Network Working Group                                           K. Leung
Internet-Draft                                                G. Dommety
Expires: August 24, 2006                                   Cisco Systems
                                                            V. Narayanan
                                                          QUALCOMM, Inc.
                                                             A. Petrescu
                                                                Motorola
                                                       February 24, 2006


          IPv4 Network Mobility (NEMO) Basic Support Protocol
                      draft-ietf-nemo-v4-base-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 24, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes the support of Mobile Networks, as defined in
   Mobile IPv4, by the Mobile Router and Home Agent.  A Mobile Router is
   responsible for the mobility of one or more network segments or
   subnets moving together.  The Mobile Router hides its mobility from
   the nodes on the mobile network.  The nodes on the Mobile Network may
   be fixed in relationship to the Mobile Router and may not have any
   mobility function.  Extensions to Mobile IPv4 are introduced to
   support Mobile Networks.


Leung, et al.           Expires August 24, 2006                 [Page 1]

Internet-Draft                 Mobile Router               February 2006


Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Requirements
   4.  Mobile Network Extensions
     4.1.  Mobile Network Request Extension
     4.2.  Mobile Network Acknowledgement Extension
   5.  Mobile Router Operation
     5.1.  Error Processing
   6.  Home Agent Operation
     6.1.  Summary
     6.2.  Data Structures
       6.2.1.  Registration Table
       6.2.2.  Prefix Table
     6.3.  Mobile Network Prefix Registration
     6.4.  Advertising Mobile Network Reachability
     6.5.  Establishment of Bi-directional Tunnel
     6.6.  Sending Registration Replies
     6.7.  Mobile Network Prefix De-registration
   7.  Data Forwarding Operation
   8.  Nested Mobile Networks
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgements
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This document describes protocol extensions to Mobile IPv4
   ([RFC3344]) to enable support for Mobile Networks.  A Mobile Network
   is defined as a network segment or subnet that can change its point
   of attachment to the routing infrastructure.  Such movement is
   performed by a Mobile Router, which is the mobility entity that
   provides connectivity and reachability as well as session continuity
   for all the nodes in the Mobile Network.  The Mobile Router
   typically serves as the default gateway for the devices on the
   Mobile Network.

   Mobility for the Mobile Network is supported by the Mobile Router
   registering its point of attachment with its Home Agent.  This
   signaling sets up the tunnel between the two entities.  The Mobile
   Networks (either implicitly configured on the Home Agent or
   explicitly identified by the Mobile Router) are advertised by the
   Home Agent for route propagation.  Traffic to and from nodes in the
   Mobile Network is tunneled by the Home Agent to the Mobile Router,
   and vice versa.  Packets from the Mobile Network can be forwarded
   directly, without tunneling, when reverse tunneling is not enabled,
   but reachability is then still subject to ingress filtering on the
   path.

   This document specifies an additional tunnel between the Mobile
   Router's Home Address and the Home Agent.  This tunnel is
   encapsulated within the normal tunnel between the Care-of Address
   (CoA) and the Home Agent.  In Foreign Agent CoA mode, the tunnel
   between the Mobile Router and Home Agent is needed to allow the
   Foreign Agent to direct the decapsulated packet to the proper
   visiting Mobile Router.  In Collocated CoA mode, however, the
   additional tunnel is not essential and can be eliminated, because
   the Mobile Router itself is the recipient of the encapsulated
   packets for the Mobile Network.

   All traffic between the nodes in the Mobile Network and
   Correspondent Nodes passes through the Home Agent.  This document
   does not cover route optimization of this traffic.
   A similar protocol has been documented in [RFC3963] for supporting
   IPv6 moving networks with Mobile IPv6 extensions.

   Multihoming for Mobile Routers is outside the scope of this document.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Terminology for network mobility support is defined in [RFC3344].
   In addition, this document defines the following terms.

   Mobile Network Prefix

      The network prefix of the subnet delegated to a Mobile Router as
      the Mobile Network.

   Prefix Table

      A list of Mobile Network Prefixes indexed by the Home Address of a
      Mobile Router.  The Home Agent manages and uses the Prefix Table
      to determine which Mobile Network Prefixes belong to a particular
      Mobile Router.

3.  Requirements

   Although Mobile IPv4 states that a Mobile Network can be supported by
   the Mobile Router and Home Agent using static configuration or by
   running a routing protocol, there is no solution for explicit
   registration of the Mobile Networks served by the Mobile Router.
   The following requirements for Mobile Network support are
   enumerated:

   o  A Mobile Router should be able to operate in explicit or implicit
      mode.  A Mobile Router may explicitly inform the Home Agent which
      Mobile Network(s) need to be propagated via routing protocol.  A
      Mobile Router may also function in implicit mode, where the Home
      Agent may learn the mobile networks through other means, such as
      from the AAA server or via pre-configuration.

   o  The Mobile Network should be supported using Foreign Agents that
      are compliant with RFC 3344, without any changes to them.

   o  The mobile network should allow Fixed Nodes, Mobile Nodes, or
      Mobile Routers to be on it.
4.  Mobile Network Extensions

4.1.  Mobile Network Request Extension

   For Explicit Mode, the Mobile Router informs the Home Agent about the
   Mobile Network Prefixes during registration.  The Registration
   Request contains zero, one or several Mobile Network Request
   extensions in addition to any other extensions defined by or in the
   context of [RFC3344].  When several Mobile Networks need to be
   registered, each is included in a separate Mobile Network Request
   extension, with its own Type, Length, Sub-Type, Prefix Length and
   Prefix fields.

   A Mobile Network Request extension is encoded in Type-Length-Value
   (TLV) format and respects the following format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Sub-Type    | Prefix Length |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            Prefix                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      Mobile Network Extension (skippable type range, to be assigned by
      IANA)

   Length

      6

   Sub-Type

      1 (Mobile Network Request)

   Prefix Length

      8-bit unsigned integer indicating the number of bits covering the
      network part of the address contained in the Prefix field.

   Prefix

      32-bit unsigned integer in network byte order containing an IPv4
      address whose first Prefix Length bits make up the Mobile Network
      Prefix.

4.2.  Mobile Network Acknowledgement Extension

   The Registration Reply contains zero, one or several Mobile Network
   Acknowledgement extensions in addition to any other extensions
   defined by or in the context of [RFC3344].

   For Implicit Mode, the Mobile Network Acknowledgement informs the
   Mobile Router of the prefixes served by the Home Agent.
   Policies such as permitting only traffic from these Mobile Networks
   to be tunneled to the Home Agent may be applied by the Mobile Router.

   For Explicit Mode, when several Mobile Networks need to be
   acknowledged explicitly, each is included in a separate Mobile
   Network Acknowledgement extension, with its own Type, Sub-Type,
   Length and Prefix Length fields.  Optionally, all requested Mobile
   Networks could be acknowledged using only one Mobile Network
   Acknowledgement extension with the "Prefix Length" and "Prefix"
   fields set to zero.

   At least one Mobile Network Acknowledgement extension MUST be in a
   successful Registration Reply to indicate to the Mobile Router that
   the Mobile Network Request extension was processed, and thereby not
   skipped, by the Home Agent.  A Registration Reply may have either or
   both Implicit Mode Acknowledgement and Explicit Mode Acknowledgement
   extensions.

   When the registration is denied with code HA_MOBNET_ERROR, the Code
   field in the extension provides the reason for the failure.

   A Mobile Network Acknowledgement extension is encoded in
   Type-Length-Value (TLV) format and respects the following format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Sub-Type    |     Code      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Prefix Length |   Reserved    |            Prefix
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      Mobile Network Extension (skippable type range, to be assigned by
      IANA)

   Length

      8

   Sub-Type

      2 (Explicit Mode Acknowledgement)
      3 (Implicit Mode Acknowledgement)

   Code

      Value indicating success or failure.
         0  Success
         1  Invalid prefix (MOBNET_INVALID_PREFIX_LEN)
         2  MR is not authorized for prefix (MOBNET_UNAUTHORIZED)
         3  Forwarding setup failed (MOBNET_FWDING_SETUP_FAILED)

   Prefix Length

      8-bit unsigned integer indicating the number of bits covering the
      network part of the address contained in the Prefix field.

   Reserved

      Sent as zero; ignored on reception.

   Prefix

      32-bit unsigned integer in network byte order containing an IPv4
      address whose first Prefix Length bits make up the Mobile Network
      Prefix.

5.  Mobile Router Operation

   A Mobile Router's operation is generally derived from the behavior of
   a Mobile Node, as set out in [RFC3344].  In addition to maintaining
   mobility bindings for its Home Address, the Mobile Router, together
   with the Home Agent, maintains forwarding information for the Mobile
   Network Prefix(es) assigned to the Mobile Router.

   A Mobile Router SHOULD set the 'T' bit to 1 in all Registration
   Request messages it sends to indicate the need for reverse tunnels
   for all traffic.  Without reverse tunnels, all the traffic from the
   mobile network will be subject to ingress filtering in the visited
   networks.

   Upon reception of a successful registration reply, the Mobile Router
   processes the registration in accordance with RFC 3344.  In
   addition, the following steps are taken:

   o  Check for Mobile Network Acknowledgement extension(s) in the
      Registration Reply.

   o  Create a tunnel to the Home Agent if registered in reverse
      tunneling mode.

   o  Set up a default route via this tunnel or via the roaming
      interface when registered with or without reverse tunneling,
      respectively.

   In accordance with this specification, a Mobile Router may operate in
   one of the following two modes: explicit and implicit.
   In explicit mode, the Mobile Router includes Mobile Network Prefix
   information in all Registration Requests (as Mobile Network Request
   extensions), while in implicit mode it does not include this
   information in any Registration Request.  In the latter case, the
   Home Agent obtains the Mobile Network Prefixes by means other than
   Mobile IP.

   A Mobile Router can obtain a Collocated or Foreign Agent Care-of
   Address while operating in explicit or implicit mode.

   For de-registration, the Mobile Router sends a registration request
   with the lifetime set to zero and without any Mobile Network Request
   extensions.

5.1.  Error Processing

   A Mobile Router interprets the values of the Code field in the
   Mobile Network Acknowledgement Extension of the Registration Reply
   in order to identify any error related to the management of the
   Mobile Network Prefixes by the Home Agent.

   If the value of the Code field in the Registration Reply is set to
   HA_MOBNET_UNSUPPORTED or HA_MOBNET_DISALLOWED, then the Mobile Router
   MUST stop sending Registration Requests with any Mobile Network
   Prefix extensions to that Home Agent.

   If the value of the Code field in the Registration Reply is set to
   HA_MOBNET_ERROR, then the Mobile Router MUST stop sending
   Registration Requests that contain any of the Mobile Network
   Prefixes defined by the values of the Prefix and Prefix Length
   fields in the Mobile Network Acknowledgement extension.  Note that
   the registration is denied in this case and no forwarding for any
   Mobile Network Prefixes would be set up by the Home Agent for the
   Mobile Router.

   It is possible that the Mobile Router receives a registration reply
   with no mobile network extensions if the registration was processed
   by a Mobile IPv4 home agent that does not support this specification
   at all.
   In that case, the absence of mobile network extensions must be
   interpreted by the Mobile Router as an indication that the Home
   Agent does not support mobile networks.

   All the error code values are subject to IANA allocation.

6.  Home Agent Operation

6.1.  Summary

   A Home Agent MUST support all the operations specified in [RFC3344]
   for mobile node support.  The Home Agent MUST support both implicit
   and explicit modes of operation for a Mobile Router.

   The Home Agent processes the registration in accordance with RFC
   3344, which includes setting up the route to the Mobile Router's
   home address via the tunnel to the Care-of Address.  In addition,
   for a Mobile Router registering in explicit mode, the following
   steps are taken:

   1.  Check that the subnet information is valid.

   2.  Ensure that the subnet is authorized to be on the Mobile Router.

   3.  Create a tunnel to the Mobile Router if it does not already
       exist.

   4.  Set up routes for the subnets via this tunnel.

   5.  Propagate the subnet routes via the routing protocol.

   6.  Send the Registration Reply with the Mobile Network
       Acknowledgement extension(s).

   If there are any subnet routes via the tunnel to the Mobile Router
   that are not specified in the Mobile Network extensions, these routes
   are removed.

   In the case where the Mobile Node is not permitted to act as a Mobile
   Router, the Home Agent sends a registration denied message with error
   code HA_MOBNET_DISALLOWED.

   For a Mobile Router registering in implicit mode, the Home Agent
   performs steps 3-6 above once the registration request has been
   processed successfully.

   For de-registration, the Home Agent removes the tunnel to the Mobile
   Router and all routes using this tunnel.  The Mobile Network
   extensions are ignored.

6.2.  Data Structures

6.2.1.  Registration Table

   The registration table in the Home Agent, in accordance with
   [RFC3344], contains binding information for every mobile node
   registered with it.  In addition to all the parameters specified by
   [RFC3344], the home agent MUST store the mobile network prefixes
   associated with the Mobile Router in the corresponding registration
   entry when the corresponding registration was performed in explicit
   mode.  When the Home Agent is advertising reachability to mobile
   network prefixes served by a Mobile Router, the information stored
   in the registration table can be used.

6.2.2.  Prefix Table

   The Home Agent must be able to authorize a Mobile Router for the use
   of mobile network prefixes when the Mobile Router is operating in
   explicit mode.  Also, when the Mobile Router operates in implicit
   mode, the Home Agent must be able to locate the mobile network
   prefixes associated with that Mobile Router.  The Home Agent may
   store the home address of the Mobile Router along with the mobile
   network prefixes associated with that Mobile Router.  If the Mobile
   Router does not have a home address assigned, this table may store
   the NAI ([RFC2794]) of the Mobile Router that will be used in dynamic
   home address assignment.

6.3.  Mobile Network Prefix Registration

   The Home Agent must process registration requests coming from Mobile
   Routers in accordance with this section.

   [RFC3344] specifies that the home address of a mobile node
   registering with a Home Agent must belong to a prefix advertised on
   the home network.  In accordance with this specification, however,
   the home address must be configured from a prefix that is served by
   the Home Agent, not necessarily the one on the home network.

   If the registration request is valid, the Home Agent checks to see
   whether there are any Mobile Network Prefix extensions included in
   the registration request.  If so, the Mobile Network Prefix
   information is obtained from the included extensions.
   For every Mobile Network Prefix extension included in the
   registration request, the Home Agent MUST perform a check against
   the Prefix Table.  If the check fails, or if the Mobile Router is
   not authorized to use any of those prefixes, the Home Agent MUST
   reject the registration request with Mobile Network Acknowledgement
   Extension code MOBNET_UNAUTHORIZED.  On the other hand, if the check
   passes for every requested Mobile Network Prefix, the Home Agent
   MUST attempt to set up forwarding for all the Mobile Network
   Prefixes included in the registration request.  If forwarding set-up
   fails for any of the prefixes, the Home Agent MUST reject the
   registration request with Mobile Network Acknowledgement Extension
   code MOBNET_FWDING_SETUP_FAILED.  The Home Agent, in this case, MUST
   NOT forward traffic to any of these prefixes.  Note that only the
   Mobile Network Prefix(es) that failed the validation or set-up
   procedure are included in the denied Registration Reply with error
   code HA_MOBNET_ERROR.

   If the registration request is sent in implicit mode, i.e., without
   any Mobile Network Request extension, the Home Agent may use
   pre-configured mobile network prefix information for the Mobile
   Router to set up forwarding.

   If the Home Agent is updating an existing binding entry for the
   Mobile Router, it MUST check all the prefixes in the registration
   table against the prefixes included in the registration request.  If
   one or more mobile network prefixes are missing from the information
   included in the registration request, it MUST delete those prefixes
   from the registration table.  Also, the Home Agent MUST disable
   forwarding for those prefixes.
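   The following Python class is an added worked example of the Home
   Agent side of Section 6.3, with the Prefix Table and Registration
   Table of Section 6.2 and the de-registration rule of Section 6.7; it
   is not code from this draft or from any implementation.  It takes
   the already-parsed (Prefix Length, Prefix) pairs of a registration
   request and returns the Registration Reply code together with the
   acknowledgement extensions to send.  Assumptions, marked in the
   code: a Mobile Router with no Prefix Table entry is treated as not
   permitted to act as a Mobile Router; a requested prefix is
   authorized when it lies inside (or equals) a prefix listed for that
   router; tunnel and route installation is a pluggable hook so the
   MOBNET_FWDING_SETUP_FAILED path can be exercised; the code values
   are the provisional ones from the IANA section.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Set, Tuple

# Provisional values from the draft's IANA section ("to be assigned by IANA").
MOBNET_SUCCESS, MOBNET_INVALID_PREFIX_LEN = 0, 1
MOBNET_UNAUTHORIZED, MOBNET_FWDING_SETUP_FAILED = 2, 3
HA_MOBNET_ERROR, HA_MOBNET_DISALLOWED = 143, 145
SUBTYPE_EXPLICIT_ACK, SUBTYPE_IMPLICIT_ACK = 2, 3


@dataclass
class Ack:
    """Fields of one Mobile Network Acknowledgement extension (Section 4.2)."""
    subtype: int
    code: int
    prefix_len: int
    prefix: IPv4Address


@dataclass
class Reply:
    code: int          # Registration Reply Code field
    acks: List[Ack]


class HomeAgent:
    def __init__(self, prefix_table: Dict[IPv4Address, Set[IPv4Network]],
                 install_route: Callable[[IPv4Network], bool] = lambda net: True):
        # Section 6.2.2 Prefix Table: MR home address -> prefixes it may serve.
        self.prefix_table = prefix_table
        # Section 6.2.1 Registration Table data: prefixes bound per MR.
        self.registration_table: Dict[IPv4Address, Set[IPv4Network]] = {}
        # Prefixes currently routed through the MR tunnel.
        self.forwarding: Set[IPv4Network] = set()
        # Stand-in for tunnel/route installation; returns False on failure.
        self.install_route = install_route

    def process_registration(self, home_addr: IPv4Address, lifetime: int,
                             requested: List[Tuple[int, IPv4Address]]) -> Reply:
        """requested holds the (Prefix Length, Prefix) pairs of the Mobile
        Network Request extensions; an empty list means implicit mode."""
        if lifetime == 0:
            # Section 6.7: de-registration tears down tunnel and routes;
            # any Mobile Network Request extensions are ignored.
            for net in self.registration_table.pop(home_addr, set()):
                self.forwarding.discard(net)
            return Reply(0, [])
        if home_addr not in self.prefix_table:
            # Assumed policy: no Prefix Table entry means this node is not
            # permitted to act as a Mobile Router.
            return Reply(HA_MOBNET_DISALLOWED, [])
        allowed = self.prefix_table[home_addr]

        if not requested:
            # Implicit mode: prefixes come from the Prefix Table (steps 3-6).
            subtype, nets = SUBTYPE_IMPLICIT_ACK, sorted(allowed)
        else:
            subtype, nets, failed = SUBTYPE_EXPLICIT_ACK, [], []
            for plen, addr in requested:
                # Steps 1-2: validate the prefix length, then authorize.
                if plen == 0 or plen > 32:
                    failed.append(Ack(subtype, MOBNET_INVALID_PREFIX_LEN, plen, addr))
                    continue
                net = IPv4Network((addr, plen), strict=False)
                # Assumed: authorized if covered by a prefix listed for this MR.
                if not any(net.subnet_of(a) for a in allowed):
                    failed.append(Ack(subtype, MOBNET_UNAUTHORIZED, plen, addr))
                    continue
                nets.append(net)
            if failed:
                # Denied: only the prefixes that failed are echoed back.
                return Reply(HA_MOBNET_ERROR, failed)

        # Steps 3-4: forwarding set-up for every prefix, all or nothing.
        failed = [Ack(subtype, MOBNET_FWDING_SETUP_FAILED, n.prefixlen, n.network_address)
                  for n in nets if not self.install_route(n)]
        if failed:
            for n in nets:
                self.forwarding.discard(n)   # MUST NOT forward to any of them
            return Reply(HA_MOBNET_ERROR, failed)

        # Binding update: prefixes absent from this request lose their routes.
        for n in self.registration_table.get(home_addr, set()) - set(nets):
            self.forwarding.discard(n)
        self.registration_table[home_addr] = set(nets)
        self.forwarding.update(nets)
        # Steps 5-6: route propagation is outside this model; send the reply.
        return Reply(0, [Ack(subtype, MOBNET_SUCCESS, n.prefixlen, n.network_address)
                         for n in nets])


if __name__ == "__main__":
    # Constructed sample: one MR authorized for two prefixes.
    home = IPv4Address("192.0.2.10")
    ha = HomeAgent({home: {IPv4Network("10.1.0.0/16"), IPv4Network("10.2.0.0/24")}})
    print(ha.process_registration(home, 600, [(16, IPv4Address("10.1.0.0"))]))
    print(ha.process_registration(home, 600, [(8, IPv4Address("10.0.0.0"))]))
```

   The check against the Prefix Table runs before any forwarding state
   is touched, so a denied request leaves the existing binding and its
   routes unchanged, and a failed route installation removes the routes
   for every prefix in the request, not only the one that failed.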
   If all checks are successful, the Home Agent either creates new
   entry(ies) for the Mobile Router or updates the existing binding
   entry(ies) for it, and returns a successful registration reply to
   the Mobile Router or to the Foreign Agent (if the registration
   request was received from a Foreign Agent).

   In accordance with [RFC3344], the Home Agent performs proxy ARP for
   the Mobile Router home address when the Mobile Router home address
   is derived from the home network.

   If the 'T' bit is set, the Home Agent creates a bi-directional
   tunnel for the corresponding mobile network prefixes or updates the
   existing bi-directional tunnel.  This tunnel is maintained
   independently of the reverse tunnel for the Mobile Router home
   address itself.

6.4.  Advertising Mobile Network Reachability

   If the mobile network prefixes served by the Home Agent are
   aggregated with the home network prefix, and if the Home Agent is
   the default router on the home network, the Home Agent does not have
   to do anything different from normal.  The routes for the mobile
   network prefix are automatically aggregated into the home network
   prefix.

   If the Mobile Router updates the mobile network prefix routes via a
   dynamic routing protocol, the Home Agent SHOULD propagate the routes
   on the appropriate networks.

6.5.  Establishment of Bi-directional Tunnel

   The Home Agent creates and maintains a bi-directional tunnel for the
   mobile network prefixes of a Mobile Router registered with it.  A
   home agent supporting IPv4 Mobile Router operation MUST be able to
   forward packets destined to the mobile network prefixes served by
   the mobile router to its care-of address.  Also, the Home Agent MUST
   be
   able to accept packets tunneled by the Mobile Router with the source
   address of the outer header set to the care-of address of the mobile
   router and that of the inner header set to the Mobile Router's home
   address or to an address from one of the registered mobile network
   prefixes.

6.6.  Sending Registration Replies

   The Home Agent MUST set the status code in the registration reply to
   0 to indicate successful processing of the registration request and
   successful set-up of forwarding for all the mobile network prefixes
   served by the Mobile Router.  The registration reply MUST contain at
   least one Mobile Network Acknowledgement extension.

   If the Home Agent does not support Mobile Routers, it SHOULD set the
   status code in the registration reply to HA_MOBNET_UNSUPPORTED.

   If the Home Agent is unable to set up forwarding for one or more
   mobile network prefixes served by the Mobile Router, it MUST set the
   Mobile Network Acknowledgement Extension status code in the
   registration reply to MOBNET_FWDING_SETUP_FAILED.

   When the prefix length is zero or greater than 32, the status code
   MUST be set to MOBNET_INVALID_PREFIX_LEN.

   If the Mobile Router is not authorized to forward packets to one or
   more of the mobile network prefixes included in the request, the
   Home Agent MUST set the code to MOBNET_UNAUTHORIZED_MR.

6.7.  Mobile Network Prefix De-registration

   If the received registration request is for de-registration of the
   care-of address, the Home Agent, upon successful processing of it,
   MUST delete the entry(ies) from its registration table.  The home
   agent tears down the bi-directional tunnel and stops forwarding any
   packets to or from the Mobile Router.  The Home Agent MUST ignore
   any Mobile Network Request extension included in a de-registration
   request.

7.  Data Forwarding Operation

   For traffic to the nodes in the Mobile Network, the Home Agent MUST
   perform double tunneling of the packet if the Mobile Router has
   registered with a Foreign Agent care-of address.  In this case, the
   Home Agent MUST encapsulate the packet with a tunnel header (source
   IP address set to the Home Agent and destination IP address set to
   the Mobile Router's home address) and then encapsulate it one more
   time with a tunnel header (source IP address set to the Home Agent
   and destination IP address set to the CoA).  For optimization, in
   Collocated CoA mode the Home Agent SHOULD encapsulate the packet
   only with the tunnel header (source IP address set to the Home Agent
   and destination IP address set to the CoA).

   When a Home Agent receives a packet from the mobile network prefix
   in the bi-directional tunnel, it MUST decapsulate the packet and
   route it as a normal IP packet.  It MUST verify that the incoming
   packet has its source IP address set to the care-of address of the
   Mobile Router.  The packet MUST be dropped if the source address is
   not set to the care-of address of the Mobile Router.

   For traffic from the nodes in the Mobile Network, the Mobile Router
   encapsulates the packet with a tunnel header (source IP address set
   to the Mobile Router's home address and destination IP address set
   to the Home Agent) if reverse tunneling is enabled.  Otherwise, the
   packet is routed directly to the Foreign Agent or access router.  In
   Collocated CoA mode, the Mobile Router MAY encapsulate one more time
   with a tunnel header (source IP address set to the CoA and
   destination IP address set to the Home Agent).  For optimization,
   the Mobile Router SHOULD encapsulate the packet only with the tunnel
   header (source IP address set to the CoA and destination IP address
   set to the Home Agent).

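   The following Python model is an added worked example of the
   forwarding rules in this section together with the acceptance and
   ingress-filtering checks that Sections 6.5 and 9 place on the
   bi-directional tunnel; it is not code from this draft or from any
   implementation.  IPv4 packets are modelled as a small dataclass and
   IP-in-IP encapsulation as nesting.  It shows the double tunnel used
   with a Foreign Agent CoA beside the single tunnel used with a
   Collocated CoA, the Home Agent dropping reverse-tunneled packets
   whose outer source is not the registered CoA or whose inner source
   is not the home address or inside a registered prefix, and the
   Mobile Router refusing packets from the mobile network that carry a
   foreign source or one of its own interface addresses.  The Foreign
   Agent adding the CoA-to-Home-Agent header on the reverse path is an
   assumption about RFC 3344 behaviour, and every address and prefix in
   the sample is constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Set, Union


@dataclass
class Pkt:
    """Minimal IPv4 packet model; IP-in-IP encapsulation nests a Pkt as payload."""
    src: IPv4Address
    dst: IPv4Address
    payload: Union["Pkt", bytes]


@dataclass
class Binding:
    """What the Home Agent holds for one registered Mobile Router."""
    home_addr: IPv4Address
    coa: IPv4Address
    collocated: bool              # True: Collocated CoA, False: Foreign Agent CoA
    prefixes: List[IPv4Network]   # registered Mobile Network Prefixes


def ha_forward_to_mobnet(ha: IPv4Address, b: Binding, pkt: Pkt) -> Optional[Pkt]:
    """Section 7, Home Agent -> mobile network direction."""
    if not any(pkt.dst in n for n in b.prefixes):
        return None                         # not destined to this Mobile Network
    if b.collocated:
        return Pkt(ha, b.coa, pkt)          # single tunnel HA -> CoA
    inner = Pkt(ha, b.home_addr, pkt)       # HA -> MR home address
    return Pkt(ha, b.coa, inner)            # HA -> FA CoA; the FA strips this one


def ha_receive_reverse(ha: IPv4Address, b: Binding, pkt: Pkt) -> Optional[Pkt]:
    """Sections 6.5, 7 and 9, Home Agent side of the reverse tunnel.  Accept
    only if the outer source is the MR's CoA and the innermost source is the
    MR home address or topologically inside a registered prefix; else drop."""
    if pkt.dst != ha or pkt.src != b.coa or not isinstance(pkt.payload, Pkt):
        return None
    inner = pkt.payload
    # Optional second header (MR home address -> HA) inside the CoA tunnel
    if inner.src == b.home_addr and inner.dst == ha and isinstance(inner.payload, Pkt):
        inner = inner.payload
    if inner.src == b.home_addr or any(inner.src in n for n in b.prefixes):
        return inner
    return None


def mr_ingress_ok(mr_ifaces: Set[IPv4Address], prefixes: List[IPv4Network], pkt: Pkt) -> bool:
    """Section 9 ingress filter on packets arriving from the mobile network."""
    if pkt.src in mr_ifaces:
        return False                        # claims one of the router's own addresses
    return any(pkt.src in n for n in prefixes)


def mr_reverse_tunnel(ha: IPv4Address, b: Binding, mr_ifaces: Set[IPv4Address],
                      pkt: Pkt) -> Optional[Pkt]:
    """Section 7, mobile network -> Home Agent direction with reverse tunneling."""
    if not mr_ingress_ok(mr_ifaces, b.prefixes, pkt):
        return None
    if b.collocated:
        return Pkt(b.coa, ha, pkt)          # SHOULD use only the CoA -> HA header
    return Pkt(b.home_addr, ha, pkt)        # the FA adds the CoA -> HA header


def fa_reverse_tunnel(coa: IPv4Address, ha: IPv4Address, pkt: Pkt) -> Pkt:
    """Foreign Agent reverse tunnel (assumed RFC 3344 behaviour, unchanged here)."""
    return Pkt(coa, ha, pkt)


if __name__ == "__main__":
    # Constructed sample topology (documentation address ranges).
    HA, HOME, COA = IPv4Address("198.51.100.1"), IPv4Address("192.0.2.10"), IPv4Address("203.0.113.5")
    b = Binding(HOME, COA, False, [IPv4Network("10.1.0.0/16")])
    node_pkt = Pkt(IPv4Address("10.1.2.3"), IPv4Address("198.51.100.77"), b"hello")
    wire = fa_reverse_tunnel(COA, HA, mr_reverse_tunnel(HA, b, {HOME, IPv4Address("10.1.0.1")}, node_pkt))
    print(ha_receive_reverse(HA, b, wire) == node_pkt)
    print(ha_forward_to_mobnet(HA, b, Pkt(IPv4Address("198.51.100.77"), IPv4Address("10.1.2.3"), b"reply")))
```

   The same Home Agent function handles both care-of modes: it always
   insists on the registered CoA as outer source, and only strips the
   optional home-address header when it is present, so a Collocated CoA
   router that uses a single header and a Foreign Agent path that
   carries two are both accepted while a spoofed outer source is not.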
8.  Nested Mobile Networks

   Nested Network Mobility is a scenario where a Mobile Router allows
   another Mobile Router to attach to its Mobile Network.  There could
   be arbitrary levels of nested mobility.  The operation of each
   Mobile Router remains the same whether the Mobile Router attaches to
   another Mobile Router or to a fixed Access Router on the Internet.

   The solution described here does not place any restriction on the
   number of levels for nested mobility.  Note, however, that this
   might introduce significant overhead on the data packets, as each
   level of nesting introduces another tunnel header encapsulation.

9.  Security Considerations

   The Mobile Network extension is protected by the same rules as other
   Mobile IP extensions in registration messages.  See the Security
   Considerations section in RFC 3344.

   The Home Agent MUST be able to verify that the Mobile Router is
   authorized to provide mobility service for the Mobile Networks in
   the registration request before anchoring these subnets on behalf of
   the Mobile Router.  Forwarding for prefixes MUST NOT be set up
   without successful authorization of the Mobile Router for those
   prefixes.  A registration failure MUST be notified to the mobile
   router when it cannot be successfully authorized for the prefixes it
   requested.

   All registration requests and replies MUST be authenticated by the
   MN-HA Authentication Extension as specified in [RFC3344].  When the
   registration request is sent in explicit mode, i.e., with one or
   more Mobile Network Prefix extensions, all the Mobile Network Prefix
   extensions MUST be included before the MN-HA Authentication
   extension.  Also, these extensions MUST be included in the
   calculation of the MN-HA authenticator value.

   The Mobile Router should perform ingress filtering on all the
   packets received on the mobile network prior to reverse tunneling
   them to the Home Agent.
   The Mobile Router MUST drop any packets that do not have a source
   address belonging to the mobile network.  The Mobile Router MUST
   also ensure that the source address of packets arriving on the
   mobile network is not the same as the Mobile Router's IP address on
   any interface.  These checks will protect against nodes attempting
   to launch IP spoofing attacks through the bi-directional tunnel.

   The Home Agent, upon receiving packets through the bi-directional
   tunnel, MUST verify that the source address of the outer IP header
   of the packets is set to the Mobile Router's care-of address.  Also,
   it MUST ensure that the source address of the inner IP header is a
   topologically correct address on the mobile network.  This will
   prevent nodes from using the Home Agent to launch attacks inside the
   protected network.

   If a dynamic routing protocol is used between the Mobile Router and
   the Home Agent to propagate the mobile network information into the
   home network, the routing updates SHOULD be protected with IPsec ESP
   confidentiality between the Mobile Router and Home Agent, to prevent
   information about the home network topology from being visible to
   eavesdroppers.

10.  IANA Considerations

   IANA is requested to modify the rules for the existing registry
   "Mobile IPv4 numbers - per RFC 3344".  The numbering space for
   Extensions that may appear in Mobile IP control messages (those sent
   to and from UDP port number 434) should be modified.
   The new Values and Names for the Type for Extensions appearing in
   Mobile IP control messages are the following:

      Value   Name
      -----   ------------------------------------------
      45      Mobile Network Extension (to be assigned by IANA)

   The new Values and Names for the Sub-Type for the Mobile Network
   Extension are the following:

      Value   Name
      -----   ------------------------------------------
      1       Mobile Network Request Extension
      2       Explicit Mode Acknowledgement Extension
      3       Implicit Mode Acknowledgement Extension

   The new Code values for Mobile IP Registration Reply messages are the
   following:

      Code Values for Mobile IP Registration Reply messages
      -----------------------------------------------------
      Registration denied by the Home Agent: (to be assigned by IANA)

      143     Mobile Network Prefix operation error (HA_MOBNET_ERROR)
      144     MR is not supported on HA (HA_MOBNET_UNSUPPORTED)
      145     MR operation is not permitted (HA_MOBNET_DISALLOWED)

   The new Code values for the Mobile Network Acknowledgement Extension
   are the following:

      Code Values for Mobile Network Acknowledgement Extension
      --------------------------------------------------------
      Registration denied by the Home Agent:

      1       Invalid prefix length (MOBNET_INVALID_PREFIX_LEN)
      2       MR is not authorized for prefix (MOBNET_UNAUTHORIZED)
      3       Forwarding setup failed (MOBNET_FWDING_SETUP_FAILED)

   The current (non-modified) numbering spaces can be consulted at the
   following URL: http://www.iana.org/assignments/mobileip-numbers

11.  Acknowledgements

   The authors would like to thank Christophe Janneteau, George
   Popovich, Ty Bekiares, Ganesh Srinivasan and Alpesh Patel for their
   helpful discussions, reviews and comments.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2794]  Calhoun, P. and C. Perkins, "Mobile IP Network Access
              Identifier Extension for IPv4", RFC 2794, March 2000.

   [RFC3344]  Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
              August 2002.

12.2.  Informative References

   [RFC3963]  Devarapalli, V., Wakikawa, R., Petrescu, A., and
              P. Thubert, "Network Mobility (NEMO) Basic Support
              Protocol", RFC 3963, January 2005.

Authors' Addresses

   Kent Leung
   Cisco Systems
   170 W. Tasman Drive
   San Jose, CA  95134
   US

   Phone: +1 408-526-5030
   Email: kleung@cisco.com


   Gopal Dommety
   Cisco Systems
   170 W. Tasman Drive
   San Jose, CA  95134
   US

   Phone: +1 408-525-1404
   Email: gdommety@cisco.com


   Vidya Narayanan
   QUALCOMM, Inc.
   5775 Morehouse Dr
   San Diego, CA
   USA

   Phone: +1 858-845-2483
   Email: vidyan@qualcomm.com


   Alexandru Petrescu
   Motorola
   Parc les Algorithmes
   Saint Aubin
   Gif-sur-Yvette  91193
   France

   Email: Alexandru.Petrescu@motorola.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.
   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.