idnits 2.17.1

draft-ietf-mip4-nemo-v4-base-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this to
     the boilerplate described in the IETF Trust License Policy document (see
     https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 18.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 992.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 968.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 975.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 981.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have
     content which was first submitted before 10 November 2008.  If you have
     contacted all the original authors and they are all willing to grant the
     BCP78 rights to the IETF Trust, then this is fine, and you can ignore this
     comment.  If not, you may need to add the pre-RFC5378 disclaimer.  (See the
     Legal Provisions document at https://trustee.ietf.org/license-info for more
     information.)

  -- The document date (October 29, 2007) is 6017 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 3344 (Obsoleted by RFC 5944)

  == Outdated reference: A later version (-03) exists of
     draft-ietf-mip4-nemov4-fa-01

  == Outdated reference: A later version (-10) exists of
     draft-ietf-mip4-rfc3344bis-05

     Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                           K. Leung
Internet-Draft                                                G. Dommety
Intended Status: Proposed Standard                         Cisco Systems
Expires: May 4, 2008                                        V. Narayanan
                                                          Qualcomm, Inc.
                                                             A. Petrescu
                                                                Motorola
                                                        October 29, 2007

             Network Mobility (NEMO) Extensions for Mobile IPv4
                    draft-ietf-mip4-nemo-v4-base-05.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
   The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on May 4, 2008.

Abstract

   This document describes a protocol for supporting Mobile Networks between a Mobile Router and a Home Agent by extending the Mobile IPv4 protocol. A Mobile Router is responsible for the mobility of one or more network segments or subnets moving together. The Mobile Router hides its mobility from the nodes on the mobile network. The nodes on the Mobile Network may be fixed in relationship to the Mobile Router and may not have any mobility function.

   Extensions to Mobile IPv4 are introduced to support Mobile Networks.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Requirements
   4.  Mobile Network Extensions
       4.1.  Mobile Network Request Extension
       4.2.  Mobile Network Acknowledgement Extension
   5.  Mobile Router Operation
       5.1.  Error Processing
   6.  Home Agent Operation
       6.1.  Summary
       6.2.  Data Structures
             6.2.1.  Registration Table
             6.2.2.  Prefix Table
       6.3.  Mobile Network Prefix Registration
       6.4.  Advertising Mobile Network Reachability
       6.5.  Establishment of Bi-directional Tunnel
       6.6.  Sending Registration Replies
       6.7.  Mobile Network Prefix De-registration
   7.  Data Forwarding Operation
   8.  Nested Mobile Networks
   9.  Routing Protocol between Mobile Router and Home Agent
   10. Security Considerations
       10.1. Security when Dynamic Routing Protocol is Used
   11. IANA Considerations
   12. Acknowledgements
   13. References
       13.1. Normative References
       13.2. Informative References
   14. Changelog
   Authors' Addresses
   Intellectual Property and Copyright Statements

1. Introduction

   This document describes protocol extensions to Mobile IPv4 as per [RFC3344] and its update [2], to enable support for Mobile Networks. This draft mainly addresses the co-located Care-of Address mode. Foreign Agent Care-of Address mode (with 'legacy' Foreign Agents, [RFC3344]) is supported but without optimization, double encapsulation being used. For an optimization of this mode, the reader is directed to [1].

   A Mobile Network is defined as a network segment or subnet that can change its point of attachment to the routing infrastructure. Such movement is performed by a Mobile Router, which is the mobility entity that provides connectivity and reachability as well as session continuity for all the nodes in the Mobile Network. The Mobile Router typically serves as the default gateway for the hosts on the Mobile Network.

   Mobility for the Mobile Network is supported by the Mobile Router registering its point of attachment with its Home Agent. This signaling sets up the tunnel between the two entities.

   The Mobile Networks (either implicitly configured on the Home Agent or explicitly identified by the Mobile Router) are advertised by the Home Agent for route propagation. Traffic to and from nodes in the Mobile Network is tunneled by the Home Agent to the Mobile Router, and vice versa. Though packets from the Mobile Network can be forwarded directly without tunneling (if reverse tunneling is not used), such packets will be dropped if ingress filtering is turned on.

   This document specifies an additional tunnel between a Mobile Router's Home Address and the Home Agent. This tunnel is encapsulated within the normal tunnel between the Care-of Address (CoA) and the Home Agent. In Foreign Agent CoA mode, the tunnel between the Mobile Router and Home Agent is needed to allow the Foreign Agent to direct the decapsulated packet to the proper visiting Mobile Router. However, in Collocated CoA mode, the additional tunnel is not essential and could be eliminated, because the Mobile Router is the recipient of the encapsulated packets for the Mobile Network; a proposal for this feature is in [1].

   All traffic between the nodes in the Mobile Network and Correspondent Nodes passes through the Home Agent. This document does not cover route optimization of this traffic.

   A similar protocol has been documented in [RFC3963] for supporting IPv6 mobile networks with Mobile IPv6 extensions.

   Multihoming for Mobile Routers is outside the scope of this document.

2. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

   Terminology for network mobility support is defined in [RFC3344] and its update [2]. In addition, this document defines the following terms.
   Mobile Network Prefix

      The network prefix of the subnet delegated to a Mobile Router as the Mobile Network.

   Prefix Table

      A list of Mobile Network Prefixes indexed by the Home Address of a Mobile Router. The Home Agent manages and uses the Prefix Table to determine which Mobile Network Prefixes belong to a particular Mobile Router.

3. Requirements

   Although Mobile IPv4 stated that a Mobile Network can be supported by the Mobile Router and Home Agent using static configuration or running a routing protocol, there is no solution for explicit registration of the Mobile Networks served by the Mobile Router. A solution needs to provide the Home Agent a means to ensure that a Mobile Router claiming a certain Mobile Network Prefix is authorized to do so. A solution would also expose the Mobile Network Prefixes (and potentially other subnet-relevant information) in the exchanged messages, to aid in network debugging.

   The following requirements for Mobile Network support are enumerated:

   o  A Mobile Router should be able to operate in explicit or implicit mode. A Mobile Router may explicitly inform the Home Agent which Mobile Network(s) need to be propagated via a routing protocol. A Mobile Router may also function in implicit mode, where the Home Agent may learn the mobile networks through other means, such as from the AAA server, via pre-configuration, or via a dynamic routing protocol.

   o  The Mobile Network should be supported using Foreign Agents that are compliant with [RFC3344] without any changes ('legacy' Foreign Agents).

   o  The mobile network should allow Fixed Nodes, Mobile Nodes, or Mobile Routers to be on it.

4. Mobile Network Extensions

4.1. Mobile Network Request Extension

   For Explicit Mode, the Mobile Router informs the Home Agent about the Mobile Network Prefixes during registration. The Registration Request contains zero, one or several Mobile Network Request extensions in addition to any other extensions defined by or in the context of [RFC3344]. When several Mobile Networks need to be registered, each is included in a separate Mobile Network Request extension, with its own Type, Length, Sub-Type, Prefix Length and Prefix fields. A Mobile Network Request extension is encoded in Type-Length-Value (TLV) format and has the following layout:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Sub-Type    | Prefix Length |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            Prefix                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:

      Mobile Network Extension (skippable type range to be assigned by IANA)

   Length:

      6

   Sub-Type:

      1 (Mobile Network Request)

   Prefix Length:

      8-bit unsigned integer indicating the number of bits covering the network part of the address contained in the Prefix field.

   Prefix:

      32-bit unsigned integer in network byte order containing an IPv4 address whose first Prefix Length bits make up the Mobile Network Prefix.

4.2. Mobile Network Acknowledgement Extension

   The Registration Reply contains zero, one or several Mobile Network Acknowledgement extensions in addition to any other extensions defined by or in the context of [RFC3344] and its update [2]. For Implicit Mode, the Mobile Network Acknowledgement informs the Mobile Router of the prefixes for which the Home Agent sets up forwarding with respect to this Mobile Router. Policies such as permitting only traffic from these Mobile Networks to be tunneled to the Home Agent may be applied by the Mobile Router. For Explicit Mode, when several Mobile Networks need to be acknowledged explicitly, each is included in a separate Mobile Network Acknowledgement extension, with its own Type, Sub-Type, Length and Prefix Length fields. Optionally, all requested Mobile Networks could be acknowledged using only one Mobile Network Acknowledgement extension with the "Prefix Length" and "Prefix" fields set to zero. At least one Mobile Network Acknowledgement extension MUST be in a successful Registration Reply to indicate to the Mobile Router that the Mobile Network Request extension was processed and not skipped by the Home Agent.

   A Registration Reply may contain any non-zero number of Explicit Mode and Implicit Mode Acknowledgement sub-types. Both sub-types can be present in a single Registration Reply. A Mobile Network Acknowledgement extension is encoded in Type-Length-Value (TLV) format. When the registration is denied with code HA_MOBNET_ERROR, the Code field in the extension provides the reason for the failure.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   Sub-Type    |     Code      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Prefix Length |   Reserved    |            Prefix             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Prefix (cont.)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:

      Mobile Network Extension (skippable type range to be assigned by IANA)

   Length:

      8

   Sub-Type:

      TBA (Explicit Mode Acknowledgement)

      TBA (Implicit Mode Acknowledgement)

   Code:

      Value indicating success or failure.
      0    Success

      TBA  Invalid prefix (MOBNET_INVALID_PREFIX_LEN)

      TBA  Mobile Router is not authorized for prefix (MOBNET_UNAUTHORIZED)

      TBA  Forwarding setup failed (MOBNET_FWDING_SETUP_FAILED)

   Prefix Length:

      8-bit unsigned integer indicating the number of bits covering the network part of the address contained in the Prefix field.

   Reserved:

      Sent as zero; ignored on reception.

   Prefix:

      32-bit unsigned integer in network byte order containing an IPv4 address whose first Prefix Length bits make up the Mobile Network Prefix.

5. Mobile Router Operation

   A Mobile Router's operation is generally derived from the behavior of a Mobile Node, as set out in [RFC3344] and its update [2]. In addition to maintaining mobility bindings for its Home Address, the Mobile Router, together with the Home Agent, maintains forwarding information for the Mobile Network Prefix(es) assigned to the Mobile Router.

   A Mobile Router SHOULD set the 'T' bit to 1 in all Registration Request messages it sends to indicate the need for reverse tunnels for all traffic. Without reverse tunnels, all the traffic from the mobile network will be subject to ingress filtering in the visited networks. Upon reception of a successful registration reply, the Mobile Router processes the registration in accordance with [RFC3344]. In addition, the following steps are taken:

   o  Check for Mobile Network Acknowledgement extension(s) in the Registration Reply

   o  Create a tunnel to the Home Agent if registered in reverse tunneling mode

   o  Set up a default route via this tunnel or the egress interface when registered with or without reverse tunneling, respectively

   In accordance with this specification, a Mobile Router may operate in one of the following two modes: explicit and implicit. In explicit mode, the Mobile Router includes Mobile Network Prefix information in all Registration Requests (as Mobile Network Request extensions), while in implicit mode it does not include this information in any Registration Request. In this latter case, the Home Agent obtains the Mobile Network Prefixes by means other than Mobile IP. One example of obtaining the Mobile Network Prefix is through static configuration on the Home Agent.

   A Mobile Router can obtain a Collocated or Foreign Agent Care-of Address while operating in explicit or implicit mode.

   For de-registration, the Mobile Router sends a registration request with lifetime set to zero and without any Mobile Network Request extensions.

5.1. Error Processing

   A Mobile Router interprets the values of the Code field in the Mobile Network Acknowledgement Extension of the Registration Reply in order to identify any error related to the management of the Mobile Network Prefixes by the Home Agent.

   If the value of the Code field in the Registration Reply is set to HA_MOBNET_DISALLOWED, then the Mobile Router MUST stop sending Registration Requests with any Mobile Network Prefix extensions to that Home Agent.

   If the value of the Code field in the Registration Reply is set to HA_MOBNET_ERROR, then the Mobile Router MUST stop sending Registration Requests that contain any of the Mobile Network Prefixes that are defined by the values of the Prefix and Prefix Length fields in the Mobile Network Acknowledgement extension. Note that the registration is denied in this case and no forwarding for any Mobile Network Prefixes would be set up by the Home Agent for the Mobile Router.

   It is possible that the Mobile Router receives a registration reply with no mobile network extensions if the registration was processed by a Mobile IPv4 home agent that does not support this specification at all. In that case, the absence of mobile network extensions must be interpreted by the Mobile Router as the case where the Home Agent does not support mobile networks.

   All the error code values are TBA (To Be Assigned) subject to IANA allocation.

6. Home Agent Operation

6.1. Summary

   A Home Agent MUST support all the operations specified in [RFC3344] and its update [2] for mobile node support. The Home Agent MUST support both implicit and explicit modes of operation for a Mobile Router.

   The Home Agent processes the registration in accordance with [RFC3344], which includes route set up to the Mobile Router's Home Address via the tunnel to the Care-of Address. In addition, for a Mobile Router registering in explicit mode, the following steps are taken:

   1. Check that the Mobile Network Prefix information is valid

   2. Ensure that the Mobile Network Prefix(es) are authorized to be on the Mobile Router

   3. Create a tunnel to the Mobile Router if it does not already exist

   4. Set up a route for the Mobile Network Prefix via this tunnel

   5. Propagate Mobile Network Prefix routes via the routing protocol

   6. Send the Registration Reply with the Mobile Network Acknowledgement extension(s)

   If there are any subnet routes via the tunnel to the Mobile Router that are not specified in the Mobile Network extensions, these routes are removed.

   In the case where the Mobile Node is not permitted to act as a Mobile Router, the Home Agent sends a registration denied message with error code HA_MOBNET_DISALLOWED.

   For a Mobile Router registering in implicit mode, the Home Agent performs steps 3-6 above, once the registration request is processed successfully.

   For deregistration, the Home Agent removes the tunnel to the Mobile Router and all routes using this tunnel. The Mobile Network extensions are ignored.

6.2. Data Structures

6.2.1. Registration Table

   The Registration Table in the Home Agent, in accordance with [RFC3344] and its update [2], contains binding information for every Mobile Node registered with it. [RFC3344] and its update [2] define the format of a Registration Table. In addition to all the parameters specified by [RFC3344] and its update [2], the Home Agent MUST store the Mobile Network Prefixes associated with the Mobile Router in the corresponding registration entry, when the corresponding registration was performed in explicit mode. When the Home Agent is advertising reachability to Mobile Network Prefixes served by a Mobile Router, this information stored in the Registration Table can be used.

6.2.2. Prefix Table

   The Home Agent must be able to authorize a Mobile Router for use of Mobile Network Prefixes when the Mobile Router is operating in explicit mode. Also, when the Mobile Router operates in implicit mode, the Home Agent must be able to locate the Mobile Network Prefixes associated with that Mobile Router. The Home Agent may store the Home Address of the Mobile Router along with the mobile network prefixes associated with that Mobile Router. If the Mobile Router does not have a Home Address assigned, this table may store the NAI [RFC2794] of the Mobile Router that will be used in dynamic Home Address assignment.

6.3. Mobile Network Prefix Registration

   The Home Agent must process registration requests coming from Mobile Routers in accordance with this section. The document [RFC3344] and its update [2] specify that the Home Address of a mobile node registering with a Home Agent must belong to a prefix advertised on the home network. In accordance with this specification, however, the Home Address must be configured from a prefix that is served by the Home Agent, not necessarily the one on the home network.
   If the registration request is valid, the Home Agent checks to see if there are any Mobile Network Prefix extensions included in the Registration Request.

   If so, the Mobile Network Prefix information is obtained from the included extensions, and the Home Address from the Home Address field of the Registration Request. For every Mobile Network Prefix extension included in the registration request, the Home Agent MUST perform a check against the Prefix Table. If the Prefix Table does not contain at least one entry pairing that Home Address with that Mobile Network Prefix, then the check fails; otherwise it succeeds.

   Following this check against the Prefix Table, the Home Agent MUST construct a Registration Reply containing Mobile Network Acknowledgement extensions. For a Mobile Network Prefix for which the check was unsuccessful, the Code field in the corresponding Mobile Network Acknowledgement extension should be set to MOBNET_UNAUTHORIZED.

   For a Mobile Network Prefix for which the check was successful, the Code field in the respective Mobile Network Acknowledgement extension should be set to 0.

   The Home Agent MUST attempt to set up forwarding for each Mobile Network Prefix extension for which the Prefix Table check was successful. If the forwarding setup fails for a particular Mobile Network Prefix (for reasons such as not enough memory available, not enough devices available, or similar), the Code field in the respective Mobile Network Acknowledgement extension should be set to MOBNET_FWDING_SETUP_FAILED.

   If forwarding setup was successful for at least one Mobile Network Prefix, then the Code field of the Registration Reply message should be set to 0. Otherwise that Code should be HA_MOBNET_ERROR.
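   The Home Agent side of the procedure above, put together with the TLV layouts of sections 4.1 and 4.2, as an added Python example; this is not code from the draft or from any implementation of it. Every numeric value the draft leaves "TBA" is a placeholder here (the extension Type, the Explicit Mode Acknowledgement Sub-Type, the non-zero Code values and the HA_MOBNET_ERROR reply code), and the Prefix Table contents, the Home Address, the prefixes and the setup_forwarding callback are constructed inputs. The example also assumes that every extension in the Registration Request uses the one-byte Type/Length header, so that unrelated extensions can be skipped and a truncated one rejected.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Values the draft leaves "TBA" for IANA are placeholders here: the
# extension Type, the Explicit Mode Acknowledgement Sub-Type, the non-zero
# Codes and the HA_MOBNET_ERROR reply code.  Length, Sub-Type 1 and Code 0
# are fixed by the draft.
MOBNET_EXT_TYPE = 200          # placeholder, skippable extension type range
SUBTYPE_REQUEST = 1            # fixed: Mobile Network Request
SUBTYPE_ACK_EXPLICIT = 2       # placeholder: Explicit Mode Acknowledgement
CODE_SUCCESS = 0
CODE_INVALID_PREFIX_LEN = 1    # placeholder: MOBNET_INVALID_PREFIX_LEN
CODE_UNAUTHORIZED = 2          # placeholder: MOBNET_UNAUTHORIZED
CODE_FWD_SETUP_FAILED = 3      # placeholder: MOBNET_FWDING_SETUP_FAILED
REPLY_OK = 0                   # Registration Reply Code: success
REPLY_HA_MOBNET_ERROR = 129    # placeholder: HA_MOBNET_ERROR


def encode_request(prefix_len, prefix):
    """Mobile Network Request extension: Type, Length=6, Sub-Type=1,
    Prefix Length, Prefix (32 bits, network byte order)."""
    return struct.pack("!BBBB4s", MOBNET_EXT_TYPE, 6, SUBTYPE_REQUEST,
                       prefix_len, IPv4Address(prefix).packed)


def encode_ack(code, prefix_len, prefix):
    """Mobile Network Acknowledgement extension: Type, Length=8, Sub-Type,
    Code, Prefix Length, Reserved (sent as zero), Prefix."""
    return struct.pack("!BBBBBB4s", MOBNET_EXT_TYPE, 8, SUBTYPE_ACK_EXPLICIT,
                       code, prefix_len, 0, IPv4Address(prefix).packed)


def parse_requests(ext_area):
    """Walk the extension area of a Registration Request and return
    (prefix_len, prefix) for each Mobile Network Request extension.  Assumes
    all extensions carry the one-byte Type/Length header; other types are
    skipped and a truncated extension is rejected rather than guessed at."""
    found, i = [], 0
    while i < len(ext_area):
        if i + 2 > len(ext_area):
            raise ValueError("truncated extension header")
        ext_type, length = ext_area[i], ext_area[i + 1]
        body = ext_area[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated extension body")
        if ext_type == MOBNET_EXT_TYPE and length == 6 and body[0] == SUBTYPE_REQUEST:
            found.append((body[1], str(IPv4Address(body[2:6]))))
        i += 2 + length
    return found


def make_prefix_table(entries):
    """Prefix Table (section 6.2.2): Home Address -> set of authorized prefixes."""
    return {hoa: {IPv4Network(c) for c in cidrs} for hoa, cidrs in entries.items()}


def process_explicit_registration(home_addr, ext_area, prefix_table, setup_forwarding):
    """Explicit-mode handling at the Home Agent (sections 6.3 and 6.6).
    Returns (reply_code, [(code, prefix_len, prefix), ...], ack_bytes)."""
    acks, any_ok = [], False
    allowed = prefix_table.get(home_addr, set())
    for plen, pfx in parse_requests(ext_area):
        if plen == 0 or plen > 32:
            code = CODE_INVALID_PREFIX_LEN
        else:
            net = IPv4Network(f"{pfx}/{plen}", strict=False)
            if net not in allowed:                      # no (HoA, prefix) pair in the table
                code = CODE_UNAUTHORIZED
            elif not setup_forwarding(home_addr, net):  # tunnel/route could not be installed
                code = CODE_FWD_SETUP_FAILED
            else:
                code = CODE_SUCCESS
                any_ok = True
        acks.append((code, plen, pfx))
    # The reply succeeds only if forwarding came up for at least one prefix.
    reply_code = REPLY_OK if any_ok else REPLY_HA_MOBNET_ERROR
    return reply_code, acks, b"".join(encode_ack(*a) for a in acks)


if __name__ == "__main__":
    # Constructed sample: one authorized prefix, one not in the table, one bad length.
    table = make_prefix_table({"192.0.2.1": ["198.51.100.0/24", "203.0.113.0/25"]})
    req = (encode_request(24, "198.51.100.0") + encode_request(25, "203.0.113.128")
           + encode_request(40, "10.1.0.0"))
    print(process_explicit_registration("192.0.2.1", req, table, lambda hoa, net: True)[:2])
```

   Two points of the procedure are visible in the code: the Prefix Table check is an exact (Home Address, prefix) pairing, so a request for a sub-range of an authorized prefix is refused rather than silently accepted, and an unauthorized or invalid prefix never reaches the forwarding step.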
   If the registration request is sent in implicit mode, i.e., without any Mobile Network Request extension, the Home Agent may use pre-configured mobile network prefix information for the Mobile Router to set up forwarding.

   If the Home Agent is updating an existing binding entry for the Mobile Router, it MUST check all the prefixes in the registration table against the prefixes included in the registration request. If one or more mobile network prefixes are missing from the information included in the registration request, it MUST delete those prefixes from the registration table. Also, the Home Agent MUST disable forwarding for those prefixes.

   If all checks are successful, the Home Agent either creates a new entry for the Mobile Router or updates an existing binding entry for it and returns a successful registration reply back to the Mobile Router or the Foreign Agent (if the registration request was received from a Foreign Agent).

   In accordance with [RFC3344], the Home Agent does proxy ARP for the Mobile Router Home Address, when the Mobile Router Home Address is derived from the home network.

   If the 'T' bit is set, the Home Agent creates a bi-directional tunnel for the corresponding mobile network prefixes or updates the existing bi-directional tunnel. This tunnel is maintained independently of the reverse tunnel for the Mobile Router home address itself.

6.4. Advertising Mobile Network Reachability

   If the mobile network prefixes served by the Home Agent are aggregated with the home network prefix and if the Home Agent is the default router on the home network, the Home Agent does not have to advertise the Mobile Network Prefixes. The routes for the Mobile Network Prefixes are automatically aggregated into the home network prefix (it is assumed that the Mobile Network Prefixes are automatically aggregated into the home network prefix). If the Mobile Router updates the mobile network prefix routes via a dynamic routing protocol, the Home Agent SHOULD propagate the routes on the appropriate networks.

6.5. Establishment of Bi-directional Tunnel

   The Home Agent creates and maintains a bi-directional tunnel for the mobile network prefixes of a Mobile Router registered with it. A home agent supporting IPv4 Mobile Router operation MUST be able to forward packets destined to the mobile network prefixes served by the Mobile Router to its Care-of Address. Also, the Home Agent MUST be able to accept packets tunneled by the Mobile Router with the source address of the outer header set to the Care-of Address of the Mobile Router and that of the inner header set to the Mobile Router's Home Address or an address from one of the registered mobile network prefixes.

6.6. Sending Registration Replies

   The Home Agent MUST set the status code in the registration reply to 0 to indicate successful processing of the registration request and successful set up of forwarding for all the mobile network prefixes served by the Mobile Router. The registration reply MUST contain at least one Mobile Network Acknowledgement extension.

   If the Home Agent is unable to set up forwarding for one or more mobile network prefixes served by the Mobile Router, it MUST set the Mobile Network Acknowledgement Extension status code in the registration reply to MOBNET_FWDING_SETUP_FAILED. When the prefix length is zero or greater than 32, the status code MUST be set to MOBNET_INVALID_PREFIX_LEN.

   If the Mobile Router is not authorized to forward packets to one or more mobile network prefixes included in the request, the Home Agent MUST set the code to MOBNET_UNAUTHORIZED_MR.

6.7. Mobile Network Prefix De-registration

   If the received registration request is for de-registration of the Care-of Address, the Home Agent, upon successful processing of it, MUST delete the entry(ies) from its registration table. The home agent tears down the bi-directional tunnel and stops forwarding any packets to/from the Mobile Router. The Home Agent MUST ignore any included Mobile Network Request extension in a de-registration request.

7. Data Forwarding Operation

   For traffic to the nodes in the Mobile Network, the Home Agent MUST perform double tunneling of the packet if the Mobile Router has registered with a Foreign Agent Care-of Address. In this case, the Home Agent MUST encapsulate the packet with a tunnel header (source IP address set to the Home Agent and destination IP address set to the Mobile Router's Home Address) and then encapsulate it one more time with a tunnel header (source IP address set to the Home Agent and destination IP address set to the CoA).

   For optimization, the Home Agent SHOULD only encapsulate the packet with the tunnel header (source IP address set to the Home Agent and destination IP address set to the CoA) in Collocated CoA mode.

   When a Home Agent receives a packet from the mobile network prefix in the bi-directional tunnel, it MUST de-encapsulate the packet and route it as a normal IP packet. It MUST verify that the incoming packet has the source IP address set to the Care-of Address of the Mobile Router. The packet MUST be dropped if the source address is not set to the Care-of Address of the Mobile Router.

   For traffic from the nodes in the Mobile Network, the Mobile Router encapsulates the packet with a tunnel header (source IP address set to the Mobile Router's Home Address and destination IP address set to the Home Agent) if reverse tunneling is enabled. Otherwise, the packet is routed directly to the Foreign Agent or access router.
   In Collocated CoA mode, the Mobile Router MAY encapsulate one more time with a tunnel header (source IP address set to the CoA and destination IP address set to the Home Agent).

8. Nested Mobile Networks

   Nested Network Mobility is a scenario where a Mobile Router allows another Mobile Router to attach to its Mobile Network. There could be arbitrary levels of nested mobility. The operation of each Mobile Router remains the same whether the Mobile Router attaches to another Mobile Router or to a fixed Access Router on the Internet. The solution described here does not place any restriction on the number of levels for nested mobility. But note that this might introduce significant overhead on the data packets, as each level of nesting introduces another tunnel header encapsulation.

9. Routing Protocol between Mobile Router and Home Agent

   There are several benefits of running a dynamic routing protocol between the Mobile Router and the Home Agent. If the mobile network is relatively large, including several wireless subnets, then the topology changes within the moving network can be exposed from the Mobile Router to the Home Agent by using a dynamic routing protocol. The purpose of the NEMOv4 protocol extensions to Mobile IPv4, as defined in previous sections, is not to inform the Home Agent about these topology changes, but to manage the mobility of the Mobile Router.

   Similarly, topology changes in the home network can be exposed to the Mobile Router by using a dynamic routing protocol. This may be necessary when new fixed networks are added in the home network. Here too, the purpose of the NEMOv4 extensions is not to inform the Mobile Router about topology changes at home.

   Examples of dynamic routing protocols include, but are not limited to, OSPF Version 2 [RFC2328], BGP [RFC4271] and RIP [RFC2453].
660 The following recommendations concern how the routing protocol and
661 the Mobile IPv4 implementation work in tandem on the Mobile Router
662 and on the Home Agent: (1) without creating incoherent states in the
663 forwarding information bases at home and on the Mobile Router, (2)
664 without introducing topologically incorrect addressing information
665 in the visited domain, and (3) while avoiding duplication of sent
666 data or over-provisioning of security.

668 The information exchanged between the Mobile Router and the Home
669 Agent is sent over the bi-directional tunnel established by the
670 Mobile IPv4 Registration Request - Registration Reply exchange (see
671 section 6.5). If the address and prefix length of a subnet in the
672 moving network are advertised by the Mobile Router within a routing
673 protocol message, then they SHOULD NOT also be sent in the Mobile
674 IPv4 Registration Request, in order to avoid incoherencies in the
675 forwarding information bases. The Mobile Router SHOULD use NEMOv4
676 implicit mode in this case (see section 3).

678 The Mobile Router SHOULD NOT send routing protocol updates into the
679 foreign network. The subnet addresses and prefixes valid in the
680 moving network are topologically incorrect in the visited network.

683 If the Mobile Router and the Home Agent use a dynamic routing
684 protocol over the tunnel interface, and if that protocol offers
685 security mechanisms to protect that protocol's messages, then the
686 security recommendations in section 10.1 apply.

688 10. Security Considerations

690 The Mobile Network extension is protected by the same rules as
691 other Mobile IP extensions in registration messages. See the
692 Security Considerations section in [RFC3344].
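What "the same rules" amount to on the wire, as an added Python example that is not the draft's code: a Mobile Network Prefix extension is authenticated only because it sits inside the span covered by the MN-HA Authentication Extension of [RFC3344], whose default HMAC-MD5 authenticator is computed over the Registration Request data, every preceding extension, and the extension's own Type, Length and SPI fields. The wire layout of the Mobile Network extension, the placeholder type value 255 standing in for the IANA "TBA" type, the sub-type value, the key and the addresses are assumptions, not values from this page.

```python
"""MN-HA authenticator coverage of Mobile Network Prefix extensions in an
RFC 3344 Registration Request. Added example, not code from the draft.
Assumed (not from this page): the Mobile Network extension layout, the
placeholder type 255 for the IANA "TBA" type, the sub-type value, the key."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

MOBNET_EXT_TYPE = 255         # placeholder for the IANA-assigned ("TBA") type
MOBNET_SUBTYPE_REQUEST = 1    # assumed sub-type of the Mobile Network Request extension
MN_HA_AUTH_TYPE = 32          # Mobile-Home Authentication Extension, RFC 3344
REQUEST_FIXED_LEN = 24        # type, flags, lifetime, HoA, HA, CoA, identification


def registration_request(home_address, home_agent, coa, lifetime, identification, flags=0):
    """Fixed part of an RFC 3344 Registration Request (type 1)."""
    return struct.pack("!BBH4s4s4sQ", 1, flags, lifetime, IPv4Address(home_address).packed,
                       IPv4Address(home_agent).packed, IPv4Address(coa).packed, identification)


def mobile_network_request_ext(prefix, prefix_len):
    """Assumed layout: Type, Length, Sub-Type, Code, Prefix Length, 3 reserved
    octets, 4-octet prefix; Length counts the octets after the Length field."""
    body = struct.pack("!BBB3x4s", MOBNET_SUBTYPE_REQUEST, 0, prefix_len, IPv4Address(prefix).packed)
    return struct.pack("!BB", MOBNET_EXT_TYPE, len(body)) + body


def mn_ha_auth_ext(key, spi, preceding):
    """MN-HA Authentication Extension with the RFC 3344 default algorithm:
    HMAC-MD5 over the request data, every preceding extension, and this
    extension's own Type, Length and SPI. Nothing after it is covered."""
    head = struct.pack("!BBI", MN_HA_AUTH_TYPE, 4 + 16, spi)
    return head + hmac.new(key, preceding + head, hashlib.md5).digest()


def build_request(key, spi, prefixes, trailing_ext=b""):
    """Explicit-mode request: prefix extensions first, then the auth extension.
    trailing_ext stands for an extension wrongly placed after it."""
    msg = registration_request("192.0.2.10", "192.0.2.1", "198.51.100.7", 1800, 0x1234567890ABCDEF)
    for prefix, plen in prefixes:
        msg += mobile_network_request_ext(prefix, plen)
    return msg + mn_ha_auth_ext(key, spi, msg) + trailing_ext


def verify_and_parse(key, spi, msg):
    """Home Agent side: walk the extensions, verify the authenticator over the
    bytes up to and including the auth extension's Type/Length/SPI, and return
    the (prefix, length) pairs that were actually authenticated, or None."""
    if len(msg) < REQUEST_FIXED_LEN or msg[0] != 1:
        return None
    pos, prefixes = REQUEST_FIXED_LEN, []
    while pos + 2 <= len(msg):
        etype, elen = msg[pos], msg[pos + 1]
        body = msg[pos + 2:pos + 2 + elen]
        if etype == MN_HA_AUTH_TYPE:
            if elen != 20 or struct.unpack("!I", body[:4])[0] != spi:
                return None
            expected = hmac.new(key, msg[:pos + 6], hashlib.md5).digest()
            if not hmac.compare_digest(expected, body[4:]):
                return None
            return prefixes               # anything after this point is unauthenticated
        if etype == MOBNET_EXT_TYPE and elen == 10 and body[0] == MOBNET_SUBTYPE_REQUEST:
            prefixes.append((str(IPv4Address(body[6:10])), body[2]))
        pos += 2 + elen
    return None                           # no authentication extension at all: reject


def demo():
    """Constructed cases: a valid request, an in-span tamper, and a prefix
    extension appended after the auth extension (silently unprotected)."""
    key, spi = b"constructed-shared-key-not-for-use", 0x100
    prefixes = [("203.0.113.0", 24), ("203.0.114.0", 24)]
    good = build_request(key, spi, prefixes)
    tampered = bytearray(good)
    tampered[REQUEST_FIXED_LEN + 8] ^= 0x01        # first octet of the first prefix
    late = build_request(key, spi, prefixes[:1],
                         trailing_ext=mobile_network_request_ext("203.0.114.0", 24))
    return {"good": verify_and_parse(key, spi, good),
            "tampered": verify_and_parse(key, spi, bytes(tampered)),
            "late": verify_and_parse(key, spi, late)}
```

The "late" case is the one the ordering rule later in this section exists for: a prefix extension appended after the authentication extension parses as a well-formed extension but is never covered by the authenticator, so a Home Agent that walked past the authentication extension and honoured it would anchor an unauthenticated prefix. Stopping the walk at the authentication extension, as verify_and_parse does, is the simplest way to make that impossible.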
694 The Home Agent MUST be able to verify that the Mobile Router is
695 authorized to provide mobility service for the Mobile Networks in
696 the registration request, before anchoring these Mobile Network
697 Prefixes on behalf of the Mobile Router. Forwarding for prefixes
698 MUST NOT be set up without successful authorization of the Mobile
699 Router for those prefixes. The Mobile Router MUST be notified of the
700 registration failure when it cannot be successfully authorized for
701 the prefixes it requested.

703 All registration requests and replies MUST be authenticated by the
704 MN-HA Authentication Extension as specified in [RFC3344] and its
705 update [2]. When the registration request is sent in explicit
706 mode, i.e., with one or more Mobile Network Prefix extensions, all
707 the Mobile Network Prefix extensions MUST be included before the
708 MN-HA Authentication Extension, and these extensions MUST be
709 included in the calculation of the MN-HA authenticator value (the authenticator of [RFC3344] covers only the data that precedes its own Type, Length and SPI fields, so a prefix extension placed after it would be unauthenticated).

711 The Mobile Router should perform ingress filtering on all the packets
712 received on the mobile network prior to reverse tunneling them to the
713 Home Agent. The Mobile Router MUST drop any packets that do not have
714 a source address belonging to the mobile network.

716 The Mobile Router MUST also ensure that the source address of
717 packets arriving on the mobile network is not the same as the
718 Mobile Router's IP address on any interface. These checks will
719 protect against nodes attempting to launch IP spoofing attacks
720 through the bi-directional tunnel.

722 The Home Agent, upon receiving packets through the bi-directional
723 tunnel, MUST verify that the source address of the outer IP header
724 of each packet is the Mobile Router's Care-of Address. Also,
725 it MUST ensure that the source address of the inner IP header is a
726 topologically correct address on the mobile network, i.e., within a Mobile Network Prefix that it has anchored for that Mobile Router.
This will
727 prevent nodes from using the Home Agent to launch attacks inside the
728 protected network.

730 10.1 Security when Dynamic Routing Protocol is Used

732 If a dynamic routing protocol is used between the Mobile Router and
733 the Home Agent to propagate the mobile network information into the
734 home network, the routing updates SHOULD be protected with IPsec ESP
735 confidentiality between the Mobile Router and Home Agent, to prevent
736 information about home network topology from being visible to
737 eavesdroppers (ESP with integrity protection is needed here, since confidentiality-only ESP does not authenticate the updates).

739 A routing protocol message protected with ESP, and sent through the
740 Mobile Router - Home Agent bi-directional tunnel, SHOULD NOT contain
741 the Mobile IPv4 Mobile-Home Authentication Extension, since ESP with
742 integrity protection already authenticates the message.

744 11. IANA Considerations

746 IANA is requested to extend the existing registry "Mobile IPv4 numbers -
747 per RFC 3344", specifically the numbering space for Extensions that may
748 appear in Mobile IP control messages (those sent to and from UDP port
749 number 434), as follows.
751 The new Values and Names for the Type for Extensions appearing in
752 Mobile IP control messages are the following:

754   Value   Name
755   -----   ------------------------------------------
756   TBA     Mobile Network Extension (To Be Assigned by IANA)

758 The new Values and Names for the Sub-Type for the Mobile Network
759 Extension are the following:

761   Value   Name
762   -----   ------------------------------------------
763   TBA     Mobile Network Request Extension
764   TBA     Explicit Mode Acknowledgement Extension
765   TBA     Implicit Mode Acknowledgement Extension

767 The new Code values for Mobile IP Registration Reply messages are
768 the following:

770   Code Values for Mobile IP Registration Reply messages
771   -----------------------------------------------------

773   Registration denied by the Home Agent: (To Be Assigned by IANA)

775   TBA     Mobile Network Prefix operation error (HA_MOBNET_ERROR)
776   TBA     Mobile Router operation is not permitted
777           (HA_MOBNET_DISALLOWED)

779 The new Code values for the Mobile Network Acknowledgement Extension
780 are the following:

782   Code Values for Mobile Network Acknowledgement Extension
783   --------------------------------------------------------

785   Registration denied by the Home Agent:

787   TBA     Invalid prefix length (MOBNET_INVALID_PREFIX_LEN)
788   TBA     Mobile Router is not authorized for prefix
789           (MOBNET_UNAUTHORIZED)
790   TBA     Forwarding setup failed (MOBNET_FWDING_SETUP_FAILED)

792 The current, unmodified numbering spaces can be consulted at the
793 following URL: http://www.iana.org/assignments/mobileip-numbers
794 (contents last updated 2007-07-02 and last browsed 2007-10-04).

796 12. Acknowledgements

798 The authors would like to thank Christophe Janneteau, George
799 Popovich, Ty Bekiares, Ganesh Srinivasan, Alpesh Patel, Ryuji
800 Wakikawa, George Tsirtsis, and Henrik Levkowetz for their helpful
801 discussions, reviews and comments. Vijay Devarapalli extensively
802 reviewed one of the later versions of the draft.
Hans Sjöstrand
803 identified the last clarifications with respect
804 to Foreign Agent mode treatment. Pete McCann contributed necessary
805 refinements of many statements.

807 13. References

809 13.1. Normative References

811 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
812           Requirement Levels", BCP 14, RFC 2119, March 1997.

814 [RFC2794] Calhoun, P. and C. Perkins, "Mobile IP Network Access
815           Identifier Extension for IPv4", RFC 2794, March 2000.

817 [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453, November
818           1998.

820 [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April
821           1998.

823 [RFC3344] Perkins, C., Ed., "IP Mobility Support for IPv4", RFC 3344,
824           August 2002.

826 [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border
827           Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006.

829 13.2. Informative References

831 [RFC3963] Devarapalli, V., Wakikawa, R., Petrescu, A., and P.
832           Thubert, "Network Mobility (NEMO) Basic Support Protocol",
833           RFC 3963, January 2005.

835 [1]       Tsirtsis, G., Park, V., Narayanan, V., and K. Leung, "FA
836           extensions to NEMOv4 Base",
837           draft-ietf-mip4-nemov4-fa-01.txt, IETF Internet-Draft,
838           Work in Progress, March 19, 2007.

840 [2]       Perkins, C., Ed., "IP Mobility Support for IPv4,
841           revised", draft-ietf-mip4-rfc3344bis-05.txt, IETF
842           Internet-Draft, Work in Progress, July 9, 2007.

844 14. Changelog

846 The changes are listed in reverse chronological order, most recent
847 changes appearing at the top of the list:

849 From draft-ietf-mip4-nemo-v4-base-04.txt to
850 draft-ietf-mip4-nemo-v4-base-05.txt
851   -updated the Acknowledgements section.
852   -capitalized all occurrences of "Home Address", "Mobile Router"
853    and "Care-of Address".
854   -refined many statements.
855   -checked against 'idnits' script version 2.04.16.
857 From draft-ietf-mip4-nemo-v4-base-03.txt to
858 draft-ietf-mip4-nemo-v4-base-04.txt
859   -more changes in Introduction to say that with FA mode only the
860    non-optimized double-encapsulation operation is supported and
861    [1] proposes an optimization.

863 From draft-ietf-mip4-nemo-v4-base-02.txt to
864 draft-ietf-mip4-nemo-v4-base-03.txt
865   -changed a sentence in the Introduction to say that FA mode _is_
866    supported but unoptimized, and that a reference [1] optimizes
867    that mode.
868   -added reference [2] to the rfc3344bis draft.

870 From draft-ietf-mip4-nemo-v4-base-01.txt to
871 draft-ietf-mip4-nemo-v4-base-02.txt
872   -changed title from "IPv4 Network Mobility (NEMO) Protocol" to
873    "Network Mobility (NEMO) Extensions for Mobile IPv4".

875 From draft-ietf-mip4-nemo-v4-base-00.txt to
876 draft-ietf-mip4-nemo-v4-base-01.txt
877   -added a section on Routing Protocol between Mobile Router and
878    Home Agent.
879   -added a security subsection about running simultaneously a
880    secure routing protocol with secure Mobile IPv4.
881   -added a date tag on the IANA URL for Mobile IP numbering
882    spaces.
883   -substituted 'Mobile Router' for 'MR' everywhere.
884   -updated reference to NEMOv4 FA draft.

886 From draft-ietf-nemo-v4-base-01.txt to
887 draft-ietf-mip4-nemo-v4-base-00.txt:
888   -changed draft name, headers and footers.
889   -changed title.
890   -a more coherent use of terms 'subnet', 'prefix' and 'mobile
891    network'.
892   -clarified only co-located CoA mode is supported (not FA CoA)
893    for Mobile Routers in this specification. And added reference
894    to the FA NEMO optimizations draft.
895   -changed 'devices' to 'hosts'.
896   -changed 'moving networks' to 'mobile networks'.
898   -clarified what 'reachability' in a certain context is: packets
899    may be dropped if ingress filtering is turned on.
900   -removed the MR-FA-CoA tunnel overhead optimization. There is
901    still an issue with text at HA doing optimization.
903 This document was first presented as an individual contribution to
904 the NEMO Working Group, then adopted as a WG item of that group.
905 The 01 version in the NEMO WG was Last Called on the
906 INFORMATIONAL track. The evolution was:

908 From version draft-ietf-nemo-v4-base-00 to
909 draft-ietf-nemo-v4-base-01:
910   -removed error code HA_MOBNET_UNSUPPORTED.
911   -changed all values to be assigned by IANA, from specific
912    numbers to "TBA" (To Be Assigned).
913   -substituted "egress interface" for "roaming interface".
914   -changed HA behaviour upon reception of MNPs. In 00 the HA
915    replied positively only if all MNPs in RegReq were valid; in 01
916    a reply is constructed specifying which MNP was valid and which
917    was not.
918   -clarified a 3-line paragraph saying that RegRep may contain
919    both implicit and explicit acknowledgements.

921 Authors' Addresses

923 Kent Leung
924 Cisco Systems
925 170 W. Tasman Drive
926 San Jose, CA 95134
927 US

929 Phone: +1 408-526-5030
930 Email: kleung@cisco.com

932 Gopal Dommety
933 Cisco Systems
934 170 W. Tasman Drive
935 San Jose, CA 95134
936 US

938 Phone: +1 408-525-1404
939 Email: gdommety@cisco.com

941 Vidya Narayanan
942 QUALCOMM, Inc.
943 5775 Morehouse Dr
944 San Diego, CA
945 USA

947 Phone: +1 858-845-2483
948 Email: vidyan@qualcomm.com

949 Alexandru Petrescu
950 Motorola
951 Parc les Algorithmes Saint Aubin
952 Gif-sur-Yvette 91193
953 France
954 Email: Alexandru.Petrescu@motorola.com

956 Comments are solicited and should be addressed to the working
957 group's mailing list at mip4@ietf.org and/or the authors.
959 Intellectual Property Statement

961 The IETF takes no position regarding the validity or scope of any
962 Intellectual Property Rights or other rights that might be claimed to
963 pertain to the implementation or use of the technology described in
964 this document or the extent to which any license under such rights
965 might or might not be available; nor does it represent that it has
966 made any independent effort to identify any such rights. Information
967 on the procedures with respect to rights in RFC documents can be
968 found in BCP 78 and BCP 79.

970 Copies of IPR disclosures made to the IETF Secretariat and any
971 assurances of licenses to be made available, or the result of an
972 attempt made to obtain a general license or permission for the use of
973 such proprietary rights by implementers or users of this
974 specification can be obtained from the IETF on-line IPR repository at
975 http://www.ietf.org/ipr.

977 The IETF invites any interested party to bring to its attention any
978 copyrights, patents or patent applications, or other proprietary
979 rights that may cover technology that may be required to implement
980 this standard. Please address the information to the IETF at
981 ietf-ipr@ietf.org.

983 Disclaimer of Validity

985 This document and the information contained herein are provided on
986 an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
987 REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE
988 IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
989 WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
990 WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE
991 ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
992 FOR A PARTICULAR PURPOSE.

994 Copyright Statement

996 Copyright (C) The IETF Trust (2007).
This document is subject to
997 the rights, licenses and restrictions contained in BCP 78, and
998 except as set forth therein, the authors retain all their rights.

1000 Acknowledgment

1002 Funding for the RFC Editor function is currently provided by the
1003 Internet Society.