idnits 2.17.00 (12 Aug 2021) /tmp/idnits32295/draft-ietf-mobileip-ipv6-22.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 3 instances of lines with control characters in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 1071 has weird spacing: '...ated to rever...' == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: Before sending any packet, the sending node SHOULD examine its Binding Cache for an entry for the destination address to which the packet is being sent. If the sending node has a Binding Cache entry for this address, the sending node SHOULD use a type 2 routing header to route the packet to this mobile node (the destination node) by way of its care-of address. However, the mobile node MUST not do this in the following cases: == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o The Binding Authorization Data mobility option, if present, MUST be the last option and MUST not have trailing padding. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (May 26, 2003) is 6935 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 1750 (ref. '1') (Obsoleted by RFC 4086) ** Obsolete normative reference: RFC 2373 (ref. '3') (Obsoleted by RFC 3513) ** Obsolete normative reference: RFC 2401 (ref. '4') (Obsoleted by RFC 4301) ** Obsolete normative reference: RFC 2402 (ref. '5') (Obsoleted by RFC 4302, RFC 4305) ** Obsolete normative reference: RFC 2406 (ref. '6') (Obsoleted by RFC 4303, RFC 4305) ** Obsolete normative reference: RFC 2407 (ref. '7') (Obsoleted by RFC 4306) ** Obsolete normative reference: RFC 2408 (ref. '8') (Obsoleted by RFC 4306) ** Obsolete normative reference: RFC 2409 (ref. '9') (Obsoleted by RFC 4306) ** Obsolete normative reference: RFC 2434 (ref. '10') (Obsoleted by RFC 5226) ** Obsolete normative reference: RFC 2460 (ref. '11') (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 2461 (ref. '12') (Obsoleted by RFC 4861) ** Obsolete normative reference: RFC 2462 (ref. '13') (Obsoleted by RFC 4862) ** Obsolete normative reference: RFC 2463 (ref. '14') (Obsoleted by RFC 4443) ** Obsolete normative reference: RFC 3041 (ref. '18') (Obsoleted by RFC 4941) ** Downref: Normative reference to an Informational RFC: RFC 3232 (ref. '19') -- Possible downref: Non-RFC (?) normative reference: ref. '20' == Outdated reference: draft-ietf-mobileip-mipv6-ha-ipsec has been published as RFC 3776 -- Obsolete informational reference (is this intentional?): RFC 2002 (ref. '22') (Obsoleted by RFC 3220) -- Obsolete informational reference (is this intentional?): RFC 2267 (ref. '26') (Obsoleted by RFC 2827) == Outdated reference: draft-bellovin-mandate-keymgmt has been published as RFC 4107 == Outdated reference: draft-ietf-dhc-dhcpv6 has been published as RFC 3315 == Outdated reference: draft-ietf-ipsec-ikev2 has been published as RFC 4306 == Outdated reference: draft-ietf-ipv6-default-addr-select has been published as RFC 3484 == Outdated reference: A later version (-02) exists of draft-nikander-mobileip-v6-ro-sec-00 == Outdated reference: draft-savola-ipv6-127-prefixlen has been published as RFC 3627 == Outdated reference: draft-vida-mld-v2 has been published as RFC 3810 Summary: 17 errors (**), 0 flaws (~~), 14 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IETF Mobile IP Working Group D. Johnson 3 Internet-Draft Rice University 4 Expires: November 24, 2003 C. Perkins 5 Nokia Research Center 6 J. Arkko 7 Ericsson 8 May 26, 2003 10 Mobility Support in IPv6 11 draft-ietf-mobileip-ipv6-22.txt 13 Status of this Memo 15 This document is an Internet-Draft and is in full conformance with 16 all provisions of Section 10 of RFC2026. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as 21 Internet-Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at http:// 29 www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on November 24, 2003. 36 Copyright Notice 38 Copyright (C) The Internet Society (2003). All Rights Reserved. 40 Abstract 42 This document specifies a protocol which allows nodes to remain 43 reachable while moving around in the IPv6 Internet. Each mobile node 44 is always identified by its home address, regardless of its current 45 point of attachment to the Internet. While situated away from its 46 home, a mobile node is also associated with a care-of address, which 47 provides information about the mobile node's current location. IPv6 48 packets addressed to a mobile node's home address are transparently 49 routed to its care-of address. The protocol enables IPv6 nodes to 50 cache the binding of a mobile node's home address with its care-of 51 address, and to then send any packets destined for the mobile node 52 directly to it at this care-of address. To support this operation, 53 Mobile IPv6 defines a new IPv6 protocol and a new destination option. 54 All IPv6 nodes, whether mobile or stationary can communicate with 55 mobile nodes. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 6 60 2. Comparison with Mobile IP for IPv4 . . . . . . . . . . . . 8 61 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 9 62 3.1 General Terms . . . . . . . . . . . . . . . . . . . 9 63 3.2 Mobile IPv6 Terms . . . . . . . . . . . . . . . . . 11 64 4. Overview of Mobile IPv6 . . . . . . . . . . . . . . . . . 15 65 4.1 Basic Operation . . . . . . . . . . . . . . . . . . 15 66 4.2 New IPv6 Protocol . . . . . . . . . . . . . . . . . 17 67 4.3 New IPv6 Destination Option . . . . . . . . . . . . 18 68 4.4 New IPv6 ICMP Messages . . . . . . . . . . . . . . . 18 69 4.5 Conceptual Data Structure Terminology . . . . . . . 18 70 4.6 Site-Local Addressability . . . . . . . . . . . . . 19 71 5. Overview of Mobile IPv6 Security . . . . . . . . . . . . . 20 72 5.1 Binding Updates to Home Agents . . . . . . . . . . . 20 73 5.2 Binding Updates to Correspondent Nodes . . . . . . . 21 74 5.2.1 Node Keys . . . . . . . . . . . . . . . . . 22 75 5.2.2 Nonces . . . . . . . . . . . . . . . . . . . 22 76 5.2.3 Cookies and Tokens . . . . . . . . . . . . . 23 77 5.2.4 Cryptographic Functions . . . . . . . . . . 23 78 5.2.5 Return Routability Procedure . . . . . . . . 23 79 5.2.6 Authorizing Binding Management Messages . . 28 80 5.2.7 Updating Node Keys and Nonces . . . . . . . 30 81 5.2.8 Preventing Replay Attacks . . . . . . . . . 31 82 5.3 Dynamic Home Agent Address Discovery . . . . . . . . 31 83 5.4 Mobile Prefix Discovery . . . . . . . . . . . . . . 31 84 5.5 Payload Packets . . . . . . . . . . . . . . . . . . 32 85 6. New IPv6 Protocol, Message Types, and Destination Option . 33 86 6.1 Mobility Header . . . . . . . . . . . . . . . . . . 33 87 6.1.1 Format . . . . . . . . . . . . . . . . . . . 33 88 6.1.2 Binding Refresh Request Message . . . . . . 35 89 6.1.3 Home Test Init Message . . . . . . . . . . . 36 90 6.1.4 Care-of Test Init Message . . . . . . . . . 37 91 6.1.5 Home Test Message . . . . . . . . . . . . . 38 92 6.1.6 Care-of Test Message . . . . . . . . . . . . 39 93 6.1.7 Binding Update Message . . . . . . . . . . . 41 94 6.1.8 Binding Acknowledgement Message . . . . . . 43 95 6.1.9 Binding Error Message . . . . . . . . . . . 46 96 6.2 Mobility Options . . . . . . . . . . . . . . . . . . 47 97 6.2.1 Format . . . . . . . . . . . . . . . . . . . 48 98 6.2.2 Pad1 . . . . . . . . . . . . . . . . . . . . 48 99 6.2.3 PadN . . . . . . . . . . . . . . . . . . . . 49 100 6.2.4 Binding Refresh Advice . . . . . . . . . . . 49 101 6.2.5 Alternate Care-of Address . . . . . . . . . 50 102 6.2.6 Nonce Indices . . . . . . . . . . . . . . . 50 103 6.2.7 Binding Authorization Data . . . . . . . . . 51 104 6.3 Home Address Option . . . . . . . . . . . . . . . . 52 105 6.4 Type 2 Routing Header . . . . . . . . . . . . . . . 54 106 6.4.1 Format . . . . . . . . . . . . . . . . . . . 54 107 6.5 ICMP Home Agent Address Discovery Request Message . 56 108 6.6 ICMP Home Agent Address Discovery Reply Message . . 57 109 6.7 ICMP Mobile Prefix Solicitation Message Format . . . 58 110 6.8 ICMP Mobile Prefix Advertisement Message Format . . 60 111 7. Modifications to IPv6 Neighbor Discovery . . . . . . . . . 63 112 7.1 Modified Router Advertisement Message Format . . . . 63 113 7.2 Modified Prefix Information Option Format . . . . . 63 114 7.3 New Advertisement Interval Option Format . . . . . . 65 115 7.4 New Home Agent Information Option Format . . . . . . 66 116 7.5 Changes to Sending Router Advertisements . . . . . . 68 117 8. Requirements for Types of IPv6 Nodes . . . . . . . . . . . 70 118 8.1 All IPv6 Nodes . . . . . . . . . . . . . . . . . . . 70 119 8.2 IPv6 Nodes with Support for Route Optimization . . . 70 120 8.3 All IPv6 Routers . . . . . . . . . . . . . . . . . . 72 121 8.4 IPv6 Home Agents . . . . . . . . . . . . . . . . . . 72 122 8.5 IPv6 Mobile Nodes . . . . . . . . . . . . . . . . . 74 123 9. Correspondent Node Operation . . . . . . . . . . . . . . . 76 124 9.1 Conceptual Data Structures . . . . . . . . . . . . . 76 125 9.2 Processing Mobility Headers . . . . . . . . . . . . 77 126 9.3 Packet Processing . . . . . . . . . . . . . . . . . 77 127 9.3.1 Receiving Packets with Home Address Option . 77 128 9.3.2 Sending Packets to a Mobile Node . . . . . . 78 129 9.3.3 Sending Binding Error Messages . . . . . . . 80 130 9.3.4 Receiving ICMP Error Messages . . . . . . . 80 131 9.4 Return Routability Procedure . . . . . . . . . . . . 81 132 9.4.1 Receiving Home Test Init Messages . . . . . 81 133 9.4.2 Receiving Care-of Test Init Messages . . . . 81 134 9.4.3 Sending Home Test Messages . . . . . . . . . 82 135 9.4.4 Sending Care-of Test Messages . . . . . . . 82 136 9.5 Processing Bindings . . . . . . . . . . . . . . . . 82 137 9.5.1 Receiving Binding Updates . . . . . . . . . 82 138 9.5.2 Requests to Cache a Binding . . . . . . . . 85 139 9.5.3 Requests to Delete a Binding . . . . . . . . 85 140 9.5.4 Sending Binding Acknowledgements . . . . . . 86 141 9.5.5 Sending Binding Refresh Requests . . . . . . 87 142 9.6 Cache Replacement Policy . . . . . . . . . . . . . . 87 143 10. Home Agent Operation . . . . . . . . . . . . . . . . . . . 89 144 10.1 Conceptual Data Structures . . . . . . . . . . . . . 89 145 10.2 Processing Mobility Headers . . . . . . . . . . . . 90 146 10.3 Processing Bindings . . . . . . . . . . . . . . . . 90 147 10.3.1 Primary Care-of Address Registration . . . . 90 148 10.3.2 Primary Care-of Address De-Registration . . 94 149 10.4 Packet Processing . . . . . . . . . . . . . . . . . 95 150 10.4.1 Intercepting Packets for a Mobile Node . . . 95 151 10.4.2 Processing Intercepted Packets . . . . . . . 97 152 10.4.3 Multicast Membership Control . . . . . . . . 98 153 10.4.4 Stateful Address Autoconfiguration . . . . . 99 154 10.4.5 Handling Reverse Tunneled Packets . . . . . 100 155 10.4.6 Protecting Return Routability Packets . . . 100 156 10.5 Dynamic Home Agent Address Discovery . . . . . . . .101 157 10.5.1 Receiving Router Advertisement Messages . . 101 158 10.6 Sending Prefix Information to the Mobile Node . . .103 159 10.6.1 List of Home Network Prefixes . . . . . . . 103 160 10.6.2 Scheduling Prefix Deliveries . . . . . . . . 104 161 10.6.3 Sending Advertisements . . . . . . . . . . . 106 162 10.6.4 Lifetimes for Changed Prefixes . . . . . . . 107 163 11. Mobile Node Operation . . . . . . . . . . . . . . . . . . 108 164 11.1 Conceptual Data Structures . . . . . . . . . . . . .108 165 11.2 Processing Mobility Headers . . . . . . . . . . . .109 166 11.3 Packet Processing . . . . . . . . . . . . . . . . .110 167 11.3.1 Sending Packets While Away from Home . . . . 110 168 11.3.2 Interaction with Outbound IPsec Processing . 113 169 11.3.3 Receiving Packets While Away from Home . . . 115 170 11.3.4 Routing Multicast Packets . . . . . . . . . 116 171 11.3.5 Receiving ICMP Error Messages . . . . . . . 118 172 11.3.6 Receiving Binding Error Messages . . . . . . 118 173 11.4 Home Agent and Prefix Management . . . . . . . . . .119 174 11.4.1 Dynamic Home Agent Address Discovery . . . . 119 175 11.4.2 Sending Mobile Prefix Solicitations . . . . 120 176 11.4.3 Receiving Mobile Prefix Advertisements . . . 121 177 11.5 Movement . . . . . . . . . . . . . . . . . . . . . .122 178 11.5.1 Movement Detection . . . . . . . . . . . . . 122 179 11.5.2 Forming New Care-of Addresses . . . . . . . 124 180 11.5.3 Using Multiple Care-of Addresses . . . . . . 125 181 11.5.4 Returning Home . . . . . . . . . . . . . . . 126 182 11.6 Return Routability Procedure . . . . . . . . . . . .128 183 11.6.1 Sending Test Init Messages . . . . . . . . . 128 184 11.6.2 Receiving Test Messages . . . . . . . . . . 129 185 11.6.3 Protecting Return Routability Packets . . . 130 186 11.7 Processing Bindings . . . . . . . . . . . . . . . .130 187 11.7.1 Sending Binding Updates to the Home Agent . 131 188 11.7.2 Correspondent Registration . . . . . . . . . 133 189 11.7.3 Receiving Binding Acknowledgements . . . . . 136 190 11.7.4 Receiving Binding Refresh Requests . . . . . 138 191 11.8 Retransmissions and Rate Limiting . . . . . . . . .139 192 12. Protocol Constants . . . . . . . . . . . . . . . . . . . . 141 193 13. Protocol Configuration Variables . . . . . . . . . . . . . 142 194 14. IANA Considerations . . . . . . . . . . . . . . . . . . . 143 195 15. Security Considerations . . . . . . . . . . . . . . . . . 145 196 15.1 Threats . . . . . . . . . . . . . . . . . . . . . .145 197 15.2 Features . . . . . . . . . . . . . . . . . . . . . .147 198 15.3 Binding Updates to Home Agent . . . . . . . . . . .148 199 15.4 Binding Updates to Correspondent Nodes . . . . . . .151 200 15.4.1 Overview . . . . . . . . . . . . . . . . . . 151 201 15.4.2 Achieved Security Properties . . . . . . . . 152 202 15.4.3 Comparison to Regular IPv6 Communications . 152 203 15.4.4 Replay Attacks . . . . . . . . . . . . . . . 154 204 15.4.5 Denial-of-Service Attacks . . . . . . . . . 155 205 15.4.6 Key Lengths . . . . . . . . . . . . . . . . 156 206 15.5 Dynamic Home Agent Address Discovery . . . . . . . .157 207 15.6 Mobile Prefix Discovery . . . . . . . . . . . . . .157 208 15.7 Tunneling via the Home Agent . . . . . . . . . . . .157 209 15.8 Home Address Option . . . . . . . . . . . . . . . .158 210 15.9 Type 2 Routing Header . . . . . . . . . . . . . . .159 211 16. Contributors . . . . . . . . . . . . . . . . . . . . . . . 160 212 17. Acknowledgements . . . . . . . . . . . . . . . . . . . . . 161 213 Normative References . . . . . . . . . . . . . . . . . . . 162 214 Informative References . . . . . . . . . . . . . . . . . . 164 215 Authors' Addresses . . . . . . . . . . . . . . . . . . . . 165 216 A. Changes from Previous Version of the Draft . . . . . . . . 166 217 B. Future Extensions . . . . . . . . . . . . . . . . . . . . 169 218 B.1 Piggybacking . . . . . . . . . . . . . . . . . . . . . . . 169 219 B.2 Triangular Routing . . . . . . . . . . . . . . . . . . . . 169 220 B.3 New Authorization Methods . . . . . . . . . . . . . . . . 169 221 B.4 Dynamically Generated Home Addresses . . . . . . . . . . . 169 222 B.5 Remote Home Address Configuration . . . . . . . . . . . . 169 223 B.6 Neighbor Discovery Extensions . . . . . . . . . . . . . . 170 224 Intellectual Property and Copyright Statements . . . . . . 172 226 1. Introduction 228 This document specifies a protocol which allows nodes to remain 229 reachable while moving around in the IPv6 Internet. Without specific 230 support for mobility in IPv6 [11], packets destined to a mobile node 231 would not be able to reach it while the mobile node is away from its 232 home link. In order to continue communication in spite of its 233 movement, a mobile node could change its IP address each time it 234 moves to a new link, but the mobile node would then not be able to 235 maintain transport and higher-layer connections when it changes 236 location. Mobility support in IPv6 is particularly important, as 237 mobile computers are likely to account for a majority or at least a 238 substantial fraction of the population of the Internet during the 239 lifetime of IPv6. 241 The protocol defined in this document, known as Mobile IPv6, allows a 242 mobile node to move from one link to another without changing the 243 mobile node's "home address". Packets may be routed to the mobile 244 node using this address regardless of the mobile node's current point 245 of attachment to the Internet. The mobile node may also continue to 246 communicate with other nodes (stationary or mobile) after moving to a 247 new link. The movement of a mobile node away from its home link is 248 thus transparent to transport and higher-layer protocols and 249 applications. 251 The Mobile IPv6 protocol is just as suitable for mobility across 252 homogeneous media as for mobility across heterogeneous media. For 253 example, Mobile IPv6 facilitates node movement from one Ethernet 254 segment to another as well as it facilitates node movement from an 255 Ethernet segment to a wireless LAN cell, with the mobile node's IP 256 address remaining unchanged in spite of such movement. 258 One can think of the Mobile IPv6 protocol as solving the 259 network-layer mobility management problem. Some mobility management 260 applications -- for example, handover among wireless transceivers, 261 each of which covers only a very small geographic area -- have been 262 solved using link-layer techniques. For example, in many current 263 wireless LAN products, link-layer mobility mechanisms allow a 264 "handover" of a mobile node from one cell to another, re-establishing 265 link-layer connectivity to the node in each new location. 267 Mobile IPv6 does not attempt to solve all general problems related to 268 the use of mobile computers or wireless networks. In particular, 269 this protocol does not attempt to solve: 271 o Handling links with unidirectional connectivity or partial 272 reachability, such as the hidden terminal problem where a host is 273 hidden from only some of the routers on the link. 275 o Access control on a link being visited by a mobile node. 277 o Local or hierarchical forms of mobility management (similar to 278 many current link-layer mobility management solutions). 280 o Assistance for adaptive applications 282 o Mobile routers 284 o Service Discovery 286 o Distinguishing between packets lost due to bit errors vs. network 287 congestion 289 2. Comparison with Mobile IP for IPv4 291 The design of Mobile IP support in IPv6 (Mobile IPv6) benefits both 292 from the experiences gained from the development of Mobile IP support 293 in IPv4 (Mobile IPv4) [22, 23, 24], and from the opportunities 294 provided by IPv6. Mobile IPv6 thus shares many features with Mobile 295 IPv4, but is integrated into IPv6 and offers many other improvements. 296 This section summarizes the major differences between Mobile IPv4 and 297 Mobile IPv6: 299 o There is no need to deploy special routers as "foreign agents", as 300 in Mobile IPv4. Mobile IPv6 operates in any location without any 301 special support required from the local router. 303 o Support for route optimization is a fundamental part of the 304 protocol, rather than a nonstandard set of extensions. 306 o Mobile IPv6 route optimization can operate securely even without 307 pre-arranged security associations. It is expected that route 308 optimization can be deployed on a global scale between all mobile 309 nodes and correspondent nodes. 311 o Support is also integrated into Mobile IPv6 for allowing route 312 optimization to coexist efficiently with routers that perform 313 "ingress filtering" [26]. 315 o The IPv6 Neighbor Unreachability Detection assures symmetric 316 reachability between the mobile node and its default router in the 317 current location. 319 o Most packets sent to a mobile node while away from home in Mobile 320 IPv6 are sent using an IPv6 routing header rather than IP 321 encapsulation, reducing the amount of resulting overhead compared 322 to Mobile IPv4. 324 o Mobile IPv6 is decoupled from any particular link layer, as it 325 uses IPv6 Neighbor Discovery [12] instead of ARP. This also 326 improves the robustness of the protocol. 328 o The use of IPv6 encapsulation (and the routing header) removes the 329 need in Mobile IPv6 to manage "tunnel soft state". 331 o The dynamic home agent address discovery mechanism in Mobile IPv6 332 returns a single reply to the mobile node. The directed broadcast 333 approach used in IPv4 returns separate replies from each home 334 agent. 336 3. Terminology 338 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 339 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 340 document are to be interpreted as described in RFC 2119 [2]. 342 3.1 General Terms 344 IP 346 Internet Protocol Version 6 (IPv6). 348 node 350 A device that implements IP. 352 router 354 A node that forwards IP packets not explicitly addressed to 355 itself. 357 unicast routable address 359 An identifier for a single interface such that a packet sent to it 360 from another IPv6 subnet is delivered to the interface identified 361 by that address. Accordingly, a unicast routable address must 362 have either a global or site-local scope (but not link-local). 364 host 366 Any node that is not a router. 368 link 370 A communication facility or medium over which nodes can 371 communicate at the link layer, such as an Ethernet (simple or 372 bridged). A link is the layer immediately below IP. 374 interface 376 A node's attachment to a link. 378 subnet prefix 380 A bit string that consists of some number of initial bits of an IP 381 address. 383 interface identifier 385 A number used to identify a node's interface on a link. The 386 interface identifier is the remaining low-order bits in the node's 387 IP address after the subnet prefix. 389 link-layer address 391 A link-layer identifier for an interface, such as IEEE 802 392 addresses on Ethernet links. 394 packet 396 An IP header plus payload. 398 security association 400 An IPsec security association is a cooperative relationship formed 401 by the sharing of cryptographic keying material and associated 402 context. Security associations are simplex. That is, two 403 security associations are needed to protect bidirectional traffic 404 between two nodes, one for each direction. 406 security policy database 408 A database that specifies what security services are to be offered 409 to IP packets and in what fashion. 411 destination option 413 Destination options are carried by the IPv6 Destination Options 414 extension header. Destination options include optional 415 information that need be examined only by the IPv6 node given as 416 the destination address in the IPv6 header, not by routers in 417 between. Mobile IPv6 defines one new destination option, the Home 418 Address destination option (see Section 6.3). 420 routing header 422 A routing header may be present as an IPv6 header extension, and 423 indicates that the payload has to be delivered to a destination 424 IPv6 address in some way that is different from what would be 425 carried out by standard Internet routing. In this document, use 426 of the term "routing header" typically refers to use of a type 2 427 routing header, as specified in Section 6.4. 429 '|' (concatenation) 431 Some formulas in this specification use the symbol '|' indicate 432 bytewise concatenation, as in A | B. This concatenation requires 433 that all of the octets of the datum A appear first in the result, 434 followed by all of the octets of the datum B. 436 First (size, input) 438 Some formulas in this specification use a functional form "First 439 (size, input)" to indicate truncation of the "input" data so that 440 only the first "size" bits remain to be used. 442 3.2 Mobile IPv6 Terms 444 home address 446 A unicast routable address assigned to a mobile node, used as the 447 permanent address of the mobile node. This address is within the 448 mobile node's home link. Standard IP routing mechanisms will 449 deliver packets destined for a mobile node's home address to its 450 home link. Mobile nodes can have multiple home addresses, for 451 instance when there are multiple home prefixes on the home link. 453 home subnet prefix 455 The IP subnet prefix corresponding to a mobile node's home 456 address. 458 home link 460 The link on which a mobile node's home subnet prefix is defined. 462 mobile node 464 A node that can change its point of attachment from one link to 465 another, while still being reachable via its home address. 467 movement 469 A change in a mobile node's point of attachment to the Internet 470 such that it is no longer connected to the same link as it was 471 previously. If a mobile node is not currently attached to its 472 home link, the mobile node is said to be "away from home". 474 L2 handover 476 A process by which the mobile node changes from one link-layer 477 connection to another. For example, a change of wireless access 478 point is an L2 handover. 480 L3 handover 482 Subsequent to an L2 handover, a mobile node detects a change in an 483 on-link subnet prefix that would require a change in the primary 484 care-of address. For example, a change of access router 485 subsequent to a change of wireless access point typically results 486 in an L3 handover. 488 correspondent node 490 A peer node with which a mobile node is communicating. The 491 correspondent node may be either mobile or stationary. 493 foreign subnet prefix 495 Any IP subnet prefix other than the mobile node's home subnet 496 prefix. 498 foreign link 500 Any link other than the mobile node's home link. 502 care-of address 504 A unicast routable address associated with a mobile node while 505 visiting a foreign link; the subnet prefix of this IP address is a 506 foreign subnet prefix. Among the multiple care-of addresses that 507 a mobile node may have at any given time (e.g., with different 508 subnet prefixes), the one registered with the mobile node's home 509 agent for a given home address is called its "primary" care-of 510 address. 512 home agent 514 A router on a mobile node's home link with which the mobile node 515 has registered its current care-of address. While the mobile node 516 is away from home, the home agent intercepts packets on the home 517 link destined to the mobile node's home address, encapsulates 518 them, and tunnels them to the mobile node's registered care-of 519 address. 521 binding 523 The association of the home address of a mobile node with a 524 care-of address for that mobile node, along with the remaining 525 lifetime of that association. 527 registration 529 The process during which a mobile node sends a Binding Update to 530 its home agent or a correspondent node, causing a binding for the 531 mobile node to be registered. 533 mobility message 535 A message containing a Mobility Header (see Section 6.1). 537 binding authorization 539 Correspondent registration needs to be authorized to allow the 540 recipient to believe that the sender has the right to specify a 541 new binding. 543 return routability procedure 545 The return routability procedure authorizes registrations by the 546 use of a cryptographic token exchange. 548 correspondent registration 550 A return routability procedure followed by a registration, run 551 between the mobile node and a correspondent node. 553 home registration 555 A registration between the mobile node and its home agent, 556 authorized by the use of IPsec. 558 nonce 560 Nonces are random numbers used internally by the correspondent 561 node in the creation of keygen tokens related to the return 562 routability procedure. The nonces are not specific to a mobile 563 node, and are kept secret within the correspondent node. 565 nonce index 567 A nonce index is used to indicate which nonces have been used when 568 creating keygen token values, without revealing the nonces 569 themselves. 571 cookie 573 A cookie is a random number used by a mobile nodes to prevent 574 spoofing by a bogus correspondent node in the return routability 575 procedure. 577 care-of init cookie 579 A cookie sent to the correspondent node in the Care-of Test Init 580 message, to be returned in the Care-of Test message. 582 home init cookie 584 A cookie sent to the correspondent node in the Home Test Init 585 message, to be returned in the Home Test message. 587 keygen token 589 A keygen token is a number supplied by a correspondent node in the 590 return routability procedure to enable the mobile node to compute 591 the necessary binding management key for authorizing a Binding 592 Update. 594 care-of keygen token 596 A keygen token sent by the correspondent node in the Care-of Test 597 message. 599 home keygen token 601 A keygen token sent by the correspondent node in the Home Test 602 message. 604 binding management key (Kbm) 606 A binding management key (Kbm) is a key used for authorizing a 607 binding cache management message (e.g., Binding Update or Binding 608 Acknowledgement). Return routability provides a way to create a 609 binding management key. 611 4. Overview of Mobile IPv6 613 4.1 Basic Operation 615 A mobile node is always expected to be addressable at its home 616 address, whether it is currently attached to its home link or is away 617 from home. The "home address" is an IP address assigned to the 618 mobile node within its home subnet prefix on its home link. While a 619 mobile node is at home, packets addressed to its home address are 620 routed to the mobile node's home link, using conventional Internet 621 routing mechanisms. 623 While a mobile node is attached to some foreign link away from home, 624 it is also addressable at one or more care-of addresses. A care-of 625 address is an IP address associated with a mobile node that has the 626 subnet prefix of a particular foreign link. The mobile node can 627 acquire its care-of address through conventional IPv6 mechanisms, 628 such as stateless or stateful auto-configuration. As long as the 629 mobile node stays in this location, packets addressed to this care-of 630 address will be routed to the mobile node. The mobile node may also 631 accept packets from several care-of addresses, such as when it is 632 moving but still reachable at the previous link. 634 The association between a mobile node's home address and care-of 635 address is known as a "binding" for the mobile node. While away from 636 home, a mobile node registers its primary care-of address with a 637 router on its home link, requesting this router to function as the 638 "home agent" for the mobile node. The mobile node performs this 639 binding registration by sending a "Binding Update" message to the 640 home agent. The home agent replies to the mobile node by returning a 641 "Binding Acknowledgement" message. The operation of the mobile node 642 is specified in Section 11, and the operation of the home agent is 643 specified in Section 10. 645 Any node communicating with a mobile node is referred to in this 646 document as a "correspondent node" of the mobile node, and may itself 647 be either a stationary node or a mobile node. Mobile nodes can 648 provide information about their current location to correspondent 649 nodes. This happens through the correspondent registration. As a 650 part of this procedure, a return routability test is performed in 651 order to authorize the establishment of the binding. The operation 652 of the correspondent node is specified in Section 9. 654 There are two possible modes for communications between the mobile 655 node and a correspondent node. The first mode, bidirectional 656 tunneling, does not require Mobile IPv6 support from the 657 correspondent node and is available even if the mobile node has not 658 registered its current binding with the correspondent node. Packets 659 from the correspondent node are routed to the home agent and then 660 tunneled to the mobile node. Packets to the correspondent node are 661 tunneled from the mobile node to the home agent ("reverse tunneled") 662 and then routed normally from the home network to the correspondent 663 node. In this mode, the home agent uses proxy Neighbor Discovery to 664 intercept any IPv6 packets addressed to the mobile node's home 665 address (or home addresses) on the home link. Each intercepted 666 packet is tunneled to the mobile node's primary care-of address. 667 This tunneling is performed using IPv6 encapsulation [15]. 669 The second mode, "route optimization", requires the mobile node to 670 register its current binding at the correspondent node. Packets from 671 the correspondent node can be routed directly to the care-of address 672 of the mobile node. When sending a packet to any IPv6 destination, 673 the correspondent node checks its cached bindings for an entry for 674 the packet's destination address. If a cached binding for this 675 destination address is found, the node uses a new type of IPv6 676 routing header [11] (see Section 6.4) to route the packet to the 677 mobile node by way of the care-of address indicated in this binding. 679 Routing packets directly to the mobile node's care-of address allows 680 the shortest communications path to be used. It also eliminates 681 congestion at the mobile node's home agent and home link. In 682 addition, the impact of any possible failure of the home agent or 683 networks on the path to or from it is reduced. 685 When routing packets directly to the mobile node, the correspondent 686 node sets the Destination Address in the IPv6 header to the care-of 687 address of the mobile node. A new type of IPv6 routing header (see 688 Section 6.4) is also added to the packet to carry the desired home 689 address. Similarly, the mobile node sets the Source Address in the 690 packet's IPv6 header to its current care-of addresses. The mobile 691 node adds a new IPv6 "Home Address" destination option (see Section 692 6.3) to carry its home address. The inclusion of home addresses in 693 these packets makes the use of the care-of address transparent above 694 the network layer (e.g., at the transport layer). 696 Mobile IPv6 also provides support for multiple home agents, and a 697 limited support for the reconfiguration of the home network. In 698 these cases, the mobile node may not know the IP address of its own 699 home agent, and even the home subnet prefixes may change over time. 700 A mechanism, known as "dynamic home agent address discovery" allows a 701 mobile node to dynamically discover the IP address of a home agent on 702 its home link, even when the mobile node is away from home. Mobile 703 nodes can also learn new information about home subnet prefixes 704 through the "mobile prefix discovery" mechanism. These mechanisms 705 are described starting from Section 6.5. 707 4.2 New IPv6 Protocol 709 Mobile IPv6 defines a new IPv6 protocol, using the Mobility Header 710 (see Section 6.1). This Header is used to carry the following 711 messages: 713 Home Test Init 715 Home Test 717 Care-of Test Init 719 Care-of Test 721 These four messages are used to perform the return routability 722 procedure from the mobile node to a correspondent node. This 723 ensures authorization of subsequent Binding Updates, as described 724 in Section 5.2.5. 726 Binding Update 728 A Binding Update is used by a mobile node to notify a 729 correspondent node or the mobile node's home agent of its current 730 binding. The Binding Update sent to the mobile node's home agent 731 to register its primary care-of address is marked as a "home 732 registration". 734 Binding Acknowledgement 736 A Binding Acknowledgement is used to acknowledge receipt of a 737 Binding Update, if an acknowledgement was requested in the Binding 738 Update, the binding update was sent to a home agent, or an error 739 occurred. 741 Binding Refresh Request 743 A Binding Refresh Request is used by a correspondent node to 744 request a mobile node to re-establish its binding with the 745 correspondent node. This message is typically used when the 746 cached binding is in active use but the binding's lifetime is 747 close to expiration. The correspondent node may use, for 748 instance, recent traffic and open transport layer connections as 749 an indication of active use. 751 Binding Error 753 The Binding Error is used by the correspondent node to signal an 754 error related to mobility, such as an inappropriate attempt to use 755 the Home Address destination option without an existing binding. 757 4.3 New IPv6 Destination Option 759 Mobile IPv6 defines a new IPv6 destination option, the Home Address 760 destination option. This option is described in detail in Section 761 6.3. 763 4.4 New IPv6 ICMP Messages 765 Mobile IPv6 also introduces four new ICMP message types, two for use 766 in the dynamic home agent address discovery mechanism, and two for 767 renumbering and mobile configuration mechanisms. As described in 768 Section 10.5 and Section 11.4.1, the following two new ICMP message 769 types are used for home agent address discovery: 771 o Home Agent Address Discovery Request, described in Section 6.5. 773 o Home Agent Address Discovery Reply, described in Section 6.6. 775 The next two message types are used for network renumbering and 776 address configuration on the mobile node, as described in Section 777 10.6: 779 o Mobile Prefix Solicitation, described in Section 6.7. 781 o Mobile Prefix Advertisement, described in Section 6.8. 783 4.5 Conceptual Data Structure Terminology 785 This document describes the Mobile IPv6 protocol in terms of the 786 following conceptual data structures: 788 Binding Cache 790 A cache of bindings for other nodes. This cache is maintained by 791 home agents and correspondent nodes. The cache contains both 792 "correspondent registration" entries (see Section 9.1) and "home 793 registration" entries (see Section 10.1). 795 Binding Update List 797 This list is maintained by each mobile node. The list has an item 798 for every binding that the mobile node has or is trying to 799 establish with a specific other node. Both correspondent and home 800 registrations are included in this list. Entries from the list 801 are deleted as the lifetime of the binding expires. See Section 802 11.1. 804 Home Agents List 806 Home agents need to know which other home agents are on the same 807 link. This information is stored in the Home Agents List, as 808 described in more detail in Section 10.1. The list is used for 809 informing mobile nodes during dynamic home agent address 810 discovery. 812 4.6 Site-Local Addressability 814 This specification requires that home and care-of addresses MUST be 815 unicast routable addresses. Site-local addresses may be usable on 816 networks that are not connected to the Internet, but this 817 specification does not define when such usage is safe and when not. 818 Mobile nodes may not be aware of which site they are currently in, it 819 is hard to prevent accidental attachment to other sites, and 820 ambiguity of site-local addresses can cause problems if the home and 821 visited networks use the same addresses. Therefore, site-local 822 addresses SHOULD NOT be used as home or care-of addresses. 824 5. Overview of Mobile IPv6 Security 826 This specification provides a number of security features. These 827 include the protection of Binding Updates both to home agents and 828 correspondent nodes, the protection of mobile prefix discovery, and 829 the protection of the mechanisms that Mobile IPv6 uses for 830 transporting data packets. 832 Binding Updates are protected by the use of IPsec extension headers, 833 or by the use of the Binding Authorization Data option. This option 834 employs a binding management key, Kbm, which can be established 835 through the return routability procedure. Mobile prefix discovery is 836 protected through the use of IPsec extension headers. Mechanisms 837 related to transporting payload packets - such as the Home Address 838 destination option and type 2 routing header - have been specified in 839 a manner which restricts their use in attacks. 841 5.1 Binding Updates to Home Agents 843 The mobile node and the home agent MUST use an IPsec security 844 association to protect the integrity and authenticity of the Binding 845 Updates and Acknowledgements. Both the mobile nodes and the home 846 agents MUST support and SHOULD use the Encapsulating Security Payload 847 (ESP) [6] header in transport mode and MUST use a non-NULL payload 848 authentication algorithm to provide data origin authentication, 849 connectionless integrity and optional anti-replay protection. Note 850 that Authentication Header (AH) [5] is also possible but for brevity 851 not discussed in this specification. 853 In order to protect messages exchanged between the mobile node and 854 the home agent with IPsec, appropriate security policy database 855 entries must be created. A mobile node must be prevented from using 856 its security association to send a Binding Update on behalf of 857 another mobile node using the same home agent. This MUST be achieved 858 by having the home agent check that the given home address has been 859 used with the right security association. Such a check is provided 860 in the IPsec processing, by having the security policy database 861 entries unequivocally identify a single security association for 862 protecting Binding Updates between any given home address and home 863 agent. In order to make this possible, it is necessary that the home 864 address of the mobile node is visible in the Binding Updates and 865 Acknowledgements. The home address is used in these packets as a 866 source or destination, or in the Home Address Destination option or 867 the type 2 routing header. 869 As with all IPsec security associations in this specification, manual 870 configuration of security associations MUST be supported. The used 871 shared secrets MUST be random and unique for different mobile nodes, 872 and MUST be distributed off-line to the mobile nodes. 874 Automatic key management with IKE [9] MAY be supported. When IKE is 875 used, either the security policy database entries or the MIPv6 876 processing MUST unequivocally identify the IKE phase 1 credentials 877 which can be used to authorize the creation of security associations 878 for protecting Binding Updates for a particular home address. How 879 these mappings are maintained is outside the scope of this 880 specification, but they may be maintained, for instance, as a locally 881 administered table in the home agent. If the phase 1 identity is a 882 Fully Qualified Domain Name (FQDN), secure forms of DNS may also be 883 used. 885 Section 11.3.2 discusses how IKE connections to the home agent need a 886 careful treatment of the addresses used for transporting IKE. This 887 is necessary to ensure that a Binding Update is not needed before the 888 IKE exchange which is needed for securing the Binding Update. 890 When IKE version 1 is used with preshared secret authentication 891 between the mobile node and the home agent, aggressive mode MUST be 892 used. Similarly, the ID_IPV6_ADDR Identity Payload MUST NOT be used 893 in IKEv1 phase 1. 895 Reference [21] contains a more detailed description and examples on 896 using IPsec to protect the communications between the mobile node and 897 the home agent. 899 5.2 Binding Updates to Correspondent Nodes 901 The protection of Binding Updates sent to correspondent nodes does 902 not require the configuration of security associations or the 903 existence of an authentication infrastructure between the mobile 904 nodes and correspondent nodes. Instead, a method called the return 905 routability procedure is used to assure that the right mobile node is 906 sending the message. This method does not protect against attackers 907 who are on the path between the home network and the correspondent 908 node. However, attackers in such a location are capable of 909 performing the same attacks even without Mobile IPv6. The main 910 advantage of the return routability procedure is that it limits the 911 potential attackers to those having an access to one specific path in 912 the Internet, and avoids forged Binding Updates from anywhere else in 913 the Internet. For a more in depth explanation of the security 914 properties of the return routability procedure, see Section 15. 916 The integrity and authenticity of the Binding Updates messages to 917 correspondent nodes is protected by using a keyed-hash algorithm. 918 The binding management key, Kbm, is used to key the hash algorithm 919 for this purpose. Kbm is established using data exchanged during the 920 return routability procedure. The data exchange is accomplished by 921 use of node keys, nonces, cookies, tokens, and certain cryptographic 922 functions. Section 5.2.5 outlines the basic return routability 923 procedure. Section 5.2.6 shows how the results of this procedure are 924 used to authorize a Binding Update to a correspondent node. 926 5.2.1 Node Keys 928 Each correspondent node has a secret key, Kcn, called the "node key", 929 which it uses to produce the keygen tokens sent to the mobile nodes. 930 The node key MUST be a random number, 20 octets in length. The node 931 key allows the correspondent node to verify that the keygen tokens 932 used by the mobile node in authorizing a Binding Update are indeed 933 its own. This key MUST NOT be shared with any other entity. 935 A correspondent node MAY generate a fresh node key at any time; this 936 avoids the need for secure persistent key storage. Procedures for 937 optionally updating the node key are discussed later in Section 938 5.2.7. 940 5.2.2 Nonces 942 Each correspondent node also generates nonces at regular intervals. 943 The nonces should be generated by using a random number generator 944 that is known to have good randomness properties [1]. A 945 correspondent node may use the same Kcn and nonce with all the 946 mobiles it is in communication with. 948 Each nonce is identified by a nonce index. When a new nonce is 949 generated, it must be associated with a new nonce index; this may be 950 done, for example, by incrementing the value of the previous nonce 951 index, if the nonce index is used as an array pointer into a linear 952 array of nonces. However, there is no requirement that nonces be 953 stored that way, or that the values of subsequent nonce indices have 954 any particular relationship to each other. The index value is 955 communicated in the protocol, so that if a nonce is replaced by new 956 nonce during the run of a protocol, the correspondent node can 957 distinguish messages that should be checked against the old nonce 958 from messages that should be checked against the new nonce. Strictly 959 speaking, indices are not necessary in the authentication, but allow 960 the correspondent node to efficiently find the nonce value that it 961 used in creating a keygen token. 963 Correspondent nodes keep both the current nonce and a small set of 964 valid previous nonces whose lifetime has not yet expired. Expired 965 values MUST be discarded, and messages using stale or unknown indices 966 will be rejected. 968 The specific nonce index values cannot be used by mobile nodes to 969 determine the validity of the nonce. Expected validity times for the 970 nonces values and the procedures for updating them are discussed 971 later in Section 5.2.7. 973 A nonce is an octet string of any length. The recommended length is 974 64 bits. 976 5.2.3 Cookies and Tokens 978 The return routability address test procedure uses cookies and keygen 979 tokens as opaque values within the test init and test messages, 980 respectively. 982 o The "home init cookie" and "care-of init cookie" are 64 bit values 983 sent to the correspondent node from the mobile node, and later 984 returned to the mobile node. The home init cookie is sent in the 985 Home Test Init message, and returned in the Home Test message. 986 The care-of init cookie is sent in the Care-of Test Init message, 987 and returned in the Care-of Test message. 989 o The "home keygen token" and "care-of keygen token" are 64-bit 990 values sent by the correspondent node to the mobile node via the 991 home agent (via the Home Test message) and the care-of address (by 992 the Care-of Test message), respectively. 994 The mobile node should set the home init or care-of init cookie to a 995 newly generated random number in every Home or Care-of Test Init 996 message it sends. The cookies are used to verify that the Home Test 997 or Care-of Test message matches the Home Test Init or Care-of Test 998 Init message, respectively. These cookies also serve to ensure that 999 parties who have not seen the request cannot spoof responses. 1001 Home and care-of keygen tokens are produced by the correspondent node 1002 based on its currently active secret key (Kcn) and nonces, as well as 1003 the home or care-of address (respectively). A keygen token is valid 1004 as long as both the secret key (Kcn) and the nonce used to create it 1005 are valid. 1007 5.2.4 Cryptographic Functions 1009 In this specification, the function used to compute hash values is 1010 SHA1 [20]. Message Authentication Codes (MACs) are computed using 1011 HMAC_SHA1 [25, 20]. HMAC_SHA1(K,m) denotes such a MAC computed on 1012 message m with key K. 1014 5.2.5 Return Routability Procedure 1015 The Return Routability Procedure enables the correspondent node to 1016 obtain some reasonable assurance that the mobile node is in fact 1017 addressable at its claimed care-of address as well as at its home 1018 address. Only with this assurance is the correspondent node able to 1019 accept Binding Updates from the mobile node which would then instruct 1020 the correspondent node to direct that mobile node's data traffic to 1021 its claimed care-of address. 1023 This is done by testing whether packets addressed to the two claimed 1024 addresses are routed to the mobile node. The mobile node can pass 1025 the test only if it is able to supply proof that it received certain 1026 data (the "keygen tokens") which the correspondent node sends to 1027 those addresses. These data are combined by the mobile node into a 1028 binding management key, denoted Kbm. 1030 The below figure shows the message flow for the return routability 1031 procedure. 1033 Mobile node Home agent Correspondent node 1034 | | 1035 | Home Test Init (HoTI) | | 1036 |------------------------->|------------------------->| 1037 | | | 1038 | Care-of Test Init (CoTI) | 1039 |---------------------------------------------------->| 1040 | | 1041 | | Home Test (HoT) | 1042 |<-------------------------|<-------------------------| 1043 | | | 1044 | Care-of Test (CoT) | 1045 |<----------------------------------------------------| 1046 | | 1048 The Home and Care-of Test Init messages are sent at the same time. 1049 The procedure requires very little processing at the correspondent 1050 node, and the Home and Care-of Test messages can be returned quickly, 1051 perhaps nearly simultaneously. These four messages form the return 1052 routability procedure. 1054 Home Test Init 1056 A mobile node sends a Home Test Init message to the correspondent 1057 node (via the home agent) to acquire the home keygen token. The 1058 contents of the message can be summarized as follows: 1060 * Source Address = home address 1061 * Destination Address = correspondent 1063 * Parameters: 1065 + home init cookie 1067 The Home Test Init message conveys the mobile node's home address 1068 to the correspondent node. The mobile node also sends along a 1069 home init cookie that the correspondent node must return later. 1070 The Home Test Init message is reverse tunneled through the home 1071 agent. (The headers and addresses related to reverse tunneling 1072 have been omitted from the above discussion of the message 1073 contents.) The mobile node remembers these cookie values to obtain 1074 some assurance that its protocol messages are being processed by 1075 the desired correspondent node. 1077 Care-of Test Init 1079 The mobile node sends a Care-of Test Init message to the 1080 correspondent node (directly, not via the home agent) to acquire 1081 the care-of keygen token. The contents of this message can be 1082 summarized as follows: 1084 * Source Address = care-of address 1086 * Destination Address = correspondent 1088 * Parameters: 1090 + care-of init cookie 1092 The Care-of Test Init message conveys the mobile node's care-of 1093 address to the correspondent node. The mobile node also sends 1094 along a care-of init cookie that the correspondent node must 1095 return later. The Care-of Test Init message is sent directly to 1096 the correspondent node. 1098 Home Test 1100 The Home Test message is sent in response to a Home Test Init 1101 message. It is sent via the home agent. The contents of the 1102 message are: 1104 * Source Address = correspondent 1105 * Destination Address = home address 1107 * Parameters: 1109 + home init cookie 1111 + home keygen token 1113 + home nonce index 1115 When the correspondent node receives the Home Test Init message, 1116 it generates a home keygen token as follows: 1118 home keygen token := 1119 First (64, HMAC_SHA1 (Kcn, (home address | nonce | 0))) 1121 where | denotes concatenation. The final "0" inside the HMAC_SHA1 1122 function is a single zero octet, used to distinguish home and 1123 care-of cookies from each other. 1125 The home keygen token is formed from the first 64 bits of the MAC. 1126 The home keygen token tests that the mobile node can receive 1127 messages sent to its home address. Kcn is used in the production 1128 of home keygen token in order to allow the correspondent node to 1129 verify that it generated the home and care-of nonces, without 1130 forcing the correspondent node to remember a list of all tokens it 1131 has handed out. 1133 The Home Test message is sent to the mobile node via the home 1134 network, where it is presumed that the home agent will tunnel the 1135 message to the mobile node. This means that the mobile node needs 1136 to already have sent a Binding Update to the home agent, so that 1137 the home agent will have received and authorized the new care-of 1138 address for the mobile node before the return routability 1139 procedure. For improved security, the data passed between the 1140 home agent and the mobile node is made immune to inspection and 1141 passive attacks. Such protection is gained by encrypting the home 1142 keygen token as it is tunneled from the home agent to the mobile 1143 node as specified in Section 10.4.6. The security properties of 1144 this additional security are discussed in Section 15.4.1. 1146 The home init cookie from the mobile node is returned in the Home 1147 Test message, to ensure that the message comes from a node on the 1148 route between the home agent and the correspondent node. 1150 The home nonce index is delivered to the mobile node to later 1151 allow the correspondent node to efficiently find the nonce value 1152 that it used in creating the home keygen token. 1154 Care-of Test 1156 This message is sent in response to a Care-of Test Init message. 1157 This message is not sent via the home agent, it is sent directly 1158 to the mobile node. The contents of the message are: 1160 * Source Address = correspondent 1162 * Destination Address = care-of address 1164 * Parameters: 1166 + care-of init cookie 1168 + care-of keygen token 1170 + care-of nonce index 1172 When the correspondent node receives the Care-of Test Init 1173 message, it generates a care-of keygen token as follows: 1175 care-of keygen token := 1176 First (64, HMAC_SHA1 (Kcn, (care-of address | nonce | 1))) 1178 Here, the final "1" inside the HMAC_SHA1 function is a single 1179 octet containing the hex value 0x01, and is used to distinguish 1180 home and care-of cookies from each other. The keygen token is 1181 formed from the first 64 bits of the MAC, and sent directly to the 1182 mobile node at its care-of address. The care-of init cookie from 1183 the Care-of Test Init message is returned to ensure that the 1184 message comes from a node on the route to the correspondent node. 1186 The care-of nonce index is provided to identify the nonce used for 1187 the care-of keygen token. The home and care-of nonce indices MAY 1188 be the same, or different, in the Home and Care-of Test messages. 1190 When the mobile node has received both the Home and Care-of Test 1191 messages, the return routability procedure is complete. As a result 1192 of the procedure, the mobile node has the data it needs to send a 1193 Binding Update to the correspondent node. The mobile node hashes the 1194 tokens together to form a 20 octet binding key Kbm: 1196 Kbm = SHA1 (home keygen token | care-of keygen token) 1198 A Binding Update may also be used to delete a previously established 1199 binding (Section 6.1.7). In this case, the care-of keygen token is 1200 not used. Instead, the binding management key is generated as 1201 follows: 1203 Kbm = SHA1(home keygen token) 1205 Note that the correspondent node does not create any state specific 1206 to the mobile node, until it receives the Binding Update from that 1207 mobile node. The correspondent node does not maintain the value for 1208 the binding management key Kbm; it creates Kbm when given the nonce 1209 indices and the mobile node's addresses. 1211 5.2.6 Authorizing Binding Management Messages 1213 After the mobile node has created the binding management key (Kbm), 1214 it can supply a verifiable Binding Update to the correspondent node. 1215 This section provides an overview of this registration. The below 1216 figure shows the message flow. 1218 Mobile node Correspondent node 1219 | | 1220 | Binding Update (BU) | 1221 |---------------------------------------------->| 1222 | (MAC, seq#, nonce indices, care-of address) | 1223 | | 1224 | | 1225 | Binding Acknowledgement (BA) (if sent) | 1226 |<----------------------------------------------| 1227 | (MAC, seq#, status) | 1229 Binding Update 1231 To authorize a Binding Update, the mobile node creates a binding 1232 management key Kbm from the keygen tokens as described in the 1233 previous section. The contents of the Binding Update include the 1234 following: 1236 * Source Address = care-of address 1238 * Destination Address = correspondent 1240 * Parameters: 1242 + home address (within the Home Address destination option if 1243 different from the Source Address) 1245 + sequence number (within the Binding Update message header) 1247 + home nonce index (within the Nonce Indices option) 1249 + care-of nonce index (within the Nonce Indices option) 1251 + First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent 1252 | BU))) 1254 The Binding Update contains a Nonce Indices option, indicating to 1255 the correspondent node which home and care-of nonces to use to 1256 recompute Kbm, the binding management key. The MAC is computed as 1257 described in Section 6.2.7, using the correspondent node's address 1258 as the destination address and the Binding Update message itself 1259 ("BU" above) as the Mobility Header Data. 1261 Once the correspondent node has verified the MAC, it can create a 1262 Binding Cache entry for the mobile. 1264 Binding Acknowledgement 1266 The Binding Update is in some cases acknowledged by the 1267 correspondent node. The contents of the message are as follows: 1269 * Source Address = correspondent 1271 * Destination Address = care-of address 1273 * Parameters: 1275 + sequence number (within the Binding Update message header) 1277 + First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent 1278 | BA))) 1280 The Binding Acknowledgement contains the same sequence number as 1281 the Binding Update. The MAC is computed as described in Section 1282 6.2.7, using the correspondent node's address as the destination 1283 address and the message itself ("BA" above) as the Mobility Header 1284 Data. 1286 Bindings established with correspondent nodes using keys created by 1287 way of the return routability procedure MUST NOT exceed 1288 MAX_RR_BINDING_LIFETIME seconds (see Section 12). 1290 The value in the Source Address field in the IPv6 header carrying the 1291 Binding Update is normally also the care-of address which is used in 1292 the binding. However, a different care-of address MAY be specified 1293 by including an Alternate Care-of Address mobility option in the 1294 Binding Update (see Section 6.2.5). When such a message is sent to 1295 the correspondent node and the return routability procedure is used 1296 as the authorization method, the Care-of Test Init and Care-of Test 1297 messages MUST have been performed for the address in the Alternate 1298 Care-of Address option (not the Source Address). The nonce indices 1299 and MAC value MUST be based on information gained in this test. 1301 Binding Updates may also be sent to delete a previously established 1302 binding. In this case, generation of the binding management key 1303 depends exclusively on the home keygen token and the care-of nonce 1304 index is ignored. 1306 5.2.7 Updating Node Keys and Nonces 1308 Correspondent nodes generate nonces at regular intervals. It is 1309 recommended to keep each nonce (identified by a nonce index) 1310 acceptable for at least MAX_TOKEN_LIFETIME seconds (see Section 12) 1311 after it has been first used in constructing a return routability 1312 message response. However, the correspondent node MUST NOT accept 1313 nonces beyond MAX_NONCE_LIFETIME seconds (see Section 12) after the 1314 first use. As the difference between these two constants is 30 1315 seconds, a convenient way to enforce the above lifetimes is to 1316 generate a new nonce every 30 seconds. The node can then continue to 1317 accept tokens that have been based on the last 8 (MAX_NONCE_LIFETIME 1318 / 30) nonces. This results in tokens being acceptable 1319 MAX_TOKEN_LIFETIME to MAX_NONCE_LIFETIME seconds after they have been 1320 sent to the mobile node, depending on whether the token was sent at 1321 the beginning or end of the first 30 second period. Note that the 1322 correspondent node may also attempt to generate new nonces on demand, 1323 or only if the old nonces have been used. This is possible, as long 1324 as the correspondent node keeps track of how long a time ago the 1325 nonces were used for the first time, and does not generate new nonces 1326 on every return routability request. 1328 Due to resource limitations, rapid deletion of bindings, or reboots 1329 the correspondent node may not in all cases recognize the nonces that 1330 the tokens were based on. If a nonce index is unrecognized, the 1331 correspondent node replies with an an error code in the Binding 1332 Acknowledgement (either 136, 137, or 138 as discussed in Section 1333 6.1.8). The mobile node can then retry the return routability 1334 procedure. 1336 An update of Kcn SHOULD be done at the same time as an update of a 1337 nonce, so that nonce indices can identify both the nonce and the key. 1338 Old Kcn values have to be therefore remembered as long as old nonce 1339 values. 1341 Given that the tokens are normally expected to be usable for 1342 MAX_TOKEN_LIFETIME seconds, the mobile node MAY use them beyond a 1343 single run of the return routability procedure until 1344 MAX_TOKEN_LIFETIME expires. After this the mobile node SHOULD NOT 1345 use the tokens. A fast moving mobile node MAY reuse a recent home 1346 keygen token from a correspondent node when moving to a new location, 1347 and just acquire a new care-of keygen token to show routability in 1348 the new location. 1350 While this does not save the number of round-trips due to the 1351 simultaneous processing of home and care-of return routability tests, 1352 there are fewer messages being exchanged, and a potentially long 1353 round-trip through the home agent is avoided. Consequently, this 1354 optimization is often useful. A mobile node that has multiple home 1355 addresses, MAY also use the same care-of keygen token for Binding 1356 Updates concerning all of these addresses. 1358 5.2.8 Preventing Replay Attacks 1360 The return routability procedure also protects the participants 1361 against replayed Binding Updates through the use of the sequence 1362 number and a MAC. Care must be taken when removing bindings at the 1363 correspondent node, however. Correspondent nodes must retain 1364 bindings and the associated sequence number information at least as 1365 long as the nonces used in the authorization of the binding are still 1366 valid. Alternatively, if memory is very constrained, the 1367 correspondent node MAY invalidate the nonces that were used for the 1368 binding being deleted (or some larger group of nonces that they 1369 belong to). This may, however, impact the ability to accept Binding 1370 Updates from mobile nodes that have recently received keygen tokens. 1371 This alternative is therefore recommended only as a last measure. 1373 5.3 Dynamic Home Agent Address Discovery 1375 No security is required for dynamic home agent address discovery. 1377 5.4 Mobile Prefix Discovery 1379 The mobile node and the home agent SHOULD use an IPsec security 1380 association to protect the integrity and authenticity of the Mobile 1381 Prefix Solicitations and Advertisements. Both the mobile nodes and 1382 the home agents MUST support and SHOULD use the Encapsulating 1383 Security Payload (ESP) header in transport mode with a non-NULL 1384 payload authentication algorithm to provide data origin 1385 authentication, connectionless integrity and optional anti-replay 1386 protection. 1388 5.5 Payload Packets 1390 Payload packets exchanged with mobile nodes can be protected in the 1391 usual manner, in the same way as stationary hosts can protect them. 1392 However, Mobile IPv6 introduces the Home Address destination option, 1393 a routing header, and tunneling headers in the payload packets. In 1394 the following we define the security measures taken to protect these, 1395 and to prevent their use in attacks against other parties. 1397 This specification limits the use of the Home Address destination 1398 option to the situation where the correspondent node already has a 1399 Binding Cache entry for the given home address. This avoids the use 1400 of the Home Address option in attacks described in Section 15.1. 1402 Mobile IPv6 uses a Mobile IPv6 specific type of a routing header. 1403 This type provides the necessary functionality but does not open 1404 vulnerabilities discussed in Section 15.1. 1406 Tunnels between the mobile node and the home agent are protected by 1407 ensuring proper use of source addresses, and optional cryptographic 1408 protection. The mobile node verifies that the outer IP address 1409 corresponds to its home agent. The home agent verifies that the 1410 outer IP address corresponds to the current location of the mobile 1411 node (Binding Updates sent to the home agents are secure). The home 1412 agent identifies the mobile node through the source address of the 1413 inner packet. (Typically, this is the home address of the mobile 1414 node, but it can also be a link-local address, as discussed in 1415 Section 10.4.2. To recognize the latter type of addresses, the home 1416 agent requires that the Link-Local Address Compatibility (L) was set 1417 in the Binding Update.) These measures protect the tunnels against 1418 vulnerabilities discussed in Section 15.1. 1420 For traffic tunneled via the home agent, additional IPsec ESP 1421 encapsulation MAY be supported and used. If multicast group 1422 membership control protocols or stateful address autoconfiguration 1423 protocols are supported, payload data protection MUST be supported. 1425 6. New IPv6 Protocol, Message Types, and Destination Option 1427 6.1 Mobility Header 1429 The Mobility Header is an extension header used by mobile nodes, 1430 correspondent nodes, and home agents in all messaging related to the 1431 creation and management of bindings. The subsections within this 1432 section describe the message types that may be sent using the 1433 Mobility Header. 1435 Mobility Header messages MUST NOT be sent with a type 2 routing 1436 header, except as described in Section 9.5.4 for Binding 1437 Acknowledgement. Mobility Header messages also MUST NOT be used with 1438 a Home Address destination option, except as described in Section 1439 11.7.1 and Section 11.7.2 for Binding Update. Binding Update List or 1440 Binding Cache information (when present) for the destination MUST NOT 1441 be used in sending Mobility Header messages. That is, Mobility 1442 Header messages bypass both the Binding Cache check described in 1443 Section 9.3.2 and the Binding Update List check described in Section 1444 11.3.1 which are normally performed for all packets. This applies 1445 even to messages sent to or from a correspondent node which is itself 1446 a mobile node. 1448 6.1.1 Format 1450 The Mobility Header is identified by a Next Header value of TBD in the immediately preceding header, and has the 1452 following format: 1454 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1455 | Payload Proto | Header Len | MH Type | Reserved | 1456 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1457 | Checksum | | 1458 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1459 | | 1460 . . 1461 . Message Data . 1462 . . 1463 | | 1464 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1466 Payload Proto 1468 8-bit selector. Identifies the type of header immediately 1469 following the Mobility Header. Uses the same values as the IPv6 1470 Next Header field [11]. 1472 This field is intended to be used by a future extension (see 1473 Appendix B.1). 1475 Implementations conforming to this specification SHOULD set the 1476 payload protocol type to IPPROTO_NONE (59 decimal). 1478 Header Len 1480 8-bit unsigned integer, representing the length of the Mobility 1481 Header in units of 8 octets, excluding the first 8 octets. 1483 The length of the Mobility Header MUST be a multiple of 8 octets. 1485 MH Type 1487 8-bit selector. Identifies the particular mobility message in 1488 question. Current values are specified in Section 6.1.2 and 1489 onward. An unrecognized MH Type field causes an error indication 1490 to be sent. 1492 Reserved 1494 8-bit field reserved for future use. The value MUST be 1495 initialized to zero by the sender, and MUST be ignored by the 1496 receiver. 1498 Checksum 1500 16-bit unsigned integer. This field contains the checksum of the 1501 Mobility Header. The checksum is calculated from the octet string 1502 consisting of a "pseudo-header" followed by the entire Mobility 1503 Header starting with the Payload Proto field. The checksum is the 1504 16-bit one's complement of the one's complement sum of this 1505 string. 1507 The pseudo-header contains IPv6 header fields, as specified in 1508 Section 8.1 of RFC 2460 [11]. The Next Header value used in the 1509 pseudo-header is TBD . The addresses used 1510 in the pseudo-header are the addresses that appear in the Source 1511 and Destination Address fields in the IPv6 packet carrying the 1512 Mobility Header. 1514 Note that the procedures of calculating upper layer checksums 1515 while away from home described in Section 11.3.1 apply even for 1516 the Mobility Header. If a mobility message has a Home Address 1517 destination option, then the checksum calculation uses the home 1518 address in this option as the value of the IPv6 Source Address 1519 field. The type 2 routing header is treated as explained in [11]. 1521 The Mobility Header is considered as the upper layer protocol for 1522 the purposes of calculating the pseudo-header. The Upper-Layer 1523 Packet Length field in the pseudo-header MUST be set to the total 1524 length of the Mobility Header. 1526 For computing the checksum, the checksum field is set to zero. 1528 Message Data 1530 A variable length field containing the data specific to the 1531 indicated Mobility Header type. 1533 Mobile IPv6 also defines a number of "mobility options" for use 1534 within these messages; if included, any options MUST appear after the 1535 fixed portion of the message data specified in this document. The 1536 presence of such options will be indicated by the Header Len field 1537 within the message. When the Header Len value is greater than the 1538 length required for the message specified here, the remaining octets 1539 are interpreted as mobility options. These options include padding 1540 options that can be used to ensure that other options are aligned 1541 properly, and that the total length of the message is divisible by 8. 1542 The encoding and format of defined options are described in Section 1543 6.2. 1545 Alignment requirements for the Mobility Header are the same as for 1546 any IPv6 protocol Header. That is, they MUST be aligned on an 1547 8-octet boundary. 1549 6.1.2 Binding Refresh Request Message 1551 The Binding Refresh Request (BRR) message requests a mobile node to 1552 update its mobility binding. This message is sent by correspondent 1553 nodes according to the rules in Section 9.5.5. When a mobile node 1554 receives a packet containing a Binding Refresh Request message it 1555 processes the message according to the rules in Section 11.7.4. 1557 The Binding Refresh Request message uses the MH Type value 0. When 1558 this value is indicated in the MH Type field, the format of the 1559 Message Data field in the Mobility Header is as follows: 1561 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1562 | Reserved | 1563 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1564 | | 1565 . . 1566 . Mobility options . 1567 . . 1568 | | 1569 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1571 Reserved 1573 16-bit field reserved for future use. The value MUST be 1574 initialized to zero by the sender, and MUST be ignored by the 1575 receiver. 1577 Mobility Options 1579 Variable-length field of such length that the complete Mobility 1580 Header is an integer multiple of 8 octets long. This field 1581 contains zero or more TLV-encoded mobility options. The encoding 1582 and format of defined options are described in Section 6.2. The 1583 receiver MUST ignore and skip any options which it does not 1584 understand. 1586 There MAY be additional information, associated with this Binding 1587 Refresh Request message that need not be present in all Binding 1588 Refresh Request messages sent. Mobility options allow future 1589 extensions to the format of the Binding Refresh Request message to 1590 be defined. This specification does not define any options valid 1591 for the Binding Refresh Request message. 1593 If no actual options are present in this message, no padding is 1594 necessary and the Header Len field will be set to 0. 1596 6.1.3 Home Test Init Message 1598 A mobile node uses the Home Test Init (HoTI) message to initiate the 1599 return routability procedure and request a home keygen token from a 1600 correspondent node (see Section 11.6.1). The Home Test Init message 1601 uses the MH Type value 1. When this value is indicated in the MH 1602 Type field, the format of the Message Data field in the Mobility 1603 Header is as follows: 1605 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1606 | Reserved | 1607 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1608 | | 1609 + Home Init Cookie + 1610 | | 1611 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1612 | | 1613 . . 1614 . Mobility Options . 1615 . . 1616 | | 1617 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1619 Reserved 1621 16-bit field reserved for future use. This value MUST be 1622 initialized to zero by the sender, and MUST be ignored by the 1623 receiver. 1625 Home Init Cookie 1627 64-bit field which contains a random value, the home init cookie. 1629 Mobility Options 1631 Variable-length field of such length that the complete Mobility 1632 Header is an integer multiple of 8 octets long. This field 1633 contains zero or more TLV-encoded mobility options. The receiver 1634 MUST ignore and skip any options which it does not understand. 1635 This specification does not define any options valid for the Home 1636 Test Init message. 1638 If no actual options are present in this message, no padding is 1639 necessary and the Header Len field will be set to 1. 1641 This message is tunneled through the home agent when the mobile node 1642 is away from home. Such tunneling SHOULD employ IPsec ESP in tunnel 1643 mode between the home agent and the mobile node. This protection is 1644 indicated by the IPsec security policy database. The protection of 1645 Home Test Init messages is unrelated to the requirement to protect 1646 regular payload traffic, which MAY use such tunnels as well. 1648 6.1.4 Care-of Test Init Message 1650 A mobile node uses the Care-of Test Init (CoTI) message to initiate 1651 the return routability procedure and request a care-of keygen token 1652 from a correspondent node (see Section 11.6.1). The Care-of Test 1653 Init message uses the MH Type value 2. When this value is indicated 1654 in the MH Type field, the format of the Message Data field in the 1655 Mobility Header is as follows: 1657 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1658 | Reserved | 1659 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1660 | | 1661 + Care-of Init Cookie + 1662 | | 1663 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1664 | | 1665 . . 1666 . Mobility Options . 1667 . . 1668 | | 1669 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1671 Reserved 1673 16-bit field reserved for future use. The value MUST be 1674 initialized to zero by the sender, and MUST be ignored by the 1675 receiver. 1677 Care-of Init Cookie 1679 64-bit field which contains a random value, the care-of init 1680 cookie. 1682 Mobility Options 1684 Variable-length field of such length that the complete Mobility 1685 Header is an integer multiple of 8 octets long. This field 1686 contains zero or more TLV-encoded mobility options. The receiver 1687 MUST ignore and skip any options which it does not understand. 1688 This specification does not define any options valid for the 1689 Care-of Test Init message. 1691 If no actual options are present in this message, no padding is 1692 necessary and the Header Len field will be set to 1. 1694 6.1.5 Home Test Message 1696 The Home Test (HoT) message is a response to the Home Test Init 1697 message, and is sent from the correspondent node to the mobile node 1698 (see Section 5.2.5). The Home Test message uses the MH Type value 3. 1699 When this value is indicated in the MH Type field, the format of the 1700 Message Data field in the Mobility Header is as follows: 1702 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1703 | Home Nonce Index | 1704 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1705 | | 1706 + Home Init Cookie + 1707 | | 1708 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1709 | | 1710 + Home Keygen Token + 1711 | | 1712 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1713 | | 1714 . . 1715 . Mobility options . 1716 . . 1717 | | 1718 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1720 Home Nonce Index 1722 This field will be echoed back by the mobile node to the 1723 correspondent node in a subsequent Binding Update. 1725 Home Init Cookie 1727 64-bit field which contains the home init cookie. 1729 Home Keygen Token 1731 This field contains the 64 bit home keygen token used in the 1732 return routability procedure. 1734 Mobility Options 1736 Variable-length field of such length that the complete Mobility 1737 Header is an integer multiple of 8 octets long. This field 1738 contains zero or more TLV-encoded mobility options. The receiver 1739 MUST ignore and skip any options which it does not understand. 1740 This specification does not define any options valid for the Home 1741 Test message. 1743 If no actual options are present in this message, no padding is 1744 necessary and the Header Len field will be set to 2. 1746 6.1.6 Care-of Test Message 1748 The Care-of Test (CoT) message is a response to the Care-of Test Init 1749 message, and is sent from the correspondent node to the mobile node 1750 (see Section 11.6.2). The Care-of Test message uses the MH Type 1751 value 4. When this value is indicated in the MH Type field, the 1752 format of the Message Data field in the Mobility Header is as 1753 follows: 1755 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1756 | Care-of Nonce Index | 1757 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1758 | | 1759 + Care-of Init Cookie + 1760 | | 1761 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1762 | | 1763 + Care-of Keygen Token + 1764 | | 1765 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1766 | | 1767 . . 1768 . Mobility Options . 1769 . . 1770 | | 1771 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1773 Care-of Nonce Index 1775 This value will be echoed back by the mobile node to the 1776 correspondent node in a subsequent Binding Update. 1778 Care-of Init Cookie 1780 64-bit field which contains the care-of init cookie. 1782 Care-of Keygen Token 1784 This field contains the 64 bit care-of keygen token used in the 1785 return routability procedure. 1787 Mobility Options 1789 Variable-length field of such length that the complete Mobility 1790 Header is an integer multiple of 8 octets long. This field 1791 contains zero or more TLV-encoded mobility options. The receiver 1792 MUST ignore and skip any options which it does not understand. 1793 This specification does not define any options valid for the 1794 Care-of Test message. 1796 If no actual options are present in this message, no padding is 1797 necessary and the Header Len field will be set to 2. 1799 6.1.7 Binding Update Message 1801 The Binding Update (BU) message is used by a mobile node to notify 1802 other nodes of a new care-of address for itself. Binding Updates are 1803 sent as described in Section 11.7.1 and Section 11.7.2. 1805 The Binding Update uses the MH Type value 5. When this value is 1806 indicated in the MH Type field, the format of the Message Data field 1807 in the Mobility Header is as follows: 1809 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1810 | Sequence # | 1811 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1812 |A|H|L|K| Reserved | Lifetime | 1813 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1814 | | 1815 . . 1816 . Mobility options . 1817 . . 1818 | | 1819 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1821 Acknowledge (A) 1823 The Acknowledge (A) bit is set by the sending mobile node to 1824 request a Binding Acknowledgement (Section 6.1.8) be returned upon 1825 receipt of the Binding Update. 1827 Home Registration (H) 1829 The Home Registration (H) bit is set by the sending mobile node to 1830 request that the receiving node should act as this node's home 1831 agent. The destination of the packet carrying this message MUST 1832 be that of a router sharing the same subnet prefix as the home 1833 address of the mobile node in the binding. 1835 Link-Local Address Compatibility (L) 1837 The Link-Local Address Compatibility (L) bit is set when the home 1838 address reported by the mobile node has the same interface 1839 identifier as the mobile node's link-local address. 1841 Key Management Mobility Capability (K) 1843 If this bit is cleared, the protocol used for establishing the 1844 IPsec security associations between the mobile node and the home 1845 agent does not survive movements. It may then have to be rerun. 1846 (Note that the IPsec security associations themselves are expected 1847 to survive movements.) If manual IPsec configuration is used, the 1848 bit MUST be set to 1. 1850 This bit is valid only in Binding Updates sent to the home agent, 1851 and MUST be cleared in other Binding Updates. Correspondent nodes 1852 MUST ignore this bit. 1854 Reserved 1856 These fields are unused. They MUST be initialized to zero by the 1857 sender and MUST be ignored by the receiver. 1859 Sequence # 1861 A 16-bit unsigned integer used by the receiving node to sequence 1862 Binding Updates and by the sending node to match a returned 1863 Binding Acknowledgement with this Binding Update. 1865 Lifetime 1867 16-bit unsigned integer. The number of time units remaining 1868 before the binding MUST be considered expired. A value of zero 1869 indicates that the Binding Cache entry for the mobile node MUST be 1870 deleted. (In this case the specified care-of address MUST also be 1871 set equal to the home address.) One time unit is 4 seconds. 1873 Mobility Options 1875 Variable-length field of such length that the complete Mobility 1876 Header is an integer multiple of 8 octets long. This field 1877 contains zero or more TLV-encoded mobility options. The encoding 1878 and format of defined options are described in Section 6.2. The 1879 receiver MUST ignore and skip any options which it does not 1880 understand. 1882 The following options are valid in a Binding Update: 1884 * Binding Authorization Data option (this option is mandatory in 1885 Binding Updates sent to a correspondent node) 1887 * Nonce Indices option. 1889 * Alternate Care-of Address option 1891 If no options are present in this message, 4 octets of padding is 1892 necessary and the Header Len field will be set to 1. 1894 The care-of address is specified either by the Source Address field 1895 in the IPv6 header or by the Alternate Care-of Address option, if 1896 present. The care-of address MUST be a unicast routable address. 1897 IPv6 Source Address MUST be a topologically correct source address. 1898 Binding Updates for a care-of address which is not a unicast routable 1899 address MUST be silently discarded. Similarly, the Binding Update 1900 MUST be silently discarded if the care-of address appears as a home 1901 address in an existing Binding Cache entry, with its current location 1902 creating a circular reference back to the home address specified in 1903 the Binding Update (possibly through additional entries). 1905 The deletion of a binding can be indicated by setting the Lifetime 1906 field to 0 and by setting the care-of address equal to the home 1907 address. In deletion, the generation of the binding management key 1908 depends exclusively on the home keygen token, as explained in Section 1909 5.2.5. (Note that while the senders are required to set both the 1910 Lifetime field to 0 and the care-of address equal to the home 1911 address, Section 9.5.1 rules for receivers are more liberal, and 1912 interpret either condition as a deletion.) 1914 Correspondent nodes SHOULD NOT expire the Binding Cache entry before 1915 the lifetime expires, if any application hosted by the correspondent 1916 node is still likely to require communication with the mobile node. 1917 A Binding Cache entry that is deallocated prematurely might cause 1918 subsequent packets to be dropped from the mobile node, if they 1919 contain the Home Address destination option. This situation is 1920 recoverable, since an Binding Error message is sent to the mobile 1921 node (see Section 6.1.9); however, it causes unnecessary delay in the 1922 communications. 1924 6.1.8 Binding Acknowledgement Message 1926 The Binding Acknowledgement is used to acknowledge receipt of a 1927 Binding Update (Section 6.1.7). This packet is sent as described in 1928 Section 9.5.4 and Section 10.3.1. 1930 The Binding Acknowledgement has the MH Type value 6. When this value 1931 is indicated in the MH Type field, the format of the Message Data 1932 field in the Mobility Header is as follows: 1934 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1935 | Status |K| Reserved | 1936 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1937 | Sequence # | Lifetime | 1938 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1939 | | 1940 . . 1941 . Mobility options . 1942 . . 1943 | | 1944 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1946 Key Management Mobility Capability (K) 1948 If this bit is cleared, the protocol used by the home agent for 1949 establishing the IPsec security associations between the mobile 1950 node and the home agent does not survive movements. It may then 1951 have to be rerun. (Note that the IPsec security associations 1952 themselves are expected to survive movements.) 1954 Correspondent nodes MUST set the K bit to 0. 1956 Reserved 1958 These fields are unused. They MUST be initialized to zero by the 1959 sender and MUST be ignored by the receiver. 1961 Status 1963 8-bit unsigned integer indicating the disposition of the Binding 1964 Update. Values of the Status field less than 128 indicate that 1965 the Binding Update was accepted by the receiving node. Values 1966 greater than or equal to 128 indicate that the Binding Update was 1967 rejected by the receiving node. The following Status values are 1968 currently defined: 1970 0 Binding Update accepted 1972 1 Accepted but prefix discovery necessary 1974 128 Reason unspecified 1976 129 Administratively prohibited 1978 130 Insufficient resources 1979 131 Home registration not supported 1981 132 Not home subnet 1983 133 Not home agent for this mobile node 1985 134 Duplicate Address Detection failed 1987 135 Sequence number out of window 1989 136 Expired home nonce index 1991 137 Expired care-of nonce index 1993 138 Expired nonces 1995 139 Registration type change disallowed 1997 Up-to-date values of the Status field are to be specified in the 1998 IANA registry of assigned numbers [19]. 2000 Sequence # 2002 The Sequence Number in the Binding Acknowledgement is copied from 2003 the Sequence Number field in the Binding Update. It is used by 2004 the mobile node in matching this Binding Acknowledgement with an 2005 outstanding Binding Update. 2007 Lifetime 2009 The granted lifetime, in time units of 4 seconds, for which this 2010 node SHOULD retain the entry for this mobile node in its Binding 2011 Cache. 2013 The value of this field is undefined if the Status field indicates 2014 that the Binding Update was rejected. 2016 Mobility Options 2018 Variable-length field of such length that the complete Mobility 2019 Header is an integer multiple of 8 octets long. This field 2020 contains zero or more TLV-encoded mobility options. The encoding 2021 and format of defined options are described in Section 6.2. The 2022 receiver MUST ignore and skip any options which it does not 2023 understand. 2025 There MAY be additional information, associated with this Binding 2026 Acknowledgement that need not be present in all Binding 2027 Acknowledgements sent. Mobility options allow future extensions 2028 to the format of the Binding Acknowledgement to be defined. The 2029 following options are valid for the Binding Acknowledgement: 2031 * Binding Authorization Data option (this option is mandatory in 2032 Binding Acknowledgements sent by a correspondent node, except 2033 where otherwise noted in Section 9.5.4) 2035 * Binding Refresh Advice option 2037 If no options are present in this message, 4 octets of padding is 2038 necessary and the Header Len field will be set to 1. 2040 6.1.9 Binding Error Message 2042 The Binding Error (BE) message is used by the correspondent node to 2043 signal an error related to mobility, such as an inappropriate attempt 2044 to use the Home Address destination option without an existing 2045 binding; see Section 9.3.3 for details. 2047 The Binding Error message uses the MH Type value 7. When this value 2048 is indicated in the MH Type field, the format of the Message Data 2049 field in the Mobility Header is as follows: 2051 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2052 | Status | Reserved | 2053 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2054 | | 2055 + + 2056 | | 2057 + Home Address + 2058 | | 2059 + + 2060 | | 2061 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2062 . . 2063 . Mobility Options . 2064 . . 2065 | | 2066 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2068 Status 2070 8-bit unsigned integer indicating the reason for this message. 2071 The following values are currently defined: 2073 1 Unknown binding for Home Address destination option 2075 2 Unrecognized MH Type value 2077 Reserved 2079 A 8-bit field reserved for future use. The value MUST be 2080 initialized to zero by the sender, and MUST be ignored by the 2081 receiver. 2083 Home Address 2085 The home address that was contained in the Home Address 2086 destination option. The mobile node uses this information to 2087 determine which binding does not exist, in cases where the mobile 2088 node has several home addresses. 2090 Mobility Options 2092 Variable-length field of such length that the complete Mobility 2093 Header is an integer multiple of 8 octets long. This field 2094 contains zero or more TLV-encoded mobility options. The receiver 2095 MUST ignore and skip any options which it does not understand. 2097 There MAY be additional information, associated with this Binding 2098 Error message that need not be present in all Binding Error 2099 messages sent. Mobility options allow future extensions to the 2100 format of the format of the Binding Error message to be defined. 2101 The encoding and format of defined options are described in 2102 Section 6.2. This specification does not define any options valid 2103 for the Binding Error message. 2105 If no actual options are present in this message, no padding is 2106 necessary and the Header Len field will be set to 2. 2108 6.2 Mobility Options 2110 Mobility messages can include zero or more mobility options. This 2111 allows optional fields that may not be needed in every use of a 2112 particular Mobility Header, as well as future extensions to the 2113 format of the messages. Such options are included in the Message 2114 Data field of the message itself, after the fixed portion of the 2115 message data specified in the message subsections of Section 6.1. 2117 The presence of such options will be indicated by the Header Len of 2118 the Mobility Header. If included, the Binding Authorization Data 2119 option (Section 6.2.7) MUST be the last option and MUST NOT have 2120 trailing padding. Otherwise, options can be placed in any order. 2122 6.2.1 Format 2124 Mobility options are encoded within the remaining space of the 2125 Message Data field of a mobility message, using a type-length-value 2126 (TLV) format as follows: 2128 0 1 2 3 2129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2131 | Option Type | Option Length | Option Data... 2132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2134 Option Type 2136 8-bit identifier of the type of mobility option. When processing 2137 a Mobility Header containing an option for which the Option Type 2138 value is not recognized by the receiver, the receiver MUST quietly 2139 ignore and skip over the option, correctly handling any remaining 2140 options in the message. 2142 Option Length 2144 8-bit unsigned integer, representing the length in octets of the 2145 mobility option, not including the Option Type and Option Length 2146 fields. 2148 Option Data 2150 A variable length field that contains data specific to the option. 2152 The following subsections specify the Option types which are 2153 currently defined for use in the Mobility Header. 2155 Implementations MUST silently ignore any mobility options that they 2156 do not understand. 2158 Mobility options may have alignment requirements. Following the 2159 convention in IPv6, these options are aligned in a packet so that 2160 multi-octet values within the Option Data field of each option fall 2161 on natural boundaries (i.e., fields of width n octets are placed at 2162 an integer multiple of n octets from the start of the header, for n = 2163 1, 2, 4, or 8) [11]. 2165 6.2.2 Pad1 2167 The Pad1 option does not have any alignment requirements. Its format 2168 is as follows: 2170 0 2171 0 1 2 3 4 5 6 7 2172 +-+-+-+-+-+-+-+-+ 2173 | Type = 0 | 2174 +-+-+-+-+-+-+-+-+ 2176 NOTE! the format of the Pad1 option is a special case - it has 2177 neither Option Length nor Option Data fields. 2179 The Pad1 option is used to insert one octet of padding in the 2180 Mobility Options area of a Mobility Header. If more than one octet 2181 of padding is required, the PadN option, described next, should be 2182 used rather than multiple Pad1 options. 2184 6.2.3 PadN 2186 The PadN option does not have any alignment requirements. Its format 2187 is as follows: 2189 0 1 2190 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 2191 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - 2192 | Type = 1 | Option Length | Option Data 2193 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - 2195 The PadN option is used to insert two or more octets of padding in 2196 the Mobility Options area of a mobility message. For N octets of 2197 padding, the Option Length field contains the value N-2, and the 2198 Option Data consists of N-2 zero-valued octets. PadN Option data 2199 MUST be ignored by the receiver. 2201 6.2.4 Binding Refresh Advice 2203 The Binding Refresh Advice option has an alignment requirement of 2n. 2204 Its format is as follows: 2206 0 1 2 3 2207 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2208 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2209 | Type = 2 | Length = 2 | 2210 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2211 | Refresh Interval | 2212 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2214 The Binding Refresh Advice option is only valid in the Binding 2215 Acknowledgement, and only on Binding Acknowledgements sent from the 2216 mobile node's home agent in reply to a home registration. The 2217 Refresh Interval is measured in units of four seconds, and indicates 2218 how long before the mobile node SHOULD send a new home registration 2219 to the home agent. The Refresh Interval MUST be set to indicate a 2220 smaller time interval than the Lifetime value of the Binding 2221 Acknowledgement. 2223 6.2.5 Alternate Care-of Address 2225 The Alternate Care-of Address option has an alignment requirement of 2226 8n+6. Its format is as follows: 2228 0 1 2 3 2229 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2230 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2231 | Type = 3 | Length = 16 | 2232 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2233 | | 2234 + + 2235 | | 2236 + Alternate Care-of Address + 2237 | | 2238 + + 2239 | | 2240 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2242 Normally, a Binding Update specifies the desired care-of address in 2243 the Source Address field of the IPv6 header. However, this is not 2244 possible in some cases, such as when the mobile node wishes to 2245 indicate a care-of address which it cannot use as a topologically 2246 correct source address (Section 6.1.7 and Section 11.7.2) or when the 2247 used security mechanism does not protect the IPv6 header (Section 2248 11.7.1). 2250 The Alternate Care-of Address option is provided for these 2251 situations. This option is valid only in Binding Update. The 2252 Alternate Care-of Address field contains an address to use as the 2253 care-of address for the binding, rather than using the Source Address 2254 of the packet as the care-of address. 2256 6.2.6 Nonce Indices 2258 The Nonce Indices option has an alignment requirement of 2n. Its 2259 format is as follows: 2261 0 1 2 3 2262 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2263 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2264 | Type = 4 | Length = 4 | 2265 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2266 | Home Nonce Index | Care-of Nonce Index | 2267 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2269 The Nonce Indices option is valid only in the Binding Update message 2270 sent to a correspondent node, and only when present together with a 2271 Binding Authorization Data option. When the correspondent node 2272 authorizes the Binding Update, it needs to produce home and care-of 2273 keygen tokens from its stored random nonce values. 2275 The Home Nonce Index field tells the correspondent node which nonce 2276 value to use when producing the home keygen token. 2278 The Care-of Nonce Index field is ignored in requests to delete a 2279 binding. Otherwise, it tells the correspondent node which nonce 2280 value to use when producing the care-of keygen token. 2282 6.2.7 Binding Authorization Data 2284 The Binding Authorization Data option does not have alignment 2285 requirements as such. However, since this option must be the last 2286 mobility option, an implicit alignment requirement is 8n + 2. The 2287 format of this option is as follows: 2289 0 1 2 3 2290 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2291 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2292 | Type = 5 | Option Length | 2293 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2294 | | 2295 + + 2296 | Authenticator | 2297 + + 2298 | | 2299 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2301 The Binding Authorization Data option is valid in the Binding Update 2302 and Binding Acknowledgement. 2304 The Option Length field contains the length of the authenticator in 2305 octets. 2307 The Authenticator field contains a cryptographic value which can be 2308 used to determine that the message in question comes from the right 2309 authority. Rules for calculating this value depend on the used 2310 authorization procedure. 2312 For the return routability procedure, this option can appear in the 2313 Binding Update and Binding Acknowledgements. Rules for calculating 2314 the Authenticator value are the following: 2316 Mobility Data = care-of address | correspondent | MH Data 2317 Authenticator = First (96, HMAC_SHA1 (Kbm, Mobility Data)) 2319 Where | denotes concatenation and "correspondent" is the IPv6 address 2320 of the correspondent node. Note that, if the message is sent to a 2321 destination which is itself mobile, the "correspondent" address may 2322 not be the address found in the Destination Address field of the IPv6 2323 header; instead the home address from the type 2 Routing header 2324 should be used. 2326 "MH Data" is the content of the Mobility Header, excluding the 2327 Authenticator field itself. The Authenticator value is calculated as 2328 if the Checksum field in the Mobility Header was zero. The Checksum 2329 in the transmitted packet is still calculated in the usual manner, 2330 with the calculated Authenticator being a part of the packet 2331 protected by the Checksum. Kbm is the binding management key, which 2332 is typically created using nonces provided by the correspondent node 2333 (see Section 9.4). Note that while the contents of a potential Home 2334 Address destination option are not covered in this formula, the rules 2335 for the calculation of the Kbm do take the home address in account. 2336 This ensures that the MAC will be different for different home 2337 addresses. 2339 The first 96 bits from the MAC result are used as the Authenticator 2340 field. 2342 6.3 Home Address Option 2344 The Home Address option is carried by the Destination Option 2345 extension header (Next Header value = 60). It is used in a packet 2346 sent by a mobile node while away from home, to inform the recipient 2347 of the mobile node's home address. 2349 The Home Address option is encoded in type-length-value (TLV) format 2350 as follows: 2352 0 1 2 3 2353 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2354 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2355 | Option Type | Option Length | 2356 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2357 | | 2358 + + 2359 | | 2360 + Home Address + 2361 | | 2362 + + 2363 | | 2364 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2366 Option Type 2368 201 = 0xC9 2370 Option Length 2372 8-bit unsigned integer. Length of the option, in octets, 2373 excluding the Option Type and Option Length fields. This field 2374 MUST be set to 16. 2376 Home Address 2378 The home address of the mobile node sending the packet. This 2379 address MUST be a unicast routable address. 2381 The alignment requirement [11] for the Home Address option is 8n+6. 2383 The three highest-order bits of the Option Type field are encoded to 2384 indicate specific processing of the option [11]; for the Home Address 2385 option, these three bits are set to 110. This indicates the 2386 following processing requirements: 2388 o Any IPv6 node that does not recognize the Option Type must discard 2389 the packet, and if the packet's Destination Address was not a 2390 multicast address, return an ICMP Parameter Problem, Code 2, 2391 message to the packet's Source Address. The Pointer field in the 2392 ICMP message SHOULD point at the Option Type field. Otherwise, 2393 for multicast addresses, the ICMP message MUST NOT be sent. 2395 o The data within the option cannot change en-route to the packet's 2396 final destination. 2398 The Home Address option MUST be placed as follows: 2400 o After the routing header, if that header is present 2402 o Before the Fragment Header, if that header is present 2404 o Before the AH Header or ESP Header, if either one of those headers 2405 is present 2407 For each IPv6 packet header, the Home Address Option MUST NOT appear 2408 more than once. However, an encapsulated packet [15] MAY contain a 2409 separate Home Address option associated with each encapsulating IP 2410 header. 2412 The inclusion of a Home Address destination option in a packet 2413 affects the receiving node's processing of only this single packet. 2414 No state is created or modified in the receiving node as a result of 2415 receiving a Home Address option in a packet. In particular, the 2416 presence of a Home Address option in a received packet MUST NOT alter 2417 the contents of the receiver's Binding Cache and MUST NOT cause any 2418 changes in the routing of subsequent packets sent by this receiving 2419 node. 2421 6.4 Type 2 Routing Header 2423 Mobile IPv6 defines a new routing header variant, the type 2 routing 2424 header, to allow the packet to be routed directly from a 2425 correspondent to the mobile node's care-of address. The mobile 2426 node's care-of address is inserted into the IPv6 Destination Address 2427 field. Once the packet arrives at the care-of address, the mobile 2428 node retrieves its home address from the routing header, and this is 2429 used as the final destination address for the packet. 2431 The new routing header uses a different type than defined for 2432 "regular" IPv6 source routing, enabling firewalls to apply different 2433 rules to source routed packets than to Mobile IPv6. This routing 2434 header type (type 2) is restricted to carry only one IPv6 address. 2435 All IPv6 nodes which process this routing header MUST verify that the 2436 address contained within is the node's own home address in order to 2437 prevent packets from being forwarded outside the node. The IP 2438 address contained in the routing header, since it is the mobile 2439 node's home address, MUST be a unicast routable address. 2440 Furthermore, if the scope of the home address is smaller than the 2441 scope of the care-of address, the mobile node MUST discard the packet 2442 (see Section 4.6). 2444 6.4.1 Format 2446 The type 2 routing header has the following format: 2448 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2449 | Next Header | Hdr Ext Len=2 | Routing Type=2|Segments Left=1| 2450 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2451 | Reserved | 2452 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2453 | | 2454 + + 2455 | | 2456 + Home Address + 2457 | | 2458 + + 2459 | | 2460 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2462 Next Header 2464 8-bit selector. Identifies the type of header immediately 2465 following the routing header. Uses the same values as the IPv6 2466 Next Header field [11]. 2468 Hdr Ext Len 2470 2 (8-bit unsigned integer); length of the routing header in 2471 8-octet units, not including the first 8 octets 2473 Routing Type 2475 2 (8-bit unsigned integer). 2477 Segments Left 2479 1 (8-bit unsigned integer). 2481 Reserved 2483 32-bit reserved field. The value MUST be initialized to zero by 2484 the sender, and MUST be ignored by the receiver. 2486 Home Address 2488 The Home Address of the destination Mobile Node. 2490 For a type 2 routing header, the Hdr Ext Len MUST be 2. The Segments 2491 Left value describes the number of route segments remaining; i.e., 2492 number of explicitly listed intermediate nodes still to be visited 2493 before reaching the final destination. Segments Left MUST be 1. The 2494 ordering rules for extension headers in an IPv6 packet are described 2495 in Section 4.1 of RFC 2460 [11]. The type 2 routing header defined 2496 for Mobile IPv6 follows the same ordering as other routing headers. 2497 If both a type 0 and a type 2 routing header are present, the type 2 2498 routing header should follow the other routing header. A packet 2499 containing such nested encapsulation should be created as if the 2500 inner (type 2) routing header was constructed first and then treated 2501 as an original packet by the outer (type 0) routing header 2502 construction process. 2504 In addition, the general procedures defined by IPv6 for routing 2505 headers suggest that a received routing header MAY be automatically 2506 "reversed" to construct a routing header for use in any response 2507 packets sent by upper-layer protocols, if the received packet is 2508 authenticated [6]. This MUST NOT be done automatically for type 2 2509 routing headers. 2511 6.5 ICMP Home Agent Address Discovery Request Message 2513 The ICMP Home Agent Address Discovery Request message is used by a 2514 mobile node to initiate the dynamic home agent address discovery 2515 mechanism, as described in Section 11.4.1. The mobile node sends the 2516 Home Agent Address Discovery Request message to the Mobile IPv6 2517 Home-Agents anycast address [16] for its own home subnet prefix. 2518 (Note that the currently defined anycast addresses may not work with 2519 all prefix lengths other than those defined in RFC 2373 [3, 35].) 2521 0 1 2 3 2522 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2523 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2524 | Type | Code | Checksum | 2525 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2526 | Identifier | Reserved | 2527 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2529 Type 2531 150 2533 Code 2535 0 2537 Checksum 2539 The ICMP checksum [14]. 2541 Identifier 2543 An identifier to aid in matching Home Agent Address Discovery 2544 Reply messages to this Home Agent Address Discovery Request 2545 message. 2547 Reserved 2549 This field is unused. It MUST be initialized to zero by the 2550 sender and MUST be ignored by the receiver. 2552 The Source Address of the Home Agent Address Discovery Request 2553 message packet is typically one of the mobile node's current care-of 2554 addresses. At the time of performing this dynamic home agent address 2555 discovery procedure, it is likely that the mobile node is not 2556 registered with any home agent. Therefore, neither the nature of the 2557 address nor the identity of the mobile node can be established at 2558 this time. The home agent MUST then return the Home Agent Address 2559 Discovery Reply message directly to the Source Address chosen by the 2560 mobile node. 2562 6.6 ICMP Home Agent Address Discovery Reply Message 2564 The ICMP Home Agent Address Discovery Reply message is used by a home 2565 agent to respond to a mobile node that uses the dynamic home agent 2566 address discovery mechanism, as described in Section 10.5. 2568 0 1 2 3 2569 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2570 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2571 | Type | Code | Checksum | 2572 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2573 | Identifier | Reserved | 2574 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2575 | | 2576 + + 2577 . . 2578 . Home Agent Addresses . 2579 . . 2580 + + 2581 | | 2582 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2584 Type 2586 151 2588 Code 2590 0 2592 Checksum 2594 The ICMP checksum [14]. 2596 Identifier 2598 The identifier from the invoking Home Agent Address Discovery 2599 Request message. 2601 Reserved 2603 This field is unused. It MUST be initialized to zero by the 2604 sender and MUST be ignored by the receiver. 2606 Home Agent Addresses 2608 A list of addresses of home agents on the home link for the mobile 2609 node. The number of addresses present in the list is indicated by 2610 the remaining length of the IPv6 packet carrying the Home Agent 2611 Address Discovery Reply message. 2613 6.7 ICMP Mobile Prefix Solicitation Message Format 2615 The ICMP Mobile Prefix Solicitation Message is sent by a mobile node 2616 to its home agent while it is away from home. The purpose of the 2617 message is to solicit a Mobile Prefix Advertisement from the home 2618 agent, which will allow the mobile node to gather prefix information 2619 about its home network. This information can be used to configure 2620 and update home address(es) according to changes in prefix 2621 information supplied by the home agent. 2623 0 1 2 3 2624 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2625 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2626 | Type | Code | Checksum | 2627 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2628 | Identifier | Reserved | 2629 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2631 IP Fields: 2633 Source Address 2635 The mobile node's care-of address. 2637 Destination Address 2639 The address of the mobile node's home agent. This home agent must 2640 be on the link which the mobile node wishes to learn prefix 2641 information about. 2643 Hop Limit 2645 Set to an initial hop limit value, similarly to any other unicast 2646 packet sent by the mobile node. 2648 Destination Option: 2650 A Home Address destination option MUST be included. 2652 ESP header: 2654 IPsec headers MUST be supported and SHOULD be used as described in 2655 Section 5.4. 2657 ICMP Fields: 2659 Type 2661 152 2663 Code 2665 0 2667 Checksum 2669 The ICMP checksum [14]. 2671 Identifier 2673 An identifier to aid in matching a future Mobile Prefix 2674 Advertisement to this Mobile Prefix Solicitation. 2676 Reserved 2678 This field is unused. It MUST be initialized to zero by the 2679 sender and MUST be ignored by the receiver. 2681 The Mobile Prefix Solicitation messages may have options. These 2682 options MUST use the option format defined in RFC 2461 [12]. This 2683 document does not define any option types for the Mobile Prefix 2684 Solicitation message, but future documents may define new options. 2685 Home agents MUST silently ignore any options they do not recognize 2686 and continue processing the message. 2688 6.8 ICMP Mobile Prefix Advertisement Message Format 2690 A home agent will send a Mobile Prefix Advertisement to a mobile node 2691 to distribute prefix information about the home link while the mobile 2692 node is traveling away from the home network. This will occur in 2693 response to a Mobile Prefix Solicitation with an Advertisement, or by 2694 an unsolicited Advertisement sent according to the rules in Section 2695 10.6. 2697 0 1 2 3 2698 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2699 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2700 | Type | Code | Checksum | 2701 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2702 | Identifier |M|O| Reserved | 2703 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2704 | Options ... 2705 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2707 IP Fields: 2709 Source Address 2711 The home agent's address as the mobile node would expect to see it 2712 (i.e., same network prefix). 2714 Destination Address 2716 If this message is a response to a Mobile Prefix Solicitation, 2717 this field contains the Source Address field from that packet. 2718 For unsolicited messages, the mobile node's care-of address SHOULD 2719 be used. Note that unsolicited messages can only be sent if the 2720 mobile node is currently registered with the home agent. 2722 Routing header: 2724 A type 2 routing header MUST be included. 2726 ESP header: 2728 IPsec headers MUST be supported and SHOULD be used as described in 2729 Section 5.4. 2731 ICMP Fields: 2733 Type 2735 153 2737 Code 2739 0 2741 Checksum 2743 The ICMP checksum [14]. 2745 Identifier 2747 An identifier to aid in matching this Mobile Prefix Advertisement 2748 to a previous Mobile Prefix Solicitation. 2750 M 2752 1-bit Managed Address Configuration flag. When set, hosts use the 2753 administered (stateful) protocol for address autoconfiguration in 2754 addition to any addresses autoconfigured using stateless address 2755 autoconfiguration. The use of this flag is described in [12, 13]. 2757 O 2759 1-bit Other Stateful Configuration flag. When set, hosts use the 2760 administered (stateful) protocol for autoconfiguration of other 2761 (non-address) information. The use of this flag is described in 2762 [12, 13]. 2764 Reserved 2766 This field is unused. It MUST be initialized to zero by the 2767 sender and MUST be ignored by the receiver. 2769 The Mobile Prefix Advertisement messages may have options. These 2770 options MUST use the option format defined in RFC 2461. This document defines one option 2772 which may be carried in a Mobile Prefix Advertisement message, but 2773 future documents may define new options. Home agents MUST silently 2774 ignore any options they do not recognize and continue processing the 2775 message. 2777 Prefix Information 2779 Each message contains one or more Prefix Information options. 2780 Each option carries the prefix(es) that the mobile node should use 2781 to configure its home address(es). Section 10.6 describes which 2782 prefixes should be advertised to the mobile node. 2784 The Prefix Information option is defined in Section 4.6.2 of RFC 2785 2461 [12], with modifications defined in Section 7.2 of this 2786 specification. The home agent MUST use this modified Prefix 2787 Information option to send home network prefixes as defined in 2788 Section 10.6.1. 2790 If the Advertisement is sent in response to a Mobile Prefix 2791 Solicitation, the home agent MUST copy the Identifier value from that 2792 message into the Identifier field of the Advertisement. 2794 The home agent MUST NOT send more than one Mobile Prefix 2795 Advertisement message per second to any mobile node. 2797 The M and O bits MUST be cleared if the Home Agent DHCPv6 support is 2798 not provided. If such support is provided then they are set in 2799 concert with the home network's administrative settings. 2801 7. Modifications to IPv6 Neighbor Discovery 2803 7.1 Modified Router Advertisement Message Format 2805 Mobile IPv6 modifies the format of the Router Advertisement message 2806 [12] by the addition of a single flag bit to indicate that the router 2807 sending the Advertisement message is serving as a home agent on this 2808 link. The format of the Router Advertisement message is as follows: 2810 0 1 2 3 2811 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2812 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2813 | Type | Code | Checksum | 2814 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2815 | Cur Hop Limit |M|O|H| Reserved| Router Lifetime | 2816 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2817 | Reachable Time | 2818 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2819 | Retrans Timer | 2820 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2821 | Options ... 2822 +-+-+-+-+-+-+-+-+-+-+-+- 2824 This format represents the following changes over that originally 2825 specified for Neighbor Discovery [12]: 2827 Home Agent (H) 2829 The Home Agent (H) bit is set in a Router Advertisement to 2830 indicate that the router sending this Router Advertisement is also 2831 functioning as a Mobile IPv6 home agent on this link. 2833 Reserved 2835 Reduced from a 6-bit field to a 5-bit field to account for the 2836 addition of the above bit. 2838 7.2 Modified Prefix Information Option Format 2840 Mobile IPv6 requires knowledge of a router's global address in 2841 building a Home Agents List as part of the dynamic home agent address 2842 discovery mechanism. 2844 However, Neighbor Discovery [12] only advertises a router's 2845 link-local address, by requiring this address to be used as the IP 2846 Source Address of each Router Advertisement. 2848 Mobile IPv6 extends Neighbor Discovery to allow a router to advertise 2849 its global address, by the addition of a single flag bit in the 2850 format of a Prefix Information option for use in Router Advertisement 2851 messages. The format of the Prefix Information option is as follows: 2853 0 1 2 3 2854 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2855 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2856 | Type | Length | Prefix Length |L|A|R|Reserved1| 2857 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2858 | Valid Lifetime | 2859 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2860 | Preferred Lifetime | 2861 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2862 | Reserved2 | 2863 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2864 | | 2865 + + 2866 | | 2867 + Prefix + 2868 | | 2869 + + 2870 | | 2871 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2873 This format represents the following changes over that originally 2874 specified for Neighbor Discovery [12]: 2876 Router Address (R) 2878 1-bit router address flag. When set, indicates that the Prefix 2879 field contains a complete IP address assigned to the sending 2880 router. The indicated prefix is the first Prefix Length bits of 2881 the Prefix field. The router IP address has the same scope and 2882 conforms to the same lifetime values as the advertised prefix. 2883 This use of the Prefix field is compatible with its use in 2884 advertising the prefix itself, since Prefix Advertisement uses 2885 only the leading bits. Interpretation of this flag bit is thus 2886 independent of the processing required for the On-Link (L) and 2887 Autonomous Address-Configuration (A) flag bits. 2889 Reserved1 2891 Reduced from a 6-bit field to a 5-bit field to account for the 2892 addition of the above bit. 2894 In a Router Advertisement, a home agent MUST, and all other routers 2895 MAY, include at least one Prefix Information option with the Router 2896 Address (R) bit set. Neighbor Discovery specifies that, if including 2897 all options in a Router Advertisement causes the size of the 2898 Advertisement to exceed the link MTU, multiple Advertisements can be 2899 sent, each containing a subset of the options [12]. Also, when 2900 sending unsolicited multicast Router Advertisements more frequently 2901 than the limit specified in RFC 2461 [12], the sending router need 2902 not include all options in each of these Advertisements. However, in 2903 both of these cases the router SHOULD include at least one Prefix 2904 Information option with the Router Address (R) bit set in each such 2905 advertisement, if this bit is set in some advertisement sent by the 2906 router. 2908 In addition, the following requirement can assist mobile nodes in 2909 movement detection. Barring changes in the prefixes for the link, 2910 routers that send multiple Router Advertisements with the Router 2911 Address (R) bit set in some of the included Prefix Information 2912 options SHOULD provide at least one option and router address which 2913 stays the same in all of the Advertisements. 2915 7.3 New Advertisement Interval Option Format 2917 Mobile IPv6 defines a new Advertisement Interval option, used in 2918 Router Advertisement messages to advertise the interval at which the 2919 sending router sends unsolicited multicast Router Advertisements. 2920 The format of the Advertisement Interval option is as follows: 2922 0 1 2 3 2923 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2924 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2925 | Type | Length | Reserved | 2926 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2927 | Advertisement Interval | 2928 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2930 Type 2932 7 2934 Length 2936 8-bit unsigned integer. The length of the option (including the 2937 type and length fields) in units of 8 octets. The value of this 2938 field MUST be 1. 2940 Reserved 2942 This field is unused. It MUST be initialized to zero by the 2943 sender and MUST be ignored by the receiver. 2945 Advertisement Interval 2947 32-bit unsigned integer. The maximum time, in milliseconds, 2948 between successive unsolicited router Router Advertisement 2949 messages sent by this router on this network interface. Using the 2950 conceptual router configuration variables defined by Neighbor 2951 Discovery [12], this field MUST be equal to the value 2952 MaxRtrAdvInterval, expressed in milliseconds. 2954 Routers MAY include this option in their Router Advertisements. A 2955 mobile node receiving a Router Advertisement containing this option 2956 SHOULD utilize the specified Advertisement Interval for that router 2957 in its movement detection algorithm, as described in Section 11.5.1. 2959 This option MUST be silently ignored for other Neighbor Discovery 2960 messages. 2962 7.4 New Home Agent Information Option Format 2964 Mobile IPv6 defines a new Home Agent Information option, used in 2965 Router Advertisements sent by a home agent to advertise information 2966 specific to this router's functionality as a home agent. The format 2967 of the Home Agent Information option is as follows: 2969 0 1 2 3 2970 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2971 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2972 | Type | Length | Reserved | 2973 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2974 | Home Agent Preference | Home Agent Lifetime | 2975 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2977 Type 2979 8 2981 Length 2983 8-bit unsigned integer. The length of the option (including the 2984 type and length fields) in units of 8 octets. The value of this 2985 field MUST be 1. 2987 Reserved 2989 This field is unused. It MUST be initialized to zero by the 2990 sender and MUST be ignored by the receiver. 2992 Home Agent Preference 2994 16-bit unsigned integer. The preference for the home agent 2995 sending this Router Advertisement, for use in ordering the 2996 addresses returned to a mobile node in the Home Agent Addresses 2997 field of a Home Agent Address Discovery Reply message. Higher 2998 values mean more preferable. If this option is not included in a 2999 Router Advertisement in which the Home Agent (H) bit is set, the 3000 preference value for this home agent MUST be considered to be 0. 3001 Greater values indicate a more preferable home agent than lower 3002 values. 3004 The manual configuration of the Home Agent Preference value is 3005 described in Section 8.4. In addition, the sending home agent MAY 3006 dynamically set the Home Agent Preference value, for example 3007 basing it on the number of mobile nodes it is currently serving or 3008 on its remaining resources for serving additional mobile nodes; 3009 such dynamic settings are beyond the scope of this document. Any 3010 such dynamic setting of the Home Agent Preference, however, MUST 3011 set the preference appropriately, relative to the default Home 3012 Agent Preference value of 0 that may be in use by some home agents 3013 on this link (i.e., a home agent not including a Home Agent 3014 Information option in its Router Advertisements will be considered 3015 to have a Home Agent Preference value of 0). 3017 Home Agent Lifetime 3019 16-bit unsigned integer. The lifetime associated with the home 3020 agent in units of seconds. The default value is the same as the 3021 Router Lifetime, as specified in the main body of the Router 3022 Advertisement. The maximum value corresponds to 18.2 hours. A 3023 value of 0 MUST NOT be used. The Home Agent Lifetime applies only 3024 to this router's usefulness as a home agent; it does not apply to 3025 information contained in other message fields or options. 3027 Home agents MAY include this option in their Router Advertisements. 3028 This option MUST NOT be included in a Router Advertisement in which 3029 the Home Agent (H) bit (see Section 7.1) is not set. If this option 3030 is not included in a Router Advertisement in which the Home Agent (H) 3031 bit is set, the lifetime for this home agent MUST be considered to be 3032 the same as the Router Lifetime in the Router Advertisement. If 3033 multiple Advertisements are being sent instead of a single larger 3034 unsolicited multicast Advertisement, all of the multiple 3035 Advertisements with the Router Address (R) bit set MUST include this 3036 option with the same contents, otherwise this option MUST be omitted 3037 from all Advertisements. 3039 This option MUST be silently ignored for other Neighbor Discovery 3040 messages. 3042 If both the Home Agent Preference and Home Agent Lifetime are set to 3043 their default values specified above, this option SHOULD NOT be 3044 included in the Router Advertisement messages sent by this home 3045 agent. 3047 7.5 Changes to Sending Router Advertisements 3049 The Neighbor Discovery protocol specification [12] limits routers to 3050 a minimum interval of 3 seconds between sending unsolicited multicast 3051 Router Advertisement messages from any given network interface 3052 (limited by MinRtrAdvInterval and MaxRtrAdvInterval), stating that: 3054 "Routers generate Router Advertisements frequently enough that 3055 hosts will learn of their presence within a few minutes, but not 3056 frequently enough to rely on an absence of advertisements to 3057 detect router failure; a separate Neighbor Unreachability 3058 Detection algorithm provides failure detection." 3060 This limitation, however, is not suitable to providing timely 3061 movement detection for mobile nodes. Mobile nodes detect their own 3062 movement by learning the presence of new routers as the mobile node 3063 moves into wireless transmission range of them (or physically 3064 connects to a new wired network), and by learning that previous 3065 routers are no longer reachable. Mobile nodes MUST be able to 3066 quickly detect when they move to a link served by a new router, so 3067 that they can acquire a new care-of address and send Binding Updates 3068 to register this care-of address with their home agent and to notify 3069 correspondent nodes as needed. 3071 One method which can provide for faster movement detection, is to 3072 increase the rate at which unsolicited Router Advertisements are 3073 sent. Mobile IPv6 relaxes this limit such that routers MAY send 3074 unsolicited multicast Router Advertisements more frequently. This 3075 method can be applied where the router is expecting to provide 3076 service to visiting mobile nodes (e.g., wireless network interfaces), 3077 or on which it is serving as a home agent to one or more mobile nodes 3078 (who may return home and need to hear its Advertisements). 3080 Routers supporting mobility SHOULD be able to be configured with a 3081 smaller MinRtrAdvInterval value and MaxRtrAdvInterval value to allow 3082 sending of unsolicited multicast Router Advertisements more often. 3083 The minimum allowed values are: 3085 o MinRtrAdvInterval 0.03 seconds 3087 o MaxRtrAdvInterval 0.07 seconds 3088 In the case where the minimum intervals and delays are used, the mean 3089 time between unsolicited multicast router advertisements is 50ms. 3090 Use of these modified limits MUST be configurable (see also the 3091 configuration variable MinDelayBetweenRas in Section 13 which may 3092 also have to be modified accordingly). Systems where these values 3093 are available MUST NOT default to them, and SHOULD default to values 3094 specified in RFC 2461. Knowledge of the type of network interface 3095 and operating environment SHOULD be taken into account in configuring 3096 these limits for each network interface. This is important with some 3097 wireless links, where increasing the frequency of multicast beacons 3098 can cause considerable overhead. Routers SHOULD adhere to the 3099 intervals specified in RFC 2461 [12], if this overhead is likely to 3100 cause service degradation. 3102 Additionally, the possible low values of MaxRtrAdvInterval may cause 3103 some problems with movement detection in some mobile nodes. To 3104 ensure that this is not a problem, Routers SHOULD add 20ms to any 3105 Advertisement Intervals sent in RAs, which are below 200 ms, in order 3106 to account for scheduling granularities on both the MN and the 3107 Router. 3109 Note that multicast Router Advertisements are not always required in 3110 certain wireless networks that have limited bandwidth. Mobility 3111 detection or link changes in such networks may be done at lower 3112 layers. Router advertisements in such networks SHOULD be sent only 3113 when solicited. In such networks it SHOULD be possible to disable 3114 unsolicited multicast Router Advertisements on specific interfaces. 3115 The MinRtrAdvInterval and MaxRtrAdvInterval in such a case can be set 3116 to some high values. 3118 Home agents MUST include the Source Link-Layer Address option in all 3119 Router Advertisements they send. This simplifies the process of 3120 returning home, as discussed in Section 11.5.4. 3122 8. Requirements for Types of IPv6 Nodes 3124 Mobile IPv6 places some special requirements on the functions 3125 provided by different types of IPv6 nodes. This section summarizes 3126 those requirements, identifying the functionality each requirement is 3127 intended to support. 3129 The requirements are set for the following groups of nodes: 3131 o All IPv6 nodes. 3133 o All IPv6 nodes with support for route optimization. 3135 o All IPv6 routers. 3137 o All Mobile IPv6 home agents. 3139 o All Mobile IPv6 mobile nodes. 3141 It is outside the scope of this specification to specify which of 3142 these groups are mandatory in IPv6. We only describe what is 3143 mandatory for a node that supports, for instance, route optimization. 3144 Other specifications are expected to define the extent of IPv6. 3146 8.1 All IPv6 Nodes 3148 Any IPv6 node may at any time be a correspondent node of a mobile 3149 node, either sending a packet to a mobile node or receiving a packet 3150 from a mobile node. There are no Mobile IPv6 specific MUST 3151 requirements for such nodes, and basic IPv6 techniques are 3152 sufficient. If a mobile node attempts to set up route optimization 3153 with a node with only basic IPv6 support, an ICMP error will signal 3154 that the node does not support such optimizations (Section 11.3.5), 3155 and communications will flow through the home agent . 3157 An IPv6 node MUST NOT support the Home Address destination option, 3158 type 2 routing header, or the Mobility Header unless it fully 3159 supports the requirements listed in the next sections for either 3160 route optimization, mobile node, or home agent functionality. 3162 8.2 IPv6 Nodes with Support for Route Optimization 3164 Nodes that implement route optimization are a subset of all IPv6 3165 nodes on the Internet. The ability of a correspondent node to 3166 participate in route optimization is essential for the efficient 3167 operation of the IPv6 Internet, for the following reasons: 3169 o Avoidance of congestion in the home network, and enabling the use 3170 of lower-performance home agent equipment even for supporting 3171 thousands of mobile nodes. 3173 o Reduced network load across the entire Internet, as mobile devices 3174 begin to predominate. 3176 o Reduction of jitter and latency for the communications. 3178 o Greater likelihood of success for QoS signaling as tunneling is 3179 avoided and, again, fewer sources of congestion. 3181 o Improved robustness against network partitions, congestion, and 3182 other problems, since fewer routing path segments are traversed. 3184 These effects combine to enable much better performance and 3185 robustness for communications between mobile nodes and IPv6 3186 correspondent nodes. Route optimization introduces a small amount of 3187 additional state for the peers, some additional messaging, and up to 3188 1.5 roundtrip delays before it can be turned on. However, it is 3189 believed that the benefits far outweigh the costs in most cases. 3190 Section 11.3.1 discusses how mobile nodes may avoid route 3191 optimization for some of the remaining cases, such as very short-term 3192 communications. 3194 The following requirements apply to all correspondent nodes that 3195 support route optimization: 3197 o The node MUST be able validate a Home Address option using an 3198 existing Binding Cache entry, as described in Section 9.3.1. 3200 o The node MUST be able to insert a type 2 routing header into 3201 packets to be sent to a mobile node, as described in Section 3202 9.3.2. 3204 o Unless the correspondent node is also acting as a mobile node, it 3205 MUST ignore type 2 routing headers and silently discard all 3206 packets that it has received with such headers. 3208 o The node SHOULD be able to interpret ICMP messages as described in 3209 Section 9.3.4. 3211 o The node MUST be able to send Binding Error messages as described 3212 in Section 9.3.3. 3214 o The node MUST be able to process Mobility Headers as described in 3215 Section 9.2. 3217 o The node MUST be able to participate in a return routability 3218 procedure (Section 9.4). 3220 o The node MUST be able to process Binding Update messages (Section 3221 9.5). 3223 o The node MUST be able to return a Binding Acknowledgement (Section 3224 9.5.4). 3226 o The node MUST be able to maintain a Binding Cache of the bindings 3227 received in accepted Binding Updates, as described in Section 9.1 3228 and Section 9.6. 3230 o The node SHOULD allow route optimization to be administratively 3231 enabled or disabled. The default SHOULD be enabled. 3233 8.3 All IPv6 Routers 3235 All IPv6 routers, even those not serving as a home agent for Mobile 3236 IPv6, have an effect on how well mobile nodes can communicate: 3238 o Every IPv6 router SHOULD be able to send an Advertisement Interval 3239 option (Section 7.3) in each of its Router Advertisements [12], to 3240 aid movement detection by mobile nodes (as in Section 11.5.1). 3241 The use of this option in Router Advertisements SHOULD be 3242 configurable. 3244 o Every IPv6 router SHOULD be able to support sending unsolicited 3245 multicast Router Advertisements at the faster rate described in 3246 Section 7.5. If the router supports a faster rate, the used rate 3247 MUST be configurable. 3249 o Each router SHOULD include at least one prefix with the Router 3250 Address (R) bit set and with its full IP address in its Router 3251 Advertisements (as described in Section 7.2). 3253 o Routers supporting filtering packets with routing headers SHOULD 3254 support different rules for type 0 and type 2 routing headers (see 3255 Section 6.4) so that filtering of source routed packets (type 0) 3256 will not necessarily limit Mobile IPv6 traffic which is delivered 3257 via type 2 routing headers. 3259 8.4 IPv6 Home Agents 3261 In order for a mobile node to operate correctly while away from home, 3262 at least one IPv6 router on the mobile node's home link must function 3263 as a home agent for the mobile node. The following additional 3264 requirements apply to all IPv6 routers that serve as a home agent: 3266 o Every home agent MUST be able to maintain an entry in its Binding 3267 Cache for each mobile node for which it is serving as the home 3268 agent (Section 10.1 and Section 10.3.1). 3270 o Every home agent MUST be able to intercept packets (using proxy 3271 Neighbor Discovery [12]) addressed to a mobile node for which it 3272 is currently serving as the home agent, on that mobile node's home 3273 link, while the mobile node is away from home (Section 10.4.1). 3275 o Every home agent MUST be able to encapsulate [15] such intercepted 3276 packets in order to tunnel them to the primary care-of address for 3277 the mobile node indicated in its binding in the home agent's 3278 Binding Cache (Section 10.4.2). 3280 o Every home agent MUST support decapsulating [15] reverse tunneled 3281 packets sent to it from a mobile node's home address. Every home 3282 agent MUST also check that the source address in the tunneled 3283 packets corresponds to the currently registered location of the 3284 mobile node (Section 10.4.5). 3286 o The node MUST be able to process Mobility Headers as described in 3287 Section 10.2. 3289 o Every home agent MUST be able to return a Binding Acknowledgement 3290 in response to a Binding Update (Section 10.3.1). 3292 o Every home agent MUST maintain a separate Home Agents List for 3293 each link on which it is serving as a home agent, as described in 3294 Section 10.1 and Section 10.5.1. 3296 o Every home agent MUST be able to accept packets addressed to the 3297 Mobile IPv6 Home-Agents anycast address [16] for the subnet on 3298 which it is serving as a home agent, and MUST be able to 3299 participate in dynamic home agent address discovery (Section 3300 10.5). 3302 o Every home agent SHOULD support a configuration mechanism to allow 3303 a system administrator to manually set the value to be sent by 3304 this home agent in the Home Agent Preference field of the Home 3305 Agent Information Option in Router Advertisements that it sends 3306 (Section 7.4). 3308 o Every home agent SHOULD support sending ICMP Mobile Prefix 3309 Advertisements (Section 6.8), and SHOULD respond to Mobile Prefix 3310 Solicitations (Section 6.7). If supported, this behavior MUST be 3311 configurable, so that home agents can be configured to avoid 3312 sending such Prefix Advertisements according to the needs of the 3313 network administration in the home domain. 3315 o Every home agent MUST support IPsec ESP for protection of packets 3316 belonging to the return routability procedure (Section 10.4.6). 3318 o Every home agent SHOULD support the multicast group membership 3319 control protocols as described in Section 10.4.3. If this support 3320 is provided, the home agent MUST be capable of using it to 3321 determine which multicast data packets to forward via the tunnel 3322 to the mobile node. 3324 o Home agents MAY support stateful address autoconfiguration for 3325 mobile nodes as described in Section 10.4.4. 3327 8.5 IPv6 Mobile Nodes 3329 Finally, the following requirements apply to all IPv6 nodes capable 3330 of functioning as mobile nodes: 3332 o The node MUST maintain a Binding Update List (Section 11.1). 3334 o The node MUST support sending packets containing a Home Address 3335 option (Section 11.3.1), and follow the required IPsec interaction 3336 (Section 11.3.2). 3338 o The node MUST be able to perform IPv6 encapsulation and 3339 decapsulation [15]. 3341 o The node MUST be able to process type 2 routing header as defined 3342 in Section 6.4 and Section 11.3.3. 3344 o The node MUST support receiving a Binding Error message (Section 3345 11.3.6). 3347 o The node MUST support receiving ICMP errors (Section 11.3.5). 3349 o The node MUST support movement detection, care-of address 3350 formation, and returning home (Section 11.5). 3352 o The node MUST be able to process Mobility Headers as described in 3353 Section 11.2. 3355 o The node MUST support the return routability procedure (Section 3356 11.6). 3358 o The node MUST be able to send Binding Updates, as specified in 3359 Section 11.7.1 and Section 11.7.2. 3361 o The node MUST be able to receive and process Binding 3362 Acknowledgements, as specified in Section 11.7.3. 3364 o The node MUST support receiving a Binding Refresh Request (Section 3365 6.1.2), by responding with a Binding Update. 3367 o The node MUST support receiving Mobile Prefix Advertisements 3368 (Section 11.4.3) and reconfiguring its home address based on the 3369 prefix information contained therein. 3371 o The node SHOULD support use of the dynamic home agent address 3372 discovery mechanism, as described in Section 11.4.1. 3374 o The node MUST allow route optimization to be administratively 3375 enabled or disabled. The default SHOULD be enabled. 3377 o The node MAY support the multicast address listener part of a 3378 multicast group membership protocol as described in Section 3379 11.3.4. If this support is provided, the mobile node MUST be able 3380 to receive tunneled multicast packets from the home agent. 3382 o The node MAY support stateful address autoconfiguration mechanisms 3383 such as DHCPv6 [29] on the interface represented by the tunnel to 3384 the home agent. 3386 9. Correspondent Node Operation 3388 9.1 Conceptual Data Structures 3390 IPv6 nodes with route optimization support maintain a Binding Cache 3391 of bindings for other nodes. A separate Binding Cache SHOULD be 3392 maintained by each IPv6 node for each of its unicast routable 3393 addresses. The Binding Cache MAY be implemented in any manner 3394 consistent with the external behavior described in this document, for 3395 example by being combined with the node's Destination Cache as 3396 maintained by Neighbor Discovery [12]. When sending a packet, the 3397 Binding Cache is searched before the Neighbor Discovery conceptual 3398 Destination Cache [12]. 3400 Each Binding Cache entry conceptually contains the following fields: 3402 o The home address of the mobile node for which this is the Binding 3403 Cache entry. This field is used as the key for searching the 3404 Binding Cache for the destination address of a packet being sent. 3406 o The care-of address for the mobile node indicated by the home 3407 address field in this Binding Cache entry. 3409 o A lifetime value, indicating the remaining lifetime for this 3410 Binding Cache entry. The lifetime value is initialized from the 3411 Lifetime field in the Binding Update that created or last modified 3412 this Binding Cache entry. 3414 o A flag indicating whether or not this Binding Cache entry is a 3415 home registration entry (applicable only on nodes which support 3416 home agent functionality). 3418 o The maximum value of the Sequence Number field received in 3419 previous Binding Updates for this home address. The Sequence 3420 Number field is 16 bits long. Sequence Number values MUST be 3421 compared modulo 2**16 as explained in Section 9.5.1. 3423 o Usage information for this Binding Cache entry. This is needed to 3424 implement the cache replacement policy in use in the Binding 3425 Cache. Recent use of a cache entry also serves as an indication 3426 that a Binding Refresh Request should be sent when the lifetime of 3427 this entry nears expiration. 3429 Binding Cache entries not marked as home registrations MAY be 3430 replaced at any time by any reasonable local cache replacement policy 3431 but SHOULD NOT be unnecessarily deleted. The Binding Cache for any 3432 one of a node's IPv6 addresses may contain at most one entry for each 3433 mobile node home address. The contents of a node's Binding Cache 3434 MUST NOT be changed in response to a Home Address option in a 3435 received packet. 3437 9.2 Processing Mobility Headers 3439 Mobility Header processing MUST observe the following rules: 3441 o The checksum must be verified as per Section 6.1. Otherwise, the 3442 node MUST silently discard the message. 3444 o The MH Type field MUST have a known value (Section 6.1.1). 3445 Otherwise, the node MUST discard the message and issue a Binding 3446 Error message as described in Section 9.3.3, with Status field set 3447 to 2 (unrecognized MH Type value). 3449 o The Payload Proto field MUST be IPPROTO_NONE (59 decimal). 3450 Otherwise, the node MUST discard the message and SHOULD send ICMP 3451 Parameter Problem, Code 0, directly to the Source Address of the 3452 packet as specified in RFC 2463 [14]. Thus no Binding Cache 3453 information is used in sending the ICMP message. The Pointer 3454 field in the ICMP message SHOULD point at the Payload Proto field. 3456 o The Header Len field in the Mobility Header MUST NOT be less than 3457 the length specified for this particular type of message in 3458 Section 6.1. Otherwise, the node MUST discard the message and 3459 SHOULD send ICMP Parameter Problem, Code 0, directly to the Source 3460 Address of the packet as specified in RFC 2463 [14]. (The Binding 3461 Cache information is again not used.) The Pointer field in the 3462 ICMP message SHOULD point at the Header Len field. 3464 Subsequent checks depend on the particular Mobility Header. 3466 9.3 Packet Processing 3468 This section describes how the correspondent node sends packets to 3469 the mobile node, and receives packets from it. 3471 9.3.1 Receiving Packets with Home Address Option 3473 Packets containing a Home Address option MUST be dropped if the given 3474 home address is not a unicast routable address. 3476 Mobile nodes can include a Home Address destination option in a 3477 packet if they believe the correspondent node has a Binding Cache 3478 entry for the home address of a mobile node. Packets containing a 3479 Home Address option MUST be dropped if there is no corresponding 3480 Binding Cache entry. A corresponding Binding Cache entry MUST have 3481 the same home address as appears in the Home Address destination 3482 option, and the currently registered care-of address MUST be equal to 3483 the source address of the packet. These tests MUST NOT be done for 3484 packets that contain a Home Address option and a Binding Update. 3486 If the packet is dropped due the above tests, the correspondent node 3487 MUST send the Binding Error message as described in Section 9.3.3. 3488 The Status field in this message should be set to 1 (unknown binding 3489 for Home Address destination option). 3491 The correspondent node MUST process the option in a manner consistent 3492 with exchanging the Home Address field from the Home Address option 3493 into the IPv6 header and replacing the original value of the Source 3494 Address field there. After all IPv6 options have been processed, it 3495 MUST be possible for upper layers to process the packet without the 3496 knowledge that it came originally from a care-of address or that a 3497 Home Address option was used. 3499 The use of IPsec Authentication Header (AH) for the Home Address 3500 option is not required, except that if the IPv6 header of a packet is 3501 covered by AH, then the authentication MUST also cover the Home 3502 Address option; this coverage is achieved automatically by the 3503 definition of the Option Type code for the Home Address option, since 3504 it indicates that the data within the option cannot change en-route 3505 to the packet's final destination, and thus the option is included in 3506 the AH computation. By requiring that any authentication of the IPv6 3507 header also cover the Home Address option, the security of the Source 3508 Address field in the IPv6 header is not compromised by the presence 3509 of a Home Address option. 3511 When attempting to verify AH authentication data in a packet that 3512 contains a Home Address option, the receiving node MUST calculate the 3513 AH authentication data as if the following were true: The Home 3514 Address option contains the care-of address, and the source IPv6 3515 address field of the IPv6 header contains the home address. This 3516 conforms with the calculation specified in Section 11.3.2. 3518 9.3.2 Sending Packets to a Mobile Node 3520 Before sending any packet, the sending node SHOULD examine its 3521 Binding Cache for an entry for the destination address to which the 3522 packet is being sent. If the sending node has a Binding Cache entry 3523 for this address, the sending node SHOULD use a type 2 routing header 3524 to route the packet to this mobile node (the destination node) by way 3525 of its care-of address. However, the mobile node MUST not do this in 3526 the following cases: 3528 o When sending an IPv6 Neighbor Discovery [12] packet. 3530 o Where otherwise noted in Section 6.1. 3532 When calculating authentication data in a packet that contains a type 3533 2 routing header, the correspondent node MUST calculate the AH 3534 authentication data as if the following were true: The routing header 3535 contains the care-of address, the destination IPv6 address field of 3536 the IPv6 header contains the home address, and the Segments Left 3537 field is zero. The IPsec Security Policy Database lookup MUST based 3538 on the mobile node's home address. 3540 For instance, assuming there are no additional routing headers in 3541 this packet beyond those needed by Mobile IPv6, the correspondent 3542 node could set the fields in the packet's IPv6 header and routing 3543 header as follows: 3545 o The Destination Address in the packet's IPv6 header is set to the 3546 mobile node's home address (the original destination address to 3547 which the packet was being sent). 3549 o The routing header is initialized to contain a single route 3550 segment, containing the mobile node's care-of address copied from 3551 the Binding Cache entry. The Segments Left field is, however, 3552 temporarily set to zero. 3554 The IP layer will insert the routing header before performing any 3555 necessary IPsec processing. Once all IPsec processing has been 3556 performed, the node swaps the IPv6 destination field with the Home 3557 Address field in the routing header, sets the Segments Left field to 3558 one, and sends the packet. This ensures the AH calculation is done 3559 on the packet in the form it will have on the receiver after 3560 advancing the routing header. 3562 Following the definition of a type 2 routing header in Section 6.4, 3563 this packet will be routed to the mobile node's care-of address, 3564 where it will be delivered to the mobile node (the mobile node has 3565 associated the care-of address with its network interface). 3567 Note that following the above conceptual model in an implementation 3568 creates some additional requirements for path MTU discovery since the 3569 layer that decides the packet size (e.g., TCP and applications using 3570 UDP) needs to be aware of the size of the headers added by the IP 3571 layer on the sending node. 3573 If, instead, the sending node has no Binding Cache entry for the 3574 destination address to which the packet is being sent, the sending 3575 node simply sends the packet normally, with no routing header. If 3576 the destination node is not a mobile node (or is a mobile node that 3577 is currently at home), the packet will be delivered directly to this 3578 node and processed normally by it. If, however, the destination node 3579 is a mobile node that is currently away from home, the packet will be 3580 intercepted by the mobile node's home agent and tunneled to the 3581 mobile node's current primary care-of address. 3583 9.3.3 Sending Binding Error Messages 3585 Section 9.2 and Section 9.3.1 describe error conditions that lead to 3586 a need to send a Binding Error message. 3588 A Binding Error message is sent directly to the address that appeared 3589 in the IPv6 Source Address field of the offending packet (before any 3590 modifications possibly performed as specified in Section 9.3.1). If 3591 the Source Address field does not contain a unicast address, the 3592 Binding Error message MUST NOT be sent. 3594 The Home Address field in the Binding Error message MUST be copied 3595 from the Home Address field in the Home Address destination option of 3596 the offending packet, or set to the unspecified address if no such 3597 option appeared in the packet. 3599 Binding Error messages SHOULD be subject to rate limiting in the same 3600 manner as is done for ICMPv6 messages [14]. 3602 9.3.4 Receiving ICMP Error Messages 3604 When the correspondent node has a Binding Cache entry for a mobile 3605 node, all traffic destined to the mobile node goes directly to the 3606 current care-of address of the mobile node using a routing header. 3607 Any ICMP error message caused by packets on their way to the care-of 3608 address will be returned in the normal manner to the correspondent 3609 node. 3611 On the other hand, if the correspondent node has no Binding Cache 3612 entry for the mobile node, the packet will be routed through the 3613 mobile node's home link. Any ICMP error message caused by the packet 3614 on its way to the mobile node while in the tunnel, will be 3615 transmitted to the mobile node's home agent. By the definition of 3616 IPv6 encapsulation [15], the home agent MUST relay certain ICMP error 3617 messages back to the original sender of the packet, which in this 3618 case is the correspondent node. 3620 Thus, in all cases, any meaningful ICMP error messages caused by 3621 packets from a correspondent node to a mobile node will be returned 3622 to the correspondent node. If the correspondent node receives 3623 persistent ICMP Destination Unreachable messages after sending 3624 packets to a mobile node based on an entry in its Binding Cache, the 3625 correspondent node SHOULD delete this Binding Cache entry. Note that 3626 if the mobile node continues to send packets with the Home Address 3627 destination option to this correspondent node, they will be dropped 3628 due to the lack of a binding. For this reason it is important that 3629 only persistent ICMP messages lead to the deletion of the Binding 3630 Cache entry. 3632 9.4 Return Routability Procedure 3634 This subsection specifies actions taken by a correspondent node 3635 during the return routability procedure. 3637 9.4.1 Receiving Home Test Init Messages 3639 Upon receiving a Home Test Init message, the correspondent node 3640 verifies the following: 3642 o The packet MUST NOT include a Home Address destination option. 3644 Any packet carrying a Home Test Init message which fails to satisfy 3645 all of these tests MUST be silently ignored. 3647 Otherwise, in preparation for sending the corresponding Home Test 3648 Message, the correspondent node checks that it has the necessary 3649 material to engage in a return routability procedure, as specified in 3650 Section 5.2. The correspondent node MUST have a secret Kcn and a 3651 nonce. If it does not have this material yet, it MUST produce it 3652 before continuing with the return routability procedure. 3654 Section 9.4.3 specifies further processing. 3656 9.4.2 Receiving Care-of Test Init Messages 3658 Upon receiving a Care-of Test Init message, the correspondent node 3659 verifies the following: 3661 o The packet MUST NOT include a Home Address destination option. 3663 Any packet carrying a Care-of Test Init message which fails to 3664 satisfy all of these tests MUST be silently ignored. 3666 Otherwise, in preparation for sending the corresponding Care-of Test 3667 Message, the correspondent node checks that it has the necessary 3668 material to engage in a return routability procedure in the manner 3669 described in Section 9.4.1. 3671 Section 9.4.4 specifies further processing. 3673 9.4.3 Sending Home Test Messages 3675 The correspondent node creates a home keygen token and uses the 3676 current nonce index as the Home Nonce Index. It then creates a Home 3677 Test message (Section 6.1.5) and sends it to the mobile node at the 3678 latter's home address. 3680 9.4.4 Sending Care-of Test Messages 3682 The correspondent node creates a care-of nonce and uses the current 3683 nonce index as the Care-of Nonce Index. It then creates a Care-of 3684 Test message (Section 6.1.6) and sends it to the mobile node at the 3685 latter's care-of address. 3687 9.5 Processing Bindings 3689 This section explains how the correspondent node processes messages 3690 related to bindings. These messages are: 3692 o Binding Update 3694 o Binding Refresh Request 3696 o Binding Acknowledgement 3698 o Binding Error 3700 9.5.1 Receiving Binding Updates 3702 Before accepting a Binding Update, the receiving node MUST validate 3703 the Binding Update according to the following tests: 3705 o The packet MUST contain a unicast routable home address, either in 3706 the Home Address option or in the Source Address, if the Home 3707 Address option is not present. 3709 o The Sequence Number field in the Binding Update is greater than 3710 the Sequence Number received in the previous valid Binding Update 3711 for this home address, if any. 3713 If the receiving node has no Binding Cache entry for the indicated 3714 home address, it MUST accept any Sequence Number value in a 3715 received Binding Update from this mobile node. 3717 This Sequence Number comparison MUST be performed modulo 2**16, 3718 i.e., the number is a free running counter represented modulo 3719 65536. A Sequence Number in a received Binding Update is 3720 considered less than or equal to the last received number if its 3721 value lies in the range of the last received number and the 3722 preceding 32768 values, inclusive. For example, if the last 3723 received sequence number was 15, then messages with sequence 3724 numbers 0 through 15, as well as 32783 through 65535, would be 3725 considered less than or equal. 3727 When the Home Registration (H) bit is not set, the following are also 3728 required: 3730 o A Nonce Indices mobility option MUST be present, and the Home and 3731 Care-of Nonce Index values in this option MUST be recent enough to 3732 be recognized by the correspondent node. (Care-of Nonce Index 3733 values are not inspected for requests to delete a binding.) 3735 o The correspondent node MUST re-generate the home keygen token and 3736 the care-of keygen token from the information contained in the 3737 packet. It then generates the binding management key Kbm and uses 3738 it to verify the authenticator field in the Binding Update as 3739 specified in Section 6.1.7. 3741 o The Binding Authorization Data mobility option MUST be present, 3742 and its contents MUST satisfy rules presented in Section 5.2.6. 3743 Note that a care-of address different from the Source Address MAY 3744 have been specified by including an Alternate Care-of Address 3745 mobility option in the Binding Update. When such a message is 3746 received and the return routability procedure is used as an 3747 authorization method, the correspondent node MUST verify the 3748 authenticator by using the address within the Alternate Care-of 3749 Address in the calculations. 3751 o The Binding Authorization Data mobility option MUST be the last 3752 option and MUST NOT have trailing padding. 3754 If the Home Registration (H) bit is set, the Nonce Indices mobility 3755 option MUST NOT be present. 3757 If the mobile node sends a sequence number which is not greater than 3758 the sequence number from the last valid Binding Update for this home 3759 address, then the receiving node MUST send back a Binding 3760 Acknowledgement with status code 135, and the last accepted sequence 3761 number in the Sequence Number field of the Binding Acknowledgement. 3763 If a binding already exists for the given home address and the home 3764 registration flag has a different value than the Home Registration 3765 (H) bit in the Binding Update, then the receiving node MUST send back 3766 a Binding Acknowledgement with status code 139 (registration type 3767 change disallowed). The home registration flag stored in the Binding 3768 Cache entry MUST NOT be changed. 3770 If the receiving node no longer recognizes the Home Nonce Index 3771 value, Care-of Nonce Index value, or both values from the Binding 3772 Update, then the receiving node MUST send back a Binding 3773 Acknowledgement with status code 136, 137, or 138, respectively. 3775 For packets carrying Binding Updates that fail to satisfy all of 3776 these tests for any reason other than insufficiency of the Sequence 3777 Number, registration type change, or expired nonce index values, they 3778 MUST be silently discarded. 3780 If the Binding Update is valid according to the tests above, then the 3781 Binding Update is processed further as follows: 3783 o The Sequence Number value received from a mobile node in a Binding 3784 Update is stored by the receiving node in its Binding Cache entry 3785 for the given home address. 3787 o If the Lifetime specified in the Binding Update is nonzero and the 3788 specified care-of address is not equal to the home address for the 3789 binding, then this is a request to cache a binding for the home 3790 address. If the Home Registration (H) bit is set in the Binding 3791 Update, the Binding Update is processed according to the procedure 3792 specified in Section 10.3.1; otherwise, it is processed according 3793 to the procedure specified in Section 9.5.2. 3795 o If the Lifetime specified in the Binding Update is zero or the 3796 specified care-of address matches the home address for the 3797 binding, then this is a request to delete the cached binding for 3798 the home address. In this case, the Binding Update MUST include a 3799 valid home nonce index, and the care-of nonce index MUST be 3800 ignored by the correspondent node. The generation of the binding 3801 management key depends then exclusively on the home keygen token 3802 (Section 5.2.5). If the Home Registration (H) bit is set in the 3803 Binding Update, the Binding Update is processed according to the 3804 procedure specified in Section 10.3.2; otherwise, it is processed 3805 according to the procedure specified in Section 9.5.3. 3807 The specified care-of address MUST be determined as follows: 3809 o If the Alternate Care-of Address option is present, the care-of 3810 address is the address in that option. 3812 o Otherwise, the care-of address is the Source Address field in the 3813 packet's IPv6 header. 3815 The home address for the binding MUST be determined as follows: 3817 o If the Home Address destination option is present, the home 3818 address is the address in that option. 3820 o Otherwise, the home address is the Source Address field in the 3821 packet's IPv6 header. 3823 9.5.2 Requests to Cache a Binding 3825 This section describes the processing of a valid Binding Update that 3826 requests a node to cache a binding, for which the Home Registration 3827 (H) bit is not set in the Binding Update. 3829 In this case, the receiving node SHOULD create a new entry in its 3830 Binding Cache for this home address, or update its existing Binding 3831 Cache entry for this home address, if such an entry already exists. 3832 The lifetime for the Binding Cache entry is initialized from the 3833 Lifetime field specified in the Binding Update, although this 3834 lifetime MAY be reduced by the node caching the binding; the lifetime 3835 for the Binding Cache entry MUST NOT be greater than the Lifetime 3836 value specified in the Binding Update. Any Binding Cache entry MUST 3837 be deleted after the expiration of its lifetime. 3839 Note that if the mobile node did not request a Binding 3840 Acknowledgement, it is not aware of the selected shorter lifetime. 3841 The mobile node may thus use route optimization and send packets with 3842 the Home Address destination option. As discussed in Section 9.3.1, 3843 such packets will be dropped if there is no binding. This situation 3844 is recoverable, but can cause temporary packet loss. 3846 The correspondent node MAY refuse to accept a new Binding Cache 3847 entry, if it does not have sufficient resources. A new entry MAY 3848 also be refused if the correspondent node believes its resources are 3849 utilized more efficiently in some other purpose, such as serving 3850 another mobile node with higher amount of traffic. In both cases the 3851 correspondent node SHOULD return a Binding Acknowledgement with 3852 status value 130. 3854 9.5.3 Requests to Delete a Binding 3856 This section describes the processing of a valid Binding Update that 3857 requests a node to delete a binding, when the Home Registration (H) 3858 bit is not set in the Binding Update. 3860 Any existing binding for the given home address MUST be deleted. A 3861 Binding Cache entry for the home address MUST NOT be created in 3862 response to receiving the Binding Update. 3864 If the Binding Cache entry was created by use of return routability 3865 nonces, the correspondent node MUST ensure that the same nonces are 3866 not used again with the particular home and care-of address. If both 3867 nonces are still valid, the correspondent node has to remember the 3868 particular combination of nonce indexes, addresses, and sequence 3869 number as illegal, until at least one of the nonces has become too 3870 old. 3872 9.5.4 Sending Binding Acknowledgements 3874 A Binding Acknowledgement may be sent to indicate receipt of a 3875 Binding Update as follows: 3877 o If the Binding Update was discarded as described in Section 9.2 or 3878 Section 9.5.1, a Binding Acknowledgement MUST NOT be sent. 3879 Otherwise the treatment depends on the below rules. 3881 o If the Acknowledge (A) bit set is set in the Binding Update, a 3882 Binding Acknowledgement MUST be sent. Otherwise, the treatment 3883 depends on the below rule. 3885 o If the node rejects the Binding Update due to an expired nonce 3886 index, sequence number being out of window (Section 9.5.1), or 3887 insufficiency of resources (Section 9.5.2), a Binding 3888 Acknowledgement MUST be sent. If the node accepts the Binding 3889 Update, the Binding Acknowledgement SHOULD NOT be sent. 3891 If the node accepts the Binding Update and creates or updates an 3892 entry for this binding, the Status field in the Binding 3893 Acknowledgement MUST be set to a value less than 128. Otherwise, the 3894 Status field MUST be set to a value greater than or equal to 128. 3895 Values for the Status field are described in Section 6.1.8 and in the 3896 IANA registry of assigned numbers [19]. 3898 If the Status field in the Binding Acknowledgement contains the value 3899 136 (expired home nonce index), 137 (expired care-of nonce index), or 3900 138 (expired nonces) then the message MUST NOT include the Binding 3901 Authorization Data mobility option. Otherwise, the Binding 3902 Authorization Data mobility option MUST be included, and MUST meet 3903 the specific authentication requirements for Binding Acknowledgements 3904 as defined in Section 5.2. 3906 If the Source Address field of the IPv6 header that carried the 3907 Binding Update does not contain a unicast address, the Binding 3908 Acknowledgement MUST NOT be sent, and the Binding Update packet MUST 3909 be silently discarded. Otherwise, the acknowledgement MUST be sent 3910 to the Source Address. Unlike the treatment of regular packets, this 3911 addressing procedure does not use information from the Binding Cache. 3913 However, a routing header is needed in some cases. If the Source 3914 Address is the home address of the mobile node, i.e., the Binding 3915 Update did not contain a Home Address destination option, then the 3916 Binding Acknowledgement MUST be sent to that address, and the routing 3917 header MUST NOT be used. Otherwise, the Binding Acknowledgement MUST 3918 be sent using a type 2 routing header which contains the mobile 3919 node's home address. 3921 9.5.5 Sending Binding Refresh Requests 3923 If a Binding Cache entry being deleted is still in active use in 3924 sending packets to a mobile node, the next packet sent to the mobile 3925 node will be routed normally to the mobile node's home link. 3926 Communication with the mobile node continues, but the tunneling from 3927 the home network creates additional overhead and latency in 3928 delivering packets to the mobile node. 3930 If the sender knows that the Binding Cache entry is still in active 3931 use, it MAY send a Binding Refresh Request message to the mobile node 3932 in an attempt to avoid this overhead and latency due to deleting and 3933 recreating the Binding Cache entry. 3935 The correspondent node MAY retransmit Binding Refresh Request 3936 messages provided that rate limitation is applied. The correspondent 3937 node MUST stop retransmitting when it receives a Binding Update. 3939 9.6 Cache Replacement Policy 3941 Conceptually, a node maintains a separate timer for each entry in its 3942 Binding Cache. When creating or updating a Binding Cache entry in 3943 response to a received and accepted Binding Update, the node sets the 3944 timer for this entry to the specified Lifetime period. Any entry in 3945 a node's Binding Cache MUST be deleted after the expiration of the 3946 Lifetime specified in the Binding Update from which the entry was 3947 created or last updated. 3949 Each node's Binding Cache will, by necessity, have a finite size. A 3950 node MAY use any reasonable local policy for managing the space 3951 within its Binding Cache. 3953 A node MAY choose to drop any entry already in its Binding Cache in 3954 order to make space for a new entry. For example, a "least-recently 3955 used" (LRU) strategy for cache entry replacement among entries is 3956 likely to work well unless the size of the Binding Cache is 3957 substantially insufficient. When entries are deleted, the 3958 correspondent node MUST follow the rules in Section 5.2.8 in order to 3959 guard the return routability procedure against replay attacks. 3961 If the node sends a packet to a destination for which it has dropped 3962 the entry from its Binding Cache, the packet will be routed through 3963 the mobile node's home link. The mobile node can detect this, and 3964 establish a new binding if necessary. 3966 However, if the mobile node believes that the binding still exists, 3967 it may use route optimization and send packets with the Home Address 3968 destination option. This can create temporary packet loss, as 3969 discussed earlier in the context of binding lifetime reductions 3970 performed by the correspondent node (Section 9.5.2). 3972 10. Home Agent Operation 3974 10.1 Conceptual Data Structures 3976 Each home agent MUST maintain a Binding Cache and Home Agents List. 3978 The rules for maintaining a Binding Cache are the same for home 3979 agents and correspondent nodes, and have already been described in 3980 Section 9.1. 3982 The Home Agents List is maintained by each home agent, recording 3983 information about each router on the same link which is acting as a 3984 home agent; this list is used by the dynamic home agent address 3985 discovery mechanism. A router is known to be acting as a home agent, 3986 if it sends a Router Advertisement in which the Home Agent (H) bit is 3987 set. When the lifetime for a list entry (defined below) expires, 3988 that entry is removed from the Home Agents List. The Home Agents 3989 List is thus similar to the Default Router List conceptual data 3990 structure maintained by each host for Neighbor Discovery [12]. The 3991 Home Agents List MAY be implemented in any manner consistent with the 3992 external behavior described in this document. 3994 Each home agent maintains a separate Home Agents List for each link 3995 on which it is serving as a home agent. A new entry is created or an 3996 existing entry is updated in response to receipt of a valid Router 3997 Advertisement in which the Home Agent (H) bit is set. Each Home 3998 Agents List entry conceptually contains the following fields: 4000 o The link-local IP address of a home agent on the link. This 4001 address is learned through the Source Address of the Router 4002 Advertisements [12] received from the router. 4004 o One or more global IP addresses for this home agent. Global 4005 addresses are learned through Prefix Information options with the 4006 Router Address (R) bit set, received in Router Advertisements from 4007 this link-local address. Global addresses for the router in a 4008 Home Agents List entry MUST be deleted once the prefix associated 4009 with that address is no longer valid [12]. 4011 o The remaining lifetime of this Home Agents List entry. If a Home 4012 Agent Information Option is present in a Router Advertisement 4013 received from a home agent, the lifetime of the Home Agents List 4014 entry representing that home agent is initialized from the Home 4015 Agent Lifetime field in the option (if present); otherwise, the 4016 lifetime is initialized from the Router Lifetime field in the 4017 received Router Advertisement. If Home Agents List entry lifetime 4018 reaches zero, the entry MUST be deleted from the Home Agents List. 4020 o The preference for this home agent; higher values indicate a more 4021 preferable home agent. The preference value is taken from the 4022 Home Agent Preference field in the received Router Advertisement, 4023 if the Router Advertisement contains a Home Agent Information 4024 Option, and is otherwise set to the default value of 0. A home 4025 agent uses this preference in ordering the Home Agents List when 4026 it sends an ICMP Home Agent Address Discovery message. 4028 10.2 Processing Mobility Headers 4030 All IPv6 home agents MUST observe the rules described in Section 9.2 4031 when processing Mobility Headers. 4033 10.3 Processing Bindings 4035 10.3.1 Primary Care-of Address Registration 4037 When a node receives a Binding Update, it MUST validate it and 4038 determine the type of Binding Update according to the steps described 4039 in Section 9.5.1. Furthermore, it MUST authenticate the Binding 4040 Update as described in Section 5.1. An authorization step specific 4041 for the home agent is also needed to ensure that only the right node 4042 can control a particular home address. This is provided through the 4043 home address unequivocally identifying the security association that 4044 must be used. 4046 This section describes the processing of a valid and authorized 4047 Binding Update, when it requests the registration of the mobile 4048 node's primary care-of address. 4050 To begin processing the Binding Update, the home agent MUST perform 4051 the following sequence of tests: 4053 o If the node implements only correspondent node functionality, or 4054 has not been configured to act as a home agent, then the node MUST 4055 reject the Binding Update. The node MUST then also return a 4056 Binding Acknowledgement to the mobile node, in which the Status 4057 field is set to 131 (home registration not supported). 4059 o Else, if the home address for the binding (the Home Address field 4060 in the packet's Home Address option) is not an on-link IPv6 4061 address with respect to the home agent's current Prefix List or if 4062 the corresponding prefix was not included in an advertisement sent 4063 with the Home Agent (H) bit set, then the home agent MUST reject 4064 the Binding Update and SHOULD return a Binding Acknowledgement to 4065 the mobile node, in which the Status field is set to 132 (not home 4066 subnet). 4068 o Else, if the home agent chooses to reject the Binding Update for 4069 any other reason (e.g., insufficient resources to serve another 4070 mobile node as a home agent), then the home agent SHOULD return a 4071 Binding Acknowledgement to the mobile node, in which the Status 4072 field is set to an appropriate value to indicate the reason for 4073 the rejection. 4075 o A Home Address destination option MUST be present in the message. 4076 It MUST be validated as described in Section 9.3.1 with the 4077 following additional rule. The Binding Cache entry existence test 4078 MUST NOT be done for IPsec packets when the Home Address option 4079 contains an address for which the receiving node could act as a 4080 home agent. 4082 If home agent accepts the Binding Update, it MUST then create a new 4083 entry in its Binding Cache for this mobile node, or update its 4084 existing Binding Cache entry, if such an entry already exists. The 4085 Home Address field as received in the Home Address option provides 4086 the home address of the mobile node. 4088 The home agent MUST mark this Binding Cache entry as a home 4089 registration to indicate that the node is serving as a home agent for 4090 this binding. Binding Cache entries marked as a home registration 4091 MUST be excluded from the normal cache replacement policy used for 4092 the Binding Cache (Section 9.6) and MUST NOT be removed from the 4093 Binding Cache until the expiration of the Lifetime period. 4095 Unless this home agent already has a binding for the given home 4096 address, the home agent MUST perform Duplicate Address Detection [13] 4097 on the mobile node's home link before returning the Binding 4098 Acknowledgement. This ensures that no other node on the home link 4099 was using the mobile node's home address when the Binding Update 4100 arrived. If this Duplicate Address Detection fails for the given 4101 home address or an associated link local address, then the home agent 4102 MUST reject the complete Binding Update and MUST return a Binding 4103 Acknowledgement to the mobile node, in which the Status field is set 4104 to 134 (Duplicate Address Detection failed). When the home agent 4105 sends a successful Binding Acknowledgement to the mobile node, the 4106 home agent assures to the mobile node that its address(es) will 4107 continue to be kept unique by the home agent at least as long as the 4108 lifetime granted for the binding is not over. 4110 The specific addresses which are to be tested before accepting the 4111 Binding Update, and later to be defended by performing Duplicate 4112 Address Detection, depend on the setting of the Link-Local Address 4113 Compatibility (L) bit, as follows: 4115 o L=0: Defend only the given address. Do not derive a link-local 4116 address. 4118 o L=1: Defend both the given non link-local unicast (home) address 4119 and the derived link-local. The link-local address is derived by 4120 replacing the subnet prefix in the mobile node's home address with 4121 the link-local prefix. 4123 The lifetime of the Binding Cache entry depends on a number of 4124 factors: 4126 o The lifetime for the Binding Cache entry MUST NOT be greater than 4127 the Lifetime value specified in the Binding Update. 4129 o The lifetime for the Binding Cache entry MUST NOT be greater than 4130 the remaining valid lifetime for the subnet prefix in the mobile 4131 node's home address specified with the Binding Update. The 4132 remaining valid lifetime for this prefix is determined by the home 4133 agent based on its own Prefix List entry for this prefix [12]. 4135 The remaining preferred lifetime SHOULD NOT have any impact on the 4136 lifetime for the binding cache entry. 4138 The home agent MUST remove a binding when the valid lifetime of 4139 the prefix associated with it expires. 4141 o The home agent MAY further decrease the specified lifetime for the 4142 binding, for example based on a local policy. The resulting 4143 lifetime is stored by the home agent in the Binding Cache entry, 4144 and this Binding Cache entry MUST be deleted by the home agent 4145 after the expiration of this lifetime. 4147 Regardless of the setting of the Acknowledge (A) bit in the Binding 4148 Update, the home agent MUST return a Binding Acknowledgement to the 4149 mobile node, constructed as follows: 4151 o The Status field MUST be set to a value indicating success. The 4152 value 1 (accepted but prefix discovery necessary) MUST be used if 4153 the subnet prefix of the specified home address is deprecated, 4154 becomes deprecated during the lifetime of the binding, or becomes 4155 invalid at the end of the lifetime. The value 0 MUST be used 4156 otherwise. For the purposes of comparing the binding and prefix 4157 lifetimes, the prefix lifetimes are first converted into units of 4158 four seconds by ignoring the two least significant bits. 4160 o The Key Management Mobility Capability (K) bit is set if the 4161 following conditions are all fulfilled, and cleared otherwise: 4163 * The Key Management Mobility Capability (K) bit was set in the 4164 Binding Update. 4166 * The IPsec security associations between the mobile node and the 4167 home agent have been established dynamically. 4169 * The home agent has the capability to update its endpoint in the 4170 used key management protocol to the new care-of address every 4171 time it moves 4173 Depending on the final value of the bit in the Binding 4174 Acknowledgement, the home agent SHOULD perform the following 4175 actions: 4177 K = 0 4179 Discard key management connections, if any, to the old care-of 4180 address. If the mobile node did not have a binding before 4181 sending this Binding Update, discard the connections to the 4182 home address. 4184 K = 1 4186 Move the peer endpoint of the key management protocol 4187 connection, if any, to the new care-of address. For an IKE 4188 phase 1 connection, this means that any IKE packets sent to the 4189 peer are sent to this address, and packets from this address 4190 with the original ISAKMP cookies are accepted. 4192 Note that Section 2.5.3 in RFC 2408 [8] Section 2.5.3 states 4193 three specifies rules that ISAKMP cookies must satisfy: they 4194 must depend on specific parties and they can only have been 4195 generated by the entity itself. Then it recommends a 4196 particular way to do this, namely a hash of IP addresses. With 4197 the K bit set to 1, the recommended implementation technique 4198 does not work directly. To satisfy the two rules, the specific 4199 parties must be treated as the original IP addresses, not the 4200 ones in use at the specific moment. 4202 o The Sequence Number field MUST be copied from the Sequence Number 4203 given in the Binding Update. 4205 o The Lifetime field MUST be set to the remaining lifetime for the 4206 binding as set by the home agent in its home registration Binding 4207 Cache entry for the mobile node, as described above. 4209 o If the home agent stores the Binding Cache entry in nonvolatile 4210 storage, then the Binding Refresh Advice mobility option MUST be 4211 omitted. Otherwise, the home agent MAY include this option to 4212 suggest that the mobile node refreshes its binding sooner than the 4213 actual lifetime of the binding ends. 4215 If the Binding Refresh Advice mobility option is present, the 4216 Refresh Interval field in the option MUST be set to a value less 4217 than the Lifetime value being returned in the Binding 4218 Acknowledgement. This indicates that the mobile node SHOULD 4219 attempt to refresh its home registration at the indicated shorter 4220 interval. The home agent MUST still retain the registration for 4221 the Lifetime period, even if the mobile node does not refresh its 4222 registration within the Refresh period. 4224 The rules for selecting the Destination IP address (and possibly 4225 routing header construction) for the Binding Acknowledgement to the 4226 mobile node are the same as in Section 9.5.4. 4228 In addition, the home agent MUST follow the procedure defined in 4229 Section 10.4.1 to intercept packets on the mobile node's home link 4230 addressed to the mobile node, while the home agent is serving as the 4231 home agent for this mobile node. The home agent MUST also be 4232 prepared to accept reverse tunneled packets from the new care-of 4233 address of the mobile node, as described in Section 10.4.5. Finally, 4234 the home agent MUST also propagate new home network prefixes, as 4235 described in Section 10.6. 4237 10.3.2 Primary Care-of Address De-Registration 4239 A binding may need to be de-registered when the mobile node returns 4240 home, or when the mobile node knows that it will soon not have any 4241 care-of addresses in the visited network. 4243 A Binding Update is validated and authorized in the manner described 4244 in the previous section. This section describes the processing of a 4245 valid Binding Update that requests the receiving node to no longer 4246 serve as its home agent, de-registering its primary care-of address. 4248 To begin processing the Binding Update, the home agent MUST perform 4249 the following test: 4251 o If the receiving node has no entry marked as a home registration 4252 in its Binding Cache for this mobile node, then this node MUST 4253 reject the Binding Update and SHOULD return a Binding 4254 Acknowledgement to the mobile node, in which the Status field is 4255 set to 133 (not home agent for this mobile node). 4257 If the home agent does not reject the Binding Update as described 4258 above, then it MUST delete any existing entry in its Binding Cache 4259 for this mobile node. Then, the home agent MUST return a Binding 4260 Acknowledgement to the mobile node, constructed as follows: 4262 o The Status field MUST be set to a value 0, indicating success. 4264 o The Key Management Mobility Capability (K) bit is set or cleared, 4265 and actions based on its value are performed as described in the 4266 previous section. The mobile node's home address is used as its 4267 new care-of address for the purposes of moving the key management 4268 connection to a new endpoint. 4270 o The Sequence Number field MUST be copied from the Sequence Number 4271 given in the Binding Update. 4273 o The Lifetime field MUST be set to zero. 4275 o The Binding Refresh Advice mobility option MUST be omitted. 4277 In addition, the home agent MUST stop intercepting packets on the 4278 mobile node's home link that are addressed to the mobile node 4279 (Section 10.4.1). 4281 The rules for selecting the Destination IP address (and, if required, 4282 routing header construction) for the Binding Acknowledgement to the 4283 mobile node are the same as in the previous section. When the Status 4284 field in the Binding Acknowledgement is greater than or equal to 128 4285 and the Source Address of the Binding Update is on the home link, the 4286 home agent MUST send it to the mobile node's link layer address 4287 (retrieved either from the Binding Update or through Neighbor 4288 Solicitation). 4290 10.4 Packet Processing 4292 10.4.1 Intercepting Packets for a Mobile Node 4294 While a node is serving as the home agent for mobile node it MUST 4295 attempt to intercept packets on the mobile node's home link that are 4296 addressed to the mobile node. 4298 In order to do this, when a node begins serving as the home agent it 4299 MUST multicast onto the home link a Neighbor Advertisement message 4300 [12] on behalf of the mobile node. For the home address specified in 4301 the Binding Update, the home agent sends a Neighbor Advertisement 4302 message [12] to the all-nodes multicast address on the home link, to 4303 advertise the home agent's own link-layer address for this IP address 4304 on behalf of the mobile node. If the Link-Layer Address 4305 Compatibility (L) flag has been specified in the Binding Update, the 4306 home agent MUST do the same for the link-local address of the mobile 4307 node. 4309 All fields in each such Neighbor Advertisement message SHOULD be set 4310 in the same way they would be set by the mobile node itself if 4311 sending this Neighbor Advertisement [12] while at home, with the 4312 following exceptions: 4314 o The Target Address in the Neighbor Advertisement MUST be set to 4315 the specific IP address for the mobile node. 4317 o The Advertisement MUST include a Target Link-layer Address option 4318 specifying the home agent's link-layer address. 4320 o The Router (R) bit in the Advertisement MUST be set to zero. 4322 o The Solicited Flag (S) in the Advertisement MUST NOT be set, since 4323 it was not solicited by any Neighbor Solicitation. 4325 o The Override Flag (O) in the Advertisement MUST be set, indicating 4326 that the Advertisement SHOULD override any existing Neighbor Cache 4327 entry at any node receiving it. 4329 o The Source Address in the IPv6 header MUST be set to the home 4330 agent's IP address on the interface used to send the 4331 advertisement. 4333 Any node on the home link receiving one of the Neighbor Advertisement 4334 messages described above will thus update its Neighbor Cache to 4335 associate the mobile node's address with the home agent's link layer 4336 address, causing it to transmit any future packets normally destined 4337 to the mobile node to the mobile node's home agent. Since 4338 multicasting on the local link (such as Ethernet) is typically not 4339 guaranteed to be reliable, the home agent MAY retransmit this 4340 Neighbor Advertisement message up to MAX_NEIGHBOR_ADVERTISEMENT (see 4341 [12]) times to increase its reliability. It is still possible that 4342 some nodes on the home link will not receive any of these Neighbor 4343 Advertisements, but these nodes will eventually be able to detect the 4344 link-layer address change for the mobile node's address, through use 4345 of Neighbor Unreachability Detection [12]. 4347 While a node is serving as a home agent for some mobile node, the 4348 home agent uses IPv6 Neighbor Discovery [12] to intercept unicast 4349 packets on the home link addressed to the mobile node. In order to 4350 intercept packets in this way, the home agent MUST act as a proxy for 4351 this mobile node, and reply to any received Neighbor Solicitations 4352 for it. When a home agent receives a Neighbor Solicitation, it MUST 4353 check if the Target Address specified in the message matches the 4354 address of any mobile node for which it has a Binding Cache entry 4355 marked as a home registration. 4357 If such an entry exists in the home agent's Binding Cache, the home 4358 agent MUST reply to the Neighbor Solicitation with a Neighbor 4359 Advertisement, giving the home agent's own link-layer address as the 4360 link-layer address for the specified Target Address. In addition, 4361 the Router (R) bit in the Advertisement MUST be set to zero. Acting 4362 as a proxy in this way allows other nodes on the mobile node's home 4363 link to resolve the mobile node's address, and allows the home agent 4364 to defend these addresses on the home link for Duplicate Address 4365 Detection [12]. 4367 10.4.2 Processing Intercepted Packets 4369 For any packet sent to a mobile node from the mobile node's home 4370 agent (for which the home agent is the original sender of the 4371 packet), the home agent is operating as a correspondent node of the 4372 mobile node for this packet and the procedures described in Section 4373 9.3.2 apply. The home agent then uses a routing header to route the 4374 packet to the mobile node by way of the primary care-of address in 4375 the home agent's Binding Cache. 4377 While the mobile node is away from home, the home agent intercepts 4378 any packets on the home link addressed to the mobile node's home 4379 address, as described in Section 10.4.1. In order to forward each 4380 intercepted packet to the mobile node, the home agent MUST tunnel the 4381 packet to the mobile node using IPv6 encapsulation [15]. When a home 4382 agent encapsulates an intercepted packet for forwarding to the mobile 4383 node, the home agent sets the Source Address in the new tunnel IP 4384 header to the home agent's own IP address, and sets the Destination 4385 Address in the tunnel IP header to the mobile node's primary care-of 4386 address. When received by the mobile node, normal processing of the 4387 tunnel header [15] will result in decapsulation and processing of the 4388 original packet by the mobile node. 4390 However, packets addressed to the mobile node's link-local address 4391 MUST NOT be tunneled to the mobile node. Instead, such a packet MUST 4392 be discarded, and the home agent SHOULD return an ICMP Destination 4393 Unreachable, Code 3, message to the packet's Source Address (unless 4394 this Source Address is a multicast address). Packets addressed to 4395 the mobile node's site-local address SHOULD NOT be tunneled to the 4396 mobile node by default. 4398 Interception and tunneling of the following multicast addressed 4399 packets on the home network are only done if the home agent supports 4400 multicast group membership control messages from the mobile node as 4401 described in the next section. Tunneling of multicast packets to a 4402 mobile node follows similar limitations to those defined above for 4403 unicast packets addressed to the mobile node's link-local and 4404 site-local addresses. Multicast packets addressed to a multicast 4405 address with link-local scope [3], to which the mobile node is 4406 subscribed, MUST NOT be tunneled to the mobile node; such packets 4407 SHOULD be silently discarded (after delivering to other local 4408 multicast recipients). Multicast packets addressed to a multicast 4409 address with scope larger than link-local but smaller than global 4410 (e.g., site-local and organization-local [3]), to which the mobile 4411 node is subscribed, SHOULD NOT be tunneled to the mobile node. 4412 Multicast packets addressed with a global scope to which the mobile 4413 node has successfully subscribed MUST be tunneled to the mobile node. 4415 Before tunneling a packet to the mobile node, the home agent MUST 4416 perform any IPsec processing as indicated by the security policy data 4417 base. 4419 10.4.3 Multicast Membership Control 4421 This section is a prerequisite for the multicast data packet 4422 forwarding described in the previous section. If this support is not 4423 provided, multicast group membership control messages are silently 4424 ignored. 4426 In order to forward multicast data packets from the home network to 4427 all the proper mobile nodes the home agent SHOULD be capable of 4428 receiving tunneled multicast group membership control information 4429 from the mobile node in order to determine which groups the mobile 4430 node has subscribed to. These multicast group membership messages 4431 are Listener Report messages specified MLD [17] or in other protocols 4432 such as [37]. 4434 The messages are issued by the mobile node but sent through the 4435 reverse tunnel to the home agent. These messages are issued whenever 4436 the mobile node decides to enable reception of packets for a 4437 multicast group or in response to an MLD Query from the home agent. 4438 The mobile node will also issue multicast group control messages to 4439 disable reception of multicast packets when it is no longer 4440 interested in receiving multicasts for a particular group. 4442 To obtain the mobile node's current multicast group membership the 4443 home agent must periodically transmit MLD Query messages through the 4444 tunnel to the mobile node. These MLD periodic transmissions will 4445 ensure the home agent has an accurate record of the groups in which 4446 the mobile node is interested despite packet losses of the mobile 4447 node's MLD group membership messages. 4449 All MLD packets are sent directly between the mobile node and the 4450 home agent. Since all these packets are destined to a link-scope 4451 multicast address and have a hop limit of 1, there is no direct 4452 forwarding of such packets between the home network and the mobile 4453 node. The MLD packets between the mobile node and the home agent are 4454 encapsulated within the same tunnel header used for other packet 4455 flows between the mobile node and home agent. 4457 Note that at this time, even though a link-local source is used on 4458 MLD packets, no functionality depends on these addresses being 4459 unique, nor do they elicit direct responses. All MLD messages are 4460 sent to multicast destinations. To avoid ambiguity on the home agent 4461 due to mobile nodes which may choose identical link-local source 4462 addresses for their MLD function it is necessary for the home agent 4463 to identify which mobile node was actually the issuer of a particular 4464 MLD message. This may be accomplished by noting which tunnel such an 4465 MLD arrived by, which IPsec SA was used, or by other distinguishing 4466 means. 4468 This specification puts no requirement on how the functions in this 4469 section and the multicast forwarding in Section 10.4.2 are to be 4470 achieved. At the time of this writing it was thought that a full 4471 IPv6 multicast router function would be necessary on the home agent, 4472 but it may be possible to achieve the same effects through a "proxy 4473 MLD" application coupled with kernel multicast forwarding. This may 4474 be the subject of future specifications. 4476 10.4.4 Stateful Address Autoconfiguration 4478 This section describes how home agents support the use of stateful 4479 address autoconfiguration mechanisms such as DHCPv6 [29] from the 4480 mobile nodes. If this support is not provided, then the M and O bits 4481 must remain cleared on the Mobile Prefix Advertisement Messages. Any 4482 mobile node which sends DHCPv6 messages to the home agent without 4483 this support will not receive a response. 4485 If DHCPv6 is used, packets are sent with link-local source addresses 4486 either to a link-scope multicast address or a link-local address. 4487 Mobile nodes desiring to locate a DHCPv6 service may reverse tunnel 4488 standard DHCPv6 packets to the home agent. Since these link-scope 4489 packets cannot be forwarded onto the home network it is necessary for 4490 the home agent to either implement a DHCPv6 relay agent or a DHCPv6 4491 server function itself. The arriving tunnel or IPsec SA of DHCPv6 4492 link-scope messages from the mobile node must be noted so that DHCPv6 4493 responses may be sent back to the appropriate mobile node. DHCPv6 4494 messages sent to the mobile node with a link-local destination must 4495 be tunneled within the same tunnel header used for other packet 4496 flows. 4498 10.4.5 Handling Reverse Tunneled Packets 4500 Unless a binding has been established between the mobile node and a 4501 correspondent node, traffic from the mobile node to the correspondent 4502 node goes through a reverse tunnel. Home agents MUST support reverse 4503 tunneling as follows: 4505 o The tunneled traffic arrives to the home agent's address using 4506 IPv6 encapsulation [15]. 4508 o Depending on the security policies used by the home agent, reverse 4509 tunneled packets MAY be discarded unless accompanied by a valid 4510 ESP header. The support for authenticated reverse tunneling 4511 allows the home agent to protect the home network and 4512 correspondent nodes from malicious nodes masquerading as a mobile 4513 node. 4515 o Otherwise, when a home agent decapsulates a tunneled packet from 4516 the mobile node, the home agent MUST verify that the Source 4517 Address in the tunnel IP header is the mobile node's primary 4518 care-of address. Otherwise any node in the Internet could send 4519 traffic through the home agent and escape ingress filtering 4520 limitations. This simple check forces the attacker to at least 4521 know the current location of the real mobile node and be able to 4522 defeat ingress filtering. 4524 10.4.6 Protecting Return Routability Packets 4526 The return routability procedure described in Section 5.2.5 assumes 4527 that the confidentiality of the Home Test Init and Home Test messages 4528 is protected as they are tunneled between the home agent to the 4529 mobile node. Therefore, the home agent MUST support tunnel mode 4530 IPsec ESP for the protection of packets belonging to the return 4531 routability procedure. Support for a non-null encryption transform 4532 and authentication algorithm MUST be available. It is not necessary 4533 to distinguish between different kinds of packets within the return 4534 routability procedure. 4536 Security associations are needed to provide this protection. When 4537 the care-of address for the mobile node changes as a result of an 4538 accepted Binding Update, special treatment is needed for the next 4539 packets sent using these security associations. The home agent MUST 4540 set the new care-of address as the destination address of these 4541 packets, as if the outer header destination address in the security 4542 association had changed [21]. 4544 The above protection SHOULD be used with all mobile nodes. The use 4545 is controlled by configuration of the IPsec security policy database 4546 both at the mobile node and at the home agent. 4548 As described earlier, the Binding Update and Binding Acknowledgement 4549 messages require protection between the home agent and the mobile 4550 node. The Mobility Header protocol carries both these messages as 4551 well as the return routability messages. From the point of view of 4552 the security policy database these messages are indistinguishable. 4553 When IPsec is used to protect return routability signaling or payload 4554 packets, this protection MUST only be applied to the return 4555 routability packets entering the IPv6 encapsulated tunnel interface 4556 between the mobile node and the home agent. This can be achieved, 4557 for instance, by defining the security policy database entries 4558 specifically for the tunnel interface. That is, the policy entries 4559 are not generally applied on all traffic on the physical interface(s) 4560 of the nodes, but rather only on traffic that enters the tunnel. 4561 This makes use of per-interface security policy database entries [4], 4562 specific to the tunnel interface (the node's attachment to the tunnel 4563 [11]). 4565 10.5 Dynamic Home Agent Address Discovery 4567 This section describes how a home agent can help mobile nodes to 4568 discover the addresses of the home agents. The home agent keeps 4569 track of the other home agents on the same link, and responds to 4570 queries sent by the mobile node. 4572 10.5.1 Receiving Router Advertisement Messages 4574 For each link on which a router provides service as a home agent, the 4575 router maintains a Home Agents List recording information about all 4576 other home agents on that link. This list is used in the dynamic 4577 home agent address discovery mechanism, described in Section 10.5. 4578 The information for the list is learned through receipt of the 4579 periodic unsolicited multicast Router Advertisements, in a manner 4580 similar to the Default Router List conceptual data structure 4581 maintained by each host for Neighbor Discovery [12]. In the 4582 construction of the Home Agents List, the Router Advertisements are 4583 from each other home agent on the link, and the Home Agent (H) bit is 4584 set in them. 4586 On receipt of a valid Router Advertisement, as defined in the 4587 processing algorithm specified for Neighbor Discovery [12], the home 4588 agent performs the following steps, in addition to any steps already 4589 required of it by Neighbor Discovery: 4591 o If the Home Agent (H) bit in the Router Advertisement is not set, 4592 delete the sending node's entry in the current Home Agents List 4593 (if one exists). Skip all the following steps. 4595 o Otherwise, extract the Source Address from the IP header of the 4596 Router Advertisement. This is the link-local IP address on this 4597 link of the home agent sending this Advertisement [12]. 4599 o Determine the preference for this home agent. If the Router 4600 Advertisement contains a Home Agent Information Option, then the 4601 preference is taken from the Home Agent Preference field in the 4602 option; otherwise, the default preference of 0 MUST be used. 4604 o Determine the lifetime for this home agent. If the Router 4605 Advertisement contains a Home Agent Information Option, then the 4606 lifetime is taken from the Home Agent Lifetime field in the 4607 option; otherwise, the lifetime specified by the Router Lifetime 4608 field in the Router Advertisement SHOULD be used. 4610 o If the link-local address of the home agent sending this 4611 Advertisement is already present in this home agent's Home Agents 4612 List and the received home agent lifetime value is zero, 4613 immediately delete this entry in the Home Agents List. 4615 o Otherwise, if the link-local address of the home agent sending 4616 this Advertisement is already present in the receiving home 4617 agent's Home Agents List, reset its lifetime and preference to the 4618 values determined above. 4620 o If the link-local address of the home agent sending this 4621 Advertisement is not already present in the Home Agents List 4622 maintained by the receiving home agent, and the lifetime for the 4623 sending home agent is non-zero, create a new entry in the list, 4624 and initialize its lifetime and preference to the values 4625 determined above. 4627 o If the Home Agents List entry for the link-local address of the 4628 home agent sending this Advertisement was not deleted as described 4629 above, determine any global address(es) of the home agent based on 4630 each Prefix Information option received in this Advertisement in 4631 which the Router Address (R) bit is set (Section 7.2). Add all 4632 such global addresses to the list of global addresses in this Home 4633 Agents List entry. 4635 A home agent SHOULD maintain an entry in its Home Agents List for 4636 each valid home agent address until that entry's lifetime expires, 4637 after which time the entry MUST be deleted. 4639 As described in Section 11.4.1, a mobile node attempts dynamic home 4640 agent address discovery by sending an ICMP Home Agent Address 4641 Discovery Request message to the Mobile IPv6 Home-Agents anycast 4642 address [16] for its home IP subnet prefix. A home agent receiving 4643 such a Home Agent Address Discovery Request message that is serving 4644 this subnet SHOULD return an ICMP Home Agent Address Discovery Reply 4645 message to the mobile node, with the Source Address of the Reply 4646 packet set to one of the global unicast addresses of the home agent. 4647 The Home Agent Addresses field in the Reply message is constructed as 4648 follows: 4650 o The Home Agent Addresses field SHOULD contain all global IP 4651 addresses for each home agent currently listed in this home 4652 agent's own Home Agents List (Section 10.1). 4654 o The IP addresses in the Home Agent Addresses field SHOULD be 4655 listed in order of decreasing preference values, based either on 4656 the respective advertised preference from a Home Agent Information 4657 option or on the default preference of 0 if no preference is 4658 advertised (or on the configured home agent preference for this 4659 home agent itself). 4661 o Among home agents with equal preference, their IP addresses in the 4662 Home Agent Addresses field SHOULD be listed in an order randomized 4663 with respect to other home agents with equal preference, each time 4664 a Home Agent Address Discovery Reply message is returned by this 4665 home agent. 4667 o If more than one global IP address is associated with a home 4668 agent, these addresses SHOULD be listed in a randomized order. 4670 o The home agent SHOULD reduce the number of home agent IP addresses 4671 so that the packet fits within the minimum IPv6 MTU [11]. The 4672 home agent addresses selected for inclusion in the packet SHOULD 4673 be those from the complete list with the highest preference. This 4674 limitation avoids the danger of the Reply message packet being 4675 fragmented (or rejected by an intermediate router with an ICMP 4676 Packet Too Big message [14]). 4678 10.6 Sending Prefix Information to the Mobile Node 4680 10.6.1 List of Home Network Prefixes 4682 Mobile IPv6 arranges to propagate relevant prefix information to the 4683 mobile node when it is away from home, so that it may be used in 4684 mobile node home address configuration, and in network renumbering. 4685 In this mechanism, mobile nodes away from home receive Mobile Prefix 4686 Advertisements messages. These messages include Prefix Information 4687 Options for the prefixes configured on the home subnet interface(s) 4688 of the home agent. 4690 If there are multiple home agents, differences in the advertisements 4691 sent by different home agents can lead to an inability to use a 4692 particular home address when changing to another home agent. In 4693 order to ensure that the mobile nodes get the same information from 4694 different home agents, it is desired that all the home agents on the 4695 same link be configured in the same manner. 4697 To support this, the home agent monitors prefixes advertised by 4698 itself and other home agents on the home link. In RFC 2461 [12] it 4699 is acceptable for two routers to advertise different sets of prefixes 4700 on the same link. For home agents such differences should be 4701 detected since for a given home address the mobile node communicates 4702 only with one home agent at a time and the mobile node needs to know 4703 the full set of prefixes assigned to the home link. All other 4704 comparisons of Router Advertisements are as specified in Section 4705 6.2.7 of RFC 2461. 4707 10.6.2 Scheduling Prefix Deliveries 4709 A home agent serving a mobile node will schedule the delivery of new 4710 prefix information to that mobile node when any of the following 4711 conditions occur: 4713 MUST: 4715 o The state of the flags changes for the prefix of the mobile node's 4716 registered home address. 4718 o The valid or preferred lifetime is reconfigured or changes for any 4719 reason other than advancing real time. 4721 o The mobile node requests the information with a Mobile Prefix 4722 Solicitation (see Section 11.4.2). 4724 SHOULD: 4726 o A new prefix is added to the home subnet interface(s) of the home 4727 agent. 4729 MAY: 4731 o The valid or preferred lifetime or the state of the flags changes 4732 for a prefix which is not used in any Binding Cache entry for this 4733 mobile node. 4735 The home agent uses the following algorithm to determine when to send 4736 prefix information to the mobile node. 4738 o If a mobile node sends a solicitation, answer right away. 4740 o If no Mobile Prefix Advertisement has been sent to the mobile node 4741 in the last MaxMobPfxAdvInterval (see Section 13) seconds, then 4742 ensure that a transmission is scheduled. The actual transmission 4743 time is randomized as described below. 4745 o If a prefix matching the mobile node's home registration is added 4746 on the home subnet interface, or if its information changes in any 4747 way that does not deprecate the mobile node's address, ensure that 4748 a transmission is scheduled. The actual transmission time is 4749 randomized as described below. 4751 o If a home registration expires, cancel any scheduled 4752 advertisements to the mobile node. 4754 The list of prefixes is sent in its entirety in all cases. 4756 If the home agent already has scheduled the transmission of a Mobile 4757 Prefix Advertisement to the mobile node, the home agent replaces the 4758 advertisement with a new one, to be sent at the scheduled time. 4760 Otherwise, the home agent computes a fresh value for RAND_ADV_DELAY, 4761 the offset from the current time for the scheduled transmission as 4762 follows. First calculate the maximum delay for the scheduled 4763 Advertisement: 4765 MaxScheduleDelay = min (MaxMobPfxAdvInterval, Preferred Lifetime), 4767 where MaxMobPfxAdvInterval is as defined in Section 12. Then compute 4768 the final delay for the advertisement: 4770 RAND_ADV_DELAY = MinMobPfxAdvInterval + 4771 (rand() % abs(MaxScheduleDelay - MinMobPfxAdvInterval)) 4773 Here rand() returns a random integer value in the range of 0 to the 4774 maximum possible integer value. This computation is expected to 4775 alleviate bursts of advertisements when prefix information changes. 4776 In addition, a home agent MAY further reduce the rate of packet 4777 transmission by further delaying individual advertisements, if needed 4778 to avoid overwhelming local network resources. The home agent SHOULD 4779 periodically continue to retransmit an unsolicited Advertisement to 4780 the mobile node, until it is acknowledged by the receipt of a Mobile 4781 Prefix Solicitation from the mobile node. 4783 The home agent MUST wait PREFIX_ADV_TIMEOUT (see Section 12) before 4784 the first retransmission, and double the retransmission wait time for 4785 every succeeding retransmission, up until a maximum of 4786 PREFIX_ADV_RETRIES attempts (see Section 12). If the mobile node's 4787 bindings expire before the matching Binding Update has been received, 4788 then the home agent MUST NOT attempt any more retransmissions, even 4789 if not all PREFIX_ADV_RETRIES have been retransmitted. If the mobile 4790 node sends another Binding Update without returning home in the 4791 meantime, the home agent SHOULD again begin transmitting the 4792 unsolicited Advertisement. 4794 If some condition as described above occurs on the home link and 4795 causes another Prefix Advertisement to be sent to the mobile node, 4796 before the mobile node acknowledges a previous transmission, the home 4797 agent SHOULD combine any Prefix Information options in the 4798 unacknowledged Mobile Prefix Advertisement into a new Advertisement. 4799 The home agent discards the old Advertisement. 4801 10.6.3 Sending Advertisements 4803 When sending a Mobile Prefix Advertisement to the mobile node, the 4804 home agent MUST construct the packet as follows: 4806 o The Source Address in the packet's IPv6 header MUST be set to the 4807 home agent's IP address to which the mobile node addressed its 4808 current home registration, or its default global home agent 4809 address if no binding exists. 4811 o If the advertisement was solicited, it MUST be destined to the 4812 source address of the solicitation. If it was triggered by prefix 4813 changes or renumbering, the advertisement's destination will be 4814 the mobile node's home address in the binding which triggered the 4815 rule. 4817 o A type 2 routing header MUST be included with the mobile node's 4818 home address. 4820 o IPsec headers MUST be supported and SHOULD be used. 4822 o The home agent MUST send the packet as it would any other unicast 4823 IPv6 packet that it originates. 4825 o Set the Managed Address Configuration (M) flag if the 4826 corresponding flag has been set in any of the Router 4827 Advertisements from which the prefix information has been learned 4828 (including the ones sent by this home agent). 4830 o Set the Other Stateful Configuration (O) flag if the corresponding 4831 flag has been set in any of the Router Advertisements from which 4832 the prefix information has been learned (including the ones sent 4833 by this home agent). 4835 10.6.4 Lifetimes for Changed Prefixes 4837 As described in Section 10.3.1, the lifetime returned by the home 4838 agent in a Binding Acknowledgement MUST be no greater than the 4839 remaining valid lifetime for the subnet prefix in the mobile node's 4840 home address. This limit on the binding lifetime serves to prohibit 4841 use of a mobile node's home address after it becomes invalid. 4843 11. Mobile Node Operation 4845 11.1 Conceptual Data Structures 4847 Each mobile node MUST maintain a Binding Update List. 4849 The Binding Update List records information for each Binding Update 4850 sent by this mobile node, for which the lifetime of the binding has 4851 not yet expired. The Binding Update List includes all bindings sent 4852 by the mobile node either to its home agent or correspondent nodes. 4853 It also contains Binding Updates which are waiting for the completion 4854 of the return routability procedure before they can be sent. 4855 However, for multiple Binding Updates sent to the same destination 4856 address, the Binding Update List contains only the most recent 4857 Binding Update (i.e., with the greatest Sequence Number value) sent 4858 to that destination. The Binding Update List MAY be implemented in 4859 any manner consistent with the external behavior described in this 4860 document. 4862 Each Binding Update List entry conceptually contains the following 4863 fields: 4865 o The IP address of the node to which a Binding Update was sent. 4867 o The home address for which that Binding Update was sent. 4869 o The care-of address sent in that Binding Update. This value is 4870 necessary for the mobile node to determine if it has sent a 4871 Binding Update giving its new care-of address to this destination 4872 after changing its care-of address. 4874 o The initial value of the Lifetime field sent in that Binding 4875 Update. 4877 o The remaining lifetime of that binding. This lifetime is 4878 initialized from the Lifetime value sent in the Binding Update and 4879 is decremented until it reaches zero, at which time this entry 4880 MUST be deleted from the Binding Update List. 4882 o The maximum value of the Sequence Number field sent in previous 4883 Binding Updates to this destination. The Sequence Number field is 4884 16 bits long, and all comparisons between Sequence Number values 4885 MUST be performed modulo 2**16 (see Section 9.5.1). 4887 o The time at which a Binding Update was last sent to this 4888 destination, as needed to implement the rate limiting restriction 4889 for sending Binding Updates. 4891 o The state of any retransmissions needed for this Binding Update. 4892 This state includes the time remaining until the next 4893 retransmission attempt for the Binding Update, and the current 4894 state of the exponential back-off mechanism for retransmissions. 4896 o A flag specifying whether or not future Binding Updates should be 4897 sent to this destination. The mobile node sets this flag in the 4898 Binding Update List entry when it receives an ICMP Parameter 4899 Problem, Code 1, error message in response to a return routability 4900 message or Binding Update sent to that destination, as described 4901 in Section 11.3.5. 4903 The Binding Update List is used to determine whether a particular 4904 packet is sent directly to the correspondent node or tunneled via the 4905 home agent (see Section 11.3.1). 4907 The Binding Update list also conceptually contains the following data 4908 related to running the return routability procedure. This data is 4909 relevant only for Binding Updates sent to correspondent nodes. 4911 o The time at which a Home Test Init or Care-of Test Init message 4912 was last sent to this destination, as needed to implement the rate 4913 limiting restriction for the return routability procedure. 4915 o The state of any retransmissions needed for this return 4916 routability procedure. This state includes the time remaining 4917 until the next retransmission attempt and the current state of the 4918 exponential back-off mechanism for retransmissions. 4920 o Cookie values used in the Home Test Init and Care-of Test Init 4921 messages. 4923 o Home and care-of keygen tokens received from the correspondent 4924 node. 4926 o Home and care-of nonce indices received from the correspondent 4927 node. 4929 o The time at which each of the tokens and nonces was received from 4930 this correspondent node, as needed to implement reuse while 4931 moving. 4933 11.2 Processing Mobility Headers 4935 All IPv6 mobile nodes MUST observe the rules described in Section 9.2 4936 when processing Mobility Headers. 4938 11.3 Packet Processing 4940 11.3.1 Sending Packets While Away from Home 4942 While a mobile node is away from home, it continues to use its home 4943 address, as well as also using one or more care-of addresses. When 4944 sending a packet while away from home, a mobile node MAY choose among 4945 these in selecting the address that it will use as the source of the 4946 packet, as follows: 4948 o Protocols layered over IP will generally treat the mobile node's 4949 home address as its IP address for most packets. For packets sent 4950 that are part of transport-level connections established while the 4951 mobile node was at home, the mobile node MUST use its home 4952 address. Likewise, for packets sent that are part of 4953 transport-level connections that the mobile node may still be 4954 using after moving to a new location, the mobile node SHOULD use 4955 its home address in this way. If a binding exists, the mobile 4956 node SHOULD send the packets directly to the correspondent node. 4957 Otherwise, if a binding does not exist, the mobile node MUST use 4958 reverse tunneling. 4960 o The mobile node MAY choose to directly use one of its care-of 4961 addresses as the source of the packet, not requiring the use of a 4962 Home Address option in the packet. This is particularly useful 4963 for short-term communication that may easily be retried if it 4964 fails. Using the mobile node's care-of address as the source for 4965 such queries will generally have a lower overhead than using the 4966 mobile node's home address, since no extra options need be used in 4967 either the query or its reply. Such packets can be routed 4968 normally, directly between their source and destination without 4969 relying on Mobile IPv6. If application running on the mobile node 4970 has no particular knowledge that the communication being sent fits 4971 within this general type of communication, however, the mobile 4972 node should not use its care-of address as the source of the 4973 packet in this way. 4975 The choice of the most efficient communications method is 4976 application specific, and outside the scope of this specification. 4977 The APIs necessary for controlling the choice are also out of 4978 scope. 4980 o While not at its home link, the mobile node MUST NOT use the Home 4981 Address destination option when communicating with link-local or 4982 site-local peers, if the scope of the home address is larger than 4983 the scope of the peer's address. 4985 Similarly, the mobile node MUST NOT use the Home Address 4986 destination option for IPv6 Neighbor Discovery [12] packets. 4988 Detailed operation of these cases is described later in this section 4989 and also discussed in [31]. 4991 For packets sent by a mobile node while it is at home, no special 4992 Mobile IPv6 processing is required. Likewise, if the mobile node 4993 uses any address other than any of its home addresses as the source 4994 of a packet sent while away from home no special Mobile IPv6 4995 processing is required. In either case, the packet is simply 4996 addressed and transmitted in the same way as any normal IPv6 packet. 4998 For packets sent by the mobile node sent while away from home using 4999 the mobile node's home address as the source, special Mobile IPv6 5000 processing of the packet is required. This can be done in the 5001 following two ways: 5003 Route Optimization 5005 This manner of delivering packets does not require going through 5006 the home network, and typically will enable faster and more 5007 reliable transmission. 5009 The mobile node needs to ensure that there exists a Binding Cache 5010 entry for its home address so that the correspondent node can 5011 process the packet (Section 9.3.1 specifies the rules for Home 5012 Address Destination Option Processing at a correspondent node). 5013 The mobile node SHOULD examine its Binding Update List for an 5014 entry which fulfills the following conditions: 5016 * The Source Address field of the packet being sent is equal to 5017 the home address in the entry. 5019 * The Destination Address field of the packet being sent is equal 5020 to the address of the correspondent node in the entry. 5022 * One of the current care-of addresses of the mobile node appears 5023 as the care-of address in the entry. 5025 * The entry indicates that a binding has been successfully 5026 created. 5028 * The remaining lifetime of the binding is greater than zero. 5030 When these conditions are met, the mobile node knows that the 5031 correspondent node has a suitable Binding Cache entry. 5033 A mobile node SHOULD arrange to supply the home address in a Home 5034 Address option, and MUST set the IPv6 header's Source Address 5035 field to the care-of address which the mobile node has registered 5036 to be used with this correspondent node. The correspondent node 5037 will then use the address supplied in the Home Address option to 5038 serve the function traditionally done by the Source IP address in 5039 the IPv6 header. The mobile node's home address is then supplied 5040 to higher protocol layers and applications. 5042 Specifically: 5044 * Construct the packet using the mobile node's home address as 5045 the packet's Source Address, in the same way as if the mobile 5046 node were at home. This includes the calculation of upper 5047 layer checksums using the home address as the value of the 5048 source. 5050 * Insert a Home Address option into the packet, with the Home 5051 Address field copied from the original value of the Source 5052 Address field in the packet. 5054 * Change the Source Address field in the packet's IPv6 header to 5055 one of the mobile node's care-of addresses. This will 5056 typically be the mobile node's current primary care-of address, 5057 but MUST be an address assigned to the interface on the link 5058 being used. 5060 By using the care-of address as the Source Address in the IPv6 5061 header, with the mobile node's home address instead in the Home 5062 Address option, the packet will be able to safely pass through any 5063 router implementing ingress filtering [26]. 5065 Reverse Tunneling 5067 This is the mechanism which tunnels the packets via the home 5068 agent. It is not as efficient as the above mechanism, but is 5069 needed if there is no binding yet with the correspondent node. 5071 This mechanism is used for packets that have the mobile node's 5072 home address as the Source Address in the IPv6 header, or with 5073 multicast control protocol packets as described in Section 11.3.4. 5074 Specifically: 5076 * The packet is sent to the home agent using IPv6 encapsulation 5077 [15]. 5079 * The Source Address in the tunnel packet is the primary care-of 5080 address as registered with the home agent. 5082 * The Destination Address in the tunnel packet is the home 5083 agent's address. 5085 Then, the home agent will pass the encapsulated packet to the 5086 correspondent node. 5088 11.3.2 Interaction with Outbound IPsec Processing 5090 This section sketches the interaction between outbound Mobile IPv6 5091 processing and outbound IP Security (IPsec) processing for packets 5092 sent by a mobile node while away from home. Any specific 5093 implementation MAY use algorithms and data structures other than 5094 those suggested here, but its processing MUST be consistent with the 5095 effect of the operation described here and with the relevant IPsec 5096 specifications. In the steps described below, it is assumed that 5097 IPsec is being used in transport mode [4] and that the mobile node is 5098 using its home address as the source for the packet (from the point 5099 of view of higher protocol layers or applications, as described in 5100 Section 11.3.1): 5102 o The packet is created by higher layer protocols and applications 5103 (e.g., by TCP) as if the mobile node were at home and Mobile IPv6 5104 were not being used. 5106 o Determine the outgoing interface for the packet. (Note that the 5107 selection between reverse tunneling and route optimization may 5108 imply different interfaces, particularly if tunnels are considered 5109 interfaces as well.) 5111 o As part of outbound packet processing in IP, the packet is 5112 compared against the IPsec security policy database to determine 5113 what processing is required for the packet [4]. 5115 o If IPsec processing is required, the packet is either mapped to an 5116 existing Security Association (or SA bundle), or a new SA (or SA 5117 bundle) is created for the packet, according to the procedures 5118 defined for IPsec. 5120 o Since the mobile node is away from home, the mobile is either 5121 using reverse tunneling or route optimization to reach the 5122 correspondent node. 5124 If reverse tunneling is used, the packet is constructed in the 5125 normal manner and then tunneled through the home agent. 5127 If route optimization is in use, the mobile node inserts a Home 5128 Address destination option into the packet, replacing the Source 5129 Address in the packet's IP header with the care-of address used 5130 with this correspondent node, as described in Section 11.3.1. The 5131 Destination Options header in which the Home Address destination 5132 option is inserted MUST appear in the packet after the routing 5133 header, if present, and before the IPsec (AH [5] or ESP [6]) 5134 header, so that the Home Address destination option is processed 5135 by the destination node before the IPsec header is processed. 5137 Finally, once the packet is fully assembled, the necessary IPsec 5138 authentication (and encryption, if required) processing is 5139 performed on the packet, initializing the Authentication Data in 5140 the IPsec header. 5142 RFC 2402 treatment of destination options is extended as follows. 5143 The AH authentication data MUST be calculated as if the following 5144 were true: 5146 * the IPv6 source address in the IPv6 header contains the mobile 5147 node's home address, 5149 * the Home Address field of the Home Address destination option 5150 (Section 6.3) contains the new care-of address. 5152 o This allows, but does not require, the receiver of the packet 5153 containing a Home Address destination option to exchange the two 5154 fields of the incoming packet to reach the above situation, 5155 simplifying processing for all subsequent packet headers. 5156 However, such an exchange is not required, as long as the result 5157 of the authentication calculation remains the same. 5159 When an automated key management protocol is used to create new 5160 security associations for a peer, it is important to ensure that the 5161 peer can send the key management protocol packets to the mobile node. 5162 This may not be possible if the peer is the home agent of the mobile 5163 node, and the purpose of the security associations would be to send a 5164 Binding Update to the home agent. Packets addressed to the home 5165 address of the mobile node cannot be used before the Binding Update 5166 has been processed. For the default case of using IKE [9] as the 5167 automated key management protocol, such problems can be avoided by 5168 the following requirements when communicating with its home agent: 5170 o When the mobile node is away from home, it MUST use its care-of 5171 address as the Source Address of all packets it sends as part of 5172 the key management protocol (without use of Mobile IPv6 for these 5173 packets, as suggested in Section 11.3.1). 5175 o In addition, for all security associations bound to the mobile 5176 node's home address established by IKE, the mobile node MUST 5177 include an ISAKMP Identification Payload [8] in the IKE exchange, 5178 giving the mobile node's home address as the initiator of the 5179 Security Association [7]. 5181 The Key Management Mobility Capability (K) bit in Binding Updates and 5182 Acknowledgements can be used avoid the need to rerun IKE upon 5183 movements. 5185 11.3.3 Receiving Packets While Away from Home 5187 While away from home, a mobile node will receive packets addressed to 5188 its home address, by one of two methods: 5190 o Packets sent by a correspondent node that does not have a Binding 5191 Cache entry for the mobile node, will be sent to the home address, 5192 captured by the home agent and tunneled to the mobile node 5194 o Packets sent by a correspondent node that has a Binding Cache 5195 entry for the mobile node that contains the mobile node's current 5196 care-of address, will be sent by the correspondent node using a 5197 type 2 routing header. The packet will be addressed to the mobile 5198 node's care-of address, with the final hop in the routing header 5199 directing the packet to the mobile node's home address; the 5200 processing of this last hop of the routing header is entirely 5201 internal to the mobile node, since the care-of address and home 5202 address are both addresses within the mobile node. 5204 For packets received by the first method, the mobile node MUST check 5205 that the IPv6 source address of the tunneled packet is the IP address 5206 of its home agent. In this method the mobile node may also send a 5207 Binding Update to the original sender of the packet, as described in 5208 Section 11.7.2, subject to the rate limiting defined in Section 11.8. 5209 The mobile node MUST also process the received packet in the manner 5210 defined for IPv6 encapsulation [15], which will result in the 5211 encapsulated (inner) packet being processed normally by upper-layer 5212 protocols within the mobile node, as if it had been addressed (only) 5213 to the mobile node's home address. 5215 For packets received by the second method, the following rules will 5216 result in the packet being processed normally by upper-layer 5217 protocols within the mobile node, as if it had been addressed to the 5218 mobile node's home address. 5220 A node receiving a packet addressed to itself (i.e., one of the 5221 node's addresses is in the IPv6 destination field) follows the next 5222 header chain of headers and processes them. When it encounters a 5223 type 2 routing header during this processing it performs the 5224 following checks. If any of these checks fail the node MUST silently 5225 discard the packet. 5227 o The length field in the routing header is exactly 2. 5229 o The segments left field in the routing header is 1 on the wire. 5230 (But implementations may process the routing header so that the 5231 value may become 0 after the routing header has been processed, 5232 but before the rest of the packet is processed.) 5234 o The Home Address field in the routing header is one of the node's 5235 home addresses, if the segments left field was 1. Thus, in 5236 particular the address field is required to be a unicast routable 5237 address. 5239 Once the above checks have been performed, the node swaps the IPv6 5240 destination field with the Home Address field in the routing header, 5241 decrements segments left by one from the value it had on the wire, 5242 and resubmits the packet to IP for processing the next header. 5243 Conceptually this follows the same model as in RFC 2460. However, in 5244 the case of type 2 routing header this can be simplified since it is 5245 known that the packet will not be forwarded to a different node. 5247 The definition of AH requires the sender to calculate the AH 5248 integrity check value of a routing header in a way as it appears in 5249 the receiver after it has processed the header. Since IPsec headers 5250 follow the routing header, any IPsec processing will operate on the 5251 packet with the home address in the IP destination field and segments 5252 left being zero. Thus, the AH calculations at the sender and 5253 receiver will have an identical view of the packet. 5255 11.3.4 Routing Multicast Packets 5257 A mobile node that is connected to its home link functions in the 5258 same way as any other (stationary) node. Thus, when it is at home, a 5259 mobile node functions identically to other multicast senders and 5260 receivers. This section therefore describes the behavior of a mobile 5261 node that is not on its home link. 5263 In order to receive packets sent to some multicast group, a mobile 5264 node must join that multicast group. One method by which a mobile 5265 node MAY join the group is via a (local) multicast router on the 5266 foreign link being visited. In this case, the mobile node MUST use 5267 its care-of address and MUST NOT use the Home Address destination 5268 option when sending MLD packets [17]. 5270 Alternatively, a mobile node MAY join multicast groups via a 5271 bi-directional tunnel to its home agent. The mobile node tunnels its 5272 multicast group membership control packets (such as those defined in 5273 [17] or in [37]) to its home agent, and the home agent forwards 5274 multicast packets down the tunnel to the mobile node. A mobile node 5275 MUST NOT tunnel multicast group membership control packets until (1) 5276 the mobile node has a binding in place at the home agent, and (2) the 5277 latter sends at least one such multicast group membership control 5278 packet via the tunnel. Once this condition is true, the mobile node 5279 SHOULD assume it does not change as long as the binding does not 5280 expire. 5282 A mobile node that wishes to send packets to a multicast group also 5283 has two options: 5285 1. Send directly on the foreign link being visited. 5287 The application is aware of the care-of address and uses it as a 5288 source address for multicast traffic, just like it would use a 5289 stationary address. The mobile node MUST NOT use Home Address 5290 destination option in such traffic. 5292 2. Send via a tunnel to its home agent. 5294 Because multicast routing in general depends upon the Source 5295 Address used in the IPv6 header of the multicast packet, a mobile 5296 node that tunnels a multicast packet to its home agent MUST use 5297 its home address as the IPv6 Source Address of the inner 5298 multicast packet. 5300 Note that direct sending from the foreign link is only applicable 5301 while the mobile node is at that foreign link. This is because the 5302 associated multicast tree is specific to that source location and any 5303 change of location and source address will invalidate the source 5304 specific tree or branch and the application context of the other 5305 multicast group members. 5307 This specification does not provide mechanisms to enable such local 5308 multicast session to survive hand-off, and to seamlessly continue 5309 from a new care-of address on each new foreign link. Any such 5310 mechanism, developed as an extension to this specification, needs to 5311 take into account the impact of fast moving mobile nodes on the 5312 Internet multicast routing protocols and their ability to maintain 5313 the integrity of source specific multicast trees and branches. 5315 While the use of bidirectional tunneling can ensure that multicast 5316 trees are independent of the mobile nodes movement, in some case such 5317 tunneling can have adverse affects. The latency of specific types of 5318 multicast applications such as multicast based discovery protocols 5319 will be affected when the round-trip time between the foreign subnet 5320 and the home agent is significant compared to that of the topology to 5321 be discovered. In addition, the delivery tree from the home agent in 5322 such circumstances relies on unicast encapsulation from the agent to 5323 the mobile node and is therefore bandwidth inefficient compared to 5324 the native multicast forwarding in the foreign multicast system. 5326 11.3.5 Receiving ICMP Error Messages 5328 Any node that does not recognize the Mobility header will return an 5329 ICMP Parameter Problem, Code 1, message to the sender of the packet. 5330 If the mobile node receives such an ICMP error message in response to 5331 a return routability procedure or Binding Update, it SHOULD record in 5332 its Binding Update List that future Binding Updates SHOULD NOT be 5333 sent to this destination. Such Binding Update List entries SHOULD be 5334 removed after a period of time, in order to allow for retrying route 5335 optimization. 5337 New Binding Update List entries MUST NOT be created as a result of 5338 receiving ICMP error messages. 5340 Correspondent nodes that have participated in the return routability 5341 procedure MUST implement the ability to correctly process received 5342 packets containing a Home Address destination option. Therefore, 5343 correctly implemented correspondent nodes should always be able to 5344 recognize Home Address options. If a mobile node receives an ICMP 5345 Parameter Problem, Code 2, message from some node indicating that it 5346 does not support the Home Address option, the mobile node SHOULD log 5347 the error and then discard the ICMP message. 5349 11.3.6 Receiving Binding Error Messages 5351 When a mobile node receives a packet containing a Binding Error 5352 message, it should first check if the mobile node has a Binding 5353 Update List entry for the source of the Binding Error message. If 5354 the mobile node does not have such an entry, it MUST ignore the 5355 message. This is necessary to prevent a waste of resources on e.g. 5356 return routability procedure due to spoofed Binding Error messages. 5358 Otherwise, if the message Status field was 1 (unknown binding for 5359 Home Address destination option), the mobile node should perform one 5360 of the following two actions: 5362 o If the mobile node has recent upper layer progress information 5363 that indicates communications with the correspondent node are 5364 progressing, it MAY ignore the message. This can be done in order 5365 to limit the damage that spoofed Binding Error messages can cause 5366 to ongoing communications. 5368 o If the mobile node has no upper layer progress information, it 5369 MUST remove the entry and route further communications through the 5370 home agent. It MAY also optionally start a return routability 5371 procedure (see Section 5.2). 5373 If the message Status field was 2 (unrecognized MH Type value), the 5374 mobile node should perform one of the following two actions: 5376 o If the mobile node is not expecting an acknowledgement or response 5377 from the correspondent node, the mobile node SHOULD ignore this 5378 message. 5380 o Otherwise, the mobile node SHOULD cease the use of any extensions 5381 to this specification. If no extensions had been used, the mobile 5382 node should cease the attempt to use route optimization. 5384 11.4 Home Agent and Prefix Management 5386 11.4.1 Dynamic Home Agent Address Discovery 5388 Sometimes, when the mobile node needs to send a Binding Update to its 5389 home agent to register its new primary care-of address, as described 5390 in Section 11.7.1, the mobile node may not know the address of any 5391 router on its home link that can serve as a home agent for it. For 5392 example, some nodes on its home link may have been reconfigured while 5393 the mobile node has been away from home, such that the router that 5394 was operating as the mobile node's home agent has been replaced by a 5395 different router serving this role. 5397 In this case, the mobile node MAY attempt to discover the address of 5398 a suitable home agent on its home link. To do so, the mobile node 5399 sends an ICMP Home Agent Address Discovery Request message to the 5400 Mobile IPv6 Home-Agents anycast address [16] for its home subnet 5401 prefix. As described in Section 10.5, the home agent on its home 5402 link that receives this Request message will return an ICMP Home 5403 Agent Address Discovery Reply message. This message gives the 5404 addresses for the home agents operating on the home link. 5406 The mobile node, upon receiving this Home Agent Address Discovery 5407 Reply message, MAY then send its home registration Binding Update to 5408 any of the unicast IP addresses listed in the Home Agent Addresses 5409 field in the Reply. For example, the mobile node MAY attempt its 5410 home registration to each of these addresses, in turn, until its 5411 registration is accepted. The mobile node sends a Binding Update to 5412 an address and waits for the matching Binding Acknowledgement, moving 5413 on to the next address if there is no response. The mobile node 5414 MUST, however, wait at least InitialBindackTimeoutFirstReg seconds 5415 (see Section 13) before sending a Binding Update to the next home 5416 agent. In trying each of the returned home agent addresses, the 5417 mobile node SHOULD try each in the order listed in the Home Agent 5418 Addresses field in the received Home Agent Address Discovery Reply 5419 message. 5421 If the mobile node has a current registration with some home agent 5422 (the Lifetime for that registration has not yet expired), then the 5423 mobile node MUST attempt any new registration first with that home 5424 agent. If that registration attempt fails (e.g., times out or is 5425 rejected), the mobile node SHOULD then reattempt this registration 5426 with another home agent. If the mobile node knows of no other 5427 suitable home agent, then it MAY attempt the dynamic home agent 5428 address discovery mechanism described above. 5430 If, after a mobile node transmits a Home Agent Address Discovery 5431 Request message to the Home Agents Anycast address, it does not 5432 receive a corresponding Home Agent Address Discovery Reply message 5433 within INITIAL_DHAAD_TIMEOUT (see Section 12) seconds, the mobile 5434 node MAY retransmit the same Request message to the same anycast 5435 address. This retransmission MAY be repeated up to a maximum of 5436 DHAAD_RETRIES (see Section 12) attempts. Each retransmission MUST be 5437 delayed by twice the time interval of the previous retransmission. 5439 11.4.2 Sending Mobile Prefix Solicitations 5441 When a mobile node has a home address that is about to become 5442 invalid, it SHOULD send a Mobile Prefix Solicitation to its home 5443 agent in an attempt to acquire fresh routing prefix information. The 5444 new information also enables the mobile node to participate in 5445 renumbering operations affecting the home network, as described in 5446 Section 10.6. 5448 The mobile node MUST use the Home Address destination option to carry 5449 its home address. The mobile node MUST support and SHOULD use IPsec 5450 to protect the solicitation. The mobile node MUST set the Identifier 5451 field in the ICMP header to a random value. 5453 As described in Section 11.7.2, Binding Updates sent by the mobile 5454 node to other nodes MUST use a lifetime no greater than the remaining 5455 lifetime of its home registration of its primary care-of address. 5456 The mobile node SHOULD further limit the lifetimes that it sends on 5457 any Binding Updates to be within the remaining valid lifetime (see 5458 Section 10.6.2) for the prefix in its home address. 5460 When the lifetime for a changed prefix decreases, and the change 5461 would cause cached bindings at correspondent nodes in the Binding 5462 Update List to be stored past the newly shortened lifetime, the 5463 mobile node MUST issue a Binding Update to all such correspondent 5464 nodes. 5466 These limits on the binding lifetime serve to prohibit use of a 5467 mobile node's home address after it becomes invalid. 5469 11.4.3 Receiving Mobile Prefix Advertisements 5471 Section 10.6 describes the operation of a home agent to support boot 5472 time configuration and renumbering a mobile node's home subnet while 5473 the mobile node is away from home. The home agent sends Mobile 5474 Prefix Advertisements to the mobile node while away from home, giving 5475 "important" Prefix Information options that describe changes in the 5476 prefixes in use on the mobile node's home link. 5478 The Mobile Prefix Solicitation is similar to the Router Solicitation 5479 used in Neighbor Discovery [12], except it is routed from the mobile 5480 node on the visited network to the home agent on the home network by 5481 usual unicast routing rules. 5483 When a mobile node receives a Mobile Prefix Advertisement, it MUST 5484 validate it according to the following test: 5486 o The Source Address of the IP packet carrying the Mobile Prefix 5487 Advertisement is the same as the home agent address to which the 5488 mobile node last sent an accepted home registration Binding Update 5489 to register its primary care-of address. Otherwise, if no such 5490 registrations have been made, it SHOULD be the mobile node's 5491 stored home agent address, if one exists. Otherwise, if the 5492 mobile node has not yet discovered its home agent's address, it 5493 MUST NOT accept Mobile Prefix Advertisements. 5495 o The packet MUST have a type 2 routing header and SHOULD be 5496 protected by an IPsec header as described in Section 5.4 and 5497 Section 6.8. 5499 o If the ICMP Identifier value matches the ICMP Identifier value of 5500 the most recently sent Mobile Prefix Solicitation and no other 5501 advertisement has yet been received for this value, then the 5502 advertisement is considered to be solicited and will be processed 5503 further. 5505 Otherwise, the advertisement is unsolicited, and MUST be silently 5506 discarded. In this case the mobile node SHOULD send a Mobile 5507 Prefix Solicitation. 5509 Any received Mobile Prefix Advertisement not meeting these tests MUST 5510 be silently discarded. 5512 For an accepted Mobile Prefix Advertisement, the mobile node MUST 5513 process Managed Address Configuration (M), Other Stateful 5514 Configuration (O), and the Prefix Information Options as if they 5515 arrived in a Router Advertisement [12] on the mobile node's home 5516 link. (This specification does not, however, describe how to acquire 5517 home addresses through stateful protocols.) Such processing may 5518 result in the mobile node configuring a new home address, although 5519 due to separation between preferred lifetime and valid lifetime, such 5520 changes should not affect most communications by the mobile node, in 5521 the same way as for nodes that are at home. 5523 This specification assumes that any security associations and 5524 security policy entries that may be needed for new prefixes have been 5525 pre-configured in the mobile node. Note that while dynamic key 5526 management avoids the need to create new security associations, it is 5527 still necessary to add policy entries to protect the communications 5528 involving the home address(es). Mechanisms for automatic set-up of 5529 these entries are outside the scope of this specification. 5531 11.5 Movement 5533 11.5.1 Movement Detection 5535 The primary goal of movement detection is to detect L3 handovers. 5536 This section does not attempt to specify a fast movement detection 5537 algorithm which will function optimally for all types of 5538 applications, link-layers and deployment scenarios; instead, it 5539 describes a generic method that uses the facilities of IPv6 Neighbor 5540 Discovery, including Router Discovery and Neighbor Unreachability 5541 Detection. At the time of this writing, this method is considered 5542 well enough understood to recommend for standardization, however it 5543 is expected that future versions of this specification or other 5544 specifications may contain updated versions of the movement detection 5545 algorithm that have better performance. 5547 Generic movement detection uses Neighbor Unreachability Detection to 5548 detect when the default router is no longer bi-directionally 5549 reachable, in which case the mobile node must discover a new default 5550 router (usually on a new link). However, this detection only occurs 5551 when the mobile node has packets to send, and in the absence of 5552 frequent Router Advertisements or indications from the link-layer, 5553 the mobile node might become unaware of an L3 handover that occurred. 5554 Therefore, the mobile node should supplement this method with other 5555 information whenever it is available to the mobile node (e.g., from 5556 lower protocol layers). 5558 When the mobile node detects an L3 handover, it performs Duplicate 5559 Address Detection [13] on its link-local address, selects a new 5560 default router as a consequence of Router Discovery, and then 5561 performs Prefix Discovery with that new router to form new care-of 5562 address(es) as described in Section 11.5.2. It then registers its 5563 new primary care-of address with its home agent as described in 5564 Section 11.7.1. After updating its home registration, the mobile 5565 node then updates associated mobility bindings in correspondent nodes 5566 that it is performing route optimization with as specified in Section 5567 11.7.2. 5569 Due to the temporary packet flow disruption and signaling overhead 5570 involved in updating mobility bindings, the mobile node should avoid 5571 performing an L3 handover until it is strictly necessary. 5572 Specifically, when the mobile node receives a Router Advertisement 5573 from a new router that contains a different set of on-link prefixes, 5574 if the mobile node detects that the currently selected default router 5575 on the old link is still bi-directionally reachable, it should 5576 generally continue to use the old router on the old link rather than 5577 switch away from it to use a new default router. 5579 Mobile nodes can use the information in received Router 5580 Advertisements to detect L3 handovers. In doing so the mobile node 5581 needs to consider the following issues: 5583 o There might be multiple routers on the same link, thus hearing a 5584 new router does not necessarily constitute an L3 handover. 5586 o When there are multiple routers on the same link they might 5587 advertise different prefixes. Thus even hearing a new router with 5588 a new prefix might not be a reliable indication of an L3 handover. 5590 o The link-local addresses of routers are not globally unique, hence 5591 after completing an L3 handover the mobile node might continue to 5592 receive Router Advertisements with the same link-local source 5593 address. This might be common if routers use the same link-local 5594 address on multiple interfaces. This issue can be avoided when 5595 routers use the Router Address (R) bit, since that provides a 5596 global address of the router. 5598 In addition, the mobile node should consider the following events as 5599 indications that an L3 handover may have occurred. Upon receiving 5600 such indications, the mobile node needs to perform Router Discovery 5601 to discover routers and prefixes on the new link, as described in 5602 Section 6.3.7 of RFC 2461 [12]. 5604 o If Router Advertisements that the mobile node receives include an 5605 Advertisement Interval option, the mobile node may use its 5606 Advertisement Interval field as an indication of the frequency 5607 with which it should expect to continue to receive future 5608 Advertisements from that router. This field specifies the minimum 5609 rate (the maximum amount of time between successive 5610 Advertisements) that the mobile node should expect. If this 5611 amount of time elapses without the mobile node receiving any 5612 Advertisement from this router, the mobile node can be sure that 5613 at least one Advertisement sent by the router has been lost. The 5614 mobile node can then implement its own policy to determine how 5615 many lost Advertisements from its current default router 5616 constitute an L3 handover indication. 5618 o Neighbor Unreachability Detection determines that the default 5619 router is no longer reachable. 5621 o With some types of networks, notification that an L2 handover has 5622 occurred might be obtained from lower layer protocols or device 5623 driver software within the mobile node. While further details 5624 around handling L2 indications as movement hints is an item for 5625 further study, at the time of writing this specification the 5626 following is considered reasonable: 5628 An L2 handover indication may or may not imply L2 movement and L2 5629 movement may or may not imply L3 movement; the correlations might 5630 be a function of the type of L2 but might also be a function of 5631 actual deployment of the wireless topology. 5633 Unless it is well-known that an L2 handover indication is likely 5634 to imply L3 movement, instead of immediately multicasting a router 5635 solicitation it may be better to attempt to verify whether the 5636 default router is still bi-directionally reachable. This can be 5637 accomplished by sending a unicast Neighbor Solicitation and 5638 waiting for a Neighbor Advertisement with the solicited flag set. 5639 Note that this is similar to Neighbor Unreachability detection but 5640 it does not have the same state machine, such as the STALE state. 5642 If the default router does not respond to the Neighbor 5643 Solicitation it makes sense to proceed to multicasting a Router 5644 Solicitation. 5646 11.5.2 Forming New Care-of Addresses 5648 After detecting that it has moved a mobile node SHOULD generate a new 5649 primary care-of address using normal IPv6 mechanisms. This SHOULD 5650 also be done when the current primary care-of address becomes 5651 deprecated. A mobile node MAY form a new primary care-of address at 5652 any time, but a mobile node MUST NOT send a Binding Update about a 5653 new care-of address to its home agent more than MAX_UPDATE_RATE times 5654 within a second. 5656 In addition, a mobile node MAY form new non-primary care-of addresses 5657 even when it has not switched to a new default router. A mobile node 5658 can have only one primary care-of address at a time (which is 5659 registered with its home agent), but it MAY have an additional 5660 care-of address for any or all of the prefixes on its current link. 5661 Furthermore, since a wireless network interface may actually allow a 5662 mobile node to be reachable on more than one link at a time (i.e., 5663 within wireless transmitter range of routers on more than one 5664 separate link), a mobile node MAY have care-of addresses on more than 5665 one link at a time. The use of more than one care-of address at a 5666 time is described in Section 11.5.3. 5668 As described in Section 4, in order to form a new care-of address, a 5669 mobile node MAY use either stateless [13] or stateful (e.g., DHCPv6 5670 [29]) Address Autoconfiguration. If a mobile node needs to use a 5671 source address (other than the unspecified address) in packets sent 5672 as a part of address autoconfiguration, it MUST use an IPv6 5673 link-local address rather than its own IPv6 home address. 5675 RFC 2462 [13] specifies that in normal processing for Duplicate 5676 Address Detection, the node SHOULD delay sending the initial Neighbor 5677 Solicitation message by a random delay between 0 and 5678 MAX_RTR_SOLICITATION_DELAY. Since delaying DAD can result in 5679 significant delays in configuring a new care-of address when the 5680 Mobile Node moves to a new link, the Mobile Node preferably SHOULD 5681 NOT delay DAD when configuring a new care-of address. The Mobile 5682 Node SHOULD delay according to the mechanisms specified in RFC 2462 5683 unless the implementation has a behavior that desynchronizes the 5684 steps that happen before the DAD in the case that multiple nodes 5685 experience handover at the same time. Such desynchronizing behaviors 5686 might be due to random delays in the L2 protocols or device drivers, 5687 or due to the movement detection mechanism that is used. 5689 11.5.3 Using Multiple Care-of Addresses 5691 As described in Section 11.5.2, a mobile node MAY use more than one 5692 care-of address at a time. Particularly in the case of many wireless 5693 networks, a mobile node effectively might be reachable through 5694 multiple links at the same time (e.g., with overlapping wireless 5695 cells), on which different on-link subnet prefixes may exist. The 5696 mobile node MUST ensure that its primary care-of address always has a 5697 prefix that is considered on-link by its current default router, 5698 i.e., advertised by its current default router in a solicited Router 5699 Advertisement. After selecting a new primary care-of address, the 5700 mobile node MUST send a Binding Update containing that care-of 5701 address to its home agent. The Binding Update MUST have the Home 5702 Registration (H) and Acknowledge (A) bits set its home agent, as 5703 described on Section 11.7.1. 5705 To assist with smooth handovers, a mobile node SHOULD retain its 5706 previous primary care-of address as a (non-primary) care-of address, 5707 and SHOULD still accept packets at this address, even after 5708 registering its new primary care-of address with its home agent. 5709 This is reasonable, since the mobile node could only receive packets 5710 at its previous primary care-of address if it were indeed still 5711 connected to that link. If the previous primary care-of address was 5712 allocated using stateful Address Autoconfiguration [29], the mobile 5713 node may not wish to release the address immediately upon switching 5714 to a new primary care-of address. 5716 Whenever a mobile node determines that it is no longer reachable 5717 through a given link, it SHOULD invalidate all care-of addresses 5718 associated with address prefixes that it discovered from routers on 5719 the unreachable link which are not in the current set of address 5720 prefixes advertised by the (possibly new) current default router. 5722 11.5.4 Returning Home 5724 A mobile node detects that it has returned to its home link through 5725 the movement detection algorithm in use (Section 11.5.1), when the 5726 mobile node detects that its home subnet prefix is again on-link. 5727 The mobile node SHOULD then send a Binding Update to its home agent, 5728 to instruct its home agent to no longer intercept or tunnel packets 5729 for it. In this home registration, the mobile node MUST set the 5730 Acknowledge (A) and Home Registration (H) bits, set the Lifetime 5731 field to zero, and set the care-of address for the binding to the 5732 mobile node's own home address. The mobile node MUST use its home 5733 address as the source address in the Binding Update. 5735 When sending this Binding Update to its home agent, the mobile node 5736 must be careful in how it uses Neighbor Solicitation [12] (if needed) 5737 to learn the home agent's link-layer address, since the home agent 5738 will be currently configured to intercept packets to the mobile 5739 node's home address using Duplicate Address Detection (DAD). In 5740 particular, the mobile node is unable to use its home address as the 5741 Source Address in the Neighbor Solicitation until the home agent 5742 stops defending the home address. 5744 Neighbor Solicitation by the mobile node for the home agent's address 5745 will normally not be necessary, since the mobile node has already 5746 learned the home agent's link-layer address from a Source Link-Layer 5747 Address option in a Router Advertisement. However, if there are 5748 multiple home agents it may still be necessary to send a 5749 solicitation. In this special case of the mobile node returning 5750 home, the mobile node MUST multicast the packet, and in addition set 5751 the Source Address of this Neighbor Solicitation to the unspecified 5752 address (0:0:0:0:0:0:0:0). The target of the Neighbor Solicitation 5753 MUST be set to the mobile node's home address. The destination IP 5754 address MUST be set to the Solicited-Node multicast address [3]. The 5755 home agent will send a multicast Neighbor Advertisement back to the 5756 mobile node with the Solicited flag (S) set to zero. In any case, 5757 the mobile node SHOULD record the information from the Source 5758 Link-Layer Address option or from the advertisement, and set the 5759 state of the Neighbor Cache entry for the home agent to REACHABLE. 5761 The mobile node then sends its Binding Update to the home agent's 5762 link-layer address, instructing its home agent to no longer serve as 5763 a home agent for it. By processing this Binding Update, the home 5764 agent will cease defending the mobile node's home address for 5765 Duplicate Address Detection and will no longer respond to Neighbor 5766 Solicitations for the mobile node's home address. The mobile node is 5767 then the only node on the link receiving packets at the mobile node's 5768 home address. In addition, when returning home prior to the 5769 expiration of a current binding for its home address, and configuring 5770 its home address on its network interface on its home link, the 5771 mobile node MUST NOT perform Duplicate Address Detection on its own 5772 home address, in order to avoid confusion or conflict with its home 5773 agent's use of the same address. This rule also applies to the 5774 derived link-local address of the mobile node, if the Link Local 5775 Address Compatibility (L) bit was set when the binding was created. 5776 If the mobile node returns home after the bindings for all of its 5777 care-of addresses have expired, then it SHOULD perform DAD. 5779 After the Mobile Node sends the Binding Update, it MUST be prepared 5780 to reply to Neighbor Solicitations for its home address. Such 5781 replies MUST be sent using a unicast Neighbor Advertisement to the 5782 sender's link-layer address. It is necessary to reply, since sending 5783 the Binding Acknowledgement from the home agent may require 5784 performing Neighbor Discovery, and the mobile node may not be able to 5785 distinguish Neighbor Solicitations coming from the home agent from 5786 other Neighbor Solicitations. Note that a race condition exists 5787 where both the mobile node and the home agent respond to the same 5788 solicitations sent by other nodes; this will be only temporary, 5789 however, until the Binding Update is accepted. 5791 After receiving the Binding Acknowledgement for its Binding Update to 5792 its home agent, the mobile node MUST multicast onto the home link (to 5793 the all-nodes multicast address) a Neighbor Advertisement [12], to 5794 advertise the mobile node's own link-layer address for its own home 5795 address. The Target Address in this Neighbor Advertisement MUST be 5796 set to the mobile node's home address, and the Advertisement MUST 5797 include a Target Link-layer Address option specifying the mobile 5798 node's link-layer address. The mobile node MUST multicast such a 5799 Neighbor Advertisement for each of its home addresses, as defined by 5800 the current on-link prefixes, including its link-local address and 5801 site-local address. The Solicited Flag (S) in these Advertisements 5802 MUST NOT be set, since they were not solicited by any Neighbor 5803 Solicitation. The Override Flag (O) in these Advertisements MUST be 5804 set, indicating that the Advertisements SHOULD override any existing 5805 Neighbor Cache entries at any node receiving them. 5807 Since multicasting on the local link (such as Ethernet) is typically 5808 not guaranteed to be reliable, the mobile node MAY retransmit these 5809 Neighbor Advertisements [12] up to MAX_NEIGHBOR_ADVERTISEMENT times 5810 to increase their reliability. It is still possible that some nodes 5811 on the home link will not receive any of these Neighbor 5812 Advertisements, but these nodes will eventually be able to recover 5813 through use of Neighbor Unreachability Detection [12]. 5815 11.6 Return Routability Procedure 5817 This section defines the rules that the mobile node must follow when 5818 performing the return routability procedure. Section 11.7.2 5819 describes the rules when the return routability procedure needs to be 5820 initiated. 5822 11.6.1 Sending Test Init Messages 5824 A mobile node that initiates a return routability procedure MUST send 5825 (in parallel) a Home Test Init message and a Care-of Test Init 5826 messages. However, if the mobile node has recently received (see 5827 Section 5.2.7) one or both home or care-of keygen tokens, and 5828 associated nonce indices for the desired addresses, it MAY reuse 5829 them. Therefore, the return routability procedure may in some cases 5830 be completed with only one message pair. It may even be completed 5831 without any messages at all, if the mobile node has a recent home 5832 keygen token and and has previously visited the same care-of address 5833 so that it also has a recent care-of keygen token. If the mobile 5834 node intends to send a Binding Update with the Lifetime set to zero 5835 and the care-of address equal to its home address - such as when 5836 returning home - sending a Home Test Init message is sufficient. In 5837 this case, generation of the binding management key depends 5838 exclusively on the home keygen token (Section 5.2.5). 5840 A Home Test Init message MUST be created as described in Section 5841 6.1.3. 5843 A Care-of Test Init message MUST be created as described in Section 5844 6.1.4. When sending a Home Test Init or Care-of Test Init message 5845 the mobile node MUST record in its Binding Update List the following 5846 fields from the messages: 5848 o The IP address of the node to which the message was sent. 5850 o The home address of the mobile node. This value will appear in 5851 the Source Address field of the Home Test Init message. When 5852 sending the Care-of Test Init message, this address does not 5853 appear in the message, but represents the home address for which 5854 the binding is desired. 5856 o The time at which each of these messages was sent. 5858 o The cookies used in the messages. 5860 Note that a single Care-of Test Init message may be sufficient even 5861 when there are multiple home addresses. In this case the mobile node 5862 MAY record the same information in multiple Binding Update List 5863 entries. 5865 11.6.2 Receiving Test Messages 5867 Upon receiving a packet carrying a Home Test message, a mobile node 5868 MUST validate the packet according to the following tests: 5870 o The Source Address of the packet belongs to a correspondent node 5871 for which the mobile node has a Binding Update List entry with a 5872 state indicating that return routability procedure is in progress. 5873 Note that there may be multiple such entries. 5875 o The Binding Update List indicates that no home keygen token has 5876 been received yet. 5878 o The Destination Address of the packet has the home address of the 5879 mobile node, and the packet has been received in a tunnel from the 5880 home agent. 5882 o The Home Init Cookie field in the message matches the value stored 5883 in the Binding Update List. 5885 Any Home Test message not satisfying all of these tests MUST be 5886 silently ignored. Otherwise, the mobile node MUST record the Home 5887 Nonce Index and home keygen token in the Binding Update List. If the 5888 Binding Update List entry does not have a care-of keygen token, the 5889 mobile node SHOULD continue waiting for the Care-of Test message. 5891 Upon receiving a packet carrying a Care-of Test message, a mobile 5892 node MUST validate the packet according to the following tests: 5894 o The Source Address of the packet belongs to a correspondent node 5895 for which the mobile node has a Binding Update List entry with a 5896 state indicating that return routability procedure is in progress. 5897 Note that there may be multiple such entries. 5899 o The Binding Update List indicates that no care-of keygen token has 5900 been received yet. 5902 o The Destination Address of the packet is the current care-of 5903 address of the mobile node. 5905 o The Care-of Init Cookie field in the message matches the value 5906 stored in the Binding Update List. 5908 Any Care-of Test message not satisfying all of these tests MUST be 5909 silently ignored. Otherwise, the mobile node MUST record the Care-of 5910 Nonce Index and care-of keygen token in the Binding Update List. If 5911 the Binding Update List entry does not have a home keygen token, the 5912 mobile node SHOULD continue waiting for the Home Test message. 5914 If after receiving either the Home Test or the Care-of Test message 5915 and performing the above actions, the Binding Update List entry has 5916 both the home and the care-of keygen tokens, the return routability 5917 procedure is complete. The mobile node SHOULD then proceed with 5918 sending a Binding Update as described in Section 11.7.2. 5920 Correspondent nodes from the time before this specification was 5921 published may not support the Mobility Header protocol. These nodes 5922 will respond to Home Test Init and Care-of Test Init messages with an 5923 ICMP Parameter Problem code 1. The mobile node SHOULD take such 5924 messages as an indication that the correspondent node cannot provide 5925 route optimization, and revert back to the use of bidirectional 5926 tunneling. 5928 11.6.3 Protecting Return Routability Packets 5930 The mobile node MUST support the protection of Home Test and Home 5931 Test Init messages as described in Section 10.4.6. 5933 When IPsec is used to protect return routability signaling or payload 5934 packets, the mobile node MUST set the source address it uses for the 5935 outgoing tunnel packets to the current primary care-of address. The 5936 mobile node starts to use a new primary care-of address immediately 5937 after sending a Binding Update to the home agent to register this new 5938 address. 5940 11.7 Processing Bindings 5941 11.7.1 Sending Binding Updates to the Home Agent 5943 After deciding to change its primary care-of address as described in 5944 Section 11.5.1 and Section 11.5.2, a mobile node MUST register this 5945 care-of address with its home agent in order to make this its primary 5946 care-of address. 5948 Also, if the mobile node wants the services of the home agent beyond 5949 the current registration period, the mobile node should send a new 5950 Binding Update to it well before the expiration of this period, even 5951 if it is not changing its primary care-of address. However, if the 5952 home agent returned a Binding Acknowledgement for the current 5953 registration with Status field set to 1 (accepted but prefix 5954 discovery necessary), the mobile node should not try to register 5955 again before it has learned the validity of its home prefixes through 5956 mobile prefix discovery. This is typically necessary every time this 5957 Status value is received, because information learned earlier may 5958 have changed. 5960 To register a care-of address or to extend the lifetime of an 5961 existing registration, the mobile node sends a packet to its home 5962 agent containing a Binding Update, with the packet constructed as 5963 follows: 5965 o The Home Registration (H) bit MUST be set in the Binding Update. 5967 o The Acknowledge (A) bit MUST be set in the Binding Update. 5969 o The packet MUST contain a Home Address destination option, giving 5970 the mobile node's home address for the binding. 5972 o The care-of address for the binding MUST be used as the Source 5973 Address in the packet's IPv6 header, unless an Alternate Care-of 5974 Address mobility option is included in the Binding Update. This 5975 option MUST be included in all home registrations, as the ESP 5976 protocol will not be able to protect care-of addresses in the IPv6 5977 header. (Mobile IPv6 implementations that know they are using 5978 IPsec AH to protect a particular message might avoid this option. 5979 For brevity the usage of AH is not discussed in this document.) 5981 o If the mobile node's link-local address has the same interface 5982 identifier as the home address for which it is supplying a new 5983 care-of address, then the mobile node SHOULD set the Link-Local 5984 Address Compatibility (L) bit. 5986 o If the home address was generated using RFC 3041 [18], then the 5987 link local address is unlikely to have a compatible interface 5988 identifier. In this case, the mobile node MUST clear the 5989 Link-Local Address Compatibility (L) bit. 5991 o If the IPsec security associations between the mobile node and the 5992 home agent have been established dynamically, and the mobile node 5993 has the capability to update its endpoint in the used key 5994 management protocol to the new care-of address every time it 5995 moves, the mobile node SHOULD set the Key Management Mobility 5996 Capability (K) bit in the Binding Update. Otherwise, the mobile 5997 node MUST clear the bit. 5999 o The value specified in the Lifetime field SHOULD be less than or 6000 equal to the remaining valid lifetime of the home address and the 6001 care-of address specified for the binding. 6003 Mobile nodes that use dynamic home agent address discovery should 6004 be careful with long lifetimes. If the mobile node loses the 6005 knowledge of its binding with a specific home agent, registering a 6006 new binding with another home agent may be impossible as the 6007 previous home agent is still defending the existing binding. 6008 Therefore, mobile nodes that use home agent address discovery 6009 SHOULD ensure information about their bindings is not lost, 6010 de-register before losing this information, or use small 6011 lifetimes. 6013 The Acknowledge (A) bit in the Binding Update requests the home agent 6014 to return a Binding Acknowledgement in response to this Binding 6015 Update. As described in Section 6.1.8, the mobile node SHOULD 6016 retransmit this Binding Update to its home agent until it receives a 6017 matching Binding Acknowledgement. Once reaching a retransmission 6018 timeout period of MAX_BINDACK_TIMEOUT, the mobile node SHOULD restart 6019 the process of delivering the Binding Update, but trying instead the 6020 next home agent returned during dynamic home agent address discovery 6021 (see Section 11.4.1). If there was only one home agent, the mobile 6022 node instead SHOULD continue to periodically retransmit the Binding 6023 Update at this rate until acknowledged (or until it begins attempting 6024 to register a different primary care-of address). See Section 11.8 6025 for information about retransmitting Binding Updates. 6027 With the Binding Update, the mobile node requests the home agent to 6028 serve as the home agent for the given home address. Until the 6029 lifetime of this registration expires, the home agent considers 6030 itself the home agent for this home address. 6032 Each Binding Update MUST be authenticated as coming from the right 6033 mobile node, as defined in Section 5.1. The mobile node MUST use its 6034 home address - either in the Home Address destination option or in 6035 the Source Address field of the IPv6 header - in Binding Updates sent 6036 to the home agent. This is necessary in order to allow the IPsec 6037 policies to be matched with the right home address. 6039 When sending a Binding Update to its home agent, the mobile node MUST 6040 also create or update the corresponding Binding Update List entry, as 6041 specified in Section 11.7.2. 6043 The last Sequence Number value sent to the home agent in a Binding 6044 Update is stored by the mobile node. If the sending mobile node has 6045 no knowledge of the right Sequence Number value, it may start at any 6046 value. If the home agent rejects the value, it sends back a Binding 6047 Acknowledgement with status code 135, and the last accepted sequence 6048 number in the Sequence Number field of the Binding Acknowledgement. 6049 The mobile node MUST store this information and use the next Sequence 6050 Number value for the next Binding Update it sends. 6052 If the mobile node has additional home addresses, then the mobile 6053 node SHOULD send an additional packet containing a Binding Update to 6054 its home agent to register the care-of address for each such other 6055 home address. 6057 The home agent will only perform DAD for the mobile node's home 6058 address when the mobile node has supplied a valid binding between its 6059 home address and a care-of address. If some time elapses during 6060 which the mobile node has no binding at the home agent, it might be 6061 possible for another node to autoconfigure the mobile node's home 6062 address. Therefore, the mobile node MUST treat creation of a new 6063 binding with the home agent using an existing home address the same 6064 as creation of a new home address. In the unlikely event that the 6065 mobile node's home address is autoconfigured as the IPv6 address of 6066 another network node on the home network, the home agent will reply 6067 to the mobile node's subsequent Binding Update with a Binding 6068 Acknowledgement containing a Status of 134 (Duplicate Address 6069 Detection failed). In this case, the mobile node MUST NOT attempt to 6070 re-use the same home address. It SHOULD continue to register care-of 6071 addresses for its other home addresses, if any. (Mechanisms outlined 6072 in Appendix B.5 may in the future allow mobile nodes to acquire new 6073 home addresses to replace the one for which Status 134 was received.) 6075 11.7.2 Correspondent Registration 6077 When the mobile node is assured that its home address is valid, it 6078 can initiate a correspondent registration with the purpose of 6079 allowing the correspondent node to cache the mobile node's current 6080 care-of address. This procedure consists of the return routability 6081 procedure followed by a registration. 6083 This section defines when to initiate the correspondent registration, 6084 and rules to follow when performing it. 6086 After the mobile node has sent a Binding Update to its home agent to 6087 register a new primary care-of address (as described in Section 6088 11.7.1), the mobile node SHOULD initiate a correspondent registration 6089 for each node that already appears in the mobile node's Binding 6090 Update List. The initiated procedures can be used to either update 6091 or delete binding information in the correspondent node. 6093 For nodes that do not appear in the mobile node's Binding Update 6094 List, the mobile node MAY initiate a correspondent registration at 6095 any time after sending the Binding Update to its home agent. 6096 Considerations regarding when (and if) to initiate the procedure 6097 depend on the specific movement and traffic patterns of the mobile 6098 node and are outside the scope of this document. 6100 In addition, the mobile node MAY initiate the procedure in response 6101 to receiving a packet that meets all of the following tests: 6103 o The packet was tunneled using IPv6 encapsulation. 6105 o The Destination Address in the tunnel (outer) IPv6 header is equal 6106 to any of the mobile node's care-of addresses. 6108 o The Destination Address in the original (inner) IPv6 header is 6109 equal to one of the mobile node's home addresses. 6111 o The Source Address in the tunnel (outer) IPv6 header differs from 6112 the Source Address in the original (inner) IPv6 header. 6114 o The packet does not contain a Home Test, Home Test Init, Care-of 6115 Test, or Care-of Test Init message. 6117 If a mobile node has multiple home addresses, it becomes important to 6118 select the right home address to use in the correspondent 6119 registration. The used home address MUST be the Destination Address 6120 of the original (inner) packet. 6122 The peer address used in the procedure MUST be determined as follows: 6124 o If a Home Address destination option is present in the original 6125 (inner) packet, the address from this option is used. 6127 o Otherwise, the Source Address in the original (inner) IPv6 header 6128 of the packet is used. 6130 Note that the validity of the original packet is checked before 6131 attempting to initiate a correspondent registration. For instance, 6132 if a Home Address destination option appeared in the original packet, 6133 then rules in Section 9.3.1 are followed. 6135 A mobile node MAY also choose to keep its topological location 6136 private from certain correspondent nodes, and thus need not initiate 6137 the correspondent registration. 6139 Upon successfully completing the return routability procedure, and 6140 after receiving a successful Binding Acknowledgement from the Home 6141 Agent, a Binding Update MAY be sent to the correspondent node. 6143 In any Binding Update sent by a mobile node, the care-of address 6144 (either the Source Address in the packet's IPv6 header or the Care-of 6145 Address in the Alternate Care-of Address mobility option of the 6146 Binding Update) MUST be set to one of the care-of addresses currently 6147 in use by the mobile node or to the mobile node's home address. A 6148 mobile node MAY set the care-of address differently for sending 6149 Binding Updates to different correspondent nodes. 6151 A mobile node MAY also send a Binding Update to such a correspondent 6152 node to instruct it to delete any existing binding for the mobile 6153 node from its Binding Cache, as described in Section 6.1.7. Even in 6154 this case a successful completion of the return routability procedure 6155 is required first. 6157 If the care-of address is not set to the mobile node's home address, 6158 the Binding Update requests the correspondent node to create or 6159 update an entry for the mobile node in the correspondent node's 6160 Binding Cache. This is done in order to record a care-of address for 6161 use in sending future packets to the mobile node. In this case, the 6162 value specified in the Lifetime field sent in the Binding Update 6163 SHOULD be less than or equal to the remaining lifetime of the home 6164 registration and the care-of address specified for the binding. The 6165 care-of address given in the Binding Update MAY differ from the 6166 mobile node's primary care-of address. 6168 If the Binding Update is sent to request the correspondent node to 6169 delete any existing Binding Cache entry that it has for the mobile 6170 node, the care-of address is set to the mobile node's home address 6171 and the Lifetime field set to zero. In this case, generation of the 6172 binding management key depends exclusively on the home keygen token 6173 (Section 5.2.5). The care-of nonce index SHOULD be set to zero in 6174 this case. In keeping with the Binding Update creation rules below, 6175 the care-of address MUST be set to the home address if the mobile 6176 node is at home, or to the current care-of address if it is away from 6177 home. 6179 If the mobile node wants to ensure that its new care-of address has 6180 been entered into a correspondent node's Binding Cache, the mobile 6181 node needs to request an acknowledgement by setting the Acknowledge 6182 (A) bit in the Binding Update. 6184 A Binding Update is created as follows: 6186 o The current care-of address of the mobile node MUST be sent either 6187 in the Source Address of the IPv6 header or in the Alternate 6188 Care-of Address mobility option. 6190 o The Destination Address of the IPv6 header MUST contain the 6191 address of the correspondent node. 6193 o The Mobility Header is constructed according to rules in Section 6194 6.1.7 and Section 5.2.6, including the Binding Authorization Data 6195 (calculated as defined in Section 6.2.7) and possibly the Nonce 6196 Indices mobility options. 6198 o The home address of the mobile node MUST be added to the packet in 6199 a Home Address destination option, unless the Source Address is 6200 the home address. 6202 Each Binding Update MUST have a Sequence Number greater than the 6203 Sequence Number value sent in the previous Binding Update to the same 6204 destination address (if any). The sequence numbers are compared 6205 modulo 2**16, as described in Section 9.5.1. There is no 6206 requirement, however, that the Sequence Number value strictly 6207 increase by 1 with each new Binding Update sent or received, as long 6208 as the value stays within the window. The last Sequence Number value 6209 sent to a destination in a Binding Update is stored by the mobile 6210 node in its Binding Update List entry for that destination. If the 6211 sending mobile node has no Binding Update List entry, the Sequence 6212 Number SHOULD start at a random value. The mobile node MUST NOT use 6213 the same Sequence Number in two different Binding Updates to the same 6214 correspondent node, even if the Binding Updates provide different 6215 care-of addresses. 6217 The mobile node is responsible for the completion of the 6218 correspondent registration, as well as any retransmissions that may 6219 be needed (subject to the rate limiting defined in Section 11.8). 6221 11.7.3 Receiving Binding Acknowledgements 6223 Upon receiving a packet carrying a Binding Acknowledgement, a mobile 6224 node MUST validate the packet according to the following tests: 6226 o The packet meets the authentication requirements for Binding 6227 Acknowledgements, defined in Section 6.1.8 and Section 5. That 6228 is, if the Binding Update was sent to the home agent, underlying 6229 IPsec protection is used. If the Binding Update was sent to the 6230 correspondent node, the Binding Authorization Data mobility option 6231 MUST be present and have a valid value. 6233 o The Binding Authorization Data mobility option, if present, MUST 6234 be the last option and MUST not have trailing padding. 6236 o The Sequence Number field matches the Sequence Number sent by the 6237 mobile node to this destination address in an outstanding Binding 6238 Update. 6240 Any Binding Acknowledgement not satisfying all of these tests MUST be 6241 silently ignored. 6243 When a mobile node receives a packet carrying a valid Binding 6244 Acknowledgement, the mobile node MUST examine the Status field as 6245 follows: 6247 o If the Status field indicates that the Binding Update was accepted 6248 (the Status field is less than 128), then the mobile node MUST 6249 update the corresponding entry in its Binding Update List to 6250 indicate that the Binding Update has been acknowledged; the mobile 6251 node MUST then stop retransmitting the Binding Update. In 6252 addition, if the value specified in the Lifetime field in the 6253 Binding Acknowledgement is less than the Lifetime value sent in 6254 the Binding Update being acknowledged, then the mobile node MUST 6255 subtract the difference between these two Lifetime values from the 6256 remaining lifetime for the binding as maintained in the 6257 corresponding Binding Update List entry (with a minimum value for 6258 the Binding Update List entry lifetime of 0). That is, if the 6259 Lifetime value sent in the Binding Update was L_update, the 6260 Lifetime value received in the Binding Acknowledgement was L_ack, 6261 and the current remaining lifetime of the Binding Update List 6262 entry is L_remain, then the new value for the remaining lifetime 6263 of the Binding Update List entry should be 6265 max((L_remain - (L_update - L_ack)), 0) 6267 where max(X, Y) is the maximum of X and Y. The effect of this 6268 step is to correctly manage the mobile node's view of the 6269 binding's remaining lifetime (as maintained in the corresponding 6270 Binding Update List entry) so that it correctly counts down from 6271 the Lifetime value given in the Binding Acknowledgement, but with 6272 the timer countdown beginning at the time that the Binding Update 6273 was sent. 6275 Mobile nodes SHOULD send a new Binding Update well before the 6276 expiration of this period in order to extend the lifetime. This 6277 helps to avoid disruptions in communications, which might 6278 otherwise be caused by network delays or clock drift. 6280 o Additionally, if the Status field value is 1 (Accepted but prefix 6281 discovery necessary), the mobile node SHOULD send a Mobile Prefix 6282 Solicitation message to update its information about the available 6283 prefixes. 6285 o If the Status field indicates that the Binding Update was rejected 6286 (the Status field is greater than or equal to 128), then the 6287 mobile node can take steps to correct the cause of the error and 6288 retransmit the Binding Update (with a new Sequence Number value), 6289 subject to the rate limiting restriction specified in Section 6290 11.8. If this is not done, or it fails, then the mobile node 6291 SHOULD record in its Binding Update List that future Binding 6292 Updates SHOULD NOT be sent to this destination. 6294 The treatment of a Binding Refresh Advice mobility option within the 6295 Binding Acknowledgement depends on the where the acknowledgement came 6296 from. This option MUST be ignored if the acknowledgement came from a 6297 correspondent node. If it came from the home agent, the mobile node 6298 uses Refresh Interval field in the option as a suggestion that it 6299 SHOULD attempt to refresh its home registration at the indicated 6300 shorter interval. 6302 If the acknowledgement came from the home agent, the mobile node 6303 examines the value of the Key Management Mobility Capability (K) bit. 6304 If this bit is not set, the mobile node SHOULD discard key management 6305 protocol connections, if any, to the home agent. The mobile node MAY 6306 also initiate a new key management connection. 6308 If this bit is set, the mobile node SHOULD move its own endpoint in 6309 the key management protocol connections to the home agent, if any. 6310 The mobile node's new endpoint should be the new care-of address. 6311 For an IKE phase 1 connection, this means packets sent to this 6312 address with the original ISAKMP cookies are accepted. 6314 11.7.4 Receiving Binding Refresh Requests 6316 When a mobile node receives a packet containing a Binding Refresh 6317 Request message, the mobile node has a Binding Update List entry for 6318 the source of the Binding Refresh Request, and the mobile node wants 6319 to retain its binding cache entry at the correspondent node, then the 6320 mobile node should start a return routability procedure. If the 6321 mobile node wants to have its binding cache entry removed it can 6322 either ignore the Binding Refresh Request and wait for the binding to 6323 time out, or it can at any time delete its binding from a 6324 correspondent node with an explicit binding update with zero lifetime 6325 and the care-of address set to the home address. If the mobile node 6326 does not know if it needs the binding cache entry, it can make the 6327 decision in an implementation dependent manner, such as based on 6328 available resources. 6330 Note that the mobile node should be careful to not respond to Binding 6331 Refresh Requests for addresses not in the Binding Update List to 6332 avoid being subjected to a denial of service attack. 6334 If the return routability procedure completes successfully, a Binding 6335 Update message SHOULD be sent as described in Section 11.7.2. The 6336 Lifetime field in this Binding Update SHOULD be set to a new 6337 lifetime, extending any current lifetime remaining from a previous 6338 Binding Update sent to this node (as indicated in any existing 6339 Binding Update List entry for this node), and lifetime SHOULD again 6340 be less than or equal to the remaining lifetime of the home 6341 registration and the care-of address specified for the binding. When 6342 sending this Binding Update, the mobile node MUST update its Binding 6343 Update List in the same way as for any other Binding Update sent by 6344 the mobile node. 6346 11.8 Retransmissions and Rate Limiting 6348 The mobile node is responsible for retransmissions and rate limiting 6349 in the return routability procedure, registrations, and in solicited 6350 prefix discovery. 6352 When the mobile node sends a Mobile Prefix Solicitation, Home Test 6353 Init, Care-of Test Init or Binding Update for which it expects a 6354 response, the mobile node has to determine a value for the initial 6355 retransmission timer: 6357 o If the mobile node is sending a Mobile Prefix Solicitation, it 6358 SHOULD use an initial retransmission interval of 6359 INITIAL_SOLICIT_TIMER (see Section 12). 6361 o If the mobile node is sending a Binding Update and it does not 6362 have an existing binding at the home agent, it SHOULD use 6363 InitialBindackTimeoutFirstReg (see Section 13) as a value for the 6364 initial retransmission timer. This long retransmission interval 6365 will allow the home agent to complete the Duplicate Address 6366 Detection procedure which is mandated in this case, as detailed in 6367 Section 11.7.1. 6369 o Otherwise, the mobile node should use the specified value of 6370 INITIAL_BINDACK_TIMEOUT for the initial retransmission timer. 6372 If the mobile node fails to receive a valid, matching response within 6373 the selected initial retransmission interval, the mobile node SHOULD 6374 retransmit the message, until a response is received. 6376 The retransmissions by the mobile node MUST use an exponential 6377 back-off process, in which the timeout period is doubled upon each 6378 retransmission until either the node receives a response or the 6379 timeout period reaches the value MAX_BINDACK_TIMEOUT. The mobile 6380 node MAY continue to send these messages at this slower rate 6381 indefinitely. 6383 The mobile node SHOULD start a separate back-off process for 6384 different message types, different home addresses and different 6385 care-of addresses. However, in addition an overall rate limitation 6386 applies for messages sent to a particular correspondent node. This 6387 ensures that the correspondent node has sufficient amount of time to 6388 answer when bindings for multiple home addresses are registered, for 6389 instance. The mobile node MUST NOT send Mobility Header messages of 6390 a particular type to a particular correspondent node more than 6391 MAX_UPDATE_RATE times within a second. 6393 Retransmitted Binding Updates MUST use a Sequence Number value 6394 greater than that used for the previous transmission of this Binding 6395 Update. Retransmitted Home Test Init and Care-of Test Init messages 6396 MUST use new cookie values. 6398 12. Protocol Constants 6400 DHAAD_RETRIES 4 retransmissions 6401 INITIAL_BINDACK_TIMEOUT 1 second 6402 INITIAL_DHAAD_TIMEOUT 3 seconds 6403 INITIAL_SOLICIT_TIMER 3 seconds 6404 MAX_BINDACK_TIMEOUT 32 seconds 6405 MAX_NONCE_LIFETIME 240 seconds 6406 MAX_TOKEN_LIFETIME 210 seconds 6407 MAX_RR_BINDING_LIFETIME 420 seconds 6408 MAX_UPDATE_RATE 3 times 6409 PREFIX_ADV_RETRIES 3 retransmissions 6410 PREFIX_ADV_TIMEOUT 3 seconds 6412 13. Protocol Configuration Variables 6414 MaxMobPfxAdvInterval Default: 86,400 seconds 6415 MinDelayBetweenRAs Default: 3 seconds, 6416 Min: 0.03 seconds 6417 MinMobPfxAdvInterval Default: 600 seconds 6418 InitialBindackTimeoutFirstReg Default: 1.5 seconds 6420 Home agents MUST allow the first three variables to be configured by 6421 system management, and mobile nodes MUST allow the last variable to 6422 be configured by system management. 6424 The default value for InitialBindackTimeoutFirstReg has been 6425 calculated as 1.5 times the default value of RetransTimer [12] times 6426 the default value of DupAddrDetectTransmits [13]. 6428 The value MinDelayBetweenRAs overrides the value of the protocol 6429 constant MIN_DELAY_BETWEEN_RAS, as specified in RFC 2461 [12]. This 6430 variable SHOULD be set to MinRtrAdvInterval, if MinRtrAdvInterval is 6431 less than 3 seconds. 6433 14. IANA Considerations 6435 This document defines a new IPv6 protocol, the Mobility Header, 6436 described in Section 6.1. This protocol must be assigned a protocol 6437 number. 6439 This document also creates a new name space "Mobility Header Type", 6440 for the MH Type field in the Mobility Header. The current message 6441 types are described starting from Section 6.1.2, and are the 6442 following: 6444 0 Binding Refresh Request 6446 1 Home Test Init 6448 2 Care-of Test Init 6450 3 Home Test 6452 4 Care-of Test 6454 5 Binding Update 6456 6 Binding Acknowledgement 6458 7 Binding Error 6460 Future values of the MH Type can be allocated using standards action 6461 [10]. 6463 Furthermore, each mobility message may contain mobility options as 6464 described in Section 6.2. This document defines a new name space 6465 "Mobility Option" to identify these options. The current mobility 6466 options are defined starting from Section 6.2.2 and are the 6467 following: 6469 0 Pad1 6471 1 PadN 6473 2 Binding Refresh Advice 6475 3 Alternate Care-of Address 6477 4 Nonce Indices 6478 5 Authorization Data 6480 Future values of the Option Type can be allocated using standards 6481 action [10]. 6483 This document also defines a new IPv6 destination option, the Home 6484 Address option, described in Section 6.3. This option has already 6485 been assigned the Option Type value 0xC9. 6487 This document also defines a new IPv6 type 2 routing header, 6488 described in Section 6.4. The value 2 is to be allocated by IANA 6489 when this specification becomes an RFC. 6491 In addition, this document defines four ICMP message types, two used 6492 as part of the dynamic home agent address discovery mechanism and two 6493 used in lieu of Router Solicitations and Advertisements when the 6494 mobile node is away from the home link. These messages must be 6495 assigned ICMPv6 type numbers from the informational message range: 6497 o The Home Agent Address Discovery Request message, described in 6498 Section 6.5; 6500 o The Home Agent Address Discovery Reply message, described in 6501 Section 6.6; 6503 o The Mobile Prefix Solicitation, described in Section 6.7; and 6505 o The Mobile Prefix Advertisement, described in Section 6.8. 6507 This document also defines two new Neighbor Discovery [12] options, 6508 which must be assigned Option Type values within the option numbering 6509 space for Neighbor Discovery messages: 6511 o The Advertisement Interval option, described in Section 7.3; and 6513 o The Home Agent Information option, described in Section 7.4. 6515 15. Security Considerations 6517 15.1 Threats 6519 Any mobility solution must protect itself against misuses of the 6520 mobility features and mechanisms. In Mobile IPv6, most of the 6521 potential threats are concerned with false Bindings, usually 6522 resulting in Denial-of-Service attacks. Some of the threats also 6523 pose potential for Man-in-the-Middle, Hijacking, Confidentiality, and 6524 Impersonation attacks. The main threats this protocol protects 6525 against are the following: 6527 o Threats involving Binding Updates sent to home agents and 6528 correspondent nodes. For instance, an attacker might claim that a 6529 certain mobile node is currently at a different location than it 6530 really is. If a home agent accepts such spoofed information sent 6531 to it, the mobile node might not get traffic destined to it. 6532 Similarly, a malicious (mobile) node might use the home address of 6533 a victim node in a forged Binding Update sent to a correspondent 6534 node. 6536 These pose threats against confidentiality, integrity, and 6537 availability. That is, an attacker might learn the contents of 6538 packets destined to another node by redirecting the traffic to 6539 itself. Furthermore, an attacker might use the redirected packets 6540 in an attempt to set itself as a Man-in-the-Middle between a 6541 mobile and a correspondent node. This would allow the attacker to 6542 impersonate the mobile node, leading to integrity and availability 6543 problems. 6545 A malicious (mobile) node might also send Binding Updates in which 6546 the care-of address is set to the address of a victim node. If 6547 such Binding Updates were accepted, the malicious node could lure 6548 the correspondent node into sending potentially large amounts of 6549 data to the victim; the correspondent node's replies to messages 6550 sent by the malicious mobile node will be sent to the victim host 6551 or network. This could be used to cause a Distributed 6552 Denial-of-Service attack. For example, the correspondent node 6553 might be a site that will send a high-bandwidth stream of video to 6554 anyone who asks for it. Note that the use of flow-control 6555 protocols such as TCP does not necessarily defend against this 6556 type of attack, because the attacker can fake the 6557 acknowledgements. Even keeping TCP initial sequence numbers 6558 secret does not help, because the attacker can receive the first 6559 few segments (including the ISN) at its own address, and only then 6560 redirect the stream to the victim's address. These types of 6561 attacks may also be directed to networks instead of nodes. 6562 Further variations of this threat are described elsewhere 6564 [27, 34]. 6566 An attacker might also attempt to disrupt a mobile node's 6567 communications by replaying a Binding Update that the node had 6568 sent earlier. If the old Binding Update was accepted, packets 6569 destined for the mobile node would be sent to its old location and 6570 not its current location. 6572 In conclusion, there are Denial-of-Service, Man-in-the-Middle, 6573 Confidentiality, and Impersonation threats against the parties 6574 involved in sending legitimate Binding Updates, and 6575 Denial-of-Service threats against any other party. 6577 o Threats associated with payload packets: Payload packets exchanged 6578 with mobile nodes are exposed to similar threats as regular IPv6 6579 traffic is. However, Mobile IPv6 introduces the Home Address 6580 destination option, a new routing header type (type 2), and uses 6581 tunneling headers in the payload packets. The protocol must 6582 protect against potential new threats involving the use of these 6583 mechanisms. 6585 Third parties become exposed to a reflection threat via the Home 6586 Address destination option, unless appropriate security 6587 precautions are followed. The Home Address destination option 6588 could be used to direct response traffic toward a node whose IP 6589 address appears in the option. In this case, ingress filtering 6590 would not catch the forged "return address" [36, 32]. 6592 A similar threat exists with the tunnels between the mobile node 6593 and the home agent. An attacker might forge tunnel packets 6594 between the mobile node and the home agent, making it appear that 6595 the traffic is coming from the mobile node when it is not. Note 6596 that an attacker who is able to forge tunnel packets would 6597 typically be able forge also packets that appear to come directly 6598 from the mobile node. This is not a new threat as such. However, 6599 it may make it easier for attackers to escape detection by 6600 avoiding ingress filtering and packet tracing mechanisms. 6601 Furthermore, spoofed tunnel packets might be used to gain access 6602 to the home network. 6604 Finally, a routing header could also be used in reflection 6605 attacks, and in attacks designed to bypass firewalls. The 6606 generality of the regular routing header would allow circumvention 6607 of IP-address based rules in firewalls. It would also allow 6608 reflection of traffic to other nodes. These threats exist with 6609 routing headers in general, even if the usage that Mobile IPv6 6610 requires is safe. 6612 o Threats associated with dynamic home agent and mobile prefix 6613 discovery. 6615 o Threats against the Mobile IPv6 security mechanisms themselves: An 6616 attacker might, for instance, lure the participants into executing 6617 expensive cryptographic operations or allocating memory for the 6618 purpose of keeping state. The victim node would have no resources 6619 left to handle other tasks. 6621 As a fundamental service in an IPv6 stack, Mobile IPv6 is expected to 6622 be deployed in most nodes of the IPv6 Internet. The above threats 6623 should therefore be considered in the light of being applicable to 6624 the whole Internet. 6626 It should also be noted that some additional threats result from 6627 movements as such, even without the involvement of mobility 6628 protocols. Mobile nodes must be capable to defend themselves in the 6629 networks that they visit, as typical perimeter defenses applied in 6630 the home network no longer protect them. 6632 15.2 Features 6634 This specification provides a series of features designed to mitigate 6635 the risk introduced by the threats listed above. The main security 6636 features are the following: 6638 o Reverse Tunneling as a mandatory feature. 6640 o Protection of Binding Updates sent to home agents. 6642 o Protection of Binding Updates sent to correspondent nodes. 6644 o Protection against reflection attacks that use the Home Address 6645 destination option. 6647 o Protection of tunnels between the mobile node and the home agent. 6649 o Closing routing header vulnerabilities. 6651 o Mitigating Denial-of-Service threats to the Mobile IPv6 security 6652 mechanisms themselves. 6654 The support for encrypted reverse tunneling (see Section 11.3.1) 6655 allows mobile nodes to defeat certain kinds of traffic analysis. 6657 Protecting those Binding Updates that are sent to home agents and 6658 those that are sent to arbitrary correspondent nodes requires very 6659 different security solutions due to the different situations. Mobile 6660 nodes and home agents are expected to be naturally subject to the 6661 network administration of the home domain. 6663 Thus, they can and are supposed to have a security association that 6664 can be used to reliably authenticate the exchanged messages. See 6665 Section 5.1 for the description of the protocol mechanisms, and 6666 Section 15.3 below for a discussion of the resulting level of 6667 security. 6669 It is expected that Mobile IPv6 route optimization will be used on a 6670 global basis between nodes belonging to different administrative 6671 domains. It would be a very demanding task to build an 6672 authentication infrastructure on this scale. Furthermore, a 6673 traditional authentication infrastructure cannot be easily used to 6674 authenticate IP addresses, because IP addresses can change often. It 6675 is not sufficient to just authenticate the mobile nodes. 6676 Authorization to claim the right to use an address is needed as well. 6677 Thus, an "infrastructureless" approach is necessary. The chosen 6678 infrastructureless method is described in Section 5.2 and Section 6679 15.4 discusses the resulting security level and the design rationale 6680 of this approach. 6682 Specific rules guide the use of the Home Address destination option, 6683 the routing header, and the tunneling headers in the payload packets. 6684 These rules are necessary to remove the vulnerabilities associated 6685 with their unrestricted use. The effect of the rules is discussed in 6686 Section 15.7, Section 15.8, and Section 15.9. 6688 Denial-of-Service threats against Mobile IPv6 security mechanisms 6689 themselves concern mainly the Binding Update procedures with 6690 correspondent nodes. The protocol has been designed to limit the 6691 effects of such attacks, as will be described in Section 15.4.5. 6693 15.3 Binding Updates to Home Agent 6695 Signaling between the mobile node and the home agent requires message 6696 integrity. This is necessary to assure the home agent that a Binding 6697 Update is from a legitimate mobile node. In addition, correct 6698 ordering and anti-replay protection are optionally needed. 6700 IPsec ESP protects the integrity of the Binding Updates and Binding 6701 Acknowledgements, by securing mobility messages between the mobile 6702 node and the home agent. 6704 IPsec can provide anti-replay protection only if dynamic keying is 6705 used (which may not always be the case). IPsec also does not 6706 guarantee correct ordering of packets, only that they have not been 6707 replayed. Because of this, sequence numbers within the Mobile IPv6 6708 messages are used to ensure correct ordering (see Section 5.1). 6709 However, if the 16 bit Mobile IPv6 sequence number space is cycled 6710 through, or the home agent reboots and loses its state regarding the 6711 sequence numbers, replay and reordering attacks become possible. The 6712 use of dynamic keying, IPsec anti-replay protection, and the Mobile 6713 IPv6 sequence numbers can together prevent such attacks. 6715 A sliding window scheme is used for the sequence numbers. The 6716 protection against replays and reordering attacks without a key 6717 management mechanism works when the attacker remembers up to a 6718 maximum of 2**15 Binding Updates. 6720 The above mechanisms do not show that the care-of address given in 6721 the Binding Update is correct. This opens the possibility for 6722 Denial-of-Service attacks against third parties. However, since the 6723 mobile node and home agent have a security association, the home 6724 agent can always identify an ill-behaving mobile node. This allows 6725 the home agent operator to discontinue the mobile node's service, and 6726 possibly take further actions based on the business relationship with 6727 the mobile node's owner. 6729 Note that the use of a single pair of manually keyed security 6730 associations conflicts with the generation of a new home addresses 6731 [18] for the mobile node, or with the adoption of a new home subnet 6732 prefix. This is because IPsec security associations are bound to the 6733 used addresses. While certificate-based automatic keying alleviates 6734 this problem to an extent, it is still necessary to ensure that a 6735 given mobile node cannot send Binding Updates for the address of 6736 another mobile node. In general, this leads to the inclusion of home 6737 addresses in certificates in the Subject AltName field. This again 6738 limits the introduction of new addresses without either manual or 6739 automatic procedures to establish new certificates. Therefore, this 6740 specification restricts the generation of new home addresses (for any 6741 reason) to those situations where there already exists a security 6742 association or certificate for the new address. (Appendix B.4 lists 6743 the improvement of security for new addresses as one of the future 6744 developments for Mobile IPv6.) 6746 Support for IKE has been specified as optional. The following should 6747 be observed about the use of manual keying: 6749 o As discussed above, with manually keyed IPsec only a limited form 6750 of protection exists against replay and reordering attacks. A 6751 vulnerability exists if either the sequence number space is cycled 6752 through, or if the home agent reboots and forgets its sequence 6753 numbers (and uses volatile memory to store the sequence numbers). 6755 Assuming the mobile node moves continuously every 10 minutes, it 6756 takes roughly 455 days before the sequence number space has been 6757 cycled through. Typical movement patterns today are unlikely to 6758 reach this high frequency. However, if it is expected that this 6759 may happen in a particular deployment scenario, the use of 6760 automated key management is RECOMMENDED. 6762 o A mobile node and its home agent belong to the same domain. If 6763 this were not the case, manual keying would not be possible [28], 6764 but in Mobile IPv6 only these two parties need to know the 6765 manually configured keys. Similarly, we note that Mobile IPv6 6766 employs standard block ciphers in IPsec, and is not vulnerable to 6767 problems associated with stream ciphers and manual keying. 6769 o It is expected that the owner of the mobile node and the 6770 administrator of the home agent agree on the used keys and other 6771 parameters with some off-line mechanism. 6773 The use of IKEv1 with Mobile IPv6 is documented in more detail in 6774 [21]. The following should be observed from the use of IKEv1: 6776 o It is necessary to prevent a mobile node from claiming another 6777 mobile node's home address. The home agent must verify that the 6778 mobile node trying to negotiate the SA for a particular home 6779 address is authorized for that home address. This implies that 6780 even with the use of IKE, a policy entry needs to be configured 6781 for each home address served by the home agent. 6783 It may be possible to include home addresses in the Subject 6784 AltName field of certificate to avoid this. However, 6785 implementations are not guaranteed to support the use of a 6786 particular IP address (care-of address) while another address 6787 (home address) appears in the certificate. In any case, even this 6788 approach would require user-specific tasks in the certificate 6789 authority. 6791 o Nevertheless, even if per-mobile node configuration is required 6792 even with IKE, an important benefit of IKE is that it automates 6793 the negotiation of cryptographic parameters, including the SPIs, 6794 cryptographic algorithms, and so on. Thus less configuration 6795 information is needed. 6797 o If preshared secret authentication is used, IKEv1 main mode cannot 6798 be used. Aggressive mode or group preshared secrets need to be 6799 used instead, with corresponding security implications. 6801 Note that like many other issues, this is a general IKEv1 issue 6802 related to the ability to use different IP addresses, and not 6803 specifically related to Mobile IPv6. For further information, see 6804 Section 4.4 in [21]. 6806 o Due to the problems outlined in Section 11.3.2, IKE phase 1 6807 between the mobile node and its home agent is established using 6808 the mobile node's current care-of address. This implies that when 6809 the mobile node moves to a new location, it may have to 6810 re-establish phase 1. A Key Management Mobility Capability (K) 6811 flag is provided for implementations that can update the IKE phase 6812 1 endpoints without re-establishing phase 1, but the support for 6813 this behavior is optional. 6815 o When certificates are used, IKE fragmentation can occur as 6816 discussed in Section 7 in [21]. 6818 o Other automatic key management mechanisms exist beyond IKEv1, but 6819 this document does not address the issues related to them. We 6820 note, however, that most of the above discussion applies to IKEv2 6821 [30] as well, at least as it is currently specified. 6823 15.4 Binding Updates to Correspondent Nodes 6825 The motivation for designing the return routability procedure was to 6826 have sufficient support for Mobile IPv6, without creating significant 6827 new security problems. The goal for this procedure was not to 6828 protect against attacks that were already possible before the 6829 introduction of Mobile IPv6. 6831 The next sections will describe the security properties of the used 6832 method, both from the point of view of possible on-path attackers who 6833 can see those cryptographic values that have been sent in the clear 6834 (Section 15.4.2 and Section 15.4.3) or from the point of view of 6835 other attackers (Section 15.4.6). 6837 15.4.1 Overview 6839 The chosen infrastructureless method verifies that the mobile node is 6840 "live" (that is, it responds to probes) at its home and care-of 6841 addresses. Section 5.2 describes the return routability procedure in 6842 detail. The procedure uses the following principles: 6844 o A message exchange verifies that the mobile node is reachable at 6845 its addresses i.e. is at least able to transmit and receive 6846 traffic at both the home and care-of addresses. 6848 o The eventual Binding Update is cryptographically bound to the 6849 tokens supplied in the exchanged messages. 6851 o Symmetric exchanges are employed to avoid the use of this protocol 6852 in reflection attacks. In a symmetric exchange, the responses are 6853 always sent to the same address as the request was sent from. 6855 o The correspondent node operates in a stateless manner until it 6856 receives a fully authorized Binding Update. 6858 o Some additional protection is provided by encrypting the tunnels 6859 between the mobile node and home agent with IPsec ESP. As the 6860 tunnel transports also the nonce exchanges, this limits the 6861 ability of attackers to see these nonces. For instance, this 6862 prevents attacks launched from the mobile node's current foreign 6863 link even when no link-layer confidentiality is available. 6865 The resulting level of security is in theory the same even without 6866 this additional protection: the return routability tokens are 6867 still exposed only to one path within the whole Internet. 6868 However, the mobile nodes are often found on an insecure link, 6869 such as a public access Wireless LAN. Thus this addition makes a 6870 practical difference in many cases. 6872 For further information about the design rationale of the return 6873 routability procedure, see [27, 34, 33, 32]. The used mechanisms 6874 have been adopted from these documents. 6876 15.4.2 Achieved Security Properties 6878 The return routability procedure protects Binding Updates against all 6879 attackers who are unable to monitor the path between the home agent 6880 and the correspondent node. The procedure does not defend against 6881 attackers who can monitor this path. Note that such attackers are in 6882 any case able to mount an active attack against the mobile node when 6883 it is at its home location. The possibility of such attacks is not 6884 an impediment to the deployment of Mobile IPv6, because these attacks 6885 are possible regardless of whether Mobile IPv6 is in use. 6887 This procedure also protects against Denial-of-Service attacks in 6888 which the attacker pretends to be a mobile, but uses the victim's 6889 address as the care-of address. This would cause the correspondent 6890 node to send the victim some unexpected traffic. The procedure 6891 defends against these attacks by requiring at least passive presence 6892 of the attacker at the care-of address or on the path from the 6893 correspondent to the care-of address. Normally, this will be the 6894 mobile node. 6896 15.4.3 Comparison to Regular IPv6 Communications 6898 This section discusses the protection offered by the return 6899 routability method by comparing it to the security of regular IPv6 6900 communications. We will divide vulnerabilities in three classes: (1) 6901 those related to attackers on the local network of the mobile node, 6902 home agent, or the correspondent node, (2) those related to attackers 6903 on the path between the home network and the correspondent node, and 6904 (3) off-path attackers, i.e. the rest of the Internet. 6906 We will now discuss the vulnerabilities of regular IPv6 6907 communications. The on-link vulnerabilities of IPv6 communications 6908 include Denial-of-Service, Masquerading, Man-in-the-Middle, 6909 Eavesdropping, and other attacks. These attacks can be launched 6910 through spoofing Router Discovery, Neighbor Discovery and other IPv6 6911 mechanisms. Some of these attacks can be prevented with the use of 6912 cryptographic protection in the packets. 6914 A similar situation exists with on-path attackers. That is, without 6915 cryptographic protection the traffic is completely vulnerable. 6917 Assuming that attackers have not penetrated the security of the 6918 Internet routing protocols, attacks are much harder to launch from 6919 off-path locations. Attacks that can be launched from these 6920 locations are mainly Denial-of-Service attacks, such as flooding and/ 6921 or reflection attacks. It is not possible for an off-path attacker 6922 to become a Man-in-the-Middle. 6924 Next, we will consider the vulnerabilities that exist when IPv6 is 6925 used together with Mobile IPv6 and the return routability procedure. 6926 On the local link the vulnerabilities are same as those as in IPv6, 6927 but Masquerade and Man-in-the-Middle attacks can now be launched also 6928 against future communications, and not just against current 6929 communications. If a Binding Update was sent while the attacker was 6930 present on the link, its effects stay during the lifetime of the 6931 binding. This happens even if the attacker moves away from the link. 6932 In contrast, an attacker who uses only plain IPv6 generally has to 6933 stay on the link in order to continue the attack. Note that in order 6934 to launch these new attacks, the IP address of the victim must be 6935 known. This makes this attack feasible mainly in the context of 6936 well-known interface IDs, such as those already appearing in the 6937 traffic on the link or registered in the DNS. 6939 On-path attackers can exploit similar vulnerabilities as in regular 6940 IPv6. There are some minor differences, however. Masquerade, 6941 Man-in-the-Middle, and Denial-of-Service attacks can be launched with 6942 just the interception of a few packets, whereas in regular IPv6 it is 6943 necessary to intercept every packet. The effect of the attacks is 6944 the same regardless of the method, however. In any case, the most 6945 difficult task attacker faces in these attacks is getting on the 6946 right path. 6948 The vulnerabilities for off-path attackers are the same as in regular 6949 IPv6. Those nodes that are not on the path between the home agent 6950 and the correspondent node will not be able to receive the home 6951 address probe messages. 6953 In conclusion, we can state the following main results from this 6954 comparison: 6956 o Return routability procedure prevents any off-path attacks beyond 6957 those that are already possible in regular IPv6. This is the most 6958 important result, and prevents attackers from the Internet from 6959 exploiting any vulnerabilities. 6961 o Vulnerabilities to attackers on the home agent link, the 6962 correspondent node link, and the path between them are roughly the 6963 same as in regular IPv6. 6965 o However, one difference is that in basic IPv6 an on-path attacker 6966 must be constantly present on the link or the path, whereas with 6967 Mobile IPv6 an attacker can leave a binding behind after moving 6968 away. 6970 For this reason, this specification limits the creation of 6971 bindings to at most MAX_TOKEN_LIFETIME seconds after the last 6972 routability check has been performed, and limits the duration of a 6973 binding to at most MAX_RR_BINDING_LIFETIME seconds. With these 6974 limitation, attackers cannot take practical advantages of this 6975 vulnerability. 6977 o There are some other minor differences, such as an effect to the 6978 Denial-of-Service vulnerabilities. These can be considered to be 6979 insignificant. 6981 o The path between the home agent and a correspondent node is 6982 typically easiest to attack on the links at either end, in 6983 particular if these links are publicly accessible wireless LANs. 6984 Attacks against the routers or switches on the path are typically 6985 harder to accomplish. The security on layer 2 of the links plays 6986 then a major role in the resulting overall network security. 6987 Similarly, security of IPv6 Neighbor and Router Discovery on these 6988 links has a large impact. If these were secured using some new 6989 technology in the future, this could change the situation 6990 regarding the easiest point of attack. 6992 For a more in-depth discussion of these issues, see [32]. 6994 15.4.4 Replay Attacks 6995 The return routability procedure also protects the participants 6996 against replayed Binding Updates. The attacker is unable replay the 6997 same message due to the sequence number which is a part of the 6998 Binding Update. It is also unable to modify the Binding Update since 6999 the MAC verification would fail after such a modification. 7001 Care must be taken when removing bindings at the correspondent node, 7002 however. If a binding is removed while the nonce used in its 7003 creation is still valid, an attacker could replay the old Binding 7004 Update. Rules outlined in Section 5.2.8 ensure that this cannot 7005 happen. 7007 15.4.5 Denial-of-Service Attacks 7009 The return routability procedure has protection against resource 7010 exhaustion Denial-of-Service attacks. The correspondent nodes do not 7011 retain any state about individual mobile nodes until an authentic 7012 Binding Update arrives. This is achieved through the construct of 7013 keygen tokens from the nonces and node keys that are not specific to 7014 individual mobile nodes. The keygen tokens can be reconstructed by 7015 the correspondent node, based on the home and care-of address 7016 information that arrives with the Binding Update. This means that 7017 the correspondent nodes are safe against memory exhaustion attacks 7018 except where on-path attackers are concerned. Due to the use of 7019 symmetric cryptography, the correspondent nodes are relatively safe 7020 against CPU resource exhaustion attacks as well. 7022 Nevertheless, as [27] describes, there are situations in which it is 7023 impossible for the mobile and correspondent nodes to determine if 7024 they actually need a binding or whether they just have been fooled 7025 into believing so by an attacker. Therefore, it is necessary to 7026 consider situations where such attacks are being made. 7028 Even if route optimization is a very important optimization, it is 7029 still only an optimization. A mobile node can communicate with a 7030 correspondent node even if the correspondent refuses to accept any 7031 Binding Updates. However, performance will suffer because packets 7032 from the correspondent node to the mobile node will be routed via the 7033 mobile's home agent rather than a more direct route. A correspondent 7034 node can protect itself against some of these resource exhaustion 7035 attacks as follows. If the correspondent node is flooded with a 7036 large number of Binding Updates that fail the cryptographic integrity 7037 checks, it can stop processing Binding Updates. If a correspondent 7038 node finds that it is spending more resources on checking bogus 7039 Binding Updates than it is likely to save by accepting genuine 7040 Binding Updates, then it may silently discard some or all Binding 7041 Updates without performing any cryptographic operations. 7043 Layers above IP can usually provide additional information to decide 7044 if there is a need to establish a binding with a specific peer. For 7045 example, TCP knows if the node has a queue of data that it is trying 7046 to send to a peer. An implementation of this specification is not 7047 required to make use of information from higher protocol layers, but 7048 some implementations are likely to be able to manage resources more 7049 effectively by making use of such information. 7051 We also require that all implementations be capable of 7052 administratively disabling route optimization. 7054 15.4.6 Key Lengths 7056 Attackers can try to break the return routability procedure in many 7057 ways. Section 15.4.2 discusses the situation where the attacker can 7058 see the cryptographic values sent in the clear, and Section 15.4.3 7059 discusses the impact this has on IPv6 communications. This section 7060 discusses whether attackers can guess the right values without seeing 7061 them. 7063 While the return routability procedure is in progress, 64 bit cookies 7064 are used to protect spoofed responses. This is believed to be 7065 sufficient, given that to blindly spoof a response a very large 7066 number of messages would have to be sent before success would be 7067 probable. 7069 The tokens used in the return routability procedure provide together 7070 128 bits of information. This information is used internally as an 7071 input to a hash function to produce a 160 bit quantity suitable for 7072 producing the keyed hash in the Binding Update using the HMAC_SHA1 7073 algorithm. The final keyed hash length is 96 bits. The limiting 7074 factors in this case are the input token lengths and the final keyed 7075 hash length. The internal hash function application does not reduce 7076 the entropy. 7078 The 96 bit final keyed hash is of typical size and believed to be 7079 secure. The 128 bit input from the tokens is broken in two pieces, 7080 the home keygen token and the care-of keygen token. An attacker can 7081 try to guess the right cookie value, but again this would require a 7082 large number of messages, in the average 2**63 messages for one or 7083 2**127 for two. Furthermore, given that the cookies are valid only 7084 for a short period of time, the attack has to keep a high constant 7085 message rate to achieve a lasting effect. This does not appear 7086 practical. 7088 When the mobile node is returning home, it is allowed to use just the 7089 home keygen token of 64 bits. This is less than 128 bits, but 7090 attacking it blindly would still require a large number of messages 7091 to be sent. If the attacker is on the path and capable of seeing the 7092 Binding Update, it could conceivably break the keyed hash with brute 7093 force. However, in this case the attacker has to be on path, which 7094 appears to offer easier ways for denial-of-service than preventing 7095 route optimization. 7097 15.5 Dynamic Home Agent Address Discovery 7099 The dynamic home agent address discovery function could be used to 7100 learn the addresses of home agents in the home network. 7102 The ability to learn addresses of nodes may be useful to attackers, 7103 because brute-force scanning of the address space is not practical 7104 with IPv6. Thus, they could benefit from any means which make 7105 mapping the networks easier. For example, if a security threat 7106 targeted at routers or even home agents is discovered, having a 7107 simple ICMP mechanism to find out possible targets easily may prove 7108 to be an additional (though minor) security risk. 7110 Apart from discovering the address(es) of home agents, attackers will 7111 not be able to learn much from this information, however, and mobile 7112 nodes cannot be tricked into using wrong home agents as all other 7113 communication with the home agents is secure. 7115 15.6 Mobile Prefix Discovery 7117 The mobile prefix discovery function may leak interesting information 7118 about network topology and prefix lifetimes to eavesdroppers, and for 7119 this reason requests for this information have to be authenticated. 7120 Responses and unsolicited prefix information needs to be 7121 authenticated to prevent the mobile nodes from being tricked into 7122 believing false information about the prefixes, and possibly 7123 preventing communications with the existing addresses. Optionally, 7124 encryption may be applied to prevent leakage of the prefix 7125 information. 7127 15.7 Tunneling via the Home Agent 7129 Tunnels between the mobile node and the home agent can be protected 7130 by ensuring proper use of source addresses, and optional 7131 cryptographic protection. These procedures are discussed in Section 7132 5.5. 7134 Binding Updates to the home agents are secure. When receiving 7135 tunneled traffic the home agent verifies the outer IP address 7136 corresponds to the current location of the mobile node. This acts as 7137 a weak form of protection against spoofing packets that appear to 7138 come from the mobile node. This is particularly useful, if no 7139 end-to-end security is being applied between the mobile and 7140 correspondent nodes. The outer IP address check prevents attacks 7141 where the attacker is controlled by ingress filtering. It also 7142 prevents attacks when the attacker does not know the current care-of 7143 address of the mobile node. Attackers who know the care-of address 7144 and are not controlled by ingress filtering could still send traffic 7145 through the home agent. This includes attackers on the same local 7146 link as the mobile node is currently on. But such attackers could in 7147 any case send packets that appear to come from the mobile node, 7148 without attacking the tunnel; the attacker could simply send packets 7149 with the source address set to the mobile node's home address. 7150 However, this attack does not work if the final destination of the 7151 packet is in the home network, and some form of perimeter defense is 7152 being applied for packets sent to those destinations. In such cases 7153 it is recommended that either end-to-end security or additional 7154 tunnel protection is applied, as is usual in remote access 7155 situations. 7157 Home agents and mobile nodes may use IPsec ESP to protect payload 7158 packets tunneled between themselves. This is useful to protect 7159 communications against attackers on the path of the tunnel. 7161 When site local home address are used, reverse tunneling can be used 7162 to send site local traffic from another location. Administrators 7163 should be aware of this when allowing such home addresses. In 7164 particular, the outer IP address check described above is not 7165 sufficient against all attackers. The use of encrypted tunnels is 7166 particularly useful for this kind of home addresses. 7168 15.8 Home Address Option 7170 When the mobile node sends packets directly to the correspondent 7171 node, the Source Address field of the packet's IPv6 header is the 7172 care-of address. Ingress filtering [26] works therefore in the usual 7173 manner even for mobile nodes, as the Source Address is topologically 7174 correct. The Home Address option is used to inform the correspondent 7175 node of the mobile node's home address. 7177 However, the care-of address in the Source Address field does not 7178 survive in replies sent by the correspondent node unless it has a 7179 binding for this mobile node. Also, not all attacker tracing 7180 mechanisms work when packets are being reflected through 7181 correspondent nodes using the Home Address option. For these 7182 reasons, this specification restricts the use of the Home Address 7183 option. It may only used when a binding has already been established 7184 with the participation of the node at the home address, as described 7185 in Section 5.5 and Section 6.3. This prevents reflection attacks 7186 through the use of the Home Address option. It also ensures that the 7187 correspondent nodes reply to the same address as the mobile node 7188 sends traffic from. 7190 No special authentication of the Home Address option is required 7191 beyond the above, but note that if the IPv6 header of a packet is 7192 covered by IPsec Authentication Header, then that authentication 7193 covers the Home Address option as well. Thus, even when 7194 authentication is used in the IPv6 header, the security of the Source 7195 Address field in the IPv6 header is not compromised by the presence 7196 of a Home Address option. Without authentication of the packet, then 7197 any field in the IPv6 header, including the Source Address field, and 7198 any other parts of the packet, including the Home Address option, can 7199 be forged or modified in transit. In this case, the contents of the 7200 Home Address option is no more suspect than any other part of the 7201 packet. 7203 15.9 Type 2 Routing Header 7205 The definition of the type 2 routing header is described in Section 7206 6.4. This definition and the associated processing rules have been 7207 chosen so that the header cannot be used for what is traditionally 7208 viewed as source routing. In particular, the Home Address in the 7209 routing header will always have to be assigned to the home address of 7210 the receiving node. Otherwise the packet will be dropped. 7212 Generally, source routing has a number of security concerns. These 7213 include the automatic reversal of unauthenticated source routes 7214 (which is an issue for IPv4, but not for IPv6). Another concern is 7215 the ability to use source routing to "jump" between nodes inside, as 7216 well as outside a firewall. These security concerns are not issues 7217 in Mobile IPv6, due to the rules mentioned above. 7219 In essence the semantics of the type 2 routing header is the same as 7220 a special form of IP-in-IP tunneling where the inner and outer source 7221 addresses are the same. 7223 This implies that a device which implements filtering of packets 7224 should be able to distinguish between a type 2 routing header and 7225 other routing headers, as required in Section 8.3. This is necessary 7226 in order to allow Mobile IPv6 traffic while still having the option 7227 to filter out other uses of routing headers. 7229 16. Contributors 7231 Tuomas Aura, Mike Roe, Greg O'Shea, Pekka Nikander, Erik Nordmark, 7232 and Michael Thomas worked on the return routability protocols which 7233 eventually led to the procedures used in this protocol. The 7234 procedures described in [34] were adopted in the protocol. 7236 Significant contributions were made by members of the Mobile IPv6 7237 Security Design Team, including (in alphabetical order) Gabriel 7238 Montenegro, Erik Nordmark and Pekka Nikander, who have contributed 7239 volumes of text to this specification. 7241 17. Acknowledgements 7243 We would like to thank the members of the Mobile IP and IPng Working 7244 Groups for their comments and suggestions on this work. We would 7245 particularly like to thank (in alphabetical order) Fred Baker, Josh 7246 Broch, Samita Chakrabarti, Robert Chalmers, Noel Chiappa, Greg Daley, 7247 Vijay Devarapalli, Rich Draves, Francis Dupont, Thomas Eklund, 7248 Jun-Ichiro Itojun Hagino, Brian Haley, Marc Hasson, John Ioannidis, 7249 James Kempf, Rajeev Koodli, Krishna Kumar, T.J. Kniveton, Joe Lau, 7250 Jiwoong Lee, Aime Le Rouzic, Vesa-Matti Mantyla, Kevin Miles, Glenn 7251 Morrow, Thomas Narten, Karen Nielsen, Simon Nybroe, David Oran, Brett 7252 Pentland, Lars Henrik Petander, Basavaraj Patil, Mohan Parthasarathy, 7253 Alexandru Petrescu, Mattias Petterson, Ken Powell, Phil Roberts, Ed 7254 Remmell, Patrice Romand, Luis A. Sanchez, Jeff Schiller, Pekka 7255 Savola, Arvind Sevalkar, Keiichi Shima, Tom Soderlund, Hesham 7256 Soliman, Jim Solomon, Tapio Suihko, Dave Thaler, Benny Van Houdt, 7257 Jon-Olov Vatn, Carl E. Williams, Vladislav Yasevich, Alper Yegin, 7258 and Xinhua Zhao, for their detailed reviews of earlier versions of 7259 this document. Their suggestions have helped to improve both the 7260 design and presentation of the protocol. 7262 We would also like to thank the participants of the Mobile IPv6 7263 testing event (1999), implementors who participated Mobile IPv6 7264 interoperability testing at Connectathons (2000, 2001, 2002, and 7265 2003), and the participants at the ETSI interoperability testing 7266 (2000, 2002). Finally, we would like to thank the TAHI project who 7267 has provided test suites for Mobile IPv6. 7269 Normative References 7271 [1] Eastlake, D., Crocker, S. and J. Schiller, "Randomness 7272 Recommendations for Security", RFC 1750, December 1994. 7274 [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement 7275 Levels", BCP 14, RFC 2119, March 1997. 7277 [3] Hinden, R. and S. Deering, "IP Version 6 Addressing 7278 Architecture", RFC 2373, July 1998. 7280 [4] Kent, S. and R. Atkinson, "Security Architecture for the 7281 Internet Protocol", RFC 2401, November 1998. 7283 [5] Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402, 7284 November 1998. 7286 [6] Kent, S. and R. Atkinson, "IP Encapsulating Security Payload 7287 (ESP)", RFC 2406, November 1998. 7289 [7] Piper, D., "The Internet IP Security Domain of Interpretation 7290 for ISAKMP", RFC 2407, November 1998. 7292 [8] Maughan, D., Schertler, M., Schneider, M. and J. Turner, 7293 "Internet Security Association and Key Management Protocol 7294 (ISAKMP)", RFC 2408, November 1998. 7296 [9] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", 7297 RFC 2409, November 1998. 7299 [10] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA 7300 Considerations Section in RFCs", BCP 26, RFC 2434, October 7301 1998. 7303 [11] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) 7304 Specification", RFC 2460, December 1998. 7306 [12] Narten, T., Nordmark, E. and W. Simpson, "Neighbor Discovery 7307 for IP Version 6 (IPv6)", RFC 2461, December 1998. 7309 [13] Thomson, S. and T. Narten, "IPv6 Stateless Address 7310 Autoconfiguration", RFC 2462, December 1998. 7312 [14] Conta, A. and S. Deering, "Internet Control Message Protocol 7313 (ICMPv6) for the Internet Protocol Version 6 (IPv6) 7314 Specification", RFC 2463, December 1998. 7316 [15] Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6 7317 Specification", RFC 2473, December 1998. 7319 [16] Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast 7320 Addresses", RFC 2526, March 1999. 7322 [17] Deering, S., Fenner, W. and B. Haberman, "Multicast Listener 7323 Discovery (MLD) for IPv6", RFC 2710, October 1999. 7325 [18] Narten, T. and R. Draves, "Privacy Extensions for Stateless 7326 Address Autoconfiguration in IPv6", RFC 3041, January 2001. 7328 [19] Reynolds, J., "Assigned Numbers: RFC 1700 is Replaced by an 7329 On-line Database", RFC 3232, January 2002. 7331 [20] National Institute of Standards and Technology, "Secure Hash 7332 Standard", FIPS PUB 180-1, April 1995, . 7335 [21] Arkko, J., Devarapalli, V. and F. Dupont, "Using IPsec to 7336 Protect Mobile IPv6 Signaling betweenMobile Nodes and Home 7337 Agents", draft-ietf-mobileip-mipv6-ha-ipsec-05 (work in 7338 progress), May 2003. 7340 Informative References 7342 [22] Perkins, C., "IP Mobility Support", RFC 2002, October 1996. 7344 [23] Perkins, C., "IP Encapsulation within IP", RFC 2003, October 7345 1996. 7347 [24] Perkins, C., "Minimal Encapsulation within IP", RFC 2004, 7348 October 1996. 7350 [25] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing 7351 for Message Authentication", RFC 2104, February 1997. 7353 [26] Ferguson, P. and D. Senie, "Network Ingress Filtering: 7354 Defeating Denial of Service Attacks which employ IP Source 7355 Address Spoofing", RFC 2267, January 1998. 7357 [27] Aura, T. and J. Arkko, "MIPv6 BU Attacks and Defenses", 7358 draft-aura-mipv6-bu-attacks-01 (work in progress), March 2002. 7360 [28] Bellovin, S., "Guidelines for Mandating Automated Key 7361 Management", draft-bellovin-mandate-keymgmt-00 (work in 7362 progress), August 2003. 7364 [29] Droms, R., "Dynamic Host Configuration Protocol for IPv6 7365 (DHCPv6)", draft-ietf-dhc-dhcpv6-28 (work in progress), 7366 November 2002. 7368 [30] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", 7369 draft-ietf-ipsec-ikev2-07 (work in progress), April 2003. 7371 [31] Draves, R., "Default Address Selection for IPv6", 7372 draft-ietf-ipv6-default-addr-select-09 (work in progress), 7373 August 2002. 7375 [32] Nikander, P., Aura, T., Arkko, J., Montenegro, G. and E. 7376 Nordmark, "Mobile IP version 6 Route Optimization Security 7377 Design Background", draft-nikander-mobileip-v6-ro-sec-00.txt 7378 (work in progress), April 2003. 7380 [33] Nordmark, E., "Securing MIPv6 BUs using return routability 7381 (BU3WAY)", draft-nordmark-mobileip-bu3way-00 (work in 7382 progress), November 2001. 7384 [34] Roe, M., Aura, T., O'Shea, G. and J. Arkko, "Authentication of 7385 Mobile IPv6 Binding Updates and Acknowledgments", 7386 draft-roe-mobileip-updateauth-02 (work in progress), March 7387 2002. 7389 [35] Savola, P., "Use of /127 Prefix Length Between Routers 7390 Considered Harmful", draft-savola-ipv6-127-prefixlen-04 (work 7391 in progress), June 2002. 7393 [36] Savola, P., "Security of IPv6 Routing Header and Home Address 7394 Options", draft-savola-ipv6-rh-ha-security-03 (work in 7395 progress), December 2002. 7397 [37] Vida, R. and L. Costa, "Multicast Listener Discovery Version 2 7398 (MLDv2) for IPv6", draft-vida-mld-v2-06 (work in progress), 7399 December 2002. 7401 Authors' Addresses 7403 David B. Johnson 7404 Rice University 7405 Dept. of Computer Science, MS 132 7406 6100 Main Street 7407 Houston TX 77005-1892 7408 USA 7410 EMail: dbj@cs.rice.edu 7412 Charles E. Perkins 7413 Nokia Research Center 7414 313 Fairchild Drive 7415 Mountain View CA 94043 7416 USA 7418 EMail: charliep@iprg.nokia.com 7420 Jari Arkko 7421 Ericsson 7422 Jorvas 02420 7423 Finland 7425 EMail: jari.arkko@ericsson.com 7427 Appendix A. Changes from Previous Version of the Draft 7429 This appendix briefly lists some of the major changes in this draft 7430 relative to the previous version of this same draft, 7431 draft-ietf-mobileip-ipv6-21.txt: 7433 o The required policy checks for protecting return routability 7434 packets have been clarified; the language now allows different 7435 implementations as long as the end result is the same (tracked 7436 issue 306). 7438 o The specification no longer discusses the differences of using 7439 randomly generated and EUI-64 based interface identifiers for 7440 link-local addresses while away from home (tracked issue 302). 7442 o The rules for treating IKE cookies when using the Key Management 7443 Capability (K) flag have been specified in Section 10.3.1 (tracked 7444 issue 298). 7446 o Section 6.2.7 now makes it clear why the home address does not 7447 need to be a part of the formula for calculating the MAC; the home 7448 address is taken in account in the construction of the keygen 7449 tokens (tracked issue 298). 7451 o The security considerations discuss the need for payload packet 7452 protection in more depth than previously. In particular, the use 7453 of payload packet protection is now recommended when communicating 7454 with hosts in a home network protected with some form of perimeter 7455 defense (tracked issue 298). 7457 o The rules for treating IKE cookies when using the Key Management 7458 Capability (K) flag have been specified in Section 10.3.1 (tracked 7459 issue 298). 7461 o Section 11.5.1 has been rewritten as a collection of hints about 7462 movement or the lack thereof. Appropriate actions are specified 7463 for each of the received hints (tracked issue 297). 7465 o Section 11.5.1 no longer claims that tracking of inbound traffic 7466 from the router ensures symmetric reachability (tracked issue 7467 297). 7469 o The specific mechanisms for tracking inbound reachability when not 7470 sending any traffic have been moved outside this document (tracked 7471 issue 297). 7473 o The return routability MAC calculation formula has been aligned 7474 between Section 5.2.6 and Section 6.2.7 (tracked issue 293). 7476 o It is now required that nodes may not implement the Home Address 7477 option or type 2 Routing header without conforming to all requires 7478 in Section 8.2 (tracked issue 290). 7480 o Section 9.5.1 now clearly specifies in which order the various 7481 checks on Binding Updates must be performed before the update of 7482 the sequence number can take place (tracked issue 290). 7484 o It is now required that when sending packets to a correspondent 7485 node using route optimization, mobile nodes use the same care-of 7486 address which has been registered by the correspondent node as the 7487 current location of the mobile node (tracked issue 289). 7489 o The administrative capability for disabling route optimization is 7490 now a SHOULD, not a MUST (tracked issue 289). 7492 o The aggregate list of prefixes on the home network has been 7493 replaced with the home agent's own AdvPrefixList and a 7494 recommendation that the home agents be configured with the same 7495 prefixes (tracked issue 289). 7497 o It is now required that the mobile node MUST NOT use the Home 7498 Address destination option for IPv6 Neighbor Discovery packets 7499 (tracked issue 289). 7501 o Section 11.7.2 now excludes any return routability related message 7502 from initiating the need to update a binding (tracked issue 289). 7504 o Section 11.7.2 no longer discusses what to do when the 7505 correspondent node has a stale Binding Cache entry, because in 7506 most cases this cannot be detected (tracked issue 289). 7508 o Section 11.7.3 has been clarified to explain that after receiving 7509 a Status value 128 or larger, the mobile node node should take 7510 steps to correct the problem, and only if this fails it should 7511 avoid resending Binding Updates (tracked issue 289). 7513 o The events causing a Mobile Prefix Advertisement to be sent have 7514 been clarified to not include prefix lifetime changes due to 7515 passing of real-time (tracked issue 289). 7517 o Section 15.4 and Section 15.4.6 discuss separately on-path attacks 7518 and blind guessing of keygen tokens (tracked issue 288). 7520 o The document now has an extensive discussion of the implications 7521 of either using or not using IKE (tracked issue 282). 7523 o A timeout mechanism has been specified for peers marked as not 7524 supporting the Mobility Header protocol (tracked issue 281). 7526 o The document now explicitly mentions that multiple home addresses 7527 are supported (tracked issue 281). 7529 o Mobile nodes are now allowed to respond to all Neighbor 7530 Solicitations on the home link while waiting for a Binding 7531 Acknowledgement from their home agent, as the Solicitations from 7532 home agent cannot be distinguished from other Solicitations 7533 (tracked issue 279). 7535 o Section 11.5.1 takes in account that the link-local addresses of 7536 two routers on different links can be equal. To counteract the 7537 effect of this for movement detection, home agents are required to 7538 send consistent information about their global address through the 7539 Router Address (R) flag in Router Advertisements, and mobile nodes 7540 track these addresses as well as the source address of the 7541 advertisement when doing movement detection (tracked issue 278). 7543 o The treatment of the Home registration (H) flag and the existence 7544 of mobility options related to return routability has been 7545 clarified. The options for return routability are must be present 7546 if and only if the flag is zero (tracked issue 277). 7548 o The sequence number example in Section 9.5.1 has been corrected 7549 (tracked issue 276). 7551 o ICMPv6 Parameter Problem and Binding Error messages are now sent 7552 without a Binding Cache lookup (tracked issue 273). 7554 o A new Binding Acknowledgment Status value 139 (Registration type 7555 change disallowed) has been added to report an error where the 7556 mobile node tries to change a home registration to a correspondent 7557 registration, or vice versa (tracked issue 273). 7559 o The use of Home Address destination option, type 2 Routing header, 7560 and Binding Cache lookups has been clarified for all Mobility 7561 Header messages in Section 6.1 (tracked issue 269). 7563 o Looping Binding Cache entries are now forbidden (tracked issue 7564 268). 7566 o A number of editorial modifications have been performed (tracked 7567 issues 267, 280, 283, 289, 290, 301, and 304). 7569 Appendix B. Future Extensions 7571 B.1 Piggybacking 7573 This document does not specify how to piggyback payload packets on 7574 the binding related messages. However, it is envisioned that this 7575 can be specified in a separate document when currently discussed 7576 issues such as the interaction between piggybacking and IPsec are 7577 fully resolved (see also Appendix B.3). The return routability 7578 messages can indicate support for piggybacking with a new mobility 7579 option. 7581 B.2 Triangular Routing 7583 Due to the concerns about opening reflection attacks with the Home 7584 Address destination option, this specification requires that this 7585 option must be verified against the Binding Cache, i.e., there must 7586 be a Binding Cache entry for the Home Address and Care-of Address. 7588 Future extensions may be specified that allow the use of unverified 7589 Home Address destination options in ways that do not introduce 7590 security issues. 7592 B.3 New Authorization Methods 7594 While the return routability procedure provides a good level of 7595 security, there exists methods that have even higher levels of 7596 security. Secondly, as discussed in Section 15.4, future 7597 enhancements of IPv6 security may cause a need to improve also the 7598 security of the return routability procedure. Using IPsec as the 7599 sole method for authorizing Binding Updates to correspondent nodes is 7600 also possible. The protection of the Mobility Header for this 7601 purpose is easy, though one must ensure that the IPsec SA was created 7602 with appropriate authorization to use the home address referenced in 7603 the Binding Update. For instance, a certificate used by IKE to 7604 create the security association might contain the home address. A 7605 future specification may specify how this is done. 7607 B.4 Dynamically Generated Home Addresses 7609 A future version of this specification may include functionality that 7610 allows the generation of new home addresses without requiring 7611 pre-arranged security associations or certificates even for the new 7612 addresses. 7614 B.5 Remote Home Address Configuration 7616 The method for initializing a mobile node's home addresses on 7617 power-up or after an extended period of being disconnected from the 7618 network is beyond the scope of this specification. Whatever 7619 procedure is used should result in the mobile node having the same 7620 stateless or stateful (e.g., DHCPv6) home address autoconfiguration 7621 information it would have if it were attached to the home network. 7622 Due to the possibility that the home network could be renumbered 7623 while the mobile node is disconnected, a robust mobile node would not 7624 rely solely on storing these addresses locally. 7626 Such a mobile node could initialize by using the following procedure: 7628 1. Generate a care-of address. 7630 2. Query DNS for an anycast address associated with the FQDN of the 7631 home agent(s). 7633 3. Perform home agent address discovery, and select a home agent. 7635 4. Configure one home address based on the selected home agent's 7636 subnet prefix and the interface identifier of the mobile node. 7638 5. Create security associations and security policy database entries 7639 for protecting the traffic between the selected home address and 7640 home agent. 7642 6. Perform a home registration to the selected home agent. 7644 7. Perform mobile prefix discovery. 7646 8. Make a decision if further home addresses need to be configured. 7648 This procedure is restricted to those situations where the home 7649 prefix is 64 bits and the mobile node knows its own interface 7650 identifier of also 64 bits. 7652 B.6 Neighbor Discovery Extensions 7654 Future specifications may improve the efficiency of Neighbor 7655 Discovery tasks, which could be helpful for fast movements. One 7656 factor which is currently being looked at is the delays caused by the 7657 Duplicate Address Detection mechanism. Currently, Duplicate Address 7658 Detection needs to be performed for every new care-of address as the 7659 mobile node moves, and for the mobile node's link-local address on 7660 every new link. In particular, the need and the trade-offs of 7661 re-performing Duplicate Address Detection for the link-local address 7662 every time when the mobile node moves on to new links will need to be 7663 examined. Improvements in this area are, however, generally 7664 applicable and progressed independently from Mobile IPv6 7665 specification. 7667 Future functional improvements may also be relevant for Mobile IPv6 7668 and other applications. For instance, mechanisms that would allow 7669 recovery from a Duplicate Address Detection collision would be useful 7670 for link-local, care-of, and home addresses. 7672 Intellectual Property Statement 7674 The IETF takes no position regarding the validity or scope of any 7675 intellectual property or other rights that might be claimed to 7676 pertain to the implementation or use of the technology described in 7677 this document or the extent to which any license under such rights 7678 might or might not be available; neither does it represent that it 7679 has made any effort to identify any such rights. Information on the 7680 IETF's procedures with respect to rights in standards-track and 7681 standards-related documentation can be found in BCP-11. Copies of 7682 claims of rights made available for publication and any assurances of 7683 licenses to be made available, or the result of an attempt made to 7684 obtain a general license or permission for the use of such 7685 proprietary rights by implementors or users of this specification can 7686 be obtained from the IETF Secretariat. 7688 The IETF invites any interested party to bring to its attention any 7689 copyrights, patents or patent applications, or other proprietary 7690 rights which may cover technology that may be required to practice 7691 this standard. Please address the information to the IETF Executive 7692 Director. 7694 Full Copyright Statement 7696 Copyright (C) The Internet Society (2003). All Rights Reserved. 7698 This document and translations of it may be copied and furnished to 7699 others, and derivative works that comment on or otherwise explain it 7700 or assist in its implementation may be prepared, copied, published 7701 and distributed, in whole or in part, without restriction of any 7702 kind, provided that the above copyright notice and this paragraph are 7703 included on all such copies and derivative works. However, this 7704 document itself may not be modified in any way, such as by removing 7705 the copyright notice or references to the Internet Society or other 7706 Internet organizations, except as needed for the purpose of 7707 developing Internet standards in which case the procedures for 7708 copyrights defined in the Internet Standards process must be 7709 followed, or as required to translate it into languages other than 7710 English. 7712 The limited permissions granted above are perpetual and will not be 7713 revoked by the Internet Society or its successors or assignees. 7715 This document and the information contained herein is provided on an 7716 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 7717 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 7718 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 7719 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 7720 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 7722 Acknowledgement 7724 Funding for the RFC Editor function is currently provided by the 7725 Internet Society.