RFC 5213
Proxy Mobile IPv6
6. Mobile Access Gateway Operation
The Proxy Mobile IPv6 protocol described in this document introduces a new functional entity, the mobile access gateway (MAG). The mobile access gateway is the entity that is responsible for detecting the mobile node's movements to and from the access link and sending the Proxy Binding Update messages to the local mobility anchor. In essence, the mobile access gateway performs mobility management on behalf of a mobile node. The mobile access gateway is a function that typically runs on an access router. However, implementations MAY choose to split this function and run it across multiple systems. The specifics on how that is achieved or the signaling interactions between those functional entities are beyond the scope of this document. The mobile access gateway has the following key functional roles: o It is responsible for detecting the mobile node's movements on the access link and for initiating the mobility signaling with the mobile node's local mobility anchor. o Emulation of the mobile node's home link on the access link by sending Router Advertisement messages containing the mobile node's home network prefix(es), each prefix carried using the Prefix Information option [RFC4861]. o Responsible for setting up the forwarding for enabling the mobile node to configure one or more addresses from its home network prefix(es) and use it from the attached access link.
6.1. Extensions to Binding Update List Entry Data Structure
Every mobile access gateway MUST maintain a Binding Update List. Each entry in the Binding Update List represents a mobile node's mobility binding with its local mobility anchor. The Binding Update List is a conceptual data structure, described in Section 11.1 of [RFC3775]. For supporting this specification, the conceptual Binding Update List entry data structure needs be extended with the following additional fields. o The identifier of the attached mobile node, MN-Identifier. This identifier is acquired during the mobile node's attachment to the access link through mechanisms outside the scope of this document. o The link-layer identifier of the mobile node's connected interface. This can be acquired from the received Router Solicitation messages from the mobile node or during the mobile node's attachment to the access network. This is typically a link-layer identifier conveyed by the mobile node; however, the specific details on how that is conveyed is out of scope for this specification. If this identifier is not available, this variable length field MUST be set to two (octets) and MUST be initialized to a value of ALL_ZERO. o A list of IPv6 home network prefixes assigned to the mobile node's connected interface. The home network prefix(es) may have been statically configured in the mobile node's policy profile, or, may have been dynamically allocated by the local mobility anchor. Each of these prefix entries will also include the corresponding prefix length. o The Link-local address of the mobile access gateway on the access link shared with the mobile node. o The IPv6 address of the local mobility anchor serving the attached mobile node. This address is acquired from the mobile node's policy profile or from other means. o The interface identifier (if-id) of the point-to-point link between the mobile node and the mobile access gateway. This is internal to the mobile access gateway and is used to associate the Proxy Mobile IPv6 tunnel to the access link where the mobile node is attached.
o The tunnel interface identifier (tunnel-if-id) of the bi-
directional tunnel between the mobile node's local mobility anchor
and the mobile access gateway. This is internal to the mobile
access gateway. The tunnel interface identifier is acquired
during the tunnel creation.
6.2. Mobile Node's Policy Profile
A mobile node's policy profile contains the essential operational
parameters that are required by the network entities for managing the
mobile node's mobility service. These policy profiles are stored in
a local or a remote policy store. The mobile access gateway and the
local mobility anchor MUST be able to obtain a mobile node's policy
profile. The policy profile MAY also be handed over to a serving
mobile access gateway as part of a context transfer procedure during
a handoff or the serving mobile access gateway MAY be able to
dynamically generate this profile. The exact details on how this
achieved is outside the scope of this document. However, this
specification requires that a mobile access gateway serving a mobile
node MUST have access to its policy profile.
The following are the mandatory fields of the policy profile:
o The mobile node's identifier (MN-Identifier)
o The IPv6 address of the local mobility anchor (LMAA)
The following are the optional fields of the policy profile:
o The mobile node's IPv6 home network prefix(es) assigned to the
mobile node's connected interface. These prefixes have to be
maintained on a per-interface basis. There can be multiple unique
entries for each interface of the mobile node. The specific
details on how the network maintains this association between the
prefix set and the interfaces, specially during the mobility
session handoff between interfaces, is outside the scope of this
document.
o The mobile node's IPv6 home network Prefix lifetime. This
lifetime will be the same for all the hosted prefixes on the link,
as they all are part of one mobility session. This value can also
be the same for all the mobile node's mobility sessions.
o Supported address configuration procedures (Stateful, Stateless,
or both) for the mobile node in the Proxy Mobile IPv6 domain
6.3. Supported Access Link Types
This specification supports only point-to-point access link types, and thus, it assumes that the mobile node and the mobile access gateway are the only two nodes on the access link. The link is assumed to have multicast capability. This protocol may also be used on other link types, as long as the link is configured in such a way that it emulates point-to-point delivery between the mobile node and the mobile access gateway for all the protocol traffic. It is also necessary to be able to identify mobile nodes attaching to the link. Requirements relating to this are covered in Section 6.6. Finally, while this specification can operate without link-layer indications of node attachment and detachment to the link, the existence of such indications either on the network or mobile node side improves the resulting performance.6.4. Supported Address Configuration Modes
A mobile node in the Proxy Mobile IPv6 domain can configure one or more global IPv6 addresses on its interface (using Stateless, Stateful address autoconfiguration procedures or manual address configuration) from the hosted prefix(es) on that link. The Router Advertisement messages sent on the access link specify the address configuration methods permitted on that access link for that mobile node. However, the advertised flags, with respect to the address configuration, will be consistent for a mobile node, on any of the access links in that Proxy Mobile IPv6 domain. Typically, these configuration settings will be based on the domain-wide policy or based on a policy specific to each mobile node. When stateless address autoconfiguration is supported on the access link, the mobile node can generate one or more IPv6 addresses from the hosted prefix(es) by standard IPv6 mechanisms such as Stateless Autoconfiguration [RFC4862] or Privacy extensions [RFC4941]. When stateful address autoconfiguration is supported on the link, the mobile node can obtain the address configuration from the DHCP server located in the Proxy Mobile IPv6 domain, by standard DHCP mechanisms, as specified in [RFC3315]. The obtained address(es) will be from its home network prefix(es). Section 6.11 specifies the details on how this configuration can be achieved.
Additionally, other address configuration mechanisms specific to the access link between the mobile node and the mobile access gateway may also be used for delivering the address configuration to the mobile node. This specification does not modify the behavior of any of the standard IPv6 address configuration mechanisms.6.5. Access Authentication and Mobile Node Identification
When a mobile node attaches to an access link connected to the mobile access gateway, the deployed access security protocols on that link SHOULD ensure that the network-based mobility management service is offered only after authenticating and authorizing the mobile node for that service. The exact specifics on how this is achieved or the interactions between the mobile access gateway and the access security service are outside the scope of this document. This specification goes with the stated assumption of having an established trust between the mobile node and the mobile access gateway before the protocol operation begins.6.6. Acquiring Mobile Node's Identifier
All the network entities in a Proxy Mobile IPv6 domain MUST be able to identify a mobile node, using its MN-Identifier. This identifier MUST be stable and unique across the Proxy Mobile IPv6 domain. The mobility entities in the Proxy Mobile IPv6 domain MUST be able to use this identifier in the signaling messages and unambiguously identify a given mobile node. The following are some of the considerations related to this MN-Identifier. o The MN-Identifier is typically obtained as part of the access authentication or from a notified network attachment event. In cases where the user identifier authenticated during access authentication uniquely identifies a mobile node, the MN- Identifier MAY be the same as the user identifier. However, the user identifier MUST NOT be used if it identifies a user account that can be used from more than one mobile node operating in the same Proxy Mobile IPv6 domain. o In some cases, the obtained identifier, as part of the access authentication, can be a temporary identifier and further that temporary identifier may be different at each re-authentication. However, the mobile access gateway MUST be able to use this temporary identifier and obtain the mobile node's stable identifier from the policy store. For instance, in AAA-based systems, the Remote Authentication Dial-In User Service (RADIUS) attribute, Chargeable-User-Identifier [RFC4372] may be used, as long as it uniquely identifies a mobile node, and not a user account that can be used with multiple mobile nodes.
o In some cases and for privacy reasons, the MN-Identifier that the
policy store delivers to the mobile access gateway may not be the
true identifier of the mobile node. However, the mobility access
gateway MUST be able to use this identifier in the signaling
messages exchanged with the local mobility anchor.
o The mobile access gateway MUST be able to identify the mobile node
by its MN-Identifier, and it MUST be able to associate this
identity to the point-to-point link shared with the mobile node.
6.7. Home Network Emulation
One of the key functions of a mobile access gateway is to emulate the
mobile node's home network on the access link. It must ensure the
mobile node does not detect any change with respect to its layer-3
attachment even after it changes its point of attachment in that
Proxy Mobile IPv6 domain.
For emulating the mobile node's home link on the access link, the
mobile access gateway must be able to send Router Advertisement
messages advertising the mobile node's home network prefix(es)
carried using the Prefix Information option(s) [RFC4861] and with
other address configuration parameters consistent with its home link
properties. Typically, these configuration settings will be based on
the domain-wide policy or based on a policy specific to each mobile
node.
Typically, the mobile access gateway learns the mobile node's home
network prefix(es) details from the received Proxy Binding
Acknowledgement message, or it may obtain them from the mobile node's
policy profile. However, the mobile access gateway SHOULD send the
Router Advertisements advertising the mobile node's home network
prefix(es) only after successfully completing the binding
registration with the mobile node's local mobility anchor.
When advertising the home network prefix(es) in the Router
Advertisement messages, the mobile access gateway MAY set the prefix
lifetime value for the advertised prefix(es) to any chosen value at
its own discretion. An implementation MAY choose to tie the prefix
lifetime to the mobile node's binding lifetime. The prefix lifetime
can also be an optional configuration parameter in the mobile node's
policy profile.
6.8. Link-local and Global Address Uniqueness
A mobile node in the Proxy Mobile IPv6 domain, as it moves from one
mobile access gateway to the other, will continue to detect its home
network and does not detect a change of layer-3 attachment. Every
time the mobile node attaches to a new link, the event related to the interface state change will trigger the mobile node to perform Duplicate Address Detection (DAD) operation on the link-local and global address(es). However, if the mobile node is Detecting Network Attachment in IPv6 (DNAv6) enabled, as specified in [DNAV6], it may not detect the link change due to DNAv6 optimizations and may not trigger the duplicate address detection (DAD) procedure for its existing addresses, which may potentially lead to address collisions after the mobile node's handoff to a new link. The issue of address collision is not relevant to the mobile node's global address(es). Since the assigned home network prefix(es) are for the mobile node's exclusive usage, no other node shares an address (other than Subnet-Router anycast address that is configured by the mobile access gateway) from the prefix(es), and so the uniqueness for the mobile node's global address is assured on the access link. The issue of address collision is however relevant to the mobile node's link-local addresses since the mobile access gateway and the mobile node will have link-local addresses configured from the same link-local prefix (FE80::/64). This leaves a room for link-local address collision between the two neighbors (i.e., the mobile node and the mobile access gateway) on that access link. For solving this problem, this specification requires that the link-local address that the mobile access gateway configures on the point-to-point link shared with a given mobile node be generated by the local mobility anchor and be stored in the mobile node's Binding Cache entry. This address will not change for the duration of that mobile node's mobility session and can be provided to the serving mobile access gateway at every mobile node's handoff, as part of the Proxy Mobile IPv6 signaling messages. The specific method by which the local mobility anchor generates the link-local address is out of scope for this specification. It is highly desirable that the access link on the mobile access gateway shared with the mobile node be provisioned in such a way that before the mobile node completes the DAD operation [RFC4862] on its link-local address, the mobile access gateway on that link is aware of its own link-local address provided by the local mobility anchor that it needs to use on that access link. This essentially requires a successful completion of the Proxy Mobile IPv6 signaling by the mobile access gateway before the mobile node completes the DAD operation. This can be achieved by ensuring that link-layer attachment does not complete until the Proxy Mobile IPv6 signaling is
completed. Alternatively, network and local mobility anchor capacity and signaling retransmission timers can be provisioned in such a way that signaling is likely to complete during the default waiting period associated with the DAD process. Optionally, implementations MAY choose to configure a fixed link- local address across all the access links in a Proxy Mobile IPv6 domain and without a need for carrying this address from the local mobility anchor to the mobile access gateway in the Proxy Mobile IPv6 signaling messages. The configuration variable FixedMAGLinkLocalAddressOnAllAccessLinks determines the enabled mode in that Proxy Mobile IPv6 domain.6.9. Signaling Considerations
6.9.1. Binding Registrations
6.9.1.1. Mobile Node Attachment and Initial Binding Registration
1. After detecting a new mobile node on its access link, the mobile access gateway MUST identify the mobile node and acquire its MN- Identifier. If it determines that the network-based mobility management service needs to be offered to the mobile node, it MUST send a Proxy Binding Update message to the local mobility anchor. 2. The Proxy Binding Update message MUST include the Mobile Node Identifier option [RFC4283], carrying the MN-Identifier for identifying the mobile node. 3. The Home Network Prefix option(s) MUST be present in the Proxy Binding Update message. If the mobile access gateway learns the mobile node's home network prefix(es) either from its policy store or from other means, the mobile access gateway MAY choose to request the local mobility anchor to allocate the specific prefix(es) by including a Home Network Prefix option for each of those requested prefixes. The mobile access gateway MAY also choose to include just one Home Network Prefix option with the prefix value of ALL_ZERO, for requesting the local mobility anchor to do the prefix assignment. However, when including a Home Network Prefix option with the prefix value of ALL_ZERO, there MUST be only one instance of the Home Network prefix option in the request. 4. The Handoff Indicator option MUST be present in the Proxy Binding Update message. The Handoff Indicator field in the Handoff Indicator option MUST be set to a value indicating the handoff hint.
* The Handoff Indicator field MUST be set to a value of 1
(Attachment over a new interface) if the mobile access
gateway determines (under the Handoff Indicator
considerations specified in this section) that the mobile
node's current attachment to the network over this interface
is not as a result of a handoff of an existing mobility
session (over the same interface or through a different
interface), but as a result of an attachment over a new
interface. This essentially serves as a request to the local
mobility anchor to create a new mobility session and not
update any existing Binding Cache entry created for the same
mobile node connected to the Proxy Mobile IPv6 domain through
a different interface.
* The Handoff Indicator field MUST be set to a value of 2
(Handoff between two different interfaces of the mobile node)
if the mobile access gateway definitively knows the mobile
node's current attachment is due to a handoff of an existing
mobility session between two different interfaces of the
mobile node.
* The Handoff Indicator field MUST be set to a value of 3
(Handoff between mobile access gateways for the same
interface) if the mobile access gateway definitively knows
the mobile node's current attachment is due to a handoff of
an existing mobility session between two mobile access
gateways and for the same interface of the mobile node.
* The Handoff Indicator field MUST be set to a value of 4
(Handoff state unknown) if the mobile access gateway cannot
determine if the mobile node's current attachment is due to a
handoff of an existing mobility session.
5. The mobile access gateway MUST apply the below considerations
when choosing the value for the Handoff Indicator field.
* The mobile access gateway can choose to use the value 2
(Handoff between two different interfaces of the mobile
node), only when it knows that the mobile node has, on
purpose, switched from one interface to another, and the
previous interface is going to be disabled. It may know this
due to a number of factors. For instance, most cellular
networks have controlled handovers where the network knows
that the host is moving from one attachment to another. In
this situation, the link-layer mechanism can inform the
mobility functions that this is indeed a movement, not a new
attachment.
* Some link layers have link-layer identifiers that can be used
to distinguish (a) the movement of a particular interface to
a new attachment from (b) the attachment of a new interface
from the same host. Option value 3 (Handoff between mobile
access gateways for the same interface) is appropriate in
case (a) and a value of 1 (Attachment over a new interface)
in case (b).
* The mobile access gateway MUST NOT set the option value to 2
(Handoff between two different interfaces of the mobile node)
or 3 (Handoff between mobile access gateways for the same
interface) if it cannot be determined that the mobile node
can move the address between the interfaces involved in the
handover or that it is the same interface that has moved.
Otherwise, Proxy Mobile IPv6-unaware hosts that have multiple
physical interfaces to the same domain may suffer unexpected
failures.
* Where no support from the link layer exists, the host and the
network would need to inform each other about the intended
movement. The Proxy Mobile IPv6 protocol does not specify
this and simply requires that knowledge about movements can
be derived either from the link-layer or from somewhere else.
The method by which this is accomplished is outside the scope
of this specification.
6. Either the Timestamp option or a valid sequence number
maintained on a per mobile node's mobility session basis as
specified in [RFC3775] (if the Sequence-Number-based scheme is
in use) MUST be present. This can be determined based on the
value of the configuration flag TimestampBasedApproachInUse.
When Timestamp option is added to the message, the mobile access
gateway SHOULD also set the Sequence Number field to a value of
a monotonically increasing counter (maintained at each mobile
access gateway and not to be confused with the per mobile node
sequence number specified in [RFC3775]). The local mobility
anchor will ignore this field when there is a Timestamp option
present in the request, but will return the same value in the
Proxy Binding Acknowledgement message. This will be useful for
matching the reply to the request message.
7. The Mobile Node Link-layer Identifier option carrying the link-
layer identifier of the currently attached interface MUST be
present in the Proxy Binding Update message, if the mobile
access gateway is aware of the same. If the link-layer
identifier of the currently attached interface is not known or
if the identifier value is ALL_ZERO, this option MUST NOT be
present.
8. The Access Technology Type option MUST be present in the Proxy
Binding Update message. The access technology type field in the
option SHOULD be set to the type of access technology by which
the mobile node is currently attached to the mobile access
gateway.
9. The Link-local Address option MUST be present in the Proxy
Binding Update message only if the value of the configuration
variable FixedMAGLinkLocalAddressOnAllAccessLinks is set to a
value of ALL_ZERO; otherwise, the Link-local Address option MUST
NOT be present in the request. Considerations from Section 6.8
MUST be applied when using the Link-local Address option.
* For querying the local mobility anchor to provide the link-
local address that it should use on the point-to-point link
shared with the mobile node, this option MUST be set to
ALL_ZERO value. This essentially serves as a request to the
local mobility anchor to provide the link-local address that
it can use on the access link shared with the mobile node.
10. The Proxy Binding Update message MUST be constructed as
specified in Section 6.9.1.5.
11. If there is no existing Binding Update List entry for that
mobile node, the mobile access gateway MUST create a Binding
Update List entry for the mobile node upon sending the Proxy
Binding Update message.
6.9.1.2. Receiving Proxy Binding Acknowledgement
On receiving a Proxy Binding Acknowledgement message (format
specified in Section 8.2) from the local mobility anchor, the mobile
access gateway MUST process the message as specified below.
1. The received Proxy Binding Acknowledgement message (a Binding
Acknowledgement message with the (P) flag set to value of 1)
MUST be authenticated as described in Section 4. When IPsec is
used for message authentication, the SPI in the IPsec header
[RFC4306] of the received packet is needed for locating the
security association, for authenticating the Proxy Binding
Acknowledgement message.
2. The mobile access gateway MUST observe the rules described in
Section 9.2 of [RFC3775] when processing Mobility Headers in the
received Proxy Binding Acknowledgement message.
3. The mobile access gateway MUST apply the considerations
specified in Section 5.5 for processing the Sequence Number
field and the Timestamp option (if present) in the message.
4. The mobile access gateway MUST ignore any checks, specified in
[RFC3775], related to the presence of a Type 2 Routing header in
the Proxy Binding Acknowledgement message.
5. The mobile access gateway MAY use the mobile node identifier
present in the Mobile Node Identifier option for matching the
response to the request messages that it sent recently.
However, if there is more than one request message in its
request queue for the same mobile node, the sequence number
field can be used for identifying the exact message from those
messages. There are other ways to achieve this and
implementations are free to adopt the best approach that suits
their implementation. Additionally, if the received Proxy
Binding Acknowledgement message does not match any of the Proxy
Binding Update messages that it sent recently, the message MUST
be ignored.
6. If the received Proxy Binding Acknowledgement message has any
one or more of the following options, Handoff Indicator option,
Access Technology Type option, Mobile Node Link-layer Identifier
option, Mobile Node Identifier option, carrying option values
that are different from the option values present in the
corresponding request (Proxy Binding Update) message, the
message MUST be ignored as the local mobility anchor is expected
to echo back all these listed options and with the same option
values in the reply message. In this case, the mobile access
gateway MUST NOT retransmit the Proxy Binding Update message
until an administrative action is taken.
7. If the received Proxy Binding Acknowledgement message has the
Status field value set to PROXY_REG_NOT_ENABLED (Proxy
registration not enabled for the mobile node), the mobile access
gateway SHOULD NOT send a Proxy Binding Update message again for
that mobile node until an administrative action is taken. It
MUST deny the mobility service to that mobile node.
8. If the received Proxy Binding Acknowledgement message has the
Status field value set to TIMESTAMP_LOWER_THAN_PREV_ACCEPTED
(Timestamp value lower than previously accepted value), the
mobile access gateway SHOULD try to register again to reassert
the mobile node's presence on its access link. The mobile
access gateway is not specifically required to synchronize its
clock upon receiving this error code.
9. If the received Proxy Binding Acknowledgement message has the
Status field value set to TIMESTAMP_MISMATCH (Invalid timestamp
value), the mobile access gateway SHOULD try to register again
only after it has synchronized its clock to a common time source
that is used by all the mobility entities in that domain for
their clock synchronization. The mobile access gateway SHOULD
NOT synchronize its clock to the local mobility anchor's system
clock, based on the timestamp present in the received message.
10. If the received Proxy Binding Acknowledgement message has the
Status field value set to NOT_AUTHORIZED_FOR_HOME_NETWORK_PREFIX
(The mobile node is not authorized for one or more of the
requesting home network prefixes), the mobile access gateway
SHOULD NOT request the same prefix(es) again, but MAY request
the local mobility anchor to do the assignment of prefix(es) by
including only one Home Network Prefix option with the prefix
value set to ALL_ZERO.
11. If the received Proxy Binding Acknowledgement message has the
Status field value set to any value greater than or equal to 128
(i.e., if the binding is rejected), the mobile access gateway
MUST NOT advertise the mobile node's home network prefix(es) in
the Router Advertisement messages sent on that access link and
MUST deny the mobility service to the mobile node by not
forwarding any packets received from the mobile node using an
address from the home network prefix(es). It MAY also tear down
the point-to-point link shared with the mobile node.
12. If the received Proxy Binding Acknowledgement message has the
Status field value set to 0 (Proxy Binding Update accepted), the
mobile access gateway MUST establish a bi-directional tunnel to
the local mobility anchor (if there is no existing bi-
directional tunnel to that local mobility anchor).
Considerations from Section 5.6.1 MUST be applied for managing
the dynamically created bi-directional tunnel.
13. The mobile access gateway MUST set up the route for forwarding
the packets received from the mobile node using address(es) from
its home network prefix(es) through the bi-directional setup for
that mobile node. The created tunnel and the routing state MUST
result in the forwarding behavior on the mobile access gateway
as specified in Section 6.10.5.
14. The mobile access gateway MUST also update the Binding Update
List entry to reflect the accepted binding registration values.
It MUST also advertise the mobile node's home network prefix(es)
as the hosted on-link prefixes, by including them in the Router
Advertisement messages that it sends on that access link.
15. If the received Proxy Binding Acknowledgement message has the
address in the Link-local Address option set to a NON_ZERO
value, the mobile access gateway SHOULD configure that link-
local address on that point-to-point link and SHOULD NOT
configure any other link-local address without performing a DAD
operation [RFC4862]. This will avoid any potential link-local
address collisions on that access link. However, if the link-
local address generated by the local mobility anchor happens to
be already in use by the mobile node on that link, the mobile
access gateway MUST NOT use that address, but SHOULD configure a
different link-local address. It SHOULD also upload this link-
local address to the local mobility anchor by immediately
sending a Proxy Binding Update message and by including this
address in the Link-local Address option.
6.9.1.3. Extending Binding Lifetime
1. For extending the lifetime of a currently registered mobile node
(i.e., after a successful initial binding registration from the
same mobile access gateway), the mobile access gateway can send a
Proxy Binding Update message to the local mobility anchor with a
new lifetime value. This re-registration message MUST be
constructed with the same set of options as the initial Proxy
Binding Update message, under the considerations specified in
Section 6.9.1.1. However, the following exceptions apply.
2. There MUST be a Home Network Prefix option for each of the
assigned home network prefixes assigned for that mobility session
and with the prefix value in the option set to that respective
prefix value.
3. The Handoff Indicator field in the Handoff Indicator option MUST
be set to a value of 5 (Handoff state not changed - Re-
Registration).
6.9.1.4. Mobile Node Detachment and Binding De-Registration
1. If at any point the mobile access gateway detects that the mobile
node has moved away from its access link, or if it decides to
terminate the mobile node's mobility session, it SHOULD send a
Proxy Binding Update message to the local mobility anchor with
the lifetime value set to zero. This de-registration message
MUST be constructed with the same set of options as the initial
Proxy Binding Update message, under the considerations specified
in Section 6.9.1.1. However, the following exceptions apply.
2. There MUST be a Home Network Prefix option for each of the
assigned home network prefixes assigned for that mobility session
and with the prefix value in the option set to the respective
prefix value.
3. The Handoff Indicator field in the Handoff Indicator option MUST
be set to a value of 4 (Handoff state unknown).
Either upon receipt of a Proxy Binding Acknowledgement message from
the local mobility anchor with the Status field set to 0 (Proxy
Binding Update Accepted), or after INITIAL_BINDACK_TIMEOUT [RFC3775]
timeout waiting for the reply, the mobile access gateway MUST do the
following:
1. It MUST remove the Binding Update List entry for the mobile node
from its Binding Update List.
2. It MUST remove the created routing state for tunneling the mobile
node's traffic.
3. If there is a dynamically created tunnel to the mobile node's
local mobility anchor and if there are not other mobile nodes for
which the tunnel is being used, then the tunnel MUST be deleted.
4. It MUST tear down the point-to-point link shared with the mobile
node. This action will force the mobile node to remove any IPv6
address configuration on the interface connected to this point-
to-point link.
6.9.1.5. Constructing the Proxy Binding Update Message
o The mobile access gateway, when sending the Proxy Binding Update
message to the local mobility anchor, MUST construct the message
as specified below.
IPv6 header (src=Proxy-CoA, dst=LMAA)
Mobility header
- BU /* P & A flags MUST be set to value 1 */
Mobility Options
- Mobile Node Identifier option (mandatory)
- Home Network Prefix option(s) (mandatory)
- Handoff Indicator option (mandatory)
- Access Technology Type option (mandatory)
- Timestamp option (optional)
- Mobile Node Link-layer Identifier option (optional)
- Link-local Address option (optional)
Figure 12: Proxy Binding Update Message Format
o The Source Address field in the IPv6 header of the message MUST be
set to the global address configured on the egress interface of
the mobile access gateway. When there is no Alternate Care-of
Address option present in the request, this address will be
considered as the Proxy-CoA for this Proxy Binding Update message.
However, when there is an Alternate Care-of Address option present
in the request, this address will be not be considered as the
Proxy-CoA, but the address in the Alternate Care-of Address option
will be considered as the Proxy-CoA.
o The Destination Address field in the IPv6 header of the message
MUST be set to the local mobility anchor address.
o The Mobile Node Identifier option [RFC4283] MUST be present.
o At least one Home Network Prefix option MUST be present.
o The Handoff Indicator option MUST be present.
o The Access Technology Type option MUST be present.
o The Timestamp option MAY be present.
o The Mobile Node Link-layer Identifier option MAY be present.
o The Link-local Address option MAY be present.
o If IPsec is used for protecting the signaling messages, the
message MUST be protected, using the security association existing
between the local mobility anchor and the mobile access gateway.
o Unlike in Mobile IPv6 [RFC3775], the Home Address option [RFC3775]
MUST NOT be present in the IPv6 Destination Options extension
header of the Proxy Binding Update message.
6.9.2. Router Solicitation Messages
A mobile node may send a Router Solicitation message on the access
link shared with the mobile access gateway. The Router Solicitation
message that the mobile node sends is as specified in [RFC4861]. The
mobile access gateway, on receiving the Router Solicitation message
or before sending a Router Advertisement message, MUST apply the
following considerations.
1. The mobile access gateway, on receiving the Router Solicitation
message, SHOULD send a Router Advertisement message containing
the mobile node's home network prefix(es) as the on-link
prefix(es). However, before sending the Router Advertisement
message containing the mobile node's home network prefix(es), it
SHOULD complete the binding registration process with the mobile
node's local mobility anchor.
2. If the local mobility anchor rejects the Proxy Binding Update
message, or, if the mobile access gateway failed to complete the
binding registration process for whatever reason, the mobile
access gateway MUST NOT advertise the mobile node's home network
prefix(es) in the Router Advertisement messages that it sends on
the access link. However, it MAY choose to advertise a local
visited network prefix to enable the mobile node for regular IPv6
access.
3. The mobile access gateway SHOULD add the MTU option, as specified
in [RFC4861], to the Router Advertisement messages that it sends
on the access link. This will ensure the mobile node on the link
uses the advertised MTU value. The MTU value SHOULD reflect the
tunnel MTU for the bi-directional tunnel between the mobile
access gateway and the local mobility anchor. Considerations
from Section 6.9.5 SHOULD be applied for determining the tunnel
MTU value.
6.9.3. Default-Router
In Proxy Mobile IPv6, the mobile access gateway is the IPv6 default-
router for the mobile node on the access link. However, as the
mobile node moves from one access link to another, the serving mobile
access gateway on those respective links will send the Router
Advertisement messages. If these Router Advertisements are sent
using a different link-local address or a different link-layer
address, the mobile node will always detect a new default-router
after every handoff. For solving this problem, this specification
requires all the mobile access gateways in the Proxy Mobile IPv6
domain to use the same link-local and link-layer address on any of
the access links wherever the mobile node attaches. These addresses
can be fixed addresses across the entire Proxy Mobile IPv6 domain,
and all the mobile access gateways can use these globally fixed
address on any of the point-to-point links. The configuration
variables FixedMAGLinkLocalAddressOnAllAccessLinks and
FixedMAGLinkLayerAddressOnAllAccessLinks SHOULD be used for this
purpose. Additionally, this specification allows the local mobility
anchor to generate the link-local address and provide it to the
mobile access gateway as part of the signaling messages.
However, both of these approaches (a link-local address generated by
the local mobility anchor or when using a globally fixed link-local
address) have implications on the deployment of SEcure Neighbor
Discovery (SEND) [RFC3971]. In SEND, routers have certificates and
public key pairs, and their Router Advertisements are signed with the private keys of these key pairs. When a number of different routers use the same addresses, the routers either all have to be able to construct these signatures for the same key pair, or the used key pair and the router's cryptographic identity must change after a movement. Both approaches are problematic. Sharing of private key information across multiple nodes in a PMIP6 domain is poor design from a security perspective. And changing even the cryptographic identity of the router goes against the general idea of the Proxy Mobile IPv6 being as invisible to the hosts as possible. There is, however, ongoing work in the IETF to revise the SEND specifications. It is suggested that these revisions also address the above problem. Other revisions are needed to deal with other problematic cases (such as Neighbor Discovery proxies) before wide- spread deployment of SEND.6.9.4. Retransmissions and Rate Limiting
The mobile access gateway is responsible for retransmissions and rate limiting the Proxy Binding Update messages that it sends to the local mobility anchor. The Retransmission and the Rate Limiting rules are as specified in [RFC3775]. However, the following considerations MUST be applied. 1. When the mobile access gateway sends a Proxy Binding Update message, it should use the constant, INITIAL_BINDACK_TIMEOUT [RFC3775], for configuring the retransmission timer, as specified in Section 11.8 [RFC3775]. However, the mobile access gateway is not required to use a longer retransmission interval of InitialBindackTimeoutFirstReg, as specified in [RFC3775], for the initial Proxy Binding Update message. 2. If the mobile access gateway fails to receive a valid matching response for a registration or re-registration message within the retransmission interval, it SHOULD retransmit the message until a response is received. However, the mobile access gateway MUST ensure the mobile node is still attached to the connected link before retransmitting the message. 3. As specified in Section 11.8 of [RFC3775], the mobile access gateway MUST use an exponential back-off process in which the timeout period is doubled upon each retransmission, until either the node receives a response or the timeout period reaches the value MAX_BINDACK_TIMEOUT [RFC3775]. The mobile access gateway MAY continue to send these messages at this slower rate indefinitely.
4. If the Timestamp-based scheme is in use, the retransmitted Proxy
Binding Update messages MUST use the latest timestamp. If the
Sequence Number scheme is in use, the retransmitted Proxy Binding
Update messages MUST use a Sequence Number value greater than
that was used for the previous transmission of this Proxy Binding
Update message, just as specified in [RFC3775].
6.9.5. Path MTU Discovery
It is important that mobile node, mobile access gateway, and local
mobility anchor have a correct understanding of MTUs. When the
mobile node uses the correct MTU, it can send packets that do not
exceed the local link MTU and do not cause the tunneled packets from
the mobile access gateway to be fragmented. This is important both
from the perspective of efficiency, as well as preventing hard-to-
diagnose MTU problems. The following are some of the considerations
related to Path MTU discovery.
o The local mobility anchor and mobile access gateway MAY use the
Path MTU discovery mechanisms, as specified in [RFC1981] or in
[RFC4821], for determining the Path MTU (PMTU) for the (LMA-MAG)
paths. The specific discovery mechanism to be used in a given
deployment can be configurable.
o The mobility entities MUST implement and SHOULD support ICMP-based
Path MTU discovery mechanism, as specified in [RFC1981]. However,
this mechanism may not work correctly if the Proxy Mobile IPv6
network does not deliver or process ICMP Packet Too Big messages.
o The mobility entities MAY implement Packetization Layer Path MTU
discovery mechanisms, as specified in [RFC4821], and use any
application traffic as a payload for the PMTU discovery. Neither
the Proxy Mobile IPv6 protocol or the tunnel between the mobile
access gateway and local mobility agent can easily be used for
this purpose. However, implementations SHOULD support at least
the use of an explicit ICMP Echo Request/Response for this
purpose.
o The mobility entities MAY choose to perform Path MTU discovery for
all the (LMA-MAG) paths at the boot time and may repeat this
operation periodically to ensure the Path MTU values have not
changed for those paths. If the dynamic PMTU discovery mechanisms
fail to determine the Path MTU, an administratively configured
default value MUST be used.
o The IPv6 tunnel MTU for an established tunnel between the local
mobility anchor and the mobile access gateway MUST be computed
based on the determined Path MTU value for that specific path and
the computation should be as specified in Section 6.7 of
[RFC2473].
o The mobile access gateway SHOULD use the determined tunnel Path
MTU value (for the tunnel established with the mobile node's local
mobility anchor) as the MTU value in the MTU option that it sends
in the Router Advertisements on the access link shared with the
mobile node. But, if the MTU value of the access link shared with
the mobile node is lower than the determined Path MTU value, then
the MTU of the access link MUST be used in the MTU option.
o If the mobile access gateway detects a change in the MTU value for
any of the paths (LMA-MAG) and at any point of time, the
corresponding tunnel MTU value MUST be updated to reflect the
change in Path MTU value. The adjusted tunnel MTU value (lower of
the Path MTU and the access link MTU) SHOULD be notified to the
impacted mobile nodes by sending additional Router Advertisement
messages. Additionally, the adjusted tunnel MTU value MUST be
used in all the subsequent Router Advertisement messages as well.
6.10. Routing Considerations
This section describes how the mobile access gateway handles the
traffic to/from the mobile node that is attached to one of its access
interfaces.
Proxy-CoA LMAA
| |
+--+ +---+ +---+ +--+
|MN|----------|MAG|======================|LMA|----------|CN|
+--+ +---+ +---+ +--+
IPv6 Tunnel
Figure 13: Proxy Mobile IPv6 Tunnel
6.10.1. Transport Network
As per this specification, the transport network between the local
mobility anchor and the mobile access gateway is an IPv6 network.
The document [IPV4-PMIP6] specifies the required extensions for
negotiating IPv4 transport and the corresponding encapsulation mode.
6.10.2. Tunneling and Encapsulation Modes
An IPv6 address that a mobile node uses from its home network prefix(es) is topologically anchored at the local mobility anchor. For a mobile node to use this address from an access network attached to a mobile access gateway, proper tunneling techniques have to be in place. Tunneling hides the network topology and allows the mobile node's IPv6 datagram to be encapsulated as a payload of another IPv6 packet and to be routed between the local mobility anchor and the mobile access gateway. The Mobile IPv6 base specification [RFC3775] defines the use of IPv6-over-IPv6 tunneling [RFC2473] between the home agent and the mobile node, and this specification extends the use of the same tunneling mechanism for use between the local mobility anchor and the mobile access gateway. On most operating systems, a tunnel is implemented as a virtual point-to-point interface. The source and the destination address of the two endpoints of this virtual interface along with the encapsulation mode are specified for this virtual interface. Any packet that is routed over this interface gets encapsulated with the outer header as specified for that point-to-point tunnel interface. For creating a point-to-point tunnel to any local mobility anchor, the mobile access gateway may implement a tunnel interface with the Source Address field set to a global address on its egress interface (Proxy-CoA) and the destination address field set to the global address of the local mobility anchor (LMAA). The following is the supported packet encapsulation mode that can be used by the mobile access gateway and the local mobility anchor for routing mobile node's IPv6 datagrams. o IPv6-In-IPv6 - IPv6 datagram encapsulated in an IPv6 packet [RFC2473]. The companion document [IPV4-PMIP6] specifies other encapsulation modes for supporting IPv4 transport. o IPv6-In-IPv4 - IPv6 datagram encapsulation in an IPv4 packet. The details on how this mode is negotiated are specified in [IPV4-PMIP6]. o IPv6-In-IPv4-UDP - IPv6 datagram encapsulation in an IPv4 UDP packet. This mode is specified in [IPV4-PMIP6]. o IPv6-In-IPv4-UDP-TLV - IPv6 datagram encapsulation in an IPv4 UDP packet with a TLV header. This mode is specified in [IPV4-PMIP6].
6.10.3. Local Routing
If there is data traffic between a visiting mobile node and a correspondent node that is locally attached to an access link connected to the mobile access gateway, the mobile access gateway MAY optimize on the delivery efforts by locally routing the packets and by not reverse tunneling them to the mobile node's local mobility anchor. The flag EnableMAGLocalRouting MAY be used for controlling this behavior. However, in some systems, this may have an implication on the mobile node's accounting and policy enforcement as the local mobility anchor is not in the path for that traffic and it will not be able to apply any traffic policies or do any accounting for those flows. This decision of path optimization SHOULD be based on the policy configured on the mobile access gateway, but enforced by the mobile node's local mobility anchor. The specific details on how this is achieved are beyond of the scope of this document.6.10.4. Tunnel Management
All the considerations mentioned in Section 5.6.1 for the tunnel management on the local mobility anchor apply for the mobile access gateway as well.6.10.5. Forwarding Rules
Forwarding Packets Sent to the Mobile Node's Home Network: o On receiving a packet from the bi-directional tunnel established with the mobile node's local mobility anchor, the mobile access gateway MUST use the destination address of the inner packet for forwarding it on the interface where the destination network prefix is hosted. The mobile access gateway MUST remove the outer header before forwarding the packet. Considerations from [RFC2473] MUST be applied for IPv6 decapsulation. If the mobile access gateway cannot find the connected interface for that destination address, it MUST silently drop the packet. For reporting an error in such a scenario, in the form of an ICMP control message, the considerations from [RFC2473] MUST be applied. o On receiving a packet from a correspondent node that is connected to the mobile access gateway as a regular IPv6 host (see Section 6.14) destined to a mobile node that is also locally attached, the mobile access gateway MUST check the flag EnableMAGLocalRouting to determine if the packet can be delivered directly to the mobile node. If the mobile access gateway is not allowed to route the
packet directly, it MUST route the packet towards the local
mobility anchor where the destination address is topologically
anchored, else it can route the packet directly to the mobile
node.
Forwarding Packets Sent by the Mobile Node:
o On receiving a packet from a mobile node connected to its access
link, the mobile access gateway MUST ensure that there is an
established binding for that mobile node with its local mobility
anchor before forwarding the packet directly to the destination or
before tunneling the packet to the mobile node's local mobility
anchor.
o On receiving a packet from a mobile node connected to its access
link for a destination that is locally connected, the mobile
access gateway MUST check the flag EnableMAGLocalRouting, to
ensure the mobile access gateway is allowed to route the packet
directly to the destination. If the mobile access gateway is not
allowed to route the packet directly, it MUST route the packet
through the bi-directional tunnel established between itself and
the mobile node's local mobility anchor. Otherwise, it MUST route
the packet directly to the destination.
o On receiving a packet from a mobile node connected to its access
link, to a destination that is not directly connected, the packet
MUST be forwarded to the local mobility anchor through the bi-
directional tunnel established between itself and the mobile
node's local mobility anchor. However, the packets that are sent
with the link-local source address MUST NOT be forwarded.
o The format of the tunneled packet is shown below. Considerations
from [RFC2473] MUST be applied for IPv6 encapsulation. However,
when using IPv4 transport, the format of the tunneled packet is as
described in [IPV4-PMIP6].
IPv6 header (src= Proxy-CoA, dst= LMAA /* Tunnel Header */
IPv6 header (src= MN-HoA, dst= CN ) /* Packet Header */
Upper layer protocols /* Packet Content*/
Figure 14: Tunneled Packet from MAG to LMA
o The format of the tunneled packet is shown below, when payload
protection using IPsec is enabled for the mobile node's data
traffic. However, when using IPv4 transport, the format of the
packet is as described in [IPV4-PMIP6].
IPv6 header (src= Proxy-CoA, dst= LMAA /* Tunnel Header */ ESP Header in tunnel mode /* ESP Header */ IPv6 header (src= MN-HoA, dst= CN ) /* Packet Header */ Upper layer protocols /* Packet Content*/ Figure 15: Tunneled Packet from MAG to LMA with Payload Protection6.11. Supporting DHCP-Based Address Configuration on the Access Link
This section explains how Stateful Address Configuration using DHCP support can be enabled in a Proxy Mobile IPv6 domain. It also identifies the required configuration in DHCP and mobility infrastructures for supporting this address configuration mode and also identifies the protocol interactions between these two systems. o For supporting Stateful Address Configuration using DHCP, the DHCP relay agent [RFC3315] service MUST be supported on all the mobile access gateways in the Proxy Mobile IPv6 domain. Further, as specified in Section 20 of [RFC3315], the DHCP relay agent should be configured to use a list of destination addresses, which MAY include unicast addresses, the All_DHCP_Servers multicast address, or other addresses as required in a given deployment. o The DHCP infrastructure needs to be configured to assign addresses from each of the prefixes assigned to a link in that Proxy Mobile IPv6 domain. The DHCP relay agent indicates the link to which the mobile node is attached by including an IPv6 address from any of the prefixes assigned to that link in the link-address field of the Relay Forward message. Therefore, for each link in the Mobile IPv6 domain, the DHCP infrastructure will: * be configured with a list of all of the prefixes associated with that link; * identify the link to which the mobile node is attached by looking up the prefix for the link-address field in the Relay Forward message in the list of prefixes associated with each link; * assign to the host an address from each prefix associated with the link to which the mobile node is attached. This DHCP infrastructure configuration requirement is identical to other IPv6 networks; other than receiving DHCP messages from a mobile node through different relay agents (MAGs) over time, the DHCP infrastructure will be unaware of the mobile node's capability with respect to mobility support.
o The local mobility anchor needs to have the same awareness with
respect to the links along with the associated prefixes in a Proxy
Mobile IPv6 domain. When a local mobility anchor assigns
prefix(es) to a mobile node, it MUST assign all the prefixes
associated with a given link and all of those assigned prefixes
will remain as the home network prefixes for that mobile node
throughout the life of that mobility session. The serving mobile
access gateway that hosts these prefixes is physically connected
to that link and can function as the DHCP relay agent. This
common understanding between DHCP and mobility entities about all
the links in the domain along with the associated prefixes
provides the required coordination for allowing mobility entities
to perform prefix assignment dynamically to a mobile node and
still allow the DHCP infrastructure to perform address assignment
for that mobile node only from its home network prefixes.
o When a mobile node sends a DHCP request message, the DHCP relay
agent function on the mobile access gateway will set the link-
address field in the DHCP message to an address in the mobile
node's home network prefix (any one of the mobile node's home
network prefixes assigned to that mobile node's attached
interface). The mobile access gateway can generate an
autoconfiguration address from one of the mobile node's home
network prefixes [RFC4862] and can use this address link-address
option, so as to provide a hint to the DHCP Server for the link
identification. The DHCP server, on receiving the request from
the mobile node, will allocate addresses from all the prefixes
associated with that link (identified using the link-address field
of the request).
o Once the mobile node obtains address(es), moves to a different
link, and sends a DHCP request (at any time) for extending the
DHCP lease, the DHCP relay agent on the new link will set the
link-address field in the DHCP Relay Forward message to one of the
mobile node's home network prefixes. The DHCP server will
identify the client from the Client-DUID option and will identify
the link from the link-address option present in the request and
will allocate the same address(es) as before.
o For correct operation of the model of network-based mobility
management in which the host does not participate in any mobility
management, the mobile node MUST always be assigned an identical
set of IPv6 addresses regardless of the access link to which the
mobile node is attached. For example, the mobile access gateways
in the Proxy Mobile IPv6 domain should be configured so that DHCP
messages from a mobile node will always be handled by the same
DHCP server or by a server from the same group of coordinated DHCP
servers serving that domain. DHCP-based address configuration is
not recommended for deployments in which the local mobility anchor
and the mobile access gateway are located in different
administrative domains.
6.12. Home Network Prefix Renumbering
If the mobile node's home network prefix(es) gets renumbered or
becomes invalid during the middle of a mobility session, the mobile
access gateway MUST withdraw the prefix(es) by sending a Router
Advertisement message on the access link with zero prefix lifetime
for the prefix(es) that is being renumbered. Also, the local
mobility anchor and the mobile access gateway MUST delete the created
routing state for the renumbered prefix(es). However, the specific
details on how the local mobility anchor notifies the mobile access
gateway about the mobile node's home network prefix(es) renumbering
are outside the scope of this document.
6.13. Mobile Node Detachment Detection and Resource Cleanup
Before sending a Proxy Binding Update message to the local mobility
anchor for extending the lifetime of a currently existing binding of
a mobile node, the mobile access gateway MUST make sure the mobile
node is still attached to the connected link by using some reliable
method. If the mobile access gateway cannot predictably detect the
presence of the mobile node on the connected link, it MUST NOT
attempt to extend the registration lifetime of the mobile node.
Further, in such a scenario, the mobile access gateway SHOULD
terminate the binding of the mobile node by sending a Proxy Binding
Update message to the mobile node's local mobility anchor with
lifetime value set to 0. It MUST also remove any local state such as
the Binding Update List entry created for that mobile node.
The specific detection mechanism of the loss of a visiting mobile
node on the connected link is specific to the access link between the
mobile node and the mobile access gateway and is outside the scope of
this document. Typically, there are various link-layer-specific
events specific to each access technology that the mobile access
gateway can depend on for detecting the node loss. In general, the
mobile access gateway can depend on one or more of the following
methods for the detection presence of the mobile node on the
connected link:
o Link-layer event specific to the access technology o Session termination event on point-to-point link types o IPv6 Neighbor Unreachability Detection event from IPv6 stack o Notification event from the local mobility anchor6.14. Allowing Network Access to Other IPv6 Nodes
In some Proxy Mobile IPv6 deployments, network operators may provision the mobile access gateway to offer network-based mobility management service only to some visiting mobile nodes and enable just regular IP access to some other nodes. This requires the network to have control on when to enable network-based mobility management service to a mobile node and when to enable regular IPv6 access. This specification does not disallow such configuration. Upon detecting a mobile node on its access link and after policy considerations, the mobile access gateway MUST determine if network- based mobility management service should be offered to that mobile node. If the mobile node is entitled to network-based mobility management service, then the mobile access gateway must ensure the mobile node does not detect any change with respect to its layer-3 attachment, as explained in various sections of this specification. If the mobile node is not entitled to the network-based mobility management service, as determined from the policy considerations, the mobile access gateway MAY choose to offer regular IPv6 access to the mobile node, and in such a scenario, the normal IPv6 considerations apply. If IPv6 access is enabled, the mobile node SHOULD be able to obtain IPv6 address(es) using the normal IPv6 address configuration procedures. The obtained address(es) must be from a local visitor network prefix(es). This essentially ensures that the mobile access gateway functions as a normal access router to a mobile node attached to its access link and without impacting its host-based mobility protocol operation.
(page 67 continued on part 4)
