1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
|
Network Working Group C. Vogt
Request for Comments: 4651 Universitaet Karlsruhe (TH)
Category: Informational J. Arkko
Ericsson Research NomadicLab
February 2007
A Taxonomy and Analysis of Enhancements to
Mobile IPv6 Route Optimization
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
IESG Note:
This RFC is a product of the Internet Research Task Force and is not
a candidate for any level of Internet Standard. The IRTF publishes
the results of Internet-related research and development activities.
These results might not be suitable for deployment.
Abstract
This document describes and evaluates strategies to enhance Mobile
IPv6 Route Optimization, on the basis of existing proposals, in order
to motivate and guide further research in this context. This
document is a product of the IP Mobility Optimizations (MobOpts)
Research Group.
Vogt & Arkko Informational [Page 1]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
Table of Contents
1. Introduction ....................................................3
1.1. A Note on Public-Key Infrastructures .......................4
1.2. A Note on Source Address Filtering .........................5
2. Objectives for Route Optimization Enhancement ...................7
2.1. Latency Optimizations ......................................8
2.2. Security Enhancements ......................................8
2.3. Signaling Optimizations ....................................9
2.4. Robustness Enhancements ....................................9
3. Enhancements Toolbox ............................................9
3.1. IP Address Tests ..........................................10
3.2. Protected Tunnels .........................................10
3.3. Optimistic Behavior .......................................11
3.4. Proactive IP Address Tests ................................11
3.5. Concurrent Care-of Address Tests ..........................12
3.6. Diverted Routing ..........................................13
3.7. Credit-Based Authorization ................................14
3.8. Heuristic Monitoring ......................................17
3.9. Crypto-Based Identifiers ..................................18
3.10. Pre-Configuration ........................................19
3.11. Semi-Permanent Security Associations .....................20
3.12. Delegation ...............................................21
3.13. Mobile Networks ..........................................21
3.14. Location Privacy .........................................22
4. Discussion .....................................................22
4.1. Cross-Layer Interactions ..................................23
4.2. Experimentation and Measurements ..........................23
4.3. Future Research ...........................................24
5. Security Considerations ........................................24
6. Conclusions ....................................................25
7. Acknowledgments ................................................25
8. References .....................................................26
8.1. Normative References ......................................26
8.2. Informative References ....................................26
Vogt & Arkko Informational [Page 2]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
1. Introduction
Mobility support for IPv6, or Mobile IPv6, enables mobile nodes to
migrate active transport connections and application sessions from
one IPv6 address to another. The Mobile IPv6 specification, RFC 3775
[1], introduces a "home agent", which proxies a mobile node at a
permanent "home address". A roaming mobile node connects to the home
agent through a bidirectional tunnel and can so communicate, from its
local "care-of address", as if it was present at the home address.
The mobile node keeps the home agent updated on its current care-of
address via IPsec-protected signaling messages [40].
In case the correspondent node lacks appropriate mobility support, it
communicates with the mobile node's home address, and thus all data
packets are routed via the home agent. This mode, Bidirectional
Tunneling, increases packet-propagation delays. RFC 3775 hence
defines an additional mode for Route Optimization, which allows peers
to communicate on the direct path. It requires that the
correspondent node can cache a binding between the mobile node's home
address and current care-of address. The challenge with Route
Optimization is that an administrative relationship between the
mobile node and the correspondent node can generally not be
presupposed. So how can the two authenticate and authorize the
signaling messages that they exchange?
Mobile IPv6 solves this problem by verifying a routing property of
the mobile node. Specifically, the mobile node is checked to be
reachable at its home address and current care-of address in that it
must prove the reception of a home and care-of keygen token,
respectively. This is called the "return-routability procedure". It
takes place right before a mobile node registers a new care-of
address with a correspondent node and is periodically repeated in
case the mobile node does not move for a while.
The advantage of the return-routability procedure is that it is
lightweight and does not require pre-shared authentication material.
It also requires no state at the correspondent node. On the other
hand, the two reachability tests can lead to a handoff delay
unacceptable for many real-time or interactive applications such as
Voice over IP (VoIP) and video conferencing. Also, the security that
the return-routability procedure guarantees might not be sufficient
for security-sensitive applications. And finally, periodically
refreshing a registration at a correspondent node implies a hidden
signaling overhead that may prevent mobile nodes from hibernation
during times of inactivity.
Manifold enhancements for Route Optimizations have hence been
suggested. This document describes and evaluates various strategies
Vogt & Arkko Informational [Page 3]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
on the basis of existing proposals. It is meant to provide a
conceptual framework for further work, which was found to be
inevitable in the context of Route Optimization. Many scientists
volunteered to review this document. Their names are duly recorded
in Section 7. Section 2 analyzes the strengths and weaknesses of
Route Optimization and identifies potential objectives for
enhancement. Different enhancement strategies are discussed, based
on existing proposals, in Section 3. Section 4 discusses the
different approaches and identifies opportunities for further
research. Section 5 and Section 6 conclude the document.
This document represents the consensus of the MobOpts Research Group.
It has been reviewed by the Research Group members active in the
specific area of work. At the request of their chairs, this document
has been comprehensively reviewed by multiple active contributors to
the IETF MIP6 Working Group. At the time of this writing, some of
the ideas presented in this document have been adopted by the
Mobility for IP: Performance, Signaling and Handoff Optimization
(mipshop) Working Group in the IETF.
1.1. A Note on Public-Key Infrastructures
Mobile IPv6 Route Optimization verifies a mobile node's authenticity
through a routing property. An alternative is cryptographic
authentication, which requires a binding between a node's identity
and some sort of secret information. Although some proposals suggest
installing shared secrets into end nodes when possible (see Section
3.10), pre-configuration is not an option for general Internet use
for scalability reasons. Authentication based on a Public-Key
Infrastructure (PKI) does not require pair-wise pre-configuration.
Here, the secret information is the private component of a
public/private-key pair, and the binding between a node's identity
and private key exists indirectly through the cryptographic
properties of public/private-key pairs and a binding between the
identity and the public key. An authority trusted by both end nodes
issues a certificate that effects this latter binding.
Large-scale use of a PKI, however, was considered unsuitable for
mobility management due to the following reasons.
o There are differing opinions on whether a PKI could scale up to
hundreds of millions of mobile nodes. Some people argue they do,
as there are already examples of certification authorities
responsible for millions of certificates. But more important than
the expected increase in the number of certificates would be a
shift in application patterns. Nowadays, public-key cryptography
is used only for those applications that require strong,
cryptographic authentication.
Vogt & Arkko Informational [Page 4]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
If it was used for mobility management as well, certificate checks
would become mandatory for any type of application, leading to
more checks per user. Busy servers with mobility support might be
unwilling to spent the processing resources required for this
depending on the service they provide.
o Revoked certificates are identified on Certificate Revocation
Lists (CRLs), which correspondent nodes with mobility support
would have to acquire from certification authorities. CRLs must
be kept up to date, requiring periodic downloads. This and the
act of checking a certificate against a CRL create overhead that
some correspondent nodes might be unwilling to spend.
o Certificate verification may take some time and hence interrupt
ongoing applications. This can be disturbing from the user's
perspective, especially when Route Optimization starts in the
middle of a session, or the session is very short-term anyway.
o The bigger a PKI grows, the more attractive it becomes as an
attack target, endangering the Internet as a whole.
o There is little experience with using home addresses as
identifiers in certificates. Although the home address could
theoretically be placed into a certificate's Subject Alternate
Name field, the entities responsible for IP-address assignment and
certification are usually not the same, and it may not be easy to
coordinate the two.
For these reasons, this document does not consider direct
authentication of mobile nodes based on a PKI. Nevertheless, it does
evaluate certificate-based techniques that make the problems
identified above more tractable (see Section 3.12).
1.2. A Note on Source Address Filtering
RFC 3775 uses care-of-address tests to probe a mobile node's presence
at its claimed location. Alternatively, verification of care-of
addresses may be based on infrastructure in the mobile node's local
access network. For instance, the infrastructure can verify that the
IP source addresses of all packets leaving the network are correct.
"Ingress filtering" [38][43] provides this feature to the extent that
it inspects the prefix of IP source addresses and ensures topological
correctness. Network-access providers that use ingress filtering
normally deploy the technique in their first-hop and site-exit
routers. Similarly, ISPs may filter packets originating from a
downstream network.
Vogt & Arkko Informational [Page 5]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
Ingress filtering may eventually provide a way to replace care-of-
address tests. But there are still a number of uncertainties today:
o By definition, ingress filtering can prevent source-address
spoofing only from those networks that do deploy the technique.
As a consequence, ingress filtering needs to be widely, preferably
universally, deployed in order to constitute Internet-wide
protection. As long as an attacker can get network access without
filters, all Internet nodes remain vulnerable.
o There is little incentive for ISPs to deploy ingress filtering
other than conscientiousness. Legal or regulatory prescription as
well as financial motivation does not exist. A corrupt ISP might
even have a financial incentive not to deploy the technique, if
redirection-based denial-of-service (DoS) attacks using Route
Optimization ever become possible and are exploited for financial
gain. A similar issue was observed with, for example, email spam.
o Ingress filtering is most effective, and easiest to configure, at
the first-hop router. However, since only prefixes are checked,
the filters inevitably get less precise the further upstream they
are enforced. This issue is inherent in the technique, so the
best solution is checking packets as close to the originating
nodes as possible, preferably in the first-hop routers themselves.
o A popular implementation of ingress filtering is "Reverse Path
Forwarding" (RPF). This technique relies on routes to be
symmetric, which is oftentimes the case between edge networks and
ISPs, but far less often between peering ISPs. Alternatives to
RPF are either manually configured access lists or dynamic
approaches that are more relaxed, and thereby less secure, than
RPF [43].
o Another problem with ingress filtering is multi-homing. When a
router attempts to forward to one ISP a packet with a source-
address prefix from another ISP, filters at the second ISP would
block the packet. The IETF seeks to find a way around this [39].
For instance, one could tunnel the packet to the topologically
correct ISP, or one could allow source-address changes by means of
a locator-identifier split [45].
o Finally, RFC 3775 defines an Alternative Care-of Address option
that mobile nodes can use to carry a care-of address within a
Binding Update message outside of the IPv6 header. Such an
address is not subject to inspection by ingress filtering and
would have to be verified through other means [14].
Vogt & Arkko Informational [Page 6]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
Although these problems are expected to get solved eventually, there
is currently little knowledge on how applicable and deployable, as a
candidate for care-of-address verification, ingress filtering will
be. High investments or administrative hurdles could prevent a
large, preferably universal deployment of ingress filtering, which
would hinder Internet-wide protection, as mentioned in the first
bullet. For these reasons, this document does not consider ingress
filtering as a viable alternative to care-of-address tests, although
things may be different in the future.
2. Objectives for Route Optimization Enhancement
Wireless environments with frequently moving nodes feature a number
of salient properties that distinguish them from environments with
stationary nodes or nodes that move only occasionally. One important
aspect is the efficiency of mobility management. Nodes may not
bother about a few round-trip times of handoff latency if they do not
change their point of IP attachment often. But the negative impact
that a mobility protocol can have on application performance
increases with the level of mobility. Therefore, in order to
maximize user satisfaction, it is important to reduce the handoff
latency that the mobility protocol adds to existing delays in other
places of the network stack. A related issue is the robustness of
the mobility protocol, given that temporary outage of mobility
support can render mobile nodes incapable of continuing to
communicate.
Furthermore, the wireless nature of data transmissions makes it
potentially easier for an attacker to eavesdrop on other nodes' data
or send data on behalf of other nodes. While applications can
usually authenticate and encrypt their payload if need be, similar
security measures may not be feasible for signaling packets of a
mobility protocol, in particular if communicating end nodes have no
pre-existing relationship.
Given the typically limited bandwidth in a wireless medium, resources
ought to be spent in an economic matter. This is especially
important for the amount of signaling that a mobility protocol
requires.
Endeavors to enhance RFC 3775 Route Optimization generally strive for
reduced handoff latency, higher security, lower signaling overhead,
or increased protocol robustness. These objectives are herein
discussed from a requirements perspective; the technical means to
reach the objectives is not considered, nor is the feasibility of
achieving them.
Vogt & Arkko Informational [Page 7]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
2.1. Latency Optimizations
One important objective for improving Route Optimization is to reduce
handoff latencies. Assuming that the home-address test dominates the
care-of-address test in terms of latency, a Mobile IPv6 handoff takes
one round-trip time between the mobile node and the home agent for
the home registration, a round-trip time between the mobile node and
the home agent plus a round-trip time between the home agent and the
correspondent node for the home-address test, and a one-way time from
the mobile node to the correspondent node for the propagation of the
Binding Update message. The first packet sent to the new care-of
address requires an additional one-way time to propagate from the
correspondent node to the mobile node. The mobile node can resume
communications right after it has dispatched the Binding Update
message. But if it requests a Binding Acknowledgment message from
the correspondent node, communications are usually delayed until this
is received.
These delays are additive and are not subsumed by other delays at the
IP layer or link layer. They can cause perceptible quality
degradations for interactive and real-time applications. TCP bulk-
data transfers are likewise affected since long handoff latencies may
lead to successive retransmission timeouts and degraded throughput.
2.2. Security Enhancements
The return-routability procedure was designed with the objective to
provide a level of security that compares to that of today's non-
mobile Internet [46]. As such, it protects against impersonation,
denial of service, and redirection-based flooding attacks that would
not be possible without Route Optimization. This approach is based
on an assumption that a mobile Internet cannot become any safer than
the non-mobile Internet.
Applications that require a security level higher than what the
return-routability procedure can provide are generally advised to use
end-to-end protection such as IPsec or Transport Layer Security
(TLS). But even then they are vulnerable to denial of service. This
motivates research for stronger Route Optimization security.
Security enhancements may also become necessary if future
technological improvements mitigate some of the existing mobility-
unrelated vulnerabilities.
One particular issue with Route Optimization is location privacy
because route-optimized packets carry both home and care-of addresses
in plaintext. A standard workaround is to fall back to Bidirectional
Tunneling when location privacy is needed. Packets with the care-of
address are then transferred only between the mobile node and the
Vogt & Arkko Informational [Page 8]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
home agent, where they can be encrypted through IPsec Encapsulating
Security Payload (ESP) [42]. But even Bidirectional Tunneling
requires the mobile node to periodically re-establish IPsec security
associations with the home agent so as to become untraceable through
Security Parameter Indexes (SPIs).
2.3. Signaling Optimizations
Route Optimization requires periodic signaling even when the mobile
node does not move. The signaling overhead amounts to 7.16 bits per
second if the mobile node communicates with a stationary node [6].
It doubles if both peers are mobile. This overhead may be negligible
when the nodes communicate, but it can be an issue for mobile nodes
that are inactive and stay at the same location for a while. These
nodes typically prefer to go to standby mode to conserve battery
power. Also, the periodic refreshes consume a fraction of the
wireless bandwidth that one could use more efficiently.
Optimizations for reduced signaling overhead could mitigate these
issues.
2.4. Robustness Enhancements
Route Optimization could conceptually enable continued communications
during periods of temporary home-agent unavailability. The protocol
defined in RFC 3775 does not achieve this independence, however, as
the home agent plays an active role in the return-routability
procedure. Appropriate enhancements could increase the independence
from the home agent and thus enable robust Route Optimization even in
the absence of the home agent.
3. Enhancements Toolbox
A large body of effort has recently gone into improving Mobile IPv6
Route Optimization. Some of the proposed techniques are
modifications to the return-routability procedure, while others
replace the procedure by alternative mechanisms. Some of them
operate end-to-end; others introduce network-side mobility support.
In most cases, it is the combination of a set of techniques that is
required to gain a complete -- that is, efficient and secure --
route-optimization mechanism.
Vogt & Arkko Informational [Page 9]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
3.1. IP Address Tests
RFC 3775 uses IP-address tests to ensure that a mobile node is live
and on the path to a specific destination address: The home-address
test provides evidence that the mobile node is the legitimate owner
of its home address; the care-of-address test detects spoofed care-of
addresses and prevents redirection-based flooding attacks. Both
tests can be performed in parallel.
A home-address test should be initiated by the mobile node so that
the correspondent node can delay state creation until the mobile node
has authenticated. The care-of-address test can conceptually be
initiated by either side. It originates with the mobile node in RFC
3775, but with the correspondent node in [16] and [22]. The
correspondent-node-driven approach suggests itself when
authentication is done through other means than a home-address test.
Important advantages of IP-address tests are zero-configurability and
the independence of ancillary infrastructure. As a disadvantage,
IP-address tests can only guarantee that a node is on the path to the
probed address, not that the node truly owns this address. This does
not lead to new security threats, however, because the types of
attacks that an on-path attacker can do with Route Optimization are
already possible in the non-mobile Internet [46].
3.2. Protected Tunnels
RFC 3775 protects certain signaling messages, exchanged between a
mobile node and its home agent, through an authenticated and
encrypted tunnel. This prevents unauthorized nodes on that path,
including eavesdroppers in the mobile node's wireless access network,
from listening in on these messages.
Given that a pre-existing end-to-end security relationship between
the mobile node and the correspondent node cannot generally be
assumed, this protection exists only for the mobile node's side. If
the correspondent node is immobile, the path between the home agent
and the correspondent node remains unprotected. This is a path
between two stationary nodes, so all types of attacks that a villain
could wage on this path are already possible in the non-mobile
Internet. In case the correspondent node is mobile, it has its own
home agent, and only the path between the two (stationary) home
agents remains unprotected.
Vogt & Arkko Informational [Page 10]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
3.3. Optimistic Behavior
Many Mobile IPv6 implementations [29][31] defer a correspondent
registration until the associated home registration has been
completed successfully. In contrast to such "conservative" behavior,
a more "optimistic" approach is to begin the return-routability
procedure in parallel with the home registration [52]. Conservative
behavior avoids a useless return-routability procedure in case the
home registration fails. This comes at the cost of additional
handoff delay when the home registration is successful. Optimistic
behavior saves this delay, but the return-routability procedure will
be in vain should the corresponding home registration be
unsuccessful.
While a parallelization of the home registration and the return-
routability procedure is feasible within the bounds of RFC 3775, the
specification does not permit mobile nodes to continue with the
correspondent registration, by sending a Binding Update message to
the correspondent node, until a Binding Acknowledgment message
indicating successful home registration has been received. This is
usually not a problem because the return-routability procedure is
likely to take longer than the home registration anyway. However,
some optimizations (see Section 3.4) reduce the delay caused by the
return-routability procedure. A useful improvement is then to allow
Binding Update messages to be sent to correspondent nodes even before
the home registration has been acknowledged.
The drawback of optimistic behavior is that a lost, reordered, or
rejected Binding Update message can cause data packets to be
discarded. Nevertheless, packet loss would have similar negative
impacts on conservative approaches, so the mobile node needs to be
prepared for the possible loss of these packets in any case.
3.4. Proactive IP Address Tests
The critical handoff phase, during which the mobile node and the
correspondent node cannot fully communicate, spans the home
registration and the correspondent registration, including the
return-routability procedure. One technique to shorten this phase is
to accomplish part of the signaling proactively before the handoff.
In particular, the home-address test can be done in advance without
violating the specifications of RFC 3775 [52][51].
In order to have a fresh home keygen token ready for a future
handoff, the mobile node should initiate a proactive home-address
test at least once per token lifetime, that is, every 3.5 minutes.
This does at most double the signaling overhead spent on home-address
tests given that correspondent registrations must be refreshed every
Vogt & Arkko Informational [Page 11]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
7 minutes even when the mobile node does not move for a while. An
optimization is possible where the mobile node's local link layer can
anticipate handoffs and trigger the home-address test in such a case.
[6] or [54] reduce the frequency of home-address tests even further.
Proactive care-of-address tests are possible only if the mobile node
is capable of attaching to two networks simultaneously. Dual
attachment is possible if the link-layer technology enables it with a
single interface [10], or if the mobile node is endowed with multiple
interfaces [7].
3.5. Concurrent Care-of Address Tests
Without the assumption that a mobile node can simultaneously attach
to multiple networks, proactive care-of-address tests, executed prior
to handoff, are not an option. A correspondent node may instead
authorize a mobile node to defer the care-of-address test until an
early, tentative binding has been registered [52][51]. This in
combination with a technique to eliminate the handoff delay of home-
address tests (see Section 3.4 and Section 3.9) facilitates early
resumption of bidirectional communications subsequent to handoff.
The care-of address is called "unverified" during the concurrent
care-of-address test, and it is said to be "verified" once the
correspondent node has obtained evidence that the mobile node is
present at the address. A tentative binding's lifetime can be
limited to a few seconds.
Home-address tests must not be accomplished concurrently, however,
given that they serve the purpose of authentication. They guarantee
that only the legitimate mobile node can create or update a binding
pertaining to a particular home address.
Vogt & Arkko Informational [Page 12]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
mobile node home agent correspondent node
| | |
| | |
|--Home Test Init------>|---------------------->|
| | |
| | |
|<----------------------|<-----------Home Test--|
| | |
| |
~~+~~ handoff |
| |
|--Early Binding Update------------------------>| -+-
|--Care-of Test Init -------------------------->| |
| | |
| | | care-of
|<----------------Early Binding Acknowledgment--| | address
|<-------------------------------Care-of Test---| | unverified
| | |
| | |
|--Binding Update------------------------------>| -+-
| |
| |
|<----------------------Binding Acknowledgment--|
| |
Figure 1: Concurrent Care-of Address Tests
Figure 1 illustrates how concurrent care-of-address tests are used in
[52][51]: As soon as the mobile node has configured a new care-of
address after a handoff, it sends to the correspondent node an Early
Binding Update message. Only a home keygen token, obtained from a
proactive home-address test, is required to sign this message. The
correspondent node creates a tentative binding for the new,
unverified care-of address when it receives the Early Binding Update
message. This address can be used immediately. The mobile node
finally sends a (standard) Binding Update message to the
correspondent node when the concurrent care-of-address test is
complete. Credit-Based Authorization (see Section 3.7) prevents
misuse of care-of addresses while they are unverified.
3.6. Diverted Routing
Given that a home registration is faster than a correspondent
registration in the absence of additional optimizations, the mobile
node may request its traffic to be routed through the home address
until a new binding has been set up at the correspondent node
[52][51]. The performance of such diverted routing depends on the
propagation properties of the involved routes, however.
Vogt & Arkko Informational [Page 13]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
For packets to be diverted via the home address, signaling is
necessary with both the home agent and the correspondent node. The
home agent must be informed about the new care-of address so that it
can correctly forward packets intercepted at the home address. The
correspondent node continues to send packets to the old care-of
address until it receives a Binding Update message indicating that
the current binding is no longer valid and ought to be removed. This
request requires authentication through a home-address test in order
to prevent denial of service by unauthorized nodes. The test can be
accomplished in a proactive way (see Section 3.4).
The mobile node may send packets via the home address as soon as it
has dispatched the Binding Update message to the home agent. It may
send outgoing packets along the direct path once a Binding Update
message for the new care-of address has been sent to the
correspondent node.
It depends on the propagation latency on the end-to-end path via the
home agent relative to the latency on the direct path for how long
the correspondent node should continue to send packets to the home
address. If the former path is slow, it may be better to queue some
of the packets until the correspondent registration is complete and
packets can be sent along the direct route.
3.7. Credit-Based Authorization
Concurrent care-of-address tests (see Section 3.5) require protection
against spoofed unverified care-of addresses and redirection-based
flooding attacks. Credit-Based Authorization [50] is a technique
that provides such protection based on the following three
hypotheses:
1. A flooding attacker typically seeks to somehow multiply the
packets it assembles for the purpose of the attack because
bandwidth is an ample resource for many attractive victims.
2. An attacker can always cause unamplified flooding by generating
bogus packets itself and sending them to its victim directly.
3. Consequently, the additional effort required to set up a
redirection-based flooding attack pays off for the attacker only
if amplification can be obtained this way.
On this basis, rather than eliminating malicious packet redirection
in the first place, Credit-Based Authorization prevents any
amplification that can be reached through it. This is accomplished
by limiting the data a correspondent node can send to an unverified
care-of address of a mobile node by the data that the correspondent
Vogt & Arkko Informational [Page 14]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
node has recently received from that mobile node. (See Section 3.5
for a definition on when a care-of address is verified and when it is
unverified.) A redirection-based flooding attack is thus no more
attractive than pure direct flooding, where the attacker itself sends
bogus packets to the victim. It is actually less attractive given
that the attacker must keep Mobile IPv6 state to coordinate the
redirection.
mobile node correspondent node
| |
| |
address |--data----------------->| credit += size(data)
verified | |
|--data----------------->| credit += size(data)
|<-----------------data--| don't change credit
| |
address + address change |
unverified |<-----------------data--| credit -= size(data)
|--data----------------->| credit += size(data)
|<-----------------data--| credit -= size(data)
| |
|<-----------------data--| credit -= size(data)
| X credit < size(data)
| | ==> Do not send!
address | |
verified |<-----------------data--| don't change credit
| |
Figure 2: Credit-Based Authorization
Figure 2 illustrates Credit-Based Authorization for an exemplifying
exchange of data packets: The correspondent node measures the bytes
received from the mobile node. When the mobile node registers a new
care-of address, the correspondent node labels this address
"unverified" and sends packets there as long as the sum of the packet
sizes does not exceed the measured, received data volume. A
concurrent care-of-address test is meanwhile performed. Once the
care-of address has been verified, the correspondent node relabels
the address from "unverified" to "verified". Packets can then be
sent to the new care-of address without restrictions. When
insufficient credit is left while the care-of address is still
"unverified", the correspondent node stops sending further packets to
the address until the verification completes. The correspondent node
may drop these packets, direct them to the mobile node's home
address, or buffer them for later transmission when the care-of
address is verified. Figure 2 does not show Mobile IPv6 signaling
packets.
Vogt & Arkko Informational [Page 15]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
The correspondent node ensures that the mobile node's acquired credit
gradually decreases over time. This "aging" prevents the mobile node
from building up credit over a long time. A malicious node with a
slow Internet connection could otherwise provision for a burst of
redirected packets that does not relate to its own upstream capacity.
Allocating the mobile node's credit based on the packets that the
mobile node sends and reducing the credit based on packets that the
mobile node receives is defined as "Inbound Mode". (The
correspondent node is in control of credit allocation, and it
computes the credit based on inbound packets received from the mobile
node.) A nice property of Inbound Mode is that it does not require
support from the mobile node. The mobile node neither needs to
understand that Credit-Based Authorization is effective at the
correspondent node, nor does it have to have an idea of how much
credit it has at a particular point in time.
Inbound Mode works fine with applications that send comparable data
volumes into both directions. On the other hand, the mode may
prevent the mobile node from collecting the amount of credit it needs
for a handoff when applications with asymmetric traffic patterns are
in use. For instance, file transfers and media streaming are
characterized by high throughput towards the client, typically the
mobile node, and comparably little throughput towards the serving
correspondent node.
An additional "Outbound Mode" was designed to better accommodate
applications with asymmetric traffic patterns. In Outbound Mode,
packets that the correspondent node sends to the mobile node
determine both, how much the credit increases while the current
care-of address is verified, and how much the credit shrinks while
the care-of address is unverified. This resolves the issue with
asymmetric traffic patterns.
The security of Outbound Mode is based on the further hypothesis that
the mobile node invests comparable effort for packet reception and
transmission in terms of bandwidth, memory, and processing capacity.
This justifies why credit, allocated for packets received by the
mobile node, can be turned into packets that the correspondent node
sends. The question is, though, how the correspondent node can
determine how many of the packets sent to a mobile node are actually
received and processed by that mobile node. Relying on transport-
layer acknowledgments is not an option as such messages can easily be
faked. Outbound Mode hence defines its own feedback mechanism,
Care-of Address Spot Checks, which is robust to spoofing. The
correspondent node periodically tags packets that it sends to the
mobile node with a random, unguessable number, a so-called Spot Check
Token. When the mobile node receives a packet with an attached Spot
Vogt & Arkko Informational [Page 16]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
Check Token, it buffers the token until it sends the next packet to
the correspondent node. The Spot Check Token is then included in
this packet. Upon reception, the correspondent node verifies whether
the returned Spot Check Token matches a token recently sent to the
mobile node. New credit is allocated in proportion to the ratio
between the number of successfully returned Spot Check Tokens and the
total number of tokens sent. This implies that new credit is
approximately proportional to the fraction of packets that have made
their way at least up to the mobile node's IP stack. The preciseness
of Care-of Address Spot Checks can be traded with overhead through
the frequency with which packets are tagged with Spot Check Tokens.
An interesting question is whether Outbound Mode could be misused by
an attacker with asymmetric Internet connection. Widespread digital
subscriber lines (DSL), for example, typically have a much higher
download rate than upload rate. The limited upload rate would render
most denial-of-service attempts through direct flooding meaningless.
But the attacker could leverage the strong download rate to build up
credit at one or multiple correspondent nodes. It could then
illegitimately spend the credit on a stronger, redirection-based
flooding attack. The reason why this has so far not been considered
an issue is that, in order to accumulate enough credit at the remote
end, the attacker would first have to expose itself to the same
packet flood that it could then redirect towards the victim.
3.8. Heuristic Monitoring
Heuristic approaches to prevent misuse of unverified care-of
addresses (see Section 3.5) are conceivable as well. A heuristic,
implemented at the correspondent node and possibly supplemented by a
restrictive lifetime limit for tentative bindings, can prevent, or at
least effectually discourage such misuse. The challenge here seems
to be a feasible heuristic: On one hand, the heuristic must be
sufficiently rigid to quickly respond to malicious intents at the
other side. On the other hand, it should not have a negative impact
on a fair-minded mobile node's communications.
Another problem with heuristics is that they are usually reactive.
The correspondent node can only respond to misbehavior after it
appeared. If sanctions are imposed quickly, attacks may simply not
be worthwhile. Yet premature measures should be avoided. One must
also bear in mind that an attacker may be able to use different home
addresses, and it is in general impossible for the correspondent node
to see that the set of home addresses belongs to the same node. The
attacker may furthermore exploit multiple correspondent nodes for its
attack in an attempt to amplify the result.
Vogt & Arkko Informational [Page 17]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
3.9. Crypto-Based Identifiers
A Crypto-Based Identifier (CBID) is an identifier with a strong
cryptographic binding to the public component of its owner's
public/private-key pair [33]. This allows the owner to prove its
claim on the CBID: It signs a piece of data with its private key and
sends this to the verifier along with its public key and the
parameters necessary to recompute the CBID. The verifier recomputes
the CBID and checks the owner's knowledge of the corresponding
private key.
CBIDs offer three main advantages: First, spoofing attacks against a
CBID are much harder than attacks against a non-cryptographic
identifier like a domain name or a Mobile IPv6 home address. Though
an attacker can always create its own CBID, it is unlikely to find a
public/private-key pair that produces someone else's. Second, a CBID
does not depend on a PKI given its inherent binding to the owner's
public key. Third, a CBID can be used to bind a public key to an IP
address, in which case it is called a Cryptographically Generated
Address (CGA) [44][34][47]. A CGA is syntactically just an ordinary
IPv6 address. It has a standard routing prefix and an interface
identifier generated from a hash on the CGA owner's public key and
additional parameters.
Many applications are conceivable where CGAs are advantageous. In
Mobile IPv6, CGAs can bind a mobile node's home address to its public
key [35][5] and so avoid the home-address test in most correspondent
registrations. This accelerates the registration process and allows
the peers to communicate independently of home-agent availability.
Since only the interface identifier of a CGA is cryptographically
protected, its network prefix can be spoofed, and flooding attacks
against networks are still an issue. An initial home-address test is
hence required to validate the network prefix even when the home
address is a CGA. For the same reason, CGAs are rarely used as
care-of addresses.
One limitation of CGAs compared to other types of CBIDs is that the
cryptographically protected portion is only at most 62 bits long.
The rest of the address is occupied by a 64-bit network prefix as
well as the universal/local and individual/group bits. (The
specification in [44] further hard-codes a 3-bit security parameter
into the address, reducing the cryptographically protected portion to
59 bits.) A brute-force attack might thus reveal a public/private
key public/private-key pair that produces a certain CGA. This
vulnerability can be contained by including the network prefix in the
hash computation for the interface identifier so that an attacker, in
Vogt & Arkko Informational [Page 18]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
case it did find the right public/private key public/private-key
pair, could not form CGAs for multiple networks from it.
To resolve collisions in generating CGAs, a collision count is part
of the input to the hash function. Changing this produces a
different CGA. Unfortunately, the collision count also reduces the
complexity of a brute-force attack against a CGA because it allows
the same private/public-key pair to be used to generate multiple
CGAs. The collision count is therefore limited to a few values only.
Higher security can be achieved through longer CBIDs. For example, a
node's primary identifier in the Host Identity Protocol [21] is a
128-bit hash on the node's public key. It is used as an IP-address
replacement at stack layers above IP. This CBID is not routable, so
there needs to be some external localization mechanism if a node
wants to contact a peer of which it only knows the identifier.
3.10. Pre-Configuration
Where mobile and correspondent nodes can be pre-configured with a
shared key, bound to the mobile node's home address, authentication
through a home-address test can be replaced by a cryptographic
mechanism. This has three advantages. First, cryptography allows
for stronger authentication than address tests. Second, strong
authentication facilitates binding lifetimes longer than the 7-
minute limit that RFC 3775 defines for correspondent registrations.
Third, handoff delays are usually shorter with cryptographic
approaches because the round-trips of the home-address test can be
spared. The disadvantage of pre-configuration is its limited
applicability.
Two proposals for pre-configuration are currently under discussion
within the IETF. [25] endows mobile nodes with the information they
need to compute home and care-of keygen tokens themselves rather than
having to obtain them through the return-routability procedure. [15]
uses the Internet Key Exchange protocol to establish an IPsec
security association between the peers.
From a technical standpoint, pre-configuration can only replace a
home-address test. A test of the care-of address is still necessary
to verify the mobile node's presence at that address. The problem is
circumvented in [25] by postulating that the correspondent node has
sufficient trust in the mobile node to believe that the care-of
address is correct. This assumption discourages the use of pre-
configuration in scenarios where such trust is unavailable, however.
For example, a mobile-phone operator may be able to configure
subscribers with secret keys for authorization to a particular
service, but it may not be able to vouch that all subscribers use
Vogt & Arkko Informational [Page 19]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
this service in a responsible manner. And even if users are
trustworthy, their mobile nodes may become infected with malware and
start behaving unreliably.
Another way to avoid care-of-address verification is to rely on
access networks to filter out packets with incorrect IP source
addresses [38][43]. This approach is taken in [15]. The problem
with local filtering is that it can only protect a network from
becoming the source of an attack, not from falling victim to an
attack. The technique is hence potentially unreliable unless
deployed in access networks worldwide (see Section 1.2).
Care-of-address tests facilitate the use of pre-configuration in
spite of lacking trust relationships or the existence of access
networks without local filtering techniques. For increased
performance, concurrent care-of-address tests can be used in
combination with Credit-Based Authorization or heuristic monitoring.
3.11. Semi-Permanent Security Associations
A compromise between the return-routability procedure and pre-
configuration are semi-permanent security associations. A semi-
permanent security association is established between a mobile node
and a correspondent node upon first contact, and it is used to
authenticate the mobile node during subsequent correspondent
registrations. Semi-permanent security associations eliminate the
need for periodic home-address tests and permit correspondent
registrations with lifetimes longer than the 7-minute limit specified
in RFC 3775.
It is important to verify a mobile node's home address before a
security association is bound to it. An impersonator could otherwise
create a security association for a victim's IP address and then
redirect the victim's traffic at will until the security association
expires. An initial home-address test mitigates this vulnerability
because it requires the attacker to be on the path between the victim
and the victim's peer at least while the security association is
being established. Stronger security can be obtained through
cryptographically generated home addresses (see Section 3.9).
Semi-permanent security associations alone provide no verification of
care-of addresses and must therefore be supplemented by care-of-
address tests. These may be performed concurrently for reduced
handoff delays. Semi-permanent security associations were first
developed in [8] where they were called "purpose-built keys".
Vogt & Arkko Informational [Page 20]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
3.12. Delegation
Section 1.1 lists numerous problems of PKIs with respect to
authentication of mobile nodes. These problems become more
tractable, however, if correspondent nodes authenticate home agents
rather than mobile nodes, and the home agents vouch for the
authenticity and trustworthiness of the mobile nodes [37]. Such
delegation of responsibilities solves the scalability issue with PKIs
given that home agents can be expected to be much less numerous than
mobile nodes. Certificate revocation becomes less delicate as well
because home agents are commonly administrated by a mobility provider
and should as such be more accountable than mobile nodes.
Another advantage of delegation is that it avoids public-key
computations at mobile nodes. On the other hand, the processing
overhead at correspondent nodes increases. This may or may not be an
issue depending on resources available at the correspondent node
relative to the services that the correspondent node provides. The
correspondent node may also be mobile itself, in which case
cryptographic operations would be problematic. Furthermore, the
increased overhead implies a higher risk to resource-exhaustion
attacks.
3.13. Mobile Networks
Mobile nodes may move as a group and attach to the Internet via a
"mobile router" that stays with the group. This happens, for
example, in trains or aircraft where passengers communicate via a
local wireless network that is globally interconnected through a
satellite link.
It is straightforward to support such network mobility [41] with a
single home agent and a tunnel between the mobile router and this
home agent. The mobile nodes themselves then do not have to be
mobility-aware. However, Route Optimization for moving networks
[36][26][27][55] is more complicated. One possibility is to have the
mobile router handle Route Optimization on behalf of the mobile
nodes. This requires the mobile router to modify incoming and
outgoing packets such that they can be routed on the direct path
between the end nodes. The mobile router would also have to perform
Mobile IPv6 signaling on behalf of the mobile nodes. Similarly, a
network of correspondent nodes can communicate with mobile nodes,
through a "correspondent router", in a route-optimized way without
providing mobility support themselves.
Vogt & Arkko Informational [Page 21]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
3.14. Location Privacy
RFC 3775 fails to conceal a mobile node's current position as route-
optimized packets always carry both home and care-of addresses. Both
the correspondent node and a third party can therefore track the
mobile node's whereabouts. A workaround is to fall back to
bidirectional tunneling where location privacy is needed. Packets
carrying the mobile node's care-of address are thus only transferred
between the mobile node and the home agent, where they can be
encrypted through IPsec ESP [42]. But even then should the mobile
node periodically re-establish its IPsec security associations so as
to become untraceable through its SPIs. Early efforts on location
privacy in Route Optimization include [17][13][24][30].
4. Discussion
Common to the proposals discussed in Section 3 is that all of them
affect a trade-off between effectiveness, on one hand, and economical
deployability, administrative overhead, and wide applicability, on
the other. Effectiveness may be equated with low latency, strong
security, reduced signaling, or increased robustness. Economy
implies no, or only moderate requirements in terms of hardware
upgrades and software modifications. Administrative overhead relates
to the amount of manual configuration and intervention that a
technique needs.
The standard return-routability procedure avoids costly pre-
configuration or new network entities. This minimizes both
deployment investments as well as administrative expenses. Variants
with optimistic behavior and proactive or concurrent IP-address tests
have these advantages as well. CBIDs allow for public-key
authentication without a PKI. They constitute a more secure
alternative to home-address tests and are as such most effective when
combined with concurrent reachability verification. CBID-based
authentication may require nodes to be programmed with a mapping
between human-readable identifiers and the corresponding CBIDs.
Pre-configuration is another approach to avoid home-address tests.
It does without computationally expensive public-key algorithms, but
requires pair-wise credentials and, therefore, administrative
maintenance. Where suitable infrastructure is available, end nodes
may delegate authentication and encryption tasks to trusted network
entities which, in turn, vouch for the end nodes. Delegation could
resurrect the use of certificates for the purpose of mobility
support. But it introduces a dependency on the delegatees, adds the
provisioning costs for new network entities, and is likely to be
limited to communities of authorized nodes.
Vogt & Arkko Informational [Page 22]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
4.1. Cross-Layer Interactions
The performance of Route Optimization, as evaluated in this document,
should be put into perspective of handoff-related activities in other
parts of the network stack. These include link-layer attachment
procedures; link-layer security mechanisms such as negotiation,
authentication, and key agreement; as well as IPv6 router discovery,
address configuration, and movement detection. A complete network
attachment in a typical IEEE 802.11 commercial deployment requires
over twenty link- and IP-layer messages. Current protocol stacks
also have a number of limitations in addition to long attachment
delays, such as denial-of-service vulnerabilities, difficulties in
trusting a set of access nodes distributed to physically insecure
locations, or the inability to retrieve sufficient information for
making a handoff decision [2].
A number of proposals have been put forth to improve handoff
performance on different parts of the network stack, mostly focusing
on handoff performance. These include link-layer parameter tuning
[49] and network-access authentication [18][2][32], as well as IPv6
router discovery [11][12], address configuration [23], and movement
detection [19][20]. It is uncertain how far this optimization can be
taken by only looking at the different parts individually. An
integrated approach may eventually become necessary [4][53].
4.2. Experimentation and Measurements
The number and diversity of mobility-related activities within a
typical network stack oftentimes render theoretical analyses
insufficient and call for additional, extensive experimentation or
simulation. The following is a non-exhaustive list of areas where
practical experience is likely to yield valuable insight.
o Conception of a set of standard scenarios that can be used as a
reference for comparable measurements and experimentation.
Ideally, such standard scenarios ought to be derived from real-
world environments, and they should include all features that
would likely be needed in a commercial deployment. These features
include link-layer access control, for instance.
o Measurements of the performance impacts that existing enhancement
proposals have on the different parts of the stack.
o Comparisons of different implementations that are based on the
same specification. For instance, it would be valuable to know
how much implementations differ with regards to the use of
parallelism that RFC 3775 allows in home and correspondent
registrations.
Vogt & Arkko Informational [Page 23]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
o Measurements of the impact that network conditions such as packet
loss can have on existing and new optimizations.
o Statistical data collection on the behavior of mobile nodes in
different networks. Several Route Optimization techniques behave
differently depending on the degree of mobility.
o Measurements of the performance that Route Optimization schemes
show under different application scenarios, such as the use of
applications with symmetric vs. asymmetric traffic patterns.
4.3. Future Research
Future research that goes beyond the techniques discussed in this
document may consider the following items.
o Local mobility support or local route-repair mechanisms that do
not require expensive configuration. This includes
infrastructure-based Route Optimization like [48].
o Care-of-address verification mechanisms that are based on Secure
Neighbor Discovery.
o The introduction of optimizations developed in the context of
Mobile IPv6 to other mobility protocols, such as the Host Identity
Protocol, the Stream Control Transmission Protocol, the Datagram
Congestion Control Protocol, or link-layer mobility solutions.
o The extension of the developed mobility techniques to full multi-
addressing, including multi-homing.
o Further strategies that are based on "asymmetric cost wars" [3],
such as Credit-Based Authorization.
o Integrated techniques taking into account both link- and IP-layer
mobility tasks.
5. Security Considerations
Standard Route Optimization enables mobile nodes to redirect IP
packets at a remote peer from one IP address to another IP address.
This ability introduces new security issues, which are explained and
discussed in depth in [46]. The alternative Route Optimization
techniques described in this document may introduce new security
threats that go beyond those identified in [46]. Where such new
threats exist, they are discussed and analyzed along with the
description of the respective technique in Section 3.
Vogt & Arkko Informational [Page 24]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
6. Conclusions
Mobile IPv6 Route Optimization reduces packet-propagation latencies
so as to facilitate interactive and real-time applications in mobile
environments. Unfortunately, the end-to-end protocol's high handoff
latencies hinder exactly these applications. A large body of effort
has therefore recently been dedicated to Route Optimization
improvements. Some of the proposed techniques operate on an end-to-
end basis, others require new or extended infrastructure in the
network; some need pre-configuration, others are zero-configurable.
This document has compared and evaluated the different strategies
based on a selected set of enhancement proposals. It stands out that
all proposals make a trade-off between effectiveness, on one hand --
be it in terms of reduced handoff latency, increased security, or
lower signaling overhead -- and pre-configuration costs or requisite
network upgrades, on the other. An optimization's investment
requirements, in turn, are in relation to its suitability for
widespread deployment.
However, the real-life performance of end-to-end mobility does not
only depend on enhancements of Route Optimization, but ultimately on
all parts of the protocol stack [2]. Related optimization endeavors
are in fact gaining momentum, and a comprehensive approach towards
Route Optimization must incorporate the most suitable solutions
amongst them [4]. Whichever proposals will eventually reach a
maturity level sufficient for standardization, any effort should be
expended to arrive at that point within the foreseeable future.
Route Optimization requires support from both peers and depends on a
solid basis of installed implementations in correspondent nodes.
This should hence be included in emerging IPv6 stacks early on.
Although IPv6 deployment is yet far away from becoming widespread,
the sooner efficient Route Optimization will be available, the more
likely that it will in the end be ubiquitously supported.
7. Acknowledgments
This document was thoroughly reviewed, in alphabetical order, by
Samita Chakrabarti, Francis Dupont, Thierry Ernst, Gerardo Giaretta,
James Kempf, Rajeev Koodli, Gabriel Montenegro, Vidya Narayanan, and
Fan Zhao. The authors wish to thank these folks for their valuable
comments and suggestions.
Vogt & Arkko Informational [Page 25]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
8. References
8.1. Normative References
[1] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in
IPv6", RFC 3775, June 2004.
8.2. Informative References
[2] Alimian, A. and B. Aboba, "Analysis of Roaming Techniques",
IEEE Contribution 802.11-04/0377r1, March 2004.
[3] Arkko, J. and P. Nikander, "Weak Authentication: How to
Authenticate Unknown Principals without Trusted Parties",
Proceedings of Security Protocols Workshop 2002, Cambridge, UK,
April 2002.
[4] Arkko, J., Eronen, P., Nikander, P., and V. Torvinen, "Secure
and Efficient Network Access", Proceedings of the DIMACS
Workshop on Mobile and Wireless Security, November 2004.
[5] Arkko, J., Vogt, C., and W. Haddad, "Enhanced Route
Optimization for Mobile IPv6", Work in Progress, August 2006.
[6] Arkko, J. and C. Vogt, "Credit-Based Authorization for Binding
Lifetime Extension", Work in Progress, May 2004.
[7] Bahl, P., Adya, A., Padhye, J., and A. Walman, "Reconsidering
Wireless Systems With Multiple Radios", ACM SIGCOMM Computer
Communication Review, ACM Press, Vol. 34, No. 5, October 2004.
[8] Bradner, S., Mankin, A., and J. Schiller, "A Framework for
Purpose-Built Keys (PBK)", Work in Progress, June 2003.
[9] Castellucia, C., Montenegro, G., Laganier, J., and C. Neumann,
"Hindering Eavesdropping via IPv6 Opportunistic Encryption",
Proceedings of the European Symposium on Research in Computer
Security, Lecture Notes in Computer Science, Springer-Verlag,
September 2004.
[10] Chandra, R., Bahl, P., and P. Bahl, "MultiNet: Connecting to
Multiple IEEE 802.11 Networks Using a Single Wireless Card",
Proceedings of the IEEE INFOCOM, Vol. 2, August 2004.
[11] Daley, G., Pentland, B., and R. Nelson, "Effects of Fast
Routers Advertisement on Mobile IPv6 Handovers", Proceedings of
the IEEE International Symposium on Computers and
Communication, Vol. 1, June 2003.
Vogt & Arkko Informational [Page 26]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
[12] Daley, G., Pentland, B., and R. Nelson, "Movement Detection
Optimizations in Mobile IPv6", Proceedings of the IEEE
International Conference on Networks, September 2003.
[13] Daley, G., "Location Privacy and Mobile IPv6", Work in
Progress, January 2004.
[14] Dupont, F., "A Note about 3rd Party Bombing in Mobile IPv6",
Work in Progress, July 2006.
[15] Dupont, F. and J. Combes, "Using IPsec between Mobile and
Correspondent IPv6 Nodes", Work in Progress, August 2004.
[16] Dupont, F. and J. Combes, "Care-of Address Test for MIPv6 using
a State Cookie", Work in Progress, July 2006.
[17] Haddad, W., Nordmark, E., Dupont, F., Bagnulo, M., and B.
Patil, "Privacy for Mobile and Multi-homed Nodes: MoMiPriv
Problem Statement", Work in Progress, June 2006.
[18] "IEEE Standard for Local and Metropolitan Area Networks: Port-
Based Network Access Control", IEEE Standard 802.1X, December
2004.
[19] Choi, J. and E. Nordmark, "DNA with Unmodified Routers: Prefix
List Based Approach", Work in Progress, January 2006.
[20] Narayanan, S., Ed., "Detecting Network Attachment in IPv6
Networks (DNAv6)", Work in Progress, October 2006.
[21] Moskowitz, R., Nikander, P., Jokela, Ed., P., and T. Henderson,
"Host Identity Protocol", Work in Progress, June 2006.
[22] Henderson, T., Ed., "End-Host Mobility and Multihoming with the
Host Identity Protocol", Work in Progress, June 2006.
[23] Moore, N., "Optimistic Duplicate Address Detection (DAD) for
IPv6", RFC 4429, April 2006.
[24] Koodli, R., "IP Address Location Privacy and Mobile IPv6:
Problem Statement", Work in Progress, October 2006.
[25] Perkins, C., "Securing Mobile IPv6 Route Optimization Using a
Static Shared Key", RFC 4449, June 2006.
[26] Ng, C., Thubert, P., Watari, M., and F. Zhao, "Network Mobility
Route Optimization Problem Statement", Work in Progress,
September 2006.
Vogt & Arkko Informational [Page 27]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
[27] Ng, C., Zhao, F., Watari, M., and P. Thubert, "Network Mobility
Route Optimization Solution Space Analysis", Work in Progress,
September 2006.
[28] Arbaugh, W. and B. Aboba, "Handoff Extension to RADIUS", Work
in Progress, October 2003.
[29] "Kame-Shisa", Mobile IPv6 for FreeBSD.
[30] Koodli, R., Devarapalli, V., Flinck, H., and C. Perkins,
"Solutions for IP Address Location Privacy in the Presence of
IP Mobility", Work in Progress, February 2005.
[31] Nuorvala, V., Petander, H., and A. Tuominen, "Mobile IPv6 for
Linux (MIPL)".
[32] Mishra, A., Shin, M., Petroni Jr., N., Clancy, C., and W.
Arbaugh, "Proactive Key Distribution Using Neighbor Graphs",
IEEE Wireless Communications, Vol. 11, No. 1, February 2004.
[33] Montenegro, G. and Claude. Castelluccia, "Crypto-Based
Identifiers (CBIDs): Concepts and Applications", ACM
Transactions on Information and System Security Vol.7, No. 1,
February 2004.
[34] Nikander, P., "Denial-of-Service, Address Ownership, and Early
Authentication in the IPv6 World", Revised papers from the
International Workshop on Security Protocols, Springer-Verlag,
April 2002.
[35] O'Shea, G. and M. Roe, "Child-proof Authentication for MIPv6",
ACM SIGCOMM Computer Communication Review, April 2001.
[36] Perera, E., Sivaraman, V., and A. Seneviratne, "Survey on
Network Mobility Support", ACM SIGCOMM Computer Communication
Review, Vol. 8, No. 2, ACM Press, April 2004.
[37] Bao, F., Deng, R., Qiu, Y., and J. Zhou, "Certificate-
basedBinding Update Protocol (CBU)", Work in Progress, March
2005.
[38] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000.
[39] Abley, J., Black, B., and V. Gill, "Goals for IPv6 Site-
Multihoming Architectures", RFC 3582, August 2003.
Vogt & Arkko Informational [Page 28]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
[40] Arkko, J., Devarapalli, V., and F. Dupont, "Using IPsec to
Protect Mobile IPv6 Signaling Between Mobile Nodes and Home
Agents", RFC 3776, June 2004.
[41] Devarapalli, V., Wakikawa, R., Petrescu, A., and P. Thubert,
"Network Mobility (NEMO) Basic Support Protocol", RFC 3963,
January 2005.
[42] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303,
December 2005.
[43] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
Networks", BCP 84, RFC 3704, March 2004.
[44] Aura, T., "Cryptographically Generated Addresses (CGA)", RFC
3972, March 2005.
[45] Huston, G., "Architectural Approaches to Multi-homing for
IPv6", RFC 4177, September 2005.
[46] Nikander, P., Arkko, J., Aura, T., Montenegro, G., and E.
Nordmark, "Mobile IP Version 6 Route Optimization Security
Design Background", RFC 4225, December 2005.
[47] Roe, M., Aura, T., O'Shea, G., and J. Arkko, "Authentication of
Mobile IPv6 Binding Updates and Acknowledgments", Work in
Progress, February 2002.
[48] Vadali, R., Li, J., Wu, Y., and G. Cao, "Agent-Based Route
Optimization for Mobile IP", Proceedings of the IEEE Vehicular
Technology Conference, October 2001.
[49] Velayos, H. and G. Karlsson, "Techniques to Reduce IEEE 802.11b
MAC Layer Handoff Time", Laboratory for Communication Networks,
KTH, Royal Institute of Technology, Stockholm, Sweden, TRITA-
IMIT-LCN R 03:02, April 2003.
[50] Vogt, C., "Credit-Based Authorization for Concurrent IP-Address
Tests", Proceedings of the IST Mobile and Wireless
Communications Summit, June 2005.
[51] Vogt, C., Bless, R., Doll, M., and T. Kuefner, "Early Binding
Updates for Mobile IPv6", Proceedings of the IEEE Wireless
Communications and Networking Conference, IEEE, Vol. 3, March
2005.
Vogt & Arkko Informational [Page 29]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
[52] Vogt, C. and M. Doll, "Efficient End-to-End Mobility Support in
IPv6", Proceedings of the IEEE Wireless Communications and
Networking Conference, April 2006.
[53] Vogt, C., "A Comprehensive Delay Analysis for Reactive and
Proactive Handoffs with Mobile IPv6 Route Optimization",
Institute of Telematics, Universitaet Karlsruhe (TH),
Karlsruhe, Germany, TM-2006-1, January 2006.
[54] Zhao, F., Wu, F., and S. Jung, "Extensions to Return
Routability Test in MIP6", Work in Progress, February 2005.
[55] Calderon, M., Bernardos, C., Bagnulo, M., Soto, I., and A. de
la Oliva, "Design and Experimental Evaluation of a Route
Optimisation Solution for NEMO", IEEE Journal on Selected Areas
in Communications, Vol. 24, No. 9, September 2006.
Authors' Addresses
Christian Vogt
Institute of Telematics
Universitaet Karlsruhe (TH)
P.O. Box 6980
76128 Karlsruhe
Germany
EMail: chvogt@tm.uka.de
Jari Arkko
Ericsson Research NomadicLab
FI-02420 Jorvas
Finland
EMail: jari.arkko@ericsson.com
Vogt & Arkko Informational [Page 30]
^L
RFC 4651 MIP6 Route Optimization Enhancements February 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Vogt & Arkko Informational [Page 31]
^L
|