home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Internet Info 1997 December
/
Internet_Info_CD-ROM_Walnut_Creek_December_1997.iso
/
drafts
/
draft_ietf_j_p
/
draft-ietf-mobileip-optim-06.txt
< prev
next >
Wrap
Text File
|
1997-08-04
|
113KB
|
2,688 lines
Mobile IP Working Group Charles Perkins
INTERNET DRAFT Sun Microsystems
29 July 1997 David B. Johnson
Carnegie Mellon University
Route Optimization in Mobile IP
draft-ietf-mobileip-optim-06.txt
Status of This Memo
This document is a submission by the Mobile IP Working Group of the
Internet Engineering Task Force (IETF). Comments should be submitted
to the mobile-ip@SmallWorks.COM mailing list.
Distribution of this memo is unlimited.
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at
any time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check
the ``1id-abstracts.txt'' listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (North
Europe), ftp.nis.garr.it (South Europe), munnari.oz.au (Pacific Rim),
ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast).
The Route Optimization protocol extensions for Mobile IP for IPv4
are actively being worked on within the Mobile IP Working Group,
although recent emphasis has been on the design and specification of
Mobile IP for IPv6. This document represents the current state of
the Mobile IPv4 Route Optimization extensions. The design of Route
Optimization may evolve to more closely follow the design of Mobile
IPv6, depending upon the suitability of the IPv6 design revisions
for IPv4, especially the trust model that may be assumed between the
home agent and correspondent node. This document may be revised and
resubmitted once those revisions are evaluated and further developed.
Perkins and Johnson Expires 29 January 1998 [Page i]
Internet Draft Route Optimization in Mobile IP 29 July 1997
Abstract
This document defines extensions to the operation of the base
Mobile IP protocol to allow for optimization of datagram routing from
a correspondent node to a mobile node. Without Route Optimization,
all datagrams destined to a mobile node are routed through that
mobile node's home agent, which then tunnels each datagram to the
mobile node's current location. The protocol extensions described
here provide a means for correspondent nodes that implement them
to cache the binding of a mobile node and to then tunnel their own
datagrams for the mobile node directly to that location, bypassing
the possibly lengthy route for each datagram to and from the mobile
node's home agent. Extensions are also provided to allow datagrams
in flight when a mobile node moves, and datagrams sent based on an
out-of-date cached binding, to be forwarded directly to the mobile
node's new binding.
Perkins and Johnson Expires 29 January 1998 [Page ii]
Internet Draft Route Optimization in Mobile IP 29 July 1997
Contents
Status of This Memo i
Abstract ii
1. Introduction 1
2. Terminology 2
3. Route Optimization Overview 3
3.1. Binding Caches . . . . . . . . . . . . . . . . . . . . . 3
3.2. Foreign Agent Smooth Handoff . . . . . . . . . . . . . . 5
3.3. Establishing Registration Keys . . . . . . . . . . . . . 6
3.3.1. The Home Agent as a KDC . . . . . . . . . . . . . 8
3.3.2. Using the Foreign Agent as a KDC . . . . . . . . 9
3.4. Using Diffie-Hellman with the Foreign Agent . . . . . . . 9
3.5. Special Tunnels . . . . . . . . . . . . . . . . . . . . . 12
4. Route Optimization Message Formats 12
4.1. Binding Warning Message . . . . . . . . . . . . . . . . . 13
4.2. Binding Request Message . . . . . . . . . . . . . . . . . 14
4.3. Binding Update Message . . . . . . . . . . . . . . . . . 15
4.4. Binding Acknowledge Message . . . . . . . . . . . . . . . 17
4.5. Route Optimization Authentication Extension . . . . . . . 18
4.6. Modified Registration Request Message . . . . . . . . . . 19
5. Format of Smooth Handoff Extensions 19
5.1. Previous Foreign Agent Notification Extension . . . . . . 20
5.2. Modified Mobility Agent Advertisement Extension . . . . . 21
6. Messages Requesting A Registration Key 22
6.1. Foreign Agent Key Request extension . . . . . . . . . . . 22
6.2. Mobile Node Public Key extension . . . . . . . . . . . . 23
6.3. Foreign Agent Public Key extension . . . . . . . . . . . 24
6.4. Registration Key Request Extension . . . . . . . . . . . 24
7. Extensions to Supply A Registration Key 25
7.1. Home-Mobile Key Reply Extension . . . . . . . . . . . . . 26
7.2. Foreign Agent Key Reply Extension . . . . . . . . . . . . 27
7.3. Mobile Node Public Key Reply Extension . . . . . . . . . 28
7.4. Foreign Agent Public Key Reply Extension . . . . . . . . 28
7.5. Diffie-Hellman Key Reply Extension . . . . . . . . . . . 29
Perkins and Johnson Expires 29 January 1998 [Page iii]
Internet Draft Route Optimization in Mobile IP 29 July 1997
8. Using Special Tunnels 30
8.1. Home Agent Handling of Special Tunnels . . . . . . . . . 31
8.2. Foreign Agents and Special Tunnels . . . . . . . . . . . 31
9. Mobile Node Key Requests 32
10. Miscellaneous Home Agent Operations 33
10.1. Home Agent Rate Limiting . . . . . . . . . . . . . . . . 33
10.2. Receiving Registration Key Requests . . . . . . . . . . . 33
10.3. Mobility Security Association Management . . . . . . . . 34
10.4. Home Agent Supplying Registration Keys . . . . . . . . . 35
11. Miscellaneous Foreign Agent Operations 36
11.1. Previous Foreign Agent Notification . . . . . . . . . . . 36
11.2. Maintaining Binding Caches . . . . . . . . . . . . . . . 37
11.3. Rate Limiting . . . . . . . . . . . . . . . . . . . . . . 38
11.4. Foreign Agent Handling Key Requests . . . . . . . . . . . 38
12. Security Considerations 39
13. Summary 39
A. Using a Master Key at the Home Agent 40
References 42
Chairs' Addresses 43
Authors' Addresses 44
Perkins and Johnson Expires 29 January 1998 [Page iv]
Internet Draft Route Optimization in Mobile IP 29 July 1997
1. Introduction
The base Mobile IP protocol [10], allows any mobile node to move
about, changing its point of attachment to the Internet, while
continuing to be identified by its home IP address. Correspondent
nodes sending IP datagrams to a mobile node send them to the mobile
node's home address in the same way as with any other destination.
This scheme allows transparent interoperation between mobile nodes
and their correspondent nodes, but forces all datagrams for a mobile
node to be routed through its home agent. Thus, datagrams to the
mobile node are often routed along paths that are significantly
longer than optimal. For example, if a mobile node is visiting some
subnet, even datagrams from a correspondent node on the same subnet
must be routed through the Internet to the mobile node's home agent
(on its home network), only then to be tunneled back to the original
subnet for final delivery. This indirect routing can significantly
delay the delivery of the datagrams to mobile nodes, and places an
unnecessary burden on the networks and routers along their paths
through the Internet.
In this document, we will define extensions to the operation of
the base Mobile IP protocol to allow for better routing, so that
datagrams can be routed from a correspondent node to a mobile node
without going to the home agent first. In this document, we refer
collectively to these extensions as Route Optimization.
Route Optimization extensions provide a means for nodes that
implement them to cache the binding of a mobile node and to then
tunnel their own datagrams directly to the care-of address indicated
in that binding, bypassing the possibly lengthy route to and from
that mobile node's home agent. Extensions are also provided to allow
datagrams in flight when a mobile node moves, and datagrams sent
based on an out-of-date cached binding, to be forwarded directly to
the mobile node's new care-of address.
All operation of Route Optimization that changes the routing of IP
datagrams to the mobile node is authenticated using the same type of
mechanisms used in the base Mobile IP protocol. This authentication
generally relies on a mobility security association established in
advance between the sender and receiver of such messages.
After Section 2 gives some extra terminology, Section 3 provides
an overview of the basic protocol operations associated with Route
Optimization. Section 4 defines the message types used to update
binding caches. Subsequent sections show the formats for each
message and registration extension in detail, explaining the function
of each field within the messages. The formats are presented in
the same basic order corresponding to the topic outline of the
Perkins and Johnson Expires 29 January 1998 [Page 1]
Internet Draft Route Optimization in Mobile IP 29 July 1997
document. Home agent considerations in Section 10, and foreign
agent considerations in Section 11. Details about the management of
special tunnels are given in Section 8.
2. Terminology
This document introduces the following terminology, in addition to
that used to describe the base Mobile IP protocol:
Binding cache
A cache of mobility bindings of mobile nodes, maintained by a
node for use in tunneling datagrams to those mobile nodes.
Binding update
A message indicating a mobile node's current mobility binding,
and in particular its care-of address.
Registration Key
A secret key shared between a mobile node and a foreign
agent, that may optionally be established during registration
with that foreign agent. When later moving and registering
a new care-of address elsewhere, the mobile node uses the
registration key shared with its previous foreign agent to send
it an authenticated Binding Update to this foreign agent.
Registration Lifetime
The registration lifetime is the time duration for which a
binding is valid. The term remaining registration lifetime
means the amount of time remaining for which a registration
lifetime is still valid, at some time after the registration
was approved by the home agent.
Security Parameter Index (SPI)
An index identifying a security context between a pair of
nodes among the contexts available in the Mobility Security
Association. SPI values 0 through 255 are reserved and MUST
NOT be used in any Mobility Security Association.
Special tunnel
A method of tunneling a datagram in which the outer destination
address when encapsulating the datagram is set equal to the
Perkins and Johnson Expires 29 January 1998 [Page 2]
Internet Draft Route Optimization in Mobile IP 29 July 1997
inner destination address (the original destination address of
the datagram). A special tunnel is used in Route Optimization
for returning a datagram, addressed to a mobile node, to the
mobile node's home agent without knowing the home agent's
address.
Triangle Routing
A situation in which a Correspondent Host's packets to a Mobile
Host follow a path which is longer than the optimal path
because the packets must be forwarded to the Mobile Host via a
Home Agent.
3. Route Optimization Overview
This section provides an overview of the protocols and operations of
Route Optimization. These can be divided into four main parts:
1. Updating binding caches
2. Managing smooth handoffs between foreign agents
3. Acquiring registration keys for smooth handoffs
4. Special tunnels
The rest of the document goes into detail about each general part of
the protocol, in the order suggested above.
3.1. Binding Caches
Route Optimization provides a means for any node to maintain a
binding cache containing the care-of address of one or more mobile
nodes. When sending an IP datagram to a mobile node, if the sender
has a binding cache entry for the destination mobile node, it may
tunnel the datagram directly to the care-of address indicated in the
cached mobility binding.
In the absence of any binding cache entry, datagrams destined for a
mobile node will be routed to the mobile node's home network in the
same way as any other IP datagram, and then tunneled to the mobile
node's current care-of address by the mobile node's home agent.
This is the only routing mechanism supported by the base Mobile IP
protocol. With Route Optimization, as a side effect of this indirect
routing of a datagram to a mobile node, the original sender of the
Perkins and Johnson Expires 29 January 1998 [Page 3]
Internet Draft Route Optimization in Mobile IP 29 July 1997
datagram may be informed of the mobile node's current mobility
binding, giving the sender an opportunity to cache the binding.
Any node may maintain a binding cache to optimize its own
communication with mobile nodes. A node may create or update a
binding cache entry for a mobile node only when it has received
and authenticated the mobile node's mobility binding. As before,
each binding in the binding cache also has an associated lifetime,
specified in the Binding Update message in which the node obtained
the binding. After the expiration of this time period, the binding
is deleted from the cache. In addition, a node cache may use any
reasonable strategy for managing the space within the binding cache.
When a new entry needs to be added to the binding cache, the node may
choose to drop any entry already in the cache, if needed, to make
space for the new entry. For example, a least-recently used (LRU)
strategy for cache entry replacement is likely to work well.
When a mobile node's home agent intercepts a datagram from the home
network and tunnels it to the mobile node, the home agent may deduce
that the original source of the datagram has no binding cache entry
for the destination mobile node. The home agent should then send
a Binding Update message to the original source node, informing it
of the mobile node's current mobility binding. No acknowledgment
for such a Binding Update message is needed, since additional future
datagrams from this source node intercepted by the home agent for the
mobile node will cause transmission of another Binding Update. For
a Binding Update to be authenticated by the original source node,
the source node and the home agent must have established a mobility
security association.
Similarly, when any node (e.g., a foreign agent) receives a tunneled
datagram, if it has a binding cache entry for the destination mobile
node (and thus has no visitor list entry for this mobile node), the
node receiving this tunneled datagram may deduce that the tunneling
node has an out-of-date binding cache entry for this mobile node.
In this case, the receiving node should send a Binding Warning
message to the mobile node's home agent, advising it to send a
Binding Update message to the node that tunneled this datagram. The
mobile node's home agent can be determined from the binding cache
entry, because the home agent address is learned from the Binding
Update that established this cache entry. The address of the node
that tunneled this datagram can be determined from the datagram's
header, since the address of the node tunneling this datagram is
the outer source address of the encapsulated datagram. As in the
case of a Binding Update sent by the mobile node's home agent, no
acknowledgment of this Binding Warning is needed, since additional
future datagrams for the mobile node tunneled by the same node will
cause the transmission of another Binding Warning. However, unlike
Perkins and Johnson Expires 29 January 1998 [Page 4]
Internet Draft Route Optimization in Mobile IP 29 July 1997
the Binding Update message, no authentication of the Binding Warning
message is necessary, since it does not directly affect the routing
of IP datagrams to the mobile node.
When sending an IP datagram, if the sending node has a binding cache
entry for the destination node, it should tunnel the datagram to the
mobile node's care-of address using the encapsulation techniques used
by home agents, and described in [8, 9, 4].
3.2. Foreign Agent Smooth Handoff
When a mobile node moves and registers with a new foreign agent, the
base Mobile IP protocol does not notify the mobile node's previous
foreign agent. IP datagrams intercepted by the home agent after
the new registration are tunneled to the mobile node's new care-of
address, but datagrams in flight that had already been intercepted
by the home agent and tunneled to the old care-of address when the
mobile node moved are lost and are assumed to be retransmitted by
higher-level protocols if needed. The old foreign agent eventually
deletes its registration for the mobile node after the expiration of
the registration lifetime.
Route Optimization provides a means for the mobile node's previous
foreign agent to be reliably notified of the mobile node's new
mobility binding, allowing datagrams in flight to the mobile
node's previous foreign agent to be forwarded to its new care-of
address. This notification also allows any datagrams tunneled to
the mobile node's previous foreign agent, from correspondent nodes
with out-of-date binding cache entries for the mobile node, to be
forwarded to its new care-of address. Finally, this notification
allows any resources consumed by the mobile node at the previous
foreign agent (such as radio channel reservations) to be released
immediately, rather than waiting for its registration lifetime to
expire.
As part of the registration procedure, the mobile node may
request that its new foreign agent attempt to notify its previous
foreign agent on its behalf, by including a Previous Foreign Agent
Notification extension in its Registration Request message sent to
the new foreign agent. The new foreign agent then builds a Binding
Update message and transmits it to the mobile node's previous foreign
agent as part of registration, requesting an acknowledgment from the
previous foreign agent. The extension includes only those values
needed to construct the Binding Update message that are not already
contained in the Registration Request message. The authenticator
for the Binding Update message is computed by the mobile node using
the registration key shared with its previous foreign agent. This
Perkins and Johnson Expires 29 January 1998 [Page 5]
Internet Draft Route Optimization in Mobile IP 29 July 1997
notification will typically include the mobile node's new care-of
address, allowing the previous foreign agent to create a binding
cache entry for the mobile node to serve as a forwarding pointer [5]
to its new location. Any tunneled datagrams for the mobile node that
arrive at its previous foreign agent after the forwarding pointer has
been created will then be re-tunneled by this foreign agent to the
mobile node's new care-of address.
For this smooth handoff to be secure, during registration with a
new foreign agent, the mobile node and the foreign agent usually
need to establish a new shared secret key called a registration key.
The registration key is used to authenticate the notification sent
to the previous foreign agent. Other uses of the registration key
are possible, such as for use as an encryption key for providing
privacy over a wireless link between the mobile node and its foreign
agent, but such uses are beyond the scope of this specification.
Once established, the registration key for a mobile node can be
stored by the foreign agent with the mobile node's visitor list
entry. Section 3.3 gives an overview of methods for establishing
a registration key. The Mobility Agent Advertisement extension of
the agent advertisement message is revised under Route Optimization
to include a bit indicating that the foreign agent sending the
advertisement supports smooth handoffs. If this bit is not set in
the agent advertisement from the foreign agent, the mobile node
SHOULD not request a registration key in its Registration Request
message.
The mobile node is responsible for occasionally retransmitting a
Binding Update message to its previous foreign agent until the
matching Binding Acknowledge message is received, or until the
mobile node can be sure that foreign agent has expired its binding.
The mobile node is likely to select a small timeout value for the
remaining registration lifetime available to such bindings sent to
previous foreign agents.
3.3. Establishing Registration Keys
Foreign agents are expected to be cheap and widely available, as
Mobile IP becomes fully deployed. Mobile nodes will likely find it
difficult to manage long-term security relationships with so many
foreign agents. To securely perform the operations needed for smooth
handoffs from one foreign agent to the next, however, any careful
foreign agent should require assurance that it is getting authentic
handoff information, and not arranging to forward in-flight datagrams
to a bogus destination. The biggest complication in the Route
Optimization protocol involves the creation of (sufficient) trust
between mobile node and foreign agent when none exists beforehand,
Perkins and Johnson Expires 29 January 1998 [Page 6]
Internet Draft Route Optimization in Mobile IP 29 July 1997
while allowing the use of fully trustworthy security associations
between foreign agents and mobile nodes whenever they do exist.
Note that the mobile node can only rarely verify the identity of
the foreign agent in any absolute terms. It can only act on the
presumption that the foreign agent is performing its duties by
correct adherence to protocol. Again, foreign agents are mostly
passive devices. Any entity that is willing to perform the services
would be accepted by the mobile node, even if the foreign agent were
somehow malicious "on-the-side". For instance, neither the mobile
node nor any home agent would be likely to be able to determine if a
foreign agent duplicated the mobile node's traffic stream, shared the
mobile node's data with some adversary, or replayed mobile node data
after the expiration of the mobile node's binding at that care-of
address. If the foreign agent were to perform more active attacks,
such as dropping datagrams intentionally, or modifying the datagrams
according to some dark purpose, the mobile node would not necessarily
know where the problem was originating. However, all of these same
points are true as well for existing infrastructure routers, so the
situation is no worse than already exists.
In short, the exact identity of the foreign agent is not crucial to
the process of establishing a registration key. Only an agreement
to follow protocol can be expected or enforced. If the mobile node
has a way to obtain a certified public key for the foreign agent,
then the identity may be established in a firmer fashion, but the
needed public key infrastructure seems to be at least five years
distant. Therefore, methods are proposed in this document by which
an anonymous foreign agent (i.e., one whose identity we cannot
establish) can create a registration key with a mobile node during
the registration process. In this document, we propose the following
methods for establishing a registration key, in order of declining
preference. Other methods of establishing keys may become available
in the future.
1. If the foreign agent and mobile node share a security
association, it can be used to secure the Previous Foreign Agent
Notification.
2. If the home agent and foreign agent share a security association,
the home agent can choose the new registration key.
3. If the foreign agent has a public key, it can again use the home
agent to supply a registration key.
4. If the mobile node includes its public key in its Registration
Request, the foreign agent can choose the new registration key.
Perkins and Johnson Expires 29 January 1998 [Page 7]
Internet Draft Route Optimization in Mobile IP 29 July 1997
5. The mobile node and its foreign agent can execute a
Diffie-Hellman key exchange protocol [2] as part of the
registration protocol.
Once the registration key is established, the method for performing
smooth handoff seems natural. The following sections give a
brief overview of the above listed methods for establishing the
registration key. Once the key is established, and able to be used
by way of a (possibly newly created) SPI, the smooth handoff just
involves sending a Binding Update to the previous foreign agent at
the right time.
If a request for key establishment cannot be accommodated by
the foreign agent and/or the home agent, then the mobile node's
key request must go unfulfilled. This does not mean that the
Registration Request itself fails, so it has no effect on the status
code returned by the home agent to the mobile node. The mobile node
has to be able to handle the case in which it has requested a key but
the Registration Reply arrives without any key reply extension.
3.3.1. The Home Agent as a KDC
Crucial to methods (2) and (3) listed above is that the home agent
and mobile node already are known to share a mobility security
association, which can be used to encode the registration key for
delivery to the mobile node. Thus, if the home agent can securely
deliver the key to the foreign agent, it can be used as a Key
Distribution Center (KDC) for the mobile node and its new foreign
agent. The mobile node requests this by including a Registration
Key Request extension in its Registration Request message. When the
home agent chooses the registration key, it sends it back in two
different extensions to the Registration Reply. One extension has
the encrypted key for the foreign agent, and the other extension has
the same key encrypted differently for the mobile node.
For the registration key to be established using this method, the
home agent must be able to securely transmit an encrypted copy of the
registration key to the foreign agent. This is straightforward if
the foreign agent already has a mobility security association with
the home agent. If mobile nodes from some home network often visit a
foreign agent, then the effort of creating such a mobility security
association between that foreign agent and the home agent serving
their home network may be worthwhile.
Note that MD5 can be used here for the purpose of transmitting
registration keys, secure against eavesdroppers. The expression
expr1 = MD5(secret | regrep | secret) XOR (key)
Perkins and Johnson Expires 29 January 1998 [Page 8]
Internet Draft Route Optimization in Mobile IP 29 July 1997
(where regrep is the Registration Reply message payload, and XOR is
exclusive-or) can be included within the appropriate Registration
Reply extension and encodes the key in a way which allows recovery
only by the recipient. It is secure against replay because of the
identification field within the Registration Reply message. The
recipient recovers the key by computing
expr2== MD5(secret | regrep | secret)
which then yields key = expr1XOR expr2. Use of MD5 avoids
entanglements with the legal issues surrounding the export of
encryption technology, and reducing the computational power needed to
secure the password against eavesdroppers.
If no such mobility security association exists, but the foreign
agent has a public key available, it can still ask the home agent to
use it to pick a registration key. This is preferable than asking
the mobile node to pick a good registration key, because doing so
may depend upon using resources not available to all mobile nodes.
Just selecting pseudo-random numbers is by itself a significant
computational burden. Moreover, allowing the home agent to pick the
key fits well into the existing registration procedures. On the
other hand, it is possible that a mobile node could do with less than
perfect pseudo-random numbers as long as the registration key were to
be used in the restricted fashion envisioned for smooth handoffs.
3.3.2. Using the Foreign Agent as a KDC
When the foreign agent and mobile node share a mobility security
association, there is no need to pick a registration key. The mobile
node can secure its Binding Update to the foreign agent whenever it
needs to, by using the existing security association. This is the
most desirable case.
Otherwise, if available, the mobile node can include its public key
(such as RSA [11]) in its Registration Request to the foreign agent,
using a mobile node public key extension. The foreign agent chooses
the new registration key and returns a copy of it encrypted with the
mobile node's public key, using a foreign-mobile registration key
reply extension.
3.4. Using Diffie-Hellman with the Foreign Agent
The Diffie-Hellman key-exchange algorithm [2] can be used.
Diffie-Hellman is a public key cryptosystem that allows two parties
to establish a shared secret key, such that the shared secret key
cannot be determined by other parties overhearing the messages
exchanged during the algorithm. It is already used, for example, in
Perkins and Johnson Expires 29 January 1998 [Page 9]
Internet Draft Route Optimization in Mobile IP 29 July 1997
other protocols that require a key exchange, such as in the Cellular
Digital Packet Data (CDPD) system [1].
This technique is known to suffer from a man-in-the-middle attack.
In other words, a malicious agent could pretend to the foreign
agent to be the mobile node, and pretend to the mobile node to be
the foreign agent, and participate as an unwanted third member in
the key exchange Armed with knowledge of the registration key, the
malicious agent could at a later time disrupt the smooth handoff, or
initiate the handoff prematurely. The man-in-the-middle attack is no
worse than a malicious agent pretending to be a foreign agent in any
other circumstance; that is, it is no worse than already exists with
the base Mobile IP specification [10]. In route optimization, the
man-in-the-middle attack is prevented in most circumstances because
each registration key produced by the techniques in this chapter is
effectively authenticated by the home agent.
Even so, if Diffie-Hellman were not computationally so expensive,
it could likely serve the needs of many mobile nodes. Moreover,
the mobile node and/or the foreign agent are presumably in direct
contact, so that the malicious man-in-the-middle would be detectable
with high probability if either of the former nodes notices the
reception of duplicate packets, and corrective action taken.
Diffie-Hellman results are returned by the protocol in a way intended
to avoid such attacks.
But, the algorithm itself uses exponentiations involving numbers
with hundreds of digits. That may take a long time for some mobile
nodes to do, time which would come at the expense of interactivity
or convenient operation of user application programs. For this
reason, Diffie-Hellman is considered the least desirable alternative
for establishing registration keys. Even so, since it requires no
other configuration, it should be required in all implementations of
foreign agents that advertise support for smooth handoffs.
Briefly, the Diffie-Hellman algorithm involves the use of two large
public numbers, a prime number (p) and a generator (g). The prime
number and the generator must be known by both parties involved in
the algorithm, but need not be kept secret; these values may be the
same or different for each execution of the algorithm and are not
used once the algorithm completes. Each party chooses a private
random number, produces a computed value based on this random number,
the prime and the generator, and sends the computed value in a
message to the other party. The computed value is the number g**x
mod p, where x is the private random number, p is the prime which is
sent as part of the transaction, and g is the generator. Each party
then computes the (same) shared secret key using its own private
random number, the computed value received from the other party, and
Perkins and Johnson Expires 29 January 1998 [Page 10]
Internet Draft Route Optimization in Mobile IP 29 July 1997
the prime and generator values. The shared secret is the number c**y
mod p, where c is the computed value which uses the other party's
private number, p is the same as before, and y is the receiver's
private number. Since (g**x)**y == (g**y)**x, and since knowing the
computed values mod p does not enable passive listeners to determine
the private values, the algorithm does successfully allow the two
parties to agree on an otherwise undetectable secret.
To use this algorithm during registration with a foreign agent, the
mobile node includes a Registration Key Request extension in its
Registration Request message, containing its nonzero values for
the prime and generator, along with the computed value from its
own private random number. If no other strategy is available, the
foreign agent then chooses its own private random number and includes
a Diffie-Hellman Registration Key Reply extension in its Registration
Reply message to the mobile node; the extension includes the foreign
agent's own computed value based on its chosen random number and the
supplied prime and generator values from the mobile node. The mobile
node and foreign agent each independently form the (same) shared
secret key from their own chosen random number, the computed value
supplied by the other party, and the prime and generator values.
Establishing a registration key using Diffie-Hellman is
computationally more expensive than most methods described in
Section 3.3. The use of Diffie-Hellman described here, though, is
designed to allow the Diffie-Hellman computations to be overlapped
with other activities. The mobile node may choose (or be manually
configured with) the prime and generator values at any time, or
may use the same two values for a number of registrations. The
mobile node may also choose its private random number and calculate
its computed value at any time. For example, after completing
one registration, the mobile node may choose the private random
number for its next registration and begin the computation of
its new computed value based on this random number, such that it
has completed this computation before it is needed in its next
registration. Even more simply, the mobile node may use the
same private random number and computed value for any number of
registrations. The foreign agent may choose its private random
number and begin computation of its computed value based on this
number as soon as it receives the mobile node's Registration Request
message, and need only complete this computation before it sends
the matching Registration Reply message for the mobile node's
registration.
This could be extended to support other similar key exchange
algorithms, either by adding a new request and reply extension for
each, or by adding a field in the extensions to indicate which
algorithm is to be used. Diffie-Hellman currently seems the only
Perkins and Johnson Expires 29 January 1998 [Page 11]
Internet Draft Route Optimization in Mobile IP 29 July 1997
obvious choice, though; an implementation is available in the free
RSAREF toolkit from RSA Laboratories [7].
3.5. Special Tunnels
Suppose a foreign agent receives a tunneled datagram, but it doesn't
have a visitor list entry for the mobile node. Moreover, suppose
the foreign agent has no binding cache entry for the destination
mobile node. To attempt delivery of the datagram in this case, the
node must encapsulate the datagram as a special tunnel datagram (see
Section 8), destined to the mobile node. Using a special tunnel
allows the home agent to avoid a possible routing loop when a foreign
agent has forgotten that it is serving the mobile node, perhaps
because the foreign agent has crashed and lost its visitor list
state. The special tunnel allows the home agent to see the address
of the node that tunneled the datagram, and to avoid tunneling the
datagram back to the same node.
4. Route Optimization Message Formats
Route Optimization defines four message types used for management
of binding cache entries. These message types fit in the numbering
space defined in the base Mobile IP specification for messages sent
to UDP port 454. Each of these messages begins with a one-octet
field indicating the type of the message. The binding cache
management messages in this section are carried by way of UDP, sent
to port 434.
The following type codes are defined in this document:
16 Binding Warning message
17 Binding Request message
18 Binding Update message
19 Binding Acknowledge message
Route Optimization also requires one minor change to existing
Mobile IP messages: a new flag bit must be added to the Registration
Request message, replacing a previously unused, reserved bit in the
message.
This section describes each of the new Route Optimization messages
and the change to Registration Request message.
Perkins and Johnson Expires 29 January 1998 [Page 12]
Internet Draft Route Optimization in Mobile IP 29 July 1997
4.1. Binding Warning Message
A Binding Warning message is used to advise a mobile node's home
agent that another node appears to have either no binding cache entry
or an out-of-date binding cache entry for some mobile node. When any
node detunnels a datagram, if it is not the current foreign agent for
the destination mobile node, it should send a Binding Warning message
to the mobile node's home agent.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mobile Node Home Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Target Node Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The format of the Binding Warning message is illustrated above, and
contains the following fields:
Type 16
Reserved Sent as 0; ignored on reception.
Mobile Node Home Address
The home address of the mobile node to which the Binding
Warning message refers.
Target Node Address
The address of the node tunneling the datagram that
caused the Binding Warning message. This node should be
the target of the Binding Update message sent by the home
agent.
A home agent will receive a Binding Warning message if a node
maintaining a binding cache entry for one of the home agent's mobile
nodes uses an out-of-date entry. When a home agent receives a
Binding Warning message, it should send a Binding Update message to
the target node address identified in the Binding Warning, giving it
the current binding for the mobile node identified in the mobile node
home address field of the Binding Warning.
Perkins and Johnson Expires 29 January 1998 [Page 13]
Internet Draft Route Optimization in Mobile IP 29 July 1997
4.2. Binding Request Message
A Binding Request message is used by a node to request a mobile
node's current mobility binding from the mobile node's home agent.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mobile Node Home Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Identification +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The format of the Binding Request message is illustrated above, and
contains the following fields:
Type 17
Reserved Sent as 0; ignored on reception.
Mobile Node Home Address
The home address of the mobile node to which the Binding
Request refers.
Identification
A 64-bit sequence number, assigned by the node sending
the Binding Request message, used to assist in matching
requests with replies, and in protecting against replay
attacks.
When the home agent receives a Binding Request message, it consults
its home list and determines the correct binding information to be
sent to the requesting node. Before satisfying the request, the home
agent is required to check whether or not the mobile node has allowed
the information to be disseminated. If the mobile node specified
the private (P) bit in its Registration Request message, then the
home agent must make no further attempt to satisfy Binding Requests
on behalf of that mobile node. In this case, the home agent should
return a Binding Update in which both the care-of address is set
equal to the mobile node's home address and the lifetime is set to
zero. Such a Binding Update message indicates that the binding cache
entry for the specified mobile node should be deleted.
Perkins and Johnson Expires 29 January 1998 [Page 14]
Internet Draft Route Optimization in Mobile IP 29 July 1997
4.3. Binding Update Message
The Binding Update message is used for notification of a mobile
node's current mobility binding. It should be sent by the mobile
node's home agent in response to a Binding Request message or a
Binding Warning message. It should also be sent by a mobile node, or
by the foreign agent with which the mobile node is registering, when
notifying the mobile node's previous foreign agent that the mobile
node has moved.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type |A|I|M|G| Rsvd | Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mobile Node Home Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Care-of Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Identification +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extensions ...
+-+-+-+-+-+-+-+-
The format of the Binding Update message is illustrated above, and
contains the following fields:
Type 18
A The 'A' (acknowledge) bit is set by the node sending the
Binding Update message to request a Binding Acknowledge
message be returned.
I The 'I' (identification present) bit is set by the node
sending the Binding Update message if the identification
field is present in the message.
M If the 'M' (minimal encapsulation) bit is set, datagrams
may be tunneled to the mobile node using the minimal
encapsulation protocol [9].
G If the 'G' (Generic Record Encapsulation, or GRE) bit is
set, datagrams may be tunneled to the mobile node using
GRE [4].
Rsvd Reserved. Sent as 0; ignored on reception.
Perkins and Johnson Expires 29 January 1998 [Page 15]
Internet Draft Route Optimization in Mobile IP 29 July 1997
Lifetime The number of seconds remaining before the binding cache
entry must be considered expired. A value of all ones
indicates infinity. A value of zero indicates that no
binding cache entry for the mobile node should be created
and that any existing binding cache entry (and visitor
list entry, in the case of a mobile node's previous
foreign agent) for the mobile node should be deleted.
The lifetime is typically equal to the remaining lifetime
of the mobile node's registration.
Mobile Node Home Address
The home address of the mobile node to which the Binding
Update message refers.
Care-of Address
The current care-of address of the mobile node. When set
equal to the home address of the mobile node, the Binding
Update message instead indicates that no binding cache
entry for the mobile node should be created, and any
existing binding cache entry (and visitor list entry, in
the case of a mobile node's previous foreign agent) for
the mobile node should be deleted.
Identification
If present, a 64-bit number, assigned by the node sending
the Binding Request message, used to assist in matching
requests with replies, and in protecting against replay
attacks.
Each Binding Update message indicates the binding's maximum lifetime.
When sending the Binding Update message, the home agent should set
this lifetime to the remaining registration lifetime. A node wanting
to provide continued service with a particular binding cache entry
may attempt to reconfirm that mobility binding before the expiration
of the registration lifetime. Such reconfirmation of a binding cache
entry may be appropriate when the node has indications (such as an
open transport-level connection to the mobile node) that the binding
cache entry is still needed. This reconfirmation is performed by
the node sending a Binding Request message to the mobile node's
home agent, requesting it to reply with the mobile node's current
mobility binding in a new Binding Update message. Note that the node
maintaining the binding should also keep track of the home agent's
address, to be able to fill in the destination IP address of future
Binding Requests.
When a node receives a Binding Update message, it is required to
verify the authentication in the message, using the mobility security
association it shares with the mobile node's home agent. The
Perkins and Johnson Expires 29 January 1998 [Page 16]
Internet Draft Route Optimization in Mobile IP 29 July 1997
authentication data is found in the Route Optimization Authentication
extension (Section 4.5), which is required. If the authentication
succeeds, then a binding cache entry should be updated for use in
future transmissions of data to the mobile node. Otherwise, an
authentication exception should be raised.
Under all circumstances, the sending of Binding Update messages is
subject to the rate limiting restriction described in Section 10.1.
When using nonces for replay protection, the identification field in
the Binding Update message is used differently in this case, to still
allow replay protection even though the Binding Update is not being
sent in reply to a request directly from the target node. In this
case, the home agent is required to set the high-order 32 bits of the
identification field to the value of the nonce that will be used by
the home agent in the next Binding Update message sent to this node.
The low-order 32 bits of the identification field are required to be
set to the value of the nonce being used for this message.
Thus, on each Binding Update message, the home agent communicates to
the target node, the value of the nonce that will be used next time,
and if no Binding Updates are lost in the network, the home agent and
the target node can remain synchronized with respect to the nonces
being used. If, however, the target node receives a Binding Update
with what it believes to be an incorrect nonce, it may resynchronize
with the home agent by using a Binding Request message.
4.4. Binding Acknowledge Message
A Binding Acknowledge message is used to acknowledge receipt of a
Binding Update message. It should be sent by a node receiving the
Perkins and Johnson Expires 29 January 1998 [Page 17]
Internet Draft Route Optimization in Mobile IP 29 July 1997
Binding Update message if the acknowledge (A) bit is set in the
Binding Update message.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type |N| Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mobile Node Home Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Identification +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The format of the Binding Acknowledge message is illustrated above,
and contains the following fields:
Type 19
N If the 'N' (negative acknowledge) bit is set, this
acknowledgment is negative. For instance, if the Binding
Update was not accepted, but the incoming datagram has
the Acknowledge flag set, then the 'N' bit should be set
in this Binding Acknowledge message.
Reserved Sent as 0; ignored on reception.
Mobile Node Home Address
Copied from the Binding Update message being
acknowledged.
Identification
Copied from the Binding Update message being
acknowledged, if present there.
DISCUSSION:
Should there be a code field defined, as with the
Registration Reply message, instead of the 'N' bit?
4.5. Route Optimization Authentication Extension
The Route Optimization Authentication extension is used to
authenticate certain Route Optimization management messages. It
has the same format as the three authentication extensions defined
for base Mobile IP [10], but is distinguished by its type, which is
Perkins and Johnson Expires 29 January 1998 [Page 18]
Internet Draft Route Optimization in Mobile IP 29 July 1997
35. The authenticator value is computed, as before, from the stream
of bytes including the shared secret, the UDP payload (that is, the
Route Optimization management message), all prior extensions in
their entirety, and the type and length of this extension, but not
including the authenticator field itself nor the UDP header. This
extension is required to be used in any Binding Update message.
4.6. Modified Registration Request Message
One bit is added to the flag bits in the Registration Request message
to indicate that the mobile node would like its home agent to keep
its mobility binding private. Normally, the home agent sends Binding
Update messages to correspondent nodes as needed to allow them to
cache the mobile node's binding. If the mobile node sets the private
('P') bit in the Registration Request message, the home agent MUST
NOT send the mobile node's binding in any Binding Update message.
Instead, each Binding Update message should give the mobile node's
care-of address equal to its home address, and should give a lifetime
value of 0.
Thus, the Registration Request message under Route Optimization
begins as shown below:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type |S|B|D|M|G|V|P|r| Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (Unchanged ...)
+-+-+-+-+-+-+-+-+-+-+-+-+
P The private ('P') bit is set by the node sending the
Binding Update message to indicate that the home agent
should keep its mobility binding private. In any Binding
Update message sent by the mobile node's home agent, the
care-of address should be set equal to the mobile node's
home address, and the lifetime should be set equal to 0.
5. Format of Smooth Handoff Extensions
This section describes the format details for messages which are used
to enable a smooth handoff from the previous foreign agent to the new
foreign agent when a mobile node initiates a new registration.
Perkins and Johnson Expires 29 January 1998 [Page 19]
Internet Draft Route Optimization in Mobile IP 29 July 1997
5.1. Previous Foreign Agent Notification Extension
The Previous Foreign Agent Notification extension may be included in
a Registration Request message sent to a foreign agent. It requests
the new foreign agent to send a Binding Update message to the mobile
node's previous foreign agent on behalf of the mobile node, to notify
it that the mobile node has moved. The previous foreign agent may
then delete the mobile node's visitor list entry and, if a new
care-of address is included in the Binding Update message, create a
binding cache entry for the mobile node with its new care-of address.
The Previous Foreign Agent Notification extension contains only those
values not otherwise already contained in the Registration Request
message that are needed for the new foreign agent to construct the
Binding Update message.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Cache Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Previous Foreign Agent Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| New Care-of Address Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SPI |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Authenticator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 96
Length 14 plus the length of the authenticator
Cache Lifetime
The number of seconds remaining before the binding
cache entry created by the previous foreign agent must
be considered expired. A value of all ones indicates
infinity. A value of zero indicates that the previous
foreign agent should not create a binding cache entry for
the mobile node once it has deleted the mobile node's
visitor list entry. The cache lifetime value is copied
into the lifetime field of the Binding Update message.
Previous Foreign Agent Address
The IP address of the mobile node's previous foreign
agent to which the new foreign agent should send a
Binding Update message on behalf of the mobile node.
Perkins and Johnson Expires 29 January 1998 [Page 20]
Internet Draft Route Optimization in Mobile IP 29 July 1997
New Care-of Address
The new care-of address for the new foreign agent to send
in the Binding Update message to the previous foreign
agent. This should be either the care-of address being
registered in this new registration (i.e., to cause IP
datagrams from the previous foreign agent to be tunneled
to the new foreign agent) or the mobile node's home
address (i.e., to cause the previous foreign agent to
delete its visitor list entry only for the mobile node,
but not forward datagrams for it).
SPI Security Parameters Index (4 bytes). An opaque
identifier. The SPI is copied over into the Route
Optimization Authentication extension by the new foreign
agent.
Authenticator
The authenticator value to be used in the Route
Optimization Authentication extension in the Binding
Update message sent by the new foreign agent to the
mobile node's previous foreign agent. This authenticator
is calculated only over the Binding Update message body.
The binding cache entry created at the mobile node's previous
foreign agent is treated in the same way as any other binding cache
entry [10].
5.2. Modified Mobility Agent Advertisement Extension
Performing smooth handoffs requires one minor change to the existing
Mobile IP Mobility Agent Advertisement extension [10]. A new
flag bit, the 'S' bit, replaces a previously unused reserved bit
in the extension, to indicate that the foreign agent supports
smooth handoffs, and thus registration key establishment. By
default, every foreign agent that supports smooth handoffs SHOULD at
Perkins and Johnson Expires 29 January 1998 [Page 21]
Internet Draft Route Optimization in Mobile IP 29 July 1997
least to support the establishment of a registration key by using
Diffie-Hellman key exchange.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime |R|B|H|F|M|G|V|T|S| reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (unchanged...)
+-+-+-
Thus, the proposed modification to the Mobility Agent Advertisement
extension, illustrated above, keeps the advertisement almost the same
as in the base Mobile IP specification, except for adding following
bit:
S The 'S' smooth handoff bit is set by the foreign agent
sending the agent advertisement message to indicate that
it supports the smooth handoffs and registration key
establishment, and thus the Registration Key Request and
Diffie-Hellman Registration Key Reply extensions.
More detailed information about the handling of this extension by
foreign agents is deferred until Section 11.1.
6. Messages Requesting A Registration Key
The following extensions may be used by mobile nodes or foreign
agents to request the establishment of a registration key. See
sections 9,10.4, and 11 for appropriate algorithms which allow each
node to tailor the use of these extensions to most closely fit its
configured requirements.
113 Foreign Agent Key Request Extension
114 Mobile Node Public Key Extension
115 Foreign Agent Public Key Extension
116 Diffie-Hellman Key Request Extension
6.1. Foreign Agent Key Request extension
If the foreign agent receives a Registration Key Request from
a mobile node, and it has a security association with the home
agent, it may append the Foreign Agent Key Request extension to
the Registration Request after the mobile-home authentication
Perkins and Johnson Expires 29 January 1998 [Page 22]
Internet Draft Route Optimization in Mobile IP 29 July 1997
extension. The home agent will use the SPI specified in the key
request extension to encode the registration key in the subsequent
Registration Reply message. The format of the Foreign Agent Key
Request extension is illustrated below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ..... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... SPI (continued) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 113
Length 4
SPI Security Parameters Index (4 bytes). An opaque
identifier.
6.2. Mobile Node Public Key extension
If the mobile node has a public key, it can ask its prospective
foreign agent to choose a registration key, and to use the mobile
node's public key to encode the chosen registration key. No
eavesdropper will be able to decode the registration key, even if
it is broadcast to all entities with access to the network medium
used by the mobile node. If using the public key, the foreign
agent should still include the selected key in the Registration
Request before it goes to the home agent. Then, the home agent can
authenticate the selected encoded registration key as part of the
Registration Reply message. The format of the mobile node public key
extension is as illustrated below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |MN Public Key ..
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... Mobile Node Public Key, continued ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 114
Length The length (typically larger than 255) of the mobile
node's public key
Perkins and Johnson Expires 29 January 1998 [Page 23]
Internet Draft Route Optimization in Mobile IP 29 July 1997
6.3. Foreign Agent Public Key extension
If the foreign agent has a public key, it can ask the home agent to
choose a registration key, and to use the foreign agent's public key
to encode the chosen registration key. Then, the home agent can
authenticate the selected encoded registration key as part of the
Registration Reply message. The format of the foreign agent public
key extension is as illustrated below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... SPI (continued) |FA Public Key ..
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Foreign Agent Public Key (continued) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 115
Length 4 plus the length (typically larger than 255) of the
foreign agent's public key
SPI Security Parameters Index (4 bytes). An opaque
identifier.
Foreign Agent's Public Key
The SPI is provided for the home agent to transcribe into the
eventual Foreign Agent Public Key Reply extension to the Registration
Reply message.
6.4. Registration Key Request Extension
The Registration Key Request extension, illustrated below, may be
included in a Registration Request message sent to a foreign agent.
If the length of the parameters in the key request extension are all
zero, then the mobile node is asking the foreign agent to supply a
key by any means it has available except for Diffie-Hellman.
If the lengths are nonzero, then the mobile node is enabling the
foreign agent to also perform the Diffie-Hellman key exchange
algorithm (as described in Section 3.4) if the other possible key
establishment methods are not available. The foreign agent should
then select a good pseudo-random registration key, and include a
Diffie-Hellman Registration Key Reply extension, in the Registration
Perkins and Johnson Expires 29 January 1998 [Page 24]
Internet Draft Route Optimization in Mobile IP 29 July 1997
Request message sent to the home agent to complete the key exchange.
The home agent will also include same extension in the Registration
Reply sent to the mobile node, and then it will be authenticated as
part of the reply message.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Prime ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... Prime (continued) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Generator ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Computed Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 116
Length 3 times the length (in bytes) of each of prime,
generator, and computed value. The values prime,
generator, and computed value must all be the same
length, which must be a multiple of 8 bits.
Prime One of the two public numbers involved in the
Diffie-Hellman key exchange algorithm. The prime should
be a large prime number.
Generator
One of the two public numbers involved in the
Diffie-Hellman key exchange algorithm. If p is the value
of the prime used for this Diffie-Hellman exchange,
the generator should be less than p, and should be a
primitive root of p.
Computed Value
The public computed value from the mobile node for this
Diffie-Hellman exchange. The mobile node chooses a large
random number, x. If g is the value of the generator and
p is the value of the prime, the computed value in the
extension is g**x mod p.
7. Extensions to Supply A Registration Key
The following extensions are used to supply a registration key to
a requesting entity, either a foreign agent or a mobile node, and
Perkins and Johnson Expires 29 January 1998 [Page 25]
Internet Draft Route Optimization in Mobile IP 29 July 1997
are the counterparts to corresponding extensions used to request
registration keys that are described in the last section.
120 Home-Mobile Key Reply Extension
121 Foreign Agent Key Reply Extension
122 Mobile Node Public Key Reply Extension
123 Foreign Agent Public Key Reply Extension
124 Diffie-Hellman Key Reply Extension
7.1. Home-Mobile Key Reply Extension
The home-mobile key reply extension may be used in Registration Reply
messages to send a registration key from the mobile node's home agent
to the mobile node. When used, the home agent is required to also
include a key reply extension in the Registration Reply message,
which gives a copy of the same key to the mobile node's new foreign
agent. The home-mobile key reply extension, illustrated below, is
authenticated along with the rest of the Registration Reply message,
and thus no additional authenticator is included in the extension.
The SPI used to encode the registration key may be different than the
SPI used to authenticate the Registration Reply message.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... SPI (continued) | MN Enc. Key ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Mobile Node Encrypted Key ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 120
Length 4 plus the length of the encrypted key for the mobile
node
SPI Security Parameters Index (4 bytes). An opaque
identifier.
Mobile Node Encrypted Key
(variable length) The registration key, chosen by
the home agent, encrypted under the mobility security
association between the home agent and the mobile node.
The same key must be sent, encrypted for the foreign
agent in a foreign agent registration key extension in
this Registration Reply message.
Perkins and Johnson Expires 29 January 1998 [Page 26]
Internet Draft Route Optimization in Mobile IP 29 July 1997
7.2. Foreign Agent Key Reply Extension
The home-foreign registration key reply extension may be used in
Registration Reply messages to send a registration key from the
mobile node's home agent to the mobile node's new foreign agent.
When used, the home agent is required to also include a home-mobile
registration key reply extension in the Registration Reply message,
giving a copy of the same key to the mobile node.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... SPI (continued) | FA Enc. Key ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Foreign Agent Encrypted Key ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 121
Length 4 plus the length of the encrypted foreign agent's key
plus the length of the authenticator
SPI Security Parameters Index (4 bytes). An opaque
identifier.
Foreign Agent Encrypted Key
(variable length) The registration key, chosen by
the home agent, encrypted under the mobility security
association between the home agent and the foreign agent.
The key which is sent in this extension must also be sent by the
home agent to the mobile node, encoded for the mobile node in a
mobile node registration key extension in the same Registration Reply
message.
Authentication of the key is performed by use of data within a HA-FA
Authentication extension to the Registration Reply message which is
required when the Foreign Agent Key Reply extension is used. Replay
protection is accomplished using the identification field in the
Registration Request message, which is also used by the foreign agent
to identify the pending registration data.
Perkins and Johnson Expires 29 January 1998 [Page 27]
Internet Draft Route Optimization in Mobile IP 29 July 1997
7.3. Mobile Node Public Key Reply Extension
When the mobile node sends a Mobile Node Public Key Request to its
prospective foreign agent, the foreign agent can immediately select
a registration key. The foreign agent encodes this registration key
into the Mobile Node Public Key Reply extension to the Registration
Request, along with an SPI for future reference. The home agent
subsequently transcribes the extension without change into the
Registration Reply message. This procedure allows the mobile node to
be protected against common man-in-the-middle attacks.
The Mobile Node Public Key Reply message is illustrated below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... SPI (continued) | MN Enc. Key ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... Mobile Node's Encoded Key (continued) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 122
Length The length (in bytes) of the computed value.
SPI Security Parameters Index (4 bytes). An opaque
identifier.
Mobile Node's Encoded Key
The foreign agent chooses a suitable key, possibly a
pseudo-random number, and encodes it using the mobile
node's public key.
7.4. Foreign Agent Public Key Reply Extension
In response to a foreign agent public key request extension, the home
agent will select a registration key and encode it twice into two
separate key reply extensions of the Registration Reply message. The
Foreign Agent Public Key Reply extension contains the registration
key encoded with the public key of the foreign agent.
Perkins and Johnson Expires 29 January 1998 [Page 28]
Internet Draft Route Optimization in Mobile IP 29 July 1997
The Foreign Agent Public Key Reply message is illustrated below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... SPI (continued) | FA Enc. Key ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ...Foreign Agent's Encoded Key (continued) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 123
Length 4 plus the length (in bytes) of the Foreign Agent's
Encoded Key.
SPI Security Parameters Index (4 bytes). An opaque
identifier.
Foreign Agent's Encoded Key
The foreign agent chooses a suitable pseudo-random
number, and encodes it using the mobile node's public
key.
The SPI, provided by the foreign agent for transcribing into this
extension, is ultimately targeted for use by the mobile node.
7.5. Diffie-Hellman Key Reply Extension
The Diffie-Hellman Registration Key Reply extension, illustrated
below, should be included in a Registration Request message sent by
a foreign agent to the home agent, when the following conditions are
met:
- mobile node has included a Registration Key Request extension
with nonzero prime and generator in its Registration Request
message to the foreign agent, and
- the foreign agent has no public key or security association with
the home agent or mobile node.
Perkins and Johnson Expires 29 January 1998 [Page 29]
Internet Draft Route Optimization in Mobile IP 29 July 1997
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | SPI ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... SPI (continued) |Computed Val....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... Computed Value (continued) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type 125
Length 4 plus the length (in bytes) of the computed value.
SPI Security Parameters Index (4 bytes). An opaque
identifier.
Computed Value
The foreign agent chooses a large random number, y. If g
is the value of the generator and p is the value of the
prime, the computed value in the extension is gymod p.
The values of the generator and prime, if nonzero, are
taken from the Registration Key Request extension from
the mobile node's Registration Request message.
The foreign agent supplies a new SPI along with the new registration
key, so that the new key will be useful in the same way as
registration keys created by any other method.
8. Using Special Tunnels
Whenever any node receives a tunneled datagram for which it has no
visitor list entry for the datagram's destination, the node is not
serving the mobile node as a foreign agent, and thus the care-of
address used by the tunnel originator is surely incorrect. Thus,
the tunneling node has an out-of-date binding cache entry for the
destination mobile node. If the node receiving the tunneled datagram
has a binding cache entry for the destination, it should re-tunnel
the datagram to the care-of address indicated in its binding cache
entry.
If a foreign agent receiving the tunneled datagram has no binding
cache entry for the destination, it cannot re-tunnel the node to
its destination. Instead, the foreign agent should forward the
datagram to the destination mobile node's home agent, using a special
form of tunneling called a special tunnel. To tunnel the datagram
using a special tunnel, the tunneled datagram's destination address
Perkins and Johnson Expires 29 January 1998 [Page 30]
Internet Draft Route Optimization in Mobile IP 29 July 1997
is set equal to the destination address in the tunneled datagram.
Thus, both the inner and outer destination addresses are set to
the home address of the mobile node. The tunneled datagram will
thus be routed to the mobile node's home network, where it will be
intercepted by the mobile node's home agent in the same way as other
datagrams addressed to the mobile node.
8.1. Home Agent Handling of Special Tunnels
The home agent should then tunnel the datagram to the current care-of
address for the mobile node. However, the home agent may not tunnel
the datagram to the current care-of address if the special tunnel
of the datagram originated at that care-of address, as indicated
by the outer source address of the special tunnel. The use of the
special tunnel format allows the home agent to identify the node
that tunneled the datagram to it (as well as the original sender of
the datagram). If the home agent believes that the current care-of
address for the mobile node is the same as the source of the special
tunnel, then the home agent SHOULD discard the datagram. When that
happens, the foreign agent serving the mobile node appears to have
lost its entry for the mobile node in its visitor list. For example,
the foreign agent may have crashed and rebooted.
Otherwise, after tunneling the datagram to the current care-of
address for the mobile node, the home agent should notify the source
of the special tunnel of the mobile node's current binding, by
sending it a Binding Update message. The home agent should also
send a Binding Update message to the sender of the original datagram
(the inner source address of the tunneled datagram), if it shares a
mobility security association with this node.
8.2. Foreign Agents and Special Tunnels
When a foreign agent is the endpoint of a tunneled datagram, it
examines its visitor list for an entry for the destination mobile
node, as in the base Mobile IP protocol. If no visitor list entry
is found, the foreign agent examines its binding cache for a cache
entry for the destination mobile node. If one is found, the foreign
agent re-tunnels the new care-of address indicated in the binding
cache entry. In this case, the foreign agent also may infer that the
sender of the datagram has an out-of-date binding cache entry for
this mobile node, since it otherwise would have tunneled the datagram
directly to the correct new care-of address itself. The foreign
agent should then send a Binding Warning message to the mobile node's
home agent. The foreign agent probably learned the address of the
home agent in the Registration Reply message for the mobile node, or
Perkins and Johnson Expires 29 January 1998 [Page 31]
Internet Draft Route Optimization in Mobile IP 29 July 1997
a later Binding Update message from which the binding cache entry was
created.
If a foreign agent receives a tunneled datagram for a mobile node
for which it has no visitor list entry or binding cache entry, the
foreign agent should forward the datagram to the mobile node's home
agent by sending it as a special tunnel (Section 3.2). The home
agent will intercept the special tunnel datagram addressed to the
mobile node in the same way as any datagram for the mobile node while
it is away from home.
9. Mobile Node Key Requests
If the mobile node detects that its new foreign agent supports
smooth handoffs, it may initiate that process with its previous
foreign agent, as well as asking its new foreign agent to aid in
supplying a registration key for the new registration. The following
code fragment illustrates a good algorithm for the mobile node
to use during registration, to allow the maximum flexibility in
the selection of the new registration key. Any particular mobile
node may be configured to use one, none, or any subset of the
key establishment procedures made available as part of the Route
Optimization protocol.
if (got 'S' bit from advertisement) {
if (have registration key with previous FA) {
; /* append Previous Foreign Agent Notification */
}
/* Set up registration key */
if (have security association with current FA) {
; /* Don't need to create a registration key */
}
else if (have a public key) {
; /* append MN Public Key request */
}
else if (want D-H exchange) {
/* compute a value for prime p and generator g */
/* use it and append MN Key request */
}
else /* append MN key request with null computed value, etc */
}
In this way, the mobile node can get a registration key whenever one
is available by any mechanism specified in this document.
Perkins and Johnson Expires 29 January 1998 [Page 32]
Internet Draft Route Optimization in Mobile IP 29 July 1997
10. Miscellaneous Home Agent Operations
10.1. Home Agent Rate Limiting
A home agent is required to provide some mechanism to limit the
rate at which it sends Binding Update messages to to the same node
about any given mobility binding. This rate limiting is especially
important because it is expected that, within the short term, most
Internet nodes will not support maintenance of a binding cache. In
this case, continual transmissions of Binding Update messages to
such a correspondent node will only add unnecessary overhead to at
the home agent and correspondent node, and along the Internet path
between these nodes.
10.2. Receiving Registration Key Requests
When the home agent receives a Registration Request message, an
extension requesting a registration key (Section 6) may be present
in the message, requesting the home agent to provide a registration
key to the mobile node and its foreign agent, as described in
Section 3.2. In that event, the home agent employs a good algorithm
for producing random keys [3] and encrypts the result separately for
use by the foreign agent and by the mobile node. The chosen key is
encrypted under the mobility security association shared between the
home agent and the mobile node, and the encrypted key is placed in
a home-mobile registration key reply extension (Section 7.1) in the
Registration Reply message. The same key also is encrypted under
the mobility security association shared between the home agent and
the foreign agent, and the encrypted key is placed in a home-foreign
registration key reply extension (Section 7.2) in the Registration
Reply message. When the home agent transmits the Registration Reply
message containing reply extensions to the foreign agent, the message
has the overall structure as follows:
-------------------------------------------------------------
|IP|UDP| Reg-Reply| MN Key| FA Key| HA-MH Auth.| HA-FA Auth.|
-------------------------------------------------------------
The mobile node gets the registration key, typically encoded using
an algorithm such as that described in Section 3.3.1. The encoding
of the foreign agent's copy of the key depends on the particular
key request made by the foreign agent, and may depend upon the SPI
specified along with the encoded key. The HA-FA authentication
extension is only included if the home agent and foreign agent share
a mobility security association.
Perkins and Johnson Expires 29 January 1998 [Page 33]
Internet Draft Route Optimization in Mobile IP 29 July 1997
If the home agent cannot satisfy a request to select a registration
key, it MAY still satisfy the registration attempt. In this case,
the home agent returns a Registration Reply message indicating
success, but does not include any key reply extension.
10.3. Mobility Security Association Management
One of the most difficult aspects of Route Optimization for Mobile IP
in the Internet today is that of providing authentication for all
messages that affect the routing of datagrams to a mobile node.
In the base Mobile IP protocol, only the home agent is aware of
the mobile node's mobility binding and only the home agent tunnels
datagrams to the mobile node. Thus, all routing of datagrams to the
mobile node while away from its home network is controlled by the
home agent. Authentication is currently achieved based on a manually
established mobility security association between the home agent and
the mobile node. Since the home agent and the mobile node are both
owned by the same organization (both are assigned IP addresses within
the same IP subnet), this manual configuration is manageable, and
(for example) can be performed while the mobile node is at home.
However, with Route Optimization, authentication is more difficult
to manage, since a Binding Update may in general need to be sent to
almost any node in the Internet. Since no authentication or key
distribution protocol is generally available in the Internet today,
the Route Optimization procedures defined in this document make
use of the same type of manually key distributing used in the base
Mobile IP protocol. For use with Route Optimization, a mobility
security association held by a correspondent node or a foreign agent
must include the same parameters as required by base Mobile IP [10].
For a correspondent node to be able to create a binding cache entry
for a mobile node, the correspondent node and the mobile node's
home agent are required to have established a mobility security
association. This mobility security association, though, could
conceivably be used in creating and updating binding cache entries
at this correspondent node for all mobile nodes served by this home
agent. Doing so places the correspondent node in a fairly natural
relationship with respect to the mobile nodes served by this home
agent. For example, the mobile nodes may represent different people
affiliated with the same organization owning the home agent, with
which the user of the correspondent node often collaborates. The
effort of establishing such a mobility security association with
the relevant home agent may be more easily justified (appendix A)
than the effort of doing so with each mobile node. It is similarly
possible for a home agent to have a manually established mobility
security association with the foreign agents often used by its mobile
Perkins and Johnson Expires 29 January 1998 [Page 34]
Internet Draft Route Optimization in Mobile IP 29 July 1997
nodes, or for a particular mobile node to have a manually established
mobility security association with the foreign agents serving the
foreign networks that it often visits.
In general, if the movement and communication patterns of a mobile
node or the group of mobile nodes served by the same home agent are
sufficient to justify establishing a mobility security association
with the mobile node's home agent, users or network administrators
are likely to do so. Without establishing a mobility security
association, nodes will not currently be able to use the Route
Optimization extensions but can use the base Mobile IP protocol.
10.4. Home Agent Supplying Registration Keys
When the home agent receives a Registration Request message
with registration key extensions, it usually performs one of two
operations:
- select and encode a registration key for both the mobile node and
the foreign agent, or
- transcribe the registration key already selected by the foreign
agent into the appropriate extension to the Registration Reply
message.
Both operations ensure that the mobile node and home agent are
dealing with the same foreign agent.
When building the Registration Reply, the home agent should follow
an algorithm such as the one illustrated below, to be as useful as
possible for the range of registration key establishment scenarios
that are possible given the current route optimization protocol.
/* Set up registration key */
if (Foreign Agent Key Request) { /* then have security assn. */
/* append MN Key Reply to Registration Reply */
/* append FA key reply to Registration Reply */
}
else if ((have foreign agent public key) ||
(have FA Public Key Reply)) {
/* append MN Key Reply to Registration Reply */
/* append FA Public Key Reply to Registration Reply */
}
else {
/* do nothing */
}
/* append mobile-home authentication extension at end */
Perkins and Johnson Expires 29 January 1998 [Page 35]
Internet Draft Route Optimization in Mobile IP 29 July 1997
11. Miscellaneous Foreign Agent Operations
This section details various operational considerations important
for foreign agents wishing to support smooth handoff. This includes
processing Previous Foreign Agent Notification messages, algorithms
for establishment of registration keys, use of special tunnels, and
the maintenance of up-to-date binding cache entries.
11.1. Previous Foreign Agent Notification
When a foreign agent receives a Previous Foreign Agent Notification
message, it creates a Binding Update for the previous foreign agent,
using the specified SPI and precomputed authenticator sent to it by
the mobile node. The Binding Update message is also required to set
the 'A' bit, so that the previous foreign agent will know to send a
Binding Acknowledge message back to the mobile node.
When the previous foreign agent receives the Binding Update, it will
authenticate the message using the mobility security association and
SPI set up with the registration key established with the mobile
node during its registration with this mobile node. If the message
authentication is correct, the visitor list entry for this mobile
node at the previous foreign agent will be deleted and a Binding
Acknowledge message returned to the sender. In addition, if a new
care-of address was included in the Binding Update message, the
previous foreign agent will create a binding cache entry for the
mobile node; the previous foreign agent can then tunnel datagrams
to the mobile node's new care-of address using that binding cache,
just as any node maintaining a binding cache. The previous foreign
agent is also expected to return a Binding Acknowledge message to the
mobile node.
Note that this Binding Acknowledge is addressed to the mobile node,
and thus needs to be tunneled using the new binding cache entry. The
tunneled acknowledgment then should be delivered directly to the
new foreign agent, without having to go to the home network. This
creates an interesting problem for the new foreign agent when it
receives the acknowledgment before the Registration Reply from the
home agent. It is suggested that the new foreign agent deliver the
acknowledgment to the mobile node anyway, even though the mobile
node is technically unregistered. If there is concern that this
provides a loophole for unauthorized traffic to the mobile node, the
new foreign agent could limit the number of datagrams delivered to
the unregistered mobile node to this single instance. Alternatively,
a new extension to the Registration Reply message can be defined to
carry along the acknowledgment from the previous foreign agent. This
latter approach would have the benefit that fewer datagrams would
Perkins and Johnson Expires 29 January 1998 [Page 36]
Internet Draft Route Optimization in Mobile IP 29 July 1997
be transmitted over bandwidth-constrained wireless media during
registration.
When the Binding Acknowledge message from the previous foreign agent
is received by the new foreign agent, it detunnels it and sends
it to the mobile node. In this way, the mobile node can discover
that its previous foreign agent has received the Binding Update
message. The mobile node has to be certain that its previous foreign
agent has been notified about its new care-of address, because
otherwise the previous foreign agent could become a "black hole"
for datagrams destined for the mobile node based on out-of-date
binding cache entries at other nodes. The new foreign agent has no
further responsibility for helping to update the binding cache at the
previous foreign agent, and does not retransmit the message even if
no acknowledgment is received.
If the acknowledgment has not been received after sufficient time,
the mobile node is responsible for retransmitting another Binding
Update message to its previous foreign agent. Although the previous
foreign agent may have already received and processed the Binding
Update message (the Binding Acknowledge message may have been lost in
transit to the new foreign agent), the mobile node should continue
to retransmit its Binding Update message until the previous foreign
agent responds with a Binding Acknowledge.
The registration key established with this previous foreign agent
is typically destroyed as a part of the processing of this Binding
Update message, or soon afterwards. Since the previous foreign
agent deletes the visitor list entry for the mobile node, it also
deletes its record of the registration key. A registration key is
thus useful only for the notification to the previous foreign agent
after moving to a new care-of address. When no subsequent use of
this registration key is expected, no reply protection is necessary
for the Binding Update message used for the notification. Some
foreign agents may choose to retain the key for a short time in case
the mobile node does not receive the acknowledgment and resends the
Binding Update later.
11.2. Maintaining Binding Caches
It is possible that the binding cache entry taken by the previous
foreign agent from the information in the abovementioned extension
will be deleted from its cache at any time. In this case, the
previous foreign agent will be unable to re-tunnel subsequently
arriving tunneled datagrams for the mobile node, and would resort to
using a special tunnel. Mobile nodes SHOULD assign small lifetimes
Perkins and Johnson Expires 29 January 1998 [Page 37]
Internet Draft Route Optimization in Mobile IP 29 July 1997
to such bindings so that they will not take up space in the foreign
agent's binding cache for very long.
11.3. Rate Limiting
A foreign agent is required to provide some mechanism to limit the
rate at which it sends Binding Warning messages to the same node
about any given mobility binding. This rate limiting is especially
important because it is expected that, within the short term, many
Internet nodes will not support maintenance of a binding cache. In
this case, continual transmissions of Binding Warning messages to
such a correspondent node will only add unnecessary overhead to at
the foreign agent and correspondent node, and along the Internet path
between these nodes.
11.4. Foreign Agent Handling Key Requests
The foreign agent, when it receives a request from a mobile node for
a registration key, is faced with a variety of possible actions. The
action selected by the foreign agent depends on the resources it has
available. The foreign agent typically attempts to reduce as much
as possible the computational burden placed on the mobile node, but
relies on the security association with the greatest cryptographic
strength to encode the registration key. Furthermore, if the foreign
agent performs the key selection, it still supplies the encoded key
in an extension to the Registration Request message, so that the
process of registration will also have the effect of authenticating
its choice of registration key to the mobile node. This strategy
reduces the opportunity for interlopers to mount man-in-the-middle
attacks.
The following code fragment, executed when the foreign agent receives
a key request of some variety, exhibits an algorithm which may be
useful for implementors of foreign agents. The algorithm is supposed
to be used when a foreign agent gets a Registration Request with one
of the key request extensions included.
if (Previous Foreign Agent Notification) {
/* build the Binding Update and authentication extension */
}
/* Set up registration key */
if (have security association with HA) {
/* Append FA key request to Registration Request */
}
else if (have a public key) {
Perkins and Johnson Expires 29 January 1998 [Page 38]
Internet Draft Route Optimization in Mobile IP 29 July 1997
/* append FA Public Key request to Registration Request */
}
else if (have mobile node's public key) {
/* pick a good key */
/* append FA Public Key Reply to Registration Request */
}
else if (want D-H exchange) {
/* start the computation */
/* append the result to the Registration Key Request */
else {
/* do nothing */
}
12. Security Considerations
Whenever the foreign agent is involved with the production of a
registration key by use of the Diffie-Hellman algorithm, the process
is susceptible to the "man-in-the-middle" attack, as detailed in
Section 3.4. This attack is not known to produce further difficulty,
and susceptibility is already inherent in the operation of the base
Mobile IP specification [10]. Attention to this detail is warranted
during any future changes to the Route Optimization protocol, and
ways to reduce the risk of direct interest for inclusion into future
revisions of this document.
The calculation of the authentication data described in Section 3.3.1
is specified to be the same as in the base Mobile IP document for
ease of implementation. There is a better method available (HMAC),
specified in RFC 2104 [6]. If the base Mobile IP specification is
updated to use HMAC, then this route optimization specification
should also be updated similarly.
Registration keys should typically NOT be used as master keys for
producing other derived keys, because of the man-in-the-middle attack
associated with unidentifiable foreign agents.
13. Summary
In this document, we have presented the current protocol definition
for Route Optimization, by which is meant the elimination of triangle
routing whenever the correspondent node is able to perform the
necessary protocol operations. The Route Optimization protocol
definition is largely concerned with three areas:
Perkins and Johnson Expires 29 January 1998 [Page 39]
Internet Draft Route Optimization in Mobile IP 29 July 1997
- Supplying a Binding Update to any correspondent node that needs
one (and has some realistic chance to process it correctly)
- Providing means to create the needed authentication and replay
protection so that the recipient of a binding update message can
believe it, and
- Allowing for the mobile node and foreign agent to create a
registration key for later use in making a smooth transitions to
a new point of attachment.
The ways provided for the mobile node and foreign agent to obtain a
registration key are as follows:
- Use the mobility security association they share if it exists
- Use the mobile node's public key if it exists
- Use the foreign agent's public key, if it exists, to enable the
home agent to create public keys for both entities, or
- Use the security association between the foreign agent and home
agent, if it exists, to enable the home agent to create the
registration keys for both entities, or
- Use the Diffie-Hellman key exchange algorithm.
Lastly, we detail the use of special tunnels, so that foreign agents
that lose track of one of their visiting mobile nodes can still
forward datagrams to the home agent for another try at delivery.
A. Using a Master Key at the Home Agent
Rather than storing each mobility security association that it has
established with many different correspondent nodes and foreign
agents, a home agent may manage its mobility security associations so
that each of them can be generated from a single master key. With
the master key, the home agent could build a key for any given other
node by computing the node-specific key as
MD5(node-address | master-key | node-address)
where node-address is the IP address of the particular node for which
the home agent is building a key, and master-key is the single master
key held by the home agent for all mobility security associations it
has established with correspondent nodes. The node-specific key is
built by computing an MD5 hash over a string consisting of the master
key with the node-address concatenated as a prefix and as a suffix.
Perkins and Johnson Expires 29 January 1998 [Page 40]
Internet Draft Route Optimization in Mobile IP 29 July 1997
Using this scheme, when establishing each mobility security
association, the network administrator managing the home agent
computes the node-specific key and communicates this key to the
network administrator of the other node through some secure channel,
such as over the telephone. The mobility security association
is configured at this other node in the same way as any mobility
security association. At the home agent, though, no record need be
kept that this key has been given out. The home agent need only be
configured to know that this scheme is in use for all of its mobility
security associations (perhaps only for specific set of its mobile
nodes).
When the home agent needs a mobility security association as part
of Route Optimization, it builds the node-specific key based on the
master key and the IP address of the other node with which it is
attempting to authenticate. If the other node knows the correct
node-specific key, the authentication will succeed; otherwise, it
will fail as it should.
Perkins and Johnson Expires 29 January 1998 [Page 41]
Internet Draft Route Optimization in Mobile IP 29 July 1997
References
[1] CDPD consortium. Cellular Digital Packet Data Specification,
July 1993.
[2] W. Diffie and M. Hellman. New Directions in Cryptography. IEEE
Transactions on Information Theory, 22:644--654, November 1976.
[3] Donald E. Eastlake, Stephen D. Crocker, and Jeffrey I. Schiller.
Randomness Recommendations for Security. RFC 1750, December
1994.
[4] Stan Hanks, Tony Li, Dino Farinacci, and Paul Traina. Generic
Routing Encapsulation (GRE). RFC 1701, October 1994.
[5] David B. Johnson. Scalable and Robust Internetwork Routing
for Mobile Hosts. In Proceedings of the 14th International
Conference on Distributed Computing Systems, pages 2--11, June
1994.
[6] H. Krawczyk, M. Bellare, and R. Cannetti. HMAC: Keyed-Hashing
for Message Authentication. RFC 2104, February 1997.
[7] RSA Laboratories. Rsaref: A cryptographic toolkit, version
2.0, 1994. http://www.consensus.com/rsaref/index.html.
[8] Charles Perkins. IP Encapsulation within IP. RFC 2003, May
1996.
[9] Charles Perkins. Minimal Encapsulation within IP. RFC 2004,
May 1996.
[10] C. Perkins, Editor. IPv4 Mobility Support. RFC 2002, October
1996.
[11] Bruce Schneier. Applied Cryptography: Protocols, Algorithms,
and Source Code in C. John Wiley, New York, NY, USA, 1994.
Perkins and Johnson Expires 29 January 1998 [Page 42]
Internet Draft Route Optimization in Mobile IP 29 July 1997
Chairs' Addresses
The working group can be contacted via the current chairs:
Jim Solomon
Motorola, Inc.
1301 E. Algonquin Road
Schaumburg, IL 60196
USA
Phone: +1-847-576-2753
E-mail: solomon@comm.mot.com
Erik Nordmark
Sun Microsystems, Inc.
901 San Antonio Road
Palo Alto, California 94303
USA
Phone: +1 415 786-5166
Fax: +1 415 786-5896
E-mail: nordmark@sun.com
Perkins and Johnson Expires 29 January 1998 [Page 43]
Internet Draft Route Optimization in Mobile IP 29 July 1997
Authors' Addresses
Questions about this document can also be directed to the authors:
Charles E. Perkins
Technology Development Group
Mail Stop MPK15-214
Room 2682
Sun Microsystems, Inc.
901 San Antonio Road
Palo Alto, California 94303
USA
Phone: +1-415-786-6464
Fax: +1-415-786-6445
email: charles.perkins@Sun.COM
David B. Johnson
Computer Science Department
Carnegie Mellon University
5000 Forbes Avenue
Pittsburgh, PA 15213-3891
Phone: +1-412-268-7399
Fax: +1-412-268-5576
E-mail: dbj@cs.cmu.edu
Perkins and Johnson Expires 29 January 1998 [Page 44]
