idnits 2.17.1 draft-ietf-netlmm-proxymip6-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 21. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 2515. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 2526. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 2533. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 2539. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC-3775]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: o If the received Proxy Binding Acknowledgement message has the Status field value set to PROXY_REG_NOT_ENABLED (Proxy registration not enabled for the mobile node), the mobile access gateway SHOULD not send binding registration requests again for that mobile node. It must also deny the mobility service to that mobile node. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 11, 2007) is 6071 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2461 (Obsoleted by RFC 4861) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) ** Obsolete normative reference: RFC 3775 (Obsoleted by RFC 6275) ** Obsolete normative reference: RFC 4282 (Obsoleted by RFC 7542) -- Obsolete informational reference (is this intentional?): RFC 2462 (Obsoleted by RFC 4862) -- Obsolete informational reference (is this intentional?): RFC 2472 (Obsoleted by RFC 5072, RFC 5172) -- Obsolete informational reference (is this intentional?): RFC 3041 (Obsoleted by RFC 4941) -- Obsolete informational reference (is this intentional?): RFC 4306 (Obsoleted by RFC 5996) -- Obsolete informational reference (is this intentional?): RFC 2030 (ref. 'RFC-4330') (Obsoleted by RFC 4330) == Outdated reference: A later version (-18) exists of draft-ietf-netlmm-pmip6-ipv4-support-01 == Outdated reference: A later version (-09) exists of draft-ietf-dna-protocol-06 Summary: 6 errors (**), 0 flaws (~~), 4 warnings (==), 13 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETLMM WG S. Gundavelli 3 Internet-Draft K. Leung 4 Intended status: Standards Track Cisco 5 Expires: March 14, 2008 V. Devarapalli 6 Azaire Networks 7 K. Chowdhury 8 Starent Networks 9 B. Patil 10 Nokia Siemens Networks 11 September 11, 2007 13 Proxy Mobile IPv6 14 draft-ietf-netlmm-proxymip6-04.txt 16 Status of this Memo 18 By submitting this Internet-Draft, each author represents that any 19 applicable patent or other IPR claims of which he or she is aware 20 have been or will be disclosed, and any of which he or she becomes 21 aware will be disclosed, in accordance with Section 6 of BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF), its areas, and its working groups. Note that 25 other groups may also distribute working documents as Internet- 26 Drafts. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 The list of current Internet-Drafts can be accessed at 34 http://www.ietf.org/ietf/1id-abstracts.txt. 36 The list of Internet-Draft Shadow Directories can be accessed at 37 http://www.ietf.org/shadow.html. 39 This Internet-Draft will expire on March 14, 2008. 41 Copyright Notice 43 Copyright (C) The IETF Trust (2007). 45 Abstract 47 This specification describes a network-based mobility management 48 protocol. It is called Proxy Mobile IPv6 and is based on Mobile IPv6 50 [RFC-3775]. This protocol enables mobility support to a host without 51 requiring its participation in any mobility related signaling. The 52 design principle in the case of network-based mobility management 53 protocol relies on the network being in control of the mobility 54 management. The mobility entities in the network are responsible for 55 tracking the movements of the host and initiating the required 56 mobility signaling on its behalf. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 61 2. Conventions & Terminology . . . . . . . . . . . . . . . . . . 5 62 2.1. Conventions used in this document . . . . . . . . . . . . 5 63 2.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 64 3. Proxy Mobile IPv6 Protocol Overview . . . . . . . . . . . . . 8 65 4. Proxy Mobile IPv6 Protocol Security . . . . . . . . . . . . . 13 66 4.1. Peer Authorization Database Entries . . . . . . . . . . . 13 67 4.2. Security Policy Database Entries . . . . . . . . . . . . . 14 68 5. Local Mobility Anchor Operation . . . . . . . . . . . . . . . 15 69 5.1. Extensions to Binding Cache Entry Data Structure . . . . . 15 70 5.2. Supported Home Network Prefix Models . . . . . . . . . . . 16 71 5.3. Signaling Considerations . . . . . . . . . . . . . . . . . 16 72 5.4. Timestamp Option for Message Ordering . . . . . . . . . . 21 73 5.5. Routing Considerations . . . . . . . . . . . . . . . . . . 23 74 5.5.1. Bi-Directional Tunnel Management . . . . . . . . . . . 23 75 5.5.2. Forwarding Considerations . . . . . . . . . . . . . . 23 76 5.6. Local Mobility Anchor Address Discovery . . . . . . . . . 24 77 5.7. Mobile Prefix Discovery Considerations . . . . . . . . . . 25 78 5.8. Route Optimizations Considerations . . . . . . . . . . . . 25 79 6. Mobile Access Gateway Operation . . . . . . . . . . . . . . . 25 80 6.1. Extensions to Binding Update List Entry Data Structure . . 26 81 6.2. Mobile Node's Policy Profile . . . . . . . . . . . . . . . 27 82 6.3. Supported Access Link Types . . . . . . . . . . . . . . . 28 83 6.4. Supported Address Configuration Models . . . . . . . . . . 28 84 6.5. Access Authentication & Mobile Node Identification . . . . 28 85 6.6. Acquiring Mobile Node's Identifier . . . . . . . . . . . . 29 86 6.7. Home Network Emulation . . . . . . . . . . . . . . . . . . 29 87 6.8. Link-Local and Global Address Uniqueness . . . . . . . . . 30 88 6.9. Signaling Considerations . . . . . . . . . . . . . . . . . 31 89 6.9.1. Binding Registrations . . . . . . . . . . . . . . . . 31 90 6.9.2. Router Solicitation Messages . . . . . . . . . . . . . 34 91 6.9.3. Retransmissions and Rate Limiting . . . . . . . . . . 35 92 6.10. Routing Considerations . . . . . . . . . . . . . . . . . . 35 93 6.10.1. Transport Network . . . . . . . . . . . . . . . . . . 36 94 6.10.2. Tunneling & Encapsulation Modes . . . . . . . . . . . 36 95 6.10.3. Routing State . . . . . . . . . . . . . . . . . . . . 37 96 6.10.4. Local Routing . . . . . . . . . . . . . . . . . . . . 38 97 6.10.5. Tunnel Management . . . . . . . . . . . . . . . . . . 38 98 6.10.6. Forwarding Rules . . . . . . . . . . . . . . . . . . . 38 99 6.11. Interaction with DHCP Relay Agent . . . . . . . . . . . . 40 100 6.12. Home Network Prefix Renumbering . . . . . . . . . . . . . 40 101 6.13. Mobile Node Detachment Detection and Resource Cleanup . . 40 102 6.14. Allowing network access to other IPv6 nodes . . . . . . . 41 103 7. Mobile Node Operation . . . . . . . . . . . . . . . . . . . . 42 104 7.1. Moving into a Proxy Mobile IPv6 Domain . . . . . . . . . . 42 105 7.2. Roaming in the Proxy Mobile IPv6 Domain . . . . . . . . . 43 106 7.3. IPv6 Host Protocol Parameters . . . . . . . . . . . . . . 43 107 8. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 44 108 8.1. Proxy Binding Update Message . . . . . . . . . . . . . . . 45 109 8.2. Proxy Binding Acknowledgement Message . . . . . . . . . . 46 110 8.3. Home Network Prefix Option . . . . . . . . . . . . . . . . 46 111 8.4. Link-local Address Option . . . . . . . . . . . . . . . . 47 112 8.5. Timestamp Option . . . . . . . . . . . . . . . . . . . . . 48 113 8.6. Status Values . . . . . . . . . . . . . . . . . . . . . . 49 114 9. Protocol Configuration Variables . . . . . . . . . . . . . . . 50 115 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 51 116 11. Security Considerations . . . . . . . . . . . . . . . . . . . 51 117 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 52 118 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 53 119 13.1. Normative References . . . . . . . . . . . . . . . . . . . 53 120 13.2. Informative References . . . . . . . . . . . . . . . . . . 54 121 Appendix A. Proxy Mobile IPv6 interactions with AAA 122 Infrastructure . . . . . . . . . . . . . . . . . . . 55 123 Appendix B. Supporting Shared-Prefix Model using DHCPv6 . . . . . 55 124 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 56 125 Intellectual Property and Copyright Statements . . . . . . . . . . 57 127 1. Introduction 129 Mobile IPv6 [RFC-3775] is the enabler for IPv6 mobility. It requires 130 Mobile IPv6 client functionality in the IPv6 stack of a mobile node. 131 Signaling between the mobile node and home agent enables the creation 132 and maintenance of a binding between the mobile node's home address 133 and care-of-address. Mobile IPv6 has been designed to be an integral 134 part of the IPv6 stack in a host. However there exist IPv6 stacks 135 today that do not have Mobile IPv6 functionality and there would 136 likely be IPv6 stacks without Mobile IPv6 client functionality in the 137 future as well. It is desirable to support IP mobility for all hosts 138 irrespective of the presence or absence of mobile IPv6 functionality 139 in the IPv6 stack. 141 It is possible to support mobility for IPv6 nodes by extending Mobile 142 IPv6 [RFC-3775] signaling and reusing the home agent via a proxy 143 mobility agent in the network. This approach to supporting mobility 144 does not require the mobile node to be involved in the signaling 145 required for mobility management. The proxy mobility agent in the 146 network performs the signaling and does the mobility management on 147 behalf of the mobile node. Because of the use and extension of 148 Mobile IPv6 signaling and home agent functionality, this protocol is 149 referred to as Proxy Mobile IPv6 (PMIPv6). 151 Network deployments which are designed to support mobility would be 152 agnostic to the capability in the IPv6 stack of the nodes which it 153 serves. IP mobility for nodes which have mobile IP client 154 functionality in the IPv6 stack as well as those hosts which do not, 155 would be supported by enabling Proxy Mobile IPv6 protocol 156 functionality in the network. The advantages of developing a network 157 based mobility protocol based on Mobile IPv6 are: 159 o Reuse of home agent functionality and the messages/format used in 160 mobility signaling. Mobile IPv6 is a mature protocol with several 161 implementations that have been through interoperability testing. 163 o A common home agent would serve as the mobility agent for all 164 types of IPv6 nodes. 166 o Addresses a real deployment need. 168 The problem statement and the need for a network based mobility 169 protocol solution has been documented in [RFC-4830]. Proxy Mobile 170 IPv6 is a solution that addresses these issues and requirements. 172 2. Conventions & Terminology 174 2.1. Conventions used in this document 176 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 177 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 178 document are to be interpreted as described in RFC 2119 [RFC-2119]. 180 2.2. Terminology 182 All the general mobility related terms used in this document are to 183 be interpreted as defined in the Mobile IPv6 base specification [RFC- 184 3775]. 186 This document adopts the terms, Local Mobility Anchor (LMA) and 187 Mobile Access Gateway (MAG) from the NETLMM Goals document [RFC- 188 4831]. This document also provides the following context specific 189 explanation to the following terms used in this document. 191 Proxy Mobile IPv6 Domain (PMIPv6-Domain) 193 Proxy Mobile IPv6 domain refers to the network where the mobility 194 management of a mobile node is handled using Proxy Mobile IPv6 195 protocol as defined in this specification. The Proxy Mobile IPv6 196 domain includes local mobility anchors and mobile access gateways 197 between which security associations can be setup and authorization 198 for sending Proxy Binding Updates on behalf of the mobile nodes 199 can be ensured. 201 Local Mobility Anchor (LMA) 203 Local Mobility Anchor is the home agent for the mobile node in the 204 Proxy Mobile IPv6 domain. It is the topological anchor point for 205 the mobile node's home network prefix and is the entity that 206 manages the mobile node's reachability state. It is important to 207 understand that the local mobility anchor has the functional 208 capabilities of a home agent as defined in Mobile IPv6 base 209 specification [RFC-3775] and with the additional required 210 capabilities for supporting Proxy Mobile IPv6 protocol as defined 211 in this specification. 213 Mobile Access Gateway (MAG) 214 Mobile Access Gateway is a function that manages the mobility 215 related signaling for a mobile node that is attached to its access 216 link. It is responsible for tracking the mobile node's movements 217 on the access link and for signaling the mobile node's local 218 mobility anchor. 220 Mobile Node (MN) 222 Through out this document, the term mobile node is used to refer 223 to an IP host whose mobility is managed by the network. The 224 mobile node may be operating in IPv6 mode, IPv4 mode or in IPv4/ 225 IPv6 dual mode. The mobile node is not required to participate in 226 any mobility related signaling for achieving mobility for an IP 227 address that is obtained in that Proxy Mobile IPv6 domain. This 228 document further uses explicit text when referring to a mobile 229 node that is involved in mobility related signaling as per Mobile 230 IPv6 specification [RFC-3775]. 232 LMA Address (LMAA) 234 The address that is configured on the interface of the local 235 mobility anchor and is the transport endpoint of the bi- 236 directional tunnel established between the local mobility anchor 237 and the mobile access gateway. This is the address to where the 238 mobile access gateway sends the Proxy Binding Update messages. 239 When supporting IPv4 traversal, i.e., when the network between the 240 local mobility anchor and the mobile access gateway is an IPv4 241 network, this address will be an IPv4 address and will be referred 242 to as IPv4-LMAA, as specified in [ID-IPV4-PMIP6]. 244 Proxy Care-of Address (Proxy-CoA) 246 Proxy-CoA is the address configured on the interface of the mobile 247 access gateway and is the transport endpoint of the tunnel between 248 the local mobility anchor and the mobile access gateway. The 249 local mobility anchor views this address as the Care-of Address of 250 the mobile node and registers it in the Binding Cache entry for 251 that mobile node. When the transport network between the mobile 252 access gateway and the local mobility anchor is an IPv4 network 253 and if the care-of address that is registered at the local 254 mobility anchor is an IPv4 address, the term, IPv4-Proxy-CoA is 255 used, as specified in [ID-IPV4-PMIP6]. 257 Mobile Node's Home Address (MN-HoA) 258 MN-HoA is the home address of a mobile node in a Proxy Mobile IPv6 259 domain. It is an address from its home network prefix obtained by 260 a mobile node in a Proxy Mobile IPv6 domain. The mobile node can 261 continue to use this address as long as it is attached to the 262 network that is in the scope of that Proxy Mobile IPv6 domain. 264 Mobile Node's Home Network Prefix (MN-HNP) 266 This is the on-link IPv6 prefix that is always present in the 267 Router Advertisements that the mobile node receives when it is 268 attached to any of the access links in that Proxy Mobile IPv6 269 domain. This home network prefix is topologically anchored at the 270 mobile node's local mobility anchor. The mobile node configures 271 its interface with an address from this prefix. 273 Mobile Node's Home Link 275 This is the link on which the mobile node obtained its initial 276 address configuration after it moved into that Proxy Mobile IPv6 277 domain. This is the link that conceptually follows the mobile 278 node. The network will ensure the mobile node always sees this 279 link with respect to the layer-3 network configuration, on any 280 access link that it attaches to in that Proxy Mobile IPv6 domain. 282 Mobile Node Identifier (MN-Identifier) 284 The identity of a mobile node in the Proxy Mobile IPv6 domain. 285 This is the stable identifier of a mobile node that the mobility 286 entities in a Proxy Mobile IPv6 domain can always acquire and 287 using which a mobile node can predictably be identified. This is 288 typically an identifier such as Mobile Node NAI [RFC-4282]. 290 Proxy Binding Update (PBU) 292 A binding registration request message sent by a mobile access 293 gateway to a mobile node's local mobility anchor for establishing 294 a binding between the mobile node's MN-HNP and the Proxy-CoA. 296 Proxy Binding Acknowledgement (PBA) 298 A binding registration reply message sent by a local mobility 299 anchor in response to a Proxy Binding Update request message that 300 it received from a mobile access gateway. 302 3. Proxy Mobile IPv6 Protocol Overview 304 This specification describes a network-based mobility management 305 protocol. It is called Proxy Mobile IPv6 and is based on Mobile IPv6 306 [RFC-3775]. 308 Proxy Mobile IPv6 protocol is intended for providing network-based 309 mobility management support to a mobile node, without requiring the 310 participation of the mobile node in any mobility related signaling. 311 The mobility entities in the network will track the mobile node's 312 movements and will initiate the mobility signaling and setup the 313 required routing state. 315 The core functional entities in the NETLMM infrastructure are the 316 Local Mobility Anchor and the Mobile Access Gateway. The local 317 mobility is responsible for maintaining the mobile node's 318 reachability state and is the topological anchor point for the mobile 319 node's home network prefix. While the mobile access gateway is the 320 entity that performs the mobility management on behalf of a mobile 321 node and it resides on the access link where the mobile node is 322 anchored. The mobile access gateway is responsible for detecting the 323 mobile node's movements on its access link and for sending binding 324 registrations to the mobile node's local mobility anchor. 326 +----+ +----+ 327 |LMA1| |LMA2| 328 +----+ +----+ 329 LMAA1 -> | | <-- LMAA2 330 | | 331 \\ //\\ 332 \\ // \\ 333 \\ // \\ 334 +---\\------------- //------\\----+ 335 ( \\ IPv4/IPv6 // \\ ) 336 ( \\ Network // \\ ) 337 +------\\--------//------------\\-+ 338 \\ // \\ 339 \\ // \\ 340 \\ // \\ 341 Proxy-CoA1--> | | <-- Proxy-CoA2 342 +----+ +----+ 343 |MAG1|-----{MN2} |MAG2| 344 +----+ | +----+ 345 | | | 346 MN-HoA1 --> | MN-HoA2 | <-- MN-HoA3 347 {MN1} {MN3} 349 Figure 1: Proxy Mobile IPv6 Domain 351 Once a mobile node enters a Proxy Mobile IPv6 domain and attaches to 352 an access network, the mobile access gateway on that access network 353 after identifying the mobile node and acquiring its identifier, will 354 determine if the mobile node is authorized for network-based mobility 355 management service. 357 If the network determines that the network-based mobility management 358 service needs to be offered to that mobile node, the network will 359 ensure that the mobile node using any of the address configuration 360 mechanisms permitted by the network, will be able to obtain an 361 address from its home network prefix and move anywhere in that proxy 362 mobile IPv6 domain. From the perspective of the mobile node, the 363 entire proxy mobile IPv6 domain appears as a single link, the network 364 ensures that the mobile node believes it is always on the same link 365 where it obtained its initial address configuration, even after 366 changing its point of attachment in that network. 368 The mobile node may be operating in an IPv4-only mode, IPv6-only mode 369 or in dual IPv4/IPv6 mode. Based on what is enabled in the network 370 for that mobile node, the mobile node will be able to obtain an IPv4, 371 IPv6 or dual IPv4/IPv6 addresses and move any where in that Proxy 372 Mobile IPv6 domain. However, the specific details related to the 373 IPv4 addressing or IPv4 transport support is specified in the 374 companion document [ID-IPV4-PMIP6]. 376 +-----+ +-----+ +-----+ 377 | MN | | MAG | | LMA | 378 +-----+ +-----+ +-----+ 379 | | | 380 MN Attached | | 381 | | | 382 | MN Attached Event | 383 | (Acquire MN-Id and Profile) | 384 | | | 385 | |----- PBU ----------->| 386 | | | 387 | | Accept PBU 388 | | (Allocate MN-HNP, Setup BCE and Tunnel) 389 | | | 390 | |<--------- PBA -------| 391 | | | 392 | Accept PBA | 393 | (Setup Tunnel and Routing) | 394 | | | 395 | |==== Bi-Dir Tunnel ===| 396 | | | 397 |--- Rtr Sol --------->| | 398 | | | 399 |<------- Rtr Adv -----| | 400 | | | 401 IP Address | | 402 Configuration | | 403 | | | 405 Figure 2: Mobile Node Attachment - Signaling Call Flow 407 Figure 2 shows the signaling call flow, when the mobile node enters 408 the Proxy Mobile IPv6 domain. 410 For updating the local mobility anchor about the current location of 411 the mobile node, the mobile access gateway sends a Proxy Binding 412 Update message to the mobile node's local mobility anchor. Upon 413 accepting this Proxy Binding Update message, the local mobility 414 anchor sends a Proxy Binding Acknowledgement message including the 415 mobile node's home network prefix. It also creates the Binding Cache 416 entry and establishes a bi-directional tunnel to the mobile access 417 gateway. 419 The mobile access gateway on receiving the Proxy Binding 420 Acknowledgement message sets up a bi-directional tunnel to the local 421 mobility anchor and sets up the data path for the mobile node's 422 traffic. At this point the mobile access gateway will have all the 423 required information for emulating the mobile node's home link. It 424 sends Router Advertisement messages to the mobile node on the access 425 link advertising the mobile node's home network prefix as the hosted 426 on-link-prefix. 428 The mobile node on receiving these Router Advertisement messages on 429 the access link will attempt to configure its interface either using 430 stateful or stateless address configuration modes, based on the modes 431 that are permitted on that access link. At the end of a successful 432 address configuration procedure, the mobile node will end up with an 433 address from its home network prefix. 435 Once the address configuration is complete, the mobile node has a 436 valid address from its home network prefix, at the current point of 437 attachment. The serving mobile access gateway and the local mobility 438 anchor also have proper routing states for handling the traffic sent 439 to and from the mobile node using an address from its home network 440 prefix. 442 The local mobility anchor, being the topological anchor point for the 443 mobile node's home network prefix, receives any packets that are sent 444 by any corresponding node to the mobile node. Local mobility anchor 445 forwards these received packets to the mobile access gateway through 446 the bi-directional tunnel. The mobile access gateway on other end of 447 the tunnel, after receiving the packet, removes the outer header and 448 forwards the packet on the access link to the mobile node. 450 The mobile access gateway typically acts as a default router on the 451 access link. However, in some configurations where the functionality 452 of the mobile access gateway is split across different nodes, the 453 node sending the Router Advertisements will be the default-router for 454 the mobile node. Any packet that the mobile node sends to any 455 corresponding node will be received by the mobile access gateway and 456 will be sent to its local mobility anchor through the bi-directional 457 tunnel. The local mobility anchor on the other end of the tunnel, 458 after receiving the packet removes the outer header and routes the 459 packet to the destination. 461 +-----+ +-----+ +-----+ +-----+ 462 | MN | |p-MAG| | LMA | |n-MAG| 463 +-----+ +-----+ +-----+ +-----+ 464 | | | | 465 | |==Bi-Dir Tunnel=| | 466 MN Detached | | | 467 | MN Detached Event | | 468 | | | | 469 | |-- PBU -------->| | 470 | | | | 471 | | Accept PBU | 472 | | (Start BCE delete timer) | 473 | | | | 474 | |<-------- PBA --| | 475 | | | | 476 MN Attached | | | 477 | | | MN Attached Event 478 | | | (Acquire MN-Id and Profile) 479 .... 480 Registration steps as in fig 2. 481 .... 482 | | |==Bi-Dir Tunnel=| 483 |--- Rtr Sol ------------------------------------->| 484 | | | | 485 |<------------------------------------ Rtr Adv ----| 486 | | | | 487 MN retains HoA/HNP 488 | | | | 490 Figure 3: Mobile Node Handoff - Signaling Call Flow 492 Figure 3 shows the signaling call flow for the mobile node's handoff 493 scenario. 495 After obtaining the initial address configuration in the Proxy Mobile 496 IPv6 domain, if the mobile node changes its point of attachment, the 497 mobile access gateway on the new access link, will signal the local 498 mobility anchor for updating the binding and routing state. The 499 mobile node will continue to receive the Router Advertisements 500 containing its home network prefix, making it believe its still on 501 the same link and can use the same address configuration on the new 502 access link. 504 4. Proxy Mobile IPv6 Protocol Security 506 The signaling messages, Proxy Binding Update and Proxy Binding 507 Acknowledgement, exchanged between the mobile access gateway and the 508 local mobility anchor MUST be protected using end-to-end security 509 association(s) offering integrity and data origin authentication. A 510 security association with the mobile node for which the signaling 511 message is issued is not required for protection of these messages. 513 The mobile access gateway and the local mobility anchor MUST 514 implement IPsec for protecting the Proxy Mobile IPv6 signaling 515 messages [RFC-4301]. IPsec is the default security mechanism for 516 securing the signaling messages. However in certain deployments of 517 this protocol, other security mechanisms MAY be applied and the 518 signaling messages must be protected using the semantics provided by 519 that respective mechanism. 521 IPsec ESP [RFC-4303] in transport mode with mandatory integrity 522 protection SHOULD be used for protecting the signaling messages. 523 Confidentiality protection of these messages is not required. 525 IKEv2 [RFC-4306] SHOULD be used to setup security associations 526 between the mobile access gateway and the local mobility anchor to 527 protect the Proxy Binding Update and Proxy Binding Acknowledgement 528 messages. The mobile access gateway and the local mobility anchor 529 can use any of the authentication mechanisms, as specified in IKEv2, 530 for mutual authentication. 532 Mobile IPv6 specification [RFC-3775] requires the home agent to 533 prevent a mobile node from creating security associations or creating 534 binding cache entries for another mobile node's home address. In the 535 protocol described in this document, the mobile node is not involved 536 in creating security associations for protecting the signaling 537 messages or sending binding updates. Therefore, this is not a 538 concern. However, the local mobility anchor MUST allow only 539 authorized mobile access gateways to create binding cache entries on 540 behalf of the mobile nodes. The actual mechanism by which the local 541 mobility anchor verifies if a specific mobile access gateway is 542 authorized to send Proxy Binding Updates on behalf of a mobile node 543 is outside the scope of this document. One possible way this could 544 be achieved is by sending a query to the policy store, such as AAA. 546 4.1. Peer Authorization Database Entries 548 This section describes PAD entries on the mobile access gateway and 549 the local mobility anchor. The PAD entries are only example 550 configurations. Note that the PAD is a logical concept and a 551 particular mobile access gateway or a local mobility anchor 552 implementation can implement the PAD in any implementation specific 553 manner. The PAD state may also be distributed across various 554 databases in a specific implementation. 556 mobile access gateway PAD: 557 - IF remote_identity = lma_identity_1 558 Then authenticate (shared secret/certificate/EAP) 559 and authorize CHILD_SA for remote address lma_addres_1 561 local mobility anchor PAD: 562 - IF remote_identity = mag_identity_1 563 Then authenticate (shared secret/certificate/EAP) 564 and authorize CHILD_SAs for remote address mag_address_1 566 The list of authentication mechanisms in the above examples is not 567 exhaustive. There could be other credentials used for authentication 568 stored in the PAD. 570 4.2. Security Policy Database Entries 572 This section describes the security policy entries on the mobile 573 access gateway and the local mobility anchor required to protect the 574 Proxy Mobile IPv6 signaling messages. The SPD entries are only 575 example configurations. A particular mobile access gateway or a 576 local mobility anchor implementation could configure different SPD 577 entries as long as they provide the required security. 579 In the examples shown below, the identity of the mobile access 580 gateway is assumed to be mag_1, the address of the mobile access 581 gateway is assumed to be mag_address_1, and the address of the local 582 mobility anchor is assumed to be lma_address_1. 584 mobile access gateway SPD-S: 585 - IF local_address = mag_address_1 & 586 remote_address = lma_address_1 & 587 proto = MH & local_mh_type = BU & remote_mh_type = BA 588 Then use SA ESP transport mode 589 Initiate using IDi = mag_1 to address lma_1 591 local mobility anchor SPD-S: 592 - IF local_address = lma_address_1 & 593 remote_address = mag_address_1 & 594 proto = MH & local_mh_type = BA & remote_mh_type = BU 595 Then use SA ESP transport mode 597 5. Local Mobility Anchor Operation 599 For supporting the Proxy Mobile IPv6 protocol specified in this 600 document, the home agent function, specified in [RFC-3775] requires 601 certain functional modifications and enhancements. The home agent 602 with these modifications and enhanced capabilities for supporting 603 Proxy Mobile IPv6 protocol is referred to as the local mobility 604 anchor. 606 The section describes the operational details of the local mobility 607 anchor. 609 5.1. Extensions to Binding Cache Entry Data Structure 611 Every local mobility anchor MUST maintain a Binding Cache entry for 612 each currently registered mobile node. Binding Cache entry is a 613 conceptual data structure, described in Section 9.1 [RFC-3775]. 615 For supporting this specification, the Binding Cache Entry data 616 structure needs to be extended with the following additional fields. 618 o A flag indicating whether or not this Binding Cache entry is 619 created due to a proxy registration. This flag is enabled for 620 Binding Cache entries that are proxy registrations and is turned 621 off for all other entries that are created due to the 622 registrations directly sent by the mobile node. 624 o The identifier of the registered mobile node, MN-Identifier. This 625 identifier is obtained from the NAI Option [RFC-4283] present in 626 the received Proxy Binding Update request. 628 o The Link-local address of the mobile node on the interface 629 attached to the access link. This is obtained from the Link-local 630 Address option, present in the Proxy Binding Update request. 632 o The IPv6 home network prefix of the registered mobile node. The 633 home network prefix of the mobile node may have been statically 634 configured in the mobile node's policy profile, or, it may have 635 been dynamically allocated by the local mobility anchor. The IPv6 636 home network prefix also includes the corresponding prefix length. 638 o The interface identifier of the bi-directional tunnel established 639 between the local mobility anchor and the mobile access gateway 640 where the mobile node is currently anchored. The tunnel interface 641 identifier is acquired during the tunnel creation. 643 o The 64-bit timestamp value of the most recently accepted Proxy 644 Binding Update request sent for this mobile node. This is 645 obtained from the Timestamp option, present in the request. 647 5.2. Supported Home Network Prefix Models 649 This specification supports Per-MN-Prefix model and does not support 650 Shared-Prefix model. As per the Per-MN-Prefix model, there will be 651 an unique home network prefix assigned to each mobile node and no 652 other node shares an address from that prefix. 654 The mobile node's home network prefix is always hosted on the access 655 link where the mobile node is anchored. Conceptually, the entire 656 home network prefix follows the mobile node as it moves within the 657 Proxy Mobile IPv6 domain. The local mobility anchor is not required 658 to perform any proxy ND operations [RFC-2461] for defending the 659 mobile node's home address on the home link. However, from the 660 routing perspective, the home network prefix is topologically 661 anchored on the local mobility anchor. 663 5.3. Signaling Considerations 665 Processing Binding Registrations 667 Upon receiving a Proxy Binding Update request from a mobile access 668 gateway on behalf of a mobile node, the local mobility anchor MUST 669 process the request as defined in Section 10.3 [RFC-3775], with one 670 exception that this request is a proxy binding registration request 671 and hence the following additional considerations must be applied. 673 o The local mobility anchor MUST observe the rules described in 674 Section 9.2 [RFC-3775] when processing Mobility Headers in the 675 received Proxy Binding Update request. 677 o The local mobility anchor MUST identify the mobile node from the 678 identifier present in the NAI option [RFC-4283] of the Proxy 679 Binding Update request. If the NAI option is not present in the 680 Proxy Binding Update request, the local mobility anchor MUST 681 reject the request and send a Proxy Binding Acknowledgement 682 message with Status field set to MISSING_MN_IDENTIFIER_OPTION 683 (Missing mobile node identifier). 685 o If the local mobility anchor cannot identify the mobile node, from 686 the NAI option [RFC-4283] present in the request, it MUST reject 687 the Proxy Binding Update request and send a Proxy Binding 688 Acknowledgement message with Status field set to 133 (Not home 689 agent for this mobile node). 691 o If the local mobility anchor determines that the mobile node is 692 not authorized for network-based mobility management service, it 693 MUST reject the request and send a Proxy Binding Acknowledgement 694 message with Status field set to PROXY_REG_NOT_ENABLED (Proxy 695 Registration not enabled). 697 o The local mobility anchor MUST ignore the check, specified in 698 Section 10.3.1 [RFC-3775], related to the presence of Home Address 699 destination option in the Proxy Binding Update request. 701 o The local mobility anchor MUST authenticate the Proxy Binding 702 Update request as described in Section 4.0. It MUST use the SPI 703 in the IPSec header [RFC-4306] of the received packet for locating 704 the security association needed for authenticating the Proxy 705 Binding Update request. 707 o The local mobility anchor MUST apply the required policy checks, 708 as explained in Section 4.0, to verify the sender is a trusted 709 mobile access gateway, authorized to send proxy binding 710 registration requests on behalf of this mobile node. 712 o If the local mobility anchor determines that the requesting node 713 is not authorized to send proxy binding registration requests, it 714 MUST reject the Proxy Binding Update request and send a Proxy 715 Binding Acknowledgement message with Status field set to 716 MAG_NOT_AUTHORIZED_FOR_PROXY_REG (Not authorized to send proxy 717 registrations). 719 o If the Home Network Prefix option is not present in the Proxy 720 Binding Update request, the local mobility anchor MUST reject the 721 Proxy Binding Update request and send a Proxy Binding 722 Acknowledgement message with Status field set to 129 723 (Administratively Prohibited). 725 o The local mobility anchor MUST apply the considerations specified 726 in Section 5.4, for processing the Sequence Number field and the 727 Timestamp option, in the Proxy Binding Update request. 729 o The local mobility anchor MUST use the identifier in the NAI 730 option [RFC-4283] present in the Proxy Binding Update request for 731 performing the Binding Cache entry existence test. If the entry 732 does not exist, the local mobility MUST consider this request as 733 an initial binding registration request. 735 Initial Binding Registration: 737 o If the Home Network Prefix option present in the Proxy Binding 738 Update request has the value 0::/0, the local mobility anchor MUST 739 allocate a prefix for the mobile node and send a Proxy Binding 740 Acknowledgement message including the Home Network Prefix option 741 containing the allocated prefix value. The specific details on 742 how the local mobility anchor allocates the home network prefix is 743 outside the scope of this document. The local mobility anchor 744 MUST ensure the allocated prefix is not in use by any other mobile 745 node. 747 o If the local mobility anchor is unable to allocate a home network 748 prefix for the mobile node, it MUST reject the request and send a 749 Proxy Binding Acknowledgement message with Status field set to 130 750 (Insufficient resources). 752 o If the Home Network Prefix option present in the request has a 753 specific prefix hint, the local mobility anchor before accepting 754 that request, MUST ensure the prefix is owned by the local 755 mobility anchor and further the mobile node is authorized to use 756 that prefix. If the mobile node is not authorized to use that 757 prefix, the local mobility anchor MUST reject the request and send 758 a Proxy Binding Acknowledgement message with Status field set to 759 NOT_AUTHORIZED_FOR_HOME_NETWORK_PREFIX (Mobile node not authorized 760 to use that prefix). 762 o Upon accepting the request, the local mobility anchor MUST create 763 a Binding Cache entry for the mobile node. It must set the fields 764 in the Binding Cache entry to the accepted values for that 765 binding. If there is a Link-local Address option present in the 766 request, the address must be copied to the link-local address 767 field in the Binding Cache entry. 769 o Upon accepting the Proxy Binding Update request, the local 770 mobility anchor MUST establish a bi-directional tunnel to the 771 mobile access gateway, as described in [RFC-2473]. Considerations 772 from Section 5.5 must be applied. 774 Binding Re-Registration: 776 o If the requesting prefix in the Home Network Prefix option is a 777 non 0::/0 value and is different from what is present in the 778 currently active Binding Cache entry for that mobile node, the 779 local mobility anchor MUST reject the request and send a Proxy 780 Binding Acknowledgement message with Status field set to 129 781 (Administratively Prohibited). 783 o Upon accepting a Proxy Binding Update request for extending the 784 lifetime of a currently active binding for a mobile node, the 785 local mobility anchor MUST update the existing Binding Cache entry 786 for this mobile node. Unless there exists an established bi- 787 directional tunnel to the mobile access gateway with the same 788 transport and encapsulation mode, the local mobility anchor MUST 789 create a tunnel to the mobile access gateway, as described in 790 [RFC-2473] and also delete the existing tunnel route to the 791 previous mobile access gateway. It MUST also send a Proxy Binding 792 Acknowledgement message to the mobile access gateway with the 793 Status field set to 0 (Proxy Binding Update Accepted). 795 Binding De-Registration: 797 o If the received Proxy Binding Update request with the lifetime 798 value of 0, has a Source Address in the IPv6 header, different 799 from what is present in the Proxy-CoA address field in its Binding 800 Cache entry, the local mobility anchor MAY either choose to ignore 801 the request or send a valid Proxy Binding Acknowledgement message 802 with the Status field set to 0 (Proxy Binding Update Accepted). 804 o Upon accepting the Proxy Binding Update request for a mobile node, 805 with the lifetime value of zero, the local mobility anchor MUST 806 wait for MinDelayBeforeBCEDelete amount of time, before it deletes 807 the mobile node's Binding Cache entry. Within this wait period, 808 if the local mobility anchor receives a Proxy Binding Update 809 request message for the same mobile node and from a different 810 mobile access gateway, with the lifetime value of greater than 811 zero, and if that request is accepted, then the Binding Cache 812 entry MUST NOT be deleted, but must be updated with the new 813 values. However, the local mobile anchor MUST send the Proxy 814 Binding Acknowledgement message, immediately upon accepting the 815 request. 817 o Upon accepting the request, the local mobility anchor MUST delete 818 the mobile node's Binding Cache entry and remove the Routing state 819 for the mobile node's home network prefix. 821 Constructing the Proxy Binding Acknowledgement Message: 823 o The local mobility anchor when sending the Proxy Binding 824 Acknowledgement message to the mobile access gateway MUST 825 construct the message as specified below. 827 IPv6 header (src=LMAA, dst=Proxy-CoA) 828 Mobility header 829 -BA /*P flag is set*/ 830 Mobility Options 831 - Home Network Prefix Option 832 - Link-local Address Option (optional) 833 - Timestamp Option (optional) 834 - NAI Option 836 Proxy Binding Acknowledgement message format 838 o The Source Address field in the IPv6 header of the message SHOULD 839 be set to the destination address of the received Proxy Binding 840 Update request. 842 o The Destination Address field in the IPv6 header of the message 843 SHOULD be set to the source address of the received Proxy Binding 844 Update request. 846 o If the Status field is set to a value greater less than 128, i.e. 847 if the binding request was rejected, then the prefix value in the 848 Home Network Prefix option MUST be set to the prefix value from 849 the received Home Network Prefix option. For all other cases, the 850 prefix value MUST be set to the allocated prefix value for that 851 mobile node. 853 o The Link-local Address option MUST be present in the Proxy Binding 854 Acknowledgement message, if the same option was present in the 855 corresponding Proxy Binding Update request message. If there is 856 an existing Binding Cache entry for that mobile node with the 857 link-local address value of ALL_ZERO (value not set), or if there 858 was no existing Binding Cache entry, then the link-local address 859 MUST be copied from the received Link-local Address option in the 860 received Proxy Binding Update request. For all other cases, it 861 MUST be copied from the Binding Cache entry. 863 o Considerations from Section 5.4 must be applied for constructing 864 the Timestamp option. 866 o The identifier in the NAI option [RFC-4283] MUST be copied from 867 the received Proxy Binding Update request. If the Status field 868 value is set to MISSING_MN_IDENTIFIER_OPTION, the NAI option MUST 869 NOT be present in the reply message. 871 o The message MUST be protected by using IPsec, using the security 872 association existing between the local mobility anchor and the 873 mobile access gateway. 875 o The Type 2 Routing header, MUST NOT be present in the IPv6 header 876 of the packet. 878 5.4. Timestamp Option for Message Ordering 880 Mobile IPv6 [RFC-3775] uses the Sequence Number field in binding 881 registration messages as a way for the home agent to process the 882 binding updates in the order they were sent by a mobile node. The 883 home agent and the mobile node are required to manage this counter 884 over the lifetime of a binding. However, in Proxy Mobile IPv6, as 885 the mobile node moves from one mobile access gateway to another and 886 in the absence of context transfer mechanism, the serving mobile 887 access gateway will be unable to determine the sequence number that 888 it needs to use in the signaling messages. Hence, the sequence 889 number scheme as specified in [RFC-3775], will be insufficient for 890 Proxy Mobile IPv6. 892 If the local mobility anchor cannot determine the sending order of 893 the received binding registration messages, it may potentially 894 process an older message sent by a mobile access gateway, where the 895 mobile node was previously anchored, resulting in an incorrect 896 Binding Cache entry. 898 For solving this problem, this specification RECOMMENDS the use of 899 Timestamp option [Section 8.4]. The basic principle behind the use 900 of timestamps in binding registration messages is that the node 901 generating the message inserts the current time-of-day, and the node 902 receiving the message checks that this timestamp is greater than all 903 previously accepted timestamps. 905 Alternatively, the specification also allows the use of Sequence 906 Number based scheme, as per [RFC-3775]. The sequence number MUST be 907 maintained on a per mobile node basis and MUST be synchronized 908 between the serving mobile access gateways. However, the specific 909 details on how a mobile node's sequence number is synchronized 910 between different mobile access gateways is outside the scope of this 911 document. 913 Using Timestamps based approach: 915 o An implementation MUST support Timestamp option. If the Timestamp 916 option is present in the received Proxy Binding Update request 917 message, then the local mobility anchor MUST include a valid 918 Timestamp option in the Proxy Binding Acknowledgement message that 919 it sends to the mobile access gateway. 921 o All the mobility entities in a Proxy Mobile IPv6 domain, 922 exchanging binding registration messages using Timestamp option 923 must have adequately synchronized time-of-day clocks. These nodes 924 SHOULD synchronize their clocks to a common time source, using 925 Network Time Protocol [RFC-4330] or in any other ways suitable for 926 that specific deployment. 928 o When generating the timestamp value for building the Timestamp 929 option, the mobility entities MUST ensure that the generated 930 timestamp is the elapsed time past the same reference epoch, as 931 specified in the format for the Timestamp option [Section 8.5]. 933 o Upon receipt of a Proxy Binding Update message with the Timestamp 934 option, the local mobility anchor MUST check the timestamp field 935 for validity. In order for it to be considered valid, the 936 timestamp value contained in the Timestamp option MUST be close 937 enough to the local mobility anchor's time-of-day clock and the 938 timestamp MUST be greater than all previously accepted timestamps 939 in the Proxy Binding Update messages sent for that mobile node. 941 o If the Timestamp option is present in the received Proxy Binding 942 Update message, the local mobility anchor MUST ignore the sequence 943 number field in the message. However, it MUST copy the sequence 944 number from the received Proxy Binding Update message to the Proxy 945 Binding Acknowledgement message. 947 o If the timestamp value in the received Proxy Binding Update is 948 valid, the local mobility anchor MUST return the same timestamp 949 value in the Timestamp option included in the Proxy Binding 950 Acknowledgement message that it sends to the mobile access 951 gateway. 953 o If the timestamp value in the received Proxy Binding Update is not 954 valid, the local mobility anchor MUST reject the Proxy Binding 955 Update and send a Proxy Binding Acknowledgement message with 956 Status field set to TIMESTAMP_MISMATCH (Timestamp mismatch). The 957 message MUST also include the Timestamp option with the value set 958 to the current time-of-day on the local mobility anchor. 960 Using Sequence Number based approach: 962 o If the Timestamp option is not present in the received Proxy 963 Binding Update request, the local mobility anchor MUST fallback to 964 the Sequence Number based scheme. It MUST process the sequence 965 number field as specified in [RFC-3775]. Also, it MUST NOT 966 include the Timestamp option in the Proxy Binding Acknowledgement 967 messages that it sends to the mobile access gateway. 969 5.5. Routing Considerations 971 5.5.1. Bi-Directional Tunnel Management 973 o A bi-directional tunnel is established between the local mobility 974 anchor and the mobile access gateway with IP-in-IP encapsulation, 975 as described in [RFC-2473]. The tunnel end points are the Proxy- 976 CoA and LMAA. When using IPv4 transport with a specific 977 encapsulation mode, the end points of the tunnel are the IPv4-LMAA 978 and IPv4-Proxy-CoA, as specified in [ID-IPV4-PMIP6]. 980 o The bi-directional tunnel is used for routing the mobile node's 981 data traffic between the mobile access gateway and the local 982 mobility anchor. The tunnel hides the topology and enables a 983 mobile node to use an address from its home network prefix from 984 any access link attached to the mobile access gateway. 986 o The bi-directional tunnel is established after accepting the Proxy 987 Binding Update request message. The created tunnel may be shared 988 with other mobile nodes attached to the same mobile access gateway 989 and with the local mobility anchor having a Binding Cache entry 990 for those mobile nodes. Implementations MAY choose to use static 991 tunnels as supposed to dynamically creating and tearing them down 992 on a need basis. 994 o The tunnel between the local mobility anchor and the mobile access 995 gateway is typically a shared tunnel and can be used for routing 996 traffic streams for different mobile nodes attached to the same 997 mobile access gateway. 999 o Implementations typically use a software timer for managing the 1000 tunnel lifetime and a counter for keeping a count of all the 1001 mobile nodes that are sharing the tunnel. The timer value will be 1002 set to the accepted binding life-time and will be updated after 1003 each periodic registrations for extending the lifetime. If the 1004 tunnel is shared for multiple mobile nodes, the tunnel lifetime 1005 will be set to the highest binding lifetime that is granted to any 1006 one of those mobile nodes sharing that tunnel. 1008 5.5.2. Forwarding Considerations 1010 Intercepting Packets Sent to the Mobile Node's Home Network: 1012 o When the local mobility anchor is serving a mobile node, it MUST 1013 be able to receive packets that are sent to the mobile node's home 1014 network. In order for it to receive those packets, it MUST 1015 advertise a connected route in to the Routing Infrastructure for 1016 the mobile node's home network prefix or for an aggregated prefix 1017 with a larger scope. This essentially enables IPv6 routers in 1018 that network to detect the local mobility anchor as the last-hop 1019 router for that prefix. 1021 Forwarding Packets to the Mobile Node: 1023 o On receiving a packet from a corresponding node with the 1024 destination address matching a mobile node's home network prefix, 1025 the local mobility anchor MUST forward the packet through the bi- 1026 directional tunnel setup for that mobile node. The format of the 1027 tunneled packet is shown below. However, when using IPv4 1028 transport, the format of the packet is as described in [ID-IPV4- 1029 PMIP6]. 1031 IPv6 header (src= LMAA, dst= Proxy-CoA /* Tunnel Header */ 1032 IPv6 header (src= CN, dst= MN-HOA ) /* Packet Header */ 1033 Upper layer protocols /* Packet Content*/ 1035 Figure 7: Tunneled Packets from LMA to MAG 1037 Forwarding Packets Sent by the Mobile Node: 1039 o All the reverse tunneled packets that the local mobility anchor 1040 receives from the mobile access gateway, after removing the tunnel 1041 header MUST be routed to the destination specified in the inner 1042 packet header. These routed packets will have the source address 1043 field set to the mobile node's home address. 1045 5.6. Local Mobility Anchor Address Discovery 1047 Dynamic Home Agent Address Discovery, as explained in Section 10.5 1048 [RFC-3775], allows a mobile node to discover all the home agents on 1049 its home link by sending an ICMP Home Agent Address Discovery Request 1050 message to the Mobile IPv6 Home-Agents anycast address, derived from 1051 its home network prefix. 1053 The DHAAD message in the current form cannot be used in Proxy Mobile 1054 IPv6 for discovering the address of the mobile node's local mobility 1055 anchor. In Proxy Mobile IPv6, the local mobility anchor will not be 1056 able to receive any messages sent to the Mobile IPv6 Home-Agents 1057 anycast address corresponding to the mobile node's home network 1058 prefix, as the prefix is not hosted on any of its interfaces. 1060 Further, the mobile access gateway will not predictably be able to 1061 locate the serving local mobility anchor that has the mobile node's 1062 binding cache entry. Hence, this specification does not support 1063 Dynamic Home Agent Address Discovery protocol. 1065 In Proxy Mobile IPv6, the address of the local mobility anchor 1066 configured to serve a mobile node can be discovered by the mobility 1067 entities in other ways. This may be a configured entry in the mobile 1068 node's policy profile, or it may be obtained through mechanisms 1069 outside the scope of this document. 1071 5.7. Mobile Prefix Discovery Considerations 1073 The ICMP Mobile Prefix Advertisement message, described in Section 1074 6.8 and Section 11.4.3 of [RFC-3775], allows a home agent to send a 1075 Mobile Prefix Advertisement to the mobile node. 1077 In Proxy Mobile IPv6, the mobile node's home network prefix is hosted 1078 on the access link connected to the mobile access gateway. but it is 1079 topologically anchored on the local mobility anchor. Since, there is 1080 no physical home-link for the mobile node's home network prefix on 1081 the local mobility anchor and as the mobile node is always on the 1082 link where the prefix is hosted, any prefix change messages can just 1083 be advertised by the mobile access gateway on the access link and 1084 thus there is no applicability of this message for Proxy Mobile IPv6. 1085 Hence, this specification does not support Mobile Prefix Discovery. 1087 5.8. Route Optimizations Considerations 1089 The Route Optimization in Mobile IPv6, as defined in [RFC-3775], 1090 enables a mobile node to communicate with a corresponding node 1091 directly using its care-of address and further the Return Routability 1092 procedure enables the corresponding node to have reasonable trust 1093 that the mobile node is reachable at both its home address and 1094 care-of address. 1096 In Proxy Mobile IPv6, the mobile node is not involved in any mobility 1097 related signaling. The mobile node uses only its home address for 1098 all its communication and the Care-of address (Proxy-CoA) is not 1099 visible to the mobile node. Hence, the Return Routability procedure 1100 as defined in Mobile IPv6 cannot be used in Proxy Mobile IPv6. 1102 6. Mobile Access Gateway Operation 1104 The Proxy Mobile IPv6 protocol described in this document, introduces 1105 a new functional entity, the Mobile Access Gateway (MAG). The mobile 1106 access gateway is the entity that is responsible for detecting the 1107 mobile node's movements on its access link and sending the binding 1108 registration requests to the local mobility anchor. In essence, the 1109 mobile access gateway performs mobility management on behalf of a 1110 mobile node. 1112 The mobile access gateway is a function that typically runs on an 1113 access router. However, implementations MAY choose to split this 1114 function and run it across multiple systems. The specifics on how 1115 that is achieved or the signaling interactions between those 1116 functional entities is beyond the scope of this document. 1118 The mobile access gateway has the following key functional roles: 1120 o It is responsible for detecting the mobile node's movements on the 1121 access link and for initiating the mobility signaling with the 1122 mobile node's local mobility anchor. 1124 o Emulation of the mobile node's home link on the access link by 1125 sending Router Advertisements with the mobile node's home network 1126 prefix information. 1128 o Responsible for setting up the data path for enabling the mobile 1129 node to configure an address from its home network prefix and use 1130 it from its access link. 1132 6.1. Extensions to Binding Update List Entry Data Structure 1134 Every mobile access gateway MUST maintain a Binding Update List. 1135 Each entry in the Binding Update List represents a mobile node's 1136 mobility binding with its local mobility anchor. The Binding Update 1137 List is a conceptual data structure, described in Section 11.1 [RFC- 1138 3775]. 1140 For supporting this specification, the conceptual Binding Update List 1141 entry data structure needs be extended with the following additional 1142 fields. 1144 o The Identifier of the attached mobile node, MN-Identifier. This 1145 identifier is acquired during the mobile node's attachment to the 1146 access link or through mechanisms outside the scope of this 1147 document. 1149 o The Link-layer address of the mobile node. This address can be 1150 acquired from the received Router Solicitation messages from the 1151 mobile node or during the mobile node's attachment to the access 1152 network. 1154 o The IPv6 home network prefix of the attached mobile node. The 1155 home network prefix of the mobile node is acquired from the mobile 1156 node's local mobility anchor through the received Proxy Binding 1157 Acknowledgement messages. The IPv6 home network prefix also 1158 includes the corresponding prefix length. 1160 o The Link-local address of the mobile node on the interface 1161 attached to the access link. 1163 o The IPv6 address of the local mobility anchor serving the attached 1164 mobile node. This address is acquired from the mobile node's 1165 policy profile. 1167 o The interface identifier of the access link where the mobile node 1168 is currently attached. The interface identifier is acquired 1169 during the mobile node's attachment to the access link. 1171 o The interface identifier of the bi-directional tunnel between the 1172 mobile node's local mobility anchor and the mobile access gateway. 1173 The tunnel interface identifier is acquired during the tunnel 1174 creation. 1176 6.2. Mobile Node's Policy Profile 1178 A mobile node's policy profile contains the essential operational 1179 parameters that are required by the network entities for managing the 1180 mobile node's mobility service. These policy profiles are stored in 1181 a local or a remote policy store, the mobile access gateway and the 1182 local mobility anchor MUST be able to obtain a mobile node's policy 1183 profile. The policy profile may also be handed over to a serving 1184 mobile access gateway as part of a context transfer procedure during 1185 a handoff. The exact details on how this achieved is outside the 1186 scope of this document. However, this specification requires that a 1187 mobile access gateway serving a mobile node MUST have access to its 1188 policy profile. 1190 The following are the mandatory fields of the policy profile: 1192 o The mobile node's identifier (MN-Identifier) 1194 o The IPv6 address of the local mobility anchor (LMAA) 1196 o Supported address configuration procedures on the link (Stateful, 1197 Stateless or both) 1199 The following are the optional fields of the policy profile: 1201 o The mobile node's IPv6 home network prefix (MN-HNP) 1203 6.3. Supported Access Link Types 1205 This specification supports only point-to-point access link types and 1206 thus it assumes that the mobile node and the mobile access gateway 1207 are the only two nodes on the access link. The link is assumed to 1208 have multicast capability. 1210 6.4. Supported Address Configuration Models 1212 A mobile node in the Proxy Mobile IPv6 domain can configure one or 1213 more IPv6 addresses on its interface using Stateless or Stateful 1214 address autoconfiguration procedures. The Router Advertisement 1215 messages sent on the access link, specify the address configuration 1216 methods permitted on that access link for that mobile node. However, 1217 the advertised flags with respect the address configuration will be 1218 consistent for a mobile node, on any of the access links in that 1219 Proxy Mobile IPv6 domain. Typically, these configuration settings 1220 will be based on the domain wide policy or based on a policy specific 1221 to each mobile node. 1223 When stateless address autoconfiguration is supported on the link, 1224 the mobile node can generate one or more IPv6 addresses by combining 1225 the network prefix advertised on the access link with an interface 1226 identifier, using the techniques described in Stateless 1227 Autoconfiguration specification [RFC-2462] or as per Privacy 1228 extension specification [RFC-3041]. 1230 When stateful address autoconfiguration is supported on the link, the 1231 mobile node can obtain the address configuration from the DHCPv6 1232 server using DHCPv6 client protocol, as specified in DHCPv6 1233 specification [RFC-3315]. 1235 Additionally, other address configuration mechanisms specific to the 1236 access link between the mobile node and the mobile access gateway may 1237 also be used for pushing the address configuration to the mobile 1238 node. 1240 6.5. Access Authentication & Mobile Node Identification 1242 When a mobile node attaches to an access link connected to the mobile 1243 access gateway, the deployed access security protocols on that link 1244 SHOULD ensure that the network-based mobility management service is 1245 offered only after authenticating and authorizing the mobile node for 1246 that service. The exact specifics on how this is achieved or the 1247 interactions between the mobile access gateway and the access 1248 security service is outside the scope of this document. This 1249 specification goes with the stated assumption of having an 1250 established trust between the mobile node and mobile access gateway, 1251 before the protocol operation begins. 1253 6.6. Acquiring Mobile Node's Identifier 1255 All the network entities in a Proxy Mobile IPv6 domain MUST be able 1256 to identify a mobile node, using its MN-Identifier. This identifier 1257 MUST be stable across the Proxy Mobile IPv6 domain and the entities 1258 must be able to use this identifier in the signaling messages. 1259 Typically, this identifier is obtained as part of the access 1260 authentication or through other means as specified below. 1262 o The identifier of the mobile node that the mobile access gateway 1263 obtains as part of the access authentication or from the notified 1264 network attachment event, can be a temporary identifier and this 1265 identifier may also change at each re-authentication. However, 1266 the mobile access gateway MUST be able to authenticate the mobile 1267 node based on this identifier and MUST be able to obtain the MN- 1268 Identifier from the policy store, such as from the RADIUS 1269 attribute, Chargeable-User-Identifier. 1271 o The MN-Identifier that the policy store delivers to the mobile 1272 access gateway may not be the true identifier of the mobile node. 1273 However, the mobility access gateway MUST be able to use this 1274 identifier in the signaling messages exchanged with the local 1275 mobility anchor. 1277 o The mobile access gateway MUST be able identify the mobile node by 1278 its MN-Identifier and it MUST be able to associate this identity 1279 to the sender of any IPv4 or IPv6 packets on the access link. 1281 6.7. Home Network Emulation 1283 One of the key functions of a mobile access gateway is to emulate the 1284 mobile node's home network on the access link. It must ensure, the 1285 mobile node believes it is still connected to its home link or on the 1286 link where it obtained its initial address configuration after it 1287 moved into that Proxy Mobile IPv6 domain. 1289 For emulating the mobile node's home link on the access link, the 1290 mobile access gateway must be able to send Router Advertisements 1291 advertising the mobile node's home network prefix and other address 1292 configuration parameters consistent with its home link properties. 1294 Typically, the mobile access gateway learns the mobile node's home 1295 network prefix information from the received Proxy Binding 1296 Acknowledgement message or it may be obtained from the mobile node's 1297 policy profile. However, the mobile access gateway SHOULD send the 1298 Router Advertisements advertising the mobile node's home network 1299 prefix only after successfully completing the binding registration 1300 with the mobile node's local mobility anchor. 1302 6.8. Link-Local and Global Address Uniqueness 1304 A mobile node in the Proxy Mobile IPv6 domain, as it moves from one 1305 mobile access gateway to the other, it will continue to detect its 1306 home network and thus making it believe it is still on the same link. 1307 Every time the mobile node attaches to a new link, the event related 1308 to the interface state change, will trigger the mobile node to 1309 perform DAD operation on the link-local and global addresses. 1310 However, if the mobile node is DNAv6 enabled, as specified in [ID- 1311 DNAV6], it may not detect the link change due to DNAv6 optimizations 1312 and may not trigger the duplicate address detection (DAD) procedure 1313 for establishing the link-local address uniqueness on that new link. 1314 Further, if the mobile node uses an interface identifier that is not 1315 based on EUI-64 identifier, such as specified in IPv6 Stateless 1316 Autoconfiguration specification [RFC-2462], there is a possibility, 1317 with the odds of 1 to billion, of a link-local address collision 1318 between the two neighbors on that access link. 1320 One of the workarounds for this issue is to set the DNAv6 1321 configuration parameter, DNASameLinkDADFlag to TRUE and that will 1322 force the mobile node to redo DAD operation every time the interface 1323 detects a handover, even when DNAv6 does not detect a link change. 1325 However, this issues will not impact point-to-point links based on 1326 PPP session. Each time the mobile node moves and attaches to a new 1327 mobile access gateway, either the PPP session [RFC-1661] is 1328 reestablished or the PPP session may be moved as part of context 1329 transfer procedures between the old and the new mobile access 1330 gateway. 1332 When the mobile node tries to establish a PPP session with the mobile 1333 access gateway, the PPP goes through the Network layer Protocol phase 1334 and the IPv6 Control Protocol, IPCP6 [RFC-2472] gets triggered. Both 1335 the PPP peers negotiate a unique identifier using Interface- 1336 Identifier option in IPV6CP and the negotiated identifier is used for 1337 generating a unique link-local address on that link. Now, if the 1338 mobile node moves to a new mobile access gateway, the PPP session 1339 gets torn down with the old mobile access gateway and a new PPP 1340 session gets established with the new mobile access gateway, and the 1341 mobile node obtains a new link-local address. So, even if the mobile 1342 node is DNAv6 capable, the mobile node always configures a new link- 1343 local address when ever it moves to a new link. 1345 If the PPP session state is moved to the new mobile access gateway, 1346 as part of context transfer procedures that are in place, there will 1347 not be any change to the interface identifiers of the two nodes on 1348 that point-to-point change. The whole link is moved to the new 1349 mobile access gateway and there will not be any need for establishing 1350 link-local address uniqueness on that link. 1352 Alternatively, this specification allows the mobile access gateway to 1353 upload the mobile node's link-local address to the local mobility 1354 anchor using the Link-local Address option, exchanged in the binding 1355 registration messages. The mobile access gateway can learn the 1356 mobile node's link-local address, by snooping the DAD messages sent 1357 by the mobile node for establishing the link-local address uniqueness 1358 on the access link. Subsequently, at each handoff, the mobile access 1359 gateway can obtain this address from the local mobility anchor and 1360 can change its own link-local address, if it detects an address 1361 collision. 1363 This issue is not relevant to the mobile node's global address. 1364 Since, there is a unique home network prefix for each mobile node, 1365 the uniqueness for the mobile node's global address is assured on the 1366 access link. 1368 6.9. Signaling Considerations 1370 6.9.1. Binding Registrations 1372 Initial Binding Registration: 1374 o After detecting a new mobile node on its access link, the mobile 1375 access gateway must identify the mobile node and acquire its MN- 1376 Identifier. If it determines that the network-based mobility 1377 management service needs to offered to the mobile node, it MUST 1378 send a Proxy Binding Update message to the local mobility anchor. 1380 o The Proxy Binding Update message MUST have the NAI option [RFC- 1381 4283], identifying the mobile node, the Home Network Prefix 1382 option, Timestamp option or a valid sequence number and optionally 1383 the Link-local Address option. 1385 o If the mobile access gateway learns the mobile node's home network 1386 prefix either from its policy store or from other means, the 1387 mobile access gateway MAY choose to specify the same in the Home 1388 Network Prefix option for requesting the local mobility anchor to 1389 allocate that prefix. If the specified value is 0::/0, then the 1390 local mobility anchor will consider this as a request for prefix 1391 allocation. 1393 Receiving Binding Registration Reply: 1395 o The mobile access gateway MUST observe the rules described in 1396 Section 9.2 [RFC-3775] when processing Mobility Headers in the 1397 received Proxy Binding Acknowledgement message. 1399 o The message MUST be authenticated as described in Section 4.0. 1400 The SPI in the IPSec header [RFC-4306] of the received packet must 1401 be used for locating the security association needed for 1402 authenticating the message. 1404 o The mobile access gateway MUST apply the considerations specified 1405 in Section 5.4, for processing the Sequence Number field and the 1406 Timestamp option, in the message. 1408 o The mobile access gateway MUST ignore any checks, specified in 1409 [RFC-3775] related to the presence of Type 2 Routing header in the 1410 Proxy Binding Acknowledgement message. 1412 o If the received Proxy Binding Acknowledgement message has the 1413 Status field value set to PROXY_REG_NOT_ENABLED (Proxy 1414 registration not enabled for the mobile node), the mobile access 1415 gateway SHOULD not send binding registration requests again for 1416 that mobile node. It must also deny the mobility service to that 1417 mobile node. 1419 o If the received Proxy Binding Acknowledgement message has the 1420 Status field value set to TIMESTAMP_MISMATCH (Invalid Timestamp), 1421 the mobile access gateway SHOULD try to register again only after 1422 it synchronized its clock with the local mobility anchor's system 1423 clock or to a common time source that is used by all mobility 1424 entities in that domain for their clock synchronization. 1426 o If the received Proxy Binding Acknowledgement message has the 1427 Status field value set to NOT_AUTHORIZED_FOR_HOME_NETWORK_PREFIX 1428 (Not authorized for that prefix), the mobile access gateway SHOULD 1429 try to request for that prefix in the binding registration 1430 request, only after it learned the validity of that prefix. 1432 o If the received Proxy Binding Acknowledgement message has the 1433 Status field value set to any value greater than 128 (i.e., the 1434 binding is rejected), the mobile access gateway MUST NOT advertise 1435 the mobile node's home network prefix in the Router Advertisements 1436 sent on that access link and there by denying mobility service to 1437 the mobile node. 1439 o If the received Proxy Binding Acknowledgement message has the 1440 Status field value set to 0 (Proxy Binding Update accepted), the 1441 mobile access gateway MUST create Binding Update List entry for 1442 the mobile node and must setup a tunnel to the mobile node's local 1443 mobility anchor, as explained in section 6.10. 1445 o If the received Proxy Binding Acknowledgement message has the 1446 address in the Link-local Address option set to a value that 1447 matches its own link-local address on that access interface where 1448 the mobile node is anchored, the mobile access gateway MUST change 1449 its link-local address on that interface. 1451 Binding Re-Registration: 1453 o For extending the lifetime of a currently existing binding at the 1454 local mobility, the mobile access gateway MUST send a Proxy 1455 Binding Update message to the local mobility anchor. The prefix 1456 value in the Home Network Prefix option present in the request 1457 SHOULD be set to the currently registered home network prefix and 1458 the value in the Link-local Address option may be set to ALL_ZERO 1459 or to the link-local address of the mobile node. 1461 Binding De-Registration: 1463 o At any point, the mobile access gateway detects that the mobile 1464 node has moved away from its access link, it MUST send a Proxy 1465 Binding Update message to the local mobility anchor with the 1466 lifetime value set to zero. 1468 o Either upon receipt of a Proxy Binding Acknowledgement message 1469 from the local mobility anchor or after a certain timeout waiting 1470 for the reply, the mobile access gateway MUST remove the binding 1471 entry for that mobile node from its Binding Update List and 1472 withdraw the mobile node's home network prefix as the hosted on- 1473 link prefix on that access link. 1475 Constructing the Proxy Binding Update Message: 1477 o The mobile access gateway when sending the Proxy Binding Update 1478 request to the local mobility anchor MUST construct the message as 1479 specified below. 1481 IPv6 header (src=Proxy-CoA, dst=LMAA) 1482 Mobility header 1483 -BU /*P & A flags are set*/ 1484 Mobility Options 1485 - Home Network Prefix option 1486 - Link-local Address option (Optional) 1487 - Timestamp Option (optional) 1488 - NAI Option 1490 Proxy Binding Update message format 1492 o The Source Address field in the IPv6 header of the message SHOULD 1493 be set to the address of the mobile access gateway. 1495 o The Destination Address field in the IPv6 header of the message 1496 SHOULD be set to the local mobility anchor address. 1498 o The Home Network Prefix option MUST be present. The prefix value 1499 may be set 0::/0 or to a specific prefix value. 1501 o The Link-local Address option MAY be present. The value may be 1502 set to ALL_ZERO or the mobile node's link-local address. 1504 o Considerations from Section 5.4 must be applied for constructing 1505 the Timestamp option. 1507 o The NAI option [RFC-4283] MUST be present, the identifier field in 1508 the option MUST be set to mobile node's identifier, MN-Identifier. 1510 o The message MUST be protected by using IPsec, using the security 1511 association existing between the local mobility anchor and the 1512 mobile access gateway. 1514 6.9.2. Router Solicitation Messages 1516 The mobile node sends a Router Solicitation message on the access 1517 link when ever the link-layer detects a media change. The Source 1518 Address in the IPv6 header of the Router Solicitation message may 1519 either be the link-local address of the mobile node or an unspecified 1520 address (::). 1522 o The mobile access gateway on receiving the Router Solicitation 1523 message SHOULD send a Router Advertisement containing the mobile 1524 node's home network prefix as the on-link prefix. However, before 1525 sending the Router Advertisement message containing the mobile 1526 node's home network prefix, it SHOULD complete the binding 1527 registration process with the mobile node's local mobility anchor. 1529 o If the local mobility anchor rejects the binding registration 1530 request, or, if the mobile access gateway failed to complete the 1531 binding registration process for what ever reasons, the mobile 1532 access gateway MUST NOT advertise the mobile node's home network 1533 prefix in the Router Advertisement messages that it sends on the 1534 access link. However, it MAY choose to advertise a local visitor 1535 network prefix to enable the mobile node for simple IPv6 access. 1537 6.9.3. Retransmissions and Rate Limiting 1539 The mobile access gateway is responsible for retransmissions and rate 1540 limiting the binding registration requests that it sends for updating 1541 a mobile node's binding. Implementations MUST follow the below 1542 guidelines. 1544 o When the mobile access gateway sends a Proxy Binding Update 1545 request, it should use the constant, INITIAL_BINDINGACK_TIMEOUT 1546 [RFC-3775], for configuring the retransmission timer. 1548 o If the mobile access gateway fails to receive a valid matching 1549 response within the retransmission interval, it SHOULD retransmit 1550 the message until a response is received. 1552 o As specified in Section 11.8 [RFC-3775], the mobile access gateway 1553 MUST use an exponential back-off process in which the timeout 1554 period is doubled upon each retransmission, until either the node 1555 receives a response or the timeout period reaches the value 1556 MAX_BINDACK_TIMEOUT [RFC-3775]. The mobile access gateway MAY 1557 continue to send these messages at this slower rate indefinitely. 1559 o If Timestamp based scheme is in use, the retransmitted Proxy 1560 Binding Update messages MUST use the latest timestamp. If 1561 Sequence number scheme is in use, the retransmitted Proxy Binding 1562 Update messages MUST use a Sequence Number value greater than that 1563 used for the previous transmission of this Proxy Binding Update 1564 message, just as specified in [RFC-3775]. 1566 6.10. Routing Considerations 1568 This section describes how the mobile access gateway handles the 1569 traffic to/from the mobile node that is attached to one of its access 1570 interface. 1572 Proxy-CoA LMAA 1573 | | 1574 +--+ +---+ +---+ +--+ 1575 |MN|----------|MAG|======================|LMA|----------|CN| 1576 +--+ +---+ +---+ +--+ 1577 IPv6 Tunnel 1579 6.10.1. Transport Network 1581 The transport network between the local mobility anchor and the 1582 mobile access can be either an IPv6 or IPv4 network. However, this 1583 specification only deals with the IPv6 transport and the companion 1584 document [ID-IPV4-PMIP6] specifies the required extensions for 1585 negotiating IPv4 transport and the corresponding encapsulation mode, 1586 for supporting this protocol operation. 1588 6.10.2. Tunneling & Encapsulation Modes 1590 The IPv6 address that a mobile node uses from its home network prefix 1591 is topologically anchored at the local mobility anchor. For a mobile 1592 node to use this address from an access network attached to a mobile 1593 access gateway, proper tunneling techniques have to be in place. 1594 Tunneling hides the network topology and allows the mobile node's 1595 IPv6 datagrams to be encapsulated as a payload of another IPv6 packet 1596 and be routed between the local mobility anchor and the mobile access 1597 gateway. The Mobile IPv6 base specification [RFC-3775] defines the 1598 use of IPv6-over-IPv6 tunneling, between the home agent and the 1599 mobile node and this specification extends the use of the same 1600 tunneling mechanism between the local mobility anchor and the mobile 1601 access gateway. 1603 On most operating systems, tunnels are implemented as a virtual 1604 point-to-point interface. The source and the destination address of 1605 the two end points of this virtual interface along with the 1606 encapsulation mode are specified for this virtual interface. Any 1607 packet that is routed over this interface, get encapsulated with the 1608 outer header and the addresses as specified for that point to point 1609 tunnel interface. For creating a point to point tunnel to any local 1610 mobility anchor, the mobile access gateway may implement a tunnel 1611 interface with the source address field set to its Proxy-CoA address 1612 and the destination address field set to the LMA address. 1614 The following are the supported packet encapsulation modes that can 1615 be used by the mobile access gateway and the local mobility anchor 1616 for routing mobile node's IPv6 datagrams. 1618 o IPv6-In-IPv6 - IPv6 datagram encapsulated in an IPv6 packet. This 1619 mechanism is defined in the Generic Packet Tunneling for IPv6 1620 specification [RFC-2473]. 1622 o IPv6-In-IPv4 - IPv6 datagram encapsulation in an IPv4 packet. The 1623 details related to this encapsulation mode and the specifics on 1624 how this mode is negotiated is specified in the companion 1625 document, IPv4 support for Proxy Mobile IPv6 [ID-IPV4-PMIP6]. 1627 o IPv6-In-IPv4-UDP - IPv6 datagram encapsulation in an IPv4 UDP 1628 packet. The details related to this mode are covered in the 1629 companion document, IPv4 support for Proxy Mobile IPv6 [ID-IPV4- 1630 PMIP6]. 1632 6.10.3. Routing State 1634 The following section explains the routing state for a mobile node on 1635 the mobile access gateway. This routing state reflects only one 1636 specific way of implementation and one MAY choose to implement it in 1637 other ways. The policy based route defined below acts as a traffic 1638 selection rule for routing a mobile node's traffic through a specific 1639 tunnel created between the mobile access gateway and that mobile 1640 node's local mobility anchor and with the specific encapsulation 1641 mode, as negotiated. 1643 The below example identifies the routing state for two visiting 1644 mobile nodes, MN1 and MN2 with their respective local mobility 1645 anchors LMA1 and LMA2. 1647 For all traffic from the mobile node, identified by the mobile node's 1648 MAC address, ingress interface or source prefix (MN-HNP) to 1649 _ANY_DESTINATION_ route via interface tunnel0, next-hop LMAA. 1651 +==================================================================+ 1652 | Packet Source | Destination Address | Destination Interface | 1653 +==================================================================+ 1654 | MAC_Address_MN1, | _ANY_DESTINATION_ | Tunnel0 | 1655 | (IPv6 Prefix or |----------------------------------------------| 1656 | Input Interface) | Locally Connected | Tunnel0 | 1657 +------------------------------------------------------------------+ 1658 | MAC_Address_MN2, | _ANY_DESTINATION_ | Tunnel1 | 1659 + (IPv6 Prefix or -----------------------------------------------| 1660 | Input Interface | Locally Connected | direct | 1661 +------------------------------------------------------------------+ 1663 Example - Policy based Route Table 1665 +==================================================================+ 1666 | Interface | Source Address | Destination Address | Encapsulation | 1667 +==================================================================+ 1668 | Tunnel0 | Proxy-CoA | LMAA1 | IPv6-in-IPv6 | 1669 +------------------------------------------------------------------+ 1670 | Tunnel1 |IPv4-Proxy-CoA | IPv4-LMA2 | IPv6-in-IPv4 | 1671 +------------------------------------------------------------------+ 1673 Example - Tunnel Interface Table 1675 6.10.4. Local Routing 1677 If there is data traffic between a visiting mobile node and a 1678 corresponding node that is locally attached to an access link 1679 connected to the mobile access gateway, the mobile access gateway MAY 1680 optimize on the delivery efforts by locally routing the packets and 1681 by not reverse tunneling them to the mobile node's local mobility 1682 anchor. However, this has an implication on the mobile node's 1683 accounting and policy enforcement as the local mobility anchor is not 1684 in the path for that traffic and it will not be able to apply any 1685 traffic policies or do any accounting for those flows. 1687 This decision of path optimization SHOULD be based on the configured 1688 policy configured on the mobile access gateway, but enforced by the 1689 mobile node's local mobility anchor. The specific details on how 1690 this is achieved is beyond of the scope of this document. 1692 6.10.5. Tunnel Management 1694 All the considerations mentioned in Section 5.5.1, for the tunnel 1695 management on the local mobility anchor apply for the mobile access 1696 gateway as well. 1698 6.10.6. Forwarding Rules 1700 Forwarding Packets sent to the Mobile Node's Home Network: 1702 o On receiving a packet from the bi-directional tunnel established 1703 with the mobile node's local mobility anchor, the mobile access 1704 gateway MUST use the destination address of the inner packet for 1705 forwarding it on the interface where the destination network 1706 prefix is hosted. The mobile access gateway MUST remove the outer 1707 header before forwarding the packet. If the mobile access gateway 1708 cannot find the connected interface for that destination address, 1709 it MUST silently drop the packet. For reporting an error in such 1710 scenario, in the form of ICMP control message, the considerations 1711 from Generic Packet Tunneling specification [RFC-2473] must be 1712 applied. 1714 o On receiving a packet from a corresponding node that is locally 1715 connected, to the mobile node that is on the access link, the 1716 mobile access gateway MUST check the configuration variable, 1717 EnableMAGLocalRouting, to ensure the mobile access gateway is 1718 allowed to route the packet directly to the mobile node. If the 1719 mobile access gateway is not allowed to route the packet directly, 1720 it MUST route the packet through the bi-directional tunnel 1721 established between itself and the mobile node's local mobility 1722 anchor. Otherwise, it can route the packet directly to the mobile 1723 node. 1725 Forwarding Packets Sent by the Mobile Node: 1727 o On receiving a packet from a mobile node connected to its access 1728 link, the mobile access gateway MUST ensure that there is an 1729 established binding for that mobile node with its local mobility 1730 anchor before forwarding the packet directly to the destination or 1731 before tunneling the packet to the mobile node's local mobility 1732 anchor. 1734 o On receiving a packet from a mobile node connected to its access 1735 link, to a destination that is locally connected, the mobile 1736 access gateway MUST check the configuration variable, 1737 EnableMAGLocalRouting, to ensure the mobile access gateway is 1738 allowed to route the packet directly to the destination. If the 1739 mobile access gateway is not allowed to route the packet directly, 1740 it MUST route the packet through the bi-directional tunnel 1741 established between itself and the mobile node's local mobility 1742 anchor. Otherwise, it can route the packet directly to the 1743 destination. 1745 o On receiving a packet from the mobile node connected to its access 1746 link, to a destination that is not directly connected, the packet 1747 MUST be forwarded to the local mobility anchor through the bi- 1748 directional tunnel established between itself and the mobile 1749 node's local mobility anchor. However, the packets that are sent 1750 with the link-local source address MUST NOT be forwarded. The 1751 format of the tunneled packet is shown below. However, when using 1752 IPv4 transport, the format of the tunneled packet is as described 1753 in [ID-IPV4-PMIP6]. 1755 IPv6 header (src= Proxy-CoA, dst= LMAA /* Tunnel Header */ 1756 IPv6 header (src= MN-HoA, dst= CN ) /* Packet Header */ 1757 Upper layer protocols /* Packet Content*/ 1758 Figure 12: Tunneled Packets from MAG to LMA 1760 6.11. Interaction with DHCP Relay Agent 1762 If Stateful Address Configuration using DHCP is supported on the link 1763 where the mobile node is attached, the DHCP relay agent [RFC-3315] 1764 needs to be configured on that access link. 1766 When the mobile node sends a DHCPv6 Request message, the DHCP relay 1767 agent function on the access link will set the link-address field in 1768 the DHCPv6 message to the mobile node's home network prefix, so as to 1769 provide a prefix hint to the DHCP Server for the address pool 1770 selection. 1772 6.12. Home Network Prefix Renumbering 1774 If the mobile node's home network prefix gets renumbered or becomes 1775 invalid during the middle of a mobility session, the mobile access 1776 gateway MUST withdraw the prefix by sending a Router Advertisement on 1777 the access link with zero prefix lifetime for the mobile node's home 1778 network prefix. Also, the local mobility anchor and the mobile 1779 access gateway MUST delete the routing state for that prefix. 1780 However, the specific details on how the local mobility anchor 1781 notifies the mobile access gateway about the mobile node's home 1782 network prefix renumbering is outside the scope of this document. 1784 6.13. Mobile Node Detachment Detection and Resource Cleanup 1786 Before sending a Proxy Binding Update message to the local mobility 1787 anchor for extending the lifetime of a currently existing binding of 1788 a mobile node, the mobile access gateway MUST make sure the mobile 1789 node is still attached to the connected link by using some reliable 1790 method. If the mobile access gateway cannot predictably detect the 1791 presence of the mobile node on the connected link, it MUST NOT 1792 attempt to extend the registration lifetime of the mobile node. 1793 Further, in such scenario, the mobile access gateway SHOULD terminate 1794 the binding of the mobile node by sending a Proxy Binding Update 1795 message to the mobile node's local mobility anchor with lifetime 1796 value set to 0. It MUST also remove any local state such as the 1797 Binding Update List created for that mobile node. 1799 The specific detection mechanism of the loss of a visiting mobile 1800 node on the connected link is specific to the access link between the 1801 mobile node and the mobile access gateway and is outside the scope of 1802 this document. Typically, there are various link-layer specific 1803 events specific to each access technology that the mobile access 1804 gateway can depend on for detecting the node loss. In general, the 1805 mobile access gateway can depend on one or more of the following 1806 methods for the detection presence of the mobile node on the 1807 connected link: 1809 o Link-layer event specific to the access technology 1811 o PPP Session termination event on point-to-point link types 1813 o IPv6 Neighbor Unreachability Detection event from IPv6 stack 1815 o Notification event from the local mobility anchor 1817 o Absence of data traffic from the mobile node on the link for a 1818 certain duration of time 1820 6.14. Allowing network access to other IPv6 nodes 1822 In some proxy mobile IPv6 deployments, network operators may want to 1823 provision the mobile access gateway to offer network-based mobility 1824 management service only to some visiting mobile nodes and enable just 1825 regular IPv6/IPv4 access to some other nodes attached to that mobile 1826 access gateway. This requires the network to have the control on 1827 when to enable network-based mobility management service to a mobile 1828 node and when to enable regular IPv6 access. This specification does 1829 not disallow such configuration. 1831 Upon obtaining the mobile node's profile after a successful access 1832 authentication and after a policy consideration, the mobile access 1833 gateway MUST determine if the network based mobility service should 1834 be offered to that mobile node. If the mobile node is entitled for 1835 such service, then the mobile access gateway must ensure the mobile 1836 node believes it is on its home link, as explained in various 1837 sections of this specification. 1839 If the mobile node is not entitled for the network-based mobility 1840 management service, as enforced by the policy, the mobile access 1841 gateway MAY choose to offer regular IPv6 access to the mobile node 1842 and hence the normal IPv6 considerations apply. If IPv6 access is 1843 enabled, the mobile node SHOULD be able to obtain any IPv6 address 1844 using normal IPv6 address configuration mechanisms. The obtained 1845 address must be from a local visitor network prefix. This 1846 essentially ensures, the mobile access gateway functions as any other 1847 access router and does not impact the protocol operation of a mobile 1848 node attempting to use host-based mobility management service when it 1849 attaches to an access link connected to a mobile access gateway in a 1850 Proxy Mobile IPv6 domain. 1852 7. Mobile Node Operation 1854 This non-normative section explains the mobile node's operation in a 1855 Proxy Mobile IPv6 domain. 1857 7.1. Moving into a Proxy Mobile IPv6 Domain 1859 Once a mobile node enters a Proxy Mobile IPv6 domain and attaches to 1860 an access network, the mobile access gateway on the access link 1861 detects the attachment of the mobile node and completes the binding 1862 registration with the mobile node's local mobility anchor. If the 1863 binding update operation is successfully performed, the mobile access 1864 gateway will create the required state and setup the data path for 1865 the mobile node's data traffic. 1867 If the mobile node is IPv6 enabled, on attaching to the access link, 1868 it will typically send Router Solicitation message [RFC-2461]. The 1869 mobile access gateway on the access link will respond to the Router 1870 Solicitation message with a Router Advertisement. The Router 1871 Advertisement will have the mobile node's home network prefix, 1872 default-router address and other address configuration parameters. 1874 If the mobile access gateway on the access link, receives a Router 1875 Solicitation message from the mobile node, before it completed the 1876 signaling with the mobile node's local mobility anchor, the mobile 1877 access gateway may not know the mobile node's home network prefix and 1878 may not be able to emulate the mobile node's home link on the access 1879 link. In such scenario, the mobile node may notice a slight delay 1880 before it receives a Router Advertisement message. 1882 If the received Router Advertisement has the Managed Address 1883 Configuration flag set, the mobile node, as it would normally do, 1884 will send a DHCPv6 Request [RFC-3315]. The DHCP relay service 1885 enabled on that access link will ensure the mobile node will obtain 1886 its IPv6 address as a lease from its home network prefix. 1888 If the received Router Advertisement does not have the Managed 1889 Address Configuration flag set and if the mobile node is allowed to 1890 use an autoconfigured address, the mobile node will be able to obtain 1891 an IPv6 address using an interface identifier generated as per the 1892 Autoconf specification [RFC-2462] or as per the Privacy Extensions 1893 specification [RFC-3041]. 1895 If the mobile node is IPv4 enabled and if the network permits, it 1896 will be able to obtain the IPv4 address configuration for the 1897 connected interface by using DHCP [RFC-2131]. The details related to 1898 IPv4 support is specified in the companion document [ID-IPV4-PMIP6]. 1900 Once the address configuration is complete, the mobile node can 1901 continue to use this address configuration as long as it is attached 1902 to the network that is in the scope of that Proxy Mobile IPv6 domain. 1904 7.2. Roaming in the Proxy Mobile IPv6 Domain 1906 After obtaining the address configuration in the Proxy Mobile IPv6 1907 domain, as the mobile node moves and changes its point of attachment 1908 from one mobile access gateway to the other, it can still continue to 1909 use the same address configuration. As long as the attached access 1910 network is in the scope of that Proxy Mobile IPv6 domain, the mobile 1911 node will always detect the same link, where it obtained its initial 1912 address configuration. If the mobile node performs DHCP operation, 1913 it will always obtain the same address as before. 1915 However, the mobile node will always detect a new default-router on 1916 each connected link, but still advertising the mobile node's home 1917 network prefix as the on-link prefix and with the other configuration 1918 parameters consistent with its home link properties. 1920 7.3. IPv6 Host Protocol Parameters 1922 This specification does not require any changes to the mobile node's 1923 IP stack. It assumes the mobile node to be a normal IPv4/IPv6 node, 1924 with its protocol operation consistent with the respective 1925 specifications. 1927 However, this specification recommends that the following IPv6 1928 operating parameters on the mobile node be adjusted to the below 1929 recommended values for protocol efficiency and for achieving faster 1930 hand-offs. 1932 Lower Default-Router List Cache Time-out: 1934 As per the base IPv6 specification [RFC-2461], each IPv6 host is 1935 required to maintain certain host data structures including a 1936 Default-Router list. This is the list of on-link routers that have 1937 sent Router Advertisement messages and are eligible to be default 1938 routers on that link. The Router Lifetime field in the received 1939 Router Advertisement defines the life of this entry. 1941 In case of Proxy Mobile IPv6, when a mobile node moves from one link 1942 to another, the source address of the received Router Advertisement 1943 messages advertising the mobile node's home network prefix will be 1944 from a different link-local address and thus making the mobile node 1945 believe that there is a new default-router on the link. It is 1946 important that the mobile node uses the newly learnt default-router 1947 as supposed to the previously known default-router. The mobile node 1948 must update its default-router list with the new default router entry 1949 and must age out the previously learnt default router entry from its 1950 cache, just as specified in Section 6.3.5 [RFC-2461]. This action is 1951 critical for minimizing packet losses during a hand off switch. 1953 On detecting a reachability problem, the mobile node will certainly 1954 detect the default-router loss by performing the Neighbor 1955 Unreachability Detection procedure, but it is important that the 1956 mobile node times out the previous default router entry at the 1957 earliest. If a given IPv6 host implementation has the provision to 1958 adjust these flush timers, still conforming to the base IPv6 ND 1959 specification, it is desirable to keep the flush-timers to suit the 1960 above consideration. 1962 In access network where SEND [RFC-3971] is not deployed, the mobile 1963 access gateway may withdraw the previous default-router entry, by 1964 sending a Router Advertisement using the link-local address that of 1965 the previous mobile access gateway and with the Router Lifetime field 1966 set to value 0, then this will force the flush of the Previous 1967 Default-Router entry from the mobile node's cache. This certainly 1968 requires context-transfer mechanisms in place for notifying the link- 1969 local address of the default-router on the previous link to the 1970 mobile access gateway on the new link. 1972 There are other solutions possible for this problem, including the 1973 assignment of a unique link-local address for all the mobile access 1974 gateways in a Proxy Mobile IPv6 domain and where SEND [RFC-3971] is 1975 not deployed. In such scenario, the mobile node is not required to 1976 update the default-router entry. However, this is an implementation 1977 choice and has no bearing on the protocol interoperability. 1978 Implementations are free to adopt the best approach that suits their 1979 target deployments. 1981 8. Message Formats 1983 This section defines extensions to the Mobile IPv6 [RFC-3775] 1984 protocol messages. 1986 8.1. Proxy Binding Update Message 1988 0 1 2 3 1989 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1990 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1991 | Sequence # | 1992 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1993 |A|H|L|K|M|R|P| Reserved | Lifetime | 1994 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1995 | | 1996 | | 1997 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1999 Figure 13: Proxy Binding Update Message 2001 A Binding Update message that is sent by a mobile access gateway to a 2002 local mobility anchor is referred to as the "Proxy Binding Update" 2003 message. A new flag (P) is included in the Binding Update message. 2004 The rest of the Binding Update message format remains the same as 2005 defined in [RFC-3775]. 2007 Proxy Registration Flag (P) 2009 A new flag (P) is included in the Binding Update message to indicate 2010 to the local mobility anchor that the Binding Update message is a 2011 proxy registration. The flag MUST be set to the value of 1 for proxy 2012 registrations and MUST be set to 0 for direct registrations sent by a 2013 mobile node. 2015 For descriptions of other fields present in this message, refer to 2016 section 6.1.7 [RFC-3775]. 2018 8.2. Proxy Binding Acknowledgement Message 2020 0 1 2 3 2021 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2022 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2023 | Status |K|R|P|Reserved | 2024 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2025 | Sequence # | Lifetime | 2026 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2027 | | 2028 | | 2029 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2031 Figure 14: Proxy Binding Acknowledgement Message 2033 A Binding Acknowledgement message that is sent by a local mobility 2034 anchor to a mobile access gateway is referred to as the "Proxy 2035 Binding Acknowledgement" message. A new flag (P) is included in the 2036 Binding Acknowledgement message. The rest of the Binding 2037 Acknowledgement message format remains the same as defined in [RFC- 2038 3775]. 2040 Proxy Registration Flag (P) 2042 A new flag (P) is included in the Binding Acknowledgement message to 2043 indicate that the local mobility anchor that processed the 2044 corresponding Proxy Binding Update message supports proxy 2045 registrations. The flag is set only if the corresponding Proxy 2046 Binding Update had the Proxy Registration Flag (P) set to value of 1. 2048 For descriptions of other fields present in this message, refer to 2049 the section 6.1.8 [RFC-3775]. 2051 8.3. Home Network Prefix Option 2053 A new option, Home Network Prefix Option is defined for using it in 2054 the Proxy Binding Update and Proxy Binding Acknowledgement messages 2055 exchanged between a local mobility anchor and a mobile access 2056 gateway. This option is used for exchanging the mobile node's home 2057 network prefix information. 2059 The Home Network Prefix Option has an alignment requirement of 8n+4. 2060 Its format is as follows: 2062 0 1 2 3 2063 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2064 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2065 | Type | Length | Reserved | Prefix Length | 2066 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2067 | | 2068 + + 2069 | | 2070 + Home Network Prefix + 2071 | | 2072 + + 2073 | | 2074 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2076 Type 2077 2079 Length 2081 8-bit unsigned integer indicating the length of the option 2082 in octets, excluding the type and length fields. This field 2083 MUST be set to 18. 2085 Reserved 2087 This field is unused for now. The value MUST be initialized 2088 to 0 by the sender and MUST be ignored by the receiver. 2090 Prefix Length 2092 8-bit unsigned integer indicating the prefix length of the 2093 IPv6 prefix contained in the option. 2095 Home Network Prefix 2097 A sixteen-byte field containing the mobile node's IPv6 Home 2098 Network Prefix. 2100 Figure 15: Home Network Prefix Option 2102 8.4. Link-local Address Option 2104 A new option, Link-local Address Option is defined for using it in 2105 the Proxy Binding Update and Proxy Binding Acknowledgement messages 2106 exchanged between a local mobility anchor and a mobile access 2107 gateway. This option is used for exchanging the mobile node's link- 2108 local address. 2110 The Link-local Address option has an alignment requirement of 8n+6. 2111 Its format is as follows: 2113 0 1 2 3 2114 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2115 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2116 | Type | Length | 2117 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2118 | | 2119 + + 2120 | | 2121 + Link-local Address + 2122 | | 2123 + + 2124 | | 2125 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2127 Type 2128 2130 Length 2132 8-bit unsigned integer indicating the length of the option 2133 in octets, excluding the type and length fields. This field 2134 MUST be set to 16. 2136 Link-local Address 2138 A sixteen-byte field containing the mobile node's link-local 2139 address. 2141 Figure 16: Link-local Address Option 2143 8.5. Timestamp Option 2145 A new option, Timestamp Option is defined for use in the Proxy 2146 Binding Update and Proxy Binding Acknowledgement messages. 2148 The Timestamp option has an alignment requirement of 8n+2. Its 2149 format is as follows: 2151 0 1 2 3 2152 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2154 | Option Type | Option Length | 2155 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2156 | | 2157 + Timestamp + 2158 | | 2159 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2161 Type 2162 2164 Length 2166 8-bit unsigned integer indicating the length in octets of 2167 the option, excluding the type and length fields. The value 2168 for this field MUST be set to 8. 2170 Timestamp 2172 A 64-bit unsigned integer field containing a timestamp. The value 2173 indicates the number of seconds since January 1, 1970, 00:00 UTC, 2174 by using a fixed point format. In this format, the integer number 2175 of seconds is contained in the first 48 bits of the field, and the 2176 remaining 16 bits indicate the number of 1/64K fractions of a 2177 second. 2179 Figure 17: Timestamp Option 2181 8.6. Status Values 2183 This document defines the following new Status values for use in 2184 Proxy Binding Acknowledgement message. These values are to be 2185 allocated from the same number space, as defined in Section 6.1.8 2186 [RFC-3775]. 2188 Status values less than 128 indicate that the Proxy Binding Update 2189 was processed successfully by the local mobility anchor. Status 2190 values greater than 128 indicate that the Proxy Binding Update was 2191 rejected by the local mobility anchor. 2193 PROXY_REG_NOT_ENABLED: 2195 Proxy Registration not enabled for the mobile node. 2197 MAG_NOT_AUTHORIZED_FOR_PROXY_REG: 2199 The mobile access gateway is not authorized to send proxy binding. 2200 updates. 2202 NOT_AUTHORIZED_FOR_HOME_NETWORK_PREFIX 2204 The mobile node is not authorized for the requesting home network 2205 prefix. 2207 TIMESTAMP_MISMATCH: 2209 Invalid Timestamp value in the received Proxy Binding Update 2210 message. 2212 MISSING_MN_IDENTIFIER_OPTION: 2214 Missing mobile node identifier in the Proxy Binding Update 2215 message. 2217 9. Protocol Configuration Variables 2219 The mobile access gateway MUST allow the following variables to be 2220 configured by the system management. 2222 EnableMAGLocalrouting 2224 This flag indicates whether or not the mobile access gateway is 2225 allowed to enable local routing of the traffic exchanged between a 2226 visiting mobile node and a corresponding node that is locally 2227 connected to one of the interfaces of the mobile access gateway. 2228 The corresponding node can be another visiting mobile node as 2229 well, or a local fixed node. 2231 The default value for this flag is set to "FALSE", indicating that 2232 the mobile access gateway MUST reverse tunnel all the traffic to 2233 the mobile node's local mobility anchor. 2235 When the value of this flag is set to "TRUE", the mobile access 2236 gateway MUST route the traffic locally. 2238 This aspect of local routing MAY be defined as policy on a per 2239 mobile basis and when present will take precedence over this flag. 2241 The local mobility anchor MUST allow the following variables to be 2242 configured by the system management. 2244 MinDelayBeforeBCEDelete 2246 This variable specifies the amount of time in milliseconds the 2247 local mobility anchor MUST wait before it deletes a Binding Cache 2248 entry of a mobile node, upon receiving a Proxy Binding Update 2249 message from a mobile access gateway with a lifetime value of 0. 2250 During this wait time, if the local mobility anchor receives a 2251 Proxy Binding Update for the same mobile node, identified by its 2252 MN-Identifier, with lifetime value greater than 0, then it must 2253 update the binding cache entry with the accepted binding values. 2254 At the end of this wait-time, if the local mobility anchor did not 2255 receive any valid Proxy Binding Update message, it MUST delete the 2256 Binding Cache entry for that mobile node. 2258 The default value for this variable is 1000 milliseconds. 2260 10. IANA Considerations 2262 This document defines a three new Mobility Header Options, the Home 2263 Network Prefix option, Link-local Address option and the Timestamp 2264 option. These options are described in Sections 8.3, 8.4 and 8.5 2265 respectively. The Type value for these options needs to be assigned 2266 from the same numbering space as allocated for the other mobility 2267 options, as defined in [RFC-3775]. 2269 This document also defines new Binding Acknowledgement status values 2270 as described in Section 8.6. The status values MUST be assigned from 2271 the same number space used for Binding Acknowledgement status values, 2272 as defined in [RFC-3775]. The allocated values for each of these 2273 status values MUST be greater than 128. 2275 11. Security Considerations 2277 The potential security threats against any network-based mobility 2278 management protocol are described in [RFC-4832]. This section 2279 explains how Proxy Mobile IPv6 protocol defends itself against those 2280 threats. 2282 Proxy Mobile IPv6 protocol requires the signaling messages, Proxy 2283 Binding Update and Proxy Binding Acknowledgement, exchanged between 2284 the mobile access gateway and the local mobility anchor to be 2285 protected using IPsec, using the established security association 2286 between them. This essentially eliminates the threats related to the 2287 impersonation of the mobile access gateway or the local mobility 2288 anchor. 2290 This specification allows a mobile access gateway to send binding 2291 registration messages on behalf of a mobile node. If proper 2292 authorization checks are not in place, a malicious node may be able 2293 to hijack a mobile node's session or may do a denial-of-service 2294 attacks. To prevent this attack, this specification requires the 2295 local mobility anchor to allow only authorized mobile access gateways 2296 to send binding registration messages on behalf of a mobile node. 2298 To eliminate the threats on the interface between the mobile access 2299 gateway and the mobile node, this specification requires an 2300 established trust between the mobile access gateway and the mobile 2301 node and to authenticate and authorize the mobile node before it is 2302 allowed to access the network. 2304 To eliminate the threats related to a compromised mobile access 2305 gateway, this specification recommends that the local mobility anchor 2306 before accepting a Proxy Binding Update message for a given mobile 2307 node, should ensure the mobile node is definitively attached to the 2308 mobile access gateway that sent the binding registration request. 2310 The issues related to a compromised mobile access gateway in the 2311 scenario where the local mobility anchor and the mobile access 2312 gateway in different domains, is outside the scope of this document. 2313 This scenario is beyond the applicability of this document. 2315 12. Acknowledgements 2317 The authors would like to specially thank Julien Laganier, Christian 2318 Vogt, Pete McCann, Brian Haley, Ahmad Muhanna, JinHyeock Choi for 2319 their thorough review of this document. 2321 The authors would also like to thank Alex Petrescu, Alice Qinxia, 2322 Alper Yegin, Ashutosh Dutta, Behcet Sarikaya, Fred Templing, Genadi 2323 Velev, George Tsirtsis, Gerardo Giaretta, Henrik Levkowetz, Hesham 2324 Soliman, James Kempf, Jari Arkko, Jean-Michel Combes, John Zhao, 2325 Jong-Hyouk Lee, Jonne Soininen, Jouni Korhonen, Kilian Weniger, Marco 2326 Liebsch, Mohamed Khalil, Nishida Katsutoshi, Phil Roberts, Ryuji 2327 Wakikawa, Sangjin Jeong, Suresh Krishnan, Vidya Narayanan, Youn-Hee 2328 Han and many others for their passionate discussions in the working 2329 group mailing list on the topic of localized mobility management 2330 solutions. These discussions stimulated much of the thinking and 2331 shaped the draft to the current form. We acknowledge that ! 2333 The authors would also like to thank Ole Troan, Akiko Hattori, Parviz 2334 Yegani, Mark Grayson, Michael Hammer, Vojislav Vucetic, Jay Iyer and 2335 Tim Stammers for their input on this document. 2337 13. References 2339 13.1. Normative References 2341 [RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate 2342 Requirement Levels", BCP 14, RFC 2119, March 1997. 2344 [RFC-2461] Narten, T., Nordmark, E. and W. Simpson, "Neighbor 2345 Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998. 2347 [RFC-2473] Conta, A. and S. Deering, "Generic Packet Tunneling in 2348 IPv6 Specification", RFC 2473, December 1998. 2350 [RFC-3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and 2351 M.Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", 2352 RFC 3315, July 2003. 2354 [RFC-3775] Johnson, D., Perkins, C., Arkko, J., "Mobility Support in 2355 IPv6", RFC 3775, June 2004. 2357 [RFC-4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The 2358 Network Access Identifier", RFC 4282, November 2005. 2360 [RFC-4283] Patel, A., Leung, K., Khalil, M., Akhtar, H., and K. 2361 Chowdhury, "Mobile Node Identifier Option for Mobile IPv6", RFC 4283, 2362 November 2005. 2364 [RFC-4301] Kent, S. and Atkinson, R., "Security Architecture for the 2365 Internet Protocol", RFC 4301, December 2005. 2367 [RFC-4303] Kent, S. "IP Encapsulating Security Protocol (ESP)", RFC 2368 4303, December 2005. 2370 13.2. Informative References 2372 [RFC-1661] Simpson, W., Ed., "The Point-To-Point Protocol (PPP)", STD 2373 51, RFC 1661, July 1994. 2375 [RFC-2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2376 2131, March 1997. 2378 [RFC-2462] Thompson, S., Narten, T., "IPv6 Stateless Address 2379 Autoconfiguration", RFC 2462, December 1998. 2381 [RFC-2472] Haskin, D. and Allen, E., "IP version 6 over PPP", RFC 2382 2472, December 1998. 2384 [RFC-3041] Narten, T. and Draves, R., "Privacy Extensions for 2385 Stateless Address Autoconfiguration in IPv6", RFC 3041, January 2001. 2387 [RFC-3971] Arkko, J., Ed., Kempf, J., Sommerfeld, B., Zill, B., and 2388 P. Nikander, "SEcure Neighbor Discovery (SEND)", RFC 3971, March 2389 2005. 2391 [RFC-4306] Kaufman, C, et al, "Internet Key Exchange (IKEv2) 2392 Protocol", RFC 4306, December 2005. 2394 [RFC-4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 2395 for IPv4, IPv6 and OSI", RFC 2030, October 1996. 2397 [RFC-4830] Kempf, J., Leung, K., Roberts, P., Nishida, K., Giaretta, 2398 G., Liebsch, M., "Problem Statement for Network-based Localized 2399 Mobility Management", September 2006. 2401 [RFC-4831] Kempf, J., Leung, K., Roberts, P., Nishida, K., Giaretta, 2402 G., Liebsch, M., "Goals for Network-based Localized Mobility 2403 Management", October 2006. 2405 [RFC-4832] Vogt, C., Kempf, J., "Security Threats to Network-Based 2406 Localized Mobility Management", September 2006. 2408 [ID-IPV4-PMIP6] Wakikawa, R. and Gundavelli, S., "IPv4 Support for 2409 Proxy Mobile IPv6", draft-ietf-netlmm-pmip6-ipv4-support-01.txt, May 2410 2007. 2412 [ID-DNAV6] Kempf, J., et al "Detecting Network Attachment in IPv6 2413 Networks (DNAv6)", draft-ietf-dna-protocol-06.txt, October 2006. 2415 Appendix A. Proxy Mobile IPv6 interactions with AAA Infrastructure 2417 Every mobile node that roams in a proxy Mobile IPv6 domain, would 2418 typically be identified by an identifier, MN-Identifier, and that 2419 identifier will have an associated policy profile that identifies the 2420 mobile node's home network prefix, permitted address configuration 2421 modes, roaming policy and other parameters that are essential for 2422 providing network-based mobility service. This information is 2423 typically configured in AAA. It is possible the home network prefix 2424 is dynamically allocated for the mobile node when it boots up for the 2425 first time in the network, or it could be a statically configured 2426 value on per mobile node basis. However, for all practical purposes, 2427 the network entities in the proxy Mobile IPv6 domain, while serving a 2428 mobile node will have access to this profile and these entities can 2429 query this information using RADIUS/DIAMETER protocols. 2431 Appendix B. Supporting Shared-Prefix Model using DHCPv6 2433 This specification supports Per-MN-Prefix model. However, it is 2434 possible to support Shared-Prefix model under the following 2435 guidelines. 2437 The mobile node is allowed to use stateful address configuration 2438 using DHCPv6 for obtaining its address configuration. The mobile 2439 node is not allowed to use any of the stateless autoconfiguration 2440 techniques. The permitted address configuration models for the 2441 mobile node on the access link can be enforced by the mobile access 2442 gateway, by setting the relevant flags in the Router Advertisements, 2443 as per [RFC-2461]. 2445 The Home Network Prefix option that is sent by the mobile access 2446 gateway in the Proxy Binding Update message, must contain the 128-bit 2447 host address that the mobile node obtained via DHCPv6. 2449 Routing state at the mobile access gateway: 2451 For all IPv6 traffic from the source MN-HoA::/128 to 2452 _ANY_DESTINATION_, route via tunnel0, next-hop LMAA, where tunnel0 is 2453 the MAG to LMA tunnel. 2455 Routing state at the local mobility anchor: 2457 For all IPv6 traffic to destination MN-HoA::/128, route via tunnel0, 2458 next-hop Proxy-CoA, where tunnel0 is the LMA to MAG tunnel. 2460 Authors' Addresses 2462 Sri Gundavelli 2463 Cisco 2464 170 West Tasman Drive 2465 San Jose, CA 95134 2466 USA 2468 Email: sgundave@cisco.com 2470 Kent Leung 2471 Cisco 2472 170 West Tasman Drive 2473 San Jose, CA 95134 2474 USA 2476 Email: kleung@cisco.com 2478 Vijay Devarapalli 2479 Azaire Networks 2480 4800 Great America Pkwy 2481 Santa Clara, CA 95054 2482 USA 2484 Email: vijay.devarapalli@azairenet.com 2486 Kuntal Chowdhury 2487 Starent Networks 2488 30 International Place 2489 Tewksbury, MA 2491 Email: kchowdhury@starentnetworks.com 2493 Basavaraj Patil 2494 Nokia Siemens Networks 2495 6000 Connection Drive 2496 Irving, TX 75039 2497 USA 2499 Email: basavaraj.patil@nsn.com 2501 Full Copyright Statement 2503 Copyright (C) The IETF Trust (2007). 2505 This document is subject to the rights, licenses and restrictions 2506 contained in BCP 78, and except as set forth therein, the authors 2507 retain all their rights. 2509 This document and the information contained herein are provided on an 2510 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 2511 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 2512 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 2513 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 2514 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 2515 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 2517 Intellectual Property 2519 The IETF takes no position regarding the validity or scope of any 2520 Intellectual Property Rights or other rights that might be claimed to 2521 pertain to the implementation or use of the technology described in 2522 this document or the extent to which any license under such rights 2523 might or might not be available; nor does it represent that it has 2524 made any independent effort to identify any such rights. Information 2525 on the procedures with respect to rights in RFC documents can be 2526 found in BCP 78 and BCP 79. 2528 Copies of IPR disclosures made to the IETF Secretariat and any 2529 assurances of licenses to be made available, or the result of an 2530 attempt made to obtain a general license or permission for the use of 2531 such proprietary rights by implementers or users of this 2532 specification can be obtained from the IETF on-line IPR repository at 2533 http://www.ietf.org/ipr. 2535 The IETF invites any interested party to bring to its attention any 2536 copyrights, patents or patent applications, or other proprietary 2537 rights that may cover technology that may be required to implement 2538 this standard. Please address the information to the IETF at 2539 ietf-ipr@ietf.org. 2541 Acknowledgment 2543 Funding for the RFC Editor function is provided by the IETF 2544 Administrative Support Activity (IASA).