WDIFF

draft-ietf-netlmm-proxymip6-00.txt --> draft-ietf-netlmm-proxymip6-01.txt-120498.txt

NETLMM WG S. Gundavelli
Internet-Draft K. Leung
Intended status: Standards Track Cisco
Expires: October 10, December 20, 2007 V. Devarapalli
Azaire Networks
K. Chowdhury
Starent Networks
B. Patil
Nokia Siemens Networks
April 08,
June 18, 2007

Proxy Mobile IPv6
draft-ietf-netlmm-proxymip6-00.txt
draft-ietf-netlmm-proxymip6-01.txt

Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on October 10, December 20, 2007.

Abstract

Host based IPv6 mobility is specified in Mobile IPv6 base
specification [RFC3775]. In that model, the mobile node is

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 1]

Internet-Draft Proxy Mobile IPv6 April June 2007

responsible for doing the signaling to its home agent to enable
session continuity as it moves between subnets. The design principle
in the case of host-based mobility relies on the mobile node being in
control of the mobility management. Network based mobility allows IP
session continuity for a mobile node without its involvement in
mobility management. This specification describes a protocol
solution for network based mobility management that relies on Mobile
IPv6 signaling and reuse of home agent functionality. A proxy
mobility agent in the network which manages the mobility for a mobile
node is the reason for referring to this protocol as Proxy Mobile
IPv6.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Conventions & Terminology . . . . . . . . . . . . . . . . . . 5
2.1. Conventions used in this document . . . . . . . . . . . . 5
2.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
3. Proxy Mobile IPv6 Protocol Overview . . . . . . . . . . . . . 8 7
4. Proxy Mobile IPv6 Protocol Security . . . . . . . . . . . . . 11
4.1. Peer Authorization Database Entries . . . . . . . . . . . 12 11
4.2. Security Policy Database Entries . . . . . . . . . . . . . 12
5. Local Mobility Anchor Operation . . . . . . . . . . . . . . . 13
5.1. Extensions to Binding Cache Conceptual Data Structure . . 14
5.2. Bi-Directional Tunnel Management . . . . . . . . . . . . . 15 14
5.3. Routing Considerations . . . . . . . . . . . . . . . . . . 16 15
5.4. Local Mobility Anchor Address Discovery . . . . . . . . . 17 16
5.5. Sequence Number and Time-Stamps for Message Ordering . . . 17 16
5.6. Route Optimizations Considerations . . . . . . . . . . . . 19 17
5.7. Mobile Prefix Discovery Considerations . . . . . . . . . . 19 18
5.8. Local Mobility Anchor Operational Summary . . . . . . . . 19
6. Mobile Access Gateway Operation Signaling Considerations . . . . . . . . . . . . . . . 21
6.1. Address Configuration Models . . 18
5.8.1. Initial Proxy Binding Registration . . . . . . . . . . 18
5.8.2. Extending the binding lifetime . . . 22
6.2. Conceptual Data Structures . . . . . . . . . 20
5.8.3. De-registration of the binding . . . . . . . 23
6.3. Access Authentication . . . . . 20
5.9. Local Mobility Anchor Operational Summary . . . . . . . . 20
6. Mobile Access Gateway Operation . . . . . 23
6.4. Home Network Emulation . . . . . . . . . . 21
6.1. Supported Access Link Types . . . . . . . . 24
6.5. Link-Local and Global Address Uniqueness . . . . . . . 21
6.2. Supported Home Network Prefix Models . . 24
6.6. Tunnel Management . . . . . . . . . 22
6.3. Supported Address Configuration Models . . . . . . . . . . 22
6.4. Access Authentication & Mobile Node Identification . 25
6.7. Routing Considerations . . . 23
6.5. Mobile Node's Policy Profile . . . . . . . . . . . . . . . 26
6.8. Interaction with DHCP Relay Agent 23
6.6. Conceptual Data Structures . . . . . . . . . . . . 27
6.9. Mobile Node Detachment Detection and Resource Cleanup . . 27
6.10. Coexistence with Mobile Nodes using Host-based Mobility . 28
6.11. Mobile Access Gateway Operation Summary . 24
6.7. Home Network Emulation . . . . . . . . 29
7. Mobile Node Operation . . . . . . . . . . 24
6.7.1. Home Network Prefix Renumbering . . . . . . . . . . 31
7.1. Booting up in a Proxy Mobile IPv6 Domain . 25
6.8. Link-Local and Global Address Uniqueness . . . . . . . . 32
7.2. Roaming in the Proxy Mobile IPv6 Network . 26
6.9. Signaling Considerations . . . . . . . . 33
7.3. IPv6 Host Protocol Parameters . . . . . . . . . 27
6.9.1. Initial Attachment and binding registration . . . . . 33 27

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 2]

Internet-Draft Proxy Mobile IPv6 April June 2007

8. Message Formats .

6.9.2. Extending the binding lifetime . . . . . . . . . . . . 28
6.9.3. De-registration of the binding . . . . . . . . . . 34
8.1. Proxy Binding Update . . 28
6.10. Routing Considerations . . . . . . . . . . . . . . . . . 35
8.2. Proxy Binding Acknowledgment . 28
6.10.1. Transport Network . . . . . . . . . . . . . . 35
8.3. Home Network Prefix Option . . . . 29
6.10.2. Tunneling & Encapsulation Modes . . . . . . . . . . . 29
6.10.3. Routing State . . 36
8.4. Time Stamp Option . . . . . . . . . . . . . . . . . . 30
6.10.4. Local Routing . . . 38
8.5. Status Codes . . . . . . . . . . . . . . . . . 31
6.10.5. Tunnel Management . . . . . . . 38
9. IANA Considerations . . . . . . . . . . . 31
6.10.6. Forwarding Rules . . . . . . . . . . 39
10. Security Considerations . . . . . . . . . 31
6.11. Interaction with DHCP Relay Agent . . . . . . . . . . 39
11. Acknowledgements . . 32
6.12. Mobile Node Detachment Detection and Resource Cleanup . . 32
6.13. Allowing network access to other IPv6 nodes . . . . . . . 33
7. Mobile Node Operation . . . . . . . . . . . . 40
12. References . . . . . . . . 34
7.1. Booting up in a Proxy Mobile IPv6 Domain . . . . . . . . . 34
7.2. Roaming in the Proxy Mobile IPv6 Network . . . . . . . . . 41
12.1. Normative References 35
7.3. IPv6 Host Protocol Parameters . . . . . . . . . . . . . . 36
8. Message Formats . . . . . 41
12.2. Informative References . . . . . . . . . . . . . . . . . . 42
Appendix A. 37
8.1. Proxy Mobile IPv6 interactions with AAA
Infrastructure Binding Update . . . . . . . . . . . . . . . . . . . 43
Appendix B. Supporting Shared-Prefix Model using DHCPv6 37
8.2. Proxy Binding Acknowledgment . . . . . 43
Authors' Addresses . . . . . . . . . . 38
8.3. Home Network Prefix Option . . . . . . . . . . . . . . 44
Intellectual Property and Copyright Statements . . 39
8.4. Time Stamp Option . . . . . . . . 46

Gundavelli, et al. Expires October 10, 2007 [Page 3]

Internet-Draft Proxy Mobile IPv6 April 2007

1. Introduction

Mobile IPv6 [RFC-3775] is the enabler for IPv6 mobility. It requires
Mobile IPv6 client functionality in the IPv6 stack of a mobile node.
Signaling between the MN and HA enables the creation and maintenance
of a binding between the MNs home address and care-of-address.
Mobile IPv6 has been designed to be an integral part of the IPv6
stack in a host. However there exist IPv6 stacks today that do not
have Mobile IPv6 functionality and there would likely be IPv6 stacks
without MIPv6 functionality in the future as well. It is desirable
to support IP mobility for all hosts irrespective of the presence or . . . . . . . . . . . . 40
8.5. Status Codes . . . . . . . . . . . . . . . . . . . . . . . 41
9. Protocol Configuration Variables . . . . . . . . . . . . . . . 42
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42
11. Security Considerations . . . . . . . . . . . . . . . . . . . 42
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 44
13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 44
13.1. Normative References . . . . . . . . . . . . . . . . . . . 44
13.2. Informative References . . . . . . . . . . . . . . . . . . 45
Appendix A. Proxy Mobile IPv6 interactions with AAA
Infrastructure . . . . . . . . . . . . . . . . . . . 46
Appendix B. Supporting Shared-Prefix Model using DHCPv6 . . . . . 46
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 47
Intellectual Property and Copyright Statements . . . . . . . . . . 49

Gundavelli, et al. Expires December 20, 2007 [Page 3]

Internet-Draft Proxy Mobile IPv6 June 2007

1. Introduction

Mobile IPv6 [RFC-3775] is the enabler for IPv6 mobility. It requires
Mobile IPv6 client functionality in the IPv6 stack of a mobile node.
Signaling between the mobile node and home agent enables the creation
and maintenance of a binding between the mobile node's home address
and care-of-address. Mobile IPv6 has been designed to be an integral
part of the IPv6 stack in a host. However there exist IPv6 stacks
today that do not have Mobile IPv6 functionality and there would
likely be IPv6 stacks without Mobile IPv6 client functionality in the
future as well. It is desirable to support IP mobility for all hosts
irrespective of the presence or absence of mobile IPv6 functionality
in the IPv6 stack.

It is possible to support mobility for IPv6 nodes by extending Mobile
IPv6 [RFC-3775] signaling and reusing the home agent via a proxy
mobility agent in the network. This approach to supporting mobility
does not require the mobile node to be involved in the signaling
required for mobility management. The proxy mobility agent in the
network performs the signaling and does the mobility management on
behalf of the mobile node. Because of the use and extension of
Mobile IPv6 signaling and home agent functionality, it is referred to
as Proxy Mobile IPv6 (PMIP6) in the context of this document.

Network deployments which are designed to support mobility would be
agnostic to the capability in the IPv6 stack of the nodes which it
serves. IP mobility for nodes which have mobile IP client
functionality in the IPv6 stack as well as those hosts which do not,
would be supported by enabling PMIP6 Proxy Mobile IPv6 protocol
functionality in the network. The advantages of developing a network
based mobility protocol based on Mobile IPv6 are:

o Reuse of home agent functionality and the messages/format used in
mobility signaling. Mobile IPv6 is a mature protocol with several
implementations that have been through interoperability testing.

o A common home agent would serve as the mobility agent for all
types of IPv6 nodes.

o Addresses a real deployment need.

The problem statement and the need for a network based mobility
protocol solution has been documented in
[draft-ietf-netlmm-nohost-ps-05.txt]. PMIP6 is a solution that
addresses these issues and requirements.

The IP Mobility protocols designed in the IETF so far involve the
host in mobility management. There are some deployment scenarios
where a network-based mobility management protocol is considered

Gundavelli, et al. Expires October 10, 2007 [Page 4]

Internet-Draft Proxy Mobile IPv6 April 2007

appropriate. The advantages to using a network-based mobility
protocol include avoiding tunneling overhead over the air and support
for hosts that do not implement any mobility management protocol.

The document describes a network-based mobility management protocol
based on Mobile IPv6. it is called Proxy Mobile IPv6 (PMIPv6). One
of the most important design considerations behind PMIPv6 has been to
re-use as much as possible from the existing mobility protocols.

There are many advantages to develop a protocol based on Mobile IPv6.
Mobile IPv6 is a very mature mobility protocol for IPv6. There have
been many implementations and inter-operability events where Mobile
IPv6 has been tested. There also numerous specifications enhancing
Mobile IPv6 that can be re-used. Further,

o Reuse of home agent functionality and the Proxy MIPv6 solution
described messages/format used in this document allows the same Home Agent to provide
mobility to hosts that use signaling. Mobile IPv6 and hosts is a mature protocol with several
implementations that do not use any have been through interoperability testing.

o A common home agent would serve as the mobility management protocol. Proxy Mobile agent for all
types of IPv6 provides solution to nodes.

o Addresses a real deployment problem. need.

The specific details related to enabling IPv4 home address mobility
for the mobile node problem statement and the details related to supporting IPv4
transport need for a network are covered based mobility
protocol solution has been documented in the companion document. [RFC-4830]. Proxy Mobile
IPv6 is a solution that addresses these issues and requirements.

Gundavelli, et al. Expires December 20, 2007 [Page 4]

Internet-Draft Proxy Mobile IPv6 June 2007

2. Conventions & Terminology

2.1. Conventions used in this document

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" used in
this document are to be interpreted as described in RFC 2119.

2.2. Terminology

All the general mobility related terms used in this document are to
be interpreted as defined in the Mobile IPv6 base specification [RFC-
3775].

This document adopts the terms, Local Mobility Anchor (LMA) and
Mobile Access Gateway (MAG) from the NETLMM Goals document
[draft-ietf-netlmm-nohost-req-05.txt]. It further [RFC-
4831]. This document also provides the following context specific
explanation to these terms, specific to the following terms used in this solution document.

Proxy Mobile IPv6 Domain (PMIPv6-Domain)

Proxy Mobile IPv6 domain refers to the network where the mobility
management of a mobile node is handled using Proxy Mobile IPv6
protocol as defined in this specification. The Proxy Mobile IPv6
domain includes local mobility anchors and mobile access gateways
between which security associations can be setup and authorization
for sending Proxy Binding Updates on behalf of the mobile nodes
can be ensured.

Local Mobility Anchor (LMA)

Gundavelli, et al. Expires October 10, 2007 [Page 5]

Internet-Draft Proxy Mobile IPv6 April 2007

Local Mobility Anchor is the home agent for the mobile node in the
Proxy Mobile IPv6 domain. It is the topological anchor point for
the mobile node's home network prefix and is the entity that
manages the mobile node's reachability state. It is important to
understand that the LMA local mobility anchor has the functional
capabilities of a home agent as defined in Mobile IPv6 base
specification [RFC-3775] and with the additional required
capabilities for supporting Proxy Mobile IPv6 protocol as defined
in this specification.

Proxy

Mobile Agent (PMA) Access Gateway (MAG)

Gundavelli, et al. Expires December 20, 2007 [Page 5]

Internet-Draft Proxy mobility agent Mobile IPv6 June 2007

Mobile Access Gateway is a function that manages the mobility
related signaling for a mobile node that is attached to its access
link. It is responsible for tracking the mobile node's attachment
to the link and for signaling the mobile node's local mobility
anchor.

Mobile Access Gateway (MAG)

It is the entity where the Proxy Mobile Agent function resides.

Mobile Node (MN)

Through out this document, the term mobile node is used to refer
to an IP node whose mobility is provided managed by the network. The
mobile node may be operating in IPv6 mode, IPv4 mode or in IPv4/
IPv6 dual mode. The mobile node is not required to participate in
any mobility related signaling for achieving mobility for an IP
address that is obtained in that local domain. This document
further uses explicit text when referring to a mobile node that is
involved in mobility related signaling as per Mobile IPv6
specification [RFC-3775].

LMA Address (LMAA)

The mobile node's capability or its
involvement in any address that is configured on the interface of the local
mobility related signaling for obtaining anchor and is the transport endpoint of the tunnel
between the local mobility for anchor and the mobile access gateway.
This is the address to where the mobile access gateway sends the
Proxy Binding Update messages. When supporting IPv4 traversal,
i.e. when the network between the local mobility anchor and the
mobile access gateway is an IPv4 network, this address that will be an
IPv4 address and will be referred to as IPv4-LMAA, as specified in
[ID-IPV4-PMIP6].

Proxy Care-of Address (Proxy-CoA)

Proxy-CoA is obtained outside the current proxy address configured on the interface of the mobile IPv6 domain,
access gateway and is not relevant in the context transport endpoint of this
document the tunnel between
the local mobility anchor and the mobile access gateway. The
local mobility anchor views this definition address as the Care-of Address of
the Mobile Node shall survive. mobile node and registers it in the Binding Cache entry for
that mobile node. When the transport network between the mobile
access gateway and the local mobility anchor is an IPv4 network
and if the care-of address that is registered at the local
mobility anchor is an IPv4 address, the term, IPv4-Proxy-CoA is
used, as defined in [ID-IPV4-PMIP6].

Mobile Node's Home Address (MN-HoA)

Gundavelli, et al. Expires December 20, 2007 [Page 6]

Internet-Draft Proxy Mobile IPv6 June 2007

MN-HoA is the home address of a mobile node in a Proxy Mobile IPv6
domain. It is an address obtained by the mobile node in that
domain. The mobile node can continue to use this address as long
as it is attached to the network that is in the scope of that
Proxy Mobile IPv6 domain. When supporting IPv4 address mobility
for a mobile node, the term, IPv4 MN-HoA

Mobile Node's Home Network Prefix (MN-HNP)

This is used to refer to the
IPv4 address of on-link IPv6 prefix that the mobile node.

Proxy Care-of Address (Proxy-CoA)

Gundavelli, et al. Expires October 10, 2007 [Page 6]

Internet-Draft node always sees
in the Proxy Mobile IPv6 April 2007

Proxy-CoA domain. The home network prefix is the address configured on the interface of
topologically anchored at the mobile
access gateway and is the transport endpoint of the tunnel between
the node's local mobility anchor and the mobile access gateway. anchor.
The
local mobility anchor views this mobile node configures its interface with an address as from this
prefix.

Mobile Node's Home Link

This is the Care-of Address of link on which the mobile node and registers obtained its initial
address configuration after it in moved into that Proxy Mobile IPv6
domain. This is the Binding Cache entry for link that conceptually follows the mobile
node. When the transport The network between will ensure the mobile
access gateway and node always sees this
link with respect to the local mobility anchor is an IPv4 layer-3 network
and if the care-of address configuration, on any
access link that is registered at the local
mobility anchor is an IPv4 address, the term, IPv4 Proxy-CoA is
used.

LMA Address (LMAA) it attaches to in that proxy mobile IPv6 domain.

Mobile Node Identifier (MN-Identifier)

The address identity of the mobile node that is configured on presented to the interface network
as part of the local
mobility anchor and access authentication. This is the transport endpoint typically an
identifier such as Mobile Node NAI [RFC-4283], or any other type
of identifier which may be specific to the tunnel
between the local mobility anchor and access technology.

Proxy Binding Update (PBU)

A signaling message sent by the mobile access gateway.
This is the address gateway to where a mobile
node's local mobility anchor for establishing a binding between
the mobile access gateway sends node's MN-HoA and the Proxy-CoA.

Proxy Binding Update messages. When supporting IPv4 traversal,
i.e. when the network between the Acknowledgement (PBA)

A response message sent by a local mobility anchor and the in response to
a Proxy Binding Update message that it received from a mobile
access gateway is an IPv4 network, this address will be an
IPv4 address and will be referred to as IPv4 LMAA. gateway.

3. Proxy Mobile IPv6 Domain (PMIPv6-Domain)

It is Protocol Overview

This specification describes a localized network-based mobility management domain.
protocol. It is called Proxy Mobile IPv6 and is based on Mobile IPv6
[RFC-3775]. This protocol is for providing network-based mobility

Gundavelli, et al. Expires December 20, 2007 [Page 7]

Internet-Draft Proxy Mobile IPv6 June 2007

management support to a mobile node, within a restricted and
topologically localized portion of the access network where and with out requiring
the mobility management participation of a the mobile node
is handled using in any mobility related
signaling.

Every mobile node that roams in a Proxy Mobile IPv6 protocol as defined in this
specification.

Mobile Node's Home Link

This is the link on which domain, would
typically be identified by an identifier, MN-Identifier, and using
that identifier the mobile node node's policy profile can be obtained its initial from
the policy store. The policy profile typically contains the
provisioned network-based mobility service characteristics and other
related parameters such as the mobile node's Identifier, local
mobility anchor address, permitted address configuration after it moved into modes,
roaming policy and other parameters that Proxy Mobile IPv6
domain. This is are essential for providing
the link that conceptually follows network based mobility service.

Once a mobile node enters its Proxy Mobile IPv6 domain and performs
access authentication, the mobile
node. The network will ensure that the mobile node
is always sees this
link with respect to the layer-3 on its home network configuration, and can obtain its home address on any
access link that it attaches to in that proxy mobile IPv6 domain.

Mobile Node's Home Network Prefix (MN-HNP)

This is using any of the on-link address configuration procedures. In
other words, there is a home network prefix that the is assigned to a
mobile node and conceptually that address always sees in follows the mobile
node, where ever it roams within that Proxy Mobile IPv6 domain. The home network prefix is
topologically anchored at the mobile's local mobility anchor. The
mobile node configures its interface with an address from this
prefix. When supporting IPv4 home address mobility, From
the term,
IPv4 Home Network refers to perspective of the mobile node's IPv4 home prefix and
the term, Home Network always refers to node, the entire Proxy Mobile IPv6
domain appears as its home network
prefix. link or a single link.

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 7] 8]

Internet-Draft Proxy Mobile IPv6 April June 2007

Mobile Node Identifier (MN-Identifier)

The identity of the mobile node that is presented to the network
as part of the access authentication. This is typically an
identifier such as Mobile Node NAI [RFC-4283] any other type of
identifier which may be specific to the access technology.

+----+ +----+
|LMA1| |LMA2|
+----+ +----+
LMAA1 -> | | <-- LMAA2
| |
\\ //\\
\\ // \\
\\ // \\
+---\\------------- //------\\----+
( \\ IPv4/IPv6 // \\ )
( \\ Network // \\ )
+------\\--------//------------\\-+
\\ // \\
\\ // \\
\\ // \\
Proxy-CoA1--> | | <-- Proxy-CoA2
+----+ +----+
|MAG1|-----[MN2] |MAG2|
+----+ | +----+
| | |
MN-HoA1 --> | MN-HoA2 | <-- MN-HoA3
[MN1] [MN3]

Figure 1: Proxy Binding Update (PBU)

A signaling message sent by Mobile IPv6 Domain

The Proxy Mobile IPv6 scheme introduces a new function, the mobile
access gateway to a mobile
node's local mobility anchor for establishing gateway. It is a binding between function that is on the access link where
the mobile node's MN-HoA node is anchored and does the mobility related signaling
on its behalf. From the perspective of the Proxy-CoA.

Proxy Binding Acknowledgement (PBA)

A response message sent by a local mobility anchor in response to
a Proxy Binding Update message that it received from a anchor,
the mobile access gateway.

3. Proxy Mobile IPv6 Protocol Overview

This specification describes gateway is a network-based mobility management
protocol. It special element in the network that is called Proxy
authorized to send Mobile IPv6 (PMIPv6) and is based signaling messages on
Mobile IPv6 [RFC-3775]. This protocol is for providing network-based
mobility management support to a mobile node, within a restricted and
topologically localized portion of the network and with out requiring
the participation behalf of the other
mobile node in any mobility related
signaling.

Every nodes.

When the mobile node that roams in a Proxy Mobile IPv6 domain, would
typically be identified by attaches to an identifier, such as MN-Identifier, and
using that identifier access link connected to the
mobile node's policy profile can be
obtained from the policy store. The policy profile typically
contains the provisioned network-based mobility service
characterstics and other related parameters such as access gateway, the mobile node's
home network prefix, permitted address configuration modes, roaming
policy and other parameters that are essential for providing network
based mobility service.

Once node presents its identity, MN-
Identifier, as part of the access authentication procedure. After a mobile node enters its Proxy Mobile IPv6 domain and performs
successful access authentication, the network will ensure mobile access gateway obtains
the mobile node is
always on its node's profile from the policy store. The mobile access
gateway would have all the required information for it to emulate the
mobile node's home network and further ensures on the access link. It sends Router
Advertisement messages to the mobile node can
always obtain its home address on the access link and using any of
advertising the address configuration procedures. In other words, there is mobile node's home network prefix that is assigned for a mobile node and conceptually as the hosted on-
link-prefix.

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 8] 9]

Internet-Draft Proxy Mobile IPv6 April June 2007

The mobile node on receiving these Router Advertisement messages on
the access link will attempt to configure its interface either using
stateful or stateless address configuration modes, based on modes
that are permitted on that access link. At the end of a successful
address always follows configuration procedure, the mobile node would have obtained
an address from its home network prefix. If the mobile node is IPv4
capable and if network offers IPv4 network mobility for the mobile
node, where ever it roams
within the mobile node would have obtained an IPv4 address as well.
The mobile node can be operating in IPv4-only mode, IPv6-only or in
dual-mode and based on the services enabled for that proxy mobile, the
mobility is enabled only for those address types. Also, the network
between the local mobility anchor and the mobile access gateway can
be either IPv4, IPv6 domain. From or a private IPv4 with NAT translation devices.

For updating the perspective local mobility anchor about the current location of
the mobile node, the entire Proxy Mobile IPv6 domain appears as its home
link or mobile access gateway sends a single link.

+----+ +----+
|LMA1| |LMA2|
+----+ +----+
LMAA1---- | | ---- LMAA2
| |
\\ // \\
+--\\------------- //---\\----+
( \\ IPv4/IPv6 // \\ )
( \\ Network // \\ )
+-----\\--------//---------\\-+
\\ // \\
\\ // \\ <--- Tunnel2
\\ // \\
|-- Proxy-CoA1 |-- Proxy-CoA2
+----+ +----+
[MN1].__.|MAG1|.__.[MN2] |MAG2|
+----+ +----+
| |
| |
------------------- [MN5]
| |
[MN3] [MN4]

Figure 1: Proxy Mobile IPv6 Domain Binding
Update message to the mobile node's local mobility anchor. The
message will have the mobile node's NAI identifier option and other
required options. Upon accepting the Proxy Mobile IPv6 scheme introduces Binding Update message,
the local mobility anchor sends a new function, Proxy Binding Acknowledgment
message including the mobile
access gateway. node's home network prefix option. It is
also sets up a function that is on route for the access link where mobile node's home network prefix over
the tunnel to the mobile is anchored access gateway.

The mobile access gateway on receiving this Proxy Binding
Acknowledgment message sets up a bi-directional tunnel to the local
mobility anchor and does adds a default route over the tunnel to the local
mobility related signaling on
behalf of anchor. All traffic from the mobile node. From node gets routed to its
local mobility anchor through the perspective bi-directional tunnel.

At this point, the mobile node has a valid address from its home
network prefix, at the current point of attachment. The serving
mobile access gateway and the local mobility anchor also have proper
routing states for handling the traffic sent to and from the mobile
node using an address from its home network prefix.

The local mobility anchor, being the mobile access gateway is a special element in topological anchor point for the
mobile node's home network prefix, receives any packet that is authorized sent
by any corresponding node to send Mobile IPv6 signaling messages
on behalf of a the mobile node.

When Local mobility anchor
forwards the mobile node attaches to an access link connected received packet to the mobile access gateway, the mobile node presents its identity, MN-
Identifier, as part of the access access authentication procedure.
After a successful access authentication, gateway through the
bi-directional tunnel. The mobile access gateway
obtains on other end of the mobile node's profile from
tunnel, after receiving the policy store, such as from

Gundavelli, et al. Expires October 10, 2007 [Page 9]

Internet-Draft Proxy Mobile IPv6 April 2007

a AAA infrastructure. The mobile access gatway would have all packet, removes the
information for it to emulate outer header and
forwards the mobile node's home network packet on the access link. The mobile access gateway also starts sending periodic
Router Advertisements link to the mobile node advertising its home network
prefix. node.

The mobile node on receiving these Router Advertisement messages access gateway typically acts as a default router on the
access link will attempt to configure its interface either using
statefull or stateless address configuration modes, based on modes
that are permitted on and any packet that access link. At the end of a successful
address configuration procedure, the mobile node would have obtained
an address from its home network prefix. If the mobile sends to any
corresponding node is IPv4
capable and if network offers IPv4 network mobility for the mobile
node, received by the mobile node would have obtained an IPv4 address as well.
The mobile node can be operating in IPv4-only mode, IPv6-only or in
dual-mode access gateway and based on the services enabled for that mobile, it
forwards the packet to its local mobility is enabled only for those address types. Also, the network
between anchor through the bi-

Gundavelli, et al. Expires December 20, 2007 [Page 10]

Internet-Draft Proxy Mobile IPv6 June 2007

directional tunnel. The local mobility anchor on the other end of
the tunnel, after receiving the packet removes the outer header and
routes the packet to the destination.

4. Proxy Mobile IPv6 Protocol Security

The signaling messages, Proxy Binding Update and Proxy Binding
Acknowledgement, exchanged between the mobile access gateway can
be either IPv4, IPv6, IPv4 with NAT translation devices in the access
network.

For updating and the
local mobility anchor about are protected using IPsec and using the current location
established security association between them. The security
association of the specific mobile node, node for which the signaling
message is initiated is not required for protecting these messages.

ESP in transport mode with mandatory integrity protection is used for
protecting the signaling messages. Confidentiality protection is not
required.

IKEv2 is used to setup security associations between the mobile
access gateway sends a and the local mobility anchor to protect the Proxy
Binding Update message to the and Proxy Binding Acknowledgment messages. The mobile node's
access gateway and the local mobility anchor. The
message will have anchor can use any of the
authentication mechanisms, as specified in IKEv2, for mutual
authentication.

Mobile IPv6 specification requires the home agent to prevent a mobile
node from creating security associations or creating binding cache
entries for another mobile node's NAI identifier option and Home
Network Prefix Option and/or IPv4 Home Address option. The source
address of that message will be home address. In the address of protocol
described in this document, the mobile access
gateway on its egress interface. Upon accepting node is not involved in
creating security associations for protecting the Proxy Binding
Update request, signaling messages
or sending binding updates. Therefore, this is not a concern.
However, the local mobility anchor sends a Proxy Binding
Acknowledgment message to the MUST allow only authorized mobile
access gateway. It also sets up
a route to the mobile node's home network prefix over the tunnel and
sends Proxy Binding Acknowledgment message gateways to create binding cache entries on behalf of the
mobile access
gateway. nodes. The mobile access gateway on receiving this Proxy Binding
Acknowledgment message sets up a tunnel to actual mechanism by which the local mobility
anchor
and adds verifies if a default route over the tunnel to the local mobility
anchor. All traffic from the specific mobile node gets routed access gateway is authorized to the
send Proxy Binding Updates on behalf of a mobile
node's local mobility anchor over node is outside the tunnel.

At
scope of this point, the mobile node has document. One possible way this could be achieved is
sending a valid home address from its home
network prefix, at query to the current point of attachment. policy store such as by using AAA
infrastructure.

4.1. Peer Authorization Database Entries

The serving following describes PAD entries on the mobile access gateway and
the local mobility anchor also have proper
routing states for handling anchor. The PAD entries are only example
configurations. Note that the traffic sent to PAD is a logical concept and from the a
particular mobile
node.

The access gateway or a local mobility anchor, being the topological anchor point for
implementation can implement the
mobile node's home network prefix, it receives any packet sent by any PAD in an implementation specific

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 10] 11]

Internet-Draft Proxy Mobile IPv6 April June 2007

corresponding node to the

manner. The PAD state may also be distributed across various
databases in a specific implementation.

mobile node. Local access gateway PAD:
- IF remote_identity = lma_identity_1
Then authenticate (shared secret/certificate/EAP)
and authorize CHILD_SA for remote address lma_addres_1

local mobility anchor
forwards PAD:
- IF remote_identity = mag_identity_1
Then authenticate (shared secret/certificate/EAP)
and authorize CHILD_SAs for remote address mag_address_1

The list of authentication mechanisms in the received packet to above examples is not
exhaustive. There could be other credentials used for authentication
stored in the PAD.

4.2. Security Policy Database Entries

The following describes the security policy entries on the mobile
access gateway through and the
tunnel. local mobility anchor required to protect the
Proxy Mobile IPv6 signaling messages. The SPD entries are only
example configurations. A particular mobile access gateway on other end of the tunnel, after
receiving or a
local mobility anchor implementation could configure different SPD
entries as long as they provide the packet removes required security.

In the tunnel header and forwards examples shown below, the
packet on identity of the mobile access link
gateway is assumed to be mag_1, the address of the mobile node.

The mobile access
gateway typically acts as a default router on the
access link is assumed to be mag_address_1, and any packet that the mobile node sends to any
corresponding node is received by address of the local
mobility anchor is assumed to be lma_address_1.

mobile access gateway and it
forwards the packet SPD-S:
- IF local_address = mag_address_1 &
remote_address = lma_address_1 &
proto = MH & local_mh_type = BU & remote_mh_type = BAck
Then use SA ESP transport mode
Initiate using IDi = mag_1 to the address lma_1

local mobility anchor through SPD-S:
- IF local_address = lma_address_1 &
remote_address = mag_address_1 &
proto = MH & local_mh_type = BAck & remote_mh_type = BU
Then use SA ESP transport mode

Gundavelli, et al. Expires December 20, 2007 [Page 12]

Internet-Draft Proxy Mobile IPv6 June 2007

5. Local Mobility Anchor Operation

For supporting the tunnel. Proxy Mobile IPv6 scheme specified in this
document, the Mobile IPv6 home agent entity, defined in Mobile IPv6
specification [RFC-3775], needs some enhancements. The local
mobility anchor on is an entity that has the other end functional capabilities of
a home agent and with the tunnel, after
receiving additional required capabilities for
supporting Proxy Mobile IPv6 protocol as defined in this
specification. This section describes the packet removes operational details of the tunnel header
local mobility anchor.

The base Mobile IPv6 specification [RFC-3775], defines home agent and routes
the packet
to mobile node as the destination.

4. two functional entities. The Proxy Mobile
IPv6 Protocol Security

The signaling messages, Proxy Binding Update and Proxy Binding
Acknowledgement, exchanged between scheme introduces a new entity, the mobile access gateway and gateway. This
is the entity that will participate in the
local mobility anchor are protected using IPsec and using related
signaling. From the
established security association between them. The security
association perspective of the specific mobile node for which local mobility anchor, the signaling
message is initiated
mobile access gateway is not required for protecting these messages.

ESP a special element in transport mode with mandatory integrity protection is used for
protecting the signaling messages. Confidentiality protection is not
required.

IKEv2 is used network that has
the privileges to setup security associations between send mobility related signaling messages on behalf
of the mobile
access gateway and node. Typically, the local mobility anchor is
provisioned with the list of mobile access gateways authorized to protect
send proxy registrations.

When the local mobility anchor receives a Proxy Binding Update
message from a mobile access gateway, the message is protected using
the IPSec Security Association established between the local mobility
anchor and the mobile access gateway. The local mobility anchor can
distinguish between a Proxy Binding Acknowledgment messages. The Update message received from a
mobile access gateway from a Binding Update message received directly
from a mobile node. This distinction is important for using the
right security association for validating the Binding Update and this
is achieved by relaxing the MUST requirement for having the Home
Address Option presence in Destination Options header and by
introducing a new flag in the Binding Update message. The local
mobility anchor as a traditional IPSec peer can use any of the
authentication mechanisms, as specified SPI in IKEv2, the
IPSec header [RFC-4306] of the received packet for mutual
authentication.

Mobile IPv6 specification requires locating the home agent to prevent a mobile
node from creating
correct security associations or creating binding cache
entries association and for another mobile node's home address. In processing the protocol
described Proxy Binding
Update message in this document, the context of the Proxy Mobile IPv6 scheme.

For protocol simplicity, the current specification supports the Per-
MN-Prefix addressing model. In this addressing model, each mobile
node is not involved allocated an exclusively unique home network prefix. The
local mobility anchor in
creating security associations for protecting the signaling messages
or sending binding updates. Therefore, this model is not just a concern.
However, topological anchor
point for that prefix and the prefix is physically hosted on the
access link where the mobile node is attached. The local mobility
anchor MUST allow only authorized mobile
access gateways is not required to create binding cache entries on behalf of perform any proxy ND operations [RFC-2461]
for defending the mobile nodes. The actual mechanism by which node's home address on the home link.
However, the local mobility anchor verifies if a specific mobile access gateway is authorized required to
send Proxy Binding Updates on behalf manage the binding
cache entry of a the mobile node is outside for managing the
scope of this document. One possible way this could be achieved is mobility session and

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 11] 13]

Internet-Draft Proxy Mobile IPv6 April June 2007

sending a query to

also the policy store such as by using AAA
infrastrucure.

4.1. Peer Authorization Database Entries

The following describes PAD entries on routing state for creating a proper route path for traffic
to/from the mobile access gateway and
the node.

5.1. Extensions to Binding Cache Conceptual Data Structure

The local mobility anchor. The PAD entries are only example
configurations. Note that the PAD is a logical concept and anchor maintains a
particular Binding Cache entry for each
currently registered mobile access gateway or node. Binding Cache is a local mobility anchor
implementation can implement the PAD conceptual data
structure, described in an implementation specific
manner. The PAD state may also Section 9.1 of [RFC-3775]. For supporting
this specification, the conceptual Binding Cache entry needs to be distributed across various
databases in
extended with the following additional fields.

o A flag indicating whether or not this Binding Cache entry is
created due to a specific implementation.

mobile access gateway PAD:
- IF remote_identity = lma_identity_1
Then authenticate (shared secret/certificate/EAP)
and authorize CHILD_SA proxy registration. This flag is enabled for remote address lma_addres_1

local mobility anchor PAD:
- IF remote_identity = mag_identity_1
Then authenticate (shared secret/certificate/EAP)
Binding Cache entries that are proxy registrations and authorize CHILD_SAs is turned
off for remote address mag_address_1 all other entries that are direct registrations from the
mobile node.

o The list identifier of authentication mechanisms in the above examples mobile node, MN-Identifier. This MN-
Identifier is not
exhaustive. There could be other credentials used for authentication
stored obtained from the NAI Option present in the PAD.

4.2. Security Policy Database Entries

The following describes Proxy
Binding Update request [RFC-4285].

o A flag indicating whether or not the security policy entries Binding Cache entry has a
home address that is on virtual interface. This flag is enabled,
if the home prefix of the mobile
access gateway and node is configured on a virtual
interface. When the local mobility anchor configured home prefix of a mobile is on a
virtual interface, the home agent is not required to protect function as a
Neighbor Discovery proxy for the
Proxy Mobile mobile node.

o The IPv6 signaling messages. home network prefix of the mobile node.

o The SPD entries are only
example configurations. A particular IPv6 home network prefix length of the mobile access gateway or a node.

o The interface id of the bi-directional tunnel between the local
mobility anchor implementation could configure different SPD
entries as long as they provide the required security.

In the examples shown below, the identity of and the mobile access gateway is assumed to be mag_1, used for sending and
receiving the address of mobile node's traffic.

5.2. Bi-Directional Tunnel Management

The bi-directional tunnel between the local mobility anchor and the
mobile access gateway is assumed used for routing the traffic to be mag_address_1, and from the
mobile node. The tunnel hides the topology and enables a mobile node
to use an IP address of that is topologically anchored at the local
mobility anchor is assumed anchor, from any attached access link in that proxy mobile
IPv6 domain. The base Mobile IPv6 specification [RFC-3775], does use
the tunneling scheme for routing traffic to be lma_address_1. and from the mobile that
is using its home address. However, there are subtle differences in
the way Proxy Mobile IPv6 uses the tunneling scheme.

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 12] 14]

Internet-Draft Proxy Mobile IPv6 April June 2007

mobile access gateway SPD-S:
- IF local_address = mag_address_1 &
remote_address = lma_address_1 &
proto = MH & local_mh_type = BU & remote_mh_type = BAck
Then use SA ESP transport mode
Initiate using IDi = mag_1 to address lma_1

local mobility anchor SPD-S:
- IF local_address = lma_address_1 &
remote_address = mag_address_1 &
proto = MH & local_mh_type = BAck & remote_mh_type = BU
Then use SA ESP transport mode

5. Local Mobility Anchor Operation

For supporting the Proxy Mobile IPv6 scheme defined in this document,
the Mobile IPv6 home agent entity, defined

As in Mobile IPv6
specification [RFC-3775], needs some protocol enhancements. The IPv4 [RFC-3344], the tunnel between the local mobility
anchor is and the functional entity with these
capabilities mobile access gateway is typically a shared tunnel and
can be used for supporting Proxy Mobile IPv6. routing traffic streams for different mobile nodes
attached to the same mobile access gateway. This section
describes specification
extends that 1:1 relation between a tunnel and a binding cache entry
to 1:m relation, reflecting the operational details shared nature of the local mobility anchor. tunnel.

The base Mobile IPv6 specification [RFC-3775], defines home agent and
the tunnel is creating after accepting a Proxy Binding Update message
for a mobile node as the two functional entities. The Proxy Mobile
IPv6 scheme introduces from a new entity, the mobile access gateway. This
is The created tunnel
may be shared with other mobile nodes attached to the entity that will participate in same mobile
access gateway and with the local mobility related
signaling. From anchor having a binding
cache entry for those mobile nodes. Some implementations may prefer
to use static tunnels as supposed to creating and tearing them down
on a need basis.

The one end point of the perspective tunnel is the address configured on the
interface of the local mobility anchor, LMAA. The other end point of
the tunnel is the address configured on the interface of the mobile
access gateway gateway, Proxy-CoA. The details related to the supported
encapsulation modes and transport protocols is a special element covered in detail in
Section 6.10.2.

Implementations typically use a software timer for managing the network
tunnel lifetime and a counter for keeping a count of all the mobiles
that has are sharing the privileges tunnel. The timer value will be set to send mobility related signaling messages on behalf
of the
accepted binding life-time and will be updated after each periodic
registrations for extending the lifetime. If the tunnel is shared
for multiple mobile node's traffic, the tunnel lifetime will be set
to the highest binding life time across all the binding life time
that is granted for all the mobiles sharing that tunnel.

5.3. Routing Considerations

This section describes how the data traffic to/from the mobile node. Typically, node
is handled at the local mobility anchor is
provisioned with the list of mobile access gateways authorized to
send proxy registrations. anchor.

When the a local mobility anchor receives a Proxy Binding Update
message from is serving a mobile access gateway, the message node, it MUST
attempt to intercept packets that are sent to any address that is protected using
the IPSec Security Association established between the local mobility
anchor and in
the mobile access gateway. node's home network prefix address range. The local
mobility anchor can
distinguish between a Proxy Binding Update message received from a
mobile access gateway from a Binding Update message received directly
from MUST advertise a mobile node. This distinction is important for using connected route in to the
right security association Routing
Infrastructure for validating the Binding Update and this
is achieved by relaxing the MUST requirement that mobile node's home network prefix or for having the Home
Address Option presence in Destination Options header and by
introducing an
aggregated prefix with a new flag larger scope. This essentially enables
routers in the Binding Update message. The IPv6 network to detect the local mobility anchor as a traditional IPSec peer can use
the SPI in last-hop router for that prefix.

When forwarding any packets that have the
IPSec header [RFC-4306] of destination address
matching the mobile node's home network prefix, the local mobility
anchor MUST encapsulate the received packet for locating with the outer IPv6 header, as

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 13] 15]

Internet-Draft Proxy Mobile IPv6 April June 2007

correct security association and for processing the Proxy Binding
Update message

specified in Generic Packet Tunneling in the context of the Proxy Mobile IPv6 scheme.

For protocol simplicity, the current specification supports the Per-
MN-Prefix addressing model. In this addressing model, each mobile
node [RFC-
2473]. If the negotiated encapsulation header is allocated an exclusively unique home network prefix either IPv6-over-
IPv4 or IPv6-over-IPv4-UDP, as specified in the companion document,
IPv4 support for Proxy Mobile IP6 [ID-Pv4-PMIP6], the packet must be
encapsulated and routed as specified in that specification.

All the
prefix is not hosted on reverse tunneled packets that the home link. The local mobility anchor
receives from the tunnel, after removing the outer header MUST be
routed to the destination specified in
this addressing model is just a topological anchor point and the
prefix is physically hosted on inner packet header.
These routed packets will have the access link where source address field set to the
address from the mobile node's home network prefix.

5.4. Local Mobility Anchor Address Discovery

Dynamic Home Agent Address Discovery, as explained in Section 10.5 of
[RFC-3775], allows a mobile node
is attached. The local mobility anchor is not required to perform
any proxy ND operations [RFC-2461] for defending discover all the mobile node's home address, MN-HoA, agents on
its home link by sending an ICMP Home Agent Address Discovery Request
message to the Mobile IPv6 Home-Agents anycast address, derived from
its home link. However, network prefix.

In Proxy Mobile IPv6, the address of the local mobility anchor is required
configured to manage serve a mobile node can be discovered by the binding cache mobility
entities in one or more ways. This MAY be a configured entry of in the
mobile
node for managing node's policy profile, or it MAY be obtained through
mechanisms outside the mobility session and also scope of this document. It is important to
note that there is little value in using DHAAD message in the routing state for
creating a proper route path current
form for traffic to/from discovering the mobile node.

5.1. Extensions to Binding Cache Conceptual Data Structure

The local mobility anchor maintains address dynamically.
As a Binding Cache entry for each
currently registered mobile node. Binding Cache is a conceptual data
structure, described in Section 9.1 of [RFC3775]. For supporting
this specification, the conceptual Binding Cache entry needs node moves from one mobile access gateway to be
extended with the following new fields.

o A flag indicating whether or another,
the serving mobile access gateway will not this Binding Cache entry is
created due predictably be able to a proxy registration. This flag is enabled
locate the serving local mobility anchor for
Binding Cache entries that are proxy registrations and is turned
off for all other entries mobile that are direct registrations from has its
binding cache entry for the mobile node.

o A flag indicating if IPv6 HoA mobility is accepted. If Hence, this flag
is set, the relevant specification
does not support Dynamic Home Agent Address Discovery protocol.

5.5. Sequence Number and Time-Stamps for Message Ordering

Mobile IPv6 HoA fields [RFC-3775] uses the Sequence Number field in this data structure have
to be set registration
messages as a way to ensure the configured values. If this flag.

o correct packet ordering. The identifier of local
mobility anchor and the mobile node, MN-Identifier. This MN-
Identifier is obtained from the NAI Option present in the Proxy
Binding Update request [RFC-4285].

o A flag indicating whether or not the Binding Cache entry has a
home address that is on virtual interface. This flag is enabled,
if node are required to manage this
counter over the home prefix lifetime of the mobile is configured on a virtual
interface. When binding.

In Proxy Mobile IPv6, the configured home prefix Proxy Binding Update messages that the
local mobility anchor receives on behalf of a specific mobile is on a
virtual interface, node
may not be from the home agent is same mobile access gateway as the previously
received message. It creates certain ambiguity and the local
mobility anchor will not required be predictably order the messages. This
could lead to function as the local mobility anchor processing an older message
from a
Neighbor Discovery proxy for mobile access gateway where the mobile node. node was previously
attached, while ignoring the latest binding update message.

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 14] 16]

Internet-Draft Proxy Mobile IPv6 April June 2007

o The IPv6 home network prefix of

In the mobile node.

o The IPv6 home network prefix length of Proxy Mobile IPv6, the mobile node.

o The interface id ordering of packets has to be
established across packets received from multiple senders. The
sequence number scheme as specified in [RFC-3775] will not be
sufficient. A global scale, such as a time stamp, can be used to
ensure the tunnel between correct ordering of the local mobility anchor
and packets. This document proposes
the use of a Time Stamp Option, specified in Section 8.4, in all
Proxy Binding Update messages sent by mobile access gateway used for sending and receiving gateways. By
leveraging the
mobile node's traffic.

o Tentative binding cache entry with NTP [RFC-1305] service, all the above fields. This
entry is populated upon tentatively accepting a proxy binding
update request for a mobile node whose direct registration still
exists, i.e. the mobile has not deregistered and it received a
proxy binding update request.

5.2. Bi-Directional Tunnel Management

The bi-directional tunnel between entities in Proxy
Mobile IPv6 domain will be able to synchronize their respective
clocks. Having a time stamp option in Proxy Binding Update messages
will enable the local mobility anchor and the
mobile access gateway is used for routing the traffic to and from predictably identify the
mobile node.
latest message from a list of messages delivered in an out-of-order
fashion.

The tunnel hides Proxy Mobile IPv6 model, defined in this document requires the
Proxy Binding Update messages sent by the topology and enables a mobile node access gateway to use an IP address that is topologically anchored at
have the Time Stamp option. The local mobility anchor, from any attached access link in that anchor processing a
proxy mobile
IPv6 domain. The base Mobile IPv6 specification [RFC-3775], does use registration MUST ignore the tunneling scheme for routing traffic to sequence number field and from the mobile that
is using its home address. However, there are subtle differences in MUST the way Proxy Mobile IPv6 uses
value from the tunneling scheme.

As in Mobile IPv4 [RFC-3344], Time Stamp option to establish ordering of the tunnel between
received Binding Update messages. If the local mobility anchor and the mobile access gateway is typically
receives a shared tunnel and
can be used for routing traffic streams for different mobile nodes
attached to Proxy Binding Update message with an invalid Time Stamp
Option, the same mobile access gateway. This specification
extends that 1:1 relation between a tunnel Proxy Binding Update MUST be rejected and a binding cache entry
to 1:m relation, reflecting the shared nature of Proxy Binding
Acknowledgement MUST be returned in which the tunnel.

The tunnel Status field is creating after accepting a set to
148 (invalid time stamp option).

In the absence of Time Stamp option in the Proxy Binding Update request
for a mobile node from a mobile access gateway. The created tunnel
may be shared with other mobile nodes attached Update, the
entities can fall back to Sequence Number scheme for message
ordering, as defined in RFC-3775. However, the same specifics on how
different mobile access gateway and with gateways synchronize the sequence number is
outside the scope of this document.

When using the Time Stamp Option, the local mobility anchor having a binding
cache entry for those or the
mobile nodes. Some implementations may prefer
to use static tunnels as supposed access gateway MUST set the timestamp field to creating and tearing them down
on a need basis. 64-bit value
formatted as specified by the Network Time Protocol [RFC-1305]. The one end point
low-order 32 bits of the tunnel is the NTP format represent fractional seconds, and
those bits which are not available from a time source SHOULD be
generated from a good source of randomness.

5.6. Route Optimizations Considerations

Mobile IPv6 route optimization, as defined in [RFC-3775], enables a
mobile node to communicate with a corresponding node directly using
its care-of address configured on and further the
interface of Return Routability procedure
enables the local mobility anchor, LMAA. The other end point of corresponding node to have reasonable trust that the tunnel is
mobile node owns both the home address configured on and care-of address.

In the interface of Proxy Mobile IPv6 model, the mobile
access gateway, Proxy-CoA. The tunnel encapsulation mode can be
either IPv6/IPv6, IPv6/IPv4, IPv6/IPv4-UDP, IPv4/IPv6, IPv4/IPv4-UDP,
based on the transport mode is not involved in any
mobility related signaling and also it does not operate in the presence of NAT translation dual-

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 15] 17]

Internet-Draft Proxy Mobile IPv6 April June 2007

devices on

address mode. Hence, the path.

Implementations typically use a software timer return routability procedure as defined in
RFC-3775 is not applicable for managing the
tunnel lifetime proxy model.

5.7. Mobile Prefix Discovery Considerations

The ICMP Mobile Prefix Advertisement message, described in Section
6.8 and Section 11.4.3 of [RFC-3775], allows a counter for keeping home agent to send a count of all
Mobile Prefix Advertisement to the mobiles
that are sharing mobile node.

In Proxy Mobile IPv6, the tunnel. The timer value will be set to mobile node's home network prefix is hosted
on the
accepted binding life-time and will be updated after each periodic
registrations for extending access link connected to the lifetime. If mobile access gateway. but
topologically anchored on the tunnel local mobility anchor. Since, there is shared
no physical home-link for multiple the mobile node's traffic, the tunnel lifetime will be set
to home network prefix on
the highest binding life time across all local mobility anchor and as the binding life time
that mobile is granted for all always on the mobiles sharing that tunnel.

5.3. Routing Considerations

This section describes how link
where the data traffic to/from prefix is hosted, any prefix change messages can just be
advertised by the mobile node access gateway on the access link and thus
there is handled at no applicability of this message for Proxy Mobile IPv6.
This specification does not use Mobile Prefix Discovery.

5.8. Signaling Considerations

5.8.1. Initial Proxy Binding Registration

Upon receiving a Proxy Binding Update message from a mobile access
gateway on behalf of mobile node, the local mobility anchor. The following entries
explains anchor MUST
process the request as defined in Section 10, of the routing state base Mobile IPv6
specification [RFC-3775], with one exception that this request is created for a
proxy request, the sender is not the mobile node home
network prefix.

IPv6 traffic for and so the Mobile Node's home address:
================================================
MN-HoA::/64 via tunnel0, next-hop Proxy-CoA

tunnel0:
========
Source: LMAA
Destination: Proxy-CoA
Tunnel Transport: IPv6
Tunnel Payload: IPv6 message
has to be processed with the considerations explained in this
section.

The local mobility anchor functions MUST apply the required policy checks, as a topological anchor point for
explained in Section 4.0 of this document to verify the sender is a
trusted mobile node's home network prefix. When the access gateway, authorized to send Proxy Binding
Updates requests on behalf of that mobile nodes, using its own
identity. The local mobility anchor receives a data packet from a corresponding node, destined for
the mobile node's home network prefix, the created routing state will
enable must check the packets to be forwarded local/remote
policy store to ensure the mobile requesting node through is authorized to send
Proxy Binding Update messages.

The local mobility anchor MUST use the bi-
directional tunnel established between itself and MN-Identifier from the serving mobile
access gateway.

If NAI
option of the tunnel between Proxy Binding Update message for identifying the mobile
node.

The local mobility anchor and MUST ignore the mobile access
gateway is an IPv6 tunnel, i.e. sequence number field in
the Proxy Binding Updates requests, if the registered care-of address Time-Stamp Option is
present in the IPv6 Proxy-CoA, any IPv6 packets received from any corresponding
node for message. It must also skip all the mobile node's home network prefix, MN-HNP, will be
encapsulated in an IPv6 packet, IPv6/IPv6 mode, and will be carried
as an IPv6 packet. And any IPv4 packets for checks related to
sequence number that are required as per the mobile node's IPv4-
MN-HoA, will be encapsulated in an Mobile IPv6 packet, IPv4/IPv6 mode, and
specification [RFC-3775]. However, the received sequence number MUST

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 16] 18]

Internet-Draft Proxy Mobile IPv6 April June 2007

will

be carried as an IPv6 packet.

All copied and returned in the reverse tunneled packets that Proxy Binding Acknowledgement message
sent to the mobile access gateway.

The local mobility anchor
receives from the tunnel, after removing the packet encapsulation
will get routed to the destination specified in the inner packet
header. These routed packets will have the source address field set
to before accepting a Proxy Binding Update
request containing the mobile node's home address.

5.4. Local Mobility Anchor Address Discovery

Dynamic Home Agent Address Discovery, as explained in Section 10.5 of
[RFC-3775], allows Network Prefix Option with a mobile node to discover all specific
prefix, MUST ensure the home agents on
its home link prefix is owned by sending an ICMP Home Agent Address Discovery Request
message to the Mobile IPv6 Home-Agents anycast address, derived from
its home network prefix.

The Proxy Mobile IPv6 model assumes that local mobility anchor
and further the mobile access gateway
will be able node is authorized to obtain use that prefix. If the address of
Home Network Prefix Option has the value 0::/0, the local mobility
anchor in
one or more ways. This MAY be MUST allocate a configured entry in prefix for the mobile
node's policy profile, or it MAY be obtained through mechanisms
outside node and send a Proxy
Binding Acknowledgement message with the scope of this document. It is important to note that
there is little value in using DHAAD for discovering Home Network Prefix Option
containing the allocated value. The specific details on how the
local mobility anchor address dynamically. As a mobile moves from one
mobile access gateway to allocates the another, home network prefix is outside
the serving scope of this document.

Upon accepting a Proxy Binding Update request from a mobile access
gateway will not predictably be able to locate
gateway, the serving local mobility anchor for that mobile that has its must check if there exists a
binding cache entry for that mobile node, identified using the MN-
Identifier, that was created due to a direct registration from the
mobile node. However, if If there is only one exists a binding cache entry with the proxy
registration flag turned off, the local mobility anchor
configured to serve MUST NOT
modify that binding state, instead it must create a mobile node, tentative binding
cache entry and update the tentative binding cache entry fields of
that binding cache entry.

Upon receiving a Binding Update request from a mobile node with
lifetime value set to 0, from a tunnel between itself and a trusted
mobile access gateway can use
Dynamic Home Agent Address Discovery scheme for discovering the
address of gateway, the local mobility anchor.

With anchor upon accepting that
de-registration message, MUST forward the Binding Acknowledgement
message in the tunnel from where it received the Binding Update
request. It must also replace the binding cache entry with the
tentative binding cache entry and enable routing for the currently supported Per-MN-Prefix addressing model, every mobile node is assigned a unique
node's home network prefix, prefix through the proxy mobile IPv6 tunnel.

Upon accepting this Proxy Binding Update message, the local mobility
anchor is must create a topological anchor point for that prefix Binding Cache entry and
with the prefix being hosted on the access link attached must set up a tunnel to
the mobile access gateway. For gateway serving the discovery scheme to work, mobile node. This bi-
directional tunnel between the local mobility anchor MUST be able to receive the ICMP discovery packets
sent to the anycast address derived from and the mobile node's home
network prefix.

5.5. Sequence Number and Time-Stamps
access gateway is used for Message Ordering

Mobile IPv6 [RFC-3775] uses the Sequence Number field in registration
messages as a way to ensure routing the correct packet ordering. mobile node's traffic.

The local Proxy Binding Acknowledgment message must be constructed as shown
below.

IPv6 header (src=LMAA, dst=Proxy-CoA)
Mobility header
-BA /*P flag is set*/
Mobility Options
- Home Network Prefix Option

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 17] 19]

Internet-Draft Proxy Mobile IPv6 April June 2007

mobility anchor and the mobile node are required to manage this
counter over

- TimeStamp Option (optional)
- NAI Option

Proxy Binding Acknowledgment message contents

5.8.2. Extending the binding lifetime of a binding.

In Proxy Mobile IPv6,

Upon accepting the Proxy Binding Update messages that request for extending the
local mobility anchor receives on behalf
lifetime of a specific mobile node
may not be from the same mobile access gateway as the previously
received message. It creates certain ambiguity and the local
mobility anchor will not be predictably order the messages. This
could lead to currently active binding, the local mobility anchor processing an older message
from a mobile access gateway where the mobile node was previously
attached, while ignoring the latest binding update message.

In the Proxy Mobile IPv6, the ordering of packets has to be
established accross packets received from multiple senders. The
sequence number scheme as specified in [RFC-3775] will not be
sufficient. A global scale, such as a time stamp, can be used to
ensure the correct ordering of the packets. This document proposes
MUST update the use of lifetime for that binding and send a Time Stamp Option, specified in Section 8.4, in all Proxy Binding Update messages sent by
Acknowledgment message to the mobile access gateways. By
leveraging the NTP [RFC-1305] service, all the entities in gateway. The Proxy
Mobile IPv6 domain will
Binding Acknowledgment message MUST be able to synchronize their respective
clocks. Having a time stamp option constructed as specified in
Section 5.8.1.

5.8.3. De-registration of the binding

Upon accepting the Proxy Binding Update messages
will enable request sent with the
lifetime value of zero, the local mobility anchor to predictably identify MUST delete the
latest message
binding from its Binding Cache and MUST send a list of messages delivered in an out-of-order
fashion.

The Proxy Mobile IP model, defined in this document requires the Binding Update messages sent by
Acknowledgment message to the mobile access gateway to have the
time stamp option. gateway. The message
MUST be constructed as specified in Section 6.9.1.

The local mobility anchor processing a proxy
registration MUST ignore the sequence number field and SHOULD use the
value from also remove the Time Stamp option to establish ordering of prefix route over the
received Binding Update messages. If
tunnel for that mobile node's home network prefix.

5.9. Local Mobility Anchor Operational Summary

o For supporting this scheme, the local mobility anchor
receives a Binding Update message with an invalid Time Stamp Option,
the Binding Update MUST be rejected and a Binding Acknowledgement MUST be returned in which the Status field is set to 148 (invalid
time stamp option).

In satisfy
all the absence of Time Stamp option requirements listed in Section 8.4 of Mobile IPv6
specification [RFC-3775] with the Proxy Binding Update, the
entities can fall back to Sequence Number scheme for message
ordering, following considerations.

o For supporting the per-MN-Prefix addressing model as defined in RFC-3775. However,
this specification, the specifics local mobility anchor service MUST NOT be
tied to a specific interface. It SHOULD be able to accept Proxy
Binding Update requests sent to any of the addresses configured on how
different
any of its interfaces.

o The requirement for a home agent to maintain a list of home agents
for a mobile access gateways synchronize the sequence number node's home link is
outside the scope of this document.

When using not applicable for the Time Stamp Option, local
mobility anchor, when supporting Per-MN-Prefix addressing model.

o The local mobility anchors SHOULD drop all HoTI messages received
for a home address that has corresponding Binding Cache entry with
the proxy registration flag set.

o The local mobility anchor or must handle the mobile access gateway MUST set the the timestamp field to a 64-bit
value formatted node's data
traffic as specified by explained in the Network Time Protocol [RFC-1305].
The low-order 32 bits Routing Considerations section of the NTP format represent fractional seconds,
and those bits which are not available from a time source SHOULD be this

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 18] 20]

Internet-Draft Proxy Mobile IPv6 April June 2007

generated from a good source of randomness.

5.6. Route Optimizations Considerations

document.

6. Mobile Access Gateway Operation

The Proxy Mobile IPv6 route optimization, as defined scheme specified in [RFC-3775], enables this document, introduces a
new functional entity, the Mobile Access Gateway (MAG). It is the
entity that detects the mobile node to communicate with a corresponding node directly using
its care-of address node's movements and further initiates the Return Routability procedure
enables
signaling with the corresponding node mobile node's local mobility anchor for updating
the route to have reasonable trust that the mobile node owns both the node's home address and care-of address. In essence, the Proxy Mobile IPv6 model, mobile
access gateway performs mobility management on behalf of the mobile
node.

From the perspective of the local mobility anchor, the mobile access
gateway is not involved a special element in any
mobility related the network that sends Mobile IPv6
signaling and also it does not operate in messages on behalf of a mobile node, but using its own
identity. It is the dual- entity that binds the mobile node's home address mode. Hence,
to an address on its own access interface.

The mobile access gateway has the return routability procedure as defined in
RFC-3775 is not applicable following functional roles.

o Responsible for detecting the proxy model. This document does
not address mobile node's attachment or
detachment on the Route Optimization problem connected access link and leaves this work item for future enhancements.

5.7. Mobile Prefix Discovery Considerations

The ICMP Mobile Prefix Advertisement message, described in Section
6.8 and Section 11.4.3 initiating the
mobility signaling with the mobile node's local mobility anchor.

o Emulation of [RFC-3775], allows a home agent to send a
Mobile Prefix Advertisement to the mobile node.

In Proxy Mobile IPv6 deployments, node's home link on the access link.

o Registering the binding state at the mobile node's local mobility
anchor.

o Responsible for setting up the data path for enabling the mobile
node to use an address from its home network prefix and use it
from the access link.

The mobile access gateway is hosted a function that typically runs on an
access router. However, implementations MAY choose to split this
function and run it across multiple systems. The specifics on how
that is achieved is beyond the scope of this document.

6.1. Supported Access Link Types

This specification supports only point-to-point access link shared types and
thus it assumes that the link between the mobile access
gateway node and the mobile node, but topologically anchored on the local
mobility anchor. Since, there
access gateway is no physical home-link for a dedicated link and that the mobile node's home network prefix on the local mobility anchor node and as the
mobile is always access gateway are the only two nodes present on that link.
The assumed properties for the point-to-point link where the prefix is hosted, any
prefix change messages can type are just be advertised as
assumed by the mobile access
gateway on the access Neighbor Discovery specification [RFC-2461] for that
link type. The link and thus there is no applicability of this
messaging for Proxy Mobile IPv6. This specification does not support
Mobile Prefix Discovery.

5.8. Local Mobility Anchor Operational Summary

o For supporting this scheme, the local mobility anchor MUST satisfy
all the requirements listed in Section 8.4 of Mobile IPv6
specification [RFC-3775] with the following considerations.

o For supporting the per-MN-Prefix addressing model as defined in
this specification, the local mobility anchor service MUST NOT be
tied to a specific interface. It SHOULD be able to accept Proxy
Binding Update requests sent assumed to any of have multicast capability and the addresses configured on
any of its interfaces.

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 19] 21]

Internet-Draft Proxy Mobile IPv6 April June 2007

o The requirement for a home agent

interfaces connecting to maintain the link can be configured with a link-local
address.

Support for shared links or other link types is left for the future
work.

6.2. Supported Home Network Prefix Models

This specification supports Per-MN-Prefix model and does not support
Shared-Prefix model. As per the Per-MN-Prefix model, there will be a list of
unique home agents network prefix assigned for a each mobile node's home link node and no other
host shares an address from that prefix. The prefix is not applicable for always hosted
on the local
mobility anchor, when supporting Per-MN-Prefix addressing model as
there is no access link specific relation between where the two.

o After receiving a Proxy Binding Update request from a mobile
access gateway on behalf of mobile node, node is anchored. Conceptually,
the local mobility anchor
MUST process prefix follows the request mobile node as defined in Section 10, of it moves within the base
Mobile IPv6 specification [RFC-3775], with one exception that this
request is a proxy request, the sender is not the
mobile node and
so IPv6 domain. However, from the message has to be processed with routing perspective, the home
network prefix is topologically anchored on the considerations
explained in this section.

o The local mobility anchor MUST apply the required policy checks,
as explained
anchor.

6.3. Supported Address Configuration Models

A mobile node in Section 4.0 of this document to verify the sender
is a a trusted mobile access gateway, authorized to send proxy
binding updates requests on behalf of that mobile nodes, using IPv6 domain can configure one or
more IPv6 addresses on its
own identity. interface using Stateless or Stateful
address autoconfiguration procedures. The local mobility anchor must check the local/
remote policy store to ensure Router Advertisement
messages sent on the requesting node is authorized to
send proxy binding update requests.

o Upon accepting a proxy binding update request from a mobile access
gateway, link, specify the local mobility anchor must check if there exists a
binding cache entry address configuration
methods permitted on that access link for that mobile node, identified using node. The
exact semantics of the MN-
Identifier, flags that was created due to a direct registration from are enabled, the
mobile node. If there exists a binding cache entry with options that are
carried in these advertisement messages is as per the proxy
registration flag turned off, Neighbor
Discovery specification [RFC-2461]. However, the local mobility anchor MUST NOT
modify that binding state, instead it must create a tentative
binding cache entry and update advertised flags
with respect the tentative binding cache entry
fields address configuration will be consistent for a
mobile node, on any of the access links in that binding cache entry.

o Upon receiving a Binding Update request from a proxy mobile node with
lifetime value set to 0, from a tunnel between itself and IPv6
domain. Typically, these configuration settings will be based on the
domain wide policy or based on a
trusted policy specific to each mobile access gateway, the local mobility anchor upon
accepting node.
This specification requires that de-registration message, MUST forward all the Binding
Acknowledgement message mobile access gateways in a
given proxy mobile IPv6 domain MUST ensure that the tunnel from where it received the
Binding Update request. It must also replace permitted address
configuration procedures or the binding cache
entry with address configuration parameters that
are sent in the tentative binding cache entry and enable routing Router Advertisements are consistent for the a mobile node's home prefix through
node when attached to on any of the access links in the proxy mobile
IPv6
tunnel.

o The local mobility anchor MUST use the MN-Identifier present in
the NAI option of domain.

When stateless address autoconfiguration is supported on the Proxy Binding Update request for identifying link,
the mobile node.

o The local mobility anchor MUST ensure node can generate one or more IPv6 addresses by combining
the network prefix presented in advertised on the
Home Network Prefix option of access link with an interface
identifier, using the received Proxy Binding Update
request techniques described in Stateless
Autoconfiguration specification [RFC-2462] or in Privacy extension
specification [RFC-3041].

When stateful address autoconfiguration is owned by itself and further supported on the link, the
mobile node identified obtains the address configuration from the DHCPv6 server

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 20] 22]

Internet-Draft Proxy Mobile IPv6 April June 2007

by MN-Identifier is authorized to use this prefix.

o The local mobility anchor MUST ignore the sequence number field

using DHCPv6 client protocol, as specified in DHCPv6 specification
[RFC-3315].

In addition to this, other address configuration mechanisms specific
to the Proxy Binding Updates requests, if access link between the Time-Stamp Option is
present in mobile node and the message. It must mobile access
gateway may also skip all be used for pushing the checks related address configuration to sequence number as suggested in the
mobile node.

6.4. Access Authentication & Mobile IPv6 specification
[RFC-3775]. However, the received sequence number MUST be copied
and returned in the Proxy Binding Acknowledgement sent Node Identification

When a mobile node attaches to an access link connected to the mobile
access gateway.

o Upon accepting this request, gateway, the local deployed access security protocols on that link
will ensure that the network-based mobility anchor must create
a Binding Cache entry with management service is
offered only after authenticating and authorizing the home address from mobile node for
that service. The exact specifics on how this is achieved or the Home Network
Prefix Option in
interactions between the Binding Update mobile access gateway and must set up a tunnel to the proxy mobile agent serving access
security service is outside the mobile node. scope of this document. This bi-
directional tunnel between
specification goes with the local mobility anchor stated assumption of having an
established trust and a secured communication link between the mobile
node and mobile access gateway is used for routing gateway, before the mobile traffic.

o protocol operation begins.
The local mobility anchors SHOULD drop all HoTI messages received
for a home address specification also requires that has corresponding Binding Cache entry with the proxy registration flag set.

o The local mobility anchor must handle mobile access gateway MUST
be able to identify the mobile node's data
traffic as explained in node by its MN-Identifier and it must
also be able to associate this identity to the Routing Considerations section sender of this
document.

6. Mobile Access Gateway Operation

The Proxy Mobile any IPv4 or
IPv6 scheme specified in this document, introduces a
new functional entity, the Mobile Access Gateway (MAG). It is packets on the
entity that detects access link. The mobile access gateway MUST also
be able to obtain the mobile node's movements and initiates the
signaling with policy profile using the MN-
Identifier.

6.5. Mobile Node's Policy Profile

A mobile node's local mobility anchor for updating policy profile contains the route to essential operational
parameters that are required by the network entities for managing the
mobile node's home address. In essence, mobility service. These policy profiles are stored in
a local or a remote policy store, the mobile access gateway performs mobility management on behalf of the mobile
node.

From the perspective of and the
local mobility anchor, the anchor MUST be able to obtain a mobile node's policy
profile using its MN-Identifier. The policy profile may also be
handed over to a serving mobile access gateway is as part of a special element in the network that sends Mobile IPv6
signaling messages context
transfer procedure during a handoff. The exact details on behalf how this
achieved is outside the scope of this document. However, this
specification requires that a mobile node, but using access gateway serving a mobile
node MUST have access to its own
identity. It is policy profile.

The following are the entity that binds mandatory fields of the policy profile:

o The mobile node's home address
to an address on its own access interface. identifier (MN-Identifier)

o The mobile access gateway has IPv6 address of the following functional roles. local mobility anchor (LMAA)

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 21] 23]

Internet-Draft Proxy Mobile IPv6 April June 2007

o It is responsible for detecting the mobile node's attachment or
detachment Supported address configuration procedures on the connected access link and for initiating (Stateful,
Stateless or both)

The following are the
mobility signaling to optional fields of the policy profile:

o The mobile node's local mobility anchor. IPv6 home network prefix (MN-HoA)

o Emulation of the The mobile node's IPv6 home link on the network prefix length

6.6. Conceptual Data Structures

Every mobile access link.

o It is responsible gateway MUST maintain a Binding Update List for setting up
each currently attached mobile node. The Binding Update List is a
conceptual data structure, described in Section 11.1 of Mobile IPv6
base specification [RFC-3775]. For supporting this specification,
the conceptual Binding Update List data path for enabling structure must be extended
with the following new additional fields.

o The Identifier of the mobile node to use its node, MN-Identifier.

o The MAC address of the mobile node's connected interface.

o The IPv6 home address for communication from network prefix of the
access link.

This Proxy Mobile mobile node.

o The IPv6 scheme is independent home network prefix length of the underlying access
technology or mobile node.

o The interface identifier of the point-to-point link model. to the mobile
node.

o The interface identifier of the tunnel between the mobile node access
gateway and the mobile node's local mobility anchor.

6.7. Home Network Emulation

One of the key functions of a mobile access gateway can be either:

o Point-to-Point Link

o Shared Link

This specification does not support split links.

6.1. Address Configuration Models

Currently, this specification only supports Per-MN-Prefix model In
the Per-MN-Prefix model, there is a unique to emulate the
mobile node's home network prefix
assigned for each mobile node and that prefix is hosted on the access link. Conceptually, the prefix just follows It must
ensure, the mobile node as believes it
moves within is still connected to its home
link or on the link where it obtained its address configuration after
it moved into that proxy mobile IPv6 domain. In this addressing model,
based

After detecting new mobile node on the administrative policy, its access link and after a
successful access authentication and authorization of the mobile node can use either
Stateless Address Autoconfiguration or Statefull Address
Configuration using DHCP for obtaining the IPv6 address configuration
for its interface on network-based mobility service, the mobile access link. Further, gateway MUST to
emulate the mobile node can
also generate interface identifiers node's home link by sending the Router
Advertisements with privacy considerations, the mobile node's home network prefix as
specified the
hosted on-link prefix. The Router Advertisement MUST be sent in Privacy Extensions specification [RFC-3041] and as per
CGA specification [RFC-3042]. For IPv4 home address configuration,

Gundavelli, et al. Expires December 20, 2007 [Page 24]

Internet-Draft Proxy Mobile IPv6 June 2007

response to a Router Solicitation message that it received from the
mobile node can obtain node. The Router Advertisement messages MAY also be sent
periodically, based on the address configuration using DHCP or
optionally by using IPCP. In addition to this, Other address interface configuration mechanisms specific to on the mobile
access link between gateway.

For emulating the mobile node and node's home link on the access link, the
mobile access gateway may also be used by must know the
mobile node.

The configured administrative policy for home network prefix of the mobile dictates the type
of addressing model that is supported
node for constructing the Router Advertisement. Typically and as a mobile on
default method, the access
link. The mobile access gateway on learns the access router will control
this by setting mobile node's
home network prefix information from the relevant flags Proxy Binding
Acknowledgement message, it received in response to the Router Advertisement Proxy Binding
Update message that it sends on sent to the access link.

Gundavelli, et al. Expires October 10, 2007 [Page 22]

Internet-Draft Proxy Mobile IPv6 April 2007

6.2. Conceptual Data Structures

Every mobile access gateway maintains a Binding Update List node's local mobility
anchor for each
currently attached that mobile node. The Binding Update List

However, it is a
conceptual data structure, described in Section 11.1 of Mobile IPv6
base specification [RFC-3775]. For supporting this specification, also possible, the conceptual Binding Update List data structure must mobile node's home network prefix
information may be extended
with the following new additional fields.

o The Identifier of statically configured in the mobile node, MN-Identifier. The format of
the MN-Identifier is specific node's policy
profile or it may be handed over to the mobile access technology. This MN
identifier is obtained gateway as part
of a context transfer procedure. If the Access Authentication
procedure and is used for downloading mobile access gateway can
predictably know the mobile node's profile home network prefix information,
it MAY choose to send the Router Advertisement prior to receiving the
Proxy Binding Acknowledgement message from the policy store.

o The physical address or local mobility anchor.
However, in the MAC address of event, the local mobility anchor rejects the Proxy
Binding Update message, or if the mobile node's
connected interface.

o The IPv6 home network prefix of that is received from the
local mobility anchor for that mobile node.

o The IPv6 home network node is a different prefix length of than
what the mobile node.

o The link-local address of access gateway previously advertised, the mobile node on the link. This
address MAY be learnt from the source address of
access gateway MUST withdraw the prefix by sending a Router
Solicitation
Advertisement message received from with zero lifetime for the mobile node.

o The tunnel identifier of prior advertised
prefix.

If the tunnel between access link connecting the mobile access gateway and the local mobility anchor used for reverse tunneling
the
mobile node's traffic. On a given implementation, if a tunnel
appears like node is a virtual interface, that applies point-to-point link, the proper
encapsulation on every packet that Router Advertisements
advertising a specific home network prefix is routed through that
interface, then received only by the interface identifier
respective mobile node and hence there is stored in the binding
update list. entry.

6.3. Access Authentication

When clearly a unique link for
each mobile node attaches that is attached to the that mobile access link connected to gateway.

6.7.1. Home Network Prefix Renumbering

If the mobile node's home network prefix gets renumbered or becomes
invalid during the middle of a mobility session, the mobile access gateway,
gateway MUST withdraw the prefix by sending a Router Advertisement on
the deployed access security protocols will
ensure that only authorized link with zero prefix lifetime for the mobile nodes will be able to access node's home
network prefix. Also, the
link local mobility anchor and further the mobile
access gateway will be able to identify
the mobile node by its MN-Identifier and optionally will be able to
detect MUST delete the mobile node's attachment or detachment to routing state for that prefix.
However, the link. The
exact specifics specific details on how this is achieved the local mobility anchor
notifies the mobile access gateway is outside the scope of this
document. This document goes with the stated assumption of having an
established trust between the mobile node and mobile access gateway
on the access link before the protocol operation begins. The mobile

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 23] 25]

Internet-Draft Proxy Mobile IPv6 April June 2007

access gateway will be able to use the mobile node's MN-Identity

6.8. Link-Local and
will be obtain its policy profile from the network policy store or
from the local policy store.

6.4. Home Network Emulation

One of the key functions of the mobile access gateway is to emulate
the mobile node's home network on the access link. It has to ensure,
the Global Address Uniqueness

A mobile node believes it is connected to its home link or in the link
where it obtained its address configuration after it moved into that proxy mobile IPv6 domain. After the access authentication is
complete, the domain, as it moves from one
mobile access gateway will have access to the mobile
node's profile, obtained from querying a local/network policy store
or provided to other, it as part of some context transfer procedure. After
this point, the mobile access gateway will have enough information continue to
emulate the mobile node's home link. It must send the Router
Advertisement messages advertising the mobile node's detect its
home network
prefix and other parameters.

If thus making the access link connecting node believe it is still on the mobile access gateway and same
link. Every time the mobile node is attaches to a point-to-point new link, the Router Advertisements
advertising a specific home network prefix is received only by event
related to the interface state change, will trigger the
respective mobile node
to perform DAD operation on the link-local and hence there is clearly a unique link for
each mobile global addresses.
However, if the node that is attached to that mobile access gateway.

If DNAv6 enabled, as specified in [ID-DNAV6], it
may not detect the access link connecting the mobile access gateway change due to DNAv6 optimizations and hence
it will not trigger the
mobile node is a shared-link, duplicate address detection (DAD) procedure
for establishing the mobile access gateway MUST ensure link-local address uniqueness on that each of new link.
Further, if the mobile node uses an interface identifier that is attached to that link receives
Router Advertisements with its respective home network prefix not
based on EUI-64 identifier, such as specified in IPv6 Stateless
Autoconfiguration specification [RFC-2462], there is a possibility,
with the
on-link prefix. For this odds of 1 to happen, billion, of a link-local address collision
between the mobile access gateway MUST
unicast two neighbors, the Router Advertisement to mobile node and the mobile node. The destination
field access
gateway.

One of the link-layer header in the Router Advertisement MUST be workarounds for this issue is to set the mobile's node's interface physical/MAC address DNAv6
configuration parameter, DNASameLinkDADFlag to TRUE and however, the
destination field in that will
force the IPv6 header set mobile node to redo DAD operation every time the interface
comes up, even when DNAv6 does detect a link change .

However, this issues will not impact point-to-point links based on
PPP session. Each time the all-nodes-multicast
address.

6.5. Link-Local and Global Address Uniqueness

A mobile node in moves and attaches to a proxy new
mobile IPv6 domain, as it moves from one access link to gateway, either the other, will continue to detect its home network
and hence PPP session [RFC-1661] is
reestablished or the issue PPP session may be moved as part of link-local address uniqueness arises. The
link-local that context
transfer procedures between the mobile node attempts to use on old and the new link must
be unique.

On a point-to-point link, such as in a PPP session, when mobile access
gateway.

When the mobile node tries to establish a PPP session [RFC-1661] with the mobile

Gundavelli, et al. Expires October 10, 2007 [Page 24]

Internet-Draft Proxy Mobile IPv6 April 2007
access gateway, the PPP goes through the Network layer Protocol phase
and the IPv6 Control Protocol, IPCP6 [RFC-2472] gets triggered. Both
the PPP peers negotiate a unique identifier using Interface-
Identifier option in IPV6CP and the negotiated identifier is used for
generating a unique link-local address on that link. Now, if the
mobile node moves to a new mobile access router, gateway, the PPP session
gets torn down with the old mobile access gateway and a new PPP
session gets established with the new mobile access gateway will be
established gateway, and the
mobile node obtains a new link-local address. Now, So, even if the mobile
node is DNAv6 capable, as specified in the DNAv6
specification [draft-ietf-dna-protocol-03], the mobile node always configures a new link-local link-
local address when ever it moves to a new link.

However, if the link between the mobile node and

If the mobile access
gateway PPP session state is a shared link and if a DNAv6 capable mobile node moves
from one access link moved to the other, the new mobile node may access gateway,
as part of context transfer procedures that are in place, there will
not detect a
link be any change due to the optimizations from DNAv6 and hence there is a
possibility interface identifiers of the link-local address collision two nodes on the connected
access link, One of the work around for this issue
that point-to-point change. The whole link is moved to the set
following flag on the new

Gundavelli, et al. Expires December 20, 2007 [Page 26]

Internet-Draft Proxy Mobile IPv6 June 2007

mobile node, DNASameLinkDADFlag to TRUE access gateway and
that there will force the mobile node to redo DAD operation even when DNAv6
detects no link change.

The global not be any need for establishing
link-local address or the MN-HoA uniqueness on that link.

This issue is assured as not relevant to the
uniqueness mobile node's global address.
Since, there is established by the local mobility anchor before
accepting a proxy binding update unique home network prefix for a mobile node. This is further
assured with the currently supported per-mn-prefix model, as there
are two each mobile nodes that share node,
the same home network prefix.
Further, if uniqueness for the mobile node's global address configuration is based ensured on statefull address
configuration using DHCP, the DHCP server will ensure
access link.

6.9. Signaling Considerations

6.9.1. Initial Attachment and binding registration

After detecting a new mobile node on its access link after a
successful access authentication and authorization, the uniqueness.

6.6. Tunnel Management

In mobile access
gateway MUST send a Proxy Binding Update message to the traditional Mobile mobile node's
local mobility anchor.

The Proxy Binding Update message must be constructed as shown below.

IPv6 model, there header (src=Proxy-CoA, dst=LMAA)
Mobility header
-BU /*P flag is set*/
Mobility Options
- Home Network Prefix Option*
- TimeStamp Option (optional)
- NAI Option

*Home Network Prefix option may contain 0::/0 or a separate tunnel from specific prefix.

Proxy Binding Update message contents

The Proxy Binding Update message that the mobile access gateway sends
to the mobile node's local mobility anchor to every MUST have the NAI option,
identifying the mobile node that has a binding
cache entry. node, the Home Network Prefix option and
optionally the Time Stamp option SHOULD be present. The one end-point of these tunnels Time Stamp
option is not required if the respective mobile node's care-of address and access gateway can send a valid
sequence number that is unique to matches the sequence number maintained by the
local mobility anchor for that mobile node.
In the case of Proxy Mobile IPv6, node in its binding cache
entry. The message MUST be protected by using IPsec ESP, using the care-of address or
security association existing between the tunnel
end-point is local mobility anchor and
the address of mobile access gateway, created either dynamically or statically.

If the mobile access gateway and there could
be multiple learns the mobile nodes attached to node's home network
prefix either from its policy store or from other means, the same mobile
access gateway
and hence the tunnel is a shared tunnel serving multiple mobile
nodes. This is identical MAY choose to specify the Mobile IPv4 model [RFC-3344], where
a tunnel between the foreign agent and same in the home agent is shared by
many visiting mobile nodes and hence Home Network
Prefix option for requesting the tunnel management needs local mobility anchor to
be on a global basis and not be dependent on a specific mobile node's
binding.

The life of the Proxy Mobile IPv6 tunnel should not be based on a register

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 25] 27]

Internet-Draft Proxy Mobile IPv6 April June 2007

single binding cache entry. The tunnel may get created as part of
creating a mobility state for a mobile node and later the same tunnel
may be associated with other mobile nodes. So, the tearing down
logic of

that prefix. If the tunnel must be based on specified value is 0::/0, then the number of visitors over that
tunnel. Implementations are free to pre-establish tunnels between
every local
mobility anchor and every mobile access gateway in will allocate a
proxy mobile IPv6 domain and with out having prefix to create and destroy
the tunnels on a need basis.

6.7. Routing Considerations

This section describes how the data traffic to/from the mobile node
is handled at node.

After receiving a Proxy Binding Acknowledgment with the mobile access gateway. The following entries
explains status code
indicating the routing state for acceptance of the mobile node on Proxy Binding Update, the mobile
access
gateway.

Mobile Node's IPv6 traffic:
===========================
For all traffic from the source address MN-HoA gateway MUST setup a tunnel to destination 0::/0
route via tunnel0, next-hop LMAA.

MN-HoA::/64 is reachable via the directly connected interface.

tunnel0:
========
Source: Proxy-CoA
Destination: LMAA
Tunnel Payload: IPv6
Tunnel Transport: IPv6

When the mobile node's local
mobility anchor, as explained in section 6.10. The mobile access
gateway receives any MUST also add a policy route for tunneling all the packets
that it receives from the mobile node to any destination, the packet will be forwarded to its local mobility anchor.

If the local mobility anchor through rejects the bi-directional tunnel established between
itself Proxy Binding Update
message, the mobile access gateways MUST NOT advertise the mobile
node's home prefix on the access link and there by denying mobility
service to the mobile node.

6.9.2. Extending the binding lifetime

For extending the lifetime of a currently existing binding at the mobile's
local mobility anchor. However, mobility, the packets
that are sent mobile access gateway MUST send a Proxy Binding
Update message with link-local source address are not forwarded.

If a specific lifetime. The message MUST be
constructed as specified in Section 6.9.1.

6.9.3. De-registration of the tunnel between binding

At any point, the mobile access gateway and detects that the mobile node
has moved away from its access link, it MUST send a Proxy Binding
Update message to the mobile node's local mobility anchor is an IPv6 with the
lifetime value set to zero. The message MUST be constructed as
specified in Section 6.9.1.

The mobile access gateway MUST also remove the default route over the
tunnel i.e. if for that mobile node and delete the registered care-of address is Binding Update List for
that mobile node, either upon receiving an
IPv6 Proxy-CoA, any IPv6 packet Proxy Binding
Acknowledgment message from the local mobility anchor or after a
certain timeout waiting for the acknowledgment message.

6.10. Routing Considerations

This section describes how the mobile node with access gateway handles the source
MN-HoA, will be encapsulated in an IPv6 packet, IPv6/IPv6 mode and
will be carried as an IPv6 packet. And any IPv4 packet from
traffic to/from the mobile node with the source IPv4 Mobile-HoA, will be encapsulated in that is attached to one of its access
interface.

Proxy-CoA LMAA
| |
+--+ +---+ +---+ +--+
|MN|----------|MAG|======================|LMA|----------|CN|
+--+ +---+ +---+ +--+

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 26] 28]

Internet-Draft Proxy Mobile IPv6 April June 2007

IPv6 packet, IPv4/IPv6 mode, Tunnel

6.10.1. Transport Network

The transport network between the local mobility anchor and will the
mobile access can be carried as either an IPv6
packet.

All or IPv4 network. However, this
specification only deals with the packets that scenario where the transport
network between the mobility entities is IPv6-only and requires
reachability between the local mobility anchor and the mobile access
gateway receives from the
tunnel, after removing over IPv6 transport. Just as in Mobile IPv6 specification
[RFC-3775], the negotiated tunnel encapsulation, will forward it to transport between the mobile node on local
mobility anchor and the connected interface.

6.8. Interaction with DHCP Relay Agent

If Statefull Address Configuration using DHCP mobile access gateway is supported on the
link on which IPv6, by default.
The companion document, IPv4 support for Proxy Mobile IPv6 [IPv4-
PMIP6-SPEC] specifies the required extensions for negotiating IPv4
tunneling mechanism and a specific encapsulation mode for supporting
this protocol operation over IPv4 transport network.

6.10.2. Tunneling & Encapsulation Modes

The IPv6 address that a mobile node uses from its home network prefix
is attached, the DHCP relay agent [RFC-
3315] needs to be configured on the access router. When topologically anchored at the local mobility anchor. For a mobile
node sends to use this address from an access network attached to a DHCPv6 Request message, the relay agent function on the mobile
access router must set the link-address field gateway, proper tunneling techniques have to be in place.
Tunneling hides the DHCPv6 message
to network topology and allows the mobile node's home network prefix, so as
IPv6 datagrams to provide be encapsulated as a prefix
hint to payload of another IPv6 packet
and be routed between the DHCP Server. On a point-to-point link, this is just a
normal DHCP relay agent configuration. However, on local mobility anchor and the shared links
supporting multiple mobile nodes with different home prefixes, there
is some interaction required access
gateway. The Mobile IPv6 base specification [RFC-3775] defines the
use of IPv6-over-IPv6 tunneling, between the relay home agent and the
mobile
access gateway, for setting node and this specification extends the link-address field to use of the requesting
mobile node's home network prefix.

6.9. Mobile Node Detachment Detection and Resource Cleanup

Before sending a Proxy Binding Update message to same
tunneling mechanism between the local mobility anchor for extending and the lifetime of mobile
access gateway.

On most operating systems, tunnels are implemented as a currently existing binding virtual
point-to-point interface. The source and the destination address of
a mobile node,
the mobile access gateway MUST make sure two end points of this virtual interface along with the mobile
node
encapsulation mode are specified for this virtual interface. Any
packet that is still attached to routed over this interface, get encapsulated with the connected link by using some reliable
method. If
outer header and the addresses as specified for that point to point
tunnel interface. For creating a point to point tunnel to any local
mobility anchor, the mobile access gateway cannot predictably detect the
presence of may implement a tunnel
interface with the mobile node on source address field set to its Proxy-CoA address
and the connected link, it MUST NOT
attempt destination address field set to extend the registration lifetime of LMA address.

The following are the mobile node.
Further, in such scenario, supported packet encapsulation modes that can
be used by the mobile access gateway MUST terminate
the binding of the mobile node by sending a Proxy Binding Update
message to and the mobile node's local mobility anchor with lifetime
value set to 0. It MUST also remove any local state such as binding
update list entry that was created
for that routing mobile node.

The specific detection node's IPv6 datagrams.

Gundavelli, et al. Expires December 20, 2007 [Page 29]

Internet-Draft Proxy Mobile IPv6 June 2007

o IPv6-In-IPv6 - IPv6 datagram encapsulated in an IPv6 packet. This
mechanism of is defined in the loss of a visiting mobile
node on Generic Packet Tunneling for IPv6
specification [RFC-2473].

o IPv6-In-IPv4 - IPv6 datagram encapsulation in an IPv4 packet. The
details related to this encapsulation mode and the connected link specifics on
how this mode is specific negotiated is specified in the companion
document, IPv4 support for Proxy Mobile IPv6 [ID-IPv4-PMIP6].

o IPv6-In-IPv4-UDP - IPv6 datagram encapsulation in an IPv4 UDP
packet. The details related to this mode are covered in the access link between
companion document, IPv4 support for Proxy Mobile IPv6 [IPv4-
PMIP6-SPEC].

6.10.3. Routing State

The following section explain the routing state for a mobile node and on
the mobile access gateway and is outside the scope of
this document. Typically, there are various link-layer gateway. This routing state reflects only one
specific
events way of implementation and one MAY choose to implement it in
other ways. The policy based route defined below acts as a traffic
selection rule for routing a mobile node's traffic through a specific to each access technology that
tunnel created between the mobile access gateway can depend on for detecting the node loss. In general, the and that mobile access gateway can depend on one or more of
node's local mobility anchor and with the following
methods for specific encapsulation
mode, as negotiated.

The below example identifies the detection presence of routing state for two visiting
mobile nodes, MN1 and MN2 with their respective local mobility
anchors LMA1 and LMA2.

For all traffic from the mobile node on node, identified by the mobile node's
MAC address, ingress interface or source prefix (MN-HNP) to
_ANY_DESTINATION_ route via interface tunnel0, next-hop LMAA.

+==================================================================+
| Packet Source | Destination Address | Destination Interface |
+==================================================================+
| MAC_Address_MN1, | _ANY_DESTINATION_ | Tunnel0 |
| (IPv6 Prefix or |----------------------------------------------|
| Input Interface) | Locally Connected | Tunnel0 |
+------------------------------------------------------------------+
| MAC_Address_MN2 | _ANY_DESTINATION_ | Tunnel1 |
+ -----------------------------------------------|
| | Locally Connected | direct |
+------------------------------------------------------------------+

Example - Policy based Route Table

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 27] 30]

Internet-Draft Proxy Mobile IPv6 April June 2007

connected link:

o Link-layer event specific to the access technology

o PPP Session termination event on point-to-point link types

o IPv6 Neighbor Unreachability Detection event from IPv6 stack

o Notification event from the local mobility anchor

o Absence of

Example - Tunnel Interface Table

6.10.4. Local Routing

If there is data traffic from the mobile node on the link for between a
certain duration of time

6.10. Coexistence with Mobile Nodes using Host-based Mobility

In some operating environments, network operators may want to
provision the access link attached to the visiting mobile access gateway to
offer network-based mobility service only to some nodes and enable
normal IP access support for some other nodes on node and a
corresponding node that link. This
specification supports is locally attached to an access links with such mixture of nodes. The
network has link
connected to the control mobile access gateway, the mobile access gateway MAY
optimize on when the delivery efforts by locally routing the packets and
by not reverse tunneling them to enable the mobile node with the
network node's local mobility service.

Upon obtaining
anchor. However, this has an implication on the mobile node's profile after a successful access
authentication
accounting and after a policy consideration, the mobile access
gateway MUST determine if enforcement as the network based local mobility service should anchor is not
in the path for that traffic and it will not be offered able to that mobile node. If the mobile node is entitled apply any
traffic policies or do any accounting for
such service, then those flows.

This decision of path optimization SHOULD be based on the network should ensure configured
policy configured on the mobile node believes
it is access gateway, but enforced by the
mobile node's local mobility anchor. The specific details on its home link, as explained in various sections how
this is achieved is beyond of the scope of this document.

6.10.5. Tunnel Management

All the mobile node is not entitled considerations mentioned in Section 5.2, for the network based mobility
service, as determined from tunnel
management on the policy, local mobility anchor apply for the mobile access
gateway
MUST ensure as well.

As explained in Section 5.2, the mobile node can obtain an IPv6 address using normal life of the Proxy Mobile IPv6 address configuration mechanisms. The obtained address tunnel
should not be from based on a local visitor network prefix. In other words the single visiting mobile
node should be able to operate node's lifetime. The
tunnel may get created as part of creating a mobility state for a traditional
visiting mobile node roaming
in a visitor network and later the same tunnel may be associated with
other mobile nodes. So, the ability to obtain an address from tearing down logic of the local visitor network prefix hosted tunnel must be
based on that link. This
essentially ensures, the proxy mobile IPv6 protocol will not impact the behavior number of visitors over that tunnel.

6.10.6. Forwarding Rules

Upon receipt of an encapsulated packet sent to its configured Proxy-
CoA address i.e. on receiving a packet from a tunnel, the mobile node that is using host-based mobility, as
per [RFC-3775].

If
access gateway MUST use the stateless destination address configuration mode is supported on that
link, of the prefix information option in inner packet
for forwarding it to the router advertisements
should contain local visitor network prefix. If statefull interface where the prefix for that address
configuration mode
is enforced on hosted. The mobile access gateway MUST remove the link and if DHCP is in used, outer header

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 28] 31]

Internet-Draft Proxy Mobile IPv6 April June 2007

before forwarding the mobile node should be able to obtain the IPv6 care-of address
from the local visitor network prefix. packet. If the link between the mobile access gateway and cannot
find the connected interface for that destination address, it MUST
silently drop the packet. For reporting an error in such scenario,
in the form of ICMP control message, the considerations from Generic
Packet Tunneling specification [RFC-2473] apply.

On receiving a packet from a mobile node is
a shared link, the Router Advertisement has to unicasted connected to its access
link, the mobile access gateway MUST ensure that there is an
established binding for that mobile node with its local mobility
anchor before forwarding the destination address in the layer-2 header set packet directly to the mobile's MAC address and the destination address in the IPv6
header set or
before tunneling the packet to the all-nodes multicast address.

6.11. Mobile Access Gateway Operation Summary

o After detecting mobile node's local mobility
anchor.

On receiving a packet from a new mobile node on connected to its access link and after
link, to a destination that is locally connected, the
successful mobile access authentication and authorization of
gateway MUST check the mobile
node, configuration variable, EnableMAGLocalRouting,
to ensure the mobile access gateway MUST be able is allowed to able route the packet
directly to access the
mobile node's profile. This may be downloaded from destination. If the local/
network policy store using MN-Identity or may be obtained as part
of a context transfer procedure. The mobile node's profile at access gateway is not
allowed to route the
minimum packet directly, it MUST have the mobile node's local mobility anchor address
and route the MN-Identity. Optionally, it may have packet
through the mobile node's
home network prefix bi-directional tunnel established between itself and other configuration parameters.

o The mobile access gateway MAY use one or more ways to detect the
attachment of
mobile's local mobility anchor.

On receiving a packet from the mobile node on to the link. The techniques can be
specific any destination i.e.
not directly connected to the mobile access technology or can gateway, the packet MUST
be other generic events
as mentioned in forwarded to the above sections.

o If local mobility anchor through the network determines bi-directional
tunnel established between itself and the mobile's local mobility
anchor. However, the packets that are sent with the link-local
source address MUST not be forwarded.

6.11. Interaction with DHCP Relay Agent

If Stateful Address Configuration using DHCP is supported on the link
on which the mobile node will not is attached, the DHCP relay agent [RFC-3315]
needs to be offered configured on the access router. When the mobile node
sends a DHCPv6 Request message, the network-based mobility service, relay agent function on the mobile
access gateway router MUST
ensure that set the Router Advertisements it sends will not contain link-address field in the DHCPv6 message
to the mobile node's home network prefix, but will be so as to provide a prefix
hint to the hosted on-link
prefix. Also, if DHCP Server. Since, the mobile node attempts to obtain an IPv6
address, access link is a point-to-point
link with the configured mobile access gateway or node's prefix as the on-link prefix,
the normal DHCP relay agent configuration on the
link MUST MAG will ensure that the
prefix hint that gets added is set to the DHCP mobile node's home network prefix.

6.12. Mobile Node Detachment Detection and Resource Cleanup

Before sending a Proxy Binding Update message will be of to the local hosted prefix.

o `The mobile access gateway on receiving mobility
anchor for extending the lifetime of a Router Solicitation
message from currently existing binding of
a mobile node MUST send a Router Advertisement
message containing node, the mobile node's home network prefix.

o The mobile access gateway MUST send the periodic Router
Advertisement messages, as per the ND specification [RFC-2461],
advertising the mobile node's home network prefix on the access
link.

o If the link between make sure the mobile
node and the mobile access gateway is a shared-link, then the Router Advertisement MUST be unicasted still attached to the mobile node connected link by setting the destination address in the link- using some reliable

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 29] 32]

Internet-Draft Proxy Mobile IPv6 April June 2007

layer header to

method. If the mobile node's MAC address and with access gateway cannot predictably detect the
destination address in
presence of the IPv6 header set mobile node on the connected link, it MUST NOT
attempt to extend the all-nodes
multicast address.

o If registration lifetime of the mobile node uses DHCP for address configuration, node.
Further, in such scenario, the mobile access gateway or specifically the DHCP relay agent on the link MUST ensure terminate
the DHCPv4/v6 packets are properly tagged with binding of the
sending mobile node's MN-HoA, as the prefix hint.

o The node by sending a Proxy Binding Update
message that the mobile access gateway
sends to the mobile node's local mobility anchor, anchor with lifetime
value set to 0. It MUST have the configured IPv6
address of also remove any local state such as the egress interface. The Proxy
Binding Update message
MUST have the NAI option identifying the List created for that mobile node, home network
prefix option and optionally node.

The specific detection mechanism of the time stamp option. If loss of a visiting mobile
node on the home
network prefix option connected link is set specific to value 0, the local mobility anchor
will assign access link between the home network prefix
mobile node and will return them in the
Proxy Binding Acknowledgment. This message MUST be protected by
using IPSec security association created between the mobile access gateway and local mobility anchor.

o After receiving a Proxy Binding Acknowledgment with the status
code indicating is outside the acceptance scope of the Binding Update,
this document. Typically, there are various link-layer specific
events specific to each access technology that the mobile access
gateway MUST setup a tunnel to can depend on for detecting the mobile node's local
mobility anchor, as explained in node loss. In general, the above sections, if there is
exists no tunnel. The
mobile access gateway MUST also add a
default route over can depend on one or more of the tunnel following
methods for all the traffic detection presence of the mobile node on the
connected link:

o Link-layer event specific to the access technology

o PPP Session termination event on point-to-point link types

o IPv6 Neighbor Unreachability Detection event from the mobile
node. IPv6 stack

o If Notification event from the local mobility anchor denies the Proxy Binding Update
request, the mobile access gateways MUST NOT advertise

o Absence of data traffic from the mobile
node's home prefix node on the access link and there by denying
mobility service for a
certain duration of time

6.13. Allowing network access to the other IPv6 nodes

In some proxy mobile node.

o Before attempting IPv6 deployments, network operators may want to extend binding lifetime of a mobile node,
provision the mobile access gateway MUST make sure the to offer network-based mobility
management service only to some visiting mobile node is still
attached nodes and enable just
regular IPv6/IPv4 access to the connected link by using some reliable method. If
the other nodes attached to that mobile
access gateway cannot predictably detect gateway. This requires the presence
of network to have the mobile node control on the connected link, it MUST NOT attempt
when to
extend the registration lifetime of the mobile node. Also, it
MUST terminate the binding of the enable network-based mobility management service to a mobile
node by sending a Proxy
Binding Update message and when to enabled a regular IPv6 access. This specification
does not disallow such configuration.

Upon obtaining the mobile node's local mobility anchor
with lifetime value set to 0.

o At any point, if the mobile profile after a successful access gateway detects that
authentication and after a policy consideration, the mobile
node has roamed away from its access link, it
gateway MUST send a Proxy
Binding Update to determine if the local network based mobility anchor with the lifetime
value set service should
be offered to 0 and it must also remove that mobile node. If the default route over mobile node is entitled for
such service, then the
tunnel for that mobile and also remove access gateway must ensure the Binding Update list mobile
node believes it is on its home link, as explained in various
sections of this specification.

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 30] 33]

Internet-Draft Proxy Mobile IPv6 April June 2007

entry and any other local state created for that

If the mobile node.

7. Mobile Node Operation

The Network-based node is not entitled for the network-based mobility scheme defined in this document, allows a
management service, as enforced by the policy, the mobile node access
gateway MAY choose to offer regular IPv6 access to obtain IP mobility within the proxy mobile node
and hence the normal IPv6
domain, with out requiring considerations apply. If IPv6 access is
enabled, the mobile node SHOULD be able to involve in obtain any mobility
management.

When a mobile node enters a proxy mobile IPv6 domain and attached to
an access link, the address
using normal IPv6 address configuration mechanisms. The obtained
address must be from a local visitor network identifies prefix. This
essentially ensures, the mobile node access gateway functions as part of the any other
access authentication router and establishes an identity for does not impact the mobile
node. This identity has protocol operation of a binding mobile
node attempting to use host-based mobility management service when it
attaches to an access link connected to a cryptographic state and
potentially associating the mobile node's link-layer address of the
attached interface. The specifics on how this is achieved is beyond
the scope of this document and is very much specific to the access
technology and depends on the applied security protocols gateway in place.
For all practical purposes, this document assumes that a
proxy mobile IPv6 domain.

7. Mobile Node Operation

This non-normative section discusses the mobile node's access to the network is secure. operation in a
Proxy Mobile IPv6 domain.

Once the mobile node enters a Proxy Mobile IPv6 domain and attaches
to an access network, the network identifies the mobile as part of and after the access authentication procedure and ensures authentication, the network
ensures, the mobile using any of the address configuration mechanisms
permitted by the network for that mobile, mobile node, will be able to obtain
an address and move anywhere in that managed proxy mobile IPv6 domain. From
the perspective of the mobile, the entire
Proxy Mobile proxy mobile IPv6 domain
appears as a single link, the network ensures the mobile believes it
is always on the same link.

The mobile node can be operating in an IPv4-only mode, IPv6-only mode
or in dual IPv4/IPv6 mode. However, the specific details on how the
IPv4 network-based mobility management service is offered to the
mobile node is specified in the companion document, IPv4 Support for
Proxy Mobile IPv6 [ID-IPV4-PMIP6].

Typically, the configured policy in the network determines if the type of home address(es) i.e. MN-HoA,
mobile node is authorized for IPv6, IPv4
MN-HoA or both, that the network mobility is supported for. IPv6/IPv4 home address
mobility. If the configured policy for a mobile node is for IPv6-only IPv6-
only home address mobility, the mobile node will be able to obtain
its MN-HoA, any
where in that proxy mobile IPv6 domain and if policy allows only
IPv4-only home address mobility, the mobile node will be able to
obtain its IPv4 MN-HoA, address, any where in that domain. Similarly, if the
policy permits both the IPv4 and IPv6 home address mobility, the
mobile node will be able to obtain its MN-HoA and IPv4 MN-HoA and
move anywhere in the network. However, if the mobile node is
configured for IPv6-only mobility and if the mobile node attempts to
obtain an IPv4 address configuration via DHCP mechanism, the obtained
address configuration will not have any mobility properties, i.e. the

Gundavelli, et al. Expires October 10, 2007 [Page 31]

Internet-Draft Proxy Mobile IPv6 April 2007 domain,
otherwise the obtained address will be from a local prefix and not
from a prefix that is topologically anchored at the local mobility
anchor and hence the mobile will loose that address as after it moves to
a different link.
The specifics on how this is achieved is the operational logic of the
mobile access gateway on the access new link.

7.1. Booting up in a Proxy Mobile IPv6 Domain

When a mobile node moves into a proxy mobile IPv6 domain and attaches

Gundavelli, et al. Expires December 20, 2007 [Page 34]

Internet-Draft Proxy Mobile IPv6 June 2007

to an access link, the mobile node will present its identity, MN-
Identity, to the network as part of the access authentication
procedure. Once the authentication procedure is complete and the
mobile node is authorized to access the network, the network or
specifically the mobile access gateway on the access link will have
the mobile node's profile and so it would know the mobile node's home
network prefix and the permitted address configuration modes. The
mobile node's home network prefix may also be dynamically assigned by
the mobile node's local mobility anchor and the same may be learnt by
the mobile access gateway.

If the mobile node is IPv6 enabled, on attaching to the link and
after access authentication, the mobile node typically would send a
Router Solicitation message. The mobile access gateway on the
attached link will respond to the Router Solicitation message with a
Router Advertisement. The Router Advertisement will have the mobile
node's home network prefix, default-router address and other address
configuration parameters. The address configuration parameters such
as Managed Address Configuration, Statefull Stateful Configuration flag values
will typically be consistent through out that domain for that mobile
node.

If the Router Advertisement has the Managed Address Configuration
flag set, the mobile node, as it would normally do, will send a
DHCPv6 Request and the mobile access gateway on that access link will
ensure, the mobile node node gets the MN-HoA an address from its home network prefix
as a lease from the DHCP server.

If the Router Advertisement does not have the Managed Address
Configuration flag set and if the mobile node is allowed to use an
autoconfigured address, the mobile node will generate an interface
identifier, as per the Autoconf specification [RFC-2462] or using
privacy extensions as specified in Privacy Extensions specification
[RFC-3041].

If the mobile node is IPv4 enabled or IPv4-only enabled, the mobile
node after the access authentication, will be able to obtain the IPv4
address configuration for the connected interface by using DHCPv4.

Gundavelli, et al. Expires October 10, 2007 [Page 32]

Internet-Draft Proxy Mobile IPv6 April 2007 using DHCPv4.

Once the address configuration is complete, the mobile node will have
the MN-HoA, IPv4 MN-HoA or both, that it can
continue to use the obtained address configuration as long as it is
with in the scope of that proxy mobile Proxy Mobile IPv6 domain.

7.2. Roaming in the Proxy Mobile IPv6 Network

After booting in the Proxy Mobile IPv6 domain and obtaining the
address configuration, the mobile node as it roams in the network
between access links, will always detect its home network prefix on

Gundavelli, et al. Expires December 20, 2007 [Page 35]

Internet-Draft Proxy Mobile IPv6 June 2007

the link, as long as the attached access network is in the scope of
that proxy mobile Proxy Mobile IPv6 domain. The mobile node can continue to use
its IPv4/IPv6 MN-HoA for sending and receiving packets. If the
mobile node uses DHCP for address configuration, it will always be
able to obtain its MN-HoA using DHCP. However, the mobile node will
always detect a new default-router on each connected link, but still
advertising the mobile node's home network prefix as the on-link
prefix and with the other configuration parameters consistent with the
its home link
properties as before. properties.

7.3. IPv6 Host Protocol Parameters

This specification assumes the mobile node to be a normal IPv6 node,
with its protocol operation consistent with the base IPv6
specification [RFC-2460]. All aspects of Neighbor Discovery
Protocol, including Router Discovery, Neighbor Discovery, Address
Configuration procedures will just remain consistent with the base
IPv6 Neighbor Discovery Specification [RFC-2461]. However, this
specification recommends that the following IPv6 operating parameters
on the mobile node be adjusted to the below recommended values for
protocol efficiency and for achieving faster hand-offs.

Lower Default-Router List Cache Time-out:

As per the base IPv6 specification [RFC-2460], each IPv6 host will
maintain certain host data structures including a Default-Router
list. This is the list of on-link routers that have sent Router
Advertisement messages and are eligible to be default routers on that
link. The Router Lifetime field in the received Router Advertisement
defines the life of this entry.

In the Proxy Mobile IPv6 scenario, when the mobile node moves from
one link to another, the received Router Advertisement messages
advertising the mobile's home network prefix will be from a different

Gundavelli, et al. Expires October 10, 2007 [Page 33]

Internet-Draft Proxy Mobile IPv6 April 2007
link-local address and thus making the mobile node believe that there
is a new default-router on the link. It is important that the mobile
node uses the newly learnt default-router as supposed to the
previously learnt default-router. The mobile node must update its
default-router list with the new default router entry and must age
out the previously learnt default router entry from its cache, just
as specified in Section 6.3.5 of the base IPv6 ND specification [RFC-
2461]. This action is critical for minimizing packet losses during a
hand off switch switch.

On detecting a reachability problem, the mobile node will certainly
detect the neighbor or the default-router unreachability by
performing a Neighbor Unreachability Detection procedure, but it is

Gundavelli, et al. Expires December 20, 2007 [Page 36]

Internet-Draft Proxy Mobile IPv6 June 2007

important that the mobile node times out the previous default router
entry at the earliest. If a given IPv6 host implementation has the
provision to adjust these flush timers, still conforming to the base
IPv6 ND specification, it is desirable to keep the flush-timers to
suit the above consideration.

However, if the mobile access gateway has the ability to with draw withdraw the
previous default-router entry, by multicasting sending a Router Advertisement
using the link-local address that of the previous
mobility proxy agent mobile access
gateway and with the Router Lifetime field set to value 0, then it is
possible to force the flush out of the Previous Default-Router entry from
the mobile node's cache. This certainly requires some context-transfer context-
transfer mechanisms in place for notifying the link-local address of
the default-router on the previous link to the mobile access gateway
on the new link.

There are other solutions possible for this problem, including the
assignment of a unique link-local address for all the mobile access routers
gateways in the a Proxy Mobile IPv6 Network. domain. In either any case, this is an
implementation choice and has no bearing on the protocol
interoperability. Implementations are free to adopt the best
approach that suits their target deployments.

8. Message Formats

This section defines extensions to the Mobile IPv6 [RFC-3775]
protocol messages.

Gundavelli, et al. Expires October 10, 2007 [Page 34]

Internet-Draft Proxy Mobile IPv6 April 2007

8.1. Proxy Binding Update

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence # |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|A|H|L|K|M|R|P| Reserved | Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 6: 9: Proxy Binding Update Message

Gundavelli, et al. Expires December 20, 2007 [Page 37]

Internet-Draft Proxy Mobile IPv6 June 2007

A Binding Update message that is sent by mobile access gateway is
referred to as the Proxy Binding Update message.

Proxy Registration Flag (P)

The Proxy Registration Flag is set to indicate to the local mobility
anchor that the Binding Update is from a mobile access gateway acting
as a proxy mobility agent. The flag MUST be set to the value of 1
for proxy registrations and MUST be set to 0 for direct registration
send my registrations
sent by a mobile node when using host-base mobility.

For descriptions of other fields present in this message, refer to
the section 6.1.7 of Mobile IPv6 specification [RFC3775].

8.2. Proxy Binding Acknowledgment

Gundavelli, et al. Expires October 10, 2007 [Page 35]

Internet-Draft Proxy Mobile IPv6 April 2007

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Status |K|R|P|Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence # | Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 7: 10: Proxy Binding Acknowledgment Message

A Binding Acknowledgment message that is sent by the local mobility
anchor to the mobile access gateway is referred to as "Proxy Binding
Acknowledgement".

Proxy Registration Flag (P)

A new flag (P) is included in the Binding Acknowledgement message to
indicate that the local mobility anchor Agent that processed the
corresponding Proxy Binding Update message supports Proxy
Registrations. The flag is set only if the corresponding Proxy
Binding Update had the Proxy Registration Flag (P) set to value of 1.
The rest of the Binding Acknowledgement format remains the same, as
defined in [RFC-3775].

Gundavelli, et al. Expires December 20, 2007 [Page 38]

Internet-Draft Proxy Mobile IPv6 June 2007

For descriptions of other fields present in this message, refer to
the section 6.1.8 of Mobile IPv6 base specificatoin [RFC-3775].

A Binding Acknowledgment message that is sent by the mobile access
gateway is also referred to as "Proxy Binding Acknowledgement". specification [RFC3775].

8.3. Home Network Prefix Option

A new option, Home Network Prefix Option is defined for using it in
the Proxy Binding Update and Acknowledgment messages exchanged
between the local mobility anchor to and the mobile access gateway.
This option can be used for exchanging the mobile node's home network
prefix and
home address information.

The home network prefix Option has an alignment requirement of 8n+4.
Its format is as follows:

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 36] 39]

Internet-Draft Proxy Mobile IPv6 April June 2007

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Reserved | Prefix Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ Home Network Prefix +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type
<IANA>

Length

8-bit unsigned integer indicating the length in octets of
the option, excluding the type and length fields. This field
MUST be set to 18.

Reserved

This field is unused for now. The value MUST be initialized
to 0 by the sender and MUST be ignored by the receiver.

Prefix Length

8-bit unsigned integer indicating the prefix length of the
IPv6 prefix contained in the option. If the prefix length
is set to the value 128, indicates the presence of the
mobile node's 128-bit home address.

Home Network Prefix

A sixteen-byte field containing the mobile node's IPv6 Home
Network Prefix Prefix.

Figure 8: 11: Home Network Prefix Option

Gundavelli, et al. Expires October 10, 2007 [Page 37]

Internet-Draft Proxy Mobile IPv6 April 2007

8.4. Time Stamp Option

A new option, Time Stamp Option is defined for use in the Proxy
Binding Update and Acknowledgement messages. This option MUST can be present used
in
all Proxy Binding Update and Proxy Binding Acknowledgement messages.

Gundavelli, et al. Expires December 20, 2007 [Page 40]

Internet-Draft Proxy Mobile IPv6 June 2007

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Type | Option Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Timestamp +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type
<IANA>

Length

8-bit unsigned integer indicating the length in octets of
the option, excluding the type and length fields. This field
MUST be set to 18. 8.

Timestamp

64-bit time stamp

Figure 9: 12: Time Stamp Option

8.5. Status Codes

This document defines the following new Binding Acknowledgement
status values:

145: Proxy Registration not supported by the local mobility anchor

146: Proxy Registrations from this mobile access gateway not allowed

147: No home address Home Network prefix for this NAI is not configured and the Home
Network

Gundavelli, et al. Expires October 10, 2007 [Page 38]

Internet-Draft Proxy Mobile IPv6 April 2007 Prefix Option not present in the Proxy Binding Update.

148: Invalid Time Stamp Option in the received Proxy Binding Update
message.

Status values less than 128 indicate that the Binding Update was
processed successfully by the receiving nodes. Values greater than
128 indicate that the Binding Update was rejected by the local
mobility anchor.

The value allocation for this usage needs to be approved by the IANA

Gundavelli, et al. Expires December 20, 2007 [Page 41]

Internet-Draft Proxy Mobile IPv6 June 2007

and must be updated in the IANA registry.

9. IANA Considerations

This document defines a new Mobility Header Option, Protocol Configuration Variables

The mobile access gateway MUST allow the Mobile Home
Network Prefix Option. following variables to be
configured by the system management.

EnableMAGLocalrouting

This option flag indicates whether or not the mobile access gateway is described in Section 8.3.
allowed to enable local routing of the traffic exchanged between a
visiting mobile node and a corresponding node that is locally
connected to one of the interfaces of the mobile access gateway. The
Type
corresponding node can be another visiting mobile node as well, or a
local fixed node.

The default value for this option needs flag is set to be assigned from "FALSE", indicating that
the same
numbering space as allocated for mobile access gateway MUST reverse tunnel all the other traffic to the
mobile node's local mobility options anchor.

When the value of this flag is set to "TRUE", the mobile access
gateway MUST route the traffic locally.

This aspect of local routing MAY be defined
in [RFC-3775]. as policy on a per mobile
basis and when present will take precedence over this flag.

10. IANA Considerations

This document defines a two new Mobility Header Option, Options, the Home
Network Prefix Option and the Time Stamp Option. This option is These options are
described in Section 8.4. Sections 8.3 and 8.5 respectively. The type Type value for
this option
these options needs to be assigned from the same numbering space as
allocated for the other mobility options options, as defined in [RFC-3775].

This document also defines new Binding Acknowledgement status values
as described in Section 8.5. The status values MUST be assigned from
the same space used for Binding Acknowledgement status values values, as
defined in [RFC-3775].

10.

11. Security Considerations

The potential security threats against any general network-based
mobility management protocol are covered in the document, Security
Threats to Network-Based Localized Mobility Management
[draft-ietf-netlmm-threats-04.txt]. [RFC-4832].
This section analyses those vulnerabilities in the context of Proxy

Gundavelli, et al. Expires December 20, 2007 [Page 42]

Internet-Draft Proxy Mobile IPv6 June 2007

Mobile IPv6 protocol solution and covers all aspects around those
identified vulnerabilities.

A compromised mobile access gateway can potentially send Proxy
Binding Update
requests for messages on behalf of the mobile nodes that are not
attached to its access link. This threat is similar to an attack on
a typical routing protocol or equivalent to the compromise of a on-path router and hence this

Gundavelli, et al. Expires October 10, 2007 [Page 39]

Internet-Draft Proxy Mobile IPv6 April 2007 an on-
path router. This threat exists in the network today and this
specification does not make this vulnerability any worse than what it
is. However, to eliminate this attack, vulnerability, the local mobility
anchor can before accepting Proxy Binding Update message received from a
mobile access gateway, MUST ensure that the mobile node is attached to the access link of the requesting
mobile access gateway. gateway that sent the Proxy Binding Update message.
This can be achieved using out of band mechanisms,
such as from the mobile node's access authentication to the network mechanisms and the specifics
of how that is achieved is beyond the scope of this document.

This document does not cover the security requirements for
authorizing the mobile node for the use of the access link. It is
assumed that there are proper Layer-2 Layer-2/Layer-3 based authentication
procedures, such as EAP, are in place and will ensure the mobile node
is properly identified and authorized before permitting it to access
the network. It is further assumed that the same security mechanism
will ensure the mobile session is not hijacked by malicious nodes on
the access link.

This specification requires that all the signaling messages exchanged
between the mobile access gateway and the local mobility anchor MUST
be authenticated by IPsec [RFC-4301]. The use of IPsec to protect
Mobile IPv6 signaling messages is described in detail in the HA-MN
IPsec specification [RFC-3776] and the extension applicability of that security
model to Proxy Mobile IPv6 protocol is covered in Section 4.0 of this
document.

As described in the base Mobile IPv6 specification [RFC-3775],
Section 5.1 both
the mobile client node (in this case, case of Proxy Mobile IPv6, its the mobile access
gateway) and the local mobility anchor MUST support and SHOULD use
the Encapsulating Security Payload (ESP) header in transport mode and
MUST use a non-NULL payload authentication algorithm to provide data
origin authentication, data integrity and optional anti-replay
protection.

The proxy solution allows one device creating a routing state for
some other device at the local mobility anchor. It is important that
the local mobility anchor has proper authorization services in place
to ensure a given mobile access gateway is permitted to be a proxy
for a specific mobile node. If proper security checks are not in
place, a malicious node may be able to hijack a session or may do a
denial-of-service attacks.

11.

Gundavelli, et al. Expires December 20, 2007 [Page 43]

Internet-Draft Proxy Mobile IPv6 June 2007

12. Acknowledgements

The authors would like to specially thank Julien Laganier, Christian
Vogt, Pete McCann, Brian Haley and Haley, Ahmad Muhanna Muhanna, JinHyeock Choi for
their thorough

Gundavelli, et al. Expires October 10, 2007 [Page 40]

Internet-Draft Proxy Mobile IPv6 April 2007 review of this document.

The authors would also like to thank the Gerardo Giaretta, Kilian
Weniger, Alex Petrescu, Mohamed Khalil, Fred Templing, Nishida
Katsutoshi, James Kempf, Vidya Narayanan, Henrik Levkowetz, Phil
Roberts, Jari Arkko, Ashutosh Dutta, Hesham Soliman, Behcet Sarikaya,
George Tsirtsis and many others for their passionate discussions in
the working group mailing list on the topic of localized mobility
management solutions. These discussions stimulated much of the
thinking and shaped the draft to the current form. We acknowledge
that !

The authors would also like to thank Ole Troan, Akiko Hattori, Perviz Parviz
Yegani, Mark Grayson, Michael Hammer, Vojislav Vucetic, Jay Iyer and
Tim Stammers for their input on this document.

12.

13. References

12.1.

13.1. Normative References

[RFC-1305] Mills, D., "Network Time Protocol (Version 3)
Specification, Implementation", RFC 1305, March 1992.

[RFC-2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998.

[RFC-2461] Narten, T., Nordmark, E. and W. Simpson, "Neighbor
Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998.

[RFC-2462] Thompson, S., Narten, T., "IPv6 Stateless Address
Autoconfiguration", RFC 2462, December 1998.

[RFC-2473] Conta, A. and S. Deering, "Generic Packet Tunneling in
IPv6 Specification", RFC 2473, December 1998.

[RFC-3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and
M.Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
RFC 3315, July 2003.

[RFC-3775] Johnson, D., Perkins, C., Arkko, J., "Mobility Support in
IPv6", RFC 3775, June 2004.

[RFC-3776] Arkko, J., Devarapalli, V., and F. Dupont, "Using IPsec to
Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents",

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 41] 44]

Internet-Draft Proxy Mobile IPv6 April June 2007

Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents",
RFC 3776, June 2004.

[RFC-4283] Patel, A., Leung, K., Khalil, M., Akhtar, H., and K.
Chowdhury, "Mobile Node Identifier Option for Mobile IPv6", RFC 4283,
November 2005.

[RFC-4301] Kent, S. and Atkinson, R., "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.

[RFC-4303] Kent, S. "IP Encapsulating Security Protocol (ESP)", RFC
4303, December 2005.

[RFC-4306] Kaufman, C, et al, "Internet Key Exchange (IKEv2)
Protocol", RFC 4306, December 2005.

[draft-ietf-netlmm-nohost-req-05.txt]

[RFC-4830] Kempf, J., Leung, K., Roberts, P., Nishida, K., Giaretta,
G., Liebsch, M., "Goals "Problem Statement for Network-based Localized
Mobility Management", October September 2006.

[draft-ietf-netlmm-nohost-ps-05.txt]

[RFC-4831] Kempf, J., Leung, K., Roberts, P., Nishida, K., Giaretta,
G., Liebsch, M., "Problem Statement "Goals for Network-based Localized Mobility
Management", September October 2006.

[draft-ietf-netlmm-threats-04.txt]

[RFC-4832] Vogt, C., Kempf, J., "Security Threats to Network-Based
Localized Mobility Management", September 2006.

[draft-ietf-mip6-nemo-v4traversal-03.txt]

[ID-IPV4-PMIP6] Wakikawa, R. and Gundavelli, S., "IPv4 Support for
Proxy Mobile IPv6", draft-ietf-netlmm-pmip6-ipv4-support-00.txt, May
2007.

[ID-DSMIP6] Soliman, H. et al, "Mobile IPv6 support for dual stack
Hosts and Routers (DSMIPv6)",
draft-ietf-mip6-nemo-v4traversal-03.txt, October 2006.

12.2.

13.2. Informative References

[RFC-1332] McGregor, G., "The PPP Internet Protocol Control Protocol
(IPCP)", RFC 1332, May 1992.

[RFC-1661] Simpson, W., Ed., "The Point-To-Point Protocol (PPP)", STD
51, RFC 1661, July 1994.

[RFC-2472] Haskin, D. and Allen, E., "IP version 6 over PPP", RFC
2472, December 1998.

[RFC-2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.

[RFC-3041] Narten, T. and Draves, R., "Privacy Extensions for

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 42] 45]

Internet-Draft Proxy Mobile IPv6 April June 2007

[RFC-3041] Narten, T. and Draves, R., "Privacy Extensions for
Stateless Address Autoconfiguration in IPv6", RFC 3041, January 2001.

[RFC-3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
August 2002.

[RFC-3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor
Discovery (ND) Trust Models and Threats", RFC 3756, May 2004.

[draft-iab-multilink-subnet-issues-03.txt] Thaler, D., "Multilink
Subnet Issues", January 2006.

[draft-ietf-dna-protocol-03]

[ID-DNAV6] Kempf, J., et al "Detecting Network Attachment in IPv6
Networks (DNAv6)", draft-ietf-dna-protocol-03, draft-ietf-dna-protocol-03.txt, October 2006.

[draft-ietf-mip6-ikev2-ipsec-08]

[ID-MIP6-IKEV2] Devarapalli, V. and Dupont, F., "Mobile IPv6
Operation with IKEv2 and the revised IPsec Architecture",
draft-ietf-mip6-ikev2-ipsec-08.txt, December 2006.

Appendix A. Proxy Mobile IPv6 interactions with AAA Infrastructure

Every mobile node that roams in a proxy Mobile IPv6 domain, would
typically be identified by an identifier, MN-Identifier, and that
identifier will have an associated policy profile that identifies the
mobile node's home network prefix, permitted address configuration
modes, roaming policy and other parameters that are essential for
providing network-based mobility service. This information is
typically configured in AAA. It is possible the home network prefix
is dynamically allocated for the mobile node when it boots up for the
first time in the network, or it could be a statically configured
value on per mobile node basis. However, for all practical purposes,
the network entities in the proxy Mobile IPv6 domain, while serving a
mobile node will have access to this profile and these entities can
query this information using RADIUS/DIAMETER protocols.

Appendix B. Supporting Shared-Prefix Model using DHCPv6

For supporting shared-prefix model, i.e, if multiple mobile nodes are
configured with a common IPv6 network prefix, as in Mobile IPv6
specification, it is possible to support that configuration under the
following guidelines:

The mobile node is allowed to use statefull stateful address configuration

Gundavelli, et al. Expires October 10, 2007 [Page 43]

Internet-Draft Proxy Mobile IPv6 April 2007
using DHCPv6 for obtaining its address configuration. The mobile
nodes is not allowed to use any of the stateless autoconfiguration
techniques. The permitted address configuration models for the

Gundavelli, et al. Expires December 20, 2007 [Page 46]

Internet-Draft Proxy Mobile IPv6 June 2007

mobile node on the access link can be enforced by the mobile access
gateway
gateway, by setting the relevant flags in the Router Advertisements,
as per ND Specification, [RFC-2461] [RFC-2461].

The Home Network Prefix Option that is sent by the mobile access
gateway in the Proxy Binding Update message, must contain the 128-bit
host address that the mobile node obtained via DHCPv6.

Routing state at the mobile access gateway:

For all IPv6 traffic from the source MN-HoA::/128 to destination
0::/0,
_ANY_DESTINATION_, route via tunnel0, next-hop LMAA, where tunnel0 is
the MAG to LMA tunnel.

Routing state at the local mobility anchor:

For all IPv6 traffic to destination MN-HoA::/128, route via tunnel0,
next-hop Proxy-CoA, where tunnel0 is the LMA to MAG tunnel.

Authors' Addresses

Sri Gundavelli
Cisco
170 West Tasman Drive
San Jose, CA 95134
USA

Email: sgundave@cisco.com

Kent Leung
Cisco
170 West Tasman Drive
San Jose, CA 95134
USA

Email: kleung@cisco.com

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 44] 47]

Internet-Draft Proxy Mobile IPv6 April June 2007

Vijay Devarapalli
Azaire Networks
4800 Great America Pkwy
Santa Clara, CA 95054
USA

Email: vijay.devarapalli@azairenet.com

Kuntal Chowdhury
Starent Networks
30 International Place
Tewksbury, MA

Email: kchowdhury@starentnetworks.com

Basavaraj Patil
Nokia Siemens Networks
6000 Connection Drive
Irving, TX 75039
USA

Email: basavaraj.patil@nsn.com

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 45] 48]

Internet-Draft Proxy Mobile IPv6 April June 2007

Full Copyright Statement

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.

Acknowledgment

Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).

Gundavelli, et al. Expires October 10, December 20, 2007 [Page 46] 49]

----