1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
|
Network Working Group G. Montenegro, Editor
Request for Comments: 2344 Sun Microsystems, Inc.
Category: Standards Track May 1998
Reverse Tunneling for Mobile IP
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
Abstract
Mobile IP uses tunneling from the home agent to the mobile node's
care-of address, but rarely in the reverse direction. Usually, a
mobile node sends its packets through a router on the foreign
network, and assumes that routing is independent of source address.
When this assumption is not true, it is convenient to establish a
topologically correct reverse tunnel from the care-of address to the
home agent.
This document proposes backwards-compatible extensions to Mobile IP
in order to support topologically correct reverse tunnels. This
document does not attempt to solve the problems posed by firewalls
located between the home agent and the mobile node's care-of address.
Table of Contents
1. Introduction ................................................ 2
1.1. Terminology ............................................... 3
1.2. Assumptions ............................................... 4
1.3. Justification ............................................. 4
2. Overview .................................................... 4
3. New Packet Formats .......................................... 5
3.1. Mobility Agent Advertisement Extension .................... 5
3.2. Registration Request ...................................... 5
3.3. Encapsulating Delivery Style Extension .................... 6
3.4. New Registration Reply Codes .............................. 7
4. Changes in Protocol Behavior ................................ 8
4.1. Mobile Node Considerations ................................ 8
Montenegro Standards Track [Page 1]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
4.1.1. Sending Registration Requests to the Foreign Agent ...... 8
4.1.2. Receiving Registration Replies from the Foreign Agent ... 9
4.2. Foreign Agent Considerations .............................. 9
4.2.1. Receiving Registration Requests from the Mobile Node ... 10
4.2.2. Relaying Registration Requests to the Home Agent ....... 10
4.3. Home Agent Considerations ................................ 10
4.3.1. Receiving Registration Requests from the Foreign Agent . 11
4.3.2. Sending Registration Replies to the Foreign Agent ...... 11
5. Mobile Node to Foreign Agent Delivery Styles ............... 12
5.1. Direct Delivery Style .................................... 12
5.1.1. Packet Processing ...................................... 12
5.1.2. Packet Header Format and Fields ........................ 12
5.2. Encapsulating Delivery Style ............................. 13
5.2.1 Packet Processing ....................................... 13
5.2.2. Packet Header Format and Fields ........................ 14
5.3. Support for Broadcast and Multicast Datagrams ............ 15
5.4. Selective Reverse Tunneling .............................. 15
6. Security Considerations .................................... 16
6.1. Reverse-tunnel Hijacking and Denial-of-Service Attacks ... 16
6.2. Ingress Filtering ........................................ 17
7. Acknowledgements ........................................... 17
References .................................................... 17
Editor and Chair Addresses .................................... 18
Full Copyright Statement ...................................... 19
1. Introduction
Section 1.3 of the Mobile IP specification [1] lists the following
assumption:
It is assumed that IP unicast datagrams are routed based on the
destination address in the datagram header (i.e., not by source
address).
Because of security concerns (for example, IP spoofing attacks), and
in accordance with RFC 2267 [8] and CERT [3] advisories to this
effect, routers that break this assumption are increasingly more
common.
In the presence of such routers, the source and destination IP
address in a packet must be topologically correct. The forward tunnel
complies with this, as its endpoints (home agent address and care-of
address) are properly assigned addresses for their respective
locations. On the other hand, the source IP address of a packet
transmitted by the mobile node does not correspond to the network
prefix from where it emanates.
This document discusses topologically correct reverse tunnels.
Montenegro Standards Track [Page 2]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
Mobile IP does dictate the use of reverse tunnels in the context of
multicast datagram routing and mobile routers. However, the source IP
address is set to the mobile node's home address, so these tunnels
are not topologically correct.
Notice that there are several uses for reverse tunnels regardless of
their topological correctness:
- Mobile routers: reverse tunnels obviate the need for recursive
tunneling [1].
- Multicast: reverse tunnels enable a mobile node away from home
to (1) join multicast groups in its home network, and (2)
transmit multicast packets such that they emanate from its home
network [1].
- The TTL of packets sent by the mobile node (for example, when
sending packets to other hosts in its home network) may be so
low that they might expire before reaching their destination. A
reverse tunnel solves the problem as it represents a TTL
decrement of one [5].
1.1. Terminology
The discussion below uses terms defined in the Mobile IP
specification. Additionally, it uses the following terms:
Forward Tunnel
A tunnel that shuttles packets towards the mobile node. It
starts at the home agent, and ends at the mobile node's care-of
address.
Reverse Tunnel
A tunnel that starts at the mobile node's care-of address and
terminates at the home agent.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [9].
Montenegro Standards Track [Page 3]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
1.2. Assumptions
Mobility is constrained to a common IP address space (that is, the
routing fabric between, say, the mobile node and the home agent is
not partitioned into a "private" and a "public" network).
This document does not attempt to solve the firewall traversal
problem. Rather, it assumes one of the following is true:
- There are no intervening firewalls along the path of the
tunneled packets.
- Any intervening firewalls share the security association
necessary to process any authentication [6] or encryption [7]
headers which may have been added to the tunneled packets.
The reverse tunnels considered here are symmetric, that is, they use
the same configuration (encapsulation method, IP address endpoints)
as the forward tunnel. IP in IP encapsulation [2] is assumed unless
stated otherwise.
Route optimization [4] introduces forward tunnels initiated at a
correspondent host. Since a mobile node may not know if the
correspondent host can decapsulate packets, reverse tunnels in that
context are not discussed here.
1.3. Justification
Why not let the mobile node itself initiate the tunnel to the home
agent? This is indeed what it should do if it is already operating
with a topologically correct co-located care-of address.
However, one of the primary objectives of the Mobile IP specification
is not to require this mode of operation.
The mechanisms outlined in this document are primarily intended for
use by mobile nodes that rely on the foreign agent for forward tunnel
support. It is desirable to continue supporting these mobile nodes,
even in the presence of filtering routers.
2. Overview
A mobile node arrives at a foreign network, listens for agent
advertisements and selects a foreign agent that supports reverse
tunnels. It requests this service when it registers through the
selected foreign agent. At this time, and depending on how the
Montenegro Standards Track [Page 4]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
mobile node wishes to deliver packets to the foreign agent, it also
requests either the Direct or the Encapsulating Delivery Style
(section 5).
In the Direct Delivery Style, the mobile node designates the foreign
agent as its default router and proceeds to send packets directly to
the foreign agent, that is, without encapsulation. The foreign agent
intercepts them, and tunnels them to the home agent.
In the Encapsulating Delivery Style, the mobile node encapsulates all
its outgoing packets to the foreign agent. The foreign agent
decapsulates and re-tunnels them to the home agent, using the foreign
agent's care-of address as the entry-point of this new tunnel.
3. New Packet Formats
3.1. Mobility Agent Advertisement Extension
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime |R|B|H|F|M|G|V|T| reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| zero or more Care-of Addresses |
| ... |
The only change to the Mobility Agent Advertisement Extension [1] is
the additional 'T' bit:
T Agent offers reverse tunneling service.
A foreign agent that sets the 'T' bit MUST support the two delivery
styles currently supported: Direct and Encapsulating Delivery Style
(section 5).
Using this information, a mobile node is able to choose a foreign
agent that supports reverse tunnels. Notice that if a mobile node
does not understand this bit, it simply ignores it as per [1].
3.2. Registration Request
Reverse tunneling support is added directly into the Registration
Request by using one of the "rsvd" bits. If a foreign or home agent
that does not support reverse tunnels receives a request with the 'T'
bit set, the Registration Request fails. This results in a
registration denial (failure codes are specified in section 3.4).
Montenegro Standards Track [Page 5]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
Most home agents would not object to providing reverse tunnel
support, because they "SHOULD be able to decapsulate and further
deliver packets addressed to themselves, sent by a mobile node" [1].
In the case of topologically correct reverse tunnels, the packets are
not sent by the mobile node as distinguished by its home address.
Rather, the outermost (encapsulating) IP source address on such
datagrams is the care-of address of the mobile node. Nevertheless,
home agents probably already support the required decapsulation and
further forwarding.
In Registration Requests sent by a mobile node, the Time to Live
field in the IP header MUST be set to 255. This limits a denial of
service attack in which malicious hosts send false Registration
Requests (see Section 6).
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type |S|B|D|M|G|V|T|-| Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Agent |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Care-of Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extensions ...
+-+-+-+-+-+-+-+-
The only change to the Registration Request packet is the additional
'T' bit:
T If the 'T' bit is set, the mobile node asks its home
agent to accept a reverse tunnel from the care-of
address. Mobile nodes using a foreign agent care-of
address ask the foreign agent to reverse-tunnel its
packets.
3.3. Encapsulating Delivery Style Extension
The Encapsulating Delivery Style Extension MAY be included by the
mobile node in registration requests to further specify reverse
tunneling behavior. It is expected to be used only by the foreign
agent. Accordingly, the foreign agent MUST consume this extension
(that is, it must not relay it to the home agent or include it in
Montenegro Standards Track [Page 6]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
replies to the mobile node). As per Section 3.6.1.3 of [1], the
mobile node MUST include the Encapsulating Delivery Style Extension
after the Mobile-Home Authentication Extension, and before the
Mobile-Foreign Authentication Extension, if present.
The Encapsulating Delivery Style Extension MUST NOT be included if
the 'T' bit is not set in the Registration Request.
If this extension is absent, Direct Delivery is assumed.
Encapsulation is done according to what was negotiated for the
forward tunnel (that is, IP in IP is assumed unless specified
otherwise). For more details on the delivery styles, please refer to
section 5.
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
130
Length
0
3.4. New Registration Reply Codes
Foreign and home agent registration replies MUST convey if the
reverse tunnel request failed. These new reply codes are defined:
Service denied by the foreign agent:
74 requested reverse tunnel unavailable
75 reverse tunnel is mandatory and 'T' bit not set
76 mobile node too distant
and
Service denied by the home agent:
137 requested reverse tunnel unavailable
138 reverse tunnel is mandatory and 'T' bit not set
139 requested encapsulation unavailable
Montenegro Standards Track [Page 7]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
In response to a Registration Request with the 'T' bit set, mobile
nodes may receive (and MUST accept) code 70 (poorly formed request)
from foreign agents and code 134 (poorly formed request) from home
agents. However, foreign and home agents that support reverse
tunneling MUST use codes 74 and 137, respectively.
Absence of the 'T' bit in a Registration Request MAY elicit denials
with codes 75 and 138 at the foreign agent and the home agent,
respectively.
Forward and reverse tunnels are symmetric, that is, both are able to
use the same tunneling options negotiated at registration. This
implies that the home agent MUST deny registrations if an unsupported
form of tunneling is requested (code 139). Notice that Mobile IP [1]
already defines the analogous failure code 72 for use by the foreign
agent.
4. Changes in Protocol Behavior
Unless otherwise specified, behavior specified by Mobile IP [1] is
assumed. In particular, if any two entities share a mobility security
association, they MUST use the appropriate Authentication Extension
(Mobile-Foreign, Foreign-Home or Mobile-Home Authentication
Extension) when exchanging registration protocol datagrams. The
Mobile-Home Authentication Extension MUST always be present.
Reverse tunneling imposes additional protocol processing requirements
on mobile entities. Differences in protocol behavior with respect to
Mobile IP [1] are specified in the subsequent sections.
4.1. Mobile Node Considerations
This section describes how the mobile node handles registrations that
request a reverse tunnel.
4.1.1. Sending Registration Requests to the Foreign Agent
In addition to the considerations in [1], a mobile node sets the 'T'
bit in its Registration Request to petition a reverse tunnel.
The mobile node MUST set the TTL field of the IP header to 255. This
is meant to limit the reverse tunnel hijacking attack (Section 6).
The mobile node MAY optionally include an Encapsulating Delivery
Style Extension.
Montenegro Standards Track [Page 8]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
4.1.2. Receiving Registration Replies from the Foreign Agent
Possible valid responses are:
- A registration denial issued by either the home agent or the
foreign agent:
a. The mobile node follows the error checking guidelines in
[1], and depending on the reply code, MAY try modifying the
registration request (for example, by eliminating the
request for alternate forms of encapsulation), and issuing a
new registration.
b. Depending on the reply code, the mobile node MAY try
zeroing the 'T' bit, eliminating the Encapsulating Delivery
Style Extension (if one was present), and issuing a new
registration. Notice that after doing so the registration
may succeed, but due to the lack of a reverse tunnel data
transfer may not be possible.
- The home agent returns a Registration Reply indicating that the
service will be provided.
In this last case, the mobile node has succeeded in establishing a
reverse tunnel between its care-of address and its home agent. If
the mobile node is operating with a co-located care-of address, it
MAY encapsulate outgoing data such that the destination address of
the outer header is the home agent. This ability to selectively
reverse-tunnel packets is discussed further in section 5.4.
If the care-of address belongs to a separate foreign agent, the
mobile node MUST employ whatever delivery style was requested (Direct
or Encapsulating) and proceed as specified in section 5.
A successful registration reply is an assurance that both the foreign
agent and the home agent support whatever alternate forms of
encapsulation (other than IP in IP) were requested. Accordingly, the
mobile node MAY use them at its discretion.
4.2. Foreign Agent Considerations
This section describes how the foreign agent handles registrations
that request a reverse tunnel.
Montenegro Standards Track [Page 9]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
4.2.1. Receiving Registration Requests from the Mobile Node
A foreign agent that receives a Registration Request with the 'T' bit
set processes the packet as specified in the Mobile IP specification
[1], and determines whether it can accomodate the forward tunnel
request. If it cannot, it returns an appropriate code. In particular,
if the foreign agent is unable to support the requested form of
encapsulation it MUST return code 72.
The foreign agent MAY reject Registration Requests without the 'T'
bit set by denying them with code 75 (reverse tunnel is mandatory and
'T' bit not set).
The foreign agent MUST verify that the TTL field of the IP header is
set to 255. Otherwise, it MUST reject the registration with code 76
(mobile node too distant). The foreign agent MUST limit the rate at
which it sends these registration replies to a maximum of one per
second.
As a last check, the foreign agent verifies that it can support a
reverse tunnel with the same configuration. If it cannot, it MUST
return a Registration Reply denying the request with code 74
(requested reverse tunnel unavailable).
4.2.2. Relaying Registration Requests to the Home Agent
Otherwise, the foreign agent MUST relay the Registration Request to
the home agent.
Upon receipt of a Registration Reply that satisfies validity checks,
the foreign agent MUST update its visitor list, including indication
that this mobile node has been granted a reverse tunnel and the
delivery style expected (section 5).
While this visitor list entry is in effect, the foreign agent MUST
process incoming traffic according to the delivery style, encapsulate
it and tunnel it from the care-of address to the home agent's
address.
4.3. Home Agent Considerations
This section describes how the home agent handles registrations that
request a reverse tunnel.
Montenegro Standards Track [Page 10]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
4.3.1. Receiving Registration Requests from the Foreign Agent
A home agent that receives a Registration Request with the 'T' bit
set processes the packet as specified in the Mobile IP specification
[1] and determines whether it can accomodate the forward tunnel
request. If it cannot, it returns an appropriate code. In
particular, if the home agent is unable to support the requested form
of encapsulation it MUST return code 139 (requested encapsulation
unavailable).
The home agent MAY reject registration requests without the 'T' bit
set by denying them with code 138 (reverse tunnel is mandatory and '
T' bit not set).
As a last check, the home agent determines whether it can support a
reverse tunnel with the same configuration as the forward tunnel. If
it cannot, it MUST send back a registration denial with code 137
(requested reverse tunnel unavailable).
Upon receipt of a Registration Reply that satisfies validity checks,
the home agent MUST update its mobility bindings list to indicate
that this mobile node has been granted a reverse tunnel and the type
of encapsulation expected.
4.3.2. Sending Registration Replies to the Foreign Agent
In response to a valid Registration Request, a home agent MUST issue
a Registration Reply to the mobile node.
After a successful registration, the home agent may receive
encapsulated packets addressed to itself. Decapsulating such packets
and blindly injecting them into the network is a potential security
weakness (section 6.1). Accordingly, the home agent MUST implement,
and, by default, SHOULD enable the following check for encapsulated
packets addressed to itself:
The home agent searches for a mobility binding whose care-of
address is the source of the outer header, and whose mobile node
address is the source of the inner header.
If no such binding is found, or if the packet uses an encapsulation
mechanism that was not negotiated at registration the home agent MUST
silently discard the packet and SHOULD log the event as a security
exception.
Home agents that terminate tunnels unrelated to Mobile IP (for
example, multicast tunnels) MAY turn off the above check, but this
practice is discouraged for the aforementioned reasons.
Montenegro Standards Track [Page 11]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
While the registration is in effect, a home agent MUST process each
valid reverse tunneled packet (as determined by checks like the
above) by decapsulating it, recovering the original packet, and then
forwarding it on behalf of its sender (the mobile node) to the
destination address (the correspondent host).
5. Mobile Node to Foreign Agent Delivery Styles
This section specifies how the mobile node sends its data traffic via
the foreign agent. In all cases, the mobile node learns the foreign
agent's link-layer address from the link-layer header in the agent
advertisement.
5.1. Direct Delivery Style
This delivery mechanism is very simple to implement at the mobile
node, and uses small (non-encapsulated) packets on the link between
the mobile node and the foreign agent (potentially a very slow link).
However, it only supports reverse-tunneling of unicast packets, and
does not allow selective reverse tunneling (section 5.4).
5.1.1. Packet Processing
The mobile node MUST designate the foreign agent as its default
router. Not doing so will not guarantee encapsulation of all the
mobile node's outgoing traffic, and defeats the purpose of the
reverse tunnel. The foreign agent MUST:
- detect packets sent by the mobile node, and
- modify its forwarding function to encapsulate them before
forwarding.
5.1.2. Packet Header Format and Fields
This section shows the format of the packet headers used by the
Direct Delivery style. The formats shown assume IP in IP
encapsulation [2].
Packet format received by the foreign agent (Direct Delivery Style):
IP fields:
Source Address = mobile node's home address Destination Address
= correspondent host's address
Upper Layer Protocol
Packet format forwarded by the foreign agent (Direct Delivery Style):
Montenegro Standards Track [Page 12]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
IP fields (encapsulating header):
Source Address = foreign agent's care-of address
Destination Address = home agent's address
Protocol field: 4 (IP in IP)
IP fields (original header):
Source Address = mobile node's home address
Destination Address = correspondent host's address
Upper Layer Protocol
These fields of the encapsulating header MUST be chosen as follows:
IP Source Address
Copied from the Care-of Address field within the Registration
Request.
IP Destination Address
Copied from the Home Agent field within the Registration
Request.
IP Protocol Field
Default is 4 (IP in IP [2]), but other methods of encapsulation
MAY be used as negotiated at registration time.
5.2. Encapsulating Delivery Style
This mechanism requires that the mobile node implement encapsulation,
and explicitly directs packets at the foreign agent by designating it
as the destination address in a new outermost header. Mobile nodes
that wish to send either broadcast or multicast packets MUST use the
Encapsulating Delivery Style.
5.2.1 Packet Processing
The foreign agent does not modify its forwarding function. Rather,
it receives an encapsulated packet and after verifying that it was
sent by the mobile node, it:
- decapsulates to recover the inner packet,
- re-encapsulates, and sends it to the home agent.
If a foreign agent receives an un-encapsulated packet from a mobile
node which had explicitly requested the Encapsulated Delivery Style,
then the foreign agent MUST NOT reverse tunnel such a packet and
rather MUST forward it using standard, IP routing mechanisms.
Montenegro Standards Track [Page 13]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
5.2.2. Packet Header Format and Fields
This section shows the format of the packet headers used by the
Encapsulating Delivery style. The formats shown assume IP in IP
encapsulation [2].
Packet format received by the foreign agent (Encapsulating Delivery
Style):
IP fields (encapsulating header):
Source Address = mobile node's home address
Destination Address = foreign agent's address
Protocol field: 4 (IP in IP)
IP fields (original header):
Source Address = mobile node's home address
Destination Address = correspondent host's address
Upper Layer Protocol
The fields of the encapsulating IP header MUST be chosen as follows:
IP Source Address
The mobile node's home address.
IP Destination Address
The address of the agent as learned from the IP source address
of the agent's most recent registration reply.
IP Protocol Field
Default is 4 (IP in IP [2]), but other methods of encapsulation
MAY be used as negotiated at registration time.
Packet format forwarded by the foreign agent (Encapsulating Delivery
Style):
IP fields (encapsulating header):
Source Address = foreign agent's care-of address
Destination Address = home agent's address
Protocol field: 4 (IP in IP)
IP fields (original header):
Source Address = mobile node's home address
Destination Address = correspondent host's address
Upper Layer Protocol
These fields of the encapsulating IP header MUST be chosen as
follows:
Montenegro Standards Track [Page 14]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
IP Source Address
Copied from the Care-of Address field within the Registration
Request.
IP Destination Address
Copied from the Home Agent field within the Registration
Request.
IP Protocol Field
Default is 4 (IP in IP [2]), but other methods of encapsulation
MAY be used as negotiated at registration time.
5.3. Support for Broadcast and Multicast Datagrams
If a mobile node is operating with a co-located care-of address,
broadcast and multicast datagrams are handled according to Sections
4.3 and 4.4 of the Mobile IP specification [1]. Mobile nodes using a
foreign agent care-of address MAY have their broadcast and multicast
datagrams reverse-tunneled by the foreign agent. However, any mobile
nodes doing so MUST use the encapsulating delivery style.
This delivers the datagram only to the foreign agent. The latter
decapsulates it and then processes it as any other packet from the
mobile node, namely, by reverse tunneling it to the home agent.
5.4. Selective Reverse Tunneling
Packets destined to local resources (for example, a nearby printer)
might be unaffected by ingress filtering. A mobile node with a co-
located care-of address MAY optimize delivery of these packets by not
reverse tunneling them. On the other hand, a mobile node using a
foreign agent care-of address MAY use this selective reverse
tunneling capability by requesting the Encapsulating Delivery Style,
and following these guidelines:
Packets NOT meant to be reversed tunneled:
Sent using the Direct Delivery style. The foreign agent MUST
process these packets as regular traffic: they MAY be
forwarded but MUST NOT be reverse tunneled to the home agent.
Montenegro Standards Track [Page 15]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
Packets meant to be reverse tunneled:
Sent using the Encapsulating Delivery style. The foreign agent
MUST process these packets as specified in section 5.2: they
MUST be reverse tunneled to the home agent.
6. Security Considerations
The extensions outlined in this document are subject to the security
considerations outlined in the Mobile IP specification [1].
Essentially, creation of both forward and reverse tunnels involves an
authentication procedure, which reduces the risk for attack.
6.1. Reverse-tunnel Hijacking and Denial-of-Service Attacks
Once the tunnel is set up, a malicious node could hijack it to inject
packets into the network. Reverse tunnels might exacerbate this
problem, because upon reaching the tunnel exit point packets are
forwarded beyond the local network. This concern is also present in
the Mobile IP specification, as it already dictates the use of
reverse tunnels for certain applications.
Unauthenticated exchanges involving the foreign agent allow a
malicious node to pose as a valid mobile node and re-direct an
existing reverse tunnel to another home agent, perhaps another
malicious node. The best way to protect against these attacks is by
employing the Mobile-Foreign and Foreign-Home Authentication
Extensions defined in [1].
If the necessary mobility security associations are not available,
this document introduces a mechanism to reduce the range and
effectiveness of the attacks. The mobile node MUST set to 255 the TTL
value in the IP headers of Registration Requests sent to the foreign
agent. This prevents malicious nodes more than one hop away from
posing as valid mobile nodes. Additional codes for use in
registration denials make those attacks that do occur easier to
track.
With the goal of further reducing the attacks the Mobile IP Working
Group considered other mechanisms involving the use of
unauthenticated state. However, these introduce the possibilities of
denial-of-service attacks. The consensus was that this was too much
of a trade-off for mechanisms that guarantee no more than weak (non-
cryptographic) protection against attacks.
Montenegro Standards Track [Page 16]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
6.2. Ingress Filtering
There has been some concern regarding the long-term effectiveness of
reverse-tunneling in the presence of ingress filtering. The
conjecture is that network administrators will target reverse-
tunneled packets (IP in IP encapsulated packets) for filtering. The
ingress filtering recommendation spells out why this is not the case
[8]:
Tracking the source of an attack is simplified when the source is
more likely to be "valid."
7. Acknowledgements
The encapsulating style of delivery was proposed by Charlie Perkins.
Jim Solomon has been instrumental in shaping this document into its
present form.
References
[1] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.
[2] Perkins, C., "IP Encapsulation within IP", RFC 2003, October
1996.
[3] Computer Emergency Response Team (CERT), "IP Spoofing Attacks
and Hijacked Terminal Connections", CA-95:01, January 1995.
Available via anonymous ftp from info.cert.org
in/pub/cert_advisories.
[4] Johnson, D., and C. Perkins, "Route Optimization in Mobile IP",
Work in Progress.
[5] Manuel Rodriguez, private communication, August 1995.
[6] Atkinson, R., "IP Authentication Header", RFC 1826, August 1995.
[7] Atkinson, R., "IP Encapsulating Security Payload", RFC 1827,
August 1995.
[8] Ferguson, P., and D. Senie, "Network Ingress Filtering: Defeating
Denial of Service Attacks which employ IP Source Address
Spoofing", RFC 2267, January 1998.
[9] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
Montenegro Standards Track [Page 17]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
Editor and Chair Addresses
Questions about this document may be directed at:
Gabriel E. Montenegro
Sun Microsystems, Inc.
901 San Antonio Road
Mailstop UMPK 15-214
Mountain View, California 94303
Voice: +1-415-786-6288
Fax: +1-415-786-6445
EMail: gabriel.montenegro@eng.sun.com
The working group can be contacted via the current chairs:
Jim Solomon
Motorola, Inc.
1301 E. Algonquin Rd. - Rm 2240
Schaumburg, IL 60196
Voice: +1-847-576-2753
Fax: +1-847-576-3240
EMail: solomon@comm.mot.com
Erik Nordmark
Sun Microsystems, Inc.
901 San Antonio Road
Mailstop UMPK17-202
Mountain View, California 94303
Voice: +1-415-786-5166
EMail: erik.nordmark@eng.sun.com
Montenegro Standards Track [Page 18]
^L
RFC 2344 Reverse Tunneling for Mobile IP May 1998
Full Copyright Statement
Copyright (C) The Internet Society (1998). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Montenegro Standards Track [Page 19]
^L
|
