Network Working Group                                          K. Shima
Internet-Draft                                  IIJ Research Laboratory
Expires: March 31, 2004                                        Oct 2003


                      Route Optimization hint option
                       draft-shima-mip6-rohints-00

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 31, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This memo describes a distribution mechanism for route optimization
   hints, which a mobile node can use to determine when it should
   initiate the route optimization procedure when communicating with
   correspondent nodes.  Usually, a mobile node will perform the RO
   procedure with any correspondent node, as described in the Mobile
   IPv6 specification [1].  However, in some cases it is better not to
   perform RO.  A typical example is a firewalled network.  This memo
   also describes a firewall configuration which, together with RO
   hints, makes it possible for mobile nodes to move between an
   intranet and the Internet.

Shima                   Expires March 31, 2004                  [Page 1]

Internet-Draft               RO hint option                     Oct 2003

1.  Background

   Mobile IPv6 [1] provides a mobility feature to IPv6 nodes.  With
   Mobile IPv6, an IPv6 node can move from one IPv6 network to another
   IPv6 network.
   Usually, all the traffic between a mobile node and a correspondent
   node flows via the home agent of the mobile node, using
   bi-directional tunneling between the mobile node and the home agent.
   In addition to this basic mechanism, if both a mobile node and a
   correspondent node support the route optimization (RO) mechanism
   described in Mobile IPv6, they can communicate with each other
   directly, with no home agent involvement.

   However, in the current Internet, moving to arbitrary networks may
   not always be possible.  Most enterprise networks, and increasingly
   even individual networks, operate an Internet firewall.  Because of
   the firewall, only restricted traffic (usually specific TCP and UDP
   ports) in one direction (usually connections initiated from internal
   nodes to external nodes only) can pass through.  In such a
   situation, Mobile IPv6 RO cannot be performed, because the required
   signaling packets cannot pass through the firewall and incoming
   route-optimized traffic (direct traffic from the Internet to a node
   in the intranet) is dropped at the firewall.

   In the future, firewalls will support the Mobile IPv6 specification
   and will be able to handle Mobile IPv6 signaling packets and direct
   traffic properly.  However, it is better if RO can be utilized to
   some extent even with firewalls that do not support Mobile IPv6.

   This memo describes a recommended network topology which makes it
   possible to use the RO feature with a current firewall system.  This
   memo also introduces a new ND option which carries information that
   a mobile node can use to determine whether it should initiate the RO
   procedure.

2.  Basic idea

   The basic idea is not to perform RO if there is a firewall between a
   mobile node and a correspondent node.

   If a mobile node is in an intranet, the mobile node can communicate
   with any node in the same intranet.  In this case, the mobile node
   can perform the RO procedure.
   However, the mobile node cannot communicate with nodes outside the
   intranet using RO, because HoT and CoT messages from the
   correspondent node will be dropped by the firewall.  A mobile node
   should use bi-directional tunneling to communicate with nodes
   outside the intranet.

   If a mobile node is on the Internet (away from the intranet), it can
   communicate with any node on the Internet with RO, provided the
   correspondent node supports RO.  Conversely, the mobile node cannot
   communicate with nodes in its intranet using RO, because the
   firewall will drop direct traffic from the mobile node to the
   intranet nodes.  In this case, the mobile node should tunnel its
   traffic to its home agent so that the packets are forwarded properly
   from the home agent to the intranet nodes.  The firewall must be
   configured to pass tunneled traffic destined to the home agent from
   nodes on the Internet.

3.  Mobile node operation

   A mobile node should not initiate the RO procedure if it is on an
   intranet and the correspondent node is on the Internet.  Conversely,
   a mobile node should not initiate the RO procedure if it is on the
   Internet and the correspondent node is on an intranet.

   If the prefix of the intranet is known, a mobile node can decide its
   location by comparing its current CoA to the prefix.  Likewise, a
   mobile node can decide the location of a correspondent node by
   comparing the correspondent's address to the prefix.

   The intranet prefix can be pre-configured in a mobile node, or can
   be distributed by a Mobile Prefix Advertisement message with the
   new ND option described later (Section 5).

4.  Firewall configuration

   When utilizing the Mobile IPv6 RO feature with a firewall, the
   following topology can be used, for example.

                           Internet
                              |
                           external
                              |
            .......... Firewall ...............
                              |
                           internal
                              |
                   +----------+------DMZ
                   |          |
                   |       homeagent
                   |
                intranet

   To make it possible for a mobile node to reach the nodes in the
   intranet, the firewall must be configured as follows.

   o  Pass all the traffic from the Internet to the home agent if the
      packets are protected by ESP.

   o  Pass all the tunneled traffic from the Internet to the home
      agent.

   The points are that (1) the firewall must pass Binding Update and
   Binding Acknowledgement packets from mobile nodes on the Internet
   side to the home agent, and (2) the firewall must pass traffic from
   mobile nodes on the Internet side to correspondent nodes on the
   intranet side, which is tunneled via the home agent.

5.  RO hints option format

   A mobile node must retrieve its intranet prefix(es) to determine its
   location and the location of correspondent nodes.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     | Prefix Length |S|O|I|Reserved1|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Valid Lifetime                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Preferred Lifetime                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Reserved2                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      +                                                               +
      |                                                               |
      +                            Prefix                             +
      |                                                               |
      +                                                               +
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      TBD

   Length

      8-bit unsigned integer.  The length of the option (including the
      type and length fields) in units of 8 octets.  This value must be
      4.

   Prefix Length

      8-bit unsigned integer.  The length of the prefix.

   Site prefix (S)

      The Site prefix (S) bit indicates that the prefix is the prefix
      of the site to which the mobile node belongs.  Using this flag, a
      mobile node can determine whether it is in the intranet or on the
      Internet (away from the intranet).
   Perform RO when outside (O)

      The Perform RO when outside (O) bit is set if the sender wants
      the mobile node to perform the RO procedure with destination
      nodes whose addresses match the Prefix field while the mobile
      node is away from the intranet.

   Perform RO when inside (I)

      The Perform RO when inside (I) bit is set if the sender wants the
      mobile node to perform the RO procedure with destination nodes
      whose addresses match the Prefix field while the mobile node is
      in the intranet.

   A home agent may include this option when it sends a Mobile Prefix
   Advertisement, to advise mobile nodes with a hint they can use to
   judge when they should perform the RO procedure.

6.  Example

   Suppose there is a network as described below.

                 Internet
                    |
                    |
      Firewall........................................
                    |
                    | 2001:DB8:100::/48
                    |
                    |
                    +--------+------------ 2001:DB8:100:1::/64
                    |        |
                    |        |
                    |     homeagent(2001:DB8:100:1::100)
                    |
                    +------------
                    +------------ other intranet subnets
                    +------------

   The intranet uses the 2001:DB8:100::/48 address space, the home
   network is 2001:DB8:100:1::/64 and the home agent address is
   2001:DB8:100:1::100.  In this case, the firewall must have the
   following rules.

      ANY -> "2001:DB8:100:1::100", ESP, PASS
      ANY -> "2001:DB8:100:1::100", IPV6, PASS

   The home agent will advertise the following two RO hints.

      2001:DB8:100::/48, S=on, O=off, I=on
      ::/0, S=off, O=on, I=off

   A mobile node that receives those hints learns from the first hint
   that its intranet prefix is 2001:DB8:100::/48.  When the mobile node
   starts communicating with other nodes, it must determine its own
   location and the correspondent's location by comparing their
   addresses with the intranet prefix (2001:DB8:100::/48).

   If the mobile node is in the intranet and communicates with other
   intranet nodes, the former hint matches.  Since the 'I' flag is set,
   the mobile node tries to perform RO with the node.
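   The option layout of Section 5 and the hint matching of this example,
   written out as an added illustration that is not part of this draft
   or of any Mobile IPv6 implementation.  It assumes a placeholder option
   Type of 255 (the draft leaves the value TBD), that the most specific
   matching prefix wins (the example requires this, since ::/0 also
   covers every intranet destination), that a correspondent covered by no
   hint falls back to bi-directional tunneling, and constructed care-of
   and correspondent addresses inside and outside 2001:DB8:100::/48.
   The names ROHint, decode_ro_hints, should_perform_ro, decide and
   is_malformed are chosen here, not taken from the draft.  The decoder
   rejects truncated or malformed options rather than guessing at them,
   since a hint steers the mobile node's path selection and the only
   protection the draft relies on is the IPsec-protected Mobile Prefix
   Advertisement that carries it.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

# The draft leaves the option Type "TBD"; 255 is a placeholder chosen for this example only.
RO_HINT_TYPE = 255
RO_HINT_LENGTH = 4                 # Length field, in units of 8 octets: 32 octets in total
RO_HINT_SIZE = RO_HINT_LENGTH * 8
FLAG_S, FLAG_O, FLAG_I = 0x80, 0x40, 0x20   # S, O, I are the top three bits of the flags octet
# Type, Length, Prefix Length, flags+Reserved1, Valid Lifetime, Preferred Lifetime, Reserved2, Prefix
RO_HINT_FMT = "!BBBBIII16s"


@dataclass(frozen=True)
class ROHint:
    prefix: ipaddress.IPv6Network
    site: bool            # S: this prefix is the mobile node's own intranet
    ro_outside: bool      # O: perform RO with matching destinations while away from the intranet
    ro_inside: bool       # I: perform RO with matching destinations while in the intranet
    valid_lifetime: int = 0xFFFFFFFF
    preferred_lifetime: int = 0xFFFFFFFF

    def encode(self) -> bytes:
        """Serialize this hint into the 32-octet option layout of Section 5."""
        flags = ((FLAG_S if self.site else 0) | (FLAG_O if self.ro_outside else 0)
                 | (FLAG_I if self.ro_inside else 0))
        return struct.pack(RO_HINT_FMT, RO_HINT_TYPE, RO_HINT_LENGTH, self.prefix.prefixlen,
                           flags, self.valid_lifetime, self.preferred_lifetime, 0,
                           self.prefix.network_address.packed)


def decode_ro_hints(data: bytes) -> List[ROHint]:
    """Parse consecutive RO hint options; malformed options are rejected, not guessed at."""
    hints: List[ROHint] = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < RO_HINT_SIZE:
            raise ValueError("truncated RO hint option")
        (typ, length, plen, flags, valid, pref, _reserved2,
         prefix_bytes) = struct.unpack(RO_HINT_FMT, data[offset:offset + RO_HINT_SIZE])
        if typ != RO_HINT_TYPE or length != RO_HINT_LENGTH:
            raise ValueError(f"unexpected option type/length {typ}/{length}")
        if plen > 128:
            raise ValueError(f"invalid prefix length {plen}")
        # strict=False masks off any host bits present in the Prefix field instead of failing.
        prefix = ipaddress.IPv6Network((prefix_bytes, plen), strict=False)
        hints.append(ROHint(prefix, bool(flags & FLAG_S), bool(flags & FLAG_O),
                            bool(flags & FLAG_I), valid, pref))
        offset += RO_HINT_SIZE
    return hints


def is_malformed(data: bytes) -> bool:
    """True when decode_ro_hints rejects the bytes (truncated, wrong type/length, bad prefix length)."""
    try:
        decode_ro_hints(data)
    except ValueError:
        return True
    return False


def is_in_intranet(hints: List[ROHint], coa: ipaddress.IPv6Address) -> bool:
    """Section 3: the mobile node is in its intranet when its CoA matches an S-flagged prefix."""
    return any(coa in h.prefix for h in hints if h.site)


def matching_hint(hints: List[ROHint], addr: ipaddress.IPv6Address) -> Optional[ROHint]:
    """Most-specific-prefix match (assumed here: the example needs the /48 to win over ::/0)."""
    candidates = [h for h in hints if addr in h.prefix]
    return max(candidates, key=lambda h: h.prefix.prefixlen, default=None)


def should_perform_ro(hints: List[ROHint], coa: ipaddress.IPv6Address,
                      cn: ipaddress.IPv6Address) -> bool:
    """Apply the I flag when inside the intranet and the O flag when outside (Sections 5 and 6)."""
    hint = matching_hint(hints, cn)
    if hint is None:
        # No hint covers this correspondent: the assumed fallback is bi-directional tunneling.
        return False
    return hint.ro_inside if is_in_intranet(hints, coa) else hint.ro_outside


def example_hints_wire() -> bytes:
    """The two hints the home agent advertises in Section 6, as they would appear on the wire."""
    return b"".join(h.encode() for h in (
        ROHint(ipaddress.IPv6Network("2001:db8:100::/48"), site=True, ro_outside=False, ro_inside=True),
        ROHint(ipaddress.IPv6Network("::/0"), site=False, ro_outside=True, ro_inside=False),
    ))


def decide(coa: str, cn: str) -> bool:
    """Decode the example hints and decide whether the mobile node at `coa` should try RO with `cn`."""
    hints = decode_ro_hints(example_hints_wire())
    return should_perform_ro(hints, ipaddress.IPv6Address(coa), ipaddress.IPv6Address(cn))


if __name__ == "__main__":
    # Constructed addresses: a CoA inside and outside 2001:DB8:100::/48, and one correspondent each side.
    for coa, cn in [("2001:db8:100:5::abcd", "2001:db8:100:2::1"),   # inside  -> intranet CN: RO
                    ("2001:db8:100:5::abcd", "2001:db8:ffff::1"),    # inside  -> Internet CN: tunnel
                    ("2001:db8:ffff::10", "2001:db8:100:2::1"),      # outside -> intranet CN: tunnel
                    ("2001:db8:ffff::10", "2001:db8:ffff::1")]:      # outside -> Internet CN: RO
        print(f"CoA {coa} -> CN {cn}: {'RO' if decide(coa, cn) else 'tunnel via HA'}")
```

   The four calls in the main block correspond to the four cases walked
   through in this section; only the first and last yield RO, the other
   two keep the traffic on the bi-directional tunnel through the home
   agent, which is exactly the path the firewall rules above let through.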
   If the mobile node communicates with nodes which are not in the
   intranet, the latter hint matches.  Since the 'I' flag is not set in
   the latter hint, the mobile node does not perform RO and uses
   bi-directional tunneling.

   If the mobile node is away from the intranet and communicates with
   nodes in the intranet, the former hint matches.  Since the 'O' flag
   is not set in this hint, the mobile node does not perform RO.

   If the mobile node communicates with nodes on the Internet, it
   performs RO, since the 'O' flag of the latter hint is set.

7.  IANA Consideration

   A new type number for the RO hints option should be assigned by
   IANA.

8.  Security Consideration

   Since the Mobile Prefix Advertisement message is protected by IPsec,
   no new security vulnerability is introduced.

References

   [1]  Johnson, Perkins and Arkko, "Mobility Support in IPv6".

Author's Address

   Keiichi Shima
   Research Laboratory, Internet Initiative Japan Inc.
   Jinboucho Mitsui Building
   1-105 Jinboucho, Kanda
   Chiyoda-ku, Tokyo 101-0051
   JAPAN

   Phone: +81 3 5205 6500
   EMail: keiichi@iij.ad.jp
   URI:   http://www.iij.ad.jp/

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.
   Information on the IETF's procedures with respect to rights in
   standards-track and standards-related documentation can be found in
   BCP-11.  Copies of claims of rights made available for publication
   and any assurances of licenses to be made available, or the result
   of an attempt made to obtain a general license or permission for the
   use of such proprietary rights by implementors or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.
   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.