idnits 2.17.1 draft-ietf-netlmm-proxymip6-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 21. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 2151. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 2162. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 2169. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 2175. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC3775]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 456: '... mobility anchor MUST allow only autho...' RFC 2119 keyword, line 546: '... by relaxing the MUST requirement for ...' RFC 2119 keyword, line 648: '...chor is serving a mobile node, it MUST...' RFC 2119 keyword, line 651: '... mobility anchor MUST advertise a conn...' RFC 2119 keyword, line 659: '... anchor MUST encapsulate the packet ...' (88 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: On receiving a packet from the mobile node to any destination i.e. not directly connected to the mobile access gateway, the packet MUST be forwarded to the local mobility anchor through the bi-directional tunnel established between itself and the mobile's local mobility anchor. However, the packets that are sent with the link-local source address MUST not be forwarded. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 18, 2007) is 6158 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC3775' is mentioned on line 1740, but not defined ** Obsolete undefined reference: RFC 3775 (Obsoleted by RFC 6275) == Missing Reference: 'MN1' is mentioned on line 355, but not defined == Missing Reference: 'MN3' is mentioned on line 355, but not defined == Missing Reference: 'RFC-4285' is mentioned on line 583, but not defined == Missing Reference: 'ID-Pv4-PMIP6' is mentioned on line 663, but not defined == Missing Reference: 'ID-IPv4-PMIP6' is mentioned on line 1328, but not defined == Unused Reference: 'RFC-4303' is defined on line 1996, but no explicit reference was found in the text == Unused Reference: 'ID-DSMIP6' is defined on line 2017, but no explicit reference was found in the text == Unused Reference: 'RFC-1332' is defined on line 2023, but no explicit reference was found in the text == Unused Reference: 'RFC-2434' is defined on line 2032, but no explicit reference was found in the text == Unused Reference: 'RFC-3756' is defined on line 2041, but no explicit reference was found in the text == Unused Reference: 'ID-MIP6-IKEV2' is defined on line 2047, but no explicit reference was found in the text ** Obsolete normative reference: RFC 1305 (Obsoleted by RFC 5905) ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 2461 (Obsoleted by RFC 4861) ** Obsolete normative reference: RFC 2462 (Obsoleted by RFC 4862) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) ** Obsolete normative reference: RFC 3775 (Obsoleted by RFC 6275) ** Obsolete normative reference: RFC 4306 (Obsoleted by RFC 5996) ** Downref: Normative reference to an Informational RFC: RFC 4830 ** Downref: Normative reference to an Informational RFC: RFC 4831 ** Downref: Normative reference to an Informational RFC: RFC 4832 == Outdated reference: A later version (-18) exists of draft-ietf-netlmm-pmip6-ipv4-support-00 == Outdated reference: A later version (-06) exists of draft-ietf-mip6-nemo-v4traversal-03 -- Possible downref: Normative reference to a draft: ref. 'ID-DSMIP6' -- Obsolete informational reference (is this intentional?): RFC 2472 (Obsoleted by RFC 5072, RFC 5172) -- Obsolete informational reference (is this intentional?): RFC 2434 (Obsoleted by RFC 5226) -- Obsolete informational reference (is this intentional?): RFC 3041 (Obsoleted by RFC 4941) -- Obsolete informational reference (is this intentional?): RFC 3344 (Obsoleted by RFC 5944) == Outdated reference: A later version (-09) exists of draft-ietf-dna-protocol-03 Summary: 14 errors (**), 0 flaws (~~), 17 warnings (==), 13 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETLMM WG S. Gundavelli 3 Internet-Draft K. Leung 4 Intended status: Standards Track Cisco 5 Expires: December 20, 2007 V. Devarapalli 6 Azaire Networks 7 K. Chowdhury 8 Starent Networks 9 B. Patil 10 Nokia Siemens Networks 11 June 18, 2007 13 Proxy Mobile IPv6 14 draft-ietf-netlmm-proxymip6-01.txt 16 Status of this Memo 18 By submitting this Internet-Draft, each author represents that any 19 applicable patent or other IPR claims of which he or she is aware 20 have been or will be disclosed, and any of which he or she becomes 21 aware will be disclosed, in accordance with Section 6 of BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF), its areas, and its working groups. Note that 25 other groups may also distribute working documents as Internet- 26 Drafts. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 The list of current Internet-Drafts can be accessed at 34 http://www.ietf.org/ietf/1id-abstracts.txt. 36 The list of Internet-Draft Shadow Directories can be accessed at 37 http://www.ietf.org/shadow.html. 39 This Internet-Draft will expire on December 20, 2007. 41 Copyright Notice 43 Copyright (C) The IETF Trust (2007). 45 Abstract 47 Host based IPv6 mobility is specified in Mobile IPv6 base 48 specification [RFC3775]. In that model, the mobile node is 49 responsible for doing the signaling to its home agent to enable 50 session continuity as it moves between subnets. The design principle 51 in the case of host-based mobility relies on the mobile node being in 52 control of the mobility management. Network based mobility allows IP 53 session continuity for a mobile node without its involvement in 54 mobility management. This specification describes a protocol 55 solution for network based mobility management that relies on Mobile 56 IPv6 signaling and reuse of home agent functionality. A proxy 57 mobility agent in the network which manages the mobility for a mobile 58 node is the reason for referring to this protocol as Proxy Mobile 59 IPv6. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 64 2. Conventions & Terminology . . . . . . . . . . . . . . . . . . 5 65 2.1. Conventions used in this document . . . . . . . . . . . . 5 66 2.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 67 3. Proxy Mobile IPv6 Protocol Overview . . . . . . . . . . . . . 7 68 4. Proxy Mobile IPv6 Protocol Security . . . . . . . . . . . . . 11 69 4.1. Peer Authorization Database Entries . . . . . . . . . . . 11 70 4.2. Security Policy Database Entries . . . . . . . . . . . . . 12 71 5. Local Mobility Anchor Operation . . . . . . . . . . . . . . . 13 72 5.1. Extensions to Binding Cache Conceptual Data Structure . . 14 73 5.2. Bi-Directional Tunnel Management . . . . . . . . . . . . . 14 74 5.3. Routing Considerations . . . . . . . . . . . . . . . . . . 15 75 5.4. Local Mobility Anchor Address Discovery . . . . . . . . . 16 76 5.5. Sequence Number and Time-Stamps for Message Ordering . . . 16 77 5.6. Route Optimizations Considerations . . . . . . . . . . . . 17 78 5.7. Mobile Prefix Discovery Considerations . . . . . . . . . . 18 79 5.8. Signaling Considerations . . . . . . . . . . . . . . . . . 18 80 5.8.1. Initial Proxy Binding Registration . . . . . . . . . . 18 81 5.8.2. Extending the binding lifetime . . . . . . . . . . . . 20 82 5.8.3. De-registration of the binding . . . . . . . . . . . . 20 83 5.9. Local Mobility Anchor Operational Summary . . . . . . . . 20 84 6. Mobile Access Gateway Operation . . . . . . . . . . . . . . . 21 85 6.1. Supported Access Link Types . . . . . . . . . . . . . . . 21 86 6.2. Supported Home Network Prefix Models . . . . . . . . . . . 22 87 6.3. Supported Address Configuration Models . . . . . . . . . . 22 88 6.4. Access Authentication & Mobile Node Identification . . . . 23 89 6.5. Mobile Node's Policy Profile . . . . . . . . . . . . . . . 23 90 6.6. Conceptual Data Structures . . . . . . . . . . . . . . . . 24 91 6.7. Home Network Emulation . . . . . . . . . . . . . . . . . . 24 92 6.7.1. Home Network Prefix Renumbering . . . . . . . . . . . 25 93 6.8. Link-Local and Global Address Uniqueness . . . . . . . . . 26 94 6.9. Signaling Considerations . . . . . . . . . . . . . . . . . 27 95 6.9.1. Initial Attachment and binding registration . . . . . 27 96 6.9.2. Extending the binding lifetime . . . . . . . . . . . . 28 97 6.9.3. De-registration of the binding . . . . . . . . . . . . 28 98 6.10. Routing Considerations . . . . . . . . . . . . . . . . . . 28 99 6.10.1. Transport Network . . . . . . . . . . . . . . . . . . 29 100 6.10.2. Tunneling & Encapsulation Modes . . . . . . . . . . . 29 101 6.10.3. Routing State . . . . . . . . . . . . . . . . . . . . 30 102 6.10.4. Local Routing . . . . . . . . . . . . . . . . . . . . 31 103 6.10.5. Tunnel Management . . . . . . . . . . . . . . . . . . 31 104 6.10.6. Forwarding Rules . . . . . . . . . . . . . . . . . . . 31 105 6.11. Interaction with DHCP Relay Agent . . . . . . . . . . . . 32 106 6.12. Mobile Node Detachment Detection and Resource Cleanup . . 32 107 6.13. Allowing network access to other IPv6 nodes . . . . . . . 33 108 7. Mobile Node Operation . . . . . . . . . . . . . . . . . . . . 34 109 7.1. Booting up in a Proxy Mobile IPv6 Domain . . . . . . . . . 34 110 7.2. Roaming in the Proxy Mobile IPv6 Network . . . . . . . . . 35 111 7.3. IPv6 Host Protocol Parameters . . . . . . . . . . . . . . 36 112 8. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 37 113 8.1. Proxy Binding Update . . . . . . . . . . . . . . . . . . . 37 114 8.2. Proxy Binding Acknowledgment . . . . . . . . . . . . . . . 38 115 8.3. Home Network Prefix Option . . . . . . . . . . . . . . . . 39 116 8.4. Time Stamp Option . . . . . . . . . . . . . . . . . . . . 40 117 8.5. Status Codes . . . . . . . . . . . . . . . . . . . . . . . 41 118 9. Protocol Configuration Variables . . . . . . . . . . . . . . . 42 119 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42 120 11. Security Considerations . . . . . . . . . . . . . . . . . . . 42 121 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 44 122 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 44 123 13.1. Normative References . . . . . . . . . . . . . . . . . . . 44 124 13.2. Informative References . . . . . . . . . . . . . . . . . . 45 125 Appendix A. Proxy Mobile IPv6 interactions with AAA 126 Infrastructure . . . . . . . . . . . . . . . . . . . 46 127 Appendix B. Supporting Shared-Prefix Model using DHCPv6 . . . . . 46 128 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 47 129 Intellectual Property and Copyright Statements . . . . . . . . . . 49 131 1. Introduction 133 Mobile IPv6 [RFC-3775] is the enabler for IPv6 mobility. It requires 134 Mobile IPv6 client functionality in the IPv6 stack of a mobile node. 135 Signaling between the mobile node and home agent enables the creation 136 and maintenance of a binding between the mobile node's home address 137 and care-of-address. Mobile IPv6 has been designed to be an integral 138 part of the IPv6 stack in a host. However there exist IPv6 stacks 139 today that do not have Mobile IPv6 functionality and there would 140 likely be IPv6 stacks without Mobile IPv6 client functionality in the 141 future as well. It is desirable to support IP mobility for all hosts 142 irrespective of the presence or absence of mobile IPv6 functionality 143 in the IPv6 stack. 145 It is possible to support mobility for IPv6 nodes by extending Mobile 146 IPv6 [RFC-3775] signaling and reusing the home agent via a proxy 147 mobility agent in the network. This approach to supporting mobility 148 does not require the mobile node to be involved in the signaling 149 required for mobility management. The proxy mobility agent in the 150 network performs the signaling and does the mobility management on 151 behalf of the mobile node. Because of the use and extension of 152 Mobile IPv6 signaling and home agent functionality, it is referred to 153 as Proxy Mobile IPv6 (PMIP6) in the context of this document. 155 Network deployments which are designed to support mobility would be 156 agnostic to the capability in the IPv6 stack of the nodes which it 157 serves. IP mobility for nodes which have mobile IP client 158 functionality in the IPv6 stack as well as those hosts which do not, 159 would be supported by enabling Proxy Mobile IPv6 protocol 160 functionality in the network. The advantages of developing a network 161 based mobility protocol based on Mobile IPv6 are: 163 o Reuse of home agent functionality and the messages/format used in 164 mobility signaling. Mobile IPv6 is a mature protocol with several 165 implementations that have been through interoperability testing. 167 o A common home agent would serve as the mobility agent for all 168 types of IPv6 nodes. 170 o Addresses a real deployment need. 172 The problem statement and the need for a network based mobility 173 protocol solution has been documented in [RFC-4830]. Proxy Mobile 174 IPv6 is a solution that addresses these issues and requirements. 176 2. Conventions & Terminology 178 2.1. Conventions used in this document 180 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 181 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" used in 182 this document are to be interpreted as described in RFC 2119. 184 2.2. Terminology 186 All the general mobility related terms used in this document are to 187 be interpreted as defined in the Mobile IPv6 base specification [RFC- 188 3775]. 190 This document adopts the terms, Local Mobility Anchor (LMA) and 191 Mobile Access Gateway (MAG) from the NETLMM Goals document [RFC- 192 4831]. This document also provides the following context specific 193 explanation to the following terms used in this document. 195 Proxy Mobile IPv6 Domain (PMIPv6-Domain) 197 Proxy Mobile IPv6 domain refers to the network where the mobility 198 management of a mobile node is handled using Proxy Mobile IPv6 199 protocol as defined in this specification. The Proxy Mobile IPv6 200 domain includes local mobility anchors and mobile access gateways 201 between which security associations can be setup and authorization 202 for sending Proxy Binding Updates on behalf of the mobile nodes 203 can be ensured. 205 Local Mobility Anchor (LMA) 207 Local Mobility Anchor is the home agent for the mobile node in the 208 Proxy Mobile IPv6 domain. It is the topological anchor point for 209 the mobile node's home network prefix and is the entity that 210 manages the mobile node's reachability state. It is important to 211 understand that the local mobility anchor has the functional 212 capabilities of a home agent as defined in Mobile IPv6 base 213 specification [RFC-3775] and with the additional required 214 capabilities for supporting Proxy Mobile IPv6 protocol as defined 215 in this specification. 217 Mobile Access Gateway (MAG) 218 Mobile Access Gateway is a function that manages the mobility 219 related signaling for a mobile node that is attached to its access 220 link. It is responsible for tracking the mobile node's attachment 221 to the link and for signaling the mobile node's local mobility 222 anchor. 224 Mobile Node (MN) 226 Through out this document, the term mobile node is used to refer 227 to an IP node whose mobility is managed by the network. The 228 mobile node may be operating in IPv6 mode, IPv4 mode or in IPv4/ 229 IPv6 dual mode. The mobile node is not required to participate in 230 any mobility related signaling for achieving mobility for an IP 231 address that is obtained in that local domain. This document 232 further uses explicit text when referring to a mobile node that is 233 involved in mobility related signaling as per Mobile IPv6 234 specification [RFC-3775]. 236 LMA Address (LMAA) 238 The address that is configured on the interface of the local 239 mobility anchor and is the transport endpoint of the tunnel 240 between the local mobility anchor and the mobile access gateway. 241 This is the address to where the mobile access gateway sends the 242 Proxy Binding Update messages. When supporting IPv4 traversal, 243 i.e. when the network between the local mobility anchor and the 244 mobile access gateway is an IPv4 network, this address will be an 245 IPv4 address and will be referred to as IPv4-LMAA, as specified in 246 [ID-IPV4-PMIP6]. 248 Proxy Care-of Address (Proxy-CoA) 250 Proxy-CoA is the address configured on the interface of the mobile 251 access gateway and is the transport endpoint of the tunnel between 252 the local mobility anchor and the mobile access gateway. The 253 local mobility anchor views this address as the Care-of Address of 254 the mobile node and registers it in the Binding Cache entry for 255 that mobile node. When the transport network between the mobile 256 access gateway and the local mobility anchor is an IPv4 network 257 and if the care-of address that is registered at the local 258 mobility anchor is an IPv4 address, the term, IPv4-Proxy-CoA is 259 used, as defined in [ID-IPV4-PMIP6]. 261 Mobile Node's Home Address (MN-HoA) 262 MN-HoA is the home address of a mobile node in a Proxy Mobile IPv6 263 domain. It is an address obtained by the mobile node in that 264 domain. The mobile node can continue to use this address as long 265 as it is attached to the network that is in the scope of that 266 Proxy Mobile IPv6 domain. 268 Mobile Node's Home Network Prefix (MN-HNP) 270 This is the on-link IPv6 prefix that the mobile node always sees 271 in the Proxy Mobile IPv6 domain. The home network prefix is 272 topologically anchored at the mobile node's local mobility anchor. 273 The mobile node configures its interface with an address from this 274 prefix. 276 Mobile Node's Home Link 278 This is the link on which the mobile node obtained its initial 279 address configuration after it moved into that Proxy Mobile IPv6 280 domain. This is the link that conceptually follows the mobile 281 node. The network will ensure the mobile node always sees this 282 link with respect to the layer-3 network configuration, on any 283 access link that it attaches to in that proxy mobile IPv6 domain. 285 Mobile Node Identifier (MN-Identifier) 287 The identity of the mobile node that is presented to the network 288 as part of the access authentication. This is typically an 289 identifier such as Mobile Node NAI [RFC-4283], or any other type 290 of identifier which may be specific to the access technology. 292 Proxy Binding Update (PBU) 294 A signaling message sent by the mobile access gateway to a mobile 295 node's local mobility anchor for establishing a binding between 296 the mobile node's MN-HoA and the Proxy-CoA. 298 Proxy Binding Acknowledgement (PBA) 300 A response message sent by a local mobility anchor in response to 301 a Proxy Binding Update message that it received from a mobile 302 access gateway. 304 3. Proxy Mobile IPv6 Protocol Overview 306 This specification describes a network-based mobility management 307 protocol. It is called Proxy Mobile IPv6 and is based on Mobile IPv6 308 [RFC-3775]. This protocol is for providing network-based mobility 309 management support to a mobile node, within a restricted and 310 topologically localized portion of the network and with out requiring 311 the participation of the mobile node in any mobility related 312 signaling. 314 Every mobile node that roams in a Proxy Mobile IPv6 domain, would 315 typically be identified by an identifier, MN-Identifier, and using 316 that identifier the mobile node's policy profile can be obtained from 317 the policy store. The policy profile typically contains the 318 provisioned network-based mobility service characteristics and other 319 related parameters such as the mobile node's Identifier, local 320 mobility anchor address, permitted address configuration modes, 321 roaming policy and other parameters that are essential for providing 322 the network based mobility service. 324 Once a mobile node enters its Proxy Mobile IPv6 domain and performs 325 access authentication, the network will ensure that the mobile node 326 is always on its home network and can obtain its home address on any 327 access link using any of the address configuration procedures. In 328 other words, there is a home network prefix that is assigned to a 329 mobile node and conceptually that address always follows the mobile 330 node, where ever it roams within that Proxy Mobile IPv6 domain. From 331 the perspective of the mobile node, the entire Proxy Mobile IPv6 332 domain appears as its home link or a single link. 334 +----+ +----+ 335 |LMA1| |LMA2| 336 +----+ +----+ 337 LMAA1 -> | | <-- LMAA2 338 | | 339 \\ //\\ 340 \\ // \\ 341 \\ // \\ 342 +---\\------------- //------\\----+ 343 ( \\ IPv4/IPv6 // \\ ) 344 ( \\ Network // \\ ) 345 +------\\--------//------------\\-+ 346 \\ // \\ 347 \\ // \\ 348 \\ // \\ 349 Proxy-CoA1--> | | <-- Proxy-CoA2 350 +----+ +----+ 351 |MAG1|-----[MN2] |MAG2| 352 +----+ | +----+ 353 | | | 354 MN-HoA1 --> | MN-HoA2 | <-- MN-HoA3 355 [MN1] [MN3] 357 Figure 1: Proxy Mobile IPv6 Domain 359 The Proxy Mobile IPv6 scheme introduces a new function, the mobile 360 access gateway. It is a function that is on the access link where 361 the mobile node is anchored and does the mobility related signaling 362 on its behalf. From the perspective of the local mobility anchor, 363 the mobile access gateway is a special element in the network that is 364 authorized to send Mobile IPv6 signaling messages on behalf of other 365 mobile nodes. 367 When the mobile node attaches to an access link connected to the 368 mobile access gateway, the mobile node presents its identity, MN- 369 Identifier, as part of the access authentication procedure. After a 370 successful access authentication, the mobile access gateway obtains 371 the mobile node's profile from the policy store. The mobile access 372 gateway would have all the required information for it to emulate the 373 mobile node's home network on the access link. It sends Router 374 Advertisement messages to the mobile node on the access link 375 advertising the mobile node's home network prefix as the hosted on- 376 link-prefix. 378 The mobile node on receiving these Router Advertisement messages on 379 the access link will attempt to configure its interface either using 380 stateful or stateless address configuration modes, based on modes 381 that are permitted on that access link. At the end of a successful 382 address configuration procedure, the mobile node would have obtained 383 an address from its home network prefix. If the mobile node is IPv4 384 capable and if network offers IPv4 network mobility for the mobile 385 node, the mobile node would have obtained an IPv4 address as well. 386 The mobile node can be operating in IPv4-only mode, IPv6-only or in 387 dual-mode and based on the services enabled for that mobile, the 388 mobility is enabled only for those address types. Also, the network 389 between the local mobility anchor and the mobile access gateway can 390 be either IPv4, IPv6 or a private IPv4 with NAT translation devices. 392 For updating the local mobility anchor about the current location of 393 the mobile node, the mobile access gateway sends a Proxy Binding 394 Update message to the mobile node's local mobility anchor. The 395 message will have the mobile node's NAI identifier option and other 396 required options. Upon accepting the Proxy Binding Update message, 397 the local mobility anchor sends a Proxy Binding Acknowledgment 398 message including the mobile node's home network prefix option. It 399 also sets up a route for the mobile node's home network prefix over 400 the tunnel to the mobile access gateway. 402 The mobile access gateway on receiving this Proxy Binding 403 Acknowledgment message sets up a bi-directional tunnel to the local 404 mobility anchor and adds a default route over the tunnel to the local 405 mobility anchor. All traffic from the mobile node gets routed to its 406 local mobility anchor through the bi-directional tunnel. 408 At this point, the mobile node has a valid address from its home 409 network prefix, at the current point of attachment. The serving 410 mobile access gateway and the local mobility anchor also have proper 411 routing states for handling the traffic sent to and from the mobile 412 node using an address from its home network prefix. 414 The local mobility anchor, being the topological anchor point for the 415 mobile node's home network prefix, receives any packet that is sent 416 by any corresponding node to the mobile node. Local mobility anchor 417 forwards the received packet to the mobile access gateway through the 418 bi-directional tunnel. The mobile access gateway on other end of the 419 tunnel, after receiving the packet, removes the outer header and 420 forwards the packet on the access link to the mobile node. 422 The mobile access gateway typically acts as a default router on the 423 access link and any packet that the mobile node sends to any 424 corresponding node is received by the mobile access gateway and it 425 forwards the packet to its local mobility anchor through the bi- 426 directional tunnel. The local mobility anchor on the other end of 427 the tunnel, after receiving the packet removes the outer header and 428 routes the packet to the destination. 430 4. Proxy Mobile IPv6 Protocol Security 432 The signaling messages, Proxy Binding Update and Proxy Binding 433 Acknowledgement, exchanged between the mobile access gateway and the 434 local mobility anchor are protected using IPsec and using the 435 established security association between them. The security 436 association of the specific mobile node for which the signaling 437 message is initiated is not required for protecting these messages. 439 ESP in transport mode with mandatory integrity protection is used for 440 protecting the signaling messages. Confidentiality protection is not 441 required. 443 IKEv2 is used to setup security associations between the mobile 444 access gateway and the local mobility anchor to protect the Proxy 445 Binding Update and Proxy Binding Acknowledgment messages. The mobile 446 access gateway and the local mobility anchor can use any of the 447 authentication mechanisms, as specified in IKEv2, for mutual 448 authentication. 450 Mobile IPv6 specification requires the home agent to prevent a mobile 451 node from creating security associations or creating binding cache 452 entries for another mobile node's home address. In the protocol 453 described in this document, the mobile node is not involved in 454 creating security associations for protecting the signaling messages 455 or sending binding updates. Therefore, this is not a concern. 456 However, the local mobility anchor MUST allow only authorized mobile 457 access gateways to create binding cache entries on behalf of the 458 mobile nodes. The actual mechanism by which the local mobility 459 anchor verifies if a specific mobile access gateway is authorized to 460 send Proxy Binding Updates on behalf of a mobile node is outside the 461 scope of this document. One possible way this could be achieved is 462 sending a query to the policy store such as by using AAA 463 infrastructure. 465 4.1. Peer Authorization Database Entries 467 The following describes PAD entries on the mobile access gateway and 468 the local mobility anchor. The PAD entries are only example 469 configurations. Note that the PAD is a logical concept and a 470 particular mobile access gateway or a local mobility anchor 471 implementation can implement the PAD in an implementation specific 472 manner. The PAD state may also be distributed across various 473 databases in a specific implementation. 475 mobile access gateway PAD: 476 - IF remote_identity = lma_identity_1 477 Then authenticate (shared secret/certificate/EAP) 478 and authorize CHILD_SA for remote address lma_addres_1 480 local mobility anchor PAD: 481 - IF remote_identity = mag_identity_1 482 Then authenticate (shared secret/certificate/EAP) 483 and authorize CHILD_SAs for remote address mag_address_1 485 The list of authentication mechanisms in the above examples is not 486 exhaustive. There could be other credentials used for authentication 487 stored in the PAD. 489 4.2. Security Policy Database Entries 491 The following describes the security policy entries on the mobile 492 access gateway and the local mobility anchor required to protect the 493 Proxy Mobile IPv6 signaling messages. The SPD entries are only 494 example configurations. A particular mobile access gateway or a 495 local mobility anchor implementation could configure different SPD 496 entries as long as they provide the required security. 498 In the examples shown below, the identity of the mobile access 499 gateway is assumed to be mag_1, the address of the mobile access 500 gateway is assumed to be mag_address_1, and the address of the local 501 mobility anchor is assumed to be lma_address_1. 503 mobile access gateway SPD-S: 504 - IF local_address = mag_address_1 & 505 remote_address = lma_address_1 & 506 proto = MH & local_mh_type = BU & remote_mh_type = BAck 507 Then use SA ESP transport mode 508 Initiate using IDi = mag_1 to address lma_1 510 local mobility anchor SPD-S: 511 - IF local_address = lma_address_1 & 512 remote_address = mag_address_1 & 513 proto = MH & local_mh_type = BAck & remote_mh_type = BU 514 Then use SA ESP transport mode 516 5. Local Mobility Anchor Operation 518 For supporting the Proxy Mobile IPv6 scheme specified in this 519 document, the Mobile IPv6 home agent entity, defined in Mobile IPv6 520 specification [RFC-3775], needs some enhancements. The local 521 mobility anchor is an entity that has the functional capabilities of 522 a home agent and with the additional required capabilities for 523 supporting Proxy Mobile IPv6 protocol as defined in this 524 specification. This section describes the operational details of the 525 local mobility anchor. 527 The base Mobile IPv6 specification [RFC-3775], defines home agent and 528 the mobile node as the two functional entities. The Proxy Mobile 529 IPv6 scheme introduces a new entity, the mobile access gateway. This 530 is the entity that will participate in the mobility related 531 signaling. From the perspective of the local mobility anchor, the 532 mobile access gateway is a special element in the network that has 533 the privileges to send mobility related signaling messages on behalf 534 of the mobile node. Typically, the local mobility anchor is 535 provisioned with the list of mobile access gateways authorized to 536 send proxy registrations. 538 When the local mobility anchor receives a Proxy Binding Update 539 message from a mobile access gateway, the message is protected using 540 the IPSec Security Association established between the local mobility 541 anchor and the mobile access gateway. The local mobility anchor can 542 distinguish between a Proxy Binding Update message received from a 543 mobile access gateway from a Binding Update message received directly 544 from a mobile node. This distinction is important for using the 545 right security association for validating the Binding Update and this 546 is achieved by relaxing the MUST requirement for having the Home 547 Address Option presence in Destination Options header and by 548 introducing a new flag in the Binding Update message. The local 549 mobility anchor as a traditional IPSec peer can use the SPI in the 550 IPSec header [RFC-4306] of the received packet for locating the 551 correct security association and for processing the Proxy Binding 552 Update message in the context of the Proxy Mobile IPv6 scheme. 554 For protocol simplicity, the current specification supports the Per- 555 MN-Prefix addressing model. In this addressing model, each mobile 556 node is allocated an exclusively unique home network prefix. The 557 local mobility anchor in this model is just a topological anchor 558 point for that prefix and the prefix is physically hosted on the 559 access link where the mobile node is attached. The local mobility 560 anchor is not required to perform any proxy ND operations [RFC-2461] 561 for defending the mobile node's home address on the home link. 562 However, the local mobility anchor is required to manage the binding 563 cache entry of the mobile node for managing the mobility session and 564 also the routing state for creating a proper route path for traffic 565 to/from the mobile node. 567 5.1. Extensions to Binding Cache Conceptual Data Structure 569 The local mobility anchor maintains a Binding Cache entry for each 570 currently registered mobile node. Binding Cache is a conceptual data 571 structure, described in Section 9.1 of [RFC-3775]. For supporting 572 this specification, the conceptual Binding Cache entry needs to be 573 extended with the following additional fields. 575 o A flag indicating whether or not this Binding Cache entry is 576 created due to a proxy registration. This flag is enabled for 577 Binding Cache entries that are proxy registrations and is turned 578 off for all other entries that are direct registrations from the 579 mobile node. 581 o The identifier of the mobile node, MN-Identifier. This MN- 582 Identifier is obtained from the NAI Option present in the Proxy 583 Binding Update request [RFC-4285]. 585 o A flag indicating whether or not the Binding Cache entry has a 586 home address that is on virtual interface. This flag is enabled, 587 if the home prefix of the mobile node is configured on a virtual 588 interface. When the configured home prefix of a mobile is on a 589 virtual interface, the home agent is not required to function as a 590 Neighbor Discovery proxy for the mobile node. 592 o The IPv6 home network prefix of the mobile node. 594 o The IPv6 home network prefix length of the mobile node. 596 o The interface id of the bi-directional tunnel between the local 597 mobility anchor and the mobile access gateway used for sending and 598 receiving the mobile node's traffic. 600 5.2. Bi-Directional Tunnel Management 602 The bi-directional tunnel between the local mobility anchor and the 603 mobile access gateway is used for routing the traffic to and from the 604 mobile node. The tunnel hides the topology and enables a mobile node 605 to use an IP address that is topologically anchored at the local 606 mobility anchor, from any attached access link in that proxy mobile 607 IPv6 domain. The base Mobile IPv6 specification [RFC-3775], does use 608 the tunneling scheme for routing traffic to and from the mobile that 609 is using its home address. However, there are subtle differences in 610 the way Proxy Mobile IPv6 uses the tunneling scheme. 612 As in Mobile IPv4 [RFC-3344], the tunnel between the local mobility 613 anchor and the mobile access gateway is typically a shared tunnel and 614 can be used for routing traffic streams for different mobile nodes 615 attached to the same mobile access gateway. This specification 616 extends that 1:1 relation between a tunnel and a binding cache entry 617 to 1:m relation, reflecting the shared nature of the tunnel. 619 The tunnel is creating after accepting a Proxy Binding Update message 620 for a mobile node from a mobile access gateway. The created tunnel 621 may be shared with other mobile nodes attached to the same mobile 622 access gateway and with the local mobility anchor having a binding 623 cache entry for those mobile nodes. Some implementations may prefer 624 to use static tunnels as supposed to creating and tearing them down 625 on a need basis. 627 The one end point of the tunnel is the address configured on the 628 interface of the local mobility anchor, LMAA. The other end point of 629 the tunnel is the address configured on the interface of the mobile 630 access gateway, Proxy-CoA. The details related to the supported 631 encapsulation modes and transport protocols is covered in detail in 632 Section 6.10.2. 634 Implementations typically use a software timer for managing the 635 tunnel lifetime and a counter for keeping a count of all the mobiles 636 that are sharing the tunnel. The timer value will be set to the 637 accepted binding life-time and will be updated after each periodic 638 registrations for extending the lifetime. If the tunnel is shared 639 for multiple mobile node's traffic, the tunnel lifetime will be set 640 to the highest binding life time across all the binding life time 641 that is granted for all the mobiles sharing that tunnel. 643 5.3. Routing Considerations 645 This section describes how the data traffic to/from the mobile node 646 is handled at the local mobility anchor. 648 When a local mobility anchor is serving a mobile node, it MUST 649 attempt to intercept packets that are sent to any address that is in 650 the mobile node's home network prefix address range. The local 651 mobility anchor MUST advertise a connected route in to the Routing 652 Infrastructure for that mobile node's home network prefix or for an 653 aggregated prefix with a larger scope. This essentially enables 654 routers in the IPv6 network to detect the local mobility anchor as 655 the last-hop router for that prefix. 657 When forwarding any packets that have the destination address 658 matching the mobile node's home network prefix, the local mobility 659 anchor MUST encapsulate the packet with the outer IPv6 header, as 660 specified in Generic Packet Tunneling in IPv6 specification [RFC- 661 2473]. If the negotiated encapsulation header is either IPv6-over- 662 IPv4 or IPv6-over-IPv4-UDP, as specified in the companion document, 663 IPv4 support for Proxy Mobile IP6 [ID-Pv4-PMIP6], the packet must be 664 encapsulated and routed as specified in that specification. 666 All the reverse tunneled packets that the local mobility anchor 667 receives from the tunnel, after removing the outer header MUST be 668 routed to the destination specified in the inner packet header. 669 These routed packets will have the source address field set to the 670 address from the mobile node's home network prefix. 672 5.4. Local Mobility Anchor Address Discovery 674 Dynamic Home Agent Address Discovery, as explained in Section 10.5 of 675 [RFC-3775], allows a mobile node to discover all the home agents on 676 its home link by sending an ICMP Home Agent Address Discovery Request 677 message to the Mobile IPv6 Home-Agents anycast address, derived from 678 its home network prefix. 680 In Proxy Mobile IPv6, the address of the local mobility anchor 681 configured to serve a mobile node can be discovered by the mobility 682 entities in one or more ways. This MAY be a configured entry in the 683 mobile node's policy profile, or it MAY be obtained through 684 mechanisms outside the scope of this document. It is important to 685 note that there is little value in using DHAAD message in the current 686 form for discovering the local mobility anchor address dynamically. 687 As a mobile node moves from one mobile access gateway to the another, 688 the serving mobile access gateway will not predictably be able to 689 locate the serving local mobility anchor for that mobile that has its 690 binding cache entry for the mobile node. Hence, this specification 691 does not support Dynamic Home Agent Address Discovery protocol. 693 5.5. Sequence Number and Time-Stamps for Message Ordering 695 Mobile IPv6 [RFC-3775] uses the Sequence Number field in registration 696 messages as a way to ensure the correct packet ordering. The local 697 mobility anchor and the mobile node are required to manage this 698 counter over the lifetime of a binding. 700 In Proxy Mobile IPv6, the Proxy Binding Update messages that the 701 local mobility anchor receives on behalf of a specific mobile node 702 may not be from the same mobile access gateway as the previously 703 received message. It creates certain ambiguity and the local 704 mobility anchor will not be predictably order the messages. This 705 could lead to the local mobility anchor processing an older message 706 from a mobile access gateway where the mobile node was previously 707 attached, while ignoring the latest binding update message. 709 In the Proxy Mobile IPv6, the ordering of packets has to be 710 established across packets received from multiple senders. The 711 sequence number scheme as specified in [RFC-3775] will not be 712 sufficient. A global scale, such as a time stamp, can be used to 713 ensure the correct ordering of the packets. This document proposes 714 the use of a Time Stamp Option, specified in Section 8.4, in all 715 Proxy Binding Update messages sent by mobile access gateways. By 716 leveraging the NTP [RFC-1305] service, all the entities in Proxy 717 Mobile IPv6 domain will be able to synchronize their respective 718 clocks. Having a time stamp option in Proxy Binding Update messages 719 will enable the local mobility anchor to predictably identify the 720 latest message from a list of messages delivered in an out-of-order 721 fashion. 723 The Proxy Mobile IPv6 model, defined in this document requires the 724 Proxy Binding Update messages sent by the mobile access gateway to 725 have the Time Stamp option. The local mobility anchor processing a 726 proxy registration MUST ignore the sequence number field and MUST the 727 value from the Time Stamp option to establish ordering of the 728 received Binding Update messages. If the local mobility anchor 729 receives a Proxy Binding Update message with an invalid Time Stamp 730 Option, the Proxy Binding Update MUST be rejected and a Proxy Binding 731 Acknowledgement MUST be returned in which the Status field is set to 732 148 (invalid time stamp option). 734 In the absence of Time Stamp option in the Proxy Binding Update, the 735 entities can fall back to Sequence Number scheme for message 736 ordering, as defined in RFC-3775. However, the specifics on how 737 different mobile access gateways synchronize the sequence number is 738 outside the scope of this document. 740 When using the Time Stamp Option, the local mobility anchor or the 741 mobile access gateway MUST set the timestamp field to a 64-bit value 742 formatted as specified by the Network Time Protocol [RFC-1305]. The 743 low-order 32 bits of the NTP format represent fractional seconds, and 744 those bits which are not available from a time source SHOULD be 745 generated from a good source of randomness. 747 5.6. Route Optimizations Considerations 749 Mobile IPv6 route optimization, as defined in [RFC-3775], enables a 750 mobile node to communicate with a corresponding node directly using 751 its care-of address and further the Return Routability procedure 752 enables the corresponding node to have reasonable trust that the 753 mobile node owns both the home address and care-of address. 755 In the Proxy Mobile IPv6 model, the mobile is not involved in any 756 mobility related signaling and also it does not operate in the dual- 757 address mode. Hence, the return routability procedure as defined in 758 RFC-3775 is not applicable for the proxy model. 760 5.7. Mobile Prefix Discovery Considerations 762 The ICMP Mobile Prefix Advertisement message, described in Section 763 6.8 and Section 11.4.3 of [RFC-3775], allows a home agent to send a 764 Mobile Prefix Advertisement to the mobile node. 766 In Proxy Mobile IPv6, the mobile node's home network prefix is hosted 767 on the access link connected to the mobile access gateway. but 768 topologically anchored on the local mobility anchor. Since, there is 769 no physical home-link for the mobile node's home network prefix on 770 the local mobility anchor and as the mobile is always on the link 771 where the prefix is hosted, any prefix change messages can just be 772 advertised by the mobile access gateway on the access link and thus 773 there is no applicability of this message for Proxy Mobile IPv6. 774 This specification does not use Mobile Prefix Discovery. 776 5.8. Signaling Considerations 778 5.8.1. Initial Proxy Binding Registration 780 Upon receiving a Proxy Binding Update message from a mobile access 781 gateway on behalf of mobile node, the local mobility anchor MUST 782 process the request as defined in Section 10, of the base Mobile IPv6 783 specification [RFC-3775], with one exception that this request is a 784 proxy request, the sender is not the mobile node and so the message 785 has to be processed with the considerations explained in this 786 section. 788 The local mobility anchor MUST apply the required policy checks, as 789 explained in Section 4.0 of this document to verify the sender is a 790 trusted mobile access gateway, authorized to send Proxy Binding 791 Updates requests on behalf of that mobile nodes, using its own 792 identity. The local mobility anchor must check the local/remote 793 policy store to ensure the requesting node is authorized to send 794 Proxy Binding Update messages. 796 The local mobility anchor MUST use the MN-Identifier from the NAI 797 option of the Proxy Binding Update message for identifying the mobile 798 node. 800 The local mobility anchor MUST ignore the sequence number field in 801 the Proxy Binding Updates requests, if the Time-Stamp Option is 802 present in the message. It must also skip all the checks related to 803 sequence number that are required as per the Mobile IPv6 804 specification [RFC-3775]. However, the received sequence number MUST 805 be copied and returned in the Proxy Binding Acknowledgement message 806 sent to the mobile access gateway. 808 The local mobility anchor before accepting a Proxy Binding Update 809 request containing the Home Network Prefix Option with a specific 810 prefix, MUST ensure the prefix is owned by the local mobility anchor 811 and further the mobile node is authorized to use that prefix. If the 812 Home Network Prefix Option has the value 0::/0, the local mobility 813 anchor MUST allocate a prefix for the mobile node and send a Proxy 814 Binding Acknowledgement message with the Home Network Prefix Option 815 containing the allocated value. The specific details on how the 816 local mobility anchor allocates the home network prefix is outside 817 the scope of this document. 819 Upon accepting a Proxy Binding Update request from a mobile access 820 gateway, the local mobility anchor must check if there exists a 821 binding cache entry for that mobile node, identified using the MN- 822 Identifier, that was created due to a direct registration from the 823 mobile node. If there exists a binding cache entry with the proxy 824 registration flag turned off, the local mobility anchor MUST NOT 825 modify that binding state, instead it must create a tentative binding 826 cache entry and update the tentative binding cache entry fields of 827 that binding cache entry. 829 Upon receiving a Binding Update request from a mobile node with 830 lifetime value set to 0, from a tunnel between itself and a trusted 831 mobile access gateway, the local mobility anchor upon accepting that 832 de-registration message, MUST forward the Binding Acknowledgement 833 message in the tunnel from where it received the Binding Update 834 request. It must also replace the binding cache entry with the 835 tentative binding cache entry and enable routing for the mobile 836 node's home network prefix through the proxy mobile IPv6 tunnel. 838 Upon accepting this Proxy Binding Update message, the local mobility 839 anchor must create a Binding Cache entry and must set up a tunnel to 840 the mobile access gateway serving the mobile node. This bi- 841 directional tunnel between the local mobility anchor and the mobile 842 access gateway is used for routing the mobile node's traffic. 844 The Proxy Binding Acknowledgment message must be constructed as shown 845 below. 847 IPv6 header (src=LMAA, dst=Proxy-CoA) 848 Mobility header 849 -BA /*P flag is set*/ 850 Mobility Options 851 - Home Network Prefix Option 852 - TimeStamp Option (optional) 853 - NAI Option 855 Proxy Binding Acknowledgment message contents 857 5.8.2. Extending the binding lifetime 859 Upon accepting the Proxy Binding Update request for extending the 860 lifetime of a currently active binding, the local mobility anchor 861 MUST update the lifetime for that binding and send a Proxy Binding 862 Acknowledgment message to the mobile access gateway. The Proxy 863 Binding Acknowledgment message MUST be constructed as specified in 864 Section 5.8.1. 866 5.8.3. De-registration of the binding 868 Upon accepting the Proxy Binding Update request sent with the 869 lifetime value of zero, the local mobility anchor MUST delete the 870 binding from its Binding Cache and MUST send a Proxy Binding 871 Acknowledgment message to the mobile access gateway. The message 872 MUST be constructed as specified in Section 6.9.1. 874 The local mobility anchor MUST also remove the prefix route over the 875 tunnel for that mobile node's home network prefix. 877 5.9. Local Mobility Anchor Operational Summary 879 o For supporting this scheme, the local mobility anchor MUST satisfy 880 all the requirements listed in Section 8.4 of Mobile IPv6 881 specification [RFC-3775] with the following considerations. 883 o For supporting the per-MN-Prefix addressing model as defined in 884 this specification, the local mobility anchor service MUST NOT be 885 tied to a specific interface. It SHOULD be able to accept Proxy 886 Binding Update requests sent to any of the addresses configured on 887 any of its interfaces. 889 o The requirement for a home agent to maintain a list of home agents 890 for a mobile node's home link is not applicable for the local 891 mobility anchor, when supporting Per-MN-Prefix addressing model. 893 o The local mobility anchors SHOULD drop all HoTI messages received 894 for a home address that has corresponding Binding Cache entry with 895 the proxy registration flag set. 897 o The local mobility anchor must handle the mobile node's data 898 traffic as explained in the Routing Considerations section of this 899 document. 901 6. Mobile Access Gateway Operation 903 The Proxy Mobile IPv6 scheme specified in this document, introduces a 904 new functional entity, the Mobile Access Gateway (MAG). It is the 905 entity that detects the mobile node's movements and initiates the 906 signaling with the mobile node's local mobility anchor for updating 907 the route to the mobile node's home address. In essence, the mobile 908 access gateway performs mobility management on behalf of the mobile 909 node. 911 From the perspective of the local mobility anchor, the mobile access 912 gateway is a special element in the network that sends Mobile IPv6 913 signaling messages on behalf of a mobile node, but using its own 914 identity. It is the entity that binds the mobile node's home address 915 to an address on its own access interface. 917 The mobile access gateway has the following functional roles. 919 o Responsible for detecting the mobile node's attachment or 920 detachment on the connected access link and for initiating the 921 mobility signaling with the mobile node's local mobility anchor. 923 o Emulation of the mobile node's home link on the access link. 925 o Registering the binding state at the mobile node's local mobility 926 anchor. 928 o Responsible for setting up the data path for enabling the mobile 929 node to use an address from its home network prefix and use it 930 from the access link. 932 The mobile access gateway is a function that typically runs on an 933 access router. However, implementations MAY choose to split this 934 function and run it across multiple systems. The specifics on how 935 that is achieved is beyond the scope of this document. 937 6.1. Supported Access Link Types 939 This specification supports only point-to-point access link types and 940 thus it assumes that the link between the mobile node and the mobile 941 access gateway is a dedicated link and that the mobile node and the 942 mobile access gateway are the only two nodes present on that link. 943 The assumed properties for the point-to-point link type are just as 944 assumed by the Neighbor Discovery specification [RFC-2461] for that 945 link type. The link is assumed to have multicast capability and the 946 interfaces connecting to the link can be configured with a link-local 947 address. 949 Support for shared links or other link types is left for the future 950 work. 952 6.2. Supported Home Network Prefix Models 954 This specification supports Per-MN-Prefix model and does not support 955 Shared-Prefix model. As per the Per-MN-Prefix model, there will be a 956 unique home network prefix assigned for each mobile node and no other 957 host shares an address from that prefix. The prefix is always hosted 958 on the access link where the mobile node is anchored. Conceptually, 959 the prefix follows the mobile node as it moves within the proxy 960 mobile IPv6 domain. However, from the routing perspective, the home 961 network prefix is topologically anchored on the local mobility 962 anchor. 964 6.3. Supported Address Configuration Models 966 A mobile node in the proxy mobile IPv6 domain can configure one or 967 more IPv6 addresses on its interface using Stateless or Stateful 968 address autoconfiguration procedures. The Router Advertisement 969 messages sent on the access link, specify the address configuration 970 methods permitted on that access link for that mobile node. The 971 exact semantics of the flags that are enabled, the options that are 972 carried in these advertisement messages is as per the Neighbor 973 Discovery specification [RFC-2461]. However, the advertised flags 974 with respect the address configuration will be consistent for a 975 mobile node, on any of the access links in that proxy mobile IPv6 976 domain. Typically, these configuration settings will be based on the 977 domain wide policy or based on a policy specific to each mobile node. 978 This specification requires that all the mobile access gateways in a 979 given proxy mobile IPv6 domain MUST ensure that the permitted address 980 configuration procedures or the address configuration parameters that 981 are sent in the Router Advertisements are consistent for a mobile 982 node when attached to on any of the access links in the proxy mobile 983 IPv6 domain. 985 When stateless address autoconfiguration is supported on the link, 986 the mobile node can generate one or more IPv6 addresses by combining 987 the network prefix advertised on the access link with an interface 988 identifier, using the techniques described in Stateless 989 Autoconfiguration specification [RFC-2462] or in Privacy extension 990 specification [RFC-3041]. 992 When stateful address autoconfiguration is supported on the link, the 993 mobile node obtains the address configuration from the DHCPv6 server 994 using DHCPv6 client protocol, as specified in DHCPv6 specification 995 [RFC-3315]. 997 In addition to this, other address configuration mechanisms specific 998 to the access link between the mobile node and the mobile access 999 gateway may also be used for pushing the address configuration to the 1000 mobile node. 1002 6.4. Access Authentication & Mobile Node Identification 1004 When a mobile node attaches to an access link connected to the mobile 1005 access gateway, the deployed access security protocols on that link 1006 will ensure that the network-based mobility management service is 1007 offered only after authenticating and authorizing the mobile node for 1008 that service. The exact specifics on how this is achieved or the 1009 interactions between the mobile access gateway and the access 1010 security service is outside the scope of this document. This 1011 specification goes with the stated assumption of having an 1012 established trust and a secured communication link between the mobile 1013 node and mobile access gateway, before the protocol operation begins. 1014 The specification also requires that the mobile access gateway MUST 1015 be able to identify the mobile node by its MN-Identifier and it must 1016 also be able to associate this identity to the sender of any IPv4 or 1017 IPv6 packets on the access link. The mobile access gateway MUST also 1018 be able to obtain the mobile node's policy profile using the MN- 1019 Identifier. 1021 6.5. Mobile Node's Policy Profile 1023 A mobile node's policy profile contains the essential operational 1024 parameters that are required by the network entities for managing the 1025 mobile node's mobility service. These policy profiles are stored in 1026 a local or a remote policy store, the mobile access gateway and the 1027 local mobility anchor MUST be able to obtain a mobile node's policy 1028 profile using its MN-Identifier. The policy profile may also be 1029 handed over to a serving mobile access gateway as part of a context 1030 transfer procedure during a handoff. The exact details on how this 1031 achieved is outside the scope of this document. However, this 1032 specification requires that a mobile access gateway serving a mobile 1033 node MUST have access to its policy profile. 1035 The following are the mandatory fields of the policy profile: 1037 o The mobile node's identifier (MN-Identifier) 1039 o The IPv6 address of the local mobility anchor (LMAA) 1040 o Supported address configuration procedures on the link (Stateful, 1041 Stateless or both) 1043 The following are the optional fields of the policy profile: 1045 o The mobile node's IPv6 home network prefix (MN-HoA) 1047 o The mobile node's IPv6 home network prefix length 1049 6.6. Conceptual Data Structures 1051 Every mobile access gateway MUST maintain a Binding Update List for 1052 each currently attached mobile node. The Binding Update List is a 1053 conceptual data structure, described in Section 11.1 of Mobile IPv6 1054 base specification [RFC-3775]. For supporting this specification, 1055 the conceptual Binding Update List data structure must be extended 1056 with the following new additional fields. 1058 o The Identifier of the mobile node, MN-Identifier. 1060 o The MAC address of the mobile node's connected interface. 1062 o The IPv6 home network prefix of the mobile node. 1064 o The IPv6 home network prefix length of the mobile node. 1066 o The interface identifier of the point-to-point link to the mobile 1067 node. 1069 o The interface identifier of the tunnel between the mobile access 1070 gateway and the mobile node's local mobility anchor. 1072 6.7. Home Network Emulation 1074 One of the key functions of a mobile access gateway is to emulate the 1075 mobile node's home network prefix on the access link. It must 1076 ensure, the mobile node believes it is still connected to its home 1077 link or on the link where it obtained its address configuration after 1078 it moved into that proxy mobile IPv6 domain. 1080 After detecting new mobile node on its access link and after a 1081 successful access authentication and authorization of the mobile node 1082 for network-based mobility service, the mobile access gateway MUST to 1083 emulate the mobile node's home link by sending the Router 1084 Advertisements with the mobile node's home network prefix as the 1085 hosted on-link prefix. The Router Advertisement MUST be sent in 1086 response to a Router Solicitation message that it received from the 1087 mobile node. The Router Advertisement messages MAY also be sent 1088 periodically, based on the interface configuration on the mobile 1089 access gateway. 1091 For emulating the mobile node's home link on the access link, the 1092 mobile access gateway must know the home network prefix of the mobile 1093 node for constructing the Router Advertisement. Typically and as a 1094 default method, the mobile access gateway learns the mobile node's 1095 home network prefix information from the Proxy Binding 1096 Acknowledgement message, it received in response to the Proxy Binding 1097 Update message that it sent to the mobile node's local mobility 1098 anchor for that mobile node. 1100 However, it is also possible, the mobile node's home network prefix 1101 information may be statically configured in the mobile node's policy 1102 profile or it may be handed over to the mobile access gateway as part 1103 of a context transfer procedure. If the mobile access gateway can 1104 predictably know the mobile node's home network prefix information, 1105 it MAY choose to send the Router Advertisement prior to receiving the 1106 Proxy Binding Acknowledgement message from the local mobility anchor. 1107 However, in the event, the local mobility anchor rejects the Proxy 1108 Binding Update message, or if the prefix that is received from the 1109 local mobility anchor for that mobile node is a different prefix than 1110 what the mobile access gateway previously advertised, the mobile 1111 access gateway MUST withdraw the prefix by sending a Router 1112 Advertisement message with zero lifetime for the prior advertised 1113 prefix. 1115 If the access link connecting the mobile access gateway and the 1116 mobile node is a point-to-point link, the Router Advertisements 1117 advertising a specific home network prefix is received only by the 1118 respective mobile node and hence there is clearly a unique link for 1119 each mobile node that is attached to that mobile access gateway. 1121 6.7.1. Home Network Prefix Renumbering 1123 If the mobile node's home network prefix gets renumbered or becomes 1124 invalid during the middle of a mobility session, the mobile access 1125 gateway MUST withdraw the prefix by sending a Router Advertisement on 1126 the access link with zero prefix lifetime for the mobile node's home 1127 network prefix. Also, the local mobility anchor and the mobile 1128 access gateway MUST delete the routing state for that prefix. 1129 However, the specific details on how the local mobility anchor 1130 notifies the mobile access gateway is outside the scope of this 1131 document. 1133 6.8. Link-Local and Global Address Uniqueness 1135 A mobile node in the proxy mobile IPv6 domain, as it moves from one 1136 mobile access gateway to the other, it will continue to detect its 1137 home network and thus making the node believe it is still on the same 1138 link. Every time the mobile node attaches to a new link, the event 1139 related to the interface state change, will trigger the mobile node 1140 to perform DAD operation on the link-local and global addresses. 1141 However, if the node is DNAv6 enabled, as specified in [ID-DNAV6], it 1142 may not detect the link change due to DNAv6 optimizations and hence 1143 it will not trigger the duplicate address detection (DAD) procedure 1144 for establishing the link-local address uniqueness on that new link. 1145 Further, if the mobile node uses an interface identifier that is not 1146 based on EUI-64 identifier, such as specified in IPv6 Stateless 1147 Autoconfiguration specification [RFC-2462], there is a possibility, 1148 with the odds of 1 to billion, of a link-local address collision 1149 between the two neighbors, the mobile node and the mobile access 1150 gateway. 1152 One of the workarounds for this issue is to set the DNAv6 1153 configuration parameter, DNASameLinkDADFlag to TRUE and that will 1154 force the mobile node to redo DAD operation every time the interface 1155 comes up, even when DNAv6 does detect a link change . 1157 However, this issues will not impact point-to-point links based on 1158 PPP session. Each time the mobile node moves and attaches to a new 1159 mobile access gateway, either the PPP session [RFC-1661] is 1160 reestablished or the PPP session may be moved as part of context 1161 transfer procedures between the old and the new mobile access 1162 gateway. 1164 When the mobile node tries to establish a PPP session with the mobile 1165 access gateway, the PPP goes through the Network layer Protocol phase 1166 and the IPv6 Control Protocol, IPCP6 [RFC-2472] gets triggered. Both 1167 the PPP peers negotiate a unique identifier using Interface- 1168 Identifier option in IPV6CP and the negotiated identifier is used for 1169 generating a unique link-local address on that link. Now, if the 1170 mobile node moves to a new mobile access gateway, the PPP session 1171 gets torn down with the old mobile access gateway and a new PPP 1172 session gets established with the new mobile access gateway, and the 1173 mobile node obtains a new link-local address. So, even if the mobile 1174 node is DNAv6 capable, the mobile node always configures a new link- 1175 local address when ever it moves to a new link. 1177 If the PPP session state is moved to the new mobile access gateway, 1178 as part of context transfer procedures that are in place, there will 1179 not be any change to the interface identifiers of the two nodes on 1180 that point-to-point change. The whole link is moved to the new 1181 mobile access gateway and there will not be any need for establishing 1182 link-local address uniqueness on that link. 1184 This issue is not relevant to the mobile node's global address. 1185 Since, there is a unique home network prefix for each mobile node, 1186 the uniqueness for the mobile node's global address is ensured on the 1187 access link. 1189 6.9. Signaling Considerations 1191 6.9.1. Initial Attachment and binding registration 1193 After detecting a new mobile node on its access link after a 1194 successful access authentication and authorization, the mobile access 1195 gateway MUST send a Proxy Binding Update message to the mobile node's 1196 local mobility anchor. 1198 The Proxy Binding Update message must be constructed as shown below. 1200 IPv6 header (src=Proxy-CoA, dst=LMAA) 1201 Mobility header 1202 -BU /*P flag is set*/ 1203 Mobility Options 1204 - Home Network Prefix Option* 1205 - TimeStamp Option (optional) 1206 - NAI Option 1208 *Home Network Prefix option may contain 0::/0 or a specific prefix. 1210 Proxy Binding Update message contents 1212 The Proxy Binding Update message that the mobile access gateway sends 1213 to the mobile node's local mobility anchor MUST have the NAI option, 1214 identifying the mobile node, the Home Network Prefix option and 1215 optionally the Time Stamp option SHOULD be present. The Time Stamp 1216 option is not required if the mobile access gateway can send a valid 1217 sequence number that matches the sequence number maintained by the 1218 local mobility anchor for that mobile node in its binding cache 1219 entry. The message MUST be protected by using IPsec ESP, using the 1220 security association existing between the local mobility anchor and 1221 the mobile access gateway, created either dynamically or statically. 1223 If the mobile access gateway learns the mobile node's home network 1224 prefix either from its policy store or from other means, the mobile 1225 access gateway MAY choose to specify the same in the Home Network 1226 Prefix option for requesting the local mobility anchor to register 1227 that prefix. If the specified value is 0::/0, then the local 1228 mobility anchor will allocate a prefix to the mobile node. 1230 After receiving a Proxy Binding Acknowledgment with the status code 1231 indicating the acceptance of the Proxy Binding Update, the mobile 1232 access gateway MUST setup a tunnel to the mobile node's local 1233 mobility anchor, as explained in section 6.10. The mobile access 1234 gateway MUST also add a policy route for tunneling all the packets 1235 that it receives from the mobile node to its local mobility anchor. 1237 If the local mobility anchor rejects the Proxy Binding Update 1238 message, the mobile access gateways MUST NOT advertise the mobile 1239 node's home prefix on the access link and there by denying mobility 1240 service to the mobile node. 1242 6.9.2. Extending the binding lifetime 1244 For extending the lifetime of a currently existing binding at the 1245 local mobility, the mobile access gateway MUST send a Proxy Binding 1246 Update message with a specific lifetime. The message MUST be 1247 constructed as specified in Section 6.9.1. 1249 6.9.3. De-registration of the binding 1251 At any point, the mobile access gateway detects that the mobile node 1252 has moved away from its access link, it MUST send a Proxy Binding 1253 Update message to the mobile node's local mobility anchor with the 1254 lifetime value set to zero. The message MUST be constructed as 1255 specified in Section 6.9.1. 1257 The mobile access gateway MUST also remove the default route over the 1258 tunnel for that mobile node and delete the Binding Update List for 1259 that mobile node, either upon receiving an Proxy Binding 1260 Acknowledgment message from the local mobility anchor or after a 1261 certain timeout waiting for the acknowledgment message. 1263 6.10. Routing Considerations 1265 This section describes how the mobile access gateway handles the 1266 traffic to/from the mobile node that is attached to one of its access 1267 interface. 1269 Proxy-CoA LMAA 1270 | | 1271 +--+ +---+ +---+ +--+ 1272 |MN|----------|MAG|======================|LMA|----------|CN| 1273 +--+ +---+ +---+ +--+ 1274 IPv6 Tunnel 1276 6.10.1. Transport Network 1278 The transport network between the local mobility anchor and the 1279 mobile access can be either an IPv6 or IPv4 network. However, this 1280 specification only deals with the scenario where the transport 1281 network between the mobility entities is IPv6-only and requires 1282 reachability between the local mobility anchor and the mobile access 1283 gateway over IPv6 transport. Just as in Mobile IPv6 specification 1284 [RFC-3775], the negotiated tunnel transport between the local 1285 mobility anchor and the mobile access gateway is IPv6, by default. 1286 The companion document, IPv4 support for Proxy Mobile IPv6 [IPv4- 1287 PMIP6-SPEC] specifies the required extensions for negotiating IPv4 1288 tunneling mechanism and a specific encapsulation mode for supporting 1289 this protocol operation over IPv4 transport network. 1291 6.10.2. Tunneling & Encapsulation Modes 1293 The IPv6 address that a mobile node uses from its home network prefix 1294 is topologically anchored at the local mobility anchor. For a mobile 1295 node to use this address from an access network attached to a mobile 1296 access gateway, proper tunneling techniques have to be in place. 1297 Tunneling hides the network topology and allows the mobile node's 1298 IPv6 datagrams to be encapsulated as a payload of another IPv6 packet 1299 and be routed between the local mobility anchor and the mobile access 1300 gateway. The Mobile IPv6 base specification [RFC-3775] defines the 1301 use of IPv6-over-IPv6 tunneling, between the home agent and the 1302 mobile node and this specification extends the use of the same 1303 tunneling mechanism between the local mobility anchor and the mobile 1304 access gateway. 1306 On most operating systems, tunnels are implemented as a virtual 1307 point-to-point interface. The source and the destination address of 1308 the two end points of this virtual interface along with the 1309 encapsulation mode are specified for this virtual interface. Any 1310 packet that is routed over this interface, get encapsulated with the 1311 outer header and the addresses as specified for that point to point 1312 tunnel interface. For creating a point to point tunnel to any local 1313 mobility anchor, the mobile access gateway may implement a tunnel 1314 interface with the source address field set to its Proxy-CoA address 1315 and the destination address field set to the LMA address. 1317 The following are the supported packet encapsulation modes that can 1318 be used by the mobile access gateway and the local mobility anchor 1319 for routing mobile node's IPv6 datagrams. 1321 o IPv6-In-IPv6 - IPv6 datagram encapsulated in an IPv6 packet. This 1322 mechanism is defined in the Generic Packet Tunneling for IPv6 1323 specification [RFC-2473]. 1325 o IPv6-In-IPv4 - IPv6 datagram encapsulation in an IPv4 packet. The 1326 details related to this encapsulation mode and the specifics on 1327 how this mode is negotiated is specified in the companion 1328 document, IPv4 support for Proxy Mobile IPv6 [ID-IPv4-PMIP6]. 1330 o IPv6-In-IPv4-UDP - IPv6 datagram encapsulation in an IPv4 UDP 1331 packet. The details related to this mode are covered in the 1332 companion document, IPv4 support for Proxy Mobile IPv6 [IPv4- 1333 PMIP6-SPEC]. 1335 6.10.3. Routing State 1337 The following section explain the routing state for a mobile node on 1338 the mobile access gateway. This routing state reflects only one 1339 specific way of implementation and one MAY choose to implement it in 1340 other ways. The policy based route defined below acts as a traffic 1341 selection rule for routing a mobile node's traffic through a specific 1342 tunnel created between the mobile access gateway and that mobile 1343 node's local mobility anchor and with the specific encapsulation 1344 mode, as negotiated. 1346 The below example identifies the routing state for two visiting 1347 mobile nodes, MN1 and MN2 with their respective local mobility 1348 anchors LMA1 and LMA2. 1350 For all traffic from the mobile node, identified by the mobile node's 1351 MAC address, ingress interface or source prefix (MN-HNP) to 1352 _ANY_DESTINATION_ route via interface tunnel0, next-hop LMAA. 1354 +==================================================================+ 1355 | Packet Source | Destination Address | Destination Interface | 1356 +==================================================================+ 1357 | MAC_Address_MN1, | _ANY_DESTINATION_ | Tunnel0 | 1358 | (IPv6 Prefix or |----------------------------------------------| 1359 | Input Interface) | Locally Connected | Tunnel0 | 1360 +------------------------------------------------------------------+ 1361 | MAC_Address_MN2 | _ANY_DESTINATION_ | Tunnel1 | 1362 + -----------------------------------------------| 1363 | | Locally Connected | direct | 1364 +------------------------------------------------------------------+ 1366 Example - Policy based Route Table 1368 +==================================================================+ 1369 | Interface | Source Address | Destination Address | Encapsulation | 1370 +==================================================================+ 1371 | Tunnel0 | Proxy-CoA | LMAA1 | IPv6-in-IPv6 | 1372 +------------------------------------------------------------------+ 1373 | Tunnel1 |IPv4-Proxy-CoA | IPv4-LMA2 | IPv6-in-IPv4 | 1374 +------------------------------------------------------------------+ 1376 Example - Tunnel Interface Table 1378 6.10.4. Local Routing 1380 If there is data traffic between a visiting mobile node and a 1381 corresponding node that is locally attached to an access link 1382 connected to the mobile access gateway, the mobile access gateway MAY 1383 optimize on the delivery efforts by locally routing the packets and 1384 by not reverse tunneling them to the mobile node's local mobility 1385 anchor. However, this has an implication on the mobile node's 1386 accounting and policy enforcement as the local mobility anchor is not 1387 in the path for that traffic and it will not be able to apply any 1388 traffic policies or do any accounting for those flows. 1390 This decision of path optimization SHOULD be based on the configured 1391 policy configured on the mobile access gateway, but enforced by the 1392 mobile node's local mobility anchor. The specific details on how 1393 this is achieved is beyond of the scope of this document. 1395 6.10.5. Tunnel Management 1397 All the considerations mentioned in Section 5.2, for the tunnel 1398 management on the local mobility anchor apply for the mobile access 1399 gateway as well. 1401 As explained in Section 5.2, the life of the Proxy Mobile IPv6 tunnel 1402 should not be based on a single visiting mobile node's lifetime. The 1403 tunnel may get created as part of creating a mobility state for a 1404 visiting mobile node and later the same tunnel may be associated with 1405 other mobile nodes. So, the tearing down logic of the tunnel must be 1406 based on the number of visitors over that tunnel. 1408 6.10.6. Forwarding Rules 1410 Upon receipt of an encapsulated packet sent to its configured Proxy- 1411 CoA address i.e. on receiving a packet from a tunnel, the mobile 1412 access gateway MUST use the destination address of the inner packet 1413 for forwarding it to the interface where the prefix for that address 1414 is hosted. The mobile access gateway MUST remove the outer header 1415 before forwarding the packet. If the mobile access gateway cannot 1416 find the connected interface for that destination address, it MUST 1417 silently drop the packet. For reporting an error in such scenario, 1418 in the form of ICMP control message, the considerations from Generic 1419 Packet Tunneling specification [RFC-2473] apply. 1421 On receiving a packet from a mobile node connected to its access 1422 link, the mobile access gateway MUST ensure that there is an 1423 established binding for that mobile node with its local mobility 1424 anchor before forwarding the packet directly to the destination or 1425 before tunneling the packet to the mobile node's local mobility 1426 anchor. 1428 On receiving a packet from a mobile node connected to its access 1429 link, to a destination that is locally connected, the mobile access 1430 gateway MUST check the configuration variable, EnableMAGLocalRouting, 1431 to ensure the mobile access gateway is allowed to route the packet 1432 directly to the destination. If the mobile access gateway is not 1433 allowed to route the packet directly, it MUST route the packet 1434 through the bi-directional tunnel established between itself and the 1435 mobile's local mobility anchor. 1437 On receiving a packet from the mobile node to any destination i.e. 1438 not directly connected to the mobile access gateway, the packet MUST 1439 be forwarded to the local mobility anchor through the bi-directional 1440 tunnel established between itself and the mobile's local mobility 1441 anchor. However, the packets that are sent with the link-local 1442 source address MUST not be forwarded. 1444 6.11. Interaction with DHCP Relay Agent 1446 If Stateful Address Configuration using DHCP is supported on the link 1447 on which the mobile node is attached, the DHCP relay agent [RFC-3315] 1448 needs to be configured on the access router. When the mobile node 1449 sends a DHCPv6 Request message, the relay agent function on the 1450 access router MUST set the link-address field in the DHCPv6 message 1451 to the mobile node's home network prefix, so as to provide a prefix 1452 hint to the DHCP Server. Since, the access link is a point-to-point 1453 link with the configured mobile node's prefix as the on-link prefix, 1454 the normal DHCP relay agent configuration on the MAG will ensure the 1455 prefix hint is set to the mobile node's home network prefix. 1457 6.12. Mobile Node Detachment Detection and Resource Cleanup 1459 Before sending a Proxy Binding Update message to the local mobility 1460 anchor for extending the lifetime of a currently existing binding of 1461 a mobile node, the mobile access gateway MUST make sure the mobile 1462 node is still attached to the connected link by using some reliable 1463 method. If the mobile access gateway cannot predictably detect the 1464 presence of the mobile node on the connected link, it MUST NOT 1465 attempt to extend the registration lifetime of the mobile node. 1466 Further, in such scenario, the mobile access gateway MUST terminate 1467 the binding of the mobile node by sending a Proxy Binding Update 1468 message to the mobile node's local mobility anchor with lifetime 1469 value set to 0. It MUST also remove any local state such as the 1470 Binding Update List created for that mobile node. 1472 The specific detection mechanism of the loss of a visiting mobile 1473 node on the connected link is specific to the access link between the 1474 mobile node and the mobile access gateway and is outside the scope of 1475 this document. Typically, there are various link-layer specific 1476 events specific to each access technology that the mobile access 1477 gateway can depend on for detecting the node loss. In general, the 1478 mobile access gateway can depend on one or more of the following 1479 methods for the detection presence of the mobile node on the 1480 connected link: 1482 o Link-layer event specific to the access technology 1484 o PPP Session termination event on point-to-point link types 1486 o IPv6 Neighbor Unreachability Detection event from IPv6 stack 1488 o Notification event from the local mobility anchor 1490 o Absence of data traffic from the mobile node on the link for a 1491 certain duration of time 1493 6.13. Allowing network access to other IPv6 nodes 1495 In some proxy mobile IPv6 deployments, network operators may want to 1496 provision the mobile access gateway to offer network-based mobility 1497 management service only to some visiting mobile nodes and enable just 1498 regular IPv6/IPv4 access to some other nodes attached to that mobile 1499 access gateway. This requires the network to have the control on 1500 when to enable network-based mobility management service to a mobile 1501 node and when to enabled a regular IPv6 access. This specification 1502 does not disallow such configuration. 1504 Upon obtaining the mobile node's profile after a successful access 1505 authentication and after a policy consideration, the mobile access 1506 gateway MUST determine if the network based mobility service should 1507 be offered to that mobile node. If the mobile node is entitled for 1508 such service, then the mobile access gateway must ensure the mobile 1509 node believes it is on its home link, as explained in various 1510 sections of this specification. 1512 If the mobile node is not entitled for the network-based mobility 1513 management service, as enforced by the policy, the mobile access 1514 gateway MAY choose to offer regular IPv6 access to the mobile node 1515 and hence the normal IPv6 considerations apply. If IPv6 access is 1516 enabled, the mobile node SHOULD be able to obtain any IPv6 address 1517 using normal IPv6 address configuration mechanisms. The obtained 1518 address must be from a local visitor network prefix. This 1519 essentially ensures, the mobile access gateway functions as any other 1520 access router and does not impact the protocol operation of a mobile 1521 node attempting to use host-based mobility management service when it 1522 attaches to an access link connected to a mobile access gateway in a 1523 proxy mobile IPv6 domain. 1525 7. Mobile Node Operation 1527 This non-normative section discusses the mobile node's operation in a 1528 Proxy Mobile IPv6 domain. 1530 Once the mobile node enters a Proxy Mobile IPv6 domain and attaches 1531 to an access network and after the access authentication, the network 1532 ensures, the mobile using any of the address configuration mechanisms 1533 permitted by the network for that mobile node, will be able to obtain 1534 an address and move anywhere in that proxy mobile IPv6 domain. From 1535 the perspective of the mobile, the entire proxy mobile IPv6 domain 1536 appears as a single link, the network ensures the mobile believes it 1537 is always on the same link. 1539 The mobile node can be operating in an IPv4-only mode, IPv6-only mode 1540 or in dual IPv4/IPv6 mode. However, the specific details on how the 1541 IPv4 network-based mobility management service is offered to the 1542 mobile node is specified in the companion document, IPv4 Support for 1543 Proxy Mobile IPv6 [ID-IPV4-PMIP6]. 1545 Typically, the configured policy in the network determines if the 1546 mobile node is authorized for IPv6, IPv4 or IPv6/IPv4 home address 1547 mobility. If the configured policy for a mobile node is for IPv6- 1548 only home address mobility, the mobile node will be able to obtain 1549 its IPv6 home address, any where in that Proxy Mobile IPv6 domain, 1550 otherwise the obtained address will be from a local prefix and not 1551 from a prefix that is topologically anchored at the local mobility 1552 anchor and hence the mobile will loose that address after it moves to 1553 a new link. 1555 7.1. Booting up in a Proxy Mobile IPv6 Domain 1557 When a mobile node moves into a proxy mobile IPv6 domain and attaches 1558 to an access link, the mobile node will present its identity, MN- 1559 Identity, to the network as part of the access authentication 1560 procedure. Once the authentication procedure is complete and the 1561 mobile node is authorized to access the network, the network or 1562 specifically the mobile access gateway on the access link will have 1563 the mobile node's profile and so it would know the mobile node's home 1564 network prefix and the permitted address configuration modes. The 1565 mobile node's home network prefix may also be dynamically assigned by 1566 the mobile node's local mobility anchor and the same may be learnt by 1567 the mobile access gateway. 1569 If the mobile node is IPv6 enabled, on attaching to the link and 1570 after access authentication, the mobile node typically would send a 1571 Router Solicitation message. The mobile access gateway on the 1572 attached link will respond to the Router Solicitation message with a 1573 Router Advertisement. The Router Advertisement will have the mobile 1574 node's home network prefix, default-router address and other address 1575 configuration parameters. The address configuration parameters such 1576 as Managed Address Configuration, Stateful Configuration flag values 1577 will typically be consistent through out that domain for that mobile 1578 node. 1580 If the Router Advertisement has the Managed Address Configuration 1581 flag set, the mobile node, as it would normally do, will send a 1582 DHCPv6 Request and the mobile access gateway on that access link will 1583 ensure, the mobile node gets an address from its home network prefix 1584 as a lease from the DHCP server. 1586 If the Router Advertisement does not have the Managed Address 1587 Configuration flag set and if the mobile node is allowed to use an 1588 autoconfigured address, the mobile node will generate an interface 1589 identifier, as per the Autoconf specification [RFC-2462] or using 1590 privacy extensions as specified in Privacy Extensions specification 1591 [RFC-3041]. 1593 If the mobile node is IPv4 enabled or IPv4-only enabled, the mobile 1594 node after the access authentication, will be able to obtain the IPv4 1595 address configuration for the connected interface by using DHCPv4. 1597 Once the address configuration is complete, the mobile node can 1598 continue to use the obtained address configuration as long as it is 1599 with in the scope of that Proxy Mobile IPv6 domain. 1601 7.2. Roaming in the Proxy Mobile IPv6 Network 1603 After booting in the Proxy Mobile IPv6 domain and obtaining the 1604 address configuration, the mobile node as it roams in the network 1605 between access links, will always detect its home network prefix on 1606 the link, as long as the attached access network is in the scope of 1607 that Proxy Mobile IPv6 domain. The mobile node can continue to use 1608 its IPv4/IPv6 MN-HoA for sending and receiving packets. If the 1609 mobile node uses DHCP for address configuration, it will always be 1610 able to obtain its MN-HoA using DHCP. However, the mobile node will 1611 always detect a new default-router on each connected link, but still 1612 advertising the mobile node's home network prefix as the on-link 1613 prefix and with the other configuration parameters consistent with 1614 its home link properties. 1616 7.3. IPv6 Host Protocol Parameters 1618 This specification assumes the mobile node to be a normal IPv6 node, 1619 with its protocol operation consistent with the base IPv6 1620 specification [RFC-2460]. All aspects of Neighbor Discovery 1621 Protocol, including Router Discovery, Neighbor Discovery, Address 1622 Configuration procedures will just remain consistent with the base 1623 IPv6 Neighbor Discovery Specification [RFC-2461]. However, this 1624 specification recommends that the following IPv6 operating parameters 1625 on the mobile node be adjusted to the below recommended values for 1626 protocol efficiency and for achieving faster hand-offs. 1628 Lower Default-Router List Cache Time-out: 1630 As per the base IPv6 specification [RFC-2460], each IPv6 host will 1631 maintain certain host data structures including a Default-Router 1632 list. This is the list of on-link routers that have sent Router 1633 Advertisement messages and are eligible to be default routers on that 1634 link. The Router Lifetime field in the received Router Advertisement 1635 defines the life of this entry. 1637 In the Proxy Mobile IPv6 scenario, when the mobile node moves from 1638 one link to another, the received Router Advertisement messages 1639 advertising the mobile's home network prefix will be from a different 1640 link-local address and thus making the mobile node believe that there 1641 is a new default-router on the link. It is important that the mobile 1642 node uses the newly learnt default-router as supposed to the 1643 previously learnt default-router. The mobile node must update its 1644 default-router list with the new default router entry and must age 1645 out the previously learnt default router entry from its cache, just 1646 as specified in Section 6.3.5 of the base IPv6 ND specification [RFC- 1647 2461]. This action is critical for minimizing packet losses during a 1648 hand off switch. 1650 On detecting a reachability problem, the mobile node will certainly 1651 detect the neighbor or the default-router unreachability by 1652 performing a Neighbor Unreachability Detection procedure, but it is 1653 important that the mobile node times out the previous default router 1654 entry at the earliest. If a given IPv6 host implementation has the 1655 provision to adjust these flush timers, still conforming to the base 1656 IPv6 ND specification, it is desirable to keep the flush-timers to 1657 suit the above consideration. 1659 However, if the mobile access gateway has the ability to withdraw the 1660 previous default-router entry, by sending a Router Advertisement 1661 using the link-local address that of the previous mobile access 1662 gateway and with the Router Lifetime field set to value 0, then it is 1663 possible to force the flush of the Previous Default-Router entry from 1664 the mobile node's cache. This certainly requires some context- 1665 transfer mechanisms in place for notifying the link-local address of 1666 the default-router on the previous link to the mobile access gateway 1667 on the new link. 1669 There are other solutions possible for this problem, including the 1670 assignment of a unique link-local address for all the mobile access 1671 gateways in a Proxy Mobile IPv6 domain. In any case, this is an 1672 implementation choice and has no bearing on the protocol 1673 interoperability. Implementations are free to adopt the best 1674 approach that suits their target deployments. 1676 8. Message Formats 1678 This section defines extensions to the Mobile IPv6 [RFC-3775] 1679 protocol messages. 1681 8.1. Proxy Binding Update 1683 0 1 2 3 1684 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1685 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1686 | Sequence # | 1687 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1688 |A|H|L|K|M|R|P| Reserved | Lifetime | 1689 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1690 | | 1691 | | 1692 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1694 Figure 9: Proxy Binding Update Message 1696 A Binding Update message that is sent by mobile access gateway is 1697 referred to as the Proxy Binding Update message. 1699 Proxy Registration Flag (P) 1701 The Proxy Registration Flag is set to indicate to the local mobility 1702 anchor that the Binding Update is from a mobile access gateway acting 1703 as a proxy mobility agent. The flag MUST be set to the value of 1 1704 for proxy registrations and MUST be set to 0 for direct registrations 1705 sent by a mobile node when using host-base mobility. 1707 For descriptions of other fields present in this message, refer to 1708 the section 6.1.7 of Mobile IPv6 specification [RFC3775]. 1710 8.2. Proxy Binding Acknowledgment 1712 0 1 2 3 1713 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1714 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1715 | Status |K|R|P|Reserved | 1716 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1717 | Sequence # | Lifetime | 1718 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1719 | | 1720 | | 1721 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1723 Figure 10: Proxy Binding Acknowledgment Message 1725 A Binding Acknowledgment message that is sent by the local mobility 1726 anchor to the mobile access gateway is referred to as "Proxy Binding 1727 Acknowledgement". 1729 Proxy Registration Flag (P) 1731 A new flag (P) is included in the Binding Acknowledgement message to 1732 indicate that the local mobility anchor that processed the 1733 corresponding Proxy Binding Update message supports Proxy 1734 Registrations. The flag is set only if the corresponding Proxy 1735 Binding Update had the Proxy Registration Flag (P) set to value of 1. 1736 The rest of the Binding Acknowledgement format remains the same, as 1737 defined in [RFC-3775]. 1739 For descriptions of other fields present in this message, refer to 1740 the section 6.1.8 of Mobile IPv6 specification [RFC3775]. 1742 8.3. Home Network Prefix Option 1744 A new option, Home Network Prefix Option is defined for using it in 1745 the Proxy Binding Update and Acknowledgment messages exchanged 1746 between the local mobility anchor and the mobile access gateway. 1747 This option can be used for exchanging the mobile node's home network 1748 prefix information. 1750 The home network prefix Option has an alignment requirement of 8n+4. 1751 Its format is as follows: 1753 0 1 2 3 1754 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1755 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1756 | Type | Length | Reserved | Prefix Length | 1757 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1758 | | 1759 + + 1760 | | 1761 + Home Network Prefix + 1762 | | 1763 + + 1764 | | 1765 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1767 Type 1768 1770 Length 1772 8-bit unsigned integer indicating the length in octets of 1773 the option, excluding the type and length fields. This field 1774 MUST be set to 18. 1776 Reserved 1778 This field is unused for now. The value MUST be initialized 1779 to 0 by the sender and MUST be ignored by the receiver. 1781 Prefix Length 1783 8-bit unsigned integer indicating the prefix length of the 1784 IPv6 prefix contained in the option. 1786 Home Network Prefix 1788 A sixteen-byte field containing the mobile node's IPv6 Home 1789 Network Prefix. 1791 Figure 11: Home Network Prefix Option 1793 8.4. Time Stamp Option 1795 A new option, Time Stamp Option is defined for use in the Proxy 1796 Binding Update and Acknowledgement messages. This option can be used 1797 in Proxy Binding Update and Proxy Binding Acknowledgement messages. 1799 0 1 2 3 1800 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1801 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1802 | Option Type | Option Length | 1803 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1804 | | 1805 + Timestamp + 1806 | | 1807 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1809 Type 1810 1812 Length 1814 8-bit unsigned integer indicating the length in octets of 1815 the option, excluding the type and length fields. This field 1816 MUST be set to 8. 1818 Timestamp 1820 64-bit time stamp 1822 Figure 12: Time Stamp Option 1824 8.5. Status Codes 1826 This document defines the following new Binding Acknowledgement 1827 status values: 1829 145: Proxy Registration not supported by the local mobility anchor 1831 146: Proxy Registrations from this mobile access gateway not allowed 1833 147: Home Network prefix for this NAI is not configured and the Home 1834 Network Prefix Option not present in the Proxy Binding Update. 1836 148: Invalid Time Stamp Option in the received Proxy Binding Update 1837 message. 1839 Status values less than 128 indicate that the Binding Update was 1840 processed successfully by the receiving nodes. Values greater than 1841 128 indicate that the Binding Update was rejected by the local 1842 mobility anchor. 1844 The value allocation for this usage needs to be approved by the IANA 1845 and must be updated in the IANA registry. 1847 9. Protocol Configuration Variables 1849 The mobile access gateway MUST allow the following variables to be 1850 configured by the system management. 1852 EnableMAGLocalrouting 1854 This flag indicates whether or not the mobile access gateway is 1855 allowed to enable local routing of the traffic exchanged between a 1856 visiting mobile node and a corresponding node that is locally 1857 connected to one of the interfaces of the mobile access gateway. The 1858 corresponding node can be another visiting mobile node as well, or a 1859 local fixed node. 1861 The default value for this flag is set to "FALSE", indicating that 1862 the mobile access gateway MUST reverse tunnel all the traffic to the 1863 mobile node's local mobility anchor. 1865 When the value of this flag is set to "TRUE", the mobile access 1866 gateway MUST route the traffic locally. 1868 This aspect of local routing MAY be defined as policy on a per mobile 1869 basis and when present will take precedence over this flag. 1871 10. IANA Considerations 1873 This document defines a two new Mobility Header Options, the Home 1874 Network Prefix Option and the Time Stamp Option. These options are 1875 described in Sections 8.3 and 8.5 respectively. The Type value for 1876 these options needs to be assigned from the same numbering space as 1877 allocated for the other mobility options, as defined in [RFC-3775]. 1879 This document also defines new Binding Acknowledgement status values 1880 as described in Section 8.5. The status values MUST be assigned from 1881 the same space used for Binding Acknowledgement status values, as 1882 defined in [RFC-3775]. 1884 11. Security Considerations 1886 The potential security threats against any general network-based 1887 mobility management protocol are covered in the document, Security 1888 Threats to Network-Based Localized Mobility Management [RFC-4832]. 1889 This section analyses those vulnerabilities in the context of Proxy 1890 Mobile IPv6 protocol solution and covers all aspects around those 1891 identified vulnerabilities. 1893 A compromised mobile access gateway can potentially send Proxy 1894 Binding Update messages on behalf of the mobile nodes that are not 1895 attached to its access link. This threat is similar to an attack on 1896 a typical routing protocol or equivalent to the compromise of an on- 1897 path router. This threat exists in the network today and this 1898 specification does not make this vulnerability any worse than what it 1899 is. However, to eliminate this vulnerability, the local mobility 1900 anchor before accepting Proxy Binding Update message received from a 1901 mobile access gateway, MUST ensure the mobile node is attached to the 1902 mobile access gateway that sent the Proxy Binding Update message. 1903 This can be achieved using out of band mechanisms and the specifics 1904 of how that is achieved is beyond the scope of this document. 1906 This document does not cover the security requirements for 1907 authorizing the mobile node for the use of the access link. It is 1908 assumed that there are proper Layer-2/Layer-3 based authentication 1909 procedures, such as EAP, are in place and will ensure the mobile node 1910 is properly identified and authorized before permitting it to access 1911 the network. It is further assumed that the same security mechanism 1912 will ensure the mobile session is not hijacked by malicious nodes on 1913 the access link. 1915 This specification requires that all the signaling messages exchanged 1916 between the mobile access gateway and the local mobility anchor MUST 1917 be authenticated by IPsec [RFC-4301]. The use of IPsec to protect 1918 Mobile IPv6 signaling messages is described in detail in the HA-MN 1919 IPsec specification [RFC-3776] and the applicability of that security 1920 model to Proxy Mobile IPv6 protocol is covered in Section 4.0 of this 1921 document. 1923 As described in the base Mobile IPv6 specification [RFC-3775], both 1924 the mobile node (in case of Proxy Mobile IPv6, its the mobile access 1925 gateway) and the local mobility anchor MUST support and SHOULD use 1926 the Encapsulating Security Payload (ESP) header in transport mode and 1927 MUST use a non-NULL payload authentication algorithm to provide data 1928 origin authentication, data integrity and optional anti-replay 1929 protection. 1931 The proxy solution allows one device creating a routing state for 1932 some other device at the local mobility anchor. It is important that 1933 the local mobility anchor has proper authorization services in place 1934 to ensure a given mobile access gateway is permitted to be a proxy 1935 for a specific mobile node. If proper security checks are not in 1936 place, a malicious node may be able to hijack a session or may do a 1937 denial-of-service attacks. 1939 12. Acknowledgements 1941 The authors would like to specially thank Julien Laganier, Christian 1942 Vogt, Pete McCann, Brian Haley, Ahmad Muhanna, JinHyeock Choi for 1943 their thorough review of this document. 1945 The authors would also like to thank the Gerardo Giaretta, Kilian 1946 Weniger, Alex Petrescu, Mohamed Khalil, Fred Templing, Nishida 1947 Katsutoshi, James Kempf, Vidya Narayanan, Henrik Levkowetz, Phil 1948 Roberts, Jari Arkko, Ashutosh Dutta, Hesham Soliman, Behcet Sarikaya, 1949 George Tsirtsis and many others for their passionate discussions in 1950 the working group mailing list on the topic of localized mobility 1951 management solutions. These discussions stimulated much of the 1952 thinking and shaped the draft to the current form. We acknowledge 1953 that ! 1955 The authors would also like to thank Ole Troan, Akiko Hattori, Parviz 1956 Yegani, Mark Grayson, Michael Hammer, Vojislav Vucetic, Jay Iyer and 1957 Tim Stammers for their input on this document. 1959 13. References 1961 13.1. Normative References 1963 [RFC-1305] Mills, D., "Network Time Protocol (Version 3) 1964 Specification, Implementation", RFC 1305, March 1992. 1966 [RFC-2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1967 (IPv6) Specification", RFC 2460, December 1998. 1969 [RFC-2461] Narten, T., Nordmark, E. and W. Simpson, "Neighbor 1970 Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998. 1972 [RFC-2462] Thompson, S., Narten, T., "IPv6 Stateless Address 1973 Autoconfiguration", RFC 2462, December 1998. 1975 [RFC-2473] Conta, A. and S. Deering, "Generic Packet Tunneling in 1976 IPv6 Specification", RFC 2473, December 1998. 1978 [RFC-3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and 1979 M.Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", 1980 RFC 3315, July 2003. 1982 [RFC-3775] Johnson, D., Perkins, C., Arkko, J., "Mobility Support in 1983 IPv6", RFC 3775, June 2004. 1985 [RFC-3776] Arkko, J., Devarapalli, V., and F. Dupont, "Using IPsec to 1986 Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents", 1987 RFC 3776, June 2004. 1989 [RFC-4283] Patel, A., Leung, K., Khalil, M., Akhtar, H., and K. 1990 Chowdhury, "Mobile Node Identifier Option for Mobile IPv6", RFC 4283, 1991 November 2005. 1993 [RFC-4301] Kent, S. and Atkinson, R., "Security Architecture for the 1994 Internet Protocol", RFC 4301, December 2005. 1996 [RFC-4303] Kent, S. "IP Encapsulating Security Protocol (ESP)", RFC 1997 4303, December 2005. 1999 [RFC-4306] Kaufman, C, et al, "Internet Key Exchange (IKEv2) 2000 Protocol", RFC 4306, December 2005. 2002 [RFC-4830] Kempf, J., Leung, K., Roberts, P., Nishida, K., Giaretta, 2003 G., Liebsch, M., "Problem Statement for Network-based Localized 2004 Mobility Management", September 2006. 2006 [RFC-4831] Kempf, J., Leung, K., Roberts, P., Nishida, K., Giaretta, 2007 G., Liebsch, M., "Goals for Network-based Localized Mobility 2008 Management", October 2006. 2010 [RFC-4832] Vogt, C., Kempf, J., "Security Threats to Network-Based 2011 Localized Mobility Management", September 2006. 2013 [ID-IPV4-PMIP6] Wakikawa, R. and Gundavelli, S., "IPv4 Support for 2014 Proxy Mobile IPv6", draft-ietf-netlmm-pmip6-ipv4-support-00.txt, May 2015 2007. 2017 [ID-DSMIP6] Soliman, H. et al, "Mobile IPv6 support for dual stack 2018 Hosts and Routers (DSMIPv6)", 2019 draft-ietf-mip6-nemo-v4traversal-03.txt, October 2006. 2021 13.2. Informative References 2023 [RFC-1332] McGregor, G., "The PPP Internet Protocol Control Protocol 2024 (IPCP)", RFC 1332, May 1992. 2026 [RFC-1661] Simpson, W., Ed., "The Point-To-Point Protocol (PPP)", STD 2027 51, RFC 1661, July 1994. 2029 [RFC-2472] Haskin, D. and Allen, E., "IP version 6 over PPP", RFC 2030 2472, December 1998. 2032 [RFC-2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an 2033 IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. 2035 [RFC-3041] Narten, T. and Draves, R., "Privacy Extensions for 2036 Stateless Address Autoconfiguration in IPv6", RFC 3041, January 2001. 2038 [RFC-3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, 2039 August 2002. 2041 [RFC-3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor 2042 Discovery (ND) Trust Models and Threats", RFC 3756, May 2004. 2044 [ID-DNAV6] Kempf, J., et al "Detecting Network Attachment in IPv6 2045 Networks (DNAv6)", draft-ietf-dna-protocol-03.txt, October 2006. 2047 [ID-MIP6-IKEV2] Devarapalli, V. and Dupont, F., "Mobile IPv6 2048 Operation with IKEv2 and the revised IPsec Architecture", 2049 draft-ietf-mip6-ikev2-ipsec-08.txt, December 2006. 2051 Appendix A. Proxy Mobile IPv6 interactions with AAA Infrastructure 2053 Every mobile node that roams in a proxy Mobile IPv6 domain, would 2054 typically be identified by an identifier, MN-Identifier, and that 2055 identifier will have an associated policy profile that identifies the 2056 mobile node's home network prefix, permitted address configuration 2057 modes, roaming policy and other parameters that are essential for 2058 providing network-based mobility service. This information is 2059 typically configured in AAA. It is possible the home network prefix 2060 is dynamically allocated for the mobile node when it boots up for the 2061 first time in the network, or it could be a statically configured 2062 value on per mobile node basis. However, for all practical purposes, 2063 the network entities in the proxy Mobile IPv6 domain, while serving a 2064 mobile node will have access to this profile and these entities can 2065 query this information using RADIUS/DIAMETER protocols. 2067 Appendix B. Supporting Shared-Prefix Model using DHCPv6 2069 For supporting shared-prefix model, i.e, if multiple mobile nodes are 2070 configured with a common IPv6 network prefix, as in Mobile IPv6 2071 specification, it is possible to support that configuration under the 2072 following guidelines: 2074 The mobile node is allowed to use stateful address configuration 2075 using DHCPv6 for obtaining its address configuration. The mobile 2076 nodes is not allowed to use any of the stateless autoconfiguration 2077 techniques. The permitted address configuration models for the 2078 mobile node on the access link can be enforced by the mobile access 2079 gateway, by setting the relevant flags in the Router Advertisements, 2080 as per ND Specification, [RFC-2461]. 2082 The Home Network Prefix Option that is sent by the mobile access 2083 gateway in the Proxy Binding Update message, must contain the 128-bit 2084 host address that the mobile node obtained via DHCPv6. 2086 Routing state at the mobile access gateway: 2088 For all IPv6 traffic from the source MN-HoA::/128 to 2089 _ANY_DESTINATION_, route via tunnel0, next-hop LMAA, where tunnel0 is 2090 the MAG to LMA tunnel. 2092 Routing state at the local mobility anchor: 2094 For all IPv6 traffic to destination MN-HoA::/128, route via tunnel0, 2095 next-hop Proxy-CoA, where tunnel0 is the LMA to MAG tunnel. 2097 Authors' Addresses 2099 Sri Gundavelli 2100 Cisco 2101 170 West Tasman Drive 2102 San Jose, CA 95134 2103 USA 2105 Email: sgundave@cisco.com 2107 Kent Leung 2108 Cisco 2109 170 West Tasman Drive 2110 San Jose, CA 95134 2111 USA 2113 Email: kleung@cisco.com 2114 Vijay Devarapalli 2115 Azaire Networks 2116 4800 Great America Pkwy 2117 Santa Clara, CA 95054 2118 USA 2120 Email: vijay.devarapalli@azairenet.com 2122 Kuntal Chowdhury 2123 Starent Networks 2124 30 International Place 2125 Tewksbury, MA 2127 Email: kchowdhury@starentnetworks.com 2129 Basavaraj Patil 2130 Nokia Siemens Networks 2131 6000 Connection Drive 2132 Irving, TX 75039 2133 USA 2135 Email: basavaraj.patil@nsn.com 2137 Full Copyright Statement 2139 Copyright (C) The IETF Trust (2007). 2141 This document is subject to the rights, licenses and restrictions 2142 contained in BCP 78, and except as set forth therein, the authors 2143 retain all their rights. 2145 This document and the information contained herein are provided on an 2146 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 2147 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 2148 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 2149 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 2150 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 2151 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 2153 Intellectual Property 2155 The IETF takes no position regarding the validity or scope of any 2156 Intellectual Property Rights or other rights that might be claimed to 2157 pertain to the implementation or use of the technology described in 2158 this document or the extent to which any license under such rights 2159 might or might not be available; nor does it represent that it has 2160 made any independent effort to identify any such rights. Information 2161 on the procedures with respect to rights in RFC documents can be 2162 found in BCP 78 and BCP 79. 2164 Copies of IPR disclosures made to the IETF Secretariat and any 2165 assurances of licenses to be made available, or the result of an 2166 attempt made to obtain a general license or permission for the use of 2167 such proprietary rights by implementers or users of this 2168 specification can be obtained from the IETF on-line IPR repository at 2169 http://www.ietf.org/ipr. 2171 The IETF invites any interested party to bring to its attention any 2172 copyrights, patents or patent applications, or other proprietary 2173 rights that may cover technology that may be required to implement 2174 this standard. Please address the information to the IETF at 2175 ietf-ipr@ietf.org. 2177 Acknowledgment 2179 Funding for the RFC Editor function is provided by the IETF 2180 Administrative Support Activity (IASA).