idnits 2.17.1 draft-ietf-mip4-dynamic-assignment-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 15. -- Found old boilerplate from RFC 3978, Section 5.5 on line 1118. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1095. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1102. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1108. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3344 (ref. '1') (Obsoleted by RFC 5944) ** Obsolete normative reference: RFC 3012 (ref. '5') (Obsoleted by RFC 4721) Summary: 6 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Mobile IP Working Group Milind Kulkarni 3 INTERNET-DRAFT Alpesh Patel 4 Category: Standards Track Kent Leung 5 Date : 12 October 2005 Cisco Systems Inc. 7 Mobile IPv4 Dynamic Home Agent Assignment 8 draft-ietf-mip4-dynamic-assignment-06.txt 10 Status of this Memo 12 By submitting this Internet-Draft, each author represents that any 13 applicable patent or other IPR claims of which he or she is aware 14 have been or will be disclosed, and any of which he or she becomes 15 aware will be disclosed, in accordance with Section 6 of BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on April 12, 2006. 35 Copyright Notice 37 Copyright (C) The Internet Society (2005). 39 Abstract 41 Mobile IPv4 [1] uses the Home Agent (HA) to anchor sessions of a 42 roaming Mobile Node (MN). This draft proposes a messaging mechanism 43 for dynamic home agent assignment and HA redirection. The goal is to 44 provide a mechanism to assign an optimal HA for a Mobile IP session 45 while allowing any suitable method for HA selection. 47 Table of Contents 49 1. Introduction................................................3 50 2. Requirements Terminology....................................3 51 3. Problem Statement...........................................4 52 3.1 Scope.......................................................5 53 3.2 Dynamic Home Agent Discovery in Mobile IPv4.................5 54 3.3 NAI usage and dynamic HA assignment.........................6 55 3.4 Dynamic HA Extension........................................6 56 3.4.1 Requested HA Extension....................................6 57 3.4.2 Redirected HA Extension...................................7 58 4. Messaging mechanism for dynamic HA assignment/redirection...7 59 4.1 Messaging for dynamic HA assignment.........................7 60 4.1.1 Example with Message Flow Diagram.........................8 61 4.2 Messaging for HA redirection...............................10 62 4.2.1 Example with Message Flow Diagram........................11 63 5. Mobility Agent Considerations..............................12 64 5.1 Mobile Node Considerations.................................12 65 5.1.1 MN using FA CoA..........................................13 66 5.1.2 MN using Co-located CoA..................................14 67 5.1.3 Refreshing Assigned HA Address on Mobile Node............14 68 5.2 Foreign Agent Considerations...............................15 69 5.3 Home Agent Considerations..................................15 70 5.3.1 Assigned Home Agent Considerations.......................16 71 6. Requested Home Agent Selection.............................17 72 7. Error Values...............................................18 73 8. IANA Considerations........................................18 74 9. Security Considerations....................................19 75 10. Backward Compatibility Considerations.....................20 76 11. Change Log from previous versions.........................21 77 12. Acknowledgements..........................................22 78 13. Normative References......................................22 79 Authors' Addresses.............................................22 80 Intellectual Property Statement................................23 82 1. Introduction 84 This document adds to the Mobile IP protocol [1], by proposing a 85 messaging mechanism for dynamic home agent assignment and home agent 86 redirection during initial registration. The goal is to assign an 87 optimal HA for a Mobile IP session. The mobile node MUST use the 88 Network Access Identifier (NAI) extension [2] when requesting a 89 dynamically assigned HA. 91 The MN requests a dynamically assigned HA by setting the HA field in 92 the initial Registration Request to ALL-ZERO-ONE-ADDR (defined in 93 section 2). If the request is accepted, the HA sends a successful 94 Registration Reply containing the HA's own address. The requested HA 95 can suggest an alternate HA and if so, the Registration Reply is 96 rejected with a new error code REDIRECT-HA-REQ and the alternate HA 97 address is specified in a new extension (Redirected HA Extension). 99 This document also defines a new Requested HA Extension for use in 100 Registration Requests when the HA field is set to ALL-ZERO-ONE- 101 ADDRESS. The Requested HA address is a hint to the network about the 102 MN's preferred HA. 104 The messaging mechanism is defined in this document so that the 105 MN can request and receive a dynamic HA address in Mobile IP 106 messages. However, the mechanism by which the network selects 107 an HA for assignment to the MN is outside the scope of this 108 document. For example, the selection may be made by any 109 network node that receives the registration request (or 110 information about the registration request), such as a Foreign 111 Agent, AAA server, or Home Agent. The node that selects the 112 HA may select one based on a number of criteria, including but 113 not limited to HA load-balancing, geographical proximity, 114 administrative policy etc. 116 2. Requirements Terminology 118 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 119 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 120 document are to be interpreted as described in RFC 2119 [6]. 122 The Mobile IP related terminology described in RFC 3344 [1] is used 123 in this document. In addition, the following terms are used: 125 ALL-ZERO-ONE-ADDR: IP address 0.0.0.0 or 255.255.255.255. An 126 address of 255.255.255.255 indicates a preference 127 for an HA in the home domain. An address of 128 0.0.0.0 indicates no preference for home vs. 129 visited domain. 131 Requested HA: Destination IP address of Home Agent that the 132 Registration Request is sent to. Must be a 133 unicast IP address. This address can be 134 obtained as described in section 6. 136 Note that this specification defines a new 137 "Requested HA Extension" in section 3.4, which 138 is different from the term "Requested HA". 140 Assigned HA: The HA that accepts an MN's Registration Request 141 and returns a successful Registration Reply. 143 Redirected HA: If the registration is rejected with error code 144 REDIRECT-HA-REQ, the HA being referred to is 145 specified in a new extension (Redirected HA 146 Extension). 148 AAA server: Authentication, Authorization and Accounting 149 Server. 151 DNS: Domain Name System. 153 DHCP: Dynamic Host Configuration Protocol. 155 MN: Mobile Node as defined in Mobile IPv4 [1]. 157 HA: Home Agent as defined in Mobile IPv4 [1]. 159 FA: Foreign Agent as defined in Mobile IPv4 [1]. 161 CoA: Care of Address. 163 CCoA: Co-located Care of Address. 165 MN HoA: Mobile Node's Home Address. 167 NAI: Network Access Identifier [2]. 169 Src IP: Source IP address of the packet. 171 Dest IP: Destination IP address of the packet. 173 RRQ: Registration Request. 175 3. Problem Statement 177 The Mobile IPv4 NAI Extension for IPv4 [2] introduced the concept of 178 identifying a MN by the NAI and enabling dynamic home address 179 assignment. When the home address is dynamically assigned, it is 180 desirable to discover the Home Agent dynamically or inform the MN 181 about an optimal HA to use for a multitude of reasons, such as: 183 - If the distance between the visited network and the home network of 184 the mobile node is large, the signaling delay for these registrations 185 may be long. In such a case the MN will be anchored to its distant 186 home agent, resulting in tunneled traffic traveling a long distance 187 between home agent and the mobile node. When a Mobile IP session 188 initiates, if the mobile node can be assigned a home agent that is 189 close to the mobile node it can drastically reduce the latency 190 between the home agent and mobile node. 192 - In a large scale Mobile IP deployment, it is cumbersome to 193 provision MNs with multiple HA addresses. 195 - It is desirable to achieve some form of load balancing between 196 multiple HAs in the network. Dynamic HA assignment and/or HA 197 redirection lets the network select the optimal HA from among a set 198 of HAs and thus achieve load balancing among a group of HAs. 200 - Local administrative policies. 202 3.1 Scope 204 This specification does not address the problem of distributing a 205 security association between the MN and HA, and it can either be 206 statically preconfigured or dynamically distributed using other 207 mechanisms [7]. 209 The draft introduces the terms Requested/Assigned/Redirected HA 210 (section 6). The discovery of candidate HA addresses for insertion 211 into the Redirected HA Extension can be accomplished through various 212 means which are network and/or deployment specific and hence are 213 outside the scope of this specification. 215 The MN MAY request dynamic HA assignment when it is not aware of any 216 HA address and even when it is aware of at least one HA address. 218 3.2 Dynamic Home Agent Discovery in Mobile IPv4 220 Mobile IPv4 [1] specifies the mechanism for discovering the mobile 221 node's home agent using subnet-directed broadcast IP address in the 222 home agent field of the Registration Request. This mechanism was 223 designed for mobile nodes with a static home address and subnet 224 prefix, anchored on fixed home network. However, using subnet 225 directed broadcast as the destination IP address of the Registration 226 Request, it is unlikely that the Registration Request will reach the 227 home subnet because routers will drop these packets by default. See 228 CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks [3]. 230 3.3 NAI usage and dynamic HA assignment 232 The Mobile IPv4 NAI Extension for IPv4 [2] introduced the 233 concept of identifying a MN by the NAI and enabling dynamic 234 home address assignment. This document requires that while 235 using dynamic HA assignment, MN MUST use the NAI and obtain a home 236 address. MN can still suggest a static home address in the 237 Registration Request, but must take the address in the Registration 238 Reply as the home address for the session. This is compatible with 239 the procedures documented in the NAI specification [2]. 241 3.4 Dynamic HA Extension 243 The Dynamic HA Extension, shown in figure 1, contains the address of 244 the HA. This is a generic extension and can be used in Registration 245 Request and Reply messages. It is a skippable extension. 247 0 1 2 3 248 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 250 | Type | Sub-Type | Length | 251 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 252 | HA-Address | 253 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 255 Figure 1: The Dynamic HA address Extension 257 Type DYNAMIC-HA-ADDRESS (skippable) (to be assigned by 258 IANA) is the type, which specifies the dynamic HA 259 address. 261 Sub-Type Defines the use of this extension as: 262 sub-type 1 = Requested HA Extension 263 2 = Redirected HA Extension 265 Length Indicates the length of the extension not 266 including the type, sub-type and length fields. 267 Length is always 4 bytes. 269 HA-Address Address of the Home Agent. 271 3.4.1 Requested HA Extension 273 The Requested HA Extension is a Dynamic HA Extension of subtype 1. 275 The MN may include the Requested HA Extension in the registration 276 request as a hint to the network where it wishes to be anchored. 278 This extension contains the address of the HA. A valid unicast IP 279 address MUST be used as HA address in this extension. 281 In absence of an FA, the Registration Request is forwarded to this 282 HA. In presence of an FA, the FA MUST forward Registration Request 283 to the HA address in this extension. 285 3.4.2 Redirected HA Extension 287 The Redirected HA Extension is a Dynamic HA Extension of subtype 2. 289 The Redirected HA Extension contains the address of the HA where the 290 MN should attempt the next registration. The HA receiving a 291 Registration Request can suggest an alternate HA and, if so, the 292 Registration Reply is sent with a new error code REDIRECT-HA-REQ and 293 the alternate HA address is specified in this extension. 295 The Redirected HA Extension MUST be included in Registration Reply 296 when the reply code is REDIRECT-HA-REQ. 298 4. Messaging mechanism for dynamic HA assignment/redirection 300 This specification presents two alternatives for home agent 301 assignment. The two alternatives are: 302 (a) Dynamic HA assignment (described in section 4.1) and 303 (b) HA redirection (described in section 4.2). 305 4.1 Messaging for dynamic HA assignment 307 The following sequence of events occurs when the MN requests dynamic 308 Home Agent assignment: 310 1. The MN sets the Home Agent address field in the Registration 311 Request to ALL-ZERO-ONE-ADDR. If the MN is aware of a desired HA 312 address, it can add that address in the Requested HA Extension in 313 the Registration Request. If the HA does not support the 314 Requested HA Extension, see step 2 below. 316 2. This step is applicable, in lieu of step 1, for a MN that is 317 aware of the HA address and desires dynamic HA assignment. Also, 318 the MN follows this (when aware of a HA address) when it 319 discovers a legacy FA in the path or if the known HA does not 320 support the Requested HA Extension (see section 10). 322 The MN sets the Home Agent address field in the Registration 323 Request to the HA address (instead of setting it to ALL-ZERO-ONE- 324 ADDR). The MN also adds the same HA address in the Requested HA 325 Extension in the Registration Request. 327 3. The MN (if using co-located CoA and registering directly with the 328 HA) or the FA (if the MN is registering via the FA) sends the 329 Registration Request to the "Requested HA". If the Requested HA 330 Extension is present, Requested HA is specified in the "HA 331 Address" of this extension. 332 Per section 10, in case of a legacy FA, legacy FA forwards the 333 Registration Request to the address in the HA field of the 334 Request (thus, MN uses step 2 above in case of legacy FA instead 335 of step 1). 337 4. The "Requested HA" is the home agent that processes the 338 Registration Request in accordance with Mobile IPv4 [1] and as 339 per the specification in this document. It creates mobility 340 binding for successful Registration Request. It also sends a 341 Registration Reply to the MN. 343 5. The MN obtains an "Assigned HA" address from the HA field in the 344 successful Registration Reply and uses it for the remainder of 345 the session. (Note that the "Assigned HA" will be same as the 346 "Requested HA"). 348 6. Subsequent Registration Request messages for renewal are sent to 349 the Assigned HA. 351 Section 5.3.1 describes the Assigned HA in detail. Some ideas on how 352 to select the Requested HA are briefly covered in section 6. 354 4.1.1 Example with Message Flow Diagram 356 Detailed explanation of this alternative is best described with the 357 help of a message flow diagram and description. 359 Figure 2 shows one specific example of a Mobile Node using an FA- 360 located Care of Address (FA CoA) and FA understands the Requested HA 361 Extension per this specification. 363 Other scenarios such as when the mobile node uses a co-located care 364 of address and presence of a legacy HA or FA are not described below, 365 but the behavior is similar. 367 MN FA Requested/Assigned HA 368 | 1 | | 369 |------------>| 2 | 370 | |--------------->| 371 | | | 372 | | | 373 | | 3 | 374 | 4 |<---------------| 375 |<------------| | 376 | | | 377 | | 5 | 378 |----------------------------->| 379 | | | 381 Figure 2: Example message flow for dynamic HA assignment 383 1. The MN sets the Home Agent address field in the Registration 384 Request to ALL-ZERO-ONE-ADDR. Since the MN is using FA CoA in this 385 example, it sends the Registration Request to the FA. The 386 Registration Request is formatted as follows: 388 +-----------------------------------------------------------+ 389 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 390 | MN | FA | | ALL-ZERO-ONE-ADDR |FA CoA | 391 +-----------------------------------------------------------+ 393 If the MN is aware of a desired HA address, it can add that address 394 in the Requested HA Extension in Registration Request as a hint. 395 That extension is not shown above. 397 2. The FA sends the Registration Request to the Requested HA. If 398 Requested HA Extension is present, Requested HA is the HA address in 399 this extension. If the Requested HA Extension is not present, the FA 400 determines the Requested HA through means outside the scope of this 401 specification. The Registration Request is formatted as follows: 403 +-----------------------------------------------------------+ 404 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 405 | FA |Requested HA| | ALL-ZERO-ONE-ADDR |FA CoA | 406 +-----------------------------------------------------------+ 408 (If MN includes the Requested HA Extension, the FA copies that 409 extension. The FA then forwards the Registration Request, along with 410 the Requested HA Extension, to the HA address specified in Requested 411 HA Extension.) 413 3. The HA processes the Registration Request in accordance with 414 Mobile IPv4 [1] and the messaging defined in this document. The HA 415 creates mobility binding for successful request and becomes the 416 Assigned HA. The HA then sends Registration Reply to the FA, which 417 is formatted as follows: 419 +-----------------------------------------------------------+ 420 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 421 |Assigned| Src IP of | | Assigned HA |FA CoA/| 422 | HA | the RRQ | | | | 423 +-----------------------------------------------------------+ 425 4. The FA relays the Registration Reply to the MN, as follows. 427 +-----------------------------------------------------------+ 428 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 429 | FA | MN | | Assigned HA |FA CoA/| 430 +-----------------------------------------------------------+ 432 5. The MN obtains the Assigned HA address from the HA field in the 433 successful Registration Reply and uses it for the remainder of the 434 session. The MN sends subsequent Re-Registration or De-Registration 435 Requests for the remainder session directly to the Assigned HA. The 436 Home Agent address field in this Registration Request is set to 437 ALL-ZERO-ONE-ADDR. Note that the Assigned HA is the same as the 438 Requested HA. 440 4.2 Messaging for HA redirection 442 This section describes the events that occur when the Requested HA 443 does not accept the Registration Request and redirects the mobile 444 node to another HA (aka Redirected HA) instead. This behavior is not 445 exhibited by a legacy HA and so is not referred in the description 446 below. In presence of a legacy FA, please refer to section 4.1 for 447 the specific field in the Registration Request. 449 1. The MN sets the Home Agent address field in the Registration 450 Request to ALL-ZERO-ONE-ADDR. 452 2. The MN (if using co-located CoA and registering directly with the 453 HA) or FA (if the MN is registering via the FA) sends the 454 Registration Request to the "Requested HA". If the MN is aware of 455 an HA address, it can add that address in the Requested HA 456 Extension in Registration Request. 458 3. When the HA receives the Registration Request, if the HA field is 459 set to ALL-ZERO-ONE-ADDR, the HA may reject the request with Reply 460 code REDIRECT-HA-REQ and suggest an alternate HA. 462 The HA may reject the Request for a number of reasons, which are 463 outside the scope of this specification. If the HA rejects the 464 Request, the HA field in the Reply is set to this HAs address. 465 The IP address of the HA that is the target of the redirection is 466 specified in Redirected HA Extension. The presence of this 467 extension is mandatory when the reply code is set to REDIRECT-HA- 468 REQ. HA sends the Reply to the FA/MN. 470 4. FA sends the Reply to the MN. 472 5. If the error code is set to REDIRECT-HA-REQ, MN obtains the HA 473 address from Redirected HA Extension. The MN then sends a 474 Registration Request to Redirected HA, unless it has already 475 received a redirection response from this HA while processing this 476 Registration Request. The MN may choose to add Requested HA 477 extension in this new Registration Request. 479 4.2.1 Example with Message Flow Diagram 481 Figure 3 shows one specific example of a Mobile Node using FA-located 482 Care of Address, where the FA is not a legacy FA. 484 MN FA Requested HA Redirected HA 485 | 1 | | | 486 |------------>| 2 | | 487 | |--------------->| | 488 | | | | 489 | | | | 490 | | 3 | | 491 | 4 |<---------------| | 492 |<------------| | | 493 | | | | 494 | | 5 | | 495 |--------------------------------------------->| 496 | | | | 498 Figure 3: Example message flow for HA redirection 500 1. The MN sets the Home Agent address field in the Registration 501 Request to ALL-ZERO-ONE-ADDR. Since the MN is using FA CoA in this 502 example, it sends the Registration Request to the FA. The 503 Registration Request is formatted as follows: 505 +-----------------------------------------------------------+ 506 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 507 | MN | FA | | ALL-ZERO-ONE-ADDR |FA CoA | 508 +-----------------------------------------------------------+ 510 If the MN is aware of an HA address, it can add that address in the 511 Requested HA Extension in Registration Request as a hint. That 512 extension is not shown above. 514 2. The FA sends the Registration Request to the Requested HA. If 515 Requested HA Extension is present, Requested HA is the HA address in 516 this extension. If the Requested HA Extension is not present, the FA 517 determines the Requested HA through means outside the scope of this 518 specification. The Registration Request is formatted as follows: 520 +-----------------------------------------------------------+ 521 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 522 | FA |Requested HA| | ALL-ZERO-ONE-ADDR |FA CoA | 523 +-----------------------------------------------------------+ 525 3. The HA processes the Registration Request in accordance with 526 Mobile IPv4 [1] and the messaging defined in this specification. If 527 the registration is successful, but local configuration/ 528 administrative policy etc. directs HA to refer the MN to another HA, 529 the HA rejects the Request with error code REDIRECT-HA-REQ. The HA 530 fills in the address of the Redirected HA in the Redirected HA 531 Extension. The HA then sends Registration Reply reject to the FA, 532 which is formatted as follows: 534 +-----------------------------------------------------------+ 535 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 536 | | Src IP of | | HA |FA CoA | 537 | HA | the RRQ | | | | 538 +-----------------------------------------------------------+ 539 | Redirected HA Extension ... | 540 +-----------------------------------------------------------+ 542 4. The FA relays the Registration Reply to the MN, as follows. 544 +-----------------------------------------------------------+ 545 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 546 | FA | MN | | HA |FA CoA/| 547 +-----------------------------------------------------------+ 548 | Redirected HA Extension ... | 549 +-----------------------------------------------------------+ 551 5. If the MN can authenticate the Reply, the MN extracts the HA 552 address from the Redirected HA Extension. The MN then sends a 553 Registration Request to the Redirected HA, unless it has already 554 received a redirection response from that HA while processing the 555 Registration Request. The MN may choose to add Requested HA 556 extension in this new Registration Request. 558 5. Mobility Agent Considerations 560 The following sections describe the behavior of each mobility agent 561 in detail. 563 5.1 Mobile Node Considerations 565 The mobile node MUST use the NAI extension for home address 566 assignment when using the messaging mechanism in this document. 567 Since MN uses the NAI extension, the Home Address field is set to 568 0.0.0.0. 570 While dynamic HA assignment is in progress and the MN has not 571 successfully anchored at a Home Agent, the MN MUST set the Home Agent 572 field in the Registration Request to an ALL-ZERO-ONE-ADDR, which is 573 either 255.255.255.255 or 0.0.0.0. 575 The Registration Request MUST be protected by a valid authenticator 576 as specified in Mobile IPv4 [1] or Mobile IPv4 Challenge/Response 577 Extensions [5]. Configuring security associations is deployment 578 specific and hence outside the scope of this specification. The 579 security associations between a MN and an individual HA may also be 580 dynamically derived during the dynamic HA assignment, based on a 581 shared secret between MN and AAA infrastructure [7]. 583 The mobile node MUST maintain the remaining Mobile IP session with 584 the Assigned HA. 586 As mentioned in the Security Considerations (Section 9), there is a 587 possibility of more than one HA create a mobility binding entry for 588 a given MN, if a rogue node in the middle captures the Registration 589 Request and forwards it to other Home Agents. MN can mitigate such 590 condition by using a short lifetime (e.g. 5 seconds) in the 591 Registration Request with Home Agent field set to ALL-ZERO-ONE-ADDR. 593 The following sections describe MN behavior in FA CoA mode and co- 594 located CoA mode. 596 5.1.1 MN using FA CoA 598 When a mobile node initiates a Mobile IP session requesting dynamic 599 HA assignment, it MUST set the home agent address field in the 600 Registration Request to ALL-ZERO-ONE-ADDR. The destination IP 601 address of the Registration Request is the FA. The FA will determine 602 the Requested HA and forward the Registration Request to the 603 Requested HA. Registration Request processing takes place on the 604 Requested HA as per the specification in this draft. 606 The Registration Request MUST be appropriately authenticated for the 607 HA to validate the Request. 609 If a successful Registration Reply is received, the MN obtains the 610 Assigned HA from the HA field of Reply. The Assigned HA address will 611 be the same as the Requested HA Extension, if it was included in the 612 Registration Request by the MN. 614 If a Registration Reply is received with code REDIRECT-HA-REQ, the MN 615 MUST authenticate the Reply based on HA address in HA field of Reply 616 and attempt Registration with the HA address specified in the 617 Redirected HA Extension. The MN MUST put the Redirected HA address 618 as the Requested HA Extension of the new Registration Request. 620 In some cases, for the first Registration Request the MN may want to 621 hint to the network to be anchored at a specific HA. The MN SHOULD 622 put that address in the HA address of the Requested HA Extension. 624 5.1.2 MN using Co-located CoA 626 An MN in co-located CoA mode requesting dynamic HA assignment MUST 627 set the home agent address field in the Registration Request to ALL- 628 ZERO-ONE-ADDR. The destination IP address of the Registration 629 Request is the Requested HA. Some ideas on how to select a Requested 630 HA are briefly covered in section 6. 632 If a successful Reply is received, the MN obtains the Assigned HA 633 address from the successful Registration Reply. The Assigned HA will 634 be the same as Requested HA to which the Registration Request was 635 sent. The MN MUST cache the Assigned HA address for the length of 636 the Mobile IP session. The mobile node then MUST use this previously 637 cached Assigned HA address as the home agent address in subsequent 638 re-registration and de-registration request(s). This will make sure 639 that for the duration of the Mobile IP session, the mobile node will 640 always be anchored to the assigned home agent with which it was 641 initially registered. 643 If a Registration Reply is received with code REDIRECT-HA-REQ, the MN 644 MUST authenticate the Reply based on HA address in HA field of Reply 645 and attempt Registration with the HA address specified in the 646 Redirected HA Extension. The MN MUST put the Redirected HA in the 647 Requested HA Extension of the new Registration Request. 649 In some cases, for the first Registration Request MN may want to hint 650 to the network to be anchored at a specific HA and the MN SHOULD put 651 that address in the HA address of the Requested HA Extension. 653 While requesting dynamic HA assignment and registering directly with 654 an HA, the Requested HA Extension MUST be included and MUST contain 655 the address of the HA to which the Registration Request is sent. 656 When using co-located CoA but registering via a legacy FA, the HA 657 field in Reqistration Request may be set to Requested HA. 659 If the Registration Request contains the Requested HA Extension, the 660 HA address in that extension MUST match the destination IP of the 661 Request. 663 5.1.3 Refreshing Assigned HA Address on Mobile Node 665 When the Mobile IP session terminates, the mobile node MAY clear the 666 Assigned HA address cached as the home agent address. It MAY request 667 a new HA address for the new Mobile IP session by not including the 668 Requested HA Extension. The advantage of this approach is that the 669 mobile node will be always anchored to an optimal home agent from 670 where it initiated the Mobile IP session. 672 Alternately, the MN may save the Assigned HA address and use it in 673 the Requested HA Extension along with ALL-ZERO-ONE-ADDR HA address in 674 Registration Request for a new Mobile IP session. 676 5.2 Foreign Agent Considerations 678 When the mobile node is using a FA CoA it always registers via the 679 FA. When the MN is using a co-located CoA it may register through a 680 FA or it may register directly with an HA, unless the R bit is set in 681 the FA's agent advertisement, in which case it always registers 682 through the FA. 684 When the FA receives a Registration Request with HA address field set 685 to ALL-ZERO-ONE-ADDR that doesn't contain the Requested HA Extension, 686 the FA obtains the Requested HA address to forward the Registration 687 Request using means outside the scope of this specification. Some 688 ideas on how to select a Requested HA are briefly covered in section 689 6. 691 If the FA cannot obtain the Requested HA to which to forward a 692 Registration Request from MN, it MUST reject request with error code 693 NONZERO-HA-REQD. 695 If the MN has included the Requested HA Extension, the FA MUST 696 forward Registration Request to the address in this extension. If 697 the HA address in this extension is not a routable unicast address, 698 the FA MUST reject request with error code NONZERO-HA-REQD. 700 If the Registration Request contains the Requested HA Extension, the 701 FA uses that address as the destination for the relayed Registration 702 Request. 704 Backward compatibility issues related to the mobility agents are 705 addressed in section 10. 707 5.3 Home Agent Considerations 709 A Home Agent can process an incoming Registration Request in one of 710 the following two ways: 712 1. The MN or FA sends the Registration Request to the Requested HA. 713 The term Requested HA has meaning in the context of a Registration 714 Request message. When the Requested HA successfully processes the 715 Registration Request and creates a binding and sends a Reply with its 716 address, it becomes the Assigned HA. The term Assigned HA is 717 meaningful in the context of a Registration Reply message. 719 2. A Home Agent receiving a Registration Request with HA field set 720 to ALL-ZERO-ONE-ADDR MAY reject the request even if successfully 721 authenticated and suggest an alternate HA address in Reply. In such 722 a case, the HA puts its own address in HA field of Reply and sets the 723 Reply code to REDIRECT-HA-REQ and adds the Redirected HA Extension. 725 If the Registration Request contains the Requested HA Extension, the 726 HA address in that extension must match the destination IP of the 727 Request. If it does not match, the Requested HA MUST reject the 728 Registration Request with error code 136. 730 5.3.1 Assigned Home Agent Considerations 732 The HA that processes the incoming Registration Request fully in 733 accordance with Mobile IPv4 [1] and this specification becomes the 734 Assigned HA. The Registration Request terminates at the Assigned HA. 736 The Assigned HA creates one mobility binding per MN and sends 737 Registration Reply to the MN by copying its address in the home agent 738 field and as the source IP address of the Reply. 740 The following table summarizes the behavior of the Assigned HA, based 741 on the value of the destination IP address and Home Agent field of 742 the Registration Request. 744 Dest IP Addr HA field Processing at Assigned HA 745 ------------ ------------ ---------------------------------- 747 Unicast non-unicast Mobile IPv4 [1]: There is no change 748 in handling for this case from 749 (Must be Mobile IPv4. It is mentioned here 750 equal to the for reference only. 751 HA receiving HA denies the registration with 752 the RRQ) error code 136 and sets HA field to 753 its own IP address in the reply as 754 per section 3.8.3.2 in [1]. 756 ALL-ZERO- New Behavior: Accept the RRQ as per 757 ONE-ADDR this specification. Authenticate 758 the RRQ and create mobility binding 759 if the HA is acting as Assigned HA. 760 Set HA field to its own IP address 761 in the Registration Reply. 763 OR 765 New Behavior: If authentication is 766 successful, reject RRQ with a new 767 error code REDIRECT-HA-REQ. HA 768 puts its address in HA address 769 field of Reject. HA suggests an 770 alternate HA to use in the new 771 Redirected HA Extension. 773 Table 1: Registration Request handling at Assigned HA 775 As per the messaging proposed here, the mobile node (or the foreign 776 agent) sends the Registration Request to the Requested HA address, 777 which is a unicast address. Therefore, this document does not 778 specify any new behavior for the case where the HA receives a subnet 779 directed broadcast Registration Request as specified in section 780 3.8.2.1 of the Mobile IPv4 specification [1]. Although the Home 781 Agent field in the Registration Request is not a unicast address, the 782 destination IP address is a unicast address. This avoids the 783 problem associated with subnet-directed broadcast destination IP 784 address that may result in multiple HAs responding. Thus, there is 785 no need to deny the registration as stated in Mobile IPv4 [1] section 786 3.8.3.2. 788 When the destination IP address is a unicast address and the Home 789 Agent field is ALL-ZERO-ONE-ADDR, the HA accepts/denies registration 790 and sets the HA field to its own IP address in the reply (i.e. the 791 registration is not rejected with error code 136). 793 The HA can reject the request with the error code REDIRECT-HA-REQ and 794 suggest an alternate HA. This redirection can be used for load 795 balancing, geographical proximity based on care-of-address or other 796 reasons. The HA puts its own address in HA field of the Registration 797 Reply message and puts the address of the redirected HA in the 798 Redirected HA Extension. If the HA accepts the Request, it sets the 799 HA field in the Registration Reply to its own address. 801 The Requested HA always performs standard validity checks on the 802 Registration Request. If there is any error, the Registration 803 Request is rejected with error codes specified in Mobile IPv4 [1]. 805 6. Requested Home Agent Selection 807 When dynamic HA assignment is requested, the MN (or FA in the case of 808 registration via FA) sends the Registration Request to the Requested 809 HA. This address MUST be a unicast IP address. If the MN has 810 included a Requested HA Extension in Registration Request, the HA 811 address in this extension is the Requested HA. 813 Some example methods by which the MN or the FA may select the 814 Requested HA are briefly described below: 816 DHCP: 818 MN performs DHCP to obtain an IP address on the visited network. The 819 Requested HA is learned from the DHCP Mobile IP Home Agent Option 68 820 [4]. MN sends Registration Request directly to this HA and receives 821 the Assigned HA to be used for the remainder of the Mobile IP 822 session. 824 AAA: 826 MN performs challenge/response [5] with the FA. The FA retrieves the 827 Requested HA from the AAA server and forwards the Registration 828 Request directly to this HA. The Assigned HA sends a Registration 829 Reply to the FA, which relays it to the MN. MN uses the Assigned HA 830 for the remainder of the Mobile IP session. 832 DNS: 834 In this case the hostname of the HA is configured on the MN or 835 obtained by some other means; e.g., using a service location 836 protocol. MN performs DNS lookup on the HA hostname. The DNS 837 infrastructure provides a resource record with information to 838 identify the optimal HA to the MN. The MN sends a Registration 839 Request directly to the HA and receives the Assigned HA to be used 840 for remainder of the Mobile IP session. 842 Static configuration: 844 The HA address is statically configured on the MN. The MN sends the 845 Registration Request to the configured address. The Requested HA may 846 then redirect the MN to a Redirected HA. 848 7. Error Values 850 Each entry in the following table contains the name and value for the 851 error code to be returned in a Registration Reply. It also includes 852 the section in which the error code is first mentioned in this 853 document. 855 Error Name Value Section Description 856 --------------- ----- ------- ----------------------------- 857 NONZERO-HA-REQD XX 5.2 Non-zero HA address required 858 in Registration Request. 859 REDIRECT-HA-REQ YY 5.3 Reregister with redirected HA. 861 8. IANA Considerations 862 The code value NONZERO-HA-REQD is a Mobile IP response code [1] taken 863 from the range of values associated with rejection by the foreign 864 agent (i.e. value in the range 64-127). 866 The code value REDIRECT-HA-REQ is a Mobile IP response code [1] taken 867 from the range of values associated with rejection by the home agent 868 (i.e. value in the range 128-192). 870 The Dynamic HA Extension is assigned from the range of values 871 associated with skippable extensions at the home agent (i.e. value in 872 the range 128-255). 874 IANA should record the values as defined in Section 7 and 3.4. 876 9. Security Considerations 878 This specification assumes that a security configuration has been 879 preconfigured between the MN and the HA or is configured along with 880 the initial Registration Request/Registration Reply as per [7]. 882 There is a possibility of more than one HA create a mobility 883 binding entry for a given MN, if a man in the middle captures the 884 Registration Request with HA field set to ALL-ZERO-ONE-ADDR and 885 forwards it to other HAs. This scenario assumes that the rogue node 886 can find out the addresses of the HAs which are able to authenticate 887 the Registration Request. It also assumes that the rogue node has 888 the capability to store, duplicate, and send packets to the other HAs 889 within the limited time of the replay window. Otherwise these HAs 890 will reject the Registration Requests anyway. In addition, this type 891 of attack is only possible when the Requested HA Extension is not 892 included in the registration message. The Mobile Node can minimize 893 the duration of this condition by using a short lifetime (e.g. 5 894 seconds) in the Registration Request. 896 This specification does not change the security model established in 897 Mobile IPv4 [1]. Mobile Nodes are often connected to the network via 898 wireless links, which may be more prone to passive eavesdropping or 899 replay attacks. Such an attack might lead to bogus registrations or 900 redirection of traffic or denial of service. 902 As per the messaging in this draft, the Assigned Home Agent will 903 process the incoming Registration Request as per Mobile IPv4 [1]. 904 Hence the Assigned Home Agent will have same security concerns as 905 that of the Home Agent in Mobile IPv4 [1]. They are addressed in 906 Section 5 "Security Considerations" of Mobile IPv4 [1]. 908 The Registration Request and Registration Reply messages are 909 protected by a valid authenticator as specified in Mobile IPv4 [1]. 910 Configuring security associations is a deployment specific issue and 911 is covered by other Mobile IP specifications. There can be many ways 912 of configuring security associations, but this specification does not 913 require any specific way. 915 An example is where the security association between an MN and an 916 individual HA (Requested or Assigned) is dynamically derived during 917 the registration process based on a shared secret between MN and AAA 918 infrastructure, as defined in [7]. The Registration Request is 919 protected with MN-AAA authentication extension and Registration Reply 920 is protected with MN-HA Authentication Extension. Because the 921 security association is shared between MN and AAA, any dynamically 922 assigned HA in the local domain can proxy authenticate the MN using 923 AAA as per [7]. 925 The Assigned Home Agent authenticates each Registration Request from 926 the mobile node as specified in Mobile IPv4 [1] and/or RFC-3012. The 927 MN also authenticates the Registration Reply from the Assigned HA, 928 thus the existing trust model in Mobile IPv4 [1] is maintained. 930 10. Backward Compatibility Considerations 932 In this section, we examine concerns that may arise when using this 933 specification in a mixed environment where some nodes implement the 934 specification and others do not. In each of the examples below, we 935 consider the case where one node is a "Legacy" node which does not 936 implement the specification in the context of other nodes which do. 938 Legacy Home Agent: 940 Legacy home agents may reject the Registration Request with error 941 code 136 because the Home Agent field is not a unicast address. 942 However, some legacy HA implementations may coincidentally process 943 the Registration Request in accordance with this draft, when the HA 944 field in Registration Request is set to ALL-ZERO-ONE-ADDR. 946 Legacy Foreign Agent: 948 Legacy foreign agents may forward a Registration Request with home 949 agent field set to ALL-ZERO-ONE-ADDR by setting the destination IP 950 address to ALL-ZERO-ONE-ADDR. This will result packet being dropped 951 or incidentally handled by a next hop HA, adjacent to the FA. The MN 952 may not be aware of the dropped Registration Request and may probably 953 retry registration, thereby increasing the delay in registration. 955 To reduce the delay in registration, the MN should take following 956 steps: 958 1. The MN should send the Registration Request as specified in this 959 specification. In other words, the MN should set the home agent 960 field in the Registration Request to ALL-ZERO-ONE-ADDR and also add 961 the Requested HA Extension. 963 2. If the MN does not receive a Registration Reply within some time 964 and/or after sending a few Registration Requests, it can assume 965 that the Registration Request(s) has been dropped, either by a 966 legacy FA or an incorrect HA. In addition, if the registration is 967 denied with error code 70 (poorly formed Request), the MN can 968 assume that the legacy FA cannot process this message. In either 969 case, the MN should fall back to a recovery mechanism. The MN 970 should quickly send a new Registration Request as mentioned in 971 section 4.1 step 2. This step will ensure that a legacy FA will 972 forward the Registration Request to the Home Agent thereby making 973 dynamic HA assignment possible. 975 Legacy Mobile Node: 977 A MN that sends a registration request to an FA which can do dynamic 978 HA assignment, but does not set the HA field to ALL-ZERO-ONE-ADDR 979 will continue to be registered with its statically configured HA, 980 exactly according to RFC 3344. 982 11. Change Log from previous versions 984 Note: This section should be removed before publication. 986 Changes from revision 5 to 6: 988 1. Updated section 4.2.1 bullet 5. 989 2. Fixed nits found by idnit tool. 990 3. Added text in section 5.1 outlining how to avoid the 991 possibility of multiple bindings on HAs by requiring short 992 lifetime for first registration request. 993 4. Added text in section 9 outlining possibility of multiple 994 bindings on HAs. 995 5. Added text in section 12 Acknowledgements. 997 Changes from revision 4 to 5: 999 1. Legacy FA Considerations text was updated based on the WG 1000 discussions which addressed IESG review feedback. 1002 Changes from revision 3 to 4: 1004 1. Text added to clarify the cases when MN is configured with HA 1005 address and not configured with HA address and requests 1006 dynamic HA assignment. 1007 2. Clarification on legacy FA section as suggested by Thomas 1008 Narten. 1009 3. More editorial changes suggested by the chairs. 1011 Changes from revision 2 to 3: 1013 1. More editorial changes suggested by the chairs. 1015 Changes from revision 1 to 2: 1017 1. Editorial changes suggested by the WG, the chair's reviews and 1018 idnits. 1020 Changes from revision 0 to 1: 1022 1. Added subtype field in Redirected HA Address Extension. 1023 2. Aligned the HA address at 4-byte world boundary. 1024 3. The case of handling unicast HA field is removed in section 1025 5.3.1. 1027 12. Acknowledgements 1029 The authors would like to thank Pete McCann for thorough review, 1030 suggestions on security considerations and definition of ALL-ZERO- 1031 ONE-ADDR. Thanks to Kuntal Chowdhury for extensive review and 1032 comments on this draft. Also thanks to Henrik Levkowetz for detailed 1033 reviews and suggestions. Thomas Narten highlighted issues for legacy 1034 FA considerations. Thanks to Ahmad Muhanna for pointing out scenario 1035 of multiple bindings on HAs, documented in the Security 1036 Considerations section. 1038 The authors would like to thank Mike Andrews, Madhavi Chandra and 1039 Yoshi Tsuda for their review and suggestions. 1041 13. Normative References 1043 [1] C. Perkins, "IP Mobility Support for IPv4", RFC 3344, August 1044 2002. 1045 [2] P. Calhoun and C. Perkins, "Mobile IP Network Access Identifier 1046 Extension for IPv4", RFC 2794, March 2000. 1047 [3] D. Senie, "Changing the Default for Directed Broadcasts in 1048 Routers", RFC 2644, August 1999. 1049 [4] S. Alexander and R. Droms, "DHCP Options and BOOTP Vendor 1050 Extensions", RFC 2132, March 1997. 1051 [5] C. Perkins and P. Calhoun, "Mobile IPv4 Challenge/Response 1052 Extensions", RFC 3012, November 2000. 1053 [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement 1054 Levels", BCP 14, RFC 2119, March 1997. 1055 [7] C. Perkins and P. Calhoun, "AAA Registration Keys for Mobile 1056 IP", draft-ietf-mip4-aaa-key-06.txt, June 2004. 1058 Authors' Addresses 1059 Milind Kulkarni 1060 Cisco Systems Inc. 1061 170 W. Tasman Drive, 1062 San Jose, CA 95134 1063 USA 1065 Email: mkulkarn@cisco.com 1066 Phone:+1 408-527-8382 1068 Alpesh Patel 1069 Cisco Systems Inc. 1070 170 W. Tasman Drive, 1071 San Jose, CA 95134 1072 USA 1074 Email: alpesh@cisco.com 1075 Phone:+1 408-853-9580 1077 Kent Leung 1078 Cisco Systems Inc. 1079 170 W. Tasman Drive, 1080 San Jose, CA 95134 1081 USA 1083 Email: kleung@cisco.com 1084 Phone: +1 408-526-5030 1086 Intellectual Property Statement 1088 The IETF takes no position regarding the validity or scope of any 1089 Intellectual Property Rights or other rights that might be claimed to 1090 pertain to the implementation or use of the technology described in 1091 this document or the extent to which any license under such rights 1092 might or might not be available; nor does it represent that it has 1093 made any independent effort to identify any such rights. 1094 Information on the procedures with respect to rights in RFC documents 1095 can be found in BCP 78 and BCP 79. 1097 Copies of IPR disclosures made to the IETF Secretariat and any 1098 assurances of licenses to be made available, or the result of an 1099 attempt made to obtain a general license or permission for the use 1100 of such proprietary rights by implementers or users of this 1101 specification can be obtained from the IETF on-line IPR repository 1102 at http://www.ietf.org/ipr. 1104 The IETF invites any interested party to bring to its attention 1105 any copyrights, patents or patent applications, or other 1106 proprietary rights that may cover technology that may be required to 1107 implement this standard. Please address the information to the IETF 1108 at ietf-ipr@ietf.org. 1110 Disclaimer of Validity 1112 This document and the information contained herein are provided on an 1113 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1114 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 1115 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 1116 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 1117 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1118 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1120 Copyright Statement 1122 Copyright (C) The Internet Society (2005). This document is subject 1123 to the rights, licenses and restrictions contained in BCP 78, and 1124 except as set forth therein, the authors retain all their rights. 1126 Acknowledgement 1128 Funding for the RFC Editor function is currently provided by the 1129 Internet Society.