📄 rfc3024.txt
字号:
Network Working Group G. Montenegro, EditorRequest for Comments: 3024 Sun Microsystems, Inc.Obsoletes: 2344 January 2001Category: Standards Track Reverse Tunneling for Mobile IP, revisedStatus of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved.Abstract Mobile Internet Protocol (IP) uses tunneling from the home agent to the mobile node's care-of address, but rarely in the reverse direction. Usually, a mobile node sends its packets through a router on the foreign network, and assumes that routing is independent of source address. When this assumption is not true, it is convenient to establish a topologically correct reverse tunnel from the care-of address to the home agent. This document proposes backwards-compatible extensions to Mobile IP to support topologically correct reverse tunnels. This document does not attempt to solve the problems posed by firewalls located between the home agent and the mobile node's care-of address. This document obsoletes RFC 2344.Montenegro Standards Track [Page 1]
RFC 3024 Reverse Tunneling for Mobile IP, revised January 2001Table of Contents 1. Introduction ................................................... 3 1.1. Terminology .................................................. 4 1.2. Assumptions .................................................. 4 1.3. Justification ................................................ 5 2. Overview ....................................................... 5 3. New Packet Formats ............................................. 6 3.1. Mobility Agent Advertisement Extension ....................... 6 3.2. Registration Request ......................................... 6 3.3. Encapsulating Delivery Style Extension ....................... 7 3.4. New Registration Reply Codes ................................. 8 4. Changes in Protocol Behavior ................................... 9 4.1. Mobile Node Considerations ................................... 9 4.1.1. Sending Registration Requests to the Foreign Agent ......... 9 4.1.2. Receiving Registration Replies from the Foreign Agent ...... 10 4.2. Foreign Agent Considerations ................................. 10 4.2.1. Receiving Registration Requests from the Mobile Node ....... 11 4.2.2. Relaying Registration Requests to the Home Agent ........... 11 4.3. Home Agent Considerations .................................... 11 4.3.1. Receiving Registration Requests from the Foreign Agent ..... 12 4.3.2. Sending Registration Replies to the Foreign Agent .......... 12 5. Mobile Node to Foreign Agent Delivery Styles ................... 13 5.1. Direct Delivery Style ........................................ 13 5.1.1. Packet Processing .......................................... 13 5.1.2. Packet Header Format and Fields ............................ 13 5.2. Encapsulating Delivery Style ................................. 14 5.2.1 Packet Processing ........................................... 14 5.2.2. Packet Header Format and Fields ............................ 15 5.3. Support for Broadcast and Multicast Datagrams ................ 16 5.4. Selective Reverse Tunneling .................................. 16 6. Security Considerations ........................................ 17 6.1. Reverse-tunnel Hijacking and Denial-of-Service Attacks ....... 17 6.2. Ingress Filtering ............................................ 18 6.3. Reverse Tunneling for Disparate Address Spaces ............... 18 7. IANA Considerations ............................................ 18 8. Acknowledgements ............................................... 18 References ........................................................ 19 Editor and Chair Addresses ........................................ 20 Appendix A: Disparate Address Space Support ....................... 21 A.1. Scope of the Reverse Tunneling Solution ................... 21 A.2. Terminating Forward Tunnels at the Foreign Agent .......... 24 A.3. Initiating Reverse Tunnels at the Foreign Agent ........... 26 A.4. Limited Private Address Scenario .......................... 26 Appendix B: Changes from RFC2344 .................................. 29 Full Copyright Statement .......................................... 30Montenegro Standards Track [Page 2]
RFC 3024 Reverse Tunneling for Mobile IP, revised January 20011. Introduction Section 1.3 of the Mobile IP specification [1] lists the following assumption: It is assumed that IP unicast datagrams are routed based on the destination address in the datagram header (i.e., not by source address). Because of security concerns (for example, IP spoofing attacks), and in accordance with RFC 2267 [8] and CERT [3] advisories to this effect, routers that break this assumption are increasingly more common. In the presence of such routers, the source and destination IP address in a packet must be topologically correct. The forward tunnel complies with this, as its endpoints (home agent address and care-of address) are properly assigned addresses for their respective locations. On the other hand, the source IP address of a packet transmitted by the mobile node does not correspond to the network prefix from where it emanates. This document discusses topologically correct reverse tunnels. Mobile IP does dictate the use of reverse tunnels in the context of multicast datagram routing and mobile routers. However, the source IP address is set to the mobile node's home address, so these tunnels are not topologically correct. Notice that there are several uses for reverse tunnels regardless of their topological correctness: - Mobile routers: reverse tunnels obviate the need for recursive tunneling [1]. - Multicast: reverse tunnels enable a mobile node away from home to (1) join multicast groups in its home network, and (2) transmit multicast packets such that they emanate from its home network [1]. - The TTL of packets sent by the mobile node (for example, when sending packets to other hosts in its home network) may be so low that they might expire before reaching their destination. A reverse tunnel solves the problem as it represents a TTL decrement of one [5].Montenegro Standards Track [Page 3]
RFC 3024 Reverse Tunneling for Mobile IP, revised January 20011.1. Terminology The discussion below uses terms defined in the Mobile IP specification. Additionally, it uses the following terms: Forward Tunnel A tunnel that shuttles packets towards the mobile node. It starts at the home agent, and ends at the mobile node's care-of address. Reverse Tunnel A tunnel that starts at the mobile node's care-of address and terminates at the home agent. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [9].1.2. Assumptions Mobility is constrained to a common IP address space (that is, the routing fabric between, say, the mobile node and the home agent is not partitioned into a "private" and a "public" network). This document does not attempt to solve the firewall traversal problem. Rather, it assumes one of the following is true: - There are no intervening firewalls along the path of the tunneled packets. - Any intervening firewalls share the security association necessary to process any authentication [6] or encryption [7] headers which may have been added to the tunneled packets. The reverse tunnels considered here are symmetric, that is, they use the same configuration (encapsulation method, IP address endpoints) as the forward tunnel. IP in IP encapsulation [2] is assumed unless stated otherwise. Route optimization [4] introduces forward tunnels initiated at a correspondent host. Since a mobile node may not know if the correspondent host can decapsulate packets, reverse tunnels in that context are not discussed here.Montenegro Standards Track [Page 4]
RFC 3024 Reverse Tunneling for Mobile IP, revised January 20011.3. Justification Why not let the mobile node itself initiate the tunnel to the home agent? This is indeed what it should do if it is already operating with a topologically correct co-located care-of address. However, one of the primary objectives of the Mobile IP specification is not to require this mode of operation. The mechanisms outlined in this document are primarily intended for use by mobile nodes that rely on the foreign agent for forward tunnel support. It is desirable to continue supporting these mobile nodes, even in the presence of filtering routers.2. Overview A mobile node arrives at a foreign network, listens for agent advertisements and selects a foreign agent that supports reverse tunnels. It requests this service when it registers through the selected foreign agent. At this time, and depending on how the mobile node wishes to deliver packets to the foreign agent, it also requests either the Direct or the Encapsulating Delivery Style (section 5). In the Direct Delivery Style, the mobile node designates the foreign agent as its default router and proceeds to send packets directly to the foreign agent, that is, without encapsulation. The foreign agent intercepts them, and tunnels them to the home agent. In the Encapsulating Delivery Style, the mobile node encapsulates all its outgoing packets to the foreign agent. The foreign agent decapsulates and re-tunnels them to the home agent, using the foreign agent's care-of address as the entry-point of this new tunnel.Montenegro Standards Track [Page 5]
RFC 3024 Reverse Tunneling for Mobile IP, revised January 20013. New Packet Formats3.1. Mobility Agent Advertisement Extension 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Lifetime |R|B|H|F|M|G|V|T| reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | zero or more Care-of Addresses | | ... | The only change to the Mobility Agent Advertisement Extension [1] is the additional 'T' bit: T Agent offers reverse tunneling service. A foreign agent that sets the 'T' bit MUST support the Direct Delivery Style. Encapsulating Delivery Style SHOULD be supported as well (section 5). Using this information, a mobile node is able to choose a foreign agent that supports reverse tunnels. Notice that if a mobile node does not understand this bit, it simply ignores it as per [1].3.2. Registration Request Reverse tunneling support is added directly into the Registration Request by using one of the "rsvd" bits. If a foreign or home agent that does not support reverse tunnels receives a request with the 'T' bit set, the Registration Request fails. This results in a registration denial (failure codes are specified in section 3.4). Home agents SHOULD NOT object to providing reverse tunnel support, because they "SHOULD be able to decapsulate and further deliver packets addressed to themselves, sent by a mobile node" [1]. In the case of topologically correct reverse tunnels, the packets are not sent by the mobile node as distinguished by its home address. Rather, the outermost (encapsulating) IP source address on such datagrams is the care-of address of the mobile node. In Registration Requests sent by a mobile node, the Time to Live field in the IP header MUST be set to 255. This limits a denial of service attack in which malicious hosts send false Registration Requests (see Section 6).⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -