Network Working Group C. Perkins, Ed.
Request for Comments: 3220 Nokia Research Center
Obsoletes: 2002 January 2002
Category: Standards Track
IP Mobility Support for IPv4
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This document specifies protocol enhancements that allow transparent
routing of IP datagrams to mobile nodes in the Internet. Each mobile
node is always identified by its home address, regardless of its
current point of attachment to the Internet. While situated away
from its home, a mobile node is also associated with a care-of
address, which provides information about its current point of
attachment to the Internet. The protocol provides for registering
the care-of address with a home agent. The home agent sends
datagrams destined for the mobile node through a tunnel to the care-
of address. After arriving at the end of the tunnel, each datagram
is then delivered to the mobile node.
Contents
1. Introduction 3
1.1. Protocol Requirements . . . . . . . . . . . . . . . . . 4
1.2. Goals . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. Assumptions . . . . . . . . . . . . . . . . . . . . . . 5
1.4. Applicability . . . . . . . . . . . . . . . . . . . . . 5
1.5. New Architectural Entities . . . . . . . . . . . . . . 5
1.6. Terminology . . . . . . . . . . . . . . . . . . . . . . 6
1.7. Protocol Overview . . . . . . . . . . . . . . . . . . . 9
1.8. Message Format and Protocol Extensibility . . . . . . . 13
1.9. Type-Length-Value Extension Format for Mobile IP
Extensions . . . . . . . . . . . . . . . . . . . . . 15
1.10. Long Extension Format . . . . . . . . . . . . . . . . . 16
1.11. Short Extension Format . . . . . . . . . . . . . . . . 16
2. Agent Discovery 17
2.1. Agent Advertisement . . . . . . . . . . . . . . . . . . 18
2.1.1. Mobility Agent Advertisement Extension . . . . 20
2.1.2. Prefix-Lengths Extension . . . . . . . . . . . 22
2.1.3. One-byte Padding Extension . . . . . . . . . . 22
2.2. Agent Solicitation . . . . . . . . . . . . . . . . . . 23
2.3. Foreign Agent and Home Agent Considerations . . . . . . 23
2.3.1. Advertised Router Addresses . . . . . . . . . . 24
2.3.2. Sequence Numbers and Rollover Handling . . . . 24
2.4. Mobile Node Considerations . . . . . . . . . . . . . . 25
2.4.1. Registration Required . . . . . . . . . . . . . 26
2.4.2. Move Detection . . . . . . . . . . . . . . . . 26
2.4.3. Returning Home . . . . . . . . . . . . . . . . 27
2.4.4. Sequence Numbers and Rollover Handling . . . . 28
3. Registration 28
3.1. Registration Overview . . . . . . . . . . . . . . . . . 29
3.2. Authentication . . . . . . . . . . . . . . . . . . . . 30
3.3. Registration Request . . . . . . . . . . . . . . . . . 30
3.4. Registration Reply . . . . . . . . . . . . . . . . . . 33
3.5. Registration Extensions . . . . . . . . . . . . . . . . 36
3.5.1. Computing Authentication Extension Values . . . 36
3.5.2. Mobile-Home Authentication Extension . . . . . 37
3.5.3. Mobile-Foreign Authentication Extension . . . . 37
3.5.4. Foreign-Home Authentication Extension . . . . . 38
3.6. Mobile Node Considerations . . . . . . . . . . . . . . 38
3.6.1. Sending Registration Requests . . . . . . . . . 40
3.6.2. Receiving Registration Replies . . . . . . . . 43
3.6.3. Registration Retransmission . . . . . . . . . . 46
3.7. Foreign Agent Considerations . . . . . . . . . . . . . 46
3.7.1. Configuration and Registration Tables . . . . . 47
3.7.2. Receiving Registration Requests . . . . . . . . 48
3.7.3. Receiving Registration Replies . . . . . . . . 51
3.8. Home Agent Considerations . . . . . . . . . . . . . . . 53
3.8.1. Configuration and Registration Tables . . . . . 54
3.8.2. Receiving Registration Requests . . . . . . . . 55
3.8.3. Sending Registration Replies . . . . . . . . . 58
4. Routing Considerations 61
4.1. Encapsulation Types . . . . . . . . . . . . . . . . . . 61
4.2. Unicast Datagram Routing . . . . . . . . . . . . . . . 61
4.2.1. Mobile Node Considerations . . . . . . . . . . 61
4.2.2. Foreign Agent Considerations . . . . . . . . . 62
4.2.3. Home Agent Considerations . . . . . . . . . . . 63
4.3. Broadcast Datagrams . . . . . . . . . . . . . . . . . . 65
4.4. Multicast Datagram Routing . . . . . . . . . . . . . . 65
4.5. Mobile Routers . . . . . . . . . . . . . . . . . . . . 66
4.6. ARP, Proxy ARP, and Gratuitous ARP . . . . . . . . . . 68
5. Security Considerations 72
5.1. Message Authentication Codes . . . . . . . . . . . . . 72
5.2. Areas of Security Concern in this Protocol . . . . . . 72
5.3. Key Management . . . . . . . . . . . . . . . . . . . . 73
5.4. Picking Good Random Numbers . . . . . . . . . . . . . . 73
5.5. Privacy . . . . . . . . . . . . . . . . . . . . . . . . 73
5.6. Ingress Filtering . . . . . . . . . . . . . . . . . . . 74
5.7. Replay Protection for Registration Requests . . . . . . 74
5.7.1. Replay Protection using Timestamps . . . . . . 74
5.7.2. Replay Protection using Nonces . . . . . . . . 76
6. IANA Considerations 76
6.1. Mobile IP Message Types . . . . . . . . . . . . . . . . 77
6.2. Extensions to RFC 1256 Router Advertisement . . . . . . 77
6.3. Extensions to Mobile IP Registration Messages . . . . . 78
6.4. Code Values for Mobile IP Registration Reply
Messages. . . . . . . . . . . . . . . . . . . . . . 78
7. Acknowledgments 79
A. Patent Issues 81
B. Link-Layer Considerations 81
C. TCP Considerations 82
C.1. TCP Timers . . . . . . . . . . . . . . . . . . . . . . 82
C.2. TCP Congestion Management . . . . . . . . . . . . . . . 82
D. Example Scenarios 83
D.1. Registering with a Foreign Agent Care-of Address . . . 83
D.2. Registering with a Co-Located Care-of Address . . . . . 83
D.3. Deregistration . . . . . . . . . . . . . . . . . . . . 84
E. Applicability of Prefix-Lengths Extension 85
F. Interoperability Considerations 85
G. Changes since RFC 2002 86
G.1. Major Changes . . . . . . . . . . . . . . . . . . . . . 86
G.2. Minor Changes . . . . . . . . . . . . . . . . . . . . . 88
G.3. Changes since revision 04 of RFC2002bis . . . . . . . . 90
H. Example Messages 91
H.1. Example ICMP Agent Advertisement Message Format . . . . 91
H.2. Example Registration Request Message Format . . . . . . 92
H.3. Example Registration Reply Message Format . . . . . . . 93
References . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 97
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 98
1. Introduction
IP version 4 assumes that a node's IP address uniquely identifies the
node's point of attachment to the Internet. Therefore, a node must
be located on the network indicated by its IP address in order to
receive datagrams destined to it; otherwise, datagrams destined to
the node would be undeliverable. For a node to change its point of
attachment without losing its ability to communicate, currently one
of the two following mechanisms must typically be employed:
a) the node must change its IP address whenever it changes its
point of attachment, or
b) host-specific routes must be propagated throughout much of the
Internet routing fabric.
Both of these alternatives are often unacceptable. The first makes
it impossible for a node to maintain transport and higher-layer
connections when the node changes location. The second has obvious
and severe scaling problems, especially relevant considering the
explosive growth in sales of notebook (mobile) computers.
A new, scalable, mechanism is required for accommodating node
mobility within the Internet. This document defines such a
mechanism, which enables nodes to change their point of attachment to
the Internet without changing their IP address.
Changes between this revised specification for Mobile IP and the
original specifications (see [33, 32, 34, 43, 8]) are detailed in the
appendix section G.
1.1. Protocol Requirements
A mobile node must be able to communicate with other nodes after
changing its link-layer point of attachment to the Internet, yet
without changing its IP address.
A mobile node must be able to communicate with other nodes that do
not implement these mobility functions. No protocol enhancements are
required in hosts or routers that are not acting as any of the new
architectural entities introduced in Section 1.5.
All messages used to update another node as to the location of a
mobile node must be authenticated in order to protect against remote
redirection attacks.
1.2. Goals
The link by which a mobile node is directly attached to the Internet
may often be a wireless link. This link may thus have a
substantially lower bandwidth and higher error rate than traditional
wired networks. Moreover, mobile nodes are likely to be battery
powered, and minimizing power consumption is important. Therefore,
the number of administrative messages sent over the link by which a
mobile node is directly attached to the Internet should be minimized,
and the size of these messages should be kept as small as is
reasonably possible.
1.3. Assumptions
The protocols defined in this document place no additional
constraints on the assignment of IP addresses. That is, a mobile
node can be assigned an IP address by the organization that owns the
machine.
This protocol assumes that mobile nodes will generally not change
their point of attachment to the Internet more frequently than once
per second.
This protocol assumes that IP unicast datagrams are routed based on
the destination address in the datagram header (and not, for example,
by source address).
1.4. Applicability
Mobile IP is intended to enable nodes to move from one IP subnet to
another. It is just as suitable for mobility across homogeneous
media as it is for mobility across heterogeneous media. That is,
Mobile IP facilitates node movement from one Ethernet segment to
another as well as it accommodates node movement from an Ethernet
segment to a wireless LAN, as long as the mobile node's IP address
remains the same after such a movement.
One can think of Mobile IP as solving the "macro" mobility management
problem. It is less well suited for more "micro" mobility management
applications -- for example, handoff amongst wireless transceivers,
each of which covers only a very small geographic area. As long as
node movement does not occur between points of attachment on
different IP subnets, link-layer mechanisms for mobility (i.e.,
link-layer handoff) may offer faster convergence and far less
overhead than Mobile IP.
1.5. New Architectural Entities
Mobile IP introduces the following new functional entities:
Mobile Node
A host or router that changes its point of attachment from one
network or subnetwork to another. A mobile node may change its
location without changing its IP address; it may continue to
communicate with other Internet nodes at any location using its
(constant) IP address, assuming link-layer connectivity to a
point of attachment is available.
Home Agent
A router on a mobile node's home network which tunnels
datagrams for delivery to the mobile node when it is away from
home, and maintains current location information for the mobile
node.
Foreign Agent
A router on a mobile node's visited network which provides
routing services to the mobile node while registered. The
foreign agent detunnels and delivers datagrams to the mobile
node that were tunneled by the mobile node's home agent. For
datagrams sent by a mobile node, the foreign agent may serve as
a default router for registered mobile nodes.
A mobile node is given a long-term IP address on a home network.
This home address is administered in the same way as a "permanent" IP
address is provided to a stationary host. When away from its home
network, a "care-of address" is associated with the mobile node and
reflects the mobile node's current point of attachment. The mobile
node uses its home address as the source address of all IP datagrams
that it sends, except where otherwise described in this document for
datagrams sent for certain mobility management functions (e.g., as in
Section 3.6.1.1).
1.6. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [4].
In addition, this document frequently uses the following terms:
Authorization-enabling extension
An authentication which makes a (registration) message
acceptable to the ultimate recipient of the registration
message. An authorization-enabling extension MUST contain
an SPI.
In this document, all uses of authorization-enabling
extension refer to authentication extensions that enable the
Registration Request message to be acceptable to the home
agent. Using additional protocol structures specified
outside of this document, it may be possible for the mobile
node to provide authentication of its registration to the
home agent, by way of another authenticating entity within
the network that is acceptable to the home agent (for
example, see RFC 2794 [6]).
Agent Advertisement
An advertisement message constructed by attaching a special
Extension to a router advertisement [10] message.
Authentication
The process of verifying (using cryptographic techniques,
for all applications in this specification) the identity of
the originator of a message.
Care-of Address
The termination point of a tunnel toward a mobile node, for
datagrams forwarded to the mobile node while it is away from
home. The protocol can use two different types of care-of
address: a "foreign agent care-of address" is an address of
a foreign agent with which the mobile node is registered,
and a "co-located care-of address" is an externally obtained
local address which the mobile node has associated with one
of its own network interfaces.
Correspondent Node
A peer with which a mobile node is communicating. A
correspondent node may be either mobile or stationary.
Foreign Network
Any network other than the mobile node's Home Network.
Gratuitous ARP
An ARP packet sent by a node in order to spontaneously cause
other nodes to update an entry in their ARP cache [45]. See
section 4.6.
Home Address
An IP address that is assigned for an extended period of
time to a mobile node. It remains unchanged regardless of
where the node is attached to the Internet.
Home Network
A network, possibly virtual, having a network prefix
matching that of a mobile node's home address. Note that
standard IP routing mechanisms will deliver datagrams
destined to a mobile node's Home Address to the mobile
node's Home Network.
Link
A facility or medium over which nodes can communicate at the
link layer. A link underlies the network layer.
Link-Layer Address
The address used to identify an endpoint of some
communication over a physical link. Typically, the Link-
Layer address is an interface's Media Access Control (MAC)
address.
Mobility Agent
Either a home agent or a foreign agent.
Mobility Binding
The association of a home address with a care-of address,
along with the remaining lifetime of that association.
Mobility Security Association
A collection of security contexts, between a pair of nodes,
which may be applied to Mobile IP protocol messages
exchanged between them. Each context indicates an
authentication algorithm and mode (Section 5.1), a secret (a
shared key, or appropriate public/private key pair), and a
style of replay protection in use (Section 5.7).
Node
A host or a router.
Nonce
A randomly chosen value, different from previous choices,
inserted in a message to protect against replays.
Security Parameter Index (SPI)
An index identifying a security context between a pair of
nodes among the contexts available in the Mobility Security
Association. SPI values 0 through 255 are reserved and MUST
NOT be used in any Mobility Security Association.
Tunnel
The path followed by a datagram while it is encapsulated.
The model is that, while it is encapsulated, a datagram is
routed to a knowledgeable decapsulating agent, which
decapsulates the datagram and then correctly delivers it to
its ultimate destination.
Virtual Network
A network with no physical instantiation beyond a router
(with a physical network interface on another network). The
router (e.g., a home agent) generally advertises
reachability to the virtual network using conventional
routing protocols.
Visited Network
A network other than a mobile node's Home Network, to which
the mobile node is currently connected.
Visitor List
The list of mobile nodes visiting a foreign agent.
1.7. Protocol Overview
The following support services are defined for Mobile IP:
Agent Discovery
Home agents and foreign agents may advertise their
availability on each link for which they provide service. A
newly arrived mobile node can send a solicitation on the
link to learn if any prospective agents are present.
Registration
When the mobile node is away from home, it registers its
care-of address with its home agent. Depending on its
method of attachment, the mobile node will register either
directly with its home agent, or through a foreign agent
which forwards the registration to the home agent.
silently discard
The implementation discards the datagram without further
processing, and without indicating an error to the sender.
The implementation SHOULD provide the capability of logging
the error, including the contents of the discarded datagram,
and SHOULD record the event in a statistics counter.
The following steps provide a rough outline of operation of the
Mobile IP protocol:
- Mobility agents (i.e., foreign agents and home agents)
advertise their presence via Agent Advertisement messages
(Section 2). A mobile node may optionally solicit an Agent
Advertisement message from any locally attached mobility agents
through an Agent Solicitation message.
- A mobile node receives these Agent Advertisements and
determines whether it is on its home network or a foreign
network.
- When the mobile node detects that it is located on its home
network, it operates without mobility services. If returning
to its home network from being registered elsewhere, the mobile
node deregisters with its home agent, through exchange of a
Registration Request and Registration Reply message with it.
- When a mobile node detects that it has moved to a foreign
network, it obtains a care-of address on the foreign network.
The care-of address can either be determined from a foreign
agent's advertisements (a foreign agent care-of address), or by
some external assignment mechanism such as DHCP [13] (a co-
located care-of address).
- The mobile node operating away from home then registers its new
care-of address with its home agent through exchange of a
Registration Request and Registration Reply message with it,
possibly via a foreign agent (Section 3).
- Datagrams sent to the mobile node's home address are
intercepted by its home agent, tunneled by the home agent to
the mobile node's care-of address, received at the tunnel
endpoint (either at a foreign agent or at the mobile node
itself), and finally delivered to the mobile node (Section
4.2.3).
- In the reverse direction, datagrams sent by the mobile node are
generally delivered to their destination using standard IP
routing mechanisms, not necessarily passing through the home
agent.
When away from home, Mobile IP uses protocol tunneling to hide a
mobile node's home address from intervening routers between its home
network and its current location. The tunnel terminates at the
mobile node's care-of address. The care-of address must be an
address to which datagrams can be delivered via conventional IP
routing. At the care-of address, the original datagram is removed
from the tunnel and delivered to the mobile node.
Mobile IP provides two alternative modes for the acquisition of a
care-of address:
a) A "foreign agent care-of address" is a care-of address provided
by a foreign agent through its Agent Advertisement messages.
In this case, the care-of address is an IP address of the
foreign agent. In this mode, the foreign agent is the endpoint
of the tunnel and, upon receiving tunneled datagrams,
decapsulates them and delivers the inner datagram to the mobile
node. This mode of acquisition is preferred because it allows
many mobile nodes to share the same care-of address and
therefore does not place unnecessary demands on the already
limited IPv4 address space.
b) A "co-located care-of address" is a care-of address acquired by
the mobile node as a local IP address through some external
means, which the mobile node then associates with one of its
own network interfaces. The address may be dynamically
acquired as a temporary address by the mobile node such as
through DHCP [13], or may be owned by the mobile node as a
long-term address for its use only while visiting some foreign
network. Specific external methods of acquiring a local IP
address for use as a co-located care-of address are beyond the
scope of this document. When using a co-located care-of
address, the mobile node serves as the endpoint of the tunnel
and itself performs decapsulation of the datagrams tunneled to
it.
The mode of using a co-located care-of address has the advantage that
it allows a mobile node to function without a foreign agent, for
example, in networks that have not yet deployed a foreign agent. It
does, however, place additional burden on the IPv4 address space
because it requires a pool of addresses within the foreign network to
be made available to visiting mobile nodes. It is difficult to
efficiently maintain pools of addresses for each subnet that may
permit mobile nodes to visit.
It is important to understand the distinction between the care-of
address and the foreign agent functions. The care-of address is
simply the endpoint of the tunnel. It might indeed be an address of
a foreign agent (a foreign agent care-of address), but it might
instead be an address temporarily acquired by the mobile node (a co-
located care-of address). A foreign agent, on the other hand, is a
mobility agent that provides services to mobile nodes. See Sections
3.7 and 4.2.2 for additional details.
For example, figure 1 illustrates the routing of datagrams to and
from a mobile node away from home, once the mobile node has
registered with its home agent. In figure 1, the mobile node is
using a foreign agent care-of address, not a co-located care-of
address.
2) Datagram is intercepted 3) Datagram is
by home agent and detunneled and
is tunneled to the delivered to the
care-of address. mobile node.
+-----+ +-------+ +------+
|home | =======> |foreign| ------> |mobile|
|agent| | agent | <------ | node |
+-----+ +-------+ +------+
1) Datagram to /|\ /
mobile node | / 4) For datagrams sent by the
arrives on | / mobile node, standard IP
home network | / routing delivers each to its
via standard | |_ destination. In this figure,
IP routing. +----+ the foreign agent is the
|host| mobile node's default router.
+----+
Figure 1: Operation of Mobile IPv4
A home agent MUST be able to attract and intercept datagrams that are
destined to the home address of any of its registered mobile nodes.
Using the proxy and gratuitous ARP mechanisms described in Section
4.6, this requirement can be satisfied if the home agent has a
network interface on the link indicated by the mobile node's home
address. Other placements of the home agent relative to the mobile
node's home location MAY also be possible using other mechanisms for
intercepting datagrams destined to the mobile node's home address.
Such placements are beyond the scope of this document.
Similarly, a mobile node and a prospective or current foreign agent
MUST be able to exchange datagrams without relying on standard IP
routing mechanisms; that is, those mechanisms which make forwarding
decisions based upon the network-prefix of the destination address in
the IP header. This requirement can be satisfied if the foreign
agent and the visiting mobile node have an interface on the same
link. In this case, the mobile node and foreign agent simply bypass
their normal IP routing mechanism when sending datagrams to each
other, addressing the underlying link-layer packets to their
respective link-layer addresses. Other placements of the foreign
agent relative to the mobile node MAY also be possible using other
mechanisms to exchange datagrams between these nodes, but such
placements are beyond the scope of this document.
If a mobile node is using a co-located care-of address (as described
in (b) above), the mobile node MUST be located on the link identified
by the network prefix of this care-of address. Otherwise, datagrams
destined to the care-of address would be undeliverable.
1.8. Message Format and Protocol Extensibility
Mobile IP defines a set of new control messages, sent with UDP [37]
using well-known port number 434. The following two message types
are defined in this document:
1 Registration Request
3 Registration Reply
Up-to-date values for the message types for Mobile IP control
messages are specified in the most recent "Assigned Numbers" [40].
In addition, for Agent Discovery, Mobile IP makes use of the
existing Router Advertisement and Router Solicitation messages
defined for ICMP Router Discovery [10].
Mobile IP defines a general Extension mechanism to allow optional
information to be carried by Mobile IP control messages or by ICMP
Router Discovery messages. Some extensions have been specified to
be encoded in the simple Type-Length-Value format described in
Section 1.9.
Extensions allow variable amounts of information to be carried
within each datagram. The end of the list of Extensions is
indicated by the total length of the IP datagram.
Two separately maintained sets of numbering spaces, from which
Extension Type values are allocated, are used in Mobile IP:
- The first set consists of those Extensions which may appear
only in Mobile IP control messages (those sent to and from UDP
port number 434). In this document, the following Types are
defined for Extensions appearing in Mobile IP control messages:
32 Mobile-Home Authentication
33 Mobile-Foreign Authentication
34 Foreign-Home Authentication
- The second set consists of those extensions which may appear
only in ICMP Router Discovery messages [10]. In this document,
the following Types are defined for Extensions appearing in
ICMP Router Discovery messages:
0 One-byte Padding (encoded with no Length nor Data field)
16 Mobility Agent Advertisement
19 Prefix-Lengths
Each individual Extension is described in detail in a separate
section later in this document. Up-to-date values for these
Extension Type numbers are specified in the most recent "Assigned
Numbers" [40].
Due to the separation (orthogonality) of these sets, it is
conceivable that two Extensions that are defined at a later date
could have identical Type values, so long as one of the Extensions
may be used only in Mobile IP control messages and the other may be
used only in ICMP Router Discovery messages.
The type field in the Mobile IP extension structure can support up to
255 (skippable and not skippable) uniquely identifiable extensions.
When an Extension numbered in either of these sets within the range 0
through 127 is encountered but not recognized, the message containing
that Extension MUST be silently discarded. When an Extension
numbered in the range 128 through 255 is encountered which is not
recognized, that particular Extension is ignored, but the rest of the
Extensions and message data MUST still be processed. The Length
field of the Extension is used to skip the Data field in searching
for the next Extension.
Unless additional structure is utilized for the extension types, new
developments or additions to Mobile IP might require so many new
extensions that the available space for extension types might run
out. Two new extension structures are proposed to solve this
problem. Certain types of extensions can be aggregated, using
subtypes to identify the precise extension, for example as has been
done with the Generic Authentication Keys extensions [35]. In many
cases, this may reduce the rate of allocation for new values of the
type field.
Since the new extension structures will cause an efficient usage of
the extension type space, it is recommended that new Mobile IP
extensions follow one of the two new extension formats whenever there
may be the possibility to group related extensions together.
The following subsections provide details about three distinct
structures for Mobile IP extensions:
- The simple extension format
- The long extension format
- The short extension format
1.9. Type-Length-Value Extension Format for Mobile IP Extensions
The Type-Length-Value format illustrated in figure 2 is used for
extensions which are specified in this document. Since this simple
extension structure does not encourage the most efficient usage of
the extension type space, it is recommended that new Mobile IP
extensions follow one of the two new extension formats specified in
sections 1.10 or 1.11 whenever there may be the possibility to group
related extensions together.
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Data ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Figure 2: Type-Length-Value extension format for Mobile IPv4
Type Indicates the particular type of Extension.
Length Indicates the length (in bytes) of the data field within
this Extension. The length does NOT include the Type and
Length bytes.
Data The particular data associated with this Extension. This
field may be zero or more bytes in length. The format
and length of the data field is determined by the type
and length fields.
1.10. Long Extension Format
This format is applicable for non-skippable extensions which carry
information more than 256 bytes.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Sub-Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data .....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Long Extension format requires that the following fields be
specified as the first fields of the extension.
Type is the type, which describes a collection of extensions
having a common data type.
Sub-Type is a unique number given to each member in the aggregated
type.
Length indicates the length (in bytes) of the data field within
this Extension. It does NOT include the Type, Length and
Sub-Type bytes.
Data is the data associated with the subtype of this
extension. This specification does not place any
additional structure on the subtype data.
Since the length field is 16 bits wide, a the extension data can
exceed 256 bytes in length.
1.11. Short Extension Format
This format is compatible with the skippable extensions defined in
section 1.9. It is not applicable for extensions which require more
than 256 bytes of data; for such extensions, use the format described
in section 1.10.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Sub-Type | Data ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Short Extension format requires that the following fields be
specified as the first fields of the extension:
Type is the type, which describes a collection of extensions
having a common data type.
Sub-Type is a unique number given to each member in the aggregated
type.
Length 8-bit unsigned integer. Length of the extension, in
bytes, excluding the extension Type and the extension
Length fields. This field MUST be set to 1 plus the
total length of the data field.
Data is the data associated with this extension. This
specification does not place any additional structure on
the subtype data.
2. Agent Discovery
Agent Discovery is the method by which a mobile node determines
whether it is currently connected to its home network or to a foreign
network, and by which a mobile node can detect when it has moved from
one network to another. When connected to a foreign network, the
methods specified in this section also allow the mobile node to
determine the foreign agent care-of address being offered by each
foreign agent on that network.
Mobile IP extends ICMP Router Discovery [10] as its primary mechanism
for Agent Discovery. An Agent Advertisement is formed by including a
Mobility Agent Advertisement Extension in an ICMP Router
Advertisement message (Section 2.1). An Agent Solicitation message
is identical to an ICMP Router Solicitation, except that its IP TTL
MUST be set to 1 (Section 2.2). This section describes the message
formats and procedures by which mobile nodes, foreign agents, and
home agents cooperate to realize Agent Discovery.
Agent Advertisement and Agent Solicitation may not be necessary for
link layers that already provide this functionality. The method by
which mobile nodes establish link-layer connections with prospective
agents is outside the scope of this document (but see Appendix B).
The procedures described below assume that such link-layer
connectivity has already been established.
No authentication is required for Agent Advertisement and Agent
Solicitation messages. They MAY be authenticated using the IP
Authentication Header [22], which is unrelated to the messages
described in this document. Further specification of the way in
which Advertisement and Solicitation messages may be authenticated is
outside of the scope of this document.
2.1. Agent Advertisement
Agent Advertisements are transmitted by a mobility agent to advertise
its services on a link. Mobile nodes use these advertisements to
determine their current point of attachment to the Internet. An
Agent Advertisement is an ICMP Router Advertisement that has been
extended to also carry an Mobility Agent Advertisement Extension
(Section 2.1.1) and, optionally, a Prefix-Lengths Extension (Section
2.1.2), One-byte Padding Extension (Section 2.1.3), or other
Extensions that might be defined in the future.
Within an Agent Advertisement message, ICMP Router Advertisement
fields of the message are required to conform to the following
additional specifications:
- Link-Layer Fields
Destination Address
The link-layer destination address of a unicast Agent
Advertisement MUST be the same as the source link-layer
address of the Agent Solicitation which prompted the
Advertisement.
- IP Fields
TTL The TTL for all Agent Advertisements MUST be set
to 1.
Destination Address
As specified for ICMP Router Discovery [10], the IP
destination address of an multicast Agent Advertisement
MUST be either the "all systems on this link" multicast
address (224.0.0.1) [11] or the "limited broadcast"
address (255.255.255.255). The subnet-directed broadcast
address of the form <prefix>.<-1> cannot be used since
mobile nodes will not generally know the prefix of the
foreign network. When the Agent Advertisement is unicast
to a mobile node, the IP home address of the mobile node
SHOULD be used as the Destination Address.
- ICMP Fields
Code The Code field of the agent advertisement is
interpreted as follows:
0 The mobility agent handles common traffic -- that
is, it acts as a router for IP datagrams not
necessarily related to mobile nodes.
16 The mobility agent does not route common traffic.
However, all foreign agents MUST (minimally)
forward to a default router any datagrams received
from a registered mobile node (Section 4.2.2).
Lifetime
The maximum length of time that the Advertisement is
considered valid in the absence of further
Advertisements.
Router Address(es)
See Section 2.3.1 for a discussion of the addresses that
may appear in this portion of the Agent Advertisement.
Num Addrs
The number of Router Addresses advertised in this
message. Note that in an Agent Advertisement message,
the number of router addresses specified in the ICMP
Router Advertisement portion of the message MAY be set to
0. See Section 2.3.1 for details.
If sent periodically, the nominal interval at which Agent
Advertisements are sent SHOULD be no longer than 1/3 of the
advertisement Lifetime given in the ICMP header. This interval MAY
be shorter than 1/3 the advertised Lifetime. This allows a mobile
node to miss three successive advertisements before deleting the
agent from its list of valid agents. The actual transmission time
for each advertisement SHOULD be slightly randomized [10] in order to
avoid synchronization and subsequent collisions with other Agent
Advertisements that may be sent by other agents (or with other Router
Advertisements sent by other routers). Note that this field has no
relation to the "Registration Lifetime" field within the Mobility
Agent Advertisement Extension defined below.
2.1.1. Mobility Agent Advertisement Extension
The Mobility Agent Advertisement Extension follows the ICMP Router
Advertisement fields. It is used to indicate that an ICMP Router
Advertisement message is also an Agent Advertisement being sent by a
mobility agent. The Mobility Agent Advertisement Extension is
defined as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Registration Lifetime |R|B|H|F|M|G|r|T| reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| zero or more Care-of Addresses |
| ... |
Type 16
Length (6 + 4*N), where 6 accounts for the number of bytes in
the Sequence Number, Registration Lifetime, flags, and
reserved fields, and N is the number of care-of addresses
advertised.
Sequence Number
The count of Agent Advertisement messages sent since the
agent was initialized (Section 2.3.2).
Registration Lifetime
The longest lifetime (measured in seconds) that this
agent is willing to accept in any Registration Request.
A value of 0xffff indicates infinity. This field has no
relation to the "Lifetime" field within the ICMP Router
Advertisement portion of the Agent Advertisement.
R Registration required. Registration with this foreign
agent (or another foreign agent on this link) is required
even when using a co-located care-of address.
B Busy. The foreign agent will not accept registrations
from additional mobile nodes.
H Home agent. This agent offers service as a home agent on
the link on which this Agent Advertisement message is
sent.
F Foreign agent. This agent offers service as a foreign
agent on the link on which this Agent Advertisement
message is sent.
M Minimal encapsulation. This agent implements receiving
tunneled datagrams that use minimal encapsulation [34].
G GRE encapsulation. This agent implements receiving
tunneled datagrams that use GRE encapsulation [16].
r Sent as zero; ignored on reception. SHOULD NOT be
allocated for any other uses.
T Foreign agent supports reverse tunneling [27].
reserved
Sent as zero; ignored on reception.
Care-of Address(es)
The advertised foreign agent care-of address(es) provided
by this foreign agent. An Agent Advertisement MUST
include at least one care-of address if the 'F' bit is
set. The number of care-of addresses present is
determined by the Length field in the Extension.
A home agent MUST always be prepared to serve the mobile nodes for
which it is the home agent. A foreign agent may at times be too busy
to serve additional mobile nodes; even so, it must continue to send
Agent Advertisements, so that any mobile nodes already registered
with it will know that they have not moved out of range of the
foreign agent and that the foreign agent has not failed. A foreign
agent may indicate that it is "too busy" to allow new mobile nodes to
register with it, by setting the 'B' bit in its Agent Advertisements.
An Agent Advertisement message MUST NOT have the 'B' bit set if the
'F' bit is not also set. Furthermore, at least one of the 'F' bit
and the 'H' bit MUST be set in any Agent Advertisement message sent.
When a foreign agent wishes to require registration even from those
mobile nodes which have acquired a co-located care-of address, it
sets the 'R' bit to one. Because this bit applies only to foreign
agents, an agent MUST NOT set the 'R' bit to one unless the 'F' bit
is also set to one.
2.1.2. Prefix-Lengths Extension
The Prefix-Lengths Extension MAY follow the Mobility Agent
Advertisement Extension. It is used to indicate the number of bits
of network prefix that applies to each Router Address listed in the
ICMP Router Advertisement portion of the Agent Advertisement. Note
that the prefix lengths given DO NOT apply to care-of address(es)
listed in the Mobility Agent Advertisement Extension. The Prefix-
Lengths Extension is defined as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Prefix Length | ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 19 (Prefix-Lengths Extension)
Length N, where N is the value (possibly zero) of the Num Addrs
field in the ICMP Router Advertisement portion of the
Agent Advertisement.
Prefix Length(s)
The number of leading bits that define the network number
of the corresponding Router Address listed in the ICMP
Router Advertisement portion of the message. The prefix
length for each Router Address is encoded as a separate
byte, in the order that the Router Addresses are listed
in the ICMP Router Advertisement portion of the message.
See Section 2.4.2 for information about how the Prefix-Lengths
Extension MAY be used by a mobile node when determining whether it
has moved. See Appendix E for implementation details about the use
of this Extension.
2.1.3. One-byte Padding Extension
Some IP protocol implementations insist upon padding ICMP messages to
an even number of bytes. If the ICMP length of an Agent
Advertisement is odd, this Extension MAY be included in order to make
the ICMP length even. Note that this Extension is NOT intended to be
a general-purpose Extension to be included in order to word- or
long-align the various fields of the Agent Advertisement. An Agent
Advertisement SHOULD NOT include more than one One-byte Padding
Extension and if present, this Extension SHOULD be the last Extension
in the Agent Advertisement.
Note that unlike other Extensions used in Mobile IP, the One-byte
Padding Extension is encoded as a single byte, with no "Length" nor
"Data" field present. The One-byte Padding Extension is defined as
follows:
0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+
| Type |
+-+-+-+-+-+-+-+-+
Type 0 (One-byte Padding Extension)
2.2. Agent Solicitation
An Agent Solicitation is identical to an ICMP Router Solicitation
with the further restriction that the IP TTL Field MUST be set to 1.
2.3. Foreign Agent and Home Agent Considerations
Any mobility agent which cannot be discovered by a link-layer
protocol MUST send Agent Advertisements. An agent which can be
discovered by a link-layer protocol SHOULD also implement Agent
Advertisements. However, the Advertisements need not be sent, except
when the site policy requires registration with the agent (i.e., when
the 'R' bit is set), or as a response to a specific Agent
Solicitation. All mobility agents MUST process packets that they
receive addressed to the Mobile-Agents multicast group, at address
224.0.0.11. A mobile node MAY send an Agent Solicitation to
224.0.0.11. All mobility agents SHOULD respond to Agent
Solicitations.
The same procedures, defaults, and constants are used in Agent
Advertisement messages and Agent Solicitation messages as specified
for ICMP Router Discovery [10], except that:
- a mobility agent MUST limit the rate at which it sends broadcast
or multicast Agent Advertisements; the maximum rate SHOULD be
chosen so that the Advertisements do not consume a significant
amount of network bandwidth, AND
- a mobility agent that receives a Router Solicitation MUST NOT
require that the IP Source Address is the address of a neighbor
(i.e., an address that matches one of the router's own addresses
on the arrival interface, under the subnet mask associated with
that address of the router).
- a mobility agent MAY be configured to send Agent Advertisements
only in response to an Agent Solicitation message.
If the home network is not a virtual network, then the home agent for
any mobile node SHOULD be located on the link identified by the
mobile node's home address, and Agent Advertisement messages sent by
the home agent on this link MUST have the 'H' bit set. In this way,
mobile nodes on their own home network will be able to determine that
they are indeed at home. Any Agent Advertisement messages sent by
the home agent on another link to which it may be attached (if it is
a mobility agent serving more than one link), MUST NOT have the 'H'
bit set, unless the home agent also serves as a home agent (to other
mobile nodes) on that other link. A mobility agent MAY use different
settings for each of the 'R', 'H', and 'F' bits on different network
interfaces.
If the home network is a virtual network, the home network has no
physical realization external to the home agent itself. In this
case, there is no physical network link on which to send Agent
Advertisement messages advertising the home agent. Mobile nodes for
which this is the home network are always treated as being away from
home.
On a particular subnet, either all mobility agents MUST include the
Prefix-Lengths Extension or all of them MUST NOT include this
Extension. Equivalently, it is prohibited for some agents on a given
subnet to include the Extension but for others not to include it.
Otherwise, one of the move detection algorithms designed for mobile
nodes will not function properly (Section 2.4.2).
2.3.1. Advertised Router Addresses
The ICMP Router Advertisement portion of the Agent Advertisement MAY
contain one or more router addresses. An agent SHOULD only put its
own addresses, if any, in the advertisement. Whether or not its own
address appears in the Router Addresses, a foreign agent MUST route
datagrams it receives from registered mobile nodes (Section 4.2.2).
2.3.2. Sequence Numbers and Rollover Handling
The sequence number in Agent Advertisements ranges from 0 to 0xffff.
After booting, an agent MUST use the number 0 for its first
advertisement. Each subsequent advertisement MUST use the sequence
number one greater, with the exception that the sequence number
0xffff MUST be followed by sequence number 256. In this way, mobile
nodes can distinguish a reduction in the sequence number that occurs
after a reboot from a reduction that results in rollover of the
sequence number after it attains the value 0xffff.
2.4. Mobile Node Considerations
Every mobile node MUST implement Agent Solicitation. Solicitations
SHOULD only be sent in the absence of Agent Advertisements and when a
care-of address has not been determined through a link-layer protocol
or other means. The mobile node uses the same procedures, defaults,
and constants for Agent Solicitation as specified for ICMP Router
Solicitation messages [10], except that the mobile node MAY solicit
more often than once every three seconds, and that a mobile node that
is currently not connected to any foreign agent MAY solicit more
times than MAX_SOLICITATIONS.
The rate at which a mobile node sends Solicitations MUST be limited
by the mobile node. The mobile node MAY send three initial
Solicitations at a maximum rate of one per second while searching for
an agent. After this, the rate at which Solicitations are sent MUST
be reduced so as to limit the overhead on the local link. Subsequent
Solicitations MUST be sent using a binary exponential backoff
mechanism, doubling the interval between consecutive Solicitations,
up to a maximum interval. The maximum interval SHOULD be chosen
appropriately based upon the characteristics of the media over which
the mobile node is soliciting. This maximum interval SHOULD be at
least one minute between Solicitations.
While still searching for an agent, the mobile node MUST NOT increase
the rate at which it sends Solicitations unless it has received a
positive indication that it has moved to a new link. After
successfully registering with an agent, the mobile node SHOULD also
increase the rate at which it will send Solicitations when it next
begins searching for a new agent with which to register. The
increased solicitation rate MAY revert to the maximum rate, but then
MUST be limited in the manner described above. In all cases, the
recommended solicitation intervals are nominal values. Mobile nodes
MUST randomize their solicitation times around these nominal values
as specified for ICMP Router Discovery [10].
Mobile nodes MUST process received Agent Advertisements. A mobile
node can distinguish an Agent Advertisement message from other uses
of the ICMP Router Advertisement message by examining the number of
advertised addresses and the IP Total Length field. When the IP
total length indicates that the ICMP message is longer than needed
for the number of advertised addresses, the remaining data is
interpreted as one or more Extensions. The presence of a Mobility
Agent Advertisement Extension identifies the advertisement as an
Agent Advertisement.
If there is more than one advertised address, the mobile node SHOULD
pick the first address for its initial registration attempt. If the
registration attempt fails with a status Code indicating rejection by
the foreign agent, the mobile node MAY retry the attempt with each
subsequent advertised address in turn.
When multiple methods of agent discovery are in use, the mobile node
SHOULD first attempt registration with agents including Mobility
Agent Advertisement Extensions in their advertisements, in preference
to those discovered by other means. This preference maximizes the
likelihood that the registration will be recognized, thereby
minimizing the number of registration attempts.
A mobile node MUST ignore reserved bits in Agent Advertisements, as
opposed to discarding such advertisements. In this way, new bits can
be defined later, without affecting the ability for mobile nodes to
use the advertisements even when the newly defined bits are not
understood.
2.4.1. Registration Required
When the mobile node receives an Agent Advertisement with the 'R' bit
set, the mobile node SHOULD register through the foreign agent, even
when the mobile node might be able to acquire its own co-located
care-of address. This feature is intended to allow sites to enforce
visiting policies (such as accounting) which require exchanges of
authorization.
If formerly reserved bits require some kind of monitoring/enforcement
at the foreign link, foreign agents implementing the new
specification for the formerly reserved bits can set the 'R' bit.
This has the effect of forcing the mobile node to register through
the foreign agent, so the foreign agent could then monitor/enforce
the policy.
2.4.2. Move Detection
Two primary mechanisms are provided for mobile nodes to detect when
they have moved from one subnet to another. Other mechanisms MAY
also be used. When the mobile node detects that it has moved, it
SHOULD register (Section 3) with a suitable care-of address on the
new foreign network. However, the mobile node MUST NOT register more
frequently than once per second on average, as specified in Section
3.6.3.
2.4.2.1. Algorithm 1
The first method of move detection is based upon the Lifetime field
within the main body of the ICMP Router Advertisement portion of the
Agent Advertisement. A mobile node SHOULD record the Lifetime
received in any Agent Advertisements, until that Lifetime expires.
If the mobile node fails to receive another advertisement from the
same agent within the specified Lifetime, it SHOULD assume that it
has lost contact with that agent. If the mobile node has previously
received an Agent Advertisement from another agent for which the
Lifetime field has not yet expired, the mobile node MAY immediately
attempt registration with that other agent. Otherwise, the mobile
node SHOULD attempt to discover a new agent with which to register.
2.4.2.2. Algorithm 2
The second method uses network prefixes. The Prefix-Lengths
Extension MAY be used in some cases by a mobile node to determine
whether or not a newly received Agent Advertisement was received on
the same subnet as the mobile node's current care-of address. If the
prefixes differ, the mobile node MAY assume that it has moved. If a
mobile node is currently using a foreign agent care-of address, the
mobile node SHOULD NOT use this method of move detection unless both
the current agent and the new agent include the Prefix-Lengths
Extension in their respective Agent Advertisements; if this Extension
is missing from one or both of the advertisements, this method of
move detection SHOULD NOT be used. Similarly, if a mobile node is
using a co-located care-of address, it SHOULD not use this method of
move detection unless the new agent includes the Prefix-Lengths
Extension in its Advertisement and the mobile node knows the network
prefix of its current co-located care-of address. On the expiration
of its current registration, if this method indicates that the mobile
node has moved, rather than re-registering with its current care-of
address, a mobile node MAY choose instead to register with a the
foreign agent sending the new Advertisement with the different
network prefix. The Agent Advertisement on which the new
registration is based MUST NOT have expired according to its Lifetime
field.
2.4.3. Returning Home
A mobile node can detect that it has returned to its home network
when it receives an Agent Advertisement from its own home agent. If
so, it SHOULD deregister with its home agent (Section 3). Before
attempting to deregister, the mobile node SHOULD configure its
routing table appropriately for its home network (Section 4.2.1). In
addition, if the home network is using ARP [36], the mobile node MUST
follow the procedures described in Section 4.6 with regard to ARP,
proxy ARP, and gratuitous ARP.
2.4.4. Sequence Numbers and Rollover Handling
If a mobile node detects two successive values of the sequence number
in the Agent Advertisements from the foreign agent with which it is
registered, the second of which is less than the first and inside the
range 0 to 255, the mobile node SHOULD register again. If the second
value is less than the first but is greater than or equal to 256, the
mobile node SHOULD assume that the sequence number has rolled over
past its maximum value (0xffff), and that reregistration is not
necessary (Section 2.3).
3. Registration
Mobile IP registration provides a flexible mechanism for mobile nodes
to communicate their current reachability information to their home
agent. It is the method by which mobile nodes:
- request forwarding services when visiting a foreign network,
- inform their home agent of their current care-of address,
- renew a registration which is due to expire, and/or
- deregister when they return home.
Registration messages exchange information between a mobile node,
(optionally) a foreign agent, and the home agent. Registration
creates or modifies a mobility binding at the home agent, associating
the mobile node's home address with its care-of address for the
specified Lifetime.
Several other (optional) capabilities are available through the
registration procedure, which enable a mobile node to:
- discover its home address, if the mobile node is not configured
with this information.
- maintain multiple simultaneous registrations, so that a copy of
each datagram will be tunneled to each active care-of address
- deregister specific care-of addresses while retaining other
mobility bindings, and
- discover the address of a home agent if the mobile node is not
configured with this information.
3.1. Registration Overview
Mobile IP defines two different registration procedures, one via a
foreign agent that relays the registration to the mobile node's home
agent, and one directly with the mobile node's home agent. The
following rules determine which of these two registration procedures
to use in any particular circumstance:
- If a mobile node is registering a foreign agent care-of
address, the mobile node MUST register via that foreign agent.
- If a mobile node is using a co-located care-of address, and
receives an Agent Advertisement from a foreign agent on the
link on which it is using this care-of address, the mobile node
SHOULD register via that foreign agent (or via another foreign
agent on this link) if the 'R' bit is set in the received Agent
Advertisement message.
- If a mobile node is otherwise using a co-located care-of
address, the mobile node MUST register directly with its home
agent.
- If a mobile node has returned to its home network and is
(de)registering with its home agent, the mobile node MUST
register directly with its home agent.
Both registration procedures involve the exchange of Registration
Request and Registration Reply messages (Sections 3.3 and 3.4). When
registering via a foreign agent, the registration procedure requires
the following four messages:
a) The mobile node sends a Registration Request to the prospective
foreign agent to begin the registration process.
b) The foreign agent processes the Registration Request and then
relays it to the home agent.
c) The home agent sends a Registration Reply to the foreign agent
to grant or deny the Request.
d) The foreign agent processes the Registration Reply and then
relays it to the mobile node to inform it of the disposition of
its Request.
When the mobile node instead registers directly with its home agent,
the registration procedure requires only the following two messages:
a) The mobile node sends a Registration Request to the home agent.
b) The home agent sends a Registration Reply to the mobile node,
granting or denying the Request.
The registration messages defined in Sections 3.3 and 3.4 use the
User Datagram Protocol (UDP) [37]. A nonzero UDP checksum SHOULD be
included in the header, and MUST be checked by the recipient. A zero
UDP checksum SHOULD be accepted by the recipient. The behavior of
the mobile node and the home agent with respect to their mutual
acceptance of packets with zero UDP checksums SHOULD be defined as
part of the mobility security association which exists between them.
3.2. Authentication
Each mobile node, foreign agent, and home agent MUST be able to
support a mobility security association for mobile entities, indexed
by their SPI and IP address. In the case of the mobile node, this
must be its Home Address. See Section 5.1 for requirements for
support of authentication algorithms. Registration messages between
a mobile node and its home agent MUST be authenticated with an
authorization-enabling extension, e.g. the Mobile-Home Authentication
Extension (Section 3.5.2). This extension MUST be the first
authentication extension; other foreign agent-specific extensions MAY
be added to the message after the mobile node computes the
authentication.
3.3. Registration Request
A mobile node registers with its home agent using a Registration
Request message so that its home agent can create or modify a
mobility binding for that mobile node (e.g., with a new lifetime).
The Request may be relayed to the home agent by the foreign agent
through which the mobile node is registering, or it may be sent
directly to the home agent in the case in which the mobile node is
registering a co-located care-of address.
IP fields:
Source Address Typically the interface address from which the
message is sent.
Destination Address Typically that of the foreign agent or the
home agent.
See Sections 3.6.1.1 and 3.7.2.2 for details. UDP fields:
Source Port variable
Destination Port 434
The UDP header is followed by the Mobile IP fields shown below:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type |S|B|D|M|G|r|T|x| Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Agent |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Care-of Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Identification +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extensions ...
+-+-+-+-+-+-+-+-
Type 1 (Registration Request)
S Simultaneous bindings. If the 'S' bit is set,
the mobile node is requesting that the home agent retain
its prior mobility bindings, as described in Section
3.6.1.2.
B Broadcast datagrams. If the 'B' bit is set, the mobile
node requests that the home agent tunnel to it any
broadcast datagrams that it receives on the home network,
as described in Section 4.3.
D Decapsulation by mobile node. If the 'D' bit is set, the
mobile node will itself decapsulate datagrams which are
sent to the care-of address. That is, the mobile node is
using a co-located care-of address.
M Minimal encapsulation. If the 'M' bit is set, the mobile
node requests that its home agent use minimal
encapsulation [34] for datagrams tunneled to the mobile
node.
G GRE encapsulation. If the 'G' bit is set, the mobile
node requests that its home agent use GRE encapsulation
[16] for datagrams tunneled to the mobile node.
r Sent as zero; ignored on reception. SHOULD NOT be
allocated for any other uses.
T Reverse Tunneling requested; see [27].
x Sent as zero; ignored on reception.
Lifetime
The number of seconds remaining before the registration
is considered expired. A value of zero indicates a
request for deregistration. A value of 0xffff indicates
infinity.
Home Address
The IP address of the mobile node.
Home Agent
The IP address of the mobile node's home agent.
Care-of Address
The IP address for the end of the tunnel.
Identification
A 64-bit number, constructed by the mobile node, used for
matching Registration Requests with Registration Replies,
and for protecting against replay attacks of registration
messages. See Sections 5.4 and 5.7.
Extensions
The fixed portion of the Registration Request is followed
by one or more of the Extensions listed in Section 3.5.
An authorization-enabling extension MUST be included in
all Registration Requests. See Sections 3.6.1.3 and
3.7.2.2 for information on the relative order in which
different extensions, when present, MUST be placed in a
Registration Request message.
3.4. Registration Reply
A mobility agent returns a Registration Reply message to a mobile
node which has sent a Registration Request (Section 3.3) message. If
the mobile node is requesting service from a foreign agent, that
foreign agent will receive the Reply from the home agent and
subsequently relay it to the mobile node. The Reply message contains
the necessary codes to inform the mobile node about the status of its
Request, along with the lifetime granted by the home agent, which MAY
be smaller than the original Request.
The foreign agent MUST NOT increase the Lifetime selected by the
mobile node in the Registration Request, since the Lifetime is
covered by an authentication extension which enables authorization by
the home agent. Such an extension contains authentication data which
cannot be correctly (re)computed by the foreign agent. The home
agent MUST NOT increase the Lifetime selected by the mobile node in
the Registration Request, since doing so could increase it beyond the
maximum Registration Lifetime allowed by the foreign agent. If the
Lifetime received in the Registration Reply is greater than that in
the Registration Request, the Lifetime in the Request MUST be used.
When the Lifetime received in the Registration Reply is less than
that in the Registration Request, the Lifetime in the Reply MUST be
used.
IP fields:
Source Address Typically copied from the destination address
of the Registration Request to which the
agent is replying. See Sections 3.7.2.3 and
3.8.3.1 for complete details.
Destination Address Copied from the source address of the
Registration Request to which the agent is
replying
UDP fields:
Source Port <variable>
Destination Port Copied from the source port of the
corresponding Registration Request (Section
3.7.1).
The UDP header is followed by the Mobile IP fields shown below:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Agent |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Identification +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extensions ...
+-+-+-+-+-+-+-+-
Type 3 (Registration Reply)
Code A value indicating the result of the Registration
Request. See below for a list of currently defined Code
values.
Lifetime
If the Code field indicates that the registration was
accepted, the Lifetime field is set to the number of
seconds remaining before the registration is considered
expired. A value of zero indicates that the mobile node
has been deregistered. A value of 0xffff indicates
infinity. If the Code field indicates that the
registration was denied, the contents of the Lifetime
field are unspecified and MUST be ignored on reception.
Home Address
The IP address of the mobile node.
Home Agent
The IP address of the mobile node's home agent.
Identification
A 64-bit number used for matching Registration Requests
with Registration Replies, and for protecting against
replay attacks of registration messages. The value is
based on the Identification field from the Registration
Request message from the mobile node, and on the style of
replay protection used in the security context between
the mobile node and its home agent (defined by the
mobility security association between them, and SPI value
in the authorization-enabling extension). See Sections
5.4 and 5.7.
Extensions
The fixed portion of the Registration Reply is followed
by one or more of the Extensions listed in Section 3.5.
An authorization-enabling extension MUST be included in
all Registration Replies returned by the home agent. See
Sections 3.7.2.2 and 3.8.3.3 for rules on placement of
extensions to Reply messages.
The following values are defined for use within the Code field.
Registration successful:
0 registration accepted
1 registration accepted, but simultaneous mobility
bindings unsupported
Registration denied by the foreign agent:
64 reason unspecified
65 administratively prohibited
66 insufficient resources
67 mobile node failed authentication
68 home agent failed authentication
69 requested Lifetime too long
70 poorly formed Request
71 poorly formed Reply
72 requested encapsulation unavailable
73 reserved and unavailable
77 invalid care-of address
78 registration timeout
80 home network unreachable (ICMP error received)
81 home agent host unreachable (ICMP error received)
82 home agent port unreachable (ICMP error received)
88 home agent unreachable (other ICMP error received)
Registration denied by the home agent:
128 reason unspecified
129 administratively prohibited
130 insufficient resources
131 mobile node failed authentication
132 foreign agent failed authentication
133 registration Identification mismatch
134 poorly formed Request
135 too many simultaneous mobility bindings
136 unknown home agent address
Up-to-date values of the Code field are specified in the most recent
"Assigned Numbers" [40].
3.5. Registration Extensions
3.5.1. Computing Authentication Extension Values
The Authenticator value computed for each authentication Extension
MUST protect the following fields from the registration message:
- the UDP payload (that is, the Registration Request or
Registration Reply data),
- all prior Extensions in their entirety, and
- the Type, Length, and SPI of this Extension.
The default authentication algorithm uses HMAC-MD5 [23] to compute a
128-bit "message digest" of the registration message. The data over
which the HMAC is computed is defined as:
- the UDP payload (that is, the Registration Request or
Registration Reply data),
- all prior Extensions in their entirety, and
- the Type, Length, and SPI of this Extension.
Note that the Authenticator field itself and the UDP header are NOT
included in the computation of the default Authenticator value. See
Section 5.1 for information about support requirements for message
authentication codes, which are to be used with the various
authentication Extensions.
The Security Parameter Index (SPI) within any of the authentication
Extensions defines the security context which is used to compute the
Authenticator value and which MUST be used by the receiver to check
that value. In particular, the SPI selects the authentication
algorithm and mode (Section 5.1) and secret (a shared key, or
appropriate public/private key pair) used in computing the
Authenticator. In order to ensure interoperability between different
implementations of the Mobile IP protocol, an implementation MUST be
able to associate any SPI value with any authentication algorithm and
mode which it implements. In addition, all implementations of Mobile
IP MUST implement the default authentication algorithm (HMAC-MD5)
specified above.
3.5.2. Mobile-Home Authentication Extension
Exactly one authorization-enabling extension MUST be present in all
Registration Requests, and also in all Registration Replies generated
by the Home Agent. The Mobile-Home Authentication Extension is
always an authorization-enabling for registration messages specified
in this document. This requirement is intended to eliminate problems
[2] which result from the uncontrolled propagation of remote
redirects in the Internet. The location of the extension marks the
end of the authenticated data.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... SPI (cont.) | Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 32
Length 4 plus the number of bytes in the Authenticator.
SPI Security Parameter Index (4 bytes). An opaque
identifier (see Section 1.6).
Authenticator (variable length) (See Section 3.5.1.)
3.5.3. Mobile-Foreign Authentication Extension
This Extension MAY be included in Registration Requests and Replies
in cases in which a mobility security association exists between the
mobile node and the foreign agent. See Section 5.1 for information
about support requirements for message authentication codes.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... SPI (cont.) | Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 33
Length 4 plus the number of bytes in the Authenticator.
SPI Security Parameter Index (4 bytes). An opaque
identifier (see Section 1.6).
Authenticator (variable length) (See Section 3.5.1.)
3.5.4. Foreign-Home Authentication Extension
This Extension MAY be included in Registration Requests and Replies
in cases in which a mobility security association exists between the
foreign agent and the home agent. See Section 5.1 for information
about support requirements for message authentication codes.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... SPI (cont.) | Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 34
Length 4 plus the number of bytes in the Authenticator.
SPI Security Parameter Index (4 bytes). An opaque
identifier (see Section 1.6).
Authenticator (variable length) (See Section 3.5.1.)
3.6. Mobile Node Considerations
A mobile node MUST be configured with a netmask and a mobility
security association for each of its home agents. In addition, a
mobile node MAY be configured with its home address, and the IP
address of one or more of its home agents; otherwise, the mobile node
MAY discover a home agent using the procedures described in Section
3.6.1.2.
If the mobile node is not configured with a home address, it MAY use
the Mobile Node NAI extension [6] to identify itself, and set the
Home Address field of the Registration Request to 0.0.0.0. In this
case, the mobile node MUST be able to assign its home address after
extracting this information from the Registration Reply from the home
agent.
For each pending registration, the mobile node maintains the
following information:
- the link-layer address of the foreign agent to which the
Registration Request was sent, if applicable,
- the IP destination address of the Registration Request,
- the care-of address used in the registration,
- the Identification value sent in the registration,
- the originally requested Lifetime, and
- the remaining Lifetime of the pending registration.
A mobile node SHOULD initiate a registration whenever it detects a
change in its network connectivity. See Section 2.4.2 for methods by
which mobile nodes MAY make such a determination. When it is away
from home, the mobile node's Registration Request allows its home
agent to create or modify a mobility binding for it. When it is at
home, the mobile node's (de)Registration Request allows its home
agent to delete any previous mobility binding(s) for it. A mobile
node operates without the support of mobility functions when it is at
home.
There are other conditions under which the mobile node SHOULD
(re)register with its foreign agent, such as when the mobile node
detects that the foreign agent has rebooted (as specified in Section
2.4.4) and when the current registration's Lifetime is near
expiration.
In the absence of link-layer indications of changes in point of
attachment, Agent Advertisements from new agents SHOULD NOT cause a
mobile node to attempt a new registration, if its current
registration has not expired and it is still also receiving Agent
Advertisements from the foreign agent with which it is currently
registered. In the absence of link-layer indications, a mobile node
MUST NOT attempt to register more often than once per second.
A mobile node MAY register with a different agent when transport-
layer protocols indicate excessive retransmissions. A mobile node
MUST NOT consider reception of an ICMP Redirect from a foreign agent
that is currently providing service to it as reason to register with
a new foreign agent. Within these constraints, the mobile node MAY
register again at any time.
Appendix D shows some examples of how the fields in registration
messages would be set up in some typical registration scenarios.
3.6.1. Sending Registration Requests
The following sections specify details for the values the mobile node
MUST supply in the fields of Registration Request messages.
3.6.1.1. IP Fields
This section provides the specific rules by which mobile nodes pick
values for the IP header fields of a Registration Request.
IP Source Address:
- When registering on a foreign network with a co-located care-of
address, the IP source address MUST be the care-of address.
- Otherwise, if the mobile node does not have a home address, the
IP source address MUST be 0.0.0.0.
- In all other circumstances, the IP source address MUST be the
mobile node's home address.
IP Destination Address:
- When the mobile node has discovered the agent with which it is
registering, through some means (e.g., link-layer) that does
not provide the IP address of the agent (the IP address of the
agent is unknown to the mobile node), then the "All Mobility
Agents" multicast address (224.0.0.11) MUST be used. In this
case, the mobile node MUST use the agent's link-layer unicast
address in order to deliver the datagram to the correct agent.
- When registering with a foreign agent, the address of the agent
as learned from the IP source address of the corresponding
Agent Advertisement MUST be used. This MAY be an address which
does not appear as an advertised care-of address in the Agent
Advertisement. In addition, when transmitting this
Registration Request message, the mobile node MUST use a link-
layer destination address copied from the link-layer source
address of the Agent Advertisement message in which it learned
this foreign agent's IP address.
- When the mobile node is registering directly with its home
agent and knows the (unicast) IP address of its home agent, the
destination address MUST be set to this address.
- If the mobile node is registering directly with its home agent,
but does not know the IP address of its home agent, the mobile
node may use dynamic home agent address resolution to
automatically determine the IP address of its home agent
(Section 3.6.1.2). In this case, the IP destination address is
set to the subnet-directed broadcast address of the mobile
node's home network. This address MUST NOT be used as the
destination IP address if the mobile node is registering via a
foreign agent, although it MAY be used as the Home Agent
address in the body of the Registration Request when
registering via a foreign agent.
IP Time to Live:
- The IP TTL field MUST be set to 1 if the IP destination address
is set to the "All Mobility Agents" multicast address as
described above. Otherwise a suitable value should be chosen
in accordance with standard IP practice [38].
3.6.1.2. Registration Request Fields
This section provides specific rules by which mobile nodes pick
values for the fields within the fixed portion of a Registration
Request.
A mobile node MAY set the 'S' bit in order to request that the home
agent maintain prior mobility binding(s). Otherwise, the home agent
deletes any previous binding(s) and replaces them with the new
binding specified in the Registration Request. Multiple simultaneous
mobility bindings are likely to be useful when a mobile node using at
least one wireless network interface moves within wireless
transmission range of more than one foreign agent. IP explicitly
allows duplication of datagrams. When the home agent allows
simultaneous bindings, it will tunnel a separate copy of each
arriving datagram to each care-of address, and the mobile node will
receive multiple copies of datagrams destined to it.
The mobile node SHOULD set the 'D' bit if it is registering with a
co-located care-of address. Otherwise, the 'D' bit MUST NOT be set.
A mobile node MAY set the 'B' bit to request its home agent to
forward to it, a copy of broadcast datagrams received by its home
agent from the home network. The method used by the home agent to
forward broadcast datagrams depends on the type of care-of address
registered by the mobile node, as determined by the 'D' bit in the
mobile node's Registration Request:
- If the 'D' bit is set, then the mobile node has indicated that
it will decapsulate any datagrams tunneled to this care-of
address itself (the mobile node is using a co-located care-of
address). In this case, to forward such a received broadcast
datagram to the mobile node, the home agent MUST tunnel it to
this care-of address. The mobile node de-tunnels the received
datagram in the same way as any other datagram tunneled
directly to it.
- If the 'D' bit is NOT set, then the mobile node has indicated
that it is using a foreign agent care-of address, and that the
foreign agent will thus decapsulate arriving datagrams before
forwarding them to the mobile node. In this case, to forward
such a received broadcast datagram to the mobile node, the home
agent MUST first encapsulate the broadcast datagram in a
unicast datagram addressed to the mobile node's home address,
and then MUST tunnel this resulting datagram to the mobile
node's care-of address.
When decapsulated by the foreign agent, the inner datagram will
thus be a unicast IP datagram addressed to the mobile node,
identifying to the foreign agent the intended destination of
the encapsulated broadcast datagram, and will be delivered to
the mobile node in the same way as any tunneled datagram
arriving for the mobile node. The foreign agent MUST NOT
decapsulate the encapsulated broadcast datagram and MUST NOT
use a local network broadcast to transmit it to the mobile
node. The mobile node thus MUST decapsulate the encapsulated
broadcast datagram itself, and thus MUST NOT set the 'B' bit in
its Registration Request in this case unless it is capable of
decapsulating datagrams.
The mobile node MAY request alternative forms of encapsulation by
setting the 'M' bit and/or the 'G' bit, but only if the mobile node
is decapsulating its own datagrams (the mobile node is using a co-
located care-of address) or if its foreign agent has indicated
support for these forms of encapsulation by setting the corresponding
bits in the Mobility Agent Advertisement Extension of an Agent
Advertisement received by the mobile node. Otherwise, the mobile
node MUST NOT set these bits.
a) The IP header, followed by the UDP header, followed by the
fixed-length portion of the Registration Request, followed by
b) If present, any non-authentication Extensions expected to be
used by the home agent (which may or may not also be useful to
the foreign agent), followed by
c) An authorization-enabling extension, followed by
d) If present, any non-authentication Extensions used only by the
foreign agent, followed by
e) The Mobile-Foreign Authentication Extension, if present.
Note that items (a) and (c) MUST appear in every Registration Request
sent by the mobile node. Items (b), (d), and (e) are optional.
However, item (e) MUST be included when the mobile node and the
foreign agent share a mobility security association.
3.6.2. Receiving Registration Replies
Registration Replies will be received by the mobile node in response
to its Registration Requests. Registration Replies generally fall
into three categories:
- the registration was accepted,
- the registration was denied by the foreign agent, or
- the registration was denied by the home agent.
The remainder of this section describes the Registration Reply
handling by a mobile node in each of these three categories.
3.6.2.1. Validity Checks
Registration Replies with an invalid, non-zero UDP checksum MUST be
silently discarded.
In addition, the low-order 32 bits of the Identification field in the
Registration Reply MUST be compared to the low-order 32 bits of the
Identification field in the most recent Registration Request sent to
the replying agent. If they do not match, the Reply MUST be silently
discarded.
Also, the Registration Reply MUST be checked for presence of an
authorization-enabling extension. For all Registration Reply
messages containing a Status Code indicating status from the Home
Agent, the mobile node MUST check for the presence of an
authorization-enabling extension, acting in accordance with the Code
field in the Reply. The rules are as follows:
a) If the mobile node and the foreign agent share a mobility
security association, exactly one Mobile-Foreign Authentication
Extension MUST be present in the Registration Reply, and the
mobile node MUST check the Authenticator value in the
Extension. If no Mobile-Foreign Authentication Extension is
found, or if more than one Mobile-Foreign Authentication
Extension is found, or if the Authenticator is invalid, the
mobile node MUST silently discard the Reply and SHOULD log the
event as a security exception.
b) If the Code field indicates that service is denied by the home
agent, or if the Code field indicates that the registration was
accepted by the home agent, exactly one Mobile-Home
Authentication Extension MUST be present in the Registration
Reply, and the mobile node MUST check the Authenticator value
in the Extension. If the Registration Reply was generated by
the home agent but no Mobile-Home Authentication Extension is
found, or if more than one Mobile-Home Authentication Extension
is found, or if the Authenticator is invalid, the mobile node
MUST silently discard the Reply and SHOULD log the event as a
security exception.
If the Code field indicates an authentication failure, either at the
foreign agent or the home agent, then it is quite possible that any
authenticators in the Registration Reply will also be in error. This
could happen, for example, if the shared secret between the mobile
node and home agent was erroneously configured. The mobile node
SHOULD log such errors as security exceptions.
3.6.2.2. Registration Request Accepted
If the Code field indicates that the request has been accepted, the
mobile node SHOULD configure its routing table appropriately for its
current point of attachment (Section 4.2.1).
If the mobile node is returning to its home network and that network
is one which implements ARP, the mobile node MUST follow the
procedures described in Section 4.6 with regard to ARP, proxy ARP,
and gratuitous ARP.
If the mobile node has registered on a foreign network, it SHOULD
re-register before the expiration of the Lifetime of its
registration. As described in Section 3.6, for each pending
Registration Request, the mobile node MUST maintain the remaining
lifetime of this pending registration, as well as the original
Lifetime from the Registration Request. When the mobile node
receives a valid Registration Reply, the mobile node MUST decrease
its view of the remaining lifetime of the registration by the amount
by which the home agent decreased the originally requested Lifetime.
This procedure is equivalent to the mobile node starting a timer for
the granted Lifetime at the time it sent the Registration Request,
even though the granted Lifetime is not known to the mobile node
until the Registration Reply is received. Since the Registration
Request is certainly sent before the home agent begins timing the
registration Lifetime (also based on the granted Lifetime), this
procedure ensures that the mobile node will re-register before the
home agent expires and deletes the registration, in spite of possibly
non-negligible transmission delays for the original Registration
Request and Reply that started the timing of the Lifetime at the
mobile node and its home agent.
3.6.2.3. Registration Request Denied
If the Code field indicates that service is being denied, the mobile
node SHOULD log the error. In certain cases the mobile node may be
able to "repair" the error. These include:
Code 69: (Denied by foreign agent, Lifetime too long)
In this case, the Lifetime field in the Registration Reply will
contain the maximum Lifetime value which that foreign agent is
willing to accept in any Registration Request. The mobile node
MAY attempt to register with this same agent, using a Lifetime
in the Registration Request that MUST be less than or equal to
the value specified in the Reply.
Code 133: (Denied by home agent, Identification mismatch)
In this case, the Identification field in the Registration
Reply will contain a value that allows the mobile node to
synchronize with the home agent, based upon the style of replay
protection in effect (Section 5.7). The mobile node MUST
adjust the parameters it uses to compute the Identification
field based upon the information in the Registration Reply,
before issuing any future Registration Requests.
Code 136: (Denied by home agent, Unknown home agent address)
This code is returned by a home agent when the mobile node is
performing dynamic home agent address resolution as described
in Sections 3.6.1.1 and 3.6.1.2. In this case, the Home Agent
field within the Reply will contain the unicast IP address of
the home agent returning the Reply. The mobile node MAY then
attempt to register with this home agent in future Registration
Requests. In addition, the mobile node SHOULD adjust the
parameters it uses to compute the Identification field based
upon the corresponding field in the Registration Reply, before
issuing any future Registration Requests.
3.6.3. Registration Retransmission
When no Registration Reply has been received within a reasonable
time, another Registration Request MAY be transmitted. When
timestamps are used, a new registration Identification is chosen for
each retransmission; thus it counts as a new registration. When
nonces are used, the unanswered Request is retransmitted unchanged;
thus the retransmission does not count as a new registration (Section
5.7). In this way a retransmission will not require the home agent
to resynchronize with the mobile node by issuing another nonce in the
case in which the original Registration Request (rather than its
Registration Reply) was lost by the network.
The maximum time until a new Registration Request is sent SHOULD be
no greater than the requested Lifetime of the Registration Request.
The minimum value SHOULD be large enough to account for the size of
the messages, twice the round trip time for transmission to the home
agent, and at least an additional 100 milliseconds to allow for
processing the messages before responding. The round trip time for
transmission to the home agent will be at least as large as the time
required to transmit the messages at the link speed of the mobile
node's current point of attachment. Some circuits add another 200
milliseconds of satellite delay in the total round trip time to the
home agent. The minimum time between Registration Requests MUST NOT
be less than 1 second. Each successive retransmission timeout period
SHOULD be at least twice the previous period, as long as that is less
than the maximum as specified above.
3.7. Foreign Agent Considerations
The foreign agent plays a mostly passive role in Mobile IP
registration. It relays Registration Requests between mobile nodes
and home agents, and, when it provides the care-of address,
decapsulates datagrams for delivery to the mobile node. It SHOULD
also send periodic Agent Advertisement messages to advertise its
presence as described in Section 2.3, if not detectable by link-layer
means.
A foreign agent MUST NOT transmit a Registration Request except when
relaying a Registration Request received from a mobile node, to the
mobile node's home agent. A foreign agent MUST NOT transmit a
Registration Reply except when relaying a Registration Reply received
from a mobile node's home agent, or when replying to a Registration
Request received from a mobile node in the case in which the foreign
agent is denying service to the mobile node. In particular, a
foreign agent MUST NOT generate a Registration Request or Reply
because a mobile node's registration Lifetime has expired. A foreign
agent also MUST NOT originate a Registration Request message that
asks for deregistration of a mobile node; however, it MUST relay
valid (de)Registration Requests originated by a mobile node.
3.7.1. Configuration and Registration Tables
Each foreign agent MUST be configured with a care-of address. In
addition, for each pending or current registration the foreign agent
MUST maintain a visitor list entry containing the following
information obtained from the mobile node's Registration Request:
- the link-layer source address of the mobile node
- the IP Source Address (the mobile node's Home Address) or its
co-located care-of address (see description of the 'R' bit in
section 2.1.1)
- the IP Destination Address (as specified in 3.6.1.1)
- the UDP Source Port
- the Home Agent address
- the Identification field
- the requested registration Lifetime, and
- the remaining Lifetime of the pending or current registration.
If the mobile node's Home Address is zero in the Registration Request
message, then the foreign agent MUST follow the procedures specified
in RFC 2794 [6]. In particular, if the foreign agent cannot manage
pending registration request records with such a zero Home Address
for the mobile node, the foreign agent MUST return a Registration
Reply with Code indicating NONZERO_HOMEADDR_REQD (see [6]).
The foreign agent MAY configure a maximum number of pending
registrations that it is willing to maintain (typically 5).
Additional registrations SHOULD then be rejected by the foreign agent
with code 66. The foreign agent MAY delete any pending Registration
Request after the request has been pending for more than 7 seconds;
in this case, the foreign agent SHOULD reject the Request with code
78 (registration timeout).
As with any node on the Internet, a foreign agent MAY also share
mobility security associations with any other nodes. When relaying a
Registration Request from a mobile node to its home agent, if the
foreign agent shares a mobility security association with the home
agent, it MUST add a Foreign-Home Authentication Extension to the
Request and MUST check the required Foreign-Home Authentication
Extension in the Registration Reply from the home agent (Sections 3.3
and 3.4). Similarly, when receiving a Registration Request from a
mobile node, if the foreign agent shares a mobility security
association with the mobile node, it MUST check the required Mobile-
Foreign Authentication Extension in the Request and MUST add a
Mobile-Foreign Authentication Extension to the Registration Reply to
the mobile node.
3.7.2. Receiving Registration Requests
If the foreign agent accepts a Registration Request from a mobile
node, it checks to make sure that the indicated home agent address
does not belong to any network interface of the foreign agent. If
not, the foreign agent then MUST relay the Request to the indicated
home agent. Otherwise, if the foreign agent denies the Request, it
MUST send a Registration Reply to the mobile node with an appropriate
denial Code, except in cases where the foreign agent would be
required to send out more than one such denial per second to the same
mobile node. The following sections describe this behavior in more
detail.
If the foreign agent has configured one of its network interfaces
with the IP address specified by the mobile node as its home agent
address, the foreign agent MUST NOT forward the request again. If
the foreign agent serves the mobile node as a home agent, the foreign
agent follows the procedures specified in section 3.8.2. Otherwise,
if the foreign agent does not serve the mobile node as a home agent,
the foreign agent rejects the Registration Request with code 136
(unknown home agent address).
If a foreign agent receives a Registration Request from a mobile node
in its visitor list, the existing visitor list entry for the mobile
node SHOULD NOT be deleted or modified until the foreign agent
receives a valid Registration Reply from the home agent with a Code
indicating success. The foreign agent MUST record the new pending
Request as a separate part of the existing visitor list entry for the
mobile node. If the Registration Request requests deregistration,
the existing visitor list entry for the mobile node SHOULD NOT be
deleted until the foreign agent has received a successful
Registration Reply. If the Registration Reply indicates that the
Request (for registration or deregistration) was denied by the home
agent, the existing visitor list entry for the mobile node MUST NOT
be modified as a result of receiving the Registration Reply.
3.7.2.1. Validity Checks
Registration Requests with an invalid, non-zero UDP checksum MUST be
silently discarded. Requests with non-zero bits in reserved fields
MUST be rejected with code 70 (poorly formed request). Requests with
the 'D' bit set to 0, and specifying a care-of address not offered by
the foreign agent, MUST be rejected with code 77 (invalid care-of
address).
Also, the authentication in the Registration Request MUST be checked.
If the foreign agent and the mobile node share a mobility security
association, exactly one Mobile-Foreign Authentication Extension MUST
be present in the Registration Request, and the foreign agent MUST
check the Authenticator value in the Extension. If no Mobile-Foreign
Authentication Extension is found, or if more than one Mobile-Foreign
Authentication Extension is found, or if the Authenticator is
invalid, the foreign agent MUST silently discard the Request and
SHOULD log the event as a security exception. The foreign agent also
SHOULD send a Registration Reply to the mobile node with Code 67.
3.7.2.2. Forwarding a Valid Request to the Home Agent
If the foreign agent accepts the mobile node's Registration Request,
it MUST relay the Request to the mobile node's home agent as
specified in the Home Agent field of the Registration Request. The
foreign agent MUST NOT modify any of the fields beginning with the
fixed portion of the Registration Request up through and including
the Mobile-Home Authentication Extension or other authentication
extension supplied by the mobile node as an authorization-enabling
extension for the home agent. Otherwise, an authentication failure
is very likely to occur at the home agent. In addition, the foreign
agent proceeds as follows:
- It MUST process and remove any Extensions following the
Mobile-Home Authentication Extension,
- It MAY append any of its own non-authentication Extensions of
relevance to the home agent, if applicable, and
- It MUST append the Foreign-Home Authentication Extension, if
the foreign agent shares a mobility security association with
the home agent.
Specific fields within the IP header and the UDP header of the
relayed Registration Request MUST be set as follows:
IP Source Address
The foreign agent's address on the interface from which
the message will be sent.
IP Destination Address
Copied from the Home Agent field within the Registration
Request.
UDP Source Port
<variable>
UDP Destination Port
434
After forwarding a valid Registration Request to the home agent, the
foreign agent MUST begin timing the remaining lifetime of the pending
registration based on the Lifetime in the Registration Request. If
this lifetime expires before receiving a valid Registration Reply,
the foreign agent MUST delete its visitor list entry for this pending
registration.
3.7.2.3. Denying Invalid Requests
If the foreign agent denies the mobile node's Registration Request
for any reason, it SHOULD send the mobile node a Registration Reply
with a suitable denial Code. In such a case, the Home Address, Home
Agent, and Identification fields within the Registration Reply are
copied from the corresponding fields of the Registration Request.
If the Reserved field is nonzero, the foreign agent MUST deny the
Request and SHOULD return a Registration Reply with status code 70 to
the mobile node. If the Request is being denied because the
requested Lifetime is too long, the foreign agent sets the Lifetime
in the Reply to the maximum Lifetime value it is willing to accept in
any Registration Request, and sets the Code field to 69. Otherwise,
the Lifetime SHOULD be copied from the Lifetime field in the Request.
Specific fields within the IP header and the UDP header of the
Registration Reply MUST be set as follows:
IP Source Address
Copied from the IP Destination Address of Registration
Request, unless the "All Agents Multicast" address was
used. In this case, the foreign agent's address (on the
interface from which the message will be sent) MUST be
used.
IP Destination Address
If the Registration Reply is generated by the Foreign
Agent in order to reject a mobile node's Registration
Request, and the Registration Request contains a Home
Address which is not 0.0.0.0, then the IP Destination
Address is copied from the Home Address field of the
Registration Request. Otherwise, if the Registration
Reply is received from the Home Agent, and contains a
Home Address which is not 0.0.0.0, then the IP
Destination Address is copied from the Home Address field
of the Registration Reply. Otherwise, the IP Destination
Address of the Registration Reply is set to be
255.255.255.255.
UDP Source Port
434
UDP Destination Port
Copied from the UDP Source Port of the Registration
Request.
3.7.3. Receiving Registration Replies
The foreign agent updates its visitor list when it receives a valid
Registration Reply from a home agent. It then relays the
Registration Reply to the mobile node. The following sections
describe this behavior in more detail.
If upon relaying a Registration Request to a home agent, the foreign
agent receives an ICMP error message instead of a Registration Reply,
then the foreign agent SHOULD send to the mobile node a Registration
Reply with an appropriate "Home Agent Unreachable" failure Code
(within the range 80-95, inclusive). See Section 3.7.2.3 for details
on building the Registration Reply.
3.7.3.1. Validity Checks
Registration Replies with an invalid, non-zero UDP checksum MUST be
silently discarded.
When a foreign agent receives a Registration Reply message, it MUST
search its visitor list for a pending Registration Request with the
same mobile node home address as indicated in the Reply. If no such
pending Request is found, and if the Registration Reply does not
correspond with any pending Registration Request with a zero mobile
node home address (see section 3.7.1), the foreign agent MUST
silently discard the Reply. The foreign agent MUST also silently
discard the Reply if the low-order 32 bits of the Identification
field in the Reply do not match those in the Request.
Also, the authentication in the Registration Reply MUST be checked.
If the foreign agent and the home agent share a mobility security
association, exactly one Foreign-Home Authentication Extension MUST
be present in the Registration Reply, and the foreign agent MUST
check the Authenticator value in the Extension. If no Foreign-Home
Authentication Extension is found, or if more than one Foreign-Home
Authentication Extension is found, or if the Authenticator is
invalid, the foreign agent MUST silently discard the Reply and SHOULD
log the event as a security exception. The foreign agent also MUST
reject the mobile node's registration and SHOULD send a Registration
Reply to the mobile node with Code 68.
3.7.3.2. Forwarding Replies to the Mobile Node
A Registration Reply which satisfies the validity checks of Section
3.8.2.1 is relayed to the mobile node. The foreign agent MUST also
update its visitor list entry for the mobile node to reflect the
results of the Registration Request, as indicated by the Code field
in the Reply. If the Code indicates that the home agent has accepted
the registration and the Lifetime field is nonzero, the foreign agent
SHOULD set the Lifetime in the visitor list entry to the minimum of
the following two values:
- the value specified in the Lifetime field of the Registration
Reply, and
- the foreign agent's own maximum value for allowable
registration lifetime.
If, instead, the Code indicates that the Lifetime field is zero, the
foreign agent MUST delete its visitor list entry for the mobile node.
Finally, if the Code indicates that the registration was denied by
the home agent, the foreign agent MUST delete its pending
registration list entry, but not its visitor list entry, for the
mobile node.
The foreign agent MUST NOT modify any of the fields beginning with
the fixed portion of the Registration Reply up through and including
the Mobile-Home Authentication Extension. Otherwise, an
authentication failure is very likely to occur at the mobile node.
In addition, the foreign agent SHOULD perform the following
additional procedures:
- It MUST process and remove any Extensions following the
Mobile-Home Authentication Extension,
- It MAY append its own non-authentication Extensions of
relevance to the mobile node, if applicable, and
- It MUST append the Mobile-Foreign Authentication Extension, if
the foreign agent shares a mobility security association with
the mobile node.
Specific fields within the IP header and the UDP header of the
relayed Registration Reply are set according to the same rules
specified in Section 3.7.2.3.
After forwarding a valid Registration Reply to the mobile node, the
foreign agent MUST update its visitor list entry for this
registration as follows. If the Registration Reply indicates that
the registration was accepted by the home agent, the foreign agent
resets its timer of the lifetime of the registration to the Lifetime
granted in the Registration Reply; unlike the mobile node's timing of
the registration lifetime as described in Section 3.6.2.2, the
foreign agent considers this lifetime to begin when it forwards the
Registration Reply message, ensuring that the foreign agent will not
expire the registration before the mobile node does. On the other
hand, if the Registration Reply indicates that the registration was
rejected by the home agent, the foreign agent deletes its visitor
list entry for this attempted registration.
3.8. Home Agent Considerations
Home agents play a reactive role in the registration process. The
home agent receives Registration Requests from the mobile node
(perhaps relayed by a foreign agent), updates its record of the
mobility bindings for this mobile node, and issues a suitable
Registration Reply in response to each.
A home agent MUST NOT transmit a Registration Reply except when
replying to a Registration Request received from a mobile node. In
particular, the home agent MUST NOT generate a Registration Reply to
indicate that the Lifetime has expired.
3.8.1. Configuration and Registration Tables
Each home agent MUST be configured with an IP address and with the
prefix size for the home network. The home agent MUST be configured
with the mobility security association of each authorized mobile node
that it is serving as a home agent.
When the home agent accepts a valid Registration Request from a
mobile node that it serves as a home agent, the home agent MUST
create or modify the entry for this mobile node in its mobility
binding list containing:
- the mobile node's home address
- the mobile node's care-of address
- the Identification field from the Registration Reply
- the remaining Lifetime of the registration
The home agent MAY optionally offer the capability to dynamically
associate a home address to a mobile node upon receiving a
Registration Request from that mobile node. The method by which a
home address is allocated to the mobile node is beyond the scope of
this document, but see [6]. After the home agent makes the
association of the home address to the mobile node, the home agent
MUST put that home address into the Home Address field of the
Registration Reply.
The home agent MAY also maintain mobility security associations with
various foreign agents. When receiving a Registration Request from a
foreign agent, if the home agent shares a mobility security
association with the foreign agent, the home agent MUST check the
Authenticator in the required Foreign-Home Authentication Extension
in the message, based on this mobility security association.
Similarly, when sending a Registration Reply to a foreign agent, if
the home agent shares a mobility security association with the
foreign agent, the home agent MUST include a Foreign-Home
Authentication Extension in the message, based on this mobility
security association.
3.8.2. Receiving Registration Requests
If the home agent accepts an incoming Registration Request, it MUST
update its record of the the mobile node's mobility binding(s) and
SHOULD send a Registration Reply with a suitable Code. Otherwise
(the home agent denies the Request), it SHOULD send a Registration
Reply with an appropriate Code specifying the reason the Request was
denied. The following sections describe this behavior in more
detail. If the home agent does not support broadcasts (see section
4.3), it MUST ignore the 'B' bit (as opposed to rejecting the
Registration Request).
3.8.2.1. Validity Checks
Registration Requests with an invalid, non-zero UDP checksum MUST be
silently discarded by the home agent.
The authentication in the Registration Request MUST be checked. This
involves the following operations:
a) The home agent MUST check for the presence of an
authorization-enabling extension, and perform the indicated
authentication. Exactly one authorization-enabling extension
MUST be present in the Registration Request; and the home agent
MUST either check the Authenticator value in the extension or
verify that the authenticator value has been checked by another
agent with which it has a security association. If no
authorization-enabling extension is found, or if more than one
authorization-enabling extension is found, or if the
Authenticator is invalid, the home agent MUST reject the mobile
node's registration and SHOULD send a Registration Reply to the
mobile node with Code 131. The home agent MUST then discard
the Request and SHOULD log the error as a security exception.
b) The home agent MUST check that the registration Identification
field is correct using the context selected by the SPI within
the authorization-enabling extension. See Section 5.7 for a
description of how this is performed. If incorrect, the home
agent MUST reject the Request and SHOULD send a Registration
Reply to the mobile node with Code 133, including an
Identification field computed in accordance with the rules
specified in Section 5.7. The home agent MUST do no further
processing with such a Request, though it SHOULD log the error
as a security exception.
c) If the home agent shares a mobility security association with
the foreign agent, the home agent MUST check for the presence
of a valid Foreign-Home Authentication Extension. Exactly one
Foreign-Home Authentication Extension MUST be present in the
Registration Request in this case, and the home agent MUST
check the Authenticator value in the Extension. If no
Foreign-Home Authentication Extension is found, or if more than
one Foreign-Home Authentication Extension is found, or if the
Authenticator is invalid, the home agent MUST reject the mobile
node's registration and SHOULD send a Registration Reply to the
mobile node with Code 132. The home agent MUST then discard
the Request and SHOULD log the error as a security exception.
In addition to checking the authentication in the Registration
Request, home agents MUST deny Registration Requests that are sent to
the subnet-directed broadcast address of the home network (as opposed
to being unicast to the home agent). The home agent MUST discard the
Request and SHOULD returning a Registration Reply with a Code of 136.
In this case, the Registration Reply will contain the home agent's
unicast address, so that the mobile node can re-issue the
Registration Request with the correct home agent address.
Note that some routers change the IP destination address of a
datagram from a subnet-directed broadcast address to 255.255.255.255
before injecting it into the destination subnet. In this case, home
agents that attempt to pick up dynamic home agent discovery requests
by binding a socket explicitly to the subnet-directed broadcast
address will not see such packets. Home agent implementors should be
prepared for both the subnet-directed broadcast address and
255.255.255.255 if they wish to support dynamic home agent discovery.
3.8.2.2. Accepting a Valid Request
If the Registration Request satisfies the validity checks in Section
3.8.2.1, and the home agent is able to accommodate the Request, the
home agent MUST update its mobility binding list for the requesting
mobile node and MUST return a Registration Reply to the mobile node.
In this case, the Reply Code will be either 0 if the home agent
supports simultaneous mobility bindings, or 1 if it does not. See
Section 3.8.3 for details on building the Registration Reply message.
The home agent updates its record of the mobile node's mobility
bindings as follows, based on the fields in the Registration Request:
- If the Lifetime is zero and the Care-of Address equals the
mobile node's home address, the home agent deletes all of the
|