensions in their router advertisements in preference
to those sending link-layer advertisements. This order maximizes
the likelihood that the registration will be recognized, thereby
minimizing the number of registration attempts.
No authentication is required for advertisement and solicitation
messages. They MAY be authenticated using the IP Authentication
Header [2], which is external to the messages described here.
Further specification of authentication of advertisement and
solicitation is outside of the scope of this document.
2.1. Agent Solicitation
An agent solicitation, as specified in this document, is an ICMP
Router Solicitation (RFC 1256 [6]). Every mobile node MUST implement
agent solicitations and process agent advertisements, if it needs to
obtain a care-of address in an agent advertisement. However, the
solicitation is only sent when no care-of address has been determined
through a link-layer protocol or other means. Mobility agents which
are not identified by a link-layer protocol MUST respond to agent
solicitations. Mobility agents which are identified by a link-layer
protocol SHOULD respond to agent solicitations.
The same procedures, defaults, and constants are used for agent
solicitation as described in RFC 1256, except that the mobile
node may solicit more often than once every three seconds and
MAX_SOLICITATIONS does not apply for mobile nodes that are currently
unconnected to any foreign agent. A mobile node MAY send a
Perkins, editor Expires 11 February 1996 [Page 6]
Internet Draft IP Mobility Support 11 August 1995
solicitation once each MOBILE_SOLICITATION_INTERVAL (1 second) until
the solicitation is answered by a mobility agent, and the mobile node
can finally issue a registration request.
2.2. Agent Advertisement
Agent advertisements, as specified in this document, are ICMP Router
Advertisements (RFC 1256 [6]) that have been modified to carry the
Mobile Service Extension (subsection 4.1). They can be identified
by examining the number of advertised addresses. When the IP total
length indicates that the ICMP message is longer than needed for the
number of addresses present, the remaining data is interpreted as
one or more extensions. The extensions are described in section 4.
Other extensions may indicate optionally supported features.
Any mobility agent which is not indicated by a link-layer protocol
MUST send agent advertisements. An agent which is indicated by a
link-layer protocol SHOULD also implement agent advertisements.
However, the advertisements need not be sent, except when the site
policy requires registration with the agent, or as a response to a
specific solicitation.
The same procedures, defaults, and constants are used in agent
advertisements as described in RFC 1256 [6], except that:
- a foreign agent MUST limit the rate at which it sends agent
advertisements; a recommended maximum rate is once per second,
and
- a mobility agent that receives a Router Solicitation does not
check that the IP Source Address is the address of a neighbor
(i.e., an address that matches one of the router's own addresses
on the arrival interface, under the subnet mask associated with
that address.)
The Code field of the agent advertisement is interpreted as follows:
0 The mobility agent handles common traffic -- that is, IP data
packets not necessarily related to mobile nodes.
16 The mobility agent does not route common traffic.
2.3. Sequence Numbers, and Rollover Handling
The sequence number in agent advertisements ranges from 0 to
0xffff. After booting, an agent shall use the number 0 for its first
Perkins, editor Expires 11 February 1996 [Page 7]
Internet Draft IP Mobility Support 11 August 1995
advertisement. Each subsequent advertisement shall use the sequence
number one greater, with the exception that the sequence number
0xffff shall be followed by sequence number 256. In this way, mobile
clients can distinguish reductions in sequence numbers that result
from reboots, from reductions that result in rollover of the sequence
number after it attains the value 0xffff.
Perkins, editor Expires 11 February 1996 [Page 8]
Internet Draft IP Mobility Support 11 August 1995
3. Registration
Registration messages exchange information between a mobile node and
its home agent. Registration creates or modifies a mobility binding,
associating the mobile node's home address with a care-of address
which can be used to reach the mobile node.
If a mobile node itself is assigned a care-of address, it can act
without a foreign agent, and register or deregister directly with a
home agent by the exchange of only 2 messages:
a) The mobile node sends a registration request to a home agent,
asking it to provide service.
b) The home agent sends a registration reply to the mobile node,
granting or denying service.
When the care-of address is associated with a foreign agent, the
foreign agent acts as a relay between the mobile node and home agent.
This extended registration process requires 4 messages:
a) The mobile node sends a registration request to the prospective
foreign agent to begin the registration process.
b) The foreign agent relays the request to the home agent, asking
the home agent to register the mobile node at the foreign agent's
care-of address.
c) The home agent sends a registration reply to the foreign agent to
grant or deny service.
d) The foreign agent relays the registration reply to the mobile
node to inform it of the disposition of its request.
The registration messages defined in subsections 3.2 and 3.3 use the
User Datagram Protocol header [17]. A nonzero UDP checksum SHOULD be
included in the header, and checked by each recipient.
An administrative domain MAY require a visiting mobile node to
register via a foreign agent (see the description of the "R" bit, in
subsection 4.1). Service providers may use this feature with packet
filtering fire-walls, or visiting policies (such as accounting) which
require exchanges of authorization.
Perkins, editor Expires 11 February 1996 [Page 9]
Internet Draft IP Mobility Support 11 August 1995
3.1. Authentication
Each mobile node, foreign agent, and home agent MUST be able
to support a mobility security association for mobile entities,
indexed by their IP address. See section 9.1 for requirements
for support of authentication algorithms. Registration messages
between mobile node and home agent MUST be authenticated with
the Mobile-Home Authentication Extension (subsection 4.2). This
extension immediately follows all non-authentication extensions,
except those foreign agent specific extensions which may be added to
the packet after the mobile node computes the authentication.
3.2. Registration Request
A mobile node sends a registration request message so that its home
agent can create or modify a mobility binding for that mobile node
(with a new lifetime). The request may be relayed to the home agent
by the foreign agent from which the mobile node is accepting service,
or it may be sent directly in case the mobile node has received a
care-of address by some other means (e.g, DHCP [7]).
IP fields:
Source For registering with a foreign agent whose IP
address is known, the source address of Registration
Request from the mobile node to the foreign agent
is the IP address of the interface from which the
packet is sent. For registering without a foreign
agent, the source address on the registration
request MUST be its care-of address.
Destination When the IP address is unknown (e.g., the agent was
discovered via a link-layer protocol), the "All
Mobility Agents" multicast address (224.0.0.11) is
used. The link-layer unicast address is used to
deliver the datagram to the correct agent.
Any Registration Request sent from the mobile node
to a foreign agent should have the destination
address of the foreign agent, as learned from the
source address of the Agent Advertisement from which
the mobile node discovered its proposed care-of
address. For registering without a foreign agent,
the destination address should be the address that
the mobile node uses for its home agent.
Perkins, editor Expires 11 February 1996 [Page 10]
Internet Draft IP Mobility Support 11 August 1995
UDP fields:
Source Port variable
Destination Port 434
The UDP header is followed by the Mobile-IP fields shown below:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type |S|B|D|M|G|rsvd | Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Agent |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Care-of Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extensions ...
+-+-+-+-+-+-+-+-
Type 1, for version 1 of this protocol
S If the 'S' bit is set, the mobile client is
requesting that the home agent retain its
prior mobility bindings, as described in
subsection 6.7.
B If the 'B' bit is set, the mobile client
requests that the home agent send to it, all
broadcasts on the home network, as described in
subsection 8.6.
D If the 'D' bit is set, the mobile client will
itself decapsulate datagrams which are sent to
the care-of address.
M If the 'M' bit is set, the mobile node asks its
home agent to use minimal encapsulation [15].
G If the 'G' bit is set, the mobile node asks its
home agent to use GRE encapsulation [9].
Perkins, editor Expires 11 February 1996 [Page 11]
Internet Draft IP Mobility Support 11 August 1995
Lifetime The number of seconds remaining before the
registration is considered expired. A value of
zero indicates a request for deregistration. A
value of all ones indicates infinity.
Home Address The IP address of the mobile node.
Home Agent The IP address of a home agent.
Care-of Address The IP address for the end of a tunnel.
Identification A 64-bit number, constructed by the mobile node,
useful for matching requests with replies, and
for protecting against replay attacks (see
subsections 9.4, 9.6).
3.3. Registration Reply
The registration reply message is returned by a home agent to a
mobile node which has sent a registration request (subsection 3.2)
message. If the mobile node is accepting service from a foreign
agent, that foreign agent will receive the reply from the home
agent and subsequently relay it to the mobile node. The reply
message contains the necessary codes to inform the mobile node about
the status of its request, along with the lifetime granted by the
home agent, which MAY be smaller than the original request. If a
foreign agent receives a registration reply with status code greater
than or equal to 128, it must use the home agent field from the
registration reply when it relays the request to the mobile node.
See subsection 8.2 for details regarding the selection of the reply
identification.
Mobility agents MUST NOT increase the lifetime selected by the mobile
node in the registration request. If the lifetime of the reply is
greater than the original request, the excess time MUST be ignored.
When the lifetime of the reply is smaller than the original request,
another registration SHOULD occur before the smaller lifetime
expires.
Perkins, editor Expires 11 February 1996 [Page 12]
Internet Draft IP Mobility Support 11 August 1995
IP fields:
Source copied from the destination address of the
Registration Request to which the agent is replying
Destination copied from the source address of the Registration
Request to which the agent is replying
UDP fields:
Source Port variable
Destination Port variable, depending upon the source port of the
request
A foreign agent that has received a registration request message must
save the IP source address and the UDP source port from that message
so that it will be able to send the subsequent registration reply
message to the correct UDP port on the mobile node (subsection 7.1).
The UDP header is followed by the Mobile-IP fields shown below:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Agent |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extensions ...
+-+-+-+-+-+-+-+-
Type 3
Code One of the following codes:
0 service will be provided
1 service will be provided; simultaneous
mobility bindings unsupported
Perkins, editor Expires 11 February 1996 [Page 13]
Internet Draft IP Mobility Support 11 August 1995
Service denied by the foreign agent:
64 reason unspecified
65 administratively prohibited
66 insufficient resources
67 mobile node failed authentication
68 home agent failed authentication
69 requested lifetime too long
70 poorly formed request
71 poorly formed reply
80 home network unreachable (ICMP error)
81 home agent host unreachable (ICMP error)
82 home agent port unreachable (ICMP error)
88 home agent unreachable (other ICMP error)
Service denied by the home agent:
128 reason unspecified
129 administratively prohibited
130 insufficient resources
131 mobile node failed authentication
132 foreign agent failed authentication
133 identification mismatch
134 poorly formed request
135 too many simultaneous mobility bindings
136 unknown home agent address
Up-to-date values of the Code field are specified
in the most recent "Assigned Numbers" [18].
Lifetime The seconds remaining before the registration is
considered expired. A value of zero confirms a
request for deregistration. A value of all ones
indicates infinity.
Home Address The IP address of the mobile node.
Home Agent The IP address of a home agent.
Identification The registration identification is copied from
the request message, for use by the mobile
node in matching its reply with an outstanding
request.
Perkins, editor Expires 11 February 1996 [Page 14]
Internet Draft IP Mobility Support 11 August 1995
4. Mobility Message Extensions
Each message begins with a short fixed part, followed by one or more
mobility message extensions, in type-length-value format. These
extensions may apply to agent advertisement messages (subsection 2.2)
and registration messages (section 3).
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Data ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
Current values are assigned as follows:
16 Mobile Service
19 Prefix Lengths
32 Mobile-Home Authentication
33 Mobile-Foreign Authentication
34 Foreign-Home Authentication
Up-to-date values are specified in the most recent "Assigned
Numbers" [18].
Length
Indicates the length (in bytes) of the data field. The length
does not include the Type and Length bytes.
Data
This field is zero or more bytes in length and contains the
value(s) for this extension. The format and length of the data
field is determined by the type and length fields.
Extensions allow variable amounts of information to be carried within
each datagram. The end of the list of extensions is indicated by the
total length of the IP datagram.
When an extension numbered in the range 0-127 is encountered but not
recognized, the packet containing the extension must be dropped.
When an extension numbered in the range 128-255 is encountered which
is not recognized, that particular extension is ignored, but the rest
of the extensions and packet data can still be processed. The length
field of the extension is used to skip the data field in searching
for the next extension.
Perkins, editor Expires 11 February 1996 [Page 15]
Internet Draft IP Mobility Support 11 August 1995
4.1. Mobile Service Extension
The Mobile Service Extension is used to indicate that a router
advertisement message is actually an agent advertisement being sent
by a mobility agent (see subsection 2.2). When foreign agents cannot
accept new requests for service from mobile clients, they will set
the Busy bit; if the Busy bit is turned off, the agent may attract
new mobile clients. An agent which wishes to serve as a foreign
agent, sets the 'F' bit in the flags field of the extension; likewise
an agent which wishes to serve as a home agent sets the 'H' bit.
Any home agent must always be prepared to serve its mobile clients.
Thus, it is an error to have the 'B' bit set without also having the
'F' bit set, since only foreign agents are permitted to be too busy
to service new requests. When the 'R' bit is set to 1, the mobile
node SHOULD register through the foreign agent, even when the mobile
node has been assigned another care-of address.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime |R|B|H|F|M|G| reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| zero or more Care-of Addresses |
| ... |
Type 16
Length (6 + 4*N), where N is the number of
care-of addresses advertised.
Sequence number The count of advertisement messages sent since
the agent was initialized (see section 2.2).
Lifetime The longest lifetime (measured in seconds)
that the agent is willing to accept in any
registration request. A value of all ones
indicates infinity.
R Foreign agent registration required bit.
B Busy bit. The foreign agent is not willing to
accept any more registrations. Only valid if
F=1.
H Agent offers service as a home agent.
Perkins, editor Expires 11 February 1996 [Page 16]
Internet Draft IP Mobility Support 11 August 1995
F Agent offers service as a foreign agent.
M Agent offers minimal encapsulation (see [15]).
G Agent offers GRE encapsulation (see [9]).
reserved Sent as zero; ignored on reception.
Care of Address a foreign agent's care-of addresses
4.2. Mobile-Home Authentication Extension
This extension must be present in all registration requests and
replies, and is intended to eliminate problems[3] which result from
the uncontrolled propagation of remote redirects in the Internet.
See subsection 9.1 for information about support requirements
for message authentication codes, etc. The location of the
authentication extension marks the end of the authenticated data.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... SPI (cont.) | Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 32
Length The number of data bytes in the extension.
SPI Security Parameter Index (4 bytes)
Authenticator (variable length) A value computed from a stream
of bytes including the shared secret, the UDP
payload (that is, the registration request
or reply data), all prior extensions in their
entirety, and the type and length of this
extension, but not including the Authenticator
field itself nor the UDP header.
4.3. Mobile-Foreign Authentication Extension
This extension may be found in registration requests and replies
where a security association exists between the mobile node and a
Perkins, editor Expires 11 February 1996 [Page 17]
Internet Draft IP Mobility Support 11 August 1995
foreign agent. See subsection 9.1 for information about support
requirements for message authentication codes, etc.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... SPI (cont.) | Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 33
SPI Security Parameter Index (4 bytes)
Length The number of data bytes in the extension.
Authenticator (variable length) A value computed from a stream
of bytes including the shared secret, the UDP
payload (that is, the registration request
or reply data), all prior extensions in their
entirety, and the type and length of this
extension, but not including the Authenticator
field itself nor the UDP header.
4.4. Foreign-Home Authentication Extension
This extension may be found in registration requests and replies
where a security association exists between the foreign agent and
a home agent. See subsection 9.1 for information about support
requirements for message authentication codes, etc.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... SPI (cont.) | Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 34
SPI Security Parameter Index (4 bytes)
Length The number of data bytes in the extension.
Perkins, editor Expires 11 February 1996 [Page 18]
Internet Draft IP Mobility Support 11 August 1995
Authenticator (variable length) A value computed from a stream
of bytes including the shared secret, the UDP
payload (that is, the registration request
or reply data), all prior extensions in their
entirety, and the type and length of this
extension, but not including the Authenticator
field itself nor the UDP header.
4.5. Prefix Length Extension
The Prefix Lengths extension may be found in agent advertisements
(see subsection 2.2). This extension allows a mobile node to
determine the subnet prefixes used by the agent for the router
interfaces listed in the agent's advertisements.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Prefix Length | ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 19
Length 2
Prefix length (multiple prefixes may be specified) The number
of leading bits which define the network number
of an advertised router interface.
The prefix length may be used by mobile nodes to determine whether or
not a newly detected care-of address should cause the initiation of
a registration request using that new care-of address. The mobile
node can compare the local IP addresses known from several received
advertisements, mask off the number of bits if the advertised prefix
lengths are the same, and determine whether or not the foreign agents
are advertising over the same local medium. If the mobile node
determines that they are, then it may wish to avoid submitting a new
registration request.
Note that extreme caution is indicated in the use and interpretation
of this extension. In the case of wireless interfaces, it is
almost impossible for two different foreign agents to provide
identical coverage in space, so that they cannot claim to have
wireless interfaces situated on the same subnetwork. In the case
of wired interfaces, a mobile node connecting to a new point of
attachment to another is likely to send in a new registration
request no matter whether the new advertisement is on the same
Perkins, editor Expires 11 February 1996 [Page 19]
Internet Draft IP Mobility Support 11 August 1995
medium as the last recorded advertisement. And, finally, in areas
with dense populations of foreign agents it would seem unwise
to require the propagation via routing protocols of the subnet
prefixes associated with each individual wireless foreign agent;
such a strategy could lead to quick depletion of available space
for routing tables, unwarranted increases in the time required for
processing routing updates, and longer decision times for route
selection if routes (which are almost always unnecessary) are stored
for wireless "subnets". Moreover, in the latter case, there is no
expected improvement from the use of subnet prefixes for the wireless
interfaces in the foreign agents.
5. Encapsulation techniques
Support for IP in IP encapsulation [14] is required in home
agents and foreign agents, and any mobile node which can accept a
dynamically assigned care-of address. Minimal encapsulation [15] and
GRE encapsulation [9] are alternate encapsulation methods which may
optionally be supported by mobility agents. Minimal encapsulation
may only be used when an original datagram is not a fragment.
A foreign agent which is capable of using minimal decapsulation
includes the 'M' bit (subsection 4.1) in its agent advertisements.
A mobile node, after receiving this indication in an agent
advertisement, indicates the capability of decapsulating the minimal
header at the care-of address by setting the 'M' bit (subsection 3.2)
in its registration request. A mobile node MUST NOT set this bit
unless its foreign agent has advertised support for it. The use of
the minimal header is entirely at the discretion of the home agent.
Similar considerations hold for use of GRE encapsulation and setting
the 'G' bit (subsections 3.2, 4.1)
Perkins, editor Expires 11 February 1996 [Page 20]
Internet Draft IP Mobility Support 11 August 1995
6. Mobile Node Considerations
A mobile node listens for agent advertisements at all times that
it has a link connection. In this manner, it can learn that its
foreign agent has changed, or that it has arrived home. Whenever a
mobile node detects such a change in its network connectivity, it
should initiate the registration process. When it is away from home,
the mobile node's (de)registration request allows its home agent to
create or modify a mobility binding, (subsections 3.2, 7.3). When it
is at home, the mobile node's registration request allows its home
agent to erase any previous mobility binding (subsection 6.4). A
mobile node operates without the support of mobility functions when
it is at home.
Appendix B discusses the interaction of this mobility specification
with some link layer implementations for media which may be used with
mobile nodes.
A mobile node MUST NOT register with a new foreign agent because
it has received an ICMP Redirect from the foreign agent that is
currently providing service to it.
6.1. Configuration and Registration Tables
A mobile node must be configured with its IP home address, and a
mobility security association for each home agent. In addition, a
mobile node may be configured with the IP address of one or more of
its home agents.
For each pending registration, the mobile host needs the following:
- link-layer address of foreign agent, if applicable
- care-of address
- registration identification
- lifetime
6.2. Registration When Away From Home
In the absence of link-layer indications of changes in point of
attachment, agent advertisements from new agents do not necessarily
affect a current registration. In the absence of link-layer
indications, a mobile node MUST NOT attempt to register more
often than once per second. A mobile node may register with a
different agent when transport-layer protocols indicate excessive
retransmissions. Within these constraints, the mobile node MAY
register again at any time.
Perkins, editor Expires 11 February 1996 [Page 21]
Internet Draft IP Mobility Support 11 August 1995
If a mobile node detects two successive values of the sequence number
in the advertisements from its foreign agent, the second of which is
less than the first and inside the range 0 to 255, the mobile node
MUST register again. If the second value is less than the first, but
greater than or equal to 256, the mobile node may assume that the
sequence number has rolled over past its maximum value (0xffff), and
that there is no need to re-register (see subsection 2.2).
If the mobile node does not know the address of any of its home
agents, it may send a registration request to the directed broadcast
address of the home network. In this case, any registration
reply that is returned to the mobile node will contain a valid
address for a home agent, so that the mobile node can re-issue
the registration request with the correct home agent address if
necessary. This registration reply MUST contain a lifetime of 0.
Note that those home agents which are not satisfied with the mobile
node's authentication extension may choose not to reply to such a
registration request. This may indicate that several or all the home
agents on the home network should share the same key for the mobile
node.
A mobile node SHOULD NOT request a lifetime for its registration that
exceeds the lifetime learned in an agent advertisement. When the
method by which the care-of address is learned does not include a
lifetime, the default router advertisement lifetime (1800 seconds)
may be used. The lifetime MAY be modified by the home agent in its
reply. A mobile node SHOULD register again before the lifetime of
its registration expires. A mobile node MAY ask a home agent to
terminate forwarding service to a particular care-of address, by
sending a registration with a lifetime of zero (see subsection 8.2).
The mobile node SHOULD construct its registration identification by
concatenating another value of its own choice to the most recent
nonce received from its home agent. This value in the low order 32
bits of the identification can be another nonce, or a duplicate of
the nonce received from the home agent (see subsection 9.6.1).
6.3. Registration with a dynamically assigned care-of address
In cases where a mobile node away from home is able to dynamically
acquire a transient IP address (e.g. via DHCP [7]), the mobile node
can operate indepently of any foreign agent, using the transient
address as the care-of address. This feature MUST NOT be used unless
the mobile node has mechanisms to detect changes in its link-layer
connectivity, and can initiate acquisition of a new transient address
each time such a change occurs. The lifetime of such a registration
is chosen by the mobile node.
Perkins, editor Expires 11 February 1996 [Page 22]
Internet Draft IP Mobility Support 11 August 1995
When the mobile node is away from home and detects a foreign agent
advertisement that has the "R" bit (registration required) set in the
Mobile Service Extension (subsection 4.1), the mobile node SHOULD
register through an appropriate foreign agent, even when it has
obtained a dynamically assigned care-of address.
6.4. Deregistration When At Home
When a mobile node is attached to its home link, it will no longer
need any forwarding service from its home agent. A deregistration
procedure SHOULD be used between the mobile node and its home
agent. The deregistration process involves the exchange of only two
messages:
a) The mobile node sends a registration request directly to its home
agent, with the lifetime set to zero, and the Code field set to
0, to indicate that the home agent remove all bindings for the
mobile node. The care-of address is set to the mobile node's
home address.
b) The home agent sends a registration reply to the mobile node to
indicate the success or failure of the mobile node's attempted
deregistration.
A mobile node on its home network need not register again with a home
agent when a change of sequence number occurs, or the advertisement
lifetime expires, or even when the home agent crashes, since it isn't
seeking service from the home agent.
6.5. Registration Replies
To be accepted, the reply must match the registration identification
of its most recent registration request to the sender; otherwise, the
message is silently discarded. If nonces are in use, the mobile node
records the first 32 bits for use in its next registration request;
otherwise, if timestamps are in use, the entire 64 bit field may be
used for identification (see subsection 9.6).
When a reply is received which has a code indicating rejection by
the foreign agent, the Mobile-Home Authenticator will be missing or
invalid. If a later authenticated reply is received, and if the
previous registration is remembered, that later reply supersedes the
unauthenticated reply. Otherwise, when a reply is received with
an invalid authenticator, the message is silently discarded. The
mobile node is not required to issue any message in response to a
registration reply.
Perkins, editor Expires 11 February 1996 [Page 23]
Internet Draft IP Mobility Support 11 August 1995
6.6. Registration Retransmission
When no reply has been received within a reasonable time,
another registration request is transmitted. When timestamps
are used, a new registration identification is chosen for each
retransmission; thus it counts as a new registration. When nonces
are used, the unanswered request is retransmitted unchanged;
thus the retransmission does not count as a new registration (see
subsection 9.6). In this way a retransmission will not require the
home agent to resynchronize with the mobile node by issuing another
nonce.
The maximum time until a new registration request is sent SHOULD be
no greater than the requested lifetime of the registration request.
The minimum value SHOULD be large enough to account for the size
of the packets, twice the round trip time for transmission at the
link speed, and at least an additional 100 milliseconds to allow
for processing the packets before responding. Some circuits add
another 200 milliseconds of satellite delay. The minimum time
between registration requests MUST NOT be less than 1 second. Note
that retransmissions with nonces do not count as new registration
requests. Each successive wait SHOULD be at least twice the previous
wait, as long as that is less than the maximum.
6.7. Simultaneous mobility bindings
Multiple simultaneous mobility bindings are likely to be useful when
a mobile node moves within range of multiple cellular systems. IP
explicitly allows duplication of datagrams. When the home agent
allows simultaneous bindings, it will encapsulate a separate copy of
each arriving datagram to each care-of address, and the mobile node
will receive multiple copies of its datagrams.
In order to request this optional capability, the mobile node sends
the registration request with the 'S' bit set to 1. The return code
in the registration reply indicates whether or not previous bindings
were maintained. When the need for multiple mobility bindings has
passed, the mobile node SHOULD register again, to remove the other
bindings.
6.8. Mobile Routers
A mobile node can be a router, which is responsible for the mobility
of one or more entire networks moving together, perhaps on an
airplane, a ship, a train, an automobile, a bicycle, or a kayak.
The nodes connected to a network served by the mobile router may
Perkins, editor Expires 11 February 1996 [Page 24]
Internet Draft IP Mobility Support 11 August 1995
themselves be fixed nodes or mobile nodes or routers. In this
subsection, such networks are called "mobile networks".
A mobile router may provide a care-of address to mobile nodes
connected to the mobile network. In this case, when a correspondent
host sends a packet to the mobile node, the actions described in the
next paragraph should occur.
Normal IP procedures will route the packet addressed to the mobile
node from the correspondent host to the mobile node's home agent.
This home agent's binding for the mobile node causes it to tunnel the
packet to the mobile router. Normal IP procedures will then route
the packet from this home agent to the mobile router's home agent.
That home agent's binding for the mobile router causes the packet
to be doubly tunneled to the mobile router's care-of address. For
the sake of discussion, assume there is a foreign agent available at
that care-of address. The mobile router's foreign agent will then
detunnel the packet and use its visitor list entry to deliver the
packet to the mobile router. The mobile router will then detunnel
the packet and use its visitor list entry to deliver the packet
finally to the mobile node.
If a fixed node is connected to a mobile network then either of two
methods may be used to cause packets from correspondent hosts to be
routed to the fixed node.
A home agent may be configured that has a permanent registration for
the fixed node that indicates the mobile router's address as the
fixed host's care-of address. The mobile router's home agent will
usually be used for this purpose. The home agent is then responsible
for advertising connectivity using normal routing protocols to
the fixed node. Any packets sent to the fixed node will thus use
recursive tunneling as described above.
Alternatively, the mobile router may advertise connectivity to the
fixed node using normal routing protocols through its own home agent.
This method avoids the need for recursive tunneling of packets.
Perkins, editor Expires 11 February 1996 [Page 25]
Internet Draft IP Mobility Support 11 August 1995
7. Foreign Agent Considerations
The foreign agent is passive and has a minimal role; it relays
registration requests between the home agent and the mobile node,
and decapsulates datagrams for delivery to the mobile node. It may
advertise its services to prospective mobile clients as described in
subsections 2.2 and 4.1.
The foreign agent MUST NOT originate a request or reply that has not
been prompted by the mobile node. No request or reply is generated
to indicate that the service lifetime has expired. A foreign agent
MUST NOT originate a message that asks for deregistration of a mobile
node; however, it MUST relay valid deregistration requests originated
by the mobile node.
The foreign agent MUST NOT advertise to other routers in its routing
domain, nor to any other mobile node, the presence of a mobile
router. The foreign agent SHOULD be able to serve as a default
router for the mobile nodes registered with it.
7.1. Configuration and Registration Tables
Each foreign agent will need a care-of address. In addition, for
each pending or current registration, the foreign agent will need a
visitor list entry containing:
- Media address of mobile node
- home address
- home agent
- lifetime
For each pending registration, a foreign agent must also store
the low-order 32 bits of the registration identification, as sent
by the mobile node. (The high-order 32 bits may differ in the
registration reply. See subsection 9.6). In addition, the foreign
agent must store the source port from which the mobile node's
registration request was sent, so that the foreign agent can properly
return the eventual registration reply. As with any host on the
internet, a foreign agent may also maintain a security association
for each pending or current registrant, and use it to authenticate
the registration requests and replies of the mobile node or its
home agent (subsections 4.3, 4.4). The foreign agent may use an
available security association with the home agent to compute the
authentication data for the foreign-home authentication extension.
Even if a foreign agent implements authentication, it might not use
authentication with each registration, because of the key management
difficulties.
Perkins, editor Expires 11 February 1996 [Page 26]
Internet Draft IP Mobility Support 11 August 1995
7.2. Receiving Registration Requests
If the foreign agent is able to satisfy an incoming registration
request, then it relays the request to the home agent. Otherwise, it
denies the request by sending a registration reply to the mobile node
with an appropriate code. If the request is being denied because
the requested lifetime is too long, the foreign agent replaces
it with an acceptable value for the lifetime in the registration
reply containing the rejection code. If the foreign agent denies a
registration request, the home agent field in the registration reply
should be copied from the request message. The foreign agent must
maintain a list of pending requests, which includes the IP source
address and UDP source port, in order that a correctly addressed
reply can be returned to the mobile node. If a foreign agent
receives a deregistration request from a mobile node in its visitor
list, the visitor list entry SHOULD NOT be purged until the home
agent sends back a status indicating success.
7.3. Receiving Registration Replies
A registration reply should be silently discarded unless its
identification matches a pending registration request. If the
registration reply is sent from the home agent with a status code
indicating a successful registration, then the foreign agent updates
its visitor list accordingly. If the foreign agent receives an ICMP
error instead of a registration reply in response to the registration
request, then it returns an appropriate "Home Agent Unreachable"
failure code (within the range 80-95, inclusive) to the mobile node.
7.4. Decapsulation
Every foreign agent which receives an encapsulated packet sent to
its advertised care-of address MUST compare the inner destination
address to those entries in its visitor list. When the destination
does not match any node currently in the visitor list, the foreign
agent MUST NOT forward the datagram without modifications to the
original IP header, because otherwise a routing loop is likely to
result. The datagram SHOULD be silently discarded. ICMP Destination
Unreachable MUST NOT be sent when a foreign agent is unable to
forward an incoming tunneled datagram.
Perkins, editor Expires 11 February 1996 [Page 27]
Internet Draft IP Mobility Support 11 August 1995
8. Home Agent Considerations
The home agent has primary responsibility for processing and
coordinating mobility services. Packets destined for mobile clients
will arrive at a home agent that advertises connectivity to the home
network containing the addresses of those mobile clients. The home
agent will then encapsulate the packet and deliver it to the care-of
address most recently reported by the mobile client.
Often, the home agent will advertise connectivity to a home network
which does not correspond to any particular physical medium (e.g,
extent of Ethernet cabling). This is described by saying that the
mobile clients have addresses on a virtual home network.
The home agent for a given mobile node SHOULD be located on the link
identified by the home address, if the home network is not merely a
virtual network. In this case, the home agent MUST send out agent
advertisements with the 'H' bit (see subsection 4.1) set, so that
mobile nodes on their home network will be able to determine that
they are indeed at home.
8.1. Configuration and Registration Tables
Each home agent will need an IP address, and the prefix size for the
home network, if the home network is not a virtual network. The
home agent will need to know home address and mobility security
association of each authorized mobile node. When an authorized
mobile node becomes registered, the home agent will create or modify
its mobility binding list entry containing:
- care-of address
- registration identification
- lifetime
8.2. Receiving Registration Requests
Upon receipt of a registration request (subsection 3.2), the
home agent grants or denies the service requested, by sending a
registration reply (subsection 3.2) to the sender of the request with
the appropriate code set. The home agent sends the registration
reply back to the same UDP port from which it was sent. If service
permission is granted, the home agent will update its mobility
binding list with the care-of address of the tunnel. The home
agent MAY impose a shorter lifetime than was requested for in the
Registration Request message. If the Registration Request duplicates
Perkins, editor Expires 11 February 1996 [Page 28]
Internet Draft IP Mobility Support 11 August 1995
an accepted current Registration Request, the new lifetime MUST NOT
extend beyond the lifetime originally granted.
The request is validated by checking the registration identification
(see subsection 9.6), and the Mobile-Home Authentication Extension
(subsection 4.2) using the context selected by the security parameter
index. Other authentication extensions are also validated when
present. When the registration request is valid, the home agent
may select a new nonce for use by the mobile node upon its next
registration request, and include it in the first 32 bits of the
identification field of the registration reply. The low order 32
bits of that field remain unmodified for use by the mobile node
in matching the registration reply with one of its outstanding
registration requests.
When a registration request is invalid, a registration reply is
sent with the appropriate error code. This reply will be used by a
foreign agent to delete its pending request list entry, if a foreign
agent was involved in relaying the registration request. If the
request was invalid because of the use of an unexpected value in the
identification field of the registration request, the home agent
SHOULD use the high-order bits of the current identification to
provide a new identification value for the mobile node. In this
case, the home agent MAY report an authentication exception to its
network management support software. The registration reply status
code in this case is 133. If the registration request was invalid
because of an invalid authenticator value, the home agent MUST issue
an authentication exception. The registration reply status code is
then 131.
If the registration request is sent to the directed broadcast
address of the home network, any home agent may deny the registration
request, returning status code 136. In this case, the registration
reply will contain the home agent's address, so that the mobile node
can re-issue the registration request with the correct home agent
address.
A mobile node requests termination of service by indicating a
lifetime of zero. If the Code field is 1, the home agent removes
the mobility binding for that care-of address from its forwarding
list. Otherwise, if the Code field is 0, the home agent removes the
mobility bindings for all foreign agents associated with that mobile
node from its mobility binding list. On termination, no reply is
sent to additional associated foreign agents. The entries in their
visitor lists are allowed to expire naturally.
Perkins, editor Expires 11 February 1996 [Page 29]
Internet Draft IP Mobility Support 11 August 1995
8.3. Simultaneous mobility bindings
When a home agent supports the optional capability of multiple
simultaneous mobility bindings, any datagrams forwarded are
simply duplicated, and a copy is sent to each care-of address.
If the home agent is unable to fulfill requests for simultaneous
bindings but is otherwise willing to approve the mobile node's
registration request, it returns the appropriate status (1) in
the registration reply (subsection 3.3) to the mobile node. When
the mobile node makes future registration requests, it will then
be able to determine whether it can expect simultaneous service
at multiple care-of addresses. A home agent can limit the number
of simultaneous registrations for a mobile client, by rejecting
any registrations that would cause its limit to be exceeded, and
returning a registration reply with error code 135.
8.4. Registration Expiration
If the lifetime for a given mobility binding expires before the home
agent has received another registration request, then that binding is
erased from the mobility binding list. No special registration reply
is sent to the foreign agents. The entries in the visitor lists will
expire naturally, and probably at the same time. When a mobility
binding's lifetime expires, the home agent drops it regardless of
whether or not simultaneous bindings are supported.
8.5. Encapsulation
Every home agent must examine the IP header of all arriving
traffic to see if it contains a destination address equal to the
home address of any of its mobile nodes. Packets with matching
destination addresses are encapsulated and delivered to the indicated
care-of address found in the associated mobility binding. If the
mobile node is at home, the home agent will simply forward the
datagram directly to it; however, in this case, it is expected
that the datagram will never be received by the home agent. See
section 5) about methods of encapsulation that may be used.
Maintenance of "soft tunnel state" (described in [14]) effectively
reduces transmission errors in the tunnel.
Suppose an encapsulated datagram arrives at the home agent, that is
to be delivered to one of its mobile clients. If the destination of
the inner header is not that same the mobile client, the home agent
may recursively encapsulated it for delivery to its care-of address.
Otherwise, the home agent may simply alter the outer destination
to the care-of address, unless the care-of address is the same as
Perkins, editor Expires 11 February 1996 [Page 30]
Internet Draft IP Mobility Support 11 August 1995
the origination point of the encapsulated datagram. In the latter
case, if the home agent receives a datagram for one of its mobile
clients, and the packet's IP source address is identical to the
care-of address contained in the mobility binding list, the home
agent MUST discard that packet. If the packet were forwarded back to
the care-of address, a loop might result.
8.6. Broadcast packets
When a home agent receives a broadcast packet, it transmits the
packet to only those mobile nodes on its mobility binding list that
have requested broadcast service. Mobile nodes request encapsulated
delivery of broadcast packets by setting the 'B' bit in their
Registration Request packets (subsection 3.2). If the mobile node is
using its own dynamically-assigned care-of address, as indicated by
the 'D' bit in its Registration Request packet (subsection 3.2), the
home agent simply tunnels each received broadcast IP datagram to this
care-of address. Otherwise, when the mobile node registered through
a foreign agent, the home agent first encapsulates the broadcast
datagram in a unicast datagram addressed to the mobile node's home
address, and then tunnels this encapsulated datagram to the foreign
agent. This extra level of encapsulation is required so that foreign
agent can determine which mobile node should receive the packet after
it is decapsulated. When received by the foreign agent, the unicast
encapsulated datagram is detunneled and delivered to the mobile
node in the same way as any other datagram. In either case, the
mobile node must decapsulate the datagram it receives to recover the
original broadcast datagram.
8.7. Multicast packets
The rules regarding multicast packets to mobile clients are much the
same as those relevant to multicast to other clients.
Perkins, editor Expires 11 February 1996 [Page 31]
Internet Draft IP Mobility Support 11 August 1995
9. Security Considerations
The mobile computing environment is potentially very different from
the ordinary computing environment. In many cases, mobile computers
will be connected to the network via wireless links. Such links
are particularly vulnerable to passive eavesdropping, active replay
attacks, and other active attacks.
9.1. Message Authentication Codes
Home agents and mobile nodes MUST be able to perform authentication.
The default algorithm is keyed MD5 [19], with a key size of 128
bits. The default mode of operation is to both precede and follow
the data to be hashed, by the 128-bit key; that is, MD5 is to be
used in suffix+prefix mode. The foreign agent SHOULD also support
authentication using keyed MD5 and key sizes of 128 bits or greater,
with manual key distribution. More authentication algorithms,
algorithm modes, key distribution methods, and key sizes MAY also be
supported.
9.2. Areas of security concern in this protocol
The registration protocol described in this document will result
in a mobile node's traffic being tunneled to its care-of address.
This tunneling feature could be a significant vulnerability if the
registration were not authentic. Such remote redirection, for
instance as performed by the mobile registration protocol, is widely
understood to be a security problem in the current Internet([3]).
Moreover, the Address Resolution Protocol (ARP) is not authenticated,
and can potentially be used to steal another host's traffic. The use
of "Gratuitous ARP" (see Appendix A) brings with it all of the risks
associated with the use of ARP.
9.3. Key management
This specification requires a strong authentication mechanism
(keyed MD5) which precludes many potential attacks based on the
Mobile IP registration protocol. However, because key distribution
is difficult in the absence of a network key management protocol,
messages with the foreign agent are not all required to be
authenticated. In a commercial environment it might be important
to authenticate all messages between the foreign agent and the home
agent, so that billing is possible, and service providers don't
provide service to users that are not legitimate customers of that
service provider.
Perkins, editor Expires 11 February 1996 [Page 32]
Internet Draft IP Mobility Support 11 August 1995
9.4. Picking good random numbers
The strength of any authentication mechanism is dependent on
several factors, including the innate strength of the authentication
algorithm, the secrecy of the key used, the strength of the key used,
and the quality of the particular implementation. This specification
requires implementation of keyed MD5 for authentication, but does not
preclude the use of other authentication algorithms and modes. For
keyed MD5 authentication to be useful, the 128-bit key must be both
secret (that is, known only to authorized parties) and pseudo-random.
If nonces are used in connection with replay protection, they must
also be selected carefully. Eastlake, et.al. ([8]) provides more
information on generating pseudo-random numbers.
9.5. Privacy
Users who have sensitive data that they do not wish others to see
should use mechanisms outside the scope of this document (such as
encryption) to provide appropriate protection. Users concerned about
traffic analysis should consider appropriate use of link encryption.
If absolute location privacy is desired, the Mobile Node can create a
tunnel to its Home Agent. Then, packets destined for correspondent
hosts will appear to emanate from the Home Network, and it may be
more difficult to pinpoint the location of the mobile node.
9.6. Replay Protection for Registration Requests
The Identification field is used to let the home agent verify that a
registration message has been freshly generated by the mobile node,
not replayed by an attacker from some previous registration. The
exact method of using the field depends upon the mobile security
association defined between the mobile node and home agent. Two
methods are described here: using random "nonce" values (preferred),
and another method using timestamps. A mobile node and its home
agent must agree on the use of replay protection, because if a home
agent expects only a nonce, it is unlikely to accept the mobile
node's time value.
Whatever method is used, the low order 32 bits of the identification
MUST be copied unchanged from the registration request to the reply.
The foreign agent uses those bits to match registration requests with
corresponding replies. The mobile node MUST verify that the low
order 32 bits of any registration reply are identical to the bits it
sent in the registration request.
Perkins, editor Expires 11 February 1996 [Page 33]
Internet Draft IP Mobility Support 11 August 1995
The Identification in a new registration request MUST NOT be the same
as in an immediately preceding request, and SHOULD NOT repeat during
the lifetime of the selected security context between the mobile node
and the home agent. Retransmission as in subsection 6.6 is allowed.
9.6.1. Replay Protection using Nonces
The basic principle of nonce replay protection is that Node A
includes a new random number in every message to node B, and checks
that Node B returns that same number in its next message to node
A. Both messages use a cryptographic checksum to protect against
alteration by an attacker. At the same time Node B can send its own
nonces in all messages to Node A (to be echoed by node A), so that it
too can verify that it is receiving fresh messages.
The home agent may be expected to have resources for computing
pseudo-random numbers useful as nonces[8]. It inserts a new nonce
as the high-order 32 bits of the identification field of every
registration reply. The home agent copies the low-order 32 bits of
the Identification from the registration request message. When the
mobile node receives an authenticated registration reply from the
home agent, it saves the high order 32 bits of the identification for
use as the high-order 32 bits of its next registration request.
The mobile node is responsible for generating the low order 32
bits of the Identification in each registration request. Ideally
it should generate its own random nonces. However it may use any
expedient method, including duplication of the random value sent by
the home agent. The method chosen is of concern only to the mobile
node, because it is the node that checks for valid values in the
registration reply. The high-order and low-order 32 bits of the
identification chosen SHOULD both differ from their previous values.
The home agent needs a new high order value and the mobile node needs
a new low-order value for replay protection. The foreign agent needs
a new low-order value to correctly match registration replies with
pending requests (see subsection 7.1).
If a registration message is rejected because of an invalid nonce,
the reply always provides the mobile node with a new nonce to
be used in the next registration. Thus the nonce protocol is
self-synchronizing.
9.6.2. Replay Protection using Timestamps
The basic principle of timestamp replay protection is that the node
generating a message inserts the current time of day, and the node
Perkins, editor Expires 11 February 1996 [Page 34]
Internet Draft IP Mobility Support 11 August 1995
receiving the message checks that this timestamp is sufficiently
close to its own time of day. Obviously the two nodes must have
adequately synchronized time of day clocks. As usual all messages
are protected against tampering by a cryptographic checksum.
If timestamps are used, the mobile node sets the Identification
field to a 64-bit value formatted as specified by the Network Time
Protocol [13]. The low-order 32 bits of the NTP format represent
fractional seconds, and those bits which are not available from a
time source SHOULD be generated from a good source of randomness.
If the timestamp in a registration request that has passed
authentication is close enough to the home agent's time of day, the
home agent copies the entire Identification into the registration
reply. If the timestamp is unacceptable, the home agent copies only
the low order 32 bits into the registration reply, and supplies the
high order 32 bits from its own time of day. The error code in the
registration reply indicates an identification mismatch. The mobile
node MUST verify that the low order 32 bits of the identification
in the registration reply are identical to those in the rejected
registration attempt, before using the high order bits for clock
resynchronization. Time tolerances and resynchronization details are
specific to a particular mobile security association.
10. Acknowledgements
Special thanks to Steve Deering (Xerox PARC), along with Dan Duchamp
and John Ioannidis (Columbia), for forming the working group,
chairing it, and putting so much effort into its early development.
Thanks also to Kannan Alaggapan and Greg Minshall for their
contributions to the group while performing the duties of
chairperson.
Perkins, editor Expires 11 February 1996 [Page 35]
Internet Draft IP Mobility Support 11 August 1995
Thanks to the active members of the Mobile-IP working group,
particularly those who contributed text, including (in alphabetical
order)
- Ran Atkinson (Naval Research Lab),
- Dave Johnson (Carnegie Mellon University),
- Frank Kastenholz (FTP Software)
- Anders Klemets (KTH)
- Chip Maguire (KTH - also, John Ioannidis's advisor and early
contributor)
- Andrew Myles (Macquarie University),
- John Penners (US West),
- Al Quirt (Bell Northern Research),
- Yakov Rekhter (IBM), and
- Fumio Teraoka (Sony).
Thanks to Charlie Kunzinger and to Bill Simpson, the editors who
produced the first drafts for of this document, reflecting the
discussions of the Working Group.
Thanks to Greg Minshall (Novell), Phil Karn (Qualcomm), and Frank
Kastenholz (FTP Software) for their generous support in hosting
interim Working Group meetings.
Implementors may note that Anders Klemets has an implementation
of the protocol specified here for mobile nodes, foreign agents,
and home agents running under SunOS v4.1.3. He is willing to
provide it to people wishing to perform beta testing. Contact
him at <klemets@sics.se> if you would like a copy. There
is also a version of mobile-IP which was developed by Vipul
Gupta <vgupta@cs.binghamton.edu> at the State University of
New York Binghamton. It is available via anonymous ftp from
anchor.cs.binghamton.edu in pub/Linux-MobileIP/Linux-MobileIP.tar.gz.
A. Gratuitous and Proxy ARP
Many people will use their computers for extended periods of time
on a single link, whether or not it is at their home network. When
doing so, they will expect the same level of service from their
infrastructure as they receive today on the home network.
Mobile nodes do not need a separate "virtual" IP address block; this
would require a small network to have an extra router between the
mobile and non-mobile nodes, which is an unacceptable expense.
This section details the special care to be taken when using ARP [16]
with nodes on the same link as a mobile node.
Perkins, editor Expires 11 February 1996 [Page 36]
Internet Draft IP Mobility Support 11 August 1995
A problem can arise if a mobile node which has previously answered an
ARP Request moves away from the link, leaving behind a stale entry in
another node's ARP cache. For example, if a router which forwards
datagrams into the home network has a stale ARP cache entry for the
mobile node, any datagrams arriving through that router for the
mobile node will be lost. Thus, it is important that ARP caches of
nodes populating the link be updated as soon as possible.
A gratuitous ARP is an ARP Reply that is broadcast to all nodes on a
link, but not in response to any ARP Request. When an ARP Reply is
broadcast, all hosts are required to update their local ARP caches,
whether or not the ARP Reply was in response to an ARP Request they
had issued. With gratuitous ARP, the source IP address is the home
address of the mobile node, the link-layer address is the source
link-layer address for the interface used, the target IP address is
the all-systems multicast address, and the target link-layer address
is the general broadcast address.
When there is a physical link which corresponds to the home network,
a gratuitous ARP is issued by the home agent on behalf of a mobile
node whenever the home agent receives a valid registration. That
should cause the remaining nodes to associate the home address of the
mobile node with the link-layer address of the home agent which is
now serving the mobile node.
While the mobile node is away from its home network, the home agent
performs proxy ARP Replies for the mobile node. When a mobile node
returns to its home network, it SHOULD issue a gratuitous ARP on its
own behalf, immediately before sending its deregistration request to
the home agent.
Although the gratuitous ARP can be lost, this is not different from
the usual ARP Reply problems, which are outside the scope of this
document. A home agent may repeat the gratuitous ARP a small number
of times.
B. Link-Layer considerations
The mobile node primarily uses link-layer mechanisms to decide that
its point of attachment has changed. Such indications include
the Down/Testing/Up interface status [11], and changes in cell or
administration. The mechanisms will be specific to the particular
link-layer technology, and are outside the scope of this document.
Perkins, editor Expires 11 February 1996 [Page 37]
Internet Draft IP Mobility Support 11 August 1995
B.1. Point-to-Point Link-Layers
The Point-to-Point-Protocol (PPP) [20] and its Internet Protocol
Control Protocol (IPCP) [12], negotiates the use of IP addresses.
The mobile node SHOULD first attempt to specify its home address.
This allows an unrouted link to function correctly.
When the home address is not accepted by the peer, but a transient
IP address is dynamically assigned, that address MAY be used as the
care-of address for registration. When the peer specifies its own IP
address, that address MUST NOT be assumed to be the care-of address
of a foreign agent or the IP address of a home agent.
When router advertisements are received which contain the Mobile
Service Extension, registration with the agent SHOULD take place as
usual. If the link is bandwidth limited, this method is preferred
over use of the transient care-of address. The encapsulation will
be removed by the peer, allowing header compression techniques to
function correctly [10].
B.2. Multi-Point Link-Layers
Another link establishment protocol, IEEE 802.11 [1], might yield the
link address of an agent. This link-layer address SHOULD be used to
attempt registration.
The receipt of an agent's address via a router advertisement
supersedes that obtained via IEEE 802.11.
C. TCP Considerations
C.1. TCP Timers
Most hosts and routers which implement TCP/IP do not permit easy
configuration of the TCP timer values. When high-delay (e.g.
SATCOM) or low-bandwidth (e.g. High-Frequency Radio) links are
in use, the default TCP timer values in many systems may cause
retransmissions or timeouts, even when the link and network is
actually operating properly with greater than usual delays because
of the medium in use. This can cause an inability to create or
maintain connections over such links, and can also cause unneeded
retransmissions which consume already scarce bandwidth. Vendors are
encouraged to make TCP timers more configurable. Vendors of systems
designed for the mobile computing markets should pick default timer
values more suited to low-bandwidth, high-delay links. Users of
Perkins, editor Expires 11 February 1996 [Page 38]
Internet Draft IP Mobility Support 11 August 1995
mobile nodes should be sensitive to the possibility of timer-related
difficulties.
C.2. TCP Congestion Management
Mobility nodes are likely to use media which have low bandwidth and
are more likely to introduce errors, effectively causing more packets
to be dropped. This introduces a conflict with the mechanisms for
congestion management found in modern versions of TCP. Now, when
a packet is dropped, the correspondent's TCP implementation is
likely to react as if there were a source of network congestion,
and initiate the slow-start mechanisms [5] designed for controlling
that problem. However, those mechanisms are inappropriate for
overcoming errors introduced by the links themselves, and have the
effect of magnifying the discontinuity introduced by the dropped
packet. This problem has been analyzed by Caceres, et. al.([4]);
there is no easy solution available, and certainly no solution likely
to be installed soon on all correspondents. While this problem has
nothing to do with any of the specifications in this document, it
does illustrate that providing performance transparency to mobile
nodes involves understanding mechanisms outside the network layer.
It also indicates the need to avoid designs which systematically drop
packets; such designs might otherwise be considered favorably when
making engineering tradeoffs.
References
[1] Draft Standard, Wireless LAN MAC and PHY Specifications, Rev.
D1. IEEE Document P802.11/D1-94/12, Dec 1994.
[2] R. Atkinson. IP Authentication Header. RFC 1826, August 1995.
[3] S.M. Bellovin. Security Problems in the TCP/IP Protocol Suite.
ACM Computer Communications Review, 19(2), March 1989.
[4] Ramon Caceres and Liviu Iftode. The Effects of Mobility on
Reliable Transport Protocols. In Proceedings of the 14th
International Conference on Distributed Computing Systems, June
1994.
[5] Douglas E. Comer. Internetworking with TCP/IP, volume 1.
Prentice Hall, 1991.
[6] S. Deering. Router Discovery. RFC 1256, September 1991.
Perkins, editor Expires 11 February 1996 [Page 39]
Internet Draft IP Mobility Support 11 August 1995
[7] R. Droms. Dynamic Host Configuration Protocol. RFC 1541,
October 1993.
[8] D.E. Eastlake, S.D. Crocker, and J.I. Schiller. Randomness
Requirements for Security. RFC 1750, December 1994.
[9] S. Hanks, T. Li, D. Farinacci, and P. Traina. Generic Routing
Encapsulation (GRE). RFC 1701, October 1994.
[10] V. Jacobson. Compressing TCP/IP Headers for Low-Speed Serial
Links. RFC 1144, February 1990.
[11] K. McCloghrie and F. Kastenholz. Evolution of the Interfaces
Group MIP-II. RFC 1573, January 1994.
[12] G. McGregor. The PPP Internet Procotol Control Protocol (IPCP).
RFC 1332, May 1992.
[13] D. Mills. Network Time Protocol (Version 3). RFC 1305, March
1992.
[14] C. Perkins. IP Encapsulation within IP. Internet Draft -- work
in progress, October 1995.
[15] C. Perkins. Minimal Encapsulation within IP. Internet Draft --
work in progress, July 1995.
[16] D. Plummer. An Ethernet Address Resolution Protocol. RFC 826,
November 1982.
[17] J. Postel. User Datagram Protocol. RFC 768, August 1980.
[18] J. Reynolds and J. Postel. Assigned Numbers. RFC 1700, October
1994.
[19] R. Rivest. The MD5 Message-Digest Algorithm. RFC 1321, April
1992.
[20] W. Simpson (Editor). The Point-to-Point Protocol (PPP). RFC
1661, July 1994.
Perkins, editor Expires 11 February 1996 [Page 40]
Internet Draft IP Mobility Support 11 August 1995
Chair's Addresses
The working group can be contacted via the current chairs:
Jim Solomon Tony Li
Motorola, Inc. cisco systems
1301 E. Algonquin Rd. 170 W. Tasman Dr.
Schaumburg, IL 60196 San Jose, CA 95134
Work: +1-708-576-2753 Work: +1-408-526-8186
E-mail: solomon@comm.mot.com E-mail: tli@cisco.com
Editor's Address
Questions about this memo can also be directed to:
Charles Perkins
Room J1-A25
T. J. Watson Research Center
IBM Corporation
30 Saw Mill River Rd.
Hawthorne, NY 10532
Work: +1-914-784-7350
Fax: +1-914-784-7007
E-mail: perk@watson.ibm.com
Perkins, editor Expires 11 February 1996 [Page 41]
