MIP6 WG                                                    S. Gundavelli
Internet-Draft                                                  K. Leung
Expires: April 19, 2007                                    Cisco Systems
                                                          V. Devarapalli
                                                         Azaire Networks
                                                        October 16, 2006


                           Proxy Mobile IPv6
                    draft-sgundave-mip6-proxymip6-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 19, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This specification describes a network-based mobility management protocol, Proxy Mobile IPv6 (PMIPv6), based on Mobile IPv6. The protocol lets any IPv6 host obtain IP mobility without requiring the host to participate in any mobility-related signaling.

Gundavelli, et al.        Expires April 19, 2007                [Page 1]
Internet-Draft               Proxy Mobile IPv6               October 2006

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
   3.  Proxy Mobile IPv6 Protocol Overview
   4.  Message Formats
       4.1.  Proxy Binding Update
       4.2.  Proxy Binding Acknowledgment
       4.3.  Home Network Prefix Option
       4.4.  Error Codes
   5.  Home Agent Operation
       5.1.  Extensions to conceptual data structures
       5.2.  Processing a Proxy Binding Update Request
       5.3.  Packet Routing
   6.  Proxy Mobile Agent Operation
       6.1.  Conceptual Data Structures
       6.2.  Access Authentication and obtaining the profile
       6.3.  Sending Proxy Binding Update request to the home agent
       6.4.  Processing Proxy Binding Acknowledgment message
       6.5.  Emulating the Mobile Station's home link
       6.6.  Tunnel Lifetime Management
       6.7.  Packet Routing
   7.  Mobile Station Operation
       7.1.  Booting for the first time
       7.2.  Roaming in the Network
       7.3.  IPv6 Host Protocol Parameters
   8.  IANA Considerations
   9.  Security Considerations
   10. Acknowledgments
   11. Normative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   The IP mobility protocols designed in the IETF so far involve the host in mobility management.
   There are deployment scenarios where a network-based mobility management protocol is considered more appropriate. The advantages of a network-based mobility protocol include avoiding tunneling overhead over the air and supporting hosts that do not implement any mobility management protocol.

   This document describes a network-based mobility management protocol based on Mobile IPv6, called Proxy Mobile IPv6 (PMIPv6). One of the most important design considerations behind PMIPv6 has been to re-use as much as possible from the existing mobility protocols. There are many advantages to developing a protocol based on Mobile IPv6. Mobile IPv6 is a mature mobility protocol for IPv6: there have been many implementations and interoperability events where Mobile IPv6 has been tested, and there are numerous specifications enhancing Mobile IPv6 that can be re-used. Further, the Proxy Mobile IPv6 solution described in this document allows the same home agent to provide mobility to hosts that use Mobile IPv6 and to hosts that do not use any mobility management protocol. Proxy Mobile IPv6 provides a solution to a real deployment problem.

2.  Conventions used in this document

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [4].

   The following new terminology and abbreviations are introduced in this document; all other general mobility-related terms are as defined in the Mobile IPv6 specification [2].

   Proxy Mobile Agent (PMA)

      The proxy mobile agent is a functional element on the access router. It is the entity that makes the mobile station believe it is on its home link, by emulating the home link's properties. It registers the location of the mobile station with the home agent and establishes a tunnel for receiving packets sent to the mobile station's home address.

   Mobile Station (MS)

      Any IPv6 host that has the ability to physically roam across different networks. A mobile station is not required to have a Mobile IPv6 protocol stack.

3.  Proxy Mobile IPv6 Protocol Overview

   Every mobile station that roams in a PMIPv6 network is typically identified by an identifier such as a Network Access Identifier (NAI), and that identifier has an associated policy profile that specifies the mobile station's home network prefix, the permitted address configuration modes, the roaming policy and the other parameters that are essential for providing mobility service. This information is typically configured in a policy store, such as a AAA server. The home network prefix may be dynamically allocated for the mobile station when it boots up for the first time in the network, or it may be a statically configured, per-mobile-station value. For all practical purposes, the PMIPv6 network entities serving a mobile station will have access to its profile.

   Once a mobile station enters a PMIPv6 network and performs access authentication, the network ensures that the mobile station is always on its home network and that it always obtains its home address, whichever address configuration procedure it uses. In other words, there is a home address/prefix that is specifically assigned to a mobile station, and that prefix follows the node wherever it goes within the PMIPv6 domain. From the perspective of the mobile station, the entire PMIPv6 domain appears as a single home link.

   When the mobile station attaches to a link on an access router running a proxy mobile agent, it presents its identity to the network in the form of an NAI as part of the access authentication procedure. After a successful authentication, the proxy mobile agent has the mobile station's profile, and therefore enough information to make the mobile station appear to be on its home link.
   It sends Router Advertisements with the parameters specified for the mobile station's home link. This Router Advertisement may be sent in response to a Router Solicitation received from the mobile station. The parameters in the Router Advertisement, including the on-link prefix, MTU, Hop Limit, etc., are consistent with what the mobile station saw when it previously attached to the network. However, the link-local source address of the received Router Advertisement differs from the one in the previously received Router Advertisement, which makes the mobile station believe that a new default router has appeared on its home link. Neighbor Unreachability Detection will eventually remove the previous default router entry from the mobile station's cache; as explained in Section 7.3, the proxy mobile agent can also apply certain techniques to remove that entry sooner.

   The proxy mobile agent then registers the mobile station's new point of attachment with the mobile station's home agent. In the PMIPv6 model the home link is a virtual interface, so there is exactly one home agent anchoring the home prefix, and the proxy mobile agent can predictably locate the home agent anchoring the mobile station's home prefix; typically this is configured in the mobile station's policy profile. The proxy mobile agent sends a Proxy Binding Update message to that home agent. The source address of the message is the IPv6 address of the proxy mobile agent on its outgoing interface. The message carries the Mobile Node NAI option identifying the mobile station, optionally an Alternate Care-of Address option, and an NAI identifying the proxy mobile agent that is sending the request.

   After validating and accepting the binding update, the home agent sets up an IPv6-in-IPv6 tunnel whose source address is its own address and whose destination address is the proxy mobile agent's address obtained from the Binding Update. Tunnel creation is not required if a tunnel to the same proxy mobile agent already exists. Further, the home agent creates a route entry pointing the mobile station's home prefix at the tunnel to the proxy mobile agent. This route is not redistributed into the IGP. The home agent then sends a Binding Acknowledgment accepting the binding update.

   On receiving this Binding Acknowledgment, the proxy mobile agent creates a tunnel pointing to the home agent and adds a default route over that tunnel. All traffic the proxy mobile agent receives from the mobile station in its role as default router is routed to the home agent over the tunnel.

   On receiving the Router Advertisement, the mobile station configures its interface using either stateful or stateless address configuration. Either way, it obtains its home address. When stateful address configuration is used, the proxy mobile agent functions as a DHCP relay agent. It sets the giaddr field of the relayed request (for DHCPv6 this role is played by the link-address field of the Relay-forward message) to an address within the mobile station's home prefix, forcing the DHCP server to allocate an address from that prefix; the tunnel route entry at the home agent ensures that the DHCP reply is routed back to the proxy mobile agent.

   At this point the mobile station has a valid home address at its current point of attachment, and the serving proxy mobile agent and the home agent have the routing state needed to handle traffic sent by the mobile station and traffic destined to it.

   Call flow detailing the PMIPv6 protocol operation:

      Mobile        Proxy            Home          Policy
      Station       Mobile Agent     Agent         Store (AAA)
         |              |               |              |
         | Access       |               |              |
         | Initiation   |               |              |
     1)  o------------->|               |              |
         |              |        AAA request           |
     2)  |              o----------------------------->|
         |              |               |              |
     3)  |              |               |              o Mobile Station
         |              |               |              | Authenticated
         |              |        AAA reply             |
     4)  |              |<-----------------------------o
         |              |               |              |
     5)  |              o PMA obtains   |              |
         |              | mobile's      |              |
         | Access Auth  | profile       |              |
         | Complete     |               |              |
     6)  |<-------------o               |              |
         |              | Proxy Binding |              |
         |              | Update        |              |
     7)  |              o-------------->|              |
         |              |               | AAA Query    |
         |              |               o------------->|
         |              |               | AAA Reply    |
         |              |               |<-------------o
     8)  |              |               o HA has the   |
         |              |               | MS profile   |
         |              |               |              |
     9)  |              |               o Creates the  |
         |              |               | HA-PMA       |
         |              |               | routing      |
         |              |               | context for  |
         |              |               | the MS home  |
         |              |               | prefix       |
         |              | Proxy Binding |              |
         |              | Ack           |              |
    10)  |              o<--------------|              |
         |              |               |              |
    11)  |              o Emulates the  |              |
         |              | mobile        |              |
         |              | station's     |              |
         |              | home link, if |              |
         |              | BU accepted   |              |
         |              |               |              |
    12)  o MS does      |               |              |
         | address      |               |              |
         | config       |               |              |
         |              |               |              |
    13)  o Mobile station can now use its home address
         | for all protocol communication
         |              |               |              |
         +              +               +              +

                  Figure 1: PMIPv6 Protocol Operation

   Access Authentication: The network access authentication and authorization procedure ensures that a valid mobile station is connected to the network. Upon successful authentication by the policy server, the proxy mobile agent retrieves the mobile station's profile using the presented NAI.

   Proxy Binding Update: The proxy mobile agent sends a binding update to the home agent on behalf of the mobile station, registering the current anchor point and requesting a binding cache entry and a tunnel route for the mobile station's home prefix.

   Binding State at the Home Agent: The home agent creates a binding cache entry, a tunnel towards the proxy mobile agent, and a route for the mobile station's home prefix as reachable over that tunnel.

   Home Link Emulation: The proxy mobile agent emulates the mobile station's home interface on the access interface, making the mobile station believe it is connected to its home link. The proxy mobile agent sends Router Advertisements with the mobile station's home prefix and the other attributes defined for the mobile station's home link.

   Address Configuration: Based on the flags in the Router Advertisements, the mobile station uses stateful or stateless address configuration to configure its interface. If stateful mode is chosen, the proxy mobile agent on the access link functions as a relay agent and sets the giaddr field to an address within the mobile station's home prefix. Further, the proxy mobile agent acts as the default router for the mobile station.

   Packet Routing: The home agent is the anchor point for the mobile station's home prefix and thus receives all packets sent to the mobile station's home address/prefix. The home agent routes the received packets over the tunnel to the proxy mobile agent, which in turn routes them onto the access link.
   For the packets originating from the mobile station, the proxy mobile agent acts as the default router and routes all received packets over the tunnel to the home agent, which in turn routes them to their destination.

4.  Message Formats

   This section defines extensions to the Mobile IPv6 Binding Update and Binding Acknowledgment messages.

4.1.  Proxy Binding Update

                                       0                   1
                                       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
                                      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                      |          Sequence #           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |A|H|L|K|M|R|P|    Reserved     |           Lifetime            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .                                                               .
      .                        Mobility options                       .
      .                                                               .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                   Figure 2: Proxy Binding Update Message

   A new flag, the 'P' flag, is added to the Binding Update message. The P flag indicates that the registration is a proxy registration. When a proxy mobile agent sends a registration to the home agent, the P flag MUST be set to 1 to indicate to the home agent that this registration is a proxy registration sent by a proxy mobile agent on behalf of a mobile station.

4.2.  Proxy Binding Acknowledgment

                                       0                   1
                                       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
                                      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                      |    Status     |K|R|P|Reserved |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Sequence #           |           Lifetime            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .                                                               .
      .                        Mobility options                       .
      .                                                               .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

               Figure 3: Proxy Binding Acknowledgment Message

   Proxy Registration Flag (P)

      The Proxy Registration Flag is set to indicate that the home agent that processed the Proxy Binding Update supports proxy registration. It is set to 1 only if the corresponding Proxy Binding Update had the Proxy Registration Flag set to 1.

4.3.  Home Network Prefix Option

   A new option, the Home Network Prefix option, is defined for use in the Binding Acknowledgment sent from the home agent to the proxy mobile agent. It notifies the proxy mobile agent of the home network prefix assigned to the mobile station. The proxy mobile agent can use this prefix in the Router Advertisements it sends to the mobile station and in the Address Pool Identifier option of the DHCP messages it sends to the DHCP server.

   The Home Network Prefix option is only valid in a Proxy Binding Acknowledgment sent from the home agent to the proxy mobile agent in reply to a Proxy Binding Update.

   The Home Network Prefix option has an alignment requirement of 8n+4. Its format is as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |      Type     |     Length    |    Reserved   | Prefix Length |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      +                                                               +
      |                                                               |
      +                      Home Network Prefix                      +
      |                                                               |
      +                                                               +
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                   Figure 4: Home Network Prefix Option

4.4.  Error Codes

   Binding Acknowledgment Status Values

      The following Status values are defined for use in the Binding Acknowledgment message when using the PMIPv6 protocol:

      140  Proxy Registration not supported

      141  Proxy Registration from this proxy mobile agent not allowed

      Both values are greater than or equal to 128 and therefore indicate that the Binding Update was rejected, as the base Mobile IPv6 specification requires of rejection codes. The values are to be allocated by IANA and recorded in the IANA registry of Binding Acknowledgment Status values.

5.  Home Agent Operation

   To support this scheme, the home agent MUST satisfy all the requirements listed in Section 8.4 of [1].
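   The Section 4 message formats, as an added worked example that is not part of the draft: an encoder and parser for the Proxy Binding Update and Proxy Binding Acknowledgment message data, the P-flag echo rule of Section 4.2, and the Home Network Prefix option with its 8n+4 alignment check from Section 4.3. The option type value 22, the Python names and the sample prefix are assumptions; the draft leaves the option type to IANA, and the 6-byte Mobility Header that precedes this message data (and its checksum) is out of scope here.

```python
"""Proxy Binding Update / Acknowledgment message data and the Home Network
Prefix option (draft-sgundave-mip6-proxymip6-00, Figures 2-4).

Added example, not code from the draft. Encodes and parses the BU/BA
"Message Data" that follows the 6-byte Mobility Header of RFC 3775 s6.1;
the Mobility Header itself and its checksum are left out.
"""
import ipaddress
import struct
from typing import Optional

MH_FIXED_LEN = 6  # Payload Proto, Header Len, MH Type, Reserved, Checksum

# Figure 2: the 16-bit field after Sequence # is |A|H|L|K|M|R|P| Reserved |
BU_A, BU_H, BU_L, BU_K, BU_M, BU_R, BU_P = (1 << (15 - i) for i in range(7))
# Figure 3: the 8-bit field after Status is |K|R|P| Reserved |
BA_K, BA_R, BA_P = 0x80, 0x40, 0x20

OPT_PAD1 = 0                  # RFC 3775 s6.2.2
OPT_PADN = 1                  # RFC 3775 s6.2.3
OPT_HOME_NETWORK_PREFIX = 22  # ASSUMPTION: the draft leaves the value to IANA

STATUS_ACCEPTED = 0
STATUS_PROXY_REG_NOT_SUPPORTED = 140  # draft s4.4
STATUS_PROXY_REG_NOT_ALLOWED = 141    # draft s4.4


def _pad_to(buf: bytearray, n: int, y: int) -> None:
    """Append Pad1/PadN so the next option starts at offset xn+y, measured
    from the start of the Mobility Header (RFC 3775 s6.2 alignment rule)."""
    gap = (y - (MH_FIXED_LEN + len(buf))) % n
    if gap == 1:
        buf.append(OPT_PAD1)
    elif gap > 1:
        buf += bytes([OPT_PADN, gap - 2]) + bytes(gap - 2)


def encode_hnp_option(prefix: str) -> bytes:
    """Figure 4: Type | Length | Reserved | Prefix Length | 16-byte prefix."""
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!BBBB16s", OPT_HOME_NETWORK_PREFIX, 18, 0,
                       net.prefixlen, net.network_address.packed)


def encode_pbu(seq: int, lifetime: int, flags: int = 0) -> bytes:
    """Figure 2. A registration sent by a PMA MUST carry the P flag (s4.1)."""
    return struct.pack("!HHH", seq, flags | BU_P, lifetime)


def parse_pbu(data: bytes) -> dict:
    seq, flags, lifetime = struct.unpack_from("!HHH", data, 0)
    return {"seq": seq, "lifetime": lifetime, "proxy": bool(flags & BU_P),
            "flags": flags}


def encode_pba(status: int, seq: int, lifetime: int, pbu_flags: int,
               hnp: Optional[str] = None) -> bytes:
    """Figure 3 plus the optional Home Network Prefix option (s4.3).
    P is echoed only when the PBU carried it (s4.2); the HNP option is
    only valid in a PBA, so this is the one place it is emitted."""
    ba_flags = BA_P if pbu_flags & BU_P else 0
    buf = bytearray(struct.pack("!BBHH", status, ba_flags, seq, lifetime))
    if hnp is not None:
        _pad_to(buf, 8, 4)  # 8n+4: the 16-byte prefix lands 8-byte aligned
        buf += encode_hnp_option(hnp)
    return bytes(buf)


def parse_pba(data: bytes) -> dict:
    """Parse a PBA and validate the HNP option's length and alignment."""
    status, ba_flags, seq, lifetime = struct.unpack_from("!BBHH", data, 0)
    out = {"status": status, "accepted": status < 128,  # RFC 3775 s6.1.8
           "proxy": bool(ba_flags & BA_P), "seq": seq,
           "lifetime": lifetime, "hnp": None}
    off = 6
    while off < len(data):
        opt_type = data[off]
        if opt_type == OPT_PAD1:
            off += 1
            continue
        length = data[off + 1]
        body = data[off + 2:off + 2 + length]
        if opt_type == OPT_HOME_NETWORK_PREFIX:
            if length != 18:
                raise ValueError("HNP option: bad length %d" % length)
            if (MH_FIXED_LEN + off) % 8 != 4:
                raise ValueError("HNP option violates 8n+4 alignment")
            # strict network construction rejects a prefix with host bits set
            out["hnp"] = str(ipaddress.IPv6Network((body[2:18], body[1])))
        off += 2 + length
    return out
```

   With the 6-byte fixed part of the acknowledgment following the 6-byte Mobility Header, the option naturally starts at offset 12 = 8*1+4, so no padding is emitted in the common case; the parser still checks the alignment rather than assuming it.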
   The key differences between this scheme and the base protocol are as follows:

   o  The mobile station is not anchored on any physical interface of the home agent. Thus the home agent is not required to perform any proxy Neighbor Discovery operations to defend the home address on the home link. The home agent is required to maintain a binding cache entry for the session state and a routing entry for properly routing packets destined to the mobile station.

   o  Each mobile station has a home address in a prefix created exclusively for that mobile station; no other mobile station shares a home address from this prefix.

   o  The route entry created specifies that the mobile station's entire home prefix is reachable via the tunnel, as opposed to a route entry for the mobile node's home address alone.

   o  If multiple mobile stations are currently visiting the same proxy mobile agent, all their binding updates share the same care-of address and possibly the same tunnel.

5.1.  Extensions to conceptual data structures

   The home agent maintains a binding cache entry for each currently registered mobile node. The Binding Cache is a conceptual data structure described in detail in [1]. For supporting this specification, the home agent continues to create a binding cache entry for each mobile station that is proxy-registered by a proxy mobile agent. In addition, the home agent may have to add a flag to this conceptual data structure indicating that the entry is a proxy registration. This flag is cleared for all the usual direct registrations.

5.2.  Processing a Proxy Binding Update Request

   After receiving a Proxy Binding Update from a proxy mobile agent on behalf of a mobile station, the home agent must process the request as defined in Section 10 of the base Mobile IPv6 specification [1], with one exception: this request is a proxy request, and proper authorization checks have to be enforced. The home agent has to verify against policy that the proxy mobile agent sending this request is permitted to do so for this mobile station; otherwise it MUST reject the request and send a Proxy Binding Acknowledgment with the appropriate status code (Section 4.4). Without this check, any peer from which the home agent accepts Binding Updates could bind another mobile station's home prefix to itself. Upon accepting the request, the home agent must create a Binding Cache entry and a tunnel to the proxy mobile agent, add a route for the mobile station's home prefix over that tunnel, and send a Proxy Binding Acknowledgment with a success status code.

5.3.  Packet Routing

   After sending a successful Proxy Binding Acknowledgment in reply to the Proxy Binding Update, the home agent must set up a tunnel to the proxy mobile agent serving the mobile station. The bi-directional tunnel between the home agent and the proxy mobile agent is used for routing the packets sent by the mobile station and the packets sent to the mobile station. The details of the tunnel are:

   o  Tunnel Source Address is the home agent's address

   o  Tunnel Destination Address is the proxy mobile agent's address

   o  Tunnel Encapsulation Mode is IPv6-in-IPv6

   The home agent functions as the anchor point for the mobile station's home prefix. When the home agent receives a data packet destined for the mobile station's home prefix, it MUST forward the packet to the mobile station through the bi-directional tunnel established between itself and the serving proxy mobile agent. The home agent can typically use the routing table for routing the packet to the mobile station through the established tunnel.
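   The processing steps of Sections 5.1 to 5.3, as an added example rather than code from the draft: a home agent model that enforces the Section 5.2 authorization check, returns the Section 4.4 status codes, keeps a proxy-flagged binding cache entry per mobile station, shares one tunnel per proxy mobile agent and tears it down only when its last visitor leaves (as Section 6.6 requires). The policy store layout, class names, NAIs and addresses are constructed; the uplink source check in accept_uplink is an added hardening step, not something the draft requires.

```python
"""Home agent processing of a Proxy Binding Update (draft s5.1-5.3).

Added example, not code from the draft. The policy store layout, the class
and field names and all addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

STATUS_ACCEPTED = 0
STATUS_SEQ_OUT_OF_WINDOW = 135         # RFC 3775 s6.1.8
STATUS_PROXY_REG_NOT_SUPPORTED = 140   # draft s4.4
STATUS_PROXY_REG_NOT_ALLOWED = 141     # draft s4.4

# Constructed policy store (the AAA profile of s3): home prefix per NAI and
# the PMAs allowed to register on that mobile station's behalf.
EXAMPLE_POLICY = {
    "ms1@example.com": {"home_prefix": "2001:db8:1:1::/64",
                        "allowed_pmas": {"pma1@example.com"}},
    "ms2@example.com": {"home_prefix": "2001:db8:1:2::/64",
                        "allowed_pmas": {"pma1@example.com", "pma2@example.com"}},
}


@dataclass
class ProxyBindingUpdate:
    ms_nai: str              # Mobile Node NAI option
    pma_nai: Optional[str]   # NAI of the sending PMA (optional, s6.3)
    pma_addr: str            # source address = care-of address = PMA egress address
    seq: int
    lifetime: int            # 0 means de-registration (RFC 3775 s10.3.2)
    proxy_flag: bool         # the P flag of s4.1


@dataclass
class BindingCacheEntry:
    nai: str
    home_prefix: str
    care_of: str
    seq: int
    lifetime: int
    proxy_registration: bool  # the extra flag of s5.1


@dataclass
class Tunnel:
    dst: str                 # PMA address; source is the HA; IPv6-in-IPv6
    refcount: int = 0        # visitors currently using this tunnel (s6.6)


def seq_in_window(new: int, last: int) -> bool:
    """RFC 3775 s9.5.1: 'greater than' in modulo 2**16 arithmetic."""
    return 0 < ((new - last) & 0xFFFF) < 0x8000


class ProxyHomeAgent:
    def __init__(self, addr: str, policy: dict, proxy_enabled: bool = True):
        self.addr, self.policy, self.proxy_enabled = addr, policy, proxy_enabled
        self.bce: Dict[str, BindingCacheEntry] = {}
        self.tunnels: Dict[str, Tunnel] = {}                  # keyed by PMA address
        self.routes: Dict[ipaddress.IPv6Network, str] = {}    # prefix -> tunnel dst

    def _authorized(self, pbu: ProxyBindingUpdate, profile: dict) -> bool:
        # Identify the PMA by its NAI option when present, else by its address
        # (s6.3 allows deployments without the PMA NAI option).
        return (pbu.pma_nai or pbu.pma_addr) in profile["allowed_pmas"]

    def process_pbu(self, pbu: ProxyBindingUpdate) -> Tuple[Optional[int], dict]:
        if not pbu.proxy_flag:
            return None, {}   # plain Binding Update: base RFC 3775 processing
        echo = {"proxy": True, "hnp": None}   # P echoed per s4.2
        if not self.proxy_enabled:
            return STATUS_PROXY_REG_NOT_SUPPORTED, echo
        profile = self.policy.get(pbu.ms_nai)
        if profile is None or not self._authorized(pbu, profile):
            return STATUS_PROXY_REG_NOT_ALLOWED, echo        # s5.2: MUST reject
        old = self.bce.get(pbu.ms_nai)
        if old is not None and not seq_in_window(pbu.seq, old.seq):
            return STATUS_SEQ_OUT_OF_WINDOW, echo
        prefix = ipaddress.IPv6Network(profile["home_prefix"])
        if pbu.lifetime == 0:                                 # de-registration
            if old is not None:
                self._release(old)
            return STATUS_ACCEPTED, echo
        if old is not None and old.care_of != pbu.pma_addr:   # hand-off to a new PMA
            self._release(old)
            old = None
        if old is None:
            tunnel = self.tunnels.setdefault(pbu.pma_addr, Tunnel(pbu.pma_addr))
            tunnel.refcount += 1                              # reuse if it exists
        self.bce[pbu.ms_nai] = BindingCacheEntry(pbu.ms_nai, str(prefix), pbu.pma_addr,
                                                pbu.seq, pbu.lifetime, True)
        self.routes[prefix] = pbu.pma_addr     # whole home prefix via tunnel; not in IGP
        echo["hnp"] = str(prefix)              # Home Network Prefix option (s4.3)
        return STATUS_ACCEPTED, echo

    def _release(self, bce: BindingCacheEntry) -> None:
        del self.bce[bce.nai]
        self.routes.pop(ipaddress.IPv6Network(bce.home_prefix), None)
        tunnel = self.tunnels[bce.care_of]
        tunnel.refcount -= 1
        if tunnel.refcount == 0:    # s6.6: tear down only when no visitor remains
            del self.tunnels[bce.care_of]

    def route_downlink(self, dst: str) -> Optional[str]:
        """s5.3: a packet for the home prefix goes into the tunnel to the PMA."""
        addr = ipaddress.IPv6Address(dst)
        for prefix, pma in self.routes.items():
            if addr in prefix:
                return pma
        return None

    def accept_uplink(self, tunnel_src: str, inner_src: str) -> bool:
        """Reverse-tunneled packets carry the MS home address as source (s5.3).
        Requiring it to belong to a prefix bound to the tunnel the packet came
        in on is an added ingress check, not a draft requirement."""
        return self.route_downlink(inner_src) == tunnel_src
```

   The sequence-number window, the de-registration on lifetime zero and the refusal to process a non-proxy Binding Update here are the base Mobile IPv6 rules the draft defers to; the two things the draft adds are the authorization step before any state is touched and the refcounted tunnel shared by every mobile station behind one proxy mobile agent.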
   For reverse-tunneled packets received from the tunnel, the home agent should remove the tunnel encapsulation and route them to the destination specified in the inner packet header. These routed packets have their source address set to the mobile station's home address.

6.  Proxy Mobile Agent Operation

   The proxy mobile agent has the following functional roles: it emulates the mobile station's home network on the access link, updates the home agent about the current location of the mobile station, and sets up the data path that lets the mobile station use its home address for communication. To some extent the role of the proxy mobile agent is comparable to that of the foreign agent in Mobile IPv4.

   The link connecting the proxy mobile agent and the mobile station should be considered a multicast-enabled point-to-point link. It is not a shared link, and hence any Neighbor Discovery messages with link scope are seen only by the specific mobile station and the proxy mobile agent.

6.1.  Conceptual Data Structures

   Every proxy mobile agent must maintain a Visitor List, a list of the mobile stations that the proxy mobile agent is currently serving. It MAY be implemented in any manner consistent with the external behaviour described in this section. A Visitor List entry has the following fields:

   o  The NAI of the mobile station. This is obtained as part of the network access authentication procedure and is required for downloading the mobile station's profile from the policy store.

   o  The home address of the mobile station. This MAY be a configured parameter in the mobile station's profile. It MAY also be an address assigned by the DHCP server when the mobile station uses stateful address configuration. The proxy mobile agent must implement the DHCP relay agent function and should be able to learn the address leased to the mobile station, in order to support address allocation by a DHCP server.

   o  The home prefix of the mobile station. This MUST be a configured parameter in the mobile station's profile.

   o  The last sequence number sent in a Proxy Binding Update for this mobile station.

6.2.  Access Authentication and obtaining the profile

   When the mobile station attaches to a link on an access router running a proxy mobile agent, it presents its identity to the network in the form of an NAI as part of the access authentication procedure. The proxy mobile agent should be able to fetch the mobile station's profile using the presented NAI.

6.3.  Sending Proxy Binding Update request to the home agent

   After a successful access authentication, the proxy mobile agent sends a Proxy Binding Update to the home agent. The rules for constructing this message are as defined in the base Mobile IPv6 specification [1]. The source address of the message is the IPv6 address configured on the egress interface. The message carries the Mobile Node NAI option identifying the mobile station, optionally an Alternate Care-of Address option, and an NAI identifying the proxy mobile agent sending the request. The NAI option for the proxy mobile agent may not be required in deployments where the home agent has other means to identify the proxy mobile agent and to verify the mobile station's roaming policy.

6.4.  Processing Proxy Binding Acknowledgment message

   After receiving a Proxy Binding Acknowledgment with a status code indicating acceptance of the Proxy Binding Update, the proxy mobile agent can set up the tunnel to the home agent and add a default route over it.

   If the home agent denies the Proxy Binding Update, the proxy mobile agent MUST NOT advertise the mobile station's home prefix on the link, thereby denying mobility service to the mobile station.

6.5.  Emulating the Mobile Station's home link

   The proxy mobile agent on the access link emulates the mobile station's home link behaviour. It makes the mobile station believe it is on its home link. The Router Advertisements that the proxy mobile agent sends on the access link contain the mobile station's home link prefix. The other address configuration parameters in the Router Advertisement should be policy driven and may be present in the mobile station's profile.

6.6.  Tunnel Lifetime Management

   In the traditional Mobile IPv6 model there is a separate tunnel from the home agent to each mobile node that has a binding entry. The end-point of each such tunnel is the respective mobile node's care-of address, which is unique to that mobile node. In the present context the care-of address, and hence the tunnel end-point, is the address of the proxy mobile agent; since multiple mobile stations can be attached to the same proxy mobile agent, the tunnel is a fat tunnel serving multiple mobile stations. This is identical to the Mobile IPv4 model, where a tunnel between the foreign agent and the home agent is shared by many visiting mobile nodes.

   The life cycle of a tunnel should therefore not be tied to a single binding entry. A tunnel may be created because of a single binding entry and later be shared by many other nodes, so the tear-down logic has to be based on the number of visitors using that tunnel. Implementations are free to pre-establish tunnels between every home agent and every proxy mobile agent in the network instead of creating and destroying tunnels on demand.

6.7.  Packet Routing

   After receiving a successful Proxy Binding Acknowledgment for its Proxy Binding Update, the proxy mobile agent sets up a tunnel to the mobile station's home agent. The bi-directional tunnel between the proxy mobile agent and the home agent is used for routing the packets sent by the mobile station and the packets sent to the mobile station. The details of the tunnel are:

   o  Tunnel Source Address is the IPv6 address on the egress interface

   o  Tunnel Destination Address is the home agent's address

   o  Tunnel Encapsulation Mode is IPv6-in-IPv6

   The proxy mobile agent functions as the default router for the mobile station on the access link. Any packets the mobile station sends, it simply routes to the home agent over the tunnel. Any packets it receives from this tunnel, it forwards onto the access link.

7.  Mobile Station Operation

7.1.  Booting for the first time

   When the mobile station attaches to a link on an access router running a proxy mobile agent, it presents its identity to the network in the form of an NAI as part of the access authentication procedure. After the required access authentication procedures, the mobile station is assigned a home network prefix. Once a prefix is allocated to the mobile station, that prefix follows the mobile station as it moves within the network. The network ensures that the mobile station retains its home prefix, its home address and reachability at that home address, thus providing mobility within the portion of the managed network where proxy mobile agents are deployed.

   After a successful access authentication, the mobile station sends a Router Solicitation message. The proxy mobile agent on the link responds with a Router Advertisement.
The Router Advertisement will have the mobile station's home prefix, default router and other address configuration parameters. The address configuration parameters such as Managed Address Configuration, Stateful Configuration flag values will be consistent with the home link policy. If the Router Advertisement has the Managed Address Configuration flag set, the mobile station, as it would normally do, will send a DHCP Request and again the proxy mobile agent on that link will ensure, the mobile station gets its home address as a lease from the Gundavelli, et al. Expires April 19, 2007 [Page 16] Internet-Draft Proxy Mobile IPv6 October 2006 DHCP server. If the Router Advertisement does not have the Managed Address Configuration flag set, the mobile station can autoconfigure itself by appending its link-layer address (EUI-64 format) to the advertised local home network prefix. Once the address configuration is complete, the mobile station will always be able to use that IPv6 address anywhere with in that managed network where proxy mobile agents are deployed. Further, the mobile station will always get the same Address even after a reboot. 7.2. Roaming in the Network As the mobile station roams with in the network, moving from one link to the other, it always detects its home prefix. The proxy mobile agent on the attached link emulates the home link behaviour for the mobile station. It makes the mobile station believe it is on its home link. The Router Solicitation messages will result in a Router Advertisement with its home prefix, default router and other configuration parameters remain consistent with the home link properties. 7.3. IPv6 Host Protocol Parameters The specification assumes the mobile station to be a normal IPv6 host, with its protocol operation consistent with the base IPv6 specification [1]. 
All aspects of the Neighbor Discovery Protocol, including Router Discovery, Neighbor Discovery and Address Configuration procedures, remain the same as in the base IPv6 ND specification [1]. However, the protocol recommends that the mobile station adjust the following IPv6 operating parameters to the values recommended below, for protocol efficiency and for achieving faster hand-offs.

Disabling Duplicate Address Detection:

As per this specification, the mobile station and the proxy mobile agent share a point-to-point link. All messages, including multicast messages with link-local scope, sent by the mobile station or the proxy mobile agent are seen only by those two entities. Further, the prefix that is advertised on this shared link is specific to that mobile station, and no other node will be on this link. Thus, the DAD procedures in this operating environment carry very little value and MAY NOT be required at all. The mobile station MAY disable the Duplicate Address Detection (DAD) procedure on the access link, if doing so does not violate any other specification.

Lower Default Router List Cache Time-out:

As per the base IPv6 specification [1], each IPv6 host maintains certain host data structures, including a Default Router List. This is the list of on-link routers that have sent Router Advertisement messages and are eligible to be default routers on that link. The Router Lifetime field in the received Router Advertisement defines the lifetime of this entry. In the current operational scenario, when the mobile station moves from one link to another, a new proxy mobile agent advertises the prefix that is assigned to that visiting mobile station. The mobile station thus believes it is still on the same link, with the same on-link prefix as before.
However, the received Router Advertisement messages come from a different link-local address, making the mobile station believe there is a new default router on the link. It is important that the mobile station uses the newly learnt default router as opposed to the previous default router. The mobile station must update its default router list with the new default router entry and must age out the previous default router entry from its cache, just as specified in Section 6.3.5 of the base IPv6 ND specification [1]. This action is critical for minimizing packet losses during a hand-off period. On detecting a reachability problem, the mobile station will certainly detect the neighbor or default router unreachability by performing the Neighbor Unreachability Detection procedure, but it is important that the mobile station times out the previous default router entry at the earliest. If a given IPv6 host implementation has the provision to adjust these flush timers while still conforming to the base IPv6 ND specification, it is desirable to set the flush timers to suit the above consideration.

However, if the proxy mobile agent has the ability to withdraw the previous router entry, by multicasting a Router Advertisement using the link-local address of the previous proxy mobile agent and with the Router Lifetime field set to zero, then it is possible to force the flush of the previous default router entry from the mobile station's cache. This certainly requires the proxy mobile agent to notify its link-local address to the home agent as part of the binding update, and the home agent to associate this opaque data with the binding cache entry, so that a new proxy mobile agent can learn the link-local address of the previous router and send a Router Advertisement with that link-local address.
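The default-router-list behaviour discussed above, as an added example that is not part of this draft: a minimal model of an IPv6 host's Default Router List following the RFC 2461 rules the text refers to (an RA with a non-zero Router Lifetime creates or refreshes an entry keyed by the router's link-local source address; an RA with Router Lifetime 0 removes it; entries age out when their lifetime elapses), run through a hand-off between two proxy mobile agents. The link-local addresses, prefix and lifetimes are constructed sample values, and the "prefer the most recently learnt router" selection rule is this model's reading of the draft's recommendation, not a rule from the base specification.

```python
"""Added example (not part of the draft): a mobile station's Default Router
List across a Proxy Mobile IPv6 hand-off, with and without the new proxy
mobile agent withdrawing the previous router entry.

Rules modelled (RFC 2461, Sections 6.3.4 and 6.3.5, as assumed here):
  - RA with Router Lifetime > 0 from a link-local address: create/refresh entry
  - RA with Router Lifetime == 0 from that address: drop the entry immediately
  - entries whose lifetime has elapsed are aged out
"""
from dataclasses import dataclass

# Constructed link-local addresses of two proxy mobile agents and a
# documentation prefix; none of these values come from the draft.
PMA1_LL = "fe80::1"
PMA2_LL = "fe80::2"
HOME_PREFIX = "2001:db8:1::/64"


@dataclass
class RouterAdvertisement:
    src_link_local: str   # link-local source address of the RA
    prefix: str           # on-link prefix carried in the RA
    router_lifetime: int  # seconds; 0 means "not a default router"


class DefaultRouterList:
    """Minimal model of an IPv6 host's Default Router List."""

    def __init__(self):
        self._expiry = {}          # router link-local -> expiry time (s)
        self._learnt_order = []    # oldest first

    def process_ra(self, ra: RouterAdvertisement, now: int):
        if ra.router_lifetime == 0:
            # Lifetime 0: the router is not (or no longer) a default router,
            # so any existing entry is timed out immediately.
            if ra.src_link_local in self._expiry:
                del self._expiry[ra.src_link_local]
                self._learnt_order.remove(ra.src_link_local)
            return
        if ra.src_link_local not in self._expiry:
            self._learnt_order.append(ra.src_link_local)
        self._expiry[ra.src_link_local] = now + ra.router_lifetime

    def expire(self, now: int):
        """Age out entries whose Router Lifetime has elapsed."""
        for ll in [ll for ll, exp in self._expiry.items() if exp <= now]:
            del self._expiry[ll]
            self._learnt_order.remove(ll)

    def routers(self):
        return list(self._learnt_order)

    def default_router(self):
        # Model's reading of the draft: use the most recently learnt router.
        return self._learnt_order[-1] if self._learnt_order else None


def handoff_without_withdrawal(t0: int = 0) -> DefaultRouterList:
    """The previous entry lingers until its Router Lifetime expires."""
    drl = DefaultRouterList()
    drl.process_ra(RouterAdvertisement(PMA1_LL, HOME_PREFIX, 1800), now=t0)
    # The mobile station moves; the new proxy mobile agent advertises the
    # same home prefix from a different link-local address.
    drl.process_ra(RouterAdvertisement(PMA2_LL, HOME_PREFIX, 1800), now=t0 + 10)
    return drl


def handoff_with_withdrawal(t0: int = 0) -> DefaultRouterList:
    """The new proxy mobile agent also sends an RA from the previous agent's
    link-local address with Router Lifetime 0, forcing the old entry out."""
    drl = handoff_without_withdrawal(t0)
    drl.process_ra(RouterAdvertisement(PMA1_LL, HOME_PREFIX, 0), now=t0 + 10)
    return drl


if __name__ == "__main__":
    print("without withdrawal:", handoff_without_withdrawal().routers())
    print("with withdrawal:   ", handoff_with_withdrawal().routers())
```

Without the withdrawal the stale entry for the previous proxy mobile agent stays in the list until its full Router Lifetime elapses (or until Neighbor Unreachability Detection notices it is gone); with the lifetime-0 RA it is removed at hand-off time.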
There are other solutions possible for this problem, including the use of a virtual MAC address and a fixed link-local address for all the deployed proxy mobile agents in the network. In any case, this is very much implementation dependent and has no bearing on the protocol specification.

8. IANA Considerations

This document defines a new flag (P) in the Binding Update message specified in [1]. This document also defines new Binding Acknowledgment status values, as described in Section 4.5. The status values MUST be assigned from the same space used for Binding Acknowledgment status values in [1].

9. Security Considerations

The Mobile IPv6 base specification [1] requires the signaling messages between the home agent and the mobile node to be secured by the use of IPsec extension headers. This document introduces a new functional entity, the proxy mobile agent, a function that will be implemented in the access routers. This entity is responsible for performing the Mobile IPv6 signaling on behalf of the mobile station, also called Proxy MIPv6 signaling. As described in Section 5.1 of the base Mobile IPv6 specification [3], both the mobile client (in this case, the proxy mobile agent) and the home agent MUST support and SHOULD use the Encapsulating Security Payload (ESP) header in transport mode, and MUST use a non-NULL payload authentication algorithm to provide data origin authentication, data integrity and optional anti-replay protection.

This document does not cover the security requirements for authorizing the mobile station for the use of the access link. It is assumed that proper Layer-2 based authentication procedures, such as EAP, are in place and will ensure that the mobile station is properly identified and authorized before it is permitted to access the network. It is further assumed that the same security mechanism will ensure that the mobile session is not hijacked by malicious nodes on the access link.

The proxy solution allows one device to create routing state for some other device at the home agent. It is important that the home agent has proper authorization services in place to ensure that a given proxy mobile agent is permitted to be a proxy for a specific mobile station. If proper security checks are not in place, a malicious node may be able to hijack a session or mount denial-of-service attacks.

10. Acknowledgments

11. Normative References

[1] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.

[2] Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998.

[3] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004.

[4] Arkko, J., Devarapalli, V., and F. Dupont, "Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents", RFC 3776, June 2004.

Authors' Addresses

Sri Gundavelli
Cisco Systems
170 West Tasman Drive
San Jose, CA 95134
USA

Email: sgundave@cisco.com

Kent Leung
Cisco Systems
170 West Tasman Drive
San Jose, CA 95134
USA

Email: kleung@cisco.com

Vijay Devarapalli
Azaire Networks
4800 Great America Pkwy
Santa Clara, CA 95054
USA

Email: vijay.devarapalli@azairenet.com
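The home-agent authorization check that the Security Considerations section calls for, as an added example that is not part of this draft: before a Proxy Binding Update creates or replaces routing state for a mobile station, the home agent verifies that the message arrived over an ESP security association bound to the sending proxy mobile agent, that this proxy mobile agent is provisioned as permitted to act for the mobile station's NAI, and that the Home Network Prefix claimed is the one provisioned for that mobile station. The message fields, the status strings, the `MN_PROFILES` provisioning table and the way the ESP SA is represented (`sa_peer`, the address the SA authenticated) are all constructed for this example and are not the draft's encoding or status codes.

```python
"""Added example (not part of the draft): home-agent side checks on a Proxy
Binding Update, so that one device cannot create routing state for another
device it is not authorized to proxy for.

Assumptions (constructed for this example):
  - pbu.sa_peer is the address authenticated by the ESP SA the PBU arrived
    on, or None when the message was not IPsec-protected;
  - MN_PROFILES is the home agent's provisioning table keyed by NAI.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import ipaddress

# Constructed provisioning data using documentation addresses.
MN_PROFILES = {
    "mn1@example.com": {
        "home_prefix": ipaddress.IPv6Network("2001:db8:1::/64"),
        "authorized_pmas": {"2001:db8:a::1", "2001:db8:b::1"},
    },
}


@dataclass
class ProxyBindingUpdate:
    nai: str                   # mobile station identity (NAI)
    home_prefix: str           # Home Network Prefix option
    care_of_address: str       # proxy mobile agent's egress address
    lifetime: int              # 0 requests de-registration
    sa_peer: Optional[str]     # address authenticated by the ESP SA, or None


@dataclass
class BindingCacheEntry:
    nai: str
    home_prefix: ipaddress.IPv6Network
    proxy_coa: str
    lifetime: int


class HomeAgent:
    def __init__(self):
        self.binding_cache: Dict[str, BindingCacheEntry] = {}

    def process_pbu(self, pbu: ProxyBindingUpdate) -> str:
        # 1. Signaling MUST be ESP-protected, and the identity the SA
        #    authenticated must be the proxy mobile agent registering itself.
        if pbu.sa_peer is None:
            return "rejected: PBU not protected by IPsec ESP"
        if pbu.sa_peer != pbu.care_of_address:
            return "rejected: ESP SA peer does not match care-of address"

        profile = MN_PROFILES.get(pbu.nai)
        if profile is None:
            return "rejected: unknown mobile station"

        # 2. Only a proxy mobile agent provisioned for this NAI may bind it.
        if pbu.care_of_address not in profile["authorized_pmas"]:
            return "rejected: proxy mobile agent not authorized for this mobile station"

        # 3. The prefix claimed must be the one provisioned for this station;
        #    otherwise an authorized agent could bind some other station's prefix.
        try:
            claimed = ipaddress.IPv6Network(pbu.home_prefix)
        except ValueError:
            return "rejected: malformed home network prefix"
        if claimed != profile["home_prefix"]:
            return "rejected: home network prefix mismatch"

        if pbu.lifetime == 0:
            # De-registration: remove the routing state for this station.
            self.binding_cache.pop(pbu.nai, None)
            return "accepted: binding removed"

        # Hand-off between two authorized agents simply replaces the entry.
        self.binding_cache[pbu.nai] = BindingCacheEntry(
            pbu.nai, claimed, pbu.care_of_address, pbu.lifetime)
        return "accepted"


if __name__ == "__main__":
    ha = HomeAgent()
    good = ProxyBindingUpdate("mn1@example.com", "2001:db8:1::/64",
                              "2001:db8:a::1", 3600, "2001:db8:a::1")
    rogue = ProxyBindingUpdate("mn1@example.com", "2001:db8:1::/64",
                               "2001:db8:c::1", 3600, "2001:db8:c::1")
    print(ha.process_pbu(good))
    print(ha.process_pbu(rogue))
```

The ordering matters: the authentication check runs before any lookup keyed by the claimed NAI, so an unprotected message never influences which profile is consulted, and the prefix check runs even for an authorized agent, since authorization to proxy for one station says nothing about other stations' prefixes.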
Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Disclaimer of Validity

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
Acknowledgment

Funding for the RFC Editor function is currently provided by the Internet Society.