Network Working Group                                   David B. Johnson
INTERNET DRAFT                                Carnegie Mellon University
28 November 1994                                            Andrew Myles
                                                    Macquarie University
                                                         Charles Perkins
                                                         IBM Corporation

                     Route Optimization in Mobile IP
                    draft-ietf-mobileip-optim-00.txt

Abstract

   This document defines experimental extensions to the operation of the basic Mobile IP protocol to allow for optimization of datagram routing from a correspondent node to a mobile node. Without route optimization, all datagrams destined to a mobile node are routed through that mobile node's home agent, which then tunnels each datagram to the mobile node's current location. The protocol extensions described here provide a means for correspondent nodes to cache the location of a mobile node and to then tunnel their own datagrams for the mobile node directly to that location, bypassing the possibly lengthy route for each datagram to and from the mobile node's home agent. Extensions are also provided to optimize the handoff from one foreign agent to another as the mobile node moves.

   This draft is currently incomplete and changes to it are in progress. We welcome any comments on it from others in the community.

Status of This Memo

   This document is an Internet Draft. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six months. Internet Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as reference material or to cite them other than as "working drafts" or "work in progress".

   Please check the lid-abstracts.txt listing contained in the internet-drafts Shadow Directories on nic.ddn.mil, nnsc.nsf.net, nic.nordu.net, ftp.nisc.sri.com, or munnari.oz.au to learn the current status of an Internet Draft.
Johnson, Myles, Perkins                                Expires 28 May 1995 [Page i]

Internet Draft             Route Optimization in Mobile IP             28 November 1994

Contents

   Abstract
   Status of This Memo
   1. Introduction
   2. Route Optimization Overview
      2.1. Location Caching
      2.2. Foreign Agent Handoff
      2.3. Location Cache Updates
   3. Route Optimization Message Formats
      3.1. Binding Advice Message
      3.2. Binding Inquire Message
      3.3. Binding Update Message
      3.4. Binding Acknowledge Message
   4. Route Optimization Extension Formats
      4.1. Previous Foreign Agent Notification Extension
      4.2. Route Optimization Authentication Extension
      4.3. Mobile Node Registration Key Extension
      4.4. Foreign Agent Registration Key Extension
   5. Mobility Security Association Management
      5.1. Motivation
      5.2. Mobility Security Associations
      5.3. Using a Master Key at the Home Agent
   6. Location Cache Considerations
      6.1. Cache Management
      6.2. Receiving Binding Advice Messages
      6.3. Receiving Binding Update Messages
   7. Home Agent Considerations
      7.1. Tunneling Datagrams
      7.2. Receiving Binding Inquire Messages
   8. Foreign Agent Considerations
      8.1. Previous Foreign Agent Notification
      8.2. Receiving Tunneled Datagrams
   9. Mobile Node Considerations
      9.1. Previous Foreign Agent List
      9.2. Previous Foreign Agent Notification
   References
   Chairs' Addresses
   Authors' Addresses

1. Introduction

   The basic Mobile IP protocol [2] allows a mobile node to move about, changing its point of attachment to the Internet, while continuing to be addressed by its home IP address. Correspondent nodes sending IP datagrams to a mobile node address them to the mobile node's home address in the same way as any destination. While the mobile node is connected to the Internet away from its home network, it is served by a "home agent" on its home network and is associated with a "care-of address" indicating its current location. The association between a mobile node's home address and its care-of address is known as a "mobility binding".

   The care-of address is generally the address of a "foreign agent" on the network being visited by the mobile node, which forwards arriving datagrams locally to the mobile node. Alternatively, the care-of address may be temporarily assigned to the mobile node using DHCP [1] or other means.

   All IP datagrams addressed to the mobile node are routed by the normal IP routing mechanisms to the mobile node's home network, where they are intercepted by the mobile node's home agent, which then tunnels each datagram to the mobile node's current care-of address. Datagrams sent by a mobile node use the foreign agent as a default router but require no other special handling or routing.

   This basic scheme allows transparent interoperation with mobile nodes, but by forcing all datagrams for a mobile node to be routed through its home agent, this basic protocol may often lead to routing that is significantly less than optimal.
   For example, if a mobile node, say MN1, is visiting some subnet, even datagrams from a correspondent node on this same subnet must be routed through the Internet to MN1's home agent on MN1's home network, only to then be tunneled back to the original subnet to MN1's foreign agent for delivery to MN1. This indirect routing can significantly delay the delivery of the datagram to MN1 and places an unnecessary burden on the networks and routers along this path through the Internet. If the correspondent node in this example is actually another mobile node, say MN2, then datagrams from MN1 to MN2 must likewise be routed through MN2's home agent on MN2's home network and back to the original subnet for delivery to MN2.

   This document defines experimental extensions to the basic Mobile IP protocol to allow for the optimization of datagram routing from a correspondent node to a mobile node. These extensions provide a means for nodes that implement them to cache the care-of address of a mobile node and to then tunnel their own datagrams directly there, bypassing the possibly lengthy route to and from that mobile node's home agent. Extensions are also provided to allow datagrams in flight when a mobile node moves, or datagrams sent based on an out-of-date cached care-of address, to be forwarded directly to the mobile node's new care-of address.

   All operation of route optimization that affects the routing of IP datagrams to the mobile node is authenticated using the same type of authentication mechanism used in the basic Mobile IP protocol. This authentication relies on a "mobility security association" established in advance between the node sending a message and the node receiving the message that must authenticate it.
   When the required mobility security association has not been established, a Mobile IP implementation using route optimization operates in the same way as the basic Mobile IP protocol.

   Section 2 of this document provides an overview of the operation of route optimization. Section 3 defines the message types used by route optimization, and Section 4 defines the message extensions used. Section 5 discusses the problem of managing the mobility security associations needed to provide authentication of all messages that affect the routing of datagrams to a mobile node. The final four sections of this document define in detail the operation of route optimization from the point of view of each of the entities involved: location cache considerations are presented in Section 6, home agent considerations in Section 7, foreign agent considerations in Section 8, and mobile node considerations in Section 9.

2. Route Optimization Overview

2.1. Location Caching

   Route optimization provides a means for any node that wishes to optimize its own communication with mobile nodes to maintain a "location cache" in which it caches the mobility binding of one or more mobile nodes. When sending an IP datagram to a mobile node, if the sender has a location cache entry for this mobile node, it may tunnel the datagram directly to the care-of address indicated in the cached mobility binding.

   In the absence of any location cache entry, datagrams destined for a mobile node will be routed to the mobile node's home network in the same way as any other IP datagram, and are then tunneled to the mobile node's current care-of address by the mobile node's home agent. This is the only routing mechanism supported by the basic Mobile IP protocol.
   With route optimization, as a side effect of this indirect routing of a datagram to a mobile node, the original sender of the datagram is informed of the mobile node's current mobility binding, giving the sender an opportunity to cache the binding. A node may create a location cache entry for a mobile node only when it has received and authenticated the mobile node's mobility binding. Likewise, a node may update an existing location cache entry for a mobile node, such as after the mobile node has moved to a new foreign agent, only when it has received and authenticated the mobile node's new mobility binding.

   A location cache will, by necessity, have a finite size. Any node implementing a location cache may manage the space in its cache using any local cache replacement policy. If a datagram is sent to a destination for which the cache entry has been dropped from the cache, the datagram will be routed normally through the mobile node's home network and will be tunneled to the mobile node's care-of address by its home agent. As when a location cache entry is initially created, this indirect routing to the mobile node will result in the original sender of the datagram being informed of the mobile node's current mobility binding, allowing it to add this entry again to its location cache.

2.2. Foreign Agent Handoff

   When a mobile node moves and registers with a new foreign agent, the basic Mobile IP protocol does not notify the mobile node's previous foreign agent. IP datagrams intercepted by the home agent after the new registration are tunneled to the mobile node's new care-of address, but datagrams in flight that had already been intercepted by the home agent and tunneled to the old care-of address when the mobile node moved are lost and are assumed to be retransmitted by higher-level protocols if needed.
   The old foreign agent eventually deletes the mobile node's registration after the expiration of the lifetime period established when the mobile node registered there.

   Route optimization provides a means for the mobile node's previous foreign agent to be reliably notified of the mobile node's new mobility binding, allowing datagrams in flight to the mobile node's previous foreign agent to be forwarded directly to its new care-of address. This notification also allows any datagrams tunneled to the mobile node's previous foreign agent from correspondent nodes with out-of-date location cache entries for the mobile node (they have not yet learned that the mobile node has moved) to be forwarded directly to its new care-of address. Finally, this notification allows any resources consumed by the mobile node's registration at the previous foreign agent (such as radio channel reservations) to be released immediately, rather than waiting for the mobile node's registration to expire.

   During registration with a new foreign agent, the mobile node and the new foreign agent may establish a "registration key", which acts as a session key for this registration. The mobile node's home agent may choose a registration key and include copies of it in the Registration Reply message for the foreign agent and for the mobile node. The copy for the mobile node is included in a Mobile Node Registration Key extension and is encrypted under a key and algorithm shared between the home agent and the mobile node as part of their mobility security association. Likewise, the copy for the foreign agent is included in a Foreign Agent Registration Key extension and is encrypted under a key and algorithm shared between the home agent and the foreign agent as part of their mobility security association. If the home agent and foreign agent do not share a mobility security association, then no registration key is established.
   When the mobile node later registers with a new foreign agent, it may use this registration key from its registration with its previous foreign agent to notify it that it has moved. This notification may also optionally include its new mobility binding, allowing the previous foreign agent to create a location cache entry for the mobile node to serve as a "forwarding pointer" to its new location. Any datagrams for the mobile node tunneled to this previous foreign agent that arrive after this location cache entry has been created will then be re-tunneled to the mobile node's new location at the care-of address in this location cache entry.

   To minimize the network bandwidth required for this registration over the link between the mobile node and its new foreign agent, the mobile node may request its new foreign agent to attempt to notify its previous foreign agent on its behalf, by including a Previous Foreign Agent Notification extension in its Registration Request message sent to the new foreign agent. The new foreign agent then builds a Binding Update message and transmits it to the mobile node's previous foreign agent as part of registration, requesting an acknowledgement from the previous foreign agent. The Previous Foreign Agent Notification extension includes only those values needed to construct the Binding Update message that are not already contained in the Registration Request message. The authenticator for the Binding Update message is computed by the mobile node based on its registration key shared with its previous foreign agent; the new foreign agent never needs that key. If the Binding Acknowledge message acknowledging this Binding Update message is received by the new foreign agent before it sends the Registration Reply to the mobile node, the new foreign agent indicates the acknowledgement in the Registration Reply message to the mobile node.
   Otherwise, the new foreign agent forwards the Binding Acknowledge message to the mobile node when it arrives; the mobile node is responsible for occasionally retransmitting a Binding Update message to its previous foreign agent until the matching Binding Acknowledge message is received, or until the mobile node can be sure of the expiration of its registration with that foreign agent.

   The location cache entry created at the mobile node's previous foreign agent is treated in the same way as any other location cache entry. In particular, it is possible that this location cache entry could be deleted from the cache at any time. In this case, the foreign agent will be unable to re-tunnel subsequently arriving tunneled datagrams for the mobile node directly to its new location.

   Suppose a node (such as this previous foreign agent) receives some datagram that has been tunneled to this node, but this node is unable to deliver the datagram locally to the destination mobile node (it is not the mobile node itself, and it is not a foreign agent with a visitor list entry for this mobile node). If this node also has no location cache entry for the mobile node, the node re-tunnels the datagram using a "special tunnel", in which the destination address of the tunnel and the destination address of the datagram carried within the tunnel are both equal to the mobile node's address. The tunneled datagram will eventually reach the mobile node's home network, where it will be intercepted by the mobile node's home agent and tunneled to the mobile node's current care-of address.

   The use of the "special tunnel" enables the home agent to determine which node forwarded the datagram to it (the source address of the tunnel), allowing it to detect the case in which a foreign agent has "forgotten" about one of the visiting mobile nodes registered with it.
   For example, if a foreign agent crashes and reboots, it will generally lose all information in its visitor list. If this were to happen, datagrams destined to mobile nodes that were registered with the foreign agent before it crashed would instead loop indefinitely between that foreign agent and the mobile node's home agent. By allowing the home agent to detect this situation, the datagram can instead be dropped by the home agent when it receives it in the "special tunnel" from the foreign agent that is the mobile node's current care-of address, rather than re-tunneling it again to that foreign agent.

   For compatibility between foreign agents that implement route optimization and home agents that do not, if the foreign agent receives a tunneled datagram that is itself a special-tunneled datagram destined for a mobile node not registered with this foreign agent, the foreign agent should drop the datagram.

2.3. Location Cache Updates

   When a mobile node's home agent intercepts a datagram from the home network and tunnels it to the mobile node, the home agent may deduce that the original sender of the datagram has no location cache entry for the destination mobile node. In this case, the home agent may send a Binding Update message to the sender, informing it of the mobile node's current mobility binding. No acknowledgement for this Binding Update message is needed, since future datagrams intercepted by the home agent from this sender for the mobile node will serve to cause a retransmission of the Binding Update message. In order for the home agent to send this Binding Update to the sender of the datagram, the home agent and this node must have established a mobility security association.
   When the foreign agent serving a mobile node (or the mobile node itself, when using a temporary local IP address as a care-of address) receives a datagram tunneled to it for the mobile node, in which the source address of the tunnel differs from the original source address of the datagram carried within the tunnel, it may deduce that the original sender of the datagram has an out-of-date location cache entry for this mobile node. In this case, the foreign agent (or the mobile node itself, when using a temporary local IP address as a care-of address) may send a Binding Advice message to the original sender of the datagram, advising it that it has an out-of-date location cache entry for the mobile node; the foreign agent learns the mobile node's home agent address during registration, which lets it recognise tunnels that came from the home agent. However, if the source address of the tunnel is the mobile node's home agent, then no Binding Advice message is needed, since in this case the home agent will have already sent a Binding Update message to the original sender when it tunneled the datagram to the foreign agent.

   As above, no acknowledgement of the Binding Advice message is needed, since future datagrams for the mobile node from the same sender will serve to cause a retransmission of the Binding Advice message.

   No authentication of the Binding Advice message is necessary, since it does not directly affect the routing of IP datagrams to the mobile node. Instead, when a node receives a Binding Advice message, that node sends a Binding Inquire message to the indicated mobile node's home agent requesting the mobile node's current mobility binding, which is answered by a Binding Update message from the home agent. When the Binding Update message is received, the node may then create a location cache entry for the mobile node. A forged Binding Advice can therefore provoke at most a Binding Inquire to the home agent, never a change to the cache.
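   The forwarding decisions of Sections 2.2 and 2.3 (forwarding pointers, the "special tunnel", the home agent's loop detection, and when a Binding Advice or Binding Update is triggered) are easier to check as code. The following is an added example, not code from the draft: the classes, method names, action strings and all addresses are assumptions made for this illustration, and the draft specifies behaviour rather than an API.

```python
"""Forwarding decisions for tunneled datagrams under route optimization.

Added example, not code from the draft.  It models the behaviour of
Sections 2.2 and 2.3 (forwarding pointers, the "special tunnel", the home
agent's loop detection, and the Binding Advice / Binding Update triggers).
The classes, method names and returned action strings are assumptions made
for this illustration; the draft specifies behaviour, not an API.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Tunneled:
    """An IP-in-IP tunneled datagram reduced to the addresses that matter."""
    tunnel_src: str   # outer source: the node that tunneled it to us
    tunnel_dst: str   # outer destination: the care-of address it was sent to
    inner_src: str    # original sender (correspondent node)
    inner_dst: str    # mobile node's home address
    # Set when the inner datagram is itself a tunnel (a home agent without
    # route optimization re-tunneling a special-tunneled datagram).
    payload: Optional["Tunneled"] = None


def is_special_tunnel(d: Tunneled) -> bool:
    """Special tunnel: outer and inner destination are both the home address."""
    return d.tunnel_dst == d.inner_dst


@dataclass
class ForeignAgent:
    address: str
    visitor_list: set = field(default_factory=set)      # home addresses registered here
    location_cache: dict = field(default_factory=dict)  # home address -> new care-of address

    def receive(self, d: Tunneled, home_agent_of: dict) -> list:
        """Actions taken for one tunneled datagram, in order."""
        mn = d.inner_dst
        if d.payload is not None and is_special_tunnel(d.payload) and mn not in self.visitor_list:
            # Section 2.2 compatibility rule: a special-tunneled datagram arriving
            # for a node not registered here is dropped rather than looped.
            return ["drop:nested-special-tunnel"]
        if mn in self.visitor_list:
            actions = [f"deliver-locally:{mn}"]
            # Section 2.3: tunnel source != original sender means the sender is
            # using a stale cache entry.  If the home agent tunneled it, it has
            # already sent a Binding Update, so no advice is needed.
            if d.tunnel_src != d.inner_src and d.tunnel_src != home_agent_of.get(mn):
                actions.append(f"binding-advice:to={d.inner_src},mn={mn}")
            return actions
        if mn in self.location_cache:
            # Forwarding pointer left by the handoff notification (Section 2.2).
            return [f"re-tunnel:to={self.location_cache[mn]},mn={mn}"]
        # No visitor entry and no cache entry: send it toward the home network
        # in a special tunnel so the home agent can see who forwarded it.
        return [f"special-tunnel:to={mn},from={self.address}"]


@dataclass
class HomeAgent:
    address: str
    bindings: dict = field(default_factory=dict)              # home address -> care-of address
    security_associations: set = field(default_factory=set)  # peers with a mobility SA

    def intercept(self, inner_src: str, inner_dst: str,
                  special_tunnel_from: Optional[str] = None) -> list:
        """Handle a datagram for one of our mobile nodes (Sections 2.2, 2.3)."""
        coa = self.bindings.get(inner_dst)
        if coa is None:
            return ["deliver-on-home-network"]
        if special_tunnel_from == coa:
            # The current foreign agent no longer knows this mobile node (e.g. it
            # rebooted).  Re-tunneling would loop forever, so drop instead.
            return [f"drop:loop-from={special_tunnel_from}"]
        actions = [f"tunnel:to={coa},mn={inner_dst}"]
        if inner_src in self.security_associations:
            # The sender evidently lacks a current cache entry; tell it the
            # binding.  No acknowledgement: the next datagram retriggers this.
            actions.append(f"binding-update:to={inner_src},mn={inner_dst},coa={coa}")
        return actions


def scenario() -> dict:
    """Constructed scenario: mobile node 10.0.0.5 (home agent 10.0.0.1) moved
    from foreign agent 192.0.2.1 to 198.51.100.1; correspondent 203.0.113.7
    still tunnels to the old care-of address."""
    ha = HomeAgent("10.0.0.1", bindings={"10.0.0.5": "198.51.100.1"},
                   security_associations={"203.0.113.7"})
    old_fa = ForeignAgent("192.0.2.1")   # visitor list entry already deleted
    new_fa = ForeignAgent("198.51.100.1", visitor_list={"10.0.0.5"})
    home_agent_of = {"10.0.0.5": ha.address}
    stale = Tunneled("203.0.113.7", "192.0.2.1", "203.0.113.7", "10.0.0.5")
    r = {}
    old_fa.location_cache["10.0.0.5"] = "198.51.100.1"
    r["old_fa_with_pointer"] = old_fa.receive(stale, home_agent_of)
    old_fa.location_cache.clear()                    # entry evicted from the cache
    r["old_fa_evicted"] = old_fa.receive(stale, home_agent_of)
    r["ha_from_previous_fa"] = ha.intercept("203.0.113.7", "10.0.0.5", special_tunnel_from="192.0.2.1")
    r["ha_from_current_fa"] = ha.intercept("203.0.113.7", "10.0.0.5", special_tunnel_from="198.51.100.1")
    r["new_fa_retunneled"] = new_fa.receive(
        Tunneled("192.0.2.1", "198.51.100.1", "203.0.113.7", "10.0.0.5"), home_agent_of)
    r["new_fa_from_ha"] = new_fa.receive(
        Tunneled("10.0.0.1", "198.51.100.1", "203.0.113.7", "10.0.0.5"), home_agent_of)
    legacy = Tunneled("10.0.0.1", "192.0.2.1", "192.0.2.1", "10.0.0.5",
                      payload=Tunneled("192.0.2.1", "10.0.0.5", "203.0.113.7", "10.0.0.5"))
    r["old_fa_nested_special"] = old_fa.receive(legacy, home_agent_of)
    return r


if __name__ == "__main__":
    for name, actions in scenario().items():
        print(f"{name:24s} {actions}")
```

   The two home agent cases are the ones worth noting: a special tunnel from a previous foreign agent (a stale forwarder) is simply re-tunneled to the current care-of address, while a special tunnel whose source is the current care-of address means that foreign agent has lost its visitor list, and re-tunneling would loop until the TTL expired. The Binding Advice in the new_fa_retunneled case is unauthenticated by design, which is acceptable only because the receiver acts on it by asking the home agent rather than by changing its cache.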
   In order for this node and the home agent to exchange these Binding Inquire and Binding Update messages, they must have established a mobility security association.

   Included in each Binding Update message is an indication of the time remaining in the lifetime associated with the mobile node's current registration. Any location cache entry established or updated in response to this Binding Update message must be marked to be deleted after the expiration of this period.

   A node wanting to provide continued service with a particular location cache entry may attempt to reconfirm that mobility binding before the expiration of this lifetime period. Location cache entry reconfirmation may be appropriate when the node has indications (such as an open transport-level connection to the mobile node) that the location cache entry is still needed. This reconfirmation is performed by the node sending a Binding Inquire message to the mobile node's home agent, requesting it to reply with the mobile node's current mobility binding in a new Binding Update message.

3. Route Optimization Message Formats

   Route optimization defines four message types used for management of location cache entries. Each of these messages begins with a one-octet field indicating the type of the message. The following Type codes are defined in this document:

      16 = Binding Advice message
      17 = Binding Inquire message
      18 = Binding Update message
      19 = Binding Acknowledge message

3.1. Binding Advice Message

   A Binding Advice message is used to advise a node that it appears not to have a current mobility binding cached in a location cache entry for some mobile node.
   It is sent by a mobile node's current foreign agent when the foreign agent receives a tunneled datagram for the mobile node, in which the source address of the tunnel differs from the original source address of the datagram. The Binding Advice message is sent to the original source of the datagram.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |                   Reserved                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Mobile Node Home Address                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      16

   Reserved

      Sent as 0; ignored on reception.

   Mobile Node Home Address

      The home address of the mobile node to which the Binding Advice message refers.

3.2. Binding Inquire Message

   A Binding Inquire message is used by a node when requesting a mobile node's current mobility binding from the mobile node's home agent. It is sent by a node upon receiving a Binding Advice message, or by a node desiring to update the mobility binding in a location cache entry that it holds for the mobile node.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |                   Reserved                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Mobile Node Home Address                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                        Identification                         +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      17

   Reserved

      Sent as 0; ignored on reception.

   Mobile Node Home Address

      The home address of the mobile node to which the Binding Inquire refers.

   Identification

      A 64-bit sequence number, assigned by the node sending the Binding Inquire message, used to assist in matching requests with replies, and in protecting against replay attacks.
3.3. Binding Update Message

   The Binding Update message is used to notify another node of a mobile node's current mobility binding. It may be sent by the mobile node's home agent in response to a Binding Inquire message; it may also be sent by a mobile node or the foreign agent with which it is registering, when notifying the mobile node's previous foreign agent that the mobile node has moved.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |A|                  Reserved                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Mobile Node Home Address                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Care-of Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Lifetime                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                        Identification                         +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Extensions ...
   +-+-+-+-+-+-+-+-

   Type

      18

   Acknowledge (A)

      The Acknowledge (A) bit is set by the node sending the Binding Update message to request that a Binding Acknowledge message be returned acknowledging its receipt.

   Reserved

      Sent as 0; ignored on reception.

   Mobile Node Home Address

      The home address of the mobile node to which the Binding Update message refers.

   Care-of Address

      The current care-of address of the mobile node.

   Lifetime

      The number of seconds remaining before the location cache entry must be considered expired. A value of all ones indicates infinity. When sent by the mobile node's home agent in response to a Binding Inquire message, this value should be less than or equal to the remaining lifetime of the mobile node's registration.
      When sent by the mobile node or its new foreign agent to the mobile node's previous foreign agent during registration, this value is ignored and the lifetime on the location cache entry created at the previous foreign agent must be set to the remaining lifetime of the mobile node's registration with that foreign agent. When sent by the mobile node to its previous foreign agent after completing its new registration, this value should be less than or equal to the remaining lifetime of the mobile node's current registration.

   Identification

      A 64-bit sequence number, used to assist in matching this Binding Update with the Binding Inquire message it answers or with the Binding Acknowledge message that confirms it, and in protecting against replay attacks.

   The Route Optimization Authentication extension (Section 4.2) is required.

3.4. Binding Acknowledge Message

   A Binding Acknowledge message is used to acknowledge receipt of a Binding Update message. It is sent by the node receiving the Binding Update message, if the Acknowledge (A) bit is set in the Binding Update message.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |                   Reserved                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Mobile Node Home Address                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                        Identification                         +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      19

   Reserved

      Sent as 0; ignored on reception.

   Mobile Node Home Address

      Copied from the Binding Update message being acknowledged.

   Identification

      Copied from the Binding Update message being acknowledged.

4. Route Optimization Extension Formats

   Route optimization defines the following four message extensions (Type values not yet assigned):

      ?? = Previous Foreign Agent Notification extension
      ?? = Route Optimization Authentication extension
      ?? = Mobile Node Registration Key extension
      ?? = Foreign Agent Registration Key extension

4.1. Previous Foreign Agent Notification Extension

   The Previous Foreign Agent Notification Extension may be included in a Registration Request message sent to a foreign agent. It is used to request this foreign agent to send a Binding Update message to the mobile node's previous foreign agent to notify it that the mobile node has moved. The previous foreign agent deletes the mobile node's visitor list entry and creates a location cache entry for the mobile node pointing to its new care-of address. The extension contains only those values needed to construct the Binding Update message that are not otherwise already contained in the Registration Request message.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |        Cache Lifetime         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                Previous Foreign Agent Address                 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Authenticator ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      ???

   Length

      6 plus the length of the Authenticator

   Cache Lifetime

      The number of seconds remaining before the location cache entry created by the previous foreign agent must be considered expired. A value of all ones indicates infinity. A value of zero indicates that the previous foreign agent should not create a location cache entry for the mobile node once it has deleted the mobile node's visitor list entry.
      The Cache Lifetime value is copied into the Lifetime field of the Binding Update message.

   Previous Foreign Agent Address

      The IP address of the mobile node's previous foreign agent, to which the new foreign agent should send a Binding Update message on behalf of the mobile node.

   Authenticator

      The authenticator value to be used in the Route Optimization Authentication extension in the Binding Update message sent by the new foreign agent to the mobile node's previous foreign agent. It is computed by the mobile node under its registration key, so the new foreign agent can relay it without knowing that key.

4.2. Route Optimization Authentication Extension

   The Route Optimization Authentication Extension is used to authenticate certain route optimization management messages. It contains the same fields and is computed in the same way as the Mobile-Home Authentication Extension used in the basic Mobile IP protocol.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |  Authenticator ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      ???

   Length

      The length of the Authenticator

   Authenticator (variable length)

      A hash value taken over a stream of bytes including the shared secret, all prior extensions in their entirety, and the type and length of this extension, but not including the Authenticator field itself.

4.3. Mobile Node Registration Key Extension

   The Mobile Node Registration Key extension may be used on Registration Reply messages to send a registration key from the mobile node's home agent to the mobile node.
   The extension is authenticated along with the rest of the
   Registration Reply message, and thus no additional authenticator is
   included in the extension.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Encrypted Key ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type      ???

   Length    The length of the Encrypted Key

   Encrypted Key (variable length)
             The registration key, chosen by the home agent, encrypted
             based on the mobility security association between the
             mobile node and its home agent.

4.4. Foreign Agent Registration Key Extension

   The Foreign Agent Registration Key extension may be used on
   Registration Reply messages to send a registration key from the home
   agent to the foreign agent. An authenticator is included in the
   extension to allow the foreign agent to authenticate the received
   registration key.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     | Encrypted Key ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Authenticator ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type      ???

   Length    The length of the Encrypted Key plus the length of the
             Authenticator. Since a single Length field covers both
             variable-length fields, the foreign agent can separate them
             only by knowing the authenticator length, which follows from
             the authentication type in its mobility security association
             with the home agent (Section 5.2).

   Encrypted Key (variable length)
             The registration key, chosen by the home agent, encrypted
             based on the mobility security association between the
             foreign agent and the home agent.

   Authenticator (variable length)
             A hash value taken over a stream of bytes including the
             shared secret and the fields in this extension other than
             the Authenticator field itself.

5. Mobility Security Association Management

5.1. Motivation

   One of the most difficult aspects of route optimization for Mobile IP
   in the Internet today is providing authentication for all messages
   that affect the routing of datagrams to a mobile node. In the basic
   Mobile IP protocol, all routing of datagrams to the mobile node while
   it is away from its home network is controlled by the home agent,
   since only the home agent is aware of the mobile node's mobility
   binding and only the home agent tunnels datagrams to the mobile node.
   Authentication is based on a manually established "mobility security
   association" between the home agent and the mobile node. Since the
   home agent and the mobile node are both owned by the same organization
   (both are assigned IP addresses within the same IP subnet), this
   manual configuration can be performed fairly easily, for example while
   the mobile node is at home.

   With route optimization, though, there is in general a need to
   authenticate messages between two nodes belonging to different
   organizations, which makes establishing a mobility security
   association more difficult. Since no general authentication or key
   distribution protocol is available in the Internet today, the route
   optimization procedures defined in this document rely on the same type
   of manually configured mobility security associations as are used in
   the basic Mobile IP protocol.

   For a correspondent node to be able to create a location cache entry
   for a mobile node, so that it can tunnel its own IP datagrams directly
   to the mobile node at its current location, the correspondent node and
   the mobile node's home agent must have established a mobility security
   association. This one mobility security association, though, may be
   used in creating and updating location cache entries at this
   correspondent node for all mobile nodes served by this home agent.
   This places the correspondent node in a fairly natural relationship
   with respect to the mobile nodes served by this home agent.
   For example, these mobile nodes may represent different people
   affiliated with the organization owning the home agent and these
   mobile nodes, with whom the user of this correspondent node often
   collaborates. In this case, the effort of establishing the necessary
   mobility security association with this home agent may be justified.

   Similarly, for a mobile node to be able to notify its previous foreign
   agent once it moves and registers a new care-of address, the foreign
   agent and the mobile node's home agent must have established a
   mobility security association, and this mobility security association
   may be used for all mobile nodes served by this home agent that may
   register with this foreign agent. This places the foreign agent in a
   fairly natural relationship with respect to the mobile nodes served by
   this home agent. For example, these mobile nodes may represent
   different people affiliated with the organization owning the home
   agent and these mobile nodes, who may often visit the network served
   by this foreign agent. In this case, the effort of establishing the
   necessary mobility security association with this home agent may be
   justified.

   In general, if the movement and communication patterns of a mobile
   node, or of the group of mobile nodes served by the same home agent,
   are sufficient to justify establishing a mobility security association
   with the mobile node's home agent, users or network administrators are
   likely to do so. Establishing a mobility security association is not
   a requirement for using the protocol, though; if no mobility security
   association has been established, Mobile IP with route optimization
   behaves the same as the basic Mobile IP protocol, and all datagrams
   destined for a mobile node are intercepted by the mobile node's home
   agent and then tunneled to its current location by the home agent.

5.2. Mobility Security Associations

   For use with route optimization, a mobility security association held
   by a correspondent node or a foreign agent must in general include the
   following parameters:

   - the authentication type (including algorithm and algorithm mode),

   - the secret (such as a shared key, or an appropriate public/private
     key pair),

   - the home agent address (defining which mobility security
     association this is), and

   - an indication of which mobile nodes this mobility security
     association applies to, such as a netmask for the home agent
     address, or a list of the individual mobile nodes.

   A mobility security association held by a home agent must in general
   include the following parameters:

   - the authentication type (including algorithm and algorithm mode),

   - the secret (such as a shared key, or an appropriate public/private
     key pair), and

   - the address of the node with which it has established this mobility
     security association.

5.3. Using a Master Key at the Home Agent

   Rather than storing each mobility security association that it has
   established with many different correspondent nodes and foreign
   agents, a home agent may manage its mobility security associations so
   that each of them can be generated from a single "master" key. With
   the master key, the home agent can build a key for any given other
   node by computing the node-specific key as

      MD5(node-address || master-key || node-address)

   where node-address is the IP address of the particular node for which
   the home agent is building a key, and master-key is the single master
   key held by the home agent for all mobility security associations it
   has established with correspondent nodes and foreign agents. That is,
   the node-specific key is the MD5 hash of a string consisting of the
   master key with the node-address concatenated as a prefix and as a
   suffix.
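   As an added illustration, not part of the draft, the following
   Python encodes and checks the Previous Foreign Agent Notification
   extension of Section 4.1, computes and verifies the Route
   Optimization Authentication extension of Section 4.2, and derives
   node-specific keys from a master key as described in this section.
   The Type values (the draft leaves them as "???"), the 4-byte encoding
   of node-address, the choice of MD5 with the secret placed as a prefix
   of the hashed stream, and every sample address and key are
   assumptions made for this example; the draft does not assign the Type
   values and does not say where in the stream the secret goes.

```python
import hashlib
import hmac
import ipaddress
import struct

# The draft leaves every Type value as "???"; the numbers below are
# placeholders chosen for this example only, not values from the draft.
TYPE_PREV_FA_NOTIFY = 200
TYPE_RO_AUTH = 201
INFINITE_LIFETIME = 0xFFFF            # "a value of all ones indicates infinity"
MD5_LEN = hashlib.md5().digest_size   # 16


def node_specific_key(master_key: bytes, node_address: str) -> bytes:
    """Section 5.3: MD5(node-address || master-key || node-address).
    Assumption: node-address is the 4-byte network-order IPv4 address."""
    addr = ipaddress.IPv4Address(node_address).packed
    return hashlib.md5(addr + master_key + addr).digest()


def ro_authenticator(secret: bytes, prior: bytes, ext_type: int, length: int) -> bytes:
    """Section 4.2: hash over the shared secret, all prior extensions in
    their entirety, and this extension's Type and Length, but not the
    Authenticator itself. Assumption: MD5, with the secret as a prefix."""
    return hashlib.md5(secret + prior + bytes([ext_type, length])).digest()


def build_ro_auth_ext(secret: bytes, prior: bytes) -> bytes:
    """Route Optimization Authentication extension ready to append."""
    auth = ro_authenticator(secret, prior, TYPE_RO_AUTH, MD5_LEN)
    return bytes([TYPE_RO_AUTH, MD5_LEN]) + auth


def split_extensions(data: bytes) -> list:
    """Walk a Type/Length/value sequence; return (offset, type, value) triples
    and reject anything whose Length runs past the end of the message."""
    out, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated extension header")
        ext_type, length = data[off], data[off + 1]
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("extension Length runs past end of message")
        out.append((off, ext_type, value))
        off += 2 + length
    return out


def verify_ro_auth(secret: bytes, message: bytes) -> bool:
    """Receiver side: the authentication extension must be the last one;
    recompute over everything before it and compare in constant time."""
    exts = split_extensions(message)
    if not exts or exts[-1][1] != TYPE_RO_AUTH:
        return False
    off, _, received = exts[-1]
    expected = ro_authenticator(secret, message[:off], TYPE_RO_AUTH, len(received))
    return hmac.compare_digest(expected, received)


def build_prev_fa_ext(cache_lifetime: int, prev_fa: str, authenticator: bytes) -> bytes:
    """Section 4.1 layout: Type, Length = 6 + len(Authenticator),
    Cache Lifetime (16 bits), Previous Foreign Agent Address, Authenticator."""
    if not 0 <= cache_lifetime <= INFINITE_LIFETIME:
        raise ValueError("Cache Lifetime must fit in 16 bits")
    length = 6 + len(authenticator)
    if length > 255:
        raise ValueError("Authenticator too long for the one-byte Length field")
    header = struct.pack("!BBH4s", TYPE_PREV_FA_NOTIFY, length, cache_lifetime,
                         ipaddress.IPv4Address(prev_fa).packed)
    return header + authenticator


def parse_prev_fa_ext(ext: bytes) -> dict:
    """Inverse of build_prev_fa_ext, enforcing the Length rule and decoding
    the two special Cache Lifetime values the draft defines."""
    if len(ext) < 8 or ext[0] != TYPE_PREV_FA_NOTIFY or ext[1] != len(ext) - 2:
        raise ValueError("malformed Previous Foreign Agent Notification extension")
    lifetime, addr = struct.unpack("!H4s", ext[2:8])
    return {
        "cache_lifetime": lifetime,
        "infinite": lifetime == INFINITE_LIFETIME,
        "create_cache_entry": lifetime != 0,   # zero: delete visitor entry only
        "previous_fa": str(ipaddress.IPv4Address(addr)),
        "authenticator": ext[8:],
    }


if __name__ == "__main__":
    # Constructed sample: the home agent derives the key it shares with the
    # node at 198.51.100.7 from its master key instead of looking it up.
    master = b"example-home-agent-master-key"
    key = node_specific_key(master, "198.51.100.7")
    # A Previous Foreign Agent Notification extension serves here only as
    # "prior extension" material for the authenticator to cover.
    pfa = build_prev_fa_ext(300, "192.0.2.1", b"\x11" * MD5_LEN)
    print(parse_prev_fa_ext(pfa))
    msg = pfa + build_ro_auth_ext(key, pfa)
    print("genuine message verifies:", verify_ro_auth(key, msg))
    tampered = bytearray(msg)
    tampered[3] ^= 1                      # flip a bit of the Cache Lifetime
    print("tampered message verifies:", verify_ro_auth(key, bytes(tampered)))
```

   Two points the code makes concrete: the receiver must bound every
   Length against the end of the message before trusting it, and a
   change to any covered field (here a bit of the Cache Lifetime) must
   fail verification. Note also that with the master-key scheme every
   node-specific key is only as secret as the master key, so disclosure
   of the master key compromises every mobility security association the
   home agent has handed out; and the unkeyed-MD5-over-secret
   construction is the 1994 state of the art, where a current deployment
   would use an HMAC.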
   Using this scheme, when establishing each mobility security
   association, the network administrator managing the home agent
   computes the node-specific key and communicates it to the network
   administrator of the other node through some "secure" channel, such as
   over the telephone. The mobility security association is configured
   at this other node in the same way as any mobility security
   association. At the home agent, though, no record need be kept that
   this key has been given out; the home agent need only be configured
   to know that this scheme is in use for all of its mobility security
   associations. When the home agent then needs a mobility security
   association as part of the route optimization protocol, it builds the
   node-specific key from the master key and the IP address of the other
   node with which it is attempting to authenticate. If the other node
   knows the correct node-specific key, the authentication will succeed;
   otherwise, it will fail, as it should.

6. Location Cache Considerations

   (This section is incomplete, but will contain a detailed description
   of the data structures and procedures related to managing a location
   cache.)

6.1. Cache Management

   LRU replacement
   Avoiding thrashing
   Refreshing location cache entries: Binding Inquire and Binding Update

6.2. Receiving Binding Advice Messages

   Binding Inquire and Binding Update

6.3. Receiving Binding Update Messages

   Authenticating, building the cache entry

7. Home Agent Considerations

   (This section is incomplete, but will contain a detailed description
   of the data structures maintained by a home agent and the route
   optimization procedures from the point of view of a home agent.)

7.1. Tunneling Datagrams

   Sending Binding Update messages

   A home agent must provide some mechanism to limit the rate at which
   it sends Binding Update messages to the same node about any given
   mobility binding, after tunneling a datagram intercepted on the home
   network.

7.2. Receiving Binding Inquire Messages

8. Foreign Agent Considerations

   (This section is incomplete, but will contain a detailed description
   of the data structures maintained by a foreign agent and the route
   optimization procedures from the point of view of a foreign agent.)

8.1. Previous Foreign Agent Notification

   Sending a Binding Update on behalf of the mobile node
   When received: change the visitor list entry to a cache entry, send
   an acknowledgement
   How to build the cache entry when notified

8.2. Receiving Tunneled Datagrams

   Don't send Binding Advice if the datagram was tunneled from the home
   agent; the foreign agent knows the home agent address from
   registration and thus can recognize datagrams tunneled from the home
   agent.

   A foreign agent must provide some mechanism to limit the rate at which
   it sends Binding Advice messages about any given mobility binding.

9. Mobile Node Considerations

   (This section is incomplete, but will contain a detailed description
   of the data structures maintained by a mobile node and the route
   optimization procedures from the point of view of a mobile node.)

9.1. Previous Foreign Agent List

9.2. Previous Foreign Agent Notification

   Extension in registration; the mobile node manages its own
   retransmissions
   Periodically retransmit to each foreign agent in the previous foreign
   agent list
   Need to add a status code or bit to the Registration Reply from the
   foreign agent

Chairs' Addresses

   The working group can be contacted via the current chairs:

   Kannan Alagappan
   ???
   Work:   +1-???-???-????
   Fax:    +1-???-???-????
   E-mail: kannan@emc.com

   Tony Li
   170 W. Tasman Dr.
   San Jose, CA 95134
   Work:   +1-408-526-8186
   Fax:    +1-408-???-????
   E-mail: tli@cisco.com

Authors' Addresses

   Questions about this document can also be directed to the authors:

   David B. Johnson
   Computer Science Department
   Carnegie Mellon University
   5000 Forbes Avenue
   Pittsburgh, PA 15213-3891
   Phone:  +1-412-268-7399
   Fax:    +1-412-268-5576
   E-mail: dbj@cs.cmu.edu

   Andrew Myles
   Electronics Department
   Macquarie University
   2109 Sydney, Australia
   Phone:  +61-2-8059071
   Fax:    +61-2-8059128
   E-mail: andrewm@mpce.mq.edu.au

   Charles Perkins
   Room J1-A25
   T. J. Watson Research Center
   IBM Corporation
   P. O. Box 218
   Yorktown Heights, NY 10598
   Phone:  +1-914-789-7350
   Fax:    +1-914-784-7007
   E-mail: perk@watson.ibm.com