summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3775.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc3775.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc3775.txt')
-rw-r--r--doc/rfc/rfc3775.txt9243
1 files changed, 9243 insertions, 0 deletions
diff --git a/doc/rfc/rfc3775.txt b/doc/rfc/rfc3775.txt
new file mode 100644
index 0000000..cd207f7
--- /dev/null
+++ b/doc/rfc/rfc3775.txt
@@ -0,0 +1,9243 @@
+
+
+
+
+
+
+Network Working Group D. Johnson
+Request for Comments: 3775 Rice University
+Category: Standards Track C. Perkins
+ Nokia Research Center
+ J. Arkko
+ Ericsson
+ June 2004
+
+
+ Mobility Support in IPv6
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004).
+
+Abstract
+
+ This document specifies a protocol which allows nodes to remain
+ reachable while moving around in the IPv6 Internet. Each mobile node
+ is always identified by its home address, regardless of its current
+ point of attachment to the Internet. While situated away from its
+ home, a mobile node is also associated with a care-of address, which
+ provides information about the mobile node's current location. IPv6
+ packets addressed to a mobile node's home address are transparently
+ routed to its care-of address. The protocol enables IPv6 nodes to
+ cache the binding of a mobile node's home address with its care-of
+ address, and to then send any packets destined for the mobile node
+ directly to it at this care-of address. To support this operation,
+ Mobile IPv6 defines a new IPv6 protocol and a new destination option.
+ All IPv6 nodes, whether mobile or stationary, can communicate with
+ mobile nodes.
+
+
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 1]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2. Comparison with Mobile IP for IPv4 . . . . . . . . . . . . 6
+ 3. Terminology. . . . . . . . . . . . . . . . . . . . . . . . 7
+ 3.1. General Terms . . . . . . . . . . . . . . . . . . . 8
+ 3.2. Mobile IPv6 Terms . . . . . . . . . . . . . . . . . 10
+ 4. Overview of Mobile IPv6. . . . . . . . . . . . . . . . . . 13
+ 4.1. Basic Operation . . . . . . . . . . . . . . . . . . 13
+ 4.2. New IPv6 Protocol . . . . . . . . . . . . . . . . . 15
+ 4.3. New IPv6 Destination Option . . . . . . . . . . . . 17
+ 4.4. New IPv6 ICMP Messages. . . . . . . . . . . . . . . 17
+ 4.5. Conceptual Data Structure Terminology . . . . . . . 17
+ 4.6. Site-Local Addressability . . . . . . . . . . . . . 18
+ 5. Overview of Mobile IPv6 Security . . . . . . . . . . . . . 18
+ 5.1. Binding Updates to Home Agents. . . . . . . . . . . 18
+ 5.2. Binding Updates to Correspondent Nodes. . . . . . . 20
+ 5.2.1. Node Keys . . . . . . . . . . . . . . . . . 20
+ 5.2.2. Nonces. . . . . . . . . . . . . . . . . . . 20
+ 5.2.3. Cookies and Tokens. . . . . . . . . . . . . 21
+ 5.2.4. Cryptographic Functions . . . . . . . . . . 22
+ 5.2.5. Return Routability Procedure. . . . . . . . 22
+ 5.2.6. Authorizing Binding Management Messages . . 27
+ 5.2.7. Updating Node Keys and Nonces . . . . . . . 29
+ 5.2.8. Preventing Replay Attacks . . . . . . . . . 30
+ 5.3. Dynamic Home Agent Address Discovery. . . . . . . . 30
+ 5.4. Mobile Prefix Discovery . . . . . . . . . . . . . . 30
+ 5.5. Payload Packets . . . . . . . . . . . . . . . . . . 30
+ 6. New IPv6 Protocol, Message Types, and Destination Option . 31
+ 6.1. Mobility Header . . . . . . . . . . . . . . . . . . 31
+ 6.1.1. Format. . . . . . . . . . . . . . . . . . . 32
+ 6.1.2. Binding Refresh Request Message . . . . . . 34
+ 6.1.3. Home Test Init Message. . . . . . . . . . . 35
+ 6.1.4. Care-of Test Init Message . . . . . . . . . 36
+ 6.1.5. Home Test Message . . . . . . . . . . . . . 37
+ 6.1.6. Care-of Test Message. . . . . . . . . . . . 38
+ 6.1.7. Binding Update Message. . . . . . . . . . . 39
+ 6.1.8. Binding Acknowledgement Message . . . . . . 42
+ 6.1.9. Binding Error Message . . . . . . . . . . . 44
+ 6.2. Mobility Options. . . . . . . . . . . . . . . . . . 46
+ 6.2.1. Format. . . . . . . . . . . . . . . . . . . 46
+ 6.2.2. Pad1. . . . . . . . . . . . . . . . . . . . 47
+ 6.2.3. PadN. . . . . . . . . . . . . . . . . . . . 48
+ 6.2.4. Binding Refresh Advice. . . . . . . . . . . 48
+ 6.2.5. Alternate Care-of Address . . . . . . . . . 49
+ 6.2.6. Nonce Indices . . . . . . . . . . . . . . . 49
+ 6.2.7. Binding Authorization Data. . . . . . . . . 50
+ 6.3. Home Address Option . . . . . . . . . . . . . . . . 51
+
+
+
+Johnson, et al. Standard Track [Page 2]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ 6.4. Type 2 Routing Header . . . . . . . . . . . . . . . 53
+ 6.4.1. Format. . . . . . . . . . . . . . . . . . . 54
+ 6.5. ICMP Home Agent Address Discovery Request Message . 55
+ 6.6. ICMP Home Agent Address Discovery Reply Message . . 56
+ 6.7. ICMP Mobile Prefix Solicitation Message Format. . . 57
+ 6.8. ICMP Mobile Prefix Advertisement Message Format . . 59
+ 7. Modifications to IPv6 Neighbor Discovery . . . . . . . . . 61
+ 7.1. Modified Router Advertisement Message Format. . . . 61
+ 7.2. Modified Prefix Information Option Format . . . . . 62
+ 7.3. New Advertisement Interval Option Format. . . . . . 64
+ 7.4. New Home Agent Information Option Format. . . . . . 65
+ 7.5. Changes to Sending Router Advertisements. . . . . . 67
+ 8. Requirements for Types of IPv6 Nodes . . . . . . . . . . . 69
+ 8.1. All IPv6 Nodes. . . . . . . . . . . . . . . . . . . 69
+ 8.2. IPv6 Nodes with Support for Route Optimization. . . 69
+ 8.3. All IPv6 Routers. . . . . . . . . . . . . . . . . . 71
+ 8.4. IPv6 Home Agents. . . . . . . . . . . . . . . . . . 71
+ 8.5. IPv6 Mobile Nodes . . . . . . . . . . . . . . . . . 73
+ 9. Correspondent Node Operation . . . . . . . . . . . . . . . 74
+ 9.1. Conceptual Data Structures. . . . . . . . . . . . . 74
+ 9.2. Processing Mobility Headers . . . . . . . . . . . . 75
+ 9.3. Packet Processing . . . . . . . . . . . . . . . . . 76
+ 9.3.1. Receiving Packets with Home Address Option. 76
+ 9.3.2. Sending Packets to a Mobile Node. . . . . . 77
+ 9.3.3. Sending Binding Error Messages. . . . . . . 78
+ 9.3.4. Receiving ICMP Error Messages . . . . . . . 79
+ 9.4. Return Routability Procedure. . . . . . . . . . . . 79
+ 9.4.1. Receiving Home Test Init Messages . . . . . 80
+ 9.4.2. Receiving Care-of Test Init Messages. . . . 80
+ 9.4.3. Sending Home Test Messages. . . . . . . . . 80
+ 9.4.4. Sending Care-of Test Messages . . . . . . . 81
+ 9.5 Processing Bindings . . . . . . . . . . . . . . . . 81
+ 9.5.1. Receiving Binding Updates . . . . . . . . . 81
+ 9.5.2. Requests to Cache a Binding . . . . . . . . 84
+ 9.5.3. Requests to Delete a Binding. . . . . . . . 84
+ 9.5.4. Sending Binding Acknowledgements. . . . . . 85
+ 9.5.5. Sending Binding Refresh Requests. . . . . . 86
+ 9.6. Cache Replacement Policy. . . . . . . . . . . . . . 86
+ 10. Home Agent Operation . . . . . . . . . . . . . . . . . . . 87
+ 10.1. Conceptual Data Structures. . . . . . . . . . . . . 87
+ 10.2. Processing Mobility Headers . . . . . . . . . . . . 88
+ 10.3. Processing Bindings . . . . . . . . . . . . . . . . 88
+ 10.3.1. Primary Care-of Address Registration. . . . 88
+ 10.3.2. Primary Care-of Address De-Registration . . 92
+ 10.4. Packet Processing . . . . . . . . . . . . . . . . . 94
+ 10.4.1. Intercepting Packets for a Mobile Node. . . 94
+ 10.4.2. Processing Intercepted Packets. . . . . . . 95
+ 10.4.3. Multicast Membership Control. . . . . . . . 96
+
+
+
+Johnson, et al. Standard Track [Page 3]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ 10.4.4. Stateful Address Autoconfiguration. . . . . 98
+ 10.4.5. Handling Reverse Tunneled Packets . . . . . 98
+ 10.4.6. Protecting Return Routability Packets . . . 99
+ 10.5. Dynamic Home Agent Address Discovery. . . . . . . . 99
+ 10.5.1. Receiving Router Advertisement Messages . . 100
+ 10.6. Sending Prefix Information to the Mobile Node . . . 102
+ 10.6.1. List of Home Network Prefixes . . . . . . . 102
+ 10.6.2. Scheduling Prefix Deliveries. . . . . . . . 102
+ 10.6.3. Sending Advertisements. . . . . . . . . . . 104
+ 10.6.4. Lifetimes for Changed Prefixes. . . . . . . 105
+ 11. Mobile Node Operation. . . . . . . . . . . . . . . . . . . 105
+ 11.1. Conceptual Data Structures. . . . . . . . . . . . . 105
+ 11.2. Processing Mobility Headers . . . . . . . . . . . . 107
+ 11.3. Packet Processing . . . . . . . . . . . . . . . . . 107
+ 11.3.1. Sending Packets While Away from Home. . . . 107
+ 11.3.2. Interaction with Outbound IPsec Processing. 110
+ 11.3.3. Receiving Packets While Away from Home. . . 112
+ 11.3.4. Routing Multicast Packets . . . . . . . . . 114
+ 11.3.5. Receiving ICMP Error Messages . . . . . . . 115
+ 11.3.6. Receiving Binding Error Messages. . . . . . 116
+ 11.4. Home Agent and Prefix Management. . . . . . . . . . 117
+ 11.4.1. Dynamic Home Agent Address Discovery. . . . 117
+ 11.4.2. Sending Mobile Prefix Solicitations . . . . 118
+ 11.4.3. Receiving Mobile Prefix Advertisements. . . 118
+ 11.5. Movement. . . . . . . . . . . . . . . . . . . . . . 120
+ 11.5.1. Movement Detection. . . . . . . . . . . . . 120
+ 11.5.2. Forming New Care-of Addresses . . . . . . . 122
+ 11.5.3. Using Multiple Care-of Addresses. . . . . . 123
+ 11.5.4. Returning Home. . . . . . . . . . . . . . . 124
+ 11.6. Return Routability Procedure. . . . . . . . . . . . 126
+ 11.6.1. Sending Test Init Messages. . . . . . . . . 126
+ 11.6.2. Receiving Test Messages . . . . . . . . . . 127
+ 11.6.3. Protecting Return Routability Packets . . . 128
+ 11.7. Processing Bindings . . . . . . . . . . . . . . . . 128
+ 11.7.1. Sending Binding Updates to the Home Agent . 128
+ 11.7.2. Correspondent Registration. . . . . . . . . 131
+ 11.7.3. Receiving Binding Acknowledgements. . . . . 134
+ 11.7.4. Receiving Binding Refresh Requests. . . . . 136
+ 11.8. Retransmissions and Rate Limiting . . . . . . . . . 137
+ 12. Protocol Constants . . . . . . . . . . . . . . . . . . . . 138
+ 13. Protocol Configuration Variables . . . . . . . . . . . . . 138
+ 14. IANA Considerations. . . . . . . . . . . . . . . . . . . . 139
+ 15. Security Considerations. . . . . . . . . . . . . . . . . . 142
+ 15.1. Threats . . . . . . . . . . . . . . . . . . . . . . 142
+ 15.2. Features. . . . . . . . . . . . . . . . . . . . . . 144
+ 15.3. Binding Updates to Home Agent . . . . . . . . . . . 145
+ 15.4. Binding Updates to Correspondent Nodes. . . . . . . 148
+ 15.4.1. Overview. . . . . . . . . . . . . . . . . . 149
+
+
+
+Johnson, et al. Standard Track [Page 4]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ 15.4.2. Achieved Security Properties. . . . . . . . 149
+ 15.4.3. Comparison to Regular IPv6 Communications . 150
+ 15.4.4. Replay Attacks. . . . . . . . . . . . . . . 152
+ 15.4.5. Denial-of-Service Attacks . . . . . . . . . 152
+ 15.4.6. Key Lengths . . . . . . . . . . . . . . . . 153
+ 15.5. Dynamic Home Agent Address Discovery. . . . . . . . 154
+ 15.6. Mobile Prefix Discovery . . . . . . . . . . . . . . 155
+ 15.7. Tunneling via the Home Agent. . . . . . . . . . . . 155
+ 15.8. Home Address Option . . . . . . . . . . . . . . . . 156
+ 15.9. Type 2 Routing Header . . . . . . . . . . . . . . . 156
+ 16. Contributors . . . . . . . . . . . . . . . . . . . . . . . 157
+ 17. Acknowledgements . . . . . . . . . . . . . . . . . . . . . 157
+ 18. References . . . . . . . . . . . . . . . . . . . . . . . . 158
+ 18.1. Normative References. . . . . . . . . . . . . . . . 158
+ 18.2. Informative References. . . . . . . . . . . . . . . 159
+ Appendix A. Future Extensions . . . . . . . . . . . . . . . . . 161
+ A.1. Piggybacking. . . . . . . . . . . . . . . . . . . . 161
+ A.2. Triangular Routing. . . . . . . . . . . . . . . . . 161
+ A.3. New Authorization Methods . . . . . . . . . . . . . 161
+ A.4. Dynamically Generated Home Addresses. . . . . . . . 161
+ A.5. Remote Home Address Configuration . . . . . . . . . 162
+ A.6. Neighbor Discovery Extensions . . . . . . . . . . . 163
+ Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . . . 164
+ Full Copyright Statement. . . . . . . . . . . . . . . . . . . . . 165
+
+1. Introduction
+
+ This document specifies a protocol which allows nodes to remain
+ reachable while moving around in the IPv6 Internet. Without specific
+ support for mobility in IPv6 [11], packets destined to a mobile node
+ would not be able to reach it while the mobile node is away from its
+ home link. In order to continue communication in spite of its
+ movement, a mobile node could change its IP address each time it
+ moves to a new link, but the mobile node would then not be able to
+ maintain transport and higher-layer connections when it changes
+ location. Mobility support in IPv6 is particularly important, as
+ mobile computers are likely to account for a majority or at least a
+ substantial fraction of the population of the Internet during the
+ lifetime of IPv6.
+
+ The protocol defined in this document, known as Mobile IPv6, allows a
+ mobile node to move from one link to another without changing the
+ mobile node's "home address". Packets may be routed to the mobile
+ node using this address regardless of the mobile node's current point
+ of attachment to the Internet. The mobile node may also continue to
+ communicate with other nodes (stationary or mobile) after moving to a
+
+
+
+
+
+Johnson, et al. Standard Track [Page 5]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ new link. The movement of a mobile node away from its home link is
+ thus transparent to transport and higher-layer protocols and
+ applications.
+
+ The Mobile IPv6 protocol is just as suitable for mobility across
+ homogeneous media as for mobility across heterogeneous media. For
+ example, Mobile IPv6 facilitates node movement from one Ethernet
+ segment to another as well as it facilitates node movement from an
+ Ethernet segment to a wireless LAN cell, with the mobile node's IP
+ address remaining unchanged in spite of such movement.
+
+ One can think of the Mobile IPv6 protocol as solving the network-
+ layer mobility management problem. Some mobility management
+ applications -- for example, handover among wireless transceivers,
+ each of which covers only a very small geographic area -- have been
+ solved using link-layer techniques. For example, in many current
+ wireless LAN products, link-layer mobility mechanisms allow a
+ "handover" of a mobile node from one cell to another, re-establishing
+ link-layer connectivity to the node in each new location.
+
+ Mobile IPv6 does not attempt to solve all general problems related to
+ the use of mobile computers or wireless networks. In particular,
+ this protocol does not attempt to solve:
+
+ o Handling links with unidirectional connectivity or partial
+ reachability, such as the hidden terminal problem where a host is
+ hidden from only some of the routers on the link.
+
+ o Access control on a link being visited by a mobile node.
+
+ o Local or hierarchical forms of mobility management (similar to
+ many current link-layer mobility management solutions).
+
+ o Assistance for adaptive applications.
+
+ o Mobile routers.
+
+ o Service Discovery.
+
+ o Distinguishing between packets lost due to bit errors vs. network
+ congestion.
+
+2. Comparison with Mobile IP for IPv4
+
+ The design of Mobile IP support in IPv6 (Mobile IPv6) benefits both
+ from the experiences gained from the development of Mobile IP support
+ in IPv4 (Mobile IPv4) [22, 23, 24], and from the opportunities
+ provided by IPv6. Mobile IPv6 thus shares many features with Mobile
+
+
+
+Johnson, et al. Standard Track [Page 6]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ IPv4, but is integrated into IPv6 and offers many other improvements.
+ This section summarizes the major differences between Mobile IPv4 and
+ Mobile IPv6:
+
+ o There is no need to deploy special routers as "foreign agents", as
+ in Mobile IPv4. Mobile IPv6 operates in any location without any
+ special support required from the local router.
+
+ o Support for route optimization is a fundamental part of the
+ protocol, rather than a nonstandard set of extensions.
+
+ o Mobile IPv6 route optimization can operate securely even without
+ pre-arranged security associations. It is expected that route
+ optimization can be deployed on a global scale between all mobile
+ nodes and correspondent nodes.
+
+ o Support is also integrated into Mobile IPv6 for allowing route
+ optimization to coexist efficiently with routers that perform
+ "ingress filtering" [26].
+
+ o The IPv6 Neighbor Unreachability Detection assures symmetric
+ reachability between the mobile node and its default router in the
+ current location.
+
+ o Most packets sent to a mobile node while away from home in Mobile
+ IPv6 are sent using an IPv6 routing header rather than IP
+ encapsulation, reducing the amount of resulting overhead compared
+ to Mobile IPv4.
+
+ o Mobile IPv6 is decoupled from any particular link layer, as it
+ uses IPv6 Neighbor Discovery [12] instead of ARP. This also
+ improves the robustness of the protocol.
+
+ o The use of IPv6 encapsulation (and the routing header) removes the
+ need in Mobile IPv6 to manage "tunnel soft state".
+
+ o The dynamic home agent address discovery mechanism in Mobile IPv6
+ returns a single reply to the mobile node. The directed broadcast
+ approach used in IPv4 returns separate replies from each home
+ agent.
+
+3. Terminology
+
+ The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in BCP 14, RFC 2119 [2].
+
+
+
+
+
+Johnson, et al. Standard Track [Page 7]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+3.1. General Terms
+
+ IP
+
+ Internet Protocol Version 6 (IPv6).
+
+ node
+
+ A device that implements IP.
+
+ router
+
+ A node that forwards IP packets not explicitly addressed to
+ itself.
+
+ unicast routable address
+
+ An identifier for a single interface such that a packet sent to it
+ from another IPv6 subnet is delivered to the interface identified
+ by that address. Accordingly, a unicast routable address must
+ have either a global or site-local scope (but not link-local).
+
+ host
+
+ Any node that is not a router.
+
+ link
+
+ A communication facility or medium over which nodes can
+ communicate at the link layer, such as an Ethernet (simple or
+ bridged). A link is the layer immediately below IP.
+
+ interface
+
+ A node's attachment to a link.
+
+ subnet prefix
+
+ A bit string that consists of some number of initial bits of an IP
+ address.
+
+ interface identifier
+
+ A number used to identify a node's interface on a link. The
+ interface identifier is the remaining low-order bits in the node's
+ IP address after the subnet prefix.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 8]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ link-layer address
+
+ A link-layer identifier for an interface, such as IEEE 802
+ addresses on Ethernet links.
+
+ packet
+
+ An IP header plus payload.
+
+ security association
+
+ An IPsec security association is a cooperative relationship formed
+ by the sharing of cryptographic keying material and associated
+ context. Security associations are simplex. That is, two
+ security associations are needed to protect bidirectional traffic
+ between two nodes, one for each direction.
+
+ security policy database
+
+ A database that specifies what security services are to be offered
+ to IP packets and in what fashion.
+
+ destination option
+
+ Destination options are carried by the IPv6 Destination Options
+ extension header. Destination options include optional
+ information that need be examined only by the IPv6 node given as
+ the destination address in the IPv6 header, not by routers in
+ between. Mobile IPv6 defines one new destination option, the Home
+ Address destination option (see Section 6.3).
+
+ routing header
+
+ A routing header may be present as an IPv6 header extension, and
+ indicates that the payload has to be delivered to a destination
+ IPv6 address in some way that is different from what would be
+ carried out by standard Internet routing. In this document, use
+ of the term "routing header" typically refers to use of a type 2
+ routing header, as specified in Section 6.4.
+
+ "|" (concatenation)
+
+ Some formulas in this specification use the symbol "|" to indicate
+ bytewise concatenation, as in A | B. This concatenation requires
+ that all of the octets of the datum A appear first in the result,
+ followed by all of the octets of the datum B.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 9]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ First (size, input)
+
+ Some formulas in this specification use a functional form "First
+ (size, input)" to indicate truncation of the "input" data so that
+ only the first "size" bits remain to be used.
+
+3.2. Mobile IPv6 Terms
+
+ home address
+
+ A unicast routable address assigned to a mobile node, used as the
+ permanent address of the mobile node. This address is within the
+ mobile node's home link. Standard IP routing mechanisms will
+ deliver packets destined for a mobile node's home address to its
+ home link. Mobile nodes can have multiple home addresses, for
+ instance when there are multiple home prefixes on the home link.
+
+ home subnet prefix
+
+ The IP subnet prefix corresponding to a mobile node's home
+ address.
+
+ home link
+
+ The link on which a mobile node's home subnet prefix is defined.
+
+ mobile node
+
+ A node that can change its point of attachment from one link to
+ another, while still being reachable via its home address.
+
+ movement
+
+ A change in a mobile node's point of attachment to the Internet
+ such that it is no longer connected to the same link as it was
+ previously. If a mobile node is not currently attached to its
+ home link, the mobile node is said to be "away from home".
+
+ L2 handover
+
+ A process by which the mobile node changes from one link-layer
+ connection to another. For example, a change of wireless access
+ point is an L2 handover.
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 10]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ L3 handover
+
+ Subsequent to an L2 handover, a mobile node detects a change in an
+ on-link subnet prefix that would require a change in the primary
+ care-of address. For example, a change of access router
+ subsequent to a change of wireless access point typically results
+ in an L3 handover.
+
+ correspondent node
+
+ A peer node with which a mobile node is communicating. The
+ correspondent node may be either mobile or stationary.
+
+ foreign subnet prefix
+
+ Any IP subnet prefix other than the mobile node's home subnet
+ prefix.
+
+ foreign link
+
+ Any link other than the mobile node's home link.
+
+ care-of address
+
+ A unicast routable address associated with a mobile node while
+ visiting a foreign link; the subnet prefix of this IP address is a
+ foreign subnet prefix. Among the multiple care-of addresses that
+ a mobile node may have at any given time (e.g., with different
+ subnet prefixes), the one registered with the mobile node's home
+ agent for a given home address is called its "primary" care-of
+ address.
+
+ home agent
+
+ A router on a mobile node's home link with which the mobile node
+ has registered its current care-of address. While the mobile node
+ is away from home, the home agent intercepts packets on the home
+ link destined to the mobile node's home address, encapsulates
+ them, and tunnels them to the mobile node's registered care-of
+ address.
+
+ binding
+
+ The association of the home address of a mobile node with a care-
+ of address for that mobile node, along with the remaining lifetime
+ of that association.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 11]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ registration
+
+ The process during which a mobile node sends a Binding Update to
+ its home agent or a correspondent node, causing a binding for the
+ mobile node to be registered.
+
+ mobility message
+
+ A message containing a Mobility Header (see Section 6.1).
+
+ binding authorization
+
+ Correspondent registration needs to be authorized to allow the
+ recipient to believe that the sender has the right to specify a
+ new binding.
+
+ return routability procedure
+
+ The return routability procedure authorizes registrations by the
+ use of a cryptographic token exchange.
+
+ correspondent registration
+
+ A return routability procedure followed by a registration, run
+ between the mobile node and a correspondent node.
+
+ home registration
+
+ A registration between the mobile node and its home agent,
+ authorized by the use of IPsec.
+
+ nonce
+
+ Nonces are random numbers used internally by the correspondent
+ node in the creation of keygen tokens related to the return
+ routability procedure. The nonces are not specific to a mobile
+ node, and are kept secret within the correspondent node.
+
+ nonce index
+
+ A nonce index is used to indicate which nonces have been used when
+ creating keygen token values, without revealing the nonces
+ themselves.
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 12]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ cookie
+
+ A cookie is a random number used by a mobile node to prevent
+ spoofing by a bogus correspondent node in the return routability
+ procedure.
+
+ care-of init cookie
+
+ A cookie sent to the correspondent node in the Care-of Test Init
+ message, to be returned in the Care-of Test message.
+
+ home init cookie
+
+ A cookie sent to the correspondent node in the Home Test Init
+ message, to be returned in the Home Test message.
+
+ keygen token
+
+ A keygen token is a number supplied by a correspondent node in the
+ return routability procedure to enable the mobile node to compute
+ the necessary binding management key for authorizing a Binding
+ Update.
+
+ care-of keygen token
+
+ A keygen token sent by the correspondent node in the Care-of Test
+ message.
+
+ home keygen token
+
+ A keygen token sent by the correspondent node in the Home Test
+ message.
+
+ binding management key (Kbm)
+
+ A binding management key (Kbm) is a key used for authorizing a
+ binding cache management message (e.g., Binding Update or Binding
+ Acknowledgement). Return routability provides a way to create a
+ binding management key.
+
+4. Overview of Mobile IPv6
+
+4.1. Basic Operation
+
+ A mobile node is always expected to be addressable at its home
+ address, whether it is currently attached to its home link or is away
+ from home. The "home address" is an IP address assigned to the
+ mobile node within its home subnet prefix on its home link. While a
+
+
+
+Johnson, et al. Standard Track [Page 13]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ mobile node is at home, packets addressed to its home address are
+ routed to the mobile node's home link, using conventional Internet
+ routing mechanisms.
+
+ While a mobile node is attached to some foreign link away from home,
+ it is also addressable at one or more care-of addresses. A care-of
+ address is an IP address associated with a mobile node that has the
+ subnet prefix of a particular foreign link. The mobile node can
+ acquire its care-of address through conventional IPv6 mechanisms,
+ such as stateless or stateful auto-configuration. As long as the
+ mobile node stays in this location, packets addressed to this care-of
+ address will be routed to the mobile node. The mobile node may also
+ accept packets from several care-of addresses, such as when it is
+ moving but still reachable at the previous link.
+
+ The association between a mobile node's home address and care-of
+ address is known as a "binding" for the mobile node. While away from
+ home, a mobile node registers its primary care-of address with a
+ router on its home link, requesting this router to function as the
+ "home agent" for the mobile node. The mobile node performs this
+ binding registration by sending a "Binding Update" message to the
+ home agent. The home agent replies to the mobile node by returning a
+ "Binding Acknowledgement" message. The operation of the mobile node
+ is specified in Section 11, and the operation of the home agent is
+ specified in Section 10.
+
+ Any node communicating with a mobile node is referred to in this
+ document as a "correspondent node" of the mobile node, and may itself
+ be either a stationary node or a mobile node. Mobile nodes can
+ provide information about their current location to correspondent
+ nodes. This happens through the correspondent registration. As a
+ part of this procedure, a return routability test is performed in
+ order to authorize the establishment of the binding. The operation
+ of the correspondent node is specified in Section 9.
+
+ There are two possible modes for communications between the mobile
+ node and a correspondent node. The first mode, bidirectional
+ tunneling, does not require Mobile IPv6 support from the
+ correspondent node and is available even if the mobile node has not
+ registered its current binding with the correspondent node. Packets
+ from the correspondent node are routed to the home agent and then
+ tunneled to the mobile node. Packets to the correspondent node are
+ tunneled from the mobile node to the home agent ("reverse tunneled")
+ and then routed normally from the home network to the correspondent
+ node. In this mode, the home agent uses proxy Neighbor Discovery to
+ intercept any IPv6 packets addressed to the mobile node's home
+
+
+
+
+
+Johnson, et al. Standard Track [Page 14]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ address (or home addresses) on the home link. Each intercepted
+ packet is tunneled to the mobile node's primary care-of address.
+ This tunneling is performed using IPv6 encapsulation [15].
+
+ The second mode, "route optimization", requires the mobile node to
+ register its current binding at the correspondent node. Packets from
+ the correspondent node can be routed directly to the care-of address
+ of the mobile node. When sending a packet to any IPv6 destination,
+ the correspondent node checks its cached bindings for an entry for
+ the packet's destination address. If a cached binding for this
+ destination address is found, the node uses a new type of IPv6
+ routing header [11] (see Section 6.4) to route the packet to the
+ mobile node by way of the care-of address indicated in this binding.
+
+ Routing packets directly to the mobile node's care-of address allows
+ the shortest communications path to be used. It also eliminates
+ congestion at the mobile node's home agent and home link. In
+ addition, the impact of any possible failure of the home agent or
+ networks on the path to or from it is reduced.
+
+ When routing packets directly to the mobile node, the correspondent
+ node sets the Destination Address in the IPv6 header to the care-of
+ address of the mobile node. A new type of IPv6 routing header (see
+ Section 6.4) is also added to the packet to carry the desired home
+ address. Similarly, the mobile node sets the Source Address in the
+ packet's IPv6 header to its current care-of addresses. The mobile
+ node adds a new IPv6 "Home Address" destination option (see Section
+ 6.3) to carry its home address. The inclusion of home addresses in
+ these packets makes the use of the care-of address transparent above
+ the network layer (e.g., at the transport layer).
+
+ Mobile IPv6 also provides support for multiple home agents, and a
+ limited support for the reconfiguration of the home network. In
+ these cases, the mobile node may not know the IP address of its own
+ home agent, and even the home subnet prefixes may change over time.
+ A mechanism, known as "dynamic home agent address discovery" allows a
+ mobile node to dynamically discover the IP address of a home agent on
+ its home link, even when the mobile node is away from home. Mobile
+ nodes can also learn new information about home subnet prefixes
+ through the "mobile prefix discovery" mechanism. These mechanisms
+ are described starting from Section 6.5.
+
+4.2. New IPv6 Protocol
+
+ Mobile IPv6 defines a new IPv6 protocol, using the Mobility Header
+ (see Section 6.1). This Header is used to carry the following
+ messages:
+
+
+
+
+Johnson, et al. Standard Track [Page 15]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Home Test Init
+
+ Home Test
+
+ Care-of Test Init
+
+ Care-of Test
+
+ These four messages are used to perform the return routability
+ procedure from the mobile node to a correspondent node. This
+ ensures authorization of subsequent Binding Updates, as described
+ in Section 5.2.5.
+
+ Binding Update
+
+ A Binding Update is used by a mobile node to notify a
+ correspondent node or the mobile node's home agent of its current
+ binding. The Binding Update sent to the mobile node's home agent
+ to register its primary care-of address is marked as a "home
+ registration".
+
+ Binding Acknowledgement
+
+ A Binding Acknowledgement is used to acknowledge receipt of a
+ Binding Update, if an acknowledgement was requested in the Binding
+ Update, the binding update was sent to a home agent, or an error
+ occurred.
+
+ Binding Refresh Request
+
+ A Binding Refresh Request is used by a correspondent node to
+ request a mobile node to re-establish its binding with the
+ correspondent node. This message is typically used when the
+ cached binding is in active use but the binding's lifetime is
+ close to expiration. The correspondent node may use, for
+ instance, recent traffic and open transport layer connections as
+ an indication of active use.
+
+ Binding Error
+
+ The Binding Error is used by the correspondent node to signal an
+ error related to mobility, such as an inappropriate attempt to use
+ the Home Address destination option without an existing binding.
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 16]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+4.3. New IPv6 Destination Option
+
+ Mobile IPv6 defines a new IPv6 destination option, the Home Address
+ destination option. This option is described in detail in Section
+ 6.3.
+
+4.4. New IPv6 ICMP Messages
+
+ Mobile IPv6 also introduces four new ICMP message types, two for use
+ in the dynamic home agent address discovery mechanism, and two for
+ renumbering and mobile configuration mechanisms. As described in
+ Section 10.5 and Section 11.4.1, the following two new ICMP message
+ types are used for home agent address discovery:
+
+ o Home Agent Address Discovery Request, described in Section 6.5.
+
+ o Home Agent Address Discovery Reply, described in Section 6.6.
+
+ The next two message types are used for network renumbering and
+ address configuration on the mobile node, as described in Section
+ 10.6:
+
+ o Mobile Prefix Solicitation, described in Section 6.7.
+
+ o Mobile Prefix Advertisement, described in Section 6.8.
+
+4.5. Conceptual Data Structure Terminology
+
+ This document describes the Mobile IPv6 protocol in terms of the
+ following conceptual data structures:
+
+ Binding Cache
+
+ A cache of bindings for other nodes. This cache is maintained by
+ home agents and correspondent nodes. The cache contains both
+ "correspondent registration" entries (see Section 9.1) and "home
+ registration" entries (see Section 10.1).
+
+ Binding Update List
+
+ This list is maintained by each mobile node. The list has an item
+ for every binding that the mobile node has or is trying to
+ establish with a specific other node. Both correspondent and home
+ registrations are included in this list. Entries from the list
+ are deleted as the lifetime of the binding expires. See Section
+ 11.1.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 17]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Home Agents List
+
+ Home agents need to know which other home agents are on the same
+ link. This information is stored in the Home Agents List, as
+ described in more detail in Section 10.1. The list is used for
+ informing mobile nodes during dynamic home agent address
+ discovery.
+
+4.6. Site-Local Addressability
+
+ This specification requires that home and care-of addresses MUST be
+ unicast routable addresses. Site-local addresses may be usable on
+ networks that are not connected to the Internet, but this
+ specification does not define when such usage is safe and when it is
+ not. Mobile nodes may not be aware of which site they are currently
+ in, it is hard to prevent accidental attachment to other sites, and
+ ambiguity of site-local addresses can cause problems if the home and
+ visited networks use the same addresses. Therefore, site-local
+ addresses SHOULD NOT be used as home or care-of addresses.
+
+5. Overview of Mobile IPv6 Security
+
+ This specification provides a number of security features. These
+ include the protection of Binding Updates both to home agents and
+ correspondent nodes, the protection of mobile prefix discovery, and
+ the protection of the mechanisms that Mobile IPv6 uses for
+ transporting data packets.
+
+ Binding Updates are protected by the use of IPsec extension headers,
+ or by the use of the Binding Authorization Data option. This option
+ employs a binding management key, Kbm, which can be established
+ through the return routability procedure. Mobile prefix discovery is
+ protected through the use of IPsec extension headers. Mechanisms
+ related to transporting payload packets - such as the Home Address
+ destination option and type 2 routing header - have been specified in
+ a manner which restricts their use in attacks.
+
+5.1. Binding Updates to Home Agents
+
+ The mobile node and the home agent MUST use an IPsec security
+ association to protect the integrity and authenticity of the Binding
+ Updates and Acknowledgements. Both the mobile nodes and the home
+ agents MUST support and SHOULD use the Encapsulating Security Payload
+ (ESP) [6] header in transport mode and MUST use a non-NULL payload
+ authentication algorithm to provide data origin authentication,
+ connectionless integrity and optional anti-replay protection. Note
+ that Authentication Header (AH) [5] is also possible but for brevity
+ not discussed in this specification.
+
+
+
+Johnson, et al. Standard Track [Page 18]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ In order to protect messages exchanged between the mobile node and
+ the home agent with IPsec, appropriate security policy database
+ entries must be created. A mobile node must be prevented from using
+ its security association to send a Binding Update on behalf of
+ another mobile node using the same home agent. This MUST be achieved
+ by having the home agent check that the given home address has been
+ used with the right security association. Such a check is provided
+ in the IPsec processing, by having the security policy database
+ entries unequivocally identify a single security association for
+ protecting Binding Updates between any given home address and home
+ agent. In order to make this possible, it is necessary that the home
+ address of the mobile node is visible in the Binding Updates and
+ Acknowledgements. The home address is used in these packets as a
+ source or destination, or in the Home Address Destination option or
+ the type 2 routing header.
+
+ As with all IPsec security associations in this specification, manual
+ configuration of security associations MUST be supported. The used
+ shared secrets MUST be random and unique for different mobile nodes,
+ and MUST be distributed off-line to the mobile nodes.
+
+ Automatic key management with IKE [9] MAY be supported. When IKE is
+ used, either the security policy database entries or the Mobile IPv6
+ processing MUST unequivocally identify the IKE phase 1 credentials
+ which can be used to authorize the creation of security associations
+ for protecting Binding Updates for a particular home address. How
+ these mappings are maintained is outside the scope of this
+ specification, but they may be maintained, for instance, as a locally
+ administered table in the home agent. If the phase 1 identity is a
+ Fully Qualified Domain Name (FQDN), secure forms of DNS may also be
+ used.
+
+ Section 11.3.2 discusses how IKE connections to the home agent need a
+ careful treatment of the addresses used for transporting IKE. This
+ is necessary to ensure that a Binding Update is not needed before the
+ IKE exchange which is needed for securing the Binding Update.
+
+ When IKE version 1 is used with preshared secret authentication
+ between the mobile node and the home agent, aggressive mode MUST be
+ used.
+
+ The ID_IPV6_ADDR Identity Payload MUST NOT be used in IKEv1 phase 1.
+
+ Reference [21] contains a more detailed description and examples on
+ using IPsec to protect the communications between the mobile node and
+ the home agent.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 19]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+5.2. Binding Updates to Correspondent Nodes
+
+ The protection of Binding Updates sent to correspondent nodes does
+ not require the configuration of security associations or the
+ existence of an authentication infrastructure between the mobile
+ nodes and correspondent nodes. Instead, a method called the return
+ routability procedure is used to assure that the right mobile node is
+ sending the message. This method does not protect against attackers
+ who are on the path between the home network and the correspondent
+ node. However, attackers in such a location are capable of
+ performing the same attacks even without Mobile IPv6. The main
+ advantage of the return routability procedure is that it limits the
+ potential attackers to those having an access to one specific path in
+ the Internet, and avoids forged Binding Updates from anywhere else in
+ the Internet. For a more in depth explanation of the security
+ properties of the return routability procedure, see Section 15.
+
+ The integrity and authenticity of the Binding Updates messages to
+ correspondent nodes is protected by using a keyed-hash algorithm.
+ The binding management key, Kbm, is used to key the hash algorithm
+ for this purpose. Kbm is established using data exchanged during the
+ return routability procedure. The data exchange is accomplished by
+ use of node keys, nonces, cookies, tokens, and certain cryptographic
+ functions. Section 5.2.5 outlines the basic return routability
+ procedure. Section 5.2.6 shows how the results of this procedure are
+ used to authorize a Binding Update to a correspondent node.
+
+5.2.1. Node Keys
+
+ Each correspondent node has a secret key, Kcn, called the "node key",
+ which it uses to produce the keygen tokens sent to the mobile nodes.
+ The node key MUST be a random number, 20 octets in length. The node
+ key allows the correspondent node to verify that the keygen tokens
+ used by the mobile node in authorizing a Binding Update are indeed
+ its own. This key MUST NOT be shared with any other entity.
+
+ A correspondent node MAY generate a fresh node key at any time; this
+ avoids the need for secure persistent key storage. Procedures for
+ optionally updating the node key are discussed later in Section
+ 5.2.7.
+
+5.2.2. Nonces
+
+ Each correspondent node also generates nonces at regular intervals.
+ The nonces should be generated by using a random number generator
+ that is known to have good randomness properties [1]. A
+ correspondent node may use the same Kcn and nonce with all the
+ mobiles it is in communication with.
+
+
+
+Johnson, et al. Standard Track [Page 20]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Each nonce is identified by a nonce index. When a new nonce is
+ generated, it must be associated with a new nonce index; this may be
+ done, for example, by incrementing the value of the previous nonce
+ index, if the nonce index is used as an array pointer into a linear
+ array of nonces. However, there is no requirement that nonces be
+ stored that way, or that the values of subsequent nonce indices have
+ any particular relationship to each other. The index value is
+ communicated in the protocol, so that if a nonce is replaced by new
+ nonce during the run of a protocol, the correspondent node can
+ distinguish messages that should be checked against the old nonce
+ from messages that should be checked against the new nonce. Strictly
+ speaking, indices are not necessary in the authentication, but allow
+ the correspondent node to efficiently find the nonce value that it
+ used in creating a keygen token.
+
+ Correspondent nodes keep both the current nonce and a small set of
+ valid previous nonces whose lifetime has not yet expired. Expired
+ values MUST be discarded, and messages using stale or unknown indices
+ will be rejected.
+
+ The specific nonce index values cannot be used by mobile nodes to
+ determine the validity of the nonce. Expected validity times for the
+ nonces values and the procedures for updating them are discussed
+ later in Section 5.2.7.
+
+ A nonce is an octet string of any length. The recommended length is
+ 64 bits.
+
+5.2.3. Cookies and Tokens
+
+ The return routability address test procedure uses cookies and keygen
+ tokens as opaque values within the test init and test messages,
+ respectively.
+
+ o The "home init cookie" and "care-of init cookie" are 64 bit values
+ sent to the correspondent node from the mobile node, and later
+ returned to the mobile node. The home init cookie is sent in the
+ Home Test Init message, and returned in the Home Test message.
+ The care-of init cookie is sent in the Care-of Test Init message,
+ and returned in the Care-of Test message.
+
+ o The "home keygen token" and "care-of keygen token" are 64-bit
+ values sent by the correspondent node to the mobile node via the
+ home agent (via the Home Test message) and the care-of address (by
+ the Care-of Test message), respectively.
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 21]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The mobile node should set the home init or care-of init cookie to a
+ newly generated random number in every Home or Care-of Test Init
+ message it sends. The cookies are used to verify that the Home Test
+ or Care-of Test message matches the Home Test Init or Care-of Test
+ Init message, respectively. These cookies also serve to ensure that
+ parties who have not seen the request cannot spoof responses.
+
+ Home and care-of keygen tokens are produced by the correspondent node
+ based on its currently active secret key (Kcn) and nonces, as well as
+ the home or care-of address (respectively). A keygen token is valid
+ as long as both the secret key (Kcn) and the nonce used to create it
+ are valid.
+
+5.2.4. Cryptographic Functions
+
+ In this specification, the function used to compute hash values is
+ SHA1 [20]. Message Authentication Codes (MACs) are computed using
+ HMAC_SHA1 [25, 20]. HMAC_SHA1(K,m) denotes such a MAC computed on
+ message m with key K.
+
+5.2.5. Return Routability Procedure
+
+ The Return Routability Procedure enables the correspondent node to
+ obtain some reasonable assurance that the mobile node is in fact
+ addressable at its claimed care-of address as well as at its home
+ address. Only with this assurance is the correspondent node able to
+ accept Binding Updates from the mobile node which would then instruct
+ the correspondent node to direct that mobile node's data traffic to
+ its claimed care-of address.
+
+ This is done by testing whether packets addressed to the two claimed
+ addresses are routed to the mobile node. The mobile node can pass
+ the test only if it is able to supply proof that it received certain
+ data (the "keygen tokens") which the correspondent node sends to
+ those addresses. These data are combined by the mobile node into a
+ binding management key, denoted Kbm.
+
+ The figure below shows the message flow for the return routability
+ procedure.
+
+
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 22]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Mobile node Home agent Correspondent node
+ | |
+ | Home Test Init (HoTI) | |
+ |------------------------->|------------------------->|
+ | | |
+ | Care-of Test Init (CoTI) |
+ |---------------------------------------------------->|
+ | |
+ | | Home Test (HoT) |
+ |<-------------------------|<-------------------------|
+ | | |
+ | Care-of Test (CoT) |
+ |<----------------------------------------------------|
+ | |
+
+ The Home and Care-of Test Init messages are sent at the same time.
+ The procedure requires very little processing at the correspondent
+ node, and the Home and Care-of Test messages can be returned quickly,
+ perhaps nearly simultaneously. These four messages form the return
+ routability procedure.
+
+ Home Test Init
+
+ A mobile node sends a Home Test Init message to the correspondent
+ node (via the home agent) to acquire the home keygen token. The
+ contents of the message can be summarized as follows:
+
+ * Source Address = home address
+
+ * Destination Address = correspondent
+
+ * Parameters:
+
+ + home init cookie
+
+ The Home Test Init message conveys the mobile node's home address
+ to the correspondent node. The mobile node also sends along a
+ home init cookie that the correspondent node must return later.
+ The Home Test Init message is reverse tunneled through the home
+ agent. (The headers and addresses related to reverse tunneling
+ have been omitted from the above discussion of the message
+ contents.) The mobile node remembers these cookie values to
+ obtain some assurance that its protocol messages are being
+ processed by the desired correspondent node.
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 23]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Care-of Test Init
+
+ The mobile node sends a Care-of Test Init message to the
+ correspondent node (directly, not via the home agent) to acquire
+ the care-of keygen token. The contents of this message can be
+ summarized as follows:
+
+ * Source Address = care-of address
+
+ * Destination Address = correspondent
+
+ * Parameters:
+
+ + care-of init cookie
+
+ The Care-of Test Init message conveys the mobile node's care-of
+ address to the correspondent node. The mobile node also sends
+ along a care-of init cookie that the correspondent node must
+ return later. The Care-of Test Init message is sent directly to
+ the correspondent node.
+
+ Home Test
+
+ The Home Test message is sent in response to a Home Test Init
+ message. It is sent via the home agent. The contents of the
+ message are:
+
+ * Source Address = correspondent
+
+ * Destination Address = home address
+
+ * Parameters:
+
+ + home init cookie
+
+ + home keygen token
+
+ + home nonce index
+
+
+
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 24]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ When the correspondent node receives the Home Test Init message,
+ it generates a home keygen token as follows:
+
+ home keygen token :=
+ First (64, HMAC_SHA1 (Kcn, (home address | nonce | 0)))
+
+ where | denotes concatenation. The final "0" inside the HMAC_SHA1
+ function is a single zero octet, used to distinguish home and
+ care-of cookies from each other.
+
+ The home keygen token is formed from the first 64 bits of the MAC.
+ The home keygen token tests that the mobile node can receive were
+ messages sent to its home address. Kcn is used in the production
+ of home keygen token in order to allow the correspondent node to
+ verify that it generated the home and care-of nonces, without
+ forcing the correspondent node to remember a list of all tokens it
+ has handed out.
+
+ The Home Test message is sent to the mobile node via the home
+ network, where it is presumed that the home agent will tunnel the
+ message to the mobile node. This means that the mobile node needs
+ to already have sent a Binding Update to the home agent, so that
+ the home agent will have received and authorized the new care-of
+ address for the mobile node before the return routability
+ procedure. For improved security, the data passed between the
+ home agent and the mobile node is made immune to inspection and
+ passive attacks. Such protection is gained by encrypting the home
+ keygen token as it is tunneled from the home agent to the mobile
+ node as specified in Section 10.4.6. The security properties of
+ this additional security are discussed in Section 15.4.1.
+
+ The home init cookie from the mobile node is returned in the Home
+ Test message, to ensure that the message comes from a node on the
+ route between the home agent and the correspondent node.
+
+ The home nonce index is delivered to the mobile node to later
+ allow the correspondent node to efficiently find the nonce value
+ that it used in creating the home keygen token.
+
+ Care-of Test
+
+ This message is sent in response to a Care-of Test Init message.
+ This message is not sent via the home agent, it is sent directly
+ to the mobile node. The contents of the message are:
+
+ * Source Address = correspondent
+
+ * Destination Address = care-of address
+
+
+
+Johnson, et al. Standard Track [Page 25]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ * Parameters:
+
+ + care-of init cookie
+
+ + care-of keygen token
+
+ + care-of nonce index
+
+ When the correspondent node receives the Care-of Test Init
+ message, it generates a care-of keygen token as follows:
+
+ care-of keygen token :=
+ First (64, HMAC_SHA1 (Kcn, (care-of address | nonce | 1)))
+
+ Here, the final "1" inside the HMAC_SHA1 function is a single
+ octet containing the hex value 0x01, and is used to distinguish
+ home and care-of cookies from each other. The keygen token is
+ formed from the first 64 bits of the MAC, and sent directly to the
+ mobile node at its care-of address. The care-of init cookie from
+ the Care-of Test Init message is returned to ensure that the
+ message comes from a node on the route to the correspondent node.
+
+ The care-of nonce index is provided to identify the nonce used for
+ the care-of keygen token. The home and care-of nonce indices MAY
+ be the same, or different, in the Home and Care-of Test messages.
+
+ When the mobile node has received both the Home and Care-of Test
+ messages, the return routability procedure is complete. As a result
+ of the procedure, the mobile node has the data it needs to send a
+ Binding Update to the correspondent node. The mobile node hashes the
+ tokens together to form a 20 octet binding key Kbm:
+
+ Kbm = SHA1 (home keygen token | care-of keygen token)
+
+ A Binding Update may also be used to delete a previously established
+ binding (Section 6.1.7). In this case, the care-of keygen token is
+ not used. Instead, the binding management key is generated as
+ follows:
+
+ Kbm = SHA1(home keygen token)
+
+ Note that the correspondent node does not create any state specific
+ to the mobile node, until it receives the Binding Update from that
+ mobile node. The correspondent node does not maintain the value for
+ the binding management key Kbm; it creates Kbm when given the nonce
+ indices and the mobile node's addresses.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 26]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+5.2.6. Authorizing Binding Management Messages
+
+ After the mobile node has created the binding management key (Kbm),
+ it can supply a verifiable Binding Update to the correspondent node.
+ This section provides an overview of this registration. The below
+ figure shows the message flow.
+
+ Mobile node Correspondent node
+ | |
+ | Binding Update (BU) |
+ |---------------------------------------------->|
+ | (MAC, seq#, nonce indices, care-of address) |
+ | |
+ | |
+ | Binding Acknowledgement (BA) (if sent) |
+ |<----------------------------------------------|
+ | (MAC, seq#, status) |
+
+ Binding Update
+
+ To authorize a Binding Update, the mobile node creates a binding
+ management key Kbm from the keygen tokens as described in the
+ previous section. The contents of the Binding Update include the
+ following:
+
+ * Source Address = care-of address
+
+ * Destination Address = correspondent
+
+ * Parameters:
+
+ + home address (within the Home Address destination option if
+ different from the Source Address)
+
+ + sequence number (within the Binding Update message header)
+
+ + home nonce index (within the Nonce Indices option)
+
+ + care-of nonce index (within the Nonce Indices option)
+
+ + First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent
+ | BU)))
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 27]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The Binding Update contains a Nonce Indices option, indicating to
+ the correspondent node which home and care-of nonces to use to
+ recompute Kbm, the binding management key. The MAC is computed as
+ described in Section 6.2.7, using the correspondent node's address
+ as the destination address and the Binding Update message itself
+ ("BU" above) as the MH Data.
+
+ Once the correspondent node has verified the MAC, it can create a
+ Binding Cache entry for the mobile.
+
+ Binding Acknowledgement
+
+ The Binding Update is in some cases acknowledged by the
+ correspondent node. The contents of the message are as follows:
+
+ * Source Address = correspondent
+
+ * Destination Address = care-of address
+
+ * Parameters:
+
+ + sequence number (within the Binding Update message header)
+
+ + First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent
+ | BA)))
+
+ The Binding Acknowledgement contains the same sequence number as
+ the Binding Update. The MAC is computed as described in Section
+ 6.2.7, using the correspondent node's address as the destination
+ address and the message itself ("BA" above) as the MH Data.
+
+ Bindings established with correspondent nodes using keys created
+ by way of the return routability procedure MUST NOT exceed
+ MAX_RR_BINDING_LIFETIME seconds (see Section 12).
+
+ The value in the Source Address field in the IPv6 header carrying
+ the Binding Update is normally also the care-of address which is
+ used in the binding. However, a different care-of address MAY be
+ specified by including an Alternate Care-of Address mobility
+ option in the Binding Update (see Section 6.2.5). When such a
+ message is sent to the correspondent node and the return
+ routability procedure is used as the authorization method, the
+ Care-of Test Init and Care-of Test messages MUST have been
+ performed for the address in the Alternate Care-of Address option
+ (not the Source Address). The nonce indices and MAC value MUST be
+ based on information gained in this test.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 28]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Binding Updates may also be sent to delete a previously
+ established binding. In this case, generation of the binding
+ management key depends exclusively on the home keygen token and
+ the care-of nonce index is ignored.
+
+5.2.7. Updating Node Keys and Nonces
+
+ Correspondent nodes generate nonces at regular intervals. It is
+ recommended to keep each nonce (identified by a nonce index)
+ acceptable for at least MAX_TOKEN_LIFETIME seconds (see Section 12)
+ after it has been first used in constructing a return routability
+ message response. However, the correspondent node MUST NOT accept
+ nonces beyond MAX_NONCE_LIFETIME seconds (see Section 12) after the
+ first use. As the difference between these two constants is 30
+ seconds, a convenient way to enforce the above lifetimes is to
+ generate a new nonce every 30 seconds. The node can then continue to
+ accept tokens that have been based on the last 8 (MAX_NONCE_LIFETIME
+ / 30) nonces. This results in tokens being acceptable
+ MAX_TOKEN_LIFETIME to MAX_NONCE_LIFETIME seconds after they have been
+ sent to the mobile node, depending on whether the token was sent at
+ the beginning or end of the first 30 second period. Note that the
+ correspondent node may also attempt to generate new nonces on demand,
+ or only if the old nonces have been used. This is possible, as long
+ as the correspondent node keeps track of how long a time ago the
+ nonces were used for the first time, and does not generate new nonces
+ on every return routability request.
+
+ Due to resource limitations, rapid deletion of bindings, or reboots
+ the correspondent node may not in all cases recognize the nonces that
+ the tokens were based on. If a nonce index is unrecognized, the
+ correspondent node replies with an error code in the Binding
+ Acknowledgement (either 136, 137, or 138 as discussed in Section
+ 6.1.8). The mobile node can then retry the return routability
+ procedure.
+
+ An update of Kcn SHOULD be done at the same time as an update of a
+ nonce, so that nonce indices can identify both the nonce and the key.
+ Old Kcn values have to be therefore remembered as long as old nonce
+ values.
+
+ Given that the tokens are normally expected to be usable for
+ MAX_TOKEN_LIFETIME seconds, the mobile node MAY use them beyond a
+ single run of the return routability procedure until
+ MAX_TOKEN_LIFETIME expires. After this the mobile node SHOULD NOT
+ use the tokens. A fast moving mobile node MAY reuse a recent home
+ keygen token from a correspondent node when moving to a new location,
+ and just acquire a new care-of keygen token to show routability in
+ the new location.
+
+
+
+Johnson, et al. Standard Track [Page 29]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ While this does not save the number of round-trips due to the
+ simultaneous processing of home and care-of return routability tests,
+ there are fewer messages being exchanged, and a potentially long
+ round-trip through the home agent is avoided. Consequently, this
+ optimization is often useful. A mobile node that has multiple home
+ addresses, MAY also use the same care-of keygen token for Binding
+ Updates concerning all of these addresses.
+
+5.2.8. Preventing Replay Attacks
+
+ The return routability procedure also protects the participants
+ against replayed Binding Updates through the use of the sequence
+ number and a MAC. Care must be taken when removing bindings at the
+ correspondent node, however. Correspondent nodes must retain
+ bindings and the associated sequence number information at least as
+ long as the nonces used in the authorization of the binding are still
+ valid. Alternatively, if memory is very constrained, the
+ correspondent node MAY invalidate the nonces that were used for the
+ binding being deleted (or some larger group of nonces that they
+ belong to). This may, however, impact the ability to accept Binding
+ Updates from mobile nodes that have recently received keygen tokens.
+ This alternative is therefore recommended only as a last measure.
+
+5.3. Dynamic Home Agent Address Discovery
+
+ No security is required for dynamic home agent address discovery.
+
+5.4. Mobile Prefix Discovery
+
+ The mobile node and the home agent SHOULD use an IPsec security
+ association to protect the integrity and authenticity of the Mobile
+ Prefix Solicitations and Advertisements. Both the mobile nodes and
+ the home agents MUST support and SHOULD use the Encapsulating
+ Security Payload (ESP) header in transport mode with a non-NULL
+ payload authentication algorithm to provide data origin
+ authentication, connectionless integrity and optional anti-replay
+ protection.
+
+5.5. Payload Packets
+
+ Payload packets exchanged with mobile nodes can be protected in the
+ usual manner, in the same way as stationary hosts can protect them.
+ However, Mobile IPv6 introduces the Home Address destination option,
+ a routing header, and tunneling headers in the payload packets. In
+ the following we define the security measures taken to protect these,
+ and to prevent their use in attacks against other parties.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 30]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ This specification limits the use of the Home Address destination
+ option to the situation where the correspondent node already has a
+ Binding Cache entry for the given home address. This avoids the use
+ of the Home Address option in attacks described in Section 15.1.
+
+ Mobile IPv6 uses a Mobile IPv6 specific type of a routing header.
+ This type provides the necessary functionality but does not open
+ vulnerabilities discussed in Section 15.1.
+
+ Tunnels between the mobile node and the home agent are protected by
+ ensuring proper use of source addresses, and optional cryptographic
+ protection. The mobile node verifies that the outer IP address
+ corresponds to its home agent. The home agent verifies that the
+ outer IP address corresponds to the current location of the mobile
+ node (Binding Updates sent to the home agents are secure). The home
+ agent identifies the mobile node through the source address of the
+ inner packet. (Typically, this is the home address of the mobile
+ node, but it can also be a link-local address, as discussed in
+ Section 10.4.2. To recognize the latter type of addresses, the home
+ agent requires that the Link-Local Address Compatibility (L) was set
+ in the Binding Update.) These measures protect the tunnels against
+ vulnerabilities discussed in Section 15.1.
+
+ For traffic tunneled via the home agent, additional IPsec ESP
+ encapsulation MAY be supported and used. If multicast group
+ membership control protocols or stateful address autoconfiguration
+ protocols are supported, payload data protection MUST be supported.
+
+6. New IPv6 Protocol, Message Types, and Destination Option
+
+6.1. Mobility Header
+
+ The Mobility Header is an extension header used by mobile nodes,
+ correspondent nodes, and home agents in all messaging related to the
+ creation and management of bindings. The subsections within this
+ section describe the message types that may be sent using the
+ Mobility Header.
+
+ Mobility Header messages MUST NOT be sent with a type 2 routing
+ header, except as described in Section 9.5.4 for Binding
+ Acknowledgement. Mobility Header messages also MUST NOT be used with
+ a Home Address destination option, except as described in Section
+ 11.7.1 and Section 11.7.2 for Binding Update. Binding Update List or
+ Binding Cache information (when present) for the destination MUST NOT
+ be used in sending Mobility Header messages. That is, Mobility
+ Header messages bypass both the Binding Cache check described in
+ Section 9.3.2 and the Binding Update List check described in Section
+
+
+
+
+Johnson, et al. Standard Track [Page 31]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ 11.3.1 which are normally performed for all packets. This applies
+ even to messages sent to or from a correspondent node which is itself
+ a mobile node.
+
+6.1.1. Format
+
+ The Mobility Header is identified by a Next Header value of 135 in
+ the immediately preceding header, and has the following format:
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Payload Proto | Header Len | MH Type | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Checksum | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
+ | |
+ . .
+ . Message Data .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Payload Proto
+
+ 8-bit selector. Identifies the type of header immediately
+ following the Mobility Header. Uses the same values as the IPv6
+ Next Header field [11].
+
+ This field is intended to be used by a future extension (see
+ Appendix B.1).
+
+ Implementations conforming to this specification SHOULD set the
+ payload protocol type to IPPROTO_NONE (59 decimal).
+
+ Header Len
+
+ 8-bit unsigned integer, representing the length of the Mobility
+ Header in units of 8 octets, excluding the first 8 octets.
+
+ The length of the Mobility Header MUST be a multiple of 8 octets.
+
+ MH Type
+
+ 8-bit selector. Identifies the particular mobility message in
+ question. Current values are specified in Section 6.1.2 and
+ onward. An unrecognized MH Type field causes an error indication
+ to be sent.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 32]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Reserved
+
+ 8-bit field reserved for future use. The value MUST be
+ initialized to zero by the sender, and MUST be ignored by the
+ receiver.
+
+ Checksum
+
+ 16-bit unsigned integer. This field contains the checksum of the
+ Mobility Header. The checksum is calculated from the octet string
+ consisting of a "pseudo-header" followed by the entire Mobility
+ Header starting with the Payload Proto field. The checksum is the
+ 16-bit one's complement of the one's complement sum of this
+ string.
+
+ The pseudo-header contains IPv6 header fields, as specified in
+ Section 8.1 of RFC 2460 [11]. The Next Header value used in the
+ pseudo-header is 2. The addresses used in the pseudo-header are
+ the addresses that appear in the Source and Destination Address
+ fields in the IPv6 packet carrying the Mobility Header.
+
+ Note that the procedures of calculating upper layer checksums
+ while away from home described in Section 11.3.1 apply even for
+ the Mobility Header. If a mobility message has a Home Address
+ destination option, then the checksum calculation uses the home
+ address in this option as the value of the IPv6 Source Address
+ field. The type 2 routing header is treated as explained in [11].
+
+ The Mobility Header is considered as the upper layer protocol for
+ the purposes of calculating the pseudo-header. The Upper-Layer
+ Packet Length field in the pseudo-header MUST be set to the total
+ length of the Mobility Header.
+
+ For computing the checksum, the checksum field is set to zero.
+
+ Message Data
+
+ A variable length field containing the data specific to the
+ indicated Mobility Header type.
+
+ Mobile IPv6 also defines a number of "mobility options" for use
+ within these messages; if included, any options MUST appear after the
+ fixed portion of the message data specified in this document. The
+ presence of such options will be indicated by the Header Len field
+ within the message. When the Header Len value is greater than the
+ length required for the message specified here, the remaining octets
+ are interpreted as mobility options. These options include padding
+ options that can be used to ensure that other options are aligned
+
+
+
+Johnson, et al. Standard Track [Page 33]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ properly, and that the total length of the message is divisible by 8.
+ The encoding and format of defined options are described in Section
+ 6.2.
+
+ Alignment requirements for the Mobility Header are the same as for
+ any IPv6 protocol Header. That is, they MUST be aligned on an 8-
+ octet boundary.
+
+6.1.2. Binding Refresh Request Message
+
+ The Binding Refresh Request (BRR) message requests a mobile node to
+ update its mobility binding. This message is sent by correspondent
+ nodes according to the rules in Section 9.5.5. When a mobile node
+ receives a packet containing a Binding Refresh Request message it
+ processes the message according to the rules in Section 11.7.4.
+
+ The Binding Refresh Request message uses the MH Type value 0. When
+ this value is indicated in the MH Type field, the format of the
+ Message Data field in the Mobility Header is as follows:
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ . .
+ . Mobility options .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Reserved
+
+ 16-bit field reserved for future use. The value MUST be
+ initialized to zero by the sender, and MUST be ignored by the
+ receiver.
+
+ Mobility Options
+
+ Variable-length field of such length that the complete Mobility
+ Header is an integer multiple of 8 octets long. This field
+ contains zero or more TLV-encoded mobility options. The encoding
+ and format of defined options are described in Section 6.2. The
+ receiver MUST ignore and skip any options which it does not
+ understand.
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 34]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ There MAY be additional information, associated with this Binding
+ Refresh Request message that need not be present in all Binding
+ Refresh Request messages sent. Mobility options allow future
+ extensions to the format of the Binding Refresh Request message to
+ be defined. This specification does not define any options valid
+ for the Binding Refresh Request message.
+
+ If no actual options are present in this message, no padding is
+ necessary and the Header Len field will be set to 0.
+
+6.1.3. Home Test Init Message
+
+ A mobile node uses the Home Test Init (HoTI) message to initiate the
+ return routability procedure and request a home keygen token from a
+ correspondent node (see Section 11.6.1). The Home Test Init message
+ uses the MH Type value 1. When this value is indicated in the MH
+ Type field, the format of the Message Data field in the Mobility
+ Header is as follows:
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + Home Init Cookie +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ . .
+ . Mobility Options .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Reserved
+
+ 16-bit field reserved for future use. This value MUST be
+ initialized to zero by the sender, and MUST be ignored by the
+ receiver.
+
+ Home Init Cookie
+
+ 64-bit field which contains a random value, the home init cookie.
+
+ Mobility Options
+
+ Variable-length field of such length that the complete Mobility
+ Header is an integer multiple of 8 octets long. This field
+ contains zero or more TLV-encoded mobility options. The receiver
+
+
+
+Johnson, et al. Standard Track [Page 35]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ MUST ignore and skip any options which it does not understand.
+ This specification does not define any options valid for the Home
+ Test Init message.
+
+ If no actual options are present in this message, no padding is
+ necessary and the Header Len field will be set to 1.
+
+ This message is tunneled through the home agent when the mobile node
+ is away from home. Such tunneling SHOULD employ IPsec ESP in tunnel
+ mode between the home agent and the mobile node. This protection is
+ indicated by the IPsec security policy database. The protection of
+ Home Test Init messages is unrelated to the requirement to protect
+ regular payload traffic, which MAY use such tunnels as well.
+
+6.1.4. Care-of Test Init Message
+
+ A mobile node uses the Care-of Test Init (CoTI) message to initiate
+ the return routability procedure and request a care-of keygen token
+ from a correspondent node (see Section 11.6.1). The Care-of Test
+ Init message uses the MH Type value 2. When this value is indicated
+ in the MH Type field, the format of the Message Data field in the
+ Mobility Header is as follows:
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + Care-of Init Cookie +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ . .
+ . Mobility Options .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Reserved
+
+ 16-bit field reserved for future use. The value MUST be
+ initialized to zero by the sender, and MUST be ignored by the
+ receiver.
+
+ Care-of Init Cookie
+
+ 64-bit field which contains a random value, the care-of init
+ cookie.
+
+
+
+
+Johnson, et al. Standard Track [Page 36]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Mobility Options
+
+ Variable-length field of such length that the complete Mobility
+ Header is an integer multiple of 8 octets long. This field
+ contains zero or more TLV-encoded mobility options. The receiver
+ MUST ignore and skip any options which it does not understand.
+ This specification does not define any options valid for the
+ Care-of Test Init message.
+
+ If no actual options are present in this message, no padding is
+ necessary and the Header Len field will be set to 1.
+
+6.1.5. Home Test Message
+
+ The Home Test (HoT) message is a response to the Home Test Init
+ message, and is sent from the correspondent node to the mobile node
+ (see Section 5.2.5). The Home Test message uses the MH Type value 3.
+ When this value is indicated in the MH Type field, the format of the
+ Message Data field in the Mobility Header is as follows:
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Home Nonce Index |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + Home Init Cookie +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + Home Keygen Token +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ . .
+ . Mobility options .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Home Nonce Index
+
+ This field will be echoed back by the mobile node to the
+ correspondent node in a subsequent Binding Update.
+
+ Home Init Cookie
+
+ 64-bit field which contains the home init cookie.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 37]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Home Keygen Token
+
+ This field contains the 64 bit home keygen token used in the
+ return routability procedure.
+
+ Mobility Options
+
+ Variable-length field of such length that the complete Mobility
+ Header is an integer multiple of 8 octets long. This field
+ contains zero or more TLV-encoded mobility options. The receiver
+ MUST ignore and skip any options which it does not understand.
+ This specification does not define any options valid for the Home
+ Test message.
+
+ If no actual options are present in this message, no padding is
+ necessary and the Header Len field will be set to 2.
+
+6.1.6. Care-of Test Message
+
+ The Care-of Test (CoT) message is a response to the Care-of Test Init
+ message, and is sent from the correspondent node to the mobile node
+ (see Section 11.6.2). The Care-of Test message uses the MH Type
+ value 4. When this value is indicated in the MH Type field, the
+ format of the Message Data field in the Mobility Header is as
+ follows:
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Care-of Nonce Index |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + Care-of Init Cookie +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + Care-of Keygen Token +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ . .
+ . Mobility Options .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Care-of Nonce Index
+
+ This value will be echoed back by the mobile node to the
+ correspondent node in a subsequent Binding Update.
+
+
+
+Johnson, et al. Standard Track [Page 38]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Care-of Init Cookie
+
+ 64-bit field which contains the care-of init cookie.
+
+ Care-of Keygen Token
+
+ This field contains the 64 bit care-of keygen token used in the
+ return routability procedure.
+
+ Mobility Options
+
+ Variable-length field of such length that the complete Mobility
+ Header is an integer multiple of 8 octets long. This field
+ contains zero or more TLV-encoded mobility options. The receiver
+ MUST ignore and skip any options which it does not understand.
+ This specification does not define any options valid for the
+ Care-of Test message.
+
+ If no actual options are present in this message, no padding is
+ necessary and the Header Len field will be set to 2.
+
+6.1.7. Binding Update Message
+
+ The Binding Update (BU) message is used by a mobile node to notify
+ other nodes of a new care-of address for itself. Binding Updates are
+ sent as described in Section 11.7.1 and Section 11.7.2.
+
+ The Binding Update uses the MH Type value 5. When this value is
+ indicated in the MH Type field, the format of the Message Data field
+ in the Mobility Header is as follows:
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Sequence # |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |A|H|L|K| Reserved | Lifetime |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ . .
+ . Mobility options .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Acknowledge (A)
+
+ The Acknowledge (A) bit is set by the sending mobile node to
+ request a Binding Acknowledgement (Section 6.1.8) be returned upon
+ receipt of the Binding Update.
+
+
+
+Johnson, et al. Standard Track [Page 39]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Home Registration (H)
+
+ The Home Registration (H) bit is set by the sending mobile node to
+ request that the receiving node should act as this node's home
+ agent. The destination of the packet carrying this message MUST
+ be that of a router sharing the same subnet prefix as the home
+ address of the mobile node in the binding.
+
+ Link-Local Address Compatibility (L)
+
+ The Link-Local Address Compatibility (L) bit is set when the home
+ address reported by the mobile node has the same interface
+ identifier as the mobile node's link-local address.
+
+ Key Management Mobility Capability (K)
+
+ If this bit is cleared, the protocol used for establishing the
+ IPsec security associations between the mobile node and the home
+ agent does not survive movements. It may then have to be rerun.
+ (Note that the IPsec security associations themselves are expected
+ to survive movements.) If manual IPsec configuration is used, the
+ bit MUST be cleared.
+
+ This bit is valid only in Binding Updates sent to the home agent,
+ and MUST be cleared in other Binding Updates. Correspondent nodes
+ MUST ignore this bit.
+
+ Reserved
+
+ These fields are unused. They MUST be initialized to zero by the
+ sender and MUST be ignored by the receiver.
+
+ Sequence #
+
+ A 16-bit unsigned integer used by the receiving node to sequence
+ Binding Updates and by the sending node to match a returned
+ Binding Acknowledgement with this Binding Update.
+
+ Lifetime
+
+ 16-bit unsigned integer. The number of time units remaining
+ before the binding MUST be considered expired. A value of zero
+ indicates that the Binding Cache entry for the mobile node MUST be
+ deleted. (In this case the specified care-of address MUST also be
+ set equal to the home address.) One time unit is 4 seconds.
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 40]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Mobility Options
+
+ Variable-length field of such length that the complete Mobility
+ Header is an integer multiple of 8 octets long. This field
+ contains zero or more TLV-encoded mobility options. The encoding
+ and format of defined options are described in Section 6.2. The
+ receiver MUST ignore and skip any options which it does not
+ understand.
+
+ The following options are valid in a Binding Update:
+
+ * Binding Authorization Data option (this option is mandatory in
+ Binding Updates sent to a correspondent node)
+
+ * Nonce Indices option.
+
+ * Alternate Care-of Address option
+
+ If no options are present in this message, 4 octets of padding are
+ necessary and the Header Len field will be set to 1.
+
+ The care-of address is specified either by the Source Address field
+ in the IPv6 header or by the Alternate Care-of Address option, if
+ present. The care-of address MUST be a unicast routable address.
+ IPv6 Source Address MUST be a topologically correct source address.
+ Binding Updates for a care-of address which is not a unicast routable
+ address MUST be silently discarded. Similarly, the Binding Update
+ MUST be silently discarded if the care-of address appears as a home
+ address in an existing Binding Cache entry, with its current location
+ creating a circular reference back to the home address specified in
+ the Binding Update (possibly through additional entries).
+
+ The deletion of a binding can be indicated by setting the Lifetime
+ field to 0 and by setting the care-of address equal to the home
+ address. In deletion, the generation of the binding management key
+ depends exclusively on the home keygen token, as explained in Section
+ 5.2.5. (Note that while the senders are required to set both the
+ Lifetime field to 0 and the care-of address equal to the home
+ address, Section 9.5.1 rules for receivers are more liberal, and
+ interpret either condition as a deletion.)
+
+ Correspondent nodes SHOULD NOT delete the Binding Cache entry before
+ the lifetime expires, if any application hosted by the correspondent
+ node is still likely to require communication with the mobile node.
+ A Binding Cache entry that is de-allocated prematurely might cause
+ subsequent packets to be dropped from the mobile node, if they
+ contain the Home Address destination option. This situation is
+ recoverable, since a Binding Error message is sent to the mobile node
+
+
+
+Johnson, et al. Standard Track [Page 41]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ (see Section 6.1.9); however, it causes unnecessary delay in the
+ communications.
+
+6.1.8. Binding Acknowledgement Message
+
+ The Binding Acknowledgement is used to acknowledge receipt of a
+ Binding Update (Section 6.1.7). This packet is sent as described in
+ Section 9.5.4 and Section 10.3.1.
+
+ The Binding Acknowledgement has the MH Type value 6. When this value
+ is indicated in the MH Type field, the format of the Message Data
+ field in the Mobility Header is as follows:
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Status |K| Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Sequence # | Lifetime |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ . .
+ . Mobility options .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Key Management Mobility Capability (K)
+
+ If this bit is cleared, the protocol used by the home agent for
+ establishing the IPsec security associations between the mobile
+ node and the home agent does not survive movements. It may then
+ have to be rerun. (Note that the IPsec security associations
+ themselves are expected to survive movements.)
+
+ Correspondent nodes MUST set the K bit to 0.
+
+ Reserved
+
+ These fields are unused. They MUST be initialized to zero by the
+ sender and MUST be ignored by the receiver.
+
+
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 42]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Status
+
+ 8-bit unsigned integer indicating the disposition of the Binding
+ Update. Values of the Status field less than 128 indicate that
+ the Binding Update was accepted by the receiving node. Values
+ greater than or equal to 128 indicate that the Binding Update was
+ rejected by the receiving node. The following Status values are
+ currently defined:
+
+ 0 Binding Update accepted
+
+ 1 Accepted but prefix discovery necessary
+
+ 128 Reason unspecified
+
+ 129 Administratively prohibited
+
+ 130 Insufficient resources
+
+ 131 Home registration not supported
+
+ 132 Not home subnet
+
+ 133 Not home agent for this mobile node
+
+ 134 Duplicate Address Detection failed
+
+ 135 Sequence number out of window
+
+ 136 Expired home nonce index
+
+ 137 Expired care-of nonce index
+
+ 138 Expired nonces
+
+ 139 Registration type change disallowed
+
+ Up-to-date values of the Status field are to be specified in the IANA
+ registry of assigned numbers [19].
+
+ Sequence #
+
+ The Sequence Number in the Binding Acknowledgement is copied from
+ the Sequence Number field in the Binding Update. It is used by
+ the mobile node in matching this Binding Acknowledgement with an
+ outstanding Binding Update.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 43]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Lifetime
+
+ The granted lifetime, in time units of 4 seconds, for which this
+ node SHOULD retain the entry for this mobile node in its Binding
+ Cache.
+
+ The value of this field is undefined if the Status field indicates
+ that the Binding Update was rejected.
+
+ Mobility Options
+
+ Variable-length field of such length that the complete Mobility
+ Header is an integer multiple of 8 octets long. This field
+ contains zero or more TLV-encoded mobility options. The encoding
+ and format of defined options are described in Section 6.2. The
+ receiver MUST ignore and skip any options which it does not
+ understand.
+
+ There MAY be additional information, associated with this Binding
+ Acknowledgement that need not be present in all Binding
+ Acknowledgements sent. Mobility options allow future extensions
+ to the format of the Binding Acknowledgement to be defined. The
+ following options are valid for the Binding Acknowledgement:
+
+ * Binding Authorization Data option (this option is mandatory in
+ Binding Acknowledgements sent by a correspondent node, except
+ where otherwise noted in Section 9.5.4)
+
+ * Binding Refresh Advice option
+
+ If no options are present in this message, 4 octets of padding are
+ necessary and the Header Len field will be set to 1.
+
+6.1.9. Binding Error Message
+
+ The Binding Error (BE) message is used by the correspondent node to
+ signal an error related to mobility, such as an inappropriate attempt
+ to use the Home Address destination option without an existing
+ binding; see Section 9.3.3 for details.
+
+
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 44]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The Binding Error message uses the MH Type value 7. When this value
+ is indicated in the MH Type field, the format of the Message Data
+ field in the Mobility Header is as follows:
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Status | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + +
+ | |
+ + Home Address +
+ | |
+ + +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ . .
+ . Mobility Options .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Status
+
+ 8-bit unsigned integer indicating the reason for this message.
+ The following values are currently defined:
+
+ 1 Unknown binding for Home Address destination option
+
+ 2 Unrecognized MH Type value
+
+ Reserved
+
+ A 8-bit field reserved for future use. The value MUST be
+ initialized to zero by the sender, and MUST be ignored by the
+ receiver.
+
+ Home Address
+
+ The home address that was contained in the Home Address
+ destination option. The mobile node uses this information to
+ determine which binding does not exist, in cases where the mobile
+ node has several home addresses.
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 45]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Mobility Options
+
+ Variable-length field of such length that the complete Mobility
+ Header is an integer multiple of 8 octets long. This field
+ contains zero or more TLV-encoded mobility options. The receiver
+ MUST ignore and skip any options which it does not understand.
+
+ There MAY be additional information, associated with this Binding
+ Error message that need not be present in all Binding Error
+ messages sent. Mobility options allow future extensions to the
+ format of the format of the Binding Error message to be defined.
+ The encoding and format of defined options are described in
+ Section 6.2. This specification does not define any options valid
+ for the Binding Error message.
+
+ If no actual options are present in this message, no padding is
+ necessary and the Header Len field will be set to 2.
+
+6.2. Mobility Options
+
+ Mobility messages can include zero or more mobility options. This
+ allows optional fields that may not be needed in every use of a
+ particular Mobility Header, as well as future extensions to the
+ format of the messages. Such options are included in the Message
+ Data field of the message itself, after the fixed portion of the
+ message data specified in the message subsections of Section 6.1.
+
+ The presence of such options will be indicated by the Header Len of
+ the Mobility Header. If included, the Binding Authorization Data
+ option (Section 6.2.7) MUST be the last option and MUST NOT have
+ trailing padding. Otherwise, options can be placed in any order.
+
+6.2.1. Format
+
+ Mobility options are encoded within the remaining space of the
+ Message Data field of a mobility message, using a type-length-value
+ (TLV) format as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option Type | Option Length | Option Data...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 46]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Option Type
+
+ 8-bit identifier of the type of mobility option. When processing
+ a Mobility Header containing an option for which the Option Type
+ value is not recognized by the receiver, the receiver MUST quietly
+ ignore and skip over the option, correctly handling any remaining
+ options in the message.
+
+ Option Length
+
+ 8-bit unsigned integer, representing the length in octets of the
+ mobility option, not including the Option Type and Option Length
+ fields.
+
+ Option Data
+
+ A variable length field that contains data specific to the option.
+
+ The following subsections specify the Option types which are
+ currently defined for use in the Mobility Header.
+
+ Implementations MUST silently ignore any mobility options that they
+ do not understand.
+
+ Mobility options may have alignment requirements. Following the
+ convention in IPv6, these options are aligned in a packet so that
+ multi-octet values within the Option Data field of each option fall
+ on natural boundaries (i.e., fields of width n octets are placed at
+ an integer multiple of n octets from the start of the header, for n =
+ 1, 2, 4, or 8) [11].
+
+6.2.2. Pad1
+
+ The Pad1 option does not have any alignment requirements. Its format
+ is as follows:
+
+ 0
+ 0 1 2 3 4 5 6 7
+ +-+-+-+-+-+-+-+-+
+ | Type = 0 |
+ +-+-+-+-+-+-+-+-+
+
+ NOTE! the format of the Pad1 option is a special case - it has
+ neither Option Length nor Option Data fields.
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 47]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The Pad1 option is used to insert one octet of padding in the
+ Mobility Options area of a Mobility Header. If more than one octet
+ of padding is required, the PadN option, described next, should be
+ used rather than multiple Pad1 options.
+
+6.2.3. PadN
+
+ The PadN option does not have any alignment requirements. Its format
+ is as follows:
+
+ 0 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
+ | Type = 1 | Option Length | Option Data
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
+
+ The PadN option is used to insert two or more octets of padding in
+ the Mobility Options area of a mobility message. For N octets of
+ padding, the Option Length field contains the value N-2, and the
+ Option Data consists of N-2 zero-valued octets. PadN Option data
+ MUST be ignored by the receiver.
+
+6.2.4. Binding Refresh Advice
+
+ The Binding Refresh Advice option has an alignment requirement of 2n.
+ Its format is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type = 2 | Length = 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Refresh Interval |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The Binding Refresh Advice option is only valid in the Binding
+ Acknowledgement, and only on Binding Acknowledgements sent from the
+ mobile node's home agent in reply to a home registration. The
+ Refresh Interval is measured in units of four seconds, and indicates
+ remaining time until the mobile node SHOULD send a new home
+ registration to the home agent. The Refresh Interval MUST be set to
+ indicate a smaller time interval than the Lifetime value of the
+ Binding Acknowledgement.
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 48]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+6.2.5. Alternate Care-of Address
+
+ The Alternate Care-of Address option has an alignment requirement of
+ 8n+6. Its format is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type = 3 | Length = 16 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + +
+ | |
+ + Alternate Care-of Address +
+ | |
+ + +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Normally, a Binding Update specifies the desired care-of address in
+ the Source Address field of the IPv6 header. However, this is not
+ possible in some cases, such as when the mobile node wishes to
+ indicate a care-of address which it cannot use as a topologically
+ correct source address (Section 6.1.7 and Section 11.7.2) or when the
+ used security mechanism does not protect the IPv6 header (Section
+ 11.7.1).
+
+ The Alternate Care-of Address option is provided for these
+ situations. This option is valid only in Binding Update. The
+ Alternate Care-of Address field contains an address to use as the
+ care-of address for the binding, rather than using the Source Address
+ of the packet as the care-of address.
+
+6.2.6. Nonce Indices
+
+ The Nonce Indices option has an alignment requirement of 2n. Its
+ format is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type = 4 | Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Home Nonce Index | Care-of Nonce Index |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 49]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The Nonce Indices option is valid only in the Binding Update message
+ sent to a correspondent node, and only when present together with a
+ Binding Authorization Data option. When the correspondent node
+ authorizes the Binding Update, it needs to produce home and care-of
+ keygen tokens from its stored random nonce values.
+
+ The Home Nonce Index field tells the correspondent node which nonce
+ value to use when producing the home keygen token.
+
+ The Care-of Nonce Index field is ignored in requests to delete a
+ binding. Otherwise, it tells the correspondent node which nonce
+ value to use when producing the care-of keygen token.
+
+6.2.7. Binding Authorization Data
+
+ The Binding Authorization Data option does not have alignment
+ requirements as such. However, since this option must be the last
+ mobility option, an implicit alignment requirement is 8n + 2. The
+ format of this option is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type = 5 | Option Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + +
+ | Authenticator |
+ + +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The Binding Authorization Data option is valid in the Binding Update
+ and Binding Acknowledgement.
+
+ The Option Length field contains the length of the authenticator in
+ octets.
+
+ The Authenticator field contains a cryptographic value which can be
+ used to determine that the message in question comes from the right
+ authority. Rules for calculating this value depends on the used
+ authorization procedure.
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 50]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ For the return routability procedure, this option can appear in the
+ Binding Update and Binding Acknowledgements. Rules for calculating
+ the Authenticator value are the following:
+
+ Mobility Data = care-of address | correspondent | MH Data
+ Authenticator = First (96, HMAC_SHA1 (Kbm, Mobility Data))
+
+ Where | denotes concatenation. "Care-of address" is the care-of
+ address which will be registered for the mobile node if the Binding
+ Update succeeds, or the home address of the mobile node if this
+ option is used in de-registration. Note also that this address might
+ be different from the source address of the Binding Update message,
+ if the Alternative Care-of Address mobility option is used, or when
+ the lifetime of the binding is set to zero.
+
+ The "correspondent" is the IPv6 address of the correspondent node.
+ Note that, if the message is sent to a destination which is itself
+ mobile, the "correspondent" address may not be the address found in
+ the Destination Address field of the IPv6 header; instead the home
+ address from the type 2 Routing header should be used.
+
+ "MH Data" is the content of the Mobility Header, excluding the
+ Authenticator field itself. The Authenticator value is calculated as
+ if the Checksum field in the Mobility Header was zero. The Checksum
+ in the transmitted packet is still calculated in the usual manner,
+ with the calculated Authenticator being a part of the packet
+ protected by the Checksum. Kbm is the binding management key, which
+ is typically created using nonces provided by the correspondent node
+ (see Section 9.4). Note that while the contents of a potential Home
+ Address destination option are not covered in this formula, the rules
+ for the calculation of the Kbm do take the home address in account.
+ This ensures that the MAC will be different for different home
+ addresses.
+
+ The first 96 bits from the MAC result are used as the Authenticator
+ field.
+
+6.3. Home Address Option
+
+ The Home Address option is carried by the Destination Option
+ extension header (Next Header value = 60). It is used in a packet
+ sent by a mobile node while away from home, to inform the recipient
+ of the mobile node's home address.
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 51]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The Home Address option is encoded in type-length-value (TLV) format
+ as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option Type | Option Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + +
+ | |
+ + Home Address +
+ | |
+ + +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Option Type
+
+ 201 = 0xC9
+
+ Option Length
+
+ 8-bit unsigned integer. Length of the option, in octets,
+ excluding the Option Type and Option Length fields. This field
+ MUST be set to 16.
+
+ Home Address
+
+ The home address of the mobile node sending the packet. This
+ address MUST be a unicast routable address.
+
+ The alignment requirement [11] for the Home Address option is 8n+6.
+
+ The three highest-order bits of the Option Type field are encoded to
+ indicate specific processing of the option [11]; for the Home Address
+ option, these three bits are set to 110. This indicates the
+ following processing requirements:
+
+ o Any IPv6 node that does not recognize the Option Type must discard
+ the packet, and if the packet's Destination Address was not a
+ multicast address, return an ICMP Parameter Problem, Code 2,
+ message to the packet's Source Address. The Pointer field in the
+ ICMP message SHOULD point at the Option Type field. Otherwise,
+ for multicast addresses, the ICMP message MUST NOT be sent.
+
+ o The data within the option cannot change en route to the packet's
+ final destination.
+
+
+
+Johnson, et al. Standard Track [Page 52]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The Home Address option MUST be placed as follows:
+
+ o After the routing header, if that header is present
+
+ o Before the Fragment Header, if that header is present
+
+ o Before the AH Header or ESP Header, if either one of those headers
+ are present
+
+ For each IPv6 packet header, the Home Address Option MUST NOT appear
+ more than once. However, an encapsulated packet [15] MAY contain a
+ separate Home Address option associated with each encapsulating IP
+ header.
+
+ The inclusion of a Home Address destination option in a packet
+ affects the receiving node's processing of only this single packet.
+ No state is created or modified in the receiving node as a result of
+ receiving a Home Address option in a packet. In particular, the
+ presence of a Home Address option in a received packet MUST NOT alter
+ the contents of the receiver's Binding Cache and MUST NOT cause any
+ changes in the routing of subsequent packets sent by this receiving
+ node.
+
+6.4. Type 2 Routing Header
+
+ Mobile IPv6 defines a new routing header variant, the type 2 routing
+ header, to allow the packet to be routed directly from a
+ correspondent to the mobile node's care-of address. The mobile
+ node's care-of address is inserted into the IPv6 Destination Address
+ field. Once the packet arrives at the care-of address, the mobile
+ node retrieves its home address from the routing header, and this is
+ used as the final destination address for the packet.
+
+ The new routing header uses a different type than defined for
+ "regular" IPv6 source routing, enabling firewalls to apply different
+ rules to source routed packets than to Mobile IPv6. This routing
+ header type (type 2) is restricted to carry only one IPv6 address.
+ All IPv6 nodes which process this routing header MUST verify that the
+ address contained within is the node's own home address in order to
+ prevent packets from being forwarded outside the node. The IP
+ address contained in the routing header, since it is the mobile
+ node's home address, MUST be a unicast routable address.
+ Furthermore, if the scope of the home address is smaller than the
+ scope of the care-of address, the mobile node MUST discard the packet
+ (see Section 4.6).
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 53]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+6.4.1. Format
+
+ The type 2 routing header has the following format:
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Next Header | Hdr Ext Len=2 | Routing Type=2|Segments Left=1|
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + +
+ | |
+ + Home Address +
+ | |
+ + +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Next Header
+
+ 8-bit selector. Identifies the type of header immediately
+ following the routing header. Uses the same values as the IPv6
+ Next Header field [11].
+
+ Hdr Ext Len
+
+ 2 (8-bit unsigned integer); length of the routing header in 8-
+ octet units, not including the first 8 octets.
+
+ Routing Type
+
+ 2 (8-bit unsigned integer).
+
+ Segments Left
+
+ 1 (8-bit unsigned integer).
+
+ Reserved
+
+ 32-bit reserved field. The value MUST be initialized to zero by
+ the sender, and MUST be ignored by the receiver.
+
+ Home Address
+
+ The Home Address of the destination Mobile Node.
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 54]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ For a type 2 routing header, the Hdr Ext Len MUST be 2. The Segments
+ Left value describes the number of route segments remaining; i.e.,
+ number of explicitly listed intermediate nodes still to be visited
+ before reaching the final destination. Segments Left MUST be 1. The
+ ordering rules for extension headers in an IPv6 packet are described
+ in Section 4.1 of RFC 2460 [11]. The type 2 routing header defined
+ for Mobile IPv6 follows the same ordering as other routing headers.
+ If both a type 0 and a type 2 routing header are present, the type 2
+ routing header should follow the other routing header. A packet
+ containing such nested encapsulation should be created as if the
+ inner (type 2) routing header was constructed first and then treated
+ as an original packet by the outer (type 0) routing header
+ construction process.
+
+ In addition, the general procedures defined by IPv6 for routing
+ headers suggest that a received routing header MAY be automatically
+ "reversed" to construct a routing header for use in any response
+ packets sent by upper-layer protocols, if the received packet is
+ authenticated [6]. This MUST NOT be done automatically for type 2
+ routing headers.
+
+6.5. ICMP Home Agent Address Discovery Request Message
+
+ The ICMP Home Agent Address Discovery Request message is used by a
+ mobile node to initiate the dynamic home agent address discovery
+ mechanism, as described in Section 11.4.1. The mobile node sends the
+ Home Agent Address Discovery Request message to the Mobile IPv6
+ Home-Agents anycast address [16] for its own home subnet prefix.
+ (Note that the currently defined anycast addresses may not work with
+ all prefix lengths other than those defined in RFC 2373 [3, 35].)
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Code | Checksum |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Identifier | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 144
+
+ Code
+
+ 0
+
+
+
+
+
+Johnson, et al. Standard Track [Page 55]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Checksum
+
+ The ICMP checksum [14].
+
+ Identifier
+
+ An identifier to aid in matching Home Agent Address Discovery
+ Reply messages to this Home Agent Address Discovery Request
+ message.
+
+ Reserved
+
+ This field is unused. It MUST be initialized to zero by the
+ sender and MUST be ignored by the receiver.
+
+ The Source Address of the Home Agent Address Discovery Request
+ message packet is typically one of the mobile node's current care-of
+ addresses. At the time of performing this dynamic home agent address
+ discovery procedure, it is likely that the mobile node is not
+ registered with any home agent. Therefore, neither the nature of the
+ address nor the identity of the mobile node can be established at
+ this time. The home agent MUST then return the Home Agent Address
+ Discovery Reply message directly to the Source Address chosen by the
+ mobile node.
+
+6.6. ICMP Home Agent Address Discovery Reply Message
+
+ The ICMP Home Agent Address Discovery Reply message is used by a home
+ agent to respond to a mobile node that uses the dynamic home agent
+ address discovery mechanism, as described in Section 10.5.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Code | Checksum |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Identifier | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + +
+ . .
+ . Home Agent Addresses .
+ . .
+ + +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 56]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Type
+
+ 145
+
+ Code
+
+ 0
+
+ Checksum
+
+ The ICMP checksum [14].
+
+ Identifier
+
+ The identifier from the invoking Home Agent Address Discovery
+ Request message.
+
+ Reserved
+
+ This field is unused. It MUST be initialized to zero by the
+ sender and MUST be ignored by the receiver.
+
+ Home Agent Addresses
+
+ A list of addresses of home agents on the home link for the mobile
+ node. The number of addresses presented in the list is indicated
+ by the remaining length of the IPv6 packet carrying the Home Agent
+ Address Discovery Reply message.
+
+6.7. ICMP Mobile Prefix Solicitation Message Format
+
+ The ICMP Mobile Prefix Solicitation Message is sent by a mobile node
+ to its home agent while it is away from home. The purpose of the
+ message is to solicit a Mobile Prefix Advertisement from the home
+ agent, which will allow the mobile node to gather prefix information
+ about its home network. This information can be used to configure
+ and update home address(es) according to changes in prefix
+ information supplied by the home agent.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Code | Checksum |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Identifier | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 57]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ IP Fields:
+
+ Source Address
+
+ The mobile node's care-of address.
+
+ Destination Address
+
+ The address of the mobile node's home agent. This home agent must
+ be on the link that the mobile node wishes to learn prefix
+ information about.
+
+ Hop Limit
+
+ Set to an initial hop limit value, similarly to any other unicast
+ packet sent by the mobile node.
+
+ Destination Option:
+
+ A Home Address destination option MUST be included.
+
+ ESP header:
+
+ IPsec headers MUST be supported and SHOULD be used as described in
+ Section 5.4.
+
+ ICMP Fields:
+
+ Type
+
+ 146
+
+ Code
+
+ 0
+
+ Checksum
+
+ The ICMP checksum [14].
+
+ Identifier
+
+ An identifier to aid in matching a future Mobile Prefix
+ Advertisement to this Mobile Prefix Solicitation.
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 58]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Reserved
+
+ This field is unused. It MUST be initialized to zero by the
+ sender and MUST be ignored by the receiver.
+
+ The Mobile Prefix Solicitation messages may have options. These
+ options MUST use the option format defined in RFC 2461 [12]. This
+ document does not define any option types for the Mobile Prefix
+ Solicitation message, but future documents may define new options.
+ Home agents MUST silently ignore any options they do not recognize
+ and continue processing the message.
+
+6.8. ICMP Mobile Prefix Advertisement Message Format
+
+ A home agent will send a Mobile Prefix Advertisement to a mobile node
+ to distribute prefix information about the home link while the mobile
+ node is traveling away from the home network. This will occur in
+ response to a Mobile Prefix Solicitation with an Advertisement, or by
+ an unsolicited Advertisement sent according to the rules in Section
+ 10.6.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Code | Checksum |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Identifier |M|O| Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Options ...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ IP Fields:
+
+ Source Address
+
+ The home agent's address as the mobile node would expect to see it
+ (i.e., same network prefix).
+
+ Destination Address
+
+ If this message is a response to a Mobile Prefix Solicitation,
+ this field contains the Source Address field from that packet.
+ For unsolicited messages, the mobile node's care-of address SHOULD
+ be used. Note that unsolicited messages can only be sent if the
+ mobile node is currently registered with the home agent.
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 59]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Routing header:
+
+ A type 2 routing header MUST be included.
+
+ ESP header:
+
+ IPsec headers MUST be supported and SHOULD be used as described in
+ Section 5.4.
+
+ ICMP Fields:
+
+ Type
+
+ 147
+
+ Code
+
+ 0
+
+ Checksum
+
+ The ICMP checksum [14].
+
+ Identifier
+
+ An identifier to aid in matching this Mobile Prefix Advertisement
+ to a previous Mobile Prefix Solicitation.
+
+ M
+
+ 1-bit Managed Address Configuration flag. When set, hosts use the
+ administered (stateful) protocol for address autoconfiguration in
+ addition to any addresses autoconfigured using stateless address
+ autoconfiguration. The use of this flag is described in [12, 13].
+
+ O
+
+ 1-bit Other Stateful Configuration flag. When set, hosts use the
+ administered (stateful) protocol for autoconfiguration of other
+ (non-address) information. The use of this flag is described in
+ [12, 13].
+
+ Reserved
+
+ This field is unused. It MUST be initialized to zero by the
+ sender and MUST be ignored by the receiver.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 60]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The Mobile Prefix Advertisement messages may have options. These
+ options MUST use the option format defined in RFC 2461 [12]. This
+ document defines one option which may be carried in a Mobile Prefix
+ Advertisement message, but future documents may define new options.
+ Mobile nodes MUST silently ignore any options they do not recognize
+ and continue processing the message.
+
+ Prefix Information
+
+ Each message contains one or more Prefix Information options.
+ Each option carries the prefix(es) that the mobile node should use
+ to configure its home address(es). Section 10.6 describes which
+ prefixes should be advertised to the mobile node.
+
+ The Prefix Information option is defined in Section 4.6.2 of RFC
+ 2461 [12], with modifications defined in Section 7.2 of this
+ specification. The home agent MUST use this modified Prefix
+ Information option to send home network prefixes as defined in
+ Section 10.6.1.
+
+ If the Advertisement is sent in response to a Mobile Prefix
+ Solicitation, the home agent MUST copy the Identifier value from that
+ message into the Identifier field of the Advertisement.
+
+ The home agent MUST NOT send more than one Mobile Prefix
+ Advertisement message per second to any mobile node.
+
+ The M and O bits MUST be cleared if the Home Agent DHCPv6 support is
+ not provided. If such support is provided then they are set in
+ concert with the home network's administrative settings.
+
+7. Modifications to IPv6 Neighbor Discovery
+
+7.1. Modified Router Advertisement Message Format
+
+ Mobile IPv6 modifies the format of the Router Advertisement message
+ [12] by the addition of a single flag bit to indicate that the router
+ sending the Advertisement message is serving as a home agent on this
+ link. The format of the Router Advertisement message is as follows:
+
+
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 61]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Code | Checksum |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Cur Hop Limit |M|O|H| Reserved| Router Lifetime |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Reachable Time |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Retrans Timer |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Options ...
+ +-+-+-+-+-+-+-+-+-+-+-+-
+
+ This format represents the following changes over that originally
+ specified for Neighbor Discovery [12]:
+
+ Home Agent (H)
+
+ The Home Agent (H) bit is set in a Router Advertisement to
+ indicate that the router sending this Router Advertisement is also
+ functioning as a Mobile IPv6 home agent on this link.
+
+ Reserved
+
+ Reduced from a 6-bit field to a 5-bit field to account for the
+ addition of the above bit.
+
+7.2. Modified Prefix Information Option Format
+
+ Mobile IPv6 requires knowledge of a router's global address in
+ building a Home Agents List as part of the dynamic home agent address
+ discovery mechanism.
+
+ However, Neighbor Discovery [12] only advertises a router's link-
+ local address, by requiring this address to be used as the IP Source
+ Address of each Router Advertisement.
+
+ Mobile IPv6 extends Neighbor Discovery to allow a router to advertise
+ its global address, by the addition of a single flag bit in the
+ format of a Prefix Information option for use in Router Advertisement
+ messages. The format of the Prefix Information option is as follows:
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 62]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Prefix Length |L|A|R|Reserved1|
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Valid Lifetime |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Preferred Lifetime |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Reserved2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + +
+ | |
+ + Prefix +
+ | |
+ + +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ This format represents the following changes over that originally
+ specified for Neighbor Discovery [12]:
+
+ Router Address (R)
+
+ 1-bit router address flag. When set, indicates that the Prefix
+ field contains a complete IP address assigned to the sending
+ router. The indicated prefix is the first Prefix Length bits of
+ the Prefix field. The router IP address has the same scope and
+ conforms to the same lifetime values as the advertised prefix.
+ This use of the Prefix field is compatible with its use in
+ advertising the prefix itself, since Prefix Advertisement uses
+ only the leading bits. Interpretation of this flag bit is thus
+ independent of the processing required for the On-Link (L) and
+ Autonomous Address-Configuration (A) flag bits.
+
+ Reserved1
+
+ Reduced from a 6-bit field to a 5-bit field to account for the
+ addition of the above bit.
+
+ In a Router Advertisement, a home agent MUST, and all other routers
+ MAY, include at least one Prefix Information option with the Router
+ Address (R) bit set. Neighbor Discovery specifies that, if including
+ all options in a Router Advertisement causes the size of the
+ Advertisement to exceed the link MTU, multiple Advertisements can be
+ sent, each containing a subset of the options [12]. Also, when
+ sending unsolicited multicast Router Advertisements more frequently
+
+
+
+Johnson, et al. Standard Track [Page 63]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ than the limit specified in RFC 2461 [12], the sending router need
+ not include all options in each of these Advertisements. However, in
+ both of these cases the router SHOULD include at least one Prefix
+ Information option with the Router Address (R) bit set in each such
+ advertisement, if this bit is set in some advertisement sent by the
+ router.
+
+ In addition, the following requirement can assist mobile nodes in
+ movement detection. Barring changes in the prefixes for the link,
+ routers that send multiple Router Advertisements with the Router
+ Address (R) bit set in some of the included Prefix Information
+ options SHOULD provide at least one option and router address which
+ stays the same in all of the Advertisements.
+
+7.3. New Advertisement Interval Option Format
+
+ Mobile IPv6 defines a new Advertisement Interval option, used in
+ Router Advertisement messages to advertise the interval at which the
+ sending router sends unsolicited multicast Router Advertisements.
+ The format of the Advertisement Interval option is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Advertisement Interval |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 7
+
+ Length
+
+ 8-bit unsigned integer. The length of the option (including the
+ type and length fields) is in units of 8 octets. The value of
+ this field MUST be 1.
+
+ Reserved
+
+ This field is unused. It MUST be initialized to zero by the
+ sender and MUST be ignored by the receiver.
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 64]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Advertisement Interval
+
+ 32-bit unsigned integer. The maximum time, in milliseconds,
+ between successive unsolicited Router Advertisement messages sent
+ by this router on this network interface. Using the conceptual
+ router configuration variables defined by Neighbor Discovery [12],
+ this field MUST be equal to the value MaxRtrAdvInterval, expressed
+ in milliseconds.
+
+ Routers MAY include this option in their Router Advertisements. A
+ mobile node receiving a Router Advertisement containing this option
+ SHOULD utilize the specified Advertisement Interval for that router
+ in its movement detection algorithm, as described in Section 11.5.1.
+
+ This option MUST be silently ignored for other Neighbor Discovery
+ messages.
+
+7.4. New Home Agent Information Option Format
+
+ Mobile IPv6 defines a new Home Agent Information option, used in
+ Router Advertisements sent by a home agent to advertise information
+ specific to this router's functionality as a home agent. The format
+ of the Home Agent Information option is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Home Agent Preference | Home Agent Lifetime |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 8
+
+ Length
+
+ 8-bit unsigned integer. The length of the option (including the
+ type and length fields) in units of 8 octets. The value of this
+ field MUST be 1.
+
+ Reserved
+
+ This field is unused. It MUST be initialized to zero by the
+ sender and MUST be ignored by the receiver.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 65]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Home Agent Preference
+
+ 16-bit unsigned integer. The preference for the home agent
+ sending this Router Advertisement, for use in ordering the
+ addresses returned to a mobile node in the Home Agent Addresses
+ field of a Home Agent Address Discovery Reply message. Higher
+ values mean more preferable. If this option is not included in a
+ Router Advertisement in which the Home Agent (H) bit is set, the
+ preference value for this home agent MUST be considered to be 0.
+ Greater values indicate a more preferable home agent than lower
+ values.
+
+ The manual configuration of the Home Agent Preference value is
+ described in Section 8.4. In addition, the sending home agent MAY
+ dynamically set the Home Agent Preference value, for example
+ basing it on the number of mobile nodes it is currently serving or
+ on its remaining resources for serving additional mobile nodes;
+ such dynamic settings are beyond the scope of this document. Any
+ such dynamic setting of the Home Agent Preference, however, MUST
+ set the preference appropriately, relative to the default Home
+ Agent Preference value of 0 that may be in use by some home agents
+ on this link (i.e., a home agent not including a Home Agent
+ Information option in its Router Advertisements will be considered
+ to have a Home Agent Preference value of 0).
+
+ Home Agent Lifetime
+
+ 16-bit unsigned integer. The lifetime associated with the home
+ agent in units of seconds. The default value is the same as the
+ Router Lifetime, as specified in the main body of the Router
+ Advertisement. The maximum value corresponds to 18.2 hours. A
+ value of 0 MUST NOT be used. The Home Agent Lifetime applies only
+ to this router's usefulness as a home agent; it does not apply to
+ information contained in other message fields or options.
+
+ Home agents MAY include this option in their Router Advertisements.
+ This option MUST NOT be included in a Router Advertisement in which
+ the Home Agent (H) bit (see Section 7.1) is not set. If this option
+ is not included in a Router Advertisement in which the Home Agent (H)
+ bit is set, the lifetime for this home agent MUST be considered to be
+ the same as the Router Lifetime in the Router Advertisement. If
+ multiple Advertisements are being sent instead of a single larger
+ unsolicited multicast Advertisement, all of the multiple
+ Advertisements with the Router Address (R) bit set MUST include this
+ option with the same contents, otherwise this option MUST be omitted
+ from all Advertisements.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 66]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ This option MUST be silently ignored for other Neighbor Discovery
+ messages.
+
+ If both the Home Agent Preference and Home Agent Lifetime are set to
+ their default values specified above, this option SHOULD NOT be
+ included in the Router Advertisement messages sent by this home
+ agent.
+
+7.5. Changes to Sending Router Advertisements
+
+ The Neighbor Discovery protocol specification [12] limits routers to
+ a minimum interval of 3 seconds between sending unsolicited multicast
+ Router Advertisement messages from any given network interface
+ (limited by MinRtrAdvInterval and MaxRtrAdvInterval), stating that:
+
+ "Routers generate Router Advertisements frequently enough that
+ hosts will learn of their presence within a few minutes, but not
+ frequently enough to rely on an absence of advertisements to
+ detect router failure; a separate Neighbor Unreachability
+ Detection algorithm provides failure detection."
+
+ This limitation, however, is not suitable to providing timely
+ movement detection for mobile nodes. Mobile nodes detect their own
+ movement by learning the presence of new routers as the mobile node
+ moves into wireless transmission range of them (or physically
+ connects to a new wired network), and by learning that previous
+ routers are no longer reachable. Mobile nodes MUST be able to
+ quickly detect when they move to a link served by a new router, so
+ that they can acquire a new care-of address and send Binding Updates
+ to register this care-of address with their home agent and to notify
+ correspondent nodes as needed.
+
+ One method which can provide for faster movement detection, is to
+ increase the rate at which unsolicited Router Advertisements are
+ sent. Mobile IPv6 relaxes this limit such that routers MAY send
+ unsolicited multicast Router Advertisements more frequently. This
+ method can be applied where the router is expecting to provide
+ service to visiting mobile nodes (e.g., wireless network interfaces),
+ or on which it is serving as a home agent to one or more mobile nodes
+ (who may return home and need to hear its Advertisements).
+
+ Routers supporting mobility SHOULD be able to be configured with a
+ smaller MinRtrAdvInterval value and MaxRtrAdvInterval value to allow
+ sending of unsolicited multicast Router Advertisements more often.
+ The minimum allowed values are:
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 67]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o MinRtrAdvInterval 0.03 seconds
+
+ o MaxRtrAdvInterval 0.07 seconds
+
+ In the case where the minimum intervals and delays are used, the mean
+ time between unsolicited multicast router advertisements is 50 ms.
+ Use of these modified limits MUST be configurable (see also the
+ configuration variable MinDelayBetweenRas in Section 13 which may
+ also have to be modified accordingly). Systems where these values
+ are available MUST NOT default to them, and SHOULD default to values
+ specified in RFC 2461. Knowledge of the type of network interface
+ and operating environment SHOULD be taken into account in configuring
+ these limits for each network interface. This is important with some
+ wireless links, where increasing the frequency of multicast beacons
+ can cause considerable overhead. Routers SHOULD adhere to the
+ intervals specified in RFC 2461 [12], if this overhead is likely to
+ cause service degradation.
+
+ Additionally, the possible low values of MaxRtrAdvInterval may cause
+ some problems with movement detection in some mobile nodes. To
+ ensure that this is not a problem, Routers SHOULD add 20 ms to any
+ Advertisement Intervals sent in RAs, which are below 200 ms, in order
+ to account for scheduling granularities on both the MN and the
+ Router.
+
+ Note that multicast Router Advertisements are not always required in
+ certain wireless networks that have limited bandwidth. Mobility
+ detection or link changes in such networks may be done at lower
+ layers. Router advertisements in such networks SHOULD be sent only
+ when solicited. In such networks it SHOULD be possible to disable
+ unsolicited multicast Router Advertisements on specific interfaces.
+ The MinRtrAdvInterval and MaxRtrAdvInterval in such a case can be set
+ to some high values.
+
+ Home agents MUST include the Source Link-Layer Address option in all
+ Router Advertisements they send. This simplifies the process of
+ returning home, as discussed in Section 11.5.4.
+
+ Note that according to RFC 2461 [12], AdvDefaultLifetime is by
+ default based on the value of MaxRtrAdvInterval. AdvDefaultLifetime
+ is used in the Router Lifetime field of Router Advertisements. Given
+ that this field is expressed in seconds, a small MaxRtrAdvInterval
+ value can result in a zero value for this field. To prevent this,
+ routers SHOULD keep AdvDefaultLifetime in at least one second, even
+ if the use of MaxRtrAdvInterval would result in a smaller value.
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 68]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+8. Requirements for Types of IPv6 Nodes
+
+ Mobile IPv6 places some special requirements on the functions
+ provided by different types of IPv6 nodes. This section summarizes
+ those requirements, identifying the functionality each requirement is
+ intended to support.
+
+ The requirements are set for the following groups of nodes:
+
+ o All IPv6 nodes.
+
+ o All IPv6 nodes with support for route optimization.
+
+ o All IPv6 routers.
+
+ o All Mobile IPv6 home agents.
+
+ o All Mobile IPv6 mobile nodes.
+
+ It is outside the scope of this specification to specify which of
+ these groups are mandatory in IPv6. We only describe what is
+ mandatory for a node that supports, for instance, route optimization.
+ Other specifications are expected to define the extent of IPv6.
+
+8.1. All IPv6 Nodes
+
+ Any IPv6 node may at any time be a correspondent node of a mobile
+ node, either sending a packet to a mobile node or receiving a packet
+ from a mobile node. There are no Mobile IPv6 specific MUST
+ requirements for such nodes, and basic IPv6 techniques are
+ sufficient. If a mobile node attempts to set up route optimization
+ with a node with only basic IPv6 support, an ICMP error will signal
+ that the node does not support such optimizations (Section 11.3.5),
+ and communications will flow through the home agent.
+
+ An IPv6 node MUST NOT support the Home Address destination option,
+ type 2 routing header, or the Mobility Header unless it fully
+ supports the requirements listed in the next sections for either
+ route optimization, mobile node, or home agent functionality.
+
+8.2. IPv6 Nodes with Support for Route Optimization
+
+ Nodes that implement route optimization are a subset of all IPv6
+ nodes on the Internet. The ability of a correspondent node to
+ participate in route optimization is essential for the efficient
+ operation of the IPv6 Internet, for the following reasons:
+
+
+
+
+
+Johnson, et al. Standard Track [Page 69]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o Avoidance of congestion in the home network, and enabling the use
+ of lower-performance home agent equipment even for supporting
+ thousands of mobile nodes.
+
+ o Reduced network load across the entire Internet, as mobile devices
+ begin to predominate.
+
+ o Reduction of jitter and latency for the communications.
+
+ o Greater likelihood of success for QoS signaling as tunneling is
+ avoided and, again, fewer sources of congestion.
+
+ o Improved robustness against network partitions, congestion, and
+ other problems, since fewer routing path segments are traversed.
+
+ These effects combine to enable much better performance and
+ robustness for communications between mobile nodes and IPv6
+ correspondent nodes. Route optimization introduces a small amount of
+ additional state for the peers, some additional messaging, and up to
+ 1.5 roundtrip delays before it can be turned on. However, it is
+ believed that the benefits far outweigh the costs in most cases.
+ Section 11.3.1 discusses how mobile nodes may avoid route
+ optimization for some of the remaining cases, such as very short-term
+ communications.
+
+ The following requirements apply to all correspondent nodes that
+ support route optimization:
+
+ o The node MUST be able to validate a Home Address option using an
+ existing Binding Cache entry, as described in Section 9.3.1.
+
+ o The node MUST be able to insert a type 2 routing header into
+ packets to be sent to a mobile node, as described in Section
+ 9.3.2.
+
+ o Unless the correspondent node is also acting as a mobile node, it
+ MUST ignore type 2 routing headers and silently discard all
+ packets that it has received with such headers.
+
+ o The node SHOULD be able to interpret ICMP messages as described in
+ Section 9.3.4.
+
+ o The node MUST be able to send Binding Error messages as described
+ in Section 9.3.3.
+
+ o The node MUST be able to process Mobility Headers as described in
+ Section 9.2.
+
+
+
+
+Johnson, et al. Standard Track [Page 70]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The node MUST be able to participate in a return routability
+ procedure (Section 9.4).
+
+ o The node MUST be able to process Binding Update messages (Section
+ 9.5).
+
+ o The node MUST be able to return a Binding Acknowledgement (Section
+ 9.5.4).
+
+ o The node MUST be able to maintain a Binding Cache of the bindings
+ received in accepted Binding Updates, as described in Section 9.1
+ and Section 9.6.
+
+ o The node SHOULD allow route optimization to be administratively
+ enabled or disabled. The default SHOULD be enabled.
+
+8.3. All IPv6 Routers
+
+ All IPv6 routers, even those not serving as a home agent for Mobile
+ IPv6, have an effect on how well mobile nodes can communicate:
+
+ o Every IPv6 router SHOULD be able to send an Advertisement Interval
+ option (Section 7.3) in each of its Router Advertisements [12], to
+ aid movement detection by mobile nodes (as in Section 11.5.1).
+ The use of this option in Router Advertisements SHOULD be
+ configurable.
+
+ o Every IPv6 router SHOULD be able to support sending unsolicited
+ multicast Router Advertisements at the faster rate described in
+ Section 7.5. If the router supports a faster rate, the used rate
+ MUST be configurable.
+
+ o Each router SHOULD include at least one prefix with the Router
+ Address (R) bit set and with its full IP address in its Router
+ Advertisements (as described in Section 7.2).
+
+ o Routers supporting filtering packets with routing headers SHOULD
+ support different rules for type 0 and type 2 routing headers (see
+ Section 6.4) so that filtering of source routed packets (type 0)
+ will not necessarily limit Mobile IPv6 traffic which is delivered
+ via type 2 routing headers.
+
+8.4. IPv6 Home Agents
+
+ In order for a mobile node to operate correctly while away from home,
+ at least one IPv6 router on the mobile node's home link must function
+ as a home agent for the mobile node. The following additional
+ requirements apply to all IPv6 routers that serve as a home agent:
+
+
+
+Johnson, et al. Standard Track [Page 71]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o Every home agent MUST be able to maintain an entry in its Binding
+ Cache for each mobile node for which it is serving as the home
+ agent (Section 10.1 and Section 10.3.1).
+
+ o Every home agent MUST be able to intercept packets (using proxy
+ Neighbor Discovery [12]) addressed to a mobile node for which it
+ is currently serving as the home agent, on that mobile node's home
+ link, while the mobile node is away from home (Section 10.4.1).
+
+ o Every home agent MUST be able to encapsulate [15] such intercepted
+ packets in order to tunnel them to the primary care-of address for
+ the mobile node indicated in its binding in the home agent's
+ Binding Cache (Section 10.4.2).
+
+ o Every home agent MUST support decapsulating [15] reverse tunneled
+ packets sent to it from a mobile node's home address. Every home
+ agent MUST also check that the source address in the tunneled
+ packets corresponds to the currently registered location of the
+ mobile node (Section 10.4.5).
+
+ o The node MUST be able to process Mobility Headers as described in
+ Section 10.2.
+
+ o Every home agent MUST be able to return a Binding Acknowledgement
+ in response to a Binding Update (Section 10.3.1).
+
+ o Every home agent MUST maintain a separate Home Agents List for
+ each link on which it is serving as a home agent, as described in
+ Section 10.1 and Section 10.5.1.
+
+ o Every home agent MUST be able to accept packets addressed to the
+ Mobile IPv6 Home-Agents anycast address [16] for the subnet on
+ which it is serving as a home agent, and MUST be able to
+ participate in dynamic home agent address discovery (Section
+ 10.5).
+
+ o Every home agent SHOULD support a configuration mechanism to allow
+ a system administrator to manually set the value to be sent by
+ this home agent in the Home Agent Preference field of the Home
+ Agent Information Option in Router Advertisements that it sends
+ (Section 7.4).
+
+ o Every home agent SHOULD support sending ICMP Mobile Prefix
+ Advertisements (Section 6.8), and SHOULD respond to Mobile Prefix
+ Solicitations (Section 6.7). If supported, this behavior MUST be
+ configurable, so that home agents can be configured to avoid
+ sending such Prefix Advertisements according to the needs of the
+ network administration in the home domain.
+
+
+
+Johnson, et al. Standard Track [Page 72]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o Every home agent MUST support IPsec ESP for protection of packets
+ belonging to the return routability procedure (Section 10.4.6).
+
+ o Every home agent SHOULD support the multicast group membership
+ control protocols as described in Section 10.4.3. If this support
+ is provided, the home agent MUST be capable of using it to
+ determine which multicast data packets to forward via the tunnel
+ to the mobile node.
+
+ o Home agents MAY support stateful address autoconfiguration for
+ mobile nodes as described in Section 10.4.4.
+
+8.5. IPv6 Mobile Nodes
+
+ Finally, the following requirements apply to all IPv6 nodes capable
+ of functioning as mobile nodes:
+
+ o The node MUST maintain a Binding Update List (Section 11.1).
+
+ o The node MUST support sending packets containing a Home Address
+ option (Section 11.3.1), and follow the required IPsec interaction
+ (Section 11.3.2).
+
+ o The node MUST be able to perform IPv6 encapsulation and
+ decapsulation [15].
+
+ o The node MUST be able to process type 2 routing header as defined
+ in Section 6.4 and Section 11.3.3.
+
+ o The node MUST support receiving a Binding Error message (Section
+ 11.3.6).
+
+ o The node MUST support receiving ICMP errors (Section 11.3.5).
+
+ o The node MUST support movement detection, care-of address
+ formation, and returning home (Section 11.5).
+
+ o The node MUST be able to process Mobility Headers as described in
+ Section 11.2.
+
+ o The node MUST support the return routability procedure (Section
+ 11.6).
+
+ o The node MUST be able to send Binding Updates, as specified in
+ Section 11.7.1 and Section 11.7.2.
+
+ o The node MUST be able to receive and process Binding
+ Acknowledgements, as specified in Section 11.7.3.
+
+
+
+Johnson, et al. Standard Track [Page 73]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The node MUST support receiving a Binding Refresh Request (Section
+ 6.1.2), by responding with a Binding Update.
+
+ o The node MUST support receiving Mobile Prefix Advertisements
+ (Section 11.4.3) and reconfiguring its home address based on the
+ prefix information contained therein.
+
+ o The node SHOULD support use of the dynamic home agent address
+ discovery mechanism, as described in Section 11.4.1.
+
+ o The node MUST allow route optimization to be administratively
+ enabled or disabled. The default SHOULD be enabled.
+
+ o The node MAY support the multicast address listener part of a
+ multicast group membership protocol as described in Section
+ 11.3.4. If this support is provided, the mobile node MUST be able
+ to receive tunneled multicast packets from the home agent.
+
+ o The node MAY support stateful address autoconfiguration mechanisms
+ such as DHCPv6 [29] on the interface represented by the tunnel to
+ the home agent.
+
+9. Correspondent Node Operation
+
+9.1. Conceptual Data Structures
+
+ IPv6 nodes with route optimization support maintain a Binding Cache
+ of bindings for other nodes. A separate Binding Cache SHOULD be
+ maintained by each IPv6 node for each of its unicast routable
+ addresses. The Binding Cache MAY be implemented in any manner
+ consistent with the external behavior described in this document, for
+ example by being combined with the node's Destination Cache as
+ maintained by Neighbor Discovery [12]. When sending a packet, the
+ Binding Cache is searched before the Neighbor Discovery conceptual
+ Destination Cache [12].
+
+ Each Binding Cache entry conceptually contains the following fields:
+
+ o The home address of the mobile node for which this is the Binding
+ Cache entry. This field is used as the key for searching the
+ Binding Cache for the destination address of a packet being sent.
+
+ o The care-of address for the mobile node indicated by the home
+ address field in this Binding Cache entry.
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 74]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o A lifetime value, indicating the remaining lifetime for this
+ Binding Cache entry. The lifetime value is initialized from the
+ Lifetime field in the Binding Update that created or last modified
+ this Binding Cache entry.
+
+ o A flag indicating whether or not this Binding Cache entry is a
+ home registration entry (applicable only on nodes which support
+ home agent functionality).
+
+ o The maximum value of the Sequence Number field received in
+ previous Binding Updates for this home address. The Sequence
+ Number field is 16 bits long. Sequence Number values MUST be
+ compared modulo 2**16 as explained in Section 9.5.1.
+
+ o Usage information for this Binding Cache entry. This is needed to
+ implement the cache replacement policy in use in the Binding
+ Cache. Recent use of a cache entry also serves as an indication
+ that a Binding Refresh Request should be sent when the lifetime of
+ this entry nears expiration.
+
+ Binding Cache entries not marked as home registrations MAY be
+ replaced at any time by any reasonable local cache replacement policy
+ but SHOULD NOT be unnecessarily deleted. The Binding Cache for any
+ one of a node's IPv6 addresses may contain at most one entry for each
+ mobile node home address. The contents of a node's Binding Cache
+ MUST NOT be changed in response to a Home Address option in a
+ received packet.
+
+9.2. Processing Mobility Headers
+
+ Mobility Header processing MUST observe the following rules:
+
+ o The checksum must be verified as per Section 6.1. Otherwise, the
+ node MUST silently discard the message.
+
+ o The MH Type field MUST have a known value (Section 6.1.1).
+ Otherwise, the node MUST discard the message and issue a Binding
+ Error message as described in Section 9.3.3, with Status field set
+ to 2 (unrecognized MH Type value).
+
+ o The Payload Proto field MUST be IPPROTO_NONE (59 decimal).
+ Otherwise, the node MUST discard the message and SHOULD send ICMP
+ Parameter Problem, Code 0, directly to the Source Address of the
+ packet as specified in RFC 2463 [14]. Thus no Binding Cache
+ information is used in sending the ICMP message. The Pointer
+ field in the ICMP message SHOULD point at the Payload Proto field.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 75]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The Header Len field in the Mobility Header MUST NOT be less than
+ the length specified for this particular type of message in
+ Section 6.1. Otherwise, the node MUST discard the message and
+ SHOULD send ICMP Parameter Problem, Code 0, directly to the Source
+ Address of the packet as specified in RFC 2463 [14]. (The Binding
+ Cache information is again not used.) The Pointer field in the
+ ICMP message SHOULD point at the Header Len field.
+
+ Subsequent checks depend on the particular Mobility Header.
+
+9.3. Packet Processing
+
+ This section describes how the correspondent node sends packets to
+ the mobile node, and receives packets from it.
+
+9.3.1. Receiving Packets with Home Address Option
+
+ Packets containing a Home Address option MUST be dropped if the given
+ home address is not a unicast routable address.
+
+ Mobile nodes can include a Home Address destination option in a
+ packet if they believe the correspondent node has a Binding Cache
+ entry for the home address of a mobile node. Packets containing a
+ Home Address option MUST be dropped if there is no corresponding
+ Binding Cache entry. A corresponding Binding Cache entry MUST have
+ the same home address as appears in the Home Address destination
+ option, and the currently registered care-of address MUST be equal to
+ the source address of the packet. These tests MUST NOT be done for
+ packets that contain a Home Address option and a Binding Update.
+
+ If the packet is dropped due the above tests, the correspondent node
+ MUST send the Binding Error message as described in Section 9.3.3.
+ The Status field in this message should be set to 1 (unknown binding
+ for Home Address destination option).
+
+ The correspondent node MUST process the option in a manner consistent
+ with exchanging the Home Address field from the Home Address option
+ into the IPv6 header and replacing the original value of the Source
+ Address field there. After all IPv6 options have been processed, it
+ MUST be possible for upper layers to process the packet without the
+ knowledge that it came originally from a care-of address or that a
+ Home Address option was used.
+
+ The use of IPsec Authentication Header (AH) for the Home Address
+ option is not required, except that if the IPv6 header of a packet is
+ covered by AH, then the authentication MUST also cover the Home
+ Address option; this coverage is achieved automatically by the
+ definition of the Option Type code for the Home Address option, since
+
+
+
+Johnson, et al. Standard Track [Page 76]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ it indicates that the data within the option cannot change en route
+ to the packet's final destination, and thus the option is included in
+ the AH computation. By requiring that any authentication of the IPv6
+ header also cover the Home Address option, the security of the Source
+ Address field in the IPv6 header is not compromised by the presence
+ of a Home Address option.
+
+ When attempting to verify AH authentication data in a packet that
+ contains a Home Address option, the receiving node MUST calculate the
+ AH authentication data as if the following were true: The Home
+ Address option contains the care-of address, and the source IPv6
+ address field of the IPv6 header contains the home address. This
+ conforms with the calculation specified in Section 11.3.2.
+
+9.3.2. Sending Packets to a Mobile Node
+
+ Before sending any packet, the sending node SHOULD examine its
+ Binding Cache for an entry for the destination address to which the
+ packet is being sent. If the sending node has a Binding Cache entry
+ for this address, the sending node SHOULD use a type 2 routing header
+ to route the packet to this mobile node (the destination node) by way
+ of its care-of address. However, the sending node MUST not do this
+ in the following cases:
+
+ o When sending an IPv6 Neighbor Discovery [12] packet.
+
+ o Where otherwise noted in Section 6.1.
+
+ When calculating authentication data in a packet that contains a type
+ 2 routing header, the correspondent node MUST calculate the AH
+ authentication data as if the following were true: The routing header
+ contains the care-of address, the destination IPv6 address field of
+ the IPv6 header contains the home address, and the Segments Left
+ field is zero. The IPsec Security Policy Database lookup MUST based
+ on the mobile node's home address.
+
+ For instance, assuming there are no additional routing headers in
+ this packet beyond those needed by Mobile IPv6, the correspondent
+ node could set the fields in the packet's IPv6 header and routing
+ header as follows:
+
+ o The Destination Address in the packet's IPv6 header is set to the
+ mobile node's home address (the original destination address to
+ which the packet was being sent).
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 77]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The routing header is initialized to contain a single route
+ segment, containing the mobile node's care-of address copied from
+ the Binding Cache entry. The Segments Left field is, however,
+ temporarily set to zero.
+
+ The IP layer will insert the routing header before performing any
+ necessary IPsec processing. Once all IPsec processing has been
+ performed, the node swaps the IPv6 destination field with the Home
+ Address field in the routing header, sets the Segments Left field to
+ one, and sends the packet. This ensures the AH calculation is done
+ on the packet in the form it will have on the receiver after
+ advancing the routing header.
+
+ Following the definition of a type 2 routing header in Section 6.4,
+ this packet will be routed to the mobile node's care-of address,
+ where it will be delivered to the mobile node (the mobile node has
+ associated the care-of address with its network interface).
+
+ Note that following the above conceptual model in an implementation
+ creates some additional requirements for path MTU discovery since the
+ layer that decides the packet size (e.g., TCP and applications using
+ UDP) needs to be aware of the size of the headers added by the IP
+ layer on the sending node.
+
+ If, instead, the sending node has no Binding Cache entry for the
+ destination address to which the packet is being sent, the sending
+ node simply sends the packet normally, with no routing header. If
+ the destination node is not a mobile node (or is a mobile node that
+ is currently at home), the packet will be delivered directly to this
+ node and processed normally by it. If, however, the destination node
+ is a mobile node that is currently away from home, the packet will be
+ intercepted by the mobile node's home agent and tunneled to the
+ mobile node's current primary care-of address.
+
+9.3.3. Sending Binding Error Messages
+
+ Section 9.2 and Section 9.3.1 describe error conditions that lead to
+ a need to send a Binding Error message.
+
+ A Binding Error message is sent directly to the address that appeared
+ in the IPv6 Source Address field of the offending packet. If the
+ Source Address field does not contain a unicast address, the Binding
+ Error message MUST NOT be sent.
+
+ The Home Address field in the Binding Error message MUST be copied
+ from the Home Address field in the Home Address destination option of
+ the offending packet, or set to the unspecified address if no such
+ option appeared in the packet.
+
+
+
+Johnson, et al. Standard Track [Page 78]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Note that the IPv6 Source Address and Home Address field values
+ discussed above are the values from the wire, i.e., before any
+ modifications possibly performed as specified in Section 9.3.1.
+
+ Binding Error messages SHOULD be subject to rate limiting in the same
+ manner as is done for ICMPv6 messages [14].
+
+9.3.4. Receiving ICMP Error Messages
+
+ When the correspondent node has a Binding Cache entry for a mobile
+ node, all traffic destined to the mobile node goes directly to the
+ current care-of address of the mobile node using a routing header.
+ Any ICMP error message caused by packets on their way to the care-of
+ address will be returned in the normal manner to the correspondent
+ node.
+
+ On the other hand, if the correspondent node has no Binding Cache
+ entry for the mobile node, the packet will be routed through the
+ mobile node's home link. Any ICMP error message caused by the packet
+ on its way to the mobile node while in the tunnel, will be
+ transmitted to the mobile node's home agent. By the definition of
+ IPv6 encapsulation [15], the home agent MUST relay certain ICMP error
+ messages back to the original sender of the packet, which in this
+ case is the correspondent node.
+
+ Thus, in all cases, any meaningful ICMP error messages caused by
+ packets from a correspondent node to a mobile node will be returned
+ to the correspondent node. If the correspondent node receives
+ persistent ICMP Destination Unreachable messages after sending
+ packets to a mobile node based on an entry in its Binding Cache, the
+ correspondent node SHOULD delete this Binding Cache entry. Note that
+ if the mobile node continues to send packets with the Home Address
+ destination option to this correspondent node, they will be dropped
+ due to the lack of a binding. For this reason it is important that
+ only persistent ICMP messages lead to the deletion of the Binding
+ Cache entry.
+
+9.4. Return Routability Procedure
+
+ This subsection specifies actions taken by a correspondent node
+ during the return routability procedure.
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 79]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+9.4.1. Receiving Home Test Init Messages
+
+ Upon receiving a Home Test Init message, the correspondent node
+ verifies the following:
+
+ o The packet MUST NOT include a Home Address destination option.
+
+ Any packet carrying a Home Test Init message which fails to satisfy
+ all of these tests MUST be silently ignored.
+
+ Otherwise, in preparation for sending the corresponding Home Test
+ Message, the correspondent node checks that it has the necessary
+ material to engage in a return routability procedure, as specified in
+ Section 5.2. The correspondent node MUST have a secret Kcn and a
+ nonce. If it does not have this material yet, it MUST produce it
+ before continuing with the return routability procedure.
+
+ Section 9.4.3 specifies further processing.
+
+9.4.2. Receiving Care-of Test Init Messages
+
+ Upon receiving a Care-of Test Init message, the correspondent node
+ verifies the following:
+
+ o The packet MUST NOT include a Home Address destination option.
+
+ Any packet carrying a Care-of Test Init message which fails to
+ satisfy all of these tests MUST be silently ignored.
+
+ Otherwise, in preparation for sending the corresponding Care-of Test
+ Message, the correspondent node checks that it has the necessary
+ material to engage in a return routability procedure in the manner
+ described in Section 9.4.1.
+
+ Section 9.4.4 specifies further processing.
+
+9.4.3. Sending Home Test Messages
+
+ The correspondent node creates a home keygen token and uses the
+ current nonce index as the Home Nonce Index. It then creates a Home
+ Test message (Section 6.1.5) and sends it to the mobile node at the
+ latter's home address.
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 80]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+9.4.4. Sending Care-of Test Messages
+
+ The correspondent node creates a care-of keygen token and uses the
+ current nonce index as the Care-of Nonce Index. It then creates a
+ Care-of Test message (Section 6.1.6) and sends it to the mobile node
+ at the latter's care-of address.
+
+9.5. Processing Bindings
+
+ This section explains how the correspondent node processes messages
+ related to bindings. These messages are:
+
+ o Binding Update
+
+ o Binding Refresh Request
+
+ o Binding Acknowledgement
+
+ o Binding Error
+
+9.5.1. Receiving Binding Updates
+
+ Before accepting a Binding Update, the receiving node MUST validate
+ the Binding Update according to the following tests:
+
+ o The packet MUST contain a unicast routable home address, either in
+ the Home Address option or in the Source Address, if the Home
+ Address option is not present.
+
+ o The Sequence Number field in the Binding Update is greater than
+ the Sequence Number received in the previous valid Binding Update
+ for this home address, if any.
+
+ If the receiving node has no Binding Cache entry for the indicated
+ home address, it MUST accept any Sequence Number value in a received
+ Binding Update from this mobile node.
+
+ This Sequence Number comparison MUST be performed modulo 2**16, i.e.,
+ the number is a free running counter represented modulo 65536. A
+ Sequence Number in a received Binding Update is considered less than
+ or equal to the last received number if its value lies in the range
+ of the last received number and the preceding 32768 values,
+ inclusive. For example, if the last received sequence number was 15,
+ then messages with sequence numbers 0 through 15, as well as 32783
+ through 65535, would be considered less than or equal.
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 81]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ When the Home Registration (H) bit is not set, the following are also
+ required:
+
+ o A Nonce Indices mobility option MUST be present, and the Home and
+ Care-of Nonce Index values in this option MUST be recent enough to
+ be recognized by the correspondent node. (Care-of Nonce Index
+ values are not inspected for requests to delete a binding.)
+
+ o The correspondent node MUST re-generate the home keygen token and
+ the care-of keygen token from the information contained in the
+ packet. It then generates the binding management key Kbm and uses
+ it to verify the authenticator field in the Binding Update as
+ specified in Section 6.1.7.
+
+ o The Binding Authorization Data mobility option MUST be present,
+ and its contents MUST satisfy rules presented in Section 5.2.6.
+ Note that a care-of address different from the Source Address MAY
+ have been specified by including an Alternate Care-of Address
+ mobility option in the Binding Update. When such a message is
+ received and the return routability procedure is used as an
+ authorization method, the correspondent node MUST verify the
+ authenticator by using the address within the Alternate Care-of
+ Address in the calculations.
+
+ o The Binding Authorization Data mobility option MUST be the last
+ option and MUST NOT have trailing padding.
+
+ If the Home Registration (H) bit is set, the Nonce Indices mobility
+ option MUST NOT be present.
+
+ If the mobile node sends a sequence number which is not greater than
+ the sequence number from the last valid Binding Update for this home
+ address, then the receiving node MUST send back a Binding
+ Acknowledgement with status code 135, and the last accepted sequence
+ number in the Sequence Number field of the Binding Acknowledgement.
+
+ If a binding already exists for the given home address and the home
+ registration flag has a different value than the Home Registration
+ (H) bit in the Binding Update, then the receiving node MUST send back
+ a Binding Acknowledgement with status code 139 (registration type
+ change disallowed). The home registration flag stored in the Binding
+ Cache entry MUST NOT be changed.
+
+ If the receiving node no longer recognizes the Home Nonce Index
+ value, Care-of Nonce Index value, or both values from the Binding
+ Update, then the receiving node MUST send back a Binding
+ Acknowledgement with status code 136, 137, or 138, respectively.
+
+
+
+
+Johnson, et al. Standard Track [Page 82]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Packets carrying Binding Updates that fail to satisfy all of these
+ tests for any reason other than insufficiency of the Sequence Number,
+ registration type change, or expired nonce index values, MUST be
+ silently discarded.
+
+ If the Binding Update is valid according to the tests above, then the
+ Binding Update is processed further as follows:
+
+ o The Sequence Number value received from a mobile node in a Binding
+ Update is stored by the receiving node in its Binding Cache entry
+ for the given home address.
+
+ o If the Lifetime specified in the Binding Update is nonzero and the
+ specified care-of address is not equal to the home address for the
+ binding, then this is a request to cache a binding for the home
+ address. If the Home Registration (H) bit is set in the Binding
+ Update, the Binding Update is processed according to the procedure
+ specified in Section 10.3.1; otherwise, it is processed according
+ to the procedure specified in Section 9.5.2.
+
+ o If the Lifetime specified in the Binding Update is zero or the
+ specified care-of address matches the home address for the
+ binding, then this is a request to delete the cached binding for
+ the home address. In this case, the Binding Update MUST include a
+ valid home nonce index, and the care-of nonce index MUST be
+ ignored by the correspondent node. The generation of the binding
+ management key depends then exclusively on the home keygen token
+ (Section 5.2.5). If the Home Registration (H) bit is set in the
+ Binding Update, the Binding Update is processed according to the
+ procedure specified in Section 10.3.2; otherwise, it is processed
+ according to the procedure specified in Section 9.5.3.
+
+ The specified care-of address MUST be determined as follows:
+
+ o If the Alternate Care-of Address option is present, the care-of
+ address is the address in that option.
+
+ o Otherwise, the care-of address is the Source Address field in the
+ packet's IPv6 header.
+
+ The home address for the binding MUST be determined as follows:
+
+ o If the Home Address destination option is present, the home
+ address is the address in that option.
+
+ o Otherwise, the home address is the Source Address field in the
+ packet's IPv6 header.
+
+
+
+
+Johnson, et al. Standard Track [Page 83]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+9.5.2. Requests to Cache a Binding
+
+ This section describes the processing of a valid Binding Update that
+ requests a node to cache a binding, for which the Home Registration
+ (H) bit is not set in the Binding Update.
+
+ In this case, the receiving node SHOULD create a new entry in its
+ Binding Cache for this home address, or update its existing Binding
+ Cache entry for this home address, if such an entry already exists.
+ The lifetime for the Binding Cache entry is initialized from the
+ Lifetime field specified in the Binding Update, although this
+ lifetime MAY be reduced by the node caching the binding; the lifetime
+ for the Binding Cache entry MUST NOT be greater than the Lifetime
+ value specified in the Binding Update. Any Binding Cache entry MUST
+ be deleted after the expiration of its lifetime.
+
+ Note that if the mobile node did not request a Binding
+ Acknowledgement, then it is not aware of the selected shorter
+ lifetime. The mobile node may thus use route optimization and send
+ packets with the Home Address destination option. As discussed in
+ Section 9.3.1, such packets will be dropped if there is no binding.
+ This situation is recoverable, but can cause temporary packet loss.
+
+ The correspondent node MAY refuse to accept a new Binding Cache entry
+ if it does not have sufficient resources. A new entry MAY also be
+ refused if the correspondent node believes its resources are utilized
+ more efficiently in some other purpose, such as serving another
+ mobile node with higher amount of traffic. In both cases the
+ correspondent node SHOULD return a Binding Acknowledgement with
+ status value 130.
+
+9.5.3 Requests to Delete a Binding
+
+ This section describes the processing of a valid Binding Update that
+ requests a node to delete a binding when the Home Registration (H)
+ bit is not set in the Binding Update.
+
+ Any existing binding for the given home address MUST be deleted. A
+ Binding Cache entry for the home address MUST NOT be created in
+ response to receiving the Binding Update.
+
+ If the Binding Cache entry was created by use of return routability
+ nonces, the correspondent node MUST ensure that the same nonces are
+ not used again with the particular home and care-of address. If both
+ nonces are still valid, the correspondent node has to remember the
+ particular combination of nonce indexes, addresses, and sequence
+ number as illegal until at least one of the nonces has become too
+ old.
+
+
+
+Johnson, et al. Standard Track [Page 84]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+9.5.4. Sending Binding Acknowledgements
+
+ A Binding Acknowledgement may be sent to indicate receipt of a
+ Binding Update as follows:
+
+ o If the Binding Update was discarded as described in Section 9.2 or
+ Section 9.5.1, a Binding Acknowledgement MUST NOT be sent.
+ Otherwise the treatment depends on the following rules.
+
+ o If the Acknowledge (A) bit set is set in the Binding Update, a
+ Binding Acknowledgement MUST be sent. Otherwise, the treatment
+ depends on the below rule.
+
+ o If the node rejects the Binding Update due to an expired nonce
+ index, sequence number being out of window (Section 9.5.1), or
+ insufficiency of resources (Section 9.5.2), a Binding
+ Acknowledgement MUST be sent. If the node accepts the Binding
+ Update, the Binding Acknowledgement SHOULD NOT be sent.
+
+ If the node accepts the Binding Update and creates or updates an
+ entry for this binding, the Status field in the Binding
+ Acknowledgement MUST be set to a value less than 128. Otherwise, the
+ Status field MUST be set to a value greater than or equal to 128.
+ Values for the Status field are described in Section 6.1.8 and in the
+ IANA registry of assigned numbers [19].
+
+ If the Status field in the Binding Acknowledgement contains the value
+ 136 (expired home nonce index), 137 (expired care-of nonce index), or
+ 138 (expired nonces) then the message MUST NOT include the Binding
+ Authorization Data mobility option. Otherwise, the Binding
+ Authorization Data mobility option MUST be included, and MUST meet
+ the specific authentication requirements for Binding Acknowledgements
+ as defined in Section 5.2.
+
+ If the Source Address field of the IPv6 header that carried the
+ Binding Update does not contain a unicast address, the Binding
+ Acknowledgement MUST NOT be sent and the Binding Update packet MUST
+ be silently discarded. Otherwise, the acknowledgement MUST be sent
+ to the Source Address. Unlike the treatment of regular packets, this
+ addressing procedure does not use information from the Binding Cache.
+ However, a routing header is needed in some cases. If the Source
+ Address is the home address of the mobile node, i.e., the Binding
+ Update did not contain a Home Address destination option, then the
+ Binding Acknowledgement MUST be sent to that address and the routing
+ header MUST NOT be used. Otherwise, the Binding Acknowledgement MUST
+ be sent using a type 2 routing header which contains the mobile
+ node's home address.
+
+
+
+
+Johnson, et al. Standard Track [Page 85]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+9.5.5. Sending Binding Refresh Requests
+
+ If a Binding Cache entry being deleted is still in active use when
+ sending packets to a mobile node, then the next packet sent to the
+ mobile node will be routed normally to the mobile node's home link.
+ Communication with the mobile node continues, but the tunneling from
+ the home network creates additional overhead and latency in
+ delivering packets to the mobile node.
+
+ If the sender knows that the Binding Cache entry is still in active
+ use, it MAY send a Binding Refresh Request message to the mobile node
+ in an attempt to avoid this overhead and latency due to deleting and
+ recreating the Binding Cache entry. This message is always sent to
+ the home address of the mobile node.
+
+ The correspondent node MAY retransmit Binding Refresh Request
+ messages as long as the rate limitation is applied. The
+ correspondent node MUST stop retransmitting when it receives a
+ Binding Update.
+
+9.6. Cache Replacement Policy
+
+ Conceptually, a node maintains a separate timer for each entry in its
+ Binding Cache. When creating or updating a Binding Cache entry in
+ response to a received and accepted Binding Update, the node sets the
+ timer for this entry to the specified Lifetime period. Any entry in
+ a node's Binding Cache MUST be deleted after the expiration of the
+ Lifetime specified in the Binding Update from which the entry was
+ created or last updated.
+
+ Each node's Binding Cache will, by necessity, have a finite size. A
+ node MAY use any reasonable local policy for managing the space
+ within its Binding Cache.
+
+ A node MAY choose to drop any entry already in its Binding Cache in
+ order to make space for a new entry. For example, a "least-recently
+ used" (LRU) strategy for cache entry replacement among entries should
+ work well, unless the size of the Binding Cache is substantially
+ insufficient. When entries are deleted, the correspondent node MUST
+ follow the rules in Section 5.2.8 in order to guard the return
+ routability procedure against replay attacks.
+
+ If the node sends a packet to a destination for which it has dropped
+ the entry from its Binding Cache, the packet will be routed through
+ the mobile node's home link. The mobile node can detect this and
+ establish a new binding if necessary.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 86]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ However, if the mobile node believes that the binding still exists,
+ it may use route optimization and send packets with the Home Address
+ destination option. This can create temporary packet loss, as
+ discussed earlier, in the context of binding lifetime reductions
+ performed by the correspondent node (Section 9.5.2).
+
+10. Home Agent Operation
+
+10.1. Conceptual Data Structures
+
+ Each home agent MUST maintain a Binding Cache and Home Agents List.
+
+ The rules for maintaining a Binding Cache are the same for home
+ agents and correspondent nodes and have already been described in
+ Section 9.1.
+
+ The Home Agents List is maintained by each home agent, recording
+ information about each router on the same link that is acting as a
+ home agent. This list is used by the dynamic home agent address
+ discovery mechanism. A router is known to be acting as a home agent,
+ if it sends a Router Advertisement in which the Home Agent (H) bit is
+ set. When the lifetime for a list entry (defined below) expires,
+ that entry is removed from the Home Agents List. The Home Agents
+ List is similar to the Default Router List conceptual data structure
+ maintained by each host for Neighbor Discovery [12]. The Home Agents
+ List MAY be implemented in any manner consistent with the external
+ behavior described in this document.
+
+ Each home agent maintains a separate Home Agents List for each link
+ on which it is serving as a home agent. A new entry is created or an
+ existing entry is updated in response to receipt of a valid Router
+ Advertisement in which the Home Agent (H) bit is set. Each Home
+ Agents List entry conceptually contains the following fields:
+
+ o The link-local IP address of a home agent on the link. This
+ address is learned through the Source Address of the Router
+ Advertisements [12] received from the router.
+
+ o One or more global IP addresses for this home agent. Global
+ addresses are learned through Prefix Information options with the
+ Router Address (R) bit set and received in Router Advertisements
+ from this link-local address. Global addresses for the router in
+ a Home Agents List entry MUST be deleted once the prefix
+ associated with that address is no longer valid [12].
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 87]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The remaining lifetime of this Home Agents List entry. If a Home
+ Agent Information Option is present in a Router Advertisement
+ received from a home agent, the lifetime of the Home Agents List
+ entry representing that home agent is initialized from the Home
+ Agent Lifetime field in the option (if present); otherwise, the
+ lifetime is initialized from the Router Lifetime field in the
+ received Router Advertisement. If Home Agents List entry lifetime
+ reaches zero, the entry MUST be deleted from the Home Agents List.
+
+ o The preference for this home agent; higher values indicate a more
+ preferable home agent. The preference value is taken from the
+ Home Agent Preference field in the received Router Advertisement,
+ if the Router Advertisement contains a Home Agent Information
+ Option and is otherwise set to the default value of 0. A home
+ agent uses this preference in ordering the Home Agents List when
+ it sends an ICMP Home Agent Address Discovery message.
+
+10.2. Processing Mobility Headers
+
+ All IPv6 home agents MUST observe the rules described in Section 9.2
+ when processing Mobility Headers.
+
+10.3. Processing Bindings
+
+10.3.1. Primary Care-of Address Registration
+
+ When a node receives a Binding Update, it MUST validate it and
+ determine the type of Binding Update according to the steps described
+ in Section 9.5.1. Furthermore, it MUST authenticate the Binding
+ Update as described in Section 5.1. An authorization step specific
+ for the home agent is also needed to ensure that only the right node
+ can control a particular home address. This is provided through the
+ home address unequivocally identifying the security association that
+ must be used.
+
+ This section describes the processing of a valid and authorized
+ Binding Update when it requests the registration of the mobile node's
+ primary care-of address.
+
+ To begin processing the Binding Update, the home agent MUST perform
+ the following sequence of tests:
+
+ o If the node implements only correspondent node functionality, or
+ has not been configured to act as a home agent, then the node MUST
+ reject the Binding Update. The node MUST also return a Binding
+ Acknowledgement to the mobile node, in which the Status field is
+ set to 131 (home registration not supported).
+
+
+
+
+Johnson, et al. Standard Track [Page 88]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o Else, if the home address for the binding (the Home Address field
+ in the packet's Home Address option) is not an on-link IPv6
+ address with respect to the home agent's current Prefix List, then
+ the home agent MUST reject the Binding Update and SHOULD return a
+ Binding Acknowledgement to the mobile node, in which the Status
+ field is set to 132 (not home subnet).
+
+ o Else, if the home agent chooses to reject the Binding Update for
+ any other reason (e.g., insufficient resources to serve another
+ mobile node as a home agent), then the home agent SHOULD return a
+ Binding Acknowledgement to the mobile node, in which the Status
+ field is set to an appropriate value to indicate the reason for
+ the rejection.
+
+ o A Home Address destination option MUST be present in the message.
+ It MUST be validated as described in Section 9.3.1 with the
+ following additional rule. The Binding Cache entry existence test
+ MUST NOT be done for IPsec packets when the Home Address option
+ contains an address for which the receiving node could act as a
+ home agent.
+
+ If home agent accepts the Binding Update, it MUST then create a new
+ entry in its Binding Cache for this mobile node or update its
+ existing Binding Cache entry, if such an entry already exists. The
+ Home Address field as received in the Home Address option provides
+ the home address of the mobile node.
+
+ The home agent MUST mark this Binding Cache entry as a home
+ registration to indicate that the node is serving as a home agent for
+ this binding. Binding Cache entries marked as a home registration
+ MUST be excluded from the normal cache replacement policy used for
+ the Binding Cache (Section 9.6) and MUST NOT be removed from the
+ Binding Cache until the expiration of the Lifetime period.
+
+ Unless this home agent already has a binding for the given home
+ address, the home agent MUST perform Duplicate Address Detection [13]
+ on the mobile node's home link before returning the Binding
+ Acknowledgement. This ensures that no other node on the home link
+ was using the mobile node's home address when the Binding Update
+ arrived. If this Duplicate Address Detection fails for the given
+ home address or an associated link local address, then the home agent
+ MUST reject the complete Binding Update and MUST return a Binding
+ Acknowledgement to the mobile node, in which the Status field is set
+ to 134 (Duplicate Address Detection failed). When the home agent
+ sends a successful Binding Acknowledgement to the mobile node, the
+ home agent assures to the mobile node that its address(es) will be
+ kept unique by the home agent for as long as the lifetime was granted
+ for the binding.
+
+
+
+Johnson, et al. Standard Track [Page 89]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The specific addresses, which are to be tested before accepting the
+ Binding Update and later to be defended by performing Duplicate
+ Address Detection, depend on the setting of the Link-Local Address
+ Compatibility (L) bit, as follows:
+
+ o L=0: Defend only the given address. Do not derive a link-local
+ address.
+
+ o L=1: Defend both the given non link-local unicast (home) address
+ and the derived link-local. The link-local address is derived by
+ replacing the subnet prefix in the mobile node's home address with
+ the link-local prefix.
+
+ The lifetime of the Binding Cache entry depends on a number of
+ factors:
+
+ o The lifetime for the Binding Cache entry MUST NOT be greater than
+ the Lifetime value specified in the Binding Update.
+
+ o The lifetime for the Binding Cache entry MUST NOT be greater than
+ the remaining valid lifetime for the subnet prefix in the mobile
+ node's home address specified with the Binding Update. The
+ remaining valid lifetime for this prefix is determined by the home
+ agent based on its own Prefix List entry [12].
+
+ The remaining preferred lifetime SHOULD NOT have any impact on the
+ lifetime for the binding cache entry.
+
+ The home agent MUST remove a binding when the valid lifetime of
+ the prefix associated with it expires.
+
+ o The home agent MAY further decrease the specified lifetime for the
+ binding, for example based on a local policy. The resulting
+ lifetime is stored by the home agent in the Binding Cache entry,
+ and this Binding Cache entry MUST be deleted by the home agent
+ after the expiration of this lifetime.
+
+ Regardless of the setting of the Acknowledge (A) bit in the Binding
+ Update, the home agent MUST return a Binding Acknowledgement to the
+ mobile node constructed as follows:
+
+ o The Status field MUST be set to a value indicating success. The
+ value 1 (accepted but prefix discovery necessary) MUST be used if
+ the subnet prefix of the specified home address is deprecated, or
+ becomes deprecated during the lifetime of the binding, or becomes
+ invalid at the end of the lifetime. The value 0 MUST be used
+
+
+
+
+
+Johnson, et al. Standard Track [Page 90]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ otherwise. For the purposes of comparing the binding and prefix
+ lifetimes, the prefix lifetimes are first converted into units of
+ four seconds by ignoring the two least significant bits.
+
+ o The Key Management Mobility Capability (K) bit is set if the
+ following conditions are all fulfilled, and cleared otherwise:
+
+ * The Key Management Mobility Capability (K) bit was set in the
+ Binding Update.
+
+ * The IPsec security associations between the mobile node and the
+ home agent have been established dynamically.
+
+ * The home agent has the capability to update its endpoint in the
+ used key management protocol to the new care-of address every
+ time it moves.
+
+ Depending on the final value of the bit in the Binding
+ Acknowledgement, the home agent SHOULD perform the following
+ actions:
+
+ K = 0
+
+ Discard key management connections, if any, to the old care-of
+ address. If the mobile node did not have a binding before
+ sending this Binding Update, discard the connections to the
+ home address.
+
+ K = 1
+
+ Move the peer endpoint of the key management protocol
+ connection, if any, to the new care-of address. For an IKE
+ phase 1 connection, this means that any IKE packets sent to the
+ peer are sent to this address, and packets from this address
+ with the original ISAKMP cookies are accepted.
+
+ Note that RFC 2408 [8] Section 2.5.3 gives specific rules that
+ ISAKMP cookies must satisfy: they must depend on specific
+ parties and can only be generated by the entity itself. Then
+ it recommends a particular way to do this, namely a hash of IP
+ addresses. With the K bit set to 1, the recommended
+ implementation technique does not work directly. To satisfy
+ the two rules, the specific parties must be treated as the
+ original IP addresses, not the ones in use at the specific
+ moment.
+
+ o The Sequence Number field MUST be copied from the Sequence Number
+ given in the Binding Update.
+
+
+
+Johnson, et al. Standard Track [Page 91]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The Lifetime field MUST be set to the remaining lifetime for the
+ binding as set by the home agent in its home registration Binding
+ Cache entry for the mobile node, as described above.
+
+ o If the home agent stores the Binding Cache entry in nonvolatile
+ storage, then the Binding Refresh Advice mobility option MUST be
+ omitted. Otherwise, the home agent MAY include this option to
+ suggest that the mobile node refreshes its binding before the
+ actual lifetime of the binding ends.
+
+ If the Binding Refresh Advice mobility option is present, the
+ Refresh Interval field in the option MUST be set to a value less
+ than the Lifetime value being returned in the Binding
+ Acknowledgement. This indicates that the mobile node SHOULD
+ attempt to refresh its home registration at the indicated shorter
+ interval. The home agent MUST still retain the registration for
+ the Lifetime period, even if the mobile node does not refresh its
+ registration within the Refresh period.
+
+ The rules for selecting the Destination IP address (and possibly
+ routing header construction) for the Binding Acknowledgement to the
+ mobile node are the same as in Section 9.5.4.
+
+ In addition, the home agent MUST follow the procedure defined in
+ Section 10.4.1 to intercept packets on the mobile node's home link
+ addressed to the mobile node, while the home agent is serving as the
+ home agent for this mobile node. The home agent MUST also be
+ prepared to accept reverse tunneled packets from the new care-of
+ address of the mobile node, as described in Section 10.4.5. Finally,
+ the home agent MUST also propagate new home network prefixes, as
+ described in Section 10.6.
+
+10.3.2. Primary Care-of Address De-Registration
+
+ A binding may need to be de-registered when the mobile node returns
+ home or when the mobile node knows that it will not have any care-of
+ addresses in the visited network.
+
+ A Binding Update is validated and authorized in the manner described
+ in the previous section; note that when the mobile node de-registers
+ when it is at home, it may not include the Home Address destination
+ option, in which case the mobile node's home address is the source IP
+ address of the de-registration Binding Update. This section
+ describes the processing of a valid Binding Update that requests the
+ receiving node to no longer serve as its home agent, de-registering
+ its primary care-of address.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 92]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ To begin processing the Binding Update, the home agent MUST perform
+ the following test:
+
+ o If the receiving node has no entry marked as a home registration
+ in its Binding Cache for this mobile node, then this node MUST
+ reject the Binding Update and SHOULD return a Binding
+ Acknowledgement to the mobile node, in which the Status field is
+ set to 133 (not home agent for this mobile node).
+
+ If the home agent does not reject the Binding Update as described
+ above, then it MUST delete any existing entry in its Binding Cache
+ for this mobile node. Then, the home agent MUST return a Binding
+ Acknowledgement to the mobile node, constructed as follows:
+
+ o The Status field MUST be set to a value 0, indicating success.
+
+ o The Key Management Mobility Capability (K) bit is set or cleared
+ and actions based on its value are performed as described in the
+ previous section. The mobile node's home address is used as its
+ new care-of address for the purposes of moving the key management
+ connection to a new endpoint.
+
+ o The Sequence Number field MUST be copied from the Sequence Number
+ given in the Binding Update.
+
+ o The Lifetime field MUST be set to zero.
+
+ o The Binding Refresh Advice mobility option MUST be omitted.
+
+ In addition, the home agent MUST stop intercepting packets on the
+ mobile node's home link that are addressed to the mobile node
+ (Section 10.4.1).
+
+ The rules for selecting the Destination IP address (and, if required,
+ routing header construction) for the Binding Acknowledgement to the
+ mobile node are the same as in the previous section. When the Status
+ field in the Binding Acknowledgement is greater than or equal to 128
+ and the Source Address of the Binding Update is on the home link, the
+ home agent MUST send it to the mobile node's link layer address
+ (retrieved either from the Binding Update or through Neighbor
+ Solicitation).
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 93]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+10.4. Packet Processing
+
+10.4.1. Intercepting Packets for a Mobile Node
+
+ While a node is serving as the home agent for mobile node it MUST
+ attempt to intercept packets on the mobile node's home link that are
+ addressed to the mobile node.
+
+ In order to do this, when a node begins serving as the home agent it
+ MUST multicast onto the home link a Neighbor Advertisement message
+ [12] on behalf of the mobile node. For the home address specified in
+ the Binding Update, the home agent sends a Neighbor Advertisement
+ message [12] to the all-nodes multicast address on the home link to
+ advertise the home agent's own link-layer address for this IP address
+ on behalf of the mobile node. If the Link-Layer Address
+ Compatibility (L) flag has been specified in the Binding Update, the
+ home agent MUST do the same for the link-local address of the mobile
+ node.
+
+ All fields in each Neighbor Advertisement message SHOULD be set in
+ the same way they would be set by the mobile node if it was sending
+ this Neighbor Advertisement [12] while at home, with the following
+ exceptions:
+
+ o The Target Address in the Neighbor Advertisement MUST be set to
+ the specific IP address for the mobile node.
+
+ o The Advertisement MUST include a Target Link-layer Address option
+ specifying the home agent's link-layer address.
+
+ o The Router (R) bit in the Advertisement MUST be set to zero.
+
+ o The Solicited Flag (S) in the Advertisement MUST NOT be set, since
+ it was not solicited by any Neighbor Solicitation.
+
+ o The Override Flag (O) in the Advertisement MUST be set, indicating
+ that the Advertisement SHOULD override any existing Neighbor Cache
+ entry at any node receiving it.
+
+ o The Source Address in the IPv6 header MUST be set to the home
+ agent's IP address on the interface used to send the
+ advertisement.
+
+ Any node on the home link that receives one of the Neighbor
+ Advertisement messages (described above) will update its Neighbor
+ Cache to associate the mobile node's address with the home agent's
+ link layer address, causing it to transmit any future packets
+ normally destined to the mobile node to the mobile node's home agent.
+
+
+
+Johnson, et al. Standard Track [Page 94]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Since multicasting on the local link (such as Ethernet) is typically
+ not guaranteed to be reliable, the home agent MAY retransmit this
+ Neighbor Advertisement message up to MAX_NEIGHBOR_ADVERTISEMENT (see
+ [12]) times to increase its reliability. It is still possible that
+ some nodes on the home link will not receive any of the Neighbor
+ Advertisements, but these nodes will eventually be able to detect the
+ link-layer address change for the mobile node's address through use
+ of Neighbor Unreachability Detection [12].
+
+ While a node is serving as a home agent for some mobile node, the
+ home agent uses IPv6 Neighbor Discovery [12] to intercept unicast
+ packets on the home link addressed to the mobile node. In order to
+ intercept packets in this way, the home agent MUST act as a proxy for
+ this mobile node and reply to any received Neighbor Solicitations for
+ it. When a home agent receives a Neighbor Solicitation, it MUST
+ check if the Target Address specified in the message matches the
+ address of any mobile node for which it has a Binding Cache entry
+ marked as a home registration.
+
+ If such an entry exists in the home agent's Binding Cache, the home
+ agent MUST reply to the Neighbor Solicitation with a Neighbor
+ Advertisement giving the home agent's own link-layer address as the
+ link-layer address for the specified Target Address. In addition,
+ the Router (R) bit in the Advertisement MUST be set to zero. Acting
+ as a proxy in this way allows other nodes on the mobile node's home
+ link to resolve the mobile node's address and for the home agent to
+ defend these addresses on the home link for Duplicate Address
+ Detection [12].
+
+10.4.2. Processing Intercepted Packets
+
+ For any packet sent to a mobile node from the mobile node's home
+ agent (in which the home agent is the original sender of the packet),
+ the home agent is operating as a correspondent node of the mobile
+ node for this packet and the procedures described in Section 9.3.2
+ apply. The home agent then uses a routing header to route the packet
+ to the mobile node by way of the primary care-of address in the home
+ agent's Binding Cache.
+
+ While the mobile node is away from home, the home agent intercepts
+ any packets on the home link addressed to the mobile node's home
+ address, as described in Section 10.4.1. In order to forward each
+ intercepted packet to the mobile node, the home agent MUST tunnel the
+ packet to the mobile node using IPv6 encapsulation [15]. When a home
+ agent encapsulates an intercepted packet for forwarding to the mobile
+ node, the home agent sets the Source Address in the new tunnel IP
+ header to the home agent's own IP address and sets the Destination
+ Address in the tunnel IP header to the mobile node's primary care-of
+
+
+
+Johnson, et al. Standard Track [Page 95]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ address. When received by the mobile node, normal processing of the
+ tunnel header [15] will result in decapsulation and processing of the
+ original packet by the mobile node.
+
+ However, packets addressed to the mobile node's link-local address
+ MUST NOT be tunneled to the mobile node. Instead, these packets MUST
+ be discarded and the home agent SHOULD return an ICMP Destination
+ Unreachable, Code 3, message to the packet's Source Address (unless
+ this Source Address is a multicast address). Packets addressed to
+ the mobile node's site-local address SHOULD NOT be tunneled to the
+ mobile node by default.
+
+ Interception and tunneling of the following multicast addressed
+ packets on the home network are only done if the home agent supports
+ multicast group membership control messages from the mobile node as
+ described in the next section. Tunneling of multicast packets to a
+ mobile node follows similar limitations to those defined above for
+ unicast packets addressed to the mobile node's link-local and site-
+ local addresses. Multicast packets addressed to a multicast address
+ with link-local scope [3], to which the mobile node is subscribed,
+ MUST NOT be tunneled to the mobile node. These packets SHOULD be
+ silently discarded (after delivering to other local multicast
+ recipients). Multicast packets addressed to a multicast address with
+ a scope larger than link-local, but smaller than global (e.g., site-
+ local and organization-local [3], to which the mobile node is
+ subscribed, SHOULD NOT be tunneled to the mobile node. Multicast
+ packets addressed with a global scope, to which the mobile node has
+ successfully subscribed, MUST be tunneled to the mobile node.
+
+ Before tunneling a packet to the mobile node, the home agent MUST
+ perform any IPsec processing as indicated by the security policy data
+ base.
+
+10.4.3. Multicast Membership Control
+
+ This section is a prerequisite for the multicast data packet
+ forwarding, described in the previous section. If this support is
+ not provided, multicast group membership control messages are
+ silently ignored.
+
+ In order to forward multicast data packets from the home network to
+ all the proper mobile nodes, the home agent SHOULD be capable of
+ receiving tunneled multicast group membership control information
+ from the mobile node in order to determine which groups the mobile
+ node has subscribed to. These multicast group membership messages
+ are Listener Report messages specified in MLD [17] or in other
+ protocols such as [37].
+
+
+
+
+Johnson, et al. Standard Track [Page 96]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The messages are issued by the mobile node, but sent through the
+ reverse tunnel to the home agent. These messages are issued whenever
+ the mobile node decides to enable reception of packets for a
+ multicast group or in response to an MLD Query from the home agent.
+ The mobile node will also issue multicast group control messages to
+ disable reception of multicast packets when it is no longer
+ interested in receiving multicasts for a particular group.
+
+ To obtain the mobile node's current multicast group membership the
+ home agent must periodically transmit MLD Query messages through the
+ tunnel to the mobile node. These MLD periodic transmissions will
+ ensure the home agent has an accurate record of the groups in which
+ the mobile node is interested despite packet losses of the mobile
+ node's MLD group membership messages.
+
+ All MLD packets are sent directly between the mobile node and the
+ home agent. Since all of these packets are destined to a link-scope
+ multicast address and have a hop limit of 1, there is no direct
+ forwarding of such packets between the home network and the mobile
+ node. The MLD packets between the mobile node and the home agent are
+ encapsulated within the same tunnel header used for other packet
+ flows between the mobile node and home agent.
+
+ Note that at this time, even though a link-local source is used on
+ MLD packets, no functionality depends on these addresses being
+ unique, nor do they elicit direct responses. All MLD messages are
+ sent to multicast destinations. To avoid ambiguity on the home
+ agent, due to mobile nodes which may choose identical link-local
+ source addresses for their MLD function, it is necessary for the home
+ agent to identify which mobile node was actually the issuer of a
+ particular MLD message. This may be accomplished by noting which
+ tunnel such an MLD arrived by, which IPsec SA was used, or by other
+ distinguishing means.
+
+ This specification puts no requirement on how the functions in this
+ section and the multicast forwarding in Section 10.4.2 are to be
+ achieved. At the time of this writing it was thought that a full
+ IPv6 multicast router function would be necessary on the home agent,
+ but it may be possible to achieve the same effects through a "proxy
+ MLD" application coupled with kernel multicast forwarding. This may
+ be the subject of future specifications.
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 97]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+10.4.4. Stateful Address Autoconfiguration
+
+ This section describes how home agents support the use of stateful
+ address autoconfiguration mechanisms such as DHCPv6 [29] from the
+ mobile nodes. If this support is not provided, then the M and O bits
+ must remain cleared on the Mobile Prefix Advertisement Messages. Any
+ mobile node which sends DHCPv6 messages to the home agent without
+ this support will not receive a response.
+
+ If DHCPv6 is used, packets are sent with link-local source addresses
+ either to a link-scope multicast address or a link-local address.
+ Mobile nodes desiring to locate a DHCPv6 service may reverse tunnel
+ standard DHCPv6 packets to the home agent. Since these link-scope
+ packets cannot be forwarded onto the home network, it is necessary
+ for the home agent to either implement a DHCPv6 relay agent or a
+ DHCPv6 server function itself. The arriving tunnel or IPsec SA of
+ DHCPv6 link-scope messages from the mobile node must be noted so that
+ DHCPv6 responses may be sent back to the appropriate mobile node.
+ DHCPv6 messages sent to the mobile node with a link-local destination
+ must be tunneled within the same tunnel header used for other packet
+ flows.
+
+10.4.5. Handling Reverse Tunneled Packets
+
+ Unless a binding has been established between the mobile node and a
+ correspondent node, traffic from the mobile node to the correspondent
+ node goes through a reverse tunnel. Home agents MUST support reverse
+ tunneling as follows:
+
+ o The tunneled traffic arrives to the home agent's address using
+ IPv6 encapsulation [15].
+
+ o Depending on the security policies used by the home agent, reverse
+ tunneled packets MAY be discarded unless accompanied by a valid
+ ESP header. The support for authenticated reverse tunneling
+ allows the home agent to protect the home network and
+ correspondent nodes from malicious nodes masquerading as a mobile
+ node.
+
+ o Otherwise, when a home agent decapsulates a tunneled packet from
+ the mobile node, the home agent MUST verify that the Source
+ Address in the tunnel IP header is the mobile node's primary
+ care-of address. Otherwise, any node in the Internet could send
+ traffic through the home agent and escape ingress filtering
+ limitations. This simple check forces the attacker to know the
+ current location of the real mobile node and be able to defeat
+ ingress filtering. This check is not necessary if the reverse-
+ tunneled packet is protected by ESP in tunnel mode.
+
+
+
+Johnson, et al. Standard Track [Page 98]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+10.4.6. Protecting Return Routability Packets
+
+ The return routability procedure, described in Section 5.2.5, assumes
+ that the confidentiality of the Home Test Init and Home Test messages
+ is protected as they are tunneled between the home agent and the
+ mobile node. Therefore, the home agent MUST support tunnel mode
+ IPsec ESP for the protection of packets belonging to the return
+ routability procedure. Support for a non-null encryption transform
+ and authentication algorithm MUST be available. It is not necessary
+ to distinguish between different kinds of packets during the return
+ routability procedure.
+
+ Security associations are needed to provide this protection. When
+ the care-of address for the mobile node changes as a result of an
+ accepted Binding Update, special treatment is needed for the next
+ packets sent using these security associations. The home agent MUST
+ set the new care-of address as the destination address of these
+ packets, as if the outer header destination address in the security
+ association had changed [21].
+
+ The above protection SHOULD be used with all mobile nodes. The use
+ is controlled by configuration of the IPsec security policy database
+ both at the mobile node and at the home agent.
+
+ As described earlier, the Binding Update and Binding Acknowledgement
+ messages require protection between the home agent and the mobile
+ node. The Mobility Header protocol carries both these messages as
+ well as the return routability messages. From the point of view of
+ the security policy database these messages are indistinguishable.
+ When IPsec is used to protect return routability signaling or payload
+ packets, this protection MUST only be applied to the return
+ routability packets entering the IPv6 encapsulated tunnel interface
+ between the mobile node and the home agent. This can be achieved,
+ for instance, by defining the security policy database entries
+ specifically for the tunnel interface. That is, the policy entries
+ are not generally applied on all traffic on the physical interface(s)
+ of the nodes, but rather only on traffic that enters the tunnel.
+ This makes use of per-interface security policy database entries [4]
+ specific to the tunnel interface (the node's attachment to the tunnel
+ [11]).
+
+10.5. Dynamic Home Agent Address Discovery
+
+ This section describes how a home agent can help mobile nodes to
+ discover the addresses of the home agents. The home agent keeps
+ track of the other home agents on the same link and responds to
+ queries sent by the mobile node.
+
+
+
+
+Johnson, et al. Standard Track [Page 99]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+10.5.1. Receiving Router Advertisement Messages
+
+ For each link on which a router provides service as a home agent, the
+ router maintains a Home Agents List recording information about all
+ other home agents on that link. This list is used in the dynamic
+ home agent address discovery mechanism, described in Section 10.5.
+ The information for the list is learned through receipt of the
+ periodic unsolicited multicast Router Advertisements, in a manner
+ similar to the Default Router List conceptual data structure
+ maintained by each host for Neighbor Discovery [12]. In the
+ construction of the Home Agents List, the Router Advertisements are
+ from each (other) home agent on the link and the Home Agent (H) bit
+ is set in them.
+
+ On receipt of a valid Router Advertisement, as defined in the
+ processing algorithm specified for Neighbor Discovery [12], the home
+ agent performs the following steps in addition to any steps already
+ required of it by Neighbor Discovery:
+
+ o If the Home Agent (H) bit in the Router Advertisement is not set,
+ delete the sending node's entry in the current Home Agents List
+ (if one exists). Skip all the following steps.
+
+ o Otherwise, extract the Source Address from the IP header of the
+ Router Advertisement. This is the link-local IP address on this
+ link of the home agent sending this Advertisement [12].
+
+ o Determine the preference for this home agent. If the Router
+ Advertisement contains a Home Agent Information Option, then the
+ preference is taken from the Home Agent Preference field in the
+ option; otherwise, the default preference of 0 MUST be used.
+
+ o Determine the lifetime for this home agent. If the Router
+ Advertisement contains a Home Agent Information Option, then the
+ lifetime is taken from the Home Agent Lifetime field in the
+ option; otherwise, the lifetime specified by the Router Lifetime
+ field in the Router Advertisement SHOULD be used.
+
+ o If the link-local address of the home agent sending this
+ Advertisement is already present in this home agent's Home Agents
+ List and the received home agent lifetime value is zero,
+ immediately delete this entry in the Home Agents List.
+
+ o Otherwise, if the link-local address of the home agent sending
+ this Advertisement is already present in the receiving home
+ agent's Home Agents List, reset its lifetime and preference to the
+ values determined above.
+
+
+
+
+Johnson, et al. Standard Track [Page 100]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o If the link-local address of the home agent sending this
+ Advertisement is not already present in the Home Agents List
+ maintained by the receiving home agent, and the lifetime for the
+ sending home agent is non-zero, create a new entry in the list,
+ and initialize its lifetime and preference to the values
+ determined above.
+
+ o If the Home Agents List entry for the link-local address of the
+ home agent sending this Advertisement was not deleted as described
+ above, determine any global address(es) of the home agent based on
+ each Prefix Information option received in this Advertisement in
+ which the Router Address (R) bit is set (Section 7.2). Add all
+ such global addresses to the list of global addresses in this Home
+ Agents List entry.
+
+ A home agent SHOULD maintain an entry in its Home Agents List for
+ each valid home agent address until that entry's lifetime expires,
+ after which time the entry MUST be deleted.
+
+ As described in Section 11.4.1, a mobile node attempts dynamic home
+ agent address discovery by sending an ICMP Home Agent Address
+ Discovery Request message to the Mobile IPv6 Home-Agents anycast
+ address [16] for its home IP subnet prefix. A home agent receiving a
+ Home Agent Address Discovery Request message that serves this subnet
+ SHOULD return an ICMP Home Agent Address Discovery Reply message to
+ the mobile node with the Source Address of the Reply packet set to
+ one of the global unicast addresses of the home agent. The Home
+ Agent Addresses field in the Reply message is constructed as follows:
+
+ o The Home Agent Addresses field SHOULD contain all global IP
+ addresses for each home agent currently listed in this home
+ agent's own Home Agents List (Section 10.1).
+
+ o The IP addresses in the Home Agent Addresses field SHOULD be
+ listed in order of decreasing preference values, based either on
+ the respective advertised preference from a Home Agent Information
+ option or on the default preference of 0 if no preference is
+ advertised (or on the configured home agent preference for this
+ home agent itself).
+
+ o Among home agents with equal preference, their IP addresses in the
+ Home Agent Addresses field SHOULD be listed in an order randomized
+ with respect to other home agents with equal preference every time
+ a Home Agent Address Discovery Reply message is returned by this
+ home agent.
+
+ o If more than one global IP address is associated with a home
+ agent, these addresses SHOULD be listed in a randomized order.
+
+
+
+Johnson, et al. Standard Track [Page 101]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The home agent SHOULD reduce the number of home agent IP addresses
+ so that the packet fits within the minimum IPv6 MTU [11]. The
+ home agent addresses selected for inclusion in the packet SHOULD
+ be those from the complete list with the highest preference. This
+ limitation avoids the danger of the Reply message packet being
+ fragmented (or rejected by an intermediate router with an ICMP
+ Packet Too Big message [14]).
+
+10.6. Sending Prefix Information to the Mobile Node
+
+10.6.1. List of Home Network Prefixes
+
+ Mobile IPv6 arranges to propagate relevant prefix information to the
+ mobile node when it is away from home, so that it may be used in
+ mobile node home address configuration and in network renumbering.
+ In this mechanism, mobile nodes away from home receive Mobile Prefix
+ Advertisements messages. These messages include Prefix Information
+ Options for the prefixes configured on the home subnet interface(s)
+ of the home agent.
+
+ If there are multiple home agents, differences in the advertisements
+ sent by different home agents can lead to an inability to use a
+ particular home address when changing to another home agent. In
+ order to ensure that the mobile nodes get the same information from
+ different home agents, it is preferred that all of the home agents on
+ the same link be configured in the same manner.
+
+ To support this, the home agent monitors prefixes advertised by
+ itself and other home agents on the home link. In RFC 2461 [12] it
+ is acceptable for two routers to advertise different sets of prefixes
+ on the same link. For home agents, the differences should be
+ detected for a given home address because the mobile node
+ communicates only with one home agent at a time and the mobile node
+ needs to know the full set of prefixes assigned to the home link.
+ All other comparisons of Router Advertisements are as specified in
+ Section 6.2.7 of RFC 2461.
+
+10.6.2. Scheduling Prefix Deliveries
+
+ A home agent serving a mobile node will schedule the delivery of the
+ new prefix information to that mobile node when any of the following
+ conditions occur:
+
+ MUST:
+
+ o The state of the flags changes for the prefix of the mobile node's
+ registered home address.
+
+
+
+
+Johnson, et al. Standard Track [Page 102]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The valid or preferred lifetime is reconfigured or changes for any
+ reason other than advancing real time.
+
+ o The mobile node requests the information with a Mobile Prefix
+ Solicitation (see Section 11.4.2).
+
+ SHOULD:
+
+ o A new prefix is added to the home subnet interface(s) of the home
+ agent.
+
+ MAY:
+
+ o The valid or preferred lifetime or the state of the flags changes
+ for a prefix which is not used in any Binding Cache entry for this
+ mobile node.
+
+ The home agent uses the following algorithm to determine when to send
+ prefix information to the mobile node.
+
+ o If a mobile node sends a solicitation, answer right away.
+
+ o If no Mobile Prefix Advertisement has been sent to the mobile node
+ in the last MaxMobPfxAdvInterval seconds (see Section 13), then
+ ensure that a transmission is scheduled. The actual transmission
+ time is randomized as described below.
+
+ o If a prefix matching the mobile node's home registration is added
+ on the home subnet interface or if its information changes in any
+ way that does not deprecate the mobile node's address, ensure that
+ a transmission is scheduled. The actual transmission time is
+ randomized as described below.
+
+ o If a home registration expires, cancel any scheduled
+ advertisements to the mobile node.
+
+ The list of prefixes is sent in its entirety in all cases.
+
+ If the home agent has already scheduled the transmission of a Mobile
+ Prefix Advertisement to the mobile node, then the home agent will
+ replace the advertisement with a new one to be sent at the scheduled
+ time.
+
+ Otherwise, the home agent computes a fresh value for RAND_ADV_DELAY
+ which offsets from the current time for the scheduled transmission.
+ First calculate the maximum delay for the scheduled Advertisement:
+
+
+
+
+
+Johnson, et al. Standard Track [Page 103]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ MaxScheduleDelay = min (MaxMobPfxAdvInterval, Preferred Lifetime),
+
+ where MaxMobPfxAdvInterval is as defined in Section 12. Then compute
+ the final delay for the advertisement:
+
+ RAND_ADV_DELAY = MinMobPfxAdvInterval +
+ (rand() % abs(MaxScheduleDelay - MinMobPfxAdvInterval))
+
+ Here rand() returns a random integer value in the range of 0 to the
+ maximum possible integer value. This computation is expected to
+ alleviate bursts of advertisements when prefix information changes.
+ In addition, a home agent MAY further reduce the rate of packet
+ transmission by further delaying individual advertisements, when
+ necessary to avoid overwhelming local network resources. The home
+ agent SHOULD periodically continue to retransmit an unsolicited
+ Advertisement to the mobile node, until it is acknowledged by the
+ receipt of a Mobile Prefix Solicitation from the mobile node.
+
+ The home agent MUST wait PREFIX_ADV_TIMEOUT (see Section 12) before
+ the first retransmission and double the retransmission wait time for
+ every succeeding retransmission until a maximum number of
+ PREFIX_ADV_RETRIES attempts (see Section 12) has been tried. If the
+ mobile node's bindings expire before the matching Binding Update has
+ been received, then the home agent MUST NOT attempt any more
+ retransmissions, even if not all PREFIX_ADV_RETRIES have been
+ retransmitted. In the meantime, if the mobile node sends another
+ Binding Update without returning home, then the home agent SHOULD
+ begin transmitting the unsolicited Advertisement again.
+
+ If some condition, as described above, occurs on the home link and
+ causes another Prefix Advertisement to be sent to the mobile node,
+ before the mobile node acknowledges a previous transmission, the home
+ agent SHOULD combine any Prefix Information options in the
+ unacknowledged Mobile Prefix Advertisement into a new Advertisement.
+ The home agent then discards the old Advertisement.
+
+10.6.3. Sending Advertisements
+
+ When sending a Mobile Prefix Advertisement to the mobile node, the
+ home agent MUST construct the packet as follows:
+
+ o The Source Address in the packet's IPv6 header MUST be set to the
+ home agent's IP address to which the mobile node addressed its
+ current home registration or its default global home agent address
+ if no binding exists.
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 104]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o If the advertisement was solicited, it MUST be destined to the
+ source address of the solicitation. If it was triggered by prefix
+ changes or renumbering, the advertisement's destination will be
+ the mobile node's home address in the binding which triggered the
+ rule.
+
+ o A type 2 routing header MUST be included with the mobile node's
+ home address.
+
+ o IPsec headers MUST be supported and SHOULD be used.
+
+ o The home agent MUST send the packet as it would any other unicast
+ IPv6 packet that it originates.
+
+ o Set the Managed Address Configuration (M) flag if the
+ corresponding flag has been set in any of the Router
+ Advertisements from which the prefix information has been learned
+ (including the ones sent by this home agent).
+
+ o Set the Other Stateful Configuration (O) flag if the corresponding
+ flag has been set in any of the Router Advertisements from which
+ the prefix information has been learned (including the ones sent
+ by this home agent).
+
+10.6.4. Lifetimes for Changed Prefixes
+
+ As described in Section 10.3.1, the lifetime returned by the home
+ agent in a Binding Acknowledgement MUST not be greater than the
+ remaining valid lifetime for the subnet prefix in the mobile node's
+ home address. This limit on the binding lifetime serves to prohibit
+ use of a mobile node's home address after it becomes invalid.
+
+11. Mobile Node Operation
+
+11.1. Conceptual Data Structures
+
+ Each mobile node MUST maintain a Binding Update List.
+
+ The Binding Update List records information for each Binding Update
+ sent by this mobile node, in which the lifetime of the binding has
+ not yet expired. The Binding Update List includes all bindings sent
+ by the mobile node either to its home agent or correspondent nodes.
+ It also contains Binding Updates which are waiting for the completion
+ of the return routability procedure before they can be sent.
+ However, for multiple Binding Updates sent to the same destination
+ address, the Binding Update List contains only the most recent
+ Binding Update (i.e., with the greatest Sequence Number value) sent
+ to that destination. The Binding Update List MAY be implemented in
+
+
+
+Johnson, et al. Standard Track [Page 105]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ any manner consistent with the external behavior described in this
+ document.
+
+ Each Binding Update List entry conceptually contains the following
+ fields:
+
+ o The IP address of the node to which a Binding Update was sent.
+
+ o The home address for which that Binding Update was sent.
+
+ o The care-of address sent in that Binding Update. This value is
+ necessary for the mobile node to determine if it has sent a
+ Binding Update while giving its new care-of address to this
+ destination after changing its care-of address.
+
+ o The initial value of the Lifetime field sent in that Binding
+ Update.
+
+ o The remaining lifetime of that binding. This lifetime is
+ initialized from the Lifetime value sent in the Binding Update and
+ is decremented until it reaches zero, at which time this entry
+ MUST be deleted from the Binding Update List.
+
+ o The maximum value of the Sequence Number field sent in previous
+ Binding Updates to this destination. The Sequence Number field is
+ 16 bits long and all comparisons between Sequence Number values
+ MUST be performed modulo 2**16 (see Section 9.5.1).
+
+ o The time at which a Binding Update was last sent to this
+ destination, as needed to implement the rate limiting restriction
+ for sending Binding Updates.
+
+ o The state of any retransmissions needed for this Binding Update.
+ This state includes the time remaining until the next
+ retransmission attempt for the Binding Update and the current
+ state of the exponential back-off mechanism for retransmissions.
+
+ o A flag specifying whether or not future Binding Updates should be
+ sent to this destination. The mobile node sets this flag in the
+ Binding Update List entry when it receives an ICMP Parameter
+ Problem, Code 1, error message in response to a return routability
+ message or Binding Update sent to that destination, as described
+ in Section 11.3.5.
+
+ The Binding Update List is used to determine whether a particular
+ packet is sent directly to the correspondent node or tunneled via the
+ home agent (see Section 11.3.1).
+
+
+
+
+Johnson, et al. Standard Track [Page 106]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The Binding Update list also conceptually contains the following data
+ related to running the return routability procedure. This data is
+ relevant only for Binding Updates sent to correspondent nodes.
+
+ o The time at which a Home Test Init or Care-of Test Init message
+ was last sent to this destination, as needed to implement the rate
+ limiting restriction for the return routability procedure.
+
+ o The state of any retransmissions needed for this return
+ routability procedure. This state includes the time remaining
+ until the next retransmission attempt and the current state of the
+ exponential back-off mechanism for retransmissions.
+
+ o Cookie values used in the Home Test Init and Care-of Test Init
+ messages.
+
+ o Home and care-of keygen tokens received from the correspondent
+ node.
+
+ o Home and care-of nonce indices received from the correspondent
+ node.
+
+ o The time at which each of the tokens and nonces were received from
+ the correspondent node, as needed to implement reuse while moving.
+
+11.2. Processing Mobility Headers
+
+ All IPv6 mobile nodes MUST observe the rules described in Section 9.2
+ when processing Mobility Headers.
+
+11.3. Packet Processing
+
+11.3.1. Sending Packets While Away from Home
+
+ While a mobile node is away from home, it continues to use its home
+ address, as well as also using one or more care-of addresses. When
+ sending a packet while away from home, a mobile node MAY choose among
+ these in selecting the address that it will use as the source of the
+ packet, as follows:
+
+ o Protocols layered over IP will generally treat the mobile node's
+ home address as its IP address for most packets. For packets sent
+ that are part of transport-level connections established while the
+ mobile node was at home, the mobile node MUST use its home
+ address. Likewise, for packets sent that are part of transport-
+ level connections that the mobile node may still be using after
+ moving to a new location, the mobile node SHOULD use its home
+ address in this way. If a binding exists, the mobile node SHOULD
+
+
+
+Johnson, et al. Standard Track [Page 107]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ send the packets directly to the correspondent node. Otherwise,
+ if a binding does not exist, the mobile node MUST use reverse
+ tunneling.
+
+ o The mobile node MAY choose to directly use one of its care-of
+ addresses as the source of the packet, not requiring the use of a
+ Home Address option in the packet. This is particularly useful
+ for short-term communication that may easily be retried if it
+ fails. Using the mobile node's care-of address as the source for
+ such queries will generally have a lower overhead than using the
+ mobile node's home address, since no extra options need be used in
+ either the query or its reply. Such packets can be routed
+ normally, directly between their source and destination without
+ relying on Mobile IPv6. If application running on the mobile node
+ has no particular knowledge that the communication being sent fits
+ within this general type of communication, however, the mobile
+ node should not use its care-of address as the source of the
+ packet in this way.
+
+ The choice of the most efficient communications method is
+ application specific, and outside the scope of this specification.
+ The APIs necessary for controlling the choice are also out of
+ scope.
+
+ o While not at its home link, the mobile node MUST NOT use the Home
+ Address destination option when communicating with link-local or
+ site-local peers, if the scope of the home address is larger than
+ the scope of the peer's address.
+
+ Similarly, the mobile node MUST NOT use the Home Address
+ destination option for IPv6 Neighbor Discovery [12] packets.
+
+ Detailed operation of these cases is described later in this section
+ and also discussed in [31].
+
+ For packets sent by a mobile node while it is at home, no special
+ Mobile IPv6 processing is required. Likewise, if the mobile node
+ uses any address other than one of its home addresses as the source
+ of a packet sent while away from home, no special Mobile IPv6
+ processing is required. In either case, the packet is simply
+ addressed and transmitted in the same way as any normal IPv6 packet.
+
+ For packets sent by the mobile node sent while away from home using
+ the mobile node's home address as the source, special Mobile IPv6
+ processing of the packet is required. This can be done in the
+ following two ways:
+
+
+
+
+
+Johnson, et al. Standard Track [Page 108]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Route Optimization
+
+ This manner of delivering packets does not require going through the
+ home network, and typically will enable faster and more reliable
+ transmission.
+
+ The mobile node needs to ensure that a Binding Cache entry exists for
+ its home address so that the correspondent node can process the
+ packet (Section 9.3.1 specifies the rules for Home Address
+ Destination Option Processing at a correspondent node). The mobile
+ node SHOULD examine its Binding Update List for an entry which
+ fulfills the following conditions:
+
+ * The Source Address field of the packet being sent is equal to the
+ home address in the entry.
+
+ * The Destination Address field of the packet being sent is equal to
+ the address of the correspondent node in the entry.
+
+ * One of the current care-of addresses of the mobile node appears as
+ the care-of address in the entry.
+
+ * The entry indicates that a binding has been successfully created.
+
+ * The remaining lifetime of the binding is greater than zero.
+
+ When these conditions are met, the mobile node knows that the
+ correspondent node has a suitable Binding Cache entry.
+
+ A mobile node SHOULD arrange to supply the home address in a Home
+ Address option, and MUST set the IPv6 header's Source Address field
+ to the care-of address which the mobile node has registered to be
+ used with this correspondent node. The correspondent node will then
+ use the address supplied in the Home Address option to serve the
+ function traditionally done by the Source IP address in the IPv6
+ header. The mobile node's home address is then supplied to higher
+ protocol layers and applications.
+
+ Specifically:
+
+ * Construct the packet using the mobile node's home address as the
+ packet's Source Address, in the same way as if the mobile node
+ were at home. This includes the calculation of upper layer
+ checksums using the home address as the value of the source.
+
+ * Insert a Home Address option into the packet with the Home Address
+ field copied from the original value of the Source Address field
+ in the packet.
+
+
+
+Johnson, et al. Standard Track [Page 109]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ * Change the Source Address field in the packet's IPv6 header to one
+ of the mobile node's care-of addresses. This will typically be
+ the mobile node's current primary care-of address, but MUST be an
+ address assigned to the interface on the link being used.
+
+ By using the care-of address as the Source Address in the IPv6
+ header, with the mobile node's home address instead in the Home
+ Address option, the packet will be able to safely pass through any
+ router implementing ingress filtering [26].
+
+ Reverse Tunneling
+
+ This is the mechanism which tunnels the packets via the home
+ agent. It is not as efficient as the above mechanism, but is
+ needed if there is no binding yet with the correspondent node.
+
+ This mechanism is used for packets that have the mobile node's
+ home address as the Source Address in the IPv6 header, or with
+ multicast control protocol packets as described in Section 11.3.4.
+ Specifically:
+
+ * The packet is sent to the home agent using IPv6 encapsulation
+ [15].
+
+ * The Source Address in the tunnel packet is the primary care-of
+ address as registered with the home agent.
+
+ * The Destination Address in the tunnel packet is the home
+ agent's address.
+
+ Then, the home agent will pass the encapsulated packet to the
+ correspondent node.
+
+11.3.2. Interaction with Outbound IPsec Processing
+
+ This section sketches the interaction between outbound Mobile IPv6
+ processing and outbound IP Security (IPsec) processing for packets
+ sent by a mobile node while away from home. Any specific
+ implementation MAY use algorithms and data structures other than
+ those suggested here, but its processing MUST be consistent with the
+ effect of the operation described here and with the relevant IPsec
+ specifications. In the steps described below, it is assumed that
+ IPsec is being used in transport mode [4] and that the mobile node is
+ using its home address as the source for the packet (from the point
+ of view of higher protocol layers or applications, as described in
+ Section 11.3.1):
+
+
+
+
+
+Johnson, et al. Standard Track [Page 110]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The packet is created by higher layer protocols and applications
+ (e.g., by TCP) as if the mobile node were at home and Mobile IPv6
+ were not being used.
+
+ o Determine the outgoing interface for the packet. (Note that the
+ selection between reverse tunneling and route optimization may
+ imply different interfaces, particularly if tunnels are considered
+ interfaces as well.)
+
+ o As part of outbound packet processing in IP, the packet is
+ compared against the IPsec security policy database to determine
+ what processing is required for the packet [4].
+
+ o If IPsec processing is required, the packet is either mapped to an
+ existing Security Association (or SA bundle), or a new SA (or SA
+ bundle) is created for the packet, according to the procedures
+ defined for IPsec.
+
+ o Since the mobile node is away from home, the mobile is either
+ using reverse tunneling or route optimization to reach the
+ correspondent node.
+
+ If reverse tunneling is used, the packet is constructed in the
+ normal manner and then tunneled through the home agent.
+
+ If route optimization is in use, the mobile node inserts a Home
+ Address destination option into the packet, replacing the Source
+ Address in the packet's IP header with the care-of address used
+ with this correspondent node, as described in Section 11.3.1. The
+ Destination Options header in which the Home Address destination
+ option is inserted MUST appear in the packet after the routing
+ header, if present, and before the IPsec (AH [5] or ESP [6])
+ header, so that the Home Address destination option is processed
+ by the destination node before the IPsec header is processed.
+
+ Finally, once the packet is fully assembled, the necessary IPsec
+ authentication (and encryption, if required) processing is
+ performed on the packet, initializing the Authentication Data in
+ the IPsec header.
+
+ RFC 2402 treatment of destination options is extended as follows.
+ The AH authentication data MUST be calculated as if the following
+ were true:
+
+ * the IPv6 source address in the IPv6 header contains the mobile
+ node's home address,
+
+
+
+
+
+Johnson, et al. Standard Track [Page 111]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ * the Home Address field of the Home Address destination option
+ (Section 6.3) contains the new care-of address.
+
+ o This allows, but does not require, the receiver of the packet
+ containing a Home Address destination option to exchange the two
+ fields of the incoming packet to reach the above situation,
+ simplifying processing for all subsequent packet headers.
+ However, such an exchange is not required, as long as the result
+ of the authentication calculation remains the same.
+
+ When an automated key management protocol is used to create new
+ security associations for a peer, it is important to ensure that the
+ peer can send the key management protocol packets to the mobile node.
+ This may not be possible if the peer is the home agent of the mobile
+ node and the purpose of the security associations would be to send a
+ Binding Update to the home agent. Packets addressed to the home
+ address of the mobile node cannot be used before the Binding Update
+ has been processed. For the default case of using IKE [9] as the
+ automated key management protocol, such problems can be avoided by
+ the following requirements when communicating with its home agent:
+
+ o When the mobile node is away from home, it MUST use its care-of
+ address as the Source Address of all packets it sends as part of
+ the key management protocol (without use of Mobile IPv6 for these
+ packets, as suggested in Section 11.3.1).
+
+ o In addition, for all security associations bound to the mobile
+ node's home address established by IKE, the mobile node MUST
+ include an ISAKMP Identification Payload [8] in the IKE phase 2
+ exchange, giving the mobile node's home address as the initiator
+ of the Security Association [7].
+
+ The Key Management Mobility Capability (K) bit in Binding Updates and
+ Acknowledgements can be used to avoid the need to rerun IKE upon
+ movements.
+
+11.3.3. Receiving Packets While Away from Home
+
+ While away from home, a mobile node will receive packets addressed to
+ its home address, by one of two methods:
+
+ o Packets sent by a correspondent node, that does not have a Binding
+ Cache entry for the mobile node, will be sent to the home address,
+ captured by the home agent and tunneled to the mobile node.
+
+ o Packets sent by a correspondent node that has a Binding Cache
+ entry for the mobile node that contains the mobile node's current
+ care-of address, will be sent by the correspondent node using a
+
+
+
+Johnson, et al. Standard Track [Page 112]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ type 2 routing header. The packet will be addressed to the mobile
+ node's care-of address, with the final hop in the routing header
+ directing the packet to the mobile node's home address; the
+ processing of this last hop of the routing header is entirely
+ internal to the mobile node, since the care-of address and home
+ address are both addresses within the mobile node.
+
+ For packets received by the first method, the mobile node MUST check
+ that the IPv6 source address of the tunneled packet is the IP address
+ of its home agent. In this method, the mobile node may also send a
+ Binding Update to the original sender of the packet as described in
+ Section 11.7.2 and subject to the rate limiting defined in Section
+ 11.8. The mobile node MUST also process the received packet in the
+ manner defined for IPv6 encapsulation [15], which will result in the
+ encapsulated (inner) packet being processed normally by upper-layer
+ protocols within the mobile node as if it had been addressed (only)
+ to the mobile node's home address.
+
+ For packets received by the second method, the following rules will
+ result in the packet being processed normally by upper-layer
+ protocols within the mobile node as if it had been addressed to the
+ mobile node's home address.
+
+ A node receiving a packet addressed to itself (i.e., one of the
+ node's addresses is in the IPv6 destination field) follows the next
+ header chain of headers and processes them. When it encounters a
+ type 2 routing header during this processing, it performs the
+ following checks. If any of these checks fail, the node MUST
+ silently discard the packet.
+
+ o The length field in the routing header is exactly 2.
+
+ o The segments left field in the routing header is 1 on the wire.
+ (But implementations may process the routing header so that the
+ value may become 0 after the routing header has been processed,
+ but before the rest of the packet is processed.)
+
+ o The Home Address field in the routing header is one of the node's
+ home addresses, if the segments left field was 1. Thus, in
+ particular the address field is required to be a unicast routable
+ address.
+
+ Once the above checks have been performed, the node swaps the IPv6
+ destination field with the Home Address field in the routing header,
+ decrements segments left by one from the value it had on the wire,
+ and resubmits the packet to IP for processing the next header.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 113]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Conceptually, this follows the same model as in RFC 2460. However,
+ in the case of type 2 routing header this can be simplified since it
+ is known that the packet will not be forwarded to a different node.
+
+ The definition of AH requires the sender to calculate the AH
+ integrity check value of a routing header in the same way it appears
+ in the receiver after it has processed the header. Since IPsec
+ headers follow the routing header, any IPsec processing will operate
+ on the packet with the home address in the IP destination field and
+ segments left being zero. Thus, the AH calculations at the sender
+ and receiver will have an identical view of the packet.
+
+11.3.4. Routing Multicast Packets
+
+ A mobile node that is connected to its home link functions in the
+ same way as any other (stationary) node. Thus, when it is at home, a
+ mobile node functions identically to other multicast senders and
+ receivers. Therefore, this section describes the behavior of a
+ mobile node that is not on its home link.
+
+ In order to receive packets sent to some multicast group, a mobile
+ node must join that multicast group. One method, in which a mobile
+ node MAY join the group, is via a (local) multicast router on the
+ foreign link being visited. In this case, the mobile node MUST use
+ its care-of address and MUST NOT use the Home Address destination
+ option when sending MLD packets [17].
+
+ Alternatively, a mobile node MAY join multicast groups via a bi-
+ directional tunnel to its home agent. The mobile node tunnels its
+ multicast group membership control packets (such as those defined in
+ [17] or in [37]) to its home agent, and the home agent forwards
+ multicast packets down the tunnel to the mobile node. A mobile node
+ MUST NOT tunnel multicast group membership control packets until (1)
+ the mobile node has a binding in place at the home agent, and (2) the
+ latter sends at least one multicast group membership control packet
+ via the tunnel. Once this condition is true, the mobile node SHOULD
+ assume it does not change as long as the binding does not expire.
+
+ A mobile node that wishes to send packets to a multicast group also
+ has two options:
+
+ 1. Send directly on the foreign link being visited.
+
+ The application is aware of the care-of address and uses it as a
+ source address for multicast traffic, just like it would use a
+ stationary address. The mobile node MUST NOT use Home Address
+ destination option in such traffic.
+
+
+
+
+Johnson, et al. Standard Track [Page 114]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ 2. Send via a tunnel to its home agent.
+
+ Because multicast routing in general depends upon the Source
+ Address used in the IPv6 header of the multicast packet, a mobile
+ node that tunnels a multicast packet to its home agent MUST use
+ its home address as the IPv6 Source Address of the inner
+ multicast packet.
+
+ Note that direct sending from the foreign link is only applicable
+ while the mobile node is at that foreign link. This is because the
+ associated multicast tree is specific to that source location and any
+ change of location and source address will invalidate the source
+ specific tree or branch and the application context of the other
+ multicast group members.
+
+ This specification does not provide mechanisms to enable such local
+ multicast session to survive hand-off and to seamlessly continue from
+ a new care-of address on each new foreign link. Any such mechanism,
+ developed as an extension to this specification, needs to take into
+ account the impact of fast moving mobile nodes on the Internet
+ multicast routing protocols and their ability to maintain the
+ integrity of source specific multicast trees and branches.
+
+ While the use of bidirectional tunneling can ensure that multicast
+ trees are independent of the mobile nodes movement, in some case such
+ tunneling can have adverse affects. The latency of specific types of
+ multicast applications (such as multicast based discovery protocols)
+ will be affected when the round-trip time between the foreign subnet
+ and the home agent is significant compared to that of the topology to
+ be discovered. In addition, the delivery tree from the home agent in
+ such circumstances relies on unicast encapsulation from the agent to
+ the mobile node. Therefore, bandwidth usage is inefficient compared
+ to the native multicast forwarding in the foreign multicast system.
+
+11.3.5. Receiving ICMP Error Messages
+
+ Any node that does not recognize the Mobility header will return an
+ ICMP Parameter Problem, Code 1, message to the sender of the packet.
+ If the mobile node receives such an ICMP error message in response to
+ a return routability procedure or Binding Update, it SHOULD record in
+ its Binding Update List that future Binding Updates SHOULD NOT be
+ sent to this destination. Such Binding Update List entries SHOULD be
+ removed after a period of time in order to allow for retrying route
+ optimization.
+
+ New Binding Update List entries MUST NOT be created as a result of
+ receiving ICMP error messages.
+
+
+
+
+Johnson, et al. Standard Track [Page 115]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Correspondent nodes that have participated in the return routability
+ procedure MUST implement the ability to correctly process received
+ packets containing a Home Address destination option. Therefore,
+ correctly implemented correspondent nodes should always be able to
+ recognize Home Address options. If a mobile node receives an ICMP
+ Parameter Problem, Code 2, message from some node indicating that it
+ does not support the Home Address option, the mobile node SHOULD log
+ the error and then discard the ICMP message.
+
+11.3.6. Receiving Binding Error Messages
+
+ When a mobile node receives a packet containing a Binding Error
+ message, it should first check if the mobile node has a Binding
+ Update List entry for the source of the Binding Error message. If
+ the mobile node does not have such an entry, it MUST ignore the
+ message. This is necessary to prevent a waste of resources on, e.g.,
+ return routability procedure due to spoofed Binding Error messages.
+
+ Otherwise, if the message Status field was 1 (unknown binding for
+ Home Address destination option), the mobile node should perform one
+ of the following two actions:
+
+ o If the mobile node has recent upper layer progress information,
+ which indicates that communications with the correspondent node
+ are progressing, it MAY ignore the message. This can be done in
+ order to limit the damage that spoofed Binding Error messages can
+ cause to ongoing communications.
+
+ o If the mobile node has no upper layer progress information, it
+ MUST remove the entry and route further communications through the
+ home agent. It MAY also optionally start a return routability
+ procedure (see Section 5.2).
+
+ If the message Status field was 2 (unrecognized MH Type value), the
+ mobile node should perform one of the following two actions:
+
+ o If the mobile node is not expecting an acknowledgement or response
+ from the correspondent node, the mobile node SHOULD ignore this
+ message.
+
+ o Otherwise, the mobile node SHOULD cease the use of any extensions
+ to this specification. If no extensions had been used, the mobile
+ node should cease the attempt to use route optimization.
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 116]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+11.4. Home Agent and Prefix Management
+
+11.4.1. Dynamic Home Agent Address Discovery
+
+ Sometimes when the mobile node needs to send a Binding Update to its
+ home agent to register its new primary care-of address, as described
+ in Section 11.7.1, the mobile node may not know the address of any
+ router on its home link that can serve as a home agent for it. For
+ example, some nodes on its home link may have been reconfigured while
+ the mobile node has been away from home, such that the router that
+ was operating as the mobile node's home agent has been replaced by a
+ different router serving this role.
+
+ In this case, the mobile node MAY attempt to discover the address of
+ a suitable home agent on its home link. To do so, the mobile node
+ sends an ICMP Home Agent Address Discovery Request message to the
+ Mobile IPv6 Home-Agents anycast address [16] for its home subnet
+ prefix. As described in Section 10.5, the home agent on its home
+ link that receives this Request message will return an ICMP Home
+ Agent Address Discovery Reply message. This message gives the
+ addresses for the home agents operating on the home link.
+
+ The mobile node, upon receiving this Home Agent Address Discovery
+ Reply message, MAY then send its home registration Binding Update to
+ any of the unicast IP addresses listed in the Home Agent Addresses
+ field in the Reply. For example, the mobile node MAY attempt its
+ home registration to each of these addresses, in turn, until its
+ registration is accepted. The mobile node sends a Binding Update to
+ an address and waits for the matching Binding Acknowledgement, moving
+ on to the next address if there is no response. The mobile node
+ MUST, however, wait at least InitialBindackTimeoutFirstReg seconds
+ (see Section 13) before sending a Binding Update to the next home
+ agent. In trying each of the returned home agent addresses, the
+ mobile node SHOULD try each of them in the order they appear in the
+ Home Agent Addresses field in the received Home Agent Address
+ Discovery Reply message.
+
+ If the mobile node has a current registration with some home agent
+ (the Lifetime for that registration has not yet expired), then the
+ mobile node MUST attempt any new registration first with that home
+ agent. If that registration attempt fails (e.g., timed out or
+ rejected), the mobile node SHOULD then reattempt this registration
+ with another home agent. If the mobile node knows of no other
+ suitable home agent, then it MAY attempt the dynamic home agent
+ address discovery mechanism described above.
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 117]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ If, after a mobile node transmits a Home Agent Address Discovery
+ Request message to the Home Agents Anycast address, it does not
+ receive a corresponding Home Agent Address Discovery Reply message
+ within INITIAL_DHAAD_TIMEOUT (see Section 12) seconds, the mobile
+ node MAY retransmit the same Request message to the same anycast
+ address. This retransmission MAY be repeated up to a maximum of
+ DHAAD_RETRIES (see Section 12) attempts. Each retransmission MUST be
+ delayed by twice the time interval of the previous retransmission.
+
+11.4.2. Sending Mobile Prefix Solicitations
+
+ When a mobile node has a home address that is about to become
+ invalid, it SHOULD send a Mobile Prefix Solicitation to its home
+ agent in an attempt to acquire fresh routing prefix information. The
+ new information also enables the mobile node to participate in
+ renumbering operations affecting the home network, as described in
+ Section 10.6.
+
+ The mobile node MUST use the Home Address destination option to carry
+ its home address. The mobile node MUST support and SHOULD use IPsec
+ to protect the solicitation. The mobile node MUST set the Identifier
+ field in the ICMP header to a random value.
+
+ As described in Section 11.7.2, Binding Updates sent by the mobile
+ node to other nodes MUST use a lifetime no greater than the remaining
+ lifetime of its home registration of its primary care-of address.
+ The mobile node SHOULD further limit the lifetimes that it sends on
+ any Binding Updates to be within the remaining valid lifetime (see
+ Section 10.6.2) for the prefix in its home address.
+
+ When the lifetime for a changed prefix decreases, and the change
+ would cause cached bindings at correspondent nodes in the Binding
+ Update List to be stored past the newly shortened lifetime, the
+ mobile node MUST issue a Binding Update to all such correspondent
+ nodes.
+
+ These limits on the binding lifetime serve to prohibit use of a
+ mobile node's home address after it becomes invalid.
+
+11.4.3. Receiving Mobile Prefix Advertisements
+
+ Section 10.6 describes the operation of a home agent to support boot
+ time configuration and renumbering a mobile node's home subnet while
+ the mobile node is away from home. The home agent sends Mobile
+ Prefix Advertisements to the mobile node while away from home, giving
+ "important" Prefix Information options that describe changes in the
+ prefixes in use on the mobile node's home link.
+
+
+
+
+Johnson, et al. Standard Track [Page 118]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The Mobile Prefix Solicitation is similar to the Router Solicitation
+ used in Neighbor Discovery [12], except it is routed from the mobile
+ node on the visited network to the home agent on the home network by
+ usual unicast routing rules.
+
+ When a mobile node receives a Mobile Prefix Advertisement, it MUST
+ validate it according to the following test:
+
+ o The Source Address of the IP packet carrying the Mobile Prefix
+ Advertisement is the same as the home agent address to which the
+ mobile node last sent an accepted home registration Binding Update
+ to register its primary care-of address. Otherwise, if no such
+ registrations have been made, it SHOULD be the mobile node's
+ stored home agent address, if one exists. Otherwise, if the
+ mobile node has not yet discovered its home agent's address, it
+ MUST NOT accept Mobile Prefix Advertisements.
+
+ o The packet MUST have a type 2 routing header and SHOULD be
+ protected by an IPsec header as described in Section 5.4 and
+ Section 6.8.
+
+ o If the ICMP Identifier value matches the ICMP Identifier value of
+ the most recently sent Mobile Prefix Solicitation and no other
+ advertisement has yet been received for this value, then the
+ advertisement is considered to be solicited and will be processed
+ further.
+
+ Otherwise, the advertisement is unsolicited, and MUST be
+ discarded. In this case the mobile node SHOULD send a Mobile
+ Prefix Solicitation.
+
+ Any received Mobile Prefix Advertisement not meeting these tests MUST
+ be silently discarded.
+
+ For an accepted Mobile Prefix Advertisement, the mobile node MUST
+ process Managed Address Configuration (M), Other Stateful
+ Configuration (O), and the Prefix Information Options as if they
+ arrived in a Router Advertisement [12] on the mobile node's home
+ link. (This specification does not, however, describe how to acquire
+ home addresses through stateful protocols.) Such processing may
+ result in the mobile node configuring a new home address, although
+ due to separation between preferred lifetime and valid lifetime, such
+ changes should not affect most communications by the mobile node, in
+ the same way as for nodes that are at home.
+
+ This specification assumes that any security associations and
+ security policy entries that may be needed for new prefixes have been
+ pre-configured in the mobile node. Note that while dynamic key
+
+
+
+Johnson, et al. Standard Track [Page 119]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ management avoids the need to create new security associations, it is
+ still necessary to add policy entries to protect the communications
+ involving the home address(es). Mechanisms for automatic set-up of
+ these entries are outside the scope of this specification.
+
+11.5. Movement
+
+11.5.1. Movement Detection
+
+ The primary goal of movement detection is to detect L3 handovers.
+ This section does not attempt to specify a fast movement detection
+ algorithm which will function optimally for all types of
+ applications, link-layers and deployment scenarios; instead, it
+ describes a generic method that uses the facilities of IPv6 Neighbor
+ Discovery, including Router Discovery and Neighbor Unreachability
+ Detection. At the time of this writing, this method is considered
+ well enough understood to recommend for standardization, however it
+ is expected that future versions of this specification or other
+ specifications may contain updated versions of the movement detection
+ algorithm that have better performance.
+
+ Generic movement detection uses Neighbor Unreachability Detection to
+ detect when the default router is no longer bi-directionally
+ reachable, in which case the mobile node must discover a new default
+ router (usually on a new link). However, this detection only occurs
+ when the mobile node has packets to send, and in the absence of
+ frequent Router Advertisements or indications from the link-layer,
+ the mobile node might become unaware of an L3 handover that occurred.
+ Therefore, the mobile node should supplement this method with other
+ information whenever it is available to the mobile node (e.g., from
+ lower protocol layers).
+
+ When the mobile node detects an L3 handover, it performs Duplicate
+ Address Detection [13] on its link-local address, selects a new
+ default router as a consequence of Router Discovery, and then
+ performs Prefix Discovery with that new router to form new care-of
+ address(es) as described in Section 11.5.2. It then registers its
+ new primary care-of address with its home agent as described in
+ Section 11.7.1. After updating its home registration, the mobile
+ node then updates associated mobility bindings in correspondent nodes
+ that it is performing route optimization with as specified in Section
+ 11.7.2.
+
+ Due to the temporary packet flow disruption and signaling overhead
+ involved in updating mobility bindings, the mobile node should avoid
+ performing an L3 handover until it is strictly necessary.
+ Specifically, when the mobile node receives a Router Advertisement
+ from a new router that contains a different set of on-link prefixes,
+
+
+
+Johnson, et al. Standard Track [Page 120]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ if the mobile node detects that the currently selected default router
+ on the old link is still bi-directionally reachable, it should
+ generally continue to use the old router on the old link rather than
+ switch away from it to use a new default router.
+
+ Mobile nodes can use the information in received Router
+ Advertisements to detect L3 handovers. In doing so the mobile node
+ needs to consider the following issues:
+
+ o There might be multiple routers on the same link, thus hearing a
+ new router does not necessarily constitute an L3 handover.
+
+ o When there are multiple routers on the same link they might
+ advertise different prefixes. Thus even hearing a new router with
+ a new prefix might not be a reliable indication of an L3 handover.
+
+ o The link-local addresses of routers are not globally unique, hence
+ after completing an L3 handover the mobile node might continue to
+ receive Router Advertisements with the same link-local source
+ address. This might be common if routers use the same link-local
+ address on multiple interfaces. This issue can be avoided when
+ routers use the Router Address (R) bit, since that provides a
+ global address of the router.
+
+ In addition, the mobile node should consider the following events as
+ indications that an L3 handover may have occurred. Upon receiving
+ such indications, the mobile node needs to perform Router Discovery
+ to discover routers and prefixes on the new link, as described in
+ Section 6.3.7 of RFC 2461 [12].
+
+ o If Router Advertisements that the mobile node receives include an
+ Advertisement Interval option, the mobile node may use its
+ Advertisement Interval field as an indication of the frequency
+ with which it should expect to continue to receive future
+ Advertisements from that router. This field specifies the minimum
+ rate (the maximum amount of time between successive
+ Advertisements) that the mobile node should expect. If this
+ amount of time elapses without the mobile node receiving any
+ Advertisement from this router, the mobile node can be sure that
+ at least one Advertisement sent by the router has been lost. The
+ mobile node can then implement its own policy to determine how
+ many lost Advertisements from its current default router
+ constitute an L3 handover indication.
+
+ o Neighbor Unreachability Detection determines that the default
+ router is no longer reachable.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 121]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o With some types of networks, notification that an L2 handover has
+ occurred might be obtained from lower layer protocols or device
+ driver software within the mobile node. While further details
+ around handling L2 indications as movement hints is an item for
+ further study, at the time of writing this specification the
+ following is considered reasonable:
+
+ An L2 handover indication may or may not imply L2 movement and L2
+ movement may or may not imply L3 movement; the correlations might
+ be a function of the type of L2 but might also be a function of
+ actual deployment of the wireless topology.
+
+ Unless it is well-known that an L2 handover indication is likely
+ to imply L3 movement, instead of immediately multicasting a router
+ solicitation it may be better to attempt to verify whether the
+ default router is still bi-directionally reachable. This can be
+ accomplished by sending a unicast Neighbor Solicitation and
+ waiting for a Neighbor Advertisement with the solicited flag set.
+ Note that this is similar to Neighbor Unreachability detection but
+ it does not have the same state machine, such as the STALE state.
+
+ If the default router does not respond to the Neighbor
+ Solicitation it makes sense to proceed to multicasting a Router
+ Solicitation.
+
+11.5.2. Forming New Care-of Addresses
+
+ After detecting that it has moved a mobile node SHOULD generate a new
+ primary care-of address using normal IPv6 mechanisms. This SHOULD
+ also be done when the current primary care-of address becomes
+ deprecated. A mobile node MAY form a new primary care-of address at
+ any time, but a mobile node MUST NOT send a Binding Update about a
+ new care-of address to its home agent more than MAX_UPDATE_RATE times
+ within a second.
+
+ In addition, a mobile node MAY form new non-primary care-of addresses
+ even when it has not switched to a new default router. A mobile node
+ can have only one primary care-of address at a time (which is
+ registered with its home agent), but it MAY have an additional care-
+ of address for any or all of the prefixes on its current link.
+ Furthermore, since a wireless network interface may actually allow a
+ mobile node to be reachable on more than one link at a time (i.e.,
+ within wireless transmitter range of routers on more than one
+ separate link), a mobile node MAY have care-of addresses on more than
+ one link at a time. The use of more than one care-of address at a
+ time is described in Section 11.5.3.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 122]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ As described in Section 4, in order to form a new care-of address, a
+ mobile node MAY use either stateless [13] or stateful (e.g., DHCPv6
+ [29]) Address Autoconfiguration. If a mobile node needs to use a
+ source address (other than the unspecified address) in packets sent
+ as a part of address autoconfiguration, it MUST use an IPv6 link-
+ local address rather than its own IPv6 home address.
+
+ RFC 2462 [13] specifies that in normal processing for Duplicate
+ Address Detection, the node SHOULD delay sending the initial Neighbor
+ Solicitation message by a random delay between 0 and
+ MAX_RTR_SOLICITATION_DELAY. Since delaying DAD can result in
+ significant delays in configuring a new care-of address when the
+ Mobile Node moves to a new link, the Mobile Node preferably SHOULD
+ NOT delay DAD when configuring a new care-of address. The Mobile
+ Node SHOULD delay according to the mechanisms specified in RFC 2462
+ unless the implementation has a behavior that desynchronizes the
+ steps that happen before the DAD in the case that multiple nodes
+ experience handover at the same time. Such desynchronizing behaviors
+ might be due to random delays in the L2 protocols or device drivers,
+ or due to the movement detection mechanism that is used.
+
+11.5.3. Using Multiple Care-of Addresses
+
+ As described in Section 11.5.2, a mobile node MAY use more than one
+ care-of address at a time. Particularly in the case of many wireless
+ networks, a mobile node effectively might be reachable through
+ multiple links at the same time (e.g., with overlapping wireless
+ cells), on which different on-link subnet prefixes may exist. The
+ mobile node MUST ensure that its primary care-of address always has a
+ prefix that is advertised by its current default router. After
+ selecting a new primary care-of address, the mobile node MUST send a
+ Binding Update containing that care-of address to its home agent.
+ The Binding Update MUST have the Home Registration (H) and
+ Acknowledge (A) bits set its home agent, as described on Section
+ 11.7.1.
+
+ To assist with smooth handovers, a mobile node SHOULD retain its
+ previous primary care-of address as a (non-primary) care-of address,
+ and SHOULD still accept packets at this address, even after
+ registering its new primary care-of address with its home agent.
+ This is reasonable, since the mobile node could only receive packets
+ at its previous primary care-of address if it were indeed still
+ connected to that link. If the previous primary care-of address was
+ allocated using stateful Address Autoconfiguration [29], the mobile
+ node may not wish to release the address immediately upon switching
+ to a new primary care-of address.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 123]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Whenever a mobile node determines that it is no longer reachable
+ through a given link, it SHOULD invalidate all care-of addresses
+ associated with address prefixes that it discovered from routers on
+ the unreachable link which are not in the current set of address
+ prefixes advertised by the (possibly new) current default router.
+
+11.5.4. Returning Home
+
+ A mobile node detects that it has returned to its home link through
+ the movement detection algorithm in use (Section 11.5.1), when the
+ mobile node detects that its home subnet prefix is again on-link.
+ The mobile node SHOULD then send a Binding Update to its home agent,
+ to instruct its home agent to no longer intercept or tunnel packets
+ for it. In this home registration, the mobile node MUST set the
+ Acknowledge (A) and Home Registration (H) bits, set the Lifetime
+ field to zero, and set the care-of address for the binding to the
+ mobile node's own home address. The mobile node MUST use its home
+ address as the source address in the Binding Update.
+
+ When sending this Binding Update to its home agent, the mobile node
+ must be careful in how it uses Neighbor Solicitation [12] (if needed)
+ to learn the home agent's link-layer address, since the home agent
+ will be currently configured to intercept packets to the mobile
+ node's home address using Duplicate Address Detection (DAD). In
+ particular, the mobile node is unable to use its home address as the
+ Source Address in the Neighbor Solicitation until the home agent
+ stops defending the home address.
+
+ Neighbor Solicitation by the mobile node for the home agent's address
+ will normally not be necessary, since the mobile node has already
+ learned the home agent's link-layer address from a Source Link-Layer
+ Address option in a Router Advertisement. However, if there are
+ multiple home agents it may still be necessary to send a
+ solicitation. In this special case of the mobile node returning
+ home, the mobile node MUST multicast the packet, and in addition set
+ the Source Address of this Neighbor Solicitation to the unspecified
+ address (0:0:0:0:0:0:0:0). The target of the Neighbor Solicitation
+ MUST be set to the mobile node's home address. The destination IP
+ address MUST be set to the Solicited-Node multicast address [3]. The
+ home agent will send a multicast Neighbor Advertisement back to the
+ mobile node with the Solicited flag (S) set to zero. In any case,
+ the mobile node SHOULD record the information from the Source Link-
+ Layer Address option or from the advertisement, and set the state of
+ the Neighbor Cache entry for the home agent to REACHABLE.
+
+ The mobile node then sends its Binding Update to the home agent's
+ link-layer address, instructing its home agent to no longer serve as
+ a home agent for it. By processing this Binding Update, the home
+
+
+
+Johnson, et al. Standard Track [Page 124]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ agent will cease defending the mobile node's home address for
+ Duplicate Address Detection and will no longer respond to Neighbor
+ Solicitations for the mobile node's home address. The mobile node is
+ then the only node on the link receiving packets at the mobile node's
+ home address. In addition, when returning home prior to the
+ expiration of a current binding for its home address, and configuring
+ its home address on its network interface on its home link, the
+ mobile node MUST NOT perform Duplicate Address Detection on its own
+ home address, in order to avoid confusion or conflict with its home
+ agent's use of the same address. This rule also applies to the
+ derived link-local address of the mobile node, if the Link Local
+ Address Compatibility (L) bit was set when the binding was created.
+ If the mobile node returns home after the bindings for all of its
+ care-of addresses have expired, then it SHOULD perform DAD.
+
+ After the Mobile Node sends the Binding Update, it MUST be prepared
+ to reply to Neighbor Solicitations for its home address. Such
+ replies MUST be sent using a unicast Neighbor Advertisement to the
+ sender's link-layer address. It is necessary to reply, since sending
+ the Binding Acknowledgement from the home agent may require
+ performing Neighbor Discovery, and the mobile node may not be able to
+ distinguish Neighbor Solicitations coming from the home agent from
+ other Neighbor Solicitations. Note that a race condition exists
+ where both the mobile node and the home agent respond to the same
+ solicitations sent by other nodes; this will be only temporary,
+ however, until the Binding Update is accepted.
+
+ After receiving the Binding Acknowledgement for its Binding Update to
+ its home agent, the mobile node MUST multicast onto the home link (to
+ the all-nodes multicast address) a Neighbor Advertisement [12], to
+ advertise the mobile node's own link-layer address for its own home
+ address. The Target Address in this Neighbor Advertisement MUST be
+ set to the mobile node's home address, and the Advertisement MUST
+ include a Target Link-layer Address option specifying the mobile
+ node's link-layer address. The mobile node MUST multicast such a
+ Neighbor Advertisement for each of its home addresses, as defined by
+ the current on-link prefixes, including its link-local address and
+ site-local address. The Solicited Flag (S) in these Advertisements
+ MUST NOT be set, since they were not solicited by any Neighbor
+ Solicitation. The Override Flag (O) in these Advertisements MUST be
+ set, indicating that the Advertisements SHOULD override any existing
+ Neighbor Cache entries at any node receiving them.
+
+ Since multicasting on the local link (such as Ethernet) is typically
+ not guaranteed to be reliable, the mobile node MAY retransmit these
+ Neighbor Advertisements [12] up to MAX_NEIGHBOR_ADVERTISEMENT times
+ to increase their reliability. It is still possible that some nodes
+
+
+
+
+Johnson, et al. Standard Track [Page 125]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ on the home link will not receive any of these Neighbor
+ Advertisements, but these nodes will eventually be able to recover
+ through use of Neighbor Unreachability Detection [12].
+
+ Note that the tunnel via the home agent typically stops operating at
+ the same time that the home registration is deleted.
+
+11.6. Return Routability Procedure
+
+ This section defines the rules that the mobile node must follow when
+ performing the return routability procedure. Section 11.7.2
+ describes the rules when the return routability procedure needs to be
+ initiated.
+
+11.6.1. Sending Test Init Messages
+
+ A mobile node that initiates a return routability procedure MUST send
+ (in parallel) a Home Test Init message and a Care-of Test Init
+ messages. However, if the mobile node has recently received (see
+ Section 5.2.7) one or both home or care-of keygen tokens, and
+ associated nonce indices for the desired addresses, it MAY reuse
+ them. Therefore, the return routability procedure may in some cases
+ be completed with only one message pair. It may even be completed
+ without any messages at all, if the mobile node has a recent home
+ keygen token and has previously visited the same care-of address so
+ that it also has a recent care-of keygen token. If the mobile node
+ intends to send a Binding Update with the Lifetime set to zero and
+ the care-of address equal to its home address - such as when
+ returning home - sending a Home Test Init message is sufficient. In
+ this case, generation of the binding management key depends
+ exclusively on the home keygen token (Section 5.2.5).
+
+ A Home Test Init message MUST be created as described in Section
+ 6.1.3.
+
+ A Care-of Test Init message MUST be created as described in Section
+ 6.1.4. When sending a Home Test Init or Care-of Test Init message
+ the mobile node MUST record in its Binding Update List the following
+ fields from the messages:
+
+ o The IP address of the node to which the message was sent.
+
+ o The home address of the mobile node. This value will appear in
+ the Source Address field of the Home Test Init message. When
+ sending the Care-of Test Init message, this address does not
+ appear in the message, but represents the home address for which
+ the binding is desired.
+
+
+
+
+Johnson, et al. Standard Track [Page 126]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The time at which each of these messages was sent.
+
+ o The cookies used in the messages.
+
+ Note that a single Care-of Test Init message may be sufficient even
+ when there are multiple home addresses. In this case the mobile node
+ MAY record the same information in multiple Binding Update List
+ entries.
+
+11.6.2. Receiving Test Messages
+
+ Upon receiving a packet carrying a Home Test message, a mobile node
+ MUST validate the packet according to the following tests:
+
+ o The Source Address of the packet belongs to a correspondent node
+ for which the mobile node has a Binding Update List entry with a
+ state indicating that return routability procedure is in progress.
+ Note that there may be multiple such entries.
+
+ o The Binding Update List indicates that no home keygen token has
+ been received yet.
+
+ o The Destination Address of the packet has the home address of the
+ mobile node, and the packet has been received in a tunnel from the
+ home agent.
+
+ o The Home Init Cookie field in the message matches the value stored
+ in the Binding Update List.
+
+ Any Home Test message not satisfying all of these tests MUST be
+ silently ignored. Otherwise, the mobile node MUST record the Home
+ Nonce Index and home keygen token in the Binding Update List. If the
+ Binding Update List entry does not have a care-of keygen token, the
+ mobile node SHOULD continue waiting for the Care-of Test message.
+
+ Upon receiving a packet carrying a Care-of Test message, a mobile
+ node MUST validate the packet according to the following tests:
+
+ o The Source Address of the packet belongs to a correspondent node
+ for which the mobile node has a Binding Update List entry with a
+ state indicating that return routability procedure is in progress.
+ Note that there may be multiple such entries.
+
+ o The Binding Update List indicates that no care-of keygen token has
+ been received yet.
+
+ o The Destination Address of the packet is the current care-of
+ address of the mobile node.
+
+
+
+Johnson, et al. Standard Track [Page 127]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The Care-of Init Cookie field in the message matches the value
+ stored in the Binding Update List.
+
+ Any Care-of Test message not satisfying all of these tests MUST be
+ silently ignored. Otherwise, the mobile node MUST record the Care-of
+ Nonce Index and care-of keygen token in the Binding Update List. If
+ the Binding Update List entry does not have a home keygen token, the
+ mobile node SHOULD continue waiting for the Home Test message.
+
+ If after receiving either the Home Test or the Care-of Test message
+ and performing the above actions, the Binding Update List entry has
+ both the home and the care-of keygen tokens, the return routability
+ procedure is complete. The mobile node SHOULD then proceed with
+ sending a Binding Update as described in Section 11.7.2.
+
+ Correspondent nodes from the time before this specification was
+ published may not support the Mobility Header protocol. These nodes
+ will respond to Home Test Init and Care-of Test Init messages with an
+ ICMP Parameter Problem code 1. The mobile node SHOULD take such
+ messages as an indication that the correspondent node cannot provide
+ route optimization, and revert back to the use of bidirectional
+ tunneling.
+
+11.6.3. Protecting Return Routability Packets
+
+ The mobile node MUST support the protection of Home Test and Home
+ Test Init messages as described in Section 10.4.6.
+
+ When IPsec is used to protect return routability signaling or payload
+ packets, the mobile node MUST set the source address it uses for the
+ outgoing tunnel packets to the current primary care-of address. The
+ mobile node starts to use a new primary care-of address immediately
+ after sending a Binding Update to the home agent to register this new
+ address.
+
+11.7. Processing Bindings
+
+11.7.1. Sending Binding Updates to the Home Agent
+
+ After deciding to change its primary care-of address as described in
+ Section 11.5.1 and Section 11.5.2, a mobile node MUST register this
+ care-of address with its home agent in order to make this its primary
+ care-of address.
+
+ Also, if the mobile node wants the services of the home agent beyond
+ the current registration period, the mobile node should send a new
+ Binding Update to it well before the expiration of this period, even
+ if it is not changing its primary care-of address. However, if the
+
+
+
+Johnson, et al. Standard Track [Page 128]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ home agent returned a Binding Acknowledgement for the current
+ registration with Status field set to 1 (accepted but prefix
+ discovery necessary), the mobile node should not try to register
+ again before it has learned the validity of its home prefixes through
+ mobile prefix discovery. This is typically necessary every time this
+ Status value is received, because information learned earlier may
+ have changed.
+
+ To register a care-of address or to extend the lifetime of an
+ existing registration, the mobile node sends a packet to its home
+ agent containing a Binding Update, with the packet constructed as
+ follows:
+
+ o The Home Registration (H) bit MUST be set in the Binding Update.
+
+ o The Acknowledge (A) bit MUST be set in the Binding Update.
+
+ o The packet MUST contain a Home Address destination option, giving
+ the mobile node's home address for the binding.
+
+ o The care-of address for the binding MUST be used as the Source
+ Address in the packet's IPv6 header, unless an Alternate Care-of
+ Address mobility option is included in the Binding Update. This
+ option MUST be included in all home registrations, as the ESP
+ protocol will not be able to protect care-of addresses in the IPv6
+ header. (Mobile IPv6 implementations that know they are using
+ IPsec AH to protect a particular message might avoid this option.
+ For brevity the usage of AH is not discussed in this document.)
+
+ o If the mobile node's link-local address has the same interface
+ identifier as the home address for which it is supplying a new
+ care-of address, then the mobile node SHOULD set the Link-Local
+ Address Compatibility (L) bit.
+
+ o If the home address was generated using RFC 3041 [18], then the
+ link local address is unlikely to have a compatible interface
+ identifier. In this case, the mobile node MUST clear the Link-
+ Local Address Compatibility (L) bit.
+
+ o If the IPsec security associations between the mobile node and the
+ home agent have been established dynamically, and the mobile node
+ has the capability to update its endpoint in the used key
+ management protocol to the new care-of address every time it
+ moves, the mobile node SHOULD set the Key Management Mobility
+ Capability (K) bit in the Binding Update. Otherwise, the mobile
+ node MUST clear the bit.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 129]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The value specified in the Lifetime field MUST be non-zero and
+ SHOULD be less than or equal to the remaining valid lifetime of
+ the home address and the care-of address specified for the
+ binding.
+
+ Mobile nodes that use dynamic home agent address discovery should
+ be careful with long lifetimes. If the mobile node loses the
+ knowledge of its binding with a specific home agent, registering a
+ new binding with another home agent may be impossible as the
+ previous home agent is still defending the existing binding.
+ Therefore, to ensure that mobile nodes using home agent address
+ discovery do not lose information about their binding, they SHOULD
+ de-register before losing this information, or use small
+ lifetimes.
+
+ The Acknowledge (A) bit in the Binding Update requests the home agent
+ to return a Binding Acknowledgement in response to this Binding
+ Update. As described in Section 6.1.8, the mobile node SHOULD
+ retransmit this Binding Update to its home agent until it receives a
+ matching Binding Acknowledgement. Once reaching a retransmission
+ timeout period of MAX_BINDACK_TIMEOUT, the mobile node SHOULD restart
+ the process of delivering the Binding Update, but trying instead the
+ next home agent returned during dynamic home agent address discovery
+ (see Section 11.4.1). If there was only one home agent, the mobile
+ node instead SHOULD continue to periodically retransmit the Binding
+ Update at this rate until acknowledged (or until it begins attempting
+ to register a different primary care-of address). See Section 11.8
+ for information about retransmitting Binding Updates.
+
+ With the Binding Update, the mobile node requests the home agent to
+ serve as the home agent for the given home address. Until the
+ lifetime of this registration expires, the home agent considers
+ itself the home agent for this home address.
+
+ Each Binding Update MUST be authenticated as coming from the right
+ mobile node, as defined in Section 5.1. The mobile node MUST use its
+ home address - either in the Home Address destination option or in
+ the Source Address field of the IPv6 header - in Binding Updates sent
+ to the home agent. This is necessary in order to allow the IPsec
+ policies to be matched with the correct home address.
+
+ When sending a Binding Update to its home agent, the mobile node MUST
+ also create or update the corresponding Binding Update List entry, as
+ specified in Section 11.7.2.
+
+ The last Sequence Number value sent to the home agent in a Binding
+ Update is stored by the mobile node. If the sending mobile node has
+ no knowledge of the correct Sequence Number value, it may start at
+
+
+
+Johnson, et al. Standard Track [Page 130]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ any value. If the home agent rejects the value, it sends back a
+ Binding Acknowledgement with a status code 135, and the last accepted
+ sequence number in the Sequence Number field of the Binding
+ Acknowledgement. The mobile node MUST store this information and use
+ the next Sequence Number value for the next Binding Update it sends.
+
+ If the mobile node has additional home addresses, then the mobile
+ node SHOULD send an additional packet containing a Binding Update to
+ its home agent to register the care-of address for each such other
+ home address.
+
+ The home agent will only perform DAD for the mobile node's home
+ address when the mobile node has supplied a valid binding between its
+ home address and a care-of address. If some time elapses during
+ which the mobile node has no binding at the home agent, it might be
+ possible for another node to autoconfigure the mobile node's home
+ address. Therefore, the mobile node MUST treat the creation of a new
+ binding with the home agent using an existing home address, the same
+ as creation of a new home address. In the unlikely event that the
+ mobile node's home address is autoconfigured as the IPv6 address of
+ another network node on the home network, the home agent will reply
+ to the mobile node's subsequent Binding Update with a Binding
+ Acknowledgement containing a Status of 134 (Duplicate Address
+ Detection failed). In this case, the mobile node MUST NOT attempt to
+ re-use the same home address. It SHOULD continue to register the
+ care-of addresses for its other home addresses, if any. (Mechanisms
+ outlined in Appendix B.5 may in the future allow mobile nodes to
+ acquire new home addresses to replace the one for which Status 134
+ was received.)
+
+11.7.2. Correspondent Registration
+
+ When the mobile node is assured that its home address is valid, it
+ can initiate a correspondent registration with the purpose of
+ allowing the correspondent node to cache the mobile node's current
+ care-of address. This procedure consists of the return routability
+ procedure followed by a registration.
+
+ This section defines when the correspondent registration is to be
+ initiated and the rules to follow while it is being performed.
+
+ After the mobile node has sent a Binding Update to its home agent,
+ registering a new primary care-of address (as described in Section
+ 11.7.1), the mobile node SHOULD initiate a correspondent registration
+ for each node that already appears in the mobile node's Binding
+ Update List. The initiated procedures can be used to either update
+ or delete binding information in the correspondent node.
+
+
+
+
+Johnson, et al. Standard Track [Page 131]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ For nodes that do not appear in the mobile node's Binding Update
+ List, the mobile node MAY initiate a correspondent registration at
+ any time after sending the Binding Update to its home agent.
+
+ Considerations regarding when (and if) to initiate the procedure
+ depend on the specific movement and traffic patterns of the mobile
+ node and are outside the scope of this document.
+
+ In addition, the mobile node MAY initiate the correspondent
+ registration in response to receiving a packet that meets all of the
+ following tests:
+
+ o The packet was tunneled using IPv6 encapsulation.
+
+ o The Destination Address in the tunnel (outer) IPv6 header is equal
+ to any of the mobile node's care-of addresses.
+
+ o The Destination Address in the original (inner) IPv6 header is
+ equal to one of the mobile node's home addresses.
+
+ o The Source Address in the tunnel (outer) IPv6 header differs from
+ the Source Address in the original (inner) IPv6 header.
+
+ o The packet does not contain a Home Test, Home Test Init, Care-of
+ Test, or Care-of Test Init message.
+
+ If a mobile node has multiple home addresses, it becomes important to
+ select the right home address to use in the correspondent
+ registration. The used home address MUST be the Destination Address
+ of the original (inner) packet.
+
+ The peer address used in the procedure MUST be determined as follows:
+
+ o If a Home Address destination option is present in the original
+ (inner) packet, the address from this option is used.
+
+ o Otherwise, the Source Address in the original (inner) IPv6 header
+ of the packet is used.
+
+ Note that the validity of the original packet is checked before
+ attempting to initiate a correspondent registration. For instance,
+ if a Home Address destination option appeared in the original packet,
+ then rules in Section 9.3.1 are followed.
+
+ A mobile node MAY also choose to keep its topological location
+ private from certain correspondent nodes, and thus need not initiate
+ the correspondent registration.
+
+
+
+
+Johnson, et al. Standard Track [Page 132]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Upon successfully completing the return routability procedure, and
+ after receiving a successful Binding Acknowledgement from the Home
+ Agent, a Binding Update MAY be sent to the correspondent node.
+
+ In any Binding Update sent by a mobile node, the care-of address
+ (either the Source Address in the packet's IPv6 header or the Care-of
+ Address in the Alternate Care-of Address mobility option of the
+ Binding Update) MUST be set to one of the care-of addresses currently
+ in use by the mobile node or to the mobile node's home address. A
+ mobile node MAY set the care-of address differently for sending
+ Binding Updates to different correspondent nodes.
+
+ A mobile node MAY also send a Binding Update to such a correspondent
+ node, instructing it to delete any existing binding for the mobile
+ node from its Binding Cache, as described in Section 6.1.7. Even in
+ this case a successful completion of the return routability procedure
+ is required first.
+
+ If the care-of address is not set to the mobile node's home address,
+ the Binding Update requests that the correspondent node create or
+ update an entry for the mobile node in the correspondent node's
+ Binding Cache. This is done in order to record a care-of address for
+ use in sending future packets to the mobile node. In this case, the
+ value specified in the Lifetime field sent in the Binding Update
+ SHOULD be less than or equal to the remaining lifetime of the home
+ registration and the care-of address specified for the binding. The
+ care-of address given in the Binding Update MAY differ from the
+ mobile node's primary care-of address.
+
+ If the Binding Update is sent to the correspondent node, requesting
+ the deletion of any existing Binding Cache entry it has for the
+ mobile node, the care-of address is set to the mobile node's home
+ address and the Lifetime field set to zero. In this case, generation
+ of the binding management key depends exclusively on the home keygen
+ token (Section 5.2.5). The care-of nonce index SHOULD be set to zero
+ in this case. In keeping with the Binding Update creation rules
+ below, the care-of address MUST be set to the home address if the
+ mobile node is at home, or to the current care-of address if it is
+ away from home.
+
+ If the mobile node wants to ensure that its new care-of address has
+ been entered into a correspondent node's Binding Cache, the mobile
+ node needs to request an acknowledgement by setting the Acknowledge
+ (A) bit in the Binding Update.
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 133]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ A Binding Update is created as follows:
+
+ o The current care-of address of the mobile node MUST be sent either
+ in the Source Address of the IPv6 header, or in the Alternate
+ Care-of Address mobility option.
+
+ o The Destination Address of the IPv6 header MUST contain the
+ address of the correspondent node.
+
+ o The Mobility Header is constructed according to rules in Section
+ 6.1.7 and Section 5.2.6, including the Binding Authorization Data
+ (calculated as defined in Section 6.2.7) and possibly the Nonce
+ Indices mobility options.
+
+ o The home address of the mobile node MUST be added to the packet in
+ a Home Address destination option, unless the Source Address is
+ the home address.
+
+ Each Binding Update MUST have a Sequence Number greater than the
+ Sequence Number value sent in the previous Binding Update to the same
+ destination address (if any). The sequence numbers are compared
+ modulo 2**16, as described in Section 9.5.1. There is no
+ requirement, however, that the Sequence Number value strictly
+ increase by 1 with each new Binding Update sent or received, as long
+ as the value stays within the window. The last Sequence Number value
+ sent to a destination in a Binding Update is stored by the mobile
+ node in its Binding Update List entry for that destination. If the
+ sending mobile node has no Binding Update List entry, the Sequence
+ Number SHOULD start at a random value. The mobile node MUST NOT use
+ the same Sequence Number in two different Binding Updates to the same
+ correspondent node, even if the Binding Updates provide different
+ care-of addresses.
+
+ The mobile node is responsible for the completion of the
+ correspondent registration, as well as any retransmissions that may
+ be needed (subject to the rate limitation defined in Section 11.8).
+
+11.7.3. Receiving Binding Acknowledgements
+
+ Upon receiving a packet carrying a Binding Acknowledgement, a mobile
+ node MUST validate the packet according to the following tests:
+
+ o The packet meets the authentication requirements for Binding
+ Acknowledgements defined in Section 6.1.8 and Section 5. That is,
+ if the Binding Update was sent to the home agent, underlying IPsec
+ protection is used. If the Binding Update was sent to the
+ correspondent node, the Binding Authorization Data mobility option
+ MUST be present and have a valid value.
+
+
+
+Johnson, et al. Standard Track [Page 134]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o The Binding Authorization Data mobility option, if present, MUST
+ be the last option and MUST not have trailing padding.
+
+ o The Sequence Number field matches the Sequence Number sent by the
+ mobile node to this destination address in an outstanding Binding
+ Update.
+
+ Any Binding Acknowledgement not satisfying all of these tests MUST be
+ silently ignored.
+
+ When a mobile node receives a packet carrying a valid Binding
+ Acknowledgement, the mobile node MUST examine the Status field as
+ follows:
+
+ o If the Status field indicates that the Binding Update was accepted
+ (the Status field is less than 128), then the mobile node MUST
+ update the corresponding entry in its Binding Update List to
+ indicate that the Binding Update has been acknowledged; the mobile
+ node MUST then stop retransmitting the Binding Update. In
+ addition, if the value specified in the Lifetime field in the
+ Binding Acknowledgement is less than the Lifetime value sent in
+ the Binding Update being acknowledged, the mobile node MUST
+ subtract the difference between these two Lifetime values from the
+ remaining lifetime for the binding as maintained in the
+ corresponding Binding Update List entry (with a minimum value for
+ the Binding Update List entry lifetime of 0). That is, if the
+ Lifetime value sent in the Binding Update was L_update, the
+ Lifetime value received in the Binding Acknowledgement was L_ack,
+ and the current remaining lifetime of the Binding Update List
+ entry is L_remain, then the new value for the remaining lifetime
+ of the Binding Update List entry should be
+
+ max((L_remain - (L_update - L_ack)), 0)
+
+ where max(X, Y) is the maximum of X and Y. The effect of this
+ step is to correctly manage the mobile node's view of the
+ binding's remaining lifetime (as maintained in the corresponding
+ Binding Update List entry) so that it correctly counts down from
+ the Lifetime value given in the Binding Acknowledgement, but with
+ the timer countdown beginning at the time that the Binding Update
+ was sent.
+
+ Mobile nodes SHOULD send a new Binding Update well before the
+ expiration of this period in order to extend the lifetime. This
+ helps to avoid disruptions in communications which might otherwise
+ be caused by network delays or clock drift.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 135]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o Additionally, if the Status field value is 1 (accepted but prefix
+ discovery necessary), the mobile node SHOULD send a Mobile Prefix
+ Solicitation message to update its information about the available
+ prefixes.
+
+ o If the Status field indicates that the Binding Update was rejected
+ (the Status field is greater than or equal to 128), then the
+ mobile node can take steps to correct the cause of the error and
+ retransmit the Binding Update (with a new Sequence Number value),
+ subject to the rate limiting restriction specified in Section
+ 11.8. If this is not done or it fails, then the mobile node
+ SHOULD record in its Binding Update List that future Binding
+ Updates SHOULD NOT be sent to this destination.
+
+ The treatment of a Binding Refresh Advice mobility option within the
+ Binding Acknowledgement depends on where the acknowledgement came
+ from. This option MUST be ignored if the acknowledgement came from a
+ correspondent node. If it came from the home agent, the mobile node
+ uses the Refresh Interval field in the option as a suggestion that it
+ SHOULD attempt to refresh its home registration at the indicated
+ shorter interval.
+
+ If the acknowledgement came from the home agent, the mobile node
+ examines the value of the Key Management Mobility Capability (K) bit.
+ If this bit is not set, the mobile node SHOULD discard key management
+ protocol connections, if any, to the home agent. The mobile node MAY
+ also initiate a new key management connection.
+
+ If this bit is set, the mobile node SHOULD move its own endpoint in
+ the key management protocol connections to the home agent, if any.
+ The mobile node's new endpoint should be the new care-of address.
+ For an IKE phase 1 connection, this means that packets sent to this
+ address with the original ISAKMP cookies are accepted.
+
+11.7.4. Receiving Binding Refresh Requests
+
+ When a mobile node receives a packet containing a Binding Refresh
+ Request message, the mobile node has a Binding Update List entry for
+ the source of the Binding Refresh Request, and the mobile node wants
+ to retain its binding cache entry at the correspondent node, then the
+ mobile node should start a return routability procedure. If the
+ mobile node wants to have its binding cache entry removed, it can
+ either ignore the Binding Refresh Request and wait for the binding to
+ time out, or at any time, it can delete its binding from a
+ correspondent node with an explicit binding update with a zero
+ lifetime and the care-of address set to the home address. If the
+
+
+
+
+
+Johnson, et al. Standard Track [Page 136]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ mobile node does not know if it needs the binding cache entry, it can
+ make the decision in an implementation dependent manner, such as
+ based on available resources.
+
+ Note that the mobile node should be careful to not respond to Binding
+ Refresh Requests for addresses not in the Binding Update List to
+ avoid being subjected to a denial of service attack.
+
+ If the return routability procedure completes successfully, a Binding
+ Update message SHOULD be sent, as described in Section 11.7.2. The
+ Lifetime field in this Binding Update SHOULD be set to a new
+ lifetime, extending any current lifetime remaining from a previous
+ Binding Update sent to this node (as indicated in any existing
+ Binding Update List entry for this node), and the lifetime SHOULD
+ again be less than or equal to the remaining lifetime of the home
+ registration and the care-of address specified for the binding. When
+ sending this Binding Update, the mobile node MUST update its Binding
+ Update List in the same way as for any other Binding Update sent by
+ the mobile node.
+
+11.8. Retransmissions and Rate Limiting
+
+ The mobile node is responsible for retransmissions and rate limiting
+ in the return routability procedure, registrations, and in solicited
+ prefix discovery.
+
+ When the mobile node sends a Mobile Prefix Solicitation, Home Test
+ Init, Care-of Test Init or Binding Update for which it expects a
+ response, the mobile node has to determine a value for the initial
+ retransmission timer:
+
+ o If the mobile node is sending a Mobile Prefix Solicitation, it
+ SHOULD use an initial retransmission interval of
+ INITIAL_SOLICIT_TIMER (see Section 12).
+
+ o If the mobile node is sending a Binding Update and does not have
+ an existing binding at the home agent, it SHOULD use
+ InitialBindackTimeoutFirstReg (see Section 13) as a value for the
+ initial retransmission timer. This long retransmission interval
+ will allow the home agent to complete the Duplicate Address
+ Detection procedure mandated in this case, as detailed in Section
+ 11.7.1.
+
+ o Otherwise, the mobile node should use the specified value of
+ INITIAL_BINDACK_TIMEOUT for the initial retransmission timer.
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 137]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ If the mobile node fails to receive a valid matching response within
+ the selected initial retransmission interval, the mobile node SHOULD
+ retransmit the message until a response is received.
+
+ The retransmissions by the mobile node MUST use an exponential back-
+ off process in which the timeout period is doubled upon each
+ retransmission, until either the node receives a response or the
+ timeout period reaches the value MAX_BINDACK_TIMEOUT. The mobile
+ node MAY continue to send these messages at this slower rate
+ indefinitely.
+
+ The mobile node SHOULD start a separate back-off process for
+ different message types, different home addresses and different
+ care-of addresses. However, in addition an overall rate limitation
+ applies for messages sent to a particular correspondent node. This
+ ensures that the correspondent node has a sufficient amount of time
+ to respond when bindings for multiple home addresses are registered,
+ for instance. The mobile node MUST NOT send Mobility Header messages
+ of a particular type to a particular correspondent node more than
+ MAX_UPDATE_RATE times within a second.
+
+ Retransmitted Binding Updates MUST use a Sequence Number value
+ greater than that used for the previous transmission of this Binding
+ Update. Retransmitted Home Test Init and Care-of Test Init messages
+ MUST use new cookie values.
+
+12. Protocol Constants
+
+ DHAAD_RETRIES 4 retransmissions
+ INITIAL_BINDACK_TIMEOUT 1 second
+ INITIAL_DHAAD_TIMEOUT 3 seconds
+ INITIAL_SOLICIT_TIMER 3 seconds
+ MAX_BINDACK_TIMEOUT 32 seconds
+ MAX_NONCE_LIFETIME 240 seconds
+ MAX_TOKEN_LIFETIME 210 seconds
+ MAX_RR_BINDING_LIFETIME 420 seconds
+ MAX_UPDATE_RATE 3 times
+ PREFIX_ADV_RETRIES 3 retransmissions
+ PREFIX_ADV_TIMEOUT 3 seconds
+
+13. Protocol Configuration Variables
+
+ MaxMobPfxAdvInterval Default: 86,400 seconds
+ MinDelayBetweenRAs Default: 3 seconds,
+ Min: 0.03 seconds
+ MinMobPfxAdvInterval Default: 600 seconds
+ InitialBindackTimeoutFirstReg Default: 1.5 seconds
+
+
+
+
+Johnson, et al. Standard Track [Page 138]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Home agents MUST allow the first three variables to be configured by
+ system management, and mobile nodes MUST allow the last variable to
+ be configured by system management.
+
+ The default value for InitialBindackTimeoutFirstReg has been
+ calculated as 1.5 times the default value of RetransTimer [12] times
+ the default value of DupAddrDetectTransmits [13].
+
+ The value MinDelayBetweenRAs overrides the value of the protocol
+ constant MIN_DELAY_BETWEEN_RAS, as specified in RFC 2461 [12]. This
+ variable SHOULD be set to MinRtrAdvInterval, if MinRtrAdvInterval is
+ less than 3 seconds.
+
+14. IANA Considerations
+
+ This document defines a new IPv6 protocol, the Mobility Header,
+ described in Section 6.1. This protocol has been assigned protocol
+ number 135.
+
+ This document also creates a new name space "Mobility Header Type",
+ for the MH Type field in the Mobility Header. The current message
+ types are described starting from Section 6.1.2, and are the
+ following:
+
+ 0 Binding Refresh Request
+
+ 1 Home Test Init
+
+ 2 Care-of Test Init
+
+ 3 Home Test
+
+ 4 Care-of Test
+
+ 5 Binding Update
+
+ 6 Binding Acknowledgement
+
+ 7 Binding Error
+
+ Future values of the MH Type can be allocated using Standards Action
+ or IESG Approval [10].
+
+ Furthermore, each mobility message may contain mobility options as
+ described in Section 6.2. This document defines a new name space
+ "Mobility Option" to identify these options. The current mobility
+ options are defined starting from Section 6.2.2 and are the
+ following:
+
+
+
+Johnson, et al. Standard Track [Page 139]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ 0 Pad1
+
+ 1 PadN
+
+ 2 Binding Refresh Advice
+
+ 3 Alternate Care-of Address
+
+ 4 Nonce Indices
+
+ 5 Authorization Data
+
+ Future values of the Option Type can be allocated using Standards
+ Action or IESG Approval [10].
+
+ Finally, this document creates a third new name space "Status Code"
+ for the Status field in the Binding Acknowledgement message. The
+ current values are described in Section 6.1.8, and are the following:
+
+ 0 Binding Update accepted
+
+ 1 Accepted but prefix discovery necessary
+
+ 128 Reason unspecified
+
+ 129 Administratively prohibited
+
+ 130 Insufficient resources
+
+ 131 Home registration not supported
+
+ 132 Not home subnet
+
+ 133 Not home agent for this mobile node
+
+ 134 Duplicate Address Detection failed
+
+ 135 Sequence number out of window
+
+ 136 Expired home nonce index
+
+ 137 Expired care-of nonce index
+
+ 138 Expired nonces
+
+ 139 Registration type change disallowed
+
+
+
+
+
+Johnson, et al. Standard Track [Page 140]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Future values of the Status field can be allocated using Standards
+ Action or IESG Approval [10].
+
+ All fields labeled "Reserved" are only to be assigned through
+ Standards Action or IESG Approval.
+
+ This document also defines a new IPv6 destination option, the Home
+ Address option, described in Section 6.3. This option has been
+ assigned the Option Type value 0xC9.
+
+ This document also defines a new IPv6 type 2 routing header,
+ described in Section 6.4. The value 2 has been allocated by IANA.
+
+ In addition, this document defines four ICMP message types, two used
+ as part of the dynamic home agent address discovery mechanism, and
+ two used in lieu of Router Solicitations and Advertisements when the
+ mobile node is away from the home link. These messages have been
+ assigned ICMPv6 type numbers from the informational message range:
+
+ o The Home Agent Address Discovery Request message, described in
+ Section 6.5;
+
+ o The Home Agent Address Discovery Reply message, described in
+ Section 6.6;
+
+ o The Mobile Prefix Solicitation, described in Section 6.7; and
+
+ o The Mobile Prefix Advertisement, described in Section 6.8.
+
+ This document also defines two new Neighbor Discovery [12] options,
+ which have been assigned Option Type values within the option
+ numbering space for Neighbor Discovery messages:
+
+ o The Advertisement Interval option, described in Section 7.3; and
+
+ o The Home Agent Information option, described in Section 7.4.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 141]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+15. Security Considerations
+
+15.1. Threats
+
+ Any mobility solution must protect itself against misuses of the
+ mobility features and mechanisms. In Mobile IPv6, most of the
+ potential threats are concerned with false Bindings, usually
+ resulting in Denial-of-Service attacks. Some of the threats also
+ pose potential for Man-in-the-Middle, Hijacking, Confidentiality, and
+ Impersonation attacks. The main threats this protocol protects
+ against are the following:
+
+ o Threats involving Binding Updates sent to home agents and
+ correspondent nodes. For instance, an attacker might claim that a
+ certain mobile node is currently at a different location than it
+ really is. If a home agent accepts such spoofed information sent
+ to it, the mobile node might not get traffic destined to it.
+ Similarly, a malicious (mobile) node might use the home address of
+ a victim node in a forged Binding Update sent to a correspondent
+ node.
+
+ These pose threats against confidentiality, integrity, and
+ availability. That is, an attacker might learn the contents of
+ packets destined to another node by redirecting the traffic to
+ itself. Furthermore, an attacker might use the redirected packets
+ in an attempt to set itself as a Man-in-the-Middle between a
+ mobile and a correspondent node. This would allow the attacker to
+ impersonate the mobile node, leading to integrity and availability
+ problems.
+
+ A malicious (mobile) node might also send Binding Updates in which
+ the care-of address is set to the address of a victim node. If
+ such Binding Updates were accepted, the malicious node could lure
+ the correspondent node into sending potentially large amounts of
+ data to the victim; the correspondent node's replies to messages
+ sent by the malicious mobile node will be sent to the victim host
+ or network. This could be used to cause a Distributed Denial-of-
+ Service attack. For example, the correspondent node might be a
+ site that will send a high-bandwidth stream of video to anyone who
+ asks for it. Note that the use of flow-control protocols such as
+ TCP does not necessarily defend against this type of attack,
+ because the attacker can fake the acknowledgements. Even keeping
+ TCP initial sequence numbers secret does not help, because the
+ attacker can receive the first few segments (including the ISN) at
+ its own address, and only then redirect the stream to the victim's
+ address. These types of attacks may also be directed to networks
+ instead of nodes. Further variations of this threat are described
+ elsewhere [27, 34].
+
+
+
+Johnson, et al. Standard Track [Page 142]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ An attacker might also attempt to disrupt a mobile node's
+ communications by replaying a Binding Update that the node had
+ sent earlier. If the old Binding Update was accepted, packets
+ destined for the mobile node would be sent to its old location as
+ opposed to its current location.
+
+ In conclusion, there are Denial-of-Service, Man-in-the-Middle,
+ Confidentiality, and Impersonation threats against the parties
+ involved in sending legitimate Binding Updates, and Denial-of-
+ Service threats against any other party.
+
+ o Threats associated with payload packets: Payload packets exchanged
+ with mobile nodes are exposed to similar threats as that of
+ regular IPv6 traffic. However, Mobile IPv6 introduces the Home
+ Address destination option, a new routing header type (type 2),
+ and uses tunneling headers in the payload packets. The protocol
+ must protect against potential new threats involving the use of
+ these mechanisms.
+
+ Third parties become exposed to a reflection threat via the Home
+ Address destination option, unless appropriate security
+ precautions are followed. The Home Address destination option
+ could be used to direct response traffic toward a node whose IP
+ address appears in the option. In this case, ingress filtering
+ would not catch the forged "return address" [36, 32].
+
+ A similar threat exists with the tunnels between the mobile node
+ and the home agent. An attacker might forge tunnel packets
+ between the mobile node and the home agent, making it appear that
+ the traffic is coming from the mobile node when it is not. Note
+ that an attacker who is able to forge tunnel packets would
+ typically also be able to forge packets that appear to come
+ directly from the mobile node. This is not a new threat as such.
+ However, it may make it easier for attackers to escape detection
+ by avoiding ingress filtering and packet tracing mechanisms.
+ Furthermore, spoofed tunnel packets might be used to gain access
+ to the home network.
+
+ Finally, a routing header could also be used in reflection
+ attacks, and in attacks designed to bypass firewalls. The
+ generality of the regular routing header would allow circumvention
+ of IP-address based rules in firewalls. It would also allow
+ reflection of traffic to other nodes. These threats exist with
+ routing headers in general, even if the usage that Mobile IPv6
+ requires is safe.
+
+ o Threats associated with dynamic home agent and mobile prefix
+ discovery.
+
+
+
+Johnson, et al. Standard Track [Page 143]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o Threats against the Mobile IPv6 security mechanisms themselves: An
+ attacker might, for instance, lure the participants into executing
+ expensive cryptographic operations or allocating memory for the
+ purpose of keeping state. The victim node would have no resources
+ left to handle other tasks.
+
+ As a fundamental service in an IPv6 stack, Mobile IPv6 is expected to
+ be deployed in most nodes of the IPv6 Internet. The above threats
+ should therefore be considered as being applicable to the whole
+ Internet.
+
+ It should also be noted that some additional threats result from
+ movements as such, even without the involvement of mobility
+ protocols. Mobile nodes must be capable to defend themselves in the
+ networks that they visit, as typical perimeter defenses applied in
+ the home network no longer protect them.
+
+15.2. Features
+
+ This specification provides a series of features designed to mitigate
+ the risk introduced by the threats listed above. The main security
+ features are the following:
+
+ o Reverse Tunneling as a mandatory feature.
+
+ o Protection of Binding Updates sent to home agents.
+
+ o Protection of Binding Updates sent to correspondent nodes.
+
+ o Protection against reflection attacks that use the Home Address
+ destination option.
+
+ o Protection of tunnels between the mobile node and the home agent.
+
+ o Closing routing header vulnerabilities.
+
+ o Mitigating Denial-of-Service threats to the Mobile IPv6 security
+ mechanisms themselves.
+
+ The support for encrypted reverse tunneling (see Section 11.3.1)
+ allows mobile nodes to defeat certain kinds of traffic analysis.
+
+ Protecting those Binding Updates that are sent to home agents and
+ those that are sent to arbitrary correspondent nodes requires very
+ different security solutions due to the different situations. Mobile
+ nodes and home agents are naturally expected to be subject to the
+ network administration of the home domain.
+
+
+
+
+Johnson, et al. Standard Track [Page 144]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Thus, they can and are supposed to have a security association that
+ can be used to reliably authenticate the exchanged messages. See
+ Section 5.1 for the description of the protocol mechanisms, and
+ Section 15.3 below for a discussion of the resulting level of
+ security.
+
+ It is expected that Mobile IPv6 route optimization will be used on a
+ global basis between nodes belonging to different administrative
+ domains. It would be a very demanding task to build an
+ authentication infrastructure on this scale. Furthermore, a
+ traditional authentication infrastructure cannot be easily used to
+ authenticate IP addresses because IP addresses can change often. It
+ is not sufficient to just authenticate the mobile nodes;
+ Authorization to claim the right to use an address is needed as well.
+ Thus, an "infrastructureless" approach is necessary. The chosen
+ infrastructureless method is described in Section 5.2, and Section
+ 15.4 discusses the resulting security level and the design rationale
+ of this approach.
+
+ Specific rules guide the use of the Home Address destination option,
+ the routing header, and the tunneling headers in the payload packets.
+ These rules are necessary to remove the vulnerabilities associated
+ with their unrestricted use. The effect of the rules is discussed in
+ Section 15.7, Section 15.8, and Section 15.9.
+
+ Denial-of-Service threats against Mobile IPv6 security mechanisms
+ themselves concern mainly the Binding Update procedures with
+ correspondent nodes. The protocol has been designed to limit the
+ effects of such attacks, as will be described in Section 15.4.5.
+
+15.3. Binding Updates to Home Agent
+
+ Signaling between the mobile node and the home agent requires message
+ integrity. This is necessary to assure the home agent that a Binding
+ Update is from a legitimate mobile node. In addition, correct
+ ordering and anti-replay protection are optionally needed.
+
+ IPsec ESP protects the integrity of the Binding Updates and Binding
+ Acknowledgements by securing mobility messages between the mobile
+ node and the home agent.
+
+ IPsec can provide anti-replay protection only if dynamic keying is
+ used (which may not always be the case). IPsec does not guarantee
+ correct ordering of packets, only that they have not been replayed.
+ Because of this, sequence numbers within the Mobile IPv6 messages are
+ used to ensure correct ordering (see Section 5.1). However, if the
+ 16 bit Mobile IPv6 sequence number space is cycled through, or the
+ home agent reboots and loses its state regarding the sequence
+
+
+
+Johnson, et al. Standard Track [Page 145]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ numbers, replay and reordering attacks become possible. The use of
+ dynamic keying, IPsec anti-replay protection, and the Mobile IPv6
+ sequence numbers can together prevent such attacks. It is also
+ recommended that use of non-volatile storage be considered for home
+ agents, to avoid losing their state.
+
+ A sliding window scheme is used for the sequence numbers. The
+ protection against replays and reordering attacks without a key
+ management mechanism works when the attacker remembers up to a
+ maximum of 2**15 Binding Updates.
+
+ The above mechanisms do not show that the care-of address given in
+ the Binding Update is correct. This opens the possibility for
+ Denial-of-Service attacks against third parties. However, since the
+ mobile node and home agent have a security association, the home
+ agent can always identify an ill-behaving mobile node. This allows
+ the home agent operator to discontinue the mobile node's service, and
+ possibly take further actions based on the business relationship with
+ the mobile node's owner.
+
+ Note that the use of a single pair of manually keyed security
+ associations conflicts with the generation of a new home address [18]
+ for the mobile node, or with the adoption of a new home subnet
+ prefix. This is because IPsec security associations are bound to the
+ used addresses. While certificate-based automatic keying alleviates
+ this problem to an extent, it is still necessary to ensure that a
+ given mobile node cannot send Binding Updates for the address of
+ another mobile node. In general, this leads to the inclusion of home
+ addresses in certificates in the Subject AltName field. This again
+ limits the introduction of new addresses without either manual or
+ automatic procedures to establish new certificates. Therefore, this
+ specification restricts the generation of new home addresses (for any
+ reason) to those situations where a security association or
+ certificate for the new address already exists. (Appendix B.4 lists
+ the improvement of security for new addresses as one of the future
+ developments for Mobile IPv6.)
+
+ Support for IKE has been specified as optional. The following should
+ be observed about the use of manual keying:
+
+ o As discussed above, with manually keyed IPsec, only a limited form
+ of protection exists against replay and reordering attacks. A
+ vulnerability exists if either the sequence number space is cycled
+ through, or if the home agent reboots and forgets its sequence
+ numbers (and uses volatile memory to store the sequence numbers).
+ Assuming the mobile node moves continuously every 10 minutes, it
+
+
+
+
+
+Johnson, et al. Standard Track [Page 146]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ takes roughly 455 days before the sequence number space has been
+ cycled through. Typical movement patterns rarely reach this high
+ frequency today.
+
+ o A mobile node and its home agent belong to the same domain. If
+ this were not the case, manual keying would not be possible [28],
+ but in Mobile IPv6 only these two parties need to know the
+ manually configured keys. Similarly, we note that Mobile IPv6
+ employs standard block ciphers in IPsec, and is not vulnerable to
+ problems associated with stream ciphers and manual keying.
+
+ o It is expected that the owner of the mobile node and the
+ administrator of the home agent agree on the used keys and other
+ parameters with some off-line mechanism.
+
+ The use of IKEv1 with Mobile IPv6 is documented in more detail in
+ [21]. The following should be observed from the use of IKEv1:
+
+ o It is necessary to prevent a mobile node from claiming another
+ mobile node's home address. The home agent must verify that the
+ mobile node trying to negotiate the SA for a particular home
+ address is authorized for that home address. This implies that
+ even with the use of IKE, a policy entry needs to be configured
+ for each home address served by the home agent.
+
+ It may be possible to include home addresses in the Subject
+ AltName field of certificate to avoid this. However,
+ implementations are not guaranteed to support the use of a
+ particular IP address (care-of address) while another address
+ (home address) appears in the certificate. In any case, even this
+ approach would require user-specific tasks in the certificate
+ authority.
+
+ o If preshared secret authentication is used, IKEv1 main mode cannot
+ be used. Aggressive mode or group preshared secrets need to be
+ used with corresponding security implications instead.
+
+ Note that, like many other issues, this is a general IKEv1 issue
+ related to the ability to use different IP addresses, and not
+ specifically related to Mobile IPv6. For further information, see
+ Section 4.4 in [21].
+
+ o Due to the problems outlined in Section 11.3.2, IKE phase 1
+ between the mobile node and its home agent is established using
+ the mobile node's current care-of address. This implies that when
+ the mobile node moves to a new location, it may have to re-
+ establish phase 1. A Key Management Mobility Capability (K) flag
+
+
+
+
+Johnson, et al. Standard Track [Page 147]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ is provided for implementations that can update the IKE phase 1
+ endpoints without re-establishing phase 1, but the support for
+ this behavior is optional.
+
+ o When certificates are used, IKE fragmentation can occur as
+ discussed in Section 7 in [21].
+
+ o Nevertheless, even if per-mobile node configuration is required
+ with IKE, an important benefit of IKE is that it automates the
+ negotiation of cryptographic parameters, including the SPIs,
+ cryptographic algorithms, and so on. Thus, less configuration
+ information is needed.
+
+ o The frequency of movements in some link layers or deployment
+ scenarios may be high enough to make replay and reordering attacks
+ possible, if only manual keying is used. IKE SHOULD be used in
+ such cases. Potentially vulnerable scenarios involve continuous
+ movement through small cells, or uncontrolled alternation between
+ available network attachment points.
+
+ o Similarly, in some deployment scenarios the number of mobile nodes
+ may be very large. In these cases, it can be necessary to use
+ automatic mechanisms to reduce the management effort in the
+ administration of cryptographic parameters, even if some per-
+ mobile node configuration is always needed. IKE SHOULD also be
+ used in such cases.
+
+ o Other automatic key management mechanisms exist beyond IKEv1, but
+ this document does not address the issues related to them. We
+ note, however, that most of the above discussion applies to IKEv2
+ [30] as well, at least as it is currently specified.
+
+15.4. Binding Updates to Correspondent Nodes
+
+ The motivation for designing the return routability procedure was to
+ have sufficient support for Mobile IPv6, without creating significant
+ new security problems. The goal for this procedure was not to
+ protect against attacks that were already possible before the
+ introduction of Mobile IPv6.
+
+ The next sections will describe the security properties of the used
+ method, both from the point of view of possible on-path attackers who
+ can see those cryptographic values that have been sent in the clear
+ (Section 15.4.2 and Section 15.4.3) and from the point of view of
+ other attackers (Section 15.4.6).
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 148]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+15.4.1. Overview
+
+ The chosen infrastructureless method verifies that the mobile node is
+ "live" (that is, it responds to probes) at its home and care-of
+ addresses. Section 5.2 describes the return routability procedure in
+ detail. The procedure uses the following principles:
+
+ o A message exchange verifies that the mobile node is reachable at
+ its addresses, i.e., is at least able to transmit and receive
+ traffic at both the home and care-of addresses.
+
+ o The eventual Binding Update is cryptographically bound to the
+ tokens supplied in the exchanged messages.
+
+ o Symmetric exchanges are employed to avoid the use of this protocol
+ in reflection attacks. In a symmetric exchange, the responses are
+ always sent to the same address the request was sent from.
+
+ o The correspondent node operates in a stateless manner until it
+ receives a fully authorized Binding Update.
+
+ o Some additional protection is provided by encrypting the tunnels
+ between the mobile node and home agent with IPsec ESP. As the
+ tunnel also transports the nonce exchanges, the ability of
+ attackers to see these nonces is limited. For instance, this
+ prevents attacks from being launched from the mobile node's
+ current foreign link, even when no link-layer confidentiality is
+ available.
+
+ The resulting level of security is in theory the same even without
+ this additional protection: the return routability tokens are
+ still exposed only to one path within the whole Internet.
+ However, the mobile nodes are often found on an insecure link,
+ such as a public access Wireless LAN. Thus, in many cases, this
+ addition makes a practical difference.
+
+ For further information about the design rationale of the return
+ routability procedure, see [27, 34, 33, 32]. The mechanisms used
+ have been adopted from these documents.
+
+15.4.2. Achieved Security Properties
+
+ The return routability procedure protects Binding Updates against all
+ attackers who are unable to monitor the path between the home agent
+ and the correspondent node. The procedure does not defend against
+ attackers who can monitor this path. Note that such attackers are in
+ any case able to mount an active attack against the mobile node when
+
+
+
+
+Johnson, et al. Standard Track [Page 149]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ it is at its home location. The possibility of such attacks is not
+ an impediment to the deployment of Mobile IPv6 because these attacks
+ are possible regardless of whether or not Mobile IPv6 is in use.
+
+ This procedure also protects against Denial-of-Service attacks in
+ which the attacker pretends to be mobile, but uses the victim's
+ address as the care-of address. This would cause the correspondent
+ node to send the victim some unexpected traffic. This procedure
+ defends against these attacks by requiring at least the passive
+ presence of the attacker at the care-of address or on the path from
+ the correspondent to the care-of address. Normally, this will be the
+ mobile node.
+
+15.4.3. Comparison to Regular IPv6 Communications
+
+ This section discusses the protection offered by the return
+ routability method by comparing it to the security of regular IPv6
+ communications. We will divide vulnerabilities into three classes:
+ (1) those related to attackers on the local network of the mobile
+ node, home agent, or the correspondent node, (2) those related to
+ attackers on the path between the home network and the correspondent
+ node, and (3) off-path attackers, i.e., the rest of the Internet.
+
+ We will now discuss the vulnerabilities of regular IPv6
+ communications. The on-link vulnerabilities of IPv6 communications
+ include Denial-of-Service, Masquerading, Man-in-the-Middle,
+ Eavesdropping, and other attacks. These attacks can be launched
+ through spoofing Router Discovery, Neighbor Discovery and other IPv6
+ mechanisms. Some of these attacks can be prevented with the use of
+ cryptographic protection in the packets.
+
+ A similar situation exists with on-path attackers. That is, without
+ cryptographic protection, the traffic is completely vulnerable.
+
+ Assuming that attackers have not penetrated the security of the
+ Internet routing protocols, attacks are much harder to launch from
+ off-path locations. Attacks that can be launched from these
+ locations are mainly Denial-of-Service attacks, such as flooding and/
+ or reflection attacks. It is not possible for an off-path attacker
+ to become a Man-in-the-Middle.
+
+ Next, we will consider the vulnerabilities that exist when IPv6 is
+ used together with Mobile IPv6 and the return routability procedure.
+ On the local link, the vulnerabilities are the same as those in IPv6,
+ but Masquerade and Man-in-the-Middle attacks can now also be launched
+ against future communications, and not just against current
+ communications. If a Binding Update was sent while the attacker was
+ present on the link, its effects remain for the lifetime of the
+
+
+
+Johnson, et al. Standard Track [Page 150]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ binding. This happens even if the attacker moves away from the link.
+ In contrast, an attacker who uses only plain IPv6 generally has to
+ stay on the link in order to continue the attack. Note that in order
+ to launch these new attacks, the IP address of the victim must be
+ known. This makes this attack feasible, mainly in the context of
+ well-known interface IDs, such as those already appearing in the
+ traffic on the link or registered in the DNS.
+
+ On-path attackers can exploit similar vulnerabilities as in regular
+ IPv6. There are some minor differences, however. Masquerade, Man-
+ in-the-Middle, and Denial-of-Service attacks can be launched with
+ just the interception of a few packets, whereas in regular IPv6 it is
+ necessary to intercept every packet. The effect of the attacks is
+ the same regardless of the method, however. In any case, the most
+ difficult task an attacker faces in these attacks is getting on the
+ right path.
+
+ The vulnerabilities for off-path attackers are the same as in regular
+ IPv6. Those nodes that are not on the path between the home agent
+ and the correspondent node will not be able to receive the home
+ address probe messages.
+
+ In conclusion, we can state the following main results from this
+ comparison:
+
+ o Return routability prevents any off-path attacks beyond those that
+ are already possible in regular IPv6. This is the most important
+ result, preventing attackers on the Internet from exploiting any
+ vulnerabilities.
+
+ o Vulnerabilities to attackers on the home agent link, the
+ correspondent node link, and the path between them are roughly the
+ same as in regular IPv6.
+
+ o However, one difference is that in basic IPv6 an on-path attacker
+ must be constantly present on the link or the path, whereas with
+ Mobile IPv6, an attacker can leave a binding behind after moving
+ away.
+
+ For this reason, this specification limits the creation of
+ bindings to at most MAX_TOKEN_LIFETIME seconds after the last
+ routability check has been performed, and limits the duration of a
+ binding to at most MAX_RR_BINDING_LIFETIME seconds. With these
+ limitations, attackers cannot take any practical advantages of
+ this vulnerability.
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 151]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ o There are some other minor differences, such as an effect to the
+ Denial-of-Service vulnerabilities. These can be considered to be
+ insignificant.
+
+ o The path between the home agent and a correspondent node is
+ typically easiest to attack on the links at either end, in
+ particular if these links are publicly accessible wireless LANs.
+
+ Attacks against the routers or switches on the path are typically
+ harder to accomplish. The security on layer 2 of the links plays
+ then a major role in the resulting overall network security.
+ Similarly, security of IPv6 Neighbor and Router Discovery on these
+ links has a large impact. If these were secured using some new
+ technology in the future, this could change the situation
+ regarding the easiest point of attack.
+
+ For a more in-depth discussion of these issues, see [32].
+
+15.4.4. Replay Attacks
+
+ The return routability procedure also protects the participants
+ against replayed Binding Updates. The attacker is unable replay the
+ same message due to the sequence number which is a part of the
+ Binding Update. It is also unable to modify the Binding Update since
+ the MAC verification would fail after such a modification.
+
+ Care must be taken when removing bindings at the correspondent node,
+ however. If a binding is removed while the nonce used in its
+ creation is still valid, an attacker could replay the old Binding
+ Update. Rules outlined in Section 5.2.8 ensure that this cannot
+ happen.
+
+15.4.5. Denial-of-Service Attacks
+
+ The return routability procedure has protection against resource
+ exhaustion Denial-of-Service attacks. The correspondent nodes do not
+ retain any state about individual mobile nodes until an authentic
+ Binding Update arrives. This is achieved through the construct of
+ keygen tokens from the nonces and node keys that are not specific to
+ individual mobile nodes. The keygen tokens can be reconstructed by
+ the correspondent node, based on the home and care-of address
+ information that arrives with the Binding Update. This means that
+ the correspondent nodes are safe against memory exhaustion attacks
+ except where on-path attackers are concerned. Due to the use of
+ symmetric cryptography, the correspondent nodes are relatively safe
+ against CPU resource exhaustion attacks as well.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 152]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Nevertheless, as [27] describes, there are situations in which it is
+ impossible for the mobile and correspondent nodes to determine if
+ they actually need a binding or whether they just have been fooled
+ into believing so by an attacker. Therefore, it is necessary to
+ consider situations where such attacks are being made.
+
+ Even if route optimization is a very important optimization, it is
+ still only an optimization. A mobile node can communicate with a
+ correspondent node even if the correspondent refuses to accept any
+ Binding Updates. However, performance will suffer because packets
+ from the correspondent node to the mobile node will be routed via the
+ mobile's home agent rather than a more direct route. A correspondent
+ node can protect itself against some of these resource exhaustion
+ attacks as follows. If the correspondent node is flooded with a
+ large number of Binding Updates that fail the cryptographic integrity
+ checks, it can stop processing Binding Updates. If a correspondent
+ node finds that it is spending more resources on checking bogus
+ Binding Updates than it is likely to save by accepting genuine
+ Binding Updates, then it may silently discard some or all Binding
+ Updates without performing any cryptographic operations.
+
+ Layers above IP can usually provide additional information to help
+ decide if there is a need to establish a binding with a specific
+ peer. For example, TCP knows if the node has a queue of data that it
+ is trying to send to a peer. An implementation of this specification
+ is not required to make use of information from higher protocol
+ layers, but some implementations are likely to be able to manage
+ resources more effectively by making use of such information.
+
+ We also require that all implementations be capable of
+ administratively disabling route optimization.
+
+15.4.6. Key Lengths
+
+ Attackers can try to break the return routability procedure in many
+ ways. Section 15.4.2 discusses the situation where the attacker can
+ see the cryptographic values sent in the clear, and Section 15.4.3
+ discusses the impact this has on IPv6 communications. This section
+ discusses whether attackers can guess the correct values without
+ seeing them.
+
+ While the return routability procedure is in progress, 64 bit cookies
+ are used to protect spoofed responses. This is believed to be
+ sufficient, given that to blindly spoof a response a very large
+ number of messages would have to be sent before success would be
+ probable.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 153]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ The tokens used in the return routability procedure provide together
+ 128 bits of information. This information is used internally as
+ input to a hash function to produce a 160 bit quantity suitable for
+ producing the keyed hash in the Binding Update using the HMAC_SHA1
+ algorithm. The final keyed hash length is 96 bits. The limiting
+ factors in this case are the input token lengths and the final keyed
+ hash length. The internal hash function application does not reduce
+ the entropy.
+
+ The 96 bit final keyed hash is of typical size and is believed to be
+ secure. The 128 bit input from the tokens is broken in two pieces,
+ the home keygen token and the care-of keygen token. An attacker can
+ try to guess the correct cookie value, but again this would require a
+ large number of messages (an the average 2**63 messages for one or
+ 2**127 for two). Furthermore, given that the cookies are valid only
+ for a short period of time, the attack has to keep a high constant
+ message rate to achieve a lasting effect. This does not appear
+ practical.
+
+ When the mobile node is returning home, it is allowed to use just the
+ home keygen token of 64 bits. This is less than 128 bits, but
+ attacking it blindly would still require a large number of messages
+ to be sent. If the attacker is on the path and capable of seeing the
+ Binding Update, it could conceivably break the keyed hash with brute
+ force. However, in this case the attacker has to be on the path,
+ which appears to offer easier ways for denial-of-service than
+ preventing route optimization.
+
+15.5. Dynamic Home Agent Address Discovery
+
+ The dynamic home agent address discovery function could be used to
+ learn the addresses of home agents in the home network.
+
+ The ability to learn addresses of nodes may be useful to attackers
+ because brute-force scanning of the address space is not practical
+ with IPv6. Thus, they could benefit from any means which make
+ mapping the networks easier. For example, if a security threat
+ targeted at routers or even home agents is discovered, having a
+ simple ICMP mechanism to easily find out possible targets may prove
+ to be an additional (though minor) security risk.
+
+ Apart from discovering the address(es) of home agents, attackers will
+ not be able to learn much from this information, and mobile nodes
+ cannot be tricked into using wrong home agents, as all other
+ communication with the home agents is secure.
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 154]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+15.6. Mobile Prefix Discovery
+
+ The mobile prefix discovery function may leak interesting information
+ about network topology and prefix lifetimes to eavesdroppers; for
+ this reason, requests for this information has to be authenticated.
+ Responses and unsolicited prefix information needs to be
+ authenticated to prevent the mobile nodes from being tricked into
+ believing false information about the prefixes and possibly
+ preventing communications with the existing addresses. Optionally,
+ encryption may be applied to prevent leakage of the prefix
+ information.
+
+15.7. Tunneling via the Home Agent
+
+ Tunnels between the mobile node and the home agent can be protected
+ by ensuring proper use of source addresses, and optional
+ cryptographic protection. These procedures are discussed in Section
+ 5.5.
+
+ Binding Updates to the home agents are secure. When receiving
+ tunneled traffic, the home agent verifies that the outer IP address
+ corresponds to the current location of the mobile node. This acts as
+ a weak form of protection against spoofing packets that appear to
+ come from the mobile node. This is particularly useful, if no end-
+ to-end security is being applied between the mobile and correspondent
+ nodes. The outer IP address check prevents attacks where the
+ attacker is controlled by ingress filtering. It also prevents
+ attacks when the attacker does not know the current care-of address
+ of the mobile node. Attackers who know the care-of address and are
+ not controlled by ingress filtering could still send traffic through
+ the home agent. This includes attackers on the same local link as
+ the mobile node is currently on. But such attackers could send
+ packets that appear to come from the mobile node without attacking
+ the tunnel; the attacker could simply send packets with the source
+ address set to the mobile node's home address. However, this attack
+ does not work if the final destination of the packet is in the home
+ network, and some form of perimeter defense is being applied for
+ packets sent to those destinations. In such cases it is recommended
+ that either end-to-end security or additional tunnel protection be
+ applied, as is usual in remote access situations.
+
+ Home agents and mobile nodes may use IPsec ESP to protect payload
+ packets tunneled between themselves. This is useful for protecting
+ communications against attackers on the path of the tunnel.
+
+ When site local home addresses are used, reverse tunneling can be
+ used to send site local traffic from another location.
+ Administrators should be aware of this when allowing such home
+
+
+
+Johnson, et al. Standard Track [Page 155]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ addresses. In particular, the outer IP address check described above
+ is not sufficient against all attackers. The use of encrypted
+ tunnels is particularly useful for these kinds of home addresses.
+
+15.8. Home Address Option
+
+ When the mobile node sends packets directly to the correspondent
+ node, the Source Address field of the packet's IPv6 header is the
+ care-of address. Therefore, ingress filtering [26] works in the
+ usual manner even for mobile nodes, as the Source Address is
+ topologically correct. The Home Address option is used to inform the
+ correspondent node of the mobile node's home address.
+
+ However, the care-of address in the Source Address field does not
+ survive in replies sent by the correspondent node unless it has a
+ binding for this mobile node. Also, not all attacker tracing
+ mechanisms work when packets are being reflected through
+ correspondent nodes using the Home Address option. For these
+ reasons, this specification restricts the use of the Home Address
+ option. It may only be used when a binding has already been
+ established with the participation of the node at the home address,
+ as described in Section 5.5 and Section 6.3. This prevents
+ reflection attacks through the use of the Home Address option. It
+ also ensures that the correspondent nodes reply to the same address
+ that the mobile node sends traffic from.
+
+ No special authentication of the Home Address option is required
+ beyond the above, but note that if the IPv6 header of a packet is
+ covered by IPsec Authentication Header, then that authentication
+ covers the Home Address option as well. Thus, even when
+ authentication is used in the IPv6 header, the security of the Source
+ Address field in the IPv6 header is not compromised by the presence
+ of a Home Address option. Without authentication of the packet, any
+ field in the IPv6 header, including the Source Address field or any
+ other part of the packet and the Home Address option can be forged or
+ modified in transit. In this case, the contents of the Home Address
+ option is no more suspect than any other part of the packet.
+
+15.9. Type 2 Routing Header
+
+ The definition of the type 2 routing header is described in Section
+ 6.4. This definition and the associated processing rules have been
+ chosen so that the header cannot be used for what is traditionally
+ viewed as source routing. In particular, the Home Address in the
+ routing header will always have to be assigned to the home address of
+ the receiving node; otherwise the packet will be dropped.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 156]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Generally, source routing has a number of security concerns. These
+ include the automatic reversal of unauthenticated source routes
+ (which is an issue for IPv4, but not for IPv6). Another concern is
+ the ability to use source routing to "jump" between nodes inside, as
+ well as outside a firewall. These security concerns are not issues
+ in Mobile IPv6, due to the rules mentioned above.
+
+ In essence the semantics of the type 2 routing header is the same as
+ a special form of IP-in-IP tunneling where the inner and outer source
+ addresses are the same.
+
+ This implies that a device which implements the filtering of packets
+ should be able to distinguish between a type 2 routing header and
+ other routing headers, as required in Section 8.3. This is necessary
+ in order to allow Mobile IPv6 traffic while still having the option
+ of filtering out other uses of routing headers.
+
+16. Contributors
+
+ Tuomas Aura, Mike Roe, Greg O'Shea, Pekka Nikander, Erik Nordmark,
+ and Michael Thomas worked on the return routability protocols
+ eventually led to the procedures used in this protocol. The
+ procedures described in [34] were adopted in the protocol.
+
+ Significant contributions were made by members of the Mobile IPv6
+ Security Design Team, including (in alphabetical order) Gabriel
+ Montenegro, Erik Nordmark and Pekka Nikander.
+
+17. Acknowledgements
+
+ We would like to thank the members of the Mobile IP and IPng Working
+ Groups for their comments and suggestions on this work. We would
+ particularly like to thank (in alphabetical order) Fred Baker, Josh
+ Broch, Samita Chakrabarti, Robert Chalmers, Noel Chiappa, Greg Daley,
+ Vijay Devarapalli, Rich Draves, Francis Dupont, Thomas Eklund, Jun-
+ Ichiro Itojun Hagino, Brian Haley, Marc Hasson, John Ioannidis, James
+ Kempf, Rajeev Koodli, Krishna Kumar, T.J. Kniveton, Joe Lau, Jiwoong
+ Lee, Aime Le Rouzic, Vesa-Matti Mantyla, Kevin Miles, Glenn Morrow,
+ Thomas Narten, Karen Nielsen, Simon Nybroe, David Oran, Brett
+ Pentland, Lars Henrik Petander, Basavaraj Patil, Mohan Parthasarathy,
+ Alexandru Petrescu, Mattias Petterson, Ken Powell, Phil Roberts, Ed
+ Remmell, Patrice Romand, Luis A. Sanchez, Jeff Schiller, Pekka
+ Savola, Arvind Sevalkar, Keiichi Shima, Tom Soderlund, Hesham
+ Soliman, Jim Solomon, Tapio Suihko, Dave Thaler, Benny Van Houdt,
+ Jon-Olov Vatn, Carl E. Williams, Vladislav Yasevich, Alper Yegin, and
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 157]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ Xinhua Zhao, for their detailed reviews of earlier versions of this
+ document. Their suggestions have helped to improve both the design
+ and presentation of the protocol.
+
+ We would also like to thank the participants of the Mobile IPv6
+ testing event (1999), implementors who participated in Mobile IPv6
+ interoperability testing at Connectathons (2000, 2001, 2002, and
+ 2003), and the participants at the ETSI interoperability testing
+ (2000, 2002). Finally, we would like to thank the TAHI project who
+ has provided test suites for Mobile IPv6.
+
+18. References
+
+18.1. Normative References
+
+ [1] Eastlake 3rd., D., Crocker, S. and J. Schiller, "Randomness
+ Recommendations for Security", RFC 1750, December 1994.
+
+ [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [3] Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6)
+ Addressing Architecture", RFC 3513, April 2003.
+
+ [4] Kent, S. and R. Atkinson, "Security Architecture for the
+ Internet Protocol", RFC 2401, November 1998.
+
+ [5] Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402,
+ November 1998.
+
+ [6] Kent, S. and R. Atkinson, "IP Encapsulating Security Payload
+ (ESP)", RFC 2406, November 1998.
+
+ [7] Piper, D., "The Internet IP Security Domain of Interpretation
+ for ISAKMP", RFC 2407, November 1998.
+
+ [8] Maughan, D., Schertler, M., Schneider, M. and J. Turner,
+ "Internet Security Association and Key Management Protocol
+ (ISAKMP)", RFC 2408, November 1998.
+
+ [9] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
+ RFC 2409, November 1998.
+
+ [10] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+ Considerations Section in RFCs", BCP 26, RFC 2434, October
+ 1998.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 158]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ [11] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
+ Specification", RFC 2460, December 1998.
+
+ [12] Narten, T., Nordmark, E. and W. Simpson, "Neighbor Discovery
+ for IP Version 6 (IPv6)", RFC 2461, December 1998.
+
+ [13] Thomson, S. and T. Narten, "IPv6 Stateless Address
+ Autoconfiguration", RFC 2462, December 1998.
+
+ [14] Conta, A. and S. Deering, "Internet Control Message Protocol
+ (ICMPv6) for the Internet Protocol Version 6 (IPv6)
+ Specification", RFC 2463, December 1998.
+
+ [15] Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6
+ Specification", RFC 2473, December 1998.
+
+ [16] Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast
+ Addresses", RFC 2526, March 1999.
+
+ [17] Deering, S., Fenner, W. and B. Haberman, "Multicast Listener
+ Discovery (MLD) for IPv6", RFC 2710, October 1999.
+
+ [18] Narten, T. and R. Draves, "Privacy Extensions for Stateless
+ Address Autoconfiguration in IPv6", RFC 3041, January 2001.
+
+ [19] Reynolds, J., Ed., "Assigned Numbers: RFC 1700 is Replaced by
+ an On-line Database", RFC 3232, January 2002.
+
+ [20] National Institute of Standards and Technology, "Secure Hash
+ Standard", FIPS PUB 180-1, April 1995, <http://
+ www.itl.nist.gov/fipspubs/fip180-1.htm>.
+
+ [21] Arkko, J., Devarapalli, V. and F. Dupont, "Using IPsec to
+ Protect Mobile IPv6 Signaling Between Mobile Nodes and Home
+ Agents", RFC 3776, June 2004.
+
+18.2. Informative References
+
+ [22] Perkins, C., Ed., "IP Mobility Support for IPv4", RFC 3344,
+ August 2002.
+
+ [23] Perkins, C., "IP Encapsulation within IP", RFC 2003, October
+ 1996.
+
+ [24] Perkins, C., "Minimal Encapsulation within IP", RFC 2004,
+ October 1996.
+
+
+
+
+
+Johnson, et al. Standard Track [Page 159]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+ [25] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing
+ for Message Authentication", RFC 2104, February 1997.
+
+ [26] Ferguson, P. and D. Senie, "Network Ingress Filtering:
+ Defeating Denial of Service Attacks which employ IP Source
+ Address Spoofing", BCP 38, RFC 2827, May 2000.
+
+ [27] Aura, T. and J. Arkko, "MIPv6 BU Attacks and Defenses", Work in
+ Progress, March 2002.
+
+ [28] Bellovin, S., "Guidelines for Mandating Automated Key
+ Management", Work in Progress, August 2003.
+
+ [29] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, C. and
+ M. Carney, "Dynamic Host Configuration Protocol for IPv6
+ (DHCPv6)", RFC 3315, July 2003.
+
+ [30] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", Work in
+ Progress, April 2003.
+
+ [31] Draves, R., "Default Address Selection for Internet Protocol
+ version 6 (IPv6)", RFC 3484, February 2003.
+
+ [32] Nikander, P., Aura, T., Arkko, J., Montenegro, G. and E.
+ Nordmark, "Mobile IP version 6 Route Optimization Security
+ Design Background", Work in Progress, April 2003.
+
+ [33] Nordmark, E., "Securing MIPv6 BUs using return routability
+ (BU3WAY)", Work in Progress, November 2001.
+
+ [34] Roe, M., Aura, T., O'Shea, G. and J. Arkko, "Authentication of
+ Mobile IPv6 Binding Updates and Acknowledgments", Work in
+ Progress, March 2002.
+
+ [35] Savola, P., "Use of /127 Prefix Length Between Routers
+ Considered Harmful", RFC 3627, September 2003.
+
+ [36] Savola, P., "Security of IPv6 Routing Header and Home Address
+ Options", Work in Progress, December 2002.
+
+ [37] Vida, R. and L. Costa, Eds., "Multicast Listener Discovery
+ Version 2 (MLDv2) for IPv6", RFC 3810, June 2004.
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 160]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+Appendix A. Future Extensions
+
+A.1. Piggybacking
+
+ This document does not specify how to piggyback payload packets on
+ the binding related messages. However, it is envisioned that this
+ can be specified in a separate document when issues such as the
+ interaction between piggybacking and IPsec are fully resolved (see
+ also Appendix A.3). The return routability messages can indicate
+ support for piggybacking with a new mobility option.
+
+A.2. Triangular Routing
+
+ Due to the concerns about opening reflection attacks with the Home
+ Address destination option, this specification requires that this
+ option be verified against the Binding Cache, i.e., there must be a
+ Binding Cache entry for the Home Address and Care-of Address.
+
+ Future extensions may be specified that allow the use of unverified
+ Home Address destination options in ways that do not introduce
+ security issues.
+
+A.3. New Authorization Methods
+
+ While the return routability procedure provides a good level of
+ security, there exist methods that have even higher levels of
+ security. Secondly, as discussed in Section 15.4, future
+ enhancements of IPv6 security may cause a need to also improve the
+ security of the return routability procedure. Using IPsec as the
+ sole method for authorizing Binding Updates to correspondent nodes is
+ also possible. The protection of the Mobility Header for this
+ purpose is easy, though one must ensure that the IPsec SA was created
+ with appropriate authorization to use the home address referenced in
+ the Binding Update. For instance, a certificate used by IKE to
+ create the security association might contain the home address. A
+ future specification may specify how this is done.
+
+A.4. Dynamically Generated Home Addresses
+
+ A future version of this specification may include functionality that
+ allows the generation of new home addresses without requiring pre-
+ arranged security associations or certificates even for the new
+ addresses.
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 161]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+A.5. Remote Home Address Configuration
+
+ The method for initializing a mobile node's home address upon power-
+ up or after an extended period of being disconnected from the network
+ is beyond the scope of this specification. Whatever procedure is
+ used should result in the mobile node having the same stateless or
+ stateful (e.g., DHCPv6) home address autoconfiguration information it
+ would have if it were attached to the home network. Due to the
+ possibility that the home network could be renumbered while the
+ mobile node is disconnected, a robust mobile node would not rely
+ solely on storing these addresses locally.
+
+ Such a mobile node could be initialized by using the following
+ procedure:
+
+ 1. Generate a care-of address.
+
+ 2. Query DNS for an anycast address associated with the FQDN of the
+ home agent(s).
+
+ 3. Perform home agent address discovery, and select a home agent.
+
+ 4. Configure one home address based on the selected home agent's
+ subnet prefix and the interface identifier of the mobile node.
+
+ 5. Create security associations and security policy database entries
+ for protecting the traffic between the selected home address and
+ home agent.
+
+ 6. Perform a home registration on the selected home agent.
+
+ 7. Perform mobile prefix discovery.
+
+ 8. Make a decision if further home addresses need to be configured.
+
+ This procedure is restricted to those situations where the home
+ prefix is 64 bits and the mobile node knows its own interface
+ identifier, which is also 64 bits.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 162]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+A.6. Neighbor Discovery Extensions
+
+ Future specifications may improve the efficiency of Neighbor
+ Discovery tasks, which could be helpful for fast movements. One
+ factor is currently being looked at: the delays caused by the
+ Duplicate Address Detection mechanism. Currently, Duplicate Address
+ Detection needs to be performed for every new care-of address as the
+ mobile node moves, and for the mobile node's link-local address on
+ every new link. In particular, the need and the trade-offs of re-
+ performing Duplicate Address Detection for the link-local address
+ every time the mobile node moves on to new links will need to be
+ examined. Improvements in this area are, however, generally
+ applicable and progress independently from the Mobile IPv6
+ specification.
+
+ Future functional improvements may also be relevant for Mobile IPv6
+ and other applications. For instance, mechanisms that would allow
+ recovery from a Duplicate Address Detection collision would be useful
+ for link-local, care-of, and home addresses.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 163]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+Authors' Addresses
+
+ David B. Johnson
+ Rice University
+ Dept. of Computer Science, MS 132
+ 6100 Main Street
+ Houston TX 77005-1892
+ USA
+
+ EMail: dbj@cs.rice.edu
+
+
+ Charles E. Perkins
+ Nokia Research Center
+ 313 Fairchild Drive
+ Mountain View CA 94043
+ USA
+
+ EMail: charliep@iprg.nokia.com
+
+
+ Jari Arkko
+ Ericsson
+ 02420 Jorvas
+ Finland
+
+ EMail: jari.arkko@ericsson.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 164]
+
+RFC 3775 Mobility Support in IPv6 June 2004
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+Johnson, et al. Standard Track [Page 165]
+