INTERNET DRAFT                                            Pat R. Calhoun
Category: Standards Track                              Gabriel Montenegro
Title: draft-ietf-mobileip-reg-tunnel-00.txt           Charles E. Perkins
Date: November 1998                                Sun Laboratories, Inc.

               Mobile IP Regionalized Tunnel Management

Status of this Memo

   This document is a submission by the Mobile IP Working Group of the
   Internet Engineering Task Force (IETF).  Comments should be submitted
   to the mobile-ip@smallworks.com mailing list.

   Distribution of this memo is unlimited.

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To view the entire list of current Internet-Drafts, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
   Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
   Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

Abstract

   RFC 2002 defines a method for a Mobile Node to be assigned a Home
   Agent dynamically through the use of a limited broadcast message.
   However, most corporate networks do not allow such packets to
   traverse their firewall, which renders this feature difficult to use.
   This draft introduces a new entity named the Home Domain Allocation
   Agency (HDAA) that can dynamically assign a Home Address to the
   Mobile Node.  This draft also proposes a method for the HDAA to
   assign a dynamic Home Agent to the Mobile Node.
Calhoun, Perkins             expires April 1999                 [Page 1]
INTERNET DRAFT                                             November 1998

Table of Contents

   1.0 Introduction
   2.0 Router Discovery Extensions
       2.1 PFA IP Address
   3.0 Mobile IP Registration Extensions
       3.1 Hierarchical Mobility Agent Extension
   4.0 Security Considerations
   5.0 References
   6.0 Acknowledgements
   7.0 Chairs' Addresses
   8.0 Authors' Addresses

1.0 Introduction

   RFC 2002 [2] assumes that the Foreign Agent and the Home Agent
   interact directly during the registration process.  This assumption
   creates two problems: first, the Mobility Agents cannot be located
   on private networks, and second, it does not allow for efficient
   smooth hand-off of the Mobile Node between Foreign Agents.

          +------------------------------------+
          |       Private Foreign Network      |
          |  +------+   +------+     +-------+ |
          |  |  MN  |---|  FA  |-----|  PFA  | |
          |  +------+   +------+     +---+---+ |
          |                              |     |
          +------------------------------|-----+
                                 +-------|--------+
                                 |       |        |
                                 | Public Network |
                                 |       |        |
                                 +-------|--------+
          +------------------------------|-----+
          |       Private Home Network   |     |
          |            +------+      +---+---+ |
          |            |  HA  |------|  PHA  | |
          |            +------+      +-------+ |
          |                                    |
          +------------------------------------+

                    Figure 1: Proxy Mobility Agents

   The figure above depicts the Foreign Agent and the Home Agent on a
   private network.  The Proxy Foreign Agent (PFA) and the Proxy Home
   Agent (PHA) each have one routable address that is accessible from
   the public network and one address that resides on the private
   network.  In order to reach either the FA or the HA from the public
   network, the request must be sent through the appropriate Proxy Agent
   (PA).  In this figure the PHA can be viewed as the HDAA as described
   in [4] and [5].

   Note that although the figure only shows one level of hierarchy, this
   document does not limit the number of levels.  It is possible for a
   complex network to contain many levels before reaching the Proxy
   Agent.
   The Mobile IP Challenge Draft [5] describes smooth hand-off and how
   the short-lived session keys are transferred from one Foreign Agent
   to another within a given Administrative Domain.  When using
   regionalized tunnels, the Foreign Agent's session key generated by
   the HDAA belongs to the PFA, since the PFA is the only Mobility Agent
   known to the HDAA.  Because the session key is owned by the PFA, the
   Mobile Node can move from one Foreign Agent to another within the
   same foreign network without the session keys having to be
   redistributed.  This of course assumes that all of the Foreign Agents
   share some form of security association.

   We now describe the message flow of the Mobile Node's registration
   as shown in Figure 1.  The Foreign Agent announces its presence via
   the Router Advertisement message, which includes the PFA's publicly
   routable address in the PFA IP Address extension described in
   section 2.1.  Upon receipt of this message the Mobile Node must
   determine whether to use the FA or the PFA address.  The Router
   Advertisement also MUST include the FA's NAI [5], which the Mobile
   Node uses to determine whether it is on its home network or on a
   foreign network.  If the Mobile Node determines that it is visiting
   a foreign network, it MUST use the PFA's IP address in the care-of
   address field of the Registration Request.  The Mobile Node must then
   register with the Home Domain, and since it has determined that it
   is visiting, it MUST use its configured PHA address in the
   Registration Request's Home Agent field.  The message is then
   forwarded to the Foreign Agent, which adds a Hierarchical Mobility
   Agent Extension to the message and forwards the request to the PFA.
   The PFA must authenticate the message using the Mobile-Foreign
   Authentication extension (if present).  If the Hierarchical Mobility
   Agent extension is present, the PFA must retain the Mobile Node's
   current point of attachment and remove the extension from the
   request.
   The PFA then adds the Foreign-Home Authentication extension to the
   request and forwards the request to the PHA.  The PHA must
   authenticate the request from the PFA and determine the Mobile Node's
   true Home Agent within the private network.  This can be statically
   configured on the PHA, or it can be retrieved through an
   Authentication, Authorization and Accounting protocol such as [6].
   The PHA then adds the Hierarchical Mobility Agent extension to the
   Registration Request and forwards the request to the Home Agent.  The
   Home Agent uses the Hierarchical Mobility Agent extension to find the
   next Mobility Agent to use in order to contact the Mobile Node.

   The Registration Request is processed by the Home Agent as described
   in [2] and the Registration Reply is forwarded to the PHA.  The PHA
   adds the necessary Foreign-Home Authentication extension and forwards
   the reply to the PFA.  The PFA then authenticates the packet and must
   find the Foreign Agent within its network that is serving the Mobile
   Node.  It uses the information that was in the Hierarchical Mobility
   Agent extension of the Registration Request, which it had cached.
   The PFA removes the Foreign-Home Authentication extension and
   forwards the reply to the Foreign Agent, which hands it off to the
   Mobile Node.

   In the event that the Mobile Node moves to another Foreign Agent
   within the same foreign domain, the Mobile Node issues another
   Registration Request (similar to the one previously described).  The
   Foreign Agent forwards this request to the PFA, which updates the
   Mobile Node's current point of attachment from the Hierarchical
   Mobility Agent extension.  The PFA can then issue a Registration
   Reply directly to the Mobile Node through the Foreign Agent.

2.0 Router Discovery Extensions

   This section defines the extensions necessary to the Router Discovery
   Protocol [7].
   The Mobile Node can assume that the Foreign Agent supports this
   specification if the extensions in this section are present in its
   Router Advertisements.

2.1 PFA IP Address

   The PFA IP Address Extension is included in the Router Advertisements
   sent by the Foreign Agent in order to provide the Mobile Node with
   the publicly routable address of the Proxy Foreign Agent.  The Mobile
   Node MUST use this address as the care-of address in the Registration
   Request if the Foreign Agent does not belong to the same
   administrative domain as the Mobile Node.  This is determined by
   comparing the domain in the Foreign Agent's NAI [5] with the domain
   in the Mobile Node's NAI.  The PFA IP Address Extension is defined as
   follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |        PFA IP Address ....
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             PFA IP Address        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      TBD

   Length

      4

   PFA IP Address

      The PFA IP Address field contains the publicly routable address
      of the Foreign Domain's Proxy Foreign Agent.

3.0 Mobile IP Registration Extensions

   This section defines the new Mobile IP Registration Extensions that
   must be used in order to use the functionality described in this
   document.

3.1 Hierarchical Mobility Agent Extension

   One or more Hierarchical Mobility Agent Extensions MAY be present in
   a Registration Request or Reply.  If more than one Hierarchical
   Mobility Agent Extension is present, the order of these extensions
   MUST be maintained through the hierarchy.  When replying with a
   Registration Reply, the Home Agent MUST ensure that the order of the
   Hierarchical Mobility Agent extensions is the reverse of the order
   found in the Registration Request.

   If the Hierarchical Mobility Agent Extension is present in the
   Request, each foreign agent MUST check that its address is included
   in the list of tunnel agents.  If not, it rejects the Request with a
   status code of 70.
   Otherwise, the foreign agent makes note of the address of the next
   lower-level tunnel agent, for future association with the Mobile
   Node's network address.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |         MA IP Address ....
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             MA IP Address ....    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      TBD

   Length

      4

   MA IP Address

      The IP address of the Mobility Agent in the hierarchy.

4.0 Security Considerations

   This document proposes methods for Mobility Agents on private
   networks to communicate with other agents on public or private
   networks.  It assumes that any authentication extensions used are
   defined either in [2] or [5].  In particular, the PFA and the PHA
   must share a security association in order to authenticate the
   Foreign-Home Authentication extensions they exchange across the
   public network, and the smooth hand-off described in section 1.0
   assumes that the Foreign Agents within a foreign network share some
   form of security association.

5.0 References

   [1] P. Calhoun, G. Montenegro, C. Perkins, "Tunnel Establishment
       Protocol", draft-ietf-mobileip-calhoun-tep-01.txt, Work in
       Progress, March 1998.

   [2] C. Perkins, Editor, "IP Mobility Support", RFC 2002, October
       1996.

   [3] B. Aboba, "The Network Access Identifier", Internet-Draft, Work
       in Progress, August 1997.

   [4] P. Calhoun, C. Perkins, "DIAMETER Dynamic Home Address
       Allocation", draft-ietf-mobileip-home-addr-alloc-00.txt, Work in
       Progress, November 1998.

   [5] P. Calhoun, C. Perkins, "DIAMETER Challenge Extension",
       draft-ietf-mobileip-challenge-00.txt, Work in Progress, November
       1998.

   [6] P. Calhoun, C. Perkins, "DIAMETER Mobile IP Extension",
       draft-calhoun-diameter-mobileip-00.txt, Work in Progress, July
       1998.

   [7] S. Deering, Editor, "ICMP Router Discovery Messages", RFC 1256,
       September 1991.

6.0 Acknowledgements

   The authors would like to thank Vipul Gupta for useful discussions.
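   The following is an added worked example; it is not part of this
   draft and is not code from any Mobile IP implementation.  It models
   in Python the registration flow of section 1.0 (MN -> FA -> PFA ->
   PHA -> HA, and the Reply back down), the care-of address selection
   of section 2.1, and the Hierarchical Mobility Agent (HMA) extension
   rules of section 3.1, using the Type/Length/Value wire format of
   sections 2.1 and 3.1.  Everything not stated in the draft is an
   assumption of the example: the extension type numbers (the draft
   says TBD), the Foreign-Home Authentication extension represented as
   an HMAC-SHA256 tag over the message (standing in for the
   authenticator of [2]), the FA placing both its own address and the
   PFA's address in the HMA list so that the PFA can apply the section
   3.1 membership check, and all names, keys and sample addresses.

```python
# Added example, not part of the draft: a model of the registration flow in
# sections 1.0-3.1 with the PFA IP Address and Hierarchical Mobility Agent
# (HMA) extensions.  Assumptions not in the draft: the extension type numbers
# (the draft says TBD), HMAC-SHA256 standing in for the RFC 2002 Foreign-Home
# authenticator, and the FA listing itself and the PFA in the HMA list.
import hmac, ipaddress, struct
from dataclasses import dataclass, field

PFA_IP_ADDR_TYPE, HMA_TYPE, FH_AUTH_TYPE = 130, 131, 132  # assumed; draft: TBD
REJECT_NOT_IN_TUNNEL_LIST = 70                             # section 3.1

def encode_addr_ext(ext_type, addr):
    """Type(1) | Length(1) = 4 | IPv4 address.  Length counts only the data."""
    return struct.pack("!BB4s", ext_type, 4, ipaddress.IPv4Address(addr).packed)

def decode_exts(data):  # Type/Length/Value run -> ordered (type, value) pairs
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated extension")
        t, ln = data[i], data[i + 1]
        val = data[i + 2:i + 2 + ln]
        if t in (PFA_IP_ADDR_TYPE, HMA_TYPE):
            if ln != 4:
                raise ValueError("address extension needs Length 4")
            val = str(ipaddress.IPv4Address(val))
        out.append((t, val))
        i += 2 + ln
    return out

@dataclass
class RegMsg:                 # Registration Request or Reply, fields used here
    mn_nai: str
    home_agent: str
    care_of: str
    exts: list = field(default_factory=list)  # wire order is significant (3.1)
    code: int = 0

def fh_tag(msg, key):  # Foreign-Home authenticator over all but the auth ext
    body = f"{msg.mn_nai}|{msg.home_agent}|{msg.care_of}|{msg.code}".encode()
    body += b"".join(encode_addr_ext(t, v) for t, v in msg.exts if t != FH_AUTH_TYPE)
    return hmac.new(key, body, "sha256").hexdigest()

def verify_and_strip_fh(msg, key):
    tags = [v for t, v in msg.exts if t == FH_AUTH_TYPE]
    if not tags or not hmac.compare_digest(tags[-1], fh_tag(msg, key)):
        raise PermissionError("Foreign-Home authentication failed")
    msg.exts = [e for e in msg.exts if e[0] != FH_AUTH_TYPE]

def mn_build_request(mn_nai, fa_nai, fa_addr, adv_ext_bytes, home_agent, pha_addr):
    """Section 2.1: visiting iff the NAI realms differ; then CoA = PFA, HA field = PHA."""
    pfa = dict(decode_exts(adv_ext_bytes)).get(PFA_IP_ADDR_TYPE)
    visiting = mn_nai.rsplit("@", 1)[1] != fa_nai.rsplit("@", 1)[1]
    if visiting and pfa:
        return RegMsg(mn_nai, pha_addr, pfa)
    return RegMsg(mn_nai, home_agent, fa_addr)   # plain RFC 2002 registration

def next_lower_agent(exts, my_addr):  # section 3.1 check -> (status, agent below)
    agents = [v for t, v in exts if t == HMA_TYPE]
    if not agents:
        return 0, None
    if my_addr not in agents:
        return REJECT_NOT_IN_TUNNEL_LIST, None
    i = agents.index(my_addr)
    return 0, (agents[i - 1] if i > 0 else None)

def fa_forward(req, fa_addr, pfa_addr):
    req.exts += [(HMA_TYPE, fa_addr), (HMA_TYPE, pfa_addr)]  # bottom-up list
    return req

def pfa_forward(req, pfa_addr, cache, key):
    code, below = next_lower_agent(req.exts, pfa_addr)
    if code:
        return RegMsg(req.mn_nai, req.home_agent, req.care_of, code=code)
    cache[req.mn_nai] = below                    # MN's current point of attachment
    req.exts = [e for e in req.exts if e[0] != HMA_TYPE]
    req.exts.append((FH_AUTH_TYPE, fh_tag(req, key)))
    return req

def pha_forward(req, pha_addr, key, ha_table):
    verify_and_strip_fh(req, key)
    req.exts.append((HMA_TYPE, pha_addr))        # HA reaches the MN through PHA
    return ha_table[req.mn_nai], req             # static table or AAA lookup [6]

def ha_reply(req, ha_addr):
    hma = [e for e in req.exts if e[0] == HMA_TYPE]
    return RegMsg(req.mn_nai, ha_addr, req.care_of, list(reversed(hma)))  # 3.1

def run_registration(mn_nai="mn@home.example", fa_nai="fa@visited.example",
                     fa="10.1.0.2", pfa="192.0.2.10", ha="10.2.0.5", pha="198.51.100.20"):
    key, cache = b"pfa-pha-shared-secret", {}   # constructed sample values
    adv = encode_addr_ext(PFA_IP_ADDR_TYPE, pfa)  # PFA IP Address ext in the RA
    req = fa_forward(mn_build_request(mn_nai, fa_nai, fa, adv, ha, pha), fa, pfa)
    req = pfa_forward(req, pfa, cache, key)
    ha_addr, req = pha_forward(req, pha, key, {mn_nai: ha})
    reply = ha_reply(req, ha_addr)
    reply.exts.append((FH_AUTH_TYPE, fh_tag(reply, key)))  # PHA on the way down
    verify_and_strip_fh(reply, key)              # PFA authenticates the reply
    return cache[reply.mn_nai], reply            # FA to hand the reply to, reply
```

   run_registration() returns the Foreign Agent that the PFA resolves
   from its cached point of attachment together with the authenticated
   Reply, whose single HMA extension carries the PHA address.  A
   Request whose tunnel-agent list omits the PFA's own address makes
   pfa_forward() answer with status code 70, and verify_and_strip_fh()
   raises on a Foreign-Home tag that does not match the shared key.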
7.0 Chairs' Addresses

   The working group can be contacted via the current chairs:

   Jim Solomon
   RedBack Networks
   1389 Moffett Park Drive
   Sunnyvale, CA 94089-1134
   USA

   Phone:  +1 408 548-3583
   Fax:    +1 408 548-3599
   E-mail: solomon@rback.com

   Erik Nordmark
   Sun Microsystems, Inc.
   901 San Antonio Road
   Mailstop UMPK17-202
   Mountain View, California 94303

   Phone:  +1 650 786-5166
   Fax:    +1 650 786-5896
   E-mail: erik.nordmark@eng.sun.com

8.0 Authors' Addresses

   Questions about this memo can be directed to:

   Pat R. Calhoun
   Network and Security Center
   Sun Microsystems Laboratories, Inc.
   15 Network Circle
   Menlo Park, California, 94025
   USA

   Phone:  1-650-786-7733
   Fax:    1-650-786-6445
   E-mail: pat.calhoun@eng.sun.com

   Gabriel E. Montenegro
   Network and Security Center
   Sun Microsystems Laboratories, Inc.
   15 Network Circle
   Menlo Park, California, 94025
   USA

   Phone:  1-650-786-6288
   Fax:    1-650-786-6445
   E-mail: gabriel.montenegro@Eng.Sun.Com

   Charles E. Perkins
   Network and Security Center
   Sun Microsystems Laboratories, Inc.
   15 Network Circle
   Menlo Park, California, 94025
   USA

   Phone:  1-650-786-6464
   Fax:    1-650-786-6445
   E-mail: charles.perkins@eng.sun.com