idnits 2.17.1 draft-ietf-mip4-dynamic-assignment-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 15. -- Found old boilerplate from RFC 3978, Section 5.5 on line 1067. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1044. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1051. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1057. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3344 (ref. '1') (Obsoleted by RFC 5944) ** Obsolete normative reference: RFC 3012 (ref. '5') (Obsoleted by RFC 4721) Summary: 7 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Mobile IP Working Group Milind Kulkarni 3 INTERNET-DRAFT Alpesh Patel 4 Category: Standards Track Kent Leung 5 Date : 28 May 2005 Cisco Systems Inc. 7 Mobile IPv4 Dynamic Home Agent Assignment 8 draft-ietf-mip4-dynamic-assignment-04.txt 10 Status of this Memo 12 By submitting this Internet-Draft, each author represents that any 13 applicable patent or other IPR claims of which he or she is aware 14 have been or will be disclosed, and any of which he or she becomes 15 aware will be disclosed, in accordance with Section 6 of BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet Drafts as reference 25 material or to cite them other than as "work in progress". 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on September 28, 2005. 35 Copyright Notice 37 Copyright (C) The Internet Society (2005). 39 Abstract 41 Mobile IPv4 [1] uses the Home Agent (HA) to anchor sessions of a 42 roaming Mobile Node (MN). This draft proposes a messaging mechanism 43 for dynamic home agent assignment and HA redirection. The goal is to 44 provide a mechanism to assign an optimal HA for a Mobile IP session 45 while allowing any suitable method for HA selection. 47 Table of Contents 49 1. Introduction................................................3 50 2. Requirements Terminology....................................3 51 3. Problem Statement...........................................4 52 3.1 Scope.......................................................5 53 3.2 Dynamic Home Agent Discovery in Mobile IPv4.................5 54 3.3 NAI usage and dynamic HA assignment.........................5 55 3.4 Dynamic HA Extension........................................6 56 3.4.1 Requested HA Extension....................................6 57 3.4.2 Redirected HA Extension...................................7 58 4. Messaging mechanism for dynamic HA assignment/redirection...7 59 4.1 Messaging for dynamic HA assignment.........................7 60 4.1.1 Example with Message Flow Diagram.........................8 61 4.2 Messaging for HA redirection...............................10 62 4.2.1 Example with Message Flow Diagram........................10 63 5. Mobility Agent Considerations..............................12 64 5.1 Mobile Node Considerations.................................12 65 5.1.1 MN using FA CoA..........................................13 66 5.1.2 MN using Co-located CoA..................................13 67 5.1.3 Refreshing Assigned HA Address on Mobile Node............14 68 5.2 Foreign Agent Considerations...............................14 69 5.3 Home Agent Considerations..................................15 70 5.3.1 Assigned Home Agent Considerations.......................15 71 6. Requested Home Agent Selection.............................17 72 7. Error Values...............................................18 73 8. IANA Considerations........................................18 74 9. Security Considerations....................................18 75 10. Backward Compatibility Considerations.....................19 76 11. Change Log from previous versions.........................20 77 12. Acknowledgements..........................................21 78 13. Normative References......................................21 79 Authors' Addresses.............................................21 80 Intellectual Property Statement................................22 81 1. Introduction 83 This document adds to the Mobile IP protocol [1], by proposing a 84 messaging mechanism for dynamic home agent assignment and home agent 85 redirection during initial registration. The goal is to assign an 86 optimal HA for a Mobile IP session. The mobile node MUST use the 87 Network Access Identifier (NAI) extension [2] when requesting a 88 dynamically assigned HA. 90 The MN requests a dynamically assigned HA by setting the HA field in 91 the initial Registration Request to ALL-ZERO-ONE-ADDR (defined in 92 section 2). If the request is accepted, the HA sends a successful 93 Registration Reply containing the HA's own address. The requested HA 94 can suggest an alternate HA and if so, the Registration Reply is 95 rejected with a new error code REDIRECT-HA-REQ and the alternate HA 96 address is specified in a new extension (Redirected HA Extension). 98 This document also defines a new Requested HA Extension for use in 99 Registration Requests when the HA field is set to ALL-ZERO-ONE- 100 ADDRESS. The Requested HA address is a hint to the network about the 101 MN's preferred HA. 103 The messaging mechanism is defined in this document so that the 104 MN can request and receive a dynamic HA address in Mobile IP 105 messages. However, the mechanism by which the network selects 106 an HA for assignment to the MN is outside the scope of this 107 document. For example, the selection may be made by any 108 network node that receives the registration request (or 109 information about the registration request), such as a Foreign 110 Agent, AAA server, or Home Agent. The node that selects the 111 HA may select one based on a number of criteria, including but 112 not limited to HA load-balancing, geographical proximity, 113 administrative policy etc. 115 2. Requirements Terminology 117 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 118 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 119 document are to be interpreted as described in RFC 2119 [6]. 121 The Mobile IP related terminology described in RFC 3344 [1] is used 122 in this document. In addition, the following terms are used: 124 ALL-ZERO-ONE-ADDR: IP address 0.0.0.0 or 255.255.255.255. An 125 address of 255.255.255.255 indicates a preference 126 for an HA in the home domain. An address of 127 0.0.0.0 indicates no preference for home vs. 128 visited domain. 130 Requested HA: Destination IP address of Home Agent that the 131 Registration Request is sent to. Must be a 132 unicast IP address. This address can be 133 obtained as described in section 6. 135 Note that this specification defines a new 136 "Requested HA Extension" in section 3.4, which 137 is different from the term "Requested HA". 139 Assigned HA: The HA that accepts an MN's Registration Request 140 and returns a successful Registration Reply. 142 Redirected HA: If the registration is rejected with error code 143 REDIRECT-HA-REQ, the HA being referred to is 144 specified in a new extension (Redirected HA 145 Extension). 147 AAA server: Authentication, Authorization and Accounting 148 Server. 150 DNS: Domain Name System. 152 DHCP: Dynamic Host Configuration Protocol. 154 MN: Mobile Node as defined in Mobile IPv4 [1]. 156 HA: Home Agent as defined in Mobile IPv4 [1]. 158 FA: Foreign Agent as defined in Mobile IPv4 [1]. 160 CoA: Care of Address. 162 CCoA: Co-located Care of Address. 164 MN HoA: Mobile Node's Home Address. 166 NAI: Network Access Identifier [2]. 168 Src IP: Source IP address of the packet. 170 Dest IP: Destination IP address of the packet. 172 3. Problem Statement 174 The Mobile IPv4 NAI Extension for IPv4 [2] introduced the concept of 175 identifying a MN by the NAI and enabling dynamic home address 176 assignment. When the home address is dynamically assigned, it is 177 desirable to discover the Home Agent dynamically or inform the MN 178 about an optimal HA to use for a multitude of reasons, such as: 180 - If the distance between the visited network and the home network of 181 the mobile node is large, the signaling delay for these registrations 182 may be long. In such a case the MN will be anchored to its distant 183 home agent, resulting in tunneled traffic traveling a long distance 184 between home agent and the mobile node. When a Mobile IP session 185 initiates, if the mobile node can be assigned a home agent that is 186 close to the mobile node it can drastically reduce the latency 187 between the home agent and mobile node. 189 - In a large scale Mobile IP deployment, it is cumbersome to 190 provision MNs with multiple HA addresses. 192 - It is desirable to achieve some form of load balancing between 193 multiple HAs in the network. Dynamic HA assignment and/or HA 194 redirection lets the network select the optimal HA from among a set 195 of HAs and thus achieve load balancing among a group of HAs. 197 - Local administrative policies. 199 3.1 Scope 201 This specification does not address the problem of distributing a 202 security association between the MN and HA, and it can either be 203 statically preconfigured or dynamically distributed using other 204 mechanisms [7]. 206 The draft introduces the terms Requested/Assigned/Redirected HA 207 (section 6). The discovery of candidate HA addresses for insertion 208 into the Redirected HA Extension can be accomplished through various 209 means which are network and/or deployment specific and hence are 210 outside the scope of this specification. 212 The MN MAY request dynamic HA assignment when it is not aware of any 213 HA address and even when it is aware of at least one HA address. 215 3.2 Dynamic Home Agent Discovery in Mobile IPv4 217 Mobile IPv4 [1] specifies the mechanism for discovering the mobile 218 node's home agent using subnet-directed broadcast IP address in the 219 home agent field of the Registration Request. This mechanism was 220 designed for mobile nodes with a static home address and subnet 221 prefix, anchored on fixed home network. However, using subnet 222 directed broadcast as the destination IP address of the Registration 223 Request, it is unlikely that the Registration Request will reach the 224 home subnet because routers will drop these packets by default. See 225 CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks [3]. 227 3.3 NAI usage and dynamic HA assignment 228 The Mobile IPv4 NAI Extension for IPv4 [2] introduced the 229 concept of identifying a MN by the NAI and enabling dynamic 230 home address assignment. This document requires that while 231 using dynamic HA assignment, MN MUST use the NAI and obtain a home 232 address. MN can still suggest a static home address in the 233 Registration Request, but must take the address in the Registration 234 Reply as the home address for the session. This is compatible with 235 the procedures documented in the NAI specification [2]. 237 3.4 Dynamic HA Extension 239 The Dynamic HA Extension, shown in figure 1, contains the address of 240 the HA. This is a generic extension and can be used in Registration 241 Request and Reply messages. It is a skippable extension. 243 0 1 2 3 244 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 245 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 246 | Type | Sub-Type | Length | 247 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 248 | HA-Address | 249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 251 Figure 1: The Dynamic HA address Extension 253 Type DYNAMIC-HA-ADDRESS (skippable) (to be assigned by 254 IANA) is the type, which specifies the dynamic HA 255 address. 257 Sub-Type Defines the use of this extension as: 258 sub-type 1 = Requested HA Extension 259 2 = Redirected HA Extension 261 Length Indicates the length of the extension not 262 including the type, sub-type and length fields. 263 Length is always 4 bytes. 265 HA-Address Address of the Home Agent. 267 3.4.1 Requested HA Extension 269 The Requested HA Extension is a Dynamic HA Extension of subtype 1. 271 The MN may include the Requested HA Extension in the registration 272 request as a hint to the network where it wishes to be anchored. 273 This extension contains the address of the HA. A valid unicast IP 274 address MUST be used as HA address in this extension. 276 In absence of an FA, the RRQ is forwarded to this HA. In presence of 277 an FA, the FA MUST forward RRQ to the HA address in this extension. 279 3.4.2 Redirected HA Extension 281 The Redirected HA Extension is a Dynamic HA Extension of subtype 2. 283 The Redirected HA Extension contains the address of the HA where the 284 MN should attempt the next registration. The HA receiving a 285 Registration Request can suggest an alternate HA and, if so, the 286 Registration Reply is sent with a new error code REDIRECT-HA-REQ and 287 the alternate HA address is specified in this extension. 289 The Redirected HA Extension MUST be included in Registration Reply 290 when the reply code is REDIRECT-HA-REQ. 292 4. Messaging mechanism for dynamic HA assignment/redirection 294 This specification presents two alternatives for home agent 295 assignment. The two alternatives are: 296 (a) Dynamic HA assignment (described in section 4.1) and 297 (b) HA redirection (described in section 4.2). 299 4.1 Messaging for dynamic HA assignment 301 The following sequence of events occur when the MN requests dynamic 302 Home Agent assignment: 304 1. The MN sets the Home Agent address field in the Registration 305 Request to ALL-ZERO-ONE-ADDR. If the MN is aware of a desired HA 306 address, it can add that address in the Requested HA Extension in 307 the Registration Request. If the HA does not support the 308 Requested HA Extension, see step 2 below. 310 2. This step is applicable, in lieu of step 1, for a MN that is 311 aware of the HA address and desires dynamic HA assignment. Also, 312 the MN follows this (when aware of a HA address) when it 313 discovers a legacy FA in the path or if the known HA does not 314 support the Requested HA Extension (see section 10). 316 The MN sets the Home Agent address field in the Registration 317 Request to the HA address (instead of setting it to ALL-ZERO-ONE- 318 ADDR). The MN also adds the same HA address in the Requested HA 319 Extension in the Registration Request. 321 3. The MN (if using co-located CoA and registering directly with the 322 HA) or the FA (if the MN is registering via the FA) sends the 323 Registration Request to the "Requested HA". If the Requested HA 324 Extension is present, Requested HA is specified in the "HA 325 Address" of this extension. 327 Per section 10, in case of a legacy FA, legacy FA forwards the 328 Registration Request to the address in the HA field of the 329 Request (thus, MN uses step 2 above in case of legacy FA instead 330 of step 1). 332 4. The "Requested HA" is the home agent that processes the 333 Registration Request in accordance with Mobile IPv4 [1] and as 334 per the specification in this document. It creates mobility 335 binding for successful Registration Request. It also sends a 336 Registration Reply to the MN. 338 5. The MN obtains an "Assigned HA" address from the HA field in the 339 successful Registration Reply and uses it for the remainder of 340 the session. (Note that the "Assigned HA" will be same as the 341 "Requested HA"). 343 6. Subsequent Registration Request messages for renewal are sent to 344 the Assigned HA. 346 Section 5.3.1 describes the Assigned HA in detail. Some ideas on how 347 to select the Requested HA are briefly covered in section 6. 349 4.1.1 Example with Message Flow Diagram 351 Detailed explanation of this alternative is best described with the 352 help of a message flow diagram and description. 354 Figure 2 shows one specific example of a Mobile Node using an FA- 355 located Care of Address (FA CoA) and FA understands the Requested HA 356 Extension per this specification. 358 Other scenarios such as when the mobile node uses a co-located care 359 of address and presence of a legacy HA or FA are not described below, 360 but the behavior is similar. 362 MN FA Requested/Assigned HA 363 | 1 | | 364 |------------>| 2 | 365 | |--------------->| 366 | | | 367 | | | 368 | | 3 | 369 | 4 |<---------------| 370 |<------------| | 371 | | | 372 | | 5 | 373 |----------------------------->| 374 | | | 375 Figure 2: Example message flow for dynamic HA assignment 377 1. The MN sets the Home Agent address field in the Registration 378 Request to ALL-ZERO-ONE-ADDR. Since the MN is using FA CoA in this 379 example, it sends the Registration Request to the FA. The 380 Registration Request is formatted as follows: 382 +-----------------------------------------------------------+ 383 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 384 | MN | FA | | ALL-ZERO-ONE-ADDR |FA CoA | 385 +-----------------------------------------------------------+ 387 If the MN is aware of a desired HA address, it can add that address 388 in the Requested HA Extension in Registration Request as a hint. 389 That extension is not shown above. 391 2. The FA sends the Registration Request to the Requested HA. If 392 Requested HA Extension is present, Requested HA is the HA address in 393 this extension. If the Requested HA Extension is not present, the FA 394 determines the Requested HA through means outside the scope of this 395 specification. The Registration Request is formatted as follows: 397 +-----------------------------------------------------------+ 398 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 399 | FA |Requested HA| | ALL-ZERO-ONE-ADDR |FA CoA | 400 +-----------------------------------------------------------+ 402 (If MN includes the Requested HA Extension, the FA copies that 403 extension. The FA then forwards the Registration Request, along with 404 the Requested HA Extension, to the HA address specified in Requested 405 HA Extension.) 407 3. The HA processes the Registration Request in accordance with 408 Mobile IPv4 [1] and the messaging defined in this document. The HA 409 creates mobility binding for successful request and becomes the 410 Assigned HA. The HA then sends Registration Reply to the FA, which 411 is formatted as follows: 413 +-----------------------------------------------------------+ 414 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 415 |Assigned| Src IP of | | Assigned HA |FA CoA/| 416 | HA | the RRQ | | | | 417 +-----------------------------------------------------------+ 419 4. The FA relays the Registration Reply to the MN, as follows. 421 +-----------------------------------------------------------+ 422 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 423 | FA | MN | | Assigned HA |FA CoA/| 424 +-----------------------------------------------------------+ 425 5. The MN obtains the Assigned HA address from the HA field in the 426 successful Registration Reply and uses it for the remainder of the 427 session. The MN sends subsequent Re-Registration or De-Registration 428 Requests for the remainder session directly to the Assigned HA. Note 429 that the Assigned HA is the same as the Requested HA. 431 4.2 Messaging for HA redirection 433 This section describes the events that occur when the Requested HA 434 does not accept the Registration Request and redirects the mobile 435 node to another HA (aka Redirected HA) instead. This behavior is not 436 exhibited by a legacy HA and so is not referred in the description 437 below. In presence of a legacy FA, please refer to section 4.1 for 438 the specific field in the Registration Request. 440 1. The MN sets the Home Agent address field in the Registration 441 Request to ALL-ZERO-ONE-ADDR. 443 2. The MN (if using co-located CoA and registering directly with the 444 HA) or FA (if the MN is registering via the FA) sends the 445 Registration Request to the "Requested HA". If the MN is aware of 446 an HA address, it can add that address in the Requested HA 447 Extension in Registration Request. 449 3. When the HA receives the Registration Request, if the HA field is 450 set to ALL-ZERO-ONE-ADDR, the HA may reject the request with Reply 451 code REDIRECT-HA-REQ and suggest an alternate HA. 453 The HA may reject the Request for a number of reasons, which are 454 outside the scope of this specification. If the HA rejects the 455 Request, the HA field in the Reply is set to this HAs address. 456 The IP address of the HA that is the target of the redirection is 457 specified in Redirected HA Extension. The presence of this 458 extension is mandatory when the reply code is set to REDIRECT-HA- 459 REQ. HA sends the Reply to the FA/MN. 461 4. FA sends the Reply to the MN. 463 5. If the error code is set to REDIRECT-HA-REQ, MN obtains the HA 464 address from Redirected HA Extension. The MN then sends a 465 Registration Request to Redirected HA, unless it has already 466 received a redirection response from this HA while processing this 467 Registration Request. The MN may choose to add Requested HA 468 extension in this new Registration Request. 470 4.2.1 Example with Message Flow Diagram 472 Figure 3 shows one specific example of a Mobile Node using FA-located 473 Care of Address, where the FA is not a legacy FA. 475 MN FA Requested HA Redirected HA 476 | 1 | | | 477 |------------>| 2 | | 478 | |--------------->| | 479 | | | | 480 | | | | 481 | | 3 | | 482 | 4 |<---------------| | 483 |<------------| | | 484 | | | | 485 | | 5 | | 486 |--------------------------------------------->| 487 | | | | 489 Figure 3: Example message flow for HA redirection 491 1. The MN sets the Home Agent address field in the Registration 492 Request to ALL-ZERO-ONE-ADDR. Since the MN is using FA CoA in this 493 example, it sends the Registration Request to the FA. The 494 Registration Request is formatted as follows: 496 +-----------------------------------------------------------+ 497 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 498 | MN | FA | | ALL-ZERO-ONE-ADDR |FA CoA | 499 +-----------------------------------------------------------+ 501 If the MN is aware of an HA address, it can add that address in the 502 Requested HA Extension in Registration Request as a hint. That 503 extension is not shown above. 505 2. The FA sends the Registration Request to the Requested HA. If 506 Requested HA Extension is present, Requested HA is the HA address in 507 this extension. If the Requested HA Extension is not present, the FA 508 determines the Requested HA through means outside the scope of this 509 specification. The Registration Request is formatted as follows: 511 +-----------------------------------------------------------+ 512 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 513 | FA |Requested HA| | ALL-ZERO-ONE-ADDR |FA CoA | 514 +-----------------------------------------------------------+ 516 3. The HA processes the Registration Request in accordance with 517 Mobile IPv4 [1] and the messaging defined in this specification. If 518 the registration is successful, but local configuration/ 519 administrative policy etc. directs HA to refer the MN to another HA, 520 the HA rejects the Request with error code REDIRECT-HA-REQ. The HA 521 fills in the address of the Redirected HA in the Redirected HA 522 Extension. The HA then sends Registration Reply reject to the FA, 523 which is formatted as follows: 525 +-----------------------------------------------------------+ 526 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 527 | | Src IP of | | HA |FA CoA | 528 | HA | the RRQ | | | | 529 +-----------------------------------------------------------+ 530 | Redirected HA Extension ... | 531 +-----------------------------------------------------------+ 533 4. The FA relays the Registration Reply to the MN, as follows. 535 +-----------------------------------------------------------+ 536 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 537 | FA | MN | | HA |FA CoA/| 538 +-----------------------------------------------------------+ 539 | Redirected HA Extension ... | 540 +-----------------------------------------------------------+ 542 5. If the MN can authenticate the Reply, the MN extracts the HA 543 address from the Redirected HA Extension. The MN then sends a 544 Registration Request to the Redirected HA, unless it has already 545 received a redirection response from that HA while processing the 546 Registration Request. The MN may choose to add Requested HA 547 extension in this new Registration Request. 549 5. Mobility Agent Considerations 551 The following sections describe the behavior of each mobility agent 552 in detail. 554 5.1 Mobile Node Considerations 556 The mobile node MUST use the NAI extension for home address 557 assignment when using the messaging mechanism in this document. 558 Since MN uses the NAI extension, the Home Address field is set to 559 0.0.0.0. 561 While dynamic HA assignment is in progress and the MN has not 562 successfully anchored at a Home Agent, the MN MUST set the Home Agent 563 field in the Registration Request to an ALL-ZERO-ONE-ADDR, which is 564 either 255.255.255.255 or 0.0.0.0. 566 The Registration Request MUST be protected by a valid authenticator 567 as specified in Mobile IPv4 [1] or Mobile IPv4 Challenge/Response 568 Extensions [5]. Configuring security associations is deployment 569 specific and hence outside the scope of this specification. The 570 security associations between a MN and an individual HA may also be 571 dynamically derived during the dynamic HA assignment, based on a 572 shared secret between MN and AAA infrastructure [7]. 574 The mobile node MUST maintain the remaining Mobile IP session with 575 the Assigned HA. 577 The following sections describe MN behavior in FA CoA mode and co- 578 located CoA mode. 580 5.1.1 MN using FA CoA 582 When a mobile node initiates a Mobile IP session requesting dynamic 583 HA assignment, it MUST set the home agent address field in the 584 Registration Request to ALL-ZERO-ONE-ADDR. The destination IP 585 address of the Registration Request is the FA. The FA will determine 586 the Requested HA and forward the Registration Request to the 587 Requested HA. Registration Request processing takes place on the 588 Requested HA as per the specification in this draft. 590 The Registration Request MUST be appropriately authenticated for the 591 HA to validate the Request. 593 If a successful Registration Reply is received, the MN obtains the 594 Assigned HA from the HA field of Reply. The Assigned HA address will 595 be the same as the Requested HA Extension, if it was included in the 596 Registration Request by the MN. 598 If a Registration Reply is received with code REDIRECT-HA-REQ, the MN 599 MUST authenticate the Reply based on HA address in HA field of Reply 600 and attempt Registration with the HA address specified in the 601 Redirected HA Extension. The MN MUST put the Redirected HA address 602 as the Requested HA Extension of the new Registration Request. 604 In some cases, for the first Registration Request the MN may want to 605 hint to the network to be anchored at a specific HA. The MN SHOULD 606 put that address in the HA address of the Requested HA Extension. 608 5.1.2 MN using Co-located CoA 610 An MN in co-located CoA mode requesting dynamic HA assignment MUST 611 set the home agent address field in the Registration Request to ALL- 612 ZERO-ONE-ADDR. The destination IP address of the Registration 613 Request is the Requested HA. Some ideas on how to select a Requested 614 HA are briefly covered in section 6. 616 If a successful Reply is received, the MN obtains the Assigned HA 617 address from the successful Registration Reply. The Assigned HA will 618 be the same as Requested HA to which the Registration Request was 619 sent. The MN MUST cache the Assigned HA address for the length of 620 the Mobile IP session. The mobile node then MUST use this previously 621 cached Assigned HA address as the home agent address in subsequent 622 re-registration and de-registration request(s). This will make sure 623 that for the duration of the Mobile IP session, the mobile node will 624 always be anchored to the assigned home agent with which it was 625 initially registered. 627 If a Registration Reply is received with code REDIRECT-HA-REQ, the MN 628 MUST authenticate the Reply based on HA address in HA field of Reply 629 and attempt Registration with the HA address specified in the 630 Redirected HA Extension. The MN MUST put the Redirected HA in the 631 Requested HA Extension of the new Registration Request. 633 In some cases, for the first Registration Request MN may want to hint 634 to the network to be anchored at a specific HA and the MN SHOULD put 635 that address in the HA address of the Requested HA Extension. 637 While requesting dynamic HA assignment and registering directly with 638 an HA, the Requested HA Extension MUST be included and MUST contain 639 the address of the HA to which the Registration Request is sent. 640 When using co-located CoA but registering via a legacy FA, the HA 641 field in Reqistration Request may be set to Requested HA. 643 If the Registration Request contains the Requested HA Extension, the 644 HA address in that extension MUST match the destination IP of the 645 Request. 647 5.1.3 Refreshing Assigned HA Address on Mobile Node 649 When the Mobile IP session terminates, the mobile node MAY clear the 650 Assigned HA address cached as the home agent address. It MAY request 651 a new HA address for the new Mobile IP session by not including the 652 Requested HA Extension. The advantage of this approach is that the 653 mobile node will be always anchored to an optimal home agent from 654 where it initiated the Mobile IP session. 656 Alternately, the MN may save the Assigned HA address and use it in 657 the Requested HA Extension along with ALL-ZERO-ONE-ADDR HA address in 658 Registration Request for a new Mobile IP session. 660 5.2 Foreign Agent Considerations 662 When the mobile node is using a FA CoA it always registers via the 663 FA. When the MN is using a co-located CoA it may register through a 664 FA or it may register directly with an HA, unless the R bit is set in 665 the FA's agent advertisement, in which case it always registers 666 through the FA. 668 When the FA receives a Registration Request with HA address field set 669 to ALL-ZERO-ONE-ADDR that doesn't contain the Requested HA Extension, 670 the FA obtains the Requested HA address to forward the Registration 671 Request using means outside the scope of this specification. Some 672 ideas on how to select a Requested HA are briefly covered in section 673 6. 675 If the FA cannot obtain the Requested HA to which to forward a 676 Registration Request from MN, it MUST reject request with error code 677 NONZERO-HA-REQD. 679 If the MN has included the Requested HA Extension, the FA MUST 680 forward Registration Request to the address in this extension. If 681 the HA address in this extension is not a routable unicast address, 682 the FA MUST reject request with error code NONZERO-HA-REQD. 684 If the Registration Request contains the Requested HA Extension, the 685 FA uses that address as the destination for the relayed Registration 686 Request. 688 Backward compatibility issues related to the mobility agents are 689 addressed in section 10. 691 5.3 Home Agent Considerations 693 A Home Agent can process an incoming Registration Request in one of 694 the following two ways: 696 1. The MN or FA sends the Registration Request to the Requested HA. 697 The term Requested HA has meaning in the context of a Registration 698 Request message. When the Requested HA successfully processes the 699 Registration Request and creates a binding and sends a Reply with its 700 address, it becomes the Assigned HA. The term Assigned HA is 701 meaningful in the context of a Registration Reply message. 703 2. A Home Agent receiving a Registration Request with HA field set 704 to ALL-ZERO-ONE-ADDR MAY reject the request even if successfully 705 authenticated and suggest an alternate HA address in Reply. In such 706 a case, the HA puts its own address in HA field of Reply and sets the 707 Reply code to REDIRECT-HA-REQ and adds the Redirected HA Extension. 709 If the Registration Request contains the Requested HA Extension, the 710 HA address in that extension must match the destination IP of the 711 Request. If it does not match, the Requested HA MUST reject the 712 Registration Request with error code 136. 714 5.3.1 Assigned Home Agent Considerations 716 The HA that processes the incoming Registration Request fully in 717 accordance with Mobile IPv4 [1] and this specification becomes the 718 Assigned HA. The Registration Request terminates at the Assigned HA. 720 The Assigned HA creates one mobility binding per MN and sends 721 Registration Reply to the MN by copying its address in the home agent 722 field and as the source IP address of the Reply. 724 The following table summarizes the behavior of the Assigned HA, based 725 on the value of the destination IP address and Home Agent field of 726 the Registration Request. 728 Dest IP Addr HA field Processing at Assigned HA 729 ------------ ------------ ---------------------------------- 731 Unicast non-unicast Mobile IPv4 [1]: There is no change 732 in handling for this case from 733 (Must be Mobile IPv4. It is mentioned here 734 equal to the for reference only. 735 HA receiving HA denies the registration with 736 the RRQ) error code 136 and sets HA field to 737 its own IP address in the reply as 738 per section 3.8.3.2 in [1]. 740 ALL-ZERO- New Behavior: Accept the RRQ as per 741 ONE-ADDR this specification. Authenticate 742 the RRQ and create mobility binding 743 if the HA is acting as Assigned HA. 744 Set HA field to its own IP address 745 in the Registration Reply. 747 OR 749 New Behavior: If authentication is 750 successful, reject RRQ with a new 751 error code REDIRECT-HA-REQ. HA 752 puts its address in HA address 753 field of Reject. HA suggests an 754 alternate HA to use in the new 755 Redirected HA Extension. 757 Table 1: Registration Request handling at Assigned HA 759 As per the messaging proposed here, the mobile node (or the foreign 760 agent) sends the Registration Request to the Requested HA address, 761 which is a unicast address. Therefore, this document does not 762 specify any new behavior for the case where the HA receives a subnet 763 directed broadcast Registration Request as specified in section 764 3.8.2.1 of the Mobile IPv4 specification [1]. Although the Home 765 Agent field in the Registration Request is not a unicast address, the 766 destination IP address is a unicast address. This avoids the 767 problem associated with subnet-directed broadcast destination IP 768 address that may result in multiple HAs responding. Thus, there is 769 no need to deny the registration as stated in Mobile IPv4 [1] section 770 3.8.3.2. 772 When the destination IP address is a unicast address and the Home 773 Agent field is ALL-ZERO-ONE-ADDR, the HA accepts/denies registration 774 and sets the HA field to its own IP address in the reply (i.e. the 775 registration is not rejected with error code 136). 777 The HA can reject the request with the error code REDIRECT-HA-REQ and 778 suggest an alternate HA. This redirection can be used for load 779 balancing, geographical proximity based on care-of-address or other 780 reasons. The HA puts its own address in HA field of the Registration 781 Reply message and puts the address of the redirected HA in the 782 Redirected HA Extension. If the HA accepts the Request, it sets the 783 HA field in the Registration Reply to its own address. 785 The Requested HA always performs standard validity checks on the 786 Registration Request. If there is any error, the Registration 787 Request is rejected with error codes specified in Mobile IPv4 [1]. 789 6. Requested Home Agent Selection 791 When dynamic HA assignment is requested, the MN (or FA in the case of 792 registration via FA) sends the Registration Request to the Requested 793 HA. This address MUST be a unicast IP address. If the MN has 794 included a Requested HA Extension in Registration Request, the HA 795 address in this extension is the Requested HA. 797 Some example methods by which the MN or the FA may select the 798 Requested HA are briefly described below: 800 DHCP: 802 MN performs DHCP to obtain an IP address on the visited network. The 803 Requested HA is learned from the DHCP Mobile IP Home Agent Option 68 804 [4]. MN sends Registration Request directly to this HA and receives 805 the Assigned HA to be used for the remainder of the Mobile IP 806 session. 808 AAA: 810 MN performs challenge/response [5] with the FA. The FA retrieves the 811 Requested HA from the AAA server and forwards the Registration 812 Request directly to this HA. The Assigned HA sends a Registration 813 Reply to the FA, which relays it to the MN. MN uses the Assigned HA 814 for the remainder of the Mobile IP session. 816 DNS: 818 In this case the hostname of the HA is configured on the MN or 819 obtained by some other means; e.g., using a service location 820 protocol. MN performs DNS lookup on the HA hostname. The DNS 821 infrastructure provides a resource record with information to 822 identify the optimal HA to the MN. The MN sends a Registration 823 Request directly to the HA and receives the Assigned HA to be used 824 for remainder of the Mobile IP session. 826 Static configuration: 828 The HA address is statically configured on the MN. The MN sends the 829 Registration Request to the configured address. The Requested HA may 830 then redirect the MN to a Redirected HA. 832 7. Error Values 834 Each entry in the following table contains the name and value for the 835 error code to be returned in a Registration Reply. It also includes 836 the section in which the error code is first mentioned in this 837 document. 839 Error Name Value Section Description 840 --------------- ----- ------- ----------------------------- 841 NONZERO-HA-REQD XX 5.2 Non-zero HA address required 842 in Registration Request. 843 REDIRECT-HA-REQ YY 5.3 Reregister with redirected HA. 845 8. IANA Considerations 847 The code value NONZERO-HA-REQD is a Mobile IP response code [1] taken 848 from the range of values associated with rejection by the foreign 849 agent (i.e. value in the range 64-127). 851 The code value REDIRECT-HA-REQ is a Mobile IP response code [1] taken 852 from the range of values associated with rejection by the home agent 853 (i.e. value in the range 128-192). 855 The Dynamic HA Extension is assigned from the range of values 856 associated with skippable extensions at the home agent (i.e. value in 857 the range 128-255). 859 IANA should record the values as defined in Section 7 and 3.4. 861 9. Security Considerations 863 This specification assumes that a security configuration has been 864 preconfigured between the MN and the HA or is configured along with 865 the initial RRQ/RRP as per [7]. 867 This specification does not change the security model established in 868 Mobile IPv4 [1]. Mobile Nodes are often connected to the network via 869 wireless links, which may be more prone to passive eavesdropping or 870 replay attacks. Such an attack might lead to bogus registrations or 871 redirection of traffic or denial of service. 873 As per the messaging in this draft, the Assigned Home Agent will 874 process the incoming Registration Request as per Mobile IPv4 [1]. 875 Hence the Assigned Home Agent will have same security concerns as 876 that of the Home Agent in Mobile IPv4 [1]. They are addressed in 877 Section 5 "Security Considerations" of Mobile IPv4 [1]. 879 The Registration Request and Registration Reply messages are 880 protected by a valid authenticator as specified in Mobile IPv4 [1]. 881 Configuring security associations is a deployment specific issue and 882 is covered by other Mobile IP specifications. There can be many ways 883 of configuring security associations, but this specification does not 884 require any specific way. 886 An example is where the security association between an MN and an 887 individual HA (Requested or Assigned) is dynamically derived during 888 the registration process based on a shared secret between MN and AAA 889 infrastructure, as defined in [7]. The Registration Request is 890 protected with MN-AAA authentication extension and Registration Reply 891 is protected with MN-HA Authentication Extension. Because the 892 security association is shared between MN and AAA, any dynamically 893 assigned HA in the local domain can proxy authenticate the MN using 894 AAA as per [7]. 896 The Assigned Home Agent authenticates each Registration Request from 897 the mobile node as specified in Mobile IPv4 [1] and/or RFC-3012. The 898 MN also authenticates the Registration Reply from the Assigned HA, 899 thus the existing trust model in Mobile IPv4 [1] is maintained. 901 10. Backward Compatibility Considerations 903 In this section, we examine concerns that may arise when using this 904 specification in a mixed environment where some nodes implement the 905 specification and others do not. In each of the examples below, we 906 consider the case where one node is a "Legacy" node which does not 907 implement the specification in the context of other nodes which do. 909 Legacy Home Agent: 911 Legacy home agents may reject the Registration Request with error 912 code 136 because the Home Agent field is not a unicast address. 913 However, some legacy HA implementations may coincidentally process 914 the Registration Request in accordance with this draft, when the HA 915 field in Registration Request is set to ALL-ZERO-ONE-ADDR. 917 Legacy Foreign Agent: 919 Legacy foreign agents may forward a Registration Request with home 920 agent field set to ALL-ZERO-ONE-ADDR by setting the destination IP 921 address to ALL-ZERO-ONE-ADDR. This will result packet being dropped 922 or incidentally handled by a next hop HA, adjacent to the FA. The MN 923 may not be aware of the dropped Registration Request and may probably 924 retry registration, thereby increasing the delay in registration. 926 To reduce the delay in registration, the MN should take following 927 steps: 929 1. The MN should send the Registration Request as specified in this 930 specification. In other words, the MN should set the home agent 931 field in the Registration Request to ALL-ZERO-ONE-ADDR and also add 932 the Requested HA Extension. 933 2. If the MN does not receive a Registration Reply within some time 934 and/or after sending a few Registration Requests, it can assume 935 that the Registration Request(s) has been dropped, either by a 936 legacy FA or an incorrect HA. The MN then should fall back to a 937 recovery mechanism. The MN should quickly send a new Registration 938 Request as mentioned in section 4.1 step 2. This step will ensure 939 that a legacy FA will forward the Registration Request to the Home 940 Agent thereby making dynamic HA assignment possible. 942 Legacy Mobile Node: 944 A MN that sends a registration request to an FA which can do dynamic 945 HA assignment, but does not set the HA field to ALL-ZERO-ONE-ADDR 946 will continue to be registered with its statically configured HA, 947 exactly according to RFC 3344. 949 11. Change Log from previous versions 951 Note: This section should be removed before publication. 953 Changes from revision 3 to 4: 955 1. Text added to clarify the cases when MN is configured with HA 956 address and not configured with HA address and requests 957 dynamic HA assignment. 958 2. Clarification on legacy FA section as suggested by Thomas 959 Narten. 960 3. More editorial changes suggested by the chairs. 962 Changes from revision 2 to 3: 964 1. More editorial changes suggested by the chairs. 966 Changes from revision 1 to 2: 968 1. Editorial changes suggested by the WG, the chair's reviews and 969 idnits. 971 Changes from revision 0 to 1: 973 1. Added subtype field in Redirected HA Address Extension. 974 2. Aligned the HA address at 4-byte world boundary. 975 3. The case of handling unicast HA field is removed in section 976 5.3.1. 978 12. Acknowledgements 980 The authors would like to thank Pete McCann for thorough review, 981 suggestions on security considerations and definition of ALL-ZERO- 982 ONE-ADDR. Thanks to Kuntal Chowdhury for extensive review and 983 comments on this draft. Also thanks to Henrik Levkowetz for detailed 984 reviews and suggestions. 986 The authors would like to thank Mike Andrews, Madhavi Chandra and 987 Yoshi Tsuda for their review and suggestions. 989 13. Normative References 991 [1] C. Perkins, "IP Mobility Support for IPv4", RFC 3344, August 992 2002. 993 [2] P. Calhoun and C. Perkins, "Mobile IP Network Access Identifier 994 Extension for IPv4", RFC 2794, March 2000. 995 [3] D. Senie, "Changing the Default for Directed Broadcasts in 996 Routers", RFC 2644, August 1999. 997 [4] S. Alexander and R. Droms, "DHCP Options and BOOTP Vendor 998 Extensions", RFC 2132, March 1997. 999 [5] C. Perkins and P. Calhoun, "Mobile IPv4 Challenge/Response 1000 Extensions", RFC 3012, November 2000. 1001 [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement 1002 Levels", BCP 14, RFC 2119, March 1997. 1003 [7] C. Perkins and P. Calhoun, "AAA Registration Keys for Mobile 1004 IP", draft-ietf-mip4-aaa-key-06.txt, June 2004. 1006 Authors' Addresses 1008 Milind Kulkarni 1009 Cisco Systems Inc. 1010 170 W. Tasman Drive, 1011 San Jose, CA 95134 1012 USA 1014 Email: mkulkarn@cisco.com 1015 Phone:+1 408-527-8382 1017 Alpesh Patel 1018 Cisco Systems Inc. 1019 170 W. Tasman Drive, 1020 San Jose, CA 95134 1021 USA 1023 Email: alpesh@cisco.com 1024 Phone:+1 408-853-9580 1026 Kent Leung 1027 Cisco Systems Inc. 1028 170 W. Tasman Drive, 1029 San Jose, CA 95134 1030 USA 1032 Email: kleung@cisco.com 1033 Phone: +1 408-526-5030 1035 Intellectual Property Statement 1037 The IETF takes no position regarding the validity or scope of any 1038 Intellectual Property Rights or other rights that might be claimed to 1039 pertain to the implementation or use of the technology described in 1040 this document or the extent to which any license under such rights 1041 might or might not be available; nor does it represent that it has 1042 made any independent effort to identify any such rights. 1043 Information on the procedures with respect to rights in RFC documents 1044 can be found in BCP 78 and BCP 79. 1046 Copies of IPR disclosures made to the IETF Secretariat and any 1047 assurances of licenses to be made available, or the result of an 1048 attempt made to obtain a general license or permission for the use 1049 of such proprietary rights by implementers or users of this 1050 specification can be obtained from the IETF on-line IPR repository 1051 at http://www.ietf.org/ipr. 1053 The IETF invites any interested party to bring to its attention 1054 any copyrights, patents or patent applications, or other 1055 proprietary rights that may cover technology that may be required to 1056 implement this standard. Please address the information to the IETF 1057 at ietf-ipr@ietf.org. 1059 Disclaimer of Validity 1061 This document and the information contained herein are provided on an 1062 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1063 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 1064 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 1065 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 1066 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1067 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1069 Copyright Statement 1071 Copyright (C) The Internet Society (2003). This document is subject 1072 to the rights, licenses and restrictions contained in BCP 78, and 1073 except as set forth therein, the authors retain all their rights. 1075 Acknowledgement 1077 Funding for the RFC Editor function is currently provided by the 1078 Internet Society.