1. 49th IETF - San Diego - 1 Mobile Networks Support in IPv6 - Draft Update draft-ernst-mobileip-v6-01.txt - Thierry Ernst - MOTOROLA Labs Ludovic Bellier - INRIA (Planete project) Claude Castelluccia - INRIA (Planete project) Hong-Yon Lach - MOTOROLA Labs

2. Ernst Thierry - 49th IETF San Diego - 2 Definition and Terminology  Mobile Node = a node that changes its point of attachment u by means of Mobile IPv6  Mobile Network = an entire network that changes its point of attachment u A IP subnet or a collection of IP subnets u Mobile Router (MR) + its attached Nodes and Routers. u SNs = all stationary nodes located in mobile network ( SNs are not Mobile Nodes !) u Future needs require to consider (potentially large) mobile networks  CNs = all nodes communicating with SNs  Aim of this work is to: u Provide continuous Internet connectivity to SNs u Offer optimal routing between CNs and SNs  Mobile IPv6 specification: u Mobile IPv6 nodes may either be Mobile Hosts or Mobile Routers. u But no explicit mention of mobile networks.

3. Ernst Thierry - 49th IETF San Diego - 3 Experimentation: Test Bed  Francis Dupont INRIA IPv6 Implementation under FreeBSD 3.3  MR has two interfaces u One on the home / foreign link in the home / foreign network u One on the internal link in the mobile network  Mobile Network attaches to foreign link : u MR obtains a care-of address on the foreign link u MR registers care-of address with HA. u HA opens an IPv6-in-IPv6 tunnel to MR’s careof address u HA adds a host-specific route for MR’s home address to MR’s careof address

4. Ernst Thierry - 49th IETF San Diego - 4 Experimentation: Ping between CN and MR No problem, MR receives the packet => Redirection works fine whether Mobile Node is a Host or a Router u Packet is routed to BR u BR sends NDP messages to discover MR’s MAC address u BR HA replies with HA’s address on behalf of MR u HA intercepts packets addressed to MR u HA routes the packet to the IPv6-in-IPv6 tunnel u HA tunnels the packet to MR’s care-of address I ’m MR MR ?

5. Ernst Thierry - 49th IETF San Diego - 5 Experimentation: Ping between CN and SN Routing Loop MR ? I ’m MR u Packet is routed to BR u In BR’s routing table, MR' home address is the next hop towards SN u BR sends NDP messages to discover MR’s MAC address u HA replies with HA’s address on behalf of MR u HA intercepts but does not have an entry for SN’s address u HA sends the packet to its default route, i.e. the BR u The packet enters in a routing loop Problem, SN never receives the packet => Redirection to SNs impossible

6. Ernst Thierry - 49th IETF San Diego - 6 Our Solution: Network Scope Binding Updates  Assumption: all nodes in the mobile network share a common IP prefix = Mobile Network Prefix u if only one subnet -> internal link ’s prefix u If several subnets -> a common prefix identifying (sub-SLA) all subnets in the mobile network  Our solution: all packets with a destination address corresponding to the Mobile Network Prefix are routed to the MR ’s careof address.  Means: u A Binding between the Mobile Network Prefix and the MR’s careof address. u a new Sub-Option to carry the Mobile Network Prefix + a ‘P’ flag u Prefix and flag are recorded in the binding cache u Binding Cache is searched for a Prefix for those records showing the ‘P’ flag. u BUs containing the Mobile Network Prefix are sent: To the HA to allow redirection To all CNs to allow optimal routing u BUs are sent by the MR, not by individual SNs: mobility of network is transparent to SNs mobility management is aggregated (a given CN only gets 1 BU whatever # SNs)

7. Ernst Thierry - 49th IETF San Diego - 7 Our Solution: Security Issues  Existing Mobile IPv6 for Mobile Nodes: u Authentication of BU’s sender: MN authenticated thanks to IPSec u Authorization of MN = allowing MN to send BUs no explicit authorization If sender is authenticated, the Mobile IPv6 policy is to accept, record, and use whatever received careof address  Mobile IPv6 extensions to support Mobile Networks: u Authentication of BU’s sender: MR is authenticated thanks to IPSec - (same as for a single MN) u Authorization of MR = allowing the MR to manage mobility of an entire network If the Mobile IPv6 policy says that a careof-address can be registered for a prefix, then MR has the right to register a binding between the Mobile Network Prefix and its address. Authorization may be provided by a certificate:  exchanged during SA negociation  to guarantee that MR actually serves the mobile network with the specified Prefix.  Our solution is a matter of Authorization, not a matter of Authentication

8. Ernst Thierry - 49th IETF San Diego - 8 Mobile IP Working Group Item ?  Does the Mobile IP WG agree that: u HA is unable to redirect packets sent to nodes in the mobile network ? (if the final destination is not the Mobile Router itself) u CN is unable to directly route packets to nodes in the mobile network) (if the final destination is not the Mobile Router itself) => no redirection + no optimal routing = SNs are unreachable  This should be addressed by the Mobile IP WG => Add « Support of Mobile Networks » as a work item of the Mobile IP WG and include it in the charter.

9. Ernst Thierry - 49th IETF San Diego - 9 For More Information draft-ernst-mobileip-v6-network-01.txt Thierry Ernst thierry.ernst@inrialpes.fr http:// www.inrialpes.fr/planete This is a joint work between and