idnits 2.17.1 draft-ietf-mip4-dynamic-assignment-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 15. -- Found old boilerplate from RFC 3978, Section 5.5 on line 1129. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1106. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1113. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1119. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3344 (ref. '1') (Obsoleted by RFC 5944) ** Obsolete normative reference: RFC 3012 (ref. '5') (Obsoleted by RFC 4721) Summary: 6 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Mobile IP Working Group Milind Kulkarni 3 INTERNET-DRAFT Alpesh Patel 4 Category: Standards Track Kent Leung 5 Date : 12 December 2005 Cisco Systems Inc. 7 Mobile IPv4 Dynamic Home Agent Assignment 8 draft-ietf-mip4-dynamic-assignment-07.txt 10 Status of this Memo 12 By submitting this Internet-Draft, each author represents that any 13 applicable patent or other IPR claims of which he or she is aware 14 have been or will be disclosed, and any of which he or she becomes 15 aware will be disclosed, in accordance with Section 6 of BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on June 12, 2006. 35 Copyright Notice 37 Copyright (C) The Internet Society (2005). 39 Abstract 41 Mobile IPv4 [1] uses the Home Agent (HA) to anchor sessions of a 42 roaming Mobile Node (MN). This draft proposes a messaging mechanism 43 for dynamic home agent assignment and HA redirection. The goal is to 44 provide a mechanism to assign an optimal HA for a Mobile IP session 45 while allowing any suitable method for HA selection. 47 Table of Contents 49 1. Introduction................................................3 50 2. Requirements Terminology....................................3 51 3. Problem Statement...........................................4 52 3.1 Scope.......................................................5 53 3.2 Dynamic Home Agent Discovery in Mobile IPv4.................5 54 3.3 NAI usage and dynamic HA assignment.........................6 55 3.4 Dynamic HA Extension........................................6 56 3.4.1 Requested HA Extension....................................6 57 3.4.2 Redirected HA Extension...................................7 58 4. Messaging mechanism for dynamic HA assignment/redirection...7 59 4.1 Messaging for dynamic HA assignment.........................7 60 4.1.1 Example with Message Flow Diagram.........................8 61 4.2 Messaging for HA redirection...............................10 62 4.2.1 Example with Message Flow Diagram........................11 63 5. Mobility Agent Considerations..............................12 64 5.1 Mobile Node Considerations.................................12 65 5.1.1 MN using FA CoA..........................................13 66 5.1.2 MN using Co-located CoA..................................14 67 5.1.3 Refreshing Assigned HA Address on Mobile Node............14 68 5.2 Foreign Agent Considerations...............................15 69 5.3 Home Agent Considerations..................................15 70 5.3.1 Assigned Home Agent Considerations.......................16 71 6. Requested Home Agent Selection.............................17 72 7. Error Values...............................................18 73 8. IANA Considerations........................................18 74 9. Security Considerations....................................19 75 10. Backward Compatibility Considerations.....................20 76 11. Change Log from previous versions.........................21 77 12. Acknowledgements..........................................22 78 13. Normative References......................................22 79 Authors' Addresses.............................................23 80 Intellectual Property Statement................................23 82 1. Introduction 84 This document adds to the Mobile IP protocol [1], by proposing a 85 messaging mechanism for dynamic home agent assignment and home agent 86 redirection during initial registration. The goal is to assign an 87 optimal HA for a Mobile IP session. The mobile node MUST use the 88 Network Access Identifier (NAI) extension [2] when requesting a 89 dynamically assigned HA. 91 The MN requests a dynamically assigned HA by setting the HA field in 92 the initial Registration Request to ALL-ZERO-ONE-ADDR (defined in 93 section 2). If the request is accepted, the HA sends a successful 94 Registration Reply containing the HA's own address. The requested HA 95 can suggest an alternate HA and if so, the Registration Reply is 96 rejected with a new error code REDIRECT-HA-REQ and the alternate HA 97 address is specified in a new extension (Redirected HA Extension). 99 This document also defines a new Requested HA Extension for use in 100 Registration Requests when the HA field is set to ALL-ZERO-ONE- 101 ADDRESS. The Requested HA address is a hint to the network about the 102 MN's preferred HA. 104 The messaging mechanism is defined in this document so that the 105 MN can request and receive a dynamic HA address in Mobile IP 106 messages. However, the mechanism by which the network selects 107 an HA for assignment to the MN is outside the scope of this 108 document. For example, the selection may be made by any 109 network node that receives the registration request (or 110 information about the registration request), such as a Foreign 111 Agent, AAA server, or Home Agent. The node that selects the 112 HA may select one based on a number of criteria, including but 113 not limited to HA load-balancing, geographical proximity, 114 administrative policy etc. 116 2. Requirements Terminology 118 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 119 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 120 document are to be interpreted as described in RFC 2119 [6]. 122 The Mobile IP related terminology described in RFC 3344 [1] is used 123 in this document. In addition, the following terms are used: 125 ALL-ZERO-ONE-ADDR: IP address 0.0.0.0 or 255.255.255.255. An 126 address of 255.255.255.255 indicates a preference 127 for an HA in the home domain. An address of 128 0.0.0.0 indicates no preference for home vs. 129 visited domain. 131 Requested HA: Destination IP address of Home Agent that the 132 Registration Request is sent to. Must be a 133 unicast IP address. This address can be 134 obtained as described in section 6. 136 Note that this specification defines a new 137 "Requested HA Extension" in section 3.4, which 138 is different from the term "Requested HA". 140 Assigned HA: The HA that accepts an MN's Registration Request 141 and returns a successful Registration Reply. 143 Redirected HA: If the registration is rejected with error code 144 REDIRECT-HA-REQ, the HA being referred to is 145 specified in a new extension (Redirected HA 146 Extension). 148 AAA server: Authentication, Authorization and Accounting 149 Server. 151 DNS: Domain Name System. 153 DHCP: Dynamic Host Configuration Protocol. 155 MN: Mobile Node as defined in Mobile IPv4 [1]. 157 HA: Home Agent as defined in Mobile IPv4 [1]. 159 FA: Foreign Agent as defined in Mobile IPv4 [1]. 161 CoA: Care of Address. 163 CCoA: Co-located Care of Address. 165 MN HoA: Mobile Node's Home Address. 167 NAI: Network Access Identifier [2]. 169 Src IP: Source IP address of the packet. 171 Dest IP: Destination IP address of the packet. 173 RRQ: Registration Request. 175 3. Problem Statement 177 The Mobile IPv4 NAI Extension for IPv4 [2] introduced the concept of 178 identifying a MN by the NAI and enabling dynamic home address 179 assignment. When the home address is dynamically assigned, it is 180 desirable to discover the Home Agent dynamically or inform the MN 181 about an optimal HA to use for a multitude of reasons, such as: 183 - If the distance between the visited network and the home network of 184 the mobile node is large, the signaling delay for these registrations 185 may be long. In such a case the MN will be anchored to its distant 186 home agent, resulting in tunneled traffic traveling a long distance 187 between home agent and the mobile node. When a Mobile IP session 188 initiates, if the mobile node can be assigned a home agent that is 189 close to the mobile node it can drastically reduce the latency 190 between the home agent and mobile node. 192 - In a large scale Mobile IP deployment, it is cumbersome to 193 provision MNs with multiple HA addresses. 195 - It is desirable to achieve some form of load balancing between 196 multiple HAs in the network. Dynamic HA assignment and/or HA 197 redirection lets the network select the optimal HA from among a set 198 of HAs and thus achieve load balancing among a group of HAs. 200 - Local administrative policies. 202 3.1 Scope 204 This specification does not address the problem of distributing a 205 security association between the MN and HA, and it can either be 206 statically preconfigured or dynamically distributed using other 207 mechanisms [7]. 209 The draft introduces the terms Requested/Assigned/Redirected HA 210 (section 6). The discovery of candidate HA addresses for insertion 211 into the Redirected HA Extension can be accomplished through various 212 means which are network and/or deployment specific and hence are 213 outside the scope of this specification. 215 The MN MAY request dynamic HA assignment when it is not aware of any 216 HA address and even when it is aware of at least one HA address. 218 3.2 Dynamic Home Agent Discovery in Mobile IPv4 220 Mobile IPv4 [1] specifies the mechanism for discovering the mobile 221 node's home agent using subnet-directed broadcast IP address in the 222 home agent field of the Registration Request. This mechanism was 223 designed for mobile nodes with a static home address and subnet 224 prefix, anchored on fixed home network. However, using subnet 225 directed broadcast as the destination IP address of the Registration 226 Request, it is unlikely that the Registration Request will reach the 227 home subnet because routers will drop these packets by default. See 228 CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks [3]. 230 3.3 NAI usage and dynamic HA assignment 232 The Mobile IPv4 NAI Extension for IPv4 [2] introduced the 233 concept of identifying a MN by the NAI and enabling dynamic 234 home address assignment. This document requires that while 235 using dynamic HA assignment, MN MUST use the NAI and obtain a home 236 address. MN can still suggest a static home address in the 237 Registration Request, but must take the address in the Registration 238 Reply as the home address for the session. This is compatible with 239 the procedures documented in the NAI specification [2]. 241 3.4 Dynamic HA Extension 243 The Dynamic HA Extension, shown in figure 1, contains the address of 244 the HA. This is a generic extension and can be used in Registration 245 Request and Reply messages. It is a skippable extension. 247 0 1 2 3 248 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 250 | Type | Sub-Type | Length | 251 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 252 | HA-Address | 253 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 255 Figure 1: The Dynamic HA address Extension 257 Type DYNAMIC-HA-ADDRESS (skippable) (to be assigned by 258 IANA) is the type, which specifies the dynamic HA 259 address. 261 Sub-Type Defines the use of this extension as: 262 sub-type 1 = Requested HA Extension 263 2 = Redirected HA Extension 265 Length Indicates the length of the extension not 266 including the type, sub-type and length fields. 267 Length is always 4 bytes. 269 HA-Address Address of the Home Agent. 271 3.4.1 Requested HA Extension 273 The Requested HA Extension is a Dynamic HA Extension of subtype 1. 275 The MN may include the Requested HA Extension in the registration 276 request as a hint to the network where it wishes to be anchored. 278 This extension contains the address of the HA. A valid unicast IP 279 address MUST be used as HA address in this extension. 281 In absence of an FA, the Registration Request is forwarded to this 282 HA. In presence of an FA, the FA MUST forward Registration Request 283 to the HA address in this extension. 285 3.4.2 Redirected HA Extension 287 The Redirected HA Extension is a Dynamic HA Extension of subtype 2. 289 The Redirected HA Extension contains the address of the HA where the 290 MN should attempt the next registration. The HA receiving a 291 Registration Request can suggest an alternate HA and, if so, the 292 Registration Reply is sent with a new error code REDIRECT-HA-REQ and 293 the alternate HA address is specified in this extension. 295 The Redirected HA Extension MUST be included in Registration Reply 296 when the reply code is REDIRECT-HA-REQ. 298 4. Messaging mechanism for dynamic HA assignment/redirection 300 This specification presents two alternatives for home agent 301 assignment. The two alternatives are: 302 (a) Dynamic HA assignment (described in section 4.1) and 303 (b) HA redirection (described in section 4.2). 305 4.1 Messaging for dynamic HA assignment 307 The following sequence of events occurs when the MN requests dynamic 308 Home Agent assignment: 310 1. The MN sets the Home Agent address field in the Registration 311 Request to ALL-ZERO-ONE-ADDR. If the MN is aware of a desired HA 312 address, it can add that address in the Requested HA Extension in 313 the Registration Request. If the HA does not support the 314 Requested HA Extension, see step 2 below. 316 2. This step is applicable, in lieu of step 1, for a MN that is 317 aware of the HA address and desires dynamic HA assignment. Also, 318 the MN follows this (when aware of a HA address) when it 319 discovers a legacy FA in the path or if the known HA does not 320 support the Requested HA Extension (see section 10). 322 The MN sets the Home Agent address field in the Registration 323 Request to the HA address (instead of setting it to ALL-ZERO-ONE- 324 ADDR). The MN also adds the same HA address in the Requested HA 325 Extension in the Registration Request. 327 3. The MN (if using co-located CoA and registering directly with the 328 HA) or the FA (if the MN is registering via the FA) sends the 329 Registration Request to the "Requested HA". If the Requested HA 330 Extension is present, Requested HA is specified in the "HA 331 Address" of this extension. 332 Per section 10, in case of a legacy FA, legacy FA forwards the 333 Registration Request to the address in the HA field of the 334 Request (thus, MN uses step 2 above in case of legacy FA instead 335 of step 1). 337 4. The "Requested HA" is the home agent that processes the 338 Registration Request in accordance with Mobile IPv4 [1] and as 339 per the specification in this document. It creates mobility 340 binding for successful Registration Request. It also sends a 341 Registration Reply to the MN. 343 5. The MN obtains an "Assigned HA" address from the HA field in the 344 successful Registration Reply and uses it for the remainder of 345 the session. (Note that the "Assigned HA" will be same as the 346 "Requested HA"). 348 6. Subsequent Registration Request messages for renewal are sent to 349 the Assigned HA. 351 Section 5.3.1 describes the Assigned HA in detail. Some ideas on how 352 to select the Requested HA are briefly covered in section 6. 354 4.1.1 Example with Message Flow Diagram 356 Detailed explanation of this alternative is best described with the 357 help of a message flow diagram and description. 359 Figure 2 shows one specific example of a Mobile Node using an FA- 360 located Care of Address (FA CoA) and FA understands the Requested HA 361 Extension per this specification. 363 Other scenarios such as when the mobile node uses a co-located care 364 of address and presence of a legacy HA or FA are not described below, 365 but the behavior is similar. 367 MN FA Requested/Assigned HA 368 | 1 | | 369 |------------>| 2 | 370 | |--------------->| 371 | | | 372 | | | 373 | | 3 | 374 | 4 |<---------------| 375 |<------------| | 376 | | | 377 | | 5 | 378 |----------------------------->| 379 | | | 381 Figure 2: Example message flow for dynamic HA assignment 383 1. The MN sets the Home Agent address field in the Registration 384 Request to ALL-ZERO-ONE-ADDR. Since the MN is using FA CoA in this 385 example, it sends the Registration Request to the FA. The 386 Registration Request is formatted as follows: 388 +-----------------------------------------------------------+ 389 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 390 | MN | FA | | ALL-ZERO-ONE-ADDR |FA CoA | 391 +-----------------------------------------------------------+ 393 If the MN is aware of a desired HA address, it can add that address 394 in the Requested HA Extension in Registration Request as a hint. 395 That extension is not shown above. 397 2. The FA sends the Registration Request to the Requested HA. If 398 Requested HA Extension is present, Requested HA is the HA address in 399 this extension. If the Requested HA Extension is not present, the FA 400 determines the Requested HA through means outside the scope of this 401 specification. The Registration Request is formatted as follows: 403 +-----------------------------------------------------------+ 404 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 405 | FA |Requested HA| | ALL-ZERO-ONE-ADDR |FA CoA | 406 +-----------------------------------------------------------+ 408 (If MN includes the Requested HA Extension, the FA copies that 409 extension. The FA then forwards the Registration Request, along with 410 the Requested HA Extension, to the HA address specified in Requested 411 HA Extension.) 413 3. The HA processes the Registration Request in accordance with 414 Mobile IPv4 [1] and the messaging defined in this document. The HA 415 creates mobility binding for successful request and becomes the 416 Assigned HA. The HA then sends Registration Reply to the FA, which 417 is formatted as follows: 419 +-----------------------------------------------------------+ 420 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 421 |Assigned| Src IP of | | Assigned HA |FA CoA/| 422 | HA | the RRQ | | | | 423 +-----------------------------------------------------------+ 425 4. The FA relays the Registration Reply to the MN, as follows. 427 +-----------------------------------------------------------+ 428 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 429 | FA | MN | | Assigned HA |FA CoA/| 430 +-----------------------------------------------------------+ 432 5. The MN obtains the Assigned HA address from the HA field in the 433 successful Registration Reply and uses it for the remainder of the 434 session. The MN sends subsequent Re-Registration or De-Registration 435 Requests for the remainder session directly to the Assigned HA. The 436 Home Agent address field in this Registration Request is set to 437 ALL-ZERO-ONE-ADDR. Note that the Assigned HA is the same as the 438 Requested HA. 440 4.2 Messaging for HA redirection 442 This section describes the events that occur when the Requested HA 443 does not accept the Registration Request and redirects the mobile 444 node to another HA (aka Redirected HA) instead. This behavior is not 445 exhibited by a legacy HA and so is not referred in the description 446 below. In presence of a legacy FA, please refer to section 4.1 for 447 the specific field in the Registration Request. 449 1. The MN sets the Home Agent address field in the Registration 450 Request to ALL-ZERO-ONE-ADDR. 452 2. The MN (if using co-located CoA and registering directly with the 453 HA) or FA (if the MN is registering via the FA) sends the 454 Registration Request to the "Requested HA". If the MN is aware of 455 an HA address, it can add that address in the Requested HA 456 Extension in Registration Request. 458 3. When the HA receives the Registration Request, if the HA field is 459 set to ALL-ZERO-ONE-ADDR, the HA may reject the request with Reply 460 code REDIRECT-HA-REQ and suggest an alternate HA. 462 The HA may reject the Request for a number of reasons, which are 463 outside the scope of this specification. If the HA rejects the 464 Request, the HA field in the Reply is set to this HAs address. 465 The IP address of the HA that is the target of the redirection is 466 specified in Redirected HA Extension. The presence of this 467 extension is mandatory when the reply code is set to REDIRECT-HA- 468 REQ. HA sends the Reply to the FA/MN. 470 4. FA sends the Reply to the MN. 472 5. If the error code is set to REDIRECT-HA-REQ, MN obtains the HA 473 address from Redirected HA Extension. The MN then sends a 474 Registration Request to Redirected HA. The MN may choose to add 475 Requested HA extension in this new Registration Request. If a 476 registration loop occurs (the case when the Redirected HA is an HA 477 that had already directed the MN to register elsewhere) then the 478 MN stops sending any further Registration Request and provides an 479 indication that the loop event was detected. The number of 480 consecutive Redirected HAs remembered by MN for loop detection is 481 an implementation parameter. 483 4.2.1 Example with Message Flow Diagram 485 Figure 3 shows one specific example of a Mobile Node using FA-located 486 Care of Address, where the FA is not a legacy FA. 488 MN FA Requested HA Redirected HA 489 | 1 | | | 490 |------------>| 2 | | 491 | |--------------->| | 492 | | | | 493 | | | | 494 | | 3 | | 495 | 4 |<---------------| | 496 |<------------| | | 497 | | | | 498 | | 5 | | 499 |--------------------------------------------->| 500 | | | | 502 Figure 3: Example message flow for HA redirection 504 1. The MN sets the Home Agent address field in the Registration 505 Request to ALL-ZERO-ONE-ADDR. Since the MN is using FA CoA in this 506 example, it sends the Registration Request to the FA. The 507 Registration Request is formatted as follows: 509 +-----------------------------------------------------------+ 510 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 511 | MN | FA | | ALL-ZERO-ONE-ADDR |FA CoA | 512 +-----------------------------------------------------------+ 514 If the MN is aware of an HA address, it can add that address in the 515 Requested HA Extension in Registration Request as a hint. That 516 extension is not shown above. 518 2. The FA sends the Registration Request to the Requested HA. If 519 Requested HA Extension is present, Requested HA is the HA address in 520 this extension. If the Requested HA Extension is not present, the FA 521 determines the Requested HA through means outside the scope of this 522 specification. The Registration Request is formatted as follows: 524 +-----------------------------------------------------------+ 525 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 526 | FA |Requested HA| | ALL-ZERO-ONE-ADDR |FA CoA | 527 +-----------------------------------------------------------+ 529 3. The HA processes the Registration Request in accordance with 530 Mobile IPv4 [1] and the messaging defined in this specification. If 531 the registration is successful, but local configuration/ 532 administrative policy etc. directs HA to refer the MN to another HA, 533 the HA rejects the Request with error code REDIRECT-HA-REQ. The HA 534 fills in the address of the Redirected HA in the Redirected HA 535 Extension. The HA then sends Registration Reply reject to the FA, 536 which is formatted as follows: 538 +-----------------------------------------------------------+ 539 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 540 | | Src IP of | | HA |FA CoA | 541 | HA | the RRQ | | | | 542 +-----------------------------------------------------------+ 543 | Redirected HA Extension ... | 544 +-----------------------------------------------------------+ 546 4. The FA relays the Registration Reply to the MN, as follows. 548 +-----------------------------------------------------------+ 549 | Src IP=| Dest IP = | MN HoA | HA Address = | CoA = | 550 | FA | MN | | HA |FA CoA/| 551 +-----------------------------------------------------------+ 552 | Redirected HA Extension ... | 553 +-----------------------------------------------------------+ 555 5. If the MN can authenticate the Reply, the MN extracts the HA 556 address from the Redirected HA Extension. The MN then sends a 557 Registration Request to the Redirected HA, unless it has already 558 received a redirection response from that HA while processing the 559 Registration Request. The MN may choose to add Requested HA 560 extension in this new Registration Request. 562 5. Mobility Agent Considerations 564 The following sections describe the behavior of each mobility agent 565 in detail. 567 5.1 Mobile Node Considerations 569 The mobile node MUST use the NAI extension for home address 570 assignment when using the messaging mechanism in this document. 571 Since MN uses the NAI extension, the Home Address field is set to 572 0.0.0.0. 574 While dynamic HA assignment is in progress and the MN has not 575 successfully anchored at a Home Agent, the MN MUST set the Home Agent 576 field in the Registration Request to an ALL-ZERO-ONE-ADDR, which is 577 either 255.255.255.255 or 0.0.0.0. 579 The Registration Request MUST be protected by a valid authenticator 580 as specified in Mobile IPv4 [1] or Mobile IPv4 Challenge/Response 581 Extensions [5]. Configuring security associations is deployment 582 specific and hence outside the scope of this specification. The 583 security associations between a MN and an individual HA may also be 584 dynamically derived during the dynamic HA assignment, based on a 585 shared secret between MN and AAA infrastructure [7]. 587 The mobile node MUST maintain the remaining Mobile IP session with 588 the Assigned HA. 590 As mentioned in the Security Considerations (Section 9), there is a 591 possibility of more than one HA create a mobility binding entry for a 592 given MN, if a rogue node in the middle captures the Registration 593 Request and forwards it to other Home Agents. MN can mitigate such 594 condition by using a short lifetime (e.g. 5 seconds) in the 595 Registration Request with Home Agent field set to ALL-ZERO-ONE-ADDR. 597 The following sections describe MN behavior in FA CoA mode and co- 598 located CoA mode. 600 5.1.1 MN using FA CoA 602 When a mobile node initiates a Mobile IP session requesting dynamic 603 HA assignment, it MUST set the home agent address field in the 604 Registration Request to ALL-ZERO-ONE-ADDR. The destination IP 605 address of the Registration Request is the FA. The FA will determine 606 the Requested HA and forward the Registration Request to the 607 Requested HA. Registration Request processing takes place on the 608 Requested HA as per the specification in this draft. 610 The Registration Request MUST be appropriately authenticated for the 611 HA to validate the Request. 613 If a successful Registration Reply is received, the MN obtains the 614 Assigned HA from the HA field of Reply. The Assigned HA address will 615 be the same as the Requested HA Extension, if it was included in the 616 Registration Request by the MN. 618 If a Registration Reply is received with code REDIRECT-HA-REQ, the MN 619 MUST authenticate the Reply based on HA address in HA field of Reply 620 and attempt Registration with the HA address specified in the 621 Redirected HA Extension. The MN MUST put the Redirected HA address 622 as the Requested HA Extension of the new Registration Request. 624 In some cases, for the first Registration Request the MN may want to 625 hint to the network to be anchored at a specific HA. The MN SHOULD 626 put that address in the HA address of the Requested HA Extension. 628 5.1.2 MN using Co-located CoA 630 An MN in co-located CoA mode requesting dynamic HA assignment MUST 631 set the home agent address field in the Registration Request to ALL- 632 ZERO-ONE-ADDR. The destination IP address of the Registration 633 Request is the Requested HA. Some ideas on how to select a Requested 634 HA are briefly covered in section 6. 636 If a successful Reply is received, the MN obtains the Assigned HA 637 address from the successful Registration Reply. The Assigned HA will 638 be the same as Requested HA to which the Registration Request was 639 sent. The MN MUST cache the Assigned HA address for the length of 640 the Mobile IP session. The mobile node then MUST use this previously 641 cached Assigned HA address as the home agent address in subsequent 642 re-registration and de-registration request(s). This will make sure 643 that for the duration of the Mobile IP session, the mobile node will 644 always be anchored to the assigned home agent with which it was 645 initially registered. 647 If a Registration Reply is received with code REDIRECT-HA-REQ, the MN 648 MUST authenticate the Reply based on HA address in HA field of Reply 649 and attempt Registration with the HA address specified in the 650 Redirected HA Extension. The MN MUST put the Redirected HA in the 651 Requested HA Extension of the new Registration Request. 653 In some cases, for the first Registration Request MN may want to hint 654 to the network to be anchored at a specific HA and the MN SHOULD put 655 that address in the HA address of the Requested HA Extension. 657 While requesting dynamic HA assignment and registering directly with 658 an HA, the Requested HA Extension MUST be included and MUST contain 659 the address of the HA to which the Registration Request is sent. 660 When using co-located CoA but registering via a legacy FA, the HA 661 field in Reqistration Request may be set to Requested HA. 663 If the Registration Request contains the Requested HA Extension, the 664 HA address in that extension MUST match the destination IP of the 665 Request. 667 5.1.3 Refreshing Assigned HA Address on Mobile Node 669 When the Mobile IP session terminates, the mobile node MAY clear the 670 Assigned HA address cached as the home agent address. It MAY request 671 a new HA address for the new Mobile IP session by not including the 672 Requested HA Extension. The advantage of this approach is that the 673 mobile node will be always anchored to an optimal home agent from 674 where it initiated the Mobile IP session. 676 Alternately, the MN may save the Assigned HA address and use it in 677 the Requested HA Extension along with ALL-ZERO-ONE-ADDR HA address in 678 Registration Request for a new Mobile IP session. 680 5.2 Foreign Agent Considerations 682 When the mobile node is using a FA CoA it always registers via the 683 FA. When the MN is using a co-located CoA it may register through a 684 FA or it may register directly with an HA, unless the R bit is set in 685 the FA's agent advertisement, in which case it always registers 686 through the FA. 688 When the FA receives a Registration Request with HA address field set 689 to ALL-ZERO-ONE-ADDR that doesn't contain the Requested HA Extension, 690 the FA obtains the Requested HA address to forward the Registration 691 Request using means outside the scope of this specification. Some 692 ideas on how to select a Requested HA are briefly covered in section 693 6. 695 If the FA cannot obtain the Requested HA to which to forward a 696 Registration Request from MN, it MUST reject request with error code 697 NONZERO-HA-REQD. 699 If the MN has included the Requested HA Extension, the FA MUST 700 forward Registration Request to the address in this extension. If 701 the HA address in this extension is not a routable unicast address, 702 the FA MUST reject request with error code NONZERO-HA-REQD. 704 If the Registration Request contains the Requested HA Extension, the 705 FA uses that address as the destination for the relayed Registration 706 Request. 708 Backward compatibility issues related to the mobility agents are 709 addressed in section 10. 711 5.3 Home Agent Considerations 713 A Home Agent can process an incoming Registration Request in one of 714 the following two ways: 716 1. The MN or FA sends the Registration Request to the Requested HA. 717 The term Requested HA has meaning in the context of a Registration 718 Request message. When the Requested HA successfully processes the 719 Registration Request and creates a binding and sends a Reply with its 720 address, it becomes the Assigned HA. The term Assigned HA is 721 meaningful in the context of a Registration Reply message. 723 2. A Home Agent receiving a Registration Request with HA field set 724 to ALL-ZERO-ONE-ADDR MAY reject the request even if successfully 725 authenticated and suggest an alternate HA address in Reply. In such 726 a case, the HA puts its own address in HA field of Reply and sets the 727 Reply code to REDIRECT-HA-REQ and adds the Redirected HA Extension. 729 If the Registration Request contains the Requested HA Extension, the 730 HA address in that extension must match the destination IP of the 731 Request. If it does not match, the Requested HA MUST reject the 732 Registration Request with error code 136. 734 5.3.1 Assigned Home Agent Considerations 736 The HA that processes the incoming Registration Request fully in 737 accordance with Mobile IPv4 [1] and this specification becomes the 738 Assigned HA. The Registration Request terminates at the Assigned HA. 740 The Assigned HA creates one mobility binding per MN and sends 741 Registration Reply to the MN by copying its address in the home agent 742 field and as the source IP address of the Reply. 744 The following table summarizes the behavior of the Assigned HA, based 745 on the value of the destination IP address and Home Agent field of 746 the Registration Request. 748 Dest IP Addr HA field Processing at Assigned HA 749 ------------ ------------ ---------------------------------- 751 Unicast non-unicast Mobile IPv4 [1]: There is no change 752 in handling for this case from 753 (Must be Mobile IPv4. It is mentioned here 754 equal to the for reference only. 755 HA receiving HA denies the registration with 756 the RRQ) error code 136 and sets HA field to 757 its own IP address in the reply as 758 per section 3.8.3.2 in [1]. 760 ALL-ZERO- New Behavior: Accept the RRQ as per 761 ONE-ADDR this specification. Authenticate 762 the RRQ and create mobility binding 763 if the HA is acting as Assigned HA. 764 Set HA field to its own IP address 765 in the Registration Reply. 767 OR 769 New Behavior: If authentication is 770 successful, reject RRQ with a new 771 error code REDIRECT-HA-REQ. HA 772 puts its address in HA address 773 field of Reject. HA suggests an 774 alternate HA to use in the new 775 Redirected HA Extension. 777 Table 1: Registration Request handling at Assigned HA 779 As per the messaging proposed here, the mobile node (or the foreign 780 agent) sends the Registration Request to the Requested HA address, 781 which is a unicast address. Therefore, this document does not 782 specify any new behavior for the case where the HA receives a subnet 783 directed broadcast Registration Request as specified in section 784 3.8.2.1 of the Mobile IPv4 specification [1]. Although the Home 785 Agent field in the Registration Request is not a unicast address, the 786 destination IP address is a unicast address. This avoids the 787 problem associated with subnet-directed broadcast destination IP 788 address that may result in multiple HAs responding. Thus, there is 789 no need to deny the registration as stated in Mobile IPv4 [1] section 790 3.8.3.2. 792 When the destination IP address is a unicast address and the Home 793 Agent field is ALL-ZERO-ONE-ADDR, the HA accepts/denies registration 794 and sets the HA field to its own IP address in the reply (i.e. the 795 registration is not rejected with error code 136). 797 The HA can reject the request with the error code REDIRECT-HA-REQ and 798 suggest an alternate HA. This redirection can be used for load 799 balancing, geographical proximity based on care-of-address or other 800 reasons. The HA puts its own address in HA field of the Registration 801 Reply message and puts the address of the redirected HA in the 802 Redirected HA Extension. If the HA accepts the Request, it sets the 803 HA field in the Registration Reply to its own address. 805 The Requested HA always performs standard validity checks on the 806 Registration Request. If there is any error, the Registration 807 Request is rejected with error codes specified in Mobile IPv4 [1]. 809 6. Requested Home Agent Selection 811 When dynamic HA assignment is requested, the MN (or FA in the case of 812 registration via FA) sends the Registration Request to the Requested 813 HA. This address MUST be a unicast IP address. If the MN has 814 included a Requested HA Extension in Registration Request, the HA 815 address in this extension is the Requested HA. 817 Some example methods by which the MN or the FA may select the 818 Requested HA are briefly described below: 820 DHCP: 822 MN performs DHCP to obtain an IP address on the visited network. The 823 Requested HA is learned from the DHCP Mobile IP Home Agent Option 68 824 [4]. MN sends Registration Request directly to this HA and receives 825 the Assigned HA to be used for the remainder of the Mobile IP 826 session. 828 AAA: 830 MN performs challenge/response [5] with the FA. The FA retrieves the 831 Requested HA from the AAA server and forwards the Registration 832 Request directly to this HA. The Assigned HA sends a Registration 833 Reply to the FA, which relays it to the MN. MN uses the Assigned HA 834 for the remainder of the Mobile IP session. 836 DNS: 838 In this case the hostname of the HA is configured on the MN or 839 obtained by some other means; e.g., using a service location 840 protocol. MN performs DNS lookup on the HA hostname. The DNS 841 infrastructure provides a resource record with information to 842 identify the optimal HA to the MN. The MN sends a Registration 843 Request directly to the HA and receives the Assigned HA to be used 844 for remainder of the Mobile IP session. 846 Static configuration: 848 The HA address is statically configured on the MN. The MN sends the 849 Registration Request to the configured address. The Requested HA may 850 then redirect the MN to a Redirected HA. 852 7. Error Values 854 Each entry in the following table contains the name and value for the 855 error code to be returned in a Registration Reply. It also includes 856 the section in which the error code is first mentioned in this 857 document. 859 Error Name Value Section Description 860 --------------- ----- ------- ----------------------------- 861 NONZERO-HA-REQD XX 5.2 Non-zero HA address required 862 in Registration Request. 863 REDIRECT-HA-REQ YY 5.3 Reregister with redirected HA. 865 8. IANA Considerations 866 The code value NONZERO-HA-REQD is a Mobile IP response code [1] taken 867 from the range of values associated with rejection by the foreign 868 agent (i.e. value in the range 64-127). 870 The code value REDIRECT-HA-REQ is a Mobile IP response code [1] taken 871 from the range of values associated with rejection by the home agent 872 (i.e. value in the range 128-192). 874 The Dynamic HA Extension is assigned from the range of values 875 associated with skippable extensions at the home agent (i.e. value in 876 the range 128-255). 878 IANA should record the values as defined in Section 7 and 3.4. 880 9. Security Considerations 882 This specification assumes that a security configuration has been 883 preconfigured between the MN and the HA or is configured along with 884 the initial Registration Request/Registration Reply as per [7]. 886 There is a possibility of more than one HA create a mobility binding 887 entry for a given MN, if a man in the middle captures the 888 Registration Request with HA field set to ALL-ZERO-ONE-ADDR and 889 forwards it to other HAs. This scenario assumes that the rogue node 890 can find out the addresses of the HAs which are able to authenticate 891 the Registration Request. It also assumes that the rogue node has 892 the capability to store, duplicate, and send packets to the other HAs 893 within the limited time of the replay window. Otherwise these HAs 894 will reject the Registration Requests anyway. In addition, this type 895 of attack is only possible when the Requested HA Extension is not 896 included in the registration message. The Mobile Node can minimize 897 the duration of this condition by using a short lifetime (e.g. 5 898 seconds) in the Registration Request. 900 This specification does not change the security model established in 901 Mobile IPv4 [1]. Mobile Nodes are often connected to the network via 902 wireless links, which may be more prone to passive eavesdropping or 903 replay attacks. Such an attack might lead to bogus registrations or 904 redirection of traffic or denial of service. 906 As per the messaging in this draft, the Assigned Home Agent will 907 process the incoming Registration Request as per Mobile IPv4 [1]. 908 Hence the Assigned Home Agent will have same security concerns as 909 that of the Home Agent in Mobile IPv4 [1]. They are addressed in 910 Section 5 "Security Considerations" of Mobile IPv4 [1]. 912 The Registration Request and Registration Reply messages are 913 protected by a valid authenticator as specified in Mobile IPv4 [1]. 914 Configuring security associations is a deployment specific issue and 915 is covered by other Mobile IP specifications. There can be many ways 916 of configuring security associations, but this specification does not 917 require any specific way. 919 An example is where the security association between an MN and an 920 individual HA (Requested or Assigned) is dynamically derived during 921 the registration process based on a shared secret between MN and AAA 922 infrastructure, as defined in [7]. The Registration Request is 923 protected with MN-AAA authentication extension and Registration Reply 924 is protected with MN-HA Authentication Extension. Because the 925 security association is shared between MN and AAA, any dynamically 926 assigned HA in the local domain can proxy authenticate the MN using 927 AAA as per [7]. 929 The Assigned Home Agent authenticates each Registration Request from 930 the mobile node as specified in Mobile IPv4 [1] and/or RFC-3012. The 931 MN also authenticates the Registration Reply from the Assigned HA, 932 thus the existing trust model in Mobile IPv4 [1] is maintained. 934 10. Backward Compatibility Considerations 936 In this section, we examine concerns that may arise when using this 937 specification in a mixed environment where some nodes implement the 938 specification and others do not. In each of the examples below, we 939 consider the case where one node is a "Legacy" node which does not 940 implement the specification in the context of other nodes which do. 942 Legacy Home Agent: 944 Legacy home agents may reject the Registration Request with error 945 code 136 because the Home Agent field is not a unicast address. 946 However, some legacy HA implementations may coincidentally process 947 the Registration Request in accordance with this draft, when the HA 948 field in Registration Request is set to ALL-ZERO-ONE-ADDR. 950 Legacy Foreign Agent: 952 Legacy foreign agents may forward a Registration Request with home 953 agent field set to ALL-ZERO-ONE-ADDR by setting the destination IP 954 address to ALL-ZERO-ONE-ADDR. This will result packet being dropped 955 or incidentally handled by a next hop HA, adjacent to the FA. The MN 956 may not be aware of the dropped Registration Request and may probably 957 retry registration, thereby increasing the delay in registration. 959 To reduce the delay in registration, the MN should take following 960 steps: 962 1. The MN should send the Registration Request as specified in this 963 specification. In other words, the MN should set the home agent 964 field in the Registration Request to ALL-ZERO-ONE-ADDR and also add 965 the Requested HA Extension. 967 2. If the MN does not receive a Registration Reply within some time 968 and/or after sending a few Registration Requests, it can assume 969 that the Registration Request(s) has been dropped, either by a 970 legacy FA or an incorrect HA. In addition, if the registration is 971 denied with error code 70 (poorly formed Request), the MN can 972 assume that the legacy FA cannot process this message. In either 973 case, the MN should fall back to a recovery mechanism. The MN 974 should quickly send a new Registration Request as mentioned in 975 section 4.1 step 2. This step will ensure that a legacy FA will 976 forward the Registration Request to the Home Agent thereby making 977 dynamic HA assignment possible. 979 Legacy Mobile Node: 981 A MN that sends a registration request to an FA which can do dynamic 982 HA assignment, but does not set the HA field to ALL-ZERO-ONE-ADDR 983 will continue to be registered with its statically configured HA, 984 exactly according to RFC 3344. 986 11. Change Log from previous versions 988 Note: This section should be removed before publication. 990 Changes from revision 6 to 7: 992 1. Updated section 4.2 bullet 5. 994 Changes from revision 5 to 6: 996 2. Updated section 4.2.1 bullet 5. 997 3. Fixed nits found by idnit tool. 998 4. Added text in section 5.1 outlining how to avoid the 999 possibility of multiple bindings on HAs by requiring short 1000 lifetime for first registration request. 1001 5. Added text in section 9 outlining possibility of multiple 1002 bindings on HAs. 1003 6. Added text in section 12 Acknowledgements. 1005 Changes from revision 4 to 5: 1007 1. Legacy FA Considerations text was updated based on the WG 1008 discussions which addressed IESG review feedback. 1010 Changes from revision 3 to 4: 1012 1. Text added to clarify the cases when MN is configured with HA 1013 address and not configured with HA address and requests 1014 dynamic HA assignment. 1016 2. Clarification on legacy FA section as suggested by Thomas 1017 Narten. 1018 3. More editorial changes suggested by the chairs. 1020 Changes from revision 2 to 3: 1022 1. More editorial changes suggested by the chairs. 1024 Changes from revision 1 to 2: 1026 1. Editorial changes suggested by the WG, the chair's reviews and 1027 idnits. 1029 Changes from revision 0 to 1: 1031 1. Added subtype field in Redirected HA Address Extension. 1032 2. Aligned the HA address at 4-byte world boundary. 1033 3. The case of handling unicast HA field is removed in section 1034 5.3.1. 1036 12. Acknowledgements 1038 The authors would like to thank Pete McCann for thorough review, 1039 suggestions on security considerations and definition of ALL-ZERO- 1040 ONE-ADDR. Thanks to Kuntal Chowdhury for extensive review and 1041 comments on this draft. Also thanks to Henrik Levkowetz for detailed 1042 reviews and suggestions. Thomas Narten highlighted issues for legacy 1043 FA considerations. Thanks to Ahmad Muhanna for pointing out scenario 1044 of multiple bindings on HAs, documented in the Security 1045 Considerations section. 1047 The authors would like to thank Mike Andrews, Madhavi Chandra and 1048 Yoshi Tsuda for their review and suggestions. 1050 13. Normative References 1052 [1] C. Perkins, "IP Mobility Support for IPv4", RFC 3344, August 1053 2002. 1054 [2] P. Calhoun and C. Perkins, "Mobile IP Network Access Identifier 1055 Extension for IPv4", RFC 2794, March 2000. 1056 [3] D. Senie, "Changing the Default for Directed Broadcasts in 1057 Routers", RFC 2644, August 1999. 1058 [4] S. Alexander and R. Droms, "DHCP Options and BOOTP Vendor 1059 Extensions", RFC 2132, March 1997. 1060 [5] C. Perkins and P. Calhoun, "Mobile IPv4 Challenge/Response 1061 Extensions", RFC 3012, November 2000. 1062 [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement 1063 Levels", BCP 14, RFC 2119, March 1997. 1065 [7] C. Perkins and P. Calhoun, "AAA Registration Keys for Mobile 1066 IP", draft-ietf-mip4-aaa-key-06.txt, June 2004. 1068 Authors' Addresses 1070 Milind Kulkarni 1071 Cisco Systems Inc. 1072 170 W. Tasman Drive, 1073 San Jose, CA 95134 1074 USA 1076 Email: mkulkarn@cisco.com 1077 Phone:+1 408-527-8382 1079 Alpesh Patel 1080 Cisco Systems Inc. 1081 170 W. Tasman Drive, 1082 San Jose, CA 95134 1083 USA 1085 Email: alpesh@cisco.com 1086 Phone:+1 408-853-9580 1088 Kent Leung 1089 Cisco Systems Inc. 1090 170 W. Tasman Drive, 1091 San Jose, CA 95134 1092 USA 1094 Email: kleung@cisco.com 1095 Phone: +1 408-526-5030 1097 Intellectual Property Statement 1099 The IETF takes no position regarding the validity or scope of any 1100 Intellectual Property Rights or other rights that might be claimed to 1101 pertain to the implementation or use of the technology described in 1102 this document or the extent to which any license under such rights 1103 might or might not be available; nor does it represent that it has 1104 made any independent effort to identify any such rights. 1105 Information on the procedures with respect to rights in RFC documents 1106 can be found in BCP 78 and BCP 79. 1108 Copies of IPR disclosures made to the IETF Secretariat and any 1109 assurances of licenses to be made available, or the result of an 1110 attempt made to obtain a general license or permission for the use 1111 of such proprietary rights by implementers or users of this 1112 specification can be obtained from the IETF on-line IPR repository 1113 at http://www.ietf.org/ipr. 1115 The IETF invites any interested party to bring to its attention 1116 any copyrights, patents or patent applications, or other 1117 proprietary rights that may cover technology that may be required to 1118 implement this standard. Please address the information to the IETF 1119 at ietf-ipr@ietf.org. 1121 Disclaimer of Validity 1123 This document and the information contained herein are provided on an 1124 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1125 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 1126 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 1127 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 1128 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1129 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1131 Copyright Statement 1133 Copyright (C) The Internet Society (2005). This document is subject 1134 to the rights, licenses and restrictions contained in BCP 78, and 1135 except as set forth therein, the authors retain all their rights. 1137 Acknowledgement 1139 Funding for the RFC Editor function is currently provided by the 1140 Internet Society.