GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc3775

Network Working Group D. Johnson Request for Comments: 3775 Rice University Category: Standards Track C. Perkins

                                                 Nokia Research Center
                                                              J. Arkko
                                                              Ericsson
                                                             June 2004
                      Mobility Support in IPv6

Status of this Memo

 This document specifies an Internet standards track protocol for the
 Internet community, and requests discussion and suggestions for
 improvements.  Please refer to the current edition of the "Internet
 Official Protocol Standards" (STD 1) for the standardization state
 and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

 Copyright (C) The Internet Society (2004).

Abstract

 This document specifies a protocol which allows nodes to remain
 reachable while moving around in the IPv6 Internet.  Each mobile node
 is always identified by its home address, regardless of its current
 point of attachment to the Internet.  While situated away from its
 home, a mobile node is also associated with a care-of address, which
 provides information about the mobile node's current location.  IPv6
 packets addressed to a mobile node's home address are transparently
 routed to its care-of address.  The protocol enables IPv6 nodes to
 cache the binding of a mobile node's home address with its care-of
 address, and to then send any packets destined for the mobile node
 directly to it at this care-of address.  To support this operation,
 Mobile IPv6 defines a new IPv6 protocol and a new destination option.
 All IPv6 nodes, whether mobile or stationary, can communicate with
 mobile nodes.

Johnson, et al. Standard Track [Page 1] RFC 3775 Mobility Support in IPv6 June 2004

Table of Contents

 1.     Introduction . . . . . . . . . . . . . . . . . . . . . . .   5
 2.     Comparison with Mobile IP for IPv4 . . . . . . . . . . . .   6
 3.     Terminology. . . . . . . . . . . . . . . . . . . . . . . .   7
        3.1.   General Terms . . . . . . . . . . . . . . . . . . .   8
        3.2.   Mobile IPv6 Terms . . . . . . . . . . . . . . . . .  10
 4.     Overview of Mobile IPv6. . . . . . . . . . . . . . . . . .  13
        4.1.   Basic Operation . . . . . . . . . . . . . . . . . .  13
        4.2.   New IPv6 Protocol . . . . . . . . . . . . . . . . .  15
        4.3.   New IPv6 Destination Option . . . . . . . . . . . .  17
        4.4.   New IPv6 ICMP Messages. . . . . . . . . . . . . . .  17
        4.5.   Conceptual Data Structure Terminology . . . . . . .  17
        4.6.   Site-Local Addressability . . . . . . . . . . . . .  18
 5.     Overview of Mobile IPv6 Security . . . . . . . . . . . . .  18
        5.1.   Binding Updates to Home Agents. . . . . . . . . . .  18
        5.2.   Binding Updates to Correspondent Nodes. . . . . . .  20
               5.2.1.  Node Keys . . . . . . . . . . . . . . . . .  20
               5.2.2.  Nonces. . . . . . . . . . . . . . . . . . .  20
               5.2.3.  Cookies and Tokens. . . . . . . . . . . . .  21
               5.2.4.  Cryptographic Functions . . . . . . . . . .  22
               5.2.5.  Return Routability Procedure. . . . . . . .  22
               5.2.6.  Authorizing Binding Management Messages . .  27
               5.2.7.  Updating Node Keys and Nonces . . . . . . .  29
               5.2.8.  Preventing Replay Attacks . . . . . . . . .  30
        5.3.   Dynamic Home Agent Address Discovery. . . . . . . .  30
        5.4.   Mobile Prefix Discovery . . . . . . . . . . . . . .  30
        5.5.   Payload Packets . . . . . . . . . . . . . . . . . .  30
 6.     New IPv6 Protocol, Message Types, and Destination Option .  31
        6.1.   Mobility Header . . . . . . . . . . . . . . . . . .  31
               6.1.1.  Format. . . . . . . . . . . . . . . . . . .  32
               6.1.2.  Binding Refresh Request Message . . . . . .  34
               6.1.3.  Home Test Init Message. . . . . . . . . . .  35
               6.1.4.  Care-of Test Init Message . . . . . . . . .  36
               6.1.5.  Home Test Message . . . . . . . . . . . . .  37
               6.1.6.  Care-of Test Message. . . . . . . . . . . .  38
               6.1.7.  Binding Update Message. . . . . . . . . . .  39
               6.1.8.  Binding Acknowledgement Message . . . . . .  42
               6.1.9.  Binding Error Message . . . . . . . . . . .  44
        6.2.   Mobility Options. . . . . . . . . . . . . . . . . .  46
               6.2.1.  Format. . . . . . . . . . . . . . . . . . .  46
               6.2.2.  Pad1. . . . . . . . . . . . . . . . . . . .  47
               6.2.3.  PadN. . . . . . . . . . . . . . . . . . . .  48
               6.2.4.  Binding Refresh Advice. . . . . . . . . . .  48
               6.2.5.  Alternate Care-of Address . . . . . . . . .  49
               6.2.6.  Nonce Indices . . . . . . . . . . . . . . .  49
               6.2.7.  Binding Authorization Data. . . . . . . . .  50
        6.3.   Home Address Option . . . . . . . . . . . . . . . .  51

Johnson, et al. Standard Track [Page 2] RFC 3775 Mobility Support in IPv6 June 2004

        6.4.   Type 2 Routing Header . . . . . . . . . . . . . . .  53
               6.4.1.  Format. . . . . . . . . . . . . . . . . . .  54
        6.5.   ICMP Home Agent Address Discovery Request Message .  55
        6.6.   ICMP Home Agent Address Discovery Reply Message . .  56
        6.7.   ICMP Mobile Prefix Solicitation Message Format. . .  57
        6.8.   ICMP Mobile Prefix Advertisement Message Format . .  59
 7.     Modifications to IPv6 Neighbor Discovery . . . . . . . . .  61
        7.1.   Modified Router Advertisement Message Format. . . .  61
        7.2.   Modified Prefix Information Option Format . . . . .  62
        7.3.   New Advertisement Interval Option Format. . . . . .  64
        7.4.   New Home Agent Information Option Format. . . . . .  65
        7.5.   Changes to Sending Router Advertisements. . . . . .  67
 8.     Requirements for Types of IPv6 Nodes . . . . . . . . . . .  69
        8.1.   All IPv6 Nodes. . . . . . . . . . . . . . . . . . .  69
        8.2.   IPv6 Nodes with Support for Route Optimization. . .  69
        8.3.   All IPv6 Routers. . . . . . . . . . . . . . . . . .  71
        8.4.   IPv6 Home Agents. . . . . . . . . . . . . . . . . .  71
        8.5.   IPv6 Mobile Nodes . . . . . . . . . . . . . . . . .  73
 9.     Correspondent Node Operation . . . . . . . . . . . . . . .  74
        9.1.   Conceptual Data Structures. . . . . . . . . . . . .  74
        9.2.   Processing Mobility Headers . . . . . . . . . . . .  75
        9.3.   Packet Processing . . . . . . . . . . . . . . . . .  76
               9.3.1.  Receiving Packets with Home Address Option.  76
               9.3.2.  Sending Packets to a Mobile Node. . . . . .  77
               9.3.3.  Sending Binding Error Messages. . . . . . .  78
               9.3.4.  Receiving ICMP Error Messages . . . . . . .  79
        9.4.   Return Routability Procedure. . . . . . . . . . . .  79
               9.4.1.  Receiving Home Test Init Messages . . . . .  80
               9.4.2.  Receiving Care-of Test Init Messages. . . .  80
               9.4.3.  Sending Home Test Messages. . . . . . . . .  80
               9.4.4.  Sending Care-of Test Messages . . . . . . .  81
        9.5    Processing Bindings . . . . . . . . . . . . . . . .  81
               9.5.1.  Receiving Binding Updates . . . . . . . . .  81
               9.5.2.  Requests to Cache a Binding . . . . . . . .  84
               9.5.3.  Requests to Delete a Binding. . . . . . . .  84
               9.5.4.  Sending Binding Acknowledgements. . . . . .  85
               9.5.5.  Sending Binding Refresh Requests. . . . . .  86
        9.6.   Cache Replacement Policy. . . . . . . . . . . . . .  86
 10.    Home Agent Operation . . . . . . . . . . . . . . . . . . .  87
        10.1.  Conceptual Data Structures. . . . . . . . . . . . .  87
        10.2.  Processing Mobility Headers . . . . . . . . . . . .  88
        10.3.  Processing Bindings . . . . . . . . . . . . . . . .  88
               10.3.1. Primary Care-of Address Registration. . . .  88
               10.3.2. Primary Care-of Address De-Registration . .  92
        10.4.  Packet Processing . . . . . . . . . . . . . . . . .  94
               10.4.1. Intercepting Packets for a Mobile Node. . .  94
               10.4.2. Processing Intercepted Packets. . . . . . .  95
               10.4.3. Multicast Membership Control. . . . . . . .  96

Johnson, et al. Standard Track [Page 3] RFC 3775 Mobility Support in IPv6 June 2004

               10.4.4. Stateful Address Autoconfiguration. . . . .  98
               10.4.5. Handling Reverse Tunneled Packets . . . . .  98
               10.4.6. Protecting Return Routability Packets . . .  99
        10.5.  Dynamic Home Agent Address Discovery. . . . . . . .  99
               10.5.1. Receiving Router Advertisement Messages . . 100
        10.6.  Sending Prefix Information to the Mobile Node . . . 102
               10.6.1. List of Home Network Prefixes . . . . . . . 102
               10.6.2. Scheduling Prefix Deliveries. . . . . . . . 102
               10.6.3. Sending Advertisements. . . . . . . . . . . 104
               10.6.4. Lifetimes for Changed Prefixes. . . . . . . 105
 11.    Mobile Node Operation. . . . . . . . . . . . . . . . . . . 105
        11.1.  Conceptual Data Structures. . . . . . . . . . . . . 105
        11.2.  Processing Mobility Headers . . . . . . . . . . . . 107
        11.3.  Packet Processing . . . . . . . . . . . . . . . . . 107
               11.3.1. Sending Packets While Away from Home. . . . 107
               11.3.2. Interaction with Outbound IPsec Processing. 110
               11.3.3. Receiving Packets While Away from Home. . . 112
               11.3.4. Routing Multicast Packets . . . . . . . . . 114
               11.3.5. Receiving ICMP Error Messages . . . . . . . 115
               11.3.6. Receiving Binding Error Messages. . . . . . 116
        11.4.  Home Agent and Prefix Management. . . . . . . . . . 117
               11.4.1. Dynamic Home Agent Address Discovery. . . . 117
               11.4.2. Sending Mobile Prefix Solicitations . . . . 118
               11.4.3. Receiving Mobile Prefix Advertisements. . . 118
        11.5.  Movement. . . . . . . . . . . . . . . . . . . . . . 120
               11.5.1. Movement Detection. . . . . . . . . . . . . 120
               11.5.2. Forming New Care-of Addresses . . . . . . . 122
               11.5.3. Using Multiple Care-of Addresses. . . . . . 123
               11.5.4. Returning Home. . . . . . . . . . . . . . . 124
        11.6.  Return Routability Procedure. . . . . . . . . . . . 126
               11.6.1. Sending Test Init Messages. . . . . . . . . 126
               11.6.2. Receiving Test Messages . . . . . . . . . . 127
               11.6.3. Protecting Return Routability Packets . . . 128
        11.7.  Processing Bindings . . . . . . . . . . . . . . . . 128
               11.7.1. Sending Binding Updates to the Home Agent . 128
               11.7.2. Correspondent Registration. . . . . . . . . 131
               11.7.3. Receiving Binding Acknowledgements. . . . . 134
               11.7.4. Receiving Binding Refresh Requests. . . . . 136
        11.8.  Retransmissions and Rate Limiting . . . . . . . . . 137
 12.    Protocol Constants . . . . . . . . . . . . . . . . . . . . 138
 13.    Protocol Configuration Variables . . . . . . . . . . . . . 138
 14.    IANA Considerations. . . . . . . . . . . . . . . . . . . . 139
 15.    Security Considerations. . . . . . . . . . . . . . . . . . 142
        15.1.  Threats . . . . . . . . . . . . . . . . . . . . . . 142
        15.2.  Features. . . . . . . . . . . . . . . . . . . . . . 144
        15.3.  Binding Updates to Home Agent . . . . . . . . . . . 145
        15.4.  Binding Updates to Correspondent Nodes. . . . . . . 148
               15.4.1. Overview. . . . . . . . . . . . . . . . . . 149

Johnson, et al. Standard Track [Page 4] RFC 3775 Mobility Support in IPv6 June 2004

               15.4.2. Achieved Security Properties. . . . . . . . 149
               15.4.3. Comparison to Regular IPv6 Communications . 150
               15.4.4. Replay Attacks. . . . . . . . . . . . . . . 152
               15.4.5. Denial-of-Service Attacks . . . . . . . . . 152
               15.4.6. Key Lengths . . . . . . . . . . . . . . . . 153
        15.5.  Dynamic Home Agent Address Discovery. . . . . . . . 154
        15.6.  Mobile Prefix Discovery . . . . . . . . . . . . . . 155
        15.7.  Tunneling via the Home Agent. . . . . . . . . . . . 155
        15.8.  Home Address Option . . . . . . . . . . . . . . . . 156
        15.9.  Type 2 Routing Header . . . . . . . . . . . . . . . 156
 16.    Contributors . . . . . . . . . . . . . . . . . . . . . . . 157
 17.    Acknowledgements . . . . . . . . . . . . . . . . . . . . . 157
 18.    References . . . . . . . . . . . . . . . . . . . . . . . . 158
        18.1.  Normative References. . . . . . . . . . . . . . . . 158
        18.2.  Informative References. . . . . . . . . . . . . . . 159
 Appendix A.   Future Extensions . . . . . . . . . . . . . . . . . 161
        A.1.   Piggybacking. . . . . . . . . . . . . . . . . . . . 161
        A.2.   Triangular Routing. . . . . . . . . . . . . . . . . 161
        A.3.   New Authorization Methods . . . . . . . . . . . . . 161
        A.4.   Dynamically Generated Home Addresses. . . . . . . . 161
        A.5.   Remote Home Address Configuration . . . . . . . . . 162
        A.6.   Neighbor Discovery Extensions . . . . . . . . . . . 163
 Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . . . 164
 Full Copyright Statement. . . . . . . . . . . . . . . . . . . . . 165

1. Introduction

 This document specifies a protocol which allows nodes to remain
 reachable while moving around in the IPv6 Internet.  Without specific
 support for mobility in IPv6 [11], packets destined to a mobile node
 would not be able to reach it while the mobile node is away from its
 home link.  In order to continue communication in spite of its
 movement, a mobile node could change its IP address each time it
 moves to a new link, but the mobile node would then not be able to
 maintain transport and higher-layer connections when it changes
 location.  Mobility support in IPv6 is particularly important, as
 mobile computers are likely to account for a majority or at least a
 substantial fraction of the population of the Internet during the
 lifetime of IPv6.
 The protocol defined in this document, known as Mobile IPv6, allows a
 mobile node to move from one link to another without changing the
 mobile node's "home address".  Packets may be routed to the mobile
 node using this address regardless of the mobile node's current point
 of attachment to the Internet.  The mobile node may also continue to
 communicate with other nodes (stationary or mobile) after moving to a

Johnson, et al. Standard Track [Page 5] RFC 3775 Mobility Support in IPv6 June 2004

 new link.  The movement of a mobile node away from its home link is
 thus transparent to transport and higher-layer protocols and
 applications.
 The Mobile IPv6 protocol is just as suitable for mobility across
 homogeneous media as for mobility across heterogeneous media.  For
 example, Mobile IPv6 facilitates node movement from one Ethernet
 segment to another as well as it facilitates node movement from an
 Ethernet segment to a wireless LAN cell, with the mobile node's IP
 address remaining unchanged in spite of such movement.
 One can think of the Mobile IPv6 protocol as solving the network-
 layer mobility management problem.  Some mobility management
 applications -- for example, handover among wireless transceivers,
 each of which covers only a very small geographic area -- have been
 solved using link-layer techniques.  For example, in many current
 wireless LAN products, link-layer mobility mechanisms allow a
 "handover" of a mobile node from one cell to another, re-establishing
 link-layer connectivity to the node in each new location.
 Mobile IPv6 does not attempt to solve all general problems related to
 the use of mobile computers or wireless networks.  In particular,
 this protocol does not attempt to solve:
 o  Handling links with unidirectional connectivity or partial
    reachability, such as the hidden terminal problem where a host is
    hidden from only some of the routers on the link.
 o  Access control on a link being visited by a mobile node.
 o  Local or hierarchical forms of mobility management (similar to
    many current link-layer mobility management solutions).
 o  Assistance for adaptive applications.
 o  Mobile routers.
 o  Service Discovery.
 o  Distinguishing between packets lost due to bit errors vs.  network
    congestion.

2. Comparison with Mobile IP for IPv4

 The design of Mobile IP support in IPv6 (Mobile IPv6) benefits both
 from the experiences gained from the development of Mobile IP support
 in IPv4 (Mobile IPv4) [22, 23, 24], and from the opportunities
 provided by IPv6.  Mobile IPv6 thus shares many features with Mobile

Johnson, et al. Standard Track [Page 6] RFC 3775 Mobility Support in IPv6 June 2004

 IPv4, but is integrated into IPv6 and offers many other improvements.
 This section summarizes the major differences between Mobile IPv4 and
 Mobile IPv6:
 o  There is no need to deploy special routers as "foreign agents", as
    in Mobile IPv4.  Mobile IPv6 operates in any location without any
    special support required from the local router.
 o  Support for route optimization is a fundamental part of the
    protocol, rather than a nonstandard set of extensions.
 o  Mobile IPv6 route optimization can operate securely even without
    pre-arranged security associations.  It is expected that route
    optimization can be deployed on a global scale between all mobile
    nodes and correspondent nodes.
 o  Support is also integrated into Mobile IPv6 for allowing route
    optimization to coexist efficiently with routers that perform
    "ingress filtering" [26].
 o  The IPv6 Neighbor Unreachability Detection assures symmetric
    reachability between the mobile node and its default router in the
    current location.
 o  Most packets sent to a mobile node while away from home in Mobile
    IPv6 are sent using an IPv6 routing header rather than IP
    encapsulation, reducing the amount of resulting overhead compared
    to Mobile IPv4.
 o  Mobile IPv6 is decoupled from any particular link layer, as it
    uses IPv6 Neighbor Discovery [12] instead of ARP.  This also
    improves the robustness of the protocol.
 o  The use of IPv6 encapsulation (and the routing header) removes the
    need in Mobile IPv6 to manage "tunnel soft state".
 o  The dynamic home agent address discovery mechanism in Mobile IPv6
    returns a single reply to the mobile node.  The directed broadcast
    approach used in IPv4 returns separate replies from each home
    agent.

3. Terminology

 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in BCP 14, RFC 2119 [2].

Johnson, et al. Standard Track [Page 7] RFC 3775 Mobility Support in IPv6 June 2004

3.1. General Terms

 IP
    Internet Protocol Version 6 (IPv6).
 node
    A device that implements IP.
 router
    A node that forwards IP packets not explicitly addressed to
    itself.
 unicast routable address
    An identifier for a single interface such that a packet sent to it
    from another IPv6 subnet is delivered to the interface identified
    by that address.  Accordingly, a unicast routable address must
    have either a global or site-local scope (but not link-local).
 host
    Any node that is not a router.
 link
    A communication facility or medium over which nodes can
    communicate at the link layer, such as an Ethernet (simple or
    bridged).  A link is the layer immediately below IP.
 interface
    A node's attachment to a link.
 subnet prefix
    A bit string that consists of some number of initial bits of an IP
    address.
 interface identifier
    A number used to identify a node's interface on a link.  The
    interface identifier is the remaining low-order bits in the node's
    IP address after the subnet prefix.

Johnson, et al. Standard Track [Page 8] RFC 3775 Mobility Support in IPv6 June 2004

 link-layer address
    A link-layer identifier for an interface, such as IEEE 802
    addresses on Ethernet links.
 packet
    An IP header plus payload.
 security association
    An IPsec security association is a cooperative relationship formed
    by the sharing of cryptographic keying material and associated
    context.  Security associations are simplex.  That is, two
    security associations are needed to protect bidirectional traffic
    between two nodes, one for each direction.
 security policy database
    A database that specifies what security services are to be offered
    to IP packets and in what fashion.
 destination option
    Destination options are carried by the IPv6 Destination Options
    extension header.  Destination options include optional
    information that need be examined only by the IPv6 node given as
    the destination address in the IPv6 header, not by routers in
    between.  Mobile IPv6 defines one new destination option, the Home
    Address destination option (see Section 6.3).
 routing header
    A routing header may be present as an IPv6 header extension, and
    indicates that the payload has to be delivered to a destination
    IPv6 address in some way that is different from what would be
    carried out by standard Internet routing.  In this document, use
    of the term "routing header" typically refers to use of a type 2
    routing header, as specified in Section 6.4.
 "|" (concatenation)
    Some formulas in this specification use the symbol "|" to indicate
    bytewise concatenation, as in A | B.  This concatenation requires
    that all of the octets of the datum A appear first in the result,
    followed by all of the octets of the datum B.

Johnson, et al. Standard Track [Page 9] RFC 3775 Mobility Support in IPv6 June 2004

 First (size, input)
    Some formulas in this specification use a functional form "First
    (size, input)" to indicate truncation of the "input" data so that
    only the first "size" bits remain to be used.

3.2. Mobile IPv6 Terms

 home address
    A unicast routable address assigned to a mobile node, used as the
    permanent address of the mobile node.  This address is within the
    mobile node's home link.  Standard IP routing mechanisms will
    deliver packets destined for a mobile node's home address to its
    home link.  Mobile nodes can have multiple home addresses, for
    instance when there are multiple home prefixes on the home link.
 home subnet prefix
    The IP subnet prefix corresponding to a mobile node's home
    address.
 home link
    The link on which a mobile node's home subnet prefix is defined.
 mobile node
    A node that can change its point of attachment from one link to
    another, while still being reachable via its home address.
 movement
    A change in a mobile node's point of attachment to the Internet
    such that it is no longer connected to the same link as it was
    previously.  If a mobile node is not currently attached to its
    home link, the mobile node is said to be "away from home".
 L2 handover
    A process by which the mobile node changes from one link-layer
    connection to another.  For example, a change of wireless access
    point is an L2 handover.

Johnson, et al. Standard Track [Page 10] RFC 3775 Mobility Support in IPv6 June 2004

 L3 handover
    Subsequent to an L2 handover, a mobile node detects a change in an
    on-link subnet prefix that would require a change in the primary
    care-of address.  For example, a change of access router
    subsequent to a change of wireless access point typically results
    in an L3 handover.
 correspondent node
    A peer node with which a mobile node is communicating.  The
    correspondent node may be either mobile or stationary.
 foreign subnet prefix
    Any IP subnet prefix other than the mobile node's home subnet
    prefix.
 foreign link
    Any link other than the mobile node's home link.
 care-of address
    A unicast routable address associated with a mobile node while
    visiting a foreign link; the subnet prefix of this IP address is a
    foreign subnet prefix.  Among the multiple care-of addresses that
    a mobile node may have at any given time (e.g., with different
    subnet prefixes), the one registered with the mobile node's home
    agent for a given home address is called its "primary" care-of
    address.
 home agent
    A router on a mobile node's home link with which the mobile node
    has registered its current care-of address.  While the mobile node
    is away from home, the home agent intercepts packets on the home
    link destined to the mobile node's home address, encapsulates
    them, and tunnels them to the mobile node's registered care-of
    address.
 binding
    The association of the home address of a mobile node with a care-
    of address for that mobile node, along with the remaining lifetime
    of that association.

Johnson, et al. Standard Track [Page 11] RFC 3775 Mobility Support in IPv6 June 2004

 registration
    The process during which a mobile node sends a Binding Update to
    its home agent or a correspondent node, causing a binding for the
    mobile node to be registered.
 mobility message
    A message containing a Mobility Header (see Section 6.1).
 binding authorization
    Correspondent registration needs to be authorized to allow the
    recipient to believe that the sender has the right to specify a
    new binding.
 return routability procedure
    The return routability procedure authorizes registrations by the
    use of a cryptographic token exchange.
 correspondent registration
    A return routability procedure followed by a registration, run
    between the mobile node and a correspondent node.
 home registration
    A registration between the mobile node and its home agent,
    authorized by the use of IPsec.
 nonce
    Nonces are random numbers used internally by the correspondent
    node in the creation of keygen tokens related to the return
    routability procedure.  The nonces are not specific to a mobile
    node, and are kept secret within the correspondent node.
 nonce index
    A nonce index is used to indicate which nonces have been used when
    creating keygen token values, without revealing the nonces
    themselves.

Johnson, et al. Standard Track [Page 12] RFC 3775 Mobility Support in IPv6 June 2004

 cookie
    A cookie is a random number used by a mobile node to prevent
    spoofing by a bogus correspondent node in the return routability
    procedure.
 care-of init cookie
    A cookie sent to the correspondent node in the Care-of Test Init
    message, to be returned in the Care-of Test message.
 home init cookie
    A cookie sent to the correspondent node in the Home Test Init
    message, to be returned in the Home Test message.
 keygen token
    A keygen token is a number supplied by a correspondent node in the
    return routability procedure to enable the mobile node to compute
    the necessary binding management key for authorizing a Binding
    Update.
 care-of keygen token
    A keygen token sent by the correspondent node in the Care-of Test
    message.
 home keygen token
    A keygen token sent by the correspondent node in the Home Test
    message.
 binding management key (Kbm)
    A binding management key (Kbm) is a key used for authorizing a
    binding cache management message (e.g., Binding Update or Binding
    Acknowledgement).  Return routability provides a way to create a
    binding management key.

4. Overview of Mobile IPv6

4.1. Basic Operation

 A mobile node is always expected to be addressable at its home
 address, whether it is currently attached to its home link or is away
 from home.  The "home address" is an IP address assigned to the
 mobile node within its home subnet prefix on its home link.  While a

Johnson, et al. Standard Track [Page 13] RFC 3775 Mobility Support in IPv6 June 2004

 mobile node is at home, packets addressed to its home address are
 routed to the mobile node's home link, using conventional Internet
 routing mechanisms.
 While a mobile node is attached to some foreign link away from home,
 it is also addressable at one or more care-of addresses.  A care-of
 address is an IP address associated with a mobile node that has the
 subnet prefix of a particular foreign link.  The mobile node can
 acquire its care-of address through conventional IPv6 mechanisms,
 such as stateless or stateful auto-configuration.  As long as the
 mobile node stays in this location, packets addressed to this care-of
 address will be routed to the mobile node.  The mobile node may also
 accept packets from several care-of addresses, such as when it is
 moving but still reachable at the previous link.
 The association between a mobile node's home address and care-of
 address is known as a "binding" for the mobile node.  While away from
 home, a mobile node registers its primary care-of address with a
 router on its home link, requesting this router to function as the
 "home agent" for the mobile node.  The mobile node performs this
 binding registration by sending a "Binding Update" message to the
 home agent.  The home agent replies to the mobile node by returning a
 "Binding Acknowledgement" message.  The operation of the mobile node
 is specified in Section 11, and the operation of the home agent is
 specified in Section 10.
 Any node communicating with a mobile node is referred to in this
 document as a "correspondent node" of the mobile node, and may itself
 be either a stationary node or a mobile node.  Mobile nodes can
 provide information about their current location to correspondent
 nodes.  This happens through the correspondent registration.  As a
 part of this procedure, a return routability test is performed in
 order to authorize the establishment of the binding.  The operation
 of the correspondent node is specified in Section 9.
 There are two possible modes for communications between the mobile
 node and a correspondent node.  The first mode, bidirectional
 tunneling, does not require Mobile IPv6 support from the
 correspondent node and is available even if the mobile node has not
 registered its current binding with the correspondent node.  Packets
 from the correspondent node are routed to the home agent and then
 tunneled to the mobile node.  Packets to the correspondent node are
 tunneled from the mobile node to the home agent ("reverse tunneled")
 and then routed normally from the home network to the correspondent
 node.  In this mode, the home agent uses proxy Neighbor Discovery to
 intercept any IPv6 packets addressed to the mobile node's home

Johnson, et al. Standard Track [Page 14] RFC 3775 Mobility Support in IPv6 June 2004

 address (or home addresses) on the home link.  Each intercepted
 packet is tunneled to the mobile node's primary care-of address.
 This tunneling is performed using IPv6 encapsulation [15].
 The second mode, "route optimization", requires the mobile node to
 register its current binding at the correspondent node.  Packets from
 the correspondent node can be routed directly to the care-of address
 of the mobile node.  When sending a packet to any IPv6 destination,
 the correspondent node checks its cached bindings for an entry for
 the packet's destination address.  If a cached binding for this
 destination address is found, the node uses a new type of IPv6
 routing header [11] (see Section 6.4) to route the packet to the
 mobile node by way of the care-of address indicated in this binding.
 Routing packets directly to the mobile node's care-of address allows
 the shortest communications path to be used.  It also eliminates
 congestion at the mobile node's home agent and home link.  In
 addition, the impact of any possible failure of the home agent or
 networks on the path to or from it is reduced.
 When routing packets directly to the mobile node, the correspondent
 node sets the Destination Address in the IPv6 header to the care-of
 address of the mobile node.  A new type of IPv6 routing header (see
 Section 6.4) is also added to the packet to carry the desired home
 address.  Similarly, the mobile node sets the Source Address in the
 packet's IPv6 header to its current care-of addresses.  The mobile
 node adds a new IPv6 "Home Address" destination option (see Section
 6.3) to carry its home address.  The inclusion of home addresses in
 these packets makes the use of the care-of address transparent above
 the network layer (e.g., at the transport layer).
 Mobile IPv6 also provides support for multiple home agents, and a
 limited support for the reconfiguration of the home network.  In
 these cases, the mobile node may not know the IP address of its own
 home agent, and even the home subnet prefixes may change over time.
 A mechanism, known as "dynamic home agent address discovery" allows a
 mobile node to dynamically discover the IP address of a home agent on
 its home link, even when the mobile node is away from home.  Mobile
 nodes can also learn new information about home subnet prefixes
 through the "mobile prefix discovery" mechanism.  These mechanisms
 are described starting from Section 6.5.

4.2. New IPv6 Protocol

 Mobile IPv6 defines a new IPv6 protocol, using the Mobility Header
 (see Section 6.1).  This Header is used to carry the following
 messages:

Johnson, et al. Standard Track [Page 15] RFC 3775 Mobility Support in IPv6 June 2004

 Home Test Init
 Home Test
 Care-of Test Init
 Care-of Test
    These four messages are used to perform the return routability
    procedure from the mobile node to a correspondent node.  This
    ensures authorization of subsequent Binding Updates, as described
    in Section 5.2.5.
 Binding Update
    A Binding Update is used by a mobile node to notify a
    correspondent node or the mobile node's home agent of its current
    binding.  The Binding Update sent to the mobile node's home agent
    to register its primary care-of address is marked as a "home
    registration".
 Binding Acknowledgement
    A Binding Acknowledgement is used to acknowledge receipt of a
    Binding Update, if an acknowledgement was requested in the Binding
    Update, the binding update was sent to a home agent, or an error
    occurred.
 Binding Refresh Request
    A Binding Refresh Request is used by a correspondent node to
    request a mobile node to re-establish its binding with the
    correspondent node.  This message is typically used when the
    cached binding is in active use but the binding's lifetime is
    close to expiration.  The correspondent node may use, for
    instance, recent traffic and open transport layer connections as
    an indication of active use.
 Binding Error
    The Binding Error is used by the correspondent node to signal an
    error related to mobility, such as an inappropriate attempt to use
    the Home Address destination option without an existing binding.

Johnson, et al. Standard Track [Page 16] RFC 3775 Mobility Support in IPv6 June 2004

4.3. New IPv6 Destination Option

 Mobile IPv6 defines a new IPv6 destination option, the Home Address
 destination option.  This option is described in detail in Section
 6.3.

4.4. New IPv6 ICMP Messages

 Mobile IPv6 also introduces four new ICMP message types, two for use
 in the dynamic home agent address discovery mechanism, and two for
 renumbering and mobile configuration mechanisms.  As described in
 Section 10.5 and Section 11.4.1, the following two new ICMP message
 types are used for home agent address discovery:
 o  Home Agent Address Discovery Request, described in Section 6.5.
 o  Home Agent Address Discovery Reply, described in Section 6.6.
 The next two message types are used for network renumbering and
 address configuration on the mobile node, as described in Section
 10.6:
 o  Mobile Prefix Solicitation, described in Section 6.7.
 o  Mobile Prefix Advertisement, described in Section 6.8.

4.5. Conceptual Data Structure Terminology

 This document describes the Mobile IPv6 protocol in terms of the
 following conceptual data structures:
 Binding Cache
    A cache of bindings for other nodes.  This cache is maintained by
    home agents and correspondent nodes.  The cache contains both
    "correspondent registration" entries (see Section 9.1) and "home
    registration" entries (see Section 10.1).
 Binding Update List
    This list is maintained by each mobile node.  The list has an item
    for every binding that the mobile node has or is trying to
    establish with a specific other node.  Both correspondent and home
    registrations are included in this list.  Entries from the list
    are deleted as the lifetime of the binding expires.  See Section
    11.1.

Johnson, et al. Standard Track [Page 17] RFC 3775 Mobility Support in IPv6 June 2004

 Home Agents List
    Home agents need to know which other home agents are on the same
    link.  This information is stored in the Home Agents List, as
    described in more detail in Section 10.1.  The list is used for
    informing mobile nodes during dynamic home agent address
    discovery.

4.6. Site-Local Addressability

 This specification requires that home and care-of addresses MUST be
 unicast routable addresses.  Site-local addresses may be usable on
 networks that are not connected to the Internet, but this
 specification does not define when such usage is safe and when it is
 not.  Mobile nodes may not be aware of which site they are currently
 in, it is hard to prevent accidental attachment to other sites, and
 ambiguity of site-local addresses can cause problems if the home and
 visited networks use the same addresses.  Therefore, site-local
 addresses SHOULD NOT be used as home or care-of addresses.

5. Overview of Mobile IPv6 Security

 This specification provides a number of security features.  These
 include the protection of Binding Updates both to home agents and
 correspondent nodes, the protection of mobile prefix discovery, and
 the protection of the mechanisms that Mobile IPv6 uses for
 transporting data packets.
 Binding Updates are protected by the use of IPsec extension headers,
 or by the use of the Binding Authorization Data option.  This option
 employs a binding management key, Kbm, which can be established
 through the return routability procedure.  Mobile prefix discovery is
 protected through the use of IPsec extension headers.  Mechanisms
 related to transporting payload packets - such as the Home Address
 destination option and type 2 routing header - have been specified in
 a manner which restricts their use in attacks.

5.1. Binding Updates to Home Agents

 The mobile node and the home agent MUST use an IPsec security
 association to protect the integrity and authenticity of the Binding
 Updates and Acknowledgements.  Both the mobile nodes and the home
 agents MUST support and SHOULD use the Encapsulating Security Payload
 (ESP) [6] header in transport mode and MUST use a non-NULL payload
 authentication algorithm to provide data origin authentication,
 connectionless integrity and optional anti-replay protection.  Note
 that Authentication Header (AH) [5] is also possible but for brevity
 not discussed in this specification.

Johnson, et al. Standard Track [Page 18] RFC 3775 Mobility Support in IPv6 June 2004

 In order to protect messages exchanged between the mobile node and
 the home agent with IPsec, appropriate security policy database
 entries must be created.  A mobile node must be prevented from using
 its security association to send a Binding Update on behalf of
 another mobile node using the same home agent.  This MUST be achieved
 by having the home agent check that the given home address has been
 used with the right security association.  Such a check is provided
 in the IPsec processing, by having the security policy database
 entries unequivocally identify a single security association for
 protecting Binding Updates between any given home address and home
 agent.  In order to make this possible, it is necessary that the home
 address of the mobile node is visible in the Binding Updates and
 Acknowledgements.  The home address is used in these packets as a
 source or destination, or in the Home Address Destination option or
 the type 2 routing header.
 As with all IPsec security associations in this specification, manual
 configuration of security associations MUST be supported.  The used
 shared secrets MUST be random and unique for different mobile nodes,
 and MUST be distributed off-line to the mobile nodes.
 Automatic key management with IKE [9] MAY be supported.  When IKE is
 used, either the security policy database entries or the Mobile IPv6
 processing MUST unequivocally identify the IKE phase 1 credentials
 which can be used to authorize the creation of security associations
 for protecting Binding Updates for a particular home address.  How
 these mappings are maintained is outside the scope of this
 specification, but they may be maintained, for instance, as a locally
 administered table in the home agent.  If the phase 1 identity is a
 Fully Qualified Domain Name (FQDN), secure forms of DNS may also be
 used.
 Section 11.3.2 discusses how IKE connections to the home agent need a
 careful treatment of the addresses used for transporting IKE.  This
 is necessary to ensure that a Binding Update is not needed before the
 IKE exchange which is needed for securing the Binding Update.
 When IKE version 1 is used with preshared secret authentication
 between the mobile node and the home agent, aggressive mode MUST be
 used.
 The ID_IPV6_ADDR Identity Payload MUST NOT be used in IKEv1 phase 1.
 Reference [21] contains a more detailed description and examples on
 using IPsec to protect the communications between the mobile node and
 the home agent.

Johnson, et al. Standard Track [Page 19] RFC 3775 Mobility Support in IPv6 June 2004

5.2. Binding Updates to Correspondent Nodes

 The protection of Binding Updates sent to correspondent nodes does
 not require the configuration of security associations or the
 existence of an authentication infrastructure between the mobile
 nodes and correspondent nodes.  Instead, a method called the return
 routability procedure is used to assure that the right mobile node is
 sending the message.  This method does not protect against attackers
 who are on the path between the home network and the correspondent
 node.  However, attackers in such a location are capable of
 performing the same attacks even without Mobile IPv6.  The main
 advantage of the return routability procedure is that it limits the
 potential attackers to those having an access to one specific path in
 the Internet, and avoids forged Binding Updates from anywhere else in
 the Internet.  For a more in depth explanation of the security
 properties of the return routability procedure, see Section 15.
 The integrity and authenticity of the Binding Updates messages to
 correspondent nodes is protected by using a keyed-hash algorithm.
 The binding management key, Kbm, is used to key the hash algorithm
 for this purpose.  Kbm is established using data exchanged during the
 return routability procedure.  The data exchange is accomplished by
 use of node keys, nonces, cookies, tokens, and certain cryptographic
 functions.  Section 5.2.5 outlines the basic return routability
 procedure.  Section 5.2.6 shows how the results of this procedure are
 used to authorize a Binding Update to a correspondent node.

5.2.1. Node Keys

 Each correspondent node has a secret key, Kcn, called the "node key",
 which it uses to produce the keygen tokens sent to the mobile nodes.
 The node key MUST be a random number, 20 octets in length.  The node
 key allows the correspondent node to verify that the keygen tokens
 used by the mobile node in authorizing a Binding Update are indeed
 its own.  This key MUST NOT be shared with any other entity.
 A correspondent node MAY generate a fresh node key at any time; this
 avoids the need for secure persistent key storage.  Procedures for
 optionally updating the node key are discussed later in Section
 5.2.7.

5.2.2. Nonces

 Each correspondent node also generates nonces at regular intervals.
 The nonces should be generated by using a random number generator
 that is known to have good randomness properties [1].  A
 correspondent node may use the same Kcn and nonce with all the
 mobiles it is in communication with.

Johnson, et al. Standard Track [Page 20] RFC 3775 Mobility Support in IPv6 June 2004

 Each nonce is identified by a nonce index.  When a new nonce is
 generated, it must be associated with a new nonce index; this may be
 done, for example, by incrementing the value of the previous nonce
 index, if the nonce index is used as an array pointer into a linear
 array of nonces.  However, there is no requirement that nonces be
 stored that way, or that the values of subsequent nonce indices have
 any particular relationship to each other.  The index value is
 communicated in the protocol, so that if a nonce is replaced by new
 nonce during the run of a protocol, the correspondent node can
 distinguish messages that should be checked against the old nonce
 from messages that should be checked against the new nonce.  Strictly
 speaking, indices are not necessary in the authentication, but allow
 the correspondent node to efficiently find the nonce value that it
 used in creating a keygen token.
 Correspondent nodes keep both the current nonce and a small set of
 valid previous nonces whose lifetime has not yet expired.  Expired
 values MUST be discarded, and messages using stale or unknown indices
 will be rejected.
 The specific nonce index values cannot be used by mobile nodes to
 determine the validity of the nonce.  Expected validity times for the
 nonces values and the procedures for updating them are discussed
 later in Section 5.2.7.
 A nonce is an octet string of any length.  The recommended length is
 64 bits.

5.2.3. Cookies and Tokens

 The return routability address test procedure uses cookies and keygen
 tokens as opaque values within the test init and test messages,
 respectively.
 o  The "home init cookie" and "care-of init cookie" are 64 bit values
    sent to the correspondent node from the mobile node, and later
    returned to the mobile node.  The home init cookie is sent in the
    Home Test Init message, and returned in the Home Test message.
    The care-of init cookie is sent in the Care-of Test Init message,
    and returned in the Care-of Test message.
 o  The "home keygen token" and "care-of keygen token" are 64-bit
    values sent by the correspondent node to the mobile node via the
    home agent (via the Home Test message) and the care-of address (by
    the Care-of Test message), respectively.

Johnson, et al. Standard Track [Page 21] RFC 3775 Mobility Support in IPv6 June 2004

 The mobile node should set the home init or care-of init cookie to a
 newly generated random number in every Home or Care-of Test Init
 message it sends.  The cookies are used to verify that the Home Test
 or Care-of Test message matches the Home Test Init or Care-of Test
 Init message, respectively.  These cookies also serve to ensure that
 parties who have not seen the request cannot spoof responses.
 Home and care-of keygen tokens are produced by the correspondent node
 based on its currently active secret key (Kcn) and nonces, as well as
 the home or care-of address (respectively).  A keygen token is valid
 as long as both the secret key (Kcn) and the nonce used to create it
 are valid.

5.2.4. Cryptographic Functions

 In this specification, the function used to compute hash values is
 SHA1 [20].  Message Authentication Codes (MACs) are computed using
 HMAC_SHA1 [25, 20].  HMAC_SHA1(K,m) denotes such a MAC computed on
 message m with key K.

5.2.5. Return Routability Procedure

 The Return Routability Procedure enables the correspondent node to
 obtain some reasonable assurance that the mobile node is in fact
 addressable at its claimed care-of address as well as at its home
 address.  Only with this assurance is the correspondent node able to
 accept Binding Updates from the mobile node which would then instruct
 the correspondent node to direct that mobile node's data traffic to
 its claimed care-of address.
 This is done by testing whether packets addressed to the two claimed
 addresses are routed to the mobile node.  The mobile node can pass
 the test only if it is able to supply proof that it received certain
 data (the "keygen tokens") which the correspondent node sends to
 those addresses.  These data are combined by the mobile node into a
 binding management key, denoted Kbm.
 The figure below shows the message flow for the return routability
 procedure.

Johnson, et al. Standard Track [Page 22] RFC 3775 Mobility Support in IPv6 June 2004

 Mobile node                 Home agent           Correspondent node
      |                                                     |
      |  Home Test Init (HoTI)   |                          |
      |------------------------->|------------------------->|
      |                          |                          |
      |  Care-of Test Init (CoTI)                           |
      |---------------------------------------------------->|
      |                                                     |
      |                          |  Home Test (HoT)         |
      |<-------------------------|<-------------------------|
      |                          |                          |
      |                             Care-of Test (CoT)      |
      |<----------------------------------------------------|
      |                                                     |
 The Home and Care-of Test Init messages are sent at the same time.
 The procedure requires very little processing at the correspondent
 node, and the Home and Care-of Test messages can be returned quickly,
 perhaps nearly simultaneously.  These four messages form the return
 routability procedure.
 Home Test Init
    A mobile node sends a Home Test Init message to the correspondent
    node (via the home agent) to acquire the home keygen token.  The
    contents of the message can be summarized as follows:
  • Source Address = home address
  • Destination Address = correspondent
  • Parameters:
          +  home init cookie
    The Home Test Init message conveys the mobile node's home address
    to the correspondent node.  The mobile node also sends along a
    home init cookie that the correspondent node must return later.
    The Home Test Init message is reverse tunneled through the home
    agent.  (The headers and addresses related to  reverse tunneling
    have been omitted from the above discussion of the message
    contents.)  The mobile node remembers these cookie values to
    obtain some assurance that its protocol messages are being
    processed by the desired correspondent node.

Johnson, et al. Standard Track [Page 23] RFC 3775 Mobility Support in IPv6 June 2004

 Care-of Test Init
    The mobile node sends a Care-of Test Init message to the
    correspondent node (directly, not via the home agent) to acquire
    the care-of keygen token.  The contents of this message can be
    summarized as follows:
  • Source Address = care-of address
  • Destination Address = correspondent
  • Parameters:
          +  care-of init cookie
    The Care-of Test Init message conveys the mobile node's care-of
    address to the correspondent node.  The mobile node also sends
    along a care-of init cookie that the correspondent node must
    return later.  The Care-of Test Init message is sent directly to
    the correspondent node.
 Home Test
    The Home Test message is sent in response to a Home Test Init
    message.  It is sent via the home agent.  The contents of the
    message are:
  • Source Address = correspondent
  • Destination Address = home address
  • Parameters:
       +  home init cookie
       +  home keygen token
       +  home nonce index

Johnson, et al. Standard Track [Page 24] RFC 3775 Mobility Support in IPv6 June 2004

    When the correspondent node receives the Home Test Init message,
    it generates a home keygen token as follows:
    home keygen token :=
         First (64, HMAC_SHA1 (Kcn, (home address | nonce | 0)))
    where | denotes concatenation.  The final "0" inside the HMAC_SHA1
    function is a single zero octet, used to distinguish home and
    care-of cookies from each other.
    The home keygen token is formed from the first 64 bits of the MAC.
    The home keygen token tests that the mobile node can receive were
    messages sent to its home address.  Kcn is used in the production
    of home keygen token in order to allow the correspondent node to
    verify that it generated the home and care-of nonces, without
    forcing the correspondent node to remember a list of all tokens it
    has handed out.
    The Home Test message is sent to the mobile node via the home
    network, where it is presumed that the home agent will tunnel the
    message to the mobile node.  This means that the mobile node needs
    to already have sent a Binding Update to the home agent, so that
    the home agent will have received and authorized the new care-of
    address for the mobile node before the return routability
    procedure.  For improved security, the data passed between the
    home agent and the mobile node is made immune to inspection and
    passive attacks.  Such protection is gained by encrypting the home
    keygen token as it is tunneled from the home agent to the mobile
    node as specified in Section 10.4.6.  The security properties of
    this additional security are discussed in Section 15.4.1.
    The home init cookie from the mobile node is returned in the Home
    Test message, to ensure that the message comes from a node on the
    route between the home agent and the correspondent node.
    The home nonce index is delivered to the mobile node to later
    allow the correspondent node to efficiently find the nonce value
    that it used in creating the home keygen token.
 Care-of Test
    This message is sent in response to a Care-of Test Init message.
    This message is not sent via the home agent, it is sent directly
    to the mobile node.  The contents of the message are:
  • Source Address = correspondent
  • Destination Address = care-of address

Johnson, et al. Standard Track [Page 25] RFC 3775 Mobility Support in IPv6 June 2004

  • Parameters:
       +  care-of init cookie
       +  care-of keygen token
       +  care-of nonce index
    When the correspondent node receives the Care-of Test Init
    message, it generates a care-of keygen token as follows:
    care-of keygen token :=
       First (64, HMAC_SHA1 (Kcn, (care-of address | nonce | 1)))
    Here, the final "1" inside the HMAC_SHA1 function is a single
    octet containing the hex value 0x01, and is used to distinguish
    home and care-of cookies from each other.  The keygen token is
    formed from the first 64 bits of the MAC, and sent directly to the
    mobile node at its care-of address.  The care-of init cookie from
    the Care-of Test Init message is returned to ensure that the
    message comes from a node on the route to the correspondent node.
    The care-of nonce index is provided to identify the nonce used for
    the care-of keygen token.  The home and care-of nonce indices MAY
    be the same, or different, in the Home and Care-of Test messages.
 When the mobile node has received both the Home and Care-of Test
 messages, the return routability procedure is complete.  As a result
 of the procedure, the mobile node has the data it needs to send a
 Binding Update to the correspondent node.  The mobile node hashes the
 tokens together to form a 20 octet binding key Kbm:
    Kbm = SHA1 (home keygen token | care-of keygen token)
 A Binding Update may also be used to delete a previously established
 binding (Section 6.1.7).  In this case, the care-of keygen token is
 not used.  Instead, the binding management key is generated as
 follows:
    Kbm = SHA1(home keygen token)
 Note that the correspondent node does not create any state specific
 to the mobile node, until it receives the Binding Update from that
 mobile node.  The correspondent node does not maintain the value for
 the binding management key Kbm; it creates Kbm when given the nonce
 indices and the mobile node's addresses.

Johnson, et al. Standard Track [Page 26] RFC 3775 Mobility Support in IPv6 June 2004

5.2.6. Authorizing Binding Management Messages

 After the mobile node has created the binding management key (Kbm),
 it can supply a verifiable Binding Update to the correspondent node.
 This section provides an overview of this registration.  The below
 figure shows the message flow.
 Mobile node                                Correspondent node
      |                                               |
      |             Binding Update (BU)               |
      |---------------------------------------------->|
      |  (MAC, seq#, nonce indices, care-of address)  |
      |                                               |
      |                                               |
      |    Binding Acknowledgement (BA) (if sent)     |
      |<----------------------------------------------|
      |              (MAC, seq#, status)              |
 Binding Update
    To authorize a Binding Update, the mobile node creates a binding
    management key Kbm from the keygen tokens as described in the
    previous section.  The contents of the Binding Update include the
    following:
  • Source Address = care-of address
  • Destination Address = correspondent
  • Parameters:
       +  home address (within the Home Address destination option if
          different from the Source Address)
       +  sequence number (within the Binding Update message header)
       +  home nonce index (within the Nonce Indices option)
       +  care-of nonce index (within the Nonce Indices option)
       +  First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent
          | BU)))

Johnson, et al. Standard Track [Page 27] RFC 3775 Mobility Support in IPv6 June 2004

    The Binding Update contains a Nonce Indices option, indicating to
    the correspondent node which home and care-of nonces to use to
    recompute Kbm, the binding management key.  The MAC is computed as
    described in Section 6.2.7, using the correspondent node's address
    as the destination address and the Binding Update message itself
    ("BU" above) as the MH Data.
    Once the correspondent node has verified the MAC, it can create a
    Binding Cache entry for the mobile.
 Binding Acknowledgement
    The Binding Update is in some cases acknowledged by the
    correspondent node.  The contents of the message are as follows:
  • Source Address = correspondent
  • Destination Address = care-of address
  • Parameters:
       +  sequence number (within the Binding Update message header)
       +  First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent
          | BA)))
    The Binding Acknowledgement contains the same sequence number as
    the Binding Update.  The MAC is computed as described in Section
    6.2.7, using the correspondent node's address as the destination
    address and the message itself ("BA" above) as the MH Data.
    Bindings established with correspondent nodes using keys created
    by way of the return routability procedure MUST NOT exceed
    MAX_RR_BINDING_LIFETIME seconds (see Section 12).
    The value in the Source Address field in the IPv6 header carrying
    the Binding Update is normally also the care-of address which is
    used in the binding.  However, a different care-of address MAY be
    specified by including an Alternate Care-of Address mobility
    option in the Binding Update (see Section 6.2.5).  When such a
    message is sent to the correspondent node and the return
    routability procedure is used as the authorization method, the
    Care-of Test Init and Care-of Test messages MUST have been
    performed for the address in the Alternate Care-of Address option
    (not the Source Address).  The nonce indices and MAC value MUST be
    based on information gained in this test.

Johnson, et al. Standard Track [Page 28] RFC 3775 Mobility Support in IPv6 June 2004

    Binding Updates may also be sent to delete a previously
    established binding.  In this case, generation of the binding
    management key depends exclusively on the home keygen token and
    the care-of nonce index is ignored.

5.2.7. Updating Node Keys and Nonces

 Correspondent nodes generate nonces at regular intervals.  It is
 recommended to keep each nonce (identified by a nonce index)
 acceptable for at least MAX_TOKEN_LIFETIME seconds (see Section 12)
 after it has been first used in constructing a return routability
 message response.  However, the correspondent node MUST NOT accept
 nonces beyond MAX_NONCE_LIFETIME seconds (see Section 12) after the
 first use.  As the difference between these two constants is 30
 seconds, a convenient way to enforce the above lifetimes is to
 generate a new nonce every 30 seconds.  The node can then continue to
 accept tokens that have been based on the last 8 (MAX_NONCE_LIFETIME
 / 30) nonces.  This results in tokens being acceptable
 MAX_TOKEN_LIFETIME to MAX_NONCE_LIFETIME seconds after they have been
 sent to the mobile node, depending on whether the token was sent at
 the beginning or end of the first 30 second period.  Note that the
 correspondent node may also attempt to generate new nonces on demand,
 or only if the old nonces have been used.  This is possible, as long
 as the correspondent node keeps track of how long a time ago the
 nonces were used for the first time, and does not generate new nonces
 on every return routability request.
 Due to resource limitations, rapid deletion of bindings, or reboots
 the correspondent node may not in all cases recognize the nonces that
 the tokens were based on.  If a nonce index is unrecognized, the
 correspondent node replies with an error code in the Binding
 Acknowledgement (either 136, 137, or 138 as discussed in Section
 6.1.8).  The mobile node can then retry the return routability
 procedure.
 An update of Kcn SHOULD be done at the same time as an update of a
 nonce, so that nonce indices can identify both the nonce and the key.
 Old Kcn values have to be therefore remembered as long as old nonce
 values.
 Given that the tokens are normally expected to be usable for
 MAX_TOKEN_LIFETIME seconds, the mobile node MAY use them beyond a
 single run of the return routability procedure until
 MAX_TOKEN_LIFETIME expires.  After this the mobile node SHOULD NOT
 use the tokens.  A fast moving mobile node MAY reuse a recent home
 keygen token from a correspondent node when moving to a new location,
 and just acquire a new care-of keygen token to show routability in
 the new location.

Johnson, et al. Standard Track [Page 29] RFC 3775 Mobility Support in IPv6 June 2004

 While this does not save the number of round-trips due to the
 simultaneous processing of home and care-of return routability tests,
 there are fewer messages being exchanged, and a potentially long
 round-trip through the home agent is avoided.  Consequently, this
 optimization is often useful.  A mobile node that has multiple home
 addresses, MAY also use the same care-of keygen token for Binding
 Updates concerning all of these addresses.

5.2.8. Preventing Replay Attacks

 The return routability procedure also protects the participants
 against replayed Binding Updates through the use of the sequence
 number and a MAC.  Care must be taken when removing bindings at the
 correspondent node, however.  Correspondent nodes must retain
 bindings and the associated sequence number information at least as
 long as the nonces used in the authorization of the binding are still
 valid.  Alternatively, if memory is very constrained, the
 correspondent node MAY invalidate the nonces that were used for the
 binding being deleted (or some larger group of nonces that they
 belong to).  This may, however, impact the ability to accept Binding
 Updates from mobile nodes that have recently received keygen tokens.
 This alternative is therefore recommended only as a last measure.

5.3. Dynamic Home Agent Address Discovery

 No security is required for dynamic home agent address discovery.

5.4. Mobile Prefix Discovery

 The mobile node and the home agent SHOULD use an IPsec security
 association to protect the integrity and authenticity of the Mobile
 Prefix Solicitations and Advertisements.  Both the mobile nodes and
 the home agents MUST support and SHOULD use the Encapsulating
 Security Payload (ESP) header in transport mode with a non-NULL
 payload authentication algorithm to provide data origin
 authentication, connectionless integrity and optional anti-replay
 protection.

5.5. Payload Packets

 Payload packets exchanged with mobile nodes can be protected in the
 usual manner, in the same way as stationary hosts can protect them.
 However, Mobile IPv6 introduces the Home Address destination option,
 a routing header, and tunneling headers in the payload packets.  In
 the following we define the security measures taken to protect these,
 and to prevent their use in attacks against other parties.

Johnson, et al. Standard Track [Page 30] RFC 3775 Mobility Support in IPv6 June 2004

 This specification limits the use of the Home Address destination
 option to the situation where the correspondent node already has a
 Binding Cache entry for the given home address.  This avoids the use
 of the Home Address option in attacks described in Section 15.1.
 Mobile IPv6 uses a Mobile IPv6 specific type of a routing header.
 This type provides the necessary functionality but does not open
 vulnerabilities discussed in Section 15.1.
 Tunnels between the mobile node and the home agent are protected by
 ensuring proper use of source addresses, and optional cryptographic
 protection.  The mobile node verifies that the outer IP address
 corresponds to its home agent.  The home agent verifies that the
 outer IP address corresponds to the current location of the mobile
 node (Binding Updates sent to the home agents are secure).  The home
 agent identifies the mobile node through the source address of the
 inner packet.  (Typically, this is the home address of the mobile
 node, but it can also be a link-local address, as discussed in
 Section 10.4.2.  To recognize the latter type of addresses, the home
 agent requires that the Link-Local Address Compatibility (L) was set
 in the Binding Update.)  These measures protect the tunnels against
 vulnerabilities discussed in Section 15.1.
 For traffic tunneled via the home agent, additional IPsec ESP
 encapsulation MAY be supported and used.  If multicast group
 membership control protocols or stateful address autoconfiguration
 protocols are supported, payload data protection MUST be supported.

6. New IPv6 Protocol, Message Types, and Destination Option

6.1. Mobility Header

 The Mobility Header is an extension header used by mobile nodes,
 correspondent nodes, and home agents in all messaging related to the
 creation and management of bindings.  The subsections within this
 section describe the message types that may be sent using the
 Mobility Header.
 Mobility Header messages MUST NOT be sent with a type 2 routing
 header, except as described in Section 9.5.4 for Binding
 Acknowledgement.  Mobility Header messages also MUST NOT be used with
 a Home Address destination option, except as described in Section
 11.7.1 and Section 11.7.2 for Binding Update.  Binding Update List or
 Binding Cache information (when present) for the destination MUST NOT
 be used in sending Mobility Header messages.  That is, Mobility
 Header messages bypass both the Binding Cache check described in
 Section 9.3.2 and the Binding Update List check described in Section

Johnson, et al. Standard Track [Page 31] RFC 3775 Mobility Support in IPv6 June 2004

 11.3.1 which are normally performed for all packets.  This applies
 even to messages sent to or from a correspondent node which is itself
 a mobile node.

6.1.1. Format

 The Mobility Header is identified by a Next Header value of 135 in
 the immediately preceding header, and has the following format:
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Payload Proto |  Header Len   |   MH Type     |   Reserved    |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |           Checksum            |                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
  |                                                               |
  .                                                               .
  .                       Message Data                            .
  .                                                               .
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Payload Proto
    8-bit selector.  Identifies the type of header immediately
    following the Mobility Header.  Uses the same values as the IPv6
    Next Header field [11].
    This field is intended to be used by a future extension (see
    Appendix B.1).
    Implementations conforming to this specification SHOULD set the
    payload protocol type to IPPROTO_NONE (59 decimal).
 Header Len
    8-bit unsigned integer, representing the length of the Mobility
    Header in units of 8 octets, excluding the first 8 octets.
    The length of the Mobility Header MUST be a multiple of 8 octets.
 MH Type
    8-bit selector.  Identifies the particular mobility message in
    question.  Current values are specified in Section 6.1.2 and
    onward.  An unrecognized MH Type field causes an error indication
    to be sent.

Johnson, et al. Standard Track [Page 32] RFC 3775 Mobility Support in IPv6 June 2004

 Reserved
    8-bit field reserved for future use.  The value MUST be
    initialized to zero by the sender, and MUST be ignored by the
    receiver.
 Checksum
    16-bit unsigned integer.  This field contains the checksum of the
    Mobility Header.  The checksum is calculated from the octet string
    consisting of a "pseudo-header" followed by the entire Mobility
    Header starting with the Payload Proto field.  The checksum is the
    16-bit one's complement of the one's complement sum of this
    string.
    The pseudo-header contains IPv6 header fields, as specified in
    Section 8.1 of RFC 2460 [11].  The Next Header value used in the
    pseudo-header is 2.  The addresses used in the pseudo-header are
    the addresses that appear in the Source and Destination Address
    fields in the IPv6 packet carrying the Mobility Header.
    Note that the procedures of calculating upper layer checksums
    while away from home described in Section 11.3.1 apply even for
    the Mobility Header.  If a mobility message has a Home Address
    destination option, then the checksum calculation uses the home
    address in this option as the value of the IPv6 Source Address
    field.  The type 2 routing header is treated as explained in [11].
    The Mobility Header is considered as the upper layer protocol for
    the purposes of calculating the pseudo-header.  The Upper-Layer
    Packet Length field in the pseudo-header MUST be set to the total
    length of the Mobility Header.
    For computing the checksum, the checksum field is set to zero.
 Message Data
    A variable length field containing the data specific to the
    indicated Mobility Header type.
 Mobile IPv6 also defines a number of "mobility options" for use
 within these messages; if included, any options MUST appear after the
 fixed portion of the message data specified in this document.  The
 presence of such options will be indicated by the Header Len field
 within the message.  When the Header Len value is greater than the
 length required for the message specified here, the remaining octets
 are interpreted as mobility options.  These options include padding
 options that can be used to ensure that other options are aligned

Johnson, et al. Standard Track [Page 33] RFC 3775 Mobility Support in IPv6 June 2004

 properly, and that the total length of the message is divisible by 8.
 The encoding and format of defined options are described in Section
 6.2.
 Alignment requirements for the Mobility Header are the same as for
 any IPv6 protocol Header.  That is, they MUST be aligned on an 8-
 octet boundary.

6.1.2. Binding Refresh Request Message

 The Binding Refresh Request (BRR) message requests a mobile node to
 update its mobility binding.  This message is sent by correspondent
 nodes according to the rules in Section 9.5.5.  When a mobile node
 receives a packet containing a Binding Refresh Request message it
 processes the message according to the rules in Section 11.7.4.
 The Binding Refresh Request message uses the MH Type value 0.  When
 this value is indicated in the MH Type field, the format of the
 Message Data field in the Mobility Header is as follows:
                                  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                  |          Reserved             |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  .                                                               .
  .                        Mobility options                       .
  .                                                               .
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Reserved
    16-bit field reserved for future use.  The value MUST be
    initialized to zero by the sender, and MUST be ignored by the
    receiver.
 Mobility Options
    Variable-length field of such length that the complete Mobility
    Header is an integer multiple of 8 octets long.  This field
    contains zero or more TLV-encoded mobility options.  The encoding
    and format of defined options are described in Section 6.2.  The
    receiver MUST ignore and skip any options which it does not
    understand.

Johnson, et al. Standard Track [Page 34] RFC 3775 Mobility Support in IPv6 June 2004

    There MAY be additional information, associated with this Binding
    Refresh Request message that need not be present in all Binding
    Refresh Request messages sent.  Mobility options allow future
    extensions to the format of the Binding Refresh Request message to
    be defined.  This specification does not define any options valid
    for the Binding Refresh Request message.
 If no actual options are present in this message, no padding is
 necessary and the Header Len field will be set to 0.

6.1.3. Home Test Init Message

 A mobile node uses the Home Test Init (HoTI) message to initiate the
 return routability procedure and request a home keygen token from a
 correspondent node (see Section 11.6.1).  The Home Test Init message
 uses the MH Type value 1.  When this value is indicated in the MH
 Type field, the format of the Message Data field in the Mobility
 Header is as follows:
                                  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                  |           Reserved            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  +                       Home Init Cookie                        +
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  .                                                               .
  .                       Mobility Options                        .
  .                                                               .
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Reserved
    16-bit field reserved for future use.  This value MUST be
    initialized to zero by the sender, and MUST be ignored by the
    receiver.
 Home Init Cookie
    64-bit field which contains a random value, the home init cookie.
 Mobility Options
    Variable-length field of such length that the complete Mobility
    Header is an integer multiple of 8 octets long.  This field
    contains zero or more TLV-encoded mobility options.  The receiver

Johnson, et al. Standard Track [Page 35] RFC 3775 Mobility Support in IPv6 June 2004

    MUST ignore and skip any options which it does not understand.
    This specification does not define any options valid for the Home
    Test Init message.
 If no actual options are present in this message, no padding is
 necessary and the Header Len field will be set to 1.
 This message is tunneled through the home agent when the mobile node
 is away from home.  Such tunneling SHOULD employ IPsec ESP in tunnel
 mode between the home agent and the mobile node.  This protection is
 indicated by the IPsec security policy database.  The protection of
 Home Test Init messages is unrelated to the requirement to protect
 regular payload traffic, which MAY use such tunnels as well.

6.1.4. Care-of Test Init Message

 A mobile node uses the Care-of Test Init (CoTI) message to initiate
 the return routability procedure and request a care-of keygen token
 from a correspondent node (see Section 11.6.1).  The Care-of Test
 Init message uses the MH Type value 2.  When this value is indicated
 in the MH Type field, the format of the Message Data field in the
 Mobility Header is as follows:
                                  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                  |           Reserved            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  +                      Care-of Init Cookie                      +
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  .                                                               .
  .                        Mobility Options                       .
  .                                                               .
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Reserved
    16-bit field reserved for future use.  The value MUST be
    initialized to zero by the sender, and MUST be ignored by the
    receiver.
 Care-of Init Cookie
    64-bit field which contains a random value, the care-of init
    cookie.

Johnson, et al. Standard Track [Page 36] RFC 3775 Mobility Support in IPv6 June 2004

 Mobility Options
    Variable-length field of such length that the complete Mobility
    Header is an integer multiple of 8 octets long.  This field
    contains zero or more TLV-encoded mobility options.  The receiver
    MUST ignore and skip any options which it does not understand.
    This specification does not define any options valid for the
    Care-of Test Init message.
 If no actual options are present in this message, no padding is
 necessary and the Header Len field will be set to 1.

6.1.5. Home Test Message

 The Home Test (HoT) message is a response to the Home Test Init
 message, and is sent from the correspondent node to the mobile node
 (see Section 5.2.5).  The Home Test message uses the MH Type value 3.
 When this value is indicated in the MH Type field, the format of the
 Message Data field in the Mobility Header is as follows:
                                  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                  |       Home Nonce Index        |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  +                        Home Init Cookie                       +
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  +                       Home Keygen Token                       +
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  .                                                               .
  .                        Mobility options                       .
  .                                                               .
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Home Nonce Index
    This field will be echoed back by the mobile node to the
    correspondent node in a subsequent Binding Update.
 Home Init Cookie
    64-bit field which contains the home init cookie.

Johnson, et al. Standard Track [Page 37] RFC 3775 Mobility Support in IPv6 June 2004

 Home Keygen Token
    This field contains the 64 bit home keygen token used in the
    return routability procedure.
 Mobility Options
    Variable-length field of such length that the complete Mobility
    Header is an integer multiple of 8 octets long.  This field
    contains zero or more TLV-encoded mobility options.  The receiver
    MUST ignore and skip any options which it does not understand.
    This specification does not define any options valid for the Home
    Test message.
 If no actual options are present in this message, no padding is
 necessary and the Header Len field will be set to 2.

6.1.6. Care-of Test Message

 The Care-of Test (CoT) message is a response to the Care-of Test Init
 message, and is sent from the correspondent node to the mobile node
 (see Section 11.6.2).  The Care-of Test message uses the MH Type
 value 4.  When this value is indicated in the MH Type field, the
 format of the Message Data field in the Mobility Header is as
 follows:
                                  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                  |      Care-of Nonce Index      |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  +                      Care-of Init Cookie                      +
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  +                     Care-of Keygen Token                      +
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  .                                                               .
  .                        Mobility Options                       .
  .                                                               .
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Care-of Nonce Index
    This value will be echoed back by the mobile node to the
    correspondent node in a subsequent Binding Update.

Johnson, et al. Standard Track [Page 38] RFC 3775 Mobility Support in IPv6 June 2004

 Care-of Init Cookie
    64-bit field which contains the care-of init cookie.
 Care-of Keygen Token
    This field contains the 64 bit care-of keygen token used in the
    return routability procedure.
 Mobility Options
    Variable-length field of such length that the complete Mobility
    Header is an integer multiple of 8 octets long.  This field
    contains zero or more TLV-encoded mobility options.  The receiver
    MUST ignore and skip any options which it does not understand.
    This specification does not define any options valid for the
    Care-of Test message.
 If no actual options are present in this message, no padding is
 necessary and the Header Len field will be set to 2.

6.1.7. Binding Update Message

 The Binding Update (BU) message is used by a mobile node to notify
 other nodes of a new care-of address for itself.  Binding Updates are
 sent as described in Section 11.7.1 and Section 11.7.2.
 The Binding Update uses the MH Type value 5.  When this value is
 indicated in the MH Type field, the format of the Message Data field
 in the Mobility Header is as follows:
                                  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                  |          Sequence #           |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |A|H|L|K|        Reserved       |           Lifetime            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  .                                                               .
  .                        Mobility options                       .
  .                                                               .
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Acknowledge (A)
    The Acknowledge (A) bit is set by the sending mobile node to
    request a Binding Acknowledgement (Section 6.1.8) be returned upon
    receipt of the Binding Update.

Johnson, et al. Standard Track [Page 39] RFC 3775 Mobility Support in IPv6 June 2004

 Home Registration (H)
    The Home Registration (H) bit is set by the sending mobile node to
    request that the receiving node should act as this node's home
    agent.  The destination of the packet carrying this message MUST
    be that of a router sharing the same subnet prefix as the home
    address of the mobile node in the binding.
 Link-Local Address Compatibility (L)
    The Link-Local Address Compatibility (L) bit is set when the home
    address reported by the mobile node has the same interface
    identifier as the mobile node's link-local address.
 Key Management Mobility Capability (K)
    If this bit is cleared, the protocol used for establishing the
    IPsec security associations between the mobile node and the home
    agent does not survive movements.  It may then have to be rerun.
    (Note that the IPsec security associations themselves are expected
    to survive movements.)  If manual IPsec configuration is used, the
    bit MUST be cleared.
    This bit is valid only in Binding Updates sent to the home agent,
    and MUST be cleared in other Binding Updates.  Correspondent nodes
    MUST ignore this bit.
 Reserved
    These fields are unused.  They MUST be initialized to zero by the
    sender and MUST be ignored by the receiver.
 Sequence #
    A 16-bit unsigned integer used by the receiving node to sequence
    Binding Updates and by the sending node to match a returned
    Binding Acknowledgement with this Binding Update.
 Lifetime
    16-bit unsigned integer.  The number of time units remaining
    before the binding MUST be considered expired.  A value of zero
    indicates that the Binding Cache entry for the mobile node MUST be
    deleted.  (In this case the specified care-of address MUST also be
    set equal to the home address.)  One time unit is 4 seconds.

Johnson, et al. Standard Track [Page 40] RFC 3775 Mobility Support in IPv6 June 2004

 Mobility Options
    Variable-length field of such length that the complete Mobility
    Header is an integer multiple of 8 octets long.  This field
    contains zero or more TLV-encoded mobility options.  The encoding
    and format of defined options are described in Section 6.2.  The
    receiver MUST ignore and skip any options which it does not
    understand.
    The following options are valid in a Binding Update:
  • Binding Authorization Data option (this option is mandatory in

Binding Updates sent to a correspondent node)

  • Nonce Indices option.
  • Alternate Care-of Address option
 If no options are present in this message, 4 octets of padding are
 necessary and the Header Len field will be set to 1.
 The care-of address is specified either by the Source Address field
 in the IPv6 header or by the Alternate Care-of Address option, if
 present.  The care-of address MUST be a unicast routable address.
 IPv6 Source Address MUST be a topologically correct source address.
 Binding Updates for a care-of address which is not a unicast routable
 address MUST be silently discarded.  Similarly, the Binding Update
 MUST be silently discarded if the care-of address appears as a home
 address in an existing Binding Cache entry, with its current location
 creating a circular reference back to the home address specified in
 the Binding Update (possibly through additional entries).
 The deletion of a binding can be indicated by setting the Lifetime
 field to 0 and by setting the care-of address equal to the home
 address.  In deletion, the generation of the binding management key
 depends exclusively on the home keygen token, as explained in Section
 5.2.5.  (Note that while the senders are required to set both the
 Lifetime field to 0 and the care-of address equal to the home
 address, Section 9.5.1 rules for receivers are more liberal, and
 interpret either condition as a deletion.)
 Correspondent nodes SHOULD NOT delete the Binding Cache entry before
 the lifetime expires, if any application hosted by the correspondent
 node is still likely to require communication with the mobile node.
 A Binding Cache entry that is de-allocated prematurely might cause
 subsequent packets to be dropped from the mobile node, if they
 contain the Home Address destination option.  This situation is
 recoverable, since a Binding Error message is sent to the mobile node

Johnson, et al. Standard Track [Page 41] RFC 3775 Mobility Support in IPv6 June 2004

 (see Section 6.1.9); however, it causes unnecessary delay in the
 communications.

6.1.8. Binding Acknowledgement Message

 The Binding Acknowledgement is used to acknowledge receipt of a
 Binding Update (Section 6.1.7).  This packet is sent as described in
 Section 9.5.4 and Section 10.3.1.
 The Binding Acknowledgement has the MH Type value 6.  When this value
 is indicated in the MH Type field, the format of the Message Data
 field in the Mobility Header is as follows:
                                  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                  |    Status     |K|  Reserved   |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |           Sequence #          |           Lifetime            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  .                                                               .
  .                        Mobility options                       .
  .                                                               .
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Key Management Mobility Capability (K)
    If this bit is cleared, the protocol used by the home agent for
    establishing the IPsec security associations between the mobile
    node and the home agent does not survive movements.  It may then
    have to be rerun.  (Note that the IPsec security associations
    themselves are expected to survive movements.)
    Correspondent nodes MUST set the K bit to 0.
 Reserved
    These fields are unused.  They MUST be initialized to zero by the
    sender and MUST be ignored by the receiver.

Johnson, et al. Standard Track [Page 42] RFC 3775 Mobility Support in IPv6 June 2004

 Status
    8-bit unsigned integer indicating the disposition of the Binding
    Update.  Values of the Status field less than 128 indicate that
    the Binding Update was accepted by the receiving node.  Values
    greater than or equal to 128 indicate that the Binding Update was
    rejected by the receiving node.  The following Status values are
    currently defined:
      0 Binding Update accepted
      1 Accepted but prefix discovery necessary
    128 Reason unspecified
    129 Administratively prohibited
    130 Insufficient resources
    131 Home registration not supported
    132 Not home subnet
    133 Not home agent for this mobile node
    134 Duplicate Address Detection failed
    135 Sequence number out of window
    136 Expired home nonce index
    137 Expired care-of nonce index
    138 Expired nonces
    139 Registration type change disallowed
 Up-to-date values of the Status field are to be specified in the IANA
 registry of assigned numbers [19].
 Sequence #
    The Sequence Number in the Binding Acknowledgement is copied from
    the Sequence Number field in the Binding Update.  It is used by
    the mobile node in matching this Binding Acknowledgement with an
    outstanding Binding Update.

Johnson, et al. Standard Track [Page 43] RFC 3775 Mobility Support in IPv6 June 2004

 Lifetime
    The granted lifetime, in time units of 4 seconds, for which this
    node SHOULD retain the entry for this mobile node in its Binding
    Cache.
    The value of this field is undefined if the Status field indicates
    that the Binding Update was rejected.
 Mobility Options
    Variable-length field of such length that the complete Mobility
    Header is an integer multiple of 8 octets long.  This field
    contains zero or more TLV-encoded mobility options.  The encoding
    and format of defined options are described in Section 6.2.  The
    receiver MUST ignore and skip any options which it does not
    understand.
    There MAY be additional information, associated with this Binding
    Acknowledgement that need not be present in all Binding
    Acknowledgements sent.  Mobility options allow future extensions
    to the format of the Binding Acknowledgement to be defined.  The
    following options are valid for the Binding Acknowledgement:
  • Binding Authorization Data option (this option is mandatory in

Binding Acknowledgements sent by a correspondent node, except

       where otherwise noted in Section 9.5.4)
  • Binding Refresh Advice option
 If no options are present in this message, 4 octets of padding are
 necessary and the Header Len field will be set to 1.

6.1.9. Binding Error Message

 The Binding Error (BE) message is used by the correspondent node to
 signal an error related to mobility, such as an inappropriate attempt
 to use the Home Address destination option without an existing
 binding; see Section 9.3.3 for details.

Johnson, et al. Standard Track [Page 44] RFC 3775 Mobility Support in IPv6 June 2004

 The Binding Error message uses the MH Type value 7.  When this value
 is indicated in the MH Type field, the format of the Message Data
 field in the Mobility Header is as follows:
                                  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                  |     Status    |   Reserved    |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  +                                                               +
  |                                                               |
  +                          Home Address                         +
  |                                                               |
  +                                                               +
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  .                                                               .
  .                        Mobility Options                       .
  .                                                               .
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Status
    8-bit unsigned integer indicating the reason for this message.
    The following values are currently defined:
       1 Unknown binding for Home Address destination option
       2 Unrecognized MH Type value
 Reserved
    A 8-bit field reserved for future use.  The value MUST be
    initialized to zero by the sender, and MUST be ignored by the
    receiver.
 Home Address
    The home address that was contained in the Home Address
    destination option.  The mobile node uses this information to
    determine which binding does not exist, in cases where the mobile
    node has several home addresses.

Johnson, et al. Standard Track [Page 45] RFC 3775 Mobility Support in IPv6 June 2004

 Mobility Options
    Variable-length field of such length that the complete Mobility
    Header is an integer multiple of 8 octets long.  This field
    contains zero or more TLV-encoded mobility options.  The receiver
    MUST ignore and skip any options which it does not understand.
    There MAY be additional information, associated with this Binding
    Error message that need not be present in all Binding Error
    messages sent.  Mobility options allow future extensions to the
    format of the format of the Binding Error message to be defined.
    The encoding and format of defined options are described in
    Section 6.2.  This specification does not define any options valid
    for the Binding Error message.
 If no actual options are present in this message, no padding is
 necessary and the Header Len field will be set to 2.

6.2. Mobility Options

 Mobility messages can include zero or more mobility options.  This
 allows optional fields that may not be needed in every use of a
 particular Mobility Header, as well as future extensions to the
 format of the messages.  Such options are included in the Message
 Data field of the message itself, after the fixed portion of the
 message data specified in the message subsections of Section 6.1.
 The presence of such options will be indicated by the Header Len of
 the Mobility Header.  If included, the Binding Authorization Data
 option (Section 6.2.7) MUST be the last option and MUST NOT have
 trailing padding.  Otherwise, options can be placed in any order.

6.2.1. Format

 Mobility options are encoded within the remaining space of the
 Message Data field of a mobility message, using a type-length-value
 (TLV) format as follows:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |  Option Type  | Option Length |   Option Data...
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Johnson, et al. Standard Track [Page 46] RFC 3775 Mobility Support in IPv6 June 2004

 Option Type
    8-bit identifier of the type of mobility option.  When processing
    a Mobility Header containing an option for which the Option Type
    value is not recognized by the receiver, the receiver MUST quietly
    ignore and skip over the option, correctly handling any remaining
    options in the message.
 Option Length
    8-bit unsigned integer, representing the length in octets of the
    mobility option, not including the Option Type and Option Length
    fields.
 Option Data
    A variable length field that contains data specific to the option.
 The following subsections specify the Option types which are
 currently defined for use in the Mobility Header.
 Implementations MUST silently ignore any mobility options that they
 do not understand.
 Mobility options may have alignment requirements.  Following the
 convention in IPv6, these options are aligned in a packet so that
 multi-octet values within the Option Data field of each option fall
 on natural boundaries (i.e., fields of width n octets are placed at
 an integer multiple of n octets from the start of the header, for n =
 1, 2, 4, or 8) [11].

6.2.2. Pad1

 The Pad1 option does not have any alignment requirements.  Its format
 is as follows:
     0
     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    |   Type = 0    |
    +-+-+-+-+-+-+-+-+
 NOTE! the format of the Pad1 option is a special case - it has
 neither Option Length nor Option Data fields.

Johnson, et al. Standard Track [Page 47] RFC 3775 Mobility Support in IPv6 June 2004

 The Pad1 option is used to insert one octet of padding in the
 Mobility Options area of a Mobility Header.  If more than one octet
 of padding is required, the PadN option, described next, should be
 used rather than multiple Pad1 options.

6.2.3. PadN

 The PadN option does not have any alignment requirements.  Its format
 is as follows:
     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
    |   Type = 1    | Option Length | Option Data
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- - - - - - - - -
 The PadN option is used to insert two or more octets of padding in
 the Mobility Options area of a mobility message.  For N octets of
 padding, the Option Length field contains the value N-2, and the
 Option Data consists of N-2 zero-valued octets.  PadN Option data
 MUST be ignored by the receiver.

6.2.4. Binding Refresh Advice

 The Binding Refresh Advice option has an alignment requirement of 2n.
 Its format is as follows:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                 |   Type = 2    |   Length = 2  |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |       Refresh Interval        |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 The Binding Refresh Advice option is only valid in the Binding
 Acknowledgement, and only on Binding Acknowledgements sent from the
 mobile node's home agent in reply to a home registration.  The
 Refresh Interval is measured in units of four seconds, and indicates
 remaining time until the mobile node SHOULD send a new home
 registration to the home agent.  The Refresh Interval MUST be set to
 indicate a smaller time interval than the Lifetime value of the
 Binding Acknowledgement.

Johnson, et al. Standard Track [Page 48] RFC 3775 Mobility Support in IPv6 June 2004

6.2.5. Alternate Care-of Address

 The Alternate Care-of Address option has an alignment requirement of
 8n+6.  Its format is as follows:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                 |   Type = 3    |  Length = 16  |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                                                               |
 +                                                               +
 |                                                               |
 +                   Alternate Care-of Address                   +
 |                                                               |
 +                                                               +
 |                                                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Normally, a Binding Update specifies the desired care-of address in
 the Source Address field of the IPv6 header.  However, this is not
 possible in some cases, such as when the mobile node wishes to
 indicate a care-of address which it cannot use as a topologically
 correct source address (Section 6.1.7 and Section 11.7.2) or when the
 used security mechanism does not protect the IPv6 header (Section
 11.7.1).
 The Alternate Care-of Address option is provided for these
 situations.  This option is valid only in Binding Update.  The
 Alternate Care-of Address field contains an address to use as the
 care-of address for the binding, rather than using the Source Address
 of the packet as the care-of address.

6.2.6. Nonce Indices

 The Nonce Indices option has an alignment requirement of 2n.  Its
 format is as follows:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                 |   Type = 4    |   Length = 4  |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |         Home Nonce Index      |     Care-of Nonce Index       |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Johnson, et al. Standard Track [Page 49] RFC 3775 Mobility Support in IPv6 June 2004

 The Nonce Indices option is valid only in the Binding Update message
 sent to a correspondent node, and only when present together with a
 Binding Authorization Data option.  When the correspondent node
 authorizes the Binding Update, it needs to produce home and care-of
 keygen tokens from its stored random nonce values.
 The Home Nonce Index field tells the correspondent node which nonce
 value to use when producing the home keygen token.
 The Care-of Nonce Index field is ignored in requests to delete a
 binding.  Otherwise, it tells the correspondent node which nonce
 value to use when producing the care-of keygen token.

6.2.7. Binding Authorization Data

 The Binding Authorization Data option does not have alignment
 requirements as such.  However, since this option must be the last
 mobility option, an implicit alignment requirement is 8n + 2.  The
 format of this option is as follows:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                 |   Type = 5    | Option Length |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                                                               |
 +                                                               +
 |                         Authenticator                         |
 +                                                               +
 |                                                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 The Binding Authorization Data option is valid in the Binding Update
 and Binding Acknowledgement.
 The Option Length field contains the length of the authenticator in
 octets.
 The Authenticator field contains a cryptographic value which can be
 used to determine that the message in question comes from the right
 authority.  Rules for calculating this value depends on the used
 authorization procedure.

Johnson, et al. Standard Track [Page 50] RFC 3775 Mobility Support in IPv6 June 2004

 For the return routability procedure, this option can appear in the
 Binding Update and Binding Acknowledgements.  Rules for calculating
 the Authenticator value are the following:
    Mobility Data = care-of address | correspondent | MH Data
    Authenticator = First (96, HMAC_SHA1 (Kbm, Mobility Data))
 Where | denotes concatenation. "Care-of address" is the care-of
 address which will be registered for the mobile node if the Binding
 Update succeeds, or the home address of the mobile node if this
 option is used in de-registration.  Note also that this address might
 be different from the source address of the Binding Update message,
 if the Alternative Care-of Address mobility option is used, or when
 the lifetime of the binding is set to zero.
 The "correspondent" is the IPv6 address of the correspondent node.
 Note that, if the message is sent to a destination which is itself
 mobile, the "correspondent" address may not be the address found in
 the Destination Address field of the IPv6 header; instead the home
 address from the type 2 Routing header should be used.
 "MH Data" is the content of the Mobility Header, excluding the
 Authenticator field itself.  The Authenticator value is calculated as
 if the Checksum field in the Mobility Header was zero.  The Checksum
 in the transmitted packet is still calculated in the usual manner,
 with the calculated Authenticator being a part of the packet
 protected by the Checksum.  Kbm is the binding management key, which
 is typically created using nonces provided by the correspondent node
 (see Section 9.4).  Note that while the contents of a potential Home
 Address destination option are not covered in this formula, the rules
 for the calculation of the Kbm do take the home address in account.
 This ensures that the MAC will be different for different home
 addresses.
 The first 96 bits from the MAC result are used as the Authenticator
 field.

6.3. Home Address Option

 The Home Address option is carried by the Destination Option
 extension header (Next Header value = 60).  It is used in a packet
 sent by a mobile node while away from home, to inform the recipient
 of the mobile node's home address.

Johnson, et al. Standard Track [Page 51] RFC 3775 Mobility Support in IPv6 June 2004

 The Home Address option is encoded in type-length-value (TLV) format
 as follows:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                 |  Option Type  | Option Length |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                                                               |
 +                                                               +
 |                                                               |
 +                          Home Address                         +
 |                                                               |
 +                                                               +
 |                                                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Option Type
    201 = 0xC9
 Option Length
    8-bit unsigned integer.  Length of the option, in octets,
    excluding the Option Type and Option Length fields.  This field
    MUST be set to 16.
 Home Address
    The home address of the mobile node sending the packet.  This
    address MUST be a unicast routable address.
 The alignment requirement [11] for the Home Address option is 8n+6.
 The three highest-order bits of the Option Type field are encoded to
 indicate specific processing of the option [11]; for the Home Address
 option, these three bits are set to 110.  This indicates the
 following processing requirements:
 o  Any IPv6 node that does not recognize the Option Type must discard
    the packet, and if the packet's Destination Address was not a
    multicast address, return an ICMP Parameter Problem, Code 2,
    message to the packet's Source Address.  The Pointer field in the
    ICMP message SHOULD point at the Option Type field.  Otherwise,
    for multicast addresses, the ICMP message MUST NOT be sent.
 o  The data within the option cannot change en route to the packet's
    final destination.

Johnson, et al. Standard Track [Page 52] RFC 3775 Mobility Support in IPv6 June 2004

 The Home Address option MUST be placed as follows:
 o  After the routing header, if that header is present
 o  Before the Fragment Header, if that header is present
 o  Before the AH Header or ESP Header, if either one of those headers
    are present
 For each IPv6 packet header, the Home Address Option MUST NOT appear
 more than once.  However, an encapsulated packet [15] MAY contain a
 separate Home Address option associated with each encapsulating IP
 header.
 The inclusion of a Home Address destination option in a packet
 affects the receiving node's processing of only this single packet.
 No state is created or modified in the receiving node as a result of
 receiving a Home Address option in a packet.  In particular, the
 presence of a Home Address option in a received packet MUST NOT alter
 the contents of the receiver's Binding Cache and MUST NOT cause any
 changes in the routing of subsequent packets sent by this receiving
 node.

6.4. Type 2 Routing Header

 Mobile IPv6 defines a new routing header variant, the type 2 routing
 header, to allow the packet to be routed directly from a
 correspondent to the mobile node's care-of address.  The mobile
 node's care-of address is inserted into the IPv6 Destination Address
 field.  Once the packet arrives at the care-of address, the mobile
 node retrieves its home address from the routing header, and this is
 used as the final destination address for the packet.
 The new routing header uses a different type than defined for
 "regular" IPv6 source routing, enabling firewalls to apply different
 rules to source routed packets than to Mobile IPv6.  This routing
 header type (type 2) is restricted to carry only one IPv6 address.
 All IPv6 nodes which process this routing header MUST verify that the
 address contained within is the node's own home address in order to
 prevent packets from being forwarded outside the node.  The IP
 address contained in the routing header, since it is the mobile
 node's home address, MUST be a unicast routable address.
 Furthermore, if the scope of the home address is smaller than the
 scope of the care-of address, the mobile node MUST discard the packet
 (see Section 4.6).

Johnson, et al. Standard Track [Page 53] RFC 3775 Mobility Support in IPv6 June 2004

6.4.1. Format

 The type 2 routing header has the following format:
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |  Next Header  | Hdr Ext Len=2 | Routing Type=2|Segments Left=1|
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                            Reserved                           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                                                               |
 +                                                               +
 |                                                               |
 +                         Home Address                          +
 |                                                               |
 +                                                               +
 |                                                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Next Header
    8-bit selector.  Identifies the type of header immediately
    following the routing header.  Uses the same values as the IPv6
    Next Header field [11].
 Hdr Ext Len
    2 (8-bit unsigned integer);  length of the routing header in 8-
    octet units, not including the first 8 octets.
 Routing Type
    2 (8-bit unsigned integer).
 Segments Left
    1 (8-bit unsigned integer).
 Reserved
    32-bit reserved field.  The value MUST be initialized to zero by
    the sender, and MUST be ignored by the receiver.
 Home Address
    The Home Address of the destination Mobile Node.

Johnson, et al. Standard Track [Page 54] RFC 3775 Mobility Support in IPv6 June 2004

 For a type 2 routing header, the Hdr Ext Len MUST be 2.  The Segments
 Left value describes the number of route segments remaining; i.e.,
 number of explicitly listed intermediate nodes still to be visited
 before reaching the final destination.  Segments Left MUST be 1.  The
 ordering rules for extension headers in an IPv6 packet are described
 in Section 4.1 of RFC 2460 [11].  The type 2 routing header defined
 for Mobile IPv6 follows the same ordering as other routing headers.
 If both a type 0 and a type 2 routing header are present, the type 2
 routing header should follow the other routing header.  A packet
 containing such nested encapsulation should be created as if the
 inner (type 2) routing header was constructed first and then treated
 as an original packet by the outer (type 0) routing header
 construction process.
 In addition, the general procedures defined by IPv6 for routing
 headers suggest that a received routing header MAY be automatically
 "reversed" to construct a routing header for use in any response
 packets sent by upper-layer protocols, if the received packet is
 authenticated [6].  This MUST NOT be done automatically for type 2
 routing headers.

6.5. ICMP Home Agent Address Discovery Request Message

 The ICMP Home Agent Address Discovery Request message is used by a
 mobile node to initiate the dynamic home agent address discovery
 mechanism, as described in Section 11.4.1.  The mobile node sends the
 Home Agent Address Discovery Request message to the Mobile IPv6
 Home-Agents anycast address [16] for its own home subnet prefix.
 (Note that the currently defined anycast addresses may not work with
 all prefix lengths other than those defined in RFC 2373 [3, 35].)
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |     Type      |     Code      |            Checksum           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |          Identifier           |            Reserved           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type
    144
 Code

Johnson, et al. Standard Track [Page 55] RFC 3775 Mobility Support in IPv6 June 2004

 Checksum
    The ICMP checksum [14].
 Identifier
    An identifier to aid in matching Home Agent Address Discovery
    Reply messages to this Home Agent Address Discovery Request
    message.
 Reserved
    This field is unused.  It MUST be initialized to zero by the
    sender and MUST be ignored by the receiver.
 The Source Address of the Home Agent Address Discovery Request
 message packet is typically one of the mobile node's current care-of
 addresses.  At the time of performing this dynamic home agent address
 discovery procedure, it is likely that the mobile node is not
 registered with any home agent.  Therefore, neither the nature of the
 address nor the identity of the mobile node can be established at
 this time.  The home agent MUST then return the Home Agent Address
 Discovery Reply message directly to the Source Address chosen by the
 mobile node.

6.6. ICMP Home Agent Address Discovery Reply Message

 The ICMP Home Agent Address Discovery Reply message is used by a home
 agent to respond to a mobile node that uses the dynamic home agent
 address discovery mechanism, as described in Section 10.5.
   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |     Type      |     Code      |            Checksum           |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |           Identifier          |             Reserved          |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                                                               |
  +                                                               +
  .                                                               .
  .                      Home Agent Addresses                     .
  .                                                               .
  +                                                               +
  |                                                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Johnson, et al. Standard Track [Page 56] RFC 3775 Mobility Support in IPv6 June 2004

 Type
    145
 Code
 Checksum
    The ICMP checksum [14].
 Identifier
    The identifier from the invoking Home Agent Address Discovery
    Request message.
 Reserved
    This field is unused.  It MUST be initialized to zero by the
    sender and MUST be ignored by the receiver.
 Home Agent Addresses
    A list of addresses of home agents on the home link for the mobile
    node.  The number of addresses presented in the list is indicated
    by the remaining length of the IPv6 packet carrying the Home Agent
    Address Discovery Reply message.

6.7. ICMP Mobile Prefix Solicitation Message Format

 The ICMP Mobile Prefix Solicitation Message is sent by a mobile node
 to its home agent while it is away from home.  The purpose of the
 message is to solicit a Mobile Prefix Advertisement from the home
 agent, which will allow the mobile node to gather prefix information
 about its home network.  This information can be used to configure
 and update home address(es) according to changes in prefix
 information supplied by the home agent.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |     Type      |     Code      |          Checksum             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |          Identifier           |            Reserved           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Johnson, et al. Standard Track [Page 57] RFC 3775 Mobility Support in IPv6 June 2004

 IP Fields:
 Source Address
    The mobile node's care-of address.
 Destination Address
    The address of the mobile node's home agent.  This home agent must
    be on the link that the mobile node wishes to learn prefix
    information about.
 Hop Limit
    Set to an initial hop limit value, similarly to any other unicast
    packet sent by the mobile node.
 Destination Option:
    A Home Address destination option MUST be included.
 ESP header:
    IPsec headers MUST be supported and SHOULD be used as described in
    Section 5.4.
 ICMP Fields:
 Type
    146
 Code
 Checksum
    The ICMP checksum [14].
 Identifier
    An identifier to aid in matching a future Mobile Prefix
    Advertisement to this Mobile Prefix Solicitation.

Johnson, et al. Standard Track [Page 58] RFC 3775 Mobility Support in IPv6 June 2004

 Reserved
    This field is unused.  It MUST be initialized to zero by the
    sender and MUST be ignored by the receiver.
 The Mobile Prefix Solicitation messages may have options.  These
 options MUST use the option format defined in RFC 2461 [12].  This
 document does not define any option types for the Mobile Prefix
 Solicitation message, but future documents may define new options.
 Home agents MUST silently ignore any options they do not recognize
 and continue processing the message.

6.8. ICMP Mobile Prefix Advertisement Message Format

 A home agent will send a Mobile Prefix Advertisement to a mobile node
 to distribute prefix information about the home link while the mobile
 node is traveling away from the home network.  This will occur in
 response to a Mobile Prefix Solicitation with an Advertisement, or by
 an unsolicited Advertisement sent according to the rules in Section
 10.6.
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |     Type      |     Code      |          Checksum             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |          Identifier           |M|O|        Reserved           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |           Options ...
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 IP Fields:
 Source Address
    The home agent's address as the mobile node would expect to see it
    (i.e., same network prefix).
 Destination Address
    If this message is a response to a Mobile Prefix Solicitation,
    this field contains the Source Address field from that packet.
    For unsolicited messages, the mobile node's care-of address SHOULD
    be used.  Note that unsolicited messages can only be sent if the
    mobile node is currently registered with the home agent.

Johnson, et al. Standard Track [Page 59] RFC 3775 Mobility Support in IPv6 June 2004

 Routing header:
    A type 2 routing header MUST be included.
 ESP header:
    IPsec headers MUST be supported and SHOULD be used as described in
    Section 5.4.
 ICMP Fields:
 Type
    147
 Code
 Checksum
    The ICMP checksum [14].
 Identifier
    An identifier to aid in matching this Mobile Prefix Advertisement
    to a previous Mobile Prefix Solicitation.
 M
    1-bit Managed Address Configuration flag.  When set, hosts use the
    administered (stateful) protocol for address autoconfiguration in
    addition to any addresses autoconfigured using stateless address
    autoconfiguration.  The use of this flag is described in [12, 13].
 O
    1-bit Other Stateful Configuration flag.  When set, hosts use the
    administered (stateful) protocol for autoconfiguration of other
    (non-address) information.  The use of this flag is described in
    [12, 13].
 Reserved
    This field is unused.  It MUST be initialized to zero by the
    sender and MUST be ignored by the receiver.

Johnson, et al. Standard Track [Page 60] RFC 3775 Mobility Support in IPv6 June 2004

 The Mobile Prefix Advertisement messages may have options.  These
 options MUST use the option format defined in RFC 2461 [12].  This
 document defines one option which may be carried in a Mobile Prefix
 Advertisement message, but future documents may define new options.
 Mobile nodes MUST silently ignore any options they do not recognize
 and continue processing the message.
 Prefix Information
    Each message contains one or more Prefix Information options.
    Each option carries the prefix(es) that the mobile node should use
    to configure its home address(es).  Section 10.6 describes which
    prefixes should be advertised to the mobile node.
    The Prefix Information option is defined in Section 4.6.2 of RFC
    2461 [12], with modifications defined in Section 7.2 of this
    specification.  The home agent MUST use this modified Prefix
    Information option to send home network prefixes as defined in
    Section 10.6.1.
 If the Advertisement is sent in response to a Mobile Prefix
 Solicitation, the home agent MUST copy the Identifier value from that
 message into the Identifier field of the Advertisement.
 The home agent MUST NOT send more than one Mobile Prefix
 Advertisement message per second to any mobile node.
 The M and O bits MUST be cleared if the Home Agent DHCPv6 support is
 not provided.  If such support is provided then they are set in
 concert with the home network's administrative settings.

7. Modifications to IPv6 Neighbor Discovery

7.1. Modified Router Advertisement Message Format

 Mobile IPv6 modifies the format of the Router Advertisement message
 [12] by the addition of a single flag bit to indicate that the router
 sending the Advertisement message is serving as a home agent on this
 link.  The format of the Router Advertisement message is as follows:

Johnson, et al. Standard Track [Page 61] RFC 3775 Mobility Support in IPv6 June 2004

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |     Type      |     Code      |          Checksum             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | Cur Hop Limit |M|O|H| Reserved|       Router Lifetime         |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                         Reachable Time                        |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                          Retrans Timer                        |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |   Options ...
 +-+-+-+-+-+-+-+-+-+-+-+-
 This format represents the following changes over that originally
 specified for Neighbor Discovery [12]:
 Home Agent (H)
    The Home Agent (H) bit is set in a Router Advertisement to
    indicate that the router sending this Router Advertisement is also
    functioning as a Mobile IPv6 home agent on this link.
 Reserved
    Reduced from a 6-bit field to a 5-bit field to account for the
    addition of the above bit.

7.2. Modified Prefix Information Option Format

 Mobile IPv6 requires knowledge of a router's global address in
 building a Home Agents List as part of the dynamic home agent address
 discovery mechanism.
 However, Neighbor Discovery [12] only advertises a router's link-
 local address, by requiring this address to be used as the IP Source
 Address of each Router Advertisement.
 Mobile IPv6 extends Neighbor Discovery to allow a router to advertise
 its global address, by the addition of a single flag bit in the
 format of a Prefix Information option for use in Router Advertisement
 messages.  The format of the Prefix Information option is as follows:

Johnson, et al. Standard Track [Page 62] RFC 3775 Mobility Support in IPv6 June 2004

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |     Type      |    Length     | Prefix Length |L|A|R|Reserved1|
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                         Valid Lifetime                        |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                       Preferred Lifetime                      |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                           Reserved2                           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                                                               |
 +                                                               +
 |                                                               |
 +                            Prefix                             +
 |                                                               |
 +                                                               +
 |                                                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 This format represents the following changes over that originally
 specified for Neighbor Discovery [12]:
 Router Address (R)
    1-bit router address flag.  When set, indicates that the Prefix
    field contains a complete IP address assigned to the sending
    router.  The indicated prefix is the first Prefix Length bits of
    the Prefix field.  The router IP address has the same scope and
    conforms to the same lifetime values as the advertised prefix.
    This use of the Prefix field is compatible with its use in
    advertising the prefix itself, since Prefix Advertisement uses
    only the leading bits.  Interpretation of this flag bit is thus
    independent of the processing required for the On-Link (L) and
    Autonomous Address-Configuration (A) flag bits.
 Reserved1
    Reduced from a 6-bit field to a 5-bit field to account for the
    addition of the above bit.
 In a Router Advertisement, a home agent MUST, and all other routers
 MAY, include at least one Prefix Information option with the Router
 Address (R) bit set.  Neighbor Discovery specifies that, if including
 all options in a Router Advertisement causes the size of the
 Advertisement to exceed the link MTU, multiple Advertisements can be
 sent, each containing a subset of the options [12].  Also, when
 sending unsolicited multicast Router Advertisements more frequently

Johnson, et al. Standard Track [Page 63] RFC 3775 Mobility Support in IPv6 June 2004

 than the limit specified in RFC 2461 [12], the sending router need
 not include all options in each of these Advertisements.  However, in
 both of these cases the router SHOULD include at least one Prefix
 Information option with the Router Address (R) bit set in each such
 advertisement, if this bit is set in some advertisement sent by the
 router.
 In addition, the following requirement can assist mobile nodes in
 movement detection.  Barring changes in the prefixes for the link,
 routers that send multiple Router Advertisements with the Router
 Address (R) bit set in some of the included Prefix Information
 options SHOULD provide at least one option and router address which
 stays the same in all of the Advertisements.

7.3. New Advertisement Interval Option Format

 Mobile IPv6 defines a new Advertisement Interval option, used in
 Router Advertisement messages to advertise the interval at which the
 sending router sends unsolicited multicast Router Advertisements.
 The format of the Advertisement Interval option is as follows:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |     Type      |    Length     |           Reserved            |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                     Advertisement Interval                    |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type
    7
 Length
    8-bit unsigned integer.  The length of the option (including the
    type and length fields) is in units of 8 octets.  The value of
    this field MUST be 1.
 Reserved
    This field is unused.  It MUST be initialized to zero by the
    sender and MUST be ignored by the receiver.

Johnson, et al. Standard Track [Page 64] RFC 3775 Mobility Support in IPv6 June 2004

 Advertisement Interval
    32-bit unsigned integer.  The maximum time, in milliseconds,
    between successive unsolicited Router Advertisement messages sent
    by this router on this network interface.  Using the conceptual
    router configuration variables defined by Neighbor Discovery [12],
    this field MUST be equal to the value MaxRtrAdvInterval, expressed
    in milliseconds.
 Routers MAY include this option in their Router Advertisements.  A
 mobile node receiving a Router Advertisement containing this option
 SHOULD utilize the specified Advertisement Interval for that router
 in its movement detection algorithm, as described in Section 11.5.1.
 This option MUST be silently ignored for other Neighbor Discovery
 messages.

7.4. New Home Agent Information Option Format

 Mobile IPv6 defines a new Home Agent Information option, used in
 Router Advertisements sent by a home agent to advertise information
 specific to this router's functionality as a home agent.  The format
 of the Home Agent Information option is as follows:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |     Type      |    Length     |           Reserved            |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |     Home Agent Preference     |      Home Agent Lifetime      |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type
    8
 Length
    8-bit unsigned integer.  The length of the option (including the
    type and length fields) in units of 8 octets.  The value of this
    field MUST be 1.
 Reserved
    This field is unused.  It MUST be initialized to zero by the
    sender and MUST be ignored by the receiver.

Johnson, et al. Standard Track [Page 65] RFC 3775 Mobility Support in IPv6 June 2004

 Home Agent Preference
    16-bit unsigned integer.  The preference for the home agent
    sending this Router Advertisement, for use in ordering the
    addresses returned to a mobile node in the Home Agent Addresses
    field of a Home Agent Address Discovery Reply message.  Higher
    values mean more preferable.  If this option is not included in a
    Router Advertisement in which the Home Agent (H) bit is set, the
    preference value for this home agent MUST be considered to be 0.
    Greater values indicate a more preferable home agent than lower
    values.
    The manual configuration of the Home Agent Preference value is
    described in Section 8.4.  In addition, the sending home agent MAY
    dynamically set the Home Agent Preference value, for example
    basing it on the number of mobile nodes it is currently serving or
    on its remaining resources for serving additional mobile nodes;
    such dynamic settings are beyond the scope of this document.  Any
    such dynamic setting of the Home Agent Preference, however, MUST
    set the preference appropriately, relative to the default Home
    Agent Preference value of 0 that may be in use by some home agents
    on this link (i.e., a home agent not including a Home Agent
    Information option in its Router Advertisements will be considered
    to have a Home Agent Preference value of 0).
 Home Agent Lifetime
    16-bit unsigned integer.  The lifetime associated with the home
    agent in units of seconds.  The default value is the same as the
    Router Lifetime, as specified in the main body of the Router
    Advertisement.  The maximum value corresponds to 18.2 hours.  A
    value of 0 MUST NOT be used.  The Home Agent Lifetime applies only
    to this router's usefulness as a home agent; it does not apply to
    information contained in other message fields or options.
 Home agents MAY include this option in their Router Advertisements.
 This option MUST NOT be included in a Router Advertisement in which
 the Home Agent (H) bit (see Section 7.1) is not set.  If this option
 is not included in a Router Advertisement in which the Home Agent (H)
 bit is set, the lifetime for this home agent MUST be considered to be
 the same as the Router Lifetime in the Router Advertisement.  If
 multiple Advertisements are being sent instead of a single larger
 unsolicited multicast Advertisement, all of the multiple
 Advertisements with the Router Address (R) bit set MUST include this
 option with the same contents, otherwise this option MUST be omitted
 from all Advertisements.

Johnson, et al. Standard Track [Page 66] RFC 3775 Mobility Support in IPv6 June 2004

 This option MUST be silently ignored for other Neighbor Discovery
 messages.
 If both the Home Agent Preference and Home Agent Lifetime are set to
 their default values specified above, this option SHOULD NOT be
 included in the Router Advertisement messages sent by this home
 agent.

7.5. Changes to Sending Router Advertisements

 The Neighbor Discovery protocol specification [12] limits routers to
 a minimum interval of 3 seconds between sending unsolicited multicast
 Router Advertisement messages from any given network interface
 (limited by MinRtrAdvInterval and MaxRtrAdvInterval), stating that:
    "Routers generate Router Advertisements frequently enough that
    hosts will learn of their presence within a few minutes, but not
    frequently enough to rely on an absence of advertisements to
    detect router failure; a separate Neighbor Unreachability
    Detection algorithm provides failure detection."
 This limitation, however, is not suitable to providing timely
 movement detection for mobile nodes.  Mobile nodes detect their own
 movement by learning the presence of new routers as the mobile node
 moves into wireless transmission range of them (or physically
 connects to a new wired network), and by learning that previous
 routers are no longer reachable.  Mobile nodes MUST be able to
 quickly detect when they move to a link served by a new router, so
 that they can acquire a new care-of address and send Binding Updates
 to register this care-of address with their home agent and to notify
 correspondent nodes as needed.
 One method which can provide for faster movement detection, is to
 increase the rate at which unsolicited Router Advertisements are
 sent.  Mobile IPv6 relaxes this limit such that routers MAY send
 unsolicited multicast Router Advertisements more frequently.  This
 method can be applied where the router is expecting to provide
 service to visiting mobile nodes (e.g., wireless network interfaces),
 or on which it is serving as a home agent to one or more mobile nodes
 (who may return home and need to hear its Advertisements).
 Routers supporting mobility SHOULD be able to be configured with a
 smaller MinRtrAdvInterval value and MaxRtrAdvInterval value to allow
 sending of unsolicited multicast Router Advertisements more often.
 The minimum allowed values are:

Johnson, et al. Standard Track [Page 67] RFC 3775 Mobility Support in IPv6 June 2004

 o  MinRtrAdvInterval 0.03 seconds
 o  MaxRtrAdvInterval 0.07 seconds
 In the case where the minimum intervals and delays are used, the mean
 time between unsolicited multicast router advertisements is 50 ms.
 Use of these modified limits MUST be configurable (see also the
 configuration variable MinDelayBetweenRas in Section 13 which may
 also have to be modified accordingly).  Systems where these values
 are available MUST NOT default to them, and SHOULD default to values
 specified in RFC 2461.  Knowledge of the type of network interface
 and operating environment SHOULD be taken into account in configuring
 these limits for each network interface.  This is important with some
 wireless links, where increasing the frequency of multicast beacons
 can cause considerable overhead.  Routers SHOULD adhere to the
 intervals specified in RFC 2461 [12], if this overhead is likely to
 cause service degradation.
 Additionally, the possible low values of MaxRtrAdvInterval may cause
 some problems with movement detection in some mobile nodes.  To
 ensure that this is not a problem, Routers SHOULD add 20 ms to any
 Advertisement Intervals sent in RAs, which are below 200 ms, in order
 to account for scheduling granularities on both the MN and the
 Router.
 Note that multicast Router Advertisements are not always required in
 certain wireless networks that have limited bandwidth.  Mobility
 detection or link changes in such networks may be done at lower
 layers.  Router advertisements in such networks SHOULD be sent only
 when solicited.  In such networks it SHOULD be possible to disable
 unsolicited multicast Router Advertisements on specific interfaces.
 The MinRtrAdvInterval and MaxRtrAdvInterval in such a case can be set
 to some high values.
 Home agents MUST include the Source Link-Layer Address option in all
 Router Advertisements they send.  This simplifies the process of
 returning home, as discussed in Section 11.5.4.
 Note that according to RFC 2461 [12], AdvDefaultLifetime is by
 default based on the value of MaxRtrAdvInterval.  AdvDefaultLifetime
 is used in the Router Lifetime field of Router Advertisements.  Given
 that this field is expressed in seconds, a small MaxRtrAdvInterval
 value can result in a zero value for this field.  To prevent this,
 routers SHOULD keep AdvDefaultLifetime in at least one second, even
 if the use of MaxRtrAdvInterval would result in a smaller value.

Johnson, et al. Standard Track [Page 68] RFC 3775 Mobility Support in IPv6 June 2004

8. Requirements for Types of IPv6 Nodes

 Mobile IPv6 places some special requirements on the functions
 provided by different types of IPv6 nodes.  This section summarizes
 those requirements, identifying the functionality each requirement is
 intended to support.
 The requirements are set for the following groups of nodes:
 o  All IPv6 nodes.
 o  All IPv6 nodes with support for route optimization.
 o  All IPv6 routers.
 o  All Mobile IPv6 home agents.
 o  All Mobile IPv6 mobile nodes.
 It is outside the scope of this specification to specify which of
 these groups are mandatory in IPv6.  We only describe what is
 mandatory for a node that supports, for instance, route optimization.
 Other specifications are expected to define the extent of IPv6.

8.1. All IPv6 Nodes

 Any IPv6 node may at any time be a correspondent node of a mobile
 node, either sending a packet to a mobile node or receiving a packet
 from a mobile node.  There are no Mobile IPv6 specific MUST
 requirements for such nodes, and basic IPv6 techniques are
 sufficient.  If a mobile node attempts to set up route optimization
 with a node with only basic IPv6 support, an ICMP error will signal
 that the node does not support such optimizations (Section 11.3.5),
 and communications will flow through the home agent.
 An IPv6 node MUST NOT support the Home Address destination option,
 type 2 routing header, or the Mobility Header unless it fully
 supports the requirements listed in the next sections for either
 route optimization, mobile node, or home agent functionality.

8.2. IPv6 Nodes with Support for Route Optimization

 Nodes that implement route optimization are a subset of all IPv6
 nodes on the Internet.  The ability of a correspondent node to
 participate in route optimization is essential for the efficient
 operation of the IPv6 Internet, for the following reasons:

Johnson, et al. Standard Track [Page 69] RFC 3775 Mobility Support in IPv6 June 2004

 o  Avoidance of congestion in the home network, and enabling the use
    of lower-performance home agent equipment even for supporting
    thousands of mobile nodes.
 o  Reduced network load across the entire Internet, as mobile devices
    begin to predominate.
 o  Reduction of jitter and latency for the communications.
 o  Greater likelihood of success for QoS signaling as tunneling is
    avoided and, again, fewer sources of congestion.
 o  Improved robustness against network partitions, congestion, and
    other problems, since fewer routing path segments are traversed.
 These effects combine to enable much better performance and
 robustness for communications between mobile nodes and IPv6
 correspondent nodes.  Route optimization introduces a small amount of
 additional state for the peers, some additional messaging, and up to
 1.5 roundtrip delays before it can be turned on.  However, it is
 believed that the benefits far outweigh the costs in most cases.
 Section 11.3.1 discusses how mobile nodes may avoid route
 optimization for some of the remaining cases, such as very short-term
 communications.
 The following requirements apply to all correspondent nodes that
 support route optimization:
 o  The node MUST be able to validate a Home Address option using an
    existing Binding Cache entry, as described in Section 9.3.1.
 o  The node MUST be able to insert a type 2 routing header into
    packets to be sent to a mobile node, as described in Section
    9.3.2.
 o  Unless the correspondent node is also acting as a mobile node, it
    MUST ignore type 2 routing headers and silently discard all
    packets that it has received with such headers.
 o  The node SHOULD be able to interpret ICMP messages as described in
    Section 9.3.4.
 o  The node MUST be able to send Binding Error messages as described
    in Section 9.3.3.
 o  The node MUST be able to process Mobility Headers as described in
    Section 9.2.

Johnson, et al. Standard Track [Page 70] RFC 3775 Mobility Support in IPv6 June 2004

 o  The node MUST be able to participate in a return routability
    procedure (Section 9.4).
 o  The node MUST be able to process Binding Update messages (Section
    9.5).
 o  The node MUST be able to return a Binding Acknowledgement (Section
    9.5.4).
 o  The node MUST be able to maintain a Binding Cache of the bindings
    received in accepted Binding Updates, as described in Section 9.1
    and Section 9.6.
 o  The node SHOULD allow route optimization to be administratively
    enabled or disabled.  The default SHOULD be enabled.

8.3. All IPv6 Routers

 All IPv6 routers, even those not serving as a home agent for Mobile
 IPv6, have an effect on how well mobile nodes can communicate:
 o  Every IPv6 router SHOULD be able to send an Advertisement Interval
    option (Section 7.3) in each of its Router Advertisements [12], to
    aid movement detection by mobile nodes (as in Section 11.5.1).
    The use of this option in Router Advertisements SHOULD be
    configurable.
 o  Every IPv6 router SHOULD be able to support sending unsolicited
    multicast Router Advertisements at the faster rate described in
    Section 7.5.  If the router supports a faster rate, the used rate
    MUST be configurable.
 o  Each router SHOULD include at least one prefix with the Router
    Address (R) bit set and with its full IP address in its Router
    Advertisements (as described in Section 7.2).
 o  Routers supporting filtering packets with routing headers SHOULD
    support different rules for type 0 and type 2 routing headers (see
    Section 6.4) so that filtering of source routed packets (type 0)
    will not necessarily limit Mobile IPv6 traffic which is delivered
    via type 2 routing headers.

8.4. IPv6 Home Agents

 In order for a mobile node to operate correctly while away from home,
 at least one IPv6 router on the mobile node's home link must function
 as a home agent for the mobile node.  The following additional
 requirements apply to all IPv6 routers that serve as a home agent:

Johnson, et al. Standard Track [Page 71] RFC 3775 Mobility Support in IPv6 June 2004

 o  Every home agent MUST be able to maintain an entry in its Binding
    Cache for each mobile node for which it is serving as the home
    agent (Section 10.1 and Section 10.3.1).
 o  Every home agent MUST be able to intercept packets (using proxy
    Neighbor Discovery [12]) addressed to a mobile node for which it
    is currently serving as the home agent, on that mobile node's home
    link, while the mobile node is away from home (Section 10.4.1).
 o  Every home agent MUST be able to encapsulate [15] such intercepted
    packets in order to tunnel them to the primary care-of address for
    the mobile node indicated in its binding in the home agent's
    Binding Cache (Section 10.4.2).
 o  Every home agent MUST support decapsulating [15] reverse tunneled
    packets sent to it from a mobile node's home address.  Every home
    agent MUST also check that the source address in the tunneled
    packets corresponds to the currently registered location of the
    mobile node (Section 10.4.5).
 o  The node MUST be able to process Mobility Headers as described in
    Section 10.2.
 o  Every home agent MUST be able to return a Binding Acknowledgement
    in response to a Binding Update (Section 10.3.1).
 o  Every home agent MUST maintain a separate Home Agents List for
    each link on which it is serving as a home agent, as described in
    Section 10.1 and Section 10.5.1.
 o  Every home agent MUST be able to accept packets addressed to the
    Mobile IPv6 Home-Agents anycast address [16] for the subnet on
    which it is serving as a home agent, and MUST be able to
    participate in dynamic home agent address discovery (Section
    10.5).
 o  Every home agent SHOULD support a configuration mechanism to allow
    a system administrator to manually set the value to be sent by
    this home agent in the Home Agent Preference field of the Home
    Agent Information Option in Router Advertisements that it sends
    (Section 7.4).
 o  Every home agent SHOULD support sending ICMP Mobile Prefix
    Advertisements (Section 6.8), and SHOULD respond to Mobile Prefix
    Solicitations (Section 6.7).  If supported, this behavior MUST be
    configurable, so that home agents can be configured to avoid
    sending such Prefix Advertisements according to the needs of the
    network administration in the home domain.

Johnson, et al. Standard Track [Page 72] RFC 3775 Mobility Support in IPv6 June 2004

 o  Every home agent MUST support IPsec ESP for protection of packets
    belonging to the return routability procedure (Section 10.4.6).
 o  Every home agent SHOULD support the multicast group membership
    control protocols as described in Section 10.4.3.  If this support
    is provided, the home agent MUST be capable of using it to
    determine which multicast data packets to forward via the tunnel
    to the mobile node.
 o  Home agents MAY support stateful address autoconfiguration for
    mobile nodes as described in Section 10.4.4.

8.5. IPv6 Mobile Nodes

 Finally, the following requirements apply to all IPv6 nodes capable
 of functioning as mobile nodes:
 o  The node MUST maintain a Binding Update List (Section 11.1).
 o  The node MUST support sending packets containing a Home Address
    option (Section 11.3.1), and follow the required IPsec interaction
    (Section 11.3.2).
 o  The node MUST be able to perform IPv6 encapsulation and
    decapsulation [15].
 o  The node MUST be able to process type 2 routing header as defined
    in Section 6.4 and Section 11.3.3.
 o  The node MUST support receiving a Binding Error message (Section
    11.3.6).
 o  The node MUST support receiving ICMP errors (Section 11.3.5).
 o  The node MUST support movement detection, care-of address
    formation, and returning home (Section 11.5).
 o  The node MUST be able to process Mobility Headers as described in
    Section 11.2.
 o  The node MUST support the return routability procedure (Section
    11.6).
 o  The node MUST be able to send Binding Updates, as specified in
    Section 11.7.1 and Section 11.7.2.
 o  The node MUST be able to receive and process Binding
    Acknowledgements, as specified in Section 11.7.3.

Johnson, et al. Standard Track [Page 73] RFC 3775 Mobility Support in IPv6 June 2004

 o  The node MUST support receiving a Binding Refresh Request (Section
    6.1.2), by responding with a Binding Update.
 o  The node MUST support receiving Mobile Prefix Advertisements
    (Section 11.4.3) and reconfiguring its home address based on the
    prefix information contained therein.
 o  The node SHOULD support use of the dynamic home agent address
    discovery mechanism, as described in Section 11.4.1.
 o  The node MUST allow route optimization to be administratively
    enabled or disabled.  The default SHOULD be enabled.
 o  The node MAY support the multicast address listener part of a
    multicast group membership protocol as described in Section
    11.3.4.  If this support is provided, the mobile node MUST be able
    to receive tunneled multicast packets from the home agent.
 o  The node MAY support stateful address autoconfiguration mechanisms
    such as DHCPv6 [29] on the interface represented by the tunnel to
    the home agent.

9. Correspondent Node Operation

9.1. Conceptual Data Structures

 IPv6 nodes with route optimization support maintain a Binding Cache
 of bindings for other nodes.  A separate Binding Cache SHOULD be
 maintained by each IPv6 node for each of its unicast routable
 addresses.  The Binding Cache MAY be implemented in any manner
 consistent with the external behavior described in this document, for
 example by being combined with the node's Destination Cache as
 maintained by Neighbor Discovery [12].  When sending a packet, the
 Binding Cache is searched before the Neighbor Discovery conceptual
 Destination Cache [12].
 Each Binding Cache entry conceptually contains the following fields:
 o  The home address of the mobile node for which this is the Binding
    Cache entry.  This field is used as the key for searching the
    Binding Cache for the destination address of a packet being sent.
 o  The care-of address for the mobile node indicated by the home
    address field in this Binding Cache entry.

Johnson, et al. Standard Track [Page 74] RFC 3775 Mobility Support in IPv6 June 2004

 o  A lifetime value, indicating the remaining lifetime for this
    Binding Cache entry.  The lifetime value is initialized from the
    Lifetime field in the Binding Update that created or last modified
    this Binding Cache entry.
 o  A flag indicating whether or not this Binding Cache entry is a
    home registration entry (applicable only on nodes which support
    home agent functionality).
 o  The maximum value of the Sequence Number field received in
    previous Binding Updates for this home address.  The Sequence
    Number field is 16 bits long.  Sequence Number values MUST be
    compared modulo 2**16 as explained in Section 9.5.1.
 o  Usage information for this Binding Cache entry.  This is needed to
    implement the cache replacement policy in use in the Binding
    Cache.  Recent use of a cache entry also serves as an indication
    that a Binding Refresh Request should be sent when the lifetime of
    this entry nears expiration.
 Binding Cache entries not marked as home registrations MAY be
 replaced at any time by any reasonable local cache replacement policy
 but SHOULD NOT be unnecessarily deleted.  The Binding Cache for any
 one of a node's IPv6 addresses may contain at most one entry for each
 mobile node home address.  The contents of a node's Binding Cache
 MUST NOT be changed in response to a Home Address option in a
 received packet.

9.2. Processing Mobility Headers

 Mobility Header processing MUST observe the following rules:
 o  The checksum must be verified as per Section 6.1.  Otherwise, the
    node MUST silently discard the message.
 o  The MH Type field MUST have a known value (Section 6.1.1).
    Otherwise, the node MUST discard the message and issue a Binding
    Error message as described in Section 9.3.3, with Status field set
    to 2 (unrecognized MH Type value).
 o  The Payload Proto field MUST be IPPROTO_NONE (59 decimal).
    Otherwise, the node MUST discard the message and SHOULD send ICMP
    Parameter Problem, Code 0, directly to the Source Address of the
    packet as specified in RFC 2463 [14].  Thus no Binding Cache
    information is used in sending the ICMP message.  The Pointer
    field in the ICMP message SHOULD point at the Payload Proto field.

Johnson, et al. Standard Track [Page 75] RFC 3775 Mobility Support in IPv6 June 2004

 o  The Header Len field in the Mobility Header MUST NOT be less than
    the length specified for this particular type of message in
    Section 6.1.  Otherwise, the node MUST discard the message and
    SHOULD send ICMP Parameter Problem, Code 0, directly to the Source
    Address of the packet as specified in RFC 2463 [14].  (The Binding
    Cache information is again not used.) The Pointer field in the
    ICMP message SHOULD point at the Header Len field.
    Subsequent checks depend on the particular Mobility Header.

9.3. Packet Processing

 This section describes how the correspondent node sends packets to
 the mobile node, and receives packets from it.

9.3.1. Receiving Packets with Home Address Option

 Packets containing a Home Address option MUST be dropped if the given
 home address is not a unicast routable address.
 Mobile nodes can include a Home Address destination option in a
 packet if they believe the correspondent node has a Binding Cache
 entry for the home address of a mobile node.  Packets containing a
 Home Address option MUST be dropped if there is no corresponding
 Binding Cache entry.  A corresponding Binding Cache entry MUST have
 the same home address as appears in the Home Address destination
 option, and the currently registered care-of address MUST be equal to
 the source address of the packet.  These tests MUST NOT be done for
 packets that contain a Home Address option and a Binding Update.
 If the packet is dropped due the above tests, the correspondent node
 MUST send the Binding Error message as described in Section 9.3.3.
 The Status field in this message should be set to 1 (unknown binding
 for Home Address destination option).
 The correspondent node MUST process the option in a manner consistent
 with exchanging the Home Address field from the Home Address option
 into the IPv6 header and replacing the original value of the Source
 Address field there.  After all IPv6 options have been processed, it
 MUST be possible for upper layers to process the packet without the
 knowledge that it came originally from a care-of address or that a
 Home Address option was used.
 The use of IPsec Authentication Header (AH) for the Home Address
 option is not required, except that if the IPv6 header of a packet is
 covered by AH, then the authentication MUST also cover the Home
 Address option; this coverage is achieved automatically by the
 definition of the Option Type code for the Home Address option, since

Johnson, et al. Standard Track [Page 76] RFC 3775 Mobility Support in IPv6 June 2004

 it indicates that the data within the option cannot change en route
 to the packet's final destination, and thus the option is included in
 the AH computation.  By requiring that any authentication of the IPv6
 header also cover the Home Address option, the security of the Source
 Address field in the IPv6 header is not compromised by the presence
 of a Home Address option.
 When attempting to verify AH authentication data in a packet that
 contains a Home Address option, the receiving node MUST calculate the
 AH authentication data as if the following were true: The Home
 Address option contains the care-of address, and the source IPv6
 address field of the IPv6 header contains the home address.  This
 conforms with the calculation specified in Section 11.3.2.

9.3.2. Sending Packets to a Mobile Node

 Before sending any packet, the sending node SHOULD examine its
 Binding Cache for an entry for the destination address to which the
 packet is being sent.  If the sending node has a Binding Cache entry
 for this address, the sending node SHOULD use a type 2 routing header
 to route the packet to this mobile node (the destination node) by way
 of its care-of address.  However, the sending node MUST not do this
 in the following cases:
 o  When sending an IPv6 Neighbor Discovery [12] packet.
 o  Where otherwise noted in Section 6.1.
 When calculating authentication data in a packet that contains a type
 2 routing header, the correspondent node MUST calculate the AH
 authentication data as if the following were true: The routing header
 contains the care-of address, the destination IPv6 address field of
 the IPv6 header contains the home address, and the Segments Left
 field is zero.  The IPsec Security Policy Database lookup MUST based
 on the mobile node's home address.
 For instance, assuming there are no additional routing headers in
 this packet beyond those needed by Mobile IPv6, the correspondent
 node could set the fields in the packet's IPv6 header and routing
 header as follows:
 o  The Destination Address in the packet's IPv6 header is set to the
    mobile node's home address (the original destination address to
    which the packet was being sent).

Johnson, et al. Standard Track [Page 77] RFC 3775 Mobility Support in IPv6 June 2004

 o  The routing header is initialized to contain a single route
    segment, containing the mobile node's care-of address copied from
    the Binding Cache entry.  The Segments Left field is, however,
    temporarily set to zero.
 The IP layer will insert the routing header before performing any
 necessary IPsec processing.  Once all IPsec processing has been
 performed, the node swaps the IPv6 destination field with the Home
 Address field in the routing header, sets the Segments Left field to
 one, and sends the packet.  This ensures the AH calculation is done
 on the packet in the form it will have on the receiver after
 advancing the routing header.
 Following the definition of a type 2 routing header in Section 6.4,
 this packet will be routed to the mobile node's care-of address,
 where it will be delivered to the mobile node (the mobile node has
 associated the care-of address with its network interface).
 Note that following the above conceptual model in an implementation
 creates some additional requirements for path MTU discovery since the
 layer that decides the packet size (e.g., TCP and applications using
 UDP) needs to be aware of the size of the headers added by the IP
 layer on the sending node.
 If, instead, the sending node has no Binding Cache entry for the
 destination address to which the packet is being sent, the sending
 node simply sends the packet normally, with no routing header.  If
 the destination node is not a mobile node (or is a mobile node that
 is currently at home), the packet will be delivered directly to this
 node and processed normally by it.  If, however, the destination node
 is a mobile node that is currently away from home, the packet will be
 intercepted by the mobile node's home agent and tunneled to the
 mobile node's current primary care-of address.

9.3.3. Sending Binding Error Messages

 Section 9.2 and Section 9.3.1 describe error conditions that lead to
 a need to send a Binding Error message.
 A Binding Error message is sent directly to the address that appeared
 in the IPv6 Source Address field of the offending packet.  If the
 Source Address field does not contain a unicast address, the Binding
 Error message MUST NOT be sent.
 The Home Address field in the Binding Error message MUST be copied
 from the Home Address field in the Home Address destination option of
 the offending packet, or set to the unspecified address if no such
 option appeared in the packet.

Johnson, et al. Standard Track [Page 78] RFC 3775 Mobility Support in IPv6 June 2004

 Note that the IPv6 Source Address and Home Address field values
 discussed above are the values from the wire, i.e., before any
 modifications possibly performed as specified in Section 9.3.1.
 Binding Error messages SHOULD be subject to rate limiting in the same
 manner as is done for ICMPv6 messages [14].

9.3.4. Receiving ICMP Error Messages

 When the correspondent node has a Binding Cache entry for a mobile
 node, all traffic destined to the mobile node goes directly to the
 current care-of address of the mobile node using a routing header.
 Any ICMP error message caused by packets on their way to the care-of
 address will be returned in the normal manner to the correspondent
 node.
 On the other hand, if the correspondent node has no Binding Cache
 entry for the mobile node, the packet will be routed through the
 mobile node's home link.  Any ICMP error message caused by the packet
 on its way to the mobile node while in the tunnel, will be
 transmitted to the mobile node's home agent.  By the definition of
 IPv6 encapsulation [15], the home agent MUST relay certain ICMP error
 messages back to the original sender of the packet, which in this
 case is the correspondent node.
 Thus, in all cases, any meaningful ICMP error messages caused by
 packets from a correspondent node to a mobile node will be returned
 to the correspondent node.  If the correspondent node receives
 persistent ICMP Destination Unreachable messages after sending
 packets to a mobile node based on an entry in its Binding Cache, the
 correspondent node SHOULD delete this Binding Cache entry.  Note that
 if the mobile node continues to send packets with the Home Address
 destination option to this correspondent node, they will be dropped
 due to the lack of a binding.  For this reason it is important that
 only persistent ICMP messages lead to the deletion of the Binding
 Cache entry.

9.4. Return Routability Procedure

 This subsection specifies actions taken by a correspondent node
 during the return routability procedure.

Johnson, et al. Standard Track [Page 79] RFC 3775 Mobility Support in IPv6 June 2004

9.4.1. Receiving Home Test Init Messages

 Upon receiving a Home Test Init message, the correspondent node
 verifies the following:
 o  The packet MUST NOT include a Home Address destination option.
 Any packet carrying a Home Test Init message which fails to satisfy
 all of these tests MUST be silently ignored.
 Otherwise, in preparation for sending the corresponding Home Test
 Message, the correspondent node checks that it has the necessary
 material to engage in a return routability procedure, as specified in
 Section 5.2.  The correspondent node MUST have a secret Kcn and a
 nonce.  If it does not have this material yet, it MUST produce it
 before continuing with the return routability procedure.
 Section 9.4.3 specifies further processing.

9.4.2. Receiving Care-of Test Init Messages

 Upon receiving a Care-of Test Init message, the correspondent node
 verifies the following:
 o  The packet MUST NOT include a Home Address destination option.
 Any packet carrying a Care-of Test Init message which fails to
 satisfy all of these tests MUST be silently ignored.
 Otherwise, in preparation for sending the corresponding Care-of Test
 Message, the correspondent node checks that it has the necessary
 material to engage in a return routability procedure in the manner
 described in Section 9.4.1.
 Section 9.4.4 specifies further processing.

9.4.3. Sending Home Test Messages

 The correspondent node creates a home keygen token and uses the
 current nonce index as the Home Nonce Index.  It then creates a Home
 Test message (Section 6.1.5) and sends it to the mobile node at the
 latter's home address.

Johnson, et al. Standard Track [Page 80] RFC 3775 Mobility Support in IPv6 June 2004

9.4.4. Sending Care-of Test Messages

 The correspondent node creates a care-of keygen token and uses the
 current nonce index as the Care-of Nonce Index.  It then creates a
 Care-of Test message (Section 6.1.6) and sends it to the mobile node
 at the latter's care-of address.

9.5. Processing Bindings

 This section explains how the correspondent node processes messages
 related to bindings.  These messages are:
 o  Binding Update
 o  Binding Refresh Request
 o  Binding Acknowledgement
 o  Binding Error

9.5.1. Receiving Binding Updates

 Before accepting a Binding Update, the receiving node MUST validate
 the Binding Update according to the following tests:
 o  The packet MUST contain a unicast routable home address, either in
    the Home Address option or in the Source Address, if the Home
    Address option is not present.
 o  The Sequence Number field in the Binding Update is greater than
    the Sequence Number received in the previous valid Binding Update
    for this home address, if any.
 If the receiving node has no Binding Cache entry for the indicated
 home address, it MUST accept any Sequence Number value in a received
 Binding Update from this mobile node.
 This Sequence Number comparison MUST be performed modulo 2**16, i.e.,
 the number is a free running counter represented modulo 65536.  A
 Sequence Number in a received Binding Update is considered less than
 or equal to the last received number if its value lies in the range
 of the last received number and the preceding 32768 values,
 inclusive.  For example, if the last received sequence number was 15,
 then messages with sequence numbers 0 through 15, as well as 32783
 through 65535, would be considered less than or equal.

Johnson, et al. Standard Track [Page 81] RFC 3775 Mobility Support in IPv6 June 2004

 When the Home Registration (H) bit is not set, the following are also
 required:
 o  A Nonce Indices mobility option MUST be present, and the Home and
    Care-of Nonce Index values in this option MUST be recent enough to
    be recognized by the correspondent node.  (Care-of Nonce Index
    values are not inspected for requests to delete a binding.)
 o  The correspondent node MUST re-generate the home keygen token and
    the care-of keygen token from the information contained in the
    packet.  It then generates the binding management key Kbm and uses
    it to verify the authenticator field in the Binding Update as
    specified in Section 6.1.7.
 o  The Binding Authorization Data mobility option MUST be present,
    and its contents MUST satisfy rules presented in Section 5.2.6.
    Note that a care-of address different from the Source Address MAY
    have been specified by including an Alternate Care-of Address
    mobility option in the Binding Update.  When such a message is
    received and the return routability procedure is used as an
    authorization method, the correspondent node MUST verify the
    authenticator by using the address within the Alternate Care-of
    Address in the calculations.
 o  The Binding Authorization Data mobility option MUST be the last
    option and MUST NOT have trailing padding.
 If the Home Registration (H) bit is set, the Nonce Indices mobility
 option MUST NOT be present.
 If the mobile node sends a sequence number which is not greater than
 the sequence number from the last valid Binding Update for this home
 address, then the receiving node MUST send back a Binding
 Acknowledgement with status code 135, and the last accepted sequence
 number in the Sequence Number field of the Binding Acknowledgement.
 If a binding already exists for the given home address and the home
 registration flag has a different value than the Home Registration
 (H) bit in the Binding Update, then the receiving node MUST send back
 a Binding Acknowledgement with status code 139 (registration type
 change disallowed).  The home registration flag stored in the Binding
 Cache entry MUST NOT be changed.
 If the receiving node no longer recognizes the Home Nonce Index
 value, Care-of Nonce Index value, or both values from the Binding
 Update, then the receiving node MUST send back a Binding
 Acknowledgement with status code 136, 137, or 138, respectively.

Johnson, et al. Standard Track [Page 82] RFC 3775 Mobility Support in IPv6 June 2004

 Packets carrying Binding Updates that fail to satisfy all of these
 tests for any reason other than insufficiency of the Sequence Number,
 registration type change, or expired nonce index values, MUST be
 silently discarded.
 If the Binding Update is valid according to the tests above, then the
 Binding Update is processed further as follows:
 o  The Sequence Number value received from a mobile node in a Binding
    Update is stored by the receiving node in its Binding Cache entry
    for the given home address.
 o  If the Lifetime specified in the Binding Update is nonzero and the
    specified care-of address is not equal to the home address for the
    binding, then this is a request to cache a binding for the home
    address.  If the Home Registration (H) bit is set in the Binding
    Update, the Binding Update is processed according to the procedure
    specified in Section 10.3.1; otherwise, it is processed according
    to the procedure specified in Section 9.5.2.
 o  If the Lifetime specified in the Binding Update is zero or the
    specified care-of address matches the home address for the
    binding, then this is a request to delete the cached binding for
    the home address.  In this case, the Binding Update MUST include a
    valid home nonce index, and the care-of nonce index MUST be
    ignored by the correspondent node.  The generation of the binding
    management key depends then exclusively on the home keygen token
    (Section 5.2.5).  If the Home Registration (H) bit is set in the
    Binding Update, the Binding Update is processed according to the
    procedure specified in Section 10.3.2; otherwise, it is processed
    according to the procedure specified in Section 9.5.3.
 The specified care-of address MUST be determined as follows:
 o  If the Alternate Care-of Address option is present, the care-of
    address is the address in that option.
 o  Otherwise, the care-of address is the Source Address field in the
    packet's IPv6 header.
 The home address for the binding MUST be determined as follows:
 o  If the Home Address destination option is present, the home
    address is the address in that option.
 o  Otherwise, the home address is the Source Address field in the
    packet's IPv6 header.

Johnson, et al. Standard Track [Page 83] RFC 3775 Mobility Support in IPv6 June 2004

9.5.2. Requests to Cache a Binding

 This section describes the processing of a valid Binding Update that
 requests a node to cache a binding, for which the Home Registration
 (H) bit is not set in the Binding Update.
 In this case, the receiving node SHOULD create a new entry in its
 Binding Cache for this home address, or update its existing Binding
 Cache entry for this home address, if such an entry already exists.
 The lifetime for the Binding Cache entry is initialized from the
 Lifetime field specified in the Binding Update, although this
 lifetime MAY be reduced by the node caching the binding; the lifetime
 for the Binding Cache entry MUST NOT be greater than the Lifetime
 value specified in the Binding Update.  Any Binding Cache entry MUST
 be deleted after the expiration of its lifetime.
 Note that if the mobile node did not request a Binding
 Acknowledgement, then it is not aware of the selected shorter
 lifetime.  The mobile node may thus use route optimization and send
 packets with the Home Address destination option.  As discussed in
 Section 9.3.1, such packets will be dropped if there is no binding.
 This situation is recoverable, but can cause temporary packet loss.
 The correspondent node MAY refuse to accept a new Binding Cache entry
 if it does not have sufficient resources.  A new entry MAY also be
 refused if the correspondent node believes its resources are utilized
 more efficiently in some other purpose, such as serving another
 mobile node with higher amount of traffic.  In both cases the
 correspondent node SHOULD return a Binding Acknowledgement with
 status value 130.

9.5.3 Requests to Delete a Binding

 This section describes the processing of a valid Binding Update that
 requests a node to delete a binding when the Home Registration (H)
 bit is not set in the Binding Update.
 Any existing binding for the given home address MUST be deleted.  A
 Binding Cache entry for the home address MUST NOT be created in
 response to receiving the Binding Update.
 If the Binding Cache entry was created by use of return routability
 nonces, the correspondent node MUST ensure that the same nonces are
 not used again with the particular home and care-of address.  If both
 nonces are still valid, the correspondent node has to remember the
 particular combination of nonce indexes, addresses, and sequence
 number as illegal until at least one of the nonces has become too
 old.

Johnson, et al. Standard Track [Page 84] RFC 3775 Mobility Support in IPv6 June 2004

9.5.4. Sending Binding Acknowledgements

 A Binding Acknowledgement may be sent to indicate receipt of a
 Binding Update as follows:
 o  If the Binding Update was discarded as described in Section 9.2 or
    Section 9.5.1, a Binding Acknowledgement MUST NOT be sent.
    Otherwise the treatment depends on the following rules.
 o  If the Acknowledge (A) bit set is set in the Binding Update, a
    Binding Acknowledgement MUST be sent.  Otherwise, the treatment
    depends on the below rule.
 o  If the node rejects the Binding Update due to an expired nonce
    index, sequence number being out of window (Section 9.5.1), or
    insufficiency of resources (Section 9.5.2), a Binding
    Acknowledgement MUST be sent.  If the node accepts the Binding
    Update, the Binding Acknowledgement SHOULD NOT be sent.
 If the node accepts the Binding Update and creates or updates an
 entry for this binding, the Status field in the Binding
 Acknowledgement MUST be set to a value less than 128.  Otherwise, the
 Status field MUST be set to a value greater than or equal to 128.
 Values for the Status field are described in Section 6.1.8 and in the
 IANA registry of assigned numbers [19].
 If the Status field in the Binding Acknowledgement contains the value
 136 (expired home nonce index), 137 (expired care-of nonce index), or
 138 (expired nonces) then the message MUST NOT include the Binding
 Authorization Data mobility option.  Otherwise, the Binding
 Authorization Data mobility option MUST be included, and MUST meet
 the specific authentication requirements for Binding Acknowledgements
 as defined in Section 5.2.
 If the Source Address field of the IPv6 header that carried the
 Binding Update does not contain a unicast address, the Binding
 Acknowledgement MUST NOT be sent and the Binding Update packet MUST
 be silently discarded.  Otherwise, the acknowledgement MUST be sent
 to the Source Address.  Unlike the treatment of regular packets, this
 addressing procedure does not use information from the Binding Cache.
 However, a routing header is needed in some cases.  If the Source
 Address is the home address of the mobile node, i.e., the Binding
 Update did not contain a Home Address destination option, then the
 Binding Acknowledgement MUST be sent to that address and the routing
 header MUST NOT be used.  Otherwise, the Binding Acknowledgement MUST
 be sent using a type 2 routing header which contains the mobile
 node's home address.

Johnson, et al. Standard Track [Page 85] RFC 3775 Mobility Support in IPv6 June 2004

9.5.5. Sending Binding Refresh Requests

 If a Binding Cache entry being deleted is still in active use when
 sending packets to a mobile node, then the next packet sent to the
 mobile node will be routed normally to the mobile node's home link.
 Communication with the mobile node continues, but the tunneling from
 the home network creates additional overhead and latency in
 delivering packets to the mobile node.
 If the sender knows that the Binding Cache entry is still in active
 use, it MAY send a Binding Refresh Request message to the mobile node
 in an attempt to avoid this overhead and latency due to deleting and
 recreating the Binding Cache entry.  This message is always sent to
 the home address of the mobile node.
 The correspondent node MAY retransmit Binding Refresh Request
 messages as long as the rate limitation is applied.  The
 correspondent node MUST stop retransmitting when it receives a
 Binding Update.

9.6. Cache Replacement Policy

 Conceptually, a node maintains a separate timer for each entry in its
 Binding Cache.  When creating or updating a Binding Cache entry in
 response to a received and accepted Binding Update, the node sets the
 timer for this entry to the specified Lifetime period.  Any entry in
 a node's Binding Cache MUST be deleted after the expiration of the
 Lifetime specified in the Binding Update from which the entry was
 created or last updated.
 Each node's Binding Cache will, by necessity, have a finite size.  A
 node MAY use any reasonable local policy for managing the space
 within its Binding Cache.
 A node MAY choose to drop any entry already in its Binding Cache in
 order to make space for a new entry.  For example, a "least-recently
 used" (LRU) strategy for cache entry replacement among entries should
 work well, unless the size of the Binding Cache is substantially
 insufficient.  When entries are deleted, the correspondent node MUST
 follow the rules in Section 5.2.8 in order to guard the return
 routability procedure against replay attacks.
 If the node sends a packet to a destination for which it has dropped
 the entry from its Binding Cache, the packet will be routed through
 the mobile node's home link.  The mobile node can detect this and
 establish a new binding if necessary.

Johnson, et al. Standard Track [Page 86] RFC 3775 Mobility Support in IPv6 June 2004

 However, if the mobile node believes that the binding still exists,
 it may use route optimization and send packets with the Home Address
 destination option.  This can create temporary packet loss, as
 discussed earlier, in the context of binding lifetime reductions
 performed by the correspondent node (Section 9.5.2).

10. Home Agent Operation

10.1. Conceptual Data Structures

 Each home agent MUST maintain a Binding Cache and Home Agents List.
 The rules for maintaining a Binding Cache are the same for home
 agents and correspondent nodes and have already been described in
 Section 9.1.
 The Home Agents List is maintained by each home agent, recording
 information about each router on the same link that is acting as a
 home agent.  This list is used by the dynamic home agent address
 discovery mechanism.  A router is known to be acting as a home agent,
 if it sends a Router Advertisement in which the Home Agent (H) bit is
 set.  When the lifetime for a list entry (defined below) expires,
 that entry is removed from the Home Agents List.  The Home Agents
 List is similar to the Default Router List conceptual data structure
 maintained by each host for Neighbor Discovery [12].  The Home Agents
 List MAY be implemented in any manner consistent with the external
 behavior described in this document.
 Each home agent maintains a separate Home Agents List for each link
 on which it is serving as a home agent.  A new entry is created or an
 existing entry is updated in response to receipt of a valid Router
 Advertisement in which the Home Agent (H) bit is set.  Each Home
 Agents List entry conceptually contains the following fields:
 o  The link-local IP address of a home agent on the link.  This
    address is learned through the Source Address of the Router
    Advertisements [12] received from the router.
 o  One or more global IP addresses for this home agent.  Global
    addresses are learned through Prefix Information options with the
    Router Address (R) bit set and received in Router Advertisements
    from this link-local address.  Global addresses for the router in
    a Home Agents List entry MUST be deleted once the prefix
    associated with that address is no longer valid [12].

Johnson, et al. Standard Track [Page 87] RFC 3775 Mobility Support in IPv6 June 2004

 o  The remaining lifetime of this Home Agents List entry.  If a Home
    Agent Information Option is present in a Router Advertisement
    received from a home agent, the lifetime of the Home Agents List
    entry representing that home agent is initialized from the Home
    Agent Lifetime field in the option (if present); otherwise, the
    lifetime is initialized from the Router Lifetime field in the
    received Router Advertisement.  If Home Agents List entry lifetime
    reaches zero, the entry MUST be deleted from the Home Agents List.
 o  The preference for this home agent; higher values indicate a more
    preferable home agent.  The preference value is taken from the
    Home Agent Preference field in the received Router Advertisement,
    if the Router Advertisement contains a Home Agent Information
    Option and is otherwise set to the default value of 0.  A home
    agent uses this preference in ordering the Home Agents List when
    it sends an ICMP Home Agent Address Discovery message.

10.2. Processing Mobility Headers

 All IPv6 home agents MUST observe the rules described in Section 9.2
 when processing Mobility Headers.

10.3. Processing Bindings

10.3.1. Primary Care-of Address Registration

 When a node receives a Binding Update, it MUST validate it and
 determine the type of Binding Update according to the steps described
 in Section 9.5.1.  Furthermore, it MUST authenticate the Binding
 Update as described in Section 5.1.  An authorization step specific
 for the home agent is also needed to ensure that only the right node
 can control a particular home address.  This is provided through the
 home address unequivocally identifying the security association that
 must be used.
 This section describes the processing of a valid and authorized
 Binding Update when it requests the registration of the mobile node's
 primary care-of address.
 To begin processing the Binding Update, the home agent MUST perform
 the following sequence of tests:
 o  If the node implements only correspondent node functionality, or
    has not been configured to act as a home agent, then the node MUST
    reject the Binding Update.  The node MUST also return a Binding
    Acknowledgement to the mobile node, in which the Status field is
    set to 131 (home registration not supported).

Johnson, et al. Standard Track [Page 88] RFC 3775 Mobility Support in IPv6 June 2004

 o  Else, if the home address for the binding (the Home Address field
    in the packet's Home Address option) is not an on-link IPv6
    address with respect to the home agent's current Prefix List, then
    the home agent MUST reject the Binding Update and SHOULD return a
    Binding Acknowledgement to the mobile node, in which the Status
    field is set to 132 (not home subnet).
 o  Else, if the home agent chooses to reject the Binding Update for
    any other reason (e.g., insufficient resources to serve another
    mobile node as a home agent), then the home agent SHOULD return a
    Binding Acknowledgement to the mobile node, in which the Status
    field is set to an appropriate value to indicate the reason for
    the rejection.
 o  A Home Address destination option MUST be present in the message.
    It MUST be validated as described in Section 9.3.1 with the
    following additional rule.  The Binding Cache entry existence test
    MUST NOT be done for IPsec packets when the Home Address option
    contains an address for which the receiving node could act as a
    home agent.
 If home agent accepts the Binding Update, it MUST then create a new
 entry in its Binding Cache for this mobile node or update its
 existing Binding Cache entry, if such an entry already exists.  The
 Home Address field as received in the Home Address option provides
 the home address of the mobile node.
 The home agent MUST mark this Binding Cache entry as a home
 registration to indicate that the node is serving as a home agent for
 this binding.  Binding Cache entries marked as a home registration
 MUST be excluded from the normal cache replacement policy used for
 the Binding Cache (Section 9.6) and MUST NOT be removed from the
 Binding Cache until the expiration of the Lifetime period.
 Unless this home agent already has a binding for the given home
 address, the home agent MUST perform Duplicate Address Detection [13]
 on the mobile node's home link before returning the Binding
 Acknowledgement.  This ensures that no other node on the home link
 was using the mobile node's home address when the Binding Update
 arrived.  If this Duplicate Address Detection fails for the given
 home address or an associated link local address, then the home agent
 MUST reject the complete Binding Update and MUST return a Binding
 Acknowledgement to the mobile node, in which the Status field is set
 to 134 (Duplicate Address Detection failed).  When the home agent
 sends a successful Binding Acknowledgement to the mobile node, the
 home agent assures to the mobile node that its address(es) will be
 kept unique by the home agent for as long as the lifetime was granted
 for the binding.

Johnson, et al. Standard Track [Page 89] RFC 3775 Mobility Support in IPv6 June 2004

 The specific addresses, which are to be tested before accepting the
 Binding Update and later to be defended by performing Duplicate
 Address Detection, depend on the setting of the Link-Local Address
 Compatibility (L) bit, as follows:
 o  L=0: Defend only the given address.  Do not derive a link-local
    address.
 o  L=1: Defend both the given non link-local unicast (home) address
    and the derived link-local.  The link-local address is derived by
    replacing the subnet prefix in the mobile node's home address with
    the link-local prefix.
 The lifetime of the Binding Cache entry depends on a number of
 factors:
 o  The lifetime for the Binding Cache entry MUST NOT be greater than
    the Lifetime value specified in the Binding Update.
 o  The lifetime for the Binding Cache entry MUST NOT be greater than
    the remaining valid lifetime for the subnet prefix in the mobile
    node's home address specified with the Binding Update.  The
    remaining valid lifetime for this prefix is determined by the home
    agent based on its own Prefix List entry [12].
    The remaining preferred lifetime SHOULD NOT have any impact on the
    lifetime for the binding cache entry.
    The home agent MUST remove a binding when the valid lifetime of
    the prefix associated with it expires.
 o  The home agent MAY further decrease the specified lifetime for the
    binding, for example based on a local policy.  The resulting
    lifetime is stored by the home agent in the Binding Cache entry,
    and this Binding Cache entry MUST be deleted by the home agent
    after the expiration of this lifetime.
 Regardless of the setting of the Acknowledge (A) bit in the Binding
 Update, the home agent MUST return a Binding Acknowledgement to the
 mobile node constructed as follows:
 o  The Status field MUST be set to a value indicating success.  The
    value 1 (accepted but prefix discovery necessary) MUST be used if
    the subnet prefix of the specified home address is deprecated, or
    becomes deprecated during the lifetime of the binding, or becomes
    invalid at the end of the lifetime.  The value 0 MUST be used

Johnson, et al. Standard Track [Page 90] RFC 3775 Mobility Support in IPv6 June 2004

    otherwise.  For the purposes of comparing the binding and prefix
    lifetimes, the prefix lifetimes are first converted into units of
    four seconds by ignoring the two least significant bits.
 o  The Key Management Mobility Capability (K) bit is set if the
    following conditions are all fulfilled, and cleared otherwise:
  • The Key Management Mobility Capability (K) bit was set in the

Binding Update.

  • The IPsec security associations between the mobile node and the

home agent have been established dynamically.

  • The home agent has the capability to update its endpoint in the

used key management protocol to the new care-of address every

       time it moves.
    Depending on the final value of the bit in the Binding
    Acknowledgement, the home agent SHOULD perform the following
    actions:
    K = 0
       Discard key management connections, if any, to the old care-of
       address.  If the mobile node did not have a binding before
       sending this Binding Update, discard the connections to the
       home address.
    K = 1
       Move the peer endpoint of the key management protocol
       connection, if any, to the new care-of address.  For an IKE
       phase 1 connection, this means that any IKE packets sent to the
       peer are sent to this address, and packets from this address
       with the original ISAKMP cookies are accepted.
       Note that RFC 2408 [8] Section 2.5.3 gives specific rules that
       ISAKMP cookies must satisfy: they must depend on specific
       parties and can only be generated by the entity itself.  Then
       it recommends a particular way to do this, namely a hash of IP
       addresses.  With the K bit set to 1, the recommended
       implementation technique does not work directly.  To satisfy
       the two rules, the specific parties must be treated as the
       original IP addresses, not the ones in use at the specific
       moment.
 o  The Sequence Number field MUST be copied from the Sequence Number
    given in the Binding Update.

Johnson, et al. Standard Track [Page 91] RFC 3775 Mobility Support in IPv6 June 2004

 o  The Lifetime field MUST be set to the remaining lifetime for the
    binding as set by the home agent in its home registration Binding
    Cache entry for the mobile node, as described above.
 o  If the home agent stores the Binding Cache entry in nonvolatile
    storage, then the Binding Refresh Advice mobility option MUST be
    omitted.  Otherwise, the home agent MAY include this option to
    suggest that the mobile node refreshes its binding before the
    actual lifetime of the binding ends.
    If the Binding Refresh Advice mobility option is present, the
    Refresh Interval field in the option MUST be set to a value less
    than the Lifetime value being returned in the Binding
    Acknowledgement.  This indicates that the mobile node SHOULD
    attempt to refresh its home registration at the indicated shorter
    interval.  The home agent MUST still retain the registration for
    the Lifetime period, even if the mobile node does not refresh its
    registration within the Refresh period.
 The rules for selecting the Destination IP address (and possibly
 routing header construction) for the Binding Acknowledgement to the
 mobile node are the same as in Section 9.5.4.
 In addition, the home agent MUST follow the procedure defined in
 Section 10.4.1 to intercept packets on the mobile node's home link
 addressed to the mobile node, while the home agent is serving as the
 home agent for this mobile node.  The home agent MUST also be
 prepared to accept reverse tunneled packets from the new care-of
 address of the mobile node, as described in Section 10.4.5.  Finally,
 the home agent MUST also propagate new home network prefixes, as
 described in Section 10.6.

10.3.2. Primary Care-of Address De-Registration

 A binding may need to be de-registered when the mobile node returns
 home or when the mobile node knows that it will not have any care-of
 addresses in the visited network.
 A Binding Update is validated and authorized in the manner described
 in the previous section; note that when the mobile node de-registers
 when it is at home, it may not include the Home Address destination
 option, in which case the mobile node's home address is the source IP
 address of the de-registration Binding Update.  This section
 describes the processing of a valid Binding Update that requests the
 receiving node to no longer serve as its home agent, de-registering
 its primary care-of address.

Johnson, et al. Standard Track [Page 92] RFC 3775 Mobility Support in IPv6 June 2004

 To begin processing the Binding Update, the home agent MUST perform
 the following test:
 o  If the receiving node has no entry marked as a home registration
    in its Binding Cache for this mobile node, then this node MUST
    reject the Binding Update and SHOULD return a Binding
    Acknowledgement to the mobile node, in which the Status field is
    set to 133 (not home agent for this mobile node).
 If the home agent does not reject the Binding Update as described
 above, then it MUST delete any existing entry in its Binding Cache
 for this mobile node.  Then, the home agent MUST return a Binding
 Acknowledgement to the mobile node, constructed as follows:
 o  The Status field MUST be set to a value 0, indicating success.
 o  The Key Management Mobility Capability (K) bit is set or cleared
    and actions based on its value are performed as described in the
    previous section.  The mobile node's home address is used as its
    new care-of address for the purposes of moving the key management
    connection to a new endpoint.
 o  The Sequence Number field MUST be copied from the Sequence Number
    given in the Binding Update.
 o  The Lifetime field MUST be set to zero.
 o  The Binding Refresh Advice mobility option MUST be omitted.
 In addition, the home agent MUST stop intercepting packets on the
 mobile node's home link that are addressed to the mobile node
 (Section 10.4.1).
 The rules for selecting the Destination IP address (and, if required,
 routing header construction) for the Binding Acknowledgement to the
 mobile node are the same as in the previous section.  When the Status
 field in the Binding Acknowledgement is greater than or equal to 128
 and the Source Address of the Binding Update is on the home link, the
 home agent MUST send it to the mobile node's link layer address
 (retrieved either from the Binding Update or through Neighbor
 Solicitation).

Johnson, et al. Standard Track [Page 93] RFC 3775 Mobility Support in IPv6 June 2004

10.4. Packet Processing

10.4.1. Intercepting Packets for a Mobile Node

 While a node is serving as the home agent for mobile node it MUST
 attempt to intercept packets on the mobile node's home link that are
 addressed to the mobile node.
 In order to do this, when a node begins serving as the home agent it
 MUST multicast onto the home link a Neighbor Advertisement message
 [12] on behalf of the mobile node.  For the home address specified in
 the Binding Update, the home agent sends a Neighbor Advertisement
 message [12] to the all-nodes multicast address on the home link to
 advertise the home agent's own link-layer address for this IP address
 on behalf of the mobile node.  If the Link-Layer Address
 Compatibility (L) flag has been specified in the Binding Update, the
 home agent MUST do the same for the link-local address of the mobile
 node.
 All fields in each Neighbor Advertisement message SHOULD be set in
 the same way they would be set by the mobile node if it was sending
 this Neighbor Advertisement [12] while at home, with the following
 exceptions:
 o  The Target Address in the Neighbor Advertisement MUST be set to
    the specific IP address for the mobile node.
 o  The Advertisement MUST include a Target Link-layer Address option
    specifying the home agent's link-layer address.
 o  The Router (R) bit in the Advertisement MUST be set to zero.
 o  The Solicited Flag (S) in the Advertisement MUST NOT be set, since
    it was not solicited by any Neighbor Solicitation.
 o  The Override Flag (O) in the Advertisement MUST be set, indicating
    that the Advertisement SHOULD override any existing Neighbor Cache
    entry at any node receiving it.
 o  The Source Address in the IPv6 header MUST be set to the home
    agent's IP address on the interface used to send the
    advertisement.
 Any node on the home link that receives one of the Neighbor
 Advertisement messages (described above) will update its Neighbor
 Cache to associate the mobile node's address with the home agent's
 link layer address, causing it to transmit any future packets
 normally destined to the mobile node to the mobile node's home agent.

Johnson, et al. Standard Track [Page 94] RFC 3775 Mobility Support in IPv6 June 2004

 Since multicasting on the local link (such as Ethernet) is typically
 not guaranteed to be reliable, the home agent MAY retransmit this
 Neighbor Advertisement message up to MAX_NEIGHBOR_ADVERTISEMENT (see
 [12]) times to increase its reliability.  It is still possible that
 some nodes on the home link will not receive any of the Neighbor
 Advertisements, but these nodes will eventually be able to detect the
 link-layer address change for the mobile node's address through use
 of Neighbor Unreachability Detection [12].
 While a node is serving as a home agent for some mobile node, the
 home agent uses IPv6 Neighbor Discovery [12] to intercept unicast
 packets on the home link addressed to the mobile node.  In order to
 intercept packets in this way, the home agent MUST act as a proxy for
 this mobile node and reply to any received Neighbor Solicitations for
 it.  When a home agent receives a Neighbor Solicitation, it MUST
 check if the Target Address specified in the message matches the
 address of any mobile node for which it has a Binding Cache entry
 marked as a home registration.
 If such an entry exists in the home agent's Binding Cache, the home
 agent MUST reply to the Neighbor Solicitation with a Neighbor
 Advertisement giving the home agent's own link-layer address as the
 link-layer address for the specified Target Address.  In addition,
 the Router (R) bit in the Advertisement MUST be set to zero.  Acting
 as a proxy in this way allows other nodes on the mobile node's home
 link to resolve the mobile node's address and for the home agent to
 defend these addresses on the home link for Duplicate Address
 Detection [12].

10.4.2. Processing Intercepted Packets

 For any packet sent to a mobile node from the mobile node's home
 agent (in which the home agent is the original sender of the packet),
 the home agent is operating as a correspondent node of the mobile
 node for this packet and the procedures described in Section 9.3.2
 apply.  The home agent then uses a routing header to route the packet
 to the mobile node by way of the primary care-of address in the home
 agent's Binding Cache.
 While the mobile node is away from home, the home agent intercepts
 any packets on the home link addressed to the mobile node's home
 address, as described in Section 10.4.1.  In order to forward each
 intercepted packet to the mobile node, the home agent MUST tunnel the
 packet to the mobile node using IPv6 encapsulation [15].  When a home
 agent encapsulates an intercepted packet for forwarding to the mobile
 node, the home agent sets the Source Address in the new tunnel IP
 header to the home agent's own IP address and sets the Destination
 Address in the tunnel IP header to the mobile node's primary care-of

Johnson, et al. Standard Track [Page 95] RFC 3775 Mobility Support in IPv6 June 2004

 address.  When received by the mobile node, normal processing of the
 tunnel header [15] will result in decapsulation and processing of the
 original packet by the mobile node.
 However, packets addressed to the mobile node's link-local address
 MUST NOT be tunneled to the mobile node.  Instead, these packets MUST
 be discarded and the home agent SHOULD return an ICMP Destination
 Unreachable, Code 3, message to the packet's Source Address (unless
 this Source Address is a multicast address).  Packets addressed to
 the mobile node's site-local address SHOULD NOT be tunneled to the
 mobile node by default.
 Interception and tunneling of the following multicast addressed
 packets on the home network are only done if the home agent supports
 multicast group membership control messages from the mobile node as
 described in the next section.  Tunneling of multicast packets to a
 mobile node follows similar limitations to those defined above for
 unicast packets addressed to the mobile node's link-local and site-
 local addresses.  Multicast packets addressed to a multicast address
 with link-local scope [3], to which the mobile node is subscribed,
 MUST NOT be tunneled to the mobile node.  These packets SHOULD be
 silently discarded (after delivering to other local multicast
 recipients).  Multicast packets addressed to a multicast address with
 a scope larger than link-local, but smaller than global (e.g., site-
 local and organization-local [3], to which the mobile node is
 subscribed, SHOULD NOT be tunneled to the mobile node.  Multicast
 packets addressed with a global scope, to which the mobile node has
 successfully subscribed, MUST be tunneled to the mobile node.
 Before tunneling a packet to the mobile node, the home agent MUST
 perform any IPsec processing as indicated by the security policy data
 base.

10.4.3. Multicast Membership Control

 This section is a prerequisite for the multicast data packet
 forwarding, described in the previous section.  If this support is
 not provided, multicast group membership control messages are
 silently ignored.
 In order to forward multicast data packets from the home network to
 all the proper mobile nodes, the home agent SHOULD be capable of
 receiving tunneled multicast group membership control information
 from the mobile node in order to determine which groups the mobile
 node has subscribed to.  These multicast group membership messages
 are Listener Report messages specified in MLD [17] or in other
 protocols such as [37].

Johnson, et al. Standard Track [Page 96] RFC 3775 Mobility Support in IPv6 June 2004

 The messages are issued by the mobile node, but sent through the
 reverse tunnel to the home agent.  These messages are issued whenever
 the mobile node decides to enable reception of packets for a
 multicast group or in response to an MLD Query from the home agent.
 The mobile node will also issue multicast group control messages to
 disable reception of multicast packets when it is no longer
 interested in receiving multicasts for a particular group.
 To obtain the mobile node's current multicast group membership the
 home agent must periodically transmit MLD Query messages through the
 tunnel to the mobile node.  These MLD periodic transmissions will
 ensure the home agent has an accurate record of the groups in which
 the mobile node is interested despite packet losses of the mobile
 node's MLD group membership messages.
 All MLD packets are sent directly between the mobile node and the
 home agent.  Since all of these packets are destined to a link-scope
 multicast address and have a hop limit of 1, there is no direct
 forwarding of such packets between the home network and the mobile
 node.  The MLD packets between the mobile node and the home agent are
 encapsulated within the same tunnel header used for other packet
 flows between the mobile node and home agent.
 Note that at this time, even though a link-local source is used on
 MLD packets, no functionality depends on these addresses being
 unique, nor do they elicit direct responses.  All MLD messages are
 sent to multicast destinations.  To avoid ambiguity on the home
 agent, due to mobile nodes which may choose identical link-local
 source addresses for their MLD function, it is necessary for the home
 agent to identify which mobile node was actually the issuer of a
 particular MLD message.  This may be accomplished by noting which
 tunnel such an MLD arrived by, which IPsec SA was used, or by other
 distinguishing means.
 This specification puts no requirement on how the functions in this
 section and the multicast forwarding in Section 10.4.2 are to be
 achieved.  At the time of this writing it was thought that a full
 IPv6 multicast router function would be necessary on the home agent,
 but it may be possible to achieve the same effects through a "proxy
 MLD" application coupled with kernel multicast forwarding.  This may
 be the subject of future specifications.

Johnson, et al. Standard Track [Page 97] RFC 3775 Mobility Support in IPv6 June 2004

10.4.4. Stateful Address Autoconfiguration

 This section describes how home agents support the use of stateful
 address autoconfiguration mechanisms such as DHCPv6 [29] from the
 mobile nodes.  If this support is not provided, then the M and O bits
 must remain cleared on the Mobile Prefix Advertisement Messages.  Any
 mobile node which sends DHCPv6 messages to the home agent without
 this support will not receive a response.
 If DHCPv6 is used, packets are sent with link-local source addresses
 either to a link-scope multicast address or a link-local address.
 Mobile nodes desiring to locate a DHCPv6 service may reverse tunnel
 standard DHCPv6 packets to the home agent.  Since these link-scope
 packets cannot be forwarded onto the home network, it is necessary
 for the home agent to either implement a DHCPv6 relay agent or a
 DHCPv6 server function itself.  The arriving tunnel or IPsec SA of
 DHCPv6 link-scope messages from the mobile node must be noted so that
 DHCPv6 responses may be sent back to the appropriate mobile node.
 DHCPv6 messages sent to the mobile node with a link-local destination
 must be tunneled within the same tunnel header used for other packet
 flows.

10.4.5. Handling Reverse Tunneled Packets

 Unless a binding has been established between the mobile node and a
 correspondent node, traffic from the mobile node to the correspondent
 node goes through a reverse tunnel.  Home agents MUST support reverse
 tunneling as follows:
 o  The tunneled traffic arrives to the home agent's address using
    IPv6 encapsulation [15].
 o  Depending on the security policies used by the home agent, reverse
    tunneled packets MAY be discarded unless accompanied by a valid
    ESP header.  The support for authenticated reverse tunneling
    allows the home agent to protect the home network and
    correspondent nodes from malicious nodes masquerading as a mobile
    node.
 o  Otherwise, when a home agent decapsulates a tunneled packet from
    the mobile node, the home agent MUST verify that the Source
    Address in the tunnel IP header is the mobile node's primary
    care-of address.  Otherwise, any node in the Internet could send
    traffic through the home agent and escape ingress filtering
    limitations.  This simple check forces the attacker to know the
    current location of the real mobile node and be able to defeat
    ingress filtering. This check is not necessary if the reverse-
    tunneled packet is protected by ESP in tunnel mode.

Johnson, et al. Standard Track [Page 98] RFC 3775 Mobility Support in IPv6 June 2004

10.4.6. Protecting Return Routability Packets

 The return routability procedure, described in Section 5.2.5, assumes
 that the confidentiality of the Home Test Init and Home Test messages
 is protected as they are tunneled between the home agent and the
 mobile node.  Therefore, the home agent MUST support tunnel mode
 IPsec ESP for the protection of packets belonging to the return
 routability procedure.  Support for a non-null encryption transform
 and authentication algorithm MUST be available.  It is not necessary
 to distinguish between different kinds of packets during the return
 routability procedure.
 Security associations are needed to provide this protection.  When
 the care-of address for the mobile node changes as a result of an
 accepted Binding Update, special treatment is needed for the next
 packets sent using these security associations.  The home agent MUST
 set the new care-of address as the destination address of these
 packets, as if the outer header destination address in the security
 association had changed [21].
 The above protection SHOULD be used with all mobile nodes.  The use
 is controlled by configuration of the IPsec security policy database
 both at the mobile node and at the home agent.
 As described earlier, the Binding Update and Binding Acknowledgement
 messages require protection between the home agent and the mobile
 node.  The Mobility Header protocol carries both these messages as
 well as the return routability messages.  From the point of view of
 the security policy database these messages are indistinguishable.
 When IPsec is used to protect return routability signaling or payload
 packets, this protection MUST only be applied to the return
 routability packets entering the IPv6 encapsulated tunnel interface
 between the mobile node and the home agent.  This can be achieved,
 for instance, by defining the security policy database entries
 specifically for the tunnel interface.  That is, the policy entries
 are not generally applied on all traffic on the physical interface(s)
 of the nodes, but rather only on traffic that enters the tunnel.
 This makes use of per-interface security policy database entries [4]
 specific to the tunnel interface (the node's attachment to the tunnel
 [11]).

10.5. Dynamic Home Agent Address Discovery

 This section describes how a home agent can help mobile nodes to
 discover the addresses of the home agents.  The home agent keeps
 track of the other home agents on the same link and responds to
 queries sent by the mobile node.

Johnson, et al. Standard Track [Page 99] RFC 3775 Mobility Support in IPv6 June 2004

10.5.1. Receiving Router Advertisement Messages

 For each link on which a router provides service as a home agent, the
 router maintains a Home Agents List recording information about all
 other home agents on that link.  This list is used in the dynamic
 home agent address discovery mechanism, described in Section 10.5.
 The information for the list is learned through receipt of the
 periodic unsolicited multicast Router Advertisements, in a manner
 similar to the Default Router List conceptual data structure
 maintained by each host for Neighbor Discovery [12].  In the
 construction of the Home Agents List, the Router Advertisements are
 from each (other) home agent on the link and the Home Agent (H) bit
 is set in them.
 On receipt of a valid Router Advertisement, as defined in the
 processing algorithm specified for Neighbor Discovery [12], the home
 agent performs the following steps in addition to any steps already
 required of it by Neighbor Discovery:
 o  If the Home Agent (H) bit in the Router Advertisement is not set,
    delete the sending node's entry in the current Home Agents List
    (if one exists).  Skip all the following steps.
 o  Otherwise, extract the Source Address from the IP header of the
    Router Advertisement.  This is the link-local IP address on this
    link of the home agent sending this Advertisement [12].
 o  Determine the preference for this home agent.  If the Router
    Advertisement contains a Home Agent Information Option, then the
    preference is taken from the Home Agent Preference field in the
    option; otherwise, the default preference of 0 MUST be used.
 o  Determine the lifetime for this home agent.  If the Router
    Advertisement contains a Home Agent Information Option, then the
    lifetime is taken from the Home Agent Lifetime field in the
    option; otherwise, the lifetime specified by the Router Lifetime
    field in the Router Advertisement SHOULD be used.
 o  If the link-local address of the home agent sending this
    Advertisement is already present in this home agent's Home Agents
    List and the received home agent lifetime value is zero,
    immediately delete this entry in the Home Agents List.
 o  Otherwise, if the link-local address of the home agent sending
    this Advertisement is already present in the receiving home
    agent's Home Agents List, reset its lifetime and preference to the
    values determined above.

Johnson, et al. Standard Track [Page 100] RFC 3775 Mobility Support in IPv6 June 2004

 o  If the link-local address of the home agent sending this
    Advertisement is not already present in the Home Agents List
    maintained by the receiving home agent, and the lifetime for the
    sending home agent is non-zero, create a new entry in the list,
    and initialize its lifetime and preference to the values
    determined above.
 o  If the Home Agents List entry for the link-local address of the
    home agent sending this Advertisement was not deleted as described
    above, determine any global address(es) of the home agent based on
    each Prefix Information option received in this Advertisement in
    which the Router Address (R) bit is set (Section 7.2).  Add all
    such global addresses to the list of global addresses in this Home
    Agents List entry.
 A home agent SHOULD maintain an entry in its Home Agents List for
 each valid home agent address until that entry's lifetime expires,
 after which time the entry MUST be deleted.
 As described in Section 11.4.1, a mobile node attempts dynamic home
 agent address discovery by sending an ICMP Home Agent Address
 Discovery Request message to the Mobile IPv6 Home-Agents anycast
 address [16] for its home IP subnet prefix.  A home agent receiving a
 Home Agent Address Discovery Request message that serves this subnet
 SHOULD return an ICMP Home Agent Address Discovery Reply message to
 the mobile node with the Source Address of the Reply packet set to
 one of the global unicast addresses of the home agent.  The Home
 Agent Addresses field in the Reply message is constructed as follows:
 o  The Home Agent Addresses field SHOULD contain all global IP
    addresses for each home agent currently listed in this home
    agent's own Home Agents List (Section 10.1).
 o  The IP addresses in the Home Agent Addresses field SHOULD be
    listed in order of decreasing preference values, based either on
    the respective advertised preference from a Home Agent Information
    option or on the default preference of 0 if no preference is
    advertised (or on the configured home agent preference for this
    home agent itself).
 o  Among home agents with equal preference, their IP addresses in the
    Home Agent Addresses field SHOULD be listed in an order randomized
    with respect to other home agents with equal preference every time
    a Home Agent Address Discovery Reply message is returned by this
    home agent.
 o  If more than one global IP address is associated with a home
    agent, these addresses SHOULD be listed in a randomized order.

Johnson, et al. Standard Track [Page 101] RFC 3775 Mobility Support in IPv6 June 2004

 o  The home agent SHOULD reduce the number of home agent IP addresses
    so that the packet fits within the minimum IPv6 MTU [11].  The
    home agent addresses selected for inclusion in the packet SHOULD
    be those from the complete list with the highest preference.  This
    limitation avoids the danger of the Reply message packet being
    fragmented (or rejected by an intermediate router with an ICMP
    Packet Too Big message [14]).

10.6. Sending Prefix Information to the Mobile Node

10.6.1. List of Home Network Prefixes

 Mobile IPv6 arranges to propagate relevant prefix information to the
 mobile node when it is away from home, so that it may be used in
 mobile node home address configuration and in network renumbering.
 In this mechanism, mobile nodes away from home receive Mobile Prefix
 Advertisements messages.  These messages include Prefix Information
 Options for the prefixes configured on the home subnet interface(s)
 of the home agent.
 If there are multiple home agents, differences in the advertisements
 sent by different home agents can lead to an inability to use a
 particular home address when changing to another home agent.  In
 order to ensure that the mobile nodes get the same information from
 different home agents, it is preferred that all of the home agents on
 the same link be configured in the same manner.
 To support this, the home agent monitors prefixes advertised by
 itself and other home agents on the home link.  In RFC 2461 [12] it
 is acceptable for two routers to advertise different sets of prefixes
 on the same link.  For home agents, the differences should be
 detected for a given home address because the mobile node
 communicates only with one home agent at a time and the mobile node
 needs to know the full set of prefixes assigned to the home link.
 All other comparisons of Router Advertisements are as specified in
 Section 6.2.7 of RFC 2461.

10.6.2. Scheduling Prefix Deliveries

 A home agent serving a mobile node will schedule the delivery of the
 new prefix information to that mobile node when any of the following
 conditions occur:
 MUST:
 o  The state of the flags changes for the prefix of the mobile node's
    registered home address.

Johnson, et al. Standard Track [Page 102] RFC 3775 Mobility Support in IPv6 June 2004

 o  The valid or preferred lifetime is reconfigured or changes for any
    reason other than advancing real time.
 o  The mobile node requests the information with a Mobile Prefix
    Solicitation (see Section 11.4.2).
 SHOULD:
 o  A new prefix is added to the home subnet interface(s) of the home
    agent.
 MAY:
 o  The valid or preferred lifetime or the state of the flags changes
    for a prefix which is not used in any Binding Cache entry for this
    mobile node.
 The home agent uses the following algorithm to determine when to send
 prefix information to the mobile node.
 o  If a mobile node sends a solicitation, answer right away.
 o  If no Mobile Prefix Advertisement has been sent to the mobile node
    in the last MaxMobPfxAdvInterval seconds (see Section 13), then
    ensure that a transmission is scheduled.  The actual transmission
    time is randomized as described below.
 o  If a prefix matching the mobile node's home registration is added
    on the home subnet interface or if its information changes in any
    way that does not deprecate the mobile node's address, ensure that
    a transmission is scheduled.  The actual transmission time is
    randomized as described below.
 o  If a home registration expires, cancel any scheduled
    advertisements to the mobile node.
 The list of prefixes is sent in its entirety in all cases.
 If the home agent has already scheduled the transmission of a Mobile
 Prefix Advertisement to the mobile node, then the home agent will
 replace the advertisement with a new one to be sent at the scheduled
 time.
 Otherwise, the home agent computes a fresh value for RAND_ADV_DELAY
 which offsets from the current time for the scheduled transmission.
 First calculate the maximum delay for the scheduled Advertisement:

Johnson, et al. Standard Track [Page 103] RFC 3775 Mobility Support in IPv6 June 2004

    MaxScheduleDelay = min (MaxMobPfxAdvInterval, Preferred Lifetime),
 where MaxMobPfxAdvInterval is as defined in Section 12.  Then compute
 the final delay for the advertisement:
    RAND_ADV_DELAY = MinMobPfxAdvInterval +
          (rand() % abs(MaxScheduleDelay - MinMobPfxAdvInterval))
 Here rand() returns a random integer value in the range of 0 to the
 maximum possible integer value.  This computation is expected to
 alleviate bursts of advertisements when prefix information changes.
 In addition, a home agent MAY further reduce the rate of packet
 transmission by further delaying individual advertisements, when
 necessary to avoid overwhelming local network resources.  The home
 agent SHOULD periodically continue to retransmit an unsolicited
 Advertisement to the mobile node, until it is acknowledged by the
 receipt of a Mobile Prefix Solicitation from the mobile node.
 The home agent MUST wait PREFIX_ADV_TIMEOUT (see Section 12) before
 the first retransmission and double the retransmission wait time for
 every succeeding retransmission until a maximum number of
 PREFIX_ADV_RETRIES attempts (see Section 12) has been tried.  If the
 mobile node's bindings expire before the matching Binding Update has
 been received, then the home agent MUST NOT attempt any more
 retransmissions, even if not all PREFIX_ADV_RETRIES have been
 retransmitted.  In the meantime, if the mobile node sends another
 Binding Update without returning home, then the home agent SHOULD
 begin transmitting the unsolicited Advertisement again.
 If some condition, as described above, occurs on the home link and
 causes another Prefix Advertisement to be sent to the mobile node,
 before the mobile node acknowledges a previous transmission, the home
 agent SHOULD combine any Prefix Information options in the
 unacknowledged Mobile Prefix Advertisement into a new Advertisement.
 The home agent then discards the old Advertisement.

10.6.3. Sending Advertisements

 When sending a Mobile Prefix Advertisement to the mobile node, the
 home agent MUST construct the packet as follows:
 o  The Source Address in the packet's IPv6 header MUST be set to the
    home agent's IP address to which the mobile node addressed its
    current home registration or its default global home agent address
    if no binding exists.

Johnson, et al. Standard Track [Page 104] RFC 3775 Mobility Support in IPv6 June 2004

 o  If the advertisement was solicited, it MUST be destined to the
    source address of the solicitation.  If it was triggered by prefix
    changes or renumbering, the advertisement's destination will be
    the mobile node's home address in the binding which triggered the
    rule.
 o  A type 2 routing header MUST be included with the mobile node's
    home address.
 o  IPsec headers MUST be supported and SHOULD be used.
 o  The home agent MUST send the packet as it would any other unicast
    IPv6 packet that it originates.
 o  Set the Managed Address Configuration (M) flag if the
    corresponding flag has been set in any of the Router
    Advertisements from which the prefix information has been learned
    (including the ones sent by this home agent).
 o  Set the Other Stateful Configuration (O) flag if the corresponding
    flag has been set in any of the Router Advertisements from which
    the prefix information has been learned (including the ones sent
    by this home agent).

10.6.4. Lifetimes for Changed Prefixes

 As described in Section 10.3.1, the lifetime returned by the home
 agent in a Binding Acknowledgement MUST not be greater than the
 remaining valid lifetime for the subnet prefix in the mobile node's
 home address.  This limit on the binding lifetime serves to prohibit
 use of a mobile node's home address after it becomes invalid.

11. Mobile Node Operation

11.1. Conceptual Data Structures

 Each mobile node MUST maintain a Binding Update List.
 The Binding Update List records information for each Binding Update
 sent by this mobile node, in which the lifetime of the binding has
 not yet expired.  The Binding Update List includes all bindings sent
 by the mobile node either to its home agent or correspondent nodes.
 It also contains Binding Updates which are waiting for the completion
 of the return routability procedure before they can be sent.
 However, for multiple Binding Updates sent to the same destination
 address, the Binding Update List contains only the most recent
 Binding Update (i.e., with the greatest Sequence Number value) sent
 to that destination.  The Binding Update List MAY be implemented in

Johnson, et al. Standard Track [Page 105] RFC 3775 Mobility Support in IPv6 June 2004

 any manner consistent with the external behavior described in this
 document.
 Each Binding Update List entry conceptually contains the following
 fields:
 o  The IP address of the node to which a Binding Update was sent.
 o  The home address for which that Binding Update was sent.
 o  The care-of address sent in that Binding Update.  This value is
    necessary for the mobile node to determine if it has sent a
    Binding Update while giving its new care-of address to this
    destination after changing its care-of address.
 o  The initial value of the Lifetime field sent in that Binding
    Update.
 o  The remaining lifetime of that binding.  This lifetime is
    initialized from the Lifetime value sent in the Binding Update and
    is decremented until it reaches zero, at which time this entry
    MUST be deleted from the Binding Update List.
 o  The maximum value of the Sequence Number field sent in previous
    Binding Updates to this destination.  The Sequence Number field is
    16 bits long and all comparisons between Sequence Number values
    MUST be performed modulo 2**16 (see Section 9.5.1).
 o  The time at which a Binding Update was last sent to this
    destination, as needed to implement the rate limiting restriction
    for sending Binding Updates.
 o  The state of any retransmissions needed for this Binding Update.
    This state includes the time remaining until the next
    retransmission attempt for the Binding Update and the current
    state of the exponential back-off mechanism for retransmissions.
 o  A flag specifying whether or not future Binding Updates should be
    sent to this destination.  The mobile node sets this flag in the
    Binding Update List entry when it receives an ICMP Parameter
    Problem, Code 1, error message in response to a return routability
    message or Binding Update sent to that destination, as described
    in Section 11.3.5.
 The Binding Update List is used to determine whether a particular
 packet is sent directly to the correspondent node or tunneled via the
 home agent (see Section 11.3.1).

Johnson, et al. Standard Track [Page 106] RFC 3775 Mobility Support in IPv6 June 2004

 The Binding Update list also conceptually contains the following data
 related to running the return routability procedure.  This data is
 relevant only for Binding Updates sent to correspondent nodes.
 o  The time at which a Home Test Init or Care-of Test Init message
    was last sent to this destination, as needed to implement the rate
    limiting restriction for the return routability procedure.
 o  The state of any retransmissions needed for this return
    routability procedure.  This state includes the time remaining
    until the next retransmission attempt and the current state of the
    exponential back-off mechanism for retransmissions.
 o  Cookie values used in the Home Test Init and Care-of Test Init
    messages.
 o  Home and care-of keygen tokens received from the correspondent
    node.
 o  Home and care-of nonce indices received from the correspondent
    node.
 o  The time at which each of the tokens and nonces were received from
    the correspondent node, as needed to implement reuse while moving.

11.2. Processing Mobility Headers

 All IPv6 mobile nodes MUST observe the rules described in Section 9.2
 when processing Mobility Headers.

11.3. Packet Processing

11.3.1. Sending Packets While Away from Home

 While a mobile node is away from home, it continues to use its home
 address, as well as also using one or more care-of addresses.  When
 sending a packet while away from home, a mobile node MAY choose among
 these in selecting the address that it will use as the source of the
 packet, as follows:
 o  Protocols layered over IP will generally treat the mobile node's
    home address as its IP address for most packets.  For packets sent
    that are part of transport-level connections established while the
    mobile node was at home, the mobile node MUST use its home
    address.  Likewise, for packets sent that are part of transport-
    level connections that the mobile node may still be using after
    moving to a new location, the mobile node SHOULD use its home
    address in this way.  If a binding exists, the mobile node SHOULD

Johnson, et al. Standard Track [Page 107] RFC 3775 Mobility Support in IPv6 June 2004

    send the packets directly to the correspondent node.  Otherwise,
    if a binding does not exist, the mobile node MUST use reverse
    tunneling.
 o  The mobile node MAY choose to directly use one of its care-of
    addresses as the source of the packet, not requiring the use of a
    Home Address option in the packet.  This is particularly useful
    for short-term communication that may easily be retried if it
    fails.  Using the mobile node's care-of address as the source for
    such queries will generally have a lower overhead than using the
    mobile node's home address, since no extra options need be used in
    either the query or its reply.  Such packets can be routed
    normally, directly between their source and destination without
    relying on Mobile IPv6.  If application running on the mobile node
    has no particular knowledge that the communication being sent fits
    within this general type of communication, however, the mobile
    node should not use its care-of address as the source of the
    packet in this way.
    The choice of the most efficient communications method is
    application specific, and outside the scope of this specification.
    The APIs necessary for controlling the choice are also out of
    scope.
 o  While not at its home link, the mobile node MUST NOT use the Home
    Address destination option when communicating with link-local or
    site-local peers, if the scope of the home address is larger than
    the scope of the peer's address.
    Similarly, the mobile node MUST NOT use the Home Address
    destination option for IPv6 Neighbor Discovery [12] packets.
 Detailed operation of these cases is described later in this section
 and also discussed in [31].
 For packets sent by a mobile node while it is at home, no special
 Mobile IPv6 processing is required.  Likewise, if the mobile node
 uses any address other than one of its home addresses as the source
 of a packet sent while away from home, no special Mobile IPv6
 processing is required.  In either case, the packet is simply
 addressed and transmitted in the same way as any normal IPv6 packet.
 For packets sent by the mobile node sent while away from home using
 the mobile node's home address as the source, special Mobile IPv6
 processing of the packet is required.  This can be done in the
 following two ways:

Johnson, et al. Standard Track [Page 108] RFC 3775 Mobility Support in IPv6 June 2004

 Route Optimization
 This manner of delivering packets does not require going through the
 home network, and typically will enable faster and more reliable
 transmission.
 The mobile node needs to ensure that a Binding Cache entry exists for
 its home address so that the correspondent node can process the
 packet (Section 9.3.1 specifies the rules for Home Address
 Destination Option Processing at a correspondent node).  The mobile
 node SHOULD examine its Binding Update List for an entry which
 fulfills the following conditions:
  • The Source Address field of the packet being sent is equal to the

home address in the entry.

  • The Destination Address field of the packet being sent is equal to

the address of the correspondent node in the entry.

  • One of the current care-of addresses of the mobile node appears as

the care-of address in the entry.

  • The entry indicates that a binding has been successfully created.
  • The remaining lifetime of the binding is greater than zero.
 When these conditions are met, the mobile node knows that the
 correspondent node has a suitable Binding Cache entry.
 A mobile node SHOULD arrange to supply the home address in a Home
 Address option, and MUST set the IPv6 header's Source Address field
 to the care-of address which the mobile node has registered to be
 used with this correspondent node.  The correspondent node will then
 use the address supplied in the Home Address option to serve the
 function traditionally done by the Source IP address in the IPv6
 header.  The mobile node's home address is then supplied to higher
 protocol layers and applications.
 Specifically:
  • Construct the packet using the mobile node's home address as the

packet's Source Address, in the same way as if the mobile node

    were at home.  This includes the calculation of upper layer
    checksums using the home address as the value of the source.
  • Insert a Home Address option into the packet with the Home Address

field copied from the original value of the Source Address field

    in the packet.

Johnson, et al. Standard Track [Page 109] RFC 3775 Mobility Support in IPv6 June 2004

  • Change the Source Address field in the packet's IPv6 header to one

of the mobile node's care-of addresses. This will typically be

    the mobile node's current primary care-of address, but MUST be an
    address assigned to the interface on the link being used.
 By using the care-of address as the Source Address in the IPv6
 header, with the mobile node's home address instead in the Home
 Address option, the packet will be able to safely pass through any
 router implementing ingress filtering [26].
 Reverse Tunneling
    This is the mechanism which tunnels the packets via the home
    agent.  It is not as efficient as the above mechanism, but is
    needed if there is no binding yet with the correspondent node.
    This mechanism is used for packets that have the mobile node's
    home address as the Source Address in the IPv6 header, or with
    multicast control protocol packets as described in Section 11.3.4.
    Specifically:
  • The packet is sent to the home agent using IPv6 encapsulation

[15].

  • The Source Address in the tunnel packet is the primary care-of

address as registered with the home agent.

  • The Destination Address in the tunnel packet is the home

agent's address.

    Then, the home agent will pass the encapsulated packet to the
    correspondent node.

11.3.2. Interaction with Outbound IPsec Processing

 This section sketches the interaction between outbound Mobile IPv6
 processing and outbound IP Security (IPsec) processing for packets
 sent by a mobile node while away from home.  Any specific
 implementation MAY use algorithms and data structures other than
 those suggested here, but its processing MUST be consistent with the
 effect of the operation described here and with the relevant IPsec
 specifications.  In the steps described below, it is assumed that
 IPsec is being used in transport mode [4] and that the mobile node is
 using its home address as the source for the packet (from the point
 of view of higher protocol layers or applications, as described in
 Section 11.3.1):

Johnson, et al. Standard Track [Page 110] RFC 3775 Mobility Support in IPv6 June 2004

 o  The packet is created by higher layer protocols and applications
    (e.g., by TCP) as if the mobile node were at home and Mobile IPv6
    were not being used.
 o  Determine the outgoing interface for the packet.  (Note that the
    selection between reverse tunneling and route optimization may
    imply different interfaces, particularly if tunnels are considered
    interfaces as well.)
 o  As part of outbound packet processing in IP, the packet is
    compared against the IPsec security policy database to determine
    what processing is required for the packet [4].
 o  If IPsec processing is required, the packet is either mapped to an
    existing Security Association (or SA bundle), or a new SA (or SA
    bundle) is created for the packet, according to the procedures
    defined for IPsec.
 o  Since the mobile node is away from home, the mobile is either
    using reverse tunneling or route optimization to reach the
    correspondent node.
    If reverse tunneling is used, the packet is constructed in the
    normal manner and then tunneled through the home agent.
    If route optimization is in use, the mobile node inserts a Home
    Address destination option into the packet, replacing the Source
    Address in the packet's IP header with the care-of address used
    with this correspondent node, as described in Section 11.3.1.  The
    Destination Options header in which the Home Address destination
    option is inserted MUST appear in the packet after the routing
    header, if present, and before the IPsec (AH [5] or ESP [6])
    header, so that the Home Address destination option is processed
    by the destination node before the IPsec header is processed.
    Finally, once the packet is fully assembled, the necessary IPsec
    authentication (and encryption, if required) processing is
    performed on the packet, initializing the Authentication Data in
    the IPsec header.
    RFC 2402 treatment of destination options is extended as follows.
    The AH authentication data MUST be calculated as if the following
    were true:
  • the IPv6 source address in the IPv6 header contains the mobile

node's home address,

Johnson, et al. Standard Track [Page 111] RFC 3775 Mobility Support in IPv6 June 2004

  • the Home Address field of the Home Address destination option

(Section 6.3) contains the new care-of address.

 o  This allows, but does not require, the receiver of the packet
    containing a Home Address destination option to exchange the two
    fields of the incoming packet to reach the above situation,
    simplifying processing for all subsequent packet headers.
    However, such an exchange is not required, as long as the result
    of the authentication calculation remains the same.
 When an automated key management protocol is used to create new
 security associations for a peer, it is important to ensure that the
 peer can send the key management protocol packets to the mobile node.
 This may not be possible if the peer is the home agent of the mobile
 node and the purpose of the security associations would be to send a
 Binding Update to the home agent.  Packets addressed to the home
 address of the mobile node cannot be used before the Binding Update
 has been processed.  For the default case of using IKE [9] as the
 automated key management protocol, such problems can be avoided by
 the following requirements when communicating with its home agent:
 o  When the mobile node is away from home, it MUST use its care-of
    address as the Source Address of all packets it sends as part of
    the key management protocol (without use of Mobile IPv6 for these
    packets, as suggested in Section 11.3.1).
 o  In addition, for all security associations bound to the mobile
    node's home address established by IKE, the mobile node MUST
    include an ISAKMP Identification Payload [8] in the IKE phase 2
    exchange, giving the mobile node's home address as the initiator
    of the Security Association [7].
 The Key Management Mobility Capability (K) bit in Binding Updates and
 Acknowledgements can be used to avoid the need to rerun IKE upon
 movements.

11.3.3. Receiving Packets While Away from Home

 While away from home, a mobile node will receive packets addressed to
 its home address, by one of two methods:
 o  Packets sent by a correspondent node, that does not have a Binding
    Cache entry for the mobile node, will be sent to the home address,
    captured by the home agent and tunneled to the mobile node.
 o  Packets sent by a correspondent node that has a Binding Cache
    entry for the mobile node that contains the mobile node's current
    care-of address, will be sent by the correspondent node using a

Johnson, et al. Standard Track [Page 112] RFC 3775 Mobility Support in IPv6 June 2004

    type 2 routing header.  The packet will be addressed to the mobile
    node's care-of address, with the final hop in the routing header
    directing the packet to the mobile node's home address; the
    processing of this last hop of the routing header is entirely
    internal to the mobile node, since the care-of address and home
    address are both addresses within the mobile node.
 For packets received by the first method, the mobile node MUST check
 that the IPv6 source address of the tunneled packet is the IP address
 of its home agent.  In this method, the mobile node may also send a
 Binding Update to the original sender of the packet as described in
 Section 11.7.2 and subject to the rate limiting defined in Section
 11.8.  The mobile node MUST also process the received packet in the
 manner defined for IPv6 encapsulation [15], which will result in the
 encapsulated (inner) packet being processed normally by upper-layer
 protocols within the mobile node as if it had been addressed (only)
 to the mobile node's home address.
 For packets received by the second method, the following rules will
 result in the packet being processed normally by upper-layer
 protocols within the mobile node as if it had been addressed to the
 mobile node's home address.
 A node receiving a packet addressed to itself (i.e., one of the
 node's addresses is in the IPv6 destination field) follows the next
 header chain of headers and processes them.  When it encounters a
 type 2 routing header during this processing, it performs the
 following checks.  If any of these checks fail, the node MUST
 silently discard the packet.
 o  The length field in the routing header is exactly 2.
 o  The segments left field in the routing header is 1 on the wire.
    (But implementations may process the routing header so that the
    value may become 0 after the routing header has been processed,
    but before the rest of the packet is processed.)
 o  The Home Address field in the routing header is one of the node's
    home addresses, if the segments left field was 1.  Thus, in
    particular the address field is required to be a unicast routable
    address.
 Once the above checks have been performed, the node swaps the IPv6
 destination field with the Home Address field in the routing header,
 decrements segments left by one from the value it had on the wire,
 and resubmits the packet to IP for processing the next header.

Johnson, et al. Standard Track [Page 113] RFC 3775 Mobility Support in IPv6 June 2004

 Conceptually, this follows the same model as in RFC 2460.  However,
 in the case of type 2 routing header this can be simplified since it
 is known that the packet will not be forwarded to a different node.
 The definition of AH requires the sender to calculate the AH
 integrity check value of a routing header in the same way it appears
 in the receiver after it has processed the header.  Since IPsec
 headers follow the routing header, any IPsec processing will operate
 on the packet with the home address in the IP destination field and
 segments left being zero.  Thus, the AH calculations at the sender
 and receiver will have an identical view of the packet.

11.3.4. Routing Multicast Packets

 A mobile node that is connected to its home link functions in the
 same way as any other (stationary) node.  Thus, when it is at home, a
 mobile node functions identically to other multicast senders and
 receivers.  Therefore, this section describes the behavior of a
 mobile node that is not on its home link.
 In order to receive packets sent to some multicast group, a mobile
 node must join that multicast group.  One method, in which a mobile
 node MAY join the group, is via a (local) multicast router on the
 foreign link being visited.  In this case, the mobile node MUST use
 its care-of address and MUST NOT use the Home Address destination
 option when sending MLD packets [17].
 Alternatively, a mobile node MAY join multicast groups via a bi-
 directional tunnel to its home agent.  The mobile node tunnels its
 multicast group membership control packets (such as those defined in
 [17] or in [37]) to its home agent, and the home agent forwards
 multicast packets down the tunnel to the mobile node.  A mobile node
 MUST NOT tunnel multicast group membership control packets until (1)
 the mobile node has a binding in place at the home agent, and (2) the
 latter sends at least one multicast group membership control packet
 via the tunnel.  Once this condition is true, the mobile node SHOULD
 assume it does not change as long as the binding does not expire.
 A mobile node that wishes to send packets to a multicast group also
 has two options:
 1.  Send directly on the foreign link being visited.
     The application is aware of the care-of address and uses it as a
     source address for multicast traffic, just like it would use a
     stationary address.  The mobile node MUST NOT use Home Address
     destination option in such traffic.

Johnson, et al. Standard Track [Page 114] RFC 3775 Mobility Support in IPv6 June 2004

 2.  Send via a tunnel to its home agent.
     Because multicast routing in general depends upon the Source
     Address used in the IPv6 header of the multicast packet, a mobile
     node that tunnels a multicast packet to its home agent MUST use
     its home address as the IPv6 Source Address of the inner
     multicast packet.
 Note that direct sending from the foreign link is only applicable
 while the mobile node is at that foreign link.  This is because the
 associated multicast tree is specific to that source location and any
 change of location and source address will invalidate the source
 specific tree or branch and the application context of the other
 multicast group members.
 This specification does not provide mechanisms to enable such local
 multicast session to survive hand-off and to seamlessly continue from
 a new care-of address on each new foreign link.  Any such mechanism,
 developed as an extension to this specification, needs to take into
 account the impact of fast moving mobile nodes on the Internet
 multicast routing protocols and their ability to maintain the
 integrity of source specific multicast trees and branches.
 While the use of bidirectional tunneling can ensure that multicast
 trees are independent of the mobile nodes movement, in some case such
 tunneling can have adverse affects.  The latency of specific types of
 multicast applications (such as multicast based discovery protocols)
 will be affected when the round-trip time between the foreign subnet
 and the home agent is significant compared to that of the topology to
 be discovered.  In addition, the delivery tree from the home agent in
 such circumstances relies on unicast encapsulation from the agent to
 the mobile node.  Therefore, bandwidth usage is inefficient compared
 to the native multicast forwarding in the foreign multicast system.

11.3.5. Receiving ICMP Error Messages

 Any node that does not recognize the Mobility header will return an
 ICMP Parameter Problem, Code 1, message to the sender of the packet.
 If the mobile node receives such an ICMP error message in response to
 a return routability procedure or Binding Update, it SHOULD record in
 its Binding Update List that future Binding Updates SHOULD NOT be
 sent to this destination.  Such Binding Update List entries SHOULD be
 removed after a period of time in order to allow for retrying route
 optimization.
 New Binding Update List entries MUST NOT be created as a result of
 receiving ICMP error messages.

Johnson, et al. Standard Track [Page 115] RFC 3775 Mobility Support in IPv6 June 2004

 Correspondent nodes that have participated in the return routability
 procedure MUST implement the ability to correctly process received
 packets containing a Home Address destination option.  Therefore,
 correctly implemented correspondent nodes should always be able to
 recognize Home Address options.  If a mobile node receives an ICMP
 Parameter Problem, Code 2, message from some node indicating that it
 does not support the Home Address option, the mobile node SHOULD log
 the error and then discard the ICMP message.

11.3.6. Receiving Binding Error Messages

 When a mobile node receives a packet containing a Binding Error
 message, it should first check if the mobile node has a Binding
 Update List entry for the source of the Binding Error message.  If
 the mobile node does not have such an entry, it MUST ignore the
 message.  This is necessary to prevent a waste of resources on, e.g.,
 return routability procedure due to spoofed Binding Error messages.
 Otherwise, if the message Status field was 1 (unknown binding for
 Home Address destination option), the mobile node should perform one
 of the following two actions:
 o  If the mobile node has recent upper layer progress information,
    which indicates that communications with the correspondent node
    are progressing, it MAY ignore the message.  This can be done in
    order to limit the damage that spoofed Binding Error messages can
    cause to ongoing communications.
 o  If the mobile node has no upper layer progress information, it
    MUST remove the entry and route further communications through the
    home agent.  It MAY also optionally start a return routability
    procedure (see Section 5.2).
 If the message Status field was 2 (unrecognized MH Type value), the
 mobile node should perform one of the following two actions:
 o  If the mobile node is not expecting an acknowledgement or response
    from the correspondent node, the mobile node SHOULD ignore this
    message.
 o  Otherwise, the mobile node SHOULD cease the use of any extensions
    to this specification.  If no extensions had been used, the mobile
    node should cease the attempt to use route optimization.

Johnson, et al. Standard Track [Page 116] RFC 3775 Mobility Support in IPv6 June 2004

11.4. Home Agent and Prefix Management

11.4.1. Dynamic Home Agent Address Discovery

 Sometimes when the mobile node needs to send a Binding Update to its
 home agent to register its new primary care-of address, as described
 in Section 11.7.1, the mobile node may not know the address of any
 router on its home link that can serve as a home agent for it.  For
 example, some nodes on its home link may have been reconfigured while
 the mobile node has been away from home, such that the router that
 was operating as the mobile node's home agent has been replaced by a
 different router serving this role.
 In this case, the mobile node MAY attempt to discover the address of
 a suitable home agent on its home link.  To do so, the mobile node
 sends an ICMP Home Agent Address Discovery Request message to the
 Mobile IPv6 Home-Agents anycast address [16] for its home subnet
 prefix.  As described in Section 10.5, the home agent on its home
 link that receives this Request message will return an ICMP Home
 Agent Address Discovery Reply message.  This message gives the
 addresses for the home agents operating on the home link.
 The mobile node, upon receiving this Home Agent Address Discovery
 Reply message, MAY then send its home registration Binding Update to
 any of the unicast IP addresses listed in the Home Agent Addresses
 field in the Reply.  For example, the mobile node MAY attempt its
 home registration to each of these addresses, in turn, until its
 registration is accepted.  The mobile node sends a Binding Update to
 an address and waits for the matching Binding Acknowledgement, moving
 on to the next address if there is no response.  The mobile node
 MUST, however, wait at least InitialBindackTimeoutFirstReg seconds
 (see Section 13) before sending a Binding Update to the next home
 agent.  In trying each of the returned home agent addresses, the
 mobile node SHOULD try each of them in the order they appear in the
 Home Agent Addresses field in the received Home Agent Address
 Discovery Reply message.
 If the mobile node has a current registration with some home agent
 (the Lifetime for that registration has not yet expired), then the
 mobile node MUST attempt any new registration first with that home
 agent.  If that registration attempt fails (e.g., timed out or
 rejected), the mobile node SHOULD then reattempt this registration
 with another home agent.  If the mobile node knows of no other
 suitable home agent, then it MAY attempt the dynamic home agent
 address discovery mechanism described above.

Johnson, et al. Standard Track [Page 117] RFC 3775 Mobility Support in IPv6 June 2004

 If, after a mobile node transmits a Home Agent Address Discovery
 Request message to the Home Agents Anycast address, it does not
 receive a corresponding Home Agent Address Discovery Reply message
 within INITIAL_DHAAD_TIMEOUT (see Section 12) seconds, the mobile
 node MAY retransmit the same Request message to the same anycast
 address.  This retransmission MAY be repeated up to a maximum of
 DHAAD_RETRIES (see Section 12) attempts.  Each retransmission MUST be
 delayed by twice the time interval of the previous retransmission.

11.4.2. Sending Mobile Prefix Solicitations

 When a mobile node has a home address that is about to become
 invalid, it SHOULD send a Mobile Prefix Solicitation to its home
 agent in an attempt to acquire fresh routing prefix information.  The
 new information also enables the mobile node to participate in
 renumbering operations affecting the home network, as described in
 Section 10.6.
 The mobile node MUST use the Home Address destination option to carry
 its home address.  The mobile node MUST support and SHOULD use IPsec
 to protect the solicitation.  The mobile node MUST set the Identifier
 field in the ICMP header to a random value.
 As described in Section 11.7.2, Binding Updates sent by the mobile
 node to other nodes MUST use a lifetime no greater than the remaining
 lifetime of its home registration of its primary care-of address.
 The mobile node SHOULD further limit the lifetimes that it sends on
 any Binding Updates to be within the remaining valid lifetime (see
 Section 10.6.2) for the prefix in its home address.
 When the lifetime for a changed prefix decreases, and the change
 would cause cached bindings at correspondent nodes in the Binding
 Update List to be stored past the newly shortened lifetime, the
 mobile node MUST issue a Binding Update to all such correspondent
 nodes.
 These limits on the binding lifetime serve to prohibit use of a
 mobile node's home address after it becomes invalid.

11.4.3. Receiving Mobile Prefix Advertisements

 Section 10.6 describes the operation of a home agent to support boot
 time configuration and renumbering a mobile node's home subnet while
 the mobile node is away from home.  The home agent sends Mobile
 Prefix Advertisements to the mobile node while away from home, giving
 "important" Prefix Information options that describe changes in the
 prefixes in use on the mobile node's home link.

Johnson, et al. Standard Track [Page 118] RFC 3775 Mobility Support in IPv6 June 2004

 The Mobile Prefix Solicitation is similar to the Router Solicitation
 used in Neighbor Discovery [12], except it is routed from the mobile
 node on the visited network to the home agent on the home network by
 usual unicast routing rules.
 When a mobile node receives a Mobile Prefix Advertisement, it MUST
 validate it according to the following test:
 o  The Source Address of the IP packet carrying the Mobile Prefix
    Advertisement is the same as the home agent address to which the
    mobile node last sent an accepted home registration Binding Update
    to register its primary care-of address.  Otherwise, if no such
    registrations have been made, it SHOULD be the mobile node's
    stored home agent address, if one exists.  Otherwise, if the
    mobile node has not yet discovered its home agent's address, it
    MUST NOT accept Mobile Prefix Advertisements.
 o  The packet MUST have a type 2 routing header and SHOULD be
    protected by an IPsec header as described in Section 5.4 and
    Section 6.8.
 o  If the ICMP Identifier value matches the ICMP Identifier value of
    the most recently sent Mobile Prefix Solicitation and no other
    advertisement has yet been received for this value, then the
    advertisement is considered to be solicited and will be processed
    further.
    Otherwise, the advertisement is unsolicited, and MUST be
    discarded.  In this case the mobile node SHOULD send a Mobile
    Prefix Solicitation.
 Any received Mobile Prefix Advertisement not meeting these tests MUST
 be silently discarded.
 For an accepted Mobile Prefix Advertisement, the mobile node MUST
 process Managed Address Configuration (M), Other Stateful
 Configuration (O), and the Prefix Information Options as if they
 arrived in a Router Advertisement [12] on the mobile node's home
 link.  (This specification does not, however, describe how to acquire
 home addresses through stateful protocols.)  Such processing may
 result in the mobile node configuring a new home address, although
 due to separation between preferred lifetime and valid lifetime, such
 changes should not affect most communications by the mobile node, in
 the same way as for nodes that are at home.
 This specification assumes that any security associations and
 security policy entries that may be needed for new prefixes have been
 pre-configured in the mobile node.  Note that while dynamic key

Johnson, et al. Standard Track [Page 119] RFC 3775 Mobility Support in IPv6 June 2004

 management avoids the need to create new security associations, it is
 still necessary to add policy entries to protect the communications
 involving the home address(es).  Mechanisms for automatic set-up of
 these entries are outside the scope of this specification.

11.5. Movement

11.5.1. Movement Detection

 The primary goal of movement detection is to detect L3 handovers.
 This section does not attempt to specify a fast movement detection
 algorithm which will function optimally for all types of
 applications, link-layers and deployment scenarios; instead, it
 describes a generic method that uses the facilities of IPv6 Neighbor
 Discovery, including Router Discovery and Neighbor Unreachability
 Detection.  At the time of this writing, this method is considered
 well enough understood to recommend for standardization, however it
 is expected that future versions of this specification or other
 specifications may contain updated versions of the movement detection
 algorithm that have better performance.
 Generic movement detection uses Neighbor Unreachability Detection to
 detect when the default router is no longer bi-directionally
 reachable, in which case the mobile node must discover a new default
 router (usually on a new link).  However, this detection only occurs
 when the mobile node has packets to send, and in the absence of
 frequent Router Advertisements or indications from the link-layer,
 the mobile node might become unaware of an L3 handover that occurred.
 Therefore, the mobile node should supplement this method with other
 information whenever it is available to the mobile node (e.g., from
 lower protocol layers).
 When the mobile node detects an L3 handover, it performs Duplicate
 Address Detection [13] on its link-local address, selects a new
 default router as a consequence of Router Discovery, and then
 performs Prefix Discovery with that new router to form new care-of
 address(es) as described in Section 11.5.2.  It then registers its
 new primary care-of address with its home agent as described in
 Section 11.7.1.  After updating its home registration, the mobile
 node then updates associated mobility bindings in correspondent nodes
 that it is performing route optimization with as specified in Section
 11.7.2.
 Due to the temporary packet flow disruption and signaling overhead
 involved in updating mobility bindings, the mobile node should avoid
 performing an L3 handover until it is strictly necessary.
 Specifically, when the mobile node receives a Router Advertisement
 from a new router that contains a different set of on-link prefixes,

Johnson, et al. Standard Track [Page 120] RFC 3775 Mobility Support in IPv6 June 2004

 if the mobile node detects that the currently selected default router
 on the old link is still bi-directionally reachable, it should
 generally continue to use the old router on the old link rather than
 switch away from it to use a new default router.
 Mobile nodes can use the information in received Router
 Advertisements to detect L3 handovers.  In doing so the mobile node
 needs to consider the following issues:
 o  There might be multiple routers on the same link, thus hearing a
    new router does not necessarily constitute an L3 handover.
 o  When there are multiple routers on the same link they might
    advertise different prefixes.  Thus even hearing a new router with
    a new prefix might not be a reliable indication of an L3 handover.
 o  The link-local addresses of routers are not globally unique, hence
    after completing an L3 handover the mobile node might continue to
    receive Router Advertisements with the same link-local source
    address.  This might be common if routers use the same link-local
    address on multiple interfaces.  This issue can be avoided when
    routers use the Router Address (R) bit, since that provides a
    global address of the router.
 In addition, the mobile node should consider the following events as
 indications that an L3 handover may have occurred.  Upon receiving
 such indications, the mobile node needs to perform Router Discovery
 to discover routers and prefixes on the new link, as described in
 Section 6.3.7 of RFC 2461 [12].
 o  If Router Advertisements that the mobile node receives include an
    Advertisement Interval option, the mobile node may use its
    Advertisement Interval field as an indication of the frequency
    with which it should expect to continue to receive future
    Advertisements from that router.  This field specifies the minimum
    rate (the maximum amount of time between successive
    Advertisements) that the mobile node should expect.  If this
    amount of time elapses without the mobile node receiving any
    Advertisement from this router, the mobile node can be sure that
    at least one Advertisement sent by the router has been lost.  The
    mobile node can then implement its own policy to determine how
    many lost Advertisements from its current default router
    constitute an L3 handover indication.
 o  Neighbor Unreachability Detection determines that the default
    router is no longer reachable.

Johnson, et al. Standard Track [Page 121] RFC 3775 Mobility Support in IPv6 June 2004

 o  With some types of networks, notification that an L2 handover has
    occurred might be obtained from lower layer protocols or device
    driver software within the mobile node.  While further details
    around handling L2 indications as movement hints is an item for
    further study, at the time of writing this specification the
    following is considered reasonable:
    An L2 handover indication may or may not imply L2 movement and L2
    movement may or may not imply L3 movement; the correlations might
    be a function of the type of L2 but might also be a function of
    actual deployment of the wireless topology.
    Unless it is well-known that an L2 handover indication is likely
    to imply L3 movement, instead of immediately multicasting a router
    solicitation it may be better to attempt to verify whether the
    default router is still bi-directionally reachable.  This can be
    accomplished by sending a unicast Neighbor Solicitation and
    waiting for a Neighbor Advertisement with the solicited flag set.
    Note that this is similar to Neighbor Unreachability detection but
    it does not have the same state machine, such as the STALE state.
    If the default router does not respond to the Neighbor
    Solicitation it makes sense to proceed to multicasting a Router
    Solicitation.

11.5.2. Forming New Care-of Addresses

 After detecting that it has moved a mobile node SHOULD generate a new
 primary care-of address using normal IPv6 mechanisms.  This SHOULD
 also be done when the current primary care-of address becomes
 deprecated.  A mobile node MAY form a new primary care-of address at
 any time, but a mobile node MUST NOT send a Binding Update about a
 new care-of address to its home agent more than MAX_UPDATE_RATE times
 within a second.
 In addition, a mobile node MAY form new non-primary care-of addresses
 even when it has not switched to a new default router.  A mobile node
 can have only one primary care-of address at a time (which is
 registered with its home agent), but it MAY have an additional care-
 of address for any or all of the prefixes on its current link.
 Furthermore, since a wireless network interface may actually allow a
 mobile node to be reachable on more than one link at a time (i.e.,
 within wireless transmitter range of routers on more than one
 separate link), a mobile node MAY have care-of addresses on more than
 one link at a time.  The use of more than one care-of address at a
 time is described in Section 11.5.3.

Johnson, et al. Standard Track [Page 122] RFC 3775 Mobility Support in IPv6 June 2004

 As described in Section 4, in order to form a new care-of address, a
 mobile node MAY use either stateless [13] or stateful (e.g., DHCPv6
 [29]) Address Autoconfiguration.  If a mobile node needs to use a
 source address (other than the unspecified address) in packets sent
 as a part of address autoconfiguration, it MUST use an IPv6 link-
 local address rather than its own IPv6 home address.
 RFC 2462 [13] specifies that in normal processing for Duplicate
 Address Detection, the node SHOULD delay sending the initial Neighbor
 Solicitation message by a random delay between 0 and
 MAX_RTR_SOLICITATION_DELAY.  Since delaying DAD can result in
 significant delays in configuring a new care-of address when the
 Mobile Node moves to a new link, the Mobile Node preferably SHOULD
 NOT delay DAD when configuring a new care-of address.  The Mobile
 Node SHOULD delay according to the mechanisms specified in RFC 2462
 unless the implementation has a behavior that desynchronizes the
 steps that happen before the DAD in the case that multiple nodes
 experience handover at the same time.  Such desynchronizing behaviors
 might be due to random delays in the L2 protocols or device drivers,
 or due to the movement detection mechanism that is used.

11.5.3. Using Multiple Care-of Addresses

 As described in Section 11.5.2, a mobile node MAY use more than one
 care-of address at a time.  Particularly in the case of many wireless
 networks, a mobile node effectively might be reachable through
 multiple links at the same time (e.g., with overlapping wireless
 cells), on which different on-link subnet prefixes may exist.  The
 mobile node MUST ensure that its primary care-of address always has a
 prefix that is advertised by its current default router.  After
 selecting a new primary care-of address, the mobile node MUST send a
 Binding Update containing that care-of address to its home agent.
 The Binding Update MUST have the Home Registration (H) and
 Acknowledge (A) bits set its home agent, as described on Section
 11.7.1.
 To assist with smooth handovers, a mobile node SHOULD retain its
 previous primary care-of address as a (non-primary) care-of address,
 and SHOULD still accept packets at this address, even after
 registering its new primary care-of address with its home agent.
 This is reasonable, since the mobile node could only receive packets
 at its previous primary care-of address if it were indeed still
 connected to that link.  If the previous primary care-of address was
 allocated using stateful Address Autoconfiguration [29], the mobile
 node may not wish to release the address immediately upon switching
 to a new primary care-of address.

Johnson, et al. Standard Track [Page 123] RFC 3775 Mobility Support in IPv6 June 2004

 Whenever a mobile node determines that it is no longer reachable
 through a given link, it SHOULD invalidate all care-of addresses
 associated with address prefixes that it discovered from routers on
 the unreachable link which are not in the current set of address
 prefixes advertised by the (possibly new) current default router.

11.5.4. Returning Home

 A mobile node detects that it has returned to its home link through
 the movement detection algorithm in use (Section 11.5.1), when the
 mobile node detects that its home subnet prefix is again on-link.
 The mobile node SHOULD then send a Binding Update to its home agent,
 to instruct its home agent to no longer intercept or tunnel packets
 for it.  In this home registration, the mobile node MUST set the
 Acknowledge (A) and Home Registration (H) bits, set the Lifetime
 field to zero, and set the care-of address for the binding to the
 mobile node's own home address.  The mobile node MUST use its home
 address as the source address in the Binding Update.
 When sending this Binding Update to its home agent, the mobile node
 must be careful in how it uses Neighbor Solicitation [12] (if needed)
 to learn the home agent's link-layer address, since the home agent
 will be currently configured to intercept packets to the mobile
 node's home address using Duplicate Address Detection (DAD).  In
 particular, the mobile node is unable to use its home address as the
 Source Address in the Neighbor Solicitation until the home agent
 stops defending the home address.
 Neighbor Solicitation by the mobile node for the home agent's address
 will normally not be necessary, since the mobile node has already
 learned the home agent's link-layer address from a Source Link-Layer
 Address option in a Router Advertisement.  However, if there are
 multiple home agents it may still be necessary to send a
 solicitation.  In this special case of the mobile node returning
 home, the mobile node MUST multicast the packet, and in addition set
 the Source Address of this Neighbor Solicitation to the unspecified
 address (0:0:0:0:0:0:0:0).  The target of the Neighbor Solicitation
 MUST be set to the mobile node's home address.  The destination IP
 address MUST be set to the Solicited-Node multicast address [3].  The
 home agent will send a multicast Neighbor Advertisement back to the
 mobile node with the Solicited flag (S) set to zero.  In any case,
 the mobile node SHOULD record the information from the Source Link-
 Layer Address option or from the advertisement, and set the state of
 the Neighbor Cache entry for the home agent to REACHABLE.
 The mobile node then sends its Binding Update to the home agent's
 link-layer address, instructing its home agent to no longer serve as
 a home agent for it.  By processing this Binding Update, the home

Johnson, et al. Standard Track [Page 124] RFC 3775 Mobility Support in IPv6 June 2004

 agent will cease defending the mobile node's home address for
 Duplicate Address Detection and will no longer respond to Neighbor
 Solicitations for the mobile node's home address.  The mobile node is
 then the only node on the link receiving packets at the mobile node's
 home address.  In addition, when returning home prior to the
 expiration of a current binding for its home address, and configuring
 its home address on its network interface on its home link, the
 mobile node MUST NOT perform Duplicate Address Detection on its own
 home address, in order to avoid confusion or conflict with its home
 agent's use of the same address.  This rule also applies to the
 derived link-local address of the mobile node, if the Link Local
 Address Compatibility (L) bit was set when the binding was created.
 If the mobile node returns home after the bindings for all of its
 care-of addresses have expired, then it SHOULD perform DAD.
 After the Mobile Node sends the Binding Update, it MUST be prepared
 to reply to Neighbor Solicitations for its home address.  Such
 replies MUST be sent using a unicast Neighbor Advertisement to the
 sender's link-layer address.  It is necessary to reply, since sending
 the Binding Acknowledgement from the home agent may require
 performing Neighbor Discovery, and the mobile node may not be able to
 distinguish Neighbor Solicitations coming from the home agent from
 other Neighbor Solicitations.  Note that a race condition exists
 where both the mobile node and the home agent respond to the same
 solicitations sent by other nodes; this will be only temporary,
 however, until the Binding Update is accepted.
 After receiving the Binding Acknowledgement for its Binding Update to
 its home agent, the mobile node MUST multicast onto the home link (to
 the all-nodes multicast address) a Neighbor Advertisement [12], to
 advertise the mobile node's own link-layer address for its own home
 address.  The Target Address in this Neighbor Advertisement MUST be
 set to the mobile node's home address, and the Advertisement MUST
 include a Target Link-layer Address option specifying the mobile
 node's link-layer address.  The mobile node MUST multicast such a
 Neighbor Advertisement for each of its home addresses, as defined by
 the current on-link prefixes, including its link-local address and
 site-local address.  The Solicited Flag (S) in these Advertisements
 MUST NOT be set, since they were not solicited by any Neighbor
 Solicitation.  The Override Flag (O) in these Advertisements MUST be
 set, indicating that the Advertisements SHOULD override any existing
 Neighbor Cache entries at any node receiving them.
 Since multicasting on the local link (such as Ethernet) is typically
 not guaranteed to be reliable, the mobile node MAY retransmit these
 Neighbor Advertisements [12] up to MAX_NEIGHBOR_ADVERTISEMENT times
 to increase their reliability.  It is still possible that some nodes

Johnson, et al. Standard Track [Page 125] RFC 3775 Mobility Support in IPv6 June 2004

 on the home link will not receive any of these Neighbor
 Advertisements, but these nodes will eventually be able to recover
 through use of Neighbor Unreachability Detection [12].
 Note that the tunnel via the home agent typically stops operating at
 the same time that the home registration is deleted.

11.6. Return Routability Procedure

 This section defines the rules that the mobile node must follow when
 performing the return routability procedure.  Section 11.7.2
 describes the rules when the return routability procedure needs to be
 initiated.

11.6.1. Sending Test Init Messages

 A mobile node that initiates a return routability procedure MUST send
 (in parallel) a Home Test Init message and a Care-of Test Init
 messages.  However, if the mobile node has recently received (see
 Section 5.2.7) one or both home or care-of keygen tokens, and
 associated nonce indices for the desired addresses, it MAY reuse
 them.  Therefore, the return routability procedure may in some cases
 be completed with only one message pair.  It may even be completed
 without any messages at all, if the mobile node has a recent home
 keygen token and has previously visited the same care-of address so
 that it also has a recent care-of keygen token.  If the mobile node
 intends to send a Binding Update with the Lifetime set to zero and
 the care-of address equal to its home address - such as when
 returning home - sending a Home Test Init message is sufficient.  In
 this case, generation of the binding management key depends
 exclusively on the home keygen token (Section 5.2.5).
 A Home Test Init message MUST be created as described in Section
 6.1.3.
 A Care-of Test Init message MUST be created as described in Section
 6.1.4.  When sending a Home Test Init or Care-of Test Init message
 the mobile node MUST record in its Binding Update List the following
 fields from the messages:
 o  The IP address of the node to which the message was sent.
 o  The home address of the mobile node.  This value will appear in
    the Source Address field of the Home Test Init message.  When
    sending the Care-of Test Init message, this address does not
    appear in the message, but represents the home address for which
    the binding is desired.

Johnson, et al. Standard Track [Page 126] RFC 3775 Mobility Support in IPv6 June 2004

 o  The time at which each of these messages was sent.
 o  The cookies used in the messages.
 Note that a single Care-of Test Init message may be sufficient even
 when there are multiple home addresses.  In this case the mobile node
 MAY record the same information in multiple Binding Update List
 entries.

11.6.2. Receiving Test Messages

 Upon receiving a packet carrying a Home Test message, a mobile node
 MUST validate the packet according to the following tests:
 o  The Source Address of the packet belongs to a correspondent node
    for which the mobile node has a Binding Update List entry with a
    state indicating that return routability procedure is in progress.
    Note that there may be multiple such entries.
 o  The Binding Update List indicates that no home keygen token has
    been received yet.
 o  The Destination Address of the packet has the home address of the
    mobile node, and the packet has been received in a tunnel from the
    home agent.
 o  The Home Init Cookie field in the message matches the value stored
    in the Binding Update List.
 Any Home Test message not satisfying all of these tests MUST be
 silently ignored.  Otherwise, the mobile node MUST record the Home
 Nonce Index and home keygen token in the Binding Update List.  If the
 Binding Update List entry does not have a care-of keygen token, the
 mobile node SHOULD continue waiting for the Care-of Test message.
 Upon receiving a packet carrying a Care-of Test message, a mobile
 node MUST validate the packet according to the following tests:
 o  The Source Address of the packet belongs to a correspondent node
    for which the mobile node has a Binding Update List entry with a
    state indicating that return routability procedure is in progress.
    Note that there may be multiple such entries.
 o  The Binding Update List indicates that no care-of keygen token has
    been received yet.
 o  The Destination Address of the packet is the current care-of
    address of the mobile node.

Johnson, et al. Standard Track [Page 127] RFC 3775 Mobility Support in IPv6 June 2004

 o  The Care-of Init Cookie field in the message matches the value
    stored in the Binding Update List.
 Any Care-of Test message not satisfying all of these tests MUST be
 silently ignored.  Otherwise, the mobile node MUST record the Care-of
 Nonce Index and care-of keygen token in the Binding Update List.  If
 the Binding Update List entry does not have a home keygen token, the
 mobile node SHOULD continue waiting for the Home Test message.
 If after receiving either the Home Test or the Care-of Test message
 and performing the above actions, the Binding Update List entry has
 both the home and the care-of keygen tokens, the return routability
 procedure is complete.  The mobile node SHOULD then proceed with
 sending a Binding Update as described in Section 11.7.2.
 Correspondent nodes from the time before this specification was
 published may not support the Mobility Header protocol.  These nodes
 will respond to Home Test Init and Care-of Test Init messages with an
 ICMP Parameter Problem code 1.  The mobile node SHOULD take such
 messages as an indication that the correspondent node cannot provide
 route optimization, and revert back to the use of bidirectional
 tunneling.

11.6.3. Protecting Return Routability Packets

 The mobile node MUST support the protection of Home Test and Home
 Test Init messages as described in Section 10.4.6.
 When IPsec is used to protect return routability signaling or payload
 packets, the mobile node MUST set the source address it uses for the
 outgoing tunnel packets to the current primary care-of address.  The
 mobile node starts to use a new primary care-of address immediately
 after sending a Binding Update to the home agent to register this new
 address.

11.7. Processing Bindings

11.7.1. Sending Binding Updates to the Home Agent

 After deciding to change its primary care-of address as described in
 Section 11.5.1 and Section 11.5.2, a mobile node MUST register this
 care-of address with its home agent in order to make this its primary
 care-of address.
 Also, if the mobile node wants the services of the home agent beyond
 the current registration period, the mobile node should send a new
 Binding Update to it well before the expiration of this period, even
 if it is not changing its primary care-of address.  However, if the

Johnson, et al. Standard Track [Page 128] RFC 3775 Mobility Support in IPv6 June 2004

 home agent returned a Binding Acknowledgement for the current
 registration with Status field set to 1 (accepted but prefix
 discovery necessary), the mobile node should not try to register
 again before it has learned the validity of its home prefixes through
 mobile prefix discovery.  This is typically necessary every time this
 Status value is received, because information learned earlier may
 have changed.
 To register a care-of address or to extend the lifetime of an
 existing registration, the mobile node sends a packet to its home
 agent containing a Binding Update, with the packet constructed as
 follows:
 o  The Home Registration (H) bit MUST be set in the Binding Update.
 o  The Acknowledge (A) bit MUST be set in the Binding Update.
 o  The packet MUST contain a Home Address destination option, giving
    the mobile node's home address for the binding.
 o  The care-of address for the binding MUST be used as the Source
    Address in the packet's IPv6 header, unless an Alternate Care-of
    Address mobility option is included in the Binding Update.  This
    option MUST be included in all home registrations, as the ESP
    protocol will not be able to protect care-of addresses in the IPv6
    header.  (Mobile IPv6 implementations that know they are using
    IPsec AH to protect a particular message might avoid this option.
    For brevity the usage of AH is not discussed in this document.)
 o  If the mobile node's link-local address has the same interface
    identifier as the home address for which it is supplying a new
    care-of address, then the mobile node SHOULD set the Link-Local
    Address Compatibility (L) bit.
 o  If the home address was generated using RFC 3041 [18], then the
    link local address is unlikely to have a compatible interface
    identifier.  In this case, the mobile node MUST clear the Link-
    Local Address Compatibility (L) bit.
 o  If the IPsec security associations between the mobile node and the
    home agent have been established dynamically, and the mobile node
    has the capability to update its endpoint in the used key
    management protocol to the new care-of address every time it
    moves, the mobile node SHOULD set the Key Management Mobility
    Capability (K) bit in the Binding Update.  Otherwise, the mobile
    node MUST clear the bit.

Johnson, et al. Standard Track [Page 129] RFC 3775 Mobility Support in IPv6 June 2004

 o  The value specified in the Lifetime field MUST be non-zero and
    SHOULD be less than or equal to the remaining valid lifetime of
    the home address and the care-of address specified for the
    binding.
    Mobile nodes that use dynamic home agent address discovery should
    be careful with long lifetimes.  If the mobile node loses the
    knowledge of its binding with a specific home agent, registering a
    new binding with another home agent may be impossible as the
    previous home agent is still defending the existing binding.
    Therefore, to ensure that mobile nodes using home agent address
    discovery do not lose information about their binding, they SHOULD
    de-register before losing this information, or use small
    lifetimes.
 The Acknowledge (A) bit in the Binding Update requests the home agent
 to return a Binding Acknowledgement in response to this Binding
 Update.  As described in Section 6.1.8, the mobile node SHOULD
 retransmit this Binding Update to its home agent until it receives a
 matching Binding Acknowledgement.  Once reaching a retransmission
 timeout period of MAX_BINDACK_TIMEOUT, the mobile node SHOULD restart
 the process of delivering the Binding Update, but trying instead the
 next home agent returned during dynamic home agent address discovery
 (see Section 11.4.1).  If there was only one home agent, the mobile
 node instead SHOULD continue to periodically retransmit the Binding
 Update at this rate until acknowledged (or until it begins attempting
 to register a different primary care-of address).  See Section 11.8
 for information about retransmitting Binding Updates.
 With the Binding Update, the mobile node requests the home agent to
 serve as the home agent for the given home address.  Until the
 lifetime of this registration expires, the home agent considers
 itself the home agent for this home address.
 Each Binding Update MUST be authenticated as coming from the right
 mobile node, as defined in Section 5.1.  The mobile node MUST use its
 home address - either in the Home Address destination option or in
 the Source Address field of the IPv6 header - in Binding Updates sent
 to the home agent.  This is necessary in order to allow the IPsec
 policies to be matched with the correct home address.
 When sending a Binding Update to its home agent, the mobile node MUST
 also create or update the corresponding Binding Update List entry, as
 specified in Section 11.7.2.
 The last Sequence Number value sent to the home agent in a Binding
 Update is stored by the mobile node.  If the sending mobile node has
 no knowledge of the correct Sequence Number value, it may start at

Johnson, et al. Standard Track [Page 130] RFC 3775 Mobility Support in IPv6 June 2004

 any value.  If the home agent rejects the value, it sends back a
 Binding Acknowledgement with a status code 135, and the last accepted
 sequence number in the Sequence Number field of the Binding
 Acknowledgement.  The mobile node MUST store this information and use
 the next Sequence Number value for the next Binding Update it sends.
 If the mobile node has additional home addresses, then the mobile
 node SHOULD send an additional packet containing a Binding Update to
 its home agent to register the care-of address for each such other
 home address.
 The home agent will only perform DAD for the mobile node's home
 address when the mobile node has supplied a valid binding between its
 home address and a care-of address.  If some time elapses during
 which the mobile node has no binding at the home agent, it might be
 possible for another node to autoconfigure the mobile node's home
 address.  Therefore, the mobile node MUST treat the creation of a new
 binding with the home agent using an existing home address, the same
 as creation of a new home address.  In the unlikely event that the
 mobile node's home address is autoconfigured as the IPv6 address of
 another network node on the home network, the home agent will reply
 to the mobile node's subsequent Binding Update with a Binding
 Acknowledgement containing a Status of 134 (Duplicate Address
 Detection failed).  In this case, the mobile node MUST NOT attempt to
 re-use the same home address.  It SHOULD continue to register the
 care-of addresses for its other home addresses, if any.  (Mechanisms
 outlined in Appendix B.5 may in the future allow mobile nodes to
 acquire new home addresses to replace the one for which Status 134
 was received.)

11.7.2. Correspondent Registration

 When the mobile node is assured that its home address is valid, it
 can initiate a correspondent registration with the purpose of
 allowing the correspondent node to cache the mobile node's current
 care-of address.  This procedure consists of the return routability
 procedure followed by a registration.
 This section defines when the correspondent registration is to be
 initiated and the rules to follow while it is being performed.
 After the mobile node has sent a Binding Update to its home agent,
 registering a new primary care-of address (as described in Section
 11.7.1), the mobile node SHOULD initiate a correspondent registration
 for each node that already appears in the mobile node's Binding
 Update List.  The initiated procedures can be used to either update
 or delete binding information in the correspondent node.

Johnson, et al. Standard Track [Page 131] RFC 3775 Mobility Support in IPv6 June 2004

 For nodes that do not appear in the mobile node's Binding Update
 List, the mobile node MAY initiate a correspondent registration at
 any time after sending the Binding Update to its home agent.
 Considerations regarding when (and if) to initiate the procedure
 depend on the specific movement and traffic patterns of the mobile
 node and are outside the scope of this document.
 In addition, the mobile node MAY initiate the correspondent
 registration in response to receiving a packet that meets all of the
 following tests:
 o  The packet was tunneled using IPv6 encapsulation.
 o  The Destination Address in the tunnel (outer) IPv6 header is equal
    to any of the mobile node's care-of addresses.
 o  The Destination Address in the original (inner) IPv6 header is
    equal to one of the mobile node's home addresses.
 o  The Source Address in the tunnel (outer) IPv6 header differs from
    the Source Address in the original (inner) IPv6 header.
 o  The packet does not contain a Home Test, Home Test Init, Care-of
    Test, or Care-of Test Init message.
 If a mobile node has multiple home addresses, it becomes important to
 select the right home address to use in the correspondent
 registration.  The used home address MUST be the Destination Address
 of the original (inner) packet.
 The peer address used in the procedure MUST be determined as follows:
 o  If a Home Address destination option is present in the original
    (inner) packet, the address from this option is used.
 o  Otherwise, the Source Address in the original (inner) IPv6 header
    of the packet is used.
 Note that the validity of the original packet is checked before
 attempting to initiate a correspondent registration.  For instance,
 if a Home Address destination option appeared in the original packet,
 then rules in Section 9.3.1 are followed.
 A mobile node MAY also choose to keep its topological location
 private from certain correspondent nodes, and thus need not initiate
 the correspondent registration.

Johnson, et al. Standard Track [Page 132] RFC 3775 Mobility Support in IPv6 June 2004

 Upon successfully completing the return routability procedure, and
 after receiving a successful Binding Acknowledgement from the Home
 Agent, a Binding Update MAY be sent to the correspondent node.
 In any Binding Update sent by a mobile node, the care-of address
 (either the Source Address in the packet's IPv6 header or the Care-of
 Address in the Alternate Care-of Address mobility option of the
 Binding Update) MUST be set to one of the care-of addresses currently
 in use by the mobile node or to the mobile node's home address.  A
 mobile node MAY set the care-of address differently for sending
 Binding Updates to different correspondent nodes.
 A mobile node MAY also send a Binding Update to such a correspondent
 node, instructing it to delete any existing binding for the mobile
 node from its Binding Cache, as described in Section 6.1.7.  Even in
 this case a successful completion of the return routability procedure
 is required first.
 If the care-of address is not set to the mobile node's home address,
 the Binding Update requests that the correspondent node create or
 update an entry for the mobile node in the correspondent node's
 Binding Cache.  This is done in order to record a care-of address for
 use in sending future packets to the mobile node.  In this case, the
 value specified in the Lifetime field sent in the Binding Update
 SHOULD be less than or equal to the remaining lifetime of the home
 registration and the care-of address specified for the binding.  The
 care-of address given in the Binding Update MAY differ from the
 mobile node's primary care-of address.
 If the Binding Update is sent to the correspondent node, requesting
 the deletion of any existing Binding Cache entry it has for the
 mobile node, the care-of address is set to the mobile node's home
 address and the Lifetime field set to zero.  In this case, generation
 of the binding management key depends exclusively on the home keygen
 token (Section 5.2.5).  The care-of nonce index SHOULD be set to zero
 in this case.  In keeping with the Binding Update creation rules
 below, the care-of address MUST be set to the home address if the
 mobile node is at home, or to the current care-of address if it is
 away from home.
 If the mobile node wants to ensure that its new care-of address has
 been entered into a correspondent node's Binding Cache, the mobile
 node needs to request an acknowledgement by setting the Acknowledge
 (A) bit in the Binding Update.

Johnson, et al. Standard Track [Page 133] RFC 3775 Mobility Support in IPv6 June 2004

 A Binding Update is created as follows:
 o  The current care-of address of the mobile node MUST be sent either
    in the Source Address of the IPv6 header, or in the Alternate
    Care-of Address mobility option.
 o  The Destination Address of the IPv6 header MUST contain the
    address of the correspondent node.
 o  The Mobility Header is constructed according to rules in Section
    6.1.7 and Section 5.2.6, including the Binding Authorization Data
    (calculated as defined in Section 6.2.7) and possibly the Nonce
    Indices mobility options.
 o  The home address of the mobile node MUST be added to the packet in
    a Home Address destination option, unless the Source Address is
    the home address.
 Each Binding Update MUST have a Sequence Number greater than the
 Sequence Number value sent in the previous Binding Update to the same
 destination address (if any).  The sequence numbers are compared
 modulo 2**16, as described in Section 9.5.1.  There is no
 requirement, however, that the Sequence Number value strictly
 increase by 1 with each new Binding Update sent or received, as long
 as the value stays within the window.  The last Sequence Number value
 sent to a destination in a Binding Update is stored by the mobile
 node in its Binding Update List entry for that destination.  If the
 sending mobile node has no Binding Update List entry, the Sequence
 Number SHOULD start at a random value.  The mobile node MUST NOT use
 the same Sequence Number in two different Binding Updates to the same
 correspondent node, even if the Binding Updates provide different
 care-of addresses.
 The mobile node is responsible for the completion of the
 correspondent registration, as well as any retransmissions that may
 be needed (subject to the rate limitation defined in Section 11.8).

11.7.3. Receiving Binding Acknowledgements

 Upon receiving a packet carrying a Binding Acknowledgement, a mobile
 node MUST validate the packet according to the following tests:
 o  The packet meets the authentication requirements for Binding
    Acknowledgements defined in Section 6.1.8 and Section 5.  That is,
    if the Binding Update was sent to the home agent, underlying IPsec
    protection is used.  If the Binding Update was sent to the
    correspondent node, the Binding Authorization Data mobility option
    MUST be present and have a valid value.

Johnson, et al. Standard Track [Page 134] RFC 3775 Mobility Support in IPv6 June 2004

 o  The Binding Authorization Data mobility option, if present, MUST
    be the last option and MUST not have trailing padding.
 o  The Sequence Number field matches the Sequence Number sent by the
    mobile node to this destination address in an outstanding Binding
    Update.
 Any Binding Acknowledgement not satisfying all of these tests MUST be
 silently ignored.
 When a mobile node receives a packet carrying a valid Binding
 Acknowledgement, the mobile node MUST examine the Status field as
 follows:
 o  If the Status field indicates that the Binding Update was accepted
    (the Status field is less than 128), then the mobile node MUST
    update the corresponding entry in its Binding Update List to
    indicate that the Binding Update has been acknowledged; the mobile
    node MUST then stop retransmitting the Binding Update.  In
    addition, if the value specified in the Lifetime field in the
    Binding Acknowledgement is less than the Lifetime value sent in
    the Binding Update being acknowledged, the mobile node MUST
    subtract the difference between these two Lifetime values from the
    remaining lifetime for the binding as maintained in the
    corresponding Binding Update List entry (with a minimum value for
    the Binding Update List entry lifetime of 0).  That is, if the
    Lifetime value sent in the Binding Update was L_update, the
    Lifetime value received in the Binding Acknowledgement was L_ack,
    and the current remaining lifetime of the Binding Update List
    entry is L_remain, then the new value for the remaining lifetime
    of the Binding Update List entry should be
       max((L_remain - (L_update - L_ack)), 0)
    where max(X, Y) is the maximum of X and Y.  The effect of this
    step is to correctly manage the mobile node's view of the
    binding's remaining lifetime (as maintained in the corresponding
    Binding Update List entry) so that it correctly counts down from
    the Lifetime value given in the Binding Acknowledgement, but with
    the timer countdown beginning at the time that the Binding Update
    was sent.
    Mobile nodes SHOULD send a new Binding Update well before the
    expiration of this period in order to extend the lifetime.  This
    helps to avoid disruptions in communications which might otherwise
    be caused by network delays or clock drift.

Johnson, et al. Standard Track [Page 135] RFC 3775 Mobility Support in IPv6 June 2004

 o  Additionally, if the Status field value is 1 (accepted but prefix
    discovery necessary), the mobile node SHOULD send a Mobile Prefix
    Solicitation message to update its information about the available
    prefixes.
 o  If the Status field indicates that the Binding Update was rejected
    (the Status field is greater than or equal to 128), then the
    mobile node can take steps to correct the cause of the error and
    retransmit the Binding Update (with a new Sequence Number value),
    subject to the rate limiting restriction specified in Section
    11.8.  If this is not done or it fails, then the mobile node
    SHOULD record in its Binding Update List that future Binding
    Updates SHOULD NOT be sent to this destination.
 The treatment of a Binding Refresh Advice mobility option within the
 Binding Acknowledgement depends on where the acknowledgement came
 from.  This option MUST be ignored if the acknowledgement came from a
 correspondent node.  If it came from the home agent, the mobile node
 uses the Refresh Interval field in the option as a suggestion that it
 SHOULD attempt to refresh its home registration at the indicated
 shorter interval.
 If the acknowledgement came from the home agent, the mobile node
 examines the value of the Key Management Mobility Capability (K) bit.
 If this bit is not set, the mobile node SHOULD discard key management
 protocol connections, if any, to the home agent.  The mobile node MAY
 also initiate a new key management connection.
 If this bit is set, the mobile node SHOULD move its own endpoint in
 the key management protocol connections to the home agent, if any.
 The mobile node's new endpoint should be the new care-of address.
 For an IKE phase 1 connection, this means that packets sent to this
 address with the original ISAKMP cookies are accepted.

11.7.4. Receiving Binding Refresh Requests

 When a mobile node receives a packet containing a Binding Refresh
 Request message, the mobile node has a Binding Update List entry for
 the source of the Binding Refresh Request, and the mobile node wants
 to retain its binding cache entry at the correspondent node, then the
 mobile node should start a return routability procedure.  If the
 mobile node wants to have its binding cache entry removed, it can
 either ignore the Binding Refresh Request and wait for the binding to
 time out, or at any time, it can delete its binding from a
 correspondent node with an explicit binding update with a zero
 lifetime and the care-of address set to the home address.  If the

Johnson, et al. Standard Track [Page 136] RFC 3775 Mobility Support in IPv6 June 2004

 mobile node does not know if it needs the binding cache entry, it can
 make the decision in an implementation dependent manner, such as
 based on available resources.
 Note that the mobile node should be careful to not respond to Binding
 Refresh Requests for addresses not in the Binding Update List to
 avoid being subjected to a denial of service attack.
 If the return routability procedure completes successfully, a Binding
 Update message SHOULD be sent, as described in Section 11.7.2.  The
 Lifetime field in this Binding Update SHOULD be set to a new
 lifetime, extending any current lifetime remaining from a previous
 Binding Update sent to this node (as indicated in any existing
 Binding Update List entry for this node), and the lifetime SHOULD
 again be less than or equal to the remaining lifetime of the home
 registration and the care-of address specified for the binding.  When
 sending this Binding Update, the mobile node MUST update its Binding
 Update List in the same way as for any other Binding Update sent by
 the mobile node.

11.8. Retransmissions and Rate Limiting

 The mobile node is responsible for retransmissions and rate limiting
 in the return routability procedure, registrations, and in solicited
 prefix discovery.
 When the mobile node sends a Mobile Prefix Solicitation, Home Test
 Init, Care-of Test Init or Binding Update for which it expects a
 response, the mobile node has to determine a value for the initial
 retransmission timer:
 o  If the mobile node is sending a Mobile Prefix Solicitation, it
    SHOULD use an initial retransmission interval of
    INITIAL_SOLICIT_TIMER (see Section 12).
 o  If the mobile node is sending a Binding Update and does not have
    an existing binding at the home agent, it SHOULD use
    InitialBindackTimeoutFirstReg (see Section 13) as a value for the
    initial retransmission timer.  This long retransmission interval
    will allow the home agent to complete the Duplicate Address
    Detection procedure mandated in this case, as detailed in Section
    11.7.1.
 o  Otherwise, the mobile node should use the specified value of
    INITIAL_BINDACK_TIMEOUT for the initial retransmission timer.

Johnson, et al. Standard Track [Page 137] RFC 3775 Mobility Support in IPv6 June 2004

 If the mobile node fails to receive a valid matching response within
 the selected initial retransmission interval, the mobile node SHOULD
 retransmit the message until a response is received.
 The retransmissions by the mobile node MUST use an exponential back-
 off process in which the timeout period is doubled upon each
 retransmission, until either the node receives a response or the
 timeout period reaches the value MAX_BINDACK_TIMEOUT.  The mobile
 node MAY continue to send these messages at this slower rate
 indefinitely.
 The mobile node SHOULD start a separate back-off process for
 different message types, different home addresses and different
 care-of addresses.  However, in addition an overall rate limitation
 applies for messages sent to a particular correspondent node.  This
 ensures that the correspondent node has a sufficient amount of time
 to respond when bindings for multiple home addresses are registered,
 for instance.  The mobile node MUST NOT send Mobility Header messages
 of a particular type to a particular correspondent node more than
 MAX_UPDATE_RATE times within a second.
 Retransmitted Binding Updates MUST use a Sequence Number value
 greater than that used for the previous transmission of this Binding
 Update.  Retransmitted Home Test Init and Care-of Test Init messages
 MUST use new cookie values.

12. Protocol Constants

 DHAAD_RETRIES                   4 retransmissions
 INITIAL_BINDACK_TIMEOUT         1 second
 INITIAL_DHAAD_TIMEOUT           3 seconds
 INITIAL_SOLICIT_TIMER           3 seconds
 MAX_BINDACK_TIMEOUT             32 seconds
 MAX_NONCE_LIFETIME              240 seconds
 MAX_TOKEN_LIFETIME              210 seconds
 MAX_RR_BINDING_LIFETIME         420 seconds
 MAX_UPDATE_RATE                 3 times
 PREFIX_ADV_RETRIES              3 retransmissions
 PREFIX_ADV_TIMEOUT              3 seconds

13. Protocol Configuration Variables

 MaxMobPfxAdvInterval            Default: 86,400 seconds
 MinDelayBetweenRAs              Default: 3 seconds,
                                 Min: 0.03 seconds
 MinMobPfxAdvInterval            Default: 600 seconds
 InitialBindackTimeoutFirstReg   Default: 1.5 seconds

Johnson, et al. Standard Track [Page 138] RFC 3775 Mobility Support in IPv6 June 2004

 Home agents MUST allow the first three variables to be configured by
 system management, and mobile nodes MUST allow the last variable to
 be configured by system management.
 The default value for InitialBindackTimeoutFirstReg has been
 calculated as 1.5 times the default value of RetransTimer [12] times
 the default value of DupAddrDetectTransmits [13].
 The value MinDelayBetweenRAs overrides the value of the protocol
 constant MIN_DELAY_BETWEEN_RAS, as specified in RFC 2461 [12].  This
 variable SHOULD be set to MinRtrAdvInterval, if MinRtrAdvInterval is
 less than 3 seconds.

14. IANA Considerations

 This document defines a new IPv6 protocol, the Mobility Header,
 described in Section 6.1.  This protocol has been assigned protocol
 number 135.
 This document also creates a new name space "Mobility Header Type",
 for the MH Type field in the Mobility Header.  The current message
 types are described starting from Section 6.1.2, and are the
 following:
    0  Binding Refresh Request
    1  Home Test Init
    2  Care-of Test Init
    3  Home Test
    4  Care-of Test
    5  Binding Update
    6  Binding Acknowledgement
    7  Binding Error
 Future values of the MH Type can be allocated using Standards Action
 or IESG Approval [10].
 Furthermore, each mobility message may contain mobility options as
 described in Section 6.2.  This document defines a new name space
 "Mobility Option" to identify these options.  The current mobility
 options are defined starting from Section 6.2.2 and are the
 following:

Johnson, et al. Standard Track [Page 139] RFC 3775 Mobility Support in IPv6 June 2004

    0  Pad1
    1  PadN
    2  Binding Refresh Advice
    3  Alternate Care-of Address
    4  Nonce Indices
    5  Authorization Data
 Future values of the Option Type can be allocated using Standards
 Action or IESG Approval [10].
 Finally, this document creates a third new name space "Status Code"
 for the Status field in the Binding Acknowledgement message. The
 current values are described in Section 6.1.8, and are the following:
      0 Binding Update accepted
      1 Accepted but prefix discovery necessary
    128 Reason unspecified
    129 Administratively prohibited
    130 Insufficient resources
    131 Home registration not supported
    132 Not home subnet
    133 Not home agent for this mobile node
    134 Duplicate Address Detection failed
    135 Sequence number out of window
    136 Expired home nonce index
    137 Expired care-of nonce index
    138 Expired nonces
    139 Registration type change disallowed

Johnson, et al. Standard Track [Page 140] RFC 3775 Mobility Support in IPv6 June 2004

 Future values of the Status field can be allocated using Standards
 Action or IESG Approval [10].
 All fields labeled "Reserved" are only to be assigned through
 Standards Action or IESG Approval.
 This document also defines a new IPv6 destination option, the Home
 Address option, described in Section 6.3.  This option has been
 assigned the Option Type value 0xC9.
 This document also defines a new IPv6 type 2 routing header,
 described in Section 6.4.  The value 2 has been allocated by IANA.
 In addition, this document defines four ICMP message types, two used
 as part of the dynamic home agent address discovery mechanism, and
 two used in lieu of Router Solicitations and Advertisements when the
 mobile node is away from the home link.  These messages have been
 assigned ICMPv6 type numbers from the informational message range:
 o  The Home Agent Address Discovery Request message, described in
    Section 6.5;
 o  The Home Agent Address Discovery Reply message, described in
    Section 6.6;
 o  The Mobile Prefix Solicitation, described in Section 6.7; and
 o  The Mobile Prefix Advertisement, described in Section 6.8.
 This document also defines two new Neighbor Discovery [12] options,
 which have been assigned Option Type values within the option
 numbering space for Neighbor Discovery messages:
 o  The Advertisement Interval option, described in Section 7.3; and
 o  The Home Agent Information option, described in Section 7.4.

Johnson, et al. Standard Track [Page 141] RFC 3775 Mobility Support in IPv6 June 2004

15. Security Considerations

15.1. Threats

 Any mobility solution must protect itself against misuses of the
 mobility features and mechanisms.  In Mobile IPv6, most of the
 potential threats are concerned with false Bindings, usually
 resulting in Denial-of-Service attacks.  Some of the threats also
 pose potential for Man-in-the-Middle, Hijacking, Confidentiality, and
 Impersonation attacks.  The main threats this protocol protects
 against are the following:
 o  Threats involving Binding Updates sent to home agents and
    correspondent nodes.  For instance, an attacker might claim that a
    certain mobile node is currently at a different location than it
    really is.  If a home agent accepts such spoofed information sent
    to it, the mobile node might not get traffic destined to it.
    Similarly, a malicious (mobile) node might use the home address of
    a victim node in a forged Binding Update sent to a correspondent
    node.
    These pose threats against confidentiality, integrity, and
    availability.  That is, an attacker might learn the contents of
    packets destined to another node by redirecting the traffic to
    itself.  Furthermore, an attacker might use the redirected packets
    in an attempt to set itself as a Man-in-the-Middle between a
    mobile and a correspondent node.  This would allow the attacker to
    impersonate the mobile node, leading to integrity and availability
    problems.
    A malicious (mobile) node might also send Binding Updates in which
    the care-of address is set to the address of a victim node.  If
    such Binding Updates were accepted, the malicious node could lure
    the correspondent node into sending potentially large amounts of
    data to the victim; the correspondent node's replies to messages
    sent by the malicious mobile node will be sent to the victim host
    or network.  This could be used to cause a Distributed Denial-of-
    Service attack.  For example, the correspondent node might be a
    site that will send a high-bandwidth stream of video to anyone who
    asks for it.  Note that the use of flow-control protocols such as
    TCP does not necessarily defend against this type of attack,
    because the attacker can fake the acknowledgements.  Even keeping
    TCP initial sequence numbers secret does not help, because the
    attacker can receive the first few segments (including the ISN) at
    its own address, and only then redirect the stream to the victim's
    address.  These types of attacks may also be directed to networks
    instead of nodes.  Further variations of this threat are described
    elsewhere [27, 34].

Johnson, et al. Standard Track [Page 142] RFC 3775 Mobility Support in IPv6 June 2004

    An attacker might also attempt to disrupt a mobile node's
    communications by replaying a Binding Update that the node had
    sent earlier.  If the old Binding Update was accepted, packets
    destined for the mobile node would be sent to its old location as
    opposed to its current location.
    In conclusion, there are Denial-of-Service, Man-in-the-Middle,
    Confidentiality, and Impersonation threats against the parties
    involved in sending legitimate Binding Updates, and Denial-of-
    Service threats against any other party.
 o  Threats associated with payload packets: Payload packets exchanged
    with mobile nodes are exposed to similar threats as that of
    regular IPv6 traffic.  However, Mobile IPv6 introduces the Home
    Address destination option, a new routing header type (type 2),
    and uses tunneling headers in the payload packets.  The protocol
    must protect against potential new threats involving the use of
    these mechanisms.
    Third parties become exposed to a reflection threat via the Home
    Address destination option, unless appropriate security
    precautions are followed.  The Home Address destination option
    could be used to direct response traffic toward a node whose IP
    address appears in the option.  In this case, ingress filtering
    would not catch the forged "return address" [36, 32].
    A similar threat exists with the tunnels between the mobile node
    and the home agent.  An attacker might forge tunnel packets
    between the mobile node and the home agent, making it appear that
    the traffic is coming from the mobile node when it is not.  Note
    that an attacker who is able to forge tunnel packets would
    typically also be able to forge packets that appear to come
    directly from the mobile node.  This is not a new threat as such.
    However, it may make it easier for attackers to escape detection
    by avoiding ingress filtering and packet tracing mechanisms.
    Furthermore, spoofed tunnel packets might be used to gain access
    to the home network.
    Finally, a routing header could also be used in reflection
    attacks, and in attacks designed to bypass firewalls.  The
    generality of the regular routing header would allow circumvention
    of IP-address based rules in firewalls.  It would also allow
    reflection of traffic to other nodes.  These threats exist with
    routing headers in general, even if the usage that Mobile IPv6
    requires is safe.
 o  Threats associated with dynamic home agent and mobile prefix
    discovery.

Johnson, et al. Standard Track [Page 143] RFC 3775 Mobility Support in IPv6 June 2004

 o  Threats against the Mobile IPv6 security mechanisms themselves: An
    attacker might, for instance, lure the participants into executing
    expensive cryptographic operations or allocating memory for the
    purpose of keeping state.  The victim node would have no resources
    left to handle other tasks.
 As a fundamental service in an IPv6 stack, Mobile IPv6 is expected to
 be deployed in most nodes of the IPv6 Internet.  The above threats
 should therefore be considered as being applicable to the whole
 Internet.
 It should also be noted that some additional threats result from
 movements as such, even without the involvement of mobility
 protocols.  Mobile nodes must be capable to defend themselves in the
 networks that they visit, as typical perimeter defenses applied in
 the home network no longer protect them.

15.2. Features

 This specification provides a series of features designed to mitigate
 the risk introduced by the threats listed above.  The main security
 features are the following:
 o  Reverse Tunneling as a mandatory feature.
 o  Protection of Binding Updates sent to home agents.
 o  Protection of Binding Updates sent to correspondent nodes.
 o  Protection against reflection attacks that use the Home Address
    destination option.
 o  Protection of tunnels between the mobile node and the home agent.
 o  Closing routing header vulnerabilities.
 o  Mitigating Denial-of-Service threats to the Mobile IPv6 security
    mechanisms themselves.
 The support for encrypted reverse tunneling (see Section 11.3.1)
 allows mobile nodes to defeat certain kinds of traffic analysis.
 Protecting those Binding Updates that are sent to home agents and
 those that are sent to arbitrary correspondent nodes requires very
 different security solutions due to the different situations.  Mobile
 nodes and home agents are naturally expected to be subject to the
 network administration of the home domain.

Johnson, et al. Standard Track [Page 144] RFC 3775 Mobility Support in IPv6 June 2004

 Thus, they can and are supposed to have a security association that
 can be used to reliably authenticate the exchanged messages.  See
 Section 5.1 for the description of the protocol mechanisms, and
 Section 15.3 below for a discussion of the resulting level of
 security.
 It is expected that Mobile IPv6 route optimization will be used on a
 global basis between nodes belonging to different administrative
 domains.  It would be a very demanding task to build an
 authentication infrastructure on this scale.  Furthermore, a
 traditional authentication infrastructure cannot be easily used to
 authenticate IP addresses because IP addresses can change often.  It
 is not sufficient to just authenticate the mobile nodes;
 Authorization to claim the right to use an address is needed as well.
 Thus, an "infrastructureless" approach is necessary.  The chosen
 infrastructureless method is described in Section 5.2, and Section
 15.4 discusses the resulting security level and the design rationale
 of this approach.
 Specific rules guide the use of the Home Address destination option,
 the routing header, and the tunneling headers in the payload packets.
 These rules are necessary to remove the vulnerabilities associated
 with their unrestricted use.  The effect of the rules is discussed in
 Section 15.7, Section 15.8, and Section 15.9.
 Denial-of-Service threats against Mobile IPv6 security mechanisms
 themselves concern mainly the Binding Update procedures with
 correspondent nodes.  The protocol has been designed to limit the
 effects of such attacks, as will be described in Section 15.4.5.

15.3. Binding Updates to Home Agent

 Signaling between the mobile node and the home agent requires message
 integrity.  This is necessary to assure the home agent that a Binding
 Update is from a legitimate mobile node.  In addition, correct
 ordering and anti-replay protection are optionally needed.
 IPsec ESP protects the integrity of the Binding Updates and Binding
 Acknowledgements by securing mobility messages between the mobile
 node and the home agent.
 IPsec can provide anti-replay protection only if dynamic keying is
 used (which may not always be the case).  IPsec does not guarantee
 correct ordering of packets, only that they have not been replayed.
 Because of this, sequence numbers within the Mobile IPv6 messages are
 used to ensure correct ordering (see Section 5.1).  However, if the
 16 bit Mobile IPv6 sequence number space is cycled through, or the
 home agent reboots and loses its state regarding the sequence

Johnson, et al. Standard Track [Page 145] RFC 3775 Mobility Support in IPv6 June 2004

 numbers, replay and reordering attacks become possible.  The use of
 dynamic keying, IPsec anti-replay protection, and the Mobile IPv6
 sequence numbers can together prevent such attacks.  It is also
 recommended that use of non-volatile storage be considered for home
 agents, to avoid losing their state.
 A sliding window scheme is used for the sequence numbers.  The
 protection against replays and reordering attacks without a key
 management mechanism works when the attacker remembers up to a
 maximum of 2**15 Binding Updates.
 The above mechanisms do not show that the care-of address given in
 the Binding Update is correct.  This opens the possibility for
 Denial-of-Service attacks against third parties.  However, since the
 mobile node and home agent have a security association, the home
 agent can always identify an ill-behaving mobile node.  This allows
 the home agent operator to discontinue the mobile node's service, and
 possibly take further actions based on the business relationship with
 the mobile node's owner.
 Note that the use of a single pair of manually keyed security
 associations conflicts with the generation of a new home address [18]
 for the mobile node, or with the adoption of a new home subnet
 prefix.  This is because IPsec security associations are bound to the
 used addresses.  While certificate-based automatic keying alleviates
 this problem to an extent, it is still necessary to ensure that a
 given mobile node cannot send Binding Updates for the address of
 another mobile node.  In general, this leads to the inclusion of home
 addresses in certificates in the Subject AltName field.  This again
 limits the introduction of new addresses without either manual or
 automatic procedures to establish new certificates.  Therefore, this
 specification restricts the generation of new home addresses (for any
 reason) to those situations where a security association or
 certificate for the new address already exists.  (Appendix B.4 lists
 the improvement of security for new addresses as one of the future
 developments for Mobile IPv6.)
 Support for IKE has been specified as optional.  The following should
 be observed about the use of manual keying:
 o  As discussed above, with manually keyed IPsec, only a limited form
    of protection exists against replay and reordering attacks.  A
    vulnerability exists if either the sequence number space is cycled
    through, or if the home agent reboots and forgets its sequence
    numbers (and uses volatile memory to store the sequence numbers).
    Assuming the mobile node moves continuously every 10 minutes, it

Johnson, et al. Standard Track [Page 146] RFC 3775 Mobility Support in IPv6 June 2004

    takes roughly 455 days before the sequence number space has been
    cycled through.  Typical movement patterns rarely reach this high
    frequency today.
 o  A mobile node and its home agent belong to the same domain.  If
    this were not the case, manual keying would not be possible [28],
    but in Mobile IPv6 only these two parties need to know the
    manually configured keys.  Similarly, we note that Mobile IPv6
    employs standard block ciphers in IPsec, and is not vulnerable to
    problems associated with stream ciphers and manual keying.
 o  It is expected that the owner of the mobile node and the
    administrator of the home agent agree on the used keys and other
    parameters with some off-line mechanism.
 The use of IKEv1 with Mobile IPv6 is documented in more detail in
 [21].  The following should be observed from the use of IKEv1:
 o  It is necessary to prevent a mobile node from claiming another
    mobile node's home address.  The home agent must verify that the
    mobile node trying to negotiate the SA for a particular home
    address is authorized for that home address.  This implies that
    even with the use of IKE, a policy entry needs to be configured
    for each home address served by the home agent.
    It may be possible to include home addresses in the Subject
    AltName field of certificate to avoid this.  However,
    implementations are not guaranteed to support the use of a
    particular IP address (care-of address) while another address
    (home address) appears in the certificate.  In any case, even this
    approach would require user-specific tasks in the certificate
    authority.
 o  If preshared secret authentication is used, IKEv1 main mode cannot
    be used.  Aggressive mode or group preshared secrets need to be
    used with corresponding security implications instead.
    Note that, like many other issues, this is a general IKEv1 issue
    related to the ability to use different IP addresses, and not
    specifically related to Mobile IPv6.  For further information, see
    Section 4.4 in [21].
 o  Due to the problems outlined in Section 11.3.2, IKE phase 1
    between the mobile node and its home agent is established using
    the mobile node's current care-of address.  This implies that when
    the mobile node moves to a new location, it may have to re-
    establish phase 1.  A Key Management Mobility Capability (K) flag

Johnson, et al. Standard Track [Page 147] RFC 3775 Mobility Support in IPv6 June 2004

    is provided for implementations that can update the IKE phase 1
    endpoints without re-establishing phase 1, but the support for
    this behavior is optional.
 o  When certificates are used, IKE fragmentation can occur as
    discussed in Section 7 in [21].
 o  Nevertheless, even if per-mobile node configuration is required
    with IKE, an important benefit of IKE is that it automates the
    negotiation of cryptographic parameters, including the SPIs,
    cryptographic algorithms, and so on.  Thus, less configuration
    information is needed.
 o  The frequency of movements in some link layers or deployment
    scenarios may be high enough to make replay and reordering attacks
    possible, if only manual keying is used.  IKE SHOULD be used in
    such cases.  Potentially vulnerable scenarios involve continuous
    movement through small cells, or uncontrolled alternation between
    available network attachment points.
 o  Similarly, in some deployment scenarios the number of mobile nodes
    may be very large.  In these cases, it can be necessary to use
    automatic mechanisms to reduce the management effort in the
    administration of cryptographic parameters, even if some per-
    mobile node configuration is always needed.  IKE SHOULD also be
    used in such cases.
 o  Other automatic key management mechanisms exist beyond IKEv1, but
    this document does not address the issues related to them.  We
    note, however, that most of the above discussion applies to IKEv2
    [30] as well, at least as it is currently specified.

15.4. Binding Updates to Correspondent Nodes

 The motivation for designing the return routability procedure was to
 have sufficient support for Mobile IPv6, without creating significant
 new security problems.  The goal for this procedure was not to
 protect against attacks that were already possible before the
 introduction of Mobile IPv6.
 The next sections will describe the security properties of the used
 method, both from the point of view of possible on-path attackers who
 can see those cryptographic values that have been sent in the clear
 (Section 15.4.2 and Section 15.4.3) and from the point of view of
 other attackers (Section 15.4.6).

Johnson, et al. Standard Track [Page 148] RFC 3775 Mobility Support in IPv6 June 2004

15.4.1. Overview

 The chosen infrastructureless method verifies that the mobile node is
 "live" (that is, it responds to probes) at its home and care-of
 addresses.  Section 5.2 describes the return routability procedure in
 detail.  The procedure uses the following principles:
 o  A message exchange verifies that the mobile node is reachable at
    its addresses, i.e., is at least able to transmit and receive
    traffic at both the home and care-of addresses.
 o  The eventual Binding Update is cryptographically bound to the
    tokens supplied in the exchanged messages.
 o  Symmetric exchanges are employed to avoid the use of this protocol
    in reflection attacks.  In a symmetric exchange, the responses are
    always sent to the same address the request was sent from.
 o  The correspondent node operates in a stateless manner until it
    receives a fully authorized Binding Update.
 o  Some additional protection is provided by encrypting the tunnels
    between the mobile node and home agent with IPsec ESP.  As the
    tunnel also transports the nonce exchanges, the ability of
    attackers to see these nonces is limited.  For instance, this
    prevents attacks from being launched from the mobile node's
    current foreign link, even when no link-layer confidentiality is
    available.
    The resulting level of security is in theory the same even without
    this additional protection: the return routability tokens are
    still exposed only to one path within the whole Internet.
    However, the mobile nodes are often found on an insecure link,
    such as a public access Wireless LAN.  Thus, in many cases, this
    addition makes a practical difference.
 For further information about the design rationale of the return
 routability procedure, see [27, 34, 33, 32].  The mechanisms used
 have been adopted from these documents.

15.4.2. Achieved Security Properties

 The return routability procedure protects Binding Updates against all
 attackers who are unable to monitor the path between the home agent
 and the correspondent node.  The procedure does not defend against
 attackers who can monitor this path.  Note that such attackers are in
 any case able to mount an active attack against the mobile node when

Johnson, et al. Standard Track [Page 149] RFC 3775 Mobility Support in IPv6 June 2004

 it is at its home location.  The possibility of such attacks is not
 an impediment to the deployment of Mobile IPv6 because these attacks
 are possible regardless of whether or not Mobile IPv6 is in use.
 This procedure also protects against Denial-of-Service attacks in
 which the attacker pretends to be mobile, but uses the victim's
 address as the care-of address.  This would cause the correspondent
 node to send the victim some unexpected traffic.  This procedure
 defends against these attacks by requiring at least the passive
 presence of the attacker at the care-of address or on the path from
 the correspondent to the care-of address.  Normally, this will be the
 mobile node.

15.4.3. Comparison to Regular IPv6 Communications

 This section discusses the protection offered by the return
 routability method by comparing it to the security of regular IPv6
 communications.  We will divide vulnerabilities into three classes:
 (1) those related to attackers on the local network of the mobile
 node, home agent, or the correspondent node, (2) those related to
 attackers on the path between the home network and the correspondent
 node, and (3) off-path attackers, i.e., the rest of the Internet.
 We will now discuss the vulnerabilities of regular IPv6
 communications.  The on-link vulnerabilities of IPv6 communications
 include Denial-of-Service, Masquerading, Man-in-the-Middle,
 Eavesdropping, and other attacks.  These attacks can be launched
 through spoofing Router Discovery, Neighbor Discovery and other IPv6
 mechanisms.  Some of these attacks can be prevented with the use of
 cryptographic protection in the packets.
 A similar situation exists with on-path attackers.  That is, without
 cryptographic protection, the traffic is completely vulnerable.
 Assuming that attackers have not penetrated the security of the
 Internet routing protocols, attacks are much harder to launch from
 off-path locations.  Attacks that can be launched from these
 locations are mainly Denial-of-Service attacks, such as flooding and/
 or reflection attacks.  It is not possible for an off-path attacker
 to become a Man-in-the-Middle.
 Next, we will consider the vulnerabilities that exist when IPv6 is
 used together with Mobile IPv6 and the return routability procedure.
 On the local link, the vulnerabilities are the same as those in IPv6,
 but Masquerade and Man-in-the-Middle attacks can now also be launched
 against future communications, and not just against current
 communications.  If a Binding Update was sent while the attacker was
 present on the link, its effects remain for the lifetime of the

Johnson, et al. Standard Track [Page 150] RFC 3775 Mobility Support in IPv6 June 2004

 binding.  This happens even if the attacker moves away from the link.
 In contrast, an attacker who uses only plain IPv6 generally has to
 stay on the link in order to continue the attack.  Note that in order
 to launch these new attacks, the IP address of the victim must be
 known.  This makes this attack feasible, mainly in the context of
 well-known interface IDs, such as those already appearing in the
 traffic on the link or registered in the DNS.
 On-path attackers can exploit similar vulnerabilities as in regular
 IPv6.  There are some minor differences, however.  Masquerade, Man-
 in-the-Middle, and Denial-of-Service attacks can be launched with
 just the interception of a few packets, whereas in regular IPv6 it is
 necessary to intercept every packet.  The effect of the attacks is
 the same regardless of the method, however.  In any case, the most
 difficult task an attacker faces in these attacks is getting on the
 right path.
 The vulnerabilities for off-path attackers are the same as in regular
 IPv6.  Those nodes that are not on the path between the home agent
 and the correspondent node will not be able to receive the home
 address probe messages.
 In conclusion, we can state the following main results from this
 comparison:
 o  Return routability prevents any off-path attacks beyond those that
    are already possible in regular IPv6.  This is the most important
    result, preventing attackers on the Internet from exploiting any
    vulnerabilities.
 o  Vulnerabilities to attackers on the home agent link, the
    correspondent node link, and the path between them are roughly the
    same as in regular IPv6.
 o  However, one difference is that in basic IPv6 an on-path attacker
    must be constantly present on the link or the path, whereas with
    Mobile IPv6, an attacker can leave a binding behind after moving
    away.
    For this reason, this specification limits the creation of
    bindings to at most MAX_TOKEN_LIFETIME seconds after the last
    routability check has been performed, and limits the duration of a
    binding to at most MAX_RR_BINDING_LIFETIME seconds.  With these
    limitations, attackers cannot take any practical advantages of
    this vulnerability.

Johnson, et al. Standard Track [Page 151] RFC 3775 Mobility Support in IPv6 June 2004

 o  There are some other minor differences, such as an effect to the
    Denial-of-Service vulnerabilities.  These can be considered to be
    insignificant.
 o  The path between the home agent and a correspondent node is
    typically easiest to attack on the links at either end, in
    particular if these links are publicly accessible wireless LANs.
    Attacks against the routers or switches on the path are typically
    harder to accomplish.  The security on layer 2 of the links plays
    then a major role in the resulting overall network security.
    Similarly, security of IPv6 Neighbor and Router Discovery on these
    links has a large impact.  If these were secured using some new
    technology in the future, this could change the situation
    regarding the easiest point of attack.
 For a more in-depth discussion of these issues, see [32].

15.4.4. Replay Attacks

 The return routability procedure also protects the participants
 against replayed Binding Updates.  The attacker is unable replay the
 same message due to the sequence number which is a part of the
 Binding Update.  It is also unable to modify the Binding Update since
 the MAC verification would fail after such a modification.
 Care must be taken when removing bindings at the correspondent node,
 however.  If a binding is removed while the nonce used in its
 creation is still valid, an attacker could replay the old Binding
 Update.  Rules outlined in Section 5.2.8 ensure that this cannot
 happen.

15.4.5. Denial-of-Service Attacks

 The return routability procedure has protection against resource
 exhaustion Denial-of-Service attacks.  The correspondent nodes do not
 retain any state about individual mobile nodes until an authentic
 Binding Update arrives.  This is achieved through the construct of
 keygen tokens from the nonces and node keys that are not specific to
 individual mobile nodes.  The keygen tokens can be reconstructed by
 the correspondent node, based on the home and care-of address
 information that arrives with the Binding Update.  This means that
 the correspondent nodes are safe against memory exhaustion attacks
 except where on-path attackers are concerned.  Due to the use of
 symmetric cryptography, the correspondent nodes are relatively safe
 against CPU resource exhaustion attacks as well.

Johnson, et al. Standard Track [Page 152] RFC 3775 Mobility Support in IPv6 June 2004

 Nevertheless, as [27] describes, there are situations in which it is
 impossible for the mobile and correspondent nodes to determine if
 they actually need a binding or whether they just have been fooled
 into believing so by an attacker.  Therefore, it is necessary to
 consider situations where such attacks are being made.
 Even if route optimization is a very important optimization, it is
 still only an optimization.  A mobile node can communicate with a
 correspondent node even if the correspondent refuses to accept any
 Binding Updates.  However, performance will suffer because packets
 from the correspondent node to the mobile node will be routed via the
 mobile's home agent rather than a more direct route.  A correspondent
 node can protect itself against some of these resource exhaustion
 attacks as follows.  If the correspondent node is flooded with a
 large number of Binding Updates that fail the cryptographic integrity
 checks, it can stop processing Binding Updates.  If a correspondent
 node finds that it is spending more resources on checking bogus
 Binding Updates than it is likely to save by accepting genuine
 Binding Updates, then it may silently discard some or all Binding
 Updates without performing any cryptographic operations.
 Layers above IP can usually provide additional information to help
 decide if there is a need to establish a binding with a specific
 peer.  For example, TCP knows if the node has a queue of data that it
 is trying to send to a peer.  An implementation of this specification
 is not required to make use of information from higher protocol
 layers, but some implementations are likely to be able to manage
 resources more effectively by making use of such information.
 We also require that all implementations be capable of
 administratively disabling route optimization.

15.4.6. Key Lengths

 Attackers can try to break the return routability procedure in many
 ways.  Section 15.4.2 discusses the situation where the attacker can
 see the cryptographic values sent in the clear, and Section 15.4.3
 discusses the impact this has on IPv6 communications.  This section
 discusses whether attackers can guess the correct values without
 seeing them.
 While the return routability procedure is in progress, 64 bit cookies
 are used to protect spoofed responses.  This is believed to be
 sufficient, given that to blindly spoof a response a very large
 number of messages would have to be sent before success would be
 probable.

Johnson, et al. Standard Track [Page 153] RFC 3775 Mobility Support in IPv6 June 2004

 The tokens used in the return routability procedure provide together
 128 bits of information.  This information is used internally as
 input to a hash function to produce a 160 bit quantity suitable for
 producing the keyed hash in the Binding Update using the HMAC_SHA1
 algorithm.  The final keyed hash length is 96 bits.  The limiting
 factors in this case are the input token lengths and the final keyed
 hash length.  The internal hash function application does not reduce
 the entropy.
 The 96 bit final keyed hash is of typical size and is believed to be
 secure.  The 128 bit input from the tokens is broken in two pieces,
 the home keygen token and the care-of keygen token.  An attacker can
 try to guess the correct cookie value, but again this would require a
 large number of messages (an the average 2**63 messages for one or
 2**127 for two).  Furthermore, given that the cookies are valid only
 for a short period of time, the attack has to keep a high constant
 message rate to achieve a lasting effect.  This does not appear
 practical.
 When the mobile node is returning home, it is allowed to use just the
 home keygen token of 64 bits.  This is less than 128 bits, but
 attacking it blindly would still require a large number of messages
 to be sent.  If the attacker is on the path and capable of seeing the
 Binding Update, it could conceivably break the keyed hash with brute
 force.  However, in this case the attacker has to be on the path,
 which appears to offer easier ways for denial-of-service than
 preventing route optimization.

15.5. Dynamic Home Agent Address Discovery

 The dynamic home agent address discovery function could be used to
 learn the addresses of home agents in the home network.
 The ability to learn addresses of nodes may be useful to attackers
 because brute-force scanning of the address space is not practical
 with IPv6.  Thus, they could benefit from any means which make
 mapping the networks easier.  For example, if a security threat
 targeted at routers or even home agents is discovered, having a
 simple ICMP mechanism to easily find out possible targets may prove
 to be an additional (though minor) security risk.
 Apart from discovering the address(es) of home agents, attackers will
 not be able to learn much from this information, and mobile nodes
 cannot be tricked into using wrong home agents, as all other
 communication with the home agents is secure.

Johnson, et al. Standard Track [Page 154] RFC 3775 Mobility Support in IPv6 June 2004

15.6. Mobile Prefix Discovery

 The mobile prefix discovery function may leak interesting information
 about network topology and prefix lifetimes to eavesdroppers; for
 this reason, requests for this information has to be authenticated.
 Responses and unsolicited prefix information needs to be
 authenticated to prevent the mobile nodes from being tricked into
 believing false information about the prefixes and possibly
 preventing communications with the existing addresses.  Optionally,
 encryption may be applied to prevent leakage of the prefix
 information.

15.7. Tunneling via the Home Agent

 Tunnels between the mobile node and the home agent can be protected
 by ensuring proper use of source addresses, and optional
 cryptographic protection.  These procedures are discussed in Section
 5.5.
 Binding Updates to the home agents are secure.  When receiving
 tunneled traffic, the home agent verifies that the outer IP address
 corresponds to the current location of the mobile node.  This acts as
 a weak form of protection against spoofing packets that appear to
 come from the mobile node.  This is particularly useful, if no end-
 to-end security is being applied between the mobile and correspondent
 nodes.  The outer IP address check prevents attacks where the
 attacker is controlled by ingress filtering.  It also prevents
 attacks when the attacker does not know the current care-of address
 of the mobile node.  Attackers who know the care-of address and are
 not controlled by ingress filtering could still send traffic through
 the home agent.  This includes attackers on the same local link as
 the mobile node is currently on.  But such attackers could send
 packets that appear to come from the mobile node without attacking
 the tunnel; the attacker could simply send packets with the source
 address set to the mobile node's home address.  However, this attack
 does not work if the final destination of the packet is in the home
 network, and some form of perimeter defense is being applied for
 packets sent to those destinations.  In such cases it is recommended
 that either end-to-end security or additional tunnel protection be
 applied, as is usual in remote access situations.
 Home agents and mobile nodes may use IPsec ESP to protect payload
 packets tunneled between themselves.  This is useful for protecting
 communications against attackers on the path of the tunnel.
 When site local home addresses are used, reverse tunneling can be
 used to send site local traffic from another location.
 Administrators should be aware of this when allowing such home

Johnson, et al. Standard Track [Page 155] RFC 3775 Mobility Support in IPv6 June 2004

 addresses.  In particular, the outer IP address check described above
 is not sufficient against all attackers.  The use of encrypted
 tunnels is particularly useful for these kinds of home addresses.

15.8. Home Address Option

 When the mobile node sends packets directly to the correspondent
 node, the Source Address field of the packet's IPv6 header is the
 care-of address.  Therefore, ingress filtering [26] works in the
 usual manner even for mobile nodes, as the Source Address is
 topologically correct.  The Home Address option is used to inform the
 correspondent node of the mobile node's home address.
 However, the care-of address in the Source Address field does not
 survive in replies sent by the correspondent node unless it has a
 binding for this mobile node.  Also, not all attacker tracing
 mechanisms work when packets are being reflected through
 correspondent nodes using the Home Address option.  For these
 reasons, this specification restricts the use of the Home Address
 option.  It may only be used when a binding has already been
 established with the participation of the node at the home address,
 as described in Section 5.5 and Section 6.3.  This prevents
 reflection attacks through the use of the Home Address option.  It
 also ensures that the correspondent nodes reply to the same address
 that the mobile node sends traffic from.
 No special authentication of the Home Address option is required
 beyond the above, but note that if the IPv6 header of a packet is
 covered by IPsec Authentication Header, then that authentication
 covers the Home Address option as well.  Thus, even when
 authentication is used in the IPv6 header, the security of the Source
 Address field in the IPv6 header is not compromised by the presence
 of a Home Address option.  Without authentication of the packet, any
 field in the IPv6 header, including the Source Address field or any
 other part of the packet and the Home Address option can be forged or
 modified in transit.  In this case, the contents of the Home Address
 option is no more suspect than any other part of the packet.

15.9. Type 2 Routing Header

 The definition of the type 2 routing header is described in Section
 6.4.  This definition and the associated processing rules have been
 chosen so that the header cannot be used for what is traditionally
 viewed as source routing.  In particular, the Home Address in the
 routing header will always have to be assigned to the home address of
 the receiving node; otherwise the packet will be dropped.

Johnson, et al. Standard Track [Page 156] RFC 3775 Mobility Support in IPv6 June 2004

 Generally, source routing has a number of security concerns.  These
 include the automatic reversal of unauthenticated source routes
 (which is an issue for IPv4, but not for IPv6).  Another concern is
 the ability to use source routing to "jump" between nodes inside, as
 well as outside a firewall.  These security concerns are not issues
 in Mobile IPv6, due to the rules mentioned above.
 In essence the semantics of the type 2 routing header is the same as
 a special form of IP-in-IP tunneling where the inner and outer source
 addresses are the same.
 This implies that a device which implements the filtering of packets
 should be able to distinguish between a type 2 routing header and
 other routing headers, as required in Section 8.3.  This is necessary
 in order to allow Mobile IPv6 traffic while still having the option
 of filtering out other uses of routing headers.

16. Contributors

 Tuomas Aura, Mike Roe, Greg O'Shea, Pekka Nikander, Erik Nordmark,
 and Michael Thomas worked on the return routability protocols
 eventually led to the procedures used in this protocol.  The
 procedures described in [34] were adopted in the protocol.
 Significant contributions were made by members of the Mobile IPv6
 Security Design Team, including (in alphabetical order) Gabriel
 Montenegro, Erik Nordmark and Pekka Nikander.

17. Acknowledgements

 We would like to thank the members of the Mobile IP and IPng Working
 Groups for their comments and suggestions on this work.  We would
 particularly like to thank (in alphabetical order) Fred Baker, Josh
 Broch, Samita Chakrabarti, Robert Chalmers, Noel Chiappa, Greg Daley,
 Vijay Devarapalli, Rich Draves, Francis Dupont, Thomas Eklund, Jun-
 Ichiro Itojun Hagino, Brian Haley, Marc Hasson, John Ioannidis, James
 Kempf, Rajeev Koodli, Krishna Kumar, T.J. Kniveton, Joe Lau, Jiwoong
 Lee, Aime Le Rouzic, Vesa-Matti Mantyla, Kevin Miles, Glenn Morrow,
 Thomas Narten, Karen Nielsen, Simon Nybroe, David Oran, Brett
 Pentland, Lars Henrik Petander, Basavaraj Patil, Mohan Parthasarathy,
 Alexandru Petrescu, Mattias Petterson, Ken Powell, Phil Roberts, Ed
 Remmell, Patrice Romand, Luis A. Sanchez, Jeff Schiller, Pekka
 Savola, Arvind Sevalkar, Keiichi Shima, Tom Soderlund, Hesham
 Soliman, Jim Solomon, Tapio Suihko, Dave Thaler, Benny Van Houdt,
 Jon-Olov Vatn, Carl E. Williams, Vladislav Yasevich, Alper Yegin, and

Johnson, et al. Standard Track [Page 157] RFC 3775 Mobility Support in IPv6 June 2004

 Xinhua Zhao, for their detailed reviews of earlier versions of this
 document.  Their suggestions have helped to improve both the design
 and presentation of the protocol.
 We would also like to thank the participants of the Mobile IPv6
 testing event (1999), implementors who participated in Mobile IPv6
 interoperability testing at Connectathons (2000, 2001, 2002, and
 2003), and the participants at the ETSI interoperability testing
 (2000, 2002).  Finally, we would like to thank the TAHI project who
 has provided test suites for Mobile IPv6.

18. References

18.1. Normative References

 [1]   Eastlake 3rd., D., Crocker, S. and J. Schiller, "Randomness
       Recommendations for Security", RFC 1750, December 1994.
 [2]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
       Levels", BCP 14, RFC 2119, March 1997.
 [3]   Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6)
       Addressing Architecture", RFC 3513, April 2003.
 [4]   Kent, S. and R. Atkinson, "Security Architecture for the
       Internet Protocol", RFC 2401, November 1998.
 [5]   Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402,
       November 1998.
 [6]   Kent, S. and R. Atkinson, "IP Encapsulating Security Payload
       (ESP)", RFC 2406, November 1998.
 [7]   Piper, D., "The Internet IP Security Domain of Interpretation
       for ISAKMP", RFC 2407, November 1998.
 [8]   Maughan, D., Schertler, M., Schneider, M. and J. Turner,
       "Internet Security Association and Key Management Protocol
       (ISAKMP)", RFC 2408, November 1998.
 [9]   Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
       RFC 2409, November 1998.
 [10]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
       Considerations Section in RFCs", BCP 26, RFC 2434, October
       1998.

Johnson, et al. Standard Track [Page 158] RFC 3775 Mobility Support in IPv6 June 2004

 [11]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
       Specification", RFC 2460, December 1998.
 [12]  Narten, T., Nordmark, E. and W. Simpson, "Neighbor Discovery
       for IP Version 6 (IPv6)", RFC 2461, December 1998.
 [13]  Thomson, S. and T. Narten, "IPv6 Stateless Address
       Autoconfiguration", RFC 2462, December 1998.
 [14]  Conta, A. and S. Deering, "Internet Control Message Protocol
       (ICMPv6) for the Internet Protocol Version 6 (IPv6)
       Specification", RFC 2463, December 1998.
 [15]  Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6
       Specification", RFC 2473, December 1998.
 [16]  Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast
       Addresses", RFC 2526, March 1999.
 [17]  Deering, S., Fenner, W. and B. Haberman, "Multicast Listener
       Discovery (MLD) for IPv6", RFC 2710, October 1999.
 [18]  Narten, T. and R. Draves, "Privacy Extensions for Stateless
       Address Autoconfiguration in IPv6", RFC 3041, January 2001.
 [19]  Reynolds, J., Ed., "Assigned Numbers: RFC 1700 is Replaced by
       an On-line Database", RFC 3232, January 2002.
 [20]  National Institute of Standards and Technology, "Secure Hash
       Standard", FIPS PUB 180-1, April 1995, <http://
       www.itl.nist.gov/fipspubs/fip180-1.htm>.
 [21]  Arkko, J., Devarapalli, V. and F. Dupont, "Using IPsec to
       Protect Mobile IPv6 Signaling Between Mobile Nodes and Home
       Agents", RFC 3776, June 2004.

18.2. Informative References

 [22]  Perkins, C., Ed., "IP Mobility Support for IPv4", RFC 3344,
       August 2002.
 [23]  Perkins, C., "IP Encapsulation within IP", RFC 2003, October
       1996.
 [24]  Perkins, C., "Minimal Encapsulation within IP", RFC 2004,
       October 1996.

Johnson, et al. Standard Track [Page 159] RFC 3775 Mobility Support in IPv6 June 2004

 [25]  Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing
       for Message Authentication", RFC 2104, February 1997.
 [26]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
       Defeating Denial of Service Attacks which employ IP Source
       Address Spoofing", BCP 38, RFC 2827, May 2000.
 [27]  Aura, T. and J. Arkko, "MIPv6 BU Attacks and Defenses", Work in
       Progress, March 2002.
 [28]  Bellovin, S., "Guidelines for Mandating Automated Key
       Management", Work in Progress, August 2003.
 [29]  Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, C. and
       M. Carney, "Dynamic Host Configuration Protocol for IPv6
       (DHCPv6)", RFC 3315, July 2003.
 [30]  Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", Work in
       Progress, April 2003.
 [31]  Draves, R., "Default Address Selection for Internet Protocol
       version 6 (IPv6)", RFC 3484, February 2003.
 [32]  Nikander, P., Aura, T., Arkko, J., Montenegro, G. and E.
       Nordmark, "Mobile IP version 6 Route Optimization Security
       Design Background", Work in Progress, April 2003.
 [33]  Nordmark, E., "Securing MIPv6 BUs using return routability
       (BU3WAY)", Work in Progress, November 2001.
 [34]  Roe, M., Aura, T., O'Shea, G. and J. Arkko, "Authentication of
       Mobile IPv6 Binding Updates and Acknowledgments", Work in
       Progress, March 2002.
 [35]  Savola, P., "Use of /127 Prefix Length Between Routers
       Considered Harmful", RFC 3627, September 2003.
 [36]  Savola, P., "Security of IPv6 Routing Header and Home Address
       Options", Work in Progress, December 2002.
 [37]  Vida, R. and L. Costa, Eds., "Multicast Listener Discovery
       Version 2 (MLDv2) for IPv6", RFC 3810, June 2004.

Johnson, et al. Standard Track [Page 160] RFC 3775 Mobility Support in IPv6 June 2004

Appendix A. Future Extensions

A.1. Piggybacking

 This document does not specify how to piggyback payload packets on
 the binding related messages.  However, it is envisioned that this
 can be specified in a separate document when issues such as the
 interaction between piggybacking and IPsec are fully resolved (see
 also Appendix A.3).  The return routability messages can indicate
 support for piggybacking with a new mobility option.

A.2. Triangular Routing

 Due to the concerns about opening reflection attacks with the Home
 Address destination option, this specification requires that this
 option be verified against the Binding Cache, i.e., there must be a
 Binding Cache entry for the Home Address and Care-of Address.
 Future extensions may be specified that allow the use of unverified
 Home Address destination options in ways that do not introduce
 security issues.

A.3. New Authorization Methods

 While the return routability procedure provides a good level of
 security, there exist methods that have even higher levels of
 security.  Secondly, as discussed in Section 15.4, future
 enhancements of IPv6 security may cause a need to also improve the
 security of the return routability procedure.  Using IPsec as the
 sole method for authorizing Binding Updates to correspondent nodes is
 also possible.  The protection of the Mobility Header for this
 purpose is easy, though one must ensure that the IPsec SA was created
 with appropriate authorization to use the home address referenced in
 the Binding Update.  For instance, a certificate used by IKE to
 create the security association might contain the home address.  A
 future specification may specify how this is done.

A.4. Dynamically Generated Home Addresses

 A future version of this specification may include functionality that
 allows the generation of new home addresses without requiring pre-
 arranged security associations or certificates even for the new
 addresses.

Johnson, et al. Standard Track [Page 161] RFC 3775 Mobility Support in IPv6 June 2004

A.5. Remote Home Address Configuration

 The method for initializing a mobile node's home address upon power-
 up or after an extended period of being disconnected from the network
 is beyond the scope of this specification.  Whatever procedure is
 used should result in the mobile node having the same stateless or
 stateful (e.g., DHCPv6) home address autoconfiguration information it
 would have if it were attached to the home network.  Due to the
 possibility that the home network could be renumbered while the
 mobile node is disconnected, a robust mobile node would not rely
 solely on storing these addresses locally.
 Such a mobile node could be initialized by using the following
 procedure:
 1.  Generate a care-of address.
 2.  Query DNS for an anycast address associated with the FQDN of the
     home agent(s).
 3.  Perform home agent address discovery, and select a home agent.
 4.  Configure one home address based on the selected home agent's
     subnet prefix and the interface identifier of the mobile node.
 5.  Create security associations and security policy database entries
     for protecting the traffic between the selected home address and
     home agent.
 6.  Perform a home registration on the selected home agent.
 7.  Perform mobile prefix discovery.
 8.  Make a decision if further home addresses need to be configured.
 This procedure is restricted to those situations where the home
 prefix is 64 bits and the mobile node knows its own interface
 identifier, which is also 64 bits.

Johnson, et al. Standard Track [Page 162] RFC 3775 Mobility Support in IPv6 June 2004

A.6. Neighbor Discovery Extensions

 Future specifications may improve the efficiency of Neighbor
 Discovery tasks, which could be helpful for fast movements.  One
 factor is currently being looked at: the delays caused by the
 Duplicate Address Detection mechanism.  Currently, Duplicate Address
 Detection needs to be performed for every new care-of address as the
 mobile node moves, and for the mobile node's link-local address on
 every new link.  In particular, the need and the trade-offs of re-
 performing Duplicate Address Detection for the link-local address
 every time the mobile node moves on to new links will need to be
 examined.  Improvements in this area are, however, generally
 applicable and progress independently from the Mobile IPv6
 specification.
 Future functional improvements may also be relevant for Mobile IPv6
 and other applications.  For instance, mechanisms that would allow
 recovery from a Duplicate Address Detection collision would be useful
 for link-local, care-of, and home addresses.

Johnson, et al. Standard Track [Page 163] RFC 3775 Mobility Support in IPv6 June 2004

Authors' Addresses

 David B. Johnson
 Rice University
 Dept. of Computer Science, MS 132
 6100 Main Street
 Houston  TX 77005-1892
 USA
 EMail: dbj@cs.rice.edu
 Charles E. Perkins
 Nokia Research Center
 313 Fairchild Drive
 Mountain View  CA 94043
 USA
 EMail: charliep@iprg.nokia.com
 Jari Arkko
 Ericsson
 02420  Jorvas
 Finland
 EMail: jari.arkko@ericsson.com

Johnson, et al. Standard Track [Page 164] RFC 3775 Mobility Support in IPv6 June 2004

Full Copyright Statement

 Copyright (C) The Internet Society (2004).  This document is subject
 to the rights, licenses and restrictions contained in BCP 78, and
 except as set forth therein, the authors retain all their rights.
 This document and the information contained herein are provided on an
 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

 The IETF takes no position regarding the validity or scope of any
 Intellectual Property Rights or other rights that might be claimed to
 pertain to the implementation or use of the technology described in
 this document or the extent to which any license under such rights
 might or might not be available; nor does it represent that it has
 made any independent effort to identify any such rights.  Information
 on the procedures with respect to rights in RFC documents can be
 found in BCP 78 and BCP 79.
 Copies of IPR disclosures made to the IETF Secretariat and any
 assurances of licenses to be made available, or the result of an
 attempt made to obtain a general license or permission for the use of
 such proprietary rights by implementers or users of this
 specification can be obtained from the IETF on-line IPR repository at
 http://www.ietf.org/ipr.
 The IETF invites any interested party to bring to its attention any
 copyrights, patents or patent applications, or other proprietary
 rights that may cover technology that may be required to implement
 this standard.  Please address the information to the IETF at ietf-
 ipr@ietf.org.

Acknowledgement

 Funding for the RFC Editor function is currently provided by the
 Internet Society.

Johnson, et al. Standard Track [Page 165]

/data/webs/external/dokuwiki/data/pages/rfc/rfc3775.txt · Last modified: 2004/06/08 23:35 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki