idnits 2.17.1 draft-ietf-mext-rfc3775bis-13.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (Mar 11, 2011) is 4766 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Informational RFC: RFC 2104 (ref. '1') ** Obsolete normative reference: RFC 2460 (ref. '6') (Obsoleted by RFC 8200) -- Possible downref: Non-RFC (?) normative reference: ref. '11' ** Obsolete normative reference: RFC 4941 (ref. '21') (Obsoleted by RFC 8981) ** Obsolete normative reference: RFC 5226 (ref. '23') (Obsoleted by RFC 8126) ** Obsolete normative reference: RFC 5996 (ref. '24') (Obsoleted by RFC 7296) -- Obsolete informational reference (is this intentional?): RFC 3315 (ref. '30') (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 3344 (ref. '31') (Obsoleted by RFC 5944) -- Obsolete informational reference (is this intentional?): RFC 3484 (ref. '32') (Obsoleted by RFC 6724) -- Obsolete informational reference (is this intentional?): RFC 3627 (ref. '36') (Obsoleted by RFC 6547) == Outdated reference: A later version (-03) exists of draft-savola-ipv6-rh-ha-security-02 Summary: 5 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IETF Mobile IP Working Group C. Perkins (Ed.) 3 Internet-Draft Tellabs Inc. 4 Obsoletes: 3775 (if approved) D. Johnson 5 Intended status: Standards Track Rice University 6 Expires: September 12, 2011 J. Arkko 7 Ericsson 8 Mar 11, 2011 10 Mobility Support in IPv6 11 draft-ietf-mext-rfc3775bis-13.txt 13 Abstract 15 This document specifies Mobile IPv6, a protocol which allows nodes to 16 remain reachable while moving around in the IPv6 Internet. Each 17 mobile node is always identified by its home address, regardless of 18 its current point of attachment to the Internet. While situated away 19 from its home, a mobile node is also associated with a care-of 20 address, which provides information about the mobile node's current 21 location. IPv6 packets addressed to a mobile node's home address are 22 transparently routed to its care-of address. The protocol enables 23 IPv6 nodes to cache the binding of a mobile node's home address with 24 its care-of address, and to then send any packets destined for the 25 mobile node directly to it at this care-of address. To support this 26 operation, Mobile IPv6 defines a new IPv6 protocol and a new 27 destination option. All IPv6 nodes, whether mobile or stationary, 28 can communicate with mobile nodes. This document obsoletes RFC 3775. 30 Status of this Memo 32 This Internet-Draft is submitted in full conformance with the 33 provisions of BCP 78 and BCP 79. 35 Internet-Drafts are working documents of the Internet Engineering 36 Task Force (IETF). Note that other groups may also distribute 37 working documents as Internet-Drafts. The list of current Internet- 38 Drafts is at http://datatracker.ietf.org/drafts/current/. 40 Internet-Drafts are draft documents valid for a maximum of six months 41 and may be updated, replaced, or obsoleted by other documents at any 42 time. It is inappropriate to use Internet-Drafts as reference 43 material or to cite them other than as "work in progress." 45 This Internet-Draft will expire on September 12, 2011. 47 Copyright Notice 48 Copyright (c) 2011 IETF Trust and the persons identified as the 49 document authors. All rights reserved. 51 This document is subject to BCP 78 and the IETF Trust's Legal 52 Provisions Relating to IETF Documents 53 (http://trustee.ietf.org/license-info) in effect on the date of 54 publication of this document. Please review these documents 55 carefully, as they describe your rights and restrictions with respect 56 to this document. Code Components extracted from this document must 57 include Simplified BSD License text as described in Section 4.e of 58 the Trust Legal Provisions and are provided without warranty as 59 described in the Simplified BSD License. 61 This document may contain material from IETF Documents or IETF 62 Contributions published or made publicly available before November 63 10, 2008. The person(s) controlling the copyright in some of this 64 material may not have granted the IETF Trust the right to allow 65 modifications of such material outside the IETF Standards Process. 66 Without obtaining an adequate license from the person(s) controlling 67 the copyright in such materials, this document may not be modified 68 outside the IETF Standards Process, and derivative works of it may 69 not be created outside the IETF Standards Process, except to format 70 it for publication as an RFC or to translate it into languages other 71 than English. 73 Table of Contents 75 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7 76 2. Comparison with Mobile IP for IPv4 . . . . . . . . . . . . . 9 77 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 10 78 3.1. General Terms . . . . . . . . . . . . . . . . . . . . . 10 79 3.2. Mobile IPv6 Terms . . . . . . . . . . . . . . . . . . . 12 80 4. Overview of Mobile IPv6 . . . . . . . . . . . . . . . . . . . 16 81 4.1. Basic Operation . . . . . . . . . . . . . . . . . . . . 16 82 4.2. New IPv6 Protocol . . . . . . . . . . . . . . . . . . . 18 83 4.3. New IPv6 Destination Option . . . . . . . . . . . . . . 19 84 4.4. New IPv6 ICMP Messages . . . . . . . . . . . . . . . . . 19 85 4.5. Conceptual Data Structure Terminology . . . . . . . . . 20 86 4.6. Unique-Local Addressability . . . . . . . . . . . . . . 20 87 5. Overview of Mobile IPv6 Security . . . . . . . . . . . . . . 22 88 5.1. Binding Updates to Home Agents . . . . . . . . . . . . . 22 89 5.2. Binding Updates to Correspondent Nodes . . . . . . . . . 23 90 5.2.1. Node Keys . . . . . . . . . . . . . . . . . . . . . . 23 91 5.2.2. Nonces . . . . . . . . . . . . . . . . . . . . . . . 24 92 5.2.3. Cookies and Tokens . . . . . . . . . . . . . . . . . 24 93 5.2.4. Cryptographic Functions . . . . . . . . . . . . . . . 25 94 5.2.5. Return Routability Procedure . . . . . . . . . . . . 25 95 5.2.6. Authorizing Binding Management Messages . . . . . . . 30 96 5.2.7. Updating Node Keys and Nonces . . . . . . . . . . . . 32 97 5.2.8. Preventing Replay Attacks . . . . . . . . . . . . . . 33 98 5.2.9. Handling Interruptions to Return Routability . . . . 33 99 5.3. Dynamic Home Agent Address Discovery . . . . . . . . . . 34 100 5.4. Mobile Prefix Discovery . . . . . . . . . . . . . . . . 34 101 5.5. Payload Packets . . . . . . . . . . . . . . . . . . . . 34 102 6. New IPv6 Protocol, Message Types, and Destination Option . . 36 103 6.1. Mobility Header . . . . . . . . . . . . . . . . . . . . 36 104 6.1.1. Format . . . . . . . . . . . . . . . . . . . . . . . 36 105 6.1.2. Binding Refresh Request Message . . . . . . . . . . . 38 106 6.1.3. Home Test Init Message . . . . . . . . . . . . . . . 39 107 6.1.4. Care-of Test Init Message . . . . . . . . . . . . . . 40 108 6.1.5. Home Test Message . . . . . . . . . . . . . . . . . . 41 109 6.1.6. Care-of Test Message . . . . . . . . . . . . . . . . 42 110 6.1.7. Binding Update Message . . . . . . . . . . . . . . . 44 111 6.1.8. Binding Acknowledgement Message . . . . . . . . . . . 46 112 6.1.9. Binding Error Message . . . . . . . . . . . . . . . . 49 113 6.2. Mobility Options . . . . . . . . . . . . . . . . . . . . 50 114 6.2.1. Format . . . . . . . . . . . . . . . . . . . . . . . 50 115 6.2.2. Pad1 . . . . . . . . . . . . . . . . . . . . . . . . 51 116 6.2.3. PadN . . . . . . . . . . . . . . . . . . . . . . . . 52 117 6.2.4. Binding Refresh Advice . . . . . . . . . . . . . . . 52 118 6.2.5. Alternate Care-of Address . . . . . . . . . . . . . . 52 119 6.2.6. Nonce Indices . . . . . . . . . . . . . . . . . . . . 53 120 6.2.7. Binding Authorization Data . . . . . . . . . . . . . 54 122 6.3. Home Address Option . . . . . . . . . . . . . . . . . . 55 123 6.4. Type 2 Routing Header . . . . . . . . . . . . . . . . . 57 124 6.4.1. Format . . . . . . . . . . . . . . . . . . . . . . . 57 125 6.5. ICMP Home Agent Address Discovery Request Message . . . 59 126 6.6. ICMP Home Agent Address Discovery Reply Message . . . . 60 127 6.7. ICMP Mobile Prefix Solicitation Message Format . . . . . 61 128 6.8. ICMP Mobile Prefix Advertisement Message Format . . . . 62 129 7. Modifications to IPv6 Neighbor Discovery . . . . . . . . . . 66 130 7.1. Modified Router Advertisement Message Format . . . . . . 66 131 7.2. Modified Prefix Information Option Format . . . . . . . 66 132 7.3. New Advertisement Interval Option Format . . . . . . . . 68 133 7.4. New Home Agent Information Option Format . . . . . . . . 69 134 7.5. Changes to Sending Router Advertisements . . . . . . . . 71 135 8. Requirements for Types of IPv6 Nodes . . . . . . . . . . . . 73 136 8.1. All IPv6 Nodes . . . . . . . . . . . . . . . . . . . . . 73 137 8.2. IPv6 Nodes with Support for Route Optimization . . . . . 73 138 8.3. All IPv6 Routers . . . . . . . . . . . . . . . . . . . . 75 139 8.4. IPv6 Home Agents . . . . . . . . . . . . . . . . . . . . 75 140 8.5. IPv6 Mobile Nodes . . . . . . . . . . . . . . . . . . . 77 141 9. Correspondent Node Operation . . . . . . . . . . . . . . . . 79 142 9.1. Conceptual Data Structures . . . . . . . . . . . . . . . 79 143 9.2. Processing Mobility Headers . . . . . . . . . . . . . . 80 144 9.3. Packet Processing . . . . . . . . . . . . . . . . . . . 80 145 9.3.1. Receiving Packets with Home Address Option . . . . . 80 146 9.3.2. Sending Packets to a Mobile Node . . . . . . . . . . 81 147 9.3.3. Sending Binding Error Messages . . . . . . . . . . . 83 148 9.3.4. Receiving ICMP Error Messages . . . . . . . . . . . . 83 149 9.4. Return Routability Procedure . . . . . . . . . . . . . . 84 150 9.4.1. Receiving Home Test Init Messages . . . . . . . . . . 84 151 9.4.2. Receiving Care-of Test Init Messages . . . . . . . . 84 152 9.4.3. Sending Home Test Messages . . . . . . . . . . . . . 85 153 9.4.4. Sending Care-of Test Messages . . . . . . . . . . . . 85 154 9.5. Processing Bindings . . . . . . . . . . . . . . . . . . 85 155 9.5.1. Receiving Binding Updates . . . . . . . . . . . . . . 85 156 9.5.2. Requests to Cache a Binding . . . . . . . . . . . . . 88 157 9.5.3. Requests to Delete a Binding . . . . . . . . . . . . 88 158 9.5.4. Sending Binding Acknowledgements . . . . . . . . . . 89 159 9.5.5. Sending Binding Refresh Requests . . . . . . . . . . 90 160 9.6. Cache Replacement Policy . . . . . . . . . . . . . . . . 90 161 10. Home Agent Operation . . . . . . . . . . . . . . . . . . . . 92 162 10.1. Conceptual Data Structures . . . . . . . . . . . . . . . 92 163 10.2. Processing Mobility Headers . . . . . . . . . . . . . . 93 164 10.3. Processing Bindings . . . . . . . . . . . . . . . . . . 93 165 10.3.1. Primary Care-of Address Registration . . . . . . . . 93 166 10.3.2. Primary Care-of Address De-Registration . . . . . . . 97 167 10.4. Packet Processing . . . . . . . . . . . . . . . . . . . 98 168 10.4.1. Intercepting Packets for a Mobile Node . . . . . . . 98 169 10.4.2. Processing Intercepted Packets . . . . . . . . . . . 100 170 10.4.3. Multicast Membership Control . . . . . . . . . . . . 101 171 10.4.4. Stateful Address Autoconfiguration . . . . . . . . . 102 172 10.4.5. Handling Reverse Tunneled Packets . . . . . . . . . . 103 173 10.4.6. Protecting Return Routability Packets . . . . . . . . 103 174 10.5. Dynamic Home Agent Address Discovery . . . . . . . . . . 104 175 10.5.1. Receiving Router Advertisement Messages . . . . . . . 104 176 10.6. Sending Prefix Information to the Mobile Node . . . . . 107 177 10.6.1. List of Home Network Prefixes . . . . . . . . . . . . 107 178 10.6.2. Scheduling Prefix Deliveries . . . . . . . . . . . . 107 179 10.6.3. Sending Advertisements . . . . . . . . . . . . . . . 109 180 10.6.4. Lifetimes for Changed Prefixes . . . . . . . . . . . 110 181 11. Mobile Node Operation . . . . . . . . . . . . . . . . . . . . 111 182 11.1. Conceptual Data Structures . . . . . . . . . . . . . . . 111 183 11.2. Processing Mobility Headers . . . . . . . . . . . . . . 112 184 11.3. Packet Processing . . . . . . . . . . . . . . . . . . . 113 185 11.3.1. Sending Packets While Away from Home . . . . . . . . 113 186 11.3.2. Interaction with Outbound IPsec Processing . . . . . 116 187 11.3.3. Receiving Packets While Away from Home . . . . . . . 118 188 11.3.4. Routing Multicast Packets . . . . . . . . . . . . . . 119 189 11.3.5. Receiving ICMP Error Messages . . . . . . . . . . . . 121 190 11.3.6. Receiving Binding Error Messages . . . . . . . . . . 121 191 11.4. Home Agent and Prefix Management . . . . . . . . . . . . 122 192 11.4.1. Dynamic Home Agent Address Discovery . . . . . . . . 122 193 11.4.2. Sending Mobile Prefix Solicitations . . . . . . . . . 123 194 11.4.3. Receiving Mobile Prefix Advertisements . . . . . . . 124 195 11.5. Movement . . . . . . . . . . . . . . . . . . . . . . . . 125 196 11.5.1. Movement Detection . . . . . . . . . . . . . . . . . 125 197 11.5.2. Home Link Detection . . . . . . . . . . . . . . . . . 128 198 11.5.3. Forming New Care-of Addresses . . . . . . . . . . . . 128 199 11.5.4. Using Multiple Care-of Addresses . . . . . . . . . . 129 200 11.5.5. Returning Home . . . . . . . . . . . . . . . . . . . 130 201 11.6. Return Routability Procedure . . . . . . . . . . . . . . 132 202 11.6.1. Sending Test Init Messages . . . . . . . . . . . . . 132 203 11.6.2. Receiving Test Messages . . . . . . . . . . . . . . . 133 204 11.6.3. Protecting Return Routability Packets . . . . . . . . 134 205 11.7. Processing Bindings . . . . . . . . . . . . . . . . . . 134 206 11.7.1. Sending Binding Updates to the Home Agent . . . . . . 134 207 11.7.2. Correspondent Registration . . . . . . . . . . . . . 137 208 11.7.3. Receiving Binding Acknowledgements . . . . . . . . . 140 209 11.7.4. Receiving Binding Refresh Requests . . . . . . . . . 142 210 11.8. Retransmissions and Rate Limiting . . . . . . . . . . . 143 211 12. Protocol Constants . . . . . . . . . . . . . . . . . . . . . 145 212 13. Protocol Configuration Variables . . . . . . . . . . . . . . 146 213 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 147 214 15. Security Considerations . . . . . . . . . . . . . . . . . . . 150 215 15.1. Threats . . . . . . . . . . . . . . . . . . . . . . . . 150 216 15.2. Features . . . . . . . . . . . . . . . . . . . . . . . . 152 217 15.3. Binding Updates to Home Agent . . . . . . . . . . . . . 154 218 15.4. Binding Updates to Correspondent Nodes . . . . . . . . . 156 219 15.4.1. Overview . . . . . . . . . . . . . . . . . . . . . . 156 220 15.4.2. Achieved Security Properties . . . . . . . . . . . . 157 221 15.4.3. Comparison to Regular IPv6 Communications . . . . . . 158 222 15.4.4. Replay Attacks . . . . . . . . . . . . . . . . . . . 160 223 15.4.5. Denial-of-Service Attacks . . . . . . . . . . . . . . 160 224 15.4.6. Key Lengths . . . . . . . . . . . . . . . . . . . . . 161 225 15.5. Dynamic Home Agent Address Discovery . . . . . . . . . . 162 226 15.6. Mobile Prefix Discovery . . . . . . . . . . . . . . . . 163 227 15.7. Tunneling via the Home Agent . . . . . . . . . . . . . . 163 228 15.8. Home Address Option . . . . . . . . . . . . . . . . . . 164 229 15.9. Type 2 Routing Header . . . . . . . . . . . . . . . . . 164 230 15.10. SHA-1 Secure Enough for Mobile IPv6 Control Messages . . 165 231 16. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 166 232 17. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 167 233 18. References . . . . . . . . . . . . . . . . . . . . . . . . . 168 234 18.1. Normative References . . . . . . . . . . . . . . . . . . 168 235 18.2. Informative References . . . . . . . . . . . . . . . . . 169 236 Appendix A. Future Extensions . . . . . . . . . . . . . . . . . 172 237 A.1. Piggybacking . . . . . . . . . . . . . . . . . . . . . . 172 238 A.2. Triangular Routing . . . . . . . . . . . . . . . . . . . 172 239 A.3. New Authorization Methods . . . . . . . . . . . . . . . 172 240 A.4. Neighbor Discovery Extensions . . . . . . . . . . . . . 172 241 Appendix B. Changes since RFC 3775 . . . . . . . . . . . . . . . 174 242 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 177 244 1. Introduction 246 This document specifies a protocol which allows nodes to remain 247 reachable while moving around in the IPv6 Internet. Without specific 248 support for mobility in IPv6 [6], packets destined to a mobile node 249 would not be able to reach it while the mobile node is away from its 250 home link. In order to continue communication in spite of its 251 movement, a mobile node could change its IP address each time it 252 moves to a new link, but the mobile node would then not be able to 253 maintain transport and higher-layer connections when it changes 254 location. Mobility support in IPv6 is particularly important, as 255 mobile computers are likely to account for a majority or at least a 256 substantial fraction of the population of the Internet during the 257 lifetime of IPv6. 259 The protocol defined in this document, known as Mobile IPv6, allows a 260 mobile node to move from one link to another without changing the 261 mobile node's "home address". Packets may be routed to the mobile 262 node using this address regardless of the mobile node's current point 263 of attachment to the Internet. The mobile node may also continue to 264 communicate with other nodes (stationary or mobile) after moving to a 265 new link. The movement of a mobile node away from its home link is 266 thus transparent to transport and higher-layer protocols and 267 applications. 269 The Mobile IPv6 protocol is just as suitable for mobility across 270 homogeneous media as for mobility across heterogeneous media. For 271 example, Mobile IPv6 facilitates node movement from one Ethernet 272 segment to another as well as it facilitates node movement from an 273 Ethernet segment to a wireless LAN cell, with the mobile node's IP 274 address remaining unchanged in spite of such movement. 276 One can think of the Mobile IPv6 protocol as solving the network- 277 layer mobility management problem. Some mobility management 278 applications -- for example, handover among wireless transceivers, 279 each of which covers only a very small geographic area -- have been 280 solved using link-layer techniques. For example, in many current 281 wireless LAN products, link-layer mobility mechanisms allow a 282 "handover" of a mobile node from one cell to another, re-establishing 283 link-layer connectivity to the node in each new location. 285 Mobile IPv6 does not attempt to solve all general problems related to 286 the use of mobile computers or wireless networks. In particular, 287 this protocol does not attempt to solve: 289 o Handling links with unidirectional connectivity or partial 290 reachability, such as the hidden terminal problem where a host is 291 hidden from only some of the routers on the link. 293 o Access control on a link being visited by a mobile node. 295 o Local or hierarchical forms of mobility management (similar to 296 many current link-layer mobility management solutions). 298 o Assistance for adaptive applications. 300 o Mobile routers. 302 o Service Discovery. 304 o Distinguishing between packets lost due to bit errors vs. network 305 congestion. 307 This document obsoletes RFC 3775. Issues with the original document 308 have been observed during integration, testing and deployment of RFC 309 3775. A more detailed list of the changes since RFC 3775 may be 310 found in Appendix B. 312 2. Comparison with Mobile IP for IPv4 314 The design of Mobile IP support in IPv6 (Mobile IPv6) benefits both 315 from the experiences gained from the development of Mobile IP support 316 in IPv4 (Mobile IPv4) [31] [25] [26], and from the opportunities 317 provided by IPv6. Mobile IPv6 thus shares many features with Mobile 318 IPv4, but is integrated into IPv6 and offers many other improvements. 319 This section summarizes the major differences between Mobile IPv4 and 320 Mobile IPv6: 322 o There is no need to deploy special routers as "foreign agents", as 323 in Mobile IPv4. Mobile IPv6 operates in any location without any 324 special support required from the local router. 326 o Support for route optimization is a fundamental part of the 327 protocol, rather than a nonstandard set of extensions. 329 o Mobile IPv6 route optimization can operate securely even without 330 pre-arranged security associations. It is expected that route 331 optimization can be deployed on a global scale between all mobile 332 nodes and correspondent nodes. 334 o Support is also integrated into Mobile IPv6 for allowing route 335 optimization to coexist efficiently with routers that perform 336 "ingress filtering" [27]. 338 o The IPv6 Neighbor Unreachability Detection assures symmetric 339 reachability between the mobile node and its default router in the 340 current location. 342 o Most packets sent to a mobile node while away from home in Mobile 343 IPv6 are sent using an IPv6 routing header rather than IP 344 encapsulation, reducing the amount of resulting overhead compared 345 to Mobile IPv4. 347 o Mobile IPv6 is decoupled from any particular link layer, as it 348 uses IPv6 Neighbor Discovery [18] instead of ARP. This also 349 improves the robustness of the protocol. 351 o The use of IPv6 encapsulation (and the routing header) removes the 352 need in Mobile IPv6 to manage "tunnel soft state". 354 o The dynamic home agent address discovery mechanism in Mobile IPv6 355 returns a single reply to the mobile node. The directed broadcast 356 approach used in IPv4 returns separate replies from each home 357 agent. 359 3. Terminology 361 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 362 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 363 document are to be interpreted as described in RFC 2119 [2]. 365 3.1. General Terms 367 IP 369 Internet Protocol Version 6 (IPv6). 371 node 373 A device that implements IP. 375 router 377 A node that forwards IP packets not explicitly addressed to 378 itself. 380 unicast routable address 382 An identifier for a single interface such that a packet sent to it 383 from another IPv6 subnet is delivered to the interface identified 384 by that address. Accordingly, a unicast routable address must 385 either be global IPv6 address or a unique local IPv6 address. 387 host 389 Any node that is not a router. 391 link 393 A communication facility or medium over which nodes can 394 communicate at the link layer, such as an Ethernet (simple or 395 bridged). A link is the layer immediately below IP. 397 interface 399 A node's attachment to a link. 401 subnet prefix 403 A bit string that consists of some number of initial bits of an IP 404 address. 406 interface identifier 408 A number used to identify a node's interface on a link. The 409 interface identifier is the remaining low-order bits in the node's 410 IP address after the subnet prefix. 412 link-layer address 414 A link-layer identifier for an interface, such as IEEE 802 415 addresses on Ethernet links. 417 packet 419 An IP header plus payload. 421 security association 423 An IPsec security association is a cooperative relationship formed 424 by the sharing of cryptographic keying material and associated 425 context. Security associations are simplex. That is, two 426 security associations are needed to protect bidirectional traffic 427 between two nodes, one for each direction. 429 security policy database 431 A database that specifies what security services are to be offered 432 to IP packets and in what fashion. 434 destination option 436 Destination options are carried by the IPv6 Destination Options 437 extension header. Destination options include optional 438 information that need be examined only by the IPv6 node given as 439 the destination address in the IPv6 header, not by routers in 440 between. Mobile IPv6 defines one new destination option, the Home 441 Address destination option (see Section 6.3). 443 routing header 445 A routing header may be present as an IPv6 header extension, and 446 indicates that the payload has to be delivered to a destination 447 IPv6 address in some way that is different from what would be 448 carried out by standard Internet routing. In this document, use 449 of the term "routing header" typically refers to use of a type 2 450 routing header, as specified in Section 6.4. 452 "|" (concatenation) 454 Some formulas in this specification use the symbol "|" to indicate 455 bytewise concatenation, as in A | B. This concatenation requires 456 that all of the octets of the datum A appear first in the result, 457 followed by all of the octets of the datum B. 459 First (size, input) 461 Some formulas in this specification use a functional form "First 462 (size, input)" to indicate truncation of the "input" data so that 463 only the first "size" bits remain to be used. 465 3.2. Mobile IPv6 Terms 467 These terms are intended to be compatible with the definitions given 468 in RFC 3753[39]. However, if there is any conflict, the definitions 469 given here should be considered to supersede those in RFC 3753. 471 home address 473 A unicast routable address assigned to a mobile node, used as the 474 permanent address of the mobile node. This address is within the 475 mobile node's home link. Standard IP routing mechanisms will 476 deliver packets destined for a mobile node's home address to its 477 home link. Mobile nodes can have multiple home addresses, for 478 instance when there are multiple home prefixes on the home link. 480 home subnet prefix 482 The IP subnet prefix corresponding to a mobile node's home 483 address. 485 home link 487 The link on which a mobile node's home subnet prefix is defined. 489 mobile node 491 A node that can change its point of attachment from one link to 492 another, while still being reachable via its home address. 494 movement 496 A change in a mobile node's point of attachment to the Internet 497 such that it is no longer connected to the same link as it was 498 previously. If a mobile node is not currently attached to its 499 home link, the mobile node is said to be "away from home". 501 L2 handover 503 A process by which the mobile node changes from one link-layer 504 connection to another. For example, a change of wireless access 505 point is a L2 handover. 507 L3 handover 509 Subsequent to a L2 handover, a mobile node detects a change in an 510 on-link subnet prefix that would require a change in the primary 511 care-of address. For example, a change of access router 512 subsequent to a change of wireless access point typically results 513 in an L3 handover. 515 correspondent node 517 A peer node with which a mobile node is communicating. The 518 correspondent node may be either mobile or stationary. 520 foreign subnet prefix 522 Any IP subnet prefix other than the mobile node's home subnet 523 prefix. 525 foreign link 527 Any link other than the mobile node's home link. 529 care-of address 531 A unicast routable address associated with a mobile node while 532 visiting a foreign link; the subnet prefix of this IP address is a 533 foreign subnet prefix. Among the multiple care-of addresses that 534 a mobile node may have at any given time (e.g., with different 535 subnet prefixes), the one registered with the mobile node's home 536 agent for a given home address is called its "primary" care-of 537 address. 539 home agent 541 A router on a mobile node's home link with which the mobile node 542 has registered its current care-of address. While the mobile node 543 is away from home, the home agent intercepts packets on the home 544 link destined to the mobile node's home address, encapsulates 545 them, and tunnels them to the mobile node's registered care-of 546 address. 548 binding 550 The association of the home address of a mobile node with a 551 care-of address for that mobile node, along with the remaining 552 lifetime of that association. 554 registration 556 The process during which a mobile node sends a Binding Update to 557 its home agent or a correspondent node, causing a binding for the 558 mobile node to be registered. 560 mobility message 562 A message containing a Mobility Header (see Section 6.1). 564 binding authorization 566 Correspondent registration needs to be authorized to allow the 567 recipient to believe that the sender has the right to specify a 568 new binding. 570 return routability procedure 572 The return routability procedure authorizes registrations by the 573 use of a cryptographic token exchange. 575 correspondent registration 577 A return routability procedure followed by a registration, run 578 between the mobile node and a correspondent node. 580 home registration 582 A registration between the mobile node and its home agent, 583 authorized by the use of IPsec. 585 nonce 587 Nonces are random numbers used internally by the correspondent 588 node in the creation of keygen tokens related to the return 589 routability procedure. The nonces are not specific to a mobile 590 node, and are kept secret within the correspondent node. 592 nonce index 594 A nonce index is used to indicate which nonces have been used when 595 creating keygen token values, without revealing the nonces 596 themselves. 598 cookie 600 A cookie is a random number used by a mobile node to prevent 601 spoofing by a bogus correspondent node in the return routability 602 procedure. 604 care-of init cookie 606 A cookie sent to the correspondent node in the Care-of Test Init 607 message, to be returned in the Care-of Test message. 609 home init cookie 611 A cookie sent to the correspondent node in the Home Test Init 612 message, to be returned in the Home Test message. 614 keygen token 616 A keygen token is a number supplied by a correspondent node in the 617 return routability procedure to enable the mobile node to compute 618 the necessary binding management key for authorizing a Binding 619 Update. 621 care-of keygen token 623 A keygen token sent by the correspondent node in the Care-of Test 624 message. 626 home keygen token 628 A keygen token sent by the correspondent node in the Home Test 629 message. 631 binding management key (Kbm) 633 A binding management key (Kbm) is a key used for authorizing a 634 binding cache management message (e.g., Binding Update or Binding 635 Acknowledgement). Return routability provides a way to create a 636 binding management key. 638 4. Overview of Mobile IPv6 640 4.1. Basic Operation 642 A mobile node is always expected to be addressable at its home 643 address, whether it is currently attached to its home link or is away 644 from home. The "home address" is an IP address assigned to the 645 mobile node within its home subnet prefix on its home link. While a 646 mobile node is at home, packets addressed to its home address are 647 routed to the mobile node's home link, using conventional Internet 648 routing mechanisms. 650 While a mobile node is attached to some foreign link away from home, 651 it is also addressable at one or more care-of addresses. A care-of 652 address is an IP address associated with a mobile node that has the 653 subnet prefix of a particular foreign link. The mobile node can 654 acquire its care-of address through conventional IPv6 mechanisms, 655 such as stateless or stateful auto-configuration. As long as the 656 mobile node stays in this location, packets addressed to this care-of 657 address will be routed to the mobile node. The mobile node may also 658 accept packets from several care-of addresses, such as when it is 659 moving but still reachable at the previous link. 661 The association between a mobile node's home address and care-of 662 address is known as a "binding" for the mobile node. While away from 663 home, a mobile node registers its primary care-of address with a 664 router on its home link, requesting this router to function as the 665 "home agent" for the mobile node. The mobile node performs this 666 binding registration by sending a "Binding Update" message to the 667 home agent. The home agent replies to the mobile node by returning a 668 "Binding Acknowledgement" message. The operation of the mobile node 669 is specified in Section 11, and the operation of the home agent is 670 specified in Section 10. 672 Any node communicating with a mobile node is referred to in this 673 document as a "correspondent node" of the mobile node, and may itself 674 be either a stationary node or a mobile node. Mobile nodes can 675 provide information about their current location to correspondent 676 nodes. This happens through the correspondent registration. As a 677 part of this procedure, a return routability test is performed in 678 order to authorize the establishment of the binding. The operation 679 of the correspondent node is specified in Section 9. 681 There are two possible modes for communications between the mobile 682 node and a correspondent node. The first mode, bidirectional 683 tunneling, does not require Mobile IPv6 support from the 684 correspondent node and is available even if the mobile node has not 685 registered its current binding with the correspondent node. Packets 686 from the correspondent node are routed to the home agent and then 687 tunneled to the mobile node. Packets to the correspondent node are 688 tunneled from the mobile node to the home agent ("reverse tunneled") 689 and then routed normally from the home network to the correspondent 690 node. In this mode, the home agent uses proxy Neighbor Discovery to 691 intercept any IPv6 packets addressed to the mobile node's home 692 address (or home addresses) on the home link. Each intercepted 693 packet is tunneled to the mobile node's primary care-of address. 694 This tunneling is performed using IPv6 encapsulation [7]. 696 The second mode, "route optimization", requires the mobile node to 697 register its current binding at the correspondent node. Packets from 698 the correspondent node can be routed directly to the care-of address 699 of the mobile node. When sending a packet to any IPv6 destination, 700 the correspondent node checks its cached bindings for an entry for 701 the packet's destination address. If a cached binding for this 702 destination address is found, the node uses a new type of IPv6 703 routing header [6] (see Section 6.4) to route the packet to the 704 mobile node by way of the care-of address indicated in this binding. 706 Routing packets directly to the mobile node's care-of address allows 707 the shortest communications path to be used. It also eliminates 708 congestion at the mobile node's home agent and home link. In 709 addition, the impact of temporary failures of the home agent or 710 networks on the path to or from the home agent is reduced. 712 When routing packets directly to the mobile node, the correspondent 713 node sets the Destination Address in the IPv6 header to the care-of 714 address of the mobile node. A new type of IPv6 routing header (see 715 Section 6.4) is also added to the packet to carry the desired home 716 address. Similarly, the mobile node sets the Source Address in the 717 packet's IPv6 header to its current care-of addresses. The mobile 718 node adds a new IPv6 "Home Address" destination option (see 719 Section 6.3) to carry its home address. The inclusion of home 720 addresses in these packets makes the use of the care-of address 721 transparent above the network layer (e.g., at the transport layer). 723 Mobile IPv6 also provides support for multiple home agents, and a 724 limited support for the reconfiguration of the home network. In 725 these cases, the mobile node may not know the IP address of its own 726 home agent, and even the home subnet prefixes may change over time. 727 A mechanism, known as "dynamic home agent address discovery" allows a 728 mobile node to dynamically discover the IP address of a home agent on 729 its home link, even when the mobile node is away from home. Mobile 730 nodes can also learn new information about home subnet prefixes 731 through the "mobile prefix discovery" mechanism. These mechanisms 732 are described starting from Section 6.5. 734 This document is written under the assumption that the mobile node is 735 configured with the home prefix for the mobile node to be able to 736 discover a home agent and configure a home address. This might be 737 limiting in deployments where the home agent and the home address for 738 the mobile node needs to be assigned dynamically. Additional 739 mechanisms have been specified for the mobile node to dynamically 740 configure a home agent, a home address and the home prefix. These 741 mechanisms are described in "Mobile IPv6 Bootstrapping in Split 742 Scenario" [22] and "MIP6 bootstrapping for the Integrated Scenario" 743 [35]. 745 4.2. New IPv6 Protocol 747 Mobile IPv6 defines a new IPv6 protocol, using the Mobility Header 748 (see Section 6.1). This Header is used to carry the following 749 messages: 751 Home Test Init 753 Home Test 755 Care-of Test Init 757 Care-of Test 759 These four messages are used to perform the return routability 760 procedure from the mobile node to a correspondent node. This 761 ensures authorization of subsequent Binding Updates, as described 762 in Section 5.2.5. 764 Binding Update 766 A Binding Update is used by a mobile node to notify a 767 correspondent node or the mobile node's home agent of its current 768 binding. The Binding Update sent to the mobile node's home agent 769 to register its primary care-of address is marked as a "home 770 registration". 772 Binding Acknowledgement 774 A Binding Acknowledgement is used to acknowledge receipt of a 775 Binding Update, if an acknowledgement was requested in the Binding 776 Update (e.g., the Binding Update was sent to a home agent), or an 777 error occurred. 779 Binding Refresh Request 781 A Binding Refresh Request is used by a correspondent node to 782 request that a mobile node re-establish its binding with the 783 correspondent node. This message is typically used when the 784 cached binding is in active use but the binding's lifetime is 785 close to expiration. The correspondent node may use, for 786 instance, recent traffic and open transport layer connections as 787 an indication of active use. 789 Binding Error 791 The Binding Error is used by the correspondent node to signal an 792 error related to mobility, such as an inappropriate attempt to use 793 the Home Address destination option without an existing binding. 794 The Binding Error message is also used by the Home Agent to signal 795 an error to the mobile node, if it receives an unrecognized 796 Mobility Header Message Type from the mobile node. 798 4.3. New IPv6 Destination Option 800 Mobile IPv6 defines a new IPv6 destination option, the Home Address 801 destination option. This option is described in detail in 802 Section 6.3. 804 4.4. New IPv6 ICMP Messages 806 Mobile IPv6 also introduces four new ICMP message types, two for use 807 in the dynamic home agent address discovery mechanism, and two for 808 renumbering and mobile configuration mechanisms. As described in 809 Section 10.5 and Section 11.4.1, the following two new ICMP message 810 types are used for home agent address discovery: 812 o Home Agent Address Discovery Request, described in Section 6.5. 814 o Home Agent Address Discovery Reply, described in Section 6.6. 816 The next two message types are used for network renumbering and 817 address configuration on the mobile node, as described in 818 Section 10.6: 820 o Mobile Prefix Solicitation, described in Section 6.7. 822 o Mobile Prefix Advertisement, described in Section 6.8. 824 4.5. Conceptual Data Structure Terminology 826 This document describes the Mobile IPv6 protocol in terms of the 827 following conceptual data structures: 829 Binding Cache 831 A cache of bindings for other nodes. This cache is maintained by 832 home agents and correspondent nodes. The cache contains both 833 "correspondent registration" entries (see Section 9.1) and "home 834 registration" entries (see Section 10.1). 836 Binding Update List 838 This list is maintained by each mobile node. The list has an item 839 for every binding that the mobile node has or is trying to 840 establish with a specific other node. Both correspondent and home 841 registrations are included in this list. Entries from the list 842 are deleted as the lifetime of the binding expires. See 843 Section 11.1. 845 Home Agents List 847 Home agents need to know which other home agents are on the same 848 link. This information is stored in the Home Agents List, as 849 described in more detail in Section 10.1. The list is used for 850 informing mobile nodes during dynamic home agent address 851 discovery. 853 4.6. Unique-Local Addressability 855 This specification requires that home and care-of addresses MUST be 856 unicast routable addresses. Unique-local IPv6 unicast addresses 857 (ULAs) RFC4193 [15] may be usable on networks that use such non- 858 globally routable addresses but this specification does not define 859 when such usage is safe and when it is not. Mobile nodes may not be 860 able to distinguish between their home site and the site at which 861 they are currently located. This can make it hard to prevent 862 accidental attachment to other sites, because the mobile node might 863 use the ULA at another site, which could not be used to successfully 864 send packets to the mobile node's HA. This would result in 865 unreachability between the MN and the HA, when unique-local IPv6 866 routable addresses are used as care-of addresses. Similarly, CNs 867 outside the MN's own site will not be reachable when ULAs are used as 868 home addresses. Therefore, unique-local IPv6 unicast addresses 869 SHOULD NOT be used as home or care-of addresses when other address 870 choices are available. If such addresses are used, however, 871 according to RFC4193 [15], they are treated as any global unicast 872 IPv6 address so, for the remainder of this specification, use of 873 unique-local IPv6 unicast addresses is not differentiated from other 874 globally unique IPv6 addresses. 876 5. Overview of Mobile IPv6 Security 878 This specification provides a number of security features. These 879 include the protection of Binding Updates both to home agents and 880 correspondent nodes, the protection of mobile prefix discovery, and 881 the protection of the mechanisms that Mobile IPv6 uses for 882 transporting data packets. 884 Binding Updates are protected by the use of IPsec extension headers, 885 or by the use of the Binding Authorization Data option. This option 886 employs a binding management key, Kbm, which can be established 887 through the return routability procedure. Mobile prefix discovery is 888 protected through the use of IPsec extension headers. Mechanisms 889 related to transporting payload packets - such as the Home Address 890 destination option and type 2 routing header - have been specified in 891 a manner which restricts their use in attacks. 893 5.1. Binding Updates to Home Agents 895 The mobile node and the home agent MUST use an IPsec security 896 association to protect the integrity and authenticity of the Binding 897 Updates and Acknowledgements. Both the mobile nodes and the home 898 agents MUST support and SHOULD use the Encapsulating Security Payload 899 (ESP) [5] header in transport mode and MUST use a non-NULL payload 900 authentication algorithm to provide data origin authentication, 901 connectionless integrity and optional anti-replay protection. Note 902 that Authentication Header (AH) [4] is also possible but for brevity 903 not discussed in this specification. 905 In order to protect messages exchanged between the mobile node and 906 the home agent with IPsec, appropriate security policy database 907 entries must be created. A mobile node must be prevented from using 908 its security association to send a Binding Update on behalf of 909 another mobile node using the same home agent. This MUST be achieved 910 by having the home agent check that the given home address has been 911 used with the right security association. Such a check is provided 912 in the IPsec processing, by having the security policy database 913 entries unequivocally identify a single security association for 914 protecting Binding Updates between any given home address and home 915 agent. In order to make this possible, it is necessary that the home 916 address of the mobile node is visible in the Binding Updates and 917 Acknowledgements. The home address is used in these packets as a 918 source or destination, or in the Home Address destination option or 919 the type 2 routing header. 921 As with all IPsec security associations in this specification, manual 922 configuration of security associations MUST be supported. The shared 923 secrets used MUST be random and unique for different mobile nodes, 924 and MUST be distributed off-line to the mobile nodes. Automatic key 925 management with IKEv2 [24] MAY be supported as described in [20]. 927 Section 11.3.2 discusses how IKEv2 connections to the home agent need 928 a careful treatment of the addresses used for transporting IKEv2. 929 This is necessary to ensure that a Binding Update is not needed 930 before the IKEv2 exchange which is needed for securing the Binding 931 Update. 933 More detailed descriptions and examples using IPsec to protect 934 communications between the mobile node and the home agent have been 935 published [12][20]. 937 5.2. Binding Updates to Correspondent Nodes 939 The protection of Binding Updates sent to correspondent nodes does 940 not require the configuration of security associations or the 941 existence of an authentication infrastructure between the mobile 942 nodes and correspondent nodes. Instead, a method called the return 943 routability procedure is used to assure that the right mobile node is 944 sending the message. This method does not protect against attackers 945 who are on the path between the home network and the correspondent 946 node. However, attackers in such a location are capable of 947 performing the same attacks even without Mobile IPv6. The main 948 advantage of the return routability procedure is that it limits the 949 potential attackers to those having an access to one specific path in 950 the Internet, and avoids forged Binding Updates from anywhere else in 951 the Internet. For a more in depth explanation of the security 952 properties of the return routability procedure, see Section 15. 953 Also, consult [42] 955 The integrity and authenticity of the Binding Update messages to 956 correspondent nodes is protected by using a keyed-hash algorithm. 957 The binding management key, Kbm, is used to key the hash algorithm 958 for this purpose. Kbm is established using data exchanged during the 959 return routability procedure. The data exchange is accomplished by 960 use of node keys, nonces, cookies, tokens, and certain cryptographic 961 functions. Section 5.2.5 outlines the basic return routability 962 procedure. Section 5.2.6 shows how the results of this procedure are 963 used to authorize a Binding Update to a correspondent node. 965 5.2.1. Node Keys 967 Each correspondent node has a secret key, Kcn, called the "node key", 968 which it uses to produce the keygen tokens sent to the mobile nodes. 969 The node key MUST be a random number, 20 octets in length. The node 970 key allows the correspondent node to verify that the keygen tokens 971 used by the mobile node in authorizing a Binding Update are indeed 972 its own. This key MUST NOT be shared with any other entity. 974 A correspondent node MAY generate a fresh node key at any time; this 975 avoids the need for secure persistent key storage. Procedures for 976 optionally updating the node key are discussed later in 977 Section 5.2.7. 979 5.2.2. Nonces 981 Each correspondent node also generates nonces at regular intervals. 982 The nonces should be generated by using a random number generator 983 that is known to have good randomness properties [14]. A 984 correspondent node may use the same Kcn and nonce with all the 985 mobiles it is in communication with. 987 Each nonce is identified by a nonce index. When a new nonce is 988 generated, it must be associated with a new nonce index; this may be 989 done, for example, by incrementing the value of the previous nonce 990 index, if the nonce index is used as an array pointer into a linear 991 array of nonces. However, there is no requirement that nonces be 992 stored that way, or that the values of subsequent nonce indices have 993 any particular relationship to each other. The index value is 994 communicated in the protocol, so that if a nonce is replaced by new 995 nonce during the run of a protocol, the correspondent node can 996 distinguish messages that should be checked against the old nonce 997 from messages that should be checked against the new nonce. Strictly 998 speaking, indices are not necessary in the authentication, but allow 999 the correspondent node to efficiently find the nonce value that it 1000 used in creating a keygen token. 1002 Correspondent nodes keep both the current nonce and a small set of 1003 valid previous nonces whose lifetime has not yet expired. Expired 1004 values MUST be discarded, and messages using stale or unknown indices 1005 will be rejected. 1007 The specific nonce index values cannot be used by mobile nodes to 1008 determine the validity of the nonce. Expected validity times for the 1009 nonces values and the procedures for updating them are discussed 1010 later in Section 5.2.7. 1012 A nonce is an octet string of any length. The recommended length is 1013 64 bits. 1015 5.2.3. Cookies and Tokens 1017 The return routability address test procedure uses cookies and keygen 1018 tokens as opaque values within the test init and test messages, 1019 respectively. 1021 o The "home init cookie" and "care-of init cookie" are 64 bit values 1022 sent to the correspondent node from the mobile node, and later 1023 returned to the mobile node. The home init cookie is sent in the 1024 Home Test Init message, and returned in the Home Test message. 1025 The care-of init cookie is sent in the Care-of Test Init message, 1026 and returned in the Care-of Test message. 1028 o The "home keygen token" and "care-of keygen token" are 64-bit 1029 values sent by the correspondent node to the mobile node via the 1030 home agent (via the Home Test message) and the care-of address (by 1031 the Care-of Test message), respectively. 1033 The mobile node should set the home init or care-of init cookie to a 1034 newly generated random number in every Home or Care-of Test Init 1035 message it sends. The cookies are used to verify that the Home Test 1036 or Care-of Test message matches the Home Test Init or Care-of Test 1037 Init message, respectively. These cookies also serve to ensure that 1038 parties who have not seen the request cannot spoof responses. 1040 Home and care-of keygen tokens are produced by the correspondent node 1041 based on its currently active secret key (Kcn) and nonces, as well as 1042 the home or care-of address (respectively). A keygen token is valid 1043 as long as both the secret key (Kcn) and the nonce used to create it 1044 are valid. 1046 5.2.4. Cryptographic Functions 1048 By default in this specification, the function used to compute hash 1049 values is SHA-1 [11], which is considered to offer sufficient 1050 protection for Mobile IPv6 control messages (see Section 15.10). 1051 Message Authentication Codes (MACs) are then computed using HMAC_SHA1 1052 [1][11]. HMAC_SHA1(K,m) denotes such a MAC computed on message m 1053 with key K. 1055 5.2.5. Return Routability Procedure 1057 The Return Routability Procedure enables the correspondent node to 1058 obtain some reasonable assurance that the mobile node is in fact 1059 addressable at its claimed care-of address as well as at its home 1060 address. Only with this assurance is the correspondent node able to 1061 accept Binding Updates from the mobile node which would then instruct 1062 the correspondent node to direct that mobile node's data traffic to 1063 its claimed care-of address. 1065 This is done by testing whether packets addressed to the two claimed 1066 addresses are routed to the mobile node. The mobile node can pass 1067 the test only if it is able to supply proof that it received certain 1068 data (the "keygen tokens") which the correspondent node sends to 1069 those addresses. These data are combined by the mobile node into a 1070 binding management key, denoted Kbm. 1072 The figure below shows the message flow for the return routability 1073 procedure. 1075 Mobile node Home agent Correspondent node 1076 | | 1077 | Home Test Init (HoTI) | | 1078 |------------------------->|------------------------->| 1079 | | | 1080 | Care-of Test Init (CoTI) | 1081 |---------------------------------------------------->| 1082 | | 1083 | | Home Test (HoT) | 1084 |<-------------------------|<-------------------------| 1085 | | | 1086 | Care-of Test (CoT) | 1087 |<----------------------------------------------------| 1088 | | 1090 The Home and Care-of Test Init messages are sent at the same time. 1091 The procedure requires very little processing at the correspondent 1092 node, and the Home and Care-of Test messages can be returned quickly, 1093 perhaps nearly simultaneously. These four messages form the return 1094 routability procedure. 1096 Home Test Init 1098 A mobile node sends a Home Test Init message to the correspondent 1099 node (via the home agent) to acquire the home keygen token. The 1100 contents of the message can be summarized as follows: 1102 * Source Address = home address 1104 * Destination Address = correspondent 1106 * Parameters: 1108 + home init cookie 1110 The Home Test Init message conveys the mobile node's home address 1111 to the correspondent node. The mobile node also sends along a 1112 home init cookie that the correspondent node must return later. 1113 The Home Test Init message is reverse tunneled through the home 1114 agent. (The headers and addresses related to reverse tunneling 1115 have been omitted from the above discussion of the message 1116 contents.) The mobile node remembers these cookie values to 1117 obtain some assurance that its protocol messages are being 1118 processed by the desired correspondent node. 1120 Care-of Test Init 1122 The mobile node sends a Care-of Test Init message to the 1123 correspondent node (directly, not via the home agent) to acquire 1124 the care-of keygen token. The contents of this message can be 1125 summarized as follows: 1127 * Source Address = care-of address 1129 * Destination Address = correspondent 1131 * Parameters: 1133 + care-of init cookie 1135 The Care-of Test Init message conveys the mobile node's care-of 1136 address to the correspondent node. The mobile node also sends 1137 along a care-of init cookie that the correspondent node must 1138 return later. The Care-of Test Init message is sent directly to 1139 the correspondent node. 1141 Home Test 1143 The Home Test message is sent in response to a Home Test Init 1144 message. It is sent via the home agent. The contents of the 1145 message are: 1147 * Source Address = correspondent 1149 * Destination Address = home address 1151 * Parameters: 1153 + home init cookie 1155 + home keygen token 1157 + home nonce index 1159 When the correspondent node receives the Home Test Init message, 1160 it generates a home keygen token as follows: 1162 home keygen token := 1163 First (64, HMAC_SHA1 (Kcn, (home address | nonce | 0))) 1165 where | denotes concatenation. The final "0" inside the HMAC_SHA1 1166 function is a single zero octet, used to distinguish home and 1167 care-of cookies from each other. 1169 The home keygen token is formed from the first 64 bits of the MAC. 1170 The home keygen token tests that the mobile node can receive 1171 messages sent to its home address. Kcn is used in the production 1172 of home keygen token in order to allow the correspondent node to 1173 verify that it generated the home and care-of nonces, without 1174 forcing the correspondent node to remember a list of all tokens it 1175 has handed out. 1177 The Home Test message is sent to the mobile node via the home 1178 network, where it is presumed that the home agent will tunnel the 1179 message to the mobile node. This means that the mobile node needs 1180 to already have sent a Binding Update to the home agent, so that 1181 the home agent will have received and authorized the new care-of 1182 address for the mobile node before the return routability 1183 procedure. For improved security, the data passed between the 1184 home agent and the mobile node is made immune to inspection and 1185 passive attacks. Such protection is gained by encrypting the home 1186 keygen token as it is tunneled from the home agent to the mobile 1187 node as specified in Section 10.4.6. The security properties of 1188 this additional security are discussed in Section 15.4.1. 1190 The home init cookie from the mobile node is returned in the Home 1191 Test message, to ensure that the message comes from a node on the 1192 route between the home agent and the correspondent node. 1194 The home nonce index is delivered to the mobile node to later 1195 allow the correspondent node to efficiently find the nonce value 1196 that it used in creating the home keygen token. 1198 Care-of Test 1200 This message is sent in response to a Care-of Test Init message. 1201 This message is not sent via the home agent, it is sent directly 1202 to the mobile node. The contents of the message are: 1204 * Source Address = correspondent 1206 * Destination Address = care-of address 1208 * Parameters: 1210 + care-of init cookie 1212 + care-of keygen token 1214 + care-of nonce index 1216 When the correspondent node receives the Care-of Test Init 1217 message, it generates a care-of keygen token as follows: 1219 care-of keygen token := 1220 First (64, HMAC_SHA1 (Kcn, (care-of address | nonce | 1))) 1222 Here, the final "1" inside the HMAC_SHA1 function is a single 1223 octet containing the hex value 0x01, and is used to distinguish 1224 home and care-of cookies from each other. The keygen token is 1225 formed from the first 64 bits of the MAC, and sent directly to the 1226 mobile node at its care-of address. The care-of init cookie from 1227 the Care-of Test Init message is returned to ensure that the 1228 message comes from a node on the route to the correspondent node. 1230 The care-of nonce index is provided to identify the nonce used for 1231 the care-of keygen token. The home and care-of nonce indices MAY 1232 be the same, or different, in the Home and Care-of Test messages. 1234 When the mobile node has received both the Home and Care-of Test 1235 messages, the return routability procedure is complete. As a result 1236 of the procedure, the mobile node has the data it needs to send a 1237 Binding Update to the correspondent node. The mobile node hashes the 1238 tokens together to form a 20 octet binding key Kbm: 1240 Kbm = SHA-1 (home keygen token | care-of keygen token) 1242 A Binding Update may also be used to delete a previously established 1243 binding (Section 6.1.7). In this case, the care-of keygen token is 1244 not used. Instead, the binding management key is generated as 1245 follows: 1247 Kbm = SHA-1(home keygen token) 1249 Note that the correspondent node does not create any state specific 1250 to the mobile node, until it receives the Binding Update from that 1251 mobile node. The correspondent node does not maintain the value for 1252 the binding management key Kbm; it creates Kbm when given the nonce 1253 indices and the mobile node's addresses. 1255 5.2.6. Authorizing Binding Management Messages 1257 After the mobile node has created the binding management key (Kbm), 1258 it can supply a verifiable Binding Update to the correspondent node. 1259 This section provides an overview of this registration. The below 1260 figure shows the message flow. 1262 Mobile node Correspondent node 1263 | | 1264 | Binding Update (BU) | 1265 |---------------------------------------------->| 1266 | (MAC, seq#, nonce indices, care-of address) | 1267 | | 1268 | | 1269 | Binding Acknowledgement (BA) (if sent) | 1270 |<----------------------------------------------| 1271 | (MAC, seq#, status) | 1273 Binding Update 1275 To authorize a Binding Update, the mobile node creates a binding 1276 management key Kbm from the keygen tokens as described in the 1277 previous section. The contents of the Binding Update include the 1278 following: 1280 * Source Address = care-of address 1282 * Destination Address = correspondent 1284 * Parameters: 1286 + home address (within the Home Address destination option if 1287 different from the Source Address) 1289 + sequence number (within the Binding Update message header) 1291 + home nonce index (within the Nonce Indices option) 1293 + care-of nonce index (within the Nonce Indices option) 1295 + First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent 1296 | BU))) 1298 The Binding Update contains a Nonce Indices option, indicating to 1299 the correspondent node which home and care-of nonces to use to 1300 recompute Kbm, the binding management key. The MAC is computed as 1301 described in Section 6.2.7, using the correspondent node's address 1302 as the destination address and the Binding Update message itself 1303 ("BU" above) as the MH Data. 1305 Once the correspondent node has verified the MAC, it can create a 1306 Binding Cache entry for the mobile. 1308 Binding Acknowledgement 1310 The Binding Update is in some cases acknowledged by the 1311 correspondent node. The contents of the message are as follows: 1313 * Source Address = correspondent 1315 * Destination Address = care-of address 1317 * Parameters: 1319 + sequence number (within the Binding Update message header) 1321 + First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent 1322 | BA))) 1324 The Binding Acknowledgement contains the same sequence number as 1325 the Binding Update. The MAC is computed as described in 1326 Section 6.2.7, using the correspondent node's address as the 1327 destination address and the message itself ("BA" above) as the MH 1328 Data. 1330 Bindings established with correspondent nodes using keys created by 1331 way of the return routability procedure MUST NOT exceed 1332 MAX_RR_BINDING_LIFETIME seconds (see Section 12). 1334 The value in the Source Address field in the IPv6 header carrying the 1335 Binding Update is normally also the care-of address which is used in 1336 the binding. However, a different care-of address MAY be specified 1337 by including an Alternate Care-of Address mobility option in the 1338 Binding Update (see Section 6.2.5). When such a message is sent to 1339 the correspondent node and the return routability procedure is used 1340 as the authorization method, the Care-of Test Init and Care-of Test 1341 messages MUST have been performed for the address in the Alternate 1342 Care-of Address option (not the Source Address). The nonce indices 1343 and MAC value MUST be based on information gained in this test. 1345 Binding Updates may also be sent to delete a previously established 1346 binding. In this case, generation of the binding management key 1347 depends exclusively on the home keygen token and the care-of nonce 1348 index is ignored. 1350 5.2.7. Updating Node Keys and Nonces 1352 Correspondent nodes generate nonces at regular intervals. It is 1353 recommended to keep each nonce (identified by a nonce index) 1354 acceptable for at least MAX_TOKEN_LIFETIME seconds (see Section 12) 1355 after it has been first used in constructing a return routability 1356 message response. However, the correspondent node MUST NOT accept 1357 nonces beyond MAX_NONCE_LIFETIME seconds (see Section 12) after the 1358 first use. As the difference between these two constants is 30 1359 seconds, a convenient way to enforce the above lifetimes is to 1360 generate a new nonce every 30 seconds. The node can then continue to 1361 accept tokens that have been based on the last 8 (MAX_NONCE_LIFETIME 1362 / 30) nonces. This results in tokens being acceptable 1363 MAX_TOKEN_LIFETIME to MAX_NONCE_LIFETIME seconds after they have been 1364 sent to the mobile node, depending on whether the token was sent at 1365 the beginning or end of the first 30 second period. Note that the 1366 correspondent node may also attempt to generate new nonces on demand, 1367 or only if the old nonces have been used. This is possible, as long 1368 as the correspondent node keeps track of how long a time ago the 1369 nonces were used for the first time, and does not generate new nonces 1370 on every return routability request. 1372 Due to resource limitations, rapid deletion of bindings, or reboots 1373 the correspondent node may not in all cases recognize the nonces that 1374 the tokens were based on. If a nonce index is unrecognized, the 1375 correspondent node replies with an error code in the Binding 1376 Acknowledgement (either 136, 137, or 138 as discussed in 1377 Section 6.1.8). The mobile node can then retry the return 1378 routability procedure. 1380 An update of Kcn SHOULD be done at the same time as an update of a 1381 nonce, so that nonce indices can identify both the nonce and the key. 1382 Old Kcn values have to be therefore remembered as long as old nonce 1383 values. 1385 Given that the tokens are normally expected to be usable for 1386 MAX_TOKEN_LIFETIME seconds, the mobile node MAY use them beyond a 1387 single run of the return routability procedure until 1388 MAX_TOKEN_LIFETIME expires. After this the mobile node SHOULD NOT 1389 use the tokens. A fast moving mobile node MAY reuse a recent home 1390 keygen token from a correspondent node when moving to a new location, 1391 and just acquire a new care-of keygen token to show routability in 1392 the new location. 1394 While this does not save the number of round-trips due to the 1395 simultaneous processing of home and care-of return routability tests, 1396 there are fewer messages being exchanged, and a potentially long 1397 round-trip through the home agent is avoided. Consequently, this 1398 optimization is often useful. A mobile node that has multiple home 1399 addresses, MAY also use the same care-of keygen token for Binding 1400 Updates concerning all of these addresses. 1402 5.2.8. Preventing Replay Attacks 1404 The return routability procedure also protects the participants 1405 against replayed Binding Updates through the use of the sequence 1406 number and a MAC. Care must be taken when removing bindings at the 1407 correspondent node, however. Correspondent nodes must retain 1408 bindings and the associated sequence number information at least as 1409 long as the nonces used in the authorization of the binding are still 1410 valid. Alternatively, if memory is very constrained, the 1411 correspondent node MAY invalidate the nonces that were used for the 1412 binding being deleted (or some larger group of nonces that they 1413 belong to). This may, however, impact the ability to accept Binding 1414 Updates from mobile nodes that have recently received keygen tokens. 1415 This alternative is therefore recommended only as a last measure. 1417 5.2.9. Handling Interruptions to Return Routability 1419 In some scenarios, such as simultaneous mobility, where both 1420 correspondent host and mobile host move at the same time, or in the 1421 case where the correspondent node reboots and loses data, route 1422 optimization may not complete, or relevant data in the binding cache 1423 might be lost. 1425 o Return Routability signalling MUST be sent to the correspondent 1426 node's home address if it has one (i.e. not to the correspondent 1427 nodes care-of address if the correspondent node is also mobile). 1429 o If Return Routability signalling timed out after MAX_RO_FAILURE 1430 attempts, the mobile node MUST revert to sending packets to the 1431 correspondent node's home address through its home agent. 1433 The mobile node may run the bidirectional tunnelling in parallel with 1434 the return routability procedure until it is successful. Exponential 1435 backoff SHOULD be used for retransmission of return routability 1436 messages. 1438 The return routability procedure may be triggered by movement of the 1439 mobile node or by sustained loss of end-to-end communication with a 1440 correspondent node (e.g. based on indications from upper-layers) that 1441 has been using a route optimised connection to the mobile node. If 1442 such indications are received, the mobile node MAY revert to bi- 1443 directional tunnelling while re-starting the return routability 1444 procedure. 1446 5.3. Dynamic Home Agent Address Discovery 1448 Dynamic home agent address discovery has been designed for use in 1449 deployments where security is not needed. For this reason, no 1450 security solution is provided in this document for dynamic home agent 1451 address discovery. 1453 5.4. Mobile Prefix Discovery 1455 The mobile node and the home agent SHOULD use an IPsec security 1456 association to protect the integrity and authenticity of the Mobile 1457 Prefix Solicitations and Advertisements. Both the mobile nodes and 1458 the home agents MUST support and SHOULD use the Encapsulating 1459 Security Payload (ESP) header in transport mode with a non-NULL 1460 payload authentication algorithm to provide data origin 1461 authentication, connectionless integrity and optional anti-replay 1462 protection. 1464 5.5. Payload Packets 1466 Payload packets exchanged with mobile nodes can be protected in the 1467 usual manner, in the same way as stationary hosts can protect them. 1468 However, Mobile IPv6 introduces the Home Address destination option, 1469 a routing header, and tunneling headers in the payload packets. In 1470 the following we define the security measures taken to protect these, 1471 and to prevent their use in attacks against other parties. 1473 This specification limits the use of the Home Address destination 1474 option to the situation where the correspondent node already has a 1475 Binding Cache entry for the given home address. This avoids the use 1476 of the Home Address option in attacks described in Section 15.1. 1478 Mobile IPv6 uses a type of routing header specific to Mobile IPv6. 1479 This type provides the necessary functionality but does not open 1480 vulnerabilities discussed in Section 15.1 and RFC 5095 [44]. 1482 Tunnels between the mobile node and the home agent are protected by 1483 ensuring proper use of source addresses, and optional cryptographic 1484 protection. The mobile node verifies that the outer IP address 1485 corresponds to its home agent. The home agent verifies that the 1486 outer IP address corresponds to the current location of the mobile 1487 node (Binding Updates sent to the home agents are secure). The home 1488 agent identifies the mobile node through the source address of the 1489 inner packet. (Typically, this is the home address of the mobile 1490 node, but it can also be a link-local address, as discussed in 1491 Section 10.4.2. To recognize the latter type of addresses, the home 1492 agent requires that the Link-Local Address Compatibility (L) was set 1493 in the Binding Update.) These measures protect the tunnels against 1494 vulnerabilities discussed in Section 15.1. 1496 For traffic tunneled via the home agent, additional IPsec ESP 1497 encapsulation MAY be supported and used. If multicast group 1498 membership control protocols or stateful address autoconfiguration 1499 protocols are supported, payload data protection MUST be supported. 1501 6. New IPv6 Protocol, Message Types, and Destination Option 1503 6.1. Mobility Header 1505 The Mobility Header is an extension header used by mobile nodes, 1506 correspondent nodes, and home agents in all messaging related to the 1507 creation and management of bindings. The subsections within this 1508 section describe the message types that may be sent using the 1509 Mobility Header. 1511 Mobility Header messages MUST NOT be sent with a type 2 routing 1512 header, except as described in Section 9.5.4 for Binding 1513 Acknowledgement. Mobility Header messages also MUST NOT be used with 1514 a Home Address destination option, except as described in 1515 Section 11.7.1 and Section 11.7.2 for Binding Update. Binding Update 1516 List or Binding Cache information (when present) for the destination 1517 MUST NOT be used in sending Mobility Header messages. That is, 1518 Mobility Header messages bypass both the Binding Cache check 1519 described in Section 9.3.2 and the Binding Update List check 1520 described in Section 11.3.1 which are normally performed for all 1521 packets. This applies even to messages sent to or from a 1522 correspondent node which is itself a mobile node. 1524 6.1.1. Format 1526 The Mobility Header is identified by a Next Header value of 135 in 1527 the immediately preceding header, and has the following format: 1529 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1530 | Payload Proto | Header Len | MH Type | Reserved | 1531 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1532 | Checksum | | 1533 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1534 | | 1535 . . 1536 . Message Data . 1537 . . 1538 | | 1539 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1541 Payload Proto 1543 8-bit selector. Identifies the type of header immediately 1544 following the Mobility Header. Uses the same values as the IPv6 1545 Next Header field [6]. 1547 This field is intended to be used by a future extension (see 1548 Appendix A.1). 1550 Implementations conforming to this specification SHOULD set the 1551 payload protocol type to IPPROTO_NONE (59 decimal). 1553 Header Len 1555 8-bit unsigned integer, representing the length of the Mobility 1556 Header in units of 8 octets, excluding the first 8 octets. 1558 The length of the Mobility Header MUST be a multiple of 8 octets. 1560 MH Type 1562 8-bit selector. Identifies the particular mobility message in 1563 question. Current values are specified in Section 6.1.2 and 1564 onward. An unrecognized MH Type field causes an error indication 1565 to be sent. 1567 Reserved 1569 8-bit field reserved for future use. The value MUST be 1570 initialized to zero by the sender, and MUST be ignored by the 1571 receiver. 1573 Checksum 1575 16-bit unsigned integer. This field contains the checksum of the 1576 Mobility Header. The checksum is calculated from the octet string 1577 consisting of a "pseudo-header" followed by the entire Mobility 1578 Header starting with the Payload Proto field. The checksum is the 1579 16-bit one's complement of the one's complement sum of this 1580 string. 1582 The pseudo-header contains IPv6 header fields, as specified in 1583 Section 8.1 of RFC 2460 [6]. The Next Header value used in the 1584 pseudo-header is 135. The addresses used in the pseudo-header are 1585 the addresses that appear in the Source and Destination Address 1586 fields in the IPv6 packet carrying the Mobility Header. 1588 Note that the procedures of calculating upper layer checksums 1589 while away from home described in Section 11.3.1 apply even for 1590 the Mobility Header. If a mobility message has a Home Address 1591 destination option, then the checksum calculation uses the home 1592 address in this option as the value of the IPv6 Source Address 1593 field. The type 2 routing header is treated as explained in [6]. 1595 The Mobility Header is considered as the upper layer protocol for 1596 the purposes of calculating the pseudo-header. The Upper-Layer 1597 Packet Length field in the pseudo-header MUST be set to the total 1598 length of the Mobility Header. 1600 For computing the checksum, the checksum field is set to zero. 1602 Message Data 1604 A variable length field containing the data specific to the 1605 indicated Mobility Header type. 1607 Mobile IPv6 also defines a number of "mobility options" for use 1608 within these messages; if included, any options MUST appear after the 1609 fixed portion of the message data specified in this document. The 1610 presence of such options will be indicated by the Header Len field 1611 within the message. When the Header Len value is greater than the 1612 length required for the message specified here, the remaining octets 1613 are interpreted as mobility options. These options include padding 1614 options that can be used to ensure that other options are aligned 1615 properly, and that the total length of the message is divisible by 8. 1616 The encoding and format of defined options are described in 1617 Section 6.2. 1619 Alignment requirements for the Mobility Header are the same as for 1620 any IPv6 protocol Header. That is, they MUST be aligned on an 1621 8-octet boundary. 1623 6.1.2. Binding Refresh Request Message 1625 The Binding Refresh Request (BRR) message requests a mobile node to 1626 update its mobility binding. This message is sent by correspondent 1627 nodes according to the rules in Section 9.5.5. When a mobile node 1628 receives a packet containing a Binding Refresh Request message it 1629 processes the message according to the rules in Section 11.7.4. 1631 The Binding Refresh Request message uses the MH Type value 0. When 1632 this value is indicated in the MH Type field, the format of the 1633 Message Data field in the Mobility Header is as follows: 1635 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1636 | Reserved | 1637 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1638 | | 1639 . . 1640 . Mobility options . 1641 . . 1642 | | 1643 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1645 Reserved 1647 16-bit field reserved for future use. The value MUST be 1648 initialized to zero by the sender, and MUST be ignored by the 1649 receiver. 1651 Mobility Options 1653 Variable-length field of such length that the complete Mobility 1654 Header is an integer multiple of 8 octets long. This field 1655 contains zero or more TLV-encoded mobility options. The encoding 1656 and format of defined options are described in Section 6.2. The 1657 receiver MUST ignore and skip any options which it does not 1658 understand. 1660 There MAY be additional information, associated with this Binding 1661 Refresh Request message that need not be present in all Binding 1662 Refresh Request messages sent. Mobility options allow future 1663 extensions to the format of the Binding Refresh Request message to 1664 be defined. This specification does not define any options valid 1665 for the Binding Refresh Request message. 1667 If no actual options are present in this message, no padding is 1668 necessary and the Header Len field will be set to 0. 1670 6.1.3. Home Test Init Message 1672 A mobile node uses the Home Test Init (HoTI) message to initiate the 1673 return routability procedure and request a home keygen token from a 1674 correspondent node (see Section 11.6.1). The Home Test Init message 1675 uses the MH Type value 1. When this value is indicated in the MH 1676 Type field, the format of the Message Data field in the Mobility 1677 Header is as follows: 1679 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1680 | Reserved | 1681 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1682 | | 1683 + Home Init Cookie + 1684 | | 1685 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1686 | | 1687 . . 1688 . Mobility Options . 1689 . . 1690 | | 1691 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1693 Reserved 1695 16-bit field reserved for future use. This value MUST be 1696 initialized to zero by the sender, and MUST be ignored by the 1697 receiver. 1699 Home Init Cookie 1701 64-bit field which contains a random value, the home init cookie. 1703 Mobility Options 1705 Variable-length field of such length that the complete Mobility 1706 Header is an integer multiple of 8 octets long. This field 1707 contains zero or more TLV-encoded mobility options. The receiver 1708 MUST ignore and skip any options which it does not understand. 1709 This specification does not define any options valid for the Home 1710 Test Init message. 1712 If no actual options are present in this message, no padding is 1713 necessary and the Header Len field will be set to 1. 1715 This message is tunneled through the home agent when the mobile node 1716 is away from home. Such tunneling SHOULD employ IPsec ESP in tunnel 1717 mode between the home agent and the mobile node. This protection is 1718 indicated by the IPsec security policy database. The protection of 1719 Home Test Init messages is unrelated to the requirement to protect 1720 regular payload traffic, which MAY use such tunnels as well. 1722 6.1.4. Care-of Test Init Message 1724 A mobile node uses the Care-of Test Init (CoTI) message to initiate 1725 the return routability procedure and request a care-of keygen token 1726 from a correspondent node (see Section 11.6.1). The Care-of Test 1727 Init message uses the MH Type value 2. When this value is indicated 1728 in the MH Type field, the format of the Message Data field in the 1729 Mobility Header is as follows: 1731 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1732 | Reserved | 1733 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1734 | | 1735 + Care-of Init Cookie + 1736 | | 1737 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1738 | | 1739 . . 1740 . Mobility Options . 1741 . . 1742 | | 1743 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1745 Reserved 1747 16-bit field reserved for future use. The value MUST be 1748 initialized to zero by the sender, and MUST be ignored by the 1749 receiver. 1751 Care-of Init Cookie 1753 64-bit field which contains a random value, the care-of init 1754 cookie. 1756 Mobility Options 1758 Variable-length field of such length that the complete Mobility 1759 Header is an integer multiple of 8 octets long. This field 1760 contains zero or more TLV-encoded mobility options. The receiver 1761 MUST ignore and skip any options which it does not understand. 1762 This specification does not define any options valid for the 1763 Care-of Test Init message. 1765 If no actual options are present in this message, no padding is 1766 necessary and the Header Len field will be set to 1. 1768 6.1.5. Home Test Message 1770 The Home Test (HoT) message is a response to the Home Test Init 1771 message, and is sent from the correspondent node to the mobile node 1772 (see Section 5.2.5). The Home Test message uses the MH Type value 3. 1773 When this value is indicated in the MH Type field, the format of the 1774 Message Data field in the Mobility Header is as follows: 1776 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1777 | Home Nonce Index | 1778 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1779 | | 1780 + Home Init Cookie + 1781 | | 1782 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1783 | | 1784 + Home Keygen Token + 1785 | | 1786 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1787 | | 1788 . . 1789 . Mobility options . 1790 . . 1791 | | 1792 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1794 Home Nonce Index 1796 This field will be echoed back by the mobile node to the 1797 correspondent node in a subsequent Binding Update. 1799 Home Init Cookie 1801 64-bit field which contains the home init cookie. 1803 Home Keygen Token 1805 This field contains the 64 bit home keygen token used in the 1806 return routability procedure. 1808 Mobility Options 1810 Variable-length field of such length that the complete Mobility 1811 Header is an integer multiple of 8 octets long. This field 1812 contains zero or more TLV-encoded mobility options. The receiver 1813 MUST ignore and skip any options which it does not understand. 1814 This specification does not define any options valid for the Home 1815 Test message. 1817 If no actual options are present in this message, no padding is 1818 necessary and the Header Len field will be set to 2. 1820 6.1.6. Care-of Test Message 1822 The Care-of Test (CoT) message is a response to the Care-of Test Init 1823 message, and is sent from the correspondent node to the mobile node 1824 (see Section 11.6.2). The Care-of Test message uses the MH Type 1825 value 4. When this value is indicated in the MH Type field, the 1826 format of the Message Data field in the Mobility Header is as 1827 follows: 1829 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1830 | Care-of Nonce Index | 1831 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1832 | | 1833 + Care-of Init Cookie + 1834 | | 1835 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1836 | | 1837 + Care-of Keygen Token + 1838 | | 1839 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1840 | | 1841 . . 1842 . Mobility Options . 1843 . . 1844 | | 1845 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1847 Care-of Nonce Index 1849 This value will be echoed back by the mobile node to the 1850 correspondent node in a subsequent Binding Update. 1852 Care-of Init Cookie 1854 64-bit field which contains the care-of init cookie. 1856 Care-of Keygen Token 1858 This field contains the 64 bit care-of keygen token used in the 1859 return routability procedure. 1861 Mobility Options 1863 Variable-length field of such length that the complete Mobility 1864 Header is an integer multiple of 8 octets long. This field 1865 contains zero or more TLV-encoded mobility options. The receiver 1866 MUST ignore and skip any options which it does not understand. 1867 This specification does not define any options valid for the 1868 Care-of Test message. 1870 If no actual options are present in this message, no padding is 1871 necessary and the Header Len field will be set to 2. 1873 6.1.7. Binding Update Message 1875 The Binding Update (BU) message is used by a mobile node to notify 1876 other nodes of a new care-of address for itself. Binding Updates are 1877 sent as described in Section 11.7.1 and Section 11.7.2. 1879 The Binding Update uses the MH Type value 5. When this value is 1880 indicated in the MH Type field, the format of the Message Data field 1881 in the Mobility Header is as follows: 1883 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1884 | Sequence # | 1885 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1886 |A|H|L|K| Reserved | Lifetime | 1887 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1888 | | 1889 . . 1890 . Mobility options . 1891 . . 1892 | | 1893 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1895 Acknowledge (A) 1897 The Acknowledge (A) bit is set by the sending mobile node to 1898 request a Binding Acknowledgement (Section 6.1.8) be returned upon 1899 receipt of the Binding Update. 1901 Home Registration (H) 1903 The Home Registration (H) bit is set by the sending mobile node to 1904 request that the receiving node should act as this node's home 1905 agent. The destination of the packet carrying this message MUST 1906 be that of a router sharing the same subnet prefix as the home 1907 address of the mobile node in the binding. 1909 Link-Local Address Compatibility (L) 1911 The Link-Local Address Compatibility (L) bit is set when the home 1912 address reported by the mobile node has the same interface 1913 identifier as the mobile node's link-local address. 1915 Key Management Mobility Capability (K) 1917 If this bit is cleared, the protocol used for establishing the 1918 IPsec security associations between the mobile node and the home 1919 agent does not survive movements. It may then have to be rerun. 1920 (Note that the IPsec security associations themselves are expected 1921 to survive movements.) If manual IPsec configuration is used, the 1922 bit MUST be cleared. 1924 This bit is valid only in Binding Updates sent to the home agent, 1925 and MUST be cleared in other Binding Updates. Correspondent nodes 1926 MUST ignore this bit. 1928 Reserved 1930 These fields are unused. They MUST be initialized to zero by the 1931 sender and MUST be ignored by the receiver. 1933 Sequence # 1935 A 16-bit unsigned integer used by the receiving node to sequence 1936 Binding Updates and by the sending node to match a returned 1937 Binding Acknowledgement with this Binding Update. 1939 Lifetime 1941 16-bit unsigned integer. The number of time units remaining 1942 before the binding MUST be considered expired. A value of zero 1943 indicates that the Binding Cache entry for the mobile node MUST be 1944 deleted. One time unit is 4 seconds. 1946 Mobility Options 1948 Variable-length field of such length that the complete Mobility 1949 Header is an integer multiple of 8 octets long. This field 1950 contains zero or more TLV-encoded mobility options. The encoding 1951 and format of defined options are described in Section 6.2. The 1952 receiver MUST ignore and skip any options which it does not 1953 understand. 1955 The following options are valid in a Binding Update: 1957 * Binding Authorization Data option (this option is mandatory in 1958 Binding Updates sent to a correspondent node) 1960 * Nonce Indices option. 1962 * Alternate Care-of Address option 1964 If no options are present in this message, 4 octets of padding are 1965 necessary and the Header Len field will be set to 1. 1967 The care-of address is specified either by the Source Address field 1968 in the IPv6 header or by the Alternate Care-of Address option, if 1969 present. The care-of address MUST be a unicast routable address. 1970 IPv6 Source Address MUST be a topologically correct source address. 1971 Binding Updates for a care-of address which is not a unicast routable 1972 address MUST be silently discarded. 1974 The deletion of a binding MUST be indicated by setting the Lifetime 1975 field to 0. In deletion, the generation of the binding management 1976 key depends exclusively on the home keygen token, as explained in 1977 Section 5.2.5. 1979 Correspondent nodes SHOULD NOT delete the Binding Cache entry before 1980 the lifetime expires, if any application hosted by the correspondent 1981 node is still likely to require communication with the mobile node. 1982 A Binding Cache entry that is de-allocated prematurely might cause 1983 subsequent packets to be dropped from the mobile node, if they 1984 contain the Home Address destination option. This situation is 1985 recoverable, since a Binding Error message is sent to the mobile node 1986 (see Section 6.1.9); however, it causes unnecessary delay in the 1987 communications. 1989 6.1.8. Binding Acknowledgement Message 1991 The Binding Acknowledgement is used to acknowledge receipt of a 1992 Binding Update (Section 6.1.7). This packet is sent as described in 1993 Section 9.5.4 and Section 10.3.1. 1995 The Binding Acknowledgement has the MH Type value 6. When this value 1996 is indicated in the MH Type field, the format of the Message Data 1997 field in the Mobility Header is as follows: 1999 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2000 | Status |K| Reserved | 2001 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2002 | Sequence # | Lifetime | 2003 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2004 | | 2005 . . 2006 . Mobility options . 2007 . . 2008 | | 2009 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2011 Status 2013 8-bit unsigned integer indicating the disposition of the Binding 2014 Update. Values of the Status field less than 128 indicate that 2015 the Binding Update was accepted by the receiving node. Values 2016 greater than or equal to 128 indicate that the Binding Update was 2017 rejected by the receiving node. The following Status values are 2018 currently defined: 2020 0 Binding Update accepted 2022 1 Accepted but prefix discovery necessary 2024 128 Reason unspecified 2026 129 Administratively prohibited 2028 130 Insufficient resources 2030 131 Home registration not supported 2032 132 Not home subnet 2034 133 Not home agent for this mobile node 2036 134 Duplicate Address Detection failed 2038 135 Sequence number out of window 2040 136 Expired home nonce index 2042 137 Expired care-of nonce index 2044 138 Expired nonces 2046 139 Registration type change disallowed 2048 TBD Invalid Care-of Address 2050 Up-to-date values of the Status field are to be specified in the 2051 IANA registry of assigned numbers [29]. 2053 Key Management Mobility Capability (K) 2055 If this bit is cleared, the protocol used by the home agent for 2056 establishing the IPsec security associations between the mobile 2057 node and the home agent does not survive movements. It may then 2058 have to be rerun. (Note that the IPsec security associations 2059 themselves are expected to survive movements.) 2061 Correspondent nodes MUST set the K bit to 0. 2063 Reserved 2065 This field is unused. It MUST be initialized to zero by the 2066 sender and MUST be ignored by the receiver. 2068 Sequence # 2070 The Sequence Number in the Binding Acknowledgement is copied from 2071 the Sequence Number field in the Binding Update. It is used by 2072 the mobile node in matching this Binding Acknowledgement with an 2073 outstanding Binding Update. 2075 Lifetime 2077 The granted lifetime, in time units of 4 seconds, for which this 2078 node SHOULD retain the entry for this mobile node in its Binding 2079 Cache. 2081 The value of this field is undefined if the Status field indicates 2082 that the Binding Update was rejected. 2084 Mobility Options 2086 Variable-length field of such length that the complete Mobility 2087 Header is an integer multiple of 8 octets long. This field 2088 contains zero or more TLV-encoded mobility options. The encoding 2089 and format of defined options are described in Section 6.2. The 2090 receiver MUST ignore and skip any options which it does not 2091 understand. 2093 There MAY be additional information, associated with this Binding 2094 Acknowledgement that need not be present in all Binding 2095 Acknowledgements sent. Mobility options allow future extensions 2096 to the format of the Binding Acknowledgement to be defined. The 2097 following options are valid for the Binding Acknowledgement: 2099 * Binding Authorization Data option (this option is mandatory in 2100 Binding Acknowledgements sent by a correspondent node, except 2101 where otherwise noted in Section 9.5.4) 2103 * Binding Refresh Advice option 2105 If no options are present in this message, 4 octets of padding are 2106 necessary and the Header Len field will be set to 1. 2108 6.1.9. Binding Error Message 2110 The Binding Error (BE) message is used by the correspondent node to 2111 signal an error related to mobility, such as an inappropriate attempt 2112 to use the Home Address destination option without an existing 2113 binding; see Section 9.3.3 for details. 2115 The Binding Error message uses the MH Type value 7. When this value 2116 is indicated in the MH Type field, the format of the Message Data 2117 field in the Mobility Header is as follows: 2119 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2120 | Status | Reserved | 2121 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2122 | | 2123 + + 2124 | | 2125 + Home Address + 2126 | | 2127 + + 2128 | | 2129 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2130 . . 2131 . Mobility Options . 2132 . . 2133 | | 2134 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2136 Status 2138 8-bit unsigned integer indicating the reason for this message. 2139 The following values are currently defined: 2141 1 Unknown binding for Home Address destination option 2143 2 Unrecognized MH Type value 2145 Reserved 2147 A 8-bit field reserved for future use. The value MUST be 2148 initialized to zero by the sender, and MUST be ignored by the 2149 receiver. 2151 Home Address 2153 The home address that was contained in the Home Address 2154 destination option. The mobile node uses this information to 2155 determine which binding does not exist, in cases where the mobile 2156 node has several home addresses. 2158 Mobility Options 2160 Variable-length field of such length that the complete Mobility 2161 Header is an integer multiple of 8 octets long. This field 2162 contains zero or more TLV-encoded mobility options. The receiver 2163 MUST ignore and skip any options which it does not understand. 2165 There MAY be additional information, associated with this Binding 2166 Error message that need not be present in all Binding Error 2167 messages sent. Mobility options allow future extensions to the 2168 format of the Binding Error message to be defined. The encoding 2169 and format of defined options are described in Section 6.2. This 2170 specification does not define any options valid for the Binding 2171 Error message. 2173 If no actual options are present in this message, no padding is 2174 necessary and the Header Len field will be set to 2. 2176 6.2. Mobility Options 2178 Mobility messages can include zero or more mobility options. This 2179 allows optional fields that may not be needed in every use of a 2180 particular Mobility Header, as well as future extensions to the 2181 format of the messages. Such options are included in the Message 2182 Data field of the message itself, after the fixed portion of the 2183 message data specified in the message subsections of Section 6.1. 2185 The presence of such options will be indicated by the Header Len of 2186 the Mobility Header. If included, the Binding Authorization Data 2187 option (Section 6.2.7) MUST be the last option and MUST NOT have 2188 trailing padding. Otherwise, options can be placed in any order. 2190 6.2.1. Format 2192 Mobility options are encoded within the remaining space of the 2193 Message Data field of a mobility message, using a type-length-value 2194 (TLV) format as follows: 2196 0 1 2 3 2197 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2198 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2199 | Option Type | Option Length | Option Data... 2200 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2202 Option Type 2204 8-bit identifier of the type of mobility option. When processing 2205 a Mobility Header containing an option for which the Option Type 2206 value is not recognized by the receiver, the receiver MUST quietly 2207 ignore and skip over the option, correctly handling any remaining 2208 options in the message. 2210 Option Length 2212 8-bit unsigned integer, representing the length in octets of the 2213 mobility option, not including the Option Type and Option Length 2214 fields. 2216 Option Data 2218 A variable length field that contains data specific to the option. 2220 The following subsections specify the Option types which are 2221 currently defined for use in the Mobility Header. 2223 Implementations MUST silently ignore any mobility options that they 2224 do not understand. 2226 Mobility options may have alignment requirements. Following the 2227 convention in IPv6, these options are aligned in a packet so that 2228 multi-octet values within the Option Data field of each option fall 2229 on natural boundaries (i.e., fields of width n octets are placed at 2230 an integer multiple of n octets from the start of the header, for n = 2231 1, 2, 4, or 8) [6]. 2233 6.2.2. Pad1 2235 The Pad1 option does not have any alignment requirements. Its format 2236 is as follows: 2238 0 2239 0 1 2 3 4 5 6 7 2240 +-+-+-+-+-+-+-+-+ 2241 | Type = 0 | 2242 +-+-+-+-+-+-+-+-+ 2244 NOTE! the format of the Pad1 option is a special case - it has 2245 neither Option Length nor Option Data fields. 2247 The Pad1 option is used to insert one octet of padding in the 2248 Mobility Options area of a Mobility Header. If more than one octet 2249 of padding is required, the PadN option, described next, should be 2250 used rather than multiple Pad1 options. 2252 6.2.3. PadN 2254 The PadN option does not have any alignment requirements. Its format 2255 is as follows: 2257 0 1 2258 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 2259 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - 2260 | Type = 1 | Option Length | Option Data 2261 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - 2263 The PadN option is used to insert two or more octets of padding in 2264 the Mobility Options area of a mobility message. For N octets of 2265 padding, the Option Length field contains the value N-2, and the 2266 Option Data consists of N-2 zero-valued octets. PadN Option data 2267 MUST be ignored by the receiver. 2269 6.2.4. Binding Refresh Advice 2271 The Binding Refresh Advice option has an alignment requirement of 2n. 2272 Its format is as follows: 2274 0 1 2 3 2275 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2276 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2277 | Type = 2 | Length = 2 | 2278 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2279 | Refresh Interval | 2280 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2282 The Binding Refresh Advice option is only valid in the Binding 2283 Acknowledgement, and only on Binding Acknowledgements sent from the 2284 mobile node's home agent in reply to a home registration. The 2285 Refresh Interval is measured in units of four seconds, and indicates 2286 remaining time until the mobile node SHOULD send a new home 2287 registration to the home agent. The Refresh Interval MUST be set to 2288 indicate a smaller time interval than the Lifetime value of the 2289 Binding Acknowledgement. 2291 6.2.5. Alternate Care-of Address 2293 The Alternate Care-of Address option has an alignment requirement of 2294 8n+6. Its format is as follows: 2296 0 1 2 3 2297 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2298 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2299 | Type = 3 | Length = 16 | 2300 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2301 | | 2302 + + 2303 | | 2304 + Alternate Care-of Address + 2305 | | 2306 + + 2307 | | 2308 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2310 Normally, a Binding Update specifies the desired care-of address in 2311 the Source Address field of the IPv6 header. However, this is not 2312 possible in some cases, such as when the mobile node wishes to 2313 indicate a care-of address which it cannot use as a topologically 2314 correct source address (Section 6.1.7 and Section 11.7.2) or when the 2315 used security mechanism does not protect the IPv6 header 2316 (Section 11.7.1). 2318 The Alternate Care-of Address option is provided for these 2319 situations. This option is valid only in Binding Update. The 2320 Alternate Care-of Address field contains an address to use as the 2321 care-of address for the binding, rather than using the Source Address 2322 of the packet as the care-of address. 2324 6.2.6. Nonce Indices 2326 The Nonce Indices option has an alignment requirement of 2n. Its 2327 format is as follows: 2329 0 1 2 3 2330 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2331 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2332 | Type = 4 | Length = 4 | 2333 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2334 | Home Nonce Index | Care-of Nonce Index | 2335 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2337 The Nonce Indices option is valid only in the Binding Update message 2338 sent to a correspondent node, and only when present together with a 2339 Binding Authorization Data option. When the correspondent node 2340 authorizes the Binding Update, it needs to produce home and care-of 2341 keygen tokens from its stored random nonce values. 2343 The Home Nonce Index field tells the correspondent node which nonce 2344 value to use when producing the home keygen token. 2346 The Care-of Nonce Index field is ignored in requests to delete a 2347 binding. Otherwise, it tells the correspondent node which nonce 2348 value to use when producing the care-of keygen token. 2350 6.2.7. Binding Authorization Data 2352 The Binding Authorization Data option does not have alignment 2353 requirements as such. However, since this option must be the last 2354 mobility option, an implicit alignment requirement is 8n + 2. The 2355 format of this option is as follows: 2357 0 1 2 3 2358 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2359 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2360 | Type = 5 | Option Length | 2361 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2362 | | 2363 + + 2364 | Authenticator | 2365 + + 2366 | | 2367 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2369 The Binding Authorization Data option is valid in the Binding Update 2370 and Binding Acknowledgement. 2372 The Option Length field contains the length of the authenticator in 2373 octets. 2375 The Authenticator field contains a cryptographic value which can be 2376 used to determine that the message in question comes from the right 2377 authority. Rules for calculating this value depends on the used 2378 authorization procedure. 2380 For the return routability procedure, this option can appear in the 2381 Binding Update and Binding Acknowledgements. Rules for calculating 2382 the Authenticator value are the following: 2384 Mobility Data = care-of address | correspondent | MH Data 2385 Authenticator = First (96, HMAC_SHA1 (Kbm, Mobility Data)) 2387 Where | denotes concatenation. "Care-of address" is the care-of 2388 address which will be registered for the mobile node if the Binding 2389 Update succeeds, or the home address of the mobile node if this 2390 option is used in de-registration. Note also that this address might 2391 be different from the source address of the Binding Update message, 2392 if the Alternative Care-of Address mobility option is used, or when 2393 the lifetime of the binding is set to zero. 2395 The "correspondent" is the IPv6 address of the correspondent node. 2396 Note that, if the message is sent to a destination which is itself 2397 mobile, the "correspondent" address may not be the address found in 2398 the Destination Address field of the IPv6 header; instead the home 2399 address from the type 2 Routing header should be used. 2401 "MH Data" is the content of the Mobility Header, excluding the 2402 Authenticator field itself. The Authenticator value is calculated as 2403 if the Checksum field in the Mobility Header was zero. The Checksum 2404 in the transmitted packet is still calculated in the usual manner, 2405 with the calculated Authenticator being a part of the packet 2406 protected by the Checksum. Kbm is the binding management key, which 2407 is typically created using nonces provided by the correspondent node 2408 (see Section 9.4). Note that while the contents of a potential Home 2409 Address destination option are not covered in this formula, the rules 2410 for the calculation of the Kbm do take the home address in account. 2411 This ensures that the MAC will be different for different home 2412 addresses. 2414 The first 96 bits from the MAC result are used as the Authenticator 2415 field. 2417 6.3. Home Address Option 2419 The Home Address option is carried by the Destination Option 2420 extension header (Next Header value = 60). It is used in a packet 2421 sent by a mobile node while away from home, to inform the recipient 2422 of the mobile node's home address. 2424 The Home Address option is encoded in type-length-value (TLV) format 2425 as follows: 2427 0 1 2 3 2428 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2429 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2430 | Option Type | Option Length | 2431 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2432 | | 2433 + + 2434 | | 2435 + Home Address + 2436 | | 2437 + + 2438 | | 2439 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2441 Option Type 2443 201 = 0xC9 2445 Option Length 2447 8-bit unsigned integer. Length of the option, in octets, 2448 excluding the Option Type and Option Length fields. This field 2449 MUST be set to 16. 2451 Home Address 2453 The home address of the mobile node sending the packet. This 2454 address MUST be a unicast routable address. 2456 The alignment requirement [6] for the Home Address option is 8n+6. 2458 The three highest-order bits of the Option Type field are encoded to 2459 indicate specific processing of the option [6]; for the Home Address 2460 option, these three bits are set to 110. This indicates the 2461 following processing requirements: 2463 o Any IPv6 node that does not recognize the Option Type must discard 2464 the packet, and if the packet's Destination Address was not a 2465 multicast address, return an ICMP Parameter Problem, Code 2, 2466 message to the packet's Source Address. The Pointer field in the 2467 ICMP message SHOULD point at the Option Type field. Otherwise, 2468 for multicast addresses, the ICMP message MUST NOT be sent. 2470 o The data within the option cannot change en route to the packet's 2471 final destination. 2473 The Home Address option MUST be placed as follows: 2475 o After the routing header, if that header is present 2477 o Before the Fragment Header, if that header is present 2479 o Before the AH Header or ESP Header, if either one of those headers 2480 are present 2482 For each IPv6 packet header, the Home Address Option MUST NOT appear 2483 more than once. However, an encapsulated packet [7] MAY contain a 2484 separate Home Address option associated with each encapsulating IP 2485 header. 2487 The inclusion of a Home Address destination option in a packet 2488 affects the receiving node's processing of only this single packet. 2490 No state is created or modified in the receiving node as a result of 2491 receiving a Home Address option in a packet. In particular, the 2492 presence of a Home Address option in a received packet MUST NOT alter 2493 the contents of the receiver's Binding Cache and MUST NOT cause any 2494 changes in the routing of subsequent packets sent by this receiving 2495 node. 2497 6.4. Type 2 Routing Header 2499 Mobile IPv6 defines a new routing header variant, the type 2 routing 2500 header, to allow the packet to be routed directly from a 2501 correspondent to the mobile node's care-of address. The mobile 2502 node's care-of address is inserted into the IPv6 Destination Address 2503 field. Once the packet arrives at the care-of address, the mobile 2504 node retrieves its home address from the routing header, and this is 2505 used as the final destination address for the packet. 2507 The new routing header uses a different type than defined for 2508 "regular" IPv6 source routing, enabling firewalls to apply different 2509 rules to source routed packets than to Mobile IPv6. This routing 2510 header type (type 2) is restricted to carry only one IPv6 address. 2511 All IPv6 nodes which process this routing header MUST verify that the 2512 address contained within is the node's own home address in order to 2513 prevent packets from being forwarded outside the node. The IP 2514 address contained in the routing header, since it is the mobile 2515 node's home address, MUST be a unicast routable address. 2516 Furthermore, if the scope of the home address is smaller than the 2517 scope of the care-of address, the mobile node MUST discard the packet 2518 (see Section 4.6). 2520 6.4.1. Format 2522 The type 2 routing header has the following format: 2524 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2525 | Next Header | Hdr Ext Len=2 | Routing Type=2|Segments Left=1| 2526 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2527 | Reserved | 2528 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2529 | | 2530 + + 2531 | | 2532 + Home Address + 2533 | | 2534 + + 2535 | | 2536 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2538 Next Header 2540 8-bit selector. Identifies the type of header immediately 2541 following the routing header. Uses the same values as the IPv6 2542 Next Header field [6]. 2544 Hdr Ext Len 2546 2 (8-bit unsigned integer); length of the routing header in 2547 8-octet units, not including the first 8 octets. 2549 Routing Type 2551 2 (8-bit unsigned integer). 2553 Segments Left 2555 1 (8-bit unsigned integer). 2557 Reserved 2559 32-bit reserved field. The value MUST be initialized to zero by 2560 the sender, and MUST be ignored by the receiver. 2562 Home Address 2564 The Home Address of the destination Mobile Node. 2566 For a type 2 routing header, the Hdr Ext Len MUST be 2. The Segments 2567 Left value describes the number of route segments remaining; i.e., 2568 number of explicitly listed intermediate nodes still to be visited 2569 before reaching the final destination. Segments Left MUST be 1. The 2570 ordering rules for extension headers in an IPv6 packet are described 2571 in Section 4.1 of RFC 2460 [6]. The type 2 routing header defined 2572 for Mobile IPv6 follows the same ordering as other routing headers. 2573 If another routing header is present along with a type 2 routing 2574 header, the type 2 routing header should follow the other routing 2575 header. A packet containing such nested encapsulation should be 2576 created as if the inner (type 2) routing header was constructed first 2577 and then treated as an original packet by header construction process 2578 for the other routing header. 2580 In addition, the general procedures defined by IPv6 for routing 2581 headers suggest that a received routing header MAY be automatically 2582 "reversed" to construct a routing header for use in any response 2583 packets sent by upper-layer protocols, if the received packet is 2584 authenticated [6]. This MUST NOT be done automatically for type 2 2585 routing headers. 2587 6.5. ICMP Home Agent Address Discovery Request Message 2589 The ICMP Home Agent Address Discovery Request message is used by a 2590 mobile node to initiate the dynamic home agent address discovery 2591 mechanism, as described in Section 11.4.1. The mobile node sends the 2592 Home Agent Address Discovery Request message to the Mobile IPv6 Home- 2593 Agents anycast address [8] for its own home subnet prefix. (Note 2594 that the currently defined anycast addresses may not work with all 2595 prefix lengths other than those defined in RFC 4291 [16] [36].) 2597 0 1 2 3 2598 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2599 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2600 | Type | Code | Checksum | 2601 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2602 | Identifier | Reserved | 2603 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2605 Type 2607 144 2609 Code 2611 0 2613 Checksum 2615 The ICMP checksum [17]. 2617 Identifier 2619 An identifier to aid in matching Home Agent Address Discovery 2620 Reply messages to this Home Agent Address Discovery Request 2621 message. 2623 Reserved 2625 This field is unused. It MUST be initialized to zero by the 2626 sender and MUST be ignored by the receiver. 2628 The Source Address of the Home Agent Address Discovery Request 2629 message packet is typically one of the mobile node's current care-of 2630 addresses. At the time of performing this dynamic home agent address 2631 discovery procedure, it is likely that the mobile node is not 2632 registered with any home agent. Therefore, neither the nature of the 2633 address nor the identity of the mobile node can be established at 2634 this time. The home agent MUST then return the Home Agent Address 2635 Discovery Reply message directly to the Source Address chosen by the 2636 mobile node. 2638 6.6. ICMP Home Agent Address Discovery Reply Message 2640 The ICMP Home Agent Address Discovery Reply message is used by a home 2641 agent to respond to a mobile node that uses the dynamic home agent 2642 address discovery mechanism, as described in Section 10.5. 2644 0 1 2 3 2645 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2646 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2647 | Type | Code | Checksum | 2648 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2649 | Identifier | Reserved | 2650 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2651 | | 2652 + + 2653 . . 2654 . Home Agent Addresses . 2655 . . 2656 + + 2657 | | 2658 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2660 Type 2662 145 2664 Code 2666 0 2668 Checksum 2670 The ICMP checksum [17]. 2672 Identifier 2674 The identifier from the invoking Home Agent Address Discovery 2675 Request message. 2677 Reserved 2679 This field is unused. It MUST be initialized to zero by the 2680 sender and MUST be ignored by the receiver. 2682 Home Agent Addresses 2684 A list of addresses of home agents on the home link for the mobile 2685 node. The number of addresses presented in the list is indicated 2686 by the remaining length of the IPv6 packet carrying the Home Agent 2687 Address Discovery Reply message. 2689 6.7. ICMP Mobile Prefix Solicitation Message Format 2691 The ICMP Mobile Prefix Solicitation Message is sent by a mobile node 2692 to its home agent while it is away from home. The purpose of the 2693 message is to solicit a Mobile Prefix Advertisement from the home 2694 agent, which will allow the mobile node to gather prefix information 2695 about its home network. This information can be used to configure 2696 and update home address(es) according to changes in prefix 2697 information supplied by the home agent. 2699 0 1 2 3 2700 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2701 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2702 | Type | Code | Checksum | 2703 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2704 | Identifier | Reserved | 2705 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2707 IP Fields: 2709 Source Address 2711 The mobile node's care-of address. 2713 Destination Address 2715 The address of the mobile node's home agent. This home agent must 2716 be on the link that the mobile node wishes to learn prefix 2717 information about. 2719 Hop Limit 2721 Set to an initial hop limit value, similarly to any other unicast 2722 packet sent by the mobile node. 2724 Destination Option: 2726 A Home Address destination option MUST be included. 2728 ESP header: 2730 IPsec headers MUST be supported and SHOULD be used as described in 2731 Section 5.4. 2733 ICMP Fields: 2735 Type 2737 146 2739 Code 2741 0 2743 Checksum 2745 The ICMP checksum [17]. 2747 Identifier 2749 An identifier to aid in matching a future Mobile Prefix 2750 Advertisement to this Mobile Prefix Solicitation. 2752 Reserved 2754 This field is unused. It MUST be initialized to zero by the 2755 sender and MUST be ignored by the receiver. 2757 The Mobile Prefix Solicitation messages may have options. These 2758 options MUST use the option format defined in Neighbor Discovery (RFC 2759 4861 [18]). This document does not define any option types for the 2760 Mobile Prefix Solicitation message, but future documents may define 2761 new options. Home agents MUST silently ignore any options they do 2762 not recognize and continue processing the message. 2764 6.8. ICMP Mobile Prefix Advertisement Message Format 2766 A home agent will send a Mobile Prefix Advertisement to a mobile node 2767 to distribute prefix information about the home link while the mobile 2768 node is traveling away from the home network. This will occur in 2769 response to a Mobile Prefix Solicitation with an Advertisement, or by 2770 an unsolicited Advertisement sent according to the rules in 2771 Section 10.6. 2773 0 1 2 3 2774 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2775 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2776 | Type | Code | Checksum | 2777 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2778 | Identifier |M|O| Reserved | 2779 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2780 | Options ... 2781 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2783 IP Fields: 2785 Source Address 2787 The home agent's address as the mobile node would expect to see it 2788 (i.e., same network prefix). 2790 Destination Address 2792 If this message is a response to a Mobile Prefix Solicitation, 2793 this field contains the Source Address field from that packet. 2794 For unsolicited messages, the mobile node's care-of address SHOULD 2795 be used. Note that unsolicited messages can only be sent if the 2796 mobile node is currently registered with the home agent. 2798 Routing header: 2800 A type 2 routing header MUST be included. 2802 ESP header: 2804 IPsec headers MUST be supported and SHOULD be used as described in 2805 Section 5.4. 2807 ICMP Fields: 2809 Type 2811 147 2813 Code 2815 0 2817 Checksum 2819 The ICMP checksum [17]. 2821 Identifier 2823 An identifier to aid in matching this Mobile Prefix Advertisement 2824 to a previous Mobile Prefix Solicitation. 2826 M 2828 1-bit Managed Address Configuration flag. When set, hosts use the 2829 administered (stateful) protocol for address autoconfiguration in 2830 addition to any addresses autoconfigured using stateless address 2831 autoconfiguration. The use of this flag is described in [18] 2832 [19]. 2834 O 2836 1-bit Other Stateful Configuration flag. When set, hosts use the 2837 administered (stateful) protocol for autoconfiguration of other 2838 (non-address) information. The use of this flag is described in 2839 [18] [19]. 2841 Reserved 2843 This field is unused. It MUST be initialized to zero by the 2844 sender and MUST be ignored by the receiver. 2846 The Mobile Prefix Advertisement messages may have options. These 2847 options MUST use the option format defined in Neighbor Discovery (RFC 2848 4861 [18]). This document defines one option which may be carried in 2849 a Mobile Prefix Advertisement message, but future documents may 2850 define new options. Mobile nodes MUST silently ignore any options 2851 they do not recognize and continue processing the message. 2853 Prefix Information 2855 Each message contains one or more Prefix Information options. 2856 Each option carries the prefix(es) that the mobile node should use 2857 to configure its home address(es). Section 10.6 describes which 2858 prefixes should be advertised to the mobile node. 2860 The Prefix Information option is defined in Section 4.6.2 of 2861 Neighbor Discovery (RFC 4861 [18]), with modifications defined in 2862 Section 7.2 of this specification. The home agent MUST use this 2863 modified Prefix Information option to send home network prefixes 2864 as defined in Section 10.6.1. 2866 If the Advertisement is sent in response to a Mobile Prefix 2867 Solicitation, the home agent MUST copy the Identifier value from that 2868 message into the Identifier field of the Advertisement. 2870 The home agent MUST NOT send more than one Mobile Prefix 2871 Advertisement message per second to any mobile node. 2873 The M and O bits MUST be cleared if the Home Agent DHCPv6 support is 2874 not provided. If such support is provided then they are set in 2875 concert with the home network's administrative settings. 2877 7. Modifications to IPv6 Neighbor Discovery 2879 7.1. Modified Router Advertisement Message Format 2881 Mobile IPv6 modifies the format of the Router Advertisement message 2882 [18] by the addition of a single flag bit to indicate that the router 2883 sending the Advertisement message is serving as a home agent on this 2884 link. The format of the Router Advertisement message is as follows: 2886 0 1 2 3 2887 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2888 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2889 | Type | Code | Checksum | 2890 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2891 | Cur Hop Limit |M|O|H| Reserved| Router Lifetime | 2892 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2893 | Reachable Time | 2894 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2895 | Retrans Timer | 2896 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2897 | Options ... 2898 +-+-+-+-+-+-+-+-+-+-+-+- 2900 This format represents the following changes over that originally 2901 specified for Neighbor Discovery [18]: 2903 Home Agent (H) 2905 The Home Agent (H) bit is set in a Router Advertisement to 2906 indicate that the router sending this Router Advertisement is also 2907 functioning as a Mobile IPv6 home agent on this link. 2909 Reserved 2911 Reduced from a 6-bit field to a 5-bit field to account for the 2912 addition of the above bit. 2914 7.2. Modified Prefix Information Option Format 2916 Mobile IPv6 requires knowledge of a router's global address in 2917 building a Home Agents List as part of the dynamic home agent address 2918 discovery mechanism. 2920 However, Neighbor Discovery [18] only advertises a router's link- 2921 local address, by requiring this address to be used as the IP Source 2922 Address of each Router Advertisement. 2924 Mobile IPv6 extends Neighbor Discovery to allow a router to advertise 2925 its global address, by the addition of a single flag bit in the 2926 format of a Prefix Information option for use in Router Advertisement 2927 messages. The format of the Prefix Information option is as follows: 2929 0 1 2 3 2930 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2931 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2932 | Type | Length | Prefix Length |L|A|R|Reserved1| 2933 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2934 | Valid Lifetime | 2935 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2936 | Preferred Lifetime | 2937 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2938 | Reserved2 | 2939 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2940 | | 2941 + + 2942 | | 2943 + Prefix + 2944 | | 2945 + + 2946 | | 2947 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2949 This format represents the following changes over that originally 2950 specified for Neighbor Discovery [18]: 2952 Router Address (R) 2954 1-bit router address flag. When set, indicates that the Prefix 2955 field contains a complete IP address assigned to the sending 2956 router. The indicated prefix is given by the first Prefix Length 2957 bits of the Prefix field. The router IP address has the same 2958 scope and conforms to the same lifetime values as the advertised 2959 prefix. This use of the Prefix field is compatible with its use 2960 in advertising the prefix itself, since Prefix Advertisement uses 2961 only the leading bits. Interpretation of this flag bit is thus 2962 independent of the processing required for the On-Link (L) and 2963 Autonomous Address-Configuration (A) flag bits. 2965 Reserved1 2967 Reduced from a 6-bit field to a 5-bit field to account for the 2968 addition of the above bit. 2970 In a Router Advertisement, a home agent MUST, and all other routers 2971 MAY, include at least one Prefix Information option with the Router 2972 Address (R) bit set. Neighbor Discovery (RFC 4861 [18]) specifies 2973 that, when including all options in a Router Advertisement causes the 2974 size of the Advertisement to exceed the link MTU, multiple 2975 Advertisements can be sent, each containing a subset of the Neighbor 2976 Discovery options. Also, when sending unsolicited multicast Router 2977 Advertisements more frequently than the limit specified in RFC 4861, 2978 the sending router need not include all options in each of these 2979 Advertisements. However, in both of these cases the router SHOULD 2980 include at least one Prefix Information option with the Router 2981 Address (R) bit set in each such advertisement, if this bit is set in 2982 some advertisement sent by the router. 2984 In addition, the following requirement can assist mobile nodes in 2985 movement detection. Barring changes in the prefixes for the link, 2986 routers that send multiple Router Advertisements with the Router 2987 Address (R) bit set in some of the included Prefix Information 2988 options SHOULD provide at least one option and router address which 2989 stays the same in all of the Advertisements. 2991 7.3. New Advertisement Interval Option Format 2993 Mobile IPv6 defines a new Advertisement Interval option, used in 2994 Router Advertisement messages to advertise the interval at which the 2995 sending router sends unsolicited multicast Router Advertisements. 2996 The format of the Advertisement Interval option is as follows: 2998 0 1 2 3 2999 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 3000 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3001 | Type | Length | Reserved | 3002 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3003 | Advertisement Interval | 3004 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3006 Type 3008 7 3010 Length 3012 8-bit unsigned integer. The length of the option (including the 3013 type and length fields) is in units of 8 octets. The value of 3014 this field MUST be 1. 3016 Reserved 3018 This field is unused. It MUST be initialized to zero by the 3019 sender and MUST be ignored by the receiver. 3021 Advertisement Interval 3023 32-bit unsigned integer. The maximum time, in milliseconds, 3024 between successive unsolicited Router Advertisement messages sent 3025 by this router on this network interface. Using the conceptual 3026 router configuration variables defined by Neighbor Discovery [18], 3027 this field MUST be equal to the value MaxRtrAdvInterval, expressed 3028 in milliseconds. 3030 Routers MAY include this option in their Router Advertisements. A 3031 mobile node receiving a Router Advertisement containing this option 3032 SHOULD utilize the specified Advertisement Interval for that router 3033 in its movement detection algorithm, as described in Section 11.5.1. 3035 This option MUST be silently ignored for other Neighbor Discovery 3036 messages. 3038 7.4. New Home Agent Information Option Format 3040 Mobile IPv6 defines a new Home Agent Information option, used in 3041 Router Advertisements sent by a home agent to advertise information 3042 specific to this router's functionality as a home agent. The format 3043 of the Home Agent Information option is as follows: 3045 0 1 2 3 3046 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 3047 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3048 | Type | Length | Reserved | 3049 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3050 | Home Agent Preference | Home Agent Lifetime | 3051 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3053 Type 3055 8 3057 Length 3059 8-bit unsigned integer. The length of the option (including the 3060 type and length fields) in units of 8 octets. The value of this 3061 field MUST be 1. 3063 Reserved 3065 This field is unused. It MUST be initialized to zero by the 3066 sender and MUST be ignored by the receiver. 3068 Home Agent Preference 3070 16-bit unsigned integer. The preference for the home agent 3071 sending this Router Advertisement, for use in ordering the 3072 addresses returned to a mobile node in the Home Agent Addresses 3073 field of a Home Agent Address Discovery Reply message. Higher 3074 values mean more preferable. If this option is not included in a 3075 Router Advertisement in which the Home Agent (H) bit is set, the 3076 preference value for this home agent MUST be considered to be 0. 3077 Greater values indicate a more preferable home agent than lower 3078 values. 3080 The manual configuration of the Home Agent Preference value is 3081 described in Section 8.4. In addition, the sending home agent MAY 3082 dynamically set the Home Agent Preference value, for example 3083 basing it on the number of mobile nodes it is currently serving or 3084 on its remaining resources for serving additional mobile nodes; 3085 such dynamic settings are beyond the scope of this document. Any 3086 such dynamic setting of the Home Agent Preference, however, MUST 3087 set the preference appropriately, relative to the default Home 3088 Agent Preference value of 0 that may be in use by some home agents 3089 on this link (i.e., a home agent not including a Home Agent 3090 Information option in its Router Advertisements will be considered 3091 to have a Home Agent Preference value of 0). 3093 Home Agent Lifetime 3095 16-bit unsigned integer. The lifetime associated with the home 3096 agent in units of seconds. The default value is the same as the 3097 Router Lifetime, as specified in the main body of the Router 3098 Advertisement. The maximum value corresponds to 18.2 hours. A 3099 value of 0 MUST NOT be used. The Home Agent Lifetime applies only 3100 to this router's usefulness as a home agent; it does not apply to 3101 information contained in other message fields or options. 3103 Home agents MAY include this option in their Router Advertisements. 3104 This option MUST NOT be included in a Router Advertisement in which 3105 the Home Agent (H) bit (see Section 7.1) is not set. If this option 3106 is not included in a Router Advertisement in which the Home Agent (H) 3107 bit is set, the lifetime for this home agent MUST be considered to be 3108 the same as the Router Lifetime in the Router Advertisement. If 3109 multiple Advertisements are being sent instead of a single larger 3110 unsolicited multicast Advertisement, all of the multiple 3111 Advertisements with the Router Address (R) bit set MUST include this 3112 option with the same contents, otherwise this option MUST be omitted 3113 from all Advertisements. 3115 This option MUST be silently ignored for other Neighbor Discovery 3116 messages. 3118 If both the Home Agent Preference and Home Agent Lifetime are set to 3119 their default values specified above, this option SHOULD NOT be 3120 included in the Router Advertisement messages sent by this home 3121 agent. 3123 7.5. Changes to Sending Router Advertisements 3125 The Neighbor Discovery protocol specification [18] limits routers to 3126 a minimum interval of 3 seconds between sending unsolicited multicast 3127 Router Advertisement messages from any given network interface 3128 (limited by MinRtrAdvInterval and MaxRtrAdvInterval), stating that: 3130 "Routers generate Router Advertisements frequently enough that 3131 hosts will learn of their presence within a few minutes, but not 3132 frequently enough to rely on an absence of advertisements to 3133 detect router failure; a separate Neighbor Unreachability 3134 Detection algorithm provides failure detection." 3136 This limitation, however, is not suitable to providing timely 3137 movement detection for mobile nodes. Mobile nodes detect their own 3138 movement by learning the presence of new routers as the mobile node 3139 moves into wireless transmission range of them (or physically 3140 connects to a new wired network), and by learning that previous 3141 routers are no longer reachable. Mobile nodes MUST be able to 3142 quickly detect when they move to a link served by a new router, so 3143 that they can acquire a new care-of address and send Binding Updates 3144 to register this care-of address with their home agent and to notify 3145 correspondent nodes as needed. 3147 One method which can provide for faster movement detection, is to 3148 increase the rate at which unsolicited Router Advertisements are 3149 sent. Mobile IPv6 relaxes this limit such that routers MAY send 3150 unsolicited multicast Router Advertisements more frequently. This 3151 method can be applied where the router is expecting to provide 3152 service to visiting mobile nodes (e.g., wireless network interfaces), 3153 or on which it is serving as a home agent to one or more mobile nodes 3154 (who may return home and need to hear its Advertisements). 3156 Routers supporting mobility SHOULD be able to be configured with a 3157 smaller MinRtrAdvInterval value and MaxRtrAdvInterval value to allow 3158 sending of unsolicited multicast Router Advertisements more often. 3159 The minimum allowed values are: 3161 o MinRtrAdvInterval 0.03 seconds 3162 o MaxRtrAdvInterval 0.07 seconds 3164 In the case where the minimum intervals and delays are used, the mean 3165 time between unsolicited multicast router advertisements is 50ms. 3166 Use of these modified limits MUST be configurable (see also the 3167 configuration variable MinDelayBetweenRas in Section 13 which may 3168 also have to be modified accordingly). Systems where these values 3169 are available MUST NOT default to them, and SHOULD default to values 3170 specified in Neighbor Discovery (RFC 4861 [18]). Knowledge of the 3171 type of network interface and operating environment SHOULD be taken 3172 into account in configuring these limits for each network interface. 3173 This is important with some wireless links, where increasing the 3174 frequency of multicast beacons can cause considerable overhead. 3175 Routers SHOULD adhere to the intervals specified in RFC 4861 [18], if 3176 this overhead is likely to cause service degradation. 3178 Additionally, the possible low values of MaxRtrAdvInterval may cause 3179 some problems with movement detection in some mobile nodes. To 3180 ensure that this is not a problem, Routers SHOULD add 20ms to any 3181 Advertisement Intervals sent in RAs, which are below 200 ms, in order 3182 to account for scheduling granularities on both the MN and the 3183 Router. 3185 Note that multicast Router Advertisements are not always required in 3186 certain wireless networks that have limited bandwidth. Mobility 3187 detection or link changes in such networks may be done at lower 3188 layers. Router advertisements in such networks SHOULD be sent only 3189 when solicited. In such networks it SHOULD be possible to disable 3190 unsolicited multicast Router Advertisements on specific interfaces. 3191 The MinRtrAdvInterval and MaxRtrAdvInterval in such a case can be set 3192 to some high values. 3194 Home agents MUST include the Source Link-Layer Address option in all 3195 Router Advertisements they send. This simplifies the process of 3196 returning home, as discussed in Section 11.5.5. 3198 Note that according to Neighbor Discovery (RFC 4861 [18]), 3199 AdvDefaultLifetime is by default based on the value of 3200 MaxRtrAdvInterval. AdvDefaultLifetime is used in the Router Lifetime 3201 field of Router Advertisements. Given that this field is expressed 3202 in seconds, a small MaxRtrAdvInterval value can result in a zero 3203 value for this field. To prevent this, routers SHOULD keep 3204 AdvDefaultLifetime in at least one second, even if the use of 3205 MaxRtrAdvInterval would result in a smaller value. 3207 8. Requirements for Types of IPv6 Nodes 3209 Mobile IPv6 places some special requirements on the functions 3210 provided by different types of IPv6 nodes. This section summarizes 3211 those requirements, identifying the functionality each requirement is 3212 intended to support. 3214 The requirements are set for the following groups of nodes: 3216 o All IPv6 nodes. 3218 o All IPv6 nodes with support for route optimization. 3220 o All IPv6 routers. 3222 o All Mobile IPv6 home agents. 3224 o All Mobile IPv6 mobile nodes. 3226 It is outside the scope of this specification to specify which of 3227 these groups are mandatory in IPv6. We only describe what is 3228 mandatory for a node that supports, for instance, route optimization. 3229 Other specifications are expected to define the extent of IPv6. 3231 8.1. All IPv6 Nodes 3233 Any IPv6 node may at any time be a correspondent node of a mobile 3234 node, either sending a packet to a mobile node or receiving a packet 3235 from a mobile node. There are no Mobile IPv6 specific MUST 3236 requirements for such nodes, and basic IPv6 techniques are 3237 sufficient. If a mobile node attempts to set up route optimization 3238 with a node with only basic IPv6 support, an ICMP error will signal 3239 that the node does not support such optimizations (Section 11.3.5), 3240 and communications will flow through the home agent . 3242 An IPv6 node MUST NOT support the Home Address destination option, 3243 type 2 routing header, or the Mobility Header unless it fully 3244 supports the requirements listed in the next sections for either 3245 route optimization, mobile node, or home agent functionality. 3247 8.2. IPv6 Nodes with Support for Route Optimization 3249 Nodes that implement route optimization are a subset of all IPv6 3250 nodes on the Internet. The ability of a correspondent node to 3251 participate in route optimization is essential for the efficient 3252 operation of the IPv6 Internet, for the following reasons: 3254 o Avoidance of congestion in the home network, and enabling the use 3255 of lower-performance home agent equipment even for supporting 3256 thousands of mobile nodes. 3258 o Reduced network load across the entire Internet, as mobile devices 3259 begin to predominate. 3261 o Reduction of jitter and latency for the communications. 3263 o Greater likelihood of success for QoS signaling as tunneling is 3264 avoided and, again, fewer sources of congestion. 3266 o Improved robustness against network partitions, congestion, and 3267 other problems, since fewer routing path segments are traversed. 3269 These effects combine to enable much better performance and 3270 robustness for communications between mobile nodes and IPv6 3271 correspondent nodes. Route optimization introduces a small amount of 3272 additional state for the peers, some additional messaging, and up to 3273 1.5 roundtrip delays before it can be turned on. However, it is 3274 believed that the benefits far outweigh the costs in most cases. 3275 Section 11.3.1 discusses how mobile nodes may avoid route 3276 optimization for some of the remaining cases, such as very short-term 3277 communications. 3279 The following requirements apply to all correspondent nodes that 3280 support route optimization: 3282 o The node MUST be able to validate a Home Address option using an 3283 existing Binding Cache entry, as described in Section 9.3.1. 3285 o The node MUST be able to insert a type 2 routing header into 3286 packets to be sent to a mobile node, as described in 3287 Section 9.3.2. 3289 o Unless the correspondent node is also acting as a mobile node, it 3290 MUST ignore type 2 routing headers and silently discard all 3291 packets that it has received with such headers. 3293 o The node SHOULD be able to interpret ICMP messages as described in 3294 Section 9.3.4. 3296 o The node MUST be able to send Binding Error messages as described 3297 in Section 9.3.3. 3299 o The node MUST be able to process Mobility Headers as described in 3300 Section 9.2. 3302 o The node MUST be able to participate in a return routability 3303 procedure (Section 9.4). 3305 o The node MUST be able to process Binding Update messages 3306 (Section 9.5). 3308 o The node MUST be able to return a Binding Acknowledgement 3309 (Section 9.5.4). 3311 o The node MUST be able to maintain a Binding Cache of the bindings 3312 received in accepted Binding Updates, as described in Section 9.1 3313 and Section 9.6. 3315 o The node SHOULD allow route optimization to be administratively 3316 enabled or disabled. The default SHOULD be enabled. 3318 8.3. All IPv6 Routers 3320 All IPv6 routers, even those not serving as a home agent for Mobile 3321 IPv6, have an effect on how well mobile nodes can communicate: 3323 o Every IPv6 router SHOULD be able to send an Advertisement Interval 3324 option (Section 7.3) in each of its Router Advertisements [18], to 3325 aid movement detection by mobile nodes (as in Section 11.5.1). 3326 The use of this option in Router Advertisements SHOULD be 3327 configurable. 3329 o Every IPv6 router SHOULD be able to support sending unsolicited 3330 multicast Router Advertisements at the faster rate described in 3331 Section 7.5. If the router supports a faster rate, the used rate 3332 MUST be configurable. 3334 o Each router SHOULD include at least one prefix with the Router 3335 Address (R) bit set and with its full IP address in its Router 3336 Advertisements (as described in Section 7.2). 3338 o Routers supporting filtering packets with routing headers SHOULD 3339 support different rules for type 0 and type 2 routing headers (see 3340 Section 6.4) so that filtering of source routed packets (type 0) 3341 will not necessarily limit Mobile IPv6 traffic which is delivered 3342 via type 2 routing headers. 3344 8.4. IPv6 Home Agents 3346 In order for a mobile node to operate correctly while away from home, 3347 at least one IPv6 router on the mobile node's home link must function 3348 as a home agent for the mobile node. The following additional 3349 requirements apply to all IPv6 routers that serve as a home agent: 3351 o Every home agent MUST be able to maintain an entry in its Binding 3352 Cache for each mobile node for which it is serving as the home 3353 agent (Section 10.1 and Section 10.3.1). 3355 o Every home agent MUST be able to intercept packets (using proxy 3356 Neighbor Discovery [18]) addressed to a mobile node for which it 3357 is currently serving as the home agent, on that mobile node's home 3358 link, while the mobile node is away from home (Section 10.4.1). 3360 o Every home agent MUST be able to encapsulate [7] such intercepted 3361 packets in order to tunnel them to the primary care-of address for 3362 the mobile node indicated in its binding in the home agent's 3363 Binding Cache (Section 10.4.2). 3365 o Every home agent MUST support decapsulating [7] reverse tunneled 3366 packets sent to it from a mobile node's home address. Every home 3367 agent MUST also check that the source address in the tunneled 3368 packets corresponds to the currently registered location of the 3369 mobile node (Section 10.4.5). 3371 o The node MUST be able to process Mobility Headers as described in 3372 Section 10.2. 3374 o Every home agent MUST be able to return a Binding Acknowledgement 3375 in response to a Binding Update (Section 10.3.1). 3377 o Every home agent MUST maintain a separate Home Agents List for 3378 each link on which it is serving as a home agent, as described in 3379 Section 10.1 and Section 10.5.1. 3381 o Every home agent MUST be able to accept packets addressed to the 3382 Mobile IPv6 Home-Agents anycast address [8] for the subnet on 3383 which it is serving as a home agent, and MUST be able to 3384 participate in dynamic home agent address discovery 3385 (Section 10.5). 3387 o Every home agent SHOULD support a configuration mechanism to allow 3388 a system administrator to manually set the value to be sent by 3389 this home agent in the Home Agent Preference field of the Home 3390 Agent Information Option in Router Advertisements that it sends 3391 (Section 7.4). 3393 o Every home agent SHOULD support sending ICMP Mobile Prefix 3394 Advertisements (Section 6.8), and SHOULD respond to Mobile Prefix 3395 Solicitations (Section 6.7). If supported, this behavior MUST be 3396 configurable, so that home agents can be configured to avoid 3397 sending such Prefix Advertisements according to the needs of the 3398 network administration in the home domain. 3400 o Every home agent MUST support IPsec ESP for protection of packets 3401 belonging to the return routability procedure (Section 10.4.6). 3403 o Every home agent SHOULD support the multicast group membership 3404 control protocols as described in Section 10.4.3. If this support 3405 is provided, the home agent MUST be capable of using it to 3406 determine which multicast data packets to forward via the tunnel 3407 to the mobile node. 3409 o Home agents MAY support stateful address autoconfiguration for 3410 mobile nodes as described in Section 10.4.4. 3412 8.5. IPv6 Mobile Nodes 3414 Finally, the following requirements apply to all IPv6 nodes capable 3415 of functioning as mobile nodes: 3417 o The node MUST maintain a Binding Update List (Section 11.1). 3419 o The node MUST support sending packets containing a Home Address 3420 option (Section 11.3.1), and follow the required IPsec interaction 3421 (Section 11.3.2). 3423 o The node MUST be able to perform IPv6 encapsulation and 3424 decapsulation [7]. 3426 o The node MUST be able to process type 2 routing header as defined 3427 in Section 6.4 and Section 11.3.3. 3429 o The node MUST support receiving a Binding Error message 3430 (Section 11.3.6). 3432 o The node MUST support receiving ICMP errors (Section 11.3.5). 3434 o The node MUST support movement detection, care-of address 3435 formation, and returning home (Section 11.5). 3437 o The node MUST be able to process Mobility Headers as described in 3438 Section 11.2. 3440 o The node MUST support the return routability procedure 3441 (Section 11.6). 3443 o The node MUST be able to send Binding Updates, as specified in 3444 Section 11.7.1 and Section 11.7.2. 3446 o The node MUST be able to receive and process Binding 3447 Acknowledgements, as specified in Section 11.7.3. 3449 o The node MUST support receiving a Binding Refresh Request 3450 (Section 6.1.2), by responding with a Binding Update. 3452 o The node MUST support receiving Mobile Prefix Advertisements 3453 (Section 11.4.3) and reconfiguring its home address based on the 3454 prefix information contained therein. 3456 o The node SHOULD support use of the dynamic home agent address 3457 discovery mechanism, as described in Section 11.4.1. 3459 o The node MUST allow route optimization to be administratively 3460 enabled or disabled. The default SHOULD be enabled. 3462 o The node MAY support the multicast address listener part of a 3463 multicast group membership protocol as described in 3464 Section 11.3.4. If this support is provided, the mobile node MUST 3465 be able to receive tunneled multicast packets from the home agent. 3467 o The node MAY support stateful address autoconfiguration mechanisms 3468 such as DHCPv6 [30] on the interface represented by the tunnel to 3469 the home agent. 3471 9. Correspondent Node Operation 3473 9.1. Conceptual Data Structures 3475 IPv6 nodes with route optimization support maintain a Binding Cache 3476 of bindings for other nodes. A separate Binding Cache SHOULD be 3477 maintained by each IPv6 node for each of its unicast routable 3478 addresses. The Binding Cache MAY be implemented in any manner 3479 consistent with the external behavior described in this document, for 3480 example by being combined with the node's Destination Cache as 3481 maintained by Neighbor Discovery [18]. When sending a packet, the 3482 Binding Cache is searched before the Neighbor Discovery conceptual 3483 Destination Cache [18]. 3485 Each Binding Cache entry conceptually contains the following fields: 3487 o The home address of the mobile node for which this is the Binding 3488 Cache entry. This field is used as the key for searching the 3489 Binding Cache for the destination address of a packet being sent. 3491 o The care-of address for the mobile node indicated by the home 3492 address field in this Binding Cache entry. 3494 o A lifetime value, indicating the remaining lifetime for this 3495 Binding Cache entry. The lifetime value is initialized from the 3496 Lifetime field in the Binding Update that created or last modified 3497 this Binding Cache entry. A correspondent node MAY select a 3498 smaller lifetime for the Binding Cache entry, and supply that 3499 value to the mobile node in the Binding Acknowledgment message. 3501 o A flag indicating whether or not this Binding Cache entry is a 3502 home registration entry (applicable only on nodes which support 3503 home agent functionality). 3505 o The maximum value of the Sequence Number field received in 3506 previous Binding Updates for this home address. The Sequence 3507 Number field is 16 bits long. Sequence Number values MUST be 3508 compared modulo 2**16 as explained in Section 9.5.1. 3510 o Usage information for this Binding Cache entry. This is needed to 3511 implement the cache replacement policy in use in the Binding 3512 Cache. Recent use of a cache entry also serves as an indication 3513 that a Binding Refresh Request should be sent when the lifetime of 3514 this entry nears expiration. 3516 Binding Cache entries not marked as home registrations MAY be 3517 replaced at any time by any reasonable local cache replacement policy 3518 but SHOULD NOT be unnecessarily deleted. The Binding Cache for any 3519 one of a node's IPv6 addresses may contain at most one entry for each 3520 mobile node home address. The contents of a node's Binding Cache 3521 MUST NOT be changed in response to a Home Address option in a 3522 received packet. 3524 9.2. Processing Mobility Headers 3526 Mobility Header processing MUST observe the following rules: 3528 o The checksum must be verified as per Section 6.1. If invalid, the 3529 node MUST silently discard the message. 3531 o The MH Type field MUST have a known value (Section 6.1.1). 3532 Otherwise, the node MUST discard the message and issue a Binding 3533 Error message as described in Section 9.3.3, with Status field set 3534 to 2 (unrecognized MH Type value). 3536 o The Payload Proto field MUST be IPPROTO_NONE (59 decimal). 3537 Otherwise, the node MUST discard the message and SHOULD send ICMP 3538 Parameter Problem, Code 0, directly to the Source Address of the 3539 packet as specified in RFC 4443 [17]. Thus no Binding Cache 3540 information is used in sending the ICMP message. The Pointer 3541 field in the ICMP message SHOULD point at the Payload Proto field. 3543 o The Header Len field in the Mobility Header MUST NOT be less than 3544 the length specified for this particular type of message in 3545 Section 6.1. Otherwise, the node MUST discard the message and 3546 SHOULD send ICMP Parameter Problem, Code 0, directly to the Source 3547 Address of the packet as specified in RFC 4443 [17]. (The Binding 3548 Cache information is again not used.) The Pointer field in the 3549 ICMP message SHOULD point at the Header Len field. 3551 Subsequent checks depend on the particular Mobility Header. 3553 9.3. Packet Processing 3555 This section describes how the correspondent node sends packets to 3556 the mobile node, and receives packets from it. 3558 9.3.1. Receiving Packets with Home Address Option 3560 Packets containing a Home Address option MUST be dropped if the given 3561 home address is not a unicast routable address. 3563 Mobile nodes can include a Home Address destination option in a 3564 packet if they believe the correspondent node has a Binding Cache 3565 entry for the home address of a mobile node. If the Next Header 3566 value of the Destination Option is one of the following: {50 (ESP), 3567 51 (AH), 135 (Mobility Header)}, the packet SHOULD be processed 3568 normally. Otherwise, the packet MUST be dropped if there is no 3569 corresponding Binding Cache entry. A corresponding Binding Cache 3570 entry MUST have the same home address as appears in the Home Address 3571 destination option, and the currently registered care-of address MUST 3572 be equal to the source address of the packet. 3574 If the packet is dropped due to the above tests, the correspondent 3575 node MUST send the Binding Error message as described in 3576 Section 9.3.3. The Status field in this message should be set to 1 3577 (unknown binding for Home Address destination option). 3579 The correspondent node MUST process the option in a manner consistent 3580 with exchanging the Home Address field from the Home Address option 3581 into the IPv6 header and replacing the original value of the Source 3582 Address field there. After all IPv6 options have been processed, it 3583 MUST be possible for upper layers to process the packet without the 3584 knowledge that it came originally from a care-of address or that a 3585 Home Address option was used. 3587 The use of IPsec Authentication Header (AH) for the Home Address 3588 option is not required, except that if the IPv6 header of a packet is 3589 covered by AH, then the authentication MUST also cover the Home 3590 Address option; this coverage is achieved automatically by the 3591 definition of the Option Type code for the Home Address option, since 3592 it indicates that the data within the option cannot change en route 3593 to the packet's final destination, and thus the option is included in 3594 the AH computation. By requiring that any authentication of the IPv6 3595 header also cover the Home Address option, the security of the Source 3596 Address field in the IPv6 header is not compromised by the presence 3597 of a Home Address option. 3599 When attempting to verify AH authentication data in a packet that 3600 contains a Home Address option, the receiving node MUST calculate the 3601 AH authentication data as if the following were true: The Home 3602 Address option contains the care-of address, and the source IPv6 3603 address field of the IPv6 header contains the home address. This 3604 conforms with the calculation specified in Section 11.3.2. 3606 9.3.2. Sending Packets to a Mobile Node 3608 Before sending any packet, the sending node SHOULD examine its 3609 Binding Cache for an entry for the destination address to which the 3610 packet is being sent. If the sending node has a Binding Cache entry 3611 for this address, the sending node SHOULD use a type 2 routing header 3612 to route the packet to this mobile node (the destination node) by way 3613 of its care-of address. However, the sending node MUST NOT do this 3614 in the following cases: 3616 o When sending an IPv6 Neighbor Discovery [18] packet. 3618 o Where otherwise noted in Section 6.1. 3620 When calculating authentication data in a packet that contains a type 3621 2 routing header, the correspondent node MUST calculate the AH 3622 authentication data as if the following were true: The routing header 3623 contains the care-of address, the destination IPv6 address field of 3624 the IPv6 header contains the home address, and the Segments Left 3625 field is zero. The IPsec Security Policy Database lookup MUST based 3626 on the mobile node's home address. 3628 For instance, assuming there are no additional routing headers in 3629 this packet beyond those needed by Mobile IPv6, the correspondent 3630 node could set the fields in the packet's IPv6 header and routing 3631 header as follows: 3633 o The Destination Address in the packet's IPv6 header is set to the 3634 mobile node's home address (the original destination address to 3635 which the packet was being sent). 3637 o The routing header is initialized to contain a single route 3638 segment, containing the mobile node's care-of address copied from 3639 the Binding Cache entry. The Segments Left field is, however, 3640 temporarily set to zero. 3642 The IP layer will insert the routing header before performing any 3643 necessary IPsec processing. Once all IPsec processing has been 3644 performed, the node swaps the IPv6 destination field with the Home 3645 Address field in the routing header, sets the Segments Left field to 3646 one, and sends the packet. This ensures the AH calculation is done 3647 on the packet in the form it will have on the receiver after 3648 advancing the routing header. 3650 Following the definition of a type 2 routing header in Section 6.4, 3651 this packet will be routed to the mobile node's care-of address, 3652 where it will be delivered to the mobile node (the mobile node has 3653 associated the care-of address with its network interface). 3655 Note that following the above conceptual model in an implementation 3656 creates some additional requirements for path MTU discovery since the 3657 layer that determines the packet size (e.g., TCP and applications 3658 using UDP) needs to be aware of the size of the headers added by the 3659 IP layer on the sending node. 3661 If, instead, the sending node has no Binding Cache entry for the 3662 destination address to which the packet is being sent, the sending 3663 node simply sends the packet normally, with no routing header. If 3664 the destination node is not a mobile node (or is a mobile node that 3665 is currently at home), the packet will be delivered directly to this 3666 node and processed normally by it. If, however, the destination node 3667 is a mobile node that is currently away from home, the packet will be 3668 intercepted by the mobile node's home agent and tunneled to the 3669 mobile node's current primary care-of address. 3671 9.3.3. Sending Binding Error Messages 3673 Section 9.2 and Section 9.3.1 describe error conditions that lead to 3674 a need to send a Binding Error message. 3676 A Binding Error message is sent directly to the address that appeared 3677 in the IPv6 Source Address field of the offending packet. If the 3678 Source Address field does not contain a unicast address, the Binding 3679 Error message MUST NOT be sent. 3681 The Home Address field in the Binding Error message MUST be copied 3682 from the Home Address field in the Home Address destination option of 3683 the offending packet, or set to the unspecified address if no such 3684 option appeared in the packet. 3686 Note that the IPv6 Source Address and Home Address field values 3687 discussed above are the values from the wire, i.e., before any 3688 modifications possibly performed as specified in Section 9.3.1. 3690 Binding Error messages SHOULD be subject to rate limiting in the same 3691 manner as is done for ICMPv6 messages [17]. 3693 9.3.4. Receiving ICMP Error Messages 3695 When the correspondent node has a Binding Cache entry for a mobile 3696 node, all traffic destined to the mobile node goes directly to the 3697 current care-of address of the mobile node using a routing header. 3698 Any ICMP error message caused by packets on their way to the care-of 3699 address will be returned in the normal manner to the correspondent 3700 node. 3702 On the other hand, if the correspondent node has no Binding Cache 3703 entry for the mobile node, the packet will be routed through the 3704 mobile node's home link. Any ICMP error message caused by the packet 3705 on its way to the mobile node while in the tunnel, will be 3706 transmitted to the mobile node's home agent. By the definition of 3707 IPv6 encapsulation [7], the home agent MUST relay certain ICMP error 3708 messages back to the original sender of the packet, which in this 3709 case is the correspondent node. 3711 Thus, in all cases, any meaningful ICMP error messages caused by 3712 packets from a correspondent node to a mobile node will be returned 3713 to the correspondent node. If the correspondent node receives 3714 persistent ICMP Destination Unreachable messages after sending 3715 packets to a mobile node based on an entry in its Binding Cache, the 3716 correspondent node SHOULD delete this Binding Cache entry. Note that 3717 if the mobile node continues to send packets with the Home Address 3718 destination option to this correspondent node, they will be dropped 3719 due to the lack of a binding. For this reason it is important that 3720 only persistent ICMP messages lead to the deletion of the Binding 3721 Cache entry. 3723 9.4. Return Routability Procedure 3725 This subsection specifies actions taken by a correspondent node 3726 during the return routability procedure. 3728 9.4.1. Receiving Home Test Init Messages 3730 Upon receiving a Home Test Init message, the correspondent node 3731 verifies the following: 3733 o The packet MUST NOT include a Home Address destination option. 3735 Any packet carrying a Home Test Init message which fails to satisfy 3736 this test MUST be silently ignored. 3738 Otherwise, in preparation for sending the corresponding Home Test 3739 Message, the correspondent node checks that it has the necessary 3740 material to engage in a return routability procedure, as specified in 3741 Section 5.2. The correspondent node MUST have a secret Kcn and a 3742 nonce. If it does not have this material yet, it MUST produce it 3743 before continuing with the return routability procedure. 3745 Section 9.4.3 specifies further processing. 3747 9.4.2. Receiving Care-of Test Init Messages 3749 Upon receiving a Care-of Test Init message, the correspondent node 3750 verifies the following: 3752 o The packet MUST NOT include a Home Address destination option. 3754 Any packet carrying a Care-of Test Init message which fails to 3755 satisfy this test MUST be silently ignored. 3757 Otherwise, in preparation for sending the corresponding Care-of Test 3758 Message, the correspondent node checks that it has the necessary 3759 material to engage in a return routability procedure in the manner 3760 described in Section 9.4.1. 3762 Section 9.4.4 specifies further processing. 3764 9.4.3. Sending Home Test Messages 3766 The correspondent node creates a home keygen token and uses the 3767 current nonce index as the Home Nonce Index. It then creates a Home 3768 Test message (Section 6.1.5) and sends it to the mobile node at the 3769 latter's home address. 3771 9.4.4. Sending Care-of Test Messages 3773 The correspondent node creates a care-of keygen token and uses the 3774 current nonce index as the Care-of Nonce Index. It then creates a 3775 Care-of Test message (Section 6.1.6) and sends it to the mobile node 3776 at the latter's care-of address. 3778 9.5. Processing Bindings 3780 This section explains how the correspondent node processes messages 3781 related to bindings. These messages are: 3783 o Binding Update 3785 o Binding Refresh Request 3787 o Binding Acknowledgement 3789 o Binding Error 3791 9.5.1. Receiving Binding Updates 3793 Before accepting a Binding Update, the receiving node MUST validate 3794 the Binding Update according to the following tests: 3796 o The packet MUST contain a unicast routable home address, either in 3797 the Home Address option or in the Source Address, if the Home 3798 Address option is not present. 3800 o The Sequence Number field in the Binding Update is greater than 3801 the Sequence Number received in the previous valid Binding Update 3802 for this home address, if any. 3804 If the receiving node has no Binding Cache entry for the indicated 3805 home address, it MUST accept any Sequence Number value in a 3806 received Binding Update from this mobile node. 3808 This Sequence Number comparison MUST be performed modulo 2**16, 3809 i.e., the number is a free running counter represented modulo 3810 65536. A Sequence Number in a received Binding Update is 3811 considered less than or equal to the last received number if its 3812 value lies in the range of the last received number and the 3813 preceding 32768 values, inclusive. For example, if the last 3814 received sequence number was 15, then messages with sequence 3815 numbers 0 through 15, as well as 32783 through 65535, would be 3816 considered less than or equal. 3818 When the Home Registration (H) bit is not set, the following are also 3819 required: 3821 o A Nonce Indices mobility option MUST be present, and the Home and 3822 Care-of Nonce Index values in this option MUST be recent enough to 3823 be recognized by the correspondent node. (Care-of Nonce Index 3824 values are not inspected for requests to delete a binding.) 3826 o The correspondent node MUST re-generate the home keygen token and 3827 the care-of keygen token from the information contained in the 3828 packet. It then generates the binding management key Kbm and uses 3829 it to verify the authenticator field in the Binding Update as 3830 specified in Section 6.1.7. 3832 o The Binding Authorization Data mobility option MUST be present, 3833 and its contents MUST satisfy rules presented in Section 5.2.6. 3834 Note that a care-of address different from the Source Address MAY 3835 have been specified by including an Alternate Care-of Address 3836 mobility option in the Binding Update. When such a message is 3837 received and the return routability procedure is used as an 3838 authorization method, the correspondent node MUST verify the 3839 authenticator by using the address within the Alternate Care-of 3840 Address in the calculations. 3842 o The Binding Authorization Data mobility option MUST be the last 3843 option and MUST NOT have trailing padding. 3845 If the Home Registration (H) bit is set, the Nonce Indices mobility 3846 option MUST NOT be present. 3848 If the mobile node sends a sequence number which is not greater than 3849 the sequence number from the last valid Binding Update for this home 3850 address, then the receiving node MUST send back a Binding 3851 Acknowledgement with status code 135, and the last accepted sequence 3852 number in the Sequence Number field of the Binding Acknowledgement. 3854 If a binding already exists for the given home address and the home 3855 registration flag has a different value than the Home Registration 3856 (H) bit in the Binding Update, then the receiving node MUST send back 3857 a Binding Acknowledgement with status code 139 (registration type 3858 change disallowed). The home registration flag stored in the Binding 3859 Cache entry MUST NOT be changed. 3861 If the receiving node no longer recognizes the Home Nonce Index 3862 value, Care-of Nonce Index value, or both values from the Binding 3863 Update, then the receiving node MUST send back a Binding 3864 Acknowledgement with status code 136, 137, or 138, respectively. 3866 Packets carrying Binding Updates that fail to satisfy all of these 3867 tests for any reason other than insufficiency of the Sequence Number, 3868 registration type change, or expired nonce index values, MUST be 3869 silently discarded. 3871 If the Binding Update is valid according to the tests above, then the 3872 Binding Update is processed further as follows: 3874 o The Sequence Number value received from a mobile node in a Binding 3875 Update is stored by the receiving node in its Binding Cache entry 3876 for the given home address. 3878 o If the Lifetime specified in the Binding Update is not zero, then 3879 this is a request to cache a binding for the home address. If the 3880 Home Registration (H) bit is set in the Binding Update, the 3881 Binding Update is processed according to the procedure specified 3882 in Section 10.3.1; otherwise, it is processed according to the 3883 procedure specified in Section 9.5.2. 3885 o If the Lifetime specified in the Binding Update is zero, then this 3886 is a request to delete the cached binding for the home address. 3887 In this case, the Binding Update MUST include a valid home nonce 3888 index, and the care-of nonce index MUST be ignored by the 3889 correspondent node. The generation of the binding management key 3890 depends then exclusively on the home keygen token (Section 5.2.5). 3891 If the Home Registration (H) bit is set in the Binding Update, the 3892 Binding Update is processed according to the procedure specified 3893 in Section 10.3.2; otherwise, it is processed according to the 3894 procedure specified in Section 9.5.3. 3896 The specified care-of address MUST be determined as follows: 3898 o If the Alternate Care-of Address option is present, the care-of 3899 address is the address in that option. 3901 o Otherwise, the care-of address is the Source Address field in the 3902 packet's IPv6 header. 3904 The home address for the binding MUST be determined as follows: 3906 o If the Home Address destination option is present, the home 3907 address is the address in that option. 3909 o Otherwise, the home address is the Source Address field in the 3910 packet's IPv6 header. 3912 9.5.2. Requests to Cache a Binding 3914 This section describes the processing of a valid Binding Update that 3915 requests a node to cache a binding, for which the Home Registration 3916 (H) bit is not set in the Binding Update. 3918 In this case, the receiving node SHOULD create a new entry in its 3919 Binding Cache for this home address, or update its existing Binding 3920 Cache entry for this home address, if such an entry already exists. 3921 The lifetime for the Binding Cache entry is initialized from the 3922 Lifetime field specified in the Binding Update, although this 3923 lifetime MAY be reduced by the node caching the binding; the lifetime 3924 for the Binding Cache entry MUST NOT be greater than the Lifetime 3925 value specified in the Binding Update. Any Binding Cache entry MUST 3926 be deleted after the expiration of its lifetime. 3928 Note that if the mobile node did not request a Binding 3929 Acknowledgement, then it is not aware of the selected shorter 3930 lifetime. The mobile node may thus use route optimization and send 3931 packets with the Home Address destination option. As discussed in 3932 Section 9.3.1, such packets will be dropped if there is no binding. 3933 This situation is recoverable, but can cause temporary packet loss. 3935 The correspondent node MAY refuse to accept a new Binding Cache entry 3936 if it does not have sufficient resources. A new entry MAY also be 3937 refused if the correspondent node believes its resources are utilized 3938 more efficiently in some other purpose, such as serving another 3939 mobile node with higher amount of traffic. In both cases the 3940 correspondent node SHOULD return a Binding Acknowledgement with 3941 status value 130. 3943 9.5.3. Requests to Delete a Binding 3945 This section describes the processing of a valid Binding Update that 3946 requests a node to delete a binding when the Home Registration (H) 3947 bit is not set in the Binding Update. 3949 Any existing binding for the given home address MUST be deleted. A 3950 Binding Cache entry for the home address MUST NOT be created in 3951 response to receiving the Binding Update. 3953 If the Binding Cache entry was created by use of return routability 3954 nonces, the correspondent node MUST ensure that the same nonces are 3955 not used again with the particular home and care-of address. If both 3956 nonces are still valid, the correspondent node has to remember the 3957 particular combination of nonce indexes, addresses, and sequence 3958 number as illegal until at least one of the nonces has become too 3959 old. 3961 9.5.4. Sending Binding Acknowledgements 3963 A Binding Acknowledgement may be sent to indicate receipt of a 3964 Binding Update as follows: 3966 o If the Binding Update was discarded as described in Section 9.2 or 3967 Section 9.5.1, a Binding Acknowledgement MUST NOT be sent. 3968 Otherwise the treatment depends on the following rules. 3970 o If the Acknowledge (A) bit is set in the Binding Update, a Binding 3971 Acknowledgement MUST be sent. Otherwise, the treatment depends on 3972 the next rule. 3974 o If the node rejects the Binding Update due to an expired nonce 3975 index, sequence number being out of window (Section 9.5.1), or 3976 insufficiency of resources (Section 9.5.2), a Binding 3977 Acknowledgement MUST be sent. If the node accepts the Binding 3978 Update, the Binding Acknowledgement SHOULD NOT be sent. 3980 If the node accepts the Binding Update and creates or updates an 3981 entry for this binding, the Status field in the Binding 3982 Acknowledgement MUST be set to a value less than 128. Otherwise, the 3983 Status field MUST be set to a value greater than or equal to 128. 3984 Values for the Status field are described in Section 6.1.8 and in the 3985 IANA registry of assigned numbers [29]. 3987 If the Status field in the Binding Acknowledgement contains the value 3988 136 (expired home nonce index), 137 (expired care-of nonce index), or 3989 138 (expired nonces) then the message MUST NOT include the Binding 3990 Authorization Data mobility option. Otherwise, the Binding 3991 Authorization Data mobility option MUST be included, and MUST meet 3992 the specific authentication requirements for Binding Acknowledgements 3993 as defined in Section 5.2. 3995 If the Source Address field of the IPv6 header that carried the 3996 Binding Update does not contain a unicast address, the Binding 3997 Acknowledgement MUST NOT be sent and the Binding Update packet MUST 3998 be silently discarded. Otherwise, the acknowledgement MUST be sent 3999 to the Source Address. Unlike the treatment of regular packets, this 4000 addressing procedure does not use information from the Binding Cache. 4002 However, a routing header is needed in some cases. If the Source 4003 Address is the home address of the mobile node, i.e., the Binding 4004 Update did not contain a Home Address destination option, then the 4005 Binding Acknowledgement MUST be sent to that address and the routing 4006 header MUST NOT be used. Otherwise, the Binding Acknowledgement MUST 4007 be sent using a type 2 routing header which contains the mobile 4008 node's home address. 4010 9.5.5. Sending Binding Refresh Requests 4012 If a Binding Cache entry being deleted is still in active use when 4013 sending packets to a mobile node, then the next packet sent to the 4014 mobile node will be routed normally to the mobile node's home link. 4015 Communication with the mobile node continues, but the tunneling from 4016 the home network creates additional overhead and latency in 4017 delivering packets to the mobile node. 4019 If the sender knows that the Binding Cache entry is still in active 4020 use, it MAY send a Binding Refresh Request message to the mobile node 4021 in an attempt to avoid this overhead and latency due to deleting and 4022 recreating the Binding Cache entry. This message is always sent to 4023 the home address of the mobile node. 4025 The correspondent node MAY retransmit Binding Refresh Request 4026 messages as long as the rate limitation is applied. The 4027 correspondent node MUST stop retransmitting when it receives a 4028 Binding Update. 4030 9.6. Cache Replacement Policy 4032 Conceptually, a node maintains a separate timer for each entry in its 4033 Binding Cache. When creating or updating a Binding Cache entry in 4034 response to a received and accepted Binding Update, the node sets the 4035 timer for this entry to the specified Lifetime period. Any entry in 4036 a node's Binding Cache MUST be deleted after the expiration of the 4037 Lifetime specified in the Binding Update from which the entry was 4038 created or last updated. 4040 Each node's Binding Cache will, by necessity, have a finite size. A 4041 node MAY use any reasonable local policy for managing the space 4042 within its Binding Cache. 4044 A node MAY choose to drop any entry already in its Binding Cache in 4045 order to make space for a new entry. For example, a "least-recently 4046 used" (LRU) strategy for cache entry replacement among entries should 4047 work well, unless the size of the Binding Cache is substantially 4048 insufficient. When entries are deleted, the correspondent node MUST 4049 follow the rules in Section 5.2.8 in order to guard the return 4050 routability procedure against replay attacks. 4052 If the node sends a packet to a destination for which it has dropped 4053 the entry from its Binding Cache, the packet will be routed through 4054 the mobile node's home link. The mobile node can detect this and 4055 establish a new binding if necessary. 4057 However, if the mobile node believes that the binding still exists, 4058 it may use route optimization and send packets with the Home Address 4059 destination option. This can create temporary packet loss, as 4060 discussed earlier, in the context of binding lifetime reductions 4061 performed by the correspondent node (Section 9.5.2). 4063 10. Home Agent Operation 4065 10.1. Conceptual Data Structures 4067 Each home agent MUST maintain a Binding Cache and Home Agents List. 4069 The rules for maintaining a Binding Cache are the same for home 4070 agents and correspondent nodes and have already been described in 4071 Section 9.1. 4073 The Home Agents List is maintained by each home agent, recording 4074 information about each router on the same link that is acting as a 4075 home agent. This list is used by the dynamic home agent address 4076 discovery mechanism. A router is known to be acting as a home agent, 4077 if it sends a Router Advertisement in which the Home Agent (H) bit is 4078 set. When the lifetime for a list entry (defined below) expires, 4079 that entry is removed from the Home Agents List. The Home Agents 4080 List is similar to the Default Router List conceptual data structure 4081 maintained by each host for Neighbor Discovery [18]. The Home Agents 4082 List MAY be implemented in any manner consistent with the external 4083 behavior described in this document. 4085 Each home agent maintains a separate Home Agents List for each link 4086 on which it is serving as a home agent. A new entry is created or an 4087 existing entry is updated in response to receipt of a valid Router 4088 Advertisement in which the Home Agent (H) bit is set. Each Home 4089 Agents List entry conceptually contains the following fields: 4091 o The link-local IP address of a home agent on the link. This 4092 address is learned through the Source Address of the Router 4093 Advertisements [18] received from the router. 4095 o One or more global IP addresses for this home agent. Global 4096 addresses are learned through Prefix Information options with the 4097 Router Address (R) bit set and received in Router Advertisements 4098 from this link-local address. Global addresses for the router in 4099 a Home Agents List entry MUST be deleted once the prefix 4100 associated with that address is no longer valid [18]. 4102 o The remaining lifetime of this Home Agents List entry. If a Home 4103 Agent Information Option is present in a Router Advertisement 4104 received from a home agent, the lifetime of the Home Agents List 4105 entry representing that home agent is initialized from the Home 4106 Agent Lifetime field in the option (if present); otherwise, the 4107 lifetime is initialized from the Router Lifetime field in the 4108 received Router Advertisement. If Home Agents List entry lifetime 4109 reaches zero, the entry MUST be deleted from the Home Agents List. 4111 o The preference for this home agent; higher values indicate a more 4112 preferable home agent. The preference value is taken from the 4113 Home Agent Preference field in the received Router Advertisement, 4114 if the Router Advertisement contains a Home Agent Information 4115 Option and is otherwise set to the default value of 0. A home 4116 agent uses this preference in ordering the Home Agents List when 4117 it sends an ICMP Home Agent Address Discovery message. 4119 10.2. Processing Mobility Headers 4121 All IPv6 home agents MUST observe the rules described in Section 9.2 4122 when processing Mobility Headers. 4124 10.3. Processing Bindings 4126 10.3.1. Primary Care-of Address Registration 4128 When a node receives a Binding Update, it MUST validate it and 4129 determine the type of Binding Update according to the steps described 4130 in Section 9.5.1. Furthermore, it MUST authenticate the Binding 4131 Update as described in Section 5.1. An authorization step specific 4132 for the home agent is also needed to ensure that only the right node 4133 can control a particular home address. This is provided through the 4134 home address unequivocally identifying the security association that 4135 must be used. 4137 This section describes the processing of a valid and authorized 4138 Binding Update when it requests the registration of the mobile node's 4139 primary care-of address. 4141 To begin processing the Binding Update, the home agent MUST perform 4142 the following sequence of tests: 4144 o If the node implements only correspondent node functionality, or 4145 has not been configured to act as a home agent, then the node MUST 4146 reject the Binding Update. The node MUST also return a Binding 4147 Acknowledgement to the mobile node, in which the Status field is 4148 set to 131 (home registration not supported). 4150 o Else, if the home address for the binding (the Home Address field 4151 in the packet's Home Address option) is not an on-link IPv6 4152 address with respect to the home agent's current Prefix List, then 4153 the home agent MUST reject the Binding Update and SHOULD return a 4154 Binding Acknowledgement to the mobile node, in which the Status 4155 field is set to 132 (not home subnet). 4157 o Else, if the home agent chooses to reject the Binding Update for 4158 any other reason (e.g., insufficient resources to serve another 4159 mobile node as a home agent), then the home agent SHOULD return a 4160 Binding Acknowledgement to the mobile node, in which the Status 4161 field is set to an appropriate value to indicate the reason for 4162 the rejection. 4164 o A Home Address destination option MUST be present in the message. 4165 It MUST be validated as described in Section 9.3.1 with the 4166 following additional rule. The Binding Cache entry existence test 4167 MUST NOT be done for IPsec packets when the Home Address option 4168 contains an address for which the receiving node could act as a 4169 home agent. 4171 If home agent accepts the Binding Update, it MUST then create a new 4172 entry in its Binding Cache for this mobile node or update its 4173 existing Binding Cache entry, if such an entry already exists. The 4174 Home Address field as received in the Home Address option provides 4175 the home address of the mobile node. 4177 The home agent MUST mark this Binding Cache entry as a home 4178 registration to indicate that the node is serving as a home agent for 4179 this binding. Binding Cache entries marked as a home registration 4180 MUST be excluded from the normal cache replacement policy used for 4181 the Binding Cache (Section 9.6) and MUST NOT be removed from the 4182 Binding Cache until the expiration of the Lifetime period. 4184 Unless this home agent already has a binding for the given home 4185 address, the home agent MUST perform Duplicate Address Detection [19] 4186 on the mobile node's home link before returning the Binding 4187 Acknowledgement. This ensures that no other node on the home link 4188 was using the mobile node's home address when the Binding Update 4189 arrived. If this Duplicate Address Detection fails for the given 4190 home address or an associated link local address, then the home agent 4191 MUST reject the complete Binding Update and MUST return a Binding 4192 Acknowledgement to the mobile node, in which the Status field is set 4193 to 134 (Duplicate Address Detection failed). When the home agent 4194 sends a successful Binding Acknowledgement to the mobile node, the 4195 home agent assures to the mobile node that its address(es) will be 4196 kept unique by the home agent for as long as the lifetime was granted 4197 for the binding. 4199 The specific addresses, which are to be tested before accepting the 4200 Binding Update and later to be defended by performing Duplicate 4201 Address Detection, depend on the setting of the Link-Local Address 4202 Compatibility (L) bit, as follows: 4204 o L=0: Defend only the given address. Do not derive a link-local 4205 address. 4207 o L=1: Defend both the given non link-local unicast (home) address 4208 and the derived link-local. The link-local address is derived by 4209 replacing the subnet prefix in the mobile node's home address with 4210 the link-local prefix. 4212 The lifetime of the Binding Cache entry depends on a number of 4213 factors: 4215 o The lifetime for the Binding Cache entry MUST NOT be greater than 4216 the Lifetime value specified in the Binding Update. 4218 o The lifetime for the Binding Cache entry MUST NOT be greater than 4219 the remaining valid lifetime for the subnet prefix in the mobile 4220 node's home address specified with the Binding Update. The 4221 remaining valid lifetime for this prefix is determined by the home 4222 agent based on its own Prefix List entry [18]. 4224 The remaining preferred lifetime SHOULD NOT have any impact on the 4225 lifetime for the Binding Cache entry. 4227 The home agent MUST remove a binding when the valid lifetime of 4228 the prefix associated with it expires. 4230 o The home agent MAY further decrease the specified lifetime for the 4231 binding, for example based on a local policy. The resulting 4232 lifetime is stored by the home agent in the Binding Cache entry, 4233 and this Binding Cache entry MUST be deleted by the home agent 4234 after the expiration of this lifetime. 4236 Regardless of the setting of the Acknowledge (A) bit in the Binding 4237 Update, the home agent MUST return a Binding Acknowledgement to the 4238 mobile node constructed as follows: 4240 o The Status field MUST be set to a value indicating success. The 4241 value 1 (accepted but prefix discovery necessary) MUST be used if 4242 the subnet prefix of the specified home address is deprecated, or 4243 becomes deprecated during the lifetime of the binding, or becomes 4244 invalid at the end of the lifetime. The value 0 MUST be used 4245 otherwise. For the purposes of comparing the binding and prefix 4246 lifetimes, the prefix lifetimes are first converted into units of 4247 four seconds by ignoring the two least significant bits. 4249 o The Key Management Mobility Capability (K) bit is set if the 4250 following conditions are all fulfilled, and cleared otherwise: 4252 * The Key Management Mobility Capability (K) bit was set in the 4253 Binding Update. 4255 * The IPsec security associations between the mobile node and the 4256 home agent have been established dynamically. 4258 * The home agent has the capability to update its endpoint in the 4259 used key management protocol to the new care-of address every 4260 time it moves. 4262 Depending on the final value of the bit in the Binding 4263 Acknowledgement, the home agent SHOULD perform the following 4264 actions: 4266 K = 0 4268 Discard key management connections, if any, to the old care-of 4269 address. If the mobile node did not have a binding before 4270 sending this Binding Update, discard the connections to the 4271 home address. 4273 K = 1 4275 Move the peer endpoint of the key management protocol 4276 connection, if any, to the new care-of address. 4278 o The Sequence Number field MUST be copied from the Sequence Number 4279 given in the Binding Update. 4281 o The Lifetime field MUST be set to the remaining lifetime for the 4282 binding as set by the home agent in its home registration Binding 4283 Cache entry for the mobile node, as described above. 4285 o If the home agent stores the Binding Cache entry in nonvolatile 4286 storage, then the Binding Refresh Advice mobility option MUST be 4287 omitted. Otherwise, the home agent MAY include this option to 4288 suggest that the mobile node refreshes its binding before the 4289 actual lifetime of the binding ends. 4291 If the Binding Refresh Advice mobility option is present, the 4292 Refresh Interval field in the option MUST be set to a value less 4293 than the Lifetime value being returned in the Binding 4294 Acknowledgement. This indicates that the mobile node SHOULD 4295 attempt to refresh its home registration at the indicated shorter 4296 interval. The home agent MUST still retain the registration for 4297 the Lifetime period, even if the mobile node does not refresh its 4298 registration within the Refresh period. 4300 The rules for selecting the Destination IP address (and possibly 4301 routing header construction) for the Binding Acknowledgement to the 4302 mobile node are the same as in Section 9.5.4. 4304 In addition, the home agent MUST follow the procedure defined in 4305 Section 10.4.1 to intercept packets on the mobile node's home link 4306 addressed to the mobile node, while the home agent is serving as the 4307 home agent for this mobile node. The home agent MUST also be 4308 prepared to accept reverse tunneled packets from the new care-of 4309 address of the mobile node, as described in Section 10.4.5. Finally, 4310 the home agent MUST also propagate new home network prefixes, as 4311 described in Section 10.6. 4313 10.3.2. Primary Care-of Address De-Registration 4315 A binding may need to be de-registered when the mobile node returns 4316 home or when the mobile node knows that it will not have any care-of 4317 addresses in the visited network. 4319 A Binding Update is validated and authorized in the manner described 4320 in the previous section; note that when the mobile node de-registers 4321 when it is at home, it MAY choose to omit the Home Address 4322 destination option, in which case the mobile node's home address is 4323 the source IP address of the de-registration Binding Update. This 4324 section describes the processing of a valid Binding Update that 4325 requests the receiving node to no longer serve as its home agent, de- 4326 registering its primary care-of address. 4328 To begin processing the Binding Update, the home agent MUST perform 4329 the following test: 4331 o If the receiving node has no entry marked as a home registration 4332 in its Binding Cache for this mobile node, then this node MUST 4333 reject the Binding Update and SHOULD return a Binding 4334 Acknowledgement to the mobile node, in which the Status field is 4335 set to 133 (not home agent for this mobile node). 4337 If the home agent does not reject the Binding Update as described 4338 above, then the home agent MUST return a Binding Acknowledgement to 4339 the mobile node, constructed as follows: 4341 o The Status field MUST be set to a value 0, indicating success. 4343 o The Key Management Mobility Capability (K) bit is set or cleared 4344 and actions based on its value are performed as described in the 4345 previous section. The mobile node's home address is used as its 4346 new care-of address for the purposes of moving the key management 4347 connection to a new endpoint. 4349 o The Sequence Number field MUST be copied from the Sequence Number 4350 given in the Binding Update. 4352 o The Lifetime field MUST be set to zero. 4354 o The Binding Refresh Advice mobility option MUST be omitted. 4356 The rules for selecting the Destination IP address (and, if required, 4357 routing header construction) for the Binding Acknowledgement to the 4358 mobile node are the same as in the previous section. When the Status 4359 field in the Binding Acknowledgement is greater than or equal to 128 4360 and the Source Address of the Binding Update is on the home link, and 4361 the Binding Update came from a mobile node on the same link, the home 4362 agent MUST send it to the mobile node's link layer address (retrieved 4363 either from the Binding Update or through Neighbor Solicitation). 4365 When a mobile node sends a Binding Update to refresh the binding from 4366 the visited link and soon after moves to the home link and sends a 4367 de-registration Binding Update, a race condition can happen if the 4368 first Binding Update gets delayed. The delayed Binding Update can 4369 cause the home agent to create a new Binding Cache entry for a mobile 4370 node that had just attached to the home link and successfully deleted 4371 the binding. This would prevent the mobile node from using its home 4372 address from the home link. 4374 In order to prevent this, the home agent SHOULD NOT remove the 4375 Binding Cache entry immediately after receiving the deregistration 4376 Binding Update from the mobile node. It SHOULD mark the Binding 4377 Cache entry as invalid, and MUST stop intercepting packets on the 4378 mobile node's home link that are addressed to the mobile node 4379 (Section 10.4.1). The home agent should wait for 4380 MAX_DELETE_BCE_TIMEOUT (Section 12) seconds before removing the 4381 Binding Cache entry completely. In the scenario described above, if 4382 the home agent receives the delayed Binding Update that the mobile 4383 node sent from the visited link, it would reject the message since 4384 the sequence number would be less than the last received 4385 deregistration Binding Update from the home link. The home agent 4386 would then send a Binding Acknowledgment with status '135' (Sequence 4387 number out of window) to the care of address on the visited link. 4388 The mobile node can continue using the home address from the home 4389 link. 4391 10.4. Packet Processing 4393 10.4.1. Intercepting Packets for a Mobile Node 4395 While a node is serving as the home agent for a mobile node it MUST 4396 attempt to intercept packets on the mobile node's home link that are 4397 addressed to the mobile node. 4399 In order to do this, when a node begins serving as the home agent it 4400 MUST have performed Duplicate Address Detection (as specified in 4401 Section 10.3.1), and subsequently it MUST multicast onto the home 4402 link a Neighbor Advertisement message [18] on behalf of the mobile 4403 node. For the home address specified in the Binding Update, the home 4404 agent sends a Neighbor Advertisement message [18] to the all-nodes 4405 multicast address on the home link to advertise the home agent's own 4406 link-layer address for this IP address on behalf of the mobile node. 4407 If the Link-Layer Address Compatibility (L) flag has been specified 4408 in the Binding Update, the home agent MUST do the same for the link- 4409 local address of the mobile node. 4411 All fields in each Neighbor Advertisement message SHOULD be set in 4412 the same way they would be set by the mobile node if it was sending 4413 this Neighbor Advertisement [18] while at home, with the following 4414 exceptions: 4416 o The Target Address in the Neighbor Advertisement MUST be set to 4417 the specific IP address for the mobile node. 4419 o The Advertisement MUST include a Target Link-layer Address option 4420 specifying the home agent's link-layer address. 4422 o The Router (R) bit in the Advertisement MUST be set to zero. 4424 o The Solicited Flag (S) in the Advertisement MUST NOT be set, since 4425 it was not solicited by any Neighbor Solicitation. 4427 o The Override Flag (O) in the Advertisement MUST be set, indicating 4428 that the Advertisement SHOULD override any existing Neighbor Cache 4429 entry at any node receiving it. 4431 o The Source Address in the IPv6 header MUST be set to the home 4432 agent's IP address on the interface used to send the 4433 advertisement. 4435 Any node on the home link that receives one of the Neighbor 4436 Advertisement messages (described above) will update its Neighbor 4437 Cache to associate the mobile node's address with the home agent's 4438 link layer address, causing it to transmit any future packets 4439 normally destined to the mobile node to the mobile node's home agent. 4440 Since multicasting on the local link (such as Ethernet) is typically 4441 not guaranteed to be reliable, the home agent MAY retransmit this 4442 Neighbor Advertisement message up to MAX_NEIGHBOR_ADVERTISEMENT (see 4443 [18]) times to increase its reliability. It is still possible that 4444 some nodes on the home link will not receive any of the Neighbor 4445 Advertisements, but these nodes will eventually be able to detect the 4446 link-layer address change for the mobile node's address through use 4447 of Neighbor Unreachability Detection [18]. 4449 While a node is serving as a home agent for some mobile node, the 4450 home agent uses IPv6 Neighbor Discovery [18] to intercept unicast 4451 packets on the home link addressed to the mobile node. In order to 4452 intercept packets in this way, the home agent MUST act as a proxy for 4453 this mobile node and reply to any received Neighbor Solicitations for 4454 it. When a home agent receives a Neighbor Solicitation, it MUST 4455 check if the Target Address specified in the message matches the 4456 address of any mobile node for which it has a Binding Cache entry 4457 marked as a home registration. 4459 If such an entry exists in the home agent's Binding Cache, the home 4460 agent MUST reply to the Neighbor Solicitation with a Neighbor 4461 Advertisement giving the home agent's own link-layer address as the 4462 link-layer address for the specified Target Address. In addition, 4463 the Router (R) bit in the Advertisement MUST be set to zero. Acting 4464 as a proxy in this way allows other nodes on the mobile node's home 4465 link to resolve the mobile node's address and for the home agent to 4466 defend these addresses on the home link for Duplicate Address 4467 Detection [18]. 4469 10.4.2. Processing Intercepted Packets 4471 For any packet sent to a mobile node from the mobile node's home 4472 agent (in which the home agent is the original sender of the packet), 4473 the home agent is operating as a correspondent node of the mobile 4474 node for this packet and the procedures described in Section 9.3.2 4475 apply. The home agent then uses a routing header to route the packet 4476 to the mobile node by way of the primary care-of address in the home 4477 agent's Binding Cache. 4479 While the mobile node is away from home, the home agent intercepts 4480 any packets on the home link addressed to the mobile node's home 4481 address, as described in Section 10.4.1. In order to forward each 4482 intercepted packet to the mobile node, the home agent MUST tunnel the 4483 packet to the mobile node using IPv6 encapsulation [7]. When a home 4484 agent encapsulates an intercepted packet for forwarding to the mobile 4485 node, the home agent sets the Source Address in the new tunnel IP 4486 header to the home agent's own IP address and sets the Destination 4487 Address in the tunnel IP header to the mobile node's primary care-of 4488 address. When received by the mobile node, normal processing of the 4489 tunnel header [7] will result in decapsulation and processing of the 4490 original packet by the mobile node. 4492 However, packets addressed to the mobile node's link-local address 4493 MUST NOT be tunneled to the mobile node. Instead, these packets MUST 4494 be discarded and the home agent SHOULD return an ICMP Destination 4495 Unreachable, Code 3, message to the packet's Source Address (unless 4496 this Source Address is a multicast address). 4498 Interception and tunneling of the following multicast addressed 4499 packets on the home network are only done if the home agent supports 4500 multicast group membership control messages from the mobile node as 4501 described in the next section. Tunneling of multicast packets to a 4502 mobile node follows similar limitations to those defined above for 4503 unicast packets addressed to the mobile node's link-local address. 4504 Multicast packets addressed to a multicast address with link-local 4505 scope [16], to which the mobile node is subscribed, MUST NOT be 4506 tunneled to the mobile node. These packets SHOULD be silently 4507 discarded (after delivering to other local multicast recipients). 4508 Multicast packets addressed to a multicast address with a scope 4509 larger than link-local, but smaller than global (e.g., site-local and 4510 organization-local [16]), to which the mobile node is subscribed, 4511 SHOULD NOT be tunneled to the mobile node. Multicast packets 4512 addressed with a global scope, to which the mobile node has 4513 successfully subscribed, MUST be tunneled to the mobile node. 4515 Before tunneling a packet to the mobile node, the home agent MUST 4516 perform any IPsec processing as indicated by the security policy data 4517 base. 4519 10.4.3. Multicast Membership Control 4521 This section is a prerequisite for the multicast data packet 4522 forwarding, described in the previous section. If this support is 4523 not provided, multicast group membership control messages are 4524 silently ignored. 4526 In order to forward multicast data packets from the home network to 4527 all the proper mobile nodes, the home agent SHOULD be capable of 4528 receiving tunneled multicast group membership control information 4529 from the mobile node in order to determine which groups the mobile 4530 node has subscribed to. These multicast group membership messages 4531 are Listener Report messages specified in MLD [9] or in other 4532 protocols such as [40]. 4534 The messages are issued by the mobile node, but sent through the 4535 reverse tunnel to the home agent. These messages are issued whenever 4536 the mobile node decides to enable reception of packets for a 4537 multicast group or in response to an MLD Query from the home agent. 4538 The mobile node will also issue multicast group control messages to 4539 disable reception of multicast packets when it is no longer 4540 interested in receiving multicasts for a particular group. 4542 To obtain the mobile node's current multicast group membership the 4543 home agent must periodically transmit MLD Query messages through the 4544 tunnel to the mobile node. These MLD periodic transmissions will 4545 ensure the home agent has an accurate record of the groups in which 4546 the mobile node is interested despite packet losses of the mobile 4547 node's MLD group membership messages. 4549 All MLD packets are sent directly between the mobile node and the 4550 home agent. Since all of these packets are destined to a link-scope 4551 multicast address and have a hop limit of 1, there is no direct 4552 forwarding of such packets between the home network and the mobile 4553 node. The MLD packets between the mobile node and the home agent are 4554 encapsulated within the same tunnel header used for other packet 4555 flows between the mobile node and home agent. 4557 Note that at this time, even though a link-local source is used on 4558 MLD packets, no functionality depends on these addresses being 4559 unique, nor do they elicit direct responses. All MLD messages are 4560 sent to multicast destinations. To avoid ambiguity on the home 4561 agent, due to mobile nodes which may choose identical link-local 4562 source addresses for their MLD function, it is necessary for the home 4563 agent to identify which mobile node was actually the issuer of a 4564 particular MLD message. This may be accomplished by noting which 4565 tunnel such an MLD arrived by, which IPsec SA was used, or by other 4566 distinguishing means. 4568 This specification puts no requirement on how the functions in this 4569 section and the multicast forwarding in Section 10.4.2 are to be 4570 achieved. At the time of this writing it was thought that a full 4571 IPv6 multicast router function would be necessary on the home agent, 4572 but it may be possible to achieve the same effects through a "proxy 4573 MLD" application coupled with kernel multicast forwarding. This may 4574 be the subject of future specifications. 4576 10.4.4. Stateful Address Autoconfiguration 4578 This section describes how home agents support the use of stateful 4579 address autoconfiguration mechanisms such as DHCPv6 [30] from the 4580 mobile nodes. If this support is not provided, then the M and O bits 4581 must remain cleared on the Mobile Prefix Advertisement Messages. Any 4582 mobile node which sends DHCPv6 messages to the home agent without 4583 this support will not receive a response. 4585 If DHCPv6 is used, packets are sent with link-local source addresses 4586 either to a link-scope multicast address or a link-local address. 4587 Mobile nodes desiring to locate a DHCPv6 service may reverse tunnel 4588 standard DHCPv6 packets to the home agent. Since these link-scope 4589 packets cannot be forwarded onto the home network, it is necessary 4590 for the home agent to either implement a DHCPv6 relay agent or a 4591 DHCPv6 server function itself. The arriving tunnel or IPsec SA of 4592 DHCPv6 link-scope messages from the mobile node must be noted so that 4593 DHCPv6 responses may be sent back to the appropriate mobile node. 4594 DHCPv6 messages sent to the mobile node with a link-local destination 4595 must be tunneled within the same tunnel header used for other packet 4596 flows. 4598 10.4.5. Handling Reverse Tunneled Packets 4600 Unless a binding has been established between the mobile node and a 4601 correspondent node, traffic from the mobile node to the correspondent 4602 node goes through a reverse tunnel. Home agents MUST support reverse 4603 tunneling as follows: 4605 o The tunneled traffic arrives to the home agent's address using 4606 IPv6 encapsulation [7]. 4608 o Depending on the security policies used by the home agent, reverse 4609 tunneled packets MAY be discarded unless accompanied by a valid 4610 ESP header. The support for authenticated reverse tunneling 4611 allows the home agent to protect the home network and 4612 correspondent nodes from malicious nodes masquerading as a mobile 4613 node. 4615 o Otherwise, when a home agent decapsulates a tunneled packet from 4616 the mobile node, the home agent MUST verify that the Source 4617 Address in the tunnel IP header is the mobile node's primary 4618 care-of address. Otherwise, any node in the Internet could send 4619 traffic through the home agent and escape ingress filtering 4620 limitations. This simple check forces the attacker to know the 4621 current location of the real mobile node and be able to defeat 4622 ingress filtering. This check is not necessary if the reverse- 4623 tunneled packet is protected by ESP in tunnel mode. 4625 10.4.6. Protecting Return Routability Packets 4627 The return routability procedure, described in Section 5.2.5, assumes 4628 that the confidentiality of the Home Test Init and Home Test messages 4629 is protected as they are tunneled between the home agent and the 4630 mobile node. Therefore, the home agent MUST support tunnel mode 4631 IPsec ESP for the protection of packets belonging to the return 4632 routability procedure. Support for a non-null encryption transform 4633 and authentication algorithm MUST be available. It is not necessary 4634 to distinguish between different kinds of packets during the return 4635 routability procedure. 4637 Security associations are needed to provide this protection. When 4638 the care-of address for the mobile node changes as a result of an 4639 accepted Binding Update, special treatment is needed for the next 4640 packets sent using these security associations. The home agent MUST 4641 set the new care-of address as the destination address of these 4642 packets, as if the outer header destination address in the security 4643 association had changed. 4645 The above protection SHOULD be used with all mobile nodes. The use 4646 is controlled by configuration of the IPsec security policy database 4647 both at the mobile node and at the home agent. 4649 As described earlier, the Binding Update and Binding Acknowledgement 4650 messages require protection between the home agent and the mobile 4651 node. The Mobility Header protocol carries both these messages as 4652 well as the return routability messages. From the point of view of 4653 the security policy database these messages are indistinguishable. 4654 When IPsec is used to protect return routability signaling or payload 4655 packets, this protection MUST only be applied to the return 4656 routability packets entering the IPv6 encapsulated tunnel interface 4657 between the mobile node and the home agent. This can be achieved, 4658 for instance, by defining the security policy database entries 4659 specifically for the tunnel interface. That is, the policy entries 4660 are not generally applied on all traffic on the physical interface(s) 4661 of the nodes, but rather only on traffic that enters the tunnel. 4662 This makes use of per-interface security policy database entries [3] 4663 specific to the tunnel interface (the node's attachment to the tunnel 4664 [6]). 4666 10.5. Dynamic Home Agent Address Discovery 4668 This section describes an optional mechanism by which a home agent 4669 can help mobile nodes to discover the addresses of other home agents 4670 on the mobile node's home network. The home agent keeps track of the 4671 other home agents on the same link and responds to queries sent by 4672 the mobile node. 4674 10.5.1. Receiving Router Advertisement Messages 4676 For each link on which a router provides service as a home agent, the 4677 router maintains a Home Agents List recording information about all 4678 other home agents on that link. This list is used in the dynamic 4679 home agent address discovery mechanism; the mobile node uses the list 4680 as described in Section 11.4.1. The information for the list is 4681 learned through receipt of the periodic unsolicited multicast Router 4682 Advertisements, in a manner similar to the Default Router List 4683 conceptual data structure maintained by each host for Neighbor 4684 Discovery [18]. In the construction of the Home Agents List, the 4685 Router Advertisements are from each (other) home agent on the link 4686 and the Home Agent (H) bit is set in them. 4688 On receipt of a valid Router Advertisement, as defined in the 4689 processing algorithm specified for Neighbor Discovery [18], the home 4690 agent performs the following steps in addition to any steps already 4691 required of it by Neighbor Discovery: 4693 o If the Home Agent (H) bit in the Router Advertisement is not set, 4694 delete the sending node's entry in the current Home Agents List 4695 (if one exists). Skip all the following steps. 4697 o Otherwise, extract the Source Address from the IP header of the 4698 Router Advertisement. This is the link-local IP address on this 4699 link of the home agent sending this Advertisement [18]. 4701 o Determine the preference for this home agent. If the Router 4702 Advertisement contains a Home Agent Information Option, then the 4703 preference is taken from the Home Agent Preference field in the 4704 option; otherwise, the default preference of 0 MUST be used. 4706 o Determine the lifetime for this home agent. If the Router 4707 Advertisement contains a Home Agent Information Option, then the 4708 lifetime is taken from the Home Agent Lifetime field in the 4709 option; otherwise, the lifetime specified by the Router Lifetime 4710 field in the Router Advertisement SHOULD be used. 4712 o If the link-local address of the home agent sending this 4713 Advertisement is already present in this home agent's Home Agents 4714 List and the received home agent lifetime value is zero, 4715 immediately delete this entry in the Home Agents List. 4717 o Otherwise, if the link-local address of the home agent sending 4718 this Advertisement is already present in the receiving home 4719 agent's Home Agents List, reset its lifetime and preference to the 4720 values determined above. 4722 o If the link-local address of the home agent sending this 4723 Advertisement is not already present in the Home Agents List 4724 maintained by the receiving home agent, and the lifetime for the 4725 sending home agent is non-zero, create a new entry in the list, 4726 and initialize its lifetime and preference to the values 4727 determined above. 4729 o If the Home Agents List entry for the link-local address of the 4730 home agent sending this Advertisement was not deleted as described 4731 above, determine any global address(es) of the home agent based on 4732 each Prefix Information option received in this Advertisement in 4733 which the Router Address (R) bit is set (Section 7.2). Add all 4734 such global addresses to the list of global addresses in this Home 4735 Agents List entry. 4737 A home agent SHOULD maintain an entry in its Home Agents List for 4738 each valid home agent address until that entry's lifetime expires, 4739 after which time the entry MUST be deleted. 4741 As described in Section 11.4.1, a mobile node attempts dynamic home 4742 agent address discovery by sending an ICMP Home Agent Address 4743 Discovery Request message to the Mobile IPv6 Home-Agents anycast 4744 address [8] for its home IP subnet prefix. A home agent receiving a 4745 Home Agent Address Discovery Request message that serves this subnet 4746 SHOULD return an ICMP Home Agent Address Discovery Reply message to 4747 the mobile node with the Source Address of the Reply packet set to 4748 one of the global unicast addresses of the home agent. The Home 4749 Agent Addresses field in the Reply message is constructed as follows: 4751 o The Home Agent Addresses field SHOULD contain all global IP 4752 addresses for each home agent currently listed in this home 4753 agent's own Home Agents List (Section 10.1). 4755 o The IP addresses in the Home Agent Addresses field SHOULD be 4756 listed in order of decreasing preference values, based either on 4757 the respective advertised preference from a Home Agent Information 4758 option or on the default preference of 0 if no preference is 4759 advertised (or on the configured home agent preference for this 4760 home agent itself). 4762 o Among home agents with equal preference, their IP addresses in the 4763 Home Agent Addresses field SHOULD be listed in an order randomized 4764 with respect to other home agents with equal preference every time 4765 a Home Agent Address Discovery Reply message is returned by this 4766 home agent. 4768 o If more than one global IP address is associated with a home 4769 agent, these addresses SHOULD be listed in a randomized order. 4771 o The home agent SHOULD reduce the number of home agent IP addresses 4772 so that the packet fits within the minimum IPv6 MTU [6]. The home 4773 agent addresses selected for inclusion in the packet SHOULD be 4774 those from the complete list with the highest preference. This 4775 limitation avoids the danger of the Reply message packet being 4776 fragmented (or rejected by an intermediate router with an ICMP 4777 Packet Too Big message [17]). 4779 10.6. Sending Prefix Information to the Mobile Node 4781 10.6.1. List of Home Network Prefixes 4783 Mobile IPv6 arranges to propagate relevant prefix information to the 4784 mobile node when it is away from home, so that it may be used in 4785 mobile node home address configuration and in network renumbering. 4786 In this mechanism, mobile nodes away from home receive Mobile Prefix 4787 Advertisement messages. These messages include Prefix Information 4788 Options for the prefixes configured on the home subnet interface(s) 4789 of the home agent. 4791 If there are multiple home agents, differences in the advertisements 4792 sent by different home agents can lead to an inability to use a 4793 particular home address when changing to another home agent. In 4794 order to ensure that the mobile nodes get the same information from 4795 different home agents, it is preferred that all of the home agents on 4796 the same link be configured in the same manner. 4798 To support this, the home agent monitors prefixes advertised by 4799 itself and other home agents on the home link. In Neighbor Discovery 4800 (RFC 4861 [18]) it is acceptable for two routers to advertise 4801 different sets of prefixes on the same link. For home agents, the 4802 differences should be detected for a given home address because the 4803 mobile node communicates only with one home agent at a time and the 4804 mobile node needs to know the full set of prefixes assigned to the 4805 home link. All other comparisons of Router Advertisements are as 4806 specified in Section 6.2.7 of RFC 4861. 4808 10.6.2. Scheduling Prefix Deliveries 4810 A home agent serving a mobile node will schedule the delivery of the 4811 new prefix information to that mobile node when any of the following 4812 conditions occur: 4814 MUST: 4816 o The state of the flags changes for the prefix of the mobile node's 4817 registered home address. 4819 o The valid or preferred lifetime is reconfigured or changes for any 4820 reason other than advancing real time. 4822 o The mobile node requests the information with a Mobile Prefix 4823 Solicitation (see Section 11.4.2). 4825 SHOULD: 4827 o A new prefix is added to the home subnet interface(s) of the home 4828 agent. 4830 MAY: 4832 o The valid or preferred lifetime or the state of the flags changes 4833 for a prefix which is not used in any Binding Cache entry for this 4834 mobile node. 4836 The home agent uses the following algorithm to determine when to send 4837 prefix information to the mobile node. 4839 o If a mobile node sends a solicitation, answer right away. 4841 o If no Mobile Prefix Advertisement has been sent to the mobile node 4842 in the last MaxMobPfxAdvInterval seconds (see Section 13), then 4843 ensure that a transmission is scheduled. The actual transmission 4844 time is randomized as described below. 4846 o If a prefix matching the mobile node's home registration is added 4847 on the home subnet interface or if its information changes in any 4848 way that does not deprecate the mobile node's address, ensure that 4849 a transmission is scheduled. The actual transmission time is 4850 randomized as described below. 4852 o If a home registration expires, cancel any scheduled 4853 advertisements to the mobile node. 4855 The list of prefixes is sent in its entirety in all cases. 4857 If the home agent has already scheduled the transmission of a Mobile 4858 Prefix Advertisement to the mobile node, then the home agent will 4859 replace the advertisement with a new one to be sent at the scheduled 4860 time. 4862 Otherwise, the home agent computes a fresh value for RAND_ADV_DELAY 4863 which offsets from the current time for the scheduled transmission. 4864 First calculate the maximum delay for the scheduled Advertisement: 4866 MaxScheduleDelay = min (MaxMobPfxAdvInterval, Preferred Lifetime), 4868 where MaxMobPfxAdvInterval is as defined in Section 12. Then compute 4869 the final delay for the advertisement: 4871 RAND_ADV_DELAY = MinMobPfxAdvInterval + 4872 (rand() % abs(MaxScheduleDelay - MinMobPfxAdvInterval)) 4874 Here rand() returns a random integer value in the range of 0 to the 4875 maximum possible integer value. This computation is expected to 4876 alleviate bursts of advertisements when prefix information changes. 4877 In addition, a home agent MAY further reduce the rate of packet 4878 transmission by further delaying individual advertisements, when 4879 necessary to avoid overwhelming local network resources. The home 4880 agent SHOULD periodically continue to retransmit an unsolicited 4881 Advertisement to the mobile node, until it is acknowledged by the 4882 receipt of a Mobile Prefix Solicitation from the mobile node. 4884 The home agent MUST wait PREFIX_ADV_TIMEOUT (see Section 12) before 4885 the first retransmission and double the retransmission wait time for 4886 every succeeding retransmission until a maximum number of 4887 PREFIX_ADV_RETRIES attempts (see Section 12) has been tried. If the 4888 mobile node's bindings expire before the matching Binding Update has 4889 been received, then the home agent MUST NOT attempt any more 4890 retransmissions, even if not all PREFIX_ADV_RETRIES have been 4891 retransmitted. In the mean time, if the mobile node sends another 4892 Binding Update without returning home, then the home agent SHOULD 4893 begin transmitting the unsolicited Advertisement again. 4895 If some condition, as described above, occurs on the home link and 4896 causes another Prefix Advertisement to be sent to the mobile node, 4897 before the mobile node acknowledges a previous transmission, the home 4898 agent SHOULD combine any Prefix Information options in the 4899 unacknowledged Mobile Prefix Advertisement into a new Advertisement. 4900 The home agent then discards the old Advertisement. 4902 10.6.3. Sending Advertisements 4904 When sending a Mobile Prefix Advertisement to the mobile node, the 4905 home agent MUST construct the packet as follows: 4907 o The Source Address in the packet's IPv6 header MUST be set to the 4908 home agent's IP address to which the mobile node addressed its 4909 current home registration or its default global home agent address 4910 if no binding exists. 4912 o If the advertisement was solicited, it MUST be destined to the 4913 source address of the solicitation. If it was triggered by prefix 4914 changes or renumbering, the advertisement's destination will be 4915 the mobile node's home address in the binding which triggered the 4916 rule. 4918 o A type 2 routing header MUST be included with the mobile node's 4919 home address. 4921 o IPsec headers MUST be supported and SHOULD be used. 4923 o The home agent MUST send the packet as it would any other unicast 4924 IPv6 packet that it originates. 4926 o Set the Managed Address Configuration (M) flag if the 4927 corresponding flag has been set in any of the Router 4928 Advertisements from which the prefix information has been learned 4929 (including the ones sent by this home agent). 4931 o Set the Other Stateful Configuration (O) flag if the corresponding 4932 flag has been set in any of the Router Advertisements from which 4933 the prefix information has been learned (including the ones sent 4934 by this home agent). 4936 10.6.4. Lifetimes for Changed Prefixes 4938 As described in Section 10.3.1, the lifetime returned by the home 4939 agent in a Binding Acknowledgement MUST NOT be greater than the 4940 remaining valid lifetime for the subnet prefix in the mobile node's 4941 home address. This limit on the binding lifetime serves to prohibit 4942 use of a mobile node's home address after it becomes invalid. 4944 11. Mobile Node Operation 4946 11.1. Conceptual Data Structures 4948 Each mobile node MUST maintain a Binding Update List. 4950 The Binding Update List records information for each Binding Update 4951 sent by this mobile node, in which the lifetime of the binding has 4952 not yet expired. The Binding Update List includes all bindings sent 4953 by the mobile node either to its home agent or correspondent nodes. 4954 It also contains Binding Updates which are waiting for the completion 4955 of the return routability procedure before they can be sent. 4956 However, for multiple Binding Updates sent to the same destination 4957 address, the Binding Update List contains only the most recent 4958 Binding Update (i.e., with the greatest Sequence Number value) sent 4959 to that destination. The Binding Update List MAY be implemented in 4960 any manner consistent with the external behavior described in this 4961 document. 4963 Each Binding Update List entry conceptually contains the following 4964 fields: 4966 o The IP address of the node to which a Binding Update was sent. 4968 o The home address for which that Binding Update was sent. 4970 o The care-of address sent in that Binding Update. This value is 4971 necessary for the mobile node to determine if it has sent a 4972 Binding Update while giving its new care-of address to this 4973 destination after changing its care-of address. 4975 o The initial value of the Lifetime field sent in that Binding 4976 Update. 4978 o The remaining lifetime of that binding. This lifetime is 4979 initialized from the Lifetime value sent in the Binding Update and 4980 is decremented until it reaches zero, at which time this entry 4981 MUST be deleted from the Binding Update List. 4983 o The maximum value of the Sequence Number field sent in previous 4984 Binding Updates to this destination. The Sequence Number field is 4985 16 bits long and all comparisons between Sequence Number values 4986 MUST be performed modulo 2**16 (see Section 9.5.1). 4988 o The time at which a Binding Update was last sent to this 4989 destination, as needed to implement the rate limiting restriction 4990 for sending Binding Updates. 4992 o The state of any retransmissions needed for this Binding Update. 4993 This state includes the time remaining until the next 4994 retransmission attempt for the Binding Update and the current 4995 state of the exponential back-off mechanism for retransmissions. 4997 o A flag specifying whether or not future Binding Updates should be 4998 sent to this destination. The mobile node sets this flag in the 4999 Binding Update List entry when it receives an ICMP Parameter 5000 Problem, Code 1, error message in response to a return routability 5001 message or Binding Update sent to that destination, as described 5002 in Section 11.3.5. 5004 The Binding Update List is used to determine whether a particular 5005 packet is sent directly to the correspondent node or tunneled via the 5006 home agent (see Section 11.3.1). 5008 The Binding Update list also conceptually contains the following data 5009 related to running the return routability procedure. This data is 5010 relevant only for Binding Updates sent to correspondent nodes. 5012 o The time at which a Home Test Init or Care-of Test Init message 5013 was last sent to this destination, as needed to implement the rate 5014 limiting restriction for the return routability procedure. 5016 o The state of any retransmissions needed for this return 5017 routability procedure. This state includes the time remaining 5018 until the next retransmission attempt and the current state of the 5019 exponential back-off mechanism for retransmissions. 5021 o Cookie values used in the Home Test Init and Care-of Test Init 5022 messages. 5024 o Home and care-of keygen tokens received from the correspondent 5025 node. 5027 o Home and care-of nonce indices received from the correspondent 5028 node. 5030 o The time at which each of the tokens and nonces were received from 5031 the correspondent node, as needed to implement reuse while moving. 5033 11.2. Processing Mobility Headers 5035 All IPv6 mobile nodes MUST observe the rules described in Section 9.2 5036 when processing Mobility Headers. 5038 11.3. Packet Processing 5040 11.3.1. Sending Packets While Away from Home 5042 While a mobile node is away from home, it continues to use its home 5043 address, as well as also using one or more care-of addresses. When 5044 sending a packet while away from home, a mobile node MAY choose among 5045 these in selecting the address that it will use as the source of the 5046 packet, as follows: 5048 o Protocols layered over IP will generally treat the mobile node's 5049 home address as its IP source address for most packets. For 5050 packets sent that are part of transport-level connections 5051 established while the mobile node was at home, the mobile node 5052 MUST use its home address. Likewise, for packets sent that are 5053 part of transport-level connections that the mobile node may still 5054 be using after moving to a new location, the mobile node SHOULD 5055 use its home address in this way. If a binding exists, the mobile 5056 node SHOULD send the packets directly to the correspondent node. 5057 Otherwise, if a binding does not exist, the mobile node MUST use 5058 reverse tunneling. 5060 o The mobile node MAY choose to directly use one of its care-of 5061 addresses as the source of the packet, not requiring the use of a 5062 Home Address option in the packet. This is particularly useful 5063 for short-term communication that may easily be retried if it 5064 fails. Using the mobile node's care-of address as the source for 5065 such queries will generally have a lower overhead than using the 5066 mobile node's home address, since no extra options need to be used 5067 in either the query or its reply. Such packets can be routed 5068 normally, directly between their source and destination without 5069 relying on Mobile IPv6. If application running on the mobile node 5070 has no particular knowledge that the communication being sent fits 5071 within this general type of communication, however, the mobile 5072 node should not use its care-of address as the source of the 5073 packet in this way. 5075 The choice of the most efficient communications method is 5076 application specific, and outside the scope of this specification. 5077 The APIs necessary for controlling the choice are also out of 5078 scope. One example of such an API is described in the IPv6 Socket 5079 API for Source Address Selection specification [43]. 5081 o While not at its home link, the mobile node MUST NOT use the Home 5082 Address destination option when communicating with link-local 5083 peers. 5085 Similarly, the mobile node MUST NOT use the Home Address 5086 destination option for IPv6 Neighbor Discovery [18] packets. 5088 Detailed operation of these cases is described later in this section 5089 and also discussed in [32]. 5091 For packets sent by a mobile node while it is at home, no special 5092 Mobile IPv6 processing is required. Likewise, if the mobile node 5093 uses any address other than one of its home addresses as the source 5094 of a packet sent while away from home, no special Mobile IPv6 5095 processing is required. In either case, the packet is simply 5096 addressed and transmitted in the same way as any normal IPv6 packet. 5098 For packets sent by the mobile node sent while away from home using 5099 the mobile node's home address as the source, special Mobile IPv6 5100 processing of the packet is required. This can be done in the 5101 following two ways: 5103 Route Optimization 5105 This manner of delivering packets does not require going through 5106 the home network, and typically will enable faster and more 5107 reliable transmission. 5109 The mobile node needs to ensure that a Binding Cache entry exists 5110 for its home address so that the correspondent node can process 5111 the packet (Section 9.3.1 specifies the rules for Home Address 5112 Destination Option Processing at a correspondent node). The 5113 mobile node SHOULD examine its Binding Update List for an entry 5114 which fulfills the following conditions: 5116 * The Source Address field of the packet being sent is equal to 5117 the home address in the entry. 5119 * The Destination Address field of the packet being sent is equal 5120 to the address of the correspondent node in the entry. 5122 * One of the current care-of addresses of the mobile node appears 5123 as the care-of address in the entry. 5125 * The entry indicates that a binding has been successfully 5126 created. 5128 * The remaining lifetime of the binding is greater than zero. 5130 When these conditions are met, the mobile node knows that the 5131 correspondent node has a suitable Binding Cache entry. 5133 A mobile node SHOULD arrange to supply the home address in a Home 5134 Address option, and MUST set the IPv6 header's Source Address 5135 field to the care-of address which the mobile node has registered 5136 to be used with this correspondent node. The correspondent node 5137 will then use the address supplied in the Home Address option to 5138 serve the function traditionally done by the Source IP address in 5139 the IPv6 header. The mobile node's home address is then supplied 5140 to higher protocol layers and applications. 5142 Specifically: 5144 * Construct the packet using the mobile node's home address as 5145 the packet's Source Address, in the same way as if the mobile 5146 node were at home. This includes the calculation of upper 5147 layer checksums using the home address as the value of the 5148 source. 5150 * Insert a Home Address option into the packet with the Home 5151 Address field copied from the original value of the Source 5152 Address field in the packet. 5154 * Change the Source Address field in the packet's IPv6 header to 5155 one of the mobile node's care-of addresses. This will 5156 typically be the mobile node's current primary care-of address, 5157 but MUST be an address assigned to the interface on the link 5158 being used. 5160 By using the care-of address as the Source Address in the IPv6 5161 header, with the mobile node's home address instead in the Home 5162 Address option, the packet will be able to safely pass through any 5163 router implementing ingress filtering [27]. 5165 Reverse Tunneling 5167 This is the mechanism which tunnels the packets via the home 5168 agent. It is not as efficient as the above mechanism, but is 5169 needed if there is no binding yet with the correspondent node. 5171 This mechanism is used for packets that have the mobile node's 5172 home address as the Source Address in the IPv6 header, or with 5173 multicast control protocol packets as described in Section 11.3.4. 5174 Specifically: 5176 * The packet is sent to the home agent using IPv6 encapsulation 5177 [7]. 5179 * The Source Address in the tunnel packet is the primary care-of 5180 address as registered with the home agent. 5182 * The Destination Address in the tunnel packet is the home 5183 agent's address. 5185 Then, the home agent will pass the encapsulated packet to the 5186 correspondent node. 5188 11.3.2. Interaction with Outbound IPsec Processing 5190 This section sketches the interaction between outbound Mobile IPv6 5191 processing and outbound IP Security (IPsec) processing for packets 5192 sent by a mobile node while away from home. Any specific 5193 implementation MAY use algorithms and data structures other than 5194 those suggested here, but its processing MUST be consistent with the 5195 effect of the operation described here and with the relevant IPsec 5196 specifications. In the steps described below, it is assumed that 5197 IPsec is being used in transport mode [3] and that the mobile node is 5198 using its home address as the source for the packet (from the point 5199 of view of higher protocol layers or applications, as described in 5200 Section 11.3.1): 5202 o The packet is created by higher layer protocols and applications 5203 (e.g., by TCP) as if the mobile node were at home and Mobile IPv6 5204 were not being used. 5206 o Determine the outgoing interface for the packet. (Note that the 5207 selection between reverse tunneling and route optimization may 5208 imply different interfaces, particularly if tunnels are considered 5209 interfaces as well.) 5211 o As part of outbound packet processing in IP, the packet is 5212 compared against the IPsec security policy database to determine 5213 what processing is required for the packet [3]. 5215 o If IPsec processing is required, the packet is either mapped to an 5216 existing Security Association (or SA bundle), or a new SA (or SA 5217 bundle) is created for the packet, according to the procedures 5218 defined for IPsec. 5220 o Since the mobile node is away from home, the mobile is either 5221 using reverse tunneling or route optimization to reach the 5222 correspondent node. 5224 If reverse tunneling is used, the packet is constructed in the 5225 normal manner and then tunneled through the home agent. 5227 If route optimization is in use, the mobile node inserts a Home 5228 Address destination option into the packet, replacing the Source 5229 Address in the packet's IP header with the care-of address used 5230 with this correspondent node, as described in Section 11.3.1. The 5231 Destination Options header in which the Home Address destination 5232 option is inserted MUST appear in the packet after the routing 5233 header, if present, and before the IPsec (AH [4] or ESP [5]) 5234 header, so that the Home Address destination option is processed 5235 by the destination node before the IPsec header is processed. 5237 Finally, once the packet is fully assembled, the necessary IPsec 5238 authentication (and encryption, if required) processing is 5239 performed on the packet, initializing the Authentication Data in 5240 the IPsec header. 5242 RFC 4302 treatment of destination options is extended as follows. 5243 The AH authentication data MUST be calculated as if the following 5244 were true: 5246 * the IPv6 source address in the IPv6 header contains the mobile 5247 node's home address, 5249 * the Home Address field of the Home Address destination option 5250 (Section 6.3) contains the new care-of address. 5252 o This allows, but does not require, the receiver of the packet 5253 containing a Home Address destination option to exchange the two 5254 fields of the incoming packet to reach the above situation, 5255 simplifying processing for all subsequent packet headers. 5256 However, such an exchange is not required, as long as the result 5257 of the authentication calculation remains the same. 5259 When an automated key management protocol is used to create new 5260 security associations for a peer, it is important to ensure that the 5261 peer can send the key management protocol packets to the mobile node. 5262 This may not be possible if the peer is the home agent of the mobile 5263 node and the purpose of the security associations would be to send a 5264 Binding Update to the home agent. Packets addressed to the home 5265 address of the mobile node cannot be used before the Binding Update 5266 has been processed. For the default case of using IKEv2 [24] as the 5267 automated key management protocol, such problems can be avoided by 5268 the following requirements when communicating with its home agent: 5270 o When the mobile node is away from home, it MUST use its care-of 5271 address as the Source Address of all packets it sends as part of 5272 the key management protocol (without use of Mobile IPv6 for these 5273 packets, as suggested in Section 11.3.1). 5275 The Key Management Mobility Capability (K) bit in Binding Updates and 5276 Acknowledgements can be used to avoid the need to rerun IKEv2 upon 5277 movements. 5279 11.3.3. Receiving Packets While Away from Home 5281 While away from home, a mobile node will receive packets addressed to 5282 its home address, by one of two methods: 5284 o Packets sent by a correspondent node, that does not have a Binding 5285 Cache entry for the mobile node, will be sent to the home address, 5286 captured by the home agent and tunneled to the mobile node. 5288 o Packets sent by a correspondent node that has a Binding Cache 5289 entry for the mobile node that contains the mobile node's current 5290 care-of address, will be sent by the correspondent node using a 5291 type 2 routing header. The packet will be addressed to the mobile 5292 node's care-of address, with the final hop in the routing header 5293 directing the packet to the mobile node's home address; the 5294 processing of this last hop of the routing header is entirely 5295 internal to the mobile node, since the care-of address and home 5296 address are both addresses within the mobile node. 5298 For packets received by the first method, the mobile node MUST check 5299 that the IPv6 source address of the tunneled packet is the IP address 5300 of its home agent. In this method, the mobile node may also send a 5301 Binding Update to the original sender of the packet as described in 5302 Section 11.7.2 and subject to the rate limiting defined in 5303 Section 11.8. The mobile node MUST also process the received packet 5304 in the manner defined for IPv6 encapsulation [7], which will result 5305 in the encapsulated (inner) packet being processed normally by upper- 5306 layer protocols within the mobile node as if it had been addressed 5307 (only) to the mobile node's home address. 5309 For packets received by the second method, the following rules will 5310 result in the packet being processed normally by upper-layer 5311 protocols within the mobile node as if it had been addressed to the 5312 mobile node's home address. 5314 A node receiving a packet addressed to itself (i.e., one of the 5315 node's addresses is in the IPv6 destination field) follows the next 5316 header chain of headers and processes them. When it encounters a 5317 type 2 routing header during this processing, it performs the 5318 following checks. If any of these checks fail, the node MUST 5319 silently discard the packet. 5321 o The length field in the routing header is exactly 2. 5323 o The segments left field in the routing header is 1 on the wire. 5324 (But implementations may process the routing header so that the 5325 value may become 0 after the routing header has been processed, 5326 but before the rest of the packet is processed.) 5328 o The Home Address field in the routing header is one of the node's 5329 home addresses, if the segments left field was 1. Thus, in 5330 particular the address field is required to be a unicast routable 5331 address. 5333 Once the above checks have been performed, the node swaps the IPv6 5334 destination field with the Home Address field in the routing header, 5335 decrements segments left by one from the value it had on the wire, 5336 and resubmits the packet to IP for processing the next header. 5337 Conceptually, this follows the same model as in RFC 2460. However, 5338 in the case of type 2 routing header this can be simplified since it 5339 is known that the packet will not be forwarded to a different node. 5341 The definition of AH requires the sender to calculate the AH 5342 integrity check value of a routing header in the same way it appears 5343 in the receiver after it has processed the header. Since IPsec 5344 headers follow the routing header, any IPsec processing will operate 5345 on the packet with the home address in the IP destination field and 5346 segments left being zero. Thus, the AH calculations at the sender 5347 and receiver will have an identical view of the packet. 5349 11.3.4. Routing Multicast Packets 5351 A mobile node that is connected to its home link functions in the 5352 same way as any other (stationary) node. Thus, when it is at home, a 5353 mobile node functions identically to other multicast senders and 5354 receivers. Therefore, this section describes the behavior of a 5355 mobile node that is not on its home link. 5357 In order to receive packets sent to some multicast group, a mobile 5358 node must join that multicast group. One method, in which a mobile 5359 node MAY join the group, is via a (local) multicast router on the 5360 foreign link being visited. In this case, the mobile node MUST use 5361 its care-of address and MUST NOT use the Home Address destination 5362 option when sending MLD packets [9]. 5364 Alternatively, a mobile node MAY join multicast groups via a bi- 5365 directional tunnel to its home agent. The mobile node tunnels its 5366 multicast group membership control packets (such as those defined in 5367 [9] or in [40]) to its home agent, and the home agent forwards 5368 multicast packets down the tunnel to the mobile node. A mobile node 5369 MUST NOT tunnel multicast group membership control packets until (1) 5370 the mobile node has a binding in place at the home agent, and (2) the 5371 latter sends at least one multicast group membership control packet 5372 via the tunnel. Once this condition is true, the mobile node SHOULD 5373 assume it does not change as long as the binding does not expire. 5375 A mobile node that wishes to send packets to a multicast group also 5376 has two options: 5378 1. Send directly on the foreign link being visited. 5380 To do this, the application uses the care-of address as a source 5381 address for multicast traffic, just as it would use a stationary 5382 address. This requires that the application either knows the 5383 care-of address, or uses an API such as the IPv6 Socket API for 5384 Source Address Selection specification [43] to request that the 5385 care-of address be used as the source address in transmitted 5386 packets. The mobile node MUST NOT use Home Address destination 5387 option in such traffic. 5389 2. Send via a tunnel to its home agent. 5391 Because multicast routing in general depends upon the Source 5392 Address used in the IPv6 header of the multicast packet, a mobile 5393 node that tunnels a multicast packet to its home agent MUST use 5394 its home address as the IPv6 Source Address of the inner 5395 multicast packet. 5397 Note that direct sending from the foreign link is only applicable 5398 while the mobile node is at that foreign link. This is because the 5399 associated multicast tree is specific to that source location and any 5400 change of location and source address will invalidate the source 5401 specific tree or branch and the application context of the other 5402 multicast group members. 5404 This specification does not provide mechanisms to enable such local 5405 multicast session to survive hand-off and to seamlessly continue from 5406 a new care-of address on each new foreign link. Any such mechanism, 5407 developed as an extension to this specification, needs to take into 5408 account the impact of fast moving mobile nodes on the Internet 5409 multicast routing protocols and their ability to maintain the 5410 integrity of source specific multicast trees and branches. 5412 While the use of bidirectional tunneling can ensure that multicast 5413 trees are independent of the mobile nodes movement, in some case such 5414 tunneling can have adverse affects. The latency of specific types of 5415 multicast applications (such as multicast based discovery protocols) 5416 will be affected when the round-trip time between the foreign subnet 5417 and the home agent is significant compared to that of the topology to 5418 be discovered. In addition, the delivery tree from the home agent in 5419 such circumstances relies on unicast encapsulation from the agent to 5420 the mobile node. Therefore, bandwidth usage is inefficient compared 5421 to the native multicast forwarding in the foreign multicast system. 5423 11.3.5. Receiving ICMP Error Messages 5425 Any node that does not recognize the Mobility header will return an 5426 ICMP Parameter Problem, Code 1, message to the sender of the packet. 5427 If the mobile node receives such an ICMP error message in response to 5428 a return routability procedure or Binding Update, it SHOULD record in 5429 its Binding Update List that future Binding Updates SHOULD NOT be 5430 sent to this destination. Such Binding Update List entries SHOULD be 5431 removed after a period of time in order to allow for retrying route 5432 optimization. 5434 New Binding Update List entries MUST NOT be created as a result of 5435 receiving ICMP error messages. 5437 Correspondent nodes that have participated in the return routability 5438 procedure MUST implement the ability to correctly process received 5439 packets containing a Home Address destination option. Therefore, 5440 correctly implemented correspondent nodes should always be able to 5441 recognize Home Address options. If a mobile node receives an ICMP 5442 Parameter Problem, Code 2, message from some node indicating that it 5443 does not support the Home Address option, the mobile node SHOULD log 5444 the error and then discard the ICMP message. 5446 11.3.6. Receiving Binding Error Messages 5448 When a mobile node receives a packet containing a Binding Error 5449 message, it should first check if the mobile node has a Binding 5450 Update List entry for the source of the Binding Error message. If 5451 the mobile node does not have such an entry, it MUST ignore the 5452 message. This is necessary to prevent a waste of resources on, e.g., 5453 return routability procedure due to spoofed Binding Error messages. 5455 Otherwise, if the message Status field was 1 (unknown binding for 5456 Home Address destination option), the mobile node should perform one 5457 of the following three actions: 5459 o If the Binding Error Message was sent by the Home Agent, the 5460 Mobile Node SHOULD send a Binding Update to the Home Agent 5461 according to Section 11.7.1. 5463 o If the mobile node has recent upper layer progress information, 5464 which indicates that communications with the correspondent node 5465 are progressing, it MAY ignore the message. This can be done in 5466 order to limit the damage that spoofed Binding Error messages can 5467 cause to ongoing communications. 5469 o If the mobile node has no upper layer progress information, it 5470 MUST remove the entry and route further communications through the 5471 home agent. It MAY also optionally start a return routability 5472 procedure (see Section 5.2). 5474 If the message Status field was 2 (unrecognized MH Type value), the 5475 mobile node should perform one of the following two actions: 5477 o If the mobile node is not expecting an acknowledgement or response 5478 from the correspondent node, the mobile node SHOULD ignore this 5479 message. 5481 o Otherwise, the mobile node SHOULD cease the use of any extensions 5482 to this specification. If no extensions had been used, the mobile 5483 node should cease the attempt to use route optimization. 5485 11.4. Home Agent and Prefix Management 5487 11.4.1. Dynamic Home Agent Address Discovery 5489 Sometimes when the mobile node needs to send a Binding Update to its 5490 home agent to register its new primary care-of address, as described 5491 in Section 11.7.1, the mobile node may not know the address of any 5492 router on its home link that can serve as a home agent for it. For 5493 example, some nodes on its home link may have been reconfigured while 5494 the mobile node has been away from home, such that the router that 5495 was operating as the mobile node's home agent has been replaced by a 5496 different router serving this role. 5498 In this case, the mobile node MAY attempt to discover the address of 5499 a suitable home agent on its home link. To do so, the mobile node 5500 sends an ICMP Home Agent Address Discovery Request message to the 5501 Mobile IPv6 Home-Agents anycast address [8] for its home subnet 5502 prefix. As described in Section 10.5, the home agent on its home 5503 link that receives this Request message will return an ICMP Home 5504 Agent Address Discovery Reply message. This message gives the 5505 addresses for the home agents operating on the home link. 5507 The mobile node, upon receiving this Home Agent Address Discovery 5508 Reply message, MAY then send its home registration Binding Update to 5509 any of the unicast IP addresses listed in the Home Agent Addresses 5510 field in the Reply. For example, the mobile node MAY attempt its 5511 home registration to each of these addresses, in turn, until its 5512 registration is accepted. The mobile node sends a Binding Update to 5513 an address and waits for the matching Binding Acknowledgement, moving 5514 on to the next address if there is no response. The mobile node 5515 MUST, however, wait at least InitialBindackTimeoutFirstReg seconds 5516 (see Section 13) before sending a Binding Update to the next home 5517 agent. In trying each of the returned home agent addresses, the 5518 mobile node SHOULD try each of them in the order they appear in the 5519 Home Agent Addresses field in the received Home Agent Address 5520 Discovery Reply message. In order to do this, the mobile node SHOULD 5521 store the list of home agents for later use in case the home agent 5522 currently managing the mobile node's care-of address forwarding 5523 should become unavailable. The list MAY be stored, along with any 5524 available lifetime information for the home agent addresses, in 5525 nonvolatile memory to survive reboots by the mobile node. 5527 If the mobile node has a current registration with some home agent 5528 (the Lifetime for that registration has not yet expired), then the 5529 mobile node MUST attempt any new registration first with that home 5530 agent. If that registration attempt fails (e.g., timed out or 5531 rejected), the mobile node SHOULD then reattempt this registration 5532 with another home agent. If the mobile node knows of no other 5533 suitable home agent, then it MAY attempt the dynamic home agent 5534 address discovery mechanism described above. 5536 If, after a mobile node transmits a Home Agent Address Discovery 5537 Request message to the Home Agents Anycast address, it does not 5538 receive a corresponding Home Agent Address Discovery Reply message 5539 within INITIAL_DHAAD_TIMEOUT (see Section 12) seconds, the mobile 5540 node MAY retransmit the same Request message to the same anycast 5541 address. This retransmission MAY be repeated up to a maximum of 5542 DHAAD_RETRIES (see Section 12) attempts. Each retransmission MUST be 5543 delayed by twice the time interval of the previous retransmission. 5545 11.4.2. Sending Mobile Prefix Solicitations 5547 When a mobile node has a home address that is about to become 5548 invalid, it SHOULD send a Mobile Prefix Solicitation to its home 5549 agent in an attempt to acquire fresh routing prefix information. The 5550 new information also enables the mobile node to participate in 5551 renumbering operations affecting the home network, as described in 5552 Section 10.6. 5554 The mobile node MUST use the Home Address destination option to carry 5555 its home address. The mobile node MUST support and SHOULD use IPsec 5556 to protect the solicitation. The mobile node MUST set the Identifier 5557 field in the ICMP header to a random value. 5559 As described in Section 11.7.2, Binding Updates sent by the mobile 5560 node to other nodes MUST use a lifetime no greater than the remaining 5561 lifetime of its home registration of its primary care-of address. 5562 The mobile node SHOULD further limit the lifetimes that it sends on 5563 any Binding Updates to be within the remaining valid lifetime (see 5564 Section 10.6.2) for the prefix in its home address. 5566 When the lifetime for a changed prefix decreases, and the change 5567 would cause cached bindings at correspondent nodes in the Binding 5568 Update List to be stored past the newly shortened lifetime, the 5569 mobile node MUST issue a Binding Update to all such correspondent 5570 nodes. 5572 These limits on the binding lifetime serve to prohibit use of a 5573 mobile node's home address after it becomes invalid. 5575 11.4.3. Receiving Mobile Prefix Advertisements 5577 Section 10.6 describes the operation of a home agent to support boot 5578 time configuration and renumbering a mobile node's home subnet while 5579 the mobile node is away from home. The home agent sends Mobile 5580 Prefix Advertisements to the mobile node while away from home, giving 5581 "important" Prefix Information options that describe changes in the 5582 prefixes in use on the mobile node's home link. 5584 The Mobile Prefix Solicitation is similar to the Router Solicitation 5585 used in Neighbor Discovery [18], except it is routed from the mobile 5586 node on the visited network to the home agent on the home network by 5587 usual unicast routing rules. 5589 When a mobile node receives a Mobile Prefix Advertisement, it MUST 5590 validate it according to the following test: 5592 o The Source Address of the IP packet carrying the Mobile Prefix 5593 Advertisement is the same as the home agent address to which the 5594 mobile node last sent an accepted home registration Binding Update 5595 to register its primary care-of address. Otherwise, if no such 5596 registrations have been made, it SHOULD be the mobile node's 5597 stored home agent address, if one exists. Otherwise, if the 5598 mobile node has not yet discovered its home agent's address, it 5599 MUST NOT accept Mobile Prefix Advertisements. 5601 o The packet MUST have a type 2 routing header and SHOULD be 5602 protected by an IPsec header as described in Section 5.4 and 5603 Section 6.8. 5605 o If the ICMP Identifier value matches the ICMP Identifier value of 5606 the most recently sent Mobile Prefix Solicitation and no other 5607 advertisement has yet been received for this value, then the 5608 advertisement is considered to be solicited and will be processed 5609 further. 5611 Otherwise, the advertisement is unsolicited, and MUST be 5612 discarded. In this case the mobile node SHOULD send a Mobile 5613 Prefix Solicitation. 5615 Any received Mobile Prefix Advertisement not meeting these tests MUST 5616 be silently discarded. 5618 For an accepted Mobile Prefix Advertisement, the mobile node MUST 5619 process Managed Address Configuration (M), Other Stateful 5620 Configuration (O), and the Prefix Information Options as if they 5621 arrived in a Router Advertisement [18] on the mobile node's home 5622 link. (This specification does not, however, describe how to acquire 5623 home addresses through stateful protocols.) Such processing may 5624 result in the mobile node configuring a new home address, although 5625 due to separation between preferred lifetime and valid lifetime, such 5626 changes should not affect most communications by the mobile node, in 5627 the same way as for nodes that are at home. 5629 This specification assumes that any security associations and 5630 security policy entries that may be needed for new prefixes have been 5631 pre-configured in the mobile node. Note that while dynamic key 5632 management avoids the need to configure new security associations, it 5633 is still necessary to add policy entries to protect the 5634 communications involving the home address(es). Mechanisms for 5635 setting up these entries are outside the scope of this specification. 5637 11.5. Movement 5639 11.5.1. Movement Detection 5641 The primary goal of movement detection is to detect L3 handovers. 5642 This section does not attempt to specify a fast movement detection 5643 algorithm which will function optimally for all types of 5644 applications, link-layers and deployment scenarios; instead, it 5645 describes a generic method that uses the facilities of IPv6 Neighbor 5646 Discovery, including Router Discovery and Neighbor Unreachability 5647 Detection. At the time of this writing, this method is considered 5648 well enough understood to recommend for standardization, however it 5649 is expected that future versions of this specification or other 5650 specifications may contain updated versions of the movement detection 5651 algorithm that have better performance. 5653 Generic movement detection uses Neighbor Unreachability Detection to 5654 detect when the default router is no longer bi-directionally 5655 reachable, in which case the mobile node must discover a new default 5656 router (usually on a new link). However, this detection only occurs 5657 when the mobile node has packets to send, and in the absence of 5658 frequent Router Advertisements or indications from the link-layer, 5659 the mobile node might become unaware of an L3 handover that occurred. 5660 Therefore, the mobile node should supplement this method with other 5661 information whenever it is available to the mobile node (e.g., from 5662 lower protocol layers). 5664 When the mobile node detects an L3 handover, it performs Duplicate 5665 Address Detection [19] on its link-local address, selects a new 5666 default router as a consequence of Router Discovery, and then 5667 performs Prefix Discovery with that new router to form new care-of 5668 address(es) as described in Section 11.5.3. It then registers its 5669 new primary care-of address with its home agent as described in 5670 Section 11.7.1. After updating its home registration, the mobile 5671 node then updates associated mobility bindings in correspondent nodes 5672 that it is performing route optimization with as specified in 5673 Section 11.7.2. 5675 Due to the temporary packet flow disruption and signaling overhead 5676 involved in updating mobility bindings, the mobile node should avoid 5677 performing an L3 handover until it is strictly necessary. 5678 Specifically, when the mobile node receives a Router Advertisement 5679 from a new router that contains a different set of on-link prefixes, 5680 if the mobile node detects that the currently selected default router 5681 on the old link is still bi-directionally reachable, it should 5682 generally continue to use the old router on the old link rather than 5683 switch away from it to use a new default router. 5685 Mobile nodes can use the information in received Router 5686 Advertisements to detect L3 handovers. In doing so the mobile node 5687 needs to consider the following issues: 5689 o There might be multiple routers on the same link, thus hearing a 5690 new router does not necessarily constitute an L3 handover. 5692 o When there are multiple routers on the same link they might 5693 advertise different prefixes. Thus even hearing a new router with 5694 a new prefix might not be a reliable indication of an L3 handover. 5696 o The link-local addresses of routers are not globally unique, hence 5697 after completing an L3 handover the mobile node might continue to 5698 receive Router Advertisements with the same link-local source 5699 address. This might be common if routers use the same link-local 5700 address on multiple interfaces. This issue can be avoided when 5701 routers use the Router Address (R) bit, since that provides a 5702 global address of the router. 5704 In addition, the mobile node should consider the following events as 5705 indications that an L3 handover may have occurred. Upon receiving 5706 such indications, the mobile node needs to perform Router Discovery 5707 to discover routers and prefixes on the new link, as described in 5708 Section 6.3.7 of Neighbor Discovery (RFC 4861 [18]). 5710 o If Router Advertisements that the mobile node receives include an 5711 Advertisement Interval option, the mobile node may use its 5712 Advertisement Interval field as an indication of the frequency 5713 with which it should expect to continue to receive future 5714 Advertisements from that router. This field specifies the minimum 5715 rate (the maximum amount of time between successive 5716 Advertisements) that the mobile node should expect. If this 5717 amount of time elapses without the mobile node receiving any 5718 Advertisement from this router, the mobile node can be sure that 5719 at least one Advertisement sent by the router has been lost. The 5720 mobile node can then implement its own policy to determine how 5721 many lost Advertisements from its current default router 5722 constitute an L3 handover indication. 5724 o Neighbor Unreachability Detection determines that the default 5725 router is no longer reachable. 5727 o With some types of networks, notification that a L2 handover has 5728 occurred might be obtained from lower layer protocols or device 5729 driver software within the mobile node. While further details 5730 around handling L2 indications as movement hints is an item for 5731 further study, at the time of writing this specification the 5732 following is considered reasonable: 5734 A L2 handover indication may or may not imply L2 movement and L2 5735 movement may or may not imply L3 movement; the correlations might 5736 be a function of the type of L2 but might also be a function of 5737 actual deployment of the wireless topology. 5739 Unless it is well-known that a L2 handover indication is likely to 5740 imply L3 movement, instead of immediately multicasting a router 5741 solicitation it may be better to attempt to verify whether the 5742 default router is still bi-directionally reachable. This can be 5743 accomplished by sending a unicast Neighbor Solicitation and 5744 waiting for a Neighbor Advertisement with the solicited flag set. 5745 Note that this is similar to Neighbor Unreachability detection but 5746 it does not have the same state machine, such as the STALE state. 5748 If the default router does not respond to the Neighbor 5749 Solicitation it makes sense to proceed to multicasting a Router 5750 Solicitation. 5752 11.5.2. Home Link Detection 5754 When an MN detects that it has arrived on a new link using the 5755 movement detection algorithm in use (Section 11.5.1,) or on 5756 bootstrapping, it performs the following steps to determine if it is 5757 on the home link. 5759 o The MN performs the procedure described in Section 11.5.3 and 5760 configures an address. It also keeps track of all the on-link 5761 prefix(es) received in the RA along with their prefix lengths. 5763 o If the home prefix has not been statically configured the MN uses 5764 some form of bootstrapping procedure (e.g. RFC5026 [22]) to 5765 determine the home prefix. 5767 o Given the availability of the home prefix, the MN checks whether 5768 or not the home prefix matches one of the prefixes received in the 5769 RA. If it does, the MN concludes that it is connected to the home 5770 link. 5772 11.5.3. Forming New Care-of Addresses 5774 After detecting that it has moved a mobile node SHOULD generate a new 5775 primary care-of address using normal IPv6 mechanisms. This SHOULD 5776 also be done when the current primary care-of address becomes 5777 deprecated. A mobile node MAY form a new primary care-of address at 5778 any time, but a mobile node MUST NOT send a Binding Update about a 5779 new care-of address to its home agent more than MAX_UPDATE_RATE times 5780 within a second. 5782 In addition, a mobile node MAY form new non-primary care-of addresses 5783 even when it has not switched to a new default router. A mobile node 5784 can have only one primary care-of address at a time (which is 5785 registered with its home agent), but it MAY have an additional 5786 care-of address for any or all of the prefixes on its current link. 5787 Furthermore, since a wireless network interface may actually allow a 5788 mobile node to be reachable on more than one link at a time (i.e., 5789 within wireless transmitter range of routers on more than one 5790 separate link), a mobile node MAY have care-of addresses on more than 5791 one link at a time. The use of more than one care-of address at a 5792 time is described in Section 11.5.4. 5794 As described in Section 4, in order to form a new care-of address, a 5795 mobile node MAY use either stateless [19] or stateful (e.g., DHCPv6 5796 [30]) Address Autoconfiguration. If a mobile node needs to use a 5797 source address (other than the unspecified address) in packets sent 5798 as a part of address autoconfiguration, it MUST use an IPv6 link- 5799 local address rather than its own IPv6 home address. 5801 RFC 4862 [19] specifies that in normal processing for Duplicate 5802 Address Detection, the node SHOULD delay sending the initial Neighbor 5803 Solicitation message by a random delay between 0 and 5804 MAX_RTR_SOLICITATION_DELAY. Since delaying DAD can result in 5805 significant delays in configuring a new care-of address when the 5806 Mobile Node moves to a new link, the Mobile Node preferably SHOULD 5807 NOT delay DAD when configuring a new care-of address. The Mobile 5808 Node SHOULD delay according to the mechanisms specified in RFC 4862 5809 unless the implementation has a behavior that desynchronizes the 5810 steps that happen before the DAD in the case that multiple nodes 5811 experience handover at the same time. Such desynchronizing behaviors 5812 might be due to random delays in the L2 protocols or device drivers, 5813 or due to the movement detection mechanism that is used. 5815 11.5.4. Using Multiple Care-of Addresses 5817 As described in Section 11.5.3, a mobile node MAY use more than one 5818 care-of address at a time. Particularly in the case of many wireless 5819 networks, a mobile node effectively might be reachable through 5820 multiple links at the same time (e.g., with overlapping wireless 5821 cells), on which different on-link subnet prefixes may exist. The 5822 mobile node MUST ensure that its primary care-of address always has a 5823 prefix that is advertised by its current default router. After 5824 selecting a new primary care-of address, the mobile node MUST send a 5825 Binding Update containing that care-of address to its home agent. 5826 The Binding Update MUST have the Home Registration (H) and 5827 Acknowledge (A) bits set its home agent, as described on 5828 Section 11.7.1. 5830 To assist with smooth handovers, a mobile node SHOULD retain its 5831 previous primary care-of address as a (non-primary) care-of address, 5832 and SHOULD still accept packets at this address, even after 5833 registering its new primary care-of address with its home agent. 5834 This is reasonable, since the mobile node could only receive packets 5835 at its previous primary care-of address if it were indeed still 5836 connected to that link. If the previous primary care-of address was 5837 allocated using stateful Address Autoconfiguration [30], the mobile 5838 node may not wish to release the address immediately upon switching 5839 to a new primary care-of address. 5841 Whenever a mobile node determines that it is no longer reachable 5842 through a given link, it SHOULD invalidate all care-of addresses 5843 associated with address prefixes that it discovered from routers on 5844 the unreachable link which are not in the current set of address 5845 prefixes advertised by the (possibly new) current default router. 5847 11.5.5. Returning Home 5849 A mobile node detects that it has returned to its home link through 5850 the movement detection algorithm in use (Section 11.5.2), when the 5851 mobile node detects that its home subnet prefix is again on-link. To 5852 be able to send and receive packets using its home address from the 5853 home link, the mobile node MUST send a Binding Update to its home 5854 agent to instruct its home agent to no longer intercept or tunnel 5855 packets for it. Until the mobile node sends such a de-registration 5856 Binding Update, it MUST NOT attempt to send and receive packets using 5857 its home address from the home link. The home agent will continue to 5858 intercept all packets sent to the mobile's home address and tunnel 5859 them to the previously registered care-of address. 5861 In this home registration, the mobile node MUST set the Acknowledge 5862 (A) and Home Registration (H) bits, set the Lifetime field to zero, 5863 and set the care-of address for the binding to the mobile node's own 5864 home address. The mobile node MUST use its home address as the 5865 source address in the Binding Update. 5867 When sending this Binding Update to its home agent, the mobile node 5868 must be careful in how it uses Neighbor Solicitation [18] (if needed) 5869 to learn the home agent's link-layer address, since the home agent 5870 will be currently configured to intercept packets to the mobile 5871 node's home address using Proxy Neighbor Discovery (Proxy ND). In 5872 particular, the mobile node is unable to use its home address as the 5873 Source Address in the Neighbor Solicitation until the home agent 5874 stops defending the home address. 5876 Neighbor Solicitation by the mobile node for the home agent's address 5877 will normally not be necessary, since the mobile node has already 5878 learned the home agent's link-layer address from a Source Link-Layer 5879 Address option in a Router Advertisement. However, if there are 5880 multiple home agents it may still be necessary to send a 5881 solicitation. In this special case of the mobile node returning 5882 home, the mobile node MUST multicast the packet, and in addition set 5883 the Source Address of this Neighbor Solicitation to the unspecified 5884 address (0:0:0:0:0:0:0:0). The target of the Neighbor Solicitation 5885 MUST be set to the mobile node's home address. The destination IP 5886 address MUST be set to the Solicited-Node multicast address [16]. 5887 The home agent will send a multicast Neighbor Advertisement back to 5888 the mobile node with the Solicited flag (S) set to zero. In any 5889 case, the mobile node SHOULD record the information from the Source 5890 Link-Layer Address option or from the advertisement, and set the 5891 state of the Neighbor Cache entry for the home agent to REACHABLE. 5893 The mobile node then sends its Binding Update to the home agent's 5894 link-layer address, instructing its home agent to no longer serve as 5895 a home agent for it. By processing this Binding Update, the home 5896 agent will cease defending the mobile node's home address for 5897 Duplicate Address Detection and will no longer respond to Neighbor 5898 Solicitations for the mobile node's home address. The mobile node is 5899 then the only node on the link receiving packets at the mobile node's 5900 home address. In addition, when returning home prior to the 5901 expiration of a current binding for its home address, and configuring 5902 its home address on its network interface on its home link, the 5903 mobile node MUST NOT perform Duplicate Address Detection on its own 5904 home address, in order to avoid confusion or conflict with its home 5905 agent's use of the same address. This rule also applies to the 5906 derived link-local address of the mobile node, if the Link Local 5907 Address Compatibility (L) bit was set when the binding was created. 5908 If the mobile node returns home after the bindings for all of its 5909 care-of addresses have expired, then it SHOULD perform DAD. 5911 After the Mobile Node sends the Binding Update, it MUST be prepared 5912 to reply to Neighbor Solicitations for its home address. Such 5913 replies MUST be sent using a unicast Neighbor Advertisement to the 5914 sender's link-layer address. It is necessary to reply, since sending 5915 the Binding Acknowledgement from the home agent may require 5916 performing Neighbor Discovery, and the mobile node may not be able to 5917 distinguish Neighbor Solicitations coming from the home agent from 5918 other Neighbor Solicitations. Note that a race condition exists 5919 where both the mobile node and the home agent respond to the same 5920 solicitations sent by other nodes; this will be only temporary, 5921 however, until the Binding Update is accepted. 5923 After receiving the Binding Acknowledgement for its Binding Update to 5924 its home agent, the mobile node MUST multicast onto the home link (to 5925 the all-nodes multicast address) a Neighbor Advertisement [18], to 5926 advertise the mobile node's own link-layer address for its own home 5927 address. The Target Address in this Neighbor Advertisement MUST be 5928 set to the mobile node's home address, and the Advertisement MUST 5929 include a Target Link-layer Address option specifying the mobile 5930 node's link-layer address. The mobile node MUST multicast such a 5931 Neighbor Advertisement for each of its home addresses, as defined by 5932 the current on-link prefixes, including its link-local address. The 5933 Solicited Flag (S) in these Advertisements MUST NOT be set, since 5934 they were not solicited by any Neighbor Solicitation. The Override 5935 Flag (O) in these Advertisements MUST be set, indicating that the 5936 Advertisements SHOULD override any existing Neighbor Cache entries at 5937 any node receiving them. 5939 Since multicasting on the local link (such as Ethernet) is typically 5940 not guaranteed to be reliable, the mobile node MAY retransmit these 5941 Neighbor Advertisements [18] up to MAX_NEIGHBOR_ADVERTISEMENT times 5942 to increase their reliability. It is still possible that some nodes 5943 on the home link will not receive any of these Neighbor 5944 Advertisements, but these nodes will eventually be able to recover 5945 through use of Neighbor Unreachability Detection [18]. 5947 Note that the tunnel via the home agent typically stops operating at 5948 the same time that the home registration is deleted. 5950 11.6. Return Routability Procedure 5952 This section defines the rules that the mobile node must follow when 5953 performing the return routability procedure. Section 11.7.2 5954 describes the rules when the return routability procedure needs to be 5955 initiated. 5957 11.6.1. Sending Test Init Messages 5959 A mobile node that initiates a return routability procedure MUST send 5960 (in parallel) a Home Test Init message and a Care-of Test Init 5961 messages. However, if the mobile node has recently received (see 5962 Section 5.2.7) one or both home or care-of keygen tokens, and 5963 associated nonce indices for the desired addresses, it MAY reuse 5964 them. Therefore, the return routability procedure may in some cases 5965 be completed with only one message pair. It may even be completed 5966 without any messages at all, if the mobile node has a recent home 5967 keygen token and has previously visited the same care-of address so 5968 that it also has a recent care-of keygen token. If the mobile node 5969 intends to send a Binding Update with the Lifetime set to zero and 5970 the care-of address equal to its home address - such as when 5971 returning home - sending a Home Test Init message is sufficient. In 5972 this case, generation of the binding management key depends 5973 exclusively on the home keygen token (Section 5.2.5). 5975 A Home Test Init message MUST be created as described in 5976 Section 6.1.3. 5978 A Care-of Test Init message MUST be created as described in 5979 Section 6.1.4. When sending a Home Test Init or Care-of Test Init 5980 message the mobile node MUST record in its Binding Update List the 5981 following fields from the messages: 5983 o The IP address of the node to which the message was sent. 5985 o The home address of the mobile node. This value will appear in 5986 the Source Address field of the Home Test Init message. When 5987 sending the Care-of Test Init message, this address does not 5988 appear in the message, but represents the home address for which 5989 the binding is desired. 5991 o The time at which each of these messages was sent. 5993 o The cookies used in the messages. 5995 Note that a single Care-of Test Init message may be sufficient even 5996 when there are multiple home addresses. In this case the mobile node 5997 MAY record the same information in multiple Binding Update List 5998 entries. 6000 11.6.2. Receiving Test Messages 6002 Upon receiving a packet carrying a Home Test message, a mobile node 6003 MUST validate the packet according to the following tests: 6005 o The Source Address of the packet belongs to a correspondent node 6006 for which the mobile node has a Binding Update List entry with a 6007 state indicating that return routability procedure is in progress. 6008 Note that there may be multiple such entries. 6010 o The Binding Update List indicates that no home keygen token has 6011 been received yet. 6013 o The Destination Address of the packet has the home address of the 6014 mobile node, and the packet has been received in a tunnel from the 6015 home agent. 6017 o The Home Init Cookie field in the message matches the value stored 6018 in the Binding Update List. 6020 Any Home Test message not satisfying all of these tests MUST be 6021 silently ignored. Otherwise, the mobile node MUST record the Home 6022 Nonce Index and home keygen token in the Binding Update List. If the 6023 Binding Update List entry does not have a care-of keygen token, the 6024 mobile node SHOULD continue waiting for the Care-of Test message. 6026 Upon receiving a packet carrying a Care-of Test message, a mobile 6027 node MUST validate the packet according to the following tests: 6029 o The Source Address of the packet belongs to a correspondent node 6030 for which the mobile node has a Binding Update List entry with a 6031 state indicating that return routability procedure is in progress. 6032 Note that there may be multiple such entries. 6034 o The Binding Update List indicates that no care-of keygen token has 6035 been received yet. 6037 o The Destination Address of the packet is the current care-of 6038 address of the mobile node. 6040 o The Care-of Init Cookie field in the message matches the value 6041 stored in the Binding Update List. 6043 Any Care-of Test message not satisfying all of these tests MUST be 6044 silently ignored. Otherwise, the mobile node MUST record the Care-of 6045 Nonce Index and care-of keygen token in the Binding Update List. If 6046 the Binding Update List entry does not have a home keygen token, the 6047 mobile node SHOULD continue waiting for the Home Test message. 6049 If after receiving either the Home Test or the Care-of Test message 6050 and performing the above actions, the Binding Update List entry has 6051 both the home and the care-of keygen tokens, the return routability 6052 procedure is complete. The mobile node SHOULD then proceed with 6053 sending a Binding Update as described in Section 11.7.2. 6055 Correspondent nodes from the time before this specification was 6056 published may not support the Mobility Header protocol. These nodes 6057 will respond to Home Test Init and Care-of Test Init messages with an 6058 ICMP Parameter Problem code 1. The mobile node SHOULD take such 6059 messages as an indication that the correspondent node cannot provide 6060 route optimization, and revert back to the use of bidirectional 6061 tunneling. 6063 11.6.3. Protecting Return Routability Packets 6065 The mobile node MUST support the protection of Home Test and Home 6066 Test Init messages as described in Section 10.4.6. 6068 When IPsec is used to protect return routability signaling or payload 6069 packets, the mobile node MUST set the source address it uses for the 6070 outgoing tunnel packets to the current primary care-of address. The 6071 mobile node starts to use a new primary care-of address immediately 6072 after sending a Binding Update to the home agent to register this new 6073 address. 6075 11.7. Processing Bindings 6077 11.7.1. Sending Binding Updates to the Home Agent 6079 In order to change its primary care-of address as described in 6080 Section 11.5.1 and Section 11.5.3, a mobile node MUST register this 6081 care-of address with its home agent in order to make this its primary 6082 care-of address. 6084 Also, if the mobile node wants the services of the home agent beyond 6085 the current registration period, the mobile node should send a new 6086 Binding Update to it well before the expiration of this period, even 6087 if it is not changing its primary care-of address. However, if the 6088 home agent returned a Binding Acknowledgement for the current 6089 registration with Status field set to 1 (accepted but prefix 6090 discovery necessary), the mobile node should not try to register 6091 again before it has learned the validity of its home prefixes through 6092 mobile prefix discovery. This is typically necessary every time this 6093 Status value is received, because information learned earlier may 6094 have changed. 6096 To register a care-of address or to extend the lifetime of an 6097 existing registration, the mobile node sends a packet to its home 6098 agent containing a Binding Update, with the packet constructed as 6099 follows: 6101 o The Home Registration (H) bit MUST be set in the Binding Update. 6103 o The Acknowledge (A) bit MUST be set in the Binding Update. 6105 o The packet MUST contain a Home Address destination option, giving 6106 the mobile node's home address for the binding. 6108 o The care-of address for the binding MUST be used as the Source 6109 Address in the packet's IPv6 header, unless an Alternate Care-of 6110 Address mobility option is included in the Binding Update. This 6111 option MUST be included in all home registrations, as the ESP 6112 protocol will not be able to protect care-of addresses in the IPv6 6113 header. (Mobile IPv6 implementations that know they are using 6114 IPsec AH to protect a particular message might avoid this option. 6115 For brevity the usage of AH is not discussed in this document.) 6117 o If the mobile node's link-local address has the same interface 6118 identifier as the home address for which it is supplying a new 6119 care-of address, then the mobile node SHOULD set the Link-Local 6120 Address Compatibility (L) bit. 6122 o If the home address was generated using RFC 4941 [21], then the 6123 link local address is unlikely to have a compatible interface 6124 identifier. In this case, the mobile node MUST clear the Link- 6125 Local Address Compatibility (L) bit. 6127 o If the IPsec security associations between the mobile node and the 6128 home agent have been established dynamically, and the mobile node 6129 has the capability to update its endpoint in the used key 6130 management protocol to the new care-of address every time it 6131 moves, the mobile node SHOULD set the Key Management Mobility 6132 Capability (K) bit in the Binding Update. Otherwise, the mobile 6133 node MUST clear the bit. 6135 o The value specified in the Lifetime field MUST be non-zero and 6136 SHOULD be less than or equal to the remaining valid lifetime of 6137 the home address and the care-of address specified for the 6138 binding. 6140 Mobile nodes that use dynamic home agent address discovery should 6141 be careful with long lifetimes. If the mobile node loses the 6142 knowledge of its binding with a specific home agent, registering a 6143 new binding with another home agent may be impossible as the 6144 previous home agent is still defending the existing binding. 6145 Therefore, to ensure that mobile nodes using home agent address 6146 discovery do not lose information about their binding, they SHOULD 6147 de-register before losing this information, or use small 6148 lifetimes. 6150 The Acknowledge (A) bit in the Binding Update requests the home agent 6151 to return a Binding Acknowledgement in response to this Binding 6152 Update. As described in Section 6.1.8, the mobile node SHOULD 6153 retransmit this Binding Update to its home agent until it receives a 6154 matching Binding Acknowledgement. Once reaching a retransmission 6155 timeout period of MAX_BINDACK_TIMEOUT, the mobile node SHOULD restart 6156 the process of delivering the Binding Update, but trying instead the 6157 next home agent returned during dynamic home agent address discovery 6158 (see Section 11.4.1). If there was only one home agent, the mobile 6159 node instead SHOULD continue to periodically retransmit the Binding 6160 Update at this rate until acknowledged (or until it begins attempting 6161 to register a different primary care-of address). See Section 11.8 6162 for information about retransmitting Binding Updates. 6164 With the Binding Update, the mobile node requests the home agent to 6165 serve as the home agent for the given home address. Until the 6166 lifetime of this registration expires, the home agent considers 6167 itself the home agent for this home address. 6169 Each Binding Update MUST be authenticated as coming from the right 6170 mobile node, as defined in Section 5.1. The mobile node MUST use its 6171 home address - either in the Home Address destination option or in 6172 the Source Address field of the IPv6 header - in Binding Updates sent 6173 to the home agent. This is necessary in order to allow the IPsec 6174 policies to be matched with the correct home address. 6176 When sending a Binding Update to its home agent, the mobile node MUST 6177 also create or update the corresponding Binding Update List entry, as 6178 specified in Section 11.7.2. 6180 The last Sequence Number value sent to the home agent in a Binding 6181 Update is stored by the mobile node. If the sending mobile node has 6182 no knowledge of the correct Sequence Number value, it may start at 6183 any value. If the home agent rejects the value, it sends back a 6184 Binding Acknowledgement with a status code 135, and the last accepted 6185 sequence number in the Sequence Number field of the Binding 6186 Acknowledgement. The mobile node MUST store this information and use 6187 the next Sequence Number value for the next Binding Update it sends. 6189 If the mobile node has additional home addresses, then the mobile 6190 node SHOULD send an additional packet containing a Binding Update to 6191 its home agent to register the care-of address for each such other 6192 home address. 6194 The home agent will only perform DAD for the mobile node's home 6195 address when the mobile node has supplied a valid binding between its 6196 home address and a care-of address. If some time elapses during 6197 which the mobile node has no binding at the home agent, it might be 6198 possible for another node to autoconfigure the mobile node's home 6199 address. Therefore, the mobile node MUST treat the creation of a new 6200 binding with the home agent using an existing home address, the same 6201 as creation of a new home address. In the unlikely event that the 6202 mobile node's home address is autoconfigured as the IPv6 address of 6203 another network node on the home network, the home agent will reply 6204 to the mobile node's subsequent Binding Update with a Binding 6205 Acknowledgement containing a Status of 134 (Duplicate Address 6206 Detection failed). In this case, the mobile node MUST NOT attempt to 6207 re-use the same home address. It SHOULD continue to register the 6208 care-of addresses for its other home addresses, if any. Mechanisms 6209 outlined in "Mobile IPv6 Bootstrapping in Split Scenario" [22] allow 6210 mobile nodes to acquire new home addresses to replace the one for 6211 which Status 134 was received. 6213 11.7.2. Correspondent Registration 6215 When the mobile node is assured that its home address is valid, it 6216 can initiate a correspondent registration with the purpose of 6217 allowing the correspondent node to cache the mobile node's current 6218 care-of address. This procedure consists of the return routability 6219 procedure followed by a registration. 6221 This section defines when the correspondent registration is to be 6222 initiated and the rules to follow while it is being performed. 6224 After the mobile node has sent a Binding Update to its home agent, 6225 registering a new primary care-of address (as described in 6226 Section 11.7.1), the mobile node SHOULD initiate a correspondent 6227 registration for each node that already appears in the mobile node's 6228 Binding Update List. The initiated procedures can be used to either 6229 update or delete binding information in the correspondent node. 6231 For nodes that do not appear in the mobile node's Binding Update 6232 List, the mobile node MAY initiate a correspondent registration at 6233 any time after sending the Binding Update to its home agent. 6234 Considerations regarding when (and if) to initiate the procedure 6235 depend on the specific movement and traffic patterns of the mobile 6236 node and are outside the scope of this document. 6238 In addition, the mobile node MAY initiate the correspondent 6239 registration in response to receiving a packet that meets all of the 6240 following tests: 6242 o The packet was tunneled using IPv6 encapsulation. 6244 o The Destination Address in the tunnel (outer) IPv6 header is equal 6245 to any of the mobile node's care-of addresses. 6247 o The Destination Address in the original (inner) IPv6 header is 6248 equal to one of the mobile node's home addresses. 6250 o The Source Address in the tunnel (outer) IPv6 header differs from 6251 the Source Address in the original (inner) IPv6 header. 6253 o The packet does not contain a Home Test, Home Test Init, Care-of 6254 Test, or Care-of Test Init message. 6256 If a mobile node has multiple home addresses, it becomes important to 6257 select the right home address to use in the correspondent 6258 registration. The used home address MUST be the Destination Address 6259 of the original (inner) packet. 6261 The peer address used in the procedure MUST be determined as follows: 6263 o If a Home Address destination option is present in the original 6264 (inner) packet, the address from this option is used. 6266 o Otherwise, the Source Address in the original (inner) IPv6 header 6267 of the packet is used. 6269 Note that the validity of the original packet is checked before 6270 attempting to initiate a correspondent registration. For instance, 6271 if a Home Address destination option appeared in the original packet, 6272 then rules in Section 9.3.1 are followed. 6274 A mobile node MAY also choose to keep its topological location 6275 private from certain correspondent nodes, and thus need not initiate 6276 the correspondent registration. 6278 Upon successfully completing the return routability procedure, and 6279 after receiving a successful Binding Acknowledgement from the Home 6280 Agent, a Binding Update MAY be sent to the correspondent node. 6282 In any Binding Update sent by a mobile node, the care-of address 6283 (either the Source Address in the packet's IPv6 header or the Care-of 6284 Address in the Alternate Care-of Address mobility option of the 6285 Binding Update) MUST be set to one of the care-of addresses currently 6286 in use by the mobile node or to the mobile node's home address. A 6287 mobile node MAY set the care-of address differently for sending 6288 Binding Updates to different correspondent nodes. 6290 A mobile node MAY also send a Binding Update to such a correspondent 6291 node, instructing it to delete any existing binding for the mobile 6292 node from its Binding Cache, as described in Section 6.1.7. Even in 6293 this case a successful completion of the return routability procedure 6294 is required first. 6296 If the care-of address is not set to the mobile node's home address, 6297 the Binding Update requests that the correspondent node create or 6298 update an entry for the mobile node in the correspondent node's 6299 Binding Cache. This is done in order to record a care-of address for 6300 use in sending future packets to the mobile node. In this case, the 6301 value specified in the Lifetime field sent in the Binding Update 6302 SHOULD be less than or equal to the remaining lifetime of the home 6303 registration and the care-of address specified for the binding. The 6304 care-of address given in the Binding Update MAY differ from the 6305 mobile node's primary care-of address. 6307 If the Binding Update is sent to the correspondent node, requesting 6308 the deletion of any existing Binding Cache entry it has for the 6309 mobile node, the care-of address is set to the mobile node's home 6310 address and the Lifetime field set to zero. In this case, generation 6311 of the binding management key depends exclusively on the home keygen 6312 token (Section 5.2.5). The care-of nonce index SHOULD be set to zero 6313 in this case. In keeping with the Binding Update creation rules 6314 below, the care-of address MUST be set to the home address if the 6315 mobile node is at home, or to the current care-of address if it is 6316 away from home. 6318 If the mobile node wants to ensure that its new care-of address has 6319 been entered into a correspondent node's Binding Cache, the mobile 6320 node needs to request an acknowledgement by setting the Acknowledge 6321 (A) bit in the Binding Update. 6323 A Binding Update is created as follows: 6325 o The current care-of address of the mobile node MUST be sent either 6326 in the Source Address of the IPv6 header, or in the Alternate 6327 Care-of Address mobility option. 6329 o The Destination Address of the IPv6 header MUST contain the 6330 address of the correspondent node. 6332 o The Mobility Header is constructed according to rules in 6333 Section 6.1.7 and Section 5.2.6, including the Binding 6334 Authorization Data (calculated as defined in Section 6.2.7) and 6335 possibly the Nonce Indices mobility options. 6337 o The home address of the mobile node MUST be added to the packet in 6338 a Home Address destination option, unless the Source Address is 6339 the home address. 6341 Each Binding Update MUST have a Sequence Number greater than the 6342 Sequence Number value sent in the previous Binding Update to the same 6343 destination address (if any). The sequence numbers are compared 6344 modulo 2**16, as described in Section 9.5.1. There is no 6345 requirement, however, that the Sequence Number value strictly 6346 increase by 1 with each new Binding Update sent or received, as long 6347 as the value stays within the window. The last Sequence Number value 6348 sent to a destination in a Binding Update is stored by the mobile 6349 node in its Binding Update List entry for that destination. If the 6350 sending mobile node has no Binding Update List entry, the Sequence 6351 Number SHOULD start at a random value. The mobile node MUST NOT use 6352 the same Sequence Number in two different Binding Updates to the same 6353 correspondent node, even if the Binding Updates provide different 6354 care-of addresses. 6356 The mobile node is responsible for the completion of the 6357 correspondent registration, as well as any retransmissions that may 6358 be needed (subject to the rate limitation defined in Section 11.8). 6360 11.7.3. Receiving Binding Acknowledgements 6362 Upon receiving a packet carrying a Binding Acknowledgement, a mobile 6363 node MUST validate the packet according to the following tests: 6365 o The packet meets the authentication requirements for Binding 6366 Acknowledgements defined in Section 6.1.8 and Section 5. That is, 6367 if the Binding Update was sent to the home agent, the underlying 6368 IPsec protection is used. If the Binding Update was sent to the 6369 correspondent node, the Binding Authorization Data mobility option 6370 MUST be present and have a valid value. 6372 o The Binding Authorization Data mobility option, if present, MUST 6373 be the last option and MUST NOT have trailing padding. 6375 o The Sequence Number field matches the Sequence Number sent by the 6376 mobile node to this destination address in an outstanding Binding 6377 Update, and the Status field is not 135. 6379 Any Binding Acknowledgement not satisfying all of these tests MUST be 6380 silently ignored. 6382 When a mobile node receives a packet carrying a valid Binding 6383 Acknowledgement, the mobile node MUST examine the Status field as 6384 follows: 6386 o If the Status field indicates that the Binding Update was accepted 6387 (the Status field is less than 128), then the mobile node MUST 6388 update the corresponding entry in its Binding Update List to 6389 indicate that the Binding Update has been acknowledged; the mobile 6390 node MUST then stop retransmitting the Binding Update. In 6391 addition, if the value specified in the Lifetime field in the 6392 Binding Acknowledgement is less than the Lifetime value sent in 6393 the Binding Update being acknowledged, the mobile node MUST 6394 subtract the difference between these two Lifetime values from the 6395 remaining lifetime for the binding as maintained in the 6396 corresponding Binding Update List entry (with a minimum value for 6397 the Binding Update List entry lifetime of 0). That is, if the 6398 Lifetime value sent in the Binding Update was L_update, the 6399 Lifetime value received in the Binding Acknowledgement was L_ack, 6400 and the current remaining lifetime of the Binding Update List 6401 entry is L_remain, then the new value for the remaining lifetime 6402 of the Binding Update List entry should be 6404 max((L_remain - (L_update - L_ack)), 0) 6406 where max(X, Y) is the maximum of X and Y. The effect of this step 6407 is to correctly manage the mobile node's view of the binding's 6408 remaining lifetime (as maintained in the corresponding Binding 6409 Update List entry) so that it correctly counts down from the 6410 Lifetime value given in the Binding Acknowledgement, but with the 6411 timer countdown beginning at the time that the Binding Update was 6412 sent. 6414 Mobile nodes SHOULD send a new Binding Update well before the 6415 expiration of this period in order to extend the lifetime. This 6416 helps to avoid disruptions in communications which might otherwise 6417 be caused by network delays or clock drift. 6419 o If the Binding Acknowledgement correctly passes authentication and 6420 the Status field value is 135 (Sequence Number out of window), 6421 then the mobile node MUST update its binding sequence number 6422 appropriately to match the sequence number given in the Binding 6423 Acknowledgement. Otherwise, if the Status field value is 135 but 6424 the Binding Acknowledgement does not pass authentication, the 6425 message MUST be silently ignored. 6427 o If the Status field value is 1 (accepted but prefix discovery 6428 necessary), the mobile node SHOULD send a Mobile Prefix 6429 Solicitation message to update its information about the available 6430 prefixes. 6432 o If the Status field indicates that the Binding Update was rejected 6433 (the Status field is greater than or equal to 128), then the 6434 mobile node can take steps to correct the cause of the error and 6435 retransmit the Binding Update (with a new Sequence Number value), 6436 subject to the rate limiting restriction specified in 6437 Section 11.8. If this is not done or it fails, then the mobile 6438 node SHOULD record in its Binding Update List that future Binding 6439 Updates SHOULD NOT be sent to this destination. 6441 The treatment of a Binding Refresh Advice mobility option within the 6442 Binding Acknowledgement depends on where the acknowledgement came 6443 from. This option MUST be ignored if the acknowledgement came from a 6444 correspondent node. If it came from the home agent, the mobile node 6445 uses the Refresh Interval field in the option as a suggestion that it 6446 SHOULD attempt to refresh its home registration at the indicated 6447 shorter interval. 6449 If the acknowledgement came from the home agent, the mobile node 6450 examines the value of the Key Management Mobility Capability (K) bit. 6451 If this bit is not set, the mobile node SHOULD discard key management 6452 protocol connections, if any, to the home agent. The mobile node MAY 6453 also initiate a new key management connection. 6455 If this bit is set, the mobile node SHOULD move its own endpoint in 6456 the key management protocol connections to the home agent, if any. 6457 The mobile node's new endpoint should be the new care-of address. 6459 11.7.4. Receiving Binding Refresh Requests 6461 When a mobile node receives a packet containing a Binding Refresh 6462 Request message, if the mobile node has a Binding Update List entry 6463 for the source of the Binding Refresh Request, and the mobile node 6464 wants to retain its Binding Cache entry at the correspondent node, 6465 then the mobile node should start a return routability procedure. If 6466 the mobile node wants to have its Binding Cache entry removed, it can 6467 either ignore the Binding Refresh Request and wait for the binding to 6468 time out, or at any time, it can delete its binding from a 6469 correspondent node with an explicit Binding Update with a zero 6470 lifetime and the care-of address set to the home address. If the 6471 mobile node does not know if it needs the Binding Cache entry, it can 6472 make the decision in an implementation dependent manner, such as 6473 based on available resources. 6475 Note that the mobile node should be careful to not respond to Binding 6476 Refresh Requests for addresses not in the Binding Update List to 6477 avoid being subjected to a denial of service attack. 6479 If the return routability procedure completes successfully, a Binding 6480 Update message SHOULD be sent, as described in Section 11.7.2. The 6481 Lifetime field in this Binding Update SHOULD be set to a new 6482 lifetime, extending any current lifetime remaining from a previous 6483 Binding Update sent to this node (as indicated in any existing 6484 Binding Update List entry for this node), and the lifetime SHOULD 6485 again be less than or equal to the remaining lifetime of the home 6486 registration and the care-of address specified for the binding. When 6487 sending this Binding Update, the mobile node MUST update its Binding 6488 Update List in the same way as for any other Binding Update sent by 6489 the mobile node. 6491 11.8. Retransmissions and Rate Limiting 6493 The mobile node is responsible for retransmissions and rate limiting 6494 in the return routability procedure, registrations, and in solicited 6495 prefix discovery. 6497 When the mobile node sends a Mobile Prefix Solicitation, Home Test 6498 Init, Care-of Test Init or Binding Update for which it expects a 6499 response, the mobile node has to determine a value for the initial 6500 retransmission timer: 6502 o If the mobile node is sending a Mobile Prefix Solicitation, it 6503 SHOULD use an initial retransmission interval of 6504 INITIAL_SOLICIT_TIMER (see Section 12). 6506 o If the mobile node is sending a Binding Update and does not have 6507 an existing binding at the home agent, it SHOULD use 6508 InitialBindackTimeoutFirstReg (see Section 13) as a value for the 6509 initial retransmission timer. This long retransmission interval 6510 will allow the home agent to complete the Duplicate Address 6511 Detection procedure mandated in this case, as detailed in 6512 Section 11.7.1. 6514 o Otherwise, the mobile node should use the specified value of 6515 INITIAL_BINDACK_TIMEOUT for the initial retransmission timer. 6517 If the mobile node fails to receive a valid matching response within 6518 the selected initial retransmission interval, the mobile node SHOULD 6519 retransmit the message until a response is received. 6521 The retransmissions by the mobile node MUST use an exponential back- 6522 off process in which the timeout period is doubled upon each 6523 retransmission, until either the node receives a response or the 6524 timeout period reaches the value MAX_BINDACK_TIMEOUT. The mobile 6525 node MAY continue to send these messages at this slower rate 6526 indefinitely. 6528 The mobile node SHOULD start a separate back-off process for 6529 different message types, different home addresses and different 6530 care-of addresses. However, in addition an overall rate limitation 6531 applies for messages sent to a particular correspondent node. This 6532 ensures that the correspondent node has a sufficient amount of time 6533 to respond when bindings for multiple home addresses are registered, 6534 for instance. The mobile node MUST NOT send Mobility Header messages 6535 of a particular type to a particular correspondent node more than 6536 MAX_UPDATE_RATE times within a second. 6538 Retransmitted Binding Updates MUST use a Sequence Number value 6539 greater than that used for the previous transmission of this Binding 6540 Update. Retransmitted Home Test Init and Care-of Test Init messages 6541 MUST use new cookie values. 6543 12. Protocol Constants 6545 DHAAD_RETRIES 4 retransmissions 6546 INITIAL_BINDACK_TIMEOUT 1 second 6547 INITIAL_DHAAD_TIMEOUT 3 seconds 6548 INITIAL_SOLICIT_TIMER 3 seconds 6549 MAX_BINDACK_TIMEOUT 32 seconds 6550 MAX_DELETE_BCE_TIMEOUT 10 seconds 6551 MAX_NONCE_LIFETIME 240 seconds 6552 MAX_TOKEN_LIFETIME 210 seconds 6553 MAX_RO_FAILURE 3 retries 6554 MAX_RR_BINDING_LIFETIME 420 seconds 6555 MAX_UPDATE_RATE 3 times 6556 PREFIX_ADV_RETRIES 3 retransmissions 6557 PREFIX_ADV_TIMEOUT 3 seconds 6559 13. Protocol Configuration Variables 6561 MaxMobPfxAdvInterval Default: 86,400 seconds 6562 MinDelayBetweenRAs Default: 3 seconds, 6563 Min: 0.03 seconds 6564 MinMobPfxAdvInterval Default: 600 seconds 6565 InitialBindackTimeoutFirstReg Default: 1.5 seconds 6567 Home agents MUST allow the first three variables to be configured by 6568 system management, and mobile nodes MUST allow the last variable to 6569 be configured by system management. 6571 The default value for InitialBindackTimeoutFirstReg has been 6572 calculated as 1.5 times the default value of RetransTimer, as 6573 specified in Neighbor Discovery (RFC 4861 [18]) times the default 6574 value of DupAddrDetectTransmits, as specified in Stateless Address 6575 Autoconfiguration (RFC 4862 [19]) 6577 The value MinDelayBetweenRAs overrides the value of the protocol 6578 constant MIN_DELAY_BETWEEN_RAS, as specified in Neighbor Discovery 6579 (RFC 4861 [18]). This variable SHOULD be set to MinRtrAdvInterval, 6580 if MinRtrAdvInterval is less than 3 seconds. 6582 14. IANA Considerations 6584 This document defines a new IPv6 protocol, the Mobility Header, 6585 described in Section 6.1. This protocol has been assigned protocol 6586 number 135. 6588 This document also creates a new name space "Mobility Header Type", 6589 for the MH Type field in the Mobility Header. The current message 6590 types are described starting from Section 6.1.2, and are the 6591 following: 6593 0 Binding Refresh Request 6595 1 Home Test Init 6597 2 Care-of Test Init 6599 3 Home Test 6601 4 Care-of Test 6603 5 Binding Update 6605 6 Binding Acknowledgement 6607 7 Binding Error 6609 Future values of the MH Type can be allocated using Standards Action 6610 or IESG Approval [23]. 6612 Furthermore, each mobility message may contain mobility options as 6613 described in Section 6.2. This document defines a new name space 6614 "Mobility Option" to identify these options. The current mobility 6615 options are defined starting from Section 6.2.2 and are the 6616 following: 6618 0 Pad1 6620 1 PadN 6622 2 Binding Refresh Advice 6624 3 Alternate Care-of Address 6626 4 Nonce Indices 6627 5 Authorization Data 6629 Future values of the Option Type can be allocated using Standards 6630 Action or IESG Approval [23]. 6632 Finally, this document creates a third new name space "Status Code" 6633 for the Status field in the Binding Acknowledgement message. The 6634 current values are listed in Section 6.1.8 and are the following: 6636 0 Binding Update accepted 6638 1 Accepted but prefix discovery necessary 6640 128 Reason unspecified 6642 129 Administratively prohibited 6644 130 Insufficient resources 6646 131 Home registration not supported 6648 132 Not home subnet 6650 133 Not home agent for this mobile node 6652 134 Duplicate Address Detection failed 6654 135 Sequence number out of window 6656 136 Expired home nonce index 6658 137 Expired care-of nonce index 6660 138 Expired nonces 6662 139 Registration type change disallowed 6664 TBD Invalid Care-of Address 6666 Future values of the Status field can be allocated using Standards 6667 Action or IESG Approval [23]. 6669 All fields labeled "Reserved" are only to be assigned through 6670 Standards Action or IESG Approval. 6672 This document also defines a new IPv6 destination option, the Home 6673 Address option, described in Section 6.3. This option has been 6674 assigned the Option Type value 0xC9. 6676 This document also defines a new IPv6 type 2 routing header, 6677 described in Section 6.4. The value 2 has been allocated by IANA. 6679 In addition, this document defines four ICMP message types, two used 6680 as part of the dynamic home agent address discovery mechanism, and 6681 two used in lieu of Router Solicitations and Advertisements when the 6682 mobile node is away from the home link. These messages have been 6683 assigned ICMPv6 type numbers from the informational message range: 6685 o The Home Agent Address Discovery Request message, described in 6686 Section 6.5; 6688 o The Home Agent Address Discovery Reply message, described in 6689 Section 6.6; 6691 o The Mobile Prefix Solicitation, described in Section 6.7; and 6693 o The Mobile Prefix Advertisement, described in Section 6.8. 6695 This document also defines two new Neighbor Discovery [18] options, 6696 which have been assigned Option Type values within the option 6697 numbering space for Neighbor Discovery messages: 6699 o The Advertisement Interval option, described in Section 7.3; and 6701 o The Home Agent Information option, described in Section 7.4. 6703 15. Security Considerations 6705 15.1. Threats 6707 Any mobility solution must protect itself against misuses of the 6708 mobility features and mechanisms. In Mobile IPv6, most of the 6709 potential threats are concerned with false Bindings, usually 6710 resulting in Denial-of-Service attacks. Some of the threats also 6711 pose potential for Man-in-the-Middle, Hijacking, Confidentiality, and 6712 Impersonation attacks. The main threats this protocol protects 6713 against are the following: 6715 o Threats involving Binding Updates sent to home agents and 6716 correspondent nodes. For instance, an attacker might claim that a 6717 certain mobile node is currently at a different location than it 6718 really is. If a home agent accepts such spoofed information sent 6719 to it, the mobile node might not get traffic destined to it. 6720 Similarly, a malicious (mobile) node might use the home address of 6721 a victim node in a forged Binding Update sent to a correspondent 6722 node. 6724 These pose threats against confidentiality, integrity, and 6725 availability. That is, an attacker might learn the contents of 6726 packets destined to another node by redirecting the traffic to 6727 itself. Furthermore, an attacker might use the redirected packets 6728 in an attempt to set itself as a Man-in-the-Middle between a 6729 mobile and a correspondent node. This would allow the attacker to 6730 impersonate the mobile node, leading to integrity and availability 6731 problems. 6733 A malicious (mobile) node might also send Binding Updates in which 6734 the care-of address is set to the address of a victim node. If 6735 such Binding Updates were accepted, the malicious node could lure 6736 the correspondent node into sending potentially large amounts of 6737 data to the victim; the correspondent node's replies to messages 6738 sent by the malicious mobile node will be sent to the victim host 6739 or network. This could be used to cause a Distributed Denial-of- 6740 Service attack. For example, the correspondent node might be a 6741 site that will send a high-bandwidth stream of video to anyone who 6742 asks for it. Note that the use of flow-control protocols such as 6743 TCP does not necessarily defend against this type of attack, 6744 because the attacker can fake the acknowledgements. Even keeping 6745 TCP initial sequence numbers secret does not help, because the 6746 attacker can receive the first few segments (including the ISN) at 6747 its own address, and only then redirect the stream to the victim's 6748 address. These types of attacks may also be directed to networks 6749 instead of nodes. Further variations of this threat are described 6750 elsewhere [28] [34]. 6752 An attacker might also attempt to disrupt a mobile node's 6753 communications by replaying a Binding Update that the node had 6754 sent earlier. If the old Binding Update was accepted, packets 6755 destined for the mobile node would be sent to its old location as 6756 opposed to its current location. 6758 A malicious mobile node associated to multiple home agents could 6759 create a routing loop amongst them. This can be achieved when a 6760 mobile node binds one home address located on a first home agent 6761 to another home address on a second home agent. This type of 6762 binding will force the home agents to route the same packet among 6763 each other without knowledge that a routing loop has been created. 6764 Such looping problem is limited to cases where a mobile node has 6765 multiple home agents and is permitted to be associated with the 6766 multiple home agents. For the single home agent case, a policy at 6767 the home agent would prevent the binding of one home address to 6768 another home address hosted by the same home agent. 6770 The potential problems caused by such routing loops in this 6771 scenario can be substantially reduced by use of the Tunnel-Limit 6772 Option specified in RFC 2473 [7]. 6774 In conclusion, there are Denial-of-Service, Man-in-the-Middle, 6775 Confidentiality, and Impersonation threats against the parties 6776 involved in sending legitimate Binding Updates, the threat of 6777 routing loops when there are multiple home agents, and Denial-of- 6778 Service threats against any other party. 6780 o Threats associated with payload packets: Payload packets exchanged 6781 with mobile nodes are exposed to similar threats as that of 6782 regular IPv6 traffic. However, Mobile IPv6 introduces the Home 6783 Address destination option, a new routing header type (type 2), 6784 and uses tunneling headers in the payload packets. The protocol 6785 must protect against potential new threats involving the use of 6786 these mechanisms. 6788 Third parties become exposed to a reflection threat via the Home 6789 Address destination option, unless appropriate security 6790 precautions are followed. The Home Address destination option 6791 could be used to direct response traffic toward a node whose IP 6792 address appears in the option. In this case, ingress filtering 6793 would not catch the forged "return address" [37] [42]. 6795 A similar threat exists with the tunnels between the mobile node 6796 and the home agent. An attacker might forge tunnel packets 6797 between the mobile node and the home agent, making it appear that 6798 the traffic is coming from the mobile node when it is not. Note 6799 that an attacker who is able to forge tunnel packets would 6800 typically also be able to forge packets that appear to come 6801 directly from the mobile node. This is not a new threat as such. 6802 However, it may make it easier for attackers to escape detection 6803 by avoiding ingress filtering and packet tracing mechanisms. 6804 Furthermore, spoofed tunnel packets might be used to gain access 6805 to the home network. 6807 Finally, a routing header could also be used in reflection 6808 attacks, and in attacks designed to bypass firewalls. The 6809 generality of the regular routing header would allow circumvention 6810 of IP-address based rules in firewalls. It would also allow 6811 reflection of traffic to other nodes. These threats exist with 6812 routing headers in general, even if the usage that Mobile IPv6 6813 requires is safe. 6815 o Threats associated with dynamic home agent and mobile prefix 6816 discovery. 6818 o Threats against the Mobile IPv6 security mechanisms themselves: An 6819 attacker might, for instance, lure the participants into executing 6820 expensive cryptographic operations or allocating memory for the 6821 purpose of keeping state. The victim node would have no resources 6822 left to handle other tasks. 6824 As a fundamental service in an IPv6 stack, Mobile IPv6 is expected to 6825 be deployed in most nodes of the IPv6 Internet. The above threats 6826 should therefore be considered as being applicable to the whole 6827 Internet. 6829 It should also be noted that some additional threats result from 6830 movements as such, even without the involvement of mobility 6831 protocols. Mobile nodes must be capable to defend themselves in the 6832 networks that they visit, as typical perimeter defenses applied in 6833 the home network no longer protect them. 6835 15.2. Features 6837 This specification provides a series of features designed to mitigate 6838 the risk introduced by the threats listed above. The main security 6839 features are the following: 6841 o Reverse Tunneling as a mandatory feature. 6843 o Protection of Binding Updates sent to home agents. 6845 o Protection of Binding Updates sent to correspondent nodes. 6847 o Protection against reflection attacks that use the Home Address 6848 destination option. 6850 o Protection of tunnels between the mobile node and the home agent. 6852 o Closing routing header vulnerabilities. 6854 o Mitigating Denial-of-Service threats to the Mobile IPv6 security 6855 mechanisms themselves. 6857 The support for encrypted reverse tunneling (see Section 11.3.1) 6858 allows mobile nodes to defeat certain kinds of traffic analysis. 6860 Protecting those Binding Updates that are sent to home agents and 6861 those that are sent to arbitrary correspondent nodes requires very 6862 different security solutions due to the different situations. Mobile 6863 nodes and home agents are naturally expected to be subject to the 6864 network administration of the home domain. 6866 Thus, they can and are supposed to have a security association that 6867 can be used to reliably authenticate the exchanged messages. See 6868 Section 5.1 for the description of the protocol mechanisms, and 6869 Section 15.3 below for a discussion of the resulting level of 6870 security. 6872 It is expected that Mobile IPv6 route optimization will be used on a 6873 global basis between nodes belonging to different administrative 6874 domains. It would be a very demanding task to build an 6875 authentication infrastructure on this scale. Furthermore, a 6876 traditional authentication infrastructure cannot be easily used to 6877 authenticate IP addresses because IP addresses can change often. It 6878 is not sufficient to just authenticate the mobile nodes; 6879 Authorization to claim the right to use an address is needed as well. 6880 Thus, an "infrastructureless" approach is necessary. The chosen 6881 infrastructureless method is described in Section 5.2, and 6882 Section 15.4 discusses the resulting security level and the design 6883 rationale of this approach. 6885 Specific rules guide the use of the Home Address destination option, 6886 the routing header, and the tunneling headers in the payload packets. 6887 These rules are necessary to remove the vulnerabilities associated 6888 with their unrestricted use. The effect of the rules is discussed in 6889 Section 15.7, Section 15.8, and Section 15.9. 6891 Denial-of-Service threats against Mobile IPv6 security mechanisms 6892 themselves concern mainly the Binding Update procedures with 6893 correspondent nodes. The protocol has been designed to limit the 6894 effects of such attacks, as will be described in Section 15.4.5. 6896 15.3. Binding Updates to Home Agent 6898 Signaling between the mobile node and the home agent requires message 6899 integrity. This is necessary to assure the home agent that a Binding 6900 Update is from a legitimate mobile node. In addition, correct 6901 ordering and anti-replay protection are optionally needed. 6903 IPsec ESP protects the integrity of the Binding Updates and Binding 6904 Acknowledgements by securing mobility messages between the mobile 6905 node and the home agent. 6907 IPsec can provide anti-replay protection only if dynamic keying is 6908 used (which may not always be the case). IPsec does not guarantee 6909 correct ordering of packets, only that they have not been replayed. 6910 Because of this, sequence numbers within the Mobile IPv6 messages are 6911 used to ensure correct ordering (see Section 5.1). However, if the 6912 16 bit Mobile IPv6 sequence number space is cycled through, or the 6913 home agent reboots and loses its state regarding the sequence 6914 numbers, replay and reordering attacks become possible. The use of 6915 dynamic keying, IPsec anti-replay protection, and the Mobile IPv6 6916 sequence numbers can together prevent such attacks. It is also 6917 recommended that use of non-volatile storage be considered for home 6918 agents, to avoid losing their state. 6920 A sliding window scheme is used for the sequence numbers. The 6921 protection against replays and reordering attacks without a key 6922 management mechanism works when the attacker remembers up to a 6923 maximum of 2**15 Binding Updates. 6925 The above mechanisms do not show that the care-of address given in 6926 the Binding Update is correct. This opens the possibility for 6927 Denial-of-Service attacks against third parties. However, since the 6928 mobile node and home agent have a security association, the home 6929 agent can always identify an ill-behaving mobile node. This allows 6930 the home agent operator to discontinue the mobile node's service, and 6931 possibly take further actions based on the business relationship with 6932 the mobile node's owner. 6934 Note that the use of a single pair of manually keyed security 6935 associations conflicts with the generation of a new home address [21] 6936 for the mobile node, or with the adoption of a new home subnet 6937 prefix. This is because IPsec security associations are bound to the 6938 used addresses. While certificate-based automatic keying alleviates 6939 this problem to an extent, it is still necessary to ensure that a 6940 given mobile node cannot send Binding Updates for the address of 6941 another mobile node. In general, this leads to the inclusion of home 6942 addresses in certificates in the Subject AltName field. This again 6943 limits the introduction of new addresses without either manual or 6944 automatic procedures to establish new certificates. Therefore, this 6945 specification restricts the generation of new home addresses (for any 6946 reason) to those situations where a security association or 6947 certificate for the new address already exists. 6949 Support for IKEv2 has been specified as optional. The following 6950 should be observed about the use of manual keying: 6952 o As discussed above, with manually keyed IPsec, only a limited form 6953 of protection exists against replay and reordering attacks. A 6954 vulnerability exists if either the sequence number space is cycled 6955 through, or if the home agent reboots and forgets its sequence 6956 numbers (and uses volatile memory to store the sequence numbers). 6958 Assuming the mobile node moves continuously every 10 minutes, it 6959 takes roughly 455 days before the sequence number space has been 6960 cycled through. Typical movement patterns rarely reach this high 6961 frequency today. 6963 o A mobile node and its home agent belong to the same domain. If 6964 this were not the case, manual keying would not be possible [41], 6965 but in Mobile IPv6 only these two parties need to know the 6966 manually configured keys. Similarly, we note that Mobile IPv6 6967 employs standard block ciphers in IPsec, and is not vulnerable to 6968 problems associated with stream ciphers and manual keying. 6970 o It is expected that the owner of the mobile node and the 6971 administrator of the home agent agree on the used keys and other 6972 parameters with some off-line mechanism. 6974 The use of IKEv2 with Mobile IPv6 is documented in more detail in 6975 [20]. The following should be observed regarding the use of IKEv2: 6977 o It is necessary to prevent a mobile node from claiming another 6978 mobile node's home address. The home agent must verify that the 6979 mobile node trying to negotiate the SA for a particular home 6980 address is authorized for that home address. This implies that 6981 even with the use of IKEv2, a policy entry needs to be configured 6982 for each home address served by the home agent. 6984 It may be possible to include home addresses in the Subject 6985 AltName field of certificate to avoid this. However, 6986 implementations are not guaranteed to support the use of a 6987 particular IP address (care-of address) while another address 6988 (home address) appears in the certificate. In any case, even this 6989 approach would require user-specific tasks in the certificate 6990 authority. 6992 o Due to the problems outlined in Section 11.3.2, the IKEv2 SA 6993 between the mobile node and its home agent is established using 6994 the mobile node's current care-of address. This implies that when 6995 the mobile node moves to a new location, it may have to re- 6996 establish an IKEv2 Security Association. A Key Management 6997 Mobility Capability (K) flag is provided for implementations that 6998 can update the IKEv2 endpoints without re-establishing an IKEv2 6999 Security Association, but the support for this behavior is 7000 optional. 7002 o Nevertheless, even if per-mobile node configuration is required 7003 with IKEv2, an important benefit of IKEv2 is that it automates the 7004 negotiation of cryptographic parameters, including the SPIs, 7005 cryptographic algorithms, and so on. Thus, less configuration 7006 information is needed. 7008 o The frequency of movements in some link layers or deployment 7009 scenarios may be high enough to make replay and reordering attacks 7010 possible, if only manual keying is used. IKEv2 SHOULD be used in 7011 such cases. Potentially vulnerable scenarios involve continuous 7012 movement through small cells, or uncontrolled alternation between 7013 available network attachment points. 7015 o Similarly, in some deployment scenarios the number of mobile nodes 7016 may be very large. In these cases, it can be necessary to use 7017 automatic mechanisms to reduce the management effort in the 7018 administration of cryptographic parameters, even if some per- 7019 mobile node configuration is always needed. IKEv2 SHOULD also be 7020 used in such cases. 7022 15.4. Binding Updates to Correspondent Nodes 7024 The motivation for designing the return routability procedure was to 7025 have sufficient support for Mobile IPv6, without creating significant 7026 new security problems. The goal for this procedure was not to 7027 protect against attacks that were already possible before the 7028 introduction of Mobile IPv6. 7030 The next sections will describe the security properties of the used 7031 method, both from the point of view of possible on-path attackers who 7032 can see those cryptographic values that have been sent in the clear 7033 (Section 15.4.2 and Section 15.4.3) and from the point of view of 7034 other attackers (Section 15.4.6). 7036 15.4.1. Overview 7038 The chosen infrastructureless method verifies that the mobile node is 7039 "live" (that is, it responds to probes) at its home and care-of 7040 addresses. Section 5.2 describes the return routability procedure in 7041 detail. The procedure uses the following principles: 7043 o A message exchange verifies that the mobile node is reachable at 7044 its addresses, i.e., is at least able to transmit and receive 7045 traffic at both the home and care-of addresses. 7047 o The eventual Binding Update is cryptographically bound to the 7048 tokens supplied in the exchanged messages. 7050 o Symmetric exchanges are employed to avoid the use of this protocol 7051 in reflection attacks. In a symmetric exchange, the responses are 7052 always sent to the same address the request was sent from. 7054 o The correspondent node operates in a stateless manner until it 7055 receives a fully authorized Binding Update. 7057 o Some additional protection is provided by encrypting the tunnels 7058 between the mobile node and home agent with IPsec ESP. As the 7059 tunnel also transports the nonce exchanges, the ability of 7060 attackers to see these nonces is limited. For instance, this 7061 prevents attacks from being launched from the mobile node's 7062 current foreign link, even when no link-layer confidentiality is 7063 available. 7065 The resulting level of security is in theory the same even without 7066 this additional protection: the return routability tokens are 7067 still exposed only to one path within the whole Internet. 7068 However, the mobile nodes are often found on an insecure link, 7069 such as a public access Wireless LAN. Thus, in many cases, this 7070 addition makes a practical difference. 7072 For further information about the design rationale of the return 7073 routability procedure, see [28] [34] [33] [42]. The mechanisms used 7074 have been adopted from these documents. 7076 15.4.2. Achieved Security Properties 7078 The return routability procedure protects Binding Updates against all 7079 attackers who are unable to monitor the path between the home agent 7080 and the correspondent node. The procedure does not defend against 7081 attackers who can monitor this path. Note that such attackers are in 7082 any case able to mount an active attack against the mobile node when 7083 it is at its home location. The possibility of such attacks is not 7084 an impediment to the deployment of Mobile IPv6 because these attacks 7085 are possible regardless of whether or not Mobile IPv6 is in use. 7087 This procedure also protects against Denial-of-Service attacks in 7088 which the attacker pretends to be mobile, but uses the victim's 7089 address as the care-of address. This would cause the correspondent 7090 node to send the victim some unexpected traffic. This procedure 7091 defends against these attacks by requiring at least the passive 7092 presence of the attacker at the care-of address or on the path from 7093 the correspondent to the care-of address. Normally, this will be the 7094 mobile node. 7096 15.4.3. Comparison to Regular IPv6 Communications 7098 This section discusses the protection offered by the return 7099 routability method by comparing it to the security of regular IPv6 7100 communications. We will divide vulnerabilities into three classes: 7101 (1) those related to attackers on the local network of the mobile 7102 node, home agent, or the correspondent node, (2) those related to 7103 attackers on the path between the home network and the correspondent 7104 node, and (3) off-path attackers, i.e., the rest of the Internet. 7106 We will now discuss the vulnerabilities of regular IPv6 7107 communications. The on-link vulnerabilities of IPv6 communications 7108 include Denial-of-Service, Masquerading, Man-in-the-Middle, 7109 Eavesdropping, and other attacks. These attacks can be launched 7110 through spoofing Router Discovery, Neighbor Discovery and other IPv6 7111 mechanisms. Some of these attacks can be prevented with the use of 7112 cryptographic protection in the packets. 7114 A similar situation exists with on-path attackers. That is, without 7115 cryptographic protection, the traffic is completely vulnerable. 7117 Assuming that attackers have not penetrated the security of the 7118 Internet routing protocols, attacks are much harder to launch from 7119 off-path locations. Attacks that can be launched from these 7120 locations are mainly Denial-of-Service attacks, such as flooding 7121 and/or reflection attacks. It is not possible for an off-path 7122 attacker to become a Man-in-the-Middle. 7124 Next, we will consider the vulnerabilities that exist when IPv6 is 7125 used together with Mobile IPv6 and the return routability procedure. 7126 On the local link, the vulnerabilities are the same as those in IPv6, 7127 but Masquerade and Man-in-the-Middle attacks can now also be launched 7128 against future communications, and not just against current 7129 communications. If a Binding Update was sent while the attacker was 7130 present on the link, its effects remain for the lifetime of the 7131 binding. This happens even if the attacker moves away from the link. 7132 In contrast, an attacker who uses only plain IPv6 generally has to 7133 stay on the link in order to continue the attack. Note that in order 7134 to launch these new attacks, the IP address of the victim must be 7135 known. This makes this attack feasible, mainly in the context of 7136 well-known interface IDs, such as those already appearing in the 7137 traffic on the link or registered in the DNS. 7139 On-path attackers can exploit similar vulnerabilities as in regular 7140 IPv6. There are some minor differences, however. Masquerade, Man- 7141 in-the-Middle, and Denial-of-Service attacks can be launched with 7142 just the interception of a few packets, whereas in regular IPv6 it is 7143 necessary to intercept every packet. The effect of the attacks is 7144 the same regardless of the method, however. In any case, the most 7145 difficult task an attacker faces in these attacks is getting on the 7146 right path. 7148 The vulnerabilities for off-path attackers are the same as in regular 7149 IPv6. Those nodes that are not on the path between the home agent 7150 and the correspondent node will not be able to receive the home 7151 address probe messages. 7153 In conclusion, we can state the following main results from this 7154 comparison: 7156 o Return routability prevents any off-path attacks beyond those that 7157 are already possible in regular IPv6. This is the most important 7158 result, preventing attackers on the Internet from exploiting any 7159 vulnerabilities. 7161 o Vulnerabilities to attackers on the home agent link, the 7162 correspondent node link, and the path between them are roughly the 7163 same as in regular IPv6. 7165 o However, one difference is that in basic IPv6 an on-path attacker 7166 must be constantly present on the link or the path, whereas with 7167 Mobile IPv6, an attacker can leave a binding behind after moving 7168 away. 7170 For this reason, this specification limits the creation of 7171 bindings to at most MAX_TOKEN_LIFETIME seconds after the last 7172 routability check has been performed, and limits the duration of a 7173 binding to at most MAX_RR_BINDING_LIFETIME seconds. With these 7174 limitations, attackers cannot take any practical advantages of 7175 this vulnerability. 7177 o There are some other minor differences, such as an effect to the 7178 Denial-of-Service vulnerabilities. These can be considered to be 7179 insignificant. 7181 o The path between the home agent and a correspondent node is 7182 typically easiest to attack on the links at either end, in 7183 particular if these links are publicly accessible wireless LANs. 7185 Attacks against the routers or switches on the path are typically 7186 harder to accomplish. The security on layer 2 of the links plays 7187 then a major role in the resulting overall network security. 7188 Similarly, security of IPv6 Neighbor and Router Discovery on these 7189 links has a large impact. If these were secured using some new 7190 technology in the future, this could change the situation 7191 regarding the easiest point of attack. 7193 For a more in-depth discussion of these issues, see [42]. 7195 15.4.4. Replay Attacks 7197 The return routability procedure also protects the participants 7198 against replayed Binding Updates. The attacker is unable replay the 7199 same message due to the sequence number which is a part of the 7200 Binding Update. It is also unable to modify the Binding Update since 7201 the MAC verification would fail after such a modification. 7203 Care must be taken when removing bindings at the correspondent node, 7204 however. If a binding is removed while the nonce used in its 7205 creation is still valid, an attacker could replay the old Binding 7206 Update. Rules outlined in Section 5.2.8 ensure that this cannot 7207 happen. 7209 15.4.5. Denial-of-Service Attacks 7211 The return routability procedure has protection against resource 7212 exhaustion Denial-of-Service attacks. The correspondent nodes do not 7213 retain any state about individual mobile nodes until an authentic 7214 Binding Update arrives. This is achieved through the construct of 7215 keygen tokens from the nonces and node keys that are not specific to 7216 individual mobile nodes. The keygen tokens can be reconstructed by 7217 the correspondent node, based on the home and care-of address 7218 information that arrives with the Binding Update. This means that 7219 the correspondent nodes are safe against memory exhaustion attacks 7220 except where on-path attackers are concerned. Due to the use of 7221 symmetric cryptography, the correspondent nodes are relatively safe 7222 against CPU resource exhaustion attacks as well. 7224 Nevertheless, as [28] describes, there are situations in which it is 7225 impossible for the mobile and correspondent nodes to determine if 7226 they actually need a binding or whether they just have been fooled 7227 into believing so by an attacker. Therefore, it is necessary to 7228 consider situations where such attacks are being made. 7230 Even if route optimization is a very important optimization, it is 7231 still only an optimization. A mobile node can communicate with a 7232 correspondent node even if the correspondent refuses to accept any 7233 Binding Updates. However, performance will suffer because packets 7234 from the correspondent node to the mobile node will be routed via the 7235 mobile's home agent rather than a more direct route. A correspondent 7236 node can protect itself against some of these resource exhaustion 7237 attacks as follows. If the correspondent node is flooded with a 7238 large number of Binding Updates that fail the cryptographic integrity 7239 checks, it can stop processing Binding Updates. If a correspondent 7240 node finds that it is spending more resources on checking bogus 7241 Binding Updates than it is likely to save by accepting genuine 7242 Binding Updates, then it may silently discard some or all Binding 7243 Updates without performing any cryptographic operations. 7245 Layers above IP can usually provide additional information to help 7246 determine whether there is a need to establish a binding with a 7247 specific peer. For example, TCP knows if the node has a queue of 7248 data that it is trying to send to a peer. An implementation of this 7249 specification is not required to make use of information from higher 7250 protocol layers, but some implementations are likely to be able to 7251 manage resources more effectively by making use of such information. 7253 We also require that all implementations be capable of 7254 administratively disabling route optimization. 7256 15.4.6. Key Lengths 7258 Attackers can try to break the return routability procedure in many 7259 ways. Section 15.4.2 discusses the situation where the attacker can 7260 see the cryptographic values sent in the clear, and Section 15.4.3 7261 discusses the impact this has on IPv6 communications. This section 7262 discusses whether attackers can guess the correct values without 7263 seeing them. 7265 While the return routability procedure is in progress, 64 bit cookies 7266 are used to protect spoofed responses. This is believed to be 7267 sufficient, given that to blindly spoof a response a very large 7268 number of messages would have to be sent before success would be 7269 probable. 7271 The tokens used in the return routability procedure provide together 7272 128 bits of information. This information is used internally as 7273 input to a hash function to produce a 160 bit quantity suitable for 7274 producing the keyed hash in the Binding Update using the HMAC_SHA1 7275 algorithm. The final keyed hash length is 96 bits. The limiting 7276 factors in this case are the input token lengths and the final keyed 7277 hash length. The internal hash function application does not reduce 7278 the entropy. 7280 The 96 bit final keyed hash is of typical size and is believed to be 7281 secure. The 128 bit input from the tokens is broken in two pieces, 7282 the home keygen token and the care-of keygen token. An attacker can 7283 try to guess the correct cookie value, but again this would require a 7284 large number of messages (an the average 2**63 messages for one or 7285 2**127 for two). Furthermore, given that the cookies are valid only 7286 for a short period of time, the attack has to keep a high constant 7287 message rate to achieve a lasting effect. This does not appear 7288 practical. 7290 When the mobile node is returning home, it is allowed to use just the 7291 home keygen token of 64 bits. This is less than 128 bits, but 7292 attacking it blindly would still require a large number of messages 7293 to be sent. If the attacker is on the path and capable of seeing the 7294 Binding Update, it could conceivably break the keyed hash with brute 7295 force. However, in this case the attacker has to be on the path, 7296 which appears to offer easier ways for denial-of-service than 7297 preventing route optimization. 7299 15.5. Dynamic Home Agent Address Discovery 7301 The dynamic home agent address discovery function could be used to 7302 learn the addresses of home agents in the home network. 7304 The ability to learn addresses of nodes may be useful to attackers 7305 because brute-force scanning of the address space is not practical 7306 with IPv6. Thus, they could benefit from any means which make 7307 mapping the networks easier. For example, if a security threat 7308 targeted at routers or even home agents is discovered, having a 7309 simple ICMP mechanism to easily find out possible targets may prove 7310 to be an additional (though minor) security risk. 7312 This document does not define any authentication mechanism for 7313 dynamic home agent address discovery messages. Therefore the home 7314 agent cannot verify the home address of the mobile node that 7315 requested the list of home agents. 7317 Apart from discovering the address(es) of home agents, attackers will 7318 not be able to learn much from this information, and mobile nodes 7319 cannot be tricked into using wrong home agents, as all other 7320 communication with the home agents is secure. 7322 In cases where additional security is needed, one may consider 7323 instead the use of MIPv6 bootstrapping [22], (based on DNS SRV 7324 Resource Records [10]) in conjunction with security mechanisms 7325 suggested in these specifications. In that solution, security is 7326 provided by the DNSSEC [13] framework. The needed pre-configured 7327 data on the mobile node for this mechanism is the domain name of the 7328 mobile service provider, which is marginally better than the home 7329 subnet prefix. For the security, a trust anchor which dominates the 7330 domain is needed. 7332 15.6. Mobile Prefix Discovery 7334 The mobile prefix discovery function may leak interesting information 7335 about network topology and prefix lifetimes to eavesdroppers; for 7336 this reason, requests for this information have to be authenticated. 7337 Responses and unsolicited prefix information needs to be 7338 authenticated to prevent the mobile nodes from being tricked into 7339 believing false information about the prefixes and possibly 7340 preventing communications with the existing addresses. Optionally, 7341 encryption may be applied to prevent leakage of the prefix 7342 information. 7344 15.7. Tunneling via the Home Agent 7346 Tunnels between the mobile node and the home agent can be protected 7347 by ensuring proper use of source addresses, and optional 7348 cryptographic protection. These procedures are discussed in 7349 Section 5.5. 7351 Binding Updates to the home agents are secure. When receiving 7352 tunneled traffic, the home agent verifies that the outer IP address 7353 corresponds to the current location of the mobile node. This acts as 7354 a weak form of protection against spoofing packets that appear to 7355 come from the mobile node. This is particularly useful, if no end- 7356 to-end security is being applied between the mobile and correspondent 7357 nodes. The outer IP address check prevents attacks where the 7358 attacker is controlled by ingress filtering. It also prevents 7359 attacks when the attacker does not know the current care-of address 7360 of the mobile node. Attackers who know the care-of address and are 7361 not controlled by ingress filtering could still send traffic through 7362 the home agent. This includes attackers on the same local link as 7363 the mobile node is currently on. But such attackers could send 7364 packets that appear to come from the mobile node without attacking 7365 the tunnel; the attacker could simply send packets with the source 7366 address set to the mobile node's home address. However, this attack 7367 does not work if the final destination of the packet is in the home 7368 network, and some form of perimeter defense is being applied for 7369 packets sent to those destinations. In such cases it is recommended 7370 that either end-to-end security or additional tunnel protection be 7371 applied, as is usual in remote access situations. 7373 Home agents and mobile nodes may use IPsec ESP to protect payload 7374 packets tunneled between themselves. This is useful for protecting 7375 communications against attackers on the path of the tunnel. 7377 When a Unique-Local Address (ULA) RFC4193 [15] is used as a home 7378 address, reverse tunneling can be used to send local traffic from 7379 another location. Administrators should be aware of this when 7380 allowing such home addresses. In particular, the outer IP address 7381 check described above is not sufficient against all attackers. The 7382 use of encrypted tunnels is particularly useful for these kinds of 7383 home addresses. 7385 15.8. Home Address Option 7387 When the mobile node sends packets directly to the correspondent 7388 node, the Source Address field of the packet's IPv6 header is the 7389 care-of address. Therefore, ingress filtering [27] works in the 7390 usual manner even for mobile nodes, as the Source Address is 7391 topologically correct. The Home Address option is used to inform the 7392 correspondent node of the mobile node's home address. 7394 However, the care-of address in the Source Address field does not 7395 survive in replies sent by the correspondent node unless it has a 7396 binding for this mobile node. Also, not all attacker tracing 7397 mechanisms work when packets are being reflected through 7398 correspondent nodes using the Home Address option. For these 7399 reasons, this specification restricts the use of the Home Address 7400 option. It may only be used when a binding has already been 7401 established with the participation of the node at the home address, 7402 as described in Section 5.5 and Section 6.3. This prevents 7403 reflection attacks through the use of the Home Address option. It 7404 also ensures that the correspondent nodes reply to the same address 7405 that the mobile node sends traffic from. 7407 No special authentication of the Home Address option is required 7408 beyond the above, but note that if the IPv6 header of a packet is 7409 covered by IPsec Authentication Header, then that authentication 7410 covers the Home Address option as well. Thus, even when 7411 authentication is used in the IPv6 header, the security of the Source 7412 Address field in the IPv6 header is not compromised by the presence 7413 of a Home Address option. Without authentication of the packet, any 7414 field in the IPv6 header, including the Source Address field or any 7415 other part of the packet and the Home Address option can be forged or 7416 modified in transit. In this case, the contents of the Home Address 7417 option is no more suspect than any other part of the packet. 7419 15.9. Type 2 Routing Header 7421 The definition of the type 2 routing header is described in 7422 Section 6.4. This definition and the associated processing rules 7423 have been chosen so that the header cannot be used for what is 7424 traditionally viewed as source routing. In particular, the Home 7425 Address in the routing header will always have to be assigned to the 7426 home address of the receiving node; otherwise the packet will be 7427 dropped. 7429 Generally, source routing has a number of security concerns. These 7430 include the automatic reversal of unauthenticated source routes 7431 (which is an issue for IPv4, but not for IPv6). Another concern is 7432 the ability to use source routing to "jump" between nodes inside, as 7433 well as outside a firewall. These security concerns are not issues 7434 in Mobile IPv6, due to the rules mentioned above. 7436 In essence the semantics of the type 2 routing header is the same as 7437 a special form of IP-in-IP tunneling where the inner and outer source 7438 addresses are the same. 7440 This implies that a device which implements the filtering of packets 7441 should be able to distinguish between a type 2 routing header and 7442 other routing headers, as required in Section 8.3. This is necessary 7443 in order to allow Mobile IPv6 traffic while still having the option 7444 of filtering out other uses of routing headers. 7446 15.10. SHA-1 Secure Enough for Mobile IPv6 Control Messages 7448 This document relies on hash-based message authentication codes 7449 (HMAC) computed using the SHA-1 [11] hash algorithm for the home 7450 keygen token, care-of keygen token, as well as the authentication 7451 fields in the binding update and binding authorization data (see 7452 Section 5.2.4). While SHA-1 has been deprecated for some 7453 cryptographic mechanisms, SHA-1 is considered secure for the 7454 foreseeable future when used as specified here. For additional 7455 details, see [38]. 7457 16. Contributors 7459 Work done by Tuomas Aura, Mike Roe, Greg O'Shea, Pekka Nikander, Erik 7460 Nordmark, and Michael Thomas shaped the return routability protocols 7461 described in [34]. 7463 Significant contributions were made by members of the Mobile IPv6 7464 Security Design Team, including (in alphabetical order) Gabriel 7465 Montenegro, Erik Nordmark and Pekka Nikander. 7467 17. Acknowledgements 7469 We would like to thank the members of the Mobile IP, Mobility 7470 Extensions for IPv6, and IPng Working Groups for their comments and 7471 suggestions on this work. We would particularly like to thank (in 7472 alphabetical order) Fred Baker, Josh Broch, Samita Chakrabarti, 7473 Robert Chalmers, Noel Chiappa, Jean-Michel Combes, Greg Daley, Vijay 7474 Devarapalli, Rich Draves, Francis Dupont, Ashutosh Dutta, Arnaud 7475 Ebalard, Wesley Eddy, Thomas Eklund, Jun-Ichiro Itojun Hagino, Brian 7476 Haley, Marc Hasson, John Ioannidis, James Kempf, Rajeev Koodli, 7477 Suresh Krishnan, Krishna Kumar, T.J. Kniveton, Joe Lau, Aime Le 7478 Rouzic, Julien Laganier, Jiwoong Lee, Benjamin Lim, Vesa-Matti 7479 Mantyla, Kevin Miles, Glenn Morrow, Ahmad Muhanna, Thomas Narten, 7480 Karen Nielsen, Simon Nybroe, David Oran, Mohan Parthasarathy, 7481 Basavaraj Patil, Brett Pentland, Lars Henrik Petander, Alexandru 7482 Petrescu, Mattias Petterson, Ken Powell, Ed Remmell, Phil Roberts, 7483 Patrice Romand, Luis A. Sanchez, Pekka Savola, Jeff Schiller, Arvind 7484 Sevalkar, Keiichi Shima, Tom Soderlund, Hesham Soliman, Jim Solomon, 7485 Tapio Suihko, Dave Thaler, Pascal Thubert, Benny Van Houdt, Jon-Olov 7486 Vatn, Ryuji Wakikawa, Kilian Weniger, Carl E. Williams, Vladislav 7487 Yasevich, Alper Yegin, and Xinhua Zhao, for their detailed reviews of 7488 earlier versions of this document. Their suggestions have helped to 7489 improve both the design and presentation of the protocol. 7491 We would also like to thank the participants of the Mobile IPv6 7492 testing event (1999), implementors who participated in Mobile IPv6 7493 interoperability testing at Connectathons (2000, 2001, 2002, and 7494 2003), and the participants at the ETSI interoperability testing 7495 (2000, 2002). Finally, we would like to thank the TAHI project who 7496 has provided test suites for Mobile IPv6. 7498 18. References 7500 18.1. Normative References 7502 [1] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing 7503 for Message Authentication", RFC 2104, February 1997. 7505 [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement 7506 Levels", BCP 14, RFC 2119, March 1997. 7508 [3] Kent, S. and K. Seo, "Security Architecture for the Internet 7509 Protocol", RFC 4301, December 2005. 7511 [4] Kent, S., "IP Authentication Header", RFC 4302, December 2005. 7513 [5] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, 7514 December 2005. 7516 [6] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) 7517 Specification", RFC 2460, December 1998. 7519 [7] Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6 7520 Specification", RFC 2473, December 1998. 7522 [8] Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast 7523 Addresses", RFC 2526, March 1999. 7525 [9] Deering, S., Fenner, W., and B. Haberman, "Multicast Listener 7526 Discovery (MLD) for IPv6", RFC 2710, October 1999. 7528 [10] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for 7529 specifying the location of services (DNS SRV)", RFC 2782, 7530 February 2000. 7532 [11] National Institute of Standards and Technology, "Secure Hash 7533 Standard", FIPS PUB 180-1, April 1995, 7534 . 7536 [12] Arkko, J., Devarapalli, V., and F. Dupont, "Using IPsec to 7537 Protect Mobile IPv6 Signaling Between Mobile Nodes and Home 7538 Agents", RFC 3776, June 2004. 7540 [13] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, 7541 "DNS Security Introduction and Requirements", RFC 4033, 7542 March 2005. 7544 [14] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 7545 Requirements for Security", BCP 106, RFC 4086, June 2005. 7547 [15] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast 7548 Addresses", RFC 4193, October 2005. 7550 [16] Hinden, R. and S. Deering, "IP Version 6 Addressing 7551 Architecture", RFC 4291, February 2006. 7553 [17] Conta, A., Deering, S., and M. Gupta, "Internet Control Message 7554 Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) 7555 Specification", RFC 4443, March 2006. 7557 [18] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 7558 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 7559 September 2007. 7561 [19] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address 7562 Autoconfiguration", RFC 4862, September 2007. 7564 [20] Devarapalli, V. and F. Dupont, "Mobile IPv6 Operation with 7565 IKEv2 and the Revised IPsec Architecture", RFC 4877, 7566 April 2007. 7568 [21] Narten, T., Draves, R., and S. Krishnan, "Privacy Extensions 7569 for Stateless Address Autoconfiguration in IPv6", RFC 4941, 7570 September 2007. 7572 [22] Giaretta, G., Kempf, J., and V. Devarapalli, "Mobile IPv6 7573 Bootstrapping in Split Scenario", RFC 5026, October 2007. 7575 [23] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA 7576 Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. 7578 [24] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, "Internet Key 7579 Exchange Protocol Version 2 (IKEv2)", RFC 5996, September 2010. 7581 18.2. Informative References 7583 [25] Perkins, C., "IP Encapsulation within IP", RFC 2003, 7584 October 1996. 7586 [26] Perkins, C., "Minimal Encapsulation within IP", RFC 2004, 7587 October 1996. 7589 [27] Ferguson, P. and D. Senie, "Network Ingress Filtering: 7590 Defeating Denial of Service Attacks which employ IP Source 7591 Address Spoofing", BCP 38, RFC 2827, May 2000. 7593 [28] Aura, T. and J. Arkko, "MIPv6 BU Attacks and Defenses", 7594 draft-aura-mipv6-bu-attacks-01 (work in progress), March 2002. 7596 [29] Reynolds, J., "Assigned Numbers: RFC 1700 is Replaced by an On- 7597 line Database", RFC 3232, January 2002. 7599 [30] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. 7600 Carney, "Dynamic Host Configuration Protocol for IPv6 7601 (DHCPv6)", RFC 3315, July 2003. 7603 [31] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, 7604 August 2002. 7606 [32] Draves, R., "Default Address Selection for Internet Protocol 7607 version 6 (IPv6)", RFC 3484, February 2003. 7609 [33] Nordmark, E., "Securing MIPv6 BUs using return routability 7610 (BU3WAY)", draft-nordmark-mobileip-bu3way-00 (work in 7611 progress), November 2001. 7613 [34] Roe, M., "Authentication of Mobile IPv6 Binding Updates and 7614 Acknowledgments", draft-roe-mobileip-updateauth-02 (work in 7615 progress), March 2002. 7617 [35] Chowdhury, K. and A. Yegin, "MIP6-bootstrapping for the 7618 Integrated Scenario", 7619 draft-ietf-mip6-bootstrapping-integrated-dhc-06 (work in 7620 progress), April 2008. 7622 [36] Savola, P., "Use of /127 Prefix Length Between Routers 7623 Considered Harmful", RFC 3627, September 2003. 7625 [37] Savola, P., "Security of IPv6 Routing Header and Home Address 7626 Options", draft-savola-ipv6-rh-ha-security-02 (work in 7627 progress), March 2002. 7629 [38] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security 7630 Considerations for the SHA-0 and SHA-1 Message-Digest 7631 Algorithms", draft-turner-sha0-sha1-seccon-05 (work in 7632 progress), February 2011. 7634 [39] Manner, J. and M. Kojo, "Mobility Related Terminology", 7635 RFC 3753, June 2004. 7637 [40] Vida, R. and L. Costa, "Multicast Listener Discovery Version 2 7638 (MLDv2) for IPv6", RFC 3810, June 2004. 7640 [41] Bellovin, S. and R. Housley, "Guidelines for Cryptographic Key 7641 Management", BCP 107, RFC 4107, June 2005. 7643 [42] Nikander, P., Arkko, J., Aura, T., Montenegro, G., and E. 7645 Nordmark, "Mobile IP Version 6 Route Optimization Security 7646 Design Background", RFC 4225, December 2005. 7648 [43] Nordmark, E., Chakrabarti, S., and J. Laganier, "IPv6 Socket 7649 API for Source Address Selection", RFC 5014, September 2007. 7651 [44] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation of 7652 Type 0 Routing Headers in IPv6", RFC 5095, December 2007. 7654 Appendix A. Future Extensions 7656 A.1. Piggybacking 7658 This document does not specify how to piggyback payload packets on 7659 the binding related messages. However, it is envisioned that this 7660 can be specified in a separate document when issues such as the 7661 interaction between piggybacking and IPsec are fully resolved (see 7662 also Appendix A.3). The return routability messages can indicate 7663 support for piggybacking with a new mobility option. 7665 A.2. Triangular Routing 7667 Due to the concerns about opening reflection attacks with the Home 7668 Address destination option, this specification requires that this 7669 option be verified against the Binding Cache, i.e., there must be a 7670 Binding Cache entry for the Home Address and Care-of Address. 7672 Future extensions may be specified that allow the use of unverified 7673 Home Address destination options in ways that do not introduce 7674 security issues. 7676 A.3. New Authorization Methods 7678 While the return routability procedure provides a good level of 7679 security, there exist methods that have even higher levels of 7680 security. Secondly, as discussed in Section 15.4, future 7681 enhancements of IPv6 security may cause a need to also improve the 7682 security of the return routability procedure. Using IPsec as the 7683 sole method for authorizing Binding Updates to correspondent nodes is 7684 also possible. The protection of the Mobility Header for this 7685 purpose is easy, though one must ensure that the IPsec SA was created 7686 with appropriate authorization to use the home address referenced in 7687 the Binding Update. For instance, a certificate used by IKEv2 to 7688 create the security association might contain the home address. A 7689 future specification may specify how this is done. 7691 A.4. Neighbor Discovery Extensions 7693 Future specifications may improve the efficiency of Neighbor 7694 Discovery tasks, which could be helpful for fast movements. One 7695 factor is currently being looked at: the delays caused by the 7696 Duplicate Address Detection mechanism. Currently, Duplicate Address 7697 Detection needs to be performed for every new care-of address as the 7698 mobile node moves, and for the mobile node's link-local address on 7699 every new link. In particular, the need and the trade-offs of re- 7700 performing Duplicate Address Detection for the link-local address 7701 every time the mobile node moves on to new links will need to be 7702 examined. Improvements in this area are, however, generally 7703 applicable and progress independently from the Mobile IPv6 7704 specification. 7706 Future functional improvements may also be relevant for Mobile IPv6 7707 and other applications. For instance, mechanisms that would allow 7708 recovery from a Duplicate Address Detection collision would be useful 7709 for link-local, care-of, and home addresses. 7711 Appendix B. Changes since RFC 3775 7713 The following issues were identified during the evolution of the 7714 current document. Discussion about most of the issues can be found 7715 on the [mext] working group page 7716 http://trac.tools.ietf.org/wg/mext/trac/report/6 7718 Issue #1 Last Accepted SQN [Ahmad Muhanna] 7720 Solution: specify that the mobile node update its binding sequence 7721 number to match the sequence number given in the Binding 7722 Acknowledgement (if the Binding Acknowledgement correctly passes 7723 authentication and the status is 135 (Sequence Number out of 7724 window). See Section 11.7.3. 7726 Issue #4 Remove references to site-local addresses [George 7727 Tsirtsis]. 7729 Fixed. 7731 Issue #5 Wrong protocol number (2 instead of 135) used in discussion 7732 about checksum pseudo-header. 7734 Fixed. See Section 6.1.1. 7736 Issue #8 Application using the care-of address [Julien Laganier] 7738 Cite IPv6 Socket API for Source Address Selection specification 7739 [43]. See Section 11.3.4. 7741 Issue #10 The usage of "HA lifetime" [Ryuji Wakikawa] 7743 The mobile node SHOULD store the list of home agents for later use 7744 in case the home agent currently managing the mobile node's 7745 care-of address forwarding should become unavailable. See 7746 Section 11.4.1. 7748 Issue #11 De-registration when returning home [Vijay Devarapalli] 7750 To be able to send and receive packets using its home address from 7751 the home link, the mobile node MUST send a Binding Update to its 7752 home agent to instruct its home agent to no longer intercept or 7753 tunnel packets for it. Until the mobile node sends such a de- 7754 registration Binding Update, it MUST NOT attempt to send and 7755 receive packets using its home address from the home link. See 7756 Section 11.5.5. 7758 Issue #12 BErr sent by HA too, not only by CN [Alexandru Petrescu] 7760 Fixed. See Section 4.2. 7762 Issue #13 Home Link Detection [Suresh Krishnan] 7764 Proposal: add Section 11.5.2 for Home Link Detection, drawing on 7765 Internet Draft draft-krishnan-mext-hld. 7767 Issue #14 References to Bootstrapping [Vijay Devarapalli] 7769 Cite "Mobile IPv6 Bootstrapping in Split Scenario" [22] and "MIP6 7770 bootstrapping for the Integrated Scenario" [35]. See Section 4.1. 7772 Issue #17 Multi-homed mobile node can cause routing loop between 7773 home agents [Benjamin Lim] 7775 Added security advisory in Section 15.1, to highlight risk of 7776 routing loop among HAs (e.g., in 3GPP): 7778 A malicious mobile node associated to multiple home agents could 7779 create a routing loop amongst them. This would happen when a 7780 mobile node binds one home address located on a first home agent 7781 to another home address on a second home agent. 7783 Issue #18 Subject: Issues regarding Home Address Option and ICMP / 7784 Binding Errors [Fabian Mauchle] 7786 Proposal: Use the value in the Next Header field {50 (ESP), 51 7787 (AH), 135 (Mobility Header)} to determine, if a Binding Cache 7788 entry is required. See Section 9.3.1. 7790 Proposal: If the Binding Error Message was sent by the Home Agent, 7791 the Mobile Node SHOULD send a Binding Update to the Home Agent 7792 according to Section 11.7.1. See Section 11.3.6. 7794 Issue #19 BU de-registration race condition [Kilian Weniger] 7796 Problem arises if de-registration arrives at Home Agent before an 7797 immediately preceding Binding Update. 7799 Solution: Home Agent defers BCE removal after sending the Binding 7800 Acknowledgement. See Section 10.3.2. 7802 Issue #6 Minor editorial corrections and updates. 7804 Update IPsec and IKE references to the revised IPsec architecture 7805 and IKEv2. 7807 Update HMAC_SHA1 [1] to Normative instead of Informational. 7809 Include discussion (see Section 15.10) to inform implementers that 7810 HMAC_SHA1 is considered to offer sufficient protection for control 7811 messages as required by Mobile IPv6. 7813 Authors' Addresses 7815 Charles E. Perkins 7816 Tellabs Inc. 7817 4555 Great America Parkway, Suite 150 7818 Santa Clara CA 95054 7819 USA 7821 Email: charliep@computer.org 7823 David B. Johnson 7824 Rice University 7825 Dept. of Computer Science, MS 132 7826 6100 Main Street 7827 Houston TX 77005-1892 7828 USA 7830 Email: dbj@cs.rice.edu 7832 Jari Arkko 7833 Ericsson 7834 Jorvas 02420 7835 Finland 7837 Email: jari.arkko@ericsson.com