Network Working Group                                          K. Leung
Internet-Draft                                               G. Dommety
Expires: March 10, 2008                                   Cisco Systems
                                                           V. Narayanan
                                                          QUALCOMM, Inc.
                                                            A. Petrescu
                                                               Motorola
                                                     September 10, 2007

                 IPv4 Network Mobility (NEMO) Protocol
                  draft-ietf-mip4-nemo-v4-base-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 10, 2008.

Copyright Notice

   Copyright (C) The Internet Society (2007).

Abstract

   This document describes a protocol for supporting Mobile Networks between a Mobile Router and a Home Agent by extending the Mobile IPv4 protocol. A Mobile Router is responsible for the mobility of one or more network segments or subnets moving together. The Mobile Router hides its mobility from the nodes on the mobile network. The nodes on the Mobile Network may be fixed in relationship to the Mobile Router and may not have any mobility function.

   Extensions to Mobile IPv4 are introduced to support Mobile Networks.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Requirements
   4.  Mobile Network Extensions
     4.1.  Mobile Network Request Extension
     4.2.  Mobile Network Acknowledgement Extension
   5.  Mobile Router Operation
     5.1.  Error Processing
   6.  Home Agent Operation
     6.1.  Summary
     6.2.  Data Structures
       6.2.1.  Registration Table
       6.2.2.  Prefix Table
     6.3.  Mobile Network Prefix Registration
     6.4.  Advertising Mobile Network Reachability
     6.5.  Establishment of Bi-directional Tunnel
     6.6.  Sending Registration Replies
     6.7.  Mobile Network Prefix De-registration
   7.  Data Forwarding Operation
   8.  Nested Mobile Networks
   9.  Routing Protocol between Mobile Router and Home Agent
   10. Security Considerations
     10.1.  Security when Dynamic Routing Protocol is Used
   11. IANA Considerations
   12. Acknowledgements
   13. References
     13.1.  Normative References
     13.2.  Informative References
   13. Changelog
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   This document describes protocol extensions to Mobile IPv4 [RFC3344] to enable support for Mobile Networks. This draft addresses only co-located Care-of Address mode (not Foreign Agent Care-of Address mode, for which the reader is directed to [1]).

   A Mobile Network is defined as a network segment or subnet that can change its point of attachment to the routing infrastructure. Such movement is performed by a Mobile Router, which is the mobility entity that provides connectivity and reachability, as well as session continuity, for all the nodes in the Mobile Network. The Mobile Router typically serves as the default gateway for the hosts on the Mobile Network.

   Mobility for the Mobile Network is supported by the Mobile Router registering its point of attachment with its Home Agent. This signaling sets up the tunnel between the two entities.

   The Mobile Networks (either implicitly configured on the Home Agent or explicitly identified by the Mobile Router) are advertised by the Home Agent for route propagation. Traffic to and from nodes in the Mobile Network is tunneled by the Home Agent to the Mobile Router, and vice versa. Although packets from the Mobile Network can be forwarded directly without tunneling (if reverse tunneling is not used), they will be dropped if ingress filtering is turned on.

   This document specifies an additional tunnel between the Mobile Router's Home Address and the Home Agent. This tunnel is encapsulated within the normal tunnel between the Care-of Address (CoA) and the Home Agent. In Foreign Agent CoA mode, the tunnel between the Mobile Router and the Home Agent is needed to allow the Foreign Agent to direct the decapsulated packet to the proper visiting Mobile Router. However, in Collocated CoA mode, the additional tunnel is not essential and can be eliminated, because the Mobile Router is the recipient of the encapsulated packets for the Mobile Network.

   All traffic between the nodes in the Mobile Network and Correspondent Nodes passes through the Home Agent. This document does not cover route optimization of this traffic.

   A similar protocol has been documented in [RFC3963] for supporting IPv6 mobile networks with Mobile IPv6 extensions.

   Multihoming for Mobile Routers is outside the scope of this document.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

   Terminology for network mobility support is defined in [RFC3344]. In addition, this document defines the following terms.

   Mobile Network Prefix

      The network prefix of the subnet delegated to a Mobile Router as the Mobile Network.

   Prefix Table

      A list of Mobile Network Prefixes indexed by the Home Address of a Mobile Router. The Home Agent manages and uses the Prefix Table to determine which Mobile Network Prefixes belong to a particular Mobile Router.

3.  Requirements

   Although Mobile IPv4 states that a Mobile Network can be supported by the Mobile Router and Home Agent using static configuration or by running a routing protocol, there is no solution for explicit registration of the Mobile Networks served by the Mobile Router. A solution needs to provide the Home Agent a means to ensure that a Mobile Router claiming a certain Mobile Network Prefix is authorized to do so. A solution would also expose the Mobile Network Prefixes (and potentially other subnet-relevant information) in the exchanged messages, to aid in network debugging.

   The following requirements for Mobile Network support are enumerated:

   o  A Mobile Router should be able to operate in explicit or implicit mode. A Mobile Router may explicitly inform the Home Agent which Mobile Network(s) need to be propagated via a routing protocol. A Mobile Router may also function in implicit mode, where the Home Agent may learn the mobile networks through other means, such as from the AAA server, via pre-configuration, or via a dynamic routing protocol.

   o  The Mobile Network should be supported using Foreign Agents that are compliant with RFC 3344 without any changes ('legacy' Foreign Agents).

   o  The mobile network should allow Fixed Nodes, Mobile Nodes, or Mobile Routers to be on it.

4.  Mobile Network Extensions

4.1.  Mobile Network Request Extension

   For Explicit Mode, the Mobile Router informs the Home Agent about the Mobile Network Prefixes during registration. The Registration Request contains zero, one or several Mobile Network Request extensions in addition to any other extensions defined by or in the context of [RFC3344]. When several Mobile Networks need to be registered, each is included in a separate Mobile Network Request extension, with its own Type, Length, Sub-Type, Prefix Length and Prefix fields. A Mobile Network Request extension is encoded in Type-Length-Value (TLV) format and respects the following format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Sub-Type    | Prefix Length |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            Prefix                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      Mobile Network Extension (skippable type range to be assigned by IANA)

   Length

      6

   Sub-Type

      1 (Mobile Network Request)

   Prefix Length

      8-bit unsigned integer indicating the number of bits covering the network part of the address contained in the Prefix field.

   Prefix

      32-bit unsigned integer in network byte order containing an IPv4 address whose first Prefix Length bits make up the Mobile Network Prefix.

4.2.  Mobile Network Acknowledgement Extension

   The Registration Reply contains zero, one or several Mobile Network Acknowledgement extensions in addition to any other extensions defined by or in the context of [RFC3344]. For Implicit Mode, the Mobile Network Acknowledgement informs the Mobile Router of the prefixes for which the Home Agent sets up forwarding with respect to this Mobile Router. Policies such as permitting only traffic from these Mobile Networks to be tunneled to the Home Agent may be applied by the Mobile Router. For Explicit Mode, when several Mobile Networks need to be acknowledged explicitly, each is included in a separate Mobile Network Acknowledgement extension, with its own Type, Sub-Type, Length and Prefix Length fields. Optionally, all requested Mobile Networks could be acknowledged using only one Mobile Network Acknowledgement extension with the "Prefix Length" and "Prefix" fields set to zero. At least one Mobile Network Acknowledgement extension MUST be present in a successful Registration Reply, to indicate to the Mobile Router that the Mobile Network Request extension was processed rather than skipped by the Home Agent. A Registration Reply may contain any non-zero number of Explicit Mode and Implicit Mode Acknowledgement sub-types. Both sub-types can be present in a single Registration Reply.

   When the registration is denied with code HA_MOBNET_ERROR, the Code field in the extension provides the reason for the failure.

   A Mobile Network Acknowledgement extension is encoded in Type-Length-Value (TLV) format and respects the following format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Sub-Type    |     Code      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Prefix Length |   Reserved    |            Prefix
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      Mobile Network Extension (skippable type range to be assigned by IANA)

   Length

      8

   Sub-Type

      TBA (Explicit Mode Acknowledgement)

      TBA (Implicit Mode Acknowledgement)

   Code

      Value indicating success or failure.

         0     Success

         TBA   Invalid prefix (MOBNET_INVALID_PREFIX_LEN)

         TBA   Mobile Router is not authorized for prefix (MOBNET_UNAUTHORIZED)

         TBA   Forwarding setup failed (MOBNET_FWDING_SETUP_FAILED)

   Prefix Length

      8-bit unsigned integer indicating the number of bits covering the network part of the address contained in the Prefix field.

   Reserved

      Sent as zero; ignored on reception.

   Prefix

      32-bit unsigned integer in network byte order containing an IPv4 address whose first Prefix Length bits make up the Mobile Network Prefix.

5.  Mobile Router Operation

   A Mobile Router's operation is generally derived from the behavior of a Mobile Node, as set out in [RFC3344]. In addition to maintaining mobility bindings for its Home Address, the Mobile Router, together with the Home Agent, maintains forwarding information for the Mobile Network Prefix(es) assigned to the Mobile Router.

   A Mobile Router SHOULD set the 'T' bit to 1 in all Registration Request messages it sends, to indicate the need for reverse tunnels for all traffic. Without reverse tunnels, all the traffic from the mobile network will be subject to ingress filtering in the visited networks. Upon reception of a successful Registration Reply, the Mobile Router processes the registration in accordance with RFC 3344. In addition, the following steps are taken:

   o  Check for Mobile Network Acknowledgement extension(s) in the Registration Reply

   o  Create a tunnel to the Home Agent if registered in reverse tunneling mode

   o  Set up a default route via this tunnel or via the egress interface when registered with or without reverse tunneling, respectively

   In accordance with this specification, a Mobile Router may operate in one of the following two modes: explicit and implicit. In explicit mode, the Mobile Router includes Mobile Network Prefix information in all Registration Requests (as Mobile Network Request extensions), while in implicit mode it does not include this information in any Registration Request. In the latter case, the Home Agent obtains the Mobile Network Prefixes by means other than Mobile IP. One example is obtaining the Mobile Network Prefix through static configuration on the Home Agent.

   A Mobile Router can obtain a Collocated or Foreign Agent Care-of Address while operating in explicit or implicit mode.

   For de-registration, the Mobile Router sends a Registration Request with the lifetime set to zero and without any Mobile Network Request extensions.

5.1.  Error Processing

   A Mobile Router interprets the values of the Code field in the Mobile Network Acknowledgement extension of the Registration Reply in order to identify any error related to the management of the Mobile Network Prefixes by the Home Agent.

   If the value of the Code field in the Registration Reply is set to HA_MOBNET_DISALLOWED, then the Mobile Router MUST stop sending Registration Requests with any Mobile Network Prefix extensions to that Home Agent.

   If the value of the Code field in the Registration Reply is set to HA_MOBNET_ERROR, then the Mobile Router MUST stop sending Registration Requests that contain any of the Mobile Network Prefixes defined by the values of the Prefix and Prefix Length fields in the Mobile Network Acknowledgement extension. Note that the registration is denied in this case, and no forwarding for any Mobile Network Prefixes would be set up by the Home Agent for the Mobile Router.

   It is possible that the Mobile Router receives a Registration Reply with no mobile network extensions, if the registration was processed by a Mobile IPv4 home agent that does not support this specification at all. In that case, the absence of mobile network extensions must be interpreted by the Mobile Router as the case where the Home Agent does not support mobile networks.

   All the error code values are TBA (To Be Assigned), subject to IANA allocation.

6.  Home Agent Operation

6.1.  Summary

   A Home Agent MUST support all the operations specified in [RFC3344] for mobile node support. The Home Agent MUST support both implicit and explicit modes of operation for a Mobile Router.
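   As an added illustration (not code from the draft or from any implementation of it), the following Python models the explicit-mode exchange: the Mobile Router encodes the Request extensions of Section 4.1, the Home Agent parses them, checks each prefix against its Prefix Table as Section 6.3 requires, drops prefixes missing from a re-registration, and answers with the Acknowledgement extensions of Section 4.2 plus a reply code that the Mobile Router reads back. The extension Type, the Acknowledgement sub-types, the non-zero Codes and HA_MOBNET_ERROR are TBA in the draft, so the numeric values here are placeholders, and setup_forwarding is a hypothetical callback standing in for the forwarding plane.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# The draft fixes Sub-Type 1 (Request) and Code 0 (Success); the extension
# Type, the Acknowledgement sub-types, the non-zero Codes and the reply code
# HA_MOBNET_ERROR are "TBA", so those numbers are placeholders for this example.
MOBNET_EXT_TYPE = 200           # placeholder, skippable extension type
SUBTYPE_REQUEST = 1             # draft: Mobile Network Request
SUBTYPE_EXPLICIT_ACK = 2        # placeholder (TBA)
SUBTYPE_IMPLICIT_ACK = 3        # placeholder (TBA)
CODE_SUCCESS = 0                # draft: Success
MOBNET_INVALID_PREFIX_LEN = 1   # placeholder (TBA)
MOBNET_UNAUTHORIZED = 2         # placeholder (TBA)
MOBNET_FWDING_SETUP_FAILED = 3  # placeholder (TBA)
REPLY_OK = 0                    # Registration Reply Code: accepted
HA_MOBNET_ERROR = 199           # placeholder (TBA) Registration Reply Code

def encode_request_ext(prefix: str) -> bytes:
    """Mobile Router, Section 4.1: Type, Length=6, Sub-Type=1, Prefix Length,
    Prefix (32-bit, network byte order)."""
    net = IPv4Network(prefix)
    return struct.pack("!BBBB4s", MOBNET_EXT_TYPE, 6, SUBTYPE_REQUEST,
                       net.prefixlen, net.network_address.packed)

def encode_ack_ext(subtype, code, plen, addr: IPv4Address) -> bytes:
    """Home Agent, Section 4.2: Type, Length=8, Sub-Type, Code, Prefix Length,
    Reserved=0, Prefix."""
    return struct.pack("!BBBBBB4s", MOBNET_EXT_TYPE, 8, subtype, code,
                       plen, 0, addr.packed)

def iter_extensions(blob: bytes):
    """Yield (Type, Value) for each extension in a registration message:
    one-byte Type, one-byte Length, then Length bytes of value."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated extension")
        ext_type, length = blob[i], blob[i + 1]
        yield ext_type, blob[i + 2:i + 2 + length]
        i += 2 + length

def parse_request_exts(blob: bytes):
    """(Prefix Length, Prefix) of every Mobile Network Request extension;
    extensions of other types are skipped."""
    return [(v[1], IPv4Address(v[2:6])) for t, v in iter_extensions(blob)
            if t == MOBNET_EXT_TYPE and len(v) == 6 and v[0] == SUBTYPE_REQUEST]

def parse_ack_exts(blob: bytes):
    """(Sub-Type, Code, Prefix Length, Prefix) of every Acknowledgement
    extension, as the Mobile Router reads a Registration Reply (Section 5.1)."""
    return [(v[0], v[1], v[2], str(IPv4Address(v[4:8])))
            for t, v in iter_extensions(blob)
            if t == MOBNET_EXT_TYPE and len(v) == 8
            and v[0] in (SUBTYPE_EXPLICIT_ACK, SUBTYPE_IMPLICIT_ACK)]

def process_explicit_registration(home_addr, request_exts, prefix_table,
                                  registration_table, setup_forwarding):
    """Home Agent, Sections 6.3 and 6.6: authorize each requested prefix
    against the Prefix Table, try to set up forwarding for authorized ones,
    and build one Acknowledgement extension per prefix plus the reply Code.
    Prefixes bound earlier but absent from this request are returned as
    stale so their forwarding can be disabled. setup_forwarding is a
    hypothetical callback standing in for the forwarding plane."""
    authorized = prefix_table.get(home_addr, set())
    acks, granted = [], set()
    for plen, addr in request_exts:
        if plen == 0 or plen > 32:
            code = MOBNET_INVALID_PREFIX_LEN
        else:
            net = IPv4Network((str(addr), plen), strict=False)  # mask host bits
            if net not in authorized:
                code = MOBNET_UNAUTHORIZED
            elif not setup_forwarding(net):
                code = MOBNET_FWDING_SETUP_FAILED
            else:
                code = CODE_SUCCESS
                granted.add(net)
        acks.append(encode_ack_ext(SUBTYPE_EXPLICIT_ACK, code, plen, addr))
    stale = registration_table.get(home_addr, set()) - granted
    registration_table[home_addr] = granted
    return (REPLY_OK if granted else HA_MOBNET_ERROR), b"".join(acks), stale

# Constructed Prefix Table (Section 6.2.2) for the Mobile Router whose Home
# Address is 10.0.0.1.
PREFIX_TABLE = {"10.0.0.1": {IPv4Network("192.0.2.0/24"),
                             IPv4Network("198.51.100.0/25")}}

def demo():
    # Existing binding from an earlier registration.
    registration_table = {"10.0.0.1": {IPv4Network("198.51.100.0/25")}}
    # Explicit mode: one Request extension per prefix the Mobile Router claims.
    request = b"".join(encode_request_ext(p) for p in
                       ("192.0.2.0/24", "203.0.113.0/24", "198.51.100.128/25"))
    code, ack_blob, stale = process_explicit_registration(
        "10.0.0.1", parse_request_exts(request), PREFIX_TABLE,
        registration_table, setup_forwarding=lambda net: True)
    acks = parse_ack_exts(ack_blob)
    return {"reply_code": code,
            "ack_codes": [a[1] for a in acks],
            "stale": sorted(str(n) for n in stale),
            # No Acknowledgement extension at all would mean a Home Agent
            # that does not support mobile networks (Section 5.1).
            "ha_supports_mobnet": bool(acks)}
```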
396 The Home Agent processes the registration in accordance to RFC 3344, 397 which includes route set up to the Mobile Router's home address via 398 the tunnel to the Care-of Address. In addition, for a Mobile Router 399 registering in explicit mode, the following steps are taken: 401 1. Check that the Mobile Network Prefix information is valid 403 2. Ensure the Mobile Network Prefix(es) is or are authorized to be 404 on the Mobile Router 406 3. Create tunnel to the Mobile Router if it does not already exist 408 4. Set up route for the Mobile Network Prefix via this tunnel 410 5. Propagate Mobile Network Prefix routes via routing protocol 412 6. Send the Registration Reply with the Mobile Network 413 Acknowledgement extension(s) 415 If there are any subnet routes via the tunnel to the Mobile Router 416 that are not specified in the Mobile Network extensions, these routes 417 are removed. 419 In the case where the Mobile Node is not permitted to act as a Mobile 420 Router, the Home Agent sends a registration denied message with error 421 code HA_MOBNET_DISALLOWED. 423 For a Mobile Router registering in implicit mode, the Home Agent 424 performs steps 3-6 above, once the registration request is processed 425 successfully. 427 For deregistration, the Home Agent removes the tunnel to the Mobile 428 Router and all routes using this tunnel. The Mobile Network 429 extensions are ignored. 431 6.2. Data Structures 433 6.2.1. Registration Table 435 The Registration Table in the Home Agent, in accordance with 436 [RFC3344], contains binding information for every Mobile Node 437 registered with it. [RFC3344] defines the format of Registration 438 Table. In addition to all the parameters specified by [RFC3344], 439 the Home Agent MUST store the Mobile Network Prefixes associated 440 with the Mobile Router in the corresponding registration entry, 441 when the corresponding registration was performed in explicit mode. 
442 When the Home Agent is advertising reachability to Mobile Network 443 Prefixes served by a Mobile Router, this information stored in the 444 Registration Table can be used. 446 6.2.2. Prefix Table 448 The Home Agent must be able to authorize a Mobile Router for use of 449 Mobile Network Prefixes when the Mobile Router is operating in 450 explicit mode. Also, when the Mobile Router operates in implicit 451 mode, the Home Agent must be able to locate the Mobile Network 452 Prefixes associated with that Mobile Router. The Home Agent may 453 store the home address of the Mobile Router along with the mobile 454 network prefixes associated with that Mobile Router. If the Mobile 455 Router does not have a home address assigned, this table may store 456 the NAI ([RFC2794]) of the Mobile Router that will be used in 457 dynamic home address assignment. 459 6.3. Mobile Network Prefix Registration 461 The Home Agent must process registration requests coming from Mobile 462 Routers in accordance with this section. ([RFC3344]) specifies that 463 the home address of a mobile node registering with a Home Agent must 464 belong to a prefix advertised on the home network. In accordance 465 with this specification, however, the home address must be configured 466 from a prefix that is served by the Home Agent, not necessarily the 467 one on the home network. 469 If the registration request is valid, the Home Agent checks to see 470 if there are any Mobile Network Prefix extensions included in the 471 Registration Request. If so, the Mobile Network Prefix information 472 is obtained from the included extensions, and the Home Address from 473 the Home Address field of the UDP header Registration Request. For 474 every Mobile Network Prefix extension included in the registration 475 request, the Home Agent MUST perform a check against the Prefix 476 Table. 
If the Prefix Table does not contain at least one entry 477 pairing that Home Address to that Mobile Network Prefix then the 478 check fails, otherwise it succeeds. 480 Following this check against the Prefix Table, the Home Agent MUST 481 construct a Registration Reply containing Mobile Network 482 Acknowledgement extensions. For a Mobile Network Prefix for which 483 the check was unsuccessfull the Code field in the corresponding 484 Mobile Network Acknowledgement extension should be set to 485 MOBNET_UNAUTHORIZED. 487 For a Mobile Network Prefix for which the check was successfull the 488 Code field in the respective Mobile Network Acknowledgement 489 extensions should be set to 0. 491 The Home Agent MUST attempt to set up forwarding for each Mobile 492 Network Prefix extension for which the Prefix Table check was 493 successfull. If the forwarding setup fails for a particular Mobile 494 Network Prefix (for reasons like not enough memory available, or 495 not enough devices available, or other similar) the Code field in 496 the respective Mobile Network Acknowledgement extension should be 497 set to MOBNET_FWDING_SETUP_FAILED. 499 If forwarding and setup was successful for at least one Mobile 500 Network Prefix then the Code field of the Registration Reply 501 message should be set to 0. Otherwise that Code should be 502 HA_MOBNET_ERROR. 504 If the registration request is sent in implicit mode, i.e., without 505 any Mobile Network Request extension, the Home Agent may use pre- 506 configured mobile network prefix information for the Mobile Router to 507 set up forwarding. 509 If the Home Agent is updating an existing binding entry for the 510 Mobile Router, it MUST check all the prefixes in the registration 511 table against the prefixes included in the registration request. 512 If one or more mobile network prefix is missing from the included 513 information in the registration request, it MUST delete those 514 prefixes from the registration table. 
Also, the Home Agent MUST 515 disable forwarding for those prefixes. 517 If all checks are successful, the Home Agent either creates a new 518 entry for the Mobile Router or updates an existing binding entry 519 for it and returns a successful registration reply back to the 520 Mobile Router or the Foreign Agent (if the registration request was 521 received from a Foreign Agent). 523 In accordance with ([RFC3344]), the Home Agent does proxy ARP for 524 the Mobile Router home address, when the Mobile Router home address 525 is derived from the home network. If the 'T' bit is set, the Home 526 Agent creates a bi-directional tunnel for the corresponding mobile 527 network prefixes or updates the existing bi-directional tunnel. 528 This tunnel is maintained independent of the reverse tunnel for the 529 Mobile Router home address itself. 531 6.4. Advertising Mobile Network Reachability 533 If the mobile network prefixes served by the Home Agent are 534 aggregated with the home network prefix and if the Home Agent is 535 the default router on the home network, the Home Agent does not 536 have to advertise the Mobile Network Prefixes. The routes for the 537 Mobile Network Prefix are automatically aggregated into the home 538 network prefix (it is assumed that the Mobile Network Prefixes are 539 automatically aggregated into the home network prefix). If the 540 Mobile Router updates the mobile network prefix routes via a 541 dynamic routing protocol, the Home Agent SHOULD propagate the 542 routes on the appropriate networks. 544 6.5. Establishment of Bi-directional Tunnel 546 The Home Agent creates and maintains a bi-directional tunnel for the 547 mobile network prefixes of a Mobile Router registered with it. A 548 home agent supporting IPv4 Mobile Router operation MUST be able to 549 forward packets destined to the mobile network prefixes served by the 550 mobile router to its care-of-address. 
Also, the Home Agent MUST be 551 able to accept packets tunneled by the Mobile Router with the source 552 address of the outer header is set to the care-of-address of the 553 mobile router and that of the inner header is set to the Mobile 554 Router's home address or an address from one of the registered mobile 555 network prefixes. 557 6.6. Sending Registration Replies 559 The Home Agents MUST set the status code in the registration reply to 560 0 to indicate successful processing of the registration request and 561 successful set up of forwarding for all the mobile network prefixes 562 served by the Mobile Router. The registration reply MUST contain at 563 least one Mobile Network Acknowledgement extension. 565 If the Home Agent is unable to set up forwarding for one of more 566 mobile network prefixes served by the Mobile Router, it MUST set the 567 Mobile Network Acknowledgement Extension status code in the 568 registration reply to MOBNET_FWDING_SETUP_FAILED. When the prefix 569 length is zero or greater than 32, the status code MUST be set to 570 MOBNET_INVALID_PREFIX_LEN. 572 If the Mobile Router is not authorized to forward packets to one or 573 mobile network prefixes included in the request, the Home Agent MUST 574 set the code to MOBNET_UNAUTHORIZED_MR. 576 6.7. Mobile Network Prefix De-registration 578 If the received registration request is for de-registration of the 579 care-of-address, the Home Agent, upon successful processing of it, 580 MUST delete the entry(ies) from its registration table. The home 581 agent tears down the bi-directional tunnel and stops forwarding any 582 packets to/from the Mobile Router. The Home Agent MUST ignore any 583 included Mobile Network Request extension in a de-registration 584 request. 586 7. Data Forwarding Operation 588 For traffic to the nodes in the Mobile Network, the Home Agent MUST 589 perform double tunneling of the packet, if the Mobile Router had 590 registered with a Foreign Agent care-of-address. 
In this case, the 591 Home Agent MUST encapsulate the packet with tunnel header (source IP 592 address set to Home Agent and destination IP address set to Mobile 593 Router's home address) and then encapsulate one more time with tunnel 594 header (source IP address set to Home Agent and destination IP 595 address set to CoA). 597 For optimization, the Home Agent SHOULD only encapsulate the packet 598 with the tunnel header (source IP address set to Home Agent and 599 destination IP address set to CoA) for Collocated CoA mode. 601 When a Home Agent receives a packet from the mobile network prefix in 602 the bi-directional tunnel, it MUST de-encapsulate the packet and 603 route it as a normal IP packet. It MUST verify that the incoming 604 packet has the source IP address set to the care-of-address of the 605 Mobile Router. The packet MUST be dropped if the source address is 606 not set to the care-of-address of the Mobile Router. 608 For traffic from the nodes in the Mobile Network, the Mobile Router 609 encapsulates the packet with tunnel header (source IP address set to 610 Mobile Router's home address and destination IP address set to Home 611 Agent) if reverse tunnel is enabled. Otherwise, the packet is routed 612 directly to the Foreign Agent or access router. 614 In Collocated CoA mode, the Mobile Router MAY encapsulate one more 615 times with tunnel header (source IP address set to the CoA and 616 destination IP address set to Home Agent). 618 8. Nested Mobile Networks 620 Nested Network Mobility is a scenario where a Mobile Router allows 621 another Mobile Router to attach to its Mobile Network. There could 622 be arbitrary levels of nested mobility. The operation of each Mobile 623 Router remains the same whether the Mobile Router attaches to another 624 Mobile Router or to a fixed Access Router on the Internet. The 625 solution described here does not place any restriction on the number 626 of levels for nested mobility. 
But note that this might introduce 627 significant overhead on the data packets as each level of nesting 628 introduces another tunnel header encapsulation. 630 9. Routing Protocol between Mobile Router and Home Agent 632 There are several benefits of running a dynamic routing protocol 633 between the Mobile Router and the Home Agent. If the mobile 634 network is relatively large, including several wireless subnets, 635 then the topology changes within the moving network can be exposed 636 from the Mobile Router to the Home Agent by using a dynamic routing 637 protocol. The purpose of the NEMOv4 protocol extensions to Mobile 638 IPv4, as defined in previous sections, is not to inform the Home 639 Agent about these topology changes, but to manage the mobility of 640 the Mobile Router. 642 Similarly, topology changes in the home network can be exposed to 643 the Mobile Router by using a dynamic routing protocol. This may be 644 necessary when new fixed networks are added in the home network. 645 Here too, the purpose of NEMOv4 extensions is not to inform the 646 Mobile Router about topology changes at home. 648 Examples of dynamic routing protocol include but are not limited to 649 OSPF Version 2 [RFC2328], BGP [RFC4271] and RIP [RFC2453]. 651 The recommendations are related to how the routing protocol and the 652 Mobile IPv4 implementation work in tandem on the Mobile Router and 653 on the Home Agent (1) without creating incoherent states in the 654 forwarding bases at home and on the Mobile Router (2) without 655 introducing topologically incorrect addressing information in the 656 visited domain and (3) efficiently avoid duplication of sent data 657 or over-provisioning of security. 659 The information exchanged between the Mobile Router and the Home 660 Agent is sent over the bi-directional tunnel established by the 661 Mobile IPv4 exchange Registration Request - Registration Reply (see 662 section 6.5). 
If a network address and prefix of a subnet in the mobile network is
sent by the Mobile Router within a routing protocol message, then it
SHOULD NOT also be sent in the Mobile IPv4 Registration Request, in
order to avoid incoherencies between the forwarding information
bases. The Mobile Router SHOULD use NEMOv4 implicit mode in this
case (see section 3).

The Mobile Router SHOULD NOT send routing protocol updates into the
foreign network. The subnet addresses and prefixes valid in the
mobile network are topologically incorrect in the visited network.

If the Mobile Router and the Home Agent use a dynamic routing
protocol over the tunnel interface, and if that protocol offers
security mechanisms to protect its own messages, then the security
recommendations in section 10.1 apply.

10. Security Considerations

The Mobile Network extension is protected by the same rules as other
Mobile IP extensions in registration messages. See the Security
Considerations section of RFC 3344.

The Home Agent MUST be able to verify that the Mobile Router is
authorized to provide mobility service for the Mobile Networks
listed in the registration request, before anchoring these Mobile
Network Prefixes on behalf of the Mobile Router. Forwarding for
prefixes MUST NOT be set up without successful authorization of the
Mobile Router for those prefixes. A registration failure MUST be
notified to the Mobile Router when it cannot be successfully
authorized for the prefixes it requested.

All registration requests and replies MUST be authenticated by the
MN-HA Authentication Extension as specified in [RFC3344]. When the
registration request is sent in explicit mode, i.e., with one or
more Mobile Network Prefix extensions, all the Mobile Network Prefix
extensions MUST be included before the MN-HA Authentication
Extension.
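The ordering rule just stated, as an added worked example in Python
(not code from the draft or from any Mobile IPv4 implementation). It
assembles an explicit-mode Registration Request, computes the MN-HA
authenticator the way RFC 3344 defines it (HMAC-MD5 over the
registration data, every preceding extension, and the Type, Length and
SPI of the authentication extension itself), and shows the Home Agent
rejecting a request whose Mobile Network Prefix extension sits after
the authenticator, where it is not covered. The Mobile Network
extension's type value and field layout are placeholders (the type is
To Be Assigned by IANA, see section 11); the key, SPI, addresses and
prefixes are constructed:

```python
import hashlib
import hmac
import ipaddress
import struct

MNHA_AUTH_TYPE = 32          # Mobile-Home Authentication Extension (RFC 3344)
MOBNET_EXT_TYPE = 0xFE       # placeholder: the real value is To Be Assigned by IANA
MOBNET_SUBTYPE_REQUEST = 0   # placeholder sub-type for the Mobile Network Request


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def registration_request(hoa, ha, coa, lifetime, ident, flags=0x22):
    """RFC 3344 Registration Request fixed part (24 bytes).  flags 0x22 sets
    D (co-located CoA decapsulation) and T (reverse tunneling requested)."""
    return struct.pack("!BBH4s4s4sQ", 1, flags, lifetime,
                       _ip(hoa), _ip(ha), _ip(coa), ident)


def mobnet_request_ext(prefix):
    """Mobile Network Request extension.  The body layout (sub-type, prefix
    length, prefix) is an assumed placeholder, not the draft's wire format."""
    net = ipaddress.IPv4Network(prefix)
    body = struct.pack("!BB4s", MOBNET_SUBTYPE_REQUEST, net.prefixlen,
                       net.network_address.packed)
    return struct.pack("!BB", MOBNET_EXT_TYPE, len(body)) + body


def mnha_auth_ext(preceding, key, spi):
    """HMAC-MD5 (the RFC 3344 default) over the registration data, every
    preceding extension, and this extension's own Type, Length and SPI."""
    head = struct.pack("!BBI", MNHA_AUTH_TYPE, 4 + 16, spi)
    return head + hmac.new(key, preceding + head, hashlib.md5).digest()


def build_request(hoa, ha, coa, prefixes, key, spi, ident):
    msg = registration_request(hoa, ha, coa, 1800, ident)
    for prefix in prefixes:
        msg += mobnet_request_ext(prefix)   # explicit mode: MNPs go before the authenticator
    return msg + mnha_auth_ext(msg, key, spi)


def parse_extensions(msg):
    """Return (type, offset, body) for each Type-Length-Value extension after
    the 24-byte fixed part.  RFC 3344's one-byte padding extensions are not
    handled here."""
    exts, off = [], 24
    while off + 2 <= len(msg):
        etype, elen = msg[off], msg[off + 1]
        exts.append((etype, off, msg[off + 2:off + 2 + elen]))
        off += 2 + elen
    return exts


def ha_verify(msg, key, spi):
    """Home Agent check.  Returns the Mobile Network Prefixes covered by a
    valid MN-HA authenticator, or None if the request must be rejected: no
    or bad authenticator, wrong SPI, or an MNP extension placed after the
    authenticator (and therefore outside the authenticated data)."""
    exts = parse_extensions(msg)
    auths = [e for e in exts if e[0] == MNHA_AUTH_TYPE]
    if len(auths) != 1:
        return None
    _, auth_off, body = auths[0]
    if len(body) != 20 or struct.unpack("!I", body[:4])[0] != spi:
        return None
    # authenticated data = everything up to and including Type, Length, SPI
    expected = hmac.new(key, msg[:auth_off + 6], hashlib.md5).digest()
    if not hmac.compare_digest(expected, body[4:]):
        return None
    prefixes = []
    for etype, off, ebody in exts:
        if etype != MOBNET_EXT_TYPE:
            continue
        if off > auth_off or len(ebody) != 6:
            return None
        _, plen, addr = struct.unpack("!BB4s", ebody)
        prefixes.append(str(ipaddress.IPv4Network((int.from_bytes(addr, "big"), plen))))
    return prefixes
```

`hmac.compare_digest` is used so that the authenticator comparison
does not leak timing information; the SPI is checked before the MAC so
that a request naming an unknown security association is rejected
without touching the key.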
Also, these extensions MUST be included in the calculation of the
MN-HA authenticator value; an extension placed after the MN-HA
Authentication Extension lies outside the authenticated data and
could be altered in transit without detection.

The Mobile Router should perform ingress filtering on all packets
received on the mobile network prior to reverse tunneling them to
the Home Agent. The Mobile Router MUST drop any packet that does not
have a source address belonging to the mobile network.

The Mobile Router MUST also ensure that the source address of
packets arriving on the mobile network is not the same as the
Mobile Router's IP address on any interface. These checks protect
against nodes attempting to launch IP spoofing attacks through the
bi-directional tunnel.

The Home Agent, upon receiving packets through the bi-directional
tunnel, MUST verify that the source address of the outer IP header
of each packet is set to the Mobile Router's care-of address. It
MUST also ensure that the source address of the inner IP header is a
topologically correct address on the mobile network. This prevents
nodes from using the Home Agent to launch attacks inside the
protected network.

10.1 Security when a Dynamic Routing Protocol is Used

If a dynamic routing protocol is used between the Mobile Router and
the Home Agent to propagate the mobile network information into the
home network, the routing updates SHOULD be protected with IPsec ESP
between the Mobile Router and the Home Agent, with confidentiality
so that information about the home network topology is not visible
to eavesdroppers.

A routing protocol message protected with ESP and sent through the
Mobile Router - Home Agent bidirectional tunnel SHOULD NOT also carry
the Mobile IPv4 Mobile-Home Authentication Extension, since ESP
already provides the needed protection. This relies on the ESP
security association providing integrity protection in addition to
confidentiality: an encryption-only ESP configuration does not
authenticate the routing update and cannot stand in for the MN-HA
Authentication Extension.

11. IANA Considerations

IANA is requested to modify the rules for the existing registry
"Mobile IPv4 numbers - per RFC 3344".
The numbering space for Extensions that may appear in Mobile IP
control messages (those sent to and from UDP port number 434) should
be modified.

The new Values and Names for the Type of Extensions appearing in
Mobile IP control messages are the following:

   Value   Name
   -----   ------------------------------------------
   TBA     Mobile Network Extension (To Be Assigned by IANA)

The new Values and Names for the Sub-Type of the Mobile Network
Extension are the following:

   Value   Name
   -----   ------------------------------------------
   TBA     Mobile Network Request Extension
   TBA     Explicit Mode Acknowledgement Extension
   TBA     Implicit Mode Acknowledgement Extension

The new Code values for Mobile IP Registration Reply messages are
the following:

   Code Values for Mobile IP Registration Reply messages
   -----------------------------------------------------

   Registration denied by the Home Agent: (To Be Assigned by IANA)

   TBA     Mobile Network Prefix operation error (HA_MOBNET_ERROR)
   TBA     Mobile Router operation is not permitted
           (HA_MOBNET_DISALLOWED)

The new Code values for the Mobile Network Acknowledgement Extension
are the following:

   Code Values for Mobile Network Acknowledgement Extension
   --------------------------------------------------------

   Registration denied by the Home Agent:

   TBA     Invalid prefix length (MOBNET_INVALID_PREFIX_LEN)
   TBA     Mobile Router is not authorized for prefix
           (MOBNET_UNAUTHORIZED)
   TBA     Forwarding setup failed (MOBNET_FWDING_SETUP_FAILED)

The current, unmodified numbering spaces can be consulted at the
following URL: http://www.iana.org/assignments/mobileip-numbers
(contents last updated 2007-07-02, last browsed 10 September 2007).

12. Acknowledgements

The authors would like to thank Christophe Janneteau, George
Popovich, Ty Bekiares, Ganesh Srinivasan, Alpesh Patel, Ryuji
Wakikawa, George Tsirtsis, and Henrik Levkowetz for their helpful
discussions, reviews and comments. Vijay Devarapalli extensively
reviewed one of the later versions of the draft.

13. References

13.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2794] Calhoun, P. and C. Perkins, "Mobile IP Network Access
             Identifier Extension for IPv4", RFC 2794, March 2000.

   [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453,
             November 1998.

   [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.

   [RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
             August 2002.

   [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
             Border Gateway Protocol 4 (BGP-4)", RFC 4271,
             January 2006.

13.2. Informative References

   [RFC3963] Devarapalli, V., Wakikawa, R., Petrescu, A., and P.
             Thubert, "Network Mobility (NEMO) Basic Support
             Protocol", RFC 3963, January 2005.

   [1]       Tsirtsis, G., Park, V., Narayanan, V., and K. Leung,
             "FA extensions to NEMOv4 Base",
             draft-ietf-mip4-nemov4-fa-01.txt, IETF Internet-Draft,
             Work in Progress, March 19, 2007.

14. Changelog

The changes are listed in reverse chronological order, the most
recent changes appearing at the top of the list:

From draft-ietf-mip4-nemo-v4-base-00.txt to
draft-ietf-mip4-nemo-v4-base-01.txt:
   -added a section on Routing Protocol between Mobile Router and
    Home Agent.
   -added a security subsection about running a secure routing
    protocol simultaneously with secure Mobile IPv4.
   -added a date tag on the IANA URL for Mobile IP numbering
    spaces.
   -substituted 'Mobile Router' for 'MR' everywhere.
   -updated reference to NEMOv4 FA draft.

From draft-ietf-nemo-v4-base-01.txt to
draft-ietf-mip4-nemo-v4-base-00.txt:
   -changed draft name, headers and footers.
   -changed title.
   -a more coherent use of the terms 'subnet', 'prefix' and 'mobile
    network'.
   -clarified that only co-located CoA mode (not FA CoA) is
    supported for Mobile Routers in this specification, and added a
    reference to the FA NEMO optimizations draft.
   -changed 'devices' to 'hosts'.
   -changed 'moving networks' to 'mobile networks'.
   -clarified what 'reachability' means in a certain context:
    packets may be dropped if ingress filtering is turned on.
   -removed the MR-FA-CoA tunnel overhead optimization. There is
    still an issue with the text on the HA doing the optimization.

This document was first presented as an individual contribution to
the NEMO Working Group, then adopted as a WG item of that group.
The 01 version in the NEMO WG has been Last Called on the
INFORMATIONAL track. The evolution was:

From draft-ietf-nemo-v4-base-00 to draft-ietf-nemo-v4-base-01:
   -removed error code HA_MOBNET_UNSUPPORTED.
   -changed all values to be assigned by IANA from specific numbers
    to "TBA" (To Be Assigned).
   -substituted "egress interface" for "roaming interface".
   -changed HA behaviour upon reception of MNPs. In 00 the HA
    replied positively only if all MNPs in the RegReq were valid; in
    01 a reply is constructed specifying which MNPs were valid and
    which were not.
   -clarified a 3-line paragraph saying that a RegRep may contain
    both implicit and explicit acknowledgements.

Authors' Addresses

   Kent Leung
   Cisco Systems
   170 W. Tasman Drive
   San Jose, CA 95134
   US

   Phone: +1 408-526-5030
   Email: kleung@cisco.com

   Gopal Dommety
   Cisco Systems
   170 W. Tasman Drive
   San Jose, CA 95134
   US

   Phone: +1 408-525-1404
   Email: gdommety@cisco.com

   Vidya Narayanan
   QUALCOMM, Inc.
   5775 Morehouse Dr
   San Diego, CA
   USA

   Phone: +1 858-845-2483
   Email: vidyan@qualcomm.com

   Alexandru Petrescu
   Motorola
   Parc les Algorithmes Saint Aubin
   Gif-sur-Yvette 91193
   France

   Email: Alexandru.Petrescu@motorola.com

Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.

Disclaimer of Validity

This document and the information contained herein are provided on
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE IETF TRUST AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

Copyright (C) The IETF Trust (2007). This document is subject to
the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.

Acknowledgment

Funding for the RFC Editor function is currently provided by the
Internet Society.