idnits 2.17.1 draft-ietf-netlmm-proxymip6-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 21. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 2619. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 2630. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 2637. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 2643. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC-3775]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o The Home Address option MUST not be present in the Destination Option extension header of the Proxy Binding Update message. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: o If the received Proxy Binding Acknowledgement message has the Status field value set to PROXY_REG_NOT_ENABLED (Proxy registration not enabled for the mobile node), the mobile access gateway SHOULD not send binding registration requests again for that mobile node. It must also deny the mobility service to that mobile node. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 14, 2007) is 6069 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2461 (Obsoleted by RFC 4861) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) ** Obsolete normative reference: RFC 3775 (Obsoleted by RFC 6275) ** Obsolete normative reference: RFC 4282 (Obsoleted by RFC 7542) -- Obsolete informational reference (is this intentional?): RFC 2462 (Obsoleted by RFC 4862) -- Obsolete informational reference (is this intentional?): RFC 2472 (Obsoleted by RFC 5072, RFC 5172) -- Obsolete informational reference (is this intentional?): RFC 3041 (Obsoleted by RFC 4941) -- Obsolete informational reference (is this intentional?): RFC 4306 (Obsoleted by RFC 5996) -- Obsolete informational reference (is this intentional?): RFC 2030 (ref. 'RFC-4330') (Obsoleted by RFC 4330) == Outdated reference: A later version (-18) exists of draft-ietf-netlmm-pmip6-ipv4-support-01 == Outdated reference: A later version (-09) exists of draft-ietf-dna-protocol-06 Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 13 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETLMM WG S. Gundavelli 3 Internet-Draft K. Leung 4 Intended status: Standards Track Cisco 5 Expires: March 17, 2008 V. Devarapalli 6 Azaire Networks 7 K. Chowdhury 8 Starent Networks 9 B. Patil 10 Nokia Siemens Networks 11 September 14, 2007 13 Proxy Mobile IPv6 14 draft-ietf-netlmm-proxymip6-05.txt 16 Status of this Memo 18 By submitting this Internet-Draft, each author represents that any 19 applicable patent or other IPR claims of which he or she is aware 20 have been or will be disclosed, and any of which he or she becomes 21 aware will be disclosed, in accordance with Section 6 of BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF), its areas, and its working groups. Note that 25 other groups may also distribute working documents as Internet- 26 Drafts. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 The list of current Internet-Drafts can be accessed at 34 http://www.ietf.org/ietf/1id-abstracts.txt. 36 The list of Internet-Draft Shadow Directories can be accessed at 37 http://www.ietf.org/shadow.html. 39 This Internet-Draft will expire on March 17, 2008. 41 Copyright Notice 43 Copyright (C) The IETF Trust (2007). 45 Abstract 47 This specification describes a network-based mobility management 48 protocol. It is called Proxy Mobile IPv6 and is based on Mobile IPv6 50 [RFC-3775]. This protocol enables mobility support to a host without 51 requiring its participation in any mobility related signaling. The 52 design principle in the case of network-based mobility management 53 protocol relies on the network being in control of the mobility 54 management. The mobility entities in the network are responsible for 55 tracking the movements of the host and initiating the required 56 mobility signaling on its behalf. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 61 2. Conventions & Terminology . . . . . . . . . . . . . . . . . . 5 62 2.1. Conventions used in this document . . . . . . . . . . . . 5 63 2.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 64 3. Proxy Mobile IPv6 Protocol Overview . . . . . . . . . . . . . 8 65 4. Proxy Mobile IPv6 Protocol Security . . . . . . . . . . . . . 13 66 4.1. Peer Authorization Database Entries . . . . . . . . . . . 13 67 4.2. Security Policy Database Entries . . . . . . . . . . . . . 14 68 5. Local Mobility Anchor Operation . . . . . . . . . . . . . . . 15 69 5.1. Extensions to Binding Cache Entry Data Structure . . . . . 15 70 5.2. Supported Home Network Prefix Models . . . . . . . . . . . 16 71 5.3. Signaling Considerations . . . . . . . . . . . . . . . . . 16 72 5.4. Timestamp Option for Message Ordering . . . . . . . . . . 21 73 5.5. Routing Considerations . . . . . . . . . . . . . . . . . . 23 74 5.5.1. Bi-Directional Tunnel Management . . . . . . . . . . . 23 75 5.5.2. Forwarding Considerations . . . . . . . . . . . . . . 24 76 5.6. Local Mobility Anchor Address Discovery . . . . . . . . . 25 77 5.7. Mobile Prefix Discovery Considerations . . . . . . . . . . 25 78 5.8. Route Optimizations Considerations . . . . . . . . . . . . 25 79 6. Mobile Access Gateway Operation . . . . . . . . . . . . . . . 26 80 6.1. Extensions to Binding Update List Entry Data Structure . . 26 81 6.2. Mobile Node's Policy Profile . . . . . . . . . . . . . . . 27 82 6.3. Supported Access Link Types . . . . . . . . . . . . . . . 28 83 6.4. Supported Address Configuration Models . . . . . . . . . . 28 84 6.5. Access Authentication & Mobile Node Identification . . . . 29 85 6.6. Acquiring Mobile Node's Identifier . . . . . . . . . . . . 29 86 6.7. Home Network Emulation . . . . . . . . . . . . . . . . . . 30 87 6.8. Link-Local and Global Address Uniqueness . . . . . . . . . 30 88 6.9. Signaling Considerations . . . . . . . . . . . . . . . . . 31 89 6.9.1. Binding Registrations . . . . . . . . . . . . . . . . 32 90 6.9.2. Router Solicitation Messages . . . . . . . . . . . . . 35 91 6.9.3. Retransmissions and Rate Limiting . . . . . . . . . . 36 92 6.10. Routing Considerations . . . . . . . . . . . . . . . . . . 36 93 6.10.1. Transport Network . . . . . . . . . . . . . . . . . . 37 94 6.10.2. Tunneling & Encapsulation Modes . . . . . . . . . . . 37 95 6.10.3. Routing State . . . . . . . . . . . . . . . . . . . . 38 96 6.10.4. Local Routing . . . . . . . . . . . . . . . . . . . . 39 97 6.10.5. Tunnel Management . . . . . . . . . . . . . . . . . . 39 98 6.10.6. Forwarding Rules . . . . . . . . . . . . . . . . . . . 39 99 6.11. Interaction with DHCP Relay Agent . . . . . . . . . . . . 40 100 6.12. Home Network Prefix Renumbering . . . . . . . . . . . . . 41 101 6.13. Mobile Node Detachment Detection and Resource Cleanup . . 41 102 6.14. Allowing network access to other IPv6 nodes . . . . . . . 42 103 7. Mobile Node Operation . . . . . . . . . . . . . . . . . . . . 42 104 7.1. Moving into a Proxy Mobile IPv6 Domain . . . . . . . . . . 43 105 7.2. Roaming in the Proxy Mobile IPv6 Domain . . . . . . . . . 44 106 7.3. IPv6 Host Protocol Parameters . . . . . . . . . . . . . . 44 107 8. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 45 108 8.1. Proxy Binding Update Message . . . . . . . . . . . . . . . 46 109 8.2. Proxy Binding Acknowledgement Message . . . . . . . . . . 47 110 8.3. Home Network Prefix Option . . . . . . . . . . . . . . . . 48 111 8.4. Link-local Address Option . . . . . . . . . . . . . . . . 50 112 8.5. Timestamp Option . . . . . . . . . . . . . . . . . . . . . 51 113 8.6. Status Values . . . . . . . . . . . . . . . . . . . . . . 51 114 9. Protocol Configuration Variables . . . . . . . . . . . . . . . 53 115 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54 116 11. Security Considerations . . . . . . . . . . . . . . . . . . . 54 117 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 55 118 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 55 119 13.1. Normative References . . . . . . . . . . . . . . . . . . . 55 120 13.2. Informative References . . . . . . . . . . . . . . . . . . 56 121 Appendix A. Proxy Mobile IPv6 interactions with AAA 122 Infrastructure . . . . . . . . . . . . . . . . . . . 57 123 Appendix B. Supporting Shared-Prefix Model using DHCPv6 . . . . . 57 124 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 58 125 Intellectual Property and Copyright Statements . . . . . . . . . . 60 127 1. Introduction 129 Mobile IPv6 [RFC-3775] is the enabler for IPv6 mobility. It requires 130 Mobile IPv6 client functionality in the IPv6 stack of a mobile node. 131 Signaling between the mobile node and home agent enables the creation 132 and maintenance of a binding between the mobile node's home address 133 and care-of-address. Mobile IPv6 has been designed to be an integral 134 part of the IPv6 stack in a host. However there exist IPv6 stacks 135 today that do not have Mobile IPv6 functionality and there would 136 likely be IPv6 stacks without Mobile IPv6 client functionality in the 137 future as well. It is desirable to support IP mobility for all hosts 138 irrespective of the presence or absence of mobile IPv6 functionality 139 in the IPv6 stack. 141 It is possible to support mobility for IPv6 nodes by extending Mobile 142 IPv6 [RFC-3775] signaling and reusing the home agent via a proxy 143 mobility agent in the network. This approach to supporting mobility 144 does not require the mobile node to be involved in the signaling 145 required for mobility management. The proxy mobility agent in the 146 network performs the signaling and does the mobility management on 147 behalf of the mobile node. Because of the use and extension of 148 Mobile IPv6 signaling and home agent functionality, this protocol is 149 referred to as Proxy Mobile IPv6 (PMIPv6). 151 Network deployments which are designed to support mobility would be 152 agnostic to the capability in the IPv6 stack of the nodes which it 153 serves. IP mobility for nodes which have mobile IP client 154 functionality in the IPv6 stack as well as those hosts which do not, 155 would be supported by enabling Proxy Mobile IPv6 protocol 156 functionality in the network. The advantages of developing a network 157 based mobility protocol based on Mobile IPv6 are: 159 o Reuse of home agent functionality and the messages/format used in 160 mobility signaling. Mobile IPv6 is a mature protocol with several 161 implementations that have been through interoperability testing. 163 o A common home agent would serve as the mobility agent for all 164 types of IPv6 nodes. 166 o Addresses a real deployment need. 168 The problem statement and the need for a network based mobility 169 protocol solution has been documented in [RFC-4830]. Proxy Mobile 170 IPv6 is a solution that addresses these issues and requirements. 172 2. Conventions & Terminology 174 2.1. Conventions used in this document 176 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 177 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 178 document are to be interpreted as described in RFC 2119 [RFC-2119]. 180 2.2. Terminology 182 All the general mobility related terms used in this document are to 183 be interpreted as defined in the Mobile IPv6 base specification [RFC- 184 3775]. 186 This document adopts the terms, Local Mobility Anchor (LMA) and 187 Mobile Access Gateway (MAG) from the NETLMM Goals document [RFC- 188 4831]. This document also provides the following context specific 189 explanation to the following terms used in this document. 191 Proxy Mobile IPv6 Domain (PMIPv6-Domain) 193 Proxy Mobile IPv6 domain refers to the network where the mobility 194 management of a mobile node is handled using Proxy Mobile IPv6 195 protocol as defined in this specification. The Proxy Mobile IPv6 196 domain includes local mobility anchors and mobile access gateways 197 between which security associations can be setup and authorization 198 for sending Proxy Binding Updates on behalf of the mobile nodes 199 can be ensured. 201 Local Mobility Anchor (LMA) 203 Local Mobility Anchor is the home agent for the mobile node in the 204 Proxy Mobile IPv6 domain. It is the topological anchor point for 205 the mobile node's home network prefix and is the entity that 206 manages the mobile node's reachability state. It is important to 207 understand that the local mobility anchor has the functional 208 capabilities of a home agent as defined in Mobile IPv6 base 209 specification [RFC-3775] and with the additional required 210 capabilities for supporting Proxy Mobile IPv6 protocol as defined 211 in this specification. 213 Mobile Access Gateway (MAG) 214 Mobile Access Gateway is a function that manages the mobility 215 related signaling for a mobile node that is attached to its access 216 link. It is responsible for tracking the mobile node's movements 217 on the access link and for signaling the mobile node's local 218 mobility anchor. 220 Mobile Node (MN) 222 Through out this document, the term mobile node is used to refer 223 to an IP host whose mobility is managed by the network. The 224 mobile node may be operating in IPv6 mode, IPv4 mode or in IPv4/ 225 IPv6 dual mode. The mobile node is not required to participate in 226 any mobility related signaling for achieving mobility for an IP 227 address that is obtained in that Proxy Mobile IPv6 domain. This 228 document further uses explicit text when referring to a mobile 229 node that is involved in mobility related signaling as per Mobile 230 IPv6 specification [RFC-3775]. 232 LMA Address (LMAA) 234 The address that is configured on the interface of the local 235 mobility anchor and is the transport endpoint of the bi- 236 directional tunnel established between the local mobility anchor 237 and the mobile access gateway. This is the address to where the 238 mobile access gateway sends the Proxy Binding Update messages. 239 When supporting IPv4 traversal, i.e., when the network between the 240 local mobility anchor and the mobile access gateway is an IPv4 241 network, this address will be an IPv4 address and will be referred 242 to as IPv4-LMAA, as specified in [ID-IPV4-PMIP6]. 244 Proxy Care-of Address (Proxy-CoA) 246 Proxy-CoA is the address configured on the interface of the mobile 247 access gateway and is the transport endpoint of the tunnel between 248 the local mobility anchor and the mobile access gateway. The 249 local mobility anchor views this address as the Care-of Address of 250 the mobile node and registers it in the Binding Cache entry for 251 that mobile node. When the transport network between the mobile 252 access gateway and the local mobility anchor is an IPv4 network 253 and if the care-of address that is registered at the local 254 mobility anchor is an IPv4 address, the term, IPv4-Proxy-CoA is 255 used, as specified in [ID-IPV4-PMIP6]. 257 Mobile Node's Home Address (MN-HoA) 258 MN-HoA is the home address of a mobile node in a Proxy Mobile IPv6 259 domain. It is an address from its home network prefix obtained by 260 a mobile node in a Proxy Mobile IPv6 domain. The mobile node can 261 continue to use this address as long as it is attached to the 262 network that is in the scope of that Proxy Mobile IPv6 domain. 264 Mobile Node's Home Network Prefix (MN-HNP) 266 This is the on-link IPv6 prefix that is always present in the 267 Router Advertisements that the mobile node receives when it is 268 attached to any of the access links in that Proxy Mobile IPv6 269 domain. This home network prefix is topologically anchored at the 270 mobile node's local mobility anchor. The mobile node configures 271 its interface with an address from this prefix. 273 Mobile Node's Home Link 275 This is the link on which the mobile node obtained its initial 276 address configuration after it moved into that Proxy Mobile IPv6 277 domain. This is the link that conceptually follows the mobile 278 node. The network will ensure the mobile node always sees this 279 link with respect to the layer-3 network configuration, on any 280 access link that it attaches to in that Proxy Mobile IPv6 domain. 282 Mobile Node Identifier (MN-Identifier) 284 The identity of a mobile node in the Proxy Mobile IPv6 domain. 285 This is the stable identifier of a mobile node that the mobility 286 entities in a Proxy Mobile IPv6 domain can always acquire and 287 using which a mobile node can predictably be identified. This is 288 typically an identifier such as Mobile Node NAI [RFC-4282]. 290 Proxy Binding Update (PBU) 292 A binding registration request message sent by a mobile access 293 gateway to a mobile node's local mobility anchor for establishing 294 a binding between the mobile node's MN-HNP and the Proxy-CoA. 296 Proxy Binding Acknowledgement (PBA) 298 A binding registration reply message sent by a local mobility 299 anchor in response to a Proxy Binding Update request message that 300 it received from a mobile access gateway. 302 3. Proxy Mobile IPv6 Protocol Overview 304 This specification describes a network-based mobility management 305 protocol. It is called Proxy Mobile IPv6 and is based on Mobile IPv6 306 [RFC-3775]. 308 Proxy Mobile IPv6 protocol is intended for providing network-based 309 mobility management support to a mobile node, without requiring the 310 participation of the mobile node in any mobility related signaling. 311 The mobility entities in the network will track the mobile node's 312 movements and will initiate the mobility signaling and setup the 313 required routing state. 315 The core functional entities in the NETLMM infrastructure are the 316 Local Mobility Anchor and the Mobile Access Gateway. The local 317 mobility is responsible for maintaining the mobile node's 318 reachability state and is the topological anchor point for the mobile 319 node's home network prefix. While the mobile access gateway is the 320 entity that performs the mobility management on behalf of a mobile 321 node and it resides on the access link where the mobile node is 322 anchored. The mobile access gateway is responsible for detecting the 323 mobile node's movements on its access link and for sending binding 324 registrations to the mobile node's local mobility anchor. 326 +----+ +----+ 327 |LMA1| |LMA2| 328 +----+ +----+ 329 LMAA1 -> | | <-- LMAA2 330 | | 331 \\ //\\ 332 \\ // \\ 333 \\ // \\ 334 +---\\------------- //------\\----+ 335 ( \\ IPv4/IPv6 // \\ ) 336 ( \\ Network // \\ ) 337 +------\\--------//------------\\-+ 338 \\ // \\ 339 \\ // \\ 340 \\ // \\ 341 Proxy-CoA1--> | | <-- Proxy-CoA2 342 +----+ +----+ 343 |MAG1|-----{MN2} |MAG2| 344 +----+ | +----+ 345 | | | 346 MN-HoA1 --> | MN-HoA2 | <-- MN-HoA3 347 {MN1} {MN3} 349 Figure 1: Proxy Mobile IPv6 Domain 351 Once a mobile node enters a Proxy Mobile IPv6 domain and attaches to 352 an access network, the mobile access gateway on that access network 353 after identifying the mobile node and acquiring its identifier, will 354 determine if the mobile node is authorized for network-based mobility 355 management service. 357 If the network determines that the network-based mobility management 358 service needs to be offered to that mobile node, the network will 359 ensure that the mobile node using any of the address configuration 360 mechanisms permitted by the network, will be able to obtain an 361 address from its home network prefix and move anywhere in that proxy 362 mobile IPv6 domain. From the perspective of the mobile node, the 363 entire proxy mobile IPv6 domain appears as a single link, the network 364 ensures that the mobile node believes it is always on the same link 365 where it obtained its initial address configuration, even after 366 changing its point of attachment in that network. 368 The mobile node may be operating in an IPv4-only mode, IPv6-only mode 369 or in dual IPv4/IPv6 mode. Based on what is enabled in the network 370 for that mobile node, the mobile node will be able to obtain an IPv4, 371 IPv6 or dual IPv4/IPv6 addresses and move any where in that Proxy 372 Mobile IPv6 domain. However, the specific details related to the 373 IPv4 addressing or IPv4 transport support is specified in the 374 companion document [ID-IPV4-PMIP6]. 376 +-----+ +-----+ +-----+ 377 | MN | | MAG | | LMA | 378 +-----+ +-----+ +-----+ 379 | | | 380 MN Attached | | 381 | | | 382 | MN Attached Event | 383 | (Acquire MN-Id and Profile) | 384 | | | 385 | |----- PBU ----------->| 386 | | | 387 | | Accept PBU 388 | | (Allocate MN-HNP, Setup BCE and Tunnel) 389 | | | 390 | |<--------- PBA -------| 391 | | | 392 | Accept PBA | 393 | (Setup Tunnel and Routing) | 394 | | | 395 | |==== Bi-Dir Tunnel ===| 396 | | | 397 |--- Rtr Sol --------->| | 398 | | | 399 |<------- Rtr Adv -----| | 400 | | | 401 IP Address | | 402 Configuration | | 403 | | | 405 Figure 2: Mobile Node Attachment - Signaling Call Flow 407 Figure 2 shows the signaling call flow, when the mobile node enters 408 the Proxy Mobile IPv6 domain. 410 For updating the local mobility anchor about the current location of 411 the mobile node, the mobile access gateway sends a Proxy Binding 412 Update message to the mobile node's local mobility anchor. Upon 413 accepting this Proxy Binding Update message, the local mobility 414 anchor sends a Proxy Binding Acknowledgement message including the 415 mobile node's home network prefix. It also creates the Binding Cache 416 entry and establishes a bi-directional tunnel to the mobile access 417 gateway. 419 The mobile access gateway on receiving the Proxy Binding 420 Acknowledgement message sets up a bi-directional tunnel to the local 421 mobility anchor and sets up the data path for the mobile node's 422 traffic. At this point the mobile access gateway will have all the 423 required information for emulating the mobile node's home link. It 424 sends Router Advertisement messages to the mobile node on the access 425 link advertising the mobile node's home network prefix as the hosted 426 on-link-prefix. 428 The mobile node on receiving these Router Advertisement messages on 429 the access link will attempt to configure its interface either using 430 stateful or stateless address configuration modes, based on the modes 431 that are permitted on that access link. At the end of a successful 432 address configuration procedure, the mobile node will end up with an 433 address from its home network prefix. 435 Once the address configuration is complete, the mobile node has a 436 valid address from its home network prefix, at the current point of 437 attachment. The serving mobile access gateway and the local mobility 438 anchor also have proper routing states for handling the traffic sent 439 to and from the mobile node using an address from its home network 440 prefix. 442 The local mobility anchor, being the topological anchor point for the 443 mobile node's home network prefix, receives any packets that are sent 444 by any corresponding node to the mobile node. Local mobility anchor 445 forwards these received packets to the mobile access gateway through 446 the bi-directional tunnel. The mobile access gateway on other end of 447 the tunnel, after receiving the packet, removes the outer header and 448 forwards the packet on the access link to the mobile node. 450 The mobile access gateway typically acts as a default router on the 451 access link. Any packet that the mobile node sends to any 452 corresponding node will be received by the mobile access gateway and 453 will be sent to its local mobility anchor through the bi-directional 454 tunnel. The local mobility anchor on the other end of the tunnel, 455 after receiving the packet removes the outer header and routes the 456 packet to the destination. 458 +-----+ +-----+ +-----+ +-----+ 459 | MN | |p-MAG| | LMA | |n-MAG| 460 +-----+ +-----+ +-----+ +-----+ 461 | | | | 462 | |==Bi-Dir Tunnel=| | 463 MN Detached | | | 464 | MN Detached Event | | 465 | | | | 466 | |-- PBU -------->| | 467 | | | | 468 | | Accept PBU | 469 | | (Start BCE delete timer) | 470 | | | | 471 | |<-------- PBA --| | 472 | | | | 473 MN Attached | | | 474 | | | MN Attached Event 475 | | | (Acquire MN-Id and Profile) 476 .... 477 Registration steps as in fig 2. 478 .... 479 | | |==Bi-Dir Tunnel=| 480 |--- Rtr Sol ------------------------------------->| 481 | | | | 482 |<------------------------------------ Rtr Adv ----| 483 | | | | 484 MN retains HoA/HNP 485 | | | | 487 Figure 3: Mobile Node Handoff - Signaling Call Flow 489 Figure 3 shows the signaling call flow for the mobile node's handoff 490 scenario. 492 After obtaining the initial address configuration in the Proxy Mobile 493 IPv6 domain, if the mobile node changes its point of attachment, the 494 mobile access gateway on the new access link, will signal the local 495 mobility anchor for updating the binding and routing state. The 496 mobile node will continue to receive the Router Advertisements 497 containing its home network prefix, making it believe its still on 498 the same link and can use the same address configuration on the new 499 access link. 501 4. Proxy Mobile IPv6 Protocol Security 503 The signaling messages, Proxy Binding Update and Proxy Binding 504 Acknowledgement, exchanged between the mobile access gateway and the 505 local mobility anchor MUST be protected using end-to-end security 506 association(s) offering integrity and data origin authentication. A 507 security association with the mobile node for which the signaling 508 message is issued is not required for protection of these messages. 510 The mobile access gateway and the local mobility anchor MUST 511 implement IPsec for protecting the Proxy Mobile IPv6 signaling 512 messages [RFC-4301]. IPsec is the default security mechanism for 513 securing the signaling messages. However in certain deployments of 514 this protocol, other security mechanisms MAY be applied and the 515 signaling messages must be protected using the semantics provided by 516 that respective mechanism. 518 IPsec ESP [RFC-4303] in transport mode with mandatory integrity 519 protection SHOULD be used for protecting the signaling messages. 520 Confidentiality protection of these messages is not required. 522 IKEv2 [RFC-4306] SHOULD be used to setup security associations 523 between the mobile access gateway and the local mobility anchor to 524 protect the Proxy Binding Update and Proxy Binding Acknowledgement 525 messages. The mobile access gateway and the local mobility anchor 526 can use any of the authentication mechanisms, as specified in IKEv2, 527 for mutual authentication. 529 Mobile IPv6 specification [RFC-3775] requires the home agent to 530 prevent a mobile node from creating security associations or creating 531 binding cache entries for another mobile node's home address. In the 532 protocol described in this document, the mobile node is not involved 533 in creating security associations for protecting the signaling 534 messages or sending binding updates. Therefore, this is not a 535 concern. However, the local mobility anchor MUST allow only 536 authorized mobile access gateways to create binding cache entries on 537 behalf of the mobile nodes. The actual mechanism by which the local 538 mobility anchor verifies if a specific mobile access gateway is 539 authorized to send Proxy Binding Updates on behalf of a mobile node 540 is outside the scope of this document. One possible way this could 541 be achieved is by sending a query to the policy store, such as AAA. 543 4.1. Peer Authorization Database Entries 545 This section describes PAD entries on the mobile access gateway and 546 the local mobility anchor. The PAD entries are only example 547 configurations. Note that the PAD is a logical concept and a 548 particular mobile access gateway or a local mobility anchor 549 implementation can implement the PAD in any implementation specific 550 manner. The PAD state may also be distributed across various 551 databases in a specific implementation. 553 mobile access gateway PAD: 554 - IF remote_identity = lma_identity_1 555 Then authenticate (shared secret/certificate/EAP) 556 and authorize CHILD_SA for remote address lma_addres_1 558 local mobility anchor PAD: 559 - IF remote_identity = mag_identity_1 560 Then authenticate (shared secret/certificate/EAP) 561 and authorize CHILD_SAs for remote address mag_address_1 563 The list of authentication mechanisms in the above examples is not 564 exhaustive. There could be other credentials used for authentication 565 stored in the PAD. 567 4.2. Security Policy Database Entries 569 This section describes the security policy entries on the mobile 570 access gateway and the local mobility anchor required to protect the 571 Proxy Mobile IPv6 signaling messages. The SPD entries are only 572 example configurations. A particular mobile access gateway or a 573 local mobility anchor implementation could configure different SPD 574 entries as long as they provide the required security. 576 In the examples shown below, the identity of the mobile access 577 gateway is assumed to be mag_1, the address of the mobile access 578 gateway is assumed to be mag_address_1, and the address of the local 579 mobility anchor is assumed to be lma_address_1. 581 mobile access gateway SPD-S: 582 - IF local_address = mag_address_1 & 583 remote_address = lma_address_1 & 584 proto = MH & local_mh_type = BU & remote_mh_type = BA 585 Then use SA ESP transport mode 586 Initiate using IDi = mag_1 to address lma_1 588 local mobility anchor SPD-S: 589 - IF local_address = lma_address_1 & 590 remote_address = mag_address_1 & 591 proto = MH & local_mh_type = BA & remote_mh_type = BU 592 Then use SA ESP transport mode 594 5. Local Mobility Anchor Operation 596 For supporting the Proxy Mobile IPv6 protocol specified in this 597 document, the home agent function, specified in [RFC-3775] requires 598 certain functional modifications and enhancements. The home agent 599 with these modifications and enhanced capabilities for supporting 600 Proxy Mobile IPv6 protocol is referred to as the local mobility 601 anchor. 603 The section describes the operational details of the local mobility 604 anchor. 606 5.1. Extensions to Binding Cache Entry Data Structure 608 Every local mobility anchor MUST maintain a Binding Cache entry for 609 each currently registered mobile node. Binding Cache entry is a 610 conceptual data structure, described in Section 9.1 [RFC-3775]. 612 For supporting this specification, the Binding Cache Entry data 613 structure needs to be extended with the following additional fields. 615 o A flag indicating whether or not this Binding Cache entry is 616 created due to a proxy registration. This flag is enabled for 617 Binding Cache entries that are proxy registrations and is turned 618 off for all other entries that are created due to the 619 registrations directly sent by the mobile node. 621 o The identifier of the registered mobile node, MN-Identifier. This 622 identifier is obtained from the NAI Option [RFC-4283] present in 623 the received Proxy Binding Update request. 625 o The Link-local address of the mobile node on the interface 626 attached to the access link. This is obtained from the Link-local 627 Address option, present in the Proxy Binding Update request. 629 o The IPv6 home network prefix of the registered mobile node. The 630 home network prefix of the mobile node may have been statically 631 configured in the mobile node's policy profile, or, it may have 632 been dynamically allocated by the local mobility anchor. The IPv6 633 home network prefix also includes the corresponding prefix length. 635 o The interface identifier of the bi-directional tunnel established 636 between the local mobility anchor and the mobile access gateway 637 where the mobile node is currently anchored. The tunnel interface 638 identifier is acquired during the tunnel creation. 640 o The 64-bit timestamp value of the most recently accepted Proxy 641 Binding Update request sent for this mobile node. This is 642 obtained from the Timestamp option, present in the request. 644 5.2. Supported Home Network Prefix Models 646 This specification supports Per-MN-Prefix model and does not support 647 Shared-Prefix model. As per the Per-MN-Prefix model, there will be 648 an unique home network prefix assigned to each mobile node and no 649 other node shares an address from that prefix. 651 The mobile node's home network prefix is always hosted on the access 652 link where the mobile node is anchored. Conceptually, the entire 653 home network prefix follows the mobile node as it moves within the 654 Proxy Mobile IPv6 domain. The local mobility anchor is not required 655 to perform any proxy ND operations [RFC-2461] for defending the 656 mobile node's home address on the home link. However, from the 657 routing perspective, the home network prefix is topologically 658 anchored on the local mobility anchor. 660 5.3. Signaling Considerations 662 Processing Binding Registrations 664 Upon receiving a Proxy Binding Update request from a mobile access 665 gateway on behalf of a mobile node, the local mobility anchor MUST 666 process the request as defined in Section 10.3 [RFC-3775], with one 667 exception that this request is a proxy binding registration request 668 and hence the following additional considerations must be applied. 670 o The local mobility anchor MUST observe the rules described in 671 Section 9.2 [RFC-3775] when processing Mobility Headers in the 672 received Proxy Binding Update request. 674 o The local mobility anchor MUST identify the mobile node from the 675 identifier present in the NAI option [RFC-4283] of the Proxy 676 Binding Update request. If the NAI option is not present in the 677 Proxy Binding Update request, the local mobility anchor MUST 678 reject the request and send a Proxy Binding Acknowledgement 679 message with Status field set to MISSING_MN_IDENTIFIER_OPTION 680 (Missing mobile node identifier). 682 o If the local mobility anchor cannot identify the mobile node, from 683 the NAI option [RFC-4283] present in the request, it MUST reject 684 the Proxy Binding Update request and send a Proxy Binding 685 Acknowledgement message with Status field set to 133 (Not home 686 agent for this mobile node). 688 o If the local mobility anchor determines that the mobile node is 689 not authorized for network-based mobility management service, it 690 MUST reject the request and send a Proxy Binding Acknowledgement 691 message with Status field set to PROXY_REG_NOT_ENABLED (Proxy 692 Registration not enabled). 694 o The local mobility anchor MUST ignore the check, specified in 695 Section 10.3.1 [RFC-3775], related to the presence of Home Address 696 destination option in the Proxy Binding Update request. 698 o The local mobility anchor MUST authenticate the Proxy Binding 699 Update request as described in Section 4.0. It MUST use the SPI 700 in the IPSec header [RFC-4306] of the received packet for locating 701 the security association needed for authenticating the Proxy 702 Binding Update request. 704 o The local mobility anchor MUST apply the required policy checks, 705 as explained in Section 4.0, to verify the sender is a trusted 706 mobile access gateway, authorized to send proxy binding 707 registration requests on behalf of this mobile node. 709 o If the local mobility anchor determines that the requesting node 710 is not authorized to send proxy binding registration requests, it 711 MUST reject the Proxy Binding Update request and send a Proxy 712 Binding Acknowledgement message with Status field set to 713 MAG_NOT_AUTHORIZED_FOR_PROXY_REG (Not authorized to send proxy 714 registrations). 716 o If the Home Network Prefix option is not present in the Proxy 717 Binding Update request, the local mobility anchor MUST reject the 718 Proxy Binding Update request and send a Proxy Binding 719 Acknowledgement message with Status field set to 129 720 (Administratively Prohibited). 722 o The local mobility anchor MUST apply the considerations specified 723 in Section 5.4, for processing the Sequence Number field and the 724 Timestamp option, in the Proxy Binding Update request. 726 o The local mobility anchor MUST use the identifier in the NAI 727 option [RFC-4283] present in the Proxy Binding Update request for 728 performing the Binding Cache entry existence test. If the entry 729 does not exist, the local mobility MUST consider this request as 730 an initial binding registration request. 732 Initial Binding Registration: 734 o If the Home Network Prefix option present in the Proxy Binding 735 Update request has the value 0::/0, the local mobility anchor MUST 736 allocate a prefix for the mobile node and send a Proxy Binding 737 Acknowledgement message including the Home Network Prefix option 738 containing the allocated prefix value. The specific details on 739 how the local mobility anchor allocates the home network prefix is 740 outside the scope of this document. The local mobility anchor 741 MUST ensure the allocated prefix is not in use by any other mobile 742 node. 744 o If the local mobility anchor is unable to allocate a home network 745 prefix for the mobile node, it MUST reject the request and send a 746 Proxy Binding Acknowledgement message with Status field set to 130 747 (Insufficient resources). 749 o If the Home Network Prefix option present in the request has a 750 specific prefix hint, the local mobility anchor before accepting 751 that request, MUST ensure the prefix is owned by the local 752 mobility anchor and further the mobile node is authorized to use 753 that prefix. If the mobile node is not authorized to use that 754 prefix, the local mobility anchor MUST reject the request and send 755 a Proxy Binding Acknowledgement message with Status field set to 756 NOT_AUTHORIZED_FOR_HOME_NETWORK_PREFIX (Mobile node not authorized 757 to use that prefix). 759 o Upon accepting the request, the local mobility anchor MUST create 760 a Binding Cache entry for the mobile node. It must set the fields 761 in the Binding Cache entry to the accepted values for that 762 binding. If there is a Link-local Address option present in the 763 request, the address must be copied to the link-local address 764 field in the Binding Cache entry. 766 o Upon accepting the Proxy Binding Update request, the local 767 mobility anchor MUST establish a bi-directional tunnel to the 768 mobile access gateway, as described in [RFC-2473]. Considerations 769 from Section 5.5 must be applied. 771 Binding Re-Registration: 773 o If the requesting prefix in the Home Network Prefix option is a 774 non 0::/0 value and is different from what is present in the 775 currently active Binding Cache entry for that mobile node, the 776 local mobility anchor MUST reject the request and send a Proxy 777 Binding Acknowledgement message with Status field set to 129 778 (Administratively Prohibited). 780 o Upon accepting a Proxy Binding Update request for extending the 781 lifetime of a currently active binding for a mobile node, the 782 local mobility anchor MUST update the existing Binding Cache entry 783 for this mobile node. Unless there exists an established bi- 784 directional tunnel to the mobile access gateway with the same 785 transport and encapsulation mode, the local mobility anchor MUST 786 create a tunnel to the mobile access gateway, as described in 787 [RFC-2473] and also delete the existing tunnel route to the 788 previous mobile access gateway. It MUST also send a Proxy Binding 789 Acknowledgement message to the mobile access gateway with the 790 Status field set to 0 (Proxy Binding Update Accepted). 792 Binding De-Registration: 794 o If the received Proxy Binding Update request with the lifetime 795 value of 0, has a Source Address in the IPv6 header, different 796 from what is present in the Proxy-CoA address field in its Binding 797 Cache entry, the local mobility anchor MAY either choose to ignore 798 the request or send a valid Proxy Binding Acknowledgement message 799 with the Status field set to 0 (Proxy Binding Update Accepted). 801 o Upon accepting the Proxy Binding Update request for a mobile node, 802 with the lifetime value of zero, the local mobility anchor MUST 803 wait for MinDelayBeforeBCEDelete amount of time, before it deletes 804 the mobile node's Binding Cache entry. Within this wait period, 805 if the local mobility anchor receives a Proxy Binding Update 806 request message for the same mobile node and from a different 807 mobile access gateway, with the lifetime value of greater than 808 zero, and if that request is accepted, then the Binding Cache 809 entry MUST NOT be deleted, but must be updated with the new 810 values. However, the local mobile anchor MUST send the Proxy 811 Binding Acknowledgement message, immediately upon accepting the 812 request. 814 o Upon accepting the request, the local mobility anchor MUST delete 815 the mobile node's Binding Cache entry and remove the Routing state 816 for the mobile node's home network prefix. 818 Constructing the Proxy Binding Acknowledgement Message: 820 o The local mobility anchor when sending the Proxy Binding 821 Acknowledgement message to the mobile access gateway MUST 822 construct the message as specified below. 824 IPv6 header (src=LMAA, dst=Proxy-CoA) 825 Mobility header 826 -BA /*P flag is set*/ 827 Mobility Options 828 - Home Network Prefix Option 829 - Link-local Address Option (optional) 830 - Timestamp Option (optional) 831 - NAI Option 833 Proxy Binding Acknowledgement message format 835 o The Source Address field in the IPv6 header of the message SHOULD 836 be set to the destination address of the received Proxy Binding 837 Update request. 839 o The Destination Address field in the IPv6 header of the message 840 SHOULD be set to the source address of the received Proxy Binding 841 Update request. 843 o If the Status field is set to a value greater less than 128, i.e. 844 if the binding request was rejected, then the prefix value in the 845 Home Network Prefix option MUST be set to the prefix value from 846 the received Home Network Prefix option. For all other cases, the 847 prefix value MUST be set to the allocated prefix value for that 848 mobile node. 850 o The Link-local Address option MUST be present in the Proxy Binding 851 Acknowledgement message, if the same option was present in the 852 corresponding Proxy Binding Update request message. If there is 853 an existing Binding Cache entry for that mobile node with the 854 link-local address value of ALL_ZERO (value not set), or if there 855 was no existing Binding Cache entry, then the link-local address 856 MUST be copied from the received Link-local Address option in the 857 received Proxy Binding Update request. For all other cases, it 858 MUST be copied from the Binding Cache entry. 860 o Considerations from Section 5.4 must be applied for constructing 861 the Timestamp option. 863 o The identifier in the NAI option [RFC-4283] MUST be copied from 864 the received Proxy Binding Update request. If the Status field 865 value is set to MISSING_MN_IDENTIFIER_OPTION, the NAI option MUST 866 NOT be present in the reply message. 868 o The message MUST be protected by using IPsec, using the security 869 association existing between the local mobility anchor and the 870 mobile access gateway. 872 o The Type 2 Routing header, MUST NOT be present in the IPv6 header 873 of the packet. 875 5.4. Timestamp Option for Message Ordering 877 Mobile IPv6 [RFC-3775] uses the Sequence Number field in binding 878 registration messages as a way for the home agent to process the 879 binding updates in the order they were sent by a mobile node. The 880 home agent and the mobile node are required to manage this counter 881 over the lifetime of a binding. However, in Proxy Mobile IPv6, as 882 the mobile node moves from one mobile access gateway to another and 883 in the absence of context transfer mechanism, the serving mobile 884 access gateway will be unable to determine the sequence number that 885 it needs to use in the signaling messages. Hence, the sequence 886 number scheme as specified in [RFC-3775], will be insufficient for 887 Proxy Mobile IPv6. 889 If the local mobility anchor cannot determine the sending order of 890 the received binding registration messages, it may potentially 891 process an older message sent by a mobile access gateway, where the 892 mobile node was previously anchored, resulting in an incorrect 893 Binding Cache entry. 895 For solving this problem, this specification adopts two alternative 896 solutions, one is based on timestamps and the other based on sequence 897 numbers, as defined in [RFC-3775]. 899 The basic principle behind the use of timestamps in binding 900 registration messages is that the node generating the message inserts 901 the current time-of-day, and the node receiving the message checks 902 that this timestamp is greater than all previously accepted 903 timestamps. The timestamp based solution may be used, when the 904 serving mobile access gateways in a Proxy Mobile IPv6 domain do not 905 have the ability to obtain the last sequence number that was sent in 906 a binding registration message for updating a given mobile node's 907 binding. 909 As an alternative to the Timestamp based approach, the specification 910 also allows the use of Sequence Number based scheme, as per [RFC- 911 3775]. However, for this scheme to work, the serving mobile access 912 gateways in a Proxy Mobile IPv6 domain MUST have the ability to 913 obtain the last sequence number that was sent in a binding 914 registration message for updating a given mobile node's binding. The 915 sequence number MUST be maintained on a per mobile node basis and 916 MUST be synchronized between the serving mobile access gateways. 917 However, the specific details on how a mobile node's sequence number 918 is synchronized between different mobile access gateways is outside 919 the scope of this document. 921 Using Timestamps based approach: 923 o An implementation MUST support Timestamp option. If the Timestamp 924 option is present in the received Proxy Binding Update request 925 message, then the local mobility anchor MUST include a valid 926 Timestamp option in the Proxy Binding Acknowledgement message that 927 it sends to the mobile access gateway. 929 o All the mobility entities in a Proxy Mobile IPv6 domain, 930 exchanging binding registration messages using Timestamp option 931 must have adequately synchronized time-of-day clocks. This is the 932 essential requirement for this solution to work. If this 933 requirement is not met, the solution will not predictably work in 934 all cases. 936 o The mobility entities in a Proxy Mobile IPv6 domain SHOULD 937 synchronize their clocks to a common time source. For 938 synchronizing the clocks, the nodes may use Network Time Protocol 939 [RFC-4330]. Deployments may also adopt other approaches suitable 940 for that specific deployment. 942 o When generating the timestamp value for building the Timestamp 943 option, the mobility entities MUST ensure that the generated 944 timestamp is the elapsed time past the same reference epoch, as 945 specified in the format for the Timestamp option [Section 8.5]. 947 o Upon receipt of a Proxy Binding Update message with the Timestamp 948 option, the local mobility anchor MUST check the timestamp field 949 for validity. In order for it to be considered valid, the 950 timestamp value contained in the Timestamp option MUST be close 951 enough to the local mobility anchor's time-of-day clock and the 952 timestamp MUST be greater than all previously accepted timestamps 953 in the Proxy Binding Update messages sent for that mobile node. 955 o If the Timestamp option is present in the received Proxy Binding 956 Update message, the local mobility anchor MUST ignore the sequence 957 number field in the message. However, it MUST copy the sequence 958 number from the received Proxy Binding Update message to the Proxy 959 Binding Acknowledgement message. 961 o If the timestamp value in the received Proxy Binding Update is 962 valid, the local mobility anchor MUST return the same timestamp 963 value in the Timestamp option included in the Proxy Binding 964 Acknowledgement message that it sends to the mobile access 965 gateway. 967 o If the timestamp value in the received Proxy Binding Update is not 968 valid, the local mobility anchor MUST reject the Proxy Binding 969 Update and send a Proxy Binding Acknowledgement message with 970 Status field set to TIMESTAMP_MISMATCH (Timestamp mismatch). The 971 message MUST also include the Timestamp option with the value set 972 to the current time-of-day on the local mobility anchor. 974 Using Sequence Number based approach: 976 o If the Timestamp option is not present in the received Proxy 977 Binding Update request, the local mobility anchor MUST fallback to 978 the Sequence Number based scheme. It MUST process the sequence 979 number field as specified in [RFC-3775]. Also, it MUST NOT 980 include the Timestamp option in the Proxy Binding Acknowledgement 981 messages that it sends to the mobile access gateway. 983 o An implementation MUST support Sequence Number based scheme, as 984 per [RFC-3775]. 986 5.5. Routing Considerations 988 5.5.1. Bi-Directional Tunnel Management 990 o A bi-directional tunnel is established between the local mobility 991 anchor and the mobile access gateway with IP-in-IP encapsulation, 992 as described in [RFC-2473]. The tunnel end points are the Proxy- 993 CoA and LMAA. When using IPv4 transport with a specific 994 encapsulation mode, the end points of the tunnel are the IPv4-LMAA 995 and IPv4-Proxy-CoA, as specified in [ID-IPV4-PMIP6]. 997 o The bi-directional tunnel is used for routing the mobile node's 998 data traffic between the mobile access gateway and the local 999 mobility anchor. The tunnel hides the topology and enables a 1000 mobile node to use an address from its home network prefix from 1001 any access link attached to the mobile access gateway. 1003 o The bi-directional tunnel is established after accepting the Proxy 1004 Binding Update request message. The created tunnel may be shared 1005 with other mobile nodes attached to the same mobile access gateway 1006 and with the local mobility anchor having a Binding Cache entry 1007 for those mobile nodes. Implementations MAY choose to use static 1008 tunnels instead of dynamically creating and tearing them down on a 1009 need basis. 1011 o The tunnel between the local mobility anchor and the mobile access 1012 gateway is typically a shared tunnel and can be used for routing 1013 traffic streams for different mobile nodes attached to the same 1014 mobile access gateway. 1016 o Implementations typically use a software timer for managing the 1017 tunnel lifetime and a counter for keeping a count of all the 1018 mobile nodes that are sharing the tunnel. The timer value will be 1019 set to the accepted binding life-time and will be updated after 1020 each periodic registrations for extending the lifetime. If the 1021 tunnel is shared for multiple mobile nodes, the tunnel lifetime 1022 will be set to the highest binding lifetime that is granted to any 1023 one of those mobile nodes sharing that tunnel. 1025 5.5.2. Forwarding Considerations 1027 Intercepting Packets Sent to the Mobile Node's Home Network: 1029 o When the local mobility anchor is serving a mobile node, it MUST 1030 be able to receive packets that are sent to the mobile node's home 1031 network. In order for it to receive those packets, it MUST 1032 advertise a connected route in to the Routing Infrastructure for 1033 the mobile node's home network prefix or for an aggregated prefix 1034 with a larger scope. This essentially enables IPv6 routers in 1035 that network to detect the local mobility anchor as the last-hop 1036 router for that prefix. 1038 Forwarding Packets to the Mobile Node: 1040 o On receiving a packet from a corresponding node with the 1041 destination address matching a mobile node's home network prefix, 1042 the local mobility anchor MUST forward the packet through the bi- 1043 directional tunnel setup for that mobile node. The format of the 1044 tunneled packet is shown below. However, when using IPv4 1045 transport, the format of the packet is as described in [ID-IPV4- 1046 PMIP6]. 1048 IPv6 header (src= LMAA, dst= Proxy-CoA /* Tunnel Header */ 1049 IPv6 header (src= CN, dst= MN-HOA ) /* Packet Header */ 1050 Upper layer protocols /* Packet Content*/ 1052 Figure 7: Tunneled Packets from LMA to MAG 1054 Forwarding Packets Sent by the Mobile Node: 1056 o All the reverse tunneled packets that the local mobility anchor 1057 receives from the mobile access gateway, after removing the tunnel 1058 header MUST be routed to the destination specified in the inner 1059 packet header. These routed packets will have the source address 1060 field set to the mobile node's home address. 1062 5.6. Local Mobility Anchor Address Discovery 1064 Dynamic Home Agent Address Discovery, as explained in Section 10.5 1065 [RFC-3775], allows a mobile node to discover all the home agents on 1066 its home link by sending an ICMP Home Agent Address Discovery Request 1067 message to the Mobile IPv6 Home-Agents anycast address, derived from 1068 its home network prefix. 1070 The DHAAD message in the current form cannot be used in Proxy Mobile 1071 IPv6 for discovering the address of the mobile node's local mobility 1072 anchor. In Proxy Mobile IPv6, the local mobility anchor will not be 1073 able to receive any messages sent to the Mobile IPv6 Home-Agents 1074 anycast address corresponding to the mobile node's home network 1075 prefix, as the prefix is not hosted on any of its interfaces. 1076 Further, the mobile access gateway will not predictably be able to 1077 locate the serving local mobility anchor that has the mobile node's 1078 binding cache entry. Hence, this specification does not support 1079 Dynamic Home Agent Address Discovery protocol. 1081 In Proxy Mobile IPv6, the address of the local mobility anchor 1082 configured to serve a mobile node can be discovered by the mobility 1083 entities in other ways. This may be a configured entry in the mobile 1084 node's policy profile, or it may be obtained through mechanisms 1085 outside the scope of this document. 1087 5.7. Mobile Prefix Discovery Considerations 1089 The ICMP Mobile Prefix Advertisement message, described in Section 1090 6.8 and Section 11.4.3 of [RFC-3775], allows a home agent to send a 1091 Mobile Prefix Advertisement to the mobile node. 1093 In Proxy Mobile IPv6, the mobile node's home network prefix is hosted 1094 on the access link connected to the mobile access gateway. but it is 1095 topologically anchored on the local mobility anchor. Since, there is 1096 no physical home-link for the mobile node's home network prefix on 1097 the local mobility anchor and as the mobile node is always on the 1098 link where the prefix is hosted, any prefix change messages can just 1099 be advertised by the mobile access gateway on the access link and 1100 thus there is no applicability of this message for Proxy Mobile IPv6. 1101 Hence, this specification does not support Mobile Prefix Discovery. 1103 5.8. Route Optimizations Considerations 1105 The Route Optimization in Mobile IPv6, as defined in [RFC-3775], 1106 enables a mobile node to communicate with a corresponding node 1107 directly using its care-of address and further the Return Routability 1108 procedure enables the corresponding node to have reasonable trust 1109 that the mobile node is reachable at both its home address and 1110 care-of address. 1112 In Proxy Mobile IPv6, the mobile node is not involved in any mobility 1113 related signaling. The mobile node uses only its home address for 1114 all its communication and the Care-of address (Proxy-CoA) is not 1115 visible to the mobile node. Hence, the Return Routability procedure 1116 as defined in Mobile IPv6 cannot be used in Proxy Mobile IPv6. 1118 6. Mobile Access Gateway Operation 1120 The Proxy Mobile IPv6 protocol described in this document, introduces 1121 a new functional entity, the Mobile Access Gateway (MAG). The mobile 1122 access gateway is the entity that is responsible for detecting the 1123 mobile node's movements on its access link and sending the binding 1124 registration requests to the local mobility anchor. In essence, the 1125 mobile access gateway performs mobility management on behalf of a 1126 mobile node. 1128 The mobile access gateway is a function that typically runs on an 1129 access router. However, implementations MAY choose to split this 1130 function and run it across multiple systems. The specifics on how 1131 that is achieved or the signaling interactions between those 1132 functional entities is beyond the scope of this document. 1134 The mobile access gateway has the following key functional roles: 1136 o It is responsible for detecting the mobile node's movements on the 1137 access link and for initiating the mobility signaling with the 1138 mobile node's local mobility anchor. 1140 o Emulation of the mobile node's home link on the access link by 1141 sending Router Advertisements with the mobile node's home network 1142 prefix information. 1144 o Responsible for setting up the data path for enabling the mobile 1145 node to configure an address from its home network prefix and use 1146 it from its access link. 1148 6.1. Extensions to Binding Update List Entry Data Structure 1150 Every mobile access gateway MUST maintain a Binding Update List. 1151 Each entry in the Binding Update List represents a mobile node's 1152 mobility binding with its local mobility anchor. The Binding Update 1153 List is a conceptual data structure, described in Section 11.1 [RFC- 1154 3775]. 1156 For supporting this specification, the conceptual Binding Update List 1157 entry data structure needs be extended with the following additional 1158 fields. 1160 o The Identifier of the attached mobile node, MN-Identifier. This 1161 identifier is acquired during the mobile node's attachment to the 1162 access link or through mechanisms outside the scope of this 1163 document. 1165 o The Link-layer address of the mobile node. This address can be 1166 acquired from the received Router Solicitation messages from the 1167 mobile node or during the mobile node's attachment to the access 1168 network. 1170 o The IPv6 home network prefix of the attached mobile node. The 1171 home network prefix of the mobile node is acquired from the mobile 1172 node's local mobility anchor through the received Proxy Binding 1173 Acknowledgement messages. The IPv6 home network prefix also 1174 includes the corresponding prefix length. 1176 o The Link-local address of the mobile node on the interface 1177 attached to the access link. 1179 o The IPv6 address of the local mobility anchor serving the attached 1180 mobile node. This address is acquired from the mobile node's 1181 policy profile. 1183 o The interface identifier of the access link where the mobile node 1184 is currently attached. The interface identifier is acquired 1185 during the mobile node's attachment to the access link. 1187 o The interface identifier of the bi-directional tunnel between the 1188 mobile node's local mobility anchor and the mobile access gateway. 1189 The tunnel interface identifier is acquired during the tunnel 1190 creation. 1192 6.2. Mobile Node's Policy Profile 1194 A mobile node's policy profile contains the essential operational 1195 parameters that are required by the network entities for managing the 1196 mobile node's mobility service. These policy profiles are stored in 1197 a local or a remote policy store, the mobile access gateway and the 1198 local mobility anchor MUST be able to obtain a mobile node's policy 1199 profile. The policy profile may also be handed over to a serving 1200 mobile access gateway as part of a context transfer procedure during 1201 a handoff. The exact details on how this achieved is outside the 1202 scope of this document. However, this specification requires that a 1203 mobile access gateway serving a mobile node MUST have access to its 1204 policy profile. 1206 The following are the mandatory fields of the policy profile: 1208 o The mobile node's identifier (MN-Identifier) 1210 o The IPv6 address of the local mobility anchor (LMAA) 1212 o Supported address configuration procedures on the link (Stateful, 1213 Stateless or both) 1215 The following are the optional fields of the policy profile: 1217 o The mobile node's IPv6 home network prefix (MN-HNP) 1219 6.3. Supported Access Link Types 1221 This specification supports only point-to-point access link types and 1222 thus it assumes that the mobile node and the mobile access gateway 1223 are the only two nodes on the access link. The link is assumed to 1224 have multicast capability. This protocol may also be used on other 1225 link types, as long as the link is configured in such a way that it 1226 guarantees a point-to-point delivery between the mobile node and the 1227 mobile access gateway for all the protocol traffic. 1229 6.4. Supported Address Configuration Models 1231 A mobile node in the Proxy Mobile IPv6 domain can configure one or 1232 more IPv6 addresses on its interface using Stateless or Stateful 1233 address autoconfiguration procedures. The Router Advertisement 1234 messages sent on the access link, specify the address configuration 1235 methods permitted on that access link for that mobile node. However, 1236 the advertised flags with respect to the address configuration will 1237 be consistent for a mobile node, on any of the access links in that 1238 Proxy Mobile IPv6 domain. Typically, these configuration settings 1239 will be based on the domain wide policy or based on a policy specific 1240 to each mobile node. 1242 When stateless address autoconfiguration is supported on the link, 1243 the mobile node can generate one or more IPv6 addresses by combining 1244 the network prefix advertised on the access link with an interface 1245 identifier, using the techniques described in Stateless 1246 Autoconfiguration specification [RFC-2462] or as per Privacy 1247 extension specification [RFC-3041]. 1249 When stateful address autoconfiguration is supported on the link, the 1250 mobile node can obtain the address configuration from the DHCPv6 1251 server using DHCPv6 client protocol, as specified in DHCPv6 1252 specification [RFC-3315]. 1254 Additionally, other address configuration mechanisms specific to the 1255 access link between the mobile node and the mobile access gateway may 1256 also be used for pushing the address configuration to the mobile 1257 node. 1259 6.5. Access Authentication & Mobile Node Identification 1261 When a mobile node attaches to an access link connected to the mobile 1262 access gateway, the deployed access security protocols on that link 1263 SHOULD ensure that the network-based mobility management service is 1264 offered only after authenticating and authorizing the mobile node for 1265 that service. The exact specifics on how this is achieved or the 1266 interactions between the mobile access gateway and the access 1267 security service is outside the scope of this document. This 1268 specification goes with the stated assumption of having an 1269 established trust between the mobile node and mobile access gateway, 1270 before the protocol operation begins. 1272 6.6. Acquiring Mobile Node's Identifier 1274 All the network entities in a Proxy Mobile IPv6 domain MUST be able 1275 to identify a mobile node, using its MN-Identifier. This identifier 1276 MUST be stable across the Proxy Mobile IPv6 domain and the entities 1277 must be able to use this identifier in the signaling messages. 1278 Typically, this identifier is obtained as part of the access 1279 authentication or through other means as specified below. 1281 o The identifier of the mobile node that the mobile access gateway 1282 obtains as part of the access authentication or from the notified 1283 network attachment event, can be a temporary identifier and this 1284 identifier may also change at each re-authentication. However, 1285 the mobile access gateway MUST be able to authenticate the mobile 1286 node based on this identifier and MUST be able to obtain the MN- 1287 Identifier from the policy store, such as from the RADIUS 1288 attribute, Chargeable-User-Identifier. 1290 o The MN-Identifier that the policy store delivers to the mobile 1291 access gateway may not be the true identifier of the mobile node. 1292 However, the mobility access gateway MUST be able to use this 1293 identifier in the signaling messages exchanged with the local 1294 mobility anchor. 1296 o The mobile access gateway MUST be able identify the mobile node by 1297 its MN-Identifier and it MUST be able to associate this identity 1298 to the sender of any IPv4 or IPv6 packets on the access link. 1300 6.7. Home Network Emulation 1302 One of the key functions of a mobile access gateway is to emulate the 1303 mobile node's home network on the access link. It must ensure, the 1304 mobile node believes it is still connected to its home link or on the 1305 link where it obtained its initial address configuration after it 1306 moved into that Proxy Mobile IPv6 domain. 1308 For emulating the mobile node's home link on the access link, the 1309 mobile access gateway must be able to send Router Advertisements 1310 advertising the mobile node's home network prefix and other address 1311 configuration parameters consistent with its home link properties. 1313 Typically, the mobile access gateway learns the mobile node's home 1314 network prefix information from the received Proxy Binding 1315 Acknowledgement message or it may be obtained from the mobile node's 1316 policy profile. However, the mobile access gateway SHOULD send the 1317 Router Advertisements advertising the mobile node's home network 1318 prefix only after successfully completing the binding registration 1319 with the mobile node's local mobility anchor. 1321 6.8. Link-Local and Global Address Uniqueness 1323 A mobile node in the Proxy Mobile IPv6 domain, as it moves from one 1324 mobile access gateway to the other, it will continue to detect its 1325 home network and thus making it believe it is still on the same link. 1326 Every time the mobile node attaches to a new link, the event related 1327 to the interface state change, will trigger the mobile node to 1328 perform DAD operation on the link-local and global addresses. 1329 However, if the mobile node is DNAv6 enabled, as specified in [ID- 1330 DNAV6], it may not detect the link change due to DNAv6 optimizations 1331 and may not trigger the duplicate address detection (DAD) procedure 1332 for establishing the link-local address uniqueness on that new link. 1333 Further, if the mobile node uses an interface identifier that is not 1334 based on EUI-64 identifier, such as specified in IPv6 Stateless 1335 Autoconfiguration specification [RFC-2462], there is a possibility, 1336 with the odds of 1 to billion, of a link-local address collision 1337 between the two neighbors on that access link. 1339 One of the workarounds for this issue is to set the DNAv6 1340 configuration parameter, DNASameLinkDADFlag to TRUE and that will 1341 force the mobile node to redo DAD operation every time the interface 1342 detects a handover, even when DNAv6 does not detect a link change. 1344 However, this issues will not impact point-to-point links based on 1345 PPP session. Each time the mobile node moves and attaches to a new 1346 mobile access gateway, either the PPP session [RFC-1661] is 1347 reestablished or the PPP session may be moved as part of context 1348 transfer procedures between the old and the new mobile access 1349 gateway. 1351 When the mobile node tries to establish a PPP session with the mobile 1352 access gateway, the PPP goes through the Network layer Protocol phase 1353 and the IPv6 Control Protocol, IPCP6 [RFC-2472] gets triggered. Both 1354 the PPP peers negotiate a unique identifier using Interface- 1355 Identifier option in IPV6CP and the negotiated identifier is used for 1356 generating a unique link-local address on that link. Now, if the 1357 mobile node moves to a new mobile access gateway, the PPP session 1358 gets torn down with the old mobile access gateway and a new PPP 1359 session gets established with the new mobile access gateway, and the 1360 mobile node obtains a new link-local address. So, even if the mobile 1361 node is DNAv6 capable, the mobile node always configures a new link- 1362 local address when ever it moves to a new link. 1364 If the PPP session state is moved to the new mobile access gateway, 1365 as part of context transfer procedures that are in place, there will 1366 not be any change to the interface identifiers of the two nodes on 1367 that point-to-point change. The whole link is moved to the new 1368 mobile access gateway and there will not be any need for establishing 1369 link-local address uniqueness on that link. 1371 Alternatively, this specification allows the mobile access gateway to 1372 upload the mobile node's link-local address to the local mobility 1373 anchor using the Link-local Address option, exchanged in the binding 1374 registration messages. The mobile access gateway can learn the 1375 mobile node's link-local address, by snooping the DAD messages sent 1376 by the mobile node for establishing the link-local address uniqueness 1377 on the access link. Subsequently, at each handoff, the mobile access 1378 gateway can obtain this address from the local mobility anchor and 1379 can change its own link-local address, if it detects an address 1380 collision. 1382 This issue is not relevant to the mobile node's global address. 1383 Since, there is a unique home network prefix for each mobile node, 1384 the uniqueness for the mobile node's global address is assured on the 1385 access link. 1387 6.9. Signaling Considerations 1388 6.9.1. Binding Registrations 1390 Initial Binding Registration: 1392 o After detecting a new mobile node on its access link, the mobile 1393 access gateway must identify the mobile node and acquire its MN- 1394 Identifier. If it determines that the network-based mobility 1395 management service needs to offered to the mobile node, it MUST 1396 send a Proxy Binding Update message to the local mobility anchor. 1398 o The Proxy Binding Update message MUST have the NAI option [RFC- 1399 4283], identifying the mobile node, the Home Network Prefix 1400 option, either the Timestamp option or a valid sequence number and 1401 optionally the Link-local Address option. When Timestamp option 1402 is added to the message, the mobile access gateway MAY set the 1403 Sequence Number field to a value of a monotonically increasing 1404 counter and the local mobility anchor will ignore this field, but 1405 will return the same value in the Proxy Binding Acknowledgement 1406 message. This will be useful for matching the reply to the 1407 request message. 1409 o The Home Address option MUST not be present in the Destination 1410 Option extension header of the Proxy Binding Update message. 1412 o If the mobile access gateway learns the mobile node's home network 1413 prefix either from its policy store or from other means, the 1414 mobile access gateway MAY choose to specify the same in the Home 1415 Network Prefix option for requesting the local mobility anchor to 1416 allocate that prefix. If the specified value is 0::/0, then the 1417 local mobility anchor will consider this as a request for prefix 1418 allocation. 1420 Receiving Binding Registration Reply: 1422 o The mobile access gateway MUST observe the rules described in 1423 Section 9.2 [RFC-3775] when processing Mobility Headers in the 1424 received Proxy Binding Acknowledgement message. 1426 o The message MUST be authenticated as described in Section 4.0. 1427 The SPI in the IPSec header [RFC-4306] of the received packet must 1428 be used for locating the security association needed for 1429 authenticating the message. 1431 o The mobile access gateway MUST apply the considerations specified 1432 in Section 5.4, for processing the Sequence Number field and the 1433 Timestamp option, in the message. 1435 o The mobile access gateway MUST ignore any checks, specified in 1436 [RFC-3775] related to the presence of Type 2 Routing header in the 1437 Proxy Binding Acknowledgement message. 1439 o If the Timestamp option is present in the received Proxy Binding 1440 Acknowledgement message and with the Status field value set to any 1441 value other than TIMESTAMP_MISMATCH (Invalid Timestamp), the 1442 mobile access gateway MAY use the timestamp value for matching the 1443 response to the request message that it sent recently. For all 1444 other cases, it MAY use the sequence number in combination with 1445 the identifier present in the NAI option for matching the response 1446 to the request. 1448 o If the received Proxy Binding Acknowledgement message has the 1449 Status field value set to PROXY_REG_NOT_ENABLED (Proxy 1450 registration not enabled for the mobile node), the mobile access 1451 gateway SHOULD not send binding registration requests again for 1452 that mobile node. It must also deny the mobility service to that 1453 mobile node. 1455 o If the received Proxy Binding Acknowledgement message has the 1456 Status field value set to TIMESTAMP_MISMATCH (Invalid Timestamp), 1457 the mobile access gateway SHOULD try to register again only after 1458 it synchronized its clock to a common time source that is used by 1459 all the mobility entities in that domain for their clock 1460 synchronization. The mobile access gateway SHOULD NOT synchronize 1461 its clock to the local mobility anchor's system clock, based on 1462 the timestamp present in the received message. 1464 o If the received Proxy Binding Acknowledgement message has the 1465 Status field value set to NOT_AUTHORIZED_FOR_HOME_NETWORK_PREFIX 1466 (Not authorized for that prefix), the mobile access gateway SHOULD 1467 try to request for that prefix in the binding registration 1468 request, only after it learned the validity of that prefix. 1470 o If the received Proxy Binding Acknowledgement message has the 1471 Status field value set to any value greater than 128 (i.e., the 1472 binding is rejected), the mobile access gateway MUST NOT advertise 1473 the mobile node's home network prefix in the Router Advertisements 1474 sent on that access link and there by denying mobility service to 1475 the mobile node. 1477 o If the received Proxy Binding Acknowledgement message has the 1478 Status field value set to 0 (Proxy Binding Update accepted), the 1479 mobile access gateway MUST create Binding Update List entry for 1480 the mobile node and must setup a tunnel to the mobile node's local 1481 mobility anchor, as explained in section 6.10. 1483 o If the received Proxy Binding Acknowledgement message has the 1484 address in the Link-local Address option set to a value that 1485 matches its own link-local address on that access interface where 1486 the mobile node is anchored, the mobile access gateway MUST change 1487 its link-local address on that interface. 1489 Binding Re-Registration: 1491 o For extending the lifetime of a currently existing binding at the 1492 local mobility, the mobile access gateway MUST send a Proxy 1493 Binding Update message to the local mobility anchor. The prefix 1494 value in the Home Network Prefix option present in the request 1495 SHOULD be set to the currently registered home network prefix and 1496 the value in the Link-local Address option may be set to ALL_ZERO 1497 or to the link-local address of the mobile node. 1499 Binding De-Registration: 1501 o At any point, the mobile access gateway detects that the mobile 1502 node has moved away from its access link, it MUST send a Proxy 1503 Binding Update message to the local mobility anchor with the 1504 lifetime value set to zero. 1506 o Either upon receipt of a Proxy Binding Acknowledgement message 1507 from the local mobility anchor or after a certain timeout waiting 1508 for the reply, the mobile access gateway MUST remove the binding 1509 entry for that mobile node from its Binding Update List and 1510 withdraw the mobile node's home network prefix as the hosted on- 1511 link prefix on that access link. 1513 Constructing the Proxy Binding Update Message: 1515 o The mobile access gateway when sending the Proxy Binding Update 1516 request to the local mobility anchor MUST construct the message as 1517 specified below. 1519 IPv6 header (src=Proxy-CoA, dst=LMAA) 1520 Mobility header 1521 -BU /*P & A flags are set*/ 1522 Mobility Options 1523 - Home Network Prefix option 1524 - Link-local Address option (Optional) 1525 - Timestamp Option (optional) 1526 - NAI Option 1528 Proxy Binding Update message format 1530 o The Source Address field in the IPv6 header of the message SHOULD 1531 be set to the address of the mobile access gateway. 1533 o The Destination Address field in the IPv6 header of the message 1534 SHOULD be set to the local mobility anchor address. 1536 o The Home Network Prefix option MUST be present. The prefix value 1537 may be set 0::/0 or to a specific prefix value. 1539 o The Link-local Address option MAY be present. The value may be 1540 set to ALL_ZERO or the mobile node's link-local address. 1542 o Considerations from Section 5.4 must be applied for constructing 1543 the Timestamp option. 1545 o The NAI option [RFC-4283] MUST be present, the identifier field in 1546 the option MUST be set to mobile node's identifier, MN-Identifier. 1548 o The message MUST be protected by using IPsec, using the security 1549 association existing between the local mobility anchor and the 1550 mobile access gateway. 1552 6.9.2. Router Solicitation Messages 1554 The mobile node sends a Router Solicitation message on the access 1555 link when ever the link-layer detects a media change. The Source 1556 Address in the IPv6 header of the Router Solicitation message may 1557 either be the link-local address of the mobile node or an unspecified 1558 address (::). 1560 o The mobile access gateway on receiving the Router Solicitation 1561 message SHOULD send a Router Advertisement containing the mobile 1562 node's home network prefix as the on-link prefix. However, before 1563 sending the Router Advertisement message containing the mobile 1564 node's home network prefix, it SHOULD complete the binding 1565 registration process with the mobile node's local mobility anchor. 1567 o If the local mobility anchor rejects the binding registration 1568 request, or, if the mobile access gateway failed to complete the 1569 binding registration process for what ever reasons, the mobile 1570 access gateway MUST NOT advertise the mobile node's home network 1571 prefix in the Router Advertisement messages that it sends on the 1572 access link. However, it MAY choose to advertise a local visitor 1573 network prefix to enable the mobile node for simple IPv6 access. 1575 6.9.3. Retransmissions and Rate Limiting 1577 The mobile access gateway is responsible for retransmissions and rate 1578 limiting the binding registration requests that it sends for updating 1579 a mobile node's binding. Implementations MUST follow the below 1580 guidelines. 1582 o When the mobile access gateway sends a Proxy Binding Update 1583 request, it should use the constant, INITIAL_BINDINGACK_TIMEOUT 1584 [RFC-3775], for configuring the retransmission timer. 1586 o If the mobile access gateway fails to receive a valid matching 1587 response within the retransmission interval, it SHOULD retransmit 1588 the message until a response is received. 1590 o As specified in Section 11.8 [RFC-3775], the mobile access gateway 1591 MUST use an exponential back-off process in which the timeout 1592 period is doubled upon each retransmission, until either the node 1593 receives a response or the timeout period reaches the value 1594 MAX_BINDACK_TIMEOUT [RFC-3775]. The mobile access gateway MAY 1595 continue to send these messages at this slower rate indefinitely. 1597 o If Timestamp based scheme is in use, the retransmitted Proxy 1598 Binding Update messages MUST use the latest timestamp. If 1599 Sequence number scheme is in use, the retransmitted Proxy Binding 1600 Update messages MUST use a Sequence Number value greater than that 1601 used for the previous transmission of this Proxy Binding Update 1602 message, just as specified in [RFC-3775]. 1604 6.10. Routing Considerations 1606 This section describes how the mobile access gateway handles the 1607 traffic to/from the mobile node that is attached to one of its access 1608 interface. 1610 Proxy-CoA LMAA 1611 | | 1612 +--+ +---+ +---+ +--+ 1613 |MN|----------|MAG|======================|LMA|----------|CN| 1614 +--+ +---+ +---+ +--+ 1615 IPv6 Tunnel 1617 6.10.1. Transport Network 1619 The transport network between the local mobility anchor and the 1620 mobile access can be either an IPv6 or IPv4 network. However, this 1621 specification only deals with the IPv6 transport and the companion 1622 document [ID-IPV4-PMIP6] specifies the required extensions for 1623 negotiating IPv4 transport and the corresponding encapsulation mode, 1624 for supporting this protocol operation. 1626 6.10.2. Tunneling & Encapsulation Modes 1628 The IPv6 address that a mobile node uses from its home network prefix 1629 is topologically anchored at the local mobility anchor. For a mobile 1630 node to use this address from an access network attached to a mobile 1631 access gateway, proper tunneling techniques have to be in place. 1632 Tunneling hides the network topology and allows the mobile node's 1633 IPv6 datagrams to be encapsulated as a payload of another IPv6 packet 1634 and be routed between the local mobility anchor and the mobile access 1635 gateway. The Mobile IPv6 base specification [RFC-3775] defines the 1636 use of IPv6-over-IPv6 tunneling, between the home agent and the 1637 mobile node and this specification extends the use of the same 1638 tunneling mechanism between the local mobility anchor and the mobile 1639 access gateway. 1641 On most operating systems, tunnels are implemented as a virtual 1642 point-to-point interface. The source and the destination address of 1643 the two end points of this virtual interface along with the 1644 encapsulation mode are specified for this virtual interface. Any 1645 packet that is routed over this interface, get encapsulated with the 1646 outer header and the addresses as specified for that point to point 1647 tunnel interface. For creating a point to point tunnel to any local 1648 mobility anchor, the mobile access gateway may implement a tunnel 1649 interface with the source address field set to its Proxy-CoA address 1650 and the destination address field set to the LMA address. 1652 The following are the supported packet encapsulation modes that can 1653 be used by the mobile access gateway and the local mobility anchor 1654 for routing mobile node's IPv6 datagrams. 1656 o IPv6-In-IPv6 - IPv6 datagram encapsulated in an IPv6 packet [RFC- 1657 2473]. 1659 o IPv6-In-IPv4 - IPv6 datagram encapsulation in an IPv4 packet. The 1660 details on how this mode is negotiated is specified in [ID-IPV4- 1661 PMIP6]. 1663 o IPv6-In-IPv4-UDP - IPv6 datagram encapsulation in an IPv4 UDP 1664 packet. This mode is specified in [ID-IPV4-PMIP6]. 1666 6.10.3. Routing State 1668 The following section explains the routing state for a mobile node on 1669 the mobile access gateway. This routing state reflects only one 1670 specific way of implementation and one MAY choose to implement it in 1671 other ways. The policy based route defined below acts as a traffic 1672 selection rule for routing a mobile node's traffic through a specific 1673 tunnel created between the mobile access gateway and that mobile 1674 node's local mobility anchor and with the specific encapsulation 1675 mode, as negotiated. 1677 The below example identifies the routing state for two visiting 1678 mobile nodes, MN1 and MN2 with their respective local mobility 1679 anchors LMA1 and LMA2. 1681 For all traffic from the mobile node, identified by the mobile node's 1682 MAC address, ingress interface or source prefix (MN-HNP) to 1683 _ANY_DESTINATION_ route via interface tunnel0, next-hop LMAA. 1685 +==================================================================+ 1686 | Packet Source | Destination Address | Destination Interface | 1687 +==================================================================+ 1688 | MAC_Address_MN1, | _ANY_DESTINATION_ | Tunnel0 | 1689 | (IPv6 Prefix or |----------------------------------------------| 1690 | Input Interface) | Locally Connected | Tunnel0 | 1691 +------------------------------------------------------------------+ 1692 | MAC_Address_MN2, | _ANY_DESTINATION_ | Tunnel1 | 1693 + (IPv6 Prefix or -----------------------------------------------| 1694 | Input Interface | Locally Connected | direct | 1695 +------------------------------------------------------------------+ 1697 Example - Policy based Route Table 1699 +==================================================================+ 1700 | Interface | Source Address | Destination Address | Encapsulation | 1701 +==================================================================+ 1702 | Tunnel0 | Proxy-CoA | LMAA1 | IPv6-in-IPv6 | 1703 +------------------------------------------------------------------+ 1704 | Tunnel1 |IPv4-Proxy-CoA | IPv4-LMA2 | IPv6-in-IPv4 | 1705 +------------------------------------------------------------------+ 1707 Example - Tunnel Interface Table 1709 6.10.4. Local Routing 1711 If there is data traffic between a visiting mobile node and a 1712 corresponding node that is locally attached to an access link 1713 connected to the mobile access gateway, the mobile access gateway MAY 1714 optimize on the delivery efforts by locally routing the packets and 1715 by not reverse tunneling them to the mobile node's local mobility 1716 anchor. However, this has an implication on the mobile node's 1717 accounting and policy enforcement as the local mobility anchor is not 1718 in the path for that traffic and it will not be able to apply any 1719 traffic policies or do any accounting for those flows. 1721 This decision of path optimization SHOULD be based on the configured 1722 policy configured on the mobile access gateway, but enforced by the 1723 mobile node's local mobility anchor. The specific details on how 1724 this is achieved is beyond of the scope of this document. 1726 6.10.5. Tunnel Management 1728 All the considerations mentioned in Section 5.5.1, for the tunnel 1729 management on the local mobility anchor apply for the mobile access 1730 gateway as well. 1732 6.10.6. Forwarding Rules 1734 Forwarding Packets sent to the Mobile Node's Home Network: 1736 o On receiving a packet from the bi-directional tunnel established 1737 with the mobile node's local mobility anchor, the mobile access 1738 gateway MUST use the destination address of the inner packet for 1739 forwarding it on the interface where the destination network 1740 prefix is hosted. The mobile access gateway MUST remove the outer 1741 header before forwarding the packet. If the mobile access gateway 1742 cannot find the connected interface for that destination address, 1743 it MUST silently drop the packet. For reporting an error in such 1744 scenario, in the form of ICMP control message, the considerations 1745 from Generic Packet Tunneling specification [RFC-2473] must be 1746 applied. 1748 o On receiving a packet from a corresponding node that is locally 1749 connected, to the mobile node that is on the access link, the 1750 mobile access gateway MUST check the configuration variable, 1751 EnableMAGLocalRouting, to ensure the mobile access gateway is 1752 allowed to route the packet directly to the mobile node. If the 1753 mobile access gateway is not allowed to route the packet directly, 1754 it MUST route the packet through the bi-directional tunnel 1755 established between itself and the mobile node's local mobility 1756 anchor. Otherwise, it can route the packet directly to the mobile 1757 node. 1759 Forwarding Packets Sent by the Mobile Node: 1761 o On receiving a packet from a mobile node connected to its access 1762 link, the mobile access gateway MUST ensure that there is an 1763 established binding for that mobile node with its local mobility 1764 anchor before forwarding the packet directly to the destination or 1765 before tunneling the packet to the mobile node's local mobility 1766 anchor. 1768 o On receiving a packet from a mobile node connected to its access 1769 link, to a destination that is locally connected, the mobile 1770 access gateway MUST check the configuration variable, 1771 EnableMAGLocalRouting, to ensure the mobile access gateway is 1772 allowed to route the packet directly to the destination. If the 1773 mobile access gateway is not allowed to route the packet directly, 1774 it MUST route the packet through the bi-directional tunnel 1775 established between itself and the mobile node's local mobility 1776 anchor. Otherwise, it can route the packet directly to the 1777 destination. 1779 o On receiving a packet from the mobile node connected to its access 1780 link, to a destination that is not directly connected, the packet 1781 MUST be forwarded to the local mobility anchor through the bi- 1782 directional tunnel established between itself and the mobile 1783 node's local mobility anchor. However, the packets that are sent 1784 with the link-local source address MUST NOT be forwarded. The 1785 format of the tunneled packet is shown below. However, when using 1786 IPv4 transport, the format of the tunneled packet is as described 1787 in [ID-IPV4-PMIP6]. 1789 IPv6 header (src= Proxy-CoA, dst= LMAA /* Tunnel Header */ 1790 IPv6 header (src= MN-HoA, dst= CN ) /* Packet Header */ 1791 Upper layer protocols /* Packet Content*/ 1793 Figure 12: Tunneled Packets from MAG to LMA 1795 6.11. Interaction with DHCP Relay Agent 1797 If Stateful Address Configuration using DHCP is supported on the link 1798 where the mobile node is attached, the DHCP relay agent [RFC-3315] 1799 needs to be configured on that access link. 1801 When the mobile node sends a DHCPv6 Request message, the DHCP relay 1802 agent function on the access link will set the link-address field in 1803 the DHCPv6 message to the mobile node's home network prefix, so as to 1804 provide a prefix hint to the DHCP Server for the address pool 1805 selection. 1807 6.12. Home Network Prefix Renumbering 1809 If the mobile node's home network prefix gets renumbered or becomes 1810 invalid during the middle of a mobility session, the mobile access 1811 gateway MUST withdraw the prefix by sending a Router Advertisement on 1812 the access link with zero prefix lifetime for the mobile node's home 1813 network prefix. Also, the local mobility anchor and the mobile 1814 access gateway MUST delete the routing state for that prefix. 1815 However, the specific details on how the local mobility anchor 1816 notifies the mobile access gateway about the mobile node's home 1817 network prefix renumbering is outside the scope of this document. 1819 6.13. Mobile Node Detachment Detection and Resource Cleanup 1821 Before sending a Proxy Binding Update message to the local mobility 1822 anchor for extending the lifetime of a currently existing binding of 1823 a mobile node, the mobile access gateway MUST make sure the mobile 1824 node is still attached to the connected link by using some reliable 1825 method. If the mobile access gateway cannot predictably detect the 1826 presence of the mobile node on the connected link, it MUST NOT 1827 attempt to extend the registration lifetime of the mobile node. 1828 Further, in such scenario, the mobile access gateway SHOULD terminate 1829 the binding of the mobile node by sending a Proxy Binding Update 1830 message to the mobile node's local mobility anchor with lifetime 1831 value set to 0. It MUST also remove any local state such as the 1832 Binding Update List created for that mobile node. 1834 The specific detection mechanism of the loss of a visiting mobile 1835 node on the connected link is specific to the access link between the 1836 mobile node and the mobile access gateway and is outside the scope of 1837 this document. Typically, there are various link-layer specific 1838 events specific to each access technology that the mobile access 1839 gateway can depend on for detecting the node loss. In general, the 1840 mobile access gateway can depend on one or more of the following 1841 methods for the detection presence of the mobile node on the 1842 connected link: 1844 o Link-layer event specific to the access technology 1846 o PPP Session termination event on point-to-point link types 1848 o IPv6 Neighbor Unreachability Detection event from IPv6 stack 1849 o Notification event from the local mobility anchor 1851 o Absence of data traffic from the mobile node on the link for a 1852 certain duration of time 1854 6.14. Allowing network access to other IPv6 nodes 1856 In some Proxy Mobile IPv6 deployments, network operators may want to 1857 provision the mobile access gateway to offer network-based mobility 1858 management service only to some visiting mobile nodes and enable just 1859 regular IP access to some other nodes. This requires the network to 1860 have control on when to enable network-based mobility management 1861 service to a mobile node and when to enable regular IPv6 access. 1862 This specification does not disallow such configuration. 1864 Upon detecting a mobile node on its access link and after policy 1865 considerations, the mobile access gateway MUST determine if network- 1866 based mobility management service should be offered to that mobile 1867 node. This decision may also be influenced by the mobile node's 1868 host-based mobility capabilities and preferences. This may be 1869 negotiated using link-layer message exchange or through other means 1870 outside the scope of this specification. If the mobile node is 1871 entitled for network-based mobility management service, then the 1872 mobile access gateway must ensure the mobile node believes it is on 1873 its home link, as explained in various sections of this 1874 specification. 1876 If the mobile node is not entitled for the network-based mobility 1877 management service, as determined from the policy considerations, the 1878 mobile access gateway MAY choose to offer regular IPv6 access to the 1879 mobile node and in such scenario the normal IPv6 considerations 1880 apply. If IPv6 access is enabled, the mobile node SHOULD be able to 1881 obtain an IPv6 address using normal IPv6 address configuration 1882 procedures. The obtained address must be from a local visitor 1883 network prefix. This essentially ensures, the mobile access gateway 1884 functions as a normal access router to a mobile node attached to its 1885 access link and with out impacting its host-based mobility protocol 1886 operation. 1888 7. Mobile Node Operation 1890 This non-normative section explains the mobile node's operation in a 1891 Proxy Mobile IPv6 domain. 1893 7.1. Moving into a Proxy Mobile IPv6 Domain 1895 Once a mobile node enters a Proxy Mobile IPv6 domain and attaches to 1896 an access network, the mobile access gateway on the access link 1897 detects the attachment of the mobile node and completes the binding 1898 registration with the mobile node's local mobility anchor. If the 1899 binding update operation is successfully performed, the mobile access 1900 gateway will create the required state and setup the data path for 1901 the mobile node's data traffic. 1903 If the mobile node is IPv6 enabled, on attaching to the access link, 1904 it will typically send Router Solicitation message [RFC-2461]. The 1905 mobile access gateway on the access link will respond to the Router 1906 Solicitation message with a Router Advertisement. The Router 1907 Advertisement will have the mobile node's home network prefix, 1908 default-router address and other address configuration parameters. 1910 If the mobile access gateway on the access link, receives a Router 1911 Solicitation message from the mobile node, before it completed the 1912 signaling with the mobile node's local mobility anchor, the mobile 1913 access gateway may not know the mobile node's home network prefix and 1914 may not be able to emulate the mobile node's home link on the access 1915 link. In such scenario, the mobile node may notice a slight delay 1916 before it receives a Router Advertisement message. 1918 If the received Router Advertisement has the Managed Address 1919 Configuration flag set, the mobile node, as it would normally do, 1920 will send a DHCPv6 Request [RFC-3315]. The DHCP relay service 1921 enabled on that access link will ensure the mobile node will obtain 1922 its IPv6 address as a lease from its home network prefix. 1924 If the received Router Advertisement does not have the Managed 1925 Address Configuration flag set and if the mobile node is allowed to 1926 use an autoconfigured address, the mobile node will be able to obtain 1927 an IPv6 address using an interface identifier generated as per the 1928 Autoconf specification [RFC-2462] or as per the Privacy Extensions 1929 specification [RFC-3041]. 1931 If the mobile node is IPv4 enabled and if the network permits, it 1932 will be able to obtain the IPv4 address configuration for the 1933 connected interface by using DHCP [RFC-2131]. The details related to 1934 IPv4 support is specified in the companion document [ID-IPV4-PMIP6]. 1936 Once the address configuration is complete, the mobile node can 1937 continue to use this address configuration as long as it is attached 1938 to the network that is in the scope of that Proxy Mobile IPv6 domain. 1940 7.2. Roaming in the Proxy Mobile IPv6 Domain 1942 After obtaining the address configuration in the Proxy Mobile IPv6 1943 domain, as the mobile node moves and changes its point of attachment 1944 from one mobile access gateway to the other, it can still continue to 1945 use the same address configuration. As long as the attached access 1946 network is in the scope of that Proxy Mobile IPv6 domain, the mobile 1947 node will always detect the same link, where it obtained its initial 1948 address configuration. If the mobile node performs DHCP operation, 1949 it will always obtain the same address as before. 1951 However, the mobile node will always detect a new default-router on 1952 each connected link, but still advertising the mobile node's home 1953 network prefix as the on-link prefix and with the other configuration 1954 parameters consistent with its home link properties. 1956 7.3. IPv6 Host Protocol Parameters 1958 This specification does not require any changes to the mobile node's 1959 IP stack. It assumes the mobile node to be a normal IPv4/IPv6 node, 1960 with its protocol operation consistent with the respective 1961 specifications. 1963 However, this specification recommends that the following IPv6 1964 operating parameters on the mobile node be adjusted to the below 1965 recommended values for protocol efficiency and for achieving faster 1966 hand-offs. 1968 Lower Default-Router List Cache Time-out: 1970 As per the base IPv6 specification [RFC-2461], each IPv6 host is 1971 required to maintain certain host data structures including a 1972 Default-Router list. This is the list of on-link routers that have 1973 sent Router Advertisement messages and are eligible to be default 1974 routers on that link. The Router Lifetime field in the received 1975 Router Advertisement defines the life of this entry. 1977 In case of Proxy Mobile IPv6, when a mobile node moves from one link 1978 to another, the source address of the received Router Advertisement 1979 messages advertising the mobile node's home network prefix will be 1980 from a different link-local address and thus making the mobile node 1981 believe that there is a new default-router on the link. It is 1982 important that the mobile node uses the newly learnt default-router 1983 and not the previously known default-router. The mobile node must 1984 update its default-router list with the new default router entry and 1985 must age out the previously learnt default router entry from its 1986 cache, just as specified in Section 6.3.5 [RFC-2461]. This action is 1987 critical for minimizing packet losses during a hand off switch. 1989 On detecting a reachability problem, the mobile node will certainly 1990 detect the default-router loss by performing the Neighbor 1991 Unreachability Detection procedure, but it is important that the 1992 mobile node times out the previous default router entry at the 1993 earliest. If a given IPv6 host implementation has the provision to 1994 adjust these flush timers, still conforming to the base IPv6 ND 1995 specification, it is desirable to keep the flush-timers to suit the 1996 above consideration. 1998 In access network where SEND [RFC-3971] is not deployed, the mobile 1999 access gateway may withdraw the previous default-router entry, by 2000 sending a Router Advertisement using the link-local address that of 2001 the previous mobile access gateway and with the Router Lifetime field 2002 set to value 0, then this will force the flush of the Previous 2003 Default-Router entry from the mobile node's cache. This certainly 2004 requires context-transfer mechanisms in place for notifying the link- 2005 local address of the default-router on the previous link to the 2006 mobile access gateway on the new link. 2008 There are other solutions possible for this problem, including the 2009 assignment of a fixed link-local address for all the mobile access 2010 gateways in a Proxy Mobile IPv6 domain and where SEND [RFC-3971] is 2011 not deployed. In such scenario, the mobile node is not required to 2012 update the default-router entry. However, this is an implementation 2013 choice and has no bearing on the protocol interoperability. 2014 Implementations are free to adopt the best approach that suits their 2015 target deployments. 2017 8. Message Formats 2019 This section defines extensions to the Mobile IPv6 [RFC-3775] 2020 protocol messages. 2022 8.1. Proxy Binding Update Message 2024 0 1 2 3 2025 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2026 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2027 | Sequence # | 2028 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2029 |A|H|L|K|M|R|P| Reserved | Lifetime | 2030 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2031 | | 2032 . . 2033 . Mobility options . 2034 . . 2036 | | 2037 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2039 Figure 13: Proxy Binding Update Message 2041 A Binding Update message that is sent by a mobile access gateway to a 2042 local mobility anchor is referred to as the "Proxy Binding Update" 2043 message. A new flag (P) is included in the Binding Update message. 2044 The rest of the Binding Update message format remains the same as 2045 defined in [RFC-3775]. 2047 Proxy Registration Flag (P) 2049 A new flag (P) is included in the Binding Update message to 2050 indicate to the local mobility anchor that the Binding Update 2051 message is a proxy registration. The flag MUST be set to the 2052 value of 1 for proxy registrations and MUST be set to 0 for direct 2053 registrations sent by a mobile node. 2055 Mobility Options 2057 Variable-length field of such length that the complete Mobility 2058 Header is an integer multiple of 8 octets long. This field 2059 contains zero or more TLV-encoded mobility options. The encoding 2060 and format of defined options are described in Section 6.2 [RFC- 2061 3775]. The local mobility anchor MUST ignore and skip any options 2062 which it does not understand. 2064 As per this specification, the following mobility options are 2065 valid in a Proxy Binding Update message: 2067 Home Network Prefix option 2069 Link-local Address option 2071 NAI Option 2073 Timestamp option 2075 For descriptions of other fields present in this message, refer to 2076 section 6.1.7 [RFC-3775]. 2078 8.2. Proxy Binding Acknowledgement Message 2080 0 1 2 3 2081 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2082 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2083 | Status |K|R|P|Reserved | 2084 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2085 | Sequence # | Lifetime | 2086 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2087 | | 2088 . . 2089 . Mobility options . 2090 . . 2091 | | 2092 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2094 Figure 14: Proxy Binding Acknowledgement Message 2096 A Binding Acknowledgement message that is sent by a local mobility 2097 anchor to a mobile access gateway is referred to as the "Proxy 2098 Binding Acknowledgement" message. A new flag (P) is included in the 2099 Binding Acknowledgement message. The rest of the Binding 2100 Acknowledgement message format remains the same as defined in [RFC- 2101 3775]. 2103 Proxy Registration Flag (P) 2104 A new flag (P) is included in the Binding Acknowledgement message 2105 to indicate that the local mobility anchor that processed the 2106 corresponding Proxy Binding Update message supports proxy 2107 registrations. The flag is set only if the corresponding Proxy 2108 Binding Update had the Proxy Registration Flag (P) set to value of 2109 1. 2111 Mobility Options 2113 Variable-length field of such length that the complete Mobility 2114 Header is an integer multiple of 8 octets long. This field 2115 contains zero or more TLV-encoded mobility options. The encoding 2116 and format of defined options are described in Section 6.2 [RFC- 2117 3775]. The mobile access gateway MUST ignore and skip any options 2118 which it does not understand. 2120 As per this specification, the following mobility options are 2121 valid in a Proxy Binding Acknowledgement message: 2123 Home Network Prefix option 2125 Link-local Address option 2127 NAI Option 2129 Timestamp option 2131 Status 2133 8-bit unsigned integer indicating the disposition of the Proxy 2134 Binding Update. Values of the Status field less than 128 indicate 2135 that the Proxy Binding Update was accepted by the local mobility 2136 anchor. Values greater than or equal to 128 indicate that the 2137 binding registration was rejected by the local mobility anchor. 2138 Section 8.6 defines the Status values that can used in Proxy 2139 Binding Acknowledgement message. 2141 For descriptions of other fields present in this message, refer to 2142 the section 6.1.8 [RFC-3775]. 2144 8.3. Home Network Prefix Option 2146 A new option, Home Network Prefix Option is defined for using it in 2147 the Proxy Binding Update and Proxy Binding Acknowledgement messages 2148 exchanged between a local mobility anchor and a mobile access 2149 gateway. This option is used for exchanging the mobile node's home 2150 network prefix information. 2152 The Home Network Prefix Option has an alignment requirement of 8n+4. 2153 Its format is as follows: 2155 0 1 2 3 2156 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2157 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2158 | Type | Length | Reserved | Prefix Length | 2159 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2160 | | 2161 + + 2162 | | 2163 + Home Network Prefix + 2164 | | 2165 + + 2166 | | 2167 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2169 Type 2170 2172 Length 2174 8-bit unsigned integer indicating the length of the option 2175 in octets, excluding the type and length fields. This field 2176 MUST be set to 18. 2178 Reserved 2180 This field is unused for now. The value MUST be initialized 2181 to 0 by the sender and MUST be ignored by the receiver. 2183 Prefix Length 2185 8-bit unsigned integer indicating the prefix length of the 2186 IPv6 prefix contained in the option. 2188 Home Network Prefix 2190 A sixteen-byte field containing the mobile node's IPv6 Home 2191 Network Prefix. 2193 Figure 15: Home Network Prefix Option 2195 8.4. Link-local Address Option 2197 A new option, Link-local Address Option is defined for using it in 2198 the Proxy Binding Update and Proxy Binding Acknowledgement messages 2199 exchanged between a local mobility anchor and a mobile access 2200 gateway. This option is used for exchanging the mobile node's link- 2201 local address. 2203 The Link-local Address option has an alignment requirement of 8n+6. 2204 Its format is as follows: 2206 0 1 2 3 2207 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2208 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2209 | Type | Length | 2210 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2211 | | 2212 + + 2213 | | 2214 + Link-local Address + 2215 | | 2216 + + 2217 | | 2218 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2220 Type 2221 2223 Length 2225 8-bit unsigned integer indicating the length of the option 2226 in octets, excluding the type and length fields. This field 2227 MUST be set to 16. 2229 Link-local Address 2231 A sixteen-byte field containing the mobile node's link-local 2232 address. 2234 Figure 16: Link-local Address Option 2236 8.5. Timestamp Option 2238 A new option, Timestamp Option is defined for use in the Proxy 2239 Binding Update and Proxy Binding Acknowledgement messages. 2241 The Timestamp option has an alignment requirement of 8n+2. Its 2242 format is as follows: 2244 0 1 2 3 2245 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2246 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2247 | Option Type | Option Length | 2248 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2249 | | 2250 + Timestamp + 2251 | | 2252 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2254 Type 2255 2257 Length 2259 8-bit unsigned integer indicating the length in octets of 2260 the option, excluding the type and length fields. The value 2261 for this field MUST be set to 8. 2263 Timestamp 2265 A 64-bit unsigned integer field containing a timestamp. The value 2266 indicates the number of seconds since January 1, 1970, 00:00 UTC, 2267 by using a fixed point format. In this format, the integer number 2268 of seconds is contained in the first 48 bits of the field, and the 2269 remaining 16 bits indicate the number of 1/64K fractions of a 2270 second. 2272 Figure 17: Timestamp Option 2274 8.6. Status Values 2276 This document defines the following new Status values for use in 2277 Proxy Binding Acknowledgement message. These values are to be 2278 allocated from the same number space, as defined in Section 6.1.8 2279 [RFC-3775]. 2281 Status values less than 128 indicate that the Proxy Binding Update 2282 was processed successfully by the local mobility anchor. Status 2283 values greater than 128 indicate that the Proxy Binding Update was 2284 rejected by the local mobility anchor. 2286 PROXY_REG_NOT_ENABLED: 2288 Proxy Registration not enabled for the mobile node. 2290 MAG_NOT_AUTHORIZED_FOR_PROXY_REG: 2292 The mobile access gateway is not authorized to send proxy binding. 2293 updates. 2295 NOT_AUTHORIZED_FOR_HOME_NETWORK_PREFIX 2297 The mobile node is not authorized for the requesting home network 2298 prefix. 2300 TIMESTAMP_MISMATCH: 2302 Invalid Timestamp value in the received Proxy Binding Update 2303 message. 2305 MISSING_MN_IDENTIFIER_OPTION: 2307 Missing mobile node identifier in the Proxy Binding Update 2308 message. 2310 Additionally, the following Status values defined in [RFC-3775] can 2311 also be used in Proxy Binding Acknowledgement message. 2313 0 Proxy Binding Update accepted 2315 128 Reason unspecified 2317 129 Administratively prohibited 2319 130 Insufficient resources 2320 133 Not local mobility anchor for this mobile node 2322 9. Protocol Configuration Variables 2324 The mobile access gateway MUST allow the following variables to be 2325 configured by the system management. 2327 EnableMAGLocalrouting 2329 This flag indicates whether or not the mobile access gateway is 2330 allowed to enable local routing of the traffic exchanged between a 2331 visiting mobile node and a corresponding node that is locally 2332 connected to one of the interfaces of the mobile access gateway. 2333 The corresponding node can be another visiting mobile node as 2334 well, or a local fixed node. 2336 The default value for this flag is set to "FALSE", indicating that 2337 the mobile access gateway MUST reverse tunnel all the traffic to 2338 the mobile node's local mobility anchor. 2340 When the value of this flag is set to "TRUE", the mobile access 2341 gateway MUST route the traffic locally. 2343 This aspect of local routing MAY be defined as policy on a per 2344 mobile basis and when present will take precedence over this flag. 2346 The local mobility anchor MUST allow the following variables to be 2347 configured by the system management. 2349 MinDelayBeforeBCEDelete 2351 This variable specifies the amount of time in milliseconds the 2352 local mobility anchor MUST wait before it deletes a Binding Cache 2353 entry of a mobile node, upon receiving a Proxy Binding Update 2354 message from a mobile access gateway with a lifetime value of 0. 2355 During this wait time, if the local mobility anchor receives a 2356 Proxy Binding Update for the same mobile node, identified by its 2357 MN-Identifier, with lifetime value greater than 0, then it must 2358 update the binding cache entry with the accepted binding values. 2359 At the end of this wait-time, if the local mobility anchor did not 2360 receive any valid Proxy Binding Update message, it MUST delete the 2361 Binding Cache entry for that mobile node. 2363 The default value for this variable is 1000 milliseconds. 2365 10. IANA Considerations 2367 This document defines a three new Mobility Header Options, the Home 2368 Network Prefix option, Link-local Address option and the Timestamp 2369 option. These options are described in Sections 8.3, 8.4 and 8.5 2370 respectively. The Type value for these options needs to be assigned 2371 from the same numbering space as allocated for the other mobility 2372 options, as defined in [RFC-3775]. 2374 This document also defines new Binding Acknowledgement status values 2375 as described in Section 8.6. The status values MUST be assigned from 2376 the same number space used for Binding Acknowledgement status values, 2377 as defined in [RFC-3775]. The allocated values for each of these 2378 status values MUST be greater than 128. 2380 11. Security Considerations 2382 The potential security threats against any network-based mobility 2383 management protocol are described in [RFC-4832]. This section 2384 explains how Proxy Mobile IPv6 protocol defends itself against those 2385 threats. 2387 Proxy Mobile IPv6 protocol requires the signaling messages, Proxy 2388 Binding Update and Proxy Binding Acknowledgement, exchanged between 2389 the mobile access gateway and the local mobility anchor to be 2390 protected using IPsec, using the established security association 2391 between them. This essentially eliminates the threats related to the 2392 impersonation of the mobile access gateway or the local mobility 2393 anchor. 2395 This specification allows a mobile access gateway to send binding 2396 registration messages on behalf of a mobile node. If proper 2397 authorization checks are not in place, a malicious node may be able 2398 to hijack a mobile node's session or may do a denial-of-service 2399 attacks. To prevent this attack, this specification requires the 2400 local mobility anchor to allow only authorized mobile access gateways 2401 to send binding registration messages on behalf of a mobile node. 2403 To eliminate the threats on the interface between the mobile access 2404 gateway and the mobile node, this specification requires an 2405 established trust between the mobile access gateway and the mobile 2406 node and to authenticate and authorize the mobile node before it is 2407 allowed to access the network. 2409 To eliminate the threats related to a compromised mobile access 2410 gateway, this specification recommends that the local mobility anchor 2411 before accepting a Proxy Binding Update message for a given mobile 2412 node, should ensure the mobile node is definitively attached to the 2413 mobile access gateway that sent the binding registration request. 2415 The issues related to a compromised mobile access gateway in the 2416 scenario where the local mobility anchor and the mobile access 2417 gateway in different domains, is outside the scope of this document. 2418 This scenario is beyond the applicability of this document. 2420 12. Acknowledgements 2422 The authors would like to specially thank Julien Laganier, Christian 2423 Vogt, Pete McCann, Brian Haley, Ahmad Muhanna, JinHyeock Choi for 2424 their thorough review of this document. 2426 The authors would also like to thank Alex Petrescu, Alice Qinxia, 2427 Alper Yegin, Ashutosh Dutta, Behcet Sarikaya, Fred Templing, Genadi 2428 Velev, George Tsirtsis, Gerardo Giaretta, Henrik Levkowetz, Hesham 2429 Soliman, James Kempf, Jari Arkko, Jean-Michel Combes, John Zhao, 2430 Jong-Hyouk Lee, Jonne Soininen, Jouni Korhonen, Kilian Weniger, Marco 2431 Liebsch, Mohamed Khalil, Nishida Katsutoshi, Phil Roberts, Ryuji 2432 Wakikawa, Sangjin Jeong, Suresh Krishnan, Vidya Narayanan, Youn-Hee 2433 Han and many others for their passionate discussions in the working 2434 group mailing list on the topic of localized mobility management 2435 solutions. These discussions stimulated much of the thinking and 2436 shaped the draft to the current form. We acknowledge that ! 2438 The authors would also like to thank Ole Troan, Akiko Hattori, Parviz 2439 Yegani, Mark Grayson, Michael Hammer, Vojislav Vucetic, Jay Iyer and 2440 Tim Stammers for their input on this document. 2442 13. References 2444 13.1. Normative References 2446 [RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate 2447 Requirement Levels", BCP 14, RFC 2119, March 1997. 2449 [RFC-2461] Narten, T., Nordmark, E. and W. Simpson, "Neighbor 2450 Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998. 2452 [RFC-2473] Conta, A. and S. Deering, "Generic Packet Tunneling in 2453 IPv6 Specification", RFC 2473, December 1998. 2455 [RFC-3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and 2456 M.Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", 2457 RFC 3315, July 2003. 2459 [RFC-3775] Johnson, D., Perkins, C., Arkko, J., "Mobility Support in 2460 IPv6", RFC 3775, June 2004. 2462 [RFC-4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The 2463 Network Access Identifier", RFC 4282, November 2005. 2465 [RFC-4283] Patel, A., Leung, K., Khalil, M., Akhtar, H., and K. 2466 Chowdhury, "Mobile Node Identifier Option for Mobile IPv6", RFC 4283, 2467 November 2005. 2469 [RFC-4301] Kent, S. and Atkinson, R., "Security Architecture for the 2470 Internet Protocol", RFC 4301, December 2005. 2472 [RFC-4303] Kent, S. "IP Encapsulating Security Protocol (ESP)", RFC 2473 4303, December 2005. 2475 13.2. Informative References 2477 [RFC-1661] Simpson, W., Ed., "The Point-To-Point Protocol (PPP)", STD 2478 51, RFC 1661, July 1994. 2480 [RFC-2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2481 2131, March 1997. 2483 [RFC-2462] Thompson, S., Narten, T., "IPv6 Stateless Address 2484 Autoconfiguration", RFC 2462, December 1998. 2486 [RFC-2472] Haskin, D. and Allen, E., "IP version 6 over PPP", RFC 2487 2472, December 1998. 2489 [RFC-3041] Narten, T. and Draves, R., "Privacy Extensions for 2490 Stateless Address Autoconfiguration in IPv6", RFC 3041, January 2001. 2492 [RFC-3971] Arkko, J., Ed., Kempf, J., Sommerfeld, B., Zill, B., and 2493 P. Nikander, "SEcure Neighbor Discovery (SEND)", RFC 3971, March 2494 2005. 2496 [RFC-4306] Kaufman, C, et al, "Internet Key Exchange (IKEv2) 2497 Protocol", RFC 4306, December 2005. 2499 [RFC-4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 2500 for IPv4, IPv6 and OSI", RFC 2030, October 1996. 2502 [RFC-4830] Kempf, J., Leung, K., Roberts, P., Nishida, K., Giaretta, 2503 G., Liebsch, M., "Problem Statement for Network-based Localized 2504 Mobility Management", September 2006. 2506 [RFC-4831] Kempf, J., Leung, K., Roberts, P., Nishida, K., Giaretta, 2507 G., Liebsch, M., "Goals for Network-based Localized Mobility 2508 Management", October 2006. 2510 [RFC-4832] Vogt, C., Kempf, J., "Security Threats to Network-Based 2511 Localized Mobility Management", September 2006. 2513 [ID-IPV4-PMIP6] Wakikawa, R. and Gundavelli, S., "IPv4 Support for 2514 Proxy Mobile IPv6", draft-ietf-netlmm-pmip6-ipv4-support-01.txt, May 2515 2007. 2517 [ID-DNAV6] Kempf, J., et al "Detecting Network Attachment in IPv6 2518 Networks (DNAv6)", draft-ietf-dna-protocol-06.txt, October 2006. 2520 Appendix A. Proxy Mobile IPv6 interactions with AAA Infrastructure 2522 Every mobile node that roams in a proxy Mobile IPv6 domain, would 2523 typically be identified by an identifier, MN-Identifier, and that 2524 identifier will have an associated policy profile that identifies the 2525 mobile node's home network prefix, permitted address configuration 2526 modes, roaming policy and other parameters that are essential for 2527 providing network-based mobility service. This information is 2528 typically configured in AAA. It is possible the home network prefix 2529 is dynamically allocated for the mobile node when it boots up for the 2530 first time in the network, or it could be a statically configured 2531 value on per mobile node basis. However, for all practical purposes, 2532 the network entities in the proxy Mobile IPv6 domain, while serving a 2533 mobile node will have access to this profile and these entities can 2534 query this information using RADIUS/DIAMETER protocols. 2536 Appendix B. Supporting Shared-Prefix Model using DHCPv6 2538 This specification supports Per-MN-Prefix model. However, it is 2539 possible to support Shared-Prefix model under the following 2540 guidelines. 2542 The mobile node is allowed to use stateful address configuration 2543 using DHCPv6 for obtaining its address configuration. The mobile 2544 node is not allowed to use any of the stateless autoconfiguration 2545 techniques. The permitted address configuration models for the 2546 mobile node on the access link can be enforced by the mobile access 2547 gateway, by setting the relevant flags in the Router Advertisements, 2548 as per [RFC-2461]. 2550 The Home Network Prefix option that is sent by the mobile access 2551 gateway in the Proxy Binding Update message, must contain the 128-bit 2552 host address that the mobile node obtained via DHCPv6. 2554 Routing state at the mobile access gateway: 2556 For all IPv6 traffic from the source MN-HoA::/128 to 2557 _ANY_DESTINATION_, route via tunnel0, next-hop LMAA, where tunnel0 is 2558 the MAG to LMA tunnel. 2560 Routing state at the local mobility anchor: 2562 For all IPv6 traffic to destination MN-HoA::/128, route via tunnel0, 2563 next-hop Proxy-CoA, where tunnel0 is the LMA to MAG tunnel. 2565 Authors' Addresses 2567 Sri Gundavelli 2568 Cisco 2569 170 West Tasman Drive 2570 San Jose, CA 95134 2571 USA 2573 Email: sgundave@cisco.com 2575 Kent Leung 2576 Cisco 2577 170 West Tasman Drive 2578 San Jose, CA 95134 2579 USA 2581 Email: kleung@cisco.com 2582 Vijay Devarapalli 2583 Azaire Networks 2584 4800 Great America Pkwy 2585 Santa Clara, CA 95054 2586 USA 2588 Email: vijay.devarapalli@azairenet.com 2590 Kuntal Chowdhury 2591 Starent Networks 2592 30 International Place 2593 Tewksbury, MA 2595 Email: kchowdhury@starentnetworks.com 2597 Basavaraj Patil 2598 Nokia Siemens Networks 2599 6000 Connection Drive 2600 Irving, TX 75039 2601 USA 2603 Email: basavaraj.patil@nsn.com 2605 Full Copyright Statement 2607 Copyright (C) The IETF Trust (2007). 2609 This document is subject to the rights, licenses and restrictions 2610 contained in BCP 78, and except as set forth therein, the authors 2611 retain all their rights. 2613 This document and the information contained herein are provided on an 2614 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 2615 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 2616 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 2617 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 2618 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 2619 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 2621 Intellectual Property 2623 The IETF takes no position regarding the validity or scope of any 2624 Intellectual Property Rights or other rights that might be claimed to 2625 pertain to the implementation or use of the technology described in 2626 this document or the extent to which any license under such rights 2627 might or might not be available; nor does it represent that it has 2628 made any independent effort to identify any such rights. Information 2629 on the procedures with respect to rights in RFC documents can be 2630 found in BCP 78 and BCP 79. 2632 Copies of IPR disclosures made to the IETF Secretariat and any 2633 assurances of licenses to be made available, or the result of an 2634 attempt made to obtain a general license or permission for the use of 2635 such proprietary rights by implementers or users of this 2636 specification can be obtained from the IETF on-line IPR repository at 2637 http://www.ietf.org/ipr. 2639 The IETF invites any interested party to bring to its attention any 2640 copyrights, patents or patent applications, or other proprietary 2641 rights that may cover technology that may be required to implement 2642 this standard. Please address the information to the IETF at 2643 ietf-ipr@ietf.org. 2645 Acknowledgment 2647 Funding for the RFC Editor function is provided by the IETF 2648 Administrative Support Activity (IASA).