Internet Engineering Task Force                               C-Y Lee
INTERNET DRAFT                                               G. Morrow
July 2000                                                     F. Kadri

                    Intercepting Location Updates

Status of this memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Expires January 2001

Abstract

The base Mobile IP protocol [MIP] allows a host to send datagrams to a mobile node transparently, as it would to any other node. Datagrams addressed to the mobile node are always routed via the Home Agent (HA) in the home network. However, as the mobile node moves away from its home network, it may no longer be topologically close to its home agent. Route optimization [MIP-OPTIM] has been proposed to let a host send packets to a mobile node (MN) as it moves, without routing every packet via the home agent: the MN gives its current address to each host (correspondent node, CN) it is communicating with as it moves, the CN updates its cache of the MN's location with the new address, and the CN tunnels datagrams addressed to the MN to that address. However, not all correspondent nodes are capable of tunneling IP datagrams as the route optimization mechanisms of [MIP-OPTIM] require.
More importantly, disclosing the current location (the care-of address, COA) of the mobile node to correspondent nodes is not always desirable, nor is the overhead of encapsulating every datagram sent to the MN ideal.

This proposal provides an optional means for a host with an existing IP host stack to communicate transparently with a mobile node when a route optimization scheme such as [MIP-OPTIM] is in use. At the same time, the proposal does not reveal the current location of the MN to correspondent nodes, and datagrams sent from the CN to an MN in a foreign network need not be encapsulated by the CN. In the reverse direction, data sent from the MN to the CN does not always have to be routed via the home agent (as it is when datagrams sourced by the MN are tunneled to the home agent so that they are not filtered at firewalls), nor does data sent from the MN to a CN have to be encapsulated.

In addition, this proposal provides a means to regionalize location updates [REGIONAL-REG] transparently to mobile nodes: mobile nodes do not have to be aware of, or capable of, regionalizing or localizing location update messages. Furthermore, location update messages can be localized within a network, routing area or domain by leveraging the existing routing hierarchy in the network. This obviates the need to construct a hierarchy of foreign agents, and the consequent need to ensure that the hierarchy is reasonably optimal for routing and loop free.

1.0 Introduction

A mobile node (MN) is identified by its home IP address. When it moves to a new location it has to notify its home agent, so that the home agent can route IP datagrams to the mobile node at its new location. The mobile node notifies its home agent of its new care-of address by sending a Registration Request message. This registration mechanism is defined in the base Mobile IP protocol [MIP].
To allow hosts (referred to as correspondent nodes, CNs) to send IP datagrams directly to the mobile node's care-of address without going through the home agent first, correspondent nodes also need to be notified when the mobile node moves. In [MIP-OPTIM], a mobile node may notify correspondent nodes of its care-of address via the home agent: the mobile node may send a Binding Warning message to its home agent to request that the home agent inform the correspondent nodes of its new care-of address (COA) by sending them Binding Update messages. A mobile node may append this request, as a Binding Warning Extension, to the Registration Request message it sends to the home agent. On receiving the Binding Warning Extension, the home agent should send Binding Update messages to the correspondent nodes listed in it, notifying them of the mobile node's new care-of address.

The location hiding route optimization described in this document requires one minor change to the Binding Update message defined in [MIP-OPTIM]: the IP Router Alert Option [ROUTER-ALERT] is added to the IP header carrying the message. The Router Alert Option marks an IP packet as one that routers on the path should inspect for further processing, if necessary, even though the packet is not addressed to them. [Note: ideally an "Edge Router Alert", inspected only by edge devices, would be more suitable for this purpose.]

With this option set, the Binding Update message is forwarded like any other IP datagram by intermediate routers towards the correspondent node. When the Binding Update message reaches the router serving the subnet where the correspondent node resides, that router performs the operations needed so that datagrams addressed to the mobile node from this subnet are redirected to the care-of address of the mobile node. This router is referred to as the correspondent agent. The mechanisms required to redirect datagrams to the mobile node are described in the section Correspondent Agent (CA) Operations below.
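As an added illustration, not part of this draft: the following Python builds an IPv4 header carrying the Router Alert Option exactly as [ROUTER-ALERT] (RFC 2113) defines it (option type 0x94, length 4, value 0) and shows the check an intercepting router makes on a transit packet that is not addressed to it. The addresses, the use of UDP (protocol 17) for the Binding Update and the payload length are assumptions of the example.

```python
import socket
import struct

# IPv4 Router Alert option as defined in RFC 2113 [ROUTER-ALERT]:
# type 0x94 (copied=1, class=0, number=20), length 4, value 0
# ("router shall examine packet").
ROUTER_ALERT_OPTION = bytes([0x94, 0x04, 0x00, 0x00])


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (IPv4 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      router_alert: bool = True, ttl: int = 64) -> bytes:
    """Return a valid IPv4 header, with the Router Alert option when requested.

    A Binding Update sent in a packet built with router_alert=True is examined by
    every router on the path, which is what lets the correspondent agent intercept
    it; with router_alert=False it is forwarded like any other datagram.
    """
    options = ROUTER_ALERT_OPTION if router_alert else b""
    ihl = (20 + len(options)) // 4          # header length in 32-bit words
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,                     # version 4, IHL
        0,                                  # DSCP/ECN
        ihl * 4 + payload_len,              # total length
        0,                                  # identification
        0x4000,                             # flags: don't fragment, offset 0
        ttl,
        protocol,
        0,                                  # checksum, filled in below
        socket.inet_aton(src),
        socket.inet_aton(dst),
    ) + options
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def checksum_is_valid(packet: bytes) -> bool:
    """A correct header sums to zero once its own checksum field is included."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def has_router_alert(packet: bytes) -> bool:
    """Walk the IPv4 option list and report whether Router Alert is present.

    This is the test an intercepting router applies to a transit packet before it
    looks any deeper; malformed option lists are rejected rather than guessed at.
    """
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    options = packet[20:ihl]
    i = 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == 0:                   # End of Option List
            break
        if opt_type == 1:                   # No Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option length byte missing")
        opt_len = options[i + 1]
        if opt_len < 2 or i + opt_len > len(options):
            raise ValueError("bad option length")
        if opt_type == 0x94 and opt_len == 4:
            return True
        i += opt_len
    return False


if __name__ == "__main__":
    # Constructed example: a Binding Update from a home agent at 192.0.2.1 to a
    # correspondent node at 198.51.100.7, carried in UDP (protocol 17, assumed
    # here) with a 32-byte payload.
    bu_header = build_ipv4_header("192.0.2.1", "198.51.100.7", 17, 32)
    print(bu_header.hex())
    print("router alert:", has_router_alert(bu_header),
          "checksum ok:", checksum_is_valid(bu_header))
```

A Binding Update built with router_alert=False is indistinguishable, to the correspondent agent, from ordinary transit traffic and is forwarded untouched; with the option present the router walks the option list before forwarding, which is the hook this draft relies on. The option walker tolerates NOP padding and rejects option lengths that run past the header, so a crafted packet cannot make the router read beyond the option area.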
The benefits of this proposal are:

* backward compatibility with RFC2002 [MIP] and [MIP-OPTIM];

* no need to encapsulate or decapsulate data, reducing header overhead;

* an optimized route to the mobile node without requiring changes to correspondent nodes on the Internet;

* the care-of address of the mobile node is hidden from the correspondent node. Otherwise, knowledge of the care-of address can be used to infer the whereabouts of the mobile user;

* the mobile node can send data to the correspondent node without necessarily going through the home agent [REVERSE-TUNNEL], i.e. route optimization is also possible in the reverse direction, from the mobile node to the correspondent node;

* the hierarchy of foreign agents is transparent to mobile nodes. A mobile node does not have to know whether it is using a hierarchical foreign agent or an RFC2002 foreign agent;

* the routing hierarchy (e.g. routing area, routing domain) is leveraged to localize location update messages.

2.0 Motivation

The motivations for this proposal are:

i) to allow existing hosts that are not capable of tunneling IP datagrams to communicate with a mobile node over a more optimal path than via the HA (when the MN has moved away from its home network);

ii) to allow traffic from a CN to use the more optimal path to the MN without revealing the current location (the COA) of the MN to the CN;

iii) to obviate the need to encapsulate data, in both the forward and the reverse direction;

iv) to allow an MN to use the more optimal path to the CN in the case where data destined to the CN is first tunneled from the MN to the HA to prevent data sourced by the MN from being filtered by firewalls;
v) to constrain location update messages within a region or domain in a way that is transparent to mobile nodes.

3.0 Overview

This proposal allows an IP host with an existing TCP/IP stack to communicate with a mobile IP host without requiring datagrams to go through a router (the Home Agent) in the home network while the mobile node is away from its home network. A host (correspondent node, CN) sends data to a mobile node (MN) transparently, using the MN's home address, and need not be aware of the MN's address in the foreign network. The CN does not need to be able to encapsulate or decapsulate IP datagrams. The router serving the CN binds the MN's home address to the care-of address (COA) of the MN when it receives a location update message from the MN or from a Foreign Agent (FA).

[Note: this router is referred to as the Correspondent Agent (CA). The location update message is referred to as the binding update, to be consistent with Mobile IP terminology. If requested by an MN, a Foreign Agent provides routing services to the MN and sends and receives binding messages on its behalf. The COA of an MN can be a Foreign Agent address or a temporary address the MN acquires when it visits a foreign network.]

[Figure: the correspondent node sends packets to the mobile node's home address through the correspondent agent. At t0 the mobile node is in its home network and the packet is delivered there via the home agent; at t1 the mobile node has moved away from its home network and the correspondent agent redirects the packet to the mobile node's care-of address.]

An MN or Foreign Agent notifies the CN that the MN has moved by triggering a binding update towards the CN.
This update message is sent with the Router Alert Option, allowing the router (CA) serving the CN to intercept it and bind the mobile node's care-of address to the mobile node's home address. The details of this scheme are described in Correspondent Agent Operations.

4.0 Correspondent Agent Operations

As described in the Introduction, when a mobile node moves to a new location it sends a Registration Request to its home agent, informing the home agent of its new care-of address. The home agent in turn sends a Binding Update message to notify the correspondent node of the mobile node's new care-of address, setting the IP destination address of the message to the correspondent node's address and including the Router Alert Option in the IP header. This Binding Update is intercepted by the last-hop router to the correspondent node, referred to as the correspondent agent.

To provide transparent optimal routing for the correspondent node, and the benefits listed in the Introduction, the access router(s) serving the correspondent nodes MUST support the Correspondent Agent functions described here. Otherwise, the Binding Update message reaches the correspondent node itself. If the access routers in the network where the correspondent node resides support the location hiding route optimization proposed here, the correspondent agent caches the mobility binding as described in [MIP-OPTIM] and tunnels data for the mobile node to its care-of address. If there is no correspondent agent in the access network, the location hiding route optimization has the same effect as [MIP-OPTIM]: if the correspondent node supports [MIP-OPTIM], it tunnels data for the mobile node to the care-of address itself; if it does not, packets addressed to the mobile node are routed via the home agent (i.e. without route optimization), as in [MIP].
In other words, this scheme is backward compatible with both [MIP] and [MIP-OPTIM].

[Figure: the mobile node, having moved from its home network to a foreign network, sends a Registration Request carrying its COA to the home agent. The home agent sends a Binding Update (BU) to the correspondent agent. Data from the correspondent node, still addressed to the mobile node's home address, is thereafter redirected by the correspondent agent to the COA.]

When a correspondent agent receives a Binding Update message, and it is itself the next hop (off this subnet) towards the care-of address, it caches the mobile node's home address and care-of address. It should then send an ICMP Redirect message to the correspondent node, redirecting packets addressed to the mobile node to the correspondent agent. The Redirect causes the correspondent node's IP stack to add or update a route towards the mobile node's home address with the next hop set to the correspondent agent. This ensures that the correspondent node forwards datagrams addressed to the mobile node to the correspondent agent rather than to another gateway or router.

Note that existing hosts already process ICMP Redirect messages as required above. According to RFC1122 on host requirements, on receiving an ICMP Redirect message, "A host receiving a Redirect message MUST update its routing information accordingly." RFC1122 also says that a host SHOULD silently discard a Redirect whose new gateway is not on the connected subnet through which the Redirect arrived, or whose source is not the host's current first-hop gateway for the destination. A correspondent agent that is not the correspondent node's current first hop for the mobile node's home address therefore cannot expect its Redirect to be honoured; in that case the correspondent node keeps sending via its existing gateway and the traffic still reaches the mobile node via the home agent, as in [MIP].

If the correspondent agent is not the next hop to the care-of address, it sends the Binding Update message to the next-hop router towards the care-of address. That next-hop router, referred to as the redirector, caches the mobile node's home address and care-of address and acknowledges the Binding Update message.
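The correspondent agent behaviour described above, as an added example that is not part of this draft: the interceptor caches the binding itself when it is the next hop to the care-of address, and otherwise hands the Binding Update to the redirector on its LAN and waits for the acknowledgement before sending the ICMP Redirect; the correspondent node applies the RFC1122 checks to the Redirect before acting on it. Router and host addresses, the routing tables and the name-based routing are constructed for the example; encryption of the Binding Update on the LAN and the actual tunnel encapsulation are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

Addr = str


@dataclass
class BindingUpdate:
    home_address: Addr            # the mobile node's home address
    care_of_address: Addr         # its current COA; never written into the CN's routes


@dataclass
class IcmpRedirect:
    source: Addr                  # router that sent the Redirect
    destination: Addr             # host route to update (the MN's home address)
    new_gateway: Addr             # router the CN should use for that destination


@dataclass
class Router:
    address: Addr
    routes: Dict[Addr, Addr]      # destination -> next hop; "default" covers the rest
    bindings: Dict[Addr, Addr] = field(default_factory=dict)   # home address -> COA

    def next_hop(self, dst: Addr) -> Addr:
        return self.routes.get(dst, self.routes["default"])

    def redirector_accept(self, bu: BindingUpdate) -> bool:
        """Redirector role: cache the mobility binding and acknowledge the BU."""
        self.bindings[bu.home_address] = bu.care_of_address
        return True

    def intercept_binding_update(self, bu: BindingUpdate,
                                 lan: Dict[Addr, "Router"]) -> Optional[IcmpRedirect]:
        """Interceptor role, invoked because the BU carried Router Alert and this
        router is the last hop to the CN. Returns the ICMP Redirect to send to the CN."""
        nh = self.next_hop(bu.care_of_address)
        if nh in lan:                         # another router on this LAN leads to the COA
            if not lan[nh].redirector_accept(bu):
                return None                   # no acknowledgement: send no Redirect
            gateway = nh
        else:                                 # co-located case: we are the next hop to the COA
            self.redirector_accept(bu)
            gateway = self.address
        return IcmpRedirect(self.address, bu.home_address, gateway)

    def forward(self, dst: Addr) -> str:
        """Data plane: tunnel to a cached COA, otherwise forward normally (towards the HA)."""
        if dst in self.bindings:
            return "tunnel to " + self.bindings[dst]
        return "forward via " + self.next_hop(dst)


@dataclass
class Host:
    address: Addr
    default_gateway: Addr
    host_routes: Dict[Addr, Addr] = field(default_factory=dict)

    def first_hop(self, dst: Addr) -> Addr:
        return self.host_routes.get(dst, self.default_gateway)

    def on_icmp_redirect(self, r: IcmpRedirect, lan: Set[Addr]) -> bool:
        """RFC1122 3.2.2.2: update the route, but silently discard a Redirect whose
        new gateway is off the connected subnet or whose source is not the current
        first hop for the destination."""
        if r.new_gateway not in lan or r.source != self.first_hop(r.destination):
            return False
        self.host_routes[r.destination] = r.new_gateway
        return True


def run(cn_default_is_interceptor: bool, interceptor_is_next_hop_to_coa: bool) -> str:
    """Constructed scenario: CN 10.0.1.10 on a LAN with routers r1 (10.0.1.1) and
    r2 (10.0.1.2); MN home address 192.0.2.5, COA 203.0.113.9; 10.9.9.1 is the
    upstream router. The BU from the HA always arrives at r1. Returns what the
    CN's first-hop router does with a datagram for the MN afterwards."""
    r1 = Router("10.0.1.1", {"default": "10.9.9.1"})
    r2 = Router("10.0.1.2", {"default": "10.9.9.1"})
    lan = {r1.address: r1, r2.address: r2}
    cn = Host("10.0.1.10", r1.address if cn_default_is_interceptor else r2.address)
    if not interceptor_is_next_hop_to_coa:
        r1.routes["203.0.113.9"] = r2.address   # r1 must hand the BU to r2
    bu = BindingUpdate("192.0.2.5", "203.0.113.9")
    redirect = r1.intercept_binding_update(bu, lan)
    if redirect is not None:
        cn.on_icmp_redirect(redirect, set(lan))
    assert "203.0.113.9" not in cn.host_routes.values()  # COA stays hidden from the CN
    return lan[cn.first_hop(bu.home_address)].forward(bu.home_address)
```

run(True, True) and run(True, False) both end with the CN's first-hop router tunneling to the COA (co-located, and split interceptor/redirector). run(False, True) is the caveat noted above: the Binding Update arrives at a router that is not the correspondent node's first hop, the Redirect is discarded, and the datagram is forwarded upstream as before, reaching the mobile node via the home agent. In every case the only addresses written into the host's routing table are those of routers on its own LAN, so the care-of address is not disclosed.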
The collective functions of the binding update interceptor and the data redirector shown in the figure below are referred to as the correspondent agent. Here the interceptor and redirector are not co-located, whereas in the scenario described in the preceding paragraphs the interceptor is also the next hop to the care-of address, i.e. interceptor and redirector are co-located.

When the interceptor receives the acknowledgement of the Binding Update from the redirector, it should send an ICMP Redirect message to the correspondent node, redirecting packets addressed to the mobile node to the redirector. The correspondent node processes the ICMP Redirect as described in the preceding scenario where the interceptor and redirector are co-located.

If the correspondent node, interceptor and redirector are on the same LAN, the Binding Update sent to the redirector may be encrypted, to prevent the correspondent node from obtaining the care-of address of the mobile node in the clear by snooping on Binding Update messages on the LAN.

[Figure: the home agent, having received a Registration Request carrying the COA from the mobile node in the foreign network, sends a Binding Update (BU) to the interceptor; the interceptor forwards the BU to the redirector. Interceptor and redirector together form the correspondent agent. Data from the correspondent node addressed to the mobile node's home address is delivered to the redirector, which forwards it to the COA.]

5.0 Binding Messages

In [MIP-OPTIM] it is not necessary to acknowledge Binding Update messages. This may result in the home agent needlessly retransmitting Binding Update messages to correspondent nodes that do not support them.
Quoted from [MIP-OPTIM]: "When a mobile node's home agent intercepts a datagram from the home network and tunnels it to the mobile node, the home agent may deduce that the original source of the datagram has no binding cache entry for the destination mobile node. The home agent SHOULD then send a Binding Update message to the original source node, informing it of the mobile node's current mobility binding. No acknowledgment for such a Binding Update message is needed, since additional future datagrams from this source node intercepted by the home agent for the mobile node will cause transmission of another Binding Update. For a Binding Update to be authenticated by the original source node, the source node and the home agent must have established a mobility security association."

We propose that the home agent be provisioned with two parameters, "binding_update_retry_count" and "binding_update_abandon_count".

"binding_update_retry_count" is the number of datagrams received from a CN and addressed to the MN, since the last Binding Update was sent to that CN, after which the home agent sends another Binding Update. It should be configured on the order of fewer than 10 packets.

"binding_update_abandon_count" is the number of Binding Updates the HA sends to a CN (one every "binding_update_retry_count" packets) before it gives up sending Binding Updates to that CN. This parameter should be on the order of fewer than 3.

Using these parameters, the home agent can determine whether it should send further Binding Update messages to a correspondent node. The same scheme should be used by foreign agents, and by MNs with a co-located care-of address, for Binding Warning messages.

6.0 Constraining location update information to a domain or routing area

When a mobile node or foreign agent sends a location update message (i.e. a Registration Request with a Binding Warning Extension, or a Binding Warning) to the home agent, it should add the Router Alert Option to the location update message.
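The two parameters proposed above, as an added example that is not part of this draft: a per-(CN, MN) counter at the home agent that sends a Binding Update with the first tunneled datagram, repeats it every binding_update_retry_count datagrams, and stops after binding_update_abandon_count Binding Updates have gone unheeded. The default values and the reset of the counters when the MN registers a new binding are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CnState:
    datagrams_since_bu: int = 0   # datagrams from this CN tunneled since the last BU
    bus_sent: int = 0             # Binding Updates sent to this CN for this MN


class BindingUpdateScheduler:
    """Decides, per (correspondent node, mobile node) pair, whether the home
    agent should send a Binding Update when it tunnels an intercepted datagram.

    binding_update_retry_count:   datagrams tunneled for a CN before another BU
                                  is sent (the draft suggests a value below 10)
    binding_update_abandon_count: BUs sent to a CN that keeps sending via the HA
                                  before the HA gives up (the draft suggests below 3)
    """

    def __init__(self, binding_update_retry_count: int = 5,
                 binding_update_abandon_count: int = 2) -> None:
        if binding_update_retry_count < 1 or binding_update_abandon_count < 1:
            raise ValueError("both counts must be positive")
        self.retry_count = binding_update_retry_count
        self.abandon_count = binding_update_abandon_count
        self._state: Dict[Tuple[str, str], CnState] = {}

    def on_tunneled_datagram(self, cn: str, mn: str) -> bool:
        """Return True if a BU should be sent to cn now. The datagram itself is
        tunneled to the MN regardless of the answer (base Mobile IP behaviour)."""
        st = self._state.setdefault((cn, mn), CnState())
        if st.bus_sent >= self.abandon_count:
            return False                      # CN evidently ignores BUs; stop trying
        st.datagrams_since_bu += 1
        if st.bus_sent == 0 or st.datagrams_since_bu >= self.retry_count:
            st.bus_sent += 1
            st.datagrams_since_bu = 0
            return True
        return False

    def on_binding_changed(self, mn: str) -> None:
        """Assumption made by this example: when the MN registers a new COA every
        CN needs a fresh BU, so the per-CN counters for that MN are reset."""
        for key in list(self._state):
            if key[1] == mn:
                del self._state[key]


def bu_schedule(n_datagrams: int, retry_count: int, abandon_count: int) -> List[int]:
    """1-based indices of the datagrams (one CN to one MN) that trigger a BU."""
    sched = BindingUpdateScheduler(retry_count, abandon_count)
    return [i for i in range(1, n_datagrams + 1)
            if sched.on_tunneled_datagram("cn", "mn")]


if __name__ == "__main__":
    print(bu_schedule(12, 5, 2))   # [1, 6]
    print(bu_schedule(20, 3, 3))   # [1, 4, 7]
```

bu_schedule(12, 5, 2) returns [1, 6]: a Binding Update is sent with the first and the sixth tunneled datagram, and the eleventh, which would otherwise trigger a third, is tunneled without one because the CN has evidently not acted on the first two. A CN that does process the Binding Update stops sending via the home agent, so its counter simply never advances again.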
It is then possible for an "intermediate" router to intercept the location update message (i.e. the Binding Warning Extension sent with the Registration Request, or the Binding Warning) on its way from the mobile node or foreign agent to the home agent, and to create a tunnel to the mobile node or foreign agent. The "intermediate" router should then forward the update message onward after changing the IP source address of the message to its own address. This allows the correspondent agent (or the correspondent node, if there is no agent) to set up a tunnel to the intermediate router instead.

The advantage of allowing tunnels to be set up to intermediate routers is reduced location update latency. If an MN moves within a domain, the Binding Update message does not have to travel all the way to the correspondent agent/node, i.e. a tunnel does not have to be reconstructed from the CA/CN to the MN/FA when the MN moves.

Using such a hierarchy of "foreign agents" in the network, so that update messages do not have to be relayed all the way to the Home Agent, is advocated in HAWAII, Cellular IP and [REGIONAL-REG]. This proposal facilitates the use of such "hierarchical foreign agents" by letting border routers or firewalls at the edges of a network domain function as these "hierarchical foreign agents". Border routers or firewalls that the Registration Request message traverses on its way to the home agent can be configured to act as "gateway foreign agents". Mobile nodes or foreign agents send location update (Registration Request) messages to the home agent as in the base Mobile IP specification, instead of having to send special "regional" registration messages to a "gateway foreign agent".

The advantages of the scheme proposed here for constraining location update messages to a region or domain include:

* intra-domain mobility improvement is performed using the base Mobile IP messages.
No new registration messages (such as the regional tunnel messages in [REGIONAL-REG]) are required. The Registration Request messages defined in RFC2002 can be used, with the addition of the Router Alert Option;

* no assumptions are made about foreign nodes or mobile nodes being informed of a "gateway foreign agent", or being configured with a default route to a "domain root router";

* the "gateway care-of address" does not have to "flood a beacon periodically in the access network to allow base stations to create routes back to the gateway". To quote from Cellular IP, "All packets transmitted by mobile hosts regardless of their destination address are routed to the gateway using these routes.";

* no host-based forwarding (which has scalability issues) is required in the internal routers of a foreign domain, i.e. no state is stored in internal routers. In HAWAII, to quote the HAWAII draft, "Each router in the path between the mobile host and the "domain root router" adds a forwarding entry for the mobile host";

* foreign agents do not have to be configured with the domain's "gateway foreign agent" and need not advertise the "gateway foreign agent". When the location update message traverses the border router/firewall of a domain on its way to the home agent, the "gateway foreign agent" function can be activated;

* if the home agent is in the same network domain as the foreign agent or mobile node, the location update message goes directly to the home agent without having to be sent to a "gateway foreign agent" first.
6.1 Location Update Message intercepted by border routers

6.1.1 Mobile node and correspondent node in different domains

[Figure i) Mobile node and correspondent node in different domains: the mobile node in a foreign domain sends a Registration Request (RR) with its care-of address (COAb) towards the home agent. The Border Router of the foreign domain intercepts it, sets up a tunnel to COAb, and relays the RR towards the home agent with its own address (COAa) as the care-of address. The home agent sends a Binding Update (BU) to the correspondent agent, which tunnels data for the mobile node's home address (H) to COAa. When the mobile node moves to another location in the same foreign domain (COAc), the RR is again intercepted by the same Border Router, which re-points its tunnel; COAa, as seen by the home agent, is unchanged.]

[Figure ii) Mobile node moves to a different domain: the RR (now with COAe) reaches a different Border Router, which sets up a tunnel to COAe and relays the RR to the home agent with its own address (COAd) as the care-of address, so that the home agent and the correspondent agent learn the new tunnel endpoint.]

A provider may configure these "intermediate" routers, e.g. border routers or firewalls, to process the update message and set up tunnels. Intermediate routers may set up tunnels towards the mobile node if configured to do so. In most operational networks, only border routers or firewalls and the serving router (correspondent agent) of the correspondent node need to set up these tunnels. The update message is terminated at a router which already has a tunnel for this mobile node.
The "intermediate" router which intercepts the update message sets up a tunnel to the care-of address of the mobile node (or the foreign agent). When the mobile node moves within a foreign network domain, e.g. from one cell to another, the update message may be intercepted at a border router within the foreign network. The update message does not have to be relayed to the home agent, because the care-of address as seen by the home agent (COAa) has not changed.

When the mobile node moves from one mobile network into another, the update message reaches a different border router. This BR sends an update message towards the home agent to inform it that the tunnel endpoint has changed, and sets up a tunnel to the COA of the mobile node or FA. The home agent sends a Binding Update message towards the correspondent node, and the correspondent agent or node may then set up a tunnel to the BR.

6.1.2 Mobile node and correspondent node in the same domain

If a mobile node is not in its home domain, and a node in the foreign domain initiates communication with the mobile node, data addressed to the mobile node's home address from within this foreign domain is redirected to the local co-located care-of address (COAb in this case), as shown below. The location update (Registration Request) message may be intercepted by a border router (BR#1) of this foreign domain, and BR#1 redirects data to the mobile node by sending a Binding Update message towards the correspondent node. BR#1 is thus acting as a "proxy" home agent, so the correspondent agent/node should be able to trust, or authenticate, BR#1 when necessary. For instance, all border routers serving a domain can be provisioned with a private key, and can then be authenticated by any node within the domain using the corresponding public key.
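The border router behaviour of 6.1.1 and 6.1.2 above, as an added example that is not part of this draft: a Registration Request carrying the Router Alert Option is intercepted by the border router, which sets up (or re-points) its tunnel to the mobile node's COA, relays the request to the home agent with its own address as the care-of address only when it does not already serve that mobile node, and sends Binding Updates to the correspondent nodes it has already redirected inside the domain. Addresses are constructed; registration lifetimes, Registration Replies and the authentication of the border router by in-domain nodes are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RegistrationRequest:
    home_address: str
    care_of_address: str        # COA as seen by the receiver of this copy
    router_alert: bool = True   # set by the MN/FA so border routers examine it


@dataclass
class BindingUpdate:
    home_address: str
    care_of_address: str


@dataclass
class HomeAgent:
    bindings: Dict[str, str] = field(default_factory=dict)   # home address -> tunnel endpoint

    def on_registration_request(self, rr: RegistrationRequest) -> bool:
        """Record the binding; True when the tunnel endpoint changed, i.e. when
        the HA would now send Binding Updates towards the correspondent nodes."""
        changed = self.bindings.get(rr.home_address) != rr.care_of_address
        self.bindings[rr.home_address] = rr.care_of_address
        return changed


@dataclass
class BorderRouter:
    """Border router or firewall configured as a 'gateway foreign agent'."""
    address: str
    tunnels: Dict[str, str] = field(default_factory=dict)           # home address -> COA in domain
    redirected: Dict[str, List[str]] = field(default_factory=dict)  # home address -> in-domain CNs
    binding_updates_sent: List[Tuple[str, BindingUpdate]] = field(default_factory=list)

    def intercept(self, rr: RegistrationRequest) -> Optional[RegistrationRequest]:
        """Process a Registration Request passing through on its way to the HA.
        Returns the request to relay onward, or None when it is terminated here."""
        if not rr.router_alert:
            return rr                          # not marked for inspection: forward untouched
        already_served = rr.home_address in self.tunnels
        self.tunnels[rr.home_address] = rr.care_of_address   # set up or re-point the tunnel
        # 6.1.2: correspondent nodes in this domain learn the new COA from us, not the HA
        for cn in self.redirected.get(rr.home_address, []):
            self.binding_updates_sent.append(
                (cn, BindingUpdate(rr.home_address, rr.care_of_address)))
        if already_served:
            # The COA as seen by the home agent is this router's own address, which
            # has not changed, so the update goes no further (6.1.1, move within domain).
            return None
        # First registration seen for this MN here: relay with our own address as COA
        return RegistrationRequest(rr.home_address, self.address, rr.router_alert)

    def on_local_correspondent(self, cn: str, home_address: str) -> Optional[BindingUpdate]:
        """6.1.2: a node in this domain starts talking to the MN; act as proxy home
        agent and give it a Binding Update with the local COA."""
        coa = self.tunnels.get(home_address)
        if coa is None:
            return None                        # MN not served here: nothing to redirect
        self.redirected.setdefault(home_address, []).append(cn)
        bu = BindingUpdate(home_address, coa)
        self.binding_updates_sent.append((cn, bu))
        return bu


def scenario() -> dict:
    """Constructed walk-through: MN with home address 192.0.2.5 attaches in
    domain A (border router 198.51.100.1), is contacted by a node inside A, moves
    within A, then moves to domain B (border router 198.51.100.2)."""
    mn = "192.0.2.5"
    ha = HomeAgent()
    br_a = BorderRouter("198.51.100.1")
    br_b = BorderRouter("198.51.100.2")

    def register(br: BorderRouter, coa: str) -> bool:
        relayed = br.intercept(RegistrationRequest(mn, coa))
        return ha.on_registration_request(relayed) if relayed else False

    ha_notified = [register(br_a, "10.1.0.7")]              # first attach in A
    first_bu = br_a.on_local_correspondent("10.1.5.9", mn)  # in-domain CN appears
    ha_notified.append(register(br_a, "10.1.0.8"))          # move within A
    ha_notified.append(register(br_b, "10.2.0.3"))          # move to B
    return {
        "ha_notified": ha_notified,           # did the HA see a new tunnel endpoint?
        "ha_endpoint": ha.bindings[mn],       # always a border router, never the real COA
        "first_bu": first_bu,
        "br_a_tunnel": br_a.tunnels[mn],
        "br_a_bus": br_a.binding_updates_sent,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

In scenario() the home agent learns a new endpoint on the first attach and on the move to domain B, but not on the move within domain A, where the border router re-points its tunnel, terminates the request and sends the in-domain correspondent node a Binding Update with the new local COA itself. The home agent's binding is only ever a border router address, which is what keeps the real care-of address inside the domain. A request without the Router Alert Option is returned unchanged and leaves no state on the router.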
If the mobile node moves to another location within this foreign network, BR#1 intercepts the Registration Request from the mobile node or foreign agent and sends a Binding Update message with the new COA (which may be a private address) towards the correspondent node.

[Figure: mobile node and correspondent node in the same foreign domain. The mobile node registers with the home agent (home address H); the Registration Request (RR=COAb) passes through Border Router #1, which relays it with its own address as the care-of address (RR=COAa). BR#1 sends a Binding Update (BU=COAb) to the correspondent agent serving the correspondent node. Data from the correspondent node addressed to H is routed to BR#1 until the correspondent agent has received the BU, after which it is delivered to COAb directly within the domain.]

A more efficient way of notifying a correspondent node in the same domain is for the mobile node to send the location update message (e.g. a Binding Update) directly towards the correspondent node, but this approach places more burden on the mobile node. Nevertheless, BR#1 can include in the Registration Reply to the mobile node the list of correspondent nodes it has redirected within the domain. This allows the mobile node, when it subsequently moves to another location within the domain, to send Binding Update messages directly to those correspondent nodes if necessary to further reduce handoff latency. Otherwise, data from within this domain addressed to the mobile node is routed via BR#1.

6.1.2.1 Mobile node and correspondent node in the mobile node's home domain

Even when the location update message has to be sent via BR#1, the handoff latency is still less than if the local correspondent nodes had to be notified via a home agent that is not in the same domain.
If the home agent is in the same domain, the location update (Registration Request) message is forwarded to the home agent without having to go through a border router, as shown below. In both cases (the figure above and the one below), subsequent data addressed to the mobile node from within this domain (once the correspondent agent has been notified of the new location) is routed directly to the mobile node, not via BR#1 or the home agent.

[Figure: home agent in the same domain as the mobile node and correspondent node]