Network Working Group Y. Rekhter INTERNET-DRAFT (T.J. Watson Research Center, IBM Corp.) Richard Colella (NIST) TUBA Mobility Support (draft-ietf-tuba-mobility-00.txt) (Posted: May 16, 1994/Expires: November 16, 1994) Status of this Memo This document is a submission to the TUBA Working Group of the Inter- net Engineering Task Force (IETF). Comments should be submitted to the tuba@lanl.gov mailing list. Distribution of this memo is unlimited. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months. Internet Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as reference material or to cite them other than as a "working draft" or "work in progress." Please check the 1id-abstracts.txt listing contained in the internet-drafts Shadow Directories on nic.ddn.mil, ds.internic.net, venera.isi.edu, nic.nordu.net, or munnari.oz.au to learn the current status of any Internet Draft. Abstract This document specifies protocol enhancements that allow transparent routing of CLNP datagrams to Mobile Nodes in the Internet. The Mobile Node is always identified by its Home-Address, regardless of its current point of attachment to the Internet. While situated away from its home, a Mobile Node is also associated with a Care-Of- Address, which provides information about its current point of Rekhter, Colella [Page 1] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 attachment to the Internet. The protocol provides for registering the Care-Of-Address with the Home Agent. The Home Agent tunnels traffic destined for the Mobile Node to the Care-Of-Address. Acknowledgements This document is taken almost verbatim from the draft-ietf-mobileip- protocol-02.txt Internet Draft. The latter is the product of the mobile-ip WG. 1. Introduction If a node moves while keeping its address unchanged, the address may not reflect its new point of attachment. The routing protocols will not be able to route datagrams to it correctly. This document defines new functions that allow a node to roam on the Internet, without changing its network layer address (NSAP). The following entities are defined: Mobile Node A TUBA host or router that changes connections from one network or subnetwork to another. Home Agent A router on a network that advertises reachability for a Mobile Node, maintains a registry of the current Mobility Bindings for that node while it is away from home, and tunnels datagrams for delivery to a Mobile Node. Foreign Agent A router that assists a locally reachable Mobile Node that is away from its home network. The following support services are defined: Agent Discovery Agents advertise their availability on each link. Rekhter, Colella [Page 2] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 A newly arrived Mobile Node can send a solicitation on the link to learn if any prospective Agents are present. Care-Of-Address Assignment The Care-Of-Address terminates the end of a tunnel toward a Mobile Node. Depending on the foreign network configuration, the Care- Of-Address may be dynamically assigned to the Mobile Node, or associated with a Foreign Agent. Registration When the Mobile Node is away from home, it registers the Care- Of- Address with the Home Agent. Depending on its method of attachment, the Mobile Node will register either directly with a Home Agent, or through a Foreign Agent which forwards the registration to the Home Agent. Encapsulation Once a Mobile Node has registered a Care-Of-Address with a Home Agent, the Home Agent intercepts datagrams destined for the Mobile Node, formulates another datagram with the intercepted datagram enclosed within, and forwards the resulting datagram to the Care- Of-Address. Decapsulation At the Care-Of-Address, the enclosed datagram is extracted. When the Mobile Node has its own Care-Of-Address, it decapsu- lates its own datagrams. When the Care-Of-Address is associated with a Foreign Agent, the Foreign Agent decapsulates the datagrams. If the datagram is addressed to a Mobile Node which the Foreign Agent is currently serving, it will deliver the datagram to the Mobile Node. Otherwise, the datagram MUST be silently discarded (rather than being further forwarded). CLNP ER Destination Unreachable MUST NOT be sent when a Foreign Agent is unable to forward a datagram. Rekhter, Colella [Page 3] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 1.1. Requirements A Mobile Node using its Home-Address shall be able to communicate with other nodes after having been disconnected from the Internet, and then reconnected at a different point. A Mobile Node shall continue to be capable of communicating directly with existing nodes that do not implement the mobility functions described in this document. A Mobile Node shall provide authentication in its registration mes- sages. 1.2. Goals As few administrative messages as possible are sent between a Mobile Node and a Foreign Agent. The link is likely to be bandwidth lim- ited. The size of messages on the Mobile Node's directly attached link are to be kept as short as possible. The link is likely to be bandwidth limited. 1.3. Assumptions The protocols defined in this document place no additional require- ments on assignment of addresses (NSAPs). That is, a Mobile Node will be assigned an address (NSAP) by the organization that owns the machine, and will be able to use that address (NSAP) regardless of the current point of attachment. Mobile Nodes are able to change their point of attachment to the Internet as frequently as once per second. No protocol enhancements are required in hosts or routers that are not serving any of the mobility functions. Similarly, no additional protocols are needed by a router (that is not acting as a Home Agent or a Foreign Agent) to route datagrams to or from a Mobile Node. The operation of this specification assumes that CLNP datagrams are routed to a destination without regard to the source of the datagram. If desired, the Mobile Node can tunnel to its Home Agent. The Rekhter, Colella [Page 4] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 definition of such tunneling mechanisms is outside the scope of this specification. 1.4. Specification Language In this document, several words are used to signify the requirements of the specification. These words are often capitalized. MUST This word, or the adjective "required", means that the definition is an absolute requirement of the specification. MUST NOT This phrase means that the definition is an absolute prohibition of the specification. SHOULD This word, or the adjective "recommended", means that there may exist valid reasons in particular circumstances to ignore this item, but the full implications must be understood and carefully weighed before choosing a different course. MAY This word, or the adjective "optional", means that this item is one of an allowed set of alternatives. An implementation which does not include this option MUST be prepared to interoperate with another implementation which does include the option. silently discard The implementation discards the packet without further processing, and without indicating an error to the sender. The implementation SHOULD provide the capability of logging the error, including the contents of the discarded packet, and SHOULD record the event in a statistics counter. 1.5. Terminology This document frequently uses the following terms: Authentication Type This includes the algorithm and algorithm mode. Note that a single algorithm (such as DES) might have several modes (for example, CBC and ECB). Correspondent Host The peer with which a Mobile Node is communicating. The Rekhter, Colella [Page 5] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 Correspondent Host may be either mobile or stationary. Home-Address A long term address (NSAP) that is assigned to a Mobile Node. It remains unchanged regardless of where the node is attached to the Internet. The Home-Address is intercepted by the Home Agent while the Mobile Node is registered with that Home Agent. Link A communication facility or medium over which nodes can commun- icate at the link layer; underlying the network layer. Mobility Binding The association of a Home-Address with a Care-Of-Address, and the remaining LifeTime of the association. Mobility Security Association The security relationship between two nodes that is used with Mobile CLNP protocol messages. This relationship includes the authentication type (including algorithm and algorithm mode), the secret (such as a shared key, or appropriate public/private key pair), and possibly other information such as labelling. Triangle Routing A path followed by a datagram destined for a Mobile Node, when that datagram arrives first at the Home Agent, and then is encapsulated and tunneled by the Home Agent. 2. Agent Discovery To communicate with a Foreign or Home Agent, a Mobile Node must learn either the network layer address (NSAP) or the link layer address of that Agent. It is assumed that a link-layer connection has been established between the Agent and the Mobile Node. The method used to establish such a link-layer connection is not specified in this document. After establishing a link-layer connection that supports the attach- ment of Mobile Nodes, the node must learn if there are any prospec- tive Foreign Agents available to serve it while it is away from home. If the Mobile Node is returning home, it must learn if its Home Agent is available. There are often several methods of learning the availability of an Agent. Those described here are recommended. Rekhter, Colella [Page 6] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 Multi-Point Link-Layers Link establishment protocol, IEEE 802.11, might yield the link address of an agent. This link-layer address is used to attempt registration. ES-IS Configuration information provided by ES-IS protocol allows a Mobile Node to discover the existence and reachability of a Foreign Agent, and permits a Foreign Agent to discover the existence and reachability of a Mobile Node. It is recommended that as few messages as possible which duplicate functionality be sent on mobile links. This is particularly impor- tant on wireless and congested links. When multiple methods are in use, the Mobile Node SHOULD first attempt registration with routers sending ISH packets in preference to those sending link-layer advertisements. This ordering maximizes the likelihood that the registration will be recognized, thereby minimizing the number of registration attempts. An Administrative Domain MAY require registration with a Foreign Agent even when another registration method is in use. This facility is envisioned for service providers with packet filtering fire-walls, or visiting policies (such as accounting) which require exchanges of authorization. 2.1. Authentication No authentication is required for the advertisement and solicitation process. These messages MAY be authenticated using a TUBA Authentication mechanism (as described in draft-ietf-inlsp-tuba-00.txt), which is external to the messages described here. Further work on authentica- tion of advertisement and solicitation is outside of the scope of this document. Whenever an externally authenticated message fails authentication, the message is silently discarded. 2.2. Agent Solicitation Rekhter, Colella [Page 7] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 Every Mobile Node is required to implement ES-IS. However, the ESH packet is only sent when no link-layer identification has been received. Any Foreign Agent and Home Agent which is not identified by a link- layer protocol MUST implement ES-IS. 2.3. Agent Advertisement Every Mobile Node is required to correctly process ES-IS packets. Any Foreign Agent and Home Agent which is not identified by a link- layer protocol MUST implement ES-IS. An Agent which is identified by a link-layer protocol SHOULD also implement ES-IS. It is assumed that the ISH packet format is extended as to allow an indication of whether a router is willing to act as an Agent. The Mobile Node chooses a Care-Of-Address from among advertising Agents in the same fashion as it would choose a first hop router. 3. Registration The registration function exchanges information between Mobile Nodes and Home Agents. This function creates a Mobility Binding, linking the Home-Address with the Care-Of-Address currently used by the Mobile Node. When assigned a transient Care-Of-Address, a Mobile Node can act without a Foreign Agent. When registering or deregistering directly with the Home Agent, the registration process involves the exchange of only 2 messages. a) The Mobile Node sends a Registration Request to the Home Agent, to ask the Home Agent to provide the requested service. b) The Home Agent sends a Registration Reply to the Mobile Node to grant or deny service. An Administrative Domain MAY require registration through a Foreign Agent, as indicated in Agent Advertisements. Rekhter, Colella [Page 8] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 When the Care-Of-Address is associated with a Foreign Agent, the Foreign Agent acts as a relay between the Mobile Node and Home Agent. The extended registration process involves the exchange of 4 mes- sages: a) The Mobile Node sends a Registration Request to the prospective Foreign Agent to begin the registration process. b) The Foreign Agent relays the request by sending a Registration Request to the Home Agent, to ask the Home Agent to provide the requested service. c) The Home Agent sends a Registration Reply to the Foreign Agent to grant or deny service. d) The Foreign Agent sends a copy of the Registration Reply to the Mobile Node to inform it of the disposition of its request. 3.1. Authentication Each Mobile Node, Foreign Agent, and Home Agent MUST support an internal table holding a list of NSAP addresses, and the Mobility Security Association for each address. Mobile Node to Home Agent registration messages are required to be authenticated with the Mobile-Home Authentication Extension. The Mobile Node and Home Agent MUST support authentication using keyed MD5 and key sizes of 128 bits or greater, with manual key distribu- tion. Additional authentication algorithms, algorithm modes, and key distribution methods MAY also be supported. In addition, the Foreign Agent SHOULD support authentication using keyed MD5 and key sizes of 128 bits or greater, with manual key dis- tribution. Additional authentication algorithms, algorithm modes, and key distribution methods MAY also be supported. Only one Mobility Security Association exists between any given pair of participating nodes at any given time. Whenever a Mobility Security Association exists between a pair of nodes, all registration messages between these nodes MUST be authen- ticated, using the appropriate authentication extension. Rekhter, Colella [Page 9] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 3.2. UDP The Registration messages defined herein use the User Datagram Proto- col header [RFC-768]. The UDP well-known port is used. The UDP checksum is required. Any mobility message with an incorrect or zero UDP checksum is silently discarded. 3.3. Registration Request The UDP Header is followed by the fields shown below: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Code | LifeTime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |HAg Addr Len | Home Agent Address (variable)... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | .... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |HA Addr Len | Home Address (variable)... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | .... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |CO Addr Len | Care-Of-Address (variable)... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | .... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + TimeStamp + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Extensions ... +-+-+-+-+-+-+-+- CLNP fields: Source The Home-Address of the Mobile Node. Destination The NSAP address of the Agent, when known. When the NSAP address is unknown (i.e., the agent was discovered via a link-layer protocol), the "all Mobile Agents" multicast address. The link-layer Rekhter, Colella [Page 10] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 unicast address is used to deliver the datagram to the correct Agent. UDP fields: Source Port variable Destination Port MobileTUBA fields: Type 1 when sent by the Mobile Node 2 when sent by the Foreign Agent Code Optional capabilities: 0 - remove prior registrations 1 - retain prior registrations LifeTime The seconds remaining before the registration is considered expired. A value of zero indicates a request for de-registration. A value of all ones indicates infinity. The LifeTime SHOULD NOT be set to greater than the LifeTime learned in an Agent Advertisement. HAg Addr Len The length of the Home Agent Address (in octets) Home Agent The NSAP address of the Home Agent. HA Addr Len The length of the Home NSAP address of the Mobile Node (in octets) Home-Address The Home NSAP address of the Mobile Node. CO Addr Len The length of the Care-Of-Address (in octets) Care-Of-Address The NSAP address for the decapsulation end of a tunnel. TimeStamp 64 bits. A sequence number assigned by the Mobile Node. A Network Time Protocol [RFC-1305] value is preferred, but the elapsed time since system startup, or any other monotonically increasing Rekhter, Colella [Page 11] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 counter MAY be used. The value MUST NOT be the same as an immediately preceeding request. The Mobile-Home Authentication Extension is required, and immediately follows all non-authentication extensions. Authenticator A hash value taken over a stream of bytes consisting of the shared secret between the Mobile Node and Home Agent, followed by (concatenated with) the fields in the message beginning with the Code field, including all prior extensions, and the Type and Length of this extension, but not including the Authenticator field itself, and finally the shared secret again. The Mobile-Foreign or Foreign-Home Authentication Extension is optional, and immediately follows the Mobile-Home Authentication Extension. When forwarded by a Foreign Agent, fields and extensions are copied from the Registration Request without modification. 3.4. Registration Reply The UDP Header is followed by the fields shown below: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Code | LifeTime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |HA Addr Len | Home-Address (variable)... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | .... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + TimeStamp + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Extensions ... +-+-+-+-+-+-+-+- CLNP fields: The Source and Destination of the Request message are swapped for the Reply message. Rekhter, Colella [Page 12] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 Note that the Source of the original Registration Request must be saved in order for the Foreign Agent to return the reply to the correct Mobile Node. UDP fields: The Source Port and Destination Port of the Request message are swapped for the Reply message. Note that the Source Port of the original Registration Request must be saved in order for the Foreign Agent to return the reply to the correct Mobile Node port. MobileTUBA fields: Type 3 Code One of the following codes: 0 service will be provided. denied by Foreign Agent, 16 reason unspecified. 17 administratively prohibited. 18 insufficient resources. 19 Mobile Node failed authentication. 20 Home Agent failed authentication. 21 Request LifeTime too long. denied by Home Agent, 32 reason unspecified. 33 administratively prohibited. 34 insufficient resources. 35 Mobile Node failed authentication. 36 Foreign Agent failed authentication. Up-to-date values of the Code field are specified in the most recent "Assigned Numbers" RFC [2]. LifeTime The seconds remaining before the registration is considered expired. A value of zero confirms a request for de-registration. A value of all ones indicates infinity. May be modified by the Home Agent. HA Addr Len Copied from the Request message. Rekhter, Colella [Page 13] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 Home-Address Copied from the Request message. TimeStamp Copied from the Request message. The Mobile-Home Authentication Extension is required, and immediately follows all non-authentication extensions. Authenticator A hash value taken over a stream of bytes consisting of the shared secret between the Mobile Node and Home Agent, followed by (concatenated with) all of the fields in the message beginning with the Code field, including all prior extensions, and the Type and Length of this extension, but not including the Authenticator field itself, and finally the shared secret again. Note that the Care-Of-Address and Home Agent are not present in the message. This provides a separate calculation value for mutual authentication from the Home Agent to the Mobile Node. The Mobile-Foreign or Foreign-Home Authentication Extension is optional, and immediately follows the Mobile-Home Authentication Extension. When forwarded by a Foreign Agent, fields and extensions are copied from the Registration Reply without modification. 4. Mobility Message Extensions To promote extensibility, each message begins with a short fixed part, which is followed by one or more extensions in Type-Length- Value format. Extensions allow variable amounts of information to be carried within each datagram. The end of the list of Extensions is indicated by the Total Length of the CLNP datagram. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Extension | Length | Data ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Rekhter, Colella [Page 14] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 Extension Current values are assigned as follows: 16 Mobility 32 Mobile-Home Authentication 33 Mobile-Foreign Authentication 34 Foreign-Home Authentication 65 GRE Encapsulation Up-to-date values are specified in the most recent "Assigned Numbers" RFC [2]. Length Indicates the length of the Data field. The Length does not include the Extension and Length bytes. Data This field is zero or more bytes and contains the value(s) for this Extension. The format and length of the Data field is determined by the Extension and Length fields. When an extension is encountered which is not recognized, it is ignored. The length field is used to skip the data field in search- ing for the next extension. 4.1. Mobility Extension 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extension | Length | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |R| Reserved | +-+-+-+-+-+-+-+-+ Extension 16 Length 3 Sequence Number Contains the number of advertisement messages sent since the node was initialized. This number MUST include this advertisement. When this value decreases, the Mobile Node MUST assume that any current registration has been lost. This field cannot roll over in less than 2**16 seconds, and rollover is unambiguously indicated by Rekhter, Colella [Page 15] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 the value zero. R Registration required bit. When this bit is set to 1, registration with the Foreign Agent is required, even when the Mobile Node has acquired a transient Care-Of-Address. Reserved Sent as zero; ignored on reception. 4.2. Authentication Extensions 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extension | Length | Authenticator +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Extension 32 Mobile-Home 33 Mobile-Foreign 34 Foreign-Home Length The number of data bytes in the Extension (16 when MD5 is used). Authenticator Variable length (128 bits for MD5). For Mobile-Home authentication, the value differs depending on the direction the message is sent. These calculations are defined in the Registration Request and Reply messages. For Mobile-Foreign and Foreign-Home authentication, a hash value taken over a stream of bytes consisting of the shared secret, followed by (concatenated with) the Source, the Destination, the remaining fields in the message beginning with the UDP header, including all prior extensions, and the Type and Length of this extension, but not including the Authenticator field itself, and finally the shared secret again. Rekhter, Colella [Page 16] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 5. Forwarding Datagrams to the Mobile Node 5.1. CLNP in CLNP Encapsulation Support for CLNP in CLNP encapsulated tunneling is required. The format of the CLNP header is as described in [ISO8473]. The outer CLNP header Source and Destination addresses identify the "end- points" of the tunnel. The inner CLNP header Source and Destination addresses identify the sender and recipient of the datagram. The Destination field in the CLNP header is replaced by the Care-Of- Address of the Mobile Node. If the encapsulating agent is not the original source of the datagram, the Source field in the CLNP header is replaced by the CLNP address of the encapsulating agent. When the Home Agent encapsulates the datagram, it sets the CLNP Life- time (CLNP TTL) field to be the same as the original datagram. When decapsulating, the outer CLNP TTL minus one is inserted into the inner CLNP TTL. Thus, CLNP hops are counted, but the actual routers interior to the tunnel are not identified. 5.2. Tunneling Management It is possible that one of the routers along the tunnel interior might encounter an error while processing the datagram, causing it to return a CLNP ER message to the source end of the tunnel. The three types of CLNP errors that can occur in this circumstance are: - Segmentation needed but not permitted. - Lifetime expired. - Destination address unreachable. Unfortunately, CLNP ER only requires routers to return the CLNP header of the datagram. This is not enough to include the encapsu- lated header, so it is not generally possible for the Home Agent to immediately reflect the CLNP ER message from the interior of a tunnel back to the source host. However, by carefully maintaining "soft state" about its tunnels, a Home Agent can return accurate CLNP ER messages in most cases. The Rekhter, Colella [Page 17] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 Home Agent SHOULD maintain at least the following soft state informa- tion about each tunnel: - MTU of the tunnel. - TTL (path length) of the tunnel - Reachability of the end of the tunnel. The Home Agent uses the CLNP ER messages it receives from the inte- rior of a tunnel to update the soft state information for that tun- nel. When subsequent datagrams arrive that would transit the tunnel, the router checks the soft state for the tunnel. If the datagram would violate the state of the tunnel (such as, the TTL is less than the tunnel TTL) the Home Agent sends a CLNP ER message back to the source, but also forwards the datagram into the tunnel. Using this technique, the CLNP ER messages sent by Home Agents will not always match up one-to-one with errors encountered within the tunnel, but they will accurately reflect the state of the network. 6. Mobile Node Considerations A Mobile Node listens for ISH messages at all times that it has a link connection. In this manner, it can learn that its Foreign Agent has changed, or that it has arrived home. Whenever a Mobile Node changes its point of attachment to the Inter- net, it must initiate the registration process. If it is away from home, it must register with a Foreign Agent. If it is returning home, it must deregister with its Home Agent. A Mobile Node will operate without the support of mobility functions when it is at home. 6.1. Configuration and Registration Tables Each Mobile Node will need: - Home-Address - one or more Home Agents For each pending registration: - Media Address of Agent Rekhter, Colella [Page 18] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 - Care-Of-Address - TimeStamp used - LifeTime For each Mobility Security Association: - Authentication Type - Authentication Key 6.2. Registration When Away From Home A Mobile Node SHOULD re-register with its Foreign Agent(s) before the LifeTime of its registration expires. The Mobile Node MAY re- regis- ter with its Foreign Agent(s) at any time. A Mobile Node can ask the Home Agent to terminate forwarding service through a particular Care-Of-Address, by sending a registration with a LifeTime of zero. 6.3. Registration without a Foreign Agent In cases where a Mobile Node away from home is able to dynamically acquire a transient CLNP address, the Mobile Node can serve without a Foreign Agent, using the transient address as the Care-Of-Address. Thus, the registration function and the tunnel decapsulation function can be co-located in a single node. This eliminates the need to deploy separate entities as Foreign Agents. The direct registration process involves the exchange of only two messages: a) The Mobile Node sends a Registration Request to the Home Agent, to ask the Home Agent to provide the requested service. b) The Home Agent sends a Registration Reply to the Mobile Node to grant or deny service. All communication between the Mobile Node and its Home Agent is direct, and there is no need to use the Agent Solicitation, Agent Advertisement, and Registration Request. It is assumed that such a Mobile Node has mechanisms to detect changes in its link-layer connectivity, and to initiate acquisition Rekhter, Colella [Page 19] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 of a new transient address each time such a change occurs. The mechanisms will be specific to the particular link-layer technology, and are outside the scope of this document. 6.4. De-registration When At Home At times, a Mobile Node will attach itself to its home link. Since a Mobile Node that is at home needs no forwarding, a de-registration procedure MAY be used between the Mobile Node and its Home Agent. The de-registration process involves the exchange of only two mes- sages: a) The Mobile Node sends a Registration Request directly to its Home Agent, with the LifeTime set to zero, and the Code field set to 0, to indicate that the Home Agent remove all related entries. b) The Home Agent sends a Registration Reply to the Mobile Node to grant or deny service. In this special case, for Authenticator calculation, the Care-Of- Address is set to the Home-Address. This procedure is specified for the sake of convenience. The Mobile Node is not required to register with its Home Agent. It MAY de- register with each Foreign Agent, or it MAY allow its Mobility Bind- ings to simply expire. It is not necessary to re-register with a Home Agent when a change of Incarnation Number occurs, or the Advertisement LifeTime expires, since the Mobile Node is not seeking tunneling service. 6.5. Registration Replies When a Mobile Node receives a Registration Reply which has a TimeS- tamp which is not the same as the TimeStamp of its most recent Regis- tration Request to the putative sender, the message is silently dis- carded. When a Reply is received which has a Code indicating information from the Foreign Agent, the Mobile-Home Authenticator will be missing or invalid. However, if no other reply has as yet been received, the reason for denial SHOULD be accepted, and result in an appropriate Rekhter, Colella [Page 20] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 action. If a later authenticated reply is received, that reply supercedes the unauthenticated reply. When a Reply is received which has a Code indicating that authentica- tion failed with the Home Agent, the reason for denial SHOULD result in an appropriate action. Otherwise, when a Reply is received with an invalid Authenticator, the message is silently discarded. When the LifeTime of the reply is greater than the original request, the excess time SHOULD be ignored. When the LifeTime of the reply is smaller than the original request, re-registration SHOULD occur before the LifeTime expires. The Mobile Node is not required to issue any message in reply to a Registration Reply. 6.6. Simultaneous Registrations Under normal circumstances, sending a new Registration Request removes other unexpired registrations for a Mobile Node from the Home Agent. An optional capability is to allow multiple simultaneous registra- tions. For example, this is particularly useful when a Mobile Node is on a border between multiple cellular systems. In order to request simultaneous registrations, the Mobile Node sends the Registration Request with a Code set to 1. The return Code in the Registration Reply is the same. No error occurs if the Home Agent is unable to fulfill the request. IP explicitly allows duplication of datagrams. When the Home Agent is able to fulfill the request, the Home Agent will encapsulate a copy of each arriving datagram to each Care-Of-Address, and the Mobile Node will receive multiple copies of its datagrams. 7. Foreign Agent Considerations It is the intent that Foreign Agent involvement be as minimal as pos- sible. The role of the Foreign Agent is passive, passing registra- tion requests to the Home Agent, and decapsulating tunneled datagrams Rekhter, Colella [Page 21] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 to pass to the Mobile Node. When no Mobility Security Association exists, this also reduces the risks resulting from absence of authentication from Foreign Agent messages. The Foreign Agent MUST NOT originate a Request or Reply that has not been prompted by the Mobile Node. No Request or Reply is generated to indicate that the service LifeTime has expired. A Foreign Agent MUST NOT originate a message which revokes the regis- tration of a different Foreign Agent. A Foreign Agent SHOULD forward such revocations without modification when such revocation messages originated from an appropriate Mobile Node or Home Agent. 7.1. Configuration and Registration Tables Each Foreign Agent will need: - Care-Of-Address For each pending or current registration, the Foreign Agent will need a Visitor List: - Media Address (aka SNPA) of Mobile - Home-Address - Home Agent - LifeTime A Foreign Agent that has implemented and is using authentication will also need to have the Mobility Security Association information for each pending or current authenticated registration. Even if a Foreign Agent implements authentication, it might not use authentica- tion with each registration, because of the key management difficul- ties. 7.2. Receiving Registration Requests Upon receipt of a Registration Request, the Foreign Agent may: - immediately deny service to the Mobile Node, by sending a Rekhter, Colella [Page 22] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 Registration Reply with the appropriate Code set. - request permission from the Home Agent to provide service to the Mobile Node, by sending a Registration Request. If the Foreign Agent is unable to satisfy the request for some rea- son, such as the Mobile Node proposes a Lifetime longer than the Foreign Agent has advertised, then the Foreign Agent sends a Regis- tration Reply with an appropriate Code, and does not forward the request to the Home Agent. The Foreign Agent must maintain a list of pending Requests, which includes the Source NSAP Address and UDP Source Port, in order that the Reply can be returned to the Mobile Node. 7.3. Receiving Registration Replies A Registration Reply which does not relate to a pending Registration Request, or to a currently registered Mobile Node, is silently dis- carded. If the Registration Reply granted permission to provide service to the Mobile Node, then the Foreign Agent updates its Visitor List accordingly. 8. Home Agent Considerations It is the intent that the Home Agent have primary responsibility for processing and coordinating services. The Home Agent for a given Mobile Node SHOULD be located on the link identified by the Home-Address. This link MAY be virtual. 8.1. Configuration and Registration Tables Each Home Agent will need: - an NSAP Address For each authorized Mobile Node, the Home Agent will need: - Home-Address assigned to that Node Rekhter, Colella [Page 23] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 For each registered Mobile Node, the Home Agent will need a Forward- ing List: - Home-Address - Care-Of-Address - LifeTime For each Mobility Security Association: - Authentication Type - Authentication Key 8.2. Receiving Requests from the Foreign Agent Upon receipt of a Registration Request from the Foreign Agent, the Home Agent grants or denies the service requested by sending a Regis- tration Reply to the sender of the request, with the appropriate Code set. When a Registration Request has an invalid Authenticator for the Mobile Node, a Reply is sent to the Foreign Agent, in order that the Foreign Agent can clear its pending request list. If permission is granted for the Foreign Agent to provide service to the Mobile Node, the Home Agent will update its Forwarding List with the Home-Address of the Mobile Node, and the Care-Of-Address of the tunnel. The Home Agent MAY shorten the LifeTime of the request. If the Request asks for termination of service by indicating a Life- Time of zero, the Home Agent removes the Mobility Binding for that Care-Of-Address from its Forwarding List. 8.3. Receiving Requests from the Mobile Node Upon receipt of a Registration Request from the Mobile Node, the Home Agent grants or denies the service requested by sending a Registra- tion Reply to the sender of the request, with the appropriate Code set. Rekhter, Colella [Page 24] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 In this special case, for Authenticator calculation, the Care-Of- Address is a copy of the Home-Address. The Home Agent MAY shorten the LifeTime of the request. If the Request asks for termination of service by indicating a Life- Time of zero, and the Code field set to 0, the Home Agent removes the Mobility Bindings for all Foreign Agents associated with that Mobile Node from its Forwarding List. No special Reply is sent to associated Foreign Agents. The entries in their Visiting Lists are allowed to expire naturally. 8.4. Simultaneous Registrations When a Home Agent supports the optional capability of multiple simul- taneous registrations, any datagrams forwarded are simply duplicated, and a copy is sent to each Care-Of-Address. The return Code in the Registration Reply is the same. No error occurs if the Home Agent is unable to fulfill the request, and ear- lier entries in the Forwarding List are removed. 8.5. Registration Expiration If the LifeTime for a given Mobile Node expires before the Home Agent has received a re-registration request, then the associated Mobility Binding is erased from the Forwarding List. No special Registration Reply is sent to the Foreign Agents. The entries in the Visiting Lists will expire naturally, and probably at the same time. Appendix A. TCP Timers Most hosts and routers which implement TCP/IP do not permit easy con- figuration of the TCP Timer values. When high-delay (e.g. SATCOM) or low-bandwidth (e.g. High-Frequency Radio) links are in use, the default TCP Timer values in many systems will cause retransmissions or timeouts when the link and network is actually operating properly, though with greater than usual delays because of the media in use. This can cause an inability to create or maintain connections over Rekhter, Colella [Page 25] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 such links, and can also cause unneeded retransmissions which consume already scarce bandwidth. Vendors are encouraged to make TCP Timers more configurable. Vendors of systems designed for the mobile com- puting markets should pick default timer values more suited to low- bandwidth, high-delay links. Users of Mobile Nodes should be sensi- tive to the possibility of timer-related difficulties. Security Considerations The mobile computing environment is potentially very different from the ordinary computing environment. In many cases, mobile computers will be connected to the network via wireless links. Such links are particularly vulnerable to passive eavesdropping, active replay attacks, and other active attacks. The registration protocol described here will result in a host's traffic being source routed to its mobile location. Such traffic redirection could be a significant vulnerability when the registra- tion were not authentic. Also, source routing is widely understood to be a security problem in the current Internet. [Bellovin89]. This specification includes a strong authentication mechanism (keyed MD5) which precludes many potential attacks based on the Mobile TUBA registration protocol. However, because key distribution is diffi- cult in the absence of a network key management protocol, not all messages with the Foreign Agent are authenticated. Vulnerabilities remain in the registration protocol whenever a registration message is not authenticated. For example, in a commercial environment it might be important to authenticate all messages between the Foreign Agent and the Home Agent, so that billing is possible, and service providers don't provide service to users that are not legitimate cus- tomers of that service provider. The strength of any authentication mechanism is dependent on several factors, including the innate strength of the authentication algo- rithm, the secrecy of the key used, the strength of the key used, and the quality of the particular implementation. This specification requires implementation of keyed MD5 for authentication, but does not preclude the use of other authentication algorithms and modes. For keyed MD5 authentication to be useful, the 128-bit key must be both secret (that is, known only to authorised parties) and pseudo-random. RFC-XXXX provides more information on generating pseudo-random numbers. Users who have sensitive data that they do not wish others to see should use mechanisms outside the scope of this specification (such Rekhter, Colella [Page 26] INTERNET-DRAFT May 16, 1994 Expires: November 16, 1994 as encryption) to provide appropriate protection. Users concerned about traffic analysis should consider appropriate use of link encryption. References [Voydock83] "V.L. Voydock & S.T. Kent, "Security Mechanisms in High- level Networks", ACM Computing Surveys, Vol. 15, No. 2, June 1983." [Bellovin89] Steven M. Bellovin, "Security Problems in the TCP/IP Protocol Suite", ACM Computer Communications Review, Vol. 19, No. 2, March 1989." [ISO9542] ISO9542 "End System to Intermediate System Routeing Exchange protocol for use in conjuction with the Protocol for provid- ing the connectionless-mode network service (ISO8473)" [ISO8473] ISO8473 "Protocol for providing the connectionless-mode network service" [Glenn] Glenn, K., R., "Intergrated Network Layer Security Protocol for TUBA", draft-ietf-tuba-inlsp-00.txt (work in progress) Rekhter, Colella [Page 27]