1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
|
<pre>Network Working Group H. Soliman, Ed.
Request for Comments: 5555 Elevate Technologies
Category: Standards Track June 2009
<span class="h1">Mobile IPv6 Support for Dual Stack Hosts and Routers</span>
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract
The current Mobile IPv6 and Network Mobility (NEMO) specifications
support IPv6 only. This specification extends those standards to
allow the registration of IPv4 addresses and prefixes, respectively,
and the transport of both IPv4 and IPv6 packets over the tunnel to
the home agent. This specification also allows the mobile node to
roam over both IPv6 and IPv4, including the case where Network
Address Translation is present on the path between the mobile node
and its home agent.
<span class="grey">Soliman Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Requirements Notation ......................................<a href="#page-4">4</a>
<a href="#section-1.2">1.2</a>. Motivation for Using Mobile IPv6 Only ......................<a href="#page-4">4</a>
<a href="#section-1.3">1.3</a>. Scenarios Considered by This Specification .................<a href="#page-4">4</a>
<a href="#section-2">2</a>. Solution Overview ...............................................<a href="#page-6">6</a>
<a href="#section-2.1">2.1</a>. Home Agent Address Discovery ...............................<a href="#page-6">6</a>
<a href="#section-2.2">2.2</a>. Mobile Prefix Solicitation and Advertisement ...............<a href="#page-7">7</a>
<a href="#section-2.3">2.3</a>. Binding Management .........................................<a href="#page-8">8</a>
<a href="#section-2.3.1">2.3.1</a>. Foreign Network Supports IPv6 .......................<a href="#page-8">8</a>
<a href="#section-2.3.2">2.3.2</a>. Foreign Network Supports IPv4 Only ..................<a href="#page-9">9</a>
<a href="#section-2.4">2.4</a>. Route Optimization ........................................<a href="#page-11">11</a>
<a href="#section-2.5">2.5</a>. Dynamic IPv4 Home Address Allocation ......................<a href="#page-11">11</a>
<a href="#section-3">3</a>. Extensions and Modifications to Mobile IPv6 ....................<a href="#page-11">11</a>
<a href="#section-3.1">3.1</a>. Binding Update Extensions .................................<a href="#page-11">11</a>
<a href="#section-3.1.1">3.1.1</a>. IPv4 Home Address Option ...........................<a href="#page-11">11</a>
<a href="#section-3.1.2">3.1.2</a>. The IPv4 Care-of Address Option ....................<a href="#page-13">13</a>
<a href="#section-3.1.3">3.1.3</a>. The Binding Update Message Extensions ..............<a href="#page-13">13</a>
<a href="#section-3.2">3.2</a>. Binding Acknowledgement Extensions ........................<a href="#page-14">14</a>
<a href="#section-3.2.1">3.2.1</a>. IPv4 Address Acknowledgement Option ................<a href="#page-14">14</a>
<a href="#section-3.2.2">3.2.2</a>. The NAT Detection Option ...........................<a href="#page-16">16</a>
<a href="#section-4">4</a>. Protocol Operation .............................................<a href="#page-17">17</a>
<a href="#section-4.1">4.1</a>. Tunnelling Formats ........................................<a href="#page-17">17</a>
<a href="#section-4.1.1">4.1.1</a>. Tunnelling Impacts on Transport and MTU ............<a href="#page-18">18</a>
<a href="#section-4.2">4.2</a>. NAT Detection .............................................<a href="#page-19">19</a>
<a href="#section-4.3">4.3</a>. NAT Keepalives ............................................<a href="#page-21">21</a>
<a href="#section-4.4">4.4</a>. Mobile Node Operation .....................................<a href="#page-22">22</a>
<a href="#section-4.4.1">4.4.1</a>. Selecting a Care-of Address ........................<a href="#page-22">22</a>
<a href="#section-4.4.2">4.4.2</a>. Sending Binding Updates ............................<a href="#page-23">23</a>
<a href="#section-4.4.3">4.4.3</a>. Sending Packets from a Visited Network .............<a href="#page-25">25</a>
<a href="#section-4.4.4">4.4.4</a>. Movement Detection in IPv4-Only Networks ...........<a href="#page-26">26</a>
<a href="#section-4.5">4.5</a>. Home Agent Operation ......................................<a href="#page-26">26</a>
<a href="#section-4.5.1">4.5.1</a>. Sending Packets to the Mobile Node .................<a href="#page-28">28</a>
<a href="#section-4.6">4.6</a>. Correspondent Node Operation ..............................<a href="#page-29">29</a>
<a href="#section-5">5</a>. Security Considerations ........................................<a href="#page-29">29</a>
<a href="#section-5.1">5.1</a>. Handover Interactions for IPsec and IKE ...................<a href="#page-30">30</a>
5.2. IKE Negotiation Messages between the Mobile Node
and Home Agent ............................................<a href="#page-33">33</a>
<a href="#section-5.2.1">5.2.1</a>. IKEv2 Operation for Securing DSMIPv6 Signaling .....<a href="#page-33">33</a>
<a href="#section-5.2.2">5.2.2</a>. IKEv2 Operation for Securing Data over IPv4 ........<a href="#page-36">36</a>
<a href="#section-6">6</a>. Protocol Constants .............................................<a href="#page-38">38</a>
<a href="#section-7">7</a>. Acknowledgements ...............................................<a href="#page-38">38</a>
<a href="#section-8">8</a>. IANA Considerations ............................................<a href="#page-38">38</a>
<a href="#section-9">9</a>. References .....................................................<a href="#page-39">39</a>
<a href="#section-9.1">9.1</a>. Normative References ......................................<a href="#page-39">39</a>
<a href="#section-9.2">9.2</a>. Informative References ....................................<a href="#page-40">40</a>
<a href="#section-10">10</a>. Contributors ..................................................<a href="#page-41">41</a>
<span class="grey">Soliman Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
Mobile IPv6 [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] and NEMO [<a href="./rfc3963" title=""Network Mobility (NEMO) Basic Support Protocol"">RFC3963</a>] allow mobile nodes to move
within the Internet while maintaining reachability and ongoing
sessions, using an IPv6 home address or prefix. However, since IPv6
is not widely deployed, it is unlikely that mobile nodes will
initially use only IPv6 addresses for their connections. It is
reasonable to assume that mobile nodes will, for a long time, need an
IPv4 home address that can be used by upper layers. It is also
reasonable to assume that mobile nodes will move to networks that
might not support IPv6 and would therefore need the capability to
support an IPv4 care-of address. Hence, this specification extends
Mobile IPv6 capabilities to allow dual stack mobile nodes to request
that their home agent (also dual stacked) tunnel IPv4/IPv6 packets
addressed to their home addresses, as well as IPv4/IPv6 care-of
address(es).
Using this specification, mobile nodes would only need Mobile IPv6
and [<a href="./rfc3963" title=""Network Mobility (NEMO) Basic Support Protocol"">RFC3963</a>] to manage mobility while moving within the Internet,
hence eliminating the need to run two mobility management protocols
simultaneously. This specification provides the extensions needed in
order to allow dual stack mobile nodes to use IPv6 mobility only.
This specification will also consider cases where a mobile node moves
into a private IPv4 network and gets configured with a private IPv4
care-of address. In these scenarios, the mobile node needs to be
able to traverse the IPv4 NAT in order to communicate with the home
agent. IPv4 NAT traversal for Mobile IPv6 is presented in this
specification.
In this specification, the term "mobile node" refers to both a mobile
host and a mobile router unless the discussion is specific to either
hosts or routers. Similarly, we use the term "home address" to
reflect an address/prefix format. Note that both mobile host and
router functionality have already been defined in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] and
[<a href="./rfc3963" title=""Network Mobility (NEMO) Basic Support Protocol"">RFC3963</a>], respectively. This specification does not change those
already defined behaviors, nor does it extend the specific types of
hosts and router support already defined, with the following two
exceptions: (i) allowing the mobile node to communicate with its home
agent even over IPv4 networks, and (ii) allowing the use of IPv4 home
addresses and prefixes.
In this specification, extensions are defined for the binding update
and binding acknowledgement. It should be noted that all these
extensions apply to cases where the mobile node communicates with a
Mobility Anchor Point (MAP) as defined in [<a href="./rfc5380" title=""Hierarchical Mobile IPv6 (HMIPv6) Mobility Management"">RFC5380</a>]. The
<span class="grey">Soliman Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
requirements on the MAP are identical to those stated for the home
agent; however, it is unlikely that NAT traversal would be needed
with a MAP, as it is expected to be in the same address domain.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Requirements Notation</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Motivation for Using Mobile IPv6 Only</span>
IPv6 offers a number of improvements over today's IPv4, primarily due
to its large address space. Mobile IPv6 offers a number of
improvements over Mobile IPv4 [<a href="./rfc3344" title=""IP Mobility Support for IPv4"">RFC3344</a>], mainly due to capabilities
inherited from IPv6. For instance, route optimization and dynamic
home agent discovery can only be achieved with Mobile IPv6.
One of the advantages of the large address space provided by IPv6 is
that it allows mobile nodes to obtain a globally unique care-of
address wherever they are. Hence, there is no need for Network
Address Translator (NAT) traversal techniques designed for Mobile
IPv4. This allows Mobile IPv6 to be a significantly simpler and more
bandwidth-efficient mobility management protocol. At the same time,
during the transition towards IPv6, NAT traversal for existing
private IPv4 networks needs to be considered. This specification
introduces NAT traversal for this purpose.
The above benefits make the case for using only Mobile IPv6 for dual
stack mobile nodes, as it allows for a long-lasting mobility
solution. The use of Mobile IPv6 for dual stack mobility eliminates
the need for changing the mobility solution due to the introduction
of IPv6 within a deployed network.
<span class="h3"><a class="selflink" id="section-1.3" href="#section-1.3">1.3</a>. Scenarios Considered by This Specification</span>
There are several scenarios that illustrate potential
incompatibilities for mobile nodes using Mobile IPv6. Some of the
problems associated with mobility and transition issues were
presented in [<a href="./rfc4977" title=""Problem Statement: Dual Stack Mobility"">RFC4977</a>]. This specification considers the scenarios
that address all the problems discussed in [<a href="./rfc4977" title=""Problem Statement: Dual Stack Mobility"">RFC4977</a>]. The scenarios
considered in this specification are listed below.
All of the following scenarios assume that both the mobile node and
the home agent are IPv4- and IPv6-enabled and that only Mobile IPv6
is used between the mobile node and the home agent. We also assume
<span class="grey">Soliman Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
that the home agent is always reachable through a globally unique
IPv4 address. Finally, it's important to note that the following
scenarios are not mutually exclusive.
Scenario 1: IPv4-only foreign network
In this scenario, a mobile node is connected to an IPv4-only foreign
network. The mobile node can only configure an IPv4 care-of address.
Scenario 2: Mobile node behind a NAT
In this scenario, the mobile node is in a private IPv4 foreign
network that has a NAT device connecting it to the Internet. If the
home agent is located outside the NAT device, the mobile node will
need a NAT traversal mechanism to communicate with the home agent.
It should be noted that [<a href="./rfc5389" title=""Session Traversal Utilities for NAT (STUN)"">RFC5389</a>] highlights issues with some types
of NATs that act as generic Application Level Gateways (ALGs) and
rewrite any 32-bit field containing the NAT's public IP addresses.
This specification will not support such NATs.
Scenario 3: Home agent behind a NAT
In this scenario, the communication between the mobile node and the
home agent is further complicated by the fact that the home agent is
located within a private IPv4 network. However, in this scenario, we
assume that the home agent is allocated a globally unique IPv4
address. The address might not be physically configured on the home
agent interface. Instead, it is associated with the home agent on
the Network Address Port Translation (NAPT) device, which allows the
home agent to be reachable through address or port mapping.
Scenario 4: Use of IPv4-only applications
In this scenario, the mobile node may be located in an IPv4, IPv6, or
dual network. However, the mobile node might be communicating with
an IPv4-only node. In this case, the mobile node would need a stable
IPv4 address for its application. The alternative to using an IPv4
address is to use protocol translators; however, end-to-end
communication with IPv4 is preferred to the use of protocol
translators.
The mobile node may also be communicating with an IPv4-only
application that requires an IPv4 address.
The cases above illustrate the need for the allocation of a stable
IPv4 home address to the mobile node. This is done using an IPv4
home address. Since running Mobile IPv4 and Mobile IPv6
<span class="grey">Soliman Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
simultaneously is problematic (as illustrated in [<a href="./rfc4977" title=""Problem Statement: Dual Stack Mobility"">RFC4977</a>]), this
scenario adds a requirement on Mobile IPv6 to support IPv4 home
addresses.
Scenario 5: IPv6 and IPv4-enabled networks
In this scenario, the mobile node should prefer the use of an IPv6
care-of address for either its IPv6 or IPv4 home address. Normal
IP-in-IP tunnelling should be used in this scenario as described in
[<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>]. Under rare exceptions, where IP-in-IP tunnelling for IPv6
does not allow the mobile node to reach the home agent, the mobile
node follows the sending algorithm described in <a href="#section-4.4.1">Section 4.4.1</a>. UDP
tunnelling in IPv6 networks is proposed in this document as a last-
resort mechanism when reachability cannot be achieved through normal
IP-in-IP tunnelling. It should not be viewed as a normal mode of
operation and should not be used as a first resort.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Solution Overview</span>
In order to allow Mobile IPv6 to be used by dual stack mobile nodes,
the following needs to be done:
o Mobile nodes should be able to use IPv4 and IPv6 home or care-of
addresses simultaneously and to update their home agents
accordingly.
o Mobile nodes need to be able to know the IPv4 address of the home
agent as well as its IPv6 address. There is no need for IPv4
prefix discovery, however.
o Mobile nodes need to be able to detect the presence of a NAT
device and traverse it in order to communicate with the home
agent.
This section presents an overview of the extensions required in order
to allow mobile nodes to use only Mobile IPv6 for IP mobility
management.
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Home Agent Address Discovery</span>
Dynamic Home Agent Address Discovery (DHAAD) is defined in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>]
to allow mobile nodes to discover their home agents by appending a
well-known anycast interface identifier to their home link's prefix.
However, this mechanism is based on IPv6-anycast routing. If a
mobile node (MN) is located in an IPv4-only foreign network, it
cannot rely on native IPv6 routing. In this scenario, the solution
for discovering the home agent's IPv4 address is through the Domain
Name System (DNS). If the MN is attached to an IPv6-only or dual
<span class="grey">Soliman Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
stack network, it may also use procedures defined in [<a href="#ref-CHOWDHURY" title=""MIP6-bootstrapping for the Integrated Scenario"">CHOWDHURY</a>] to
discover home agent information. Note that the use of [<a href="#ref-CHOWDHURY" title=""MIP6-bootstrapping for the Integrated Scenario"">CHOWDHURY</a>]
cannot give the mobile node information that allows it to communicate
with the home agent if the mobile node is located in an IPv4-only
network. In this scenario, the mobile node needs to discover the
IPv4 address of its home agent through the DNS.
For DNS lookup by name, the mobile node should be configured with the
name of the home agent. When the mobile node needs to discover a
home agent, it sends a DNS request with QNAME set to the configured
name. An example is "ha1.example.com". If a home agent has an IPv4
and IPv6 address, the corresponding DNS record should be configured
with both 'AAAA' and 'A' records. Accordingly, the DNS reply will
contain 'AAAA' and 'A' records.
For DNS lookup by service, the SRV record defined in [<a href="./rfc5026" title=""Mobile IPv6 Bootstrapping in Split Scenario"">RFC5026</a>] is
reused. For instance, if the service name is "mip6" and the protocol
name is "ipv6" in the SRV record, the mobile node SHOULD send a DNS
request with the QNAME set to "_mip6._ipv6.example.com". The
response should contain the home agent's FQDN(s) and may include the
corresponding 'AAAA' and 'A' records as well.
If multiple home agents reside on the home link, each configured with
a public IPv4 address, then the operation above applies. The correct
DNS entries can be configured accordingly.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Mobile Prefix Solicitation and Advertisement</span>
According to [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>], the mobile node can send a Mobile Prefix
Solicitation and receive a Mobile Prefix Advertisement containing all
prefixes advertised on the home link.
A dual stack mobile node MAY send a Mobile Prefix Solicitation
message encapsulated in IPv4 (i.e., IPv6 in IPv4) in the case where
the mobile node has no access to IPv6 within the local network.
Securing these messages requires the mobile node to have a security
association with the home agent, using IPsec and based on the mobile
node's IPv4 care-of address as described in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] and [<a href="./rfc4877" title=""Mobile IPv6 Operation with IKEv2 and the Revised IPsec Architecture"">RFC4877</a>].
[<a id="ref-RFC3775">RFC3775</a>] requires the mobile node to include the home address option
in the solicitation message sent to the home agent. If the mobile
node is located in an IPv4 network, it will not be assigned an IPv6
address to include in the source address. In this case, the mobile
node MUST use its home address in the source address field of the
IPv6 packet, in addition to using the home address option as expected
by [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>].
<span class="grey">Soliman Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Binding Management</span>
A dual stack mobile node will need to update its home agent with its
care-of address. If a mobile node has an IPv4 and an IPv6 home
address, it will need to create a binding cache entry for each
address. The format of the IP packet carrying the binding update and
acknowledgement messages will vary depending on whether the mobile
node has access to IPv6 in the visited network. There are three
different scenarios to consider with respect to the visited network:
o The visited network has IPv6 connectivity and provides the mobile
node with a care-of address (in a stateful or stateless manner).
o The mobile node can only configure a globally unique IPv4 address
in the visited network.
o The mobile node can only configure a private IPv4 address in the
visited network.
<span class="h4"><a class="selflink" id="section-2.3.1" href="#section-2.3.1">2.3.1</a>. Foreign Network Supports IPv6</span>
In this case, the mobile node is able to configure a globally unique
IPv6 address. The mobile node will send a binding update to the IPv6
address of its home agent, as defined in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>]. The binding
update MAY include the IPv4 home address option introduced in this
document. After receiving the binding update, the home agent creates
two binding cache entries: one for the mobile node's IPv4 home
address and another for the mobile node's IPv6 home address. Both
entries will point to the mobile node's IPv6 care-of address. Hence,
whenever a packet is addressed to the mobile node's IPv4 or IPv6 home
address, the home agent will tunnel it in IPv6 to the mobile node's
IPv6 care-of address that is included in the binding update.
Effectively, the mobile node establishes two different tunnels, one
for its IPv4 traffic (IPv4 in IPv6) and one for its IPv6 traffic
(IPv6 in IPv6), with a single binding update.
In this scenario, this document extends [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] by including the
IPv4 home address option in the binding update message. Furthermore,
if the network supports both IPv4 and IPv6, or if the mobile node is
experiencing problems with IP-in-IP tunnelling, this document
proposes some mitigating actions as described in <a href="#section-4.4.1">Section 4.4.1</a>.
After accepting the binding update and creating the corresponding
binding cache entries, the home agent MUST send a binding
acknowledgement to the mobile node as defined in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>]. In
addition, if the binding update included an IPv4 home address option,
the binding acknowledgement MUST include the IPv4 address
acknowledgment option as described in <a href="#section-3.2.1">Section 3.2.1</a>. This option
<span class="grey">Soliman Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
informs the mobile node whether the binding was accepted for the IPv4
home address. If this option is not included in the binding
acknowledgement and the IPv4 home address option was included in the
binding update, the mobile node MUST assume that the home agent does
not support the IPv4 home address option and therefore SHOULD NOT
include the option in future binding updates to that home agent
address.
When a mobile node acquires both IPv4 and IPv6 care-of addresses at
the foreign network, it SHOULD prioritize the IPv6 care-of address
for its MIPv6 binding as described in <a href="#section-4.4.1">Section 4.4.1</a>.
<span class="h4"><a class="selflink" id="section-2.3.2" href="#section-2.3.2">2.3.2</a>. Foreign Network Supports IPv4 Only</span>
If the mobile node is in a foreign network that only supports IPv4,
it needs to detect whether a NAT is in its communication path to the
home agent. This is done while exchanging the binding update and
acknowledgement messages as shown later in this document. NAT
detection is needed for the purposes of the signaling presented in
this specification.
<span class="h5"><a class="selflink" id="section-2.3.2.1" href="#section-2.3.2.1">2.3.2.1</a>. Foreign Network Supports IPv4 Only (Public Addresses)</span>
In this scenario, the mobile node will need to tunnel IPv6 packets
containing the binding update to the home agent's IPv4 address. The
mobile node uses the IPv4 address it gets from the foreign network as
a source address in the outer header. The binding update will
contain the mobile node's IPv6 home address. However, since the
care-of address in this scenario is the mobile node's IPv4 address,
the mobile node MUST include its IPv4 care-of address in the IPv6
packet. The IPv4 address is represented in the IPv4 care-of address
option defined in this specification. If the mobile node had an IPv4
home address, it MUST also include the IPv4 home address option
described in this specification.
After accepting the binding update, the home agent MUST create a new
binding cache entry for the mobile node's IPv6 home address. If an
IPv4 home address option is included, the home agent MUST create
another entry for that address. All entries MUST point to the mobile
node's IPv4 care-of address. Hence, all packets addressed to the
mobile node's home address(es) (IPv4 or IPv6) will be encapsulated in
an IPv4 header that includes the home agent's IPv4 address in the
source address field and the mobile node's IPv4 care-of address in
the destination address field.
After accepting the binding updates and creating the corresponding
entries, the home agent MUST send a binding acknowledgement as
specified in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>]. In addition, if the binding update included
<span class="grey">Soliman Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
an IPv4 home address option, the binding acknowledgement MUST include
the IPv4 address acknowledgment option as described in <a href="#section-3.2.1">Section 3.2.1</a>.
The binding acknowledgement is encapsulated to the IPv4 care-of
address, which was included in the source address field of the IPv4
header encapsulating the binding update.
<span class="h5"><a class="selflink" id="section-2.3.2.2" href="#section-2.3.2.2">2.3.2.2</a>. Foreign Network Supports IPv4 Only (Private Addresses)</span>
In this scenario the mobile node will need to tunnel IPv6 packets
containing the binding update to the home agent's IPv4 address. In
order to traverse the NAT device, IPv6 packets are tunneled using UDP
and IPv4. The UDP port allocated for the home agent is 4191
(dsmipv6).
The mobile node uses the IPv4 address it gets from the visited
network as a source address in the IPv4 header. The binding update
will contain the mobile node's IPv6 home address.
After accepting the binding update, the home agent MUST create a new
binding cache entry for the mobile node's IPv6 home address. If an
IPv4 home address option is included, the home agent MUST create
another entry for that address. All entries MUST point to the mobile
node's IPv4 care-of address included in the source address of the
IPv4 header that encapsulated the binding update message. In
addition, the tunnel used MUST indicate UDP encapsulation for NAT
traversal. Hence, all packets addressed to the mobile node's home
address(es) (IPv4 or IPv6) will be encapsulated in UDP and then
encapsulated in an IPv4 header that includes the home agent's IPv4
address in the source address field and the mobile node's IPv4 care-
of address in the destination address field. Note that the home
agent MUST store the source UDP port numbers contained in the packet
carrying the binding update in order to be able to forward packets to
the mobile node.
After accepting the binding updates and creating the corresponding
entries, the home agent MUST send a binding acknowledgement as
specified in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>]. In addition, if the binding update included
an IPv4 home address option, the binding acknowledgement MUST include
the IPv4 address acknowledgment option as described later in this
specification. The binding acknowledgement is encapsulated in UDP
and then in IPv4 with the home agent's IPv4 address in the source
address field and the mobile node's IPv4 care-of address in the
destination field. The IPv4 address in the destination field of the
IPv4 packet is the source address that was received in the IPv4
header containing the binding update message. The inner IPv6 packet
will contain the home agent's IPv6 address as a source address and
the mobile node's IPv6 home address in the destination address field.
<span class="grey">Soliman Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
The mobile node needs to maintain the NAT bindings for its current
IPv4 care-of address. This is done through sending the binding
update regularly to the home agent.
<span class="h3"><a class="selflink" id="section-2.4" href="#section-2.4">2.4</a>. Route Optimization</span>
Route optimization, as specified in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>], will operate in an
identical manner for dual stack mobile nodes when they are located in
a visited network that provides IPv6 addresses to the mobile node and
while communicating with an IPv6-enabled correspondent node.
However, when located in an IPv4-only network, or when using the IPv4
home address to communicate with an IPv4 correspondent node, route
optimization will not be possible due to the difficulty of performing
the return-routability test. In this specification, UDP
encapsulation is only used between the mobile node and its home
agent. Therefore, mobile nodes will need to communicate through the
home agent.
Route optimization will not be possible for IPv4 traffic -- that is,
traffic addressed to the mobile node's IPv4 home address. This is
similar to using Mobile IPv4; therefore, there is no reduction of
features resulting from using this specification.
<span class="h3"><a class="selflink" id="section-2.5" href="#section-2.5">2.5</a>. Dynamic IPv4 Home Address Allocation</span>
It is possible to allow for the mobile node's IPv4 home address to be
allocated dynamically. This is done by including 0.0.0.0 in the IPv4
home address option that is included in the binding update. The home
agent SHOULD allocate an IPv4 address to the mobile node and include
it in the IPv4 address acknowledgement option sent to the mobile
node. In this case, the lifetime of the binding is bound to the
minimum of the lifetimes of the IPv6 binding and the lease time of
the IPv4 home address.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Extensions and Modifications to Mobile IPv6</span>
This section highlights the protocol and implementation additions
required to support this specification.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Binding Update Extensions</span>
<span class="h4"><a class="selflink" id="section-3.1.1" href="#section-3.1.1">3.1.1</a>. IPv4 Home Address Option</span>
This option is included in the mobility header, including the binding
update message sent from the mobile node to a home agent or Mobility
Anchor Point. The alignment requirement for this option is 4n.
<span class="grey">Soliman Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |Prefix-len |P| Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv4 home address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: IPv4 Home Address Option
Type
29
Length
6
Prefix-len
The length of the prefix allocated to the mobile node. If only a
single address is allocated, this field MUST be set to 32. In the
first binding update requesting a prefix, the field contains the
prefix length requested. However, in the following binding
updates, this field must contain the length of the prefix
allocated. A value of zero is invalid and MUST be considered an
error.
P
A flag indicating, when set, that the mobile node requests a
mobile network prefix. This flag is only relevant for new
requests, and must be ignored for binding refreshes.
Reserved
This field is reserved for future use. It MUST be set to zero by
the sender and ignored by the receiver.
IPv4 Home Address
The mobile node's IPv4 home address that should be defended by the
home agent. This field could contain any unicast IPv4 address
(public or private) that was assigned to the mobile node. The
value 0.0.0.0 is used to request an IPv4 home address from the
home agent. A mobile node may choose to use this option to
request a prefix by setting the address to All Zeroes and setting
the P flag. The mobile node could then form an IPv4 home address
<span class="grey">Soliman Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
based on the allocated prefix. Alternatively, the mobile node may
use two different options, one for requesting an address (static
or dynamic) and another for requesting a prefix.
<span class="h4"><a class="selflink" id="section-3.1.2" href="#section-3.1.2">3.1.2</a>. The IPv4 Care-of Address Option</span>
This option is included in the mobility header, including the binding
update message sent from the mobile node to a home agent or Mobility
Anchor Point. The alignment requirement for this option is 4n.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv4 Care-of address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: The IPv4 CoA Option
Type
32
Length
6
Reserved
This field is set to zero by the sender and ignored by the
receiver.
IPv4 Care-of Address
This field contains the mobile node's IPv4 care-of address. The
IPv4 care-of address is used when the mobile node is located in an
IPv4-only network.
<span class="h4"><a class="selflink" id="section-3.1.3" href="#section-3.1.3">3.1.3</a>. The Binding Update Message Extensions</span>
This specification extends the binding update message with one new
flag. The flag is shown and described below.
<span class="grey">Soliman Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence # |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|A|H|L|K|M|R|P|F| Reserved | Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Binding Update Message
F
When set, this flag indicates a request for forcing UDP
encapsulation regardless of whether a NAT is present on the path
between the mobile node and the home agent. This flag may be set
by the mobile node if it is required to use UDP encapsulation
regardless of the presence of a NAT. This flag SHOULD NOT be set
when the mobile node is configured with an IPv6 care-of address --
with the exception of the scenario mentioned in <a href="#section-4.4.1">Section 4.4.1</a>.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Binding Acknowledgement Extensions</span>
<span class="h4"><a class="selflink" id="section-3.2.1" href="#section-3.2.1">3.2.1</a>. IPv4 Address Acknowledgement Option</span>
This option is included in the mobility header, including the binding
acknowledgement message sent from the home agent or Mobility Anchor
Point to the mobile node. This option indicates whether a binding
cache entry was created for the mobile node's IPv4 address.
Additionally, this option includes an IPv4 home address in the case
of dynamic IPv4 home address configuration (i.e., if the unspecified
IPv4 address was included in the binding update). The alignment
requirement for this option is 4n.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Status |Pref-len |Res|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv4 home address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: IPv4 Address Acknowledgement Option
<span class="grey">Soliman Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
Type
30
Length
6
Status
Indicates success or failure for the IPv4 home address binding.
Values from 0 to 127 indicate success. Higher values indicate
failure.
Pref-len
The prefix length of the address allocated. This field is only
valid in case of success and MUST be set to zero and ignored in
case of failure. This field overrides what the mobile node
requested (if not equal to the requested length).
Res
This field is reserved for future use. It MUST be set to zero by
the sender and ignored by the receiver
IPv4 Home Address
The IPv4 home address that the home agent will use in the binding
cache entry. This could be a public or private address. This
field MUST contain the mobile node's IPv4 home address. If the
address were dynamically allocated, the home agent will add the
address to inform the mobile node. Otherwise, if the address is
statically allocated to the mobile node, the home agent will copy
it from the binding update message.
The following values are allocated for the status field:
o 0 Success
o 128 Failure, reason unspecified
o 129 Administratively prohibited
o 130 Incorrect IPv4 home address
o 131 Invalid IPv4 address
<span class="grey">Soliman Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
o 132 Dynamic IPv4 home address assignment not available
o 133 Prefix allocation unauthorized
<span class="h4"><a class="selflink" id="section-3.2.2" href="#section-3.2.2">3.2.2</a>. The NAT Detection Option</span>
This option is sent from the home agent to the mobile node to
indicate whether a NAT was in the path. This option MAY also include
a suggested NAT binding refresh time for the mobile node. This might
be useful for scenarios where the mobile node is known to be moving
within the home agent's administrative domain and, therefore, the NAT
timeout is known (through configuration) to the home agent. <a href="./rfc5405#section-3.5">Section</a>
<a href="./rfc5405#section-3.5">3.5 of [RFC5405]</a> discusses issues with NAT timeout in some detail.
The alignment requirement for this option is 4n. If a NAT is
detected, this option MUST be sent by the home agent.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |F| Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Refresh time |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: The NAT Detection Option
Type
31
Length
6
F
This flag indicates to the mobile node that UDP encapsulation is
required. When set, this flag indicates that the mobile node MUST
use UDP encapsulation even if a NAT is not located between the
mobile node and home agent. This flag SHOULD NOT be set when the
mobile node is assigned an IPv6 care-of address -- with the
exception of accommodating the scenarios discussed in
<a href="#section-4.4.1">Section 4.4.1</a>.
<span class="grey">Soliman Standards Track [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
Reserved
This field is reserved for future use. It MUST be set to zero by
the sender and ignored by the receiver.
Refresh Time
A suggested time (in seconds) for the mobile node to refresh the
NAT binding. If set to zero, it is ignored. If this field is set
to all 1s, it means that keepalives are not needed, i.e., no NAT
was detected. The home agent MUST be configured with a default
value for the refresh time. The recommended value is outlined in
<a href="#section-6">Section 6</a>.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Protocol Operation</span>
This section presents the protocol operation and processing for the
messages presented above. In addition, this section introduces the
NAT detection and traversal mechanism used by this specification.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Tunnelling Formats</span>
This specification allows the mobile node to use various tunnelling
formats depending on its location and the visited network's
capabilities. The mobile node can tunnel IPv6 in IPv4, IPv4 in IPv6,
or use UDP encapsulation to tunnel IPv6 in IPv4. Naturally, this
specification also supports tunnelling IPv6 in IPv6 [<a href="./rfc2473" title=""Generic Packet Tunneling in IPv6 Specification"">RFC2473</a>].
This specification allows UDP-based tunnelling to be used between the
mobile node and its home agent or MAP. A UDP encapsulation format
means the following order of headers:
IPv4/v6
UDP
IP (v4 or v6)
Other headers
Note that the use of UDP encapsulation for IPv6 care-of addresses
SHOULD NOT be done except in the circumstances highlighted in <a href="#section-4.4.1">Section</a>
<a href="#section-4.4.1">4.4.1</a>.
When using this format, the receiver parses the version field
following the UDP header in order to determine whether the following
header is IPv4 or IPv6. The rest of the headers are processed
normally. The above order of headers does not take IPsec headers
<span class="grey">Soliman Standards Track [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
into account as they may be placed in different parts of the packet.
The above format MUST be supported by all implementations of this
specification and MUST always be used to send the binding update
message.
UDP tunnelling can also encapsulate an Encapsulating Security Payload
(ESP) header as shown below:
IPv4/v6
UDP
ESP
IP (v4 or v6)
Other headers
The negotiation of the secure tunnel format described above is
discussed in <a href="#section-5.2">Section 5.2</a>. The receiver of a UDP tunnel detects
whether or not an ESP header is present based on the UDP port used.
<span class="h4"><a class="selflink" id="section-4.1.1" href="#section-4.1.1">4.1.1</a>. Tunnelling Impacts on Transport and MTU</span>
Changing the tunnel format may occur due to movement of the mobile
node from one network to another. This can impact the link and path
MTU, which may affect the amount of bandwidth available to the
applications. The mobile node may use Path MTU Discovery (PMTUD) as
specified in [<a href="./rfc4459" title=""MTU and Fragmentation Issues with In-the- Network Tunneling"">RFC4459</a>].
To accommodate traffic that uses Explicit Congestion Notification
(ECN), it is RECOMMENDED that the ECN and Differentiated Services
Code Point (DSCP) information be copied between the inner and outer
header as defined in [<a href="./rfc3168" title=""The Addition of Explicit Congestion Notification (ECN) to IP"">RFC3168</a>] and [<a href="./rfc2983" title=""Differentiated Services and Tunnels"">RFC2983</a>]. It is RECOMMENDED that
the full-functionality option defined in <a href="./rfc3168#section-9.1.1">Section 9.1.1 of [RFC3168]</a>
be used to deal with ECN.
Note that some implementations may not be able to use ECN over the
UDP tunnel. This is due to the lack of access to ECN bits in the UDP
API on most platforms. However, this issue can be avoided if UDP
encapsulation is done in the kernel.
Note that, when using UDP encapsulation, the Time to Live (TTL) field
must be decremented in the same manner as when IP-in-IP encapsulation
is used.
<span class="grey">Soliman Standards Track [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. NAT Detection</span>
This section deals with NAT detection for the purpose of
encapsulating packets between the mobile node and the home agent when
the mobile node is present in a private IPv4 network. Mobile IPv6
uses IKEv2 to establish the IPsec security association (SA) between
the mobile node and the home agent. IKEv2 has its own NAT detection
mechanism. However, IKEv2's NAT detection is only used for the
purpose of setting up the IPsec SA for secure traffic. The
interactions between the two NAT traversal mechanisms are described
in <a href="#section-5">Section 5</a>.
NAT detection is done when the initial binding update message is sent
from the mobile node to the home agent. When located in an IPv4-only
foreign link, the mobile node sends the binding update message
encapsulated in UDP and IPv4. The source address of the IPv6 packet
is the mobile node's IPv6 home address. The destination address is
the IPv6 address of the home agent. The IPv4 header contains the
IPv4 care-of address in the source address field and the IPv4 address
of the home agent in the destination address field.
When the home agent receives the encapsulated binding update, it
compares the IPv4 address of the source address field in the IPv4
header with the IPv4 address included in the IPv4 care-of address
option. If the two addresses match, no NAT device was in the path.
Otherwise, a NAT was in the path and the NAT detection option is
included in the binding acknowledgement. The binding acknowledgement
and all future packets are then encapsulated in UDP and IPv4. The
source address in the IPv4 header is the IPv4 address of the home
agent. The destination address is the IPv4 address received in the
IPv4 header encapsulating the binding update (this address will be
different from the IPv4 care-of address when a NAT is in the path).
The source port in the packet is the home agent's source port. The
destination port is the source port received in the binding update
message. Note that the home agent stores the port numbers and
associates them with the mobile node's tunnel in order to forward
future packets.
Upon receiving the binding acknowledgement with the NAT detection
option, the mobile node sets the tunnel to the home agent to UDP
encapsulation. Hence, all future packets to the home agent are
tunneled in UDP and IPv4. For all tunneled IPv6 packets, the source
address in the IPv6 header is the mobile node's IPv6 home address and
the destination address is the correspondent node's IPv6 address.
All tunneled IPv4 packets will contain the mobile node's IPv4 home
address in the source address field of the inner IPv4 packet and the
<span class="grey">Soliman Standards Track [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
correspondent node's IPv4 address in the destination address field.
The outer IPv4 header is the same whether the inner packet is IPv4 or
IPv6.
If no NAT device was detected in the path between the mobile node and
the home agent, then IPv6 packets are tunneled in an IPv4 header
unless the home agent forces UDP encapsulation using the F flag. The
content of the inner and outer headers are identical to the UDP
encapsulation case.
A mobile node MUST always tunnel binding updates in UDP when located
in an IPv4-only network. Essentially, this process allows for
perpetual NAT detection. Similarly, the home agent MUST encapsulate
binding acknowledgements in a UDP header whenever the binding update
is encapsulated in UDP.
In conclusion, the packet formats for the binding update and
acknowledgement messages are shown below:
Binding update received by the home agent:
IPv4 header (src=V4ADDR, dst=HA_V4ADDR)
UDP header
IPv6 header (src=V6HOA, dst=HAADDR)
ESP header
Mobility header
BU [IPv4 HAO]
IPv4 CoA option
Where V4ADDR is either the IPv4 care-of address or the address
provided by the NAT device. V6HOA is the IPv6 home address of the
mobile node. The binding update MAY also contain the IPv4 home
address option, IPv4 HAO.
Binding acknowledgement sent by the home agent:
IPv4 header (src= HA_V4ADDR, dst=V4ADDR)
UDP header
IPv6 header (src=HAADDR, dst=V6HOA)
<span class="grey">Soliman Standards Track [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
ESP header
Mobility header
BA ([IPv4 ACK], NAT DET)
Where V6HOA is the IPv6 home address of the mobile node. The IPv4
ACK is the IPv4 address acknowledgement option, which is only
included if the IPv4 home address option is present in the BU. The
NAT DET is the NAT detection option, which MUST be present in the
binding acknowledgement message if the binding update was
encapsulated in UDP.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. NAT Keepalives</span>
If a NAT is detected, the mobile node will need to refresh the NAT
bindings in order to be reachable from the home agent. NAT bindings
can be refreshed through sending and receiving traffic encapsulated
in UDP. However, if the mobile node is not active, it will need to
periodically send a message to the home agent in order to refresh the
NAT binding. This can be done using the binding update message. The
binding update/acknowledgement pair will ensure that the NAT bindings
are refreshed in a reliable manner. There is no way for the mobile
node to know the exact time of the NAT binding. The default time
suggested in this specification is NATKATIMEOUT (see <a href="#section-6">Section 6</a>). If
the home agent suggests a different refresh period in the binding
acknowledgement, the mobile node SHOULD use the value suggested by
the home agent.
If the refresh time in the NAT detection option in the binding
acknowledgement is set to all 1s, the mobile node need not send
messages to refresh the NAT binding. However, the mobile node may
still be required to encapsulate traffic in UDP. This scenario may
take place when a NAT is not detected but the home agent still
requires the mobile node to use UDP encapsulation.
It should be noted that a mobile node that does not need to be
reachable (i.e., one that only cares about the session continuity
aspect of Mobile IP) does not need to refresh the NAT binding. In
this case, the mobile node would only be able to initiate
communication with other nodes. However, this is likely to imply
that the mobile node will need to send a binding update before
initiating communication after a long idle period as it is likely to
be assigned a different port and IPv4 address by the NAT when it
initiates communication. Hence, an implementation may choose, for
the sake of simplicity, to always maintain the NAT bindings even when
it does not need reachability.
<span class="grey">Soliman Standards Track [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
Note that keepalives are also needed by IKEv2 over UDP port 4500.
This is needed for IKE (Internet Key Exchange Protocol) dead-peer
detection, which is not handled by DSMIPv6 keepalives.
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. Mobile Node Operation</span>
In addition to the operations specified in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] and [<a href="./rfc3963" title=""Network Mobility (NEMO) Basic Support Protocol"">RFC3963</a>],
this specification requires mobile nodes to be able to support an
IPv4 home address. This specification also requires the mobile node
to choose an IPv4 or an IPv6 care-of address. We first discuss
care-of address selection, then continue with binding management and
transmission of normal traffic.
<span class="h4"><a class="selflink" id="section-4.4.1" href="#section-4.4.1">4.4.1</a>. Selecting a Care-of Address</span>
When a mobile node is in a dual stacked, visited network, it will
have a choice between an IPv4 and an IPv6 care-of address. The
mobile node SHOULD prefer the IPv6 care-of address and bind it to its
home address(es). If a mobile node attempted to bind the IPv6 care-
of address to its home address(es) and the binding update timed out,
the mobile node SHOULD:
o Resend the binding update using the exponential back-off algorithm
described in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>].
o If after three attempts, in total, a binding acknowledgement was
not received, the mobile node SHOULD send a new binding update
using the IPv4 care-of address. The exponential backoff algorithm
described in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] should be used for re-transmission of the
binding update if needed.
This procedure should be used to avoid scenarios where IPv6
connectivity may not be as reliable as IPv4. This unreliability may
take place during early deployments of IPv6 or may simply be due to
temporary outages affecting IPv6 routing.
It is RECOMMENDED that upon movement, the mobile node not change the
IP address family chosen for the previous binding update unless the
mobile node is aware that it has moved to a different administrative
domain where previous problems with IPv6 routing may not be present.
Repeating the above procedure upon every movement can cause
significant degradation of the mobile node's applications'
performance due to extended periods of packet losses after handover,
if the routing outage is still in effect.
When using an IPv4 care-of address and IP-in-IP encapsulation, if the
mobile node implementation is made aware by upper layers of
persistent packet losses, it may attempt to resend the binding update
<span class="grey">Soliman Standards Track [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
with the F flag set, requesting UDP encapsulation for all packets.
This may avoid packet losses due to situations where local
firewalling policies prevent the use of IP-in-IP encapsulation.
The effect of this address selection mechanism is to allow the
following preferences in the absence of NAT:
1. IPv6
2. IPv4 (using IP-in-IP or UDP encapsulation if a NAT is detected)
3. UDP encapsulation when IP-in-IP is not allowed by the local
domain.
<span class="h4"><a class="selflink" id="section-4.4.2" href="#section-4.4.2">4.4.2</a>. Sending Binding Updates</span>
When sending an IPv6 packet containing a binding update while
connected to an IPv4-only access network, mobile nodes MUST ensure
the following:
o The IPv6 packet is encapsulated in UDP.
o The source address in the IPv4 header is the mobile node's IPv4
care-of address.
o The destination address in the IPv4 header is the home agent's
IPv4 address.
o The source address in the IPv6 header is the mobile node's IPv6
home address.
o The IPv4 home address option MAY be included in the mobility
header. This option contains the IPv4 home address. If the
mobile node did not have a static home address, it MAY include the
unspecified IPv4 address, which acts as a request for a dynamic
IPv4 home address. Alternatively, one or more IPv4 home address
options may be included with requests for IPv4 prefixes (i.e.,
with the P flag set).
o If the mobile node wishes to use UDP encapsulation only, it must
set the F flag in the binding update message.
o The IPv6 packet MUST be authenticated as per [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>], based on
the mobile node's IPv6 home address.
When sending a binding update from a visited network that supports
IPv6, the mobile node MUST follow the rules specified in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>].
In addition, if the mobile node has an IPv4 home address or needs
<span class="grey">Soliman Standards Track [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
one, it MUST include the IPv4 home address option in the mobility
header. If the mobile node already has a static IPv4 home address,
this address MUST be included in the IPv4 home address option.
Otherwise, if the mobile node needs a dynamic IPv4 address, it MUST
include the IPv4 0.0.0.0 address in the IPv4 home address option.
In addition to the rules in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>], the mobile node should follow
the care-of address selection guidelines in <a href="#section-4.4.1">Section 4.4.1</a>.
When the mobile node receives a binding acknowledgement from the home
agent, it follows the rules in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] and [<a href="./rfc3963" title=""Network Mobility (NEMO) Basic Support Protocol"">RFC3963</a>]. In addition,
the following actions MUST be made:
o If the status field indicated failure with error code 144, the
mobile node MAY resend the binding update without setting the F
flag.
o If the mobility header includes an IPv4 address acknowledgement
option indicating success, the mobile node should create two
entries in its binding update list: one for the IPv6 home address
and another for the IPv4 home address.
o If the NAT detection option is present, the mobile node MUST
tunnel future packets in UDP and IPv4. This MUST be indicated in
the binding update list.
o If no IPv4 address acknowledgement option is present, and an IPv4
home address option was present in the binding update, the mobile
node MUST only create one binding update list entry for its IPv6
home address. The mobile node MAY include the IPv4 home address
option in future binding updates.
o If an IPv4 address acknowledgement option is present and it
indicates failure for the IPv4 home address binding, the mobile
node MUST NOT create an entry for that address in its binding
update list. The mobile node MAY include the IPv4 home address
option in future binding updates.
<span class="h5"><a class="selflink" id="section-4.4.2.1" href="#section-4.4.2.1">4.4.2.1</a>. Removing Bindings</span>
Mobile nodes will remove bindings from the home agent's binding cache
whenever they move to the home link, or simply when mobility support
is not needed.
Deregistering the IPv6 home address is described in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>]. The
same mechanism applies in this specification. Mobile nodes may
remove the binding for only the IPv4 home address by sending a
binding update that does not include the IPv4 home address option.
<span class="grey">Soliman Standards Track [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
Upon receiving this binding update, the home agent will replace the
existing cache entries with the content of the new message. This
ensures that the IPv4 home address binding is removed while
maintaining an IPv6 binding.
Note that the mobile node cannot remove the IPv6 home address binding
while maintaining an IPv4 home address binding.
A binding update message with a lifetime of zero will remove all
bindings for the mobile node.
<span class="h4"><a class="selflink" id="section-4.4.3" href="#section-4.4.3">4.4.3</a>. Sending Packets from a Visited Network</span>
When the mobile node is located in an IPv6-enabled network, it sends
and receives IPv6 packets as described in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>]. In cases where
IP-in-IP encapsulation is not providing connectivity to the home
agent, the mobile node may choose to encapsulate in UDP as suggested
in <a href="#section-4.4.1">Section 4.4.1</a>. However, this encapsulation of IPv6 traffic should
be used as a last resort, as described. IPv4 traffic is encapsulated
in IPv6 packets to the home agent.
When the mobile node is located in an IPv4-only network, it will send
IPv6 packets to its home agent according to the following format:
IPv4 header (src=V4CoA, dst=HA_V4ADDR)
[UDP header]
IPv6 header (src=V6HoA, dst=CN)
Upper layer protocols
Here, the UDP header is only used if a NAT has been detected between
the mobile node and the home agent, or if the home agent forced UDP
encapsulation. V4CoA is the IPv4 care-of address configured by the
mobile node in the visited network.
Similarly, IPv4 packets are sent according to the following format:
IPv4 header (src=V4CoA, dst=HA_V4ADDR)
[UDP header]
IPv4 header (src=V4HoA, dst=V4CN)
Upper Layer protocols
<span class="grey">Soliman Standards Track [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
Here, the UDP header is only used if a NAT has been detected between
the mobile node and the home agent, or if the home agent forced UDP
encapsulation.
<span class="h4"><a class="selflink" id="section-4.4.4" href="#section-4.4.4">4.4.4</a>. Movement Detection in IPv4-Only Networks</span>
[<a id="ref-RFC3775">RFC3775</a>] describes movement detection mostly based on IPv6-specific
triggers and Neighbor Discovery [<a href="./rfc4861" title=""Neighbor Discovery for IP version 6 (IPv6)"">RFC4861</a>] information. These
triggers are not available in an IPv4-only network. Hence, a mobile
node located in an IPv4-only network SHOULD use [<a href="./rfc4436" title=""Detecting Network Attachment in IPv4 (DNAv4)"">RFC4436</a>] for
guidance on movement-detection mechanisms in IPv4-only networks.
The mobile node detects that it's in an IPv4-only network when the
IPv6 movement-detection algorithm fails to configure an IPv6 address.
This specification does not support mobile nodes returning home while
using IPv4. That is, the IPv4 support is only defined for mobile
nodes that are in a visited network.
<span class="h3"><a class="selflink" id="section-4.5" href="#section-4.5">4.5</a>. Home Agent Operation</span>
In addition to the home agent specification in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] and
[<a href="./rfc3963" title=""Network Mobility (NEMO) Basic Support Protocol"">RFC3963</a>], the home agent needs to be able to process the IPv4 home
address option and generate the IPv4 address acknowledgement option.
Both options are included in the mobility header. Furthermore, the
home agent MUST be able to detect the presence of a NAT device and
indicate that presence in the NAT detection option included in the
binding acknowledgement.
A home agent must also act as a proxy for address resolution in IPv4
for the registered IPv4 home addresses of mobile nodes it is serving.
Moreover, the administrative domain of the home agent is responsible
for advertising the routing information of registered IPv4 mobile-
network prefixes of the mobile nodes.
In order to comply with this specification, the home agent MUST be
able to find the IPv4 home address of a mobile node when given the
IPv6 home address. That is, given an IPv6 home address, the home
agent MUST store the corresponding IPv4 home address if a static one
is present. If a dynamic address is requested by the mobile node,
the home agent MUST store that address (associated with the IPv6 home
address) after it's allocated to the mobile node.
When the home agent receives a binding update encapsulated in UDP and
containing the IPv4 home address option, it needs to follow all the
steps in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] and [<a href="./rfc3963" title=""Network Mobility (NEMO) Basic Support Protocol"">RFC3963</a>]. In addition, the following checks
MUST be done:
<span class="grey">Soliman Standards Track [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
o If the IPv4 care-of address in the IPv4 CoA option is not the same
as the IPv4 address in the source address in the IPv4 header, then
a NAT was in the path. This information should be flagged for the
binding acknowledgement.
o If the F flag in the binding update is set, the home agent needs
to determine whether it accepts forcing UDP encapsulation. If it
does not, the binding acknowledgement is sent with error code 144.
UDP encapsulation SHOULD NOT be used when the mobile node is
located in an IPv6-enabled link, with the exception of the
scenarios outlined in <a href="#section-4.4.1">Section 4.4.1</a>.
o If the IPv4 home address option contains a valid unicast IPv4
address, the home agent MUST check that this address is allocated
to the mobile node that has the IPv6 home address included in the
home address option. The same MUST be done for an IPv4 prefix.
o If the IPv4 home address option contained the unspecified IPv4
address, the home agent SHOULD dynamically allocate an IPv4 home
address to the mobile node. If none is available, the home agent
MUST return error code 132 in the status field of the IPv4 address
acknowledgement option. If a prefix is requested, the home agent
SHOULD allocate a prefix with the requested length; if prefix
allocation (of any length) is not possible, the home agent MUST
indicate failure of the operation with the appropriate error code.
o If the binding update is accepted for the IPv4 home address, the
home agent creates a binding cache entry for the IPv4 home
address/prefix. The home agent MUST include an IPv4
acknowledgement option in the mobility header containing the
binding acknowledgement.
o If the binding update is accepted for both IPv4 and IPv6 home
addresses, the home agent creates separate binding cache entries,
one for each home address. The care-of address is the one
included in the binding update. If the care-of address is an IPv4
address, the home agent MUST set up a tunnel to the IPv4 care-of
address of the mobile node.
When sending a binding acknowledgement to the mobile node, the home
agent constructs the message according to [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] and [<a href="./rfc3963" title=""Network Mobility (NEMO) Basic Support Protocol"">RFC3963</a>].
Note that the routing header MUST always contain the IPv6 home
address as specified in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>].
If the care-of address of the mobile node is an IPv4 address, the
home agent includes the mobile node's IPv6 home address in the
destination address field in the IPv6 header. If a NAT is detected,
the home agent MUST then encapsulate the packet in UDP and in an IPv4
<span class="grey">Soliman Standards Track [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
header. The source address is set to the home agent's IPv4 address
and the destination address is set to the address received in the
source address of the IPv4 header encapsulating the binding update.
After creating a binding cache entry for the mobile node's home
addresses, all packets sent to the mobile node's home addresses are
tunneled by the home agent to the mobile node's care-of address. If
a NAT is detected, packets are encapsulated in UDP and IPv4.
Otherwise, if the care-of address is an IPv4 address and no NAT is
detected, packets are encapsulated in an IPv4 header unless UDP
encapsulation is forced by the home agent.
<span class="h4"><a class="selflink" id="section-4.5.1" href="#section-4.5.1">4.5.1</a>. Sending Packets to the Mobile Node</span>
The home agent follows the rules specified in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] for sending
IPv6 packets to mobile nodes located in IPv6 networks. When sending
IPv4 packets to mobile nodes in an IPv6 network, the home agent must
encapsulate the IPv4 packets in IPv6.
When sending IPv6 packets to a mobile node located in an IPv4
network, the home agent uses the following format:
IPv4 header (src= HA_V4ADDR, dst= V4ADDR)
[UDP header]
IPv6 header (src=CN, dst= V6HoA)
Upper layer protocols
Where the UDP header is only included if a NAT is detected between
the mobile node and the home agent or if the home agent forced UDP
encapsulation. V4ADDR is the IPv4 address received in the source
address field of the IPv4 packet containing the binding update.
When sending IPv4 packets to a mobile node located in an IPv4
network, the home agent must follow the format negotiated in the
binding update/acknowledgement exchange. In the absence of a
negotiated format, the default format that MUST be supported by all
implementations is:
IPv4 header (src= HA_V4ADDR, dst= V4ADDR)
[UDP header]
IPv4 header (src=V4CN, dst= V4HoA)
Upper layer protocols
<span class="grey">Soliman Standards Track [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
Where the UDP header is only included if a NAT is detected between
the mobile node and home agent or if the home agent forced UDP
encapsulation.
<span class="h3"><a class="selflink" id="section-4.6" href="#section-4.6">4.6</a>. Correspondent Node Operation</span>
This specification has no impact on IPv4 or IPv6 correspondent nodes.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Security Considerations</span>
This specification allows a mobile node to send one binding update
for its IPv6 and IPv4 home addresses. This is a slight deviation
from [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>], which requires one binding update per home address.
However, like [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>], the IPsec security association needed to
authenticate the binding update is still based on the mobile node's
IPv6 home address. Therefore, in order to authorize the mobile
node's IPv4 home address binding, the home agent MUST store the IPv4
address corresponding to the IPv6 address that is allocated to a
mobile node. Therefore, it is sufficient for the home agent to know
that the IPsec verification for the packet containing the binding
update was valid, provided that it knows which IPv4 home address is
associated with which IPv6 home address. Hence, the security of the
IPv4 home address binding is the same as the IPv6 binding.
In effect, associating the mobile node's IPv4 home address with its
IPv6 home address moves the authorization of the binding update for
the IPv4 address to the Mobile IPv6 implementation, which infers it
from the fact that the mobile node has an IPv6 home address and the
right credentials for sending an authentic binding update for the
IPv6 address.
This specification requires the use of IKEv2 as the default mechanism
for dynamic keying.
In cases where this specification is used for NAT traversal, it is
important to note that it has the same vulnerabilities associated
with [<a href="./rfc3519" title=""Mobile IP Traversal of Network Address Translation (NAT) Devices"">RFC3519</a>]. An attacker is able to hijack the mobile node's
session with the home agent if it can modify the contents of the
outer IPv4 header. The contents of the header are not authenticated
and there is no way for the home agent to verify their validity.
Hence, a man in the middle attack, where a change in the contents of
the IPv4 header can cause a legitimate mobile node's traffic to be
diverted to an illegitimate receiver independently of the
authenticity of the binding update message, is possible.
In this specification, the binding update message MUST be protected
using ESP transport mode. When the mobile node is located in an
IPv4-only network, the binding update message is encapsulated in UDP
<span class="grey">Soliman Standards Track [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
as described earlier in <a href="#section-4.2">Section 4.2</a>. However, UDP SHOULD NOT be used
to encapsulate the binding update message when the mobile node is
located in an IPv6-enabled network. If protection of payload traffic
is needed when the mobile node is located in an IPv4-only network,
encapsulation is done using tunnel mode ESP over port 4500 as
described in [<a href="./rfc3948" title=""UDP Encapsulation of IPsec ESP Packets"">RFC3948</a>]. During the IKE negotiation with the home
agent, if the mobile node and home agent support the use of port
4500, the mobile node MUST establish the security association over
port 4500, regardless of the presence of a NAT. This is done to
avoid switching between ports 500 and 4500 and the potential traffic
disruption resulting from this switch.
Handovers within private IPv4 networks or from IPv6 to IPv4 networks
will impact the security association between the mobile node and the
home agent. The following section presents the expected behaviour of
the mobile node and home agent in those situations. The details of
the IKE negotiations and messages are illustrated in <a href="#section-5.2">Section 5.2</a>.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Handover Interactions for IPsec and IKE</span>
After the mobile node detects movement, it configures a new care-of
address. If the mobile node is in an IPv4-only network, it removes
binding update list entries for correspondent nodes, since route
optimisation cannot be supported. This may cause inbound packet
losses, as remote correspondent nodes are unaware of such movement.
To avoid confusion in the correspondent node, the mobile node SHOULD
deregister its binding with each correspondent node by sending a
deregistration binding update. The deregistration binding update
message is tunnelled to the home agent and onto the correspondent
node. This is done after the mobile node updates the home agent with
its new location as discussed below.
The mobile node sends the binding update message to the home agent.
If the mobile node is in an IPv6-enabled network, the binding update
SHOULD be sent without IPv4/UDP encapsulation, unless UDP
encapsulation is needed as described in <a href="#section-4.4.1">Section 4.4.1</a>. If the mobile
node is in an IPv4-only network, then -- after IPsec processing of
the binding update (BU) message -- it encapsulates the BU in UDP/IPv4
as discussed in Sections <a href="#section-4.2">4.2</a> and <a href="#section-4.4">4.4</a>. In order to be able to send
the binding update while in an IPv4-only network, the mobile node
needs to use the new IPv4 care-of address in the outer header, which
is different from the care-of address used in the existing tunnel.
This should be done without permanently updating the tunnel within
the mobile node's implementation in order to allow the mobile node to
receive packets on the old care-of address until the binding
acknowledgement is received. The method used to achieve this effect
is implementation dependent and is outside the scope of this
specification. This implies that the IP forwarding function (which
<span class="grey">Soliman Standards Track [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
selects the interface or tunnel through which a packet is sent) is
not based solely on the destination address: some IPv6 packets
destined to the home agent are sent via the existing tunnel, while
BUs are sent using the new care-of address. Since BUs are protected
by IPsec, the forwarding function cannot necessarily determine the
correct treatment from the packet headers. Thus, the DSMIPv6
implementation has to attach additional information to BUs, and this
information has to be preserved after IPsec processing and made
available to the forwarding function or to DSMIP extensions included
in the forwarding function. Depending on the mobile node's
implementation, meeting this requirement may require changes to the
IPsec implementation.
Upon receiving the binding update message encapsulated in UDP/IPv4,
the home agent processes it as follows. In order to allow the
DSMIPv6 implementation in the home agent to detect the presence of a
NAT on the path to the mobile node, it needs to compare the outer
IPv4 source address with the IPv4 address in the IPv4 care-of address
option. This implies that the information in the outer header will
be preserved after IPsec processing and made available to the DSMIPv6
implementation in the home agent. Depending on the home agent's
implementation, meeting this requirement may require changes to the
IPsec implementation.
The home agent updates its tunnel mode security association to
include the mobile node's care-of address as the remote-tunnel header
address and 4500 as the port number. The IPv4 address and port
number are likely to be wrong; the mobile node provides the correct
information in a separate exchange as described below. When the
mobile node is located in a private IPv4 network (which is detected
as described above), the new address and port number are allocated by
the NAT. The home agent will also enable or disable UDP
encapsulation for outgoing ESP packets for the purpose of NAT
traversal.
If the Key Management Mobility Capability (K) bit was set in the
binding update, and the home agent supports this feature, the home
agent updates its IKE security associations to include the mobile
node's care-of address as the peer address and 4500 as the port
number. The home agent may also need to change NAT traversal fields
in the IKE_SA to enable the dynamic update of the IP address and port
number, based on the reception of authenticated IKE messages or
authenticated packets using tunnel mode ESP. The dynamic updates are
described in <a href="./rfc4306#section-2.23">Section 2.23 of [RFC4306]</a>. As described above, when the
mobile node is located in a private IPv4 network, the address and
port number used for IPsec and IKE traffic is not yet known by the
home agent at this point.
<span class="grey">Soliman Standards Track [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
The mobile node updates the IKE SA in one of two ways. If the K flag
was set in the binding acknowledgement message, the mobile node
SHOULD send an empty informational message, which results in the IKE
module in the home agent dynamically updating the SA information.
The IKE implementation in the home agent is REQUIRED to support this
feature. Alternatively, the IKE SA should be re-negotiated. Note
that updating the IKE SA MUST take place after the mobile node has
sent the binding update and received the acknowledgement from the
home agent.
It is important to note that the mobile node's IPv4 care-of address
seen by the DSMIPv6 module in the home agent upon receiving the
binding update may differ from the IPv4 care-of address seen by the
IKE module and the care-of address used for forwarding IPsec tunnel
mode traffic. Hence, it is probable that different modules in the
home agent will have a different care-of address that should be used
for encapsulating traffic to the mobile node.
After successfully processing the binding update, the home agent
sends the binding acknowledgement to the mobile node's care-of
address as received in the outer header of the packet containing the
binding update. Note that if the BU was rejected, the binding
acknowledgement (BAck) is sent to the same address from which the BU
was received. This may require special treatment in IP forwarding
and/or IPsec processing that resembles the sending of BUs in the
mobile node (described above).
Upon receiving the binding acknowledgement, the mobile node updates
its local tunnel mode security association information to include the
tunnel header IP source address, which is the mobile node's address,
and the tunnel header IP destination, which is the home agent's
address. The mobile node may also need to enable or disable UDP
encapsulation for outgoing ESP packets for the purpose of NAT
traversal and the sending of keepalives.
The mobile node MAY use MOBIKE [<a href="./rfc4555" title=""IKEv2 Mobility and Multihoming Protocol (MOBIKE)"">RFC4555</a>] to update its IKE SA with
the home agent. Using MOBIKE requires negotiating this capability
with the home agent when establishing the SA. In this case, the
mobile node and the home agent MUST NOT update their IPsec SAs
locally, as this step is performed by MOBIKE. Furthermore, the use
of MOBIKE allows the mobile node to update the SA independently of
the binding update exchange. Hence, there is no need for the mobile
node to wait for a binding acknowledgement before performing MOBIKE.
The use of MOBIKE is OPTIONAL in this specification.
<span class="grey">Soliman Standards Track [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. IKE Negotiation Messages between the Mobile Node and Home Agent</span>
This specification defines a number of possible data encapsulation
formats, depending on the mobile node's connectivity to the visited
network. When connected to an IPv6-enabled network, the tunnelling
formats are clear. However, when connected to an IPv4-only network,
care should be taken when negotiating the IKE association and the
consequential tunnelling formats used for secure and insecure
traffic. This section illustrates the IKE message exchange between
the mobile node and home agent when the mobile node is located in an
IPv4-only network. Two different IKE negotiations are considered:
o IKEv2 operation for securing DSMIPv6 signaling.
o IKEv2 operation for securing data over IPv4
<span class="h4"><a class="selflink" id="section-5.2.1" href="#section-5.2.1">5.2.1</a>. IKEv2 Operation for Securing DSMIPv6 Signaling</span>
A mobile node connected to an IPv4-only network SHOULD follow the
procedures described below in order to establish an SA for the
protection of binding update and binding acknowledgement messages.
Note that V4ADDR refers to either the mobile node's care-of address
in the visited link or the public address allocated to the mobile
node by the NAT.
Mobile Node Home Agent
----------- ----------
IPv4(source_addr=V4ADDR, dest_addr=HAADDR)
UDP (500, 500) HDR, SAi1, KEi, Ni
NAT-D, NAT-D -->
<- IPv4(source_addr=HAADDR, dest_addr=V4ADDR)
UDP(500,X) HDR, SAr1, KEr, Nr, [CERTREQ]
NAT-D, NAT-D
IPv4(source_addr=V4ADDR, dest_addr=HAADDR)
UDP (4500,4500) <non-ESP Marker > HDR, SK
{IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, N(USE_TRANSPORT_MODE),
SAi2, TSi, TSr}
-->
<-- IPv4(source_addr=HAADDR, dest_addr=V4ADDR)
UDP (4500,Y) <non-ESP Marker > HDR, SK
{IDr, [CERT,] AUTH, N(USE_TRANSPORT_MODE),
SAr2, TSi, TSr}
<span class="grey">Soliman Standards Track [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
The corresponding Security Policy Database (SPD) entries are shown
below.
Mobile node SPD-S:
IF local_address = home_address_1 &
remote_address = home_agent_1 &
proto = MH & local_mh_type = BU &
remote_mh_type = BAck
Then use SA ESP transport mode
Initiate using IDi = user_1 to address home_agent_1
Home Agent SPD-S:
IF local_address = home_agent_1 &
remote_address = home_address_1 &
proto = MH &
local_mh_type = BAck &
remote_mh_type = BU
Then use SA ESP transport mode
Where home_address_1 is the mobile node's registered IPv6 home
address and home_agent_1 is the IP address of the home agent.
The above should result in BU/BA messages with the following BU
received by the home agent:
IPv4 header (src=V4ADDR, dst=HA_V4ADDR)
UDP header (sport=Z, dport=DSMIPv6)
IPv6 header (src=V6HOA, dst=HAADDR)
ESP header in transport mode
Mobility header
BU [IPv4 HAO]
<span class="grey">Soliman Standards Track [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
IPv4 CoA option
(and others as needed)
At the home agent, following UDP de-capsulation, the binding update
is delivered to the IPsec module as shown below:
IPv6 header (src=V6HOA, dst=HAADDR)
ESP header in transport mode
Mobility header
BU [IPv4 HAO]
IPv4 CoA option
(and others as needed)
In addition, V4ADDR and the sport (Z) need to be passed with the
packet to ensure correct processing.
Following IPsec processing, the binding update is delivered to the
DSMIPv6 home agent module as follows:
IPv6 header (src=V6HOA, dst=HAADDR)
Mobility header
BU [IPv4 HAO]
IPv4 CoA option
(and others as needed)
In addition, V4ADDR and the sport (Z) need to be passed with the
packet to ensure correct processing.
The binding acknowledgement sent by the home agent module to the
IPsec module is as follows:
IPv6 header (src=HAADDR, dst=V6HOA)
Mobility header
BA ([IPv4 ACK], NAT DET)
(and others as needed)
<span class="grey">Soliman Standards Track [Page 35]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-36" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
In addition, V4ADDR, the sport from the BU (Z), and an indication
that UDP encapsulation must be used need to be passed with the packet
to ensure correct processing.
The binding acknowledgement sent by the home agent to the mobile node
is as follows:
IPv4 header (src= HA_V4ADDR, dst=V4ADDR)
UDP header (sport=DSMIPv6, dport=Z)
IPv6 header (src=HAADDR, dst=V6HOA)
ESP header in transport mode
Mobility header
BA ([IPv4 ACK], NAT DET)
<span class="h4"><a class="selflink" id="section-5.2.2" href="#section-5.2.2">5.2.2</a>. IKEv2 Operation for Securing Data over IPv4</span>
To secure data traffic when the mobile node is located in an IPv4-
only network, the mobile node MUST establish a child_SA for that
purpose. Note that V4ADDR refers to either the mobile node's care-of
address in the visited link or the public address allocated to the
mobile node by the NAT. The procedure is as follows:
Mobile Node Home Agent
----------- ----------
IPv4(source_addr=V4ADDR, dest_addr=HAADDR)
UDP (4500,4500) < non-ESP Marker > HDR, SK
{[N], SA, Ni, [KEi], TSi, TSr} -->
<--IPv4(source_addr=HAADDR, dest_addr=V4ADDR)
UDP (4500,Y) < non-ESP Marker > HDR, SK
SA, Nr, [KEr], TSi, TSr}
If no NAT is detected, the encapsulation used will be:
IPv4 (source_addr=v4CoA, dest_addr=HAAddr)
ESP
IP (source_addr=HoA, set_addr=CNAddr)
Upper_layer_HDR
<span class="grey">Soliman Standards Track [Page 36]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-37" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
Where IP is either IPv4 or IPv6 and HoA is either the IPv4 HoA or the
IPv6 HoA.
If a NAT is detected, the encapsulation used will be:
IPv4 (source_addr=v4Addr, dest_addr=HAAddr)
UDP (sport=Y, dport=4500)
ESP
IP (source_addr=HoA, set_addr=CNAddr)
Upper_layer_HDR
Where v4CoA may be the external IPv4 address of the NAT, IP is either
an IPv4 or IPv6 header, and HoA is either the IPv4 or the IPv6 HoA.
The above format shows the packet as seen by the home agent.
The SPD, whether a NAT is detected or not, is set as follows. Note
that this rule is designed to match all data from the MN to nodes
other than the home agent. This is done so that this rule does not
overlap with the earlier rule securing BU/BA signaling between the MN
and the HA.
Mobile Node SPD-S:
IF local_address = home_address &
remote_address != home_agent &
proto=any
Then use SA ESP tunnel mode
Initiate using IDi = user_1 to address home_agent_1
home agent SPD-S:
IF local_address != home_agent &
remote_address = home_address &
proto=any
Then use SA ESP tunnel mode
<span class="grey">Soliman Standards Track [Page 37]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-38" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
Where home_address is the MN's registered IPv6 or IPv4 home address
and home_agent is the IPv6 or the IPv4 address of the home agent.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Protocol Constants</span>
NATKATIMEOUT = 110 seconds.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Acknowledgements</span>
Thanks to the following members (in alphabetical order) of the MIP6
and NEMO Working Groups for their contributions, discussions, and
reviews: Jari Arkko, Sri Gundavelli, Wassim Haddad, Alfred Hoenes,
Conny Larsson, Acee Lindem, Ahmad Muhanna, Vidya Narayanan, Karen
Nielsen, and Keiichi Shima. Thanks to Karen Nielsen, Pasi Eronen,
and Christian Kaas-Petersen for raising the issue of IKEv2
interactions and proposing the solution included in this document.
Thanks to Pasi Eronen for many thorough reviews of this document.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. IANA Considerations</span>
IANA has made the following allocations according to this
specification:
A UDP port (4191) has been assigned for the NAT traversal
mechanism described in <a href="#section-4.2">Section 4.2</a>.
The IPv4 home address option described in <a href="#section-3.1.1">Section 3.1.1</a> has been
assigned value 29. This option is included in the mobility header
described in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>].
The IPv4 address acknowledgement option described in <a href="#section-3.2.1">Section 3.2.1</a>
has been assigned value 29. This option is included in the
mobility header described in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>].
The NAT detection option described in <a href="#section-3.2.2">Section 3.2.2</a> has been
assigned a value 31. This option is included in the mobility
header described in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>].
The IPv4 care-of address option described in <a href="#section-3.1.2">Section 3.1.2</a> has
been assigned value 32. This option is included in the mobility
header described in [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>].
The status field in the IPv4 home address option has been allocated
by IANA under the new registry: "DSMIPv6 IPv4 Home Address Option
Status Codes".
<span class="grey">Soliman Standards Track [Page 38]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-39" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
The status field values are allocated using the following procedure:
1. New status field values are allocated through IETF review. This
is for all RFC types including standards track, informational, and
experimental status that originate from the IETF and have been
approved by the IESG for publication.
2. Requests for new option type value assignments from outside the
IETF are only made through the publication of an IETF document,
per 1 above. Note also that documents published as Independent
"RFC Editor contributions" [<a href="./rfc4844" title=""The RFC Series and RFC Editor"">RFC4844</a>] are not considered to be IETF
documents.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. References</span>
<span class="h3"><a class="selflink" id="section-9.1" href="#section-9.1">9.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC2473">RFC2473</a>] Conta, A. and S. Deering, "Generic Packet Tunneling in
IPv6 Specification", <a href="./rfc2473">RFC 2473</a>, December 1998.
[<a id="ref-RFC3168">RFC3168</a>] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition
of Explicit Congestion Notification (ECN) to IP", <a href="./rfc3168">RFC</a>
<a href="./rfc3168">3168</a>, September 2001.
[<a id="ref-RFC3775">RFC3775</a>] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support
in IPv6", <a href="./rfc3775">RFC 3775</a>, June 2004.
[<a id="ref-RFC3948">RFC3948</a>] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
Stenberg, "UDP Encapsulation of IPsec ESP Packets", <a href="./rfc3948">RFC</a>
<a href="./rfc3948">3948</a>, January 2005.
[<a id="ref-RFC3963">RFC3963</a>] Devarapalli, V., Wakikawa, R., Petrescu, A., and P.
Thubert, "Network Mobility (NEMO) Basic Support
Protocol", <a href="./rfc3963">RFC 3963</a>, January 2005.
[<a id="ref-RFC4306">RFC4306</a>] Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
Protocol", <a href="./rfc4306">RFC 4306</a>, December 2005.
[<a id="ref-RFC4436">RFC4436</a>] Aboba, B., Carlson, J., and S. Cheshire, "Detecting
Network Attachment in IPv4 (DNAv4)", <a href="./rfc4436">RFC 4436</a>, March
2006.
[<a id="ref-RFC4555">RFC4555</a>] Eronen, P., "IKEv2 Mobility and Multihoming Protocol
(MOBIKE)", <a href="./rfc4555">RFC 4555</a>, June 2006.
<span class="grey">Soliman Standards Track [Page 39]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-40" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
[<a id="ref-RFC4861">RFC4861</a>] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", <a href="./rfc4861">RFC 4861</a>,
September 2007.
[<a id="ref-RFC4877">RFC4877</a>] Devarapalli, V. and F. Dupont, "Mobile IPv6 Operation
with IKEv2 and the Revised IPsec Architecture", <a href="./rfc4877">RFC 4877</a>,
April 2007.
[<a id="ref-RFC5026">RFC5026</a>] Giaretta, G., Ed., Kempf, J., and V. Devarapalli, Ed.,
"Mobile IPv6 Bootstrapping in Split Scenario", <a href="./rfc5026">RFC 5026</a>,
October 2007.
<span class="h3"><a class="selflink" id="section-9.2" href="#section-9.2">9.2</a>. Informative References</span>
[<a id="ref-CHOWDHURY">CHOWDHURY</a>] Chowdhury, K. and A. Yegin, "MIP6-bootstrapping for the
Integrated Scenario", Work in Progress, April 2008.
[<a id="ref-RFC2983">RFC2983</a>] Black, D., "Differentiated Services and Tunnels", <a href="./rfc2983">RFC</a>
<a href="./rfc2983">2983</a>, October 2000.
[<a id="ref-RFC3344">RFC3344</a>] Perkins, C., Ed., "IP Mobility Support for IPv4", <a href="./rfc3344">RFC</a>
<a href="./rfc3344">3344</a>, August 2002.
[<a id="ref-RFC3519">RFC3519</a>] Levkowetz, H. and S. Vaarala, "Mobile IP Traversal of
Network Address Translation (NAT) Devices", <a href="./rfc3519">RFC 3519</a>,
April 2003.
[<a id="ref-RFC4459">RFC4459</a>] Savola, P., "MTU and Fragmentation Issues with In-the-
Network Tunneling", <a href="./rfc4459">RFC 4459</a>, April 2006.
[<a id="ref-RFC4844">RFC4844</a>] Daigle, L., Ed., and Internet Architecture Board, "The
RFC Series and RFC Editor", <a href="./rfc4844">RFC 4844</a>, July 2007.
[<a id="ref-RFC4977">RFC4977</a>] Tsirtsis, G. and H. Soliman, "Problem Statement: Dual
Stack Mobility", <a href="./rfc4977">RFC 4977</a>, August 2007.
[<a id="ref-RFC5380">RFC5380</a>] Soliman, H., Castelluccia, C., ElMalki, K., and L.
Bellier, "Hierarchical Mobile IPv6 (HMIPv6) Mobility
Management", <a href="./rfc5380">RFC 5380</a>, October 2008.
[<a id="ref-RFC5389">RFC5389</a>] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
"Session Traversal Utilities for NAT (STUN)", <a href="./rfc5389">RFC 5389</a>,
October 2008.
[<a id="ref-RFC5405">RFC5405</a>] Eggert, L. and G. Fairhurst, "Unicast UDP Usage
Guidelines for Application Designers", <a href="https://www.rfc-editor.org/bcp/bcp145">BCP 145</a>, <a href="./rfc5405">RFC 5405</a>,
November 2008.
<span class="grey">Soliman Standards Track [Page 40]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-41" ></span>
<span class="grey"><a href="./rfc5555">RFC 5555</a> DSMIPv6 June 2009</span>
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Contributors</span>
This document reflects discussions and contributions from several
people including (in alphabetical order):
Vijay Devarapalli: vijay.devarapalli@azairenet.com
James Kempf: kempf@docomolabs-usa.com
Henrik Levkowetz: henrik@levkowetz.com
Pascal Thubert: pthubert@cisco.com
George Tsirtsis: G.Tsirtsis@Qualcomm.com
Ryuji Wakikawa: ryuji@sfc.wide.ad.jp
Author's Address
Hesham Soliman (editor)
Elevate Technologies
EMail: hesham@elevatemobile.com
Soliman Standards Track [Page 41]
</pre>
|
