[MEXT] Review of draft-ietf-mip6-hareliability-06
arno@natisbad.org (Arnaud Ebalard) Sun, 25 July 2010 18:44 UTC
Return-Path: <arno@natisbad.org>
X-Original-To: mext@core3.amsl.com
Delivered-To: mext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 15D353A693B for <mext@core3.amsl.com>; Sun, 25 Jul 2010 11:44:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.827
X-Spam-Level:
X-Spam-Status: No, score=-1.827 tagged_above=-999 required=5 tests=[AWL=-1.428, BAYES_50=0.001, J_CHICKENPOX_23=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmXuOwB9hzDd for <mext@core3.amsl.com>; Sun, 25 Jul 2010 11:44:51 -0700 (PDT)
Received: from copper.chdir.org (copper.chdir.org [88.191.97.87]) by core3.amsl.com (Postfix) with ESMTP id 25BD53A68B8 for <mext@ietf.org>; Sun, 25 Jul 2010 11:44:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=natisbad.org; s=mail; h=From:To:Cc:Subject:Date:Message-ID: MIME-Version:Content-Type; bh=HbkCETWW7CNgfYnW3igHmMjqRD8VB84j4e PRIUMDKus=; b=sCpIV+jnGKxBH+qaexyDyXIg+uaqiPvD7kYeP1q8dH82qeUoty D22RrUIFGNlkamWjlIb5qWP07XQGgn3SbcSavwdnFJKIFZoEsYeNJ+HEIMp/LjWm UD2XQTvi/y+h9W5qb0Bwgr97HJc6iFtr0MosXo2wMzWndvi3+XtzGJm6w=
Received: from [2001:7a8:78df:2:20d:93ff:fe55:8f79] (helo=small.ssi.corp) by copper.chdir.org with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <arno@natisbad.org>) id 1Od6CC-0008ID-FC; Sun, 25 Jul 2010 20:45:09 +0200
X-Hashcash: 1:20:100725:ryuji.wakikawa@gmail.com::ITy+P15IV24OCiwq:000000000000000000000000000000000000001B3
X-Hashcash: 1:20:100725:mext@ietf.org::fxTiAkO9PYwxGvN6:00000wox
From: arno@natisbad.org
To: Ryuji Wakikawa <ryuji.wakikawa@gmail.com>
X-PGP-Key-URL: http://natisbad.org/arno@natisbad.org.asc
X-Fingerprint: D3A5 B68A 839B 38A5 815A 781B B77C 0748 A7AE 341B
Date: Sun, 25 Jul 2010 20:45:05 +0200
Message-ID: <87iq43flji.fsf@small.ssi.corp>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/23.1.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: IETF MEXT WG ML <mext@ietf.org>
Subject: [MEXT] Review of draft-ietf-mip6-hareliability-06
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jul 2010 18:44:56 -0000
Hi,
I reread the document and find it in good shape already. I will try and
invest more time on the next version if I find the time. Some
comments/typos inline.
> 1.2. Problem Statement and Requirements
>
> In Mobile IPv6 [RFC-3775, RFC-4877], a mobile node registers and
> establishes a binding with only one home agent. The home agent
> represents the possibility of a single point of failure for Mobile
> IPv6. A home agent is responsible for multiple mobile nodes on its
> home link. The failure of the home agent may then result in the loss
> of connectivity for numerous mobile nodes located throughout the
> Internet. To overcome this problem, Mobile IPv6 allows deployment of
> multiple home agents on the home link so that upon the failure of a
> home agent, a mobile node can re-establish its connection through a
> new home agent. However, the base Mobile IPv6 specification does not
> address home agent fail-over and dynamic transfer of service from one
> home agent to another. This transfer of service from the failed home
> agent to a new active home agent requires coordination or pre-
> configuration among the home agents regarding security associations,
> transfer of mobile node bindings, and other service information for
> reliable Mobile IPv6 service in a deployment scenario.
>
> For the home agent reliability solution, we define the following
> requirements:
>
> Reliable Home agent service
>
> Multiple home agents are available for a home prefix and one of
> them actively serves the mobile nodes. A standby home agent takes
> over when the active home agent becomes unavailable. The transfer
> of the MN-HA association should be transparent to applications and
> should not take longer than the care-of-addresses update procedure
> described in Mobile IPv6 [RFC-3775].
>
> Availability of a redundant home agent set
>
> Availability of an active home agent address and a standby home
> agent address at the bootstrapping period for the mobile node is
> assumed.
Entries for "Active home agent address" and "standby home agent address"
may be added to the Terminology section.
> State Synchronization
>
> The information for mobile nodes must be able to be synchronized
> between an active home agent and standby home agents. This
> includes the Binding Cache, AAA information, other Mobile IPv6 and
> NEMO related information. Note that the Home Agent Reliability
> protocol exchanges only running states of mobile nodes.
> Therefore, we do not have any specific operation for synchronizing
> the configuration information. For instance, when Mobile IPv6 is
> operated with Authentication protocol, synchronizing the
Add a reference to RFC 4285.
> 2. Protocol Overview
>
> HARP assumes multiple home agents placement on a same home link or
> different links and groups them into a redundant home agent set. One
> of home agents is selected as an active home agent and receives a
> binding update from mobile nodes. According to [RFC-3775, RFC-4877],
> an active home agent maintains not only binding cache but also IPsec/
> IKEv2 states per mobile node, because Mobile IP adapts IPsec as its
^^^^^^
s/addapt/uses/ ?
> security mechanism for signaling.
>
> If the active home agent fails, all these information per mobile node
> is vanished. As a result, all mobile nodes served by the failed home
> agent will be disconnected. In HARP, other home agents , named
> standby home agent, exchange the required information with the active
> home agent in case of failure of the active home agent. HARP can let
> standby home agent take over the failed home agent with such
> information of the serving mobile nodes.
>
>
> MN HA1 HA2
> | |<-HA1-addr |<-HA2-addr
> | | |
> | (active) (standby)
> | | |
> | |<--------->| 1. Hello exchanges
> |<--------->| | 2. Binding Registration to HA1
> | |<--------->| 3. State exchanges
> | | |
> | X | HA1 FAILURE
> | X |
> | X | 4. Failure Detection
> |<----------------------| 5. Sending Home Agent Switch message
> |<--------------------->| 6. Binding Registration to HA2
> | X (active) RECOVERY COMPLETE
> | X |
>
>
> Figure 1: Overview of Home Agent Reliability Protocol (HARP)
>
> Figure 1 shows an example of the HARP operations. HA1 and HA2 belong
> to the same redundant home agent set and are assigned with an
> individual IP address (HA1 and HA2-addr) at the home link. Each home
> agent can be seen as an individual home agent by mobile nodes. All
> the home agents periodically send a hello message (named HA-HELLO) to
> exchange the home agent information and also monitor the active home
> agent's status (1). The mobile node registers its binding only with
> the active home agent (2). The active home agent synchronizes the
> serving mobile node information (i.e. home address) with the other
> standby home agents periodically (3).
>
> HARP introduces the new HA-HELLO message for failure detection, but
> it should use any types of information to detect that failure. After
may ?
> detecting failure of the active home agent (4), a standby home agent
> whose preference value is the highest takes over the failed home
> agent. For doing so, the standby home agent sends a Home Agent
> Switch message to all the mobile nodes that were registered at the
> failed home agent (5). The standby Home Agent set its own address in
s/set/sets/
> the Home Agent Address field in the Home Agent Switch message so that
> it will receive the binding update from the mobile node as an
> acknowledgment of the sent Home Agent Switch message. The home agent
> switch-over is complete when it receives binding updates from all the
> mobile nodes (6). For protecting the Home Agent Switch, the mobile
> node should have IPsec Security Associations (SA) with the standby
> home agent before any failover. The mobile node may pre-establish
> multiple IPsec SAs with all the home agents.
>
> Although the active home agent manages IPsec/IKEv2 states per mobile
> node, HARP does not offer any recovery mechanism of these states by
> itself. IPsec/IKE states synchronization is out of scope in this
> document. However, some Virtual Private Network (VPN) products have
> proprietary IPsec/IKEv2 state synchronization among multiple boxes.
> If IPsec/IKEv2 states can be recovered from the active home agent to
> standby one, HARP can be operated slightly in different manner named
> Virtual-HARP (VHARP). Unlike HARP, the standby home agents are an
> exact copy of the active home agent. It is similar to the virtual
> router concept of VRRP[RFC-3768, RFC-5798] and HSRP [RFC-2281]. Note
> that HARP is mandatory and VHARP is optional in this document. VHARP
> is shown in Figure 2.
>
>
> MN HA1 HA2
> | |<-HA-addr :<-HA-addr'
> | | :
> | (active) (standby)
> |<--------->| : 1. Binding Registration to HA1
> | |<--------->: 2. State exchanges
> | | :
> | X : HA1 FAILURE
> | X :
> | X : 3. Failure Detection
> | X | 4. HA2 takes over the HA1
> | X (active) RECOVERY COMPLETE
> | X |
>
>
> Figure 2: Overview of Virtual Home Agent Reliability Protocol (VHARP)
>
> All the home agents (HA1 and HA2) in the redundant home agent set
> share a virtual home agent address (HA-addr) and the routing will
> ensure only the active home agent will be reachable using that
> virtual home agent address. After a mobile node's binding
> registration (1), the active home agent pushes all the states of its
> mobile nodes to the other standby home agents (2). In VHARP, all the
> states of a mobile node need to be synchronized. The example
> information such as Binding Cache and Authentication, Authorization,
> and Accounting (AAA) information, etc.
>
> After detecting the active home agent has failed (3), the standby
> home agent whose preference value is the highest takes over the
> failed home agent. The standby home agent activates the virtual home
> agent address on its interface attached to the home link. The
> virtual home agent address's activation can be operated by VRRP.
> Since all the necessary states of mobile nodes have already been
> transferred to this standby home agent, the standby home agent can
> immediately start acting as the active home agent (4). Unlike HARP,
> the mobile node is not required to re-register its binding to a new
> active home agent. The mobile node may use the IKEv2 resumption
> mechanism [RFC-5723] to resume IPsec SA with the new active home
> agent.
>
> This document offers a new management mechanism of an active and
s/an active/active/
> standby home agents by using a new Mobility Header (MH) message named
> a HARP message as shown in Figure 3. This mechanism can be used in
> both HARP and VHARP. Each home agent exchanges own home agent
> information with the other home agents in its redundancy home agent
> set by a Home Agent HELLO message (HA-HELLO) (1). The HA-HELLO
> message can also be used to monitor the availability of the active
> home agent.
>
>
> HA1(active) HA2 HA3 .. HAn
> | | | |
> |<------>|<---->|<---->| 1. HELLO exchange
> |------->| | | 2. HA1 sends SWB-REQ
> |<-------| | | 3. HA2 sends SWB-REP
> |------->| | | 4. HA2 sends SW-COMP
> (standby) (active) | | HA2 BECOMES ACTIVE HA
> | | | |
> SYSTEM MAINTENANCE, ETC.
> | | | |
> |------->| | | 5. HA1 sends SWO-REQ
> |<-------| | | 6. HA2 sends SWO-REP
> |------->| | | 7. HA1 sends SW-COMP (optional)
> (active) (standby) | | 8. HA1 returns to active HA
> | | | | HA1 BECOMES ACTIVE AGAIN
>
>
> Figure 3: Home Agent Management
>
> In some scenarios the active home agent may need to stop serving
> mobile nodes for system maintenance. This specification provides for
> a manual home agent management. As shown in Figure 3, the active
> home agent (HA1) sends a SwitchBack Request message (SWB-REQ) to a
> standby home agent (HA2) (2). HA2 will acknowledge the message by
> sending a SwitchBack Reply message (SWB-REP) to HA1 (3). In the HARP
> operation, it takes certain time to complete home agent fail-over by
> mobile nodes' re-registration to the new home agent. During this
> fail-over operations, HA1 may continue serving the mobile nodes until
> the switch over is completed. When HA2 completes the switch-over, it
> SHOULD send a SW-COMP to HA1 (4). As soon as HA2 sends the SW-COMP,
Completion of the switch-over depends on the MNs, so it may never end or
take very long.
> it becomes the active home agent. HA1 becomes standby when it
> receives SW-COMP.
>
> After the down time, HA1 sends a SwitchOver Request (SWO-REQ) to HA2
> in order to become the active home agent again (5). HA2
> acknowledge
s/acknwoledge/acknowledges/
> it by sending a SwitchOver Reply (SWO-REP) to HA1 (6). HA1 now
> starts home agent fail-over operation. After the completion of fail-
> over, HA1 sends a SW-COMP to HA2 (7). Then, HA1 returns to the
> active home agent and HA2 fall back to a standby home agent (8).
>
>
> 3. Home Agent Configuration
>
> 3.1. Network Configuration
>
> HARP supports two different configurations for standby home agents.
> Standby home agents can be placed on the same home link or on a
> different link. Figure 4 depicts the configuration where home agents
> serving the same home network are located on the same link as defined
> in [RFC-3775].
>
>
> HA1 HA2 HA3 HA4 .... HAn
> | | | | |
> --------+------+------+------+--------+---------
> Home Link
>
>
> Figure 4: Local Recovery Configuration
>
> Figure 5 illustrates when standby home agents are located on a
> different link (illustrated as Recovery Link in Figure 5). Most
> large operators have a very stringent requirement on network
> availability even in the worst type of disaster or outage. This
> configuration can achieve home agent recovery even if the entire home
> link fails. This is called geographic redundancy and a well-known
> configuration for Telecommunications operators. In Figure 5, home
> agents (HA1-HA4) are placed in geographically separated regions
> (region-1 and -2). If region-1 suffers a down time due to any
> reason, all the sessions will be seamlessly taken over by the nodes
> in region-2. Note that HA3 and HA4 cannot receive packets meant for
> the home network until the route on the Routers is changed. The
> routing must be also updated to direct the packets meant for the home
> link to the recovery link.
>
>
> ---------IGP------>|<---BGP--->|<-----IGP---------
>
> HA1 HA2 HA3 HA4
> | | | |
> --------+------+-----+ R---R---R +-----+------+-------
> Home Link Routers Recovery Link
> (region-1) (region-2)
>
>
> Figure 5: Global Recovery Configuration
>
> 3.2. Home Agent Address Configuration
>
> In HARP, each home agent obtains its individual IPv6 address from its
> serving home prefix. In VHARP, all the home agents use a virtual
> home agent address generated from the home prefix.
>
> In addition, each home agent running VHARP need to obtain its
s/need/needs/
> individual IPv6 address from its attached link. This IPv6 address is
> used only for the VHARP operations between home agents and is not
> revealed to mobile nodes for binding registration.
>
> All the home agents MUST join the ALL_HA_MULTICAST_ADDR. In VHARP,
> each home agent join the multicast group with its individual IPv6
> address, but not with virtual home agent address. This multicast
> address can be used to exchange the HA-HELLO message among the home
> agents. On the other hand, if a home recovery link is separately
> defined, each home agent always unicasts the HARP messages to home
> agents configured at a geographically separated link.
>
>
> 4. Home Agent Operations
>
> 4.1. Home Agent List Management
>
> In Mobile IPv6, each home agent periodically sends router
> advertisements with the Home Address Information option [RFC-3775].
> HARP introduces a HARP HA-HELLO message to replace the router
> advertisement. There are several reasons to use HA-HELLO message
> instead of the Router Advertisement such as:
>
> o A HA-HELLO message can be sent beyond the link, while a router
> advertisement cannot be sent beyond the link. In case of
> geographic redundancy, router advertisements cannot be sent to the
> recovery link unless the home link and the recovery link are
> virtually connected by L2TP, etc.
>
> o A HA-HELLO message is defined to manage additional information
> such as Group ID and Active/Standby Status of the home agents in
> the home agent list.
>
> o A HA-HELLO message is exchange only between home agents, while a
> router advertisement is also processed by mobile nodes attached to
> a home link. A HA-HELLO does not introduce any burden to the
> mobile nodes even if it is frequently sent on the home link.
>
> When a HA-HELLO is used to exchange the home agent information, each
> home agent SHOULD NOT process the Home Agent Information option
> carried by a Router Advertisement. A router advertisement is only
> processed by mobile nodes. Operators may define different
> configuration values to the parameters of the home agent information
> for a HA-HELLO and a Router Advertisement.
>
> This document requires additional information to the home agent list
> defined in [RFC-3775]. The additional information is learned through
> HA-HELLO message exchange.
>
> o Group ID of a redundant home agent set. It is learned through the
> Group ID field of the HA-HELLO.
>
> o HA-HELLO Interval. This value is locally configured at every home
> agent by operators and is learned through the Hello Interval field
> of the HA-HELLO.
>
> o An individual home agent address used in the VHARP operation.
> This information is only required when VHARP is used in addition
> to the virtual home agent address. It is learned through the
> Source Address of the HA-HELLO message.
>
> o VHARP capability. This information is learned through the V flag
> of the HA-HELLO message.
>
> o Current mode (HARP or VHARP). This information is learned through
> the M flag of the HA-HELLO message.
>
> o Active status. This information is learned through the A flag of
> the HA-HELLO message.
>
> 4.2. Detecting Home Agent Failure
>
> An active and standby home agents can monitor each other in several
> ways. One method is to reuse other failure detection mechanisms
> defined in VRRP[RFC-3768, RFC-5798] and HSRP [RFC-2281]. However,
> VRRP and HSRP are not sufficient since they cannot detect the case
> where the system is running but the Mobile IPv6 stack is not
> operational. Failure events used in HARP/VHARP are listed below.
>
> Loss of HA-HELLO
>
> HARP/VHARP is an extension to Mobile IPv6 and can monitor
> availability of Mobile IPv6 stack on each home agent by
> periodically sending a HA-HELLO as a heart-beat. This HA-HELLO
> can also be exchanged frequently enough to detect the failure
> promptly without any additional overhead to mobile nodes attached
> to the home link. In the event that a standby home agent does not
> receive any HA-HELLOs from its peer for a configurable duration,
> the standby home agent assumes that home agent's failure. The
> detail of the Hello message is described in Section 4.3.2.
>
> Monitored Server Failure by the Active Home Agent
>
> There may be number of critical servers such as an AAA server in
> the network that are essential for the ongoing Mobile IPv6
> sessions at the home agent. Operators can have a policy in place
> that the active home agent is treated as a failed home agent upon
> detecting that the link to such servers has failed.
>
> Routing Peer/Link Failure
>
> Operators may require the home agent to detect its next-hop
> routing peer failure. If the next-hop routing failure is fatal in
> nature, or due to some other routing policies, the active home
> agent is treated as a failed home gent and the recovering
> operation should be started.
>
> 4.3. Processing the HARP Messages
>
> 4.3.1. IP field and Security Descriptions of HARP message
>
> The HARP message format is defined in Section 6.1.1. If a HARP
> message is unicasted, the destination address is one of Home Agent in
> the same Redundant Home Agent set. If it is HA-HELLO message (by
> setting the type field to 4), it can be multicasted. The destination
> address MUST be set to ALL_HA_MULTICAST_ADDR. The source address
> MUST be set to the sender's home agent address. Note that, in VHARP,
> the virtual home agent address SHOULD NOT be set to source and
s/and/or/ ?
>
> destination address. The IP address of the interface the packet is
> being sent from SHOULD be used.
>
> If a HARP message is unicasted, it SHOULD be authenticated by IPsec
> AH and MAY be encrypted by IPsec ESP.
Does this mean AH alone as a SHOULD and AH+ESP as a MAY? It's not
clear.
> If a HA-HELLO message is
> multicasted, multicast extensions to IPsec [RFC-5374] SHOULD be
> applied. If all the home agents are placed in a secure transport
> network to exchange a HARP message, authentication and encryption MAY
> be omitted. Which security verification is used depends on
> operational policy. If security verification is failed for a
> receiving HA-HELLO, the HA-HELLO MUST be discarded.
>
> The following operations MUST be performed when transmitting a HARP
> message.
>
> o The incremented latest Sequence Number MUST be set to the Sequence
> Number field. The Sequence Number SHOULD be initialized to zero
> for the first Hello message. To accomplish sequence number
> rollover, if the sequence number has already been assigned to be
> the largest possible number representable as a 16-bit unsigned
> integer, then when it is incremented it will then have a value of
> zero (0).
>
> o The sender's Group ID MUST be set to the Group ID field.
>
> o The V-flag MUST be set if the sender is capable of VHARP.
>
> o The M-flag MUST be unset if the sender is operated with HARP.
>
> o The M-flag MUST be set if the sender is operated with VHARP.
>
> o The A-flag MUST be set if the sender is the active home agent.
>
> Performed the following functions when a HARP message is received.
Weird sentence.
>
> o MUST verify the Group ID of the HARP message is equal to the
> receiver's Group ID.
>
> o MUST verify the sender of the HARP message belongs to the
> receiver's same redundant home agent set
>
> o MUST verify that the M flag is equal to the receiver's operating
> mode.
>
> o MUST verify the Sequence Number value in the HARP is larger than
> the last received Sequence Number value. When the sequence number
> rollover is occurred, the sequence number value in the HA-HELLO is
> zero.
>
> If any one of the above checks fails, the receiver SHOULD discard the
> HARP message.
>
> 4.3.2. Processing Home Agent Hello (HA-HELLO)
>
> 4.3.2.1. Sending HA-Hello Message
>
> Each home agent MUST send a HA-HELLO in following case:
>
> o UNSOLICITED: Each home agent SHOULD periodically send a HA-HELLO.
> The interval time is configured locally at each home agent.
>
> o UNSOLICITED: When a home agent detects its local information
> change, it should immediately send a HA-HELLO.
>
> o SOLICITED: when a home agent receives a HA-HELLO with the R-flag
> set. When the R-flag is set, the HA-HELLO can be requested to the
> destination home agent.
weird sentence.
>
> A home agent can solicit a HA-HELLO to a particular home agent(s) in
> the same redundant home agent set by unicasting or multicasting a HA-
> HELLO with the R-flag set. Soliciting HA-HELLO is operated when:
>
> o A new home agent boots up. The new home agent SHOULD solicit HA-
> Hello messages by multicasting a HA-Hello message with the R-flag
> set.
>
> o A HA-HELLO has not been received after the specified hello
> interval. The HA-HELLO MAY be solicited to the home agent.
>
> o A home agent entry in the redundant home agent set is about to be
> removed due to home agent lifetime expiration. The HA-HELLO
> SHOULD be solicited to the home agent whose lifetime is soon
> expired.
>
> In addition to Section 4.3.1, the following operations MUST be
> performed when transmitting a HA-HELLO.
>
> o The Type field MUST be set to 4.
>
> o The R-flag MUST be set if the sender solicits a HA-HELLO to the
> other home agent(s).
>
> o The appropriate home agent configuration values MUST be copied to
> the Home Agent Preference, the Home Agent Lifetime, and Hello
> Interval fields.
>
> 4.3.2.2. Receiving Hello Message
>
> The receiver MUST perform the verification to the HA-HELLO described
> in Section 4.3.1. After the verification, the receiver copies the
> value stored in the HA-HELLO message to the corresponding home agent
> list entry according to Section 4.1.
>
> If the home agent lifetime field in the HA-HELLO is set to 0, the
> receiver MUST remove the sender home agent from the home agents list.
>
> If the R-flag is set in the received HA-HELLO, the receiver MUST send
> a new HA-HELLO to the originator as described in Section 4.3.2.1.
>
> 4.3.3. Processing Home Agent Switch Over (SWO-REQ/REP)
>
> When a standby home agent decides to become an active home agent, the
> standby home agent sends a SwitchOver Request (SWO-REQ) to the
> current active home agent with the following operations.
>
> o MUST be unicasted only to the current active home agent
>
> o MUST be sent from a standby home agent. The active home Agent
> MUST NOT generate this message.
>
> When an active home agent receives a SWO-REQ, it MUST operate the
> following verification and operations in addition to Section 4.3.1:
>
> o If the receiver of the SWO-REQ is not an active home agent, it
> MUST send a SWO-REP with the Status field set to 130 (Not active
> home agent).
>
> o If the sender home agent does not belong to the same redundant
> home agent set, a SWO-REP message MUST be sent to the sender with
> the Status field set to 132 (Not in same redundant home agent
> set).
>
> o There is a case where the active home agent cannot be standby home
> agent. The active home agent MUST reply a SWO-REP with the Status
> field set to 129 (Administratively prohibited).
Which case?
>
> o Otherwise, the active home agent MUST become a standby home agent
> and reply with a SWO-REP message with the Status field set to 0
> (Success).
>
> When a standby home agent receives a SWO-REP, it MUST operate the
> following verification and operations in addition to Section 4.3.1:
>
> o If the receiver is an active home agent, the SWO-REP MUST be
> discarded.
>
> o If the standby home agent receives an unexpected SWO-REP which is
> not in reply to its SWO-REQ, it MUST ignore the SWO-REP.
>
> o Otherwise, if the Status field of the SWO-REP is 0 (Success), the
> standby home agent (the receiver of SWO-REP) immediately becomes
> an active home agent.
>
> o If the value in the Status field is greater than 128 an error has
> occurred. In this case, the receiver MUST NOT attempt to be an
> active home agent.
>
> 4.3.4. Processing Home Agent Switch Back (SWB-REQ/REP)
>
> When an active home agent decides to become a standby home agent, it
> sends a SWB-REQ to one of standby home agents. The reason for the
> active home agent to send this message can be administrative
> intervention, and events like Monitored Server Failure by the active
> home agent or Routing Peer/Link Failure. The following operations
> MUST be performed when SWB-REQ is sent.
>
> o MUST be unicasted only to one of standby home agents in the same
> redundant home agent set
>
> o MUST be sent from an active home agent. The standby home Agent
> MUST NOT generate this message.
>
> When a home agent receives a SWB-REQ message, it verifies the message
> as follows.
>
> o If the sender home agent of the SWB-REQ is not an active home
> agent, the receiver MUST reply a SWB-REP with the Status field is
> set to 130 (Not active home agent).
What's the purpose of replying?
>
> o If the sending home agent does not belong to the same redundant
> home agent set, a SWB-REP MUST be sent in which the Status field
> set to 132 (Not in same redundant home agent set).
>
> o Otherwise, the receiving home agent MUST send a SWB-REP with the
> Status field is set to 0 (Success).
s/is set/set/
>
> o After sending the SWB-REP, the standby home agent MUST NOT become
> an active home agent immediately. This is because the active home
> agent is still active until it receives the SWB-REP which is
> acknowledging the SWB-REQ. The standby home agent SHOULD change
> to active at least after LINK_TRAVERSAL_TIME.
Where does the constant (LINK_TRAVERSAL_TIME) comes from? Should be
possible to change it.
> When a home agent receives a SWB-REP message, it verifies the message
> as follows.
>
> o If the standby home agent receives an unexpected SWB-REP which is
> not in reply to own SWB-REQ, it SHOULD ignore the SWO-REP.
>
> o If the Status field of the SWB-REP is 0 (Success), the active home
> agent immediately becomes a standby home agent. The sender home
> agent of SWB-REP becomes an active home agent after certain time,
> LINK_TRAVERSAL_TIME.
>
> o If the value in the Status field is greater than 128, the receiver
> of SWB-REP (active home agent) cannot become a standby home agent
> and MUST continue to be an active home agent.
>
> 4.4. State Synchronization
>
> A State Synchronization (SS) message format is defined in
> Section 6.1.2. It can carry several state information about a mobile
> node by setting mobility options in the Mobility Options field. The
> following list shows examples of the mobility options which can be
> specified in the state synchronization message.
>
> o IPv6 Home Address (Binding Cache Option)
>
> o Binding Cache Information (Binding Cache Option)
>
> o NEMO Mobile Network Prefix (Mobile Network Prefix Option [RFC-
> 3963])
>
> o IPv4 Care-of Address (IPv4 Care-of Address Option [RFC-5555])
>
> o IPv4 Home Address (IPv4 Home Address Option [RFC-5555])
>
> o Binding Identifier (Binding Identifier Option [RFC-5648]
>
> o AAA states (AAA Information Option)
>
> o Miscellaneous states (Vendor Specific Mobility Option [RFC-5094])
>
> When a home agent need to send the state of multiple mobile nodes in
s/need/needs/
> a single state synchronization message (SS-REQ or SS-REP), a Binding
> Cache Information option is used as a separator. For each mobile
> node, a Binding Cache Information option is placed first, followed by
> any other options related to the mobile node if necessary.
>
> In HARP, since a mobile node will re-register to the new active home
> agent after home agent fail-over, it is not necessary for the standby
> home agents to synchronize all the mobile nodes' state information.
> The standby home agent only need to collect the home address
> information of all the mobile nodes served by the active home agent.
> The information is used to send the Home Agent Switch messages to all
> the mobile node when the home agent failure is occurred.
>
> In VHARP, home agent fail-over is completed without mobile nodes'
> binding re-registration. Therefore, standby home agents need to copy
> the complete state information of each mobile node registered with
> the active home agent.
>
> 4.4.1. Binding Cache Information Management
>
> In HARP, each standby home agent learns the partial binding cache
> information such as a pair of a home address and a mobile node's
> registering home agent address. This information is stored somewhere
> in a standby home agent.
>
> In VHARP, a standby home agent ideally copies the received binding
> cache information and other mobile node's information into the
> appropriate database so that it can act as an active home agent as
> soon as it takes over the failed home agent.
>
> 4.4.2. IP field and Security Descriptions of SS message
>
> A state synchronization message is only unicasted. The destination
> address MUST be one of home agents in the same Redundant Home Agent
> set. The source address MUST be set to the sender's home agent
> address. Note that, in VHARP, the virtual home agent address MUST
> NOT be set to the source address. IP address of the interface the
> packet is being sent from SHOULD be used.
>
> If a state synchronization message is unicasted, it SHOULD be
> authenticated by IPsec AH and MAY be encrypted by IPsec ESP. If all
Same questions as above. Does this mean AH as a SHOULD and AH+ESP as a
MAY?
> the home agents are placed in a secure transport network to exchange
> the state synchronization message, authentication and encryption MAY
> be omitted. If security verification is failed for a receiving state
> synchronization message, the message MUST be discarded. Which
> security mechanism is used depend on the operational policy.
>
> 4.4.3. Requesting State of Mobile Nodes (SS-REQ)
>
> When a home agent needs the state information for a particular mobile
> node or a subset of mobile nodes, it sends a SS-REQ message
> constructed as follows:
>
> o MUST set the Type field to 0 (Request).
>
> o MUST set a random value in the Identifier field that does not
> coincide with any other currently pending Requests.
>
> o MUST include a Binding Cache Information option(s) which Home
> Address field is set to the target home address. Other fields of
> the Binding Cache Information option can be omitted.
>
> o MUST set the unspecified address (::) in the Home Address field of
> the Binding Cache Information option, if it solicits the state of
> all the mobile nodes registering at the destination home agent of
> the SS-REQ message.
>
> o MUST include multiple binding cache information options in a SS-
> REQ, if the sender requests multiple mobile nodes' information.
> The sender SHOULD NOT send multiple SS-REQs per mobile node.
>
> o MUST send a SS-REQ to the active home agent of the target mobile
> node(s).
>
> When a home agent receives a SS-REQ, it MUST perform the verification
> described in Section 4.4.2 and following:
>
> o If the receiver does not know the binding cache for the target
> mobile node(s) specified in the received Binding Cache Information
> option(s), it MUST ignore the SS-REQ and MUST NOT reply a SS-REQ.
>
> o Otherwise, the receiver MUST reply a SS-REP including all the
> state information of the target mobile node(s).
>
> 4.4.4. Sending State Information (SS-REP)
>
> A SS-REP message(s) SHOULD be sent when:
>
> 1. The active home agent receives a SS-REQ.
>
> 2. The active home agent creates or deletes a binding cache entry
> for a particular mobile node.
>
> The active home agent MAY additionally send a SS-REP message in
> following cases:
>
> 1. The active home agent updates the state information for all
> sessions that changed since the last update in a periodic
> interval
>
> 2. Often in VHARP, the active home agent MAY update a binding cache
> entry for a particular mobile node whenever the binding cache
> entry is updated. If an active home agent sends a SS-REP message
> whenever the local state information changes, such as a binding
> cache change, the number of the SS-REP messages can be quite
> large.
>
> Following rules must be applied when the active home agent constructs
> a SS-REP.
>
> o MUST copy the Identifier field of the SS-REQ to the same field of
> the SS-REP, if the SS-REP is sent in response to the SS-REQ.
>
> o MUST set zero to the Identifier field if the SS-REP is sent
> without solicitation (no SS-REQ).
>
> o MUST include required mobility options in the SS-REP.
>
> * In HARP, a partial Binding Cache Information Option (the Home
> Address Field only) MUST be included in the SS-REP.
>
> * In VHARP, a full Binding Cache Information Option and other
> required options shown in Section 6.1.2 MUST be included in the
> SS-REP.
>
> o MUST include the state of all the active mobile nodes registering
> in the active home agent by the SS-REP when the unspecified
> address is found in the Home Address mobility option carried with
> the SS-REQ. The message may be fragmented depending on the total
> size needed to carry all states.
>
> 4.4.5. Synchronizing State (SS-REP and SS-ACK)
>
> When a home agent receives a SS-REP, it MUST take the following
> operations.
>
> o If no options are carried in the SS-REP, the home agent MUST
> ignore the SS-REP and MUST send SS-ACK with the Status
> Synchronization Status option which status value is set to [131:
> No Mobility Option]
What is the point in responding to that?
>
> o If the sender of SS-REP is not in the same global home agent set,
> the home agent MUST reject the SS-REP and MUST send SS-ACK with
> the Status Synchronization Status option which status value is set
> to [130: Not in same global home agent set]
>
> o The receiver home agent MUST record the IPv6 address of the sender
> as the active home agent of the mobile node in its local binding
> cache.
>
> o The receiver home agent MUST update its binding cache and all
> other necessary information in a particular database(s).
>
> o The receiver home agent MUST send a SS-ACK with state
> synchronization status mobility options if A flag is set.
>
> If an active home agent requires an acknowledgment of a SS-REP, it
> MUST set the Ack flag in the SS-REP. The receiver of such SS-REP
> will send back a SS-ACK. The receiver MUST copy the Identifier value
> received in the SS-REP into SS-ACK in order to match the SS-REP and
> SS-ACK.
>
> 4.5. Switching the Active Home Agent
>
> In HARP, the standby home agent which is going to be active MUST send
> a Home Agent Switch message [RFC-5142] to all the mobile nodes that
> were being served by the failed home agent. The following rules MUST
> be applied when transmitting a Home Agent Switch message.
>
> o MUST use IPsec ESP to the Home Agent Switch message.
s/to/to protect/
>
> o MUST set only that standby home agent address in the Home Agent
> Switch message
>
> If there are a large number of mobile nodes served by the failed home
> agent, the overhead sending Home Agent Switch messages is high. This
> overhead cannot be avoided if the active home agent suddenly stop
> serving mobile node because of unexpected reasons (crash, network
> trouble, etc). However, if this switch over is operated under the
> administrative operation (maintenance, etc), the previous active home
> agent may continue serving the mobile nodes until the switch over is
> completed. Until the mobile node sends a binding update to the new
> active home agent, it still sends the packet to the previous home
> agent.
>
> Therefore, the new active home agent can notify the completion of
> switch-over to the previous active home agent by using a SW-COMP
> message. When the new active home agent completes the switch-over,
> it SHOULD send a SW-COMP to the previous active home agent. Until
> the previous home agent receives this message, it SHOULD continue
> serving any mobile nodes that are registered with it. Once the
> previous home agent receives the SW-COMP message, it can be shutdown
> or detached from the network safely.
>
> In VHARP, after detecting the active home agent has failed, the
> standby home agent whose preference value is the highest MUST take
> over the failed home agent. The standby home agent MUST activate the
> virtual home agent address. If a virtual MAC address as introduced
> in [RFC-3768, RFC-5798] is used, the standby home agent MUST start
> using that virtual MAC address as well. If VHARP run with VRRP and
> HSRP as described in Section 4.7, the virtual home agent address can
> be treated as a virtual router address in VRRP and HSRP. Therefore,
> VRRP and HSRP can automatically activate the virtual home agent
> address on the standby home agent after their election mechanism.
> Since all the necessary state has already been transferred to this
> standby home agent before the active home agent failed, it can
> immediately start acting as the active home agent.
>
> When the failed home agent recovers from failure and would return to
> the active home agent, it MUST re-establish IPsec SA with all the
> mobile nodes. All the mobile nodes lost IPsec SA with the home agent
> when the failure is occurred. Otherwise, it cannot be either a
s/is/has/
> standby or active home agent for the mobile nodes. Therefore, as
> soon as the active home agent detects the recovery of the failed home
> agent, it sends a Home Agent Rekey message to all the mobile nodes
> served by other home agents in the same redundant home agent set, and
> includes the recovered home agent address in the Home Agent Addresses
> field. The detail of the Home Agent Rekey message is described in
> Section 6.1.3. The mobile node will re-key the SA by using The IKEv2
> resumption mechanism [RFC-5723]. Alternatively, the mobile node MAY
> start a new IKE session with the recovered home agent.
>
> 4.6. Consideration of Routing and Neighbor Discovery Protocol (VHARP)
>
> This section gives a brief explanation of how a home agent interacts
> with routing and Neighbor Discovery Protocol (NDP) when is VHARP
> used.
>
> When a standby home agent becomes active in VHARP, it MUST start to
> advertise the home agent address and the home prefix of the home
> addresses serviced by the redundant home agent set into the routing
> infrastructure. This operation is normally done using a route
> selector such as BGP or an OSPF modifier. For example, we can use
> the AS_Path prepend operation for BGP, and the Metric field in OSPF
> for the route selection. When each home agent participates in OSPF
> routing, each home agent should be configured with the appropriate
> metric matched to the home agent preference value. When the active
> home agent fails, OSPF detects the failure and can dynamically switch
> the route to the standby home Agent based on the OSPF cost value. If
> this creates conflicts with the home agent preference value due to
> configuration errors, the routers on the home link may not route
> packets to the desired standby home agent. In order to change the
> OSPF cost correctly and dynamically, The operator takes other
> existing approaches. For example, most of router vendors have a
> private MIB to set the cost via SNMP, though this is a vendor-
> specific function.
>
> When an active home agent activates a home agent address, it SHOULD
> use a virtual MAC address as introduced in [RFC-3768, RFC-5798].
> When the active home agent is changed, the neighbor cache of the
> active home agent is not necessarily updated on mobile nodes located
> on the home link. Otherwise, the new home agent MUST update the
> neighbor cache entry for the home agent address on all the mobile
> nodes located on the home link. In addition, Mobile IPv6 uses proxy
> NDP to intercept packets meant for mobile nodes which are away from
> the home link. However, it is unnecessary for the new active home
> agent to overwrite the existing proxy neighbor entries of the mobile
> nodes.
>
> 4.7. Interworking with VRRP
>
> VRRP and HSRP specify an election protocol that dynamically assigns
> responsibility for a virtual router to one of the VRRP routers on a
> LAN. This operation is similar to the VHARP. For example, the VRRP
> router controlling the IP address(es) associated with a virtual
> router is called the Master, and forwards packets sent to these IP
> addresses. The election process provides dynamic fail over in the
> forwarding responsibility should the Master become unavailable.
> Although VRRP is used to guarantee home agent address reachability,
> it cannot be used for state synchronization and explicit switching of
> Master and Backup. Thus, the Home Agent Reliability protocol cannot
> be replaced by VRRP. This section explains how VRRP can interwork
> with HARP/VHARP.
>
> When VRRP is available, VRRP can replace the Hello message described
> in Section 6.1.1. However, some of information is missed by using
> VRRP. After receiving a VRRP message, each home agent SHOULD process
> the message and store the information as if it receives Home Agent
> Hello messages Section 4.3.2.2. The message format of VRRP can be
> found in Section 5.1 of [RFC-5798]. Each field is mapped as follows:
>
> o Virtual Rtr ID: Group ID is stored in the Virtual Rtr ID field.
>
> o Priority: Home Agent Preference is stored in the Priority field.
> Note that VRRP only has 8 bits for the Priority field. Therefore,
> values larger than 255 MUST NOT be assigned to the preference
> value.
>
> o Count IPv6 IPv6 Addr: This field MUST be always be 1.
>
> o Max Advert Int: This field MUST be mapped to the Hello Interval
> field of the Home Agent Hello message, though it only has 12
> bytes.
>
> o IPv6 address: A home agent address is stored in this field.
>
> Home Agent Lifetime, Sequence Number and Flags field are missed in
> the VRRP packet format. Therefore, operators SHOULD use the same
> statically configured value for Home Agent Lifetime. Each home agent
> does not check freshness of received VRRP message because of no
> sequence number.
>
> 4.8. Retransmissions and Rate Limiting
>
> Home agents are responsible for retransmissions and rate limiting of
> SS-REQ, SWO-REQ, SWB-REQ messages for which they expect a response.
> The home agent MUST determine a value for the initial transmission
> timer:
>
> o If the home agent sends a SS-REQ message, it SHOULD use an initial
> retransmission interval of INITIAL_STATE_SYNC_REQ_TIMER.
>
> o If a home agent sends a SWO-REQ or SWB-REQ message, it SHOULD use
> an initial retransmission interval of INITIAL_SWITCH_REQ_TIMER.
>
> If the sending home agent fails to receive a valid matching response
> within the selected initial retransmission interval, it SHOULD
> retransmit the message until a response is received. All of the
> above constants are specified in Section 8.
>
> The retransmission MUST use an exponential backoff process as
> described in [RFC-3775] until either the home agent receives a
> response, or the timeout period reaches the value
> MAC_HARELIABILITY_TIMEOUT. The home agent SHOULD use a separate
> back-off process for different message types and different
> destinations. The rate limiting of Mobility Header messages is the
> same as one in [RFC-3775]. A home agent MUST NOT send Mobility
> Header Messages to a particular home agent more than MAX_UPDATE_RATE
> (3) times a second, which is specified in [RFC-3775].
>
>
> 5. Mobile Node Operation
>
> This section describes the operations of a mobile node only when HARP
> is used. Non of operations in this section is required in VHARP.
s/Non of operations/None of the operations/
> 6.1.3. Home Agent Rekey Message
>
> This message is used to indicate that the mobile node SHOULD start an
> IPsec re-key with the home agent specified in the Home Agent
> Addresses field. This message is used when a failed home agent
> recovers and needs to re-establish IPsec SA/IKE state with a mobile
> node. This message MUST be unicasted to a mobile node by the active
> home agent and MUST be authenticated and encrypted by IPsec ESP. The
> Home Agent Rekey message has the MH Type value TBD. If no options
> are present in this message, no padding is necessary and the Header
> Len field will be set to 2.
>
>
> 0 1 2 3
> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | Reserved |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | |
> + +
> . Home Agent Addresses .
> + +
> | |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> . Mobility options .
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>
> Figure 8: Home Agent Rekey Message
>
> Reserved
>
> The reserved field is 16 bits
>
> Home Agent Address
>
> The receiver of this message MUST rekey the security asscoation
s/asscoation/association/
Cheers,
a+
- Re: [MEXT] Review of draft-ietf-mip6-hareliabilit… Ryuji Wakikawa
- [MEXT] Review of draft-ietf-mip6-hareliability-06 Arnaud Ebalard