As per Relevance of the word delivery, we have this rfc below:
Network Working Group G. Montenegro,
Request for Comments: 2344 Sun Microsystems, Inc
Category: Standards Track May 1998
Reverse Tunneling for Mobile
Status of this
This document specifies an Internet standards track protocol for
Internet community, and requests discussion and suggestions
improvements. Please refer to the current edition of the "
Official Protocol Standards" (STD 1) for the standardization
and status of this protocol. Distribution of this memo is unlimited
Copyright
Copyright (C) The Internet Society (1998). All Rights Reserved
Mobile IP uses tunneling from the home agent to the mobile node'
care-of address, but rarely in the reverse direction. Usually,
mobile node sends its packets through a router on the
network, and assumes that routing is independent of source address
When this assumption is not true, it is convenient to establish
topologically correct reverse tunnel from the care-of address to
home agent
This document proposes backwards-compatible extensions to Mobile
in order to support topologically correct reverse tunnels.
document does not attempt to solve the problems posed by
located between the home agent and the mobile node's care-of address
Table of
1. Introduction ................................................ 2
1.1. Terminology ............................................... 3
1.2. Assumptions ............................................... 4
1.3. Justification ............................................. 4
2. Overview .................................................... 4
3. New Packet Formats .......................................... 5
3.1. Mobility Agent Advertisement Extension .................... 5
3.2. Registration Request ...................................... 5
3.3. Encapsulating Delivery Style Extension .................... 6
3.4. New Registration Reply Codes .............................. 7
4. Changes in Protocol Behavior ................................ 8
4.1. Mobile Node Considerations ................................ 8
Montenegro Standards Track [Page 1]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
4.1.1. Sending Registration Requests to the Foreign Agent ...... 8
4.1.2. Receiving Registration Replies from the Foreign Agent ... 9
4.2. Foreign Agent Considerations .............................. 9
4.2.1. Receiving Registration Requests from the Mobile Node ... 10
4.2.2. Relaying Registration Requests to the Home Agent ....... 10
4.3. Home Agent Considerations ................................ 10
4.3.1. Receiving Registration Requests from the Foreign Agent . 11
4.3.2. Sending Registration Replies to the Foreign Agent ...... 11
5. Mobile Node to Foreign Agent Delivery Styles ............... 12
5.1. Direct Delivery Style .................................... 12
5.1.1. Packet Processing ...................................... 12
5.1.2. Packet Header Format and Fields ........................ 12
5.2. Encapsulating Delivery Style ............................. 13
5.2.1 Packet Processing ....................................... 13
5.2.2. Packet Header Format and Fields ........................ 14
5.3. Support for Broadcast and Multicast Datagrams ............ 15
5.4. Selective Reverse Tunneling .............................. 15
6. Security Considerations .................................... 16
6.1. Reverse-tunnel Hijacking and Denial-of-Service Attacks ... 16
6.2. Ingress Filtering ........................................ 17
7. Acknowledgements ........................................... 17
References .................................................... 17
Editor and Chair Addresses .................................... 18
Full Copyright Statement ...................................... 19
1.
Section 1.3 of the Mobile IP specification [1] lists the
assumption
It is assumed that IP unicast datagrams are routed based on
destination address in the datagram header (i.e., not by
address).
Because of security concerns (for example, IP spoofing attacks),
in accordance with RFC 2267 [8] and CERT [3] advisories to
effect, routers that break this assumption are increasingly
common
In the presence of such routers, the source and destination
address in a packet must be topologically correct. The forward
complies with this, as its endpoints (home agent address and care-
address) are properly assigned addresses for their
locations. On the other hand, the source IP address of a
transmitted by the mobile node does not correspond to the
prefix from where it emanates
This document discusses topologically correct reverse tunnels
Montenegro Standards Track [Page 2]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
Mobile IP does dictate the use of reverse tunnels in the context
multicast datagram routing and mobile routers. However, the source
address is set to the mobile node's home address, so these
are not topologically correct
Notice that there are several uses for reverse tunnels regardless
their topological correctness
- Mobile routers: reverse tunnels obviate the need for
tunneling [1].
- Multicast: reverse tunnels enable a mobile node away from
to (1) join multicast groups in its home network, and (2)
transmit multicast packets such that they emanate from its
network [1].
- The TTL of packets sent by the mobile node (for example,
sending packets to other hosts in its home network) may be
low that they might expire before reaching their destination.
reverse tunnel solves the problem as it represents a
decrement of one [5].
1.1.
The discussion below uses terms defined in the Mobile
specification. Additionally, it uses the following terms
Forward
A tunnel that shuttles packets towards the mobile node.
starts at the home agent, and ends at the mobile node's care-
address
Reverse
A tunnel that starts at the mobile node's care-of address
terminates at the home agent
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
document are to be interpreted as described in RFC 2119 [9].
Montenegro Standards Track [Page 3]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
1.2.
Mobility is constrained to a common IP address space (that is,
routing fabric between, say, the mobile node and the home agent
not partitioned into a "private" and a "public" network).
This document does not attempt to solve the firewall
problem. Rather, it assumes one of the following is true
- There are no intervening firewalls along the path of
tunneled packets
- Any intervening firewalls share the security
necessary to process any authentication [6] or encryption [7]
headers which may have been added to the tunneled packets
The reverse tunnels considered here are symmetric, that is, they
the same configuration (encapsulation method, IP address endpoints
as the forward tunnel. IP in IP encapsulation [2] is assumed
stated otherwise
Route optimization [4] introduces forward tunnels initiated at
correspondent host. Since a mobile node may not know if
correspondent host can decapsulate packets, reverse tunnels in
context are not discussed here
1.3.
Why not let the mobile node itself initiate the tunnel to the
agent? This is indeed what it should do if it is already
with a topologically correct co-located care-of address
However, one of the primary objectives of the Mobile IP
is not to require this mode of operation
The mechanisms outlined in this document are primarily intended
use by mobile nodes that rely on the foreign agent for forward
support. It is desirable to continue supporting these mobile nodes
even in the presence of filtering routers
2.
A mobile node arrives at a foreign network, listens for
advertisements and selects a foreign agent that supports
tunnels. It requests this service when it registers through
selected foreign agent. At this time, and depending on how
Montenegro Standards Track [Page 4]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
mobile node wishes to deliver packets to the foreign agent, it
requests either the Direct or the Encapsulating Delivery
(section 5).
In the Direct Delivery Style, the mobile node designates the
agent as its default router and proceeds to send packets directly
the foreign agent, that is, without encapsulation. The foreign
intercepts them, and tunnels them to the home agent
In the Encapsulating Delivery Style, the mobile node encapsulates
its outgoing packets to the foreign agent. The foreign
decapsulates and re-tunnels them to the home agent, using the
agent's care-of address as the entry-point of this new tunnel
3. New Packet
3.1. Mobility Agent Advertisement
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime |R|B|H|F|M|G|V|T| reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| zero or more Care-of Addresses |
| ... |
The only change to the Mobility Agent Advertisement Extension [1]
the additional 'T' bit
T Agent offers reverse tunneling service
A foreign agent that sets the 'T' bit MUST support the two
styles currently supported: Direct and Encapsulating Delivery
(section 5).
Using this information, a mobile node is able to choose a
agent that supports reverse tunnels. Notice that if a mobile
does not understand this bit, it simply ignores it as per [1].
3.2. Registration
Reverse tunneling support is added directly into the
Request by using one of the "rsvd" bits. If a foreign or home
that does not support reverse tunnels receives a request with the 'T
bit set, the Registration Request fails. This results in
registration denial (failure codes are specified in section 3.4).
Montenegro Standards Track [Page 5]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
Most home agents would not object to providing reverse
support, because they "SHOULD be able to decapsulate and
deliver packets addressed to themselves, sent by a mobile node" [1].
In the case of topologically correct reverse tunnels, the packets
not sent by the mobile node as distinguished by its home address
Rather, the outermost (encapsulating) IP source address on
datagrams is the care-of address of the mobile node. Nevertheless
home agents probably already support the required decapsulation
further forwarding
In Registration Requests sent by a mobile node, the Time to
field in the IP header MUST be set to 255. This limits a denial
service attack in which malicious hosts send false
Requests (see Section 6).
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type |S|B|D|M|G|V|T|-| Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Home Agent |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Care-of Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Extensions ...
+-+-+-+-+-+-+-+-
The only change to the Registration Request packet is the
'T' bit
T If the 'T' bit is set, the mobile node asks its
agent to accept a reverse tunnel from the care-
address. Mobile nodes using a foreign agent care-
address ask the foreign agent to reverse-tunnel
packets
3.3. Encapsulating Delivery Style
The Encapsulating Delivery Style Extension MAY be included by
mobile node in registration requests to further specify
tunneling behavior. It is expected to be used only by the
agent. Accordingly, the foreign agent MUST consume this
(that is, it must not relay it to the home agent or include it
Montenegro Standards Track [Page 6]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
replies to the mobile node). As per Section 3.6.1.3 of [1],
mobile node MUST include the Encapsulating Delivery Style
after the Mobile-Home Authentication Extension, and before
Mobile-Foreign Authentication Extension, if present
The Encapsulating Delivery Style Extension MUST NOT be included
the 'T' bit is not set in the Registration Request
If this extension is absent, Direct Delivery is assumed
Encapsulation is done according to what was negotiated for
forward tunnel (that is, IP in IP is assumed unless
otherwise). For more details on the delivery styles, please refer
section 5.
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
130
0
3.4. New Registration Reply
Foreign and home agent registration replies MUST convey if
reverse tunnel request failed. These new reply codes are defined
Service denied by the foreign agent
74 requested reverse tunnel
75 reverse tunnel is mandatory and 'T' bit not
76 mobile node too
Service denied by the home agent
137 requested reverse tunnel
138 reverse tunnel is mandatory and 'T' bit not
139 requested encapsulation
Montenegro Standards Track [Page 7]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
In response to a Registration Request with the 'T' bit set,
nodes may receive (and MUST accept) code 70 (poorly formed request
from foreign agents and code 134 (poorly formed request) from
agents. However, foreign and home agents that support
tunneling MUST use codes 74 and 137, respectively
Absence of the 'T' bit in a Registration Request MAY elicit
with codes 75 and 138 at the foreign agent and the home agent
respectively
Forward and reverse tunnels are symmetric, that is, both are able
use the same tunneling options negotiated at registration.
implies that the home agent MUST deny registrations if an
form of tunneling is requested (code 139). Notice that Mobile IP [1]
already defines the analogous failure code 72 for use by the
agent
4. Changes in Protocol
Unless otherwise specified, behavior specified by Mobile IP [1]
assumed. In particular, if any two entities share a mobility
association, they MUST use the appropriate Authentication
(Mobile-Foreign, Foreign-Home or Mobile-Home
Extension) when exchanging registration protocol datagrams.
Mobile-Home Authentication Extension MUST always be present
Reverse tunneling imposes additional protocol processing
on mobile entities. Differences in protocol behavior with respect
Mobile IP [1] are specified in the subsequent sections
4.1. Mobile Node
This section describes how the mobile node handles registrations
request a reverse tunnel
4.1.1. Sending Registration Requests to the Foreign
In addition to the considerations in [1], a mobile node sets the 'T
bit in its Registration Request to petition a reverse tunnel
The mobile node MUST set the TTL field of the IP header to 255.
is meant to limit the reverse tunnel hijacking attack (Section 6).
The mobile node MAY optionally include an Encapsulating
Style Extension
Montenegro Standards Track [Page 8]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
4.1.2. Receiving Registration Replies from the Foreign
Possible valid responses are
- A registration denial issued by either the home agent or
foreign agent
a. The mobile node follows the error checking guidelines
[1], and depending on the reply code, MAY try modifying
registration request (for example, by eliminating
request for alternate forms of encapsulation), and issuing
new registration
b. Depending on the reply code, the mobile node MAY
zeroing the 'T' bit, eliminating the Encapsulating
Style Extension (if one was present), and issuing a
registration. Notice that after doing so the
may succeed, but due to the lack of a reverse tunnel
transfer may not be possible
- The home agent returns a Registration Reply indicating that
service will be provided
In this last case, the mobile node has succeeded in establishing
reverse tunnel between its care-of address and its home agent.
the mobile node is operating with a co-located care-of address,
MAY encapsulate outgoing data such that the destination address
the outer header is the home agent. This ability to
reverse-tunnel packets is discussed further in section 5.4.
If the care-of address belongs to a separate foreign agent,
mobile node MUST employ whatever delivery style was requested (
or Encapsulating) and proceed as specified in section 5.
A successful registration reply is an assurance that both the
agent and the home agent support whatever alternate forms
encapsulation (other than IP in IP) were requested. Accordingly,
mobile node MAY use them at its discretion
4.2. Foreign Agent
This section describes how the foreign agent handles
that request a reverse tunnel
Montenegro Standards Track [Page 9]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
4.2.1. Receiving Registration Requests from the Mobile
A foreign agent that receives a Registration Request with the 'T'
set processes the packet as specified in the Mobile IP
[1], and determines whether it can accomodate the forward
request. If it cannot, it returns an appropriate code. In particular
if the foreign agent is unable to support the requested form
encapsulation it MUST return code 72.
The foreign agent MAY reject Registration Requests without the 'T
bit set by denying them with code 75 (reverse tunnel is mandatory
'T' bit not set).
The foreign agent MUST verify that the TTL field of the IP header
set to 255. Otherwise, it MUST reject the registration with code 76
(mobile node too distant). The foreign agent MUST limit the rate
which it sends these registration replies to a maximum of one
second
As a last check, the foreign agent verifies that it can support
reverse tunnel with the same configuration. If it cannot, it
return a Registration Reply denying the request with code 74
(requested reverse tunnel unavailable).
4.2.2. Relaying Registration Requests to the Home
Otherwise, the foreign agent MUST relay the Registration Request
the home agent
Upon receipt of a Registration Reply that satisfies validity checks
the foreign agent MUST update its visitor list, including
that this mobile node has been granted a reverse tunnel and
delivery style expected (section 5).
While this visitor list entry is in effect, the foreign agent
process incoming traffic according to the delivery style,
it and tunnel it from the care-of address to the home agent'
address
4.3. Home Agent
This section describes how the home agent handles registrations
request a reverse tunnel
Montenegro Standards Track [Page 10]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
4.3.1. Receiving Registration Requests from the Foreign
A home agent that receives a Registration Request with the 'T'
set processes the packet as specified in the Mobile IP
[1] and determines whether it can accomodate the forward
request. If it cannot, it returns an appropriate code.
particular, if the home agent is unable to support the requested
of encapsulation it MUST return code 139 (requested
unavailable).
The home agent MAY reject registration requests without the 'T'
set by denying them with code 138 (reverse tunnel is mandatory and '
T' bit not set).
As a last check, the home agent determines whether it can support
reverse tunnel with the same configuration as the forward tunnel.
it cannot, it MUST send back a registration denial with code 137
(requested reverse tunnel unavailable).
Upon receipt of a Registration Reply that satisfies validity checks
the home agent MUST update its mobility bindings list to
that this mobile node has been granted a reverse tunnel and the
of encapsulation expected
4.3.2. Sending Registration Replies to the Foreign
In response to a valid Registration Request, a home agent MUST
a Registration Reply to the mobile node
After a successful registration, the home agent may
encapsulated packets addressed to itself. Decapsulating such
and blindly injecting them into the network is a potential
weakness (section 6.1). Accordingly, the home agent MUST implement
and, by default, SHOULD enable the following check for
packets addressed to itself
The home agent searches for a mobility binding whose care-
address is the source of the outer header, and whose mobile
address is the source of the inner header
If no such binding is found, or if the packet uses an
mechanism that was not negotiated at registration the home agent
silently discard the packet and SHOULD log the event as a
exception
Home agents that terminate tunnels unrelated to Mobile IP (
example, multicast tunnels) MAY turn off the above check, but
practice is discouraged for the aforementioned reasons
Montenegro Standards Track [Page 11]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
While the registration is in effect, a home agent MUST process
valid reverse tunneled packet (as determined by checks like
above) by decapsulating it, recovering the original packet, and
forwarding it on behalf of its sender (the mobile node) to
destination address (the correspondent host).
5. Mobile Node to Foreign Agent Delivery
This section specifies how the mobile node sends its data traffic
the foreign agent. In all cases, the mobile node learns the
agent's link-layer address from the link-layer header in the
advertisement
5.1. Direct Delivery
This delivery mechanism is very simple to implement at the
node, and uses small (non-encapsulated) packets on the link
the mobile node and the foreign agent (potentially a very slow link).
However, it only supports reverse-tunneling of unicast packets,
does not allow selective reverse tunneling (section 5.4).
5.1.1. Packet
The mobile node MUST designate the foreign agent as its
router. Not doing so will not guarantee encapsulation of all
mobile node's outgoing traffic, and defeats the purpose of
reverse tunnel. The foreign agent MUST
- detect packets sent by the mobile node,
- modify its forwarding function to encapsulate them
forwarding
5.1.2. Packet Header Format and
This section shows the format of the packet headers used by
Direct Delivery style. The formats shown assume IP in
encapsulation [2].
Packet format received by the foreign agent (Direct Delivery Style):
IP fields
Source Address = mobile node's home address Destination
= correspondent host's
Upper Layer
Packet format forwarded by the foreign agent (Direct Delivery Style):
Montenegro Standards Track [Page 12]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
IP fields (encapsulating header):
Source Address = foreign agent's care-of
Destination Address = home agent's
Protocol field: 4 (IP in IP
IP fields (original header):
Source Address = mobile node's home
Destination Address = correspondent host's
Upper Layer
These fields of the encapsulating header MUST be chosen as follows
IP Source
Copied from the Care-of Address field within the
Request
IP Destination
Copied from the Home Agent field within the
Request
IP Protocol
Default is 4 (IP in IP [2]), but other methods of
MAY be used as negotiated at registration time
5.2. Encapsulating Delivery
This mechanism requires that the mobile node implement encapsulation
and explicitly directs packets at the foreign agent by designating
as the destination address in a new outermost header. Mobile
that wish to send either broadcast or multicast packets MUST use
Encapsulating Delivery Style
5.2.1 Packet
The foreign agent does not modify its forwarding function. Rather
it receives an encapsulated packet and after verifying that it
sent by the mobile node, it
- decapsulates to recover the inner packet
- re-encapsulates, and sends it to the home agent
If a foreign agent receives an un-encapsulated packet from a
node which had explicitly requested the Encapsulated Delivery Style
then the foreign agent MUST NOT reverse tunnel such a packet
rather MUST forward it using standard, IP routing mechanisms
Montenegro Standards Track [Page 13]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
5.2.2. Packet Header Format and
This section shows the format of the packet headers used by
Encapsulating Delivery style. The formats shown assume IP in
encapsulation [2].
Packet format received by the foreign agent (Encapsulating
Style):
IP fields (encapsulating header):
Source Address = mobile node's home
Destination Address = foreign agent's
Protocol field: 4 (IP in IP
IP fields (original header):
Source Address = mobile node's home
Destination Address = correspondent host's
Upper Layer
The fields of the encapsulating IP header MUST be chosen as follows
IP Source
The mobile node's home address
IP Destination
The address of the agent as learned from the IP source
of the agent's most recent registration reply
IP Protocol
Default is 4 (IP in IP [2]), but other methods of
MAY be used as negotiated at registration time
Packet format forwarded by the foreign agent (Encapsulating
Style):
IP fields (encapsulating header):
Source Address = foreign agent's care-of
Destination Address = home agent's
Protocol field: 4 (IP in IP
IP fields (original header):
Source Address = mobile node's home
Destination Address = correspondent host's
Upper Layer
These fields of the encapsulating IP header MUST be chosen
follows
Montenegro Standards Track [Page 14]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
IP Source
Copied from the Care-of Address field within the
Request
IP Destination
Copied from the Home Agent field within the
Request
IP Protocol
Default is 4 (IP in IP [2]), but other methods of
MAY be used as negotiated at registration time
5.3. Support for Broadcast and Multicast
If a mobile node is operating with a co-located care-of address
broadcast and multicast datagrams are handled according to
4.3 and 4.4 of the Mobile IP specification [1]. Mobile nodes using
foreign agent care-of address MAY have their broadcast and
datagrams reverse-tunneled by the foreign agent. However, any
nodes doing so MUST use the encapsulating delivery style
This delivers the datagram only to the foreign agent. The
decapsulates it and then processes it as any other packet from
mobile node, namely, by reverse tunneling it to the home agent
5.4. Selective Reverse
Packets destined to local resources (for example, a nearby printer
might be unaffected by ingress filtering. A mobile node with a co
located care-of address MAY optimize delivery of these packets by
reverse tunneling them. On the other hand, a mobile node using
foreign agent care-of address MAY use this selective
tunneling capability by requesting the Encapsulating Delivery Style
and following these guidelines
Packets NOT meant to be reversed tunneled
Sent using the Direct Delivery style. The foreign agent
process these packets as regular traffic: they MAY
forwarded but MUST NOT be reverse tunneled to the home agent
Montenegro Standards Track [Page 15]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
Packets meant to be reverse tunneled
Sent using the Encapsulating Delivery style. The foreign
MUST process these packets as specified in section 5.2:
MUST be reverse tunneled to the home agent
6. Security
The extensions outlined in this document are subject to the
considerations outlined in the Mobile IP specification [1].
Essentially, creation of both forward and reverse tunnels involves
authentication procedure, which reduces the risk for attack
6.1. Reverse-tunnel Hijacking and Denial-of-Service
Once the tunnel is set up, a malicious node could hijack it to
packets into the network. Reverse tunnels might exacerbate
problem, because upon reaching the tunnel exit point packets
forwarded beyond the local network. This concern is also present
the Mobile IP specification, as it already dictates the use
reverse tunnels for certain applications
Unauthenticated exchanges involving the foreign agent allow
malicious node to pose as a valid mobile node and re-direct
existing reverse tunnel to another home agent, perhaps
malicious node. The best way to protect against these attacks is
employing the Mobile-Foreign and Foreign-Home
Extensions defined in [1].
If the necessary mobility security associations are not available
this document introduces a mechanism to reduce the range
effectiveness of the attacks. The mobile node MUST set to 255 the
value in the IP headers of Registration Requests sent to the
agent. This prevents malicious nodes more than one hop away
posing as valid mobile nodes. Additional codes for use
registration denials make those attacks that do occur easier
track
With the goal of further reducing the attacks the Mobile IP
Group considered other mechanisms involving the use
unauthenticated state. However, these introduce the possibilities
denial-of-service attacks. The consensus was that this was too
of a trade-off for mechanisms that guarantee no more than weak (non
cryptographic) protection against attacks
Montenegro Standards Track [Page 16]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
6.2. Ingress
There has been some concern regarding the long-term effectiveness
reverse-tunneling in the presence of ingress filtering.
conjecture is that network administrators will target reverse
tunneled packets (IP in IP encapsulated packets) for filtering.
ingress filtering recommendation spells out why this is not the
[8]:
Tracking the source of an attack is simplified when the source
more likely to be "valid."
7.
The encapsulating style of delivery was proposed by Charlie Perkins
Jim Solomon has been instrumental in shaping this document into
present form
[1] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.
[2] Perkins, C., "IP Encapsulation within IP", RFC 2003,
1996.
[3] Computer Emergency Response Team (CERT), "IP Spoofing
and Hijacked Terminal Connections", CA-95:01, January 1995.
Available via anonymous ftp from info.cert.
in/pub/cert_advisories
[4] Johnson, D., and C. Perkins, "Route Optimization in Mobile IP",
Work in Progress
[5] Manuel Rodriguez, private communication, August 1995.
[6] Atkinson, R., "IP Authentication Header", RFC 1826, August 1995.
[7] Atkinson, R., "IP Encapsulating Security Payload", RFC 1827,
August 1995.
[8] Ferguson, P., and D. Senie, "Network Ingress Filtering:
Denial of Service Attacks which employ IP Source
Spoofing", RFC 2267, January 1998.
[9] Bradner, S., "Key words for use in RFCs to Indicate
Levels", BCP 14, RFC 2119, March 1997.
Montenegro Standards Track [Page 17]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
Editor and Chair
Questions about this document may be directed at
Gabriel E.
Sun Microsystems, Inc
901 San Antonio
Mailstop UMPK 15-214
Mountain View, California 94303
Voice: +1-415-786-6288
Fax: +1-415-786-6445
EMail: gabriel.montenegro@eng.sun.
The working group can be contacted via the current chairs
Jim
Motorola, Inc
1301 E. Algonquin Rd. - Rm 2240
Schaumburg, IL 60196
Voice: +1-847-576-2753
Fax: +1-847-576-3240
EMail: solomon@comm.mot.
Erik
Sun Microsystems, Inc
901 San Antonio
Mailstop UMPK17-202
Mountain View, California 94303
Voice: +1-415-786-5166
EMail: erik.nordmark@eng.sun.
Montenegro Standards Track [Page 18]
RFC 2344 Reverse Tunneling for Mobile IP May 1998
Full Copyright
Copyright (C) The Internet Society (1998). All Rights Reserved
This document and translations of it may be copied and furnished
others, and derivative works that comment on or otherwise explain
or assist in its implementation may be prepared, copied,
and distributed, in whole or in part, without restriction of
kind, provided that the above copyright notice and this paragraph
included on all such copies and derivative works. However,
document itself may not be modified in any way, such as by
the copyright notice or references to the Internet Society or
Internet organizations, except as needed for the purpose
developing Internet standards in which case the procedures
copyrights defined in the Internet Standards process must
followed, or as required to translate it into languages other
English
The limited permissions granted above are perpetual and will not
revoked by the Internet Society or its successors or assigns
This document and the information contained herein is provided on
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
Montenegro Standards Track [Page 19]
if you see any problems within the linking, don't worry be happy,
this is version 0.1 of the Relevance System and you gotta expect some crappy subroutines sometimes,
just be content we did not write this in Java, which would have made this "bigger and better" HAHAHHA.
RFC documents can be found at I.E.T.F.
Relevance System Copyright © 2002 Spectrum WorldResearch
other technical nosh by ServerMasters Corporation
collaboration of BobX
