Network-Based Mobility Extensions (netext)                    C. Perkins
Internet-Draft                                            Futurewei Inc.
Expires: November 2, 2012                                       May 2012


         Alternate Tunnel Source Address for LMA and Home Agent
                  draft-perkins-netext-hatunaddr-00.txt

Abstract

   Widely deployed mobility management systems for wireless
   communications have isolated the path for forwarding data from the
   control plane signaling for mobility management.  To realize this
   requirement with Mobile IP requires that the control functions of the
   home agent be addressable at a different IP address than the source
   IP address of the tunnel between the home agent and mobile node.
   Similar considerations hold for mobility anchors implementing
   Hierarchical Mobile IP or PMIP.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 2, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Perkins                 Expires November 2, 2012                [Page 1]

Internet-Draft           Alternate LMA/HA Tunnel                May 2012

1.  Introduction

   Mobile IP [4] and Mobile IPv6 [5] associate the Home Agent's IP
   address both with the target of control messages from the mobile
   node, and with the source IP address for packets tunneled to the
   mobile node from the Home Agent.  However, in most contemporary
   commercial mobility management systems, these two IP addresses are
   not the same.  Thus, Mobile IP has been seen as missing an important
   feature, and perhaps for that reason has not been fully integrated
   into the mobility management systems of commercial wireless ISPs.

   In this document, we specify a simple extension for Mobile IPv6 to
   enable a mobile node to receive packets tunneled to it from an IP
   address different from the IP address used for sending Binding
   Updates and other Mobile IPv6 control messages.  The extension is
   applied to the Binding Acknowledgement message, which is expected to
   be processed by the mobile node before any packets are tunneled to
   the mobile node from the home agent.

   Almost identical considerations hold for Mobile IPv4, Proxy MIP [2],
   and Hierarchical Mobile IP [3].  Similar extensions to the
   registration messages in those MIP variations are also specified in
   this document.

2.  Alternate Home Agent Tunnel Address for PMIPv6 and Mobile IPv6

   The "Alternate Home Agent Tunnel Address" option may be included as
   an extension to the Binding Acknowledgement message.  The Alternate
   Home Agent Tunnel Address option has an alignment requirement of
   8n+6.  Its format is as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                   |   Type = TBD  |  Length = 16  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +              Alternate Home Agent Tunnel Address              +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   When the mobile node receives a Binding Acknowledgement message
   including the Alternate Home Agent Tunnel Address, it should enable
   decapsulation for packets arriving from that alternate address.
   Moreover, the mobile node MUST then use the alternate HA tunnel IP
   address whenever tunneling packets (using IPv6-in-IPv6 encapsulation
   [1]) through that home agent.

   If the Binding Acknowledgement message has the 'P' bit set, it is
   being sent from the LMA to the MAG, and is called a "Proxy Binding
   Acknowledgement" message [2].  In this case, the "Alternate Home
   Agent Tunnel Address" option may also be included.  When the MAG
   receives such a Proxy Binding Acknowledgement message including the
   Alternate Home Agent Tunnel Address, it should enable decapsulation
   for packets arriving from that alternate address.  Moreover, the MAG
   MUST then use the alternate HA tunnel IP address whenever tunneling
   the mobile node's packets to that LMA.

   If the mobile node sets the 'M' bit in the Binding Update, then the
   effect is to register a regional care-of address with the local MAP
   as defined in Hierarchical Mobile IP [3].  In this case, the Binding
   Acknowledgement message may also include the "Alternate Home Agent
   Tunnel Address" option.  When the mobile node receives such a Binding
   Acknowledgement message including the Alternate Home Agent Tunnel
   Address, it should enable decapsulation for packets arriving from
   that alternate address.  Moreover, the mobile node MUST then use the
   alternate HA tunnel IP address whenever tunneling the mobile node's
   packets to that MAP.

3.  Alternate Home Agent Tunnel Address for Mobile IPv4

   The "Alternate Home Agent Tunnel Address" option may be included as
   an extension to the Registration Reply message.  Its format is as
   follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = TBD  |  Length = 6   |           Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Alternate IPv4 Home Agent Tunnel Address            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Reserved
         Sent as zero; ignored on reception.

   Alternate IPv4 Home Agent Tunnel Address
         The Alternate IPv4 Home Agent Tunnel Address required by this
         home agent.

   The home agent may include the "Alternate IPv4 Home Agent Tunnel
   Address" as an extension to the Registration Reply message.  When the
   mobile node receives a Registration Reply message including the
   Alternate IPv4 Home Agent Tunnel Address, it MUST enable
   decapsulation for packets arriving from that alternate address.
   Moreover, the mobile node MUST then use the alternate HA tunnel IP
   address whenever tunneling packets through that home agent.

4.  Security Considerations

   This document does not introduce any security mechanisms, and does
   not have any impact on existing security mechanisms.  Since the
   Binding Acknowledgement and Registration Reply messages to the mobile
   node are required to be secured, including the Alternate Home Agent
   Tunnel Address extension will not enable a malicious node to create
   any disruption to the desired tunneling behavior along the data path.
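   The two formats from Sections 2 and 3, the 8n+6 alignment padding
   for the Mobile IPv6 option, and a receiver that installs the
   alternate address only from a message that passed its authentication
   check, as an added Python example that is not part of this draft.
   The Type values are placeholders because the draft leaves them TBD,
   and the apply_alt_tunnel() gate is an assumed way of implementing the
   requirement stated in this section.

```python
import ipaddress
import struct

# Type values are TBD in the draft; these two constants are placeholders for
# this example only (the MIPv4 value sits in the non-skippable range 0..127).
MIP6_ALT_HA_TUNNEL_TYPE = 0xFE
MIP4_ALT_HA_TUNNEL_TYPE = 0x7E


def build_mip6_option(addr):
    """Mobility option: Type, Length = 16, 16-byte IPv6 tunnel address."""
    return struct.pack("!BB", MIP6_ALT_HA_TUNNEL_TYPE, 16) + ipaddress.IPv6Address(addr).packed


def parse_mip6_option(data):
    """Return the alternate IPv6 tunnel address, rejecting a malformed option."""
    if len(data) < 2 or data[0] != MIP6_ALT_HA_TUNNEL_TYPE:
        raise ValueError("not an Alternate Home Agent Tunnel Address option")
    if data[1] != 16 or len(data) < 18:
        raise ValueError("option Length must be 16 with all address bytes present")
    return str(ipaddress.IPv6Address(bytes(data[2:18])))


def build_mip4_extension(addr):
    """MIPv4 extension: Type, Length = 6, Reserved sent as zero, IPv4 address."""
    return struct.pack("!BBH", MIP4_ALT_HA_TUNNEL_TYPE, 6, 0) + ipaddress.IPv4Address(addr).packed


def parse_mip4_extension(data):
    """Return the alternate IPv4 tunnel address; Reserved is ignored on reception."""
    if len(data) < 8 or data[0] != MIP4_ALT_HA_TUNNEL_TYPE or data[1] != 6:
        raise ValueError("not a well-formed Alternate IPv4 Home Agent Tunnel Address extension")
    return str(ipaddress.IPv4Address(bytes(data[4:8])))


def mip6_padding(offset):
    """Pad1/PadN bytes placing the option's Type byte at 8n+6 from the Mobility
    Header start, so the 16-byte address that follows Type/Length is 8-byte aligned."""
    n = (6 - offset) % 8
    if n == 0:
        return b""
    if n == 1:
        return b"\x00"                                  # Pad1: single zero byte
    return bytes([1, n - 2]) + b"\x00" * (n - 2)        # PadN: Type 1, Length n-2


def apply_alt_tunnel(message_authenticated, option_bytes, parse):
    """Assumed receiver gate: the alternate address becomes the accepted decapsulation
    source and tunnel destination only when the carrying BA/Registration Reply passed
    authentication; otherwise the option is discarded and None is returned."""
    if not message_authenticated:
        return None
    return parse(option_bytes)
```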
   In cases where confidentiality is required for traffic between the
   mobile node and the HA-D [i.e., the data-plane home agent] tunnel
   termination IP address, a security association will be required.
   For this, there are at least two options:

   IKEv2
         The mobile node and HA-D can establish a security association
         using IKEv2 [7].

   Update to RFC 3957 (Authentication, Authorization, and Accounting
   (AAA) Registration Keys for Mobile IPv4)
         A new extension for the Binding Acknowledgement and/or
         Registration Reply could be specified for use by the mobile
         node to calculate a shared secret and establish a derived
         security association with the HA-D.  This extension would be
         similar to the "Generalized MN Key Generation Nonce" extensions
         already specified in RFC 3957 [6].

   For the second option, a new calculation is needed in order to ensure
   that the IP addresses of both the HA-D and the mobile node are
   included in the input for the cryptographic hash function.

5.  IANA Considerations

   This document creates a new Mobility Option for Mobile IPv6 that can
   be included in the Binding Acknowledgement message.  The protocol
   number for this new Mobility Option, the "Alternate Home Agent Tunnel
   Address" option, should be allocated from the space of Mobility
   Options for Mobile IPv6.

   This document creates a new Extension for Mobile IPv4 that can be
   included in the Registration Reply message.  The protocol number for
   this new Extension, the "Alternate IPv4 Home Agent Tunnel Address"
   option, should be allocated from the space of non-skippable
   extensions for Mobile IPv4 (i.e., a number within the range 0--127).

6.  References

6.1.  Normative References

   [1]  Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6
        Specification", RFC 2473, December 1998.

   [2]  Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K., and
        B. Patil, "Proxy Mobile IPv6", RFC 5213, August 2008.

   [3]  Soliman, H., Castelluccia, C., ElMalki, K., and L. Bellier,
        "Hierarchical Mobile IPv6 (HMIPv6) Mobility Management",
        RFC 5380, October 2008.

   [4]  Perkins, C., "IP Mobility Support for IPv4, Revised", RFC 5944,
        November 2010.

   [5]  Perkins, C., Johnson, D., and J. Arkko, "Mobility Support in
        IPv6", RFC 6275, July 2011.

6.2.  Informative References

   [6]  Perkins, C. and P. Calhoun, "Authentication, Authorization, and
        Accounting (AAA) Registration Keys for Mobile IPv4", RFC 3957,
        March 2005.

   [7]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, "Internet Key
        Exchange Protocol Version 2 (IKEv2)", RFC 5996, September 2010.

Author's Address

   Charles E. Perkins
   Futurewei Inc.
   2330 Central Expressway
   Santa Clara, CA 95050
   USA

   Email: charliep@computer.org