HA_6_3_1 - Protecting Return Routability Packets (HoTI)
Router

                  NUT
                   |
  --------+--------+--------+--------------- Link0
          |                 |
          R0               MN0
          |
  --------+-----------------+--------------- Link0X
          |                 |
         MN0X              CN0X
Link0       global 3ffe:501:ffff:100::/64                  home link
Link0X      global 3ffe:501:ffff:1100::/64                 foreign link
R0 (Link0)  global 3ffe:501:ffff:100::a0a0                 ether 00:00:00:00:a0:a0
MN0         global 3ffe:501:ffff:100:200:ff:fe00:a2a2      home address
MN0X        global 3ffe:501:ffff:1100:200:ff:fe00:a2a2     care-of address
CN0X        global 3ffe:501:ffff:1100:<TnDef.Link0_addr>
Check Link0 routing table

  NUT (Link0)         MN0X
      |                |
      | <------------- |  Echo Request
      | -------------> |  Echo Reply
      |                |

1. MN0X sends Echo Request
2. MN0X receives Echo Reply
Home registration

  NUT (Link0)         MN0X
      |                |
      | <------------- |  BU (A=1, lifetime=0x0010) (SPI=0x101)
      | -------------> |  BA (SPI=0x102)
      |                |

1. MN0X sends BU
2. MN0X receives BA

Check BCE

  NUT (Link0)         MN0X
      |                |
      | <------------- |  Echo Request w/ HaO
      | -------------> |  Echo Reply w/ RH
      |                |

1. MN0X sends Echo Request w/ HaO
2. MN0X receives Echo Reply w/ RH
Tunnel Processing

  NUT (Link0)         MN0          MN0X         CN0X
      |                |             |            |
      | <========================== |            |  HoTI (encapsulated) (SPI=0x103)
      |                | ----------------------> |  HoTI
      |                |             |            |

1. MN0X sends HoTI (encapsulated); packet format: Home_Test_Init_message_format_sending_ESP.gif
2. CN0X receives HoTI; packet format: Home_Test_Init_message_format_receiving_ESP.gif
PASS: CN0X receives HoTI
Reference: RFC 3775, Section 10.4.6 (Protecting Return Routability Packets)

The return routability procedure described in Section 5.2.5 assumes that the confidentiality of the Home Test Init and Home Test messages is protected as they are tunneled between the home agent to the mobile node. Therefore, the home agent MUST support tunnel mode IPsec ESP for the protection of packets belonging to the return routability procedure. Support for a non-null encryption transform and authentication algorithm MUST be available. It is not necessary to distinguish between different kinds of packets within the return routability procedure.

Security associations are needed to provide this protection. When the care-of address for the mobile node changes as a result of an accepted Binding Update, special treatment is needed for the next packets sent using these security associations. The home agent MUST set the new care-of address as the destination address of these packets, as if the outer header destination address in the security association had changed [21].

The above protection SHOULD be used with all mobile nodes. The use is controlled by configuration of the IPsec security policy database both at the mobile node and at the home agent.

As described earlier, the Binding Update and Binding Acknowledgement messages require protection between the home agent and the mobile node. The Mobility Header protocol carries both these messages as well as the return routability messages. From the point of view of the security policy database these messages are indistinguishable. When IPsec is used to protect return routability signaling or payload packets, this protection MUST only be applied to the return routability packets entering the IPv6 encapsulated tunnel interface between the mobile node and the home agent. This can be achieved, for instance, by defining the security policy database entries specifically for the tunnel interface. That is, the policy entries are not generally applied on all traffic on the physical interface(s) of the nodes, but rather only on traffic that enters the tunnel. This makes use of per-interface security policy database entries [4], specific to the tunnel interface (the node's attachment to the tunnel [11]).
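The Tunnel Processing step above and the RFC text it relies on describe the home agent's job in prose: accept the HoTI only through the ESP-protected tunnel from the registered care-of address, decapsulate it, and pass the plain HoTI (source = home address) on towards the correspondent node. The Python model below is an added example written for this page, not TAHI test code or any home agent implementation. It uses the MN0 home address, the MN0X care-of address and SPI 0x103 from the page; everything else is an assumption: the NUT address 3ffe:501:ffff:100::1, the CN0X address 3ffe:501:ffff:1100::c0c0, random keys, HMAC-SHA256 in counter mode standing in for the SA's non-null cipher (it is not an IPsec-registered transform), a 96-bit HMAC-SHA256 ICV, and a single SPD rule for the tunnel interface that requires ESP. Besides the pass condition of the test, it also shows the drop that the same HoTI gets when it arrives IPv6-in-IPv6 without ESP.

```python
"""Added model of RFC 3775 section 10.4.6 as this test exercises it (constructed
example, not TAHI or project code): a HoTI from the care-of address reaches the
home agent through the ESP tunnel and is forwarded, decapsulated, to the CN."""
import hashlib
import hmac
import ipaddress
import os
import struct

NH_IPV6, NH_ESP, NH_MH, MH_HOTI = 41, 50, 135, 1
ICV_LEN = 12  # HMAC-SHA256 truncated to 96 bits (constructed choice)
HOME_ADDR = ipaddress.IPv6Address("3ffe:501:ffff:100:200:ff:fe00:a2a2")  # MN0
COA = ipaddress.IPv6Address("3ffe:501:ffff:1100:200:ff:fe00:a2a2")       # MN0X
HA_ADDR = ipaddress.IPv6Address("3ffe:501:ffff:100::1")      # assumed NUT address
CN_ADDR = ipaddress.IPv6Address("3ffe:501:ffff:1100::c0c0")  # assumed CN0X address

class TunnelPolicyViolation(Exception):
    """Packet on the tunnel interface failed the SPD/SAD checks and is dropped."""

def ipv6_header(src, dst, next_header, payload_len):
    return struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64) + src.packed + dst.packed

def checksum(data):
    """One's-complement checksum shared by ICMPv6 and the Mobility Header."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_hoti(src, dst, cookie):
    """IPv6 packet carrying a Home Test Init (Mobility Header type 1, 8-byte cookie)."""
    mh = struct.pack("!BBBBH", 59, 1, MH_HOTI, 0, 0) + b"\x00\x00" + cookie
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(mh), NH_MH)
    mh = mh[:4] + struct.pack("!H", checksum(pseudo + mh)) + mh[6:]
    return ipv6_header(src, dst, NH_MH, len(mh)) + mh

def keystream(key, iv, length):
    """HMAC-SHA256 in counter mode; a stand-in for the SA's non-null cipher."""
    return b"".join(hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest() for i in range(length // 32 + 1))[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_sa(spi, local, peer, enc_key, auth_key):  # 'peer' = outer address of the other tunnel end
    return {"spi": spi, "local": local, "peer": peer, "enc_key": enc_key,
            "auth_key": auth_key, "seq_out": 0, "seq_in": 0}

def esp_tunnel_encapsulate(sa, inner):
    """Wrap a whole IPv6 packet in ESP (tunnel mode) plus a new outer header."""
    sa["seq_out"] += 1
    iv, pad_len = os.urandom(8), -(len(inner) + 2) % 4
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, NH_IPV6])  # ESP trailer
    body = struct.pack("!II", sa["spi"], sa["seq_out"]) + iv + xor(plain, keystream(sa["enc_key"], iv, len(plain)))
    esp = body + hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv6_header(sa["local"], sa["peer"], NH_ESP, len(esp)) + esp

def ha_receive_on_tunnel(raw, sad, binding_cache):
    """HA inbound processing on the tunnel interface: returns the HoTI to forward."""
    plen, nh = struct.unpack("!HB", raw[4:7])
    outer_src = ipaddress.IPv6Address(raw[8:24])
    if nh != NH_ESP:  # SPD entry for the tunnel interface: RR traffic must be ESP-protected
        raise TunnelPolicyViolation("return routability packet in the tunnel without ESP")
    esp = raw[40:40 + plen]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sad.get(spi)
    if sa is None or outer_src != sa["peer"] or ipaddress.IPv6Address(raw[24:40]) != sa["local"]:
        raise TunnelPolicyViolation("no SA for SPI 0x%x from %s" % (spi, outer_src))
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]):
        raise TunnelPolicyViolation("ESP ICV mismatch")
    if seq <= sa["seq_in"]:  # minimal anti-replay check
        raise TunnelPolicyViolation("replayed ESP sequence number")
    sa["seq_in"] = seq
    plain = xor(body[16:], keystream(sa["enc_key"], body[8:16], len(body) - 16))
    if plain[-1] != NH_IPV6:
        raise TunnelPolicyViolation("ESP payload is not IPv6-in-IPv6")
    inner = plain[:len(plain) - plain[-2] - 2]  # strip padding, pad length, next header
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner[6] != NH_MH or inner[42] != MH_HOTI:
        raise TunnelPolicyViolation("tunnelled packet is not a Home Test Init")
    if binding_cache.get(inner_src) != outer_src:
        raise TunnelPolicyViolation("%s is not bound to care-of address %s" % (inner_src, outer_src))
    return inner  # forwarded unchanged on the home link: src = home address, dst = CN

def after_home_registration():
    """State after the BU/BA exchange: SAs for SPI 0x103 on both ends and the BCE."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)  # constructed keys
    mn_sa = make_sa(0x103, COA, HA_ADDR, enc_key, auth_key)
    return mn_sa, {0x103: make_sa(0x103, HA_ADDR, COA, enc_key, auth_key)}, {HOME_ADDR: COA}

def hoti_is_forwarded_to_cn():
    """Tunnel Processing step: CN0X must receive exactly the HoTI that MN0X sent."""
    mn_sa, ha_sad, bce = after_home_registration()
    hoti = build_hoti(HOME_ADDR, CN_ADDR, bytes.fromhex("0102030405060708"))
    return ha_receive_on_tunnel(esp_tunnel_encapsulate(mn_sa, hoti), ha_sad, bce) == hoti

def unprotected_hoti_is_dropped():
    """The same HoTI tunnelled without ESP fails the tunnel-interface policy."""
    _, ha_sad, bce = after_home_registration()
    hoti = build_hoti(HOME_ADDR, CN_ADDR, bytes.fromhex("0102030405060708"))
    try:
        ha_receive_on_tunnel(ipv6_header(COA, HA_ADDR, NH_IPV6, len(hoti)) + hoti, ha_sad, bce)
    except TunnelPolicyViolation:
        return True
    return False
```

Calling hoti_is_forwarded_to_cn() returns True, which is the PASS condition of this test in the model; unprotected_hoti_is_dropped() shows why the SPD entry has to be bound to the tunnel interface rather than to the physical link: the same bytes on Link0 without ESP never reach the forwarding step. The HA's outbound SA (the one it would use for the HoT reply) keeps the current care-of address in its "peer" field; after a later Binding Update moves the mobile node, replacing that field is exactly the "set the new care-of address as the destination address" rule cited as [21] in the text above.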