RE: [netlmm] Welcome your comments on draft-qin-mipshop-pmipro-00.txt
qinxia <alice.Q@huawei.com> Wed, 18 April 2007 03:14 UTC
Return-path: <netlmm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1He0dE-0005Ud-RE; Tue, 17 Apr 2007 23:14:56 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1He0dC-0005UX-V0 for netlmm@ietf.org; Tue, 17 Apr 2007 23:14:54 -0400
Received: from szxga03-in.huawei.com ([61.144.161.55]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1He0d8-0005wv-Us for netlmm@ietf.org; Tue, 17 Apr 2007 23:14:54 -0400
Received: from huawei.com (szxga03-in [172.24.2.9]) by szxga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTP id <0JGO00530BNEK2@szxga03-in.huawei.com> for netlmm@ietf.org; Wed, 18 Apr 2007 11:14:02 +0800 (CST)
Received: from huawei.com ([172.24.1.24]) by szxga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTP id <0JGO00J5UBN1EO@szxga03-in.huawei.com> for netlmm@ietf.org; Wed, 18 Apr 2007 11:14:02 +0800 (CST)
Received: from q52443 ([10.164.5.117]) by szxml04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTPA id <0JGO007OEBMYH5@szxml04-in.huawei.com> for netlmm@ietf.org; Wed, 18 Apr 2007 11:13:49 +0800 (CST)
Date: Wed, 18 Apr 2007 11:13:46 +0800
From: qinxia <alice.Q@huawei.com>
Subject: RE: [netlmm] Welcome your comments on draft-qin-mipshop-pmipro-00.txt
In-reply-to: <462488F6.3010203@informatik.uni-goettingen.de>
To: 'Jun Lei' <lei@informatik.uni-goettingen.de>
Message-id: <003301c78167$93d62cd0$7505a40a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit
Thread-index: AceAzOUtGo9F8EuRTWKdjec22D6BrQAk+qxA
X-Spam-Score: 0.0 (/)
X-Scan-Signature: de9dabb9a3ceb021f26761a300a4624c
Cc: netlmm@ietf.org
X-BeenThere: netlmm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETLMM working group discussion list <netlmm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/netlmm>
List-Post: <mailto:netlmm@ietf.org>
List-Help: <mailto:netlmm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/netlmm>, <mailto:netlmm-request@ietf.org?subject=subscribe>
Errors-To: netlmm-bounces@ietf.org
Hello Lei, Thanks for your comments! Please kindly see inlines. Best wishes Alice > -----Original Message----- > From: Jun Lei [mailto:lei@informatik.uni-goettingen.de] > Sent: Tuesday, April 17, 2007 4:45 PM > To: qinxia > Cc: netlmm@ietf.org > Subject: Re: [netlmm] Welcome your comments on > draft-qin-mipshop-pmipro-00.txt > > Dear Alice, > > It seems that the key idea behind the draft is mainly based on the > "enhanced route optimization for MIPv6" and the cryptography part is > motivated from CGA. [qx] yes, as I said on presentation. > > Just few comments. > > 1. As you have mentioned, it requires more efforts to > determine which CN > needs route optimization. It seems that PMA will do this job. > Any other > methods? At least, the mechanism described here is not clear to me. > [qx] as CN is behind a PMA(MAG), who and how to decide RO with whom? This problem needs to be researched further. If you have good ideas, please let me know. > 2. In the Sec3.1, you mentioned > > "the PMA may initiate another PBU exchange. Thus, the CN may > authenticate this PBU with both temporary home keygen token > and Care of > keygen token....". > > I am a little confused. Where is the definition or clarification of > temporary home keygen token and care of keygen token? And > what's purpose > of them? [qx] temporary home keygen token is defined in "enhanced route optimization for MIPv6" . I did not repeat it in my draft. If people think it is necessary to repeat it, I will append it. > > 3. In sec3.4, you mentioned > > "As soon as the complete PBU message is received by the CN, .... This > PBU contains CGA parameters and signature...." > > To my understanding, "this PBU" should be "Early PBU". Is that right? > The description of the figure 4 is not very explicitly clear. > [qx] ok, I will fix it in the revision. Thanks. > 4. In sec 3.5, it is mentioned > > "If the permanent home keygen token is required, both permanent home > keygen token and handover home keygen token are generated ...." > > I am not quite sure about the above explanation since currently PMA > doesn't hold the permanent home keygen token. Is that right? > [qx] if PMA has no permanent home keygen token, or the token is needed to be updated, then these tokens should be generated. > 5. From the very beginning, the draft claims that this protocol also > support inter-domain case. However, it is hardly to find the explicit > defintion of how to support it. After reading, I have a kind > of feeling > that this protocol could only support intra-domain case. Could you > please give a scenario, which might be helpful. [qx] inter-domain? I did not find this word in this draft, could you point it out? Thanks. > > Cheers > > Jun > > > Hello All, > > My new draft is available, please review it, > > http://tools.ietf.org/wg/mipshop/draft-qin-mipshop-pmipro-00.txt > > > > This document defines route optimization protocol for > Proxy Mobile > > IPv6. Proxy home test, concurrent proxy care-of test > and handover > > procedures are explained. Proxy mobile agent uses > cryptographically > > generated home addresses so that no more home test is > needed after > > the initial home test. Handover home keygen token is > used during > > handover in order to eliminate home test for the next > proxy mobile > > agent. A different route optimization protocol is > defined for inter- > > proxy mobile agent operation if the correspondent node > is not Mobile > > IPv6 enabled. > > > > > > > your comments are sincerely welcome. > > > > Best regards > > > > Alice Qin > > > > > > > -------------------------------------------------------------- > ---------- > > > > > > > > Network Working Group > A. Qin > > Internet-Draft > A. Huang > > Expires: August 29, 2007 > W. Wu > > > B. Sarikaya > > Huawei > Technologies > > > February 25, 2007 > > > > > > PMIPv6 Route Optimization Protocol > > draft-qin-mipshop-pmipro-00.txt > > > > Status of this Memo > > > > By submitting this Internet-Draft, each author > represents that any > > applicable patent or other IPR claims of which he or she is aware > > have been or will be disclosed, and any of which he or > she becomes > > aware will be disclosed, in accordance with Section 6 of BCP 79. > > > > Internet-Drafts are working documents of the Internet Engineering > > Task Force (IETF), its areas, and its working groups. Note that > > other groups may also distribute working documents as Internet- > > Drafts. > > > > Internet-Drafts are draft documents valid for a maximum > of six months > > and may be updated, replaced, or obsoleted by other > documents at any > > time. It is inappropriate to use Internet-Drafts as reference > > material or to cite them other than as "work in progress." > > > > The list of current Internet-Drafts can be accessed at > > http://www.ietf.org/ietf/1id-abstracts.txt. > > > > The list of Internet-Draft Shadow Directories can be accessed at > > http://www.ietf.org/shadow.html. > > > > This Internet-Draft will expire on August 29, 2007. > > > > Copyright Notice > > > > Copyright (C) The IETF Trust (2007). > > > > > > > > > > > > > > > > > > > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 1] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > Abstract > > > > This document defines route optimization protocol for > PMIPv6. Proxy > > home test, concurrent proxy care-of test and handover > procedures are > > explained. Proxy mobile agent uses cryptographically > generated home > > addresses so that no more home test is needed after the > initial home > > test. Handover home keygen token is used during > handover in order to > > eliminate home test for the next proxy mobile agent. A different > > route optimization protocol is defined for inter-proxy > mobile agent > > operation if the correspondent node is not Mobile IPv6 enabled. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 2] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > 1. Introduction > > > > In Proxy Mobile IPv6 (PMIPv6) scheme, the mobility is > transparent to > > mobile nodes (MN) by the Proxy Mobility Agent (PMA) > simulating a home > > link and acting as a proxy on mobile IP operation, also is > > transparent to correspondent nodes (CN) by forcing all > datagrams for > > a mobile node to be routed through its home agent (HA). Thus, > > datagrams to the mobile node are often routed along > paths that are > > significantly longer than optimal. However, packets > could be routed > > directly between correspondent nodes and the proxy mobile agent > > instead of through home agent, such path is optimal. Moreover, > > immunity to impersonation, denial of service, and > redirection-based > > flooding is necessary for a route optimization protocol > in PMIPv6. > > This document presents a mechanism, based on PMIPv6 [4] > and Enhanced > > Route Optimization for Mobile IPv6 [5], to securely > establish optimal > > route path between PMA and correspondent nodes or > between two PMAs. > > > > The following types of correspondent nodes are considered: > > correspondent nodes which have both Mobile IPv6 stack defined in > > RFC3775 and recognize PMIPv6 messages, correspondent > nodes without > > Mobile IPv6 function which are provided mobility support by Proxy > > Mobile IPv6, as well as a fixed correspondent node > without mobility. > > This document discusses both the first (Type 1 CNs) and > the second > > (Type 2 CNs). > > > > Type 1 CN's MUST support Enhanced Route Optimization for > Mobile IPv6 > > [5] and extensions defined in this document. PMIPv6 RO is > > transparent for Type 2 CNs. > > > > Some terminology is defined in Section 2. Section 3 > presents PMIPv6 > > Route Optimization Protocol for Type 1 CNs and Section 4 presents > > inter-PMA route optimization protocol for Type 2 CNs. Section 5 > > defines home agent, Section 6 defines proxy mobile agent and > > Section 7 defines correspondent node behaviour. In Section 8, > > formats and options of messages are defined. > > > > > > 2. Terminology > > > > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", > "SHALL NOT", > > "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and > "OPTIONAL" in this > > document are to be interpreted as described in [1]. > > > > Proxy Mobile Agent (PMA) > > The proxy mobile agent is a functional element on the access > > router, which is defined in [4]. In PMIPv6, proxy > mobile agent > > acts an Mobile Ip client agent of MN. In this > document, the route > > optimization function is also provided by PMA. > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 3] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > Proxy Binding Cache > > A cache of mobility bindings of mobile nodes, maintained by a > > proxy mobile agent for use in sending or forwarding > datagrams to > > PMAs serving for these mobile nodes. > > Cryptographically generated home addresses > > A cryptographically generated home address enables > correspondent > > nodes to securely authenticate the owner of home > address (HoA), by > > means of a strong, cryptographic binding between the interface > > identifier of the address and the address owner's public key. > > From the perspective of correspondent node, the home > address of > > the mobile node is owned by proxy mobile agent during route > > optimization procedure. In this document, proxy > mobile IPv6 home > > addresses are cryptographically generated home > addresses using its > > mobile node's public key. Home prefix could be > per-MN prefix or > > shared prefix. > > Permanent home keygen token > > A secret permanent home keygen token, which is generated by a > > correspondent node for a mobile node, is exchanged > between proxy > > mobile agent and a correspondent node. Permanent home keygen > > token is kept by proxy mobile agent. The permanent > home keygen > > token is used to authenticate the proxy mobile agent more > > efficiently in subsequent correspondent registrations. The > > permanent home keygen token is renewed as soon as the > mobile node > > moves to the next proxy mobile agent. Since the > lifetime of proxy > > binding update is due, permanent home keygen token > should be re- > > generated too. > > Handover home keygen token > > A secret handover home keygen token is used during > handover, which > > is generated by a correspondent node for a mobile > node. Handover > > home keygen token, kept by proxy mobile agent, is > obtained along > > with permanent home keygen token at initial time. However, it > > will be not out-of-date even though the registration > lifetime is > > due. During handover, handover home keygen token is > transferred > > from the previous proxy mobile agent to the next proxy mobile > > agent. The next proxy mobile agent uses this token to > > authenticate the proxy binding update. > > Type 1 Correspondent Node > > A node that is Mobile IPv6 enabled to be a > correspondent node as > > per [2]. Type 1 CNs can receive route optimized traffic from > > proxy mobile agents serving their mobile nodes. > > Type 2 Correpondent Node > > A mobile node that is served by proxy mobile agent. Route > > optimization is transparent to Type 2 CNs. Proxy mobile agent > > provides both mobility and route optimization > services to Type 2 > > CNs. > > > > > > > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 4] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > 3. PMIPv6 Route Optimization Protocol > > > > This section consists of a set of approaches to meet > requirements of > > route optimization for PMIPv6. > > > > 3.1. Route Optimization for PMIPv6 Overview > > > > This document describes a route optimization protocol for PMIPv6. > > This protocol is based on PMIPv6 and Enhanced Route > Optimization for > > Mobile IPv6. > > > > Once a mobile node enters its Proxy Mobile IPv6 domain, > proxy mobile > > agent which runs on the access router does the mobility related > > signaling on behalf of the mobile node. In MIPv6, a > mobile node may > > determine when and which correspondent node needs route > optimization. > > In contrast, access router MAY inform proxy mobile agent > to initiate > > route optimization procedure according to some policies > in PMIPv6. > > The configuration of such policies is out of scope. > > > > As soon as proxy mobile agent makes decision on which > correspondent > > node needs route optimization, proxy mobile agent initiates proxy > > home test procedure depicted in Section 3.2. Correspondent nodes > > verify the reachability of home address via this procedure. > > > > Correspondent nodes also need to verify the reachability > of care-of > > address. Proxy care-of test init message is piggybacked > on a proxy > > binding update message which is sent by proxy mobile > agent on behalf > > of the mobile node to register with a correspondent > node. After the > > first round trip of proxy binding update exchange is > over between a > > correspondent node with proxy mobile agent, the > correspondent node > > sets up a binding cache entry and MAY start routing > packets directly > > to care-of address of the mobile node even though the > care-of address > > is not verified. However, the proxy mobile agent obtains care-of > > keygen token via this round trip of proxy binding update > exchange. > > > > The proxy mobile agent MAY initiate another proxy binding update > > exchange. Thus, the correspondent node MAY authenticate > this proxy > > binding update with both temporary home keygen token and care-of > > keygen token, and then it makes sure of the validity of > proxy binding > > cache entry created by early proxy binding update > exchange. In order > > to protect against redirection-based flooding attacks, > Credit-Based > > Authorization (CBA) can be exploited as described in [5]. > > > > During handover, the next proxy mobile agent simulates > home link for > > the mobile node. For the sake of security, proxy home > test should be > > executed over again for correspondent node to verify the > rachability > > and validity of home address of MN. In order to reduce handover > > latency brought up with the proxy home test, handover home keygen > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 5] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > token is introduced in Section 3.4. > > > > In PMIPv6 route optimization protocol, the proxy home > test and proxy > > care-of test exchanges are initiated by PMA instead of > MN. However, > > both the source address of proxy home test init message and the > > destination address of proxy home test message are home > address of > > mobile node. So, the proxy mobile agent MUST identify, > intercept and > > process the home test messages. > > > > For the sake of security, cryptographically generated > home addresses > > and permanent home keygen token, defined in [5], are > used in PMIPv6 > > route optimization (PMIPv6RO) protocol. > Cryptographically generated > > home addresses, CGA parameters and signature are > calculated with the > > mobile node's public key and private key by each PMA the > mobile node > > visits. The input parameters to the CGA calculations > [3] like the > > subnet prefix, public key and private key are available > to each PMA. > > One possible mechanism is context transfer from the > previous PMA. In > > order to decrease handover latency, handover home keygen token is > > introduced in PMIPv6RO as a credential for the next proxy mobile > > agent to be more efficient by means of eliminating home test > > procedure. > > > > As shown in Figure 1, the optimal route path is depicted > by slashes > > which connect correspondent node with proxy mobile agent. > > +------+ +----+ > > | HA |-------------------| CN | > > +------+ +----+ > > | HAA | > > | +--------------------+ > > // \\ / / > > // \\/ / > > +---------//-----/--------------------/--+ > > | // / \\ PMIP Network / | > > +-------//-----/----\\--------------/----+ > > // / \\ / > > // / \\ / > > //+----+ \\+-------/ > > CoA1 | | | CoA2 > > +----+ +----+ > > |PMA1|<- policies |PMA2|<- policies > > +----+ for RO +----+ for RO > > | | > > -.-.-> [MN] HoA > > > > Figure 1: PMIPv6 Route Optimization Operation > > > > > > > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 6] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > 3.2. Proxy Home Test Procedure > > > > Proxy Home Test procedure validates the home address. > It includes > > two messages as follows: > > > > Proxy Home Test Init (Proxy HoTI) > > > > Proxy Home Test (Proxy HoT). > > > > Since the destination address of Proxy HoT message is the home > > address of MN, the PMA MUST intercept and process Proxy Home Test > > message instead of forwarding it to MN. > > > > When handoff occurs, correspondent nodes must re-verify the > > reachability of home address. The next proxy mobile > agent MAY also > > initiate the proxy home test. Proxy mobile agent must keep > > correspondent nodes list in its Binding Update List. > When MN roams > > into the next PMA, these Binding Update List entries SHOULD be > > transferred to the next PMA using context transfer > protocol or other > > protocols. When MN roams into the next PMA, the entries in the > > Binding Update List on MN identity like NAI, private and > public keys, > > etc. SHOULD be transferred to the next PMA. The > context transfer > > protocol is out of scope. > > > > As shown in Figure 2, the proxy mobile agent imitates > the Mobile IP > > client of the mobile node. The Proxy Home Test Init > (PHoTI) message > > is sent from PMA to the correspondent node, and it should be > > transmitted via the shared tunnel between the Home Agent and PMA. > > Proxy Mobile Agent Home agent > Correspondent node > > > > According to some policies > > Decide to optimize route path | > | > > | | > | > > |==Proxy Home Test Init > (PHoTI)=>|---------------------->| > > | | > | > > | | > | > > |<====Proxy Home Test > (PHoT)=====|<----------------------| > > | | > | > > > > Figure 2: Proxy Home Test Procedure > > > > 3.3. Concurrent Proxy Care-of Test > > > > Correspondent nodes also need to prove the reachability > of care-of > > address. In this document, since the care-of test is > initiated by > > proxy mobile agent instead of by mobile node, we call it as proxy > > care-of test procedure in order to differentiate the > procedure from > > the definition in MIPv6 [2]. > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 7] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > Proxy care-of test is piggybacked on a proxy binding > update which is > > sent by proxy mobile agent on behalf of the mobile node > to register > > with a correspondent node. The care-of test is done concurrently > > with proxy binding update exchange, so we call it > concurrent proxy > > care-of test. As shown in Figure 3, as a correspondent > node receives > > a proxy binding update message, which contains care-of test init > > option, the CGA Parameters and Signature options, it returns a > > care-of keygen token in care-of test option piggybacked > onto proxy > > binding acknowledgement (PBA) message. The mechanism is > as described > > in [5]. > > > > After the first round trip of proxy binding update > exchange is over > > between a correspondent node with proxy mobile agent, the > > correspondent node sets up a binding cache entry and may route > > packets directly to care-of address of the mobile node > even though > > the care-of address is not verified. However, the proxy > mobile agent > > obtains care-of keygen token via this round trip of proxy binding > > update exchange. The proxy mobile agent may initiate > another proxy > > binding update exchange. Thus, the correspondent node may > > authenticate this proxy binding update with both temporary home > > keygen token and care-of keygen token, and then it makes > sure that > > the proxy binding cache entry created by early proxy > binding update > > exchange is legitimate. In order to protect against redirection- > > based flooding attacks, Credit-Based Authorization is > also exploited, > > which is already introduced in [5]. > > > > If proxy mobile agent has only temporary home keygen > token instead of > > permanent home keygen token, the proxy mobile agent > calculates the > > Binding Authorization Data option field of early proxy > binding update > > message with temporary home keygen token and care-of keygen token > > which is set to ZERO. Proxy mobile agent calculates CGA > parameters > > and signature option according to MN's home address and > private and > > public keys to be sent in a proxy binding update message > to acquire > > permanent home keygen token and handover home keygen token. > > > > If proxy mobile agent has permanent home keygen token, > proxy mobile > > agent calculates the Binding Authorization Data option > field of early > > proxy binding update with permanent home keygen token and care-of > > keygen token which is set to ZERO. No CGA parameters > and signature > > are required. > > > > If proxy mobile agent has only handover home keygen > token, the proxy > > mobile agent calculates the Binding Authorization Data > option field > > of early proxy binding update message with handover home > keygen token > > and care-of keygen token which is set to ZERO. In order to renew > > permanent home keygen token and handover home keygen token, proxy > > mobile agent must include MN's CGA parameters and > signature in this > > early proxy binding update. > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 8] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > Concurrent proxy care-of test procedure should proceed as soon as > > mobile node moves into the next PMA. To save handoff latency, > > concurrent proxy care-of test is piggybacked onto early > proxy binding > > update exchange. As handoff occurs, the next proxy mobile agent > > calculates the Binding Authorization Data option for early proxy > > binding update based on handover home keygen token if > the next proxy > > mobile agent has already obtained the handover home keygen token. > > The next proxy mobile agent and correspondent nodes can resume > > communication, while care-of address reachability verification > > proceeds concurrently. The amount of data, which the > correspondent > > node is permitted to send to care-of address until reachability > > verification completes, is governed by Credit-Based > Authorization. > > This mechanism conforms to [5]. > > > > Proxy Correspondent > > Mobile Agent Node > > | | > > | -------Early Proxy Binding Update------------>| > > | (care-of test init option) | > > | | > > | <------Proxy Binding Acknowledgement----------| > > | (care-of test option) | > > | | > > > > Figure 3: Concurrent Proxy Care-of Test > > > > 3.4. Handover > > > > Route optimization during handover is shown as Figure 4. > > > > If the previous proxy mobile agent forecasts the > forthcoming handover > > of mobile node via layer 2 indication, such as link > going down event > > in the Media-Independent Handover, the previous proxy > mobile agent > > MAY transfer handover context to the next proxy mobile agent in > > advance. The handover home keygen token and other key parameters > > could help the next proxy mobile agent to pass the > verification of > > home address required by correspondent nodes. The next > proxy mobile > > agent MAY fetch the handover home keygen token through > home agent via > > proxy binding update exchanges with the home agent of > mobile node. > > > > After the mobile node left the previous proxy mobile agent, the > > previous proxy mobile agent deregisters the proxy > binding cache entry > > with correspondent nodes. The correspondent node > revokes permanent > > home keygen token. After the next proxy mobile agent obtains > > handover home keygen token, it sends out proxy binding update > > piggybacked by care-of test init option to correspondent nodes. > > > > As depicted in Figure 4, after the next proxy mobile > agent obtains > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 9] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > the care-of keygen token via early proxy binding update and > > acknowledges messages, the binding cache entry is generated but > > unverified in the correspondent node. As soon as the > complete proxy > > binding update message is received by the correspondent node, the > > binding cache entry could be verified. This proxy binding update > > contains CGA parameters and signature option with proxy mobile > > agent's public key and private key to request care-of > keygen token. > > > > The correspondent node receives the proxy binding update and > > authenticates it with handover home keygen token and with CGA > > property. If the proxy binding update passes the > verification, the > > correspondent node returns a care-of keygen token which > is encrypted > > with the next proxy mobile agent's public key. The > care-of keygen > > token is encrypted and sent over proxy binding acknowledgement > > message as a field. As soon as the next proxy mobile > agent receives > > this proxy binding acknowledgement, it sends a complete > proxy binding > > update message to the correspondent nodes. Binding Authorization > > Data option of the complete proxy binding update message is > > calculated using both care-of keygen token and handover > home keygen > > token. > > > > Previous Next > Correspondent > > Proxy mobile Agent Proxy mobile agent node > > > > | Handover context | > | > > |----------------------->| > | > > |(HoA,CN address,handover| > | > > |home keygen token) | > | > > handover \\ \\ > | > > | Proxy binding update(lifetime = 0) > | > > > |------------------------------------------------------>| > > | Proxy binding Acknowledge (if sent) > | > > > |<------------------------------------------------------| > > | | Early Proxy Binding > Update | > > | > |----------------------------->| > > | | Proxy Binding > Acknowledge | > > | > |<-----------------------------| > > | | Complete Proxy > Binding Update| > > | > |----------------------------->| > > | |Proxy Binding > Acknowledge | > > | > |<-----------------------------| > > | |(new Permanent, > | > > | |Handover home keygen > token) | > > | | > | > > > > Figure 4: Route Optimization during Handover Procedure > > > > > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 10] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > 3.5. Complete Proxy Binding Update > > > > A complete proxy binding update is a proxy binding > update defined in > > [4]. After proxy binding update which piggybacks care-of test > > exchanges is finished, a complete proxy binding update must be > > brought forward. The Binding Authorization Data option > field of it > > is calculated by care-of keygen token for correspondent nodes to > > verify the reachability of care-of address and authenticate the > > legitimacy of the PMA which is sending this message on > behalf of MN. > > The complete proxy binding update is exchanged as depicted in > > Figure 5. > > > > After proxy care-of test is processed, the complete proxy binding > > update exchange follows Figure 5. PBU message must be > sent with CGA > > parameters and signature option for the proxy mobile > agent to request > > permanent home keygen token and handover home keygen > token from the > > correspondent node. A CGA provides a strong binding between its > > interface identifier and the CGA owner's public key. > This enables > > other nodes to securely authenticate the CGA owner. > Depending on the > > strong security brought up with Cryptographically generated home > > addresses, lifetime of binding is extended to a longer > period more > > than 7 minutes [2]. Except for the initial test, the > following home > > tests every 7 minutes are no longer needed. > > > > The correspondent node MUST authenticate the complete > proxy binding > > update message based on the CGA property of the mobile > node's home > > address. If the proxy mobile agent has only temporary > home keygen > > token, and then the proxy mobile agent uses it to calculate the > > Binding Authorization Data option for the complete proxy Binding > > Update message. > > > > If the proxy mobile agent has permanent home keygen > token, the proxy > > mobile agent uses it to calculate the Binding Authorization Data > > option. The home nonce index is set to ZERO. > > > > If the permanent home keygen token is required, both > permanent home > > keygen token and handover home keygen token are generated and > > encrypted with the proxy mobile agent's public key. > Both of the two > > tokens are transferred from correspondent node to the next proxy > > mobile node via the proxy binding acknowledgement response to the > > complete proxy binding update message. This new > handover home keygen > > token will be exploited when the next handover occurs. > > > > The PBA MAY be protected by CGA property of > correspondent nodes. If > > another proxy mobile agent is sending PBA on behalf of the > > correspondent node, that proxy mobile agent SHOULD use > its own CGA > > property to protect PBA instead of the correspondent node's CGA > > property. > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 11] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > Proxy Correspondent Node > > Mobile Agent > > | Complete Proxy Binding Update | > > |--------------------------------------------->| > > | (CGA parameters, signature, home nonce index)| > > | | > > | | > > | Proxy Binding Acknowledgement | > > |<---------------------------------------------| > > |(Permanent home keygen token, | > > | Handover home keygen token) | > > | | > > | | > > > > Figure 5: Complete Proxy Binding Update > > > > > > 4. Route Optimization for Correspondent Nodes without Mobile IP > > > > This section describes route optimization procedure for > correspondent > > nodes which are not Mobile IP enabled. Trigerring and scenario > > analysis are made. Two kinds of solutions are proposed: > one without > > return routability and the other with return routability. > > > > 4.1. Triggering and Scenario Analysis > > > > Route optimization in Mobile IPv6 is an end-to-end > operation. Once > > mobile node and correspondent node complete the route > optimization > > procedure, all of communications between them will be > optimized. In > > Proxy Mobile IP, however, proxy mobile agent is not the > communication > > end but an intermediary router. Generally proxy mobile > agent may not > > be able to judge whether the packets need to be optimized or not. > > So, it MAY be necessary to define a mechanism that > allows mobile node > > to inform the proxy mobile agent of its route optimization > > requirement about its communication with the specific > correspondent > > node, or just let PMA to optimize all of the > communications between > > mobile node and other nodes. > > > > A flag could be defined to identify two route > optimization trigger > > modes: implicit mode that means that it's up to proxy > mobile agent to > > decide and perform route optimization for mobile node, > or explicit > > mode that means mobile node MUST send a message to trigger proxy > > mobile agent to perform route optimization for mobile > node. The flag > > of route optimization trigger mode can also be > configured in a policy > > store, such as in AAA infrastructure. After successful access > > authentication and authorization, proxy mobile agent > gets this flag > > as part of the user profile from AAA infrastructure. On > this point > > route optimization can be considered as a kind of service that > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 12] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > network provides to mobile users. > > > > Assuming that both mobile node and correspondent node > are using Proxy > > Mobile IPv6, there are four possible scenarios/cases due to the > > different location of correspondent node: mobile node and > > correspondent node attach to the same proxy mobile agent and they > > belong to the same home agent (case 1), mobile node and > correspondent > > node attach to the same proxy mobile agent but they belong to > > different home agents (case 2), mobile node and > correspondent node > > attach to different proxy mobile agents, but they have > the same home > > agent (case 3), mobile node and correspondent node attach to > > different proxy mobile agents, and they have different > home agents > > (case 4). > > > > Cases 1 and 2 do not require any signaling between PMAs > and packets > > can be locally routed. As mobile node and correspondent > node both > > attach to the same PMA and this PMA performs > registration process on > > behalf of them and maintains Binding Update List for > them. When PMA > > receives the packets from mobile node or correspondent > node, proxy > > mobile agent SHOULD look up the Binding Update List to > check whether > > or not the destination IP address in the IP packet appears in the > > Binding Update List as home address. If yes, it means > proxy mobile > > agent has registered with home agent on behalf of > destination node > > and proxy mobile agent SHOULD directly forward the packet on the > > connected interface instead of sending the packet to the > home agent > > through the bi-directional tunnel. > > > > In cases 3 and 4, mobile node and correspondent node attach to > > different PMAs, the ideal data path is to directly go > through these > > two PMAs to which mobile node and correspondent node > attach. A bi- > > directional tunnel needs to be established between these > two proxy > > mobile agents for route optimization. > > > > Proxy mobile agent needs to know IP address of the > corresponding PMA > > to which correspondent node attaches so that it can initiate the > > route optimization signaling process. HA of CN knows it > because IP > > address of corresponding PMA has been registered with > the home agent > > as the care-of address of CN. Proxy mobile agent can > send a request > > to the home agent of CN and ask for the Binding Cache > Entry for the > > correspondent node if it knows the IP address of that home agent. > > > > Another method of obtaining PMAs' addresses is by > exchanging them in > > home test messages during return routability signaling. Modified > > PHoTI and PHoT messages can be used for this purpose. > > > > In Section 4.2 we present a route optimization technique based on > > obtaining IP address of the corresponding PMA from the > home agent and > > in Section 4.3 based on return routability procedure. > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 13] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > 4.2. Route Optimization without Return Routability > > > > A possible route optimization process is illustrated in Figure 6, > > where PMA1 performs route optimization process for communication > > between MN1 and CN4 whose corresponding PMA is PMA3 and > HA is HA2. > > After getting home agent address of CN4, PMA1 first > sends the request > > with home address of CN4 to HA2 to inquire the IP > address of PMA3. > > HA2 looks up the Binding Cache and responds with the > care-of address > > of CN4. > > > > PMA1 sends Proxy Binding Update to PMA3 to register the > home address > > of MN1 and IP address of PMA1 as care-of address with PMA3. PMA3 > > stores this information in the Binding Cache entry for > the MN1 and > > responds with another Proxy Binding Update sent to PMA1 which > > interprets it as an acknowledgement as well. PMA1 sends Proxy > > Binding Acknowledgement to PMA3 to confirm the > registration request. > > After this three-way handshake procedure, Binding Cache > Entries for > > MN1 and CN4 have been created in PMA3 and PMA1 respectively. The > > packets between MN1 and CN4 can go through the > bi-directional tunnel > > between PMA1 and PMA3 to reach each other. > > > > PMA1 HA2 PMA3 > > | | | > > | Binding Cache Request/Ack | | > > |<---------------------------->| | > > | | | > > | | > > | Proxy Binding Update | > > |----------------------------------------->| > > | Proxy Binding Update | > > |<-----------------------------------------| > > | Proxy Binding Acknowledgement | > > |----------------------------------------->| > > | | > > > > > > Figure 6: 3-way Handshake > > > > 4.2.1. Tunnel Re-establishment During the Handover > > > > Suppose a bi-directional tunnel has been established for route > > optimization in case 4, handover happens when MN1 moves > from PMA1 to > > PMA2 and PMA2 registers with HA1 on behalf of MN1 after > performing > > access authentication Figure 7. After the handover, PMA3 MUST be > > informed of the mobility of MN1, or the packets from CN4 > to MN1 will > > still be sent to PMA1 because the Binding Cache Entry > for MN1 hasn't > > been updated in PMA3. In fact, the one end of tunnel has changed > > from PMA1 to PMA2 due to handover, and the tunnel MUST be re- > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 14] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > established for route optimization. > > > > +-----+ +-----+ > > | HA1 |~~~~~~~~~~~~~~~~~| HA2 | > > /+-----+\\ +-----+\\ > > // \\ \\ > > // \\ \\ > > // \\ \\ > > // \\ \\ > > // \\ \\ > > +----+ +----+ +----+ > > |PMA2|~~~~~~~~~~~~~~~~~~|PMA1|~~~~~~~~~~~~~~~|PMA3| > > +--+-+ +-+--+ +-+--+ > > | | | > > | | | > > -----+---- ----+------- ---+--+-- > > | > > +-----+ +--+--+ > > <-----| MN1 | | CN4 | > > +-----+ +-----+ > > > > Figure 7: Handover Scenario > > > > The context transfer of Binding Update List entry for > mobile node can > > trigger the new proxy mobile agent to re-establish the tunnel for > > route optimization so that route optimized communication > can continue > > after handover. > > > > An example for route optimization signaling flow during > handover is > > depicted in Figure 8. Here, the handover is controlled > by network in > > a reactive mode, where new proxy mobile agent (PMA2) > sends Context > > Transfer Request message to old proxy mobile agent > (PMA1) and PMA1 > > responds with Context Transfer Data message which carries user > > profiles and Binding Update List entries for MN1. PMA2 > SHOULD send > > Proxy Binding Update message to corresponding proxy mobile agent > > (PMA3 here) according to each Binding Update List entry. The > > following flow is the same as all that described in Section 4.2 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 15] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > PMA1 PMA2 > PMA3 > > | | > | > > | Context Transfer Request | > | > > |<---------------------------| > | > > | | > | > > | Context Transfer Data | > | > > |--------------------------->| > | > > | | > | > > | Proxy Binding Update > | > > > |-------------------------------->| > > | Proxy Binding Update > | > > > |<--------------------------------| > > | Proxy Binding > Acknowledgement | > > > |-------------------------------->| > > | > | > > > > Figure 8: RO in Handover > > > > 4.3. Route Optimization with Return Routability > > > > If a proxy mobile agent provides mobility service for > correspondent > > nodes, PMIPv6 Route Optimization protocol could be used for such > > correspondent nodes, as long as the proxy mobile agent > intercepts and > > processes route optimization extensions via looking over > the MH types > > and distinguishing Proxy Mobile IP signaling from data. > The process > > is shown in Figure 9. The proxy home test init message is > > transmitted over the shared tunnel between proxy mobile agent of > > mobile node and home agent of mobile node. This proxy > home test init > > message is forwarded to home address of the > correspondent node by HA. > > At the home agent of the correspondent node, this message is > > tunnelled into the shared tunnel between the home agent of > > correspondent node and the proxy mobile agent of the > correspondent > > node. > > > > The proxy mobile agent of CN intercepts proxy home test > init message > > and extracts MN's home address and care-of address from > PHoTI. PMA > > of CN sends a proxy home test message back to PMA of MN and adds > > care-of address of CN into PHoT message. PMA of CN > creates a Binding > > Cache entry for this MN. PHoT is transmitted over the > shared tunnel > > between PMA of CN and HA of CN. HA of CN forwards this > message to > > the home address of MN which tunnels it to PMA of MN. > > > > PMA of MN receives PHoT message, it extracts the care-of > address of > > CN and adds this information to the Binding Cache entry > for CN. PMA > > of CN next starts care-of test signaling by sending an > early binding > > update message directly to the care-of address of CN, > i.e. to PMA of > > CN. > > > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 16] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > Due to the address exchange using PHoTI and PHoT > messages, care-of > > test signaling in Figure 9 MUST NOT be started in > parallel to home > > test signaling. > > Proxy Home Agent(MN) Home Agent(CN) Proxy > > Mobile Agent(MN) Mobile Agent(CN) > > | Proxy HoTI | | | > > |===============>|-------------->|===============>| > > | Proxy HoT | | | > > |<===============|<--------------|<===============| > > | Early Proxy Binding Update | | > > |------------------------------------------------>| > > | Proxy Binding Acknowledgement| | > > |<------------------------------------------------| > > | Complete Proxy Binding Update| | > > |------------------------------------------------>| > > | Proxy Binding Acknowledgement| | > > |<------------------------------------------------| > > | | | > > > > Figure 9: Route Optimization for Correspondent nodes > without mobile > > ip > > > > > > 5. Home Agent Considerations > > > > The home agent MUST drop all HoTI messages received from a home > > address that has corresponding Binding Cache entry with the proxy > > registration flag set. The home agent MUST forward all > Proxy HoTI > > messages received from a home address that has > corresponding Binding > > Cache entry with the proxy registration flag set. > > > > > > 6. Proxy Mobile Agent Considerations > > > > PMA, after successful Home and Care-of Test exchanges, creates a > > Binding Cache entry for the correspondent node or PMA of the > > correspondent node. For each mobile node, the Binding > Cache contains > > one entry for each correspondent node. After handover, > PMA deletes > > the Binding Cache entry and deregisters MN with all its > correspondent > > nodes. > > > > PMA MUST maintain a Binding Update List for each MN. > The fields are > > as defined in [2] and with extensions defined in [4]. > For each MN > > for which route optimization service is offered, the > list in addition > > MUST contain the private and public keys of MN. Apart from home > > registrations as in [4], Binding Update List contains > correspondent > > registrations for route optimization. > > > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 17] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > After handover, correspondent registration entries in the Binding > > Update List SHOULD be transferred to the next PMA. Such > a transfer > > provides continuity of correspondent registrations for route > > optimization. The next PMA refreshes such registrations > only after > > lifetime expiry. > > > > PMA MUST maintain a Binding Cache if it has Type 2 CNs. Binding > > cache entries are created when PMA receives a home test > init message. > > This Binding Cache is called Proxy Binding Cache. > > > > From the correspondent nodes PMA receives data packets > with Type 2 > > routing header. Type 2 routing header MUST conform to > the structure > > given in Section 6.1.5 of [2]. PMA MUST process the packet as > > follows: PMA replaces the source address with the home > address given > > in Type 2 routing header. PMA removes Type 2 routing > header. PMA > > sends the packet to MN. > > > > PMA MUST not include IPv4 home address option [6] in > proxy binding > > updates sent for route optimization. PMIPv6 route > optimization for > > dual-stack nodes is TBD. > > > > > > 7. Correspondent Node Considerations > > > > This section state the differences in the behaviour of a > > correspondent node that conforms to Section 9 of [2]. > > > > Upon receiving a Proxy Home Test Init message, Early > Proxy Binding > > Update and Complete Proxy Binding Update message, the > correspondent > > node verifies the following: The packet MUST NOT include a Home > > Address destination option. The correspondent node MUST silently > > ignore such packets. > > > > After a successful Home and Care-of Test exchanges, the > correspondent > > node creates a Binding Cache entry for the proxy mobile agent > > proxying the mobile node. The entry MUST be deleted after the > > expiration of its lifetime or after receiving a proxy > binding update > > message which deregisters the mobile node. > > > > Correspondent node MUST receive route optimized data > packets from PMA > > encapsulated in IP-in-IP encapsulation. Source address > of the outer > > header MUST be equal PMA's egress interface address and > MUST match > > the Binding Cache entry. CN MUST remove the outer header before > > passing the packet to the upper layers. > > > > CN MUST use Type 2 routing header in outgoing packets to > PMA. The > > destination address is PMA's egress interface address > which serves as > > Care-of address for the mobile node and the type 2 routing header > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 18] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > contains MN's home address. > > > > > > 8. Message Formats > > > > This section defines extensions to the Proxy Mobile IPv6 > [4] protocol > > messages and the enhanced route optimization in MIPv6 protocol > > messages [5]. > > > > 8.1. Proxy Home Test > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | Home Nonce > Index | > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | > | > > + Home Init Cookie > + > > | > | > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | > | > > + Home Keygen Token > + > > | > | > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | > | > > + > + > > | > | > > + Care-of Address > + > > | > | > > + > + > > | > | > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | > | > > . > . > > . Mobility options > . > > . > . > > | > | > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > > > Proxy Home Test > > > > A new MH type should be assigned by IANA. > > > > Home Keygen Token > > This field contains the 64 bit temporary home keygen > token used to > > authenticate the proxy binding update. > > > > Care-of Address > > This field contains the care-of address assigned to > the CN by PMA. > > For descriptions of other fields present in this > message, refer to > > section 6.1.5 in [2]. > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 19] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > 8.2. Proxy Home Test Init Message > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | Reserved > | > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | > | > > + Home Init Cookie > + > > | > | > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | > | > > + > + > > | > | > > + Care-of Address > + > > | > | > > + > + > > | > | > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | > | > > . > . > > . Mobility Options > . > > . > . > > | > | > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > > > Proxy Home Test Init > > > > A new MH type should be assigned by IANA. > > > > Care-of Address > > This field contains the care-of address assigned to the mobile > > node by PMA. > > For descriptions of other fields present in this > message, refer to > > section 6.1.5 in [2]. > > > > 8.3. Handover Home Keygen Token option > > > > Handover home keygen token is a mobility option. It is > sent by CN in > > proxy binding acknowledgement message. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 20] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > 0 1 2 > 3 > > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 > 6 7 8 9 0 1 > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | Option Type | > Option Length | > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | > | > > : > : > > : Handover Home Keygen Token > : > > : > : > > | > | > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > > > Handover Home Keygen Token option > > > > Option Type > > 8-bit identifier of the type of this mobility option. > Its value > > is TBD. > > > > Option Length > > 8-bit unsigned integer representing the length of the Handover > > Home Keygen Token field in octets. > > Handover Home Keygen Token > > This field contains the Handover home keygen token > generated by > > the correspondent node. The content of this field MUST be > > encrypted with the proxy mobile agent's public key. > The length of > > the handover home keygen token is 8 octets before encryption. > > After it is encrypted, this field may be longer than 8 octets. > > > > > > 9. Security Considerations > > > > Security mechanism is very important in the route optimization > > process, especially for the proposal of establishing the tunnel > > between two proxy mobile agents. In the case of route > optimization > > without return routability, if proxy mobile agent does not > > authenticate Proxy Binding Update and Proxy Binding Acknowledge > > messages, a malicious node may send such signaling > messages to proxy > > mobile agents to get the data packets destined for other nodes > > directed to itself. > > > > In addition, when proxy mobile agent sends data packets > through the > > bi-directional tunnel between two proxy mobile agents, > corresponding > > PMA SHOULD examine the data packets to make sure there > is a Binding > > Cache entry for the data source terminal. > > > > Route optimization signaling between PMA of MN and CN > specified in > > this document is based on [5] and use return routability > with better > > security properties than the return routability of the > base protocol > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 21] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > [2]. > > > > Return routability signaling between two PMAs specified in this > > document is also based on [5] and has better security properties. > > > > > > 10. References > > > > 10.1. Normative References > > > > [1] Bradner, S., "Key words for use in RFCs to Indicate > Requirement > > Levels", BCP 14, RFC 2119, March 1997. > > > > [2] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in > > IPv6", RFC 3775, June 2004. > > > > [3] Aura, T., "Cryptographically Generated Addresses (CGA)", > > RFC 3972, March 2005. > > > > [4] Gundavelli, S., "Proxy Mobile IPv6", > > draft-sgundave-mip6-proxymip6-01 (work in progress), > > January 2007. > > > > [5] Arkko, J., "Enhanced Route Optimization for Mobile IPv6", > > draft-ietf-mipshop-cga-cba-03 (work in progress), > February 2007. > > > > 10.2. Informative references > > > > [6] Soliman, H., "Mobile IPv6 support for dual stack Hosts and > > Routers (DSMIPv6)", > draft-ietf-mip6-nemo-v4traversal-03 (work in > > progress), October 2006. > > > > > > Authors' Addresses > > > > Alice Qin > > Huawei Technologies > > No.91 BaiXia Rd. > > Nanjing, Jiangsu 210001 > > China > > > > Email: Alice.Q@huawei.com > > > > > > > > > > > > > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 22] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > Andy Huang > > Huawei Technologies > > No.91 BaiXia Rd. > > Nanjing, Jiangsu 210001 > > China > > > > Phone: +86-25-84565457 > > Email: hpanda@huawei.com > > > > > > Wenson Wu > > Huawei Technologies > > No.91 BaiXia Rd. > > Nanjing, Jiangsu 210001 > > China > > > > Phone: +86-25-84565459 > > Email: sunseawq@huawei.com > > > > > > Behcet Sarikaya > > Huawei Technologies > > 1700 Alma Dr. Suite 100 > > Plano, TX 75075 > > > > Email: sarikaya@ieee.org > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 23] > > > > > Internet-Draft PMIPv6 Route Optimization > February 2007 > > > > > > Full Copyright Statement > > > > Copyright (C) The IETF Trust (2007). > > > > This document is subject to the rights, licenses and restrictions > > contained in BCP 78, and except as set forth therein, the authors > > retain all their rights. > > > > This document and the information contained herein are > provided on an > > "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION > HE/SHE REPRESENTS > > OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE > IETF TRUST AND > > THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL > WARRANTIES, EXPRESS > > OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY > THAT THE USE OF > > THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR > ANY IMPLIED > > WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A > PARTICULAR PURPOSE. > > > > > > Intellectual Property > > > > The IETF takes no position regarding the validity or scope of any > > Intellectual Property Rights or other rights that might > be claimed to > > pertain to the implementation or use of the technology > described in > > this document or the extent to which any license under > such rights > > might or might not be available; nor does it represent > that it has > > made any independent effort to identify any such rights. > Information > > on the procedures with respect to rights in RFC documents can be > > found in BCP 78 and BCP 79. > > > > Copies of IPR disclosures made to the IETF Secretariat and any > > assurances of licenses to be made available, or the result of an > > attempt made to obtain a general license or permission > for the use of > > such proprietary rights by implementers or users of this > > specification can be obtained from the IETF on-line IPR > repository at > > http://www.ietf.org/ipr. > > > > The IETF invites any interested party to bring to its > attention any > > copyrights, patents or patent applications, or other proprietary > > rights that may cover technology that may be required to > implement > > this standard. Please address the information to the IETF at > > ietf-ipr@ietf.org. > > > > > > Acknowledgment > > > > Funding for the RFC Editor function is provided by the IETF > > Administrative Support Activity (IASA). > > > > > > > > > > > > Qin, et al. Expires August 29, 2007 > [Page 24] > > > > > > > > > -------------------------------------------------------------- > ---------- > > > > _______________________________________________ > > netlmm mailing list > > netlmm@ietf.org > > https://www1.ietf.org/mailman/listinfo/netlmm > > > -- > Jun Lei > PhD Student > > Address: > Georg-August-Universitaet Goettingen > Institut fuer Informatik > Telematics Group > Lotzestrasse 16-18 > 37083 Goettingen > > > Fax: +49 (551) 39-1 44 03 > Tel: +49 (551) 39-1 35 78 > > Email: lei@informatik.uni-goettingen.de > _______________________________________________ netlmm mailing list netlmm@ietf.org https://www1.ietf.org/mailman/listinfo/netlmm
- [netlmm] Draft Agenda for NETLMM at IETF68 Narayanan, Vidya
- Re: [netlmm] Draft Agenda for NETLMM at IETF68 Behcet Sarikaya
- Re: [netlmm] Draft Agenda for NETLMM at IETF68 Vijay Devarapalli
- Re: [netlmm] Draft Agenda for NETLMM at IETF68 Myung-Ki Shin
- RE: [netlmm] Draft Agenda for NETLMM at IETF68 Narayanan, Vidya
- Re: [netlmm] Draft Agenda for NETLMM at IETF68 Julien Laganier
- Re: [netlmm] Draft Agenda for NETLMM at IETF68 Behcet Sarikaya
- RE: [netlmm] Draft Agenda for NETLMM at IETF68 Narayanan, Vidya
- Re: [netlmm] Draft Agenda for NETLMM at IETF68 Vijay Devarapalli
- [netlmm] Welcome your comments on draft-qin-mipsh… qinxia
- Re: Slot for SDO Operationals (was: [netlmm] Draf… Alexandru Petrescu
- RE: Slot for SDO Operationals (was: [netlmm] Draf… Narayanan, Vidya
- [netlmm] Re: [net] Draft Agenda for NETLMM at IET… Katsutoshi Nishida
- [netlmm] RE: [net] Draft Agenda for NETLMM at IET… Narayanan, Vidya
- [netlmm] Re: [net] Draft Agenda for NETLMM at IET… Katsutoshi Nishida
- Re: [netlmm] Welcome your comments on draft-qin-m… Jun Lei
- RE: [netlmm] Welcome your comments on draft-qin-m… qinxia
- Re: [netlmm] Welcome your comments on draft-qin-m… Jun Lei