idnits 2.17.1 draft-ietf-mext-rfc3775bis-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 17. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 7614. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 7625. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 7632. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 7638. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC3775, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 14, 2008) is 5759 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2401 (ref. '2') (Obsoleted by RFC 4301) ** Obsolete normative reference: RFC 2402 (ref. '3') (Obsoleted by RFC 4302, RFC 4305) ** Obsolete normative reference: RFC 2406 (ref. '4') (Obsoleted by RFC 4303, RFC 4305) ** Obsolete normative reference: RFC 2407 (ref. '5') (Obsoleted by RFC 4306) ** Obsolete normative reference: RFC 2408 (ref. '6') (Obsoleted by RFC 4306) ** Obsolete normative reference: RFC 2409 (ref. '7') (Obsoleted by RFC 4306) ** Obsolete normative reference: RFC 2460 (ref. '8') (Obsoleted by RFC 8200) ** Downref: Normative reference to an Informational RFC: RFC 3232 (ref. '12') -- Possible downref: Non-RFC (?) normative reference: ref. '13' ** Obsolete normative reference: RFC 4941 (ref. '20') (Obsoleted by RFC 8981) ** Obsolete normative reference: RFC 5226 (ref. '21') (Obsoleted by RFC 8126) -- Obsolete informational reference (is this intentional?): RFC 3315 (ref. '27') (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 3344 (ref. '28') (Obsoleted by RFC 5944) -- Obsolete informational reference (is this intentional?): RFC 3484 (ref. '29') (Obsoleted by RFC 6724) -- Obsolete informational reference (is this intentional?): RFC 3627 (ref. '32') (Obsoleted by RFC 6547) == Outdated reference: A later version (-03) exists of draft-savola-ipv6-rh-ha-security-02 -- Obsolete informational reference (is this intentional?): RFC 4306 (ref. '37') (Obsoleted by RFC 5996) Summary: 11 errors (**), 0 flaws (~~), 4 warnings (==), 14 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 IETF Mobile IP Working Group D. Johnson 2 Internet-Draft Rice University 3 Obsoletes: 3775 (if approved) C. Perkins (Ed.) 4 Expires: January 15, 2009 WiChorus Inc. 5 J. Arkko 6 Ericsson 7 July 14, 2008 9 Mobility Support in IPv6 10 draft-ietf-mext-rfc3775bis-01.txt 12 Status of this Memo 14 By submitting this Internet-Draft, each author represents that any 15 applicable patent or other IPR claims of which he or she is aware 16 have been or will be disclosed, and any of which he or she becomes 17 aware will be disclosed, in accordance with Section 6 of BCP 79. 19 Internet-Drafts are working documents of the Internet Engineering 20 Task Force (IETF), its areas, and its working groups. Note that 21 other groups may also distribute working documents as Internet- 22 Drafts. 24 Internet-Drafts are draft documents valid for a maximum of six months 25 and may be updated, replaced, or obsoleted by other documents at any 26 time. It is inappropriate to use Internet-Drafts as reference 27 material or to cite them other than as "work in progress." 29 The list of current Internet-Drafts can be accessed at 30 http://www.ietf.org/ietf/1id-abstracts.txt. 32 The list of Internet-Draft Shadow Directories can be accessed at 33 http://www.ietf.org/shadow.html. 35 This Internet-Draft will expire on January 15, 2009. 37 Abstract 39 This document specifies a protocol which allows nodes to remain 40 reachable while moving around in the IPv6 Internet. Each mobile node 41 is always identified by its home address, regardless of its current 42 point of attachment to the Internet. While situated away from its 43 home, a mobile node is also associated with a care-of address, which 44 provides information about the mobile node's current location. IPv6 45 packets addressed to a mobile node's home address are transparently 46 routed to its care-of address. The protocol enables IPv6 nodes to 47 cache the binding of a mobile node's home address with its care-of 48 address, and to then send any packets destined for the mobile node 49 directly to it at this care-of address. To support this operation, 50 Mobile IPv6 defines a new IPv6 protocol and a new destination option. 51 All IPv6 nodes, whether mobile or stationary, can communicate with 52 mobile nodes. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7 57 2. Comparison with Mobile IP for IPv4 . . . . . . . . . . . . . 9 58 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 10 59 3.1. General Terms . . . . . . . . . . . . . . . . . . . . . . 10 60 3.2. Mobile IPv6 Terms . . . . . . . . . . . . . . . . . . . . 12 61 4. Overview of Mobile IPv6 . . . . . . . . . . . . . . . . . . . 16 62 4.1. Basic Operation . . . . . . . . . . . . . . . . . . . . . 16 63 4.2. New IPv6 Protocol . . . . . . . . . . . . . . . . . . . . 18 64 4.3. New IPv6 Destination Option . . . . . . . . . . . . . . . 19 65 4.4. New IPv6 ICMP Messages . . . . . . . . . . . . . . . . . 19 66 4.5. Conceptual Data Structure Terminology . . . . . . . . . . 19 67 4.6. Unique-Local Addressability . . . . . . . . . . . . . . . 20 68 5. Overview of Mobile IPv6 Security . . . . . . . . . . . . . . 21 69 5.1. Binding Updates to Home Agents . . . . . . . . . . . . . 21 70 5.2. Binding Updates to Correspondent Nodes . . . . . . . . . 22 71 5.2.1. Node Keys . . . . . . . . . . . . . . . . . . . . . . 23 72 5.2.2. Nonces . . . . . . . . . . . . . . . . . . . . . . . 23 73 5.2.3. Cookies and Tokens . . . . . . . . . . . . . . . . . 24 74 5.2.4. Cryptographic Functions . . . . . . . . . . . . . . . 24 75 5.2.5. Return Routability Procedure . . . . . . . . . . . . 25 76 5.2.6. Authorizing Binding Management Messages . . . . . . . 29 77 5.2.7. Updating Node Keys and Nonces . . . . . . . . . . . . 31 78 5.2.8. Preventing Replay Attacks . . . . . . . . . . . . . . 32 79 5.3. Dynamic Home Agent Address Discovery . . . . . . . . . . 32 80 5.4. Mobile Prefix Discovery . . . . . . . . . . . . . . . . . 32 81 5.5. Payload Packets . . . . . . . . . . . . . . . . . . . . . 33 82 6. New IPv6 Protocol, Message Types, and Destination Option . . 34 83 6.1. Mobility Header . . . . . . . . . . . . . . . . . . . . . 34 84 6.1.1. Format . . . . . . . . . . . . . . . . . . . . . . . 34 85 6.1.2. Binding Refresh Request Message . . . . . . . . . . . 36 86 6.1.3. Home Test Init Message . . . . . . . . . . . . . . . 37 87 6.1.4. Care-of Test Init Message . . . . . . . . . . . . . . 38 88 6.1.5. Home Test Message . . . . . . . . . . . . . . . . . . 39 89 6.1.6. Care-of Test Message . . . . . . . . . . . . . . . . 40 90 6.1.7. Binding Update Message . . . . . . . . . . . . . . . 42 91 6.1.8. Binding Acknowledgement Message . . . . . . . . . . . 44 92 6.1.9. Binding Error Message . . . . . . . . . . . . . . . . 47 93 6.2. Mobility Options . . . . . . . . . . . . . . . . . . . . 48 94 6.2.1. Format . . . . . . . . . . . . . . . . . . . . . . . 49 95 6.2.2. Pad1 . . . . . . . . . . . . . . . . . . . . . . . . 49 96 6.2.3. PadN . . . . . . . . . . . . . . . . . . . . . . . . 50 97 6.2.4. Binding Refresh Advice . . . . . . . . . . . . . . . 50 98 6.2.5. Alternate Care-of Address . . . . . . . . . . . . . . 51 99 6.2.6. Nonce Indices . . . . . . . . . . . . . . . . . . . . 51 100 6.2.7. Binding Authorization Data . . . . . . . . . . . . . 52 101 6.3. Home Address Option . . . . . . . . . . . . . . . . . . . 53 102 6.4. Type 2 Routing Header . . . . . . . . . . . . . . . . . . 55 103 6.4.1. Format . . . . . . . . . . . . . . . . . . . . . . . 56 104 6.5. ICMP Home Agent Address Discovery Request Message . . . . 57 105 6.6. ICMP Home Agent Address Discovery Reply Message . . . . . 58 106 6.7. ICMP Mobile Prefix Solicitation Message Format . . . . . 59 107 6.8. ICMP Mobile Prefix Advertisement Message Format . . . . . 61 108 7. Modifications to IPv6 Neighbor Discovery . . . . . . . . . . 64 109 7.1. Modified Router Advertisement Message Format . . . . . . 64 110 7.2. Modified Prefix Information Option Format . . . . . . . . 64 111 7.3. New Advertisement Interval Option Format . . . . . . . . 66 112 7.4. New Home Agent Information Option Format . . . . . . . . 67 113 7.5. Changes to Sending Router Advertisements . . . . . . . . 69 114 8. Requirements for Types of IPv6 Nodes . . . . . . . . . . . . 71 115 8.1. All IPv6 Nodes . . . . . . . . . . . . . . . . . . . . . 71 116 8.2. IPv6 Nodes with Support for Route Optimization . . . . . 71 117 8.3. All IPv6 Routers . . . . . . . . . . . . . . . . . . . . 73 118 8.4. IPv6 Home Agents . . . . . . . . . . . . . . . . . . . . 73 119 8.5. IPv6 Mobile Nodes . . . . . . . . . . . . . . . . . . . . 75 120 9. Correspondent Node Operation . . . . . . . . . . . . . . . . 77 121 9.1. Conceptual Data Structures . . . . . . . . . . . . . . . 77 122 9.2. Processing Mobility Headers . . . . . . . . . . . . . . . 78 123 9.3. Packet Processing . . . . . . . . . . . . . . . . . . . . 78 124 9.3.1. Receiving Packets with Home Address Option . . . . . 78 125 9.3.2. Sending Packets to a Mobile Node . . . . . . . . . . 79 126 9.3.3. Sending Binding Error Messages . . . . . . . . . . . 81 127 9.3.4. Receiving ICMP Error Messages . . . . . . . . . . . . 81 128 9.4. Return Routability Procedure . . . . . . . . . . . . . . 82 129 9.4.1. Receiving Home Test Init Messages . . . . . . . . . . 82 130 9.4.2. Receiving Care-of Test Init Messages . . . . . . . . 82 131 9.4.3. Sending Home Test Messages . . . . . . . . . . . . . 83 132 9.4.4. Sending Care-of Test Messages . . . . . . . . . . . . 83 133 9.5. Processing Bindings . . . . . . . . . . . . . . . . . . . 83 134 9.5.1. Receiving Binding Updates . . . . . . . . . . . . . . 83 135 9.5.2. Requests to Cache a Binding . . . . . . . . . . . . . 86 136 9.5.3. Requests to Delete a Binding . . . . . . . . . . . . 86 137 9.5.4. Sending Binding Acknowledgements . . . . . . . . . . 87 138 9.5.5. Sending Binding Refresh Requests . . . . . . . . . . 88 139 9.6. Cache Replacement Policy . . . . . . . . . . . . . . . . 88 140 10. Home Agent Operation . . . . . . . . . . . . . . . . . . . . 90 141 10.1. Conceptual Data Structures . . . . . . . . . . . . . . . 90 142 10.2. Processing Mobility Headers . . . . . . . . . . . . . . . 91 143 10.3. Processing Bindings . . . . . . . . . . . . . . . . . . . 91 144 10.3.1. Primary Care-of Address Registration . . . . . . . . 91 145 10.3.2. Primary Care-of Address De-Registration . . . . . . . 95 146 10.4. Packet Processing . . . . . . . . . . . . . . . . . . . . 96 147 10.4.1. Intercepting Packets for a Mobile Node . . . . . . . 96 148 10.4.2. Processing Intercepted Packets . . . . . . . . . . . 98 149 10.4.3. Multicast Membership Control . . . . . . . . . . . . 99 150 10.4.4. Stateful Address Autoconfiguration . . . . . . . . . 100 151 10.4.5. Handling Reverse Tunneled Packets . . . . . . . . . . 101 152 10.4.6. Protecting Return Routability Packets . . . . . . . . 101 153 10.5. Dynamic Home Agent Address Discovery . . . . . . . . . . 102 154 10.5.1. Receiving Router Advertisement Messages . . . . . . . 102 155 10.6. Sending Prefix Information to the Mobile Node . . . . . . 104 156 10.6.1. List of Home Network Prefixes . . . . . . . . . . . . 104 157 10.6.2. Scheduling Prefix Deliveries . . . . . . . . . . . . 105 158 10.6.3. Sending Advertisements . . . . . . . . . . . . . . . 107 159 10.6.4. Lifetimes for Changed Prefixes . . . . . . . . . . . 108 160 11. Mobile Node Operation . . . . . . . . . . . . . . . . . . . . 109 161 11.1. Conceptual Data Structures . . . . . . . . . . . . . . . 109 162 11.2. Processing Mobility Headers . . . . . . . . . . . . . . . 110 163 11.3. Packet Processing . . . . . . . . . . . . . . . . . . . . 111 164 11.3.1. Sending Packets While Away from Home . . . . . . . . 111 165 11.3.2. Interaction with Outbound IPsec Processing . . . . . 114 166 11.3.3. Receiving Packets While Away from Home . . . . . . . 116 167 11.3.4. Routing Multicast Packets . . . . . . . . . . . . . . 117 168 11.3.5. Receiving ICMP Error Messages . . . . . . . . . . . . 119 169 11.3.6. Receiving Binding Error Messages . . . . . . . . . . 119 170 11.4. Home Agent and Prefix Management . . . . . . . . . . . . 120 171 11.4.1. Dynamic Home Agent Address Discovery . . . . . . . . 120 172 11.4.2. Sending Mobile Prefix Solicitations . . . . . . . . . 121 173 11.4.3. Receiving Mobile Prefix Advertisements . . . . . . . 122 174 11.5. Movement . . . . . . . . . . . . . . . . . . . . . . . . 123 175 11.5.1. Movement Detection . . . . . . . . . . . . . . . . . 123 176 11.5.2. Forming New Care-of Addresses . . . . . . . . . . . . 125 177 11.5.3. Using Multiple Care-of Addresses . . . . . . . . . . 126 178 11.5.4. Returning Home . . . . . . . . . . . . . . . . . . . 127 179 11.6. Return Routability Procedure . . . . . . . . . . . . . . 129 180 11.6.1. Sending Test Init Messages . . . . . . . . . . . . . 129 181 11.6.2. Receiving Test Messages . . . . . . . . . . . . . . . 130 182 11.6.3. Protecting Return Routability Packets . . . . . . . . 131 183 11.7. Processing Bindings . . . . . . . . . . . . . . . . . . . 131 184 11.7.1. Sending Binding Updates to the Home Agent . . . . . . 132 185 11.7.2. Correspondent Registration . . . . . . . . . . . . . 134 186 11.7.3. Receiving Binding Acknowledgements . . . . . . . . . 137 187 11.7.4. Receiving Binding Refresh Requests . . . . . . . . . 139 188 11.8. Retransmissions and Rate Limiting . . . . . . . . . . . . 140 189 12. Protocol Constants . . . . . . . . . . . . . . . . . . . . . 142 190 13. Protocol Configuration Variables . . . . . . . . . . . . . . 143 191 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 144 192 15. Security Considerations . . . . . . . . . . . . . . . . . . . 147 193 15.1. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 147 194 15.2. Features . . . . . . . . . . . . . . . . . . . . . . . . 149 195 15.3. Binding Updates to Home Agent . . . . . . . . . . . . . . 150 196 15.4. Binding Updates to Correspondent Nodes . . . . . . . . . 153 197 15.4.1. Overview . . . . . . . . . . . . . . . . . . . . . . 153 198 15.4.2. Achieved Security Properties . . . . . . . . . . . . 154 199 15.4.3. Comparison to Regular IPv6 Communications . . . . . . 155 200 15.4.4. Replay Attacks . . . . . . . . . . . . . . . . . . . 157 201 15.4.5. Denial-of-Service Attacks . . . . . . . . . . . . . . 157 202 15.4.6. Key Lengths . . . . . . . . . . . . . . . . . . . . . 158 203 15.5. Dynamic Home Agent Address Discovery . . . . . . . . . . 159 204 15.6. Mobile Prefix Discovery . . . . . . . . . . . . . . . . . 159 205 15.7. Tunneling via the Home Agent . . . . . . . . . . . . . . 160 206 15.8. Home Address Option . . . . . . . . . . . . . . . . . . . 160 207 15.9. Type 2 Routing Header . . . . . . . . . . . . . . . . . . 161 208 16. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 163 209 17. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 164 210 18. References . . . . . . . . . . . . . . . . . . . . . . . . . 165 211 18.1. Normative References . . . . . . . . . . . . . . . . . . 165 212 18.2. Informative References . . . . . . . . . . . . . . . . . 166 213 Appendix A. Future Extensions . . . . . . . . . . . . . . . . . 168 214 A.1. Piggybacking . . . . . . . . . . . . . . . . . . . . . . 168 215 A.2. Triangular Routing . . . . . . . . . . . . . . . . . . . 168 216 A.3. New Authorization Methods . . . . . . . . . . . . . . . . 168 217 A.4. Dynamically Generated Home Addresses . . . . . . . . . . 168 218 A.5. Remote Home Address Configuration . . . . . . . . . . . . 168 219 A.6. Neighbor Discovery Extensions . . . . . . . . . . . . . . 169 220 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 171 221 Intellectual Property and Copyright Statements . . . . . . . . . 172 223 1. Introduction 225 This document specifies a protocol which allows nodes to remain 226 reachable while moving around in the IPv6 Internet. Without specific 227 support for mobility in IPv6 [8], packets destined to a mobile node 228 would not be able to reach it while the mobile node is away from its 229 home link. In order to continue communication in spite of its 230 movement, a mobile node could change its IP address each time it 231 moves to a new link, but the mobile node would then not be able to 232 maintain transport and higher-layer connections when it changes 233 location. Mobility support in IPv6 is particularly important, as 234 mobile computers are likely to account for a majority or at least a 235 substantial fraction of the population of the Internet during the 236 lifetime of IPv6. 238 The protocol defined in this document, known as Mobile IPv6, allows a 239 mobile node to move from one link to another without changing the 240 mobile node's "home address". Packets may be routed to the mobile 241 node using this address regardless of the mobile node's current point 242 of attachment to the Internet. The mobile node may also continue to 243 communicate with other nodes (stationary or mobile) after moving to a 244 new link. The movement of a mobile node away from its home link is 245 thus transparent to transport and higher-layer protocols and 246 applications. 248 The Mobile IPv6 protocol is just as suitable for mobility across 249 homogeneous media as for mobility across heterogeneous media. For 250 example, Mobile IPv6 facilitates node movement from one Ethernet 251 segment to another as well as it facilitates node movement from an 252 Ethernet segment to a wireless LAN cell, with the mobile node's IP 253 address remaining unchanged in spite of such movement. 255 One can think of the Mobile IPv6 protocol as solving the network- 256 layer mobility management problem. Some mobility management 257 applications -- for example, handover among wireless transceivers, 258 each of which covers only a very small geographic area -- have been 259 solved using link-layer techniques. For example, in many current 260 wireless LAN products, link-layer mobility mechanisms allow a 261 "handover" of a mobile node from one cell to another, re-establishing 262 link-layer connectivity to the node in each new location. 264 Mobile IPv6 does not attempt to solve all general problems related to 265 the use of mobile computers or wireless networks. In particular, 266 this protocol does not attempt to solve: 268 o Handling links with unidirectional connectivity or partial 269 reachability, such as the hidden terminal problem where a host is 270 hidden from only some of the routers on the link. 272 o Access control on a link being visited by a mobile node. 274 o Local or hierarchical forms of mobility management (similar to 275 many current link-layer mobility management solutions). 277 o Assistance for adaptive applications. 279 o Mobile routers. 281 o Service Discovery. 283 o Distinguishing between packets lost due to bit errors vs. network 284 congestion. 286 2. Comparison with Mobile IP for IPv4 288 The design of Mobile IP support in IPv6 (Mobile IPv6) benefits both 289 from the experiences gained from the development of Mobile IP support 290 in IPv4 (Mobile IPv4) [28] [22] [23], and from the opportunities 291 provided by IPv6. Mobile IPv6 thus shares many features with Mobile 292 IPv4, but is integrated into IPv6 and offers many other improvements. 293 This section summarizes the major differences between Mobile IPv4 and 294 Mobile IPv6: 296 o There is no need to deploy special routers as "foreign agents", as 297 in Mobile IPv4. Mobile IPv6 operates in any location without any 298 special support required from the local router. 300 o Support for route optimization is a fundamental part of the 301 protocol, rather than a nonstandard set of extensions. 303 o Mobile IPv6 route optimization can operate securely even without 304 pre-arranged security associations. It is expected that route 305 optimization can be deployed on a global scale between all mobile 306 nodes and correspondent nodes. 308 o Support is also integrated into Mobile IPv6 for allowing route 309 optimization to coexist efficiently with routers that perform 310 "ingress filtering" [25]. 312 o The IPv6 Neighbor Unreachability Detection assures symmetric 313 reachability between the mobile node and its default router in the 314 current location. 316 o Most packets sent to a mobile node while away from home in Mobile 317 IPv6 are sent using an IPv6 routing header rather than IP 318 encapsulation, reducing the amount of resulting overhead compared 319 to Mobile IPv4. 321 o Mobile IPv6 is decoupled from any particular link layer, as it 322 uses IPv6 Neighbor Discovery [18] instead of ARP. This also 323 improves the robustness of the protocol. 325 o The use of IPv6 encapsulation (and the routing header) removes the 326 need in Mobile IPv6 to manage "tunnel soft state". 328 o The dynamic home agent address discovery mechanism in Mobile IPv6 329 returns a single reply to the mobile node. The directed broadcast 330 approach used in IPv4 returns separate replies from each home 331 agent. 333 3. Terminology 335 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 336 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 337 document are to be interpreted as described in RFC 2119 [1]. 339 3.1. General Terms 341 IP 343 Internet Protocol Version 6 (IPv6). 345 node 347 A device that implements IP. 349 router 351 A node that forwards IP packets not explicitly addressed to 352 itself. 354 unicast routable address 356 An identifier for a single interface such that a packet sent to it 357 from another IPv6 subnet is delivered to the interface identified 358 by that address. Accordingly, a unicast routable address must 359 have either a global or site-local scope (but not link-local). 361 host 363 Any node that is not a router. 365 link 367 A communication facility or medium over which nodes can 368 communicate at the link layer, such as an Ethernet (simple or 369 bridged). A link is the layer immediately below IP. 371 interface 373 A node's attachment to a link. 375 subnet prefix 377 A bit string that consists of some number of initial bits of an IP 378 address. 380 interface identifier 382 A number used to identify a node's interface on a link. The 383 interface identifier is the remaining low-order bits in the node's 384 IP address after the subnet prefix. 386 link-layer address 388 A link-layer identifier for an interface, such as IEEE 802 389 addresses on Ethernet links. 391 packet 393 An IP header plus payload. 395 security association 397 An IPsec security association is a cooperative relationship formed 398 by the sharing of cryptographic keying material and associated 399 context. Security associations are simplex. That is, two 400 security associations are needed to protect bidirectional traffic 401 between two nodes, one for each direction. 403 security policy database 405 A database that specifies what security services are to be offered 406 to IP packets and in what fashion. 408 destination option 410 Destination options are carried by the IPv6 Destination Options 411 extension header. Destination options include optional 412 information that need be examined only by the IPv6 node given as 413 the destination address in the IPv6 header, not by routers in 414 between. Mobile IPv6 defines one new destination option, the Home 415 Address destination option (see Section 6.3). 417 routing header 419 A routing header may be present as an IPv6 header extension, and 420 indicates that the payload has to be delivered to a destination 421 IPv6 address in some way that is different from what would be 422 carried out by standard Internet routing. In this document, use 423 of the term "routing header" typically refers to use of a type 2 424 routing header, as specified in Section 6.4. 426 "|" (concatenation) 428 Some formulas in this specification use the symbol "|" to indicate 429 bytewise concatenation, as in A | B. This concatenation requires 430 that all of the octets of the datum A appear first in the result, 431 followed by all of the octets of the datum B. 433 First (size, input) 435 Some formulas in this specification use a functional form "First 436 (size, input)" to indicate truncation of the "input" data so that 437 only the first "size" bits remain to be used. 439 3.2. Mobile IPv6 Terms 441 home address 443 A unicast routable address assigned to a mobile node, used as the 444 permanent address of the mobile node. This address is within the 445 mobile node's home link. Standard IP routing mechanisms will 446 deliver packets destined for a mobile node's home address to its 447 home link. Mobile nodes can have multiple home addresses, for 448 instance when there are multiple home prefixes on the home link. 450 home subnet prefix 452 The IP subnet prefix corresponding to a mobile node's home 453 address. 455 home link 457 The link on which a mobile node's home subnet prefix is defined. 459 mobile node 461 A node that can change its point of attachment from one link to 462 another, while still being reachable via its home address. 464 movement 466 A change in a mobile node's point of attachment to the Internet 467 such that it is no longer connected to the same link as it was 468 previously. If a mobile node is not currently attached to its 469 home link, the mobile node is said to be "away from home". 471 L2 handover 473 A process by which the mobile node changes from one link-layer 474 connection to another. For example, a change of wireless access 475 point is an L2 handover. 477 L3 handover 479 Subsequent to an L2 handover, a mobile node detects a change in an 480 on-link subnet prefix that would require a change in the primary 481 care-of address. For example, a change of access router 482 subsequent to a change of wireless access point typically results 483 in an L3 handover. 485 correspondent node 487 A peer node with which a mobile node is communicating. The 488 correspondent node may be either mobile or stationary. 490 foreign subnet prefix 492 Any IP subnet prefix other than the mobile node's home subnet 493 prefix. 495 foreign link 497 Any link other than the mobile node's home link. 499 care-of address 501 A unicast routable address associated with a mobile node while 502 visiting a foreign link; the subnet prefix of this IP address is a 503 foreign subnet prefix. Among the multiple care-of addresses that 504 a mobile node may have at any given time (e.g., with different 505 subnet prefixes), the one registered with the mobile node's home 506 agent for a given home address is called its "primary" care-of 507 address. 509 home agent 511 A router on a mobile node's home link with which the mobile node 512 has registered its current care-of address. While the mobile node 513 is away from home, the home agent intercepts packets on the home 514 link destined to the mobile node's home address, encapsulates 515 them, and tunnels them to the mobile node's registered care-of 516 address. 518 binding 520 The association of the home address of a mobile node with a 521 care-of address for that mobile node, along with the remaining 522 lifetime of that association. 524 registration 526 The process during which a mobile node sends a Binding Update to 527 its home agent or a correspondent node, causing a binding for the 528 mobile node to be registered. 530 mobility message 532 A message containing a Mobility Header (see Section 6.1). 534 binding authorization 536 Correspondent registration needs to be authorized to allow the 537 recipient to believe that the sender has the right to specify a 538 new binding. 540 return routability procedure 542 The return routability procedure authorizes registrations by the 543 use of a cryptographic token exchange. 545 correspondent registration 547 A return routability procedure followed by a registration, run 548 between the mobile node and a correspondent node. 550 home registration 552 A registration between the mobile node and its home agent, 553 authorized by the use of IPsec. 555 nonce 557 Nonces are random numbers used internally by the correspondent 558 node in the creation of keygen tokens related to the return 559 routability procedure. The nonces are not specific to a mobile 560 node, and are kept secret within the correspondent node. 562 nonce index 564 A nonce index is used to indicate which nonces have been used when 565 creating keygen token values, without revealing the nonces 566 themselves. 568 cookie 570 A cookie is a random number used by a mobile node to prevent 571 spoofing by a bogus correspondent node in the return routability 572 procedure. 574 care-of init cookie 576 A cookie sent to the correspondent node in the Care-of Test Init 577 message, to be returned in the Care-of Test message. 579 home init cookie 581 A cookie sent to the correspondent node in the Home Test Init 582 message, to be returned in the Home Test message. 584 keygen token 586 A keygen token is a number supplied by a correspondent node in the 587 return routability procedure to enable the mobile node to compute 588 the necessary binding management key for authorizing a Binding 589 Update. 591 care-of keygen token 593 A keygen token sent by the correspondent node in the Care-of Test 594 message. 596 home keygen token 598 A keygen token sent by the correspondent node in the Home Test 599 message. 601 binding management key (Kbm) 603 A binding management key (Kbm) is a key used for authorizing a 604 binding cache management message (e.g., Binding Update or Binding 605 Acknowledgement). Return routability provides a way to create a 606 binding management key. 608 4. Overview of Mobile IPv6 610 4.1. Basic Operation 612 A mobile node is always expected to be addressable at its home 613 address, whether it is currently attached to its home link or is away 614 from home. The "home address" is an IP address assigned to the 615 mobile node within its home subnet prefix on its home link. While a 616 mobile node is at home, packets addressed to its home address are 617 routed to the mobile node's home link, using conventional Internet 618 routing mechanisms. 620 While a mobile node is attached to some foreign link away from home, 621 it is also addressable at one or more care-of addresses. A care-of 622 address is an IP address associated with a mobile node that has the 623 subnet prefix of a particular foreign link. The mobile node can 624 acquire its care-of address through conventional IPv6 mechanisms, 625 such as stateless or stateful auto-configuration. As long as the 626 mobile node stays in this location, packets addressed to this care-of 627 address will be routed to the mobile node. The mobile node may also 628 accept packets from several care-of addresses, such as when it is 629 moving but still reachable at the previous link. 631 The association between a mobile node's home address and care-of 632 address is known as a "binding" for the mobile node. While away from 633 home, a mobile node registers its primary care-of address with a 634 router on its home link, requesting this router to function as the 635 "home agent" for the mobile node. The mobile node performs this 636 binding registration by sending a "Binding Update" message to the 637 home agent. The home agent replies to the mobile node by returning a 638 "Binding Acknowledgement" message. The operation of the mobile node 639 is specified in Section 11, and the operation of the home agent is 640 specified in Section 10. 642 Any node communicating with a mobile node is referred to in this 643 document as a "correspondent node" of the mobile node, and may itself 644 be either a stationary node or a mobile node. Mobile nodes can 645 provide information about their current location to correspondent 646 nodes. This happens through the correspondent registration. As a 647 part of this procedure, a return routability test is performed in 648 order to authorize the establishment of the binding. The operation 649 of the correspondent node is specified in Section 9. 651 There are two possible modes for communications between the mobile 652 node and a correspondent node. The first mode, bidirectional 653 tunneling, does not require Mobile IPv6 support from the 654 correspondent node and is available even if the mobile node has not 655 registered its current binding with the correspondent node. Packets 656 from the correspondent node are routed to the home agent and then 657 tunneled to the mobile node. Packets to the correspondent node are 658 tunneled from the mobile node to the home agent ("reverse tunneled") 659 and then routed normally from the home network to the correspondent 660 node. In this mode, the home agent uses proxy Neighbor Discovery to 661 intercept any IPv6 packets addressed to the mobile node's home 662 address (or home addresses) on the home link. Each intercepted 663 packet is tunneled to the mobile node's primary care-of address. 664 This tunneling is performed using IPv6 encapsulation [9]. 666 The second mode, "route optimization", requires the mobile node to 667 register its current binding at the correspondent node. Packets from 668 the correspondent node can be routed directly to the care-of address 669 of the mobile node. When sending a packet to any IPv6 destination, 670 the correspondent node checks its cached bindings for an entry for 671 the packet's destination address. If a cached binding for this 672 destination address is found, the node uses a new type of IPv6 673 routing header [8] (see Section 6.4) to route the packet to the 674 mobile node by way of the care-of address indicated in this binding. 676 Routing packets directly to the mobile node's care-of address allows 677 the shortest communications path to be used. It also eliminates 678 congestion at the mobile node's home agent and home link. In 679 addition, the impact of any possible failure of the home agent or 680 networks on the path to or from it is reduced. 682 When routing packets directly to the mobile node, the correspondent 683 node sets the Destination Address in the IPv6 header to the care-of 684 address of the mobile node. A new type of IPv6 routing header (see 685 Section 6.4) is also added to the packet to carry the desired home 686 address. Similarly, the mobile node sets the Source Address in the 687 packet's IPv6 header to its current care-of addresses. The mobile 688 node adds a new IPv6 "Home Address" destination option (see 689 Section 6.3) to carry its home address. The inclusion of home 690 addresses in these packets makes the use of the care-of address 691 transparent above the network layer (e.g., at the transport layer). 693 Mobile IPv6 also provides support for multiple home agents, and a 694 limited support for the reconfiguration of the home network. In 695 these cases, the mobile node may not know the IP address of its own 696 home agent, and even the home subnet prefixes may change over time. 697 A mechanism, known as "dynamic home agent address discovery" allows a 698 mobile node to dynamically discover the IP address of a home agent on 699 its home link, even when the mobile node is away from home. Mobile 700 nodes can also learn new information about home subnet prefixes 701 through the "mobile prefix discovery" mechanism. These mechanisms 702 are described starting from Section 6.5. 704 4.2. New IPv6 Protocol 706 Mobile IPv6 defines a new IPv6 protocol, using the Mobility Header 707 (see Section 6.1). This Header is used to carry the following 708 messages: 710 Home Test Init 712 Home Test 714 Care-of Test Init 716 Care-of Test 718 These four messages are used to perform the return routability 719 procedure from the mobile node to a correspondent node. This 720 ensures authorization of subsequent Binding Updates, as described 721 in Section 5.2.5. 723 Binding Update 725 A Binding Update is used by a mobile node to notify a 726 correspondent node or the mobile node's home agent of its current 727 binding. The Binding Update sent to the mobile node's home agent 728 to register its primary care-of address is marked as a "home 729 registration". 731 Binding Acknowledgement 733 A Binding Acknowledgement is used to acknowledge receipt of a 734 Binding Update, if an acknowledgement was requested in the Binding 735 Update, the binding update was sent to a home agent, or an error 736 occurred. 738 Binding Refresh Request 740 A Binding Refresh Request is used by a correspondent node to 741 request a mobile node to re-establish its binding with the 742 correspondent node. This message is typically used when the 743 cached binding is in active use but the binding's lifetime is 744 close to expiration. The correspondent node may use, for 745 instance, recent traffic and open transport layer connections as 746 an indication of active use. 748 Binding Error 750 The Binding Error is used by the correspondent node to signal an 751 error related to mobility, such as an inappropriate attempt to use 752 the Home Address destination option without an existing binding. 754 4.3. New IPv6 Destination Option 756 Mobile IPv6 defines a new IPv6 destination option, the Home Address 757 destination option. This option is described in detail in 758 Section 6.3. 760 4.4. New IPv6 ICMP Messages 762 Mobile IPv6 also introduces four new ICMP message types, two for use 763 in the dynamic home agent address discovery mechanism, and two for 764 renumbering and mobile configuration mechanisms. As described in 765 Section 10.5 and Section 11.4.1, the following two new ICMP message 766 types are used for home agent address discovery: 768 o Home Agent Address Discovery Request, described in Section 6.5. 770 o Home Agent Address Discovery Reply, described in Section 6.6. 772 The next two message types are used for network renumbering and 773 address configuration on the mobile node, as described in 774 Section 10.6: 776 o Mobile Prefix Solicitation, described in Section 6.7. 778 o Mobile Prefix Advertisement, described in Section 6.8. 780 4.5. Conceptual Data Structure Terminology 782 This document describes the Mobile IPv6 protocol in terms of the 783 following conceptual data structures: 785 Binding Cache 787 A cache of bindings for other nodes. This cache is maintained by 788 home agents and correspondent nodes. The cache contains both 789 "correspondent registration" entries (see Section 9.1) and "home 790 registration" entries (see Section 10.1). 792 Binding Update List 794 This list is maintained by each mobile node. The list has an item 795 for every binding that the mobile node has or is trying to 796 establish with a specific other node. Both correspondent and home 797 registrations are included in this list. Entries from the list 798 are deleted as the lifetime of the binding expires. See 799 Section 11.1. 801 Home Agents List 803 Home agents need to know which other home agents are on the same 804 link. This information is stored in the Home Agents List, as 805 described in more detail in Section 10.1. The list is used for 806 informing mobile nodes during dynamic home agent address 807 discovery. 809 4.6. Unique-Local Addressability 811 This specification requires that home and care-of addresses MUST be 812 unicast routable addresses. Site-local addresses may be usable on 813 networks that are not connected to the Internet, but this 814 specification does not define when such usage is safe and when it is 815 not. Mobile nodes may not be aware of which site they are currently 816 in, it is hard to prevent accidental attachment to other sites, and 817 ambiguity of site-local addresses can cause problems if the home and 818 visited networks use the same addresses. Therefore, site-local 819 addresses SHOULD NOT be used as home or care-of addresses. 821 5. Overview of Mobile IPv6 Security 823 This specification provides a number of security features. These 824 include the protection of Binding Updates both to home agents and 825 correspondent nodes, the protection of mobile prefix discovery, and 826 the protection of the mechanisms that Mobile IPv6 uses for 827 transporting data packets. 829 Binding Updates are protected by the use of IPsec extension headers, 830 or by the use of the Binding Authorization Data option. This option 831 employs a binding management key, Kbm, which can be established 832 through the return routability procedure. Mobile prefix discovery is 833 protected through the use of IPsec extension headers. Mechanisms 834 related to transporting payload packets - such as the Home Address 835 destination option and type 2 routing header - have been specified in 836 a manner which restricts their use in attacks. 838 5.1. Binding Updates to Home Agents 840 The mobile node and the home agent MUST use an IPsec security 841 association to protect the integrity and authenticity of the Binding 842 Updates and Acknowledgements. Both the mobile nodes and the home 843 agents MUST support and SHOULD use the Encapsulating Security Payload 844 (ESP) [4] header in transport mode and MUST use a non-NULL payload 845 authentication algorithm to provide data origin authentication, 846 connectionless integrity and optional anti-replay protection. Note 847 that Authentication Header (AH) [3] is also possible but for brevity 848 not discussed in this specification. 850 In order to protect messages exchanged between the mobile node and 851 the home agent with IPsec, appropriate security policy database 852 entries must be created. A mobile node must be prevented from using 853 its security association to send a Binding Update on behalf of 854 another mobile node using the same home agent. This MUST be achieved 855 by having the home agent check that the given home address has been 856 used with the right security association. Such a check is provided 857 in the IPsec processing, by having the security policy database 858 entries unequivocally identify a single security association for 859 protecting Binding Updates between any given home address and home 860 agent. In order to make this possible, it is necessary that the home 861 address of the mobile node is visible in the Binding Updates and 862 Acknowledgements. The home address is used in these packets as a 863 source or destination, or in the Home Address Destination option or 864 the type 2 routing header. 866 As with all IPsec security associations in this specification, manual 867 configuration of security associations MUST be supported. The used 868 shared secrets MUST be random and unique for different mobile nodes, 869 and MUST be distributed off-line to the mobile nodes. 871 Automatic key management with IKE [7] MAY be supported. When IKE is 872 used, either the security policy database entries or the Mobile IPv6 873 processing MUST unequivocally identify the IKE phase 1 credentials 874 which can be used to authorize the creation of security associations 875 for protecting Binding Updates for a particular home address. How 876 these mappings are maintained is outside the scope of this 877 specification, but they may be maintained, for instance, as a locally 878 administered table in the home agent. If the phase 1 identity is a 879 Fully Qualified Domain Name (FQDN), secure forms of DNS may also be 880 used. 882 Section 11.3.2 discusses how IKE connections to the home agent need a 883 careful treatment of the addresses used for transporting IKE. This 884 is necessary to ensure that a Binding Update is not needed before the 885 IKE exchange which is needed for securing the Binding Update. 887 When IKE version 1 is used with preshared secret authentication 888 between the mobile node and the home agent, aggressive mode MUST be 889 used. 891 The ID_IPV6_ADDR Identity Payload MUST NOT be used in IKEv1 phase 1. 893 Reference [14] contains a more detailed description and examples on 894 using IPsec to protect the communications between the mobile node and 895 the home agent. 897 5.2. Binding Updates to Correspondent Nodes 899 The protection of Binding Updates sent to correspondent nodes does 900 not require the configuration of security associations or the 901 existence of an authentication infrastructure between the mobile 902 nodes and correspondent nodes. Instead, a method called the return 903 routability procedure is used to assure that the right mobile node is 904 sending the message. This method does not protect against attackers 905 who are on the path between the home network and the correspondent 906 node. However, attackers in such a location are capable of 907 performing the same attacks even without Mobile IPv6. The main 908 advantage of the return routability procedure is that it limits the 909 potential attackers to those having an access to one specific path in 910 the Internet, and avoids forged Binding Updates from anywhere else in 911 the Internet. For a more in depth explanation of the security 912 properties of the return routability procedure, see Section 15. 914 The integrity and authenticity of the Binding Updates messages to 915 correspondent nodes is protected by using a keyed-hash algorithm. 916 The binding management key, Kbm, is used to key the hash algorithm 917 for this purpose. Kbm is established using data exchanged during the 918 return routability procedure. The data exchange is accomplished by 919 use of node keys, nonces, cookies, tokens, and certain cryptographic 920 functions. Section 5.2.5 outlines the basic return routability 921 procedure. Section 5.2.6 shows how the results of this procedure are 922 used to authorize a Binding Update to a correspondent node. 924 5.2.1. Node Keys 926 Each correspondent node has a secret key, Kcn, called the "node key", 927 which it uses to produce the keygen tokens sent to the mobile nodes. 928 The node key MUST be a random number, 20 octets in length. The node 929 key allows the correspondent node to verify that the keygen tokens 930 used by the mobile node in authorizing a Binding Update are indeed 931 its own. This key MUST NOT be shared with any other entity. 933 A correspondent node MAY generate a fresh node key at any time; this 934 avoids the need for secure persistent key storage. Procedures for 935 optionally updating the node key are discussed later in 936 Section 5.2.7. 938 5.2.2. Nonces 940 Each correspondent node also generates nonces at regular intervals. 941 The nonces should be generated by using a random number generator 942 that is known to have good randomness properties [15]. A 943 correspondent node may use the same Kcn and nonce with all the 944 mobiles it is in communication with. 946 Each nonce is identified by a nonce index. When a new nonce is 947 generated, it must be associated with a new nonce index; this may be 948 done, for example, by incrementing the value of the previous nonce 949 index, if the nonce index is used as an array pointer into a linear 950 array of nonces. However, there is no requirement that nonces be 951 stored that way, or that the values of subsequent nonce indices have 952 any particular relationship to each other. The index value is 953 communicated in the protocol, so that if a nonce is replaced by new 954 nonce during the run of a protocol, the correspondent node can 955 distinguish messages that should be checked against the old nonce 956 from messages that should be checked against the new nonce. Strictly 957 speaking, indices are not necessary in the authentication, but allow 958 the correspondent node to efficiently find the nonce value that it 959 used in creating a keygen token. 961 Correspondent nodes keep both the current nonce and a small set of 962 valid previous nonces whose lifetime has not yet expired. Expired 963 values MUST be discarded, and messages using stale or unknown indices 964 will be rejected. 966 The specific nonce index values cannot be used by mobile nodes to 967 determine the validity of the nonce. Expected validity times for the 968 nonces values and the procedures for updating them are discussed 969 later in Section 5.2.7. 971 A nonce is an octet string of any length. The recommended length is 972 64 bits. 974 5.2.3. Cookies and Tokens 976 The return routability address test procedure uses cookies and keygen 977 tokens as opaque values within the test init and test messages, 978 respectively. 980 o The "home init cookie" and "care-of init cookie" are 64 bit values 981 sent to the correspondent node from the mobile node, and later 982 returned to the mobile node. The home init cookie is sent in the 983 Home Test Init message, and returned in the Home Test message. 984 The care-of init cookie is sent in the Care-of Test Init message, 985 and returned in the Care-of Test message. 987 o The "home keygen token" and "care-of keygen token" are 64-bit 988 values sent by the correspondent node to the mobile node via the 989 home agent (via the Home Test message) and the care-of address (by 990 the Care-of Test message), respectively. 992 The mobile node should set the home init or care-of init cookie to a 993 newly generated random number in every Home or Care-of Test Init 994 message it sends. The cookies are used to verify that the Home Test 995 or Care-of Test message matches the Home Test Init or Care-of Test 996 Init message, respectively. These cookies also serve to ensure that 997 parties who have not seen the request cannot spoof responses. 999 Home and care-of keygen tokens are produced by the correspondent node 1000 based on its currently active secret key (Kcn) and nonces, as well as 1001 the home or care-of address (respectively). A keygen token is valid 1002 as long as both the secret key (Kcn) and the nonce used to create it 1003 are valid. 1005 5.2.4. Cryptographic Functions 1007 In this specification, the function used to compute hash values is 1008 SHA1 [13]. Message Authentication Codes (MACs) are computed using 1009 HMAC_SHA1 [24] [13]. HMAC_SHA1(K,m) denotes such a MAC computed on 1010 message m with key K. 1012 5.2.5. Return Routability Procedure 1014 The Return Routability Procedure enables the correspondent node to 1015 obtain some reasonable assurance that the mobile node is in fact 1016 addressable at its claimed care-of address as well as at its home 1017 address. Only with this assurance is the correspondent node able to 1018 accept Binding Updates from the mobile node which would then instruct 1019 the correspondent node to direct that mobile node's data traffic to 1020 its claimed care-of address. 1022 This is done by testing whether packets addressed to the two claimed 1023 addresses are routed to the mobile node. The mobile node can pass 1024 the test only if it is able to supply proof that it received certain 1025 data (the "keygen tokens") which the correspondent node sends to 1026 those addresses. These data are combined by the mobile node into a 1027 binding management key, denoted Kbm. 1029 The figure below shows the message flow for the return routability 1030 procedure. 1032 Mobile node Home agent Correspondent node 1033 | | 1034 | Home Test Init (HoTI) | | 1035 |------------------------->|------------------------->| 1036 | | | 1037 | Care-of Test Init (CoTI) | 1038 |---------------------------------------------------->| 1039 | | 1040 | | Home Test (HoT) | 1041 |<-------------------------|<-------------------------| 1042 | | | 1043 | Care-of Test (CoT) | 1044 |<----------------------------------------------------| 1045 | | 1047 The Home and Care-of Test Init messages are sent at the same time. 1048 The procedure requires very little processing at the correspondent 1049 node, and the Home and Care-of Test messages can be returned quickly, 1050 perhaps nearly simultaneously. These four messages form the return 1051 routability procedure. 1053 Home Test Init 1055 A mobile node sends a Home Test Init message to the correspondent 1056 node (via the home agent) to acquire the home keygen token. The 1057 contents of the message can be summarized as follows: 1059 * Source Address = home address 1061 * Destination Address = correspondent 1063 * Parameters: 1065 + home init cookie 1067 The Home Test Init message conveys the mobile node's home address 1068 to the correspondent node. The mobile node also sends along a 1069 home init cookie that the correspondent node must return later. 1070 The Home Test Init message is reverse tunneled through the home 1071 agent. (The headers and addresses related to reverse tunneling 1072 have been omitted from the above discussion of the message 1073 contents.) The mobile node remembers these cookie values to 1074 obtain some assurance that its protocol messages are being 1075 processed by the desired correspondent node. 1077 Care-of Test Init 1079 The mobile node sends a Care-of Test Init message to the 1080 correspondent node (directly, not via the home agent) to acquire 1081 the care-of keygen token. The contents of this message can be 1082 summarized as follows: 1084 * Source Address = care-of address 1086 * Destination Address = correspondent 1088 * Parameters: 1090 + care-of init cookie 1092 The Care-of Test Init message conveys the mobile node's care-of 1093 address to the correspondent node. The mobile node also sends 1094 along a care-of init cookie that the correspondent node must 1095 return later. The Care-of Test Init message is sent directly to 1096 the correspondent node. 1098 Home Test 1100 The Home Test message is sent in response to a Home Test Init 1101 message. It is sent via the home agent. The contents of the 1102 message are: 1104 * Source Address = correspondent 1106 * Destination Address = home address 1108 * Parameters: 1110 + home init cookie 1112 + home keygen token 1114 + home nonce index 1116 When the correspondent node receives the Home Test Init message, 1117 it generates a home keygen token as follows: 1119 home keygen token := 1120 First (64, HMAC_SHA1 (Kcn, (home address | nonce | 0))) 1122 where | denotes concatenation. The final "0" inside the HMAC_SHA1 1123 function is a single zero octet, used to distinguish home and 1124 care-of cookies from each other. 1126 The home keygen token is formed from the first 64 bits of the MAC. 1127 The home keygen token tests that the mobile node can receive were 1128 messages sent to its home address. Kcn is used in the production 1129 of home keygen token in order to allow the correspondent node to 1130 verify that it generated the home and care-of nonces, without 1131 forcing the correspondent node to remember a list of all tokens it 1132 has handed out. 1134 The Home Test message is sent to the mobile node via the home 1135 network, where it is presumed that the home agent will tunnel the 1136 message to the mobile node. This means that the mobile node needs 1137 to already have sent a Binding Update to the home agent, so that 1138 the home agent will have received and authorized the new care-of 1139 address for the mobile node before the return routability 1140 procedure. For improved security, the data passed between the 1141 home agent and the mobile node is made immune to inspection and 1142 passive attacks. Such protection is gained by encrypting the home 1143 keygen token as it is tunneled from the home agent to the mobile 1144 node as specified in Section 10.4.6. The security properties of 1145 this additional security are discussed in Section 15.4.1. 1147 The home init cookie from the mobile node is returned in the Home 1148 Test message, to ensure that the message comes from a node on the 1149 route between the home agent and the correspondent node. 1151 The home nonce index is delivered to the mobile node to later 1152 allow the correspondent node to efficiently find the nonce value 1153 that it used in creating the home keygen token. 1155 Care-of Test 1157 This message is sent in response to a Care-of Test Init message. 1158 This message is not sent via the home agent, it is sent directly 1159 to the mobile node. The contents of the message are: 1161 * Source Address = correspondent 1163 * Destination Address = care-of address 1165 * Parameters: 1167 + care-of init cookie 1169 + care-of keygen token 1171 + care-of nonce index 1173 When the correspondent node receives the Care-of Test Init 1174 message, it generates a care-of keygen token as follows: 1176 care-of keygen token := 1177 First (64, HMAC_SHA1 (Kcn, (care-of address | nonce | 1))) 1179 Here, the final "1" inside the HMAC_SHA1 function is a single 1180 octet containing the hex value 0x01, and is used to distinguish 1181 home and care-of cookies from each other. The keygen token is 1182 formed from the first 64 bits of the MAC, and sent directly to the 1183 mobile node at its care-of address. The care-of init cookie from 1184 the Care-of Test Init message is returned to ensure that the 1185 message comes from a node on the route to the correspondent node. 1187 The care-of nonce index is provided to identify the nonce used for 1188 the care-of keygen token. The home and care-of nonce indices MAY 1189 be the same, or different, in the Home and Care-of Test messages. 1191 When the mobile node has received both the Home and Care-of Test 1192 messages, the return routability procedure is complete. As a result 1193 of the procedure, the mobile node has the data it needs to send a 1194 Binding Update to the correspondent node. The mobile node hashes the 1195 tokens together to form a 20 octet binding key Kbm: 1197 Kbm = SHA1 (home keygen token | care-of keygen token) 1199 A Binding Update may also be used to delete a previously established 1200 binding (Section 6.1.7). In this case, the care-of keygen token is 1201 not used. Instead, the binding management key is generated as 1202 follows: 1204 Kbm = SHA1(home keygen token) 1206 Note that the correspondent node does not create any state specific 1207 to the mobile node, until it receives the Binding Update from that 1208 mobile node. The correspondent node does not maintain the value for 1209 the binding management key Kbm; it creates Kbm when given the nonce 1210 indices and the mobile node's addresses. 1212 5.2.6. Authorizing Binding Management Messages 1214 After the mobile node has created the binding management key (Kbm), 1215 it can supply a verifiable Binding Update to the correspondent node. 1216 This section provides an overview of this registration. The below 1217 figure shows the message flow. 1219 Mobile node Correspondent node 1220 | | 1221 | Binding Update (BU) | 1222 |---------------------------------------------->| 1223 | (MAC, seq#, nonce indices, care-of address) | 1224 | | 1225 | | 1226 | Binding Acknowledgement (BA) (if sent) | 1227 |<----------------------------------------------| 1228 | (MAC, seq#, status) | 1230 Binding Update 1232 To authorize a Binding Update, the mobile node creates a binding 1233 management key Kbm from the keygen tokens as described in the 1234 previous section. The contents of the Binding Update include the 1235 following: 1237 * Source Address = care-of address 1239 * Destination Address = correspondent 1241 * Parameters: 1243 + home address (within the Home Address destination option if 1244 different from the Source Address) 1246 + sequence number (within the Binding Update message header) 1248 + home nonce index (within the Nonce Indices option) 1250 + care-of nonce index (within the Nonce Indices option) 1252 + First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent 1253 | BU))) 1255 The Binding Update contains a Nonce Indices option, indicating to 1256 the correspondent node which home and care-of nonces to use to 1257 recompute Kbm, the binding management key. The MAC is computed as 1258 described in Section 6.2.7, using the correspondent node's address 1259 as the destination address and the Binding Update message itself 1260 ("BU" above) as the MH Data. 1262 Once the correspondent node has verified the MAC, it can create a 1263 Binding Cache entry for the mobile. 1265 Binding Acknowledgement 1267 The Binding Update is in some cases acknowledged by the 1268 correspondent node. The contents of the message are as follows: 1270 * Source Address = correspondent 1272 * Destination Address = care-of address 1274 * Parameters: 1276 + sequence number (within the Binding Update message header) 1278 + First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent 1279 | BA))) 1281 The Binding Acknowledgement contains the same sequence number as 1282 the Binding Update. The MAC is computed as described in 1283 Section 6.2.7, using the correspondent node's address as the 1284 destination address and the message itself ("BA" above) as the MH 1285 Data. 1287 Bindings established with correspondent nodes using keys created by 1288 way of the return routability procedure MUST NOT exceed 1289 MAX_RR_BINDING_LIFETIME seconds (see Section 12). 1291 The value in the Source Address field in the IPv6 header carrying the 1292 Binding Update is normally also the care-of address which is used in 1293 the binding. However, a different care-of address MAY be specified 1294 by including an Alternate Care-of Address mobility option in the 1295 Binding Update (see Section 6.2.5). When such a message is sent to 1296 the correspondent node and the return routability procedure is used 1297 as the authorization method, the Care-of Test Init and Care-of Test 1298 messages MUST have been performed for the address in the Alternate 1299 Care-of Address option (not the Source Address). The nonce indices 1300 and MAC value MUST be based on information gained in this test. 1302 Binding Updates may also be sent to delete a previously established 1303 binding. In this case, generation of the binding management key 1304 depends exclusively on the home keygen token and the care-of nonce 1305 index is ignored. 1307 5.2.7. Updating Node Keys and Nonces 1309 Correspondent nodes generate nonces at regular intervals. It is 1310 recommended to keep each nonce (identified by a nonce index) 1311 acceptable for at least MAX_TOKEN_LIFETIME seconds (see Section 12) 1312 after it has been first used in constructing a return routability 1313 message response. However, the correspondent node MUST NOT accept 1314 nonces beyond MAX_NONCE_LIFETIME seconds (see Section 12) after the 1315 first use. As the difference between these two constants is 30 1316 seconds, a convenient way to enforce the above lifetimes is to 1317 generate a new nonce every 30 seconds. The node can then continue to 1318 accept tokens that have been based on the last 8 (MAX_NONCE_LIFETIME 1319 / 30) nonces. This results in tokens being acceptable 1320 MAX_TOKEN_LIFETIME to MAX_NONCE_LIFETIME seconds after they have been 1321 sent to the mobile node, depending on whether the token was sent at 1322 the beginning or end of the first 30 second period. Note that the 1323 correspondent node may also attempt to generate new nonces on demand, 1324 or only if the old nonces have been used. This is possible, as long 1325 as the correspondent node keeps track of how long a time ago the 1326 nonces were used for the first time, and does not generate new nonces 1327 on every return routability request. 1329 Due to resource limitations, rapid deletion of bindings, or reboots 1330 the correspondent node may not in all cases recognize the nonces that 1331 the tokens were based on. If a nonce index is unrecognized, the 1332 correspondent node replies with an error code in the Binding 1333 Acknowledgement (either 136, 137, or 138 as discussed in 1334 Section 6.1.8). The mobile node can then retry the return 1335 routability procedure. 1337 An update of Kcn SHOULD be done at the same time as an update of a 1338 nonce, so that nonce indices can identify both the nonce and the key. 1339 Old Kcn values have to be therefore remembered as long as old nonce 1340 values. 1342 Given that the tokens are normally expected to be usable for 1343 MAX_TOKEN_LIFETIME seconds, the mobile node MAY use them beyond a 1344 single run of the return routability procedure until 1345 MAX_TOKEN_LIFETIME expires. After this the mobile node SHOULD NOT 1346 use the tokens. A fast moving mobile node MAY reuse a recent home 1347 keygen token from a correspondent node when moving to a new location, 1348 and just acquire a new care-of keygen token to show routability in 1349 the new location. 1351 While this does not save the number of round-trips due to the 1352 simultaneous processing of home and care-of return routability tests, 1353 there are fewer messages being exchanged, and a potentially long 1354 round-trip through the home agent is avoided. Consequently, this 1355 optimization is often useful. A mobile node that has multiple home 1356 addresses, MAY also use the same care-of keygen token for Binding 1357 Updates concerning all of these addresses. 1359 5.2.8. Preventing Replay Attacks 1361 The return routability procedure also protects the participants 1362 against replayed Binding Updates through the use of the sequence 1363 number and a MAC. Care must be taken when removing bindings at the 1364 correspondent node, however. Correspondent nodes must retain 1365 bindings and the associated sequence number information at least as 1366 long as the nonces used in the authorization of the binding are still 1367 valid. Alternatively, if memory is very constrained, the 1368 correspondent node MAY invalidate the nonces that were used for the 1369 binding being deleted (or some larger group of nonces that they 1370 belong to). This may, however, impact the ability to accept Binding 1371 Updates from mobile nodes that have recently received keygen tokens. 1372 This alternative is therefore recommended only as a last measure. 1374 5.3. Dynamic Home Agent Address Discovery 1376 No security is required for dynamic home agent address discovery. 1378 5.4. Mobile Prefix Discovery 1380 The mobile node and the home agent SHOULD use an IPsec security 1381 association to protect the integrity and authenticity of the Mobile 1382 Prefix Solicitations and Advertisements. Both the mobile nodes and 1383 the home agents MUST support and SHOULD use the Encapsulating 1384 Security Payload (ESP) header in transport mode with a non-NULL 1385 payload authentication algorithm to provide data origin 1386 authentication, connectionless integrity and optional anti-replay 1387 protection. 1389 5.5. Payload Packets 1391 Payload packets exchanged with mobile nodes can be protected in the 1392 usual manner, in the same way as stationary hosts can protect them. 1393 However, Mobile IPv6 introduces the Home Address destination option, 1394 a routing header, and tunneling headers in the payload packets. In 1395 the following we define the security measures taken to protect these, 1396 and to prevent their use in attacks against other parties. 1398 This specification limits the use of the Home Address destination 1399 option to the situation where the correspondent node already has a 1400 Binding Cache entry for the given home address. This avoids the use 1401 of the Home Address option in attacks described in Section 15.1. 1403 Mobile IPv6 uses a Mobile IPv6 specific type of a routing header. 1404 This type provides the necessary functionality but does not open 1405 vulnerabilities discussed in Section 15.1. 1407 Tunnels between the mobile node and the home agent are protected by 1408 ensuring proper use of source addresses, and optional cryptographic 1409 protection. The mobile node verifies that the outer IP address 1410 corresponds to its home agent. The home agent verifies that the 1411 outer IP address corresponds to the current location of the mobile 1412 node (Binding Updates sent to the home agents are secure). The home 1413 agent identifies the mobile node through the source address of the 1414 inner packet. (Typically, this is the home address of the mobile 1415 node, but it can also be a link-local address, as discussed in 1416 Section 10.4.2. To recognize the latter type of addresses, the home 1417 agent requires that the Link-Local Address Compatibility (L) was set 1418 in the Binding Update.) These measures protect the tunnels against 1419 vulnerabilities discussed in Section 15.1. 1421 For traffic tunneled via the home agent, additional IPsec ESP 1422 encapsulation MAY be supported and used. If multicast group 1423 membership control protocols or stateful address autoconfiguration 1424 protocols are supported, payload data protection MUST be supported. 1426 6. New IPv6 Protocol, Message Types, and Destination Option 1428 6.1. Mobility Header 1430 The Mobility Header is an extension header used by mobile nodes, 1431 correspondent nodes, and home agents in all messaging related to the 1432 creation and management of bindings. The subsections within this 1433 section describe the message types that may be sent using the 1434 Mobility Header. 1436 Mobility Header messages MUST NOT be sent with a type 2 routing 1437 header, except as described in Section 9.5.4 for Binding 1438 Acknowledgement. Mobility Header messages also MUST NOT be used with 1439 a Home Address destination option, except as described in 1440 Section 11.7.1 and Section 11.7.2 for Binding Update. Binding Update 1441 List or Binding Cache information (when present) for the destination 1442 MUST NOT be used in sending Mobility Header messages. That is, 1443 Mobility Header messages bypass both the Binding Cache check 1444 described in Section 9.3.2 and the Binding Update List check 1445 described in Section 11.3.1 which are normally performed for all 1446 packets. This applies even to messages sent to or from a 1447 correspondent node which is itself a mobile node. 1449 6.1.1. Format 1451 The Mobility Header is identified by a Next Header value of 135 in 1452 the immediately preceding header, and has the following format: 1454 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1455 | Payload Proto | Header Len | MH Type | Reserved | 1456 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1457 | Checksum | | 1458 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1459 | | 1460 . . 1461 . Message Data . 1462 . . 1463 | | 1464 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1466 Payload Proto 1468 8-bit selector. Identifies the type of header immediately 1469 following the Mobility Header. Uses the same values as the IPv6 1470 Next Header field [8]. 1472 This field is intended to be used by a future extension (see 1473 Appendix A.1). 1475 Implementations conforming to this specification SHOULD set the 1476 payload protocol type to IPPROTO_NONE (59 decimal). 1478 Header Len 1480 8-bit unsigned integer, representing the length of the Mobility 1481 Header in units of 8 octets, excluding the first 8 octets. 1483 The length of the Mobility Header MUST be a multiple of 8 octets. 1485 MH Type 1487 8-bit selector. Identifies the particular mobility message in 1488 question. Current values are specified in Section 6.1.2 and 1489 onward. An unrecognized MH Type field causes an error indication 1490 to be sent. 1492 Reserved 1494 8-bit field reserved for future use. The value MUST be 1495 initialized to zero by the sender, and MUST be ignored by the 1496 receiver. 1498 Checksum 1500 16-bit unsigned integer. This field contains the checksum of the 1501 Mobility Header. The checksum is calculated from the octet string 1502 consisting of a "pseudo-header" followed by the entire Mobility 1503 Header starting with the Payload Proto field. The checksum is the 1504 16-bit one's complement of the one's complement sum of this 1505 string. 1507 The pseudo-header contains IPv6 header fields, as specified in 1508 Section 8.1 of RFC 2460 [8]. The Next Header value used in the 1509 pseudo-header is 135. The addresses used in the pseudo-header are 1510 the addresses that appear in the Source and Destination Address 1511 fields in the IPv6 packet carrying the Mobility Header. 1513 Note that the procedures of calculating upper layer checksums 1514 while away from home described in Section 11.3.1 apply even for 1515 the Mobility Header. If a mobility message has a Home Address 1516 destination option, then the checksum calculation uses the home 1517 address in this option as the value of the IPv6 Source Address 1518 field. The type 2 routing header is treated as explained in [8]. 1520 The Mobility Header is considered as the upper layer protocol for 1521 the purposes of calculating the pseudo-header. The Upper-Layer 1522 Packet Length field in the pseudo-header MUST be set to the total 1523 length of the Mobility Header. 1525 For computing the checksum, the checksum field is set to zero. 1527 Message Data 1529 A variable length field containing the data specific to the 1530 indicated Mobility Header type. 1532 Mobile IPv6 also defines a number of "mobility options" for use 1533 within these messages; if included, any options MUST appear after the 1534 fixed portion of the message data specified in this document. The 1535 presence of such options will be indicated by the Header Len field 1536 within the message. When the Header Len value is greater than the 1537 length required for the message specified here, the remaining octets 1538 are interpreted as mobility options. These options include padding 1539 options that can be used to ensure that other options are aligned 1540 properly, and that the total length of the message is divisible by 8. 1541 The encoding and format of defined options are described in 1542 Section 6.2. 1544 Alignment requirements for the Mobility Header are the same as for 1545 any IPv6 protocol Header. That is, they MUST be aligned on an 1546 8-octet boundary. 1548 6.1.2. Binding Refresh Request Message 1550 The Binding Refresh Request (BRR) message requests a mobile node to 1551 update its mobility binding. This message is sent by correspondent 1552 nodes according to the rules in Section 9.5.5. When a mobile node 1553 receives a packet containing a Binding Refresh Request message it 1554 processes the message according to the rules in Section 11.7.4. 1556 The Binding Refresh Request message uses the MH Type value 0. When 1557 this value is indicated in the MH Type field, the format of the 1558 Message Data field in the Mobility Header is as follows: 1560 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1561 | Reserved | 1562 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1563 | | 1564 . . 1565 . Mobility options . 1566 . . 1567 | | 1568 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1570 Reserved 1572 16-bit field reserved for future use. The value MUST be 1573 initialized to zero by the sender, and MUST be ignored by the 1574 receiver. 1576 Mobility Options 1578 Variable-length field of such length that the complete Mobility 1579 Header is an integer multiple of 8 octets long. This field 1580 contains zero or more TLV-encoded mobility options. The encoding 1581 and format of defined options are described in Section 6.2. The 1582 receiver MUST ignore and skip any options which it does not 1583 understand. 1585 There MAY be additional information, associated with this Binding 1586 Refresh Request message that need not be present in all Binding 1587 Refresh Request messages sent. Mobility options allow future 1588 extensions to the format of the Binding Refresh Request message to 1589 be defined. This specification does not define any options valid 1590 for the Binding Refresh Request message. 1592 If no actual options are present in this message, no padding is 1593 necessary and the Header Len field will be set to 0. 1595 6.1.3. Home Test Init Message 1597 A mobile node uses the Home Test Init (HoTI) message to initiate the 1598 return routability procedure and request a home keygen token from a 1599 correspondent node (see Section 11.6.1). The Home Test Init message 1600 uses the MH Type value 1. When this value is indicated in the MH 1601 Type field, the format of the Message Data field in the Mobility 1602 Header is as follows: 1604 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1605 | Reserved | 1606 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1607 | | 1608 + Home Init Cookie + 1609 | | 1610 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1611 | | 1612 . . 1613 . Mobility Options . 1614 . . 1615 | | 1616 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1618 Reserved 1620 16-bit field reserved for future use. This value MUST be 1621 initialized to zero by the sender, and MUST be ignored by the 1622 receiver. 1624 Home Init Cookie 1626 64-bit field which contains a random value, the home init cookie. 1628 Mobility Options 1630 Variable-length field of such length that the complete Mobility 1631 Header is an integer multiple of 8 octets long. This field 1632 contains zero or more TLV-encoded mobility options. The receiver 1633 MUST ignore and skip any options which it does not understand. 1634 This specification does not define any options valid for the Home 1635 Test Init message. 1637 If no actual options are present in this message, no padding is 1638 necessary and the Header Len field will be set to 1. 1640 This message is tunneled through the home agent when the mobile node 1641 is away from home. Such tunneling SHOULD employ IPsec ESP in tunnel 1642 mode between the home agent and the mobile node. This protection is 1643 indicated by the IPsec security policy database. The protection of 1644 Home Test Init messages is unrelated to the requirement to protect 1645 regular payload traffic, which MAY use such tunnels as well. 1647 6.1.4. Care-of Test Init Message 1649 A mobile node uses the Care-of Test Init (CoTI) message to initiate 1650 the return routability procedure and request a care-of keygen token 1651 from a correspondent node (see Section 11.6.1). The Care-of Test 1652 Init message uses the MH Type value 2. When this value is indicated 1653 in the MH Type field, the format of the Message Data field in the 1654 Mobility Header is as follows: 1656 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1657 | Reserved | 1658 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1659 | | 1660 + Care-of Init Cookie + 1661 | | 1662 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1663 | | 1664 . . 1665 . Mobility Options . 1666 . . 1667 | | 1668 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1670 Reserved 1672 16-bit field reserved for future use. The value MUST be 1673 initialized to zero by the sender, and MUST be ignored by the 1674 receiver. 1676 Care-of Init Cookie 1678 64-bit field which contains a random value, the care-of init 1679 cookie. 1681 Mobility Options 1683 Variable-length field of such length that the complete Mobility 1684 Header is an integer multiple of 8 octets long. This field 1685 contains zero or more TLV-encoded mobility options. The receiver 1686 MUST ignore and skip any options which it does not understand. 1687 This specification does not define any options valid for the 1688 Care-of Test Init message. 1690 If no actual options are present in this message, no padding is 1691 necessary and the Header Len field will be set to 1. 1693 6.1.5. Home Test Message 1695 The Home Test (HoT) message is a response to the Home Test Init 1696 message, and is sent from the correspondent node to the mobile node 1697 (see Section 5.2.5). The Home Test message uses the MH Type value 3. 1698 When this value is indicated in the MH Type field, the format of the 1699 Message Data field in the Mobility Header is as follows: 1701 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1702 | Home Nonce Index | 1703 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1704 | | 1705 + Home Init Cookie + 1706 | | 1707 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1708 | | 1709 + Home Keygen Token + 1710 | | 1711 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1712 | | 1713 . . 1714 . Mobility options . 1715 . . 1716 | | 1717 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1719 Home Nonce Index 1721 This field will be echoed back by the mobile node to the 1722 correspondent node in a subsequent Binding Update. 1724 Home Init Cookie 1726 64-bit field which contains the home init cookie. 1728 Home Keygen Token 1730 This field contains the 64 bit home keygen token used in the 1731 return routability procedure. 1733 Mobility Options 1735 Variable-length field of such length that the complete Mobility 1736 Header is an integer multiple of 8 octets long. This field 1737 contains zero or more TLV-encoded mobility options. The receiver 1738 MUST ignore and skip any options which it does not understand. 1739 This specification does not define any options valid for the Home 1740 Test message. 1742 If no actual options are present in this message, no padding is 1743 necessary and the Header Len field will be set to 2. 1745 6.1.6. Care-of Test Message 1747 The Care-of Test (CoT) message is a response to the Care-of Test Init 1748 message, and is sent from the correspondent node to the mobile node 1749 (see Section 11.6.2). The Care-of Test message uses the MH Type 1750 value 4. When this value is indicated in the MH Type field, the 1751 format of the Message Data field in the Mobility Header is as 1752 follows: 1754 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1755 | Care-of Nonce Index | 1756 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1757 | | 1758 + Care-of Init Cookie + 1759 | | 1760 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1761 | | 1762 + Care-of Keygen Token + 1763 | | 1764 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1765 | | 1766 . . 1767 . Mobility Options . 1768 . . 1769 | | 1770 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1772 Care-of Nonce Index 1774 This value will be echoed back by the mobile node to the 1775 correspondent node in a subsequent Binding Update. 1777 Care-of Init Cookie 1779 64-bit field which contains the care-of init cookie. 1781 Care-of Keygen Token 1783 This field contains the 64 bit care-of keygen token used in the 1784 return routability procedure. 1786 Mobility Options 1788 Variable-length field of such length that the complete Mobility 1789 Header is an integer multiple of 8 octets long. This field 1790 contains zero or more TLV-encoded mobility options. The receiver 1791 MUST ignore and skip any options which it does not understand. 1792 This specification does not define any options valid for the 1793 Care-of Test message. 1795 If no actual options are present in this message, no padding is 1796 necessary and the Header Len field will be set to 2. 1798 6.1.7. Binding Update Message 1800 The Binding Update (BU) message is used by a mobile node to notify 1801 other nodes of a new care-of address for itself. Binding Updates are 1802 sent as described in Section 11.7.1 and Section 11.7.2. 1804 The Binding Update uses the MH Type value 5. When this value is 1805 indicated in the MH Type field, the format of the Message Data field 1806 in the Mobility Header is as follows: 1808 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1809 | Sequence # | 1810 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1811 |A|H|L|K| Reserved | Lifetime | 1812 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1813 | | 1814 . . 1815 . Mobility options . 1816 . . 1817 | | 1818 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1820 Acknowledge (A) 1822 The Acknowledge (A) bit is set by the sending mobile node to 1823 request a Binding Acknowledgement (Section 6.1.8) be returned upon 1824 receipt of the Binding Update. 1826 Home Registration (H) 1828 The Home Registration (H) bit is set by the sending mobile node to 1829 request that the receiving node should act as this node's home 1830 agent. The destination of the packet carrying this message MUST 1831 be that of a router sharing the same subnet prefix as the home 1832 address of the mobile node in the binding. 1834 Link-Local Address Compatibility (L) 1836 The Link-Local Address Compatibility (L) bit is set when the home 1837 address reported by the mobile node has the same interface 1838 identifier as the mobile node's link-local address. 1840 Key Management Mobility Capability (K) 1842 If this bit is cleared, the protocol used for establishing the 1843 IPsec security associations between the mobile node and the home 1844 agent does not survive movements. It may then have to be rerun. 1845 (Note that the IPsec security associations themselves are expected 1846 to survive movements.) If manual IPsec configuration is used, the 1847 bit MUST be cleared. 1849 This bit is valid only in Binding Updates sent to the home agent, 1850 and MUST be cleared in other Binding Updates. Correspondent nodes 1851 MUST ignore this bit. 1853 Reserved 1855 These fields are unused. They MUST be initialized to zero by the 1856 sender and MUST be ignored by the receiver. 1858 Sequence # 1860 A 16-bit unsigned integer used by the receiving node to sequence 1861 Binding Updates and by the sending node to match a returned 1862 Binding Acknowledgement with this Binding Update. 1864 Lifetime 1866 16-bit unsigned integer. The number of time units remaining 1867 before the binding MUST be considered expired. A value of zero 1868 indicates that the Binding Cache entry for the mobile node MUST be 1869 deleted. (In this case the specified care-of address MUST also be 1870 set equal to the home address.) One time unit is 4 seconds. 1872 Mobility Options 1874 Variable-length field of such length that the complete Mobility 1875 Header is an integer multiple of 8 octets long. This field 1876 contains zero or more TLV-encoded mobility options. The encoding 1877 and format of defined options are described in Section 6.2. The 1878 receiver MUST ignore and skip any options which it does not 1879 understand. 1881 The following options are valid in a Binding Update: 1883 * Binding Authorization Data option (this option is mandatory in 1884 Binding Updates sent to a correspondent node) 1886 * Nonce Indices option. 1888 * Alternate Care-of Address option 1890 If no options are present in this message, 4 octets of padding are 1891 necessary and the Header Len field will be set to 1. 1893 The care-of address is specified either by the Source Address field 1894 in the IPv6 header or by the Alternate Care-of Address option, if 1895 present. The care-of address MUST be a unicast routable address. 1896 IPv6 Source Address MUST be a topologically correct source address. 1897 Binding Updates for a care-of address which is not a unicast routable 1898 address MUST be silently discarded. Similarly, the Binding Update 1899 MUST be silently discarded if the care-of address appears as a home 1900 address in an existing Binding Cache entry, with its current location 1901 creating a circular reference back to the home address specified in 1902 the Binding Update (possibly through additional entries). 1904 The deletion of a binding can be indicated by setting the Lifetime 1905 field to 0 and by setting the care-of address equal to the home 1906 address. In deletion, the generation of the binding management key 1907 depends exclusively on the home keygen token, as explained in 1908 Section 5.2.5. (Note that while the senders are required to set both 1909 the Lifetime field to 0 and the care-of address equal to the home 1910 address, Section 9.5.1 rules for receivers are more liberal, and 1911 interpret either condition as a deletion.) 1913 Correspondent nodes SHOULD NOT delete the Binding Cache entry before 1914 the lifetime expires, if any application hosted by the correspondent 1915 node is still likely to require communication with the mobile node. 1916 A Binding Cache entry that is de-allocated prematurely might cause 1917 subsequent packets to be dropped from the mobile node, if they 1918 contain the Home Address destination option. This situation is 1919 recoverable, since a Binding Error message is sent to the mobile node 1920 (see Section 6.1.9); however, it causes unnecessary delay in the 1921 communications. 1923 6.1.8. Binding Acknowledgement Message 1925 The Binding Acknowledgement is used to acknowledge receipt of a 1926 Binding Update (Section 6.1.7). This packet is sent as described in 1927 Section 9.5.4 and Section 10.3.1. 1929 The Binding Acknowledgement has the MH Type value 6. When this value 1930 is indicated in the MH Type field, the format of the Message Data 1931 field in the Mobility Header is as follows: 1933 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1934 | Status |K| Reserved | 1935 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1936 | Sequence # | Lifetime | 1937 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1938 | | 1939 . . 1940 . Mobility options . 1941 . . 1942 | | 1943 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1945 Key Management Mobility Capability (K) 1947 If this bit is cleared, the protocol used by the home agent for 1948 establishing the IPsec security associations between the mobile 1949 node and the home agent does not survive movements. It may then 1950 have to be rerun. (Note that the IPsec security associations 1951 themselves are expected to survive movements.) 1953 Correspondent nodes MUST set the K bit to 0. 1955 Reserved 1957 These fields are unused. They MUST be initialized to zero by the 1958 sender and MUST be ignored by the receiver. 1960 Status 1962 8-bit unsigned integer indicating the disposition of the Binding 1963 Update. Values of the Status field less than 128 indicate that 1964 the Binding Update was accepted by the receiving node. Values 1965 greater than or equal to 128 indicate that the Binding Update was 1966 rejected by the receiving node. The following Status values are 1967 currently defined: 1969 0 Binding Update accepted 1971 1 Accepted but prefix discovery necessary 1973 128 Reason unspecified 1975 129 Administratively prohibited 1977 130 Insufficient resources 1978 131 Home registration not supported 1980 132 Not home subnet 1982 133 Not home agent for this mobile node 1984 134 Duplicate Address Detection failed 1986 135 Sequence number out of window 1988 136 Expired home nonce index 1990 137 Expired care-of nonce index 1992 138 Expired nonces 1994 139 Registration type change disallowed 1996 Up-to-date values of the Status field are to be specified in the 1997 IANA registry of assigned numbers [12]. 1999 Sequence # 2001 The Sequence Number in the Binding Acknowledgement is copied from 2002 the Sequence Number field in the Binding Update. It is used by 2003 the mobile node in matching this Binding Acknowledgement with an 2004 outstanding Binding Update. 2006 Lifetime 2008 The granted lifetime, in time units of 4 seconds, for which this 2009 node SHOULD retain the entry for this mobile node in its Binding 2010 Cache. 2012 The value of this field is undefined if the Status field indicates 2013 that the Binding Update was rejected. 2015 Mobility Options 2017 Variable-length field of such length that the complete Mobility 2018 Header is an integer multiple of 8 octets long. This field 2019 contains zero or more TLV-encoded mobility options. The encoding 2020 and format of defined options are described in Section 6.2. The 2021 receiver MUST ignore and skip any options which it does not 2022 understand. 2024 There MAY be additional information, associated with this Binding 2025 Acknowledgement that need not be present in all Binding 2026 Acknowledgements sent. Mobility options allow future extensions 2027 to the format of the Binding Acknowledgement to be defined. The 2028 following options are valid for the Binding Acknowledgement: 2030 * Binding Authorization Data option (this option is mandatory in 2031 Binding Acknowledgements sent by a correspondent node, except 2032 where otherwise noted in Section 9.5.4) 2034 * Binding Refresh Advice option 2036 If no options are present in this message, 4 octets of padding are 2037 necessary and the Header Len field will be set to 1. 2039 6.1.9. Binding Error Message 2041 The Binding Error (BE) message is used by the correspondent node to 2042 signal an error related to mobility, such as an inappropriate attempt 2043 to use the Home Address destination option without an existing 2044 binding; see Section 9.3.3 for details. 2046 The Binding Error message uses the MH Type value 7. When this value 2047 is indicated in the MH Type field, the format of the Message Data 2048 field in the Mobility Header is as follows: 2050 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2051 | Status | Reserved | 2052 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2053 | | 2054 + + 2055 | | 2056 + Home Address + 2057 | | 2058 + + 2059 | | 2060 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2061 . . 2062 . Mobility Options . 2063 . . 2064 | | 2065 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2067 Status 2069 8-bit unsigned integer indicating the reason for this message. 2070 The following values are currently defined: 2072 1 Unknown binding for Home Address destination option 2074 2 Unrecognized MH Type value 2076 Reserved 2078 A 8-bit field reserved for future use. The value MUST be 2079 initialized to zero by the sender, and MUST be ignored by the 2080 receiver. 2082 Home Address 2084 The home address that was contained in the Home Address 2085 destination option. The mobile node uses this information to 2086 determine which binding does not exist, in cases where the mobile 2087 node has several home addresses. 2089 Mobility Options 2091 Variable-length field of such length that the complete Mobility 2092 Header is an integer multiple of 8 octets long. This field 2093 contains zero or more TLV-encoded mobility options. The receiver 2094 MUST ignore and skip any options which it does not understand. 2096 There MAY be additional information, associated with this Binding 2097 Error message that need not be present in all Binding Error 2098 messages sent. Mobility options allow future extensions to the 2099 format of the format of the Binding Error message to be defined. 2100 The encoding and format of defined options are described in 2101 Section 6.2. This specification does not define any options valid 2102 for the Binding Error message. 2104 If no actual options are present in this message, no padding is 2105 necessary and the Header Len field will be set to 2. 2107 6.2. Mobility Options 2109 Mobility messages can include zero or more mobility options. This 2110 allows optional fields that may not be needed in every use of a 2111 particular Mobility Header, as well as future extensions to the 2112 format of the messages. Such options are included in the Message 2113 Data field of the message itself, after the fixed portion of the 2114 message data specified in the message subsections of Section 6.1. 2116 The presence of such options will be indicated by the Header Len of 2117 the Mobility Header. If included, the Binding Authorization Data 2118 option (Section 6.2.7) MUST be the last option and MUST NOT have 2119 trailing padding. Otherwise, options can be placed in any order. 2121 6.2.1. Format 2123 Mobility options are encoded within the remaining space of the 2124 Message Data field of a mobility message, using a type-length-value 2125 (TLV) format as follows: 2127 0 1 2 3 2128 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2129 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2130 | Option Type | Option Length | Option Data... 2131 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2133 Option Type 2135 8-bit identifier of the type of mobility option. When processing 2136 a Mobility Header containing an option for which the Option Type 2137 value is not recognized by the receiver, the receiver MUST quietly 2138 ignore and skip over the option, correctly handling any remaining 2139 options in the message. 2141 Option Length 2143 8-bit unsigned integer, representing the length in octets of the 2144 mobility option, not including the Option Type and Option Length 2145 fields. 2147 Option Data 2149 A variable length field that contains data specific to the option. 2151 The following subsections specify the Option types which are 2152 currently defined for use in the Mobility Header. 2154 Implementations MUST silently ignore any mobility options that they 2155 do not understand. 2157 Mobility options may have alignment requirements. Following the 2158 convention in IPv6, these options are aligned in a packet so that 2159 multi-octet values within the Option Data field of each option fall 2160 on natural boundaries (i.e., fields of width n octets are placed at 2161 an integer multiple of n octets from the start of the header, for n = 2162 1, 2, 4, or 8) [8]. 2164 6.2.2. Pad1 2166 The Pad1 option does not have any alignment requirements. Its format 2167 is as follows: 2169 0 2170 0 1 2 3 4 5 6 7 2171 +-+-+-+-+-+-+-+-+ 2172 | Type = 0 | 2173 +-+-+-+-+-+-+-+-+ 2175 NOTE! the format of the Pad1 option is a special case - it has 2176 neither Option Length nor Option Data fields. 2178 The Pad1 option is used to insert one octet of padding in the 2179 Mobility Options area of a Mobility Header. If more than one octet 2180 of padding is required, the PadN option, described next, should be 2181 used rather than multiple Pad1 options. 2183 6.2.3. PadN 2185 The PadN option does not have any alignment requirements. Its format 2186 is as follows: 2188 0 1 2189 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 2190 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - 2191 | Type = 1 | Option Length | Option Data 2192 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - - 2194 The PadN option is used to insert two or more octets of padding in 2195 the Mobility Options area of a mobility message. For N octets of 2196 padding, the Option Length field contains the value N-2, and the 2197 Option Data consists of N-2 zero-valued octets. PadN Option data 2198 MUST be ignored by the receiver. 2200 6.2.4. Binding Refresh Advice 2202 The Binding Refresh Advice option has an alignment requirement of 2n. 2203 Its format is as follows: 2205 0 1 2 3 2206 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2207 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2208 | Type = 2 | Length = 2 | 2209 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2210 | Refresh Interval | 2211 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2213 The Binding Refresh Advice option is only valid in the Binding 2214 Acknowledgement, and only on Binding Acknowledgements sent from the 2215 mobile node's home agent in reply to a home registration. The 2216 Refresh Interval is measured in units of four seconds, and indicates 2217 remaining time until the mobile node SHOULD send a new home 2218 registration to the home agent. The Refresh Interval MUST be set to 2219 indicate a smaller time interval than the Lifetime value of the 2220 Binding Acknowledgement. 2222 6.2.5. Alternate Care-of Address 2224 The Alternate Care-of Address option has an alignment requirement of 2225 8n+6. Its format is as follows: 2227 0 1 2 3 2228 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2229 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2230 | Type = 3 | Length = 16 | 2231 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2232 | | 2233 + + 2234 | | 2235 + Alternate Care-of Address + 2236 | | 2237 + + 2238 | | 2239 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2241 Normally, a Binding Update specifies the desired care-of address in 2242 the Source Address field of the IPv6 header. However, this is not 2243 possible in some cases, such as when the mobile node wishes to 2244 indicate a care-of address which it cannot use as a topologically 2245 correct source address (Section 6.1.7 and Section 11.7.2) or when the 2246 used security mechanism does not protect the IPv6 header 2247 (Section 11.7.1). 2249 The Alternate Care-of Address option is provided for these 2250 situations. This option is valid only in Binding Update. The 2251 Alternate Care-of Address field contains an address to use as the 2252 care-of address for the binding, rather than using the Source Address 2253 of the packet as the care-of address. 2255 6.2.6. Nonce Indices 2257 The Nonce Indices option has an alignment requirement of 2n. Its 2258 format is as follows: 2260 0 1 2 3 2261 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2262 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2263 | Type = 4 | Length = 4 | 2264 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2265 | Home Nonce Index | Care-of Nonce Index | 2266 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2268 The Nonce Indices option is valid only in the Binding Update message 2269 sent to a correspondent node, and only when present together with a 2270 Binding Authorization Data option. When the correspondent node 2271 authorizes the Binding Update, it needs to produce home and care-of 2272 keygen tokens from its stored random nonce values. 2274 The Home Nonce Index field tells the correspondent node which nonce 2275 value to use when producing the home keygen token. 2277 The Care-of Nonce Index field is ignored in requests to delete a 2278 binding. Otherwise, it tells the correspondent node which nonce 2279 value to use when producing the care-of keygen token. 2281 6.2.7. Binding Authorization Data 2283 The Binding Authorization Data option does not have alignment 2284 requirements as such. However, since this option must be the last 2285 mobility option, an implicit alignment requirement is 8n + 2. The 2286 format of this option is as follows: 2288 0 1 2 3 2289 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2290 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2291 | Type = 5 | Option Length | 2292 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2293 | | 2294 + + 2295 | Authenticator | 2296 + + 2297 | | 2298 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2300 The Binding Authorization Data option is valid in the Binding Update 2301 and Binding Acknowledgement. 2303 The Option Length field contains the length of the authenticator in 2304 octets. 2306 The Authenticator field contains a cryptographic value which can be 2307 used to determine that the message in question comes from the right 2308 authority. Rules for calculating this value depends on the used 2309 authorization procedure. 2311 For the return routability procedure, this option can appear in the 2312 Binding Update and Binding Acknowledgements. Rules for calculating 2313 the Authenticator value are the following: 2315 Mobility Data = care-of address | correspondent | MH Data 2316 Authenticator = First (96, HMAC_SHA1 (Kbm, Mobility Data)) 2318 Where | denotes concatenation. "Care-of address" is the care-of 2319 address which will be registered for the mobile node if the Binding 2320 Update succeeds, or the home address of the mobile node if this 2321 option is used in de-registration. Note also that this address might 2322 be different from the source address of the Binding Update message, 2323 if the Alternative Care-of Address mobility option is used, or when 2324 the lifetime of the binding is set to zero. 2326 The "correspondent" is the IPv6 address of the correspondent node. 2327 Note that, if the message is sent to a destination which is itself 2328 mobile, the "correspondent" address may not be the address found in 2329 the Destination Address field of the IPv6 header; instead the home 2330 address from the type 2 Routing header should be used. 2332 "MH Data" is the content of the Mobility Header, excluding the 2333 Authenticator field itself. The Authenticator value is calculated as 2334 if the Checksum field in the Mobility Header was zero. The Checksum 2335 in the transmitted packet is still calculated in the usual manner, 2336 with the calculated Authenticator being a part of the packet 2337 protected by the Checksum. Kbm is the binding management key, which 2338 is typically created using nonces provided by the correspondent node 2339 (see Section 9.4). Note that while the contents of a potential Home 2340 Address destination option are not covered in this formula, the rules 2341 for the calculation of the Kbm do take the home address in account. 2342 This ensures that the MAC will be different for different home 2343 addresses. 2345 The first 96 bits from the MAC result are used as the Authenticator 2346 field. 2348 6.3. Home Address Option 2350 The Home Address option is carried by the Destination Option 2351 extension header (Next Header value = 60). It is used in a packet 2352 sent by a mobile node while away from home, to inform the recipient 2353 of the mobile node's home address. 2355 The Home Address option is encoded in type-length-value (TLV) format 2356 as follows: 2358 0 1 2 3 2359 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2360 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2361 | Option Type | Option Length | 2362 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2363 | | 2364 + + 2365 | | 2366 + Home Address + 2367 | | 2368 + + 2369 | | 2370 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2372 Option Type 2374 201 = 0xC9 2376 Option Length 2378 8-bit unsigned integer. Length of the option, in octets, 2379 excluding the Option Type and Option Length fields. This field 2380 MUST be set to 16. 2382 Home Address 2384 The home address of the mobile node sending the packet. This 2385 address MUST be a unicast routable address. 2387 The alignment requirement [8] for the Home Address option is 8n+6. 2389 The three highest-order bits of the Option Type field are encoded to 2390 indicate specific processing of the option [8]; for the Home Address 2391 option, these three bits are set to 110. This indicates the 2392 following processing requirements: 2394 o Any IPv6 node that does not recognize the Option Type must discard 2395 the packet, and if the packet's Destination Address was not a 2396 multicast address, return an ICMP Parameter Problem, Code 2, 2397 message to the packet's Source Address. The Pointer field in the 2398 ICMP message SHOULD point at the Option Type field. Otherwise, 2399 for multicast addresses, the ICMP message MUST NOT be sent. 2401 o The data within the option cannot change en route to the packet's 2402 final destination. 2404 The Home Address option MUST be placed as follows: 2406 o After the routing header, if that header is present 2408 o Before the Fragment Header, if that header is present 2410 o Before the AH Header or ESP Header, if either one of those headers 2411 are present 2413 For each IPv6 packet header, the Home Address Option MUST NOT appear 2414 more than once. However, an encapsulated packet [9] MAY contain a 2415 separate Home Address option associated with each encapsulating IP 2416 header. 2418 The inclusion of a Home Address destination option in a packet 2419 affects the receiving node's processing of only this single packet. 2420 No state is created or modified in the receiving node as a result of 2421 receiving a Home Address option in a packet. In particular, the 2422 presence of a Home Address option in a received packet MUST NOT alter 2423 the contents of the receiver's Binding Cache and MUST NOT cause any 2424 changes in the routing of subsequent packets sent by this receiving 2425 node. 2427 6.4. Type 2 Routing Header 2429 Mobile IPv6 defines a new routing header variant, the type 2 routing 2430 header, to allow the packet to be routed directly from a 2431 correspondent to the mobile node's care-of address. The mobile 2432 node's care-of address is inserted into the IPv6 Destination Address 2433 field. Once the packet arrives at the care-of address, the mobile 2434 node retrieves its home address from the routing header, and this is 2435 used as the final destination address for the packet. 2437 The new routing header uses a different type than defined for 2438 "regular" IPv6 source routing, enabling firewalls to apply different 2439 rules to source routed packets than to Mobile IPv6. This routing 2440 header type (type 2) is restricted to carry only one IPv6 address. 2441 All IPv6 nodes which process this routing header MUST verify that the 2442 address contained within is the node's own home address in order to 2443 prevent packets from being forwarded outside the node. The IP 2444 address contained in the routing header, since it is the mobile 2445 node's home address, MUST be a unicast routable address. 2446 Furthermore, if the scope of the home address is smaller than the 2447 scope of the care-of address, the mobile node MUST discard the packet 2448 (see Section 4.6). 2450 6.4.1. Format 2452 The type 2 routing header has the following format: 2454 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2455 | Next Header | Hdr Ext Len=2 | Routing Type=2|Segments Left=1| 2456 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2457 | Reserved | 2458 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2459 | | 2460 + + 2461 | | 2462 + Home Address + 2463 | | 2464 + + 2465 | | 2466 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2468 Next Header 2470 8-bit selector. Identifies the type of header immediately 2471 following the routing header. Uses the same values as the IPv6 2472 Next Header field [8]. 2474 Hdr Ext Len 2476 2 (8-bit unsigned integer); length of the routing header in 2477 8-octet units, not including the first 8 octets. 2479 Routing Type 2481 2 (8-bit unsigned integer). 2483 Segments Left 2485 1 (8-bit unsigned integer). 2487 Reserved 2489 32-bit reserved field. The value MUST be initialized to zero by 2490 the sender, and MUST be ignored by the receiver. 2492 Home Address 2494 The Home Address of the destination Mobile Node. 2496 For a type 2 routing header, the Hdr Ext Len MUST be 2. The Segments 2497 Left value describes the number of route segments remaining; i.e., 2498 number of explicitly listed intermediate nodes still to be visited 2499 before reaching the final destination. Segments Left MUST be 1. The 2500 ordering rules for extension headers in an IPv6 packet are described 2501 in Section 4.1 of RFC 2460 [8]. The type 2 routing header defined 2502 for Mobile IPv6 follows the same ordering as other routing headers. 2503 If both a type 0 and a type 2 routing header are present, the type 2 2504 routing header should follow the other routing header. A packet 2505 containing such nested encapsulation should be created as if the 2506 inner (type 2) routing header was constructed first and then treated 2507 as an original packet by the outer (type 0) routing header 2508 construction process. 2510 In addition, the general procedures defined by IPv6 for routing 2511 headers suggest that a received routing header MAY be automatically 2512 "reversed" to construct a routing header for use in any response 2513 packets sent by upper-layer protocols, if the received packet is 2514 authenticated [6]. This MUST NOT be done automatically for type 2 2515 routing headers. 2517 6.5. ICMP Home Agent Address Discovery Request Message 2519 The ICMP Home Agent Address Discovery Request message is used by a 2520 mobile node to initiate the dynamic home agent address discovery 2521 mechanism, as described in Section 11.4.1. The mobile node sends the 2522 Home Agent Address Discovery Request message to the Mobile IPv6 Home- 2523 Agents anycast address [10] for its own home subnet prefix. (Note 2524 that the currently defined anycast addresses may not work with all 2525 prefix lengths other than those defined in RFC 4291 [16] [32].) 2527 0 1 2 3 2528 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2529 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2530 | Type | Code | Checksum | 2531 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2532 | Identifier | Reserved | 2533 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2535 Type 2537 144 2539 Code 2541 0 2543 Checksum 2545 The ICMP checksum [17]. 2547 Identifier 2549 An identifier to aid in matching Home Agent Address Discovery 2550 Reply messages to this Home Agent Address Discovery Request 2551 message. 2553 Reserved 2555 This field is unused. It MUST be initialized to zero by the 2556 sender and MUST be ignored by the receiver. 2558 The Source Address of the Home Agent Address Discovery Request 2559 message packet is typically one of the mobile node's current care-of 2560 addresses. At the time of performing this dynamic home agent address 2561 discovery procedure, it is likely that the mobile node is not 2562 registered with any home agent. Therefore, neither the nature of the 2563 address nor the identity of the mobile node can be established at 2564 this time. The home agent MUST then return the Home Agent Address 2565 Discovery Reply message directly to the Source Address chosen by the 2566 mobile node. 2568 6.6. ICMP Home Agent Address Discovery Reply Message 2570 The ICMP Home Agent Address Discovery Reply message is used by a home 2571 agent to respond to a mobile node that uses the dynamic home agent 2572 address discovery mechanism, as described in Section 10.5. 2574 0 1 2 3 2575 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2576 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2577 | Type | Code | Checksum | 2578 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2579 | Identifier | Reserved | 2580 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2581 | | 2582 + + 2583 . . 2584 . Home Agent Addresses . 2585 . . 2586 + + 2587 | | 2588 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2590 Type 2592 145 2594 Code 2596 0 2598 Checksum 2600 The ICMP checksum [17]. 2602 Identifier 2604 The identifier from the invoking Home Agent Address Discovery 2605 Request message. 2607 Reserved 2609 This field is unused. It MUST be initialized to zero by the 2610 sender and MUST be ignored by the receiver. 2612 Home Agent Addresses 2614 A list of addresses of home agents on the home link for the mobile 2615 node. The number of addresses presented in the list is indicated 2616 by the remaining length of the IPv6 packet carrying the Home Agent 2617 Address Discovery Reply message. 2619 6.7. ICMP Mobile Prefix Solicitation Message Format 2621 The ICMP Mobile Prefix Solicitation Message is sent by a mobile node 2622 to its home agent while it is away from home. The purpose of the 2623 message is to solicit a Mobile Prefix Advertisement from the home 2624 agent, which will allow the mobile node to gather prefix information 2625 about its home network. This information can be used to configure 2626 and update home address(es) according to changes in prefix 2627 information supplied by the home agent. 2629 0 1 2 3 2630 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2631 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2632 | Type | Code | Checksum | 2633 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2634 | Identifier | Reserved | 2635 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2637 IP Fields: 2639 Source Address 2641 The mobile node's care-of address. 2643 Destination Address 2645 The address of the mobile node's home agent. This home agent must 2646 be on the link that the mobile node wishes to learn prefix 2647 information about. 2649 Hop Limit 2651 Set to an initial hop limit value, similarly to any other unicast 2652 packet sent by the mobile node. 2654 Destination Option: 2656 A Home Address destination option MUST be included. 2658 ESP header: 2660 IPsec headers MUST be supported and SHOULD be used as described in 2661 Section 5.4. 2663 ICMP Fields: 2665 Type 2667 146 2669 Code 2671 0 2673 Checksum 2675 The ICMP checksum [17]. 2677 Identifier 2679 An identifier to aid in matching a future Mobile Prefix 2680 Advertisement to this Mobile Prefix Solicitation. 2682 Reserved 2684 This field is unused. It MUST be initialized to zero by the 2685 sender and MUST be ignored by the receiver. 2687 The Mobile Prefix Solicitation messages may have options. These 2688 options MUST use the option format defined in RFC 4861 [18]. This 2689 document does not define any option types for the Mobile Prefix 2690 Solicitation message, but future documents may define new options. 2691 Home agents MUST silently ignore any options they do not recognize 2692 and continue processing the message. 2694 6.8. ICMP Mobile Prefix Advertisement Message Format 2696 A home agent will send a Mobile Prefix Advertisement to a mobile node 2697 to distribute prefix information about the home link while the mobile 2698 node is traveling away from the home network. This will occur in 2699 response to a Mobile Prefix Solicitation with an Advertisement, or by 2700 an unsolicited Advertisement sent according to the rules in 2701 Section 10.6. 2703 0 1 2 3 2704 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2705 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2706 | Type | Code | Checksum | 2707 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2708 | Identifier |M|O| Reserved | 2709 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2710 | Options ... 2711 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2713 IP Fields: 2715 Source Address 2717 The home agent's address as the mobile node would expect to see it 2718 (i.e., same network prefix). 2720 Destination Address 2722 If this message is a response to a Mobile Prefix Solicitation, 2723 this field contains the Source Address field from that packet. 2724 For unsolicited messages, the mobile node's care-of address SHOULD 2725 be used. Note that unsolicited messages can only be sent if the 2726 mobile node is currently registered with the home agent. 2728 Routing header: 2730 A type 2 routing header MUST be included. 2732 ESP header: 2734 IPsec headers MUST be supported and SHOULD be used as described in 2735 Section 5.4. 2737 ICMP Fields: 2739 Type 2741 147 2743 Code 2745 0 2747 Checksum 2749 The ICMP checksum [17]. 2751 Identifier 2753 An identifier to aid in matching this Mobile Prefix Advertisement 2754 to a previous Mobile Prefix Solicitation. 2756 M 2758 1-bit Managed Address Configuration flag. When set, hosts use the 2759 administered (stateful) protocol for address autoconfiguration in 2760 addition to any addresses autoconfigured using stateless address 2761 autoconfiguration. The use of this flag is described in [18] 2762 [19]. 2764 O 2766 1-bit Other Stateful Configuration flag. When set, hosts use the 2767 administered (stateful) protocol for autoconfiguration of other 2768 (non-address) information. The use of this flag is described in 2769 [18] [19]. 2771 Reserved 2773 This field is unused. It MUST be initialized to zero by the 2774 sender and MUST be ignored by the receiver. 2776 The Mobile Prefix Advertisement messages may have options. These 2777 options MUST use the option format defined in RFC 4861 [18]. This 2778 document defines one option which may be carried in a Mobile Prefix 2779 Advertisement message, but future documents may define new options. 2780 Mobile nodes MUST silently ignore any options they do not recognize 2781 and continue processing the message. 2783 Prefix Information 2785 Each message contains one or more Prefix Information options. 2786 Each option carries the prefix(es) that the mobile node should use 2787 to configure its home address(es). Section 10.6 describes which 2788 prefixes should be advertised to the mobile node. 2790 The Prefix Information option is defined in Section 4.6.2 of RFC 2791 4861 [18], with modifications defined in Section 7.2 of this 2792 specification. The home agent MUST use this modified Prefix 2793 Information option to send home network prefixes as defined in 2794 Section 10.6.1. 2796 If the Advertisement is sent in response to a Mobile Prefix 2797 Solicitation, the home agent MUST copy the Identifier value from that 2798 message into the Identifier field of the Advertisement. 2800 The home agent MUST NOT send more than one Mobile Prefix 2801 Advertisement message per second to any mobile node. 2803 The M and O bits MUST be cleared if the Home Agent DHCPv6 support is 2804 not provided. If such support is provided then they are set in 2805 concert with the home network's administrative settings. 2807 7. Modifications to IPv6 Neighbor Discovery 2809 7.1. Modified Router Advertisement Message Format 2811 Mobile IPv6 modifies the format of the Router Advertisement message 2812 [18] by the addition of a single flag bit to indicate that the router 2813 sending the Advertisement message is serving as a home agent on this 2814 link. The format of the Router Advertisement message is as follows: 2816 0 1 2 3 2817 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2818 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2819 | Type | Code | Checksum | 2820 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2821 | Cur Hop Limit |M|O|H| Reserved| Router Lifetime | 2822 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2823 | Reachable Time | 2824 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2825 | Retrans Timer | 2826 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2827 | Options ... 2828 +-+-+-+-+-+-+-+-+-+-+-+- 2830 This format represents the following changes over that originally 2831 specified for Neighbor Discovery [18]: 2833 Home Agent (H) 2835 The Home Agent (H) bit is set in a Router Advertisement to 2836 indicate that the router sending this Router Advertisement is also 2837 functioning as a Mobile IPv6 home agent on this link. 2839 Reserved 2841 Reduced from a 6-bit field to a 5-bit field to account for the 2842 addition of the above bit. 2844 7.2. Modified Prefix Information Option Format 2846 Mobile IPv6 requires knowledge of a router's global address in 2847 building a Home Agents List as part of the dynamic home agent address 2848 discovery mechanism. 2850 However, Neighbor Discovery [18] only advertises a router's link- 2851 local address, by requiring this address to be used as the IP Source 2852 Address of each Router Advertisement. 2854 Mobile IPv6 extends Neighbor Discovery to allow a router to advertise 2855 its global address, by the addition of a single flag bit in the 2856 format of a Prefix Information option for use in Router Advertisement 2857 messages. The format of the Prefix Information option is as follows: 2859 0 1 2 3 2860 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2861 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2862 | Type | Length | Prefix Length |L|A|R|Reserved1| 2863 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2864 | Valid Lifetime | 2865 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2866 | Preferred Lifetime | 2867 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2868 | Reserved2 | 2869 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2870 | | 2871 + + 2872 | | 2873 + Prefix + 2874 | | 2875 + + 2876 | | 2877 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2879 This format represents the following changes over that originally 2880 specified for Neighbor Discovery [18]: 2882 Router Address (R) 2884 1-bit router address flag. When set, indicates that the Prefix 2885 field contains a complete IP address assigned to the sending 2886 router. The indicated prefix is the first Prefix Length bits of 2887 the Prefix field. The router IP address has the same scope and 2888 conforms to the same lifetime values as the advertised prefix. 2889 This use of the Prefix field is compatible with its use in 2890 advertising the prefix itself, since Prefix Advertisement uses 2891 only the leading bits. Interpretation of this flag bit is thus 2892 independent of the processing required for the On-Link (L) and 2893 Autonomous Address-Configuration (A) flag bits. 2895 Reserved1 2897 Reduced from a 6-bit field to a 5-bit field to account for the 2898 addition of the above bit. 2900 In a Router Advertisement, a home agent MUST, and all other routers 2901 MAY, include at least one Prefix Information option with the Router 2902 Address (R) bit set. Neighbor Discovery specifies that, if including 2903 all options in a Router Advertisement causes the size of the 2904 Advertisement to exceed the link MTU, multiple Advertisements can be 2905 sent, each containing a subset of the options [18]. Also, when 2906 sending unsolicited multicast Router Advertisements more frequently 2907 than the limit specified in RFC 4861 [18], the sending router need 2908 not include all options in each of these Advertisements. However, in 2909 both of these cases the router SHOULD include at least one Prefix 2910 Information option with the Router Address (R) bit set in each such 2911 advertisement, if this bit is set in some advertisement sent by the 2912 router. 2914 In addition, the following requirement can assist mobile nodes in 2915 movement detection. Barring changes in the prefixes for the link, 2916 routers that send multiple Router Advertisements with the Router 2917 Address (R) bit set in some of the included Prefix Information 2918 options SHOULD provide at least one option and router address which 2919 stays the same in all of the Advertisements. 2921 7.3. New Advertisement Interval Option Format 2923 Mobile IPv6 defines a new Advertisement Interval option, used in 2924 Router Advertisement messages to advertise the interval at which the 2925 sending router sends unsolicited multicast Router Advertisements. 2926 The format of the Advertisement Interval option is as follows: 2928 0 1 2 3 2929 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2930 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2931 | Type | Length | Reserved | 2932 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2933 | Advertisement Interval | 2934 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2936 Type 2938 7 2940 Length 2942 8-bit unsigned integer. The length of the option (including the 2943 type and length fields) is in units of 8 octets. The value of 2944 this field MUST be 1. 2946 Reserved 2948 This field is unused. It MUST be initialized to zero by the 2949 sender and MUST be ignored by the receiver. 2951 Advertisement Interval 2953 32-bit unsigned integer. The maximum time, in milliseconds, 2954 between successive unsolicited Router Advertisement messages sent 2955 by this router on this network interface. Using the conceptual 2956 router configuration variables defined by Neighbor Discovery [18], 2957 this field MUST be equal to the value MaxRtrAdvInterval, expressed 2958 in milliseconds. 2960 Routers MAY include this option in their Router Advertisements. A 2961 mobile node receiving a Router Advertisement containing this option 2962 SHOULD utilize the specified Advertisement Interval for that router 2963 in its movement detection algorithm, as described in Section 11.5.1. 2965 This option MUST be silently ignored for other Neighbor Discovery 2966 messages. 2968 7.4. New Home Agent Information Option Format 2970 Mobile IPv6 defines a new Home Agent Information option, used in 2971 Router Advertisements sent by a home agent to advertise information 2972 specific to this router's functionality as a home agent. The format 2973 of the Home Agent Information option is as follows: 2975 0 1 2 3 2976 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2977 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2978 | Type | Length | Reserved | 2979 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2980 | Home Agent Preference | Home Agent Lifetime | 2981 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2983 Type 2985 8 2987 Length 2989 8-bit unsigned integer. The length of the option (including the 2990 type and length fields) in units of 8 octets. The value of this 2991 field MUST be 1. 2993 Reserved 2995 This field is unused. It MUST be initialized to zero by the 2996 sender and MUST be ignored by the receiver. 2998 Home Agent Preference 3000 16-bit unsigned integer. The preference for the home agent 3001 sending this Router Advertisement, for use in ordering the 3002 addresses returned to a mobile node in the Home Agent Addresses 3003 field of a Home Agent Address Discovery Reply message. Higher 3004 values mean more preferable. If this option is not included in a 3005 Router Advertisement in which the Home Agent (H) bit is set, the 3006 preference value for this home agent MUST be considered to be 0. 3007 Greater values indicate a more preferable home agent than lower 3008 values. 3010 The manual configuration of the Home Agent Preference value is 3011 described in Section 8.4. In addition, the sending home agent MAY 3012 dynamically set the Home Agent Preference value, for example 3013 basing it on the number of mobile nodes it is currently serving or 3014 on its remaining resources for serving additional mobile nodes; 3015 such dynamic settings are beyond the scope of this document. Any 3016 such dynamic setting of the Home Agent Preference, however, MUST 3017 set the preference appropriately, relative to the default Home 3018 Agent Preference value of 0 that may be in use by some home agents 3019 on this link (i.e., a home agent not including a Home Agent 3020 Information option in its Router Advertisements will be considered 3021 to have a Home Agent Preference value of 0). 3023 Home Agent Lifetime 3025 16-bit unsigned integer. The lifetime associated with the home 3026 agent in units of seconds. The default value is the same as the 3027 Router Lifetime, as specified in the main body of the Router 3028 Advertisement. The maximum value corresponds to 18.2 hours. A 3029 value of 0 MUST NOT be used. The Home Agent Lifetime applies only 3030 to this router's usefulness as a home agent; it does not apply to 3031 information contained in other message fields or options. 3033 Home agents MAY include this option in their Router Advertisements. 3034 This option MUST NOT be included in a Router Advertisement in which 3035 the Home Agent (H) bit (see Section 7.1) is not set. If this option 3036 is not included in a Router Advertisement in which the Home Agent (H) 3037 bit is set, the lifetime for this home agent MUST be considered to be 3038 the same as the Router Lifetime in the Router Advertisement. If 3039 multiple Advertisements are being sent instead of a single larger 3040 unsolicited multicast Advertisement, all of the multiple 3041 Advertisements with the Router Address (R) bit set MUST include this 3042 option with the same contents, otherwise this option MUST be omitted 3043 from all Advertisements. 3045 This option MUST be silently ignored for other Neighbor Discovery 3046 messages. 3048 If both the Home Agent Preference and Home Agent Lifetime are set to 3049 their default values specified above, this option SHOULD NOT be 3050 included in the Router Advertisement messages sent by this home 3051 agent. 3053 7.5. Changes to Sending Router Advertisements 3055 The Neighbor Discovery protocol specification [18] limits routers to 3056 a minimum interval of 3 seconds between sending unsolicited multicast 3057 Router Advertisement messages from any given network interface 3058 (limited by MinRtrAdvInterval and MaxRtrAdvInterval), stating that: 3060 "Routers generate Router Advertisements frequently enough that 3061 hosts will learn of their presence within a few minutes, but not 3062 frequently enough to rely on an absence of advertisements to 3063 detect router failure; a separate Neighbor Unreachability 3064 Detection algorithm provides failure detection." 3066 This limitation, however, is not suitable to providing timely 3067 movement detection for mobile nodes. Mobile nodes detect their own 3068 movement by learning the presence of new routers as the mobile node 3069 moves into wireless transmission range of them (or physically 3070 connects to a new wired network), and by learning that previous 3071 routers are no longer reachable. Mobile nodes MUST be able to 3072 quickly detect when they move to a link served by a new router, so 3073 that they can acquire a new care-of address and send Binding Updates 3074 to register this care-of address with their home agent and to notify 3075 correspondent nodes as needed. 3077 One method which can provide for faster movement detection, is to 3078 increase the rate at which unsolicited Router Advertisements are 3079 sent. Mobile IPv6 relaxes this limit such that routers MAY send 3080 unsolicited multicast Router Advertisements more frequently. This 3081 method can be applied where the router is expecting to provide 3082 service to visiting mobile nodes (e.g., wireless network interfaces), 3083 or on which it is serving as a home agent to one or more mobile nodes 3084 (who may return home and need to hear its Advertisements). 3086 Routers supporting mobility SHOULD be able to be configured with a 3087 smaller MinRtrAdvInterval value and MaxRtrAdvInterval value to allow 3088 sending of unsolicited multicast Router Advertisements more often. 3089 The minimum allowed values are: 3091 o MinRtrAdvInterval 0.03 seconds 3092 o MaxRtrAdvInterval 0.07 seconds 3094 In the case where the minimum intervals and delays are used, the mean 3095 time between unsolicited multicast router advertisements is 50ms. 3096 Use of these modified limits MUST be configurable (see also the 3097 configuration variable MinDelayBetweenRas in Section 13 which may 3098 also have to be modified accordingly). Systems where these values 3099 are available MUST NOT default to them, and SHOULD default to values 3100 specified in RFC 4861. Knowledge of the type of network interface 3101 and operating environment SHOULD be taken into account in configuring 3102 these limits for each network interface. This is important with some 3103 wireless links, where increasing the frequency of multicast beacons 3104 can cause considerable overhead. Routers SHOULD adhere to the 3105 intervals specified in RFC 4861 [18], if this overhead is likely to 3106 cause service degradation. 3108 Additionally, the possible low values of MaxRtrAdvInterval may cause 3109 some problems with movement detection in some mobile nodes. To 3110 ensure that this is not a problem, Routers SHOULD add 20ms to any 3111 Advertisement Intervals sent in RAs, which are below 200 ms, in order 3112 to account for scheduling granularities on both the MN and the 3113 Router. 3115 Note that multicast Router Advertisements are not always required in 3116 certain wireless networks that have limited bandwidth. Mobility 3117 detection or link changes in such networks may be done at lower 3118 layers. Router advertisements in such networks SHOULD be sent only 3119 when solicited. In such networks it SHOULD be possible to disable 3120 unsolicited multicast Router Advertisements on specific interfaces. 3121 The MinRtrAdvInterval and MaxRtrAdvInterval in such a case can be set 3122 to some high values. 3124 Home agents MUST include the Source Link-Layer Address option in all 3125 Router Advertisements they send. This simplifies the process of 3126 returning home, as discussed in Section 11.5.4. 3128 Note that according to RFC 4861 [18], AdvDefaultLifetime is by 3129 default based on the value of MaxRtrAdvInterval. AdvDefaultLifetime 3130 is used in the Router Lifetime field of Router Advertisements. Given 3131 that this field is expressed in seconds, a small MaxRtrAdvInterval 3132 value can result in a zero value for this field. To prevent this, 3133 routers SHOULD keep AdvDefaultLifetime in at least one second, even 3134 if the use of MaxRtrAdvInterval would result in a smaller value. 3136 8. Requirements for Types of IPv6 Nodes 3138 Mobile IPv6 places some special requirements on the functions 3139 provided by different types of IPv6 nodes. This section summarizes 3140 those requirements, identifying the functionality each requirement is 3141 intended to support. 3143 The requirements are set for the following groups of nodes: 3145 o All IPv6 nodes. 3147 o All IPv6 nodes with support for route optimization. 3149 o All IPv6 routers. 3151 o All Mobile IPv6 home agents. 3153 o All Mobile IPv6 mobile nodes. 3155 It is outside the scope of this specification to specify which of 3156 these groups are mandatory in IPv6. We only describe what is 3157 mandatory for a node that supports, for instance, route optimization. 3158 Other specifications are expected to define the extent of IPv6. 3160 8.1. All IPv6 Nodes 3162 Any IPv6 node may at any time be a correspondent node of a mobile 3163 node, either sending a packet to a mobile node or receiving a packet 3164 from a mobile node. There are no Mobile IPv6 specific MUST 3165 requirements for such nodes, and basic IPv6 techniques are 3166 sufficient. If a mobile node attempts to set up route optimization 3167 with a node with only basic IPv6 support, an ICMP error will signal 3168 that the node does not support such optimizations (Section 11.3.5), 3169 and communications will flow through the home agent . 3171 An IPv6 node MUST NOT support the Home Address destination option, 3172 type 2 routing header, or the Mobility Header unless it fully 3173 supports the requirements listed in the next sections for either 3174 route optimization, mobile node, or home agent functionality. 3176 8.2. IPv6 Nodes with Support for Route Optimization 3178 Nodes that implement route optimization are a subset of all IPv6 3179 nodes on the Internet. The ability of a correspondent node to 3180 participate in route optimization is essential for the efficient 3181 operation of the IPv6 Internet, for the following reasons: 3183 o Avoidance of congestion in the home network, and enabling the use 3184 of lower-performance home agent equipment even for supporting 3185 thousands of mobile nodes. 3187 o Reduced network load across the entire Internet, as mobile devices 3188 begin to predominate. 3190 o Reduction of jitter and latency for the communications. 3192 o Greater likelihood of success for QoS signaling as tunneling is 3193 avoided and, again, fewer sources of congestion. 3195 o Improved robustness against network partitions, congestion, and 3196 other problems, since fewer routing path segments are traversed. 3198 These effects combine to enable much better performance and 3199 robustness for communications between mobile nodes and IPv6 3200 correspondent nodes. Route optimization introduces a small amount of 3201 additional state for the peers, some additional messaging, and up to 3202 1.5 roundtrip delays before it can be turned on. However, it is 3203 believed that the benefits far outweigh the costs in most cases. 3204 Section 11.3.1 discusses how mobile nodes may avoid route 3205 optimization for some of the remaining cases, such as very short-term 3206 communications. 3208 The following requirements apply to all correspondent nodes that 3209 support route optimization: 3211 o The node MUST be able to validate a Home Address option using an 3212 existing Binding Cache entry, as described in Section 9.3.1. 3214 o The node MUST be able to insert a type 2 routing header into 3215 packets to be sent to a mobile node, as described in 3216 Section 9.3.2. 3218 o Unless the correspondent node is also acting as a mobile node, it 3219 MUST ignore type 2 routing headers and silently discard all 3220 packets that it has received with such headers. 3222 o The node SHOULD be able to interpret ICMP messages as described in 3223 Section 9.3.4. 3225 o The node MUST be able to send Binding Error messages as described 3226 in Section 9.3.3. 3228 o The node MUST be able to process Mobility Headers as described in 3229 Section 9.2. 3231 o The node MUST be able to participate in a return routability 3232 procedure (Section 9.4). 3234 o The node MUST be able to process Binding Update messages 3235 (Section 9.5). 3237 o The node MUST be able to return a Binding Acknowledgement 3238 (Section 9.5.4). 3240 o The node MUST be able to maintain a Binding Cache of the bindings 3241 received in accepted Binding Updates, as described in Section 9.1 3242 and Section 9.6. 3244 o The node SHOULD allow route optimization to be administratively 3245 enabled or disabled. The default SHOULD be enabled. 3247 8.3. All IPv6 Routers 3249 All IPv6 routers, even those not serving as a home agent for Mobile 3250 IPv6, have an effect on how well mobile nodes can communicate: 3252 o Every IPv6 router SHOULD be able to send an Advertisement Interval 3253 option (Section 7.3) in each of its Router Advertisements [18], to 3254 aid movement detection by mobile nodes (as in Section 11.5.1). 3255 The use of this option in Router Advertisements SHOULD be 3256 configurable. 3258 o Every IPv6 router SHOULD be able to support sending unsolicited 3259 multicast Router Advertisements at the faster rate described in 3260 Section 7.5. If the router supports a faster rate, the used rate 3261 MUST be configurable. 3263 o Each router SHOULD include at least one prefix with the Router 3264 Address (R) bit set and with its full IP address in its Router 3265 Advertisements (as described in Section 7.2). 3267 o Routers supporting filtering packets with routing headers SHOULD 3268 support different rules for type 0 and type 2 routing headers (see 3269 Section 6.4) so that filtering of source routed packets (type 0) 3270 will not necessarily limit Mobile IPv6 traffic which is delivered 3271 via type 2 routing headers. 3273 8.4. IPv6 Home Agents 3275 In order for a mobile node to operate correctly while away from home, 3276 at least one IPv6 router on the mobile node's home link must function 3277 as a home agent for the mobile node. The following additional 3278 requirements apply to all IPv6 routers that serve as a home agent: 3280 o Every home agent MUST be able to maintain an entry in its Binding 3281 Cache for each mobile node for which it is serving as the home 3282 agent (Section 10.1 and Section 10.3.1). 3284 o Every home agent MUST be able to intercept packets (using proxy 3285 Neighbor Discovery [18]) addressed to a mobile node for which it 3286 is currently serving as the home agent, on that mobile node's home 3287 link, while the mobile node is away from home (Section 10.4.1). 3289 o Every home agent MUST be able to encapsulate [9] such intercepted 3290 packets in order to tunnel them to the primary care-of address for 3291 the mobile node indicated in its binding in the home agent's 3292 Binding Cache (Section 10.4.2). 3294 o Every home agent MUST support decapsulating [9] reverse tunneled 3295 packets sent to it from a mobile node's home address. Every home 3296 agent MUST also check that the source address in the tunneled 3297 packets corresponds to the currently registered location of the 3298 mobile node (Section 10.4.5). 3300 o The node MUST be able to process Mobility Headers as described in 3301 Section 10.2. 3303 o Every home agent MUST be able to return a Binding Acknowledgement 3304 in response to a Binding Update (Section 10.3.1). 3306 o Every home agent MUST maintain a separate Home Agents List for 3307 each link on which it is serving as a home agent, as described in 3308 Section 10.1 and Section 10.5.1. 3310 o Every home agent MUST be able to accept packets addressed to the 3311 Mobile IPv6 Home-Agents anycast address [10] for the subnet on 3312 which it is serving as a home agent, and MUST be able to 3313 participate in dynamic home agent address discovery 3314 (Section 10.5). 3316 o Every home agent SHOULD support a configuration mechanism to allow 3317 a system administrator to manually set the value to be sent by 3318 this home agent in the Home Agent Preference field of the Home 3319 Agent Information Option in Router Advertisements that it sends 3320 (Section 7.4). 3322 o Every home agent SHOULD support sending ICMP Mobile Prefix 3323 Advertisements (Section 6.8), and SHOULD respond to Mobile Prefix 3324 Solicitations (Section 6.7). If supported, this behavior MUST be 3325 configurable, so that home agents can be configured to avoid 3326 sending such Prefix Advertisements according to the needs of the 3327 network administration in the home domain. 3329 o Every home agent MUST support IPsec ESP for protection of packets 3330 belonging to the return routability procedure (Section 10.4.6). 3332 o Every home agent SHOULD support the multicast group membership 3333 control protocols as described in Section 10.4.3. If this support 3334 is provided, the home agent MUST be capable of using it to 3335 determine which multicast data packets to forward via the tunnel 3336 to the mobile node. 3338 o Home agents MAY support stateful address autoconfiguration for 3339 mobile nodes as described in Section 10.4.4. 3341 8.5. IPv6 Mobile Nodes 3343 Finally, the following requirements apply to all IPv6 nodes capable 3344 of functioning as mobile nodes: 3346 o The node MUST maintain a Binding Update List (Section 11.1). 3348 o The node MUST support sending packets containing a Home Address 3349 option (Section 11.3.1), and follow the required IPsec interaction 3350 (Section 11.3.2). 3352 o The node MUST be able to perform IPv6 encapsulation and 3353 decapsulation [9]. 3355 o The node MUST be able to process type 2 routing header as defined 3356 in Section 6.4 and Section 11.3.3. 3358 o The node MUST support receiving a Binding Error message 3359 (Section 11.3.6). 3361 o The node MUST support receiving ICMP errors (Section 11.3.5). 3363 o The node MUST support movement detection, care-of address 3364 formation, and returning home (Section 11.5). 3366 o The node MUST be able to process Mobility Headers as described in 3367 Section 11.2. 3369 o The node MUST support the return routability procedure 3370 (Section 11.6). 3372 o The node MUST be able to send Binding Updates, as specified in 3373 Section 11.7.1 and Section 11.7.2. 3375 o The node MUST be able to receive and process Binding 3376 Acknowledgements, as specified in Section 11.7.3. 3378 o The node MUST support receiving a Binding Refresh Request 3379 (Section 6.1.2), by responding with a Binding Update. 3381 o The node MUST support receiving Mobile Prefix Advertisements 3382 (Section 11.4.3) and reconfiguring its home address based on the 3383 prefix information contained therein. 3385 o The node SHOULD support use of the dynamic home agent address 3386 discovery mechanism, as described in Section 11.4.1. 3388 o The node MUST allow route optimization to be administratively 3389 enabled or disabled. The default SHOULD be enabled. 3391 o The node MAY support the multicast address listener part of a 3392 multicast group membership protocol as described in 3393 Section 11.3.4. If this support is provided, the mobile node MUST 3394 be able to receive tunneled multicast packets from the home agent. 3396 o The node MAY support stateful address autoconfiguration mechanisms 3397 such as DHCPv6 [27] on the interface represented by the tunnel to 3398 the home agent. 3400 9. Correspondent Node Operation 3402 9.1. Conceptual Data Structures 3404 IPv6 nodes with route optimization support maintain a Binding Cache 3405 of bindings for other nodes. A separate Binding Cache SHOULD be 3406 maintained by each IPv6 node for each of its unicast routable 3407 addresses. The Binding Cache MAY be implemented in any manner 3408 consistent with the external behavior described in this document, for 3409 example by being combined with the node's Destination Cache as 3410 maintained by Neighbor Discovery [18]. When sending a packet, the 3411 Binding Cache is searched before the Neighbor Discovery conceptual 3412 Destination Cache [18]. 3414 Each Binding Cache entry conceptually contains the following fields: 3416 o The home address of the mobile node for which this is the Binding 3417 Cache entry. This field is used as the key for searching the 3418 Binding Cache for the destination address of a packet being sent. 3420 o The care-of address for the mobile node indicated by the home 3421 address field in this Binding Cache entry. 3423 o A lifetime value, indicating the remaining lifetime for this 3424 Binding Cache entry. The lifetime value is initialized from the 3425 Lifetime field in the Binding Update that created or last modified 3426 this Binding Cache entry. 3428 o A flag indicating whether or not this Binding Cache entry is a 3429 home registration entry (applicable only on nodes which support 3430 home agent functionality). 3432 o The maximum value of the Sequence Number field received in 3433 previous Binding Updates for this home address. The Sequence 3434 Number field is 16 bits long. Sequence Number values MUST be 3435 compared modulo 2**16 as explained in Section 9.5.1. 3437 o Usage information for this Binding Cache entry. This is needed to 3438 implement the cache replacement policy in use in the Binding 3439 Cache. Recent use of a cache entry also serves as an indication 3440 that a Binding Refresh Request should be sent when the lifetime of 3441 this entry nears expiration. 3443 Binding Cache entries not marked as home registrations MAY be 3444 replaced at any time by any reasonable local cache replacement policy 3445 but SHOULD NOT be unnecessarily deleted. The Binding Cache for any 3446 one of a node's IPv6 addresses may contain at most one entry for each 3447 mobile node home address. The contents of a node's Binding Cache 3448 MUST NOT be changed in response to a Home Address option in a 3449 received packet. 3451 9.2. Processing Mobility Headers 3453 Mobility Header processing MUST observe the following rules: 3455 o The checksum must be verified as per Section 6.1. Otherwise, the 3456 node MUST silently discard the message. 3458 o The MH Type field MUST have a known value (Section 6.1.1). 3459 Otherwise, the node MUST discard the message and issue a Binding 3460 Error message as described in Section 9.3.3, with Status field set 3461 to 2 (unrecognized MH Type value). 3463 o The Payload Proto field MUST be IPPROTO_NONE (59 decimal). 3464 Otherwise, the node MUST discard the message and SHOULD send ICMP 3465 Parameter Problem, Code 0, directly to the Source Address of the 3466 packet as specified in RFC 4443 [17]. Thus no Binding Cache 3467 information is used in sending the ICMP message. The Pointer 3468 field in the ICMP message SHOULD point at the Payload Proto field. 3470 o The Header Len field in the Mobility Header MUST NOT be less than 3471 the length specified for this particular type of message in 3472 Section 6.1. Otherwise, the node MUST discard the message and 3473 SHOULD send ICMP Parameter Problem, Code 0, directly to the Source 3474 Address of the packet as specified in RFC 4443 [17]. (The Binding 3475 Cache information is again not used.) The Pointer field in the 3476 ICMP message SHOULD point at the Header Len field. 3478 Subsequent checks depend on the particular Mobility Header. 3480 9.3. Packet Processing 3482 This section describes how the correspondent node sends packets to 3483 the mobile node, and receives packets from it. 3485 9.3.1. Receiving Packets with Home Address Option 3487 Packets containing a Home Address option MUST be dropped if the given 3488 home address is not a unicast routable address. 3490 Mobile nodes can include a Home Address destination option in a 3491 packet if they believe the correspondent node has a Binding Cache 3492 entry for the home address of a mobile node. Packets containing a 3493 Home Address option MUST be dropped if there is no corresponding 3494 Binding Cache entry. A corresponding Binding Cache entry MUST have 3495 the same home address as appears in the Home Address destination 3496 option, and the currently registered care-of address MUST be equal to 3497 the source address of the packet. These tests MUST NOT be done for 3498 packets that contain a Home Address option and a Binding Update. 3500 If the packet is dropped due the above tests, the correspondent node 3501 MUST send the Binding Error message as described in Section 9.3.3. 3502 The Status field in this message should be set to 1 (unknown binding 3503 for Home Address destination option). 3505 The correspondent node MUST process the option in a manner consistent 3506 with exchanging the Home Address field from the Home Address option 3507 into the IPv6 header and replacing the original value of the Source 3508 Address field there. After all IPv6 options have been processed, it 3509 MUST be possible for upper layers to process the packet without the 3510 knowledge that it came originally from a care-of address or that a 3511 Home Address option was used. 3513 The use of IPsec Authentication Header (AH) for the Home Address 3514 option is not required, except that if the IPv6 header of a packet is 3515 covered by AH, then the authentication MUST also cover the Home 3516 Address option; this coverage is achieved automatically by the 3517 definition of the Option Type code for the Home Address option, since 3518 it indicates that the data within the option cannot change en route 3519 to the packet's final destination, and thus the option is included in 3520 the AH computation. By requiring that any authentication of the IPv6 3521 header also cover the Home Address option, the security of the Source 3522 Address field in the IPv6 header is not compromised by the presence 3523 of a Home Address option. 3525 When attempting to verify AH authentication data in a packet that 3526 contains a Home Address option, the receiving node MUST calculate the 3527 AH authentication data as if the following were true: The Home 3528 Address option contains the care-of address, and the source IPv6 3529 address field of the IPv6 header contains the home address. This 3530 conforms with the calculation specified in Section 11.3.2. 3532 9.3.2. Sending Packets to a Mobile Node 3534 Before sending any packet, the sending node SHOULD examine its 3535 Binding Cache for an entry for the destination address to which the 3536 packet is being sent. If the sending node has a Binding Cache entry 3537 for this address, the sending node SHOULD use a type 2 routing header 3538 to route the packet to this mobile node (the destination node) by way 3539 of its care-of address. However, the sending node MUST NOT do this 3540 in the following cases: 3542 o When sending an IPv6 Neighbor Discovery [18] packet. 3544 o Where otherwise noted in Section 6.1. 3546 When calculating authentication data in a packet that contains a type 3547 2 routing header, the correspondent node MUST calculate the AH 3548 authentication data as if the following were true: The routing header 3549 contains the care-of address, the destination IPv6 address field of 3550 the IPv6 header contains the home address, and the Segments Left 3551 field is zero. The IPsec Security Policy Database lookup MUST based 3552 on the mobile node's home address. 3554 For instance, assuming there are no additional routing headers in 3555 this packet beyond those needed by Mobile IPv6, the correspondent 3556 node could set the fields in the packet's IPv6 header and routing 3557 header as follows: 3559 o The Destination Address in the packet's IPv6 header is set to the 3560 mobile node's home address (the original destination address to 3561 which the packet was being sent). 3563 o The routing header is initialized to contain a single route 3564 segment, containing the mobile node's care-of address copied from 3565 the Binding Cache entry. The Segments Left field is, however, 3566 temporarily set to zero. 3568 The IP layer will insert the routing header before performing any 3569 necessary IPsec processing. Once all IPsec processing has been 3570 performed, the node swaps the IPv6 destination field with the Home 3571 Address field in the routing header, sets the Segments Left field to 3572 one, and sends the packet. This ensures the AH calculation is done 3573 on the packet in the form it will have on the receiver after 3574 advancing the routing header. 3576 Following the definition of a type 2 routing header in Section 6.4, 3577 this packet will be routed to the mobile node's care-of address, 3578 where it will be delivered to the mobile node (the mobile node has 3579 associated the care-of address with its network interface). 3581 Note that following the above conceptual model in an implementation 3582 creates some additional requirements for path MTU discovery since the 3583 layer that decides the packet size (e.g., TCP and applications using 3584 UDP) needs to be aware of the size of the headers added by the IP 3585 layer on the sending node. 3587 If, instead, the sending node has no Binding Cache entry for the 3588 destination address to which the packet is being sent, the sending 3589 node simply sends the packet normally, with no routing header. If 3590 the destination node is not a mobile node (or is a mobile node that 3591 is currently at home), the packet will be delivered directly to this 3592 node and processed normally by it. If, however, the destination node 3593 is a mobile node that is currently away from home, the packet will be 3594 intercepted by the mobile node's home agent and tunneled to the 3595 mobile node's current primary care-of address. 3597 9.3.3. Sending Binding Error Messages 3599 Section 9.2 and Section 9.3.1 describe error conditions that lead to 3600 a need to send a Binding Error message. 3602 A Binding Error message is sent directly to the address that appeared 3603 in the IPv6 Source Address field of the offending packet. If the 3604 Source Address field does not contain a unicast address, the Binding 3605 Error message MUST NOT be sent. 3607 The Home Address field in the Binding Error message MUST be copied 3608 from the Home Address field in the Home Address destination option of 3609 the offending packet, or set to the unspecified address if no such 3610 option appeared in the packet. 3612 Note that the IPv6 Source Address and Home Address field values 3613 discussed above are the values from the wire, i.e., before any 3614 modifications possibly performed as specified in Section 9.3.1. 3616 Binding Error messages SHOULD be subject to rate limiting in the same 3617 manner as is done for ICMPv6 messages [17]. 3619 9.3.4. Receiving ICMP Error Messages 3621 When the correspondent node has a Binding Cache entry for a mobile 3622 node, all traffic destined to the mobile node goes directly to the 3623 current care-of address of the mobile node using a routing header. 3624 Any ICMP error message caused by packets on their way to the care-of 3625 address will be returned in the normal manner to the correspondent 3626 node. 3628 On the other hand, if the correspondent node has no Binding Cache 3629 entry for the mobile node, the packet will be routed through the 3630 mobile node's home link. Any ICMP error message caused by the packet 3631 on its way to the mobile node while in the tunnel, will be 3632 transmitted to the mobile node's home agent. By the definition of 3633 IPv6 encapsulation [9], the home agent MUST relay certain ICMP error 3634 messages back to the original sender of the packet, which in this 3635 case is the correspondent node. 3637 Thus, in all cases, any meaningful ICMP error messages caused by 3638 packets from a correspondent node to a mobile node will be returned 3639 to the correspondent node. If the correspondent node receives 3640 persistent ICMP Destination Unreachable messages after sending 3641 packets to a mobile node based on an entry in its Binding Cache, the 3642 correspondent node SHOULD delete this Binding Cache entry. Note that 3643 if the mobile node continues to send packets with the Home Address 3644 destination option to this correspondent node, they will be dropped 3645 due to the lack of a binding. For this reason it is important that 3646 only persistent ICMP messages lead to the deletion of the Binding 3647 Cache entry. 3649 9.4. Return Routability Procedure 3651 This subsection specifies actions taken by a correspondent node 3652 during the return routability procedure. 3654 9.4.1. Receiving Home Test Init Messages 3656 Upon receiving a Home Test Init message, the correspondent node 3657 verifies the following: 3659 o The packet MUST NOT include a Home Address destination option. 3661 Any packet carrying a Home Test Init message which fails to satisfy 3662 all of these tests MUST be silently ignored. 3664 Otherwise, in preparation for sending the corresponding Home Test 3665 Message, the correspondent node checks that it has the necessary 3666 material to engage in a return routability procedure, as specified in 3667 Section 5.2. The correspondent node MUST have a secret Kcn and a 3668 nonce. If it does not have this material yet, it MUST produce it 3669 before continuing with the return routability procedure. 3671 Section 9.4.3 specifies further processing. 3673 9.4.2. Receiving Care-of Test Init Messages 3675 Upon receiving a Care-of Test Init message, the correspondent node 3676 verifies the following: 3678 o The packet MUST NOT include a Home Address destination option. 3680 Any packet carrying a Care-of Test Init message which fails to 3681 satisfy all of these tests MUST be silently ignored. 3683 Otherwise, in preparation for sending the corresponding Care-of Test 3684 Message, the correspondent node checks that it has the necessary 3685 material to engage in a return routability procedure in the manner 3686 described in Section 9.4.1. 3688 Section 9.4.4 specifies further processing. 3690 9.4.3. Sending Home Test Messages 3692 The correspondent node creates a home keygen token and uses the 3693 current nonce index as the Home Nonce Index. It then creates a Home 3694 Test message (Section 6.1.5) and sends it to the mobile node at the 3695 latter's home address. 3697 9.4.4. Sending Care-of Test Messages 3699 The correspondent node creates a care-of keygen token and uses the 3700 current nonce index as the Care-of Nonce Index. It then creates a 3701 Care-of Test message (Section 6.1.6) and sends it to the mobile node 3702 at the latter's care-of address. 3704 9.5. Processing Bindings 3706 This section explains how the correspondent node processes messages 3707 related to bindings. These messages are: 3709 o Binding Update 3711 o Binding Refresh Request 3713 o Binding Acknowledgement 3715 o Binding Error 3717 9.5.1. Receiving Binding Updates 3719 Before accepting a Binding Update, the receiving node MUST validate 3720 the Binding Update according to the following tests: 3722 o The packet MUST contain a unicast routable home address, either in 3723 the Home Address option or in the Source Address, if the Home 3724 Address option is not present. 3726 o The Sequence Number field in the Binding Update is greater than 3727 the Sequence Number received in the previous valid Binding Update 3728 for this home address, if any. 3730 If the receiving node has no Binding Cache entry for the indicated 3731 home address, it MUST accept any Sequence Number value in a 3732 received Binding Update from this mobile node. 3734 This Sequence Number comparison MUST be performed modulo 2**16, 3735 i.e., the number is a free running counter represented modulo 3736 65536. A Sequence Number in a received Binding Update is 3737 considered less than or equal to the last received number if its 3738 value lies in the range of the last received number and the 3739 preceding 32768 values, inclusive. For example, if the last 3740 received sequence number was 15, then messages with sequence 3741 numbers 0 through 15, as well as 32783 through 65535, would be 3742 considered less than or equal. 3744 When the Home Registration (H) bit is not set, the following are also 3745 required: 3747 o A Nonce Indices mobility option MUST be present, and the Home and 3748 Care-of Nonce Index values in this option MUST be recent enough to 3749 be recognized by the correspondent node. (Care-of Nonce Index 3750 values are not inspected for requests to delete a binding.) 3752 o The correspondent node MUST re-generate the home keygen token and 3753 the care-of keygen token from the information contained in the 3754 packet. It then generates the binding management key Kbm and uses 3755 it to verify the authenticator field in the Binding Update as 3756 specified in Section 6.1.7. 3758 o The Binding Authorization Data mobility option MUST be present, 3759 and its contents MUST satisfy rules presented in Section 5.2.6. 3760 Note that a care-of address different from the Source Address MAY 3761 have been specified by including an Alternate Care-of Address 3762 mobility option in the Binding Update. When such a message is 3763 received and the return routability procedure is used as an 3764 authorization method, the correspondent node MUST verify the 3765 authenticator by using the address within the Alternate Care-of 3766 Address in the calculations. 3768 o The Binding Authorization Data mobility option MUST be the last 3769 option and MUST NOT have trailing padding. 3771 If the Home Registration (H) bit is set, the Nonce Indices mobility 3772 option MUST NOT be present. 3774 If the mobile node sends a sequence number which is not greater than 3775 the sequence number from the last valid Binding Update for this home 3776 address, then the receiving node MUST send back a Binding 3777 Acknowledgement with status code 135, and the last accepted sequence 3778 number in the Sequence Number field of the Binding Acknowledgement. 3780 If a binding already exists for the given home address and the home 3781 registration flag has a different value than the Home Registration 3782 (H) bit in the Binding Update, then the receiving node MUST send back 3783 a Binding Acknowledgement with status code 139 (registration type 3784 change disallowed). The home registration flag stored in the Binding 3785 Cache entry MUST NOT be changed. 3787 If the receiving node no longer recognizes the Home Nonce Index 3788 value, Care-of Nonce Index value, or both values from the Binding 3789 Update, then the receiving node MUST send back a Binding 3790 Acknowledgement with status code 136, 137, or 138, respectively. 3792 Packets carrying Binding Updates that fail to satisfy all of these 3793 tests for any reason other than insufficiency of the Sequence Number, 3794 registration type change, or expired nonce index values, MUST be 3795 silently discarded. 3797 If the Binding Update is valid according to the tests above, then the 3798 Binding Update is processed further as follows: 3800 o The Sequence Number value received from a mobile node in a Binding 3801 Update is stored by the receiving node in its Binding Cache entry 3802 for the given home address. 3804 o If the Lifetime specified in the Binding Update is nonzero and the 3805 specified care-of address is not equal to the home address for the 3806 binding, then this is a request to cache a binding for the home 3807 address. If the Home Registration (H) bit is set in the Binding 3808 Update, the Binding Update is processed according to the procedure 3809 specified in Section 10.3.1; otherwise, it is processed according 3810 to the procedure specified in Section 9.5.2. 3812 o If the Lifetime specified in the Binding Update is zero or the 3813 specified care-of address matches the home address for the 3814 binding, then this is a request to delete the cached binding for 3815 the home address. In this case, the Binding Update MUST include a 3816 valid home nonce index, and the care-of nonce index MUST be 3817 ignored by the correspondent node. The generation of the binding 3818 management key depends then exclusively on the home keygen token 3819 (Section 5.2.5). If the Home Registration (H) bit is set in the 3820 Binding Update, the Binding Update is processed according to the 3821 procedure specified in Section 10.3.2; otherwise, it is processed 3822 according to the procedure specified in Section 9.5.3. 3824 The specified care-of address MUST be determined as follows: 3826 o If the Alternate Care-of Address option is present, the care-of 3827 address is the address in that option. 3829 o Otherwise, the care-of address is the Source Address field in the 3830 packet's IPv6 header. 3832 The home address for the binding MUST be determined as follows: 3834 o If the Home Address destination option is present, the home 3835 address is the address in that option. 3837 o Otherwise, the home address is the Source Address field in the 3838 packet's IPv6 header. 3840 9.5.2. Requests to Cache a Binding 3842 This section describes the processing of a valid Binding Update that 3843 requests a node to cache a binding, for which the Home Registration 3844 (H) bit is not set in the Binding Update. 3846 In this case, the receiving node SHOULD create a new entry in its 3847 Binding Cache for this home address, or update its existing Binding 3848 Cache entry for this home address, if such an entry already exists. 3849 The lifetime for the Binding Cache entry is initialized from the 3850 Lifetime field specified in the Binding Update, although this 3851 lifetime MAY be reduced by the node caching the binding; the lifetime 3852 for the Binding Cache entry MUST NOT be greater than the Lifetime 3853 value specified in the Binding Update. Any Binding Cache entry MUST 3854 be deleted after the expiration of its lifetime. 3856 Note that if the mobile node did not request a Binding 3857 Acknowledgement, then it is not aware of the selected shorter 3858 lifetime. The mobile node may thus use route optimization and send 3859 packets with the Home Address destination option. As discussed in 3860 Section 9.3.1, such packets will be dropped if there is no binding. 3861 This situation is recoverable, but can cause temporary packet loss. 3863 The correspondent node MAY refuse to accept a new Binding Cache entry 3864 if it does not have sufficient resources. A new entry MAY also be 3865 refused if the correspondent node believes its resources are utilized 3866 more efficiently in some other purpose, such as serving another 3867 mobile node with higher amount of traffic. In both cases the 3868 correspondent node SHOULD return a Binding Acknowledgement with 3869 status value 130. 3871 9.5.3. Requests to Delete a Binding 3873 This section describes the processing of a valid Binding Update that 3874 requests a node to delete a binding when the Home Registration (H) 3875 bit is not set in the Binding Update. 3877 Any existing binding for the given home address MUST be deleted. A 3878 Binding Cache entry for the home address MUST NOT be created in 3879 response to receiving the Binding Update. 3881 If the Binding Cache entry was created by use of return routability 3882 nonces, the correspondent node MUST ensure that the same nonces are 3883 not used again with the particular home and care-of address. If both 3884 nonces are still valid, the correspondent node has to remember the 3885 particular combination of nonce indexes, addresses, and sequence 3886 number as illegal until at least one of the nonces has become too 3887 old. 3889 9.5.4. Sending Binding Acknowledgements 3891 A Binding Acknowledgement may be sent to indicate receipt of a 3892 Binding Update as follows: 3894 o If the Binding Update was discarded as described in Section 9.2 or 3895 Section 9.5.1, a Binding Acknowledgement MUST NOT be sent. 3896 Otherwise the treatment depends on the following rules. 3898 o If the Acknowledge (A) bit set is set in the Binding Update, a 3899 Binding Acknowledgement MUST be sent. Otherwise, the treatment 3900 depends on the below rule. 3902 o If the node rejects the Binding Update due to an expired nonce 3903 index, sequence number being out of window (Section 9.5.1), or 3904 insufficiency of resources (Section 9.5.2), a Binding 3905 Acknowledgement MUST be sent. If the node accepts the Binding 3906 Update, the Binding Acknowledgement SHOULD NOT be sent. 3908 If the node accepts the Binding Update and creates or updates an 3909 entry for this binding, the Status field in the Binding 3910 Acknowledgement MUST be set to a value less than 128. Otherwise, the 3911 Status field MUST be set to a value greater than or equal to 128. 3912 Values for the Status field are described in Section 6.1.8 and in the 3913 IANA registry of assigned numbers [12]. 3915 If the Status field in the Binding Acknowledgement contains the value 3916 136 (expired home nonce index), 137 (expired care-of nonce index), or 3917 138 (expired nonces) then the message MUST NOT include the Binding 3918 Authorization Data mobility option. Otherwise, the Binding 3919 Authorization Data mobility option MUST be included, and MUST meet 3920 the specific authentication requirements for Binding Acknowledgements 3921 as defined in Section 5.2. 3923 If the Source Address field of the IPv6 header that carried the 3924 Binding Update does not contain a unicast address, the Binding 3925 Acknowledgement MUST NOT be sent and the Binding Update packet MUST 3926 be silently discarded. Otherwise, the acknowledgement MUST be sent 3927 to the Source Address. Unlike the treatment of regular packets, this 3928 addressing procedure does not use information from the Binding Cache. 3930 However, a routing header is needed in some cases. If the Source 3931 Address is the home address of the mobile node, i.e., the Binding 3932 Update did not contain a Home Address destination option, then the 3933 Binding Acknowledgement MUST be sent to that address and the routing 3934 header MUST NOT be used. Otherwise, the Binding Acknowledgement MUST 3935 be sent using a type 2 routing header which contains the mobile 3936 node's home address. 3938 9.5.5. Sending Binding Refresh Requests 3940 If a Binding Cache entry being deleted is still in active use when 3941 sending packets to a mobile node, then the next packet sent to the 3942 mobile node will be routed normally to the mobile node's home link. 3943 Communication with the mobile node continues, but the tunneling from 3944 the home network creates additional overhead and latency in 3945 delivering packets to the mobile node. 3947 If the sender knows that the Binding Cache entry is still in active 3948 use, it MAY send a Binding Refresh Request message to the mobile node 3949 in an attempt to avoid this overhead and latency due to deleting and 3950 recreating the Binding Cache entry. This message is always sent to 3951 the home address of the mobile node. 3953 The correspondent node MAY retransmit Binding Refresh Request 3954 messages as long as the rate limitation is applied. The 3955 correspondent node MUST stop retransmitting when it receives a 3956 Binding Update. 3958 9.6. Cache Replacement Policy 3960 Conceptually, a node maintains a separate timer for each entry in its 3961 Binding Cache. When creating or updating a Binding Cache entry in 3962 response to a received and accepted Binding Update, the node sets the 3963 timer for this entry to the specified Lifetime period. Any entry in 3964 a node's Binding Cache MUST be deleted after the expiration of the 3965 Lifetime specified in the Binding Update from which the entry was 3966 created or last updated. 3968 Each node's Binding Cache will, by necessity, have a finite size. A 3969 node MAY use any reasonable local policy for managing the space 3970 within its Binding Cache. 3972 A node MAY choose to drop any entry already in its Binding Cache in 3973 order to make space for a new entry. For example, a "least-recently 3974 used" (LRU) strategy for cache entry replacement among entries should 3975 work well, unless the size of the Binding Cache is substantially 3976 insufficient. When entries are deleted, the correspondent node MUST 3977 follow the rules in Section 5.2.8 in order to guard the return 3978 routability procedure against replay attacks. 3980 If the node sends a packet to a destination for which it has dropped 3981 the entry from its Binding Cache, the packet will be routed through 3982 the mobile node's home link. The mobile node can detect this and 3983 establish a new binding if necessary. 3985 However, if the mobile node believes that the binding still exists, 3986 it may use route optimization and send packets with the Home Address 3987 destination option. This can create temporary packet loss, as 3988 discussed earlier, in the context of binding lifetime reductions 3989 performed by the correspondent node (Section 9.5.2). 3991 10. Home Agent Operation 3993 10.1. Conceptual Data Structures 3995 Each home agent MUST maintain a Binding Cache and Home Agents List. 3997 The rules for maintaining a Binding Cache are the same for home 3998 agents and correspondent nodes and have already been described in 3999 Section 9.1. 4001 The Home Agents List is maintained by each home agent, recording 4002 information about each router on the same link that is acting as a 4003 home agent. This list is used by the dynamic home agent address 4004 discovery mechanism. A router is known to be acting as a home agent, 4005 if it sends a Router Advertisement in which the Home Agent (H) bit is 4006 set. When the lifetime for a list entry (defined below) expires, 4007 that entry is removed from the Home Agents List. The Home Agents 4008 List is similar to the Default Router List conceptual data structure 4009 maintained by each host for Neighbor Discovery [18]. The Home Agents 4010 List MAY be implemented in any manner consistent with the external 4011 behavior described in this document. 4013 Each home agent maintains a separate Home Agents List for each link 4014 on which it is serving as a home agent. A new entry is created or an 4015 existing entry is updated in response to receipt of a valid Router 4016 Advertisement in which the Home Agent (H) bit is set. Each Home 4017 Agents List entry conceptually contains the following fields: 4019 o The link-local IP address of a home agent on the link. This 4020 address is learned through the Source Address of the Router 4021 Advertisements [18] received from the router. 4023 o One or more global IP addresses for this home agent. Global 4024 addresses are learned through Prefix Information options with the 4025 Router Address (R) bit set and received in Router Advertisements 4026 from this link-local address. Global addresses for the router in 4027 a Home Agents List entry MUST be deleted once the prefix 4028 associated with that address is no longer valid [18]. 4030 o The remaining lifetime of this Home Agents List entry. If a Home 4031 Agent Information Option is present in a Router Advertisement 4032 received from a home agent, the lifetime of the Home Agents List 4033 entry representing that home agent is initialized from the Home 4034 Agent Lifetime field in the option (if present); otherwise, the 4035 lifetime is initialized from the Router Lifetime field in the 4036 received Router Advertisement. If Home Agents List entry lifetime 4037 reaches zero, the entry MUST be deleted from the Home Agents List. 4039 o The preference for this home agent; higher values indicate a more 4040 preferable home agent. The preference value is taken from the 4041 Home Agent Preference field in the received Router Advertisement, 4042 if the Router Advertisement contains a Home Agent Information 4043 Option and is otherwise set to the default value of 0. A home 4044 agent uses this preference in ordering the Home Agents List when 4045 it sends an ICMP Home Agent Address Discovery message. 4047 10.2. Processing Mobility Headers 4049 All IPv6 home agents MUST observe the rules described in Section 9.2 4050 when processing Mobility Headers. 4052 10.3. Processing Bindings 4054 10.3.1. Primary Care-of Address Registration 4056 When a node receives a Binding Update, it MUST validate it and 4057 determine the type of Binding Update according to the steps described 4058 in Section 9.5.1. Furthermore, it MUST authenticate the Binding 4059 Update as described in Section 5.1. An authorization step specific 4060 for the home agent is also needed to ensure that only the right node 4061 can control a particular home address. This is provided through the 4062 home address unequivocally identifying the security association that 4063 must be used. 4065 This section describes the processing of a valid and authorized 4066 Binding Update when it requests the registration of the mobile node's 4067 primary care-of address. 4069 To begin processing the Binding Update, the home agent MUST perform 4070 the following sequence of tests: 4072 o If the node implements only correspondent node functionality, or 4073 has not been configured to act as a home agent, then the node MUST 4074 reject the Binding Update. The node MUST also return a Binding 4075 Acknowledgement to the mobile node, in which the Status field is 4076 set to 131 (home registration not supported). 4078 o Else, if the home address for the binding (the Home Address field 4079 in the packet's Home Address option) is not an on-link IPv6 4080 address with respect to the home agent's current Prefix List, then 4081 the home agent MUST reject the Binding Update and SHOULD return a 4082 Binding Acknowledgement to the mobile node, in which the Status 4083 field is set to 132 (not home subnet). 4085 o Else, if the home agent chooses to reject the Binding Update for 4086 any other reason (e.g., insufficient resources to serve another 4087 mobile node as a home agent), then the home agent SHOULD return a 4088 Binding Acknowledgement to the mobile node, in which the Status 4089 field is set to an appropriate value to indicate the reason for 4090 the rejection. 4092 o A Home Address destination option MUST be present in the message. 4093 It MUST be validated as described in Section 9.3.1 with the 4094 following additional rule. The Binding Cache entry existence test 4095 MUST NOT be done for IPsec packets when the Home Address option 4096 contains an address for which the receiving node could act as a 4097 home agent. 4099 If home agent accepts the Binding Update, it MUST then create a new 4100 entry in its Binding Cache for this mobile node or update its 4101 existing Binding Cache entry, if such an entry already exists. The 4102 Home Address field as received in the Home Address option provides 4103 the home address of the mobile node. 4105 The home agent MUST mark this Binding Cache entry as a home 4106 registration to indicate that the node is serving as a home agent for 4107 this binding. Binding Cache entries marked as a home registration 4108 MUST be excluded from the normal cache replacement policy used for 4109 the Binding Cache (Section 9.6) and MUST NOT be removed from the 4110 Binding Cache until the expiration of the Lifetime period. 4112 Unless this home agent already has a binding for the given home 4113 address, the home agent MUST perform Duplicate Address Detection [19] 4114 on the mobile node's home link before returning the Binding 4115 Acknowledgement. This ensures that no other node on the home link 4116 was using the mobile node's home address when the Binding Update 4117 arrived. If this Duplicate Address Detection fails for the given 4118 home address or an associated link local address, then the home agent 4119 MUST reject the complete Binding Update and MUST return a Binding 4120 Acknowledgement to the mobile node, in which the Status field is set 4121 to 134 (Duplicate Address Detection failed). When the home agent 4122 sends a successful Binding Acknowledgement to the mobile node, the 4123 home agent assures to the mobile node that its address(es) will be 4124 kept unique by the home agent for as long as the lifetime was granted 4125 for the binding. 4127 The specific addresses, which are to be tested before accepting the 4128 Binding Update and later to be defended by performing Duplicate 4129 Address Detection, depend on the setting of the Link-Local Address 4130 Compatibility (L) bit, as follows: 4132 o L=0: Defend only the given address. Do not derive a link-local 4133 address. 4135 o L=1: Defend both the given non link-local unicast (home) address 4136 and the derived link-local. The link-local address is derived by 4137 replacing the subnet prefix in the mobile node's home address with 4138 the link-local prefix. 4140 The lifetime of the Binding Cache entry depends on a number of 4141 factors: 4143 o The lifetime for the Binding Cache entry MUST NOT be greater than 4144 the Lifetime value specified in the Binding Update. 4146 o The lifetime for the Binding Cache entry MUST NOT be greater than 4147 the remaining valid lifetime for the subnet prefix in the mobile 4148 node's home address specified with the Binding Update. The 4149 remaining valid lifetime for this prefix is determined by the home 4150 agent based on its own Prefix List entry [18]. 4152 The remaining preferred lifetime SHOULD NOT have any impact on the 4153 lifetime for the binding cache entry. 4155 The home agent MUST remove a binding when the valid lifetime of 4156 the prefix associated with it expires. 4158 o The home agent MAY further decrease the specified lifetime for the 4159 binding, for example based on a local policy. The resulting 4160 lifetime is stored by the home agent in the Binding Cache entry, 4161 and this Binding Cache entry MUST be deleted by the home agent 4162 after the expiration of this lifetime. 4164 Regardless of the setting of the Acknowledge (A) bit in the Binding 4165 Update, the home agent MUST return a Binding Acknowledgement to the 4166 mobile node constructed as follows: 4168 o The Status field MUST be set to a value indicating success. The 4169 value 1 (accepted but prefix discovery necessary) MUST be used if 4170 the subnet prefix of the specified home address is deprecated, or 4171 becomes deprecated during the lifetime of the binding, or becomes 4172 invalid at the end of the lifetime. The value 0 MUST be used 4173 otherwise. For the purposes of comparing the binding and prefix 4174 lifetimes, the prefix lifetimes are first converted into units of 4175 four seconds by ignoring the two least significant bits. 4177 o The Key Management Mobility Capability (K) bit is set if the 4178 following conditions are all fulfilled, and cleared otherwise: 4180 * The Key Management Mobility Capability (K) bit was set in the 4181 Binding Update. 4183 * The IPsec security associations between the mobile node and the 4184 home agent have been established dynamically. 4186 * The home agent has the capability to update its endpoint in the 4187 used key management protocol to the new care-of address every 4188 time it moves. 4190 Depending on the final value of the bit in the Binding 4191 Acknowledgement, the home agent SHOULD perform the following 4192 actions: 4194 K = 0 4196 Discard key management connections, if any, to the old care-of 4197 address. If the mobile node did not have a binding before 4198 sending this Binding Update, discard the connections to the 4199 home address. 4201 K = 1 4203 Move the peer endpoint of the key management protocol 4204 connection, if any, to the new care-of address. For an IKE 4205 phase 1 connection, this means that any IKE packets sent to the 4206 peer are sent to this address, and packets from this address 4207 with the original ISAKMP cookies are accepted. 4209 Note that RFC 2408 [6] Section 2.5.3 gives specific rules that 4210 ISAKMP cookies must satisfy: they must depend on specific 4211 parties and can only be generated by the entity itself. Then 4212 it recommends a particular way to do this, namely a hash of IP 4213 addresses. With the K bit set to 1, the recommended 4214 implementation technique does not work directly. To satisfy 4215 the two rules, the specific parties must be treated as the 4216 original IP addresses, not the ones in use at the specific 4217 moment. 4219 o The Sequence Number field MUST be copied from the Sequence Number 4220 given in the Binding Update. 4222 o The Lifetime field MUST be set to the remaining lifetime for the 4223 binding as set by the home agent in its home registration Binding 4224 Cache entry for the mobile node, as described above. 4226 o If the home agent stores the Binding Cache entry in nonvolatile 4227 storage, then the Binding Refresh Advice mobility option MUST be 4228 omitted. Otherwise, the home agent MAY include this option to 4229 suggest that the mobile node refreshes its binding before the 4230 actual lifetime of the binding ends. 4232 If the Binding Refresh Advice mobility option is present, the 4233 Refresh Interval field in the option MUST be set to a value less 4234 than the Lifetime value being returned in the Binding 4235 Acknowledgement. This indicates that the mobile node SHOULD 4236 attempt to refresh its home registration at the indicated shorter 4237 interval. The home agent MUST still retain the registration for 4238 the Lifetime period, even if the mobile node does not refresh its 4239 registration within the Refresh period. 4241 The rules for selecting the Destination IP address (and possibly 4242 routing header construction) for the Binding Acknowledgement to the 4243 mobile node are the same as in Section 9.5.4. 4245 In addition, the home agent MUST follow the procedure defined in 4246 Section 10.4.1 to intercept packets on the mobile node's home link 4247 addressed to the mobile node, while the home agent is serving as the 4248 home agent for this mobile node. The home agent MUST also be 4249 prepared to accept reverse tunneled packets from the new care-of 4250 address of the mobile node, as described in Section 10.4.5. Finally, 4251 the home agent MUST also propagate new home network prefixes, as 4252 described in Section 10.6. 4254 10.3.2. Primary Care-of Address De-Registration 4256 A binding may need to be de-registered when the mobile node returns 4257 home or when the mobile node knows that it will not have any care-of 4258 addresses in the visited network. 4260 A Binding Update is validated and authorized in the manner described 4261 in the previous section; note that when the mobile node de-registers 4262 when it is at home, it may not include the Home Address destination 4263 option, in which case the mobile node's home address is the source IP 4264 address of the de-registration Binding Update. This section 4265 describes the processing of a valid Binding Update that requests the 4266 receiving node to no longer serve as its home agent, de-registering 4267 its primary care-of address. 4269 To begin processing the Binding Update, the home agent MUST perform 4270 the following test: 4272 o If the receiving node has no entry marked as a home registration 4273 in its Binding Cache for this mobile node, then this node MUST 4274 reject the Binding Update and SHOULD return a Binding 4275 Acknowledgement to the mobile node, in which the Status field is 4276 set to 133 (not home agent for this mobile node). 4278 If the home agent does not reject the Binding Update as described 4279 above, then it MUST delete any existing entry in its Binding Cache 4280 for this mobile node. Then, the home agent MUST return a Binding 4281 Acknowledgement to the mobile node, constructed as follows: 4283 o The Status field MUST be set to a value 0, indicating success. 4285 o The Key Management Mobility Capability (K) bit is set or cleared 4286 and actions based on its value are performed as described in the 4287 previous section. The mobile node's home address is used as its 4288 new care-of address for the purposes of moving the key management 4289 connection to a new endpoint. 4291 o The Sequence Number field MUST be copied from the Sequence Number 4292 given in the Binding Update. 4294 o The Lifetime field MUST be set to zero. 4296 o The Binding Refresh Advice mobility option MUST be omitted. 4298 In addition, the home agent MUST stop intercepting packets on the 4299 mobile node's home link that are addressed to the mobile node 4300 (Section 10.4.1). 4302 The rules for selecting the Destination IP address (and, if required, 4303 routing header construction) for the Binding Acknowledgement to the 4304 mobile node are the same as in the previous section. When the Status 4305 field in the Binding Acknowledgement is greater than or equal to 128 4306 and the Source Address of the Binding Update is on the home link, the 4307 home agent MUST send it to the mobile node's link layer address 4308 (retrieved either from the Binding Update or through Neighbor 4309 Solicitation). 4311 10.4. Packet Processing 4313 10.4.1. Intercepting Packets for a Mobile Node 4315 While a node is serving as the home agent for mobile node it MUST 4316 attempt to intercept packets on the mobile node's home link that are 4317 addressed to the mobile node. 4319 In order to do this, when a node begins serving as the home agent it 4320 MUST multicast onto the home link a Neighbor Advertisement message 4321 [18] on behalf of the mobile node. For the home address specified in 4322 the Binding Update, the home agent sends a Neighbor Advertisement 4323 message [18] to the all-nodes multicast address on the home link to 4324 advertise the home agent's own link-layer address for this IP address 4325 on behalf of the mobile node. If the Link-Layer Address 4326 Compatibility (L) flag has been specified in the Binding Update, the 4327 home agent MUST do the same for the link-local address of the mobile 4328 node. 4330 All fields in each Neighbor Advertisement message SHOULD be set in 4331 the same way they would be set by the mobile node if it was sending 4332 this Neighbor Advertisement [18] while at home, with the following 4333 exceptions: 4335 o The Target Address in the Neighbor Advertisement MUST be set to 4336 the specific IP address for the mobile node. 4338 o The Advertisement MUST include a Target Link-layer Address option 4339 specifying the home agent's link-layer address. 4341 o The Router (R) bit in the Advertisement MUST be set to zero. 4343 o The Solicited Flag (S) in the Advertisement MUST NOT be set, since 4344 it was not solicited by any Neighbor Solicitation. 4346 o The Override Flag (O) in the Advertisement MUST be set, indicating 4347 that the Advertisement SHOULD override any existing Neighbor Cache 4348 entry at any node receiving it. 4350 o The Source Address in the IPv6 header MUST be set to the home 4351 agent's IP address on the interface used to send the 4352 advertisement. 4354 Any node on the home link that receives one of the Neighbor 4355 Advertisement messages (described above) will update its Neighbor 4356 Cache to associate the mobile node's address with the home agent's 4357 link layer address, causing it to transmit any future packets 4358 normally destined to the mobile node to the mobile node's home agent. 4359 Since multicasting on the local link (such as Ethernet) is typically 4360 not guaranteed to be reliable, the home agent MAY retransmit this 4361 Neighbor Advertisement message up to MAX_NEIGHBOR_ADVERTISEMENT (see 4362 [18]) times to increase its reliability. It is still possible that 4363 some nodes on the home link will not receive any of the Neighbor 4364 Advertisements, but these nodes will eventually be able to detect the 4365 link-layer address change for the mobile node's address through use 4366 of Neighbor Unreachability Detection [18]. 4368 While a node is serving as a home agent for some mobile node, the 4369 home agent uses IPv6 Neighbor Discovery [18] to intercept unicast 4370 packets on the home link addressed to the mobile node. In order to 4371 intercept packets in this way, the home agent MUST act as a proxy for 4372 this mobile node and reply to any received Neighbor Solicitations for 4373 it. When a home agent receives a Neighbor Solicitation, it MUST 4374 check if the Target Address specified in the message matches the 4375 address of any mobile node for which it has a Binding Cache entry 4376 marked as a home registration. 4378 If such an entry exists in the home agent's Binding Cache, the home 4379 agent MUST reply to the Neighbor Solicitation with a Neighbor 4380 Advertisement giving the home agent's own link-layer address as the 4381 link-layer address for the specified Target Address. In addition, 4382 the Router (R) bit in the Advertisement MUST be set to zero. Acting 4383 as a proxy in this way allows other nodes on the mobile node's home 4384 link to resolve the mobile node's address and for the home agent to 4385 defend these addresses on the home link for Duplicate Address 4386 Detection [18]. 4388 10.4.2. Processing Intercepted Packets 4390 For any packet sent to a mobile node from the mobile node's home 4391 agent (in which the home agent is the original sender of the packet), 4392 the home agent is operating as a correspondent node of the mobile 4393 node for this packet and the procedures described in Section 9.3.2 4394 apply. The home agent then uses a routing header to route the packet 4395 to the mobile node by way of the primary care-of address in the home 4396 agent's Binding Cache. 4398 While the mobile node is away from home, the home agent intercepts 4399 any packets on the home link addressed to the mobile node's home 4400 address, as described in Section 10.4.1. In order to forward each 4401 intercepted packet to the mobile node, the home agent MUST tunnel the 4402 packet to the mobile node using IPv6 encapsulation [9]. When a home 4403 agent encapsulates an intercepted packet for forwarding to the mobile 4404 node, the home agent sets the Source Address in the new tunnel IP 4405 header to the home agent's own IP address and sets the Destination 4406 Address in the tunnel IP header to the mobile node's primary care-of 4407 address. When received by the mobile node, normal processing of the 4408 tunnel header [9] will result in decapsulation and processing of the 4409 original packet by the mobile node. 4411 However, packets addressed to the mobile node's link-local address 4412 MUST NOT be tunneled to the mobile node. Instead, these packets MUST 4413 be discarded and the home agent SHOULD return an ICMP Destination 4414 Unreachable, Code 3, message to the packet's Source Address (unless 4415 this Source Address is a multicast address). Packets addressed to 4416 the mobile node's site-local address SHOULD NOT be tunneled to the 4417 mobile node by default. 4419 Interception and tunneling of the following multicast addressed 4420 packets on the home network are only done if the home agent supports 4421 multicast group membership control messages from the mobile node as 4422 described in the next section. Tunneling of multicast packets to a 4423 mobile node follows similar limitations to those defined above for 4424 unicast packets addressed to the mobile node's link-local address. 4425 Multicast packets addressed to a multicast address with link-local 4426 scope [16], to which the mobile node is subscribed, MUST NOT be 4427 tunneled to the mobile node. These packets SHOULD be silently 4428 discarded (after delivering to other local multicast recipients). 4429 Multicast packets addressed to a multicast address with a scope 4430 larger than link-local, but smaller than global (e.g., site-local and 4431 organization-local [16]), to which the mobile node is subscribed, 4432 SHOULD NOT be tunneled to the mobile node. Multicast packets 4433 addressed with a global scope, to which the mobile node has 4434 successfully subscribed, MUST be tunneled to the mobile node. 4436 Before tunneling a packet to the mobile node, the home agent MUST 4437 perform any IPsec processing as indicated by the security policy data 4438 base. 4440 10.4.3. Multicast Membership Control 4442 This section is a prerequisite for the multicast data packet 4443 forwarding, described in the previous section. If this support is 4444 not provided, multicast group membership control messages are 4445 silently ignored. 4447 In order to forward multicast data packets from the home network to 4448 all the proper mobile nodes, the home agent SHOULD be capable of 4449 receiving tunneled multicast group membership control information 4450 from the mobile node in order to determine which groups the mobile 4451 node has subscribed to. These multicast group membership messages 4452 are Listener Report messages specified in MLD [11] or in other 4453 protocols such as [34]. 4455 The messages are issued by the mobile node, but sent through the 4456 reverse tunnel to the home agent. These messages are issued whenever 4457 the mobile node decides to enable reception of packets for a 4458 multicast group or in response to an MLD Query from the home agent. 4459 The mobile node will also issue multicast group control messages to 4460 disable reception of multicast packets when it is no longer 4461 interested in receiving multicasts for a particular group. 4463 To obtain the mobile node's current multicast group membership the 4464 home agent must periodically transmit MLD Query messages through the 4465 tunnel to the mobile node. These MLD periodic transmissions will 4466 ensure the home agent has an accurate record of the groups in which 4467 the mobile node is interested despite packet losses of the mobile 4468 node's MLD group membership messages. 4470 All MLD packets are sent directly between the mobile node and the 4471 home agent. Since all of these packets are destined to a link-scope 4472 multicast address and have a hop limit of 1, there is no direct 4473 forwarding of such packets between the home network and the mobile 4474 node. The MLD packets between the mobile node and the home agent are 4475 encapsulated within the same tunnel header used for other packet 4476 flows between the mobile node and home agent. 4478 Note that at this time, even though a link-local source is used on 4479 MLD packets, no functionality depends on these addresses being 4480 unique, nor do they elicit direct responses. All MLD messages are 4481 sent to multicast destinations. To avoid ambiguity on the home 4482 agent, due to mobile nodes which may choose identical link-local 4483 source addresses for their MLD function, it is necessary for the home 4484 agent to identify which mobile node was actually the issuer of a 4485 particular MLD message. This may be accomplished by noting which 4486 tunnel such an MLD arrived by, which IPsec SA was used, or by other 4487 distinguishing means. 4489 This specification puts no requirement on how the functions in this 4490 section and the multicast forwarding in Section 10.4.2 are to be 4491 achieved. At the time of this writing it was thought that a full 4492 IPv6 multicast router function would be necessary on the home agent, 4493 but it may be possible to achieve the same effects through a "proxy 4494 MLD" application coupled with kernel multicast forwarding. This may 4495 be the subject of future specifications. 4497 10.4.4. Stateful Address Autoconfiguration 4499 This section describes how home agents support the use of stateful 4500 address autoconfiguration mechanisms such as DHCPv6 [27] from the 4501 mobile nodes. If this support is not provided, then the M and O bits 4502 must remain cleared on the Mobile Prefix Advertisement Messages. Any 4503 mobile node which sends DHCPv6 messages to the home agent without 4504 this support will not receive a response. 4506 If DHCPv6 is used, packets are sent with link-local source addresses 4507 either to a link-scope multicast address or a link-local address. 4508 Mobile nodes desiring to locate a DHCPv6 service may reverse tunnel 4509 standard DHCPv6 packets to the home agent. Since these link-scope 4510 packets cannot be forwarded onto the home network, it is necessary 4511 for the home agent to either implement a DHCPv6 relay agent or a 4512 DHCPv6 server function itself. The arriving tunnel or IPsec SA of 4513 DHCPv6 link-scope messages from the mobile node must be noted so that 4514 DHCPv6 responses may be sent back to the appropriate mobile node. 4515 DHCPv6 messages sent to the mobile node with a link-local destination 4516 must be tunneled within the same tunnel header used for other packet 4517 flows. 4519 10.4.5. Handling Reverse Tunneled Packets 4521 Unless a binding has been established between the mobile node and a 4522 correspondent node, traffic from the mobile node to the correspondent 4523 node goes through a reverse tunnel. Home agents MUST support reverse 4524 tunneling as follows: 4526 o The tunneled traffic arrives to the home agent's address using 4527 IPv6 encapsulation [9]. 4529 o Depending on the security policies used by the home agent, reverse 4530 tunneled packets MAY be discarded unless accompanied by a valid 4531 ESP header. The support for authenticated reverse tunneling 4532 allows the home agent to protect the home network and 4533 correspondent nodes from malicious nodes masquerading as a mobile 4534 node. 4536 o Otherwise, when a home agent decapsulates a tunneled packet from 4537 the mobile node, the home agent MUST verify that the Source 4538 Address in the tunnel IP header is the mobile node's primary 4539 care-of address. Otherwise, any node in the Internet could send 4540 traffic through the home agent and escape ingress filtering 4541 limitations. This simple check forces the attacker to know the 4542 current location of the real mobile node and be able to defeat 4543 ingress filtering. This check is not necessary if the reverse- 4544 tunneled packet is protected by ESP in tunnel mode. 4546 10.4.6. Protecting Return Routability Packets 4548 The return routability procedure, described in Section 5.2.5, assumes 4549 that the confidentiality of the Home Test Init and Home Test messages 4550 is protected as they are tunneled between the home agent and the 4551 mobile node. Therefore, the home agent MUST support tunnel mode 4552 IPsec ESP for the protection of packets belonging to the return 4553 routability procedure. Support for a non-null encryption transform 4554 and authentication algorithm MUST be available. It is not necessary 4555 to distinguish between different kinds of packets during the return 4556 routability procedure. 4558 Security associations are needed to provide this protection. When 4559 the care-of address for the mobile node changes as a result of an 4560 accepted Binding Update, special treatment is needed for the next 4561 packets sent using these security associations. The home agent MUST 4562 set the new care-of address as the destination address of these 4563 packets, as if the outer header destination address in the security 4564 association had changed [14]. 4566 The above protection SHOULD be used with all mobile nodes. The use 4567 is controlled by configuration of the IPsec security policy database 4568 both at the mobile node and at the home agent. 4570 As described earlier, the Binding Update and Binding Acknowledgement 4571 messages require protection between the home agent and the mobile 4572 node. The Mobility Header protocol carries both these messages as 4573 well as the return routability messages. From the point of view of 4574 the security policy database these messages are indistinguishable. 4575 When IPsec is used to protect return routability signaling or payload 4576 packets, this protection MUST only be applied to the return 4577 routability packets entering the IPv6 encapsulated tunnel interface 4578 between the mobile node and the home agent. This can be achieved, 4579 for instance, by defining the security policy database entries 4580 specifically for the tunnel interface. That is, the policy entries 4581 are not generally applied on all traffic on the physical interface(s) 4582 of the nodes, but rather only on traffic that enters the tunnel. 4583 This makes use of per-interface security policy database entries [2] 4584 specific to the tunnel interface (the node's attachment to the tunnel 4585 [8]). 4587 10.5. Dynamic Home Agent Address Discovery 4589 This section describes how a home agent can help mobile nodes to 4590 discover the addresses of the home agents. The home agent keeps 4591 track of the other home agents on the same link and responds to 4592 queries sent by the mobile node. 4594 10.5.1. Receiving Router Advertisement Messages 4596 For each link on which a router provides service as a home agent, the 4597 router maintains a Home Agents List recording information about all 4598 other home agents on that link. This list is used in the dynamic 4599 home agent address discovery mechanism, described in Section 10.5. 4600 The information for the list is learned through receipt of the 4601 periodic unsolicited multicast Router Advertisements, in a manner 4602 similar to the Default Router List conceptual data structure 4603 maintained by each host for Neighbor Discovery [18]. In the 4604 construction of the Home Agents List, the Router Advertisements are 4605 from each (other) home agent on the link and the Home Agent (H) bit 4606 is set in them. 4608 On receipt of a valid Router Advertisement, as defined in the 4609 processing algorithm specified for Neighbor Discovery [18], the home 4610 agent performs the following steps in addition to any steps already 4611 required of it by Neighbor Discovery: 4613 o If the Home Agent (H) bit in the Router Advertisement is not set, 4614 delete the sending node's entry in the current Home Agents List 4615 (if one exists). Skip all the following steps. 4617 o Otherwise, extract the Source Address from the IP header of the 4618 Router Advertisement. This is the link-local IP address on this 4619 link of the home agent sending this Advertisement [18]. 4621 o Determine the preference for this home agent. If the Router 4622 Advertisement contains a Home Agent Information Option, then the 4623 preference is taken from the Home Agent Preference field in the 4624 option; otherwise, the default preference of 0 MUST be used. 4626 o Determine the lifetime for this home agent. If the Router 4627 Advertisement contains a Home Agent Information Option, then the 4628 lifetime is taken from the Home Agent Lifetime field in the 4629 option; otherwise, the lifetime specified by the Router Lifetime 4630 field in the Router Advertisement SHOULD be used. 4632 o If the link-local address of the home agent sending this 4633 Advertisement is already present in this home agent's Home Agents 4634 List and the received home agent lifetime value is zero, 4635 immediately delete this entry in the Home Agents List. 4637 o Otherwise, if the link-local address of the home agent sending 4638 this Advertisement is already present in the receiving home 4639 agent's Home Agents List, reset its lifetime and preference to the 4640 values determined above. 4642 o If the link-local address of the home agent sending this 4643 Advertisement is not already present in the Home Agents List 4644 maintained by the receiving home agent, and the lifetime for the 4645 sending home agent is non-zero, create a new entry in the list, 4646 and initialize its lifetime and preference to the values 4647 determined above. 4649 o If the Home Agents List entry for the link-local address of the 4650 home agent sending this Advertisement was not deleted as described 4651 above, determine any global address(es) of the home agent based on 4652 each Prefix Information option received in this Advertisement in 4653 which the Router Address (R) bit is set (Section 7.2). Add all 4654 such global addresses to the list of global addresses in this Home 4655 Agents List entry. 4657 A home agent SHOULD maintain an entry in its Home Agents List for 4658 each valid home agent address until that entry's lifetime expires, 4659 after which time the entry MUST be deleted. 4661 As described in Section 11.4.1, a mobile node attempts dynamic home 4662 agent address discovery by sending an ICMP Home Agent Address 4663 Discovery Request message to the Mobile IPv6 Home-Agents anycast 4664 address [10] for its home IP subnet prefix. A home agent receiving a 4665 Home Agent Address Discovery Request message that serves this subnet 4666 SHOULD return an ICMP Home Agent Address Discovery Reply message to 4667 the mobile node with the Source Address of the Reply packet set to 4668 one of the global unicast addresses of the home agent. The Home 4669 Agent Addresses field in the Reply message is constructed as follows: 4671 o The Home Agent Addresses field SHOULD contain all global IP 4672 addresses for each home agent currently listed in this home 4673 agent's own Home Agents List (Section 10.1). 4675 o The IP addresses in the Home Agent Addresses field SHOULD be 4676 listed in order of decreasing preference values, based either on 4677 the respective advertised preference from a Home Agent Information 4678 option or on the default preference of 0 if no preference is 4679 advertised (or on the configured home agent preference for this 4680 home agent itself). 4682 o Among home agents with equal preference, their IP addresses in the 4683 Home Agent Addresses field SHOULD be listed in an order randomized 4684 with respect to other home agents with equal preference every time 4685 a Home Agent Address Discovery Reply message is returned by this 4686 home agent. 4688 o If more than one global IP address is associated with a home 4689 agent, these addresses SHOULD be listed in a randomized order. 4691 o The home agent SHOULD reduce the number of home agent IP addresses 4692 so that the packet fits within the minimum IPv6 MTU [8]. The home 4693 agent addresses selected for inclusion in the packet SHOULD be 4694 those from the complete list with the highest preference. This 4695 limitation avoids the danger of the Reply message packet being 4696 fragmented (or rejected by an intermediate router with an ICMP 4697 Packet Too Big message [17]). 4699 10.6. Sending Prefix Information to the Mobile Node 4701 10.6.1. List of Home Network Prefixes 4703 Mobile IPv6 arranges to propagate relevant prefix information to the 4704 mobile node when it is away from home, so that it may be used in 4705 mobile node home address configuration and in network renumbering. 4706 In this mechanism, mobile nodes away from home receive Mobile Prefix 4707 Advertisements messages. These messages include Prefix Information 4708 Options for the prefixes configured on the home subnet interface(s) 4709 of the home agent. 4711 If there are multiple home agents, differences in the advertisements 4712 sent by different home agents can lead to an inability to use a 4713 particular home address when changing to another home agent. In 4714 order to ensure that the mobile nodes get the same information from 4715 different home agents, it is preferred that all of the home agents on 4716 the same link be configured in the same manner. 4718 To support this, the home agent monitors prefixes advertised by 4719 itself and other home agents on the home link. In RFC 4861 [18] it 4720 is acceptable for two routers to advertise different sets of prefixes 4721 on the same link. For home agents, the differences should be 4722 detected for a given home address because the mobile node 4723 communicates only with one home agent at a time and the mobile node 4724 needs to know the full set of prefixes assigned to the home link. 4725 All other comparisons of Router Advertisements are as specified in 4726 Section 6.2.7 of RFC 4861. 4728 10.6.2. Scheduling Prefix Deliveries 4730 A home agent serving a mobile node will schedule the delivery of the 4731 new prefix information to that mobile node when any of the following 4732 conditions occur: 4734 MUST: 4736 o The state of the flags changes for the prefix of the mobile node's 4737 registered home address. 4739 o The valid or preferred lifetime is reconfigured or changes for any 4740 reason other than advancing real time. 4742 o The mobile node requests the information with a Mobile Prefix 4743 Solicitation (see Section 11.4.2). 4745 SHOULD: 4747 o A new prefix is added to the home subnet interface(s) of the home 4748 agent. 4750 MAY: 4752 o The valid or preferred lifetime or the state of the flags changes 4753 for a prefix which is not used in any Binding Cache entry for this 4754 mobile node. 4756 The home agent uses the following algorithm to determine when to send 4757 prefix information to the mobile node. 4759 o If a mobile node sends a solicitation, answer right away. 4761 o If no Mobile Prefix Advertisement has been sent to the mobile node 4762 in the last MaxMobPfxAdvInterval seconds (see Section 13), then 4763 ensure that a transmission is scheduled. The actual transmission 4764 time is randomized as described below. 4766 o If a prefix matching the mobile node's home registration is added 4767 on the home subnet interface or if its information changes in any 4768 way that does not deprecate the mobile node's address, ensure that 4769 a transmission is scheduled. The actual transmission time is 4770 randomized as described below. 4772 o If a home registration expires, cancel any scheduled 4773 advertisements to the mobile node. 4775 The list of prefixes is sent in its entirety in all cases. 4777 If the home agent has already scheduled the transmission of a Mobile 4778 Prefix Advertisement to the mobile node, then the home agent will 4779 replace the advertisement with a new one to be sent at the scheduled 4780 time. 4782 Otherwise, the home agent computes a fresh value for RAND_ADV_DELAY 4783 which offsets from the current time for the scheduled transmission. 4784 First calculate the maximum delay for the scheduled Advertisement: 4786 MaxScheduleDelay = min (MaxMobPfxAdvInterval, Preferred Lifetime), 4788 where MaxMobPfxAdvInterval is as defined in Section 12. Then compute 4789 the final delay for the advertisement: 4791 RAND_ADV_DELAY = MinMobPfxAdvInterval + 4792 (rand() % abs(MaxScheduleDelay - MinMobPfxAdvInterval)) 4794 Here rand() returns a random integer value in the range of 0 to the 4795 maximum possible integer value. This computation is expected to 4796 alleviate bursts of advertisements when prefix information changes. 4797 In addition, a home agent MAY further reduce the rate of packet 4798 transmission by further delaying individual advertisements, when 4799 necessary to avoid overwhelming local network resources. The home 4800 agent SHOULD periodically continue to retransmit an unsolicited 4801 Advertisement to the mobile node, until it is acknowledged by the 4802 receipt of a Mobile Prefix Solicitation from the mobile node. 4804 The home agent MUST wait PREFIX_ADV_TIMEOUT (see Section 12) before 4805 the first retransmission and double the retransmission wait time for 4806 every succeeding retransmission until a maximum number of 4807 PREFIX_ADV_RETRIES attempts (see Section 12) has been tried. If the 4808 mobile node's bindings expire before the matching Binding Update has 4809 been received, then the home agent MUST NOT attempt any more 4810 retransmissions, even if not all PREFIX_ADV_RETRIES have been 4811 retransmitted. In the mean time, if the mobile node sends another 4812 Binding Update without returning home, then the home agent SHOULD 4813 begin transmitting the unsolicited Advertisement again. 4815 If some condition, as described above, occurs on the home link and 4816 causes another Prefix Advertisement to be sent to the mobile node, 4817 before the mobile node acknowledges a previous transmission, the home 4818 agent SHOULD combine any Prefix Information options in the 4819 unacknowledged Mobile Prefix Advertisement into a new Advertisement. 4820 The home agent then discards the old Advertisement. 4822 10.6.3. Sending Advertisements 4824 When sending a Mobile Prefix Advertisement to the mobile node, the 4825 home agent MUST construct the packet as follows: 4827 o The Source Address in the packet's IPv6 header MUST be set to the 4828 home agent's IP address to which the mobile node addressed its 4829 current home registration or its default global home agent address 4830 if no binding exists. 4832 o If the advertisement was solicited, it MUST be destined to the 4833 source address of the solicitation. If it was triggered by prefix 4834 changes or renumbering, the advertisement's destination will be 4835 the mobile node's home address in the binding which triggered the 4836 rule. 4838 o A type 2 routing header MUST be included with the mobile node's 4839 home address. 4841 o IPsec headers MUST be supported and SHOULD be used. 4843 o The home agent MUST send the packet as it would any other unicast 4844 IPv6 packet that it originates. 4846 o Set the Managed Address Configuration (M) flag if the 4847 corresponding flag has been set in any of the Router 4848 Advertisements from which the prefix information has been learned 4849 (including the ones sent by this home agent). 4851 o Set the Other Stateful Configuration (O) flag if the corresponding 4852 flag has been set in any of the Router Advertisements from which 4853 the prefix information has been learned (including the ones sent 4854 by this home agent). 4856 10.6.4. Lifetimes for Changed Prefixes 4858 As described in Section 10.3.1, the lifetime returned by the home 4859 agent in a Binding Acknowledgement MUST NOT be greater than the 4860 remaining valid lifetime for the subnet prefix in the mobile node's 4861 home address. This limit on the binding lifetime serves to prohibit 4862 use of a mobile node's home address after it becomes invalid. 4864 11. Mobile Node Operation 4866 11.1. Conceptual Data Structures 4868 Each mobile node MUST maintain a Binding Update List. 4870 The Binding Update List records information for each Binding Update 4871 sent by this mobile node, in which the lifetime of the binding has 4872 not yet expired. The Binding Update List includes all bindings sent 4873 by the mobile node either to its home agent or correspondent nodes. 4874 It also contains Binding Updates which are waiting for the completion 4875 of the return routability procedure before they can be sent. 4876 However, for multiple Binding Updates sent to the same destination 4877 address, the Binding Update List contains only the most recent 4878 Binding Update (i.e., with the greatest Sequence Number value) sent 4879 to that destination. The Binding Update List MAY be implemented in 4880 any manner consistent with the external behavior described in this 4881 document. 4883 Each Binding Update List entry conceptually contains the following 4884 fields: 4886 o The IP address of the node to which a Binding Update was sent. 4888 o The home address for which that Binding Update was sent. 4890 o The care-of address sent in that Binding Update. This value is 4891 necessary for the mobile node to determine if it has sent a 4892 Binding Update while giving its new care-of address to this 4893 destination after changing its care-of address. 4895 o The initial value of the Lifetime field sent in that Binding 4896 Update. 4898 o The remaining lifetime of that binding. This lifetime is 4899 initialized from the Lifetime value sent in the Binding Update and 4900 is decremented until it reaches zero, at which time this entry 4901 MUST be deleted from the Binding Update List. 4903 o The maximum value of the Sequence Number field sent in previous 4904 Binding Updates to this destination. The Sequence Number field is 4905 16 bits long and all comparisons between Sequence Number values 4906 MUST be performed modulo 2**16 (see Section 9.5.1). 4908 o The time at which a Binding Update was last sent to this 4909 destination, as needed to implement the rate limiting restriction 4910 for sending Binding Updates. 4912 o The state of any retransmissions needed for this Binding Update. 4913 This state includes the time remaining until the next 4914 retransmission attempt for the Binding Update and the current 4915 state of the exponential back-off mechanism for retransmissions. 4917 o A flag specifying whether or not future Binding Updates should be 4918 sent to this destination. The mobile node sets this flag in the 4919 Binding Update List entry when it receives an ICMP Parameter 4920 Problem, Code 1, error message in response to a return routability 4921 message or Binding Update sent to that destination, as described 4922 in Section 11.3.5. 4924 The Binding Update List is used to determine whether a particular 4925 packet is sent directly to the correspondent node or tunneled via the 4926 home agent (see Section 11.3.1). 4928 The Binding Update list also conceptually contains the following data 4929 related to running the return routability procedure. This data is 4930 relevant only for Binding Updates sent to correspondent nodes. 4932 o The time at which a Home Test Init or Care-of Test Init message 4933 was last sent to this destination, as needed to implement the rate 4934 limiting restriction for the return routability procedure. 4936 o The state of any retransmissions needed for this return 4937 routability procedure. This state includes the time remaining 4938 until the next retransmission attempt and the current state of the 4939 exponential back-off mechanism for retransmissions. 4941 o Cookie values used in the Home Test Init and Care-of Test Init 4942 messages. 4944 o Home and care-of keygen tokens received from the correspondent 4945 node. 4947 o Home and care-of nonce indices received from the correspondent 4948 node. 4950 o The time at which each of the tokens and nonces were received from 4951 the correspondent node, as needed to implement reuse while moving. 4953 11.2. Processing Mobility Headers 4955 All IPv6 mobile nodes MUST observe the rules described in Section 9.2 4956 when processing Mobility Headers. 4958 11.3. Packet Processing 4960 11.3.1. Sending Packets While Away from Home 4962 While a mobile node is away from home, it continues to use its home 4963 address, as well as also using one or more care-of addresses. When 4964 sending a packet while away from home, a mobile node MAY choose among 4965 these in selecting the address that it will use as the source of the 4966 packet, as follows: 4968 o Protocols layered over IP will generally treat the mobile node's 4969 home address as its IP address for most packets. For packets sent 4970 that are part of transport-level connections established while the 4971 mobile node was at home, the mobile node MUST use its home 4972 address. Likewise, for packets sent that are part of transport- 4973 level connections that the mobile node may still be using after 4974 moving to a new location, the mobile node SHOULD use its home 4975 address in this way. If a binding exists, the mobile node SHOULD 4976 send the packets directly to the correspondent node. Otherwise, 4977 if a binding does not exist, the mobile node MUST use reverse 4978 tunneling. 4980 o The mobile node MAY choose to directly use one of its care-of 4981 addresses as the source of the packet, not requiring the use of a 4982 Home Address option in the packet. This is particularly useful 4983 for short-term communication that may easily be retried if it 4984 fails. Using the mobile node's care-of address as the source for 4985 such queries will generally have a lower overhead than using the 4986 mobile node's home address, since no extra options need be used in 4987 either the query or its reply. Such packets can be routed 4988 normally, directly between their source and destination without 4989 relying on Mobile IPv6. If application running on the mobile node 4990 has no particular knowledge that the communication being sent fits 4991 within this general type of communication, however, the mobile 4992 node should not use its care-of address as the source of the 4993 packet in this way. 4995 The choice of the most efficient communications method is 4996 application specific, and outside the scope of this specification. 4997 The APIs necessary for controlling the choice are also out of 4998 scope. 5000 o 5002 Similarly, the mobile node MUST NOT use the Home Address 5003 destination option for IPv6 Neighbor Discovery [18] packets. 5005 Detailed operation of these cases is described later in this section 5006 and also discussed in [29]. 5008 For packets sent by a mobile node while it is at home, no special 5009 Mobile IPv6 processing is required. Likewise, if the mobile node 5010 uses any address other than one of its home addresses as the source 5011 of a packet sent while away from home, no special Mobile IPv6 5012 processing is required. In either case, the packet is simply 5013 addressed and transmitted in the same way as any normal IPv6 packet. 5015 For packets sent by the mobile node sent while away from home using 5016 the mobile node's home address as the source, special Mobile IPv6 5017 processing of the packet is required. This can be done in the 5018 following two ways: 5020 Route Optimization 5022 This manner of delivering packets does not require going through 5023 the home network, and typically will enable faster and more 5024 reliable transmission. 5026 The mobile node needs to ensure that a Binding Cache entry exists 5027 for its home address so that the correspondent node can process 5028 the packet (Section 9.3.1 specifies the rules for Home Address 5029 Destination Option Processing at a correspondent node). The 5030 mobile node SHOULD examine its Binding Update List for an entry 5031 which fulfills the following conditions: 5033 * The Source Address field of the packet being sent is equal to 5034 the home address in the entry. 5036 * The Destination Address field of the packet being sent is equal 5037 to the address of the correspondent node in the entry. 5039 * One of the current care-of addresses of the mobile node appears 5040 as the care-of address in the entry. 5042 * The entry indicates that a binding has been successfully 5043 created. 5045 * The remaining lifetime of the binding is greater than zero. 5047 When these conditions are met, the mobile node knows that the 5048 correspondent node has a suitable Binding Cache entry. 5050 A mobile node SHOULD arrange to supply the home address in a Home 5051 Address option, and MUST set the IPv6 header's Source Address 5052 field to the care-of address which the mobile node has registered 5053 to be used with this correspondent node. The correspondent node 5054 will then use the address supplied in the Home Address option to 5055 serve the function traditionally done by the Source IP address in 5056 the IPv6 header. The mobile node's home address is then supplied 5057 to higher protocol layers and applications. 5059 Specifically: 5061 * Construct the packet using the mobile node's home address as 5062 the packet's Source Address, in the same way as if the mobile 5063 node were at home. This includes the calculation of upper 5064 layer checksums using the home address as the value of the 5065 source. 5067 * Insert a Home Address option into the packet with the Home 5068 Address field copied from the original value of the Source 5069 Address field in the packet. 5071 * Change the Source Address field in the packet's IPv6 header to 5072 one of the mobile node's care-of addresses. This will 5073 typically be the mobile node's current primary care-of address, 5074 but MUST be an address assigned to the interface on the link 5075 being used. 5077 By using the care-of address as the Source Address in the IPv6 5078 header, with the mobile node's home address instead in the Home 5079 Address option, the packet will be able to safely pass through any 5080 router implementing ingress filtering [25]. 5082 Reverse Tunneling 5084 This is the mechanism which tunnels the packets via the home 5085 agent. It is not as efficient as the above mechanism, but is 5086 needed if there is no binding yet with the correspondent node. 5088 This mechanism is used for packets that have the mobile node's 5089 home address as the Source Address in the IPv6 header, or with 5090 multicast control protocol packets as described in Section 11.3.4. 5091 Specifically: 5093 * The packet is sent to the home agent using IPv6 encapsulation 5094 [9]. 5096 * The Source Address in the tunnel packet is the primary care-of 5097 address as registered with the home agent. 5099 * The Destination Address in the tunnel packet is the home 5100 agent's address. 5102 Then, the home agent will pass the encapsulated packet to the 5103 correspondent node. 5105 11.3.2. Interaction with Outbound IPsec Processing 5107 This section sketches the interaction between outbound Mobile IPv6 5108 processing and outbound IP Security (IPsec) processing for packets 5109 sent by a mobile node while away from home. Any specific 5110 implementation MAY use algorithms and data structures other than 5111 those suggested here, but its processing MUST be consistent with the 5112 effect of the operation described here and with the relevant IPsec 5113 specifications. In the steps described below, it is assumed that 5114 IPsec is being used in transport mode [2] and that the mobile node is 5115 using its home address as the source for the packet (from the point 5116 of view of higher protocol layers or applications, as described in 5117 Section 11.3.1): 5119 o The packet is created by higher layer protocols and applications 5120 (e.g., by TCP) as if the mobile node were at home and Mobile IPv6 5121 were not being used. 5123 o Determine the outgoing interface for the packet. (Note that the 5124 selection between reverse tunneling and route optimization may 5125 imply different interfaces, particularly if tunnels are considered 5126 interfaces as well.) 5128 o As part of outbound packet processing in IP, the packet is 5129 compared against the IPsec security policy database to determine 5130 what processing is required for the packet [2]. 5132 o If IPsec processing is required, the packet is either mapped to an 5133 existing Security Association (or SA bundle), or a new SA (or SA 5134 bundle) is created for the packet, according to the procedures 5135 defined for IPsec. 5137 o Since the mobile node is away from home, the mobile is either 5138 using reverse tunneling or route optimization to reach the 5139 correspondent node. 5141 If reverse tunneling is used, the packet is constructed in the 5142 normal manner and then tunneled through the home agent. 5144 If route optimization is in use, the mobile node inserts a Home 5145 Address destination option into the packet, replacing the Source 5146 Address in the packet's IP header with the care-of address used 5147 with this correspondent node, as described in Section 11.3.1. The 5148 Destination Options header in which the Home Address destination 5149 option is inserted MUST appear in the packet after the routing 5150 header, if present, and before the IPsec (AH [3] or ESP [4]) 5151 header, so that the Home Address destination option is processed 5152 by the destination node before the IPsec header is processed. 5154 Finally, once the packet is fully assembled, the necessary IPsec 5155 authentication (and encryption, if required) processing is 5156 performed on the packet, initializing the Authentication Data in 5157 the IPsec header. 5159 RFC 2402 treatment of destination options is extended as follows. 5160 The AH authentication data MUST be calculated as if the following 5161 were true: 5163 * the IPv6 source address in the IPv6 header contains the mobile 5164 node's home address, 5166 * the Home Address field of the Home Address destination option 5167 (Section 6.3) contains the new care-of address. 5169 o This allows, but does not require, the receiver of the packet 5170 containing a Home Address destination option to exchange the two 5171 fields of the incoming packet to reach the above situation, 5172 simplifying processing for all subsequent packet headers. 5173 However, such an exchange is not required, as long as the result 5174 of the authentication calculation remains the same. 5176 When an automated key management protocol is used to create new 5177 security associations for a peer, it is important to ensure that the 5178 peer can send the key management protocol packets to the mobile node. 5179 This may not be possible if the peer is the home agent of the mobile 5180 node and the purpose of the security associations would be to send a 5181 Binding Update to the home agent. Packets addressed to the home 5182 address of the mobile node cannot be used before the Binding Update 5183 has been processed. For the default case of using IKE [7] as the 5184 automated key management protocol, such problems can be avoided by 5185 the following requirements when communicating with its home agent: 5187 o When the mobile node is away from home, it MUST use its care-of 5188 address as the Source Address of all packets it sends as part of 5189 the key management protocol (without use of Mobile IPv6 for these 5190 packets, as suggested in Section 11.3.1). 5192 o In addition, for all security associations bound to the mobile 5193 node's home address established by IKE, the mobile node MUST 5194 include an ISAKMP Identification Payload [6] in the IKE phase 2 5195 exchange, giving the mobile node's home address as the initiator 5196 of the Security Association [5]. 5198 The Key Management Mobility Capability (K) bit in Binding Updates and 5199 Acknowledgements can be used to avoid the need to rerun IKE upon 5200 movements. 5202 11.3.3. Receiving Packets While Away from Home 5204 While away from home, a mobile node will receive packets addressed to 5205 its home address, by one of two methods: 5207 o Packets sent by a correspondent node, that does not have a Binding 5208 Cache entry for the mobile node, will be sent to the home address, 5209 captured by the home agent and tunneled to the mobile node. 5211 o Packets sent by a correspondent node that has a Binding Cache 5212 entry for the mobile node that contains the mobile node's current 5213 care-of address, will be sent by the correspondent node using a 5214 type 2 routing header. The packet will be addressed to the mobile 5215 node's care-of address, with the final hop in the routing header 5216 directing the packet to the mobile node's home address; the 5217 processing of this last hop of the routing header is entirely 5218 internal to the mobile node, since the care-of address and home 5219 address are both addresses within the mobile node. 5221 For packets received by the first method, the mobile node MUST check 5222 that the IPv6 source address of the tunneled packet is the IP address 5223 of its home agent. In this method, the mobile node may also send a 5224 Binding Update to the original sender of the packet as described in 5225 Section 11.7.2 and subject to the rate limiting defined in 5226 Section 11.8. The mobile node MUST also process the received packet 5227 in the manner defined for IPv6 encapsulation [9], which will result 5228 in the encapsulated (inner) packet being processed normally by upper- 5229 layer protocols within the mobile node as if it had been addressed 5230 (only) to the mobile node's home address. 5232 For packets received by the second method, the following rules will 5233 result in the packet being processed normally by upper-layer 5234 protocols within the mobile node as if it had been addressed to the 5235 mobile node's home address. 5237 A node receiving a packet addressed to itself (i.e., one of the 5238 node's addresses is in the IPv6 destination field) follows the next 5239 header chain of headers and processes them. When it encounters a 5240 type 2 routing header during this processing, it performs the 5241 following checks. If any of these checks fail, the node MUST 5242 silently discard the packet. 5244 o The length field in the routing header is exactly 2. 5246 o The segments left field in the routing header is 1 on the wire. 5247 (But implementations may process the routing header so that the 5248 value may become 0 after the routing header has been processed, 5249 but before the rest of the packet is processed.) 5251 o The Home Address field in the routing header is one of the node's 5252 home addresses, if the segments left field was 1. Thus, in 5253 particular the address field is required to be a unicast routable 5254 address. 5256 Once the above checks have been performed, the node swaps the IPv6 5257 destination field with the Home Address field in the routing header, 5258 decrements segments left by one from the value it had on the wire, 5259 and resubmits the packet to IP for processing the next header. 5260 Conceptually, this follows the same model as in RFC 2460. However, 5261 in the case of type 2 routing header this can be simplified since it 5262 is known that the packet will not be forwarded to a different node. 5264 The definition of AH requires the sender to calculate the AH 5265 integrity check value of a routing header in the same way it appears 5266 in the receiver after it has processed the header. Since IPsec 5267 headers follow the routing header, any IPsec processing will operate 5268 on the packet with the home address in the IP destination field and 5269 segments left being zero. Thus, the AH calculations at the sender 5270 and receiver will have an identical view of the packet. 5272 11.3.4. Routing Multicast Packets 5274 A mobile node that is connected to its home link functions in the 5275 same way as any other (stationary) node. Thus, when it is at home, a 5276 mobile node functions identically to other multicast senders and 5277 receivers. Therefore, this section describes the behavior of a 5278 mobile node that is not on its home link. 5280 In order to receive packets sent to some multicast group, a mobile 5281 node must join that multicast group. One method, in which a mobile 5282 node MAY join the group, is via a (local) multicast router on the 5283 foreign link being visited. In this case, the mobile node MUST use 5284 its care-of address and MUST NOT use the Home Address destination 5285 option when sending MLD packets [11]. 5287 Alternatively, a mobile node MAY join multicast groups via a bi- 5288 directional tunnel to its home agent. The mobile node tunnels its 5289 multicast group membership control packets (such as those defined in 5291 [11] or in [34]) to its home agent, and the home agent forwards 5292 multicast packets down the tunnel to the mobile node. A mobile node 5293 MUST NOT tunnel multicast group membership control packets until (1) 5294 the mobile node has a binding in place at the home agent, and (2) the 5295 latter sends at least one multicast group membership control packet 5296 via the tunnel. Once this condition is true, the mobile node SHOULD 5297 assume it does not change as long as the binding does not expire. 5299 A mobile node that wishes to send packets to a multicast group also 5300 has two options: 5302 1. Send directly on the foreign link being visited. 5304 The application is aware of the care-of address and uses it as a 5305 source address for multicast traffic, just like it would use a 5306 stationary address. The mobile node MUST NOT use Home Address 5307 destination option in such traffic. 5309 2. Send via a tunnel to its home agent. 5311 Because multicast routing in general depends upon the Source 5312 Address used in the IPv6 header of the multicast packet, a mobile 5313 node that tunnels a multicast packet to its home agent MUST use 5314 its home address as the IPv6 Source Address of the inner 5315 multicast packet. 5317 Note that direct sending from the foreign link is only applicable 5318 while the mobile node is at that foreign link. This is because the 5319 associated multicast tree is specific to that source location and any 5320 change of location and source address will invalidate the source 5321 specific tree or branch and the application context of the other 5322 multicast group members. 5324 This specification does not provide mechanisms to enable such local 5325 multicast session to survive hand-off and to seamlessly continue from 5326 a new care-of address on each new foreign link. Any such mechanism, 5327 developed as an extension to this specification, needs to take into 5328 account the impact of fast moving mobile nodes on the Internet 5329 multicast routing protocols and their ability to maintain the 5330 integrity of source specific multicast trees and branches. 5332 While the use of bidirectional tunneling can ensure that multicast 5333 trees are independent of the mobile nodes movement, in some case such 5334 tunneling can have adverse affects. The latency of specific types of 5335 multicast applications (such as multicast based discovery protocols) 5336 will be affected when the round-trip time between the foreign subnet 5337 and the home agent is significant compared to that of the topology to 5338 be discovered. In addition, the delivery tree from the home agent in 5339 such circumstances relies on unicast encapsulation from the agent to 5340 the mobile node. Therefore, bandwidth usage is inefficient compared 5341 to the native multicast forwarding in the foreign multicast system. 5343 11.3.5. Receiving ICMP Error Messages 5345 Any node that does not recognize the Mobility header will return an 5346 ICMP Parameter Problem, Code 1, message to the sender of the packet. 5347 If the mobile node receives such an ICMP error message in response to 5348 a return routability procedure or Binding Update, it SHOULD record in 5349 its Binding Update List that future Binding Updates SHOULD NOT be 5350 sent to this destination. Such Binding Update List entries SHOULD be 5351 removed after a period of time in order to allow for retrying route 5352 optimization. 5354 New Binding Update List entries MUST NOT be created as a result of 5355 receiving ICMP error messages. 5357 Correspondent nodes that have participated in the return routability 5358 procedure MUST implement the ability to correctly process received 5359 packets containing a Home Address destination option. Therefore, 5360 correctly implemented correspondent nodes should always be able to 5361 recognize Home Address options. If a mobile node receives an ICMP 5362 Parameter Problem, Code 2, message from some node indicating that it 5363 does not support the Home Address option, the mobile node SHOULD log 5364 the error and then discard the ICMP message. 5366 11.3.6. Receiving Binding Error Messages 5368 When a mobile node receives a packet containing a Binding Error 5369 message, it should first check if the mobile node has a Binding 5370 Update List entry for the source of the Binding Error message. If 5371 the mobile node does not have such an entry, it MUST ignore the 5372 message. This is necessary to prevent a waste of resources on, e.g., 5373 return routability procedure due to spoofed Binding Error messages. 5375 Otherwise, if the message Status field was 1 (unknown binding for 5376 Home Address destination option), the mobile node should perform one 5377 of the following two actions: 5379 o If the mobile node has recent upper layer progress information, 5380 which indicates that communications with the correspondent node 5381 are progressing, it MAY ignore the message. This can be done in 5382 order to limit the damage that spoofed Binding Error messages can 5383 cause to ongoing communications. 5385 o If the mobile node has no upper layer progress information, it 5386 MUST remove the entry and route further communications through the 5387 home agent. It MAY also optionally start a return routability 5388 procedure (see Section 5.2). 5390 If the message Status field was 2 (unrecognized MH Type value), the 5391 mobile node should perform one of the following two actions: 5393 o If the mobile node is not expecting an acknowledgement or response 5394 from the correspondent node, the mobile node SHOULD ignore this 5395 message. 5397 o Otherwise, the mobile node SHOULD cease the use of any extensions 5398 to this specification. If no extensions had been used, the mobile 5399 node should cease the attempt to use route optimization. 5401 11.4. Home Agent and Prefix Management 5403 11.4.1. Dynamic Home Agent Address Discovery 5405 Sometimes when the mobile node needs to send a Binding Update to its 5406 home agent to register its new primary care-of address, as described 5407 in Section 11.7.1, the mobile node may not know the address of any 5408 router on its home link that can serve as a home agent for it. For 5409 example, some nodes on its home link may have been reconfigured while 5410 the mobile node has been away from home, such that the router that 5411 was operating as the mobile node's home agent has been replaced by a 5412 different router serving this role. 5414 In this case, the mobile node MAY attempt to discover the address of 5415 a suitable home agent on its home link. To do so, the mobile node 5416 sends an ICMP Home Agent Address Discovery Request message to the 5417 Mobile IPv6 Home-Agents anycast address [10] for its home subnet 5418 prefix. As described in Section 10.5, the home agent on its home 5419 link that receives this Request message will return an ICMP Home 5420 Agent Address Discovery Reply message. This message gives the 5421 addresses for the home agents operating on the home link. 5423 The mobile node, upon receiving this Home Agent Address Discovery 5424 Reply message, MAY then send its home registration Binding Update to 5425 any of the unicast IP addresses listed in the Home Agent Addresses 5426 field in the Reply. For example, the mobile node MAY attempt its 5427 home registration to each of these addresses, in turn, until its 5428 registration is accepted. The mobile node sends a Binding Update to 5429 an address and waits for the matching Binding Acknowledgement, moving 5430 on to the next address if there is no response. The mobile node 5431 MUST, however, wait at least InitialBindackTimeoutFirstReg seconds 5432 (see Section 13) before sending a Binding Update to the next home 5433 agent. In trying each of the returned home agent addresses, the 5434 mobile node SHOULD try each of them in the order they appear in the 5435 Home Agent Addresses field in the received Home Agent Address 5436 Discovery Reply message. 5438 If the mobile node has a current registration with some home agent 5439 (the Lifetime for that registration has not yet expired), then the 5440 mobile node MUST attempt any new registration first with that home 5441 agent. If that registration attempt fails (e.g., timed out or 5442 rejected), the mobile node SHOULD then reattempt this registration 5443 with another home agent. If the mobile node knows of no other 5444 suitable home agent, then it MAY attempt the dynamic home agent 5445 address discovery mechanism described above. 5447 If, after a mobile node transmits a Home Agent Address Discovery 5448 Request message to the Home Agents Anycast address, it does not 5449 receive a corresponding Home Agent Address Discovery Reply message 5450 within INITIAL_DHAAD_TIMEOUT (see Section 12) seconds, the mobile 5451 node MAY retransmit the same Request message to the same anycast 5452 address. This retransmission MAY be repeated up to a maximum of 5453 DHAAD_RETRIES (see Section 12) attempts. Each retransmission MUST be 5454 delayed by twice the time interval of the previous retransmission. 5456 11.4.2. Sending Mobile Prefix Solicitations 5458 When a mobile node has a home address that is about to become 5459 invalid, it SHOULD send a Mobile Prefix Solicitation to its home 5460 agent in an attempt to acquire fresh routing prefix information. The 5461 new information also enables the mobile node to participate in 5462 renumbering operations affecting the home network, as described in 5463 Section 10.6. 5465 The mobile node MUST use the Home Address destination option to carry 5466 its home address. The mobile node MUST support and SHOULD use IPsec 5467 to protect the solicitation. The mobile node MUST set the Identifier 5468 field in the ICMP header to a random value. 5470 As described in Section 11.7.2, Binding Updates sent by the mobile 5471 node to other nodes MUST use a lifetime no greater than the remaining 5472 lifetime of its home registration of its primary care-of address. 5473 The mobile node SHOULD further limit the lifetimes that it sends on 5474 any Binding Updates to be within the remaining valid lifetime (see 5475 Section 10.6.2) for the prefix in its home address. 5477 When the lifetime for a changed prefix decreases, and the change 5478 would cause cached bindings at correspondent nodes in the Binding 5479 Update List to be stored past the newly shortened lifetime, the 5480 mobile node MUST issue a Binding Update to all such correspondent 5481 nodes. 5483 These limits on the binding lifetime serve to prohibit use of a 5484 mobile node's home address after it becomes invalid. 5486 11.4.3. Receiving Mobile Prefix Advertisements 5488 Section 10.6 describes the operation of a home agent to support boot 5489 time configuration and renumbering a mobile node's home subnet while 5490 the mobile node is away from home. The home agent sends Mobile 5491 Prefix Advertisements to the mobile node while away from home, giving 5492 "important" Prefix Information options that describe changes in the 5493 prefixes in use on the mobile node's home link. 5495 The Mobile Prefix Solicitation is similar to the Router Solicitation 5496 used in Neighbor Discovery [18], except it is routed from the mobile 5497 node on the visited network to the home agent on the home network by 5498 usual unicast routing rules. 5500 When a mobile node receives a Mobile Prefix Advertisement, it MUST 5501 validate it according to the following test: 5503 o The Source Address of the IP packet carrying the Mobile Prefix 5504 Advertisement is the same as the home agent address to which the 5505 mobile node last sent an accepted home registration Binding Update 5506 to register its primary care-of address. Otherwise, if no such 5507 registrations have been made, it SHOULD be the mobile node's 5508 stored home agent address, if one exists. Otherwise, if the 5509 mobile node has not yet discovered its home agent's address, it 5510 MUST NOT accept Mobile Prefix Advertisements. 5512 o The packet MUST have a type 2 routing header and SHOULD be 5513 protected by an IPsec header as described in Section 5.4 and 5514 Section 6.8. 5516 o If the ICMP Identifier value matches the ICMP Identifier value of 5517 the most recently sent Mobile Prefix Solicitation and no other 5518 advertisement has yet been received for this value, then the 5519 advertisement is considered to be solicited and will be processed 5520 further. 5522 Otherwise, the advertisement is unsolicited, and MUST be 5523 discarded. In this case the mobile node SHOULD send a Mobile 5524 Prefix Solicitation. 5526 Any received Mobile Prefix Advertisement not meeting these tests MUST 5527 be silently discarded. 5529 For an accepted Mobile Prefix Advertisement, the mobile node MUST 5530 process Managed Address Configuration (M), Other Stateful 5531 Configuration (O), and the Prefix Information Options as if they 5532 arrived in a Router Advertisement [18] on the mobile node's home 5533 link. (This specification does not, however, describe how to acquire 5534 home addresses through stateful protocols.) Such processing may 5535 result in the mobile node configuring a new home address, although 5536 due to separation between preferred lifetime and valid lifetime, such 5537 changes should not affect most communications by the mobile node, in 5538 the same way as for nodes that are at home. 5540 This specification assumes that any security associations and 5541 security policy entries that may be needed for new prefixes have been 5542 pre-configured in the mobile node. Note that while dynamic key 5543 management avoids the need to create new security associations, it is 5544 still necessary to add policy entries to protect the communications 5545 involving the home address(es). Mechanisms for automatic set-up of 5546 these entries are outside the scope of this specification. 5548 11.5. Movement 5550 11.5.1. Movement Detection 5552 The primary goal of movement detection is to detect L3 handovers. 5553 This section does not attempt to specify a fast movement detection 5554 algorithm which will function optimally for all types of 5555 applications, link-layers and deployment scenarios; instead, it 5556 describes a generic method that uses the facilities of IPv6 Neighbor 5557 Discovery, including Router Discovery and Neighbor Unreachability 5558 Detection. At the time of this writing, this method is considered 5559 well enough understood to recommend for standardization, however it 5560 is expected that future versions of this specification or other 5561 specifications may contain updated versions of the movement detection 5562 algorithm that have better performance. 5564 Generic movement detection uses Neighbor Unreachability Detection to 5565 detect when the default router is no longer bi-directionally 5566 reachable, in which case the mobile node must discover a new default 5567 router (usually on a new link). However, this detection only occurs 5568 when the mobile node has packets to send, and in the absence of 5569 frequent Router Advertisements or indications from the link-layer, 5570 the mobile node might become unaware of an L3 handover that occurred. 5571 Therefore, the mobile node should supplement this method with other 5572 information whenever it is available to the mobile node (e.g., from 5573 lower protocol layers). 5575 When the mobile node detects an L3 handover, it performs Duplicate 5576 Address Detection [19] on its link-local address, selects a new 5577 default router as a consequence of Router Discovery, and then 5578 performs Prefix Discovery with that new router to form new care-of 5579 address(es) as described in Section 11.5.2. It then registers its 5580 new primary care-of address with its home agent as described in 5581 Section 11.7.1. After updating its home registration, the mobile 5582 node then updates associated mobility bindings in correspondent nodes 5583 that it is performing route optimization with as specified in 5584 Section 11.7.2. 5586 Due to the temporary packet flow disruption and signaling overhead 5587 involved in updating mobility bindings, the mobile node should avoid 5588 performing an L3 handover until it is strictly necessary. 5589 Specifically, when the mobile node receives a Router Advertisement 5590 from a new router that contains a different set of on-link prefixes, 5591 if the mobile node detects that the currently selected default router 5592 on the old link is still bi-directionally reachable, it should 5593 generally continue to use the old router on the old link rather than 5594 switch away from it to use a new default router. 5596 Mobile nodes can use the information in received Router 5597 Advertisements to detect L3 handovers. In doing so the mobile node 5598 needs to consider the following issues: 5600 o There might be multiple routers on the same link, thus hearing a 5601 new router does not necessarily constitute an L3 handover. 5603 o When there are multiple routers on the same link they might 5604 advertise different prefixes. Thus even hearing a new router with 5605 a new prefix might not be a reliable indication of an L3 handover. 5607 o The link-local addresses of routers are not globally unique, hence 5608 after completing an L3 handover the mobile node might continue to 5609 receive Router Advertisements with the same link-local source 5610 address. This might be common if routers use the same link-local 5611 address on multiple interfaces. This issue can be avoided when 5612 routers use the Router Address (R) bit, since that provides a 5613 global address of the router. 5615 In addition, the mobile node should consider the following events as 5616 indications that an L3 handover may have occurred. Upon receiving 5617 such indications, the mobile node needs to perform Router Discovery 5618 to discover routers and prefixes on the new link, as described in 5619 Section 6.3.7 of RFC 4861 [18]. 5621 o If Router Advertisements that the mobile node receives include an 5622 Advertisement Interval option, the mobile node may use its 5623 Advertisement Interval field as an indication of the frequency 5624 with which it should expect to continue to receive future 5625 Advertisements from that router. This field specifies the minimum 5626 rate (the maximum amount of time between successive 5627 Advertisements) that the mobile node should expect. If this 5628 amount of time elapses without the mobile node receiving any 5629 Advertisement from this router, the mobile node can be sure that 5630 at least one Advertisement sent by the router has been lost. The 5631 mobile node can then implement its own policy to determine how 5632 many lost Advertisements from its current default router 5633 constitute an L3 handover indication. 5635 o Neighbor Unreachability Detection determines that the default 5636 router is no longer reachable. 5638 o With some types of networks, notification that an L2 handover has 5639 occurred might be obtained from lower layer protocols or device 5640 driver software within the mobile node. While further details 5641 around handling L2 indications as movement hints is an item for 5642 further study, at the time of writing this specification the 5643 following is considered reasonable: 5645 An L2 handover indication may or may not imply L2 movement and L2 5646 movement may or may not imply L3 movement; the correlations might 5647 be a function of the type of L2 but might also be a function of 5648 actual deployment of the wireless topology. 5650 Unless it is well-known that an L2 handover indication is likely 5651 to imply L3 movement, instead of immediately multicasting a router 5652 solicitation it may be better to attempt to verify whether the 5653 default router is still bi-directionally reachable. This can be 5654 accomplished by sending a unicast Neighbor Solicitation and 5655 waiting for a Neighbor Advertisement with the solicited flag set. 5656 Note that this is similar to Neighbor Unreachability detection but 5657 it does not have the same state machine, such as the STALE state. 5659 If the default router does not respond to the Neighbor 5660 Solicitation it makes sense to proceed to multicasting a Router 5661 Solicitation. 5663 11.5.2. Forming New Care-of Addresses 5665 After detecting that it has moved a mobile node SHOULD generate a new 5666 primary care-of address using normal IPv6 mechanisms. This SHOULD 5667 also be done when the current primary care-of address becomes 5668 deprecated. A mobile node MAY form a new primary care-of address at 5669 any time, but a mobile node MUST NOT send a Binding Update about a 5670 new care-of address to its home agent more than MAX_UPDATE_RATE times 5671 within a second. 5673 In addition, a mobile node MAY form new non-primary care-of addresses 5674 even when it has not switched to a new default router. A mobile node 5675 can have only one primary care-of address at a time (which is 5676 registered with its home agent), but it MAY have an additional 5677 care-of address for any or all of the prefixes on its current link. 5678 Furthermore, since a wireless network interface may actually allow a 5679 mobile node to be reachable on more than one link at a time (i.e., 5680 within wireless transmitter range of routers on more than one 5681 separate link), a mobile node MAY have care-of addresses on more than 5682 one link at a time. The use of more than one care-of address at a 5683 time is described in Section 11.5.3. 5685 As described in Section 4, in order to form a new care-of address, a 5686 mobile node MAY use either stateless [19] or stateful (e.g., DHCPv6 5687 [27]) Address Autoconfiguration. If a mobile node needs to use a 5688 source address (other than the unspecified address) in packets sent 5689 as a part of address autoconfiguration, it MUST use an IPv6 link- 5690 local address rather than its own IPv6 home address. 5692 RFC 4862 [19] specifies that in normal processing for Duplicate 5693 Address Detection, the node SHOULD delay sending the initial Neighbor 5694 Solicitation message by a random delay between 0 and 5695 MAX_RTR_SOLICITATION_DELAY. Since delaying DAD can result in 5696 significant delays in configuring a new care-of address when the 5697 Mobile Node moves to a new link, the Mobile Node preferably SHOULD 5698 NOT delay DAD when configuring a new care-of address. The Mobile 5699 Node SHOULD delay according to the mechanisms specified in RFC 4862 5700 unless the implementation has a behavior that desynchronizes the 5701 steps that happen before the DAD in the case that multiple nodes 5702 experience handover at the same time. Such desynchronizing behaviors 5703 might be due to random delays in the L2 protocols or device drivers, 5704 or due to the movement detection mechanism that is used. 5706 11.5.3. Using Multiple Care-of Addresses 5708 As described in Section 11.5.2, a mobile node MAY use more than one 5709 care-of address at a time. Particularly in the case of many wireless 5710 networks, a mobile node effectively might be reachable through 5711 multiple links at the same time (e.g., with overlapping wireless 5712 cells), on which different on-link subnet prefixes may exist. The 5713 mobile node MUST ensure that its primary care-of address always has a 5714 prefix that is advertised by its current default router. After 5715 selecting a new primary care-of address, the mobile node MUST send a 5716 Binding Update containing that care-of address to its home agent. 5717 The Binding Update MUST have the Home Registration (H) and 5718 Acknowledge (A) bits set its home agent, as described on 5719 Section 11.7.1. 5721 To assist with smooth handovers, a mobile node SHOULD retain its 5722 previous primary care-of address as a (non-primary) care-of address, 5723 and SHOULD still accept packets at this address, even after 5724 registering its new primary care-of address with its home agent. 5725 This is reasonable, since the mobile node could only receive packets 5726 at its previous primary care-of address if it were indeed still 5727 connected to that link. If the previous primary care-of address was 5728 allocated using stateful Address Autoconfiguration [27], the mobile 5729 node may not wish to release the address immediately upon switching 5730 to a new primary care-of address. 5732 Whenever a mobile node determines that it is no longer reachable 5733 through a given link, it SHOULD invalidate all care-of addresses 5734 associated with address prefixes that it discovered from routers on 5735 the unreachable link which are not in the current set of address 5736 prefixes advertised by the (possibly new) current default router. 5738 11.5.4. Returning Home 5740 A mobile node detects that it has returned to its home link through 5741 the movement detection algorithm in use (Section 11.5.1), when the 5742 mobile node detects that its home subnet prefix is again on-link. 5743 The mobile node SHOULD then send a Binding Update to its home agent, 5744 to instruct its home agent to no longer intercept or tunnel packets 5745 for it. In this home registration, the mobile node MUST set the 5746 Acknowledge (A) and Home Registration (H) bits, set the Lifetime 5747 field to zero, and set the care-of address for the binding to the 5748 mobile node's own home address. The mobile node MUST use its home 5749 address as the source address in the Binding Update. 5751 When sending this Binding Update to its home agent, the mobile node 5752 must be careful in how it uses Neighbor Solicitation [18] (if needed) 5753 to learn the home agent's link-layer address, since the home agent 5754 will be currently configured to intercept packets to the mobile 5755 node's home address using Duplicate Address Detection (DAD). In 5756 particular, the mobile node is unable to use its home address as the 5757 Source Address in the Neighbor Solicitation until the home agent 5758 stops defending the home address. 5760 Neighbor Solicitation by the mobile node for the home agent's address 5761 will normally not be necessary, since the mobile node has already 5762 learned the home agent's link-layer address from a Source Link-Layer 5763 Address option in a Router Advertisement. However, if there are 5764 multiple home agents it may still be necessary to send a 5765 solicitation. In this special case of the mobile node returning 5766 home, the mobile node MUST multicast the packet, and in addition set 5767 the Source Address of this Neighbor Solicitation to the unspecified 5768 address (0:0:0:0:0:0:0:0). The target of the Neighbor Solicitation 5769 MUST be set to the mobile node's home address. The destination IP 5770 address MUST be set to the Solicited-Node multicast address [16]. 5772 The home agent will send a multicast Neighbor Advertisement back to 5773 the mobile node with the Solicited flag (S) set to zero. In any 5774 case, the mobile node SHOULD record the information from the Source 5775 Link-Layer Address option or from the advertisement, and set the 5776 state of the Neighbor Cache entry for the home agent to REACHABLE. 5778 The mobile node then sends its Binding Update to the home agent's 5779 link-layer address, instructing its home agent to no longer serve as 5780 a home agent for it. By processing this Binding Update, the home 5781 agent will cease defending the mobile node's home address for 5782 Duplicate Address Detection and will no longer respond to Neighbor 5783 Solicitations for the mobile node's home address. The mobile node is 5784 then the only node on the link receiving packets at the mobile node's 5785 home address. In addition, when returning home prior to the 5786 expiration of a current binding for its home address, and configuring 5787 its home address on its network interface on its home link, the 5788 mobile node MUST NOT perform Duplicate Address Detection on its own 5789 home address, in order to avoid confusion or conflict with its home 5790 agent's use of the same address. This rule also applies to the 5791 derived link-local address of the mobile node, if the Link Local 5792 Address Compatibility (L) bit was set when the binding was created. 5793 If the mobile node returns home after the bindings for all of its 5794 care-of addresses have expired, then it SHOULD perform DAD. 5796 After the Mobile Node sends the Binding Update, it MUST be prepared 5797 to reply to Neighbor Solicitations for its home address. Such 5798 replies MUST be sent using a unicast Neighbor Advertisement to the 5799 sender's link-layer address. It is necessary to reply, since sending 5800 the Binding Acknowledgement from the home agent may require 5801 performing Neighbor Discovery, and the mobile node may not be able to 5802 distinguish Neighbor Solicitations coming from the home agent from 5803 other Neighbor Solicitations. Note that a race condition exists 5804 where both the mobile node and the home agent respond to the same 5805 solicitations sent by other nodes; this will be only temporary, 5806 however, until the Binding Update is accepted. 5808 After receiving the Binding Acknowledgement for its Binding Update to 5809 its home agent, the mobile node MUST multicast onto the home link (to 5810 the all-nodes multicast address) a Neighbor Advertisement [18], to 5811 advertise the mobile node's own link-layer address for its own home 5812 address. The Target Address in this Neighbor Advertisement MUST be 5813 set to the mobile node's home address, and the Advertisement MUST 5814 include a Target Link-layer Address option specifying the mobile 5815 node's link-layer address. The mobile node MUST multicast such a 5816 Neighbor Advertisement for each of its home addresses, as defined by 5817 the current on-link prefixes, including its link-local address and 5818 site-local address. The Solicited Flag (S) in these Advertisements 5819 MUST NOT be set, since they were not solicited by any Neighbor 5820 Solicitation. The Override Flag (O) in these Advertisements MUST be 5821 set, indicating that the Advertisements SHOULD override any existing 5822 Neighbor Cache entries at any node receiving them. 5824 Since multicasting on the local link (such as Ethernet) is typically 5825 not guaranteed to be reliable, the mobile node MAY retransmit these 5826 Neighbor Advertisements [18] up to MAX_NEIGHBOR_ADVERTISEMENT times 5827 to increase their reliability. It is still possible that some nodes 5828 on the home link will not receive any of these Neighbor 5829 Advertisements, but these nodes will eventually be able to recover 5830 through use of Neighbor Unreachability Detection [18]. 5832 Note that the tunnel via the home agent typically stops operating at 5833 the same time that the home registration is deleted. 5835 11.6. Return Routability Procedure 5837 This section defines the rules that the mobile node must follow when 5838 performing the return routability procedure. Section 11.7.2 5839 describes the rules when the return routability procedure needs to be 5840 initiated. 5842 11.6.1. Sending Test Init Messages 5844 A mobile node that initiates a return routability procedure MUST send 5845 (in parallel) a Home Test Init message and a Care-of Test Init 5846 messages. However, if the mobile node has recently received (see 5847 Section 5.2.7) one or both home or care-of keygen tokens, and 5848 associated nonce indices for the desired addresses, it MAY reuse 5849 them. Therefore, the return routability procedure may in some cases 5850 be completed with only one message pair. It may even be completed 5851 without any messages at all, if the mobile node has a recent home 5852 keygen token and has previously visited the same care-of address so 5853 that it also has a recent care-of keygen token. If the mobile node 5854 intends to send a Binding Update with the Lifetime set to zero and 5855 the care-of address equal to its home address - such as when 5856 returning home - sending a Home Test Init message is sufficient. In 5857 this case, generation of the binding management key depends 5858 exclusively on the home keygen token (Section 5.2.5). 5860 A Home Test Init message MUST be created as described in 5861 Section 6.1.3. 5863 A Care-of Test Init message MUST be created as described in 5864 Section 6.1.4. When sending a Home Test Init or Care-of Test Init 5865 message the mobile node MUST record in its Binding Update List the 5866 following fields from the messages: 5868 o The IP address of the node to which the message was sent. 5870 o The home address of the mobile node. This value will appear in 5871 the Source Address field of the Home Test Init message. When 5872 sending the Care-of Test Init message, this address does not 5873 appear in the message, but represents the home address for which 5874 the binding is desired. 5876 o The time at which each of these messages was sent. 5878 o The cookies used in the messages. 5880 Note that a single Care-of Test Init message may be sufficient even 5881 when there are multiple home addresses. In this case the mobile node 5882 MAY record the same information in multiple Binding Update List 5883 entries. 5885 11.6.2. Receiving Test Messages 5887 Upon receiving a packet carrying a Home Test message, a mobile node 5888 MUST validate the packet according to the following tests: 5890 o The Source Address of the packet belongs to a correspondent node 5891 for which the mobile node has a Binding Update List entry with a 5892 state indicating that return routability procedure is in progress. 5893 Note that there may be multiple such entries. 5895 o The Binding Update List indicates that no home keygen token has 5896 been received yet. 5898 o The Destination Address of the packet has the home address of the 5899 mobile node, and the packet has been received in a tunnel from the 5900 home agent. 5902 o The Home Init Cookie field in the message matches the value stored 5903 in the Binding Update List. 5905 Any Home Test message not satisfying all of these tests MUST be 5906 silently ignored. Otherwise, the mobile node MUST record the Home 5907 Nonce Index and home keygen token in the Binding Update List. If the 5908 Binding Update List entry does not have a care-of keygen token, the 5909 mobile node SHOULD continue waiting for the Care-of Test message. 5911 Upon receiving a packet carrying a Care-of Test message, a mobile 5912 node MUST validate the packet according to the following tests: 5914 o The Source Address of the packet belongs to a correspondent node 5915 for which the mobile node has a Binding Update List entry with a 5916 state indicating that return routability procedure is in progress. 5917 Note that there may be multiple such entries. 5919 o The Binding Update List indicates that no care-of keygen token has 5920 been received yet. 5922 o The Destination Address of the packet is the current care-of 5923 address of the mobile node. 5925 o The Care-of Init Cookie field in the message matches the value 5926 stored in the Binding Update List. 5928 Any Care-of Test message not satisfying all of these tests MUST be 5929 silently ignored. Otherwise, the mobile node MUST record the Care-of 5930 Nonce Index and care-of keygen token in the Binding Update List. If 5931 the Binding Update List entry does not have a home keygen token, the 5932 mobile node SHOULD continue waiting for the Home Test message. 5934 If after receiving either the Home Test or the Care-of Test message 5935 and performing the above actions, the Binding Update List entry has 5936 both the home and the care-of keygen tokens, the return routability 5937 procedure is complete. The mobile node SHOULD then proceed with 5938 sending a Binding Update as described in Section 11.7.2. 5940 Correspondent nodes from the time before this specification was 5941 published may not support the Mobility Header protocol. These nodes 5942 will respond to Home Test Init and Care-of Test Init messages with an 5943 ICMP Parameter Problem code 1. The mobile node SHOULD take such 5944 messages as an indication that the correspondent node cannot provide 5945 route optimization, and revert back to the use of bidirectional 5946 tunneling. 5948 11.6.3. Protecting Return Routability Packets 5950 The mobile node MUST support the protection of Home Test and Home 5951 Test Init messages as described in Section 10.4.6. 5953 When IPsec is used to protect return routability signaling or payload 5954 packets, the mobile node MUST set the source address it uses for the 5955 outgoing tunnel packets to the current primary care-of address. The 5956 mobile node starts to use a new primary care-of address immediately 5957 after sending a Binding Update to the home agent to register this new 5958 address. 5960 11.7. Processing Bindings 5961 11.7.1. Sending Binding Updates to the Home Agent 5963 After deciding to change its primary care-of address as described in 5964 Section 11.5.1 and Section 11.5.2, a mobile node MUST register this 5965 care-of address with its home agent in order to make this its primary 5966 care-of address. 5968 Also, if the mobile node wants the services of the home agent beyond 5969 the current registration period, the mobile node should send a new 5970 Binding Update to it well before the expiration of this period, even 5971 if it is not changing its primary care-of address. However, if the 5972 home agent returned a Binding Acknowledgement for the current 5973 registration with Status field set to 1 (accepted but prefix 5974 discovery necessary), the mobile node should not try to register 5975 again before it has learned the validity of its home prefixes through 5976 mobile prefix discovery. This is typically necessary every time this 5977 Status value is received, because information learned earlier may 5978 have changed. 5980 To register a care-of address or to extend the lifetime of an 5981 existing registration, the mobile node sends a packet to its home 5982 agent containing a Binding Update, with the packet constructed as 5983 follows: 5985 o The Home Registration (H) bit MUST be set in the Binding Update. 5987 o The Acknowledge (A) bit MUST be set in the Binding Update. 5989 o The packet MUST contain a Home Address destination option, giving 5990 the mobile node's home address for the binding. 5992 o The care-of address for the binding MUST be used as the Source 5993 Address in the packet's IPv6 header, unless an Alternate Care-of 5994 Address mobility option is included in the Binding Update. This 5995 option MUST be included in all home registrations, as the ESP 5996 protocol will not be able to protect care-of addresses in the IPv6 5997 header. (Mobile IPv6 implementations that know they are using 5998 IPsec AH to protect a particular message might avoid this option. 5999 For brevity the usage of AH is not discussed in this document.) 6001 o If the mobile node's link-local address has the same interface 6002 identifier as the home address for which it is supplying a new 6003 care-of address, then the mobile node SHOULD set the Link-Local 6004 Address Compatibility (L) bit. 6006 o If the home address was generated using RFC 4941 [20], then the 6007 link local address is unlikely to have a compatible interface 6008 identifier. In this case, the mobile node MUST clear the Link- 6009 Local Address Compatibility (L) bit. 6011 o If the IPsec security associations between the mobile node and the 6012 home agent have been established dynamically, and the mobile node 6013 has the capability to update its endpoint in the used key 6014 management protocol to the new care-of address every time it 6015 moves, the mobile node SHOULD set the Key Management Mobility 6016 Capability (K) bit in the Binding Update. Otherwise, the mobile 6017 node MUST clear the bit. 6019 o The value specified in the Lifetime field MUST be non-zero and 6020 SHOULD be less than or equal to the remaining valid lifetime of 6021 the home address and the care-of address specified for the 6022 binding. 6024 Mobile nodes that use dynamic home agent address discovery should 6025 be careful with long lifetimes. If the mobile node loses the 6026 knowledge of its binding with a specific home agent, registering a 6027 new binding with another home agent may be impossible as the 6028 previous home agent is still defending the existing binding. 6029 Therefore, to ensure that mobile nodes using home agent address 6030 discovery do not lose information about their binding, they SHOULD 6031 de-register before losing this information, or use small 6032 lifetimes. 6034 The Acknowledge (A) bit in the Binding Update requests the home agent 6035 to return a Binding Acknowledgement in response to this Binding 6036 Update. As described in Section 6.1.8, the mobile node SHOULD 6037 retransmit this Binding Update to its home agent until it receives a 6038 matching Binding Acknowledgement. Once reaching a retransmission 6039 timeout period of MAX_BINDACK_TIMEOUT, the mobile node SHOULD restart 6040 the process of delivering the Binding Update, but trying instead the 6041 next home agent returned during dynamic home agent address discovery 6042 (see Section 11.4.1). If there was only one home agent, the mobile 6043 node instead SHOULD continue to periodically retransmit the Binding 6044 Update at this rate until acknowledged (or until it begins attempting 6045 to register a different primary care-of address). See Section 11.8 6046 for information about retransmitting Binding Updates. 6048 With the Binding Update, the mobile node requests the home agent to 6049 serve as the home agent for the given home address. Until the 6050 lifetime of this registration expires, the home agent considers 6051 itself the home agent for this home address. 6053 Each Binding Update MUST be authenticated as coming from the right 6054 mobile node, as defined in Section 5.1. The mobile node MUST use its 6055 home address - either in the Home Address destination option or in 6056 the Source Address field of the IPv6 header - in Binding Updates sent 6057 to the home agent. This is necessary in order to allow the IPsec 6058 policies to be matched with the correct home address. 6060 When sending a Binding Update to its home agent, the mobile node MUST 6061 also create or update the corresponding Binding Update List entry, as 6062 specified in Section 11.7.2. 6064 The last Sequence Number value sent to the home agent in a Binding 6065 Update is stored by the mobile node. If the sending mobile node has 6066 no knowledge of the correct Sequence Number value, it may start at 6067 any value. If the home agent rejects the value, it sends back a 6068 Binding Acknowledgement with a status code 135, and the last accepted 6069 sequence number in the Sequence Number field of the Binding 6070 Acknowledgement. The mobile node MUST store this information and use 6071 the next Sequence Number value for the next Binding Update it sends. 6073 If the mobile node has additional home addresses, then the mobile 6074 node SHOULD send an additional packet containing a Binding Update to 6075 its home agent to register the care-of address for each such other 6076 home address. 6078 The home agent will only perform DAD for the mobile node's home 6079 address when the mobile node has supplied a valid binding between its 6080 home address and a care-of address. If some time elapses during 6081 which the mobile node has no binding at the home agent, it might be 6082 possible for another node to autoconfigure the mobile node's home 6083 address. Therefore, the mobile node MUST treat the creation of a new 6084 binding with the home agent using an existing home address, the same 6085 as creation of a new home address. In the unlikely event that the 6086 mobile node's home address is autoconfigured as the IPv6 address of 6087 another network node on the home network, the home agent will reply 6088 to the mobile node's subsequent Binding Update with a Binding 6089 Acknowledgement containing a Status of 134 (Duplicate Address 6090 Detection failed). In this case, the mobile node MUST NOT attempt to 6091 re-use the same home address. It SHOULD continue to register the 6092 care-of addresses for its other home addresses, if any. (Mechanisms 6093 outlined in Appendix A.5 may in the future allow mobile nodes to 6094 acquire new home addresses to replace the one for which Status 134 6095 was received.) 6097 11.7.2. Correspondent Registration 6099 When the mobile node is assured that its home address is valid, it 6100 can initiate a correspondent registration with the purpose of 6101 allowing the correspondent node to cache the mobile node's current 6102 care-of address. This procedure consists of the return routability 6103 procedure followed by a registration. 6105 This section defines when the correspondent registration is to be 6106 initiated and the rules to follow while it is being performed. 6108 After the mobile node has sent a Binding Update to its home agent, 6109 registering a new primary care-of address (as described in 6110 Section 11.7.1), the mobile node SHOULD initiate a correspondent 6111 registration for each node that already appears in the mobile node's 6112 Binding Update List. The initiated procedures can be used to either 6113 update or delete binding information in the correspondent node. 6115 For nodes that do not appear in the mobile node's Binding Update 6116 List, the mobile node MAY initiate a correspondent registration at 6117 any time after sending the Binding Update to its home agent. 6118 Considerations regarding when (and if) to initiate the procedure 6119 depend on the specific movement and traffic patterns of the mobile 6120 node and are outside the scope of this document. 6122 In addition, the mobile node MAY initiate the correspondent 6123 registration in response to receiving a packet that meets all of the 6124 following tests: 6126 o The packet was tunneled using IPv6 encapsulation. 6128 o The Destination Address in the tunnel (outer) IPv6 header is equal 6129 to any of the mobile node's care-of addresses. 6131 o The Destination Address in the original (inner) IPv6 header is 6132 equal to one of the mobile node's home addresses. 6134 o The Source Address in the tunnel (outer) IPv6 header differs from 6135 the Source Address in the original (inner) IPv6 header. 6137 o The packet does not contain a Home Test, Home Test Init, Care-of 6138 Test, or Care-of Test Init message. 6140 If a mobile node has multiple home addresses, it becomes important to 6141 select the right home address to use in the correspondent 6142 registration. The used home address MUST be the Destination Address 6143 of the original (inner) packet. 6145 The peer address used in the procedure MUST be determined as follows: 6147 o If a Home Address destination option is present in the original 6148 (inner) packet, the address from this option is used. 6150 o Otherwise, the Source Address in the original (inner) IPv6 header 6151 of the packet is used. 6153 Note that the validity of the original packet is checked before 6154 attempting to initiate a correspondent registration. For instance, 6155 if a Home Address destination option appeared in the original packet, 6156 then rules in Section 9.3.1 are followed. 6158 A mobile node MAY also choose to keep its topological location 6159 private from certain correspondent nodes, and thus need not initiate 6160 the correspondent registration. 6162 Upon successfully completing the return routability procedure, and 6163 after receiving a successful Binding Acknowledgement from the Home 6164 Agent, a Binding Update MAY be sent to the correspondent node. 6166 In any Binding Update sent by a mobile node, the care-of address 6167 (either the Source Address in the packet's IPv6 header or the Care-of 6168 Address in the Alternate Care-of Address mobility option of the 6169 Binding Update) MUST be set to one of the care-of addresses currently 6170 in use by the mobile node or to the mobile node's home address. A 6171 mobile node MAY set the care-of address differently for sending 6172 Binding Updates to different correspondent nodes. 6174 A mobile node MAY also send a Binding Update to such a correspondent 6175 node, instructing it to delete any existing binding for the mobile 6176 node from its Binding Cache, as described in Section 6.1.7. Even in 6177 this case a successful completion of the return routability procedure 6178 is required first. 6180 If the care-of address is not set to the mobile node's home address, 6181 the Binding Update requests that the correspondent node create or 6182 update an entry for the mobile node in the correspondent node's 6183 Binding Cache. This is done in order to record a care-of address for 6184 use in sending future packets to the mobile node. In this case, the 6185 value specified in the Lifetime field sent in the Binding Update 6186 SHOULD be less than or equal to the remaining lifetime of the home 6187 registration and the care-of address specified for the binding. The 6188 care-of address given in the Binding Update MAY differ from the 6189 mobile node's primary care-of address. 6191 If the Binding Update is sent to the correspondent node, requesting 6192 the deletion of any existing Binding Cache entry it has for the 6193 mobile node, the care-of address is set to the mobile node's home 6194 address and the Lifetime field set to zero. In this case, generation 6195 of the binding management key depends exclusively on the home keygen 6196 token (Section 5.2.5). The care-of nonce index SHOULD be set to zero 6197 in this case. In keeping with the Binding Update creation rules 6198 below, the care-of address MUST be set to the home address if the 6199 mobile node is at home, or to the current care-of address if it is 6200 away from home. 6202 If the mobile node wants to ensure that its new care-of address has 6203 been entered into a correspondent node's Binding Cache, the mobile 6204 node needs to request an acknowledgement by setting the Acknowledge 6205 (A) bit in the Binding Update. 6207 A Binding Update is created as follows: 6209 o The current care-of address of the mobile node MUST be sent either 6210 in the Source Address of the IPv6 header, or in the Alternate 6211 Care-of Address mobility option. 6213 o The Destination Address of the IPv6 header MUST contain the 6214 address of the correspondent node. 6216 o The Mobility Header is constructed according to rules in 6217 Section 6.1.7 and Section 5.2.6, including the Binding 6218 Authorization Data (calculated as defined in Section 6.2.7) and 6219 possibly the Nonce Indices mobility options. 6221 o The home address of the mobile node MUST be added to the packet in 6222 a Home Address destination option, unless the Source Address is 6223 the home address. 6225 Each Binding Update MUST have a Sequence Number greater than the 6226 Sequence Number value sent in the previous Binding Update to the same 6227 destination address (if any). The sequence numbers are compared 6228 modulo 2**16, as described in Section 9.5.1. There is no 6229 requirement, however, that the Sequence Number value strictly 6230 increase by 1 with each new Binding Update sent or received, as long 6231 as the value stays within the window. The last Sequence Number value 6232 sent to a destination in a Binding Update is stored by the mobile 6233 node in its Binding Update List entry for that destination. If the 6234 sending mobile node has no Binding Update List entry, the Sequence 6235 Number SHOULD start at a random value. The mobile node MUST NOT use 6236 the same Sequence Number in two different Binding Updates to the same 6237 correspondent node, even if the Binding Updates provide different 6238 care-of addresses. 6240 The mobile node is responsible for the completion of the 6241 correspondent registration, as well as any retransmissions that may 6242 be needed (subject to the rate limitation defined in Section 11.8). 6244 11.7.3. Receiving Binding Acknowledgements 6246 Upon receiving a packet carrying a Binding Acknowledgement, a mobile 6247 node MUST validate the packet according to the following tests: 6249 o The packet meets the authentication requirements for Binding 6250 Acknowledgements defined in Section 6.1.8 and Section 5. That is, 6251 if the Binding Update was sent to the home agent, underlying IPsec 6252 protection is used. If the Binding Update was sent to the 6253 correspondent node, the Binding Authorization Data mobility option 6254 MUST be present and have a valid value. 6256 o The Binding Authorization Data mobility option, if present, MUST 6257 be the last option and MUST NOT have trailing padding. 6259 o The Sequence Number field matches the Sequence Number sent by the 6260 mobile node to this destination address in an outstanding Binding 6261 Update. 6263 Any Binding Acknowledgement not satisfying all of these tests MUST be 6264 silently ignored. 6266 When a mobile node receives a packet carrying a valid Binding 6267 Acknowledgement, the mobile node MUST examine the Status field as 6268 follows: 6270 o If the Status field indicates that the Binding Update was accepted 6271 (the Status field is less than 128), then the mobile node MUST 6272 update the corresponding entry in its Binding Update List to 6273 indicate that the Binding Update has been acknowledged; the mobile 6274 node MUST then stop retransmitting the Binding Update. In 6275 addition, if the value specified in the Lifetime field in the 6276 Binding Acknowledgement is less than the Lifetime value sent in 6277 the Binding Update being acknowledged, the mobile node MUST 6278 subtract the difference between these two Lifetime values from the 6279 remaining lifetime for the binding as maintained in the 6280 corresponding Binding Update List entry (with a minimum value for 6281 the Binding Update List entry lifetime of 0). That is, if the 6282 Lifetime value sent in the Binding Update was L_update, the 6283 Lifetime value received in the Binding Acknowledgement was L_ack, 6284 and the current remaining lifetime of the Binding Update List 6285 entry is L_remain, then the new value for the remaining lifetime 6286 of the Binding Update List entry should be 6288 max((L_remain - (L_update - L_ack)), 0) 6290 where max(X, Y) is the maximum of X and Y. The effect of this step 6291 is to correctly manage the mobile node's view of the binding's 6292 remaining lifetime (as maintained in the corresponding Binding 6293 Update List entry) so that it correctly counts down from the 6294 Lifetime value given in the Binding Acknowledgement, but with the 6295 timer countdown beginning at the time that the Binding Update was 6296 sent. 6298 Mobile nodes SHOULD send a new Binding Update well before the 6299 expiration of this period in order to extend the lifetime. This 6300 helps to avoid disruptions in communications which might otherwise 6301 be caused by network delays or clock drift. 6303 o Additionally, if the Status field value is 1 (accepted but prefix 6304 discovery necessary), the mobile node SHOULD send a Mobile Prefix 6305 Solicitation message to update its information about the available 6306 prefixes. 6308 o If the Status field indicates that the Binding Update was rejected 6309 (the Status field is greater than or equal to 128), then the 6310 mobile node can take steps to correct the cause of the error and 6311 retransmit the Binding Update (with a new Sequence Number value), 6312 subject to the rate limiting restriction specified in 6313 Section 11.8. If this is not done or it fails, then the mobile 6314 node SHOULD record in its Binding Update List that future Binding 6315 Updates SHOULD NOT be sent to this destination. 6317 The treatment of a Binding Refresh Advice mobility option within the 6318 Binding Acknowledgement depends on where the acknowledgement came 6319 from. This option MUST be ignored if the acknowledgement came from a 6320 correspondent node. If it came from the home agent, the mobile node 6321 uses the Refresh Interval field in the option as a suggestion that it 6322 SHOULD attempt to refresh its home registration at the indicated 6323 shorter interval. 6325 If the acknowledgement came from the home agent, the mobile node 6326 examines the value of the Key Management Mobility Capability (K) bit. 6327 If this bit is not set, the mobile node SHOULD discard key management 6328 protocol connections, if any, to the home agent. The mobile node MAY 6329 also initiate a new key management connection. 6331 If this bit is set, the mobile node SHOULD move its own endpoint in 6332 the key management protocol connections to the home agent, if any. 6333 The mobile node's new endpoint should be the new care-of address. 6334 For an IKE phase 1 connection, this means that packets sent to this 6335 address with the original ISAKMP cookies are accepted. 6337 11.7.4. Receiving Binding Refresh Requests 6339 When a mobile node receives a packet containing a Binding Refresh 6340 Request message, the mobile node has a Binding Update List entry for 6341 the source of the Binding Refresh Request, and the mobile node wants 6342 to retain its binding cache entry at the correspondent node, then the 6343 mobile node should start a return routability procedure. If the 6344 mobile node wants to have its binding cache entry removed, it can 6345 either ignore the Binding Refresh Request and wait for the binding to 6346 time out, or at any time, it can delete its binding from a 6347 correspondent node with an explicit binding update with a zero 6348 lifetime and the care-of address set to the home address. If the 6349 mobile node does not know if it needs the binding cache entry, it can 6350 make the decision in an implementation dependent manner, such as 6351 based on available resources. 6353 Note that the mobile node should be careful to not respond to Binding 6354 Refresh Requests for addresses not in the Binding Update List to 6355 avoid being subjected to a denial of service attack. 6357 If the return routability procedure completes successfully, a Binding 6358 Update message SHOULD be sent, as described in Section 11.7.2. The 6359 Lifetime field in this Binding Update SHOULD be set to a new 6360 lifetime, extending any current lifetime remaining from a previous 6361 Binding Update sent to this node (as indicated in any existing 6362 Binding Update List entry for this node), and the lifetime SHOULD 6363 again be less than or equal to the remaining lifetime of the home 6364 registration and the care-of address specified for the binding. When 6365 sending this Binding Update, the mobile node MUST update its Binding 6366 Update List in the same way as for any other Binding Update sent by 6367 the mobile node. 6369 11.8. Retransmissions and Rate Limiting 6371 The mobile node is responsible for retransmissions and rate limiting 6372 in the return routability procedure, registrations, and in solicited 6373 prefix discovery. 6375 When the mobile node sends a Mobile Prefix Solicitation, Home Test 6376 Init, Care-of Test Init or Binding Update for which it expects a 6377 response, the mobile node has to determine a value for the initial 6378 retransmission timer: 6380 o If the mobile node is sending a Mobile Prefix Solicitation, it 6381 SHOULD use an initial retransmission interval of 6382 INITIAL_SOLICIT_TIMER (see Section 12). 6384 o If the mobile node is sending a Binding Update and does not have 6385 an existing binding at the home agent, it SHOULD use 6386 InitialBindackTimeoutFirstReg (see Section 13) as a value for the 6387 initial retransmission timer. This long retransmission interval 6388 will allow the home agent to complete the Duplicate Address 6389 Detection procedure mandated in this case, as detailed in 6390 Section 11.7.1. 6392 o Otherwise, the mobile node should use the specified value of 6393 INITIAL_BINDACK_TIMEOUT for the initial retransmission timer. 6395 If the mobile node fails to receive a valid matching response within 6396 the selected initial retransmission interval, the mobile node SHOULD 6397 retransmit the message until a response is received. 6399 The retransmissions by the mobile node MUST use an exponential back- 6400 off process in which the timeout period is doubled upon each 6401 retransmission, until either the node receives a response or the 6402 timeout period reaches the value MAX_BINDACK_TIMEOUT. The mobile 6403 node MAY continue to send these messages at this slower rate 6404 indefinitely. 6406 The mobile node SHOULD start a separate back-off process for 6407 different message types, different home addresses and different 6408 care-of addresses. However, in addition an overall rate limitation 6409 applies for messages sent to a particular correspondent node. This 6410 ensures that the correspondent node has a sufficient amount of time 6411 to respond when bindings for multiple home addresses are registered, 6412 for instance. The mobile node MUST NOT send Mobility Header messages 6413 of a particular type to a particular correspondent node more than 6414 MAX_UPDATE_RATE times within a second. 6416 Retransmitted Binding Updates MUST use a Sequence Number value 6417 greater than that used for the previous transmission of this Binding 6418 Update. Retransmitted Home Test Init and Care-of Test Init messages 6419 MUST use new cookie values. 6421 12. Protocol Constants 6423 DHAAD_RETRIES 4 retransmissions 6424 INITIAL_BINDACK_TIMEOUT 1 second 6425 INITIAL_DHAAD_TIMEOUT 3 seconds 6426 INITIAL_SOLICIT_TIMER 3 seconds 6427 MAX_BINDACK_TIMEOUT 32 seconds 6428 MAX_NONCE_LIFETIME 240 seconds 6429 MAX_TOKEN_LIFETIME 210 seconds 6430 MAX_RR_BINDING_LIFETIME 420 seconds 6431 MAX_UPDATE_RATE 3 times 6432 PREFIX_ADV_RETRIES 3 retransmissions 6433 PREFIX_ADV_TIMEOUT 3 seconds 6435 13. Protocol Configuration Variables 6437 MaxMobPfxAdvInterval Default: 86,400 seconds 6438 MinDelayBetweenRAs Default: 3 seconds, 6439 Min: 0.03 seconds 6440 MinMobPfxAdvInterval Default: 600 seconds 6441 InitialBindackTimeoutFirstReg Default: 1.5 seconds 6443 Home agents MUST allow the first three variables to be configured by 6444 system management, and mobile nodes MUST allow the last variable to 6445 be configured by system management. 6447 The default value for InitialBindackTimeoutFirstReg has been 6448 calculated as 1.5 times the default value of RetransTimer [18] times 6449 the default value of DupAddrDetectTransmits [19]. 6451 The value MinDelayBetweenRAs overrides the value of the protocol 6452 constant MIN_DELAY_BETWEEN_RAS, as specified in RFC 4861 [18]. This 6453 variable SHOULD be set to MinRtrAdvInterval, if MinRtrAdvInterval is 6454 less than 3 seconds. 6456 14. IANA Considerations 6458 This document defines a new IPv6 protocol, the Mobility Header, 6459 described in Section 6.1. This protocol has been assigned protocol 6460 number 135. 6462 This document also creates a new name space "Mobility Header Type", 6463 for the MH Type field in the Mobility Header. The current message 6464 types are described starting from Section 6.1.2, and are the 6465 following: 6467 0 Binding Refresh Request 6469 1 Home Test Init 6471 2 Care-of Test Init 6473 3 Home Test 6475 4 Care-of Test 6477 5 Binding Update 6479 6 Binding Acknowledgement 6481 7 Binding Error 6483 Future values of the MH Type can be allocated using Standards Action 6484 or IESG Approval [21]. 6486 Furthermore, each mobility message may contain mobility options as 6487 described in Section 6.2. This document defines a new name space 6488 "Mobility Option" to identify these options. The current mobility 6489 options are defined starting from Section 6.2.2 and are the 6490 following: 6492 0 Pad1 6494 1 PadN 6496 2 Binding Refresh Advice 6498 3 Alternate Care-of Address 6500 4 Nonce Indices 6501 5 Authorization Data 6503 Future values of the Option Type can be allocated using Standards 6504 Action or IESG Approval [21]. 6506 Finally, this document creates a third new name space "Status Code" 6507 for the Status field in the Binding Acknowledgement message. The 6508 current values are described in Section 6.1.8, and are the following: 6510 0 Binding Update accepted 6512 1 Accepted but prefix discovery necessary 6514 128 Reason unspecified 6516 129 Administratively prohibited 6518 130 Insufficient resources 6520 131 Home registration not supported 6522 132 Not home subnet 6524 133 Not home agent for this mobile node 6526 134 Duplicate Address Detection failed 6528 135 Sequence number out of window 6530 136 Expired home nonce index 6532 137 Expired care-of nonce index 6534 138 Expired nonces 6536 139 Registration type change disallowed 6538 Future values of the Status field can be allocated using Standards 6539 Action or IESG Approval [21]. 6541 All fields labeled "Reserved" are only to be assigned through 6542 Standards Action or IESG Approval. 6544 This document also defines a new IPv6 destination option, the Home 6545 Address option, described in Section 6.3. This option has been 6546 assigned the Option Type value 0xC9. 6548 This document also defines a new IPv6 type 2 routing header, 6549 described in Section 6.4. The value 2 has been allocated by IANA. 6551 In addition, this document defines four ICMP message types, two used 6552 as part of the dynamic home agent address discovery mechanism, and 6553 two used in lieu of Router Solicitations and Advertisements when the 6554 mobile node is away from the home link. These messages have been 6555 assigned ICMPv6 type numbers from the informational message range: 6557 o The Home Agent Address Discovery Request message, described in 6558 Section 6.5; 6560 o The Home Agent Address Discovery Reply message, described in 6561 Section 6.6; 6563 o The Mobile Prefix Solicitation, described in Section 6.7; and 6565 o The Mobile Prefix Advertisement, described in Section 6.8. 6567 This document also defines two new Neighbor Discovery [18] options, 6568 which have been assigned Option Type values within the option 6569 numbering space for Neighbor Discovery messages: 6571 o The Advertisement Interval option, described in Section 7.3; and 6573 o The Home Agent Information option, described in Section 7.4. 6575 15. Security Considerations 6577 15.1. Threats 6579 Any mobility solution must protect itself against misuses of the 6580 mobility features and mechanisms. In Mobile IPv6, most of the 6581 potential threats are concerned with false Bindings, usually 6582 resulting in Denial-of-Service attacks. Some of the threats also 6583 pose potential for Man-in-the-Middle, Hijacking, Confidentiality, and 6584 Impersonation attacks. The main threats this protocol protects 6585 against are the following: 6587 o Threats involving Binding Updates sent to home agents and 6588 correspondent nodes. For instance, an attacker might claim that a 6589 certain mobile node is currently at a different location than it 6590 really is. If a home agent accepts such spoofed information sent 6591 to it, the mobile node might not get traffic destined to it. 6592 Similarly, a malicious (mobile) node might use the home address of 6593 a victim node in a forged Binding Update sent to a correspondent 6594 node. 6596 These pose threats against confidentiality, integrity, and 6597 availability. That is, an attacker might learn the contents of 6598 packets destined to another node by redirecting the traffic to 6599 itself. Furthermore, an attacker might use the redirected packets 6600 in an attempt to set itself as a Man-in-the-Middle between a 6601 mobile and a correspondent node. This would allow the attacker to 6602 impersonate the mobile node, leading to integrity and availability 6603 problems. 6605 A malicious (mobile) node might also send Binding Updates in which 6606 the care-of address is set to the address of a victim node. If 6607 such Binding Updates were accepted, the malicious node could lure 6608 the correspondent node into sending potentially large amounts of 6609 data to the victim; the correspondent node's replies to messages 6610 sent by the malicious mobile node will be sent to the victim host 6611 or network. This could be used to cause a Distributed Denial-of- 6612 Service attack. For example, the correspondent node might be a 6613 site that will send a high-bandwidth stream of video to anyone who 6614 asks for it. Note that the use of flow-control protocols such as 6615 TCP does not necessarily defend against this type of attack, 6616 because the attacker can fake the acknowledgements. Even keeping 6617 TCP initial sequence numbers secret does not help, because the 6618 attacker can receive the first few segments (including the ISN) at 6619 its own address, and only then redirect the stream to the victim's 6620 address. These types of attacks may also be directed to networks 6621 instead of nodes. Further variations of this threat are described 6622 elsewhere [26] [31]. 6624 An attacker might also attempt to disrupt a mobile node's 6625 communications by replaying a Binding Update that the node had 6626 sent earlier. If the old Binding Update was accepted, packets 6627 destined for the mobile node would be sent to its old location as 6628 opposed to its current location. 6630 In conclusion, there are Denial-of-Service, Man-in-the-Middle, 6631 Confidentiality, and Impersonation threats against the parties 6632 involved in sending legitimate Binding Updates, and Denial-of- 6633 Service threats against any other party. 6635 o Threats associated with payload packets: Payload packets exchanged 6636 with mobile nodes are exposed to similar threats as that of 6637 regular IPv6 traffic. However, Mobile IPv6 introduces the Home 6638 Address destination option, a new routing header type (type 2), 6639 and uses tunneling headers in the payload packets. The protocol 6640 must protect against potential new threats involving the use of 6641 these mechanisms. 6643 Third parties become exposed to a reflection threat via the Home 6644 Address destination option, unless appropriate security 6645 precautions are followed. The Home Address destination option 6646 could be used to direct response traffic toward a node whose IP 6647 address appears in the option. In this case, ingress filtering 6648 would not catch the forged "return address" [33] [36]. 6650 A similar threat exists with the tunnels between the mobile node 6651 and the home agent. An attacker might forge tunnel packets 6652 between the mobile node and the home agent, making it appear that 6653 the traffic is coming from the mobile node when it is not. Note 6654 that an attacker who is able to forge tunnel packets would 6655 typically also be able to forge packets that appear to come 6656 directly from the mobile node. This is not a new threat as such. 6657 However, it may make it easier for attackers to escape detection 6658 by avoiding ingress filtering and packet tracing mechanisms. 6659 Furthermore, spoofed tunnel packets might be used to gain access 6660 to the home network. 6662 Finally, a routing header could also be used in reflection 6663 attacks, and in attacks designed to bypass firewalls. The 6664 generality of the regular routing header would allow circumvention 6665 of IP-address based rules in firewalls. It would also allow 6666 reflection of traffic to other nodes. These threats exist with 6667 routing headers in general, even if the usage that Mobile IPv6 6668 requires is safe. 6670 o Threats associated with dynamic home agent and mobile prefix 6671 discovery. 6673 o Threats against the Mobile IPv6 security mechanisms themselves: An 6674 attacker might, for instance, lure the participants into executing 6675 expensive cryptographic operations or allocating memory for the 6676 purpose of keeping state. The victim node would have no resources 6677 left to handle other tasks. 6679 As a fundamental service in an IPv6 stack, Mobile IPv6 is expected to 6680 be deployed in most nodes of the IPv6 Internet. The above threats 6681 should therefore be considered as being applicable to the whole 6682 Internet. 6684 It should also be noted that some additional threats result from 6685 movements as such, even without the involvement of mobility 6686 protocols. Mobile nodes must be capable to defend themselves in the 6687 networks that they visit, as typical perimeter defenses applied in 6688 the home network no longer protect them. 6690 15.2. Features 6692 This specification provides a series of features designed to mitigate 6693 the risk introduced by the threats listed above. The main security 6694 features are the following: 6696 o Reverse Tunneling as a mandatory feature. 6698 o Protection of Binding Updates sent to home agents. 6700 o Protection of Binding Updates sent to correspondent nodes. 6702 o Protection against reflection attacks that use the Home Address 6703 destination option. 6705 o Protection of tunnels between the mobile node and the home agent. 6707 o Closing routing header vulnerabilities. 6709 o Mitigating Denial-of-Service threats to the Mobile IPv6 security 6710 mechanisms themselves. 6712 The support for encrypted reverse tunneling (see Section 11.3.1) 6713 allows mobile nodes to defeat certain kinds of traffic analysis. 6715 Protecting those Binding Updates that are sent to home agents and 6716 those that are sent to arbitrary correspondent nodes requires very 6717 different security solutions due to the different situations. Mobile 6718 nodes and home agents are naturally expected to be subject to the 6719 network administration of the home domain. 6721 Thus, they can and are supposed to have a security association that 6722 can be used to reliably authenticate the exchanged messages. See 6723 Section 5.1 for the description of the protocol mechanisms, and 6724 Section 15.3 below for a discussion of the resulting level of 6725 security. 6727 It is expected that Mobile IPv6 route optimization will be used on a 6728 global basis between nodes belonging to different administrative 6729 domains. It would be a very demanding task to build an 6730 authentication infrastructure on this scale. Furthermore, a 6731 traditional authentication infrastructure cannot be easily used to 6732 authenticate IP addresses because IP addresses can change often. It 6733 is not sufficient to just authenticate the mobile nodes; 6734 Authorization to claim the right to use an address is needed as well. 6735 Thus, an "infrastructureless" approach is necessary. The chosen 6736 infrastructureless method is described in Section 5.2, and 6737 Section 15.4 discusses the resulting security level and the design 6738 rationale of this approach. 6740 Specific rules guide the use of the Home Address destination option, 6741 the routing header, and the tunneling headers in the payload packets. 6742 These rules are necessary to remove the vulnerabilities associated 6743 with their unrestricted use. The effect of the rules is discussed in 6744 Section 15.7, Section 15.8, and Section 15.9. 6746 Denial-of-Service threats against Mobile IPv6 security mechanisms 6747 themselves concern mainly the Binding Update procedures with 6748 correspondent nodes. The protocol has been designed to limit the 6749 effects of such attacks, as will be described in Section 15.4.5. 6751 15.3. Binding Updates to Home Agent 6753 Signaling between the mobile node and the home agent requires message 6754 integrity. This is necessary to assure the home agent that a Binding 6755 Update is from a legitimate mobile node. In addition, correct 6756 ordering and anti-replay protection are optionally needed. 6758 IPsec ESP protects the integrity of the Binding Updates and Binding 6759 Acknowledgements by securing mobility messages between the mobile 6760 node and the home agent. 6762 IPsec can provide anti-replay protection only if dynamic keying is 6763 used (which may not always be the case). IPsec does not guarantee 6764 correct ordering of packets, only that they have not been replayed. 6765 Because of this, sequence numbers within the Mobile IPv6 messages are 6766 used to ensure correct ordering (see Section 5.1). However, if the 6767 16 bit Mobile IPv6 sequence number space is cycled through, or the 6768 home agent reboots and loses its state regarding the sequence 6769 numbers, replay and reordering attacks become possible. The use of 6770 dynamic keying, IPsec anti-replay protection, and the Mobile IPv6 6771 sequence numbers can together prevent such attacks. It is also 6772 recommended that use of non-volatile storage be considered for home 6773 agents, to avoid losing their state. 6775 A sliding window scheme is used for the sequence numbers. The 6776 protection against replays and reordering attacks without a key 6777 management mechanism works when the attacker remembers up to a 6778 maximum of 2**15 Binding Updates. 6780 The above mechanisms do not show that the care-of address given in 6781 the Binding Update is correct. This opens the possibility for 6782 Denial-of-Service attacks against third parties. However, since the 6783 mobile node and home agent have a security association, the home 6784 agent can always identify an ill-behaving mobile node. This allows 6785 the home agent operator to discontinue the mobile node's service, and 6786 possibly take further actions based on the business relationship with 6787 the mobile node's owner. 6789 Note that the use of a single pair of manually keyed security 6790 associations conflicts with the generation of a new home address [20] 6791 for the mobile node, or with the adoption of a new home subnet 6792 prefix. This is because IPsec security associations are bound to the 6793 used addresses. While certificate-based automatic keying alleviates 6794 this problem to an extent, it is still necessary to ensure that a 6795 given mobile node cannot send Binding Updates for the address of 6796 another mobile node. In general, this leads to the inclusion of home 6797 addresses in certificates in the Subject AltName field. This again 6798 limits the introduction of new addresses without either manual or 6799 automatic procedures to establish new certificates. Therefore, this 6800 specification restricts the generation of new home addresses (for any 6801 reason) to those situations where a security association or 6802 certificate for the new address already exists. (Appendix A.4 lists 6803 the improvement of security for new addresses as one of the future 6804 developments for Mobile IPv6.) 6806 Support for IKE has been specified as optional. The following should 6807 be observed about the use of manual keying: 6809 o As discussed above, with manually keyed IPsec, only a limited form 6810 of protection exists against replay and reordering attacks. A 6811 vulnerability exists if either the sequence number space is cycled 6812 through, or if the home agent reboots and forgets its sequence 6813 numbers (and uses volatile memory to store the sequence numbers). 6815 Assuming the mobile node moves continuously every 10 minutes, it 6816 takes roughly 455 days before the sequence number space has been 6817 cycled through. Typical movement patterns rarely reach this high 6818 frequency today. 6820 o A mobile node and its home agent belong to the same domain. If 6821 this were not the case, manual keying would not be possible [35], 6822 but in Mobile IPv6 only these two parties need to know the 6823 manually configured keys. Similarly, we note that Mobile IPv6 6824 employs standard block ciphers in IPsec, and is not vulnerable to 6825 problems associated with stream ciphers and manual keying. 6827 o It is expected that the owner of the mobile node and the 6828 administrator of the home agent agree on the used keys and other 6829 parameters with some off-line mechanism. 6831 The use of IKEv1 with Mobile IPv6 is documented in more detail in 6832 [14]. The following should be observed from the use of IKEv1: 6834 o It is necessary to prevent a mobile node from claiming another 6835 mobile node's home address. The home agent must verify that the 6836 mobile node trying to negotiate the SA for a particular home 6837 address is authorized for that home address. This implies that 6838 even with the use of IKE, a policy entry needs to be configured 6839 for each home address served by the home agent. 6841 It may be possible to include home addresses in the Subject 6842 AltName field of certificate to avoid this. However, 6843 implementations are not guaranteed to support the use of a 6844 particular IP address (care-of address) while another address 6845 (home address) appears in the certificate. In any case, even this 6846 approach would require user-specific tasks in the certificate 6847 authority. 6849 o If preshared secret authentication is used, IKEv1 main mode cannot 6850 be used. Aggressive mode or group preshared secrets need to be 6851 used with corresponding security implications instead. 6853 Note that, like many other issues, this is a general IKEv1 issue 6854 related to the ability to use different IP addresses, and not 6855 specifically related to Mobile IPv6. For further information, see 6856 Section 4.4 in [14]. 6858 o Due to the problems outlined in Section 11.3.2, IKE phase 1 6859 between the mobile node and its home agent is established using 6860 the mobile node's current care-of address. This implies that when 6861 the mobile node moves to a new location, it may have to re- 6862 establish phase 1. A Key Management Mobility Capability (K) flag 6863 is provided for implementations that can update the IKE phase 1 6864 endpoints without re-establishing phase 1, but the support for 6865 this behavior is optional. 6867 o When certificates are used, IKE fragmentation can occur as 6868 discussed in Section 7 in [14]. 6870 o Nevertheless, even if per-mobile node configuration is required 6871 with IKE, an important benefit of IKE is that it automates the 6872 negotiation of cryptographic parameters, including the SPIs, 6873 cryptographic algorithms, and so on. Thus, less configuration 6874 information is needed. 6876 o The frequency of movements in some link layers or deployment 6877 scenarios may be high enough to make replay and reordering attacks 6878 possible, if only manual keying is used. IKE SHOULD be used in 6879 such cases. Potentially vulnerable scenarios involve continuous 6880 movement through small cells, or uncontrolled alternation between 6881 available network attachment points. 6883 o Similarly, in some deployment scenarios the number of mobile nodes 6884 may be very large. In these cases, it can be necessary to use 6885 automatic mechanisms to reduce the management effort in the 6886 administration of cryptographic parameters, even if some per- 6887 mobile node configuration is always needed. IKE SHOULD also be 6888 used in such cases. 6890 o Other automatic key management mechanisms exist beyond IKEv1, but 6891 this document does not address the issues related to them. We 6892 note, however, that most of the above discussion applies to IKEv2 6893 [37] as well, at least as it is currently specified. 6895 15.4. Binding Updates to Correspondent Nodes 6897 The motivation for designing the return routability procedure was to 6898 have sufficient support for Mobile IPv6, without creating significant 6899 new security problems. The goal for this procedure was not to 6900 protect against attacks that were already possible before the 6901 introduction of Mobile IPv6. 6903 The next sections will describe the security properties of the used 6904 method, both from the point of view of possible on-path attackers who 6905 can see those cryptographic values that have been sent in the clear 6906 (Section 15.4.2 and Section 15.4.3) and from the point of view of 6907 other attackers (Section 15.4.6). 6909 15.4.1. Overview 6911 The chosen infrastructureless method verifies that the mobile node is 6912 "live" (that is, it responds to probes) at its home and care-of 6913 addresses. Section 5.2 describes the return routability procedure in 6914 detail. The procedure uses the following principles: 6916 o A message exchange verifies that the mobile node is reachable at 6917 its addresses, i.e., is at least able to transmit and receive 6918 traffic at both the home and care-of addresses. 6920 o The eventual Binding Update is cryptographically bound to the 6921 tokens supplied in the exchanged messages. 6923 o Symmetric exchanges are employed to avoid the use of this protocol 6924 in reflection attacks. In a symmetric exchange, the responses are 6925 always sent to the same address the request was sent from. 6927 o The correspondent node operates in a stateless manner until it 6928 receives a fully authorized Binding Update. 6930 o Some additional protection is provided by encrypting the tunnels 6931 between the mobile node and home agent with IPsec ESP. As the 6932 tunnel also transports the nonce exchanges, the ability of 6933 attackers to see these nonces is limited. For instance, this 6934 prevents attacks from being launched from the mobile node's 6935 current foreign link, even when no link-layer confidentiality is 6936 available. 6938 The resulting level of security is in theory the same even without 6939 this additional protection: the return routability tokens are 6940 still exposed only to one path within the whole Internet. 6941 However, the mobile nodes are often found on an insecure link, 6942 such as a public access Wireless LAN. Thus, in many cases, this 6943 addition makes a practical difference. 6945 For further information about the design rationale of the return 6946 routability procedure, see [26] [31] [30] [36]. The mechanisms used 6947 have been adopted from these documents. 6949 15.4.2. Achieved Security Properties 6951 The return routability procedure protects Binding Updates against all 6952 attackers who are unable to monitor the path between the home agent 6953 and the correspondent node. The procedure does not defend against 6954 attackers who can monitor this path. Note that such attackers are in 6955 any case able to mount an active attack against the mobile node when 6956 it is at its home location. The possibility of such attacks is not 6957 an impediment to the deployment of Mobile IPv6 because these attacks 6958 are possible regardless of whether or not Mobile IPv6 is in use. 6960 This procedure also protects against Denial-of-Service attacks in 6961 which the attacker pretends to be mobile, but uses the victim's 6962 address as the care-of address. This would cause the correspondent 6963 node to send the victim some unexpected traffic. This procedure 6964 defends against these attacks by requiring at least the passive 6965 presence of the attacker at the care-of address or on the path from 6966 the correspondent to the care-of address. Normally, this will be the 6967 mobile node. 6969 15.4.3. Comparison to Regular IPv6 Communications 6971 This section discusses the protection offered by the return 6972 routability method by comparing it to the security of regular IPv6 6973 communications. We will divide vulnerabilities into three classes: 6974 (1) those related to attackers on the local network of the mobile 6975 node, home agent, or the correspondent node, (2) those related to 6976 attackers on the path between the home network and the correspondent 6977 node, and (3) off-path attackers, i.e., the rest of the Internet. 6979 We will now discuss the vulnerabilities of regular IPv6 6980 communications. The on-link vulnerabilities of IPv6 communications 6981 include Denial-of-Service, Masquerading, Man-in-the-Middle, 6982 Eavesdropping, and other attacks. These attacks can be launched 6983 through spoofing Router Discovery, Neighbor Discovery and other IPv6 6984 mechanisms. Some of these attacks can be prevented with the use of 6985 cryptographic protection in the packets. 6987 A similar situation exists with on-path attackers. That is, without 6988 cryptographic protection, the traffic is completely vulnerable. 6990 Assuming that attackers have not penetrated the security of the 6991 Internet routing protocols, attacks are much harder to launch from 6992 off-path locations. Attacks that can be launched from these 6993 locations are mainly Denial-of-Service attacks, such as flooding 6994 and/or reflection attacks. It is not possible for an off-path 6995 attacker to become a Man-in-the-Middle. 6997 Next, we will consider the vulnerabilities that exist when IPv6 is 6998 used together with Mobile IPv6 and the return routability procedure. 6999 On the local link, the vulnerabilities are the same as those in IPv6, 7000 but Masquerade and Man-in-the-Middle attacks can now also be launched 7001 against future communications, and not just against current 7002 communications. If a Binding Update was sent while the attacker was 7003 present on the link, its effects remain for the lifetime of the 7004 binding. This happens even if the attacker moves away from the link. 7005 In contrast, an attacker who uses only plain IPv6 generally has to 7006 stay on the link in order to continue the attack. Note that in order 7007 to launch these new attacks, the IP address of the victim must be 7008 known. This makes this attack feasible, mainly in the context of 7009 well-known interface IDs, such as those already appearing in the 7010 traffic on the link or registered in the DNS. 7012 On-path attackers can exploit similar vulnerabilities as in regular 7013 IPv6. There are some minor differences, however. Masquerade, Man- 7014 in-the-Middle, and Denial-of-Service attacks can be launched with 7015 just the interception of a few packets, whereas in regular IPv6 it is 7016 necessary to intercept every packet. The effect of the attacks is 7017 the same regardless of the method, however. In any case, the most 7018 difficult task an attacker faces in these attacks is getting on the 7019 right path. 7021 The vulnerabilities for off-path attackers are the same as in regular 7022 IPv6. Those nodes that are not on the path between the home agent 7023 and the correspondent node will not be able to receive the home 7024 address probe messages. 7026 In conclusion, we can state the following main results from this 7027 comparison: 7029 o Return routability prevents any off-path attacks beyond those that 7030 are already possible in regular IPv6. This is the most important 7031 result, preventing attackers on the Internet from exploiting any 7032 vulnerabilities. 7034 o Vulnerabilities to attackers on the home agent link, the 7035 correspondent node link, and the path between them are roughly the 7036 same as in regular IPv6. 7038 o However, one difference is that in basic IPv6 an on-path attacker 7039 must be constantly present on the link or the path, whereas with 7040 Mobile IPv6, an attacker can leave a binding behind after moving 7041 away. 7043 For this reason, this specification limits the creation of 7044 bindings to at most MAX_TOKEN_LIFETIME seconds after the last 7045 routability check has been performed, and limits the duration of a 7046 binding to at most MAX_RR_BINDING_LIFETIME seconds. With these 7047 limitations, attackers cannot take any practical advantages of 7048 this vulnerability. 7050 o There are some other minor differences, such as an effect to the 7051 Denial-of-Service vulnerabilities. These can be considered to be 7052 insignificant. 7054 o The path between the home agent and a correspondent node is 7055 typically easiest to attack on the links at either end, in 7056 particular if these links are publicly accessible wireless LANs. 7058 Attacks against the routers or switches on the path are typically 7059 harder to accomplish. The security on layer 2 of the links plays 7060 then a major role in the resulting overall network security. 7061 Similarly, security of IPv6 Neighbor and Router Discovery on these 7062 links has a large impact. If these were secured using some new 7063 technology in the future, this could change the situation 7064 regarding the easiest point of attack. 7066 For a more in-depth discussion of these issues, see [36]. 7068 15.4.4. Replay Attacks 7070 The return routability procedure also protects the participants 7071 against replayed Binding Updates. The attacker is unable replay the 7072 same message due to the sequence number which is a part of the 7073 Binding Update. It is also unable to modify the Binding Update since 7074 the MAC verification would fail after such a modification. 7076 Care must be taken when removing bindings at the correspondent node, 7077 however. If a binding is removed while the nonce used in its 7078 creation is still valid, an attacker could replay the old Binding 7079 Update. Rules outlined in Section 5.2.8 ensure that this cannot 7080 happen. 7082 15.4.5. Denial-of-Service Attacks 7084 The return routability procedure has protection against resource 7085 exhaustion Denial-of-Service attacks. The correspondent nodes do not 7086 retain any state about individual mobile nodes until an authentic 7087 Binding Update arrives. This is achieved through the construct of 7088 keygen tokens from the nonces and node keys that are not specific to 7089 individual mobile nodes. The keygen tokens can be reconstructed by 7090 the correspondent node, based on the home and care-of address 7091 information that arrives with the Binding Update. This means that 7092 the correspondent nodes are safe against memory exhaustion attacks 7093 except where on-path attackers are concerned. Due to the use of 7094 symmetric cryptography, the correspondent nodes are relatively safe 7095 against CPU resource exhaustion attacks as well. 7097 Nevertheless, as [26] describes, there are situations in which it is 7098 impossible for the mobile and correspondent nodes to determine if 7099 they actually need a binding or whether they just have been fooled 7100 into believing so by an attacker. Therefore, it is necessary to 7101 consider situations where such attacks are being made. 7103 Even if route optimization is a very important optimization, it is 7104 still only an optimization. A mobile node can communicate with a 7105 correspondent node even if the correspondent refuses to accept any 7106 Binding Updates. However, performance will suffer because packets 7107 from the correspondent node to the mobile node will be routed via the 7108 mobile's home agent rather than a more direct route. A correspondent 7109 node can protect itself against some of these resource exhaustion 7110 attacks as follows. If the correspondent node is flooded with a 7111 large number of Binding Updates that fail the cryptographic integrity 7112 checks, it can stop processing Binding Updates. If a correspondent 7113 node finds that it is spending more resources on checking bogus 7114 Binding Updates than it is likely to save by accepting genuine 7115 Binding Updates, then it may silently discard some or all Binding 7116 Updates without performing any cryptographic operations. 7118 Layers above IP can usually provide additional information to help 7119 decide if there is a need to establish a binding with a specific 7120 peer. For example, TCP knows if the node has a queue of data that it 7121 is trying to send to a peer. An implementation of this specification 7122 is not required to make use of information from higher protocol 7123 layers, but some implementations are likely to be able to manage 7124 resources more effectively by making use of such information. 7126 We also require that all implementations be capable of 7127 administratively disabling route optimization. 7129 15.4.6. Key Lengths 7131 Attackers can try to break the return routability procedure in many 7132 ways. Section 15.4.2 discusses the situation where the attacker can 7133 see the cryptographic values sent in the clear, and Section 15.4.3 7134 discusses the impact this has on IPv6 communications. This section 7135 discusses whether attackers can guess the correct values without 7136 seeing them. 7138 While the return routability procedure is in progress, 64 bit cookies 7139 are used to protect spoofed responses. This is believed to be 7140 sufficient, given that to blindly spoof a response a very large 7141 number of messages would have to be sent before success would be 7142 probable. 7144 The tokens used in the return routability procedure provide together 7145 128 bits of information. This information is used internally as 7146 input to a hash function to produce a 160 bit quantity suitable for 7147 producing the keyed hash in the Binding Update using the HMAC_SHA1 7148 algorithm. The final keyed hash length is 96 bits. The limiting 7149 factors in this case are the input token lengths and the final keyed 7150 hash length. The internal hash function application does not reduce 7151 the entropy. 7153 The 96 bit final keyed hash is of typical size and is believed to be 7154 secure. The 128 bit input from the tokens is broken in two pieces, 7155 the home keygen token and the care-of keygen token. An attacker can 7156 try to guess the correct cookie value, but again this would require a 7157 large number of messages (an the average 2**63 messages for one or 7158 2**127 for two). Furthermore, given that the cookies are valid only 7159 for a short period of time, the attack has to keep a high constant 7160 message rate to achieve a lasting effect. This does not appear 7161 practical. 7163 When the mobile node is returning home, it is allowed to use just the 7164 home keygen token of 64 bits. This is less than 128 bits, but 7165 attacking it blindly would still require a large number of messages 7166 to be sent. If the attacker is on the path and capable of seeing the 7167 Binding Update, it could conceivably break the keyed hash with brute 7168 force. However, in this case the attacker has to be on the path, 7169 which appears to offer easier ways for denial-of-service than 7170 preventing route optimization. 7172 15.5. Dynamic Home Agent Address Discovery 7174 The dynamic home agent address discovery function could be used to 7175 learn the addresses of home agents in the home network. 7177 The ability to learn addresses of nodes may be useful to attackers 7178 because brute-force scanning of the address space is not practical 7179 with IPv6. Thus, they could benefit from any means which make 7180 mapping the networks easier. For example, if a security threat 7181 targeted at routers or even home agents is discovered, having a 7182 simple ICMP mechanism to easily find out possible targets may prove 7183 to be an additional (though minor) security risk. 7185 Apart from discovering the address(es) of home agents, attackers will 7186 not be able to learn much from this information, and mobile nodes 7187 cannot be tricked into using wrong home agents, as all other 7188 communication with the home agents is secure. 7190 15.6. Mobile Prefix Discovery 7192 The mobile prefix discovery function may leak interesting information 7193 about network topology and prefix lifetimes to eavesdroppers; for 7194 this reason, requests for this information has to be authenticated. 7195 Responses and unsolicited prefix information needs to be 7196 authenticated to prevent the mobile nodes from being tricked into 7197 believing false information about the prefixes and possibly 7198 preventing communications with the existing addresses. Optionally, 7199 encryption may be applied to prevent leakage of the prefix 7200 information. 7202 15.7. Tunneling via the Home Agent 7204 Tunnels between the mobile node and the home agent can be protected 7205 by ensuring proper use of source addresses, and optional 7206 cryptographic protection. These procedures are discussed in 7207 Section 5.5. 7209 Binding Updates to the home agents are secure. When receiving 7210 tunneled traffic, the home agent verifies that the outer IP address 7211 corresponds to the current location of the mobile node. This acts as 7212 a weak form of protection against spoofing packets that appear to 7213 come from the mobile node. This is particularly useful, if no end- 7214 to-end security is being applied between the mobile and correspondent 7215 nodes. The outer IP address check prevents attacks where the 7216 attacker is controlled by ingress filtering. It also prevents 7217 attacks when the attacker does not know the current care-of address 7218 of the mobile node. Attackers who know the care-of address and are 7219 not controlled by ingress filtering could still send traffic through 7220 the home agent. This includes attackers on the same local link as 7221 the mobile node is currently on. But such attackers could send 7222 packets that appear to come from the mobile node without attacking 7223 the tunnel; the attacker could simply send packets with the source 7224 address set to the mobile node's home address. However, this attack 7225 does not work if the final destination of the packet is in the home 7226 network, and some form of perimeter defense is being applied for 7227 packets sent to those destinations. In such cases it is recommended 7228 that either end-to-end security or additional tunnel protection be 7229 applied, as is usual in remote access situations. 7231 Home agents and mobile nodes may use IPsec ESP to protect payload 7232 packets tunneled between themselves. This is useful for protecting 7233 communications against attackers on the path of the tunnel. 7235 When site local home addresses are used, reverse tunneling can be 7236 used to send site local traffic from another location. 7237 Administrators should be aware of this when allowing such home 7238 addresses. In particular, the outer IP address check described above 7239 is not sufficient against all attackers. The use of encrypted 7240 tunnels is particularly useful for these kinds of home addresses. 7242 15.8. Home Address Option 7244 When the mobile node sends packets directly to the correspondent 7245 node, the Source Address field of the packet's IPv6 header is the 7246 care-of address. Therefore, ingress filtering [25] works in the 7247 usual manner even for mobile nodes, as the Source Address is 7248 topologically correct. The Home Address option is used to inform the 7249 correspondent node of the mobile node's home address. 7251 However, the care-of address in the Source Address field does not 7252 survive in replies sent by the correspondent node unless it has a 7253 binding for this mobile node. Also, not all attacker tracing 7254 mechanisms work when packets are being reflected through 7255 correspondent nodes using the Home Address option. For these 7256 reasons, this specification restricts the use of the Home Address 7257 option. It may only be used when a binding has already been 7258 established with the participation of the node at the home address, 7259 as described in Section 5.5 and Section 6.3. This prevents 7260 reflection attacks through the use of the Home Address option. It 7261 also ensures that the correspondent nodes reply to the same address 7262 that the mobile node sends traffic from. 7264 No special authentication of the Home Address option is required 7265 beyond the above, but note that if the IPv6 header of a packet is 7266 covered by IPsec Authentication Header, then that authentication 7267 covers the Home Address option as well. Thus, even when 7268 authentication is used in the IPv6 header, the security of the Source 7269 Address field in the IPv6 header is not compromised by the presence 7270 of a Home Address option. Without authentication of the packet, any 7271 field in the IPv6 header, including the Source Address field or any 7272 other part of the packet and the Home Address option can be forged or 7273 modified in transit. In this case, the contents of the Home Address 7274 option is no more suspect than any other part of the packet. 7276 15.9. Type 2 Routing Header 7278 The definition of the type 2 routing header is described in 7279 Section 6.4. This definition and the associated processing rules 7280 have been chosen so that the header cannot be used for what is 7281 traditionally viewed as source routing. In particular, the Home 7282 Address in the routing header will always have to be assigned to the 7283 home address of the receiving node; otherwise the packet will be 7284 dropped. 7286 Generally, source routing has a number of security concerns. These 7287 include the automatic reversal of unauthenticated source routes 7288 (which is an issue for IPv4, but not for IPv6). Another concern is 7289 the ability to use source routing to "jump" between nodes inside, as 7290 well as outside a firewall. These security concerns are not issues 7291 in Mobile IPv6, due to the rules mentioned above. 7293 In essence the semantics of the type 2 routing header is the same as 7294 a special form of IP-in-IP tunneling where the inner and outer source 7295 addresses are the same. 7297 This implies that a device which implements the filtering of packets 7298 should be able to distinguish between a type 2 routing header and 7299 other routing headers, as required in Section 8.3. This is necessary 7300 in order to allow Mobile IPv6 traffic while still having the option 7301 of filtering out other uses of routing headers. 7303 16. Contributors 7305 Tuomas Aura, Mike Roe, Greg O'Shea, Pekka Nikander, Erik Nordmark, 7306 and Michael Thomas worked on the return routability protocols 7307 eventually led to the procedures used in this protocol. The 7308 procedures described in [31] were adopted in the protocol. 7310 Significant contributions were made by members of the Mobile IPv6 7311 Security Design Team, including (in alphabetical order) Gabriel 7312 Montenegro, Erik Nordmark and Pekka Nikander. 7314 17. Acknowledgements 7316 We would like to thank the members of the Mobile IP and IPng Working 7317 Groups for their comments and suggestions on this work. We would 7318 particularly like to thank (in alphabetical order) Fred Baker, Josh 7319 Broch, Samita Chakrabarti, Robert Chalmers, Noel Chiappa, Greg Daley, 7320 Vijay Devarapalli, Rich Draves, Francis Dupont, Thomas Eklund, Jun- 7321 Ichiro Itojun Hagino, Brian Haley, Marc Hasson, John Ioannidis, James 7322 Kempf, Rajeev Koodli, Krishna Kumar, T.J. Kniveton, Joe Lau, Jiwoong 7323 Lee, Aime Le Rouzic, Vesa-Matti Mantyla, Kevin Miles, Glenn Morrow, 7324 Thomas Narten, Karen Nielsen, Simon Nybroe, David Oran, Brett 7325 Pentland, Lars Henrik Petander, Basavaraj Patil, Mohan Parthasarathy, 7326 Alexandru Petrescu, Mattias Petterson, Ken Powell, Phil Roberts, Ed 7327 Remmell, Patrice Romand, Luis A. Sanchez, Jeff Schiller, Pekka 7328 Savola, Arvind Sevalkar, Keiichi Shima, Tom Soderlund, Hesham 7329 Soliman, Jim Solomon, Tapio Suihko, Dave Thaler, Benny Van Houdt, 7330 Jon-Olov Vatn, Carl E. Williams, Vladislav Yasevich, Alper Yegin, and 7331 Xinhua Zhao, for their detailed reviews of earlier versions of this 7332 document. Their suggestions have helped to improve both the design 7333 and presentation of the protocol. 7335 We would also like to thank the participants of the Mobile IPv6 7336 testing event (1999), implementors who participated in Mobile IPv6 7337 interoperability testing at Connectathons (2000, 2001, 2002, and 7338 2003), and the participants at the ETSI interoperability testing 7339 (2000, 2002). Finally, we would like to thank the TAHI project who 7340 has provided test suites for Mobile IPv6. 7342 18. References 7344 18.1. Normative References 7346 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 7347 Levels", BCP 14, RFC 2119, March 1997. 7349 [2] Kent, S. and R. Atkinson, "Security Architecture for the 7350 Internet Protocol", RFC 2401, November 1998. 7352 [3] Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402, 7353 November 1998. 7355 [4] Kent, S. and R. Atkinson, "IP Encapsulating Security Payload 7356 (ESP)", RFC 2406, November 1998. 7358 [5] Piper, D., "The Internet IP Security Domain of Interpretation 7359 for ISAKMP", RFC 2407, November 1998. 7361 [6] Maughan, D., Schneider, M., and M. Schertler, "Internet 7362 Security Association and Key Management Protocol (ISAKMP)", 7363 RFC 2408, November 1998. 7365 [7] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", 7366 RFC 2409, November 1998. 7368 [8] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) 7369 Specification", RFC 2460, December 1998. 7371 [9] Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6 7372 Specification", RFC 2473, December 1998. 7374 [10] Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast 7375 Addresses", RFC 2526, March 1999. 7377 [11] Deering, S., Fenner, W., and B. Haberman, "Multicast Listener 7378 Discovery (MLD) for IPv6", RFC 2710, October 1999. 7380 [12] Reynolds, J., "Assigned Numbers: RFC 1700 is Replaced by an On- 7381 line Database", RFC 3232, January 2002. 7383 [13] National Institute of Standards and Technology, "Secure Hash 7384 Standard", FIPS PUB 180-1, April 1995, 7385 . 7387 [14] Arkko, J., Devarapalli, V., and F. Dupont, "Using IPsec to 7388 Protect Mobile IPv6 Signaling Between Mobile Nodes and Home 7389 Agents", RFC 3776, June 2004. 7391 [15] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 7392 Requirements for Security", BCP 106, RFC 4086, June 2005. 7394 [16] Hinden, R. and S. Deering, "IP Version 6 Addressing 7395 Architecture", RFC 4291, February 2006. 7397 [17] Conta, A., Deering, S., and M. Gupta, "Internet Control Message 7398 Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) 7399 Specification", RFC 4443, March 2006. 7401 [18] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 7402 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 7403 September 2007. 7405 [19] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address 7406 Autoconfiguration", RFC 4862, September 2007. 7408 [20] Narten, T., Draves, R., and S. Krishnan, "Privacy Extensions 7409 for Stateless Address Autoconfiguration in IPv6", RFC 4941, 7410 September 2007. 7412 [21] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA 7413 Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. 7415 18.2. Informative References 7417 [22] Perkins, C., "IP Encapsulation within IP", RFC 2003, 7418 October 1996. 7420 [23] Perkins, C., "Minimal Encapsulation within IP", RFC 2004, 7421 October 1996. 7423 [24] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing 7424 for Message Authentication", RFC 2104, February 1997. 7426 [25] Ferguson, P. and D. Senie, "Network Ingress Filtering: 7427 Defeating Denial of Service Attacks which employ IP Source 7428 Address Spoofing", BCP 38, RFC 2827, May 2000. 7430 [26] Aura, T. and J. Arkko, "MIPv6 BU Attacks and Defenses", 7431 draft-aura-mipv6-bu-attacks-01 (work in progress), March 2002. 7433 [27] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. 7434 Carney, "Dynamic Host Configuration Protocol for IPv6 7435 (DHCPv6)", RFC 3315, July 2003. 7437 [28] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, 7438 August 2002. 7440 [29] Draves, R., "Default Address Selection for Internet Protocol 7441 version 6 (IPv6)", RFC 3484, February 2003. 7443 [30] Nordmark, E., "Securing MIPv6 BUs using return routability 7444 (BU3WAY)", draft-nordmark-mobileip-bu3way-00 (work in 7445 progress), November 2001. 7447 [31] Roe, M., "Authentication of Mobile IPv6 Binding Updates and 7448 Acknowledgments", draft-roe-mobileip-updateauth-02 (work in 7449 progress), March 2002. 7451 [32] Savola, P., "Use of /127 Prefix Length Between Routers 7452 Considered Harmful", RFC 3627, September 2003. 7454 [33] Savola, P., "Security of IPv6 Routing Header and Home Address 7455 Options", draft-savola-ipv6-rh-ha-security-02 (work in 7456 progress), March 2002. 7458 [34] Vida, R. and L. Costa, "Multicast Listener Discovery Version 2 7459 (MLDv2) for IPv6", RFC 3810, June 2004. 7461 [35] Bellovin, S. and R. Housley, "Guidelines for Cryptographic Key 7462 Management", BCP 107, RFC 4107, June 2005. 7464 [36] Nikander, P., Arkko, J., Aura, T., Montenegro, G., and E. 7465 Nordmark, "Mobile IP Version 6 Route Optimization Security 7466 Design Background", RFC 4225, December 2005. 7468 [37] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", 7469 RFC 4306, December 2005. 7471 Appendix A. Future Extensions 7473 A.1. Piggybacking 7475 This document does not specify how to piggyback payload packets on 7476 the binding related messages. However, it is envisioned that this 7477 can be specified in a separate document when issues such as the 7478 interaction between piggybacking and IPsec are fully resolved (see 7479 also Appendix A.3). The return routability messages can indicate 7480 support for piggybacking with a new mobility option. 7482 A.2. Triangular Routing 7484 Due to the concerns about opening reflection attacks with the Home 7485 Address destination option, this specification requires that this 7486 option be verified against the Binding Cache, i.e., there must be a 7487 Binding Cache entry for the Home Address and Care-of Address. 7489 Future extensions may be specified that allow the use of unverified 7490 Home Address destination options in ways that do not introduce 7491 security issues. 7493 A.3. New Authorization Methods 7495 While the return routability procedure provides a good level of 7496 security, there exist methods that have even higher levels of 7497 security. Secondly, as discussed in Section 15.4, future 7498 enhancements of IPv6 security may cause a need to also improve the 7499 security of the return routability procedure. Using IPsec as the 7500 sole method for authorizing Binding Updates to correspondent nodes is 7501 also possible. The protection of the Mobility Header for this 7502 purpose is easy, though one must ensure that the IPsec SA was created 7503 with appropriate authorization to use the home address referenced in 7504 the Binding Update. For instance, a certificate used by IKE to 7505 create the security association might contain the home address. A 7506 future specification may specify how this is done. 7508 A.4. Dynamically Generated Home Addresses 7510 A future version of this specification may include functionality that 7511 allows the generation of new home addresses without requiring pre- 7512 arranged security associations or certificates even for the new 7513 addresses. 7515 A.5. Remote Home Address Configuration 7517 The method for initializing a mobile node's home address upon 7518 power-up or after an extended period of being disconnected from the 7519 network is beyond the scope of this specification. Whatever 7520 procedure is used should result in the mobile node having the same 7521 stateless or stateful (e.g., DHCPv6) home address autoconfiguration 7522 information it would have if it were attached to the home network. 7523 Due to the possibility that the home network could be renumbered 7524 while the mobile node is disconnected, a robust mobile node would not 7525 rely solely on storing these addresses locally. 7527 Such a mobile node could be initialized by using the following 7528 procedure: 7530 1. Generate a care-of address. 7532 2. Query DNS for an anycast address associated with the FQDN of the 7533 home agent(s). 7535 3. Perform home agent address discovery, and select a home agent. 7537 4. Configure one home address based on the selected home agent's 7538 subnet prefix and the interface identifier of the mobile node. 7540 5. Create security associations and security policy database entries 7541 for protecting the traffic between the selected home address and 7542 home agent. 7544 6. Perform a home registration on the selected home agent. 7546 7. Perform mobile prefix discovery. 7548 8. Make a decision if further home addresses need to be configured. 7550 This procedure is restricted to those situations where the home 7551 prefix is 64 bits and the mobile node knows its own interface 7552 identifier, which is also 64 bits. 7554 A.6. Neighbor Discovery Extensions 7556 Future specifications may improve the efficiency of Neighbor 7557 Discovery tasks, which could be helpful for fast movements. One 7558 factor is currently being looked at: the delays caused by the 7559 Duplicate Address Detection mechanism. Currently, Duplicate Address 7560 Detection needs to be performed for every new care-of address as the 7561 mobile node moves, and for the mobile node's link-local address on 7562 every new link. In particular, the need and the trade-offs of re- 7563 performing Duplicate Address Detection for the link-local address 7564 every time the mobile node moves on to new links will need to be 7565 examined. Improvements in this area are, however, generally 7566 applicable and progress independently from the Mobile IPv6 7567 specification. 7569 Future functional improvements may also be relevant for Mobile IPv6 7570 and other applications. For instance, mechanisms that would allow 7571 recovery from a Duplicate Address Detection collision would be useful 7572 for link-local, care-of, and home addresses. 7574 Authors' Addresses 7576 David B. Johnson 7577 Rice University 7578 Dept. of Computer Science, MS 132 7579 6100 Main Street 7580 Houston TX 77005-1892 7581 USA 7583 Email: dbj@cs.rice.edu 7585 Charles E. Perkins 7586 WiChorus Inc. 7587 3590 N. 1st Street, Suite 300 7588 San Jose CA 95134 7589 USA 7591 Email: charliep@computer.org 7593 Jari Arkko 7594 Ericsson 7595 Jorvas 02420 7596 Finland 7598 Email: jari.arkko@ericsson.com 7600 Full Copyright Statement 7602 Copyright (C) The IETF Trust (2008). 7604 This document is subject to the rights, licenses and restrictions 7605 contained in BCP 78, and except as set forth therein, the authors 7606 retain all their rights. 7608 This document and the information contained herein are provided on an 7609 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 7610 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 7611 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 7612 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 7613 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 7614 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 7616 Intellectual Property 7618 The IETF takes no position regarding the validity or scope of any 7619 Intellectual Property Rights or other rights that might be claimed to 7620 pertain to the implementation or use of the technology described in 7621 this document or the extent to which any license under such rights 7622 might or might not be available; nor does it represent that it has 7623 made any independent effort to identify any such rights. Information 7624 on the procedures with respect to rights in RFC documents can be 7625 found in BCP 78 and BCP 79. 7627 Copies of IPR disclosures made to the IETF Secretariat and any 7628 assurances of licenses to be made available, or the result of an 7629 attempt made to obtain a general license or permission for the use of 7630 such proprietary rights by implementers or users of this 7631 specification can be obtained from the IETF on-line IPR repository at 7632 http://www.ietf.org/ipr. 7634 The IETF invites any interested party to bring to its attention any 7635 copyrights, patents or patent applications, or other proprietary 7636 rights that may cover technology that may be required to implement 7637 this standard. Please address the information to the IETF at 7638 ietf-ipr@ietf.org.